isa/sudo
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Rename "doc" directory to "docs" for better GitHub compatibility.

Browse Source
This commit is contained in:
Todd C. Miller
2021-11-10 16:45:16 -07:00
parent 5faf46de6f
commit 289a045a4f
52 changed files with 76 additions and 76 deletions
Download Patch File Download Diff File Expand all files Collapse all files

245
docs/CONTRIBUTORS Normal file
View File

@@ -0,0 +1,245 @@
The following list of people, sorted by last name, have contributed
code or patches to this implementation of sudo since I began
maintaining it in 1993. This list is known to be incomplete--if
you believe you should be listed, please send a note to sudo@sudo.ws.
Ackeret, Matt
Adler, Mark
Allbery, Russ
Anderson, Jamie
Andrew, Nick
Andric, Dimitry
Barron, Danny
Bates, Tom
Behan, Zdeněk
Bellis, Ray
Benali, Elias
Beverly, Jamie
Boardman, Spider
Bos, Sander
Bostley, P.J.
Bowes, Keith
Boyce, Keith Garry
Brantley, Michael
Braun, Rob
Březina, Pavel
Brooks, Piete
Brown, Jerry
Burr, Michael E
Burton, Ross
Bussjaeger, Andreas
Calvin, Gary
Campbell, Aaron
Chazelas, Stephane
Cheloha, Scott
Čížek, Vítězslav
Coleman, Chris
Corzine, Deven T.
Cusack, Frank
Dai, Wei
Dill, David
Earickson, Jeff
Eckhardt, Drew
Edgington, Ben
Esipovich, Marc
Espie, Marc
Faigon, Ariel
Farrell, Brian
Fobes, Steve
Frysinger, Mike
G., Daniel Richard
Gailly, Jean-loup
Gelman, Stephen
Gerraty, Simon J.
Graber, Stephane
Guillory, B.
Hayman, Randy M.
Henke, Joachim
Hideaki, Yoshifuji
Hieb, Dave
Holloway, Nick
Hoover, Adam
Hunter, Michael T.
Hutchings, Ben
Irrgang, Eric
Jackson, Brian
Jackson, John R.
Jackson, Richard L., Jr.
Janssen, Mark
Jepeway, Chris
Jorge, Joel Peláe
Jover, Guillem
Juhani, Timo
Kikuchi, Ayamura
Kadow, Kevin
Kasal, Stepan
Kienenberger, Mike
King, Dale
King, Michael
Klyachkin, Andrey
Knoble, Jim
Knox, Tim
Komarnitsky, Alek O.
Kondrashov, Nikolai
Kopeček, Daniel
Kranenburg, Paul
Krause, David
Lakin, Eric
Larsen, Case
Levin, Dmitry V.
Libby, Kendall
Lobbes, Phillip E.
McIntyre, Jason
MacKenzie, David J.
McLaughlin, Tom
Makey, Jeff
Mallayya, Sangamesh
Manner, Róbert
Marchionna, Michael D.
Markham, Paul
Martinian, Emin
Meskes, Michael
Michael, David
Miller, Todd C.
Minier, Loïc
Moffat, Darren
Moldung, Jan Thomas
Morris, Charles
Mueller, Andreas
Müller, Dworkin
Nieusma, Jeff
Nikitser, Peter A.
Nussel, Ludwig
Orbán, László
Ouellet, Jean-Philippe
Paquet, Eric
Paradis, Chantal
Pasteleurs, Frederic
Percival, Ted
Perera, Andres
Peron, Christian S.J.
Peschel, Aaron
Peslyak, Alexander
Peterson, Toby
Pettenò, Diego Elio
Pickett, Joel
Plotnick, Alex
de Raadt, Theo
Rasch, Gudleik
Reid, Steve
Richards, Matt
Rossum, Guido van
Rouillard, John P.
Rowe, William A., Jr.
Roy, Alain
Ruusamäe, Elan
Ryabinkin, Eygene
Sato, Yuichi
Sánchez, Wilfredo
Sanders, Miguel
Sasaki, Kan
Saucier, Jean-Francois
Schoenfeld, Patrick
Schuring, Arno
Schwarze, Ingo
Scott, Dougal
Sieger, Nick
Simon, Thor Lancelot
Slemko, Marc
Smith, Andy
Sobrado, Igor
Soulen, Steven
Spangler, Aaron
Spradling, Cloyce D.
Spradling, Michael
Stier, Matthew
Stoeckmann, Tobias
Street, Russell
Stritzky, Tilo
Stroucken, Michael
Tarrall, Robert
Thomas, Matthew
Todd, Giles
Toft, Martin
Torek, Chris
Tucker, Darren
Uhl, Robert
Uzel, Petr
Valery, Reznic
Van Dinter, Theo
Venckus, Martynas
de Vries, Maarten
Wagner, Klaus
Walsh, Dan
Warburton, John
Webb, Kirk
Wetzel, Timm
Wieringen, Marco van
Wilk, Jakub
Winiger, Gary
Wood, David
Zacarias, Gustavo
Zolnowsky, John
The following people have worked to translate sudo into
other languages as part of the Translation Project, see
https://translationproject.org for more details.
Albuquerque, Pedro
Blättermann, Mario
Bogusz, Jakub
Buo-ren, Lin
Casagrande, Milo
Castro, Felipe
Cho, Seong-ho
Chornoivan, Yuri
Diéguez, Francisco
Fontenelle, Rafael
García-Fontes, Walter
Gezer, Volkan
Hamasaki, Takeshi
Hamming, Peter
Hansen, Joe
Hantrais, Frédéric
Hein, Jochen
Hufthammer, Karl Ove
Jerovšek, Damir
Karvonen, Jorma
Kazik, Dušan
Kelemen, Gábor
Keçeci, Mehmet
Košir, Klemen
Kozlov, Yuri
Kramer, Jakob
Krznar, Tomislav
Marchal, Frédéric
Margevičius, Algimantas
Maryanov, Pavel
Florentina Mușat
Nurmi, Lauri
Nikolić, Miroslav
Nylander, Daniel
Pan, Yi-Jyun
Písař, Petr
Puente, Enol
Putanec, Božidar
Quân, Trần Ngọc
Rasmussen, Sebastian
Regueiro, Leandro
Sarıer, Özgür
Sendón, Abel
Șerbănescu, Daniel
Sikrom, Åka
Spingos, Dimitris
Taniguchi, Yasuaki
Tomat, Fábio
Úr, Balázs
Uranga, Mikel Olasagasti
Vorotnikov, Artem
Wang, Wylmer
Yang, Boyuan
The following people designed the artwork used on the sudo website:
Shield logo: Badger, Trent
Sandwich logo (inspired by xkcd): Stillman, Mark

76
docs/HISTORY Normal file
View File

@@ -0,0 +1,76 @@
A Brief History of Sudo:
The Early Years
Sudo was first conceived and implemented by Bob Coggeshall and Cliff Spencer
around 1980 at the Department of Computer Science at SUNY/Buffalo. It ran on
a VAX-11/750 running 4.1BSD. An updated version, credited to Phil Betchel,
Cliff Spencer, Gretchen Phillips, John LoVerso and Don Gworek, was posted to
the net.sources Usenet newsgroup in December of 1985.
Sudo at CU-Boulder
In the Summer of 1986, Garth Snyder released an enhanced version of sudo.
For the next 5 years, sudo was fed and watered by a handful of folks at
CU-Boulder, including Bob Coggeshall, Bob Manchek, and Trent Hein.
Root Group Sudo
In 1991, Dave Hieb and Jeff Nieusma wrote a new version of sudo with an
enhanced sudoers format under contract to a consulting firm called "The Root
Group". This version was later released under the GNU public license.
CU Sudo
In 1994, after maintaining sudo informally within CU-Boulder for some time,
Todd C. Miller made a public release of "CU sudo" (version 1.3) with bug
fixes and support for more operating systems. The "CU" was added to
differentiate it from the "official" version from "The Root Group".
In 1995, a new parser for the sudoers file was contributed by Chris Jepeway.
The new parser was a proper grammar (unlike the old one) and could work with
both sudo and visudo (previously they had slightly different parsers).
In 1996, Todd, who had been maintaining sudo for several years in his spare
time, moved distribution of sudo from a CU-Boulder ftp site to his domain,
courtesan.com.
Just Plain Sudo
In 1999, the "CU" prefix was dropped from the name since there had been no
formal release of sudo from "The Root Group" since 1991 (the original
authors now work elsewhere). As of version 1.6, Sudo no longer contains any
of the original "Root Group" code and is available under an ISC-style
license.
In 2001, the sudo web site, ftp site and mailing lists were moved from
courtesan.com to the sudo.ws domain (sudo.org was already taken).
LDAP Integration
In 2003, Nationwide Mutual Insurance Company contributed code written by
Aaron Spangler to store the sudoers data in LDAP. These changes were
incorporated into Sudo 1.6.8.
New Parser
In 2005, Todd rewrote the sudoers parser to better support the features that
had been added in the past ten years. This new parser removes some
limitations of the previous one, removes ordering constraints and adds
support for including multiple sudoers files.
Quest Sponsorship
In 2010, Quest Software began sponsoring Sudo development by hiring
Todd to work on Sudo as part of his full-time job. This enabled
the addition of I/O logging, the plugin API, the log server,
additional regression and fuzz tests, support for binary packages
and more regular releases.
Present Day
Sudo, in its current form, is maintained by:
Todd C. Miller <Todd.Miller@sudo.ws>
Todd continues to enhance sudo and fix bugs.

347
docs/LICENSE Normal file
View File

@@ -0,0 +1,347 @@
Sudo is distributed under the following license:
Copyright (c) 1994-1996, 1998-2021
Todd C. Miller <Todd.Miller@sudo.ws>
Permission to use, copy, modify, and distribute this software for any
purpose with or without fee is hereby granted, provided that the above
copyright notice and this permission notice appear in all copies.
THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
Sponsored in part by the Defense Advanced Research Projects
Agency (DARPA) and Air Force Research Laboratory, Air Force
Materiel Command, USAF, under agreement number F39502-99-1-0512.
The Python plugin bindings bear the following license:
Copyright (c) 2019-2020 Robert Manner <robert.manner@oneidentity.com>
Permission to use, copy, modify, and distribute this software for any
purpose with or without fee is hereby granted, provided that the above
copyright notice and this permission notice appear in all copies.
THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
The files hostcheck.c and hostcheck.h bear the following license:
Copyright (c) 2020 Laszlo Orban <laszlo.orban@oneidentity.com>
Permission to use, copy, modify, and distribute this software for any
purpose with or without fee is hereby granted, provided that the above
copyright notice and this permission notice appear in all copies.
THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
The file redblack.c bears the following license:
Copyright (c) 2001 Emin Martinian
Redistribution and use in source and binary forms, with or without
modification, are permitted provided that neither the name of Emin
Martinian nor the names of any contributors are be used to endorse or
promote products derived from this software without specific prior
written permission.
THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
"AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
The file sssd.c bears the following license:
Copyright (c) 2011 Daniel Kopecek <dkopecek@redhat.com>
This code is derived from software contributed by Aaron Spangler.
Permission to use, copy, modify, and distribute this software for any
purpose with or without fee is hereby granted, provided that the above
copyright notice and this permission notice appear in all copies.
THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
The files bsm_audit.c and bsm_audit.h bear the following license:
Copyright (c) 2009 Christian S.J. Peron
Permission to use, copy, modify, and distribute this software for any
purpose with or without fee is hereby granted, provided that the above
copyright notice and this permission notice appear in all copies.
THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
The files solaris_audit.c and solaris_audit.h bear the following license:
Copyright (c) 2014, Oracle and/or its affiliates.
Permission to use, copy, modify, and distribute this software for any
purpose with or without fee is hereby granted, provided that the above
copyright notice and this permission notice appear in all copies.
THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
The file reallocarray.c bears the following license:
Copyright (c) 2008 Otto Moerbeek <otto@drijf.net>
Permission to use, copy, modify, and distribute this software for any
purpose with or without fee is hereby granted, provided that the above
copyright notice and this permission notice appear in all copies.
THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
The files getcwd.c, glob.c, glob.h, snprintf.c and sudo_queue.h bear the
following license:
Copyright (c) 1989, 1990, 1991, 1993
The Regents of the University of California. All rights reserved.
Redistribution and use in source and binary forms, with or without
modification, are permitted provided that the following conditions
are met:
1. Redistributions of source code must retain the above copyright
notice, this list of conditions and the following disclaimer.
2. Redistributions in binary form must reproduce the above copyright
notice, this list of conditions and the following disclaimer in the
documentation and/or other materials provided with the distribution.
3. Neither the name of the University nor the names of its contributors
may be used to endorse or promote products derived from this software
without specific prior written permission.
THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
SUCH DAMAGE.
The file fnmatch.c bears the following license:
Copyright (c) 2011, VMware, Inc.
All rights reserved.
Redistribution and use in source and binary forms, with or without
modification, are permitted provided that the following conditions are met:
* Redistributions of source code must retain the above copyright
notice, this list of conditions and the following disclaimer.
* Redistributions in binary form must reproduce the above copyright
notice, this list of conditions and the following disclaimer in the
documentation and/or other materials provided with the distribution.
* Neither the name of the VMware, Inc. nor the names of its contributors
may be used to endorse or promote products derived from this software
without specific prior written permission.
THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
ARE DISCLAIMED. IN NO EVENT SHALL VMWARE, INC. OR CONTRIBUTORS BE LIABLE FOR
ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
(INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
The file getopt_long.c bears the following license:
Copyright (c) 2000 The NetBSD Foundation, Inc.
All rights reserved.
This code is derived from software contributed to The NetBSD Foundation
by Dieter Baron and Thomas Klausner.
Redistribution and use in source and binary forms, with or without
modification, are permitted provided that the following conditions
are met:
1. Redistributions of source code must retain the above copyright
notice, this list of conditions and the following disclaimer.
2. Redistributions in binary form must reproduce the above copyright
notice, this list of conditions and the following disclaimer in the
documentation and/or other materials provided with the distribution.
THIS SOFTWARE IS PROVIDED BY THE NETBSD FOUNDATION, INC. AND CONTRIBUTORS
``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE FOUNDATION OR CONTRIBUTORS
BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
POSSIBILITY OF SUCH DAMAGE.
The file inet_pton.c bears the following license:
Copyright (c) 1996 by Internet Software Consortium.
Permission to use, copy, modify, and distribute this software for any
purpose with or without fee is hereby granted, provided that the above
copyright notice and this permission notice appear in all copies.
THE SOFTWARE IS PROVIDED "AS IS" AND INTERNET SOFTWARE CONSORTIUM DISCLAIMS
ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES
OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL INTERNET SOFTWARE
CONSORTIUM BE LIABLE FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL
DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR
PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS
ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS
SOFTWARE.
The file arc4random.c bears the following license:
Copyright (c) 1996, David Mazieres <dm@uun.org>
Copyright (c) 2008, Damien Miller <djm@openbsd.org>
Copyright (c) 2013, Markus Friedl <markus@openbsd.org>
Copyright (c) 2014, Theo de Raadt <deraadt@openbsd.org>
Permission to use, copy, modify, and distribute this software for any
purpose with or without fee is hereby granted, provided that the above
copyright notice and this permission notice appear in all copies.
THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
The file arc4random_uniform.c bears the following license:
Copyright (c) 2008, Damien Miller <djm@openbsd.org>
Permission to use, copy, modify, and distribute this software for any
purpose with or without fee is hereby granted, provided that the above
copyright notice and this permission notice appear in all copies.
THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
The file getentropy.c bears the following license:
Copyright (c) 2014 Theo de Raadt <deraadt@openbsd.org>
Copyright (c) 2014 Bob Beck <beck@obtuse.com>
Permission to use, copy, modify, and distribute this software for any
purpose with or without fee is hereby granted, provided that the above
copyright notice and this permission notice appear in all copies.
THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
The embedded copy of zlib bears the following license:
Copyright (C) 1995-2017 Jean-loup Gailly and Mark Adler
This software is provided 'as-is', without any express or implied
warranty. In no event will the authors be held liable for any damages
arising from the use of this software.
Permission is granted to anyone to use this software for any purpose,
including commercial applications, and to alter it and redistribute it
freely, subject to the following restrictions:
1. The origin of this software must not be misrepresented; you must not
claim that you wrote the original software. If you use this software
in a product, an acknowledgment in the product documentation would be
appreciated but is not required.
2. Altered source versions must be plainly marked as such, and must not be
misrepresented as being the original software.
3. This notice may not be removed or altered from any source distribution.
Jean-loup Gailly Mark Adler
jloup@gzip.org madler@alumni.caltech.edu
The embedded copy of protobuf-c bears the following license:
Copyright (c) 2008-2018, Dave Benson and the protobuf-c authors.
All rights reserved.
Redistribution and use in source and binary forms, with or without
modification, are permitted provided that the following conditions
are met:
* Redistributions of source code must retain the above copyright
notice, this list of conditions and the following disclaimer.
* Redistributions in binary form must reproduce the above
copyright notice, this list of conditions and the following
disclaimer in the documentation and/or other materials
provided with the distribution.
THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
"AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

429
docs/Makefile.in Normal file
View File

@@ -0,0 +1,429 @@
#
# SPDX-License-Identifier: ISC
#
# Copyright (c) 2010-2015, 2017-2020 Todd C. Miller <Todd.Miller@sudo.ws>
#
# Permission to use, copy, modify, and distribute this software for any
# purpose with or without fee is hereby granted, provided that the above
# copyright notice and this permission notice appear in all copies.
#
# THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
# WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
# MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
# ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
# WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
# ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
# OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
#
# @configure_input@
#
#### Start of system configuration section. ####
srcdir = @srcdir@
abs_srcdir = @abs_srcdir@
top_srcdir = @top_srcdir@
abs_top_srcdir = @abs_top_srcdir@
top_builddir = @top_builddir@
abs_top_builddir = @abs_top_builddir@
docdir = @docdir@
scriptdir = $(top_srcdir)/scripts
# Tools to use
SED = @SED@
IGOR = igor
MANDOC = @MANDOCPROG@
MANCOMPRESS = @MANCOMPRESS@
MANCOMPRESSEXT = @MANCOMPRESSEXT@
TR = @TRPROG@
# Our install program supports extra flags...
INSTALL = $(SHELL) $(scriptdir)/install-sh -c
INSTALL_OWNER = -o $(install_uid) -g $(install_gid)
# Where to install things...
prefix = @prefix@
exec_prefix = @exec_prefix@
bindir = @bindir@
sbindir = @sbindir@
sysconfdir = @sysconfdir@
libexecdir = @libexecdir@
datarootdir = @datarootdir@
localstatedir = @localstatedir@
mandir = @mandir@
# Directory in which to install the man page
mantype = @MANTYPE@
mansectsu = @mansectsu@
mansectform = @mansectform@
mandirexe = $(mandir)/@MANDIRTYPE@1
mandirsu = $(mandir)/@MANDIRTYPE@$(mansectsu)
mandirform = $(mandir)/@MANDIRTYPE@$(mansectform)
# User and group ids the installed files should be "owned" by
install_uid = 0
install_gid = 0
# Set to non-empty for development mode
DEVEL = @DEVEL@
#### End of system configuration section. ####
SHELL = @SHELL@
DOCS = ./cvtsudoers.$(mantype) ./sudo.$(mantype) ./sudo.conf.$(mantype) \
./sudo_logsrvd.$(mantype) ./sudo_logsrv.proto.$(mantype) \
./sudo_logsrvd.conf.$(mantype) ./sudo_plugin.$(mantype) \
./sudo_plugin_python.$(mantype) ./sudo_sendlog.$(mantype) \
./sudoers.$(mantype) ./sudoers.ldap.$(mantype) \
./sudoers_timestamp.$(mantype) \
./sudoreplay.$(mantype) ./visudo.$(mantype)
DEVDOCS = $(srcdir)/cvtsudoers.man.in $(srcdir)/sudo.conf.man.in \
$(srcdir)/sudo.man.in $(srcdir)/sudo_logsrvd.man.in \
$(srcdir)/sudo_logsrv.proto.man.in \
$(srcdir)/sudo_logsrvd.conf.man.in \
$(srcdir)/sudo_plugin.man.in $(srcdir)/sudo_plugin_python.man.in \
$(srcdir)/sudo_sendlog.man.in $(srcdir)/sudoers.ldap.man.in \
$(srcdir)/sudoers.man.in $(srcdir)/sudoers_timestamp.man.in \
$(srcdir)/sudoreplay.man.in $(srcdir)/visudo.man.in
OTHER_DOCS = $(top_srcdir)/ChangeLog $(top_srcdir)/README \
$(top_srcdir)/NEWS $(srcdir)/HISTORY $(srcdir)/CONTRIBUTORS \
$(srcdir)/LICENSE $(srcdir)/TROUBLESHOOTING $(srcdir)/UPGRADE
OTHER_DOCS_LDAP = $(top_srcdir)/README.LDAP $(srcdir)/schema.*
VERSION = @PACKAGE_VERSION@
PACKAGE_TARNAME = @PACKAGE_TARNAME@
all: $(DEVDOCS) $(DOCS)
igor: all
@if [ "$(mantype)" != "mdoc" ]; then \
echo "make igor only supported for mdoc manuals" 1>&2; \
exit 1; \
else \
rval=0; \
for m in $(DOCS); do \
echo $(IGOR) -D $$m; \
$(IGOR) -D $$m || rval=`expr $$rval + $$?`; \
done; \
exit $$rval; \
fi
lint: all
@if [ "$(mantype)" != "mdoc" ]; then \
echo "make lint only supported for mdoc manuals" 1>&2; \
exit 1; \
else \
rval=0; \
for m in $(DOCS); do \
echo $(MANDOC) -Tlint -Wwarning $$m; \
$(MANDOC) -Tlint -Wwarning $$m || rval=`expr $$rval + $$?`; \
done; \
exit $$rval; \
fi
depend:
Makefile: $(srcdir)/Makefile.in
cd $(top_builddir) && ./config.status --file docs/Makefile
.SUFFIXES: .man
$(srcdir)/sudo.man.in: $(srcdir)/sudo.mdoc.in $(srcdir)/sudo.man.in.sed
@if [ -n "$(DEVEL)" ]; then \
echo "Generating $@"; \
mansectsu=`echo @MANSECTSU@|$(TR) A-Z a-z`; \
mansectform=`echo @MANSECTFORM@|$(TR) A-Z a-z`; \
$(SED) -e 's/^\(\.nr [A-Z][A-Z]\) .[A-Z][A-Z]MAN./\1 1/' -e "s/$$mansectsu/8/g" -e "s/$$mansectform/5/g" $(srcdir)/sudo.mdoc.in | $(MANDOC) -Tman | $(SED) -e 's/^\(\.TH "SUDO" \)"8"\(.*\)/\1"'$$mansectsu'"\2/' -e "s/(5)/($$mansectform)/g" -e "s/(8)/($$mansectsu)/g" -f $(srcdir)/sudo.man.in.sed > $@; \
fi
fixman.sed: $(srcdir)/fixman.sh
$(SHELL) $(srcdir)/fixman.sh $@
./sudo.man: $(top_builddir)/config.status $(srcdir)/sudo.man.in fixman.sed
(cd $(top_builddir) && $(SHELL) config.status --file=-) < $(srcdir)/sudo.man.in | $(SED) -f fixman.sed > $@
./sudo.mdoc: $(top_builddir)/config.status $(srcdir)/sudo.mdoc.in
cd $(top_builddir) && $(SHELL) config.status --file=docs/$@
$(srcdir)/visudo.man.in: $(srcdir)/visudo.mdoc.in
@if [ -n "$(DEVEL)" ]; then \
echo "Generating $@"; \
mansectsu=`echo @MANSECTSU@|$(TR) A-Z a-z`; \
mansectform=`echo @MANSECTFORM@|$(TR) A-Z a-z`; \
$(SED) -e "s/$$mansectsu/8/g" -e "s/$$mansectform/5/g" $(srcdir)/visudo.mdoc.in | $(MANDOC) -Tman | $(SED) -e 's/^\(\.TH "VISUDO" \)"8"\(.*\)/\1"'$$mansectsu'"\2/' -e "s/(5)/($$mansectform)/g" -e "s/(8)/($$mansectsu)/g" > $@; \
fi
./visudo.man: $(top_builddir)/config.status $(srcdir)/visudo.man.in fixman.sed
(cd $(top_builddir) && $(SHELL) config.status --file=-) < $(srcdir)/visudo.man.in | $(SED) -f fixman.sed > $@
./visudo.mdoc: $(top_builddir)/config.status $(srcdir)/visudo.mdoc.in
cd $(top_builddir) && $(SHELL) config.status --file=docs/$@
$(srcdir)/sudo.conf.man.in: $(srcdir)/sudo.conf.mdoc.in
@if [ -n "$(DEVEL)" ]; then \
echo "Generating $@"; \
mansectsu=`echo @MANSECTSU@|$(TR) A-Z a-z`; \
mansectform=`echo @MANSECTFORM@|$(TR) A-Z a-z`; \
$(SED) -e 's/^\(\.nr [A-Z][A-Z]\) .[A-Z][A-Z]MAN./\1 1/' -e "s/$$mansectsu/8/g" -e "s/$$mansectform/5/g" $(srcdir)/sudo.conf.mdoc.in | $(MANDOC) -Tman | $(SED) -e 's/^\(\.TH "SUDO.CONF" \)"5"\(.*\)/\1"'$$mansectform'"\2/' -e "s/(5)/($$mansectform)/g" -e "s/(8)/($$mansectsu)/g" -f $(srcdir)/sudo.conf.man.in.sed > $@; \
fi
./sudo.conf.man: $(top_builddir)/config.status $(srcdir)/sudo.conf.man.in fixman.sed
(cd $(top_builddir) && $(SHELL) config.status --file=-) < $(srcdir)/sudo.conf.man.in | $(SED) -f fixman.sed > $@
./sudo.conf.mdoc: $(top_builddir)/config.status $(srcdir)/sudo.conf.mdoc.in
cd $(top_builddir) && $(SHELL) config.status --file=docs/$@
$(srcdir)/sudoers.man.in: $(srcdir)/sudoers.mdoc.in $(srcdir)/sudoers.man.in.sed
@if [ -n "$(DEVEL)" ]; then \
echo "Generating $@"; \
mansectsu=`echo @MANSECTSU@|$(TR) A-Z a-z`; \
mansectform=`echo @MANSECTFORM@|$(TR) A-Z a-z`; \
$(SED) -e 's/^\(\.nr [A-Z][A-Z]\) .[A-Z][A-Z]MAN./\1 1/' -e "s/$$mansectsu/8/g" -e "s/$$mansectform/5/g" $(srcdir)/sudoers.mdoc.in | $(MANDOC) -Tman | $(SED) -e 's/^\(\.TH "SUDOERS" \)"5"\(.*\)/\1"'$$mansectform'"\2/' -e "s/(5)/($$mansectform)/g" -e "s/(8)/($$mansectsu)/g" -f $(srcdir)/sudoers.man.in.sed> $@; \
fi
./sudoers.man: $(top_builddir)/config.status $(srcdir)/sudoers.man.in fixman.sed
(cd $(top_builddir) && $(SHELL) config.status --file=-) < $(srcdir)/sudoers.man.in | $(SED) -f fixman.sed > $@
./sudoers.mdoc: $(top_builddir)/config.status $(srcdir)/sudoers.mdoc.in $(srcdir)/fixmdoc.sed
(cd $(top_builddir) && $(SHELL) config.status --file=-) < $(srcdir)/sudoers.mdoc.in | $(SED) -f $(srcdir)/fixmdoc.sed > $@
$(srcdir)/sudoers.ldap.man.in: $(srcdir)/sudoers.ldap.mdoc.in
@if [ -n "$(DEVEL)" ]; then \
echo "Generating $@"; \
mansectsu=`echo @MANSECTSU@|$(TR) A-Z a-z`; \
mansectform=`echo @MANSECTFORM@|$(TR) A-Z a-z`; \
$(SED) -e "s/$$mansectsu/8/g" -e "s/$$mansectform/5/g" $(srcdir)/sudoers.ldap.mdoc.in | $(MANDOC) -Tman | $(SED) -e 's/^\(\.TH "SUDOERS.LDAP" \)"5"\(.*\)/\1"'$$mansectform'"\2/' -e "s/(5)/($$mansectform)/g" -e "s/(8)/($$mansectsu)/g" > $@; \
fi
./sudoers.ldap.man: $(top_builddir)/config.status $(srcdir)/sudoers.ldap.man.in fixman.sed
(cd $(top_builddir) && $(SHELL) config.status --file=-) < $(srcdir)/sudoers.ldap.man.in | $(SED) -f fixman.sed > $@
./sudoers.ldap.mdoc: $(top_builddir)/config.status $(srcdir)/sudoers.ldap.mdoc.in
cd $(top_builddir) && $(SHELL) config.status --file=docs/$@
$(srcdir)/sudoers_timestamp.man.in: $(srcdir)/sudoers_timestamp.mdoc.in
@if [ -n "$(DEVEL)" ]; then \
echo "Generating $@"; \
mansectsu=`echo @MANSECTSU@|$(TR) A-Z a-z`; \
mansectform=`echo @MANSECTFORM@|$(TR) A-Z a-z`; \
$(SED) -e "s/$$mansectsu/8/g" -e "s/$$mansectform/5/g" $(srcdir)/sudoers_timestamp.mdoc.in | $(MANDOC) -Tman | $(SED) -e 's/^\(\.TH "SUDOERS_TIMESTAMP" \)"5"\(.*\)/\1"'$$mansectform'"\2/' -e "s/(5)/($$mansectform)/g" -e "s/(8)/($$mansectsu)/g" > $@; \
fi
./sudoers_timestamp.man: $(top_builddir)/config.status $(srcdir)/sudoers_timestamp.man.in fixman.sed
(cd $(top_builddir) && $(SHELL) config.status --file=-) < $(srcdir)/sudoers_timestamp.man.in | $(SED) -f fixman.sed > $@
./sudoers_timestamp.mdoc: $(top_builddir)/config.status $(srcdir)/sudoers_timestamp.mdoc.in
cd $(top_builddir) && $(SHELL) config.status --file=docs/$@
$(srcdir)/cvtsudoers.man.in: $(srcdir)/cvtsudoers.mdoc.in
@if [ -n "$(DEVEL)" ]; then \
echo "Generating $@"; \
mansectsu=`echo @MANSECTSU@|$(TR) A-Z a-z`; \
mansectform=`echo @MANSECTFORM@|$(TR) A-Z a-z`; \
$(SED) -e "s/$$mansectsu/8/g" -e "s/$$mansectform/5/g" $(srcdir)/cvtsudoers.mdoc.in | $(MANDOC) -Tman | $(SED) -e "s/(5)/($$mansectform)/g" -e "s/(8)/($$mansectsu)/g" > $@; \
fi
./cvtsudoers.man: $(top_builddir)/config.status $(srcdir)/cvtsudoers.man.in fixman.sed
(cd $(top_builddir) && $(SHELL) config.status --file=-) < $(srcdir)/cvtsudoers.man.in | $(SED) -f fixman.sed > $@
./cvtsudoers.mdoc: $(top_builddir)/config.status $(srcdir)/cvtsudoers.mdoc.in
cd $(top_builddir) && $(SHELL) config.status --file=docs/$@
$(srcdir)/sudoreplay.man.in: $(srcdir)/sudoreplay.mdoc.in
@if [ -n "$(DEVEL)" ]; then \
echo "Generating $@"; \
mansectsu=`echo @MANSECTSU@|$(TR) A-Z a-z`; \
mansectform=`echo @MANSECTFORM@|$(TR) A-Z a-z`; \
$(SED) -e "s/$$mansectsu/8/g" -e "s/$$mansectform/5/g" $(srcdir)/sudoreplay.mdoc.in | $(MANDOC) -Tman | $(SED) -e 's/^\(\.TH "SUDOREPLAY" \)"8"\(.*\)/\1"'$$mansectsu'"\2/' -e "s/(5)/($$mansectform)/g" -e "s/(8)/($$mansectsu)/g" > $@; \
fi
./sudoreplay.man: $(top_builddir)/config.status $(srcdir)/sudoreplay.man.in fixman.sed
(cd $(top_builddir) && $(SHELL) config.status --file=-) < $(srcdir)/sudoreplay.man.in | $(SED) -f fixman.sed > $@
./sudoreplay.mdoc: $(top_builddir)/config.status $(srcdir)/sudoreplay.mdoc.in
cd $(top_builddir) && $(SHELL) config.status --file=docs/$@
$(srcdir)/sudo_logsrvd.man.in: $(srcdir)/sudo_logsrvd.mdoc.in
@if [ -n "$(DEVEL)" ]; then \
echo "Generating $@"; \
mansectsu=`echo @MANSECTSU@|$(TR) A-Z a-z`; \
mansectform=`echo @MANSECTFORM@|$(TR) A-Z a-z`; \
$(SED) -e "s/$$mansectsu/8/g" -e "s/$$mansectform/5/g" $(srcdir)/sudo_logsrvd.mdoc.in | $(MANDOC) -Tman | $(SED) -e 's/^\(\.TH "SUDO_LOGSRVD" \)"8"\(.*\)/\1"'$$mansectsu'"\2/' -e "s/(5)/($$mansectform)/g" -e "s/(8)/($$mansectsu)/g" > $@; \
fi
./sudo_logsrvd.man: $(top_builddir)/config.status $(srcdir)/sudo_logsrvd.man.in fixman.sed
(cd $(top_builddir) && $(SHELL) config.status --file=-) < $(srcdir)/sudo_logsrvd.man.in | $(SED) -f fixman.sed > $@
./sudo_logsrvd.mdoc: $(top_builddir)/config.status $(srcdir)/sudo_logsrvd.mdoc.in
cd $(top_builddir) && $(SHELL) config.status --file=docs/$@
$(srcdir)/sudo_logsrv.proto.man.in: $(srcdir)/sudo_logsrv.proto.mdoc.in
@if [ -n "$(DEVEL)" ]; then \
echo "Generating $@"; \
mansectsu=`echo @MANSECTSU@|$(TR) A-Z a-z`; \
mansectform=`echo @MANSECTFORM@|$(TR) A-Z a-z`; \
$(SED) -e "s/$$mansectsu/8/g" -e "s/$$mansectform/5/g" $(srcdir)/sudo_logsrv.proto.mdoc.in | $(MANDOC) -Tman | $(SED) -e 's/^\(\.TH "SUDO_LOGSRV.PROTO" \)"5"\(.*\)/\1"'$$mansectform'"\2/' -e "s/(5)/($$mansectform)/g" -e "s/(5)/($$mansectform)/g" > $@; \
fi
./sudo_logsrv.proto.man: $(top_builddir)/config.status $(srcdir)/sudo_logsrv.proto.man.in fixman.sed
(cd $(top_builddir) && $(SHELL) config.status --file=-) < $(srcdir)/sudo_logsrv.proto.man.in | $(SED) -f fixman.sed > $@
./sudo_logsrv.proto.mdoc: $(top_builddir)/config.status $(srcdir)/sudo_logsrv.proto.mdoc.in
cd $(top_builddir) && $(SHELL) config.status --file=docs/$@
$(srcdir)/sudo_logsrvd.conf.man.in: $(srcdir)/sudo_logsrvd.conf.mdoc.in
@if [ -n "$(DEVEL)" ]; then \
echo "Generating $@"; \
mansectsu=`echo @MANSECTSU@|$(TR) A-Z a-z`; \
mansectform=`echo @MANSECTFORM@|$(TR) A-Z a-z`; \
$(SED) -e "s/$$mansectsu/8/g" -e "s/$$mansectform/5/g" $(srcdir)/sudo_logsrvd.conf.mdoc.in | $(MANDOC) -Tman | $(SED) -e 's/^\(\.TH "SUDO_LOGSRVD.CONF" \)"5"\(.*\)/\1"'$$mansectform'"\2/' -e "s/(5)/($$mansectform)/g" -e "s/(5)/($$mansectform)/g" > $@; \
fi
./sudo_logsrvd.conf.man: $(top_builddir)/config.status $(srcdir)/sudo_logsrvd.conf.man.in fixman.sed
(cd $(top_builddir) && $(SHELL) config.status --file=-) < $(srcdir)/sudo_logsrvd.conf.man.in | $(SED) -f fixman.sed > $@
./sudo_logsrvd.conf.mdoc: $(top_builddir)/config.status $(srcdir)/sudo_logsrvd.conf.mdoc.in
cd $(top_builddir) && $(SHELL) config.status --file=docs/$@
$(srcdir)/sudo_plugin.man.in: $(srcdir)/sudo_plugin.mdoc.in
@if [ -n "$(DEVEL)" ]; then \
echo "Generating $@"; \
mansectsu=`echo @MANSECTSU@|$(TR) A-Z a-z`; \
mansectform=`echo @MANSECTFORM@|$(TR) A-Z a-z`; \
$(SED) -e "s/$$mansectsu/8/g" -e "s/$$mansectform/5/g" $(srcdir)/sudo_plugin.mdoc.in | $(MANDOC) -Tman | $(SED) -e 's/^\(\.TH "SUDO_PLUGIN" \)"8"\(.*\)/\1"'$$mansectsu'"\2/' -e "s/(5)/($$mansectform)/g" -e "s/(8)/($$mansectsu)/g" > $@; \
fi
./sudo_plugin.man: $(top_builddir)/config.status $(srcdir)/sudo_plugin.man.in fixman.sed
(cd $(top_builddir) && $(SHELL) config.status --file=-) < $(srcdir)/sudo_plugin.man.in | $(SED) -f fixman.sed > $@
./sudo_plugin.mdoc: $(top_builddir)/config.status $(srcdir)/sudo_plugin.mdoc.in
cd $(top_builddir) && $(SHELL) config.status --file=docs/$@
$(srcdir)/sudo_plugin_python.man.in: $(srcdir)/sudo_plugin_python.mdoc.in
@if [ -n "$(DEVEL)" ]; then \
echo "Generating $@"; \
mansectsu=`echo @MANSECTSU@|$(TR) A-Z a-z`; \
mansectform=`echo @MANSECTFORM@|$(TR) A-Z a-z`; \
$(SED) -e "s/$$mansectsu/8/g" -e "s/$$mansectform/5/g" $(srcdir)/sudo_plugin_python.mdoc.in | $(MANDOC) -Tman | $(SED) -e 's/^\(\.TH "SUDO_PLUGIN" \)"8"\(.*\)/\1"'$$mansectsu'"\2/' -e "s/(5)/($$mansectform)/g" -e "s/(8)/($$mansectsu)/g" > $@; \
fi
./sudo_plugin_python.man: $(top_builddir)/config.status $(srcdir)/sudo_plugin_python.man.in fixman.sed
(cd $(top_builddir) && $(SHELL) config.status --file=-) < $(srcdir)/sudo_plugin_python.man.in | $(SED) -f fixman.sed > $@
./sudo_plugin_python.mdoc: $(top_builddir)/config.status $(srcdir)/sudo_plugin_python.mdoc.in
cd $(top_builddir) && $(SHELL) config.status --file=docs/$@
$(srcdir)/sudo_sendlog.man.in: $(srcdir)/sudo_sendlog.mdoc.in
@if [ -n "$(DEVEL)" ]; then \
echo "Generating $@"; \
mansectsu=`echo @MANSECTSU@|$(TR) A-Z a-z`; \
mansectform=`echo @MANSECTFORM@|$(TR) A-Z a-z`; \
$(SED) -e "s/$$mansectsu/8/g" -e "s/$$mansectform/5/g" $(srcdir)/sudo_sendlog.mdoc.in | $(MANDOC) -Tman | $(SED) -e 's/^\(\.TH "SUDO_SENDLOG" \)"8"\(.*\)/\1"'$$mansectsu'"\2/' -e "s/(5)/($$mansectform)/g" -e "s/(8)/($$mansectsu)/g" > $@; \
fi
./sudo_sendlog.man: $(top_builddir)/config.status $(srcdir)/sudo_sendlog.man.in fixman.sed
(cd $(top_builddir) && $(SHELL) config.status --file=-) < $(srcdir)/sudo_sendlog.man.in | $(SED) -f fixman.sed > $@
./sudo_sendlog.mdoc: $(top_builddir)/config.status $(srcdir)/sudo_sendlog.mdoc.in
cd $(top_builddir) && $(SHELL) config.status --file=docs/$@
pre-install:
install: install-doc
install-dirs:
$(SHELL) $(scriptdir)/mkinstalldirs $(DESTDIR)$(docdir) \
$(DESTDIR)$(mandirexe) $(DESTDIR)$(mandirform) $(DESTDIR)$(mandirsu)
install-binaries:
install-includes:
install-doc: install-dirs
for f in $(OTHER_DOCS); do $(INSTALL) $(INSTALL_OWNER) -m 0644 $$f $(DESTDIR)$(docdir); done
@LDAP@for f in $(OTHER_DOCS_LDAP); do $(INSTALL) $(INSTALL_OWNER) -m 0644 $$f $(DESTDIR)$(docdir); done
$(INSTALL) $(INSTALL_OWNER) -m 0644 ./cvtsudoers.$(mantype) $(DESTDIR)$(mandirexe)/cvtsudoers.1
$(INSTALL) $(INSTALL_OWNER) -m 0644 ./sudo.$(mantype) $(DESTDIR)$(mandirsu)/sudo.$(mansectsu)
@LOGSRV@$(INSTALL) $(INSTALL_OWNER) -m 0644 ./sudo_logsrvd.$(mantype) $(DESTDIR)$(mandirsu)/sudo_logsrvd.$(mansectsu)
$(INSTALL) $(INSTALL_OWNER) -m 0644 ./sudo_plugin.$(mantype) $(DESTDIR)$(mandirsu)/sudo_plugin.$(mansectsu)
@PYTHON_PLUGIN@$(INSTALL) $(INSTALL_OWNER) -m 0644 ./sudo_plugin_python.$(mantype) $(DESTDIR)$(mandirsu)/sudo_plugin_python.$(mansectsu)
$(INSTALL) $(INSTALL_OWNER) -m 0644 ./sudo_sendlog.$(mantype) $(DESTDIR)$(mandirsu)/sudo_sendlog.$(mansectsu)
$(INSTALL) $(INSTALL_OWNER) -m 0644 ./sudoreplay.$(mantype) $(DESTDIR)$(mandirsu)/sudoreplay.$(mansectsu)
$(INSTALL) $(INSTALL_OWNER) -m 0644 ./visudo.$(mantype) $(DESTDIR)$(mandirsu)/visudo.$(mansectsu)
$(INSTALL) $(INSTALL_OWNER) -m 0644 ./sudo.conf.$(mantype) $(DESTDIR)$(mandirform)/sudo.conf.$(mansectform)
@LOGSRV@$(INSTALL) $(INSTALL_OWNER) -m 0644 ./sudo_logsrv.proto.$(mantype) $(DESTDIR)$(mandirform)/sudo_logsrv.proto.$(mansectform)
@LOGSRV@$(INSTALL) $(INSTALL_OWNER) -m 0644 ./sudo_logsrvd.conf.$(mantype) $(DESTDIR)$(mandirform)/sudo_logsrvd.conf.$(mansectform)
$(INSTALL) $(INSTALL_OWNER) -m 0644 ./sudoers.$(mantype) $(DESTDIR)$(mandirform)/sudoers.$(mansectform)
$(INSTALL) $(INSTALL_OWNER) -m 0644 ./sudoers_timestamp.$(mantype) $(DESTDIR)$(mandirform)/sudoers_timestamp.$(mansectform)
@LDAP@$(INSTALL) $(INSTALL_OWNER) -m 0644 ./sudoers.ldap.$(mantype) $(DESTDIR)$(mandirform)/sudoers.ldap.$(mansectform)
@if test -n "$(MANCOMPRESS)"; then \
for f in $(mandirexe)/cvtsudoers.1 $(mandirsu)/sudo.$(mansectsu) $(mandirsu)/sudo_logsrvd.$(mansectsu) $(mandirsu)/sudo_plugin.$(mansectsu) $(mandirsu)/sudo_plugin_python.$(mansectsu) $(mandirsu)/sudo_sendlog.$(mansectsu) $(mandirsu)/sudoreplay.$(mansectsu) $(mandirsu)/visudo.$(mansectsu) $(mandirform)/sudo.conf.$(mansectform) $(mandirform)/sudo_logsrv.proto.$(mansectform) $(mandirform)/sudo_logsrvd.conf.$(mansectform) $(mandirform)/sudoers.$(mansectform) $(mandirform)/sudoers_timestamp.$(mansectform) $(mandirform)/sudoers.ldap.$(mansectform); do \
if test -f $(DESTDIR)$$f; then \
echo $(MANCOMPRESS) -f $(DESTDIR)$$f; \
$(MANCOMPRESS) -f $(DESTDIR)$$f; \
fi; \
done; \
rm -f $(DESTDIR)$(mandirsu)/sudoedit.$(mansectsu)$(MANCOMPRESSEXT); \
echo ln -s sudo.$(mansectsu)$(MANCOMPRESSEXT) $(DESTDIR)$(mandirsu)/sudoedit.$(mansectsu)$(MANCOMPRESSEXT); \
ln -s sudo.$(mansectsu)$(MANCOMPRESSEXT) $(DESTDIR)$(mandirsu)/sudoedit.$(mansectsu)$(MANCOMPRESSEXT); \
else \
rm -f $(DESTDIR)$(mandirsu)/sudoedit.$(mansectsu); \
echo ln -s sudo.$(mansectsu) $(DESTDIR)$(mandirsu)/sudoedit.$(mansectsu); \
ln -s sudo.$(mansectsu) $(DESTDIR)$(mandirsu)/sudoedit.$(mansectsu); \
fi
install-plugin:
install-fuzzer:
uninstall:
-rm -rf $(DESTDIR)$(docdir)
-rm -f $(DESTDIR)$(mandirexe)/cvtsudoers.1 \
$(DESTDIR)$(mandirsu)/sudo.$(mansectsu) \
$(DESTDIR)$(mandirsu)/sudoedit.$(mansectsu) \
$(DESTDIR)$(mandirsu)/sudo_logsrvd.$(mansectsu) \
$(DESTDIR)$(mandirsu)/sudo_plugin.$(mansectsu) \
$(DESTDIR)$(mandirsu)/sudo_plugin_python.$(mansectsu) \
$(DESTDIR)$(mandirsu)/sudo_sendlog.$(mansectsu) \
$(DESTDIR)$(mandirsu)/sudoreplay.$(mansectsu) \
$(DESTDIR)$(mandirsu)/visudo.$(mansectsu) \
$(DESTDIR)$(mandirform)/sudo.conf.$(mansectform) \
$(DESTDIR)$(mandirform)/sudo_logsrv.proto.$(mansectform) \
$(DESTDIR)$(mandirform)/sudo_logsrvd.conf.$(mansectform) \
$(DESTDIR)$(mandirform)/sudoers.$(mansectform) \
$(DESTDIR)$(mandirform)/sudoers_timestamp.$(mansectform) \
$(DESTDIR)$(mandirform)/sudoers.ldap.$(mansectform)
splint:
cppcheck:
pvs-log-files:
pvs-studio:
fuzz:
check-fuzzer:
check: check-fuzzer
clean:
-rm -f fixman.sed
mostlyclean: clean
distclean: clean
-rm -rf Makefile config.log *.man *.mdoc
clobber: distclean
realclean: distclean
cleandir: distclean
.PHONY: clean mostlyclean distclean cleandir clobber realclean

