From: Todd C. Miller Date: Wed, 9 Jun 2010 21:40:44 +0000 (-0400) Subject: Move askpass path specification from sudoers to sudo.conf. X-Git-Tag: SUDO_1_8_0~498 X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=eec336115a3e9e5e8a592d1baaafbe917047aa85;p=sudo Move askpass path specification from sudoers to sudo.conf. --- diff --git a/doc/sudo.cat b/doc/sudo.cat index b2a2594a8..a2ad93fc2 100644 --- a/doc/sudo.cat +++ b/doc/sudo.cat @@ -86,8 +86,15 @@ OOPPTTIIOONNSS executed to read the user's password and output the password to the standard output. If the SUDO_ASKPASS environment variable is set, it specifies the path to the - helper program. Otherwise, the value specified by the - _a_s_k_p_a_s_s option in _s_u_d_o_e_r_s(4) is used. + helper program. Otherwise, if _/_e_t_c_/_s_u_d_o_._c_o_n_f contains a + line specifying the askpass program that value will be + used. For example: + + # Path to askpass helper program + Path askpass /usr/X11R6/bin/ssh-askpass + + If no askpass program is available, sudo will exit with an + error. -a _t_y_p_e The --aa (_a_u_t_h_e_n_t_i_c_a_t_i_o_n _t_y_p_e) option causes ssuuddoo to use the specified authentication type when validating the user, as @@ -117,13 +124,6 @@ OOPPTTIIOONNSS Specifying a _c_l_a_s_s of - indicates that the command should be run restricted by the default login capabilities for the user the command is run as. If the _c_l_a_s_s argument - specifies an existing user class, the command must be run - as root, or the ssuuddoo command must be run from a shell that - is already root. This option is only available on systems - with BSD login classes. - - -D _l_e_v_e_l Enable debugging of ssuuddoo plugins and ssuuddoo itself. The - _l_e_v_e_l may be a value from 1 through 9. 
@@ -136,6 +136,14 @@ OOPPTTIIOONNSS SUDO(1m) MAINTENANCE COMMANDS SUDO(1m) + specifies an existing user class, the command must be run + as root, or the ssuuddoo command must be run from a shell that + is already root. This option is only available on systems + with BSD login classes. + + -D _l_e_v_e_l Enable debugging of ssuuddoo plugins and ssuuddoo itself. The + _l_e_v_e_l may be a value from 1 through 9. + -E The --EE (_p_r_e_s_e_r_v_e _e_n_v_i_r_o_n_m_e_n_t) option will override the _e_n_v___r_e_s_e_t option in _s_u_d_o_e_r_s(4)). It is only available when either the matching command has the SETENV tag or the @@ -183,14 +191,6 @@ SUDO(1m) MAINTENANCE COMMANDS SUDO(1m) specified in _p_a_s_s_w_d(4). By default, ssuuddoo does not modify HOME (see _s_e_t___h_o_m_e and _a_l_w_a_y_s___s_e_t___h_o_m_e in _s_u_d_o_e_r_s(4)). - -h The --hh (_h_e_l_p) option causes ssuuddoo to print a usage message - and exit. - - -i [command] - The --ii (_s_i_m_u_l_a_t_e _i_n_i_t_i_a_l _l_o_g_i_n) option runs the shell - specified in the _p_a_s_s_w_d(4) entry of the target user as a - login shell. This means that login-specific resource files - 1.8.0a2 June 9, 2010 3 @@ -202,6 +202,13 @@ SUDO(1m) MAINTENANCE COMMANDS SUDO(1m) SUDO(1m) MAINTENANCE COMMANDS SUDO(1m) + -h The --hh (_h_e_l_p) option causes ssuuddoo to print a usage message + and exit. + + -i [command] + The --ii (_s_i_m_u_l_a_t_e _i_n_i_t_i_a_l _l_o_g_i_n) option runs the shell + specified in the _p_a_s_s_w_d(4) entry of the target user as a + login shell. This means that login-specific resource files such as .profile or .login will be read by the shell. If a command is specified, it is passed to the shell for execution. Otherwise, an interactive shell is executed. 
@@ -249,13 +256,6 @@ SUDO(1m) MAINTENANCE COMMANDS SUDO(1m) -P The --PP (_p_r_e_s_e_r_v_e _g_r_o_u_p _v_e_c_t_o_r) option causes ssuuddoo to preserve the invoking user's group vector unaltered. By - default, ssuuddoo will initialize the group vector to the list - of groups the target user is in. The real and effective - group IDs, however, are still set to match the target user. - - -p _p_r_o_m_p_t The --pp (_p_r_o_m_p_t) option allows you to override the default - password prompt and use a custom one. The following - percent (`%') escapes are supported: @@ -268,6 +268,14 @@ SUDO(1m) MAINTENANCE COMMANDS SUDO(1m) SUDO(1m) MAINTENANCE COMMANDS SUDO(1m) + default, ssuuddoo will initialize the group vector to the list + of groups the target user is in. The real and effective + group IDs, however, are still set to match the target user. + + -p _p_r_o_m_p_t The --pp (_p_r_o_m_p_t) option allows you to override the default + password prompt and use a custom one. The following + percent (`%') escapes are supported: + %H expanded to the local host name including the domain name (on if the machine's host name is fully qualified or the _f_q_d_n _s_u_d_o_e_r_s option is set) @@ -314,14 +322,6 @@ SUDO(1m) MAINTENANCE COMMANDS SUDO(1m) is set (see _s_u_d_o_e_r_s(4)) it is not possible to run commands with a uid not listed in the password database. - -V The --VV (_v_e_r_s_i_o_n) option causes ssuuddoo to print the version - number and exit. If the invoking user is already root the - --VV option will print out a list of the defaults ssuuddoo was - compiled with as well as the machine's local network - addresses. - - -v If given the --vv (_v_a_l_i_d_a_t_e) option, ssuuddoo will update the - user's time stamp, prompting for the user's password if 
@@ -334,6 +334,14 @@ SUDO(1m) MAINTENANCE COMMANDS SUDO(1m) SUDO(1m) MAINTENANCE COMMANDS SUDO(1m) + -V The --VV (_v_e_r_s_i_o_n) option causes ssuuddoo to print the version + number and exit. If the invoking user is already root the + --VV option will print out a list of the defaults ssuuddoo was + compiled with as well as the machine's local network + addresses. + + -v If given the --vv (_v_a_l_i_d_a_t_e) option, ssuuddoo will update the + user's time stamp, prompting for the user's password if necessary. This extends the ssuuddoo timeout for another 5 minutes (or whatever the timeout is set to in _s_u_d_o_e_r_s) but does not run a command. @@ -367,6 +375,7 @@ PPLLUUGGIINNSS # # Format: # Plugin plugin_name plugin_path + # Path askpass path/to/askpass # # The plugin_path is relative to /usr/local/libexec unless # fully qualified. @@ -379,15 +388,6 @@ PPLLUUGGIINNSS A Plugin line consists of the Plugin keyword, followed by the _s_y_m_b_o_l___n_a_m_e and the _p_a_t_h to the shared object containing the plugin. The _s_y_m_b_o_l___n_a_m_e is the name of the struct policy_plugin or struct - io_plugin in the plugin shared object. The _p_a_t_h may be fully qualified - or relative. If not fully qualified it is relative to the - _/_u_s_r_/_l_o_c_a_l_/_l_i_b_e_x_e_c directory. Any additional parameters after the _p_a_t_h - are ignored. - - For more information, see the "_s_u_d_o___p_l_u_g_i_n(1m) manual." - -RREETTUURRNN VVAALLUUEESS - Upon successful execution of a program, the exit status from ssuuddoo will 
@@ -400,6 +400,16 @@ RREETTUURRNN VVAALLUUEESS SUDO(1m) MAINTENANCE COMMANDS SUDO(1m) + io_plugin in the plugin shared object. The _p_a_t_h may be fully qualified + or relative. If not fully qualified it is relative to the + _/_u_s_r_/_l_o_c_a_l_/_l_i_b_e_x_e_c directory. Any additional parameters after the _p_a_t_h + are ignored. Lines that don't begin with Plugin or Path are silently + ignored + + For more information, see the _s_u_d_o___p_l_u_g_i_n(1m) manual. + +RREETTUURRNN VVAALLUUEESS + Upon successful execution of a program, the exit status from ssuuddoo will simply be the exit status of the program that was executed. Otherwise, ssuuddoo quits with an exit value of 1 if there is a @@ -444,16 +454,6 @@ SSEECCUURRIITTYY NNOOTTEESS ssuuddoo to preserve them. To prevent command spoofing, ssuuddoo checks "." and "" (both denoting - current directory) last when searching for a command in the user's PATH - (if one or both are in the PATH). Note, however, that the actual PATH - environment variable is _n_o_t modified and is passed unchanged to the - program that ssuuddoo executes. - - ssuuddoo will check the ownership of its time stamp directory - (_/_v_a_r_/_r_u_n_/_s_u_d_o by default) and ignore the directory's contents if it is - not owned by root or if it is writable by a user other than root. On - systems that allow non-root users to give away files via _c_h_o_w_n(2), if - the time stamp directory is located in a directory writable by anyone 
@@ -466,6 +466,16 @@ SSEECCUURRIITTYY NNOOTTEESS SUDO(1m) MAINTENANCE COMMANDS SUDO(1m) + current directory) last when searching for a command in the user's PATH + (if one or both are in the PATH). Note, however, that the actual PATH + environment variable is _n_o_t modified and is passed unchanged to the + program that ssuuddoo executes. + + ssuuddoo will check the ownership of its time stamp directory + (_/_v_a_r_/_r_u_n_/_s_u_d_o by default) and ignore the directory's contents if it is + not owned by root or if it is writable by a user other than root. On + systems that allow non-root users to give away files via _c_h_o_w_n(2), if + the time stamp directory is located in a directory writable by anyone (e.g., _/_t_m_p), it is possible for a user to create the time stamp directory before ssuuddoo is run. However, because ssuuddoo checks the ownership and mode of the directory and its contents, the only damage 
@@ -510,28 +520,28 @@ SUDO(1m) MAINTENANCE COMMANDS SUDO(1m) when giving users access to commands via ssuuddoo to verify that the command does not inadvertently give the user an effective root shell. For more information, please see the PREVENTING SHELL ESCAPES section - in _s_u_d_o_e_r_s(4). -EENNVVIIRROONNMMEENNTT - ssuuddoo utilizes the following environment variables: - EDITOR Default editor to use in --ee (sudoedit) mode if neither - SUDO_EDITOR nor VISUAL is set - HOME In --ss or --HH mode (or if sudo was configured with the - --enable-shell-sets-home option), set to homedir of the +1.8.0a2 June 9, 2010 8 -1.8.0a2 June 9, 2010 8 +SUDO(1m) MAINTENANCE COMMANDS SUDO(1m) + in _s_u_d_o_e_r_s(4). -SUDO(1m) MAINTENANCE COMMANDS SUDO(1m) +EENNVVIIRROONNMMEENNTT + ssuuddoo utilizes the following environment variables: + EDITOR Default editor to use in --ee (sudoedit) mode if neither + SUDO_EDITOR nor VISUAL is set + HOME In --ss or --HH mode (or if sudo was configured with the + --enable-shell-sets-home option), set to homedir of the target user PATH Set to a sane value if the _s_e_c_u_r_e___p_a_t_h sudoers option @@ -565,7 +575,7 @@ SUDO(1m) MAINTENANCE COMMANDS SUDO(1m) SUDO_EDITOR is not set FFIILLEESS - _/_e_t_c_/_s_u_d_o_._c_o_n_f ssuuddoo plugin configuration + _/_e_t_c_/_s_u_d_o_._c_o_n_f ssuuddoo plugin and path configuration _/_e_t_c_/_s_u_d_o_e_r_s List of who can run what 
@@ -577,26 +587,25 @@ FFIILLEESS EEXXAAMMPPLLEESS Note: the following examples assume suitable _s_u_d_o_e_r_s(4) entries. - To get a file listing of an unreadable directory: - - $ sudo ls /usr/local/protected - To list the home directory of user yaz on a machine where the file - system holding ~yaz is not exported as root: - $ sudo -u yaz ls ~yaz +1.8.0a2 June 9, 2010 9 -1.8.0a2 June 9, 2010 9 +SUDO(1m) MAINTENANCE COMMANDS SUDO(1m) + To get a file listing of an unreadable directory: + $ sudo ls /usr/local/protected -SUDO(1m) MAINTENANCE COMMANDS SUDO(1m) + To list the home directory of user yaz on a machine where the file + system holding ~yaz is not exported as root: + $ sudo -u yaz ls ~yaz To edit the _i_n_d_e_x_._h_t_m_l file as user www: @@ -622,7 +631,7 @@ SUDO(1m) MAINTENANCE COMMANDS SUDO(1m) SSEEEE AALLSSOO _g_r_e_p(1), _s_u(1), _s_t_a_t(2), _l_o_g_i_n___c_a_p(3), _p_a_s_s_w_d(4), _s_u_d_o_e_r_s(4), - "_s_u_d_o___p_l_u_g_i_n(1m), "_s_u_d_o_r_e_p_l_a_y(1m), _v_i_s_u_d_o(1m)"" + _s_u_d_o___p_l_u_g_i_n(1m), _s_u_d_o_r_e_p_l_a_y(1m), _v_i_s_u_d_o(1m) AAUUTTHHOORRSS Many people have worked on ssuuddoo over the years; this version consists 
@@ -643,26 +652,26 @@ CCAAVVEEAATTSS It is not meaningful to run the cd command directly via sudo, e.g., - $ sudo cd /usr/local/protected - since when the command exits the parent process (your shell) will still - be the same. Please see the EXAMPLES section for more information. - If users have sudo ALL there is nothing to prevent them from creating - their own program that gives them a root shell regardless of any '!' - elements in the user specification. +1.8.0a2 June 9, 2010 10 -1.8.0a2 June 9, 2010 10 +SUDO(1m) MAINTENANCE COMMANDS SUDO(1m) + $ sudo cd /usr/local/protected -SUDO(1m) MAINTENANCE COMMANDS SUDO(1m) + since when the command exits the parent process (your shell) will still + be the same. Please see the EXAMPLES section for more information. + If users have sudo ALL there is nothing to prevent them from creating + their own program that gives them a root shell regardless of any '!' + elements in the user specification. Running shell scripts via ssuuddoo can expose the same kernel bugs that make setuid shell scripts unsafe on some operating systems (if your OS @@ -684,15 +693,6 @@ DDIISSCCLLAAIIMMEERR See the LICENSE file distributed with ssuuddoo or http://www.sudo.ws/sudo/license.html for complete details. -PPOODD EERRRROORRSS - Hey! TThhee aabboovvee ddooccuummeenntt hhaadd ssoommee ccooddiinngg eerrrroorrss,, wwhhiicchh aarree eexxppllaaiinneedd - bbeellooww:: - - Around line 442: - Unterminated L<...> sequence - - Around line 678: - Unterminated L> sequence diff --git a/doc/sudo.man.in b/doc/sudo.man.in index f8100eb48..92cfb4d42 100644 --- a/doc/sudo.man.in +++ b/doc/sudo.man.in 
@@ -241,11 +241,19 @@ or via the \fIsudoers\fR file. .IX Item "-A" Normally, if \fBsudo\fR requires a password, it will read it from the current terminal. If the \fB\-A\fR (\fIaskpass\fR) option is specified, -a (possibly graphical) helper program is executed to read the -user's password and output the password to the standard output. If -the \f(CW\*(C`SUDO_ASKPASS\*(C'\fR environment variable is set, it specifies the -path to the helper program. Otherwise, the value specified by the -\&\fIaskpass\fR option in \fIsudoers\fR\|(@mansectform@) is used. +a (possibly graphical) helper program is executed to read the user's +password and output the password to the standard output. If the +\&\f(CW\*(C`SUDO_ASKPASS\*(C'\fR environment variable is set, it specifies the path +to the helper program. Otherwise, if \fI@sysconfdir@/sudo.conf\fR +contains a line specifying the askpass program that value will be +used. For example: +.Sp +.Vb 2 +\& # Path to askpass helper program +\& Path askpass /usr/X11R6/bin/ssh\-askpass +.Ve +.Sp +If no askpass program is available, sudo will exit with an error. .if \n(BA \{\ .IP "\-a \fItype\fR" 12 .IX Item "-a type" @@ -521,6 +529,7 @@ policy and I/O logging, which corresponds to the following \& # \& # Format: \& # Plugin plugin_name plugin_path +\& # Path askpass path/to/askpass \& # \& # The plugin_path is relative to @prefix@/libexec unless \& # fully qualified. 
@@ -536,10 +545,11 @@ A \f(CW\*(C`Plugin\*(C'\fR line consists of the \f(CW\*(C`Plugin\*(C'\fR keyword plugin. The \fIsymbol_name\fR is the name of the \f(CW\*(C`struct policy_plugin\*(C'\fR or \f(CW\*(C`struct io_plugin\*(C'\fR in the plugin shared object. The \fIpath\fR may be fully qualified or relative. If not fully qualified it is -relative to the \fI@prefix@/libexec\fR directory. Any additional parameters -after the \fIpath\fR are ignored. +relative to the \fI@prefix@/libexec\fR directory. Any additional +parameters after the \fIpath\fR are ignored. Lines that don't begin +with \f(CW\*(C`Plugin\*(C'\fR or \f(CW\*(C`Path\*(C'\fR are silently ignored .PP -For more information, see the \*(L"\fIsudo_plugin\fR\|(@mansectsu@) manual.\*(R" +For more information, see the \fIsudo_plugin\fR\|(@mansectsu@) manual. .SH "RETURN VALUES" .IX Header "RETURN VALUES" Upon successful execution of a program, the exit status from \fBsudo\fR @@ -713,7 +723,7 @@ is not set .ie n .IP "\fI@sysconfdir@/sudo.conf\fR" 24 .el .IP "\fI@sysconfdir@/sudo.conf\fR" 24 .IX Item "@sysconfdir@/sudo.conf" -\&\fBsudo\fR plugin configuration +\&\fBsudo\fR plugin and path configuration .ie n .IP "\fI@sysconfdir@/sudoers\fR" 24 .el .IP "\fI@sysconfdir@/sudoers\fR" 24 .IX Item "@sysconfdir@/sudoers" @@ -777,7 +787,7 @@ to make the \f(CW\*(C`cd\*(C'\fR and file redirection work. .IX Header "SEE ALSO" \&\fIgrep\fR\|(1), \fIsu\fR\|(1), \fIstat\fR\|(2), .if \n(LC \&\fIlogin_cap\fR\|(3), -\&\fIpasswd\fR\|(@mansectform@), \fIsudoers\fR\|(@mansectform@), "\fIsudo_plugin\fR\|(@mansectsu@), "\fIsudoreplay\fR\|(@mansectsu@), \fIvisudo\fR\|(@mansectsu@)"" +\&\fIpasswd\fR\|(@mansectform@), \fIsudoers\fR\|(@mansectform@), \fIsudo_plugin\fR\|(@mansectsu@), \fIsudoreplay\fR\|(@mansectsu@), \fIvisudo\fR\|(@mansectsu@) .SH "AUTHORS" .IX Header "AUTHORS" Many people have worked on \fBsudo\fR over the years; this 
@@ -832,12 +842,3 @@ including, but not limited to, the implied warranties of merchantability and fitness for a particular purpose are disclaimed. See the \s-1LICENSE\s0 file distributed with \fBsudo\fR or http://www.sudo.ws/sudo/license.html for complete details. -.SH "POD ERRORS" -.IX Header "POD ERRORS" -Hey! \fBThe above document had some coding errors, which are explained below:\fR -.IP "Around line 442:" 4 -.IX Item "Around line 442:" -Unterminated L<...> sequence -.IP "Around line 678:" 4 -.IX Item "Around line 678:" -Unterminated L> sequence diff --git a/doc/sudo.pod b/doc/sudo.pod index 1d243f6b6..2ae1ae41c 100644 --- a/doc/sudo.pod +++ b/doc/sudo.pod @@ -115,11 +115,17 @@ B accepts the following command line options: Normally, if B requires a password, it will read it from the current terminal. If the B<-A> (I) option is specified, -a (possibly graphical) helper program is executed to read the -user's password and output the password to the standard output. If -the C environment variable is set, it specifies the -path to the helper program. Otherwise, the value specified by the -I option in L is used. +a (possibly graphical) helper program is executed to read the user's +password and output the password to the standard output. If the +C environment variable is set, it specifies the path +to the helper program. Otherwise, if F<@sysconfdir@/sudo.conf> +contains a line specifying the askpass program that value will be +used. For example: + + # Path to askpass helper program + Path askpass /usr/X11R6/bin/ssh-askpass + +If no askpass program is available, sudo will exit with an error. =item -a I @@ -422,6 +428,7 @@ F<@sysconfdir@/sudo.conf> file. # # Format: # Plugin plugin_name plugin_path + # Path askpass path/to/askpass # # The plugin_path is relative to @prefix@/libexec unless # fully qualified. 
@@ -436,10 +443,11 @@ I and the I to the shared object containing the plugin. The I is the name of the C or C in the plugin shared object. The I may be fully qualified or relative. If not fully qualified it is -relative to the F<@prefix@/libexec> directory. Any additional parameters -after the I are ignored. +relative to the F<@prefix@/libexec> directory. Any additional +parameters after the I are ignored. Lines that don't begin +with C or C are silently ignored -For more information, see the L manual. =head1 RETURN VALUES @@ -622,7 +630,7 @@ is not set =item F<@sysconfdir@/sudo.conf> -B plugin configuration +B plugin and path configuration =item F<@sysconfdir@/sudoers> @@ -677,7 +685,7 @@ to make the C and file redirection work. L, L, L, L, -L, L, L +L, L, L, L, L =head1 AUTHORS diff --git a/doc/sudo_plugin.cat b/doc/sudo_plugin.cat index d1d67881a..8679a6290 100644 --- a/doc/sudo_plugin.cat +++ b/doc/sudo_plugin.cat @@ -31,7 +31,8 @@ SSuuddoo PPlluuggiinn AAPPII io_plugin in the plugin shared object. The _p_a_t_h may be fully qualified or relative. If not fully qualified it is relative to the _/_u_s_r_/_l_o_c_a_l_/_l_i_b_e_x_e_c directory. Any additional parameters after the _p_a_t_h - are ignored. + are ignored. Lines that don't begin with Plugin or Path are silently + ignored. The same shared object may contain multiple plugins, each with a different symbol name. The shared object file must be owned by uid 0 @@ -44,6 +45,7 @@ SSuuddoo PPlluuggiinn AAPPII # # Format: # Plugin plugin_name plugin_path + # Path askpass /path/to/askpass # # The plugin_path is relative to /usr/local/libexec unless # fully qualified. 
@@ -56,8 +58,6 @@ SSuuddoo PPlluuggiinn AAPPII PPoolliiccyy PPlluuggiinn AAPPII A policy plugin must declare and populate a policy_plugin struct in the global scope. This structure contains pointers to the functions that - implement the ssuuddoo policy checks. The name of the symbol should be - specified in _/_e_t_c_/_s_u_d_o_._c_o_n_f along with a path to the plugin so that @@ -70,6 +70,8 @@ SSuuddoo PPlluuggiinn AAPPII SUDO_PLUGIN(1m) MAINTENANCE COMMANDS SUDO_PLUGIN(1m) + implement the ssuuddoo policy checks. The name of the symbol should be + specified in _/_e_t_c_/_s_u_d_o_._c_o_n_f along with a path to the plugin so that ssuuddoo can load it. struct policy_plugin { @@ -121,9 +123,7 @@ SUDO_PLUGIN(1m) MAINTENANCE COMMANDS SUDO_PLUGIN(1m) the major and minor version number of the plugin API supported by ssuuddoo. - conversation - A pointer to the conversation function that can be used by the - plugin to interact with the user (see below). + @@ -136,6 +136,10 @@ SUDO_PLUGIN(1m) MAINTENANCE COMMANDS SUDO_PLUGIN(1m) SUDO_PLUGIN(1m) MAINTENANCE COMMANDS SUDO_PLUGIN(1m) + conversation + A pointer to the conversation function that can be used by the + plugin to interact with the user (see below). + plugin_printf A pointer to a printf-style function that may be used to display informational or error messages (see below). @@ -186,10 +190,6 @@ SUDO_PLUGIN(1m) MAINTENANCE COMMANDS SUDO_PLUGIN(1m) set _i_m_p_l_i_e_d___s_h_e_l_l to true. This allows ssuuddoo with no arguments to be used similarly to _s_u(1). If the plugin does not to support this usage, it may return a value of -2 - from the check_policy function, which will cause ssuuddoo to - print a usage message and exit. - - 
@@ -202,6 +202,9 @@ SUDO_PLUGIN(1m) MAINTENANCE COMMANDS SUDO_PLUGIN(1m) SUDO_PLUGIN(1m) MAINTENANCE COMMANDS SUDO_PLUGIN(1m) + from the check_policy function, which will cause ssuuddoo to + print a usage message and exit. + preserve_groups=bool Set to true if the user specified the -P flag, indicating that the user wishes to preserve the group vector instead @@ -254,9 +257,6 @@ SUDO_PLUGIN(1m) MAINTENANCE COMMANDS SUDO_PLUGIN(1m) Additional settings may be added in the future so the plugin should silently ignore settings that it does not recognize. - user_info - A vector of information about the user running the command in - 1.8.0a2 June 9, 2010 4 @@ -268,6 +268,8 @@ SUDO_PLUGIN(1m) MAINTENANCE COMMANDS SUDO_PLUGIN(1m) SUDO_PLUGIN(1m) MAINTENANCE COMMANDS SUDO_PLUGIN(1m) + user_info + A vector of information about the user running the command in the form of "name=value" strings. The vector is terminated by a NULL pointer. @@ -321,8 +323,6 @@ SUDO_PLUGIN(1m) MAINTENANCE COMMANDS SUDO_PLUGIN(1m) close void (*close)(int exit_status, int error); - The close function is called when the command being run by ssuuddoo - 1.8.0a2 June 9, 2010 5 @@ -334,6 +334,7 @@ SUDO_PLUGIN(1m) MAINTENANCE COMMANDS SUDO_PLUGIN(1m) SUDO_PLUGIN(1m) MAINTENANCE COMMANDS SUDO_PLUGIN(1m) + The close function is called when the command being run by ssuuddoo finishes. The function arguments are as follows: @@ -387,7 +388,6 @@ SUDO_PLUGIN(1m) MAINTENANCE COMMANDS SUDO_PLUGIN(1m) not allowed, -1 for a general error, or -2 for a usage error or if ssuuddooeeddiitt was specified but is unsupported by the plugin. In the latter case, ssuuddoo will print a usage message before it exits. If - an error occurs, the plugin may optionally call the conversation or 
@@ -400,6 +400,7 @@ SUDO_PLUGIN(1m) MAINTENANCE COMMANDS SUDO_PLUGIN(1m) SUDO_PLUGIN(1m) MAINTENANCE COMMANDS SUDO_PLUGIN(1m) + an error occurs, the plugin may optionally call the conversation or plugin_printf function with SUDO_CONF_ERROR_MSG to present additional error information to the user. @@ -453,7 +454,6 @@ SUDO_PLUGIN(1m) MAINTENANCE COMMANDS SUDO_PLUGIN(1m) runas_groups=list The supplementary group vector to use for the command in the form of a comma-separated list of group IDs. If - _p_r_e_s_e_r_v_e___g_r_o_u_p_s is set, this option is ignored. @@ -466,6 +466,8 @@ SUDO_PLUGIN(1m) MAINTENANCE COMMANDS SUDO_PLUGIN(1m) SUDO_PLUGIN(1m) MAINTENANCE COMMANDS SUDO_PLUGIN(1m) + _p_r_e_s_e_r_v_e___g_r_o_u_p_s is set, this option is ignored. + login_class=login_class BSD login class to use when setting resource limits and nice value (optional). This option is only set on systems @@ -518,8 +520,6 @@ SUDO_PLUGIN(1m) MAINTENANCE COMMANDS SUDO_PLUGIN(1m) argv_out The NULL-terminated argument vector to pass to the _e_x_e_c_v_e_(_) - system call when executing the command. The plugin is - responsible for allocating and populating the vector. @@ -532,6 +532,9 @@ SUDO_PLUGIN(1m) MAINTENANCE COMMANDS SUDO_PLUGIN(1m) SUDO_PLUGIN(1m) MAINTENANCE COMMANDS SUDO_PLUGIN(1m) + system call when executing the command. The plugin is + responsible for allocating and populating the vector. + user_env_out The NULL-terminated environment vector to use when executing the command. The plugin is responsible for allocating and @@ -583,9 +586,6 @@ SUDO_PLUGIN(1m) MAINTENANCE COMMANDS SUDO_PLUGIN(1m) Returns 1 on success, 0 on failure and -1 on error. On error, the plugin may optionally call the conversation or plugin_printf function with SUDO_CONF_ERROR_MSG to present additional error - information to the user. - - 
@@ -598,6 +598,8 @@ SUDO_PLUGIN(1m) MAINTENANCE COMMANDS SUDO_PLUGIN(1m) SUDO_PLUGIN(1m) MAINTENANCE COMMANDS SUDO_PLUGIN(1m) + information to the user. + invalidate void (*invalidate)(int remove); @@ -651,8 +653,6 @@ SUDO_PLUGIN(1m) MAINTENANCE COMMANDS SUDO_PLUGIN(1m) const char *msg; }; - struct sudo_conv_reply { - 1.8.0a2 June 9, 2010 10 @@ -664,6 +664,8 @@ SUDO_PLUGIN(1m) MAINTENANCE COMMANDS SUDO_PLUGIN(1m) SUDO_PLUGIN(1m) MAINTENANCE COMMANDS SUDO_PLUGIN(1m) + + struct sudo_conv_reply { char *reply; }; @@ -716,8 +718,6 @@ SUDO_PLUGIN(1m) MAINTENANCE COMMANDS SUDO_PLUGIN(1m) I/O for logging before passing it on. The log_ttyin function receives the raw user input from the terminal - device (note that this will include input even when echo is disabled, - such as when a password is read). The log_ttyout function receives @@ -730,6 +730,8 @@ SUDO_PLUGIN(1m) MAINTENANCE COMMANDS SUDO_PLUGIN(1m) SUDO_PLUGIN(1m) MAINTENANCE COMMANDS SUDO_PLUGIN(1m) + device (note that this will include input even when echo is disabled, + such as when a password is read). The log_ttyout function receives output from the pseudo-tty that is suitable for replaying the user's session at a later time. The log_stdin, log_stdout and log_stderr functions are only called if the standard input, standard output or @@ -782,8 +784,6 @@ SUDO_PLUGIN(1m) MAINTENANCE COMMANDS SUDO_PLUGIN(1m) plugin_printf A pointer to a printf-style function that may be used by the _s_h_o_w___v_e_r_s_i_o_n function to display version information (see - show_version below). The plugin_printf function may also be - used to display additional error message to the user. 
@@ -796,6 +796,9 @@ SUDO_PLUGIN(1m) MAINTENANCE COMMANDS SUDO_PLUGIN(1m) SUDO_PLUGIN(1m) MAINTENANCE COMMANDS SUDO_PLUGIN(1m) + show_version below). The plugin_printf function may also be + used to display additional error message to the user. + settings A vector of user-supplied ssuuddoo settings in the form of "name=value" strings. The vector is terminated by a NULL @@ -847,9 +850,6 @@ SUDO_PLUGIN(1m) MAINTENANCE COMMANDS SUDO_PLUGIN(1m) The function arguments are as follows: - exit_status - The command's exit status, as returned by the _w_a_i_t(2) system - call. The value of exit_status is undefined if error is non- @@ -862,6 +862,9 @@ SUDO_PLUGIN(1m) MAINTENANCE COMMANDS SUDO_PLUGIN(1m) SUDO_PLUGIN(1m) MAINTENANCE COMMANDS SUDO_PLUGIN(1m) + exit_status + The command's exit status, as returned by the _w_a_i_t(2) system + call. The value of exit_status is undefined if error is non- zero. error @@ -913,9 +916,6 @@ SUDO_PLUGIN(1m) MAINTENANCE COMMANDS SUDO_PLUGIN(1m) log_stdin int (*log_stdin)(const char *buf, unsigned int len); - The _l_o_g___s_t_d_i_n function is only used if the standard input does not - correspond to a tty device. It is called whenever data can be read - from the standard input but before it is passed to the running @@ -928,6 +928,9 @@ SUDO_PLUGIN(1m) MAINTENANCE COMMANDS SUDO_PLUGIN(1m) SUDO_PLUGIN(1m) MAINTENANCE COMMANDS SUDO_PLUGIN(1m) + The _l_o_g___s_t_d_i_n function is only used if the standard input does not + correspond to a tty device. It is called whenever data can be read + from the standard input but before it is passed to the running command. This allows the plugin to reject data if it chooses to (for instance if the input contains banned content). Returns 1 if the data should be passed to the command, 0 if the data is rejected @@ -982,9 +985,6 @@ SUDO_PLUGIN(1m) MAINTENANCE COMMANDS SUDO_PLUGIN(1m) - - - 1.8.0a2 June 9, 2010 15 diff --git a/doc/sudo_plugin.man.in b/doc/sudo_plugin.man.in index eb6e49832..7dc045581 100644 
--- a/doc/sudo_plugin.man.in +++ b/doc/sudo_plugin.man.in @@ -171,8 +171,9 @@ A \f(CW\*(C`Plugin\*(C'\fR line consists of the \f(CW\*(C`Plugin\*(C'\fR keyword plugin. The \fIsymbol_name\fR is the name of the \f(CW\*(C`struct policy_plugin\*(C'\fR or \f(CW\*(C`struct io_plugin\*(C'\fR in the plugin shared object. The \fIpath\fR may be fully qualified or relative. If not fully qualified it is -relative to the \fI@prefix@/libexec\fR directory. Any additional parameters -after the \fIpath\fR are ignored. +relative to the \fI@prefix@/libexec\fR directory. Any additional +parameters after the \fIpath\fR are ignored. Lines that don't begin +with \f(CW\*(C`Plugin\*(C'\fR or \f(CW\*(C`Path\*(C'\fR are silently ignored. .PP The same shared object may contain multiple plugins, each with a different symbol name. The shared object file must be owned by uid @@ -186,6 +187,7 @@ This limitation does not apply to I/O plugins. \& # \& # Format: \& # Plugin plugin_name plugin_path +\& # Path askpass /path/to/askpass \& # \& # The plugin_path is relative to @prefix@/libexec unless \& # fully qualified. diff --git a/doc/sudo_plugin.pod b/doc/sudo_plugin.pod index 64b44c447..a297b64c4 100644 --- a/doc/sudo_plugin.pod +++ b/doc/sudo_plugin.pod @@ -43,8 +43,9 @@ I and the I to the shared object containing the plugin. The I is the name of the C or C in the plugin shared object. The I may be fully qualified or relative. If not fully qualified it is -relative to the F<@prefix@/libexec> directory. Any additional parameters -after the I are ignored. +relative to the F<@prefix@/libexec> directory. Any additional +parameters after the I are ignored. Lines that don't begin +with C or C are silently ignored. The same shared object may contain multiple plugins, each with a different symbol name. The shared object file must be owned by uid 
@@ -57,6 +58,7 @@ This limitation does not apply to I/O plugins. # # Format: # Plugin plugin_name plugin_path + # Path askpass /path/to/askpass # # The plugin_path is relative to @prefix@/libexec unless # fully qualified. diff --git a/plugins/sudoers/check.c b/plugins/sudoers/check.c index 77d9355eb..8df4a9f40 100644 --- a/plugins/sudoers/check.c +++ b/plugins/sudoers/check.c @@ -136,27 +136,8 @@ check_user(int validated, int mode) return -1; } -#if 0 /* XXX - checks need to be done in main driver */ - /* If user specified -A, make sure we have an askpass helper. */ - if (ISSET(tgetpass_flags, TGP_ASKPASS)) { - if (user_askpass == NULL) - log_error(NO_MAIL, - "no askpass program specified, try setting SUDO_ASKPASS"); - } else if (!ISSET(tgetpass_flags, TGP_STDIN)) { - /* If no tty but DISPLAY is set, use askpass if we have it. */ - if (!user_ttypath && !tty_present()) { - if (user_askpass && user_display && *user_display != '\0') { - SET(tgetpass_flags, TGP_ASKPASS); - } else if (!def_visiblepw) { - log_error(NO_MAIL, - "no tty present and no askpass program specified"); - } - } - } - - if (!ISSET(tgetpass_flags, TGP_ASKPASS)) -#endif - lecture(status); + /* XXX - should not lecture if askpass help is being used. */ + lecture(status); /* Expand any escapes in the prompt. */ prompt = expand_prompt(user_prompt ? user_prompt : def_passprompt, diff --git a/plugins/sudoers/def_data.c b/plugins/sudoers/def_data.c index fbdc0c791..81c03f432 100644 --- a/plugins/sudoers/def_data.c +++ b/plugins/sudoers/def_data.c @@ -286,10 +286,6 @@ struct sudo_defs_types sudo_defs_table[] = { "type", T_STR, "SELinux type to use in the new security context: %s", NULL, - }, { - "askpass", T_STR|T_PATH|T_BOOL, - "Path to the askpass helper program: %s", - NULL, }, { "env_file", T_STR|T_PATH|T_BOOL, "Path to the sudo-specific environment file: %s", diff --git a/plugins/sudoers/def_data.h b/plugins/sudoers/def_data.h index e868d3226..ec1014ab9 100644 --- a/plugins/sudoers/def_data.h 
+++ b/plugins/sudoers/def_data.h @@ -130,28 +130,26 @@ #define I_ROLE 64 #define def_type (sudo_defs_table[65].sd_un.str) #define I_TYPE 65 -#define def_askpass (sudo_defs_table[66].sd_un.str) -#define I_ASKPASS 66 -#define def_env_file (sudo_defs_table[67].sd_un.str) -#define I_ENV_FILE 67 -#define def_sudoers_locale (sudo_defs_table[68].sd_un.str) -#define I_SUDOERS_LOCALE 68 -#define def_visiblepw (sudo_defs_table[69].sd_un.flag) -#define I_VISIBLEPW 69 -#define def_pwfeedback (sudo_defs_table[70].sd_un.flag) -#define I_PWFEEDBACK 70 -#define def_fast_glob (sudo_defs_table[71].sd_un.flag) -#define I_FAST_GLOB 71 -#define def_umask_override (sudo_defs_table[72].sd_un.flag) -#define I_UMASK_OVERRIDE 72 -#define def_log_input (sudo_defs_table[73].sd_un.flag) -#define I_LOG_INPUT 73 -#define def_log_output (sudo_defs_table[74].sd_un.flag) -#define I_LOG_OUTPUT 74 -#define def_compress_io (sudo_defs_table[75].sd_un.flag) -#define I_COMPRESS_IO 75 -#define def_use_pty (sudo_defs_table[76].sd_un.flag) -#define I_USE_PTY 76 +#define def_env_file (sudo_defs_table[66].sd_un.str) +#define I_ENV_FILE 66 +#define def_sudoers_locale (sudo_defs_table[67].sd_un.str) +#define I_SUDOERS_LOCALE 67 +#define def_visiblepw (sudo_defs_table[68].sd_un.flag) +#define I_VISIBLEPW 68 +#define def_pwfeedback (sudo_defs_table[69].sd_un.flag) +#define I_PWFEEDBACK 69 +#define def_fast_glob (sudo_defs_table[70].sd_un.flag) +#define I_FAST_GLOB 70 +#define def_umask_override (sudo_defs_table[71].sd_un.flag) +#define I_UMASK_OVERRIDE 71 +#define def_log_input (sudo_defs_table[72].sd_un.flag) +#define I_LOG_INPUT 72 +#define def_log_output (sudo_defs_table[73].sd_un.flag) +#define I_LOG_OUTPUT 73 +#define def_compress_io (sudo_defs_table[74].sd_un.flag) +#define I_COMPRESS_IO 74 +#define def_use_pty (sudo_defs_table[75].sd_un.flag) +#define I_USE_PTY 75 enum def_tupple { never, diff --git a/plugins/sudoers/def_data.in b/plugins/sudoers/def_data.in index d903cfaee..203fd1d0c 100644 
--- a/plugins/sudoers/def_data.in +++ b/plugins/sudoers/def_data.in @@ -211,9 +211,6 @@ role type T_STR "SELinux type to use in the new security context: %s" -askpass - T_STR|T_PATH|T_BOOL - "Path to the askpass helper program: %s" env_file T_STR|T_PATH|T_BOOL "Path to the sudo-specific environment file: %s" diff --git a/plugins/sudoers/defaults.c b/plugins/sudoers/defaults.c index 5be5dfe5f..fde60deb3 100644 --- a/plugins/sudoers/defaults.c +++ b/plugins/sudoers/defaults.c @@ -444,9 +444,6 @@ init_defaults(void) #endif #ifdef ENV_EDITOR def_env_editor = TRUE; -#endif -#ifdef _PATH_SUDO_ASKPASS - def_askpass = estrdup(_PATH_SUDO_ASKPASS); #endif def_sudoers_locale = estrdup("C"); def_env_reset = TRUE; diff --git a/plugins/sudoers/sudoers.c b/plugins/sudoers/sudoers.c index d77109597..a21ab11cd 100644 --- a/plugins/sudoers/sudoers.c +++ b/plugins/sudoers/sudoers.c @@ -718,10 +718,6 @@ init_vars(char * const envp[]) for (ep = envp; *ep; ep++) { /* XXX - don't fill in if empty string */ switch (**ep) { - case 'D': - if (strncmp("DISPLAY=", *ep, 8) == 0) - user_display = *ep + 8; - break; case 'K': if (strncmp("KRB5CCNAME=", *ep, 11) == 0) user_ccname = *ep + 11; @@ -735,8 +731,6 @@ init_vars(char * const envp[]) user_prompt = *ep + 12; else if (strncmp("SUDO_USER=", *ep, 10) == 0) prev_user = *ep + 10; - else if (strncmp("SUDO_ASKPASS=", *ep, 13) == 0) - user_askpass = *ep + 13; break; } } diff --git a/plugins/sudoers/sudoers.h b/plugins/sudoers/sudoers.h index f1f4dec5e..cda619dea 100644 --- a/plugins/sudoers/sudoers.h +++ b/plugins/sudoers/sudoers.h @@ -60,8 +60,6 @@ struct sudo_user { char *cmnd_safe; char *class_name; char *krb5_ccname; - char *display; - char *askpass; int closefrom; int ngroups; uid_t uid; 
@@ -171,8 +169,6 @@ struct sudo_user { #define user_host (sudo_user.host) #define user_shost (sudo_user.shost) #define user_ccname (sudo_user.krb5_ccname) -#define user_display (sudo_user.display) -#define user_askpass (sudo_user.askpass) #define safe_cmnd (sudo_user.cmnd_safe) #define login_class (sudo_user.class_name) #define runas_pw (sudo_user._runas_pw) diff --git a/src/load_plugins.c b/src/load_plugins.c index 22ff79dd4..685535dc1 100644 --- a/src/load_plugins.c +++ b/src/load_plugins.c @@ -82,22 +82,35 @@ sudo_read_conf(const char *conf_file) if (*cp == '\0') continue; - /* Look for a line starting with "Plugin" */ - if (strncasecmp(cp, "Plugin", 6) != 0) + /* Look for a line starting with "Path" */ + if (strncasecmp(cp, "Path", 4) == 0) { + /* Parse line */ + if ((name = strtok(cp + 4, " \t")) == NULL || + (path = strtok(NULL, " \t")) == NULL) { + continue; + } + if (strcasecmp(name, "askpass") != 0) + continue; + /* XXX - Just set in environment for now */ + setenv("SUDO_ASKPASS", path, 0); continue; + } - /* Parse line */ - if ((name = strtok(cp + 6, " \t")) == NULL || - (path = strtok(NULL, " \t")) == NULL) { + /* Look for a line starting with "Plugin" */ + if (strncasecmp(cp, "Plugin", 6) == 0) { + /* Parse line */ + if ((name = strtok(cp + 6, " \t")) == NULL || + (path = strtok(NULL, " \t")) == NULL) { + continue; + } + info = emalloc(sizeof(*info)); + info->symbol_name = estrdup(name); + info->path = estrdup(path); + info->prev = info; + info->next = NULL; + tq_append(&pil, info); continue; } - - info = emalloc(sizeof(*info)); - info->symbol_name = estrdup(name); - info->path = estrdup(path); - info->prev = info; - info->next = NULL; - tq_append(&pil, info); } fclose(fp); diff --git a/src/parse_args.c b/src/parse_args.c index 8c0e05974..18b3ef8cc 100644 --- a/src/parse_args.c +++ b/src/parse_args.c 
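Review bot: The new `Path` branch in sudo_read_conf hands `path` to `setenv("SUDO_ASKPASS", path, 0)` without checking that it is fully qualified or that setenv() succeeded. A relative value would be resolved against whatever the working directory is when the helper is later executed, and a failed setenv() silently drops the configured helper. I would reject non-absolute values and report the failure, e.g. `if (*path != '/') continue;` followed by `if (setenv("SUDO_ASKPASS", path, 0) == -1) warningx("unable to set SUDO_ASKPASS");`. The `strncasecmp(cp, "Path", 4)` test also accepts any line that merely starts with those four letters (the `Plugin` test has the same shape), so checking that the keyword is followed by a blank would make the documented "silently ignored" rule exact. The loop that contains this branch starts above the hunk.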
@@ -367,6 +367,11 @@ parse_args(int argc, char **argv, int *nargc, char ***nargv, char ***settingsp, sudo_settings[ARG_IMPLIED_SHELL].value = "true"; } +#ifndef _PATH_SUDO_ASKPASS + if (ISSET(tgetpass_flags, TGP_ASKPASS) && !getenv("SUDO_ASKPASS")) + errorx(1, "no askpass program specified, try setting SUDO_ASKPASS"); +#endif + if (mode == MODE_HELP) usage(0); diff --git a/src/tgetpass.c b/src/tgetpass.c index 7020c4b46..6b2f054e1 100644 --- a/src/tgetpass.c +++ b/src/tgetpass.c @@ -79,16 +79,25 @@ tgetpass(const char *prompt, int timeout, int flags) (void) fflush(stdout); - /* If using a helper program to get the password, run it instead. */ - /* XXX - askpass may be set by policy */ - if (ISSET(flags, TGP_ASKPASS)) { - if (!askpass) { - askpass = getenv("SUDO_ASKPASS"); + if (askpass == NULL) { + askpass = getenv("SUDO_ASKPASS"); #ifdef _PATH_SUDO_ASKPASS - if (!askpass) - askpass = _PATH_SUDO_ASKPASS; + if (askpass == NULL) + askpass = _PATH_SUDO_ASKPASS; #endif + } + + /* If no tty present and we need to disable echo, try askpass. */ + if (!ISSET(flags, TGP_STDIN|TGP_ECHO|TGP_ASKPASS) && !tty_present()) { + if (askpass == NULL || getenv("DISPLAY") == NULL) { + warningx("no tty present and no askpass program specified"); + return(NULL); } + SET(flags, TGP_ASKPASS); + } + + /* If using a helper program to get the password, run it instead. */ + if (ISSET(flags, TGP_ASKPASS)) { if (askpass && *askpass) return(sudo_askpass(askpass, prompt)); }
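Review bot: The added `-A` check in parse_args can only see an askpass path from sudo.conf if sudo_read_conf() has already run and exported SUDO_ASKPASS; the call order is not visible in this hunk and needs confirming. If parse_args runs first, `sudo -A` would stop with "no askpass program specified" even though /etc/sudo.conf carries a `Path askpass` line. The test `!getenv("SUDO_ASKPASS")` also accepts an empty `SUDO_ASKPASS=` as a usable helper; comparing the first character against `'\0'` as well as testing for NULL would close that gap. parse_args continues on both sides of the hunk.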
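Review bot: The no-tty fallback in tgetpass tests `askpass == NULL || getenv("DISPLAY") == NULL`, so an empty SUDO_ASKPASS or an empty DISPLAY counts as present, whereas the check this commit removes from check_user required `*user_display != '\0'`. With an empty askpass string TGP_ASKPASS is set, the `askpass && *askpass` test just below is false, and control falls through to code outside the hunk instead of returning the "no tty present" error. I would treat empty values as unset: `if (askpass == NULL || *askpass == '\0' || (dpy = getenv("DISPLAY")) == NULL || *dpy == '\0')` with a local `const char *dpy`. Because `askpass` can come from the invoking user's environment, it is also worth confirming that sudo_askpass() (not shown here) drops privileges before executing it.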