From 71fdb8e03763777382fcd2b45478d8cd8ac0bfc0 Mon Sep 17 00:00:00 2001 From: "Todd C. Miller" Date: Thu, 20 Jun 2019 13:15:46 -0600 Subject: [PATCH] Remove .cat pages, there is no need for them in the modern world. Sudo only shipped .cat pages for Irix, which lacked nroff. Irix is long dead and there are multiple open source nroff options. --- MANIFEST | 9 - configure | 29 +- configure.ac | 27 +- doc/Makefile.in | 76 +- doc/cvtsudoers.cat | 282 ---- doc/sudo.cat | 745 ---------- doc/sudo.conf.cat | 434 ------ doc/sudo_plugin.cat | 1683 --------------------- doc/sudoers.cat | 2956 ------------------------------------- doc/sudoers.ldap.cat | 1033 ------------- doc/sudoers_timestamp.cat | 201 --- doc/sudoreplay.cat | 303 ---- doc/visudo.cat | 226 --- 13 files changed, 17 insertions(+), 7987 deletions(-) delete mode 100644 doc/cvtsudoers.cat delete mode 100644 doc/sudo.cat delete mode 100644 doc/sudo.conf.cat delete mode 100644 doc/sudo_plugin.cat delete mode 100644 doc/sudoers.cat delete mode 100644 doc/sudoers.ldap.cat delete mode 100644 doc/sudoers_timestamp.cat delete mode 100644 doc/sudoreplay.cat delete mode 100644 doc/visudo.cat diff --git a/MANIFEST b/MANIFEST index 10d02e91c..47c645b93 100644 --- a/MANIFEST +++ b/MANIFEST @@ -20,7 +20,6 @@ doc/LICENSE doc/Makefile.in doc/TROUBLESHOOTING doc/UPGRADE -doc/cvtsudoers.cat doc/cvtsudoers.man.in doc/cvtsudoers.mdoc.in doc/fixman.sh @@ -29,30 +28,22 @@ doc/schema.ActiveDirectory doc/schema.OpenLDAP doc/schema.iPlanet doc/schema.olcSudo -doc/sudo.cat -doc/sudo.conf.cat doc/sudo.conf.man.in doc/sudo.conf.mdoc.in doc/sudo.man.in doc/sudo.man.in.sed doc/sudo.mdoc.in -doc/sudo_plugin.cat doc/sudo_plugin.man.in doc/sudo_plugin.mdoc.in -doc/sudoers.cat -doc/sudoers.ldap.cat doc/sudoers.ldap.man.in doc/sudoers.ldap.mdoc.in doc/sudoers.man.in doc/sudoers.man.in.sed doc/sudoers.mdoc.in -doc/sudoers_timestamp.cat doc/sudoers_timestamp.man.in doc/sudoers_timestamp.mdoc.in -doc/sudoreplay.cat doc/sudoreplay.man.in doc/sudoreplay.mdoc.in -doc/visudo.cat doc/visudo.man.in doc/visudo.mdoc.in examples/Makefile.in diff --git a/configure b/configure index 9bc9caa19..a8d9ba428 100755 --- a/configure +++ b/configure @@ -3106,7 +3106,7 @@ mailsub="*** SECURITY information for %h ***" badpass_message="Sorry, try again." fqdn=off runas_default=root -env_editor=off +env_editor=on env_reset=on editor=vi passwd_tries=3 @@ -15393,10 +15393,6 @@ fi { $as_echo "$as_me:${as_lineno-$LINENO}: result: $sudo_cv_var_mantype" >&5 $as_echo "$sudo_cv_var_mantype" >&6; } MANTYPE="$sudo_cv_var_mantype" - else - MANTYPE=cat - MANDIRTYPE=cat - mansrcdir='$(srcdir)' fi fi @@ -15867,24 +15863,11 @@ rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext *-*-irix*) $as_echo "#define _BSD_TYPES 1" >>confdefs.h - if test -z "$NROFFPROG"; then - if test "$prefix" = "/usr/local" -a "$mandir" = '${datarootdir}/man'; then - if test -d /usr/share/catman/local; then - mandir="/usr/share/catman/local" - else - mandir="/usr/catman/local" - fi - fi - # Compress cat pages with pack - MANCOMPRESS='pack' - MANCOMPRESSEXT='.z' - else - if test "$prefix" = "/usr/local" -a "$mandir" = '${datarootdir}/man'; then - if test -d "/usr/share/man/local"; then - mandir="/usr/share/man/local" - else - mandir="/usr/man/local" - fi + if test "$prefix" = "/usr/local" -a "$mandir" = '${datarootdir}/man'; then + if test -d "/usr/share/man/local"; then + mandir="/usr/share/man/local" + else + mandir="/usr/man/local" fi fi # IRIX <= 4 needs -lsun diff --git a/configure.ac b/configure.ac index b913e2f0a..384dd6437 100644 --- a/configure.ac +++ b/configure.ac @@ -1748,10 +1748,6 @@ else ] ) MANTYPE="$sudo_cv_var_mantype" - else - MANTYPE=cat - MANDIRTYPE=cat - mansrcdir='$(srcdir)' fi fi @@ -2032,24 +2028,11 @@ case "$host" in ;; *-*-irix*) AC_DEFINE([_BSD_TYPES]) - if test -z "$NROFFPROG"; then - if test "$prefix" = "/usr/local" -a "$mandir" = '${datarootdir}/man'; then - if test -d /usr/share/catman/local; then - mandir="/usr/share/catman/local" - else - mandir="/usr/catman/local" - fi - fi - # Compress cat pages with pack - MANCOMPRESS='pack' - MANCOMPRESSEXT='.z' - else - if test "$prefix" = "/usr/local" -a "$mandir" = '${datarootdir}/man'; then - if test -d "/usr/share/man/local"; then - mandir="/usr/share/man/local" - else - mandir="/usr/man/local" - fi + if test "$prefix" = "/usr/local" -a "$mandir" = '${datarootdir}/man'; then + if test -d "/usr/share/man/local"; then + mandir="/usr/share/man/local" + else + mandir="/usr/man/local" fi fi # IRIX <= 4 needs -lsun diff --git a/doc/Makefile.in b/doc/Makefile.in index 90c9a8f66..880949381 100644 --- a/doc/Makefile.in +++ b/doc/Makefile.in @@ -76,15 +76,11 @@ DOCS = $(mansrcdir)/cvtsudoers.$(mantype) $(mansrcdir)/sudo.$(mantype) \ $(mansrcdir)/sudoers_timestamp.$(mantype) \ $(mansrcdir)/sudoreplay.$(mantype) $(mansrcdir)/visudo.$(mantype) -DEVDOCS = $(srcdir)/cvtsudoers.man.in $(srcdir)/cvtsudoers.cat \ - $(srcdir)/sudo.conf.man.in $(srcdir)/sudo.conf.cat \ - $(srcdir)/sudo.man.in $(srcdir)/sudo.cat \ - $(srcdir)/sudo_plugin.man.in $(srcdir)/sudo_plugin.cat \ - $(srcdir)/sudoers.ldap.man.in $(srcdir)/sudoers.ldap.cat \ - $(srcdir)/sudoers.man.in $(srcdir)/sudoers.cat \ - $(srcdir)/sudoers_timestamp.man.in $(srcdir)/sudoers_timestamp.cat \ - $(srcdir)/sudoreplay.man.in $(srcdir)/sudoreplay.cat \ - $(srcdir)/visudo.man.in $(srcdir)/visudo.cat +DEVDOCS = $(srcdir)/cvtsudoers.man.in $(srcdir)/sudo.conf.man.in \ + $(srcdir)/sudo.man.in $(srcdir)/sudo_plugin.man.in \ + $(srcdir)/sudoers.ldap.man.in $(srcdir)/sudoers.man.in \ + $(srcdir)/sudoers_timestamp.man.in $(srcdir)/sudoreplay.man.in \ + $(srcdir)/visudo.man.in OTHER_DOCS = $(top_srcdir)/ChangeLog $(top_srcdir)/README \ $(top_srcdir)/NEWS $(srcdir)/HISTORY $(srcdir)/CONTRIBUTORS \ @@ -128,12 +124,6 @@ Makefile: $(srcdir)/Makefile.in .SUFFIXES: .man -varsub: $(top_srcdir)/configure.ac - @if [ -n "$(DEVEL)" ]; then \ - printf 's#@%s@#1#\ns#@%s@#1#\ns#@%s@#1#\ns#@%s@#1#\ns#@%s@#/etc#g\ns#@%s@#/usr/local#g\ns#@%s@#5#g\ns#@%s@#8#g\ns#@%s@#%s#\n' SEMAN BAMAN LCMAN PSMAN sysconfdir prefix mansectform mansectsu PACKAGE_VERSION $(VERSION) > $@; \ - $(SED) -n '/Begin initial values for man page substitution/,/End initial values for man page substitution/{;p;}' $(top_srcdir)/configure.ac | $(SED) -e '/^#/d' -e 's/^/s#@/' -e 's/=[\\"]*/@#/' -e 's/[\\"]*$$/#g/' >> $@; \ - fi - $(srcdir)/sudo.man.in: $(srcdir)/sudo.mdoc.in $(srcdir)/sudo.man.in.sed @if [ -n "$(DEVEL)" ]; then \ echo "Generating $@"; \ @@ -151,12 +141,6 @@ $(mansrcdir)/sudo.man: $(top_builddir)/config.status $(srcdir)/sudo.man.in fixma $(mansrcdir)/sudo.mdoc: $(top_builddir)/config.status $(srcdir)/sudo.mdoc.in cd $(top_builddir) && $(SHELL) config.status --file=doc/$@ -$(srcdir)/sudo.cat: varsub $(srcdir)/sudo.mdoc.in - @if [ -n "$(DEVEL)" ]; then \ - echo "Generating $@"; \ - $(SED) -f varsub $(srcdir)/sudo.mdoc.in | $(MANDOC) -Tascii -mdoc | $(SED) -e 's/(5)/(4)/g' -e 's/(8)/(1m)/g' > $@; \ - fi - $(srcdir)/visudo.man.in: $(srcdir)/visudo.mdoc.in @if [ -n "$(DEVEL)" ]; then \ echo "Generating $@"; \ @@ -171,12 +155,6 @@ $(mansrcdir)/visudo.man: $(top_builddir)/config.status $(srcdir)/visudo.man.in f $(mansrcdir)/visudo.mdoc: $(top_builddir)/config.status $(srcdir)/visudo.mdoc.in cd $(top_builddir) && $(SHELL) config.status --file=doc/$@ -$(srcdir)/visudo.cat: varsub $(srcdir)/visudo.mdoc.in - @if [ -n "$(DEVEL)" ]; then \ - echo "Generating $@"; \ - $(SED) -f varsub $(srcdir)/visudo.mdoc.in | $(MANDOC) -Tascii -mdoc | $(SED) -e 's/(5)/(4)/g' -e 's/(8)/(1m)/g' > $@; \ - fi - $(srcdir)/sudo.conf.man.in: $(srcdir)/sudo.conf.mdoc.in @if [ -n "$(DEVEL)" ]; then \ echo "Generating $@"; \ @@ -191,12 +169,6 @@ $(mansrcdir)/sudo.conf.man: $(top_builddir)/config.status $(srcdir)/sudo.conf.ma $(mansrcdir)/sudo.conf.mdoc: $(top_builddir)/config.status $(srcdir)/sudo.conf.mdoc.in cd $(top_builddir) && $(SHELL) config.status --file=doc/$@ -$(srcdir)/sudo.conf.cat: varsub $(srcdir)/sudo.conf.mdoc.in - @if [ -n "$(DEVEL)" ]; then \ - echo "Generating $@"; \ - $(SED) -f varsub $(srcdir)/sudo.conf.mdoc.in | $(MANDOC) -Tascii -mdoc | $(SED) -e 's/(5)/(4)/g' -e 's/(8)/(1m)/g' > $@; \ - fi - $(srcdir)/sudoers.man.in: $(srcdir)/sudoers.mdoc.in $(srcdir)/sudoers.man.in.sed @if [ -n "$(DEVEL)" ]; then \ echo "Generating $@"; \ @@ -211,12 +183,6 @@ $(mansrcdir)/sudoers.man: $(top_builddir)/config.status $(srcdir)/sudoers.man.in $(mansrcdir)/sudoers.mdoc: $(top_builddir)/config.status $(srcdir)/sudoers.mdoc.in $(srcdir)/fixmdoc.sed (cd $(top_builddir) && $(SHELL) config.status --file=-) < $(srcdir)/sudoers.mdoc.in | $(SED) -f $(srcdir)/fixmdoc.sed > $@ -$(srcdir)/sudoers.cat: varsub $(srcdir)/sudoers.mdoc.in - @if [ -n "$(DEVEL)" ]; then \ - echo "Generating $@"; \ - $(SED) -f varsub $(srcdir)/sudoers.mdoc.in | $(MANDOC) -Tascii -mdoc | $(SED) -e 's/(5)/(4)/g' -e 's/(8)/(1m)/g' > $@; \ - fi - $(srcdir)/sudoers.ldap.man.in: $(srcdir)/sudoers.ldap.mdoc.in @if [ -n "$(DEVEL)" ]; then \ echo "Generating $@"; \ @@ -231,12 +197,6 @@ $(mansrcdir)/sudoers.ldap.man: $(top_builddir)/config.status $(srcdir)/sudoers.l $(mansrcdir)/sudoers.ldap.mdoc: $(top_builddir)/config.status $(srcdir)/sudoers.ldap.mdoc.in cd $(top_builddir) && $(SHELL) config.status --file=doc/$@ -$(srcdir)/sudoers.ldap.cat: varsub $(srcdir)/sudoers.ldap.mdoc.in - @if [ -n "$(DEVEL)" ]; then \ - echo "Generating $@"; \ - $(SED) -f varsub $(srcdir)/sudoers.ldap.mdoc.in | $(MANDOC) -Tascii -mdoc | $(SED) -e 's/(5)/(4)/g' -e 's/(8)/(1m)/g' > $@; \ - fi - $(srcdir)/sudoers_timestamp.man.in: $(srcdir)/sudoers_timestamp.mdoc.in @if [ -n "$(DEVEL)" ]; then \ echo "Generating $@"; \ @@ -251,12 +211,6 @@ $(mansrcdir)/sudoers_timestamp.man: $(top_builddir)/config.status $(srcdir)/sudo $(mansrcdir)/sudoers_timestamp.mdoc: $(top_builddir)/config.status $(srcdir)/sudoers_timestamp.mdoc.in cd $(top_builddir) && $(SHELL) config.status --file=doc/$@ -$(srcdir)/sudoers_timestamp.cat: varsub $(srcdir)/sudoers_timestamp.mdoc.in - @if [ -n "$(DEVEL)" ]; then \ - echo "Generating $@"; \ - $(SED) -f varsub $(srcdir)/sudoers_timestamp.mdoc.in | $(MANDOC) -Tascii -mdoc | $(SED) -e 's/(5)/(4)/g' -e 's/(8)/(1m)/g' > $@; \ - fi - $(srcdir)/cvtsudoers.man.in: $(srcdir)/cvtsudoers.mdoc.in @if [ -n "$(DEVEL)" ]; then \ echo "Generating $@"; \ @@ -271,12 +225,6 @@ $(mansrcdir)/cvtsudoers.man: $(top_builddir)/config.status $(srcdir)/cvtsudoers. $(mansrcdir)/cvtsudoers.mdoc: $(top_builddir)/config.status $(srcdir)/cvtsudoers.mdoc.in cd $(top_builddir) && $(SHELL) config.status --file=doc/$@ -$(srcdir)/cvtsudoers.cat: varsub $(srcdir)/cvtsudoers.mdoc.in - @if [ -n "$(DEVEL)" ]; then \ - echo "Generating $@"; \ - $(SED) -f varsub $(srcdir)/cvtsudoers.mdoc.in | $(MANDOC) -Tascii -mdoc | $(SED) -e 's/(5)/(4)/g' -e 's/(8)/(1m)/g' > $@; \ - fi - $(srcdir)/sudoreplay.man.in: $(srcdir)/sudoreplay.mdoc.in @if [ -n "$(DEVEL)" ]; then \ echo "Generating $@"; \ @@ -291,12 +239,6 @@ $(mansrcdir)/sudoreplay.man: $(top_builddir)/config.status $(srcdir)/sudoreplay. $(mansrcdir)/sudoreplay.mdoc: $(top_builddir)/config.status $(srcdir)/sudoreplay.mdoc.in cd $(top_builddir) && $(SHELL) config.status --file=doc/$@ -$(srcdir)/sudoreplay.cat: varsub $(srcdir)/sudoreplay.mdoc.in - @if [ -n "$(DEVEL)" ]; then \ - echo "Generating $@"; \ - $(SED) -f varsub $(srcdir)/sudoreplay.mdoc.in | $(MANDOC) -Tascii -mdoc | $(SED) -e 's/(5)/(4)/g' -e 's/(8)/(1m)/g' > $@; \ - fi - $(srcdir)/sudo_plugin.man.in: $(srcdir)/sudo_plugin.mdoc.in @if [ -n "$(DEVEL)" ]; then \ echo "Generating $@"; \ @@ -311,12 +253,6 @@ $(mansrcdir)/sudo_plugin.man: $(top_builddir)/config.status $(srcdir)/sudo_plugi $(mansrcdir)/sudo_plugin.mdoc: $(top_builddir)/config.status $(srcdir)/sudo_plugin.mdoc.in cd $(top_builddir) && $(SHELL) config.status --file=doc/$@ -$(srcdir)/sudo_plugin.cat: varsub $(srcdir)/sudo_plugin.mdoc.in - @if [ -n "$(DEVEL)" ]; then \ - echo "Generating $@"; \ - $(SED) -f varsub $(srcdir)/sudo_plugin.mdoc.in | $(MANDOC) -Tascii -mdoc | $(SED) -e 's/(5)/(4)/g' -e 's/(8)/(1m)/g' > $@; \ - fi - pre-install: install: install-doc @@ -383,7 +319,7 @@ pvs-studio: check: clean: - -rm -f varsub fixman.sed + -rm -f fixman.sed mostlyclean: clean diff --git a/doc/cvtsudoers.cat b/doc/cvtsudoers.cat deleted file mode 100644 index f7567b8bc..000000000 --- a/doc/cvtsudoers.cat +++ /dev/null @@ -1,282 +0,0 @@ -CVTSUDOERS(1) General Commands Manual CVTSUDOERS(1) - -NNAAMMEE - ccvvttssuuddooeerrss - convert between sudoers file formats - -SSYYNNOOPPSSIISS - ccvvttssuuddooeerrss [--eehhMMppVV] [--bb _d_n] [--cc _c_o_n_f___f_i_l_e] [--dd _d_e_f_t_y_p_e_s] - [--ff _o_u_t_p_u_t___f_o_r_m_a_t] [--ii _i_n_p_u_t___f_o_r_m_a_t] [--II _i_n_c_r_e_m_e_n_t] - [--mm _f_i_l_t_e_r] [--oo _o_u_t_p_u_t___f_i_l_e] [--OO _s_t_a_r_t___p_o_i_n_t] [--PP _p_a_d_d_i_n_g] - [--ss _s_e_c_t_i_o_n_s] [_i_n_p_u_t___f_i_l_e] - -DDEESSCCRRIIPPTTIIOONN - ccvvttssuuddooeerrss can be used to convert between _s_u_d_o_e_r_s security policy file - formats. The default input format is sudoers. The default output format - is LDIF. It is only possible to convert a _s_u_d_o_e_r_s file that is - syntactically correct. - - If no _i_n_p_u_t___f_i_l_e is specified, or if it is `-', the policy is read from - the standard input. By default, the result is written to the standard - output. - - The options are as follows: - - --bb _d_n, ----bbaassee=_d_n - The base DN (distinguished name) that will be used when - performing LDAP queries. Typically this is of the form - ou=SUDOers,dc=my-domain,dc=com for the domain my-domain.com. - If this option is not specified, the value of the - SUDOERS_BASE environment variable will be used instead. Only - necessary when converting to LDIF format. - - --cc _c_o_n_f___f_i_l_e, ----ccoonnffiigg=_c_o_n_f___f_i_l_e - Specify the path to the configuration file. Defaults to - _/_e_t_c_/_c_v_t_s_u_d_o_e_r_s_._c_o_n_f. - - --dd _d_e_f_t_y_p_e_s, ----ddeeffaauullttss=_d_e_f_t_y_p_e_s - Only convert Defaults entries of the specified types. One or - more Defaults types may be specified, separated by a comma - (`,'). The supported types are: - - all All Defaults entries. - - global Global Defaults entries that are applied regardless - of user, runas, host or command. - - user Per-user Defaults entries. - - runas Per-runas user Defaults entries. - - host Per-host Defaults entries. - - command Per-command Defaults entries. - - See the DDeeffaauullttss section in sudoers(4) for more information. - - If the --dd option is not specified, all Defaults entries will - be converted. - - --ee, ----eexxppaanndd--aalliiaasseess - Expand aliases in _i_n_p_u_t___f_i_l_e. Aliases are preserved by - default when the output _f_o_r_m_a_t is JSON or sudoers. - - --ff _o_u_t_p_u_t___f_o_r_m_a_t, ----oouuttppuutt--ffoorrmmaatt=_o_u_t_p_u_t___f_o_r_m_a_t - Specify the output format (case-insensitive). The following - formats are supported: - - JSON JSON (JavaScript Object Notation) files are usually - easier for third-party applications to consume than - the traditional _s_u_d_o_e_r_s format. The various values - have explicit types which removes much of the - ambiguity of the _s_u_d_o_e_r_s format. - - LDIF LDIF (LDAP Data Interchange Format) files can be - imported into an LDAP server for use with - sudoers.ldap(4). - - Conversion to LDIF has the following limitations: - - ++oo Command, host, runas and user-specific Defaults - lines cannot be translated as they don't have an - equivalent in the sudoers LDAP schema. - - ++oo Command, host, runas and user aliases are not - supported by the sudoers LDAP schema so they are - expanded during the conversion. - - sudoers Traditional sudoers format. A new sudoers file - will be reconstructed from the parsed input file. - Comments are not preserved and data from any - include files will be output inline. - - --hh, ----hheellpp Display a short help message to the standard output and exit. - - --ii _i_n_p_u_t___f_o_r_m_a_t, ----iinnppuutt--ffoorrmmaatt=_i_n_p_u_t___f_o_r_m_a_t - Specify the input format. The following formats are - supported: - - LDIF LDIF (LDAP Data Interchange Format) files can be - exported from an LDAP server to convert security - policies used by sudoers.ldap(4). If a base DN - (distinguished name) is specified, only sudoRole - objects that match the base DN will be processed. - Not all sudoOptions specified in a sudoRole can be - translated from LDIF to sudoers format. - - sudoers Traditional sudoers format. This is the default - input format. - - --II _i_n_c_r_e_m_e_n_t, ----iinnccrreemmeenntt=_i_n_c_r_e_m_e_n_t - When generating LDIF output, increment each sudoOrder - attribute by the specified number. Defaults to an increment - of 1. - - --mm _f_i_l_t_e_r, ----mmaattcchh=_f_i_l_t_e_r - Only output rules that match the specified _f_i_l_t_e_r. A _f_i_l_t_e_r - expression is made up of one or more kkeeyy == _v_a_l_u_e pairs, - separated by a comma (`,'). The kkeeyy may be "user", "group" - or "host". For example, uusseerr = _o_p_e_r_a_t_o_r or hhoosstt = _w_w_w. An - upper-case User_Alias or Host_Alias may be specified as the - "user" or "host". - - A matching _s_u_d_o_e_r_s rule may also include users, groups and - hosts that are not part of the _f_i_l_t_e_r. This can happen when - a rule includes multiple users, groups or hosts. To prune - out any non-matching user, group or host from the rules, the - --pp option may be used. - - By default, the password and group databases are not - consulted when matching against the filter so the users and - groups do not need to be present on the local system (see the - --MM option). Only aliases that are referenced by the filtered - policy rules will be displayed. - - --MM, ----mmaattcchh--llooccaall - When the --mm option is also specified, use password and group - database information when matching users and groups in the - filter. Only users and groups in the filter that exist on - the local system will match, and a user's groups will - automatically be added to the filter. If the --MM is _n_o_t - specified, users and groups in the filter do not need to - exist on the local system, but all groups used for matching - must be explicitly listed in the filter. - - --oo _o_u_t_p_u_t___f_i_l_e, ----oouuttppuutt=_o_u_t_p_u_t___f_i_l_e - Write the converted output to _o_u_t_p_u_t___f_i_l_e. If no _o_u_t_p_u_t___f_i_l_e - is specified, or if it is `-', the converted _s_u_d_o_e_r_s policy - will be written to the standard output. - - --OO _s_t_a_r_t___p_o_i_n_t, ----oorrddeerr--ssttaarrtt=_s_t_a_r_t___p_o_i_n_t - When generating LDIF output, use the number specified by - _s_t_a_r_t___p_o_i_n_t in the sudoOrder attribute of the first sudoRole - object. Subsequent sudoRole object use a sudoOrder value - generated by adding an _i_n_c_r_e_m_e_n_t, see the --II option for - details. Defaults to a starting point of 1. A starting - point of 0 will disable the generation of sudoOrder - attributes in the resulting LDIF file. - - --pp, ----pprruunnee--mmaattcchheess - When the --mm option is also specified, ccvvttssuuddooeerrss will prune - out non-matching users, groups and hosts from matching - entries. - - --PP _p_a_d_d_i_n_g, ----ppaaddddiinngg=_p_a_d_d_i_n_g - When generating LDIF output, construct the initial sudoOrder - value by concatenating _o_r_d_e_r___s_t_a_r_t and _i_n_c_r_e_m_e_n_t, padding the - _i_n_c_r_e_m_e_n_t with zeros until it consists of _p_a_d_d_i_n_g digits. - For example, if _o_r_d_e_r___s_t_a_r_t is 1027, _p_a_d_d_i_n_g is 3, and - _i_n_c_r_e_m_e_n_t is 1, the value of sudoOrder for the first entry - will be 1027000, followed by 1027001, 1027002, etc. If the - number of sudoRole entries is larger than the padding would - allow, ccvvttssuuddooeerrss will exit with an error. By default, no - padding is performed. - - --ss _s_e_c_t_i_o_n_s, ----ssuupppprreessss=_s_e_c_t_i_o_n_s - Suppress the output of specific _s_e_c_t_i_o_n_s of the security - policy. One or more section names may be specified, - separated by a comma (`,'). The supported section name are: - ddeeffaauullttss, aalliiaasseess and pprriivviilleeggeess (which may be shortened to - pprriivvss). - - --VV, ----vveerrssiioonn - Print the ccvvttssuuddooeerrss and _s_u_d_o_e_r_s grammar versions and exit. - - Options in the form "keyword = value" may also be specified in a - configuration file, _/_e_t_c_/_c_v_t_s_u_d_o_e_r_s_._c_o_n_f by default. The following - keywords are recognized: - - ddeeffaauullttss == _d_e_f_t_y_p_e_s - See the description of the --dd command line option. - - eexxppaanndd__aalliiaasseess == _y_e_s | _n_o - See the description of the --ee command line option. - - iinnppuutt__ffoorrmmaatt == _l_d_i_f | _s_u_d_o_e_r_s - See the description of the --ii command line option. - - mmaattcchh == _f_i_l_t_e_r - See the description of the --mm command line option. - - oorrddeerr__iinnccrreemmeenntt == _i_n_c_r_e_m_e_n_t - See the description of the --II command line option. - - oorrddeerr__ssttaarrtt == _s_t_a_r_t___p_o_i_n_t - See the description of the --OO command line option. - - oouuttppuutt__ffoorrmmaatt == _j_s_o_n | _l_d_i_f | _s_u_d_o_e_r_s - See the description of the --ff command line option. - - ppaaddddiinngg == _p_a_d_d_i_n_g - See the description of the --PP command line option. - - pprruunnee__mmaattcchheess == _y_e_s | _n_o - See the description of the --pp command line option. - - ssuuddooeerrss__bbaassee == _d_n - See the description of the --bb command line option. - - ssuupppprreessss == _s_e_c_t_i_o_n_s - See the description of the --ss command line option. - - Options on the command line will override values from the configuration - file. - -FFIILLEESS - _/_e_t_c_/_c_v_t_s_u_d_o_e_r_s_._c_o_n_f default configuration for cvtsudoers - -EEXXAAMMPPLLEESS - Convert _/_e_t_c_/_s_u_d_o_e_r_s to LDIF (LDAP Data Interchange Format) where the - _l_d_a_p_._c_o_n_f file uses a _s_u_d_o_e_r_s___b_a_s_e of my-domain,dc=com, storing the - result in _s_u_d_o_e_r_s_._l_d_i_f: - - $ cvtsudoers -b ou=SUDOers,dc=my-domain,dc=com -o sudoers.ldif \ - /etc/sudoers - - Convert _/_e_t_c_/_s_u_d_o_e_r_s to JSON format, storing the result in _s_u_d_o_e_r_s_._j_s_o_n: - - $ cvtsudoers -f json -o sudoers.json /etc/sudoers - - Parse _/_e_t_c_/_s_u_d_o_e_r_s and display only rules that match user _a_m_b_r_o_s_e on host - _h_a_s_t_u_r: - - $ cvtsudoers -f sudoers -m user=ambrose,host=hastur /etc/sudoers - - Same as above, but expand aliases and prune out any non-matching users - and hosts from the expanded entries. - - $ cvtsudoers -ep -f sudoers -m user=ambrose,host=hastur /etc/sudoers - - Convert _s_u_d_o_e_r_s_._l_d_i_f from LDIF to traditional _s_u_d_o_e_r_s format: - - $ cvtsudoers -i ldif -f sudoers -o sudoers.new sudoers.ldif - -SSEEEE AALLSSOO - sudoers(4), sudoers.ldap(4), sudo(1m) - -AAUUTTHHOORRSS - Many people have worked on ssuuddoo over the years; this version consists of - code written primarily by: - - Todd C. Miller - - See the CONTRIBUTORS file in the ssuuddoo distribution - (https://www.sudo.ws/contributors.html) for an exhaustive list of people - who have contributed to ssuuddoo. - -BBUUGGSS - If you feel you have found a bug in ccvvttssuuddooeerrss, please submit a bug - report at https://bugzilla.sudo.ws/ - -SSUUPPPPOORRTT - Limited free support is available via the sudo-users mailing list, see - https://www.sudo.ws/mailman/listinfo/sudo-users to subscribe or search - the archives. - -DDIISSCCLLAAIIMMEERR - ccvvttssuuddooeerrss is provided "AS IS" and any express or implied warranties, - including, but not limited to, the implied warranties of merchantability - and fitness for a particular purpose are disclaimed. See the LICENSE - file distributed with ssuuddoo or https://www.sudo.ws/license.html for - complete details. - -Sudo 1.8.28 December 11, 2018 Sudo 1.8.28 diff --git a/doc/sudo.cat b/doc/sudo.cat deleted file mode 100644 index 32a808ac9..000000000 --- a/doc/sudo.cat +++ /dev/null @@ -1,745 +0,0 @@ -SUDO(1m) System Manager's Manual SUDO(1m) - -NNAAMMEE - ssuuddoo, ssuuddooeeddiitt - execute a command as another user - -SSYYNNOOPPSSIISS - ssuuddoo --hh | --KK | --kk | --VV - ssuuddoo --vv [--AABBkknnSS] [--aa _t_y_p_e] [--gg _g_r_o_u_p] [--hh _h_o_s_t] [--pp _p_r_o_m_p_t] [--uu _u_s_e_r] - ssuuddoo --ll [--AABBkknnSS] [--aa _t_y_p_e] [--gg _g_r_o_u_p] [--hh _h_o_s_t] [--pp _p_r_o_m_p_t] [--UU _u_s_e_r] - [--uu _u_s_e_r] [_c_o_m_m_a_n_d] - ssuuddoo [--AABBbbEEHHnnPPSS] [--aa _t_y_p_e] [--CC _n_u_m] [--cc _c_l_a_s_s] [--gg _g_r_o_u_p] [--hh _h_o_s_t] - [--pp _p_r_o_m_p_t] [--rr _r_o_l_e] [--tt _t_y_p_e] [--TT _t_i_m_e_o_u_t] [--uu _u_s_e_r] [_V_A_R=_v_a_l_u_e] - [--ii | --ss] [_c_o_m_m_a_n_d] - ssuuddooeeddiitt [--AABBkknnSS] [--aa _t_y_p_e] [--CC _n_u_m] [--cc _c_l_a_s_s] [--gg _g_r_o_u_p] [--hh _h_o_s_t] - [--pp _p_r_o_m_p_t] [--TT _t_i_m_e_o_u_t] [--uu _u_s_e_r] _f_i_l_e _._._. - -DDEESSCCRRIIPPTTIIOONN - ssuuddoo allows a permitted user to execute a _c_o_m_m_a_n_d as the superuser or - another user, as specified by the security policy. The invoking user's - real (_n_o_t effective) user ID is used to determine the user name with - which to query the security policy. - - ssuuddoo supports a plugin architecture for security policies and - input/output logging. Third parties can develop and distribute their own - policy and I/O logging plugins to work seamlessly with the ssuuddoo front - end. The default security policy is _s_u_d_o_e_r_s, which is configured via the - file _/_e_t_c_/_s_u_d_o_e_r_s, or via LDAP. See the _P_l_u_g_i_n_s section for more - information. - - The security policy determines what privileges, if any, a user has to run - ssuuddoo. The policy may require that users authenticate themselves with a - password or another authentication mechanism. If authentication is - required, ssuuddoo will exit if the user's password is not entered within a - configurable time limit. This limit is policy-specific; the default - password prompt timeout for the _s_u_d_o_e_r_s security policy is 5 minutes. - - Security policies may support credential caching to allow the user to run - ssuuddoo again for a period of time without requiring authentication. The - _s_u_d_o_e_r_s policy caches credentials for 5 minutes, unless overridden in - sudoers(4). By running ssuuddoo with the --vv option, a user can update the - cached credentials without running a _c_o_m_m_a_n_d. - - When invoked as ssuuddooeeddiitt, the --ee option (described below), is implied. - - Security policies may log successful and failed attempts to use ssuuddoo. If - an I/O plugin is configured, the running command's input and output may - be logged as well. - - The options are as follows: - - --AA, ----aasskkppaassss - Normally, if ssuuddoo requires a password, it will read it from - the user's terminal. If the --AA (_a_s_k_p_a_s_s) option is - specified, a (possibly graphical) helper program is executed - to read the user's password and output the password to the - standard output. If the SUDO_ASKPASS environment variable is - set, it specifies the path to the helper program. Otherwise, - if sudo.conf(4) contains a line specifying the askpass - program, that value will be used. For example: - - # Path to askpass helper program - Path askpass /usr/X11R6/bin/ssh-askpass - - If no askpass program is available, ssuuddoo will exit with an - error. - - --aa _t_y_p_e, ----aauutthh--ttyyppee=_t_y_p_e - Use the specified BSD authentication _t_y_p_e when validating the - user, if allowed by _/_e_t_c_/_l_o_g_i_n_._c_o_n_f. The system - administrator may specify a list of sudo-specific - authentication methods by adding an "auth-sudo" entry in - _/_e_t_c_/_l_o_g_i_n_._c_o_n_f. This option is only available on systems - that support BSD authentication. - - --BB, ----bbeellll Ring the bell as part of the password promp when a terminal - is present. This option has no effect if an askpass program - is used. - - --bb, ----bbaacckkggrroouunndd - Run the given command in the background. Note that it is not - possible to use shell job control to manipulate background - processes started by ssuuddoo. Most interactive commands will - fail to work properly in background mode. - - --CC _n_u_m, ----cclloossee--ffrroomm=_n_u_m - Close all file descriptors greater than or equal to _n_u_m - before executing a command. Values less than three are not - permitted. By default, ssuuddoo will close all open file - descriptors other than standard input, standard output and - standard error when executing a command. The security policy - may restrict the user's ability to use this option. The - _s_u_d_o_e_r_s policy only permits use of the --CC option when the - administrator has enabled the _c_l_o_s_e_f_r_o_m___o_v_e_r_r_i_d_e option. - - --cc _c_l_a_s_s, ----llooggiinn--ccllaassss=_c_l_a_s_s - Run the command with resource limits and scheduling priority - of the specified login _c_l_a_s_s. The _c_l_a_s_s argument can be - either a class name as defined in _/_e_t_c_/_l_o_g_i_n_._c_o_n_f, or a - single `-' character. If _c_l_a_s_s is --, the default login class - of the target user will be used. Otherwise, the command must - be run as the superuser (user ID 0), or ssuuddoo must be run from - a shell that is already running as the superuser. If the - command is being run as a login shell, additional - _/_e_t_c_/_l_o_g_i_n_._c_o_n_f settings, such as the umask and environment - variables, will be applied, if present. This option is only - available on systems with BSD login classes. - - --EE, ----pprreesseerrvvee--eennvv - Indicates to the security policy that the user wishes to - preserve their existing environment variables. The security - policy may return an error if the user does not have - permission to preserve the environment. - - ----pprreesseerrvvee--eennvv==lliisstt - Indicates to the security policy that the user wishes to add - the comma-separated list of environment variables to those - preserved from the user's environment. The security policy - may return an error if the user does not have permission to - preserve the environment. - - --ee, ----eeddiitt Edit one or more files instead of running a command. In lieu - of a path name, the string "sudoedit" is used when consulting - the security policy. If the user is authorized by the - policy, the following steps are taken: - - 1. Temporary copies are made of the files to be edited - with the owner set to the invoking user. - - 2. The editor specified by the policy is run to edit the - temporary files. The _s_u_d_o_e_r_s policy uses the - SUDO_EDITOR, VISUAL and EDITOR environment variables - (in that order). If none of SUDO_EDITOR, VISUAL or - EDITOR are set, the first program listed in the _e_d_i_t_o_r - sudoers(4) option is used. - - 3. If they have been modified, the temporary files are - copied back to their original location and the - temporary versions are removed. - - To help prevent the editing of unauthorized files, the - following restrictions are enforced unless explicitly allowed - by the security policy: - - ++oo Symbolic links may not be edited (version 1.8.15 and - higher). - - ++oo Symbolic links along the path to be edited are not - followed when the parent directory is writable by the - invoking user unless that user is root (version 1.8.16 - and higher). - - ++oo Files located in a directory that is writable by the - invoking user may not be edited unless that user is root - (version 1.8.16 and higher). - - Users are never allowed to edit device special files. - - If the specified file does not exist, it will be created. - Note that unlike most commands run by _s_u_d_o, the editor is run - with the invoking user's environment unmodified. If, for - some reason, ssuuddoo is unable to update a file with its edited - version, the user will receive a warning and the edited copy - will remain in a temporary file. - - --gg _g_r_o_u_p, ----ggrroouupp=_g_r_o_u_p - Run the command with the primary group set to _g_r_o_u_p instead - of the primary group specified by the target user's password - database entry. The _g_r_o_u_p may be either a group name or a - numeric group ID (GID) prefixed with the `#' character (e.g., - #0 for GID 0). When running a command as a GID, many shells - require that the `#' be escaped with a backslash (`\'). If - no --uu option is specified, the command will be run as the - invoking user. In either case, the primary group will be set - to _g_r_o_u_p. The _s_u_d_o_e_r_s policy permits any of the target - user's groups to be specified via the --gg option as long as - the --PP option is not in use. - - --HH, ----sseett--hhoommee - Request that the security policy set the HOME environment - variable to the home directory specified by the target user's - password database entry. Depending on the policy, this may - be the default behavior. - - --hh, ----hheellpp Display a short help message to the standard output and exit. - - --hh _h_o_s_t, ----hhoosstt=_h_o_s_t - Run the command on the specified _h_o_s_t if the security policy - plugin supports remote commands. Note that the _s_u_d_o_e_r_s - plugin does not currently support running remote commands. - This may also be used in conjunction with the --ll option to - list a user's privileges for the remote host. - - --ii, ----llooggiinn - Run the shell specified by the target user's password - database entry as a login shell. This means that login- - specific resource files such as _._p_r_o_f_i_l_e, _._b_a_s_h___p_r_o_f_i_l_e or - _._l_o_g_i_n will be read by the shell. If a command is specified, - it is passed to the shell for execution via the shell's --cc - option. If no command is specified, an interactive shell is - executed. ssuuddoo attempts to change to that user's home - directory before running the shell. The command is run with - an environment similar to the one a user would receive at log - in. Note that most shells behave differently when a command - is specified as compared to an interactive session; consult - the shell's manual for details. The _C_o_m_m_a_n_d _e_n_v_i_r_o_n_m_e_n_t - section in the sudoers(4) manual documents how the --ii option - affects the environment in which a command is run when the - _s_u_d_o_e_r_s policy is in use. - - --KK, ----rreemmoovvee--ttiimmeessttaammpp - Similar to the --kk option, except that it removes the user's - cached credentials entirely and may not be used in - conjunction with a command or other option. This option does - not require a password. Not all security policies support - credential caching. - - --kk, ----rreesseett--ttiimmeessttaammpp - When used without a command, invalidates the user's cached - credentials. In other words, the next time ssuuddoo is run a - password will be required. This option does not require a - password and was added to allow a user to revoke ssuuddoo - permissions from a _._l_o_g_o_u_t file. - - When used in conjunction with a command or an option that may - require a password, this option will cause ssuuddoo to ignore the - user's cached credentials. As a result, ssuuddoo will prompt for - a password (if one is required by the security policy) and - will not update the user's cached credentials. - - Not all security policies support credential caching. - - --ll, ----lliisstt If no _c_o_m_m_a_n_d is specified, list the allowed (and forbidden) - commands for the invoking user (or the user specified by the - --UU option) on the current host. A longer list format is used - if this option is specified multiple times and the security - policy supports a verbose output format. - - If a _c_o_m_m_a_n_d is specified and is permitted by the security - policy, the fully-qualified path to the command is displayed - along with any command line arguments. If a _c_o_m_m_a_n_d is - specified but not allowed by the policy, ssuuddoo will exit with - a status value of 1. - - --nn, ----nnoonn--iinntteerraaccttiivvee - Avoid prompting the user for input of any kind. If a - password is required for the command to run, ssuuddoo will - display an error message and exit. - - --PP, ----pprreesseerrvvee--ggrroouuppss - Preserve the invoking user's group vector unaltered. By - default, the _s_u_d_o_e_r_s policy will initialize the group vector - to the list of groups the target user is a member of. The - real and effective group IDs, however, are still set to match - the target user. - - --pp _p_r_o_m_p_t, ----pprroommpptt=_p_r_o_m_p_t - Use a custom password prompt with optional escape sequences. - The following percent (`%') escape sequences are supported by - the _s_u_d_o_e_r_s policy: - - %H expanded to the host name including the domain name (on - if the machine's host name is fully qualified or the _f_q_d_n - option is set in sudoers(4)) - - %h expanded to the local host name without the domain name - - %p expanded to the name of the user whose password is being - requested (respects the _r_o_o_t_p_w, _t_a_r_g_e_t_p_w, and _r_u_n_a_s_p_w - flags in sudoers(4)) - - %U expanded to the login name of the user the command will - be run as (defaults to root unless the --uu option is also - specified) - - %u expanded to the invoking user's login name - - %% two consecutive `%' characters are collapsed into a - single `%' character - - The custom prompt will override the default prompt specified - by either the security policy or the SUDO_PROMPT environment - variable. On systems that use PAM, the custom prompt will - also override the prompt specified by a PAM module unless the - _p_a_s_s_p_r_o_m_p_t___o_v_e_r_r_i_d_e flag is disabled in _s_u_d_o_e_r_s. - - --rr _r_o_l_e, ----rroollee=_r_o_l_e - Run the command with an SELinux security context that - includes the specified _r_o_l_e. - - --SS, ----ssttddiinn - Write the prompt to the standard error and read the password - from the standard input instead of using the terminal device. - - --ss, ----sshheellll - Run the shell specified by the SHELL environment variable if - it is set or the shell specified by the invoking user's - password database entry. If a command is specified, it is - passed to the shell for execution via the shell's --cc option. - If no command is specified, an interactive shell is executed. - Note that most shells behave differently when a command is - specified as compared to an interactive session; consult the - shell's manual for details. - - --tt _t_y_p_e, ----ttyyppee=_t_y_p_e - Run the command with an SELinux security context that - includes the specified _t_y_p_e. If no _t_y_p_e is specified, the - default type is derived from the role. - - --UU _u_s_e_r, ----ootthheerr--uusseerr=_u_s_e_r - Used in conjunction with the --ll option to list the privileges - for _u_s_e_r instead of for the invoking user. The security - policy may restrict listing other users' privileges. The - _s_u_d_o_e_r_s policy only allows root or a user with the ALL - privilege on the current host to use this option. - - --TT _t_i_m_e_o_u_t, ----ccoommmmaanndd--ttiimmeeoouutt=_t_i_m_e_o_u_t - Used to set a timeout for the command. If the timeout - expires before the command has exited, the command will be - terminated. The security policy may restrict the ability to - set command timeouts. The _s_u_d_o_e_r_s policy requires that user- - specified timeouts be explicitly enabled. - - --uu _u_s_e_r, ----uusseerr=_u_s_e_r - Run the command as a user other than the default target user - (usually _r_o_o_t). The _u_s_e_r may be either a user name or a - numeric user ID (UID) prefixed with the `#' character (e.g., - #0 for UID 0). When running commands as a UID, many shells - require that the `#' be escaped with a backslash (`\'). Some - security policies may restrict UIDs to those listed in the - password database. The _s_u_d_o_e_r_s policy allows UIDs that are - not in the password database as long as the _t_a_r_g_e_t_p_w option - is not set. Other security policies may not support this. - - --VV, ----vveerrssiioonn - Print the ssuuddoo version string as well as the version string - of the security policy plugin and any I/O plugins. If the - invoking user is already root the --VV option will display the - arguments passed to configure when ssuuddoo was built and plugins - may display more verbose information such as default options. - - --vv, ----vvaalliiddaattee - Update the user's cached credentials, authenticating the user - if necessary. For the _s_u_d_o_e_r_s plugin, this extends the ssuuddoo - timeout for another 5 minutes by default, but does not run a - command. Not all security policies support cached - credentials. - - ---- The ---- option indicates that ssuuddoo should stop processing - command line arguments. - - Environment variables to be set for the command may also be passed on the - command line in the form of _V_A_R=_v_a_l_u_e, e.g., - LD_LIBRARY_PATH=_/_u_s_r_/_l_o_c_a_l_/_p_k_g_/_l_i_b. Variables passed on the command line - are subject to restrictions imposed by the security policy plugin. The - _s_u_d_o_e_r_s policy subjects variables passed on the command line to the same - restrictions as normal environment variables with one important - exception. If the _s_e_t_e_n_v option is set in _s_u_d_o_e_r_s, the command to be run - has the SETENV tag set or the command matched is ALL, the user may set - variables that would otherwise be forbidden. See sudoers(4) for more - information. - -CCOOMMMMAANNDD EEXXEECCUUTTIIOONN - When ssuuddoo executes a command, the security policy specifies the execution - environment for the command. Typically, the real and effective user and - group and IDs are set to match those of the target user, as specified in - the password database, and the group vector is initialized based on the - group database (unless the --PP option was specified). - - The following parameters may be specified by security policy: - - ++oo real and effective user ID - - ++oo real and effective group ID - - ++oo supplementary group IDs - - ++oo the environment list - - ++oo current working directory - - ++oo file creation mode mask (umask) - - ++oo SELinux role and type - - ++oo Solaris project - - ++oo Solaris privileges - - ++oo BSD login class - - ++oo scheduling priority (aka nice value) - - PPrroocceessss mmooddeell - There are two distinct ways ssuuddoo can run a command. - - If an I/O logging plugin is configured or if the security policy - explicitly requests it, a new pseudo-terminal ("pty") is allocated and - fork(2) is used to create a second ssuuddoo process, referred to as the - _m_o_n_i_t_o_r. The _m_o_n_i_t_o_r creates a new terminal session with itself as the - leader and the pty as its controlling terminal, calls fork(2), sets up - the execution environment as described above, and then uses the execve(2) - system call to run the command in the child process. The _m_o_n_i_t_o_r exists - to relay job control signals between the user's existing terminal and the - pty the command is being run in. This makes it possible to suspend and - resume the command. Without the monitor, the command would be in what - POSIX terms an "orphaned process group" and it would not receive any job - control signals from the kernel. When the command exits or is terminated - by a signal, the _m_o_n_i_t_o_r passes the command's exit status to the main - ssuuddoo process and exits. After receiving the command's exit status, the - main ssuuddoo passes the command's exit status to the security policy's close - function and exits. - - If no pty is used, ssuuddoo calls fork(2), sets up the execution environment - as described above, and uses the execve(2) system call to run the command - in the child process. The main ssuuddoo process waits until the command has - completed, then passes the command's exit status to the security policy's - close function and exits. As a special case, if the policy plugin does - not define a close function, ssuuddoo will execute the command directly - instead of calling fork(2) first. The _s_u_d_o_e_r_s policy plugin will only - define a close function when I/O logging is enabled, a pty is required, - or the _p_a_m___s_e_s_s_i_o_n or _p_a_m___s_e_t_c_r_e_d options are enabled. Note that - _p_a_m___s_e_s_s_i_o_n