295
docs/TROUBLESHOOTING Normal file
View File

@@ -0,0 +1,295 @@
Troubleshooting tips and FAQ for Sudo
=====================================
Q) When I run configure, it says "C compiler cannot create executables".
A) This usually means you either don't have a working compiler. This
could be due to the lack of a license or that some component of the
compiler suite could not be found. Check config.log for clues as
to why this is happening. On many systems, compiler components live
in /usr/ccs/bin which may not be in your PATH environment variable.
Q) When I run configure, it says "sudo requires the 'ar' utility to build".
A) As part of the build process, sudo creates a temporary library containing
objects that are shared amongst the different sudo executables.
On Unix systems, the "ar" utility is used to do this. This error
indicates that "ar" is missing on your system. On Solaris systems,
you may need to install the SUNWbtool package. On other systems
"ar" may be included in the GNU binutils package.
Q) Sudo compiles and installs OK but when I try to run it I get:
/usr/local/bin/sudo must be owned by uid 0 and have the setuid bit set
A) Sudo must be setuid root to do its work. Either /usr/local/bin/sudo
is not owned by uid 0 or the setuid bit is not set. This should have
been done for you by "make install" but you can fix it manually by
running the following as root:
# chown root /usr/local/bin/sudo; chmod 4755 /usr/local/bin/sudo
Q) Sudo compiles and installs OK but when I try to run it I get:
effective uid is not 0, is /usr/local/bin/sudo on a file system with the
'nosuid' option set or an NFS file system without root privileges?
A) The owner and permissions on the sudo binary appear to be OK but when
sudo ran, the setuid bit did not have an effect. There are two common
causes for this. The first is that the file system the sudo binary
is located on is mounted with the 'nosuid' mount option, which disables
setuid binaries. The output of the "mount" command should tell you if
the file system is mounted with the 'nosuid' option. The other possible
cause is that sudo is installed on an NFS-mounted file system that is
exported without root privileges. By default, NFS file systems are
exported with uid 0 mapped to a non-privileged uid (usually -2). You
should be able to determine whether sudo is located on an NFS-mounted
filesystem by running "df `which sudo'".
Q) Sudo never gives me a chance to enter a password using PAM, it just
says 'Sorry, try again.' three times and exits.
A) You didn't setup PAM to work with sudo. On RedHat Linux or Fedora
Core this generally means installing the sample pam.conf file as
/etc/pam.d/sudo. See the example pam.conf file for hints on what
to use for other Linux systems.
Q) Sudo says 'Account expired or PAM config lacks an "account"
section for sudo, contact your system administrator' and exits
but I know my account has not expired.
A) Your PAM config lacks an "account" specification. On Linux this
usually means you are missing a line like:
account required pam_unix.so
in /etc/pam.d/sudo.
Q) Sudo is setup to log via syslog(3) but I'm not getting any log
messages.
A) Make sure you have an entry in your syslog.conf file to save
the sudo messages (see the example syslog.conf file). The default
log facility is authpriv (changeable via configure or in sudoers).
Don't forget to send a SIGHUP to your syslogd so that it re-reads
its conf file. Also, remember that syslogd does *not* create
log files, you need to create the file before syslogd will log
to it (ie: touch /var/log/sudo).
Note: the facility (e.g. "auth.debug") must be separated from the
destination (e.g. "/var/log/auth" or "@loghost") by
tabs, *not* spaces. This is a common error.
Q) When sudo asks me for my password it never accepts what I enter even
though I know I entered my password correctly.
A) If you are not using pam and your system uses shadow passwords,
it is possible that sudo didn't properly detect that shadow
passwords are in use. Take a look at the generated config.h
file and verify that the C function used for shadow password
look ups was detected. For instance, for SVR4-style shadow
passwords, HAVE_GETSPNAM should be defined (you can search for
the string "shadow passwords" in config.h with your editor).
Note that there is no define for 4.4BSD-based shadow passwords
since that just uses the standard getpw* routines.
Q) Can sudo use the ssh agent for authentication instead of asking
for the user's Unix password?
A) Not directly, but you can use a PAM module like pam_ssh_agent_auth
or pam_ssh for this purpose.
Q) I don't want the sudoers file in /etc, how can I specify where it
should go?
A) Use the --sysconfdir option to configure. Ie:
configure --sysconfdir=/dir/you/want/sudoers/in
Q) Can I put the sudoers file in NIS/NIS+ or do I have to have a
copy on each machine?
A) There is no support for making an NIS/NIS+ map/table out of
the sudoers file at this time. You can distribute the sudoers
file via rsync or rdist. It is also possible to NFS-mount the
sudoers file. If you use LDAP at your site you may be interested
in sudo's LDAP sudoers support, see the README.LDAP file and the
sudoers.ldap manual.
Q) I don't run sendmail on my machine. Does this mean that I cannot
use sudo?
A) No, you just need to disable mailing with a line like:
Defaults !mailerpath
in your sudoers file or run configure with the --without-sendmail
option.
Q) When I run visudo it uses vi as the editor and I hate vi. How
can I make it use another editor?
A) You can specify the editor to use in visudo in the sudoers file.
See the "editor" and "env_editor" entries in the sudoers manual.
The defaults can also be set at configure time using the
--with-editor and --with-env-editor configure options.
Q) Sudo appears to be removing some variables from the environment, why?
A) By default, sudo runs commands with a new, minimal environment.
The "env_keep" setting in sudoers can be used to control which
environment variables are preserved from the invoking user's
environment via the "env_keep" setting in sudoers.
While it is possible to disable the "env_reset" setting, which
will preserve all environment variables that don't match a black
list, doing so is strongly discouraged. See the "Command
environment" section of the sudoers manual for more information.
Q) Why does sudo reset the HOME environment variable?
A) Many programs use the HOME environment variable to locate
configuration and data files. Often, these configuration files
are treated as trusted input that affects how the program operates.
By controlling the configuration files, a user may be able to
cause the program to execute other commands without sudo's
restrictions or logging.
Some programs perform extra checks when the real and effective
user-IDs differ, but because sudo runs commands with all user-IDs
set to the target user, these checks are insufficient.
While it is possible to preserve the value of the HOME environment
variable by adding it to the "env_keep" list in the sudoers file,
doing so is strongly discouraged. Users wishing to edit files
with sudo should run sudoedit (or sudo -e) to get their accustomed
editor configuration instead of invoking the editor directly.
Q) How can I keep sudo from asking for a password?
A) To specify this on a per-user (and per-command) basis, use the
'NOPASSWD' tag right before the command list in sudoers. See
the sudoers man page and examples/sudoers for details. To disable
passwords completely, add !authenticate" to the Defaults line
in /etc/sudoers. You can also turn off authentication on a
per-user or per-host basis using a user or host-specific Defaults
entry in sudoers. To hard-code the global default, you can
configure with the --without-passwd option.
Q) When I run configure, it dies with the following error:
"no acceptable cc found in $PATH".
A) /usr/ucb/cc was the only C compiler that configure could find.
You need to tell configure the path to the "real" C compiler
via the --with-CC option. On Solaris, the path is probably
something like "/opt/SUNWspro/SC4.0/bin/cc". If you have gcc
that will also work.
Q) When I run configure, it dies with the following error:
Fatal Error: config.cache exists from another platform!
Please remove it and re-run configure.
A) configure caches the results of its tests in a file called
config.cache to make re-running configure speedy. However,
if you are building sudo for a different platform the results
in config.cache will be wrong so you need to remove config.cache.
You can do this by "rm config.cache" or "make realclean".
Note that "make realclean" will also remove any object files
and configure temp files that are laying around as well.
Q) I built sudo on a Solaris 11 (or higher) machine but the resulting
binary doesn't work older Solaris versions. Why?
A) Starting with Solaris 11, asprintf(3) is included in the standard
C library. To build a version of sudo on a Solaris 11 machine that
will run on an older Solaris release, edit config.h and comment out
the lines:
#define HAVE_ASPRINTF 1
#define HAVE_VASPRINTF 1
and run make.
Q) When I run "visudo" it says "sudoers file busy, try again later."
and doesn't do anything.
A) Someone else is currently editing the sudoers file with visudo.
Q) When I try to use "cd" with sudo it says "cd: command not found".
A) "cd" is a shell built-in command, you can't run it as a command
since a child process (sudo) cannot affect the current working
directory of the parent (your shell).
Q) When I try to use "cd" with sudo the command completes without
errors but nothing happens.
A) Even though "cd" is a shell built-in command, some operating systems
include a /usr/bin/cd command for some reason. A standalone
"cd" command is totally useless since a child process (cd) cannot
affect the current working directory of the parent (your shell).
Thus, "sudo cd /foo" will start a child process, change the
directory and immediately exit without doing anything useful.
Q) When I run sudo it says I am not allowed to run the command as root
but I don't want to run it as root, I want to run it as another user.
My sudoers file entry looks like:
bob ALL=(oracle) ALL
A) The default user sudo tries to run things as is always root, even if
the invoking user can only run commands as a single, specific user.
This may change in the future but at the present time you have to
work around this using the 'runas_default' option in sudoers.
For example:
Defaults:bob runas_default=oracle
would achieve the desired result for the preceding sudoers fragment.
Q) When I try to run sudo via ssh, I get the error:
sudo: a terminal is required to read the password; either use the -S
option to read from standard input or configure an askpass helper
A) If sudo needs to authenticate a user, it requires access to the user's
terminal to disable echo so the password is not displayed to the screen.
The above message indicates that no terminal was present.
When running a command via ssh, a terminal is not allocated by default
which can cause this message. The "-t" option to ssh will force it to
allocate a tty. Alternately, you may be able to use the ssh-askpass
utility to prompt for the password if X11 forwarding is enabled and an
askpass helper is configured in the sudo.conf file. If you do not mind
your password being echoed to the screen, you may use sudo's -S option
to read the password from the standard input. Alternately, you may set
the "visiblepw" sudoers option which will allow the password to be entered
even when echo cannot be disabled, though this is not recommended.
Q) When I try to use SSL-enabled LDAP with sudo I get an error:
unable to initialize SSL cert and key db: security library: bad database.
you must set TLS_CERT in /etc/ldap.conf to use SSL
A) On systems that use a Mozilla-derived LDAP SDK there must be a
certificate database in place to use SSL-encrypted LDAP connections.
This file is usually /var/ldap/cert8.db or /etc/ldap/cert8.db.
The actual number after "cert" will vary, depending on the version
of the LDAP SDK that is being used. If you do not have a certificate
database you can either copy one from a mozilla-derived browser, such
as firefox, or create one using the "certutil" command. You can run
"certutil" as follows and press the <return> (or <enter>) key at the
password prompt:
# certutil -N -d /var/ldap
Enter a password which will be used to encrypt your keys.
The password should be at least 8 characters long,
and should contain at least one non-alphabetic character.
Enter new password: <return>
Re-enter password: <return>
Q) On HP-UX, the umask setting in sudoers has no effect.
A) If your /etc/pam.conf file has the libpam_hpsec.so.1 session module
enabled, you may need to a add line like the following to pam.conf:
sudo session required libpam_hpsec.so.1 bypass_umask
Q) When I run "sudo -i shell_alias" I get "command not found" even
though the alias is defined in my shell startup files.
A) Commands run via "sudo -i" are executed by the shell in
non-interactive mode. The bash shell will only parse aliases in
interactive mode unless the "expand_aliases" shell option is
set. If you add "shopt -s expand_aliases" to your .bash_profile
(or .profile if using that instead) the aliases should now be
available to "sudo -i".
Q) When I run sudo on AIX I get the following error:
setuidx(ID_EFFECTIVE|ID_REAL|ID_SAVED, ROOT_UID): Operation not permitted.
A) AIX's Enhanced RBAC is preventing sudo from running. To fix
this, add the following entry to /etc/security/privcmds (adjust
the path to sudo as needed) and run the setkst command as root:
/usr/local/bin/sudo:
accessauths = ALLOW_ALL
innateprivs = PV_DAC_GID,PV_DAC_R,PV_DAC_UID,PV_DAC_X,PV_FS_CHOWN,PV_PROC_PRIO,PV_NET_PORT,PV_NET_CNTL,PV_SU_UID
secflags = FSF_EPS
Q) Sudo configures and builds without error but when I run it I get
a Segmentation fault.
A) If you are on a Linux system, the first thing to try is to run
configure with the --disable-pie option, then "make clean" and
"make". If that fixes the problem then your operating system
does not properly support position independent executables.
Please send a message to sudo@sudo.ws with system details such
as the Linux distro, kernel version and CPU architecture.
Q) When I run configure I get the following error:
dlopen present but libtool doesn't appear to support your platform.
A) Libtool doesn't know how to support dynamic linking on the operating
system you are building for. If you are cross-compiling, you need to
specify the operating system, not just the CPU type. For example:
--host powerpc-unknown-linux
instead of just:
--host powerpc
Q) How do you pronounce `sudo'?
A) The official pronunciation is soo-doo (for su "do"). However, an
alternate pronunciation, a homophone of "pseudo", is also common.

560
docs/UPGRADE Normal file
View File

@@ -0,0 +1,560 @@
Notes on upgrading from an older release
========================================
o Upgrading from a version prior to 1.9.9:
On systems where SELinux is enabled and sudo is built with
SELinux support, if the user's role is not "unconfined_r" sudo
will always execute commands via the "sesh" helper program.
Previously, commands were only executed via "sesh" if a role
was specified in the sudoers file rule or by the user on the
command line.
Sudo now runs commands with the core limit resource limit set
to 0 by default. While most operating systems restrict core
dumps of set-user-ID programs like sudo, this protection is
lost when sudo executes a command. By disabling core dumps by
default, it is possible to avoid potential security problems
such as those seen with the Linux logrotate utility, which could
interpret a core dump as a valid configuration file.
o Upgrading from a version prior to 1.9.7:
Sudo now links with OpenSSL 1.0.1 or higher by default if it
is present on the system unless it is explicitly disabled (via
--disable-openssl), or unless the sudo log client and server
code is disabled (via --disable-log-client and --disable-log-server).
As a result, the sudo log server (and the client built into the
sudoers plugin) now support TLS connections by default.
o Upgrading from a version prior to 1.9.3:
Due to the addition of the CHROOT and CWD options, it is no
longer possible to declare an alias with one of those names.
If a sudoers file has an alias with one of those names, sudo
and visudo will report a syntax error with a message like
"syntax error: unexpected CHROOT, expecting ALIAS".
Starting with version 1.9.3, sudoers rules must end in either
a newline or the end-of-file. This makes it possible to provide
better error messages. Previously, it was possible to include
multiple rules on a single line, separated by white space.
Starting with version 1.9.3, sudo will attempt to recover from
a syntax error in the sudoers file by discarding the portion
of the line that contains the error until the end of the line.
To restore the historic behavior of refusing to run when a
syntax error is encountered, add "error_recovery=false" as a
plugin option in sudo.conf for the "sudoers_audit" plugin, (or
"sudoers_policy" if there is no "sudoers_audit" plugin configured).
o Upgrading from a version prior to 1.9.1:
Starting with version 1.9.1, sudoers plugin arguments in sudo.conf
should be specified for the "sudoers_audit" plugin, not
"sudoers_policy". This is because the sudoers file is now
opened and parsed by the "sudoers_audit" plugin. Previously,
this was done by the "sudoers_policy" plugin. The use of an
audit plugin makes it possible for the sudoers module to detect
when a command has been rejected by an approval plugin and only
log commands that are allowed by both policy and approval
plugins.
o Upgrading from a version prior to 1.8.30:
Starting with version 1.8.30, sudo will no longer allow commands
to be run as a user or group ID that is not in the password or
group databases by default. Previously, sudo would always allow
unknown user or group IDs if the sudoers entry permitted it,
including via the "ALL" alias. The old behavior can be restored
by setting the new "allow_unknown_runas_id" Defaults setting
in the sudoers file.
o Upgrading from a version prior to 1.8.29:
Starting with version 1.8.29, if the umask is explicitly set
in sudoers, that value is used regardless of the umask specified
by PAM or login.conf. However, if the umask is not explicitly
set in sudoers, PAM or login.conf may now override the default
sudoers umask. Previously, the sudoers umask always overrode
the umask set by PAM, which was not the documented behavior.
o Upgrading from a version prior to 1.8.28:
Starting with version 1.8.28, sudo stores the signal that caused
a command to be suspended or resumed as a string in the I/O log
timing file. The version of sudoreplay included with sudo
1.8.28 can process either type of I/O log file but older versions
of sudoreplay are unable to replay the newer logs.
Starting with version 1.8.28, sudoedit honors the umask and
umask_override settings in sudoers. Previously, the user's
umask was used as-is.
o Upgrading from a version prior to 1.8.26:
Starting with version 1.8.26, sudo no long sets the USERNAME
environment variable when running commands. This is a non-standard
environment variable that was set on some older Linux systems.
Sudo still sets the LOGNAME, USER and, on AIX systems, LOGIN
environment variables.
Handling of the LOGNAME, USER (and on AIX, LOGIN) environment
variables has changed slightly in version 1.8.26. Sudo now
treats those variables as a single unit. This means that if
one variable is preserved or removed from the environment using
env_keep, env_check or env_delete, the others are too.
o Upgrading from a version prior to 1.8.23:
In sudo 1.8.23 the "sudoers2ldif" script and the "visudo -x"
functionality has been superseded by the "cvtsudoers" utility.
The cvtsudoers utility is intended to be a drop-in replacement
for "sudoers2ldif". Because it uses the same parser as sudo
and visudo, cvtsudoers can perform a more accurate conversion
than sudoers2ldif could.
To convert a sudoers file to JSON, the format option must be
specified. For example, instead of:
visudo -f sudoers_file -x output_file
one would use:
cvtsudoers -f json -o output_file sudoers_file
Note that unlike "visudo -x", "cvtsudoers" reads from the
standard input by default. Also, the base DN may be specified
on the command line, if desired, using the -b option.
o Upgrading from a version prior to 1.8.20:
Due to the addition of the TIMEOUT, NOTBEFORE and NOTAFTTER
options, it is no longer possible to declare an alias with one
of those names. If a sudoers file has an alias with one of
those names, sudo and visudo will report a syntax error with a
message like "syntax error: unexpected TIMEOUT, expecting ALIAS".
Starting with version 1.9.3, sudoers rules must end in either
Prior to version 1.8.20, when log_input, log_output or use_pty
were enabled, if any of the standard input, output or error
were not connected to a terminal, sudo would use a pipe. The
pipe allows sudo to interpose itself between the old standard
input, output or error and log the contents. Beginning with
version 1.8.20, a pipe is only used when I/O logging is enabled.
If use_pty is set without log_input or log_output, no pipe will
be used. Additionally, if log_input is set without log_output,
a pipe is only used for the standard input. Likewise, if
log_output is set without log_input, a pipe is only used for
the standard output and standard error. This results in a
noticeable change in behavior if the use_pty flag is set and no
terminal is present when running commands such as scripts that
execute other commands asynchronously (in the background).
Previously, sudo would exit immediately, causing background
commands to terminate with a broken pipe if they attempt to
write to the standard output or standard error. As of version
1.8.20, a pipe will not be used in this case so the command
will no longer be terminated.
o Upgrading from a version prior to 1.8.16:
When editing files with sudoedit, files in a directory that is
writable by the invoking user may no longer be edited by default.
Also, sudoedit will refuse to follow a symbolic link in the
path to be edited if that directory containing the link is
writable by the user. This behavior can be disabled by negating
the sudoedit_checkdir sudoers option, which is now enabled by
default.
o Upgrading from a version prior to 1.8.15:
Prior to version 1.8.15, when env_reset was enabled (the default)
and the -s option was not used, the SHELL environment variable
was set to the shell of the invoking user. In 1.8.15 and above,
when env_reset is enabled and the -s option is not used, SHELL
is set based on the target user.
When editing files with sudoedit, symbolic links will no longer
be followed by default. The old behavior can be restored by
enabling the sudoedit_follow option in sudoers or on a per-command
basis with the FOLLOW and NOFOLLOW tags.
Prior to version 1.8.15, groups listed in sudoers that were not
found in the system group database were passed to the group
plugin, if any. Starting with 1.8.15, only groups of the form
%:group are resolved via the group plugin by default. The old
behavior can be restored by using the always_query_group_plugin
sudoers option.
Locking of the time stamp file has changed in sudo 1.8.15.
Previously, the user's entire time stamp file was locked while
retrieving and updating a time stamp record. Now, only a single
record, specific to the tty or parent process ID, is locked.
This lock is held while the user enters their password. If
sudo is suspended at the password prompt (or run in the
background), the lock is dropped until sudo is resumed, at which
point it will be reacquired. This allows sudo to be used in a
pipeline even when a password is required--only one instance
of sudo will prompt for a password.
o Upgrading from a version prior to 1.8.14:
On HP-UX, sudo will no longer check for "plugin.sl" if "plugin.so"
is specified but does not exist. This was a temporary hack for
backward compatibility with Sudo 1.8.6 and below when the
plugin path name was not listed in sudo.conf. A plugin path
name that explicitly ends in ".sl" will still work as expected.
o Upgrading from a version prior to 1.8.12:
On Solaris, sudo is now able to determine the NIS domain name.
As a result, if you had previously been using netgroups that
do not include the domain, you will need to either set the
domain in the entry or leave the domain part of the tuple blank.
For example, the following will no longer work:
my-hosts (foo,-,-) (bar,-,-) (baz,-,-)
and should be changed to:
my-hosts (foo,-,) (bar,-,) (baz,-,)
o Upgrading from a version prior to 1.8.10:
The time stamp file format has changed in sudo 1.8.10. There
is now a single time stamp file for each user, even when tty-based
time stamps are used. Each time stamp file may contain multiple
records to support tty-based time stamps as well as multiple
authentication users. On systems that support it, monotonic
time is stored instead of wall clock time. As a result, it is
important that the time stamp files not persist when the system
reboots. For this reason, the default location for the time
stamp files has changed back to a directory located in /var/run.
Systems that do not have /var/run (e.g. AIX) or that do not clear
it on boot (e.g. HP-UX) will need to clear the time stamp
directory via a start up script. Such a script is installed by
default on AIX and HP-UX systems.
Because there is now a single time stamp file per user, the -K
option will remove all of the user's time stamps, not just the
time stamp for the current terminal.
Lecture status is now stored separately from the time stamps
in a separate directory: /var/db/sudo/lectured, /var/lib/sudo/lectured
or /var/adm/sudo/lectured depending on what is present on the
system.
LDAP-based sudoers now uses a default search filter of
(objectClass=sudoRole) for more efficient queries. It is
possible to disable the default search filter by specifying
SUDOERS_SEARCH_FILTER in ldap.conf but omitting a value.
o Upgrading from a version prior to 1.8.7:
Sudo now stores its libexec files in a "sudo" sub-directory
instead of in libexec itself. For backward compatibility, if
the plugin is not found in the default plugin directory, sudo
will check the parent directory default directory ends in "/sudo".
The default sudo plugins now all use the .so extension, regardless
of the extension used by system shared libraries. For backward
compatibility, sudo on HP-UX will also search for a plugin with
an .sl extension if the .so version is not found.
Handling of users belonging to a large number of groups has
changed. Previously, sudo would only use the group list from
the kernel unless the system_group plugin was enabled in sudoers.
Now, sudo will query the groups database if the user belongs
to the maximum number of groups supported by the kernel. See
the group_source and max_groups settings in the sudo.conf manual
for details.
o Upgrading from a version prior to 1.8.2:
When matching Unix groups in the sudoers file, sudo will now
match based on the name of the group as it appears in sudoers
instead of the group-ID. This can substantially reduce the
number of group lookups for sudoers files that contain a large
number of groups. There are a few side effects of this change.
1) Unix groups with different names but the same group-ID are
can no longer be used interchangeably. Sudo will look up all
of a user's groups by group-ID and use the resulting group
names when matching sudoers entries. If there are multiple
groups with the same ID, the group name returned by the
system getgrgid() library function is the name that will be
used when matching sudoers entries.
2) Unix group names specified in the sudoers file that are
longer than the system maximum will no longer match. For
instance, if there is a Unix group "fireflie" on a system
where group names are limited to eight characters, "%fireflies"
in sudoers will no longer match "fireflie". Previously, a
lookup by name of the group "fireflies" would have matched
the "fireflie" group on most systems.
The legacy group matching behavior may be restored by enabling
the match_group_by_gid Defaults option in sudoers available
in sudo 1.8.18 and higher.
o Upgrading from a version prior to 1.8.1:
Changes in the sudoers parser could result in parse errors for
existing sudoers file. These changes cause certain erroneous
entries to be flagged as errors where before they allowed.
Changes include:
Combining multiple Defaults entries with a backslash. E.g.
Defaults set_path \
Defaults syslog
which should be:
Defaults set_path
Defaults syslog
Also, double-quoted strings with a missing end-quote are now
detected and result in an error. Previously, text starting a
double quote and ending with a newline was ignored. E.g.
Defaults set_path"foo
In previous versions of sudo, the `"foo' portion would have
been ignored.
To avoid problems, sudo 1.8.1's "make install" will not install
a new sudo binary if the existing sudoers file has errors.
In Sudo 1.8.1 the "noexec" functionality has moved out of the
sudoers policy plugin and into the sudo front-end. As a result,
the path to the noexec file is now specified in the sudo.conf
file instead of the sudoers file. If you have a sudoers file
that uses the "noexec_file" option, you will need to move the
definition to the sudo.conf file instead.
Old style in /etc/sudoers:
Defaults noexec_file=/usr/local/libexec/sudo_noexec.so
New style in /etc/sudo.conf:
Path noexec /usr/local/libexec/sudo_noexec.so
o Upgrading from a version prior to 1.8.0:
Starting with version 1.8.0, sudo uses a modular framework to
support policy and I/O logging plugins. The default policy
plugin is "sudoers" which provides the traditional sudoers
evaluation and I/O logging. Plugins are typically located in
/usr/libexec or /usr/local/libexec, though this is system-dependent.
The sudoers plugin is named "sudoers.so" on most systems.
The sudo.conf file, usually stored in /etc, is used to configure
plugins. This file is optional--if no plugins are specified
in sudo.conf, the "sudoers" plugin is used. See the example
sudo.conf file in the docs directory or refer to the updated
sudo manual to see how to configure sudo.conf.
The "askpass" setting has moved from the sudoers file to the
sudo.conf file. If you have a sudoers file that uses the
"askpass" option, you will need to move the definition to the
sudo.conf file.
Old style in /etc/sudoers:
Defaults askpass=/usr/X11R6/bin/ssh-askpass
New style in /etc/sudo.conf:
Path askpass /usr/X11R6/bin/ssh-askpass
o Upgrading from a version prior to 1.7.5:
Sudo 1.7.5 includes an updated LDAP schema with support for
the sudoNotBefore, sudoNotAfter and sudoOrder attributes.
The sudoNotBefore and sudoNotAfter attribute support is only
used when the SUDOERS_TIMED setting is enabled in ldap.conf.
If enabled, those attributes are used directly when constructing
an LDAP filter. As a result, your LDAP server must have the
updated schema if you want to use sudoNotBefore and sudoNotAfter.
The sudoOrder support does not affect the LDAP filter sudo
constructs and so there is no need to explicitly enable it in
ldap.conf. If the sudoOrder attribute is not present in an
entry, a value of 0 is used. If no entries contain sudoOrder
attributes, the results are in whatever order the LDAP server
returns them, as in past versions of sudo.
Older versions of sudo will simply ignore the new attributes
if they are present in an entry. There are no compatibility
problems using the updated schema with older versions of sudo.
o Upgrading from a version prior to 1.7.4:
Starting with sudo 1.7.4, the time stamp files have moved from
/var/run/sudo to either /var/db/sudo, /var/lib/sudo or /var/adm/sudo.
The directories are checked for existence in that order. This
prevents users from receiving the sudo lecture every time the
system reboots. Time stamp files older than the boot time are
ignored on systems where it is possible to determine this.
Additionally, the tty_tickets sudoers option is now enabled by
default. To restore the old behavior (single time stamp per user),
add a line like:
Defaults !tty_tickets
to sudoers or use the --without-tty-tickets configure option.
The HOME and MAIL environment variables are now reset based on the
target user's password database entry when the env_reset sudoers option
is enabled (which is the case in the default configuration). Users
wishing to preserve the original values should use a sudoers entry like:
Defaults env_keep += HOME
to preserve the old value of HOME and
Defaults env_keep += MAIL
to preserve the old value of MAIL.
NOTE: preserving HOME has security implications since many programs
use it when searching for configuration files. Adding HOME to env_keep
may enable a user to run unrestricted commands via sudo.
The default syslog facility has changed from "local2" to "authpriv"
(or "auth" if the operating system doesn't have "authpriv").
The --with-logfac configure option can be used to change this
or it can be changed in the sudoers file.
o Upgrading from a version prior to 1.7.0:
Starting with sudo 1.7.0, comments in the sudoers file must not
have a digit or minus sign immediately after the comment character
('#'). Otherwise, the comment may be interpreted as a user or
group-ID.
When sudo is build with LDAP support the /etc/nsswitch.conf file is
now used to determine the sudoers sea ch order. sudo will default to
only using /etc/sudoers unless /etc/nsswitch.conf says otherwise.
This can be changed with an nsswitch.conf line, e.g.:
sudoers: ldap files
Would case LDAP to be searched first, then the sudoers file.
To restore the pre-1.7.0 behavior, run configure with the
--with-nsswitch=no flag.
Sudo now ignores user .ldaprc files as well as system LDAP defaults.
All LDAP configuration is now in /etc/ldap.conf (or whichever file
was specified by configure's --with-ldap-conf-file option).
If you are using TLS, you may now need to specify:
tls_checkpeer no
in sudo's ldap.conf unless ldap.conf references a valid certificate
authority file(s).
Please also see the NEWS file for a list of new features in
sudo 1.7.0.
o Upgrading from a version prior to 1.6.9:
Starting with sudo 1.6.9, if an OS supports a modular authentication
method such as PAM, it will be used by default by configure.
Environment variable handling has changed significantly in sudo
1.6.9. Prior to version 1.6.9, sudo would preserve the user's
environment, pruning out potentially dangerous variables.
Beginning with sudo 1.6.9, the environment is reset to a default
set of values with only a small number of "safe" variables
preserved. To preserve specific environment variables, add
them to the "env_keep" list in sudoers. E.g.
Defaults env_keep += "EDITOR"
The old behavior can be restored by negating the "env_reset"
option in sudoers. E.g.
Defaults !env_reset
There have also been changes to how the "env_keep" and
"env_check" options behave.
Prior to sudo 1.6.9, the TERM and PATH environment variables
would always be preserved even if the env_keep option was
redefined. That is no longer the case. Consequently, if
env_keep is set with "=" and not simply appended to (i.e. using
"+="), PATH and TERM must be explicitly included in the list
of environment variables to keep. The LOGNAME, SHELL, USER,
and USERNAME environment variables are still always set.
Additionally, the env_check setting previously had no effect
when env_reset was set (which is now on by default). Starting
with sudo 1.6.9, environment variables listed in env_check are
also preserved in the env_reset case, provided that they do not
contain a '/' or '%' character. Note that it is not necessary
to also list a variable in env_keep--having it in env_check is
sufficient.
The default lists of variables to be preserved and/or checked
are displayed when sudo is run by root with the -V flag.
o Upgrading from a version prior to 1.6.8:
Prior to sudo 1.6.8, if /var/run did not exist, sudo would put
the time stamp files in /tmp/.odus. As of sudo 1.6.8, the
time stamp files will be placed in /var/adm/sudo or /usr/adm/sudo
if there is no /var/run directory. This directory will be
created if it does not already exist.
Previously, a sudoers entry that explicitly prohibited running
a command as a certain user did not override a previous entry
allowing the same command. This has been fixed in sudo 1.6.8
such that the last match is now used (as it is documented).
Hopefully no one was depending on the previous (buggy) behavior.
o Upgrading from a version prior to 1.6:
As of sudo 1.6, parsing of runas entries and the NOPASSWD tag
has changed. Prior to 1.6, a runas specifier applied only to
a single command directly following it. Likewise, the NOPASSWD
tag only allowed the command directly following it to be run
without a password. Starting with sudo 1.6, both the runas
specifier and the NOPASSWD tag are "sticky" for an entire
command list. So, given the following line in sudo < 1.6
millert ALL=(daemon) NOPASSWD:/usr/bin/whoami,/bin/ls
millert would be able to run /usr/bin/whoami as user daemon
without a password and /bin/ls as root with a password.
As of sudo 1.6, the same line now means that millert is able
to run run both /usr/bin/whoami and /bin/ls as user daemon
without a password. To expand on this, take the following
example:
millert ALL=(daemon) NOPASSWD:/usr/bin/whoami, (root) /bin/ls, \
/sbin/dump
millert can run /usr/bin/whoami as daemon and /bin/ls and
/sbin/dump as root. No password need be given for either
command. In other words, the "(root)" sets the default runas
user to root for the rest of the list. If we wanted to require
a password for /bin/ls and /sbin/dump the line could be written
as:
millert ALL=(daemon) NOPASSWD:/usr/bin/whoami, \
(root) PASSWD:/bin/ls, /sbin/dump
Additionally, sudo now uses a per-user time stamp directory
instead of a time stamp file. This allows tty time stamps to
simply be files within the user's time stamp dir. For the
default, non-tty case, the time stamp on the directory itself
is used.
Also, the temporary file used by visudo is now /etc/sudoers.tmp
since some versions of vipw on systems with shadow passwords use
/etc/stmp for the temporary shadow file.
o Upgrading from a version prior to 1.5:
By default, sudo expects the sudoers file to be mode 0440 and
to be owned by user and group 0. This differs from version 1.4
and below which expected the sudoers file to be mode 0400 and
to be owned by root. Doing a `make install' will set the sudoers
file to the new mode and group. If sudo encounters a sudoers
file with the old permissions it will attempt to update it to
the new scheme. You cannot, however, use a sudoers file with
the new permissions with an old sudo binary. It is suggested
that if have a means of distributing sudo you distribute the
new binaries first, then the new sudoers file (or you can leave
sudoers as is and sudo will fix the permissions itself as long
as sudoers is on a local file system).

540
docs/cvtsudoers.man.in Normal file
View File

@@ -0,0 +1,540 @@
.\" Automatically generated from an mdoc input file. Do not edit.
.\"
.\" SPDX-License-Identifier: ISC
.\"
.\" Copyright (c) 2018, 2021 Todd C. Miller <Todd.Miller@sudo.ws>
.\"
.\" Permission to use, copy, modify, and distribute this software for any
.\" purpose with or without fee is hereby granted, provided that the above
.\" copyright notice and this permission notice appear in all copies.
.\"
.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
.\"
.TH "CVTSUDOERS" "1" "October 10, 2021" "Sudo @PACKAGE_VERSION@" "General Commands Manual"
.nh
.if n .ad l
.SH "NAME"
\fBcvtsudoers\fR
\- convert between sudoers file formats
.SH "SYNOPSIS"
.HP 11n
\fBcvtsudoers\fR
[\fB\-ehMpV\fR]
[\fB\-b\fR\ \fIdn\fR]
[\fB\-c\fR\ \fIconf_file\fR]
[\fB\-d\fR\ \fIdeftypes\fR]
[\fB\-f\fR\ \fIoutput_format\fR]
[\fB\-i\fR\ \fIinput_format\fR]
[\fB\-I\fR\ \fIincrement\fR]
[\fB\-m\fR\ \fIfilter\fR]
[\fB\-o\fR\ \fIoutput_file\fR]
[\fB\-O\fR\ \fIstart_point\fR]
[\fB\-P\fR\ \fIpadding\fR]
[\fB\-s\fR\ \fIsections\fR]
[\fIinput_file\fR]
.SH "DESCRIPTION"
\fBcvtsudoers\fR
can be used to convert between
\fIsudoers\fR
security policy file formats.
The default input format is sudoers.
The default output format is LDIF.
It is only possible to convert a
\fIsudoers\fR
file that is syntactically correct.
.PP
If no
\fIinput_file\fR
is specified, or if it is
\(oq-\(cq,
the policy is read from the standard input.
By default, the result is written to the standard output.
.PP
The options are as follows:
.TP 12n
\fB\-b\fR \fIdn\fR, \fB\--base\fR=\fIdn\fR
The base DN (distinguished name) that will be used when performing
LDAP queries.
Typically this is of the form
\fRou=SUDOers,dc=my-domain,dc=com\fR
for the domain
\fRmy-domain.com\fR.
If this option is not specified, the value of the
\fRSUDOERS_BASE\fR
environment variable will be used instead.
Only necessary when converting to LDIF format.
.TP 12n
\fB\-c\fR \fIconf_file\fR, \fB\--config\fR=\fIconf_file\fR
Specify the path to the configuration file.
Defaults to
\fI@sysconfdir@/cvtsudoers.conf\fR.
.TP 12n
\fB\-d\fR \fIdeftypes\fR, \fB\--defaults\fR=\fIdeftypes\fR
Only convert
\fRDefaults\fR
entries of the specified types.
One or more
\fRDefaults\fR
types may be specified, separated by a comma
(\(oq\&,\(cq).
The supported types are:
.PP
.RS 12n
.PD 0
.TP 10n
all
All Defaults entries.
.PD
.TP 10n
global
Global Defaults entries that are applied regardless of
user, runas, host or command.
.TP 10n
user
Per-user Defaults entries.
.TP 10n
runas
Per-runas user Defaults entries.
.TP 10n
host
Per-host Defaults entries.
.TP 10n
command
Per-command Defaults entries.
.PP
See the
\fBDefaults\fR
section in
sudoers(@mansectform@)
for more information.
.sp
If the
\fB\-d\fR
option is not specified, all
\fRDefaults\fR
entries will be converted.
.RE
.TP 12n
\fB\-e\fR, \fB\--expand-aliases\fR
Expand aliases in
\fIinput_file\fR.
Aliases are preserved by default when the output
\fIformat\fR
is JSON or sudoers.
.TP 12n
\fB\-f\fR \fIoutput_format\fR, \fB\--output-format\fR=\fIoutput_format\fR
Specify the output format (case-insensitive).
The following formats are supported:
.PP
.RS 12n
.PD 0
.TP 10n
CSV
CSV (comma-separated value) files are often used by spreadsheets
and report generators.
For CSV output,
\fBcvtsudoers\fR
double quotes strings that contain commas.
For each literal double quote character present inside the string,
two double quotes are output.
This method of quoting commas is compatible with most spreadsheet programs.
.PD
.TP 10n
JSON
JSON (JavaScript Object Notation) files are usually easier for
third-party applications to consume than the traditional
\fIsudoers\fR
format.
The various values have explicit types which removes much of the
ambiguity of the
\fIsudoers\fR
format.
.TP 10n
LDIF
LDIF (LDAP Data Interchange Format) files can be imported into an LDAP
server for use with
sudoers.ldap(@mansectform@).
.sp
Conversion to LDIF has the following limitations:
.PP
.RS 10n
.PD 0
.TP 3n
\fB\(bu\fR
Command, host, runas and user-specific Defaults lines cannot be
translated as they don't have an equivalent in the sudoers LDAP schema.
.PD
.TP 3n
\fB\(bu\fR
Command, host, runas and user aliases are not supported by the
sudoers LDAP schema so they are expanded during the conversion.
.PD 0
.PP
.RE
.PD
.TP 10n
sudoers
Traditional sudoers format.
A new sudoers file will be reconstructed from the parsed input file.
Comments are not preserved and data from any include files will be
output inline.
.PD 0
.PP
.RE
.PD
.TP 12n
\fB\--group-file\fR=\fIfile\fR
When the
\fB\-M\fR
option is also specified, perform group queries using
\fIfile\fR
instead of the system group database.
.TP 12n
\fB\-h\fR, \fB\--help\fR
Display a short help message to the standard output and exit.
.TP 12n
\fB\-i\fR \fIinput_format\fR, \fB\--input-format\fR=\fIinput_format\fR
Specify the input format.
The following formats are supported:
.PP
.RS 12n
.PD 0
.TP 10n
LDIF
LDIF (LDAP Data Interchange Format) files can be exported from an LDAP
server to convert security policies used by
sudoers.ldap(@mansectform@).
If a base DN (distinguished name) is specified, only sudoRole objects
that match the base DN will be processed.
Not all sudoOptions specified in a sudoRole can be translated from
LDIF to sudoers format.
.PD
.TP 10n
sudoers
Traditional sudoers format.
This is the default input format.
.PD 0
.PP
.RE
.PD
.TP 12n
\fB\-I\fR \fIincrement\fR, \fB\--increment\fR=\fIincrement\fR
When generating LDIF output, increment each sudoOrder attribute by
the specified number.
Defaults to an increment of 1.
.TP 12n
\fB\-m\fR \fIfilter\fR, \fB\--match\fR=\fIfilter\fR
Only output rules that match the specified
\fIfilter\fR.
A
\fIfilter\fR
expression is made up of one or more
\fBkey =\fR \fIvalue\fR
pairs, separated by a comma
(\(oq\&,\(cq).
The
\fBkey\fR
may be
\(lqcmnd\(rq
(or \(lqcmd\(rq),
\(lqhost\(rq,
\(lqgroup\(rq,
or
\(lquser\(rq.
For example,
\fBuser\fR = \fIoperator\fR
or
\fBhost\fR = \fIwww\fR.
An upper-case Cmnd_Alias, Host_alias, or Host_Alias may be specified as the
\(lqcmnd\(rq,
\(lqhost\(rq,
or
\(lquser\(rq.
.sp
A matching
\fIsudoers\fR
rule may also include users, groups and hosts that are not part of the
\fIfilter\fR.
This can happen when a rule includes multiple users, groups or hosts.
To prune out any non-matching user, group or host from the rules, the
\fB\-p\fR
option may be used.
.sp
By default, the password and group databases are not consulted when matching
against the filter so the users and groups do not need to be present
on the local system (see the
\fB\-M\fR
option).
Only aliases that are referenced by the filtered policy rules will
be displayed.
.TP 12n
\fB\-M\fR, \fB\--match-local\fR
When the
\fB\-m\fR
option is also specified, use password and group database information
when matching users and groups in the filter.
Only users and groups in the filter that exist on the local system will match,
and a user's groups will automatically be added to the filter.
If the
\fB\-M\fR
is
\fInot\fR
specified, users and groups in the filter do not need to exist on the
local system, but all groups used for matching must be explicitly listed
in the filter.
.TP 12n
\fB\-o\fR \fIoutput_file\fR, \fB\--output\fR=\fIoutput_file\fR
Write the converted output to
\fIoutput_file\fR.
If no
\fIoutput_file\fR
is specified, or if it is
\(oq-\(cq,
the converted
\fIsudoers\fR
policy will be written to the standard output.
.TP 12n
\fB\-O\fR \fIstart_point\fR, \fB\--order-start\fR=\fIstart_point\fR
When generating LDIF output, use the number specified by
\fIstart_point\fR
in the sudoOrder attribute of the first sudoRole object.
Subsequent sudoRole object use a sudoOrder value generated by adding an
\fIincrement\fR,
see the
\fB\-I\fR
option for details.
Defaults to a starting point of 1.
A starting point of 0 will disable the generation of sudoOrder
attributes in the resulting LDIF file.
.TP 12n
\fB\--passwd-file\fR=\fIfile\fR
When the
\fB\-M\fR
option is also specified, perform passwd queries using
\fIfile\fR
instead of the system passwd database.
.TP 12n
\fB\-p\fR, \fB\--prune-matches\fR
When the
\fB\-m\fR
option is also specified,
\fBcvtsudoers\fR
will prune out non-matching users, groups and hosts from
matching entries.
.TP 12n
\fB\-P\fR \fIpadding\fR, \fB\--padding\fR=\fIpadding\fR
When generating LDIF output, construct the initial sudoOrder value by
concatenating
\fIorder_start\fR
and
\fIincrement\fR,
padding the
\fIincrement\fR
with zeros until it consists of
\fIpadding\fR
digits.
For example, if
\fIorder_start\fR
is 1027,
\fIpadding\fR
is 3, and
\fIincrement\fR
is 1, the value of sudoOrder for the first entry will be 1027000,
followed by 1027001, 1027002, etc.
If the number of sudoRole entries is larger than the padding would allow,
\fBcvtsudoers\fR
will exit with an error.
By default, no padding is performed.
.TP 12n
\fB\-s\fR \fIsections\fR, \fB\--suppress\fR=\fIsections\fR
Suppress the output of specific
\fIsections\fR
of the security policy.
One or more section names may be specified, separated by a comma
(\(oq\&,\(cq).
The supported section name are:
\fBdefaults\fR,
\fBaliases\fR
and
\fBprivileges\fR
(which may be shortened to
\fBprivs\fR).
.TP 12n
\fB\-V\fR, \fB\--version\fR
Print the
\fBcvtsudoers\fR
and
\fIsudoers\fR
grammar versions and exit.
.PP
Options in the form
\(lqkeyword = value\(rq
may also be specified in a configuration file,
\fI@sysconfdir@/cvtsudoers.conf\fR
by default.
The following keywords are recognized:
.TP 6n
\fBdefaults =\fR \fIdeftypes\fR
See the description of the
\fB\-d\fR
command line option.
.TP 6n
\fBexpand_aliases =\fR \fIyes\fR | \fIno\fR
See the description of the
\fB\-e\fR
command line option.
.TP 6n
\fBinput_format =\fR \fIldif\fR | \fIsudoers\fR
See the description of the
\fB\-i\fR
command line option.
.TP 6n
\fBmatch =\fR \fIfilter\fR
See the description of the
\fB\-m\fR
command line option.
.TP 6n
\fBorder_increment =\fR \fIincrement\fR
See the description of the
\fB\-I\fR
command line option.
.TP 6n
\fBorder_start =\fR \fIstart_point\fR
See the description of the
\fB\-O\fR
command line option.
.TP 6n
\fBoutput_format =\fR \fIcsv\fR | \fIjson\fR | \fIldif\fR | \fIsudoers\fR
See the description of the
\fB\-f\fR
command line option.
.TP 6n
\fBpadding =\fR \fIpadding\fR
See the description of the
\fB\-P\fR
command line option.
.TP 6n
\fBprune_matches =\fR \fIyes\fR | \fIno\fR
See the description of the
\fB\-p\fR
command line option.
.TP 6n
\fBsudoers_base =\fR \fIdn\fR
See the description of the
\fB\-b\fR
command line option.
.TP 6n
\fBsuppress =\fR \fIsections\fR
See the description of the
\fB\-s\fR
command line option.
.PP
Options on the command line will override values from the
configuration file.
.SH "FILES"
.TP 26n
\fI@sysconfdir@/cvtsudoers.conf\fR
default configuration for cvtsudoers
.SH "EXAMPLES"
Convert
\fI/etc/sudoers\fR
to LDIF (LDAP Data Interchange Format) where the
\fIldap.conf\fR
file uses a
\fIsudoers_base\fR
of my-domain,dc=com, storing the result in
\fIsudoers.ldif\fR:
.nf
.sp
.RS 6n
$ cvtsudoers -b ou=SUDOers,dc=my-domain,dc=com -o sudoers.ldif \e
/etc/sudoers
.RE
.fi
.PP
Convert
\fI/etc/sudoers\fR
to JSON format, storing the result in
\fIsudoers.json\fR:
.nf
.sp
.RS 6n
$ cvtsudoers -f json -o sudoers.json /etc/sudoers
.RE
.fi
.PP
Parse
\fI/etc/sudoers\fR
and display only rules that match user
\fIambrose\fR
on host
\fIhastur\fR:
.nf
.sp
.RS 6n
$ cvtsudoers -f sudoers -m user=ambrose,host=hastur /etc/sudoers
.RE
.fi
.PP
Same as above, but expand aliases and prune out any non-matching
users and hosts from the expanded entries.
.nf
.sp
.RS 6n
$ cvtsudoers -ep -f sudoers -m user=ambrose,host=hastur /etc/sudoers
.RE
.fi
.PP
Convert
\fIsudoers.ldif\fR
from LDIF to traditional
\fIsudoers\fR
format:
.nf
.sp
.RS 6n
$ cvtsudoers -i ldif -f sudoers -o sudoers.new sudoers.ldif
.RE
.fi
.SH "SEE ALSO"
sudoers(@mansectform@),
sudoers.ldap(@mansectform@),
sudo(@mansectsu@)
.SH "AUTHORS"
Many people have worked on
\fBsudo\fR
over the years; this version consists of code written primarily by:
.sp
.RS 6n
Todd C. Miller
.RE
.PP
See the CONTRIBUTORS file in the
\fBsudo\fR
distribution (https://www.sudo.ws/contributors.html) for an
exhaustive list of people who have contributed to
\fBsudo\fR.
.SH "BUGS"
If you feel you have found a bug in
\fBcvtsudoers\fR,
please submit a bug report at https://bugzilla.sudo.ws/
.SH "SUPPORT"
Limited free support is available via the sudo-users mailing list,
see https://www.sudo.ws/mailman/listinfo/sudo-users to subscribe or
search the archives.
.SH "DISCLAIMER"
\fBcvtsudoers\fR
is provided
\(lqAS IS\(rq
and any express or implied warranties, including, but not limited
to, the implied warranties of merchantability and fitness for a
particular purpose are disclaimed.
See the LICENSE file distributed with
\fBsudo\fR
or https://www.sudo.ws/license.html for complete details.

