Annotation of embedaddon/sudo/doc/sudo.conf.cat, revision 1.1.1.1

1.1       misho       1: SUDO(4)                       Programmer's Manual                      SUDO(4)
                      2: 
                      3: NNAAMMEE
                      4:      ssuuddoo..ccoonnff - configuration for sudo front end
                      5: 
                      6: DDEESSCCRRIIPPTTIIOONN
                      7:      The ssuuddoo..ccoonnff file is used to configure the ssuuddoo front end.  It specifies
                      8:      the security policy and I/O logging plugins, debug flags as well as
                      9:      plugin-agnostic path names and settings.
                     10: 
                     11:      The ssuuddoo..ccoonnff file supports the following directives, described in detail
                     12:      below.
                     13: 
                     14:      Plugin    a security policy or I/O logging plugin
                     15: 
                     16:      Path      a plugin-agnostic path
                     17: 
                     18:      Set       a front end setting, such as _d_i_s_a_b_l_e___c_o_r_e_d_u_m_p or _g_r_o_u_p___s_o_u_r_c_e
                     19: 
                     20:      Debug     debug flags to aid in debugging ssuuddoo, ssuuddoorreeppllaayy, vviissuuddoo, and
                     21:                the ssuuddooeerrss plugin.
                     22: 
                     23:      The pound sign (`#') is used to indicate a comment.  Both the comment
                     24:      character and any text after it, up to the end of the line, are ignored.
                     25: 
                     26:      Long lines can be continued with a backslash (`\') as the last character
                     27:      on the line.  Note that leading white space is removed from the beginning
                     28:      of lines even when the continuation character is used.
                     29: 
                     30:      Non-comment lines that don't begin with Plugin, Path, Debug, or Set are
                     31:      silently ignored.
                     32: 
                     33:      The ssuuddoo..ccoonnff file is always parsed in the ``C'' locale.
                     34: 
                     35:    PPlluuggiinn ccoonnffiigguurraattiioonn
                     36:      ssuuddoo supports a plugin architecture for security policies and
                     37:      input/output logging.  Third parties can develop and distribute their own
                     38:      policy and I/O logging plugins to work seamlessly with the ssuuddoo front
                     39:      end.  Plugins are dynamically loaded based on the contents of ssuuddoo..ccoonnff.
                     40: 
                     41:      A Plugin line consists of the Plugin keyword, followed by the _s_y_m_b_o_l___n_a_m_e
                     42:      and the _p_a_t_h to the shared object containing the plugin.  The _s_y_m_b_o_l___n_a_m_e
                     43:      is the name of the struct policy_plugin or struct io_plugin in the plugin
                     44:      shared object.  The _p_a_t_h may be fully qualified or relative.  If not
                     45:      fully qualified, it is relative to the _/_u_s_r_/_l_o_c_a_l_/_l_i_b_e_x_e_c_/_s_u_d_o directory.
                     46:      In other words:
                     47: 
                     48:            Plugin sudoers_policy sudoers.so
                     49: 
                     50:      is equivalent to:
                     51: 
                     52:            Plugin sudoers_policy /usr/local/libexec/sudo/sudoers.so
                     53: 
                     54:      Starting with ssuuddoo 1.8.5, any additional parameters after the _p_a_t_h are
                     55:      passed as arguments to the plugin's _o_p_e_n function.  For example, to
                     56:      override the compile-time default sudoers file mode:
                     57: 
                     58:            Plugin sudoers_policy sudoers.so sudoers_mode=0440
                     59: 
                     60:      The same shared object may contain multiple plugins, each with a
                     61:      different symbol name.  The shared object file must be owned by uid 0 and
                     62:      only writable by its owner.  Because of ambiguities that arise from
                     63:      composite policies, only a single policy plugin may be specified.  This
                     64:      limitation does not apply to I/O plugins.
                     65: 
                     66:      If no ssuuddoo..ccoonnff file is present, or if it contains no Plugin lines, the
                     67:      ssuuddooeerrss plugin will be used as the default security policy and for I/O
                     68:      logging (if enabled by the policy).  This is equivalent to the following:
                     69: 
                     70:            Plugin sudoers_policy sudoers.so
                     71:            Plugin sudoers_io sudoers.so
                     72: 
                     73:      For more information on the ssuuddoo plugin architecture, see the
                     74:      sudo_plugin(1m) manual.
