isa/sudo
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Move askpass path specification from sudoers to sudo.conf.

Browse Source
This commit is contained in:
Todd C. Miller
2010-06-09 17:40:44 -04:00
parent 34613c8465
commit eec336115a
16 changed files with 243 additions and 244 deletions
Download Patch File Download Diff File Expand all files Collapse all files

182
doc/sudo.cat
View File

@@ -86,8 +86,15 @@ OOPPTTIIOONNSS
executed to read the user's password and output the
password to the standard output. If the SUDO_ASKPASS
environment variable is set, it specifies the path to the
helper program. Otherwise, the value specified by the
_a_s_k_p_a_s_s option in _s_u_d_o_e_r_s(4) is used.
helper program. Otherwise, if _/_e_t_c_/_s_u_d_o_._c_o_n_f contains a
line specifying the askpass program that value will be
used. For example:
# Path to askpass helper program
Path askpass /usr/X11R6/bin/ssh-askpass
If no askpass program is available, sudo will exit with an
error.
-a _t_y_p_e The --aa (_a_u_t_h_e_n_t_i_c_a_t_i_o_n _t_y_p_e) option causes ssuuddoo to use the
specified authentication type when validating the user, as
@@ -117,13 +124,6 @@ OOPPTTIIOONNSS
Specifying a _c_l_a_s_s of - indicates that the command should
be run restricted by the default login capabilities for the
user the command is run as. If the _c_l_a_s_s argument
specifies an existing user class, the command must be run
as root, or the ssuuddoo command must be run from a shell that
is already root. This option is only available on systems
with BSD login classes.
-D _l_e_v_e_l Enable debugging of ssuuddoo plugins and ssuuddoo itself. The
_l_e_v_e_l may be a value from 1 through 9.
@@ -136,6 +136,14 @@ OOPPTTIIOONNSS
SUDO(1m) MAINTENANCE COMMANDS SUDO(1m)
specifies an existing user class, the command must be run
as root, or the ssuuddoo command must be run from a shell that
is already root. This option is only available on systems
with BSD login classes.
-D _l_e_v_e_l Enable debugging of ssuuddoo plugins and ssuuddoo itself. The
_l_e_v_e_l may be a value from 1 through 9.
-E The --EE (_p_r_e_s_e_r_v_e _e_n_v_i_r_o_n_m_e_n_t) option will override the
_e_n_v___r_e_s_e_t option in _s_u_d_o_e_r_s(4)). It is only available when
either the matching command has the SETENV tag or the
@@ -183,14 +191,6 @@ SUDO(1m) MAINTENANCE COMMANDS SUDO(1m)
specified in _p_a_s_s_w_d(4). By default, ssuuddoo does not modify
HOME (see _s_e_t___h_o_m_e and _a_l_w_a_y_s___s_e_t___h_o_m_e in _s_u_d_o_e_r_s(4)).
-h The --hh (_h_e_l_p) option causes ssuuddoo to print a usage message
and exit.
-i [command]
The --ii (_s_i_m_u_l_a_t_e _i_n_i_t_i_a_l _l_o_g_i_n) option runs the shell
specified in the _p_a_s_s_w_d(4) entry of the target user as a
login shell. This means that login-specific resource files
1.8.0a2 June 9, 2010 3
@@ -202,6 +202,13 @@ SUDO(1m) MAINTENANCE COMMANDS SUDO(1m)
SUDO(1m) MAINTENANCE COMMANDS SUDO(1m)
-h The --hh (_h_e_l_p) option causes ssuuddoo to print a usage message
and exit.
-i [command]
The --ii (_s_i_m_u_l_a_t_e _i_n_i_t_i_a_l _l_o_g_i_n) option runs the shell
specified in the _p_a_s_s_w_d(4) entry of the target user as a
login shell. This means that login-specific resource files
such as .profile or .login will be read by the shell. If a
command is specified, it is passed to the shell for
execution. Otherwise, an interactive shell is executed.
@@ -249,13 +256,6 @@ SUDO(1m) MAINTENANCE COMMANDS SUDO(1m)
-P The --PP (_p_r_e_s_e_r_v_e _g_r_o_u_p _v_e_c_t_o_r) option causes ssuuddoo to
preserve the invoking user's group vector unaltered. By
default, ssuuddoo will initialize the group vector to the list
of groups the target user is in. The real and effective
group IDs, however, are still set to match the target user.
-p _p_r_o_m_p_t The --pp (_p_r_o_m_p_t) option allows you to override the default
password prompt and use a custom one. The following
percent (`%') escapes are supported:
@@ -268,6 +268,14 @@ SUDO(1m) MAINTENANCE COMMANDS SUDO(1m)
SUDO(1m) MAINTENANCE COMMANDS SUDO(1m)
default, ssuuddoo will initialize the group vector to the list
of groups the target user is in. The real and effective
group IDs, however, are still set to match the target user.
-p _p_r_o_m_p_t The --pp (_p_r_o_m_p_t) option allows you to override the default
