+SUDO(1m) MAINTENANCE COMMANDS SUDO(1m)
-SUDO(1m) MAINTENANCE COMMANDS SUDO(1m)
-
-
N\bNA\bAM\bME\bE
sudo, sudoedit - execute a command as another user
S\bSY\bYN\bNO\bOP\bPS\bSI\bIS\bS
- s\bsu\bud\bdo\bo [-\b-D\bD _\bl_\be_\bv_\be_\bl] -\b-h\bh | -\b-K\bK | -\b-k\bk | -\b-V\bV
+ s\bsu\bud\bdo\bo -\b-h\bh | -\b-K\bK | -\b-k\bk | -\b-V\bV
- s\bsu\bud\bdo\bo -\b-v\bv [-\b-A\bAk\bkn\bnS\bS] [-\b-a\ba _\ba_\bu_\bt_\bh_\b__\bt_\by_\bp_\be] [-\b-D\bD _\bl_\be_\bv_\be_\bl] [-\b-g\bg _\bg_\br_\bo_\bu_\bp _\bn_\ba_\bm_\be|_\b#_\bg_\bi_\bd]
- [-\b-p\bp _\bp_\br_\bo_\bm_\bp_\bt] [-\b-u\bu _\bu_\bs_\be_\br _\bn_\ba_\bm_\be|_\b#_\bu_\bi_\bd]
+ s\bsu\bud\bdo\bo -\b-v\bv [-\b-A\bAk\bkn\bnS\bS] [-\b-a\ba _\ba_\bu_\bt_\bh_\b__\bt_\by_\bp_\be] [-\b-g\bg _\bg_\br_\bo_\bu_\bp _\bn_\ba_\bm_\be|_\b#_\bg_\bi_\bd] [-\b-p\bp _\bp_\br_\bo_\bm_\bp_\bt]
+ [-\b-u\bu _\bu_\bs_\be_\br _\bn_\ba_\bm_\be|_\b#_\bu_\bi_\bd]
- s\bsu\bud\bdo\bo -\b-l\bl[\b[l\bl]\b] [-\b-A\bAk\bkn\bnS\bS] [-\b-a\ba _\ba_\bu_\bt_\bh_\b__\bt_\by_\bp_\be] [-\b-D\bD _\bl_\be_\bv_\be_\bl] [-\b-g\bg _\bg_\br_\bo_\bu_\bp _\bn_\ba_\bm_\be|_\b#_\bg_\bi_\bd]
- [-\b-p\bp _\bp_\br_\bo_\bm_\bp_\bt] [-\b-U\bU _\bu_\bs_\be_\br _\bn_\ba_\bm_\be] [-\b-u\bu _\bu_\bs_\be_\br _\bn_\ba_\bm_\be|_\b#_\bu_\bi_\bd] [_\bc_\bo_\bm_\bm_\ba_\bn_\bd]
+ s\bsu\bud\bdo\bo -\b-l\bl[\b[l\bl]\b] [-\b-A\bAk\bkn\bnS\bS] [-\b-a\ba _\ba_\bu_\bt_\bh_\b__\bt_\by_\bp_\be] [-\b-g\bg _\bg_\br_\bo_\bu_\bp _\bn_\ba_\bm_\be|_\b#_\bg_\bi_\bd] [-\b-p\bp _\bp_\br_\bo_\bm_\bp_\bt]
+ [-\b-U\bU _\bu_\bs_\be_\br _\bn_\ba_\bm_\be] [-\b-u\bu _\bu_\bs_\be_\br _\bn_\ba_\bm_\be|_\b#_\bu_\bi_\bd] [_\bc_\bo_\bm_\bm_\ba_\bn_\bd]
- s\bsu\bud\bdo\bo [-\b-A\bAb\bbE\bEH\bHn\bnP\bPS\bS] [-\b-a\ba _\ba_\bu_\bt_\bh_\b__\bt_\by_\bp_\be] [-\b-C\bC _\bf_\bd] [-\b-D\bD _\bl_\be_\bv_\be_\bl] [-\b-c\bc _\bc_\bl_\ba_\bs_\bs|_\b-]
+ s\bsu\bud\bdo\bo [-\b-A\bAb\bbE\bEH\bHn\bnP\bPS\bS] [-\b-a\ba _\ba_\bu_\bt_\bh_\b__\bt_\by_\bp_\be] [-\b-C\bC _\bf_\bd] [-\b-c\bc _\bc_\bl_\ba_\bs_\bs|_\b-]
[-\b-g\bg _\bg_\br_\bo_\bu_\bp _\bn_\ba_\bm_\be|_\b#_\bg_\bi_\bd] [-\b-p\bp _\bp_\br_\bo_\bm_\bp_\bt] [-\b-r\br _\br_\bo_\bl_\be] [-\b-t\bt _\bt_\by_\bp_\be]
[-\b-u\bu _\bu_\bs_\be_\br _\bn_\ba_\bm_\be|_\b#_\bu_\bi_\bd] [V\bVA\bAR\bR=_\bv_\ba_\bl_\bu_\be] [-\b-i\bi | -\b-s\bs] [_\bc_\bo_\bm_\bm_\ba_\bn_\bd]
- s\bsu\bud\bdo\boe\bed\bdi\bit\bt [-\b-A\bAn\bnS\bS] [-\b-a\ba _\ba_\bu_\bt_\bh_\b__\bt_\by_\bp_\be] [-\b-C\bC _\bf_\bd] [-\b-c\bc _\bc_\bl_\ba_\bs_\bs|_\b-] [-\b-D\bD _\bl_\be_\bv_\be_\bl]
+ s\bsu\bud\bdo\boe\bed\bdi\bit\bt [-\b-A\bAn\bnS\bS] [-\b-a\ba _\ba_\bu_\bt_\bh_\b__\bt_\by_\bp_\be] [-\b-C\bC _\bf_\bd] [-\b-c\bc _\bc_\bl_\ba_\bs_\bs|_\b-]
[-\b-g\bg _\bg_\br_\bo_\bu_\bp _\bn_\ba_\bm_\be|_\b#_\bg_\bi_\bd] [-\b-p\bp _\bp_\br_\bo_\bm_\bp_\bt] [-\b-u\bu _\bu_\bs_\be_\br _\bn_\ba_\bm_\be|_\b#_\bu_\bi_\bd] file ...
D\bDE\bES\bSC\bCR\bRI\bIP\bPT\bTI\bIO\bON\bN
s\bsu\bud\bdo\bo supports a plugin architecture for security policies and
input/output logging. Third parties can develop and distribute their
- own policy and I/O logging modules to work seemlessly with the s\bsu\bud\bdo\bo
+ own policy and I/O logging modules to work seamlessly with the s\bsu\bud\bdo\bo
front end. The default security policy is _\bs_\bu_\bd_\bo_\be_\br_\bs, which is configured
via the file _\b/_\be_\bt_\bc_\b/_\bs_\bu_\bd_\bo_\be_\br_\bs, or via LDAP. See the PLUGINS section for
more information.
If an I/O plugin is configured, the running command's input and output
may be logged as well.
-
-
-
-
-1.8.0rc1 February 21, 2011 1
-
-
-
-
-
-SUDO(1m) MAINTENANCE COMMANDS SUDO(1m)
-
-
O\bOP\bPT\bTI\bIO\bON\bNS\bS
s\bsu\bud\bdo\bo accepts the following command line options:
is already root. This option is only available on systems
with BSD login classes.
-
-
-1.8.0rc1 February 21, 2011 2
-
-
-
-
-
-SUDO(1m) MAINTENANCE COMMANDS SUDO(1m)
-
-
- -D _\bl_\be_\bv_\be_\bl Enable debugging of s\bsu\bud\bdo\bo plugins and s\bsu\bud\bdo\bo itself. The
- _\bl_\be_\bv_\be_\bl may be a value from 1 through 9.
-
-E The -\b-E\bE (_\bp_\br_\be_\bs_\be_\br_\bv_\be _\be_\bn_\bv_\bi_\br_\bo_\bn_\bm_\be_\bn_\bt) option indicates to the
- security policy that the uses wishes to preserve their
+ security policy that the user wishes to preserve their
existing environment variables. The security policy may
return an error if the -\b-E\bE option is specified and the user
does not have permission to preserve the environment.
behavior.
-h The -\b-h\bh (_\bh_\be_\bl_\bp) option causes s\bsu\bud\bdo\bo to print a short help
-
-
-
-1.8.0rc1 February 21, 2011 3
-
-
-
-
-
-SUDO(1m) MAINTENANCE COMMANDS SUDO(1m)
-
-
message to the standard output and exit.
-i [command]
to change to that user's home directory before running the
shell. The security policy shall initialize the
environment to a minimal set of variables, similar to what
- is present when a user logs in.
+ is present when a user logs in. The _\bC_\bo_\bm_\bm_\ba_\bn_\bd _\bE_\bn_\bv_\bi_\br_\bo_\bn_\bm_\be_\bn_\bt
+ section in the _\bs_\bu_\bd_\bo_\be_\br_\bs(4) manual documents how the -\b-i\bi
+ option affects the environment in which a command is run
+ when the _\bs_\bu_\bd_\bo_\be_\br_\bs policy is in use.
-K The -\b-K\bK (sure _\bk_\bi_\bl_\bl) option is like -\b-k\bk except that it removes
the user's cached credentials entirely and may not be used
messages and exit.
-P The -\b-P\bP (_\bp_\br_\be_\bs_\be_\br_\bv_\be _\bg_\br_\bo_\bu_\bp _\bv_\be_\bc_\bt_\bo_\br) option causes s\bsu\bud\bdo\bo to
-
-
-
-1.8.0rc1 February 21, 2011 4
-
-
-
-
-
-SUDO(1m) MAINTENANCE COMMANDS SUDO(1m)
-
-
preserve the invoking user's group vector unaltered. By
default, the _\bs_\bu_\bd_\bo_\be_\br_\bs policy will initialize the group
vector to the list of groups the target user is in. The
role.
-U _\bu_\bs_\be_\br The -\b-U\bU (_\bo_\bt_\bh_\be_\br _\bu_\bs_\be_\br) option is used in conjunction with the
-
-
-
-1.8.0rc1 February 21, 2011 5
-
-
-
-
-
-SUDO(1m) MAINTENANCE COMMANDS SUDO(1m)
-
-
-\b-l\bl option to specify the user whose privileges should be
listed. The security policy may restrict listing other
users' privileges. The _\bs_\bu_\bd_\bo_\be_\br_\bs policy only allows root or
line are subject to the same restrictions as normal environment
variables with one important exception. If the _\bs_\be_\bt_\be_\bn_\bv option is set in
_\bs_\bu_\bd_\bo_\be_\br_\bs, the command to be run has the SETENV tag set or the command
- matched is ALL, the user may set variables that would overwise be
+ matched is ALL, the user may set variables that would otherwise be
forbidden. See _\bs_\bu_\bd_\bo_\be_\br_\bs(4) for more information.
P\bPL\bLU\bUG\bGI\bIN\bNS\bS
security policy and I/O logging, which corresponds to the following
_\b/_\be_\bt_\bc_\b/_\bs_\bu_\bd_\bo_\b._\bc_\bo_\bn_\bf file.
-
-
-
-
-
-
-
-1.8.0rc1 February 21, 2011 6
-
-
-
-
-
-SUDO(1m) MAINTENANCE COMMANDS SUDO(1m)
-
-
#
# Default /etc/sudo.conf file
#
# Format:
- # Plugin plugin_name plugin_path
- # Path askpass path/to/askpass
+ # Plugin plugin_name plugin_path plugin_args ...
+ # Path askpass /path/to/askpass
+ # Path noexec /path/to/sudo_noexec.so
+ # Debug sudo /var/log/sudo_debug all@warn
+ # Set disable_coredump true
#
# The plugin_path is relative to /usr/local/libexec unless
# fully qualified.
# The plugin_name corresponds to a global symbol in the plugin
# that contains the plugin interface structure.
+ # The plugin_args are optional.
#
Plugin policy_plugin sudoers.so
Plugin io_plugin sudoers.so
io_plugin in the plugin shared object. The _\bp_\ba_\bt_\bh may be fully qualified
or relative. If not fully qualified it is relative to the
_\b/_\bu_\bs_\br_\b/_\bl_\bo_\bc_\ba_\bl_\b/_\bl_\bi_\bb_\be_\bx_\be_\bc directory. Any additional parameters after the _\bp_\ba_\bt_\bh
- are ignored. Lines that don't begin with Plugin or Path are silently
- ignored
+ are passed as arguments to the plugin's _\bo_\bp_\be_\bn function. Lines that
+ don't begin with Plugin, Path, Debug or Set are silently ignored.
For more information, see the _\bs_\bu_\bd_\bo_\b__\bp_\bl_\bu_\bg_\bi_\bn(1m) manual.
+P\bPA\bAT\bTH\bHS\bS
+ A Path line consists of the Path keyword, followed by the name of the
+ path to set and its value. E.g.
+
+ Path noexec /usr/local/libexec/sudo_noexec.so
+ Path askpass /usr/X11R6/bin/ssh-askpass
+
+ The following plugin-agnostic paths may be set in the _\b/_\be_\bt_\bc_\b/_\bs_\bu_\bd_\bo_\b._\bc_\bo_\bn_\bf
+ file.
+
+ askpass The fully qualified path to a helper program used to
+ read the user's password when no terminal is available.
+ This may be the case when s\bsu\bud\bdo\bo is executed from a
+ graphical (as opposed to text-based) application. The
+ program specified by _\ba_\bs_\bk_\bp_\ba_\bs_\bs should display the
+ argument passed to it as the prompt and write the
+ user's password to the standard output. The value of
+ _\ba_\bs_\bk_\bp_\ba_\bs_\bs may be overridden by the SUDO_ASKPASS
+ environment variable.
+
+ noexec The fully-qualified path to a shared library containing
+ dummy versions of the _\be_\bx_\be_\bc_\bv_\b(_\b), _\be_\bx_\be_\bc_\bv_\be_\b(_\b) and _\bf_\be_\bx_\be_\bc_\bv_\be_\b(_\b)
+ library functions that just return an error. This is
+ used to implement the _\bn_\bo_\be_\bx_\be_\bc functionality on systems
+ that support LD_PRELOAD or its equivalent. Defaults to
+ _\b/_\bu_\bs_\br_\b/_\bl_\bo_\bc_\ba_\bl_\b/_\bl_\bi_\bb_\be_\bx_\be_\bc_\b/_\bs_\bu_\bd_\bo_\b__\bn_\bo_\be_\bx_\be_\bc_\b._\bs_\bo.
+
+D\bDE\bEB\bBU\bUG\bG F\bFL\bLA\bAG\bGS\bS
+ s\bsu\bud\bdo\bo versions 1.8.4 and higher support a flexible debugging framework
+ that can help track down what s\bsu\bud\bdo\bo is doing internally if there is a
+ problem.
+
+ A Debug line consists of the Debug keyword, followed by the name of the
+ program to debug (s\bsu\bud\bdo\bo, v\bvi\bis\bsu\bud\bdo\bo, s\bsu\bud\bdo\bor\bre\bep\bpl\bla\bay\by), the debug file name and a
+ comma-separated list of debug flags. The debug flag syntax used by
+ s\bsu\bud\bdo\bo and the _\bs_\bu_\bd_\bo_\be_\br_\bs plugin is _\bs_\bu_\bb_\bs_\by_\bs_\bt_\be_\bm@_\bp_\br_\bi_\bo_\br_\bi_\bt_\by but the plugin is
+ free to use a different format so long as it does not include a command
+ ,.
+
+ For instance:
+
+ Debug sudo /var/log/sudo_debug all@warn,plugin@info
+
+ would log all debugging statements at the _\bw_\ba_\br_\bn level and higher in
+ addition to those at the _\bi_\bn_\bf_\bo level for the plugin subsystem.
+
+ Currently, only one Debug entry per program is supported. The sudo
+ Debug entry is shared by the s\bsu\bud\bdo\bo front end, s\bsu\bud\bdo\boe\bed\bdi\bit\bt and the plugins.
+ A future release may add support for per-plugin Debug lines and/or
+ support for multiple debugging files for a single program.
+
+ The priorities used by the s\bsu\bud\bdo\bo front end, in order of decreasing
+ severity, are: _\bc_\br_\bi_\bt, _\be_\br_\br, _\bw_\ba_\br_\bn, _\bn_\bo_\bt_\bi_\bc_\be, _\bd_\bi_\ba_\bg, _\bi_\bn_\bf_\bo, _\bt_\br_\ba_\bc_\be and _\bd_\be_\bb_\bu_\bg.
+ Each priority, when specified, also includes all priorities higher than
+ it. For example, a priority of _\bn_\bo_\bt_\bi_\bc_\be would include debug messages
+ logged at _\bn_\bo_\bt_\bi_\bc_\be and higher.
+
+ The following subsystems are used by s\bsu\bud\bdo\bo:
+
+ _\ba_\bl_\bl matches every subsystem
+
+ _\ba_\br_\bg_\bs command line argument processing
+
+ _\bc_\bo_\bn_\bv user conversation
+
+ _\be_\bd_\bi_\bt sudoedit
+
+ _\be_\bx_\be_\bc command execution
+
+ _\bm_\ba_\bi_\bn s\bsu\bud\bdo\bo main function
+
+ _\bn_\be_\bt_\bi_\bf network interface handling
+
+ _\bp_\bc_\bo_\bm_\bm communication with the plugin
+
+ _\bp_\bl_\bu_\bg_\bi_\bn plugin configuration
+
+ _\bp_\bt_\by pseudo-tty related code
+
+ _\bs_\be_\bl_\bi_\bn_\bu_\bx SELinux-specific handling
+
+ _\bu_\bt_\bi_\bl utility functions
+
+ _\bu_\bt_\bm_\bp utmp handling
+
R\bRE\bET\bTU\bUR\bRN\bN V\bVA\bAL\bLU\bUE\bES\bS
Upon successful execution of a program, the exit status from s\bsu\bud\bdo\bo will
simply be the exit status of the program that was executed.
runs. If a user runs a command such as sudo su or sudo sh, subsequent
commands run from that shell are not subject to s\bsu\bud\bdo\bo's security policy.
The same is true for commands that offer shell escapes (including most
-
-
-
-1.8.0rc1 February 21, 2011 7
-
-
-
-
-
-SUDO(1m) MAINTENANCE COMMANDS SUDO(1m)
-
-
editors). If I/O logging is enabled, subsequent commands will have
their input and/or output logged, but there will not be traditional
logs for those commands. Because of this, care must be taken when
information, please see the PREVENTING SHELL ESCAPES section in
_\bs_\bu_\bd_\bo_\be_\br_\bs(4).
+ To prevent the disclosure of potentially sensitive information, s\bsu\bud\bdo\bo
+ disables core dumps by default while it is executing (they are re-
+ enabled for the command that is run). To aid in debugging s\bsu\bud\bdo\bo
+ crashes, you may wish to re-enable core dumps by setting
+ "disable_coredump" to false in the _\b/_\be_\bt_\bc_\b/_\bs_\bu_\bd_\bo_\b._\bc_\bo_\bn_\bf file.
+
+ Set disable_coredump false
+
+ Note that by default, most operating systems disable core dumps from
+ setuid programs, which includes s\bsu\bud\bdo\bo. To actually get a s\bsu\bud\bdo\bo core file
+ you may need to enable core dumps for setuid processes. On BSD and
+ Linux systems this is accomplished via the sysctl command, on Solaris
+ the coreadm command can be used.
+
E\bEN\bNV\bVI\bIR\bRO\bON\bNM\bME\bEN\bNT\bT
s\bsu\bud\bdo\bo utilizes the following environment variables. The security policy
has control over the content of the command's environment.
SUDO_EDITOR is not set
F\bFI\bIL\bLE\bES\bS
- _\b/_\be_\bt_\bc_\b/_\bs_\bu_\bd_\bo_\b._\bc_\bo_\bn_\bf s\bsu\bud\bdo\bo plugin and path configuration
-
-
-
-1.8.0rc1 February 21, 2011 8
-
-
-
-
-
-SUDO(1m) MAINTENANCE COMMANDS SUDO(1m)
-
+ _\b/_\be_\bt_\bc_\b/_\bs_\bu_\bd_\bo_\b._\bc_\bo_\bn_\bf s\bsu\bud\bdo\bo front end configuration
E\bEX\bXA\bAM\bMP\bPL\bLE\bES\bS
Note: the following examples assume a properly configured security
Todd C. Miller
- See the HISTORY file in the s\bsu\bud\bdo\bo distribution or visit
- http://www.sudo.ws/sudo/history.html for a short history of s\bsu\bud\bdo\bo.
+ See the CONTRIBUTORS file in the s\bsu\bud\bdo\bo distribution
+ (http://www.sudo.ws/sudo/contributors.html) for a list of people who
+ have contributed to s\bsu\bud\bdo\bo.
+
+H\bHI\bIS\bST\bTO\bOR\bRY\bY
+ See the HISTORY file in the s\bsu\bud\bdo\bo distribution
+ (http://www.sudo.ws/sudo/history.html) for a brief history of sudo.
C\bCA\bAV\bVE\bEA\bAT\bTS\bS
There is no easy way to prevent a user from gaining a root shell if
programs (such as editors) allow the user to run commands via shell
escapes, thus avoiding s\bsu\bud\bdo\bo's checks. However, on most systems it is
possible to prevent shell escapes with the _\bs_\bu_\bd_\bo_\be_\br_\bs(4) module's _\bn_\bo_\be_\bx_\be_\bc
-
-
-
-1.8.0rc1 February 21, 2011 9
-
-
-
-
-
-SUDO(1m) MAINTENANCE COMMANDS SUDO(1m)
-
-
functionality.
It is not meaningful to run the cd command directly via sudo, e.g.,
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-1.8.0rc1 February 21, 2011 10
-
-
+1.8.5 March 14, 2012 SUDO(1m)
-.\" Copyright (c) 1994-1996, 1998-2005, 2007-2010
+.\" Copyright (c) 1994-1996, 1998-2005, 2007-2012
.\" Todd C. Miller <Todd.Miller@courtesan.com>
.\"
.\" Permission to use, copy, modify, and distribute this software for any
.\" ========================================================================
.\"
.IX Title "SUDO @mansectsu@"
-.TH SUDO @mansectsu@ "February 21, 2011" "1.8.0rc1" "MAINTENANCE COMMANDS"
+.TH SUDO @mansectsu@ "March 14, 2012" "1.8.5" "MAINTENANCE COMMANDS"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
sudo, sudoedit \- execute a command as another user
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
-\&\fBsudo\fR [\fB\-D\fR\ \fIlevel\fR] \fB\-h\fR | \fB\-K\fR | \fB\-k\fR | \fB\-V\fR
+\&\fBsudo\fR \fB\-h\fR | \fB\-K\fR | \fB\-k\fR | \fB\-V\fR
.PP
\&\fBsudo\fR \fB\-v\fR [\fB\-AknS\fR]
.if \n(BA [\fB\-a\fR\ \fIauth_type\fR]
-[\fB\-D\fR\ \fIlevel\fR]
[\fB\-g\fR\ \fIgroup\ name\fR|\fI#gid\fR] [\fB\-p\fR\ \fIprompt\fR]
[\fB\-u\fR\ \fIuser\ name\fR|\fI#uid\fR]
.PP
\&\fBsudo\fR \fB\-l[l]\fR [\fB\-AknS\fR]
.if \n(BA [\fB\-a\fR\ \fIauth_type\fR]
-[\fB\-D\fR\ \fIlevel\fR]
[\fB\-g\fR\ \fIgroup\ name\fR|\fI#gid\fR] [\fB\-p\fR\ \fIprompt\fR]
[\fB\-U\fR\ \fIuser\ name\fR] [\fB\-u\fR\ \fIuser\ name\fR|\fI#uid\fR] [\fIcommand\fR]
.PP
\&\fBsudo\fR [\fB\-AbEHnPS\fR]
.if \n(BA [\fB\-a\fR\ \fIauth_type\fR]
[\fB\-C\fR\ \fIfd\fR]
-[\fB\-D\fR\ \fIlevel\fR]
.if \n(LC [\fB\-c\fR\ \fIclass\fR|\fI\-\fR]
[\fB\-g\fR\ \fIgroup\ name\fR|\fI#gid\fR] [\fB\-p\fR\ \fIprompt\fR]
.if \n(SL [\fB\-r\fR\ \fIrole\fR] [\fB\-t\fR\ \fItype\fR]
.if \n(BA [\fB\-a\fR\ \fIauth_type\fR]
[\fB\-C\fR\ \fIfd\fR]
.if \n(LC [\fB\-c\fR\ \fIclass\fR|\fI\-\fR]
-[\fB\-D\fR\ \fIlevel\fR]
[\fB\-g\fR\ \fIgroup\ name\fR|\fI#gid\fR] [\fB\-p\fR\ \fIprompt\fR]
[\fB\-u\fR\ \fIuser\ name\fR|\fI#uid\fR] file ...
.SH "DESCRIPTION"
.PP
\&\fBsudo\fR supports a plugin architecture for security policies and
input/output logging. Third parties can develop and distribute
-their own policy and I/O logging modules to work seemlessly with
+their own policy and I/O logging modules to work seamlessly with
the \fBsudo\fR front end. The default security policy is \fIsudoers\fR,
which is configured via the file \fI@sysconfdir@/sudoers\fR, or via
\&\s-1LDAP\s0. See the \s-1PLUGINS\s0 section for more information.
as root, or the \fBsudo\fR command must be run from a shell that is already
root. This option is only available on systems with \s-1BSD\s0 login classes.
\}
-.IP "\-D \fIlevel\fR" 12
-.IX Item "-D level"
-Enable debugging of \fBsudo\fR plugins and \fBsudo\fR itself. The \fIlevel\fR
-may be a value from 1 through 9.
.IP "\-E" 12
.IX Item "-E"
The \fB\-E\fR (\fIpreserve\fR \fIenvironment\fR) option indicates to the
-security policy that the uses wishes to preserve their existing
+security policy that the user wishes to preserve their existing
environment variables. The security policy may return an error if
the \fB\-E\fR option is specified and the user does not have permission
to preserve the environment.
\&\fBsudo\fR attempts to change to that user's home directory before
running the shell. The security policy shall initialize the
environment to a minimal set of variables, similar to what is present
-when a user logs in.
+when a user logs in. The \fICommand Environment\fR section in the
+\&\fIsudoers\fR\|(@mansectform@) manual documents how the \fB\-i\fR option affects the
+environment in which a command is run when the \fIsudoers\fR policy
+is in use.
.IP "\-K" 12
.IX Item "-K"
The \fB\-K\fR (sure \fIkill\fR) option is like \fB\-k\fR except that it removes
variables with one important exception. If the \fIsetenv\fR option
is set in \fIsudoers\fR, the command to be run has the \f(CW\*(C`SETENV\*(C'\fR tag
set or the command matched is \f(CW\*(C`ALL\*(C'\fR, the user may set variables
-that would overwise be forbidden. See \fIsudoers\fR\|(@mansectform@) for more information.
+that would otherwise be forbidden. See \fIsudoers\fR\|(@mansectform@) for more information.