463
docs/cvtsudoers.mdoc.in Normal file
View File

@@ -0,0 +1,463 @@
.\"
.\" SPDX-License-Identifier: ISC
.\"
.\" Copyright (c) 2018, 2021 Todd C. Miller <Todd.Miller@sudo.ws>
.\"
.\" Permission to use, copy, modify, and distribute this software for any
.\" purpose with or without fee is hereby granted, provided that the above
.\" copyright notice and this permission notice appear in all copies.
.\"
.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
.\"
.Dd October 10, 2021
.Dt CVTSUDOERS 1
.Os Sudo @PACKAGE_VERSION@
.Sh NAME
.Nm cvtsudoers
.Nd convert between sudoers file formats
.Sh SYNOPSIS
.Nm cvtsudoers
.Op Fl ehMpV
.Op Fl b Ar dn
.Op Fl c Ar conf_file
.Op Fl d Ar deftypes
.Op Fl f Ar output_format
.Op Fl i Ar input_format
.Op Fl I Ar increment
.Op Fl m Ar filter
.Op Fl o Ar output_file
.Op Fl O Ar start_point
.Op Fl P Ar padding
.Op Fl s Ar sections
.Op Ar input_file
.Sh DESCRIPTION
.Nm
can be used to convert between
.Em sudoers
security policy file formats.
The default input format is sudoers.
The default output format is LDIF.
It is only possible to convert a
.Em sudoers
file that is syntactically correct.
.Pp
If no
.Ar input_file
is specified, or if it is
.Ql - ,
the policy is read from the standard input.
By default, the result is written to the standard output.
.Pp
The options are as follows:
.Bl -tag -width Fl
.It Fl b Ar dn , Fl -base Ns = Ns Ar dn
The base DN (distinguished name) that will be used when performing
LDAP queries.
Typically this is of the form
.Li ou=SUDOers,dc=my-domain,dc=com
for the domain
.Li my-domain.com .
If this option is not specified, the value of the
.Ev SUDOERS_BASE
environment variable will be used instead.
Only necessary when converting to LDIF format.
.It Fl c Ar conf_file , Fl -config Ns = Ns Ar conf_file
Specify the path to the configuration file.
Defaults to
.Pa @sysconfdir@/cvtsudoers.conf .
.It Fl d Ar deftypes , Fl -defaults Ns = Ns Ar deftypes
Only convert
.Li Defaults
entries of the specified types.
One or more
.Li Defaults
types may be specified, separated by a comma
.Pq Ql \&, .
The supported types are:
.Bl -tag -width 8n
.It all
All Defaults entries.
.It global
Global Defaults entries that are applied regardless of
user, runas, host or command.
.It user
Per-user Defaults entries.
.It runas
Per-runas user Defaults entries.
.It host
Per-host Defaults entries.
.It command
Per-command Defaults entries.
.El
.Pp
See the
.Sy Defaults
section in
.Xr sudoers @mansectform@
for more information.
.Pp
If the
.Fl d
option is not specified, all
.Li Defaults
entries will be converted.
.It Fl e , Fl -expand-aliases
Expand aliases in
.Ar input_file .
Aliases are preserved by default when the output
.Ar format
is JSON or sudoers.
.It Fl f Ar output_format , Fl -output-format Ns = Ns Ar output_format
Specify the output format (case-insensitive).
The following formats are supported:
.Bl -tag -width 8n
.It CSV
CSV (comma-separated value) files are often used by spreadsheets
and report generators.
For CSV output,
.Nm
double quotes strings that contain commas.
For each literal double quote character present inside the string,
two double quotes are output.
This method of quoting commas is compatible with most spreadsheet programs.
.It JSON
JSON (JavaScript Object Notation) files are usually easier for
third-party applications to consume than the traditional
.Em sudoers
format.
The various values have explicit types which removes much of the
ambiguity of the
.Em sudoers
format.
.It LDIF
LDIF (LDAP Data Interchange Format) files can be imported into an LDAP
server for use with
.Xr sudoers.ldap @mansectform@ .
.Pp
Conversion to LDIF has the following limitations:
.Bl -bullet -width 1n
.It
Command, host, runas and user-specific Defaults lines cannot be
translated as they don't have an equivalent in the sudoers LDAP schema.
.It
Command, host, runas and user aliases are not supported by the
sudoers LDAP schema so they are expanded during the conversion.
.El
.It sudoers
Traditional sudoers format.
A new sudoers file will be reconstructed from the parsed input file.
Comments are not preserved and data from any include files will be
output inline.
.El
.It Fl -group-file Ns = Ns Ar file
When the
.Fl M
option is also specified, perform group queries using
.Ar file
instead of the system group database.
.It Fl h , Fl -help
Display a short help message to the standard output and exit.
.It Fl i Ar input_format , Fl -input-format Ns = Ns Ar input_format
Specify the input format.
The following formats are supported:
.Bl -tag -width 8n
.It LDIF
LDIF (LDAP Data Interchange Format) files can be exported from an LDAP
server to convert security policies used by
.Xr sudoers.ldap @mansectform@ .
If a base DN (distinguished name) is specified, only sudoRole objects
that match the base DN will be processed.
Not all sudoOptions specified in a sudoRole can be translated from
LDIF to sudoers format.
.It sudoers
Traditional sudoers format.
This is the default input format.
.El
.It Fl I Ar increment , Fl -increment Ns = Ns Ar increment
When generating LDIF output, increment each sudoOrder attribute by
the specified number.
Defaults to an increment of 1.
.It Fl m Ar filter , Fl -match Ns = Ns Ar filter
Only output rules that match the specified
.Ar filter .
A
.Ar filter
expression is made up of one or more
.Sy key = Ar value
pairs, separated by a comma
.Pq Ql \&, .
The
.Sy key
may be
.Dq cmnd
.Pq or Dq cmd ,
.Dq host ,
.Dq group ,
or
.Dq user .
For example,
.Sy user No = Ar operator
or
.Sy host No = Ar www .
An upper-case Cmnd_Alias, Host_alias, or Host_Alias may be specified as the
.Dq cmnd ,
.Dq host ,
or
.Dq user .
.Pp
A matching
.Em sudoers
rule may also include users, groups and hosts that are not part of the
.Ar filter .
This can happen when a rule includes multiple users, groups or hosts.
To prune out any non-matching user, group or host from the rules, the
.Fl p
option may be used.
.Pp
By default, the password and group databases are not consulted when matching
against the filter so the users and groups do not need to be present
on the local system (see the
.Fl M
option).
Only aliases that are referenced by the filtered policy rules will
be displayed.
.It Fl M , Fl -match-local
When the
.Fl m
option is also specified, use password and group database information
when matching users and groups in the filter.
Only users and groups in the filter that exist on the local system will match,
and a user's groups will automatically be added to the filter.
If the
.Fl M
is
.Em not
specified, users and groups in the filter do not need to exist on the
local system, but all groups used for matching must be explicitly listed
in the filter.
.It Fl o Ar output_file , Fl -output Ns = Ns Ar output_file
Write the converted output to
.Ar output_file .
If no
.Ar output_file
is specified, or if it is
.Ql - ,
the converted
.Em sudoers
policy will be written to the standard output.
.It Fl O Ar start_point , Fl -order-start Ns = Ns Ar start_point
When generating LDIF output, use the number specified by
.Ar start_point
in the sudoOrder attribute of the first sudoRole object.
Subsequent sudoRole object use a sudoOrder value generated by adding an
.Ar increment ,
see the
.Fl I
option for details.
Defaults to a starting point of 1.
A starting point of 0 will disable the generation of sudoOrder
attributes in the resulting LDIF file.
.It Fl -passwd-file Ns = Ns Ar file
When the
.Fl M
option is also specified, perform passwd queries using
.Ar file
instead of the system passwd database.
.It Fl p , Fl -prune-matches
When the
.Fl m
option is also specified,
.Nm
will prune out non-matching users, groups and hosts from
matching entries.
.It Fl P Ar padding , Fl -padding Ns = Ns Ar padding
When generating LDIF output, construct the initial sudoOrder value by
concatenating
.Ar order_start
and
.Ar increment ,
padding the
.Ar increment
with zeros until it consists of
.Ar padding
digits.
For example, if
.Ar order_start
is 1027,
.Ar padding
is 3, and
.Ar increment
is 1, the value of sudoOrder for the first entry will be 1027000,
followed by 1027001, 1027002, etc.
If the number of sudoRole entries is larger than the padding would allow,
.Nm
will exit with an error.
By default, no padding is performed.
.It Fl s Ar sections , Fl -suppress Ns = Ns Ar sections
Suppress the output of specific
.Ar sections
of the security policy.
One or more section names may be specified, separated by a comma
.Pq Ql \&, .
The supported section name are:
.Sy defaults ,
.Sy aliases
and
.Sy privileges
(which may be shortened to
.Sy privs ) .
.It Fl V , -version
Print the
.Nm
and
.Em sudoers
grammar versions and exit.
.El
.Pp
Options in the form
.Dq keyword = value
may also be specified in a configuration file,
.Pa @sysconfdir@/cvtsudoers.conf
by default.
The following keywords are recognized:
.Bl -tag -width 4n
.It Sy defaults = Ar deftypes
See the description of the
.Fl d
command line option.
.It Sy expand_aliases = Ar yes | no
See the description of the
.Fl e
command line option.
.It Sy input_format = Ar ldif | sudoers
See the description of the
.Fl i
command line option.
.It Sy match = Ar filter
See the description of the
.Fl m
command line option.
.It Sy order_increment = Ar increment
See the description of the
.Fl I
command line option.
.It Sy order_start = Ar start_point
See the description of the
.Fl O
command line option.
.It Sy output_format = Ar csv | json | ldif | sudoers
See the description of the
.Fl f
command line option.
.It Sy padding = Ar padding
See the description of the
.Fl P
command line option.
.It Sy prune_matches = Ar yes | no
See the description of the
.Fl p
command line option.
.It Sy sudoers_base = Ar dn
See the description of the
.Fl b
command line option.
.It Sy suppress = Ar sections
See the description of the
.Fl s
command line option.
.El
.Pp
Options on the command line will override values from the
configuration file.
.Sh FILES
.Bl -tag -width 24n
.It Pa @sysconfdir@/cvtsudoers.conf
default configuration for cvtsudoers
.El
.Sh EXAMPLES
Convert
.Pa /etc/sudoers
to LDIF (LDAP Data Interchange Format) where the
.Pa ldap.conf
file uses a
.Em sudoers_base
of my-domain,dc=com, storing the result in
.Pa sudoers.ldif :
.Bd -literal -offset indent
$ cvtsudoers -b ou=SUDOers,dc=my-domain,dc=com -o sudoers.ldif \e
/etc/sudoers
.Ed
.Pp
Convert
.Pa /etc/sudoers
to JSON format, storing the result in
.Pa sudoers.json :
.Bd -literal -offset indent
$ cvtsudoers -f json -o sudoers.json /etc/sudoers
.Ed
.Pp
Parse
.Pa /etc/sudoers
and display only rules that match user
.Em ambrose
on host
.Em hastur :
.Bd -literal -offset indent
$ cvtsudoers -f sudoers -m user=ambrose,host=hastur /etc/sudoers
.Ed
.Pp
Same as above, but expand aliases and prune out any non-matching
users and hosts from the expanded entries.
.Bd -literal -offset indent
$ cvtsudoers -ep -f sudoers -m user=ambrose,host=hastur /etc/sudoers
.Ed
.Pp
Convert
.Pa sudoers.ldif
from LDIF to traditional
.Em sudoers
format:
.Bd -literal -offset indent
$ cvtsudoers -i ldif -f sudoers -o sudoers.new sudoers.ldif
.Ed
.Sh SEE ALSO
.Xr sudoers @mansectform@ ,
.Xr sudoers.ldap @mansectform@ ,
.Xr sudo @mansectsu@
.Sh AUTHORS
Many people have worked on
.Nm sudo
over the years; this version consists of code written primarily by:
.Bd -ragged -offset indent
.An Todd C. Miller
.Ed
.Pp
See the CONTRIBUTORS file in the
.Nm sudo
distribution (https://www.sudo.ws/contributors.html) for an
exhaustive list of people who have contributed to
.Nm sudo .
.Sh BUGS
If you feel you have found a bug in
.Nm ,
please submit a bug report at https://bugzilla.sudo.ws/
.Sh SUPPORT
Limited free support is available via the sudo-users mailing list,
see https://www.sudo.ws/mailman/listinfo/sudo-users to subscribe or
search the archives.
.Sh DISCLAIMER
.Nm
is provided
.Dq AS IS
and any express or implied warranties, including, but not limited
to, the implied warranties of merchantability and fitness for a
particular purpose are disclaimed.
See the LICENSE file distributed with
.Nm sudo
or https://www.sudo.ws/license.html for complete details.

39
docs/fixman.sh Executable file
View File

@@ -0,0 +1,39 @@
#!/bin/sh
#
# SPDX-License-Identifier: ISC
#
# Copyright (c) 2012-2014, 2017 Todd C. Miller <Todd.Miller@sudo.ws>
#
# Permission to use, copy, modify, and distribute this software for any
# purpose with or without fee is hereby granted, provided that the above
# copyright notice and this permission notice appear in all copies.
#
# THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
# WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
# MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
# ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
# WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
# ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
# OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
#
OUTFILE="$1"
rm -f "$OUTFILE"
> "$OUTFILE"
# HP-UX friendly header/footer for all man pages
if [ X"`uname 2>&1`" = X"HP-UX" ]; then
cat >>"$OUTFILE" <<-'EOF'
s/^\.TH \("[^"]*"\) \("[^"]*"\) "\([^"]*\)" "\([^"]*\)" \("[^"]*"\)/.TH \1 \2\
.ds )H \4\
.ds ]W \3/
EOF
fi
# Replace "0 minutes" with "unlimited"
cat >>"$OUTFILE" <<-'EOF'
/^\\fR0\\fR$/ {
N
s/^\\fR0\\fR\nminutes\.$/unlimited./
}
EOF

5
docs/fixmdoc.sed Normal file
View File

@@ -0,0 +1,5 @@
# Replace "0 minutes" with "unlimited"
/^\.Li 0$/ {
N
s/^\.Li 0\nminutes\.$/unlimited./
}

255
docs/schema.ActiveDirectory Normal file
View File

@@ -0,0 +1,255 @@
#
# Active Directory Schema for sudo configuration (sudoers)
#
# To extend your Active Directory schema, run one of the following command
# on your Windows DC (default port - Active Directory):
#
# ldifde -i -f schema.ActiveDirectory -c "CN=Schema,CN=Configuration,DC=X" #schemaNamingContext
#
# or on your Windows DC if using another port (with Active Directory LightWeight Directory Services / ADAM-Active Directory Application Mode)
# Port 50000 by example (or any other port specified when defining the ADLDS/ADAM instance
#
# ldifde -i -f schema.ActiveDirectory -t 50000 -c "CN=Schema,CN=Configuration,DC=X" #schemaNamingContext
#
# or
#
# ldifde -i -f schema.ActiveDirectory -s server:port -c "CN=Schema,CN=Configuration,DC=X" #schemaNamingContext
#
# Can add username domain and password
#
# -b username domain password
#
# Can create Log file in current or any directory
#
# -j .
#
dn: CN=sudoUser,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: top
objectClass: attributeSchema
cn: sudoUser
distinguishedName: CN=sudoUser,CN=Schema,CN=Configuration,DC=X
instanceType: 4
attributeID: 1.3.6.1.4.1.15953.9.1.1
attributeSyntax: 2.5.5.5
isSingleValued: FALSE
showInAdvancedViewOnly: TRUE
adminDisplayName: sudoUser
adminDescription: User(s) who may run sudo
oMSyntax: 22
searchFlags: 1
lDAPDisplayName: sudoUser
name: sudoUser
schemaIDGUID:: JrGcaKpnoU+0s+HgeFjAbg==
objectCategory: CN=Attribute-Schema,CN=Schema,CN=Configuration,DC=X
dn: CN=sudoHost,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: top
objectClass: attributeSchema
cn: sudoHost
distinguishedName: CN=sudoHost,CN=Schema,CN=Configuration,DC=X
instanceType: 4
attributeID: 1.3.6.1.4.1.15953.9.1.2
attributeSyntax: 2.5.5.5
isSingleValued: FALSE
showInAdvancedViewOnly: TRUE
adminDisplayName: sudoHost
adminDescription: Host(s) who may run sudo
oMSyntax: 22
lDAPDisplayName: sudoHost
name: sudoHost
schemaIDGUID:: d0TTjg+Y6U28g/Y+ns2k4w==
objectCategory: CN=Attribute-Schema,CN=Schema,CN=Configuration,DC=X
dn: CN=sudoCommand,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: top
objectClass: attributeSchema
cn: sudoCommand
distinguishedName: CN=sudoCommand,CN=Schema,CN=Configuration,DC=X
instanceType: 4
attributeID: 1.3.6.1.4.1.15953.9.1.3
attributeSyntax: 2.5.5.5
isSingleValued: FALSE
showInAdvancedViewOnly: TRUE
adminDisplayName: sudoCommand
adminDescription: Command(s) to be executed by sudo
oMSyntax: 22
lDAPDisplayName: sudoCommand
name: sudoCommand
schemaIDGUID:: D6QR4P5UyUen3RGYJCHCPg==
objectCategory: CN=Attribute-Schema,CN=Schema,CN=Configuration,DC=X
dn: CN=sudoRunAs,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: top
objectClass: attributeSchema
cn: sudoRunAs
distinguishedName: CN=sudoRunAs,CN=Schema,CN=Configuration,DC=X
instanceType: 4
attributeID: 1.3.6.1.4.1.15953.9.1.4
attributeSyntax: 2.5.5.5
isSingleValued: FALSE
showInAdvancedViewOnly: TRUE
adminDisplayName: sudoRunAs
adminDescription: User(s) impersonated by sudo (deprecated)
oMSyntax: 22
lDAPDisplayName: sudoRunAs
name: sudoRunAs
schemaIDGUID:: CP98mCQTyUKKxGrQeM80hQ==
objectCategory: CN=Attribute-Schema,CN=Schema,CN=Configuration,DC=X
dn: CN=sudoOption,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: top
objectClass: attributeSchema
cn: sudoOption
distinguishedName: CN=sudoOption,CN=Schema,CN=Configuration,DC=X
instanceType: 4
attributeID: 1.3.6.1.4.1.15953.9.1.5
attributeSyntax: 2.5.5.5
isSingleValued: FALSE
showInAdvancedViewOnly: TRUE
adminDisplayName: sudoOption
adminDescription: Option(s) followed by sudo
oMSyntax: 22
lDAPDisplayName: sudoOption
name: sudoOption
schemaIDGUID:: ojaPzBBlAEmsvrHxQctLnA==
objectCategory: CN=Attribute-Schema,CN=Schema,CN=Configuration,DC=X
dn: CN=sudoRunAsUser,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: top
objectClass: attributeSchema
cn: sudoRunAsUser
distinguishedName: CN=sudoRunAsUser,CN=Schema,CN=Configuration,DC=X
instanceType: 4
attributeID: 1.3.6.1.4.1.15953.9.1.6
attributeSyntax: 2.5.5.5
isSingleValued: FALSE
showInAdvancedViewOnly: TRUE
adminDisplayName: sudoRunAsUser
adminDescription: User(s) impersonated by sudo
oMSyntax: 22
lDAPDisplayName: sudoRunAsUser
name: sudoRunAsUser
schemaIDGUID:: 9C52yPYd3RG3jMR2VtiVkw==
objectCategory: CN=Attribute-Schema,CN=Schema,CN=Configuration,DC=X
dn: CN=sudoRunAsGroup,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: top
objectClass: attributeSchema
cn: sudoRunAsGroup
distinguishedName: CN=sudoRunAsGroup,CN=Schema,CN=Configuration,DC=X
instanceType: 4
attributeID: 1.3.6.1.4.1.15953.9.1.7
attributeSyntax: 2.5.5.5
isSingleValued: FALSE
showInAdvancedViewOnly: TRUE
adminDisplayName: sudoRunAsGroup
adminDescription: Groups(s) impersonated by sudo
oMSyntax: 22
lDAPDisplayName: sudoRunAsGroup
name: sudoRunAsGroup
schemaIDGUID:: xJhSt/Yd3RGJPTB1VtiVkw==
objectCategory: CN=Attribute-Schema,CN=Schema,CN=Configuration,DC=X
dn: CN=sudoNotBefore,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: top
objectClass: attributeSchema
cn: sudoNotBefore
distinguishedName: CN=sudoNotBefore,CN=Schema,CN=Configuration,DC=X
instanceType: 4
attributeID: 1.3.6.1.4.1.15953.9.1.8
attributeSyntax: 2.5.5.11
isSingleValued: TRUE
showInAdvancedViewOnly: TRUE
adminDisplayName: sudoNotBefore
adminDescription: Start of time interval for which the entry is valid
oMSyntax: 24
lDAPDisplayName: sudoNotBefore
name: sudoNotBefore
schemaIDGUID:: dm1HnRfY4RGf4gopYYhwmw==
objectCategory: CN=Attribute-Schema,CN=Schema,CN=Configuration,DC=X
dn: CN=sudoNotAfter,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: top
objectClass: attributeSchema
cn: sudoNotAfter
distinguishedName: CN=sudoNotAfter,CN=Schema,CN=Configuration,DC=X
instanceType: 4
attributeID: 1.3.6.1.4.1.15953.9.1.9
attributeSyntax: 2.5.5.11
isSingleValued: TRUE
showInAdvancedViewOnly: TRUE
adminDisplayName: sudoNotAfter
adminDescription: End of time interval for which the entry is valid
oMSyntax: 24
lDAPDisplayName: sudoNotAfter
name: sudoNotAfter
schemaIDGUID:: OAr/pBfY4RG9dBIpYYhwmw==
objectCategory: CN=Attribute-Schema,CN=Schema,CN=Configuration,DC=X
dn: CN=sudoOrder,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: top
objectClass: attributeSchema
cn: sudoOrder
distinguishedName: CN=sudoOrder,CN=Schema,CN=Configuration,DC=X
instanceType: 4
attributeID: 1.3.6.1.4.1.15953.9.1.10
attributeSyntax: 2.5.5.9
isSingleValued: TRUE
showInAdvancedViewOnly: TRUE
adminDisplayName: sudoOrder
adminDescription: an integer to order the sudoRole entries
oMSyntax: 2
lDAPDisplayName: sudoOrder
name: sudoOrder
schemaIDGUID:: 0J8yrRfY4RGIYBUpYYhwmw==
objectCategory: CN=Attribute-Schema,CN=Schema,CN=Configuration,DC=X
dn:
changetype: modify
add: schemaUpdateNow
schemaUpdateNow: 1
-
dn: CN=sudoRole,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: top
objectClass: classSchema
cn: sudoRole
distinguishedName: CN=sudoRole,CN=Schema,CN=Configuration,DC=X
instanceType: 4
possSuperiors: container
possSuperiors: top
subClassOf: top
governsID: 1.3.6.1.4.1.15953.9.2.1
mayContain: sudoCommand
mayContain: sudoHost
mayContain: sudoOption
mayContain: sudoRunAs
mayContain: sudoRunAsUser
mayContain: sudoRunAsGroup
mayContain: sudoUser
mayContain: sudoNotBefore
mayContain: sudoNotAfter
mayContain: sudoOrder
rDNAttID: cn
showInAdvancedViewOnly: FALSE
adminDisplayName: sudoRole
adminDescription: Sudoer Entries
objectClassCategory: 1
lDAPDisplayName: sudoRole
name: sudoRole
schemaIDGUID:: SQn432lnZ0+ukbdh3+gN3w==
systemOnly: FALSE
objectCategory: CN=Class-Schema,CN=Schema,CN=Configuration,DC=X
defaultObjectCategory: CN=sudoRole,CN=Schema,CN=Configuration,DC=X

78
docs/schema.OpenLDAP Normal file
View File

@@ -0,0 +1,78 @@
#
# OpenLDAP schema file for Sudo
# Save as /etc/openldap/schema/sudo.schema and restart slapd.
# For a version that uses online configuration, see schema.olcSudo.
#
attributetype ( 1.3.6.1.4.1.15953.9.1.1
NAME 'sudoUser'
DESC 'User(s) who may run sudo'
EQUALITY caseExactIA5Match
SUBSTR caseExactIA5SubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
attributetype ( 1.3.6.1.4.1.15953.9.1.2
NAME 'sudoHost'
DESC 'Host(s) who may run sudo'
EQUALITY caseExactIA5Match
SUBSTR caseExactIA5SubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
attributetype ( 1.3.6.1.4.1.15953.9.1.3
NAME 'sudoCommand'
DESC 'Command(s) to be executed by sudo'
EQUALITY caseExactIA5Match
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
attributetype ( 1.3.6.1.4.1.15953.9.1.4
NAME 'sudoRunAs'
DESC 'User(s) impersonated by sudo (deprecated)'
EQUALITY caseExactIA5Match
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
attributetype ( 1.3.6.1.4.1.15953.9.1.5
NAME 'sudoOption'
DESC 'Options(s) followed by sudo'
EQUALITY caseExactIA5Match
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
attributetype ( 1.3.6.1.4.1.15953.9.1.6
NAME 'sudoRunAsUser'
DESC 'User(s) impersonated by sudo'
EQUALITY caseExactIA5Match
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
attributetype ( 1.3.6.1.4.1.15953.9.1.7
NAME 'sudoRunAsGroup'
DESC 'Group(s) impersonated by sudo'
EQUALITY caseExactIA5Match
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
attributetype ( 1.3.6.1.4.1.15953.9.1.8
NAME 'sudoNotBefore'
DESC 'Start of time interval for which the entry is valid'
EQUALITY generalizedTimeMatch
ORDERING generalizedTimeOrderingMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 )
attributetype ( 1.3.6.1.4.1.15953.9.1.9
NAME 'sudoNotAfter'
DESC 'End of time interval for which the entry is valid'
EQUALITY generalizedTimeMatch
ORDERING generalizedTimeOrderingMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 )
attributetype ( 1.3.6.1.4.1.15953.9.1.10
NAME 'sudoOrder'
DESC 'an integer to order the sudoRole entries'
EQUALITY integerMatch
ORDERING integerOrderingMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 )
objectclass ( 1.3.6.1.4.1.15953.9.2.1 NAME 'sudoRole' SUP top STRUCTURAL
DESC 'Sudoer Entries'
MUST ( cn )
MAY ( sudoUser $ sudoHost $ sudoCommand $ sudoRunAs $ sudoRunAsUser $
sudoRunAsGroup $ sudoOption $ sudoOrder $ sudoNotBefore $
sudoNotAfter $ description )
)

12
docs/schema.iPlanet Normal file
View File

@@ -0,0 +1,12 @@
dn: cn=schema
attributeTypes: ( 1.3.6.1.4.1.15953.9.1.1 NAME 'sudoUser' DESC 'User(s) who may run sudo' EQUALITY caseExactIA5Match SUBSTR caseExactIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 X-ORIGIN 'SUDO' )
attributeTypes: ( 1.3.6.1.4.1.15953.9.1.2 NAME 'sudoHost' DESC 'Host(s) who may run sudo' EQUALITY caseExactIA5Match SUBSTR caseExactIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 X-ORIGIN 'SUDO' )
attributeTypes: ( 1.3.6.1.4.1.15953.9.1.3 NAME 'sudoCommand' DESC 'Command(s) to be executed by sudo' EQUALITY caseExactIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 X-ORIGIN 'SUDO' )
attributeTypes: ( 1.3.6.1.4.1.15953.9.1.4 NAME 'sudoRunAs' DESC 'User(s) impersonated by sudo (deprecated)' EQUALITY caseExactIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 X-ORIGIN 'SUDO' )
attributeTypes: ( 1.3.6.1.4.1.15953.9.1.5 NAME 'sudoOption' DESC 'Options(s) followed by sudo' EQUALITY caseExactIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 X-ORIGIN 'SUDO' )
attributeTypes: ( 1.3.6.1.4.1.15953.9.1.6 NAME 'sudoRunAsUser' DESC 'User(s) impersonated by sudo' EQUALITY caseExactIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 X-ORIGIN 'SUDO' )
attributeTypes: ( 1.3.6.1.4.1.15953.9.1.7 NAME 'sudoRunAsGroup' DESC 'Group(s) impersonated by sudo' EQUALITY caseExactIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 X-ORIGIN 'SUDO' )
attributeTypes: ( 1.3.6.1.4.1.15953.9.1.8 NAME 'sudoNotBefore' DESC 'Start of time interval for which the entry is valid' EQUALITY generalizedTimeMatch ORDERING generalizedTimeOrderingMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 )
attributeTypes: ( 1.3.6.1.4.1.15953.9.1.9 NAME 'sudoNotAfter' DESC 'End of time interval for which the entry is valid' EQUALITY generalizedTimeMatch ORDERING generalizedTimeOrderingMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 )
attributeTypes: ( 1.3.6.1.4.1.15953.9.1.10 NAME 'sudoOrder' DESC 'an integer to order the sudoRole entries' EQUALITY integerMatch ORDERING integerOrderingMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 )
objectClasses: ( 1.3.6.1.4.1.15953.9.2.1 NAME 'sudoRole' SUP top STRUCTURAL DESC 'Sudoer Entries' MUST ( cn ) MAY ( sudoUser $ sudoHost $ sudoCommand $ sudoRunAs $ sudoRunAsUser $ sudoRunAsGroup $ sudoOption $ sudoOrder $ sudoNotBefore $ sudoNotAfter $ description ) X-ORIGIN 'SUDO' )

79
docs/schema.olcSudo Normal file
View File

@@ -0,0 +1,79 @@
dn: cn=sudoschema,cn=schema,cn=config
objectClass: olcSchemaConfig
cn: sudoschema
#
# OpenLDAP schema file for Sudo in on-line configuration (OLC) format.
# Import using ldapadd or another suitable LDAP browser.
# Converted to OLC format by Frederic Pasteleurs <frederic@askarel.be>
#
olcattributetypes: ( 1.3.6.1.4.1.15953.9.1.1
NAME 'sudoUser'
DESC 'User(s) who may run sudo'
EQUALITY caseExactIA5Match
SUBSTR caseExactIA5SubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
#
olcattributetypes: ( 1.3.6.1.4.1.15953.9.1.2
NAME 'sudoHost'
DESC 'Host(s) who may run sudo'
EQUALITY caseExactIA5Match
SUBSTR caseExactIA5SubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
#
olcattributetypes: ( 1.3.6.1.4.1.15953.9.1.3
NAME 'sudoCommand'
DESC 'Command(s) to be executed by sudo'
EQUALITY caseExactIA5Match
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
#
olcattributetypes: ( 1.3.6.1.4.1.15953.9.1.4
NAME 'sudoRunAs'
DESC 'User(s) impersonated by sudo (deprecated)'
EQUALITY caseExactIA5Match
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
#
olcattributetypes: ( 1.3.6.1.4.1.15953.9.1.5
NAME 'sudoOption'
DESC 'Options(s) followed by sudo'
EQUALITY caseExactIA5Match
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
#
olcattributetypes: ( 1.3.6.1.4.1.15953.9.1.6
NAME 'sudoRunAsUser'
DESC 'User(s) impersonated by sudo'
EQUALITY caseExactIA5Match
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
#
olcattributetypes: ( 1.3.6.1.4.1.15953.9.1.7
NAME 'sudoRunAsGroup'
DESC 'Group(s) impersonated by sudo'
EQUALITY caseExactIA5Match
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
#
olcattributetypes: ( 1.3.6.1.4.1.15953.9.1.8
NAME 'sudoNotBefore'
DESC 'Start of time interval for which the entry is valid'
EQUALITY generalizedTimeMatch
ORDERING generalizedTimeOrderingMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 )
#
olcattributetypes: ( 1.3.6.1.4.1.15953.9.1.9
NAME 'sudoNotAfter'
DESC 'End of time interval for which the entry is valid'
EQUALITY generalizedTimeMatch
ORDERING generalizedTimeOrderingMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 )
#
olcattributeTypes: ( 1.3.6.1.4.1.15953.9.1.10
NAME 'sudoOrder'
DESC 'an integer to order the sudoRole entries'
EQUALITY integerMatch
ORDERING integerOrderingMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 )
#
olcobjectclasses: ( 1.3.6.1.4.1.15953.9.2.1 NAME 'sudoRole' SUP top STRUCTURAL
DESC 'Sudoer Entries'
MUST ( cn )
MAY ( sudoUser $ sudoHost $ sudoCommand $ sudoRunAs $ sudoRunAsUser $ sudoRunAsGroup $ sudoOption $ sudoOrder $ sudoNotBefore $ sudoNotAfter $
description )
)