and _p_a_m___s_e_t_c_r_e_d are enabled by default on systems using PAM. - - SSiiggnnaall hhaannddlliinngg - When the command is run as a child of the ssuuddoo process, ssuuddoo will relay - signals it receives to the command. The SIGINT and SIGQUIT signals are - only relayed when the command is being run in a new pty or when the - signal was sent by a user process, not the kernel. This prevents the - command from receiving SIGINT twice each time the user enters control-C. - Some signals, such as SIGSTOP and SIGKILL, cannot be caught and thus will - not be relayed to the command. As a general rule, SIGTSTP should be used - instead of SIGSTOP when you wish to suspend a command being run by ssuuddoo. - - As a special case, ssuuddoo will not relay signals that were sent by the - command it is running. This prevents the command from accidentally - killing itself. On some systems, the reboot(1m) command sends SIGTERM to - all non-system processes other than itself before rebooting the system. - This prevents ssuuddoo from relaying the SIGTERM signal it received back to - reboot(1m), which might then exit before the system was actually rebooted, - leaving it in a half-dead state similar to single user mode. Note, - however, that this check only applies to the command run by ssuuddoo and not - any other processes that the command may create. As a result, running a - script that calls reboot(1m) or shutdown(1m) via ssuuddoo may cause the system - to end up in this undefined state unless the reboot(1m) or shutdown(1m) are - run using the eexxeecc() family of functions instead of ssyysstteemm() (which - interposes a shell between the command and the calling process). - - If no I/O logging plugins are loaded and the policy plugin has not - defined a cclloossee() function, set a command timeout or required that the - command be run in a new pty, ssuuddoo may execute the command directly - instead of running it as a child process. - - PPlluuggiinnss - Plugins may be specified via Plugin directives in the sudo.conf(4) file. - They may be loaded as dynamic shared objects (on systems that support - them), or compiled directly into the ssuuddoo binary. If no sudo.conf(4) - file is present, or it contains no Plugin lines, ssuuddoo will use the - traditional _s_u_d_o_e_r_s security policy and I/O logging. See the - sudo.conf(4) manual for details of the _/_e_t_c_/_s_u_d_o_._c_o_n_f file and the - sudo_plugin(4) manual for more information about the ssuuddoo plugin - architecture. - -EEXXIITT VVAALLUUEE - Upon successful execution of a command, the exit status from ssuuddoo will be - the exit status of the program that was executed. If the command - terminated due to receipt of a signal, ssuuddoo will send itself the same - signal that terminated the command. - - If the --ll option was specified without a command, ssuuddoo will exit with a - value of 0 if the user is allowed to run ssuuddoo and they authenticated - successfully (as required by the security policy). If a command is - specified with the --ll option, the exit value will only be 0 if the - command is permitted by the security policy, otherwise it will be 1. - - If there is an authentication failure, a configuration/permission problem - or if the given command cannot be executed, ssuuddoo exits with a value of 1. - In the latter case, the error string is printed to the standard error. - If ssuuddoo cannot stat(2) one or more entries in the user's PATH, an error - is printed to the standard error. (If the directory does not exist or if - it is not really a directory, the entry is ignored and no error is - printed.) This should not happen under normal circumstances. The most - common reason for stat(2) to return "permission denied" is if you are - running an automounter and one of the directories in your PATH is on a - machine that is currently unreachable. - -SSEECCUURRIITTYY NNOOTTEESS - ssuuddoo tries to be safe when executing external commands. - - To prevent command spoofing, ssuuddoo checks "." and "" (both denoting - current directory) last when searching for a command in the user's PATH - (if one or both are in the PATH). Note, however, that the actual PATH - environment variable is _n_o_t modified and is passed unchanged to the - program that ssuuddoo executes. - - Users should _n_e_v_e_r be granted ssuuddoo privileges to execute files that are - writable by the user or that reside in a directory that is writable by - the user. If the user can modify or replace the command there is no way - to limit what additional commands they can run. - - Please note that ssuuddoo will normally only log the command it explicitly - runs. If a user runs a command such as sudo su or sudo sh, subsequent - commands run from that shell are not subject to ssuuddoo's security policy. - The same is true for commands that offer shell escapes (including most - editors). If I/O logging is enabled, subsequent commands will have their - input and/or output logged, but there will not be traditional logs for - those commands. Because of this, care must be taken when giving users - access to commands via ssuuddoo to verify that the command does not - inadvertently give the user an effective root shell. For more - information, please see the _P_r_e_v_e_n_t_i_n_g _s_h_e_l_l _e_s_c_a_p_e_s section in - sudoers(4). - - To prevent the disclosure of potentially sensitive information, ssuuddoo - disables core dumps by default while it is executing (they are re-enabled - for the command that is run). This historical practice dates from a time - when most operating systems allowed setuid processes to dump core by - default. To aid in debugging ssuuddoo crashes, you may wish to re-enable - core dumps by setting "disable_coredump" to false in the sudo.conf(4) - file as follows: - - Set disable_coredump false - - See the sudo.conf(4) manual for more information. - -EENNVVIIRROONNMMEENNTT - ssuuddoo utilizes the following environment variables. The security policy - has control over the actual content of the command's environment. - - EDITOR Default editor to use in --ee (sudoedit) mode if neither - SUDO_EDITOR nor VISUAL is set. - - MAIL Set to the mail spool of the target user when the --ii - option is specified or when _e_n_v___r_e_s_e_t is enabled in - _s_u_d_o_e_r_s (unless MAIL is present in the _e_n_v___k_e_e_p list). - - HOME Set to the home directory of the target user when the --ii - or --HH options are specified, when the --ss option is - specified and _s_e_t___h_o_m_e is set in _s_u_d_o_e_r_s, when - _a_l_w_a_y_s___s_e_t___h_o_m_e is enabled in _s_u_d_o_e_r_s, or when _e_n_v___r_e_s_e_t - is enabled in _s_u_d_o_e_r_s and _H_O_M_E is not present in the - _e_n_v___k_e_e_p list. - - LOGNAME Set to the login name of the target user when the --ii - option is specified, when the _s_e_t___l_o_g_n_a_m_e option is - enabled in _s_u_d_o_e_r_s or when the _e_n_v___r_e_s_e_t option is - enabled in _s_u_d_o_e_r_s (unless LOGNAME is present in the - _e_n_v___k_e_e_p list). - - PATH May be overridden by the security policy. - - SHELL Used to determine shell to run with --ss option. - - SUDO_ASKPASS Specifies the path to a helper program used to read the - password if no terminal is available or if the --AA option - is specified. - - SUDO_COMMAND Set to the command run by sudo. - - SUDO_EDITOR Default editor to use in --ee (sudoedit) mode. - - SUDO_GID Set to the group ID of the user who invoked sudo. - - SUDO_PROMPT Used as the default password prompt unless the --pp option - was specified. - - SUDO_PS1 If set, PS1 will be set to its value for the program - being run. - - SUDO_UID Set to the user ID of the user who invoked sudo. - - SUDO_USER Set to the login name of the user who invoked sudo. - - USER Set to the same value as LOGNAME, described above. - - VISUAL Default editor to use in --ee (sudoedit) mode if - SUDO_EDITOR is not set. - -FFIILLEESS - _/_e_t_c_/_s_u_d_o_._c_o_n_f ssuuddoo front end configuration - -EEXXAAMMPPLLEESS - Note: the following examples assume a properly configured security - policy. - - To get a file listing of an unreadable directory: - - $ sudo ls /usr/local/protected - - To list the home directory of user yaz on a machine where the file system - holding ~yaz is not exported as root: - - $ sudo -u yaz ls ~yaz - - To edit the _i_n_d_e_x_._h_t_m_l file as user www: - - $ sudoedit -u www ~www/htdocs/index.html - - To view system logs only accessible to root and users in the adm group: - - $ sudo -g adm more /var/log/syslog - - To run an editor as jim with a different primary group: - - $ sudoedit -u jim -g audio ~jim/sound.txt - - To shut down a machine: - - $ sudo shutdown -r +15 "quick reboot" - - To make a usage listing of the directories in the /home partition. Note - that this runs the commands in a sub-shell to make the cd and file - redirection work. - - $ sudo sh -c "cd /home ; du -s * | sort -rn > USAGE" - -DDIIAAGGNNOOSSTTIICCSS - Error messages produced by ssuuddoo include: - - editing files in a writable directory is not permitted - By default, ssuuddooeeddiitt does not permit editing a file when any of the - parent directories are writable by the invoking user. This avoids - a race condition that could allow the user to overwrite an - arbitrary file. See the _s_u_d_o_e_d_i_t___c_h_e_c_k_d_i_r option in sudoers(4) for - more information. - - editing symbolic links is not permitted - By default, ssuuddooeeddiitt does not follow symbolic links when opening - files. See the _s_u_d_o_e_d_i_t___f_o_l_l_o_w option in sudoers(4) for more - information. - - effective uid is not 0, is sudo installed setuid root? - ssuuddoo was not run with root privileges. The ssuuddoo binary must be - owned by the root user and have the Set-user-ID bit set. Also, it - must not be located on a file system mounted with the `nosuid' - option or on an NFS file system that maps uid 0 to an unprivileged - uid. - - effective uid is not 0, is sudo on a file system with the 'nosuid' option - set or an NFS file system without root privileges? - ssuuddoo was not run with root privileges. The ssuuddoo binary has the - proper owner and permissions but it still did not run with root - privileges. The most common reason for this is that the file - system the ssuuddoo binary is located on is mounted with the `nosuid' - option or it is an NFS file system that maps uid 0 to an - unprivileged uid. - - fatal error, unable to load plugins - An error occurred while loading or initializing the plugins - specified in sudo.conf(4). - - invalid environment variable name - One or more environment variable names specified via the --EE option - contained an equal sign (`='). The arguments to the --EE option - should be environment variable names without an associated value. - - no password was provided - When ssuuddoo tried to read the password, it did not receive any - characters. This may happen if no terminal is available (or the --SS - option is specified) and the standard input has been redirected - from _/_d_e_v_/_n_u_l_l. - - no tty present and no askpass program specified - ssuuddoo needs to read the password but there is no mechanism available - to do so. A terminal is not present to read the password from, - ssuuddoo has not been configured to read from the standard input, and - no askpass program has been specified either via the --AA option or - the SUDO_ASKPASS environment variable. - - no writable temporary directory found - ssuuddooeeddiitt was unable to find a usable temporary directory in which - to store its intermediate files. - - sudo must be owned by uid 0 and have the setuid bit set - ssuuddoo was not run with root privileges. The ssuuddoo binary does not - have the correct owner or permissions. It must be owned by the - root user and have the Set-user-ID bit set. - - sudoedit is not supported on this platform - It is only possible to run ssuuddooeeddiitt on systems that support setting - the effective user-ID. - - timed out reading password - The user did not enter a password before the password timeout (5 - minutes by default) expired. - - you do not exist in the passwd database - Your user ID does not appear in the system passwd database. - - you may not specify environment variables in edit mode - It is only possible to specify environment variables when running a - command. When editing a file, the editor is run with the user's - environment unmodified. - -SSEEEE AALLSSOO - su(1), stat(2), login_cap(3), passwd(4), sudo.conf(4), sudo_plugin(4), - sudoers(4), sudoreplay(1m), visudo(1m) - -HHIISSTTOORRYY - See the HISTORY file in the ssuuddoo distribution - (https://www.sudo.ws/history.html) for a brief history of sudo. - -AAUUTTHHOORRSS - Many people have worked on ssuuddoo over the years; this version consists of - code written primarily by: - - Todd C. Miller - - See the CONTRIBUTORS file in the ssuuddoo distribution - (https://www.sudo.ws/contributors.html) for an exhaustive list of people - who have contributed to ssuuddoo. - -CCAAVVEEAATTSS - There is no easy way to prevent a user from gaining a root shell if that - user is allowed to run arbitrary commands via ssuuddoo. Also, many programs - (such as editors) allow the user to run commands via shell escapes, thus - avoiding ssuuddoo's checks. However, on most systems it is possible to - prevent shell escapes with the sudoers(4) plugin's _n_o_e_x_e_c functionality. - - It is not meaningful to run the cd command directly via sudo, e.g., - - $ sudo cd /usr/local/protected - - since when the command exits the parent process (your shell) will still - be the same. Please see the _E_X_A_M_P_L_E_S section for more information. - - Running shell scripts via ssuuddoo can expose the same kernel bugs that make - setuid shell scripts unsafe on some operating systems (if your OS has a - /dev/fd/ directory, setuid shell scripts are generally safe). - -BBUUGGSS - If you feel you have found a bug in ssuuddoo, please submit a bug report at - https://bugzilla.sudo.ws/ - -SSUUPPPPOORRTT - Limited free support is available via the sudo-users mailing list, see - https://www.sudo.ws/mailman/listinfo/sudo-users to subscribe or search - the archives. - -DDIISSCCLLAAIIMMEERR - ssuuddoo is provided "AS IS" and any express or implied warranties, - including, but not limited to, the implied warranties of merchantability - and fitness for a particular purpose are disclaimed. See the LICENSE - file distributed with ssuuddoo or https://www.sudo.ws/license.html for - complete details. - -Sudo 1.8.28 May 27, 2019 Sudo 1.8.28 diff --git a/doc/sudo.conf.cat b/doc/sudo.conf.cat deleted file mode 100644 index 25c4f876f..000000000 --- a/doc/sudo.conf.cat +++ /dev/null @@ -1,434 +0,0 @@ -SUDO.CONF(4) File Formats Manual SUDO.CONF(4) - -NNAAMMEE - ssuuddoo..ccoonnff - configuration for sudo front end - -DDEESSCCRRIIPPTTIIOONN - The ssuuddoo..ccoonnff file is used to configure the ssuuddoo front end. It specifies - the security policy and I/O logging plugins, debug flags as well as - plugin-agnostic path names and settings. - - The ssuuddoo..ccoonnff file supports the following directives, described in detail - below. - - Plugin a security policy or I/O logging plugin - - Path a plugin-agnostic path - - Set a front end setting, such as _d_i_s_a_b_l_e___c_o_r_e_d_u_m_p or _g_r_o_u_p___s_o_u_r_c_e - - Debug debug flags to aid in debugging ssuuddoo, ssuuddoorreeppllaayy, vviissuuddoo, and - the ssuuddooeerrss plugin. - - The pound sign (`#') is used to indicate a comment. Both the comment - character and any text after it, up to the end of the line, are ignored. - - Long lines can be continued with a backslash (`\') as the last character - on the line. Note that leading white space is removed from the beginning - of lines even when the continuation character is used. - - Non-comment lines that don't begin with Plugin, Path, Debug, or Set are - silently ignored. - - The ssuuddoo..ccoonnff file is always parsed in the "C" locale. - - PPlluuggiinn ccoonnffiigguurraattiioonn - ssuuddoo supports a plugin architecture for security policies and - input/output logging. Third parties can develop and distribute their own - policy and I/O logging plugins to work seamlessly with the ssuuddoo front - end. Plugins are dynamically loaded based on the contents of ssuuddoo..ccoonnff. - - A Plugin line consists of the Plugin keyword, followed by the _s_y_m_b_o_l___n_a_m_e - and the _p_a_t_h to the dynamic shared object that contains the plugin. The - _s_y_m_b_o_l___n_a_m_e is the name of the struct policy_plugin or struct io_plugin - symbol contained in the plugin. The _p_a_t_h may be fully qualified or - relative. If not fully qualified, it is relative to the directory - specified by the _p_l_u_g_i_n___d_i_r Path setting, which defaults to - _/_u_s_r_/_l_o_c_a_l_/_l_i_b_e_x_e_c_/_s_u_d_o. In other words: - - Plugin sudoers_policy sudoers.so - - is equivalent to: - - Plugin sudoers_policy /usr/local/libexec/sudo/sudoers.so - - If the plugin was compiled statically into the ssuuddoo binary instead of - being installed as a dynamic shared object, the _p_a_t_h should be specified - without a leading directory, as it does not actually exist in the file - system. For example: - - Plugin sudoers_policy sudoers.so - - Starting with ssuuddoo 1.8.5, any additional parameters after the _p_a_t_h are - passed as arguments to the plugin's _o_p_e_n function. For example, to - override the compile-time default sudoers file mode: - - Plugin sudoers_policy sudoers.so sudoers_mode=0440 - - See the sudoers(4) manual for a list of supported arguments. - - The same dynamic shared object may contain multiple plugins, each with a - different symbol name. The file must be owned by uid 0 and only writable - by its owner. Because of ambiguities that arise from composite policies, - only a single policy plugin may be specified. This limitation does not - apply to I/O plugins. - - If no ssuuddoo..ccoonnff file is present, or if it contains no Plugin lines, the - ssuuddooeerrss plugin will be used as the default security policy and for I/O - logging (if enabled by the policy). This is equivalent to the following: - - Plugin sudoers_policy sudoers.so - Plugin sudoers_io sudoers.so - - For more information on the ssuuddoo plugin architecture, see the - sudo_plugin(4) manual. - - PPaatthh sseettttiinnggss - A Path line consists of the Path keyword, followed by the name of the - path to set and its value. For example: - - Path noexec /usr/local/libexec/sudo/sudo_noexec.so - Path askpass /usr/X11R6/bin/ssh-askpass - - If no path name is specified, features relying on the specified setting - will be disabled. Disabling Path settings is only supported in ssuuddoo - version 1.8.16 and higher. - - The following plugin-agnostic paths may be set in the _/_e_t_c_/_s_u_d_o_._c_o_n_f - file: - - askpass The fully qualified path to a helper program used to read the - user's password when no terminal is available. This may be the - case when ssuuddoo is executed from a graphical (as opposed to - text-based) application. The program specified by _a_s_k_p_a_s_s - should display the argument passed to it as the prompt and - write the user's password to the standard output. The value of - _a_s_k_p_a_s_s may be overridden by the SUDO_ASKPASS environment - variable. - - devsearch - An ordered, colon-separated search path of directories to look - in for device nodes. This is used when mapping the process's - tty device number to a device name on systems that do not - provide such a mechanism. Sudo will _n_o_t recurse into sub- - directories. If terminal devices may be located in a sub- - directory of _/_d_e_v, that path must be explicitly listed in - _d_e_v_s_e_a_r_c_h. The default value is: - /dev/pts:/dev/vt:/dev/term:/dev/zcons:/dev/pty:/dev - - This option is ignored on systems that support either the - ddeevvnnaammee() or __ttttyynnaammee__ddeevv() functions, for example BSD, macOS - and Solaris. - - noexec The fully-qualified path to a shared library containing - wrappers for the eexxeeccll(), eexxeeccllee(), eexxeeccllpp(), eexxeecctt(), eexxeeccvv(), - eexxeeccvvee(), eexxeeccvvPP(), eexxeeccvvpp(), eexxeeccvvppee(), ffeexxeeccvvee(), ppooppeenn(), - ppoossiixx__ssppaawwnn(), ppoossiixx__ssppaawwnnpp(), ssyysstteemm(), and wwoorrddeexxpp() library - functions that prevent the execution of further commands. This - is used to implement the _n_o_e_x_e_c functionality on systems that - support LD_PRELOAD or its equivalent. The default value is: - _/_u_s_r_/_l_o_c_a_l_/_l_i_b_e_x_e_c_/_s_u_d_o_/_s_u_d_o___n_o_e_x_e_c_._s_o. - - plugin_dir - The default directory to use when searching for plugins that - are specified without a fully qualified path name. The default - value is _/_u_s_r_/_l_o_c_a_l_/_l_i_b_e_x_e_c_/_s_u_d_o. - - sesh The fully-qualified path to the sseesshh binary. This setting is - only used when ssuuddoo is built with SELinux support. The default - value is _/_u_s_r_/_l_o_c_a_l_/_l_i_b_e_x_e_c_/_s_u_d_o_/_s_e_s_h. - - OOtthheerr sseettttiinnggss - The ssuuddoo..ccoonnff file also supports the following front end settings: - - disable_coredump - Core dumps of ssuuddoo itself are disabled by default to prevent - the disclosure of potentially sensitive information. To aid in - debugging ssuuddoo crashes, you may wish to re-enable core dumps by - setting "disable_coredump" to false in ssuuddoo..ccoonnff as follows: - - Set disable_coredump false - - All modern operating systems place restrictions on core dumps - from setuid processes like ssuuddoo so this option can be enabled - without compromising security. To actually get a ssuuddoo core - file you will likely need to enable core dumps for setuid - processes. On BSD and Linux systems this is accomplished in - the sysctl(1m) command. On Solaris, the coreadm(1m) command is - used to configure core dump behavior. - - This setting is only available in ssuuddoo version 1.8.4 and - higher. - - group_source - ssuuddoo passes the invoking user's group list to the policy and - I/O plugins. On most systems, there is an upper limit to the - number of groups that a user may belong to simultaneously - (typically 16 for compatibility with NFS). On systems with the - getconf(1) utility, running: - getconf NGROUPS_MAX - will return the maximum number of groups. - - However, it is still possible to be a member of a larger number - of groups--they simply won't be included in the group list - returned by the kernel for the user. Starting with ssuuddoo - version 1.8.7, if the user's kernel group list has the maximum - number of entries, ssuuddoo will consult the group database - directly to determine the group list. This makes it possible - for the security policy to perform matching by group name even - when the user is a member of more than the maximum number of - groups. - - The _g_r_o_u_p___s_o_u_r_c_e setting allows the administrator to change - this default behavior. Supported values for _g_r_o_u_p___s_o_u_r_c_e are: - - static Use the static group list that the kernel returns. - Retrieving the group list this way is very fast but - it is subject to an upper limit as described above. - It is "static" in that it does not reflect changes to - the group database made after the user logs in. This - was the default behavior prior to ssuuddoo 1.8.7. - - dynamic Always query the group database directly. It is - "dynamic" in that changes made to the group database - after the user logs in will be reflected in the group - list. On some systems, querying the group database - for all of a user's groups can be time consuming when - querying a network-based group database. Most - operating systems provide an efficient method of - performing such queries. Currently, ssuuddoo supports - efficient group queries on AIX, BSD, HP-UX, Linux and - Solaris. - - adaptive Only query the group database if the static group - list returned by the kernel has the maximum number of - entries. This is the default behavior in ssuuddoo 1.8.7 - and higher. - - For example, to cause ssuuddoo to only use the kernel's static list - of groups for the user: - - Set group_source static - - This setting is only available in ssuuddoo version 1.8.7 and - higher. - - max_groups - The maximum number of user groups to retrieve from the group - database. Values less than one will be ignored. This setting - is only used when querying the group database directly. It is - intended to be used on systems where it is not possible to - detect when the array to be populated with group entries is not - sufficiently large. By default, ssuuddoo will allocate four times - the system's maximum number of groups (see above) and retry - with double that number if the group database query fails. - - This setting is only available in ssuuddoo version 1.8.7 and - higher. It should not be required in ssuuddoo versions 1.8.24 and - higher and may be removed in a later release. - - probe_interfaces - By default, ssuuddoo will probe the system's network interfaces and - pass the IP address of each enabled interface to the policy - plugin. This makes it possible for the plugin to match rules - based on the IP address without having to query DNS. On Linux - systems with a large number of virtual interfaces, this may - take a non-negligible amount of time. If IP-based matching is - not required, network interface probing can be disabled as - follows: - - Set probe_interfaces false - - This setting is only available in ssuuddoo version 1.8.10 and - higher. - - DDeebbuugg ffllaaggss - ssuuddoo versions 1.8.4 and higher support a flexible debugging framework - that can help track down what ssuuddoo is doing internally if there is a - problem. - - A Debug line consists of the Debug keyword, followed by the name of the - program (or plugin) to debug (ssuuddoo, vviissuuddoo, ssuuddoorreeppllaayy, ssuuddooeerrss), the - debug file name and a comma-separated list of debug flags. The debug - flag syntax used by ssuuddoo and the ssuuddooeerrss plugin is _s_u_b_s_y_s_t_e_m@_p_r_i_o_r_i_t_y but - a plugin is free to use a different format so long as it does not include - a comma (`,'). - - For example: - - Debug sudo /var/log/sudo_debug all@warn,plugin@info - - would log all debugging statements at the _w_a_r_n level and higher in - addition to those at the _i_n_f_o level for the plugin subsystem. - - As of ssuuddoo 1.8.12, multiple Debug entries may be specified per program. - Older versions of ssuuddoo only support a single Debug entry per program. - Plugin-specific Debug entries are also supported starting with ssuuddoo - 1.8.12 and are matched by either the base name of the plugin that was - loaded (for example sudoers.so) or by the plugin's fully-qualified path - name. Previously, the ssuuddooeerrss plugin shared the same Debug entry as the - ssuuddoo front end and could not be configured separately. - - The following priorities are supported, in order of decreasing severity: - _c_r_i_t, _e_r_r, _w_a_r_n, _n_o_t_i_c_e, _d_i_a_g, _i_n_f_o, _t_r_a_c_e and _d_e_b_u_g. Each priority, - when specified, also includes all priorities higher than it. For - example, a priority of _n_o_t_i_c_e would include debug messages logged at - _n_o_t_i_c_e and higher. - - The priorities _t_r_a_c_e and _d_e_b_u_g also include function call tracing which - logs when a function is entered and when it returns. For example, the - following trace is for the ggeett__uusseerr__ggrroouuppss() function located in - src/sudo.c: - - sudo[123] -> get_user_groups @ src/sudo.c:385 - sudo[123] <- get_user_groups @ src/sudo.c:429 := groups=10,0,5 - - When the function is entered, indicated by a right arrow `->', the - program, process ID, function, source file and line number are logged. - When the function returns, indicated by a left arrow `<-', the same - information is logged along with the return value. In this case, the - return value is a string. - - The following subsystems are used by the ssuuddoo front-end: - - _a_l_l matches every subsystem - - _a_r_g_s command line argument processing - - _c_o_n_v user conversation - - _e_d_i_t sudoedit - - _e_v_e_n_t event subsystem - - _e_x_e_c command execution - - _m_a_i_n ssuuddoo main function - - _n_e_t_i_f network interface handling - - _p_c_o_m_m communication with the plugin - - _p_l_u_g_i_n plugin configuration - - _p_t_y pseudo-tty related code - - _s_e_l_i_n_u_x SELinux-specific handling - - _u_t_i_l utility functions - - _u_t_m_p utmp handling - - The sudoers(4) plugin includes support for additional subsystems. - -FFIILLEESS - _/_e_t_c_/_s_u_d_o_._c_o_n_f ssuuddoo front end configuration - -EEXXAAMMPPLLEESS - # - # Default /etc/sudo.conf file - # - # Format: - # Plugin plugin_name plugin_path plugin_options ... - # Path askpass /path/to/askpass - # Path noexec /path/to/sudo_noexec.so - # Debug sudo /var/log/sudo_debug all@warn - # Set disable_coredump true - # - # The plugin_path is relative to /usr/local/libexec/sudo unless - # fully qualified. - # The plugin_name corresponds to a global symbol in the plugin - # that contains the plugin interface structure. - # The plugin_options are optional. - # - # The sudoers plugin is used by default if no Plugin lines are - # present. - Plugin sudoers_policy sudoers.so - Plugin sudoers_io sudoers.so - - # - # Sudo askpass: - # - # An askpass helper program may be specified to provide a graphical - # password prompt for "sudo -A" support. Sudo does not ship with - # its own askpass program but can use the OpenSSH askpass. - # - # Use the OpenSSH askpass - #Path askpass /usr/X11R6/bin/ssh-askpass - # - # Use the Gnome OpenSSH askpass - #Path askpass /usr/libexec/openssh/gnome-ssh-askpass - - # - # Sudo noexec: - # - # Path to a shared library containing dummy versions of the execv(), - # execve() and fexecve() library functions that just return an error. - # This is used to implement the "noexec" functionality on systems that - # support C or its equivalent. - # The compiled-in value is usually sufficient and should only be - # changed if you rename or move the sudo_noexec.so file. - # - #Path noexec /usr/local/libexec/sudo/sudo_noexec.so - - # - # Core dumps: - # - # By default, sudo disables core dumps while it is executing - # (they are re-enabled for the command that is run). - # To aid in debugging sudo problems, you may wish to enable core - # dumps by setting "disable_coredump" to false. - # - #Set disable_coredump false - - # - # User groups: - # - # Sudo passes the user's group list to the policy plugin. - # If the user is a member of the maximum number of groups (usually 16), - # sudo will query the group database directly to be sure to include - # the full list of groups. - # - # On some systems, this can be expensive so the behavior is configurable. - # The "group_source" setting has three possible values: - # static - use the user's list of groups returned by the kernel. - # dynamic - query the group database to find the list of groups. - # adaptive - if user is in less than the maximum number of groups. - # use the kernel list, else query the group database. - # - #Set group_source static - -SSEEEE AALLSSOO - sudo_plugin(4), sudoers(4), sudo(1m) - -HHIISSTTOORRYY - See the HISTORY file in the ssuuddoo distribution - (https://www.sudo.ws/history.html) for a brief history of sudo. - -AAUUTTHHOORRSS - Many people have worked on ssuuddoo over the years; this version consists of - code written primarily by: - - Todd C. Miller - - See the CONTRIBUTORS file in the ssuuddoo distribution - (https://www.sudo.ws/contributors.html) for an exhaustive list of people - who have contributed to ssuuddoo. - -BBUUGGSS - If you feel you have found a bug in ssuuddoo, please submit a bug report at - https://bugzilla.sudo.ws/ - -SSUUPPPPOORRTT - Limited free support is available via the sudo-users mailing list, see - https://www.sudo.ws/mailman/listinfo/sudo-users to subscribe or search - the archives. - -DDIISSCCLLAAIIMMEERR - ssuuddoo is provided "AS IS" and any express or implied warranties, - including, but not limited to, the implied warranties of merchantability - and fitness for a particular purpose are disclaimed. See the LICENSE - file distributed with ssuuddoo or https://www.sudo.ws/license.html for - complete details. - -Sudo 1.8.28 October 7, 2018 Sudo 1.8.28 diff --git a/doc/sudo_plugin.cat b/doc/sudo_plugin.cat deleted file mode 100644 index 2d12cdd6f..000000000 --- a/doc/sudo_plugin.cat +++ /dev/null @@ -1,1683 +0,0 @@ -SUDO_PLUGIN(4) File Formats Manual SUDO_PLUGIN(4) - -NNAAMMEE - ssuuddoo__pplluuggiinn - Sudo Plugin API - -DDEESSCCRRIIPPTTIIOONN - Starting with version 1.8, ssuuddoo supports a plugin API for policy and - session logging. Plugins may be compiled as dynamic shared objects (the - default on systems that support them) or compiled statically into the - ssuuddoo binary itself. By default, the ssuuddooeerrss policy plugin and an - associated I/O logging plugin are used. Via the plugin API, ssuuddoo can be - configured to use alternate policy and/or I/O logging plugins provided by - third parties. The plugins to be used are specified in the sudo.conf(4) - file. - - The API is versioned with a major and minor number. The minor version - number is incremented when additions are made. The major number is - incremented when incompatible changes are made. A plugin should be check - the version passed to it and make sure that the major version matches. - - The plugin API is defined by the sudo_plugin.h header file. - - PPoolliiccyy pplluuggiinn AAPPII - A policy plugin must declare and populate a policy_plugin struct in the - global scope. This structure contains pointers to the functions that - implement the ssuuddoo policy checks. The name of the symbol should be - specified in sudo.conf(4) along with a path to the plugin so that ssuuddoo - can load it. - - struct policy_plugin { - #define SUDO_POLICY_PLUGIN 1 - unsigned int type; /* always SUDO_POLICY_PLUGIN */ - unsigned int version; /* always SUDO_API_VERSION */ - int (*open)(unsigned int version, sudo_conv_t conversation, - sudo_printf_t plugin_printf, char * const settings[], - char * const user_info[], char * const user_env[], - char * const plugin_options[]); - void (*close)(int exit_status, int error); - int (*show_version)(int verbose); - int (*check_policy)(int argc, char * const argv[], - char *env_add[], char **command_info[], - char **argv_out[], char **user_env_out[]); - int (*list)(int argc, char * const argv[], int verbose, - const char *list_user); - int (*validate)(void); - void (*invalidate)(int remove); - int (*init_session)(struct passwd *pwd, char **user_env[]); - void (*register_hooks)(int version, - int (*register_hook)(struct sudo_hook *hook)); - void (*deregister_hooks)(int version, - int (*deregister_hook)(struct sudo_hook *hook)); - }; - - The policy_plugin struct has the following fields: - - type The type field should always be set to SUDO_POLICY_PLUGIN. - - version - The version field should be set to SUDO_API_VERSION. - - This allows ssuuddoo to determine the API version the plugin was built - against. - - open - int (*open)(unsigned int version, sudo_conv_t conversation, - sudo_printf_t plugin_printf, char * const settings[], - char * const user_info[], char * const user_env[], - char * const plugin_options[]); - - Returns 1 on success, 0 on failure, -1 if a general error occurred, - or -2 if there was a usage error. In the latter case, ssuuddoo will - print a usage message before it exits. If an error occurs, the - plugin may optionally call the ccoonnvveerrssaattiioonn() or pplluuggiinn__pprriinnttff() - function with SUDO_CONF_ERROR_MSG to present additional error - information to the user. - - The function arguments are as follows: - - version - The version passed in by ssuuddoo allows the plugin to determine - the major and minor version number of the plugin API - supported by ssuuddoo. - - conversation - A pointer to the ccoonnvveerrssaattiioonn() function that can be used by - the plugin to interact with the user (see below). Returns 0 - on success and -1 on failure. - - plugin_printf - A pointer to a pprriinnttff()-style function that may be used to - display informational or error messages (see below). Returns - the number of characters printed on success and -1 on - failure. - - settings - A vector of user-supplied ssuuddoo settings in the form of - "name=value" strings. The vector is terminated by a NULL - pointer. These settings correspond to flags the user - specified when running ssuuddoo. As such, they will only be - present when the corresponding flag has been specified on the - command line. - - When parsing _s_e_t_t_i_n_g_s, the plugin should split on the ffiirrsstt - equal sign (`=') since the _n_a_m_e field will never include one - itself but the _v_a_l_u_e might. - - bsdauth_type=string - Authentication type, if specified by the --aa flag, to - use on systems where BSD authentication is supported. - - closefrom=number - If specified, the user has requested via the --CC flag - that ssuuddoo close all files descriptors with a value of - _n_u_m_b_e_r or higher. The plugin may optionally pass this, - or another value, back in the _c_o_m_m_a_n_d___i_n_f_o list. - - debug_flags=string - A debug file path name followed by a space and a comma- - separated list of debug flags that correspond to the - plugin's Debug entry in sudo.conf(4), if there is one. - The flags are passed to the plugin exactly as they - appear in sudo.conf(4). The syntax used by ssuuddoo and - the ssuuddooeerrss plugin is _s_u_b_s_y_s_t_e_m@_p_r_i_o_r_i_t_y but a plugin - is free to use a different format so long as it does - not include a comma (`,'). Prior to ssuuddoo 1.8.12, there - was no way to specify plugin-specific _d_e_b_u_g___f_l_a_g_s so - the value was always the same as that used by the ssuuddoo - front end and did not include a path name, only the - flags themselves. As of version 1.7 of the plugin - interface, ssuuddoo will only pass _d_e_b_u_g___f_l_a_g_s if - sudo.conf(4) contains a plugin-specific Debug entry. - - debug_level=number - This setting has been deprecated in favor of - _d_e_b_u_g___f_l_a_g_s. - - ignore_ticket=bool - Set to true if the user specified the --kk flag along - with a command, indicating that the user wishes to - ignore any cached authentication credentials. - _i_m_p_l_i_e_d___s_h_e_l_l to true. This allows ssuuddoo with no - arguments to be used similarly to su(1). If the plugin - does not to support this usage, it may return a value - of -2 from the cchheecckk__ppoolliiccyy() function, which will - cause ssuuddoo to print a usage message and exit. - - implied_shell=bool - If the user does not specify a program on the command - line, ssuuddoo will pass the plugin the path to the user's - shell and set - - login_class=string - BSD login class to use when setting resource limits and - nice value, if specified by the --cc flag. - - login_shell=bool - Set to true if the user specified the --ii flag, - indicating that the user wishes to run a login shell. - - max_groups=int - The maximum number of groups a user may belong to. - This will only be present if there is a corresponding - setting in sudo.conf(4). - - network_addrs=list - A space-separated list of IP network addresses and - netmasks in the form "addr/netmask", e.g., - "192.168.1.2/255.255.255.0". The address and netmask - pairs may be either IPv4 or IPv6, depending on what the - operating system supports. If the address contains a - colon (`:'), it is an IPv6 address, else it is IPv4. - - noninteractive=bool - Set to true if the user specified the --nn flag, - indicating that ssuuddoo should operate in non-interactive - mode. The plugin may reject a command run in non- - interactive mode if user interaction is required. - - plugin_dir=string - The default plugin directory used by the ssuuddoo front - end. This is the default directory set at compile time - and may not correspond to the directory the running - plugin was loaded from. It may be used by a plugin to - locate support files. - - plugin_path=string - The path name of plugin loaded by the ssuuddoo front end. - The path name will be a fully-qualified unless the - plugin was statically compiled into ssuuddoo. - - preserve_environment=bool - Set to true if the user specified the --EE flag, - indicating that the user wishes to preserve the - environment. - - preserve_groups=bool - Set to true if the user specified the --PP flag, - indicating that the user wishes to preserve the group - vector instead of setting it based on the runas user. - - progname=string - The command name that sudo was run as, typically "sudo" - or "sudoedit". - - prompt=string - The prompt to use when requesting a password, if - specified via the --pp flag. - - remote_host=string - The name of the remote host to run the command on, if - specified via the --hh option. Support for running the - command on a remote host is meant to be implemented via - a helper program that is executed in place of the user- - specified command. The ssuuddoo front end is only capable - of executing commands on the local host. Only - available starting with API version 1.4. - - run_shell=bool - Set to true if the user specified the --ss flag, - indicating that the user wishes to run a shell. - - runas_group=string - The group name or gid to run the command as, if - specified via the --gg flag. - - runas_user=string - The user name or uid to run the command as, if - specified via the --uu flag. - - selinux_role=string - SELinux role to use when executing the command, if - specified by the --rr flag. - - selinux_type=string - SELinux type to use when executing the command, if - specified by the --tt flag. - - set_home=bool - Set to true if the user specified the --HH flag. If - true, set the HOME environment variable to the target - user's home directory. - - sudoedit=bool - Set to true when the --ee flag is specified or if invoked - as ssuuddooeeddiitt. The plugin shall substitute an editor - into _a_r_g_v in the cchheecckk__ppoolliiccyy() function or return -2 - with a usage error if the plugin does not support - _s_u_d_o_e_d_i_t. For more information, see the _c_h_e_c_k___p_o_l_i_c_y - section. - - timeout=string - User-specified command timeout. Not all plugins - support command timeouts and the ability for the user - to set a timeout may be restricted by policy. The - format of the timeout string is plugin-specific. - - Additional settings may be added in the future so the plugin - should silently ignore settings that it does not recognize. - - user_info - A vector of information about the user running the command in - the form of "name=value" strings. The vector is terminated - by a NULL pointer. - - When parsing _u_s_e_r___i_n_f_o, the plugin should split on the ffiirrsstt - equal sign (`=') since the _n_a_m_e field will never include one - itself but the _v_a_l_u_e might. - - cols=int - The number of columns the user's terminal supports. If - there is no terminal device available, a default value - of 80 is used. - - cwd=string - The user's current working directory. - - egid=gid_t - The effective group ID of the user invoking ssuuddoo. - - euid=uid_t - The effective user ID of the user invoking ssuuddoo. - - gid=gid_t - The real group ID of the user invoking ssuuddoo. - - groups=list - The user's supplementary group list formatted as a - string of comma-separated group IDs. - - host=string - The local machine's hostname as returned by the - gethostname(2) system call. - - lines=int - The number of lines the user's terminal supports. If - there is no terminal device available, a default value - of 24 is used. - - pgid=int - The ID of the process group that the running ssuuddoo - process is a member of. Only available starting with - API version 1.2. - - pid=int - The process ID of the running ssuuddoo process. Only - available starting with API version 1.2. - - plugin_options - Any (non-comment) strings immediately after the plugin - path are passed as