Annotation of embedaddon/sudo/doc/sudo.conf.cat, revision 1.1.1.2
1.1 misho 1: SUDO(4) Programmer's Manual SUDO(4)
2:
3: NNAAMMEE
4: ssuuddoo..ccoonnff - configuration for sudo front end
5:
6: DDEESSCCRRIIPPTTIIOONN
7: The ssuuddoo..ccoonnff file is used to configure the ssuuddoo front end. It specifies
8: the security policy and I/O logging plugins, debug flags as well as
9: plugin-agnostic path names and settings.
10:
11: The ssuuddoo..ccoonnff file supports the following directives, described in detail
12: below.
13:
14: Plugin a security policy or I/O logging plugin
15:
16: Path a plugin-agnostic path
17:
18: Set a front end setting, such as _d_i_s_a_b_l_e___c_o_r_e_d_u_m_p or _g_r_o_u_p___s_o_u_r_c_e
19:
20: Debug debug flags to aid in debugging ssuuddoo, ssuuddoorreeppllaayy, vviissuuddoo, and
21: the ssuuddooeerrss plugin.
22:
23: The pound sign (`#') is used to indicate a comment. Both the comment
24: character and any text after it, up to the end of the line, are ignored.
25:
26: Long lines can be continued with a backslash (`\') as the last character
27: on the line. Note that leading white space is removed from the beginning
28: of lines even when the continuation character is used.
29:
30: Non-comment lines that don't begin with Plugin, Path, Debug, or Set are
31: silently ignored.
32:
33: The ssuuddoo..ccoonnff file is always parsed in the ``C'' locale.
34:
35: PPlluuggiinn ccoonnffiigguurraattiioonn
36: ssuuddoo supports a plugin architecture for security policies and
37: input/output logging. Third parties can develop and distribute their own
38: policy and I/O logging plugins to work seamlessly with the ssuuddoo front
39: end. Plugins are dynamically loaded based on the contents of ssuuddoo..ccoonnff.
40:
41: A Plugin line consists of the Plugin keyword, followed by the _s_y_m_b_o_l___n_a_m_e
42: and the _p_a_t_h to the shared object containing the plugin. The _s_y_m_b_o_l___n_a_m_e
43: is the name of the struct policy_plugin or struct io_plugin in the plugin
44: shared object. The _p_a_t_h may be fully qualified or relative. If not
1.1.1.2 ! misho 45: fully qualified, it is relative to the directory specified by the
! 46: _p_l_u_g_i_n___d_i_r Path setting, which defaults to _/_u_s_r_/_l_o_c_a_l_/_l_i_b_e_x_e_c_/_s_u_d_o. In
! 47: other words:
1.1 misho 48:
49: Plugin sudoers_policy sudoers.so
50:
51: is equivalent to:
52:
53: Plugin sudoers_policy /usr/local/libexec/sudo/sudoers.so
54:
55: Starting with ssuuddoo 1.8.5, any additional parameters after the _p_a_t_h are
56: passed as arguments to the plugin's _o_p_e_n function. For example, to
57: override the compile-time default sudoers file mode:
58:
59: Plugin sudoers_policy sudoers.so sudoers_mode=0440
60:
61: The same shared object may contain multiple plugins, each with a
62: different symbol name. The shared object file must be owned by uid 0 and
63: only writable by its owner. Because of ambiguities that arise from
64: composite policies, only a single policy plugin may be specified. This
65: limitation does not apply to I/O plugins.
66:
67: If no ssuuddoo..ccoonnff file is present, or if it contains no Plugin lines, the
68: ssuuddooeerrss plugin will be used as the default security policy and for I/O
69: logging (if enabled by the policy). This is equivalent to the following:
70:
71: Plugin sudoers_policy sudoers.so
72: Plugin sudoers_io sudoers.so
73:
74: For more information on the ssuuddoo plugin architecture, see the
75: sudo_plugin(1m) manual.
76:
77: PPaatthh sseettttiinnggss
78: A Path line consists of the Path keyword, followed by the name of the
79: path to set and its value. For example:
80:
81: Path noexec /usr/local/libexec/sudo/sudo_noexec.so
82: Path askpass /usr/X11R6/bin/ssh-askpass
83:
84: The following plugin-agnostic paths may be set in the _/_e_t_c_/_s_u_d_o_._c_o_n_f
85: file:
86:
87: askpass The fully qualified path to a helper program used to read the
88: user's password when no terminal is available. This may be the
89: case when ssuuddoo is executed from a graphical (as opposed to
90: text-based) application. The program specified by _a_s_k_p_a_s_s
91: should display the argument passed to it as the prompt and
92: write the user's password to the standard output. The value of
93: _a_s_k_p_a_s_s may be overridden by the SUDO_ASKPASS environment
94: variable.
95:
96: noexec The fully-qualified path to a shared library containing dummy
97: versions of the eexxeeccvv(), eexxeeccvvee() and ffeexxeeccvvee() library
98: functions that just return an error. This is used to implement
99: the _n_o_e_x_e_c functionality on systems that support LD_PRELOAD or
100: its equivalent. The default value is:
101: _/_u_s_r_/_l_o_c_a_l_/_l_i_b_e_x_e_c_/_s_u_d_o_/_s_u_d_o___n_o_e_x_e_c_._s_o.
