version 1.1.1.3, 2012/10/09 09:29:52
|
version 1.1.1.4, 2013/07/22 10:46:11
|
Line 24 DDEESSCCRRIIPPTTIIOONN
|
Line 24 DDEESSCCRRIIPPTTIIOONN
|
input/output logging. Third parties can develop and distribute their own |
input/output logging. Third parties can develop and distribute their own |
policy and I/O logging plugins to work seamlessly with the ssuuddoo front |
policy and I/O logging plugins to work seamlessly with the ssuuddoo front |
end. The default security policy is _s_u_d_o_e_r_s, which is configured via the |
end. The default security policy is _s_u_d_o_e_r_s, which is configured via the |
file _/_e_t_c_/_s_u_d_o_e_r_s, or via LDAP. See the _P_L_U_G_I_N_S section for more | file _/_e_t_c_/_s_u_d_o_e_r_s, or via LDAP. See the _P_l_u_g_i_n_s section for more |
information. |
information. |
|
|
The security policy determines what privileges, if any, a user has to run |
The security policy determines what privileges, if any, a user has to run |
Line 54 DDEESSCCRRIIPPTTIIOONN
|
Line 54 DDEESSCCRRIIPPTTIIOONN
|
to read the user's password and output the password to the |
to read the user's password and output the password to the |
standard output. If the SUDO_ASKPASS environment variable is |
standard output. If the SUDO_ASKPASS environment variable is |
set, it specifies the path to the helper program. Otherwise, |
set, it specifies the path to the helper program. Otherwise, |
if _/_e_t_c_/_s_u_d_o_._c_o_n_f contains a line specifying the askpass | if sudo.conf(4) contains a line specifying the askpass |
program, that value will be used. For example: |
program, that value will be used. For example: |
|
|
# Path to askpass helper program |
# Path to askpass helper program |
Line 299 DDEESSCCRRIIPPTTIIOONN
|
Line 299 DDEESSCCRRIIPPTTIIOONN
|
|
|
CCOOMMMMAANNDD EEXXEECCUUTTIIOONN |
CCOOMMMMAANNDD EEXXEECCUUTTIIOONN |
When ssuuddoo executes a command, the security policy specifies the execution |
When ssuuddoo executes a command, the security policy specifies the execution |
envionment for the command. Typically, the real and effective uid and | environment for the command. Typically, the real and effective uid and |
gid are set to match those of the target user, as specified in the |
gid are set to match those of the target user, as specified in the |
password database, and the group vector is initialized based on the group |
password database, and the group vector is initialized based on the group |
database (unless the --PP option was specified). |
database (unless the --PP option was specified). |
Line 333 CCOOMMMMAANNDD EEXXEECCUUTTIIOONN
|
Line 333 CCOOMMMMAANNDD EEXXEECCUUTTIIOONN
|
environment as described above, and calls the execve system call in the |
environment as described above, and calls the execve system call in the |
child process. The main ssuuddoo process waits until the command has |
child process. The main ssuuddoo process waits until the command has |
completed, then passes the command's exit status to the security policy's |
completed, then passes the command's exit status to the security policy's |
close method and exits. If an I/O logging plugin is configured, a new | close function and exits. If an I/O logging plugin is configured or if |
pseudo-terminal (``pty'') is created and a second ssuuddoo process is used to | the security policy explicitly requests it, a new pseudo-terminal |
relay job control signals between the user's existing pty and the new pty | (``pty'') is created and a second ssuuddoo process is used to relay job |
the command is being run in. This extra process makes it possible to, | control signals between the user's existing pty and the new pty the |
for example, suspend and resume the command. Without it, the command | command is being run in. This extra process makes it possible to, for |
would be in what POSIX terms an ``orphaned process group'' and it would | example, suspend and resume the command. Without it, the command would |
not receive any job control signals. | be in what POSIX terms an ``orphaned process group'' and it would not |
| receive any job control signals. As a special case, if the policy plugin |
| does not define a close function and no pty is required, ssuuddoo will |
| execute the command directly instead of calling fork(2) first. |
|
|
SSiiggnnaall hhaannddlliinngg |
SSiiggnnaall hhaannddlliinngg |
Because the command is run as a child of the ssuuddoo process, ssuuddoo will |
Because the command is run as a child of the ssuuddoo process, ssuuddoo will |
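Review bot: the new sentence closing the right-column paragraph, "As a special case, if the policy plugin does not define a close function and no pty is required, sudo will execute the command directly instead of calling fork(2) first", sits at odds with the unchanged text above it ("The main sudo process waits until the command has completed, then passes the command's exit status to the security policy's close function") and with the Signal handling lead-in that follows ("Because the command is run as a child of the sudo process"). When the command is exec'd in place there is no parent sudo process left to collect an exit status or relay anything, so the paragraph should say what happens to the exit status and to signal relaying in that case. The condition stated here (no close function, no pty) is also shorter than the one the Signal handling hunk later in this diff gives, which additionally names a command timeout; the two descriptions should list the same conditions.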
Line 354 CCOOMMMMAANNDD EEXXEECCUUTTIIOONN
|
Line 357 CCOOMMMMAANNDD EEXXEECCUUTTIIOONN
|
As a special case, ssuuddoo will not relay signals that were sent by the |
As a special case, ssuuddoo will not relay signals that were sent by the |
command it is running. This prevents the command from accidentally |
command it is running. This prevents the command from accidentally |
killing itself. On some systems, the reboot(1m) command sends SIGTERM to |
killing itself. On some systems, the reboot(1m) command sends SIGTERM to |
all non-system processes other than itself before rebooting the systyem. | all non-system processes other than itself before rebooting the system. |
This prevents ssuuddoo from relaying the SIGTERM signal it received back to |
This prevents ssuuddoo from relaying the SIGTERM signal it received back to |
reboot(1m), which might then exit before the system was actually rebooted, |
reboot(1m), which might then exit before the system was actually rebooted, |
leaving it in a half-dead state similar to single user mode. Note, |
leaving it in a half-dead state similar to single user mode. Note, |
Line 365 CCOOMMMMAANNDD EEXXEECCUUTTIIOONN
|
Line 368 CCOOMMMMAANNDD EEXXEECCUUTTIIOONN
|
run using the eexxeecc() family of functions instead of ssyysstteemm() (which |
run using the eexxeecc() family of functions instead of ssyysstteemm() (which |
interposes a shell between the command and the calling process). |
interposes a shell between the command and the calling process). |
|
|
PPLLUUGGIINNSS | If no I/O logging plugins are loaded and the policy plugin has not |
Plugins are dynamically loaded based on the contents of the | defined a cclloossee() function, set a command timeout or required that the |
_/_e_t_c_/_s_u_d_o_._c_o_n_f file. If no _/_e_t_c_/_s_u_d_o_._c_o_n_f file is present, or it | command be run in a new pty, ssuuddoo may execute the command directly |
contains no Plugin lines, ssuuddoo will use the traditional _s_u_d_o_e_r_s security | instead of running it as a child process. |
policy and I/O logging, which corresponds to the following _/_e_t_c_/_s_u_d_o_._c_o_n_f | |
file. | |
|
|
# | PPlluuggiinnss |
# Default /etc/sudo.conf file | Plugins are dynamically loaded based on the contents of the sudo.conf(4) |
# | file. If no sudo.conf(4) file is present, or it contains no Plugin |
# Format: | lines, ssuuddoo will use the traditional _s_u_d_o_e_r_s security policy and I/O |
# Plugin plugin_name plugin_path plugin_options ... | logging. See the sudo.conf(4) manual for details of the _/_e_t_c_/_s_u_d_o_._c_o_n_f |
# Path askpass /path/to/askpass | file and the sudo_plugin(1m) manual for more information about the ssuuddoo |
# Path noexec /path/to/sudo_noexec.so | plugin architecture. |
# Debug sudo /var/log/sudo_debug all@warn | |
# Set disable_coredump true | |
# | |
# The plugin_path is relative to /usr/local/libexec unless | |
# fully qualified. | |
# The plugin_name corresponds to a global symbol in the plugin | |
# that contains the plugin interface structure. | |
# The plugin_options are optional. | |
# | |
Plugin policy_plugin sudoers.so | |
Plugin io_plugin sudoers.so | |
|
|
A Plugin line consists of the Plugin keyword, followed by the _s_y_m_b_o_l___n_a_m_e |
|
and the _p_a_t_h to the shared object containing the plugin. The _s_y_m_b_o_l___n_a_m_e |
|
is the name of the struct policy_plugin or struct io_plugin in the plugin |
|
shared object. The _p_a_t_h may be fully qualified or relative. If not |
|
fully qualified it is relative to the _/_u_s_r_/_l_o_c_a_l_/_l_i_b_e_x_e_c directory. Any |
|
additional parameters after the _p_a_t_h are passed as arguments to the |
|
plugin's _o_p_e_n function. Lines that don't begin with Plugin, Path, Debug, |
|
or Set are silently ignored. |
|
|
|
For more information, see the sudo_plugin(1m) manual. |
|
|
|
PPAATTHHSS |
|
A Path line consists of the Path keyword, followed by the name of the |
|
path to set and its value. E.g. |
|
|
|
Path noexec /usr/local/libexec/sudo_noexec.so |
|
Path askpass /usr/X11R6/bin/ssh-askpass |
|
|
|
The following plugin-agnostic paths may be set in the _/_e_t_c_/_s_u_d_o_._c_o_n_f |
|
file: |
|
|
|
askpass The fully qualified path to a helper program used to read the |
|
user's password when no terminal is available. This may be the |
|
case when ssuuddoo is executed from a graphical (as opposed to |
|
text-based) application. The program specified by _a_s_k_p_a_s_s |
|
should display the argument passed to it as the prompt and |
|
write the user's password to the standard output. The value of |
|
_a_s_k_p_a_s_s may be overridden by the SUDO_ASKPASS environment |
|
variable. |
|
|
|
noexec The fully-qualified path to a shared library containing dummy |
|
versions of the eexxeeccvv(), eexxeeccvvee() and ffeexxeeccvvee() library |
|
functions that just return an error. This is used to implement |
|
the _n_o_e_x_e_c functionality on systems that support LD_PRELOAD or |
|
its equivalent. Defaults to _/_u_s_r_/_l_o_c_a_l_/_l_i_b_e_x_e_c_/_s_u_d_o___n_o_e_x_e_c_._s_o. |
|
|
|
DDEEBBUUGG FFLLAAGGSS |
|
ssuuddoo versions 1.8.4 and higher support a flexible debugging framework |
|
that can help track down what ssuuddoo is doing internally if there is a |
|
problem. |
|
|
|
A Debug line consists of the Debug keyword, followed by the name of the |
|
program to debug (ssuuddoo, vviissuuddoo, ssuuddoorreeppllaayy), the debug file name and a |
|
comma-separated list of debug flags. The debug flag syntax used by ssuuddoo |
|
and the _s_u_d_o_e_r_s plugin is _s_u_b_s_y_s_t_e_m@_p_r_i_o_r_i_t_y but the plugin is free to |
|
use a different format so long as it does not include a comma (`,'). |
|
|
|
For instance: |
|
|
|
Debug sudo /var/log/sudo_debug all@warn,plugin@info |
|
|
|
would log all debugging statements at the _w_a_r_n level and higher in |
|
addition to those at the _i_n_f_o level for the plugin subsystem. |
|
|
|
Currently, only one Debug entry per program is supported. The ssuuddoo Debug |
|
entry is shared by the ssuuddoo front end, ssuuddooeeddiitt and the plugins. A |
|
future release may add support for per-plugin Debug lines and/or support |
|
for multiple debugging files for a single program. |
|
|
|
The priorities used by the ssuuddoo front end, in order of decreasing |
|
severity, are: _c_r_i_t, _e_r_r, _w_a_r_n, _n_o_t_i_c_e, _d_i_a_g, _i_n_f_o, _t_r_a_c_e and _d_e_b_u_g. |
|
Each priority, when specified, also includes all priorities higher than |
|
it. For example, a priority of _n_o_t_i_c_e would include debug messages |
|
logged at _n_o_t_i_c_e and higher. |
|
|
|
The following subsystems are used by the ssuuddoo front-end: |
|
|
|
_a_l_l matches every subsystem |
|
|
|
_a_r_g_s command line argument processing |
|
|
|
_c_o_n_v user conversation |
|
|
|
_e_d_i_t sudoedit |
|
|
|
_e_x_e_c command execution |
|
|
|
_m_a_i_n ssuuddoo main function |
|
|
|
_n_e_t_i_f network interface handling |
|
|
|
_p_c_o_m_m communication with the plugin |
|
|
|
_p_l_u_g_i_n plugin configuration |
|
|
|
_p_t_y pseudo-tty related code |
|
|
|
_s_e_l_i_n_u_x SELinux-specific handling |
|
|
|
_u_t_i_l utility functions |
|
|
|
_u_t_m_p utmp handling |
|
|
|
EEXXIITT VVAALLUUEE |
EEXXIITT VVAALLUUEE |
Upon successful execution of a program, the exit status from _s_u_d_o will |
Upon successful execution of a program, the exit status from _s_u_d_o will |
simply be the exit status of the program that was executed. |
simply be the exit status of the program that was executed. |
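Review bot: the new right-column Signal handling paragraph at the top of this hunk, "the policy plugin has not defined a close() function, set a command timeout or required that the command be run in a new pty", is ambiguous about whether "has not" governs all three conditions; suggest "has not defined a close() function, has not set a command timeout, and has not required that the command be run in a new pty". The same hunk removes the entire PLUGINS, PATHS and DEBUG FLAGS text from this page (the sample /etc/sudo.conf, the askpass and noexec path descriptions, the Debug line syntax, and the priority and subsystem lists) and replaces it with a short Plugins subsection that defers to sudo.conf(4) and sudo_plugin(1m). That is reasonable only if sudo.conf(4) in the same release carries all of it, in particular the noexec description (the LD_PRELOAD library with dummy execv(), execve() and fexecve()) and the Debug subsystem list, which have no other home on this page once these lines are gone.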
Line 524 SSEECCUURRIITTYY NNOOTTEESS
|
Line 421 SSEECCUURRIITTYY NNOOTTEESS
|
disables core dumps by default while it is executing (they are re-enabled |
disables core dumps by default while it is executing (they are re-enabled |
for the command that is run). To aid in debugging ssuuddoo crashes, you may |
for the command that is run). To aid in debugging ssuuddoo crashes, you may |
wish to re-enable core dumps by setting ``disable_coredump'' to false in |
wish to re-enable core dumps by setting ``disable_coredump'' to false in |
the _/_e_t_c_/_s_u_d_o_._c_o_n_f file as follows: | the sudo.conf(4) file as follows: |
|
|
Set disable_coredump false |
Set disable_coredump false |
|
|
Note that by default, most operating systems disable core dumps from | See the sudo.conf(4) manual for more information. |
setuid programs, which includes ssuuddoo. To actually get a ssuuddoo core file | |
you may need to enable core dumps for setuid processes. On BSD and Linux | |
systems this is accomplished via the sysctl command, on Solaris the | |
coreadm command can be used. | |
|
|
EENNVVIIRROONNMMEENNTT |
EENNVVIIRROONNMMEENNTT |
ssuuddoo utilizes the following environment variables. The security policy |
ssuuddoo utilizes the following environment variables. The security policy |
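Review bot: the left-column paragraph at the end of the SECURITY NOTES hunk (most operating systems disable core dumps from setuid programs, so sysctl or coreadm may be needed to actually get a sudo core file) is collapsed to "See the sudo.conf(4) manual for more information." Because this is the section that tells the reader to set "Set disable_coredump false", it is worth keeping one sentence here saying that the setting is a debugging aid and is usually not sufficient on its own for a setuid binary, or confirming that sudo.conf(4) now carries the sysctl/coreadm caveat so that readers are not left enabling the option with no effect.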
Line 617 EEXXAAMMPPLLEESS
|
Line 510 EEXXAAMMPPLLEESS
|
$ sudo sh -c "cd /home ; du -s * | sort -rn > USAGE" |
$ sudo sh -c "cd /home ; du -s * | sort -rn > USAGE" |
|
|
SSEEEE AALLSSOO |
SSEEEE AALLSSOO |
grep(1), su(1), stat(2), login_cap(3), passwd(4), sudoers(4), | su(1), stat(2), login_cap(3), passwd(4), sudo.conf(4), sudoers(4), |
sudo_plugin(1m), sudoreplay(1m), visudo(1m) |
sudo_plugin(1m), sudoreplay(1m), visudo(1m) |
|
|
HHIISSTTOORRYY |
HHIISSTTOORRYY |
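Review bot: the SEE ALSO change adds sudo.conf(4), which matches the cross-references introduced elsewhere in this diff, but it also drops grep(1) and the hunk shows no reason for that removal; confirm that no remaining text on the page still refers to grep(1) before dropping the entry.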
Line 668 DDIISSCCLLAAIIMMEERR
|
Line 561 DDIISSCCLLAAIIMMEERR
|
file distributed with ssuuddoo or http://www.sudo.ws/sudo/license.html for |
file distributed with ssuuddoo or http://www.sudo.ws/sudo/license.html for |
complete details. |
complete details. |
|
|
Sudo 1.8.6 July 10, 2012 Sudo 1.8.6 | Sudo 1.8.7 March 13, 2013 Sudo 1.8.7 |