arguments to the plugin. These - arguments are split on a white space boundary and are - passed to the plugin in the form of a NULL-terminated - array of strings. If no arguments were specified, - _p_l_u_g_i_n___o_p_t_i_o_n_s will be the NULL pointer. - - NOTE: the _p_l_u_g_i_n___o_p_t_i_o_n_s parameter is only available - starting with API version 1.2. A plugin mmuusstt check the - API version specified by the ssuuddoo front end before - using _p_l_u_g_i_n___o_p_t_i_o_n_s. Failure to do so may result in a - crash. - - ppid=int - The parent process ID of the running ssuuddoo process. - Only available starting with API version 1.2. - - sid=int - The session ID of the running ssuuddoo process or 0 if ssuuddoo - is not part of a POSIX job control session. Only - available starting with API version 1.2. - - tcpgid=int - The ID of the foreground process group associated with - the terminal device associated with the ssuuddoo process or - -1 if there is no terminal present. Only available - starting with API version 1.2. - - tty=string - The path to the user's terminal device. If the user - has no terminal device associated with the session, the - value will be empty, as in "tty=". - - uid=uid_t - The real user ID of the user invoking ssuuddoo. - - umask=octal - The invoking user's file creation mask. Only available - starting with API version 1.10. - - user=string - The name of the user invoking ssuuddoo. - - user_env - The user's environment in the form of a NULL-terminated - vector of "name=value" strings. - - When parsing _u_s_e_r___e_n_v, the plugin should split on the ffiirrsstt - equal sign (`=') since the _n_a_m_e field will never include one - itself but the _v_a_l_u_e might. - - close - void (*close)(int exit_status, int error); - - The cclloossee() function is called when the command being run by ssuuddoo - finishes. - - The function arguments are as follows: - - exit_status - The command's exit status, as returned by the wait(2) system - call. The value of exit_status is undefined if error is non- - zero. - - error - If the command could not be executed, this is set to the - value of errno set by the execve(2) system call. The plugin - is responsible for displaying error information via the - ccoonnvveerrssaattiioonn() or pplluuggiinn__pprriinnttff() function. If the command - was successfully executed, the value of error is 0. - - If no cclloossee() function is defined, no I/O logging plugins are - loaded, and neither the _t_i_m_e_o_u_t not _u_s_e___p_t_y options are set in the - command_info list, the ssuuddoo front end may execute the command - directly instead of running it as a child process. - - show_version - int (*show_version)(int verbose); - - The sshhooww__vveerrssiioonn() function is called by ssuuddoo when the user - specifies the --VV option. The plugin may display its version - information to the user via the ccoonnvveerrssaattiioonn() or pplluuggiinn__pprriinnttff() - function using SUDO_CONV_INFO_MSG. If the user requests detailed - version information, the verbose flag will be set. - - Returns 1 on success, 0 on failure, -1 if a general error occurred, - or -2 if there was a usage error, although the return value is - currently ignored. - - check_policy - int (*check_policy)(int argc, char * const argv[], - char *env_add[], char **command_info[], - char **argv_out[], char **user_env_out[]); - - The cchheecckk__ppoolliiccyy() function is called by ssuuddoo to determine whether - the user is allowed to run the specified commands. - - If the _s_u_d_o_e_d_i_t option was enabled in the _s_e_t_t_i_n_g_s array passed to - the ooppeenn() function, the user has requested _s_u_d_o_e_d_i_t mode. - _s_u_d_o_e_d_i_t is a mechanism for editing one or more files where an - editor is run with the user's credentials instead of with elevated - privileges. ssuuddoo achieves this by creating user-writable temporary - copies of the files to be edited and then overwriting the originals - with the temporary copies after editing is complete. If the plugin - supports _s_u_d_o_e_d_i_t, it should choose the editor to be used, - potentially from a variable in the user's environment, such as - EDITOR, and include it in _a_r_g_v___o_u_t (note that environment variables - may include command line flags). The files to be edited should be - copied from _a_r_g_v into _a_r_g_v___o_u_t, separated from the editor and its - arguments by a "--" element. The "--" will be removed by ssuuddoo - before the editor is executed. The plugin should also set - _s_u_d_o_e_d_i_t_=_t_r_u_e in the _c_o_m_m_a_n_d___i_n_f_o list. - - The cchheecckk__ppoolliiccyy() function returns 1 if the command is allowed, 0 - if not allowed, -1 for a general error, or -2 for a usage error or - if _s_u_d_o_e_d_i_t was specified but is unsupported by the plugin. In the - latter case, ssuuddoo will print a usage message before it exits. If - an error occurs, the plugin may optionally call the ccoonnvveerrssaattiioonn() - or pplluuggiinn__pprriinnttff() function with SUDO_CONF_ERROR_MSG to present - additional error information to the user. - - The function arguments are as follows: - - argc The number of elements in _a_r_g_v, not counting the final NULL - pointer. - - argv The argument vector describing the command the user wishes to - run, in the same form as what would be passed to the - execve(2) system call. The vector is terminated by a NULL - pointer. - - env_add - Additional environment variables specified by the user on the - command line in the form of a NULL-terminated vector of - "name=value" strings. The plugin may reject the command if - one or more variables are not allowed to be set, or it may - silently ignore such variables. - - When parsing _e_n_v___a_d_d, the plugin should split on the ffiirrsstt - equal sign (`=') since the _n_a_m_e field will never include one - itself but the _v_a_l_u_e might. - - command_info - Information about the command being run in the form of - "name=value" strings. These values are used by ssuuddoo to set - the execution environment when running a command. The plugin - is responsible for creating and populating the vector, which - must be terminated with a NULL pointer. The following values - are recognized by ssuuddoo: - - chroot=string - The root directory to use when running the command. - - closefrom=number - If specified, ssuuddoo will close all files descriptors - with a value of _n_u_m_b_e_r or higher. - - command=string - Fully qualified path to the command to be executed. - - cwd=string - The current working directory to change to when - executing the command. - - exec_background=bool - By default, ssuuddoo runs a command as the foreground - process as long as ssuuddoo itself is running in the - foreground. When _e_x_e_c___b_a_c_k_g_r_o_u_n_d is enabled and the - command is being run in a pty (due to I/O logging or - the _u_s_e___p_t_y setting), the command will be run as a - background process. Attempts to read from the - controlling terminal (or to change terminal settings) - will result in the command being suspended with the - SIGTTIN signal (or SIGTTOU in the case of terminal - settings). If this happens when ssuuddoo is a foreground - process, the command will be granted the controlling - terminal and resumed in the foreground with no user - intervention required. The advantage of initially - running the command in the background is that ssuuddoo need - not read from the terminal unless the command - explicitly requests it. Otherwise, any terminal input - must be passed to the command, whether it has required - it or not (the kernel buffers terminals so it is not - possible to tell whether the command really wants the - input). This is different from historic _s_u_d_o behavior - or when the command is not being run in a pty. - - For this to work seamlessly, the operating system must - support the automatic restarting of system calls. - Unfortunately, not all operating systems do this by - default, and even those that do may have bugs. For - example, macOS fails to restart the ttccggeettaattttrr() and - ttccsseettaattttrr() system calls (this is a bug in macOS). - Furthermore, because this behavior depends on the - command stopping with the SIGTTIN or SIGTTOU signals, - programs that catch these signals and suspend - themselves with a different signal (usually SIGTOP) - will not be automatically foregrounded. Some versions - of the linux su(1) command behave this way. Because of - this, a plugin should not set _e_x_e_c___b_a_c_k_g_r_o_u_n_d unless it - is explicitly enabled by the administrator and there - should be a way to enabled or disable it on a per- - command basis. - - This setting has no effect unless I/O logging is - enabled or _u_s_e___p_t_y is enabled. - - execfd=number - If specified, ssuuddoo will use the fexecve(2) system call - to execute the command instead of execve(2). The - specified _n_u_m_b_e_r must refer to an open file descriptor. - - iolog_compress=bool - Set to true if the I/O logging plugins, if any, should - compress the log data. This is a hint to the I/O - logging plugin which may choose to ignore it. - - iolog_group=string - The group that will own newly created I/O log files and - directories. This is a hint to the I/O logging plugin - which may choose to ignore it. - - iolog_mode=octal - The file permission mode to use when creating I/O log - files and directories. This is a hint to the I/O - logging plugin which may choose to ignore it. - - iolog_user=string - The user that will own newly created I/O log files and - directories. This is a hint to the I/O logging plugin - which may choose to ignore it. - - iolog_path=string - Fully qualified path to the file or directory in which - I/O log is to be stored. This is a hint to the I/O - logging plugin which may choose to ignore it. If no - I/O logging plugin is loaded, this setting has no - effect. - - iolog_stdin=bool - Set to true if the I/O logging plugins, if any, should - log the standard input if it is not connected to a - terminal device. This is a hint to the I/O logging - plugin which may choose to ignore it. - - iolog_stdout=bool - Set to true if the I/O logging plugins, if any, should - log the standard output if it is not connected to a - terminal device. This is a hint to the I/O logging - plugin which may choose to ignore it. - - iolog_stderr=bool - Set to true if the I/O logging plugins, if any, should - log the standard error if it is not connected to a - terminal device. This is a hint to the I/O logging - plugin which may choose to ignore it. - - iolog_ttyin=bool - Set to true if the I/O logging plugins, if any, should - log all terminal input. This only includes input typed - by the user and not from a pipe or redirected from a - file. This is a hint to the I/O logging plugin which - may choose to ignore it. - - iolog_ttyout=bool - Set to true if the I/O logging plugins, if any, should - log all terminal output. This only includes output to - the screen, not output to a pipe or file. This is a - hint to the I/O logging plugin which may choose to - ignore it. - - login_class=string - BSD login class to use when setting resource limits and - nice value (optional). This option is only set on - systems that support login classes. - - nice=int - Nice value (priority) to use when executing the - command. The nice value, if specified, overrides the - priority associated with the _l_o_g_i_n___c_l_a_s_s on BSD - systems. - - noexec=bool - If set, prevent the command from executing other - programs. - - preserve_fds=list - A comma-separated list of file descriptors that should - be preserved, regardless of the value of the _c_l_o_s_e_f_r_o_m - setting. Only available starting with API version 1.5. - - preserve_groups=bool - If set, ssuuddoo will preserve the user's group vector - instead of initializing the group vector based on - runas_user. - - runas_egid=gid - Effective group ID to run the command as. If not - specified, the value of _r_u_n_a_s___g_i_d is used. - - runas_euid=uid - Effective user ID to run the command as. If not - specified, the value of _r_u_n_a_s___u_i_d is used. - - runas_gid=gid - Group ID to run the command as. - - runas_groups=list - The supplementary group vector to use for the command - in the form of a comma-separated list of group IDs. If - _p_r_e_s_e_r_v_e___g_r_o_u_p_s is set, this option is ignored. - - runas_uid=uid - User ID to run the command as. - - selinux_role=string - SELinux role to use when executing the command. - - selinux_type=string - SELinux type to use when executing the command. - - set_utmp=bool - Create a utmp (or utmpx) entry when a pseudo-tty is - allocated. By default, the new entry will be a copy of - the user's existing utmp entry (if any), with the tty, - time, type and pid fields updated. - - sudoedit=bool - Set to true when in _s_u_d_o_e_d_i_t mode. The plugin may - enable _s_u_d_o_e_d_i_t mode even if ssuuddoo was not invoked as - ssuuddooeeddiitt. This allows the plugin to perform command - substitution and transparently enable _s_u_d_o_e_d_i_t when the - user attempts to run an editor. - - sudoedit_checkdir=bool - Set to false to disable directory writability checks in - ssuuddooeeddiitt. By default, ssuuddooeeddiitt 1.8.16 and higher will - check all directory components of the path to be edited - for writability by the invoking user. Symbolic links - will not be followed in writable directories and - ssuuddooeeddiitt will refuse to edit a file located in a - writable directory. These restrictions are not - enforced when ssuuddooeeddiitt is run by root. The - _s_u_d_o_e_d_i_t___f_o_l_l_o_w option can be set to false to disable - this check. Only available starting with API version - 1.8. - - sudoedit_follow=bool - Set to true to allow ssuuddooeeddiitt to edit files that are - symbolic links. By default, ssuuddooeeddiitt 1.8.15 and higher - will refuse to open a symbolic link. The - _s_u_d_o_e_d_i_t___f_o_l_l_o_w option can be used to restore the older - behavior and allow ssuuddooeeddiitt to open symbolic links. - Only available starting with API version 1.8. - - timeout=int - Command timeout. If non-zero then when the timeout - expires the command will be killed. - - umask=octal - The file creation mask to use when executing the - command. - - use_pty=bool - Allocate a pseudo-tty to run the command in, regardless - of whether or not I/O logging is in use. By default, - ssuuddoo will only run the command in a pty when an I/O log - plugin is loaded. - - utmp_user=string - User name to use when constructing a new utmp (or - utmpx) entry when _s_e_t___u_t_m_p is enabled. This option can - be used to set the user field in the utmp entry to the - user the command runs as rather than the invoking user. - If not set, ssuuddoo will base the new entry on the - invoking user's existing entry. - - Unsupported values will be ignored. - - argv_out - The NULL-terminated argument vector to pass to the execve(2) - system call when executing the command. The plugin is - responsible for allocating and populating the vector. - - user_env_out - The NULL-terminated environment vector to use when executing - the command. The plugin is responsible for allocating and - populating the vector. - - list - int (*list)(int argc, char * const argv[], - int verbose, const char *list_user); - - List available privileges for the invoking user. Returns 1 on - success, 0 on failure and -1 on error. On error, the plugin may - optionally call the ccoonnvveerrssaattiioonn() or pplluuggiinn__pprriinnttff() function with - SUDO_CONF_ERROR_MSG to present additional error information to the - user. - - Privileges should be output via the ccoonnvveerrssaattiioonn() or - pplluuggiinn__pprriinnttff() function using SUDO_CONV_INFO_MSG, - - verbose - Flag indicating whether to list in verbose mode or not. - - list_user - The name of a different user to list privileges for if the - policy allows it. If NULL, the plugin should list the - privileges of the invoking user. - - argc The number of elements in _a_r_g_v, not counting the final NULL - pointer. - - argv If non-NULL, an argument vector describing a command the user - wishes to check against the policy in the same form as what - would be passed to the execve(2) system call. If the command - is permitted by the policy, the fully-qualified path to the - command should be displayed along with any command line - arguments. - - validate - int (*validate)(void); - - The vvaalliiddaattee() function is called when ssuuddoo is run with the --vv - flag. For policy plugins such as ssuuddooeerrss that cache authentication - credentials, this function will validate and cache the credentials. - - The vvaalliiddaattee() function should be NULL if the plugin does not - support credential caching. - - Returns 1 on success, 0 on failure and -1 on error. On error, the - plugin may optionally call the ccoonnvveerrssaattiioonn() or pplluuggiinn__pprriinnttff() - function with SUDO_CONF_ERROR_MSG to present additional error - information to the user. - - invalidate - void (*invalidate)(int remove); - - The iinnvvaalliiddaattee() function is called when ssuuddoo is called with the --kk - or --KK flag. For policy plugins such as ssuuddooeerrss that cache - authentication credentials, this function will invalidate the - credentials. If the _r_e_m_o_v_e flag is set, the plugin may remove the - credentials instead of simply invalidating them. - - The iinnvvaalliiddaattee() function should be NULL if the plugin does not - support credential caching. - - init_session - int (*init_session)(struct passwd *pwd, char **user_envp[); - - The iinniitt__sseessssiioonn() function is called before ssuuddoo sets up the - execution environment for the command. It is run in the parent - ssuuddoo process and before any uid or gid changes. This can be used - to perform session setup that is not supported by _c_o_m_m_a_n_d___i_n_f_o, - such as opening the PAM session. The cclloossee() function can be used - to tear down the session that was opened by init_session. - - The _p_w_d argument points to a passwd struct for the user the command - will be run as if the uid the command will run as was found in the - password database, otherwise it will be NULL. - - The _u_s_e_r___e_n_v argument points to the environment the command will - run in, in the form of a NULL-terminated vector of "name=value" - strings. This is the same string passed back to the front end via - the Policy Plugin's _u_s_e_r___e_n_v___o_u_t parameter. If the iinniitt__sseessssiioonn() - function needs to modify the user environment, it should update the - pointer stored in _u_s_e_r___e_n_v. The expected use case is to merge the - contents of the PAM environment (if any) with the contents of - _u_s_e_r___e_n_v. NOTE: the _u_s_e_r___e_n_v parameter is only available starting - with API version 1.2. A plugin mmuusstt check the API version - specified by the ssuuddoo front end before using _u_s_e_r___e_n_v. Failure to - do so may result in a crash. - - Returns 1 on success, 0 on failure and -1 on error. On error, the - plugin may optionally call the ccoonnvveerrssaattiioonn() or pplluuggiinn__pprriinnttff() - function with SUDO_CONF_ERROR_MSG to present additional error - information to the user. - - register_hooks - void (*register_hooks)(int version, - int (*register_hook)(struct sudo_hook *hook)); - - The rreeggiisstteerr__hhooookkss() function is called by the sudo front end to - register any hooks the plugin needs. If the plugin does not - support hooks, register_hooks should be set to the NULL pointer. - - The _v_e_r_s_i_o_n argument describes the version of the hooks API - supported by the ssuuddoo front end. - - The rreeggiisstteerr__hhooookk() function should be used to register any - supported hooks the plugin needs. It returns 0 on success, 1 if - the hook type is not supported and -1 if the major version in - struct hook does not match the front end's major hook API version. - - See the _H_o_o_k _f_u_n_c_t_i_o_n _A_P_I section below for more information about - hooks. - - NOTE: the rreeggiisstteerr__hhooookkss() function is only available starting with - API version 1.2. If the ssuuddoo front end doesn't support API version - 1.2 or higher, register_hooks will not be called. - - deregister_hooks - void (*deregister_hooks)(int version, - int (*deregister_hook)(struct sudo_hook *hook)); - - The ddeerreeggiisstteerr__hhooookkss() function is called by the sudo front end to - deregister any hooks the plugin has registered. If the plugin does - not support hooks, deregister_hooks should be set to the NULL - pointer. - - The _v_e_r_s_i_o_n argument describes the version of the hooks API - supported by the ssuuddoo front end. - - The ddeerreeggiisstteerr__hhooookk() function should be used to deregister any - hooks that were put in place by the rreeggiisstteerr__hhooookk() function. If - the plugin tries to deregister a hook that the front end does not - support, deregister_hook will return an error. - - See the _H_o_o_k _f_u_n_c_t_i_o_n _A_P_I section below for more information about - hooks. - - NOTE: the ddeerreeggiisstteerr__hhooookkss() function is only available starting - with API version 1.2. If the ssuuddoo front end doesn't support API - version 1.2 or higher, deregister_hooks will not be called. - - _P_o_l_i_c_y _P_l_u_g_i_n _V_e_r_s_i_o_n _M_a_c_r_o_s - - /* Plugin API version major/minor. */ - #define SUDO_API_VERSION_MAJOR 1 - #define SUDO_API_VERSION_MINOR 13 - #define SUDO_API_MKVERSION(x, y) ((x << 16) | y) - #define SUDO_API_VERSION SUDO_API_MKVERSION(SUDO_API_VERSION_MAJOR,\ - SUDO_API_VERSION_MINOR) - - /* Getters and setters for API version */ - #define SUDO_API_VERSION_GET_MAJOR(v) ((v) >> 16) - #define SUDO_API_VERSION_GET_MINOR(v) ((v) & 0xffff) - #define SUDO_API_VERSION_SET_MAJOR(vp, n) do { \ - *(vp) = (*(vp) & 0x0000ffff) | ((n) << 16); \ - } while(0) - #define SUDO_API_VERSION_SET_MINOR(vp, n) do { \ - *(vp) = (*(vp) & 0xffff0000) | (n); \ - } while(0) - - II//OO pplluuggiinn AAPPII - struct io_plugin { - #define SUDO_IO_PLUGIN 2 - unsigned int type; /* always SUDO_IO_PLUGIN */ - unsigned int version; /* always SUDO_API_VERSION */ - int (*open)(unsigned int version, sudo_conv_t conversation, - sudo_printf_t plugin_printf, char * const settings[], - char * const user_info[], char * const command_info[], - int argc, char * const argv[], char * const user_env[], - char * const plugin_options[]); - void (*close)(int exit_status, int error); /* wait status or error */ - int (*show_version)(int verbose); - int (*log_ttyin)(const char *buf, unsigned int len); - int (*log_ttyout)(const char *buf, unsigned int len); - int (*log_stdin)(const char *buf, unsigned int len); - int (*log_stdout)(const char *buf, unsigned int len); - int (*log_stderr)(const char *buf, unsigned int len); - void (*register_hooks)(int version, - int (*register_hook)(struct sudo_hook *hook)); - void (*deregister_hooks)(int version, - int (*deregister_hook)(struct sudo_hook *hook)); - int (*change_winsize)(unsigned int lines, unsigned int cols); - int (*log_suspend)(int signo); - }; - - When an I/O plugin is loaded, ssuuddoo runs the command in a pseudo-tty. - This makes it possible to log the input and output from the user's - session. If any of the standard input, standard output or standard error - do not correspond to a tty, ssuuddoo will open a pipe to capture the I/O for - logging before passing it on. - - The log_ttyin function receives the raw user input from the terminal - device (note that this will include input even when echo is disabled, - such as when a password is read). The log_ttyout function receives - output from the pseudo-tty that is suitable for replaying the user's - session at a later time. The lloogg__ssttddiinn(), lloogg__ssttddoouutt() and lloogg__ssttddeerrrr() - functions are only called if the standard input, standard output or - standard error respectively correspond to something other than a tty. - - Any of the logging functions may be set to the NULL pointer if no logging - is to be performed. If the open function returns 0, no I/O will be sent - to the plugin. - - If a logging function returns an error (-1), the running command will be - terminated and all of the plugin's logging functions will be disabled. - Other I/O logging plugins will still receive any remaining input or - output that has not yet been processed. - - If an input logging function rejects the data by returning 0, the command - will be terminated and the data will not be passed to the command, though - it will still be sent to any other I/O logging plugins. If an output - logging function rejects the data by returning 0, the command will be - terminated and the data will not be written to the terminal, though it - will still be sent to any other I/O logging plugins. - - The io_plugin struct has the following fields: - - type The type field should always be set to SUDO_IO_PLUGIN. - - version - The version field should be set to SUDO_API_VERSION. - - This allows ssuuddoo to determine the API version the plugin was built - against. - - open - int (*open)(unsigned int version, sudo_conv_t conversation, - sudo_printf_t plugin_printf, char * const settings[], - char * const user_info[], char * const command_info[], - int argc, char * const argv[], char * const user_env[], - char * const plugin_options[]); - - The ooppeenn() function is run before the lloogg__ttttyyiinn(), lloogg__ttttyyoouutt(), - lloogg__ssttddiinn(), lloogg__ssttddoouutt(), lloogg__ssttddeerrrr(), lloogg__ssuussppeenndd(), - cchhaannggee__wwiinnssiizzee(), or sshhooww__vveerrssiioonn() functions are called. It is - only called if the version is being requested or if the policy - plugin's cchheecckk__ppoolliiccyy() function has returned successfully. It - returns 1 on success, 0 on failure, -1 if a general error occurred, - or -2 if there was a usage error. In the latter case, ssuuddoo will - print a usage message before it exits. If an error occurs, the - plugin may optionally call the ccoonnvveerrssaattiioonn() or pplluuggiinn__pprriinnttff() - function with SUDO_CONF_ERROR_MSG to present additional error - information to the user. - - The function arguments are as follows: - - version - The version passed in by ssuuddoo allows the plugin to determine - the major and minor version number of the plugin API - supported by ssuuddoo. - - conversation - A pointer to the ccoonnvveerrssaattiioonn() function that may be used by - the sshhooww__vveerrssiioonn() function to display version information - (see sshhooww__vveerrssiioonn() below). The ccoonnvveerrssaattiioonn() function may - also be used to display additional error message to the user. - The ccoonnvveerrssaattiioonn() function returns 0 on success and -1 on - failure. - - plugin_printf - A pointer to a pprriinnttff()-style function that may be used by - the sshhooww__vveerrssiioonn() function to display version information - (see show_version below). The pplluuggiinn__pprriinnttff() function may - also be used to display additional error message to the user. - The pplluuggiinn__pprriinnttff() function returns number of characters - printed on success and -1 on failure. - - settings - A vector of user-supplied ssuuddoo settings in the form of - "name=value" strings. The vector is terminated by a NULL - pointer. These settings correspond to flags the user - specified when running ssuuddoo. As such, they will only be - present when the corresponding flag has been specified on the - command line. - - When parsing _s_e_t_t_i_n_g_s, the plugin should split on the ffiirrsstt - equal sign (`=') since the _n_a_m_e field will never include one - itself but the _v_a_l_u_e might. - - See the _P_o_l_i_c_y _p_l_u_g_i_n _A_P_I section for a list of all possible - settings. - - user_info - A vector of information about the user running the command in - the form of "name=value" strings. The vector is terminated - by a NULL pointer. - - When parsing _u_s_e_r___i_n_f_o, the plugin should split on the ffiirrsstt - equal sign (`=') since the _n_a_m_e field will never include one - itself but the _v_a_l_u_e might. - - See the _P_o_l_i_c_y _p_l_u_g_i_n _A_P_I section for a list of all possible - strings. - - argc The number of elements in _a_r_g_v, not counting the final NULL - pointer. It can be zero, when ssuuddoo is called with --VV. - - argv If non-NULL, an argument vector describing a command the user - wishes to run in the same form as what would be passed to the - execve(2) system call. - - user_env - The user's environment in the form of a NULL-terminated - vector of "name=value" strings. - - When parsing _u_s_e_r___e_n_v, the plugin should split on the ffiirrsstt - equal sign (`=') since the _n_a_m_e field will never include one - itself but the _v_a_l_u_e might. - - plugin_options - Any (non-comment) strings immediately after the plugin path - are treated as arguments to the plugin. These arguments are - split on a white space boundary and are passed to the plugin - in the form of a NULL-terminated array of strings. If no - arguments were specified, _p_l_u_g_i_n___o_p_t_i_o_n_s will be the NULL - pointer. - - NOTE: the _p_l_u_g_i_n___o_p_t_i_o_n_s parameter is only available starting - with API version 1.2. A plugin mmuusstt check the API version - specified by the ssuuddoo front end before using _p_l_u_g_i_n___o_p_t_i_o_n_s. - Failure to do so may result in a crash. - - close - void (*close)(int exit_status, int error); - - The cclloossee() function is called when the command being run by ssuuddoo - finishes. - - The function arguments are as follows: - - exit_status - The command's exit status, as returned by the wait(2) system - call. The value of exit_status is undefined if error is non- - zero. - - error - If the command could not be executed, this is set to the - value of errno set by the execve(2) system call. If the - command was successfully executed, the value of error is 0. - - show_version - int (*show_version)(int verbose); - - The sshhooww__vveerrssiioonn() function is called by ssuuddoo when the user - specifies the --VV option. The plugin may display its version - information to the user via the ccoonnvveerrssaattiioonn() or pplluuggiinn__pprriinnttff() - function using SUDO_CONV_INFO_MSG. If the user requests detailed - version information, the verbose flag will be set. - - Returns 1 on success, 0 on failure, -1 if a general error occurred, - or -2 if there was a usage error, although the return value is - currently ignored. - - log_ttyin - int (*log_ttyin)(const char *buf, unsigned int len); - - The lloogg__ttttyyiinn() function is called whenever data can be read from - the user but before it is passed to the running command. This - allows the plugin to reject data if it chooses to (for instance if - the input contains banned content). Returns 1 if the data should - be passed to the command, 0 if the data is rejected (which will - terminate the running command) or -1 if an error occurred. - - The function arguments are as follows: - - buf The buffer containing user input. - - len The length of _b_u_f in bytes. - - log_ttyout - int (*log_ttyout)(const char *buf, unsigned int len); - - The lloogg__ttttyyoouutt() function is called whenever data can be read from - the command but before it is written to the user's terminal. This - allows the plugin to reject data if it chooses to (for instance if - the output contains banned content). Returns 1 if the data should - be passed to the user, 0 if the data is rejected (which will - terminate the running command) or -1 if an error occurred. - - The function arguments are as follows: - - buf The buffer containing command output. - - len The length of _b_u_f in bytes. - - log_stdin - int (*log_stdin)(const char *buf, unsigned int len); - - The lloogg__ssttddiinn() function is only used if the standard input does - not correspond to a tty device. It is called whenever data can be - read from the standard input but before it is passed to the running - command. This allows the plugin to reject data if it chooses to - (for instance if the input contains banned content). Returns 1 if - the data should be passed to the command, 0 if the data is rejected - (which will terminate the running command) or -1 if an error - occurred. - - The function arguments are as follows: - - buf The buffer containing user input. - - len The length of _b_u_f in bytes. - - log_stdout - int (*log_stdout)(const char *buf, unsigned int len); - - The lloogg__ssttddoouutt() function is only used if the standard output does - not correspond to a tty device. It is called whenever data can be - read from the command but before it is written to the standard - output. This allows the plugin to reject data if it chooses to - (for instance if the output contains banned content). Returns 1 if - the data should be passed to the user, 0 if the data is rejected - (which will terminate the running command) or -1 if an error - occurred. - - The function arguments are as follows: - - buf The buffer containing command output. - - len The length of _b_u_f in bytes. - - log_stderr - int (*log_stderr)(const char *buf, unsigned int len); - - The lloogg__ssttddeerrrr() function is only used if the standard error does - not correspond to a tty device. It is called whenever data can be - read from the command but before it is written to the standard - error. This allows the plugin to reject data if it chooses to (for - instance if the output contains banned content). Returns 1 if the - data should be passed to the user, 0 if the data is rejected (which - will terminate the running command) or -1 if an error occurred. - - The function arguments are as follows: - - buf The buffer containing command output. - - len The length of _b_u_f in bytes. - - register_hooks - See the _P_o_l_i_c_y _p_l_u_g_i_n _A_P_I section for a description of - register_hooks. - - deregister_hooks - See the _P_o_l_i_c_y _p_l_u_g_i_n _A_P_I section for a description of - deregister_hooks. - - change_winsize - int (*change_winsize)(unsigned int lines, unsigned int cols); - - The cchhaannggee__wwiinnssiizzee() function is called whenever the window size of - the terminal changes from the initial values specified in the - user_info list. Returns -1 if an error occurred, in which case no - further calls to cchhaannggee__wwiinnssiizzee() will be made, - - log_suspend - int (*log_suspend)(int signo); - - The lloogg__ssuussppeenndd() function is called whenever a command is - suspended or resumed. The _s_i_g_n_o argument is either the signal that - caused the command to be suspended or SIGCONT if the command was - resumed. Logging this information makes it possible to skip the - period of time when the command was suspended during playback of a - session. Returns -1 if an error occurred, in which case no further - calls to lloogg__ssuussppeenndd() will be made, - - _I_/_O _P_l_u_g_i_n _V_e_r_s_i_o_n _M_a_c_r_o_s - - Same as for the _P_o_l_i_c_y _p_l_u_g_i_n _A_P_I. - - SSiiggnnaall hhaannddlleerrss - The ssuuddoo front end installs default signal handlers to trap common - signals while the plugin functions are run. The following signals are - trapped by default before the command is executed: - - ++oo SIGALRM - ++oo SIGHUP - ++oo SIGINT - ++oo SIGPIPE - ++oo SIGQUIT - ++oo SIGTERM - ++oo SIGTSTP - ++oo SIGUSR1 - ++oo SIGUSR2 - - If a fatal signal is received before the command is executed, ssuuddoo will - call the plugin's cclloossee() function with an exit status of 128 plus the - value of the signal that was received. This allows for consistent - logging of commands killed by a signal for plugins that log such - information in their cclloossee() function. An exception to this is SIGPIPE, - which is ignored until the command is executed. - - A plugin may temporarily install its own signal handlers but must restore - the original handler before the plugin function returns. - - HHooookk ffuunnccttiioonn AAPPII - Beginning with plugin API version 1.2, it is possible to install hooks - for certain functions called by the ssuuddoo front end. - - Currently, the only supported hooks relate to the handling of environment - variables. Hooks can be used to intercept attempts to get, set, or - remove environment variables so that these changes can be reflected in - the version of the environment that is used to execute a command. A - future version of the API will support hooking internal ssuuddoo front end - functions as well. - - _H_o_o_k _s_t_r_u_c_t_u_r_e - - Hooks in ssuuddoo are described by the following structure: - - typedef int (*sudo_hook_fn_t)(); - - struct sudo_hook { - unsigned int hook_version; - unsigned int hook_type; - sudo_hook_fn_t hook_fn; - void *closure; - }; - - The sudo_hook structure has the following fields: - - hook_version - The hook_version field should be set to SUDO_HOOK_VERSION. - - hook_type - The hook_type field may be one of the following supported hook - types: - - SUDO_HOOK_SETENV - The C library setenv(3) function. Any registered hooks will - run before the C library implementation. The hook_fn field - should be a function that matches the following typedef: - - typedef int (*sudo_hook_fn_setenv_t)(const char *name, - const char *value, int overwrite, void *closure); - - If the registered hook does not match the typedef the results - are unspecified. - - SUDO_HOOK_UNSETENV - The C library unsetenv(3) function. Any registered hooks - will run before the C library implementation. The hook_fn - field should be a function that matches the following - typedef: - - typedef int (*sudo_hook_fn_unsetenv_t)(const char *name, - void *closure); - - SUDO_HOOK_GETENV - The C library getenv(3) function. Any registered hooks will - run before the C library implementation. The hook_fn field - should be a function that matches the following typedef: - - typedef int (*sudo_hook_fn_getenv_t)(const char *name, - char **value, void *closure); - - If the registered hook does not match the typedef the results - are unspecified. - - SUDO_HOOK_PUTENV - The C library putenv(3) function. Any registered hooks will - run before the C library implementation. The hook_fn field - should be a function that matches the following typedef: - - typedef int (*sudo_hook_fn_putenv_t)(char *string, - void *closure); - - If the registered hook does not match the typedef the results - are unspecified. - - hook_fn - sudo_hook_fn_t hook_fn; - - The hook_fn field should be set to the plugin's hook - implementation. The actual function arguments will vary depending - on the hook_type (see hook_type above). In all cases, the closure - field of struct sudo_hook is passed as the last function parameter. - This can be used to pass arbitrary data to the plugin's hook - implementation. - - The function return value may be one of the following: - - SUDO_HOOK_RET_ERROR - The hook function encountered an error. - - SUDO_HOOK_RET_NEXT - The hook completed without error, go on to the next hook - (including the native implementation if applicable). For - example, a getenv(3) hook might return SUDO_HOOK_RET_NEXT if - the specified variable was not found in the private copy of - the environment. - - SUDO_HOOK_RET_STOP - The hook completed without error, stop processing hooks for - this invocation. This can be used to replace the native - implementation. For example, a setenv hook that operates on - a private copy of the environment but leaves environ - unchanged. - - Note that it is very easy to create an infinite loop when hooking C - library functions. For example, a getenv(3) hook that calls the - snprintf(3) function may create a loop if the snprintf(3) implementation - calls getenv(3) to check the locale. To prevent this, you may wish to - use a static variable in the hook function to guard against nested calls. - For example: - - static int in_progress = 0; /* avoid recursion */ - if (in_progress) - return SUDO_HOOK_RET_NEXT; - in_progress = 1; - ... - in_progress = 0; - return SUDO_HOOK_RET_STOP; - - _H_o_o_k _A_P_I _V_e_r_s_i_o_n _M_a_c_r_o_s - - /* Hook API version major/minor */ - #define SUDO_HOOK_VERSION_MAJOR 1 - #define SUDO_HOOK_VERSION_MINOR 0 - #define SUDO_HOOK_VERSION SUDO_API_MKVERSION(SUDO_HOOK_VERSION_MAJOR,\ - SUDO_HOOK_VERSION_MINOR) - - For getters and setters see the _P_o_l_i_c_y _p_l_u_g_i_n _A_P_I. - - RReemmoottee ccoommmmaanndd eexxeeccuuttiioonn - The ssuuddoo front end does not have native support for running remote - commands. However, starting with ssuuddoo 1.8.8, the --hh option may be used - to specify a remote host that is passed to the policy plugin. A plugin - may also accept a _r_u_n_a_s___u_s_e_r in the form of "user@hostname" which will - work with older versions of ssuuddoo. It is anticipated that remote commands - will be supported by executing a "helper" program. The policy plugin - should setup the execution environment such that the ssuuddoo front end will - run the helper which, in turn, will connect to the remote host and run - the command. - - For example, the policy plugin could utilize sssshh to perform remote - command execution. The helper program would be responsible for running - sssshh with the proper options to use a private key or certificate that the - remote host will accept and run a program on the remote host that would - setup the execution environment accordingly. - - Note that remote ssuuddooeeddiitt functionality must be handled by the policy - plugin, not ssuuddoo itself as the front end has no knowledge that a remote - command is being executed. This may be addressed in a future revision of - the plugin API. - - CCoonnvveerrssaattiioonn AAPPII - If the plugin needs to interact with the user, it may do so via the - ccoonnvveerrssaattiioonn() function. A plugin should not attempt to read directly - from the standard input or the user's tty (neither of which are - guaranteed to exist). The caller must include a trailing newline in msg - if one is to be printed. - - A pprriinnttff()-style function is also available that can be used to display - informational or error messages to the user, which is usually more - convenient for simple messages where no use input is required. - - _C_o_n_v_e_r_s_a_t_i_o_n _f_u_n_c_t_i_o_n _s_t_r_u_c_t_u_r_e_s - - The conversation function takes as arguments pointers to the following - structures: - - struct sudo_conv_message { - #define SUDO_CONV_PROMPT_ECHO_OFF 0x0001 /* do not echo user input */ - #define SUDO_CONV_PROMPT_ECHO_ON 0x0002 /* echo user input */ - #define SUDO_CONV_ERROR_MSG 0x0003 /* error message */ - #define SUDO_CONV_INFO_MSG 0x0004 /* informational message */ - #define SUDO_CONV_PROMPT_MASK 0x0005 /* mask user input */ - #define SUDO_CONV_PROMPT_ECHO_OK 0x1000 /* flag: allow echo if no tty */ - #define SUDO_CONV_PREFER_TTY 0x2000 /* flag: use tty if possible */ - int msg_type; - int timeout; - const char *msg; - }; - - #define SUDO_CONV_REPL_MAX 255 - - struct sudo_conv_reply { - char *reply; - }; - - typedef int (*sudo_conv_callback_fn_t)(int signo, void *closure); - struct sudo_conv_callback { - unsigned int version; - void *closure; - sudo_conv_callback_fn_t on_suspend; - sudo_conv_callback_fn_t on_resume; - }; - - Pointers to the ccoonnvveerrssaattiioonn() and pprriinnttff()-style functions are passed in - to the plugin's ooppeenn() function when the plugin is initialized. The - following type definitions can be used in the declaration of the ooppeenn() - function: - - typedef int (*sudo_conv_t)(int num_msgs, - const struct sudo_conv_message msgs[], - struct sudo_conv_reply replies[], - struct sudo_conv_callback *callback); - - typedef int (*sudo_printf_t)(int msg_type, const char *fmt, ...); - - To use the ccoonnvveerrssaattiioonn() function, the plugin must pass an array of - sudo_conv_message and sudo_conv_reply structures. There must be a struct - sudo_conv_message and struct sudo_conv_reply for each message in the - conversation, that is, both arrays must have the same number of elements. - Each