password prompt and use a custom one. The following
percent (`%') escapes are supported:
%H expanded to the local host name including the domain
name (on if the machine's host name is fully qualified
or the _f_q_d_n _s_u_d_o_e_r_s option is set)
@@ -314,14 +322,6 @@ SUDO(1m) MAINTENANCE COMMANDS SUDO(1m)
is set (see _s_u_d_o_e_r_s(4)) it is not possible to run commands
with a uid not listed in the password database.
-V The --VV (_v_e_r_s_i_o_n) option causes ssuuddoo to print the version
number and exit. If the invoking user is already root the
--VV option will print out a list of the defaults ssuuddoo was
compiled with as well as the machine's local network
addresses.
-v If given the --vv (_v_a_l_i_d_a_t_e) option, ssuuddoo will update the
user's time stamp, prompting for the user's password if
@@ -334,6 +334,14 @@ SUDO(1m) MAINTENANCE COMMANDS SUDO(1m)
SUDO(1m) MAINTENANCE COMMANDS SUDO(1m)
-V The --VV (_v_e_r_s_i_o_n) option causes ssuuddoo to print the version
number and exit. If the invoking user is already root the
--VV option will print out a list of the defaults ssuuddoo was
compiled with as well as the machine's local network
addresses.
-v If given the --vv (_v_a_l_i_d_a_t_e) option, ssuuddoo will update the
user's time stamp, prompting for the user's password if
necessary. This extends the ssuuddoo timeout for another 5
minutes (or whatever the timeout is set to in _s_u_d_o_e_r_s) but
does not run a command.
@@ -367,6 +375,7 @@ PPLLUUGGIINNSS
#
# Format:
# Plugin plugin_name plugin_path
# Path askpass path/to/askpass
#
# The plugin_path is relative to /usr/local/libexec unless
# fully qualified.
@@ -379,15 +388,6 @@ PPLLUUGGIINNSS
A Plugin line consists of the Plugin keyword, followed by the
_s_y_m_b_o_l___n_a_m_e and the _p_a_t_h to the shared object containing the plugin.
The _s_y_m_b_o_l___n_a_m_e is the name of the struct policy_plugin or struct
io_plugin in the plugin shared object. The _p_a_t_h may be fully qualified
or relative. If not fully qualified it is relative to the
_/_u_s_r_/_l_o_c_a_l_/_l_i_b_e_x_e_c directory. Any additional parameters after the _p_a_t_h
are ignored.
For more information, see the "_s_u_d_o___p_l_u_g_i_n(1m) manual."
RREETTUURRNN VVAALLUUEESS
Upon successful execution of a program, the exit status from ssuuddoo will
@@ -400,6 +400,16 @@ RREETTUURRNN VVAALLUUEESS
SUDO(1m) MAINTENANCE COMMANDS SUDO(1m)
io_plugin in the plugin shared object. The _p_a_t_h may be fully qualified
or relative. If not fully qualified it is relative to the
_/_u_s_r_/_l_o_c_a_l_/_l_i_b_e_x_e_c directory. Any additional parameters after the _p_a_t_h
are ignored. Lines that don't begin with Plugin or Path are silently
ignored
For more information, see the _s_u_d_o___p_l_u_g_i_n(1m) manual.
RREETTUURRNN VVAALLUUEESS
Upon successful execution of a program, the exit status from ssuuddoo will
simply be the exit status of the program that was executed.
Otherwise, ssuuddoo quits with an exit value of 1 if there is a
@@ -444,16 +454,6 @@ SSEECCUURRIITTYY NNOOTTEESS
ssuuddoo to preserve them.
To prevent command spoofing, ssuuddoo checks "." and "" (both denoting
current directory) last when searching for a command in the user's PATH
(if one or both are in the PATH). Note, however, that the actual PATH
environment variable is _n_o_t modified and is passed unchanged to the
program that ssuuddoo executes.
ssuuddoo will check the ownership of its time stamp directory
(_/_v_a_r_/_r_u_n_/_s_u_d_o by default) and ignore the directory's contents if it is
not owned by root or if it is writable by a user other than root. On
systems that allow non-root users to give away files via _c_h_o_w_n(2), if
the time stamp directory is located in a directory writable by anyone
@@ -466,6 +466,16 @@ SSEECCUURRIITTYY NNOOTTEESS
SUDO(1m) MAINTENANCE COMMANDS SUDO(1m)
current directory) last when searching for a command in the user's PATH
(if one or both are in the PATH). Note, however, that the actual PATH
environment variable is _n_o_t modified and is passed unchanged to the
program that ssuuddoo executes.
ssuuddoo will check the ownership of its time stamp directory
(_/_v_a_r_/_r_u_n_/_s_u_d_o by default) and ignore the directory's contents if it is
not owned by root or if it is writable by a user other than root. On