                     75: 
                     76:    PPaatthh sseettttiinnggss
                     77:      A Path line consists of the Path keyword, followed by the name of the
                     78:      path to set and its value.  For example:
                     79: 
                     80:            Path noexec /usr/local/libexec/sudo/sudo_noexec.so
                     81:            Path askpass /usr/X11R6/bin/ssh-askpass
                     82: 
                     83:      The following plugin-agnostic paths may be set in the _/_e_t_c_/_s_u_d_o_._c_o_n_f
                     84:      file:
                     85: 
                     86:      askpass   The fully qualified path to a helper program used to read the
                     87:                user's password when no terminal is available.  This may be the
                     88:                case when ssuuddoo is executed from a graphical (as opposed to
                     89:                text-based) application.  The program specified by _a_s_k_p_a_s_s
                     90:                should display the argument passed to it as the prompt and
                     91:                write the user's password to the standard output.  The value of
                     92:                _a_s_k_p_a_s_s may be overridden by the SUDO_ASKPASS environment
                     93:                variable.
                     94: 
                     95:      noexec    The fully-qualified path to a shared library containing dummy
                     96:                versions of the eexxeeccvv(), eexxeeccvvee() and ffeexxeeccvvee() library
                     97:                functions that just return an error.  This is used to implement
                     98:                the _n_o_e_x_e_c functionality on systems that support LD_PRELOAD or
                     99:                its equivalent.  The default value is:
                    100:                _/_u_s_r_/_l_o_c_a_l_/_l_i_b_e_x_e_c_/_s_u_d_o_/_s_u_d_o___n_o_e_x_e_c_._s_o.
                    101: 
                    102:      sesh      The fully-qualified path to the sseesshh binary.  This setting is
                    103:                only used when ssuuddoo is built with SELinux support.  The default
                    104:                value is _/_u_s_r_/_l_o_c_a_l_/_l_i_b_e_x_e_c_/_s_u_d_o_/_s_e_s_h.
                    105: 
                    106:    OOtthheerr sseettttiinnggss
                    107:      The ssuuddoo..ccoonnff file also supports the following front end settings:
                    108: 
                    109:      disable_coredump
                    110:                Core dumps of ssuuddoo itself are disabled by default.  To aid in
                    111:                debugging ssuuddoo crashes, you may wish to re-enable core dumps by
                    112:                setting ``disable_coredump'' to false in ssuuddoo..ccoonnff as follows:
                    113: 
                    114:                      Set disable_coredump false
                    115: 
                    116:                Note that most operating systems disable core dumps from setuid
                    117:                programs, including ssuuddoo.  To actually get a ssuuddoo core file you
                    118:                will likely need to enable core dumps for setuid processes.  On
                    119:                BSD and Linux systems this is accomplished in the sysctl
                    120:                command.  On Solaris, the coreadm command is used to configure
                    121:                core dump behavior.
                    122: 
                    123:                This setting is only available in ssuuddoo version 1.8.4 and
                    124:                higher.
                    125: 
                    126:      group_source
                    127:                ssuuddoo passes the invoking user's group list to the policy and
                    128:                I/O plugins.  On most systems, there is an upper limit to the
                    129:                number of groups that a user may belong to simultaneously
                    130:                (typically 16 for compatibility with NFS).  On systems with the
                    131:                getconf(1) utility, running:
                    132:                      getconf NGROUPS_MAX
                    133:                will return the maximum number of groups.
                    134: 
                    135:                However, it is still possible to be a member of a larger number
                    136:                of groups--they simply won't be included in the group list
                    137:                returned by the kernel for the user.  Starting with ssuuddoo
                    138:                version 1.8.7, if the user's kernel group list has the maximum
                    139:                number of entries, ssuuddoo will consult the group database
                    140:                directly to determine the group list.  This makes it possible
                    141:                for the security policy to perform matching by group name even
                    142:                when the user is a member of more than the maximum number of
                    143:                groups.
                    144: 
                    145:                The _g_r_o_u_p___s_o_u_r_c_e setting allows the administrator to change
                    146:                this default behavior.  Supported values for _g_r_o_u_p___s_o_u_r_c_e are:
                    147: 
                    148:                static    Use the static group list that the kernel returns.
                    149:                          Retrieving the group list this way is very fast but
                    150:                          it is subject to an upper limit as described above.
                    151:                          It is ``static'' in that it does not reflect changes
                    152:                          to the group database made after the user logs in.
                    153:                          This was the default behavior prior to ssuuddoo 1.8.7.
                    154: 
                    155:                dynamic   Always query the group database directly.  It is
                    156:                          ``dynamic'' in that changes made to the group
                    157:                          database after the user logs in will be reflected in
                    158:                          the group list.  On some systems, querying the group
                    159:                          database for all of a user's groups can be time
                    160:                          consuming when querying a network-based group
                    161:                          database.  Most operating systems provide an
                    162:                          efficient method of performing such queries.
                    163:                          Currently, ssuuddoo supports efficient group queries on
                    164:                          AIX, BSD, HP-UX, Linux and Solaris.
