.\"
.\" SPDX-License-Identifier: ISC
.\"
-.\" Copyright (c) 2010-2018 Todd C. Miller <Todd.Miller@sudo.ws>
+.\" Copyright (c) 2010-2019 Todd C. Miller <Todd.Miller@sudo.ws>
.\"
.\" Permission to use, copy, modify, and distribute this software for any
.\" purpose with or without fee is hereby granted, provided that the above
.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
.\"
-.TH "SUDO.CONF" "@mansectform@" "October 7, 2018" "Sudo @PACKAGE_VERSION@" "File Formats Manual"
+.TH "SUDO.CONF" "@mansectform@" "June 20, 2019" "Sudo @PACKAGE_VERSION@" "File Formats Manual"
.nh
.if n .ad l
.SH "NAME"
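Review bot: The date on the .TH line moves to June 20, 2019 for SUDO.CONF, but the later hunks that reword the exec_background, set_utmp and use_pty text appear to belong to other manual pages, and no .TH or .Dd change is visible for them. If those pages carry their own date lines, bump them in the same commit so the rendered footer matches the edit.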
plugin configuration
.TP 12n
\fIpty\fR
-pseudo-tty related code
+pseudo-terminal related code
.TP 12n
\fIselinux\fR
SELinux-specific handling
.\"
.\" SPDX-License-Identifier: ISC
.\"
-.\" Copyright (c) 2010-2018 Todd C. Miller <Todd.Miller@sudo.ws>
+.\" Copyright (c) 2010-2019 Todd C. Miller <Todd.Miller@sudo.ws>
.\"
.\" Permission to use, copy, modify, and distribute this software for any
.\" purpose with or without fee is hereby granted, provided that the above
.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
.\"
-.Dd October 7, 2018
+.Dd June 20, 2019
.Dt SUDO.CONF @mansectform@
.Os Sudo @PACKAGE_VERSION@
.Sh NAME
.It Em plugin
plugin configuration
.It Em pty
-pseudo-tty related code
+pseudo-terminal related code
.It Em selinux
SELinux-specific handling
.It Em util
itself is running in the foreground.
When
\fIexec_background\fR
-is enabled and the command is being run in a pty (due to I/O logging
-or the
+is enabled and the command is being run in a pseudo-terminal
+(due to I/O logging or the
\fIuse_pty\fR
setting), the command will be run as a background process.
Attempts to read from the controlling terminal (or to change terminal
to tell whether the command really wants the input).
This is different from historic
\fIsudo\fR
-behavior or when the command is not being run in a pty.
+behavior or when the command is not being run in a pseudo-terminal.
.sp
For this to work seamlessly, the operating system must support the
automatic restarting of system calls.
SELinux type to use when executing the command.
.TP 6n
set_utmp=bool
-Create a utmp (or utmpx) entry when a pseudo-tty is allocated.
+Create a utmp (or utmpx) entry when a pseudo-terminal is allocated.
By default, the new entry will be a copy of the user's existing utmp
entry (if any), with the tty, time, type and pid fields updated.
.TP 6n
The file creation mask to use when executing the command.
.TP 6n
use_pty=bool
-Allocate a pseudo-tty to run the command in, regardless of whether
+Allocate a pseudo-terminal to run the command in, regardless of whether
or not I/O logging is in use.
By default,
\fBsudo\fR
will only run
-the command in a pty when an I/O log plugin is loaded.
+the command in a pseudo-terminal when an I/O log plugin is loaded.
.TP 6n
utmp_user=string
User name to use when constructing a new utmp (or utmpx) entry when
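Review bot: With every prose "pty" spelled out, nothing in the use_pty=bool entry ties the option name to the term any more. Consider "Allocate a pseudo-terminal (pty) to run the command in" on the first changed line, so that the setting name and the pty debug subsystem name stay self-explanatory to a reader who lands on this entry directly.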
.PP
When an I/O plugin is loaded,
\fBsudo\fR
-runs the command in a pseudo-tty.
+runs the command in a pseudo-terminal.
This makes it possible to log the input and output from the user's
session.
If any of the standard input, standard output or standard error do not
The log_ttyin function receives the raw user input from the terminal
device (note that this will include input even when echo is disabled,
such as when a password is read).
-The log_ttyout function receives output from the pseudo-tty that is
+The log_ttyout function receives output from the pseudo-terminal that is
suitable for replaying the user's session at a later time.
The
\fBlog_stdin\fR(),
itself is running in the foreground.
When
.Em exec_background
-is enabled and the command is being run in a pty (due to I/O logging
-or the
+is enabled and the command is being run in a pseudo-terminal
+(due to I/O logging or the
.Em use_pty
setting), the command will be run as a background process.
Attempts to read from the controlling terminal (or to change terminal
to tell whether the command really wants the input).
This is different from historic
.Em sudo
-behavior or when the command is not being run in a pty.
+behavior or when the command is not being run in a pseudo-terminal.
.Pp
For this to work seamlessly, the operating system must support the
automatic restarting of system calls.
.It selinux_type=string
SELinux type to use when executing the command.
.It set_utmp=bool
-Create a utmp (or utmpx) entry when a pseudo-tty is allocated.
+Create a utmp (or utmpx) entry when a pseudo-terminal is allocated.
By default, the new entry will be a copy of the user's existing utmp
entry (if any), with the tty, time, type and pid fields updated.
.It sudoedit=bool
.It umask=octal
The file creation mask to use when executing the command.
.It use_pty=bool
-Allocate a pseudo-tty to run the command in, regardless of whether
+Allocate a pseudo-terminal to run the command in, regardless of whether
or not I/O logging is in use.
By default,
.Nm sudo
will only run
-the command in a pty when an I/O log plugin is loaded.
+the command in a pseudo-terminal when an I/O log plugin is loaded.
.It utmp_user=string
User name to use when constructing a new utmp (or utmpx) entry when
.Em set_utmp
.Pp
When an I/O plugin is loaded,
.Nm sudo
-runs the command in a pseudo-tty.
+runs the command in a pseudo-terminal.
This makes it possible to log the input and output from the user's
session.
If any of the standard input, standard output or standard error do not
The log_ttyin function receives the raw user input from the terminal
device (note that this will include input even when echo is disabled,
such as when a password is read).
-The log_ttyout function receives output from the pseudo-tty that is
+The log_ttyout function receives output from the pseudo-terminal that is
suitable for replaying the user's session at a later time.
The
.Fn log_stdin ,
for a description of the log file format.
.PP
\fBsudoers\fR
-is also capable of running a command in a pseudo-tty and logging all
+is also capable of running a command in a pseudo-terminal and logging all
input and/or output.
The standard input, standard output and standard error can be logged
even when not associated with a terminal.
itself is running in the foreground.
When the
\fIexec_background\fR
-flag is enabled and the command is being run in a pty (due to I/O logging
-or the
+flag is enabled and the command is being run in a pseudo-terminal
+(due to I/O logging or the
\fIuse_pty\fR
flag), the command will be run as a background process.
Attempts to read from the controlling terminal (or to change terminal
to tell whether the command really wants the input).
This is different from historic
\fIsudo\fR
-behavior or when the command is not being run in a pty.
+behavior or when the command is not being run in a pseudo-terminal.
.sp
For this to work seamlessly, the operating system must support the
automatic restarting of system calls.
log_input
If set,
\fBsudo\fR
-will run the command in a pseudo-tty and log all user input.
+will run the command in a pseudo-terminal and log all user input.
If the standard input is not connected to the user's tty, due to
I/O redirection or because the command is part of a pipeline, that
input is also captured and stored in a separate log file.
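Review bot: The unchanged line right after the edit still reads "not connected to the user's tty", which now sits directly beside the new "pseudo-terminal" wording in the same log_input entry. If the goal is to drop the abbreviation from prose, change it to "the user's terminal" here as well. The "tty" in the set_utmp text names a utmp field and can stay.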
log_output
If set,
\fBsudo\fR
-will run the command in a pseudo-tty and log all output that is sent
+will run the command in a pseudo-terminal and log all output that is sent
to the screen, similar to the
script(1)
command.
set_utmp
When enabled,
\fBsudo\fR
-will create an entry in the utmp (or utmpx) file when a pseudo-tty
+will create an entry in the utmp (or utmpx) file when a pseudo-terminal
is allocated.
-A pseudo-tty is allocated by
+A pseudo-terminal is allocated by
\fBsudo\fR
-when the
+when it is running in a terminal and one or more of the
\fIlog_input\fR,
\fIlog_output\fR
or
\fIuse_pty\fR
-flags are enabled.
+flags is enabled.
By default, the new entry will be a copy of the user's existing utmp
entry (if any), with the tty, time, type and pid fields updated.
This flag is
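Review bot: The added condition "when it is running in a terminal and one or more of the" changes what set_utmp documents, while every other hunk is a terminology substitution, so it deserves its own mention in the commit log. It also leaves the log_input and log_output entries saying that sudo "will run the command in a pseudo-terminal" with no such condition. Either add the same qualifier there or state once where the terminal requirement applies, here and in the matching .It set_utmp hunk.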
use_pty
If set, and
\fBsudo\fR
-is running in a terminal, the command will be run in a pseudo-pty
+is running in a terminal, the command will be run in a pseudo-terminal
(even if no I/O logging is being done).
If the
\fBsudo\fR
terminal or running a background process that retains access to the
user's terminal device even after the main program has finished
executing.
-By running the command in a separate pseudo-pty, this attack is
+By running the command in a separate pseudo-terminal, this attack is
no longer possible.
This flag is
\fIoff\fR
.SH "I/O LOG FILES"
When I/O logging is enabled,
\fBsudo\fR
-will run the command in a pseudo-tty and log all user input and/or output,
+will run the command in a pseudo-terminal and log all user input and/or output,
depending on which options are enabled.
I/O is logged to the directory specified by the
\fIiolog_dir\fR
input from a pipe or file
.TP 10n
\fIttyout\fR
-output from the pseudo-tty (what the command writes to the screen)
+output from the pseudo-terminal (what the command writes to the screen)
.TP 10n
\fIstdout\fR
standard output to a pipe or redirected to a file
for the plugin.
.TP 10n
\fIpty\fR
-pseudo-tty related code
+pseudo-terminal related code
.TP 10n
\fIrbtree\fR
redblack tree internals
for a description of the log file format.
.Pp
.Nm sudoers
-is also capable of running a command in a pseudo-tty and logging all
+is also capable of running a command in a pseudo-terminal and logging all
input and/or output.
The standard input, standard output and standard error can be logged
even when not associated with a terminal.
itself is running in the foreground.
When the
.Em exec_background
-flag is enabled and the command is being run in a pty (due to I/O logging
-or the
+flag is enabled and the command is being run in a pseudo-terminal
+(due to I/O logging or the
.Em use_pty
flag), the command will be run as a background process.
Attempts to read from the controlling terminal (or to change terminal
to tell whether the command really wants the input).
This is different from historic
.Em sudo
-behavior or when the command is not being run in a pty.
+behavior or when the command is not being run in a pseudo-terminal.
.Pp
For this to work seamlessly, the operating system must support the
automatic restarting of system calls.
.It log_input
If set,
.Nm sudo
-will run the command in a pseudo-tty and log all user input.
+will run the command in a pseudo-terminal and log all user input.
If the standard input is not connected to the user's tty, due to
I/O redirection or because the command is part of a pipeline, that
input is also captured and stored in a separate log file.
.It log_output
If set,
.Nm sudo
-will run the command in a pseudo-tty and log all output that is sent
+will run the command in a pseudo-terminal and log all output that is sent
to the screen, similar to the
.Xr script 1
command.
.It set_utmp
When enabled,
.Nm sudo
-will create an entry in the utmp (or utmpx) file when a pseudo-tty
+will create an entry in the utmp (or utmpx) file when a pseudo-terminal
is allocated.
-A pseudo-tty is allocated by
+A pseudo-terminal is allocated by
.Nm sudo
-when the
+when it is running in a terminal and one or more of the
.Em log_input ,
.Em log_output
or
.Em use_pty
-flags are enabled.
+flags is enabled.
By default, the new entry will be a copy of the user's existing utmp
entry (if any), with the tty, time, type and pid fields updated.
This flag is
.It use_pty
If set, and
.Nm sudo
-is running in a terminal, the command will be run in a pseudo-pty
+is running in a terminal, the command will be run in a pseudo-terminal
(even if no I/O logging is being done).
If the
.Nm sudo
terminal or running a background process that retains access to the
user's terminal device even after the main program has finished
executing.
-By running the command in a separate pseudo-pty, this attack is
+By running the command in a separate pseudo-terminal, this attack is
no longer possible.
This flag is
.Em off
.Sh I/O LOG FILES
When I/O logging is enabled,
.Nm sudo
-will run the command in a pseudo-tty and log all user input and/or output,
+will run the command in a pseudo-terminal and log all user input and/or output,
depending on which options are enabled.
I/O is logged to the directory specified by the
.Em iolog_dir
.It Pa stdin
input from a pipe or file
.It Pa ttyout
-output from the pseudo-tty (what the command writes to the screen)
+output from the pseudo-terminal (what the command writes to the screen)
.It Pa stdout
standard output to a pipe or redirected to a file
.It Pa stderr
.Em main
for the plugin.
.It Em pty
-pseudo-tty related code
+pseudo-terminal related code
.It Em rbtree
redblack tree internals
.It Em sssd