struct sudo_conv_reply must have its _r_e_p_l_y member initialized to - NULL. The struct sudo_conv_callback pointer, if not NULL, should contain - function pointers to be called when the ssuuddoo process is suspended and/or - resumed during conversation input. The _o_n___s_u_s_p_e_n_d and _o_n___r_e_s_u_m_e - functions are called with the signal that caused ssuuddoo to be suspended and - the _c_l_o_s_u_r_e pointer from the struct sudo_conv_callback. These functions - should return 0 on success and -1 on error. On error, the conversation - will end and the conversation function will return a value of -1. The - intended use is to allow the plugin to release resources, such as locks, - that should not be held indefinitely while suspended and then reacquire - them when the process is resumed. Note that the functions are not - actually invoked from within a signal handler. - - The _m_s_g___t_y_p_e must be set to one of the following values: - - SUDO_CONV_PROMPT_ECHO_OFF - Prompt the user for input with echo disabled; this is generally - used for passwords. The reply will be stored in the _r_e_p_l_i_e_s array, - and it will never be NULL. - - SUDO_CONV_PROMPT_ECHO_ON - Prompt the user for input with echo enabled. The reply will be - stored in the _r_e_p_l_i_e_s array, and it will never be NULL. - - SUDO_CONV_ERROR_MSG - Display an error message. The message is written to the standard - error unless the SUDO_CONV_PREFER_TTY flag is set, in which case it - is written to the user's terminal if possible. - - SUDO_CONV_INFO_MSG - Display a message. The message is written to the standard output - unless the SUDO_CONV_PREFER_TTY flag is set, in which case it is - written to the user's terminal if possible. - - SUDO_CONV_PROMPT_MASK - Prompt the user for input but echo an asterisk character for each - character read. The reply will be stored in the _r_e_p_l_i_e_s array, and - it will never be NULL. This can be used to provide visual feedback - to the user while reading sensitive information that should not be - displayed. - - In addition to the above values, the following flag bits may also be set: - - SUDO_CONV_PROMPT_ECHO_OK - Allow input to be read when echo cannot be disabled when the - message type is SUDO_CONV_PROMPT_ECHO_OFF or SUDO_CONV_PROMPT_MASK. - By default, ssuuddoo will refuse to read input if the echo cannot be - disabled for those message types. - - SUDO_CONV_PREFER_TTY - When displaying a message via SUDO_CONV_ERROR_MSG or - SUDO_CONV_INFO_MSG, try to write the message to the user's - terminal. If the terminal is unavailable, the standard error or - standard output will be used, depending upon whether The user's - terminal is always used when possible for input, this flag is only - used for output. SUDO_CONV_ERROR_MSG or SUDO_CONV_INFO_MSG was - used. - - The _t_i_m_e_o_u_t in seconds until the prompt will wait for no more input. A - zero value implies an infinite timeout. - - The plugin is responsible for freeing the reply buffer located in each - struct sudo_conv_reply, if it is not NULL. SUDO_CONV_REPL_MAX represents - the maximum length of the reply buffer (not including the trailing NUL - character). In practical terms, this is the longest password ssuuddoo will - support. It is also useful as a maximum value for the mmeemmsseett__ss() - function when clearing passwords filled in by the conversation function. - - The pprriinnttff()-style function uses the same underlying mechanism as the - ccoonnvveerrssaattiioonn() function but only supports SUDO_CONV_INFO_MSG and - SUDO_CONV_ERROR_MSG for the _m_s_g___t_y_p_e parameter. It can be more - convenient than using the ccoonnvveerrssaattiioonn() function if no user reply is - needed and supports standard pprriinnttff() escape sequences. - - See the sample plugin for an example of the ccoonnvveerrssaattiioonn() function - usage. - - SSuuddooeerrss ggrroouupp pplluuggiinn AAPPII - The ssuuddooeerrss plugin supports its own plugin interface to allow non-Unix - group lookups. This can be used to query a group source other than the - standard Unix group database. Two sample group plugins are bundled with - ssuuddoo, _g_r_o_u_p___f_i_l_e and _s_y_s_t_e_m___g_r_o_u_p, are detailed in sudoers(4). Third - party group plugins include a QAS AD plugin available from Quest - Software. - - A group plugin must declare and populate a sudoers_group_plugin struct in - the global scope. This structure contains pointers to the functions that - implement plugin initialization, cleanup and group lookup. - - struct sudoers_group_plugin { - unsigned int version; - int (*init)(int version, sudo_printf_t sudo_printf, - char *const argv[]); - void (*cleanup)(void); - int (*query)(const char *user, const char *group, - const struct passwd *pwd); - }; - - The sudoers_group_plugin struct has the following fields: - - version - The version field should be set to GROUP_API_VERSION. - - This allows ssuuddooeerrss to determine the API version the group plugin - was built against. - - init - int (*init)(int version, sudo_printf_t plugin_printf, - char *const argv[]); - - The iinniitt() function is called after _s_u_d_o_e_r_s has been parsed but - before any policy checks. It returns 1 on success, 0 on failure - (or if the plugin is not configured), and -1 if a error occurred. - If an error occurs, the plugin may call the pplluuggiinn__pprriinnttff() - function with SUDO_CONF_ERROR_MSG to present additional error - information to the user. - - The function arguments are as follows: - - version - The version passed in by ssuuddooeerrss allows the plugin to - determine the major and minor version number of the group - plugin API supported by ssuuddooeerrss. - - plugin_printf - A pointer to a pprriinnttff()-style function that may be used to - display informational or error message to the user. Returns - the number of characters printed on success and -1 on - failure. - - argv A NULL-terminated array of arguments generated from the - _g_r_o_u_p___p_l_u_g_i_n option in _s_u_d_o_e_r_s. If no arguments were given, - _a_r_g_v will be NULL. - - cleanup - void (*cleanup)(); - - The cclleeaannuupp() function is called when ssuuddooeerrss has finished its - group checks. The plugin should free any memory it has allocated - and close open file handles. - - query - int (*query)(const char *user, const char *group, - const struct passwd *pwd); - - The qquueerryy() function is used to ask the group plugin whether _u_s_e_r - is a member of _g_r_o_u_p. - - The function arguments are as follows: - - user The name of the user being looked up in the external group - database. - - group - The name of the group being queried. - - pwd The password database entry for _u_s_e_r, if any. If _u_s_e_r is not - present in the password database, _p_w_d will be NULL. - - _G_r_o_u_p _A_P_I _V_e_r_s_i_o_n _M_a_c_r_o_s - - /* Sudoers group plugin version major/minor */ - #define GROUP_API_VERSION_MAJOR 1 - #define GROUP_API_VERSION_MINOR 0 - #define GROUP_API_VERSION ((GROUP_API_VERSION_MAJOR << 16) | \ - GROUP_API_VERSION_MINOR) - For getters and setters see the _P_o_l_i_c_y _p_l_u_g_i_n _A_P_I. - -PPLLUUGGIINN AAPPII CCHHAANNGGEELLOOGG - The following revisions have been made to the Sudo Plugin API. - - Version 1.0 - Initial API version. - - Version 1.1 (sudo 1.8.0) - The I/O logging plugin's ooppeenn() function was modified to take the - command_info list as an argument. - - Version 1.2 (sudo 1.8.5) - The Policy and I/O logging plugins' ooppeenn() functions are now passed - a list of plugin parameters if any are specified in sudo.conf(4). - - A simple hooks API has been introduced to allow plugins to hook in - to the system's environment handling functions. - - The init_session Policy plugin function is now passed a pointer to - the user environment which can be updated as needed. This can be - used to merge in environment variables stored in the PAM handle - before a command is run. - - Version 1.3 (sudo 1.8.7) - Support for the _e_x_e_c___b_a_c_k_g_r_o_u_n_d entry has been added to the - command_info list. - - The _m_a_x___g_r_o_u_p_s and _p_l_u_g_i_n___d_i_r entries were added to the settings - list. - - The vveerrssiioonn() and cclloossee() functions are now optional. Previously, - a missing vveerrssiioonn() or cclloossee() function would result in a crash. - If no policy plugin cclloossee() function is defined, a default cclloossee() - function will be provided by the ssuuddoo front end that displays a - warning if the command could not be executed. - - The ssuuddoo front end now installs default signal handlers to trap - common signals while the plugin functions are run. - - Version 1.4 (sudo 1.8.8) - The _r_e_m_o_t_e___h_o_s_t entry was added to the settings list. - - Version 1.5 (sudo 1.8.9) - The _p_r_e_s_e_r_v_e___f_d_s entry was added to the command_info list. - - Version 1.6 (sudo 1.8.11) - The behavior when an I/O logging plugin returns an error (-1) has - changed. Previously, the ssuuddoo front end took no action when the - lloogg__ttttyyiinn(), lloogg__ttttyyoouutt(), lloogg__ssttddiinn(), lloogg__ssttddoouutt(), or - lloogg__ssttddeerrrr() function returned an error. - - The behavior when an I/O logging plugin returns 0 has changed. - Previously, output from the command would be displayed to the - terminal even if an output logging function returned 0. - - Version 1.7 (sudo 1.8.12) - The _p_l_u_g_i_n___p_a_t_h entry was added to the settings list. - - The _d_e_b_u_g___f_l_a_g_s entry now starts with a debug file path name and - may occur multiple times if there are multiple plugin-specific - Debug lines in the sudo.conf(4) file. - - Version 1.8 (sudo 1.8.15) - The _s_u_d_o_e_d_i_t___c_h_e_c_k_d_i_r and _s_u_d_o_e_d_i_t___f_o_l_l_o_w entries were added to the - command_info list. The default value of _s_u_d_o_e_d_i_t___c_h_e_c_k_d_i_r was - changed to true in sudo 1.8.16. - - The sudo _c_o_n_v_e_r_s_a_t_i_o_n function now takes a pointer to a struct - sudo_conv_callback as its fourth argument. The sudo_conv_t - definition has been updated to match. The plugin must specify that - it supports plugin API version 1.8 or higher to receive a - conversation function pointer that supports this argument. - - Version 1.9 (sudo 1.8.16) - The _e_x_e_c_f_d entry was added to the command_info list. - - Version 1.10 (sudo 1.8.19) - The _u_m_a_s_k entry was added to the user_info list. The _i_o_l_o_g___g_r_o_u_p, - _i_o_l_o_g___m_o_d_e, and _i_o_l_o_g___u_s_e_r entries were added to the command_info - list. - - Version 1.11 (sudo 1.8.20) - The _t_i_m_e_o_u_t entry was added to the settings list. - - Version 1.12 (sudo 1.8.21) - The change_winsize field was added to the io_plugin struct. - - Version 1.13 (sudo 1.8.26) - The log_suspend field was added to the io_plugin struct. - -SSEEEE AALLSSOO - sudo.conf(4), sudoers(4), sudo(1m) - -AAUUTTHHOORRSS - Many people have worked on ssuuddoo over the years; this version consists of - code written primarily by: - - Todd C. Miller - - See the CONTRIBUTORS file in the ssuuddoo distribution - (https://www.sudo.ws/contributors.html) for an exhaustive list of people - who have contributed to ssuuddoo. - -BBUUGGSS - If you feel you have found a bug in ssuuddoo, please submit a bug report at - https://bugzilla.sudo.ws/ - -SSUUPPPPOORRTT - Limited free support is available via the sudo-users mailing list, see - https://www.sudo.ws/mailman/listinfo/sudo-users to subscribe or search - the archives. - -DDIISSCCLLAAIIMMEERR - ssuuddoo is provided "AS IS" and any express or implied warranties, - including, but not limited to, the implied warranties of merchantability - and fitness for a particular purpose are disclaimed. See the LICENSE - file distributed with ssuuddoo or https://www.sudo.ws/license.html for - complete details. - -Sudo 1.8.28 October 24, 2018 Sudo 1.8.28 diff --git a/doc/sudoers.cat b/doc/sudoers.cat deleted file mode 100644 index 9231a213a..000000000 --- a/doc/sudoers.cat +++ /dev/null @@ -1,2956 +0,0 @@ -SUDOERS(4) File Formats Manual SUDOERS(4) - -NNAAMMEE - ssuuddooeerrss - default sudo security policy plugin - -DDEESSCCRRIIPPTTIIOONN - The ssuuddooeerrss policy plugin determines a user's ssuuddoo privileges. It is the - default ssuuddoo policy plugin. The policy is driven by the _/_e_t_c_/_s_u_d_o_e_r_s - file or, optionally in LDAP. The policy format is described in detail in - the _S_U_D_O_E_R_S _F_I_L_E _F_O_R_M_A_T section. For information on storing ssuuddooeerrss - policy information in LDAP, please see sudoers.ldap(4). - - CCoonnffiigguurriinngg ssuuddoo..ccoonnff ffoorr ssuuddooeerrss - ssuuddoo consults the sudo.conf(4) file to determine which policy and I/O - logging plugins to load. If no sudo.conf(4) file is present, or if it - contains no Plugin lines, ssuuddooeerrss will be used for policy decisions and - I/O logging. To explicitly configure sudo.conf(4) to use the ssuuddooeerrss - plugin, the following configuration can be used. - - Plugin sudoers_policy sudoers.so - Plugin sudoers_io sudoers.so - - Starting with ssuuddoo 1.8.5, it is possible to specify optional arguments to - the ssuuddooeerrss plugin in the sudo.conf(4) file. These arguments, if - present, should be listed after the path to the plugin (i.e., after - _s_u_d_o_e_r_s_._s_o). Multiple arguments may be specified, separated by white - space. For example: - - Plugin sudoers_policy sudoers.so sudoers_mode=0400 - - The following plugin arguments are supported: - - ldap_conf=pathname - The _l_d_a_p___c_o_n_f argument can be used to override the default path - to the _l_d_a_p_._c_o_n_f file. - - ldap_secret=pathname - The _l_d_a_p___s_e_c_r_e_t argument can be used to override the default - path to the _l_d_a_p_._s_e_c_r_e_t file. - - sudoers_file=pathname - The _s_u_d_o_e_r_s___f_i_l_e argument can be used to override the default - path to the _s_u_d_o_e_r_s file. - - sudoers_uid=uid - The _s_u_d_o_e_r_s___u_i_d argument can be used to override the default - owner of the sudoers file. It should be specified as a numeric - user ID. - - sudoers_gid=gid - The _s_u_d_o_e_r_s___g_i_d argument can be used to override the default - group of the sudoers file. It must be specified as a numeric - group ID (not a group name). - - sudoers_mode=mode - The _s_u_d_o_e_r_s___m_o_d_e argument can be used to override the default - file mode for the sudoers file. It should be specified as an - octal value. - - For more information on configuring sudo.conf(4), please refer to its - manual. - - UUsseerr AAuutthheennttiiccaattiioonn - The ssuuddooeerrss security policy requires that most users authenticate - themselves before they can use ssuuddoo. A password is not required if the - invoking user is root, if the target user is the same as the invoking - user, or if the policy has disabled authentication for the user or - command. Unlike su(1), when ssuuddooeerrss requires authentication, it - validates the invoking user's credentials, not the target user's (or - root's) credentials. This can be changed via the _r_o_o_t_p_w, _t_a_r_g_e_t_p_w and - _r_u_n_a_s_p_w flags, described later. - - If a user who is not listed in the policy tries to run a command via - ssuuddoo, mail is sent to the proper authorities. The address used for such - mail is configurable via the _m_a_i_l_t_o Defaults entry (described later) and - defaults to root. - - Note that no mail will be sent if an unauthorized user tries to run ssuuddoo - with the --ll or --vv option unless there is an authentication error and - either the _m_a_i_l___a_l_w_a_y_s or _m_a_i_l___b_a_d_p_a_s_s flags are enabled. This allows - users to determine for themselves whether or not they are allowed to use - ssuuddoo. All attempts to run ssuuddoo (successful or not) will be logged, - regardless of whether or not mail is sent. - - If ssuuddoo is run by root and the SUDO_USER environment variable is set, the - ssuuddooeerrss policy will use this value to determine who the actual user is. - This can be used by a user to log commands through sudo even when a root - shell has been invoked. It also allows the --ee option to remain useful - even when invoked via a sudo-run script or program. Note, however, that - the _s_u_d_o_e_r_s file lookup is still done for root, not the user specified by - SUDO_USER. - - ssuuddooeerrss uses per-user time stamp files for credential caching. Once a - user has been authenticated, a record is written containing the user ID - that was used to authenticate, the terminal session ID, the start time of - the session leader (or parent process) and a time stamp (using a - monotonic clock if one is available). The user may then use ssuuddoo without - a password for a short period of time (5 minutes unless overridden by the - _t_i_m_e_s_t_a_m_p___t_i_m_e_o_u_t option). By default, ssuuddooeerrss uses a separate record - for each terminal, which means that a user's login sessions are - authenticated separately. The _t_i_m_e_s_t_a_m_p___t_y_p_e option can be used to - select the type of time stamp record ssuuddooeerrss will use. - - LLooggggiinngg - ssuuddooeerrss can log both successful and unsuccessful attempts (as well as - errors) to syslog(3), a log file, or both. By default, ssuuddooeerrss will log - via syslog(3) but this is changeable via the _s_y_s_l_o_g and _l_o_g_f_i_l_e Defaults - settings. See _L_O_G _F_O_R_M_A_T for a description of the log file format. - - ssuuddooeerrss is also capable of running a command in a pseudo-tty and logging - all input and/or output. The standard input, standard output and - standard error can be logged even when not associated with a terminal. - I/O logging is not on by default but can be enabled using the _l_o_g___i_n_p_u_t - and _l_o_g___o_u_t_p_u_t options as well as the LOG_INPUT and LOG_OUTPUT command - tags. See _I_/_O _L_O_G _F_I_L_E_S for details on how I/O log files are stored. - - CCoommmmaanndd eennvviirroonnmmeenntt - Since environment variables can influence program behavior, ssuuddooeerrss - provides a means to restrict which variables from the user's environment - are inherited by the command to be run. There are two distinct ways - ssuuddooeerrss can deal with environment variables. - - By default, the _e_n_v___r_e_s_e_t option is enabled. This causes commands to be - executed with a new, minimal environment. On AIX (and Linux systems - without PAM), the environment is initialized with the contents of the - _/_e_t_c_/_e_n_v_i_r_o_n_m_e_n_t file. On BSD systems, if the _u_s_e___l_o_g_i_n_c_l_a_s_s option is - enabled, the environment is initialized based on the _p_a_t_h and _s_e_t_e_n_v - settings in _/_e_t_c_/_l_o_g_i_n_._c_o_n_f. The HOME, MAIL, SHELL, LOGNAME and USER - environment variables are initialized based on the target user and the - SUDO_* variables are set based on the invoking user. Additional - variables, such as DISPLAY, PATH and TERM, are preserved from the - invoking user's environment if permitted by the _e_n_v___c_h_e_c_k or _e_n_v___k_e_e_p - options. This is effectively a whitelist for environment variables. A - few environment variables are treated specially. If the PATH and TERM - variables are not preserved from the user's environment, they will be set - to default values. The LOGNAME and USER are handled as a single entity. - If one of them is preserved (or removed) from the user's environment, the - other will be as well. If LOGNAME and USER are to be preserved but only - one of them is present in the user's environment, the other will be set - to the same value. This avoids an inconsistent environment where one of - the variables describing the user name is set to the invoking user and - one is set to the target user. Environment variables with a value - beginning with () are removed unless both the name and value parts are - matched by _e_n_v___k_e_e_p or _e_n_v___c_h_e_c_k, as they may be interpreted as functions - by the bbaasshh shell. Prior to version 1.8.11, such variables were always - removed. - - If, however, the _e_n_v___r_e_s_e_t option is disabled, any variables not - explicitly denied by the _e_n_v___c_h_e_c_k and _e_n_v___d_e_l_e_t_e options are inherited - from the invoking process. In this case, _e_n_v___c_h_e_c_k and _e_n_v___d_e_l_e_t_e behave - like a blacklist. Prior to version 1.8.21, environment variables with a - value beginning with () were always removed. Beginning with version - 1.8.21, a pattern in _e_n_v___d_e_l_e_t_e is used to match bbaasshh shell functions - instead. Since it is not possible to blacklist all potentially dangerous - environment variables, use of the default _e_n_v___r_e_s_e_t behavior is - encouraged. - - Environment variables specified by _e_n_v___c_h_e_c_k, _e_n_v___d_e_l_e_t_e, or _e_n_v___k_e_e_p may - include one or more `*' characters which will match zero or more - characters. No other wildcard characters are supported. - - By default, environment variables are matched by name. However, if the - pattern includes an equal sign (`='), both the variables name and value - must match. For example, a bbaasshh shell function could be matched as - follows: - - env_keep += "BASH_FUNC_my_func%%=()*" - - Without the "=()*" suffix, this would not match, as bbaasshh shell functions - are not preserved by default. - - The complete list of environment variables that are preserved or removed, - as modified by global Defaults parameters in _s_u_d_o_e_r_s, is displayed when - ssuuddoo is run by root with the --VV option. Please note that the list of - environment variables to remove varies based on the operating system ssuuddoo - is running on. - - Other ssuuddooeerrss options may influence the command environment, such as - _a_l_w_a_y_s___s_e_t___h_o_m_e, _s_e_c_u_r_e___p_a_t_h, _s_e_t___l_o_g_n_a_m_e, and _s_e_t___h_o_m_e. - - On systems that support PAM where the ppaamm__eennvv module is enabled for ssuuddoo, - variables in the PAM environment may be merged in to the environment. If - a variable in the PAM environment is already present in the user's - environment, the value will only be overridden if the variable was not - preserved by ssuuddooeerrss. When _e_n_v___r_e_s_e_t is enabled, variables preserved - from the invoking user's environment by the _e_n_v___k_e_e_p list take precedence - over those in the PAM environment. When _e_n_v___r_e_s_e_t is disabled, variables - present the invoking user's environment take precedence over those in the - PAM environment unless they match a pattern in the _e_n_v___d_e_l_e_t_e list. - - Note that the dynamic linker on most operating systems will remove - variables that can control dynamic linking from the environment of setuid - executables, including ssuuddoo. Depending on the operating system this may - include _RLD*, DYLD_*, LD_*, LDR_*, LIBPATH, SHLIB_PATH, and others. - These type of variables are removed from the environment before ssuuddoo even - begins execution and, as such, it is not possible for ssuuddoo to preserve - them. - - As a special case, if ssuuddoo's --ii option (initial login) is specified, - ssuuddooeerrss will initialize the environment regardless of the value of - _e_n_v___r_e_s_e_t. The DISPLAY, PATH and TERM variables remain unchanged; HOME, - MAIL, SHELL, USER, and LOGNAME are set based on the target user. On AIX - (and Linux systems without PAM), the contents of _/_e_t_c_/_e_n_v_i_r_o_n_m_e_n_t are - also included. On BSD systems, if the _u_s_e___l_o_g_i_n_c_l_a_s_s flag is enabled, - the _p_a_t_h and _s_e_t_e_n_v variables in _/_e_t_c_/_l_o_g_i_n_._c_o_n_f are also applied. All - other environment variables are removed unless permitted by _e_n_v___k_e_e_p or - _e_n_v___c_h_e_c_k, described above. - - Finally, the _r_e_s_t_r_i_c_t_e_d___e_n_v___f_i_l_e and _e_n_v___f_i_l_e files are applied, if - present. The variables in _r_e_s_t_r_i_c_t_e_d___e_n_v___f_i_l_e are applied first and are - subject to the same restrictions as the invoking user's environment, as - detailed above. The variables in _e_n_v___f_i_l_e are applied last and are not - subject to these restrictions. In both cases, variables present in the - files will only be set to their specified values if they would not - conflict with an existing environment variable. - -SSUUDDOOEERRSS FFIILLEE FFOORRMMAATT - The _s_u_d_o_e_r_s file is composed of two types of entries: aliases (basically - variables) and user specifications (which specify who may run what). - - When multiple entries match for a user, they are applied in order. Where - there are multiple matches, the last match is used (which is not - necessarily the most specific match). - - The _s_u_d_o_e_r_s file grammar will be described below in Extended Backus-Naur - Form (EBNF). Don't despair if you are unfamiliar with EBNF; it is fairly - simple, and the definitions below are annotated. - - QQuuiicckk gguuiiddee ttoo EEBBNNFF - EBNF is a concise and exact way of describing the grammar of a language. - Each EBNF definition is made up of _p_r_o_d_u_c_t_i_o_n _r_u_l_e_s. E.g., - - symbol ::= definition | alternate1 | alternate2 ... - - Each _p_r_o_d_u_c_t_i_o_n _r_u_l_e references others and thus makes up a grammar for - the language. EBNF also contains the following operators, which many - readers will recognize from regular expressions. Do not, however, - confuse them with "wildcard" characters, which have different meanings. - - ? Means that the preceding symbol (or group of symbols) is optional. - That is, it may appear once or not at all. - - * Means that the preceding symbol (or group of symbols) may appear - zero or more times. - - + Means that the preceding symbol (or group of symbols) may appear - one or more times. - - Parentheses may be used to group symbols together. For clarity, we will - use single quotes ('') to designate what is a verbatim character string - (as opposed to a symbol name). - - AAlliiaasseess - There are four kinds of aliases: User_Alias, Runas_Alias, Host_Alias and - Cmnd_Alias. - - Alias ::= 'User_Alias' User_Alias_Spec (':' User_Alias_Spec)* | - 'Runas_Alias' Runas_Alias_Spec (':' Runas_Alias_Spec)* | - 'Host_Alias' Host_Alias_Spec (':' Host_Alias_Spec)* | - 'Cmnd_Alias' Cmnd_Alias_Spec (':' Cmnd_Alias_Spec)* - - User_Alias ::= NAME - - User_Alias_Spec ::= User_Alias '=' User_List - - Runas_Alias ::= NAME - - Runas_Alias_Spec ::= Runas_Alias '=' Runas_List - - Host_Alias ::= NAME - - Host_Alias_Spec ::= Host_Alias '=' Host_List - - Cmnd_Alias ::= NAME - - Cmnd_Alias_Spec ::= Cmnd_Alias '=' Cmnd_List - - NAME ::= [A-Z]([A-Z][0-9]_)* - - Each _a_l_i_a_s definition is of the form - - Alias_Type NAME = item1, item2, ... - - where _A_l_i_a_s___T_y_p_e is one of User_Alias, Runas_Alias, Host_Alias, or - Cmnd_Alias. A NAME is a string of uppercase letters, numbers, and - underscore characters (`_'). A NAME mmuusstt start with an uppercase letter. - It is possible to put several alias definitions of the same type on a - single line, joined by a colon (`:'). E.g., - - Alias_Type NAME = item1, item2, item3 : NAME = item4, item5 - - It is a syntax error to redefine an existing _a_l_i_a_s. It is possible to - use the same name for _a_l_i_a_s_e_s of different types, but this is not - recommended. - - The definitions of what constitutes a valid _a_l_i_a_s member follow. - - User_List ::= User | - User ',' User_List - - User ::= '!'* user name | - '!'* #uid | - '!'* %group | - '!'* %#gid | - '!'* +netgroup | - '!'* %:nonunix_group | - '!'* %:#nonunix_gid | - '!'* User_Alias - - A User_List is made up of one or more user names, user IDs (prefixed with - `#'), system group names and IDs (prefixed with `%' and `%#' - respectively), netgroups (prefixed with `+'), non-Unix group names and - IDs (prefixed with `%:' and `%:#' respectively) and User_Aliases. Each - list item may be prefixed with zero or more `!' operators. An odd number - of `!' operators negate the value of the item; an even number just cancel - each other out. User netgroups are matched using the user and domain - members only; the host member is not used when matching. - - A user name, uid, group, gid, netgroup, nonunix_group or nonunix_gid may - be enclosed in double quotes to avoid the need for escaping special - characters. Alternately, special characters may be specified in escaped - hex mode, e.g., \x20 for space. When using double quotes, any prefix - characters must be included inside the quotes. - - The actual nonunix_group and nonunix_gid syntax depends on the underlying - group provider plugin. For instance, the QAS AD plugin supports the - following formats: - - ++oo Group in the same domain: "%:Group Name" - - ++oo Group in any domain: "%:Group Name@FULLY.QUALIFIED.DOMAIN" - - ++oo Group SID: "%:S-1-2-34-5678901234-5678901234-5678901234-567" - - See _G_R_O_U_P _P_R_O_V_I_D_E_R _P_L_U_G_I_N_S for more information. - - Note that quotes around group names are optional. Unquoted strings must - use a backslash (`\') to escape spaces and special characters. See _O_t_h_e_r - _s_p_e_c_i_a_l _c_h_a_r_a_c_t_e_r_s _a_n_d _r_e_s_e_r_v_e_d _w_o_r_d_s for a list of characters that need - to be escaped. - - Runas_List ::= Runas_Member | - Runas_Member ',' Runas_List - - Runas_Member ::= '!'* user name | - '!'* #uid | - '!'* %group | - '!'* %#gid | - '!'* %:nonunix_group | - '!'* %:#nonunix_gid | - '!'* +netgroup | - '!'* Runas_Alias - - A Runas_List is similar to a User_List except that instead of - User_Aliases it can contain Runas_Aliases. Note that user names and - groups are matched as strings. In other words, two users (groups) with - the same uid (gid) are considered to be distinct. If you wish to match - all user names with the same uid (e.g., root and toor), you can use a uid - instead (#0 in the example given). - - Host_List ::= Host | - Host ',' Host_List - - Host ::= '!'* host name | - '!'* ip_addr | - '!'* network(/netmask)? | - '!'* +netgroup | - '!'* Host_Alias - - A Host_List is made up of one or more host names, IP addresses, network - numbers, netgroups (prefixed with `+') and other aliases. Again, the - value of an item may be negated with the `!' operator. Host netgroups - are matched using the host (both qualified and unqualified) and domain - members only; the user member is not used when matching. If you specify - a network number without a netmask, ssuuddoo will query each of the local - host's network interfaces and, if the network number corresponds to one - of the hosts's network interfaces, will use the netmask of that - interface. The netmask may be specified either in standard IP address - notation (e.g., 255.255.255.0 or ffff:ffff:ffff:ffff::), or CIDR notation - (number of bits, e.g., 24 or 64). A host name may include shell-style - wildcards (see the _W_i_l_d_c_a_r_d_s section below), but unless the host name - command on your machine returns the fully qualified host name, you'll - need to use the _f_q_d_n option for wildcards to be useful. Note that ssuuddoo - only inspects actual network interfaces; this means that IP address - 127.0.0.1 (localhost) will never match. Also, the host name "localhost" - will only match if that is the actual host name, which is usually only - the case for non-networked systems. - - digest ::= [A-Fa-f0-9]+ | - [A-Za-z0-9\+/=]+ - - Digest_Spec ::= "sha224" ':' digest | - "sha256" ':' digest | - "sha384" ':' digest | - "sha512" ':' digest - - Cmnd_List ::= Cmnd | - Cmnd ',' Cmnd_List - - command name ::= file name | - file name args | - file name '""' - - Cmnd ::= Digest_Spec? '!'* command name | - '!'* directory | - '!'* "sudoedit" | - '!'* Cmnd_Alias - - A Cmnd_List is a list of one or more command names, directories, and - other aliases. A command name is a fully qualified file name which may - include shell-style wildcards (see the _W_i_l_d_c_a_r_d_s section below). A - simple file name allows the user to run the command with any arguments - they wish. However, you may also specify command line arguments - (including wildcards). Alternately, you can specify "" to indicate that - the command may only be run wwiitthhoouutt command line arguments. A directory - is a fully qualified path name ending in a `/'. When you specify a - directory in a Cmnd_List, the user will be able to run any file within - that directory (but not in any sub-directories therein). - - If a Cmnd has associated command line arguments, then the arguments in - the Cmnd must match exactly those given by the user on the command line - (or match the wildcards if there are any). Note that the following - characters must be escaped with a `\' if they are used in command - arguments: `,', `:', `=', `\'. The built-in command "sudoedit" is used - to permit a user to run ssuuddoo with the --ee option (or as ssuuddooeeddiitt). It may - take command line arguments just as a normal command does. Note that - "sudoedit" is a command built into ssuuddoo itself and must be specified in - the _s_u_d_o_e_r_s file without a leading path. - - If a command name is prefixed with a Digest_Spec, the command will only - match successfully if it can be verified using the specified SHA-2 - digest. The following digest formats are supported: sha224, sha256, - sha384 and sha512. The string may be specified in either hex or base64 - format (base64 is more compact). There are several utilities capable of - generating SHA-2 digests in hex format such as openssl, shasum, - sha224sum, sha256sum, sha384sum, sha512sum. - - For example, using openssl: - - $ openssl dgst -sha224 /bin/ls - SHA224(/bin/ls)= 118187da8364d490b4a7debbf483004e8f3e053ec954309de2c41a25 - - It is also possible to use openssl to generate base64 output: - - $ openssl dgst -binary -sha224 /bin/ls | openssl base64 - EYGH2oNk1JC0p9679IMATo8+BT7JVDCd4sQaJQ== - - Warning, if the user has write access to the command itself (directly or - via a ssuuddoo command), it may be possible for the user to replace the - command after the digest check has been performed but before the command - is executed. A similar race condition exists on systems that lack the - fexecve(2) system call when the directory in which the command is located - is writable by the user. See the description of the _f_d_e_x_e_c setting for - more information on how ssuuddoo executes commands that have an associated - digest. - - Command digests are only supported by version 1.8.7 or higher. - - DDeeffaauullttss - Certain configuration options may be changed from their default values at - run-time via one or more Default_Entry lines. These may affect all users - on any host, all users on a specific host, a specific user, a specific - command, or commands being run as a specific user. Note that per-command - entries may not include command line arguments. If you need to specify - arguments, define a Cmnd_Alias and reference that instead. - - Default_Type ::= 'Defaults' | - 'Defaults' '@' Host_List | - 'Defaults' ':' User_List | - 'Defaults' '!' Cmnd_List | - 'Defaults' '>' Runas_List - - Default_Entry ::= Default_Type Parameter_List - - Parameter_List ::= Parameter | - Parameter ',' Parameter_List - - Parameter ::= Parameter '=' Value | - Parameter '+=' Value | - Parameter '-=' Value | - '!'* Parameter - - Parameters may be ffllaaggss, iinntteeggeerr values, ssttrriinnggss, or lliissttss. Flags are - implicitly boolean and can be turned off via the `!' operator. Some - integer, string and list parameters may also be used in a boolean context - to disable them. Values may be enclosed in double quotes ("") when they - contain multiple words. Special characters may be escaped with a - backslash (`\'). - - Lists have two additional assignment operators, += and -=. These - operators are used to add to and delete from a list respectively. It is - not an error to use the -= operator to remove an element that does not - exist in a list. - - Defaults entries are parsed in the following order: generic, host, user - and runas Defaults first, then command defaults. If there are multiple - Defaults settings of the same type, the last matching setting is used. - The following Defaults settings are parsed before all others since they - may affect subsequent entries: _f_q_d_n, _g_r_o_u_p___p_l_u_g_i_n, _r_u_n_a_s___d_e_f_a_u_l_t, - _s_u_d_o_e_r_s___l_o_c_a_l_e. - - See _S_U_D_O_E_R_S _O_P_T_I_O_N_S for a list of supported Defaults parameters. - - UUsseerr ssppeecciiffiiccaattiioonn - User_Spec ::= User_List Host_List '=' Cmnd_Spec_List \ - (':' Host_List '=' Cmnd_Spec_List)* - - Cmnd_Spec_List ::= Cmnd_Spec | - Cmnd_Spec ',' Cmnd_Spec_List - - Cmnd_Spec ::= Runas_Spec? Option_Spec* Tag_Spec* Cmnd - - Runas_Spec ::= '(' Runas_List? (':' Runas_List)? ')' - - Option_Spec ::= (SELinux_Spec | Solaris_Priv_Spec | Date_Spec | Timeout_Spec) - - SELinux_Spec ::= ('ROLE=role' | 'TYPE=type') - - Solaris_Priv_Spec ::= ('PRIVS=privset' | 'LIMITPRIVS=privset') - - Date_Spec ::= ('NOTBEFORE=timestamp' | 'NOTAFTER=timestamp') - - Timeout_Spec ::= 'TIMEOUT=timeout' - - Tag_Spec ::= ('EXEC:' | 'NOEXEC:' | 'FOLLOW:' | 'NOFOLLOW' | - 'LOG_INPUT:' | 'NOLOG_INPUT:' | 'LOG_OUTPUT:' | - 'NOLOG_OUTPUT:' | 'MAIL:' | 'NOMAIL:' | 'PASSWD:' | - 'NOPASSWD:' | 'SETENV:' | 'NOSETENV:') - - A uusseerr ssppeecciiffiiccaattiioonn determines which commands a user may run (and as - what user) on specified hosts. By default, commands are run as rroooott, but - this can be changed on a per-command basis. - - The basic structure of a user specification is "who where = (as_whom) - what". Let's break that down into its constituent parts: - - RRuunnaass__SSppeecc - A Runas_Spec determines the user and/or the group that a command may be - run as. A fully-specified Runas_Spec consists of two Runas_Lists (as - defined above) separated by a colon (`:') and enclosed in a set of - parentheses. The first Runas_List indicates which users the command may - be run as via ssuuddoo's --uu option. The second defines a list of groups that - can be specified via ssuuddoo's --gg option in addition to any of the target - user's groups. If both Runas_Lists are specified, the command may be run - with any combination of users and groups listed in their respective - Runas_Lists. If only the first is specified, the command may be run as - any user in the list but no --gg option may be specified. If the first - Runas_List is empty but the second is specified, the command may be run - as the invoking user with the group set to any listed in the Runas_List. - If both Runas_Lists are empty, the command may only be run as the - invoking user. If no Runas_Spec is specified the command may be run as - rroooott and no group may be specified. - - A Runas_Spec sets the default for the commands that follow it. What this - means is that for the entry: - - dgb boulder = (operator) /bin/ls, /bin/kill, /usr/bin/lprm - - The user ddggbb may run _/_b_i_n_/_l_s, _/_b_i_n_/_k_i_l_l, and _/_u_s_r_/_b_i_n_/_l_p_r_m on the host - boulder--but only as ooppeerraattoorr. E.g., - - $ sudo -u operator /bin/ls - - It is also possible to override a Runas_Spec later on in an entry. If we - modify the entry like so: - - dgb boulder = (operator) /bin/ls, (root) /bin/kill, /usr/bin/lprm - - Then user ddggbb is now allowed to run _/_b_i_n_/_l_s as ooppeerraattoorr, but _/_b_i_n_/_k_i_l_l - and _/_u_s_r_/_b_i_n_/_l_p_r_m as rroooott. - - We can extend this to allow ddggbb to run /bin/ls with either the user or - group set to ooppeerraattoorr: - - dgb boulder = (operator : operator) /bin/ls, (root) /bin/kill,\ - /usr/bin/lprm - - Note that while the group portion of the Runas_Spec permits the user to - run as command with that group, it does not force the user to do so. If - no group is specified on the command line, the command will run with the - group listed in the target user's password database entry. The following - would all be permitted by the sudoers entry above: - - $ sudo -u operator /bin/ls - $ sudo -u operator -g operator /bin/ls - $ sudo -g operator /bin/ls - - In the following example, user ttccmm may run commands that access a modem - device file with the dialer group. - - tcm boulder = (:dialer) /usr/bin/tip, /usr/bin/cu,\ - /usr/local/bin/minicom - - Note that in this example only the group will be set, the command still - runs as user ttccmm. E.g. - - $ sudo -g dialer /usr/bin/cu - - Multiple users and groups may be present in a Runas_Spec, in which case - the user may select any combination of users and groups via the --uu and --gg - options. In this example: - - alan ALL = (root, bin : operator, system) ALL - - user aallaann may run any command as either user root or bin, optionally - setting the group to operator or system. - - OOppttiioonn__SSppeecc - A Cmnd may have zero or more options associated with it. Options may - consist of SELinux roles and/or types, Solaris privileges sets, start - and/or end dates and command timeouts. Once an option is set for a Cmnd, - subsequent Cmnds in the Cmnd_Spec_List, inherit that option unless it is - overridden by another option. - - SSEELLiinnuuxx__SSppeecc - On systems with SELinux support, _s_u_d_o_e_r_s file entries may optionally have - an SELinux role and/or type associated with a command. If a role or type - is specified with the command it will override any default values - specified in _s_u_d_o_e_r_s. A role or type specified on the command line, - however, will supersede the values in _s_u_d_o_e_r_s. - - SSoollaarriiss__PPrriivv__SSppeecc - On Solaris systems, _s_u_d_o_e_r_s file entries may optionally specify Solaris - privilege set and/or limit privilege set associated with a command. If - privileges or limit privileges are specified with the command it will - override any default values specified in _s_u_d_o_e_r_s. - - A privilege set is a comma-separated list of privilege names. The - ppriv(1) command can be used to list all privileges known to the system. - For example: - - $ ppriv -l - - In addition, there are several "special" privilege strings: - - none the empty set - - all the set of all privileges - - zone the set of all privileges available in the current zone - - basic the default set of privileges normal users are granted at login - time - - Privileges can be excluded from a set by prefixing the privilege name - with either an `!' or `-' character. - - DDaattee__SSppeecc - ssuuddooeerrss rules can be specified with a start and end date via the - NOTBEFORE and NOTAFTER settings. The time stamp must be specified in - _G_e_n_e_r_a_l_i_z_e_d _T_i_m_e as defined by RFC 4517. The format is effectively - yyyymmddHHMMSSZ where the minutes and seconds are optional. The `Z' - suffix indicates that the time stamp is in Coordinated Universal Time - (UTC). It is also possible to specify a timezone offset from UTC in - hours and minutes instead of a `Z'. For example, `-0500' would - correspond to Eastern Standard time in the US. As an extension, if no - `Z' or timezone offset is specified, local time will be used. - - The following are all valid time stamps: - - 20170214083000Z - 2017021408Z - 20160315220000-0500 - 20151201235900 - - TTiimmeeoouutt__SSppeecc - A command may have a timeout associated with it. If the timeout expires - before the command has exited, the command will be terminated. The - timeout may be specified in combinations of days, hours, minutes and - seconds with a single-letter case-insensitive suffix that indicates the - unit of time. For example, a timeout of 7 days, 8 hours, 30 minutes and - 10 seconds would be written as 7d8h30m10s. If a number is specified - without a unit, seconds are assumed. Any of the days, minutes, hours or - seconds may be omitted. The order must be from largest to smallest unit - and a unit may not be specified more than once. - - The following are all _v_a_l_i_d timeout values: 7d8h30m10s, 14d, 8h30m, 600s, - 3600. The following are _i_n_v_a_l_i_d timeout values: 12m2w1d, 30s10m4h, - 1d2d3h. - - This option is only supported by version 1.8.20 or higher. - - TTaagg__SSppeecc - A command may have zero or more tags associated with it. The following - tag values are supported: EXEC, NOEXEC, FOLLOW, NOFOLLOW, LOG_INPUT, - NOLOG_INPUT, LOG_OUTPUT, NOLOG_OUTPUT, MAIL, NOMAIL, PASSWD, NOPASSWD, - SETENV, and