systems that allow non-root users to give away files via _c_h_o_w_n(2), if
the time stamp directory is located in a directory writable by anyone
(e.g., _/_t_m_p), it is possible for a user to create the time stamp
directory before ssuuddoo is run. However, because ssuuddoo checks the
ownership and mode of the directory and its contents, the only damage
@@ -510,16 +520,6 @@ SUDO(1m) MAINTENANCE COMMANDS SUDO(1m)
when giving users access to commands via ssuuddoo to verify that the
command does not inadvertently give the user an effective root shell.
For more information, please see the PREVENTING SHELL ESCAPES section
in _s_u_d_o_e_r_s(4).
EENNVVIIRROONNMMEENNTT
ssuuddoo utilizes the following environment variables:
EDITOR Default editor to use in --ee (sudoedit) mode if neither
SUDO_EDITOR nor VISUAL is set
HOME In --ss or --HH mode (or if sudo was configured with the
--enable-shell-sets-home option), set to homedir of the
@@ -532,6 +532,16 @@ EENNVVIIRROONNMMEENNTT
SUDO(1m) MAINTENANCE COMMANDS SUDO(1m)
in _s_u_d_o_e_r_s(4).
EENNVVIIRROONNMMEENNTT
ssuuddoo utilizes the following environment variables:
EDITOR Default editor to use in --ee (sudoedit) mode if neither
SUDO_EDITOR nor VISUAL is set
HOME In --ss or --HH mode (or if sudo was configured with the
--enable-shell-sets-home option), set to homedir of the
target user
PATH Set to a sane value if the _s_e_c_u_r_e___p_a_t_h sudoers option
@@ -565,7 +575,7 @@ SUDO(1m) MAINTENANCE COMMANDS SUDO(1m)
SUDO_EDITOR is not set
FFIILLEESS
_/_e_t_c_/_s_u_d_o_._c_o_n_f ssuuddoo plugin configuration
_/_e_t_c_/_s_u_d_o_._c_o_n_f ssuuddoo plugin and path configuration
_/_e_t_c_/_s_u_d_o_e_r_s List of who can run what
@@ -577,16 +587,6 @@ FFIILLEESS
EEXXAAMMPPLLEESS
Note: the following examples assume suitable _s_u_d_o_e_r_s(4) entries.
To get a file listing of an unreadable directory:
$ sudo ls /usr/local/protected
To list the home directory of user yaz on a machine where the file
system holding ~yaz is not exported as root:
$ sudo -u yaz ls ~yaz
1.8.0a2 June 9, 2010 9
@@ -598,6 +598,15 @@ EEXXAAMMPPLLEESS
SUDO(1m) MAINTENANCE COMMANDS SUDO(1m)
To get a file listing of an unreadable directory:
$ sudo ls /usr/local/protected
To list the home directory of user yaz on a machine where the file
system holding ~yaz is not exported as root:
$ sudo -u yaz ls ~yaz
To edit the _i_n_d_e_x_._h_t_m_l file as user www:
$ sudo -u www vi ~www/htdocs/index.html
@@ -622,7 +631,7 @@ SUDO(1m) MAINTENANCE COMMANDS SUDO(1m)
SSEEEE AALLSSOO
_g_r_e_p(1), _s_u(1), _s_t_a_t(2), _l_o_g_i_n___c_a_p(3), _p_a_s_s_w_d(4), _s_u_d_o_e_r_s(4),
"_s_u_d_o___p_l_u_g_i_n(1m), "_s_u_d_o_r_e_p_l_a_y(1m), _v_i_s_u_d_o(1m)""
_s_u_d_o___p_l_u_g_i_n(1m), _s_u_d_o_r_e_p_l_a_y(1m), _v_i_s_u_d_o(1m)
AAUUTTHHOORRSS
Many people have worked on ssuuddoo over the years; this version consists
@@ -643,15 +652,6 @@ CCAAVVEEAATTSS
It is not meaningful to run the cd command directly via sudo, e.g.,
$ sudo cd /usr/local/protected
since when the command exits the parent process (your shell) will still
be the same. Please see the EXAMPLES section for more information.
If users have sudo ALL there is nothing to prevent them from creating
their own program that gives them a root shell regardless of any '!'
elements in the user specification.
@@ -664,6 +664,15 @@ CCAAVVEEAATTSS
SUDO(1m) MAINTENANCE COMMANDS SUDO(1m)
$ sudo cd /usr/local/protected
since when the command exits the parent process (your shell) will still
be the same. Please see the EXAMPLES section for more information.
If users have sudo ALL there is nothing to prevent them from creating
their own program that gives them a root shell regardless of any '!'
elements in the user specification.
Running shell scripts via ssuuddoo can expose the same kernel bugs that
make setuid shell scripts unsafe on some operating systems (if your OS
has a /dev/fd/ directory, setuid shell scripts are generally safe).
@@ -684,15 +693,6 @@ DDIISSCCLLAAIIMMEERR
See the LICENSE file distributed with ssuuddoo or
http://www.sudo.ws/sudo/license.html for complete details.
PPOODD EERRRROORRSS
Hey! TThhee aabboovvee ddooccuummeenntt hhaadd ssoommee ccooddiinngg eerrrroorrss,, wwhhiicchh aarree eexxppllaaiinneedd
bbeellooww::
Around line 442:
Unterminated L<...> sequence
Around line 678:
Unterminated L<L<...>> sequence