916
docs/sudo.conf.man.in Normal file
View File

@@ -0,0 +1,916 @@
.\" Automatically generated from an mdoc input file. Do not edit.
.\"
.\" SPDX-License-Identifier: ISC
.\"
.\" Copyright (c) 2010-2021 Todd C. Miller <Todd.Miller@sudo.ws>
.\"
.\" Permission to use, copy, modify, and distribute this software for any
.\" purpose with or without fee is hereby granted, provided that the above
.\" copyright notice and this permission notice appear in all copies.
.\"
.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
.\"
.nr SL @SEMAN@
.TH "SUDO.CONF" "@mansectform@" "September 17, 2021" "Sudo @PACKAGE_VERSION@" "File Formats Manual"
.nh
.if n .ad l
.SH "NAME"
\fBsudo.conf\fR
\- configuration for sudo front-end
.SH "DESCRIPTION"
The
\fBsudo.conf\fR
file is used to configure the
\fBsudo\fR
front-end.
It specifies the security policy and I/O logging plugins, debug flags
as well as plugin-agnostic path names and settings.
.PP
The
\fBsudo.conf\fR
file supports the following directives, described in detail below.
.TP 10n
Plugin
an approval, audit, I/O logging or security policy plugin
.TP 10n
Path
a plugin-agnostic path
.TP 10n
Set
a front-end setting, such as
\fIdisable_coredump\fR
or
\fIgroup_source\fR
.TP 10n
Debug
debug flags to aid in debugging
\fBsudo\fR,
\fBsudoreplay\fR,
\fBvisudo\fR,
and the
\fBsudoers\fR
plugin.
.PP
The pound sign
(\(oq#\(cq)
is used to indicate a comment.
Both the comment character and any text after it, up to the end of
the line, are ignored.
.PP
Long lines can be continued with a backslash
(\(oq\e\(cq)
as the last character on the line.
Note that leading white space is removed from the beginning of lines
even when the continuation character is used.
.PP
Non-comment lines that don't begin with
\fRPlugin\fR,
\fRPath\fR,
\fRDebug\fR,
or
\fRSet\fR
are silently ignored.
.PP
The
\fBsudo.conf\fR
file is always parsed in the
\(lq\fRC\fR\(rq
locale.
.SS "Plugin configuration"
\fBsudo\fR
supports a plugin architecture for security policies and input/output
logging.
Third parties can develop and distribute their own policy and I/O
logging plugins to work seamlessly with the
\fBsudo\fR
front-end.
Plugins are dynamically loaded based on the contents of
\fBsudo.conf\fR.
.PP
A
\fRPlugin\fR
line consists of the
\fRPlugin\fR
keyword, followed by the
\fIsymbol_name\fR
and the
\fIpath\fR
to the dynamic shared object that contains the plugin.
The
\fIsymbol_name\fR
is the name of the
\fRapproval_plugin\fR,
\fRaudit_plugin\fR,
\fRio_plugin\fR,
or
\fRpolicy_plugin\fR
struct contained in the plugin.
If a plugin implements multiple plugin types, there must be a
\fRPlugin\fR
line for each unique symbol name.
The
\fIpath\fR
may be fully qualified or relative.
If not fully qualified, it is relative to the directory
specified by the
\fIplugin_dir\fR
\fRPath\fR
setting, which defaults to
\fI@plugindir@\fR.
In other words:
.nf
.sp
.RS 6n
Plugin sudoers_policy sudoers.so
.RE
.fi
.PP
is equivalent to:
.nf
.sp
.RS 6n
Plugin sudoers_policy @plugindir@/sudoers.so
.RE
.fi
.PP
If the plugin was compiled statically into the
\fBsudo\fR
binary instead of being installed as a dynamic shared object, the
\fIpath\fR
should be specified without a leading directory,
as it does not actually exist in the file system.
For example:
.nf
.sp
.RS 6n
Plugin sudoers_policy sudoers.so
.RE
.fi
.PP
Starting with
\fBsudo\fR
1.8.5, any additional parameters after the
\fIpath\fR
are passed as arguments to the plugin's
\fIopen\fR
function.
For example, to override the compile-time default sudoers file mode:
.nf
.sp
.RS 6n
Plugin sudoers_policy sudoers.so sudoers_mode=0440
.RE
.fi
.PP
See the
sudoers(@mansectform@)
manual for a list of supported arguments.
.PP
The same dynamic shared object may contain multiple plugins,
each with a different symbol name.
The file must be owned by uid 0 and only writable by its owner.
Because of ambiguities that arise from composite policies, only a single
policy plugin may be specified.
This limitation does not apply to I/O plugins.
.PP
If no
\fBsudo.conf\fR
file is present, or if it contains no
\fRPlugin\fR
lines, the
\fBsudoers\fR
plugin will be used as the default security policy, for I/O logging
(if enabled by the policy) and for auditing.
This is equivalent to the following:
.nf
.sp
.RS 6n
Plugin sudoers_policy sudoers.so
Plugin sudoers_io sudoers.so
Plugin sudoers_audit sudoers.so
.RE
.fi
.PP
Starting with
\fBsudo\fR
version 1.9.1, some of the logging functionality of the
\fBsudoers\fR
plugin has been moved from the policy plugin to an audit plugin.
To maintain compatibility with
\fBsudo.conf\fR
files from older
\fBsudo\fR
versions, if
\fBsudoers\fR
is configured as the security policy, it will be used as an audit
plugin as well.
This guarantees that the logging behavior will be consistnet with that of
\fBsudo\fR
versions 1.9.0 and below.
.PP
For more information on the
\fBsudo\fR
plugin architecture, see the
sudo_plugin(@mansectform@)
manual.
.SS "Path settings"
A
\fRPath\fR
line consists of the
\fRPath\fR
keyword, followed by the name of the path to set and its value.
For example:
.nf
.sp
.RS 6n
Path intercept @intercept_file@
Path noexec @noexec_file@
Path askpass /usr/X11R6/bin/ssh-askpass
.RE
.fi
.PP
If no path name is specified, features relying on the specified
setting will be disabled.
Disabling
\fRPath\fR
settings is only supported in
\fBsudo\fR
version 1.8.16 and higher.
.PP
The following plugin-agnostic paths may be set in the
\fI@sysconfdir@/sudo.conf\fR
file:
.TP 10n
askpass
The fully qualified path to a helper program used to read the user's
password when no terminal is available.
This may be the case when
\fBsudo\fR
is executed from a graphical (as opposed to text-based) application.
The program specified by
\fIaskpass\fR
should display the argument passed to it as the prompt and write
the user's password to the standard output.
The value of
\fIaskpass\fR
may be overridden by the
\fRSUDO_ASKPASS\fR
environment variable.
.TP 10n
devsearch
.br
An ordered, colon-separated search path of directories to look in for
device nodes.
This is used when mapping the process's tty device number to a device name
on systems that do not provide such a mechanism.
Sudo will
\fInot\fR
recurse into sub-directories.
If terminal devices may be located in a sub-directory of
\fI/dev\fR,
that path must be explicitly listed in
\fIdevsearch\fR.
The default value is
\fR/dev/pts:/dev/vt:/dev/term:/dev/zcons:/dev/pty:/dev\fR
.sp
This option is ignored on systems that support either the
\fBdevname\fR()
or
\fB_ttyname_dev\fR()
functions, for example
BSD,
macOS and Solaris.
.TP 10n
intercept
.br
The fully-qualified path to a shared library containing a wrappers for the
\fBexecl\fR(),
\fBexecle\fR(),
\fBexeclp\fR(),
\fBexecv\fR(),
\fBexecve\fR(),
\fBexecvp\fR(),
and
\fBexecvpe\fR()
library functions that intercepts attempts to run further commands and
performs a policy check before allowing them to be executed.
This is used to implement the
\fIintercept\fR
functionality on systems that support
\fRLD_PRELOAD\fR
or its equivalent.
The default value is
\fI@intercept_file@\fR.
.TP 10n
noexec
The fully-qualified path to a shared library containing wrappers
for the
\fBexecl\fR(),
\fBexecle\fR(),
\fBexeclp\fR(),
\fBexect\fR(),
\fBexecv\fR(),
\fBexecve\fR(),
\fBexecveat\fR(),
\fBexecvP\fR(),
\fBexecvp\fR(),
\fBexecvpe\fR(),
\fBfexecve\fR(),
\fBpopen\fR(),
\fBposix_spawn\fR(),
\fBposix_spawnp\fR(),
\fBsystem\fR(),
and
\fBwordexp\fR()
library functions that prevent the execution of further commands.
This is used to implement the
\fInoexec\fR
functionality on systems that support
\fRLD_PRELOAD\fR
or its equivalent.
The default value is
\fI@noexec_file@\fR.
.TP 10n
plugin_dir
The default directory to use when searching for plugins
that are specified without a fully qualified path name.
The default value is
\fI@plugindir@\fR.
.if \n(SL \{\
.TP 10n
sesh
The fully-qualified path to the
\fBsesh\fR
binary.
This setting is only used when
\fBsudo\fR
is built with SELinux support.
The default value is
\fI@sesh_file@\fR.
.\}
.SS "Other settings"
The
\fBsudo.conf\fR
file also supports the following front-end settings:
.TP 10n
disable_coredump
Core dumps of
\fBsudo\fR
itself are disabled by default to prevent the disclosure of potentially
sensitive information.
To aid in debugging
\fBsudo\fR
crashes, you may wish to re-enable core dumps by setting
\(lqdisable_coredump\(rq
to false in
\fBsudo.conf\fR
as follows:
.nf
.sp
.RS 16n
Set disable_coredump false
.RE
.fi
.RS 10n
.sp
All modern operating systems place restrictions on core dumps
from set-user-ID processes like
\fBsudo\fR
so this option can be enabled without compromising security.
To actually get a
\fBsudo\fR
core file you will likely need to enable core dumps for set-user-ID processes.
On
BSD
and Linux systems this is accomplished in the
sysctl(@mansectsu@)
command.
On Solaris, the
coreadm(1m)
command is used to configure core dump behavior.
.sp
This setting is only available in
\fBsudo\fR
version 1.8.4 and higher.
.RE
.TP 10n
developer_mode
By default
\fBsudo\fR
refuses to load plugins which can be modified by other than the root user.
The plugin should be owned by root and write access permissions should be
disabled for
\(lqgroup\(rq
and
\(lqother\(rq\&.
To make development of a plugin easier, you can disable that by setting
\(lqdeveloper_mode\(rq
option to true in
\fBsudo.conf\fR
as follows:
.nf
.sp
.RS 16n
Set developer_mode true
.RE
.fi
.RS 10n
.sp
Please note that this creates a security risk, so it is not recommended
on critical systems such as a desktop machine for daily use, but is intended
to be used in development environments (VM, container, etc).
Before enabling developer mode, ensure you understand the implications.
.sp
This setting is only available in
\fBsudo\fR
version 1.9.0 and higher.
.RE
.TP 10n
group_source
\fBsudo\fR
passes the invoking user's group list to the policy and I/O plugins.
On most systems, there is an upper limit to the number of groups that
a user may belong to simultaneously (typically 16 for compatibility
with NFS).
On systems with the
getconf(1)
utility, running:
.RS 16n
getconf NGROUPS_MAX
.RE
.RS 10n
will return the maximum number of groups.
.sp
However, it is still possible to be a member of a larger number of
groups--they simply won't be included in the group list returned
by the kernel for the user.
Starting with
\fBsudo\fR
version 1.8.7, if the user's kernel group list has the maximum number
of entries,
\fBsudo\fR
will consult the group database directly to determine the group list.
This makes it possible for the security policy to perform matching by group
name even when the user is a member of more than the maximum number of groups.
.sp
The
\fIgroup_source\fR
setting allows the administrator to change this default behavior.
Supported values for
\fIgroup_source\fR
are:
.TP 10n
static
Use the static group list that the kernel returns.
Retrieving the group list this way is very fast but it is subject
to an upper limit as described above.
It is
\(lqstatic\(rq
in that it does not reflect changes to the group database made
after the user logs in.
This was the default behavior prior to
\fBsudo\fR
1.8.7.
.TP 10n
dynamic
Always query the group database directly.
It is
\(lqdynamic\(rq
in that changes made to the group database after the user logs in
will be reflected in the group list.
On some systems, querying the group database for all of a user's
groups can be time consuming when querying a network-based group
database.
Most operating systems provide an efficient method of performing
such queries.
Currently,
\fBsudo\fR
supports efficient group queries on AIX,
BSD,
HP-UX, Linux, macOS and Solaris.
This is the default behavior on macOS in
\fBsudo\fR
1.9.6 and higher.
.TP 10n
adaptive
Only query the group database if the static group list returned
by the kernel has the maximum number of entries.
This is the default behavior on systems other than macOS in
\fBsudo\fR
1.8.7 and higher.
.PP
For example, to cause
\fBsudo\fR
to only use the kernel's static list of groups for the user:
.nf
.sp
.RS 16n
Set group_source static
.RE
.fi
.sp
This setting is only available in
\fBsudo\fR
version 1.8.7 and higher.
.RE
.TP 10n
max_groups
The maximum number of user groups to retrieve from the group database.
Values less than one or larger than 1024 will be ignored.
This setting is only used when querying the group database directly.
It is intended to be used on systems where it is not possible to detect
when the array to be populated with group entries is not sufficiently large.
By default,
\fBsudo\fR
will allocate four times the system's maximum number of groups (see above)
and retry with double that number if the group database query fails.
.sp
This setting is only available in
\fBsudo\fR
version 1.8.7 and higher.
It should not be required in
\fBsudo\fR
versions 1.8.24 and higher and may be removed in a later release.
.TP 10n
probe_interfaces
By default,
\fBsudo\fR
will probe the system's network interfaces and pass the IP address
of each enabled interface to the policy plugin.
This makes it possible for the plugin to match rules based on the IP address
without having to query DNS.
On Linux systems with a large number of virtual interfaces, this may
take a non-negligible amount of time.
If IP-based matching is not required, network interface probing
can be disabled as follows:
.nf
.sp
.RS 16n
Set probe_interfaces false
.RE
.fi
.RS 10n
.sp
This setting is only available in
\fBsudo\fR
version 1.8.10 and higher.
.RE
.SS "Debug settings"
\fBsudo\fR
versions 1.8.4 and higher support a flexible debugging framework
that can log what
\fBsudo\fR
is doing internally if there is a problem.
.PP
A
\fRDebug\fR
line consists of the
\fRDebug\fR
keyword, followed by the name of the program, plugin or shared object to debug,
the debug file name and a comma-separated list of debug flags.
The debug flag syntax used by
\fBsudo\fR,
the
\fBsudoers\fR
plugin and its associated programs and shared objects is
\fIsubsystem\fR@\fIpriority\fR
but a third-party plugin is free to use a different format so long
as it does not include a comma
(\(oq\&,\(cq).
.PP
Examples:
.nf
.sp
.RS 6n
Debug sudo /var/log/sudo_debug all@warn,plugin@info
.RE
.fi
.PP
would log all debugging statements at the
\fIwarn\fR
level and higher in addition to those at the
\fIinfo\fR
level for the plugin subsystem.
.nf
.sp
.RS 6n
Debug sudo_intercept.so /var/log/intercept_debug all@debug
.RE
.fi
.PP
would log all debugging statements, regardless of level, for the
\fIsudo_intercept.so\fR
shared object that implements
\fBsudo\fR's
intercept functionality.
.PP
As of
\fBsudo\fR
1.8.12, multiple
\fRDebug\fR
entries may be specified per program.
Older versions of
\fBsudo\fR
only support a single
\fRDebug\fR
entry per program.
Plugin-specific
\fRDebug\fR
entries are also supported starting with
\fBsudo\fR
1.8.12 and are matched by either the base name of the plugin that was loaded
(for example
\fRsudoers.so\fR)
or by the plugin's fully-qualified path name.
Previously, the
\fBsudoers\fR
plugin shared the same
\fRDebug\fR
entry as the
\fBsudo\fR
front-end and could not be configured separately.
.PP
The following priorities are supported, in order of decreasing severity:
\fIcrit\fR, \fIerr\fR, \fIwarn\fR, \fInotice\fR, \fIdiag\fR, \fIinfo\fR, \fItrace\fR
and
\fIdebug\fR.
Each priority, when specified, also includes all priorities higher
than it.
For example, a priority of
\fInotice\fR
would include debug messages logged at
\fInotice\fR
and higher.
.PP
The priorities
\fItrace\fR
and
\fIdebug\fR
also include function call tracing which logs when a function is
entered and when it returns.
For example, the following trace is for the
\fBget_user_groups\fR()
function located in src/sudo.c:
.nf
.sp
.RS 6n
sudo[123] -> get_user_groups @ src/sudo.c:385
sudo[123] <- get_user_groups @ src/sudo.c:429 := groups=10,0,5
.RE
.fi
.PP
When the function is entered, indicated by a right arrow
\(oq->\(cq,
the program, process ID, function, source file and line number
are logged.
When the function returns, indicated by a left arrow
\(oq<-\(cq,
the same information is logged along with the return value.
In this case, the return value is a string.
.PP
The following subsystems are used by the
\fBsudo\fR
front-end:
.TP 12n
\fIall\fR
matches every subsystem
.TP 12n
\fIargs\fR
command line argument processing
.TP 12n
\fIconv\fR
user conversation
.TP 12n
\fIedit\fR
sudoedit
.TP 12n
\fIevent\fR
event subsystem
.TP 12n
\fIexec\fR
command execution
.TP 12n
\fImain\fR
\fBsudo\fR
main function
.TP 12n
\fInetif\fR
network interface handling
.TP 12n
\fIpcomm\fR
communication with the plugin
.TP 12n
\fIplugin\fR
plugin configuration
.TP 12n
\fIpty\fR
pseudo-terminal related code
.TP 12n
\fIselinux\fR
SELinux-specific handling
.TP 12n
\fIutil\fR
utility functions
.TP 12n
\fIutmp\fR
utmp handling
.PP
The
sudoers(@mansectform@)
plugin includes support for additional subsystems.
.SH "FILES"
.TP 26n
\fI@sysconfdir@/sudo.conf\fR
\fBsudo\fR
front-end configuration
.SH "EXAMPLES"
.nf
.RS 0n
#
# Default @sysconfdir@/sudo.conf file
#
# Sudo plugins:
# Plugin plugin_name plugin_path plugin_options ...
#
# The plugin_path is relative to @plugindir@ unless
# fully qualified.
# The plugin_name corresponds to a global symbol in the plugin
# that contains the plugin interface structure.
# The plugin_options are optional.
#
# The sudoers plugin is used by default if no Plugin lines are present.
#Plugin sudoers_policy sudoers.so
#Plugin sudoers_io sudoers.so
#Plugin sudoers_audit sudoers.so
#
# Sudo askpass:
# Path askpass /path/to/askpass
#
# An askpass helper program may be specified to provide a graphical
# password prompt for "sudo -A" support. Sudo does not ship with its
# own askpass program but can use the OpenSSH askpass.
#
# Use the OpenSSH askpass
#Path askpass /usr/X11R6/bin/ssh-askpass
#
# Use the Gnome OpenSSH askpass
#Path askpass /usr/libexec/openssh/gnome-ssh-askpass
#
# Sudo device search path:
# Path devsearch /dev/path1:/dev/path2:/dev
#
# A colon-separated list of paths to check when searching for a user's
# terminal device.
#
#Path devsearch /dev/pts:/dev/vt:/dev/term:/dev/zcons:/dev/pty:/dev
#
# Sudo command interception:
# Path intercept /path/to/sudo_intercept.so
#
# Path to a shared library containing replacements for the execv()
# and execve() library functions that perform a policy check to verify
# the command is allowed and simply return an error if not. This is
# used to implement the "intercept" functionality on systems that
# support LD_PRELOAD or its equivalent.
#
# The compiled-in value is usually sufficient and should only be changed
# if you rename or move the sudo_intercept.so file.
#
#Path intercept @plugindir@/sudo_intercept.so
#
# Sudo noexec:
# Path noexec /path/to/sudo_noexec.so
#
# Path to a shared library containing replacements for the execv()
# family of library functions that just return an error. This is
# used to implement the "noexec" functionality on systems that support
# LD_PRELOAD or its equivalent.
#
# The compiled-in value is usually sufficient and should only be changed
# if you rename or move the sudo_noexec.so file.
#
#Path noexec @plugindir@/sudo_noexec.so
#
# Sudo plugin directory:
# Path plugin_dir /path/to/plugins
#
# The default directory to use when searching for plugins that are
# specified without a fully qualified path name.
#
#Path plugin_dir @plugindir@
#
# Sudo developer mode:
# Set developer_mode true|false
#
# Allow loading of plugins that are owned by non-root or are writable
# by "group" or "other". Should only be used during plugin development.
#Set developer_mode true
#
# Core dumps:
# Set disable_coredump true|false
#
# By default, sudo disables core dumps while it is executing (they
# are re-enabled for the command that is run).
# To aid in debugging sudo problems, you may wish to enable core
# dumps by setting "disable_coredump" to false.
#
#Set disable_coredump false
#
# User groups:
# Set group_source static|dynamic|adaptive
#
# Sudo passes the user's group list to the policy plugin.
# If the user is a member of the maximum number of groups (usually 16),
# sudo will query the group database directly to be sure to include
# the full list of groups.
#
# On some systems, this can be expensive so the behavior is configurable.
# The "group_source" setting has three possible values:
# static - use the user's list of groups returned by the kernel.
# dynamic - query the group database to find the list of groups.
# adaptive - if user is in less than the maximum number of groups.
# use the kernel list, else query the group database.
#
#Set group_source static
#
# Sudo interface probing:
# Set probe_interfaces true|false
#
# By default, sudo will probe the system's network interfaces and
# pass the IP address of each enabled interface to the policy plugin.
# On systems with a large number of virtual interfaces this may take
# a noticeable amount of time.
#
#Set probe_interfaces false
#
# Sudo debug files:
# Debug program /path/to/debug_log subsystem@priority[,subsyste@priority]
#
# Sudo and related programs support logging debug information to a file.
# The program is typically sudo, sudoers.so, sudoreplay or visudo.
#
# Subsystems vary based on the program; "all" matches all subsystems.
# Priority may be crit, err, warn, notice, diag, info, trace or debug.
# Multiple subsystem@priority may be specified, separated by a comma.
#
#Debug sudo /var/log/sudo_debug all@debug
#Debug sudoers.so /var/log/sudoers_debug all@debug
.RE
.fi
.SH "SEE ALSO"
sudo_plugin(@mansectform@),
sudoers(@mansectform@),
sudo(@mansectsu@)
.SH "HISTORY"
See the HISTORY file in the
\fBsudo\fR
distribution (https://www.sudo.ws/history.html) for a brief
history of sudo.
.SH "AUTHORS"
Many people have worked on
\fBsudo\fR
over the years; this version consists of code written primarily by:
.sp
.RS 6n
Todd C. Miller
.RE
.PP
See the CONTRIBUTORS file in the
\fBsudo\fR
distribution (https://www.sudo.ws/contributors.html) for an
exhaustive list of people who have contributed to
\fBsudo\fR.
.SH "BUGS"
If you feel you have found a bug in
\fBsudo\fR,
please submit a bug report at https://bugzilla.sudo.ws/
.SH "SUPPORT"
Limited free support is available via the sudo-users mailing list,
see https://www.sudo.ws/mailman/listinfo/sudo-users to subscribe or
search the archives.
.SH "DISCLAIMER"
\fBsudo\fR
is provided
\(lqAS IS\(rq
and any express or implied warranties, including, but not limited
to, the implied warranties of merchantability and fitness for a
particular purpose are disclaimed.
See the LICENSE file distributed with
\fBsudo\fR
or https://www.sudo.ws/license.html for complete details.

15
docs/sudo.conf.man.in.sed Normal file
View File

@@ -0,0 +1,15 @@
s/^\(.TH .*\)/.nr SL @SEMAN@\
\1/
/^\.TP 10n$/ {
N
/^.TP 10n\nsesh$/ {
i\
.if \\n(SL \\{\\
}
}
/^\\fI@sesh_file@\\fR\.$/ {
a\
.\\}
}

843
docs/sudo.conf.mdoc.in Normal file
View File

@@ -0,0 +1,843 @@
.\"
.\" SPDX-License-Identifier: ISC
.\"
.\" Copyright (c) 2010-2021 Todd C. Miller <Todd.Miller@sudo.ws>
.\"
.\" Permission to use, copy, modify, and distribute this software for any
.\" purpose with or without fee is hereby granted, provided that the above
.\" copyright notice and this permission notice appear in all copies.
.\"
.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
.\"
.nr SL @SEMAN@
.Dd September 17, 2021
.Dt SUDO.CONF @mansectform@
.Os Sudo @PACKAGE_VERSION@
.Sh NAME
.Nm sudo.conf
.Nd configuration for sudo front-end
.Sh DESCRIPTION
The
.Nm sudo.conf
file is used to configure the
.Nm sudo
front-end.
It specifies the security policy and I/O logging plugins, debug flags
as well as plugin-agnostic path names and settings.
.Pp
The
.Nm
file supports the following directives, described in detail below.
.Bl -tag -width 8n
.It Plugin
an approval, audit, I/O logging or security policy plugin
.It Path
a plugin-agnostic path
.It Set
a front-end setting, such as
.Em disable_coredump
or
.Em group_source
.It Debug
debug flags to aid in debugging
.Nm sudo ,
.Nm sudoreplay ,
.Nm visudo ,
and the
.Nm sudoers
plugin.
.El
.Pp
The pound sign
.Pq Ql #
is used to indicate a comment.
Both the comment character and any text after it, up to the end of
the line, are ignored.
.Pp
Long lines can be continued with a backslash
.Pq Ql \e
as the last character on the line.
Note that leading white space is removed from the beginning of lines
even when the continuation character is used.
.Pp
Non-comment lines that don't begin with
.Li Plugin ,
.Li Path ,
.Li Debug ,
or
.Li Set
are silently ignored.
.Pp
The
.Nm
file is always parsed in the
.Dq Li C
locale.
.Ss Plugin configuration
.Nm sudo
supports a plugin architecture for security policies and input/output
logging.
Third parties can develop and distribute their own policy and I/O
logging plugins to work seamlessly with the
.Nm sudo
front-end.
Plugins are dynamically loaded based on the contents of
.Nm .
.Pp
A
.Li Plugin
line consists of the
.Li Plugin
keyword, followed by the
.Em symbol_name
and the
.Em path
to the dynamic shared object that contains the plugin.
The
.Em symbol_name
is the name of the
.Li approval_plugin ,
.Li audit_plugin ,
.Li io_plugin ,
or
.Li policy_plugin
struct contained in the plugin.
If a plugin implements multiple plugin types, there must be a
.Li Plugin
line for each unique symbol name.
The
.Em path
may be fully qualified or relative.
If not fully qualified, it is relative to the directory
specified by the
.Em plugin_dir
.Li Path
setting, which defaults to
.Pa @plugindir@ .
In other words:
.Bd -literal -offset indent
Plugin sudoers_policy sudoers.so
.Ed
.Pp
is equivalent to:
.Bd -literal -offset indent
Plugin sudoers_policy @plugindir@/sudoers.so
.Ed
.Pp
If the plugin was compiled statically into the
.Nm sudo
binary instead of being installed as a dynamic shared object, the
.Em path
should be specified without a leading directory,
as it does not actually exist in the file system.
For example:
.Bd -literal -offset indent
Plugin sudoers_policy sudoers.so
.Ed
.Pp
Starting with
.Nm sudo
1.8.5, any additional parameters after the
.Em path
are passed as arguments to the plugin's
.Em open
function.
For example, to override the compile-time default sudoers file mode:
.Bd -literal -offset indent
Plugin sudoers_policy sudoers.so sudoers_mode=0440
.Ed
.Pp
See the
.Xr sudoers @mansectform@
manual for a list of supported arguments.
.Pp
The same dynamic shared object may contain multiple plugins,
each with a different symbol name.
The file must be owned by uid 0 and only writable by its owner.
Because of ambiguities that arise from composite policies, only a single
policy plugin may be specified.
This limitation does not apply to I/O plugins.
.Pp
If no
.Nm
file is present, or if it contains no
.Li Plugin
lines, the
.Nm sudoers
plugin will be used as the default security policy, for I/O logging
(if enabled by the policy) and for auditing.
This is equivalent to the following:
.Bd -literal -offset indent
Plugin sudoers_policy sudoers.so
Plugin sudoers_io sudoers.so
Plugin sudoers_audit sudoers.so
.Ed
.Pp
Starting with
.Nm sudo
version 1.9.1, some of the logging functionality of the
.Nm sudoers
plugin has been moved from the policy plugin to an audit plugin.
To maintain compatibility with
.Nm
files from older
.Nm sudo
versions, if
.Nm sudoers
is configured as the security policy, it will be used as an audit
plugin as well.
This guarantees that the logging behavior will be consistnet with that of
.Nm sudo
versions 1.9.0 and below.
.Pp
For more information on the
.Nm sudo
plugin architecture, see the
.Xr sudo_plugin @mansectform@
manual.
.Ss Path settings
A
.Li Path
line consists of the
.Li Path
keyword, followed by the name of the path to set and its value.
For example:
.Bd -literal -offset indent
Path intercept @intercept_file@
Path noexec @noexec_file@
Path askpass /usr/X11R6/bin/ssh-askpass
.Ed
.Pp
If no path name is specified, features relying on the specified
setting will be disabled.
Disabling
.Li Path
settings is only supported in
.Nm sudo
version 1.8.16 and higher.
.Pp
The following plugin-agnostic paths may be set in the
.Pa @sysconfdir@/sudo.conf
file:
.Bl -tag -width 8n
.It askpass
The fully qualified path to a helper program used to read the user's
password when no terminal is available.
This may be the case when
.Nm sudo
is executed from a graphical (as opposed to text-based) application.
The program specified by
.Em askpass
should display the argument passed to it as the prompt and write
the user's password to the standard output.
The value of
.Em askpass
may be overridden by the
.Ev SUDO_ASKPASS
environment variable.
.It devsearch
An ordered, colon-separated search path of directories to look in for
device nodes.
This is used when mapping the process's tty device number to a device name
on systems that do not provide such a mechanism.
Sudo will
.Em not
recurse into sub-directories.
If terminal devices may be located in a sub-directory of
.Pa /dev ,
that path must be explicitly listed in
.Em devsearch .
The default value is
.Li /dev/pts:/dev/vt:/dev/term:/dev/zcons:/dev/pty:/dev
.Pp
This option is ignored on systems that support either the
.Fn devname
or
.Fn _ttyname_dev
functions, for example
.Bx ,
macOS and Solaris.
.It intercept
The fully-qualified path to a shared library containing a wrappers for the
.Fn execl ,
.Fn execle ,
.Fn execlp ,
.Fn execv ,
.Fn execve ,
.Fn execvp ,
and
.Fn execvpe
library functions that intercepts attempts to run further commands and
performs a policy check before allowing them to be executed.
This is used to implement the
.Em intercept
functionality on systems that support
.Ev LD_PRELOAD
or its equivalent.
The default value is
.Pa @intercept_file@ .
.It noexec
The fully-qualified path to a shared library containing wrappers
for the
.Fn execl ,
.Fn execle ,
.Fn execlp ,
.Fn exect ,
.Fn execv ,
.Fn execve ,
.Fn execveat ,
.Fn execvP ,
.Fn execvp ,
.Fn execvpe ,
.Fn fexecve ,
.Fn popen ,
.Fn posix_spawn ,
.Fn posix_spawnp ,
.Fn system ,
and
.Fn wordexp
library functions that prevent the execution of further commands.
This is used to implement the
.Em noexec
functionality on systems that support
.Ev LD_PRELOAD
or its equivalent.
The default value is
.Pa @noexec_file@ .
.It plugin_dir
The default directory to use when searching for plugins
that are specified without a fully qualified path name.
The default value is
.Pa @plugindir@ .
.if \n(SL \{\
.It sesh
The fully-qualified path to the
.Nm sesh
binary.
This setting is only used when
.Nm sudo
is built with SELinux support.
The default value is
.Pa @sesh_file@ .
.\}
.El
.Ss Other settings
The
.Nm
file also supports the following front-end settings:
.Bl -tag -width 8n
.It disable_coredump
Core dumps of
.Nm sudo
itself are disabled by default to prevent the disclosure of potentially
sensitive information.
To aid in debugging
.Nm sudo
crashes, you may wish to re-enable core dumps by setting
.Dq disable_coredump
to false in
.Nm
as follows:
.Bd -literal -offset indent
Set disable_coredump false
.Ed
.Pp
All modern operating systems place restrictions on core dumps
from set-user-ID processes like
.Nm sudo
so this option can be enabled without compromising security.
To actually get a
.Nm sudo
core file you will likely need to enable core dumps for set-user-ID processes.
On
.Bx
and Linux systems this is accomplished in the
.Xr sysctl 8
command.
On Solaris, the
.Xr coreadm 1m
command is used to configure core dump behavior.
.Pp
This setting is only available in
.Nm sudo
version 1.8.4 and higher.
.It developer_mode
By default
.Nm sudo
refuses to load plugins which can be modified by other than the root user.
The plugin should be owned by root and write access permissions should be
disabled for
.Dq group
and
.Sm off
.Dq other
\&.
.Sm on
To make development of a plugin easier, you can disable that by setting
.Dq developer_mode
option to true in
.Nm sudo.conf
as follows:
.Bd -literal -offset indent
Set developer_mode true
.Ed
.Pp
Please note that this creates a security risk, so it is not recommended
on critical systems such as a desktop machine for daily use, but is intended
to be used in development environments (VM, container, etc).
Before enabling developer mode, ensure you understand the implications.
.Pp
This setting is only available in
.Nm sudo
version 1.9.0 and higher.
.It group_source
.Nm sudo
passes the invoking user's group list to the policy and I/O plugins.
On most systems, there is an upper limit to the number of groups that
a user may belong to simultaneously (typically 16 for compatibility
with NFS).
On systems with the
.Xr getconf 1
utility, running:
.Dl getconf NGROUPS_MAX
will return the maximum number of groups.
.Pp
However, it is still possible to be a member of a larger number of
groups--they simply won't be included in the group list returned
by the kernel for the user.
Starting with
.Nm sudo
version 1.8.7, if the user's kernel group list has the maximum number
of entries,
.Nm sudo
will consult the group database directly to determine the group list.
This makes it possible for the security policy to perform matching by group
name even when the user is a member of more than the maximum number of groups.
.Pp
The
.Em group_source
setting allows the administrator to change this default behavior.
Supported values for
.Em group_source
are:
.Bl -tag -width 8n
.It static
Use the static group list that the kernel returns.
Retrieving the group list this way is very fast but it is subject
to an upper limit as described above.
It is
.Dq static
in that it does not reflect changes to the group database made
after the user logs in.
This was the default behavior prior to
.Nm sudo
1.8.7.
.It dynamic
Always query the group database directly.
It is
.Dq dynamic
in that changes made to the group database after the user logs in
will be reflected in the group list.
On some systems, querying the group database for all of a user's
groups can be time consuming when querying a network-based group
database.
Most operating systems provide an efficient method of performing
such queries.
Currently,
.Nm sudo
supports efficient group queries on AIX,
.Bx ,
HP-UX, Linux, macOS and Solaris.
This is the default behavior on macOS in
.Nm sudo
1.9.6 and higher.
.It adaptive
Only query the group database if the static group list returned
by the kernel has the maximum number of entries.
This is the default behavior on systems other than macOS in
.Nm sudo
1.8.7 and higher.
.El
.Pp
For example, to cause
.Nm sudo
to only use the kernel's static list of groups for the user:
.Bd -literal -offset indent
Set group_source static
.Ed
.Pp
This setting is only available in
.Nm sudo
version 1.8.7 and higher.
.It max_groups
The maximum number of user groups to retrieve from the group database.
Values less than one or larger than 1024 will be ignored.
This setting is only used when querying the group database directly.
It is intended to be used on systems where it is not possible to detect
when the array to be populated with group entries is not sufficiently large.
By default,
.Nm sudo
will allocate four times the system's maximum number of groups (see above)
and retry with double that number if the group database query fails.
.Pp
This setting is only available in
.Nm sudo
version 1.8.7 and higher.
It should not be required in
.Nm sudo
versions 1.8.24 and higher and may be removed in a later release.
.It probe_interfaces
By default,
.Nm sudo
will probe the system's network interfaces and pass the IP address
of each enabled interface to the policy plugin.
This makes it possible for the plugin to match rules based on the IP address
without having to query DNS.
On Linux systems with a large number of virtual interfaces, this may
take a non-negligible amount of time.
If IP-based matching is not required, network interface probing
can be disabled as follows:
.Bd -literal -offset indent
Set probe_interfaces false
.Ed
.Pp
This setting is only available in
.Nm sudo
version 1.8.10 and higher.
.El
.Ss Debug settings
.Nm sudo
versions 1.8.4 and higher support a flexible debugging framework
that can log what
.Nm sudo
is doing internally if there is a problem.
.Pp
A
.Li Debug
line consists of the
.Li Debug
keyword, followed by the name of the program, plugin or shared object to debug,
the debug file name and a comma-separated list of debug flags.
The debug flag syntax used by
.Nm sudo ,
the
.Nm sudoers
plugin and its associated programs and shared objects is
.Em subsystem Ns @ Ns Em priority
but a third-party plugin is free to use a different format so long
as it does not include a comma
.Pq Ql \&, .
.Pp
Examples:
.Bd -literal -offset indent
Debug sudo /var/log/sudo_debug all@warn,plugin@info
.Ed
.Pp
would log all debugging statements at the
.Em warn
level and higher in addition to those at the
.Em info
level for the plugin subsystem.
.Bd -literal -offset indent
Debug sudo_intercept.so /var/log/intercept_debug all@debug
.Ed
.Pp
would log all debugging statements, regardless of level, for the
.Pa sudo_intercept.so
shared object that implements
.Nm sudo Ns 's
intercept functionality.
.Pp
As of
.Nm sudo
1.8.12, multiple
.Li Debug
entries may be specified per program.
Older versions of
.Nm sudo
only support a single
.Li Debug
entry per program.
Plugin-specific
.Li Debug
entries are also supported starting with
.Nm sudo
1.8.12 and are matched by either the base name of the plugin that was loaded
(for example
.Li sudoers.so )
or by the plugin's fully-qualified path name.
Previously, the
.Nm sudoers
plugin shared the same
.Li Debug
entry as the
.Nm sudo
front-end and could not be configured separately.
.Pp
The following priorities are supported, in order of decreasing severity:
.Em crit , err , warn , notice , diag , info , trace
and
.Em debug .
Each priority, when specified, also includes all priorities higher
than it.
For example, a priority of
.Em notice
would include debug messages logged at
.Em notice
and higher.
.Pp
The priorities
.Em trace
and
.Em debug
also include function call tracing which logs when a function is
entered and when it returns.
For example, the following trace is for the
.Fn get_user_groups
function located in src/sudo.c:
.Bd -literal -offset indent
sudo[123] -> get_user_groups @ src/sudo.c:385
sudo[123] <- get_user_groups @ src/sudo.c:429 := groups=10,0,5
.Ed
.Pp
When the function is entered, indicated by a right arrow
.Ql -> ,
the program, process ID, function, source file and line number
are logged.
When the function returns, indicated by a left arrow
.Ql <- ,
the same information is logged along with the return value.
In this case, the return value is a string.
.Pp
The following subsystems are used by the
.Nm sudo
front-end:
.Bl -tag -width Fl
.It Em all
matches every subsystem
.It Em args
command line argument processing
.It Em conv
user conversation
.It Em edit
sudoedit
.It Em event
event subsystem
.It Em exec
command execution
.It Em main
.Nm sudo
main function
.It Em netif
network interface handling
.It Em pcomm
communication with the plugin
.It Em plugin
plugin configuration
.It Em pty
pseudo-terminal related code
.It Em selinux
SELinux-specific handling
.It Em util
utility functions
.It Em utmp
utmp handling
.El
.Pp
The
.Xr sudoers @mansectform@
plugin includes support for additional subsystems.
.Sh FILES
.Bl -tag -width 24n
.It Pa @sysconfdir@/sudo.conf
.Nm sudo
front-end configuration
.El
.Sh EXAMPLES
.Bd -literal
#
# Default @sysconfdir@/sudo.conf file
#
# Sudo plugins:
# Plugin plugin_name plugin_path plugin_options ...
#
# The plugin_path is relative to @plugindir@ unless
# fully qualified.
# The plugin_name corresponds to a global symbol in the plugin
# that contains the plugin interface structure.
# The plugin_options are optional.
#
# The sudoers plugin is used by default if no Plugin lines are present.
#Plugin sudoers_policy sudoers.so
#Plugin sudoers_io sudoers.so
#Plugin sudoers_audit sudoers.so
#
# Sudo askpass:
# Path askpass /path/to/askpass
#
# An askpass helper program may be specified to provide a graphical
# password prompt for "sudo -A" support. Sudo does not ship with its
# own askpass program but can use the OpenSSH askpass.
#
# Use the OpenSSH askpass
#Path askpass /usr/X11R6/bin/ssh-askpass
#
# Use the Gnome OpenSSH askpass
#Path askpass /usr/libexec/openssh/gnome-ssh-askpass
#
# Sudo device search path:
# Path devsearch /dev/path1:/dev/path2:/dev
#
# A colon-separated list of paths to check when searching for a user's
# terminal device.
#
#Path devsearch /dev/pts:/dev/vt:/dev/term:/dev/zcons:/dev/pty:/dev
#
# Sudo command interception:
# Path intercept /path/to/sudo_intercept.so
#
# Path to a shared library containing replacements for the execv()
# and execve() library functions that perform a policy check to verify
# the command is allowed and simply return an error if not. This is
# used to implement the "intercept" functionality on systems that
# support LD_PRELOAD or its equivalent.
#
# The compiled-in value is usually sufficient and should only be changed
# if you rename or move the sudo_intercept.so file.
#
#Path intercept @plugindir@/sudo_intercept.so
#
# Sudo noexec:
# Path noexec /path/to/sudo_noexec.so
#
# Path to a shared library containing replacements for the execv()
# family of library functions that just return an error. This is
# used to implement the "noexec" functionality on systems that support
# LD_PRELOAD or its equivalent.
#
# The compiled-in value is usually sufficient and should only be changed
# if you rename or move the sudo_noexec.so file.
#
#Path noexec @plugindir@/sudo_noexec.so
#
# Sudo plugin directory:
# Path plugin_dir /path/to/plugins
#
# The default directory to use when searching for plugins that are
# specified without a fully qualified path name.
#
#Path plugin_dir @plugindir@
#
# Sudo developer mode:
# Set developer_mode true|false
#
# Allow loading of plugins that are owned by non-root or are writable
# by "group" or "other". Should only be used during plugin development.
#Set developer_mode true
#
# Core dumps:
# Set disable_coredump true|false
#
# By default, sudo disables core dumps while it is executing (they
# are re-enabled for the command that is run).
# To aid in debugging sudo problems, you may wish to enable core
# dumps by setting "disable_coredump" to false.
#
#Set disable_coredump false
#
# User groups:
# Set group_source static|dynamic|adaptive
#
# Sudo passes the user's group list to the policy plugin.
# If the user is a member of the maximum number of groups (usually 16),
# sudo will query the group database directly to be sure to include
# the full list of groups.
#
# On some systems, this can be expensive so the behavior is configurable.
# The "group_source" setting has three possible values:
# static - use the user's list of groups returned by the kernel.
# dynamic - query the group database to find the list of groups.
# adaptive - if user is in less than the maximum number of groups.
# use the kernel list, else query the group database.
#
#Set group_source static
#
# Sudo interface probing:
# Set probe_interfaces true|false
#
# By default, sudo will probe the system's network interfaces and
# pass the IP address of each enabled interface to the policy plugin.
# On systems with a large number of virtual interfaces this may take
# a noticeable amount of time.
#
#Set probe_interfaces false
#
# Sudo debug files:
# Debug program /path/to/debug_log subsystem@priority[,subsyste@priority]
#
# Sudo and related programs support logging debug information to a file.
# The program is typically sudo, sudoers.so, sudoreplay or visudo.
#
# Subsystems vary based on the program; "all" matches all subsystems.
# Priority may be crit, err, warn, notice, diag, info, trace or debug.
# Multiple subsystem@priority may be specified, separated by a comma.
#
#Debug sudo /var/log/sudo_debug all@debug
#Debug sudoers.so /var/log/sudoers_debug all@debug
.Ed
.Sh SEE ALSO
.Xr sudo_plugin @mansectform@ ,
.Xr sudoers @mansectform@ ,
.Xr sudo @mansectsu@
.Sh HISTORY
See the HISTORY file in the
.Nm sudo
distribution (https://www.sudo.ws/history.html) for a brief
history of sudo.
.Sh AUTHORS
Many people have worked on
.Nm sudo
over the years; this version consists of code written primarily by:
.Bd -ragged -offset indent
.An Todd C. Miller
.Ed
.Pp
See the CONTRIBUTORS file in the
.Nm sudo
distribution (https://www.sudo.ws/contributors.html) for an
exhaustive list of people who have contributed to
.Nm sudo .
.Sh BUGS
If you feel you have found a bug in
.Nm sudo ,
please submit a bug report at https://bugzilla.sudo.ws/
.Sh SUPPORT
Limited free support is available via the sudo-users mailing list,
see https://www.sudo.ws/mailman/listinfo/sudo-users to subscribe or
search the archives.
.Sh DISCLAIMER
.Nm sudo
is provided
.Dq AS IS
and any express or implied warranties, including, but not limited
to, the implied warranties of merchantability and fitness for a
particular purpose are disclaimed.
See the LICENSE file distributed with
.Nm sudo
or https://www.sudo.ws/license.html for complete details.