                    165: 
                    166:                adaptive  Only query the group database if the static group
                    167:                          list returned by the kernel has the maximum number of
                    168:                          entries.  This is the default behavior in ssuuddoo 1.8.7
                    169:                          and higher.
                    170: 
                    171:                For example, to cause ssuuddoo to only use the kernel's static list
                    172:                of groups for the user:
                    173: 
                    174:                      Set group_source static
                    175: 
                    176:                This setting is only available in ssuuddoo version 1.8.7 and
                    177:                higher.
                    178: 
                    179:      max_groups
                    180:                The maximum number of user groups to retrieve from the group
                    181:                database.  This setting is only used when querying the group
                    182:                database directly.  It is intended to be used on systems where
                    183:                it is not possible to detect when the array to be populated
                    184:                with group entries is not sufficiently large.  By default, ssuuddoo
                    185:                will allocate four times the system's maximum number of groups
                    186:                (see above) and retry with double that number if the group
                    187:                database query fails.  However, some systems just return as
                    188:                many entries as will fit and do not indicate an error when
                    189:                there is a lack of space.
                    190: 
                    191:                This setting is only available in ssuuddoo version 1.8.7 and
                    192:                higher.
                    193: 
                    194:    DDeebbuugg ffllaaggss
                    195:      ssuuddoo versions 1.8.4 and higher support a flexible debugging framework
                    196:      that can help track down what ssuuddoo is doing internally if there is a
                    197:      problem.
                    198: 
                    199:      A Debug line consists of the Debug keyword, followed by the name of the
                    200:      program (or plugin) to debug (ssuuddoo, vviissuuddoo, ssuuddoorreeppllaayy, ssuuddooeerrss), the
                    201:      debug file name and a comma-separated list of debug flags.  The debug
                    202:      flag syntax used by ssuuddoo and the ssuuddooeerrss plugin is _s_u_b_s_y_s_t_e_m@_p_r_i_o_r_i_t_y but
                    203:      a plugin is free to use a different format so long as it does not include
                    204:      a comma (`,').
                    205: 
                    206:      For example:
                    207: 
                    208:            Debug sudo /var/log/sudo_debug all@warn,plugin@info
                    209: 
                    210:      would log all debugging statements at the _w_a_r_n level and higher in
                    211:      addition to those at the _i_n_f_o level for the plugin subsystem.
                    212: 
                    213:      Currently, only one Debug entry per program is supported.  The ssuuddoo Debug
                    214:      entry is shared by the ssuuddoo front end, ssuuddooeeddiitt and the plugins.  A
                    215:      future release may add support for per-plugin Debug lines and/or support
                    216:      for multiple debugging files for a single program.
                    217: 
                    218:      The priorities used by the ssuuddoo front end, in order of decreasing
                    219:      severity, are: _c_r_i_t, _e_r_r, _w_a_r_n, _n_o_t_i_c_e, _d_i_a_g, _i_n_f_o, _t_r_a_c_e and _d_e_b_u_g.
                    220:      Each priority, when specified, also includes all priorities higher than
                    221:      it.  For example, a priority of _n_o_t_i_c_e would include debug messages
                    222:      logged at _n_o_t_i_c_e and higher.
                    223: 
                    224:      The following subsystems are used by the ssuuddoo front-end:
                    225: 
                    226:      _a_l_l         matches every subsystem
                    227: 
                    228:      _a_r_g_s        command line argument processing
                    229: 
                    230:      _c_o_n_v        user conversation
                    231: 
                    232:      _e_d_i_t        sudoedit
                    233: 
                    234:      _e_x_e_c        command execution
                    235: 
                    236:      _m_a_i_n        ssuuddoo main function
                    237: 
                    238:      _n_e_t_i_f       network interface handling
                    239: 
                    240:      _p_c_o_m_m       communication with the plugin
                    241: 
                    242:      _p_l_u_g_i_n      plugin configuration
                    243: 
                    244:      _p_t_y         pseudo-tty related code
                    245: 
                    246:      _s_e_l_i_n_u_x     SELinux-specific handling
                    247: 
                    248:      _u_t_i_l        utility functions
                    249: 
                    250:      _u_t_m_p        utmp handling
                    251: 
                    252:      The sudoers(4) plugin includes support for additional subsystems.
                    253: 
                    254: FFIILLEESS
                    255:      _/_e_t_c_/_s_u_d_o_._c_o_n_f            ssuuddoo front end configuration
                    256: 
                    257: EEXXAAMMPPLLEESS
                    258:      #
                    259:      # Default /etc/sudo.conf file
                    260:      #
                    261:      # Format:
                    262:      #   Plugin plugin_name plugin_path plugin_options ...
                    263:      #   Path askpass /path/to/askpass
                    264:      #   Path noexec /path/to/sudo_noexec.so
                    265:      #   Debug sudo /var/log/sudo_debug all@warn
                    266:      #   Set disable_coredump true
                    267:      #
                    268:      # The plugin_path is relative to /usr/local/libexec/sudo unless
                    269:      #   fully qualified.