102:
1.1.1.2 ! misho 103: plugin_dir
! 104: The default directory to use when searching for plugins that
! 105: are specified without a fully qualified path name. The default
! 106: value is _/_u_s_r_/_l_o_c_a_l_/_l_i_b_e_x_e_c_/_s_u_d_o.
! 107:
1.1 misho 108: sesh The fully-qualified path to the sseesshh binary. This setting is
109: only used when ssuuddoo is built with SELinux support. The default
110: value is _/_u_s_r_/_l_o_c_a_l_/_l_i_b_e_x_e_c_/_s_u_d_o_/_s_e_s_h.
111:
112: OOtthheerr sseettttiinnggss
113: The ssuuddoo..ccoonnff file also supports the following front end settings:
114:
115: disable_coredump
116: Core dumps of ssuuddoo itself are disabled by default. To aid in
117: debugging ssuuddoo crashes, you may wish to re-enable core dumps by
118: setting ``disable_coredump'' to false in ssuuddoo..ccoonnff as follows:
119:
120: Set disable_coredump false
121:
122: Note that most operating systems disable core dumps from setuid
123: programs, including ssuuddoo. To actually get a ssuuddoo core file you
124: will likely need to enable core dumps for setuid processes. On
125: BSD and Linux systems this is accomplished in the sysctl
126: command. On Solaris, the coreadm command is used to configure
127: core dump behavior.
128:
129: This setting is only available in ssuuddoo version 1.8.4 and
130: higher.
131:
132: group_source
133: ssuuddoo passes the invoking user's group list to the policy and
134: I/O plugins. On most systems, there is an upper limit to the
135: number of groups that a user may belong to simultaneously
136: (typically 16 for compatibility with NFS). On systems with the
137: getconf(1) utility, running:
138: getconf NGROUPS_MAX
139: will return the maximum number of groups.
140:
141: However, it is still possible to be a member of a larger number
142: of groups--they simply won't be included in the group list
143: returned by the kernel for the user. Starting with ssuuddoo
144: version 1.8.7, if the user's kernel group list has the maximum
145: number of entries, ssuuddoo will consult the group database
146: directly to determine the group list. This makes it possible
147: for the security policy to perform matching by group name even
148: when the user is a member of more than the maximum number of
149: groups.
150:
151: The _g_r_o_u_p___s_o_u_r_c_e setting allows the administrator to change
152: this default behavior. Supported values for _g_r_o_u_p___s_o_u_r_c_e are:
153:
154: static Use the static group list that the kernel returns.
155: Retrieving the group list this way is very fast but
156: it is subject to an upper limit as described above.
157: It is ``static'' in that it does not reflect changes
158: to the group database made after the user logs in.
159: This was the default behavior prior to ssuuddoo 1.8.7.
160:
161: dynamic Always query the group database directly. It is
162: ``dynamic'' in that changes made to the group
163: database after the user logs in will be reflected in
164: the group list. On some systems, querying the group
165: database for all of a user's groups can be time
166: consuming when querying a network-based group
167: database. Most operating systems provide an
168: efficient method of performing such queries.
169: Currently, ssuuddoo supports efficient group queries on
170: AIX, BSD, HP-UX, Linux and Solaris.
171:
172: adaptive Only query the group database if the static group
173: list returned by the kernel has the maximum number of
174: entries. This is the default behavior in ssuuddoo 1.8.7
175: and higher.
176:
177: For example, to cause ssuuddoo to only use the kernel's static list
178: of groups for the user:
179:
180: Set group_source static
181:
182: This setting is only available in ssuuddoo version 1.8.7 and
183: higher.
184:
185: max_groups
186: The maximum number of user groups to retrieve from the group
1.1.1.2 ! misho 187: database. Values less than one will be ignored. This setting
! 188: is only used when querying the group database directly. It is
! 189: intended to be used on systems where it is not possible to
! 190: detect when the array to be populated with group entries is not
! 191: sufficiently large. By default, ssuuddoo will allocate four times
! 192: the system's maximum number of groups (see above) and retry
! 193: with double that number if the group database query fails.
! 194: However, some systems just return as many entries as will fit
! 195: and do not indicate an error when there is a lack of space.
1.1 misho 196:
197: This setting is only available in ssuuddoo version 1.8.7 and
198: higher.
199:
200: DDeebbuugg ffllaaggss
201: ssuuddoo versions 1.8.4 and higher support a flexible debugging framework
202: that can help track down what ssuuddoo is doing internally if there is a
203: problem.
204:
205: A Debug line consists of the Debug keyword, followed by the name of the
206: program (or plugin) to debug (ssuuddoo, vviissuuddoo, ssuuddoorreeppllaayy, ssuuddooeerrss), the
207: debug file name and a comma-separated list of debug flags. The debug
208: flag syntax used by ssuuddoo and the ssuuddooeerrss plugin is _s_u_b_s_y_s_t_e_m@_p_r_i_o_r_i_t_y but
209: a plugin is free to use a different format so long as it does not include
210: a comma (`,').