1495
docs/sudo.man.in Normal file
View File

File diff suppressed because it is too large Load Diff

76
docs/sudo.man.in.sed Normal file
View File

@@ -0,0 +1,76 @@
s/^\(.TH .*\)/.nr SL @SEMAN@\
.nr BA @BAMAN@\
.nr LC @LCMAN@\
.nr PS @PSMAN@\
\1/
s/^\(\[\\fB\\-a\\fR.*\\fItype\\fR\]\) *$/.if \\n(BA \1/
s/^\(\[\\fB\\-c\\fR.*\\fIclass\\fR\]\) *$/.if \\n(LC \1/
s/^\(\[\\fB\\-r\\fR.*\\fIrole\\fR\]\) *$/.if \\n(SL \1/
s/^\(\[\\fB\\-t\\fR.*\\fItype\\fR\]\) *$/.if \\n(SL \1/
/^\.TP 12n$/ {
N
/^\.TP 12n\n\\fB\\-a\\fR.*\\fItype\\fR$/,/^\.TP 12n/ {
/^\.TP 12n/ {
/^\.TP 12n\n\\fB\\-a\\fR.*\\fItype\\fR$/i\
.if \\n(BA \\{\\
/^\.TP 12n\n\\fB\\-a\\fR.*\\fItype\\fR$/!i\
.\\}
}
}
/^\.TP 12n\n\\fB\\-c\\fR.*\\fIclass\\fR$/,/^\.TP 12n/ {
/^\.TP 12n/ {
/^\.TP 12n\n\\fB\\-c\\fR.*\\fIclass\\fR$/i\
.if \\n(LC \\{\\
/^\.TP 12n\n\\fB\\-c\\fR.*\\fIclass\\fR$/!i\
.\\}
}
}
/^\.TP 12n\n\\fB\\-r\\fR.*\\fIrole\\fR$/,/^\.TP 12n/ {
/^\.TP 12n/ {
/^\.TP 12n\n\\fB\\-r\\fR.*\\fIrole\\fR$/i\
.if \\n(SL \\{\\
/^\.TP 12n\n\\fB\\-r\\fR.*\\fIrole\\fR$/!i\
.\\}
}
}
/^\.TP 12n\n\\fB\\-t\\fR.*\\fItype\\fR$/,/^\.TP 12n/ {
/^\.TP 12n/ {
/^\.TP 12n\n\\fB\\-t\\fR.*\\fItype\\fR$/i\
.if \\n(SL \\{\\
/^\.TP 12n\n\\fB\\-t\\fR.*\\fItype\\fR$/!i\
.\\}
}
}
}
/^\.TP 3n$/ {
N
N
/^.TP 3n\n\\fB\\(bu\\fR\nSELinux role and type$/ {
i\
.if \\n(SL \\{\\
a\
.\\}
}
/^.TP 3n\n\\fB\\(bu\\fR\nSolaris project$/ {
i\
.if \\n(PS \\{\\
a\
.\\}
}
/^.TP 3n\n\\fB\\(bu\\fR\nSolaris privileges$/ {
i\
.if \\n(PS \\{\\
a\
.\\}
}
/^.TP 3n\n\\fB\\(bu\\fR\nBSD$/ {
N
i\
.if \\n(LC \\{\\
a\
.\\}
}
}

1383
docs/sudo.mdoc.in Normal file
View File

File diff suppressed because it is too large Load Diff

918
docs/sudo_logsrv.proto.man.in Normal file
View File

@@ -0,0 +1,918 @@
.\" Automatically generated from an mdoc input file. Do not edit.
.\"
.\" SPDX-License-Identifier: ISC
.\"
.\" Copyright (c) 2019-2020 Todd C. Miller <Todd.Miller@sudo.ws>
.\"
.\" Permission to use, copy, modify, and distribute this software for any
.\" purpose with or without fee is hereby granted, provided that the above
.\" copyright notice and this permission notice appear in all copies.
.\"
.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
.\"
.TH "SUDO_LOGSRV.PROTO" "@mansectform@" "August 3, 2021" "Sudo @PACKAGE_VERSION@" "File Formats Manual"
.nh
.if n .ad l
.SH "NAME"
\fBsudo_logsrv.proto\fR
\- Sudo log server protocol
.SH "DESCRIPTION"
Starting with version 1.9.0,
\fBsudo\fR
supports sending event and I/O logs to a log server.
The protocol used is written in Google's Protocol Buffers domain
specific language.
The
\fIEXAMPLES\fR
section includes a complete description of the protocol in Protocol
Buffers format.
.PP
Because there is no way to determine message boundaries when using
Protocol Buffers, the wire size of each message is sent immediately
preceding the message itself as a 32-bit unsigned integer in network
byte order.
This is referred to as
\(lqlength-prefix framing\(rq
and is how Google suggests handling the lack of message delimiters.
.PP
The protocol is made up of two basic messages,
\fIClientMessage\fR
and
\fIServerMessage\fR,
described below.
The server must accept messages up to two megabytes in size.
The server may return an error if the client tries to send a message
larger than two megabytes.
.SH "Client Messages"
A
\fIClientMessage\fR
is a container used to encapsulate all the possible message types
a client may send to the server.
.nf
.sp
.RS 0n
message ClientMessage {
oneof type {
AcceptMessage accept_msg = 1;
RejectMessage reject_msg = 2;
ExitMessage exit_msg = 3;
RestartMessage restart_msg = 4;
AlertMessage alert_msg = 5;
IoBuffer ttyin_buf = 6;
IoBuffer ttyout_buf = 7;
IoBuffer stdin_buf = 8;
IoBuffer stdout_buf = 9;
IoBuffer stderr_buf = 10;
ChangeWindowSize winsize_event = 11;
CommandSuspend suspend_event = 12;
ClientHello hello_msg = 13;
}
}
.RE
.fi
.PP
The different
\fIClientMessage\fR
sub-messages the client may sent to the server are described below.
.SS "TimeSpec"
.nf
.RS 0n
message TimeSpec {
int64 tv_sec = 1;
int32 tv_nsec = 2;
}
.RE
.fi
.PP
A
\fITimeSpec\fR
is the equivalent of a POSIX
\fRstruct timespec\fR,
containing seconds and nanoseconds members.
The
\fItv_sec\fR
member is a 64-bit integer to support dates after the year 2038.
.SS "InfoMessage"
.nf
.RS 0n
message InfoMessage {
message StringList {
repeated string strings = 1;
}
message NumberList {
repeated int64 numbers = 1;
}
string key = 1;
oneof value {
int64 numval = 2;
string strval = 3;
StringList strlistval = 4;
NumberList numlistval = 5;
}
}
.RE
.fi
.PP
An
\fIInfoMessage\fR
is used to represent information about the invoking user as well as the
execution environment the command runs in the form of key-value pairs.
The key is always a string but the value may be a 64-bit integer,
a string, an array of strings or an array of 64-bit integers.
The event log data is composed of
\fIInfoMessage\fR
entries.
See the
\fIEVENT LOG VARIABLES\fR
section for more information.
.SS "ClientHello hello_msg"
.nf
.RS 0n
message ClientHello {
string client_id = 1;
}
.RE
.fi
.PP
A
\fIClientHello\fR
message consists of client information that may be sent to the
server when the client first connects.
.TP 8n
client_id
A free-form client description.
This usually includes the name and version of the client implementation.
.SS "AcceptMessage accept_msg"
.nf
.RS 0n
message AcceptMessage {
TimeSpec submit_time = 1;
repeated InfoMessage info_msgs = 2;
bool expect_iobufs = 3;
}
.RE
.fi
.PP
An
\fIAcceptMessage\fR
is sent by the client when a command is allowed by the security policy.
It contains the following members:
.TP 8n
submit_time
The wall clock time when the command was submitted to the security policy.
.TP 8n
info_msgs
An array of
\fIInfoMessage\fR
describing the user who submitted the command as well as the execution
environment of the command.
This information is used to generate an event log entry and may also be
used by server to determine where and how the I/O log is stored.
.TP 8n
expect_iobufs
Set to true if the server should expect
\fIIoBuffer\fR
messages to follow (for I/O logging) or false if the server should only
store the event log.
.PP
If an
\fIAcceptMessage\fR
is sent, the client must not send a
\fIRejectMessage\fR
or
\fIRestartMessage\fR.
.SS "RejectMessage reject_msg"
.nf
.RS 0n
message RejectMessage {
TimeSpec submit_time = 1;
string reason = 2;
repeated InfoMessage info_msgs = 3;
}
.RE
.fi
.PP
A
\fIRejectMessage\fR
is sent by the client when a command is denied by the security policy.
It contains the following members:
.TP 8n
submit_time
The wall clock time when the command was submitted to the security policy.
.TP 8n
reason
The reason the security policy gave for denying the command.
.TP 8n
info_msgs
An array of
\fIInfoMessage\fR
describing the user who submitted the command as well as the execution
environment of the command.
This information is used to generate an event log entry.
.PP
If a
\fIRejectMessage\fR
is sent, the client must not send an
\fIAcceptMessage\fR
or
\fIRestartMessage\fR.
.SS "ExitMessage exit_msg"
.nf
.RS 0n
message ExitMessage {
TimeSpec run_time = 1;
int32 exit_value = 2;
bool dumped_core = 3;
string signal = 4;
string error = 5;
}
.PP
.RE
.fi
An
\fIExitMessage\fR
is sent by the client after the command has exited or has been
terminated by a signal.
It contains the following members:
.TP 8n
run_time
The total amount of elapsed time since the command started,
calculated using a monotonic clock where possible.
This is not the wall clock time.
.TP 8n
exit_value
The command's exit value in the range 0-255.
.TP 8n
dumped_core
True if the command was terminated by a signal and dumped core.
.TP 8n
signal
If the command was terminated by a signal, this is set to the
name of the signal without the leading
\(lqSIG\(rq.
For example,
\fRINT\fR,
\fRTERM\fR,
\fRKILL\fR,
\fRSEGV\fR.
.TP 8n
error
A message from the client indicating that the command was terminated
unexpectedly due to an error.
.PP
When performing I/O logging, the client should wait for a
\fIcommit_point\fR
corresponding to the final
\fIIoBuffer\fR
before closing the connection unless the final
\fIcommit_point\fR
has already been received.
.SS "RestartMessage restart_msg"
.nf
.RS 0n
message RestartMessage {
string log_id = 1;
TimeSpec resume_point = 2;
}
.RE
.fi
.PP
A
\fIRestartMessage\fR
is sent by the client to resume sending an existing I/O log that
was previously interrupted.
It contains the following members:
.TP 8n
log_id
The the server-side name for an I/O log that was previously
sent to the client by the server.
This may be a path name on the server or some other kind of server-side
identifier.
.TP 8n
resume_point
The point in time after which to resume the I/O log.
This is in the form of a
\fITimeSpec\fR
representing the amount of time since the command started, not
the wall clock time.
The
\fIresume_point\fR
should correspond to a
\fIcommit_point\fR
previously sent to the client by the server.
If the server receives a
\fIRestartMessage\fR
containing a
\fIresume_point\fR
it has not previously seen, an error will be returned to the client
and the connection will be dropped.
.PP
If a
\fIRestartMessage\fR
is sent, the client must not send an
\fIAcceptMessage\fR
or
\fIRejectMessage\fR.
.SS "AlertMessage alert_msg"
.nf
.RS 0n
message AlertMessage {
TimeSpec alert_time = 1;
string reason = 2;
repeated InfoMessage info_msgs = 3;
}
.RE
.fi
.PP
An
\fIAlertMessage\fR
is sent by the client to indicate a problem detected by the security
policy while the command is running that should be stored in the event log.
It contains the following members:
.TP 8n
alert_time
The wall clock time when the alert occurred.
.TP 8n
reason
The reason for the alert.
.TP 8n
info_msgs
An optional array of
\fIInfoMessage\fR
describing the user who submitted the command as well as the execution
environment of the command.
This information is used to generate an event log entry.
.SS "IoBuffer ttyin_buf | ttyout_buf | stdin_buf | stdout_buf | stderr_buf"
.nf
.RS 0n
message IoBuffer {
TimeSpec delay = 1;
bytes data = 2;
}
.RE
.fi
.PP
An
\fIIoBuffer\fR
is used to represent data from terminal input, terminal
output, standard input, standard output or standard error.
It contains the following members:
.TP 8n
delay
The elapsed time since the last record in the form of a
\fITimeSpec\fR.
The
\fIdelay\fR
should be calculated using a monotonic clock where possible.
.TP 8n
data
The binary I/O log data from terminal input, terminal output,
standard input, standard output or standard error.
.SS "ChangeWindowSize winsize_event"
.nf
.RS 0n
message ChangeWindowSize {
TimeSpec delay = 1;
int32 rows = 2;
int32 cols = 3;
}
.RE
.fi
.PP
A
\fIChangeWindowSize\fR
message is sent by the client when the terminal running the command
changes size.
It contains the following members:
.TP 8n
delay
The elapsed time since the last record in the form of a
\fITimeSpec\fR.
The
\fIdelay\fR
should be calculated using a monotonic clock where possible.
.TP 8n
rows
The new number of terminal rows.
.TP 8n
cols
The new number of terminal columns.
.SS "CommandSuspend suspend_event"
.nf
.RS 0n
message CommandSuspend {
TimeSpec delay = 1;
string signal = 2;
}
.RE
.fi
.PP
A
\fICommandSuspend\fR
message is sent by the client when the command is either suspended
or resumed.
It contains the following members:
.TP 8n
delay
The elapsed time since the last record in the form of a
\fITimeSpec\fR.
The
\fIdelay\fR
should be calculated using a monotonic clock where possible.
.TP 8n
signal
The signal name without the leading
\(lqSIG\(rq.
For example,
\fRSTOP\fR,
\fRTSTP\fR,
\fRCONT\fR.
.SH "Server Messages"
A
\fIServerMessage\fR
is a container used to encapsulate all the possible message types
the server may send to a client.
.nf
.sp
.RS 0n
message ServerMessage {
oneof type {
ServerHello hello = 1;
TimeSpec commit_point = 2;
string log_id = 3;
string error = 4;
string abort = 5;
}
}
.RE
.fi
.PP
The different
\fIServerMessage\fR
sub-messages the server may sent to the client are described below.
.SS "ServerHello hello"
.nf
.RS 0n
message ServerHello {
string server_id = 1;
string redirect = 2;
repeated string servers = 3;
bool subcommands = 4;
}
.RE
.fi
.PP
The
\fIServerHello\fR
message consists of server information sent when the client first connects.
It contains the following members:
.TP 8n
server_id
A free-form server description.
Usually this includes the name and version of the implementation
running on the log server.
This member is always present.
.TP 8n
redirect
A host and port separated by a colon
(\(oq\(cq):
that the client should connect to instead.
The host may be a host name, an IPv4 address, or an IPv6 address
in square brackets.
This may be used for server load balancing.
The server will disconnect after sending the
\fIServerHello\fR
when it includes a
\fBredirect\fR.
.TP 8n
servers
.br
A list of other known log servers.
This can be used to implement log server redundancy and allows the
client to discover all other log servers simply by connecting to
one known server.
This member may be omitted when there is only a single log server.
.TP 8n
subcommands
If set, the server supports logging additional commands during a session.
The client may send an
\fIAcceptMessage\fR
or
\fIRejectMessage\fR
when
\fBsudo\fR
is running in
\fIintercept\fR
mode.
In this mode, commands spawned from the initial command authorized by
\fBsudo\fR
are subject to policy restrictions and/or are logged.
If
\fIsubcommands\fR
is false, the client must not attempt to log additional commands.
.SS "TimeSpec commit_point"
A periodic time stamp sent by the server to indicate when I/O log
buffers have been committed to storage.
This message is not sent after every
\fIIoBuffer\fR
but rather at a server-configurable interval.
When the server receives an
\fIExitMessage\fR,
it will respond with a
\fIcommit_point\fR
corresponding to the last received
\fIIoBuffer\fR
before closing the connection.
.SS "string log_id"
The server-side ID of the I/O log being stored, sent in response
to an
\fIAcceptMessage\fR
where
\fIexpect_iobufs\fR
is true.
.SS "string error"
A fatal server-side error.
The server will close the connection after sending the
\fIerror\fR
message.
.SS "string abort"
An
\fIabort\fR
message from the server indicates that the client should kill the
command and terminate the session.
It may be used to implement simple server-side policy.
The server will close the connection after sending the
\fIabort\fR
message.
.SH "Protocol flow of control"
The expected protocol flow is as follows:
.TP 5n
1.\&
Client connects to the first available server.
If the client is configured to use TLS, a TLS handshake will be
attempted.
.TP 5n
2.\&
Client sends
\fIClientHello\fR.
This is currently optional but allows the server to detect a
non-TLS connection on the TLS port.
.TP 5n
3.\&
Server sends
\fIServerHello\fR.
.TP 5n
4.\&
Client responds with either
\fIAcceptMessage\fR,
\fIRejectMessage\fR,
or
\fIRestartMessage\fR.
.TP 5n
5.\&
If client sent a
\fIAcceptMessage\fR
with
\fIexpect_iobufs\fR
set, server creates a new I/O log and responds with a
\fIlog_id\fR.
.TP 5n
6.\&
Client sends zero or more
\fIIoBuffer\fR
messages.
.TP 5n
7.\&
Server periodically responds to
\fIIoBuffer\fR
messages with a
\fIcommit_point\fR.
.TP 5n
8.\&
Client sends an
\fIExitMessage\fR
when the command exits or is killed.
.TP 5n
9.\&
Server sends the final
\fIcommit_point\fR
if one is pending.
.TP 5n
10.\&
Server closes the connection.
After receiving the final
\fIcommit_point\fR,
the client shuts down its side of the TLS connection if TLS
is in use, and closes the connection.
.TP 5n
11.\&
Server shuts down its side of the TLS connection if TLS is in use,
and closes the connection.
.PP
At any point, the server may send an
\fIerror\fR
or
\fIabort\fR
message to the client at which point the server will close the
connection.
If an
\fIabort\fR
message is received, the client should terminate the running command.
.SH "EVENT LOG VARIABLES"
\fIAcceptMessage\fR,
\fIAlertMessage\fR
and
\fIRejectMessage\fR
classes contain an array of
\fIInfoMessage\fR
that should contain information about the user who submitted the command
as well as information about the execution environment of the command
if it was accepted.
.PP
Some variables have a
\fIclient\fR,
\fIrun\fR,
or
\fIsubmit\fR
prefix.
These prefixes are used to eliminate ambiguity for variables that
could apply to the client program, the user submitting the command,
or the command being run.
Variables with a
\fIclient\fR
prefix pertain to the program performing the connection to the log
server, for example
\fBsudo\fR.
Variables with a
\fIrun\fR
prefix pertain to the command that the user requested be run.
Variables with a
\fIsubmit\fR
prefix pertain to the user submitting the request
(the user running \fBsudo\fR).
.PP
The following
\fIInfoMessage\fR
entries are required:
.TS
l l l.
.PP
\fBKey\fR \fBType\fR \fBDescription\fR
.PP
command string command that was submitted
.PP
runuser string name of user the command was run as
.PP
submithost string name of host the command was submitted on
.PP
submituser string name of user submitting the command
.TE
.PP
The following
\fIInfoMessage\fR
entries are recognized, but not required:
.TS
l l l.
.PP
\fBKey\fR \fBType\fR \fBDescription\fR
.PP
clientargv StringList client's original argument vector
.PP
clientpid int64 client's process ID
.PP
clientppid int64 client's parent process ID
.PP
clientsid int64 client's terminal session ID
.PP
columns int64 number of columns in the terminal
.PP
lines int64 number of lines in the terminal
.PP
runargv StringList argument vector of command to run
.PP
runchroot string root directory of command to run
.PP
runcwd string running command's working directory
.PP
runenv StringList the running command's environment
.PP
rungid int64 primary group-ID of the command
.PP
rungids NumberList supplementary group-IDs for the command
.PP
rungroup string primary group name of the command
.PP
rungroups StringList supplementary group names for the command
.PP
runuid int64 run user's user-ID
.PP
submitcwd string submit user's current working directory
.PP
submitenv StringList the submit user's environment
.PP
submitgid int64 submit user's primary group-ID
.PP
submitgids NumberList submit user's supplementary group-IDs
.PP
submitgroup string submitting user's primary group name
.PP
submitgroups StringList submit user's supplementary group names
.PP
submituid int64 submit user's user-ID
.PP
ttyname string the terminal the command was submitted from
.TE
.PP
The server must accept other variables not listed above but may
ignore them.
.SH "EXAMPLES"
The Protocol Buffers description of the log server protocol is included
in full below.
Note that this uses the newer
\(lqproto3\(rq
syntax.
.nf
.sp
.RS 0n
syntax = "proto3";
/*
* Client message to the server. Messages on the wire are
* prefixed with a 32-bit size in network byte order.
*/
message ClientMessage {
oneof type {
AcceptMessage accept_msg = 1;
RejectMessage reject_msg = 2;
ExitMessage exit_msg = 3;
RestartMessage restart_msg = 4;
AlertMessage alert_msg = 5;
IoBuffer ttyin_buf = 6;
IoBuffer ttyout_buf = 7;
IoBuffer stdin_buf = 8;
IoBuffer stdout_buf = 9;
IoBuffer stderr_buf = 10;
ChangeWindowSize winsize_event = 11;
CommandSuspend suspend_event = 12;
}
}
/* Equivalent of POSIX struct timespec */
message TimeSpec {
int64 tv_sec = 1; /* seconds */
int32 tv_nsec = 2; /* nanoseconds */
}
/* I/O buffer with keystroke data */
message IoBuffer {
TimeSpec delay = 1; /* elapsed time since last record */
bytes data = 2; /* keystroke data */
}
/*
* Key/value pairs, like Privilege Manager struct info.
* The value may be a number, a string, or a list of strings.
*/
message InfoMessage {
message StringList {
repeated string strings = 1;
}
message NumberList {
repeated int64 numbers = 1;
}
string key = 1;
oneof value {
int64 numval = 2;
string strval = 3;
StringList strlistval = 4;
NumberList numlistval = 5;
}
}
/*
* Event log data for command accepted by the policy.
*/
message AcceptMessage {
TimeSpec submit_time = 1; /* when command was submitted */
repeated InfoMessage info_msgs = 2; /* key,value event log data */
bool expect_iobufs = 3; /* true if I/O logging enabled */
}
/*
* Event log data for command rejected by the policy.
*/
message RejectMessage {
TimeSpec submit_time = 1; /* when command was submitted */
string reason = 2; /* reason command was rejected */
repeated InfoMessage info_msgs = 3; /* key,value event log data */
}
/* Message sent by client when command exits. */
/* Might revisit runtime and use end_time instead */
message ExitMessage {
TimeSpec run_time = 1; /* total elapsed run time */
int32 exit_value = 2; /* 0-255 */
bool dumped_core = 3; /* true if command dumped core */
string signal = 4; /* signal name if killed by signal */
string error = 5; /* if killed due to other error */
}
/* Alert message, policy module-specific. */
message AlertMessage {
TimeSpec alert_time = 1; /* time alert message occurred */
string reason = 2; /* policy alert error string */
repeated InfoMessage info_msgs = 3; /* key,value event log data */
}
/* Used to restart an existing I/O log on the server. */
message RestartMessage {
string log_id = 1; /* ID of log being restarted */
TimeSpec resume_point = 2; /* resume point (elapsed time) */
}
/* Window size change event. */
message ChangeWindowSize {
TimeSpec delay = 1; /* elapsed time since last record */
int32 rows = 2; /* new number of rows */
int32 cols = 3; /* new number of columns */
}
/* Command suspend/resume event. */
message CommandSuspend {
TimeSpec delay = 1; /* elapsed time since last record */
string signal = 2; /* signal that caused suspend/resume */
}
/*
* Server messages to the client. Messages on the wire are
* prefixed with a 32-bit size in network byte order.
*/
message ServerMessage {
oneof type {
ServerHello hello = 1; /* server hello message */
TimeSpec commit_point = 2; /* cumulative time of records stored */
string log_id = 3; /* ID of server-side I/O log */
string error = 4; /* error message from server */
string abort = 5; /* abort message, kill command */
}
}
/* Hello message from server when client connects. */
message ServerHello {
string server_id = 1; /* free-form server description */
string redirect = 2; /* optional redirect if busy */
repeated string servers = 3; /* optional list of known servers */
}
.RE
.fi
.SH "SEE ALSO"
sudo_logsrvd.conf(@mansectform@),
sudoers(@mansectform@),
sudo(8),
sudo_logsrvd(8)
.PP
\fIProtocol Buffers\fR,
https://developers.google.com/protocol-buffers/.
.SH "HISTORY"
See the HISTORY file in the
\fBsudo\fR
distribution (https://www.sudo.ws/history.html) for a brief
history of sudo.
.SH "AUTHORS"
Many people have worked on
\fBsudo\fR
over the years; this version consists of code written primarily by:
.sp
.RS 6n
Todd C. Miller
.RE
.PP
See the CONTRIBUTORS file in the
\fBsudo\fR
distribution (https://www.sudo.ws/contributors.html) for an
exhaustive list of people who have contributed to
\fBsudo\fR.
.SH "BUGS"
If you feel you have found a bug in
\fBsudo\fR,
please submit a bug report at https://bugzilla.sudo.ws/
.SH "SUPPORT"
Limited free support is available via the sudo-users mailing list,
see https://www.sudo.ws/mailman/listinfo/sudo-users to subscribe or
search the archives.
.SH "DISCLAIMER"
\fBsudo\fR
is provided
\(lqAS IS\(rq
and any express or implied warranties, including, but not limited
to, the implied warranties of merchantability and fitness for a
particular purpose are disclaimed.
See the LICENSE file distributed with
\fBsudo\fR
or https://www.sudo.ws/license.html for complete details.

835
docs/sudo_logsrv.proto.mdoc.in Normal file
View File

@@ -0,0 +1,835 @@
.\"
.\" SPDX-License-Identifier: ISC
.\"
.\" Copyright (c) 2019-2020 Todd C. Miller <Todd.Miller@sudo.ws>
.\"
.\" Permission to use, copy, modify, and distribute this software for any
.\" purpose with or without fee is hereby granted, provided that the above
.\" copyright notice and this permission notice appear in all copies.
.\"
.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
.\"
.Dd August 3, 2021
.Dt SUDO_LOGSRV.PROTO @mansectform@
.Os Sudo @PACKAGE_VERSION@
.Sh NAME
.Nm sudo_logsrv.proto
.Nd Sudo log server protocol
.Sh DESCRIPTION
Starting with version 1.9.0,
.Nm sudo
supports sending event and I/O logs to a log server.
The protocol used is written in Google's Protocol Buffers domain
specific language.
The
.Sx EXAMPLES
section includes a complete description of the protocol in Protocol
Buffers format.
.Pp
Because there is no way to determine message boundaries when using
Protocol Buffers, the wire size of each message is sent immediately
preceding the message itself as a 32-bit unsigned integer in network
byte order.
This is referred to as
.Dq length-prefix framing
and is how Google suggests handling the lack of message delimiters.
.Pp
The protocol is made up of two basic messages,
.Em ClientMessage
and
.Em ServerMessage ,
described below.
The server must accept messages up to two megabytes in size.
The server may return an error if the client tries to send a message
larger than two megabytes.
.Sh Client Messages
A
.Em ClientMessage
is a container used to encapsulate all the possible message types
a client may send to the server.
.Bd -literal
message ClientMessage {
oneof type {
AcceptMessage accept_msg = 1;
RejectMessage reject_msg = 2;
ExitMessage exit_msg = 3;
RestartMessage restart_msg = 4;
AlertMessage alert_msg = 5;
IoBuffer ttyin_buf = 6;
IoBuffer ttyout_buf = 7;
IoBuffer stdin_buf = 8;
IoBuffer stdout_buf = 9;
IoBuffer stderr_buf = 10;
ChangeWindowSize winsize_event = 11;
CommandSuspend suspend_event = 12;
ClientHello hello_msg = 13;
}
}
.Ed
.Pp
The different
.Em ClientMessage
sub-messages the client may sent to the server are described below.
.Ss TimeSpec
.Bd -literal
message TimeSpec {
int64 tv_sec = 1;
int32 tv_nsec = 2;
}
.Ed
.Pp
A
.Em TimeSpec
is the equivalent of a POSIX
.Li struct timespec ,
containing seconds and nanoseconds members.
The
.Em tv_sec
member is a 64-bit integer to support dates after the year 2038.
.Ss InfoMessage
.Bd -literal
message InfoMessage {
message StringList {
repeated string strings = 1;
}
message NumberList {
repeated int64 numbers = 1;
}
string key = 1;
oneof value {
int64 numval = 2;
string strval = 3;
StringList strlistval = 4;
NumberList numlistval = 5;
}
}
.Ed
.Pp
An
.Em InfoMessage
is used to represent information about the invoking user as well as the
execution environment the command runs in the form of key-value pairs.
The key is always a string but the value may be a 64-bit integer,
a string, an array of strings or an array of 64-bit integers.
The event log data is composed of
.Em InfoMessage
entries.
See the
.Sx EVENT LOG VARIABLES
section for more information.
.Ss ClientHello hello_msg
.Bd -literal
message ClientHello {
string client_id = 1;
}
.Ed
.Pp
A
.Em ClientHello
message consists of client information that may be sent to the
server when the client first connects.
.Bl -tag -width Ds
.It client_id
A free-form client description.
This usually includes the name and version of the client implementation.
.El
.Ss AcceptMessage accept_msg
.Bd -literal
message AcceptMessage {
TimeSpec submit_time = 1;
repeated InfoMessage info_msgs = 2;
bool expect_iobufs = 3;
}
.Ed
.Pp
An
.Em AcceptMessage
is sent by the client when a command is allowed by the security policy.
It contains the following members:
.Bl -tag -width Ds
.It submit_time
The wall clock time when the command was submitted to the security policy.
.It info_msgs
An array of
.Em InfoMessage
describing the user who submitted the command as well as the execution
environment of the command.
This information is used to generate an event log entry and may also be
used by server to determine where and how the I/O log is stored.
.It expect_iobufs
Set to true if the server should expect
.Em IoBuffer
messages to follow (for I/O logging) or false if the server should only
store the event log.
.El
.Pp
If an
.Em AcceptMessage
is sent, the client must not send a
.Em RejectMessage
or
.Em RestartMessage .
.Ss RejectMessage reject_msg
.Bd -literal
message RejectMessage {
TimeSpec submit_time = 1;
string reason = 2;
repeated InfoMessage info_msgs = 3;
}
.Ed
.Pp
A
.Em RejectMessage
is sent by the client when a command is denied by the security policy.
It contains the following members:
.Bl -tag -width Ds
.It submit_time
The wall clock time when the command was submitted to the security policy.
.It reason
The reason the security policy gave for denying the command.
.It info_msgs
An array of
.Em InfoMessage
describing the user who submitted the command as well as the execution
environment of the command.
This information is used to generate an event log entry.
.El
.Pp
If a
.Em RejectMessage
is sent, the client must not send an
.Em AcceptMessage
or
.Em RestartMessage .
.Ss ExitMessage exit_msg
.Bd -literal
message ExitMessage {
TimeSpec run_time = 1;
int32 exit_value = 2;
bool dumped_core = 3;
string signal = 4;
string error = 5;
}
.Pp
.Ed
An
.Em ExitMessage
is sent by the client after the command has exited or has been
terminated by a signal.
It contains the following members:
.Bl -tag -width Ds
.It run_time
The total amount of elapsed time since the command started,
calculated using a monotonic clock where possible.
This is not the wall clock time.
.It exit_value
The command's exit value in the range 0-255.
.It dumped_core
True if the command was terminated by a signal and dumped core.
.It signal
If the command was terminated by a signal, this is set to the
name of the signal without the leading
.Dq SIG .
For example,
.Li INT ,
.Li TERM ,
.Li KILL ,
.Li SEGV .
.It error
A message from the client indicating that the command was terminated
unexpectedly due to an error.
.El
.Pp
When performing I/O logging, the client should wait for a
.Em commit_point
corresponding to the final
.Em IoBuffer
before closing the connection unless the final
.Em commit_point
has already been received.
.Ss RestartMessage restart_msg
.Bd -literal
message RestartMessage {
string log_id = 1;
TimeSpec resume_point = 2;
}
.Ed
.Pp
A
.Em RestartMessage
is sent by the client to resume sending an existing I/O log that
was previously interrupted.
It contains the following members:
.Bl -tag -width Ds
.It log_id
The the server-side name for an I/O log that was previously
sent to the client by the server.
This may be a path name on the server or some other kind of server-side
identifier.
.It resume_point
The point in time after which to resume the I/O log.
This is in the form of a
.Em TimeSpec
representing the amount of time since the command started, not
the wall clock time.
The
.Em resume_point
should correspond to a
.Em commit_point
previously sent to the client by the server.
If the server receives a
.Em RestartMessage
containing a
.Em resume_point
it has not previously seen, an error will be returned to the client
and the connection will be dropped.
.El
.Pp
If a
.Em RestartMessage
is sent, the client must not send an
.Em AcceptMessage
or
.Em RejectMessage .
.Ss AlertMessage alert_msg
.Bd -literal
message AlertMessage {
TimeSpec alert_time = 1;
string reason = 2;
repeated InfoMessage info_msgs = 3;
}
.Ed
.Pp
An
.Em AlertMessage
is sent by the client to indicate a problem detected by the security
policy while the command is running that should be stored in the event log.
It contains the following members:
.Bl -tag -width Ds
.It alert_time
The wall clock time when the alert occurred.
.It reason
The reason for the alert.
.It info_msgs
An optional array of
.Em InfoMessage
describing the user who submitted the command as well as the execution
environment of the command.
This information is used to generate an event log entry.
.El
.Ss IoBuffer ttyin_buf | ttyout_buf | stdin_buf | stdout_buf | stderr_buf
.Bd -literal
message IoBuffer {
TimeSpec delay = 1;
bytes data = 2;
}
.Ed
.Pp
An
.Em IoBuffer
is used to represent data from terminal input, terminal
output, standard input, standard output or standard error.
It contains the following members:
.Bl -tag -width Ds
.It delay
The elapsed time since the last record in the form of a
.Em TimeSpec .
The
.Em delay
should be calculated using a monotonic clock where possible.
.It data
The binary I/O log data from terminal input, terminal output,
standard input, standard output or standard error.
.El
.Ss ChangeWindowSize winsize_event
.Bd -literal
message ChangeWindowSize {
TimeSpec delay = 1;
int32 rows = 2;
int32 cols = 3;
}
.Ed
.Pp
A
.Em ChangeWindowSize
message is sent by the client when the terminal running the command
changes size.
It contains the following members:
.Bl -tag -width Ds
.It delay
The elapsed time since the last record in the form of a
.Em TimeSpec .
The
.Em delay
should be calculated using a monotonic clock where possible.
.It rows
The new number of terminal rows.
.It cols
The new number of terminal columns.
.El
.Ss CommandSuspend suspend_event
.Bd -literal
message CommandSuspend {
TimeSpec delay = 1;
string signal = 2;
}
.Ed
.Pp
A
.Em CommandSuspend
message is sent by the client when the command is either suspended
or resumed.
It contains the following members:
.Bl -tag -width Ds
.It delay
The elapsed time since the last record in the form of a
.Em TimeSpec .
The
.Em delay
should be calculated using a monotonic clock where possible.
.It signal
The signal name without the leading
.Dq SIG .
For example,
.Li STOP ,
.Li TSTP ,
.Li CONT .
.El
.Sh Server Messages
A
.Em ServerMessage
is a container used to encapsulate all the possible message types
the server may send to a client.
.Bd -literal
message ServerMessage {
oneof type {
ServerHello hello = 1;
TimeSpec commit_point = 2;
string log_id = 3;
string error = 4;
string abort = 5;
}
}
.Ed
.Pp
The different
.Em ServerMessage
sub-messages the server may sent to the client are described below.
.Ss ServerHello hello
.Bd -literal
message ServerHello {
string server_id = 1;
string redirect = 2;
repeated string servers = 3;
bool subcommands = 4;
}
.Ed
.Pp
The
.Em ServerHello
message consists of server information sent when the client first connects.
It contains the following members:
.Bl -tag -width Ds
.It server_id
A free-form server description.
Usually this includes the name and version of the implementation
running on the log server.
This member is always present.
.It redirect
A host and port separated by a colon
.Pq Ql :
that the client should connect to instead.
The host may be a host name, an IPv4 address, or an IPv6 address
in square brackets.
This may be used for server load balancing.
The server will disconnect after sending the
.Em ServerHello
when it includes a
.Sy redirect .
.It servers
A list of other known log servers.
This can be used to implement log server redundancy and allows the
client to discover all other log servers simply by connecting to
one known server.
This member may be omitted when there is only a single log server.
.It subcommands
If set, the server supports logging additional commands during a session.
The client may send an
.Em AcceptMessage
or
.Em RejectMessage
when
.Nm sudo
is running in
.Em intercept
mode.
In this mode, commands spawned from the initial command authorized by
.Nm sudo
are subject to policy restrictions and/or are logged.
If
.Em subcommands
is false, the client must not attempt to log additional commands.
.El
.Ss TimeSpec commit_point
A periodic time stamp sent by the server to indicate when I/O log
buffers have been committed to storage.
This message is not sent after every
.Em IoBuffer
but rather at a server-configurable interval.
When the server receives an
.Em ExitMessage ,
it will respond with a
.Em commit_point
corresponding to the last received
.Em IoBuffer
before closing the connection.
.Ss string log_id
The server-side ID of the I/O log being stored, sent in response
to an
.Em AcceptMessage
where
.Em expect_iobufs
is true.
.Ss string error
A fatal server-side error.
The server will close the connection after sending the
.Em error
message.
.Ss string abort
An
.Em abort
message from the server indicates that the client should kill the
command and terminate the session.
It may be used to implement simple server-side policy.
The server will close the connection after sending the
.Em abort
message.
.Sh Protocol flow of control
The expected protocol flow is as follows:
.Bl -enum
.It
Client connects to the first available server.
If the client is configured to use TLS, a TLS handshake will be
attempted.
.It
Client sends
.Em ClientHello .
This is currently optional but allows the server to detect a
non-TLS connection on the TLS port.
.It
Server sends
.Em ServerHello .
.It
Client responds with either
.Em AcceptMessage ,
.Em RejectMessage ,
or
.Em RestartMessage .
.It
If client sent a
.Em AcceptMessage
with
.Em expect_iobufs
set, server creates a new I/O log and responds with a
.Em log_id .
.It
Client sends zero or more
.Em IoBuffer
messages.
.It
Server periodically responds to
.Em IoBuffer
messages with a
.Em commit_point .
.It
Client sends an
.Em ExitMessage
when the command exits or is killed.
.It
Server sends the final
.Em commit_point
if one is pending.
.It
Server closes the connection.
After receiving the final
.Em commit_point ,
the client shuts down its side of the TLS connection if TLS
is in use, and closes the connection.
.It
Server shuts down its side of the TLS connection if TLS is in use,
and closes the connection.
.El
.Pp
At any point, the server may send an
.Em error
or
.Em abort
message to the client at which point the server will close the
connection.
If an
.Em abort
message is received, the client should terminate the running command.
.Sh EVENT LOG VARIABLES
.Em AcceptMessage ,
.Em AlertMessage
and
.Em RejectMessage
classes contain an array of
.Em InfoMessage
that should contain information about the user who submitted the command
as well as information about the execution environment of the command
if it was accepted.
.Pp
Some variables have a
.Em client ,
.Em run ,
or
.Em submit
prefix.
These prefixes are used to eliminate ambiguity for variables that
could apply to the client program, the user submitting the command,
or the command being run.
Variables with a
.Em client
prefix pertain to the program performing the connection to the log
server, for example
.Nm sudo .
Variables with a
.Em run
prefix pertain to the command that the user requested be run.
Variables with a
.Em submit
prefix pertain to the user submitting the request
.Pq the user running Nm sudo .
.Pp
The following
.Em InfoMessage
entries are required:
.Bl -column "submitgroup" "stringlist" "name of host the command was submitted on"
.It Sy Key Ta Sy Type Ta Sy Description
.It command Ta string Ta command that was submitted
.It runuser Ta string Ta name of user the command was run as
.It submithost Ta string Ta name of host the command was submitted on
.It submituser Ta string Ta name of user submitting the command
.El
.Pp
The following
.Em InfoMessage
entries are recognized, but not required:
.Bl -column "submitgroup" "stringlist" "name of host the command was submitted on"
.It Sy Key Ta Sy Type Ta Sy Description
.It clientargv Ta StringList Ta client's original argument vector
.It clientpid Ta int64 Ta client's process ID
.It clientppid Ta int64 Ta client's parent process ID
.It clientsid Ta int64 Ta client's terminal session ID
.It columns Ta int64 Ta number of columns in the terminal
.It lines Ta int64 Ta number of lines in the terminal
.It runargv Ta StringList Ta argument vector of command to run
.It runchroot Ta string Ta root directory of command to run
.It runcwd Ta string Ta running command's working directory
.It runenv Ta StringList Ta the running command's environment
.It rungid Ta int64 Ta primary group-ID of the command
.It rungids Ta NumberList Ta supplementary group-IDs for the command
.It rungroup Ta string Ta primary group name of the command
.It rungroups Ta StringList Ta supplementary group names for the command
.It runuid Ta int64 Ta run user's user-ID
.It submitcwd Ta string Ta submit user's current working directory
.It submitenv Ta StringList Ta the submit user's environment
.It submitgid Ta int64 Ta submit user's primary group-ID
.It submitgids Ta NumberList Ta submit user's supplementary group-IDs
.It submitgroup Ta string Ta submitting user's primary group name
.It submitgroups Ta StringList Ta submit user's supplementary group names
.It submituid Ta int64 Ta submit user's user-ID
.It ttyname Ta string Ta the terminal the command was submitted from
.El
.Pp
The server must accept other variables not listed above but may
ignore them.
.Sh EXAMPLES
The Protocol Buffers description of the log server protocol is included
in full below.
Note that this uses the newer
.Dq proto3
syntax.
.Bd -literal
syntax = "proto3";
/*
* Client message to the server. Messages on the wire are
* prefixed with a 32-bit size in network byte order.
*/
message ClientMessage {
oneof type {
AcceptMessage accept_msg = 1;
RejectMessage reject_msg = 2;
ExitMessage exit_msg = 3;
RestartMessage restart_msg = 4;
AlertMessage alert_msg = 5;
IoBuffer ttyin_buf = 6;
IoBuffer ttyout_buf = 7;
IoBuffer stdin_buf = 8;
IoBuffer stdout_buf = 9;
IoBuffer stderr_buf = 10;
ChangeWindowSize winsize_event = 11;
CommandSuspend suspend_event = 12;
}
}
/* Equivalent of POSIX struct timespec */
message TimeSpec {
int64 tv_sec = 1; /* seconds */
int32 tv_nsec = 2; /* nanoseconds */
}
/* I/O buffer with keystroke data */
message IoBuffer {
TimeSpec delay = 1; /* elapsed time since last record */
bytes data = 2; /* keystroke data */
}
/*
* Key/value pairs, like Privilege Manager struct info.
* The value may be a number, a string, or a list of strings.
*/
message InfoMessage {
message StringList {
repeated string strings = 1;
}
message NumberList {
repeated int64 numbers = 1;
}
string key = 1;
oneof value {
int64 numval = 2;
string strval = 3;
StringList strlistval = 4;
NumberList numlistval = 5;
}
}
/*
* Event log data for command accepted by the policy.
*/
message AcceptMessage {
TimeSpec submit_time = 1; /* when command was submitted */
repeated InfoMessage info_msgs = 2; /* key,value event log data */
bool expect_iobufs = 3; /* true if I/O logging enabled */
}
/*
* Event log data for command rejected by the policy.
*/
message RejectMessage {
TimeSpec submit_time = 1; /* when command was submitted */
string reason = 2; /* reason command was rejected */
repeated InfoMessage info_msgs = 3; /* key,value event log data */
}
/* Message sent by client when command exits. */
/* Might revisit runtime and use end_time instead */
message ExitMessage {
TimeSpec run_time = 1; /* total elapsed run time */
int32 exit_value = 2; /* 0-255 */
bool dumped_core = 3; /* true if command dumped core */
string signal = 4; /* signal name if killed by signal */
string error = 5; /* if killed due to other error */
}
/* Alert message, policy module-specific. */
message AlertMessage {
TimeSpec alert_time = 1; /* time alert message occurred */
string reason = 2; /* policy alert error string */
repeated InfoMessage info_msgs = 3; /* key,value event log data */
}
/* Used to restart an existing I/O log on the server. */
message RestartMessage {
string log_id = 1; /* ID of log being restarted */
TimeSpec resume_point = 2; /* resume point (elapsed time) */
}
/* Window size change event. */
message ChangeWindowSize {
TimeSpec delay = 1; /* elapsed time since last record */
int32 rows = 2; /* new number of rows */
int32 cols = 3; /* new number of columns */
}
/* Command suspend/resume event. */
message CommandSuspend {
TimeSpec delay = 1; /* elapsed time since last record */
string signal = 2; /* signal that caused suspend/resume */
}
/*
* Server messages to the client. Messages on the wire are
* prefixed with a 32-bit size in network byte order.
*/
message ServerMessage {
oneof type {
ServerHello hello = 1; /* server hello message */
TimeSpec commit_point = 2; /* cumulative time of records stored */
string log_id = 3; /* ID of server-side I/O log */
string error = 4; /* error message from server */
string abort = 5; /* abort message, kill command */
}
}
/* Hello message from server when client connects. */
message ServerHello {
string server_id = 1; /* free-form server description */
string redirect = 2; /* optional redirect if busy */
repeated string servers = 3; /* optional list of known servers */
}
.Ed
.Sh SEE ALSO
.Xr sudo_logsrvd.conf @mansectform@ ,
.Xr sudoers @mansectform@ ,
.Xr sudo @mansectsu@ ,
.Xr sudo_logsrvd @mansectsu@
.Rs
.%T Protocol Buffers
.%U https://developers.google.com/protocol-buffers/
.Re
.Sh HISTORY
See the HISTORY file in the
.Nm sudo
distribution (https://www.sudo.ws/history.html) for a brief
history of sudo.
.Sh AUTHORS
Many people have worked on
.Nm sudo
over the years; this version consists of code written primarily by:
.Bd -ragged -offset indent
.An Todd C. Miller
.Ed
.Pp
See the CONTRIBUTORS file in the
.Nm sudo
distribution (https://www.sudo.ws/contributors.html) for an
exhaustive list of people who have contributed to
.Nm sudo .
.Sh BUGS
If you feel you have found a bug in
.Nm sudo ,
please submit a bug report at https://bugzilla.sudo.ws/
.Sh SUPPORT
Limited free support is available via the sudo-users mailing list,
see https://www.sudo.ws/mailman/listinfo/sudo-users to subscribe or
search the archives.
.Sh DISCLAIMER
.Nm sudo
is provided
.Dq AS IS
and any express or implied warranties, including, but not limited
to, the implied warranties of merchantability and fitness for a
particular purpose are disclaimed.
See the LICENSE file distributed with
.Nm sudo
or https://www.sudo.ws/license.html for complete details.