                    270:      # The plugin_name corresponds to a global symbol in the plugin
                    271:      #   that contains the plugin interface structure.
                    272:      # The plugin_options are optional.
                    273:      #
                    274:      # The sudoers plugin is used by default if no Plugin lines are
                    275:      # present.
                    276:      Plugin sudoers_policy sudoers.so
                    277:      Plugin sudoers_io sudoers.so
                    278: 
                    279:      #
                    280:      # Sudo askpass:
                    281:      #
                    282:      # An askpass helper program may be specified to provide a graphical
                    283:      # password prompt for "sudo -A" support.  Sudo does not ship with
                    284:      # its own askpass program but can use the OpenSSH askpass.
                    285:      #
                    286:      # Use the OpenSSH askpass
                    287:      #Path askpass /usr/X11R6/bin/ssh-askpass
                    288:      #
                    289:      # Use the Gnome OpenSSH askpass
                    290:      #Path askpass /usr/libexec/openssh/gnome-ssh-askpass
                    291: 
                    292:      #
                    293:      # Sudo noexec:
                    294:      #
                    295:      # Path to a shared library containing dummy versions of the execv(),
                    296:      # execve() and fexecve() library functions that just return an error.
                    297:      # This is used to implement the "noexec" functionality on systems that
                    298:      # support C<LD_PRELOAD> or its equivalent.
                    299:      # The compiled-in value is usually sufficient and should only be
                    300:      # changed if you rename or move the sudo_noexec.so file.
                    301:      #
                    302:      #Path noexec /usr/local/libexec/sudo/sudo_noexec.so
                    303: 
                    304:      #
                    305:      # Core dumps:
                    306:      #
                    307:      # By default, sudo disables core dumps while it is executing
                    308:      # (they are re-enabled for the command that is run).
                    309:      # To aid in debugging sudo problems, you may wish to enable core
                    310:      # dumps by setting "disable_coredump" to false.
                    311:      #
                    312:      #Set disable_coredump false
                    313: 
                    314:      #
                    315:      # User groups:
                    316:      #
                    317:      # Sudo passes the user's group list to the policy plugin.
                    318:      # If the user is a member of the maximum number of groups (usually 16),
                    319:      # sudo will query the group database directly to be sure to include
                    320:      # the full list of groups.
                    321:      #
                    322:      # On some systems, this can be expensive so the behavior is configurable.
                    323:      # The "group_source" setting has three possible values:
                    324:      #   static   - use the user's list of groups returned by the kernel.
                    325:      #   dynamic  - query the group database to find the list of groups.
                    326:      #   adaptive - if user is in less than the maximum number of groups.
                    327:      #              use the kernel list, else query the group database.
                    328:      #
                    329:      #Set group_source static
                    330: 
                    331: SSEEEE AALLSSOO
                    332:      sudoers(4), sudo(1m), sudo_plugin(1m)
                    333: 
                    334: HHIISSTTOORRYY
                    335:      See the HISTORY file in the ssuuddoo distribution
                    336:      (http://www.sudo.ws/sudo/history.html) for a brief history of sudo.
                    337: 
                    338: AAUUTTHHOORRSS
                    339:      Many people have worked on ssuuddoo over the years; this version consists of
                    340:      code written primarily by:
                    341: 
                    342:            Todd C. Miller
                    343: 
                    344:      See the CONTRIBUTORS file in the ssuuddoo distribution
                    345:      (http://www.sudo.ws/sudo/contributors.html) for an exhaustive list of
                    346:      people who have contributed to ssuuddoo.
                    347: 
                    348: BBUUGGSS
                    349:      If you feel you have found a bug in ssuuddoo, please submit a bug report at
                    350:      http://www.sudo.ws/sudo/bugs/
                    351: 
                    352: SSUUPPPPOORRTT
                    353:      Limited free support is available via the sudo-users mailing list, see
                    354:      http://www.sudo.ws/mailman/listinfo/sudo-users to subscribe or search the
                    355:      archives.
                    356: 
                    357: DDIISSCCLLAAIIMMEERR
                    358:      ssuuddoo is provided ``AS IS'' and any express or implied warranties,
                    359:      including, but not limited to, the implied warranties of merchantability
                    360:      and fitness for a particular purpose are disclaimed.  See the LICENSE
                    361:      file distributed with ssuuddoo or http://www.sudo.ws/sudo/license.html for
                    362:      complete details.
                    363: 
                    364: Sudo 1.8.7                      March 14, 2013                      Sudo 1.8.7

FreeBSD-CVSweb <freebsd-cvsweb@FreeBSD.org>