diff --git a/doc/sudo.conf.man.in b/doc/sudo.conf.man.in index a0bab7cad..c186b7470 100644 --- a/doc/sudo.conf.man.in +++ b/doc/sudo.conf.man.in @@ -675,12 +675,8 @@ front end configuration # # Default @sysconfdir@/sudo.conf file # -# Format: +# Sudo plugins: # Plugin plugin_name plugin_path plugin_options ... -# Path askpass /path/to/askpass -# Path noexec /path/to/sudo_noexec.so -# Debug sudo /var/log/sudo_debug all@warn -# Set disable_coredump true # # The plugin_path is relative to @plugindir@ unless # fully qualified. @@ -688,17 +684,17 @@ front end configuration # that contains the plugin interface structure. # The plugin_options are optional. # -# The sudoers plugin is used by default if no Plugin lines are -# present. +# The sudoers plugin is used by default if no Plugin lines are present. Plugin sudoers_policy sudoers.so Plugin sudoers_io sudoers.so # # Sudo askpass: +# Path askpass /path/to/askpass # # An askpass helper program may be specified to provide a graphical -# password prompt for "sudo -A" support. Sudo does not ship with -# its own askpass program but can use the OpenSSH askpass. +# password prompt for "sudo -A" support. Sudo does not ship with its +# own askpass program but can use the OpenSSH askpass. # # Use the OpenSSH askpass #Path askpass /usr/X11R6/bin/ssh-askpass 
@@ -706,23 +702,52 @@ Plugin sudoers_io sudoers.so # Use the Gnome OpenSSH askpass #Path askpass /usr/libexec/openssh/gnome-ssh-askpass +# +# Sudo device search path: +# Path devsearch /dev/path1:/dev/path2:/dev +# +# A colon-separated list of paths to check when searching for a user's +# terminal device. +# +#Path devsearch /dev/pts:/dev/vt:/dev/term:/dev/zcons:/dev/pty:/dev + # # Sudo noexec: +# Path noexec /path/to/sudo_noexec.so # # Path to a shared library containing dummy versions of the execv(), # execve() and fexecve() library functions that just return an error. # This is used to implement the "noexec" functionality on systems that # support LD_PRELOAD or its equivalent. -# The compiled-in value is usually sufficient and should only be -# changed if you rename or move the sudo_noexec.so file. # -#Path noexec @noexec_file@ +# The compiled-in value is usually sufficient and should only be changed +# if you rename or move the sudo_noexec.so file. +# +#Path noexec @plugindir@/sudo_noexec.so + +# +# Sudo plugin directory: +# Path plugin_dir /path/to/plugins +# +# The default directory to use when searching for plugins that are +# specified without a fully qualified path name. +# +#Path plugin_dir @plugindir@ + +# +# Sudo developer mode: +# Set developer_mode true|false +# +# Allow loading of plugins that are owned by non-root or are writable +# by "group" or "other". Should only be used during plugin development. +#Set developer_mode true # # Core dumps: +# Set disable_coredump true|false # -# By default, sudo disables core dumps while it is executing -# (they are re-enabled for the command that is run). +# By default, sudo disables core dumps while it is executing (they +# are re-enabled for the command that is run). # To aid in debugging sudo problems, you may wish to enable core # dumps by setting "disable_coredump" to false. # 
@@ -730,6 +755,7 @@ Plugin sudoers_io sudoers.so # # User groups: +# Set group_source static|dynamic|adaptive # # Sudo passes the user's group list to the policy plugin. # If the user is a member of the maximum number of groups (usually 16), @@ -741,9 +767,34 @@ Plugin sudoers_io sudoers.so # static - use the user's list of groups returned by the kernel. # dynamic - query the group database to find the list of groups. # adaptive - if user is in less than the maximum number of groups. -# use the kernel list, else query the group database. +# use the kernel list, else query the group database. # #Set group_source static + +# +# Sudo interface probing: +# Set probe_interfaces true|false +# +# By default, sudo will probe the system's network interfaces and +# pass the IP address of each enabled interface to the policy plugin. +# On systems with a large number of virtual interfaces this may take +# a noticeable amount of time. +# +#Set probe_interfaces false + +# +# Sudo debug files: +# Debug program /path/to/debug_log subsystem@priority[,subsyste@priority] +# +# Sudo and related programs support logging debug information to a file. +# The program is typically sudo, sudoers.so, sudoreplay or visudo. +# +# Subsystems vary based on the program; "all" matches all subsystems. +# Priority may be crit, err, warn, notice, diag, info, trace or debug. +# Multiple subsystem@priority may be specified, separated by a comma. +# +#Debug sudo /var/log/sudo_debug all@debug +#Debug sudoers.so /var/log/sudoers_debug all@debug .RE .fi .SH "SEE ALSO" diff --git a/doc/sudo.conf.mdoc.in b/doc/sudo.conf.mdoc.in index c94a0146b..80ecea606 100644 --- a/doc/sudo.conf.mdoc.in +++ b/doc/sudo.conf.mdoc.in 
@@ -609,12 +609,8 @@ front end configuration # # Default @sysconfdir@/sudo.conf file # -# Format: +# Sudo plugins: # Plugin plugin_name plugin_path plugin_options ... -# Path askpass /path/to/askpass -# Path noexec /path/to/sudo_noexec.so -# Debug sudo /var/log/sudo_debug all@warn -# Set disable_coredump true # # The plugin_path is relative to @plugindir@ unless # fully qualified. @@ -622,17 +618,17 @@ front end configuration # that contains the plugin interface structure. # The plugin_options are optional. # -# The sudoers plugin is used by default if no Plugin lines are -# present. +# The sudoers plugin is used by default if no Plugin lines are present. Plugin sudoers_policy sudoers.so Plugin sudoers_io sudoers.so # # Sudo askpass: +# Path askpass /path/to/askpass # # An askpass helper program may be specified to provide a graphical -# password prompt for "sudo -A" support. Sudo does not ship with -# its own askpass program but can use the OpenSSH askpass. +# password prompt for "sudo -A" support. Sudo does not ship with its +# own askpass program but can use the OpenSSH askpass. # # Use the OpenSSH askpass #Path askpass /usr/X11R6/bin/ssh-askpass 
@@ -640,23 +636,52 @@ Plugin sudoers_io sudoers.so # Use the Gnome OpenSSH askpass #Path askpass /usr/libexec/openssh/gnome-ssh-askpass +# +# Sudo device search path: +# Path devsearch /dev/path1:/dev/path2:/dev +# +# A colon-separated list of paths to check when searching for a user's +# terminal device. +# +#Path devsearch /dev/pts:/dev/vt:/dev/term:/dev/zcons:/dev/pty:/dev + # # Sudo noexec: +# Path noexec /path/to/sudo_noexec.so # # Path to a shared library containing dummy versions of the execv(), # execve() and fexecve() library functions that just return an error. # This is used to implement the "noexec" functionality on systems that # support LD_PRELOAD or its equivalent. -# The compiled-in value is usually sufficient and should only be -# changed if you rename or move the sudo_noexec.so file. # -#Path noexec @noexec_file@ +# The compiled-in value is usually sufficient and should only be changed +# if you rename or move the sudo_noexec.so file. +# +#Path noexec @plugindir@/sudo_noexec.so + +# +# Sudo plugin directory: +# Path plugin_dir /path/to/plugins +# +# The default directory to use when searching for plugins that are +# specified without a fully qualified path name. +# +#Path plugin_dir @plugindir@ + +# +# Sudo developer mode: +# Set developer_mode true|false +# +# Allow loading of plugins that are owned by non-root or are writable +# by "group" or "other". Should only be used during plugin development. +#Set developer_mode true # # Core dumps: +# Set disable_coredump true|false # -# By default, sudo disables core dumps while it is executing -# (they are re-enabled for the command that is run). +# By default, sudo disables core dumps while it is executing (they +# are re-enabled for the command that is run). # To aid in debugging sudo problems, you may wish to enable core # dumps by setting "disable_coredump" to false. # 
@@ -664,6 +689,7 @@ Plugin sudoers_io sudoers.so # # User groups: +# Set group_source static|dynamic|adaptive # # Sudo passes the user's group list to the policy plugin. # If the user is a member of the maximum number of groups (usually 16), @@ -675,9 +701,34 @@ Plugin sudoers_io sudoers.so # static - use the user's list of groups returned by the kernel. # dynamic - query the group database to find the list of groups. # adaptive - if user is in less than the maximum number of groups. -# use the kernel list, else query the group database. +# use the kernel list, else query the group database. # #Set group_source static + +# +# Sudo interface probing: +# Set probe_interfaces true|false +# +# By default, sudo will probe the system's network interfaces and +# pass the IP address of each enabled interface to the policy plugin. +# On systems with a large number of virtual interfaces this may take +# a noticeable amount of time. +# +#Set probe_interfaces false + +# +# Sudo debug files: +# Debug program /path/to/debug_log subsystem@priority[,subsyste@priority] +# +# Sudo and related programs support logging debug information to a file. +# The program is typically sudo, sudoers.so, sudoreplay or visudo. +# +# Subsystems vary based on the program; "all" matches all subsystems. +# Priority may be crit, err, warn, notice, diag, info, trace or debug. +# Multiple subsystem@priority may be specified, separated by a comma. +# +#Debug sudo /var/log/sudo_debug all@debug +#Debug sudoers.so /var/log/sudoers_debug all@debug .Ed .Sh SEE ALSO .Xr sudo_plugin @mansectform@ , diff --git a/examples/sudo.conf.in b/examples/sudo.conf.in index 2c329bde4..9bbbd8aa5 100644 --- a/examples/sudo.conf.in +++ b/examples/sudo.conf.in 
@@ -1,16 +1,11 @@ # -# Sample /etc/sudo.conf file -# -# Format: -# Plugin plugin_name plugin_path plugin_options ... -# Path askpass /path/to/askpass -# Path noexec /path/to/sudo_noexec.so -# Debug sudo /var/log/sudo_debug all@warn -# Set disable_coredump true +# Sample @sysconfdir@/sudo.conf file # # Sudo plugins: +# Plugin plugin_name plugin_path plugin_options ... # -# The plugin_path is relative to @plugindir@ unless fully qualified. +# The plugin_path is relative to @plugindir@ unless +# fully qualified. # The plugin_name corresponds to a global symbol in the plugin # that contains the plugin interface structure. # The plugin_options are optional. @@ -21,6 +16,7 @@ Plugin sudoers_io sudoers.so # # Sudo askpass: +# Path askpass /path/to/askpass # # An askpass helper program may be specified to provide a graphical # password prompt for "sudo -A" support. Sudo does not ship with its 
@@ -32,20 +28,49 @@ Plugin sudoers_io sudoers.so # Use the Gnome OpenSSH askpass #Path askpass /usr/libexec/openssh/gnome-ssh-askpass +# +# Sudo device search path: +# Path devsearch /dev/path1:/dev/path2:/dev +# +# A colon-separated list of paths to check when searching for a user's +# terminal device. +# +#Path devsearch /dev/pts:/dev/vt:/dev/term:/dev/zcons:/dev/pty:/dev + # # Sudo noexec: +# Path noexec /path/to/sudo_noexec.so # # Path to a shared library containing dummy versions of the execv(), # execve() and fexecve() library functions that just return an error. # This is used to implement the "noexec" functionality on systems that # support LD_PRELOAD or its equivalent. +# # The compiled-in value is usually sufficient and should only be changed # if you rename or move the sudo_noexec.so file. # #Path noexec @plugindir@/sudo_noexec.so +# +# Sudo plugin directory: +# Path plugin_dir /path/to/plugins +# +# The default directory to use when searching for plugins that are +# specified without a fully qualified path name. +# +#Path plugin_dir @plugindir@ + +# +# Sudo developer mode: +# Set developer_mode true|false +# +# Allow loading of plugins that are owned by non-root or are writable +# by "group" or "other". Should only be used during plugin development. +#Set developer_mode true + # # Core dumps: +# Set disable_coredump true|false # # By default, sudo disables core dumps while it is executing (they # are re-enabled for the command that is run). @@ -56,6 +81,7 @@ Plugin sudoers_io sudoers.so # # User groups: +# Set group_source static|dynamic|adaptive # # Sudo passes the user's group list to the policy plugin. # If the user is a member of the maximum number of groups (usually 16), 
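Review bot: The new developer_mode stanza documents a switch that turns off the ownership and permission check on plugins loaded by sudo, but the comment states neither the default nor the consequence. Unlike the neighbouring noexec and plugin_dir stanzas, it also has no bare `#` line between the prose and the example. I would add `# The default (which I take to be false) should be kept on any real system: when true, anyone able to write to a plugin file can have their code loaded by sudo.` followed by a `#` line before `#Set developer_mode true`. The same stanza is duplicated in the sample-file sections of doc/sudo.conf.man.in and doc/sudo.conf.mdoc.in, so all three copies should change together.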
@@ -70,3 +96,28 @@ Plugin sudoers_io sudoers.so # use the kernel list, else query the group database. # #Set group_source static + +# +# Sudo interface probing: +# Set probe_interfaces true|false +# +# By default, sudo will probe the system's network interfaces and +# pass the IP address of each enabled interface to the policy plugin. +# On systems with a large number of virtual interfaces this may take +# a noticeable amount of time. +# +#Set probe_interfaces false + +# +# Sudo debug files: +# Debug program /path/to/debug_log subsystem@priority[,subsyste@priority] +# +# Sudo and related programs support logging debug information to a file. +# The program is typically sudo, sudoers.so, sudoreplay or visudo. +# +# Subsystems vary based on the program; "all" matches all subsystems. +# Priority may be crit, err, warn, notice, diag, info, trace or debug. +# Multiple subsystem@priority may be specified, separated by a comma. +# +#Debug sudo /var/log/sudo_debug all@debug +#Debug sudoers.so /var/log/sudoers_debug all@debug
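Review bot: The Debug usage line misspells its optional second field as `subsyste@priority`; it should read `# Debug program /path/to/debug_log subsystem@priority[,subsystem@priority]`. The same typo appears in the copies of this sample in doc/sudo.conf.man.in and doc/sudo.conf.mdoc.in. Separately, the probe_interfaces stanza mentions only the time cost. If sudoers rules match hosts by IP address or network, disabling probing presumably leaves the policy plugin with no local addresses to compare against, so a sentence such as `# Rules that match by IP address or network may no longer match when this is false.` would help; please confirm against the plugin's behaviour.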