1056
docs/sudo_logsrvd.conf.man.in Normal file
View File

File diff suppressed because it is too large Load Diff

982
docs/sudo_logsrvd.conf.mdoc.in Normal file
View File

@@ -0,0 +1,982 @@
.\"
.\" SPDX-License-Identifier: ISC
.\"
.\" Copyright (c) 2019-2021 Todd C. Miller <Todd.Miller@sudo.ws>
.\"
.\" Permission to use, copy, modify, and distribute this software for any
.\" purpose with or without fee is hereby granted, provided that the above
.\" copyright notice and this permission notice appear in all copies.
.\"
.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
.\"
.Dd October 16, 2021
.Dt SUDO_LOGSRVD.CONF @mansectform@
.Os Sudo @PACKAGE_VERSION@
.Sh NAME
.Nm sudo_logsrvd.conf
.Nd configuration for sudo_logsrvd
.Sh DESCRIPTION
The
.Nm sudo_logsrvd.conf
file is used to configure the
.Nm sudo_logsrvd
log server.
It uses an INI-style format made up of sections in square brackets and
.Dq key = value
pairs specific to each section below the section name.
Depending on the key, values may be integers, booleans or strings.
Section and key names are not case sensitive, but values are.
.Pp
The pound sign
.Pq Ql #
is used to indicate a comment.
Both the comment character and any text after it, up to the end of
the line, are ignored.
Lines beginning with a semi-colon
.Pq Ql \&;
are also ignored.
.Pp
Long lines can be continued with a backslash
.Pq Ql \e
as the last character on the line.
Note that leading white space is removed from the beginning of lines
even when the continuation character is used.
.Pp
The
.Sx EXAMPLES
section contains a copy of the default
.Nm
file.
.Pp
The following configuration sections are recognized:
.Pp
.Bl -bullet -compact -offset indent
.It
server
.It
relay
.It
iolog
.It
eventlog
.It
syslog
.It
logfile
.El
.Pp
Each section is described in detail below.
.Ss server
The
.Em server
section configures the address and port the server will listen on.
The following keys are recognized:
.Bl -tag -width 8n
.It listen_address = host Ns Oo : Ns port Oc Ns Op (tls)
The host name or IP address, optional port to listen on and
an optional Transport Layer Security (TLS) flag in parentheses.
.Pp
The host may be a host name, an IPv4 address, an IPv6 address
in square brackets or the wild card entry
.Ql * .
A host setting of
.Ql *
will cause
.Nm sudo_logsrvd
to listen on all configured network interfaces.
.Pp
If the optional tls flag is present,
.Nm sudo_logsrvd
will secure the connection with TLS version 1.2 or 1.3.
Versions of TLS prior to 1.2 are not supported.
See
.Xr sudo_logsrvd @mansectsu@
for details on generating TLS keys and certificates.
.Pp
If a port is specified, it may either be a port number or a known
service name as defined by the system service name database.
If no port is specified, port 30343 will be used for plaintext
connections and port 30344 will be used for TLS connections.
.Pp
The default value is:
.Bd -literal -compact -offset indent
listen_address = *:30343
listen_address = *:30344(tls)
.Ed
which will listen on all configured network interfaces for both
plaintext and TLS connections.
Multiple
.Em listen_address
lines may be specified to listen on more than one port or interface.
.It server_log = string
Where to log server warning and error messages.
Supported values are
.Em none ,
.Em stderr ,
.Em syslog ,
or a path name beginning with the
.Ql /
character.
Note that a value of
.Em stderr
is only effective when used in conjunction with the
.Fl n
option.
The default value is
.Em syslog .
.It pid_file = path
The path to the file containing the process ID of the running
.Nm sudo_logsrvd .
If set to an empty value, or if
.Nm sudo_logsrvd
is run with the
.Fl n
option, no
.Em pid_file
will be created.
If
.Em pid_file
refers to a symbolic link, it will be ignored.
The default value is
.Pa @rundir@/sudo_logsrvd.pid .
.It tcp_keepalive = boolean
If true,
.Nm sudo_logsrvd
will enable the TCP keepalive socket option on the client connection.
This enables the periodic transmission of keepalive messages to the client.
If the client does not respond to a message in time, the connection will
be closed.
Defaults to true.
.It timeout = number
The amount of time, in seconds,
.Nm sudo_logsrvd
will wait for the client to respond.
A value of 0 will disable the timeout.
The default value is 30.
.It tls_cacert = path
The path to a certificate authority bundle file, in PEM format,
to use instead of the system's default certificate authority database
when authenticating clients.
The default is to use
.Pa /etc/ssl/sudo/cacert.pem
if it exists, otherwise the system's default certificate authority
database is used.
.It tls_cert = path
The path to the server's certificate file, in PEM format.
The default value is
.Pa /etc/ssl/sudo/certs/logsrvd_cert.pem .
.It tls_checkpeer = bool
If true, client certificates will be validated by
.Nm sudo_logsrvd ;
clients without a valid certificate will be unable to connect.
If false, no validation of client certificates will be performed.
It true and client certificates are created using a private certificate
authority, the
.Em tls_cacert
setting must be set to a CA bundle that contains the CA certificate
used to generate the client certificate.
The default value is
.Li false .
.It tls_ciphers_v12 = string
A list of ciphers to use for connections secured by TLS version 1.2 only,
separated by a colon
.Ql :\& .
See the
.Sx CIPHER LIST FORMAT
section in
.Xr openssl-ciphers 1
for full details.
The default value is
.Li HIGH:!aNULL
which consists of encryption cipher suites with key lengths larger than
128 bits, and some cipher suites with 128-bit keys.
Cipher suites that offer no authentication are excluded.
.It tls_ciphers_v13 = string
A list of ciphers to use for connections secured by TLS version 1.3 only,
separated by a colon
.Ql :\& .
Supported cipher suites depend on the version of OpenSSL used,
but should include the following:
.Pp
.Bl -tag -compact -width 8n -offset indent
.It TLS_AES_128_GCM_SHA256
.It TLS_AES_256_GCM_SHA384
.It TLS_CHACHA20_POLY1305_SHA256
.It TLS_AES_128_CCM_SHA256
.It TLS_AES_128_CCM_8_SHA256
.El
.Pp
The default cipher suite is TLS_AES_256_GCM_SHA384.
.It tls_dhparams = path
The path to a file containing custom Diffie-Hellman parameters in PEM format.
This file can be created with the following command:
.Bd -literal
openssl dhparam -out /etc/sudo_logsrvd_dhparams.pem 2048
.Ed
.Pp
By default,
.Nm sudo_logsrvd
will use the OpenSSL defaults for Diffie-Hellman key generation.
.It tls_key = path
The path to the server's private key file, in PEM format.
The default value is
.Pa /etc/ssl/sudo/private/logsrvd_key.pem .
.It tls_verify = bool
If true,
.Nm
will validate its own certificate at startup time or when the
configuration is changed.
If false, no verification is performed of the server certificate.
When using self-signed certificates without a certificate authority,
this setting should be set to false.
The default value is true.
.El
.Ss relay
The
.Em relay
section configures the optional logsrv relay host and port the server will
connect to.
The TLS configuration keys are optional, by default the corresponding
keys in the
.Sx server
section will be used.
They are only present in this section to make it possible for the relay
connection to use a different set of TLS parameters from the client-facing
server.
The following keys are recognized:
.Bl -tag -width 8n
.It connect_timeout = number
The amount of time, in seconds,
.Nm sudo_logsrvd
will wait for the connection to a
.Em relay_host
(see below) to complete.
Once the connection is complete, the
.Em timeout
setting controls the amount of time
.Nm sudo_logsrvd
will wait for the relay to respond.
A value of 0 will disable the timeout.
The default value is 30.
.It relay_dir = path
The directory in which log messages are temporarily stored before they
are sent to the relay host.
Messages are stored in the wire format specified by
.Xr sudo_logsrv.proto @mansectform@
The default value is
.Pa @relay_dir@ .
.It relay_host = host Ns Oo : Ns port Oc Ns Op (tls)
The relay host name or IP address, optional port to connect to and
an optional Transport Layer Security (TLS) flag in parentheses.
The syntax is identical to
.Em listen_address
in the
.Sx server
section with one exception: the wild card
.Ql *
syntax is not supported.
.Pp
When this setting is enabled, messages from the client will be forwarded
to one of the specified relay hosts instead of being stored locally.
The
.Ar host
could be running an instance of
.Nm sudo_logsrvd
or another server that supports the
.Xr sudo_logsrv.proto @mansectform@
protocol.
.Pp
If multiple
.Em relay_host
lines are specified, the first available relay host will be used.
.It retry_interval = number
The number of seconds to wait after a connection error before making
a new attempt to forward a message to a relay host.
The default value is 30 seconds.
.It store_first = boolean
If true,
.Nm sudo_logsrvd
will store logs locally before relaying them.
Once the log is complete, a connection to the relay host is opened
and the log is relayed.
If the network connection is interrupted before the log can be fully
transferred, it will be retransmitted later.
The default is to relay logs in real-time.
.It tcp_keepalive = boolean
If true,
.Nm sudo_logsrvd
will enable the TCP keepalive socket option on the relay connection.
This enables the periodic transmission of keepalive messages to the relay
server.
If the relay does not respond to a message in time, the connection will
be closed.
.It timeout = number
The amount of time, in seconds,
.Nm sudo_logsrvd
will wait for the relay server to respond after a connection has succeeded.
A value of 0 will disable the timeout.
The default value is 30.
.It tls_cacert = path
The path to a certificate authority bundle file, in PEM format,
to use instead of the system's default certificate authority database
when authenticating clients.
The default is to use the value specified in the
.Sx server
section, or the system's default certificate authority database if
no value is set.
.It tls_cert = path
The path to the server's certificate file, in PEM format.
The default is to use the value specified in the
.Sx server
section.
.It tls_checkpeer = bool
If true, the relay host's certificate will be validated by
.Nm sudo_logsrvd ;
connections to a relay without a valid certificate will fail.
If false, no validation of relay certificates will be performed.
It true and relay certificates are created using a private certificate
authority, the
.Em tls_cacert
setting must be set to a CA bundle that contains the CA certificate
used to generate the relay certificate.
The default is to use the value specified in the
.Sx server
section.
.It tls_ciphers_v12 = string
A list of ciphers to use for connections secured by TLS version 1.2 only,
separated by a colon
.Ql :\& .
See the
.Sx CIPHER LIST FORMAT
section in
.Xr openssl-ciphers 1
for full details.
The default is to use the value specified in the
.Sx server
section.
.It tls_ciphers_v13 = string
A list of ciphers to use for connections secured by TLS version 1.3 only,
separated by a colon
.Ql :\& .
Supported cipher suites depend on the version of OpenSSL used,
see the
.Sx server
section for more information.
The default is to use the value specified in the
.Sx server
section.
.It tls_dhparams = path
The path to a file containing custom Diffie-Hellman parameters in PEM format.
The default is to use the value specified in the
.Sx server
section.
.It tls_key = path
The path to the server's private key file, in PEM format.
The default is to use the value specified in the
.Sx server
section.
.It tls_verify = bool
If true, the server's certificate used for relaying will be verified at startup.
If false, no verification is performed of the server certificate.
When using self-signed certificates without a certificate authority,
this setting should be set to false.
The default is to use the value specified in the
.Sx server
section.
.El
.Ss iolog
The
.Em iolog
section configures I/O log parameters.
These settings are identical to the I/O configuration in
.Xr sudoers @mansectform@ .
The following keys are recognized:
.Bl -tag -width 8n
.It iolog_compress = boolean
If set, I/O logs will be compressed using
.Sy zlib .
Enabling compression can make it harder to view the logs in real-time as
the program is executing due to buffering.
The default value is
.Li false .
.It iolog_dir = path
The top-level directory to use when constructing the path
name for the I/O log directory.
The session sequence number, if any, is stored in the directory.
The default value is
.Pa @iolog_dir@ .
.Pp
The following percent
.Pq Ql %
escape sequences are supported:
.Bl -tag -width 4n
.It Li %{seq}
expanded to a monotonically increasing base-36 sequence number, such as 0100A5,
where every two digits are used to form a new directory, e.g.,
.Pa 01/00/A5
.It Li %{user}
expanded to the invoking user's login name
.It Li %{group}
expanded to the name of the invoking user's real group-ID
.It Li %{runas_user}
expanded to the login name of the user the command will
be run as (e.g., root)
.It Li %{runas_group}
expanded to the group name of the user the command will
be run as (e.g., wheel)
.It Li %{hostname}
expanded to the local host name without the domain name
.It Li %{command}
expanded to the base name of the command being run
.El
.Pp
In addition, any escape sequences supported by the system's
.Xr strftime 3
function will be expanded.
.Pp
To include a literal
.Ql %
character, the string
.Ql %%
should be used.
.It iolog_file = path
The path name, relative to
.Em iolog_dir ,
in which to store I/O logs.
Note that
.Em iolog_file
may contain directory components.
The default value is
.Li %{seq} .
.Pp
See the
.Em iolog_dir
setting above for a list of supported percent
.Pq Ql %
escape sequences.
.Pp
In addition to the escape sequences, path names that end in six or
more
.Li X Ns s
will have the
.Li X Ns s
replaced with a unique combination of digits and letters, similar to the
.Xr mktemp 3
function.
.Pp
If the path created by concatenating
.Em iolog_dir
and
.Em iolog_file
already exists, the existing I/O log file will be truncated and
overwritten unless
.Em iolog_file
ends in six or
more
.Li X Ns s .
.It iolog_flush = boolean
If set, I/O log data is flushed to disk after each write instead of
buffering it.
This makes it possible to view the logs in real-time as the program is
executing but may significantly reduce the effectiveness
of I/O log compression.
I/O logs are always flushed before sending a commit point to the client
regardless of this setting.
The default value is
.Li true .
.It iolog_group = name
The group name to look up when setting the group-ID on new I/O log
files and directories.
If
.Em iolog_group
is not set,
the primary group-ID of the user specified by
.Em iolog_user is used.
If neither
.Em iolog_group
nor
.Em iolog_user
are set, I/O log files and directories are created with group-ID 0.
.It iolog_mode = mode
The file mode to use when creating I/O log files.
Mode bits for read and write permissions for owner, group or other
are honored, everything else is ignored.
The file permissions will always include the owner read and
write bits, even if they are not present in the specified mode.
When creating I/O log directories, search (execute) bits are added
to match the read and write bits specified by
.Em iolog_mode .
The default value is
.Li 0600 .
.It iolog_user = name
The user name to look up when setting the owner of new
I/O log files and directories.
If
.Em iolog_group
is set, it will be used instead of the user's primary group-ID.
By default, I/O log files and directories are created with user and
group-ID 0.
.It maxseq = number
The maximum sequence number that will be substituted for the
.Dq Li %{seq}
escape in the I/O log file (see the
.Em iolog_dir
description above for more information).
While the value substituted for
.Dq Li %{seq}
is in base 36,
.Em maxseq
itself should be expressed in decimal.
Values larger than 2176782336 (which corresponds to the
base 36 sequence number
.Dq ZZZZZZ )
will be silently truncated to 2176782336.
The default value is 2176782336.
.El
.Ss eventlog
The
.Em eventlog
section configures how (and if) security policy events are logged.
.Bl -tag -width 4n
.It log_type = string
Where to log accept, reject and alert events reported by the policy.
Supported values are
.Em syslog ,
.Em logfile ,
and
.Em none .
The default value is
.Em syslog .
.It log_exit = boolean
If true,
.Nm sudo_logsrvd
will log an event when a command exits or is terminated by a signal.
Defaults to false.
.It log_format = string
The event log format.
Supported log formats are
.Dq sudo
for traditional sudo-style logs and
.Dq json
for JSON-format logs.
The JSON log entries contain the full contents of the accept, reject, exit
and alert messages.
The default value is
.Em sudo .
.El
.Ss syslog
The
.Em syslog
section configures how events are logged via
.Xr syslog 3 .
.Bl -tag -width 4n
.It facility = string
Syslog facility if syslog is being used for logging.
Defaults to
.Li @logfac@ .
.Pp
The following syslog facilities are supported:
.Sy authpriv
(if your
OS supports it),
.Sy auth ,
.Sy daemon ,
.Sy user ,
.Sy local0 ,
.Sy local1 ,
.Sy local2 ,
.Sy local3 ,
.Sy local4 ,
.Sy local5 ,
.Sy local6 ,
and
.Sy local7 .
.It accept_priority = string
Syslog priority to use when the user is allowed to run a command and
authentication is successful.
Defaults to
.Li @goodpri@ .
.Pp
The following syslog priorities are supported:
.Sy alert ,
.Sy crit ,
.Sy debug ,
.Sy emerg ,
.Sy err ,
.Sy info ,
.Sy notice ,
.Sy warning ,
and
.Sy none .
Setting it to a value of
.Sy none
will disable logging of successful commands.
.It reject_priority = string
Syslog priority to use when the user is not allowed to run a command or
when authentication is unsuccessful.
Defaults to
.Li @badpri@ .
.Pp
See
.Em accept_priority
for the list of supported syslog priorities.
.It alert_priority = string
Syslog priority to use for event log alert messages received from the client.
Defaults to
.Li @badpri@ .
.Pp
See
.Em accept_priority
for the list of supported syslog priorities.
.It maxlen = number
On many systems,
.Xr syslog 3
has a relatively small log buffer.
IETF RFC 5424 states that syslog servers must support messages of
at least 480 bytes and should support messages up to 2048 bytes.
By default,
.Nm sudo_logsrvd
creates log messages up to 960 bytes which corresponds to the
historic
.Bx
syslog implementation which used a 1024 byte buffer
to store the message, date, hostname and program name.
.Pp
To prevent syslog messages from being truncated,
.Nm sudo_logsrvd
will split up sudo-style log messages that are larger than
.Em maxlen
bytes.
When a message is split, additional parts will include the string
.Dq Pq command continued
after the user name and before the continued command line arguments.
JSON-format log entries are never split and are not affected by
.Em maxlen .
.It server_facility = string
Syslog facility if syslog is being used for server warning messages.
See above for a list of supported facilities.
Defaults to
.Li daemon
.El
.Ss logfile
The
.Em logfile
section consists of settings related to logging to a plain file
(not syslog).
.Bl -tag -width 4n
.It path = string
The path to the file-based event log.
This path must be fully-qualified and start with a
.Sq /
character.
The default value is
.Pa @logpath@ .
.It time_format = string
The string used when formatting the date and time for file-based event logs.
Formatting is performed via the system's
.Xr strftime 3
function so any escape sequences supported by that function will be expanded.
The default value is
.Dq Li "%h %e %T"
which produces dates like
.Dq Oct 3 07:15:24
in the C locale.
.El
.Sh FILES
.Bl -tag -width 24n
.It Pa @sysconfdir@/sudo_logsrvd.conf
Sudo log server configuration file
.El
.Sh EXAMPLES
.Bd -literal
#
# sudo logsrv daemon configuration
#
[server]
# The host name or IP address and port to listen on with an optional TLS
# flag. If no port is specified, port 30343 will be used for plaintext
# connections and port 30344 will be used to TLS connections.
# The following forms are accepted:
# listen_address = hostname(tls)
# listen_address = hostname:port(tls)
# listen_address = IPv4_address(tls)
# listen_address = IPv4_address:port(tls)
# listen_address = [IPv6_address](tls)
# listen_address = [IPv6_address]:port(tls)
#
# The (tls) suffix should be omitted for plaintext connections.
#
# Multiple listen_address settings may be specified.
# The default is to listen on all addresses.
#listen_address = *:30343
#listen_address = *:30344(tls)
# The file containing the ID of the running sudo_logsrvd process.
#pid_file = @rundir@/sudo_logsrvd.pid
# Where to log server warnings: none, stderr, syslog, or a path name.
#server_log = syslog
# If true, enable the SO_KEEPALIVE socket option on client connections.
# Defaults to true.
#tcp_keepalive = true
# The amount of time, in seconds, the server will wait for the client to
# respond. A value of 0 will disable the timeout. The default value is 30.
#timeout = 30
# If true, the server will validate its own certificate at startup.
# Defaults to true.
#tls_verify = true
# If true, client certificates will be validated by the server;
# clients without a valid certificate will be unable to connect.
# By default, client certs are not checked.
#tls_checkpeer = false
# Path to a certificate authority bundle file in PEM format to use
# instead of the system's default certificate authority database.
#tls_cacert = /etc/ssl/sudo/cacert.pem
# Path to the server's certificate file in PEM format.
# Required for TLS connections.
#tls_cert = /etc/ssl/sudo/certs/logsrvd_cert.pem
# Path to the server's private key file in PEM format.
# Required for TLS connections.
#tls_key = /etc/ssl/sudo/private/logsrvd_key.pem
# TLS cipher list (see "CIPHER LIST FORMAT" in the openssl-ciphers manual).
# NOTE that this setting is only effective if the negotiated protocol
# is TLS version 1.2.
# The default cipher list is HIGH:!aNULL.
#tls_ciphers_v12 = HIGH:!aNULL
# TLS cipher list if the negotiated protocol is TLS version 1.3.
# The default cipher list is TLS_AES_256_GCM_SHA384.
#tls_ciphers_v13 = TLS_AES_256_GCM_SHA384
# Path to the Diffie-Hellman parameter file in PEM format.
# If not set, the server will use the OpenSSL defaults.
#tls_dhparams = /etc/ssl/sudo/logsrvd_dhparams.pem
[relay]
# The host name or IP address and port to send logs to in relay mode.
# The syntax is identical to listen_address with the exception of
# the wild card ('*') syntax. When this setting is enabled, logs will
# be relayed to the specified host instead of being stored locally.
# This setting is not enabled by default.
#relay_host = relayhost.dom.ain
#relay_host = relayhost.dom.ain(tls)
# The amount of time, in seconds, the server will wait for a connection
# to the relay server to complete. A value of 0 will disable the timeout.
# The default value is 30.
#connect_timeout = 30
# The directory to store messages in before they are sent to the relay.
# Messages are stored in wire format.
# The default value is /var/log/sudo_logsrvd.
#relay_dir = /var/log/sudo_logsrvd
# The number of seconds to wait after a connection error before
# making a new attempt to forward a message to a relay host.
# The default value is 30.
#retry_interval = 30
# Whether to store the log before relaying it. If true, enable store
# and forward mode. If false, the client connection is immediately
# relayed. Defaults to false.
#store_first = true
# If true, enable the SO_KEEPALIVE socket option on relay connections.
# Defaults to true.
#tcp_keepalive = true
# The amount of time, in seconds, the server will wait for the relay to
# respond. A value of 0 will disable the timeout. The default value is 30.
#timeout = 30
# If true, the server's relay certificate will be verified at startup.
# The default is to use the value in the [server] section.
#tls_verify = true
# Whether to verify the relay's certificate for TLS connections.
# The default is to use the value in the [server] section.
#tls_checkpeer = false
# Path to a certificate authority bundle file in PEM format to use
# instead of the system's default certificate authority database.
# The default is to use the value in the [server] section.
#tls_cacert = /etc/ssl/sudo/cacert.pem
# Path to the server's certificate file in PEM format.
# The default is to use the certificate in the [server] section.
#tls_cert = /etc/ssl/sudo/certs/logsrvd_cert.pem
# Path to the server's private key file in PEM format.
# The default is to use the key in the [server] section.
#tls_key = /etc/ssl/sudo/private/logsrvd_key.pem
# TLS cipher list (see "CIPHER LIST FORMAT" in the openssl-ciphers manual).
# NOTE that this setting is only effective if the negotiated protocol
# is TLS version 1.2.
# The default is to use the value in the [server] section.
#tls_ciphers_v12 = HIGH:!aNULL
# TLS cipher list if the negotiated protocol is TLS version 1.3.
# The default is to use the value in the [server] section.
#tls_ciphers_v13 = TLS_AES_256_GCM_SHA384
# Path to the Diffie-Hellman parameter file in PEM format.
# The default is to use the value in the [server] section.
#tls_dhparams = /etc/ssl/sudo/logsrvd_dhparams.pem
[iolog]
# The top-level directory to use when constructing the path name for the
# I/O log directory. The session sequence number, if any, is stored here.
#iolog_dir = /var/log/sudo-io
# The path name, relative to iolog_dir, in which to store I/O logs.
# Note that iolog_file may contain directory components.
#iolog_file = %{seq}
# If set, I/O logs will be compressed using zlib. Enabling compression can
# make it harder to view the logs in real-time as the program is executing.
#iolog_compress = false
# If set, I/O log data is flushed to disk after each write instead of
# buffering it. This makes it possible to view the logs in real-time
# as the program is executing but reduces the effectiveness of compression.
#iolog_flush = true
# The group to use when creating new I/O log files and directories.
# If iolog_group is not set, the primary group-ID of the user specified
# by iolog_user is used. If neither iolog_group nor iolog_user
# are set, I/O log files and directories are created with group-ID 0.
#iolog_group = wheel
# The user to use when setting the user-ID and group-ID of new I/O
# log files and directories. If iolog_group is set, it will be used
# instead of the user's primary group-ID. By default, I/O log files
# and directories are created with user and group-ID 0.
#iolog_user = root
# The file mode to use when creating I/O log files. The file permissions
# will always include the owner read and write bits, even if they are
# not present in the specified mode. When creating I/O log directories,
# search (execute) bits are added to match the read and write bits
# specified by iolog_mode.
#iolog_mode = 0600
# The maximum sequence number that will be substituted for the "%{seq}"
# escape in the I/O log file. While the value substituted for "%{seq}"
# is in base 36, maxseq itself should be expressed in decimal. Values
# larger than 2176782336 (which corresponds to the base 36 sequence
# number "ZZZZZZ") will be silently truncated to 2176782336.
#maxseq = 2176782336
[eventlog]
# Where to log accept, reject, exit and alert events.
# Accepted values are syslog, logfile, or none.
# Defaults to syslog
#log_type = syslog
# Whether to log an event when a command exits or is terminated by a signal.
# Defaults to false
#log_exit = true
# Event log format.
# Currently only sudo-style event logs are supported.
#log_format = sudo
[syslog]
# The maximum length of a syslog payload.
# On many systems, syslog(3) has a relatively small log buffer.
# IETF RFC 5424 states that syslog servers must support messages
# of at least 480 bytes and should support messages up to 2048 bytes.
# Messages larger than this value will be split into multiple messages.
#maxlen = 960
# The syslog facility to use for event log messages.
# The following syslog facilities are supported: authpriv (if your OS
# supports it), auth, daemon, user, local0, local1, local2, local3,
# local4, local5, local6, and local7.
#facility = authpriv
# Syslog priority to use for event log accept messages, when the command
# is allowed by the security policy. The following syslog priorities are
# supported: alert, crit, debug, emerg, err, info, notice, warning, none.
#accept_priority = notice
# Syslog priority to use for event log reject messages, when the command
# is not allowed by the security policy.
#reject_priority = alert
# Syslog priority to use for event log alert messages reported by the
# client.
#alert_priority = alert
# The syslog facility to use for server warning messages.
# Defaults to daemon.
#server_facility = daemon
[logfile]
# The path to the file-based event log.
# This path must be fully-qualified and start with a '/' character.
#path = /var/log/sudo
# The format string used when formatting the date and time for
# file-based event logs. Formatting is performed via strftime(3) so
# any format string supported by that function is allowed.
#time_format = %h %e %T
.Ed
.Sh SEE ALSO
.Xr strftime 3 ,
.Xr sudo.conf @mansectform@ ,
.Xr sudoers @mansectform@ ,
.Xr sudo @mansectsu@ ,
.Xr sudo_logsrvd @mansectsu@
.Sh HISTORY
See the HISTORY file in the
.Nm sudo
distribution (https://www.sudo.ws/history.html) for a brief
history of sudo.
.Sh AUTHORS
Many people have worked on
.Nm sudo
over the years; this version consists of code written primarily by:
.Bd -ragged -offset indent
.An Todd C. Miller
.Ed
.Pp
See the CONTRIBUTORS file in the
.Nm sudo
distribution (https://www.sudo.ws/contributors.html) for an
exhaustive list of people who have contributed to
.Nm sudo .
.Sh BUGS
If you feel you have found a bug in
.Nm sudo ,
please submit a bug report at https://bugzilla.sudo.ws/
.Sh SUPPORT
Limited free support is available via the sudo-users mailing list,
see https://www.sudo.ws/mailman/listinfo/sudo-users to subscribe or
search the archives.
.Sh DISCLAIMER
.Nm sudo
is provided
.Dq AS IS
and any express or implied warranties, including, but not limited
to, the implied warranties of merchantability and fitness for a
particular purpose are disclaimed.
See the LICENSE file distributed with
.Nm sudo
or https://www.sudo.ws/license.html for complete details.

462
docs/sudo_logsrvd.man.in Normal file
View File

@@ -0,0 +1,462 @@
.\" Automatically generated from an mdoc input file. Do not edit.
.\"
.\" SPDX-License-Identifier: ISC
.\"
.\" Copyright (c) 2019-2021 Todd C. Miller <Todd.Miller@sudo.ws>
.\"
.\" Permission to use, copy, modify, and distribute this software for any
.\" purpose with or without fee is hereby granted, provided that the above
.\" copyright notice and this permission notice appear in all copies.
.\"
.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
.\"
.TH "SUDO_LOGSRVD" "@mansectsu@" "September 17, 2021" "Sudo @PACKAGE_VERSION@" "System Manager's Manual"
.nh
.if n .ad l
.SH "NAME"
\fBsudo_logsrvd\fR
\- sudo event and I/O log server
.SH "SYNOPSIS"
.HP 13n
\fBsudo_logsrvd\fR
[\fB\-hnV\fR]
[\fB\-f\fR\ \fIfile\fR]
[\fB\-R\fR\ \fIpercentage\fR]
.SH "DESCRIPTION"
\fBsudo_logsrvd\fR
is a high-performance log server that accepts event and I/O logs from
\fBsudo\fR.
It can be used to implement centralized logging of
\fBsudo\fR
logs.
The server has two modes of operation: local and relay.
By default,
\fBsudo_logsrvd\fR
stores the logs locally but it can also be configured to
relay them to another server that supports the
sudo_logsrv.proto(@mansectform@)
protocol.
.PP
When not relaying, event log entries may be logged either via
syslog(3)
or to a local file.
I/O Logs stored locally by
\fBsudo_logsrvd\fR
can be replayed via the
sudoreplay(@mansectsu@)
utility in the same way as logs generated directly by the
\fBsudoers\fR
plugin.
.PP
The server also supports restarting interrupted log transfers.
To distinguish completed I/O logs from incomplete ones, the
I/O log timing file is set to be read-only when the log is complete.
.PP
Configuration parameters for
\fBsudo_logsrvd\fR
may be specified in the
sudo_logsrvd.conf(@mansectform@)
file or the file specified via the
\fB\-f\fR
option.
.PP
\fBsudo_logsrvd\fR
rereads its configuration file when it receives SIGHUP and writes server
state to the debug file (if one is configured) when it receives SIGUSR1.
.PP
The options are as follows:
.TP 12n
\fB\-f\fR \fIfile\fR, \fB\--file\fR=\fIfile\fR
Read configuration from
\fIfile\fR
instead of the default,
\fI@sysconfdir@/sudo_logsrvd.conf\fR.
.TP 12n
\fB\-h\fR, \fB\--help\fR
Display a short help message to the standard output and exit.
.TP 12n
\fB\-n\fR, \fB\--no-fork\fR
Run
\fBsudo_logsrvd\fR
in the foreground instead of detaching from the terminal and becoming
a daemon.
.TP 12n
\fB\-R\fR \fIpercentage\fR, \fB\--random-drop\fR=\fIpercentage\fR
For each message, there is a
\fIpercentage\fR
chance that the server will drop the connection.
This is only intended for debugging the ability of a
client to restart a connection.
.TP 12n
\fB\-V\fR, \fB\--version\fR
Print the
\fBsudo_logsrvd\fR
version and exit.
.SS "Securing server connections"
The I/O log data sent to
\fBsudo_logsrvd\fR
may contain sensitive information such as passwords and should be
secured using Transport Layer Security (TLS).
Doing so requires having a signed certificate on the server and, if
\fItls_checkpeer\fR
is enabled in
sudo_logsrvd.conf(@mansectform@),
a signed certificate on the client as well.
.PP
The certificates can either be signed by a well-known Certificate
Authority (CA), or a private CA can be used.
Instructions for creating a private CA are included below in the
\fIEXAMPLES\fR
section.
.SS "Debugging sudo_logsrvd"
\fBsudo_logsrvd\fR
supports a flexible debugging framework that is configured via
\fRDebug\fR
lines in the
sudo.conf(@mansectform@)
file.
.PP
For more information on configuring
sudo.conf(@mansectform@),
please refer to its manual.
.SH "FILES"
.TP 26n
\fI@sysconfdir@/sudo.conf\fR
Sudo front-end configuration
.TP 26n
\fI@sysconfdir@/sudo_logsrvd.conf\fR
Sudo log server configuration file
.TP 26n
\fI@relay_dir@/incoming\fR
Directory where new journals are stored when the
\fIstore_first relay\fR
setting is enabled.
.TP 26n
\fI@relay_dir@/outgoing\fR
Directory where completed journals are stored when the
\fIstore_first relay\fR
setting is enabled.
.TP 26n
\fI@iolog_dir@\fR
Default I/O log file location
.TP 26n
\fI@rundir@/sudo_logsrvd.pid\fR
.br
Process ID file for
\fBsudo_logsrvd\fR
.SH "EXAMPLES"
.SS "Creating self-signed certificates"
Unless you are using certificates signed by a well-known Certificate
Authority (or a local enterprise CA), you will need to create your
own CA that can sign the certificates used by
\fBsudo_logsrvd\fR,
\fBsudo_sendlog\fR,
and the
\fBsudoers\fR
plugin.
The following steps use the
openssl(1)
command to create keys and certificates.
.SS "Initial setup"
First, we need to create a directory structure to store the
files for the CA.
We'll create a new directory hierarchy in
\fI/etc/ssl/sudo\fR
for this purpose.
.nf
.sp
.RS 6n
# mkdir /etc/ssl/sudo
# cd /etc/ssl/sudo
# mkdir certs csr newcerts private
# chmod 700 private
# touch index.txt
# echo 1000 > serial
.RE
.fi
.PP
The serial and index.txt files are used to keep track of signed certificates.
.PP
Next, we need to make a copy of the openssl.conf file and customize
it for our new CA.
The path to openssl.cnf is system-dependent but
\fI/etc/ssl/openssl.cnf\fR
is the most common location.
You will need to adjust the example below if it has a different location on
your system.
.nf
.sp
.RS 6n
# cp /etc/ssl/openssl.cnf .
.RE
.fi
.PP
Now edit the
\fIopenssl.cnf\fR
file in the current directory and make sure it contains
\(lqca\(rq
and
\(lqCA_default\(rq
sections.
Those sections should include the following settings:
.nf
.sp
.RS 6n
[ ca ]
default_ca = CA_default
[ CA_default ]
dir = /etc/ssl/sudo
certs = $dir/certs
database = $dir/index.txt
certificate = $dir/cacert.pem
serial = $dir/serial
.RE
.fi
.PP
If your
\fIopenssl.conf\fR
file already has a
\(lqCA_default\(rq
section, you may only need to modify the
\(lqdir\(rq
setting.
.SS "Creating the CA key and certificate"
In order to create and sign our own certificates, we need to create
a private key and a certificate for the root of the CA.
First, create the private key and protect it with a pass phrase:
.nf
.sp
.RS 6n
# openssl genrsa -aes256 -out private/cakey.pem 4096
# chmod 400 private/cakey.pem
.RE
.fi
.PP
Next, generate the root certificate, using appropriate values for
the site-specific fields:
.nf
.sp
.RS 6n
# openssl req -config openssl.cnf -key private/cakey.pem \e
-new -x509 -days 7300 -sha256 -extensions v3_ca \e
-out cacert.pem
Enter pass phrase for private/cakey.pem:
You are about to be asked to enter information that will be
incorporated into your certificate request.
What you are about to enter is what is called a Distinguished Name
or a DN.
There are quite a few fields but you can leave some blank.
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:US
State or Province Name (full name) [Some-State]:Colorado
Locality Name (eg, city) []:
Organization Name (eg, company) [Internet Widgits Pty Ltd]:sudo
Organizational Unit Name (eg, section) []:sudo Certificate Authority
Common Name (e.g., server FQDN or YOUR name) []:sudo Root CA
Email Address []:
# chmod 444 cacert.pem
.RE
.fi
.PP
Finally, verify the root certificate:
.nf
.sp
.RS 6n
# openssl x509 -noout -text -in cacert.pem
.RE
.fi
.SS "Creating and signing certificates"
The server and client certificates will be signed by the previously
created root CA.
Usually, the root CA is not used to sign server/client certificates
directly.
Instead, intermediate certificates are created and signed with the
root CA and the intermediate certs are used to sign CSRs (Certificate
Signing Request).
In this example we'll skip this part for simplicity's sake and sign the
CSRs with the root CA.
.PP
First, generate the private key without a pass phrase.
.nf
.sp
.RS 6n
# openssl genrsa -out private/logsrvd_key.pem 2048
# chmod 400 private/logsrvd_key.pem
.RE
.fi
.PP
Next, create a certificate signing request (CSR) for the server's certificate.
The organization name must match the name given in the root certificate.
The common name should be either the server's IP address or a fully
qualified domain name.
.nf
.sp
.RS 6n
# openssl req -config openssl.cnf -key private/logsrvd_key.pem -new \e
-sha256 -out csr/logsrvd_csr.pem
Enter pass phrase for private/logsrvd_key.pem:
You are about to be asked to enter information that will be
incorporated into your certificate request.
What you are about to enter is what is called a Distinguished Name
or a DN.
There are quite a few fields but you can leave some blank.
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:US
State or Province Name (full name) [Some-State]:Colorado
Locality Name (eg, city) []:
Organization Name (eg, company) [Internet Widgits Pty Ltd]:sudo
Organizational Unit Name (eg, section) []:sudo log server
Common Name (e.g., server FQDN or YOUR name) []:logserver.example.com
Email Address []:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
.RE
.fi
.PP
Now sign the CSR that was just created:
.nf
.sp
.RS 6n
# openssl ca -config openssl.cnf -days 375 -notext -md sha256 \e
-in csr/logsrvd_csr.pem -out certs/logsrvd_cert.pem
Using configuration from openssl.cnf
Enter pass phrase for ./private/cakey.pem:
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 4096 (0x1000)
Validity
Not Before: Nov 11 14:05:05 2019 GMT
Not After : Nov 20 14:05:05 2020 GMT
Subject:
countryName = US
stateOrProvinceName = Colorado
organizationName = sudo
organizationalUnitName = sudo log server
commonName = logserve.example.com
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
4C:50:F9:D0:BE:1A:4C:B2:AC:90:76:56:C7:9E:16:AE:E6:9E:E5:B5
X509v3 Authority Key Identifier:
keyid:D7:91:24:16:B1:03:06:65:1A:7A:6E:CF:51:E9:5C:CB:7A:95:3E:0C
Certificate is to be certified until Nov 20 14:05:05 2020 GMT (375 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
.RE
.fi
.PP
Finally, verify the new certificate:
.nf
.sp
.RS 6n
# openssl verify -CAfile cacert.pem certs/logsrvd_cert.pem
certs/logsrvd_cert.pem: OK
.RE
.fi
.PP
The
\fI/etc/ssl/sudo/certs\fR
directory now contains a signed and verified certificate for use with
\fBsudo_logsrvd\fR.
.PP
To generate a client certificate, repeat the process above using
a different file name.
.SS "Configuring sudo_logsrvd to use TLS"
To use TLS for client/server communication, both
\fBsudo_logsrvd\fR
and the
\fBsudoers\fR
plugin need to be configured to use TLS.
Configuring
\fBsudo_logsrvd\fR
for TLS requires the following settings, assuming the same path
names used earlier:
.nf
.sp
.RS 6n
# Listen on port 30344 for TLS connections to any address.
listen_address = *:30344(tls)
# Path to the certificate authority bundle file in PEM format.
tls_cacert = /etc/ssl/sudo/cacert.pem
# Path to the server's certificate file in PEM format.
tls_cert = /etc/ssl/sudo/certs/logsrvd_cert.pem
# Path to the server's private key file in PEM format.
tls_key = /etc/ssl/sudo/private/logsrvd_key.pem
.RE
.fi
.PP
The root CA cert
(\fIcacert.pem\fR)
must be installed on the system running
\fBsudo_logsrvd\fR.
If peer authentication is enabled on the client, a copy of
\fIcacert.pem\fR
must be present on the client system too.
.SH "SEE ALSO"
sudo.conf(@mansectform@),
sudo_logsrvd.conf(@mansectform@),
sudoers(@mansectform@),
sudo(@mansectsu@),
sudo_sendlog(@mansectsu@),
sudoreplay(@mansectsu@)
.SH "AUTHORS"
Many people have worked on
\fBsudo\fR
over the years; this version consists of code written primarily by:
.sp
.RS 6n
Todd C. Miller
.RE
.PP
See the CONTRIBUTORS file in the
\fBsudo\fR
distribution (https://www.sudo.ws/contributors.html) for an
exhaustive list of people who have contributed to
\fBsudo\fR.
.SH "BUGS"
If you feel you have found a bug in
\fBsudo_logsrvd\fR,
please submit a bug report at https://bugzilla.sudo.ws/
.SH "SUPPORT"
Limited free support is available via the sudo-users mailing list,
see https://www.sudo.ws/mailman/listinfo/sudo-users to subscribe or
search the archives.
.SH "DISCLAIMER"
\fBsudo_logsrvd\fR
is provided
\(lqAS IS\(rq
and any express or implied warranties, including, but not limited
to, the implied warranties of merchantability and fitness for a
particular purpose are disclaimed.
See the LICENSE file distributed with
\fBsudo\fR
or https://www.sudo.ws/license.html for complete details.

418
docs/sudo_logsrvd.mdoc.in Normal file
View File

@@ -0,0 +1,418 @@
.\"
.\" SPDX-License-Identifier: ISC
.\"
.\" Copyright (c) 2019-2021 Todd C. Miller <Todd.Miller@sudo.ws>
.\"
.\" Permission to use, copy, modify, and distribute this software for any
.\" purpose with or without fee is hereby granted, provided that the above
.\" copyright notice and this permission notice appear in all copies.
.\"
.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
.\"
.Dd September 17, 2021
.Dt SUDO_LOGSRVD @mansectsu@
.Os Sudo @PACKAGE_VERSION@
.Sh NAME
.Nm sudo_logsrvd
.Nd sudo event and I/O log server
.Sh SYNOPSIS
.Nm sudo_logsrvd
.Op Fl hnV
.Op Fl f Ar file
.Op Fl R Ar percentage
.Sh DESCRIPTION
.Nm
is a high-performance log server that accepts event and I/O logs from
.Nm sudo .
It can be used to implement centralized logging of
.Nm sudo
logs.
The server has two modes of operation: local and relay.
By default,
.Nm
stores the logs locally but it can also be configured to
relay them to another server that supports the
.Xr sudo_logsrv.proto @mansectform@
protocol.
.Pp
When not relaying, event log entries may be logged either via
.Xr syslog 3
or to a local file.
I/O Logs stored locally by
.Nm
can be replayed via the
.Xr sudoreplay @mansectsu@
utility in the same way as logs generated directly by the
.Nm sudoers
plugin.
.Pp
The server also supports restarting interrupted log transfers.
To distinguish completed I/O logs from incomplete ones, the
I/O log timing file is set to be read-only when the log is complete.
.Pp
Configuration parameters for
.Nm
may be specified in the
.Xr sudo_logsrvd.conf @mansectform@
file or the file specified via the
.Fl f
option.
.Pp
.Nm
rereads its configuration file when it receives SIGHUP and writes server
state to the debug file (if one is configured) when it receives SIGUSR1.
.Pp
The options are as follows:
.Bl -tag -width Fl
.It Fl f Ar file , Fl -file Ns = Ns Ar file
Read configuration from
.Ar file
instead of the default,
.Pa @sysconfdir@/sudo_logsrvd.conf .
.It Fl h , -help
Display a short help message to the standard output and exit.
.It Fl n , -no-fork
Run
.Nm
in the foreground instead of detaching from the terminal and becoming
a daemon.
.It Fl R Ar percentage , Fl -random-drop Ns = Ns Ar percentage
For each message, there is a
.Ar percentage
chance that the server will drop the connection.
This is only intended for debugging the ability of a
client to restart a connection.
.It Fl V , -version
Print the
.Nm
version and exit.
.El
.Ss Securing server connections
The I/O log data sent to
.Nm
may contain sensitive information such as passwords and should be
secured using Transport Layer Security (TLS).
Doing so requires having a signed certificate on the server and, if
.Em tls_checkpeer
is enabled in
.Xr sudo_logsrvd.conf @mansectform@ ,
a signed certificate on the client as well.
.Pp
The certificates can either be signed by a well-known Certificate
Authority (CA), or a private CA can be used.
Instructions for creating a private CA are included below in the
.Sx EXAMPLES
section.
.Ss Debugging sudo_logsrvd
.Nm
supports a flexible debugging framework that is configured via
.Li Debug
lines in the
.Xr sudo.conf @mansectform@
file.
.Pp
For more information on configuring
.Xr sudo.conf @mansectform@ ,
please refer to its manual.
.Sh FILES
.Bl -tag -width 24n
.It Pa @sysconfdir@/sudo.conf
Sudo front-end configuration
.It Pa @sysconfdir@/sudo_logsrvd.conf
Sudo log server configuration file
.It Pa @relay_dir@/incoming
Directory where new journals are stored when the
.Em store_first relay
setting is enabled.
.It Pa @relay_dir@/outgoing
Directory where completed journals are stored when the
.Em store_first relay
setting is enabled.
.It Pa @iolog_dir@
Default I/O log file location
.It Pa @rundir@/sudo_logsrvd.pid
Process ID file for
.Nm
.El
.Sh EXAMPLES
.Ss Creating self-signed certificates
Unless you are using certificates signed by a well-known Certificate
Authority (or a local enterprise CA), you will need to create your
own CA that can sign the certificates used by
.Nm ,
.Nm sudo_sendlog ,
and the
.Nm sudoers
plugin.
The following steps use the
.Xr openssl 1
command to create keys and certificates.
.Ss Initial setup
First, we need to create a directory structure to store the
files for the CA.
We'll create a new directory hierarchy in
.Pa /etc/ssl/sudo
for this purpose.
.Bd -literal -offset indent
# mkdir /etc/ssl/sudo
# cd /etc/ssl/sudo
# mkdir certs csr newcerts private
# chmod 700 private
# touch index.txt
# echo 1000 > serial
.Ed
.Pp
The serial and index.txt files are used to keep track of signed certificates.
.Pp
Next, we need to make a copy of the openssl.conf file and customize
it for our new CA.
The path to openssl.cnf is system-dependent but
.Pa /etc/ssl/openssl.cnf
is the most common location.
You will need to adjust the example below if it has a different location on
your system.
.Bd -literal -offset indent
# cp /etc/ssl/openssl.cnf .
.Ed
.Pp
Now edit the
.Pa openssl.cnf
file in the current directory and make sure it contains
.Dq ca
and
.Dq CA_default
sections.
Those sections should include the following settings:
.Bd -literal -offset indent
[ ca ]
default_ca = CA_default
[ CA_default ]
dir = /etc/ssl/sudo
certs = $dir/certs
database = $dir/index.txt
certificate = $dir/cacert.pem
serial = $dir/serial
.Ed
.Pp
If your
.Pa openssl.conf
file already has a
.Dq CA_default
section, you may only need to modify the
.Dq dir
setting.
.Ss Creating the CA key and certificate
In order to create and sign our own certificates, we need to create
a private key and a certificate for the root of the CA.
First, create the private key and protect it with a pass phrase:
.Bd -literal -offset indent
# openssl genrsa -aes256 -out private/cakey.pem 4096
# chmod 400 private/cakey.pem
.Ed
.Pp
Next, generate the root certificate, using appropriate values for
the site-specific fields:
.Bd -literal -offset indent
# openssl req -config openssl.cnf -key private/cakey.pem \e
-new -x509 -days 7300 -sha256 -extensions v3_ca \e
-out cacert.pem
Enter pass phrase for private/cakey.pem:
You are about to be asked to enter information that will be
incorporated into your certificate request.
What you are about to enter is what is called a Distinguished Name
or a DN.
There are quite a few fields but you can leave some blank.
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:US
State or Province Name (full name) [Some-State]:Colorado
Locality Name (eg, city) []:
Organization Name (eg, company) [Internet Widgits Pty Ltd]:sudo
Organizational Unit Name (eg, section) []:sudo Certificate Authority
Common Name (e.g., server FQDN or YOUR name) []:sudo Root CA
Email Address []:
# chmod 444 cacert.pem
.Ed
.Pp
Finally, verify the root certificate:
.Bd -literal -offset indent
# openssl x509 -noout -text -in cacert.pem
.Ed
.Ss Creating and signing certificates
The server and client certificates will be signed by the previously
created root CA.
Usually, the root CA is not used to sign server/client certificates
directly.
Instead, intermediate certificates are created and signed with the
root CA and the intermediate certs are used to sign CSRs (Certificate
Signing Request).
In this example we'll skip this part for simplicity's sake and sign the
CSRs with the root CA.
.Pp
First, generate the private key without a pass phrase.
.Bd -literal -offset indent
# openssl genrsa -out private/logsrvd_key.pem 2048
# chmod 400 private/logsrvd_key.pem
.Ed
.Pp
Next, create a certificate signing request (CSR) for the server's certificate.
The organization name must match the name given in the root certificate.
The common name should be either the server's IP address or a fully
qualified domain name.
.Bd -literal -offset indent
# openssl req -config openssl.cnf -key private/logsrvd_key.pem -new \e
-sha256 -out csr/logsrvd_csr.pem
Enter pass phrase for private/logsrvd_key.pem:
You are about to be asked to enter information that will be
incorporated into your certificate request.
What you are about to enter is what is called a Distinguished Name
or a DN.
There are quite a few fields but you can leave some blank.
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:US
State or Province Name (full name) [Some-State]:Colorado
Locality Name (eg, city) []:
Organization Name (eg, company) [Internet Widgits Pty Ltd]:sudo
Organizational Unit Name (eg, section) []:sudo log server
Common Name (e.g., server FQDN or YOUR name) []:logserver.example.com
Email Address []:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
.Ed
.Pp
Now sign the CSR that was just created:
.Bd -literal -offset indent
# openssl ca -config openssl.cnf -days 375 -notext -md sha256 \e
-in csr/logsrvd_csr.pem -out certs/logsrvd_cert.pem
Using configuration from openssl.cnf
Enter pass phrase for ./private/cakey.pem:
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 4096 (0x1000)
Validity
Not Before: Nov 11 14:05:05 2019 GMT
Not After : Nov 20 14:05:05 2020 GMT
Subject:
countryName = US
stateOrProvinceName = Colorado
organizationName = sudo
organizationalUnitName = sudo log server
commonName = logserve.example.com
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
4C:50:F9:D0:BE:1A:4C:B2:AC:90:76:56:C7:9E:16:AE:E6:9E:E5:B5
X509v3 Authority Key Identifier:
keyid:D7:91:24:16:B1:03:06:65:1A:7A:6E:CF:51:E9:5C:CB:7A:95:3E:0C
Certificate is to be certified until Nov 20 14:05:05 2020 GMT (375 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
.Ed
.Pp
Finally, verify the new certificate:
.Bd -literal -offset indent
# openssl verify -CAfile cacert.pem certs/logsrvd_cert.pem
certs/logsrvd_cert.pem: OK
.Ed
.Pp
The
.Pa /etc/ssl/sudo/certs
directory now contains a signed and verified certificate for use with
.Nm sudo_logsrvd .
.Pp
To generate a client certificate, repeat the process above using
a different file name.
.Ss Configuring sudo_logsrvd to use TLS
To use TLS for client/server communication, both
.Nm
and the
.Nm sudoers
plugin need to be configured to use TLS.
Configuring
.Nm
for TLS requires the following settings, assuming the same path
names used earlier:
.Bd -literal -offset indent
# Listen on port 30344 for TLS connections to any address.
listen_address = *:30344(tls)
# Path to the certificate authority bundle file in PEM format.
tls_cacert = /etc/ssl/sudo/cacert.pem
# Path to the server's certificate file in PEM format.
tls_cert = /etc/ssl/sudo/certs/logsrvd_cert.pem
# Path to the server's private key file in PEM format.
tls_key = /etc/ssl/sudo/private/logsrvd_key.pem
.Ed
.Pp
The root CA cert
.Pq Pa cacert.pem
must be installed on the system running
.Nm .
If peer authentication is enabled on the client, a copy of
.Pa cacert.pem
must be present on the client system too.
.Sh SEE ALSO
.Xr sudo.conf @mansectform@ ,
.Xr sudo_logsrvd.conf @mansectform@ ,
.Xr sudoers @mansectform@ ,
.Xr sudo @mansectsu@ ,
.Xr sudo_sendlog @mansectsu@ ,
.Xr sudoreplay @mansectsu@
.Sh AUTHORS
Many people have worked on
.Nm sudo
over the years; this version consists of code written primarily by:
.Bd -ragged -offset indent
.An Todd C. Miller
.Ed
.Pp
See the CONTRIBUTORS file in the
.Nm sudo
distribution (https://www.sudo.ws/contributors.html) for an
exhaustive list of people who have contributed to
.Nm sudo .
.Sh BUGS
If you feel you have found a bug in
.Nm ,
please submit a bug report at https://bugzilla.sudo.ws/
.Sh SUPPORT
Limited free support is available via the sudo-users mailing list,
see https://www.sudo.ws/mailman/listinfo/sudo-users to subscribe or
search the archives.
.Sh DISCLAIMER
.Nm
is provided
.Dq AS IS
and any express or implied warranties, including, but not limited
to, the implied warranties of merchantability and fitness for a
particular purpose are disclaimed.
See the LICENSE file distributed with
.Nm sudo
or https://www.sudo.ws/license.html for complete details.

