From 9d09966aada867a5eaaa5bd94e32c28ced42118d Mon Sep 17 00:00:00 2001 From: "Todd C. Miller" Date: Wed, 9 Jun 2010 12:26:37 -0400 Subject: [PATCH] Mention plugins in the sudo manual and add some missing path substitution in the sudo_plugin manual. --- doc/sudo.cat | 180 ++++++++++++++++++++++++++++------------- doc/sudo.man.in | 59 +++++++++++++- doc/sudo.pod | 47 ++++++++++- doc/sudo_plugin.cat | 14 ++-- doc/sudo_plugin.man.in | 19 ++--- doc/sudo_plugin.pod | 17 ++-- 6 files changed, 248 insertions(+), 88 deletions(-) diff --git a/doc/sudo.cat b/doc/sudo.cat index 5d16aa88e..b2a2594a8 100644 --- a/doc/sudo.cat +++ b/doc/sudo.cat @@ -11,7 +11,7 @@ SSYYNNOOPPSSIISS ssuuddoo [--DD _l_e_v_e_l] --hh | --KK | --kk | --VV ssuuddoo --vv [--AAkknnSS] [--aa _a_u_t_h___t_y_p_e] [--DD _l_e_v_e_l] [--gg _g_r_o_u_p _n_a_m_e|_#_g_i_d] - [--pp _p_r_o_m_p_t] [--uu _u_s_e_r_n_a_m_e|_#_u_i_d] + [--pp _p_r_o_m_p_t] [--uu _u_s_e_r _n_a_m_e|_#_u_i_d] ssuuddoo --ll[[ll]] [--AAkknnSS] [--aa _a_u_t_h___t_y_p_e] [--DD _l_e_v_e_l] [--gg _g_r_o_u_p _n_a_m_e|_#_g_i_d] [--pp _p_r_o_m_p_t] [--UU _u_s_e_r _n_a_m_e] [--uu _u_s_e_r _n_a_m_e|_#_u_i_d] [_c_o_m_m_a_n_d] @@ -61,7 +61,7 @@ DDEESSCCRRIIPPTTIIOONN -1.8.0a2 June 3, 2010 1 +1.8.0a2 June 9, 2010 1 @@ -127,7 +127,7 @@ OOPPTTIIOONNSS -1.8.0a2 June 3, 2010 2 +1.8.0a2 June 9, 2010 2 @@ -193,7 +193,7 @@ SUDO(1m) MAINTENANCE COMMANDS SUDO(1m) -1.8.0a2 June 3, 2010 3 +1.8.0a2 June 9, 2010 3 @@ -259,7 +259,7 @@ SUDO(1m) MAINTENANCE COMMANDS SUDO(1m) -1.8.0a2 June 3, 2010 4 +1.8.0a2 June 9, 2010 4 @@ -325,7 +325,7 @@ SUDO(1m) MAINTENANCE COMMANDS SUDO(1m) -1.8.0a2 June 3, 2010 5 +1.8.0a2 June 9, 2010 5 @@ -351,8 +351,55 @@ SUDO(1m) MAINTENANCE COMMANDS SUDO(1m) matched is ALL, the user may set variables that would overwise be forbidden. See _s_u_d_o_e_r_s(4) for more information. +PPLLUUGGIINNSS + ssuuddoo supports a plugin architecture for security policies and + input/output logging. Third parties can develop and distribute their + own policy and I/O logging modules to work seemlessly with the ssuuddoo + front end. + + Plugins are dynamically loaded based on the contents of the + _/_e_t_c_/_s_u_d_o_._c_o_n_f file. If no _/_e_t_c_/_s_u_d_o_._c_o_n_f file is present, ssuuddoo will + use the traditional _s_u_d_o_e_r_s security policy and I/O logging, which + corresponds to the following _/_e_t_c_/_s_u_d_o_._c_o_n_f file. + + # + # Default /etc/sudo.conf file + # + # Format: + # Plugin plugin_name plugin_path + # + # The plugin_path is relative to /usr/local/libexec unless + # fully qualified. + # The plugin_name corresponds to a global symbol in the plugin + # that contains the plugin interface structure. + # + Plugin policy_plugin sudoers.so + Plugin io_plugin sudoers.so + + A Plugin line consists of the Plugin keyword, followed by the + _s_y_m_b_o_l___n_a_m_e and the _p_a_t_h to the shared object containing the plugin. + The _s_y_m_b_o_l___n_a_m_e is the name of the struct policy_plugin or struct + io_plugin in the plugin shared object. The _p_a_t_h may be fully qualified + or relative. If not fully qualified it is relative to the + _/_u_s_r_/_l_o_c_a_l_/_l_i_b_e_x_e_c directory. Any additional parameters after the _p_a_t_h + are ignored. + + For more information, see the "_s_u_d_o___p_l_u_g_i_n(1m) manual." + RREETTUURRNN VVAALLUUEESS Upon successful execution of a