From: Todd C. Miller Date: Tue, 5 Feb 2013 21:12:39 +0000 (-0500) Subject: Remove duplicated sudo.conf info in the sudo, sudoers and sudo_plugin X-Git-Tag: SUDO_1_8_7~1^2~249 X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=14bf23c4a2cf59ceb84fb0d51bbcef27b97655f3;p=sudo Remove duplicated sudo.conf info in the sudo, sudoers and sudo_plugin manuals and cross-reference the new sudo.conf manual. --- diff --git a/doc/sudo.cat b/doc/sudo.cat index 0d123cad6..fcefe9a8c 100644 --- a/doc/sudo.cat +++ b/doc/sudo.cat @@ -24,7 +24,7 @@ DDEESSCCRRIIPPTTIIOONN input/output logging. Third parties can develop and distribute their own policy and I/O logging plugins to work seamlessly with the ssuuddoo front end. The default security policy is _s_u_d_o_e_r_s, which is configured via the - file _/_e_t_c_/_s_u_d_o_e_r_s, or via LDAP. See the _P_L_U_G_I_N_S section for more + file _/_e_t_c_/_s_u_d_o_e_r_s, or via LDAP. See the _P_l_u_g_i_n_s section for more information. The security policy determines what privileges, if any, a user has to run @@ -54,7 +54,7 @@ DDEESSCCRRIIPPTTIIOONN to read the user's password and output the password to the standard output. If the SUDO_ASKPASS environment variable is set, it specifies the path to the helper program. Otherwise, - if _/_e_t_c_/_s_u_d_o_._c_o_n_f contains a line specifying the askpass + if sudo.conf(4) contains a line specifying the askpass program, that value will be used. For example: # Path to askpass helper program @@ -299,7 +299,7 @@ DDEESSCCRRIIPPTTIIOONN CCOOMMMMAANNDD EEXXEECCUUTTIIOONN When ssuuddoo executes a command, the security policy specifies the execution - envionment for the command. Typically, the real and effective uid and + environment for the command. Typically, the real and effective uid and gid are set to match those of the target user, as specified in the password database, and the group vector is initialized based on the group database (unless the --PP option was specified). 
@@ -354,7 +354,7 @@ CCOOMMMMAANNDD EEXXEECCUUTTIIOONN As a special case, ssuuddoo will not relay signals that were sent by the command it is running. This prevents the command from accidentally killing itself. On some systems, the reboot(1m) command sends SIGTERM to - all non-system processes other than itself before rebooting the systyem. + all non-system processes other than itself before rebooting the system. This prevents ssuuddoo from relaying the SIGTERM signal it received back to reboot(1m), which might then exit before the system was actually rebooted, leaving it in a half-dead state similar to single user mode. Note, 
@@ -365,126 +365,13 @@ CCOOMMMMAANNDD EEXXEECCUUTTIIOONN run using the eexxeecc() family of functions instead of ssyysstteemm() (which interposes a shell between the command and the calling process). -PPLLUUGGIINNSS - Plugins are dynamically loaded based on the contents of the - _/_e_t_c_/_s_u_d_o_._c_o_n_f file. If no _/_e_t_c_/_s_u_d_o_._c_o_n_f file is present, or it - contains no Plugin lines, ssuuddoo will use the traditional _s_u_d_o_e_r_s security - policy and I/O logging, which corresponds to the following _/_e_t_c_/_s_u_d_o_._c_o_n_f - file. - - # - # Default /etc/sudo.conf file - # - # Format: - # Plugin plugin_name plugin_path plugin_options ... - # Path askpass /path/to/askpass - # Path noexec /path/to/sudo_noexec.so - # Debug sudo /var/log/sudo_debug all@warn - # Set disable_coredump true - # - # The plugin_path is relative to /usr/local/libexec unless - # fully qualified. - # The plugin_name corresponds to a global symbol in the plugin - # that contains the plugin interface structure. - # The plugin_options are optional. - # - Plugin policy_plugin sudoers.so - Plugin io_plugin sudoers.so - - A Plugin line consists of the Plugin keyword, followed by the _s_y_m_b_o_l___n_a_m_e - and the _p_a_t_h to the shared object containing the plugin. The _s_y_m_b_o_l___n_a_m_e - is the name of the struct policy_plugin or struct io_plugin in the plugin - shared object. The _p_a_t_h may be fully qualified or relative. If not - fully qualified it is relative to the _/_u_s_r_/_l_o_c_a_l_/_l_i_b_e_x_e_c directory. Any - additional parameters after the _p_a_t_h are passed as arguments to the - plugin's _o_p_e_n function. Lines that don't begin with Plugin, Path, Debug, - or Set are silently ignored. - - The _/_e_t_c_/_s_u_d_o_._c_o_n_f file is always parsed in the ``C'' locale. - - For more information, see the sudo_plugin(1m) manual. - -PPAATTHHSS - A Path line consists of the Path keyword, followed by the name of the - path to set and its value. E.g. 
- - Path noexec /usr/local/libexec/sudo_noexec.so - Path askpass /usr/X11R6/bin/ssh-askpass - - The following plugin-agnostic paths may be set in the _/_e_t_c_/_s_u_d_o_._c_o_n_f - file: - - askpass The fully qualified path to a helper program used to read the - user's password when no terminal is available. This may be the - case when ssuuddoo is executed from a graphical (as opposed to - text-based) application. The program specified by _a_s_k_p_a_s_s - should display the argument passed to it as the prompt and - write the user's password to the standard output. The value of - _a_s_k_p_a_s_s may be overridden by the SUDO_ASKPASS environment - variable. - - noexec The fully-qualified path to a shared library containing dummy - versions of the eexxeeccvv(), eexxeeccvvee() and ffeexxeeccvvee() library - functions that just return an error. This is used to implement - the _n_o_e_x_e_c functionality on systems that support LD_PRELOAD or - its equivalent. Defaults to _/_u_s_r_/_l_o_c_a_l_/_l_i_b_e_x_e_c_/_s_u_d_o___n_o_e_x_e_c_._s_o. - -DDEEBBUUGG FFLLAAGGSS - ssuuddoo versions 1.8.4 and higher support a flexible debugging framework - that can help track down what ssuuddoo is doing internally if there is a - problem. - - A Debug line consists of the Debug keyword, followed by the name of the - program to debug (ssuuddoo, vviissuuddoo, ssuuddoorreeppllaayy), the debug file name and a - comma-separated list of debug flags. The debug flag syntax used by ssuuddoo - and the _s_u_d_o_e_r_s plugin is _s_u_b_s_y_s_t_e_m@_p_r_i_o_r_i_t_y but the plugin is free to - use a different format so long as it does not include a comma (`,'). - - For instance: - - Debug sudo /var/log/sudo_debug all@warn,plugin@info - - would log all debugging statements at the _w_a_r_n level and higher in - addition to those at the _i_n_f_o level for the plugin subsystem. - - Currently, only one Debug entry per program is supported. 
The ssuuddoo Debug - entry is shared by the ssuuddoo front end, ssuuddooeeddiitt and the plugins. A - future release may add support for per-plugin Debug lines and/or support - for multiple debugging files for a single program. - - The priorities used by the ssuuddoo front end, in order of decreasing - severity, are: _c_r_i_t, _e_r_r, _w_a_r_n, _n_o_t_i_c_e, _d_i_a_g, _i_n_f_o, _t_r_a_c_e and _d_e_b_u_g. - Each priority, when specified, also includes all priorities higher than - it. For example, a priority of _n_o_t_i_c_e would include debug messages - logged at _n_o_t_i_c_e and higher. - - The following subsystems are used by the ssuuddoo front-end: - - _a_l_l matches every subsystem - - _a_r_g_s command line argument processing - - _c_o_n_v user conversation - - _e_d_i_t sudoedit - - _e_x_e_c command execution - - _m_a_i_n ssuuddoo main function - - _n_e_t_i_f network interface handling - - _p_c_o_m_m communication with the plugin - - _p_l_u_g_i_n plugin configuration - - _p_t_y pseudo-tty related code - - _s_e_l_i_n_u_x SELinux-specific handling - - _u_t_i_l utility functions - - _u_t_m_p utmp handling + PPlluuggiinnss + Plugins are dynamically loaded based on the contents of the sudo.conf(4) + file. If no sudo.conf(4) file is present, or it contains no Plugin + lines, ssuuddoo will use the traditional _s_u_d_o_e_r_s security policy and I/O + logging. See the sudo.conf(4) manual for details of the _/_e_t_c_/_s_u_d_o_._c_o_n_f + file and the sudo_plugin(1m) manual for more information about the ssuuddoo + plugin architecture. EEXXIITT VVAALLUUEE Upon successful execution of a program, the exit status from _s_u_d_o will 
@@ -526,15 +413,11 @@ SSEECCUURRIITTYY NNOOTTEESS disables core dumps by default while it is executing (they are re-enabled for the command that is run). To aid in debugging ssuuddoo crashes, you may wish to re-enable core dumps by setting ``disable_coredump'' to false in - the _/_e_t_c_/_s_u_d_o_._c_o_n_f file as follows: + the sudo.conf(4) file as follows: Set disable_coredump false - Note that by default, most operating systems disable core dumps from - setuid programs, which includes ssuuddoo. To actually get a ssuuddoo core file - you may need to enable core dumps for setuid processes. On BSD and Linux - systems this is accomplished via the sysctl command, on Solaris the - coreadm command can be used. + See the sudo.conf(4) manual for more information. EENNVVIIRROONNMMEENNTT ssuuddoo utilizes the following environment variables. The security policy @@ -619,8 +502,8 @@ EEXXAAMMPPLLEESS $ sudo sh -c "cd /home ; du -s * | sort -rn > USAGE" SSEEEE AALLSSOO - su(1), stat(2), login_cap(3), passwd(4), sudoers(4), sudo_plugin(1m), - sudoreplay(1m), visudo(1m) + su(1), stat(2), login_cap(3), passwd(4), sudo.conf(4), sudoers(4), + sudo_plugin(1m), sudoreplay(1m), visudo(1m) HHIISSTTOORRYY See the HISTORY file in the ssuuddoo distribution @@ -670,4 +553,4 @@ DDIISSCCLLAAIIMMEERR file distributed with ssuuddoo or http://www.sudo.ws/sudo/license.html for complete details. -Sudo 1.8.7 November 12, 2012 Sudo 1.8.7 +Sudo 1.8.7 February 5, 2013 Sudo 1.8.7 diff --git a/doc/sudo.conf.cat b/doc/sudo.conf.cat index 198f5f52e..edd22080a 100644 --- a/doc/sudo.conf.cat +++ b/doc/sudo.conf.cat 
@@ -47,12 +47,18 @@ DDEESSCCRRIIPPTTIIOONN Plugin sudoers_policy /usr/local/libexec/sudoers.so - Any additional parameters after the _p_a_t_h are passed as arguments to the - plugin's _o_p_e_n function. For example, to override the compile-time - default sudoers file mode: + Starting with ssuuddoo 1.8.5, any additional parameters after the _p_a_t_h are + passed as arguments to the plugin's _o_p_e_n function. For example, to + override the compile-time default sudoers file mode: Plugin sudoers_policy sudoers.so sudoers_mode=0440 + The same shared object may contain multiple plugins, each with a + different symbol name. The shared object file must be owned by uid 0 and + only writable by its owner. Because of ambiguities that arise from + composite policies, only a single policy plugin may be specified. This + limitation does not apply to I/O plugins. + If no ssuuddoo..ccoonnff file is present, or if it contains no Plugin lines, the ssuuddooeerrss plugin will be used as the default security policy and for I/O logging (if enabled by the policy). This is equivalent to the following: @@ -102,7 +108,7 @@ DDEESSCCRRIIPPTTIIOONN Note that most operating systems disable core dumps from setuid programs, including ssuuddoo. To actually get a ssuuddoo core file you will likely need to enable core dumps for setuid processes. On - BSD and Linux systems this is accomplished via the sysctl + BSD and Linux systems this is accomplished in the sysctl command. On Solaris, the coreadm command is used to configure core dump behavior. @@ -298,7 +304,7 @@ EEXXAAMMPPLLEESS #Set group_source static SSEEEE AALLSSOO - sudoers(4), sudo(1m), sudo_plugin(1m), + sudoers(4), sudo(1m), sudo_plugin(1m) HHIISSTTOORRYY See the HISTORY file in the ssuuddoo distribution @@ -330,4 +336,4 @@ DDIISSCCLLAAIIMMEERR file distributed with ssuuddoo or http://www.sudo.ws/sudo/license.html for complete details. -Sudo 1.8.7 February 1, 2013 Sudo 1.8.7 +Sudo 1.8.7 February 5, 2013 Sudo 1.8.7 
diff --git a/doc/sudo.conf.man.in b/doc/sudo.conf.man.in index 866432ae4..0410e704e 100644 --- a/doc/sudo.conf.man.in +++ b/doc/sudo.conf.man.in @@ -16,7 +16,7 @@ .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. .\" ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.TH "SUDO" "5" "February 1, 2013" "Sudo @PACKAGE_VERSION@" "OpenBSD Programmer's Manual" +.TH "SUDO" "5" "February 5, 2013" "Sudo @PACKAGE_VERSION@" "OpenBSD Programmer's Manual" .nh .if n .ad l .SH "NAME" @@ -124,7 +124,9 @@ Plugin sudoers_policy @PLUGINDIR@/sudoers.so .RE .fi .PP -Any additional parameters after the +Starting with +\fBsudo\fR +1.8.5, any additional parameters after the \fIpath\fR are passed as arguments to the plugin's \fIopen\fR @@ -137,6 +139,13 @@ Plugin sudoers_policy sudoers.so sudoers_mode=0440 .RE .fi .PP +The same shared object may contain multiple plugins, each with a +different symbol name. +The shared object file must be owned by uid 0 and only writable by its owner. +Because of ambiguities that arise from composite policies, only a single +policy plugin may be specified. +This limitation does not apply to I/O plugins. +.PP If no \fBsudo.conf\fR file is present, or if it contains no @@ -239,7 +248,7 @@ including To actually get a \fBsudo\fR core file you will likely need to enable core dumps for setuid processes. -On BSD and Linux systems this is accomplished via the +On BSD and Linux systems this is accomplished in the sysctl command. On Solaris, the @@ -533,7 +542,7 @@ Plugin io_plugin sudoers.so .SH "SEE ALSO" sudoers(@mansectform@), sudo(@mansectsu@), -sudo_plugin(@mansectsu@), +sudo_plugin(@mansectsu@) .SH "HISTORY" See the HISTORY file in the \fBsudo\fR diff --git a/doc/sudo.conf.mdoc.in b/doc/sudo.conf.mdoc.in index 693aed8b6..3ac87ca9c 100644 --- a/doc/sudo.conf.mdoc.in +++ b/doc/sudo.conf.mdoc.in 
@@ -114,7 +114,9 @@ is equivalent to: Plugin sudoers_policy @PLUGINDIR@/sudoers.so .Ed .Pp -Any additional parameters after the +Starting with +.Nm sudo +1.8.5, any additional parameters after the .Em path are passed as arguments to the plugin's .Em open @@ -124,6 +126,13 @@ For example, to override the compile-time default sudoers file mode: Plugin sudoers_policy sudoers.so sudoers_mode=0440 .Ed .Pp +The same shared object may contain multiple plugins, each with a +different symbol name. +The shared object file must be owned by uid 0 and only writable by its owner. +Because of ambiguities that arise from composite policies, only a single +policy plugin may be specified. +This limitation does not apply to I/O plugins. +.Pp If no .Nm sudo.conf file is present, or if it contains no @@ -216,7 +225,7 @@ including To actually get a .Nm sudo core file you will likely need to enable core dumps for setuid processes. -On BSD and Linux systems this is accomplished via the +On BSD and Linux systems this is accomplished in the .Xr sysctl command. On Solaris, the diff --git a/doc/sudo.man.in b/doc/sudo.man.in index bd64ad4e2..f0298841a 100644 --- a/doc/sudo.man.in +++ b/doc/sudo.man.in @@ -1,7 +1,7 @@ .\" DO NOT EDIT THIS FILE, IT IS NOT THE MASTER! .\" IT IS GENERATED AUTOMATICALLY FROM sudo.mdoc.in .\" -.\" Copyright (c) 1994-1996, 1998-2005, 2007-2012 +.\" Copyright (c) 1994-1996, 1998-2005, 2007-2013 .\" Todd C. Miller .\" .\" Permission to use, copy, modify, and distribute this software for any @@ -21,7 +21,7 @@ .\" Agency (DARPA) and Air Force Research Laboratory, Air Force .\" Materiel Command, USAF, under agreement number F39502-99-1-0512. .\" -.TH "SUDO" "@mansectsu@" "November 12, 2012" "Sudo @PACKAGE_VERSION@" "System Manager's Manual" +.TH "SUDO" "@mansectsu@" "February 5, 2013" "Sudo @PACKAGE_VERSION@" "System Manager's Manual" .nh .if n .ad l .SH "NAME" 
@@ -99,7 +99,7 @@ which is configured via the file \fI@sysconfdir@/sudoers\fR, or via LDAP. See the -\fIPLUGINS\fR +\fIPlugins\fR section for more information. .PP The security policy determines what privileges, if any, a user has @@ -162,7 +162,7 @@ If the environment variable is set, it specifies the path to the helper program. Otherwise, if -\fI@sysconfdir@/sudo.conf\fR +sudo.conf(@mansectform@) contains a line specifying the askpass program, that value will be used. For example: @@ -694,7 +694,7 @@ for more information. When \fBsudo\fR executes a command, the security policy specifies the execution -envionment for the command. +environment for the command. Typically, the real and effective uid and gid are set to match those of the target user, as specified in the password database, and the group vector is initialized based on the group database @@ -796,7 +796,7 @@ reboot(@mansectsu@) command sends \fRSIGTERM\fR to all non-system processes other than itself before rebooting -the systyem. +the system. This prevents \fBsudo\fR from relaying the 
@@ -823,250 +823,28 @@ are run using the family of functions instead of \fBsystem\fR() (which interposes a shell between the command and the calling process). -.SH "PLUGINS" +.SS "Plugins" Plugins are dynamically loaded based on the contents of the -\fI@sysconfdir@/sudo.conf\fR +sudo.conf(@mansectform@) file. If no -\fI@sysconfdir@/sudo.conf\fR +sudo.conf(@mansectform@) file is present, or it contains no \fRPlugin\fR lines, \fBsudo\fR will use the traditional \fIsudoers\fR -security policy and I/O logging, which corresponds to the following -\fI@sysconfdir@/sudo.conf\fR -file. -.nf -.sp -.RS 0n -# -# Default @sysconfdir@/sudo.conf file -# -# Format: -# Plugin plugin_name plugin_path plugin_options ... -# Path askpass /path/to/askpass -# Path noexec /path/to/sudo_noexec.so -# Debug sudo /var/log/sudo_debug all@warn -# Set disable_coredump true -# -# The plugin_path is relative to @PLUGINDIR@ unless -# fully qualified. -# The plugin_name corresponds to a global symbol in the plugin -# that contains the plugin interface structure. -# The plugin_options are optional. -# -Plugin policy_plugin sudoers.so -Plugin io_plugin sudoers.so -.RE -.fi -.PP -A -\fRPlugin\fR -line consists of the -\fRPlugin\fR -keyword, followed by the -\fIsymbol_name\fR -and the -\fIpath\fR -to the shared object containing the plugin. -The -\fIsymbol_name\fR -is the name of the -\fRstruct policy_plugin\fR -or -\fRstruct io_plugin\fR -in the plugin shared object. -The -\fIpath\fR -may be fully qualified or relative. -If not fully qualified it is relative to the -\fI@PLUGINDIR@\fR -directory. -Any additional parameters after the -\fIpath\fR -are passed as arguments to the plugin's -\fIopen\fR -function. -Lines that don't begin with -\fRPlugin\fR, -\fRPath\fR, -\fRDebug\fR, -or -\fRSet\fR -are silently ignored. -.PP -The +security policy and I/O logging. +See the +sudo.conf(@mansectform@) +manual for details of the \fI@sysconfdir@/sudo.conf\fR -file is always parsed in the -``\fRC\fR'' -locale. 
-.PP -For more information, see the +file and the sudo_plugin(@mansectsu@) -manual. -.SH "PATHS" -A -\fRPath\fR -line consists of the -\fRPath\fR -keyword, followed by the name of the path to set and its value. -E.g. -.nf -.sp -.RS 6n -Path noexec @noexec_file@ -Path askpass /usr/X11R6/bin/ssh-askpass -.RE -.fi -.PP -The following plugin-agnostic paths may be set in the -\fI@sysconfdir@/sudo.conf\fR -file: -.TP 10n -askpass -The fully qualified path to a helper program used to read the user's -password when no terminal is available. -This may be the case when -\fBsudo\fR -is executed from a graphical (as opposed to text-based) application. -The program specified by -\fIaskpass\fR -should display the argument passed to it as the prompt and write -the user's password to the standard output. -The value of -\fIaskpass\fR -may be overridden by the -\fRSUDO_ASKPASS\fR -environment variable. -.TP 10n -noexec -The fully-qualified path to a shared library containing dummy -versions of the -\fBexecv\fR(), -\fBexecve\fR() -and -\fBfexecve\fR() -library functions that just return an error. -This is used to implement the -\fInoexec\fR -functionality on systems that support -\fRLD_PRELOAD\fR -or its equivalent. -Defaults to -\fI@noexec_file@\fR. -.SH "DEBUG FLAGS" -\fBsudo\fR -versions 1.8.4 and higher support a flexible debugging framework -that can help track down what -\fBsudo\fR -is doing internally if there is a problem. -.PP -A -\fRDebug\fR -line consists of the -\fRDebug\fR -keyword, followed by the name of the program to debug -(\fBsudo\fR, \fBvisudo\fR, \fBsudoreplay\fR), -the debug file name and a comma-separated list of debug flags. -The debug flag syntax used by -\fBsudo\fR -and the -\fIsudoers\fR -plugin is -\fIsubsystem\fR@\fIpriority\fR -but the plugin is free to use a different format so long as it does -not include a comma -(`\&,'). 
-.PP -For instance: -.nf -.sp -.RS 6n -Debug sudo /var/log/sudo_debug all@warn,plugin@info -.RE -.fi -.PP -would log all debugging statements at the -\fIwarn\fR -level and higher in addition to those at the -\fIinfo\fR -level for the plugin subsystem. -.PP -Currently, only one -\fRDebug\fR -entry per program is supported. -The +manual for more information about the \fBsudo\fR -\fRDebug\fR -entry is shared by the -\fBsudo\fR -front end, -\fBsudoedit\fR -and the plugins. -A future release may add support for per-plugin -\fRDebug\fR -lines and/or support for multiple debugging files for a single -program. -.PP -The priorities used by the -\fBsudo\fR -front end, in order of decreasing severity, are: -\fIcrit\fR, \fIerr\fR, \fIwarn\fR, \fInotice\fR, \fIdiag\fR, \fIinfo\fR, \fItrace\fR -and -\fIdebug\fR. -Each priority, when specified, also includes all priorities higher -than it. -For example, a priority of -\fInotice\fR -would include debug messages logged at -\fInotice\fR -and higher. -.PP -The following subsystems are used by the -\fBsudo\fR -front-end: -.TP 12n -\fIall\fR -matches every subsystem -.TP 12n -\fIargs\fR -command line argument processing -.TP 12n -\fIconv\fR -user conversation -.TP 12n -\fIedit\fR -sudoedit -.TP 12n -\fIexec\fR -command execution -.TP 12n -\fImain\fR -\fBsudo\fR -main function -.TP 12n -\fInetif\fR -network interface handling -.TP 12n -\fIpcomm\fR -communication with the plugin -.TP 12n -\fIplugin\fR -plugin configuration -.TP 12n -\fIpty\fR -pseudo-tty related code -.TP 12n -\fIselinux\fR -SELinux-specific handling -.TP 12n -\fIutil\fR -utility functions -.TP 12n -\fIutmp\fR -utmp handling +plugin architecture. .SH "EXIT VALUE" Upon successful execution of a program, the exit status from \fIsudo\fR @@ -1148,7 +926,7 @@ To aid in debugging crashes, you may wish to re-enable core dumps by setting ``disable_coredump'' to false in the -\fI@sysconfdir@/sudo.conf\fR +sudo.conf(@mansectform@) file as follows: .nf .sp 
@@ -1157,14 +935,9 @@ Set disable_coredump false .RE .fi .PP -Note that by default, most operating systems disable core dumps -from setuid programs, which includes -\fBsudo\fR. -To actually get a -\fBsudo\fR -core file you may need to enable core dumps for setuid processes. -On BSD and Linux systems this is accomplished via the sysctl command, -on Solaris the coreadm command can be used. +See the +sudo.conf(@mansectform@) +manual for more information. .SH "ENVIRONMENT" \fBsudo\fR utilizes the following environment variables. @@ -1333,6 +1106,7 @@ su(1), stat(2), login_cap(3), passwd(@mansectform@), +sudo.conf(@mansectform@), sudoers(@mansectform@), sudo_plugin(@mansectsu@), sudoreplay(@mansectsu@), diff --git a/doc/sudo.mdoc.in b/doc/sudo.mdoc.in index 095b3b90c..e20b89821 100644 --- a/doc/sudo.mdoc.in +++ b/doc/sudo.mdoc.in @@ -1,5 +1,5 @@ .\" -.\" Copyright (c) 1994-1996, 1998-2005, 2007-2012 +.\" Copyright (c) 1994-1996, 1998-2005, 2007-2013 .\" Todd C. Miller .\" .\" Permission to use, copy, modify, and distribute this software for any @@ -19,7 +19,7 @@ .\" Agency (DARPA) and Air Force Research Laboratory, Air Force .\" Materiel Command, USAF, under agreement number F39502-99-1-0512. .\" -.Dd November 12, 2012 +.Dd February 5, 2013 .Dt SUDO @mansectsu@ .Os Sudo @PACKAGE_VERSION@ .Sh NAME @@ -139,7 +139,7 @@ which is configured via the file .Pa @sysconfdir@/sudoers , or via LDAP. See the -.Sx PLUGINS +.Sx Plugins section for more information. .Pp The security policy determines what privileges, if any, a user has @@ -202,7 +202,7 @@ If the environment variable is set, it specifies the path to the helper program. Otherwise, if -.Pa @sysconfdir@/sudo.conf +.Xr sudo.conf @mansectform@ contains a line specifying the askpass program, that value will be used. For example: 
@@ -687,7 +687,7 @@ for more information. When .Nm sudo executes a command, the security policy specifies the execution -envionment for the command. +environment for the command. Typically, the real and effective uid and gid are set to match those of the target user, as specified in the password database, and the group vector is initialized based on the group database @@ -780,7 +780,7 @@ On some systems, the command sends .Dv SIGTERM to all non-system processes other than itself before rebooting -the systyem. +the system. This prevents .Nm sudo from relaying the 
@@ -807,230 +807,28 @@ are run using the family of functions instead of .Fn system (which interposes a shell between the command and the calling process). -.Sh PLUGINS +.Ss Plugins Plugins are dynamically loaded based on the contents of the -.Pa @sysconfdir@/sudo.conf +.Xr sudo.conf @mansectform@ file. If no -.Pa @sysconfdir@/sudo.conf +.Xr sudo.conf @mansectform@ file is present, or it contains no .Li Plugin lines, .Nm sudo will use the traditional .Em sudoers -security policy and I/O logging, which corresponds to the following -.Pa @sysconfdir@/sudo.conf -file. -.Bd -literal -# -# Default @sysconfdir@/sudo.conf file -# -# Format: -# Plugin plugin_name plugin_path plugin_options ... -# Path askpass /path/to/askpass -# Path noexec /path/to/sudo_noexec.so -# Debug sudo /var/log/sudo_debug all@warn -# Set disable_coredump true -# -# The plugin_path is relative to @PLUGINDIR@ unless -# fully qualified. -# The plugin_name corresponds to a global symbol in the plugin -# that contains the plugin interface structure. -# The plugin_options are optional. -# -Plugin policy_plugin sudoers.so -Plugin io_plugin sudoers.so -.Ed -.Pp -A -.Li Plugin -line consists of the -.Li Plugin -keyword, followed by the -.Em symbol_name -and the -.Em path -to the shared object containing the plugin. -The -.Em symbol_name -is the name of the -.Li struct policy_plugin -or -.Li struct io_plugin -in the plugin shared object. -The -.Em path -may be fully qualified or relative. -If not fully qualified it is relative to the -.Pa @PLUGINDIR@ -directory. -Any additional parameters after the -.Em path -are passed as arguments to the plugin's -.Em open -function. -Lines that don't begin with -.Li Plugin , -.Li Path , -.Li Debug , -or -.Li Set -are silently ignored. -.Pp -The +security policy and I/O logging. +See the +.Xr sudo.conf @mansectform@ +manual for details of the .Pa @sysconfdir@/sudo.conf -file is always parsed in the -.Dq Li C -locale. 
-.Pp -For more information, see the +file and the .Xr sudo_plugin @mansectsu@ -manual. -.Sh PATHS -A -.Li Path -line consists of the -.Li Path -keyword, followed by the name of the path to set and its value. -E.g. -.Bd -literal -offset indent -Path noexec @noexec_file@ -Path askpass /usr/X11R6/bin/ssh-askpass -.Ed -.Pp -The following plugin-agnostic paths may be set in the -.Pa @sysconfdir@/sudo.conf -file: -.Bl -tag -width 8n -.It askpass -The fully qualified path to a helper program used to read the user's -password when no terminal is available. -This may be the case when -.Nm sudo -is executed from a graphical (as opposed to text-based) application. -The program specified by -.Em askpass -should display the argument passed to it as the prompt and write -the user's password to the standard output. -The value of -.Em askpass -may be overridden by the -.Ev SUDO_ASKPASS -environment variable. -.It noexec -The fully-qualified path to a shared library containing dummy -versions of the -.Fn execv , -.Fn execve -and -.Fn fexecve -library functions that just return an error. -This is used to implement the -.Em noexec -functionality on systems that support -.Ev LD_PRELOAD -or its equivalent. -Defaults to -.Pa @noexec_file@ . -.El -.Sh DEBUG FLAGS -.Nm sudo -versions 1.8.4 and higher support a flexible debugging framework -that can help track down what +manual for more information about the .Nm sudo -is doing internally if there is a problem. -.Pp -A -.Li Debug -line consists of the -.Li Debug -keyword, followed by the name of the program to debug -.Pq Nm sudo , Nm visudo , Nm sudoreplay , -the debug file name and a comma-separated list of debug flags. -The debug flag syntax used by -.Nm sudo -and the -.Em sudoers -plugin is -.Em subsystem Ns No @ Ns Em priority -but the plugin is free to use a different format so long as it does -not include a comma -.Pq Ql \&, . 
-.Pp -For instance: -.Bd -literal -offset indent -Debug sudo /var/log/sudo_debug all@warn,plugin@info -.Ed -.Pp -would log all debugging statements at the -.Em warn -level and higher in addition to those at the -.Em info -level for the plugin subsystem. -.Pp -Currently, only one -.Li Debug -entry per program is supported. -The -.Nm sudo -.Li Debug -entry is shared by the -.Nm sudo -front end, -.Nm sudoedit -and the plugins. -A future release may add support for per-plugin -.Li Debug -lines and/or support for multiple debugging files for a single -program. -.Pp -The priorities used by the -.Nm sudo -front end, in order of decreasing severity, are: -.Em crit , err , warn , notice , diag , info , trace -and -.Em debug . -Each priority, when specified, also includes all priorities higher -than it. -For example, a priority of -.Em notice -would include debug messages logged at -.Em notice -and higher. -.Pp -The following subsystems are used by the -.Nm sudo -front-end: -.Bl -tag -width Fl -.It Em all -matches every subsystem -.It Em args -command line argument processing -.It Em conv -user conversation -.It Em edit -sudoedit -.It Em exec -command execution -.It Em main -.Nm sudo -main function -.It Em netif -network interface handling -.It Em pcomm -communication with the plugin -.It Em plugin -plugin configuration -.It Em pty -pseudo-tty related code -.It Em selinux -SELinux-specific handling -.It Em util -utility functions -.It Em utmp -utmp handling -.El +plugin architecture. .Sh EXIT VALUE Upon successful execution of a program, the exit status from .Em sudo 
@@ -1112,20 +910,15 @@ To aid in debugging crashes, you may wish to re-enable core dumps by setting .Dq disable_coredump to false in the -.Pa @sysconfdir@/sudo.conf +.Xr sudo.conf @mansectform@ file as follows: .Bd -literal -offset indent Set disable_coredump false .Ed .Pp -Note that by default, most operating systems disable core dumps -from setuid programs, which includes -.Nm sudo . -To actually get a -.Nm sudo -core file you may need to enable core dumps for setuid processes. -On BSD and Linux systems this is accomplished via the sysctl command, -on Solaris the coreadm command can be used. +See the +.Xr sudo.conf @mansectform@ +manual for more information. .Sh ENVIRONMENT .Nm sudo utilizes the following environment variables. @@ -1261,6 +1054,7 @@ $ sudo sh -c "cd /home ; du -s * | sort -rn > USAGE" .Xr stat 2 , .Xr login_cap 3 , .Xr passwd @mansectform@ , +.Xr sudo.conf @mansectform@ , .Xr sudoers @mansectform@ , .Xr sudo_plugin @mansectsu@ , .Xr sudoreplay @mansectsu@ , diff --git a/doc/sudo_plugin.cat b/doc/sudo_plugin.cat index ae265109b..097e48ba6 100644 --- a/doc/sudo_plugin.cat +++ b/doc/sudo_plugin.cat @@ -5,11 +5,10 @@ NNAAMMEE DDEESSCCRRIIPPTTIIOONN Starting with version 1.8, ssuuddoo supports a plugin API for policy and - session logging. By default, the _s_u_d_o_e_r_s policy plugin and an associated + session logging. By default, the ssuuddooeerrss policy plugin and an associated I/O logging plugin are used. Via the plugin API, ssuuddoo can be configured to use alternate policy and/or I/O logging plugins provided by third - parties. The plugins to be used are specified via the _/_e_t_c_/_s_u_d_o_._c_o_n_f - file. + parties. The plugins to be used are specified in the sudo.conf(4) file. The API is versioned with a major and minor number. The minor version number is incremented when additions are made. The major number is 
@@ -18,50 +17,11 @@ DDEESSCCRRIIPPTTIIOONN The plugin API is defined by the sudo_plugin.h header file. - TThhee ssuuddoo..ccoonnff ffiillee - The _/_e_t_c_/_s_u_d_o_._c_o_n_f file contains plugin configuration directives. The - primary keyword is the Plugin directive, which causes a plugin to be - loaded. It is always parsed in the ``C'' locale. - - A Plugin line consists of the Plugin keyword, followed by the _s_y_m_b_o_l___n_a_m_e - and the _p_a_t_h to the shared object containing the plugin. The _s_y_m_b_o_l___n_a_m_e - is the name of the struct policy_plugin or struct io_plugin in the plugin - shared object. The _p_a_t_h may be fully qualified or relative. If not - fully qualified it is relative to the _/_u_s_r_/_l_o_c_a_l_/_l_i_b_e_x_e_c directory. Any - additional parameters after the _p_a_t_h are passed as options to the - plugin's ooppeenn() function. Lines that don't begin with Plugin, Path, - Debug or Set are silently ignored. - - The same shared object may contain multiple plugins, each with a - different symbol name. The shared object file must be owned by uid 0 and - only writable by its owner. Because of ambiguities that arise from - composite policies, only a single policy plugin may be specified. This - limitation does not apply to I/O plugins. - - # - # Default /etc/sudo.conf file - # - # Format: - # Plugin plugin_name plugin_path plugin_options ... - # Path askpass /path/to/askpass - # Path noexec /path/to/sudo_noexec.so - # Debug sudo /var/log/sudo_debug all@warn - # Set disable_coredump true - # - # The plugin_path is relative to /usr/local/libexec unless - # fully qualified. - # The plugin_name corresponds to a global symbol in the plugin - # that contains the plugin interface structure. - # The plugin_options are optional. - # - Plugin sudoers_policy sudoers.so - Plugin sudoers_io sudoers.so - PPoolliiccyy pplluuggiinn AAPPII A policy plugin must declare and populate a policy_plugin struct in the global scope. 
This structure contains pointers to the functions that implement the ssuuddoo policy checks. The name of the symbol should be - specified in _/_e_t_c_/_s_u_d_o_._c_o_n_f along with a path to the plugin so that ssuuddoo + specified in sudo.conf(4) along with a path to the plugin so that ssuuddoo can load it. struct policy_plugin { 
@@ -143,26 +103,14 @@ DDEESSCCRRIIPPTTIIOONN debug_flags=string A comma-separated list of debug flags that correspond - to ssuuddoo's Debug entry in _/_e_t_c_/_s_u_d_o_._c_o_n_f, if there is - one. The flags are passed to the plugin as they appear - in _/_e_t_c_/_s_u_d_o_._c_o_n_f. The syntax used by ssuuddoo and the - _s_u_d_o_e_r_s plugin is _s_u_b_s_y_s_t_e_m@_p_r_i_o_r_i_t_y but the plugin is - free to use a different format so long as it does not - include a comma (`,'). - - For reference, the priorities supported by the ssuuddoo - front end and _s_u_d_o_e_r_s are: _c_r_i_t, _e_r_r, _w_a_r_n, _n_o_t_i_c_e, - _d_i_a_g, _i_n_f_o, _t_r_a_c_e and _d_e_b_u_g. - - The following subsystems are defined: _m_a_i_n, _m_e_m_o_r_y, - _a_r_g_s, _e_x_e_c, _p_t_y, _u_t_m_p, _c_o_n_v, _p_c_o_m_m, _u_t_i_l, _l_i_s_t, _n_e_t_i_f, - _a_u_d_i_t, _e_d_i_t, _s_e_l_i_n_u_x, _l_d_a_p, _m_a_t_c_h, _p_a_r_s_e_r, _a_l_i_a_s, - _d_e_f_a_u_l_t_s, _a_u_t_h, _e_n_v, _l_o_g_g_i_n_g, _n_s_s, _r_b_t_r_e_e, _p_e_r_m_s, - _p_l_u_g_i_n. The subsystem _a_l_l includes every subsystem. - - There is not currently a way to specify a set of debug - flags specific to the plugin--the flags are shared by - ssuuddoo and the plugin. + to ssuuddoo's Debug entry in sudo.conf(4), if there is one. + The flags are passed to the plugin as they appear in + sudo.conf(4). The syntax used by ssuuddoo and the ssuuddooeerrss + plugin is _s_u_b_s_y_s_t_e_m@_p_r_i_o_r_i_t_y but the plugin is free to + use a different format so long as it does not include a + comma (`,'). There is not currently a way to specify a + set of debug flags specific to the plugin--the flags + are shared by ssuuddoo and the plugin. debug_level=number This setting has been deprecated in favor of 
@@ -297,9 +245,9 @@ DDEESSCCRRIIPPTTIIOONN version 1.2 tcpgid=int - The ID of the forground process group associated with - the terminal device associcated with the ssuuddoo process - or -1 if there is no terminal present. Only available + The ID of the foreground process group associated with + the terminal device associated with the ssuuddoo process or + -1 if there is no terminal present. Only available starting with API version 1.2 user=string @@ -682,7 +630,7 @@ DDEESSCCRRIIPPTTIIOONN int (*validate)(void); The vvaalliiddaattee() function is called when ssuuddoo is run with the --vv - flag. For policy plugins such as _s_u_d_o_e_r_s that cache authentication + flag. For policy plugins such as ssuuddooeerrss that cache authentication credentials, this function will validate and cache the credentials. The vvaalliiddaattee() function should be NULL if the plugin does not @@ -697,7 +645,7 @@ DDEESSCCRRIIPPTTIIOONN void (*invalidate)(int remove); The iinnvvaalliiddaattee() function is called when ssuuddoo is called with the --kk - or --KK flag. For policy plugins such as _s_u_d_o_e_r_s that cache + or --KK flag. For policy plugins such as ssuuddooeerrss that cache authentication credentials, this function will invalidate the credentials. If the _r_e_m_o_v_e flag is set, the plugin may remove the credentials instead of simply invalidating them. 
@@ -1282,17 +1230,16 @@ DDEESSCCRRIIPPTTIIOONN Unlike, SUDO_CONV_INFO_MSG and Dv SUDO_CONV_ERROR_MSG , messages sent with the SUDO_CONV_DEBUG_MSG _m_s_g___t_y_p_e are not directly user-visible. Instead, they are logged to the file specified in the Debug statement (if - any) in the _/_e_t_c_/_s_u_d_o_._c_o_n_f - - file. This allows a plugin to log debugging information and is intended - to be used in conjunction with the _d_e_b_u_g___f_l_a_g_s setting. + any) in the sudo.conf(4). file. This allows a plugin to log debugging + information and is intended to be used in conjunction with the + _d_e_b_u_g___f_l_a_g_s setting. See the sample plugin for an example of the ccoonnvveerrssaattiioonn() function usage. SSuuddooeerrss ggrroouupp pplluuggiinn AAPPII - The _s_u_d_o_e_r_s module supports a plugin interface to allow non-Unix group - lookups. This can be used to query a group source other than the + The ssuuddooeerrss plugin supports its own plugin interface to allow non-Unix + group lookups. This can be used to query a group source other than the standard Unix group database. A sample group plugin is bundled with ssuuddoo that implements file-based lookups. Third party group plugins include a QAS AD plugin available from Quest Software. @@ -1315,7 +1262,7 @@ DDEESSCCRRIIPPTTIIOONN version The version field should be set to GROUP_API_VERSION. - This allows _s_u_d_o_e_r_s to determine the API version the group plugin + This allows ssuuddooeerrss to determine the API version the group plugin was built against. init @@ -1332,9 +1279,9 @@ DDEESSCCRRIIPPTTIIOONN The function arguments are as follows: version - The version passed in by _s_u_d_o_e_r_s allows the plugin to + The version passed in by ssuuddooeerrss allows the plugin to determine the major and minor version number of the group - plugin API supported by _s_u_d_o_e_r_s. + plugin API supported by ssuuddooeerrss. plugin_printf A pointer to a pprriinnttff()-style function that may be used to 
@@ -1349,7 +1296,7 @@ DDEESSCCRRIIPPTTIIOONN cleanup void (*cleanup)(); - The cclleeaannuupp() function is called when _s_u_d_o_e_r_s has finished its + The cclleeaannuupp() function is called when ssuuddooeerrss has finished its group checks. The plugin should free any memory it has allocated and close open file handles. @@ -1401,7 +1348,7 @@ PPLLUUGGIINN AAPPII CCHHAANNGGEELLOOGG Version 1.2 The Policy and I/O logging plugins' ooppeenn() functions are now passed - a list of plugin options if any are specified in _/_e_t_c_/_s_u_d_o_._c_o_n_f. + a list of plugin parameters if any are specified in sudo.conf(4). A simple hooks API has been introduced to allow plugins to hook in to the system's environment handling functions. @@ -1419,7 +1366,7 @@ PPLLUUGGIINN AAPPII CCHHAANNGGEELLOOGG common signals while the plugin functions are run. SSEEEE AALLSSOO - sudoers(4), sudo(1m) + sudo.conf(4), sudoers(4), sudo(1m) BBUUGGSS If you feel you have found a bug in ssuuddoo, please submit a bug report at @@ -1437,4 +1384,4 @@ DDIISSCCLLAAIIMMEERR file distributed with ssuuddoo or http://www.sudo.ws/sudo/license.html for complete details. -Sudo 1.8.7 Janurary 11, 2013 Sudo 1.8.7 +Sudo 1.8.7 February 5, 2013 Sudo 1.8.7 diff --git a/doc/sudo_plugin.man.in b/doc/sudo_plugin.man.in index b4716957d..075956db0 100644 --- a/doc/sudo_plugin.man.in +++ b/doc/sudo_plugin.man.in @@ -16,7 +16,7 @@ .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. .\" ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.TH "SUDO_PLUGIN" "5" "Janurary 11, 2013" "Sudo @PACKAGE_VERSION@" "OpenBSD Programmer's Manual" +.TH "SUDO_PLUGIN" "5" "February 5, 2013" "Sudo @PACKAGE_VERSION@" "OpenBSD Programmer's Manual" .nh .if n .ad l .SH "NAME" 
@@ -28,14 +28,14 @@ Starting with version 1.8, supports a plugin API for policy and session logging. By default, the -\fIsudoers\fR +\fBsudoers\fR policy plugin and an associated I/O logging plugin are used. Via the plugin API, \fBsudo\fR can be configured to use alternate policy and/or I/O logging plugins provided by third parties. -The plugins to be used are specified via the -\fI@sysconfdir@/sudo.conf\fR +The plugins to be used are specified in the +sudo.conf(@mansectform@) file. .PP The API is versioned with a major and minor number. 
@@ -47,81 +47,6 @@ major version matches. The plugin API is defined by the \fRsudo_plugin.h\fR header file. -.SS "The sudo.conf file" -The -\fI@sysconfdir@/sudo.conf\fR -file contains plugin configuration directives. -The primary keyword is the -\fRPlugin\fR -directive, which causes a plugin to be loaded. -It is always parsed in the -``\fRC\fR'' -locale. -.PP -A -\fRPlugin\fR -line consists of the -\fRPlugin\fR -keyword, followed by the -\fIsymbol_name\fR -and the -\fIpath\fR -to the shared object containing the plugin. -The -\fIsymbol_name\fR -is the name of the -\fRstruct policy_plugin\fR -or -\fRstruct io_plugin\fR -in the plugin shared object. -The -\fIpath\fR -may be fully qualified or relative. -If not fully qualified it is relative to the -\fI@PLUGINDIR@\fR -directory. -Any additional parameters after the -\fIpath\fR -are passed as options to the plugin's -\fBopen\fR() -function. -Lines that don't begin with -\fRPlugin\fR, -\fRPath\fR, -\fRDebug\fR -or -\fRSet\fR -are silently ignored. -.PP -The same shared object may contain multiple plugins, each with a -different symbol name. -The shared object file must be owned by uid 0 and only writable by its owner. -Because of ambiguities that arise from composite policies, only a single -policy plugin may be specified. -This limitation does not apply to I/O plugins. -.nf -.sp -.RS 0n -# -# Default @sysconfdir@/sudo.conf file -# -# Format: -# Plugin plugin_name plugin_path plugin_options ... -# Path askpass /path/to/askpass -# Path noexec /path/to/sudo_noexec.so -# Debug sudo /var/log/sudo_debug all@warn -# Set disable_coredump true -# -# The plugin_path is relative to @PLUGINDIR@ unless -# fully qualified. -# The plugin_name corresponds to a global symbol in the plugin -# that contains the plugin interface structure. -# The plugin_options are optional. -# -Plugin sudoers_policy sudoers.so -Plugin sudoers_io sudoers.so -.RE -.fi .SS "Policy plugin API" A policy plugin must declare and populate a \fRpolicy_plugin\fR 
@@ -130,7 +55,7 @@ This structure contains pointers to the functions that implement the \fBsudo\fR policy checks. The name of the symbol should be specified in -\fI@sysconfdir@/sudo.conf\fR +sudo.conf(@mansectform@) along with a path to the plugin so that \fBsudo\fR can load it. @@ -260,66 +185,19 @@ A comma-separated list of debug flags that correspond to \fBsudo\fR's \fRDebug\fR entry in -\fI@sysconfdir@/sudo.conf\fR, +sudo.conf(@mansectform@), if there is one. The flags are passed to the plugin as they appear in -\fI@sysconfdir@/sudo.conf\fR. +sudo.conf(@mansectform@). The syntax used by \fBsudo\fR and the -\fIsudoers\fR +\fBsudoers\fR plugin is \fIsubsystem\fR@\fIpriority\fR but the plugin is free to use a different format so long as it does not include a comma (`,\&'). -.sp -For reference, the priorities supported by the -\fBsudo\fR -front end and -\fIsudoers\fR -are: -\fIcrit\fR, -\fIerr\fR, -\fIwarn\fR, -\fInotice\fR, -\fIdiag\fR, -\fIinfo\fR, -\fItrace\fR -and -\fIdebug\fR. -.sp -The following subsystems are defined: -\fImain\fR, -\fImemory\fR, -\fIargs\fR, -\fIexec\fR, -\fIpty\fR, -\fIutmp\fR, -\fIconv\fR, -\fIpcomm\fR, -\fIutil\fR, -\fIlist\fR, -\fInetif\fR, -\fIaudit\fR, -\fIedit\fR, -\fIselinux\fR, -\fIldap\fR, -\fImatch\fR, -\fIparser\fR, -\fIalias\fR, -\fIdefaults\fR, -\fIauth\fR, -\fIenv\fR, -\fIlogging\fR, -\fInss\fR, -\fIrbtree\fR, -\fIperms\fR, -\fIplugin\fR. -The subsystem -\fIall\fR -includes every subsystem. -.sp There is not currently a way to specify a set of debug flags specific to the plugin--the flags are shared by \fBsudo\fR @@ -542,8 +420,8 @@ to. Only available starting with API version 1.2 .TP 6n tcpgid=int -The ID of the forground process group associated with the terminal -device associcated with the +The ID of the foreground process group associated with the terminal +device associated with the \fBsudo\fR process or \-1 if there is no terminal present. 
@@ -1178,7 +1056,7 @@ is run with the \fB\-v\fR flag. For policy plugins such as -\fIsudoers\fR +\fBsudoers\fR that cache authentication credentials, this function will validate and cache the credentials. @@ -1222,7 +1100,7 @@ or \fB\-K\fR flag. For policy plugins such as -\fIsudoers\fR +\fBsudoers\fR that cache authentication credentials, this function will invalidate the credentials. @@ -2359,8 +2237,7 @@ user-visible. Instead, they are logged to the file specified in the \fRDebug\fR statement (if any) in the -\fI@sysconfdir@/sudo.conf\fR -.PP +sudo.conf(@mansectform@). file. This allows a plugin to log debugging information and is intended to be used in conjunction with the @@ -2372,8 +2249,8 @@ See the sample plugin for an example of the function usage. .SS "Sudoers group plugin API" The -\fIsudoers\fR -module supports a plugin interface to allow non-Unix +\fBsudoers\fR +plugin supports its own plugin interface to allow non-Unix group lookups. This can be used to query a group source other than the standard Unix group database. @@ -2411,7 +2288,7 @@ The field should be set to GROUP_API_VERSION. .sp This allows -\fIsudoers\fR +\fBsudoers\fR to determine the API version the group plugin was built against. .TP 6n @@ -2443,10 +2320,10 @@ The function arguments are as follows: .TP 6n version The version passed in by -\fIsudoers\fR +\fBsudoers\fR allows the plugin to determine the major and minor version number of the group plugin API supported by -\fIsudoers\fR. +\fBsudoers\fR. .TP 6n plugin_printf A pointer to a @@ -2480,7 +2357,7 @@ void (*cleanup)(); The \fBcleanup\fR() function is called when -\fIsudoers\fR +\fBsudoers\fR has finished its group checks. The plugin should free any memory it has allocated and close open file handles. 
@@ -2567,8 +2444,8 @@ Version 1.2 The Policy and I/O logging plugins' \fBopen\fR() functions are now passed -a list of plugin options if any are specified in -\fI@sysconfdir@/sudo.conf\fR. +a list of plugin parameters if any are specified in +sudo.conf(@mansectform@). .sp A simple hooks API has been introduced to allow plugins to hook in to the system's environment handling functions. @@ -2592,6 +2469,7 @@ The front end now installs default signal handlers to trap common signals while the plugin functions are run. .SH "SEE ALSO" +sudo.conf(@mansectform@), sudoers(@mansectform@), sudo(@mansectsu@) .SH "BUGS" diff --git a/doc/sudo_plugin.mdoc.in b/doc/sudo_plugin.mdoc.in index 4b1b602de..103b07021 100644 --- a/doc/sudo_plugin.mdoc.in +++ b/doc/sudo_plugin.mdoc.in @@ -14,7 +14,7 @@ .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. .\" ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.Dd Janurary 11, 2013 +.Dd February 5, 2013 .Dt SUDO_PLUGIN @mansectform@ .Os Sudo @PACKAGE_VERSION@ .Sh NAME @@ -26,14 +26,14 @@ Starting with version 1.8, supports a plugin API for policy and session logging. By default, the -.Em sudoers +.Nm sudoers policy plugin and an associated I/O logging plugin are used. Via the plugin API, .Nm sudo can be configured to use alternate policy and/or I/O logging plugins provided by third parties. -The plugins to be used are specified via the -.Pa @sysconfdir@/sudo.conf +The plugins to be used are specified in the +.Xr sudo.conf @mansectform@ file. .Pp The API is versioned with a major and minor number. 
@@ -45,78 +45,6 @@ major version matches. The plugin API is defined by the .Li sudo_plugin.h header file. -.Ss The sudo.conf file -The -.Pa @sysconfdir@/sudo.conf -file contains plugin configuration directives. -The primary keyword is the -.Li Plugin -directive, which causes a plugin to be loaded. -It is always parsed in the -.Dq Li C -locale. -.Pp -A -.Li Plugin -line consists of the -.Li Plugin -keyword, followed by the -.Em symbol_name -and the -.Em path -to the shared object containing the plugin. -The -.Em symbol_name -is the name of the -.Li struct policy_plugin -or -.Li struct io_plugin -in the plugin shared object. -The -.Em path -may be fully qualified or relative. -If not fully qualified it is relative to the -.Pa @PLUGINDIR@ -directory. -Any additional parameters after the -.Em path -are passed as options to the plugin's -.Fn open -function. -Lines that don't begin with -.Li Plugin , -.Li Path , -.Li Debug -or -.Li Set -are silently ignored. -.Pp -The same shared object may contain multiple plugins, each with a -different symbol name. -The shared object file must be owned by uid 0 and only writable by its owner. -Because of ambiguities that arise from composite policies, only a single -policy plugin may be specified. -This limitation does not apply to I/O plugins. -.Bd -literal -# -# Default @sysconfdir@/sudo.conf file -# -# Format: -# Plugin plugin_name plugin_path plugin_options ... -# Path askpass /path/to/askpass -# Path noexec /path/to/sudo_noexec.so -# Debug sudo /var/log/sudo_debug all@warn -# Set disable_coredump true -# -# The plugin_path is relative to @PLUGINDIR@ unless -# fully qualified. -# The plugin_name corresponds to a global symbol in the plugin -# that contains the plugin interface structure. -# The plugin_options are optional. -# -Plugin sudoers_policy sudoers.so -Plugin sudoers_io sudoers.so -.Ed .Ss Policy plugin API A policy plugin must declare and populate a .Li policy_plugin 
@@ -125,7 +53,7 @@ This structure contains pointers to the functions that implement the .Nm sudo policy checks. The name of the symbol should be specified in -.Pa @sysconfdir@/sudo.conf +.Xr sudo.conf @mansectform@ along with a path to the plugin so that .Nm sudo can load it. @@ -243,66 +171,19 @@ A comma-separated list of debug flags that correspond to .Nm sudo Ns No 's .Li Debug entry in -.Pa @sysconfdir@/sudo.conf , +.Xr sudo.conf @mansectform@ , if there is one. The flags are passed to the plugin as they appear in -.Pa @sysconfdir@/sudo.conf . +.Xr sudo.conf @mansectform@ . The syntax used by .Nm sudo and the -.Em sudoers +.Nm sudoers plugin is .Em subsystem Ns No @ Ns Em priority but the plugin is free to use a different format so long as it does not include a comma .Pq Ql ,\& . -.Pp -For reference, the priorities supported by the -.Nm sudo -front end and -.Em sudoers -are: -.Em crit , -.Em err , -.Em warn , -.Em notice , -.Em diag , -.Em info , -.Em trace -and -.Em debug . -.Pp -The following subsystems are defined: -.Em main , -.Em memory , -.Em args , -.Em exec , -.Em pty , -.Em utmp , -.Em conv , -.Em pcomm , -.Em util , -.Em list , -.Em netif , -.Em audit , -.Em edit , -.Em selinux , -.Em ldap , -.Em match , -.Em parser , -.Em alias , -.Em defaults , -.Em auth , -.Em env , -.Em logging , -.Em nss , -.Em rbtree , -.Em perms , -.Em plugin . -The subsystem -.Em all -includes every subsystem. -.Pp There is not currently a way to specify a set of debug flags specific to the plugin--the flags are shared by .Nm sudo @@ -496,8 +377,8 @@ process belongs to. Only available starting with API version 1.2 .It tcpgid=int -The ID of the forground process group associated with the terminal -device associcated with the +The ID of the foreground process group associated with the terminal +device associated with the .Nm sudo process or \-1 if there is no terminal present. 
@@ -1038,7 +919,7 @@ is run with the .Fl v flag. For policy plugins such as -.Em sudoers +.Nm sudoers that cache authentication credentials, this function will validate and cache the credentials. @@ -1074,7 +955,7 @@ or .Fl K flag. For policy plugins such as -.Em sudoers +.Nm sudoers that cache authentication credentials, this function will invalidate the credentials. @@ -2047,8 +1928,7 @@ user-visible. Instead, they are logged to the file specified in the .Li Debug statement (if any) in the -.Pa @sysconfdir@/sudo.conf -.Pp +.Xr sudo.conf @mansectform@ . file. This allows a plugin to log debugging information and is intended to be used in conjunction with the @@ -2060,8 +1940,8 @@ See the sample plugin for an example of the function usage. .Ss Sudoers group plugin API The -.Em sudoers -module supports a plugin interface to allow non-Unix +.Nm sudoers +plugin supports its own plugin interface to allow non-Unix group lookups. This can be used to query a group source other than the standard Unix group database. @@ -2096,7 +1976,7 @@ The field should be set to GROUP_API_VERSION. .Pp This allows -.Em sudoers +.Nm sudoers to determine the API version the group plugin was built against. .It init @@ -2124,10 +2004,10 @@ The function arguments are as follows: .Bl -tag -width 4n .It version The version passed in by -.Em sudoers +.Nm sudoers allows the plugin to determine the major and minor version number of the group plugin API supported by -.Em sudoers . +.Nm sudoers . .It plugin_printf A pointer to a .Fn printf Ns No -style @@ -2153,7 +2033,7 @@ void (*cleanup)(); The .Fn cleanup function is called when -.Em sudoers +.Nm sudoers has finished its group checks. The plugin should free any memory it has allocated and close open file handles. 
@@ -2223,8 +2103,8 @@ list as an argument. The Policy and I/O logging plugins' .Fn open functions are now passed -a list of plugin options if any are specified in -.Pa @sysconfdir@/sudo.conf . +a list of plugin parameters if any are specified in +.Xr sudo.conf @mansectform@ . .Pp A simple hooks API has been introduced to allow plugins to hook in to the system's environment handling functions. @@ -2248,6 +2128,7 @@ front end now installs default signal handlers to trap common signals while the plugin functions are run. .El .Sh SEE ALSO +.Xr sudo.conf @mansectform@ , .Xr sudoers @mansectform@ , .Xr sudo @mansectsu@ .Sh BUGS diff --git a/doc/sudoers.cat b/doc/sudoers.cat index 922bc5eaa..c505d80df 100644 --- a/doc/sudoers.cat +++ b/doc/sudoers.cat 
@@ -1,15 +1,57 @@ SUDOERS(4) Programmer's Manual SUDOERS(4) NNAAMMEE - ssuuddooeerrss - default sudo security policy module + ssuuddooeerrss - default sudo security policy plugin DDEESSCCRRIIPPTTIIOONN - The _s_u_d_o_e_r_s policy module determines a user's ssuuddoo privileges. It is the + The _s_u_d_o_e_r_s policy plugin determines a user's ssuuddoo privileges. It is the default ssuuddoo policy plugin. The policy is driven by the _/_e_t_c_/_s_u_d_o_e_r_s file or, optionally in LDAP. The policy format is described in detail in the _S_U_D_O_E_R_S _F_I_L_E _F_O_R_M_A_T section. For information on storing _s_u_d_o_e_r_s policy information in LDAP, please see sudoers.ldap(4). + CCoonnffiigguurriinngg ssuuddoo..ccoonnff ffoorr ssuuddooeerrss + ssuuddoo consults the sudo.conf(4) file to determine which policy and and I/O + logging plugins to load. If no sudo.conf(4) file is present, or if it + contains no Plugin lines, ssuuddooeerrss will be used for policy decisions and + I/O logging. To explicitly configure sudo.conf(4) to use the ssuuddooeerrss + plugin, the following configuration can be used. + + Plugin policy_plugin sudoers.so + Plugin io_plugin sudoers.so + + Starting with ssuuddoo 1.8.5, it is possible to specify optional arguments to + the ssuuddooeerrss plugin in the sudo.conf(4) file. These arguments, if + present, should be listed after the path to the plugin (i.e. after + _s_u_d_o_e_r_s_._s_o). Multiple arguments may be specified, separated by white + space. For example: + + Plugin sudoers_policy sudoers.so sudoers_mode=0400 + + The following plugin arguments are supported: + + sudoers_file=pathname + The _s_u_d_o_e_r_s___f_i_l_e arguments can be used to override the default + path to the _s_u_d_o_e_r_s file. + + sudoers_uid=uid + The _s_u_d_o_e_r_s___u_i_d arguments can be used to override the default + owner of the sudoers file. It should be specified as a numeric + user ID. 
+ + sudoers_gid=gid + The _s_u_d_o_e_r_s___g_i_d arguments can be used to override the default + group of the sudoers file. It must be specified as a numeric + group ID (not a group name). + + sudoers_mode=mode + The _s_u_d_o_e_r_s___m_o_d_e arguments can be used to override the default + file mode for the sudoers file. It should be specified as an + octal value. + + For more information on configuring sudo.conf(4), please refer to its + manual. + AAuutthheennttiiccaattiioonn aanndd llooggggiinngg The _s_u_d_o_e_r_s security policy requires that most users authenticate themselves before they can use ssuuddoo. A password is not required if the @@ -1253,9 +1295,9 @@ SSUUDDOOEERRSS OOPPTTIIOONNSS escape %h will expand to the host name of the machine. Default is ``*** SECURITY information for %h ***''. - noexec_file This option is no longer supported. The path to the - noexec file should now be set in the _/_e_t_c_/_s_u_d_o_._c_o_n_f - file. + noexec_file As of ssuuddoo version 1.8.1 this option is no longer + supported. The path to the noexec file should now be + set in the sudo.conf(4) file. passprompt The default prompt to use when asking for a password; can be overridden via the --pp option or the SUDO_PROMPT 
@@ -1600,9 +1642,9 @@ LLOOGG FFOORRMMAATT when the _s_u_d_o_e_r_s file is located on a remote file system that maps user ID 0 to a different value. Normally, ssuuddooeerrss tries to open _s_u_d_o_e_r_s using group permissions to avoid this problem. Consider - changing the ownership of _/_e_t_c_/_s_u_d_o_e_r_s by adding an option like - ``sudoers_uid=N'' (where `N' is the user ID that owns the _s_u_d_o_e_r_s - file) to the ssuuddooeerrss plugin line in the _/_e_t_c_/_s_u_d_o_._c_o_n_f file. + either changing the ownership of _/_e_t_c_/_s_u_d_o_e_r_s or adding an argument + like ``sudoers_uid=N'' (where `N' is the user ID that owns the _s_u_d_o_e_r_s + file) to the end of the ssuuddooeerrss Plugin line in the sudo.conf(4) file. unable to stat /etc/sudoers The _/_e_t_c_/_s_u_d_o_e_r_s file is missing. 
@@ -1614,21 +1656,21 @@ LLOOGG FFOORRMMAATT /etc/sudoers is owned by uid N, should be 0 The _s_u_d_o_e_r_s file has the wrong owner. If you wish to change the _s_u_d_o_e_r_s file owner, please add ``sudoers_uid=N'' (where `N' is the - user ID that owns the _s_u_d_o_e_r_s file) to the ssuuddooeerrss plugin line in the - _/_e_t_c_/_s_u_d_o_._c_o_n_f file. + user ID that owns the _s_u_d_o_e_r_s file) to the ssuuddooeerrss Plugin line in the + sudo.conf(4) file. /etc/sudoers is world writable The permissions on the _s_u_d_o_e_r_s file allow all users to write to it. The _s_u_d_o_e_r_s file must not be world-writable, the default file mode is 0440 (readable by owner and group, writable by none). The default mode may be changed via the ``sudoers_mode'' option to the ssuuddooeerrss - plugin line in the _/_e_t_c_/_s_u_d_o_._c_o_n_f file. + Plugin line in the sudo.conf(4) file. /etc/sudoers is owned by gid N, should be 1 The _s_u_d_o_e_r_s file has the wrong group ownership. If you wish to change the _s_u_d_o_e_r_s file group ownership, please add ``sudoers_gid=N'' (where - `N' is the group ID that owns the _s_u_d_o_e_r_s file) to the ssuuddooeerrss plugin - line in the _/_e_t_c_/_s_u_d_o_._c_o_n_f file. + `N' is the group ID that owns the _s_u_d_o_e_r_s file) to the ssuuddooeerrss Plugin + line in the sudo.conf(4) file. unable to open /var/adm/sudo/username/ttyname _s_u_d_o_e_r_s was unable to read or create the user's time stamp file. 
@@ -1668,110 +1710,6 @@ LLOOGG FFOORRMMAATT _l_o_g_l_i_n_e_l_e_n option is set to 0 (or negated with a `!'), word wrap will be disabled. -SSUUDDOO..CCOONNFF - The _/_e_t_c_/_s_u_d_o_._c_o_n_f file determines which plugins the ssuuddoo front end will - load. If no _/_e_t_c_/_s_u_d_o_._c_o_n_f file is present, or it contains no Plugin - lines, ssuuddoo will use the _s_u_d_o_e_r_s security policy and I/O logging, which - corresponds to the following _/_e_t_c_/_s_u_d_o_._c_o_n_f file. - - # - # Default /etc/sudo.conf file - # - # Format: - # Plugin plugin_name plugin_path plugin_options ... - # Path askpass /path/to/askpass - # Path noexec /path/to/sudo_noexec.so - # Debug sudo /var/log/sudo_debug all@warn - # Set disable_coredump true - # - # The plugin_path is relative to /usr/local/libexec unless - # fully qualified. - # The plugin_name corresponds to a global symbol in the plugin - # that contains the plugin interface structure. - # The plugin_options are optional. - # - Plugin policy_plugin sudoers.so - Plugin io_plugin sudoers.so - - PPlluuggiinn ooppttiioonnss - Starting with ssuuddoo 1.8.5, it is possible to pass options to the _s_u_d_o_e_r_s - plugin. Options may be listed after the path to the plugin (i.e. after - _s_u_d_o_e_r_s_._s_o); multiple options should be space-separated. For example: - - Plugin sudoers_policy sudoers.so sudoers_file=/etc/sudoers sudoers_uid=0 sudoers_gid=0 sudoers_mode=0440 - - The following plugin options are supported: - - sudoers_file=pathname - The _s_u_d_o_e_r_s___f_i_l_e option can be used to override the default - path to the _s_u_d_o_e_r_s file. - - sudoers_uid=uid - The _s_u_d_o_e_r_s___u_i_d option can be used to override the default - owner of the sudoers file. It should be specified as a numeric - user ID. - - sudoers_gid=gid - The _s_u_d_o_e_r_s___g_i_d option can be used to override the default - group of the sudoers file. It should be specified as a numeric - group ID. 
- - sudoers_mode=mode - The _s_u_d_o_e_r_s___m_o_d_e option can be used to override the default - file mode for the sudoers file. It should be specified as an - octal value. - - DDeebbuugg ffllaaggss - Versions 1.8.4 and higher of the _s_u_d_o_e_r_s plugin support a debugging - framework that can help track down what the plugin is doing internally if - there is a problem. This can be configured in the _/_e_t_c_/_s_u_d_o_._c_o_n_f file as - described in sudo(1m). - - The _s_u_d_o_e_r_s plugin uses the same debug flag format as the ssuuddoo front-end: - _s_u_b_s_y_s_t_e_m@_p_r_i_o_r_i_t_y. - - The priorities used by _s_u_d_o_e_r_s, in order of decreasing severity, are: - _c_r_i_t, _e_r_r, _w_a_r_n, _n_o_t_i_c_e, _d_i_a_g, _i_n_f_o, _t_r_a_c_e and _d_e_b_u_g. Each priority, - when specified, also includes all priorities higher than it. For - example, a priority of _n_o_t_i_c_e would include debug messages logged at - _n_o_t_i_c_e and higher. - - The following subsystems are used by _s_u_d_o_e_r_s: - - _a_l_i_a_s User_Alias, Runas_Alias, Host_Alias and Cmnd_Alias processing - - _a_l_l matches every subsystem - - _a_u_d_i_t BSM and Linux audit code - - _a_u_t_h user authentication - - _d_e_f_a_u_l_t_s _s_u_d_o_e_r_s _D_e_f_a_u_l_t_s settings - - _e_n_v environment handling - - _l_d_a_p LDAP-based sudoers - - _l_o_g_g_i_n_g logging support - - _m_a_t_c_h matching of users, groups, hosts and netgroups in _s_u_d_o_e_r_s - - _n_e_t_i_f network interface handling - - _n_s_s network service switch handling in _s_u_d_o_e_r_s - - _p_a_r_s_e_r _s_u_d_o_e_r_s file parsing - - _p_e_r_m_s permission setting - - _p_l_u_g_i_n The equivalent of _m_a_i_n for the plugin. - - _p_t_y pseudo-tty related code - - _r_b_t_r_e_e redblack tree internals - - _u_t_i_l utility functions - FFIILLEESS _/_e_t_c_/_s_u_d_o_._c_o_n_f Sudo front end configuration 
@@ -2100,8 +2038,64 @@ SSEECCUURRIITTYY NNOOTTEESS stamp file is stale and will ignore it. Administrators should not rely on this feature as it is not universally available. +DDEEBBUUGGGGIINNGG + Versions 1.8.4 and higher of the ssuuddooeerrss plugin support a flexible + debugging framework that can help track down what the plugin is doing + internally if there is a problem. This can be configured in the + sudo.conf(4) file. + + The ssuuddooeerrss plugin uses the same debug flag format as the ssuuddoo front-end: + _s_u_b_s_y_s_t_e_m@_p_r_i_o_r_i_t_y. + + The priorities used by ssuuddooeerrss, in order of decreasing severity, are: + _c_r_i_t, _e_r_r, _w_a_r_n, _n_o_t_i_c_e, _d_i_a_g, _i_n_f_o, _t_r_a_c_e and _d_e_b_u_g. Each priority, + when specified, also includes all priorities higher than it. For + example, a priority of _n_o_t_i_c_e would include debug messages logged at + _n_o_t_i_c_e and higher. + + The following subsystems are used by the ssuuddooeerrss plugin: + + _a_l_i_a_s User_Alias, Runas_Alias, Host_Alias and Cmnd_Alias processing + + _a_l_l matches every subsystem + + _a_u_d_i_t BSM and Linux audit code + + _a_u_t_h user authentication + + _d_e_f_a_u_l_t_s _s_u_d_o_e_r_s _D_e_f_a_u_l_t_s settings + + _e_n_v environment handling + + _l_d_a_p LDAP-based sudoers + + _l_o_g_g_i_n_g logging support + + _m_a_t_c_h matching of users, groups, hosts and netgroups in _s_u_d_o_e_r_s + + _n_e_t_i_f network interface handling + + _n_s_s network service switch handling in _s_u_d_o_e_r_s + + _p_a_r_s_e_r _s_u_d_o_e_r_s file parsing + + _p_e_r_m_s permission setting + + _p_l_u_g_i_n The equivalent of _m_a_i_n for the plugin. + + _p_t_y pseudo-tty related code + + _r_b_t_r_e_e redblack tree internals + + _u_t_i_l utility functions + For example: + + Debug sudo /var/log/sudo_debug match@info,nss@info + + For more information, see the sudo.conf(4) manual. 
+ SSEEEE AALLSSOO - ssh(1), su(1), fnmatch(3), glob(3), mktemp(3), strftime(3), + ssh(1), su(1), fnmatch(3), glob(3), mktemp(3), strftime(3), sudo.conf(4), sudoers.ldap(4), sudo_plugin(1m), sudo(1m), visudo(1m) CCAAVVEEAATTSS @@ -2131,4 +2125,4 @@ DDIISSCCLLAAIIMMEERR file distributed with ssuuddoo or http://www.sudo.ws/sudo/license.html for complete details. -Sudo 1.8.7 January 27, 2013 Sudo 1.8.7 +Sudo 1.8.7 February 5, 2013 Sudo 1.8.7 diff --git a/doc/sudoers.man.in b/doc/sudoers.man.in index d28e02802..c8f13df35 100644 --- a/doc/sudoers.man.in +++ b/doc/sudoers.man.in @@ -2,7 +2,7 @@ .\" IT IS GENERATED AUTOMATICALLY FROM sudoers.mdoc.in .\" .\" Copyright (c) 1994-1996, 1998-2005, 2007-2013 -.\" Todd C. Miller +.\" Todd C. Miller .\" .\" Permission to use, copy, modify, and distribute this software for any .\" purpose with or without fee is hereby granted, provided that the above @@ -21,16 +21,16 @@ .\" Agency (DARPA) and Air Force Research Laboratory, Air Force .\" Materiel Command, USAF, under agreement number F39502-99-1-0512. .\" -.TH "SUDOERS" "@mansectsu@" "January 27, 2013" "Sudo @PACKAGE_VERSION@" "Programmer's Manual" +.TH "SUDOERS" "@mansectsu@" "February 5, 2013" "Sudo @PACKAGE_VERSION@" "Programmer's Manual" .nh .if n .ad l .SH "NAME" \fBsudoers\fR -\- default sudo security policy module +\- default sudo security policy plugin .SH "DESCRIPTION" The \fIsudoers\fR -policy module determines a user's +policy plugin determines a user's \fBsudo\fR privileges. It is the default 
@@ -48,6 +48,81 @@ For information on storing policy information in LDAP, please see sudoers.ldap(@mansectform@). +.SS "Configuring sudo.conf for sudoers" +\fBsudo\fR +consults the +sudo.conf(@mansectform@) +file to determine which policy and and I/O logging plugins to load. +If no +sudo.conf(@mansectform@) +file is present, or if it contains no +\fRPlugin\fR +lines, +\fBsudoers\fR +will be used for policy decisions and I/O logging. +To explicitly configure +sudo.conf(@mansectform@) +to use the +\fBsudoers\fR +plugin, the following configuration can be used. +.nf +.sp +.RS 6n +Plugin policy_plugin sudoers.so +Plugin io_plugin sudoers.so +.RE +.fi +.PP +Starting with +\fBsudo\fR +1.8.5, it is possible to specify optional arguments to the +\fBsudoers\fR +plugin in the +sudo.conf(@mansectform@) +file. +These arguments, if present, should be listed after the path to the plugin +(i.e.\& after +\fIsudoers.so\fR). +Multiple arguments may be specified, separated by white space. +For example: +.nf +.sp +.RS 6n +Plugin sudoers_policy sudoers.so sudoers_mode=0400 +.RE +.fi +.PP +The following plugin arguments are supported: +.TP 10n +sudoers_file=pathname +The +\fIsudoers_file\fR +arguments can be used to override the default path +to the +\fIsudoers\fR +file. +.TP 10n +sudoers_uid=uid +The +\fIsudoers_uid\fR +arguments can be used to override the default owner of the sudoers file. +It should be specified as a numeric user ID. +.TP 10n +sudoers_gid=gid +The +\fIsudoers_gid\fR +arguments can be used to override the default group of the sudoers file. +It must be specified as a numeric group ID (not a group name). +.TP 10n +sudoers_mode=mode +The +\fIsudoers_mode\fR +arguments can be used to override the default file mode for the sudoers file. +It should be specified as an octal value. +.PP +For more information on configuring +sudo.conf(@mansectform@), +please refer to its manual. .SS "Authentication and logging" The \fIsudoers\fR 
@@ -2652,9 +2727,11 @@ Default is ``\fR@mailsub@\fR''. .TP 18n noexec_file -This option is no longer supported. +As of +\fBsudo\fR +version 1.8.1 this option is no longer supported. The path to the noexec file should now be set in the -\fI@sysconfdir@/sudo.conf\fR +sudo.conf(@mansectform@) file. .TP 18n passprompt @@ -3317,18 +3394,19 @@ Normally, tries to open \fIsudoers\fR using group permissions to avoid this problem. -Consider changing the ownership of +Consider either changing the ownership of \fI@sysconfdir@/sudoers\fR -by adding an option like +or adding an argument like ``sudoers_uid=N'' (where `N' is the user ID that owns the \fIsudoers\fR -file) to the +file) to the end of the \fBsudoers\fR -plugin line in the -\fI@sysconfdir@/sudo.conf\fR +\fRPlugin\fR +line in the +sudo.conf(@mansectform@) file. .TP 3n unable to stat @sysconfdir@/sudoers @@ -3355,8 +3433,9 @@ is the user ID that owns the \fIsudoers\fR file) to the \fBsudoers\fR -plugin line in the -\fI@sysconfdir@/sudo.conf\fR +\fRPlugin\fR +line in the +sudo.conf(@mansectform@) file. .TP 3n @sysconfdir@/sudoers is world writable @@ -3371,8 +3450,9 @@ The default mode may be changed via the ``sudoers_mode'' option to the \fBsudoers\fR -plugin line in the -\fI@sysconfdir@/sudo.conf\fR +\fRPlugin\fR +line in the +sudo.conf(@mansectform@) file. .TP 3n @sysconfdir@/sudoers is owned by gid N, should be 1 @@ -3389,8 +3469,9 @@ is the group ID that owns the \fIsudoers\fR file) to the \fBsudoers\fR -plugin line in the -\fI@sysconfdir@/sudo.conf\fR +\fRPlugin\fR +line in the +sudo.conf(@mansectform@) file. .TP 3n unable to open @timedir@/username/ttyname 
@@ -3470,193 +3551,6 @@ If the option is set to 0 (or negated with a `\&!'), word wrap will be disabled. -.SH "SUDO.CONF" -The -\fI@sysconfdir@/sudo.conf\fR -file determines which plugins the -\fBsudo\fR -front end will load. -If no -\fI@sysconfdir@/sudo.conf\fR -file -is present, or it contains no -\fRPlugin\fR -lines, -\fBsudo\fR -will use the -\fIsudoers\fR -security policy and I/O logging, which corresponds to the following -\fI@sysconfdir@/sudo.conf\fR -file. -.nf -.sp -.RS 0n -# -# Default @sysconfdir@/sudo.conf file -# -# Format: -# Plugin plugin_name plugin_path plugin_options ... -# Path askpass /path/to/askpass -# Path noexec /path/to/sudo_noexec.so -# Debug sudo /var/log/sudo_debug all@warn -# Set disable_coredump true -# -# The plugin_path is relative to @PLUGINDIR@ unless -# fully qualified. -# The plugin_name corresponds to a global symbol in the plugin -# that contains the plugin interface structure. -# The plugin_options are optional. -# -Plugin policy_plugin sudoers.so -Plugin io_plugin sudoers.so -.RE -.fi -.SS "Plugin options" -Starting with -\fBsudo\fR -1.8.5, it is possible to pass options to the -\fIsudoers\fR -plugin. -Options may be listed after the path to the plugin (i.e.\& after -\fIsudoers.so\fR); -multiple options should be space-separated. -For example: -.nf -.sp -.RS 0n -Plugin sudoers_policy sudoers.so sudoers_file=/etc/sudoers sudoers_uid=0 sudoers_gid=0 sudoers_mode=0440 -.RE -.fi -.PP -The following plugin options are supported: -.TP 10n -sudoers_file=pathname -The -\fIsudoers_file\fR -option can be used to override the default path -to the -\fIsudoers\fR -file. -.TP 10n -sudoers_uid=uid -The -\fIsudoers_uid\fR -option can be used to override the default owner of the sudoers file. -It should be specified as a numeric user ID. -.TP 10n -sudoers_gid=gid -The -\fIsudoers_gid\fR -option can be used to override the default group of the sudoers file. -It should be specified as a numeric group ID. 
-.TP 10n -sudoers_mode=mode -The -\fIsudoers_mode\fR -option can be used to override the default file mode for the sudoers file. -It should be specified as an octal value. -.SS "Debug flags" -Versions 1.8.4 and higher of the -\fIsudoers\fR -plugin support a debugging framework that can help track down what the -plugin is doing internally if there is a problem. -This can be configured in the -\fI@sysconfdir@/sudo.conf\fR -file as described in -sudo(@mansectsu@). -.PP -The -\fIsudoers\fR -plugin uses the same debug flag format as the -\fBsudo\fR -front-end: -\fIsubsystem\fR@\fIpriority\fR. -.PP -The priorities used by -\fIsudoers\fR, -in order of decreasing severity, -are: -\fIcrit\fR, -\fIerr\fR, -\fIwarn\fR, -\fInotice\fR, -\fIdiag\fR, -\fIinfo\fR, -\fItrace\fR -and -\fIdebug\fR. -Each priority, when specified, also includes all priorities higher than it. -For example, a priority of -\fInotice\fR -would include debug messages logged at -\fInotice\fR -and higher. -.PP -The following subsystems are used by -\fIsudoers\fR: -.TP 10n -\fIalias\fR -\fRUser_Alias\fR, -\fRRunas_Alias\fR, -\fRHost_Alias\fR -and -\fRCmnd_Alias\fR -processing -.TP 10n -\fIall\fR -matches every subsystem -.TP 10n -\fIaudit\fR -BSM and Linux audit code -.TP 10n -\fIauth\fR -user authentication -.TP 10n -\fIdefaults\fR -\fIsudoers\fR -\fIDefaults\fR -settings -.TP 10n -\fIenv\fR -environment handling -.TP 10n -\fIldap\fR -LDAP-based sudoers -.TP 10n -\fIlogging\fR -logging support -.TP 10n -\fImatch\fR -matching of users, groups, hosts and netgroups in -\fIsudoers\fR -.TP 10n -\fInetif\fR -network interface handling -.TP 10n -\fInss\fR -network service switch handling in -\fIsudoers\fR -.TP 10n -\fIparser\fR -\fIsudoers\fR -file parsing -.TP 10n -\fIperms\fR -permission setting -.TP 10n -\fIplugin\fR -The equivalent of -\fImain\fR -for the plugin. 
-.TP 10n -\fIpty\fR -pseudo-tty related code -.TP 10n -\fIrbtree\fR -redblack tree internals -.TP 10n -\fIutil\fR -utility functions .SH "FILES" .TP 26n \fI@sysconfdir@/sudo.conf\fR 
@@ -4309,6 +4203,117 @@ is able to determine when a tty-based time stamp file is stale and will ignore it. Administrators should not rely on this feature as it is not universally available. +.SH "DEBUGGING" +Versions 1.8.4 and higher of the +\fBsudoers\fR +plugin support a flexible debugging framework that can help track +down what the plugin is doing internally if there is a problem. +This can be configured in the +sudo.conf(@mansectform@) +file. +.PP +The +\fBsudoers\fR +plugin uses the same debug flag format as the +\fBsudo\fR +front-end: +\fIsubsystem\fR@\fIpriority\fR. +.PP +The priorities used by +\fBsudoers\fR, +in order of decreasing severity, +are: +\fIcrit\fR, \fIerr\fR, \fIwarn\fR, \fInotice\fR, \fIdiag\fR, \fIinfo\fR, \fItrace\fR +and +\fIdebug\fR. +Each priority, when specified, also includes all priorities higher +than it. +For example, a priority of +\fInotice\fR +would include debug messages logged at +\fInotice\fR +and higher. +.PP +The following subsystems are used by the +\fBsudoers\fR +plugin: +.TP 10n +\fIalias\fR +\fRUser_Alias\fR, +\fRRunas_Alias\fR, +\fRHost_Alias\fR +and +\fRCmnd_Alias\fR +processing +.TP 10n +\fIall\fR +matches every subsystem +.TP 10n +\fIaudit\fR +BSM and Linux audit code +.TP 10n +\fIauth\fR +user authentication +.TP 10n +\fIdefaults\fR +\fIsudoers\fR +\fIDefaults\fR +settings +.TP 10n +\fIenv\fR +environment handling +.TP 10n +\fIldap\fR +LDAP-based sudoers +.TP 10n +\fIlogging\fR +logging support +.TP 10n +\fImatch\fR +matching of users, groups, hosts and netgroups in +\fIsudoers\fR +.TP 10n +\fInetif\fR +network interface handling +.TP 10n +\fInss\fR +network service switch handling in +\fIsudoers\fR +.TP 10n +\fIparser\fR +\fIsudoers\fR +file parsing +.TP 10n +\fIperms\fR +permission setting +.TP 10n +\fIplugin\fR +The equivalent of +\fImain\fR +for the plugin. 
+.TP 10n +\fIpty\fR +pseudo-tty related code +.TP 10n +\fIrbtree\fR +redblack tree internals +.TP 10n +\fIutil\fR +utility functions +.PD 0 +.PP +.PD +For example: +.nf +.sp +.RS 0n +Debug sudo /var/log/sudo_debug match@info,nss@info +.RE +.fi +.PP +For more information, see the +sudo.conf(@mansectform@) +manual. .SH "SEE ALSO" ssh(1), su(1), @@ -4316,6 +4321,7 @@ fnmatch(3), glob(3), mktemp(3), strftime(3), +sudo.conf(@mansectform@), sudoers.ldap(@mansectform@), sudo_plugin(@mansectsu@), sudo(@mansectsu@), diff --git a/doc/sudoers.mdoc.in b/doc/sudoers.mdoc.in index 724c38978..5e5bb5df9 100644 --- a/doc/sudoers.mdoc.in +++ b/doc/sudoers.mdoc.in @@ -1,6 +1,6 @@ .\" .\" Copyright (c) 1994-1996, 1998-2005, 2007-2013 -.\" Todd C. Miller +.\" Todd C. Miller .\" .\" Permission to use, copy, modify, and distribute this software for any .\" purpose with or without fee is hereby granted, provided that the above @@ -19,16 +19,16 @@ .\" Agency (DARPA) and Air Force Research Laboratory, Air Force .\" Materiel Command, USAF, under agreement number F39502-99-1-0512. .\" -.Dd January 27, 2013 +.Dd February 5, 2013 .Dt SUDOERS @mansectform@ .Os Sudo @PACKAGE_VERSION@ .Sh NAME .Nm sudoers -.Nd default sudo security policy module +.Nd default sudo security policy plugin .Sh DESCRIPTION The .Em sudoers -policy module determines a user's +policy plugin determines a user's .Nm sudo privileges. It is the default 
@@ -46,6 +46,73 @@ For information on storing policy information in LDAP, please see .Xr sudoers.ldap @mansectform@ . +.Ss Configuring sudo.conf for sudoers +.Nm sudo +consults the +.Xr sudo.conf @mansectform@ +file to determine which policy and and I/O logging plugins to load. +If no +.Xr sudo.conf @mansectform@ +file is present, or if it contains no +.Li Plugin +lines, +.Nm sudoers +will be used for policy decisions and I/O logging. +To explicitly configure +.Xr sudo.conf @mansectform@ +to use the +.Nm sudoers +plugin, the following configuration can be used. +.Bd -literal -offset indent +Plugin policy_plugin sudoers.so +Plugin io_plugin sudoers.so +.Ed +.Pp +Starting with +.Nm sudo +1.8.5, it is possible to specify optional arguments to the +.Nm sudoers +plugin in the +.Xr sudo.conf @mansectform@ +file. +These arguments, if present, should be listed after the path to the plugin +(i.e.\& after +.Pa sudoers.so ) . +Multiple arguments may be specified, separated by white space. +For example: +.Bd -literal -offset indent +Plugin sudoers_policy sudoers.so sudoers_mode=0400 +.Ed +.Pp +The following plugin arguments are supported: +.Bl -tag -width 8n +.It sudoers_file=pathname +The +.Em sudoers_file +arguments can be used to override the default path +to the +.Em sudoers +file. +.It sudoers_uid=uid +The +.Em sudoers_uid +arguments can be used to override the default owner of the sudoers file. +It should be specified as a numeric user ID. +.It sudoers_gid=gid +The +.Em sudoers_gid +arguments can be used to override the default group of the sudoers file. +It must be specified as a numeric group ID (not a group name). +.It sudoers_mode=mode +The +.Em sudoers_mode +arguments can be used to override the default file mode for the sudoers file. +It should be specified as an octal value. +.El +.Pp +For more information on configuring +.Xr sudo.conf @mansectform@ , +please refer to its manual. .Ss Authentication and logging The .Em sudoers 
@@ -2481,9 +2548,11 @@ will expand to the host name of the machine. Default is .Dq Li @mailsub@ . .It noexec_file -This option is no longer supported. +As of +.Nm sudo +version 1.8.1 this option is no longer supported. The path to the noexec file should now be set in the -.Pa @sysconfdir@/sudo.conf +.Xr sudo.conf @mansectform@ file. .It passprompt The default prompt to use when asking for a password; can be overridden via the @@ -3071,18 +3140,19 @@ Normally, tries to open .Em sudoers using group permissions to avoid this problem. -Consider changing the ownership of +Consider either changing the ownership of .Pa @sysconfdir@/sudoers -by adding an option like +or adding an argument like .Dq sudoers_uid=N (where .Sq N is the user ID that owns the .Em sudoers -file) to the +file) to the end of the .Nm sudoers -plugin line in the -.Pa @sysconfdir@/sudo.conf +.Li Plugin +line in the +.Xr sudo.conf @mansectform@ file. .It unable to stat @sysconfdir@/sudoers The @@ -3106,8 +3176,9 @@ is the user ID that owns the .Em sudoers file) to the .Nm sudoers -plugin line in the -.Pa @sysconfdir@/sudo.conf +.Li Plugin +line in the +.Xr sudo.conf @mansectform@ file. .It @sysconfdir@/sudoers is world writable The permissions on the @@ -3121,8 +3192,9 @@ The default mode may be changed via the .Dq sudoers_mode option to the .Nm sudoers -plugin line in the -.Pa @sysconfdir@/sudo.conf +.Li Plugin +line in the +.Xr sudo.conf @mansectform@ file. .It @sysconfdir@/sudoers is owned by gid N, should be 1 The @@ -3138,8 +3210,9 @@ is the group ID that owns the .Em sudoers file) to the .Nm sudoers -plugin line in the -.Pa @sysconfdir@/sudo.conf +.Li Plugin +line in the +.Xr sudo.conf @mansectform@ file. .It unable to open @timedir@/username/ttyname .Em sudoers 
@@ -3216,170 +3289,6 @@ option is set to 0 (or negated with a .Ql \&! ) , word wrap will be disabled. .El -.Sh SUDO.CONF -The -.Pa @sysconfdir@/sudo.conf -file determines which plugins the -.Nm sudo -front end will load. -If no -.Pa @sysconfdir@/sudo.conf -file -is present, or it contains no -.Li Plugin -lines, -.Nm sudo -will use the -.Em sudoers -security policy and I/O logging, which corresponds to the following -.Pa @sysconfdir@/sudo.conf -file. -.Bd -literal -# -# Default @sysconfdir@/sudo.conf file -# -# Format: -# Plugin plugin_name plugin_path plugin_options ... -# Path askpass /path/to/askpass -# Path noexec /path/to/sudo_noexec.so -# Debug sudo /var/log/sudo_debug all@warn -# Set disable_coredump true -# -# The plugin_path is relative to @PLUGINDIR@ unless -# fully qualified. -# The plugin_name corresponds to a global symbol in the plugin -# that contains the plugin interface structure. -# The plugin_options are optional. -# -Plugin policy_plugin sudoers.so -Plugin io_plugin sudoers.so -.Ed -.Ss Plugin options -Starting with -.Nm sudo -1.8.5, it is possible to pass options to the -.Em sudoers -plugin. -Options may be listed after the path to the plugin (i.e.\& after -.Pa sudoers.so ) ; -multiple options should be space-separated. -For example: -.Bd -literal -Plugin sudoers_policy sudoers.so sudoers_file=/etc/sudoers sudoers_uid=0 sudoers_gid=0 sudoers_mode=0440 -.Ed -.Pp -The following plugin options are supported: -.Bl -tag -width 8n -.It sudoers_file=pathname -The -.Em sudoers_file -option can be used to override the default path -to the -.Em sudoers -file. -.It sudoers_uid=uid -The -.Em sudoers_uid -option can be used to override the default owner of the sudoers file. -It should be specified as a numeric user ID. -.It sudoers_gid=gid -The -.Em sudoers_gid -option can be used to override the default group of the sudoers file. -It should be specified as a numeric group ID. 
-.It sudoers_mode=mode -The -.Em sudoers_mode -option can be used to override the default file mode for the sudoers file. -It should be specified as an octal value. -.El -.Ss Debug flags -Versions 1.8.4 and higher of the -.Em sudoers -plugin support a debugging framework that can help track down what the -plugin is doing internally if there is a problem. -This can be configured in the -.Pa @sysconfdir@/sudo.conf -file as described in -.Xr sudo @mansectsu@ . -.Pp -The -.Em sudoers -plugin uses the same debug flag format as the -.Nm sudo -front-end: -.Em subsystem Ns No @ Ns Em priority . -.Pp -The priorities used by -.Em sudoers , -in order of decreasing severity, -are: -.Em crit , -.Em err , -.Em warn , -.Em notice , -.Em diag , -.Em info , -.Em trace -and -.Em debug . -Each priority, when specified, also includes all priorities higher than it. -For example, a priority of -.Em notice -would include debug messages logged at -.Em notice -and higher. -.Pp -The following subsystems are used by -.Em sudoers : -.Bl -tag -width 8n -.It Em alias -.Li User_Alias , -.Li Runas_Alias , -.Li Host_Alias -and -.Li Cmnd_Alias -processing -.It Em all -matches every subsystem -.It Em audit -BSM and Linux audit code -.It Em auth -user authentication -.It Em defaults -.Em sudoers -.Em Defaults -settings -.It Em env -environment handling -.It Em ldap -LDAP-based sudoers -.It Em logging -logging support -.It Em match -matching of users, groups, hosts and netgroups in -.Em sudoers -.It Em netif -network interface handling -.It Em nss -network service switch handling in -.Em sudoers -.It Em parser -.Em sudoers -file parsing -.It Em perms -permission setting -.It Em plugin -The equivalent of -.Em main -for the plugin. -.It Em pty -pseudo-tty related code -.It Em rbtree -redblack tree internals -.It Em util -utility functions -.El .Sh FILES .Bl -tag -width 24n .It Pa @sysconfdir@/sudo.conf 
@@ -3962,6 +3871,96 @@ is able to determine when a tty-based time stamp file is stale and will ignore it. Administrators should not rely on this feature as it is not universally available. +.Sh DEBUGGING +Versions 1.8.4 and higher of the +.Nm sudoers +plugin support a flexible debugging framework that can help track +down what the plugin is doing internally if there is a problem. +This can be configured in the +.Xr sudo.conf @mansectform@ +file. +.Pp +The +.Nm sudoers +plugin uses the same debug flag format as the +.Nm sudo +front-end: +.Em subsystem Ns No @ Ns Em priority . +.Pp +The priorities used by +.Nm sudoers , +in order of decreasing severity, +are: +.Em crit , err , warn , notice , diag , info , trace +and +.Em debug . +Each priority, when specified, also includes all priorities higher +than it. +For example, a priority of +.Em notice +would include debug messages logged at +.Em notice +and higher. +.Pp +The following subsystems are used by the +.Nm sudoers +plugin: +.Bl -tag -width 8n +.It Em alias +.Li User_Alias , +.Li Runas_Alias , +.Li Host_Alias +and +.Li Cmnd_Alias +processing +.It Em all +matches every subsystem +.It Em audit +BSM and Linux audit code +.It Em auth +user authentication +.It Em defaults +.Em sudoers +.Em Defaults +settings +.It Em env +environment handling +.It Em ldap +LDAP-based sudoers +.It Em logging +logging support +.It Em match +matching of users, groups, hosts and netgroups in +.Em sudoers +.It Em netif +network interface handling +.It Em nss +network service switch handling in +.Em sudoers +.It Em parser +.Em sudoers +file parsing +.It Em perms +permission setting +.It Em plugin +The equivalent of +.Em main +for the plugin. +.It Em pty +pseudo-tty related code +.It Em rbtree +redblack tree internals +.It Em util +utility functions +.El +For example: +.Bd -literal +Debug sudo /var/log/sudo_debug match@info,nss@info +.Ed +.Pp +For more information, see the +.Xr sudo.conf @mansectform@ +manual. 
.Sh SEE ALSO .Xr ssh 1 , .Xr su 1 , @@ -3969,6 +3968,7 @@ available. .Xr glob 3 , .Xr mktemp 3 , .Xr strftime 3 , +.Xr sudo.conf @mansectform@ , .Xr sudoers.ldap @mansectform@ , .Xr sudo_plugin @mansectsu@ , .Xr sudo @mansectsu@ ,
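Review bot: in the sudoers.cat hunk at @@ -1668,110 +1710,6 @@ the removed SUDO.CONF section was the only place in this manual that said a relative plugin_path is resolved against the plugin directory ("relative to /usr/local/libexec unless fully qualified") and that plugin_name is the global symbol holding the plugin interface structure; the new "Configuring sudo.conf for sudoers" text shows bare `sudoers.so` without restating either, so the sudo.conf(4) manual this commit cross-references must carry both points or readers lose them. The removed fully-populated example (`sudoers_file=... sudoers_uid=0 sudoers_gid=0 sudoers_mode=0440`) is also not reproduced anywhere; consider keeping one example that shows all four arguments together.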
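Review bot: in the sudoers.man.in hunk at @@ -48,6 +48,81 @@ the two example `Plugin` lines use different plugin names for the same shared object, `Plugin policy_plugin sudoers.so` in the first block and `Plugin sudoers_policy sudoers.so sudoers_mode=0400` in the second; since the removed comment text states that plugin_name is a global symbol in the plugin, only one of these can be correct, and both examples should use that one. The second example also switches the mode from the 0440 shown previously to 0400, which removes the group-read bit that the "unable to open @sysconfdir@/sudoers" diagnostic later in this same file relies on ("tries to open sudoers using group permissions to avoid this problem"); either use 0440 here or add a sentence saying why 0400 is shown. This file is generated from sudoers.mdoc.in (see the header in the hunk above), so the fix belongs in the mdoc source and should be regenerated here and in sudoers.cat.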
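Review bot: in the sudoers.mdoc.in hunk at @@ -46,6 +46,73 @@ the sentence "file to determine which policy and and I/O logging plugins to load" has a duplicated "and". In the same hunk each of the four `.It` entries reads "The .Em sudoers_file arguments can be used ..." although each entry describes a single argument; use "argument" in all four. The wording is also inconsistent between entries: `sudoers_uid` says "It should be specified as a numeric user ID" while `sudoers_gid` says "It must be specified as a numeric group ID (not a group name)"; if names are rejected for both, say so for both with the same wording. The sudoers.man.in and sudoers.cat hunks carry the same text and will pick up the fix on regeneration.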
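Review bot: in the sudoers.mdoc.in hunk at @@ -3962,6 +3871,96 @@ the list is closed with `.El` and "For example:" follows immediately with no `.Pp`; the effect is visible in the sudoers.cat hunk above, where "utility functions" runs straight into "For example:" with no blank line, and in sudoers.man.in, where the generator had to emit a `.PD 0 / .PP / .PD` sequence to approximate a break. Add `.Pp` between `.El` and "For example:" so the paragraph break is explicit in the source. Minor: "redblack tree internals" in the `rbtree` entry should read "red-black tree internals".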