.SH "PLUGINS"
.IX Header "PLUGINS"
Plugins are dynamically loaded based on the contents of the
\& # Default @sysconfdir@/sudo.conf file
\& #
\& # Format:
-\& # Plugin plugin_name plugin_path
-\& # Path askpass path/to/askpass
+\& # Plugin plugin_name plugin_path plugin_args ...
+\& # Path askpass /path/to/askpass
+\& # Path noexec /path/to/sudo_noexec.so
+\& # Debug sudo /var/log/sudo_debug all@warn
+\& # Set disable_coredump true
\& #
\& # The plugin_path is relative to @prefix@/libexec unless
\& # fully qualified.
\& # The plugin_name corresponds to a global symbol in the plugin
\& # that contains the plugin interface structure.
+\& # The plugin_args are optional.
\& #
\& Plugin policy_plugin sudoers.so
\& Plugin io_plugin sudoers.so
or \f(CW\*(C`struct io_plugin\*(C'\fR in the plugin shared object. The \fIpath\fR
may be fully qualified or relative. If not fully qualified it is
relative to the \fI@prefix@/libexec\fR directory. Any additional
-parameters after the \fIpath\fR are ignored. Lines that don't begin
-with \f(CW\*(C`Plugin\*(C'\fR or \f(CW\*(C`Path\*(C'\fR are silently ignored
+parameters after the \fIpath\fR are passed as arguments to the plugin's
+\&\fIopen\fR function. Lines that don't begin with \f(CW\*(C`Plugin\*(C'\fR, \f(CW\*(C`Path\*(C'\fR,
+\&\f(CW\*(C`Debug\*(C'\fR or \f(CW\*(C`Set\*(C'\fR are silently ignored.
.PP
For more information, see the \fIsudo_plugin\fR\|(@mansectsu@) manual.
+.SH "PATHS"
+.IX Header "PATHS"
+A \f(CW\*(C`Path\*(C'\fR line consists of the \f(CW\*(C`Path\*(C'\fR keyword, followed by the
+name of the path to set and its value. E.g.
+.PP
+.Vb 2
+\& Path noexec @noexec_file@
+\& Path askpass /usr/X11R6/bin/ssh\-askpass
+.Ve
+.PP
+The following plugin-agnostic paths may be set in the
+\&\fI@sysconfdir@/sudo.conf\fR file.
+.IP "askpass" 16
+.IX Item "askpass"
+The fully qualified path to a helper program used to read the user's
+password when no terminal is available. This may be the case when
+\&\fBsudo\fR is executed from a graphical (as opposed to text-based)
+application. The program specified by \fIaskpass\fR should display
+the argument passed to it as the prompt and write the user's password
+to the standard output. The value of \fIaskpass\fR may be overridden
+by the \f(CW\*(C`SUDO_ASKPASS\*(C'\fR environment variable.
+.IP "noexec" 16
+.IX Item "noexec"
+The fully-qualified path to a shared library containing dummy
+versions of the \fIexecv()\fR, \fIexecve()\fR and \fIfexecve()\fR library functions
+that just return an error. This is used to implement the \fInoexec\fR
+functionality on systems that support \f(CW\*(C`LD_PRELOAD\*(C'\fR or its equivalent.
+Defaults to \fI@noexec_file@\fR.
+.SH "DEBUG FLAGS"
+.IX Header "DEBUG FLAGS"
+\&\fBsudo\fR versions 1.8.4 and higher support a flexible debugging
+framework that can help track down what \fBsudo\fR is doing internally
+if there is a problem.
+.PP
+A \f(CW\*(C`Debug\*(C'\fR line consists of the \f(CW\*(C`Debug\*(C'\fR keyword, followed by the
+name of the program to debug (\fBsudo\fR, \fBvisudo\fR, \fBsudoreplay\fR),
+the debug file name and a comma-separated list of debug flags.
+The debug flag syntax used by \fBsudo\fR and the \fIsudoers\fR plugin is
+\&\fIsubsystem\fR@\fIpriority\fR but the plugin is free to use a different
+format so long as it does not include a command \f(CW\*(C`,\*(C'\fR.
+.PP
+For instance:
+.PP
+.Vb 1
+\& Debug sudo /var/log/sudo_debug all@warn,plugin@info
+.Ve
+.PP
+would log all debugging statements at the \fIwarn\fR level and higher
+in addition to those at the \fIinfo\fR level for the plugin subsystem.
+.PP
+Currently, only one \f(CW\*(C`Debug\*(C'\fR entry per program is supported. The
+\&\f(CW\*(C`sudo\*(C'\fR \f(CW\*(C`Debug\*(C'\fR entry is shared by the \fBsudo\fR front end, \fBsudoedit\fR
+and the plugins. A future release may add support for per-plugin
+\&\f(CW\*(C`Debug\*(C'\fR lines and/or support for multiple debugging files for a
+single program.
+.PP
+The priorities used by the \fBsudo\fR front end, in order of decreasing
+severity, are: \fIcrit\fR, \fIerr\fR, \fIwarn\fR, \fInotice\fR, \fIdiag\fR, \fIinfo\fR,
+\&\fItrace\fR and \fIdebug\fR. Each priority, when specified, also includes
+all priorities higher than it. For example, a priority of \fInotice\fR
+would include debug messages logged at \fInotice\fR and higher.
+.PP
+The following subsystems are used by \fBsudo\fR:
+.IP "\fIall\fR" 10
+.IX Item "all"
+matches every subsystem
+.IP "\fIargs\fR" 10
+.IX Item "args"
+command line argument processing
+.IP "\fIconv\fR" 10
+.IX Item "conv"
+user conversation
+.IP "\fIedit\fR" 10
+.IX Item "edit"
+sudoedit
+.IP "\fIexec\fR" 10
+.IX Item "exec"
+command execution
+.IP "\fImain\fR" 10
+.IX Item "main"
+\&\fBsudo\fR main function
+.IP "\fInetif\fR" 10
+.IX Item "netif"
+network interface handling
+.IP "\fIpcomm\fR" 10
+.IX Item "pcomm"
+communication with the plugin
+.IP "\fIplugin\fR" 10
+.IX Item "plugin"
+plugin configuration
+.IP "\fIpty\fR" 10
+.IX Item "pty"
+pseudo-tty related code
+.IP "\fIselinux\fR" 10
+.IX Item "selinux"
+SELinux-specific handling
+.IP "\fIutil\fR" 10
+.IX Item "util"
+utility functions
+.IP "\fIutmp\fR" 10
+.IX Item "utmp"
+utmp handling
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
Upon successful execution of a program, the exit status from \fBsudo\fR
commands via \fBsudo\fR to verify that the command does not inadvertently
give the user an effective root shell. For more information, please
see the \f(CW\*(C`PREVENTING SHELL ESCAPES\*(C'\fR section in \fIsudoers\fR\|(@mansectform@).
+.PP
+To prevent the disclosure of potentially sensitive information,
+\&\fBsudo\fR disables core dumps by default while it is executing (they
+are re-enabled for the command that is run). To aid in debugging
+\&\fBsudo\fR crashes, you may wish to re-enable core dumps by setting
+\&\*(L"disable_coredump\*(R" to false in the \fI@sysconfdir@/sudo.conf\fR file.
+.PP
+.Vb 1
+\& Set disable_coredump false
+.Ve
+.PP
+Note that by default, most operating systems disable core dumps
+from setuid programs, which includes \fBsudo\fR. To actually get a
+\&\fBsudo\fR core file you may need to enable core dumps for setuid
+processes. On \s-1BSD\s0 and Linux systems this is accomplished via the
+sysctl command, on Solaris the coreadm command can be used.
.SH "ENVIRONMENT"
.IX Header "ENVIRONMENT"
\&\fBsudo\fR utilizes the following environment variables. The security
.ie n .IP "\fI@sysconfdir@/sudo.conf\fR" 24
.el .IP "\fI@sysconfdir@/sudo.conf\fR" 24
.IX Item "@sysconfdir@/sudo.conf"
-\&\fBsudo\fR plugin and path configuration
+\&\fBsudo\fR front end configuration
.SH "EXAMPLES"
.IX Header "EXAMPLES"
Note: the following examples assume a properly configured security policy.
\& Todd C. Miller
.Ve
.PP
-See the \s-1HISTORY\s0 file in the \fBsudo\fR distribution or visit
-http://www.sudo.ws/sudo/history.html for a short history
-of \fBsudo\fR.
+See the \s-1CONTRIBUTORS\s0 file in the \fBsudo\fR distribution
+(http://www.sudo.ws/sudo/contributors.html) for a list of people
+who have contributed to \fBsudo\fR.
+.SH "HISTORY"
+.IX Header "HISTORY"
+See the \s-1HISTORY\s0 file in the \fBsudo\fR distribution
+(http://www.sudo.ws/sudo/history.html) for a brief history of sudo.
.SH "CAVEATS"
.IX Header "CAVEATS"
There is no easy way to prevent a user from gaining a root shell
+SUDO_PLUGIN(1m) MAINTENANCE COMMANDS SUDO_PLUGIN(1m)
-SUDO_PLUGIN(1m) MAINTENANCE COMMANDS SUDO_PLUGIN(1m)
-
-
N\bNA\bAM\bME\bE
sudo_plugin - Sudo Plugin API
io_plugin in the plugin shared object. The _\bp_\ba_\bt_\bh may be fully qualified
or relative. If not fully qualified it is relative to the
_\b/_\bu_\bs_\br_\b/_\bl_\bo_\bc_\ba_\bl_\b/_\bl_\bi_\bb_\be_\bx_\be_\bc directory. Any additional parameters after the _\bp_\ba_\bt_\bh
- are ignored. Lines that don't begin with Plugin or Path are silently
- ignored.
+ are passed as arguments to the plugin's _\bo_\bp_\be_\bn function. Lines that
+ don't begin with Plugin, Path, Debug or Set are silently ignored.
The same shared object may contain multiple plugins, each with a
different symbol name. The shared object file must be owned by uid 0
# Default /etc/sudo.conf file
#
# Format:
- # Plugin plugin_name plugin_path
+ # Plugin plugin_name plugin_path optional_args
# Path askpass /path/to/askpass
+ # Path noexec /path/to/sudo_noexec.so
+ # Debug sudo /var/log/sudo_debug all@warn
+ # Set disable_coredump true
#
# The plugin_path is relative to /usr/local/libexec unless
# fully qualified.
# The plugin_name corresponds to a global symbol in the plugin
# that contains the plugin interface structure.
+ # The plugin_args are optional.
#
Plugin sudoers_policy sudoers.so
Plugin sudoers_io sudoers.so
-
-
-
-1.8.0rc1 February 21, 2011 1
-
-
-
-
-
-SUDO_PLUGIN(1m) MAINTENANCE COMMANDS SUDO_PLUGIN(1m)
-
-
P\bPo\bol\bli\bic\bcy\by P\bPl\blu\bug\bgi\bin\bn A\bAP\bPI\bI
A policy plugin must declare and populate a policy_plugin struct in the
global scope. This structure contains pointers to the functions that
unsigned int version; /* always SUDO_API_VERSION */
int (*open)(unsigned int version, sudo_conv_t conversation,
sudo_printf_t plugin_printf, char * const settings[],
- char * const user_info[], char * const user_env[]);
+ char * const user_info[], char * const user_env[],
+ char * const plugin_args[]);
void (*close)(int exit_status, int error);
int (*show_version)(int verbose);
int (*check_policy)(int argc, char * const argv[],
int (*validate)(void);
void (*invalidate)(int remove);
int (*init_session)(struct passwd *pwd);
+ void (*register_hooks)(int version,
+ int (*register_hook)(struct sudo_hook *hook));
+ void (*deregister_hooks)(int version,
+ int (*deregister_hook)(struct sudo_hook *hook));
};
The policy_plugin struct has the following fields:
open
int (*open)(unsigned int version, sudo_conv_t conversation,
sudo_printf_t plugin_printf, char * const settings[],
- char * const user_info[], char * const user_env[]);
+ char * const user_info[], char * const user_env[],
+ char * const plugin_args[]);
Returns 1 on success, 0 on failure, -1 if a general error occurred,
or -2 if there was a usage error. In the latter case, s\bsu\bud\bdo\bo will
version
The version passed in by s\bsu\bud\bdo\bo allows the plugin to determine
the major and minor version number of the plugin API supported
-
-
-
-1.8.0rc1 February 21, 2011 2
-
-
-
-
-
-SUDO_PLUGIN(1m) MAINTENANCE COMMANDS SUDO_PLUGIN(1m)
-
-
by s\bsu\bud\bdo\bo.
conversation
equal sign ('=') since the _\bn_\ba_\bm_\be field will never include one
itself but the _\bv_\ba_\bl_\bu_\be might.
+ debug_flags=string
+ A comma-separated list of debug flags that correspond to
+ s\bsu\bud\bdo\bo's Debug entry in _\b/_\be_\bt_\bc_\b/_\bs_\bu_\bd_\bo_\b._\bc_\bo_\bn_\bf, if there is one. The
+ flags are passed to the plugin as they appear in
+ _\b/_\be_\bt_\bc_\b/_\bs_\bu_\bd_\bo_\b._\bc_\bo_\bn_\bf. The syntax used by s\bsu\bud\bdo\bo and the _\bs_\bu_\bd_\bo_\be_\br_\bs
+ plugin is _\bs_\bu_\bb_\bs_\by_\bs_\bt_\be_\bm@_\bp_\br_\bi_\bo_\br_\bi_\bt_\by but the plugin is free to use
+ a different format so long as it does not include a command
+ ,.
+
+ For reference, the priorities supported by the s\bsu\bud\bdo\bo front
+ end and _\bs_\bu_\bd_\bo_\be_\br_\bs are: _\bc_\br_\bi_\bt, _\be_\br_\br, _\bw_\ba_\br_\bn, _\bn_\bo_\bt_\bi_\bc_\be, _\bd_\bi_\ba_\bg, _\bi_\bn_\bf_\bo,
+ _\bt_\br_\ba_\bc_\be and _\bd_\be_\bb_\bu_\bg.
+
+ The following subsystems are defined: _\bm_\ba_\bi_\bn, _\bm_\be_\bm_\bo_\br_\by, _\ba_\br_\bg_\bs,
+ _\be_\bx_\be_\bc, _\bp_\bt_\by, _\bu_\bt_\bm_\bp, _\bc_\bo_\bn_\bv, _\bp_\bc_\bo_\bm_\bm, _\bu_\bt_\bi_\bl, _\bl_\bi_\bs_\bt, _\bn_\be_\bt_\bi_\bf, _\ba_\bu_\bd_\bi_\bt,
+ _\be_\bd_\bi_\bt, _\bs_\be_\bl_\bi_\bn_\bu_\bx, _\bl_\bd_\ba_\bp, _\bm_\ba_\bt_\bc_\bh, _\bp_\ba_\br_\bs_\be_\br, _\ba_\bl_\bi_\ba_\bs, _\bd_\be_\bf_\ba_\bu_\bl_\bt_\bs, _\ba_\bu_\bt_\bh,
+ _\be_\bn_\bv, _\bl_\bo_\bg_\bg_\bi_\bn_\bg, _\bn_\bs_\bs, _\br_\bb_\bt_\br_\be_\be, _\bp_\be_\br_\bm_\bs, _\bp_\bl_\bu_\bg_\bi_\bn. The subsystem
+ _\ba_\bl_\bl includes every subsystem.
+
+ There is not currently a way to specify a set of debug
+ flags specific to the plugin--the flags are shared by s\bsu\bud\bdo\bo
+ and the plugin.
+
debug_level=number
- A numeric debug level, from 1-9, if specified via the -D
- flag.
+ This setting has been deprecated in favor of _\bd_\be_\bb_\bu_\bg_\b__\bf_\bl_\ba_\bg_\bs.
runas_user=string
The user name or uid to to run the command as, if specified
Set to true if the user specified the -E flag, indicating
that the user wishes to preserve the environment.
+ run_shell=bool
+ Set to true if the user specified the -s flag, indicating
+ that the user wishes to run a shell.
+
login_shell=bool
Set to true if the user specified the -i flag, indicating
that the user wishes to run a login shell.
implied_shell=bool
If the user does not specify a program on the command line,
-
-
-
-1.8.0rc1 February 21, 2011 3
-
-
-
-
-
-SUDO_PLUGIN(1m) MAINTENANCE COMMANDS SUDO_PLUGIN(1m)
-
-
s\bsu\bud\bdo\bo will pass the plugin the path to the user's shell and
set _\bi_\bm_\bp_\bl_\bi_\be_\bd_\b__\bs_\bh_\be_\bl_\bl to true. This allows s\bsu\bud\bdo\bo with no
arguments to be used similarly to _\bs_\bu(1). If the plugin
sudoedit=bool
Set to true when the -e flag is is specified or if invoked
as s\bsu\bud\bdo\boe\bed\bdi\bit\bt. The plugin shall substitute an editor into
-
-
-
-1.8.0rc1 February 21, 2011 4
-
-
-
-
-
-SUDO_PLUGIN(1m) MAINTENANCE COMMANDS SUDO_PLUGIN(1m)
-
-
_\ba_\br_\bg_\bv in the _\bc_\bh_\be_\bc_\bk_\b__\bp_\bo_\bl_\bi_\bc_\by function or return -2 with a usage
error if the plugin does not support _\bs_\bu_\bd_\bo_\be_\bd_\bi_\bt. For more
information, see the _\bc_\bh_\be_\bc_\bk_\b__\bp_\bo_\bl_\bi_\bc_\by section.
cols=int
The number of columns the user's terminal supports. If
-
-
-
-1.8.0rc1 February 21, 2011 5
-
-
-
-
-
-SUDO_PLUGIN(1m) MAINTENANCE COMMANDS SUDO_PLUGIN(1m)
-
-
there is no terminal device available, a default value of
80 is used.
equal sign ('=') since the _\bn_\ba_\bm_\be field will never include one
itself but the _\bv_\ba_\bl_\bu_\be might.
+ plugin_args
+ Any (non-comment) strings immediately after the plugin path are
+ treated as arguments to the plugin. These arguments are split
+ on a whitespace boundary and are passed to the plugin in the
+ form of a NULL-terminated array of strings. If no arguments
+ were specified, _\bp_\bl_\bu_\bg_\bi_\bn_\b__\ba_\br_\bg_\bs will be the NULL pointer.
+
+ NOTE: the _\bp_\bl_\bu_\bg_\bi_\bn_\b__\ba_\br_\bg_\bs parameter is only available starting with
+ API version 1.2. A plugin m\bmu\bus\bst\bt check the API version specified
+ by the s\bsu\bud\bdo\bo front end before using _\bp_\bl_\bu_\bg_\bi_\bn_\b__\ba_\br_\bg_\bs. Failure to do
+ so may result in a crash.
+
close
void (*close)(int exit_status, int error);
with the user's credentials instead of with elevated privileges.
s\bsu\bud\bdo\bo achieves this by creating user-writable temporary copies of
the files to be edited and then overwriting the originals with the
-
-
-
-1.8.0rc1 February 21, 2011 6
-
-
-
-
-
-SUDO_PLUGIN(1m) MAINTENANCE COMMANDS SUDO_PLUGIN(1m)
-
-
temporary copies after editing is complete. If the plugin supports
s\bsu\bud\bdo\boe\bed\bdi\bit\bt, it should choose the editor to be used, potentially from
a variable in the user's environment, such as EDITOR, and include
runas_uid=uid
User ID to run the command as.
-
-
-
-1.8.0rc1 February 21, 2011 7
-
-
-
-
-
-SUDO_PLUGIN(1m) MAINTENANCE COMMANDS SUDO_PLUGIN(1m)
-
-
runas_euid=uid
Effective user ID to run the command as. If not specified,
the value of _\br_\bu_\bn_\ba_\bs_\b__\bu_\bi_\bd is used.
the form of a comma-separated list of group IDs. If
_\bp_\br_\be_\bs_\be_\br_\bv_\be_\b__\bg_\br_\bo_\bu_\bp_\bs is set, this option is ignored.
- login_class=login_class
+ login_class=string
BSD login class to use when setting resource limits and
nice value (optional). This option is only set on systems
that support login classes.
Command timeout. If non-zero then when the timeout expires
the command will be killed.
-
-
-
-
-1.8.0rc1 February 21, 2011 8
-
-
-
-
-
-SUDO_PLUGIN(1m) MAINTENANCE COMMANDS SUDO_PLUGIN(1m)
-
-
sudoedit=bool
Set to true when in _\bs_\bu_\bd_\bo_\be_\bd_\bi_\bt mode. The plugin may enable
_\bs_\bu_\bd_\bo_\be_\bd_\bi_\bt mode even if s\bsu\bud\bdo\bo was not invoked as s\bsu\bud\bdo\boe\bed\bdi\bit\bt.
screen, not output to a pipe or file. This is a hint to
the I/O logging plugin which may choose to ignore it.
-
-
-
-
-1.8.0rc1 February 21, 2011 9
-
-
-
-
-
-SUDO_PLUGIN(1m) MAINTENANCE COMMANDS SUDO_PLUGIN(1m)
-
-
use_pty=bool
Allocate a pseudo-tty to run the command in, regardless of
whether or not I/O logging is in use. By default, s\bsu\bud\bdo\bo
will only run the command in a pty when an I/O log plugin
is loaded.
+ set_utmp=bool
+ Create a utmp (or utmpx) entry when a pseudo-tty is
+ allocated. By default, the new entry will be a copy of the
+ user's existing utmp entry (if any), with the tty, time,
+ type and pid fields updated.
+
+ utmp_user=string
+ User name to use when constructing a new utmp (or utmpx)
+ entry when _\bs_\be_\bt_\b__\bu_\bt_\bm_\bp is enabled. This option can be used to
+ set the user field in the utmp entry to the user the
+ command runs as rather than the invoking user. If not set,
+ s\bsu\bud\bdo\bo will base the new entry on the invoking user's
+ existing entry.
+
Unsupported values will be ignored.
argv_out
validate
int (*validate)(void);
-
-
-
-1.8.0rc1 February 21, 2011 10
-
-
-
-
-
-SUDO_PLUGIN(1m) MAINTENANCE COMMANDS SUDO_PLUGIN(1m)
-
-
The validate function is called when s\bsu\bud\bdo\bo is run with the -v flag.
For policy plugins such as _\bs_\bu_\bd_\bo_\be_\br_\bs that cache authentication
credentials, this function will validate and cache the credentials.
function with SUDO_CONF_ERROR_MSG to present additional error
information to the user.
- _\bV_\be_\br_\bs_\bi_\bo_\bn _\bm_\ba_\bc_\br_\bo_\bs
+ register_hooks
+ void (*register_hooks)(int version,
+ int (*register_hook)(struct sudo_hook *hook));
- #define SUDO_API_VERSION_GET_MAJOR(v) ((v) >> 16)
- #define SUDO_API_VERSION_GET_MINOR(v) ((v) & 0xffff)
- #define SUDO_API_VERSION_SET_MAJOR(vp, n) do { \
- *(vp) = (*(vp) & 0x0000ffff) | ((n) << 16); \
- } while(0)
- #define SUDO_VERSION_SET_MINOR(vp, n) do { \
- *(vp) = (*(vp) & 0xffff0000) | (n); \
- } while(0)
+ The register_hooks function is called by the sudo front end to
+ register any hooks the plugin needs. If the plugin does not
+ support hooks, register_hooks should be set to the NULL pointer.
- #define SUDO_API_VERSION_MAJOR 1
+ The _\bv_\be_\br_\bs_\bi_\bo_\bn argument describes the version of the hooks API
+ supported by the s\bsu\bud\bdo\bo front end.
+ The register_hook function should be used to register any suppored
+ hooks the plugin needs. It returns 0 on success, 1 if the hook
+ type is not supported and -1 if the major version in struct hook
+ does not match the front end's major hook API version.
+ See the "Hook Function API" section below for more information
+ about hooks.
-1.8.0rc1 February 21, 2011 11
+ NOTE: the register_hooks function is only available starting with
+ API version 1.2. If the s\bsu\bud\bdo\bo front end doesn't support API version
+ 1.2 or higher, register_hooks will not be called.
+ deregister_hooks
+ void (*deregister_hooks)(int version,
+ int (*deregister_hook)(struct sudo_hook *hook));
+ The deregister_hooks function is called by the sudo front end to
+ deregister any hooks the plugin has registered. If the plugin does
+ not support hooks, deregister_hooks should be set to the NULL
+ pointer.
+ The _\bv_\be_\br_\bs_\bi_\bo_\bn argument describes the version of the hooks API
+ supported by the s\bsu\bud\bdo\bo front end.
+ The deregister_hook function should be used to deregister any hooks
+ that were put in place by the register_hook function. If the
+ plugin tries to deregister a hook that the front end does not
+ support, deregister_hook will return an error.
-SUDO_PLUGIN(1m) MAINTENANCE COMMANDS SUDO_PLUGIN(1m)
+ See the "Hook Function API" section below for more information
+ about hooks.
+ NOTE: the deregister_hooks function is only available starting with
+ API version 1.2. If the s\bsu\bud\bdo\bo front end doesn't support API version
+ 1.2 or higher, deregister_hooks will not be called.
- #define SUDO_API_VERSION_MINOR 0
- #define SUDO_API_VERSION ((SUDO_API_VERSION_MAJOR << 16) | \
- SUDO_API_VERSION_MINOR)
+ _\bP_\bo_\bl_\bi_\bc_\by _\bP_\bl_\bu_\bg_\bi_\bn _\bV_\be_\br_\bs_\bi_\bo_\bn _\bM_\ba_\bc_\br_\bo_\bs
+
+ /* Plugin API version major/minor. */
+ #define SUDO_API_VERSION_MAJOR 1
+ #define SUDO_API_VERSION_MINOR 2
+ #define SUDO_API_MKVERSION(x, y) ((x << 16) | y)
+ #define SUDO_API_VERSION SUDO_API_MKVERSION(SUDO_API_VERSION_MAJOR,\
+ SUDO_API_VERSION_MINOR)
+
+ /* Getters and setters for API version */
+ #define SUDO_API_VERSION_GET_MAJOR(v) ((v) >> 16)
+ #define SUDO_API_VERSION_GET_MINOR(v) ((v) & 0xffff)
+ #define SUDO_API_VERSION_SET_MAJOR(vp, n) do { \
+ *(vp) = (*(vp) & 0x0000ffff) | ((n) << 16); \
+ } while(0)
+ #define SUDO_VERSION_SET_MINOR(vp, n) do { \
+ *(vp) = (*(vp) & 0xffff0000) | (n); \
+ } while(0)
I\bI/\b/O\bO P\bPl\blu\bug\bgi\bin\bn A\bAP\bPI\bI
struct io_plugin {
int (*open)(unsigned int version, sudo_conv_t conversation
sudo_printf_t plugin_printf, char * const settings[],
char * const user_info[], int argc, char * const argv[],
- char * const user_env[]);
+ char * const user_env[], char * const plugin_args[]);
void (*close)(int exit_status, int error); /* wait status or error */
int (*show_version)(int verbose);
int (*log_ttyin)(const char *buf, unsigned int len);
int (*log_stdin)(const char *buf, unsigned int len);
int (*log_stdout)(const char *buf, unsigned int len);
int (*log_stderr)(const char *buf, unsigned int len);
+ void (*register_hooks)(int version,
+ int (*register_hook)(struct sudo_hook *hook));
+ void (*deregister_hooks)(int version,
+ int (*deregister_hook)(struct sudo_hook *hook));
};
When an I/O plugin is loaded, s\bsu\bud\bdo\bo runs the command in a pseudo-tty.
against.
open
-
-
-
-
-
-1.8.0rc1 February 21, 2011 12
-
-
-
-
-
-SUDO_PLUGIN(1m) MAINTENANCE COMMANDS SUDO_PLUGIN(1m)
-
-
int (*open)(unsigned int version, sudo_conv_t conversation
sudo_printf_t plugin_printf, char * const settings[],
char * const user_info[], int argc, char * const argv[],
- char * const user_env[]);
+ char * const user_env[], char * const plugin_args[]);
The _\bo_\bp_\be_\bn function is run before the _\bl_\bo_\bg_\b__\bi_\bn_\bp_\bu_\bt, _\bl_\bo_\bg_\b__\bo_\bu_\bt_\bp_\bu_\bt or
_\bs_\bh_\bo_\bw_\b__\bv_\be_\br_\bs_\bi_\bo_\bn functions are called. It is only called if the
user_info
A vector of information about the user running the command in
the form of "name=value" strings. The vector is terminated by
-
-
-
-1.8.0rc1 February 21, 2011 13
-
-
-
-
-
-SUDO_PLUGIN(1m) MAINTENANCE COMMANDS SUDO_PLUGIN(1m)
-
-
a NULL pointer.