program, the exit status from ssuuddoo will + + + +1.8.0a2 June 9, 2010 6 + + + + + +SUDO(1m) MAINTENANCE COMMANDS SUDO(1m) + + simply be the exit status of the program that was executed. Otherwise, ssuuddoo quits with an exit value of 1 if there is a @@ -388,18 +435,6 @@ SSEECCUURRIITTYY NNOOTTEESS environment variables that ssuuddoo allows or denies is contained in the output of sudo -V when run as root. - - - -1.8.0a2 June 3, 2010 6 - - - - - -SUDO(1m) MAINTENANCE COMMANDS SUDO(1m) - - Note that the dynamic linker on most operating systems will remove variables that can control dynamic linking from the environment of setuid executables, including ssuuddoo. Depending on the operating system @@ -419,6 +454,18 @@ SUDO(1m) MAINTENANCE COMMANDS SUDO(1m) not owned by root or if it is writable by a user other than root. On systems that allow non-root users to give away files via _c_h_o_w_n(2), if the time stamp directory is located in a directory writable by anyone + + + +1.8.0a2 June 9, 2010 7 + + + + + +SUDO(1m) MAINTENANCE COMMANDS SUDO(1m) + + (e.g., _/_t_m_p), it is possible for a user to create the time stamp directory before ssuuddoo is run. However, because ssuuddoo checks the ownership and mode of the directory and its contents, the only damage @@ -431,9 +478,9 @@ SUDO(1m) MAINTENANCE COMMANDS SUDO(1m) appropriate owner (root) and permissions (0700) in the system startup files. - ssuuddoo will not honor time stamps set far in the future. Timestamps with - a date greater than current_time + 2 * TIMEOUT will be ignored and sudo - will log and complain. This is done to keep a user from creating + ssuuddoo will not honor time stamps set far in the future. Time stamps + with a date greater than current_time + 2 * TIMEOUT will be ignored and + sudo will log and complain. This is done to keep a user from creating his/her own time stamp with a bogus date on systems that allow users to give away files. @@ -455,17 +502,6 @@ SUDO(1m) MAINTENANCE COMMANDS SUDO(1m) Administrators should not rely on this feature as it is not universally available. - - -1.8.0a2 June 3, 2010 7 - - - - - -SUDO(1m) MAINTENANCE COMMANDS SUDO(1m) - - Please note that ssuuddoo will normally only log the command it explicitly runs. If a user runs a command such as sudo su or sudo sh, subsequent commands run from that shell will _n_o_t be logged, nor will ssuuddoo's access @@ -484,6 +520,18 @@ EENNVVIIRROONNMMEENNTT HOME In --ss or --HH mode (or if sudo was configured with the --enable-shell-sets-home option), set to homedir of the + + + +1.8.0a2 June 9, 2010 8 + + + + + +SUDO(1m) MAINTENANCE COMMANDS SUDO(1m) + + target user PATH Set to a sane value if the _s_e_c_u_r_e___p_a_t_h sudoers option @@ -517,21 +565,12 @@ EENNVVIIRROONNMMEENNTT SUDO_EDITOR is not set FFIILLEESS + _/_e_t_c_/_s_u_d_o_._c_o_n_f ssuuddoo plugin configuration + _/_e_t_c_/_s_u_d_o_e_r_s List of who can run what _/_v_a_r_/_r_u_n_/_s_u_d_o Directory containing time stamps - - -1.8.0a2 June 3, 2010 8 - - - - - -SUDO(1m) MAINTENANCE COMMANDS SUDO(1m) - - _/_e_t_c_/_e_n_v_i_r_o_n_m_e_n_t Initial environment for --ii mode on Linux and AIX @@ -547,6 +586,18 @@ EEXXAAMMPPLLEESS $ sudo -u yaz ls ~yaz + + + +1.8.0a2 June 9, 2010 9 + + + + + +SUDO(1m) MAINTENANCE COMMANDS SUDO(1m) + + To edit the _i_n_d_e_x_._h_t_m_l file as user www: $ sudo -u www vi ~www/htdocs/index.html @@ -571,7 +622,7 @@ EEXXAAMMPPLLEESS SSEEEE AALLSSOO _g_r_e_p(1), _s_u(1), _s_t_a_t(2), _l_o_g_i_n___c_a_p(3), _p_a_s_s_w_d(4), _s_u_d_o_e_r_s(4), - _v_i_s_u_d_o(1m) + "_s_u_d_o___p_l_u_g_i_n(1m), "_s_u_d_o_r_e_p_l_a_y(1m), _v_i_s_u_d_o(1m)"" AAUUTTHHOORRSS Many people have worked on ssuuddoo over the years; this version consists @@ -586,18 +637,6 @@ CCAAVVEEAATTSS There is no easy way to prevent a user from gaining a root shell if that user is allowed to run arbitrary commands via ssuuddoo. Also, many programs (such as editors) allow the user to run commands via shell - - - -1.8.0a2 June 3, 2010 9 - - - - - -SUDO(1m) MAINTENANCE COMMANDS SUDO(1m) - - escapes, thus avoiding ssuuddoo's checks. However, on most systems it is possible to prevent shell escapes with ssuuddoo's _n_o_e_x_e_c functionality. See the _s_u_d_o_e_r_s(4) manual for details. @@ -613,6 +652,18 @@ SUDO(1m) MAINTENANCE COMMANDS SUDO(1m) their own program that gives them a root shell regardless of any '!' elements in the user specification. + + + +1.8.0a2 June 9, 2010 10 + + + + + +SUDO(1m) MAINTENANCE COMMANDS SUDO(1m) + + Running shell scripts via ssuuddoo can expose the same kernel bugs that make setuid shell scripts unsafe on some operating systems (if your OS has a /dev/fd/ directory, setuid shell scripts are generally safe). @@ -633,6 +684,15 @@ DDIISSCCLLAAIIMMEERR See the LICENSE file distributed with ssuuddoo or http://www.sudo.ws/sudo/license.html for complete details. +PPOODD EERRRROORRSS + Hey! TThhee aabboovvee ddooccuummeenntt hhaadd ssoommee ccooddiinngg eerrrroorrss,, wwhhiicchh aarree eexxppllaaiinneedd + bbeellooww:: + + Around line 442: + Unterminated L<...> sequence + + Around line 678: + Unterminated L> sequence @@ -655,6 +715,12 @@ DDIISSCCLLAAIIMMEERR -1.8.0a2 June 3, 2010 10 + + + + + + +1.8.0a2 June 9, 2010 11 diff --git a/doc/sudo.man.in b/doc/sudo.man.in index 9d6dbc80f..f8100eb48 100644 --- a/doc/sudo.man.in +++ b/doc/sudo.man.in @@ -148,7 +148,7 @@ .\" ======================================================================== .\" .IX Title "SUDO @mansectsu@" -.TH SUDO @mansectsu@ "June 3, 2010" "1.8.0a2" "MAINTENANCE COMMANDS" +.TH SUDO @mansectsu@ "June 9, 2010" "1.8.0a2" "MAINTENANCE COMMANDS" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -163,7 +163,7 @@ sudo, sudoedit \- execute a command as another user .if \n(BA [\fB\-a\fR\ \fIauth_type\fR] [\fB\-D\fR\ \fIlevel\fR] [\fB\-g\fR\ \fIgroup\ name\fR|\fI#gid\fR] [\fB\-p\fR\ \fIprompt\fR] -[\fB\-u\fR\ \fIusername\fR|\fI#uid\fR] +[\fB\-u\fR\ \fIuser\ name\fR|\fI#uid\fR] .PP \&\fBsudo\fR \fB\-l[l]\fR [\fB\-AknS\fR] .if \n(BA [\fB\-a\fR\ \fIauth_type\fR] @@ -502,6 +502,44 @@ variables with one important exception. If the \fIsetenv\fR option is set in \fIsudoers\fR, the command to be run has the \f(CW\*(C`SETENV\*(C'\fR tag set or the command matched is \f(CW\*(C`ALL\*(C'\fR, the user may set variables that would overwise be forbidden. See \fIsudoers\fR\|(@mansectform@) for more information. +.SH "PLUGINS" +.IX Header "PLUGINS" +\&\fBsudo\fR supports a plugin architecture for security policies and +input/output logging. Third parties can develop and distribute +their own policy and I/O logging modules to work seemlessly with +the \fBsudo\fR front end. +.PP +Plugins are dynamically loaded based on the contents of the +\&\fI@sysconfdir@/sudo.conf\fR