39
doc/sudo.man.in
View File

@@ -241,11 +241,19 @@ or via the \fIsudoers\fR file.
.IX Item "-A"
Normally, if \fBsudo\fR requires a password, it will read it from the
current terminal. If the \fB\-A\fR (\fIaskpass\fR) option is specified,
a (possibly graphical) helper program is executed to read the
user's password and output the password to the standard output. If
the \f(CW\*(C`SUDO_ASKPASS\*(C'\fR environment variable is set, it specifies the
path to the helper program. Otherwise, the value specified by the
\&\fIaskpass\fR option in \fIsudoers\fR\|(@mansectform@) is used.
a (possibly graphical) helper program is executed to read the user's
password and output the password to the standard output. If the
\&\f(CW\*(C`SUDO_ASKPASS\*(C'\fR environment variable is set, it specifies the path
to the helper program. Otherwise, if \fI@sysconfdir@/sudo.conf\fR
contains a line specifying the askpass program that value will be
used. For example:
.Sp
.Vb 2
\& # Path to askpass helper program
\& Path askpass /usr/X11R6/bin/ssh\-askpass
.Ve
.Sp
If no askpass program is available, sudo will exit with an error.
.if \n(BA \{\
.IP "\-a \fItype\fR" 12
.IX Item "-a type"
@@ -521,6 +529,7 @@ policy and I/O logging, which corresponds to the following
\& #
\& # Format:
\& # Plugin plugin_name plugin_path
\& # Path askpass path/to/askpass
\& #
\& # The plugin_path is relative to @prefix@/libexec unless
\& # fully qualified.
@@ -536,10 +545,11 @@ A \f(CW\*(C`Plugin\*(C'\fR line consists of the \f(CW\*(C`Plugin\*(C'\fR keyword
plugin. The \fIsymbol_name\fR is the name of the \f(CW\*(C`struct policy_plugin\*(C'\fR
or \f(CW\*(C`struct io_plugin\*(C'\fR in the plugin shared object. The \fIpath\fR
may be fully qualified or relative. If not fully qualified it is
relative to the \fI@prefix@/libexec\fR directory. Any additional parameters
after the \fIpath\fR are ignored.
relative to the \fI@prefix@/libexec\fR directory. Any additional
parameters after the \fIpath\fR are ignored. Lines that don't begin
with \f(CW\*(C`Plugin\*(C'\fR or \f(CW\*(C`Path\*(C'\fR are silently ignored
.PP
For more information, see the \*(L"\fIsudo_plugin\fR\|(@mansectsu@) manual.\*(R"
For more information, see the \fIsudo_plugin\fR\|(@mansectsu@) manual.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
Upon successful execution of a program, the exit status from \fBsudo\fR
@@ -713,7 +723,7 @@ is not set
.ie n .IP "\fI@sysconfdir@/sudo.conf\fR" 24
.el .IP "\fI@sysconfdir@/sudo.conf\fR" 24
.IX Item "@sysconfdir@/sudo.conf"
\&\fBsudo\fR plugin configuration
\&\fBsudo\fR plugin and path configuration
.ie n .IP "\fI@sysconfdir@/sudoers\fR" 24
.el .IP "\fI@sysconfdir@/sudoers\fR" 24
.IX Item "@sysconfdir@/sudoers"
@@ -777,7 +787,7 @@ to make the \f(CW\*(C`cd\*(C'\fR and file redirection work.
.IX Header "SEE ALSO"
\&\fIgrep\fR\|(1), \fIsu\fR\|(1), \fIstat\fR\|(2),
.if \n(LC \&\fIlogin_cap\fR\|(3),
\&\fIpasswd\fR\|(@mansectform@), \fIsudoers\fR\|(@mansectform@), "\fIsudo_plugin\fR\|(@mansectsu@), "\fIsudoreplay\fR\|(@mansectsu@), \fIvisudo\fR\|(@mansectsu@)""
\&\fIpasswd\fR\|(@mansectform@), \fIsudoers\fR\|(@mansectform@), \fIsudo_plugin\fR\|(@mansectsu@), \fIsudoreplay\fR\|(@mansectsu@), \fIvisudo\fR\|(@mansectsu@)
.SH "AUTHORS"
.IX Header "AUTHORS"
Many people have worked on \fBsudo\fR over the years; this
@@ -832,12 +842,3 @@ including, but not limited to, the implied warranties of merchantability
and fitness for a particular purpose are disclaimed. See the \s-1LICENSE\s0
file distributed with \fBsudo\fR or http://www.sudo.ws/sudo/license.html
for complete details.
.SH "POD ERRORS"
.IX Header "POD ERRORS"
Hey! \fBThe above document had some coding errors, which are explained below:\fR
.IP "Around line 442:" 4
.IX Item "Around line 442:"
Unterminated L<...> sequence
.IP "Around line 678:" 4
.IX Item "Around line 678:"
Unterminated L<L<...>> sequence

28
doc/sudo.pod
View File

@@ -115,11 +115,17 @@ B<sudo> accepts the following command line options:
Normally, if B<sudo> requires a password, it will read it from the
current terminal. If the B<-A> (I<askpass>) option is specified,
a (possibly graphical) helper program is executed to read the
user's password and output the password to the standard output. If
the C<SUDO_ASKPASS> environment variable is set, it specifies the
path to the helper program. Otherwise, the value specified by the
I<askpass> option in L<sudoers(5)> is used.
a (possibly graphical) helper program is executed to read the user's
password and output the password to the standard output. If the
C<SUDO_ASKPASS> environment variable is set, it specifies the path
to the helper program. Otherwise, if F<@sysconfdir@/sudo.conf>
contains a line specifying the askpass program that value will be
used. For example:
# Path to askpass helper program
Path askpass /usr/X11R6/bin/ssh-askpass
If no askpass program is available, sudo will exit with an error.
=item -a I<type>
@@ -422,6 +428,7 @@ F<@sysconfdir@/sudo.conf> file.
#
# Format:
# Plugin plugin_name plugin_path
# Path askpass path/to/askpass
#
# The plugin_path is relative to @prefix@/libexec unless
# fully qualified.
@@ -436,10 +443,11 @@ I<symbol_name> and the I<path> to the shared object containing the
plugin. The I<symbol_name> is the name of the C<struct policy_plugin>
or C<struct io_plugin> in the plugin shared object. The I<path>
may be fully qualified or relative. If not fully qualified it is
relative to the F<@prefix@/libexec> directory. Any additional parameters
after the I<path> are ignored.
relative to the F<@prefix@/libexec> directory. Any additional
parameters after the I<path> are ignored. Lines that don't begin
with C<Plugin> or C<Path> are silently ignored
For more information, see the L<sudo_plugin(8) manual.
For more information, see the L<sudo_plugin(8)> manual.
=head1 RETURN VALUES
@@ -622,7 +630,7 @@ is not set
=item F<@sysconfdir@/sudo.conf>
B<sudo> plugin configuration
B<sudo> plugin and path configuration
=item F<@sysconfdir@/sudoers>
@@ -677,7 +685,7 @@ to make the C<cd> and file redirection work.
L<grep(1)>, L<su(1)>, L<stat(2)>,
L<login_cap(3)>,
L<passwd(5)>, L<sudoers(5)>, L<sudo_plugin(8), L<sudoreplay(8), L<visudo(8)>
L<passwd(5)>, L<sudoers(5)>, L<sudo_plugin(8)>, L<sudoreplay(8)>, L<visudo(8)>
=head1 AUTHORS