When parsing _\bu_\bs_\be_\br_\b__\bi_\bn_\bf_\bo, the plugin should split on the f\bfi\bir\brs\bst\bt
equal sign ('=') since the _\bn_\ba_\bm_\be field will never include one
itself but the _\bv_\ba_\bl_\bu_\be might.
+ plugin_args
+ Any (non-comment) strings immediately after the plugin path are
+ treated as arguments to the plugin. These arguments are split
+ on a whitespace boundary and are passed to the plugin in the
+ form of a NULL-terminated array of strings. If no arguments
+ were specified, _\bp_\bl_\bu_\bg_\bi_\bn_\b__\ba_\br_\bg_\bs will be the NULL pointer.
+
+ NOTE: the _\bp_\bl_\bu_\bg_\bi_\bn_\b__\ba_\br_\bg_\bs parameter is only available starting with
+ API version 1.2. A plugin m\bmu\bus\bst\bt check the API version specified
+ by the s\bsu\bud\bdo\bo front end before using _\bp_\bl_\bu_\bg_\bi_\bn_\b__\ba_\br_\bg_\bs. Failure to do
+ so may result in a crash.
+
close
void (*close)(int exit_status, int error);
SUDO_CONV_INFO_MSG. If the user requests detailed version
information, the verbose flag will be set.
-
-
-
-
-1.8.0rc1 February 21, 2011 14
-
-
-
-
-
-SUDO_PLUGIN(1m) MAINTENANCE COMMANDS SUDO_PLUGIN(1m)
-
-
log_ttyin
int (*log_ttyin)(const char *buf, unsigned int len);
The _\bl_\bo_\bg_\b__\bs_\bt_\bd_\bo_\bu_\bt function is only used if the standard output does
not correspond to a tty device. It is called whenever data can be
-
-
-
-1.8.0rc1 February 21, 2011 15
-
-
-
-
-
-SUDO_PLUGIN(1m) MAINTENANCE COMMANDS SUDO_PLUGIN(1m)
-
-
read from the command but before it is written to the standard
output. This allows the plugin to reject data if it chooses to
(for instance if the output contains banned content). Returns 1 if
len The length of _\bb_\bu_\bf in bytes.
- _\bV_\be_\br_\bs_\bi_\bo_\bn _\bm_\ba_\bc_\br_\bo_\bs
-
- Same as for the "Policy Plugin API".
-
- C\bCo\bon\bnv\bve\ber\brs\bsa\bat\bti\bio\bon\bn A\bAP\bPI\bI
- If the plugin needs to interact with the user, it may do so via the
- conversation function. A plugin should not attempt to read directly
- from the standard input or the user's tty (neither of which are
- guaranteed to exist). The caller must include a trailing newline in
- msg if one is to be printed.
-
- A printf-style function is also available that can be used to display
- informational or error messages to the user, which is usually more
- convenient for simple messages where no use input is required.
-
-
-
-
-
-
+ register_hooks
+ See the "Policy Plugin API" section for a description of
+ register_hooks.
+ deregister_hooks
+ See the "Policy Plugin API" section for a description of
+ deregister_hooks.
+ _\bI_\b/_\bO _\bP_\bl_\bu_\bg_\bi_\bn _\bV_\be_\br_\bs_\bi_\bo_\bn _\bM_\ba_\bc_\br_\bo_\bs
+ Same as for the "Policy Plugin API".
+ H\bHo\boo\bok\bk F\bFu\bun\bnc\bct\bti\bio\bon\bn A\bAP\bPI\bI
+ Beginning with plugin API version 1.2, it is possible to install hooks
+ for certain functions called by the s\bsu\bud\bdo\bo front end.
+ Currently, the only supported hooks relate to the handling of
+ environment variables. Hooks can be used to intercept attempts to get,
+ set, or remove environment variables so that these changes can be
+ reflected in the version of the environment that is used to execute a
+ command. A future version of the API will support hooking internal
+ s\bsu\bud\bdo\bo front end functions as well.
+ Environment-related hooks are disabled prior to the execution of the
+ init_session policy plugin function (if any). This is necessary
+ because init_session has no way of passing back a modified environment
+ pointer. However, since the user environment specified by the
+ check_policy function is already in place, there should be no need to
+ hook the environment functions at that time.
+ _\bH_\bo_\bo_\bk _\bs_\bt_\br_\bu_\bc_\bt_\bu_\br_\be
-1.8.0rc1 February 21, 2011 16
+ Hooks in s\bsu\bud\bdo\bo are described by the following structure:
+ typedef int (*sudo_hook_fn_t)();
+ struct sudo_hook {
+ int hook_version;
+ int hook_type;
+ sudo_hook_fn_t hook_fn;
+ void *closure;
+ };
+ The sudo_hook structure has the following fields:
+ hook_version
+ The hook_version field should be set to SUDO_HOOK_VERSION.
+
+ hook_type
+ The hook_type field may be one of the following supported hook
+ types:
+
+ SUDO_HOOK_SETENV
+ The C library setenv() function. Any registered hooks will run
+ before the C library implementation. The hook_fn field should
+ be a function that matches the following typedef:
+
+ typedef int (*sudo_hook_fn_setenv_t)(const char *name,
+ const char *value, int overwrite, void *closure);
+
+ If the registered hook does not match the typedef the results
+ are unspecified.
+
+ SUDO_HOOK_UNSETENV
+ The C library unsetenv() function. Any registered hooks will
+ run before the C library implementation. The hook_fn field
+ should be a function that matches the following typedef:
+
+ typedef int (*sudo_hook_fn_unsetenv_t)(const char *name,
+ void *closure);
+
+ SUDO_HOOK_GETENV
+ The C library getenv() function. Any registered hooks will run
+ before the C library implementation. The hook_fn field should
+ be a function that matches the following typedef:
+
+ typedef int (*sudo_hook_fn_getenv_t)(const char *name,
+ char **value, void *closure);
+
+ If the registered hook does not match the typedef the results
+ are unspecified.
+
+ SUDO_HOOK_PUTENV
+ The C library putenv() function. Any registered hooks will run
+ before the C library implementation. The hook_fn field should
+ be a function that matches the following typedef:
+
+ typedef int (*sudo_hook_fn_putenv_t)(char *string,
+ void *closure);
+
+ If the registered hook does not match the typedef the results
+ are unspecified.
+
+ hook_fn
+ sudo_hook_fn_t hook_fn;
+
+ The hook_fn field should be set to the plugin's hook
+ implementation. The actual function arguments will vary depending
+ on the hook_type (see hook_type above). In all cases, the closure
+ field of struct sudo_hook is passed as the last function parameter.
+ This can be used to pass arbitrary data to the plugin's hook
+ implementation.
+
+ The function return value may be one of the following:
+
+ SUDO_HOOK_RET_ERROR
+ The hook function encountered an error.
+
+ SUDO_HOOK_RET_NEXT
+ The hook completed without error, go on to the next hook
+ (including the native implementation if applicable). For
+ example, a getenv hook might return SUDO_HOOK_RET_NEXT if the
+ specified variable was not found in the private copy of the
+ environment.
+
+ SUDO_HOOK_RET_STOP
+ The hook completed without error, stop processing hooks for
+ this invocation. This can be used to replace the native
+ implementation. For example, a setenv hook that operates on a
+ private copy of the environment but leaves environ unchanged.
+
+ Note that it is very easy to create an infinite loop when hooking C
+ library functions. For example, a getenv hook that calls the snprintf
+ function may create a loop if the snprintf implementation calls getenv
+ to check the locale. To prevent this, you may wish to use a static
+ variable in the hook function to guard against nested calls. E.g.
+
+ static int in_progress = 0; /* avoid recursion */
+ if (in_progress)
+ return SUDO_HOOK_RET_NEXT;
+ in_progress = 1;
+ ...
+ in_progress = 0;
+ return SUDO_HOOK_RET_STOP;
+
+ _\bH_\bo_\bo_\bk _\bA_\bP_\bI _\bV_\be_\br_\bs_\bi_\bo_\bn _\bM_\ba_\bc_\br_\bo_\bs
+
+ /* Hook API version major/minor */
+ #define SUDO_HOOK_VERSION_MAJOR 1
+ #define SUDO_HOOK_VERSION_MINOR 0
+ #define SUDO_HOOK_MKVERSION(x, y) ((x << 16) | y)
+ #define SUDO_HOOK_VERSION SUDO_HOOK_MKVERSION(SUDO_HOOK_VERSION_MAJOR,\
+ SUDO_HOOK_VERSION_MINOR)
+
+ /* Getters and setters for hook API version */
+ #define SUDO_HOOK_VERSION_GET_MAJOR(v) ((v) >> 16)
+ #define SUDO_HOOK_VERSION_GET_MINOR(v) ((v) & 0xffff)
+ #define SUDO_HOOK_VERSION_SET_MAJOR(vp, n) do { \
+ *(vp) = (*(vp) & 0x0000ffff) | ((n) << 16); \
+ } while(0)
+ #define SUDO_HOOK_VERSION_SET_MINOR(vp, n) do { \
+ *(vp) = (*(vp) & 0xffff0000) | (n); \
+ } while(0)
-SUDO_PLUGIN(1m) MAINTENANCE COMMANDS SUDO_PLUGIN(1m)
+ C\bCo\bon\bnv\bve\ber\brs\bsa\bat\bti\bio\bon\bn A\bAP\bPI\bI
+ If the plugin needs to interact with the user, it may do so via the
+ conversation function. A plugin should not attempt to read directly
+ from the standard input or the user's tty (neither of which are
+ guaranteed to exist). The caller must include a trailing newline in
+ msg if one is to be printed.
+ A printf-style function is also available that can be used to display
+ informational or error messages to the user, which is usually more
+ convenient for simple messages where no use input is required.
struct sudo_conv_message {
#define SUDO_CONV_PROMPT_ECHO_OFF 0x0001 /* do not echo user input */
#define SUDO_CONV_ERROR_MSG 0x0003 /* error message */
#define SUDO_CONV_INFO_MSG 0x0004 /* informational message */
#define SUDO_CONV_PROMPT_MASK 0x0005 /* mask user input */
+ #define SUDO_CONV_DEBUG_MSG 0x0006 /* debugging message */
#define SUDO_CONV_PROMPT_ECHO_OK 0x1000 /* flag: allow echo if no tty */
int msg_type;
int timeout;
buffer filled in to the struct sudo_conv_reply, if any.
The printf-style function uses the same underlying mechanism as the
- conversation function but only supports SUDO_CONV_INFO_MSG and
- SUDO_CONV_ERROR_MSG for the _\bm_\bs_\bg_\b__\bt_\by_\bp_\be parameter. It can be more
- convenient than using the conversation function if no user reply is
- needed and supports standard _\bp_\br_\bi_\bn_\bt_\bf_\b(_\b) escape sequences.
+ conversation function but only supports SUDO_CONV_INFO_MSG,
+ SUDO_CONV_ERROR_MSG and SUDO_CONV_DEBUG_MSG for the _\bm_\bs_\bg_\b__\bt_\by_\bp_\be parameter.
+ It can be more convenient than using the conversation function if no
+ user reply is needed and supports standard _\bp_\br_\bi_\bn_\bt_\bf_\b(_\b) escape sequences.
+
+ Unlike, SUDO_CONV_INFO_MSG and SUDO_CONV_ERROR_MSG, messages sent with
+ the <SUDO_CONV_DEBUG_MSG> _\bm_\bs_\bg_\b__\bt_\by_\bp_\be are not directly user-visible.
+ Instead, they are logged to the file specified in the Debug statement
+ (if any) in the _\b/_\be_\bt_\bc_\b/_\bs_\bu_\bd_\bo_\b._\bc_\bo_\bn_\bf file. This allows a plugin to log
+ debugging information and is intended to be used in conjunction with
+ the _\bd_\be_\bb_\bu_\bg_\b__\bf_\bl_\ba_\bg_\bs setting.
See the sample plugin for an example of the conversation function
usage.
in the global scope. This structure contains pointers to the functions
that implement plugin initialization, cleanup and group lookup.
-
-
-
-
-
-
-1.8.0rc1 February 21, 2011 17
-
-
-
-
-
-SUDO_PLUGIN(1m) MAINTENANCE COMMANDS SUDO_PLUGIN(1m)
-
-
struct sudoers_group_plugin {
unsigned int version;
int (*init)(int version, sudo_printf_t sudo_printf,
close open file handles.
query
-
-
-
-
-1.8.0rc1 February 21, 2011 18
-
-
-
-
-
-SUDO_PLUGIN(1m) MAINTENANCE COMMANDS SUDO_PLUGIN(1m)
-
-
int (*query)(const char *user, const char *group,
const struct passwd *pwd);
pwd The password database entry for _\bu_\bs_\be_\br, if any. If _\bu_\bs_\be_\br is not
present in the password database, _\bp_\bw_\bd will be NULL.
- _\bV_\be_\br_\bs_\bi_\bo_\bn _\bM_\ba_\bc_\br_\bo_\bs
+ _\bG_\br_\bo_\bu_\bp _\bA_\bP_\bI _\bV_\be_\br_\bs_\bi_\bo_\bn _\bM_\ba_\bc_\br_\bo_\bs
/* Sudoers group plugin version major/minor */
#define GROUP_API_VERSION_MAJOR 1
-1.8.0rc1 February 21, 2011 19
-
-
+1.8.5 March 14, 2012 SUDO_PLUGIN(1m)
-.\" Copyright (c) 2009-2011 Todd C. Miller <Todd.Miller@courtesan.com>
+.\" Copyright (c) 2009-2012 Todd C. Miller <Todd.Miller@courtesan.com>
.\"
.\" Permission to use, copy, modify, and distribute this software for any
.\" purpose with or without fee is hereby granted, provided that the above
.\" ========================================================================
.\"
.IX Title "SUDO_PLUGIN @mansectsu@"
-.TH SUDO_PLUGIN @mansectsu@ "February 21, 2011" "1.8.0rc1" "MAINTENANCE COMMANDS"
+.TH SUDO_PLUGIN @mansectsu@ "March 14, 2012" "1.8.5" "MAINTENANCE COMMANDS"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
or \f(CW\*(C`struct io_plugin\*(C'\fR in the plugin shared object. The \fIpath\fR
may be fully qualified or relative. If not fully qualified it is
relative to the \fI@prefix@/libexec\fR directory. Any additional
-parameters after the \fIpath\fR are ignored. Lines that don't begin
-with \f(CW\*(C`Plugin\*(C'\fR or \f(CW\*(C`Path\*(C'\fR are silently ignored.
+parameters after the \fIpath\fR are passed as arguments to the plugin's
+\&\fIopen\fR function. Lines that don't begin with \f(CW\*(C`Plugin\*(C'\fR, \f(CW\*(C`Path\*(C'\fR,
+\&\f(CW\*(C`Debug\*(C'\fR or \f(CW\*(C`Set\*(C'\fR are silently ignored.
.PP
The same shared object may contain multiple plugins, each with a
different symbol name. The shared object file must be owned by uid
\& # Default @sysconfdir@/sudo.conf file
\& #
\& # Format:
-\& # Plugin plugin_name plugin_path
+\& # Plugin plugin_name plugin_path optional_args
\& # Path askpass /path/to/askpass
+\& # Path noexec /path/to/sudo_noexec.so
+\& # Debug sudo /var/log/sudo_debug all@warn
+\& # Set disable_coredump true
\& #
\& # The plugin_path is relative to @prefix@/libexec unless
\& # fully qualified.
\& # The plugin_name corresponds to a global symbol in the plugin
\& # that contains the plugin interface structure.
+\& # The plugin_args are optional.
\& #
\& Plugin sudoers_policy sudoers.so
\& Plugin sudoers_io sudoers.so
\& unsigned int version; /* always SUDO_API_VERSION */
\& int (*open)(unsigned int version, sudo_conv_t conversation,
\& sudo_printf_t plugin_printf, char * const settings[],
-\& char * const user_info[], char * const user_env[]);
+\& char * const user_info[], char * const user_env[],
+\& char * const plugin_args[]);
\& void (*close)(int exit_status, int error);
\& int (*show_version)(int verbose);
\& int (*check_policy)(int argc, char * const argv[],
\& int (*validate)(void);
\& void (*invalidate)(int remove);
\& int (*init_session)(struct passwd *pwd);
+\& void (*register_hooks)(int version,
+\& int (*register_hook)(struct sudo_hook *hook));
+\& void (*deregister_hooks)(int version,
+\& int (*deregister_hook)(struct sudo_hook *hook));
\& };
.Ve
.PP
built against.
.IP "open" 4
.IX Item "open"
-.Vb 3
+.Vb 4
\& int (*open)(unsigned int version, sudo_conv_t conversation,
\& sudo_printf_t plugin_printf, char * const settings[],
-\& char * const user_info[], char * const user_env[]);
+\& char * const user_info[], char * const user_env[],
+\& char * const plugin_args[]);
.Ve
.Sp
Returns 1 on success, 0 on failure, \-1 if a general error occurred,
equal sign ('=') since the \fIname\fR field will never include one
itself but the \fIvalue\fR might.
.RS 4
+.IP "debug_flags=string" 4
+.IX Item "debug_flags=string"
+A comma-separated list of debug flags that correspond to \fBsudo\fR's
+\&\f(CW\*(C`Debug\*(C'\fR entry in \fI@sysconfdir@/sudo.conf\fR, if there is one. The
+flags are passed to the plugin as they appear in \fI@sysconfdir@/sudo.conf\fR.
+The syntax used by \fBsudo\fR and the \fIsudoers\fR plugin is
+\&\fIsubsystem\fR@\fIpriority\fR but the plugin is free to use a different
+format so long as it does not include a command \f(CW\*(C`,\*(C'\fR.
+.Sp
+For reference, the priorities supported by the \fBsudo\fR front end and
+\&\fIsudoers\fR are: \fIcrit\fR, \fIerr\fR, \fIwarn\fR, \fInotice\fR, \fIdiag\fR,
+\&\fIinfo\fR, \fItrace\fR and \fIdebug\fR.
+.Sp
+The following subsystems are defined: \fImain\fR, \fImemory\fR, \fIargs\fR,
+\&\fIexec\fR, \fIpty\fR, \fIutmp\fR, \fIconv\fR, \fIpcomm\fR, \fIutil\fR, \fIlist\fR,
+\&\fInetif\fR, \fIaudit\fR, \fIedit\fR, \fIselinux\fR, \fIldap\fR, \fImatch\fR, \fIparser\fR,
+\&\fIalias\fR, \fIdefaults\fR, \fIauth\fR, \fIenv\fR, \fIlogging\fR, \fInss\fR, \fIrbtree\fR,
+\&\fIperms\fR, \fIplugin\fR. The subsystem \fIall\fR includes every subsystem.
+.Sp
+There is not currently a way to specify a set of debug flags specific
+to the plugin\*(--the flags are shared by \fBsudo\fR and the plugin.
.IP "debug_level=number" 4
.IX Item "debug_level=number"
-A numeric debug level, from 1\-9, if specified via the \f(CW\*(C`\-D\*(C'\fR flag.
+This setting has been deprecated in favor of \fIdebug_flags\fR.
.IP "runas_user=string" 4
.IX Item "runas_user=string"
The user name or uid to to run the command as, if specified via the
.IX Item "preserve_environment=bool"
Set to true if the user specified the \f(CW\*(C`\-E\*(C'\fR flag, indicating that
the user wishes to preserve the environment.
+.IP "run_shell=bool" 4
+.IX Item "run_shell=bool"
+Set to true if the user specified the \f(CW\*(C`\-s\*(C'\fR flag, indicating that
+the user wishes to run a shell.
.IP "login_shell=bool" 4
.IX Item "login_shell=bool"
Set to true if the user specified the \f(CW\*(C`\-i\*(C'\fR flag, indicating that
When parsing \fIuser_env\fR, the plugin should split on the \fBfirst\fR
equal sign ('=') since the \fIname\fR field will never include one
itself but the \fIvalue\fR might.
+.IP "plugin_args" 4
+.IX Item "plugin_args"
+Any (non-comment) strings immediately after the plugin path are
+treated as arguments to the plugin. These arguments are split on
+a whitespace boundary and are passed to the plugin in the form of
+a \f(CW\*(C`NULL\*(C'\fR\-terminated array of strings. If no arguments were
+specified, \fIplugin_args\fR will be the \s-1NULL\s0 pointer.
+.Sp
+\&\s-1NOTE:\s0 the \fIplugin_args\fR parameter is only available starting with
+\&\s-1API\s0 version 1.2. A plugin \fBmust\fR check the \s-1API\s0 version specified
+by the \fBsudo\fR front end before using \fIplugin_args\fR. Failure to
+do so may result in a crash.
.RE
.RS 4
.RE
The supplementary group vector to use for the command in the form
of a comma-separated list of group IDs. If \fIpreserve_groups\fR
is set, this option is ignored.
-.IP "login_class=login_class" 4
-.IX Item "login_class=login_class"
+.IP "login_class=string" 4
+.IX Item "login_class=string"
\&\s-1BSD\s0 login class to use when setting resource limits and nice value
(optional). This option is only set on systems that support login
classes.
Allocate a pseudo-tty to run the command in, regardless of whether
or not I/O logging is in use. By default, \fBsudo\fR will only run
the command in a pty when an I/O log plugin is loaded.
+.IP "set_utmp=bool" 4
+.IX Item "set_utmp=bool"
+Create a utmp (or utmpx) entry when a pseudo-tty is allocated. By
+default, the new entry will be a copy of the user's existing utmp
+entry (if any), with the tty, time, type and pid fields updated.
+.IP "utmp_user=string" 4
+.IX Item "utmp_user=string"
+User name to use when constructing a new utmp (or utmpx) entry when
+\&\fIset_utmp\fR is enabled. This option can be used to set the user
+field in the utmp entry to the user the command runs as rather than
+the invoking user. If not set, \fBsudo\fR will base the new entry on
+the invoking user's existing entry.
.RE
.RS 4
.Sp
On error, the plugin may optionally call the conversation or plugin_printf
function with \f(CW\*(C`SUDO_CONF_ERROR_MSG\*(C'\fR to present additional
error information to the user.
+.IP "register_hooks" 4
+.IX Item "register_hooks"
+.Vb 2
+\& void (*register_hooks)(int version,
+\& int (*register_hook)(struct sudo_hook *hook));
+.Ve
+.Sp
+The \f(CW\*(C`register_hooks\*(C'\fR function is called by the sudo front end to
+register any hooks the plugin needs. If the plugin does not support
+hooks, \f(CW\*(C`register_hooks\*(C'\fR should be set to the \s-1NULL\s0 pointer.
+.Sp
+The \fIversion\fR argument describes the version of the hooks \s-1API\s0
+supported by the \fBsudo\fR front end.
+.Sp
+The \f(CW\*(C`register_hook\*(C'\fR function should be used to register any suppored
+hooks the plugin needs. It returns 0 on success, 1 if the hook
+type is not supported and \-1 if the major version in \f(CW\*(C`struct hook\*(C'\fR
+does not match the front end's major hook \s-1API\s0 version.
+.Sp
+See the \*(L"Hook Function \s-1API\s0\*(R" section below for more information
+about hooks.
+.Sp
+\&\s-1NOTE:\s0 the \f(CW\*(C`register_hooks\*(C'\fR function is only available starting
+with \s-1API\s0 version 1.2. If the \fBsudo\fR front end doesn't support \s-1API\s0
+version 1.2 or higher, \f(CW\*(C`register_hooks\*(C'\fR will not be called.
+.IP "deregister_hooks" 4
+.IX Item "deregister_hooks"
+.Vb 2
+\& void (*deregister_hooks)(int version,
+\& int (*deregister_hook)(struct sudo_hook *hook));
+.Ve
+.Sp
+The \f(CW\*(C`deregister_hooks\*(C'\fR function is called by the sudo front end
+to deregister any hooks the plugin has registered. If the plugin
+does not support hooks, \f(CW\*(C`deregister_hooks\*(C'\fR should be set to the
+\&\s-1NULL\s0 pointer.
+.Sp
+The \fIversion\fR argument describes the version of the hooks \s-1API\s0
+supported by the \fBsudo\fR front end.
+.Sp
+The \f(CW\*(C`deregister_hook\*(C'\fR function should be used to deregister any
+hooks that were put in place by the \f(CW\*(C`register_hook\*(C'\fR function. If
+the plugin tries to deregister a hook that the front end does not
+support, \f(CW\*(C`deregister_hook\*(C'\fR will return an error.
+.Sp
+See the \*(L"Hook Function \s-1API\s0\*(R" section below for more information
+about hooks.
+.Sp
+\&\s-1NOTE:\s0 the \f(CW\*(C`deregister_hooks\*(C'\fR function is only available starting
+with \s-1API\s0 version 1.2. If the \fBsudo\fR front end doesn't support \s-1API\s0
+version 1.2 or higher, \f(CW\*(C`deregister_hooks\*(C'\fR will not be called.