file. If no \fI@sysconfdir@/sudo.conf\fR +file is present, \fBsudo\fR will use the traditional \fIsudoers\fR security +policy and I/O logging, which corresponds to the following +\&\fI@sysconfdir@/sudo.conf\fR file. +.PP +.Vb 10 +\& # +\& # Default @sysconfdir@/sudo.conf file +\& # +\& # Format: +\& # Plugin plugin_name plugin_path +\& # +\& # The plugin_path is relative to @prefix@/libexec unless +\& # fully qualified. +\& # The plugin_name corresponds to a global symbol in the plugin +\& # that contains the plugin interface structure. +\& # +\& Plugin policy_plugin sudoers.so +\& Plugin io_plugin sudoers.so +.Ve +.PP +A \f(CW\*(C`Plugin\*(C'\fR line consists of the \f(CW\*(C`Plugin\*(C'\fR keyword, followed by the +\&\fIsymbol_name\fR and the \fIpath\fR to the shared object containing the +plugin. The \fIsymbol_name\fR is the name of the \f(CW\*(C`struct policy_plugin\*(C'\fR +or \f(CW\*(C`struct io_plugin\*(C'\fR in the plugin shared object. The \fIpath\fR +may be fully qualified or relative. If not fully qualified it is +relative to the \fI@prefix@/libexec\fR directory. Any additional parameters +after the \fIpath\fR are ignored. +.PP +For more information, see the \*(L"\fIsudo_plugin\fR\|(@mansectsu@) manual.\*(R" .SH "RETURN VALUES" .IX Header "RETURN VALUES" Upon successful execution of a program, the exit status from \fBsudo\fR @@ -574,7 +612,7 @@ instance) or create \fI@timedir@\fR with the appropriate owner (root) and permissions (0700) in the system startup files. .PP \&\fBsudo\fR will not honor time stamps set far in the future. -Timestamps with a date greater than current_time + 2 * \f(CW\*(C`TIMEOUT\*(C'\fR +Time stamps with a date greater than current_time + 2 * \f(CW\*(C`TIMEOUT\*(C'\fR will be ignored and sudo will log and complain. This is done to keep a user from creating his/her own time stamp with a bogus date on systems that allow users to give away files. @@ -672,6 +710,10 @@ Default editor to use in \fB\-e\fR (sudoedit) mode if \f(CW\*(C`SUDO_EDITOR\*(C' is not set .SH "FILES" .IX Header "FILES" +.ie n .IP "\fI@sysconfdir@/sudo.conf\fR" 24 +.el .IP "\fI@sysconfdir@/sudo.conf\fR" 24 +.IX Item "@sysconfdir@/sudo.conf" +\&\fBsudo\fR plugin configuration .ie n .IP "\fI@sysconfdir@/sudoers\fR" 24 .el .IP "\fI@sysconfdir@/sudoers\fR" 24 .IX Item "@sysconfdir@/sudoers" @@ -735,7 +777,7 @@ to make the \f(CW\*(C`cd\*(C'\fR and file redirection work. .IX Header "SEE ALSO" \&\fIgrep\fR\|(1), \fIsu\fR\|(1), \fIstat\fR\|(2), .if \n(LC \&\fIlogin_cap\fR\|(3), -\&\fIpasswd\fR\|(@mansectform@), \fIsudoers\fR\|(@mansectform@), \fIvisudo\fR\|(@mansectsu@) +\&\fIpasswd\fR\|(@mansectform@), \fIsudoers\fR\|(@mansectform@), "\fIsudo_plugin\fR\|(@mansectsu@), "\fIsudoreplay\fR\|(@mansectsu@), \fIvisudo\fR\|(@mansectsu@)"" .SH "AUTHORS" .IX Header "AUTHORS" Many people have worked on \fBsudo\fR over the years; this @@ -790,3 +832,12 @@ including, but not limited to, the implied warranties of merchantability and fitness for a particular purpose are disclaimed. See the \s-1LICENSE\s0 file distributed with \fBsudo\fR or http://www.sudo.ws/sudo/license.html for complete details. +.SH "POD ERRORS" +.IX Header "POD ERRORS" +Hey! \fBThe above document had some coding errors, which are explained below:\fR +.IP "Around line 442:" 4 +.IX Item "Around line 442:" +Unterminated L<...