NOSETENV. Once a tag is set on a Cmnd, subsequent Cmnds in - the Cmnd_Spec_List, inherit the tag unless it is overridden by the - opposite tag (in other words, PASSWD overrides NOPASSWD and NOEXEC - overrides EXEC). - - _E_X_E_C and _N_O_E_X_E_C - - If ssuuddoo has been compiled with _n_o_e_x_e_c support and the underlying - operating system supports it, the NOEXEC tag can be used to prevent a - dynamically-linked executable from running further commands itself. - - In the following example, user aaaarroonn may run _/_u_s_r_/_b_i_n_/_m_o_r_e and - _/_u_s_r_/_b_i_n_/_v_i but shell escapes will be disabled. - - aaron shanty = NOEXEC: /usr/bin/more, /usr/bin/vi - - See the _P_r_e_v_e_n_t_i_n_g _s_h_e_l_l _e_s_c_a_p_e_s section below for more details on how - NOEXEC works and whether or not it will work on your system. - - _F_O_L_L_O_W and _N_O_F_O_L_L_O_W Starting with version 1.8.15, ssuuddooeeddiitt will not open - a file that is a symbolic link unless the _s_u_d_o_e_d_i_t___f_o_l_l_o_w option is - enabled. The _F_O_L_L_O_W and _N_O_F_O_L_L_O_W tags override the value of - _s_u_d_o_e_d_i_t___f_o_l_l_o_w and can be used to permit (or deny) the editing of - symbolic links on a per-command basis. These tags are only effective - for the _s_u_d_o_e_d_i_t command and are ignored for all other commands. - - _L_O_G___I_N_P_U_T and _N_O_L_O_G___I_N_P_U_T - - These tags override the value of the _l_o_g___i_n_p_u_t option on a per-command - basis. For more information, see the description of _l_o_g___i_n_p_u_t in the - _S_U_D_O_E_R_S _O_P_T_I_O_N_S section below. - - _L_O_G___O_U_T_P_U_T and _N_O_L_O_G___O_U_T_P_U_T - - These tags override the value of the _l_o_g___o_u_t_p_u_t option on a per-command - basis. For more information, see the description of _l_o_g___o_u_t_p_u_t in the - _S_U_D_O_E_R_S _O_P_T_I_O_N_S section below. - - _M_A_I_L and _N_O_M_A_I_L - - These tags provide fine-grained control over whether mail will be sent - when a user runs a command by overriding the value of the - _m_a_i_l___a_l_l___c_m_n_d_s option on a per-command basis. They have no effect when - ssuuddoo is run with the --ll or --vv options. A _N_O_M_A_I_L tag will also override - the _m_a_i_l___a_l_w_a_y_s and _m_a_i_l___n_o___p_e_r_m_s options. For more information, see - the descriptions of _m_a_i_l___a_l_l___c_m_n_d_s, _m_a_i_l___a_l_w_a_y_s, and _m_a_i_l___n_o___p_e_r_m_s in - the _S_U_D_O_E_R_S _O_P_T_I_O_N_S section below. - - _P_A_S_S_W_D and _N_O_P_A_S_S_W_D - - By default, ssuuddoo requires that a user authenticate him or herself - before running a command. This behavior can be modified via the - NOPASSWD tag. Like a Runas_Spec, the NOPASSWD tag sets a default for - the commands that follow it in the Cmnd_Spec_List. Conversely, the - PASSWD tag can be used to reverse things. For example: - - ray rushmore = NOPASSWD: /bin/kill, /bin/ls, /usr/bin/lprm - - would allow the user rraayy to run _/_b_i_n_/_k_i_l_l, _/_b_i_n_/_l_s, and _/_u_s_r_/_b_i_n_/_l_p_r_m - as rroooott on the machine rushmore without authenticating himself. If we - only want rraayy to be able to run _/_b_i_n_/_k_i_l_l without a password the entry - would be: - - ray rushmore = NOPASSWD: /bin/kill, PASSWD: /bin/ls, /usr/bin/lprm - - Note, however, that the PASSWD tag has no effect on users who are in - the group specified by the _e_x_e_m_p_t___g_r_o_u_p option. - - By default, if the NOPASSWD tag is applied to any of a user's entries - for the current host, the user will be able to run "sudo -l" without a - password. Additionally, a user may only run "sudo -v" without a - password if all of the user's entries for the current host have the - NOPASSWD tag. This behavior may be overridden via the _v_e_r_i_f_y_p_w and - _l_i_s_t_p_w options. - - _S_E_T_E_N_V and _N_O_S_E_T_E_N_V - - These tags override the value of the _s_e_t_e_n_v option on a per-command - basis. Note that if SETENV has been set for a command, the user may - disable the _e_n_v___r_e_s_e_t option from the command line via the --EE option. - Additionally, environment variables set on the command line are not - subject to the restrictions imposed by _e_n_v___c_h_e_c_k, _e_n_v___d_e_l_e_t_e, or - _e_n_v___k_e_e_p. As such, only trusted users should be allowed to set - variables in this manner. If the command matched is AALLLL, the SETENV - tag is implied for that command; this default may be overridden by use - of the NOSETENV tag. - - WWiillddccaarrddss - ssuuddoo allows shell-style _w_i_l_d_c_a_r_d_s (aka meta or glob characters) to be - used in host names, path names and command line arguments in the _s_u_d_o_e_r_s - file. Wildcard matching is done via the glob(3) and fnmatch(3) functions - as specified by IEEE Std 1003.1 ("POSIX.1"). - - * Matches any set of zero or more characters (including white - space). - - ? Matches any single character (including white space). - - [...] Matches any character in the specified range. - - [!...] Matches any character _n_o_t in the specified range. - - \x For any character `x', evaluates to `x'. This is used to - escape special characters such as: `*', `?', `[', and `]'. - - NNoottee tthhaatt tthheessee aarree nnoott rreegguullaarr eexxpprreessssiioonnss.. Unlike a regular expression - there is no way to match one or more characters within a range. - - Character classes may be used if your system's glob(3) and fnmatch(3) - functions support them. However, because the `:' character has special - meaning in _s_u_d_o_e_r_s, it must be escaped. For example: - - /bin/ls [[\:alpha\:]]* - - Would match any file name beginning with a letter. - - Note that a forward slash (`/') will _n_o_t be matched by wildcards used in - the file name portion of the command. This is to make a path like: - - /usr/bin/* - - match _/_u_s_r_/_b_i_n_/_w_h_o but not _/_u_s_r_/_b_i_n_/_X_1_1_/_x_t_e_r_m. - - When matching the command line arguments, however, a slash _d_o_e_s get - matched by wildcards since command line arguments may contain arbitrary - strings and not just path names. - - WWiillddccaarrddss iinn ccoommmmaanndd lliinnee aarrgguummeennttss sshhoouulldd bbee uusseedd wwiitthh ccaarree.. - Command line arguments are matched as a single, concatenated string. - This mean a wildcard character such as `?' or `*' will match across word - boundaries, which may be unexpected. For example, while a sudoers entry - like: - - %operator ALL = /bin/cat /var/log/messages* - - will allow command like: - - $ sudo cat /var/log/messages.1 - - It will also allow: - - $ sudo cat /var/log/messages /etc/shadow - - which is probably not what was intended. In most cases it is better to - do command line processing outside of the _s_u_d_o_e_r_s file in a scripting - language. - - EExxcceeppttiioonnss ttoo wwiillddccaarrdd rruulleess - The following exceptions apply to the above rules: - - "" If the empty string "" is the only command line argument in the - _s_u_d_o_e_r_s file entry it means that command is not allowed to be - run with _a_n_y arguments. - - sudoedit Command line arguments to the _s_u_d_o_e_d_i_t built-in command should - always be path names, so a forward slash (`/') will not be - matched by a wildcard. - - IInncclluuddiinngg ootthheerr ffiilleess ffrroomm wwiitthhiinn ssuuddooeerrss - It is possible to include other _s_u_d_o_e_r_s files from within the _s_u_d_o_e_r_s - file currently being parsed using the #include and #includedir - directives. - - This can be used, for example, to keep a site-wide _s_u_d_o_e_r_s file in - addition to a local, per-machine file. For the sake of this example the - site-wide _s_u_d_o_e_r_s file will be _/_e_t_c_/_s_u_d_o_e_r_s and the per-machine one will - be _/_e_t_c_/_s_u_d_o_e_r_s_._l_o_c_a_l. To include _/_e_t_c_/_s_u_d_o_e_r_s_._l_o_c_a_l from within - _/_e_t_c_/_s_u_d_o_e_r_s we would use the following line in _/_e_t_c_/_s_u_d_o_e_r_s: - - #include /etc/sudoers.local - - When ssuuddoo reaches this line it will suspend processing of the current - file (_/_e_t_c_/_s_u_d_o_e_r_s) and switch to _/_e_t_c_/_s_u_d_o_e_r_s_._l_o_c_a_l. Upon reaching the - end of _/_e_t_c_/_s_u_d_o_e_r_s_._l_o_c_a_l, the rest of _/_e_t_c_/_s_u_d_o_e_r_s will be processed. - Files that are included may themselves include other files. A hard limit - of 128 nested include files is enforced to prevent include file loops. - - If the path to the include file is not fully-qualified (does not begin - with a `/'), it must be located in the same directory as the sudoers file - it was included from. For example, if _/_e_t_c_/_s_u_d_o_e_r_s contains the line: - - #include sudoers.local - - the file that will be included is _/_e_t_c_/_s_u_d_o_e_r_s_._l_o_c_a_l. - - The file name may also include the %h escape, signifying the short form - of the host name. In other words, if the machine's host name is - "xerxes", then - - #include /etc/sudoers.%h - - will cause ssuuddoo to include the file _/_e_t_c_/_s_u_d_o_e_r_s_._x_e_r_x_e_s. - - The #includedir directive can be used to create a _s_u_d_o_e_r_s_._d directory - that the system package manager can drop _s_u_d_o_e_r_s file rules into as part - of package installation. For example, given: - - #includedir /etc/sudoers.d - - ssuuddoo will suspend processing of the current file and read each file in - _/_e_t_c_/_s_u_d_o_e_r_s_._d, skipping file names that end in `~' or contain a `.' - character to avoid causing problems with package manager or editor - temporary/backup files. Files are parsed in sorted lexical order. That - is, _/_e_t_c_/_s_u_d_o_e_r_s_._d_/_0_1___f_i_r_s_t will be parsed before - _/_e_t_c_/_s_u_d_o_e_r_s_._d_/_1_0___s_e_c_o_n_d. Be aware that because the sorting is lexical, - not numeric, _/_e_t_c_/_s_u_d_o_e_r_s_._d_/_1___w_h_o_o_p_s would be loaded _a_f_t_e_r - _/_e_t_c_/_s_u_d_o_e_r_s_._d_/_1_0___s_e_c_o_n_d. Using a consistent number of leading zeroes in - the file names can be used to avoid such problems. After parsing the - files in the directory, control returns to the file that contained the - #includedir directive. - - Note that unlike files included via #include, vviissuuddoo will not edit the - files in a #includedir directory unless one of them contains a syntax - error. It is still possible to run vviissuuddoo with the --ff flag to edit the - files directly, but this will not catch the redefinition of an _a_l_i_a_s that - is also present in a different file. - - OOtthheerr ssppeecciiaall cchhaarraacctteerrss aanndd rreesseerrvveedd wwoorrddss - The pound sign (`#') is used to indicate a comment (unless it is part of - a #include directive or unless it occurs in the context of a user name - and is followed by one or more digits, in which case it is treated as a - uid). Both the comment character and any text after it, up to the end of - the line, are ignored. - - The reserved word AALLLL is a built-in _a_l_i_a_s that always causes a match to - succeed. It can be used wherever one might otherwise use a Cmnd_Alias, - User_Alias, Runas_Alias, or Host_Alias. You should not try to define - your own _a_l_i_a_s called AALLLL as the built-in alias will be used in - preference to your own. Please note that using AALLLL can be dangerous - since in a command context, it allows the user to run _a_n_y command on the - system. - - An exclamation point (`!') can be used as a logical _n_o_t operator in a - list or _a_l_i_a_s as well as in front of a Cmnd. This allows one to exclude - certain values. For the `!' operator to be effective, there must be - something for it to exclude. For example, to match all users except for - root one would use: - - ALL,!root - - If the AALLLL, is omitted, as in: - - !root - - it would explicitly deny root but not match any other users. This is - different from a true "negation" operator. - - Note, however, that using a `!' in conjunction with the built-in AALLLL - alias to allow a user to run "all but a few" commands rarely works as - intended (see _S_E_C_U_R_I_T_Y _N_O_T_E_S below). - - Long lines can be continued with a backslash (`\') as the last character - on the line. - - White space between elements in a list as well as special syntactic - characters in a _U_s_e_r _S_p_e_c_i_f_i_c_a_t_i_o_n (`=', `:', `(', `)') is optional. - - The following characters must be escaped with a backslash (`\') when used - as part of a word (e.g., a user name or host name): `!', `=', `:', `,', - `(', `)', `\'. - -SSUUDDOOEERRSS OOPPTTIIOONNSS - ssuuddoo's behavior can be modified by Default_Entry lines, as explained - earlier. A list of all supported Defaults parameters, grouped by type, - are listed below. - - BBoooolleeaann FFllaaggss: - - always_query_group_plugin - If a _g_r_o_u_p___p_l_u_g_i_n is configured, use it to resolve - groups of the form %group as long as there is not also - a system group of the same name. Normally, only groups - of the form %:group are passed to the _g_r_o_u_p___p_l_u_g_i_n. - This flag is _o_f_f by default. - - always_set_home If enabled, ssuuddoo will set the HOME environment variable - to the home directory of the target user (which is root - unless the --uu option is used). This effectively means - that the --HH option is always implied. Note that by - default, HOME will be set to the home directory of the - target user when the _e_n_v___r_e_s_e_t option is enabled, so - _a_l_w_a_y_s___s_e_t___h_o_m_e only has an effect for configurations - where either _e_n_v___r_e_s_e_t is disabled or HOME is present - in the _e_n_v___k_e_e_p list. This flag is _o_f_f by default. - - authenticate If set, users must authenticate themselves via a - password (or other means of authentication) before they - may run commands. This default may be overridden via - the PASSWD and NOPASSWD tags. This flag is _o_n by - default. - - case_insensitive_group - If enabled, group names in _s_u_d_o_e_r_s will be matched in a - case insensitive manner. This may be necessary when - users are stored in LDAP or AD. This flag is _o_n by - default. - - case_insensitive_user - If enabled, user names in _s_u_d_o_e_r_s will be matched in a - case insensitive manner. This may be necessary when - groups are stored in LDAP or AD. This flag is _o_n by - default. - - closefrom_override - If set, the user may use ssuuddoo's --CC option which - overrides the default starting point at which ssuuddoo - begins closing open file descriptors. This flag is _o_f_f - by default. - - compress_io If set, and ssuuddoo is configured to log a command's input - or output, the I/O logs will be compressed using zzlliibb. - This flag is _o_n by default when ssuuddoo is compiled with - zzlliibb support. - - exec_background By default, ssuuddoo runs a command as the foreground - process as long as ssuuddoo itself is running in the - foreground. When the _e_x_e_c___b_a_c_k_g_r_o_u_n_d flag is enabled - and the command is being run in a pty (due to I/O - logging or the _u_s_e___p_t_y flag), the command will be run - as a background process. Attempts to read from the - controlling terminal (or to change terminal settings) - will result in the command being suspended with the - SIGTTIN signal (or SIGTTOU in the case of terminal - settings). If this happens when ssuuddoo is a foreground - process, the command will be granted the controlling - terminal and resumed in the foreground with no user - intervention required. The advantage of initially - running the command in the background is that ssuuddoo need - not read from the terminal unless the command - explicitly requests it. Otherwise, any terminal input - must be passed to the command, whether it has required - it or not (the kernel buffers terminals so it is not - possible to tell whether the command really wants the - input). This is different from historic _s_u_d_o behavior - or when the command is not being run in a pty. - - For this to work seamlessly, the operating system must - support the automatic restarting of system calls. - Unfortunately, not all operating systems do this by - default, and even those that do may have bugs. For - example, macOS fails to restart the ttccggeettaattttrr() and - ttccsseettaattttrr() system calls (this is a bug in macOS). - Furthermore, because this behavior depends on the - command stopping with the SIGTTIN or SIGTTOU signals, - programs that catch these signals and suspend - themselves with a different signal (usually SIGTOP) - will not be automatically foregrounded. Some versions - of the linux su(1) command behave this way. This flag - is _o_f_f by default. - - This setting is only supported by version 1.8.7 or - higher. It has no effect unless I/O logging is enabled - or the _u_s_e___p_t_y flag is enabled. - - env_editor If set, vviissuuddoo will use the value of the SUDO_EDITOR, - VISUAL or EDITOR environment variables before falling - back on the default editor list. Note that vviissuuddoo is - typically run as root so this option may allow a user - with vviissuuddoo privileges to run arbitrary commands as - root without logging. An alternative is to place a - colon-separated list of "safe" editors int the _e_d_i_t_o_r - variable. vviissuuddoo will then only use SUDO_EDITOR, - VISUAL or EDITOR if they match a value specified in - _e_d_i_t_o_r. If the _e_n_v___r_e_s_e_t flag is enabled, the - SUDO_EDITOR, VISUAL and/or EDITOR environment variables - must be present in the _e_n_v___k_e_e_p list for the _e_n_v___e_d_i_t_o_r - flag to function when vviissuuddoo is invoked via ssuuddoo. This - flag is _o_n by default. - - env_reset If set, ssuuddoo will run the command in a minimal - environment containing the TERM, PATH, HOME, MAIL, - SHELL, LOGNAME, USER and SUDO_* variables. Any - variables in the caller's environment or in the file - specified by the _r_e_s_t_r_i_c_t_e_d___e_n_v___f_i_l_e option that match - the env_keep and env_check lists are then added, - followed by any variables present in the file specified - by the _e_n_v___f_i_l_e option (if any). The contents of the - env_keep and env_check lists, as modified by global - Defaults parameters in _s_u_d_o_e_r_s, are displayed when ssuuddoo - is run by root with the --VV option. If the _s_e_c_u_r_e___p_a_t_h - option is set, its value will be used for the PATH - environment variable. This flag is _o_n by default. - - fast_glob Normally, ssuuddoo uses the glob(3) function to do shell- - style globbing when matching path names. However, - since it accesses the file system, glob(3) can take a - long time to complete for some patterns, especially - when the pattern references a network file system that - is mounted on demand (auto mounted). The _f_a_s_t___g_l_o_b - option causes ssuuddoo to use the fnmatch(3) function, - which does not access the file system to do its - matching. The disadvantage of _f_a_s_t___g_l_o_b is that it is - unable to match relative path names such as _._/_l_s or - _._._/_b_i_n_/_l_s. This has security implications when path - names that include globbing characters are used with - the negation operator, `!', as such rules can be - trivially bypassed. As such, this option should not be - used when the _s_u_d_o_e_r_s file contains rules that contain - negated path names which include globbing characters. - This flag is _o_f_f by default. - - fqdn Set this flag if you want to put fully qualified host - names in the _s_u_d_o_e_r_s file when the local host name (as - returned by the hostname command) does not contain the - domain name. In other words, instead of myhost you - would use myhost.mydomain.edu. You may still use the - short form if you wish (and even mix the two). This - option is only effective when the "canonical" host - name, as returned by the ggeettaaddddrriinnffoo() or - ggeetthhoossttbbyynnaammee() function, is a fully-qualified domain - name. This is usually the case when the system is - configured to use DNS for host name resolution. - - If the system is configured to use the _/_e_t_c_/_h_o_s_t_s file - in preference to DNS, the "canonical" host name may not - be fully-qualified. The order that sources are queried - for host name resolution is usually specified in the - _/_e_t_c_/_n_s_s_w_i_t_c_h_._c_o_n_f, _/_e_t_c_/_n_e_t_s_v_c_._c_o_n_f, _/_e_t_c_/_h_o_s_t_._c_o_n_f, - or, in some cases, _/_e_t_c_/_r_e_s_o_l_v_._c_o_n_f file. In the - _/_e_t_c_/_h_o_s_t_s file, the first host name of the entry is - considered to be the "canonical" name; subsequent names - are aliases that are not used by ssuuddooeerrss. For example, - the following hosts file line for the machine "xyzzy" - has the fully-qualified domain name as the "canonical" - host name, and the short version as an alias. - - 192.168.1.1 xyzzy.sudo.ws xyzzy - - If the machine's hosts file entry is not formatted - properly, the _f_q_d_n option will not be effective if it - is queried before DNS. - - Beware that when using DNS for host name resolution, - turning on _f_q_d_n requires ssuuddooeerrss to make DNS lookups - which renders ssuuddoo unusable if DNS stops working (for - example if the machine is disconnected from the - network). Also note that just like with the hosts - file, you must use the "canonical" name as DNS knows - it. That is, you may not use a host alias (CNAME - entry) due to performance issues and the fact that - there is no way to get all aliases from DNS. - - This flag is _o_f_f by default. - - ignore_audit_errors - Allow commands to be run even if ssuuddooeerrss cannot write - to the audit log. If enabled, an audit log write - failure is not treated as a fatal error. If disabled, - a command may only be run after the audit event is - successfully written. This flag is only effective on - systems for which ssuuddooeerrss supports audit logging, - including FreeBSD, Linux, macOS and Solaris. This flag - is _o_n by default. - - ignore_dot If set, ssuuddoo will ignore "." or "" (both denoting - current directory) in the PATH environment variable; - the PATH itself is not modified. This flag is _o_f_f by - default. - - ignore_iolog_errors - Allow commands to be run even if ssuuddooeerrss cannot write - to the I/O log. If enabled, an I/O log write failure - is not treated as a fatal error. If disabled, the - command will be terminated if the I/O log cannot be - written to. This flag is _o_f_f by default. - - ignore_logfile_errors - Allow commands to be run even if ssuuddooeerrss cannot write - to the log file. If enabled, a log file write failure - is not treated as a fatal error. If disabled, a - command may only be run after the log file entry is - successfully written. This flag only has an effect - when ssuuddooeerrss is configured to use file-based logging - via the _l_o_g_f_i_l_e option. This flag is _o_n by default. - - ignore_local_sudoers - If set via LDAP, parsing of _/_e_t_c_/_s_u_d_o_e_r_s will be - skipped. This is intended for Enterprises that wish to - prevent the usage of local sudoers files so that only - LDAP is used. This thwarts the efforts of rogue - operators who would attempt to add roles to - _/_e_t_c_/_s_u_d_o_e_r_s. When this option is present, - _/_e_t_c_/_s_u_d_o_e_r_s does not even need to exist. Since this - option tells ssuuddoo how to behave when no specific LDAP - entries have been matched, this sudoOption is only - meaningful for the cn=defaults section. This flag is - _o_f_f by default. - - ignore_unknown_defaults - If set, ssuuddoo will not produce a warning if it - encounters an unknown Defaults entry in the _s_u_d_o_e_r_s - file or an unknown sudoOption in LDAP. This flag is - _o_f_f by default. - - insults If set, ssuuddoo will insult users when they enter an - incorrect password. This flag is _o_f_f by default. - - log_host If set, the host name will be logged in the (non- - syslog) ssuuddoo log file. This flag is _o_f_f by default. - - log_input If set, ssuuddoo will run the command in a pseudo-tty and - log all user input. If the standard input is not - connected to the user's tty, due to I/O redirection or - because the command is part of a pipeline, that input - is also captured and stored in a separate log file. - Anything sent to the standard input will be consumed, - regardless of whether or not the command run via ssuuddoo - is actually reading the standard input. This may have - unexpected results when using ssuuddoo in a shell script - that expects to process the standard input. For more - information about I/O logging, see the _I_/_O _L_O_G _F_I_L_E_S - section. This flag is _o_f_f by default. - - log_output If set, ssuuddoo will run the command in a pseudo-tty and - log all output that is sent to the screen, similar to - the script(1) command. For more information about I/O - logging, see the _I_/_O _L_O_G _F_I_L_E_S section. This flag is - _o_f_f by default. - - log_year If set, the four-digit year will be logged in the (non- - syslog) ssuuddoo log file. This flag is _o_f_f by default. - - long_otp_prompt When validating with a One Time Password (OTP) scheme - such as SS//KKeeyy or OOPPIIEE, a two-line prompt is used to - make it easier to cut and paste the challenge to a - local window. It's not as pretty as the default but - some people find it more convenient. This flag is _o_f_f - by default. - - mail_all_cmnds Send mail to the _m_a_i_l_t_o user every time a user attempts - to run a command via ssuuddoo (this includes ssuuddooeeddiitt). No - mail will be sent if the user runs ssuuddoo with the --ll or - --vv option unless there is an authentication error and - the _m_a_i_l___b_a_d_p_a_s_s flag is also set. This flag is _o_f_f by - default. - - mail_always Send mail to the _m_a_i_l_t_o user every time a user runs - ssuuddoo. This flag is _o_f_f by default. - - mail_badpass Send mail to the _m_a_i_l_t_o user if the user running ssuuddoo - does not enter the correct password. If the command - the user is attempting to run is not permitted by - ssuuddooeerrss and one of the _m_a_i_l___a_l_l___c_m_n_d_s, _m_a_i_l___a_l_w_a_y_s, - _m_a_i_l___n_o___h_o_s_t, _m_a_i_l___n_o___p_e_r_m_s or _m_a_i_l___n_o___u_s_e_r flags are - set, this flag will have no effect. This flag is _o_f_f - by default. - - mail_no_host If set, mail will be sent to the _m_a_i_l_t_o user if the - invoking user exists in the _s_u_d_o_e_r_s file, but is not - allowed to run commands on the current host. This flag - is _o_f_f by default. - - mail_no_perms If set, mail will be sent to the _m_a_i_l_t_o user if the - invoking user is allowed to use ssuuddoo but the command - they are trying is not listed in their _s_u_d_o_e_r_s file - entry or is explicitly denied. This flag is _o_f_f by - default. - - mail_no_user If set, mail will be sent to the _m_a_i_l_t_o user if the - invoking user is not in the _s_u_d_o_e_r_s file. This flag is - _o_n by default. - - match_group_by_gid - By default, ssuuddooeerrss will look up each group the user is - a member of by group ID to determine the group name - (this is only done once). The resulting list of the - user's group names is used when matching groups listed - in the _s_u_d_o_e_r_s file. This works well on systems where - the number of groups listed in the _s_u_d_o_e_r_s file is - larger than the number of groups a typical user belongs - to. On systems where group lookups are slow, where - users may belong to a large number of groups, and where - the number of groups listed in the _s_u_d_o_e_r_s file is - relatively small, it may be prohibitively expensive and - running commands via ssuuddoo may take longer than normal. - On such systems it may be faster to use the - _m_a_t_c_h___g_r_o_u_p___b_y___g_i_d flag to avoid resolving the user's - group IDs to group names. In this case, ssuuddooeerrss must - look up any group name listed in the _s_u_d_o_e_r_s file and - use the group ID instead of the group name when - determining whether the user is a member of the group. - - Note that if _m_a_t_c_h___g_r_o_u_p___b_y___g_i_d is enabled, group - database lookups performed by ssuuddooeerrss will be keyed by - group name as opposed to group ID. On systems where - there are multiple sources for the group database, it - is possible to have conflicting group names or group - IDs in the local _/_e_t_c_/_g_r_o_u_p file and the remote group - database. On such systems, enabling or disabling - _m_a_t_c_h___g_r_o_u_p___b_y___g_i_d can be used to choose whether group - database queries are performed by name (enabled) or ID - (disabled), which may aid in working around group entry - conflicts. - - The _m_a_t_c_h___g_r_o_u_p___b_y___g_i_d flag has no effect when _s_u_d_o_e_r_s - data is stored in LDAP. This flag is _o_f_f by default. - - This setting is only supported by version 1.8.18 or - higher. - - netgroup_tuple If set, netgroup lookups will be performed using the - full netgroup tuple: host name, user name and domain - (if one is set). Historically, ssuuddoo only matched the - user name and domain for netgroups used in a User_List - and only matched the host name and domain for netgroups - used in a Host_List. This flag is _o_f_f by default. - - noexec If set, all commands run via ssuuddoo will behave as if the - NOEXEC tag has been set, unless overridden by an EXEC - tag. See the description of _E_X_E_C _a_n_d _N_O_E_X_E_C above as - well as the _P_r_e_v_e_n_t_i_n_g _s_h_e_l_l _e_s_c_a_p_e_s section at the end - of this manual. This flag is _o_f_f by default. - - pam_acct_mgmt On systems that use PAM for authentication, ssuuddoo will - perform PAM account validation for the invoking user by - default. The actual checks performed depend on which - PAM modules are configured. If enabled, account - validation will be performed regardless of whether or - not a password is required. This flag is _o_n by - default. - - This setting is only supported by version 1.8.28 or - higher. - - pam_session On systems that use PAM for authentication, ssuuddoo will - create a new PAM session for the command to be run in. - Disabling _p_a_m___s_e_s_s_i_o_n may be needed on older PAM - implementations or on operating systems where opening a - PAM session changes the utmp or wtmp files. If PAM - session support is disabled, resource limits may not be - updated for the command being run. If _p_a_m___s_e_s_s_i_o_n, - _p_a_m___s_e_t_c_r_e_d, and _u_s_e___p_t_y are disabled and I/O logging - has not been configured, ssuuddoo will execute the command - directly instead of running it as a child process. - This flag is _o_n by default. - - This setting is only supported by version 1.8.7 or - higher. - - pam_setcred On systems that use PAM for authentication, ssuuddoo will - attempt to establish credentials for the target user by - default, if supported by the underlying authentication - system. One example of a credential is a Kerberos - ticket. If _p_a_m___s_e_s_s_i_o_n, _p_a_m___s_e_t_c_r_e_d, and _u_s_e___p_t_y are - disabled and I/O logging has not been configured, ssuuddoo - will execute the command directly instead of running it - as a child process. This flag is _o_n by default. - - This setting is only supported by version 1.8.8 or - higher. - - passprompt_override - If set, the prompt specified by _p_a_s_s_p_r_o_m_p_t or the - SUDO_PROMPT environment variable will always be used - and will replace the prompt provided by a PAM module or - other authentication method. This flag is _o_f_f by - default. - - path_info Normally, ssuuddoo will tell the user when a command could - not be found in their PATH environment variable. Some - sites may wish to disable this as it could be used to - gather information on the location of executables that - the normal user does not have access to. The - disadvantage is that if the executable is simply not in - the user's PATH, ssuuddoo will tell the user that they are - not allowed to run it, which can be confusing. This - flag is _o_n by default. - - preserve_groups By default, ssuuddoo will initialize the group vector to - the list of groups the target user is in. When - _p_r_e_s_e_r_v_e___g_r_o_u_p_s is set, the user's existing group - vector is left unaltered. The real and effective group - IDs, however, are still set to match the target user. - This flag is _o_f_f by default. - - pwfeedback By default, ssuuddoo reads the password like most other - Unix programs, by turning off echo until the user hits - the return (or enter) key. Some users become confused - by this as it appears to them that ssuuddoo has hung at - this point. When _p_w_f_e_e_d_b_a_c_k is set, ssuuddoo will provide - visual feedback when the user presses a key. Note that - this does have a security impact as an onlooker may be - able to determine the length of the password being - entered. This flag is _o_f_f by default. - - requiretty If set, ssuuddoo will only run when the user is logged in - to a real tty. When this flag is set, ssuuddoo can only be - run from a login session and not via other means such - as cron(1m) or cgi-bin scripts. This flag is _o_f_f by - default. - - root_sudo If set, root is allowed to run ssuuddoo too. Disabling - this prevents users from "chaining" ssuuddoo commands to - get a root shell by doing something like "sudo sudo - /bin/sh". Note, however, that turning off _r_o_o_t___s_u_d_o - will also prevent root from running ssuuddooeeddiitt. - Disabling _r_o_o_t___s_u_d_o provides no real additional - security; it exists purely for historical reasons. - This flag is _o_n by default. - - rootpw If set, ssuuddoo will prompt for the root password instead - of the password of the invoking user when running a - command or editing a file. This flag is _o_f_f by - default. - - runaspw If set, ssuuddoo will prompt for the password of the user - defined by the _r_u_n_a_s___d_e_f_a_u_l_t option (defaults to root) - instead of the password of the invoking user when - running a command or editing a file. This flag is _o_f_f - by default. - - set_home If enabled and ssuuddoo is invoked with the --ss option the - HOME environment variable will be set to the home - directory of the target user (which is root unless the - --uu option is used). This effectively makes the --ss - option imply --HH. Note that HOME is already set when - the _e_n_v___r_e_s_e_t option is enabled, so _s_e_t___h_o_m_e is only - effective for configurations where either _e_n_v___r_e_s_e_t is - disabled or HOME is present in the _e_n_v___k_e_e_p list. This - flag is _o_f_f by default. - - set_logname Normally, ssuuddoo will set the LOGNAME and USER - environment variables to the name of the target user - (usually root unless the --uu option is given). However, - since some programs (including the RCS revision control - system) use LOGNAME to determine the real identity of - the user, it may be desirable to change this behavior. - This can be done by negating the set_logname option. - Note that _s_e_t___l_o_g_n_a_m_e will have no effect if the - _e_n_v___r_e_s_e_t option has not been disabled and the _e_n_v___k_e_e_p - list contains LOGNAME or USER. This flag is _o_n by - default. - - set_utmp When enabled, ssuuddoo will create an entry in the utmp (or - utmpx) file when a pseudo-tty is allocated. A pseudo- - tty is allocated by ssuuddoo when the _l_o_g___i_n_p_u_t, _l_o_g___o_u_t_p_u_t - or _u_s_e___p_t_y flags are enabled. By default, the new - entry will be a copy of the user's existing utmp entry - (if any), with the tty, time, type and pid fields - updated. This flag is _o_n by default. - - setenv Allow the user to disable the _e_n_v___r_e_s_e_t option from the - command line via the --EE option. Additionally, - environment variables set via the command line are not - subject to the restrictions imposed by _e_n_v___c_h_e_c_k, - _e_n_v___d_e_l_e_t_e, or _e_n_v___k_e_e_p. As such, only trusted users - should be allowed to set variables in this manner. - This flag is _o_f_f by default. - - shell_noargs If set and ssuuddoo is invoked with no arguments it acts as - if the --ss option had been given. That is, it runs a - shell as root (the shell is determined by the SHELL - environment variable if it is set, falling back on the - shell listed in the invoking user's /etc/passwd entry - if not). This flag is _o_f_f by default. - - stay_setuid Normally, when ssuuddoo executes a command the real and - effective UIDs are set to the target user (root by - default). This option changes that behavior such that - the real UID is left as the invoking user's UID. In - other words, this makes ssuuddoo act as a setuid wrapper. - This can be useful on systems that disable some - potentially dangerous functionality when a program is - run setuid. This option is only effective on systems - that support either the setreuid(2) or setresuid(2) - system call. This flag is _o_f_f by default. - - sudoedit_checkdir - If set, ssuuddooeeddiitt will check all directory components of - the path to be edited for writability by the invoking - user. Symbolic links will not be followed in writable - directories and ssuuddooeeddiitt will refuse to edit a file - located in a writable directory. These restrictions - are not enforced when ssuuddooeeddiitt is run by root. On some - systems, if all directory components of the path to be - edited are not readable by the target user, ssuuddooeeddiitt - will be unable to edit the file. This flag is _o_n by - default. - - This setting was first introduced in version 1.8.15 but - initially suffered from a race condition. The check - for symbolic links in writable intermediate directories - was added in version 1.8.16. - - sudoedit_follow By default, ssuuddooeeddiitt will not follow symbolic links - when opening files. The _s_u_d_o_e_d_i_t___f_o_l_l_o_w option can be - enabled to allow ssuuddooeeddiitt to open symbolic links. It - may be overridden on a per-command basis by the _F_O_L_L_O_W - and _N_O_F_O_L_L_O_W tags. This flag is _o_f_f by default. - - This setting is only supported by version 1.8.15 or - higher. - - syslog_pid When logging via syslog(3), include the process ID in - the log entry. This flag is _o_f_f by default. - - This setting is only supported by version 1.8.21 or - higher. - - targetpw If set, ssuuddoo will prompt for the password of the user - specified by the --uu option (defaults to root) instead - of the password of the invoking user when running a - command or editing a file. Note that this flag - precludes the use of a uid not listed in the passwd - database as an argument to the --uu option. This flag is - _o_f_f by default. - - tty_tickets If set, users must authenticate on a per-tty basis. - With this flag enabled, ssuuddoo will use a separate record - in the time stamp file for each terminal. If disabled, - a single record is used for all login sessions. - - This option has been superseded by the _t_i_m_e_s_t_a_m_p___t_y_p_e - option. - - umask_override If set, ssuuddoo will set the umask as specified in the - _s_u_d_o_e_r_s file without modification. This makes it - possible to specify a umask in the _s_u_d_o_e_r_s file that is - more permissive than the user's own umask and matches - historical behavior. If _u_m_a_s_k___o_v_e_r_r_i_d_e is not set, - ssuuddoo will set the umask to be the union of the user's - umask and what is specified in _s_u_d_o_e_r_s. This flag is - _o_f_f by default. - - use_loginclass If set, ssuuddoo will apply the defaults specified for the - target user's login class if one exists. Only - available if ssuuddoo is configured with the - --with-logincap option. This flag is _o_f_f by default. - - use_netgroups If set, netgroups (prefixed with `+'), may be used in - place of a user or host. For LDAP-based sudoers, - netgroup support requires an expensive sub-string match - on the server unless the NNEETTGGRROOUUPP__BBAASSEE directive is - present in the _/_e_t_c_/_l_d_a_p_._c_o_n_f file. If netgroups are - not needed, this option can be disabled to reduce the - load on the LDAP server. This flag is _o_n by default. - - use_pty If set, and ssuuddoo is running in a terminal, the command - will be run in a pseudo-pty (even if no I/O logging is - being done). If the ssuuddoo process is not attached to a - terminal, _u_s_e___p_t_y has no effect. - - A malicious program run under ssuuddoo may be capable of - injecting commands into the user's terminal or running - a background process that retains access to the user's - terminal device even after the main program has - finished executing. By running the command in a - separate pseudo-pty, this attack is no longer possible. - This flag is _o_f_f by default. - - user_command_timeouts - If set, the user may specify a timeout on the command - line. If the timeout expires before the command has - exited, the command will be terminated. If a timeout - is specified both in the _s_u_d_o_e_r_s file and on the - command line, the smaller of the two timeouts will be - used. See the Timeout_Spec section for a description - of the timeout syntax. This flag is _o_f_f by default. - - This setting is only supported by version 1.8.20 or - higher. - - utmp_runas If set, ssuuddoo will store the name of the runas user when - updating the utmp (or utmpx) file. By default, ssuuddoo - stores the name of the invoking user. This flag is _o_f_f - by default. - - visiblepw By default, ssuuddoo will refuse to run if the user must - enter a password but it is not possible to disable echo - on the terminal. If the _v_i_s_i_b_l_e_p_w flag is set, ssuuddoo - will prompt for a password even when it would be - visible on the screen. This makes it possible to run - things like "ssh somehost sudo ls" since by default, - ssh(1) does not allocate a tty when running a command. - This flag is _o_f_f by default. - - IInntteeggeerrss: - - closefrom Before it executes a command, ssuuddoo will close all open - file descriptors other than standard input, standard - output and standard error (ie: file descriptors 0-2). - The _c_l_o_s_e_f_r_o_m option can be used to specify a different - file descriptor at which to start closing. The default - is 3. - - command_timeout The maximum amount of time a command is allowed to run - before it is terminated. See the Timeout_Spec section - for a description of the timeout syntax. - - This setting is only supported by version 1.8.20 or - higher. - - maxseq The maximum sequence number that will be substituted - for the "%{seq}" escape in the I/O log file (see the - _i_o_l_o_g___d_i_r description below for more information). - While the value substituted for "%{seq}" is in base 36, - _m_a_x_s_e_q itself should be expressed in decimal. Values - larger than 2176782336 (which corresponds to the base - 36 sequence number "ZZZZZZ") will be silently truncated - to 2176782336. The default value is 2176782336. - - Once the local sequence number reaches the value of - _m_a_x_s_e_q, it will "roll over" to zero, after which - ssuuddooeerrss will truncate and re-use any existing I/O log - path names. - - This setting is only supported by version 1.8.7 or - higher. - - passwd_tries The number of tries a user gets to enter his/her - password before ssuuddoo logs the failure and exits. The - default is 3. - - syslog_maxlen On many systems, syslog(3) has a relatively small log - buffer. IETF RFC 5424 states that syslog servers must - support messages of at least 480 bytes and should - support messages up to 2048 bytes. By default, ssuuddooeerrss - creates log messages up to 980 bytes which corresponds - to the historic BSD syslog implementation which used a - 1024 byte buffer to store the message, date, hostname - and program name. To prevent syslog messages from - being truncated, ssuuddooeerrss will split up log messages - that are larger than _s_y_s_l_o_g___m_a_x_l_e_n bytes. When a - message is split, additional parts will include the - string "(command continued)" after the user name and - before the continued command line arguments. - - This setting is only supported by version 1.8.19 or - higher. - - IInntteeggeerrss tthhaatt ccaann bbee uusseedd iinn aa bboooolleeaann ccoonntteexxtt: - - loglinelen Number of characters per line for the file log. This - value is used to decide when to wrap lines for nicer - log files. This has no effect on the syslog log file, - only the file log. The default is 