.PP
-\fIVersion macros\fR
-.IX Subsection "Version macros"
+\fIPolicy Plugin Version Macros\fR
+.IX Subsection "Policy Plugin Version Macros"
.PP
-.Vb 8
+.Vb 6
+\& /* Plugin API version major/minor. */
+\& #define SUDO_API_VERSION_MAJOR 1
+\& #define SUDO_API_VERSION_MINOR 2
+\& #define SUDO_API_MKVERSION(x, y) ((x << 16) | y)
+\& #define SUDO_API_VERSION SUDO_API_MKVERSION(SUDO_API_VERSION_MAJOR,\e
+\& SUDO_API_VERSION_MINOR)
+\&
+\& /* Getters and setters for API version */
\& #define SUDO_API_VERSION_GET_MAJOR(v) ((v) >> 16)
\& #define SUDO_API_VERSION_GET_MINOR(v) ((v) & 0xffff)
\& #define SUDO_API_VERSION_SET_MAJOR(vp, n) do { \e
\& #define SUDO_VERSION_SET_MINOR(vp, n) do { \e
\& *(vp) = (*(vp) & 0xffff0000) | (n); \e
\& } while(0)
-\&
-\& #define SUDO_API_VERSION_MAJOR 1
-\& #define SUDO_API_VERSION_MINOR 0
-\& #define SUDO_API_VERSION ((SUDO_API_VERSION_MAJOR << 16) | \e
-\& SUDO_API_VERSION_MINOR)
.Ve
.SS "I/O Plugin \s-1API\s0"
.IX Subsection "I/O Plugin API"
\& int (*open)(unsigned int version, sudo_conv_t conversation
\& sudo_printf_t plugin_printf, char * const settings[],
\& char * const user_info[], int argc, char * const argv[],
-\& char * const user_env[]);
+\& char * const user_env[], char * const plugin_args[]);
\& void (*close)(int exit_status, int error); /* wait status or error */
\& int (*show_version)(int verbose);
\& int (*log_ttyin)(const char *buf, unsigned int len);
\& int (*log_stdin)(const char *buf, unsigned int len);
\& int (*log_stdout)(const char *buf, unsigned int len);
\& int (*log_stderr)(const char *buf, unsigned int len);
+\& void (*register_hooks)(int version,
+\& int (*register_hook)(struct sudo_hook *hook));
+\& void (*deregister_hooks)(int version,
+\& int (*deregister_hook)(struct sudo_hook *hook));
\& };
.Ve
.PP
\& int (*open)(unsigned int version, sudo_conv_t conversation
\& sudo_printf_t plugin_printf, char * const settings[],
\& char * const user_info[], int argc, char * const argv[],
-\& char * const user_env[]);
+\& char * const user_env[], char * const plugin_args[]);
.Ve
.Sp
The \fIopen\fR function is run before the \fIlog_input\fR, \fIlog_output\fR
When parsing \fIuser_env\fR, the plugin should split on the \fBfirst\fR
equal sign ('=') since the \fIname\fR field will never include one
itself but the \fIvalue\fR might.
+.IP "plugin_args" 4
+.IX Item "plugin_args"
+Any (non-comment) strings immediately after the plugin path are
+treated as arguments to the plugin. These arguments are split on
+a whitespace boundary and are passed to the plugin in the form of
+a \f(CW\*(C`NULL\*(C'\fR\-terminated array of strings. If no arguments were
+specified, \fIplugin_args\fR will be the \s-1NULL\s0 pointer.
+.Sp
+\&\s-1NOTE:\s0 the \fIplugin_args\fR parameter is only available starting with
+\&\s-1API\s0 version 1.2. A plugin \fBmust\fR check the \s-1API\s0 version specified
+by the \fBsudo\fR front end before using \fIplugin_args\fR. Failure to
+do so may result in a crash.
.RE
.RS 4
.RE
.RE
.RS 4
.RE
+.IP "register_hooks" 4
+.IX Item "register_hooks"
+See the \*(L"Policy Plugin \s-1API\s0\*(R" section for a description of
+\&\f(CW\*(C`register_hooks\*(C'\fR.
+.IP "deregister_hooks" 4
+.IX Item "deregister_hooks"
+See the \*(L"Policy Plugin \s-1API\s0\*(R" section for a description of
+\&\f(CW\*(C`deregister_hooks\*(C'\fR.
.PP
-\fIVersion macros\fR
-.IX Subsection "Version macros"
+\fII/O Plugin Version Macros\fR
+.IX Subsection "I/O Plugin Version Macros"
.PP
Same as for the \*(L"Policy Plugin \s-1API\s0\*(R".
+.SS "Hook Function \s-1API\s0"
+.IX Subsection "Hook Function API"
+Beginning with plugin \s-1API\s0 version 1.2, it is possible to install
+hooks for certain functions called by the \fBsudo\fR front end.
+.PP
+Currently, the only supported hooks relate to the handling of
+environment variables. Hooks can be used to intercept attempts to
+get, set, or remove environment variables so that these changes can
+be reflected in the version of the environment that is used to
+execute a command. A future version of the \s-1API\s0 will support
+hooking internal \fBsudo\fR front end functions as well.
+.PP
+Environment-related hooks are disabled prior to the execution of
+the \f(CW\*(C`init_session\*(C'\fR policy plugin function (if any). This is
+necessary because \f(CW\*(C`init_session\*(C'\fR has no way of passing back a
+modified environment pointer. However, since the user environment
+specified by the \f(CW\*(C`check_policy\*(C'\fR function is already in place, there
+should be no need to hook the environment functions at that time.
+.PP
+\fIHook structure\fR
+.IX Subsection "Hook structure"
+.PP
+Hooks in \fBsudo\fR are described by the following structure:
+.PP
+.Vb 1
+\& typedef int (*sudo_hook_fn_t)();
+\&
+\& struct sudo_hook {
+\& int hook_version;
+\& int hook_type;
+\& sudo_hook_fn_t hook_fn;
+\& void *closure;
+\& };
+.Ve
+.PP
+The \f(CW\*(C`sudo_hook\*(C'\fR structure has the following fields:
+.IP "hook_version" 4
+.IX Item "hook_version"
+The \f(CW\*(C`hook_version\*(C'\fR field should be set to \s-1SUDO_HOOK_VERSION\s0.
+.IP "hook_type" 4
+.IX Item "hook_type"
+The \f(CW\*(C`hook_type\*(C'\fR field may be one of the following supported hook types:
+.RS 4
+.IP "\s-1SUDO_HOOK_SETENV\s0" 4
+.IX Item "SUDO_HOOK_SETENV"
+The C library \f(CW\*(C`setenv()\*(C'\fR function. Any registered hooks will run
+before the C library implementation. The \f(CW\*(C`hook_fn\*(C'\fR field should
+be a function that matches the following typedef:
+.Sp
+.Vb 2
+\& typedef int (*sudo_hook_fn_setenv_t)(const char *name,
+\& const char *value, int overwrite, void *closure);
+.Ve
+.Sp
+If the registered hook does not match the typedef the results are
+unspecified.
+.IP "\s-1SUDO_HOOK_UNSETENV\s0" 4
+.IX Item "SUDO_HOOK_UNSETENV"
+The C library \f(CW\*(C`unsetenv()\*(C'\fR function. Any registered hooks will run
+before the C library implementation. The \f(CW\*(C`hook_fn\*(C'\fR field should
+be a function that matches the following typedef:
+.Sp
+.Vb 2
+\& typedef int (*sudo_hook_fn_unsetenv_t)(const char *name,
+\& void *closure);
+.Ve
+.IP "\s-1SUDO_HOOK_GETENV\s0" 4
+.IX Item "SUDO_HOOK_GETENV"
+The C library \f(CW\*(C`getenv()\*(C'\fR function. Any registered hooks will run
+before the C library implementation. The \f(CW\*(C`hook_fn\*(C'\fR field should
+be a function that matches the following typedef:
+.Sp
+.Vb 2
+\& typedef int (*sudo_hook_fn_getenv_t)(const char *name,
+\& char **value, void *closure);
+.Ve
+.Sp
+If the registered hook does not match the typedef the results are
+unspecified.
+.IP "\s-1SUDO_HOOK_PUTENV\s0" 4
+.IX Item "SUDO_HOOK_PUTENV"
+The C library \f(CW\*(C`putenv()\*(C'\fR function. Any registered hooks will run
+before the C library implementation. The \f(CW\*(C`hook_fn\*(C'\fR field should
+be a function that matches the following typedef:
+.Sp
+.Vb 2
+\& typedef int (*sudo_hook_fn_putenv_t)(char *string,
+\& void *closure);
+.Ve
+.Sp
+If the registered hook does not match the typedef the results are
+unspecified.
+.RE
+.RS 4
+.RE
+.IP "hook_fn" 4
+.IX Item "hook_fn"
+.Vb 1
+\& sudo_hook_fn_t hook_fn;
+.Ve
+.Sp
+The \f(CW\*(C`hook_fn\*(C'\fR field should be set to the plugin's hook implementation.
+The actual function arguments will vary depending on the \f(CW\*(C`hook_type\*(C'\fR
+(see \f(CW\*(C`hook_type\*(C'\fR above). In all cases, the \f(CW\*(C`closure\*(C'\fR field of
+\&\f(CW\*(C`struct sudo_hook\*(C'\fR is passed as the last function parameter. This
+can be used to pass arbitrary data to the plugin's hook implementation.
+.Sp
+The function return value may be one of the following:
+.RS 4
+.IP "\s-1SUDO_HOOK_RET_ERROR\s0" 4
+.IX Item "SUDO_HOOK_RET_ERROR"
+The hook function encountered an error.
+.IP "\s-1SUDO_HOOK_RET_NEXT\s0" 4
+.IX Item "SUDO_HOOK_RET_NEXT"
+The hook completed without error, go on to the next hook (including
+the native implementation if applicable). For example, a \f(CW\*(C`getenv\*(C'\fR
+hook might return \f(CW\*(C`SUDO_HOOK_RET_NEXT\*(C'\fR if the specified variable
+was not found in the private copy of the environment.
+.IP "\s-1SUDO_HOOK_RET_STOP\s0" 4
+.IX Item "SUDO_HOOK_RET_STOP"
+The hook completed without error, stop processing hooks for this
+invocation. This can be used to replace the native implementation.
+For example, a \f(CW\*(C`setenv\*(C'\fR hook that operates on a private copy of
+the environment but leaves \f(CW\*(C`environ\*(C'\fR unchanged.
+.RE
+.RS 4
+.RE
+.PP
+Note that it is very easy to create an infinite loop when hooking
+C library functions. For example, a \f(CW\*(C`getenv\*(C'\fR hook that calls the
+\&\f(CW\*(C`snprintf\*(C'\fR function may create a loop if the \f(CW\*(C`snprintf\*(C'\fR implementation
+calls \f(CW\*(C`getenv\*(C'\fR to check the locale. To prevent this, you may wish
+to use a static variable in the hook function to guard against
+nested calls. E.g.
+.PP
+.Vb 7
+\& static int in_progress = 0; /* avoid recursion */
+\& if (in_progress)
+\& return SUDO_HOOK_RET_NEXT;
+\& in_progress = 1;
+\& ...
+\& in_progress = 0;
+\& return SUDO_HOOK_RET_STOP;
+.Ve
+.PP
+\fIHook \s-1API\s0 Version Macros\fR
+.IX Subsection "Hook API Version Macros"
+.PP
+.Vb 6
+\& /* Hook API version major/minor */
+\& #define SUDO_HOOK_VERSION_MAJOR 1
+\& #define SUDO_HOOK_VERSION_MINOR 0
+\& #define SUDO_HOOK_MKVERSION(x, y) ((x << 16) | y)
+\& #define SUDO_HOOK_VERSION SUDO_HOOK_MKVERSION(SUDO_HOOK_VERSION_MAJOR,\e
+\& SUDO_HOOK_VERSION_MINOR)
+\&
+\& /* Getters and setters for hook API version */
+\& #define SUDO_HOOK_VERSION_GET_MAJOR(v) ((v) >> 16)
+\& #define SUDO_HOOK_VERSION_GET_MINOR(v) ((v) & 0xffff)
+\& #define SUDO_HOOK_VERSION_SET_MAJOR(vp, n) do { \e
+\& *(vp) = (*(vp) & 0x0000ffff) | ((n) << 16); \e
+\& } while(0)
+\& #define SUDO_HOOK_VERSION_SET_MINOR(vp, n) do { \e
+\& *(vp) = (*(vp) & 0xffff0000) | (n); \e
+\& } while(0)
+.Ve
.SS "Conversation \s-1API\s0"
.IX Subsection "Conversation API"
If the plugin needs to interact with the user, it may do so via the
informational or error messages to the user, which is usually more
convenient for simple messages where no use input is required.
.PP
-.Vb 11
+.Vb 12
\& struct sudo_conv_message {
\& #define SUDO_CONV_PROMPT_ECHO_OFF 0x0001 /* do not echo user input */
\& #define SUDO_CONV_PROMPT_ECHO_ON 0x0002 /* echo user input */
\& #define SUDO_CONV_ERROR_MSG 0x0003 /* error message */
\& #define SUDO_CONV_INFO_MSG 0x0004 /* informational message */
\& #define SUDO_CONV_PROMPT_MASK 0x0005 /* mask user input */
+\& #define SUDO_CONV_DEBUG_MSG 0x0006 /* debugging message */
\& #define SUDO_CONV_PROMPT_ECHO_OK 0x1000 /* flag: allow echo if no tty */
\& int msg_type;
\& int timeout;
if any.
.PP
The printf-style function uses the same underlying mechanism as the
-conversation function but only supports \f(CW\*(C`SUDO_CONV_INFO_MSG\*(C'\fR and
-\&\f(CW\*(C`SUDO_CONV_ERROR_MSG\*(C'\fR for the \fImsg_type\fR parameter. It can be
-more convenient than using the conversation function if no user
-reply is needed and supports standard \fIprintf()\fR escape sequences.
+conversation function but only supports \f(CW\*(C`SUDO_CONV_INFO_MSG\*(C'\fR,
+\&\f(CW\*(C`SUDO_CONV_ERROR_MSG\*(C'\fR and \f(CW\*(C`SUDO_CONV_DEBUG_MSG\*(C'\fR for the \fImsg_type\fR
+parameter. It can be more convenient than using the conversation
+function if no user reply is needed and supports standard \fIprintf()\fR
+escape sequences.
+.PP
+Unlike, \f(CW\*(C`SUDO_CONV_INFO_MSG\*(C'\fR and \f(CW\*(C`SUDO_CONV_ERROR_MSG\*(C'\fR, messages
+sent with the <\s-1SUDO_CONV_DEBUG_MSG\s0> \fImsg_type\fR are not directly
+user-visible. Instead, they are logged to the file specified in
+the \f(CW\*(C`Debug\*(C'\fR statement (if any) in the \fI@sysconfdir@/sudo.conf\fR
+file. This allows a plugin to log debugging information and is
+intended to be used in conjunction with the \fIdebug_flags\fR setting.
.PP
See the sample plugin for an example of the conversation function usage.
.SS "Sudoers Group Plugin \s-1API\s0"
.RS 4
.RE
.PP
-\fIVersion Macros\fR
-.IX Subsection "Version Macros"
+\fIGroup \s-1API\s0 Version Macros\fR
+.IX Subsection "Group API Version Macros"
.PP
.Vb 5
\& /* Sudoers group plugin version major/minor */
+SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
-SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
-
-
N\bNA\bAM\bME\bE
sudoers - default sudo security policy module
_\bs_\bu_\bd_\bo_\be_\br_\bs also supports logging a command's input and output streams.
I/O logging is not on by default but can be enabled using the _\bl_\bo_\bg_\b__\bi_\bn_\bp_\bu_\bt
and _\bl_\bo_\bg_\b__\bo_\bu_\bt_\bp_\bu_\bt Defaults flags as well as the LOG_INPUT and LOG_OUTPUT
-
-
-
-1.8.0rc1 February 21, 2011 1
-
-
-
-
-
-SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
-
-
command tags.
C\bCo\bom\bmm\bma\ban\bnd\bd E\bEn\bnv\bvi\bir\bro\bon\bnm\bme\ben\bnt\bt
distinct ways _\bs_\bu_\bd_\bo_\be_\br_\bs can deal with environment variables.
By default, the _\be_\bn_\bv_\b__\br_\be_\bs_\be_\bt option is enabled. This causes commands to
- be executed with a minimal environment containing TERM, PATH, HOME,
- MAIL, SHELL, LOGNAME, USER and USERNAME in addition to variables from
- the invoking process permitted by the _\be_\bn_\bv_\b__\bc_\bh_\be_\bc_\bk and _\be_\bn_\bv_\b__\bk_\be_\be_\bp options.
- This is effectively a whitelist for environment variables.
+ be executed with a minimal environment containing the TERM, PATH, HOME,
+ MAIL, SHELL, LOGNAME, USER, USERNAME and SUDO_* variables in addition
+ to variables from the invoking process permitted by the _\be_\bn_\bv_\b__\bc_\bh_\be_\bc_\bk and
+ _\be_\bn_\bv_\b__\bk_\be_\be_\bp options. This is effectively a whitelist for environment
+ variables.
If, however, the _\be_\bn_\bv_\b__\br_\be_\bs_\be_\bt option is disabled, any variables not
explicitly denied by the _\be_\bn_\bv_\b__\bc_\bh_\be_\bc_\bk and _\be_\bn_\bv_\b__\bd_\be_\bl_\be_\bt_\be options are inherited
before s\bsu\bud\bdo\bo even begins execution and, as such, it is not possible for
s\bsu\bud\bdo\bo to preserve them.
- As a special case, If s\bsu\bud\bdo\bo's -\b-i\bi option (initial login) is specified,
+ As a special case, if s\bsu\bud\bdo\bo's -\b-i\bi option (initial login) is specified,
_\bs_\bu_\bd_\bo_\be_\br_\bs will initialize the environment regardless of the value of
_\be_\bn_\bv_\b__\br_\be_\bs_\be_\bt. The _\bD_\bI_\bS_\bP_\bL_\bA_\bY, _\bP_\bA_\bT_\bH and _\bT_\bE_\bR_\bM variables remain unchanged;
_\bH_\bO_\bM_\bE, _\bM_\bA_\bI_\bL, _\bS_\bH_\bE_\bL_\bL, _\bU_\bS_\bE_\bR, and _\bL_\bO_\bG_\bN_\bA_\bM_\bE are set based on the target user.
On Linux and AIX systems the contents of _\b/_\be_\bt_\bc_\b/_\be_\bn_\bv_\bi_\br_\bo_\bn_\bm_\be_\bn_\bt are also
included. All other environment variables are removed.
+ Lastly, if the _\be_\bn_\bv_\b__\bf_\bi_\bl_\be option is defined, any variables present in
+ that file will be set to their specified values.
+
S\bSU\bUD\bDO\bOE\bER\bRS\bS F\bFI\bIL\bLE\bE F\bFO\bOR\bRM\bMA\bAT\bT
The _\bs_\bu_\bd_\bo_\be_\br_\bs file is composed of two types of entries: aliases
(basically variables) and user specifications (which specify who may
Form (EBNF). Don't despair if you don't know what EBNF is; it is
fairly simple, and the definitions below are annotated.
-
-
-
-1.8.0rc1 February 21, 2011 2
-
-
-
-
-
-SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
-
-
Q\bQu\bui\bic\bck\bk g\bgu\bui\bid\bde\be t\bto\bo E\bEB\bBN\bNF\bF
EBNF is a concise and exact way of describing the grammar of a
language. Each EBNF definition is made up of _\bp_\br_\bo_\bd_\bu_\bc_\bt_\bi_\bo_\bn _\br_\bu_\bl_\be_\bs. E.g.,
Alias_Type NAME = item1, item2, item3 : NAME = item4, item5
-
-
-1.8.0rc1 February 21, 2011 3
-
-
-
-
-
-SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
-
-
The definitions of what constitutes a valid _\ba_\bl_\bi_\ba_\bs member follow.
User_List ::= User |
User ',' User_List
User ::= '!'* user name |
- '!'* '#'uid |
- '!'* '%'group |
- '!'* '+'netgroup |
- '!'* '%:'nonunix_group |
+ '!'* #uid |
+ '!'* %group |
+ '!'* %#gid |
+ '!'* +netgroup |
+ '!'* %:nonunix_group |
+ '!'* %:#nonunix_gid |
'!'* User_Alias
- A User_List is made up of one or more user names, uids (prefixed with
- '#'), system groups (prefixed with '%'), netgroups (prefixed with '+')
- and User_Aliases. Each list item may be prefixed with zero or more '!'
- operators. An odd number of '!' operators negate the value of the
- item; an even number just cancel each other out.
+ A User_List is made up of one or more user names, user ids (prefixed
+ with '#'), system group names and ids (prefixed with '%' and '%#'
+ respectively), netgroups (prefixed with '+'), non-Unix group names and
+ IDs (prefixed with '%:' and '%:#' respectively) and User_Aliases. Each
+ list item may be prefixed with zero or more '!' operators. An odd
+ number of '!' operators negate the value of the item; an even number
+ just cancel each other out.
- A user name, group, netgroup or nonunix_group may be enclosed in double
- quotes to avoid the need for escaping special characters. Alternately,
- special characters may be specified in escaped hex mode, e.g. \x20 for
- space.
+ A user name, uid, group, gid, netgroup, nonunix_group or nonunix_gid
+ may be enclosed in double quotes to avoid the need for escaping special
+ characters. Alternately, special characters may be specified in
+ escaped hex mode, e.g. \x20 for space. When using double quotes, any
+ prefix characters must be included inside the quotes.
- The actual nonunix_group syntax depends on the underlying group
- provider plugin (see the _\bg_\br_\bo_\bu_\bp_\b__\bp_\bl_\bu_\bg_\bi_\bn description below). For
- instance, the QAS AD plugin supports the following formats:
+ The actual nonunix_group and nonunix_gid syntax depends on the
+ underlying group provider plugin (see the _\bg_\br_\bo_\bu_\bp_\b__\bp_\bl_\bu_\bg_\bi_\bn description
+ below). For instance, the QAS AD plugin supports the following
+ formats:
- +\bo Group in the same domain: "Group Name"
+ o Group in the same domain: "Group Name"
- +\bo Group in any domain: "Group Name@FULLY.QUALIFIED.DOMAIN"
+ o Group in any domain: "Group Name@FULLY.QUALIFIED.DOMAIN"
- +\bo Group SID: "S-1-2-34-5678901234-5678901234-5678901234-567"
+ o Group SID: "S-1-2-34-5678901234-5678901234-5678901234-567"
Note that quotes around group names are optional. Unquoted strings
- must use a backslash (\) to escape spaces and the '@' symbol.
+ must use a backslash (\) to escape spaces and special characters. See
+ "Other special characters and reserved words" for a list of characters
+ that need to be escaped.
Runas_List ::= Runas_Member |
Runas_Member ',' Runas_List
Runas_Member ::= '!'* user name |
- '!'* '#'uid |
- '!'* '%'group |
+ '!'* #uid |
+ '!'* %group |
+ '!'* %#gid |
+ '!'* %:nonunix_group |
+ '!'* %:#nonunix_gid |
'!'* +netgroup |
'!'* Runas_Alias
Host_List ::= Host |
Host ',' Host_List
-
-
-1.8.0rc1 February 21, 2011 4
-
-
-
-
-
-SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
-
-
-
Host ::= '!'* host name |
'!'* ip_addr |
'!'* network(/netmask)? |
- '!'* '+'netgroup |
+ '!'* +netgroup |
'!'* Host_Alias
A Host_List is made up of one or more host names, IP addresses, network
to permit a user to run s\bsu\bud\bdo\bo with the -\b-e\be option (or as s\bsu\bud\bdo\boe\bed\bdi\bit\bt). It
may take command line arguments just as a normal command does.
-
-
-1.8.0rc1 February 21, 2011 5
-
-
-
-
-
-SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
-
-
D\bDe\bef\bfa\bau\bul\blt\bts\bs
Certain configuration options may be changed from their default values
at runtime via one or more Default_Entry lines. These may affect all
SELinux_Spec ::= ('ROLE=role' | 'TYPE=type')
-
-
-1.8.0rc1 February 21, 2011 6
-
-
-
-
-
-SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
-
-
-
Tag_Spec ::= ('NOPASSWD:' | 'PASSWD:' | 'NOEXEC:' | 'EXEC:' |
'SETENV:' | 'NOSETENV:' | 'LOG_INPUT:' | 'NOLOG_INPUT:' |
'LOG_OUTPUT:' | 'NOLOG_OUTPUT:')
what user) on specified hosts. By default, commands are run as r\bro\boo\bot\bt,
but this can be changed on a per-command basis.
- The basic structure of a user specification is `who = where (as_whom)
+ The basic structure of a user specification is `who where = (as_whom)
what'. Let's break that down into its constituent parts:
R\bRu\bun\bna\bas\bs_\b_S\bSp\bpe\bec\bc
Note that while the group portion of the Runas_Spec permits the user to
run as command with that group, it does not force the user to do so.
If no group is specified on the command line, the command will run with
-
-
-
-1.8.0rc1 February 21, 2011 7
-
-
-
-
-
-SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
-
-
the group listed in the target user's password database entry. The
following would all be permitted by the sudoers entry above:
would allow the user r\bra\bay\by to run _\b/_\bb_\bi_\bn_\b/_\bk_\bi_\bl_\bl, _\b/_\bb_\bi_\bn_\b/_\bl_\bs, and _\b/_\bu_\bs_\br_\b/_\bb_\bi_\bn_\b/_\bl_\bp_\br_\bm
as r\bro\boo\bot\bt on the machine rushmore without authenticating himself. If we
-
-
-
-1.8.0rc1 February 21, 2011 8
-
-
-
-
-
-SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
-
-
only want r\bra\bay\by to be able to run _\b/_\bb_\bi_\bn_\b/_\bk_\bi_\bl_\bl without a password the entry
would be:
aaron shanty = NOEXEC: /usr/bin/more, /usr/bin/vi
- See the "PREVENTING SHELL ESCAPES" section below for more details on
+ See the "Preventing Shell Escapes" section below for more details on
how NOEXEC works and whether or not it will work on your system.
_\bS_\bE_\bT_\bE_\bN_\bV _\ba_\bn_\bd _\bN_\bO_\bS_\bE_\bT_\bE_\bN_\bV
These tags override the value of the _\bs_\be_\bt_\be_\bn_\bv option on a per-command
- basis. Note that if SETENV has been set for a command, the user
- maydisable the _\be_\bn_\bv_\b__\br_\be_\bs_\be_\bt option from the command line via the -\b-E\bE
- option. Additionally, environment variables set on the command line
- are not subject to the restrictions imposed by _\be_\bn_\bv_\b__\bc_\bh_\be_\bc_\bk, _\be_\bn_\bv_\b__\bd_\be_\bl_\be_\bt_\be,
- or _\be_\bn_\bv_\b__\bk_\be_\be_\bp. As such, only trusted users should be allowed to set
+ basis. Note that if SETENV has been set for a command, the user may
+ disable the _\be_\bn_\bv_\b__\br_\be_\bs_\be_\bt option from the command line via the -\b-E\bE option.
+ Additionally, environment variables set on the command line are not
+ subject to the restrictions imposed by _\be_\bn_\bv_\b__\bc_\bh_\be_\bc_\bk, _\be_\bn_\bv_\b__\bd_\be_\bl_\be_\bt_\be, or
+ _\be_\bn_\bv_\b__\bk_\be_\be_\bp. As such, only trusted users should be allowed to set
variables in this manner. If the command matched is A\bAL\bLL\bL, the SETENV
tag is implied for that command; this default may be overridden by use
of the NOSETENV tag.
basis. For more information, see the description of _\bl_\bo_\bg_\b__\bo_\bu_\bt_\bp_\bu_\bt in the
"SUDOERS OPTIONS" section below.