74
doc/sudo_plugin.cat
View File

@@ -31,7 +31,8 @@ SSuuddoo PPlluuggiinn AAPPII
io_plugin in the plugin shared object. The _p_a_t_h may be fully qualified
or relative. If not fully qualified it is relative to the
_/_u_s_r_/_l_o_c_a_l_/_l_i_b_e_x_e_c directory. Any additional parameters after the _p_a_t_h
are ignored.
are ignored. Lines that don't begin with Plugin or Path are silently
ignored.
The same shared object may contain multiple plugins, each with a
different symbol name. The shared object file must be owned by uid 0
@@ -44,6 +45,7 @@ SSuuddoo PPlluuggiinn AAPPII
#
# Format:
# Plugin plugin_name plugin_path
# Path askpass /path/to/askpass
#
# The plugin_path is relative to /usr/local/libexec unless
# fully qualified.
@@ -56,8 +58,6 @@ SSuuddoo PPlluuggiinn AAPPII
PPoolliiccyy PPlluuggiinn AAPPII
A policy plugin must declare and populate a policy_plugin struct in the
global scope. This structure contains pointers to the functions that
implement the ssuuddoo policy checks. The name of the symbol should be
specified in _/_e_t_c_/_s_u_d_o_._c_o_n_f along with a path to the plugin so that
@@ -70,6 +70,8 @@ SSuuddoo PPlluuggiinn AAPPII
SUDO_PLUGIN(1m) MAINTENANCE COMMANDS SUDO_PLUGIN(1m)
implement the ssuuddoo policy checks. The name of the symbol should be
specified in _/_e_t_c_/_s_u_d_o_._c_o_n_f along with a path to the plugin so that
ssuuddoo can load it.
struct policy_plugin {
@@ -121,9 +123,7 @@ SUDO_PLUGIN(1m) MAINTENANCE COMMANDS SUDO_PLUGIN(1m)
the major and minor version number of the plugin API supported
by ssuuddoo.
conversation
A pointer to the conversation function that can be used by the
plugin to interact with the user (see below).
@@ -136,6 +136,10 @@ SUDO_PLUGIN(1m) MAINTENANCE COMMANDS SUDO_PLUGIN(1m)
SUDO_PLUGIN(1m) MAINTENANCE COMMANDS SUDO_PLUGIN(1m)
conversation
A pointer to the conversation function that can be used by the
plugin to interact with the user (see below).
plugin_printf
A pointer to a printf-style function that may be used to
display informational or error messages (see below).
@@ -186,10 +190,6 @@ SUDO_PLUGIN(1m) MAINTENANCE COMMANDS SUDO_PLUGIN(1m)
set _i_m_p_l_i_e_d___s_h_e_l_l to true. This allows ssuuddoo with no
arguments to be used similarly to _s_u(1). If the plugin
does not to support this usage, it may return a value of -2
from the check_policy function, which will cause ssuuddoo to
print a usage message and exit.
@@ -202,6 +202,9 @@ SUDO_PLUGIN(1m) MAINTENANCE COMMANDS SUDO_PLUGIN(1m)
SUDO_PLUGIN(1m) MAINTENANCE COMMANDS SUDO_PLUGIN(1m)
from the check_policy function, which will cause ssuuddoo to
print a usage message and exit.
preserve_groups=bool
Set to true if the user specified the -P flag, indicating
that the user wishes to preserve the group vector instead
@@ -254,9 +257,6 @@ SUDO_PLUGIN(1m) MAINTENANCE COMMANDS SUDO_PLUGIN(1m)
Additional settings may be added in the future so the plugin
should silently ignore settings that it does not recognize.
user_info
A vector of information about the user running the command in
1.8.0a2 June 9, 2010 4
@@ -268,6 +268,8 @@ SUDO_PLUGIN(1m) MAINTENANCE COMMANDS SUDO_PLUGIN(1m)
SUDO_PLUGIN(1m) MAINTENANCE COMMANDS SUDO_PLUGIN(1m)
user_info
A vector of information about the user running the command in
the form of "name=value" strings. The vector is terminated by
a NULL pointer.
@@ -321,8 +323,6 @@ SUDO_PLUGIN(1m) MAINTENANCE COMMANDS SUDO_PLUGIN(1m)
close
void (*close)(int exit_status, int error);
The close function is called when the command being run by ssuuddoo
1.8.0a2 June 9, 2010 5
@@ -334,6 +334,7 @@ SUDO_PLUGIN(1m) MAINTENANCE COMMANDS SUDO_PLUGIN(1m)
SUDO_PLUGIN(1m) MAINTENANCE COMMANDS SUDO_PLUGIN(1m)
The close function is called when the command being run by ssuuddoo
finishes.
The function arguments are as follows:
@@ -387,7 +388,6 @@ SUDO_PLUGIN(1m) MAINTENANCE COMMANDS SUDO_PLUGIN(1m)
not allowed, -1 for a general error, or -2 for a usage error or if
ssuuddooeeddiitt was specified but is unsupported by the plugin. In the
latter case, ssuuddoo will print a usage message before it exits. If
an error occurs, the plugin may optionally call the conversation or
@@ -400,6 +400,7 @@ SUDO_PLUGIN(1m) MAINTENANCE COMMANDS SUDO_PLUGIN(1m)
SUDO_PLUGIN(1m) MAINTENANCE COMMANDS SUDO_PLUGIN(1m)
an error occurs, the plugin may optionally call the conversation or
plugin_printf function with SUDO_CONF_ERROR_MSG to present
additional error information to the user.
@@ -453,7 +454,6 @@ SUDO_PLUGIN(1m) MAINTENANCE COMMANDS SUDO_PLUGIN(1m)
runas_groups=list
The supplementary group vector to use for the command in
the form of a comma-separated list of group IDs. If
_p_r_e_s_e_r_v_e___g_r_o_u_p_s is set, this option is ignored.
