Annotation of embedaddon/sudo/doc/sudo.conf.cat, revision 1.1
SUDO(4)                      Programmer's Manual                      SUDO(4)

NAME
     sudo.conf - configuration for sudo front end

DESCRIPTION
     The sudo.conf file is used to configure the sudo front end.  It
     specifies the security policy and I/O logging plugins, debug flags as
     well as plugin-agnostic path names and settings.

     The sudo.conf file supports the following directives, described in
     detail below.

     Plugin    a security policy or I/O logging plugin

     Path      a plugin-agnostic path

     Set       a front end setting, such as disable_coredump or group_source

     Debug     debug flags to aid in debugging sudo, sudoreplay, visudo, and
               the sudoers plugin.

     The pound sign (`#') is used to indicate a comment.  Both the comment
     character and any text after it, up to the end of the line, are
     ignored.

     Long lines can be continued with a backslash (`\') as the last
     character on the line.  Note that leading white space is removed from
     the beginning of lines even when the continuation character is used.

     Non-comment lines that don't begin with Plugin, Path, Debug, or Set are
     silently ignored.

     The sudo.conf file is always parsed in the ``C'' locale.

   Plugin configuration
     sudo supports a plugin architecture for security policies and
     input/output logging.  Third parties can develop and distribute their
     own policy and I/O logging plugins to work seamlessly with the sudo
     front end.  Plugins are dynamically loaded based on the contents of
     sudo.conf.

     A Plugin line consists of the Plugin keyword, followed by the
     symbol_name and the path to the shared object containing the plugin.
     The symbol_name is the name of the struct policy_plugin or struct
     io_plugin in the plugin shared object.  The path may be fully qualified
     or relative.  If not fully qualified, it is relative to the
     /usr/local/libexec/sudo directory.  In other words:

           Plugin sudoers_policy sudoers.so

     is equivalent to:

           Plugin sudoers_policy /usr/local/libexec/sudo/sudoers.so

     Starting with sudo 1.8.5, any additional parameters after the path are
     passed as arguments to the plugin's open function.  For example, to
     override the compile-time default sudoers file mode:

           Plugin sudoers_policy sudoers.so sudoers_mode=0440

     The same shared object may contain multiple plugins, each with a
     different symbol name.  The shared object file must be owned by uid 0
     and only writable by its owner.  Because of ambiguities that arise from
     composite policies, only a single policy plugin may be specified.  This
     limitation does not apply to I/O plugins.

     If no sudo.conf file is present, or if it contains no Plugin lines, the
     sudoers plugin will be used as the default security policy and for I/O
     logging (if enabled by the policy).  This is equivalent to the
     following:

           Plugin sudoers_policy sudoers.so
           Plugin sudoers_io sudoers.so

     For more information on the sudo plugin architecture, see the
     sudo_plugin(1m) manual.

   Path settings
     A Path line consists of the Path keyword, followed by the name of the
     path to set and its value.  For example:

           Path noexec /usr/local/libexec/sudo/sudo_noexec.so
           Path askpass /usr/X11R6/bin/ssh-askpass

     The following plugin-agnostic paths may be set in the /etc/sudo.conf
     file:

     askpass   The fully qualified path to a helper program used to read the
               user's password when no terminal is available.  This may be
               the case when sudo is executed from a graphical (as opposed
               to text-based) application.  The program specified by askpass
               should display the argument passed to it as the prompt and
               write the user's password to the standard output.  The value
               of askpass may be overridden by the SUDO_ASKPASS environment
               variable.

     noexec    The fully-qualified path to a shared library containing dummy
               versions of the execv(), execve() and fexecve() library
               functions that just return an error.  This is used to
               implement the noexec functionality on systems that support
               LD_PRELOAD or its equivalent.  The default value is:
               /usr/local/libexec/sudo/sudo_noexec.so.

     sesh      The fully-qualified path to the sesh binary.  This setting is
               only used when sudo is built with SELinux support.  The
               default value is /usr/local/libexec/sudo/sesh.

   Other settings
     The sudo.conf file also supports the following front end settings:

     disable_coredump
               Core dumps of sudo itself are disabled by default.  To aid in
               debugging sudo crashes, you may wish to re-enable core dumps
               by setting ``disable_coredump'' to false in sudo.conf as
               follows:

                     Set disable_coredump false

               Note that most operating systems disable core dumps from
               setuid programs, including sudo.  To actually get a sudo core
               file you will likely need to enable core dumps for setuid
               processes.  On BSD and Linux systems this is accomplished
               with the sysctl command.  On Solaris, the coreadm command is
               used to configure core dump behavior.

               This setting is only available in sudo version 1.8.4 and
               higher.

     group_source
               sudo passes the invoking user's group list to the policy and
               I/O plugins.  On most systems, there is an upper limit to the
               number of groups that a user may belong to simultaneously
               (typically 16 for compatibility with NFS).  On systems with
               the getconf(1) utility, running:

                     getconf NGROUPS_MAX

               will return the maximum number of groups.