-
-
-
-
-1.8.0rc1 February 21, 2011 9
-
-
-
-
-
-SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
-
-
W\bWi\bil\bld\bdc\bca\bar\brd\bds\bs
s\bsu\bud\bdo\bo allows shell-style _\bw_\bi_\bl_\bd_\bc_\ba_\br_\bd_\bs (aka meta or glob characters) to be
used in host names, path names and command line arguments in the
#include /etc/sudoers.local
When s\bsu\bud\bdo\bo reaches this line it will suspend processing of the current
-
-
-
-1.8.0rc1 February 21, 2011 10
-
-
-
-
-
-SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
-
-
file (_\b/_\be_\bt_\bc_\b/_\bs_\bu_\bd_\bo_\be_\br_\bs) and switch to _\b/_\be_\bt_\bc_\b/_\bs_\bu_\bd_\bo_\be_\br_\bs_\b._\bl_\bo_\bc_\ba_\bl. Upon reaching
the end of _\b/_\be_\bt_\bc_\b/_\bs_\bu_\bd_\bo_\be_\br_\bs_\b._\bl_\bo_\bc_\ba_\bl, the rest of _\b/_\be_\bt_\bc_\b/_\bs_\bu_\bd_\bo_\be_\br_\bs will be
processed. Files that are included may themselves include other files.
A hard limit of 128 nested include files is enforced to prevent include
file loops.
- The file name may include the %h escape, signifying the short form of
- the host name. I.e., if the machine's host name is "xerxes", then
+ If the path to the include file is not fully-qualified (does not begin
+ with a _\b/), it must be located in the same directory as the sudoers file
+ it was included from. For example, if _\b/_\be_\bt_\bc_\b/_\bs_\bu_\bd_\bo_\be_\br_\bs contains the line:
+
+ #include sudoers.local
+
+ the file that will be included is _\b/_\be_\bt_\bc_\b/_\bs_\bu_\bd_\bo_\be_\br_\bs_\b._\bl_\bo_\bc_\ba_\bl.
+
+ The file name may also include the %h escape, signifying the short form
+ of the host name. I.e., if the machine's host name is "xerxes", then
#include /etc/sudoers.%h
ALL alias to allow a user to run "all but a few" commands rarely works
as intended (see SECURITY NOTES below).
-
-
-
-1.8.0rc1 February 21, 2011 11
-
-
-
-
-
-SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
-
-
Long lines can be continued with a backslash ('\') as the last
character on the line.
characters in a _\bU_\bs_\be_\br _\bS_\bp_\be_\bc_\bi_\bf_\bi_\bc_\ba_\bt_\bi_\bo_\bn ('=', ':', '(', ')') is optional.
The following characters must be escaped with a backslash ('\') when
- used as part of a word (e.g. a user name or host name): '@', '!', '=',
- ':', ',', '(', ')', '\'.
+ used as part of a word (e.g. a user name or host name): '!', '=', ':',
+ ',', '(', ')', '\'.
S\bSU\bUD\bDO\bOE\bER\bRS\bS O\bOP\bPT\bTI\bIO\bON\bNS\bS
s\bsu\bud\bdo\bo's behavior can be modified by Default_Entry lines, as explained
use the EDITOR or VISUAL if they match a value
specified in editor. This flag is _\bo_\bf_\bf by default.
-
-
-
-1.8.0rc1 February 21, 2011 12
-
-
-
-
-
-SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
-
-
- env_reset If set, s\bsu\bud\bdo\bo will reset the environment to only contain
- the LOGNAME, MAIL, SHELL, USER, USERNAME and the SUDO_*
- variables. Any variables in the caller's environment
- that match the env_keep and env_check lists are then
- added. The default contents of the env_keep and
- env_check lists are displayed when s\bsu\bud\bdo\bo is run by root
- with the _\b-_\bV option. If the _\bs_\be_\bc_\bu_\br_\be_\b__\bp_\ba_\bt_\bh option is set,
- its value will be used for the PATH environment
- variable. This flag is _\bo_\bn by default.
+ env_reset If set, s\bsu\bud\bdo\bo will run the command in a minimal
+ environment containing the TERM, PATH, HOME, MAIL,
+ SHELL, LOGNAME, USER, USERNAME and SUDO_* variables.
+ Any variables in the caller's environment that match
+ the env_keep and env_check lists are then added,
+ followed by any variables present in the file specified
+ by the _\be_\bn_\bv_\b__\bf_\bi_\bl_\be option (if any). The default contents
+ of the env_keep and env_check lists are displayed when
+ s\bsu\bud\bdo\bo is run by root with the _\b-_\bV option. If the
+ _\bs_\be_\bc_\bu_\br_\be_\b__\bp_\ba_\bt_\bh option is set, its value will be used for
+ the PATH environment variable. This flag is _\bo_\bn by
+ default.
fast_glob Normally, s\bsu\bud\bdo\bo uses the _\bg_\bl_\bo_\bb(3) function to do shell-
style globbing when matching path names. However,
prevent the usage of local sudoers files so that only
LDAP is used. This thwarts the efforts of rogue
operators who would attempt to add roles to
-
-
-
-1.8.0rc1 February 21, 2011 13
-
-
-
-
-
-SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
-
-
_\b/_\be_\bt_\bc_\b/_\bs_\bu_\bd_\bo_\be_\br_\bs. When this option is present,
_\b/_\be_\bt_\bc_\b/_\bs_\bu_\bd_\bo_\be_\br_\bs does not even need to exist. Since this
option tells s\bsu\bud\bdo\bo how to behave when no specific LDAP
log_host If set, the host name will be logged in the (non-
syslog) s\bsu\bud\bdo\bo log file. This flag is _\bo_\bf_\bf by default.
+ log_input If set, s\bsu\bud\bdo\bo will run the command in a _\bp_\bs_\be_\bu_\bd_\bo _\bt_\bt_\by and
+ log all user input. If the standard input is not
+ connected to the user's tty, due to I/O redirection or
+ because the command is part of a pipeline, that input
+ is also captured and stored in a separate log file.
+
+ Input is logged to the directory specified by the
+ _\bi_\bo_\bl_\bo_\bg_\b__\bd_\bi_\br option (_\b/_\bv_\ba_\br_\b/_\bl_\bo_\bg_\b/_\bs_\bu_\bd_\bo_\b-_\bi_\bo by default) using a
+ unique session ID that is included in the normal s\bsu\bud\bdo\bo
+ log line, prefixed with _\bT_\bS_\bI_\bD_\b=. The _\bi_\bo_\bl_\bo_\bg_\b__\bf_\bi_\bl_\be option
+ may be used to control the format of the session ID.
+
+ Note that user input may contain sensitive information
+ such as passwords (even if they are not echoed to the
+ screen), which will be stored in the log file
+ unencrypted. In most cases, logging the command output
+ via _\bl_\bo_\bg_\b__\bo_\bu_\bt_\bp_\bu_\bt is all that is required.
+
+ log_output If set, s\bsu\bud\bdo\bo will run the command in a _\bp_\bs_\be_\bu_\bd_\bo _\bt_\bt_\by and
+ log all output that is sent to the screen, similar to
+ the _\bs_\bc_\br_\bi_\bp_\bt(1) command. If the standard output or
+ standard error is not connected to the user's tty, due
+ to I/O redirection or because the command is part of a
+ pipeline, that output is also captured and stored in
+ separate log files.
+
+ Output is logged to the directory specified by the
+ _\bi_\bo_\bl_\bo_\bg_\b__\bd_\bi_\br option (_\b/_\bv_\ba_\br_\b/_\bl_\bo_\bg_\b/_\bs_\bu_\bd_\bo_\b-_\bi_\bo by default) using a
+ unique session ID that is included in the normal s\bsu\bud\bdo\bo
+ log line, prefixed with _\bT_\bS_\bI_\bD_\b=. The _\bi_\bo_\bl_\bo_\bg_\b__\bf_\bi_\bl_\be option
+ may be used to control the format of the session ID.
+
+ Output logs may be viewed with the _\bs_\bu_\bd_\bo_\br_\be_\bp_\bl_\ba_\by(1m)
+ utility, which can also be used to list or search the
+ available logs.
+
log_year If set, the four-digit year will be logged in the (non-
syslog) s\bsu\bud\bdo\bo log file. This flag is _\bo_\bf_\bf by default.
- long_otp_prompt When validating with a One Time Password (OPT) scheme
+ long_otp_prompt When validating with a One Time Password (OTP) scheme
such as S\bS/\b/K\bKe\bey\by or O\bOP\bPI\bIE\bE, a two-line prompt is used to
make it easier to cut and paste the challenge to a
local window. It's not as pretty as the default but
noexec If set, all commands run via s\bsu\bud\bdo\bo will behave as if the
NOEXEC tag has been set, unless overridden by a EXEC
tag. See the description of _\bN_\bO_\bE_\bX_\bE_\bC _\ba_\bn_\bd _\bE_\bX_\bE_\bC below as
- well as the "PREVENTING SHELL ESCAPES" section at the
+ well as the "Preventing Shell Escapes" section at the
end of this manual. This flag is _\bo_\bf_\bf by default.
path_info Normally, s\bsu\bud\bdo\bo will tell the user when a command could
not be found in their PATH environment variable. Some
sites may wish to disable this as it could be used to
-
-
-
-1.8.0rc1 February 21, 2011 14
-
-
-
-
-
-SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
-
-
gather information on the location of executables that
the normal user does not have access to. The
disadvantage is that if the executable is simply not in
instead of the password of the invoking user. This
flag is _\bo_\bf_\bf by default.
-
-
-1.8.0rc1 February 21, 2011 15
-
-
-
-
-
-SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
-
-
set_home If enabled and s\bsu\bud\bdo\bo is invoked with the -\b-s\bs option the
HOME environment variable will be set to the home
directory of the target user (which is root unless the
disabled, entries in the _\be_\bn_\bv_\b__\bk_\be_\be_\bp list will override
the value of _\bs_\be_\bt_\b__\bl_\bo_\bg_\bn_\ba_\bm_\be. This flag is _\bo_\bn by default.
+ set_utmp When enabled, s\bsu\bud\bdo\bo will create an entry in the utmp (or
+ utmpx) file when a pseudo-tty is allocated. A pseudo-
+ tty is allocated by s\bsu\bud\bdo\bo when the _\bl_\bo_\bg_\b__\bi_\bn_\bp_\bu_\bt, _\bl_\bo_\bg_\b__\bo_\bu_\bt_\bp_\bu_\bt
+ or _\bu_\bs_\be_\b__\bp_\bt_\by flags are enabled. By default, the new
+ entry will be a copy of the user's existing utmp entry
+ (if any), with the tty, time, type and pid fields
+ updated. This flag is _\bo_\bn by default.
+
setenv Allow the user to disable the _\be_\bn_\bv_\b__\br_\be_\bs_\be_\bt option from the
command line via the -\b-E\bE option. Additionally,
environment variables set via the command line are not
not listed in the passwd database as an argument to the
-\b-u\bu option. This flag is _\bo_\bf_\bf by default.
-
-
-1.8.0rc1 February 21, 2011 16
-
-
-
-
-
-SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
-
-
- log_input If set, s\bsu\bud\bdo\bo will run the command in a _\bp_\bs_\be_\bu_\bd_\bo _\bt_\bt_\by and
- log all user input. If the standard input is not
- connected to the user's tty, due to I/O redirection or
- because the command is part of a pipeline, that input
- is also captured and stored in a separate log file.
-
- Input is logged to the _\b/_\bv_\ba_\br_\b/_\bl_\bo_\bg_\b/_\bs_\bu_\bd_\bo_\b-_\bi_\bo directory using
- a unique session ID that is included in the normal s\bsu\bud\bdo\bo
- log line, prefixed with _\bT_\bS_\bI_\bD_\b=.
-
- log_output If set, s\bsu\bud\bdo\bo will run the command in a _\bp_\bs_\be_\bu_\bd_\bo _\bt_\bt_\by and
- log all output that is sent to the screen, similar to
- the _\bs_\bc_\br_\bi_\bp_\bt(1) command. If the standard output or
- standard error is not connected to the user's tty, due
- to I/O redirection or because the command is part of a
- pipeline, that output is also captured and stored in
- separate log files.
-
- Output is logged to the _\b/_\bv_\ba_\br_\b/_\bl_\bo_\bg_\b/_\bs_\bu_\bd_\bo_\b-_\bi_\bo directory
- using a unique session ID that is included in the
- normal s\bsu\bud\bdo\bo log line, prefixed with _\bT_\bS_\bI_\bD_\b=.
-
- Output logs may be viewed with the _\bs_\bu_\bd_\bo_\br_\be_\bp_\bl_\ba_\by(1m)
- utility, which can also be used to list or search the
- available logs.
-
tty_tickets If set, users must authenticate on a per-tty basis.
With this flag enabled, s\bsu\bud\bdo\bo will use a file named for
the tty the user is logged in on in the user's time
run under s\bsu\bud\bdo\bo could conceivably fork a background
process that retains to the user's terminal device
after the main program has finished executing. Use of
- this option will make that impossible.
+ this option will make that impossible. This flag is
+ _\bo_\bf_\bf by default.
+
+ utmp_runas If set, s\bsu\bud\bdo\bo will store the name of the runas user when
+ updating the utmp (or utmpx) file. By default, s\bsu\bud\bdo\bo
+ stores the name of the invoking user. This flag is _\bo_\bf_\bf
+ by default.
visiblepw By default, s\bsu\bud\bdo\bo will refuse to run if the user must
enter a password but it is not possible to disable echo
-
-
-
-1.8.0rc1 February 21, 2011 17
-
-
-
-
-
-SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
-
-
on the terminal. If the _\bv_\bi_\bs_\bi_\bb_\bl_\be_\bp_\bw flag is set, s\bsu\bud\bdo\bo
will prompt for a password even when it would be
visible on the screen. This makes it possible to run
S\bSt\btr\bri\bin\bng\bgs\bs:
-
-
-1.8.0rc1 February 21, 2011 18
-
-
-
-
-
-SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
-
-
badpass_message Message that is displayed if a user enters an incorrect
password. The default is Sorry, try again. unless
insults are enabled.
In addition, any escape sequences supported by the
system's _\bs_\bt_\br_\bf_\bt_\bi_\bm_\be_\b(_\b) function will be expanded.
- Path names that end in six or more Xs will have the Xs
- replaced with a unique combination of digits and
-
-
-
-1.8.0rc1 February 21, 2011 19
-
-
-
-
-
-SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
-
-
- letters, similar to the _\bm_\bk_\bt_\be_\bm_\bp_\b(_\b) function.
+ To include a literal `%' character, the string `%%'
+ should be used.
iolog_file The path name, relative to _\bi_\bo_\bl_\bo_\bg_\b__\bd_\bi_\br, in which to store
input/output logs when the _\bl_\bo_\bg_\b__\bi_\bn_\bp_\bu_\bt or _\bl_\bo_\bg_\b__\bo_\bu_\bt_\bp_\bu_\bt
See the _\bi_\bo_\bl_\bo_\bg_\b__\bd_\bi_\br option above for a list of supported
percent (`%') escape sequences.
+ In addition to the escape sequences, path names that
+ end in six or more Xs will have the Xs replaced with a
+ unique combination of digits and letters, similar to
+ the _\bm_\bk_\bt_\be_\bm_\bp_\b(_\b) function.
+
mailsub Subject of the mail sent to the _\bm_\ba_\bi_\bl_\bt_\bo user. The escape
%h will expand to the host name of the machine.
Default is *** SECURITY information for %h ***.
- noexec_file Path to a shared library containing dummy versions of
- the _\be_\bx_\be_\bc_\bv_\b(_\b), _\be_\bx_\be_\bc_\bv_\be_\b(_\b) and _\bf_\be_\bx_\be_\bc_\bv_\be_\b(_\b) library functions
- that just return an error. This is used to implement
- the _\bn_\bo_\be_\bx_\be_\bc functionality on systems that support
- LD_PRELOAD or its equivalent. Defaults to
- _\b/_\bu_\bs_\br_\b/_\bl_\bo_\bc_\ba_\bl_\b/_\bl_\bi_\bb_\be_\bx_\be_\bc_\b/_\bs_\bu_\bd_\bo_\b__\bn_\bo_\be_\bx_\be_\bc_\b._\bs_\bo.
+ noexec_file This option is no longer supported. The path to the
+ noexec file should now be set in the _\b/_\be_\bt_\bc_\b/_\bs_\bu_\bd_\bo_\b._\bc_\bo_\bn_\bf
+ file.
passprompt The default prompt to use when asking for a password;
can be overridden via the -\b-p\bp option or the SUDO_PROMPT
escape sequences are supported:
%H expanded to the local host name including the
- domain name (on if the machine's host name is fully
- qualified or the _\bf_\bq_\bd_\bn option is set)
+ domain name (only if the machine's host name is
+ fully qualified or the _\bf_\bq_\bd_\bn option is set)
%h expanded to the local host name without the domain
name
via command line options. This option is only
available whe s\bsu\bud\bdo\bo is built with SELinux support.
-
-
-1.8.0rc1 February 21, 2011 20
-
-
-
-
-
-SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
-
-
runas_default The default user to run commands as if the -\b-u\bu option is
not specified on the command line. This defaults to
- root. Note that if _\br_\bu_\bn_\ba_\bs_\b__\bd_\be_\bf_\ba_\bu_\bl_\bt is set it m\bmu\bus\bst\bt occur
- before any Runas_Alias specifications.
+ root.
syslog_badpri Syslog priority to use when user authenticates
unsuccessfully. Defaults to alert.
+ The following syslog priorities are supported: a\bal\ble\ber\brt\bt,
+ c\bcr\bri\bit\bt, d\bde\beb\bbu\bug\bg, e\bem\bme\ber\brg\bg, e\ber\brr\br, i\bin\bnf\bfo\bo, n\bno\bot\bti\bic\bce\be, and w\bwa\bar\brn\bni\bin\bng\bg.
+
syslog_goodpri Syslog priority to use when user authenticates
successfully. Defaults to notice.
+ See syslog_badpri for the list of supported syslog
+ priorities.
+
sudoers_locale Locale to use when parsing the sudoers file, logging
commands, and sending email. Note that changing the
locale may affect how sudoers is interpreted. Defaults
S\bSt\btr\bri\bin\bng\bgs\bs t\bth\bha\bat\bt c\bca\ban\bn b\bbe\be u\bus\bse\bed\bd i\bin\bn a\ba b\bbo\boo\bol\ble\bea\ban\bn c\bco\bon\bnt\bte\bex\bxt\bt:
- askpass The _\ba_\bs_\bk_\bp_\ba_\bs_\bs option specifies the fully qualified path to a
- helper program used to read the user's password when no
- terminal is available. This may be the case when s\bsu\bud\bdo\bo is
- executed from a graphical (as opposed to text-based)
- application. The program specified by _\ba_\bs_\bk_\bp_\ba_\bs_\bs should
- display the argument passed to it as the prompt and write
- the user's password to the standard output. The value of
- _\ba_\bs_\bk_\bp_\ba_\bs_\bs may be overridden by the SUDO_ASKPASS environment
- variable.
-
- env_file The _\be_\bn_\bv_\b__\bf_\bi_\bl_\be options specifies the fully qualified path to
- a file containing variables to be set in the environment of
+ env_file The _\be_\bn_\bv_\b__\bf_\bi_\bl_\be option specifies the fully qualified path to a
+ file containing variables to be set in the environment of
the program being run. Entries in this file should either
be of the form VARIABLE=value or export VARIABLE=value.
The value may optionally be surrounded by single or double
exempt_group
Users in this group are exempt from password and PATH
- requirements. This is not set by default.
+ requirements. The group name specified should not include
+ a % prefix. This is not set by default.
group_plugin
A string containing a _\bs_\bu_\bd_\bo_\be_\br_\bs group plugin with optional
-
-
-
-1.8.0rc1 February 21, 2011 21
-
-
-
-
-
-SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
-
-
arguments. This can be used to implement support for the
nonunix_group syntax described earlier. The string should
consist of the plugin path, either fully-qualified or
For example, given _\b/_\be_\bt_\bc_\b/_\bs_\bu_\bd_\bo_\b-_\bg_\br_\bo_\bu_\bp, a group file in Unix
group format, the sample group plugin can be used:
- Defaults sudo_plugin="sample_group.so /etc/sudo-group"
+ Defaults group_plugin="sample_group.so /etc/sudo-group"
For more information see _\bs_\bu_\bd_\bo_\b__\bp_\bl_\bu_\bg_\bi_\bn(4).
option.
If no value is specified, a value of _\ba_\bn_\by is implied.
-
-
-
-1.8.0rc1 February 21, 2011 22
-
-
-
-
-
-SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
-
-
Negating the option results in a value of _\bn_\be_\bv_\be_\br being used.
The default value is _\ba_\bn_\by.
syslog Syslog facility if syslog is being used for logging (negate
to disable syslog logging). Defaults to auth.
+ The following syslog facilities are supported: a\bau\but\bth\bhp\bpr\bri\biv\bv (if
+ your OS supports it), a\bau\but\bth\bh, d\bda\bae\bem\bmo\bon\bn, u\bus\bse\ber\br, l\blo\boc\bca\bal\bl0\b0, l\blo\boc\bca\bal\bl1\b1,
+ l\blo\boc\bca\bal\bl2\b2, l\blo\boc\bca\bal\bl3\b3, l\blo\boc\bca\bal\bl4\b4, l\blo\boc\bca\bal\bl5\b5, l\blo\boc\bca\bal\bl6\b6, and l\blo\boc\bca\bal\bl7\b7.
+
verifypw This option controls when a password will be required when
a user runs s\bsu\bud\bdo\bo with the -\b-v\bv option. It has the following
possible values:
Negating the option results in a value of _\bn_\be_\bv_\be_\br being used.
The default value is _\ba_\bl_\bl.
-
-
-
-1.8.0rc1 February 21, 2011 23
-
-
-
-
-
-SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
-
-
L\bLi\bis\bst\bts\bs t\bth\bha\bat\bt c\bca\ban\bn b\bbe\be u\bus\bse\bed\bd i\bin\bn a\ba b\bbo\boo\bol\ble\bea\ban\bn c\bco\bon\bnt\bte\bex\bxt\bt:
env_check Environment variables to be removed from the user's
variables to keep is displayed when s\bsu\bud\bdo\bo is run by root
with the _\b-_\bV option.
- When logging via _\bs_\by_\bs_\bl_\bo_\bg(3), s\bsu\bud\bdo\bo accepts the following values for the
- syslog facility (the value of the s\bsy\bys\bsl\blo\bog\bg Parameter): a\bau\but\bth\bhp\bpr\bri\biv\bv (if your
- OS supports it), a\bau\but\bth\bh, d\bda\bae\bem\bmo\bon\bn, u\bus\bse\ber\br, l\blo\boc\bca\bal\bl0\b0, l\blo\boc\bca\bal\bl1\b1, l\blo\boc\bca\bal\bl2\b2, l\blo\boc\bca\bal\bl3\b3,
- l\blo\boc\bca\bal\bl4\b4, l\blo\boc\bca\bal\bl5\b5, l\blo\boc\bca\bal\bl6\b6, and l\blo\boc\bca\bal\bl7\b7. The following syslog priorities
- are supported: a\bal\ble\ber\brt\bt, c\bcr\bri\bit\bt, d\bde\beb\bbu\bug\bg, e\bem\bme\ber\brg\bg, e\ber\brr\br, i\bin\bnf\bfo\bo, n\bno\bot\bti\bic\bce\be, and
- w\bwa\bar\brn\bni\bin\bng\bg.
+S\bSU\bUD\bDO\bO.\b.C\bCO\bON\bNF\bF
+ The _\b/_\be_\bt_\bc_\b/_\bs_\bu_\bd_\bo_\b._\bc_\bo_\bn_\bf file determines which plugins the s\bsu\bud\bdo\bo front end
+ will load. If no _\b/_\be_\bt_\bc_\b/_\bs_\bu_\bd_\bo_\b._\bc_\bo_\bn_\bf file is present, or it contains no
+ Plugin lines, s\bsu\bud\bdo\bo will use the _\bs_\bu_\bd_\bo_\be_\br_\bs security policy and I/O
+ logging, which corresponds to the following _\b/_\be_\bt_\bc_\b/_\bs_\bu_\bd_\bo_\b._\bc_\bo_\bn_\bf file.
-F\bFI\bIL\bLE\bES\bS
- _\b/_\be_\bt_\bc_\b/_\bs_\bu_\bd_\bo_\be_\br_\bs List of who can run what
+ #
+ # Default /etc/sudo.conf file
+ #
+ # Format:
+ # Plugin plugin_name plugin_path plugin_args ...
+ # Path askpass /path/to/askpass
+ # Path noexec /path/to/sudo_noexec.so
+ # Debug sudo /var/log/sudo_debug all@warn
+ # Set disable_coredump true
+ #
+ # The plugin_path is relative to /usr/local/libexec unless
+ # fully qualified.
+ # The plugin_name corresponds to a global symbol in the plugin
+ # that contains the plugin interface structure.
+ # The plugin_args are optional.
+ #
+ Plugin policy_plugin sudoers.so
+ Plugin io_plugin sudoers.so
- _\b/_\be_\bt_\bc_\b/_\bg_\br_\bo_\bu_\bp Local groups file
+ P\bPL\bLU\bUG\bGI\bIN\bN O\bOP\bPT\bTI\bIO\bON\bNS\bS
+ Starting with s\bsu\bud\bdo\bo 1.8.5 it is possible to pass options to the _\bs_\bu_\bd_\bo_\be_\br_\bs
+ plugin. Options may be listed after the path to the plugin (i.e. after
+ _\bs_\bu_\bd_\bo_\be_\br_\bs_\b._\bs_\bo); multiple options should be space-separated. For example:
- _\b/_\be_\bt_\bc_\b/_\bn_\be_\bt_\bg_\br_\bo_\bu_\bp List of network groups
+ Plugin sudoers_policy sudoers.so sudoers_file=/etc/sudoers sudoers_uid=0 sudoers_gid=0 sudoers_mode=0440
+
+ The following plugin options are supported:
+
+ sudoers_file=pathname
+ The _\bs_\bu_\bd_\bo_\be_\br_\bs_\b__\bf_\bi_\bl_\be option can be used to override the default
+ path to the _\bs_\bu_\bd_\bo_\be_\br_\bs file.
+
+ sudoers_uid=uid
+ The _\bs_\bu_\bd_\bo_\be_\br_\bs_\b__\bu_\bi_\bd option can be used to override the default
+ owner of the sudoers file. It should be specified as a
+ numeric user ID.
+
+ sudoers_gid=gid
+ The _\bs_\bu_\bd_\bo_\be_\br_\bs_\b__\bg_\bi_\bd option can be used to override the default
+ group of the sudoers file. It should be specified as a
+ numeric group ID.