@@ -466,6 +466,8 @@ SUDO_PLUGIN(1m) MAINTENANCE COMMANDS SUDO_PLUGIN(1m)
SUDO_PLUGIN(1m) MAINTENANCE COMMANDS SUDO_PLUGIN(1m)
_p_r_e_s_e_r_v_e___g_r_o_u_p_s is set, this option is ignored.
login_class=login_class
BSD login class to use when setting resource limits and
nice value (optional). This option is only set on systems
@@ -518,8 +520,6 @@ SUDO_PLUGIN(1m) MAINTENANCE COMMANDS SUDO_PLUGIN(1m)
argv_out
The NULL-terminated argument vector to pass to the _e_x_e_c_v_e_(_)
system call when executing the command. The plugin is
responsible for allocating and populating the vector.
@@ -532,6 +532,9 @@ SUDO_PLUGIN(1m) MAINTENANCE COMMANDS SUDO_PLUGIN(1m)
SUDO_PLUGIN(1m) MAINTENANCE COMMANDS SUDO_PLUGIN(1m)
system call when executing the command. The plugin is
responsible for allocating and populating the vector.
user_env_out
The NULL-terminated environment vector to use when executing
the command. The plugin is responsible for allocating and
@@ -583,9 +586,6 @@ SUDO_PLUGIN(1m) MAINTENANCE COMMANDS SUDO_PLUGIN(1m)
Returns 1 on success, 0 on failure and -1 on error. On error, the
plugin may optionally call the conversation or plugin_printf
function with SUDO_CONF_ERROR_MSG to present additional error
information to the user.
@@ -598,6 +598,8 @@ SUDO_PLUGIN(1m) MAINTENANCE COMMANDS SUDO_PLUGIN(1m)
SUDO_PLUGIN(1m) MAINTENANCE COMMANDS SUDO_PLUGIN(1m)
information to the user.
invalidate
void (*invalidate)(int remove);
@@ -651,8 +653,6 @@ SUDO_PLUGIN(1m) MAINTENANCE COMMANDS SUDO_PLUGIN(1m)
const char *msg;
};
struct sudo_conv_reply {
1.8.0a2 June 9, 2010 10
@@ -664,6 +664,8 @@ SUDO_PLUGIN(1m) MAINTENANCE COMMANDS SUDO_PLUGIN(1m)
SUDO_PLUGIN(1m) MAINTENANCE COMMANDS SUDO_PLUGIN(1m)
struct sudo_conv_reply {
char *reply;
};
@@ -716,8 +718,6 @@ SUDO_PLUGIN(1m) MAINTENANCE COMMANDS SUDO_PLUGIN(1m)
I/O for logging before passing it on.
The log_ttyin function receives the raw user input from the terminal
device (note that this will include input even when echo is disabled,
such as when a password is read). The log_ttyout function receives
@@ -730,6 +730,8 @@ SUDO_PLUGIN(1m) MAINTENANCE COMMANDS SUDO_PLUGIN(1m)
SUDO_PLUGIN(1m) MAINTENANCE COMMANDS SUDO_PLUGIN(1m)
device (note that this will include input even when echo is disabled,
such as when a password is read). The log_ttyout function receives
output from the pseudo-tty that is suitable for replaying the user's
session at a later time. The log_stdin, log_stdout and log_stderr
functions are only called if the standard input, standard output or
@@ -782,8 +784,6 @@ SUDO_PLUGIN(1m) MAINTENANCE COMMANDS SUDO_PLUGIN(1m)
plugin_printf
A pointer to a printf-style function that may be used by the
_s_h_o_w___v_e_r_s_i_o_n function to display version information (see
show_version below). The plugin_printf function may also be
used to display additional error message to the user.
@@ -796,6 +796,9 @@ SUDO_PLUGIN(1m) MAINTENANCE COMMANDS SUDO_PLUGIN(1m)
SUDO_PLUGIN(1m) MAINTENANCE COMMANDS SUDO_PLUGIN(1m)
show_version below). The plugin_printf function may also be
used to display additional error message to the user.
settings
A vector of user-supplied ssuuddoo settings in the form of
"name=value" strings. The vector is terminated by a NULL
@@ -847,9 +850,6 @@ SUDO_PLUGIN(1m) MAINTENANCE COMMANDS SUDO_PLUGIN(1m)
The function arguments are as follows:
exit_status
The command's exit status, as returned by the _w_a_i_t(2) system
call. The value of exit_status is undefined if error is non-
@@ -862,6 +862,9 @@ SUDO_PLUGIN(1m) MAINTENANCE COMMANDS SUDO_PLUGIN(1m)
SUDO_PLUGIN(1m) MAINTENANCE COMMANDS SUDO_PLUGIN(1m)
exit_status
The command's exit status, as returned by the _w_a_i_t(2) system
call. The value of exit_status is undefined if error is non-
zero.
error
@@ -913,9 +916,6 @@ SUDO_PLUGIN(1m) MAINTENANCE COMMANDS SUDO_PLUGIN(1m)
log_stdin
int (*log_stdin)(const char *buf, unsigned int len);
The _l_o_g___s_t_d_i_n function is only used if the standard input does not
correspond to a tty device. It is called whenever data can be read
from the standard input but before it is passed to the running
@@ -928,6 +928,9 @@ SUDO_PLUGIN(1m) MAINTENANCE COMMANDS SUDO_PLUGIN(1m)
SUDO_PLUGIN(1m) MAINTENANCE COMMANDS SUDO_PLUGIN(1m)
The _l_o_g___s_t_d_i_n function is only used if the standard input does not
correspond to a tty device. It is called whenever data can be read
from the standard input but before it is passed to the running
command. This allows the plugin to reject data if it chooses to
(for instance if the input contains banned content). Returns 1 if
the data should be passed to the command, 0 if the data is rejected
@@ -982,9 +985,6 @@ SUDO_PLUGIN(1m) MAINTENANCE COMMANDS SUDO_PLUGIN(1m)
1.8.0a2 June 9, 2010 15