> sequence +.IP "Around line 678:" 4 +.IX Item "Around line 678:" +Unterminated L> sequence diff --git a/doc/sudo.pod b/doc/sudo.pod index 93af96510..1d243f6b6 100644 --- a/doc/sudo.pod +++ b/doc/sudo.pod @@ -32,7 +32,7 @@ B B<-v> [B<-AknS>] S<[B<-a> I]> S<[B<-D> I]> S<[B<-g> I|I<#gid>]> S<[B<-p> I]> -S<[B<-u> I|I<#uid>]> +S<[B<-u> I|I<#uid>]> B B<-l[l]> [B<-AknS>] S<[B<-a> I]> @@ -404,6 +404,43 @@ is set in I, the command to be run has the C tag set or the command matched is C, the user may set variables that would overwise be forbidden. See L for more information. +=head1 PLUGINS + +B supports a plugin architecture for security policies and +input/output logging. Third parties can develop and distribute +their own policy and I/O logging modules to work seemlessly with +the B front end. + +Plugins are dynamically loaded based on the contents of the +F<@sysconfdir@/sudo.conf> file. If no F<@sysconfdir@/sudo.conf> +file is present, B will use the traditional I security +policy and I/O logging, which corresponds to the following +F<@sysconfdir@/sudo.conf> file. + + # + # Default @sysconfdir@/sudo.conf file + # + # Format: + # Plugin plugin_name plugin_path + # + # The plugin_path is relative to @prefix@/libexec unless + # fully qualified. + # The plugin_name corresponds to a global symbol in the plugin + # that contains the plugin interface structure. + # + Plugin policy_plugin sudoers.so + Plugin io_plugin sudoers.so + +A C line consists of the C keyword, followed by the +I and the I to the shared object containing the +plugin. The I is the name of the C +or C in the plugin shared object. The I +may be fully qualified or relative. If not fully qualified it is +relative to the F<@prefix@/libexec> directory. Any additional parameters +after the I are ignored. + +For more information, see the L @@ -477,7 +514,7 @@ instance) or create F<@timedir@> with the appropriate owner (root) and permissions (0700) in the system startup files. B will not honor time stamps set far in the future. -Timestamps with a date greater than current_time + 2 * C +Time stamps with a date greater than current_time + 2 * C will be ignored and sudo will log and complain. This is done to keep a user from creating his/her own time stamp with a bogus date on systems that allow users to give away files. @@ -583,6 +620,10 @@ is not set =over 24 +=item F<@sysconfdir@/sudo.conf> + +B plugin configuration + =item F<@sysconfdir@/sudoers> List of who can run what @@ -636,7 +677,7 @@ to make the C and file redirection work. L, L, L, L, -L, L, L +L, L, L =head1 AUTHORS diff --git a/doc/sudo_plugin.cat b/doc/sudo_plugin.cat index d8d87184a..d1d67881a 100644 --- a/doc/sudo_plugin.cat +++ b/doc/sudo_plugin.cat @@ -30,8 +30,8 @@ SSuuddoo PPlluuggiinn AAPPII The _s_y_m_b_o_l___n_a_m_e is the name of the struct policy_plugin or struct io_plugin in the plugin shared object. The _p_a_t_h may be fully qualified or relative. If not fully qualified it is relative to the - $prefix/libexec directory where the prefix is specified at build time - (/usr/local by default). + _/_u_s_r_/_l_o_c_a_l_/_l_i_b_e_x_e_c directory. Any additional parameters after the _p_a_t_h + are ignored. The same shared object may contain multiple plugins, each with a different symbol name. The shared object file must be owned by uid 0 @@ -45,9 +45,10 @@ SSuuddoo PPlluuggiinn AAPPII # Format: # Plugin plugin_name plugin_path # - # The plugin_path relative to prefix/libexec unless fully qualified + # The plugin_path is relative to /usr/local/libexec unless + # fully qualified. # The plugin_name corresponds to a global symbol in the plugin - # that contains the plugin interface. + # that contains the plugin interface structure. # Plugin policy_plugin sudoers.so Plugin io_plugin sudoers.so @@ -57,7 +58,6 @@ SSuuddoo PPlluuggiinn AAPPII global scope. This structure contains pointers to the functions that implement the ssuuddoo policy checks. The name of the symbol should be specified in _/_e_t_c_/_s_u_d_o_._c_o_n_f along with a path to the plugin so that - ssuuddoo can load it. @@ -70,6 +70,8 @@ SSuuddoo PPlluuggiinn AAPPII SUDO_PLUGIN(1m) MAINTENANCE COMMANDS SUDO_PLUGIN(1m) + ssuuddoo can load it. + struct policy_plugin { #define SUDO_POLICY_PLUGIN 1 unsigned int type; /* always SUDO_POLICY_PLUGIN */ @@ -125,8 +127,6 @@ SUDO_PLUGIN(1m) MAINTENANCE COMMANDS SUDO_PLUGIN(1m) - - 1.8.0a2 June 9, 2010 2 diff --git a/doc/sudo_plugin.man.in b/doc/sudo_plugin.man.in index e3e65daaa..eb6e49832 100644 --- a/doc/sudo_plugin.man.in +++ b/doc/sudo_plugin.man.in @@ -151,7 +151,7 @@ for policy and session logging. By default, the \fIsudoers\fR policy plugin and an associated I/O logging plugin are used. Via the plugin \&\s-1API\s0, \fBsudo\fR can be configured to use alternate policy and/or I/O logging plugins provided by third parties. The plugins to be used -are specified via the \fI/etc/sudo.conf\fR file. +are specified via the \fI@sysconfdir@/sudo.conf\fR file. .PP The \s-1API\s0 is versioned with a major and minor number. The minor version number is incremented when additions are made. The major @@ -162,7 +162,7 @@ major version matches. The plugin \s-1API\s0 is defined by the \f(CW\*(C`sudo_plugin.h\*(C'\fR header file. .SS "The sudo.conf File" .IX Subsection "The sudo.conf File" -The \fI/etc/sudo.conf\fR file contains plugin configuration directives. +The \fI@sysconfdir@/sudo.conf\fR file contains plugin configuration directives. Currently, the only supported keyword is the \f(CW\*(C`Plugin\*(C'\fR directive, which causes a plugin plugin to be loaded. .PP @@ -171,8 +171,8 @@ A \f(CW\*(C`Plugin\*(C'\fR line consists of the \f(CW\*(C`Plugin\*(C'\fR keyword plugin. The \fIsymbol_name\fR is the name of the \f(CW\*(C`struct policy_plugin\*(C'\fR or \f(CW\*(C`struct io_plugin\*(C'\fR in the plugin shared object. The \fIpath\fR may be fully qualified or relative. If not fully qualified it is -relative to the \f(CW$prefix\fR/libexec directory where the prefix is -specified at build time (/usr/local by default). +relative to the \fI@prefix@/libexec\fR directory. Any additional parameters +after the \fIpath\fR are ignored. .PP The same shared object may contain multiple plugins, each with a different symbol name. The shared object file must be owned by uid @@ -180,16 +180,17 @@ different symbol name. The shared object file must be owned by uid from composite policies, only a single policy plugin may be specified. This limitation does not apply to I/O plugins. .PP -.Vb 12 +.Vb 10 \& # -\& # Default /etc/sudo.conf file +\& # Default @sysconfdir@/sudo.conf file \& # \& # Format: \& # Plugin plugin_name plugin_path \& # -\& # The plugin_path relative to prefix/libexec unless fully qualified +\& # The plugin_path is relative to @prefix@/libexec unless +\& # fully qualified. \& # The plugin_name corresponds to a global symbol in the plugin -\& # that contains the plugin interface. +\& # that contains the plugin interface structure. \& # \& Plugin policy_plugin sudoers.so \& Plugin io_plugin sudoers.so @@ -199,7 +200,7 @@ This limitation does not apply to I/O plugins. A policy plugin must declare and populate a \f(CW\*(C`policy_plugin\*(C'\fR struct in the global scope. This structure contains pointers to the functions that implement the \fBsudo\fR policy checks. The name of the symbol should -be specified in \fI/etc/sudo.conf\fR along with a path to the plugin +be specified in \fI@sysconfdir@/sudo.conf\fR along with a path to the plugin so that \fBsudo\fR can load it. .PP .Vb 10 diff --git a/doc/sudo_plugin.pod b/doc/sudo_plugin.pod index 3498c7d76..64b44c447 100644 --- a/doc/sudo_plugin.pod +++ b/doc/sudo_plugin.pod @@ -22,7 +22,7 @@ for policy and session logging. By default, the I policy plugin and an associated I/O logging plugin are used. Via the plugin API, B can be configured to use alternate policy and/or I/O logging plugins provided by third parties. The plugins to be used -are specified via the F file. +are specified via the F<@sysconfdir@/sudo.conf> file. The API is versioned with a major and minor number. The minor version number is incremented when additions are made. The major @@ -34,7 +34,7 @@ The plugin API is defined by the C header file. =head2 The sudo.conf File -The F file contains plugin configuration directives. +The F<@sysconfdir@/sudo.conf> file contains plugin configuration directives. Currently, the only supported keyword is the C directive, which causes a plugin plugin to be loaded. @@ -43,8 +43,8 @@ I and the I to the shared object containing the plugin. The I is the name of the C or C in the plugin shared object. The I may be fully qualified or relative. If not fully qualified it is -relative to the $prefix/libexec directory where the prefix is -specified at build time (/usr/local by default). +relative to the F<@prefix@/libexec> directory. Any additional parameters +after the I are ignored. The same shared object may contain multiple plugins, each with a different symbol name. The shared object file must be owned by uid @@ -53,14 +53,15 @@ from composite policies, only a single policy plugin may be specified. This limitation does not apply to I/O plugins. # - # Default /etc/sudo.conf file + # Default @sysconfdir@/sudo.conf file # # Format: # Plugin plugin_name plugin_path # - # The plugin_path relative to prefix/libexec unless fully qualified + # The plugin_path is relative to @prefix@/libexec unless + # fully qualified. # The plugin_name corresponds to a global symbol in the plugin - # that contains the plugin interface. + # that contains the plugin interface structure. # Plugin policy_plugin sudoers.so Plugin io_plugin sudoers.so @@ -70,7 +71,7 @@ This limitation does not apply to I/O plugins. A policy plugin must declare and populate a C struct in the global scope. This structure contains pointers to the functions that implement the B policy checks. The name of the symbol should -be specified in F along with a path to the plugin +be specified in F<@sysconfdir@/sudo.conf> along with a path to the plugin so that B can load it. struct policy_plugin {