+
+ sudoers_mode=mode
+ The _\bs_\bu_\bd_\bo_\be_\br_\bs_\b__\bm_\bo_\bd_\be option can be used to override the default
+ file mode for the sudoers file. It should be specified as an
+ octal value.
+
+ D\bDE\bEB\bBU\bUG\bG F\bFL\bLA\bAG\bGS\bS
+ Versions 1.8.4 and higher of the _\bs_\bu_\bd_\bo_\be_\br_\bs plugin supports a debugging
+ framework that can help track down what the plugin is doing internally
+ if there is a problem. This can be configured in the _\b/_\be_\bt_\bc_\b/_\bs_\bu_\bd_\bo_\b._\bc_\bo_\bn_\bf
+ file as described in _\bs_\bu_\bd_\bo(1m).
+
+ The _\bs_\bu_\bd_\bo_\be_\br_\bs plugin uses the same debug flag format as s\bsu\bud\bdo\bo itself:
+ _\bs_\bu_\bb_\bs_\by_\bs_\bt_\be_\bm@_\bp_\br_\bi_\bo_\br_\bi_\bt_\by.
+
+ The priorities used by _\bs_\bu_\bd_\bo_\be_\br_\bs, in order of decreasing severity, are:
+ _\bc_\br_\bi_\bt, _\be_\br_\br, _\bw_\ba_\br_\bn, _\bn_\bo_\bt_\bi_\bc_\be, _\bd_\bi_\ba_\bg, _\bi_\bn_\bf_\bo, _\bt_\br_\ba_\bc_\be and _\bd_\be_\bb_\bu_\bg. Each priority,
+ when specified, also includes all priorities higher than it. For
+ example, a priority of _\bn_\bo_\bt_\bi_\bc_\be would include debug messages logged at
+ _\bn_\bo_\bt_\bi_\bc_\be and higher.
+
+ The following subsystems are used by _\bs_\bu_\bd_\bo_\be_\br_\bs:
+
+ _\ba_\bl_\bi_\ba_\bs User_Alias, Runas_Alias, Host_Alias and Cmnd_Alias processing
+
+ _\ba_\bl_\bl matches every subsystem
+
+ _\ba_\bu_\bd_\bi_\bt BSM and Linux audit code
+
+ _\ba_\bu_\bt_\bh user authentication
+
+ _\bd_\be_\bf_\ba_\bu_\bl_\bt_\bs _\bs_\bu_\bd_\bo_\be_\br_\bs _\bD_\be_\bf_\ba_\bu_\bl_\bt_\bs settings
+
+ _\be_\bn_\bv environment handling
+ _\bl_\bd_\ba_\bp LDAP-based sudoers
+ _\bl_\bo_\bg_\bg_\bi_\bn_\bg logging support
+ _\bm_\ba_\bt_\bc_\bh matching of users, groups, hosts and netgroups in _\bs_\bu_\bd_\bo_\be_\br_\bs
-1.8.0rc1 February 21, 2011 24
+ _\bn_\be_\bt_\bi_\bf network interface handling
+ _\bn_\bs_\bs network service switch handling in _\bs_\bu_\bd_\bo_\be_\br_\bs
+ _\bp_\ba_\br_\bs_\be_\br _\bs_\bu_\bd_\bo_\be_\br_\bs file parsing
+ _\bp_\be_\br_\bm_\bs permission setting
+ _\bp_\bl_\bu_\bg_\bi_\bn The equivalent of _\bm_\ba_\bi_\bn for the plugin.
-SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
+ _\bp_\bt_\by pseudo-tty related code
+ _\br_\bb_\bt_\br_\be_\be redblack tree internals
+
+ _\bu_\bt_\bi_\bl utility functions
+
+F\bFI\bIL\bLE\bES\bS
+ _\b/_\be_\bt_\bc_\b/_\bs_\bu_\bd_\bo_\b._\bc_\bo_\bn_\bf Sudo front end configuration
+
+ _\b/_\be_\bt_\bc_\b/_\bs_\bu_\bd_\bo_\be_\br_\bs List of who can run what
+
+ _\b/_\be_\bt_\bc_\b/_\bg_\br_\bo_\bu_\bp Local groups file
+
+ _\b/_\be_\bt_\bc_\b/_\bn_\be_\bt_\bg_\br_\bo_\bu_\bp List of network groups
_\b/_\bv_\ba_\br_\b/_\bl_\bo_\bg_\b/_\bs_\bu_\bd_\bo_\b-_\bi_\bo I/O log files
Here we override some of the compiled in default values. We want s\bsu\bud\bdo\bo
to log via _\bs_\by_\bs_\bl_\bo_\bg(3) using the _\ba_\bu_\bt_\bh facility in all cases. We don't
-
-
-
-1.8.0rc1 February 21, 2011 25
-
-
-
-
-
-SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
-
-
want to subject the full time staff to the s\bsu\bud\bdo\bo lecture, user m\bmi\bil\bll\ble\ber\brt\bt
need not give a password, and we don't want to reset the LOGNAME, USER
or USERNAME environment variables when running commands as root.
sudoedit /etc/printcap, /usr/oper/bin/
The o\bop\bpe\ber\bra\bat\bto\bor\br user may run commands limited to simple maintenance.
-
-
-
-1.8.0rc1 February 21, 2011 26
-
-
-
-
-
-SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
-
-
Here, those are commands related to backups, killing processes, the
printing system, shutting down the system, and any commands in the
directory _\b/_\bu_\bs_\br_\b/_\bo_\bp_\be_\br_\b/_\bb_\bi_\bn_\b/.
For any machine in the _\bS_\bE_\bR_\bV_\bE_\bR_\bS Host_Alias, j\bji\bil\bll\bl may run any commands in
the directory _\b/_\bu_\bs_\br_\b/_\bb_\bi_\bn_\b/ except for those commands belonging to the _\bS_\bU
-
-
-
-1.8.0rc1 February 21, 2011 27
-
-
-
-
-
-SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
-
-
and _\bS_\bH_\bE_\bL_\bL_\bS Cmnd_Aliases.
steve CSNETS = (operator) /usr/local/op_commands/
encapsulating in a shell script.
S\bSE\bEC\bCU\bUR\bRI\bIT\bTY\bY N\bNO\bOT\bTE\bES\bS
+ L\bLi\bim\bmi\bit\bta\bat\bti\bio\bon\bns\bs o\bof\bf t\bth\bhe\be '\b'!\b!'\b' o\bop\bpe\ber\bra\bat\bto\bor\br
It is generally not effective to "subtract" commands from ALL using the
'!' operator. A user can trivially circumvent this by copying the
desired command to a different name and then executing that. For
kind of restrictions should be considered advisory at best (and
reinforced by policy).
- Furthermore, if the _\bf_\ba_\bs_\bt_\b__\bg_\bl_\bo_\bb option is in use, it is not possible to
- reliably negate commands where the path name includes globbing (aka
- wildcard) characters. This is because the C library's _\bf_\bn_\bm_\ba_\bt_\bc_\bh(3)
- function cannot resolve relative paths. While this is typically only
- an inconvenience for rules that grant privileges, it can result in a
- security issue for rules that subtract or revoke privileges.
+ In general, if a user has sudo ALL there is nothing to prevent them
+ from creating their own program that gives them a root shell (or making
+ their own copy of a shell) regardless of any '!' elements in the user
+ specification.
+
+ S\bSe\bec\bcu\bur\bri\bit\bty\by i\bim\bmp\bpl\bli\bic\bca\bat\bti\bio\bon\bns\bs o\bof\bf _\bf_\ba_\bs_\bt_\b__\bg_\bl_\bo_\bb
+ If the _\bf_\ba_\bs_\bt_\b__\bg_\bl_\bo_\bb option is in use, it is not possible to reliably
+ negate commands where the path name includes globbing (aka wildcard)
+ characters. This is because the C library's _\bf_\bn_\bm_\ba_\bt_\bc_\bh(3) function cannot
+ resolve relative paths. While this is typically only an inconvenience
+ for rules that grant privileges, it can result in a security issue for
+ rules that subtract or revoke privileges.
For example, given the following _\bs_\bu_\bd_\bo_\be_\br_\bs entry:
User j\bjo\boh\bhn\bn can still run /usr/bin/passwd root if _\bf_\ba_\bs_\bt_\b__\bg_\bl_\bo_\bb is enabled by
changing to _\b/_\bu_\bs_\br_\b/_\bb_\bi_\bn and running ./passwd root instead.
-
-
-1.8.0rc1 February 21, 2011 28
-
-
-
-
-
-SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
-
-
-P\bPR\bRE\bEV\bVE\bEN\bNT\bTI\bIN\bNG\bG S\bSH\bHE\bEL\bLL\bL E\bES\bSC\bCA\bAP\bPE\bES\bS
+ P\bPr\bre\bev\bve\ben\bnt\bti\bin\bng\bg S\bSh\bhe\bel\bll\bl E\bEs\bsc\bca\bap\bpe\bes\bs
Once s\bsu\bud\bdo\bo executes a program, that program is free to do whatever it
pleases, including run other programs. This can be a security issue
since it is not uncommon for a program to allow shell escapes, which
executables and foreign executables running under binary
emulation are not affected.
- To tell whether or not s\bsu\bud\bdo\bo supports _\bn_\bo_\be_\bx_\be_\bc, you can run the
- following as root:
+ The _\bn_\bo_\be_\bx_\be_\bc feature is known to work on SunOS, Solaris, *BSD,
+ Linux, IRIX, Tru64 UNIX, MacOS X, HP-UX 11.x and AIX 5.3 and
+ above. It should be supported on most operating systems that
+ support the LD_PRELOAD environment variable. Check your
+ operating system's manual pages for the dynamic linker
+ (usually ld.so, ld.so.1, dyld, dld.sl, rld, or loader) to see
+ if LD_PRELOAD is supported.
- sudo -V | grep "dummy exec"
-
- If the resulting output contains a line that begins with:
-
- File containing dummy exec functions:
-
- then s\bsu\bud\bdo\bo may be able to replace the exec family of functions
- in the standard library with its own that simply return an
- error. Unfortunately, there is no foolproof way to know
- whether or not _\bn_\bo_\be_\bx_\be_\bc will work at compile-time. _\bn_\bo_\be_\bx_\be_\bc
- should work on SunOS, Solaris, *BSD, Linux, IRIX, Tru64 UNIX,
- MacOS X, and HP-UX 11.x. It is known n\bno\bot\bt to work on AIX and
- UnixWare. _\bn_\bo_\be_\bx_\be_\bc is expected to work on most operating
- systems that support the LD_PRELOAD environment variable.
- Check your operating system's manual pages for the dynamic
- linker (usually ld.so, ld.so.1, dyld, dld.sl, rld, or loader)
- to see if LD_PRELOAD is supported.
+ On Solaris 10 and higher, _\bn_\bo_\be_\bx_\be_\bc uses Solaris privileges
+ instead of the LD_PRELOAD environment variable.
To enable _\bn_\bo_\be_\bx_\be_\bc for a command, use the NOEXEC tag as
documented in the User Specification section above. Here is
aaron shanty = NOEXEC: /usr/bin/more, /usr/bin/vi
-
-
-
-1.8.0rc1 February 21, 2011 29
-
-
-
-
-
-SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
-
-
This allows user a\baa\bar\bro\bon\bn to run _\b/_\bu_\bs_\br_\b/_\bb_\bi_\bn_\b/_\bm_\bo_\br_\be and _\b/_\bu_\bs_\br_\b/_\bb_\bi_\bn_\b/_\bv_\bi
with _\bn_\bo_\be_\bx_\be_\bc enabled. This will prevent those two commands
from executing other commands (such as a shell). If you are
unsure whether or not your system is capable of supporting
- _\bn_\bo_\be_\bx_\be_\bc you can always just try it out and see if it works.
+ _\bn_\bo_\be_\bx_\be_\bc you can always just try it out and check whether shell
+ escapes work when _\bn_\bo_\be_\bx_\be_\bc is enabled.
Note that restricting shell escapes is not a panacea. Programs running
as root are still capable of many potentially hazardous operations
privilege escalation. In the specific case of an editor, a safer
approach is to give the user permission to run s\bsu\bud\bdo\boe\bed\bdi\bit\bt.
-S\bSE\bEC\bCU\bUR\bRI\bIT\bTY\bY N\bNO\bOT\bTE\bES\bS
+ T\bTi\bim\bme\be s\bst\bta\bam\bmp\bp f\bfi\bil\ble\be c\bch\bhe\bec\bck\bks\bs
_\bs_\bu_\bd_\bo_\be_\br_\bs will check the ownership of its time stamp directory
(_\b/_\bv_\ba_\br_\b/_\ba_\bd_\bm_\b/_\bs_\bu_\bd_\bo by default) and ignore the directory's contents if it is
not owned by root or if it is writable by a user other than root. On
Administrators should not rely on this feature as it is not universally
available.
- If users have sudo ALL there is nothing to prevent them from creating
- their own program that gives them a root shell (or making their own
- copy of a shell) regardless of any '!' elements in the user
-
-
-
-1.8.0rc1 February 21, 2011 30
-
-
-
-
-
-SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
-
-
- specification.
-
S\bSE\bEE\bE A\bAL\bLS\bSO\bO
_\br_\bs_\bh(1), _\bs_\bu(1), _\bf_\bn_\bm_\ba_\bt_\bc_\bh(3), _\bg_\bl_\bo_\bb(3), _\bm_\bk_\bt_\be_\bm_\bp(3), _\bs_\bt_\br_\bf_\bt_\bi_\bm_\be(3),
_\bs_\bu_\bd_\bo_\be_\br_\bs_\b._\bl_\bd_\ba_\bp(4), _\bs_\bu_\bd_\bo_\b__\bp_\bl_\bu_\bg_\bi_\bn(1m), _\bs_\bu_\bd_\bo(1m), _\bv_\bi_\bs_\bu_\bd_\bo(1m)
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-1.8.0rc1 February 21, 2011 31
-
-
+1.8.5 March 14, 2012 SUDOERS(4)
+SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4)
-SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4)
-
-
N\bNA\bAM\bME\bE
sudoers.ldap - sudo LDAP configuration
Using LDAP for _\bs_\bu_\bd_\bo_\be_\br_\bs has several benefits:
- +\bo s\bsu\bud\bdo\bo no longer needs to read _\bs_\bu_\bd_\bo_\be_\br_\bs in its entirety. When LDAP is
+ o s\bsu\bud\bdo\bo no longer needs to read _\bs_\bu_\bd_\bo_\be_\br_\bs in its entirety. When LDAP is
used, there are only two or three LDAP queries per invocation.
This makes it especially fast and particularly usable in LDAP
environments.
- +\bo s\bsu\bud\bdo\bo no longer exits if there is a typo in _\bs_\bu_\bd_\bo_\be_\br_\bs. It is not
+ o s\bsu\bud\bdo\bo no longer exits if there is a typo in _\bs_\bu_\bd_\bo_\be_\br_\bs. It is not
possible to load LDAP data into the server that does not conform to
the sudoers schema, so proper syntax is guaranteed. It is still
possible to have typos in a user or host name, but this will not
prevent s\bsu\bud\bdo\bo from running.
- +\bo It is possible to specify per-entry options that override the
+ o It is possible to specify per-entry options that override the
global default options. _\b/_\be_\bt_\bc_\b/_\bs_\bu_\bd_\bo_\be_\br_\bs only supports default options
and limited options associated with user/host/commands/aliases.
The syntax is complicated and can be difficult for users to
understand. Placing the options directly in the entry is more
natural.
- +\bo The v\bvi\bis\bsu\bud\bdo\bo program is no longer needed. v\bvi\bis\bsu\bud\bdo\bo provides locking
+ o The v\bvi\bis\bsu\bud\bdo\bo program is no longer needed. v\bvi\bis\bsu\bud\bdo\bo provides locking
and syntax checking of the _\b/_\be_\bt_\bc_\b/_\bs_\bu_\bd_\bo_\be_\br_\bs file. Since LDAP updates
are atomic, locking is no longer necessary. Because syntax is
checked when the data is inserted into LDAP, there is no need for a
Sudo first looks for the cn=default entry in the SUDOers container. If
found, the multi-valued sudoOption attribute is parsed in the same
-
-
-
-1.8.0rc1 February 21, 2011 1
-
-
-
-
-
-SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4)
-
-
manner as a global Defaults line in _\b/_\be_\bt_\bc_\b/_\bs_\bu_\bd_\bo_\be_\br_\bs. In the following
example, the SSH_AUTH_SOCK variable will be preserved in the
environment for all users.
following attributes:
s\bsu\bud\bdo\boU\bUs\bse\ber\br
- A user name, uid (prefixed with '#'), Unix group (prefixed with a
- '%') or user netgroup (prefixed with a '+').
+ A user name, user ID (prefixed with '#'), Unix group (prefixed with
+ '%'), Unix group ID (prefixed with '%#'), or user netgroup
+ (prefixed with '+').
s\bsu\bud\bdo\boH\bHo\bos\bst\bt
A host name, IP address, IP network, or host netgroup (prefixed
1.7.0 and higher.
s\bsu\bud\bdo\boN\bNo\bot\btB\bBe\bef\bfo\bor\bre\be
- A timestamp in the form yyyymmddHHMMZ that can be used to provide a
- start date/time for when the sudoRole will be valid. If multiple
+ A timestamp in the form yyyymmddHHMMSSZ that can be used to provide
+ a start date/time for when the sudoRole will be valid. If multiple
sudoNotBefore entries are present, the earliest is used. Note that
-
-
-
-1.8.0rc1 February 21, 2011 2
-
-
-
-
-
-SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4)
-
-
timestamps must be in Coordinated Universal Time (UTC), not the
- local timezone.
+ local timezone. The minute and seconds portions are optional, but
+ some LDAP servers require that they be present (contrary to the
+ RFC).
The sudoNotBefore attribute is only available in s\bsu\bud\bdo\bo versions
1.7.5 and higher and must be explicitly enabled via the
S\bSU\bUD\bDO\bOE\bER\bRS\bS_\b_T\bTI\bIM\bME\bED\bD option in _\b/_\be_\bt_\bc_\b/_\bl_\bd_\ba_\bp_\b._\bc_\bo_\bn_\bf.
s\bsu\bud\bdo\boN\bNo\bot\btA\bAf\bft\bte\ber\br
- A timestamp in the form yyyymmddHHMMZ that indicates an expiration
- date/time, after which the sudoRole will no longer be valid. If
- multiple sudoNotBefore entries are present, the last one is used.
- Note that timestamps must be in Coordinated Universal Time (UTC),
- not the local timezone.
+ A timestamp in the form yyyymmddHHMMSSZ that indicates an
+ expiration date/time, after which the sudoRole will no longer be
+ valid. If multiple sudoNotBefore entries are present, the last one
+ is used. Note that timestamps must be in Coordinated Universal
+ Time (UTC), not the local timezone. The minute and seconds
+ portions are optional, but some LDAP servers require that they be
+ present (contrary to the RFC).
The sudoNotAfter attribute is only available in s\bsu\bud\bdo\bo versions 1.7.5
and higher and must be explicitly enabled via the S\bSU\bUD\bDO\bOE\bER\bRS\bS_\b_T\bTI\bIM\bME\bED\bD
that the user belongs to. (The special ALL tag is matched in this
query too.) If no match is returned for the user's name and groups, a
third query returns all entries containing user netgroups and checks to
-
-
-
-1.8.0rc1 February 21, 2011 3
-
-
-
-
-
-SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4)
-
-
see if the user belongs to any of them.
If timed entries are enabled with the S\bSU\bUD\bDO\bOE\bER\bRS\bS_\b_T\bTI\bIM\bME\bED\bD configuration
currently ignored. For example, the following attributes do not behave
the way one might expect.
-
-
-
-
-1.8.0rc1 February 21, 2011 4
-
-
-
-
-
-SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4)
-
-
# does not match all but joe
# rather, does not match anyone
sudoUser: !joe
commercial versions of Unix are only capable of supporting one or
the other.
-
-
-1.8.0rc1 February 21, 2011 5
-
-
-
-
-
-SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4)
-
-
H\bHO\bOS\bST\bT name[:port] ...
If no U\bUR\bRI\bI is specified, the H\bHO\bOS\bST\bT parameter specifies a whitespace-
delimited list of LDAP servers to connect to. Each host may
example.com. Multiple S\bSU\bUD\bDO\bOE\bER\bRS\bS_\b_B\bBA\bAS\bSE\bE lines may be specified, in
which case they are queried in the order specified.
+ S\bSU\bUD\bDO\bOE\bER\bRS\bS_\b_S\bSE\bEA\bAR\bRC\bCH\bH_\b_F\bFI\bIL\bLT\bTE\bER\bR ldap_filter
+ An LDAP filter which is used to restrict the set of records
+ returned when performing a s\bsu\bud\bdo\bo LDAP query. Typically, this is of
+ the form attribute=value or
+ (&(attribute=value)(attribute2=value2)).
+
S\bSU\bUD\bDO\bOE\bER\bRS\bS_\b_T\bTI\bIM\bME\bED\bD on/true/yes/off/false/no
Whether or not to evaluate the sudoNotBefore and sudoNotAfter
attributes that implement time-dependent sudoers entries.
The B\bBI\bIN\bND\bDD\bDN\bN parameter specifies the identity, in the form of a
Distinguished Name (DN), to use when performing LDAP operations.
If not specified, LDAP operations are performed with an anonymous
-
-
-
-1.8.0rc1 February 21, 2011 6
-
-
-
-
-
-SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4)
-
-
identity. By default, most LDAP servers will allow anonymous
access.
libraries use the same certificate database for CA and client
certificates (see T\bTL\bLS\bS_\b_C\bCE\bER\bRT\bT).
-
-
-1.8.0rc1 February 21, 2011 7
-
-
-
-
-
-SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4)
-
-
T\bTL\bLS\bS_\b_C\bCA\bAC\bCE\bER\bRT\bTD\bDI\bIR\bR directory
Similar to T\bTL\bLS\bS_\b_C\bCA\bAC\bCE\bER\bRT\bTF\bFI\bIL\bLE\bE but instead of a file, it is a directory
containing individual Certificate Authority certificates, e.g.
R\bRO\bOO\bOT\bTU\bUS\bSE\bE_\b_S\bSA\bAS\bSL\bL on/true/yes/off/false/no
Enable R\bRO\bOO\bOT\bTU\bUS\bSE\bE_\b_S\bSA\bAS\bSL\bL to enable SASL authentication when connecting
-
-
-
-1.8.0rc1 February 21, 2011 8
-
-
-
-
-
-SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4)
-
-
to an LDAP server from a privileged process, such as s\bsu\bud\bdo\bo.
R\bRO\bOO\bOT\bTS\bSA\bAS\bSL\bL_\b_A\bAU\bUT\bTH\bH_\b_I\bID\bD identity
The path to the Kerberos 5 credential cache to use when
authenticating with the remote server.
+ D\bDE\bER\bRE\bEF\bF never/searching/finding/always
+ How alias dereferencing is to be performed when searching. See the
+ _\bl_\bd_\ba_\bp_\b._\bc_\bo_\bn_\bf(4) manual for a full description of this option.
+
See the ldap.conf entry in the EXAMPLES section.
C\bCo\bon\bnf\bfi\big\bgu\bur\bri\bin\bng\bg n\bns\bss\bsw\bwi\bit\btc\bch\bh.\b.c\bco\bon\bnf\bf
_\bn_\bs_\bs_\bw_\bi_\bt_\bc_\bh_\b._\bc_\bo_\bn_\bf; information in the previous section unrelated to the
file format itself still applies.
-
-
-
-1.8.0rc1 February 21, 2011 9
-
-
-
-
-
-SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4)
-
-
To consult LDAP first followed by the local sudoers file (if it
exists), use:
#
# Must be set or sudo will ignore LDAP; may be specified multiple times.
sudoers_base ou=SUDOers,dc=example,dc=com
-
-
-
-1.8.0rc1 February 21, 2011 10
-
-
-
-
-
-SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4)
-
-
#
# verbose sudoers matching from ldap
#sudoers_debug 2
# the LDAP server.
# Tips:
# * Enable both lines at the same time.
-
-
-
-1.8.0rc1 February 21, 2011 11
-
-
-
-
-
-SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4)
-
-
# * Do not password protect the key file.
# * Ensure the keyfile is only readable by root.
#
NAME 'sudoCommand'
DESC 'Command(s) to be executed by sudo'
EQUALITY caseExactIA5Match
-
-
-
-1.8.0rc1 February 21, 2011 12
-
-
-
-
-
-SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4)
-
-
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
attributetype ( 1.3.6.1.4.1.15953.9.1.4
sudoOrder $ description )
)
-
-
-1.8.0rc1 February 21, 2011 13
-
-
-
-
-
-SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4)
-
-
S\bSE\bEE\bE A\bAL\bLS\bSO\bO
_\bl_\bd_\ba_\bp_\b._\bc_\bo_\bn_\bf(4), _\bs_\bu_\bd_\bo_\be_\br_\bs(4)
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-1.8.0rc1 February 21, 2011 14
-
-
+1.8.5 March 14, 2012 SUDOERS.LDAP(4)
.\" ========================================================================
.\"
.IX Title "SUDOERS.LDAP @mansectform@"
-.TH SUDOERS.LDAP @mansectform@ "February 21, 2011" "1.8.0rc1" "MAINTENANCE COMMANDS"
+.TH SUDOERS.LDAP @mansectform@ "March 14, 2012" "1.8.5" "MAINTENANCE COMMANDS"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
the following attributes:
.IP "\fBsudoUser\fR" 4
.IX Item "sudoUser"
-A user name, uid (prefixed with \f(CW\*(Aq#\*(Aq\fR), Unix group (prefixed with
-a \f(CW\*(Aq%\*(Aq\fR) or user netgroup (prefixed with a \f(CW\*(Aq+\*(Aq\fR).
+A user name, user \s-1ID\s0 (prefixed with \f(CW\*(Aq#\*(Aq\fR), Unix group (prefixed with
+\&\f(CW\*(Aq%\*(Aq\fR), Unix group \s-1ID\s0 (prefixed with \f(CW\*(Aq%#\*(Aq\fR), or user netgroup
+(prefixed with \f(CW\*(Aq+\*(Aq\fR).
.IP "\fBsudoHost\fR" 4
.IX Item "sudoHost"
A host name, \s-1IP\s0 address, \s-1IP\s0 network, or host netgroup (prefixed
1.7.0 and higher.
.IP "\fBsudoNotBefore\fR" 4
.IX Item "sudoNotBefore"
-A timestamp in the form \f(CW\*(C`yyyymmddHHMMZ\*(C'\fR that can be used to provide
+A timestamp in the form \f(CW\*(C`yyyymmddHHMMSSZ\*(C'\fR that can be used to provide
a start date/time for when the \f(CW\*(C`sudoRole\*(C'\fR will be valid. If
multiple \f(CW\*(C`sudoNotBefore\*(C'\fR entries are present, the earliest is used.
Note that timestamps must be in Coordinated Universal Time (\s-1UTC\s0),
-not the local timezone.
+not the local timezone. The minute and seconds portions are optional,
+but some \s-1LDAP\s0 servers require that they be present (contrary to the \s-1RFC\s0).