6
doc/sudo_plugin.man.in
View File

@@ -171,8 +171,9 @@ A \f(CW\*(C`Plugin\*(C'\fR line consists of the \f(CW\*(C`Plugin\*(C'\fR keyword
plugin. The \fIsymbol_name\fR is the name of the \f(CW\*(C`struct policy_plugin\*(C'\fR
or \f(CW\*(C`struct io_plugin\*(C'\fR in the plugin shared object. The \fIpath\fR
may be fully qualified or relative. If not fully qualified it is
relative to the \fI@prefix@/libexec\fR directory. Any additional parameters
after the \fIpath\fR are ignored.
relative to the \fI@prefix@/libexec\fR directory. Any additional
parameters after the \fIpath\fR are ignored. Lines that don't begin
with \f(CW\*(C`Plugin\*(C'\fR or \f(CW\*(C`Path\*(C'\fR are silently ignored.
.PP
The same shared object may contain multiple plugins, each with a
different symbol name. The shared object file must be owned by uid
@@ -186,6 +187,7 @@ This limitation does not apply to I/O plugins.
\& #
\& # Format:
\& # Plugin plugin_name plugin_path
\& # Path askpass /path/to/askpass
\& #
\& # The plugin_path is relative to @prefix@/libexec unless
\& # fully qualified.

6
doc/sudo_plugin.pod
View File

@@ -43,8 +43,9 @@ I<symbol_name> and the I<path> to the shared object containing the
plugin. The I<symbol_name> is the name of the C<struct policy_plugin>
or C<struct io_plugin> in the plugin shared object. The I<path>
may be fully qualified or relative. If not fully qualified it is
relative to the F<@prefix@/libexec> directory. Any additional parameters
after the I<path> are ignored.
relative to the F<@prefix@/libexec> directory. Any additional
parameters after the I<path> are ignored. Lines that don't begin
with C<Plugin> or C<Path> are silently ignored.
The same shared object may contain multiple plugins, each with a
different symbol name. The shared object file must be owned by uid
@@ -57,6 +58,7 @@ This limitation does not apply to I/O plugins.
#
# Format:
# Plugin plugin_name plugin_path
# Path askpass /path/to/askpass
#
# The plugin_path is relative to @prefix@/libexec unless
# fully qualified.

21
plugins/sudoers/check.c
View File

@@ -136,26 +136,7 @@ check_user(int validated, int mode)
return -1;
}
#if 0 /* XXX - checks need to be done in main driver */
/* If user specified -A, make sure we have an askpass helper. */
if (ISSET(tgetpass_flags, TGP_ASKPASS)) {
if (user_askpass == NULL)
log_error(NO_MAIL,
"no askpass program specified, try setting SUDO_ASKPASS");
} else if (!ISSET(tgetpass_flags, TGP_STDIN)) {
/* If no tty but DISPLAY is set, use askpass if we have it. */
if (!user_ttypath && !tty_present()) {
if (user_askpass && user_display && *user_display != '\0') {
SET(tgetpass_flags, TGP_ASKPASS);
} else if (!def_visiblepw) {
log_error(NO_MAIL,
"no tty present and no askpass program specified");
}
}
}
if (!ISSET(tgetpass_flags, TGP_ASKPASS))
#endif
/* XXX - should not lecture if askpass help is being used. */
lecture(status);
/* Expand any escapes in the prompt. */

4
plugins/sudoers/def_data.c
View File

@@ -286,10 +286,6 @@ struct sudo_defs_types sudo_defs_table[] = {
"type", T_STR,
"SELinux type to use in the new security context: %s",
NULL,
}, {
"askpass", T_STR|T_PATH|T_BOOL,
"Path to the askpass helper program: %s",
NULL,
}, {
"env_file", T_STR|T_PATH|T_BOOL,
"Path to the sudo-specific environment file: %s",

42
plugins/sudoers/def_data.h
View File

@@ -130,28 +130,26 @@
#define I_ROLE 64
#define def_type (sudo_defs_table[65].sd_un.str)
#define I_TYPE 65
#define def_askpass (sudo_defs_table[66].sd_un.str)
#define I_ASKPASS 66
#define def_env_file (sudo_defs_table[67].sd_un.str)
#define I_ENV_FILE 67
#define def_sudoers_locale (sudo_defs_table[68].sd_un.str)
#define I_SUDOERS_LOCALE 68
#define def_visiblepw (sudo_defs_table[69].sd_un.flag)
#define I_VISIBLEPW 69
#define def_pwfeedback (sudo_defs_table[70].sd_un.flag)
#define I_PWFEEDBACK 70
#define def_fast_glob (sudo_defs_table[71].sd_un.flag)
#define I_FAST_GLOB 71
#define def_umask_override (sudo_defs_table[72].sd_un.flag)
#define I_UMASK_OVERRIDE 72
#define def_log_input (sudo_defs_table[73].sd_un.flag)
#define I_LOG_INPUT 73
#define def_log_output (sudo_defs_table[74].sd_un.flag)
#define I_LOG_OUTPUT 74
#define def_compress_io (sudo_defs_table[75].sd_un.flag)
#define I_COMPRESS_IO 75
#define def_use_pty (sudo_defs_table[76].sd_un.flag)
#define I_USE_PTY 76
#define def_env_file (sudo_defs_table[66].sd_un.str)
#define I_ENV_FILE 66
#define def_sudoers_locale (sudo_defs_table[67].sd_un.str)
#define I_SUDOERS_LOCALE 67
#define def_visiblepw (sudo_defs_table[68].sd_un.flag)
#define I_VISIBLEPW 68
#define def_pwfeedback (sudo_defs_table[69].sd_un.flag)
#define I_PWFEEDBACK 69
#define def_fast_glob (sudo_defs_table[70].sd_un.flag)
#define I_FAST_GLOB 70
#define def_umask_override (sudo_defs_table[71].sd_un.flag)
#define I_UMASK_OVERRIDE 71
#define def_log_input (sudo_defs_table[72].sd_un.flag)
#define I_LOG_INPUT 72
#define def_log_output (sudo_defs_table[73].sd_un.flag)
#define I_LOG_OUTPUT 73
#define def_compress_io (sudo_defs_table[74].sd_un.flag)
#define I_COMPRESS_IO 74
#define def_use_pty (sudo_defs_table[75].sd_un.flag)
#define I_USE_PTY 75
enum def_tupple {
never,