               However, it is still possible to be a member of a larger
               number of groups--they simply won't be included in the group
               list returned by the kernel for the user.  Starting with sudo
               version 1.8.7, if the user's kernel group list has the
               maximum number of entries, sudo will consult the group
               database directly to determine the group list.  This makes it
               possible for the security policy to perform matching by group
               name even when the user is a member of more than the maximum
               number of groups.

               The group_source setting allows the administrator to change
               this default behavior.  Supported values for group_source
               are:

               static     Use the static group list that the kernel returns.
                          Retrieving the group list this way is very fast
                          but it is subject to an upper limit as described
                          above.  It is ``static'' in that it does not
                          reflect changes to the group database made after
                          the user logs in.  This was the default behavior
                          prior to sudo 1.8.7.

               dynamic    Always query the group database directly.  It is
                          ``dynamic'' in that changes made to the group
                          database after the user logs in will be reflected
                          in the group list.  On some systems, querying the
                          group database for all of a user's groups can be
                          time consuming when querying a network-based group
                          database.  Most operating systems provide an
                          efficient method of performing such queries.
                          Currently, sudo supports efficient group queries
                          on AIX, BSD, HP-UX, Linux and Solaris.

               adaptive   Only query the group database if the static group
                          list returned by the kernel has the maximum number
                          of entries.  This is the default behavior in sudo
                          1.8.7 and higher.

               For example, to cause sudo to only use the kernel's static
               list of groups for the user:

                     Set group_source static

               This setting is only available in sudo version 1.8.7 and
               higher.

     max_groups
               The maximum number of user groups to retrieve from the group
               database.  This setting is only used when querying the group
               database directly.  It is intended to be used on systems
               where it is not possible to detect when the array to be
               populated with group entries is not sufficiently large.  By
               default, sudo will allocate four times the system's maximum
               number of groups (see above) and retry with double that
               number if the group database query fails.  However, some
               systems just return as many entries as will fit and do not
               indicate an error when there is a lack of space.

               This setting is only available in sudo version 1.8.7 and
               higher.

   Debug flags
     sudo versions 1.8.4 and higher support a flexible debugging framework
     that can help track down what sudo is doing internally if there is a
     problem.

     A Debug line consists of the Debug keyword, followed by the name of the
     program (or plugin) to debug (sudo, visudo, sudoreplay, sudoers), the
     debug file name and a comma-separated list of debug flags.  The debug
     flag syntax used by sudo and the sudoers plugin is subsystem@priority
     but a plugin is free to use a different format so long as it does not
     include a comma (`,').

     For example:

           Debug sudo /var/log/sudo_debug all@warn,plugin@info

     would log all debugging statements at the warn level and higher in
     addition to those at the info level for the plugin subsystem.

