From c32bd3db545dbe210e7a4745ac07158d84867829 Mon Sep 17 00:00:00 2001 From: "Todd C. Miller" Date: Sun, 5 Feb 2012 10:17:09 -0500 Subject: [PATCH] Enumerate the debug subsystems used by sudo and sudoers. --- doc/sudo.pod | 72 ++++++++++++++++++++++++++++++++++----- doc/sudoers.pod | 90 +++++++++++++++++++++++++++++++++++++++++++++++++ 2 files changed, 153 insertions(+), 9 deletions(-) diff --git a/doc/sudo.pod b/doc/sudo.pod index f35930fd9..13b1b84af 100644 --- a/doc/sudo.pod +++ b/doc/sudo.pod @@ -483,7 +483,7 @@ Defaults to F<@noexec_file@>. B versions 1.8.4 and higher support a flexible debugging framework that can help track down what B is doing internally -when there is a problem. +if there is a problem. A C line consists of the C keyword, followed by the name of the program to debug (B, B, B), @@ -505,15 +505,69 @@ and the plugins. A future release may add support for per-plugin C lines and/or support for multiple debugging files for a single program. -For reference, the priorities supported by the B front end and -I are: I, I, I, I, I, -I, I and I. +The priorities used by the B front end, in order of decreasing +severity, are: I, I, I, I, I, I, +I and I. Each priority, when specified, also includes +all priorities higher than it. For example, a priority of I +would include debug messages logged at I and higher. -The following subsystems are defined: I
, I, I, -I, I, I, I, I, I, I, -I, I, I, I, I, I, I, -I, I, I, I, I, I, I, -I, I. The subsystem I includes every subsystem. +The following subsystems are used by B: + +=over 10 + +=item I + +matches every subsystem + +=item I + +command line argument processing + +=item I + +user conversation + +=item I + +sudoedit + +=item I + +command execution + +=item I
+ +B main function + +=item I + +network interface handling + +=item I + +communication with the plugin + +=item I + +plugin configuration + +=item I + +pseudo-tty related code + +=item I + +SELinux-specific handling + +=item I + +utility functions + +=item I + +utmp handling + +=back =head1 RETURN VALUES diff --git a/doc/sudoers.pod b/doc/sudoers.pod index 9418542cb..cd0ef3780 100644 --- a/doc/sudoers.pod +++ b/doc/sudoers.pod @@ -1903,6 +1903,96 @@ to unintended privilege escalation. In the specific case of an editor, a safer approach is to give the user permission to run B. +=head1 DEBUG FLAGS + +Versions 1.8.4 and higher of the I plugin supports a +debugging framework that can help track down what the plugin is +doing internally if there is a problem. This can be configured in +the F<@sysconfdir@/sudo.conf> file as described in L. + +The I plugin uses the same debug flag format as B +itself: I@I. + +The priorities used by I, in order of decreasing severity, +are: I, I, I, I, I, I, I +and I. Each priority, when specified, also includes all +priorities higher than it. For example, a priority of I +would include debug messages logged at I and higher. + +The following subsystems are used by I: + +=over 10 + +=item I + +C, C, C and C processing + +=item I + +matches every subsystem + +=item I + +BSM and Linux audit code + +=item I + +user authentication + +=item I + +I I settings + +=item I + +environment handling + +=item I + +LDAP-based sudoers + +=item I + +logging support + +=item I + +matching of users, groups, hosts and netgroups in I + +=item I + +network interface handling + +=item I + +network service switch handling in I + +=item I + +I file parsing + +=item I + +permission setting + +=item I + +The equivalent of I
for the plugin. + +=item I + +pseudo-tty related code + +=item I + +redblack tree internals + +=item I + +utility functions + +=back + =head1 SECURITY NOTES I will check the ownership of its time stamp directory -- 2.40.0
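Review bot: "also includes all priorities higher than it" in the doc/sudo.pod hunk at @@ -505,15 +505,69 @@ is ambiguous, because the list just before it is given "in order of decreasing severity", so "higher" can be read either as more severe or as further along the list. Suggest phrasing it in terms of severity, for example "also includes all priorities more severe than it", and adjusting the example sentence that ends "and higher" to match. The same two sentences are added in the doc/sudoers.pod hunk, so the wording should change there as well.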
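Review bot: subject-verb disagreement in the first sentence of the new DEBUG FLAGS section in doc/sudoers.pod (hunk @@ -1903,6 +1903,96 @@): "Versions 1.8.4 and higher of the ... plugin supports a debugging framework" should read "support". In the same hunk, the description "The equivalent of ... for the plugin." is the only =item description written as a capitalized sentence with a trailing period; the others in both lists are unpunctuated fragments, so matching them would keep the lists consistent. The priority paragraph is also repeated almost word for word from doc/sudo.pod; since this section already cross-references the sudo.conf description, consider pointing there for the priority semantics too, so the two copies cannot drift apart.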