S\bSu\bud\bdo\boe\ber\brs\bs g\bgr\bro\bou\bup\bp p\bpl\blu\bug\bgi\bin\bn A\bAP\bPI\bI
The s\bsu\bud\bdo\boe\ber\brs\bs plugin supports its own plugin interface to allow non-Unix
group lookups. This can be used to query a group source other than the
- standard Unix group database. A sample group plugin is bundled with s\bsu\bud\bdo\bo
- that implements file-based lookups. Third party group plugins include a
- QAS AD plugin available from Quest Software.
+ standard Unix group database. Two sample group plugins are bundled with
+ s\bsu\bud\bdo\bo, _\bg_\br_\bo_\bu_\bp_\b__\bf_\bi_\bl_\be and _\bs_\by_\bs_\bt_\be_\bm_\b__\bg_\br_\bo_\bu_\bp, are detailed in sudoers(4). Third
+ party group plugins include a QAS AD plugin available from Quest
+ Software.
A group plugin must declare and populate a sudoers_group_plugin struct in
the global scope. This structure contains pointers to the functions that
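Review bot: the replacement sentence in this hunk does not parse: "Two sample group plugins are bundled with sudo, group_file and system_group, are detailed in sudoers(4)" has two main verbs and no conjunction. Suggest "Two sample group plugins, group_file and system_group, are bundled with sudo and are detailed in sudoers(4)." The roff and mdoc versions of this paragraph further down in the patch carry the same wording and need the same fix.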
file distributed with s\bsu\bud\bdo\bo or http://www.sudo.ws/sudo/license.html for
complete details.
-Sudo 1.8.7 February 24, 2013 Sudo 1.8.7
+Sudo 1.8.7 March 5, 2013 Sudo 1.8.7
.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
.\" ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
.\"
-.TH "SUDO_PLUGIN" "5" "February 24, 2013" "Sudo @PACKAGE_VERSION@" "OpenBSD Programmer's Manual"
+.TH "SUDO_PLUGIN" "5" "March 5, 2013" "Sudo @PACKAGE_VERSION@" "OpenBSD Programmer's Manual"
.nh
.if n .ad l
.SH "NAME"
group lookups.
This can be used to query a group source other than the standard Unix
group database.
-A sample group plugin is bundled with
-\fBsudo\fR
-that implements file-based lookups.
+Two sample group plugins are bundled with
+\fBsudo\fR,
+\fIgroup_file\fR
+and
+\fIsystem_group\fR,
+are detailed in
+sudoers(@mansectform@).
Third party group plugins include a QAS AD plugin available from Quest Software.
.PP
A group plugin must declare and populate a
.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
.\" ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
.\"
-.Dd February 24, 2013
+.Dd March 5, 2013
.Dt SUDO_PLUGIN @mansectform@
.Os Sudo @PACKAGE_VERSION@
.Sh NAME
group lookups.
This can be used to query a group source other than the standard Unix
group database.
-A sample group plugin is bundled with
-.Nm sudo
-that implements file-based lookups.
+Two sample group plugins are bundled with
+.Nm sudo ,
+.Em group_file
+and
+.Em system_group ,
+are detailed in
+.Xr sudoers @mansectform@ .
Third party group plugins include a QAS AD plugin available from Quest Software.
.Pp
A group plugin must declare and populate a
characters must be included inside the quotes.
The actual nonunix_group and nonunix_gid syntax depends on the underlying
- group provider plugin (see the _\bg_\br_\bo_\bu_\bp_\b__\bp_\bl_\bu_\bg_\bi_\bn description below). For
- instance, the QAS AD plugin supports the following formats:
+ group provider plugin. For instance, the QAS AD plugin supports the
+ following formats:
o\bo Group in the same domain: "%:Group Name"
o\bo Group SID: "%:S-1-2-34-5678901234-5678901234-5678901234-567"
+ See _\bG_\bR_\bO_\bU_\bP _\bP_\bR_\bO_\bV_\bI_\bD_\bE_\bR _\bP_\bL_\bU_\bG_\bI_\bN_\bS for more information.
+
Note that quotes around group names are optional. Unquoted strings must
use a backslash (`\') to escape spaces and special characters. See _\bO_\bt_\bh_\be_\br
_\bs_\bp_\be_\bc_\bi_\ba_\bl _\bc_\bh_\ba_\br_\ba_\bc_\bt_\be_\br_\bs _\ba_\bn_\bd _\br_\be_\bs_\be_\br_\bv_\be_\bd _\bw_\bo_\br_\bd_\bs for a list of characters that need
arguments: `,', `:', `=', `\'. The built-in command ``sudoedit'' is used
to permit a user to run s\bsu\bud\bdo\bo with the -\b-e\be option (or as s\bsu\bud\bdo\boe\bed\bdi\bit\bt). It may
take command line arguments just as a normal command does. Note that
- ``sudoedit'' is a command built-in to s\bsu\bud\bdo\bo itself and must be specified
- in _\bs_\bu_\bd_\bo_\be_\br_\bs without a leading path.
+ ``sudoedit'' is a command built into s\bsu\bud\bdo\bo itself and must be specified in
+ _\bs_\bu_\bd_\bo_\be_\br_\bs without a leading path.
D\bDe\bef\bfa\bau\bul\blt\bts\bs
Certain configuration options may be changed from their default values at
a % prefix. This is not set by default.
group_plugin A string containing a _\bs_\bu_\bd_\bo_\be_\br_\bs group plugin with optional
- arguments. This can be used to implement support for the
- nonunix_group syntax described earlier. The string should
- consist of the plugin path, either fully-qualified or
- relative to the _\b/_\bu_\bs_\br_\b/_\bl_\bo_\bc_\ba_\bl_\b/_\bl_\bi_\bb_\be_\bx_\be_\bc_\b/_\bs_\bu_\bd_\bo directory, followed
- by any configuration arguments the plugin requires. These
+ arguments. The string should consist of the plugin path,
+ either fully-qualified or relative to the
+ _\b/_\bu_\bs_\br_\b/_\bl_\bo_\bc_\ba_\bl_\b/_\bl_\bi_\bb_\be_\bx_\be_\bc_\b/_\bs_\bu_\bd_\bo directory, followed by any
+ configuration arguments the plugin requires. These
arguments (if any) will be passed to the plugin's
initialization function. If arguments are present, the
string must be enclosed in double quotes ("").
- For example, given _\b/_\be_\bt_\bc_\b/_\bs_\bu_\bd_\bo_\b-_\bg_\br_\bo_\bu_\bp, a group file in Unix
- group format, the sample group plugin can be used:
-
- Defaults group_plugin="group_file.so /etc/sudo-group"
-
- For more information see sudo_plugin(4).
+ For more information see GROUP PROVIDER PLUGINS.
lecture This option controls when a short lecture will be printed
along with the password prompt. It has the following
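Review bot: the trimmed group_plugin entry still says "configuration arguments" and "If arguments are present", while the GROUP PROVIDER PLUGINS section added by this patch describes the same string as "configuration options" and "If options are present". Pick one term for both places. Since the path and quoting rules are now stated in full in the new section, this entry could also be cut down to the pointer sentence so the two copies cannot drift apart.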
variables to keep is displayed when s\bsu\bud\bdo\bo is run by root
with the -\b-V\bV option.
+G\bGR\bRO\bOU\bUP\bP P\bPR\bRO\bOV\bVI\bID\bDE\bER\bR P\bPL\bLU\bUG\bGI\bIN\bNS\bS
+ The s\bsu\bud\bdo\boe\ber\brs\bs plugin supports its own plugin interface to allow non-Unix
+ group lookups which can query a group source other than the standard Unix
+ group database. This can be used to implement support for the
+ nonunix_group syntax described earlier.
+
+ Group provider plugins are specified via the _\bg_\br_\bo_\bu_\bp_\b__\bp_\bl_\bu_\bg_\bi_\bn Defaults
+ setting. The argument to _\bg_\br_\bo_\bu_\bp_\b__\bp_\bl_\bu_\bg_\bi_\bn should consist of the plugin path,
+ either fully-qualified or relative to the _\b/_\bu_\bs_\br_\b/_\bl_\bo_\bc_\ba_\bl_\b/_\bl_\bi_\bb_\be_\bx_\be_\bc_\b/_\bs_\bu_\bd_\bo
+ directory, followed by any configuration options the plugin requires.
+ These options (if specified) will be passed to the plugin's
+ initialization function. If options are present, the string must be
+ enclosed in double quotes ("").
+
+ The following group provider plugins are installed by default:
+
+ group_file
+ The _\bg_\br_\bo_\bu_\bp_\b__\bf_\bi_\bl_\be plugin supports an alternate group file that
+ uses the same syntax as the _\b/_\be_\bt_\bc_\b/_\bg_\br_\bo_\bu_\bp file. The path to the
+ group file should be specified as an option to the plugin. For
+ example, if the group file to be used is _\b/_\be_\bt_\bc_\b/_\bs_\bu_\bd_\bo_\b-_\bg_\br_\bo_\bu_\bp:
+
+ Defaults group_plugin="group_file.so /etc/sudo-group"
+
+ system_group
+ The _\bs_\by_\bs_\bt_\be_\bm_\b__\bg_\br_\bo_\bu_\bp plugin supports group lookups via the standard
+ C library functions g\bge\bet\btg\bgr\brn\bna\bam\bm() and g\bge\bet\btg\bgr\bri\bid\bd(). This plugin can
+ be used in instances where the user belongs to groups not
+ present in the user's supplemental group vector. This plugin
+ takes no options:
+
+ Defaults group_plugin=system_group.so
+
+ The group provider plugin API is described in detail in sudo_plugin(1m).
+
L\bLO\bOG\bG F\bFO\bOR\bRM\bMA\bAT\bT
s\bsu\bud\bdo\boe\ber\brs\bs can log events using either syslog(3) or a simple log file. In
each case the log format is almost identical.
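Review bot: "getgrid()" in the system_group entry is not a C library function; the lookup-by-GID counterpart of getgrnam() is getgrgid(). The same misspelling appears in the "\fBgetgrid\fR()" and ".Fn getgrid" lines of the other two versions of this section, so all three need correcting.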
and
\fRnonunix_gid\fR
syntax depends on
-the underlying group provider plugin (see the
-\fIgroup_plugin\fR
-description below).
+the underlying group provider plugin.
For instance, the QAS AD plugin supports the following formats:
.TP 6n
\fBo\fR
\fBo\fR
Group SID: "%:S-1-2-34-5678901234-5678901234-5678901234-567"
.PP
+See
+\fIGROUP PROVIDER PLUGINS\fR
+for more information.
+.PP
Note that quotes around group names are optional.
Unquoted strings must use a backslash
(`\e')
It may take command line arguments just as a normal command does.
Note that
``\fRsudoedit\fR''
-is a command built-in to
+is a command built into
\fBsudo\fR
itself and must be specified in
\fIsudoers\fR
A string containing a
\fIsudoers\fR
group plugin with optional arguments.
-This can be used to implement support for the
-\fRnonunix_group\fR
-syntax described earlier.
The string should consist of the plugin
path, either fully-qualified or relative to the
\fI@PLUGINDIR@\fR
If arguments are present, the string must be enclosed in double quotes
(\&"").
.sp
-For example, given
-\fI/etc/sudo-group\fR,
-a group file in Unix group format, the sample group plugin can be used:
-.RS
-.nf
-.sp
-.RS 0n
-Defaults group_plugin="group_file.so /etc/sudo-group"
-.RE
-.fi
-.sp
For more information see
-sudo_plugin(@mansectform@).
-.PP
-.RE
-.PD 0
+GROUP PROVIDER PLUGINS.
.TP 14n
lecture
This option controls when a short lecture will be printed along with
the password prompt.
It has the following possible values:
.RS
-.PD
.TP 8n
always
Always lecture the user.
is run by root with the
\fB\-V\fR
option.
+.SH "GROUP PROVIDER PLUGINS"
+The
+\fBsudoers\fR
+plugin supports its own plugin interface to allow non-Unix
+group lookups which can query a group source other
+than the standard Unix group database.
+This can be used to implement support for the
+\fRnonunix_group\fR
+syntax described earlier.
+.PP
+Group provider plugins are specified via the
+\fIgroup_plugin\fR
+Defaults setting.
+The argument to
+\fIgroup_plugin\fR
+should consist of the plugin path, either fully-qualified or relative to the
+\fI@PLUGINDIR@\fR
+directory, followed by any configuration options the plugin requires.
+These options (if specified) will be passed to the plugin's initialization
+function.
+If options are present, the string must be enclosed in double quotes
+(\&"").
+.PP
+The following group provider plugins are installed by default:
+.TP 10n
+group_file
+The
+\fIgroup_file\fR
+plugin supports an alternate group file that uses the same syntax as the
+\fI/etc/group\fR
+file.
+The path to the group file should be specified as an option
+to the plugin.
+For example, if the group file to be used is
+\fI/etc/sudo-group\fR:
+.RS
+.nf
+.sp
+.RS 0n
+Defaults group_plugin="group_file.so /etc/sudo-group"
+.RE
+.fi
+.PP
+.RE
+.PD 0
+.TP 10n
+system_group
+The
+\fIsystem_group\fR
+plugin supports group lookups via the standard C library functions
+\fBgetgrnam\fR()
+and
+\fBgetgrid\fR().
+This plugin can be used in instances where the user belongs to
+groups not present in the user's supplemental group vector.
+This plugin takes no options:
+.RS
+.nf
+.sp
+.RS 0n
+Defaults group_plugin=system_group.so
+.RE
+.fi
+.RE
+.PD
+.PP
+The group provider plugin API is described in detail in
+sudo_plugin(@mansectsu@).
.SH "LOG FORMAT"
\fBsudoers\fR
can log events using either
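Review bot: the closing reference "sudo_plugin(@mansectsu@)" uses a different section macro from the reference this patch removes, "sudo_plugin(@mansectform@)", and from the ".Dt SUDO_PLUGIN @mansectform@" header of the page it points at. The formatted text shows the effect: the new section cites sudo_plugin(1m) where the removed line cited sudo_plugin(4). Use @mansectform@ here and in the matching ".Xr sudo_plugin @mansectsu@ ." line of the mdoc version.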
and
.Li nonunix_gid
syntax depends on
-the underlying group provider plugin (see the
-.Em group_plugin
-description below).
+the underlying group provider plugin.
For instance, the QAS AD plugin supports the following formats:
.Bl -bullet -width 4n
.It
Group SID: "%:S-1-2-34-5678901234-5678901234-5678901234-567"
.El
.Pp
+See
+.Sx "GROUP PROVIDER PLUGINS"
+for more information.
+.Pp
Note that quotes around group names are optional.
Unquoted strings must use a backslash
.Pq Ql \e
It may take command line arguments just as a normal command does.
Note that
.Dq Li sudoedit
-is a command built-in to
+is a command built into
.Nm sudo
itself and must be specified in
.Em sudoers
A string containing a
.Em sudoers
group plugin with optional arguments.
-This can be used to implement support for the
-.Li nonunix_group
-syntax described earlier.
The string should consist of the plugin
path, either fully-qualified or relative to the
.Pa @PLUGINDIR@
If arguments are present, the string must be enclosed in double quotes
.Pq \&"" .
.Pp
-For example, given
-.Pa /etc/sudo-group ,
-a group file in Unix group format, the sample group plugin can be used:
-.Bd -literal
-Defaults group_plugin="group_file.so /etc/sudo-group"
-.Ed
-.Pp
For more information see
-.Xr sudo_plugin @mansectform@ .
+.Xr "GROUP PROVIDER PLUGINS" .
.It lecture
This option controls when a short lecture will be printed along with
the password prompt.
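Review bot: '.Xr "GROUP PROVIDER PLUGINS" .' at the end of the group_plugin entry applies the manual-page cross-reference macro to a section title. The nonunix_group hunk earlier in this file uses '.Sx "GROUP PROVIDER PLUGINS"' for the same target, so use .Sx here as well. The roff version shows the same inconsistency: plain "GROUP PROVIDER PLUGINS." at this reference, "\fIGROUP PROVIDER PLUGINS\fR" at the other.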
.Fl V
option.
.El
+.Sh GROUP PROVIDER PLUGINS
+The
+.Nm sudoers
+plugin supports its own plugin interface to allow non-Unix
+group lookups which can query a group source other
+than the standard Unix group database.
+This can be used to implement support for the
+.Li nonunix_group
+syntax described earlier.
+.Pp
+Group provider plugins are specified via the
+.Em group_plugin
+Defaults setting.
+The argument to
+.Em group_plugin
+should consist of the plugin path, either fully-qualified or relative to the
+.Pa @PLUGINDIR@
+directory, followed by any configuration options the plugin requires.
+These options (if specified) will be passed to the plugin's initialization
+function.
+If options are present, the string must be enclosed in double quotes
+.Pq \&"" .
+.Pp
+The following group provider plugins are installed by default:
+.Bl -tag -width 8n
+.It group_file
+The
+.Em group_file
+plugin supports an alternate group file that uses the same syntax as the
+.Pa /etc/group
+file.
+The path to the group file should be specified as an option
+to the plugin.
+For example, if the group file to be used is
+.Pa /etc/sudo-group :
+.Bd -literal
+Defaults group_plugin="group_file.so /etc/sudo-group"
+.Ed
+.It system_group
+The
+.Em system_group
+plugin supports group lookups via the standard C library functions
+.Fn getgrnam
+and
+.Fn getgrid .
+This plugin can be used in instances where the user belongs to
+groups not present in the user's supplemental group vector.
+This plugin takes no options:
+.Bd -literal
+Defaults group_plugin=system_group.so
+.Ed
+.El
+.Pp
+The group provider plugin API is described in detail in
+.Xr sudo_plugin @mansectsu@ .
.Sh LOG FORMAT
.Nm sudoers
can log events using either
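Review bot: the group_file entry tells the administrator to pass a file such as /etc/sudo-group, and the paragraph above it allows a fully-qualified plugin path, but the section never says what ownership or mode either file must have. Entries in the group file decide which users match a group in sudoers, and the plugin is code loaded through the group_plugin setting, so state that both should be writable only by root, and say whether any check is made when they are opened.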