     Currently, only one Debug entry per program is supported.  The sudo
     Debug entry is shared by the sudo front end, sudoedit and the plugins.
     A future release may add support for per-plugin Debug lines and/or
     support for multiple debugging files for a single program.
! 217:
! 218: The priorities used by the ssuuddoo front end, in order of decreasing
! 219: severity, are: _c_r_i_t, _e_r_r, _w_a_r_n, _n_o_t_i_c_e, _d_i_a_g, _i_n_f_o, _t_r_a_c_e and _d_e_b_u_g.
! 220: Each priority, when specified, also includes all priorities higher than
! 221: it. For example, a priority of _n_o_t_i_c_e would include debug messages
! 222: logged at _n_o_t_i_c_e and higher.
! 223:
! 224: The following subsystems are used by the ssuuddoo front-end:
! 225:
! 226: _a_l_l matches every subsystem
! 227:
! 228: _a_r_g_s command line argument processing
! 229:
! 230: _c_o_n_v user conversation
! 231:
! 232: _e_d_i_t sudoedit
! 233:
! 234: _e_x_e_c command execution
! 235:
! 236: _m_a_i_n ssuuddoo main function
! 237:
! 238: _n_e_t_i_f network interface handling
! 239:
! 240: _p_c_o_m_m communication with the plugin
! 241:
! 242: _p_l_u_g_i_n plugin configuration
! 243:
! 244: _p_t_y pseudo-tty related code
! 245:
! 246: _s_e_l_i_n_u_x SELinux-specific handling
! 247:
! 248: _u_t_i_l utility functions
! 249:
! 250: _u_t_m_p utmp handling
! 251:
! 252: The sudoers(4) plugin includes support for additional subsystems.
! 253:
! 254: FFIILLEESS
! 255: _/_e_t_c_/_s_u_d_o_._c_o_n_f ssuuddoo front end configuration
! 256:
! 257: EEXXAAMMPPLLEESS
! 258: #
! 259: # Default /etc/sudo.conf file
! 260: #
! 261: # Format:
! 262: # Plugin plugin_name plugin_path plugin_options ...
! 263: # Path askpass /path/to/askpass
! 264: # Path noexec /path/to/sudo_noexec.so
! 265: # Debug sudo /var/log/sudo_debug all@warn
! 266: # Set disable_coredump true
! 267: #
! 268: # The plugin_path is relative to /usr/local/libexec/sudo unless
! 269: # fully qualified.
! 270: # The plugin_name corresponds to a global symbol in the plugin
! 271: # that contains the plugin interface structure.
! 272: # The plugin_options are optional.
! 273: #
! 274: # The sudoers plugin is used by default if no Plugin lines are
! 275: # present.
! 276: Plugin sudoers_policy sudoers.so
! 277: Plugin sudoers_io sudoers.so
! 278:
! 279: #
! 280: # Sudo askpass:
! 281: #
! 282: # An askpass helper program may be specified to provide a graphical
! 283: # password prompt for "sudo -A" support. Sudo does not ship with
! 284: # its own askpass program but can use the OpenSSH askpass.
! 285: #
! 286: # Use the OpenSSH askpass
! 287: #Path askpass /usr/X11R6/bin/ssh-askpass
! 288: #
! 289: # Use the Gnome OpenSSH askpass
! 290: #Path askpass /usr/libexec/openssh/gnome-ssh-askpass
! 291:
! 292: #
! 293: # Sudo noexec:
! 294: #
! 295: # Path to a shared library containing dummy versions of the execv(),
! 296: # execve() and fexecve() library functions that just return an error.
! 297: # This is used to implement the "noexec" functionality on systems that
! 298: # support C<LD_PRELOAD> or its equivalent.
! 299: # The compiled-in value is usually sufficient and should only be
! 300: # changed if you rename or move the sudo_noexec.so file.
! 301: #
! 302: #Path noexec /usr/local/libexec/sudo/sudo_noexec.so
! 303:
! 304: #
! 305: # Core dumps:
! 306: #
! 307: # By default, sudo disables core dumps while it is executing
! 308: # (they are re-enabled for the command that is run).
! 309: # To aid in debugging sudo problems, you may wish to enable core
! 310: # dumps by setting "disable_coredump" to false.
! 311: #
! 312: #Set disable_coredump false
! 313:
! 314: #
! 315: # User groups:
! 316: #
! 317: # Sudo passes the user's group list to the policy plugin.
! 318: # If the user is a member of the maximum number of groups (usually 16),
! 319: # sudo will query the group database directly to be sure to include
! 320: # the full list of groups.
! 321: #
! 322: # On some systems, this can be expensive so the behavior is configurable.
! 323: # The "group_source" setting has three possible values:
! 324: # static - use the user's list of groups returned by the kernel.
! 325: # dynamic - query the group database to find the list of groups.
! 326: # adaptive - if user is in less than the maximum number of groups.
! 327: # use the kernel list, else query the group database.
! 328: #
! 329: #Set group_source static
! 330:
! 331: SSEEEE AALLSSOO
! 332: sudoers(4), sudo(1m), sudo_plugin(1m)
! 333:
! 334: HHIISSTTOORRYY
! 335: See the HISTORY file in the ssuuddoo distribution
! 336: (http://www.sudo.ws/sudo/history.html) for a brief history of sudo.
! 337:
! 338: AAUUTTHHOORRSS
! 339: Many people have worked on ssuuddoo over the years; this version consists of
! 340: code written primarily by:
! 341:
! 342: Todd C. Miller
! 343:
! 344: See the CONTRIBUTORS file in the ssuuddoo distribution
! 345: (http://www.sudo.ws/sudo/contributors.html) for an exhaustive list of
! 346: people who have contributed to ssuuddoo.
! 347:
! 348: BBUUGGSS
! 349: If you feel you have found a bug in ssuuddoo, please submit a bug report at
! 350: http://www.sudo.ws/sudo/bugs/
! 351:
! 352: SSUUPPPPOORRTT
! 353: Limited free support is available via the sudo-users mailing list, see
! 354: http://www.sudo.ws/mailman/listinfo/sudo-users to subscribe or search the
! 355: archives.
! 356:
! 357: DDIISSCCLLAAIIMMEERR
! 358: ssuuddoo is provided ``AS IS'' and any express or implied warranties,
! 359: including, but not limited to, the implied warranties of merchantability
! 360: and fitness for a particular purpose are disclaimed. See the LICENSE
! 361: file distributed with ssuuddoo or http://www.sudo.ws/sudo/license.html for
! 362: complete details.
! 363:
! 364: Sudo 1.8.7 March 14, 2013 Sudo 1.8.7