80 (use 0 or negate - the option to disable word wrap). - - passwd_timeout Number of minutes before the ssuuddoo password prompt times - out, or 0 for no timeout. The timeout may include a - fractional component if minute granularity is - insufficient, for example 2.5. The default is 5. - - timestamp_timeout - Number of minutes that can elapse before ssuuddoo will ask - for a passwd again. The timeout may include a - fractional component if minute granularity is - insufficient, for example 2.5. The default is 5. Set - this to 0 to always prompt for a password. If set to a - value less than 0 the user's time stamp will not expire - until the system is rebooted. This can be used to - allow users to create or delete their own time stamps - via "sudo -v" and "sudo -k" respectively. - - umask Umask to use when running the command. Negate this - option or set it to 0777 to preserve the user's umask. - The actual umask that is used will be the union of the - user's umask and the value of the _u_m_a_s_k option, which - defaults to 0022. This guarantees that ssuuddoo never - lowers the umask when running a command. Note: on - systems that use PAM, the default PAM configuration may - specify its own umask which will override the value set - in _s_u_d_o_e_r_s. - - SSttrriinnggss: - - authfail_message Message that is displayed after a user fails to - authenticate. The message may include the `%d' escape - which will expand to the number of failed password - attempts. If set, it overrides the default message, %d - incorrect password attempt(s). - - badpass_message Message that is displayed if a user enters an incorrect - password. The default is Sorry, try again. unless - insults are enabled. - - editor A colon (`:') separated list of editors path names used - by ssuuddooeeddiitt and vviissuuddoo. For ssuuddooeeddiitt, this list is - used to find an editor when none of the SUDO_EDITOR, - VISUAL or EDITOR environment variables are set to an - editor that exists and is executable. For vviissuuddoo, it - is used as a white list of allowed editors; vviissuuddoo will - choose the editor that matches the user's SUDO_EDITOR, - VISUAL or EDITOR environment variable if possible, or - the first editor in the list that exists and is - executable if not. Unless invoked as ssuuddooeeddiitt, ssuuddoo - does not preserve the SUDO_EDITOR, VISUAL or EDITOR - environment variables unless they are present in the - _e_n_v___k_e_e_p list or the _e_n_v___r_e_s_e_t option is disabled. The - default is _v_i. - - iolog_dir The top-level directory to use when constructing the - path name for the input/output log directory. Only - used if the _l_o_g___i_n_p_u_t or _l_o_g___o_u_t_p_u_t options are enabled - or when the LOG_INPUT or LOG_OUTPUT tags are present - for a command. The session sequence number, if any, is - stored in the directory. The default is - _/_v_a_r_/_l_o_g_/_s_u_d_o_-_i_o. - - The following percent (`%') escape sequences are - supported: - - %{seq} - expanded to a monotonically increasing base-36 - sequence number, such as 0100A5, where every two - digits are used to form a new directory, e.g., - _0_1_/_0_0_/_A_5 - - %{user} - expanded to the invoking user's login name - - %{group} - expanded to the name of the invoking user's real - group ID - - %{runas_user} - expanded to the login name of the user the - command will be run as (e.g., root) - - %{runas_group} - expanded to the group name of the user the - command will be run as (e.g., wheel) - - %{hostname} - expanded to the local host name without the - domain name - - %{command} - expanded to the base name of the command being - run - - In addition, any escape sequences supported by the - system's strftime(3) function will be expanded. - - To include a literal `%' character, the string `%%' - should be used. - - iolog_file The path name, relative to _i_o_l_o_g___d_i_r, in which to store - input/output logs when the _l_o_g___i_n_p_u_t or _l_o_g___o_u_t_p_u_t - options are enabled or when the LOG_INPUT or LOG_OUTPUT - tags are present for a command. Note that _i_o_l_o_g___f_i_l_e - may contain directory components. The default is - "%{seq}". - - See the _i_o_l_o_g___d_i_r option above for a list of supported - percent (`%') escape sequences. - - In addition to the escape sequences, path names that - end in six or more Xs will have the Xs replaced with a - unique combination of digits and letters, similar to - the mktemp(3) function. - - If the path created by concatenating _i_o_l_o_g___d_i_r and - _i_o_l_o_g___f_i_l_e already exists, the existing I/O log file - will be truncated and overwritten unless _i_o_l_o_g___f_i_l_e - ends in six or more Xs. - - iolog_flush If set, ssuuddoo will flush I/O log data to disk after each - write instead of buffering it. This makes it possible - to view the logs in real-time as the program is - executing but may significantly reduce the - effectiveness of I/O log compression. This flag is _o_f_f - by default. - - This setting is only supported by version 1.8.20 or - higher. - - iolog_group The group name to look up when setting the group ID on - new I/O log files and directories. If _i_o_l_o_g___g_r_o_u_p is - not set, the primary group ID of the user specified by - _i_o_l_o_g___u_s_e_r is used. If neither _i_o_l_o_g___g_r_o_u_p nor - _i_o_l_o_g___u_s_e_r are set, I/O log files and directories are - created with group ID 0. - - This setting is only supported by version 1.8.19 or - higher. - - iolog_mode The file mode to use when creating I/O log files. Mode - bits for read and write permissions for owner, group or - other are honored, everything else is ignored. The - file permissions will always include the owner read and - write bits, even if they are not present in the - specified mode. When creating I/O log directories, - search (execute) bits are added to match the read and - write bits specified by _i_o_l_o_g___m_o_d_e. Defaults to 0600 - (read and write by user only). - - This setting is only supported by version 1.8.19 or - higher. - - iolog_user The user name to look up when setting the user and - group IDs on new I/O log files and directories. If - _i_o_l_o_g___g_r_o_u_p is set, it will be used instead of the - user's primary group ID. By default, I/O log files and - directories are created with user and group ID 0. - - This setting can be useful when the I/O logs are stored - on a Network File System (NFS) share. Having a - dedicated user own the I/O log files means that ssuuddooeerrss - does not write to the log files as user ID 0, which is - usually not permitted by NFS. - - This setting is only supported by version 1.8.19 or - higher. - - lecture_status_dir - The directory in which ssuuddoo stores per-user lecture - status files. Once a user has received the lecture, a - zero-length file is created in this directory so that - ssuuddoo will not lecture the user again. This directory - should _n_o_t be cleared when the system reboots. The - default is _/_v_a_r_/_a_d_m_/_s_u_d_o_/_l_e_c_t_u_r_e_d. - - limitprivs The default Solaris limit privileges to use when - constructing a new privilege set for a command. This - bounds all privileges of the executing process. The - default limit privileges may be overridden on a per- - command basis in _s_u_d_o_e_r_s. This option is only - available if ssuuddooeerrss is built on Solaris 10 or higher. - - mailsub Subject of the mail sent to the _m_a_i_l_t_o user. The - escape %h will expand to the host name of the machine. - Default is "*** SECURITY information for %h ***". - - noexec_file As of ssuuddoo version 1.8.1 this option is no longer - supported. The path to the noexec file should now be - set in the sudo.conf(4) file. - - pam_login_service - On systems that use PAM for authentication, this is the - service name used when the --ii option is specified. The - default value is "sudo". See the description of - _p_a_m___s_e_r_v_i_c_e for more information. - - This setting is only supported by version 1.8.8 or - higher. - - pam_service On systems that use PAM for authentication, the service - name specifies the PAM policy to apply. This usually - corresponds to an entry in the _p_a_m_._c_o_n_f file or a file - in the _/_e_t_c_/_p_a_m_._d directory. The default value is - "sudo". - - This setting is only supported by version 1.8.8 or - higher. - - passprompt The default prompt to use when asking for a password; - can be overridden via the --pp option or the SUDO_PROMPT - environment variable. The following percent (`%') - escape sequences are supported: - - %H expanded to the local host name including the - domain name (only if the machine's host name is - fully qualified or the _f_q_d_n option is set) - - %h expanded to the local host name without the - domain name - - %p expanded to the user whose password is being - asked for (respects the _r_o_o_t_p_w, _t_a_r_g_e_t_p_w and - _r_u_n_a_s_p_w flags in _s_u_d_o_e_r_s) - - %U expanded to the login name of the user the - command will be run as (defaults to root) - - %u expanded to the invoking user's login name - - %% two consecutive % characters are collapsed into a - single % character - - On systems that use PAM for authentication, _p_a_s_s_p_r_o_m_p_t - will only be used if the prompt provided by the PAM - module matches the string "Password: " or "username's - Password: ". This ensures that the _p_a_s_s_p_r_o_m_p_t setting - does not interfere with challenge-response style - authentication. The _p_a_s_s_p_r_o_m_p_t___o_v_e_r_r_i_d_e flag can be - used to change this behavior. - - The default value is "Password: ". - - privs The default Solaris privileges to use when constructing - a new privilege set for a command. This is passed to - the executing process via the inherited privilege set, - but is bounded by the limit privileges. If the _p_r_i_v_s - option is specified but the _l_i_m_i_t_p_r_i_v_s option is not, - the limit privileges of the executing process is set to - _p_r_i_v_s. The default privileges may be overridden on a - per-command basis in _s_u_d_o_e_r_s. This option is only - available if ssuuddooeerrss is built on Solaris 10 or higher. - - role The default SELinux role to use when constructing a new - security context to run the command. The default role - may be overridden on a per-command basis in the _s_u_d_o_e_r_s - file or via command line options. This option is only - available when ssuuddoo is built with SELinux support. - - runas_default The default user to run commands as if the --uu option is - not specified on the command line. This defaults to - root. - - sudoers_locale Locale to use when parsing the sudoers file, logging - commands, and sending email. Note that changing the - locale may affect how sudoers is interpreted. Defaults - to "C". - - timestamp_type ssuuddooeerrss uses per-user time stamp files for credential - caching. The _t_i_m_e_s_t_a_m_p___t_y_p_e option can be used to - specify the type of time stamp record used. It has the - following possible values: - - global A single time stamp record is used for all of a - user's login sessions, regardless of the - terminal or parent process ID. An additional - record is used to serialize password prompts - when ssuuddoo is used multiple times in a pipeline, - but this does not affect authentication. - - ppid A single time stamp record is used for all - processes with the same parent process ID - (usually the shell). Commands run from the - same shell (or other common parent process) - will not require a password for - _t_i_m_e_s_t_a_m_p___t_i_m_e_o_u_t minutes (5 by default). - Commands run via ssuuddoo with a different parent - process ID, for example from a shell script, - will be authenticated separately. - - tty One time stamp record is used for each - terminal, which means that a user's login - sessions are authenticated separately. If no - terminal is present, the behavior is the same - as _p_p_i_d. Commands run from the same terminal - will not require a password for - _t_i_m_e_s_t_a_m_p___t_i_m_e_o_u_t minutes (5 by default). - - kernel The time stamp is stored in the kernel as an - attribute of the terminal device. If no - terminal is present, the behavior is the same - as _p_p_i_d. Negative _t_i_m_e_s_t_a_m_p___t_i_m_e_o_u_t values are - not supported and positive values are limited - to a maximum of 60 minutes. This is currently - only supported on OpenBSD. - - The default value is _t_t_y. - - This setting is only supported by version 1.8.21 or - higher. - - timestampdir The directory in which ssuuddoo stores its time stamp - files. This directory should be cleared when the - system reboots. The default is _/_v_a_r_/_r_u_n_/_s_u_d_o_/_t_s. - - timestampowner The owner of the lecture status directory, time stamp - directory and all files stored therein. The default is - root. - - type The default SELinux type to use when constructing a new - security context to run the command. The default type - may be overridden on a per-command basis in the _s_u_d_o_e_r_s - file or via command line options. This option is only - available when ssuuddoo is built with SELinux support. - - SSttrriinnggss tthhaatt ccaann bbee uusseedd iinn aa bboooolleeaann ccoonntteexxtt: - - env_file The _e_n_v___f_i_l_e option specifies the fully qualified path to a - file containing variables to be set in the environment of - the program being run. Entries in this file should either - be of the form "VARIABLE=value" or "export VARIABLE=value". - The value may optionally be surrounded by single or double - quotes. Variables in this file are only added if the - variable does not already exist in the environment. This - file is considered to be part of the security policy, its - contents are not subject to other ssuuddoo environment - restrictions such as _e_n_v___k_e_e_p and _e_n_v___c_h_e_c_k. - - exempt_group Users in this group are exempt from password and PATH - requirements. The group name specified should not include - a % prefix. This is not set by default. - - fdexec Determines whether ssuuddoo will execute a command by its path - or by an open file descriptor. It has the following - possible values: - - always Always execute by file descriptor. - - never Never execute by file descriptor. - - digest_only - Only execute by file descriptor if the command has - an associated digest in the _s_u_d_o_e_r_s file. - - The default value is _d_i_g_e_s_t___o_n_l_y. This avoids a time of - check versus time of use race condition when the command is - located in a directory writable by the invoking user. - - Note that _f_d_e_x_e_c will change the first element of the - argument vector for scripts ($0 in the shell) due to the - way the kernel runs script interpreters. Instead of being - a normal path, it will refer to a file descriptor. For - example, _/_d_e_v_/_f_d_/_4 on Solaris and _/_p_r_o_c_/_s_e_l_f_/_f_d_/_4 on Linux. - A workaround is to use the SUDO_COMMAND environment - variable instead. - - The _f_d_e_x_e_c setting is only used when the command is matched - by path name. It has no effect if the command is matched - by the built-in AALLLL alias. - - This setting is only supported by version 1.8.20 or higher. - If the operating system does not support the fexecve(2) - system call, this setting has no effect. - - group_plugin A string containing a ssuuddooeerrss group plugin with optional - arguments. The string should consist of the plugin path, - either fully-qualified or relative to the - _/_u_s_r_/_l_o_c_a_l_/_l_i_b_e_x_e_c_/_s_u_d_o directory, followed by any - configuration arguments the plugin requires. These - arguments (if any) will be passed to the plugin's - initialization function. If arguments are present, the - string must be enclosed in double quotes (""). - - For more information see _G_R_O_U_P _P_R_O_V_I_D_E_R _P_L_U_G_I_N_S. - - lecture This option controls when a short lecture will be printed - along with the password prompt. It has the following - possible values: - - always Always lecture the user. - - never Never lecture the user. - - once Only lecture the user the first time they run ssuuddoo. - - If no value is specified, a value of _o_n_c_e is implied. - Negating the option results in a value of _n_e_v_e_r being used. - The default value is _o_n_c_e. - - lecture_file Path to a file containing an alternate ssuuddoo lecture that - will be used in place of the standard lecture if the named - file exists. By default, ssuuddoo uses a built-in lecture. - - listpw This option controls when a password will be required when - a user runs ssuuddoo with the --ll option. It has the following - possible values: - - all All the user's _s_u_d_o_e_r_s file entries for the - current host must have the NOPASSWD flag set to - avoid entering a password. - - always The user must always enter a password to use the - --ll option. - - any At least one of the user's _s_u_d_o_e_r_s file entries - for the current host must have the NOPASSWD flag - set to avoid entering a password. - - never The user need never enter a password to use the - --ll option. - - If no value is specified, a value of _a_n_y is implied. - Negating the option results in a value of _n_e_v_e_r being used. - The default value is _a_n_y. - - logfile Path to the ssuuddoo log file (not the syslog log file). - Setting a path turns on logging to a file; negating this - option turns it off. By default, ssuuddoo logs via syslog. - - mailerflags Flags to use when invoking mailer. Defaults to --tt. - - mailerpath Path to mail program used to send warning mail. Defaults - to the path to sendmail found at configure time. - - mailfrom Address to use for the "from" address when sending warning - and error mail. The address should be enclosed in double - quotes ("") to protect against ssuuddoo interpreting the @ - sign. Defaults to the name of the user running ssuuddoo. - - mailto Address to send warning and error mail to. The address - should be enclosed in double quotes ("") to protect against - ssuuddoo interpreting the @ sign. Defaults to root. - - restricted_env_file - The _r_e_s_t_r_i_c_t_e_d___e_n_v___f_i_l_e option specifies the fully - qualified path to a file containing variables to be set in - the environment of the program being run. Entries in this - file should either be of the form "VARIABLE=value" or - "export VARIABLE=value". The value may optionally be - surrounded by single or double quotes. Variables in this - file are only added if the variable does not already exist - in the environment. Unlike _e_n_v___f_i_l_e, the file's contents - are not trusted and are processed in a manner similar to - that of the invoking user's environment. If _e_n_v___r_e_s_e_t is - enabled, variables in the file will only be added if they - are matched by either the _e_n_v___c_h_e_c_k or _e_n_v___k_e_e_p list. If - _e_n_v___r_e_s_e_t is disabled, variables in the file are added as - long as they are not matched by the _e_n_v___d_e_l_e_t_e list. In - either case, the contents of _r_e_s_t_r_i_c_t_e_d___e_n_v___f_i_l_e are - processed before the contents of _e_n_v___f_i_l_e. - - secure_path If set, ssuuddoo will use this value in place of the user's - PATH environment variable. This option can be used to - reset the PATH to a known good value that contains - directories for system administrator commands such as - _/_u_s_r_/_s_b_i_n. - - Users in the group specified by the _e_x_e_m_p_t___g_r_o_u_p option are - not affected by _s_e_c_u_r_e___p_a_t_h. This option is not set by - default. - - syslog Syslog facility if syslog is being used for logging (negate - to disable syslog logging). Defaults to auth. - - The following syslog facilities are supported: aauutthhpprriivv (if - your OS supports it), aauutthh, ddaaeemmoonn, uusseerr, llooccaall00, llooccaall11, - llooccaall22, llooccaall33, llooccaall44, llooccaall55, llooccaall66, and llooccaall77. - - syslog_badpri - Syslog priority to use when the user is not allowed to run - a command or when authentication is unsuccessful. Defaults - to alert. - - The following syslog priorities are supported: aalleerrtt, ccrriitt, - ddeebbuugg, eemmeerrgg, eerrrr, iinnffoo, nnoottiiccee, wwaarrnniinngg, and nnoonnee. - Negating the option or setting it to a value of nnoonnee will - disable logging of unsuccessful commands. - - syslog_goodpri - Syslog priority to use when the user is allowed to run a - command and authentication is successful. Defaults to - notice. - - See _s_y_s_l_o_g___b_a_d_p_r_i for the list of supported syslog - priorities. Negating the option or setting it to a value - of nnoonnee will disable logging of successful commands. - - verifypw This option controls when a password will be required when - a user runs ssuuddoo with the --vv option. It has the following - possible values: - - all All the user's _s_u_d_o_e_r_s file entries for the current - host must have the NOPASSWD flag set to avoid - entering a password. - - always The user must always enter a password to use the --vv - option. - - any At least one of the user's _s_u_d_o_e_r_s file entries for - the current host must have the NOPASSWD flag set to - avoid entering a password. - - never The user need never enter a password to use the --vv - option. - - If no value is specified, a value of _a_l_l is implied. - Negating the option results in a value of _n_e_v_e_r being used. - The default value is _a_l_l. - - LLiissttss tthhaatt ccaann bbee uusseedd iinn aa bboooolleeaann ccoonntteexxtt: - - env_check Environment variables to be removed from the user's - environment unless they are considered "safe". For all - variables except TZ, "safe" means that the variable's - value does not contain any `%' or `/' characters. This - can be used to guard against printf-style format - vulnerabilities in poorly-written programs. The TZ - variable is considered unsafe if any of the following - are true: - - ++oo It consists of a fully-qualified path name, - optionally prefixed with a colon (`:'), that does - not match the location of the _z_o_n_e_i_n_f_o directory. - - ++oo It contains a _._. path element. - - ++oo It contains white space or non-printable characters. - - ++oo It is longer than the value of PATH_MAX. - - The argument may be a double-quoted, space-separated - list or a single value without double-quotes. The list - can be replaced, added to, deleted from, or disabled by - using the =, +=, -=, and ! operators respectively. - Regardless of whether the env_reset option is enabled - or disabled, variables specified by env_check will be - preserved in the environment if they pass the - aforementioned check. The global list of environment - variables to check is displayed when ssuuddoo is run by - root with the --VV option. - - env_delete Environment variables to be removed from the user's - environment when the _e_n_v___r_e_s_e_t option is not in effect. - The argument may be a double-quoted, space-separated - list or a single value without double-quotes. The list - can be replaced, added to, deleted from, or disabled by - using the =, +=, -=, and ! operators respectively. The - global list of environment variables to remove is - displayed when ssuuddoo is run by root with the --VV option. - Note that many operating systems will remove - potentially dangerous variables from the environment of - any setuid process (such as ssuuddoo). - - env_keep Environment variables to be preserved in the user's - environment when the _e_n_v___r_e_s_e_t option is in effect. - This allows fine-grained control over the environment - ssuuddoo-spawned processes will receive. The argument may - be a double-quoted, space-separated list or a single - value without double-quotes. The list can be replaced, - added to, deleted from, or disabled by using the =, +=, - -=, and ! operators respectively. The global list of - variables to keep is displayed when ssuuddoo is run by root - with the --VV option. - -GGRROOUUPP PPRROOVVIIDDEERR PPLLUUGGIINNSS - The ssuuddooeerrss plugin supports its own plugin interface to allow non-Unix - group lookups which can query a group source other than the standard Unix - group database. This can be used to implement support for the - nonunix_group syntax described earlier. - - Group provider plugins are specified via the _g_r_o_u_p___p_l_u_g_i_n Defaults - setting. The argument to _g_r_o_u_p___p_l_u_g_i_n should consist of the plugin path, - either fully-qualified or relative to the _/_u_s_r_/_l_o_c_a_l_/_l_i_b_e_x_e_c_/_s_u_d_o - directory, followed by any configuration options the plugin requires. - These options (if specified) will be passed to the plugin's - initialization function. If options are present, the string must be - enclosed in double quotes (""). - - The following group provider plugins are installed by default: - - group_file - The _g_r_o_u_p___f_i_l_e plugin supports an alternate group file that - uses the same syntax as the _/_e_t_c_/_g_r_o_u_p file. The path to the - group file should be specified as an option to the plugin. For - example, if the group file to be used is _/_e_t_c_/_s_u_d_o_-_g_r_o_u_p: - - Defaults group_plugin="group_file.so /etc/sudo-group" - - system_group - The _s_y_s_t_e_m___g_r_o_u_p plugin supports group lookups via the standard - C library functions ggeettggrrnnaamm() and ggeettggrriidd(). This plugin can - be used in instances where the user belongs to groups not - present in the user's supplemental group vector. This plugin - takes no options: - - Defaults group_plugin=system_group.so - - The group provider plugin API is described in detail in sudo_plugin(4). - -LLOOGG FFOORRMMAATT - ssuuddooeerrss can log events using either syslog(3) or a simple log file. The - log format is almost identical in both cases. - - AAcccceepptteedd ccoommmmaanndd lloogg eennttrriieess - Commands that sudo runs are logged using the following format (split into - multiple lines for readability): - - date hostname progname: username : TTY=ttyname ; PWD=cwd ; \ - USER=runasuser ; GROUP=runasgroup ; TSID=logid ; \ - ENV=env_vars COMMAND=command - - Where the fields are as follows: - - date The date the command was run. Typically, this is in the - format "MMM, DD, HH:MM:SS". If logging via syslog(3), the - actual date format is controlled by the syslog daemon. If - logging to a file and the _l_o_g___y_e_a_r option is enabled, the - date will also include the year. - - hostname The name of the host ssuuddoo was run on. This field is only - present when logging via syslog(3). - - progname The name of the program, usually _s_u_d_o or _s_u_d_o_e_d_i_t. This - field is only present when logging via syslog(3). - - username The login name of the user who ran ssuuddoo. - - ttyname The short name of the terminal (e.g., "console", "tty01", - or "pts/0") ssuuddoo was run on, or "unknown" if there was no - terminal present. - - cwd The current working directory that ssuuddoo was run in. - - runasuser The user the command was run as. - - runasgroup The group the command was run as if one was specified on - the command line. - - logid An I/O log identifier that can be used to replay the - command's output. This is only present when the _l_o_g___i_n_p_u_t - or _l_o_g___o_u_t_p_u_t option is enabled. - - env_vars A list of environment variables specified on the command - line, if specified. - - command The actual command that was executed. - - Messages are logged using the locale specified by _s_u_d_o_e_r_s___l_o_c_a_l_e, which - defaults to the "C" locale. - - DDeenniieedd ccoommmmaanndd lloogg eennttrriieess - If the user is not allowed to run the command, the reason for the denial - will follow the user name. Possible reasons include: - - user NOT in sudoers - The user is not listed in the _s_u_d_o_e_r_s file. - - user NOT authorized on host - The user is listed in the _s_u_d_o_e_r_s file but is not allowed to run - commands on the host. - - command not allowed - The user is listed in the _s_u_d_o_e_r_s file for the host but they are not - allowed to run the specified command. - - 3 incorrect password attempts - The user failed to enter their password after 3 tries. The actual - number of tries will vary based on the number of failed attempts and - the value of the _p_a_s_s_w_d___t_r_i_e_s option. - - a password is required - ssuuddoo's --nn option was specified but a password was required. - - sorry, you are not allowed to set the following environment variables - The user specified environment variables on the command line that were - not allowed by _s_u_d_o_e_r_s. - - EErrrroorr lloogg eennttrriieess - If an error occurs, ssuuddooeerrss will log a message and, in most cases, send a - message to the administrator via email. Possible errors include: - - parse error in /etc/sudoers near line N - ssuuddooeerrss encountered an error when parsing the specified file. In some - cases, the actual error may be one line above or below the line number - listed, depending on the type of error. - - problem with defaults entries - The _s_u_d_o_e_r_s file contains one or more unknown Defaults settings. This - does not prevent ssuuddoo from running, but the _s_u_d_o_e_r_s file should be - checked using vviissuuddoo. - - timestamp owner (username): No such user - The time stamp directory owner, as specified by the _t_i_m_e_s_t_a_m_p_o_w_n_e_r - setting, could not be found in the password database. - - unable to open/read /etc/sudoers - The _s_u_d_o_e_r_s file could not be opened for reading. This can happen - when the _s_u_d_o_e_r_s file is located on a remote file system that maps - user ID 0 to a different value. Normally, ssuuddooeerrss tries to open the - _s_u_d_o_e_r_s file using group permissions to avoid this problem. Consider - either changing the ownership of _/_e_t_c_/_s_u_d_o_e_r_s or adding an argument - like "sudoers_uid=N" (where `N' is the user ID that owns the _s_u_d_o_e_r_s - file) to the end of the ssuuddooeerrss Plugin line in the sudo.conf(4) file. - - unable to stat /etc/sudoers - The _/_e_t_c_/_s_u_d_o_e_r_s file is missing. - - /etc/sudoers is not a regular file - The _/_e_t_c_/_s_u_d_o_e_r_s file exists but is not a regular file or symbolic - link. - - /etc/sudoers is owned by uid N, should be 0 - The _s_u_d_o_e_r_s file has the wrong owner. If you wish to change the - _s_u_d_o_e_r_s file owner, please add "sudoers_uid=N" (where `N' is the user - ID that owns the _s_u_d_o_e_r_s file) to the ssuuddooeerrss Plugin line in the - sudo.conf(4) file. - - /etc/sudoers is world writable - The permissions on the _s_u_d_o_e_r_s file allow all users to write to it. - The _s_u_d_o_e_r_s file must not be world-writable, the default file mode is - 0440 (readable by owner and group, writable by none). The default - mode may be changed via the "sudoers_mode" option to the ssuuddooeerrss - Plugin line in the sudo.conf(4) file. - - /etc/sudoers is owned by gid N, should be 1 - The _s_u_d_o_e_r_s file has the wrong group ownership. If you wish to change - the _s_u_d_o_e_r_s file group ownership, please add "sudoers_gid=N" (where - `N' is the group ID that owns the _s_u_d_o_e_r_s file) to the ssuuddooeerrss Plugin - line in the sudo.conf(4) file. - - unable to open /var/run/sudo/ts/username - ssuuddooeerrss was unable to read or create the user's time stamp file. This - can happen when _t_i_m_e_s_t_a_m_p_o_w_n_e_r is set to a user other than root and - the mode on _/_v_a_r_/_r_u_n_/_s_u_d_o is not searchable by group or other. The - default mode for _/_v_a_r_/_r_u_n_/_s_u_d_o is 0711. - - unable to write to /var/run/sudo/ts/username - ssuuddooeerrss was unable to write to the user's time stamp file. - - /var/run/sudo/ts is owned by uid X, should be Y - The time stamp directory is owned by a user other than _t_i_m_e_s_t_a_m_p_o_w_n_e_r. - This can occur when the value of _t_i_m_e_s_t_a_m_p_o_w_n_e_r has been changed. - ssuuddooeerrss will ignore the time stamp directory until the owner is - corrected. - - /var/run/sudo/ts is group writable - The time stamp directory is group-writable; it should be writable only - by _t_i_m_e_s_t_a_m_p_o_w_n_e_r. The default mode for the time stamp directory is - 0700. ssuuddooeerrss will ignore the time stamp directory until the mode is - corrected. - - NNootteess oonn llooggggiinngg vviiaa ssyysslloogg - By default, ssuuddooeerrss logs messages via syslog(3). The _d_a_t_e, _h_o_s_t_n_a_m_e, and - _p_r_o_g_n_a_m_e fields are added by the system's ssyysslloogg() function, not ssuuddooeerrss - itself. As such, they may vary in format on different systems. - - The maximum size of syslog messages varies from system to system. The - _s_y_s_l_o_g___m_a_x_l_e_n setting can be used to change the maximum syslog message - size from the default value of 980 bytes. For more information, see the - description of _s_y_s_l_o_g___m_a_x_l_e_n. - - NNootteess oonn llooggggiinngg ttoo aa ffiillee - If the _l_o_g_f_i_l_e option is set, ssuuddooeerrss will log to a local file, such as - _/_v_a_r_/_l_o_g_/_s_u_d_o. When logging to a file, ssuuddooeerrss uses a format similar to - syslog(3), with a few important differences: - - 1. The _p_r_o_g_n_a_m_e and _h_o_s_t_n_a_m_e fields are not present. - - 2. If the _l_o_g___y_e_a_r option is enabled, the date will also include the - year. - - 3. Lines that are longer than _l_o_g_l_i_n_e_l_e_n characters (80 by default) are - word-wrapped and continued on the next line with a four character - indent. This makes entries easier to read for a human being, but - makes it more difficult to use grep(1) on the log files. If the - _l_o_g_l_i_n_e_l_e_n option is set to 0 (or negated with a `!'), word wrap - will be disabled. - -II//OO LLOOGG FFIILLEESS - When I/O logging is enabled, ssuuddoo will run the command in a pseudo-tty - and log all user input and/or output, depending on which options are - enabled. I/O is logged to the directory specified by the _i_o_l_o_g___d_i_r - option (_/_v_a_r_/_l_o_g_/_s_u_d_o_-_i_o by default) using a unique session ID that is - included in the ssuuddoo log line, prefixed with "TSID=". The _i_o_l_o_g___f_i_l_e - option may be used to control the format of the session ID. - - Each I/O log is stored in a separate directory that contains the - following files: - - _l_o_g a text file containing the time the command was run, the name - of the user who ran ssuuddoo, the name of the target user, the name - of the target group (optional), the terminal that ssuuddoo was run - from, the number of rows and columns of the terminal, the - working directory the command was run from and the path name of - the command itself (with arguments if present) - - _t_i_m_i_n_g a log of the amount of time between, and the number of bytes - in, each I/O log entry (used for session playback) - - _t_t_y_i_n input from the user's tty (what the user types) - - _s_t_d_i_n input from a pipe or file - - _t_t_y_o_u_t output from the pseudo-tty (what the command writes to the - screen) - - _s_t_d_o_u_t standard output to a pipe or redirected to a file - - _s_t_d_e_r_r standard error to a pipe or redirected to a file - - All files other than _l_o_g are compressed in gzip format unless the - _c_o_m_p_r_e_s_s___i_o flag has been disabled. Due to buffering, it is not normally - possible to display the I/O logs in real-time as the program is executing - The I/O log data will not be complete until the program run by ssuuddoo has - exited or has been terminated by a signal. The _i_o_l_o_g___f_l_u_s_h flag can be - used to disable buffering, in which case I/O log data is written to disk - as soon as it is available. The output portion of an I/O log file can be - viewed with the sudoreplay(1m) utility, which can also be used to list or - search the available logs. - - Note that user input may contain sensitive information such as passwords - (even if they are not echoed to the screen), which will be stored in the - log file unencrypted. In most cases, logging the command output via - _l_o_g___o_u_t_p_u_t or LOG_OUTPUT is all that is required. - - Since each session's I/O logs are stored in a separate directory, - traditional log rotation utilities cannot be used to limit the number of - I/O logs. The simplest way to limit the number of I/O is by setting the - _m_a_x_s_e_q option to the maximum number of logs you wish to store. Once the - I/O log sequence number reaches _m_a_x_s_e_q, it will be reset to zero and - ssuuddooeerrss will truncate and re-use any existing I/O logs. - -FFIILLEESS - _/_e_t_c_/_s_u_d_o_._c_o_n_f Sudo front end configuration - - _/_e_t_c_/_s_u_d_o_e_r_s List of who can run what - - _/_e_t_c_/_g_r_o_u_p Local groups file - - _/_e_t_c_/_n_e_t_g_r_o_u_p List of network groups - - _/_v_a_r_/_l_o_g_/_s_u_d_o_-_i_o I/O log files - - _/_v_a_r_/_r_u_n_/_s_u_d_o_/_t_s Directory containing time stamps for the - ssuuddooeerrss security policy - - _/_v_a_r_/_a_d_m_/_s_u_d_o_/_l_e_c_t_u_r_e_d Directory containing lecture status files for - the ssuuddooeerrss security policy - - _/_e_t_c_/_e_n_v_i_r_o_n_m_e_n_t Initial environment for --ii mode on AIX and - Linux systems - -EEXXAAMMPPLLEESS - Below are example _s_u_d_o_e_r_s file entries. Admittedly, some of these are a - bit contrived. First, we allow a few environment variables to pass and - then define our _a_l_i_a_s_e_s: - - # Run X applications through sudo; HOME is used to find the - # .Xauthority file. Note that other programs use HOME to find - # configuration files and this may lead to privilege escalation! - Defaults env_keep += "DISPLAY HOME" - - # User alias specification - User_Alias FULLTIMERS = millert, mikef, dowdy - User_Alias PARTTIMERS = bostley, jwfox, crawl - User_Alias WEBMASTERS = will, wendy, wim - - # Runas alias specification - Runas_Alias OP = root, operator - Runas_Alias DB = oracle, sybase - Runas_Alias ADMINGRP = adm, oper - - # Host alias specification - Host_Alias SPARC = bigtime, eclipse, moet, anchor :\ - SGI = grolsch, dandelion, black :\ - ALPHA = widget, thalamus, foobar :\ - HPPA = boa, nag, python - Host_Alias CUNETS = 128.138.0.0/255.255.0.0 - Host_Alias CSNETS = 128.138.243.0, 128.138.204.0/24, 128.138.242.0 - Host_Alias SERVERS = master, mail, www, ns - Host_Alias CDROM = orion, perseus, hercules - - # Cmnd alias specification - Cmnd_Alias DUMPS = /usr/bin/mt, /usr/sbin/dump, /usr/sbin/rdump,\ - /usr/sbin/restore, /usr/sbin/rrestore,\ - sha224:0GomF8mNN3wlDt1HD9XldjJ3SNgpFdbjO1+NsQ== \ - /home/operator/bin/start_backups - Cmnd_Alias KILL = /usr/bin/kill - Cmnd_Alias PRINTING = /usr/sbin/lpc, /usr/bin/lprm - Cmnd_Alias SHUTDOWN = /usr/sbin/shutdown - Cmnd_Alias HALT = /usr/sbin/halt - Cmnd_Alias REBOOT = /usr/sbin/reboot - Cmnd_Alias SHELLS = /usr/bin/sh, /usr/bin/csh, /usr/bin/ksh,\ - /usr/local/bin/tcsh, /usr/bin/rsh,\ - /usr/local/bin/zsh - Cmnd_Alias SU = /usr/bin/su - Cmnd_Alias PAGERS = /usr/bin/more, /usr/bin/pg, /usr/bin/less - - Here we override some of the compiled in default values. We want ssuuddoo to - log via syslog(3) using the _a_u_t_h facility in all cases. We don't want to - subject the full time staff to the ssuuddoo lecture, user mmiilllleerrtt need not - give a password, and we don't want to reset the LOGNAME or USER - environment variables when running commands as root. Additionally, on - the machines in the _S_E_R_V_E_R_S Host_Alias, we keep an additional local log - file and make sure we log the year in each log line since the log entries - will be kept around for several years. Lastly, we disable shell escapes - for the commands in the PAGERS Cmnd_Alias (_/_u_s_r_/_b_i_n_/_m_o_r_e, _/_u_s_r_/_b_i_n_/_p_g and - _/_u_s_r_/_b_i_n_/_l_e_s_s). Note that this will not effectively constrain users with - ssuuddoo AALLLL privileges. - - # Override built-in defaults - Defaults syslog=auth - Defaults>root !set_logname - Defaults:FULLTIMERS !lecture - Defaults:millert !authenticate - Defaults@SERVERS log_year, logfile=/var/log/sudo.log - Defaults!PAGERS noexec - - The _U_s_e_r _s_p_e_c_i_f_i_c_a_t_i_o_n is the part that actually determines who may run - what. - - root ALL = (ALL) ALL - %wheel ALL = (ALL) ALL - - We let rroooott and any user in group wwhheeeell run any command on any host as - any user. - - FULLTIMERS ALL = NOPASSWD: ALL - - Full time sysadmins (mmiilllleerrtt, mmiikkeeff, and ddoowwddyy) may run any command on - any host without authenticating themselves. - - PARTTIMERS ALL = ALL - - Part time sysadmins bboossttlleeyy, jjwwffooxx, and ccrraawwll) may run any command on any - host but they must authenticate themselves first (since the entry lacks - the NOPASSWD tag). - - jack CSNETS = ALL - - The user jjaacckk may run any command on the machines in the _C_S_N_E_T_S alias - (the networks 128.138.243.0, 128.138.204.0, and 128.138.242.0). Of those - networks, only 128.138.204.0 has an explicit netmask (in CIDR notation) - indicating it is a class C network. For the other networks in _C_S_N_E_T_S, - the local machine's netmask will be used during matching. - - lisa CUNETS = ALL - - The user lliissaa may run any command on any host in the _C_U_N_E_T_S alias (the - class B network 128.138.0.0). - - operator ALL = DUMPS, KILL, SHUTDOWN, HALT, REBOOT, PRINTING,\ - sudoedit /etc/printcap, /usr/oper/bin/ - - The ooppeerraattoorr user may run commands limited to simple maintenance. Here, - those are commands related to backups, killing processes, the printing - system, shutting down the system, and any commands in the directory - _/_u_s_r_/_o_p_e_r_/_b_i_n_/. Note that one command in the DUMPS Cmnd_Alias includes a - sha224 digest, _/_h_o_m_e_/_o_p_e_r_a_t_o_r_/_b_i_n_/_s_t_a_r_t___b_a_c_k_u_p_s. This is because the - directory containing the script is writable by the operator user. If the - script is modified (resulting in a digest mismatch) it will no longer be - possible to run it via ssuuddoo. - - joe ALL = /usr/bin/su operator - - The user jjooee may only su(1) to operator. - - pete HPPA = /usr/bin/passwd [A-Za-z]*, !/usr/bin/passwd *root* - - %opers ALL = (: ADMINGRP) /usr/sbin/ - - Users in the ooppeerrss group may run commands in _/_u_s_r_/_s_b_i_n_/ as themselves - with any group in the _A_D_M_I_N_G_R_P Runas_Alias (the aaddmm and ooppeerr groups). - - The user ppeettee is allowed to change anyone's password except for root on - the _H_P_P_A machines. Because command line arguments are matched as a - single, concatenated string, the `*' wildcard will match _m_u_l_t_i_p_l_e words. - This example assumes that passwd(1) does not take multiple user names on - the command line. Note that on GNU systems, options to passwd(1) may be - specified after the user argument. As a result, this rule will also - allow: - - passwd username --expire - - which may not be desirable. - - bob SPARC = (OP) ALL : SGI = (OP) ALL - - The user bboobb may run anything on the _S_P_A_R_C and _S_G_I machines as any user - listed in the _O_P Runas_Alias (rroooott and ooppeerraattoorr.) - - jim +biglab = ALL - - The user jjiimm may run any command on machines in the _b_i_g_l_a_b netgroup. - ssuuddoo knows that "biglab" is a netgroup due to the `+' prefix. - - +secretaries ALL = PRINTING, /usr/bin/adduser, /usr/bin/rmuser - - Users in the sseeccrreettaarriieess netgroup need to help manage the printers as - well as add and remove users, so they are allowed to run those commands - on all machines. - - fred ALL = (DB) NOPASSWD: ALL - - The user ffrreedd can run commands as any user in the _D_B Runas_Alias (oorraaccllee - or ssyybbaassee) without giving a password. - - john ALPHA = /usr/bin/su [!-]*, !