3
plugins/sudoers/def_data.in
View File

@@ -211,9 +211,6 @@ role
type
T_STR
"SELinux type to use in the new security context: %s"
askpass
T_STR|T_PATH|T_BOOL
"Path to the askpass helper program: %s"
env_file
T_STR|T_PATH|T_BOOL
"Path to the sudo-specific environment file: %s"

3
plugins/sudoers/defaults.c
View File

@@ -444,9 +444,6 @@ init_defaults(void)
#endif
#ifdef ENV_EDITOR
def_env_editor = TRUE;
#endif
#ifdef _PATH_SUDO_ASKPASS
def_askpass = estrdup(_PATH_SUDO_ASKPASS);
#endif
def_sudoers_locale = estrdup("C");
def_env_reset = TRUE;

6
plugins/sudoers/sudoers.c
View File

@@ -718,10 +718,6 @@ init_vars(char * const envp[])
for (ep = envp; *ep; ep++) {
/* XXX - don't fill in if empty string */
switch (**ep) {
case 'D':
if (strncmp("DISPLAY=", *ep, 8) == 0)
user_display = *ep + 8;
break;
case 'K':
if (strncmp("KRB5CCNAME=", *ep, 11) == 0)
user_ccname = *ep + 11;
@@ -735,8 +731,6 @@ init_vars(char * const envp[])
user_prompt = *ep + 12;
else if (strncmp("SUDO_USER=", *ep, 10) == 0)
prev_user = *ep + 10;
else if (strncmp("SUDO_ASKPASS=", *ep, 13) == 0)
user_askpass = *ep + 13;
break;
}
}

4
plugins/sudoers/sudoers.h
View File

@@ -60,8 +60,6 @@ struct sudo_user {
char *cmnd_safe;
char *class_name;
char *krb5_ccname;
char *display;
char *askpass;
int closefrom;
int ngroups;
uid_t uid;
@@ -171,8 +169,6 @@ struct sudo_user {
#define user_host (sudo_user.host)
#define user_shost (sudo_user.shost)
#define user_ccname (sudo_user.krb5_ccname)
#define user_display (sudo_user.display)
#define user_askpass (sudo_user.askpass)
#define safe_cmnd (sudo_user.cmnd_safe)
#define login_class (sudo_user.class_name)
#define runas_pw (sudo_user._runas_pw)

19
src/load_plugins.c
View File

@@ -82,22 +82,35 @@ sudo_read_conf(const char *conf_file)
if (*cp == '\0')
continue;
/* Look for a line starting with "Plugin" */
if (strncasecmp(cp, "Plugin", 6) != 0)
/* Look for a line starting with "Path" */
if (strncasecmp(cp, "Path", 4) == 0) {
/* Parse line */
if ((name = strtok(cp + 4, " \t")) == NULL ||
(path = strtok(NULL, " \t")) == NULL) {
continue;
}
if (strcasecmp(name, "askpass") != 0)
continue;
/* XXX - Just set in environment for now */
setenv("SUDO_ASKPASS", path, 0);
continue;
}
/* Look for a line starting with "Plugin" */
if (strncasecmp(cp, "Plugin", 6) == 0) {
/* Parse line */
if ((name = strtok(cp + 6, " \t")) == NULL ||
(path = strtok(NULL, " \t")) == NULL) {
continue;
}
info = emalloc(sizeof(*info));
info->symbol_name = estrdup(name);
info->path = estrdup(path);
info->prev = info;
info->next = NULL;
tq_append(&pil, info);
continue;
}
}
fclose(fp);

5
src/parse_args.c
View File

@@ -367,6 +367,11 @@ parse_args(int argc, char **argv, int *nargc, char ***nargv, char ***settingsp,
sudo_settings[ARG_IMPLIED_SHELL].value = "true";
}
#ifndef _PATH_SUDO_ASKPASS
if (ISSET(tgetpass_flags, TGP_ASKPASS) && !getenv("SUDO_ASKPASS"))
errorx(1, "no askpass program specified, try setting SUDO_ASKPASS");
#endif
if (mode == MODE_HELP)
usage(0);

19
src/tgetpass.c
View File

@@ -79,16 +79,25 @@ tgetpass(const char *prompt, int timeout, int flags)
(void) fflush(stdout);
/* If using a helper program to get the password, run it instead. */
/* XXX - askpass may be set by policy */
if (ISSET(flags, TGP_ASKPASS)) {
if (!askpass) {
if (askpass == NULL) {
askpass = getenv("SUDO_ASKPASS");
#ifdef _PATH_SUDO_ASKPASS
if (!askpass)
if (askpass == NULL)
askpass = _PATH_SUDO_ASKPASS;
#endif
}
/* If no tty present and we need to disable echo, try askpass. */
if (!ISSET(flags, TGP_STDIN|TGP_ECHO|TGP_ASKPASS) && !tty_present()) {
if (askpass == NULL || getenv("DISPLAY") == NULL) {
warningx("no tty present and no askpass program specified");
return(NULL);
}
SET(flags, TGP_ASKPASS);
}
/* If using a helper program to get the password, run it instead. */
if (ISSET(flags, TGP_ASKPASS)) {
if (askpass && *askpass)
return(sudo_askpass(askpass, prompt));
}