5331
docs/sudo_plugin.man.in Normal file
View File

File diff suppressed because it is too large Load Diff

4725
docs/sudo_plugin.mdoc.in Normal file
View File

File diff suppressed because it is too large Load Diff

1890
docs/sudo_plugin_python.man.in Normal file
View File

File diff suppressed because it is too large Load Diff

1541
docs/sudo_plugin_python.mdoc.in Normal file
View File

File diff suppressed because it is too large Load Diff

204
docs/sudo_sendlog.man.in Normal file
View File

@@ -0,0 +1,204 @@
.\" Automatically generated from an mdoc input file. Do not edit.
.\"
.\" SPDX-License-Identifier: ISC
.\"
.\" Copyright (c) 2019-2021 Todd C. Miller <Todd.Miller@sudo.ws>
.\"
.\" Permission to use, copy, modify, and distribute this software for any
.\" purpose with or without fee is hereby granted, provided that the above
.\" copyright notice and this permission notice appear in all copies.
.\"
.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
.\"
.TH "SUDO_SENDLOG" "@mansectsu@" "September 17, 2021" "Sudo @PACKAGE_VERSION@" "System Manager's Manual"
.nh
.if n .ad l
.SH "NAME"
\fBsudo_sendlog\fR
\- send sudo I/O log to log server
.SH "SYNOPSIS"
.HP 13n
\fBsudo_sendlog\fR
[\fB\-AnV\fR]
[\fB\-b\fR\ \fIca_bundle\fR]
[\fB\-c\fR\ \fIcert_file\fR]
[\fB\-h\fR\ \fIhost\fR]
[\fB\-i\fR\ \fIiolog-id\fR]
[\fB\-k\fR\ \fIkey_file\fR]
[\fB\-p\fR\ \fIport\fR]
[\fB\-r\fR\ \fIrestart-point\fR]
[\fB\-R\fR\ \fIreject-reason\fR]
[\fB\-s\fR\ \fIstop-point\fR]
[\fB\-t\fR\ \fInumber\fR]
\fIpath\fR
.SH "DESCRIPTION"
\fBsudo_sendlog\fR
can be used to send the existing
\fBsudoers\fR
I/O log
\fIpath\fR
to a remote log server such as
sudo_logsrvd(@mansectsu@)
for central storage.
.PP
The options are as follows:
.TP 12n
\fB\-A\fR, \fB\--accept-only\fR
Only send the accept event, not the I/O associated with the log.
This can be used to test the logging of accept events without
any associated I/O.
.TP 12n
\fB\-b\fR, \fB\--ca-bundle\fR
The path to a certificate authority bundle file, in PEM format,
to use instead of the system's default certificate authority database
when authenticating the log server.
The default is to use the system's default certificate authority database.
.TP 12n
\fB\-c\fR, \fB\--cert\fR
The path to the client's certificate file in PEM format.
This setting is required when the connection to the remote log server
is secured with TLS.
.TP 12n
\fB\--help\fR
Display a short help message to the standard output and exit.
.TP 12n
\fB\-h\fR, \fB\--host\fR
Connect to the specified
\fIhost\fR
instead of localhost.
.TP 12n
\fB\-i\fR, \fB\--iolog-id\fR
Use the specified
\fIiolog-id\fR
when restarting a log transfer.
The
\fIiolog-id\fR
is reported by the server when it creates the remote I/O log.
This option may only be used in conjunction with the
\fB\-r\fR
option.
.TP 12n
\fB\-k\fR, \fB\--key\fR
.br
The path to the client's private key file in PEM format.
This setting is required when the connection to the remote log server
is secured with TLS.
.TP 12n
\fB\-n\fR, \fB\--no-verify\fR
If specified, the server's certificate will not be verified during
the TLS handshake.
By default,
\fBsudo_sendlog\fR
verifies that the server's certificate is valid and that it contains either
the server's host name or its IP address.
This setting is only supported when the connection to the remote log server
is secured with TLS.
.TP 12n
\fB\-p\fR, \fB\--port\fR
Use the specified network
\fIport\fR
when connecting to the log server instead of the
default, port 30344.
.TP 12n
\fB\-r\fR, \fB\--restart\fR
Restart an interrupted connection to the log server.
The specified
\fIrestart-point\fR
is used to tell the server the point in time at which to continue the log.
The
\fIrestart-point\fR
is specified in the form
\(lqseconds,nanoseconds\(rq
and is usually the last commit point received from the server.
The
\fB\-i\fR
option must also be specified when restarting a transfer.
.TP 12n
\fB\-R\fR, \fB\--reject\fR
Send a reject event for the command using the specified
\fIreject-reason\fR,
even though it was actually accepted locally.
This can be used to test the logging of reject events; no I/O
will be sent.
.TP 12n
\fB\-s\fR, \fB\--stop-after\fR
Stop sending log records and close the connection when
\fIstop-point\fR
is reached.
This can be used for testing purposes to send a partial I/O log to the server.
Partial logs can be restarted using the
\fB\-r\fR
option.
The
\fIstop-point\fR
is an elapsed time specified in the form
\(lqseconds,nanoseconds\(rq.
.TP 12n
\fB\-t\fR, \fB\--test\fR
Open
\fInumber\fR
simultaneous connections to the log server and send the specified
I/O log file on each one.
This option is useful for performance testing.
.TP 12n
\fB\-V\fR, \fB\--version\fR
Print the
\fBsudo_sendlog\fR
version and exit.
.SS "Debugging sendlog"
\fBsudo_sendlog\fR
supports a flexible debugging framework that is configured via
\fRDebug\fR
lines in the
sudo.conf(@mansectform@)
file.
.PP
For more information on configuring
sudo.conf(@mansectform@),
please refer to its manual.
.SH "FILES"
.TP 26n
\fI@sysconfdir@/sudo.conf\fR
Sudo front-end configuration
.SH "SEE ALSO"
sudo.conf(@mansectform@),
sudo(@mansectsu@),
sudo_logsrvd(@mansectsu@)
.SH "AUTHORS"
Many people have worked on
\fBsudo\fR
over the years; this version consists of code written primarily by:
.sp
.RS 6n
Todd C. Miller
.RE
.PP
See the CONTRIBUTORS file in the
\fBsudo\fR
distribution (https://www.sudo.ws/contributors.html) for an
exhaustive list of people who have contributed to
\fBsudo\fR.
.SH "BUGS"
If you feel you have found a bug in
\fBsudo_sendlog\fR,
please submit a bug report at https://bugzilla.sudo.ws/
.SH "SUPPORT"
Limited free support is available via the sudo-users mailing list,
see https://www.sudo.ws/mailman/listinfo/sudo-users to subscribe or
search the archives.
.SH "DISCLAIMER"
\fBsudo_sendlog\fR
is provided
\(lqAS IS\(rq
and any express or implied warranties, including, but not limited
to, the implied warranties of merchantability and fitness for a
particular purpose are disclaimed.
See the LICENSE file distributed with
\fBsudo\fR
or https://www.sudo.ws/license.html for complete details.

189
docs/sudo_sendlog.mdoc.in Normal file
View File

@@ -0,0 +1,189 @@
.\"
.\" SPDX-License-Identifier: ISC
.\"
.\" Copyright (c) 2019-2021 Todd C. Miller <Todd.Miller@sudo.ws>
.\"
.\" Permission to use, copy, modify, and distribute this software for any
.\" purpose with or without fee is hereby granted, provided that the above
.\" copyright notice and this permission notice appear in all copies.
.\"
.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
.\"
.Dd September 17, 2021
.Dt SUDO_SENDLOG @mansectsu@
.Os Sudo @PACKAGE_VERSION@
.Sh NAME
.Nm sudo_sendlog
.Nd send sudo I/O log to log server
.Sh SYNOPSIS
.Nm sudo_sendlog
.Op Fl AnV
.Op Fl b Ar ca_bundle
.Op Fl c Ar cert_file
.Op Fl h Ar host
.Op Fl i Ar iolog-id
.Op Fl k Ar key_file
.Op Fl p Ar port
.Op Fl r Ar restart-point
.Op Fl R Ar reject-reason
.Op Fl s Ar stop-point
.Op Fl t Ar number
.Ar path
.Sh DESCRIPTION
.Nm
can be used to send the existing
.Nm sudoers
I/O log
.Ar path
to a remote log server such as
.Xr sudo_logsrvd @mansectsu@
for central storage.
.Pp
The options are as follows:
.Bl -tag -width Fl
.It Fl A , -accept-only
Only send the accept event, not the I/O associated with the log.
This can be used to test the logging of accept events without
any associated I/O.
.It Fl b , -ca-bundle
The path to a certificate authority bundle file, in PEM format,
to use instead of the system's default certificate authority database
when authenticating the log server.
The default is to use the system's default certificate authority database.
.It Fl c , -cert
The path to the client's certificate file in PEM format.
This setting is required when the connection to the remote log server
is secured with TLS.
.It Fl -help
Display a short help message to the standard output and exit.
.It Fl h , -host
Connect to the specified
.Ar host
instead of localhost.
.It Fl i , -iolog-id
Use the specified
.Ar iolog-id
when restarting a log transfer.
The
.Ar iolog-id
is reported by the server when it creates the remote I/O log.
This option may only be used in conjunction with the
.Fl r
option.
.It Fl k , -key
The path to the client's private key file in PEM format.
This setting is required when the connection to the remote log server
is secured with TLS.
.It Fl n , -no-verify
If specified, the server's certificate will not be verified during
the TLS handshake.
By default,
.Nm
verifies that the server's certificate is valid and that it contains either
the server's host name or its IP address.
This setting is only supported when the connection to the remote log server
is secured with TLS.
.It Fl p , -port
Use the specified network
.Ar port
when connecting to the log server instead of the
default, port 30344.
.It Fl r , -restart
Restart an interrupted connection to the log server.
The specified
.Ar restart-point
is used to tell the server the point in time at which to continue the log.
The
.Ar restart-point
is specified in the form
.Dq seconds,nanoseconds
and is usually the last commit point received from the server.
The
.Fl i
option must also be specified when restarting a transfer.
.It Fl R , -reject
Send a reject event for the command using the specified
.Ar reject-reason ,
even though it was actually accepted locally.
This can be used to test the logging of reject events; no I/O
will be sent.
.It Fl s , -stop-after
Stop sending log records and close the connection when
.Ar stop-point
is reached.
This can be used for testing purposes to send a partial I/O log to the server.
Partial logs can be restarted using the
.Fl r
option.
The
.Ar stop-point
is an elapsed time specified in the form
.Dq seconds,nanoseconds .
.It Fl t , -test
Open
.Ar number
simultaneous connections to the log server and send the specified
I/O log file on each one.
This option is useful for performance testing.
.It Fl V , -version
Print the
.Nm
version and exit.
.El
.Ss Debugging sendlog
.Nm
supports a flexible debugging framework that is configured via
.Li Debug
lines in the
.Xr sudo.conf @mansectform@
file.
.Pp
For more information on configuring
.Xr sudo.conf @mansectform@ ,
please refer to its manual.
.Sh FILES
.Bl -tag -width 24n
.It Pa @sysconfdir@/sudo.conf
Sudo front-end configuration
.El
.Sh SEE ALSO
.Xr sudo.conf @mansectform@ ,
.Xr sudo @mansectsu@ ,
.Xr sudo_logsrvd @mansectsu@
.Sh AUTHORS
Many people have worked on
.Nm sudo
over the years; this version consists of code written primarily by:
.Bd -ragged -offset indent
.An Todd C. Miller
.Ed
.Pp
See the CONTRIBUTORS file in the
.Nm sudo
distribution (https://www.sudo.ws/contributors.html) for an
exhaustive list of people who have contributed to
.Nm sudo .
.Sh BUGS
If you feel you have found a bug in
.Nm ,
please submit a bug report at https://bugzilla.sudo.ws/
.Sh SUPPORT
Limited free support is available via the sudo-users mailing list,
see https://www.sudo.ws/mailman/listinfo/sudo-users to subscribe or
search the archives.
.Sh DISCLAIMER
.Nm
is provided
.Dq AS IS
and any express or implied warranties, including, but not limited
to, the implied warranties of merchantability and fitness for a
particular purpose are disclaimed.
See the LICENSE file distributed with
.Nm sudo
or https://www.sudo.ws/license.html for complete details.

1748
docs/sudoers.ldap.man.in Normal file
View File

File diff suppressed because it is too large Load Diff

1606
docs/sudoers.ldap.mdoc.in Normal file
View File

File diff suppressed because it is too large Load Diff

7007
docs/sudoers.man.in Normal file
View File

File diff suppressed because it is too large Load Diff

150
docs/sudoers.man.in.sed Normal file
View File

@@ -0,0 +1,150 @@
s/^\(.TH .*\)/.nr SL @SEMAN@\
.nr BA @BAMAN@\
.nr LC @LCMAN@\
.nr PS @PSMAN@\
\1/
/^On$/N
/^On\nBSD$/,/^.*\.$/ {
/^On\nBSD$/i\
.if \\n(LC \\{\\
/\.$/a\
.\\}
}
/^\.SS "SELinux_Spec"$/,/^\.SS/ {
/^\.SS / {
/^\.SS "SELinux_Spec"$/i\
.if \\n(SL \\{\\
/^\.SS "SELinux_Spec"$/!i\
.\\}
}
}
/^\.SS "Solaris_Priv_Spec"$/,/^\.SS/ {
/^\.SS / {
/^\.SS "Solaris_Priv_Spec"$/i\
.if \\n(PS \\{\\
/^\.SS "Solaris_Priv_Spec"$/!i\
.\\}
}
}
/^Option_Spec ::= / {
s/^.*$/.ie \\n(SL \\{\\\
.ie \\n(PS Option_Spec ::= (SELinux_Spec | Solaris_Priv_Spec | Date_Spec | Timeout_Spec)\
.el Option_Spec ::= (SELinux_Spec | Date_Spec | Timeout_Spec)\
.\\}\
.el \\{\\\
.ie \\n(PS Option_Spec ::= (Solaris_Priv_Spec | Date_Spec | Timeout_Spec)\
.el Option_Spec ::= (Date_Spec | Timeout_Spec)\
.\\}/
}
/^SELinux_Spec ::=/ {
i\
.if \\n(SL \\{\\
N
a\
.\\}
}
/^Solaris_Priv_Spec ::=/ {
i\
.if \\n(PS \\{\\
N
a\
.\\}
}
/^SELinux roles.*types,/ {
i\
.if \\n(SL \\{\\
a\
.\\}
}
/^Solaris privileges sets,/ {
i\
.if \\n(PS \\{\\
a\
.\\}
}
/^\.TP 18n$/ {
N
/^\.TP 18n\nuse_loginclass$/,/^\.TP 18n/ {
/^\.TP 18n/ {
/^\.TP 18n\nuse_loginclass$/i\
.if \\n(BA \\{\\
/^\.TP 18n\nuse_loginclass$/!i\
.\\}
}
}
/^\.TP 18n\nlimitprivs$/,/^\.TP 18n/ {
/^\.TP 18n/ {
/^\.TP 18n\nlimitprivs$/i\
.if \\n(PS \\{\\
/^\.TP 18n\nlimitprivs$/!i\
.\\}
}
}
/^\.TP 18n\nprivs$/,/^\.TP 18n/ {
/^\.TP 18n/ {
/^\.TP 18n\nprivs$/i\
.if \\n(PS \\{\\
/^\.TP 18n\nprivs$/!i\
.\\}
}
}
/^\.TP 18n\nselinux$/,/^\.TP 18n/ {
/^\.TP 18n/ {
/^\.TP 18n\nselinux$/i\
.if \\n(SL \\{\\
/^\.TP 18n\nselinux$/!i\
.\\}
}
}
/^\.TP 18n\nrole$/,/^\.TP 18n/ {
/^\.TP 18n/ {
/^\.TP 18n\nrole$/i\
.if \\n(SL \\{\\
/^\.TP 18n\nrole$/!i\
.\\}
}
}
/^\.TP 18n\ntype$/,/^\.TP 18n/ {
/^\.TP 18n/ {
/^\.TP 18n\ntype$/i\
.if \\n(SL \\{\\
/^\.TP 18n\ntype$/!i\
.\\}
}
}
}
/^\\fRPRIVS\\fR,/ {
i\
.if \\n(PS \\{\\
a\
.\\}
}
/^\\fRLIMITPRIVS\\fR,/ {
i\
.if \\n(PS \\{\\
a\
.\\}
}
/^\\fRROLE\\fR,/ {
i\
.if \\n(SL \\{\\
a\
.\\}
}
/^\\fRTYPE\\fR,/ {
i\
.if \\n(SL \\{\\
a\
.\\}
}

6477
docs/sudoers.mdoc.in Normal file
View File

File diff suppressed because it is too large Load Diff

312
docs/sudoers_timestamp.man.in Normal file
View File

@@ -0,0 +1,312 @@
.\" Automatically generated from an mdoc input file. Do not edit.
.\"
.\" SPDX-License-Identifier: ISC
.\"
.\" Copyright (c) 2017-2020 Todd C. Miller <Todd.Miller@sudo.ws>
.\"
.\" Permission to use, copy, modify, and distribute this software for any
.\" purpose with or without fee is hereby granted, provided that the above
.\" copyright notice and this permission notice appear in all copies.
.\"
.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
.\"
.TH "SUDOERS_TIMESTAMP" "@mansectform@" "October 20, 2019" "Sudo @PACKAGE_VERSION@" "File Formats Manual"
.nh
.if n .ad l
.SH "NAME"
\fBsudoers_timestamp\fR
\- Sudoers Time Stamp Format
.SH "DESCRIPTION"
The
\fBsudoers\fR
plugin uses per-user time stamp files for credential caching.
Once a user has been authenticated, they may use
\fBsudo\fR
without a password for a short period of time
(\fR@timeout@\fR
minutes unless overridden by the
\fItimestamp_timeout\fR
option)
\&.
By default,
\fBsudoers\fR
uses a separate record for each terminal, which means that
a user's login sessions are authenticated separately.
The
\fItimestamp_type\fR
option can be used to select the type of time stamp record
\fBsudoers\fR
will use.
.PP
A multi-record time stamp file format was introduced in
\fBsudo\fR
1.8.10 that uses a single file per user.
Previously, a separate file was used for each user and terminal
combination unless tty-based time stamps were disabled.
The new format is extensible and records of multiple types and versions
may coexist within the same file.
.PP
All records, regardless of type or version, begin with a 16-bit version
number and a 16-bit record size.
.PP
Time stamp records have the following structure:
.nf
.sp
.RS 0n
/* Time stamp entry types */
#define TS_GLOBAL 0x01 /* not restricted by tty or ppid */
#define TS_TTY 0x02 /* restricted by tty */
#define TS_PPID 0x03 /* restricted by ppid */
#define TS_LOCKEXCL 0x04 /* special lock record */
/* Time stamp flags */
#define TS_DISABLED 0x01 /* entry disabled */
#define TS_ANYUID 0x02 /* ignore uid, only valid in key */
struct timestamp_entry {
unsigned short version; /* version number */
unsigned short size; /* entry size */
unsigned short type; /* TS_GLOBAL, TS_TTY, TS_PPID */
unsigned short flags; /* TS_DISABLED, TS_ANYUID */
uid_t auth_uid; /* uid to authenticate as */
pid_t sid; /* session ID associated with tty/ppid */
struct timespec start_time; /* session/ppid start time */
struct timespec ts; /* time stamp (CLOCK_MONOTONIC) */
union {
dev_t ttydev; /* tty device number */
pid_t ppid; /* parent pid */
} u;
};
.RE
.fi
.PP
The timestamp_entry struct fields are as follows:
.TP 6n
version
The version number of the timestamp_entry struct.
New entries are created with a version number of 2.
Records with different version numbers may coexist in the
same file but are not inter-operable.
.TP 6n
size
The size of the record in bytes.
.TP 6n
type
The record type, currently
\fRTS_GLOBAL\fR,
\fRTS_TTY\fR,
or
\fRTS_PPID\fR.
.TP 6n
flags
.br
Zero or more record flags which can be bit-wise ORed together.
Supported flags are
\fRTS_DISABLED\fR,
for records disabled via
\fBsudo\fR
\fB\-k\fR
and
\fRTS_ANYUID\fR,
which is used only when matching records.
.TP 6n
auth_uid
The user-ID that was used for authentication.
Depending on the value of the
\fIrootpw\fR,
\fIrunaspw\fR
and
\fItargetpw\fR
options, the user-ID may be that of the invoking user, the root user,
the default runas user or the target user.
.TP 6n
sid
The ID of the user's terminal session, if present.
The session ID is only used when matching records of type
\fRTS_TTY\fR.
.TP 6n
start_time
The start time of the session leader for records of type
\fRTS_TTY\fR
or of the parent process for records of type
\fRTS_PPID\fR.
The
\fIstart_time\fR
is used to help prevent re-use of a time stamp record after a
user has logged out.
Not all systems support a method to easily retrieve a process's
start time.
The
\fIstart_time\fR
field was added in
\fBsudoers\fR
version 1.8.22 for the second revision of the timestamp_entry struct.
.TP 6n
ts
The actual time stamp.
A monotonic time source (which does not move backward) is used if the
system supports it.
Where possible,
\fBsudoers\fR
uses a monotonic timer that increments even while the system
is suspended.
The value of
\fIts\fR
is updated each time a command is run via
\fBsudo\fR.
If the difference between
\fIts\fR
and the current time is less than the value of the
\fItimestamp_timeout\fR
option, no password is required.
.TP 6n
u.ttydev
The device number of the terminal associated with the session for
records of type
\fRTS_TTY\fR.
.TP 6n
u.ppid
The ID of the parent process for records of type
\fRTS_PPID\fR.
.SH "LOCKING"
In
\fBsudoers\fR
versions 1.8.10 through 1.8.14, the entire time stamp file was
locked for exclusive access when reading or writing to the file.
Starting in
\fBsudoers\fR
1.8.15, individual records are locked in the time stamp file instead
of the entire file and the lock is held for a longer period of time.
This scheme is described below.
.PP
The first record in the time stamp file is of type
\fRTS_LOCKEXCL\fR
and is used as a
\fIlock\fR
record to prevent more than one
\fBsudo\fR
process from adding a new record at the same time.
Once the desired time stamp record has been located or created (and
locked), the
\fRTS_LOCKEXCL\fR
record is unlocked.
The lock on the individual time stamp record, however, is held until
authentication is complete.
This allows
\fBsudoers\fR
to avoid prompting for a password multiple times when it
is used more than once in a pipeline.
.PP
Records of type
\fRTS_GLOBAL\fR
cannot be locked for a long period of time since doing so would
interfere with other
\fBsudo\fR
processes.
Instead, a separate lock record is used to prevent multiple
\fBsudo\fR
processes using the same terminal (or parent process ID) from
prompting for a password as the same time.
.SH "SEE ALSO"
sudoers(@mansectform@),
sudo(@mansectsu@)
.SH "HISTORY"
Originally,
\fBsudo\fR
used a single zero-length file per user and the file's modification
time was used as the time stamp.
Later versions of
\fBsudo\fR
added restrictions on the ownership of the time stamp files and
directory as well as checks on the validity of the time stamp itself.
Notable changes were introduced in the following
\fBsudo\fR
versions:
.TP 6n
1.4.0
.br
Support for tty-based time stamp file was added
by appending the terminal name to the time stamp file name.
.TP 6n
1.6.2
.br
The time stamp file was replaced by a per-user directory which
contained any tty-based time stamp files.
.TP 6n
1.6.3p2
The target user name was added to the time stamp file name when the
\fItargetpw\fR
option was set.
.TP 6n
1.7.3
.br
Information about the terminal device was stored in
tty-based time stamp files for validity checks.
This included the terminal device numbers, inode number and, on systems
where it was not updated when the device was written to, the inode change time.
This helped prevent re-use of the time stamp file after logout.
.TP 6n
1.8.6p7
The terminal session ID was added to tty-based time stamp files to
prevent re-use of the time stamp by the same user in a different
terminal session.
It also helped prevent re-use of the time stamp file on systems where
the terminal device's inode change time was updated by writing.
.TP 6n
1.8.10
A new, multi-record time stamp file format was introduced that uses a
single file per user.
The terminal device's change time was not included since most
systems now update the change time after a write is performed
as required by POSIX.
.TP 6n
1.8.15
Individual records are locked in the time stamp file instead of the
entire file and the lock is held until authentication is complete.
.TP 6n
1.8.22
The start time of the terminal session leader or parent process is
now stored in non-global time stamp records.
This prevents re-use of the time stamp file after logout in most cases.
.sp
Support was added for the kernel-based tty time stamps available in
OpenBSD
which do not use an on-disk time stamp file.
.SH "AUTHORS"
Many people have worked on
\fBsudo\fR
over the years; this version consists of code written primarily by:
.sp
.RS 6n
Todd C. Miller
.RE
.PP
See the CONTRIBUTORS file in the
\fBsudo\fR
distribution (https://www.sudo.ws/contributors.html) for an
exhaustive list of people who have contributed to
\fBsudo\fR.
.SH "BUGS"
If you feel you have found a bug in
\fBsudo\fR,
please submit a bug report at https://bugzilla.sudo.ws/
.SH "SUPPORT"
Limited free support is available via the sudo-users mailing list,
see https://www.sudo.ws/mailman/listinfo/sudo-users to subscribe or
search the archives.
.SH "DISCLAIMER"
\fBsudo\fR
is provided
\(lqAS IS\(rq
and any express or implied warranties, including, but not limited
to, the implied warranties of merchantability and fitness for a
particular purpose are disclaimed.
See the LICENSE file distributed with
\fBsudo\fR
or https://www.sudo.ws/license.html for complete details.

290
docs/sudoers_timestamp.mdoc.in Normal file
View File

@@ -0,0 +1,290 @@
.\"
.\" SPDX-License-Identifier: ISC
.\"
.\" Copyright (c) 2017-2020 Todd C. Miller <Todd.Miller@sudo.ws>
.\"
.\" Permission to use, copy, modify, and distribute this software for any
.\" purpose with or without fee is hereby granted, provided that the above
.\" copyright notice and this permission notice appear in all copies.
.\"
.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
.\"
.Dd October 20, 2019
.Dt SUDOERS_TIMESTAMP @mansectform@
.Os Sudo @PACKAGE_VERSION@
.Sh NAME
.Nm sudoers_timestamp
.Nd Sudoers Time Stamp Format
.Sh DESCRIPTION
The
.Nm sudoers
plugin uses per-user time stamp files for credential caching.
Once a user has been authenticated, they may use
.Nm sudo
without a password for a short period of time
.Po
.Li @timeout@
minutes unless overridden by the
.Em timestamp_timeout
option
.Pc .
By default,
.Nm sudoers
uses a separate record for each terminal, which means that
a user's login sessions are authenticated separately.
The
.Em timestamp_type
option can be used to select the type of time stamp record
.Nm sudoers
will use.
.Pp
A multi-record time stamp file format was introduced in
.Nm sudo
1.8.10 that uses a single file per user.
Previously, a separate file was used for each user and terminal
combination unless tty-based time stamps were disabled.
The new format is extensible and records of multiple types and versions
may coexist within the same file.
.Pp
All records, regardless of type or version, begin with a 16-bit version
number and a 16-bit record size.
.Pp
Time stamp records have the following structure:
.Bd -literal
/* Time stamp entry types */
#define TS_GLOBAL 0x01 /* not restricted by tty or ppid */
#define TS_TTY 0x02 /* restricted by tty */
#define TS_PPID 0x03 /* restricted by ppid */
#define TS_LOCKEXCL 0x04 /* special lock record */
/* Time stamp flags */
#define TS_DISABLED 0x01 /* entry disabled */
#define TS_ANYUID 0x02 /* ignore uid, only valid in key */
struct timestamp_entry {
unsigned short version; /* version number */
unsigned short size; /* entry size */
unsigned short type; /* TS_GLOBAL, TS_TTY, TS_PPID */
unsigned short flags; /* TS_DISABLED, TS_ANYUID */
uid_t auth_uid; /* uid to authenticate as */
pid_t sid; /* session ID associated with tty/ppid */
struct timespec start_time; /* session/ppid start time */
struct timespec ts; /* time stamp (CLOCK_MONOTONIC) */
union {
dev_t ttydev; /* tty device number */
pid_t ppid; /* parent pid */
} u;
};
.Ed
.Pp
The timestamp_entry struct fields are as follows:
.Bl -tag -width 4n
.It version
The version number of the timestamp_entry struct.
New entries are created with a version number of 2.
Records with different version numbers may coexist in the
same file but are not inter-operable.
.It size
The size of the record in bytes.
.It type
The record type, currently
.Li TS_GLOBAL ,
.Li TS_TTY ,
or
.Li TS_PPID .
.It flags
Zero or more record flags which can be bit-wise ORed together.
Supported flags are
.Li TS_DISABLED ,
for records disabled via
.Nm sudo
.Fl k
and
.Li TS_ANYUID ,
which is used only when matching records.
.It auth_uid
The user-ID that was used for authentication.
Depending on the value of the
.Em rootpw ,
.Em runaspw
and
.Em targetpw
options, the user-ID may be that of the invoking user, the root user,
the default runas user or the target user.
.It sid
The ID of the user's terminal session, if present.
The session ID is only used when matching records of type
.Li TS_TTY .
.It start_time
The start time of the session leader for records of type
.Li TS_TTY
or of the parent process for records of type
.Li TS_PPID .
The
.Em start_time
is used to help prevent re-use of a time stamp record after a
user has logged out.
Not all systems support a method to easily retrieve a process's
start time.
The
.Em start_time
field was added in
.Nm sudoers
version 1.8.22 for the second revision of the timestamp_entry struct.
.It ts
The actual time stamp.
A monotonic time source (which does not move backward) is used if the
system supports it.
Where possible,
.Nm sudoers
uses a monotonic timer that increments even while the system
is suspended.
The value of
.Em ts
is updated each time a command is run via
.Nm sudo .
If the difference between
.Em ts
and the current time is less than the value of the
.Em timestamp_timeout
option, no password is required.
.It u.ttydev
The device number of the terminal associated with the session for
records of type
.Li TS_TTY .
.It u.ppid
The ID of the parent process for records of type
.Li TS_PPID .
.El
.Sh LOCKING
In
.Nm sudoers
versions 1.8.10 through 1.8.14, the entire time stamp file was
locked for exclusive access when reading or writing to the file.
Starting in
.Nm sudoers
1.8.15, individual records are locked in the time stamp file instead
of the entire file and the lock is held for a longer period of time.
This scheme is described below.
.Pp
The first record in the time stamp file is of type
.Li TS_LOCKEXCL
and is used as a
.Em lock
record to prevent more than one
.Nm sudo
process from adding a new record at the same time.
Once the desired time stamp record has been located or created (and
locked), the
.Li TS_LOCKEXCL
record is unlocked.
The lock on the individual time stamp record, however, is held until
authentication is complete.
This allows
.Nm sudoers
to avoid prompting for a password multiple times when it
is used more than once in a pipeline.
.Pp
Records of type
.Li TS_GLOBAL
cannot be locked for a long period of time since doing so would
interfere with other
.Nm sudo
processes.
Instead, a separate lock record is used to prevent multiple
.Nm sudo
processes using the same terminal (or parent process ID) from
prompting for a password as the same time.
.Sh SEE ALSO
.Xr sudoers @mansectform@ ,
.Xr sudo @mansectsu@
.Sh HISTORY
Originally,
.Nm sudo
used a single zero-length file per user and the file's modification
time was used as the time stamp.
Later versions of
.Nm sudo
added restrictions on the ownership of the time stamp files and
directory as well as checks on the validity of the time stamp itself.
Notable changes were introduced in the following
.Nm sudo
versions:
.Bl -tag -width 4n
.It 1.4.0
Support for tty-based time stamp file was added
by appending the terminal name to the time stamp file name.
.It 1.6.2
The time stamp file was replaced by a per-user directory which
contained any tty-based time stamp files.
.It 1.6.3p2
The target user name was added to the time stamp file name when the
.Em targetpw
option was set.
.It 1.7.3
Information about the terminal device was stored in
tty-based time stamp files for validity checks.
This included the terminal device numbers, inode number and, on systems
where it was not updated when the device was written to, the inode change time.
This helped prevent re-use of the time stamp file after logout.
.It 1.8.6p7
The terminal session ID was added to tty-based time stamp files to
prevent re-use of the time stamp by the same user in a different
terminal session.
It also helped prevent re-use of the time stamp file on systems where
the terminal device's inode change time was updated by writing.
.It 1.8.10
A new, multi-record time stamp file format was introduced that uses a
single file per user.
The terminal device's change time was not included since most
systems now update the change time after a write is performed
as required by POSIX.
.It 1.8.15
Individual records are locked in the time stamp file instead of the
entire file and the lock is held until authentication is complete.
.It 1.8.22
The start time of the terminal session leader or parent process is
now stored in non-global time stamp records.
This prevents re-use of the time stamp file after logout in most cases.
.Pp
Support was added for the kernel-based tty time stamps available in
.Ox
which do not use an on-disk time stamp file.
.El
.Sh AUTHORS
Many people have worked on
.Nm sudo
over the years; this version consists of code written primarily by:
.Bd -ragged -offset indent
.An Todd C. Miller
.Ed
.Pp
See the CONTRIBUTORS file in the
.Nm sudo
distribution (https://www.sudo.ws/contributors.html) for an
exhaustive list of people who have contributed to
.Nm sudo .
.Sh BUGS
If you feel you have found a bug in
.Nm sudo ,
please submit a bug report at https://bugzilla.sudo.ws/
.Sh SUPPORT
Limited free support is available via the sudo-users mailing list,
see https://www.sudo.ws/mailman/listinfo/sudo-users to subscribe or
search the archives.
.Sh DISCLAIMER
.Nm sudo
is provided
.Dq AS IS
and any express or implied warranties, including, but not limited
to, the implied warranties of merchantability and fitness for a
particular purpose are disclaimed.
See the LICENSE file distributed with
.Nm sudo
or https://www.sudo.ws/license.html for complete details.