/usr/bin/su *root* - - On the _A_L_P_H_A machines, user jjoohhnn may su to anyone except root but he is - not allowed to specify any options to the su(1) command. - - jen ALL, !SERVERS = ALL - - The user jjeenn may run any command on any machine except for those in the - _S_E_R_V_E_R_S Host_Alias (master, mail, www and ns). - - jill SERVERS = /usr/bin/, !SU, !SHELLS - - For any machine in the _S_E_R_V_E_R_S Host_Alias, jjiillll may run any commands in - the directory _/_u_s_r_/_b_i_n_/ except for those commands belonging to the _S_U and - _S_H_E_L_L_S Cmnd_Aliases. While not specifically mentioned in the rule, the - commands in the _P_A_G_E_R_S Cmnd_Alias all reside in _/_u_s_r_/_b_i_n and have the - _n_o_e_x_e_c option set. - - steve CSNETS = (operator) /usr/local/op_commands/ - - The user sstteevvee may run any command in the directory - /usr/local/op_commands/ but only as user operator. - - matt valkyrie = KILL - - On his personal workstation, valkyrie, mmaatttt needs to be able to kill hung - processes. - - WEBMASTERS www = (www) ALL, (root) /usr/bin/su www - - On the host www, any user in the _W_E_B_M_A_S_T_E_R_S User_Alias (will, wendy, and - wim), may run any command as user www (which owns the web pages) or - simply su(1) to www. - - ALL CDROM = NOPASSWD: /sbin/umount /CDROM,\ - /sbin/mount -o nosuid\,nodev /dev/cd0a /CDROM - - Any user may mount or unmount a CD-ROM on the machines in the CDROM - Host_Alias (orion, perseus, hercules) without entering a password. This - is a bit tedious for users to type, so it is a prime candidate for - encapsulating in a shell script. - -SSEECCUURRIITTYY NNOOTTEESS - LLiimmiittaattiioonnss ooff tthhee ``!!'' ooppeerraattoorr - It is generally not effective to "subtract" commands from AALLLL using the - `!' operator. A user can trivially circumvent this by copying the - desired command to a different name and then executing that. For - example: - - bill ALL = ALL, !SU, !SHELLS - - Doesn't really prevent bbiillll from running the commands listed in _S_U or - _S_H_E_L_L_S since he can simply copy those commands to a different name, or - use a shell escape from an editor or other program. Therefore, these - kind of restrictions should be considered advisory at best (and - reinforced by policy). - - In general, if a user has sudo AALLLL there is nothing to prevent them from - creating their own program that gives them a root shell (or making their - own copy of a shell) regardless of any `!' elements in the user - specification. - - SSeeccuurriittyy iimmpplliiccaattiioonnss ooff _f_a_s_t___g_l_o_b - If the _f_a_s_t___g_l_o_b option is in use, it is not possible to reliably negate - commands where the path name includes globbing (aka wildcard) characters. - This is because the C library's fnmatch(3) function cannot resolve - relative paths. While this is typically only an inconvenience for rules - that grant privileges, it can result in a security issue for rules that - subtract or revoke privileges. - - For example, given the following _s_u_d_o_e_r_s file entry: - - john ALL = /usr/bin/passwd [a-zA-Z0-9]*, /usr/bin/chsh [a-zA-Z0-9]*,\ - /usr/bin/chfn [a-zA-Z0-9]*, !/usr/bin/* root - - User jjoohhnn can still run /usr/bin/passwd root if _f_a_s_t___g_l_o_b is enabled by - changing to _/_u_s_r_/_b_i_n and running ./passwd root instead. - - PPrreevveennttiinngg sshheellll eessccaappeess - Once ssuuddoo executes a program, that program is free to do whatever it - pleases, including run other programs. This can be a security issue - since it is not uncommon for a program to allow shell escapes, which lets - a user bypass ssuuddoo's access control and logging. Common programs that - permit shell escapes include shells (obviously), editors, paginators, - mail and terminal programs. - - There are two basic approaches to this problem: - - restrict Avoid giving users access to commands that allow the user to - run arbitrary commands. Many editors have a restricted mode - where shell escapes are disabled, though ssuuddooeeddiitt is a better - solution to running editors via ssuuddoo. Due to the large number - of programs that offer shell escapes, restricting users to the - set of programs that do not is often unworkable. - - noexec Many systems that support shared libraries have the ability to - override default library functions by pointing an environment - variable (usually LD_PRELOAD) to an alternate shared library. - On such systems, ssuuddoo's _n_o_e_x_e_c functionality can be used to - prevent a program run by ssuuddoo from executing any other - programs. Note, however, that this applies only to native - dynamically-linked executables. Statically-linked executables - and foreign executables running under binary emulation are not - affected. - - The _n_o_e_x_e_c feature is known to work on SunOS, Solaris, *BSD, - Linux, IRIX, Tru64 UNIX, macOS, HP-UX 11.x and AIX 5.3 and - above. It should be supported on most operating systems that - support the LD_PRELOAD environment variable. Check your - operating system's manual pages for the dynamic linker (usually - ld.so, ld.so.1, dyld, dld.sl, rld, or loader) to see if - LD_PRELOAD is supported. - - On Solaris 10 and higher, _n_o_e_x_e_c uses Solaris privileges - instead of the LD_PRELOAD environment variable. - - To enable _n_o_e_x_e_c for a command, use the NOEXEC tag as - documented in the User Specification section above. Here is - that example again: - - aaron shanty = NOEXEC: /usr/bin/more, /usr/bin/vi - - This allows user aaaarroonn to run _/_u_s_r_/_b_i_n_/_m_o_r_e and _/_u_s_r_/_b_i_n_/_v_i - with _n_o_e_x_e_c enabled. This will prevent those two commands from - executing other commands (such as a shell). If you are unsure - whether or not your system is capable of supporting _n_o_e_x_e_c you - can always just try it out and check whether shell escapes work - when _n_o_e_x_e_c is enabled. - - Note that restricting shell escapes is not a panacea. Programs running - as root are still capable of many potentially hazardous operations (such - as changing or overwriting files) that could lead to unintended privilege - escalation. In the specific case of an editor, a safer approach is to - give the user permission to run ssuuddooeeddiitt (see below). - - SSeeccuurree eeddiittiinngg - The ssuuddooeerrss plugin includes ssuuddooeeddiitt support which allows users to - securely edit files with the editor of their choice. As ssuuddooeeddiitt is a - built-in command, it must be specified in the _s_u_d_o_e_r_s file without a - leading path. However, it may take command line arguments just as a - normal command does. Wildcards used in _s_u_d_o_e_d_i_t command line arguments - are expected to be path names, so a forward slash (`/') will not be - matched by a wildcard. - - Unlike other ssuuddoo commands, the editor is run with the permissions of the - invoking user and with the environment unmodified. More information may - be found in the description of the --ee option in sudo(1m). - - For example, to allow user operator to edit the "message of the day" - file: - - operator sudoedit /etc/motd - - The operator user then runs ssuuddooeeddiitt as follows: - - $ sudoedit /etc/motd - - The editor will run as the operator user, not root, on a temporary copy - of _/_e_t_c_/_m_o_t_d. After the file has been edited, _/_e_t_c_/_m_o_t_d will be updated - with the contents of the temporary copy. - - Users should _n_e_v_e_r be granted ssuuddooeeddiitt permission to edit a file that - resides in a directory the user has write access to, either directly or - via a wildcard. If the user has write access to the directory it is - possible to replace the legitimate file with a link to another file, - allowing the editing of arbitrary files. To prevent this, starting with - version 1.8.16, symbolic links will not be followed in writable - directories and ssuuddooeeddiitt will refuse to edit a file located in a writable - directory unless the _s_u_d_o_e_d_i_t___c_h_e_c_k_d_i_r option has been disabled or the - invoking user is root. Additionally, in version 1.8.15 and higher, - ssuuddooeeddiitt will refuse to open a symbolic link unless either the - _s_u_d_o_e_d_i_t___f_o_l_l_o_w option is enabled or the _s_u_d_o_e_d_i_t command is prefixed - with the FOLLOW tag in the _s_u_d_o_e_r_s file. - - TTiimmee ssttaammpp ffiillee cchheecckkss - ssuuddooeerrss will check the ownership of its time stamp directory - (_/_v_a_r_/_r_u_n_/_s_u_d_o_/_t_s by default) and ignore the directory's contents if it - is not owned by root or if it is writable by a user other than root. - Older versions of ssuuddoo stored time stamp files in _/_t_m_p; this is no longer - recommended as it may be possible for a user to create the time stamp - themselves on systems that allow unprivileged users to change the - ownership of files they create. - - While the time stamp directory _s_h_o_u_l_d be cleared at reboot time, not all - systems contain a _/_r_u_n or _/_v_a_r_/_r_u_n directory. To avoid potential - problems, ssuuddooeerrss will ignore time stamp files that date from before the - machine booted on systems where the boot time is available. - - Some systems with graphical desktop environments allow unprivileged users - to change the system clock. Since ssuuddooeerrss relies on the system clock for - time stamp validation, it may be possible on such systems for a user to - run ssuuddoo for longer than _t_i_m_e_s_t_a_m_p___t_i_m_e_o_u_t by setting the clock back. To - combat this, ssuuddooeerrss uses a monotonic clock (which never moves backwards) - for its time stamps if the system supports it. - - ssuuddooeerrss will not honor time stamps set far in the future. Time stamps - with a date greater than current_time + 2 * TIMEOUT will be ignored and - ssuuddooeerrss will log and complain. - - If the _t_i_m_e_s_t_a_m_p___t_y_p_e option is set to "tty", the time stamp record - includes the device number of the terminal the user authenticated with. - This provides per-terminal granularity but time stamp records may still - outlive the user's session. - - Unless the _t_i_m_e_s_t_a_m_p___t_y_p_e option is set to "global", the time stamp - record also includes the session ID of the process that last - authenticated. This prevents processes in different terminal sessions - from using the same time stamp record. On systems where a process's - start time can be queried, the start time of the session leader is - recorded in the time stamp record. If no terminal is present or the - _t_i_m_e_s_t_a_m_p___t_y_p_e option is set to "ppid", the start time of the parent - process is used instead. In most cases this will prevent a time stamp - record from being re-used without the user entering a password when - logging out and back in again. - -DDEEBBUUGGGGIINNGG - Versions 1.8.4 and higher of the ssuuddooeerrss plugin support a flexible - debugging framework that can help track down what the plugin is doing - internally if there is a problem. This can be configured in the - sudo.conf(4) file. - - The ssuuddooeerrss plugin uses the same debug flag format as the ssuuddoo front-end: - _s_u_b_s_y_s_t_e_m@_p_r_i_o_r_i_t_y. - - The priorities used by ssuuddooeerrss, in order of decreasing severity, are: - _c_r_i_t, _e_r_r, _w_a_r_n, _n_o_t_i_c_e, _d_i_a_g, _i_n_f_o, _t_r_a_c_e and _d_e_b_u_g. Each priority, - when specified, also includes all priorities higher than it. For - example, a priority of _n_o_t_i_c_e would include debug messages logged at - _n_o_t_i_c_e and higher. - - The following subsystems are used by the ssuuddooeerrss plugin: - - _a_l_i_a_s User_Alias, Runas_Alias, Host_Alias and Cmnd_Alias processing - - _a_l_l matches every subsystem - - _a_u_d_i_t BSM and Linux audit code - - _a_u_t_h user authentication - - _d_e_f_a_u_l_t_s _s_u_d_o_e_r_s file _D_e_f_a_u_l_t_s settings - - _e_n_v environment handling - - _l_d_a_p LDAP-based sudoers - - _l_o_g_g_i_n_g logging support - - _m_a_t_c_h matching of users, groups, hosts and netgroups in the _s_u_d_o_e_r_s - file - - _n_e_t_i_f network interface handling - - _n_s_s network service switch handling in ssuuddooeerrss - - _p_a_r_s_e_r _s_u_d_o_e_r_s file parsing - - _p_e_r_m_s permission setting - - _p_l_u_g_i_n The equivalent of _m_a_i_n for the plugin. - - _p_t_y pseudo-tty related code - - _r_b_t_r_e_e redblack tree internals - - _s_s_s_d SSSD-based sudoers - - _u_t_i_l utility functions - For example: - - Debug sudo /var/log/sudo_debug match@info,nss@info - - For more information, see the sudo.conf(4) manual. - -SSEEEE AALLSSOO - ssh(1), su(1), fnmatch(3), glob(3), mktemp(3), strftime(3), sudo.conf(4), - sudo_plugin(4), sudoers.ldap(4), sudoers_timestamp(4), sudo(1m), visudo(1m) - -AAUUTTHHOORRSS - Many people have worked on ssuuddoo over the years; this version consists of - code written primarily by: - - Todd C. Miller - - See the CONTRIBUTORS file in the ssuuddoo distribution - (https://www.sudo.ws/contributors.html) for an exhaustive list of people - who have contributed to ssuuddoo. - -CCAAVVEEAATTSS - The _s_u_d_o_e_r_s file should aallwwaayyss be edited by the vviissuuddoo command which - locks the file and does grammatical checking. It is imperative that the - _s_u_d_o_e_r_s file be free of syntax errors since ssuuddoo will not run with a - syntactically incorrect _s_u_d_o_e_r_s file. - - When using netgroups of machines (as opposed to users), if you store - fully qualified host name in the netgroup (as is usually the case), you - either need to have the machine's host name be fully qualified as - returned by the hostname command or use the _f_q_d_n option in _s_u_d_o_e_r_s. - -BBUUGGSS - If you feel you have found a bug in ssuuddoo, please submit a bug report at - https://bugzilla.sudo.ws/ - -SSUUPPPPOORRTT - Limited free support is available via the sudo-users mailing list, see - https://www.sudo.ws/mailman/listinfo/sudo-users to subscribe or search - the archives. - -DDIISSCCLLAAIIMMEERR - ssuuddoo is provided "AS IS" and any express or implied warranties, - including, but not limited to, the implied warranties of merchantability - and fitness for a particular purpose are disclaimed. See the LICENSE - file distributed with ssuuddoo or https://www.sudo.ws/license.html for - complete details. - -Sudo 1.8.28 June 20, 2019 Sudo 1.8.28 diff --git a/doc/sudoers.ldap.cat b/doc/sudoers.ldap.cat deleted file mode 100644 index c538f88bd..000000000 --- a/doc/sudoers.ldap.cat +++ /dev/null @@ -1,1033 +0,0 @@ -SUDOERS.LDAP(4) File Formats Manual SUDOERS.LDAP(4) - -NNAAMMEE - ssuuddooeerrss..llddaapp - sudo LDAP configuration - -DDEESSCCRRIIPPTTIIOONN - In addition to the standard _s_u_d_o_e_r_s file, ssuuddoo may be configured via - LDAP. This can be especially useful for synchronizing _s_u_d_o_e_r_s in a - large, distributed environment. - - Using LDAP for _s_u_d_o_e_r_s has several benefits: - - ++oo ssuuddoo no longer needs to read _s_u_d_o_e_r_s in its entirety. When LDAP is - used, there are only two or three LDAP queries per invocation. This - makes it especially fast and particularly usable in LDAP environments. - - ++oo ssuuddoo no longer exits if there is a typo in _s_u_d_o_e_r_s. It is not - possible to load LDAP data into the server that does not conform to - the sudoers schema, so proper syntax is guaranteed. It is still - possible to have typos in a user or host name, but this will not - prevent ssuuddoo from running. - - ++oo It is possible to specify per-entry options that override the global - default options. _/_e_t_c_/_s_u_d_o_e_r_s only supports default options and - limited options associated with user/host/commands/aliases. The - syntax is complicated and can be difficult for users to understand. - Placing the options directly in the entry is more natural. - - ++oo The vviissuuddoo program is no longer needed. vviissuuddoo provides locking and - syntax checking of the _/_e_t_c_/_s_u_d_o_e_r_s file. Since LDAP updates are - atomic, locking is no longer necessary. Because syntax is checked - when the data is inserted into LDAP, there is no need for a - specialized tool to check syntax. - - SSUUDDOOeerrss LLDDAAPP ccoonnttaaiinneerr - The _s_u_d_o_e_r_s configuration is contained in the ou=SUDOers LDAP container. - - Sudo first looks for the cn=defaults entry in the SUDOers container. If - found, the multi-valued sudoOption attribute is parsed in the same manner - as a global Defaults line in _/_e_t_c_/_s_u_d_o_e_r_s. In the following example, the - SSH_AUTH_SOCK variable will be preserved in the environment for all - users. - - dn: cn=defaults,ou=SUDOers,dc=my-domain,dc=com - objectClass: top - objectClass: sudoRole - cn: defaults - description: Default sudoOption's go here - sudoOption: env_keep+=SSH_AUTH_SOCK - - The equivalent of a sudoer in LDAP is a sudoRole. It consists of the - following attributes: - - ssuuddooUUsseerr - A user name, user ID (prefixed with `#'), Unix group name or ID - (prefixed with `%' or `%#' respectively), user netgroup (prefixed - with `+'), or non-Unix group name or ID (prefixed with `%:' or - `%:#' respectively). User netgroups are matched using the user and - domain members only; the host member is not used when matching. - Non-Unix group support is only available when an appropriate - _g_r_o_u_p___p_l_u_g_i_n is defined in the global _d_e_f_a_u_l_t_s sudoRole object. - - ssuuddooHHoosstt - A host name, IP address, IP network, or host netgroup (prefixed - with a `+'). The special value ALL will match any host. Host - netgroups are matched using the host (both qualified and - unqualified) and domain members only; the user member is not used - when matching. If a sudoHost entry is preceded by an exclamation - point, `!', and the entry matches, the sudoRole in which it resides - will be ignored. Negated sudoHost entries are only supported by - version 1.8.18 or higher. - - ssuuddooCCoommmmaanndd - A fully-qualified Unix command name with optional command line - arguments, potentially including globbing characters (aka wild - cards). If a command name is preceded by an exclamation point, - `!', the user will be prohibited from running that command. - - The built-in command "sudoedit" is used to permit a user to run - ssuuddoo with the --ee option (or as ssuuddooeeddiitt). It may take command line - arguments just as a normal command does. Note that "sudoedit" is a - command built into ssuuddoo itself and must be specified in without a - leading path. - - The special value ALL will match any command. - - If a command name is prefixed with a SHA-2 digest, it will only be - allowed if the digest matches. This may be useful in situations - where the user invoking ssuuddoo has write access to the command or its - parent directory. The following digest formats are supported: - sha224, sha256, sha384 and sha512. The digest name must be - followed by a colon (`:') and then the actual digest, in either hex - or base64 format. For example, given the following value for - sudoCommand: - - sha224:0GomF8mNN3wlDt1HD9XldjJ3SNgpFdbjO1+NsQ /bin/ls - - The user may only run _/_b_i_n_/_l_s if its sha224 digest matches the - specified value. Command digests are only supported by version - 1.8.7 or higher. - - ssuuddooOOppttiioonn - Identical in function to the global options described above, but - specific to the sudoRole in which it resides. - - ssuuddooRRuunnAAssUUsseerr - A user name or uid (prefixed with `#') that commands may be run as - or a Unix group (prefixed with a `%') or user netgroup (prefixed - with a `+') that contains a list of users that commands may be run - as. The special value ALL will match any user. If a sudoRunAsUser - entry is preceded by an exclamation point, `!', and the entry - matches, the sudoRole in which it resides will be ignored. If - sudoRunAsUser is specified but empty, it will match the invoking - user. If neither sudoRunAsUser nor sudoRunAsGroup are present, the - value of the _r_u_n_a_s___d_e_f_a_u_l_t sudoOption is used (defaults to root). - - The sudoRunAsUser attribute is only available in ssuuddoo versions - 1.7.0 and higher. Older versions of ssuuddoo use the sudoRunAs - attribute instead. Negated sudoRunAsUser entries are only - supported by version 1.8.26 or higher. - - ssuuddooRRuunnAAssGGrroouupp - A Unix group or gid (prefixed with `#') that commands may be run - as. The special value ALL will match any group. If a - sudoRunAsGroup entry is preceded by an exclamation point, `!', and - the entry matches, the sudoRole in which it resides will be - ignored. - - The sudoRunAsGroup attribute is only available in ssuuddoo versions - 1.7.0 and higher. Negated sudoRunAsGroup entries are only - supported by version 1.8.26 or higher. - - ssuuddooNNoottBBeeffoorree - A timestamp in the form yyyymmddHHMMSSZ that can be used to provide - a start date/time for when the sudoRole will be valid. If multiple - sudoNotBefore entries are present, the earliest is used. Note that - timestamps must be in Coordinated Universal Time (UTC), not the - local timezone. The minute and seconds portions are optional, but - some LDAP servers require that they be present (contrary to the - RFC). - - The sudoNotBefore attribute is only available in ssuuddoo versions - 1.7.5 and higher and must be explicitly enabled via the - SSUUDDOOEERRSS__TTIIMMEEDD option in _/_e_t_c_/_l_d_a_p_._c_o_n_f. - - ssuuddooNNoottAAfftteerr - A timestamp in the form yyyymmddHHMMSSZ that indicates an - expiration date/time, after which the sudoRole will no longer be - valid. If multiple sudoNotAfter entries are present, the last one - is used. Note that timestamps must be in Coordinated Universal - Time (UTC), not the local timezone. The minute and seconds - portions are optional, but some LDAP servers require that they be - present (contrary to the RFC). - - The sudoNotAfter attribute is only available in ssuuddoo versions 1.7.5 - and higher and must be explicitly enabled via the SSUUDDOOEERRSS__TTIIMMEEDD - option in _/_e_t_c_/_l_d_a_p_._c_o_n_f. - - ssuuddooOOrrddeerr - The sudoRole entries retrieved from the LDAP directory have no - inherent order. The sudoOrder attribute is an integer (or floating - point value for LDAP servers that support it) that is used to sort - the matching entries. This allows LDAP-based sudoers entries to - more closely mimic the behavior of the sudoers file, where the - order of the entries influences the result. If multiple entries - match, the entry with the highest sudoOrder attribute is chosen. - This corresponds to the "last match" behavior of the sudoers file. - If the sudoOrder attribute is not present, a value of 0 is assumed. - - The sudoOrder attribute is only available in ssuuddoo versions 1.7.5 - and higher. - - Each attribute listed above should contain a single value, but there may - be multiple instances of each attribute type. A sudoRole must contain at - least one sudoUser, sudoHost and sudoCommand. - - The following example allows users in group wheel to run any command on - any host via ssuuddoo: - - dn: cn=%wheel,ou=SUDOers,dc=my-domain,dc=com - objectClass: top - objectClass: sudoRole - cn: %wheel - sudoUser: %wheel - sudoHost: ALL - sudoCommand: ALL - - AAnnaattoommyy ooff LLDDAAPP ssuuddooeerrss llooookkuupp - When looking up a sudoer using LDAP there are only two or three LDAP - queries per invocation. The first query is to parse the global options. - The second is to match against the user's name and the groups that the - user belongs to. (The special ALL tag is matched in this query too.) If - no match is returned for the user's name and groups, a third query - returns all entries containing user netgroups and other non-Unix groups - and checks to see if the user belongs to any of them. - - If timed entries are enabled with the SSUUDDOOEERRSS__TTIIMMEEDD configuration - directive, the LDAP queries include a sub-filter that limits retrieval to - entries that satisfy the time constraints, if any. - - If the NNEETTGGRROOUUPP__BBAASSEE configuration directive is present (see _C_o_n_f_i_g_u_r_i_n_g - _l_d_a_p_._c_o_n_f below), queries are performed to determine the list of - netgroups the user belongs to before the sudoers query. This makes it - possible to include netgroups in the sudoers query string in the same - manner as Unix groups. The third query mentioned above is not performed - unless a group provider plugin is also configured. The actual LDAP - queries performed by ssuuddoo are as follows: - - 1. Match all nisNetgroup records with a nisNetgroupTriple containing - the user, host and NIS domain. The query will match - nisNetgroupTriple entries with either the short or long form of the - host name or no host name specified in the tuple. If the NIS domain - is set, the query will match only match entries that include the - domain or for which there is no domain present. If the NIS domain - is _n_o_t set, a wildcard is used to match any domain name but be aware - that the NIS schema used by some LDAP servers may not support wild - cards for nisNetgroupTriple. - - 2. Repeated queries are performed to find any nested nisNetgroup - records with a memberNisNetgroup entry that refers to an already- - matched record. - - For sites with a large number of netgroups, using NNEETTGGRROOUUPP__BBAASSEE can - significantly speed up ssuuddoo's execution time. - - DDiiffffeerreenncceess bbeettwweeeenn LLDDAAPP aanndd nnoonn--LLDDAAPP ssuuddooeerrss - One of the major differences between LDAP and file-based _s_u_d_o_e_r_s is that - in LDAP, ssuuddoo-specific Aliases are not supported. - - For the most part, there is little need for ssuuddoo-specific Aliases. Unix - groups, non-Unix groups (via the _g_r_o_u_p___p_l_u_g_i_n) or user netgroups can be - used in place of User_Aliases and Runas_Aliases. Host netgroups can be - used in place of Host_Aliases. Since groups and netgroups can also be - stored in LDAP there is no real need for ssuuddoo-specific aliases. - - There are also some subtle differences in the way sudoers is handled once - in LDAP. Probably the biggest is that according to the RFC, LDAP - ordering is arbitrary and you cannot expect that Attributes and Entries - are returned in any specific order. - - The order in which different entries are applied can be controlled using - the sudoOrder attribute, but there is no way to guarantee the order of - attributes within a specific entry. If there are conflicting command - rules in an entry, the negative takes precedence. This is called - paranoid behavior (not necessarily the most specific match). - - Here is an example: - - # /etc/sudoers: - # Allow all commands except shell - johnny ALL=(root) ALL,!/bin/sh - # Always allows all commands because ALL is matched last - puddles ALL=(root) !/bin/sh,ALL - - # LDAP equivalent of johnny - # Allows all commands except shell - dn: cn=role1,ou=Sudoers,dc=my-domain,dc=com - objectClass: sudoRole - objectClass: top - cn: role1 - sudoUser: johnny - sudoHost: ALL - sudoCommand: ALL - sudoCommand: !/bin/sh - - # LDAP equivalent of puddles - # Notice that even though ALL comes last, it still behaves like - # role1 since the LDAP code assumes the more paranoid configuration - dn: cn=role2,ou=Sudoers,dc=my-domain,dc=com - objectClass: sudoRole - objectClass: top - cn: role2 - sudoUser: puddles - sudoHost: ALL - sudoCommand: !/bin/sh - sudoCommand: ALL - - Another difference is that it is not possible to use negation in a - sudoUser, sudoRunAsUser or sudoRunAsGroup attribute. For example, the - following attributes do not behave the way one might expect. - - # does not match all but joe - # rather, does not match anyone - sudoUser: !joe - - # does not match all but joe - # rather, matches everyone including Joe - sudoUser: ALL - sudoUser: !joe - - CCoonnvveerrttiinngg bbeettwweeeenn ffiillee--bbaasseedd aanndd LLDDAAPP ssuuddooeerrss - The cvtsudoers(1) utility can be used to convert between file-based and - LDAP _s_u_d_o_e_r_s. However, there are features in the file-based sudoers that - have no equivalent in LDAP-based sudoers (and vice versa). These cannot - be converted automatically. - - For example, a Cmnd_Alias in a _s_u_d_o_e_r_s file may be converted to a - sudoRole that contains multiple commands. Multiple users and/or groups - may be assigned to the sudoRole. - - Also, host, user, runas and command-based Defaults entries are not - supported. However, a sudoRole may contain one or more sudoOption - attributes which can often serve the same purpose. - - Consider the following _s_u_d_o_e_r_s lines: - - Cmnd_Alias PAGERS = /usr/bin/more, /usr/bin/pg, /usr/bin/less - Defaults!PAGERS noexec - alice, bob ALL = ALL - - In this example, alice and bob are allowed to run all commands, but the - commands listed in PAGERS will have the noexec flag set, preventing shell - escapes. - - When converting this to LDAP, two sudoRole objects can be used: - - dn: cn=PAGERS,ou=SUDOers,dc=my-domain,dc=com - objectClass: top - objectClass: sudoRole - cn: PAGERS - sudoUser: alice - sudoUser: bob - sudoHost: ALL - sudoCommand: /usr/bin/more - sudoCommand: /usr/bin/pg - sudoCommand: /usr/bin/less - sudoOption: noexec - sudoOrder: 900 - - dn: cn=ADMINS,ou=SUDOers,dc=my-domain,dc=com - objectClass: top - objectClass: sudoRole - cn: ADMINS - sudoUser: alice - sudoUser: bob - sudoHost: ALL - sudoCommand: ALL - sudoOrder: 100 - - In the LDAP version, the sudoOrder attribute is used to guarantee that - the PAGERS sudoRole with _n_o_e_x_e_c has precedence. Unlike the _s_u_d_o_e_r_s - version, the LDAP version requires that all users for whom the - restriction should apply be assigned to the PAGERS sudoRole. Using a - Unix group or netgroup in PAGERS rather than listing each user would make - this easier to maintain. - - Per-user Defaults entries can be emulated by using one or more sudoOption - attributes in a sudoRole. Consider the following _s_u_d_o_e_r_s lines: - - User_Alias ADMINS = john, sally - Defaults:ADMINS !authenticate - ADMINS ALL = (ALL:ALL) ALL - - In this example, john and sally are allowed to run any command as any - user or group. - - When converting this to LDAP, we can use a Unix group instead of the - User_Alias. - - dn: cn=admins,ou=SUDOers,dc=my-domain,dc=com - objectClass: top - objectClass: sudoRole - cn: admins - sudoUser: %admin - sudoHost: ALL - sudoRunAsUser: ALL - sudoRunAsGroup: ALL - sudoCommand: ALL - sudoOption: !authenticate - - This assumes that users john and sally are members of the "admins" Unix - group. - - SSuuddooeerrss sscchheemmaa - In order to use ssuuddoo's LDAP support, the ssuuddoo schema must be installed on - your LDAP server. In addition, be sure to index the sudoUser attribute. - - The ssuuddoo distribution includes versions of the ssuuddooeerrss schema for - multiple LDAP servers: - - _s_c_h_e_m_a_._O_p_e_n_L_D_A_P - OpenLDAP slapd and OpenBSD ldapd - - _s_c_h_e_m_a_._o_l_c_S_u_d_o - OpenLDAP slapd 2.3 and higher when on-line configuration is enabled - - _s_c_h_e_m_a_._i_P_l_a_n_e_t - Netscape-derived servers such as the iPlanet, Oracle, and 389 - Directory Servers - - _s_c_h_e_m_a_._A_c_t_i_v_e_D_i_r_e_c_t_o_r_y - Microsoft Active Directory - - The schema in OpenLDAP format is also included in the _E_X_A_M_P_L_E_S section. - - CCoonnffiigguurriinngg llddaapp..ccoonnff - Sudo reads the _/_e_t_c_/_l_d_a_p_._c_o_n_f file for LDAP-specific configuration. - Typically, this file is shared between different LDAP-aware clients. As - such, most of the settings are not ssuuddoo-specific. Note that ssuuddoo parses - _/_e_t_c_/_l_d_a_p_._c_o_n_f itself and may support options that differ from those - described in the system's ldap.conf(4) manual. The path to _l_d_a_p_._c_o_n_f may - be overridden via the _l_d_a_p___c_o_n_f plugin argument in sudo.conf(4). - - Also note that on systems using the OpenLDAP libraries, default values - specified in _/_e_t_c_/_o_p_e_n_l_d_a_p_/_l_d_a_p_._c_o_n_f or the user's _._l_d_a_p_r_c files are not - used. - - Only those options explicitly listed in _/_e_t_c_/_l_d_a_p_._c_o_n_f as being supported - by ssuuddoo are honored. Configuration options are listed below in upper - case but are parsed in a case-independent manner. - - Lines beginning with a pound sign (`#') are ignored. Leading white space - is removed from the beginning of lines. - - BBIINNDD__TTIIMMEELLIIMMIITT _s_e_c_o_n_d_s - The BBIINNDD__TTIIMMEELLIIMMIITT parameter specifies the amount of time, in - seconds, to wait while trying to connect to an LDAP server. If - multiple UURRIIs or HHOOSSTTs are specified, this is the amount of time to - wait before trying the next one in the list. - - BBIINNDDDDNN _D_N - The BBIINNDDDDNN parameter specifies the identity, in the form of a - Distinguished Name (DN), to use when performing LDAP operations. - If not specified, LDAP operations are performed with an anonymous - identity. By default, most LDAP servers will allow anonymous - access. - - BBIINNDDPPWW _s_e_c_r_e_t - The BBIINNDDPPWW parameter specifies the password to use when performing - LDAP operations. This is typically used in conjunction with the - BBIINNDDDDNN parameter. The _s_e_c_r_e_t may be a plain text password or a - base64-encoded string with a "base64:" prefix. For example: - - BINDPW base64:dGVzdA== - - If a plain text password is used, it should be a simple string - without quotes. Plain text passwords may not include the comment - character (`#') and the escaping of special characters with a - backslash (`\') is not supported. - - DDEERREEFF _n_e_v_e_r_/_s_e_a_r_c_h_i_n_g_/_f_i_n_d_i_n_g_/_a_l_w_a_y_s - How alias dereferencing is to be performed when searching. See the - ldap.conf(4) manual for a full description of this option. - - HHOOSSTT _n_a_m_e_[_:_p_o_r_t_] _._._. - If no UURRII is specified (see below), the HHOOSSTT parameter specifies a - white space-delimited list of LDAP servers to connect to. Each - host may include an optional _p_o_r_t separated by a colon (`:'). The - HHOOSSTT parameter is deprecated in favor of the UURRII specification and - is included for backwards compatibility only. - - KKRRBB55__CCCCNNAAMMEE _f_i_l_e _n_a_m_e - The path to the Kerberos 5 credential cache to use when - authenticating with the remote server. This option is only - relevant when using SASL authentication (see below). - - LLDDAAPP__VVEERRSSIIOONN _n_u_m_b_e_r - The version of the LDAP protocol to use when connecting to the - server. The default value is protocol version 3. - - NNEETTGGRROOUUPP__BBAASSEE _b_a_s_e - The base DN to use when performing LDAP netgroup queries. - Typically this is of the form ou=netgroup,dc=my-domain,dc=com for - the domain my-domain.com. Multiple NNEETTGGRROOUUPP__BBAASSEE lines may be - specified, in which case they are queried in the order specified. - - This option can be used to query a user's netgroups directly via - LDAP which is usually faster than fetching every sudoRole object - containing a sudoUser that begins with a `+' prefix. The NIS - schema used by some LDAP servers need a modification to support - querying the nisNetgroup object by its nisNetgroupTriple member. - OpenLDAP's ssllaappdd requires the following change to the - nisNetgroupTriple attribute: - - attributetype ( 1.3.6.1.1.1.1.14 NAME 'nisNetgroupTriple' - DESC 'Netgroup triple' - EQUALITY caseIgnoreIA5Match - SUBSTR caseIgnoreIA5SubstringsMatch - SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) - - NNEETTGGRROOUUPP__SSEEAARRCCHH__FFIILLTTEERR _l_d_a_p___f_i_l_t_e_r - An LDAP filter which is used to restrict the set of records - returned when performing an LDAP netgroup query. Typically, this - is of the form attribute=value or - (&(attribute=value)(attribute2=value2)). The default search filter - is: objectClass=nisNetgroup. If _l_d_a_p___f_i_l_t_e_r is omitted, no search - filter will be used. This option is only when querying netgroups - directly via LDAP. - - NNEETTWWOORRKK__TTIIMMEEOOUUTT _s_e_c_o_n_d_s - An alias for BBIINNDD__TTIIMMEELLIIMMIITT provided for OpenLDAP compatibility. - - PPOORRTT _p_o_r_t___n_u_m_b_e_r - If no UURRII is specified, the PPOORRTT parameter specifies the default - port to connect to on the LDAP server if a HHOOSSTT parameter does not - specify the port itself. If no PPOORRTT parameter is used, the default - is port 389 for LDAP and port 636 for LDAP over TLS (SSL). The - PPOORRTT parameter is deprecated in favor of the UURRII specification and - is included for backwards compatibility only. - - RROOOOTTBBIINNDDDDNN _D_N - The RROOOOTTBBIINNDDDDNN parameter specifies the identity, in the form of a - Distinguished Name (DN), to use when performing privileged LDAP - operations, such as _s_u_d_o_e_r_s queries. The password corresponding to - the identity should be stored in the or the path specified by the - _l_d_a_p___s_e_c_r_e_t plugin argument in sudo.conf(4), which defaults to - _/_e_t_c_/_l_d_a_p_._s_e_c_r_e_t. If no RROOOOTTBBIINNDDDDNN is specified, the BBIINNDDDDNN - identity is used (if any). - - RROOOOTTUUSSEE__SSAASSLL _o_n_/_t_r_u_e_/_y_e_s_/_o_f_f_/_f_a_l_s_e_/_n_o - Enable RROOOOTTUUSSEE__SSAASSLL to enable SASL authentication when connecting - to an LDAP server from a privileged process, such as ssuuddoo. - - SSAASSLL__AAUUTTHH__IIDD _i_d_e_n_t_i_t_y - The SASL user name to use when connecting to the LDAP server. By - default, ssuuddoo will use an anonymous connection. This option is - only relevant when using SASL authentication. - - SSAASSLL__MMEECCHH _m_e_c_h_a_n_i_s_m_s - A white space-delimited list of SASL authentication mechanisms to - use. By default, ssuuddoo will use GSSAPI authentication. - - SSAASSLL__SSEECCPPRROOPPSS _n_o_n_e_/_p_r_o_p_e_r_t_i_e_s - SASL security properties or _n_o_n_e for no properties. See the SASL - programmer's manual for details. This option is only relevant when - using SASL authentication. - - SSSSLL _o_n_/_t_r_u_e_/_y_e_s_/_o_f_f_/_f_a_l_s_e_/_n_o - If the SSSSLL parameter is set to on, true or yes, TLS (SSL) - encryption is always used when communicating with the LDAP server. - Typically, this involves connecting to the server on port 636 - (ldaps). - - SSSSLL _s_t_a_r_t___t_l_s - If the SSSSLL parameter is set to start_tls, the LDAP server - connection is initiated normally and TLS encryption is begun before - the bind credentials are sent. This has the advantage of not - requiring a dedicated port for encrypted communications. This - parameter is only supported by LDAP servers that honor the - _s_t_a_r_t___t_l_s extension, such as the OpenLDAP and Tivoli Directory - servers. - - SSUUDDOOEERRSS__BBAASSEE _b_a_s_e - The base DN to use when performing ssuuddoo LDAP queries. Typically - this is of the form ou=SUDOers,dc=my-domain,dc=com for the domain - my-domain.com. Multiple SSUUDDOOEERRSS__BBAASSEE lines may be specified, in - which case they are queried in the order specified. - - SSUUDDOOEERRSS__DDEEBBUUGG _d_e_b_u_g___l_e_v_e_l - This sets the debug level for ssuuddoo LDAP queries. Debugging - information is printed to the standard error. A value of 1 results - in a moderate amount of debugging information. A value of 2 shows - the results of the matches themselves. This parameter should not - be set in a production environment as the extra information is - likely to confuse users. - - The SSUUDDOOEERRSS__DDEEBBUUGG parameter is deprecated and will be removed in a - future release. The same information is now logged via the ssuuddoo - debugging framework using the "ldap" subsystem at priorities _d_i_a_g - and _i_n_f_o for _d_e_b_u_g___l_e_v_e_l values 1 and 2 respectively. See the - sudo.conf(4) manual for details on how to configure ssuuddoo debugging. - - SSUUDDOOEERRSS__SSEEAARRCCHH__FFIILLTTEERR _l_d_a_p___f_i_l_t_e_r - An LDAP filter which is used to restrict the set of records - returned when performing a ssuuddoo LDAP query. Typically, this is of - the form attribute=value or - (&(attribute=value)(attribute2=value2)). The default search filter - is: objectClass=sudoRole. If _l_d_a_p___f_i_l_t_e_r is omitted, no search - filter will be used. - - SSUUDDOOEERRSS__TTIIMMEEDD _o_n_/_t_r_u_e_/_y_e_s_/_o_f_f_/_f_a_l_s_e_/_n_o - Whether or not to evaluate the sudoNotBefore and sudoNotAfter - attributes that implement time-dependent sudoers entries. - - TTIIMMEELLIIMMIITT _s_e_c_o_n_d_s - The TTIIMMEELLIIMMIITT parameter specifies the amount of time, in seconds, - to wait for a response to an LDAP query. - - TTIIMMEEOOUUTT _s_e_c_o_n_d_s - The TTIIMMEEOOUUTT parameter specifies the amount of time, in seconds, to - wait for a response from the various LDAP APIs. - - TTLLSS__CCAACCEERRTT _f_i_l_e _n_a_m_e - An alias for TTLLSS__CCAACCEERRTTFFIILLEE for OpenLDAP compatibility. - - TTLLSS__CCAACCEERRTTFFIILLEE _f_i_l_e _n_a_m_e - The path to a certificate authority bundle which contains the - certificates for all the Certificate Authorities the client knows - to be valid, e.g., _/_e_t_c_/_s_s_l_/_c_a_-_b_u_n_d_l_e_._p_e_m. This option is only - supported by the OpenLDAP libraries. Netscape-derived LDAP - libraries use the same certificate database for CA and client - certificates (see TTLLSS__CCEERRTT). - - TTLLSS__CCAACCEERRTTDDIIRR _d_i_r_e_c_t_o_r_y - Similar to TTLLSS__CCAACCEERRTTFFIILLEE but instead of a file, it is a directory - containing individual Certificate Authority certificates, e.g., - _/_e_t_c_/_s_s_l_/_c_e_r_t_s. The directory specified by TTLLSS__CCAACCEERRTTDDIIRR is - checked after TTLLSS__CCAACCEERRTTFFIILLEE. This option is only supported by the - OpenLDAP libraries. - - TTLLSS__CCEERRTT _f_i_l_e _n_a_m_e - The path to a file containing the client certificate which can be - used to authenticate the client to the LDAP server. The - certificate type depends on the LDAP libraries used. - - OpenLDAP: - tls_cert /etc/ssl/client_cert.pem - - Netscape-derived: - tls_cert /var/ldap/cert7.db - - Tivoli Directory Server: - Unused, the key database specified by TTLLSS__KKEEYY contains both - keys and certificates. - - When using Netscape-derived libraries, this file may also - contain Certificate Authority certificates. - - TTLLSS__CCHHEECCKKPPEEEERR _o_n_/_t_r_u_e_/_y_e_s_/_o_f_f_/_f_a_l_s_e_/_n_o - If enabled, TTLLSS__CCHHEECCKKPPEEEERR will cause the LDAP server's TLS - certificated to be verified. If the server's TLS certificate - cannot be verified (usually because it is signed by an unknown - certificate authority), ssuuddoo will be unable to connect to it. If - TTLLSS__CCHHEECCKKPPEEEERR is disabled, no check is made. Note that disabling - the check creates an opportunity for man-in-the-middle attacks - since the server's identity will not be authenticated. If - possible, the CA's certificate should be installed locally so it - can be verified. This option is not supported by the Tivoli - Directory Server LDAP libraries. - - TTLLSS__KKEEYY _f_i_l_e _n_a_m_e - The path to a file containing the private key which matches the - certificate specified by TTLLSS__CCEERRTT. The private key must not be - password-protected. The key type depends on the LDAP libraries - used. - - OpenLDAP: - tls_key /etc/ssl/client_key.pem - - Netscape-derived: - tls_key /var/ldap/key3.db - - Tivoli Directory Server: - tls_key /usr/ldap/ldapkey.kdb - When using Tivoli LDAP libraries, this file may also contain - Certificate Authority and client certificates and may be encrypted. - - TTLLSS__CCIIPPHHEERRSS _c_i_p_h_e_r _l_i_s_t - The TTLLSS__CCIIPPHHEERRSS parameter allows the administer to restrict which - encryption algorithms may be used for TLS (SSL) connections. See - the OpenLDAP or Tivoli Directory Server manual for a list of valid - ciphers. This option is not supported by Netscape-derived - libraries. - - TTLLSS__KKEEYYPPWW _s_e_c_r_e_t - The TTLLSS__KKEEYYPPWW contains the password used to decrypt the key - database on clients using the Tivoli Directory Server LDAP library. - The _s_e_c_r_e_t may be a plain text password or a base64-encoded string - with a "base64:" prefix. For example: - - TLS_KEYPW base64:dGVzdA== - - If a plain text password is used, it should be a simple string - without quotes. Plain text passwords may not include the comment - character (`#') and the escaping of special characters with a - backslash (`\') is not supported. If this option is used, - _/_e_t_c_/_l_d_a_p_._c_o_n_f must not be world-readable to avoid exposing the - password. Alternately, a _s_t_a_s_h _f_i_l_e can be used to store the - password in encrypted form (see below). - - If no TTLLSS__KKEEYYPPWW is specified, a _s_t_a_s_h _f_i_l_e will be used if it - exists. The _s_t_a_s_h _f_i_l_e must have the same path as the file - specified by TTLLSS__KKEEYY, but use a .sth file extension instead of - .kdb, e.g., ldapkey.sth. The default ldapkey.kdb that ships with - Tivoli