.Sp
The \f(CW\*(C`sudoNotBefore\*(C'\fR attribute is only available in \fBsudo\fR versions
1.7.5 and higher and must be explicitly enabled via the \fB\s-1SUDOERS_TIMED\s0\fR
option in \fI@ldap_conf@\fR.
.IP "\fBsudoNotAfter\fR" 4
.IX Item "sudoNotAfter"
-A timestamp in the form \f(CW\*(C`yyyymmddHHMMZ\*(C'\fR that indicates an expiration
+A timestamp in the form \f(CW\*(C`yyyymmddHHMMSSZ\*(C'\fR that indicates an expiration
date/time, after which the \f(CW\*(C`sudoRole\*(C'\fR will no longer be valid. If
multiple \f(CW\*(C`sudoNotBefore\*(C'\fR entries are present, the last one is used.
Note that timestamps must be in Coordinated Universal Time (\s-1UTC\s0),
-not the local timezone.
+not the local timezone. The minute and seconds portions are optional,
+but some \s-1LDAP\s0 servers require that they be present (contrary to the \s-1RFC\s0).
.Sp
The \f(CW\*(C`sudoNotAfter\*(C'\fR attribute is only available in \fBsudo\fR versions
1.7.5 and higher and must be explicitly enabled via the \fB\s-1SUDOERS_TIMED\s0\fR
this is of the form \f(CW\*(C`ou=SUDOers,dc=example,dc=com\*(C'\fR for the domain
\&\f(CW\*(C`example.com\*(C'\fR. Multiple \fB\s-1SUDOERS_BASE\s0\fR lines may be specified,
in which case they are queried in the order specified.
+.IP "\fB\s-1SUDOERS_SEARCH_FILTER\s0\fR ldap_filter" 4
+.IX Item "SUDOERS_SEARCH_FILTER ldap_filter"
+An \s-1LDAP\s0 filter which is used to restrict the set of records returned
+when performing a \fBsudo\fR \s-1LDAP\s0 query. Typically, this is of the
+form \f(CW\*(C`attribute=value\*(C'\fR or \f(CW\*(C`(&(attribute=value)(attribute2=value2))\*(C'\fR.
.IP "\fB\s-1SUDOERS_TIMED\s0\fR on/true/yes/off/false/no" 4
.IX Item "SUDOERS_TIMED on/true/yes/off/false/no"
Whether or not to evaluate the \f(CW\*(C`sudoNotBefore\*(C'\fR and \f(CW\*(C`sudoNotAfter\*(C'\fR
.IX Item "KRB5_CCNAME file name"
The path to the Kerberos 5 credential cache to use when authenticating
with the remote server.
+.IP "\fB\s-1DEREF\s0\fR never/searching/finding/always" 4
+.IX Item "DEREF never/searching/finding/always"
+How alias dereferencing is to be performed when searching. See the
+\&\fIldap.conf\fR\|(@mansectform@) manual for a full description of this option.
.PP
See the \f(CW\*(C`ldap.conf\*(C'\fR entry in the \s-1EXAMPLES\s0 section.
.SS "Configuring nsswitch.conf"
-.\" Copyright (c) 1994-1996, 1998-2005, 2007-2011
+.\" Copyright (c) 1994-1996, 1998-2005, 2007-2012
.\" Todd C. Miller <Todd.Miller@courtesan.com>
.\"
.\" Permission to use, copy, modify, and distribute this software for any
.\" ========================================================================
.\"
.IX Title "SUDOERS @mansectform@"
-.TH SUDOERS @mansectform@ "February 21, 2011" "1.8.0rc1" "MAINTENANCE COMMANDS"
+.TH SUDOERS @mansectform@ "March 14, 2012" "1.8.5" "MAINTENANCE COMMANDS"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
distinct ways \fIsudoers\fR can deal with environment variables.
.PP
By default, the \fIenv_reset\fR option is enabled. This causes commands
-to be executed with a minimal environment containing \f(CW\*(C`TERM\*(C'\fR,
-\&\f(CW\*(C`PATH\*(C'\fR, \f(CW\*(C`HOME\*(C'\fR, \f(CW\*(C`MAIL\*(C'\fR, \f(CW\*(C`SHELL\*(C'\fR, \f(CW\*(C`LOGNAME\*(C'\fR, \f(CW\*(C`USER\*(C'\fR and \f(CW\*(C`USERNAME\*(C'\fR in
-addition to variables from the invoking process permitted by the
-\&\fIenv_check\fR and \fIenv_keep\fR options. This is effectively a whitelist
-for environment variables.
+to be executed with a minimal environment containing the \f(CW\*(C`TERM\*(C'\fR,
+\&\f(CW\*(C`PATH\*(C'\fR, \f(CW\*(C`HOME\*(C'\fR, \f(CW\*(C`MAIL\*(C'\fR, \f(CW\*(C`SHELL\*(C'\fR, \f(CW\*(C`LOGNAME\*(C'\fR, \f(CW\*(C`USER\*(C'\fR, \f(CW\*(C`USERNAME\*(C'\fR
+and \f(CW\*(C`SUDO_*\*(C'\fR variables in addition to variables from the
+invoking process permitted by the \fIenv_check\fR and \fIenv_keep\fR
+options. This is effectively a whitelist for environment variables.
.PP
If, however, the \fIenv_reset\fR option is disabled, any variables not
explicitly denied by the \fIenv_check\fR and \fIenv_delete\fR options are
removed from the environment before \fBsudo\fR even begins execution
and, as such, it is not possible for \fBsudo\fR to preserve them.
.PP
-As a special case, If \fBsudo\fR's \fB\-i\fR option (initial login) is
+As a special case, if \fBsudo\fR's \fB\-i\fR option (initial login) is
specified, \fIsudoers\fR will initialize the environment regardless
of the value of \fIenv_reset\fR. The \fI\s-1DISPLAY\s0\fR, \fI\s-1PATH\s0\fR and \fI\s-1TERM\s0\fR
variables remain unchanged; \fI\s-1HOME\s0\fR, \fI\s-1MAIL\s0\fR, \fI\s-1SHELL\s0\fR, \fI\s-1USER\s0\fR,
and \fI\s-1LOGNAME\s0\fR are set based on the target user. On Linux and \s-1AIX\s0
systems the contents of \fI/etc/environment\fR are also included. All
other environment variables are removed.
+.PP
+Lastly, if the \fIenv_file\fR option is defined, any variables present
+in that file will be set to their specified values.
.SH "SUDOERS FILE FORMAT"
.IX Header "SUDOERS FILE FORMAT"
The \fIsudoers\fR file is composed of two types of entries: aliases
\& User \*(Aq,\*(Aq User_List
\&
\& User ::= \*(Aq!\*(Aq* user name |
-\& \*(Aq!\*(Aq* \*(Aq#\*(Aquid |
-\& \*(Aq!\*(Aq* \*(Aq%\*(Aqgroup |
-\& \*(Aq!\*(Aq* \*(Aq+\*(Aqnetgroup |
-\& \*(Aq!\*(Aq* \*(Aq%:\*(Aqnonunix_group |
+\& \*(Aq!\*(Aq* #uid |
+\& \*(Aq!\*(Aq* %group |
+\& \*(Aq!\*(Aq* %#gid |
+\& \*(Aq!\*(Aq* +netgroup |
+\& \*(Aq!\*(Aq* %:nonunix_group |
+\& \*(Aq!\*(Aq* %:#nonunix_gid |
\& \*(Aq!\*(Aq* User_Alias
.Ve
.PP
-A \f(CW\*(C`User_List\*(C'\fR is made up of one or more user names, uids (prefixed
-with '#'), system groups (prefixed with '%'), netgroups (prefixed
-with '+') and \f(CW\*(C`User_Alias\*(C'\fRes. Each list item may be prefixed with
-zero or more '!' operators. An odd number of '!' operators negate
-the value of the item; an even number just cancel each other out.
-.PP
-A \f(CW\*(C`user name\*(C'\fR, \f(CW\*(C`group\*(C'\fR, \f(CW\*(C`netgroup\*(C'\fR or \f(CW\*(C`nonunix_group\*(C'\fR may
-be enclosed in double quotes to avoid the need for escaping special
-characters. Alternately, special characters may be specified in
-escaped hex mode, e.g. \ex20 for space.
-.PP
-The actual \f(CW\*(C`nonunix_group\*(C'\fR syntax depends on the underlying group
-provider plugin (see the \fIgroup_plugin\fR description below).
-For instance, the \s-1QAS\s0 \s-1AD\s0 plugin supports the following formats:
+A \f(CW\*(C`User_List\*(C'\fR is made up of one or more user names, user ids
+(prefixed with '#'), system group names and ids (prefixed with '%'
+and '%#' respectively), netgroups (prefixed with '+'), non-Unix
+group names and IDs (prefixed with '%:' and '%:#' respectively) and
+\&\f(CW\*(C`User_Alias\*(C'\fRes. Each list item may be prefixed with zero or more
+\&'!' operators. An odd number of '!' operators negate the value of
+the item; an even number just cancel each other out.
+.PP
+A \f(CW\*(C`user name\*(C'\fR, \f(CW\*(C`uid\*(C'\fR, \f(CW\*(C`group\*(C'\fR, \f(CW\*(C`gid\*(C'\fR, \f(CW\*(C`netgroup\*(C'\fR, \f(CW\*(C`nonunix_group\*(C'\fR
+or \f(CW\*(C`nonunix_gid\*(C'\fR may be enclosed in double quotes to avoid the
+need for escaping special characters. Alternately, special characters
+may be specified in escaped hex mode, e.g. \ex20 for space. When
+using double quotes, any prefix characters must be included inside
+the quotes.
+.PP
+The actual \f(CW\*(C`nonunix_group\*(C'\fR and \f(CW\*(C`nonunix_gid\*(C'\fR syntax depends on
+the underlying group provider plugin (see the \fIgroup_plugin\fR
+description below). For instance, the \s-1QAS\s0 \s-1AD\s0 plugin supports the
+following formats:
.IP "\(bu" 4
Group in the same domain: \*(L"Group Name\*(R"
.IP "\(bu" 4
.IP "\(bu" 4
Group \s-1SID:\s0 \*(L"S\-1\-2\-34\-5678901234\-5678901234\-5678901234\-567\*(R"
.PP
-Note that quotes around group names are optional. Unquoted strings must
-use a backslash (\e) to escape spaces and the '@' symbol.
+Note that quotes around group names are optional. Unquoted strings
+must use a backslash (\e) to escape spaces and special characters.
+See \*(L"Other special characters and reserved words\*(R" for a list of
+characters that need to be escaped.
.PP
.Vb 2
\& Runas_List ::= Runas_Member |
\& Runas_Member \*(Aq,\*(Aq Runas_List
\&
\& Runas_Member ::= \*(Aq!\*(Aq* user name |
-\& \*(Aq!\*(Aq* \*(Aq#\*(Aquid |
-\& \*(Aq!\*(Aq* \*(Aq%\*(Aqgroup |
+\& \*(Aq!\*(Aq* #uid |
+\& \*(Aq!\*(Aq* %group |
+\& \*(Aq!\*(Aq* %#gid |
+\& \*(Aq!\*(Aq* %:nonunix_group |
+\& \*(Aq!\*(Aq* %:#nonunix_gid |
\& \*(Aq!\*(Aq* +netgroup |
\& \*(Aq!\*(Aq* Runas_Alias
.Ve
\& Host ::= \*(Aq!\*(Aq* host name |
\& \*(Aq!\*(Aq* ip_addr |
\& \*(Aq!\*(Aq* network(/netmask)? |
-\& \*(Aq!\*(Aq* \*(Aq+\*(Aqnetgroup |
+\& \*(Aq!\*(Aq* +netgroup |
\& \*(Aq!\*(Aq* Host_Alias
.Ve
.PP
(and as what user) on specified hosts. By default, commands are
run as \fBroot\fR, but this can be changed on a per-command basis.
.PP
-The basic structure of a user specification is `who = where (as_whom)
+The basic structure of a user specification is `who where = (as_whom)
what'. Let's break that down into its constituent parts:
.SS "Runas_Spec"
.IX Subsection "Runas_Spec"
\& aaron shanty = NOEXEC: /usr/bin/more, /usr/bin/vi
.Ve
.PP
-See the \*(L"\s-1PREVENTING\s0 \s-1SHELL\s0 \s-1ESCAPES\s0\*(R" section below for more details
+See the \*(L"Preventing Shell Escapes\*(R" section below for more details
on how \f(CW\*(C`NOEXEC\*(C'\fR works and whether or not it will work on your system.
.PP
\fI\s-1SETENV\s0 and \s-1NOSETENV\s0\fR
.PP
These tags override the value of the \fIsetenv\fR option on a per-command
basis. Note that if \f(CW\*(C`SETENV\*(C'\fR has been set for a command, the user
-maydisable the \fIenv_reset\fR option from the command line via the
+may disable the \fIenv_reset\fR option from the command line via the
\&\fB\-E\fR option. Additionally, environment variables set on the command
line are not subject to the restrictions imposed by \fIenv_check\fR,
\&\fIenv_delete\fR, or \fIenv_keep\fR. As such, only trusted users should
themselves include other files. A hard limit of 128 nested include
files is enforced to prevent include file loops.
.PP
-The file name may include the \f(CW%h\fR escape, signifying the short form
+If the path to the include file is not fully-qualified (does not
+begin with a \fI/\fR), it must be located in the same directory as the
+sudoers file it was included from. For example, if \fI/etc/sudoers\fR
+contains the line:
+.Sp
+.RS 4
+\&\f(CW\*(C`#include sudoers.local\*(C'\fR
+.RE
+.PP
+the file that will be included is \fI/etc/sudoers.local\fR.
+.PP
+The file name may also include the \f(CW%h\fR escape, signifying the short form
of the host name. I.e., if the machine's host name is \*(L"xerxes\*(R", then
.PP
\&\f(CW\*(C`#include /etc/sudoers.%h\*(C'\fR
.PP
The following characters must be escaped with a backslash ('\e') when
used as part of a word (e.g.\ a user name or host name):
-\&'@', '!', '=', ':', ',', '(', ')', '\e'.
+\&'!', '=', ':', ',', '(', ')', '\e'.
.SH "SUDOERS OPTIONS"
.IX Header "SUDOERS OPTIONS"
\&\fBsudo\fR's behavior can be modified by \f(CW\*(C`Default_Entry\*(C'\fR lines, as
default.
.IP "env_reset" 16
.IX Item "env_reset"
-If set, \fBsudo\fR will reset the environment to only contain the
-\&\s-1LOGNAME\s0, \s-1MAIL\s0, \s-1SHELL\s0, \s-1USER\s0, \s-1USERNAME\s0 and the \f(CW\*(C`SUDO_*\*(C'\fR variables. Any
+If set, \fBsudo\fR will run the command in a minimal environment
+containing the \f(CW\*(C`TERM\*(C'\fR, \f(CW\*(C`PATH\*(C'\fR, \f(CW\*(C`HOME\*(C'\fR, \f(CW\*(C`MAIL\*(C'\fR, \f(CW\*(C`SHELL\*(C'\fR,
+\&\f(CW\*(C`LOGNAME\*(C'\fR, \f(CW\*(C`USER\*(C'\fR, \f(CW\*(C`USERNAME\*(C'\fR and \f(CW\*(C`SUDO_*\*(C'\fR variables. Any
variables in the caller's environment that match the \f(CW\*(C`env_keep\*(C'\fR
-and \f(CW\*(C`env_check\*(C'\fR lists are then added. The default contents of the
-\&\f(CW\*(C`env_keep\*(C'\fR and \f(CW\*(C`env_check\*(C'\fR lists are displayed when \fBsudo\fR is
-run by root with the \fI\-V\fR option. If the \fIsecure_path\fR option
-is set, its value will be used for the \f(CW\*(C`PATH\*(C'\fR environment variable.
-This flag is \fI@env_reset@\fR by default.
+and \f(CW\*(C`env_check\*(C'\fR lists are then added, followed by any variables
+present in the file specified by the \fIenv_file\fR option (if any).
+The default contents of the \f(CW\*(C`env_keep\*(C'\fR and \f(CW\*(C`env_check\*(C'\fR lists are
+displayed when \fBsudo\fR is run by root with the \fI\-V\fR option. If
+the \fIsecure_path\fR option is set, its value will be used for the
+\&\f(CW\*(C`PATH\*(C'\fR environment variable. This flag is \fI@env_reset@\fR by
+default.
.IP "fast_glob" 16
.IX Item "fast_glob"
Normally, \fBsudo\fR uses the \fIglob\fR\|(3) function to do shell-style
.IX Item "log_host"
If set, the host name will be logged in the (non-syslog) \fBsudo\fR log file.
This flag is \fIoff\fR by default.
+.IP "log_input" 16
+.IX Item "log_input"
+If set, \fBsudo\fR will run the command in a \fIpseudo tty\fR and log all
+user input.
+If the standard input is not connected to the user's tty, due to
+I/O redirection or because the command is part of a pipeline, that
+input is also captured and stored in a separate log file.
+.Sp
+Input is logged to the directory specified by the \fIiolog_dir\fR
+option (\fI@iolog_dir@\fR by default) using a unique session \s-1ID\s0 that
+is included in the normal \fBsudo\fR log line, prefixed with \fITSID=\fR.
+The \fIiolog_file\fR option may be used to control the format of the
+session \s-1ID\s0.
+.Sp
+Note that user input may contain sensitive information such as
+passwords (even if they are not echoed to the screen), which will
+be stored in the log file unencrypted. In most cases, logging the
+command output via \fIlog_output\fR is all that is required.
+.IP "log_output" 16
+.IX Item "log_output"
+If set, \fBsudo\fR will run the command in a \fIpseudo tty\fR and log all
+output that is sent to the screen, similar to the \fIscript\fR\|(1) command.
+If the standard output or standard error is not connected to the
+user's tty, due to I/O redirection or because the command is part
+of a pipeline, that output is also captured and stored in separate
+log files.
+.Sp
+Output is logged to the directory specified by the \fIiolog_dir\fR
+option (\fI@iolog_dir@\fR by default) using a unique session \s-1ID\s0 that
+is included in the normal \fBsudo\fR log line, prefixed with \fITSID=\fR.
+The \fIiolog_file\fR option may be used to control the format of the
+session \s-1ID\s0.
+.Sp
+Output logs may be viewed with the \fIsudoreplay\fR\|(@mansectsu@) utility, which
+can also be used to list or search the available logs.
.IP "log_year" 16
.IX Item "log_year"
If set, the four-digit year will be logged in the (non-syslog) \fBsudo\fR log file.
This flag is \fIoff\fR by default.
.IP "long_otp_prompt" 16
.IX Item "long_otp_prompt"
-When validating with a One Time Password (\s-1OPT\s0) scheme such as
+When validating with a One Time Password (\s-1OTP\s0) scheme such as
\&\fBS/Key\fR or \fB\s-1OPIE\s0\fR, a two-line prompt is used to make it easier
to cut and paste the challenge to a local window. It's not as
pretty as the default but some people find it more convenient. This
.IX Item "noexec"
If set, all commands run via \fBsudo\fR will behave as if the \f(CW\*(C`NOEXEC\*(C'\fR
tag has been set, unless overridden by a \f(CW\*(C`EXEC\*(C'\fR tag. See the
-description of \fI\s-1NOEXEC\s0 and \s-1EXEC\s0\fR below as well as the \*(L"\s-1PREVENTING\s0 \s-1SHELL\s0
-\&\s-1ESCAPES\s0\*(R" section at the end of this manual. This flag is \fIoff\fR by default.
+description of \fI\s-1NOEXEC\s0 and \s-1EXEC\s0\fR below as well as the \*(L"Preventing Shell
+Escapes\*(R" section at the end of this manual. This flag is \fIoff\fR by default.
.IP "path_info" 16
.IX Item "path_info"
Normally, \fBsudo\fR will tell the user when a command could not be
option. Note that if the \fIenv_reset\fR option has not been disabled,
entries in the \fIenv_keep\fR list will override the value of
\&\fIset_logname\fR. This flag is \fIon\fR by default.
+.IP "set_utmp" 16
+.IX Item "set_utmp"
+When enabled, \fBsudo\fR will create an entry in the utmp (or utmpx)
+file when a pseudo-tty is allocated. A pseudo-tty is allocated by
+\&\fBsudo\fR when the \fIlog_input\fR, \fIlog_output\fR or \fIuse_pty\fR flags
+are enabled. By default, the new entry will be a copy of the user's
+existing utmp entry (if any), with the tty, time, type and pid
+fields updated. This flag is \fIon\fR by default.
.IP "setenv" 16
.IX Item "setenv"
Allow the user to disable the \fIenv_reset\fR option from the command
include the target user's name. Note that this flag precludes the
use of a uid not listed in the passwd database as an argument to
the \fB\-u\fR option. This flag is \fIoff\fR by default.
-.IP "log_input" 16
-.IX Item "log_input"
-If set, \fBsudo\fR will run the command in a \fIpseudo tty\fR and log all
-user input.
-If the standard input is not connected to the user's tty, due to
-I/O redirection or because the command is part of a pipeline, that
-input is also captured and stored in a separate log file.
-.Sp
-Input is logged to the \fI/var/log/sudo\-io\fR directory using a unique
-session \s-1ID\s0 that is included in the normal \fBsudo\fR log line, prefixed
-with \fITSID=\fR.
-.IP "log_output" 16
-.IX Item "log_output"
-If set, \fBsudo\fR will run the command in a \fIpseudo tty\fR and log all
-output that is sent to the screen, similar to the \fIscript\fR\|(1) command.
-If the standard output or standard error is not connected to the
-user's tty, due to I/O redirection or because the command is part
-of a pipeline, that output is also captured and stored in separate
-log files.
-.Sp
-Output is logged to the
-\&\fI/var/log/sudo\-io\fR directory using a unique session \s-1ID\s0 that is
-included in the normal \fBsudo\fR log line, prefixed with \fITSID=\fR.
-.Sp
-Output logs may be viewed with the \fIsudoreplay\fR\|(@mansectsu@) utility, which
-can also be used to list or search the available logs.
.IP "tty_tickets" 16
.IX Item "tty_tickets"
If set, users must authenticate on a per-tty basis. With this flag
logging is being gone. A malicious program run under \fBsudo\fR could
conceivably fork a background process that retains to the user's
terminal device after the main program has finished executing. Use
-of this option will make that impossible.
+of this option will make that impossible. This flag is \fIoff\fR by default.
+.IP "utmp_runas" 16
+.IX Item "utmp_runas"
+If set, \fBsudo\fR will store the name of the runas user when updating
+the utmp (or utmpx) file. By default, \fBsudo\fR stores the name of
+the invoking user. This flag is \fIoff\fR by default.
.IP "visiblepw" 16
.IX Item "visiblepw"
By default, \fBsudo\fR will refuse to run if the user must enter a
In addition, any escape sequences supported by the system's \fIstrftime()\fR
function will be expanded.
.Sp
-Path names that end in six or more \f(CW\*(C`X\*(C'\fRs will have the \f(CW\*(C`X\*(C'\fRs replaced
-with a unique combination of digits and letters, similar to the
-\&\fImktemp()\fR function.
+To include a literal `\f(CW\*(C`%\*(C'\fR' character, the string `\f(CW\*(C`%%\*(C'\fR' should
+be used.
.RE
.IP "iolog_file" 16
.IX Item "iolog_file"
.Sp
See the \fIiolog_dir\fR option above for a list of supported percent
(`\f(CW\*(C`%\*(C'\fR') escape sequences.
+.Sp
+In addition to the escape sequences, path names that end in six or
+more \f(CW\*(C`X\*(C'\fRs will have the \f(CW\*(C`X\*(C'\fRs replaced with a unique combination
+of digits and letters, similar to the \fImktemp()\fR function.
.IP "mailsub" 16
.IX Item "mailsub"
Subject of the mail sent to the \fImailto\fR user. The escape \f(CW%h\fR
Default is \f(CW\*(C`@mailsub@\*(C'\fR.
.IP "noexec_file" 16
.IX Item "noexec_file"
-Path to a shared library containing dummy versions of the \fIexecv()\fR,
-\&\fIexecve()\fR and \fIfexecve()\fR library functions that just return an error.
-This is used to implement the \fInoexec\fR functionality on systems that
-support \f(CW\*(C`LD_PRELOAD\*(C'\fR or its equivalent. Defaults to \fI@noexec_file@\fR.
+This option is no longer supported. The path to the noexec file
+should now be set in the \fI@sysconfdir@/sudo.conf\fR file.
.IP "passprompt" 16
.IX Item "passprompt"
The default prompt to use when asking for a password; can be overridden
.el .IP "\f(CW%H\fR" 4
.IX Item "%H"
expanded to the local host name including the domain name
-(on if the machine's host name is fully qualified or the \fIfqdn\fR
+(only if the machine's host name is fully qualified or the \fIfqdn\fR
option is set)
.ie n .IP "%h" 4
.el .IP "\f(CW%h\fR" 4
.IX Item "runas_default"
The default user to run commands as if the \fB\-u\fR option is not specified
on the command line. This defaults to \f(CW\*(C`@runas_default@\*(C'\fR.
-Note that if \fIrunas_default\fR is set it \fBmust\fR occur before
-any \f(CW\*(C`Runas_Alias\*(C'\fR specifications.
.IP "syslog_badpri" 16
.IX Item "syslog_badpri"
Syslog priority to use when user authenticates unsuccessfully.
Defaults to \f(CW\*(C`@badpri@\*(C'\fR.
+.Sp
+The following syslog priorities are supported: \fBalert\fR, \fBcrit\fR,
+\&\fBdebug\fR, \fBemerg\fR, \fBerr\fR, \fBinfo\fR, \fBnotice\fR, and \fBwarning\fR.
.IP "syslog_goodpri" 16
.IX Item "syslog_goodpri"
Syslog priority to use when user authenticates successfully.
Defaults to \f(CW\*(C`@goodpri@\*(C'\fR.
+.Sp
+See syslog_badpri for the list of supported syslog priorities.
.IP "sudoers_locale" 16
.IX Item "sudoers_locale"
Locale to use when parsing the sudoers file, logging commands, and
\}
.PP
\&\fBStrings that can be used in a boolean context\fR:
-.IP "askpass" 12
-.IX Item "askpass"
-The \fIaskpass\fR option specifies the fully qualified path to a helper
-program used to read the user's password when no terminal is
-available. This may be the case when \fBsudo\fR is executed from a
-graphical (as opposed to text-based) application. The program
-specified by \fIaskpass\fR should display the argument passed to it
-as the prompt and write the user's password to the standard output.
-The value of \fIaskpass\fR may be overridden by the \f(CW\*(C`SUDO_ASKPASS\*(C'\fR
-environment variable.
.IP "env_file" 12
.IX Item "env_file"
-The \fIenv_file\fR options specifies the fully qualified path to a
+The \fIenv_file\fR option specifies the fully qualified path to a
file containing variables to be set in the environment of the program
being run. Entries in this file should either be of the form
\&\f(CW\*(C`VARIABLE=value\*(C'\fR or \f(CW\*(C`export VARIABLE=value\*(C'\fR. The value may
.IP "exempt_group" 12
.IX Item "exempt_group"
Users in this group are exempt from password and \s-1PATH\s0 requirements.