523
docs/sudoreplay.man.in Normal file
View File

@@ -0,0 +1,523 @@
.\" Automatically generated from an mdoc input file. Do not edit.
.\"
.\" SPDX-License-Identifier: ISC
.\"
.\" Copyright (c) 2009-2021 Todd C. Miller <Todd.Miller@sudo.ws>
.\"
.\" Permission to use, copy, modify, and distribute this software for any
.\" purpose with or without fee is hereby granted, provided that the above
.\" copyright notice and this permission notice appear in all copies.
.\"
.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
.\"
.TH "SUDOREPLAY" "@mansectsu@" "August 13, 2021" "Sudo @PACKAGE_VERSION@" "System Manager's Manual"
.nh
.if n .ad l
.SH "NAME"
\fBsudoreplay\fR
\- replay sudo session logs
.SH "SYNOPSIS"
.HP 11n
\fBsudoreplay\fR
[\fB\-FhnRS\fR]
[\fB\-d\fR\ \fIdir\fR]
[\fB\-f\fR\ \fIfilter\fR]
[\fB\-m\fR\ \fInum\fR]
[\fB\-s\fR\ \fInum\fR]
ID[\fI@offset\fR]
.HP 11n
\fBsudoreplay\fR
[\fB\-h\fR]
[\fB\-d\fR\ \fIdir\fR]
\fB\-l\fR
[search\ expression]
.SH "DESCRIPTION"
\fBsudoreplay\fR
plays back or lists the output logs created by
\fBsudo\fR.
When replaying,
\fBsudoreplay\fR
can play the session back in real-time, or the playback speed may be
adjusted (faster or slower) based on the command line options.
.PP
The
\fIID\fR
should either be a six character sequence of digits and
upper case letters, e.g.,
\fR0100A5\fR
or a path name.
The
\fIID\fR
may include an optional
\fI@offset\fR
suffix which may be used to start replaying at a specific time offset.
The
\fI@offset\fR
is specified as a number in seconds since the start of the session
with an optional decimal fraction.
.PP
Path names may be relative to the I/O log directory
\fI@iolog_dir@\fR
(unless overridden by the
\fB\-d\fR
option) or fully qualified, beginning with a
\(oq/\(cq
character.
When a command is run via
\fBsudo\fR
with
\fIlog_output\fR
enabled in the
\fIsudoers\fR
file, a
\fRTSID=ID\fR
string is logged via syslog or to the
\fBsudo\fR
log file.
The
\fIID\fR
may also be determined using
\fBsudoreplay\fR's
list mode.
.PP
In list mode,
\fBsudoreplay\fR
can be used to find the ID of a session based on a number of criteria
such as the user, tty or command run.
.PP
In replay mode, if the standard input and output are connected to a terminal
and the
\fB\-n\fR
option is not specified,
\fBsudoreplay\fR
will operate interactively.
In interactive mode,
\fBsudoreplay\fR
will attempt to adjust the terminal size to match that of the session and
write directly to the terminal (not all terminals support this).
Additionally, it will poll the keyboard and act on the following keys:
.TP 14n
\(oq\fR\en\fR\(cq or \(oq\fR\er\fR\(cq
Skip to the next replay event; useful for long pauses.
.TP 14n
\(oq\fR\ \fR\(cq (space)
Pause output; press any key to resume.
.TP 14n
\(oq<\(cq
Reduce the playback speed by one half.
.TP 14n
\(oq>\(cq
Double the playback speed.
.PP
The session can be interrupted via control-C.
When the session has finished, the terminal is restored to its
original size if it was changed during playback.
.PP
The options are as follows:
.TP 12n
\fB\-d\fR \fIdir\fR, \fB\--directory\fR=\fIdir\fR
Store session logs in
\fIdir\fR
instead of the default,
\fI@iolog_dir@\fR.
.TP 12n
\fB\-f\fR \fIfilter\fR, \fB\--filter\fR=\fIfilter\fR
Select which I/O type(s) to display.
By default,
\fBsudoreplay\fR
will display the command's standard output, standard error and tty output.
The
\fIfilter\fR
argument is a comma-separated list, consisting of one or more of following:
\fIstdin\fR,
\fIstdout\fR,
\fIstderr\fR,
\fIttyin\fR,
and
\fIttyout\fR.
.TP 12n
\fB\-F\fR, \fB\--follow\fR
Enable
\(lqfollow mode\(rq.
When replaying a session,
\fBsudoreplay\fR
will ignore end-of-file and keep replaying until the log is complete.
This can be used to replay a session that is still in progress,
similar to
\(lqtail -f\(rq.
An I/O log file is considered to be complete when the write bits
have been cleared on the session's timing file.
Note that versions of
\fBsudo\fR
prior to 1.9.1 do not clear the write bits upon completion.
.TP 12n
\fB\-h\fR, \fB\--help\fR
Display a short help message to the standard output and exit.
.TP 12n
\fB\-l\fR, \fB\--list\fR [\fIsearch expression\fR]
Enable
\(lqlist mode\(rq.
In this mode,
\fBsudoreplay\fR
will list available sessions in a format similar to the
\fBsudo\fR
log file format, sorted by file name (or sequence number).
If a
\fIsearch expression\fR
is specified, it will be used to restrict the IDs that are displayed.
An expression is composed of the following predicates:
.PP
.RS 12n
.PD 0
.TP 8n
command \fIpattern\fR
Evaluates to true if the command run matches the POSIX extended
regular expression
\fIpattern\fR.
.PD
.TP 8n
cwd \fIdirectory\fR
Evaluates to true if the command was run with the specified current
working directory.
.TP 8n
fromdate \fIdate\fR
Evaluates to true if the command was run on or after
\fIdate\fR.
See
\fIDate and time format\fR
for a description of supported date and time formats.
.TP 8n
group \fIrunas_group\fR
Evaluates to true if the command was run with the specified
\fIrunas_group\fR.
Note that unless a
\fIrunas_group\fR
was explicitly specified when
\fBsudo\fR
was run this field will be empty in the log.
.TP 8n
host \fIhostname\fR
Evaluates to true if the command was run on the specified
\fIhostname\fR.
.TP 8n
runas \fIrunas_user\fR
Evaluates to true if the command was run as the specified
\fIrunas_user\fR.
Note that
\fBsudo\fR
runs commands as user
\fIroot\fR
by default.
.TP 8n
todate \fIdate\fR
Evaluates to true if the command was run on or prior to
\fIdate\fR.
See
\fIDate and time format\fR
for a description of supported date and time formats.
.TP 8n
tty \fItty name\fR
Evaluates to true if the command was run on the specified terminal device.
The
\fItty name\fR
should be specified without the
\fI/dev/\fR
prefix, e.g.,
\fItty01\fR
instead of
\fI/dev/tty01\fR.
.TP 8n
user \fIuser name\fR
Evaluates to true if the ID matches a command run by
\fIuser name\fR.
.PP
Predicates may be abbreviated to the shortest unique string.
.sp
Predicates may be combined using
\fIand\fR,
\fIor\fR
and
\fI\&!\fR
operators as well as
\(oq\&(\(cq
and
\(oq\&)\(cq
grouping (note that parentheses must generally be escaped from the shell).
The
\fIand\fR
operator is optional, adjacent predicates have an implied
\fIand\fR
unless separated by an
\fIor\fR.
.RE
.TP 12n
\fB\-m\fR, \fB\--max-wait\fR \fImax_wait\fR
Specify an upper bound on how long to wait between key presses or output data.
By default,
\fBsudoreplay\fR
will accurately reproduce the delays between key presses or program output.
However, this can be tedious when the session includes long pauses.
When the
\fB\-m\fR
option is specified,
\fBsudoreplay\fR
will limit these pauses to at most
\fImax_wait\fR
seconds.
The value may be specified as a floating point number, e.g.,
\fI2.5\fR.
A
\fImax_wait\fR
of zero or less will eliminate the pauses entirely.
.TP 12n
\fB\-n\fR, \fB\--non-interactive\fR
Do not prompt for user input or attempt to re-size the terminal.
The session is written to the standard output, not directly to
the user's terminal.
.TP 12n
\fB\-R\fR, \fB\--no-resize\fR
Do not attempt to re-size the terminal to match the terminal size
of the session.
.TP 12n
\fB\-S\fR, \fB\--suspend-wait\fR
Wait while the command was suspended.
By default,
\fBsudoreplay\fR
will ignore the time interval between when the command was suspended
and when it was resumed.
If the
\fB\-S\fR
option is specified,
\fBsudoreplay\fR
will wait instead.
.TP 12n
\fB\-s\fR, \fB\--speed\fR \fIspeed_factor\fR
This option causes
\fBsudoreplay\fR
to adjust the number of seconds it will wait between key presses or
program output.
This can be used to slow down or speed up the display.
For example, a
\fIspeed_factor\fR
of
\fI2\fR
would make the output twice as fast whereas a
\fIspeed_factor\fR
of
\fI.5\fR
would make the output twice as slow.
.TP 12n
\fB\-V\fR, \fB\--version\fR
Print the
\fBsudoreplay\fR
versions version number and exit.
.SS "Date and time format"
The time and date may be specified multiple ways, common formats include:
.TP 8n
HH:MM:SS am MM/DD/CCYY timezone
24 hour time may be used in place of am/pm.
.TP 8n
HH:MM:SS am Month, Day Year timezone
24 hour time may be used in place of am/pm, and month and day names
may be abbreviated.
Note that month and day of the week names must be specified in English.
.TP 8n
CCYY-MM-DD HH:MM:SS
ISO time format
.TP 8n
DD Month CCYY HH:MM:SS
The month name may be abbreviated.
.PP
Either time or date may be omitted, the am/pm and timezone are optional.
If no date is specified, the current day is assumed; if no time is
specified, the first second of the specified date is used.
The less significant parts of both time and date may also be omitted,
in which case zero is assumed.
.PP
The following are all valid time and date specifications:
.TP 8n
now
The current time and date.
.TP 8n
tomorrow
Exactly one day from now.
.TP 8n
yesterday
24 hours ago.
.TP 8n
2 hours ago
2 hours ago.
.TP 8n
next Friday
The first second of the Friday in the next (upcoming) week.
Not to be confused with
\(lqthis Friday\(rq
which would match the Friday of the current week.
.TP 8n
last week
The current time but 7 days ago.
This is equivalent to
\(lqa week ago\(rq.
.TP 8n
a fortnight ago
The current time but 14 days ago.
.TP 8n
10:01 am 9/17/2009
10:01 am, September 17, 2009.
.TP 8n
10:01 am
10:01 am on the current day.
.TP 8n
10
10:00 am on the current day.
.TP 8n
9/17/2009
00:00 am, September 17, 2009.
.TP 8n
10:01 am Sep 17, 2009
10:01 am, September 17, 2009.
.PP
Note that relative time specifications do not always work as expected.
For example, the
\(lqnext\(rq
qualifier is intended to be used in conjunction with a day such as
\(lqnext Monday\(rq.
When used with units of weeks, months, years, etc
the result will be one more than expected.
For example,
\(lqnext week\(rq
will result in a time exactly two weeks from now, which is probably
not what was intended.
This will be addressed in a future version of
\fBsudoreplay\fR.
.SS "Debugging sudoreplay"
\fBsudoreplay\fR
versions 1.8.4 and higher support a flexible debugging framework
that is configured via
\fRDebug\fR
lines in the
sudo.conf(@mansectform@)
file.
.PP
For more information on configuring
sudo.conf(@mansectform@),
please refer to its manual.
.SH "FILES"
.TP 26n
\fI@sysconfdir@/sudo.conf\fR
Debugging framework configuration
.TP 26n
\fI@iolog_dir@\fR
The default I/O log directory.
.TP 26n
\fI@iolog_dir@/00/00/01/log\fR
Example session log info.
.TP 26n
\fI@iolog_dir@/00/00/01/log.json\fR
Example session log info (JSON format).
.TP 26n
\fI@iolog_dir@/00/00/01/stdin\fR
Example session standard input log.
.TP 26n
\fI@iolog_dir@/00/00/01/stdout\fR
Example session standard output log.
.TP 26n
\fI@iolog_dir@/00/00/01/stderr\fR
Example session standard error log.
.TP 26n
\fI@iolog_dir@/00/00/01/ttyin\fR
Example session tty input file.
.TP 26n
\fI@iolog_dir@/00/00/01/ttyout\fR
Example session tty output file.
.TP 26n
\fI@iolog_dir@/00/00/01/timing\fR
Example session timing file.
.PP
Note that the
\fIstdin\fR,
\fIstdout\fR
and
\fIstderr\fR
files will be empty unless
\fBsudo\fR
was used as part of a pipeline for a particular command.
.SH "EXAMPLES"
List sessions run by user
\fImillert\fR:
.nf
.sp
.RS 6n
# sudoreplay -l user millert
.RE
.fi
.PP
List sessions run by user
\fIbob\fR
with a command containing the string vi:
.nf
.sp
.RS 6n
# sudoreplay -l user bob command vi
.RE
.fi
.PP
List sessions run by user
\fIjeff\fR
that match a regular expression:
.nf
.sp
.RS 6n
# sudoreplay -l user jeff command '/bin/[a-z]*sh'
.RE
.fi
.PP
List sessions run by jeff or bob on the console:
.nf
.sp
.RS 6n
# sudoreplay -l ( user jeff or user bob ) tty console
.RE
.fi
.SH "SEE ALSO"
script(1),
sudo.conf(@mansectform@),
sudo(@mansectsu@)
.SH "AUTHORS"
Many people have worked on
\fBsudo\fR
over the years; this version consists of code written primarily by:
.sp
.RS 6n
Todd C. Miller
.RE
.PP
See the CONTRIBUTORS file in the
\fBsudo\fR
distribution (https://www.sudo.ws/contributors.html) for an
exhaustive list of people who have contributed to
\fBsudo\fR.
.SH "BUGS"
If you feel you have found a bug in
\fBsudoreplay\fR,
please submit a bug report at https://bugzilla.sudo.ws/
.SH "SUPPORT"
Limited free support is available via the sudo-users mailing list,
see https://www.sudo.ws/mailman/listinfo/sudo-users to subscribe or
search the archives.
.SH "DISCLAIMER"
\fBsudoreplay\fR
is provided
\(lqAS IS\(rq
and any express or implied warranties, including, but not limited
to, the implied warranties of merchantability and fitness for a
particular purpose are disclaimed.
See the LICENSE file distributed with
\fBsudo\fR
or https://www.sudo.ws/license.html for complete details.

465
docs/sudoreplay.mdoc.in Normal file
View File

@@ -0,0 +1,465 @@
.\"
.\" SPDX-License-Identifier: ISC
.\"
.\" Copyright (c) 2009-2021 Todd C. Miller <Todd.Miller@sudo.ws>
.\"
.\" Permission to use, copy, modify, and distribute this software for any
.\" purpose with or without fee is hereby granted, provided that the above
.\" copyright notice and this permission notice appear in all copies.
.\"
.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
.\"
.Dd August 13, 2021
.Dt SUDOREPLAY @mansectsu@
.Os Sudo @PACKAGE_VERSION@
.Sh NAME
.Nm sudoreplay
.Nd replay sudo session logs
.Sh SYNOPSIS
.Nm sudoreplay
.Op Fl FhnRS
.Op Fl d Ar dir
.Op Fl f Ar filter
.Op Fl m Ar num
.Op Fl s Ar num
.No ID Ns Op Ar @offset
.Pp
.Nm
.Op Fl h
.Op Fl d Ar dir
.Fl l
.Op search expression
.Sh DESCRIPTION
.Nm
plays back or lists the output logs created by
.Nm sudo .
When replaying,
.Nm
can play the session back in real-time, or the playback speed may be
adjusted (faster or slower) based on the command line options.
.Pp
The
.Em ID
should either be a six character sequence of digits and
upper case letters, e.g.,
.Li 0100A5
or a path name.
The
.Em ID
may include an optional
.Ar @offset
suffix which may be used to start replaying at a specific time offset.
The
.Ar @offset
is specified as a number in seconds since the start of the session
with an optional decimal fraction.
.Pp
Path names may be relative to the I/O log directory
.Pa @iolog_dir@
(unless overridden by the
.Fl d
option) or fully qualified, beginning with a
.Ql /
character.
When a command is run via
.Nm sudo
with
.Em log_output
enabled in the
.Em sudoers
file, a
.Li TSID=ID
string is logged via syslog or to the
.Nm sudo
log file.
The
.Em ID
may also be determined using
.Nm sudoreplay Ns 's
list mode.
.Pp
In list mode,
.Nm
can be used to find the ID of a session based on a number of criteria
such as the user, tty or command run.
.Pp
In replay mode, if the standard input and output are connected to a terminal
and the
.Fl n
option is not specified,
.Nm
will operate interactively.
In interactive mode,
.Nm
will attempt to adjust the terminal size to match that of the session and
write directly to the terminal (not all terminals support this).
Additionally, it will poll the keyboard and act on the following keys:
.Bl -tag -width 12n
.It So Li \en Sc No or So Li \er Sc
Skip to the next replay event; useful for long pauses.
.It So Li \ Sc Pq space
Pause output; press any key to resume.
.It Ql <
Reduce the playback speed by one half.
.It Ql >
Double the playback speed.
.El
.Pp
The session can be interrupted via control-C.
When the session has finished, the terminal is restored to its
original size if it was changed during playback.
.Pp
The options are as follows:
.Bl -tag -width Fl
.It Fl d Ar dir , Fl -directory Ns = Ns Ar dir
Store session logs in
.Ar dir
instead of the default,
.Pa @iolog_dir@ .
.It Fl f Ar filter , Fl -filter Ns = Ns Ar filter
Select which I/O type(s) to display.
By default,
.Nm
will display the command's standard output, standard error and tty output.
The
.Ar filter
argument is a comma-separated list, consisting of one or more of following:
.Em stdin ,
.Em stdout ,
.Em stderr ,
.Em ttyin ,
and
.Em ttyout .
.It Fl F , -follow
Enable
.Dq follow mode .
When replaying a session,
.Nm
will ignore end-of-file and keep replaying until the log is complete.
This can be used to replay a session that is still in progress,
similar to
.Dq tail -f .
An I/O log file is considered to be complete when the write bits
have been cleared on the session's timing file.
Note that versions of
.Nm sudo
prior to 1.9.1 do not clear the write bits upon completion.
.It Fl h , -help
Display a short help message to the standard output and exit.
.It Fl l , -list Op Ar search expression
Enable
.Dq list mode .
In this mode,
.Nm
will list available sessions in a format similar to the
.Nm sudo
log file format, sorted by file name (or sequence number).
If a
.Ar search expression
is specified, it will be used to restrict the IDs that are displayed.
An expression is composed of the following predicates:
.Bl -tag -width 6n
.It command Ar pattern
Evaluates to true if the command run matches the POSIX extended
regular expression
.Ar pattern .
.It cwd Ar directory
Evaluates to true if the command was run with the specified current
working directory.
.It fromdate Ar date
Evaluates to true if the command was run on or after
.Ar date .
See
.Sx Date and time format
for a description of supported date and time formats.
.It group Ar runas_group
Evaluates to true if the command was run with the specified
.Ar runas_group .
Note that unless a
.Ar runas_group
was explicitly specified when
.Nm sudo
was run this field will be empty in the log.
.It host Ar hostname
Evaluates to true if the command was run on the specified
.Ar hostname .
.It runas Ar runas_user
Evaluates to true if the command was run as the specified
.Ar runas_user .
Note that
.Nm sudo
runs commands as user
.Em root
by default.
.It todate Ar date
Evaluates to true if the command was run on or prior to
.Ar date .
See
.Sx Date and time format
for a description of supported date and time formats.
.It tty Ar tty name
Evaluates to true if the command was run on the specified terminal device.
The
.Ar tty name
should be specified without the
.Pa /dev/
prefix, e.g.,
.Pa tty01
instead of
.Pa /dev/tty01 .
.It user Ar user name
Evaluates to true if the ID matches a command run by
.Ar user name .
.El
.Pp
Predicates may be abbreviated to the shortest unique string.
.Pp
Predicates may be combined using
.Em and ,
.Em or
and
.Em \&!
operators as well as
.Ql \&(
and
.Ql \&)
grouping (note that parentheses must generally be escaped from the shell).
The
.Em and
operator is optional, adjacent predicates have an implied
.Em and
unless separated by an
.Em or .
.It Fl m , -max-wait Ar max_wait
Specify an upper bound on how long to wait between key presses or output data.
By default,
.Nm
will accurately reproduce the delays between key presses or program output.
However, this can be tedious when the session includes long pauses.
When the
.Fl m
option is specified,
.Nm
will limit these pauses to at most
.Em max_wait
seconds.
The value may be specified as a floating point number, e.g.,
.Em 2.5 .
A
.Em max_wait
of zero or less will eliminate the pauses entirely.
.It Fl n , -non-interactive
Do not prompt for user input or attempt to re-size the terminal.
The session is written to the standard output, not directly to
the user's terminal.
.It Fl R , -no-resize
Do not attempt to re-size the terminal to match the terminal size
of the session.
.It Fl S , -suspend-wait
Wait while the command was suspended.
By default,
.Nm
will ignore the time interval between when the command was suspended
and when it was resumed.
If the
.Fl S
option is specified,
.Nm
will wait instead.
.It Fl s , -speed Ar speed_factor
This option causes
.Nm
to adjust the number of seconds it will wait between key presses or
program output.
This can be used to slow down or speed up the display.
For example, a
.Ar speed_factor
of
.Em 2
would make the output twice as fast whereas a
.Ar speed_factor
of
.Em .5
would make the output twice as slow.
.It Fl V , -version
Print the
.Nm
versions version number and exit.
.El
.Ss Date and time format
The time and date may be specified multiple ways, common formats include:
.Bl -tag -width 6n
.It HH:MM:SS am MM/DD/CCYY timezone
24 hour time may be used in place of am/pm.
.It HH:MM:SS am Month, Day Year timezone
24 hour time may be used in place of am/pm, and month and day names
may be abbreviated.
Note that month and day of the week names must be specified in English.
.It CCYY-MM-DD HH:MM:SS
ISO time format
.It DD Month CCYY HH:MM:SS
The month name may be abbreviated.
.El
.Pp
Either time or date may be omitted, the am/pm and timezone are optional.
If no date is specified, the current day is assumed; if no time is
specified, the first second of the specified date is used.
The less significant parts of both time and date may also be omitted,
in which case zero is assumed.
.Pp
The following are all valid time and date specifications:
.Bl -tag -width 6n
.It now
The current time and date.
.It tomorrow
Exactly one day from now.
.It yesterday
24 hours ago.
.It 2 hours ago
2 hours ago.
.It next Friday
The first second of the Friday in the next (upcoming) week.
Not to be confused with
.Dq this Friday
which would match the Friday of the current week.
.It last week
The current time but 7 days ago.
This is equivalent to
.Dq a week ago .
.It a fortnight ago
The current time but 14 days ago.
.It 10:01 am 9/17/2009
10:01 am, September 17, 2009.
.It 10:01 am
10:01 am on the current day.
.It 10
10:00 am on the current day.
.It 9/17/2009
00:00 am, September 17, 2009.
.It 10:01 am Sep 17, 2009
10:01 am, September 17, 2009.
.El
.Pp
Note that relative time specifications do not always work as expected.
For example, the
.Dq next
qualifier is intended to be used in conjunction with a day such as
.Dq next Monday .
When used with units of weeks, months, years, etc
the result will be one more than expected.
For example,
.Dq next week
will result in a time exactly two weeks from now, which is probably
not what was intended.
This will be addressed in a future version of
.Nm .
.Ss Debugging sudoreplay
.Nm
versions 1.8.4 and higher support a flexible debugging framework
that is configured via
.Li Debug
lines in the
.Xr sudo.conf @mansectform@
file.
.Pp
For more information on configuring
.Xr sudo.conf @mansectform@ ,
please refer to its manual.
.Sh FILES
.Bl -tag -width 24n
.It Pa @sysconfdir@/sudo.conf
Debugging framework configuration
.It Pa @iolog_dir@
The default I/O log directory.
.It Pa @iolog_dir@/00/00/01/log
Example session log info.
.It Pa @iolog_dir@/00/00/01/log.json
Example session log info (JSON format).
.It Pa @iolog_dir@/00/00/01/stdin
Example session standard input log.
.It Pa @iolog_dir@/00/00/01/stdout
Example session standard output log.
.It Pa @iolog_dir@/00/00/01/stderr
Example session standard error log.
.It Pa @iolog_dir@/00/00/01/ttyin
Example session tty input file.
.It Pa @iolog_dir@/00/00/01/ttyout
Example session tty output file.
.It Pa @iolog_dir@/00/00/01/timing
Example session timing file.
.El
.Pp
Note that the
.Em stdin ,
.Em stdout
and
.Em stderr
files will be empty unless
.Nm sudo
was used as part of a pipeline for a particular command.
.Sh EXAMPLES
List sessions run by user
.Em millert :
.Bd -literal -offset indent
# sudoreplay -l user millert
.Ed
.Pp
List sessions run by user
.Em bob
with a command containing the string vi:
.Bd -literal -offset indent
# sudoreplay -l user bob command vi
.Ed
.Pp
List sessions run by user
.Em jeff
that match a regular expression:
.Bd -literal -offset indent
# sudoreplay -l user jeff command '/bin/[a-z]*sh'
.Ed
.Pp
List sessions run by jeff or bob on the console:
.Bd -literal -offset indent
# sudoreplay -l ( user jeff or user bob ) tty console
.Ed
.Sh SEE ALSO
.Xr script 1 ,
.Xr sudo.conf @mansectform@ ,
.Xr sudo @mansectsu@
.Sh AUTHORS
Many people have worked on
.Nm sudo
over the years; this version consists of code written primarily by:
.Bd -ragged -offset indent
.An Todd C. Miller
.Ed
.Pp
See the CONTRIBUTORS file in the
.Nm sudo
distribution (https://www.sudo.ws/contributors.html) for an
exhaustive list of people who have contributed to
.Nm sudo .
.Sh BUGS
If you feel you have found a bug in
.Nm ,
please submit a bug report at https://bugzilla.sudo.ws/
.Sh SUPPORT
Limited free support is available via the sudo-users mailing list,
see https://www.sudo.ws/mailman/listinfo/sudo-users to subscribe or
search the archives.
.Sh DISCLAIMER
.Nm
is provided
.Dq AS IS
and any express or implied warranties, including, but not limited
to, the implied warranties of merchantability and fitness for a
particular purpose are disclaimed.
See the LICENSE file distributed with
.Nm sudo
or https://www.sudo.ws/license.html for complete details.

503
docs/visudo.man.in Normal file
View File

@@ -0,0 +1,503 @@
.\" Automatically generated from an mdoc input file. Do not edit.
.\"
.\" SPDX-License-Identifier: ISC
.\"
.\" Copyright (c) 1996,1998-2005, 2007-2021
.\" Todd C. Miller <Todd.Miller@sudo.ws>
.\"
.\" Permission to use, copy, modify, and distribute this software for any
.\" purpose with or without fee is hereby granted, provided that the above
.\" copyright notice and this permission notice appear in all copies.
.\"
.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
.\"
.\" Sponsored in part by the Defense Advanced Research Projects
.\" Agency (DARPA) and Air Force Research Laboratory, Air Force
.\" Materiel Command, USAF, under agreement number F39502-99-1-0512.
.\"
.TH "VISUDO" "@mansectsu@" "November 6, 2021" "Sudo @PACKAGE_VERSION@" "System Manager's Manual"
.nh
.if n .ad l
.SH "NAME"
\fBvisudo\fR
\- edit the sudoers file
.SH "SYNOPSIS"
.HP 7n
\fBvisudo\fR
[\fB\-chOPqsV\fR]
[[\fB\-f\fR]\ \fIsudoers\fR]
.SH "DESCRIPTION"
\fBvisudo\fR
edits the
\fIsudoers\fR
file in a safe fashion, analogous to
vipw(@mansectsu@).
\fBvisudo\fR
locks the
\fIsudoers\fR
file against multiple simultaneous edits, performs basic validity checks,
and checks for syntax errors before installing the edited file.
If the
\fIsudoers\fR
file is currently being edited you will receive a message to try again later.
.PP
\fBvisudo\fR
parses the
\fIsudoers\fR
file after editing and will not save the changes if there is a syntax error.
Upon finding an error,
\fBvisudo\fR
will print a message stating the line number(s)
where the error occurred and the user will receive the
\(lqWhat now?\(rq
prompt.
At this point the user may enter
\(oqe\(cq
to re-edit the
\fIsudoers\fR
file,
\(oqx\(cq
to exit without saving the changes, or
\(oqQ\(cq
to quit and save changes.
The
\(oqQ\(cq
option should be used with extreme caution because if
\fBvisudo\fR
believes there to be a syntax error, so will
\fBsudo\fR
and no one will be able to run
\fBsudo\fR
again until the error is fixed.
If
\(oqe\(cq
is typed to edit the
\fIsudoers\fR
file after a syntax error has been detected, the cursor will be placed on
the line where the error occurred (if the editor supports this feature).
.PP
There are two
\fIsudoers\fR
settings that determine which editor
\fBvisudo\fR
will run.
.TP 10n
editor
A colon
(\(oq:\&\(cq)
separated list of editors allowed to be used with
\fBvisudo\fR.
\fBvisudo\fR
will choose the editor that matches the user's
\fRSUDO_EDITOR\fR,
\fRVISUAL\fR
or
\fREDITOR\fR
environment variable if possible, or the first editor in the
list that exists and is executable.
Note that
\fBsudo\fR
does not preserve the
\fRSUDO_EDITOR\fR,
\fRVISUAL\fR
or
\fREDITOR\fR
environment variables unless they are present in the
\fIenv_keep\fR
list or the
\fIenv_reset\fR
option is disabled in the
\fIsudoers\fR
file.
The default editor path is
\fI@editor@\fR
which can be set at compile time via the
\fR--with-editor\fR
configure option.
.TP 10n
env_editor
If set,
\fBvisudo\fR
will use the value of the
\fRSUDO_EDITOR\fR,
\fRVISUAL\fR
or
\fREDITOR\fR
environment variables before falling back on the default editor list.
Note that
\fBvisudo\fR
is typically run as root so this option may allow a user with
\fBvisudo\fR
privileges to run arbitrary commands as root without logging.
An alternative is to place a colon-separated list of
\(lqsafe\(rq
editors int the
\fIeditor\fR
variable.
\fBvisudo\fR
will then only use
\fRSUDO_EDITOR\fR,
\fRVISUAL\fR
or
\fREDITOR\fR
if they match a value specified in
\fIeditor\fR.
If the
\fIenv_reset\fR
flag is enabled, the
\fRSUDO_EDITOR\fR,
\fRVISUAL\fR
and/or
\fREDITOR\fR
environment variables must be present in the
\fIenv_keep\fR
list for the
\fIenv_editor\fR
flag to function when
\fBvisudo\fR
is invoked via
\fBsudo\fR.
The default value is
\fI@env_editor@\fR,
which can be set at compile time via the
\fR--with-env-editor\fR
configure option.
.PP
The options are as follows:
.TP 12n
\fB\-c\fR, \fB\--check\fR
Enable
\fIcheck-only\fR
mode.
The existing
\fIsudoers\fR
file (and any other files it includes) will be
checked for syntax errors.
If the path to the
\fIsudoers\fR
file was not specified,
\fBvisudo\fR
will also check the file ownership and permissions (see the
\fB\-O\fR
and
\fB\-P\fR
options).
A message will be printed to the standard output describing the status of
\fIsudoers\fR
unless the
\fB\-q\fR
option was specified.
If the check completes successfully,
\fBvisudo\fR
will exit with a value of 0.
If an error is encountered,
\fBvisudo\fR
will exit with a value of 1.
.TP 12n
\fB\-f\fR \fIsudoers\fR, \fB\--file\fR=\fIsudoers\fR
Specify an alternate
\fIsudoers\fR
file location, see below.
As of version 1.8.27, the
\fIsudoers\fR
path can be specified without using the
\fB\-f\fR
option.
.TP 12n
\fB\-h\fR, \fB\--help\fR
Display a short help message to the standard output and exit.
.TP 12n
\fB\-O\fR, \fB\--owner\fR
Enforce the default ownership (user and group) of the
\fIsudoers\fR
file.
In edit mode, the owner of the edited file will be set to the default.
In check mode
(\fB\-c\fR),
an error will be reported if the owner is incorrect.
This option is enabled by default if the
\fIsudoers\fR
file was not specified.
.TP 12n
\fB\-P\fR, \fB\--perms\fR
Enforce the default permissions (mode) of the
\fIsudoers\fR
file.
In edit mode, the permissions of the edited file will be set to the default.
In check mode
(\fB\-c\fR),
an error will be reported if the file permissions are incorrect.
This option is enabled by default if the
\fIsudoers\fR
file was not specified.
.TP 12n
\fB\-q\fR, \fB\--quiet\fR
Enable
\fIquiet\fR
mode.
In this mode details about syntax errors are not printed.
This option is only useful when combined with
the
\fB\-c\fR
option.
.TP 12n
\fB\-s\fR, \fB\--strict\fR
Enable
\fIstrict\fR
checking of the
\fIsudoers\fR
file.
If an alias is referenced but not actually defined
or if there is a cycle in an alias,
\fBvisudo\fR
will consider this a syntax error.
Note that it is not possible to differentiate between an
alias and a host name or user name that consists solely of uppercase
letters, digits, and the underscore
(\(oq_\(cq)
character.
.TP 12n
\fB\-V\fR, \fB\--version\fR
Print the
\fBvisudo\fR
and
\fIsudoers\fR
grammar versions and exit.
.PP
A
\fIsudoers\fR
file may be specified instead of the default,
\fI@sysconfdir@/sudoers\fR.
The temporary file used is the specified
\fIsudoers\fR
file with
\(lq\.tmp\(rq
appended to it.
In
\fIcheck-only\fR
mode only,
\(oq-\(cq
may be used to indicate that
\fIsudoers\fR
will be read from the standard input.
Because the policy is evaluated in its entirety, it is not sufficient
to check an individual
\fIsudoers\fR
include file for syntax errors.
.SS "Debugging and sudoers plugin arguments"
\fBvisudo\fR
versions 1.8.4 and higher support a flexible debugging framework
that is configured via
\fRDebug\fR
lines in the
sudo.conf(@mansectform@)
file.
.PP
Starting with
\fBsudo\fR
1.8.12,
\fBvisudo\fR
will also parse the arguments to the
\fIsudoers\fR
plugin to override the default
\fIsudoers\fR
path name, UID, GID and file mode.
These arguments, if present, should be listed after the path to the plugin
(i.e., after
\fIsudoers.so\fR).
Multiple arguments may be specified, separated by white space.
For example:
.nf
.sp
.RS 6n
Plugin sudoers_policy sudoers.so sudoers_mode=0400
.RE
.fi
.PP
The following arguments are supported:
.TP 10n
sudoers_file=pathname
The
\fIsudoers_file\fR
argument can be used to override the default path to the
\fIsudoers\fR
file.
.TP 10n
sudoers_uid=uid
The
\fIsudoers_uid\fR
argument can be used to override the default owner of the sudoers file.
It should be specified as a numeric user-ID.
.TP 10n
sudoers_gid=gid
The
\fIsudoers_gid\fR
argument can be used to override the default group of the sudoers file.
It must be specified as a numeric group-ID (not a group name).
.TP 10n
sudoers_mode=mode
The
\fIsudoers_mode\fR
argument can be used to override the default file mode for the sudoers file.
It should be specified as an octal value.
.PP
For more information on configuring
sudo.conf(@mansectform@),
please refer to its manual.
.SH "ENVIRONMENT"
The following environment variables may be consulted depending on
the value of the
\fIeditor\fR
and
\fIenv_editor\fR
\fIsudoers\fR
settings:
.TP 17n
\fRSUDO_EDITOR\fR
Invoked by
\fBvisudo\fR
as the editor to use
.TP 17n
\fRVISUAL\fR
Used by
\fBvisudo\fR
if
\fRSUDO_EDITOR\fR
is not set
.TP 17n
\fREDITOR\fR
Used by
\fBvisudo\fR
if neither
\fRSUDO_EDITOR\fR
nor
\fRVISUAL\fR
is set
.SH "FILES"
.TP 26n
\fI@sysconfdir@/sudo.conf\fR
Sudo front-end configuration
.TP 26n
\fI@sysconfdir@/sudoers\fR
List of who can run what
.TP 26n
\fI@sysconfdir@/sudoers.tmp\fR
Default temporary file used by visudo
.SH "DIAGNOSTICS"
In addition to reporting
\fIsudoers\fR
syntax errors,
\fBvisudo\fR
may produce the following messages:
.TP 6n
\fRsudoers file busy, try again later.\fR
Someone else is currently editing the
\fIsudoers\fR
file.
.TP 6n
\fR@sysconfdir@/sudoers: Permission denied\fR
You didn't run
\fBvisudo\fR
as root.
.TP 6n
\fRyou do not exist in the passwd database\fR
Your user-ID does not appear in the system passwd database.
.TP 6n
\fRWarning: {User,Runas,Host,Cmnd}_Alias referenced but not defined\fR
Either you are trying to use an undeclared {User,Runas,Host,Cmnd}_Alias
or you have a user or host name listed that consists solely of
uppercase letters, digits, and the underscore
(\(oq_\(cq)
character.
In the latter case, you can ignore the warnings
(\fBsudo\fR
will not complain)
\&.
The message is prefixed with the path name of the
\fIsudoers\fR
file and the line number where the undefined alias was used.
In
\fB\-s\fR
(strict) mode these are errors, not warnings.
.TP 6n
\fRWarning: unused {User,Runas,Host,Cmnd}_Alias\fR
The specified {User,Runas,Host,Cmnd}_Alias was defined but never
used.
The message is prefixed with the path name of the
\fIsudoers\fR
file and the line number where the unused alias was defined.
You may wish to comment out or remove the unused alias.
.TP 6n
\fRWarning: cycle in {User,Runas,Host,Cmnd}_Alias\fR
The specified {User,Runas,Host,Cmnd}_Alias includes a reference to
itself, either directly or through an alias it includes.
The message is prefixed with the path name of the
\fIsudoers\fR
file and the line number where the cycle was detected.
This is only a warning unless
\fBvisudo\fR
is run in
\fB\-s\fR
(strict) mode as
\fBsudo\fR
will ignore cycles when parsing
the
\fIsudoers\fR
file.
.TP 6n
\fRunknown defaults entry \&"name\&"\fR
The
\fIsudoers\fR
file contains a
\fRDefaults\fR
setting not recognized by
\fBvisudo\fR.
.SH "SEE ALSO"
vi(1),
sudo.conf(@mansectform@),
sudoers(@mansectform@),
sudo(@mansectsu@),
vipw(@mansectsu@)
.SH "AUTHORS"
Many people have worked on
\fBsudo\fR
over the years; this version consists of code written primarily by:
.sp
.RS 6n
Todd C. Miller
.RE
.PP
See the CONTRIBUTORS file in the
\fBsudo\fR
distribution (https://www.sudo.ws/contributors.html) for an
exhaustive list of people who have contributed to
\fBsudo\fR.
.SH "CAVEATS"
There is no easy way to prevent a user from gaining a root shell if
the editor used by
\fBvisudo\fR
allows shell escapes.
.SH "BUGS"
If you feel you have found a bug in
\fBvisudo\fR,
please submit a bug report at https://bugzilla.sudo.ws/
.SH "SUPPORT"
Limited free support is available via the sudo-users mailing list,
see https://www.sudo.ws/mailman/listinfo/sudo-users to subscribe or
search the archives.
.SH "DISCLAIMER"
\fBvisudo\fR
is provided
\(lqAS IS\(rq
and any express or implied warranties, including, but not limited
to, the implied warranties of merchantability and fitness for a
particular purpose are disclaimed.
See the LICENSE file distributed with
\fBsudo\fR
or https://www.sudo.ws/license.html for complete details.

483
docs/visudo.mdoc.in Normal file
View File

@@ -0,0 +1,483 @@
.\"
.\" SPDX-License-Identifier: ISC
.\"
.\" Copyright (c) 1996,1998-2005, 2007-2021
.\" Todd C. Miller <Todd.Miller@sudo.ws>
.\"
.\" Permission to use, copy, modify, and distribute this software for any
.\" purpose with or without fee is hereby granted, provided that the above
.\" copyright notice and this permission notice appear in all copies.
.\"
.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
.\"
.\" Sponsored in part by the Defense Advanced Research Projects
.\" Agency (DARPA) and Air Force Research Laboratory, Air Force
.\" Materiel Command, USAF, under agreement number F39502-99-1-0512.
.\"
.Dd November 6, 2021
.Dt VISUDO @mansectsu@
.Os Sudo @PACKAGE_VERSION@
.Sh NAME
.Nm visudo
.Nd edit the sudoers file
.Sh SYNOPSIS
.Nm visudo
.Op Fl chOPqsV
.Op Bo Fl f Bc Ar sudoers
.Sh DESCRIPTION
.Nm
edits the
.Em sudoers
file in a safe fashion, analogous to
.Xr vipw @mansectsu@ .
.Nm
locks the
.Em sudoers
file against multiple simultaneous edits, performs basic validity checks,
and checks for syntax errors before installing the edited file.
If the
.Em sudoers
file is currently being edited you will receive a message to try again later.
.Pp
.Nm
parses the
.Em sudoers
file after editing and will not save the changes if there is a syntax error.
Upon finding an error,
.Nm
will print a message stating the line number(s)
where the error occurred and the user will receive the
.Dq What now?
prompt.
At this point the user may enter
.Ql e
to re-edit the
.Em sudoers
file,
.Ql x
to exit without saving the changes, or
.Ql Q
to quit and save changes.
The
.Ql Q
option should be used with extreme caution because if
.Nm
believes there to be a syntax error, so will
.Nm sudo
and no one will be able to run
.Nm sudo
again until the error is fixed.
If
.Ql e
is typed to edit the
.Em sudoers
file after a syntax error has been detected, the cursor will be placed on
the line where the error occurred (if the editor supports this feature).
.Pp
There are two
.Em sudoers
settings that determine which editor
.Nm visudo
will run.
.Bl -tag -width 8n
.It editor
A colon
.Pq Ql :\&
separated list of editors allowed to be used with
.Nm .
.Nm
will choose the editor that matches the user's
.Ev SUDO_EDITOR ,
.Ev VISUAL
or
.Ev EDITOR
environment variable if possible, or the first editor in the
list that exists and is executable.
Note that
.Nm sudo
does not preserve the
.Ev SUDO_EDITOR ,
.Ev VISUAL
or
.Ev EDITOR
environment variables unless they are present in the
.Em env_keep
list or the
.Em env_reset
option is disabled in the
.Em sudoers
file.
The default editor path is
.Pa @editor@
which can be set at compile time via the
.Li --with-editor
configure option.
.It env_editor
If set,
.Nm
will use the value of the
.Ev SUDO_EDITOR ,
.Ev VISUAL
or
.Ev EDITOR
environment variables before falling back on the default editor list.
Note that
.Nm visudo
is typically run as root so this option may allow a user with
.Nm visudo
privileges to run arbitrary commands as root without logging.
An alternative is to place a colon-separated list of
.Dq safe
editors int the
.Em editor
variable.
.Nm
will then only use
.Ev SUDO_EDITOR ,
.Ev VISUAL
or
.Ev EDITOR
if they match a value specified in
.Em editor .
If the
.Em env_reset
flag is enabled, the
.Ev SUDO_EDITOR ,
.Ev VISUAL
and/or
.Ev EDITOR
environment variables must be present in the
.Em env_keep
list for the
.Em env_editor
flag to function when
.Nm
is invoked via
.Nm sudo .
The default value is
.Em @env_editor@ ,
which can be set at compile time via the
.Li --with-env-editor
configure option.
.El
.Pp
The options are as follows:
.Bl -tag -width Fl
.It Fl c , -check
Enable
.Em check-only
mode.
The existing
.Em sudoers
file (and any other files it includes) will be
checked for syntax errors.
If the path to the
.Em sudoers
file was not specified,
.Nm
will also check the file ownership and permissions (see the
.Fl O
and
.Fl P
options).
A message will be printed to the standard output describing the status of
.Em sudoers
unless the
.Fl q
option was specified.
If the check completes successfully,
.Nm
will exit with a value of 0.
If an error is encountered,
.Nm
will exit with a value of 1.
.It Fl f Ar sudoers , Fl -file Ns = Ns Ar sudoers
Specify an alternate
.Em sudoers
file location, see below.
As of version 1.8.27, the
.Em sudoers
path can be specified without using the
.Fl f
option.
.It Fl h , -help
Display a short help message to the standard output and exit.
.It Fl O , -owner
Enforce the default ownership (user and group) of the
.Em sudoers
file.
In edit mode, the owner of the edited file will be set to the default.
In check mode
.Pq Fl c ,
an error will be reported if the owner is incorrect.
This option is enabled by default if the
.Em sudoers
file was not specified.
.It Fl P , -perms
Enforce the default permissions (mode) of the
.Em sudoers
file.
In edit mode, the permissions of the edited file will be set to the default.
In check mode
.Pq Fl c ,
an error will be reported if the file permissions are incorrect.
This option is enabled by default if the
.Em sudoers
file was not specified.
.It Fl q , -quiet
Enable
.Em quiet
mode.
In this mode details about syntax errors are not printed.
This option is only useful when combined with
the
.Fl c
option.
.It Fl s , -strict
Enable
.Em strict
checking of the
.Em sudoers
file.
If an alias is referenced but not actually defined
or if there is a cycle in an alias,
.Nm
will consider this a syntax error.
Note that it is not possible to differentiate between an
alias and a host name or user name that consists solely of uppercase
letters, digits, and the underscore
.Pq Ql _
character.
.It Fl V , -version
Print the
.Nm
and
.Em sudoers
grammar versions and exit.
.El
.Pp
A
.Em sudoers
file may be specified instead of the default,
.Pa @sysconfdir@/sudoers .
The temporary file used is the specified
.Em sudoers
file with
.Dq \.tmp
appended to it.
In
.Em check-only
mode only,
.Ql -
may be used to indicate that
.Em sudoers
will be read from the standard input.
Because the policy is evaluated in its entirety, it is not sufficient
to check an individual
.Em sudoers
include file for syntax errors.
.Ss Debugging and sudoers plugin arguments
.Nm
versions 1.8.4 and higher support a flexible debugging framework
that is configured via
.Li Debug
lines in the
.Xr sudo.conf @mansectform@
file.
.Pp
Starting with
.Nm sudo
1.8.12,
.Nm
will also parse the arguments to the
.Em sudoers
plugin to override the default
.Em sudoers
path name, UID, GID and file mode.
These arguments, if present, should be listed after the path to the plugin
(i.e., after
.Pa sudoers.so ) .
Multiple arguments may be specified, separated by white space.
For example:
.Bd -literal -offset indent
Plugin sudoers_policy sudoers.so sudoers_mode=0400
.Ed
.Pp
The following arguments are supported:
.Bl -tag -width 8n
.It sudoers_file=pathname
The
.Em sudoers_file
argument can be used to override the default path to the
.Em sudoers
file.
.It sudoers_uid=uid
The
.Em sudoers_uid
argument can be used to override the default owner of the sudoers file.
It should be specified as a numeric user-ID.
.It sudoers_gid=gid
The
.Em sudoers_gid
argument can be used to override the default group of the sudoers file.
It must be specified as a numeric group-ID (not a group name).
.It sudoers_mode=mode
The
.Em sudoers_mode
argument can be used to override the default file mode for the sudoers file.
It should be specified as an octal value.
.El
.Pp
For more information on configuring
.Xr sudo.conf @mansectform@ ,
please refer to its manual.
.Sh ENVIRONMENT
The following environment variables may be consulted depending on
the value of the
.Em editor
and
.Em env_editor
.Em sudoers
settings:
.Bl -tag -width 15n
.It Ev SUDO_EDITOR
Invoked by
.Nm
as the editor to use
.It Ev VISUAL
Used by
.Nm
if
.Ev SUDO_EDITOR
is not set
.It Ev EDITOR
Used by
.Nm
if neither
.Ev SUDO_EDITOR
nor
.Ev VISUAL
is set
.El
.Sh FILES
.Bl -tag -width 24n
.It Pa @sysconfdir@/sudo.conf
Sudo front-end configuration
.It Pa @sysconfdir@/sudoers
List of who can run what
.It Pa @sysconfdir@/sudoers.tmp
Default temporary file used by visudo
.El
.Sh DIAGNOSTICS
In addition to reporting
.Em sudoers
syntax errors,
.Nm
may produce the following messages:
.Bl -tag -width 4n
.It Li sudoers file busy, try again later.
Someone else is currently editing the
.Em sudoers
file.
.It Li @sysconfdir@/sudoers: Permission denied
You didn't run
.Nm
as root.
.It Li you do not exist in the passwd database
Your user-ID does not appear in the system passwd database.
.It Li Warning: {User,Runas,Host,Cmnd}_Alias referenced but not defined
Either you are trying to use an undeclared {User,Runas,Host,Cmnd}_Alias
or you have a user or host name listed that consists solely of
uppercase letters, digits, and the underscore
.Pq Ql _
character.
In the latter case, you can ignore the warnings
.Po
.Nm sudo
will not complain
.Pc .
The message is prefixed with the path name of the
.Em sudoers
file and the line number where the undefined alias was used.
In
.Fl s
(strict) mode these are errors, not warnings.
.It Li Warning: unused {User,Runas,Host,Cmnd}_Alias
The specified {User,Runas,Host,Cmnd}_Alias was defined but never
used.
The message is prefixed with the path name of the
.Em sudoers
file and the line number where the unused alias was defined.
You may wish to comment out or remove the unused alias.
.It Li Warning: cycle in {User,Runas,Host,Cmnd}_Alias
The specified {User,Runas,Host,Cmnd}_Alias includes a reference to
itself, either directly or through an alias it includes.
The message is prefixed with the path name of the
.Em sudoers
file and the line number where the cycle was detected.
This is only a warning unless
.Nm
is run in
.Fl s
(strict) mode as
.Nm sudo
will ignore cycles when parsing
the
.Em sudoers
file.
.It Li unknown defaults entry \&"name\&"
The
.Em sudoers
file contains a
.Li Defaults
setting not recognized by
.Nm .
.El
.Sh SEE ALSO
.Xr vi 1 ,
.Xr sudo.conf @mansectform@ ,
.Xr sudoers @mansectform@ ,
.Xr sudo @mansectsu@ ,
.Xr vipw @mansectsu@
.Sh AUTHORS
Many people have worked on
.Nm sudo
over the years; this version consists of code written primarily by:
.Bd -ragged -offset indent
.An Todd C. Miller
.Ed
.Pp
See the CONTRIBUTORS file in the
.Nm sudo
distribution (https://www.sudo.ws/contributors.html) for an
exhaustive list of people who have contributed to
.Nm sudo .
.Sh CAVEATS
There is no easy way to prevent a user from gaining a root shell if
the editor used by
.Nm
allows shell escapes.
.Sh BUGS
If you feel you have found a bug in
.Nm ,
please submit a bug report at https://bugzilla.sudo.ws/
.Sh SUPPORT
Limited free support is available via the sudo-users mailing list,
see https://www.sudo.ws/mailman/listinfo/sudo-users to subscribe or
search the archives.
.Sh DISCLAIMER
.Nm
is provided
.Dq AS IS
and any express or implied warranties, including, but not limited
to, the implied warranties of merchantability and fitness for a
particular purpose are disclaimed.
See the LICENSE file distributed with
.Nm sudo
or https://www.sudo.ws/license.html for complete details.