--- embedaddon/sudo/doc/sudo.conf.cat 2013/07/22 10:46:11 1.1.1.1 +++ embedaddon/sudo/doc/sudo.conf.cat 2014/06/15 16:12:54 1.1.1.3 @@ -39,11 +39,12 @@ DDEESSCCRRIIPPTTIIOONN end. Plugins are dynamically loaded based on the contents of ssuuddoo..ccoonnff. A Plugin line consists of the Plugin keyword, followed by the _s_y_m_b_o_l___n_a_m_e - and the _p_a_t_h to the shared object containing the plugin. The _s_y_m_b_o_l___n_a_m_e - is the name of the struct policy_plugin or struct io_plugin in the plugin - shared object. The _p_a_t_h may be fully qualified or relative. If not - fully qualified, it is relative to the _/_u_s_r_/_l_o_c_a_l_/_l_i_b_e_x_e_c_/_s_u_d_o directory. - In other words: + and the _p_a_t_h to the dynamic shared object that contains the plugin. The + _s_y_m_b_o_l___n_a_m_e is the name of the struct policy_plugin or struct io_plugin + symbol contained in the plugin. The _p_a_t_h may be fully qualified or + relative. If not fully qualified, it is relative to the directory + specified by the _p_l_u_g_i_n___d_i_r Path setting, which defaults to + _/_u_s_r_/_l_o_c_a_l_/_l_i_b_e_x_e_c_/_s_u_d_o. In other words: Plugin sudoers_policy sudoers.so 
@@ -51,17 +52,24 @@ DDEESSCCRRIIPPTTIIOONN Plugin sudoers_policy /usr/local/libexec/sudo/sudoers.so + If the plugin was compiled statically into the ssuuddoo binary instead of + being installed as a dynamic shared object, the _p_a_t_h should be specified + without a leading directory, as it does not actually exist in the file + system. For example: + + Plugin sudoers_policy sudoers.so + Starting with ssuuddoo 1.8.5, any additional parameters after the _p_a_t_h are passed as arguments to the plugin's _o_p_e_n function. For example, to override the compile-time default sudoers file mode: Plugin sudoers_policy sudoers.so sudoers_mode=0440 - The same shared object may contain multiple plugins, each with a - different symbol name. The shared object file must be owned by uid 0 and - only writable by its owner. Because of ambiguities that arise from - composite policies, only a single policy plugin may be specified. This - limitation does not apply to I/O plugins. + The same dynamic shared object may contain multiple plugins, each with a + different symbol name. The file must be owned by uid 0 and only writable + by its owner. Because of ambiguities that arise from composite policies, + only a single policy plugin may be specified. This limitation does not + apply to I/O plugins. If no ssuuddoo..ccoonnff file is present, or if it contains no Plugin lines, the ssuuddooeerrss plugin will be used as the default security policy and for I/O 
@@ -99,6 +107,11 @@ DDEESSCCRRIIPPTTIIOONN its equivalent. The default value is: _/_u_s_r_/_l_o_c_a_l_/_l_i_b_e_x_e_c_/_s_u_d_o_/_s_u_d_o___n_o_e_x_e_c_._s_o. + plugin_dir + The default directory to use when searching for plugins that + are specified without a fully qualified path name. The default + value is _/_u_s_r_/_l_o_c_a_l_/_l_i_b_e_x_e_c_/_s_u_d_o. + sesh The fully-qualified path to the sseesshh binary. This setting is only used when ssuuddoo is built with SELinux support. The default value is _/_u_s_r_/_l_o_c_a_l_/_l_i_b_e_x_e_c_/_s_u_d_o_/_s_e_s_h. 
@@ -178,19 +191,34 @@ DDEESSCCRRIIPPTTIIOONN max_groups The maximum number of user groups to retrieve from the group - database. This setting is only used when querying the group - database directly. It is intended to be used on systems where - it is not possible to detect when the array to be populated - with group entries is not sufficiently large. By default, ssuuddoo - will allocate four times the system's maximum number of groups - (see above) and retry with double that number if the group - database query fails. However, some systems just return as - many entries as will fit and do not indicate an error when - there is a lack of space. + database. Values less than one will be ignored. This setting + is only used when querying the group database directly. It is + intended to be used on systems where it is not possible to + detect when the array to be populated with group entries is not + sufficiently large. By default, ssuuddoo will allocate four times + the system's maximum number of groups (see above) and retry + with double that number if the group database query fails. + However, some systems just return as many entries as will fit + and do not indicate an error when there is a lack of space. This setting is only available in ssuuddoo version 1.8.7 and higher. + probe_interfaces + By default, ssuuddoo will probe the system's network interfaces and + pass the IP address of each enabled interface to the policy + plugin. This makes it possible for the plugin to match rules + based on the IP address without having to query DNS. On Linux + systems with a large number of virtual interfaces, this may + take a non-negligible amount of time. If IP-based matching is + not required, network interface probing can be disabled as + follows: + + Set probe_interfaces false + + This setting is only available in ssuuddoo version 1.8.10 and + higher. 
+ DDeebbuugg ffllaaggss ssuuddoo versions 1.8.4 and higher support a flexible debugging framework that can help track down what ssuuddoo is doing internally if there is a @@ -231,6 +259,8 @@ DDEESSCCRRIIPPTTIIOONN _e_d_i_t sudoedit + _e_v_e_n_t event subsystem + _e_x_e_c command execution _m_a_i_n ssuuddoo main function @@ -361,4 +391,4 @@ DDIISSCCLLAAIIMMEERR file distributed with ssuuddoo or http://www.sudo.ws/sudo/license.html for complete details. -Sudo 1.8.7 March 14, 2013 Sudo 1.8.7 +Sudo 1.8.10 January 22, 2014 Sudo 1.8.10
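Review bot: In the first hunk, the sentence "If not fully qualified, it is relative to the directory specified by the plugin_dir Path setting" references a setting that is only defined later in the page (third hunk), so a reader hitting the Plugin description first has no definition for it; add a short pointer such as "(see the Path settings section below)" so the forward reference resolves, and consider stating explicitly that a relative path is resolved only against plugin_dir and never against the caller's working directory, since that is the property an administrator reading this paragraph is checking for.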
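Review bot: In the second hunk, the static-plugin example "Plugin sudoers_policy sudoers.so" is byte-for-byte the same as the dynamic relative-path example a few lines above it, so the text does not tell the reader how the two cases are told apart or which wins when a file named sudoers.so also exists in plugin_dir; state the lookup order (built-in symbol first, or file first) instead of only saying the path "does not actually exist in the file system". The same hunk also keeps "The file must be owned by uid 0 and only writable by its owner", but for a statically linked plugin there is no file to check, so say whether that ownership check is skipped in the static case, since the requirement is the one safeguard this paragraph documents against loading a tampered plugin.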
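Review bot: In the third hunk, the new plugin_dir entry has no "This setting is only available in sudo version X and higher" line, while the probe_interfaces entry added in the same patch does ("1.8.10 and higher") and max_groups already carries one ("1.8.7 and higher"); add the version line for plugin_dir so an administrator maintaining a shared sudo.conf across releases knows that older sudo versions will not honour it and will keep resolving relative Plugin paths against the compiled-in /usr/local/libexec/sudo.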
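Review bot: In the fourth hunk, the probe_interfaces text says only "If IP-based matching is not required, network interface probing can be disabled", which leaves the failure mode implicit; add one sentence making explicit that with "Set probe_interfaces false" the policy plugin receives no interface addresses, so any sudoers rule that matches the host by IP address or network will no longer match and the commands it grants become unavailable (and DNS is not consulted as a fallback). In the same hunk, "Values less than one will be ignored" for max_groups should say what happens instead (presumably the default four-times-NGROUPS_MAX behaviour described in the next sentence) so the reader does not have to infer it.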
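Review bot: In the last hunk, the new "_e_v_e_n_t event subsystem" entry in the Debug flags list sits under a section that still opens with "sudo versions 1.8.4 and higher support a flexible debugging framework", so nothing tells the reader that the event subsystem name is only accepted by 1.8.10 (the version the footer is bumped to in the same hunk); add a brief version note to the entry, matching the convention used elsewhere in this page, so a Debug line naming it is not silently rejected on older releases.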