+The group name specified should not include a \f(CW\*(C`%\*(C'\fR prefix.
This is not set by default.
.IP "group_plugin" 12
.IX Item "group_plugin"
format, the sample group plugin can be used:
.Sp
.Vb 1
-\& Defaults sudo_plugin="sample_group.so /etc/sudo\-group"
+\& Defaults group_plugin="sample_group.so /etc/sudo\-group"
.Ve
.Sp
For more information see \fIsudo_plugin\fR\|(@mansectform@).
.IX Item "syslog"
Syslog facility if syslog is being used for logging (negate to
disable syslog logging). Defaults to \f(CW\*(C`@logfac@\*(C'\fR.
+.Sp
+The following syslog facilities are supported: \fBauthpriv\fR (if your
+\&\s-1OS\s0 supports it), \fBauth\fR, \fBdaemon\fR, \fBuser\fR, \fBlocal0\fR, \fBlocal1\fR,
+\&\fBlocal2\fR, \fBlocal3\fR, \fBlocal4\fR, \fBlocal5\fR, \fBlocal6\fR, and \fBlocal7\fR.
.IP "verifypw" 12
.IX Item "verifypw"
This option controls when a password will be required when a user runs
to, deleted from, or disabled by using the \f(CW\*(C`=\*(C'\fR, \f(CW\*(C`+=\*(C'\fR, \f(CW\*(C`\-=\*(C'\fR, and
\&\f(CW\*(C`!\*(C'\fR operators respectively. The default list of variables to keep
is displayed when \fBsudo\fR is run by root with the \fI\-V\fR option.
+.SH "SUDO.CONF"
+.IX Header "SUDO.CONF"
+The \fI@sysconfdir@/sudo.conf\fR file determines which plugins the
+\&\fBsudo\fR front end will load. If no \fI@sysconfdir@/sudo.conf\fR file
+is present, or it contains no \f(CW\*(C`Plugin\*(C'\fR lines, \fBsudo\fR will use the
+\&\fIsudoers\fR security policy and I/O logging, which corresponds to
+the following \fI@sysconfdir@/sudo.conf\fR file.
+.PP
+.Vb 10
+\& #
+\& # Default @sysconfdir@/sudo.conf file
+\& #
+\& # Format:
+\& # Plugin plugin_name plugin_path plugin_args ...
+\& # Path askpass /path/to/askpass
+\& # Path noexec /path/to/sudo_noexec.so
+\& # Debug sudo /var/log/sudo_debug all@warn
+\& # Set disable_coredump true
+\& #
+\& # The plugin_path is relative to @prefix@/libexec unless
+\& # fully qualified.
+\& # The plugin_name corresponds to a global symbol in the plugin
+\& # that contains the plugin interface structure.
+\& # The plugin_args are optional.
+\& #
+\& Plugin policy_plugin sudoers.so
+\& Plugin io_plugin sudoers.so
+.Ve
+.SS "\s-1PLUGIN\s0 \s-1OPTIONS\s0"
+.IX Subsection "PLUGIN OPTIONS"
+Starting with \fBsudo\fR 1.8.5 it is possible to pass options to the
+\&\fIsudoers\fR plugin. Options may be listed after the path to the
+plugin (i.e. after \fIsudoers.so\fR); multiple options should be
+space-separated. For example:
.PP
-When logging via \fIsyslog\fR\|(3), \fBsudo\fR accepts the following values
-for the syslog facility (the value of the \fBsyslog\fR Parameter):
-\&\fBauthpriv\fR (if your \s-1OS\s0 supports it), \fBauth\fR, \fBdaemon\fR, \fBuser\fR,
-\&\fBlocal0\fR, \fBlocal1\fR, \fBlocal2\fR, \fBlocal3\fR, \fBlocal4\fR, \fBlocal5\fR,
-\&\fBlocal6\fR, and \fBlocal7\fR. The following syslog priorities are
-supported: \fBalert\fR, \fBcrit\fR, \fBdebug\fR, \fBemerg\fR, \fBerr\fR, \fBinfo\fR,
-\&\fBnotice\fR, and \fBwarning\fR.
+.Vb 1
+\& Plugin sudoers_policy sudoers.so sudoers_file=/etc/sudoers sudoers_uid=0 sudoers_gid=0 sudoers_mode=0440
+.Ve
+.PP
+The following plugin options are supported:
+.IP "sudoers_file=pathname" 10
+.IX Item "sudoers_file=pathname"
+The \fIsudoers_file\fR option can be used to override the default path
+to the \fIsudoers\fR file.
+.IP "sudoers_uid=uid" 10
+.IX Item "sudoers_uid=uid"
+The \fIsudoers_uid\fR option can be used to override the default owner
+of the sudoers file. It should be specified as a numeric user \s-1ID\s0.
+.IP "sudoers_gid=gid" 10
+.IX Item "sudoers_gid=gid"
+The \fIsudoers_gid\fR option can be used to override the default group
+of the sudoers file. It should be specified as a numeric group \s-1ID\s0.
+.IP "sudoers_mode=mode" 10
+.IX Item "sudoers_mode=mode"
+The \fIsudoers_mode\fR option can be used to override the default file
+mode for the sudoers file. It should be specified as an octal value.
+.SS "\s-1DEBUG\s0 \s-1FLAGS\s0"
+.IX Subsection "DEBUG FLAGS"
+Versions 1.8.4 and higher of the \fIsudoers\fR plugin supports a
+debugging framework that can help track down what the plugin is
+doing internally if there is a problem. This can be configured in
+the \fI@sysconfdir@/sudo.conf\fR file as described in \fIsudo\fR\|(@mansectsu@).
+.PP
+The \fIsudoers\fR plugin uses the same debug flag format as \fBsudo\fR
+itself: \fIsubsystem\fR@\fIpriority\fR.
+.PP
+The priorities used by \fIsudoers\fR, in order of decreasing severity,
+are: \fIcrit\fR, \fIerr\fR, \fIwarn\fR, \fInotice\fR, \fIdiag\fR, \fIinfo\fR, \fItrace\fR
+and \fIdebug\fR. Each priority, when specified, also includes all
+priorities higher than it. For example, a priority of \fInotice\fR
+would include debug messages logged at \fInotice\fR and higher.
+.PP
+The following subsystems are used by \fIsudoers\fR:
+.IP "\fIalias\fR" 10
+.IX Item "alias"
+\&\f(CW\*(C`User_Alias\*(C'\fR, \f(CW\*(C`Runas_Alias\*(C'\fR, \f(CW\*(C`Host_Alias\*(C'\fR and \f(CW\*(C`Cmnd_Alias\*(C'\fR processing
+.IP "\fIall\fR" 10
+.IX Item "all"
+matches every subsystem
+.IP "\fIaudit\fR" 10
+.IX Item "audit"
+\&\s-1BSM\s0 and Linux audit code
+.IP "\fIauth\fR" 10
+.IX Item "auth"
+user authentication
+.IP "\fIdefaults\fR" 10
+.IX Item "defaults"
+\&\fIsudoers\fR \fIDefaults\fR settings
+.IP "\fIenv\fR" 10
+.IX Item "env"
+environment handling
+.IP "\fIldap\fR" 10
+.IX Item "ldap"
+LDAP-based sudoers
+.IP "\fIlogging\fR" 10
+.IX Item "logging"
+logging support
+.IP "\fImatch\fR" 10
+.IX Item "match"
+matching of users, groups, hosts and netgroups in \fIsudoers\fR
+.IP "\fInetif\fR" 10
+.IX Item "netif"
+network interface handling
+.IP "\fInss\fR" 10
+.IX Item "nss"
+network service switch handling in \fIsudoers\fR
+.IP "\fIparser\fR" 10
+.IX Item "parser"
+\&\fIsudoers\fR file parsing
+.IP "\fIperms\fR" 10
+.IX Item "perms"
+permission setting
+.IP "\fIplugin\fR" 10
+.IX Item "plugin"
+The equivalent of \fImain\fR for the plugin.
+.IP "\fIpty\fR" 10
+.IX Item "pty"
+pseudo-tty related code
+.IP "\fIrbtree\fR" 10
+.IX Item "rbtree"
+redblack tree internals
+.IP "\fIutil\fR" 10
+.IX Item "util"
+utility functions
.SH "FILES"
.IX Header "FILES"
+.ie n .IP "\fI@sysconfdir@/sudo.conf\fR" 24
+.el .IP "\fI@sysconfdir@/sudo.conf\fR" 24
+.IX Item "@sysconfdir@/sudo.conf"
+Sudo front end configuration
.ie n .IP "\fI@sysconfdir@/sudoers\fR" 24
.el .IP "\fI@sysconfdir@/sudoers\fR" 24
.IX Item "@sysconfdir@/sudoers"
for encapsulating in a shell script.
.SH "SECURITY NOTES"
.IX Header "SECURITY NOTES"
+.SS "Limitations of the '!' operator"
+.IX Subsection "Limitations of the '!' operator"
It is generally not effective to \*(L"subtract\*(R" commands from \f(CW\*(C`ALL\*(C'\fR
using the '!' operator. A user can trivially circumvent this
by copying the desired command to a different name and then
program. Therefore, these kind of restrictions should be considered
advisory at best (and reinforced by policy).
.PP
-Furthermore, if the \fIfast_glob\fR option is in use, it is not possible
+In general, if a user has sudo \f(CW\*(C`ALL\*(C'\fR there is nothing to prevent
+them from creating their own program that gives them a root shell
+(or making their own copy of a shell) regardless of any '!' elements
+in the user specification.
+.SS "Security implications of \fIfast_glob\fP"
+.IX Subsection "Security implications of fast_glob"
+If the \fIfast_glob\fR option is in use, it is not possible
to reliably negate commands where the path name includes globbing
(aka wildcard) characters. This is because the C library's
\&\fIfnmatch\fR\|(3) function cannot resolve relative paths. While this
.PP
User \fBjohn\fR can still run \f(CW\*(C`/usr/bin/passwd root\*(C'\fR if \fIfast_glob\fR is
enabled by changing to \fI/usr/bin\fR and running \f(CW\*(C`./passwd root\*(C'\fR instead.
-.SH "PREVENTING SHELL ESCAPES"
-.IX Header "PREVENTING SHELL ESCAPES"
+.SS "Preventing Shell Escapes"
+.IX Subsection "Preventing Shell Escapes"
Once \fBsudo\fR executes a program, that program is free to do whatever
it pleases, including run other programs. This can be a security
issue since it is not uncommon for a program to allow shell escapes,
executables. Statically-linked executables and foreign executables
running under binary emulation are not affected.
.Sp
-To tell whether or not \fBsudo\fR supports \fInoexec\fR, you can run
-the following as root:
-.Sp
-.Vb 1
-\& sudo \-V | grep "dummy exec"
-.Ve
-.Sp
-If the resulting output contains a line that begins with:
-.Sp
-.Vb 1
-\& File containing dummy exec functions:
-.Ve
-.Sp
-then \fBsudo\fR may be able to replace the exec family of functions
-in the standard library with its own that simply return an error.
-Unfortunately, there is no foolproof way to know whether or not
-\&\fInoexec\fR will work at compile-time. \fInoexec\fR should work on
-SunOS, Solaris, *BSD, Linux, \s-1IRIX\s0, Tru64 \s-1UNIX\s0, MacOS X, and HP-UX
-11.x. It is known \fBnot\fR to work on \s-1AIX\s0 and UnixWare. \fInoexec\fR
-is expected to work on most operating systems that support the
+The \fInoexec\fR feature is known to work on SunOS, Solaris, *BSD,
+Linux, \s-1IRIX\s0, Tru64 \s-1UNIX\s0, MacOS X, HP-UX 11.x and \s-1AIX\s0 5.3 and above.
+It should be supported on most operating systems that support the
\&\f(CW\*(C`LD_PRELOAD\*(C'\fR environment variable. Check your operating system's
manual pages for the dynamic linker (usually ld.so, ld.so.1, dyld,
dld.sl, rld, or loader) to see if \f(CW\*(C`LD_PRELOAD\*(C'\fR is supported.
.Sp
+On Solaris 10 and higher, \fInoexec\fR uses Solaris privileges instead
+of the \f(CW\*(C`LD_PRELOAD\*(C'\fR environment variable.
+.Sp
To enable \fInoexec\fR for a command, use the \f(CW\*(C`NOEXEC\*(C'\fR tag as documented
in the User Specification section above. Here is that example again:
.Sp
with \fInoexec\fR enabled. This will prevent those two commands from
executing other commands (such as a shell). If you are unsure
whether or not your system is capable of supporting \fInoexec\fR you
-can always just try it out and see if it works.
+can always just try it out and check whether shell escapes work
+when \fInoexec\fR is enabled.
.PP
Note that restricting shell escapes is not a panacea. Programs
running as root are still capable of many potentially hazardous
to unintended privilege escalation. In the specific case of an
editor, a safer approach is to give the user permission to run
\&\fBsudoedit\fR.
-.SH "SECURITY NOTES"
-.IX Header "SECURITY NOTES"
+.SS "Time stamp file checks"
+.IX Subsection "Time stamp file checks"
\&\fIsudoers\fR will check the ownership of its time stamp directory
(\fI@timedir@\fR by default) and ignore the directory's contents if
it is not owned by root or if it is writable by a user other than
created (such as Mac \s-1OS\s0 X), \fIsudoers\fR is able to determine when a
tty-based time stamp file is stale and will ignore it. Administrators
should not rely on this feature as it is not universally available.
-.PP
-If users have sudo \f(CW\*(C`ALL\*(C'\fR there is nothing to prevent them from
-creating their own program that gives them a root shell (or making
-their own copy of a shell) regardless of any '!' elements in the
-user specification.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fIrsh\fR\|(1), \fIsu\fR\|(1), \fIfnmatch\fR\|(3), \fIglob\fR\|(3), \fImktemp\fR\|(3), \fIstrftime\fR\|(3),
+SUDOREPLAY(1m) MAINTENANCE COMMANDS SUDOREPLAY(1m)
-SUDOREPLAY(1m) MAINTENANCE COMMANDS SUDOREPLAY(1m)
-
-
N\bNA\bAM\bME\bE
sudoreplay - replay sudo session logs
s\bsu\bud\bdo\bor\bre\bep\bpl\bla\bay\by [-\b-h\bh] [-\b-d\bd _\bd_\bi_\br_\be_\bc_\bt_\bo_\br_\by] -l [search expression]
D\bDE\bES\bSC\bCR\bRI\bIP\bPT\bTI\bIO\bON\bN
- s\bsu\bud\bdo\bor\bre\bep\bpl\bla\bay\by plays back or lists the session logs created by s\bsu\bud\bdo\bo. When
+ s\bsu\bud\bdo\bor\bre\bep\bpl\bla\bay\by plays back or lists the output logs created by s\bsu\bud\bdo\bo. When
replaying, s\bsu\bud\bdo\bor\bre\bep\bpl\bla\bay\by can play the session back in real-time, or the
playback speed may be adjusted (faster or slower) based on the command
- line options. The _\bI_\bD should be a six character sequence of digits and
- upper case letters, e.g. 0100A5, which is logged by s\bsu\bud\bdo\bo when a
- command is run with session logging enabled.
+ line options.
+
+ The _\bI_\bD should either be a six character sequence of digits and upper
+ case letters, e.g. 0100A5, or a pattern matching the _\bi_\bo_\bl_\bo_\bg_\b__\bf_\bi_\bl_\be option
+ in the _\bs_\bu_\bd_\bo_\be_\br_\bs file. When a command is run via s\bsu\bud\bdo\bo with _\bl_\bo_\bg_\b__\bo_\bu_\bt_\bp_\bu_\bt
+ enabled in the _\bs_\bu_\bd_\bo_\be_\br_\bs file, a TSID=ID string is logged via syslog or
+ to the s\bsu\bud\bdo\bo log file. The _\bI_\bD may also be determined using s\bsu\bud\bdo\bor\bre\bep\bpl\bla\bay\by's
+ list mode.
In list mode, s\bsu\bud\bdo\bor\bre\bep\bpl\bla\bay\by can be used to find the ID of a session based
on a number of criteria such as the user, tty or command run.
displayed. An expression is composed of the following
predicates:
-
-
-
-
-1.8.0rc1 February 21, 2011 1
-
-
-
-
-
-SUDOREPLAY(1m) MAINTENANCE COMMANDS SUDOREPLAY(1m)
-
-
command _\bc_\bo_\bm_\bm_\ba_\bn_\bd _\bp_\ba_\bt_\bt_\be_\br_\bn
Evaluates to true if the command run matches
_\bc_\bo_\bm_\bm_\ba_\bn_\bd _\bp_\ba_\bt_\bt_\be_\br_\bn. On systems with POSIX regular
-m _\bm_\ba_\bx_\b__\bw_\ba_\bi_\bt Specify an upper bound on how long to wait between key
presses or output data. By default, s\bsu\bud\bdo\bo_\b_r\bre\bep\bpl\bla\bay\by will
-
-
-
-1.8.0rc1 February 21, 2011 2
-
-
-
-
-
-SUDOREPLAY(1m) MAINTENANCE COMMANDS SUDOREPLAY(1m)
-
-
accurately reproduce the delays between key presses or
program output. However, this can be tedious when the
session includes long pauses. When the _\b-_\bm option is
2 hours ago
2 hours ago.
-
-
-1.8.0rc1 February 21, 2011 3
-
-
-
-
-
-SUDOREPLAY(1m) MAINTENANCE COMMANDS SUDOREPLAY(1m)
-
-
next Friday
The first second of the next Friday.
sudoreplay -l user millert
-
-
-1.8.0rc1 February 21, 2011 4
-
-
-
-
-
-SUDOREPLAY(1m) MAINTENANCE COMMANDS SUDOREPLAY(1m)
-
-
List sessions run by user _\bb_\bo_\bb with a command containing the string vi:
sudoreplay -l user bob command vi
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-1.8.0rc1 February 21, 2011 5
-
-
+1.8.5 March 14, 2012 SUDOREPLAY(1m)
-.\" Copyright (c) 2009-2010 Todd C. Miller <Todd.Miller@courtesan.com>
+.\" Copyright (c) 2009-2011 Todd C. Miller <Todd.Miller@courtesan.com>
.\"
.\" Permission to use, copy, modify, and distribute this software for any
.\" purpose with or without fee is hereby granted, provided that the above
.\" ========================================================================
.\"
.IX Title "SUDOREPLAY @mansectsu@"
-.TH SUDOREPLAY @mansectsu@ "February 21, 2011" "1.8.0rc1" "MAINTENANCE COMMANDS"
+.TH SUDOREPLAY @mansectsu@ "March 14, 2012" "1.8.5" "MAINTENANCE COMMANDS"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
\&\fBsudoreplay\fR [\fB\-h\fR] [\fB\-d\fR \fIdirectory\fR] \-l [search expression]
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
-\&\fBsudoreplay\fR plays back or lists the session logs created by
-\&\fBsudo\fR. When replaying, \fBsudoreplay\fR can play the session back
-in real-time, or the playback speed may be adjusted (faster or
-slower) based on the command line options. The \fI\s-1ID\s0\fR should be
-a six character sequence of digits and upper case letters, e.g.
-0100A5, which is logged by \fBsudo\fR when a command is run with
-session logging enabled.
+\&\fBsudoreplay\fR plays back or lists the output logs created by \fBsudo\fR.
+When replaying, \fBsudoreplay\fR can play the session back in real-time,
+or the playback speed may be adjusted (faster or slower) based on
+the command line options.
+.PP
+The \fI\s-1ID\s0\fR should either be a six character sequence of digits and
+upper case letters, e.g. \f(CW\*(C`0100A5\*(C'\fR, or a pattern matching the
+\&\fIiolog_file\fR option in the \fIsudoers\fR file. When a command is run
+via \fBsudo\fR with \fIlog_output\fR enabled in the \fIsudoers\fR file, a
+\&\f(CW\*(C`TSID=ID\*(C'\fR string is logged via syslog or to the \fBsudo\fR log file.
+The \fI\s-1ID\s0\fR may also be determined using \fBsudoreplay\fR's list mode.
.PP
In list mode, \fBsudoreplay\fR can be used to find the \s-1ID\s0 of a session
based on a number of criteria such as the user, tty or command run.
+VISUDO(1m) MAINTENANCE COMMANDS VISUDO(1m)
-VISUDO(1m) MAINTENANCE COMMANDS VISUDO(1m)
-
-
N\bNA\bAM\bME\bE
visudo - edit the sudoers file
v\bvi\bis\bsu\bud\bdo\bo accepts the following command line options:
-c Enable c\bch\bhe\bec\bck\bk-\b-o\bon\bnl\bly\by mode. The existing _\bs_\bu_\bd_\bo_\be_\br_\bs file will be
- checked for syntax and a message will be printed to the
- standard output detailing the status of _\bs_\bu_\bd_\bo_\be_\br_\bs. If the
- syntax check completes successfully, v\bvi\bis\bsu\bud\bdo\bo will exit with
- a value of 0. If a syntax error is encountered, v\bvi\bis\bsu\bud\bdo\bo
- will exit with a value of 1.
+ checked for syntax errors, owner and mode. A message will
+ be printed to the standard output describing the status of
+ _\bs_\bu_\bd_\bo_\be_\br_\bs unless the -\b-q\bq option was specified. If the check
+ completes successfully, v\bvi\bis\bsu\bud\bdo\bo will exit with a value of 0.
+ If an error is encountered, v\bvi\bis\bsu\bud\bdo\bo will exit with a value
+ of 1.
-f _\bs_\bu_\bd_\bo_\be_\br_\bs Specify and alternate _\bs_\bu_\bd_\bo_\be_\br_\bs file location. With this
option v\bvi\bis\bsu\bud\bdo\bo will edit (or check) the _\bs_\bu_\bd_\bo_\be_\br_\bs file of your
-\b-f\bf may be "-", indicating that _\bs_\bu_\bd_\bo_\be_\br_\bs will be read from
the standard input.
-
-
-
-1.8.0rc1 February 21, 2011 1
-
-
-
-
-
-VISUDO(1m) MAINTENANCE COMMANDS VISUDO(1m)
-
-
-h The -\b-h\bh (_\bh_\be_\bl_\bp) option causes v\bvi\bis\bsu\bud\bdo\bo to print a short help
message to the standard output and exit.
used. You may wish to comment out or remove the unused alias. In
-\b-s\bs (strict) mode this is an error, not a warning.
-
-
-
-
-1.8.0rc1 February 21, 2011 2
-
-
-
-
-
-VISUDO(1m) MAINTENANCE COMMANDS VISUDO(1m)
-
+ Warning: cycle in {User,Runas,Host,Cmnd}_Alias
+ The specified {User,Runas,Host,Cmnd}_Alias includes a reference to
+ itself, either directly or through an alias it includes. This is
+ only a warning by default as s\bsu\bud\bdo\bo will ignore cycles when parsing
+ the _\bs_\bu_\bd_\bo_\be_\br_\bs file.
S\bSE\bEE\bE A\bAL\bLS\bSO\bO
_\bv_\bi(1), _\bs_\bu_\bd_\bo_\be_\br_\bs(4), _\bs_\bu_\bd_\bo(1m), _\bv_\bi_\bp_\bw(1m)
A\bAU\bUT\bTH\bHO\bOR\bR
- Many people have worked on _\bs_\bu_\bd_\bo over the years; this version of v\bvi\bis\bsu\bud\bdo\bo
+ Many people have worked on s\bsu\bud\bdo\bo over the years; this version of v\bvi\bis\bsu\bud\bdo\bo
was written by:
Todd Miller
- See the HISTORY file in the sudo distribution or visit
- http://www.sudo.ws/sudo/history.html for more details.
+ See the CONTRIBUTORS file in the s\bsu\bud\bdo\bo distribution
+ (http://www.sudo.ws/sudo/contributors.html) for a list of people who
+ have contributed to s\bsu\bud\bdo\bo.
C\bCA\bAV\bVE\bEA\bAT\bTS\bS
There is no easy way to prevent a user from gaining a root shell if the
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-1.8.0rc1 February 21, 2011 3
-
-
+1.8.5 March 14, 2012 VISUDO(1m)
-.\" Copyright (c) 1996,1998-2005, 2007-2008
+.\" Copyright (c) 1996,1998-2005, 2007-2012
.\" Todd C. Miller <Todd.Miller@courtesan.com>
.\"
.\" Permission to use, copy, modify, and distribute this software for any
.\" ========================================================================
.\"
.IX Title "VISUDO @mansectsu@"
-.TH VISUDO @mansectsu@ "February 21, 2011" "1.8.0rc1" "MAINTENANCE COMMANDS"
+.TH VISUDO @mansectsu@ "March 14, 2012" "1.8.5" "MAINTENANCE COMMANDS"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.IP "\-c" 12
.IX Item "-c"
Enable \fBcheck-only\fR mode. The existing \fIsudoers\fR file will be
-checked for syntax and a message will be printed to the
-standard output detailing the status of \fIsudoers\fR.
-If the syntax check completes successfully, \fBvisudo\fR will
-exit with a value of 0. If a syntax error is encountered,
+checked for syntax errors, owner and mode. A message will be printed
+to the standard output describing the status of \fIsudoers\fR unless
+the \fB\-q\fR option was specified. If the check completes successfully,
+\&\fBvisudo\fR will exit with a value of 0. If an error is encountered,
\&\fBvisudo\fR will exit with a value of 1.
.IP "\-f \fIsudoers\fR" 12
.IX Item "-f sudoers"
The specified {User,Runas,Host,Cmnd}_Alias was defined but never
used. You may wish to comment out or remove the unused alias. In
\&\fB\-s\fR (strict) mode this is an error, not a warning.
+.IP "Warning: cycle in {User,Runas,Host,Cmnd}_Alias" 4
+.IX Item "Warning: cycle in {User,Runas,Host,Cmnd}_Alias"
+The specified {User,Runas,Host,Cmnd}_Alias includes a reference to
+itself, either directly or through an alias it includes. This is
+only a warning by default as \fBsudo\fR will ignore cycles when parsing
+the \fIsudoers\fR file.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fIvi\fR\|(1), \fIsudoers\fR\|(@mansectform@), \fIsudo\fR\|(@mansectsu@), \fIvipw\fR\|(@mansectsu@)
.SH "AUTHOR"
.IX Header "AUTHOR"
-Many people have worked on \fIsudo\fR over the years; this version of
+Many people have worked on \fBsudo\fR over the years; this version of
\&\fBvisudo\fR was written by:
.PP
.Vb 1
\& Todd Miller
.Ve
.PP
-See the \s-1HISTORY\s0 file in the sudo distribution or visit
-http://www.sudo.ws/sudo/history.html for more details.
+See the \s-1CONTRIBUTORS\s0 file in the \fBsudo\fR distribution
+(http://www.sudo.ws/sudo/contributors.html) for a list of people
+who have contributed to \fBsudo\fR.
.SH "CAVEATS"
.IX Header "CAVEATS"
There is no easy way to prevent a user from gaining a root shell if
projects / sudo / commitdiff