Directory Server is encrypted with the password - ssl_password. The _g_s_k_8_c_a_p_i_c_m_d utility can be used to manage the - key database and create a _s_t_a_s_h _f_i_l_e. This option is only - supported by the Tivoli LDAP libraries. - - TTLLSS__RREEQQCCEERRTT _l_e_v_e_l - The TTLLSS__RREEQQCCEERRTT parameter controls how the LDAP server's TLS - certificated will be verified (if at all). If the server's TLS - certificate cannot be verified (usually because it is signed by an - unknown certificate authority), ssuuddoo will be unable to connect to - it. The following _l_e_v_e_l values are supported: - - never The server certificate will not be requested or - checked. - - allow The server certificate will be requested. A missing - or invalid certificate is ignored and not considered - an error. - - try The server certificate will be requested. A missing - certificate is ignored but an invalid certificate - will result in a connection error. - - demand | _h_a_r_d - The server certificate will be requested. A missing - or invalid certificate will result in a connection - error. This is the default behavior. - - This option is only supported by the OpenLDAP libraries. Other - LDAP libraries only support the TTLLSS__CCHHEECCKKPPEEEERR parameter. - - TTLLSS__RRAANNDDFFIILLEE _f_i_l_e _n_a_m_e - The TTLLSS__RRAANNDDFFIILLEE parameter specifies the path to an entropy source - for systems that lack a random device. It is generally used in - conjunction with _p_r_n_g_d or _e_g_d. This option is only supported by - the OpenLDAP libraries. - - UURRII _l_d_a_p_[_s_]_:_/_/_[_h_o_s_t_n_a_m_e_[_:_p_o_r_t_]_] _._._. - Specifies a white space-delimited list of one or more URIs - describing the LDAP server(s) to connect to. The _p_r_o_t_o_c_o_l may be - either _l_d_a_p _l_d_a_p_s, the latter being for servers that support TLS - (SSL) encryption. If no _p_o_r_t is specified, the default is port 389 - for ldap:// or port 636 for ldaps://. If no _h_o_s_t_n_a_m_e is specified, - ssuuddoo will connect to _l_o_c_a_l_h_o_s_t. Multiple UURRII lines are treated - identically to a UURRII line containing multiple entries. Only - systems using the OpenSSL libraries support the mixing of ldap:// - and ldaps:// URIs. Both the Netscape-derived and Tivoli LDAP - libraries used on most commercial versions of Unix are only capable - of supporting one or the other. - - UUSSEE__SSAASSLL _o_n_/_t_r_u_e_/_y_e_s_/_o_f_f_/_f_a_l_s_e_/_n_o - Enable UUSSEE__SSAASSLL for LDAP servers that support SASL authentication. - - RROOOOTTSSAASSLL__AAUUTTHH__IIDD _i_d_e_n_t_i_t_y - The SASL user name to use when RROOOOTTUUSSEE__SSAASSLL is enabled. - - See the _l_d_a_p_._c_o_n_f entry in the _E_X_A_M_P_L_E_S section. - - CCoonnffiigguurriinngg nnsssswwiittcchh..ccoonnff - Unless it is disabled at build time, ssuuddoo consults the Name Service - Switch file, _/_e_t_c_/_n_s_s_w_i_t_c_h_._c_o_n_f, to specify the _s_u_d_o_e_r_s search order. - Sudo looks for a line beginning with sudoers: and uses this to determine - the search order. Note that ssuuddoo does not stop searching after the first - match and later matches take precedence over earlier ones. The following - sources are recognized: - - files read sudoers from _/_e_t_c_/_s_u_d_o_e_r_s - ldap read sudoers from LDAP - - In addition, the entry [NOTFOUND=return] will short-circuit the search if - the user was not found in the preceding source. - - To consult LDAP first followed by the local sudoers file (if it exists), - use: - - sudoers: ldap files - - The local _s_u_d_o_e_r_s file can be ignored completely by using: - - sudoers: ldap - - If the _/_e_t_c_/_n_s_s_w_i_t_c_h_._c_o_n_f file is not present or there is no sudoers - line, the following default is assumed: - - sudoers: files - - Note that _/_e_t_c_/_n_s_s_w_i_t_c_h_._c_o_n_f is supported even when the underlying - operating system does not use an nsswitch.conf file, except on AIX (see - below). - - CCoonnffiigguurriinngg nneettssvvcc..ccoonnff - On AIX systems, the _/_e_t_c_/_n_e_t_s_v_c_._c_o_n_f file is consulted instead of - _/_e_t_c_/_n_s_s_w_i_t_c_h_._c_o_n_f. ssuuddoo simply treats _n_e_t_s_v_c_._c_o_n_f as a variant of - _n_s_s_w_i_t_c_h_._c_o_n_f; information in the previous section unrelated to the file - format itself still applies. - - To consult LDAP first followed by the local sudoers file (if it exists), - use: - - sudoers = ldap, files - - The local _s_u_d_o_e_r_s file can be ignored completely by using: - - sudoers = ldap - - To treat LDAP as authoritative and only use the local sudoers file if the - user is not present in LDAP, use: - - sudoers = ldap = auth, files - - Note that in the above example, the auth qualifier only affects user - lookups; both LDAP and _s_u_d_o_e_r_s will be queried for Defaults entries. - - If the _/_e_t_c_/_n_e_t_s_v_c_._c_o_n_f file is not present or there is no sudoers line, - the following default is assumed: - - sudoers = files - - IInntteeggrraattiioonn wwiitthh ssssssdd - On systems with the _S_y_s_t_e_m _S_e_c_u_r_i_t_y _S_e_r_v_i_c_e_s _D_a_e_m_o_n (SSSD) and where ssuuddoo - has been built with SSSD support, it is possible to use SSSD to cache - LDAP _s_u_d_o_e_r_s rules. To use SSSD as the _s_u_d_o_e_r_s source, you should use - sss instead of ldap for the sudoers entry in _/_e_t_c_/_n_s_s_w_i_t_c_h_._c_o_n_f. Note - that the _/_e_t_c_/_l_d_a_p_._c_o_n_f file is not used by the SSSD ssuuddoo back end. - Please see sssd-sudo(4) for more information on configuring ssuuddoo to work - with SSSD. - -FFIILLEESS - _/_e_t_c_/_l_d_a_p_._c_o_n_f LDAP configuration file - - _/_e_t_c_/_n_s_s_w_i_t_c_h_._c_o_n_f determines sudoers source order - - _/_e_t_c_/_n_e_t_s_v_c_._c_o_n_f determines sudoers source order on AIX - -EEXXAAMMPPLLEESS - EExxaammppllee llddaapp..ccoonnff - # Either specify one or more URIs or one or more host:port pairs. - # If neither is specified sudo will default to localhost, port 389. - # - #host ldapserver - #host ldapserver1 ldapserver2:390 - # - # Default port if host is specified without one, defaults to 389. - #port 389 - # - # URI will override the host and port settings. - uri ldap://ldapserver - #uri ldaps://secureldapserver - #uri ldaps://secureldapserver ldap://ldapserver - # - # The amount of time, in seconds, to wait while trying to connect to - # an LDAP server. - bind_timelimit 30 - # - # The amount of time, in seconds, to wait while performing an LDAP query. - timelimit 30 - # - # Must be set or sudo will ignore LDAP; may be specified multiple times. - sudoers_base ou=SUDOers,dc=my-domain,dc=com - # - # verbose sudoers matching from ldap - #sudoers_debug 2 - # - # Enable support for time-based entries in sudoers. - #sudoers_timed yes - # - # optional proxy credentials - #binddn - #bindpw - #rootbinddn - # - # LDAP protocol version, defaults to 3 - #ldap_version 3 - # - # Define if you want to use an encrypted LDAP connection. - # Typically, you must also set the port to 636 (ldaps). - #ssl on - # - # Define if you want to use port 389 and switch to - # encryption before the bind credentials are sent. - # Only supported by LDAP servers that support the start_tls - # extension such as OpenLDAP. - #ssl start_tls - # - # Additional TLS options follow that allow tweaking of the - # SSL/TLS connection. - # - #tls_checkpeer yes # verify server SSL certificate - #tls_checkpeer no # ignore server SSL certificate - # - # If you enable tls_checkpeer, specify either tls_cacertfile - # or tls_cacertdir. Only supported when using OpenLDAP. - # - #tls_cacertfile /etc/certs/trusted_signers.pem - #tls_cacertdir /etc/certs - # - # For systems that don't have /dev/random - # use this along with PRNGD or EGD.pl to seed the - # random number pool to generate cryptographic session keys. - # Only supported when using OpenLDAP. - # - #tls_randfile /etc/egd-pool - # - # You may restrict which ciphers are used. Consult your SSL - # documentation for which options go here. - # Only supported when using OpenLDAP. - # - #tls_ciphers - # - # Sudo can provide a client certificate when communicating to - # the LDAP server. - # Tips: - # * Enable both lines at the same time. - # * Do not password protect the key file. - # * Ensure the keyfile is only readable by root. - # - # For OpenLDAP: - #tls_cert /etc/certs/client_cert.pem - #tls_key /etc/certs/client_key.pem - # - # For SunONE or iPlanet LDAP, tls_cert and tls_key may specify either - # a directory, in which case the files in the directory must have the - # default names (e.g., cert8.db and key4.db), or the path to the cert - # and key files themselves. However, a bug in version 5.0 of the LDAP - # SDK will prevent specific file names from working. For this reason - # it is suggested that tls_cert and tls_key be set to a directory, - # not a file name. - # - # The certificate database specified by tls_cert may contain CA certs - # and/or the client's cert. If the client's cert is included, tls_key - # should be specified as well. - # For backward compatibility, "sslpath" may be used in place of tls_cert. - #tls_cert /var/ldap - #tls_key /var/ldap - # - # If using SASL authentication for LDAP (OpenSSL) - # use_sasl yes - # sasl_auth_id - # rootuse_sasl yes - # rootsasl_auth_id - # sasl_secprops none - # krb5_ccname /etc/.ldapcache - - SSuuddooeerrss sscchheemmaa ffoorr OOppeennLLDDAAPP - The following schema, in OpenLDAP format, is included with ssuuddoo source - and binary distributions as _s_c_h_e_m_a_._O_p_e_n_L_D_A_P. Simply copy it to the - schema directory (e.g., _/_e_t_c_/_o_p_e_n_l_d_a_p_/_s_c_h_e_m_a), add the proper include - line in _s_l_a_p_d_._c_o_n_f and restart ssllaappdd. Sites using the optional on-line - configuration supported by OpenLDAP 2.3 and higher should apply the - _s_c_h_e_m_a_._o_l_c_S_u_d_o file instead. - - attributetype ( 1.3.6.1.4.1.15953.9.1.1 - NAME 'sudoUser' - DESC 'User(s) who may run sudo' - EQUALITY caseExactIA5Match - SUBSTR caseExactIA5SubstringsMatch - SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) - - attributetype ( 1.3.6.1.4.1.15953.9.1.2 - NAME 'sudoHost' - DESC 'Host(s) who may run sudo' - EQUALITY caseExactIA5Match - SUBSTR caseExactIA5SubstringsMatch - SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) - - attributetype ( 1.3.6.1.4.1.15953.9.1.3 - NAME 'sudoCommand' - DESC 'Command(s) to be executed by sudo' - EQUALITY caseExactIA5Match - SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) - - attributetype ( 1.3.6.1.4.1.15953.9.1.4 - NAME 'sudoRunAs' - DESC 'User(s) impersonated by sudo' - EQUALITY caseExactIA5Match - SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) - - attributetype ( 1.3.6.1.4.1.15953.9.1.5 - NAME 'sudoOption' - DESC 'Options(s) followed by sudo' - EQUALITY caseExactIA5Match - SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) - - attributetype ( 1.3.6.1.4.1.15953.9.1.6 - NAME 'sudoRunAsUser' - DESC 'User(s) impersonated by sudo' - EQUALITY caseExactIA5Match - SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) - - attributetype ( 1.3.6.1.4.1.15953.9.1.7 - NAME 'sudoRunAsGroup' - DESC 'Group(s) impersonated by sudo' - EQUALITY caseExactIA5Match - SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) - - attributetype ( 1.3.6.1.4.1.15953.9.1.8 - NAME 'sudoNotBefore' - DESC 'Start of time interval for which the entry is valid' - EQUALITY generalizedTimeMatch - ORDERING generalizedTimeOrderingMatch - SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 ) - - attributetype ( 1.3.6.1.4.1.15953.9.1.9 - NAME 'sudoNotAfter' - DESC 'End of time interval for which the entry is valid' - EQUALITY generalizedTimeMatch - ORDERING generalizedTimeOrderingMatch - SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 ) - - attributetype ( 1.3.6.1.4.1.15953.9.1.10 - NAME 'sudoOrder' - DESC 'an integer to order the sudoRole entries' - EQUALITY integerMatch - ORDERING integerOrderingMatch - SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 ) - - objectclass ( 1.3.6.1.4.1.15953.9.2.1 NAME 'sudoRole' SUP top STRUCTURAL - DESC 'Sudoer Entries' - MUST ( cn ) - MAY ( sudoUser $ sudoHost $ sudoCommand $ sudoRunAs $ sudoRunAsUser $ - sudoRunAsGroup $ sudoOption $ sudoNotBefore $ sudoNotAfter $ - sudoOrder $ description ) - ) - -SSEEEE AALLSSOO - cvtsudoers(1), ldap.conf(4), sssd-sudo(4), sudo.conf(4), sudoers(4) - -AAUUTTHHOORRSS - Many people have worked on ssuuddoo over the years; this version consists of - code written primarily by: - - Todd C. Miller - - See the CONTRIBUTORS file in the ssuuddoo distribution - (https://www.sudo.ws/contributors.html) for an exhaustive list of people - who have contributed to ssuuddoo. - -CCAAVVEEAATTSS - Note that there are differences in the way that LDAP-based _s_u_d_o_e_r_s is - parsed compared to file-based _s_u_d_o_e_r_s. See the _D_i_f_f_e_r_e_n_c_e_s _b_e_t_w_e_e_n _L_D_A_P - _a_n_d _n_o_n_-_L_D_A_P _s_u_d_o_e_r_s section for more information. - -BBUUGGSS - If you feel you have found a bug in ssuuddoo, please submit a bug report at - https://bugzilla.sudo.ws/ - -SSUUPPPPOORRTT - Limited free support is available via the sudo-users mailing list, see - https://www.sudo.ws/mailman/listinfo/sudo-users to subscribe or search - the archives. - -DDIISSCCLLAAIIMMEERR - ssuuddoo is provided "AS IS" and any express or implied warranties, - including, but not limited to, the implied warranties of merchantability - and fitness for a particular purpose are disclaimed. See the LICENSE - file distributed with ssuuddoo or https://www.sudo.ws/license.html for - complete details. - -Sudo 1.8.28 February 26, 2018 Sudo 1.8.28 diff --git a/doc/sudoers_timestamp.cat b/doc/sudoers_timestamp.cat deleted file mode 100644 index f6489726e..000000000 --- a/doc/sudoers_timestamp.cat +++ /dev/null @@ -1,201 +0,0 @@ -SUDOERS_TIMESTAMP(4) File Formats Manual SUDOERS_TIMESTAMP(4) - -NNAAMMEE - ssuuddooeerrss__ttiimmeessttaammpp - Sudoers Time Stamp Format - -DDEESSCCRRIIPPTTIIOONN - The ssuuddooeerrss plugin uses per-user time stamp files for credential caching. - Once a user has been authenticated, they may use ssuuddoo without a password - for a short period of time (5 minutes unless overridden by the - _t_i_m_e_s_t_a_m_p___t_i_m_e_o_u_t option). By default, ssuuddooeerrss uses a separate record - for each terminal, which means that a user's login sessions are - authenticated separately. The _t_i_m_e_s_t_a_m_p___t_y_p_e option can be used to - select the type of time stamp record ssuuddooeerrss will use. - - A multi-record time stamp file format was introduced in ssuuddoo 1.8.10 that - uses a single file per user. Previously, a separate file was used for - each user and terminal combination unless tty-based time stamps were - disabled. The new format is extensible and records of multiple types and - versions may coexist within the same file. - - All records, regardless of type or version, begin with a 16-bit version - number and a 16-bit record size. - - Time stamp records have the following structure: - - /* Time stamp entry types */ - #define TS_GLOBAL 0x01 /* not restricted by tty or ppid */ - #define TS_TTY 0x02 /* restricted by tty */ - #define TS_PPID 0x03 /* restricted by ppid */ - #define TS_LOCKEXCL 0x04 /* special lock record */ - - /* Time stamp flags */ - #define TS_DISABLED 0x01 /* entry disabled */ - #define TS_ANYUID 0x02 /* ignore uid, only valid in key */ - - struct timestamp_entry { - unsigned short version; /* version number */ - unsigned short size; /* entry size */ - unsigned short type; /* TS_GLOBAL, TS_TTY, TS_PPID */ - unsigned short flags; /* TS_DISABLED, TS_ANYUID */ - uid_t auth_uid; /* uid to authenticate as */ - pid_t sid; /* session ID associated with tty/ppid */ - struct timespec start_time; /* session/ppid start time */ - struct timespec ts; /* time stamp (CLOCK_MONOTONIC) */ - union { - dev_t ttydev; /* tty device number */ - pid_t ppid; /* parent pid */ - } u; - }; - - The timestamp_entry struct fields are as follows: - - version - The version number of the timestamp_entry struct. New entries are - created with a version number of 2. Records with different version - numbers may coexist in the same file but are not inter-operable. - - size The size of the record in bytes. - - type The record type, currently TS_GLOBAL, TS_TTY, or TS_PPID. - - flags - Zero or more record flags which can be bit-wise ORed together. - Supported flags are TS_DISABLED, for records disabled via ssuuddoo --kk - and TS_ANYUID, which is used only when matching records. - - auth_uid - The user ID that was used for authentication. Depending on the - value of the _r_o_o_t_p_w, _r_u_n_a_s_p_w and _t_a_r_g_e_t_p_w options, the user ID may - be that of the invoking user, the root user, the default runas user - or the target user. - - sid The ID of the user's terminal session, if present. The session ID - is only used when matching records of type TS_TTY. - - start_time - The start time of the session leader for records of type TS_TTY or - of the parent process for records of type TS_PPID. The _s_t_a_r_t___t_i_m_e - is used to help prevent re-use of a time stamp record after a user - has logged out. Not all systems support a method to easily - retrieve a process's start time. The _s_t_a_r_t___t_i_m_e field was added in - ssuuddooeerrss version 1.8.22 for the second revision of the - timestamp_entry struct. - - ts The actual time stamp. A monotonic time source (which does not - move backward) is used if the system supports it. Where possible, - ssuuddooeerrss uses a monotonic timer that increments even while the - system is suspended. The value of _t_s is updated each time a - command is run via ssuuddoo. If the difference between _t_s and the - current time is less than the value of the _t_i_m_e_s_t_a_m_p___t_i_m_e_o_u_t - option, no password is required. - - u.ttydev - The device number of the terminal associated with the session for - records of type TS_TTY. - - u.ppid - The ID of the parent process for records of type TS_PPID. - -LLOOCCKKIINNGG - In ssuuddooeerrss versions 1.8.10 through 1.8.14, the entire time stamp file was - locked for exclusive access when reading or writing to the file. - Starting in ssuuddooeerrss 1.8.15, individual records are locked in the time - stamp file instead of the entire file and the lock is held for a longer - period of time. This scheme is described below. - - The first record in the time stamp file is of type TS_LOCKEXCL and is - used as a _l_o_c_k record to prevent more than one ssuuddoo process from adding a - new record at the same time. Once the desired time stamp record has been - located or created (and locked), the TS_LOCKEXCL record is unlocked. The - lock on the individual time stamp record, however, is held until - authentication is complete. This allows ssuuddooeerrss to avoid prompting for a - password multiple times when it is used more than once in a pipeline. - - Records of type TS_GLOBAL cannot be locked for a long period of time - since doing so would interfere with other ssuuddoo processes. Instead, a - separate lock record is used to prevent multiple ssuuddoo processes using the - same terminal (or parent process ID) from prompting for a password as the - same time. - -SSEEEE AALLSSOO - sudoers(4), sudo(1m) - -HHIISSTTOORRYY - Originally, ssuuddoo used a single zero-length file per user and the file's - modification time was used as the time stamp. Later versions of ssuuddoo - added restrictions on the ownership of the time stamp files and directory - as well as sanity checks on the time stamp itself. Notable changes were - introduced in the following ssuuddoo versions: - - 1.4.0 - Support for tty-based time stamp file was added by appending the - terminal name to the time stamp file name. - - 1.6.2 - The time stamp file was replaced by a per-user directory which - contained any tty-based time stamp files. - - 1.6.3p2 - The target user name was added to the time stamp file name when the - _t_a_r_g_e_t_p_w option was set. - - 1.7.3 - Information about the terminal device was stored in tty-based time - stamp files for sanity checking. This included the terminal device - numbers, inode number and, on systems where it was not updated when - the device was written to, the inode change time. This helped - prevent re-use of the time stamp file after logout. - - 1.8.6p7 - The terminal session ID was added to tty-based time stamp files to - prevent re-use of the time stamp by the same user in a different - terminal session. It also helped prevent re-use of the time stamp - file on systems where the terminal device's inode change time was - updated by writing. - - 1.8.10 - A new, multi-record time stamp file format was introduced that uses - a single file per user. The terminal device's change time was not - included since most systems now update the change time after a - write is performed as required by POSIX. - - 1.8.15 - Individual records are locked in the time stamp file instead of the - entire file and the lock is held until authentication is complete. - - 1.8.22 - The start time of the terminal session leader or parent process is - now stored in non-global time stamp records. This prevents re-use - of the time stamp file after logout in most cases. - - Support was added for the kernel-based tty time stamps available in - OpenBSD which do not use an on-disk time stamp file. - -AAUUTTHHOORRSS - Many people have worked on ssuuddoo over the years; this version consists of - code written primarily by: - - Todd C. Miller - - See the CONTRIBUTORS file in the ssuuddoo distribution - (https://www.sudo.ws/contributors.html) for an exhaustive list of people - who have contributed to ssuuddoo. - -BBUUGGSS - If you feel you have found a bug in ssuuddoo, please submit a bug report at - https://bugzilla.sudo.ws/ - -SSUUPPPPOORRTT - Limited free support is available via the sudo-users mailing list, see - https://www.sudo.ws/mailman/listinfo/sudo-users to subscribe or search - the archives. - -DDIISSCCLLAAIIMMEERR - ssuuddoo is provided "AS IS" and any express or implied warranties, - including, but not limited to, the implied warranties of merchantability - and fitness for a particular purpose are disclaimed. See the LICENSE - file distributed with ssuuddoo or https://www.sudo.ws/license.html for - complete details. - -Sudo 1.8.28 October 7, 2018 Sudo 1.8.28 diff --git a/doc/sudoreplay.cat b/doc/sudoreplay.cat deleted file mode 100644 index bc7c76737..000000000 --- a/doc/sudoreplay.cat +++ /dev/null @@ -1,303 +0,0 @@ -SUDOREPLAY(1m) System Manager's Manual SUDOREPLAY(1m) - -NNAAMMEE - ssuuddoorreeppllaayy - replay sudo session logs - -SSYYNNOOPPSSIISS - ssuuddoorreeppllaayy [--hhnnRRSS] [--dd _d_i_r] [--ff _f_i_l_t_e_r] [--mm _n_u_m] [--ss _n_u_m] ID - - ssuuddoorreeppllaayy [--hh] [--dd _d_i_r] --ll [search expression] - -DDEESSCCRRIIPPTTIIOONN - ssuuddoorreeppllaayy plays back or lists the output logs created by ssuuddoo. When - replaying, ssuuddoorreeppllaayy can play the session back in real-time, or the - playback speed may be adjusted (faster or slower) based on the command - line options. - - The _I_D should either be a six character sequence of digits and upper case - letters, e.g., 0100A5, or a pattern matching the _i_o_l_o_g___f_i_l_e option in the - _s_u_d_o_e_r_s file. When a command is run via ssuuddoo with _l_o_g___o_u_t_p_u_t enabled in - the _s_u_d_o_e_r_s file, a TSID=ID string is logged via syslog or to the ssuuddoo - log file. The _I_D may also be determined using ssuuddoorreeppllaayy's list mode. - - In list mode, ssuuddoorreeppllaayy can be used to find the ID of a session based on - a number of criteria such as the user, tty or command run. - - In replay mode, if the standard input and output are connected to a - terminal and the --nn option is not specified, ssuuddoorreeppllaayy will operate - interactively. In interactive mode, ssuuddoorreeppllaayy will attempt to adjust - the terminal size to match that of the session and write directly to the - terminal (not all terminals support this). Additionally, it will poll - the keyboard and act on the following keys: - - `\n' or `\r' Skip to the next replay event; useful for long pauses. - - ` ' (space) Pause output; press any key to resume. - - `<' Reduce the playback speed by one half. - - `>' Double the playback speed. - - The session can be interrupted via control-C. When the session has - finished, the terminal is restored to its original size if it was changed - during playback. - - The options are as follows: - - --dd _d_i_r, ----ddiirreeccttoorryy=_d_i_r - Store session logs in _d_i_r instead of the default, - _/_v_a_r_/_l_o_g_/_s_u_d_o_-_i_o. - - --ff _f_i_l_t_e_r, ----ffiilltteerr=_f_i_l_t_e_r - Select which I/O type(s) to display. By default, ssuuddoorreeppllaayy - will display the command's standard output, standard error - and tty output. The _f_i_l_t_e_r argument is a comma-separated - list, consisting of one or more of following: _s_t_d_i_n, _s_t_d_o_u_t, - _s_t_d_e_r_r, _t_t_y_i_n, and _t_t_y_o_u_t. - - --hh, ----hheellpp Display a short help message to the standard output and exit. - - --ll, ----lliisstt [_s_e_a_r_c_h _e_x_p_r_e_s_s_i_o_n] - Enable "list mode". In this mode, ssuuddoorreeppllaayy will list - available sessions in a format similar to the ssuuddoo log file - format, sorted by file name (or sequence number). If a - _s_e_a_r_c_h _e_x_p_r_e_s_s_i_o_n is specified, it will be used to restrict - the IDs that are displayed. An expression is composed of the - following predicates: - - command _p_a_t_t_e_r_n - Evaluates to true if the command run matches the - POSIX extended regular expression _p_a_t_t_e_r_n. - - cwd _d_i_r_e_c_t_o_r_y - Evaluates to true if the command was run with the - specified current working directory. - - fromdate _d_a_t_e - Evaluates to true if the command was run on or after - _d_a_t_e. See _D_a_t_e _a_n_d _t_i_m_e _f_o_r_m_a_t for a description of - supported date and time formats. - - group _r_u_n_a_s___g_r_o_u_p - Evaluates to true if the command was run with the - specified _r_u_n_a_s___g_r_o_u_p. Note that unless a - _r_u_n_a_s___g_r_o_u_p was explicitly specified when ssuuddoo was - run this field will be empty in the log. - - runas _r_u_n_a_s___u_s_e_r - Evaluates to true if the command was run as the - specified _r_u_n_a_s___u_s_e_r. Note that ssuuddoo runs commands - as user _r_o_o_t by default. - - todate _d_a_t_e - Evaluates to true if the command was run on or prior - to _d_a_t_e. See _D_a_t_e _a_n_d _t_i_m_e _f_o_r_m_a_t for a description - of supported date and time formats. - - tty _t_t_y _n_a_m_e - Evaluates to true if the command was run on the - specified terminal device. The _t_t_y _n_a_m_e should be - specified without the _/_d_e_v_/ prefix, e.g., _t_t_y_0_1 - instead of _/_d_e_v_/_t_t_y_0_1. - - user _u_s_e_r _n_a_m_e - Evaluates to true if the ID matches a command run by - _u_s_e_r _n_a_m_e. - - Predicates may be abbreviated to the shortest unique string. - - Predicates may be combined using _a_n_d, _o_r and _! operators as - well as `(' and `)' grouping (note that parentheses must - generally be escaped from the shell). The _a_n_d operator is - optional, adjacent predicates have an implied _a_n_d unless - separated by an _o_r. - - --mm, ----mmaaxx--wwaaiitt _m_a_x___w_a_i_t - Specify an upper bound on how long to wait between key - presses or output data. By default, ssuuddoorreeppllaayy will - accurately reproduce the delays between key presses or - program output. However, this can be tedious when the - session includes long pauses. When the --mm option is - specified, ssuuddoorreeppllaayy will limit these pauses to at most - _m_a_x___w_a_i_t seconds. The value may be specified as a floating - point number, e.g., _2_._5. A _m_a_x___w_a_i_t of zero or less will - eliminate the pauses entirely. - - --nn, ----nnoonn--iinntteerraaccttiivvee - Do not prompt for user input or attempt to re-size the - terminal. The session is written to the standard output, not - directly to the user's terminal. - - --RR, ----nnoo--rreessiizzee - Do not attempt to re-size the terminal to match the terminal - size of the session. - - --SS, ----ssuussppeenndd--wwaaiitt - Wait while the command was suspended. By default, ssuuddoorreeppllaayy - will ignore the time interval between when the command was - suspended and when it was resumed. If the --SS option is - specified, ssuuddoorreeppllaayy will wait instead. - - --ss, ----ssppeeeedd _s_p_e_e_d___f_a_c_t_o_r - This option causes ssuuddoorreeppllaayy to adjust the number of seconds - it will wait between key presses or program output. This can - be used to slow down or speed up the display. For example, a - _s_p_e_e_d___f_a_c_t_o_r of _2 would make the output twice as fast whereas - a _s_p_e_e_d___f_a_c_t_o_r of _._5 would make the output twice as slow. - - --VV, ----vveerrssiioonn - Print the ssuuddoorreeppllaayy versions version number and exit. - - DDaattee aanndd ttiimmee ffoorrmmaatt - The time and date may be specified multiple ways, common formats include: - - HH:MM:SS am MM/DD/CCYY timezone - 24 hour time may be used in place of am/pm. - - HH:MM:SS am Month, Day Year timezone - 24 hour time may be used in place of am/pm, and month and day - names may be abbreviated. Note that month and day of the week - names must be specified in English. - - CCYY-MM-DD HH:MM:SS - ISO time format - - DD Month CCYY HH:MM:SS - The month name may be abbreviated. - - Either time or date may be omitted, the am/pm and timezone are optional. - If no date is specified, the current day is assumed; if no time is - specified, the first second of the specified date is used. The less - significant parts of both time and date may also be omitted, in which - case zero is assumed. - - The following are all valid time and date specifications: - - now The current time and date. - - tomorrow - Exactly one day from now. - - yesterday - 24 hours ago. - - 2 hours ago - 2 hours ago. - - next Friday - The first second of the Friday in the next (upcoming) week. Not - to be confused with "this Friday" which would match the Friday of - the current week. - - last week - The current time but 7 days ago. This is equivalent to "a week - ago". - - a fortnight ago - The current time but 14 days ago. - - 10:01 am 9/17/2009 - 10:01 am, September 17, 2009. - - 10:01 am - 10:01 am on the current day. - - 10 10:00 am on the current day. - - 9/17/2009 - 00:00 am, September 17, 2009. - - 10:01 am Sep 17, 2009 - 10:01 am, September 17, 2009. - - Note that relative time specifications do not always work as expected. - For example, the "next" qualifier is intended to be used in conjunction - with a day such as "next Monday". When used with units of weeks, months, - years, etc the result will be one more than expected. For example, "next - week" will result in a time exactly two weeks from now, which is probably - not what was intended. This will be addressed in a future version of - ssuuddoorreeppllaayy. - - DDeebbuuggggiinngg ssuuddoorreeppllaayy - ssuuddoorreeppllaayy versions 1.8.4 and higher support a flexible debugging - framework that is configured via Debug lines in the sudo.conf(4) file. - - For more information on configuring sudo.conf(4), please refer to its - manual. - -FFIILLEESS - _/_e_t_c_/_s_u_d_o_._c_o_n_f Debugging framework configuration - - _/_v_a_r_/_l_o_g_/_s_u_d_o_-_i_o The default I/O log directory. - - _/_v_a_r_/_l_o_g_/_s_u_d_o_-_i_o_/_0_0_/_0_0_/_0_1_/_l_o_g - Example session log info. - - _/_v_a_r_/_l_o_g_/_s_u_d_o_-_i_o_/_0_0_/_0_0_/_0_1_/_s_t_d_i_n - Example session standard input log. - - _/_v_a_r_/_l_o_g_/_s_u_d_o_-_i_o_/_0_0_/_0_0_/_0_1_/_s_t_d_o_u_t - Example session standard output log. - - _/_v_a_r_/_l_o_g_/_s_u_d_o_-_i_o_/_0_0_/_0_0_/_0_1_/_s_t_d_e_r_r - Example session standard error log. - - _/_v_a_r_/_l_o_g_/_s_u_d_o_-_i_o_/_0_0_/_0_0_/_0_1_/_t_t_y_i_n - Example session tty input file. - - _/_v_a_r_/_l_o_g_/_s_u_d_o_-_i_o_/_0_0_/_0_0_/_0_1_/_t_t_y_o_u_t - Example session tty output file. - - _/_v_a_r_/_l_o_g_/_s_u_d_o_-_i_o_/_0_0_/_0_0_/_0_1_/_t_i_m_i_n_g - Example session timing file. - - Note that the _s_t_d_i_n, _s_t_d_o_u_t and _s_t_d_e_r_r files will be empty unless ssuuddoo - was used as part of a pipeline for a particular command. - -EEXXAAMMPPLLEESS - List sessions run by user _m_i_l_l_e_r_t: - - # sudoreplay -l user millert - - List sessions run by user _b_o_b with a command containing the string vi: - - # sudoreplay -l user bob command vi - - List sessions run by user _j_e_f_f that match a regular expression: - - # sudoreplay -l user jeff command '/bin/[a-z]*sh' - - List sessions run by jeff or bob on the console: - - # sudoreplay -l ( user jeff or user bob ) tty console - -SSEEEE AALLSSOO - script(1), sudo.conf(4), sudo(1m) - -AAUUTTHHOORRSS - Many people have worked on ssuuddoo over the years; this version consists of - code written primarily by: - - Todd C. Miller - - See the CONTRIBUTORS file in the ssuuddoo distribution - (https://www.sudo.ws/contributors.html) for an exhaustive list of people - who have contributed to ssuuddoo. - -BBUUGGSS - If you feel you have found a bug in ssuuddoorreeppllaayy, please submit a bug - report at https://bugzilla.sudo.ws/ - -SSUUPPPPOORRTT - Limited free support is available via the sudo-users mailing list, see - https://www.sudo.ws/mailman/listinfo/sudo-users to subscribe or search - the archives. - -DDIISSCCLLAAIIMMEERR - ssuuddoorreeppllaayy is provided "AS IS" and any express or implied warranties, - including, but not limited to, the implied warranties of merchantability - and fitness for a particular purpose are disclaimed. See the LICENSE - file distributed with ssuuddoo or https://www.sudo.ws/license.html for - complete details. - -Sudo 1.8.28 October 6, 2018 Sudo 1.8.28 diff --git a/doc/visudo.cat b/doc/visudo.cat deleted file mode 100644 index 1260ca8f9..000000000 --- a/doc/visudo.cat +++ /dev/null @@ -1,226 +0,0 @@ -VISUDO(1m) System Manager's Manual VISUDO(1m) - -NNAAMMEE - vviissuuddoo - edit the sudoers file - -SSYYNNOOPPSSIISS - vviissuuddoo [--cchhqqssVV] [[--ff] _s_u_d_o_e_r_s] - -DDEESSCCRRIIPPTTIIOONN - vviissuuddoo edits the _s_u_d_o_e_r_s file in a safe fashion, analogous to vipw(1m). - vviissuuddoo locks the _s_u_d_o_e_r_s file against multiple simultaneous edits, - provides basic sanity checks, and checks for parse errors before - installing the edited file. If the _s_u_d_o_e_r_s file is currently being - edited you will receive a message to try again later. - - vviissuuddoo parses the _s_u_d_o_e_r_s file after editing and will not save the - changes if there is a syntax error. Upon finding an error, vviissuuddoo will - print a message stating the line number(s) where the error occurred and - the user will receive the "What now?" prompt. At this point the user may - enter `e' to re-edit the _s_u_d_o_e_r_s file, `x' to exit without saving the - changes, or `Q' to quit and save changes. The `Q' option should be used - with extreme caution because if vviissuuddoo believes there to be a parse - error, so will ssuuddoo and no one will be able to run ssuuddoo again until the - error is fixed. If `e' is typed to edit the _s_u_d_o_e_r_s file after a parse - error has been detected, the cursor will be placed on the line where the - error occurred (if the editor supports this feature). - - There are two _s_u_d_o_e_r_s settings that determine which editor vviissuuddoo will - run. - - editor A colon (`:') separated list of editors allowed to be used with - vviissuuddoo. vviissuuddoo will choose the editor that matches the user's - SUDO_EDITOR, VISUAL or EDITOR environment variable if possible, - or the first editor in the list that exists and is executable. - Note that ssuuddoo does not preserve the SUDO_EDITOR, VISUAL or - EDITOR environment variables unless they are present in the - _e_n_v___k_e_e_p list or the _e_n_v___r_e_s_e_t option is disabled in the - _s_u_d_o_e_r_s file. The default editor path is _v_i which can be set - at compile time via the --with-editor configure option. - - env_editor - If set, vviissuuddoo will use the value of the SUDO_EDITOR, VISUAL or - EDITOR environment variables before falling back on the default - editor list. Note that vviissuuddoo is typically run as root so this - option may allow a user with vviissuuddoo privileges to run arbitrary - commands as root without logging. An alternative is to place a - colon-separated list of "safe" editors int the _e_d_i_t_o_r variable. - vviissuuddoo will then only use SUDO_EDITOR, VISUAL or EDITOR if they - match a value specified in _e_d_i_t_o_r. If the _e_n_v___r_e_s_e_t flag is - enabled, the SUDO_EDITOR, VISUAL and/or EDITOR environment - variables must be present in the _e_n_v___k_e_e_p list for the - _e_n_v___e_d_i_t_o_r flag to function when vviissuuddoo is invoked via ssuuddoo. - The default value is _o_n, which can be set at compile time via - the --with-env-editor configure option. - - The options are as follows: - - --cc, ----cchheecckk - Enable _c_h_e_c_k_-_o_n_l_y mode. The existing _s_u_d_o_e_r_s file (and any - other files it includes) will be checked for syntax errors. - If the path to the _s_u_d_o_e_r_s file was not specified, vviissuuddoo - will also check the file owner and mode. A message will be - printed to the standard output describing the status of - _s_u_d_o_e_r_s unless the --qq option was specified. If the check - completes successfully, vviissuuddoo will exit with a value of 0. - If an error is encountered, vviissuuddoo will exit with a value of - 1. - - --ff _s_u_d_o_e_r_s, ----ffiillee=_s_u_d_o_e_r_s - Specify an alternate _s_u_d_o_e_r_s file location, see below. As of - version 1.8.27, the _s_u_d_o_e_r_s path can be specified without - using the --ff option. - - --hh, ----hheellpp Display a short help message to the standard output and exit. - - --qq, ----qquuiieett - Enable _q_u_i_e_t mode. In this mode details about syntax errors - are not printed. This option is only useful when combined - with the --cc option. - - --ss, ----ssttrriicctt - Enable _s_t_r_i_c_t checking of the _s_u_d_o_e_r_s file. If an alias is - referenced but not actually defined or if there is a cycle in - an alias, vviissuuddoo will consider this a parse error. Note that - it is not possible to differentiate between an alias and a - host name or user name that consists solely of uppercase - letters, digits, and the underscore (`_') character. - - --VV, ----vveerrssiioonn - Print the vviissuuddoo and _s_u_d_o_e_r_s grammar versions and exit. - - A _s_u_d_o_e_r_s file may be specified instead of the default, _/_e_t_c_/_s_u_d_o_e_r_s. - The temporary file used is the specified _s_u_d_o_e_r_s file with ".tmp" - appended to it. In _c_h_e_c_k_-_o_n_l_y mode only, `-' may be used to indicate - that _s_u_d_o_e_r_s will be read from the standard input. Because the policy is - evaluated in its entirety, it is not sufficient to check an individual - _s_u_d_o_e_r_s include file for syntax errors. - - DDeebbuuggggiinngg aanndd ssuuddooeerrss pplluuggiinn aarrgguummeennttss - vviissuuddoo versions 1.8.4 and higher support a flexible debugging framework - that is configured via Debug lines in the sudo.conf(4) file. - - Starting with ssuuddoo 1.8.12, vviissuuddoo will also parse the arguments to the - _s_u_d_o_e_r_s plugin to override the default _s_u_d_o_e_r_s path name, UID, GID and - file mode. These arguments, if present, should be listed after the path - to the plugin (i.e., after _s_u_d_o_e_r_s_._s_o). Multiple arguments may be - specified, separated by white space. For example: - - Plugin sudoers_policy sudoers.so sudoers_mode=0400 - - The following arguments are supported: - - sudoers_file=pathname - The _s_u_d_o_e_r_s___f_i_l_e argument can be used to override the default - path to the _s_u_d_o_e_r_s file. - - sudoers_uid=uid - The _s_u_d_o_e_r_s___u_i_d argument can be used to override the default - owner of the sudoers file. It should be specified as a numeric - user ID. - - sudoers_gid=gid - The _s_u_d_o_e_r_s___g_i_d argument can be used to override the default - group of the sudoers file. It must be specified as a numeric - group ID (not a group name). - - sudoers_mode=mode - The _s_u_d_o_e_r_s___m_o_d_e argument can be used to override the default - file mode for the sudoers file. It should be specified as an - octal value. - - For more information on configuring sudo.conf(4), please refer to its - manual. - -EENNVVIIRROONNMMEENNTT - The following environment variables may be consulted depending on the - value of the _e_d_i_t_o_r and _e_n_v___e_d_i_t_o_r _s_u_d_o_e_r_s settings: - - SUDO_EDITOR Invoked by vviissuuddoo as the editor to use - - VISUAL Used by vviissuuddoo if SUDO_EDITOR is not set - - EDITOR Used by vviissuuddoo if neither SUDO_EDITOR nor VISUAL is set - -FFIILLEESS - _/_e_t_c_/_s_u_d_o_._c_o_n_f Sudo front end configuration - - _/_e_t_c_/_s_u_d_o_e_r_s List of who can run what - - _/_e_t_c_/_s_u_d_o_e_r_s_._t_m_p Default temporary file used by visudo - -DDIIAAGGNNOOSSTTIICCSS - In addition to reporting _s_u_d_o_e_r_s parse errors, vviissuuddoo may produce the - following messages: - - sudoers file busy, try again later. - Someone else is currently editing the _s_u_d_o_e_r_s file. - - /etc/sudoers: Permission denied - You didn't run vviissuuddoo as root. - - you do not exist in the passwd database - Your user ID does not appear in the system passwd database. - - Warning: {User,Runas,Host,Cmnd}_Alias referenced but not defined - Either you are trying to use an undeclared - {User,Runas,Host,Cmnd}_Alias or you have a user or host name listed - that consists solely of uppercase letters, digits, and the - underscore (`_') character. In the latter case, you can ignore the - warnings (ssuuddoo will not complain). The message is prefixed with - the path name of the _s_u_d_o_e_r_s file and the line number where the - undefined alias was used. In --ss (strict) mode these are errors, - not warnings. - - Warning: unused {User,Runas,Host,Cmnd}_Alias - The specified {User,Runas,Host,Cmnd}_Alias was defined but never - used. The message is prefixed with the path name of the _s_u_d_o_e_r_s - file and the line number where the unused alias was defined. You - may wish to comment out or remove the unused alias. - - Warning: cycle in {User,Runas,Host,Cmnd}_Alias - The specified {User,Runas,Host,Cmnd}_Alias includes a reference to - itself, either directly or through an alias it includes. The - message is prefixed with the path name of the _s_u_d_o_e_r_s file and the - line number where the cycle was detected. This is only a warning - unless vviissuuddoo is run in --ss (strict) mode as ssuuddoo will ignore cycles - when parsing the _s_u_d_o_e_r_s file. - - unknown defaults entry "name" - The _s_u_d_o_e_r_s file contains a Defaults setting not recognized by - vviissuuddoo. - -SSEEEE AALLSSOO - vi(1), sudo.conf(4), sudoers(4), sudo(1m), vipw(1m) - -AAUUTTHHOORRSS - Many people have worked on ssuuddoo over the years; this version consists of - code written primarily by: - - Todd C. Miller - - See the CONTRIBUTORS file in the ssuuddoo distribution - (https://www.sudo.ws/contributors.html) for an exhaustive list of people - who have contributed to ssuuddoo. - -CCAAVVEEAATTSS - There is no easy way to prevent a user from gaining a root shell if the - editor used by vviissuuddoo allows shell escapes. - -BBUUGGSS - If you feel you have found a bug in vviissuuddoo, please submit a bug report at - https://bugzilla.sudo.ws/ - -SSUUPPPPOORRTT - Limited free support is available via the sudo-users mailing list, see - https://www.sudo.ws/mailman/listinfo/sudo-users to subscribe or search - the archives. - -DDIISSCCLLAAIIMMEERR - vviissuuddoo is provided "AS IS" and any express or implied warranties, - including, but not limited to, the implied warranties of merchantability - and fitness for a particular purpose are disclaimed. See the LICENSE - file distributed with ssuuddoo or https://www.sudo.ws/license.html for - complete details. - -Sudo 1.8.28 June 20, 2019 Sudo 1.8.28 -- 2.40.0