Annotation of embedaddon/sudo/doc/sudo.conf.cat, revision 1.1

SUDO(4)                       Programmer's Manual                      SUDO(4)

NAME
     sudo.conf - configuration for sudo front end

DESCRIPTION
     The sudo.conf file is used to configure the sudo front end.  It specifies
     the security policy and I/O logging plugins, debug flags as well as
     plugin-agnostic path names and settings.

     The sudo.conf file supports the following directives, described in detail
     below.

     Plugin    a security policy or I/O logging plugin

     Path      a plugin-agnostic path

     Set       a front end setting, such as disable_coredump or group_source

     Debug     debug flags to aid in debugging sudo, sudoreplay, visudo, and
               the sudoers plugin.

     The pound sign (`#') is used to indicate a comment.  Both the comment
     character and any text after it, up to the end of the line, are ignored.

     Long lines can be continued with a backslash (`\') as the last character
     on the line.  Note that leading white space is removed from the beginning
     of lines even when the continuation character is used.

     Non-comment lines that don't begin with Plugin, Path, Debug, or Set are
     silently ignored.

     The sudo.conf file is always parsed in the ``C'' locale.

   Plugin configuration
     sudo supports a plugin architecture for security policies and
     input/output logging.  Third parties can develop and distribute their own
     policy and I/O logging plugins to work seamlessly with the sudo front
     end.  Plugins are dynamically loaded based on the contents of sudo.conf.

     A Plugin line consists of the Plugin keyword, followed by the symbol_name
     and the path to the shared object containing the plugin.  The symbol_name
     is the name of the struct policy_plugin or struct io_plugin in the plugin
     shared object.  The path may be fully qualified or relative.  If not
     fully qualified, it is relative to the /usr/local/libexec/sudo directory.
     In other words:

           Plugin sudoers_policy sudoers.so

     is equivalent to:

           Plugin sudoers_policy /usr/local/libexec/sudo/sudoers.so

     Starting with sudo 1.8.5, any additional parameters after the path are
     passed as arguments to the plugin's open function.  For example, to
     override the compile-time default sudoers file mode:

           Plugin sudoers_policy sudoers.so sudoers_mode=0440

     The same shared object may contain multiple plugins, each with a
     different symbol name.  The shared object file must be owned by uid 0 and
     only writable by its owner.  Because of ambiguities that arise from
     composite policies, only a single policy plugin may be specified.  This
     limitation does not apply to I/O plugins.

     If no sudo.conf file is present, or if it contains no Plugin lines, the
     sudoers plugin will be used as the default security policy and for I/O
     logging (if enabled by the policy).  This is equivalent to the following:

           Plugin sudoers_policy sudoers.so
           Plugin sudoers_io sudoers.so

     For more information on the sudo plugin architecture, see the
     sudo_plugin(1m) manual.

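     The parsing rules described above, as an added example that is not sudo's
     own parser: comments, backslash continuation, ignored directives, relative
     plugin path resolution, the sudoers default, and the ownership rule for a
     plugin shared object.  The sample file and its values are constructed.

```python
"""Parse and sanity-check a sudo.conf as this manual describes it.

Added example, not sudo's own parser.  Rules applied: '#' starts a comment,
a trailing backslash continues the line (leading white space is dropped),
lines not starting with Plugin/Path/Set/Debug are ignored, a relative plugin
path resolves under /usr/local/libexec/sudo, and with no Plugin lines the
sudoers policy and I/O plugins are used."""
import os
import stat
from dataclasses import dataclass, field

PLUGIN_DIR = "/usr/local/libexec/sudo"   # compile-time default given in the manual
DEFAULT_PLUGINS = [("sudoers_policy", PLUGIN_DIR + "/sudoers.so", []),
                   ("sudoers_io", PLUGIN_DIR + "/sudoers.so", [])]


@dataclass
class SudoConf:
    plugins: list = field(default_factory=list)   # (symbol_name, path, options)
    paths: dict = field(default_factory=dict)     # askpass/noexec/sesh -> path
    settings: dict = field(default_factory=dict)  # Set name -> value
    debug: dict = field(default_factory=dict)     # program -> (file, [flags])
    ignored: list = field(default_factory=list)   # lines sudo skips silently


def logical_lines(text):
    """Yield logical lines: continuations joined, comments and blanks removed."""
    pending = ""
    for raw in text.splitlines() + [""]:   # sentinel flushes a final continuation
        line = raw.strip()                 # leading white space is always dropped
        if line.endswith("\\"):
            pending += line[:-1]
            continue
        logical = (pending + line).split("#", 1)[0].strip()
        pending = ""
        if logical:
            yield logical


def parse_sudo_conf(text):
    """Build a SudoConf from the text of a sudo.conf file."""
    conf = SudoConf()
    for line in logical_lines(text):
        words = line.split()
        key, args = words[0], words[1:]
        if key == "Plugin" and len(args) >= 2:
            symbol, path, options = args[0], args[1], args[2:]
            if not path.startswith("/"):          # relative: under the libexec dir
                path = os.path.join(PLUGIN_DIR, path)
            conf.plugins.append((symbol, path, options))
        elif key == "Path" and len(args) == 2:
            conf.paths[args[0]] = args[1]
        elif key == "Set" and len(args) == 2:
            conf.settings[args[0]] = args[1]
        elif key == "Debug" and len(args) == 3:
            conf.debug[args[0]] = (args[1], args[2].split(","))
        else:
            conf.ignored.append(line)
    if not conf.plugins:                          # no Plugin lines: sudoers defaults
        conf.plugins = list(DEFAULT_PLUGINS)
    return conf


def plugin_file_ok(st_uid, st_mode):
    """The manual's rule for a plugin shared object: owned by uid 0 and
    writable only by its owner (pass os.stat(path).st_uid / .st_mode)."""
    return st_uid == 0 and not st_mode & (stat.S_IWGRP | stat.S_IWOTH)


# Constructed sample, not a real system's sudo.conf.
SAMPLE = """\
# sudoers policy plugin with an option handed to its open() function
Plugin sudoers_policy sudoers.so \\
       sudoers_mode=0440         # continued line; leading white space dropped
Path askpass /usr/X11R6/bin/ssh-askpass
Set disable_coredump false
Debug sudo /var/log/sudo_debug all@warn,plugin@info
Defaults env_reset               # a sudoers directive, not sudo.conf: ignored
"""
```
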
   Path settings
     A Path line consists of the Path keyword, followed by the name of the
     path to set and its value.  For example:

           Path noexec /usr/local/libexec/sudo/sudo_noexec.so
           Path askpass /usr/X11R6/bin/ssh-askpass

     The following plugin-agnostic paths may be set in the /etc/sudo.conf
     file:

     askpass   The fully qualified path to a helper program used to read the
               user's password when no terminal is available.  This may be the
               case when sudo is executed from a graphical (as opposed to
               text-based) application.  The program specified by askpass
               should display the argument passed to it as the prompt and
               write the user's password to the standard output.  The value of
               askpass may be overridden by the SUDO_ASKPASS environment
               variable.

     noexec    The fully qualified path to a shared library containing dummy
               versions of the execv(), execve() and fexecve() library
               functions that just return an error.  This is used to implement
               the noexec functionality on systems that support LD_PRELOAD or
               its equivalent.  The default value is:
               /usr/local/libexec/sudo/sudo_noexec.so.

     sesh      The fully qualified path to the sesh binary.  This setting is
               only used when sudo is built with SELinux support.  The default
               value is /usr/local/libexec/sudo/sesh.

   Other settings
     The sudo.conf file also supports the following front end settings:

     disable_coredump
               Core dumps of sudo itself are disabled by default.  To aid in
               debugging sudo crashes, you may wish to re-enable core dumps by
               setting ``disable_coredump'' to false in sudo.conf as follows:

                     Set disable_coredump false

               Note that most operating systems disable core dumps from setuid
               programs, including sudo.  To actually get a sudo core file you
               will likely need to enable core dumps for setuid processes.  On
               BSD and Linux systems this is accomplished with the sysctl
               command.  On Solaris, the coreadm command is used to configure
               core dump behavior.

               This setting is only available in sudo version 1.8.4 and
               higher.

     group_source
               sudo passes the invoking user's group list to the policy and
               I/O plugins.  On most systems, there is an upper limit to the
               number of groups that a user may belong to simultaneously
               (typically 16 for compatibility with NFS).  On systems with the
               getconf(1) utility, running:

                     getconf NGROUPS_MAX

               will return the maximum number of groups.

               However, it is still possible to be a member of a larger number
               of groups; they simply won't be included in the group list
               returned by the kernel for the user.  Starting with sudo
               version 1.8.7, if the user's kernel group list has the maximum
               number of entries, sudo will consult the group database
               directly to determine the group list.  This makes it possible
               for the security policy to perform matching by group name even
               when the user is a member of more than the maximum number of
               groups.

               The group_source setting allows the administrator to change
               this default behavior.  Supported values for group_source are:

               static    Use the static group list that the kernel returns.
                         Retrieving the group list this way is very fast but
                         it is subject to an upper limit as described above.
                         It is ``static'' in that it does not reflect changes
                         to the group database made after the user logs in.
                         This was the default behavior prior to sudo 1.8.7.

               dynamic   Always query the group database directly.  It is
                         ``dynamic'' in that changes made to the group
                         database after the user logs in will be reflected in
                         the group list.  On some systems, querying a
                         network-based group database for all of a user's
                         groups can be time consuming.  Most operating systems
                         provide an efficient method of performing such
                         queries.  Currently, sudo supports efficient group
                         queries on AIX, BSD, HP-UX, Linux and Solaris.

               adaptive  Only query the group database if the static group
                         list returned by the kernel has the maximum number of
                         entries.  This is the default behavior in sudo 1.8.7
                         and higher.

               For example, to cause sudo to only use the kernel's static list
               of groups for the user:

                     Set group_source static

               This setting is only available in sudo version 1.8.7 and
               higher.

     max_groups
               The maximum number of user groups to retrieve from the group
               database.  This setting is only used when querying the group
               database directly.  It is intended to be used on systems where
               it is not possible to detect when the array to be populated
               with group entries is not sufficiently large.  By default, sudo
               will allocate four times the system's maximum number of groups
               (see above) and retry with double that number if the group
               database query fails.  However, some systems just return as
               many entries as will fit and do not indicate an error when
               there is a lack of space.

               This setting is only available in sudo version 1.8.7 and
               higher.

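     The group_source values and the max_groups retry sizing above, simulated
     as an added example that is not sudo's code.  NGROUPS_MAX, the kernel
     group list and the group database are constructed stand-ins; the retry
     bound and the fall-back to the kernel list when every query fails are
     this example's assumptions, not behaviour the manual states.

```python
"""Simulate the group_source and max_groups behaviour this manual describes.

Added example, not sudo's code.  NGROUPS_MAX, the kernel group list and the
group database are constructed stand-ins; the lookup mimics a getgrouplist(3)
style call that fills a caller-sized buffer."""


def query_group_db(db, user, nalloc, reports_overflow):
    """Return (ok, groups) for user with a buffer of nalloc entries.  A
    well-behaved system reports failure when the buffer is too small; the
    kind the manual warns about returns as many as fit and no error."""
    groups = [name for name, members in db.items() if user in members]
    if len(groups) <= nalloc:
        return True, groups
    return (False, None) if reports_overflow else (True, groups[:nalloc])


def group_list(user, kernel_groups, ngroups_max, db, source="adaptive",
               max_groups=None, reports_overflow=True):
    """Group list sudo would pass to its plugins under the given group_source."""
    if source == "static":
        return list(kernel_groups)
    if source == "adaptive" and len(kernel_groups) < ngroups_max:
        return list(kernel_groups)       # kernel list is not full, so it is complete
    if source not in ("adaptive", "dynamic"):
        raise ValueError(f"unknown group_source {source!r}")
    if max_groups is not None:           # Set max_groups N: one query of that size
        ok, groups = query_group_db(db, user, max_groups, reports_overflow)
        return groups if ok else list(kernel_groups)   # fall-back is an assumption
    nalloc = 4 * ngroups_max             # default: 4 x NGROUPS_MAX, doubled on failure
    for _ in range(8):                   # retry bound is this example's assumption
        ok, groups = query_group_db(db, user, nalloc, reports_overflow)
        if ok:
            return groups
        nalloc *= 2
    return list(kernel_groups)           # fall-back after repeated failure: assumption


# Constructed sample: NGROUPS_MAX of 16, a user in 70 groups, and a kernel
# list that stopped at the limit.
NGROUPS_MAX = 16
GROUP_DB = {f"g{i}": {"alice"} for i in range(70)}
GROUP_DB["wheel"] = {"bob"}
KERNEL_GROUPS = [f"g{i}" for i in range(NGROUPS_MAX)]
```

     On a system that silently truncates, the default 64-entry query returns
     only 64 of the 70 groups and sudo cannot tell; Set max_groups 128 is what
     recovers the full list.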
   Debug flags
     sudo versions 1.8.4 and higher support a flexible debugging framework
     that can help track down what sudo is doing internally if there is a
     problem.

     A Debug line consists of the Debug keyword, followed by the name of the
     program (or plugin) to debug (sudo, visudo, sudoreplay, sudoers), the
     debug file name and a comma-separated list of debug flags.  The debug
     flag syntax used by sudo and the sudoers plugin is subsystem@priority but
     a plugin is free to use a different format so long as it does not include
     a comma (`,').

     For example:

           Debug sudo /var/log/sudo_debug all@warn,plugin@info

     would log all debugging statements at the warn level and higher in
     addition to those at the info level for the plugin subsystem.

     Currently, only one Debug entry per program is supported.  The sudo Debug
     entry is shared by the sudo front end, sudoedit and the plugins.  A
     future release may add support for per-plugin Debug lines and/or support
     for multiple debugging files for a single program.

     The priorities used by the sudo front end, in order of decreasing
     severity, are: crit, err, warn, notice, diag, info, trace and debug.
     Each priority, when specified, also includes all priorities higher than
     it.  For example, a priority of notice would include debug messages
     logged at notice and higher.

     The following subsystems are used by the sudo front-end:

     all         matches every subsystem

     args        command line argument processing

     conv        user conversation

     edit        sudoedit

     exec        command execution

     main        sudo main function

     netif       network interface handling

     pcomm       communication with the plugin

     plugin      plugin configuration

     pty         pseudo-tty related code

     selinux     SELinux-specific handling

     util        utility functions

     utmp        utmp handling

     The sudoers(4) plugin includes support for additional subsystems.

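     The subsystem@priority semantics above, as an added example that is not
     sudo's debug code: which messages a Debug line admits, and the most
     verbose priority in effect per subsystem.  Subsystem names are validated
     only for the sudo program, since the sudoers plugin adds subsystems of
     its own that this manual does not list.

```python
"""Evaluate sudo Debug flags of the form subsystem@priority.

Added example, not sudo's own debug code.  It applies the rules in this
manual: a priority includes every priority of higher severity, 'all' matches
every subsystem, and a message is logged if any flag in the list covers it."""

# Front end priorities in order of decreasing severity (from the manual).
PRIORITIES = ["crit", "err", "warn", "notice", "diag", "info", "trace", "debug"]
# Subsystems used by the sudo front end (from the manual).
FRONTEND_SUBSYSTEMS = {"all", "args", "conv", "edit", "exec", "main", "netif",
                       "pcomm", "plugin", "pty", "selinux", "util", "utmp"}
PROGRAMS = {"sudo", "visudo", "sudoreplay", "sudoers"}


def parse_debug_flags(spec, known=FRONTEND_SUBSYSTEMS):
    """'all@warn,plugin@info' -> [('all', 'warn'), ('plugin', 'info')].
    Pass known=None to skip subsystem validation (plugins add their own)."""
    flags = []
    for item in spec.split(","):
        subsystem, sep, priority = item.partition("@")
        if not sep or priority not in PRIORITIES:
            raise ValueError(f"bad debug flag {item!r}")
        if known is not None and subsystem not in known:
            raise ValueError(f"unknown subsystem {subsystem!r}")
        flags.append((subsystem, priority))
    return flags


def parse_debug_line(line):
    """'Debug sudo /var/log/sudo_debug all@warn' -> (program, file, flags)."""
    keyword, program, logfile, spec = line.split()
    if keyword != "Debug" or program not in PROGRAMS:
        raise ValueError(f"not a Debug line: {line!r}")
    # Only the front end's subsystem list is given in this manual.
    known = FRONTEND_SUBSYSTEMS if program == "sudo" else None
    return program, logfile, parse_debug_flags(spec, known)


def debug_enabled(flags, subsystem, priority):
    """True if a message from subsystem logged at priority would be written."""
    level = PRIORITIES.index(priority)
    return any((sub == "all" or sub == subsystem) and level <= PRIORITIES.index(pri)
               for sub, pri in flags)


def effective_priority(flags, subsystem):
    """Most verbose priority in effect for one subsystem, or None if silent."""
    hits = [PRIORITIES.index(pri) for sub, pri in flags if sub in ("all", subsystem)]
    return PRIORITIES[max(hits)] if hits else None
```
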
FILES
     /etc/sudo.conf            sudo front end configuration

EXAMPLES
     #
     # Default /etc/sudo.conf file
     #
     # Format:
     #   Plugin plugin_name plugin_path plugin_options ...
     #   Path askpass /path/to/askpass
     #   Path noexec /path/to/sudo_noexec.so
     #   Debug sudo /var/log/sudo_debug all@warn
     #   Set disable_coredump true
     #
     # The plugin_path is relative to /usr/local/libexec/sudo unless
     #   fully qualified.
     # The plugin_name corresponds to a global symbol in the plugin
     #   that contains the plugin interface structure.
     # The plugin_options are optional.
     #
     # The sudoers plugin is used by default if no Plugin lines are
     # present.
     Plugin sudoers_policy sudoers.so
     Plugin sudoers_io sudoers.so

     #
     # Sudo askpass:
     #
     # An askpass helper program may be specified to provide a graphical
     # password prompt for "sudo -A" support.  Sudo does not ship with
     # its own askpass program but can use the OpenSSH askpass.
     #
     # Use the OpenSSH askpass
     #Path askpass /usr/X11R6/bin/ssh-askpass
     #
     # Use the Gnome OpenSSH askpass
     #Path askpass /usr/libexec/openssh/gnome-ssh-askpass

     #
     # Sudo noexec:
     #
     # Path to a shared library containing dummy versions of the execv(),
     # execve() and fexecve() library functions that just return an error.
     # This is used to implement the "noexec" functionality on systems that
     # support LD_PRELOAD or its equivalent.
     # The compiled-in value is usually sufficient and should only be
     # changed if you rename or move the sudo_noexec.so file.
     #
     #Path noexec /usr/local/libexec/sudo/sudo_noexec.so

     #
     # Core dumps:
     #
     # By default, sudo disables core dumps while it is executing
     # (they are re-enabled for the command that is run).
     # To aid in debugging sudo problems, you may wish to enable core
     # dumps by setting "disable_coredump" to false.
     #
     #Set disable_coredump false

     #
     # User groups:
     #
     # Sudo passes the user's group list to the policy plugin.
     # If the user is a member of the maximum number of groups (usually 16),
     # sudo will query the group database directly to be sure to include
     # the full list of groups.
     #
     # On some systems, this can be expensive so the behavior is configurable.
     # The "group_source" setting has three possible values:
     #   static   - use the user's list of groups returned by the kernel.
     #   dynamic  - query the group database to find the list of groups.
     #   adaptive - if the user is in fewer than the maximum number of groups,
     #              use the kernel list, else query the group database.
     #
     #Set group_source static

SEE ALSO
     sudoers(4), sudo(1m), sudo_plugin(1m)

HISTORY
     See the HISTORY file in the sudo distribution
     (http://www.sudo.ws/sudo/history.html) for a brief history of sudo.

AUTHORS
     Many people have worked on sudo over the years; this version consists of
     code written primarily by:

           Todd C. Miller

     See the CONTRIBUTORS file in the sudo distribution
     (http://www.sudo.ws/sudo/contributors.html) for an exhaustive list of
     people who have contributed to sudo.

BUGS
     If you feel you have found a bug in sudo, please submit a bug report at
     http://www.sudo.ws/sudo/bugs/

SUPPORT
     Limited free support is available via the sudo-users mailing list, see
     http://www.sudo.ws/mailman/listinfo/sudo-users to subscribe or search the
     archives.

DISCLAIMER
     sudo is provided ``AS IS'' and any express or implied warranties,
     including, but not limited to, the implied warranties of merchantability
     and fitness for a particular purpose are disclaimed.  See the LICENSE
     file distributed with sudo or http://www.sudo.ws/sudo/license.html for
     complete details.

Sudo 1.8.7                      March 14, 2013                      Sudo 1.8.7
