manuals and cross-reference the new sudo.conf manual.
input/output logging. Third parties can develop and distribute their own
policy and I/O logging plugins to work seamlessly with the s\bsu\bud\bdo\bo front
end. The default security policy is _\bs_\bu_\bd_\bo_\be_\br_\bs, which is configured via the
- file _\b/_\be_\bt_\bc_\b/_\bs_\bu_\bd_\bo_\be_\br_\bs, or via LDAP. See the _\bP_\bL_\bU_\bG_\bI_\bN_\bS section for more
+ file _\b/_\be_\bt_\bc_\b/_\bs_\bu_\bd_\bo_\be_\br_\bs, or via LDAP. See the _\bP_\bl_\bu_\bg_\bi_\bn_\bs section for more
information.
The security policy determines what privileges, if any, a user has to run
to read the user's password and output the password to the
standard output. If the SUDO_ASKPASS environment variable is
set, it specifies the path to the helper program. Otherwise,
- if _\b/_\be_\bt_\bc_\b/_\bs_\bu_\bd_\bo_\b._\bc_\bo_\bn_\bf contains a line specifying the askpass
+ if sudo.conf(4) contains a line specifying the askpass
program, that value will be used. For example:
# Path to askpass helper program
C\bCO\bOM\bMM\bMA\bAN\bND\bD E\bEX\bXE\bEC\bCU\bUT\bTI\bIO\bON\bN
When s\bsu\bud\bdo\bo executes a command, the security policy specifies the execution
- envionment for the command. Typically, the real and effective uid and
+ environment for the command. Typically, the real and effective uid and
gid are set to match those of the target user, as specified in the
password database, and the group vector is initialized based on the group
database (unless the -\b-P\bP option was specified).
As a special case, s\bsu\bud\bdo\bo will not relay signals that were sent by the
command it is running. This prevents the command from accidentally
killing itself. On some systems, the reboot(1m) command sends SIGTERM to
- all non-system processes other than itself before rebooting the systyem.
+ all non-system processes other than itself before rebooting the system.
This prevents s\bsu\bud\bdo\bo from relaying the SIGTERM signal it received back to
reboot(1m), which might then exit before the system was actually rebooted,
leaving it in a half-dead state similar to single user mode. Note,
run using the e\bex\bxe\bec\bc() family of functions instead of s\bsy\bys\bst\bte\bem\bm() (which
interposes a shell between the command and the calling process).
-P\bPL\bLU\bUG\bGI\bIN\bNS\bS
- Plugins are dynamically loaded based on the contents of the
- _\b/_\be_\bt_\bc_\b/_\bs_\bu_\bd_\bo_\b._\bc_\bo_\bn_\bf file. If no _\b/_\be_\bt_\bc_\b/_\bs_\bu_\bd_\bo_\b._\bc_\bo_\bn_\bf file is present, or it
- contains no Plugin lines, s\bsu\bud\bdo\bo will use the traditional _\bs_\bu_\bd_\bo_\be_\br_\bs security
- policy and I/O logging, which corresponds to the following _\b/_\be_\bt_\bc_\b/_\bs_\bu_\bd_\bo_\b._\bc_\bo_\bn_\bf
- file.
-
- #
- # Default /etc/sudo.conf file
- #
- # Format:
- # Plugin plugin_name plugin_path plugin_options ...
- # Path askpass /path/to/askpass
- # Path noexec /path/to/sudo_noexec.so
- # Debug sudo /var/log/sudo_debug all@warn
- # Set disable_coredump true
- #
- # The plugin_path is relative to /usr/local/libexec unless
- # fully qualified.
- # The plugin_name corresponds to a global symbol in the plugin
- # that contains the plugin interface structure.
- # The plugin_options are optional.
- #
- Plugin policy_plugin sudoers.so
- Plugin io_plugin sudoers.so
-
- A Plugin line consists of the Plugin keyword, followed by the _\bs_\by_\bm_\bb_\bo_\bl_\b__\bn_\ba_\bm_\be
- and the _\bp_\ba_\bt_\bh to the shared object containing the plugin. The _\bs_\by_\bm_\bb_\bo_\bl_\b__\bn_\ba_\bm_\be
- is the name of the struct policy_plugin or struct io_plugin in the plugin
- shared object. The _\bp_\ba_\bt_\bh may be fully qualified or relative. If not
- fully qualified it is relative to the _\b/_\bu_\bs_\br_\b/_\bl_\bo_\bc_\ba_\bl_\b/_\bl_\bi_\bb_\be_\bx_\be_\bc directory. Any
- additional parameters after the _\bp_\ba_\bt_\bh are passed as arguments to the
- plugin's _\bo_\bp_\be_\bn function. Lines that don't begin with Plugin, Path, Debug,
- or Set are silently ignored.
-
- The _\b/_\be_\bt_\bc_\b/_\bs_\bu_\bd_\bo_\b._\bc_\bo_\bn_\bf file is always parsed in the ``C'' locale.
-
- For more information, see the sudo_plugin(1m) manual.
-
-P\bPA\bAT\bTH\bHS\bS
- A Path line consists of the Path keyword, followed by the name of the
- path to set and its value. E.g.
-
- Path noexec /usr/local/libexec/sudo_noexec.so
- Path askpass /usr/X11R6/bin/ssh-askpass
-
- The following plugin-agnostic paths may be set in the _\b/_\be_\bt_\bc_\b/_\bs_\bu_\bd_\bo_\b._\bc_\bo_\bn_\bf
- file:
-
- askpass The fully qualified path to a helper program used to read the
- user's password when no terminal is available. This may be the
- case when s\bsu\bud\bdo\bo is executed from a graphical (as opposed to
- text-based) application. The program specified by _\ba_\bs_\bk_\bp_\ba_\bs_\bs
- should display the argument passed to it as the prompt and
- write the user's password to the standard output. The value of
- _\ba_\bs_\bk_\bp_\ba_\bs_\bs may be overridden by the SUDO_ASKPASS environment
- variable.
-
- noexec The fully-qualified path to a shared library containing dummy
- versions of the e\bex\bxe\bec\bcv\bv(), e\bex\bxe\bec\bcv\bve\be() and f\bfe\bex\bxe\bec\bcv\bve\be() library
- functions that just return an error. This is used to implement
- the _\bn_\bo_\be_\bx_\be_\bc functionality on systems that support LD_PRELOAD or
- its equivalent. Defaults to _\b/_\bu_\bs_\br_\b/_\bl_\bo_\bc_\ba_\bl_\b/_\bl_\bi_\bb_\be_\bx_\be_\bc_\b/_\bs_\bu_\bd_\bo_\b__\bn_\bo_\be_\bx_\be_\bc_\b._\bs_\bo.
-
-D\bDE\bEB\bBU\bUG\bG F\bFL\bLA\bAG\bGS\bS
- s\bsu\bud\bdo\bo versions 1.8.4 and higher support a flexible debugging framework
- that can help track down what s\bsu\bud\bdo\bo is doing internally if there is a
- problem.
-
- A Debug line consists of the Debug keyword, followed by the name of the
- program to debug (s\bsu\bud\bdo\bo, v\bvi\bis\bsu\bud\bdo\bo, s\bsu\bud\bdo\bor\bre\bep\bpl\bla\bay\by), the debug file name and a
- comma-separated list of debug flags. The debug flag syntax used by s\bsu\bud\bdo\bo
- and the _\bs_\bu_\bd_\bo_\be_\br_\bs plugin is _\bs_\bu_\bb_\bs_\by_\bs_\bt_\be_\bm@_\bp_\br_\bi_\bo_\br_\bi_\bt_\by but the plugin is free to
- use a different format so long as it does not include a comma (`,').
-
- For instance:
-
- Debug sudo /var/log/sudo_debug all@warn,plugin@info
-
- would log all debugging statements at the _\bw_\ba_\br_\bn level and higher in
- addition to those at the _\bi_\bn_\bf_\bo level for the plugin subsystem.
-
- Currently, only one Debug entry per program is supported. The s\bsu\bud\bdo\bo Debug
- entry is shared by the s\bsu\bud\bdo\bo front end, s\bsu\bud\bdo\boe\bed\bdi\bit\bt and the plugins. A
- future release may add support for per-plugin Debug lines and/or support
- for multiple debugging files for a single program.
-
- The priorities used by the s\bsu\bud\bdo\bo front end, in order of decreasing
- severity, are: _\bc_\br_\bi_\bt, _\be_\br_\br, _\bw_\ba_\br_\bn, _\bn_\bo_\bt_\bi_\bc_\be, _\bd_\bi_\ba_\bg, _\bi_\bn_\bf_\bo, _\bt_\br_\ba_\bc_\be and _\bd_\be_\bb_\bu_\bg.
- Each priority, when specified, also includes all priorities higher than
- it. For example, a priority of _\bn_\bo_\bt_\bi_\bc_\be would include debug messages
- logged at _\bn_\bo_\bt_\bi_\bc_\be and higher.
-
- The following subsystems are used by the s\bsu\bud\bdo\bo front-end:
-
- _\ba_\bl_\bl matches every subsystem
-
- _\ba_\br_\bg_\bs command line argument processing
-
- _\bc_\bo_\bn_\bv user conversation
-
- _\be_\bd_\bi_\bt sudoedit
-
- _\be_\bx_\be_\bc command execution
-
- _\bm_\ba_\bi_\bn s\bsu\bud\bdo\bo main function
-
- _\bn_\be_\bt_\bi_\bf network interface handling
-
- _\bp_\bc_\bo_\bm_\bm communication with the plugin
-
- _\bp_\bl_\bu_\bg_\bi_\bn plugin configuration
-
- _\bp_\bt_\by pseudo-tty related code
-
- _\bs_\be_\bl_\bi_\bn_\bu_\bx SELinux-specific handling
-
- _\bu_\bt_\bi_\bl utility functions
-
- _\bu_\bt_\bm_\bp utmp handling
+ P\bPl\blu\bug\bgi\bin\bns\bs
+ Plugins are dynamically loaded based on the contents of the sudo.conf(4)
+ file. If no sudo.conf(4) file is present, or it contains no Plugin
+ lines, s\bsu\bud\bdo\bo will use the traditional _\bs_\bu_\bd_\bo_\be_\br_\bs security policy and I/O
+ logging. See the sudo.conf(4) manual for details of the _\b/_\be_\bt_\bc_\b/_\bs_\bu_\bd_\bo_\b._\bc_\bo_\bn_\bf
+ file and the sudo_plugin(1m) manual for more information about the s\bsu\bud\bdo\bo
+ plugin architecture.
E\bEX\bXI\bIT\bT V\bVA\bAL\bLU\bUE\bE
Upon successful execution of a program, the exit status from _\bs_\bu_\bd_\bo will
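Review bot: the replacement paragraph drops several statements that had no other home in sudo(1m), so the new sudo.conf(4) manual (not part of this diff) needs to be checked for each of them: that the file is always parsed in the ``C'' locale, that unrecognized lines (anything not starting with Plugin, Path, Debug or Set) are silently ignored, the askpass and noexec Path semantics including the LD_PRELOAD-based noexec library, and the full Debug priority and subsystem lists. The silent-ignore rule in particular is worth preserving verbatim, since a misspelled Plugin line falls back to the default sudoers policy without any diagnostic. Consolidating is the right move, though: the old default-file listing here used the symbol names `policy_plugin` and `io_plugin`, while the sudo_plugin(1m) copy used `sudoers_policy` and `sudoers_io`, and a single manual removes that contradiction.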
disables core dumps by default while it is executing (they are re-enabled
for the command that is run). To aid in debugging s\bsu\bud\bdo\bo crashes, you may
wish to re-enable core dumps by setting ``disable_coredump'' to false in
- the _\b/_\be_\bt_\bc_\b/_\bs_\bu_\bd_\bo_\b._\bc_\bo_\bn_\bf file as follows:
+ the sudo.conf(4) file as follows:
Set disable_coredump false
- Note that by default, most operating systems disable core dumps from
- setuid programs, which includes s\bsu\bud\bdo\bo. To actually get a s\bsu\bud\bdo\bo core file
- you may need to enable core dumps for setuid processes. On BSD and Linux
- systems this is accomplished via the sysctl command, on Solaris the
- coreadm command can be used.
+ See the sudo.conf(4) manual for more information.
E\bEN\bNV\bVI\bIR\bRO\bON\bNM\bME\bEN\bNT\bT
s\bsu\bud\bdo\bo utilizes the following environment variables. The security policy
$ sudo sh -c "cd /home ; du -s * | sort -rn > USAGE"
S\bSE\bEE\bE A\bAL\bLS\bSO\bO
- su(1), stat(2), login_cap(3), passwd(4), sudoers(4), sudo_plugin(1m),
- sudoreplay(1m), visudo(1m)
+ su(1), stat(2), login_cap(3), passwd(4), sudo.conf(4), sudoers(4),
+ sudo_plugin(1m), sudoreplay(1m), visudo(1m)
H\bHI\bIS\bST\bTO\bOR\bRY\bY
See the HISTORY file in the s\bsu\bud\bdo\bo distribution
file distributed with s\bsu\bud\bdo\bo or http://www.sudo.ws/sudo/license.html for
complete details.
-Sudo 1.8.7 November 12, 2012 Sudo 1.8.7
+Sudo 1.8.7 February 5, 2013 Sudo 1.8.7
Plugin sudoers_policy /usr/local/libexec/sudoers.so
- Any additional parameters after the _\bp_\ba_\bt_\bh are passed as arguments to the
- plugin's _\bo_\bp_\be_\bn function. For example, to override the compile-time
- default sudoers file mode:
+ Starting with s\bsu\bud\bdo\bo 1.8.5, any additional parameters after the _\bp_\ba_\bt_\bh are
+ passed as arguments to the plugin's _\bo_\bp_\be_\bn function. For example, to
+ override the compile-time default sudoers file mode:
Plugin sudoers_policy sudoers.so sudoers_mode=0440
+ The same shared object may contain multiple plugins, each with a
+ different symbol name. The shared object file must be owned by uid 0 and
+ only writable by its owner. Because of ambiguities that arise from
+ composite policies, only a single policy plugin may be specified. This
+ limitation does not apply to I/O plugins.
+
If no s\bsu\bud\bdo\bo.\b.c\bco\bon\bnf\bf file is present, or if it contains no Plugin lines, the
s\bsu\bud\bdo\boe\ber\brs\bs plugin will be used as the default security policy and for I/O
logging (if enabled by the policy). This is equivalent to the following:
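Review bot: the new ownership paragraph states the requirement ("owned by uid 0 and only writable by its owner") but not the consequence of violating it; say whether sudo refuses to load a plugin that fails the check, and whether the check covers the group and other write bits and is applied after a relative path is resolved under the plugin directory. Likewise, "only a single policy plugin may be specified" should say what happens when two Plugin lines name policy plugins (error, or first line wins). Suggested wording for the first point: "If the shared object does not meet these requirements, sudo will refuse to load it." (or whatever the front end actually does).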
Note that most operating systems disable core dumps from setuid
programs, including s\bsu\bud\bdo\bo. To actually get a s\bsu\bud\bdo\bo core file you
will likely need to enable core dumps for setuid processes. On
- BSD and Linux systems this is accomplished via the sysctl
+ BSD and Linux systems this is accomplished in the sysctl
command. On Solaris, the coreadm command is used to configure
core dump behavior.
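Review bot: "accomplished in the sysctl command" reads worse than the original "via the sysctl command"; use "using the sysctl command" or "via sysctl" here and in the matching sudo.conf.man.in and sudo.conf.mdoc.in hunks below, which carry the same change.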
#Set group_source static
S\bSE\bEE\bE A\bAL\bLS\bSO\bO
- sudoers(4), sudo(1m), sudo_plugin(1m),
+ sudoers(4), sudo(1m), sudo_plugin(1m)
H\bHI\bIS\bST\bTO\bOR\bRY\bY
See the HISTORY file in the s\bsu\bud\bdo\bo distribution
file distributed with s\bsu\bud\bdo\bo or http://www.sudo.ws/sudo/license.html for
complete details.
-Sudo 1.8.7 February 1, 2013 Sudo 1.8.7
+Sudo 1.8.7 February 5, 2013 Sudo 1.8.7
.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
.\" ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
.\"
-.TH "SUDO" "5" "February 1, 2013" "Sudo @PACKAGE_VERSION@" "OpenBSD Programmer's Manual"
+.TH "SUDO" "5" "February 5, 2013" "Sudo @PACKAGE_VERSION@" "OpenBSD Programmer's Manual"
.nh
.if n .ad l
.SH "NAME"
.RE
.fi
.PP
-Any additional parameters after the
+Starting with
+\fBsudo\fR
+1.8.5, any additional parameters after the
\fIpath\fR
are passed as arguments to the plugin's
\fIopen\fR
.RE
.fi
.PP
+The same shared object may contain multiple plugins, each with a
+different symbol name.
+The shared object file must be owned by uid 0 and only writable by its owner.
+Because of ambiguities that arise from composite policies, only a single
+policy plugin may be specified.
+This limitation does not apply to I/O plugins.
+.PP
If no
\fBsudo.conf\fR
file is present, or if it contains no
To actually get a
\fBsudo\fR
core file you will likely need to enable core dumps for setuid processes.
-On BSD and Linux systems this is accomplished via the
+On BSD and Linux systems this is accomplished in the
sysctl
command.
On Solaris, the
.SH "SEE ALSO"
sudoers(@mansectform@),
sudo(@mansectsu@),
-sudo_plugin(@mansectsu@),
+sudo_plugin(@mansectsu@)
.SH "HISTORY"
See the HISTORY file in the
\fBsudo\fR
Plugin sudoers_policy @PLUGINDIR@/sudoers.so
.Ed
.Pp
-Any additional parameters after the
+Starting with
+.Nm sudo
+1.8.5, any additional parameters after the
.Em path
are passed as arguments to the plugin's
.Em open
Plugin sudoers_policy sudoers.so sudoers_mode=0440
.Ed
.Pp
+The same shared object may contain multiple plugins, each with a
+different symbol name.
+The shared object file must be owned by uid 0 and only writable by its owner.
+Because of ambiguities that arise from composite policies, only a single
+policy plugin may be specified.
+This limitation does not apply to I/O plugins.
+.Pp
If no
.Nm sudo.conf
file is present, or if it contains no
To actually get a
.Nm sudo
core file you will likely need to enable core dumps for setuid processes.
-On BSD and Linux systems this is accomplished via the
+On BSD and Linux systems this is accomplished in the
.Xr sysctl
command.
On Solaris, the
.\" DO NOT EDIT THIS FILE, IT IS NOT THE MASTER!
.\" IT IS GENERATED AUTOMATICALLY FROM sudo.mdoc.in
.\"
-.\" Copyright (c) 1994-1996, 1998-2005, 2007-2012
+.\" Copyright (c) 1994-1996, 1998-2005, 2007-2013
.\" Todd C. Miller <Todd.Miller@courtesan.com>
.\"
.\" Permission to use, copy, modify, and distribute this software for any
.\" Agency (DARPA) and Air Force Research Laboratory, Air Force
.\" Materiel Command, USAF, under agreement number F39502-99-1-0512.
.\"
-.TH "SUDO" "@mansectsu@" "November 12, 2012" "Sudo @PACKAGE_VERSION@" "System Manager's Manual"
+.TH "SUDO" "@mansectsu@" "February 5, 2013" "Sudo @PACKAGE_VERSION@" "System Manager's Manual"
.nh
.if n .ad l
.SH "NAME"
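Review bot: this file's header says it is generated automatically from sudo.mdoc.in, so the edits to sudo.man.in should come from regenerating rather than from hand-editing; the `.TH` date matches the `.Dd` date in the mdoc hunk and the `.SS "Plugins"`/`.Ss Plugins` pairs line up, which suggests they are in sync, but a regeneration diff would confirm nothing else drifted.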
\fI@sysconfdir@/sudoers\fR,
or via LDAP.
See the
-\fIPLUGINS\fR
+\fIPlugins\fR
section for more information.
.PP
The security policy determines what privileges, if any, a user has
environment variable is set, it specifies the path to the helper
program.
Otherwise, if
-\fI@sysconfdir@/sudo.conf\fR
+sudo.conf(@mansectform@)
contains a line specifying the askpass program, that value will be
used.
For example:
When
\fBsudo\fR
executes a command, the security policy specifies the execution
-envionment for the command.
+environment for the command.
Typically, the real and effective uid and gid are set to
match those of the target user, as specified in the password database,
and the group vector is initialized based on the group database
command sends
\fRSIGTERM\fR
to all non-system processes other than itself before rebooting
-the systyem.
+the system.
This prevents
\fBsudo\fR
from relaying the
family of functions instead of
\fBsystem\fR()
(which interposes a shell between the command and the calling process).
-.SH "PLUGINS"
+.SS "Plugins"
Plugins are dynamically loaded based on the contents of the
-\fI@sysconfdir@/sudo.conf\fR
+sudo.conf(@mansectform@)
file.
If no
-\fI@sysconfdir@/sudo.conf\fR
+sudo.conf(@mansectform@)
file is present, or it contains no
\fRPlugin\fR
lines,
\fBsudo\fR
will use the traditional
\fIsudoers\fR
-security policy and I/O logging, which corresponds to the following
-\fI@sysconfdir@/sudo.conf\fR
-file.
-.nf
-.sp
-.RS 0n
-#
-# Default @sysconfdir@/sudo.conf file
-#
-# Format:
-# Plugin plugin_name plugin_path plugin_options ...
-# Path askpass /path/to/askpass
-# Path noexec /path/to/sudo_noexec.so
-# Debug sudo /var/log/sudo_debug all@warn
-# Set disable_coredump true
-#
-# The plugin_path is relative to @PLUGINDIR@ unless
-# fully qualified.
-# The plugin_name corresponds to a global symbol in the plugin
-# that contains the plugin interface structure.
-# The plugin_options are optional.
-#
-Plugin policy_plugin sudoers.so
-Plugin io_plugin sudoers.so
-.RE
-.fi
-.PP
-A
-\fRPlugin\fR
-line consists of the
-\fRPlugin\fR
-keyword, followed by the
-\fIsymbol_name\fR
-and the
-\fIpath\fR
-to the shared object containing the plugin.
-The
-\fIsymbol_name\fR
-is the name of the
-\fRstruct policy_plugin\fR
-or
-\fRstruct io_plugin\fR
-in the plugin shared object.
-The
-\fIpath\fR
-may be fully qualified or relative.
-If not fully qualified it is relative to the
-\fI@PLUGINDIR@\fR
-directory.
-Any additional parameters after the
-\fIpath\fR
-are passed as arguments to the plugin's
-\fIopen\fR
-function.
-Lines that don't begin with
-\fRPlugin\fR,
-\fRPath\fR,
-\fRDebug\fR,
-or
-\fRSet\fR
-are silently ignored.
-.PP
-The
+security policy and I/O logging.
+See the
+sudo.conf(@mansectform@)
+manual for details of the
\fI@sysconfdir@/sudo.conf\fR
-file is always parsed in the
-``\fRC\fR''
-locale.
-.PP
-For more information, see the
+file and the
sudo_plugin(@mansectsu@)
-manual.
-.SH "PATHS"
-A
-\fRPath\fR
-line consists of the
-\fRPath\fR
-keyword, followed by the name of the path to set and its value.
-E.g.
-.nf
-.sp
-.RS 6n
-Path noexec @noexec_file@
-Path askpass /usr/X11R6/bin/ssh-askpass
-.RE
-.fi
-.PP
-The following plugin-agnostic paths may be set in the
-\fI@sysconfdir@/sudo.conf\fR
-file:
-.TP 10n
-askpass
-The fully qualified path to a helper program used to read the user's
-password when no terminal is available.
-This may be the case when
-\fBsudo\fR
-is executed from a graphical (as opposed to text-based) application.
-The program specified by
-\fIaskpass\fR
-should display the argument passed to it as the prompt and write
-the user's password to the standard output.
-The value of
-\fIaskpass\fR
-may be overridden by the
-\fRSUDO_ASKPASS\fR
-environment variable.
-.TP 10n
-noexec
-The fully-qualified path to a shared library containing dummy
-versions of the
-\fBexecv\fR(),
-\fBexecve\fR()
-and
-\fBfexecve\fR()
-library functions that just return an error.
-This is used to implement the
-\fInoexec\fR
-functionality on systems that support
-\fRLD_PRELOAD\fR
-or its equivalent.
-Defaults to
-\fI@noexec_file@\fR.
-.SH "DEBUG FLAGS"
-\fBsudo\fR
-versions 1.8.4 and higher support a flexible debugging framework
-that can help track down what
-\fBsudo\fR
-is doing internally if there is a problem.
-.PP
-A
-\fRDebug\fR
-line consists of the
-\fRDebug\fR
-keyword, followed by the name of the program to debug
-(\fBsudo\fR, \fBvisudo\fR, \fBsudoreplay\fR),
-the debug file name and a comma-separated list of debug flags.
-The debug flag syntax used by
-\fBsudo\fR
-and the
-\fIsudoers\fR
-plugin is
-\fIsubsystem\fR@\fIpriority\fR
-but the plugin is free to use a different format so long as it does
-not include a comma
-(`\&,').
-.PP
-For instance:
-.nf
-.sp
-.RS 6n
-Debug sudo /var/log/sudo_debug all@warn,plugin@info
-.RE
-.fi
-.PP
-would log all debugging statements at the
-\fIwarn\fR
-level and higher in addition to those at the
-\fIinfo\fR
-level for the plugin subsystem.
-.PP
-Currently, only one
-\fRDebug\fR
-entry per program is supported.
-The
+manual for more information about the
\fBsudo\fR
-\fRDebug\fR
-entry is shared by the
-\fBsudo\fR
-front end,
-\fBsudoedit\fR
-and the plugins.
-A future release may add support for per-plugin
-\fRDebug\fR
-lines and/or support for multiple debugging files for a single
-program.
-.PP
-The priorities used by the
-\fBsudo\fR
-front end, in order of decreasing severity, are:
-\fIcrit\fR, \fIerr\fR, \fIwarn\fR, \fInotice\fR, \fIdiag\fR, \fIinfo\fR, \fItrace\fR
-and
-\fIdebug\fR.
-Each priority, when specified, also includes all priorities higher
-than it.
-For example, a priority of
-\fInotice\fR
-would include debug messages logged at
-\fInotice\fR
-and higher.
-.PP
-The following subsystems are used by the
-\fBsudo\fR
-front-end:
-.TP 12n
-\fIall\fR
-matches every subsystem
-.TP 12n
-\fIargs\fR
-command line argument processing
-.TP 12n
-\fIconv\fR
-user conversation
-.TP 12n
-\fIedit\fR
-sudoedit
-.TP 12n
-\fIexec\fR
-command execution
-.TP 12n
-\fImain\fR
-\fBsudo\fR
-main function
-.TP 12n
-\fInetif\fR
-network interface handling
-.TP 12n
-\fIpcomm\fR
-communication with the plugin
-.TP 12n
-\fIplugin\fR
-plugin configuration
-.TP 12n
-\fIpty\fR
-pseudo-tty related code
-.TP 12n
-\fIselinux\fR
-SELinux-specific handling
-.TP 12n
-\fIutil\fR
-utility functions
-.TP 12n
-\fIutmp\fR
-utmp handling
+plugin architecture.
.SH "EXIT VALUE"
Upon successful execution of a program, the exit status from
\fIsudo\fR
crashes, you may wish to re-enable core dumps by setting
``disable_coredump''
to false in the
-\fI@sysconfdir@/sudo.conf\fR
+sudo.conf(@mansectform@)
file as follows:
.nf
.sp
.RE
.fi
.PP
-Note that by default, most operating systems disable core dumps
-from setuid programs, which includes
-\fBsudo\fR.
-To actually get a
-\fBsudo\fR
-core file you may need to enable core dumps for setuid processes.
-On BSD and Linux systems this is accomplished via the sysctl command,
-on Solaris the coreadm command can be used.
+See the
+sudo.conf(@mansectform@)
+manual for more information.
.SH "ENVIRONMENT"
\fBsudo\fR
utilizes the following environment variables.
stat(2),
login_cap(3),
passwd(@mansectform@),
+sudo.conf(@mansectform@),
sudoers(@mansectform@),
sudo_plugin(@mansectsu@),
sudoreplay(@mansectsu@),
.\"
-.\" Copyright (c) 1994-1996, 1998-2005, 2007-2012
+.\" Copyright (c) 1994-1996, 1998-2005, 2007-2013
.\" Todd C. Miller <Todd.Miller@courtesan.com>
.\"
.\" Permission to use, copy, modify, and distribute this software for any
.\" Agency (DARPA) and Air Force Research Laboratory, Air Force
.\" Materiel Command, USAF, under agreement number F39502-99-1-0512.
.\"
-.Dd November 12, 2012
+.Dd February 5, 2013
.Dt SUDO @mansectsu@
.Os Sudo @PACKAGE_VERSION@
.Sh NAME
.Pa @sysconfdir@/sudoers ,
or via LDAP.
See the
-.Sx PLUGINS
+.Sx Plugins
section for more information.
.Pp
The security policy determines what privileges, if any, a user has
environment variable is set, it specifies the path to the helper
program.
Otherwise, if
-.Pa @sysconfdir@/sudo.conf
+.Xr sudo.conf @mansectform@
contains a line specifying the askpass program, that value will be
used.
For example:
When
.Nm sudo
executes a command, the security policy specifies the execution
-envionment for the command.
+environment for the command.
Typically, the real and effective uid and gid are set to
match those of the target user, as specified in the password database,
and the group vector is initialized based on the group database
command sends
.Dv SIGTERM
to all non-system processes other than itself before rebooting
-the systyem.
+the system.
This prevents
.Nm sudo
from relaying the
family of functions instead of
.Fn system
(which interposes a shell between the command and the calling process).
-.Sh PLUGINS
+.Ss Plugins
Plugins are dynamically loaded based on the contents of the
-.Pa @sysconfdir@/sudo.conf
+.Xr sudo.conf @mansectform@
file.
If no
-.Pa @sysconfdir@/sudo.conf
+.Xr sudo.conf @mansectform@
file is present, or it contains no
.Li Plugin
lines,
.Nm sudo
will use the traditional
.Em sudoers
-security policy and I/O logging, which corresponds to the following
-.Pa @sysconfdir@/sudo.conf
-file.
-.Bd -literal
-#
-# Default @sysconfdir@/sudo.conf file
-#
-# Format:
-# Plugin plugin_name plugin_path plugin_options ...
-# Path askpass /path/to/askpass
-# Path noexec /path/to/sudo_noexec.so
-# Debug sudo /var/log/sudo_debug all@warn
-# Set disable_coredump true
-#
-# The plugin_path is relative to @PLUGINDIR@ unless
-# fully qualified.
-# The plugin_name corresponds to a global symbol in the plugin
-# that contains the plugin interface structure.
-# The plugin_options are optional.
-#
-Plugin policy_plugin sudoers.so
-Plugin io_plugin sudoers.so
-.Ed
-.Pp
-A
-.Li Plugin
-line consists of the
-.Li Plugin
-keyword, followed by the
-.Em symbol_name
-and the
-.Em path
-to the shared object containing the plugin.
-The
-.Em symbol_name
-is the name of the
-.Li struct policy_plugin
-or
-.Li struct io_plugin
-in the plugin shared object.
-The
-.Em path
-may be fully qualified or relative.
-If not fully qualified it is relative to the
-.Pa @PLUGINDIR@
-directory.
-Any additional parameters after the
-.Em path
-are passed as arguments to the plugin's
-.Em open
-function.
-Lines that don't begin with
-.Li Plugin ,
-.Li Path ,
-.Li Debug ,
-or
-.Li Set
-are silently ignored.
-.Pp
-The
+security policy and I/O logging.
+See the
+.Xr sudo.conf @mansectform@
+manual for details of the
.Pa @sysconfdir@/sudo.conf
-file is always parsed in the
-.Dq Li C
-locale.
-.Pp
-For more information, see the
+file and the
.Xr sudo_plugin @mansectsu@
-manual.
-.Sh PATHS
-A
-.Li Path
-line consists of the
-.Li Path
-keyword, followed by the name of the path to set and its value.
-E.g.
-.Bd -literal -offset indent
-Path noexec @noexec_file@
-Path askpass /usr/X11R6/bin/ssh-askpass
-.Ed
-.Pp
-The following plugin-agnostic paths may be set in the
-.Pa @sysconfdir@/sudo.conf
-file:
-.Bl -tag -width 8n
-.It askpass
-The fully qualified path to a helper program used to read the user's
-password when no terminal is available.
-This may be the case when
-.Nm sudo
-is executed from a graphical (as opposed to text-based) application.
-The program specified by
-.Em askpass
-should display the argument passed to it as the prompt and write
-the user's password to the standard output.
-The value of
-.Em askpass
-may be overridden by the
-.Ev SUDO_ASKPASS
-environment variable.
-.It noexec
-The fully-qualified path to a shared library containing dummy
-versions of the
-.Fn execv ,
-.Fn execve
-and
-.Fn fexecve
-library functions that just return an error.
-This is used to implement the
-.Em noexec
-functionality on systems that support
-.Ev LD_PRELOAD
-or its equivalent.
-Defaults to
-.Pa @noexec_file@ .
-.El
-.Sh DEBUG FLAGS
-.Nm sudo
-versions 1.8.4 and higher support a flexible debugging framework
-that can help track down what
+manual for more information about the
.Nm sudo
-is doing internally if there is a problem.
-.Pp
-A
-.Li Debug
-line consists of the
-.Li Debug
-keyword, followed by the name of the program to debug
-.Pq Nm sudo , Nm visudo , Nm sudoreplay ,
-the debug file name and a comma-separated list of debug flags.
-The debug flag syntax used by
-.Nm sudo
-and the
-.Em sudoers
-plugin is
-.Em subsystem Ns No @ Ns Em priority
-but the plugin is free to use a different format so long as it does
-not include a comma
-.Pq Ql \&, .
-.Pp
-For instance:
-.Bd -literal -offset indent
-Debug sudo /var/log/sudo_debug all@warn,plugin@info
-.Ed
-.Pp
-would log all debugging statements at the
-.Em warn
-level and higher in addition to those at the
-.Em info
-level for the plugin subsystem.
-.Pp
-Currently, only one
-.Li Debug
-entry per program is supported.
-The
-.Nm sudo
-.Li Debug
-entry is shared by the
-.Nm sudo
-front end,
-.Nm sudoedit
-and the plugins.
-A future release may add support for per-plugin
-.Li Debug
-lines and/or support for multiple debugging files for a single
-program.
-.Pp
-The priorities used by the
-.Nm sudo
-front end, in order of decreasing severity, are:
-.Em crit , err , warn , notice , diag , info , trace
-and
-.Em debug .
-Each priority, when specified, also includes all priorities higher
-than it.
-For example, a priority of
-.Em notice
-would include debug messages logged at
-.Em notice
-and higher.
-.Pp
-The following subsystems are used by the
-.Nm sudo
-front-end:
-.Bl -tag -width Fl
-.It Em all
-matches every subsystem
-.It Em args
-command line argument processing
-.It Em conv
-user conversation
-.It Em edit
-sudoedit
-.It Em exec
-command execution
-.It Em main
-.Nm sudo
-main function
-.It Em netif
-network interface handling
-.It Em pcomm
-communication with the plugin
-.It Em plugin
-plugin configuration
-.It Em pty
-pseudo-tty related code
-.It Em selinux
-SELinux-specific handling
-.It Em util
-utility functions
-.It Em utmp
-utmp handling
-.El
+plugin architecture.
.Sh EXIT VALUE
Upon successful execution of a program, the exit status from
.Em sudo
crashes, you may wish to re-enable core dumps by setting
.Dq disable_coredump
to false in the
-.Pa @sysconfdir@/sudo.conf
+.Xr sudo.conf @mansectform@
file as follows:
.Bd -literal -offset indent
Set disable_coredump false
.Ed
.Pp
-Note that by default, most operating systems disable core dumps
-from setuid programs, which includes
-.Nm sudo .
-To actually get a
-.Nm sudo
-core file you may need to enable core dumps for setuid processes.
-On BSD and Linux systems this is accomplished via the sysctl command,
-on Solaris the coreadm command can be used.
+See the
+.Xr sudo.conf @mansectform@
+manual for more information.
.Sh ENVIRONMENT
.Nm sudo
utilizes the following environment variables.
.Xr stat 2 ,
.Xr login_cap 3 ,
.Xr passwd @mansectform@ ,
+.Xr sudo.conf @mansectform@ ,
.Xr sudoers @mansectform@ ,
.Xr sudo_plugin @mansectsu@ ,
.Xr sudoreplay @mansectsu@ ,
D\bDE\bES\bSC\bCR\bRI\bIP\bPT\bTI\bIO\bON\bN
Starting with version 1.8, s\bsu\bud\bdo\bo supports a plugin API for policy and
- session logging. By default, the _\bs_\bu_\bd_\bo_\be_\br_\bs policy plugin and an associated
+ session logging. By default, the s\bsu\bud\bdo\boe\ber\brs\bs policy plugin and an associated
I/O logging plugin are used. Via the plugin API, s\bsu\bud\bdo\bo can be configured
to use alternate policy and/or I/O logging plugins provided by third
- parties. The plugins to be used are specified via the _\b/_\be_\bt_\bc_\b/_\bs_\bu_\bd_\bo_\b._\bc_\bo_\bn_\bf
- file.
+ parties. The plugins to be used are specified in the sudo.conf(4) file.
The API is versioned with a major and minor number. The minor version
number is incremented when additions are made. The major number is
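Review bot: this hunk switches "sudoers" (the policy plugin name) from underline to bold, while the sudo(1m) hunks in the same change keep it italic (`\fIsudoers\fR`, `.Em sudoers`); pick one convention for the plugin name across the manuals, or note in the commit message why sudo_plugin(1m) treats it as a program name.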
The plugin API is defined by the sudo_plugin.h header file.
- T\bTh\bhe\be s\bsu\bud\bdo\bo.\b.c\bco\bon\bnf\bf f\bfi\bil\ble\be
- The _\b/_\be_\bt_\bc_\b/_\bs_\bu_\bd_\bo_\b._\bc_\bo_\bn_\bf file contains plugin configuration directives. The
- primary keyword is the Plugin directive, which causes a plugin to be
- loaded. It is always parsed in the ``C'' locale.
-
- A Plugin line consists of the Plugin keyword, followed by the _\bs_\by_\bm_\bb_\bo_\bl_\b__\bn_\ba_\bm_\be
- and the _\bp_\ba_\bt_\bh to the shared object containing the plugin. The _\bs_\by_\bm_\bb_\bo_\bl_\b__\bn_\ba_\bm_\be
- is the name of the struct policy_plugin or struct io_plugin in the plugin
- shared object. The _\bp_\ba_\bt_\bh may be fully qualified or relative. If not
- fully qualified it is relative to the _\b/_\bu_\bs_\br_\b/_\bl_\bo_\bc_\ba_\bl_\b/_\bl_\bi_\bb_\be_\bx_\be_\bc directory. Any
- additional parameters after the _\bp_\ba_\bt_\bh are passed as options to the
- plugin's o\bop\bpe\ben\bn() function. Lines that don't begin with Plugin, Path,
- Debug or Set are silently ignored.
-
- The same shared object may contain multiple plugins, each with a
- different symbol name. The shared object file must be owned by uid 0 and
- only writable by its owner. Because of ambiguities that arise from
- composite policies, only a single policy plugin may be specified. This
- limitation does not apply to I/O plugins.
-
- #
- # Default /etc/sudo.conf file
- #
- # Format:
- # Plugin plugin_name plugin_path plugin_options ...
- # Path askpass /path/to/askpass
- # Path noexec /path/to/sudo_noexec.so
- # Debug sudo /var/log/sudo_debug all@warn
- # Set disable_coredump true
- #
- # The plugin_path is relative to /usr/local/libexec unless
- # fully qualified.
- # The plugin_name corresponds to a global symbol in the plugin
- # that contains the plugin interface structure.
- # The plugin_options are optional.
- #
- Plugin sudoers_policy sudoers.so
- Plugin sudoers_io sudoers.so
-
P\bPo\bol\bli\bic\bcy\by p\bpl\blu\bug\bgi\bin\bn A\bAP\bPI\bI
A policy plugin must declare and populate a policy_plugin struct in the
global scope. This structure contains pointers to the functions that
implement the s\bsu\bud\bdo\bo policy checks. The name of the symbol should be
- specified in _\b/_\be_\bt_\bc_\b/_\bs_\bu_\bd_\bo_\b._\bc_\bo_\bn_\bf along with a path to the plugin so that s\bsu\bud\bdo\bo
+ specified in sudo.conf(4) along with a path to the plugin so that s\bsu\bud\bdo\bo
can load it.
struct policy_plugin {
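Review bot: The removed sudo.conf section carried two requirements that are constraints, not just description, `The shared object file must be owned by uid 0 and only writable by its owner.` and `Because of ambiguities that arise from composite policies, only a single policy plugin may be specified.`, and the sudo.conf(4) manual this hunk now points to is not part of this diff, so nothing here shows that those statements survive the move. Please confirm they are present in sudo.conf(4), or keep a one-sentence statement of them next to the new `specified in sudo.conf(4)` cross-reference, since a plugin author reading only sudo_plugin(4) would otherwise no longer learn the ownership and permission constraints the shared object must meet. The same block is removed from the .man.in and .mdoc.in hunks further down, so the check applies to the source as well.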
debug_flags=string
A comma-separated list of debug flags that correspond
- to s\bsu\bud\bdo\bo's Debug entry in _\b/_\be_\bt_\bc_\b/_\bs_\bu_\bd_\bo_\b._\bc_\bo_\bn_\bf, if there is
- one. The flags are passed to the plugin as they appear
- in _\b/_\be_\bt_\bc_\b/_\bs_\bu_\bd_\bo_\b._\bc_\bo_\bn_\bf. The syntax used by s\bsu\bud\bdo\bo and the
- _\bs_\bu_\bd_\bo_\be_\br_\bs plugin is _\bs_\bu_\bb_\bs_\by_\bs_\bt_\be_\bm@_\bp_\br_\bi_\bo_\br_\bi_\bt_\by but the plugin is
- free to use a different format so long as it does not
- include a comma (`,').
-
- For reference, the priorities supported by the s\bsu\bud\bdo\bo
- front end and _\bs_\bu_\bd_\bo_\be_\br_\bs are: _\bc_\br_\bi_\bt, _\be_\br_\br, _\bw_\ba_\br_\bn, _\bn_\bo_\bt_\bi_\bc_\be,
- _\bd_\bi_\ba_\bg, _\bi_\bn_\bf_\bo, _\bt_\br_\ba_\bc_\be and _\bd_\be_\bb_\bu_\bg.
-
- The following subsystems are defined: _\bm_\ba_\bi_\bn, _\bm_\be_\bm_\bo_\br_\by,
- _\ba_\br_\bg_\bs, _\be_\bx_\be_\bc, _\bp_\bt_\by, _\bu_\bt_\bm_\bp, _\bc_\bo_\bn_\bv, _\bp_\bc_\bo_\bm_\bm, _\bu_\bt_\bi_\bl, _\bl_\bi_\bs_\bt, _\bn_\be_\bt_\bi_\bf,
- _\ba_\bu_\bd_\bi_\bt, _\be_\bd_\bi_\bt, _\bs_\be_\bl_\bi_\bn_\bu_\bx, _\bl_\bd_\ba_\bp, _\bm_\ba_\bt_\bc_\bh, _\bp_\ba_\br_\bs_\be_\br, _\ba_\bl_\bi_\ba_\bs,
- _\bd_\be_\bf_\ba_\bu_\bl_\bt_\bs, _\ba_\bu_\bt_\bh, _\be_\bn_\bv, _\bl_\bo_\bg_\bg_\bi_\bn_\bg, _\bn_\bs_\bs, _\br_\bb_\bt_\br_\be_\be, _\bp_\be_\br_\bm_\bs,
- _\bp_\bl_\bu_\bg_\bi_\bn. The subsystem _\ba_\bl_\bl includes every subsystem.
-
- There is not currently a way to specify a set of debug
- flags specific to the plugin--the flags are shared by
- s\bsu\bud\bdo\bo and the plugin.
+ to s\bsu\bud\bdo\bo's Debug entry in sudo.conf(4), if there is one.
+ The flags are passed to the plugin as they appear in
+ sudo.conf(4). The syntax used by s\bsu\bud\bdo\bo and the s\bsu\bud\bdo\boe\ber\brs\bs
+ plugin is _\bs_\bu_\bb_\bs_\by_\bs_\bt_\be_\bm@_\bp_\br_\bi_\bo_\br_\bi_\bt_\by but the plugin is free to
+ use a different format so long as it does not include a
+ comma (`,'). There is not currently a way to specify a
+ set of debug flags specific to the plugin--the flags
+ are shared by s\bsu\bud\bdo\bo and the plugin.
debug_level=number
This setting has been deprecated in favor of
version 1.2
tcpgid=int
- The ID of the forground process group associated with
- the terminal device associcated with the s\bsu\bud\bdo\bo process
- or -1 if there is no terminal present. Only available
+ The ID of the foreground process group associated with
+ the terminal device associated with the s\bsu\bud\bdo\bo process or
+ -1 if there is no terminal present. Only available
starting with API version 1.2
user=string
int (*validate)(void);
The v\bva\bal\bli\bid\bda\bat\bte\be() function is called when s\bsu\bud\bdo\bo is run with the -\b-v\bv
- flag. For policy plugins such as _\bs_\bu_\bd_\bo_\be_\br_\bs that cache authentication
+ flag. For policy plugins such as s\bsu\bud\bdo\boe\ber\brs\bs that cache authentication
credentials, this function will validate and cache the credentials.
The v\bva\bal\bli\bid\bda\bat\bte\be() function should be NULL if the plugin does not
void (*invalidate)(int remove);
The i\bin\bnv\bva\bal\bli\bid\bda\bat\bte\be() function is called when s\bsu\bud\bdo\bo is called with the -\b-k\bk
- or -\b-K\bK flag. For policy plugins such as _\bs_\bu_\bd_\bo_\be_\br_\bs that cache
+ or -\b-K\bK flag. For policy plugins such as s\bsu\bud\bdo\boe\ber\brs\bs that cache
authentication credentials, this function will invalidate the
credentials. If the _\br_\be_\bm_\bo_\bv_\be flag is set, the plugin may remove the
credentials instead of simply invalidating them.
Unlike, SUDO_CONV_INFO_MSG and Dv SUDO_CONV_ERROR_MSG , messages sent
with the SUDO_CONV_DEBUG_MSG _\bm_\bs_\bg_\b__\bt_\by_\bp_\be are not directly user-visible.
Instead, they are logged to the file specified in the Debug statement (if
- any) in the _\b/_\be_\bt_\bc_\b/_\bs_\bu_\bd_\bo_\b._\bc_\bo_\bn_\bf
-
- file. This allows a plugin to log debugging information and is intended
- to be used in conjunction with the _\bd_\be_\bb_\bu_\bg_\b__\bf_\bl_\ba_\bg_\bs setting.
+ any) in the sudo.conf(4). file. This allows a plugin to log debugging
+ information and is intended to be used in conjunction with the
+ _\bd_\be_\bb_\bu_\bg_\b__\bf_\bl_\ba_\bg_\bs setting.
See the sample plugin for an example of the c\bco\bon\bnv\bve\ber\brs\bsa\bat\bti\bio\bon\bn() function
usage.
S\bSu\bud\bdo\boe\ber\brs\bs g\bgr\bro\bou\bup\bp p\bpl\blu\bug\bgi\bin\bn A\bAP\bPI\bI
- The _\bs_\bu_\bd_\bo_\be_\br_\bs module supports a plugin interface to allow non-Unix group
- lookups. This can be used to query a group source other than the
+ The s\bsu\bud\bdo\boe\ber\brs\bs plugin supports its own plugin interface to allow non-Unix
+ group lookups. This can be used to query a group source other than the
standard Unix group database. A sample group plugin is bundled with s\bsu\bud\bdo\bo
that implements file-based lookups. Third party group plugins include a
QAS AD plugin available from Quest Software.
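Review bot: The new line `+ any) in the sudo.conf(4). file. This allows a plugin to log debugging` has a stray period after the cross-reference, so the sentence reads "in the sudo.conf(4). file." This file is generated output, so the fix belongs in the mdoc source, where the trailing `.` argument on the `.Xr sudo.conf @mansectform@ .` line (see the sudo_plugin.mdoc.in hunk below) should be dropped and the .cat and .man.in regenerated. The nearby context line `Unlike, SUDO_CONV_INFO_MSG and Dv SUDO_CONV_ERROR_MSG , messages sent` also shows what looks like a leaked `Dv` macro and a misplaced comma after "Unlike"; that is pre-existing, but worth fixing in the same source while you are there.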
version
The version field should be set to GROUP_API_VERSION.
- This allows _\bs_\bu_\bd_\bo_\be_\br_\bs to determine the API version the group plugin
+ This allows s\bsu\bud\bdo\boe\ber\brs\bs to determine the API version the group plugin
was built against.
init
The function arguments are as follows:
version
- The version passed in by _\bs_\bu_\bd_\bo_\be_\br_\bs allows the plugin to
+ The version passed in by s\bsu\bud\bdo\boe\ber\brs\bs allows the plugin to
determine the major and minor version number of the group
- plugin API supported by _\bs_\bu_\bd_\bo_\be_\br_\bs.
+ plugin API supported by s\bsu\bud\bdo\boe\ber\brs\bs.
plugin_printf
A pointer to a p\bpr\bri\bin\bnt\btf\bf()-style function that may be used to
cleanup
void (*cleanup)();
- The c\bcl\ble\bea\ban\bnu\bup\bp() function is called when _\bs_\bu_\bd_\bo_\be_\br_\bs has finished its
+ The c\bcl\ble\bea\ban\bnu\bup\bp() function is called when s\bsu\bud\bdo\boe\ber\brs\bs has finished its
group checks. The plugin should free any memory it has allocated
and close open file handles.
Version 1.2
The Policy and I/O logging plugins' o\bop\bpe\ben\bn() functions are now passed
- a list of plugin options if any are specified in _\b/_\be_\bt_\bc_\b/_\bs_\bu_\bd_\bo_\b._\bc_\bo_\bn_\bf.
+ a list of plugin parameters if any are specified in sudo.conf(4).
A simple hooks API has been introduced to allow plugins to hook in
to the system's environment handling functions.
common signals while the plugin functions are run.
S\bSE\bEE\bE A\bAL\bLS\bSO\bO
- sudoers(4), sudo(1m)
+ sudo.conf(4), sudoers(4), sudo(1m)
B\bBU\bUG\bGS\bS
If you feel you have found a bug in s\bsu\bud\bdo\bo, please submit a bug report at
file distributed with s\bsu\bud\bdo\bo or http://www.sudo.ws/sudo/license.html for
complete details.
-Sudo 1.8.7 Janurary 11, 2013 Sudo 1.8.7
+Sudo 1.8.7 February 5, 2013 Sudo 1.8.7
.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
.\" ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
.\"
-.TH "SUDO_PLUGIN" "5" "Janurary 11, 2013" "Sudo @PACKAGE_VERSION@" "OpenBSD Programmer's Manual"
+.TH "SUDO_PLUGIN" "5" "February 5, 2013" "Sudo @PACKAGE_VERSION@" "OpenBSD Programmer's Manual"
.nh
.if n .ad l
.SH "NAME"
supports a plugin API
for policy and session logging.
By default, the
-\fIsudoers\fR
+\fBsudoers\fR
policy plugin and an associated I/O logging plugin are used.
Via the plugin API,
\fBsudo\fR
can be configured to use alternate policy and/or I/O logging plugins
provided by third parties.
-The plugins to be used are specified via the
-\fI@sysconfdir@/sudo.conf\fR
+The plugins to be used are specified in the
+sudo.conf(@mansectform@)
file.
.PP
The API is versioned with a major and minor number.
The plugin API is defined by the
\fRsudo_plugin.h\fR
header file.
-.SS "The sudo.conf file"
-The
-\fI@sysconfdir@/sudo.conf\fR
-file contains plugin configuration directives.
-The primary keyword is the
-\fRPlugin\fR
-directive, which causes a plugin to be loaded.
-It is always parsed in the
-``\fRC\fR''
-locale.
-.PP
-A
-\fRPlugin\fR
-line consists of the
-\fRPlugin\fR
-keyword, followed by the
-\fIsymbol_name\fR
-and the
-\fIpath\fR
-to the shared object containing the plugin.
-The
-\fIsymbol_name\fR
-is the name of the
-\fRstruct policy_plugin\fR
-or
-\fRstruct io_plugin\fR
-in the plugin shared object.
-The
-\fIpath\fR
-may be fully qualified or relative.
-If not fully qualified it is relative to the
-\fI@PLUGINDIR@\fR
-directory.
-Any additional parameters after the
-\fIpath\fR
-are passed as options to the plugin's
-\fBopen\fR()
-function.
-Lines that don't begin with
-\fRPlugin\fR,
-\fRPath\fR,
-\fRDebug\fR
-or
-\fRSet\fR
-are silently ignored.
-.PP
-The same shared object may contain multiple plugins, each with a
-different symbol name.
-The shared object file must be owned by uid 0 and only writable by its owner.
-Because of ambiguities that arise from composite policies, only a single
-policy plugin may be specified.
-This limitation does not apply to I/O plugins.
-.nf
-.sp
-.RS 0n
-#
-# Default @sysconfdir@/sudo.conf file
-#
-# Format:
-# Plugin plugin_name plugin_path plugin_options ...
-# Path askpass /path/to/askpass
-# Path noexec /path/to/sudo_noexec.so
-# Debug sudo /var/log/sudo_debug all@warn
-# Set disable_coredump true
-#
-# The plugin_path is relative to @PLUGINDIR@ unless
-# fully qualified.
-# The plugin_name corresponds to a global symbol in the plugin
-# that contains the plugin interface structure.
-# The plugin_options are optional.
-#
-Plugin sudoers_policy sudoers.so
-Plugin sudoers_io sudoers.so
-.RE
-.fi
.SS "Policy plugin API"
A policy plugin must declare and populate a
\fRpolicy_plugin\fR
\fBsudo\fR
policy checks.
The name of the symbol should be specified in
-\fI@sysconfdir@/sudo.conf\fR
+sudo.conf(@mansectform@)
along with a path to the plugin so that
\fBsudo\fR
can load it.
\fBsudo\fR's
\fRDebug\fR
entry in
-\fI@sysconfdir@/sudo.conf\fR,
+sudo.conf(@mansectform@),
if there is one.
The flags are passed to the plugin as they appear in
-\fI@sysconfdir@/sudo.conf\fR.
+sudo.conf(@mansectform@).
The syntax used by
\fBsudo\fR
and the
-\fIsudoers\fR
+\fBsudoers\fR
plugin is
\fIsubsystem\fR@\fIpriority\fR
but the plugin is free to use a different
format so long as it does not include a comma
(`,\&').
-.sp
-For reference, the priorities supported by the
-\fBsudo\fR
-front end and
-\fIsudoers\fR
-are:
-\fIcrit\fR,
-\fIerr\fR,
-\fIwarn\fR,
-\fInotice\fR,
-\fIdiag\fR,
-\fIinfo\fR,
-\fItrace\fR
-and
-\fIdebug\fR.
-.sp
-The following subsystems are defined:
-\fImain\fR,
-\fImemory\fR,
-\fIargs\fR,
-\fIexec\fR,
-\fIpty\fR,
-\fIutmp\fR,
-\fIconv\fR,
-\fIpcomm\fR,
-\fIutil\fR,
-\fIlist\fR,
-\fInetif\fR,
-\fIaudit\fR,
-\fIedit\fR,
-\fIselinux\fR,
-\fIldap\fR,
-\fImatch\fR,
-\fIparser\fR,
-\fIalias\fR,
-\fIdefaults\fR,
-\fIauth\fR,
-\fIenv\fR,
-\fIlogging\fR,
-\fInss\fR,
-\fIrbtree\fR,
-\fIperms\fR,
-\fIplugin\fR.
-The subsystem
-\fIall\fR
-includes every subsystem.
-.sp
There is not currently a way to specify a set of debug flags specific
to the plugin--the flags are shared by
\fBsudo\fR
Only available starting with API version 1.2
.TP 6n
tcpgid=int
-The ID of the forground process group associated with the terminal
-device associcated with the
+The ID of the foreground process group associated with the terminal
+device associated with the
\fBsudo\fR
process or \-1 if there is no
terminal present.
\fB\-v\fR
flag.
For policy plugins such as
-\fIsudoers\fR
+\fBsudoers\fR
that cache
authentication credentials, this function will validate and cache
the credentials.
\fB\-K\fR
flag.
For policy plugins such as
-\fIsudoers\fR
+\fBsudoers\fR
that
cache authentication credentials, this function will invalidate the
credentials.
Instead, they are logged to the file specified in the
\fRDebug\fR
statement (if any) in the
-\fI@sysconfdir@/sudo.conf\fR
-.PP
+sudo.conf(@mansectform@).
file.
This allows a plugin to log debugging information and is intended
to be used in conjunction with the
function usage.
.SS "Sudoers group plugin API"
The
-\fIsudoers\fR
-module supports a plugin interface to allow non-Unix
+\fBsudoers\fR
+plugin supports its own plugin interface to allow non-Unix
group lookups.
This can be used to query a group source other than the standard Unix
group database.
field should be set to GROUP_API_VERSION.
.sp
This allows
-\fIsudoers\fR
+\fBsudoers\fR
to determine the API version the group plugin
was built against.
.TP 6n
.TP 6n
version
The version passed in by
-\fIsudoers\fR
+\fBsudoers\fR
allows the plugin to determine the
major and minor version number of the group plugin API supported by
-\fIsudoers\fR.
+\fBsudoers\fR.
.TP 6n
plugin_printf
A pointer to a
The
\fBcleanup\fR()
function is called when
-\fIsudoers\fR
+\fBsudoers\fR
has finished its
group checks.
The plugin should free any memory it has allocated and close open file handles.
The Policy and I/O logging plugins'
\fBopen\fR()
functions are now passed
-a list of plugin options if any are specified in
-\fI@sysconfdir@/sudo.conf\fR.
+a list of plugin parameters if any are specified in
+sudo.conf(@mansectform@).
.sp
A simple hooks API has been introduced to allow plugins to hook in to the
system's environment handling functions.
front end now installs default signal handlers to trap common signals
while the plugin functions are run.
.SH "SEE ALSO"
+sudo.conf(@mansectform@),
sudoers(@mansectform@),
sudo(@mansectsu@)
.SH "BUGS"
.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
.\" ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
.\"
-.Dd Janurary 11, 2013
+.Dd February 5, 2013
.Dt SUDO_PLUGIN @mansectform@
.Os Sudo @PACKAGE_VERSION@
.Sh NAME
supports a plugin API
for policy and session logging.
By default, the
-.Em sudoers
+.Nm sudoers
policy plugin and an associated I/O logging plugin are used.
Via the plugin API,
.Nm sudo
can be configured to use alternate policy and/or I/O logging plugins
provided by third parties.
-The plugins to be used are specified via the
-.Pa @sysconfdir@/sudo.conf
+The plugins to be used are specified in the
+.Xr sudo.conf @mansectform@
file.
.Pp
The API is versioned with a major and minor number.
The plugin API is defined by the
.Li sudo_plugin.h
header file.
-.Ss The sudo.conf file
-The
-.Pa @sysconfdir@/sudo.conf
-file contains plugin configuration directives.
-The primary keyword is the
-.Li Plugin
-directive, which causes a plugin to be loaded.
-It is always parsed in the
-.Dq Li C
-locale.
-.Pp
-A
-.Li Plugin
-line consists of the
-.Li Plugin
-keyword, followed by the
-.Em symbol_name
-and the
-.Em path
-to the shared object containing the plugin.
-The
-.Em symbol_name
-is the name of the
-.Li struct policy_plugin
-or
-.Li struct io_plugin
-in the plugin shared object.
-The
-.Em path
-may be fully qualified or relative.
-If not fully qualified it is relative to the
-.Pa @PLUGINDIR@
-directory.
-Any additional parameters after the
-.Em path
-are passed as options to the plugin's
-.Fn open
-function.
-Lines that don't begin with
-.Li Plugin ,
-.Li Path ,
-.Li Debug
-or
-.Li Set
-are silently ignored.
-.Pp
-The same shared object may contain multiple plugins, each with a
-different symbol name.
-The shared object file must be owned by uid 0 and only writable by its owner.
-Because of ambiguities that arise from composite policies, only a single
-policy plugin may be specified.
-This limitation does not apply to I/O plugins.
-.Bd -literal
-#
-# Default @sysconfdir@/sudo.conf file
-#
-# Format:
-# Plugin plugin_name plugin_path plugin_options ...
-# Path askpass /path/to/askpass
-# Path noexec /path/to/sudo_noexec.so
-# Debug sudo /var/log/sudo_debug all@warn
-# Set disable_coredump true
-#
-# The plugin_path is relative to @PLUGINDIR@ unless
-# fully qualified.
-# The plugin_name corresponds to a global symbol in the plugin
-# that contains the plugin interface structure.
-# The plugin_options are optional.
-#
-Plugin sudoers_policy sudoers.so
-Plugin sudoers_io sudoers.so
-.Ed
.Ss Policy plugin API
A policy plugin must declare and populate a
.Li policy_plugin
.Nm sudo
policy checks.
The name of the symbol should be specified in
-.Pa @sysconfdir@/sudo.conf
+.Xr sudo.conf @mansectform@
along with a path to the plugin so that
.Nm sudo
can load it.
.Nm sudo Ns No 's
.Li Debug
entry in
-.Pa @sysconfdir@/sudo.conf ,
+.Xr sudo.conf @mansectform@ ,
if there is one.
The flags are passed to the plugin as they appear in
-.Pa @sysconfdir@/sudo.conf .
+.Xr sudo.conf @mansectform@ .
The syntax used by
.Nm sudo
and the
-.Em sudoers
+.Nm sudoers
plugin is
.Em subsystem Ns No @ Ns Em priority
but the plugin is free to use a different
format so long as it does not include a comma
.Pq Ql ,\& .
-.Pp
-For reference, the priorities supported by the
-.Nm sudo
-front end and
-.Em sudoers
-are:
-.Em crit ,
-.Em err ,
-.Em warn ,
-.Em notice ,
-.Em diag ,
-.Em info ,
-.Em trace
-and
-.Em debug .
-.Pp
-The following subsystems are defined:
-.Em main ,
-.Em memory ,
-.Em args ,
-.Em exec ,
-.Em pty ,
-.Em utmp ,
-.Em conv ,
-.Em pcomm ,
-.Em util ,
-.Em list ,
-.Em netif ,
-.Em audit ,
-.Em edit ,
-.Em selinux ,
-.Em ldap ,
-.Em match ,
-.Em parser ,
-.Em alias ,
-.Em defaults ,
-.Em auth ,
-.Em env ,
-.Em logging ,
-.Em nss ,
-.Em rbtree ,
-.Em perms ,
-.Em plugin .
-The subsystem
-.Em all
-includes every subsystem.
-.Pp
There is not currently a way to specify a set of debug flags specific
to the plugin--the flags are shared by
.Nm sudo
to.
Only available starting with API version 1.2
.It tcpgid=int
-The ID of the forground process group associated with the terminal
-device associcated with the
+The ID of the foreground process group associated with the terminal
+device associated with the
.Nm sudo
process or \-1 if there is no
terminal present.
.Fl v
flag.
For policy plugins such as
-.Em sudoers
+.Nm sudoers
that cache
authentication credentials, this function will validate and cache
the credentials.
.Fl K
flag.
For policy plugins such as
-.Em sudoers
+.Nm sudoers
that
cache authentication credentials, this function will invalidate the
credentials.
Instead, they are logged to the file specified in the
.Li Debug
statement (if any) in the
-.Pa @sysconfdir@/sudo.conf
-.Pp
+.Xr sudo.conf @mansectform@ .
file.
This allows a plugin to log debugging information and is intended
to be used in conjunction with the
function usage.
.Ss Sudoers group plugin API
The
-.Em sudoers
-module supports a plugin interface to allow non-Unix
+.Nm sudoers
+plugin supports its own plugin interface to allow non-Unix
group lookups.
This can be used to query a group source other than the standard Unix
group database.
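Review bot: `+.Xr sudo.conf @mansectform@ .` ends with a `.` punctuation argument, but the following line is `file.`, so the rendered sentence becomes "in the sudo.conf(4). file." (visible in the generated .cat and .man.in hunks above). Drop the trailing ` .` so the line is just `.Xr sudo.conf @mansectform@`, matching the DESCRIPTION replacement earlier in this file where `+.Xr sudo.conf @mansectform@` is likewise followed by `file.`, then regenerate the derived files.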
field should be set to GROUP_API_VERSION.
.Pp
This allows
-.Em sudoers
+.Nm sudoers
to determine the API version the group plugin
was built against.
.It init
.Bl -tag -width 4n
.It version
The version passed in by
-.Em sudoers
+.Nm sudoers
allows the plugin to determine the
major and minor version number of the group plugin API supported by
-.Em sudoers .
+.Nm sudoers .
.It plugin_printf
A pointer to a
.Fn printf Ns No -style
The
.Fn cleanup
function is called when
-.Em sudoers
+.Nm sudoers
has finished its
group checks.
The plugin should free any memory it has allocated and close open file handles.
The Policy and I/O logging plugins'
.Fn open
functions are now passed
-a list of plugin options if any are specified in
-.Pa @sysconfdir@/sudo.conf .
+a list of plugin parameters if any are specified in
+.Xr sudo.conf @mansectform@ .
.Pp
A simple hooks API has been introduced to allow plugins to hook in to the
system's environment handling functions.
while the plugin functions are run.
.El
.Sh SEE ALSO
+.Xr sudo.conf @mansectform@ ,
.Xr sudoers @mansectform@ ,
.Xr sudo @mansectsu@
.Sh BUGS
SUDOERS(4) Programmer's Manual SUDOERS(4)
N\bNA\bAM\bME\bE
- s\bsu\bud\bdo\boe\ber\brs\bs - default sudo security policy module
+ s\bsu\bud\bdo\boe\ber\brs\bs - default sudo security policy plugin
D\bDE\bES\bSC\bCR\bRI\bIP\bPT\bTI\bIO\bON\bN
- The _\bs_\bu_\bd_\bo_\be_\br_\bs policy module determines a user's s\bsu\bud\bdo\bo privileges. It is the
+ The _\bs_\bu_\bd_\bo_\be_\br_\bs policy plugin determines a user's s\bsu\bud\bdo\bo privileges. It is the
default s\bsu\bud\bdo\bo policy plugin. The policy is driven by the _\b/_\be_\bt_\bc_\b/_\bs_\bu_\bd_\bo_\be_\br_\bs
file or, optionally in LDAP. The policy format is described in detail in
the _\bS_\bU_\bD_\bO_\bE_\bR_\bS _\bF_\bI_\bL_\bE _\bF_\bO_\bR_\bM_\bA_\bT section. For information on storing _\bs_\bu_\bd_\bo_\be_\br_\bs
policy information in LDAP, please see sudoers.ldap(4).
+ C\bCo\bon\bnf\bfi\big\bgu\bur\bri\bin\bng\bg s\bsu\bud\bdo\bo.\b.c\bco\bon\bnf\bf f\bfo\bor\br s\bsu\bud\bdo\boe\ber\brs\bs
+ s\bsu\bud\bdo\bo consults the sudo.conf(4) file to determine which policy and and I/O
+ logging plugins to load. If no sudo.conf(4) file is present, or if it
+ contains no Plugin lines, s\bsu\bud\bdo\boe\ber\brs\bs will be used for policy decisions and
+ I/O logging. To explicitly configure sudo.conf(4) to use the s\bsu\bud\bdo\boe\ber\brs\bs
+ plugin, the following configuration can be used.
+
+ Plugin policy_plugin sudoers.so
+ Plugin io_plugin sudoers.so
+
+ Starting with s\bsu\bud\bdo\bo 1.8.5, it is possible to specify optional arguments to
+ the s\bsu\bud\bdo\boe\ber\brs\bs plugin in the sudo.conf(4) file. These arguments, if
+ present, should be listed after the path to the plugin (i.e. after
+ _\bs_\bu_\bd_\bo_\be_\br_\bs_\b._\bs_\bo). Multiple arguments may be specified, separated by white
+ space. For example:
+
+ Plugin sudoers_policy sudoers.so sudoers_mode=0400
+
+ The following plugin arguments are supported:
+
+ sudoers_file=pathname
+ The _\bs_\bu_\bd_\bo_\be_\br_\bs_\b__\bf_\bi_\bl_\be arguments can be used to override the default
+ path to the _\bs_\bu_\bd_\bo_\be_\br_\bs file.
+
+ sudoers_uid=uid
+ The _\bs_\bu_\bd_\bo_\be_\br_\bs_\b__\bu_\bi_\bd arguments can be used to override the default
+ owner of the sudoers file. It should be specified as a numeric
+ user ID.
+
+ sudoers_gid=gid
+ The _\bs_\bu_\bd_\bo_\be_\br_\bs_\b__\bg_\bi_\bd arguments can be used to override the default
+ group of the sudoers file. It must be specified as a numeric
+ group ID (not a group name).
+
+ sudoers_mode=mode
+ The _\bs_\bu_\bd_\bo_\be_\br_\bs_\b__\bm_\bo_\bd_\be arguments can be used to override the default
+ file mode for the sudoers file. It should be specified as an
+ octal value.
+
+ For more information on configuring sudo.conf(4), please refer to its
+ manual.
+
A\bAu\but\bth\bhe\ben\bnt\bti\bic\bca\bat\bti\bio\bon\bn a\ban\bnd\bd l\blo\bog\bgg\bgi\bin\bng\bg
The _\bs_\bu_\bd_\bo_\be_\br_\bs security policy requires that most users authenticate
themselves before they can use s\bsu\bud\bdo\bo. A password is not required if the
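Review bot: The two example Plugin lines in the new section, `Plugin policy_plugin sudoers.so` and `Plugin io_plugin sudoers.so`, use different symbol names from the example a few lines later, `Plugin sudoers_policy sudoers.so sudoers_mode=0400`, and from the default block removed from sudo_plugin(4) in this same patch (`Plugin sudoers_policy sudoers.so` / `Plugin sudoers_io sudoers.so`). Per sudo_plugin(4) the symbol name must be the name of the struct in the shared object, so at most one of the two pairs can match what sudoers.so exports and one of the examples cannot work as written; please make both use the same names. Smaller nits in the same hunk: `to determine which policy and and I/O` has a doubled "and"; the four "The sudoers_file arguments can be used" descriptions should say "argument" (singular); sudoers_uid says "should be specified as a numeric user ID" while sudoers_gid says "must be specified as a numeric group ID (not a group name)", and the two should be phrased alike; and this section calls them "arguments" while the sudo_plugin(4) hunk above renames the same things to "parameters" (`+ a list of plugin parameters if any are specified in sudo.conf(4).`), so pick one term for both manuals.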
escape %h will expand to the host name of the machine.
Default is ``*** SECURITY information for %h ***''.
- noexec_file This option is no longer supported. The path to the
- noexec file should now be set in the _\b/_\be_\bt_\bc_\b/_\bs_\bu_\bd_\bo_\b._\bc_\bo_\bn_\bf
- file.
+ noexec_file As of s\bsu\bud\bdo\bo version 1.8.1 this option is no longer
+ supported. The path to the noexec file should now be
+ set in the sudo.conf(4) file.
passprompt The default prompt to use when asking for a password;
can be overridden via the -\b-p\bp option or the SUDO_PROMPT
when the _\bs_\bu_\bd_\bo_\be_\br_\bs file is located on a remote file system that maps
user ID 0 to a different value. Normally, s\bsu\bud\bdo\boe\ber\brs\bs tries to open
_\bs_\bu_\bd_\bo_\be_\br_\bs using group permissions to avoid this problem. Consider
- changing the ownership of _\b/_\be_\bt_\bc_\b/_\bs_\bu_\bd_\bo_\be_\br_\bs by adding an option like
- ``sudoers_uid=N'' (where `N' is the user ID that owns the _\bs_\bu_\bd_\bo_\be_\br_\bs
- file) to the s\bsu\bud\bdo\boe\ber\brs\bs plugin line in the _\b/_\be_\bt_\bc_\b/_\bs_\bu_\bd_\bo_\b._\bc_\bo_\bn_\bf file.
+ either changing the ownership of _\b/_\be_\bt_\bc_\b/_\bs_\bu_\bd_\bo_\be_\br_\bs or adding an argument
+ like ``sudoers_uid=N'' (where `N' is the user ID that owns the _\bs_\bu_\bd_\bo_\be_\br_\bs
+ file) to the end of the s\bsu\bud\bdo\boe\ber\brs\bs Plugin line in the sudo.conf(4) file.
unable to stat /etc/sudoers
The _\b/_\be_\bt_\bc_\b/_\bs_\bu_\bd_\bo_\be_\br_\bs file is missing.
/etc/sudoers is owned by uid N, should be 0
The _\bs_\bu_\bd_\bo_\be_\br_\bs file has the wrong owner. If you wish to change the
_\bs_\bu_\bd_\bo_\be_\br_\bs file owner, please add ``sudoers_uid=N'' (where `N' is the
- user ID that owns the _\bs_\bu_\bd_\bo_\be_\br_\bs file) to the s\bsu\bud\bdo\boe\ber\brs\bs plugin line in the
- _\b/_\be_\bt_\bc_\b/_\bs_\bu_\bd_\bo_\b._\bc_\bo_\bn_\bf file.
+ user ID that owns the _\bs_\bu_\bd_\bo_\be_\br_\bs file) to the s\bsu\bud\bdo\boe\ber\brs\bs Plugin line in the
+ sudo.conf(4) file.
/etc/sudoers is world writable
The permissions on the _\bs_\bu_\bd_\bo_\be_\br_\bs file allow all users to write to it.
The _\bs_\bu_\bd_\bo_\be_\br_\bs file must not be world-writable, the default file mode is
0440 (readable by owner and group, writable by none). The default
mode may be changed via the ``sudoers_mode'' option to the s\bsu\bud\bdo\boe\ber\brs\bs
- plugin line in the _\b/_\be_\bt_\bc_\b/_\bs_\bu_\bd_\bo_\b._\bc_\bo_\bn_\bf file.
+ Plugin line in the sudo.conf(4) file.
/etc/sudoers is owned by gid N, should be 1
The _\bs_\bu_\bd_\bo_\be_\br_\bs file has the wrong group ownership. If you wish to change
the _\bs_\bu_\bd_\bo_\be_\br_\bs file group ownership, please add ``sudoers_gid=N'' (where
- `N' is the group ID that owns the _\bs_\bu_\bd_\bo_\be_\br_\bs file) to the s\bsu\bud\bdo\boe\ber\brs\bs plugin
- line in the _\b/_\be_\bt_\bc_\b/_\bs_\bu_\bd_\bo_\b._\bc_\bo_\bn_\bf file.
+ `N' is the group ID that owns the _\bs_\bu_\bd_\bo_\be_\br_\bs file) to the s\bsu\bud\bdo\boe\ber\brs\bs Plugin
+ line in the sudo.conf(4) file.
unable to open /var/adm/sudo/username/ttyname
_\bs_\bu_\bd_\bo_\be_\br_\bs was unable to read or create the user's time stamp file.
_\bl_\bo_\bg_\bl_\bi_\bn_\be_\bl_\be_\bn option is set to 0 (or negated with a `!'), word wrap
will be disabled.
-S\bSU\bUD\bDO\bO.\b.C\bCO\bON\bNF\bF
- The _\b/_\be_\bt_\bc_\b/_\bs_\bu_\bd_\bo_\b._\bc_\bo_\bn_\bf file determines which plugins the s\bsu\bud\bdo\bo front end will
- load. If no _\b/_\be_\bt_\bc_\b/_\bs_\bu_\bd_\bo_\b._\bc_\bo_\bn_\bf file is present, or it contains no Plugin
- lines, s\bsu\bud\bdo\bo will use the _\bs_\bu_\bd_\bo_\be_\br_\bs security policy and I/O logging, which
- corresponds to the following _\b/_\be_\bt_\bc_\b/_\bs_\bu_\bd_\bo_\b._\bc_\bo_\bn_\bf file.
-
- #
- # Default /etc/sudo.conf file
- #
- # Format:
- # Plugin plugin_name plugin_path plugin_options ...
- # Path askpass /path/to/askpass
- # Path noexec /path/to/sudo_noexec.so
- # Debug sudo /var/log/sudo_debug all@warn
- # Set disable_coredump true
- #
- # The plugin_path is relative to /usr/local/libexec unless
- # fully qualified.
- # The plugin_name corresponds to a global symbol in the plugin
- # that contains the plugin interface structure.
- # The plugin_options are optional.
- #
- Plugin policy_plugin sudoers.so
- Plugin io_plugin sudoers.so
-
- P\bPl\blu\bug\bgi\bin\bn o\bop\bpt\bti\bio\bon\bns\bs
- Starting with s\bsu\bud\bdo\bo 1.8.5, it is possible to pass options to the _\bs_\bu_\bd_\bo_\be_\br_\bs
- plugin. Options may be listed after the path to the plugin (i.e. after
- _\bs_\bu_\bd_\bo_\be_\br_\bs_\b._\bs_\bo); multiple options should be space-separated. For example:
-
- Plugin sudoers_policy sudoers.so sudoers_file=/etc/sudoers sudoers_uid=0 sudoers_gid=0 sudoers_mode=0440
-
- The following plugin options are supported:
-
- sudoers_file=pathname
- The _\bs_\bu_\bd_\bo_\be_\br_\bs_\b__\bf_\bi_\bl_\be option can be used to override the default
- path to the _\bs_\bu_\bd_\bo_\be_\br_\bs file.
-
- sudoers_uid=uid
- The _\bs_\bu_\bd_\bo_\be_\br_\bs_\b__\bu_\bi_\bd option can be used to override the default
- owner of the sudoers file. It should be specified as a numeric
- user ID.
-
- sudoers_gid=gid
- The _\bs_\bu_\bd_\bo_\be_\br_\bs_\b__\bg_\bi_\bd option can be used to override the default
- group of the sudoers file. It should be specified as a numeric
- group ID.
-
- sudoers_mode=mode
- The _\bs_\bu_\bd_\bo_\be_\br_\bs_\b__\bm_\bo_\bd_\be option can be used to override the default
- file mode for the sudoers file. It should be specified as an
- octal value.
-
- D\bDe\beb\bbu\bug\bg f\bfl\bla\bag\bgs\bs
- Versions 1.8.4 and higher of the _\bs_\bu_\bd_\bo_\be_\br_\bs plugin support a debugging
- framework that can help track down what the plugin is doing internally if
- there is a problem. This can be configured in the _\b/_\be_\bt_\bc_\b/_\bs_\bu_\bd_\bo_\b._\bc_\bo_\bn_\bf file as
- described in sudo(1m).
-
- The _\bs_\bu_\bd_\bo_\be_\br_\bs plugin uses the same debug flag format as the s\bsu\bud\bdo\bo front-end:
- _\bs_\bu_\bb_\bs_\by_\bs_\bt_\be_\bm@_\bp_\br_\bi_\bo_\br_\bi_\bt_\by.
-
- The priorities used by _\bs_\bu_\bd_\bo_\be_\br_\bs, in order of decreasing severity, are:
- _\bc_\br_\bi_\bt, _\be_\br_\br, _\bw_\ba_\br_\bn, _\bn_\bo_\bt_\bi_\bc_\be, _\bd_\bi_\ba_\bg, _\bi_\bn_\bf_\bo, _\bt_\br_\ba_\bc_\be and _\bd_\be_\bb_\bu_\bg. Each priority,
- when specified, also includes all priorities higher than it. For
- example, a priority of _\bn_\bo_\bt_\bi_\bc_\be would include debug messages logged at
- _\bn_\bo_\bt_\bi_\bc_\be and higher.
-
- The following subsystems are used by _\bs_\bu_\bd_\bo_\be_\br_\bs:
-
- _\ba_\bl_\bi_\ba_\bs User_Alias, Runas_Alias, Host_Alias and Cmnd_Alias processing
-
- _\ba_\bl_\bl matches every subsystem
-
- _\ba_\bu_\bd_\bi_\bt BSM and Linux audit code
-
- _\ba_\bu_\bt_\bh user authentication
-
- _\bd_\be_\bf_\ba_\bu_\bl_\bt_\bs _\bs_\bu_\bd_\bo_\be_\br_\bs _\bD_\be_\bf_\ba_\bu_\bl_\bt_\bs settings
-
- _\be_\bn_\bv environment handling
-
- _\bl_\bd_\ba_\bp LDAP-based sudoers
-
- _\bl_\bo_\bg_\bg_\bi_\bn_\bg logging support
-
- _\bm_\ba_\bt_\bc_\bh matching of users, groups, hosts and netgroups in _\bs_\bu_\bd_\bo_\be_\br_\bs
-
- _\bn_\be_\bt_\bi_\bf network interface handling
-
- _\bn_\bs_\bs network service switch handling in _\bs_\bu_\bd_\bo_\be_\br_\bs
-
- _\bp_\ba_\br_\bs_\be_\br _\bs_\bu_\bd_\bo_\be_\br_\bs file parsing
-
- _\bp_\be_\br_\bm_\bs permission setting
-
- _\bp_\bl_\bu_\bg_\bi_\bn The equivalent of _\bm_\ba_\bi_\bn for the plugin.
-
- _\bp_\bt_\by pseudo-tty related code
-
- _\br_\bb_\bt_\br_\be_\be redblack tree internals
-
- _\bu_\bt_\bi_\bl utility functions
-
F\bFI\bIL\bLE\bES\bS
_\b/_\be_\bt_\bc_\b/_\bs_\bu_\bd_\bo_\b._\bc_\bo_\bn_\bf Sudo front end configuration
stamp file is stale and will ignore it. Administrators should not rely
on this feature as it is not universally available.
+D\bDE\bEB\bBU\bUG\bGG\bGI\bIN\bNG\bG
+ Versions 1.8.4 and higher of the s\bsu\bud\bdo\boe\ber\brs\bs plugin support a flexible
+ debugging framework that can help track down what the plugin is doing
+ internally if there is a problem. This can be configured in the
+ sudo.conf(4) file.
+
+ The s\bsu\bud\bdo\boe\ber\brs\bs plugin uses the same debug flag format as the s\bsu\bud\bdo\bo front-end:
+ _\bs_\bu_\bb_\bs_\by_\bs_\bt_\be_\bm@_\bp_\br_\bi_\bo_\br_\bi_\bt_\by.
+
+ The priorities used by s\bsu\bud\bdo\boe\ber\brs\bs, in order of decreasing severity, are:
+ _\bc_\br_\bi_\bt, _\be_\br_\br, _\bw_\ba_\br_\bn, _\bn_\bo_\bt_\bi_\bc_\be, _\bd_\bi_\ba_\bg, _\bi_\bn_\bf_\bo, _\bt_\br_\ba_\bc_\be and _\bd_\be_\bb_\bu_\bg. Each priority,
+ when specified, also includes all priorities higher than it. For
+ example, a priority of _\bn_\bo_\bt_\bi_\bc_\be would include debug messages logged at
+ _\bn_\bo_\bt_\bi_\bc_\be and higher.
+
+ The following subsystems are used by the s\bsu\bud\bdo\boe\ber\brs\bs plugin:
+
+ _\ba_\bl_\bi_\ba_\bs User_Alias, Runas_Alias, Host_Alias and Cmnd_Alias processing
+
+ _\ba_\bl_\bl matches every subsystem
+
+ _\ba_\bu_\bd_\bi_\bt BSM and Linux audit code
+
+ _\ba_\bu_\bt_\bh user authentication
+
+ _\bd_\be_\bf_\ba_\bu_\bl_\bt_\bs _\bs_\bu_\bd_\bo_\be_\br_\bs _\bD_\be_\bf_\ba_\bu_\bl_\bt_\bs settings
+
+ _\be_\bn_\bv environment handling
+
+ _\bl_\bd_\ba_\bp LDAP-based sudoers
+
+ _\bl_\bo_\bg_\bg_\bi_\bn_\bg logging support
+
+ _\bm_\ba_\bt_\bc_\bh matching of users, groups, hosts and netgroups in _\bs_\bu_\bd_\bo_\be_\br_\bs
+
+ _\bn_\be_\bt_\bi_\bf network interface handling
+
+ _\bn_\bs_\bs network service switch handling in _\bs_\bu_\bd_\bo_\be_\br_\bs
+
+ _\bp_\ba_\br_\bs_\be_\br _\bs_\bu_\bd_\bo_\be_\br_\bs file parsing
+
+ _\bp_\be_\br_\bm_\bs permission setting
+
+ _\bp_\bl_\bu_\bg_\bi_\bn The equivalent of _\bm_\ba_\bi_\bn for the plugin.
+
+ _\bp_\bt_\by pseudo-tty related code
+
+ _\br_\bb_\bt_\br_\be_\be redblack tree internals
+
+ _\bu_\bt_\bi_\bl utility functions
+ For example:
+
+ Debug sudo /var/log/sudo_debug match@info,nss@info
+
+ For more information, see the sudo.conf(4) manual.
+
S\bSE\bEE\bE A\bAL\bLS\bSO\bO
- ssh(1), su(1), fnmatch(3), glob(3), mktemp(3), strftime(3),
+ ssh(1), su(1), fnmatch(3), glob(3), mktemp(3), strftime(3), sudo.conf(4),
sudoers.ldap(4), sudo_plugin(1m), sudo(1m), visudo(1m)
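Review bot: the formatted DEBUGGING section runs the last subsystem entry straight into the example: L1930 "utility functions" is immediately followed by L1931 "For example:" with no blank line, although a blank line separates every other entry in this list and every other paragraph in the section. This file is the formatted output of sudoers.mdoc.in, so the fix is a paragraph break after the subsystem list in the source followed by regenerating sudoers.cat rather than an edit here.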
C\bCA\bAV\bVE\bEA\bAT\bTS\bS
file distributed with s\bsu\bud\bdo\bo or http://www.sudo.ws/sudo/license.html for
complete details.
-Sudo 1.8.7 January 27, 2013 Sudo 1.8.7
+Sudo 1.8.7 February 5, 2013 Sudo 1.8.7
.\" IT IS GENERATED AUTOMATICALLY FROM sudoers.mdoc.in
.\"
.\" Copyright (c) 1994-1996, 1998-2005, 2007-2013
-.\" Todd C. Miller <Todd.Miller@courtesan.com>
+.\" Todd C. Miller <Todd.Miller@courtesan.com>
.\"
.\" Permission to use, copy, modify, and distribute this software for any
.\" purpose with or without fee is hereby granted, provided that the above
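Review bot: the removed and re-added copyright line (L1949/L1950) shows no visible difference, so this is presumably a trailing-whitespace or encoding change; if it is not intentional it should be dropped so the diff contains only the documented changes.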
.\" Agency (DARPA) and Air Force Research Laboratory, Air Force
.\" Materiel Command, USAF, under agreement number F39502-99-1-0512.
.\"
-.TH "SUDOERS" "@mansectsu@" "January 27, 2013" "Sudo @PACKAGE_VERSION@" "Programmer's Manual"
+.TH "SUDOERS" "@mansectsu@" "February 5, 2013" "Sudo @PACKAGE_VERSION@" "Programmer's Manual"
.nh
.if n .ad l
.SH "NAME"
\fBsudoers\fR
-\- default sudo security policy module
+\- default sudo security policy plugin
.SH "DESCRIPTION"
The
\fIsudoers\fR
-policy module determines a user's
+policy plugin determines a user's
\fBsudo\fR
privileges.
It is the default
policy information
in LDAP, please see
sudoers.ldap(@mansectform@).
+.SS "Configuring sudo.conf for sudoers"
+\fBsudo\fR
+consults the
+sudo.conf(@mansectform@)
+file to determine which policy and and I/O logging plugins to load.
+If no
+sudo.conf(@mansectform@)
+file is present, or if it contains no
+\fRPlugin\fR
+lines,
+\fBsudoers\fR
+will be used for policy decisions and I/O logging.
+To explicitly configure
+sudo.conf(@mansectform@)
+to use the
+\fBsudoers\fR
+plugin, the following configuration can be used.
+.nf
+.sp
+.RS 6n
+Plugin policy_plugin sudoers.so
+Plugin io_plugin sudoers.so
+.RE
+.fi
+.PP
+Starting with
+\fBsudo\fR
+1.8.5, it is possible to specify optional arguments to the
+\fBsudoers\fR
+plugin in the
+sudo.conf(@mansectform@)
+file.
+These arguments, if present, should be listed after the path to the plugin
+(i.e.\& after
+\fIsudoers.so\fR).
+Multiple arguments may be specified, separated by white space.
+For example:
+.nf
+.sp
+.RS 6n
+Plugin sudoers_policy sudoers.so sudoers_mode=0400
+.RE
+.fi
+.PP
+The following plugin arguments are supported:
+.TP 10n
+sudoers_file=pathname
+The
+\fIsudoers_file\fR
+arguments can be used to override the default path
+to the
+\fIsudoers\fR
+file.
+.TP 10n
+sudoers_uid=uid
+The
+\fIsudoers_uid\fR
+arguments can be used to override the default owner of the sudoers file.
+It should be specified as a numeric user ID.
+.TP 10n
+sudoers_gid=gid
+The
+\fIsudoers_gid\fR
+arguments can be used to override the default group of the sudoers file.
+It must be specified as a numeric group ID (not a group name).
+.TP 10n
+sudoers_mode=mode
+The
+\fIsudoers_mode\fR
+arguments can be used to override the default file mode for the sudoers file.
+It should be specified as an octal value.
+.PP
+For more information on configuring
+sudo.conf(@mansectform@),
+please refer to its manual.
.SS "Authentication and logging"
The
\fIsudoers\fR
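Review bot: the two Plugin examples in this new subsection disagree on the plugin name: L1996 has `Plugin policy_plugin sudoers.so` while L2016 has `Plugin sudoers_policy sudoers.so sudoers_mode=0400`. The text this patch removes (L2160-2161) states that plugin_name is the global symbol the front end looks up in the plugin, so the two spellings cannot both load; sudoers_policy and sudoers_io are the symbols sudoers.so exports, so the first example should read `Plugin sudoers_policy sudoers.so` and `Plugin sudoers_io sudoers.so`. Smaller points in the same hunk: "which policy and and I/O logging plugins" (L1980) has a doubled word; "The sudoers_file arguments can be used" and its three siblings (L2025, L2033, L2039, L2045) should use the singular "argument"; and since sudoers_uid is described as a numeric ID (L2034), its wording should match sudoers_gid's ("must be specified as a numeric user ID (not a user name)"). As L1946 notes, this file is generated from sudoers.mdoc.in, so the fixes belong in the source.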
``\fR@mailsub@\fR''.
.TP 18n
noexec_file
-This option is no longer supported.
+As of
+\fBsudo\fR
+version 1.8.1 this option is no longer supported.
The path to the noexec file should now be set in the
-\fI@sysconfdir@/sudo.conf\fR
+sudo.conf(@mansectform@)
file.
.TP 18n
passprompt
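Review bot: "As of sudo version 1.8.1 this option is no longer supported." (L2058-2060) needs a comma after the version number: "As of sudo version 1.8.1, this option is no longer supported." The same sentence is added to sudoers.mdoc.in, which is where the fix should go since this file is generated from it.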
tries to open
\fIsudoers\fR
using group permissions to avoid this problem.
-Consider changing the ownership of
+Consider either changing the ownership of
\fI@sysconfdir@/sudoers\fR
-by adding an option like
+or adding an argument like
``sudoers_uid=N''
(where
`N'
is the user ID that owns the
\fIsudoers\fR
-file) to the
+file) to the end of the
\fBsudoers\fR
-plugin line in the
-\fI@sysconfdir@/sudo.conf\fR
+\fRPlugin\fR
+line in the
+sudo.conf(@mansectform@)
file.
.TP 3n
unable to stat @sysconfdir@/sudoers
\fIsudoers\fR
file) to the
\fBsudoers\fR
-plugin line in the
-\fI@sysconfdir@/sudo.conf\fR
+\fRPlugin\fR
+line in the
+sudo.conf(@mansectform@)
file.
.TP 3n
@sysconfdir@/sudoers is world writable
``sudoers_mode''
option to the
\fBsudoers\fR
-plugin line in the
-\fI@sysconfdir@/sudo.conf\fR
+\fRPlugin\fR
+line in the
+sudo.conf(@mansectform@)
file.
.TP 3n
@sysconfdir@/sudoers is owned by gid N, should be 1
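Review bot: L2103 still calls sudoers_mode an "option" ("``sudoers_mode'' option to the sudoers Plugin line") while this patch renames the same thing to "argument" elsewhere (L2020, L2074). For consistency the context line here should say "argument" too, in the mdoc source as well.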
\fIsudoers\fR
file) to the
\fBsudoers\fR
-plugin line in the
-\fI@sysconfdir@/sudo.conf\fR
+\fRPlugin\fR
+line in the
+sudo.conf(@mansectform@)
file.
.TP 3n
unable to open @timedir@/username/ttyname
option is set to 0 (or negated with a
`\&!'),
word wrap will be disabled.
-.SH "SUDO.CONF"
-The
-\fI@sysconfdir@/sudo.conf\fR
-file determines which plugins the
-\fBsudo\fR
-front end will load.
-If no
-\fI@sysconfdir@/sudo.conf\fR
-file
-is present, or it contains no
-\fRPlugin\fR
-lines,
-\fBsudo\fR
-will use the
-\fIsudoers\fR
-security policy and I/O logging, which corresponds to the following
-\fI@sysconfdir@/sudo.conf\fR
-file.
-.nf
-.sp
-.RS 0n
-#
-# Default @sysconfdir@/sudo.conf file
-#
-# Format:
-# Plugin plugin_name plugin_path plugin_options ...
-# Path askpass /path/to/askpass
-# Path noexec /path/to/sudo_noexec.so
-# Debug sudo /var/log/sudo_debug all@warn
-# Set disable_coredump true
-#
-# The plugin_path is relative to @PLUGINDIR@ unless
-# fully qualified.
-# The plugin_name corresponds to a global symbol in the plugin
-# that contains the plugin interface structure.
-# The plugin_options are optional.
-#
-Plugin policy_plugin sudoers.so
-Plugin io_plugin sudoers.so
-.RE
-.fi
-.SS "Plugin options"
-Starting with
-\fBsudo\fR
-1.8.5, it is possible to pass options to the
-\fIsudoers\fR
-plugin.
-Options may be listed after the path to the plugin (i.e.\& after
-\fIsudoers.so\fR);
-multiple options should be space-separated.
-For example:
-.nf
-.sp
-.RS 0n
-Plugin sudoers_policy sudoers.so sudoers_file=/etc/sudoers sudoers_uid=0 sudoers_gid=0 sudoers_mode=0440
-.RE
-.fi
-.PP
-The following plugin options are supported:
-.TP 10n
-sudoers_file=pathname
-The
-\fIsudoers_file\fR
-option can be used to override the default path
-to the
-\fIsudoers\fR
-file.
-.TP 10n
-sudoers_uid=uid
-The
-\fIsudoers_uid\fR
-option can be used to override the default owner of the sudoers file.
-It should be specified as a numeric user ID.
-.TP 10n
-sudoers_gid=gid
-The
-\fIsudoers_gid\fR
-option can be used to override the default group of the sudoers file.
-It should be specified as a numeric group ID.
-.TP 10n
-sudoers_mode=mode
-The
-\fIsudoers_mode\fR
-option can be used to override the default file mode for the sudoers file.
-It should be specified as an octal value.
-.SS "Debug flags"
-Versions 1.8.4 and higher of the
-\fIsudoers\fR
-plugin support a debugging framework that can help track down what the
-plugin is doing internally if there is a problem.
-This can be configured in the
-\fI@sysconfdir@/sudo.conf\fR
-file as described in
-sudo(@mansectsu@).
-.PP
-The
-\fIsudoers\fR
-plugin uses the same debug flag format as the
-\fBsudo\fR
-front-end:
-\fIsubsystem\fR@\fIpriority\fR.
-.PP
-The priorities used by
-\fIsudoers\fR,
-in order of decreasing severity,
-are:
-\fIcrit\fR,
-\fIerr\fR,
-\fIwarn\fR,
-\fInotice\fR,
-\fIdiag\fR,
-\fIinfo\fR,
-\fItrace\fR
-and
-\fIdebug\fR.
-Each priority, when specified, also includes all priorities higher than it.
-For example, a priority of
-\fInotice\fR
-would include debug messages logged at
-\fInotice\fR
-and higher.
-.PP
-The following subsystems are used by
-\fIsudoers\fR:
-.TP 10n
-\fIalias\fR
-\fRUser_Alias\fR,
-\fRRunas_Alias\fR,
-\fRHost_Alias\fR
-and
-\fRCmnd_Alias\fR
-processing
-.TP 10n
-\fIall\fR
-matches every subsystem
-.TP 10n
-\fIaudit\fR
-BSM and Linux audit code
-.TP 10n
-\fIauth\fR
-user authentication
-.TP 10n
-\fIdefaults\fR
-\fIsudoers\fR
-\fIDefaults\fR
-settings
-.TP 10n
-\fIenv\fR
-environment handling
-.TP 10n
-\fIldap\fR
-LDAP-based sudoers
-.TP 10n
-\fIlogging\fR
-logging support
-.TP 10n
-\fImatch\fR
-matching of users, groups, hosts and netgroups in
-\fIsudoers\fR
-.TP 10n
-\fInetif\fR
-network interface handling
-.TP 10n
-\fInss\fR
-network service switch handling in
-\fIsudoers\fR
-.TP 10n
-\fIparser\fR
-\fIsudoers\fR
-file parsing
-.TP 10n
-\fIperms\fR
-permission setting
-.TP 10n
-\fIplugin\fR
-The equivalent of
-\fImain\fR
-for the plugin.
-.TP 10n
-\fIpty\fR
-pseudo-tty related code
-.TP 10n
-\fIrbtree\fR
-redblack tree internals
-.TP 10n
-\fIutil\fR
-utility functions
.SH "FILES"
.TP 26n
\fI@sysconfdir@/sudo.conf\fR
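Review bot: the removed SUDO.CONF section also documented the Path askpass, Path noexec, Debug and Set disable_coredump directives and the plugin_path/plugin_name rules (L2148-2163), and the new "Configuring sudo.conf for sudoers" subsection replaces none of that beyond the two Plugin lines; please confirm that the sudo.conf(@mansectform@) manual this patch cross-references, which is not part of this diff, covers all of it, since a reader of this page now has only the cross-references to go on. The removed example at L2181 also showed all four plugin arguments on one line, which made the "Multiple arguments may be specified, separated by white space" sentence (L2011) concrete; the new example shows only sudoers_mode, so keeping the fuller example would help.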
ignore it.
Administrators should not rely on this feature as it is not universally
available.
+.SH "DEBUGGING"
+Versions 1.8.4 and higher of the
+\fBsudoers\fR
+plugin support a flexible debugging framework that can help track
+down what the plugin is doing internally if there is a problem.
+This can be configured in the
+sudo.conf(@mansectform@)
+file.
+.PP
+The
+\fBsudoers\fR
+plugin uses the same debug flag format as the
+\fBsudo\fR
+front-end:
+\fIsubsystem\fR@\fIpriority\fR.
+.PP
+The priorities used by
+\fBsudoers\fR,
+in order of decreasing severity,
+are:
+\fIcrit\fR, \fIerr\fR, \fIwarn\fR, \fInotice\fR, \fIdiag\fR, \fIinfo\fR, \fItrace\fR
+and
+\fIdebug\fR.
+Each priority, when specified, also includes all priorities higher
+than it.
+For example, a priority of
+\fInotice\fR
+would include debug messages logged at
+\fInotice\fR
+and higher.
+.PP
+The following subsystems are used by the
+\fBsudoers\fR
+plugin:
+.TP 10n
+\fIalias\fR
+\fRUser_Alias\fR,
+\fRRunas_Alias\fR,
+\fRHost_Alias\fR
+and
+\fRCmnd_Alias\fR
+processing
+.TP 10n
+\fIall\fR
+matches every subsystem
+.TP 10n
+\fIaudit\fR
+BSM and Linux audit code
+.TP 10n
+\fIauth\fR
+user authentication
+.TP 10n
+\fIdefaults\fR
+\fIsudoers\fR
+\fIDefaults\fR
+settings
+.TP 10n
+\fIenv\fR
+environment handling
+.TP 10n
+\fIldap\fR
+LDAP-based sudoers
+.TP 10n
+\fIlogging\fR
+logging support
+.TP 10n
+\fImatch\fR
+matching of users, groups, hosts and netgroups in
+\fIsudoers\fR
+.TP 10n
+\fInetif\fR
+network interface handling
+.TP 10n
+\fInss\fR
+network service switch handling in
+\fIsudoers\fR
+.TP 10n
+\fIparser\fR
+\fIsudoers\fR
+file parsing
+.TP 10n
+\fIperms\fR
+permission setting
+.TP 10n
+\fIplugin\fR
+The equivalent of
+\fImain\fR
+for the plugin.
+.TP 10n
+\fIpty\fR
+pseudo-tty related code
+.TP 10n
+\fIrbtree\fR
+redblack tree internals
+.TP 10n
+\fIutil\fR
+utility functions
+.PD 0
+.PP
+.PD
+For example:
+.nf
+.sp
+.RS 0n
+Debug sudo /var/log/sudo_debug match@info,nss@info
+.RE
+.fi
+.PP
+For more information, see the
+sudo.conf(@mansectform@)
+manual.
.SH "SEE ALSO"
ssh(1),
su(1),
glob(3),
mktemp(3),
strftime(3),
+sudo.conf(@mansectform@),
sudoers.ldap(@mansectform@),
sudo_plugin(@mansectsu@),
sudo(@mansectsu@),
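Review bot: the `.PD 0` / `.PP` / `.PD` sequence at L2417-2419 before "For example:" gives a zero-spacing paragraph and looks like the mdoc-to-man converter's output for a missing paragraph macro after the subsystem list in the source; the rest of this file uses a plain `.PP` for the same purpose (L2427), which is what should appear here once the source is fixed and the file regenerated. Also, `.RS 0n` at L2423 leaves the Debug example flush left while the Plugin examples added earlier in this patch use `.RS 6n` (L1995, L2015); the examples should be indented consistently.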
.\"
.\" Copyright (c) 1994-1996, 1998-2005, 2007-2013
-.\" Todd C. Miller <Todd.Miller@courtesan.com>
+.\" Todd C. Miller <Todd.Miller@courtesan.com>
.\"
.\" Permission to use, copy, modify, and distribute this software for any
.\" purpose with or without fee is hereby granted, provided that the above
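Review bot: as in sudoers.man.in, the removed and re-added copyright line (L2443/L2444) shows no visible difference; drop the whitespace-only change unless it is intentional.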
.\" Agency (DARPA) and Air Force Research Laboratory, Air Force
.\" Materiel Command, USAF, under agreement number F39502-99-1-0512.
.\"
-.Dd January 27, 2013
+.Dd February 5, 2013
.Dt SUDOERS @mansectform@
.Os Sudo @PACKAGE_VERSION@
.Sh NAME
.Nm sudoers
-.Nd default sudo security policy module
+.Nd default sudo security policy plugin
.Sh DESCRIPTION
The
.Em sudoers
-policy module determines a user's
+policy plugin determines a user's
.Nm sudo
privileges.
It is the default
policy information
in LDAP, please see
.Xr sudoers.ldap @mansectform@ .
+.Ss Configuring sudo.conf for sudoers
+.Nm sudo
+consults the
+.Xr sudo.conf @mansectform@
+file to determine which policy and and I/O logging plugins to load.
+If no
+.Xr sudo.conf @mansectform@
+file is present, or if it contains no
+.Li Plugin
+lines,
+.Nm sudoers
+will be used for policy decisions and I/O logging.
+To explicitly configure
+.Xr sudo.conf @mansectform@
+to use the
+.Nm sudoers
+plugin, the following configuration can be used.
+.Bd -literal -offset indent
+Plugin policy_plugin sudoers.so
+Plugin io_plugin sudoers.so
+.Ed
+.Pp
+Starting with
+.Nm sudo
+1.8.5, it is possible to specify optional arguments to the
+.Nm sudoers
+plugin in the
+.Xr sudo.conf @mansectform@
+file.
+These arguments, if present, should be listed after the path to the plugin
+(i.e.\& after
+.Pa sudoers.so ) .
+Multiple arguments may be specified, separated by white space.
+For example:
+.Bd -literal -offset indent
+Plugin sudoers_policy sudoers.so sudoers_mode=0400
+.Ed
+.Pp
+The following plugin arguments are supported:
+.Bl -tag -width 8n
+.It sudoers_file=pathname
+The
+.Em sudoers_file
+arguments can be used to override the default path
+to the
+.Em sudoers
+file.
+.It sudoers_uid=uid
+The
+.Em sudoers_uid
+arguments can be used to override the default owner of the sudoers file.
+It should be specified as a numeric user ID.
+.It sudoers_gid=gid
+The
+.Em sudoers_gid
+arguments can be used to override the default group of the sudoers file.
+It must be specified as a numeric group ID (not a group name).
+.It sudoers_mode=mode
+The
+.Em sudoers_mode
+arguments can be used to override the default file mode for the sudoers file.
+It should be specified as an octal value.
+.El
+.Pp
+For more information on configuring
+.Xr sudo.conf @mansectform@ ,
+please refer to its manual.
.Ss Authentication and logging
The
.Em sudoers
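Review bot: this is the source the .man.in and .cat files are generated from, so the problems in the new subsection should be fixed here. The two Plugin examples name the policy plugin differently (L2488 `Plugin policy_plugin sudoers.so` versus L2505 `Plugin sudoers_policy sudoers.so sudoers_mode=0400`); the removed text at L2644-2645 says plugin_name is the global symbol looked up in the plugin, so only one spelling can load, and sudoers_policy / sudoers_io are the symbols sudoers.so exports, so L2488-2489 should read `Plugin sudoers_policy sudoers.so` and `Plugin sudoers_io sudoers.so`. In the same hunk, "which policy and and I/O logging plugins" (L2474) has a doubled word, "arguments can be used" at L2513, L2520, L2525 and L2530 should be singular, and the sudoers_uid description (L2521) should use the same "must be specified as a numeric user ID (not a user name)" wording that sudoers_gid gets at L2526.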
Default is
.Dq Li @mailsub@ .
.It noexec_file
-This option is no longer supported.
+As of
+.Nm sudo
+version 1.8.1 this option is no longer supported.
The path to the noexec file should now be set in the
-.Pa @sysconfdir@/sudo.conf
+.Xr sudo.conf @mansectform@
file.
.It passprompt
The default prompt to use when asking for a password; can be overridden via the
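Review bot: "version 1.8.1 this option is no longer supported" (L2546) needs a comma after the version number; this is the source for the same sentence in sudoers.man.in.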
tries to open
.Em sudoers
using group permissions to avoid this problem.
-Consider changing the ownership of
+Consider either changing the ownership of
.Pa @sysconfdir@/sudoers
-by adding an option like
+or adding an argument like
.Dq sudoers_uid=N
(where
.Sq N
is the user ID that owns the
.Em sudoers
-file) to the
+file) to the end of the
.Nm sudoers
-plugin line in the
-.Pa @sysconfdir@/sudo.conf
+.Li Plugin
+line in the
+.Xr sudo.conf @mansectform@
file.
.It unable to stat @sysconfdir@/sudoers
The
.Em sudoers
file) to the
.Nm sudoers
-plugin line in the
-.Pa @sysconfdir@/sudo.conf
+.Li Plugin
+line in the
+.Xr sudo.conf @mansectform@
file.
.It @sysconfdir@/sudoers is world writable
The permissions on the
.Dq sudoers_mode
option to the
.Nm sudoers
-plugin line in the
-.Pa @sysconfdir@/sudo.conf
+.Li Plugin
+line in the
+.Xr sudo.conf @mansectform@
file.
.It @sysconfdir@/sudoers is owned by gid N, should be 1
The
.Em sudoers
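Review bot: the context at L2589 still says "option to the" for sudoers_mode while this patch changes "option" to "argument" for the same thing elsewhere (L2508, L2560); change it here for consistency.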
file) to the
.Nm sudoers
-plugin line in the
-.Pa @sysconfdir@/sudo.conf
+.Li Plugin
+line in the
+.Xr sudo.conf @mansectform@
file.
.It unable to open @timedir@/username/ttyname
.Em sudoers
.Ql \&! ) ,
word wrap will be disabled.
.El
-.Sh SUDO.CONF
-The
-.Pa @sysconfdir@/sudo.conf
-file determines which plugins the
-.Nm sudo
-front end will load.
-If no
-.Pa @sysconfdir@/sudo.conf
-file
-is present, or it contains no
-.Li Plugin
-lines,
-.Nm sudo
-will use the
-.Em sudoers
-security policy and I/O logging, which corresponds to the following
-.Pa @sysconfdir@/sudo.conf
-file.
-.Bd -literal
-#
-# Default @sysconfdir@/sudo.conf file
-#
-# Format:
-# Plugin plugin_name plugin_path plugin_options ...
-# Path askpass /path/to/askpass
-# Path noexec /path/to/sudo_noexec.so
-# Debug sudo /var/log/sudo_debug all@warn
-# Set disable_coredump true
-#
-# The plugin_path is relative to @PLUGINDIR@ unless
-# fully qualified.
-# The plugin_name corresponds to a global symbol in the plugin
-# that contains the plugin interface structure.
-# The plugin_options are optional.
-#
-Plugin policy_plugin sudoers.so
-Plugin io_plugin sudoers.so
-.Ed
-.Ss Plugin options
-Starting with
-.Nm sudo
-1.8.5, it is possible to pass options to the
-.Em sudoers
-plugin.
-Options may be listed after the path to the plugin (i.e.\& after
-.Pa sudoers.so ) ;
-multiple options should be space-separated.
-For example:
-.Bd -literal
-Plugin sudoers_policy sudoers.so sudoers_file=/etc/sudoers sudoers_uid=0 sudoers_gid=0 sudoers_mode=0440
-.Ed
-.Pp
-The following plugin options are supported:
-.Bl -tag -width 8n
-.It sudoers_file=pathname
-The
-.Em sudoers_file
-option can be used to override the default path
-to the
-.Em sudoers
-file.
-.It sudoers_uid=uid
-The
-.Em sudoers_uid
-option can be used to override the default owner of the sudoers file.
-It should be specified as a numeric user ID.
-.It sudoers_gid=gid
-The
-.Em sudoers_gid
-option can be used to override the default group of the sudoers file.
-It should be specified as a numeric group ID.
-.It sudoers_mode=mode
-The
-.Em sudoers_mode
-option can be used to override the default file mode for the sudoers file.
-It should be specified as an octal value.
-.El
-.Ss Debug flags
-Versions 1.8.4 and higher of the
-.Em sudoers
-plugin support a debugging framework that can help track down what the
-plugin is doing internally if there is a problem.
-This can be configured in the
-.Pa @sysconfdir@/sudo.conf
-file as described in
-.Xr sudo @mansectsu@ .
-.Pp
-The
-.Em sudoers
-plugin uses the same debug flag format as the
-.Nm sudo
-front-end:
-.Em subsystem Ns No @ Ns Em priority .
-.Pp
-The priorities used by
-.Em sudoers ,
-in order of decreasing severity,
-are:
-.Em crit ,
-.Em err ,
-.Em warn ,
-.Em notice ,
-.Em diag ,
-.Em info ,
-.Em trace
-and
-.Em debug .
-Each priority, when specified, also includes all priorities higher than it.
-For example, a priority of
-.Em notice
-would include debug messages logged at
-.Em notice
-and higher.
-.Pp
-The following subsystems are used by
-.Em sudoers :
-.Bl -tag -width 8n
-.It Em alias
-.Li User_Alias ,
-.Li Runas_Alias ,
-.Li Host_Alias
-and
-.Li Cmnd_Alias
-processing
-.It Em all
-matches every subsystem
-.It Em audit
-BSM and Linux audit code
-.It Em auth
-user authentication
-.It Em defaults
-.Em sudoers
-.Em Defaults
-settings
-.It Em env
-environment handling
-.It Em ldap
-LDAP-based sudoers
-.It Em logging
-logging support
-.It Em match
-matching of users, groups, hosts and netgroups in
-.Em sudoers
-.It Em netif
-network interface handling
-.It Em nss
-network service switch handling in
-.Em sudoers
-.It Em parser
-.Em sudoers
-file parsing
-.It Em perms
-permission setting
-.It Em plugin
-The equivalent of
-.Em main
-for the plugin.
-.It Em pty
-pseudo-tty related code
-.It Em rbtree
-redblack tree internals
-.It Em util
-utility functions
-.El
.Sh FILES
.Bl -tag -width 24n
.It Pa @sysconfdir@/sudo.conf
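Review bot: the removed SUDO.CONF section documented the Path askpass, Path noexec, Debug and Set disable_coredump directives and the plugin_path/plugin_name rules (L2632-2647), none of which the new "Configuring sudo.conf for sudoers" subsection carries; confirm the sudo.conf(@mansectform@) manual that this patch cross-references (not in this diff) covers them. The removed example at L2662 also listed all four plugin arguments together, which illustrated the "separated by white space" sentence (L2502) better than the single-argument example at L2505.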
ignore it.
Administrators should not rely on this feature as it is not universally
available.
+.Sh DEBUGGING
+Versions 1.8.4 and higher of the
+.Nm sudoers
+plugin support a flexible debugging framework that can help track
+down what the plugin is doing internally if there is a problem.
+This can be configured in the
+.Xr sudo.conf @mansectform@
+file.
+.Pp
+The
+.Nm sudoers
+plugin uses the same debug flag format as the
+.Nm sudo
+front-end:
+.Em subsystem Ns No @ Ns Em priority .
+.Pp
+The priorities used by
+.Nm sudoers ,
+in order of decreasing severity,
+are:
+.Em crit , err , warn , notice , diag , info , trace
+and
+.Em debug .
+Each priority, when specified, also includes all priorities higher
+than it.
+For example, a priority of
+.Em notice
+would include debug messages logged at
+.Em notice
+and higher.
+.Pp
+The following subsystems are used by the
+.Nm sudoers
+plugin:
+.Bl -tag -width 8n
+.It Em alias
+.Li User_Alias ,
+.Li Runas_Alias ,
+.Li Host_Alias
+and
+.Li Cmnd_Alias
+processing
+.It Em all
+matches every subsystem
+.It Em audit
+BSM and Linux audit code
+.It Em auth
+user authentication
+.It Em defaults
+.Em sudoers
+.Em Defaults
+settings
+.It Em env
+environment handling
+.It Em ldap
+LDAP-based sudoers
+.It Em logging
+logging support
+.It Em match
+matching of users, groups, hosts and netgroups in
+.Em sudoers
+.It Em netif
+network interface handling
+.It Em nss
+network service switch handling in
+.Em sudoers
+.It Em parser
+.Em sudoers
+file parsing
+.It Em perms
+permission setting
+.It Em plugin
+The equivalent of
+.Em main
+for the plugin.
+.It Em pty
+pseudo-tty related code
+.It Em rbtree
+redblack tree internals
+.It Em util
+utility functions
+.El
+For example:
+.Bd -literal
+Debug sudo /var/log/sudo_debug match@info,nss@info
+.Ed
+.Pp
+For more information, see the
+.Xr sudo.conf @mansectform@
+manual.
.Sh SEE ALSO
.Xr ssh 1 ,
.Xr su 1 ,
.Xr glob 3 ,
.Xr mktemp 3 ,
.Xr strftime 3 ,
+.Xr sudo.conf @mansectform@ ,
.Xr sudoers.ldap @mansectform@ ,
.Xr sudo_plugin @mansectsu@ ,
.Xr sudo @mansectsu@ ,
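Review bot: `.El` at L2864 is followed directly by "For example:" (L2865) with no `.Pp`, which is what produces the missing blank line in the generated sudoers.cat (L1930-1931) and the `.PD 0` / `.PP` / `.PD` sequence in sudoers.man.in (L2417-2419); add `.Pp` after `.El` and regenerate both files. For consistency with the Plugin examples added earlier in this patch (L2487, L2504), `.Bd -literal` at L2866 should also take `-offset indent`. Since `auth` and `env` are among the subsystems that can be traced to the file named on the Debug line, a sentence advising administrators to keep that debug file's permissions restrictive would be a worthwhile addition to this section.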