211:
212: For example:
213:
214: Debug sudo /var/log/sudo_debug all@warn,plugin@info
215:
216: would log all debugging statements at the _w_a_r_n level and higher in
217: addition to those at the _i_n_f_o level for the plugin subsystem.
218:
219: Currently, only one Debug entry per program is supported. The ssuuddoo Debug
220: entry is shared by the ssuuddoo front end, ssuuddooeeddiitt and the plugins. A
221: future release may add support for per-plugin Debug lines and/or support
222: for multiple debugging files for a single program.
223:
224: The priorities used by the ssuuddoo front end, in order of decreasing
225: severity, are: _c_r_i_t, _e_r_r, _w_a_r_n, _n_o_t_i_c_e, _d_i_a_g, _i_n_f_o, _t_r_a_c_e and _d_e_b_u_g.
226: Each priority, when specified, also includes all priorities higher than
227: it. For example, a priority of _n_o_t_i_c_e would include debug messages
228: logged at _n_o_t_i_c_e and higher.
229:
230: The following subsystems are used by the ssuuddoo front-end:
231:
232: _a_l_l matches every subsystem
233:
234: _a_r_g_s command line argument processing
235:
236: _c_o_n_v user conversation
237:
238: _e_d_i_t sudoedit
239:
240: _e_x_e_c command execution
241:
242: _m_a_i_n ssuuddoo main function
243:
244: _n_e_t_i_f network interface handling
245:
246: _p_c_o_m_m communication with the plugin
247:
248: _p_l_u_g_i_n plugin configuration
249:
250: _p_t_y pseudo-tty related code
251:
252: _s_e_l_i_n_u_x SELinux-specific handling
253:
254: _u_t_i_l utility functions
255:
256: _u_t_m_p utmp handling
257:
258: The sudoers(4) plugin includes support for additional subsystems.
259:
260: FFIILLEESS
261: _/_e_t_c_/_s_u_d_o_._c_o_n_f ssuuddoo front end configuration
262:
263: EEXXAAMMPPLLEESS
264: #
265: # Default /etc/sudo.conf file
266: #
267: # Format:
268: # Plugin plugin_name plugin_path plugin_options ...
269: # Path askpass /path/to/askpass
270: # Path noexec /path/to/sudo_noexec.so
271: # Debug sudo /var/log/sudo_debug all@warn
272: # Set disable_coredump true
273: #
274: # The plugin_path is relative to /usr/local/libexec/sudo unless
275: # fully qualified.
276: # The plugin_name corresponds to a global symbol in the plugin
277: # that contains the plugin interface structure.
278: # The plugin_options are optional.
279: #
280: # The sudoers plugin is used by default if no Plugin lines are
281: # present.
282: Plugin sudoers_policy sudoers.so
283: Plugin sudoers_io sudoers.so
284:
285: #
286: # Sudo askpass:
287: #
288: # An askpass helper program may be specified to provide a graphical
289: # password prompt for "sudo -A" support. Sudo does not ship with
290: # its own askpass program but can use the OpenSSH askpass.
291: #
292: # Use the OpenSSH askpass
293: #Path askpass /usr/X11R6/bin/ssh-askpass
294: #
295: # Use the Gnome OpenSSH askpass
296: #Path askpass /usr/libexec/openssh/gnome-ssh-askpass
297:
298: #
299: # Sudo noexec:
300: #
301: # Path to a shared library containing dummy versions of the execv(),
302: # execve() and fexecve() library functions that just return an error.
303: # This is used to implement the "noexec" functionality on systems that
304: # support C<LD_PRELOAD> or its equivalent.
305: # The compiled-in value is usually sufficient and should only be
306: # changed if you rename or move the sudo_noexec.so file.
307: #
308: #Path noexec /usr/local/libexec/sudo/sudo_noexec.so
309:
310: #
311: # Core dumps:
312: #
313: # By default, sudo disables core dumps while it is executing
314: # (they are re-enabled for the command that is run).
315: # To aid in debugging sudo problems, you may wish to enable core
316: # dumps by setting "disable_coredump" to false.
317: #
318: #Set disable_coredump false
319:
320: #
321: # User groups:
322: #
323: # Sudo passes the user's group list to the policy plugin.
324: # If the user is a member of the maximum number of groups (usually 16),
325: # sudo will query the group database directly to be sure to include
326: # the full list of groups.
327: #
328: # On some systems, this can be expensive so the behavior is configurable.
329: # The "group_source" setting has three possible values:
330: # static - use the user's list of groups returned by the kernel.
331: # dynamic - query the group database to find the list of groups.
332: # adaptive - if user is in less than the maximum number of groups.
333: # use the kernel list, else query the group database.
334: #
335: #Set group_source static
336:
337: SSEEEE AALLSSOO
338: sudoers(4), sudo(1m), sudo_plugin(1m)
339:
340: HHIISSTTOORRYY
341: See the HISTORY file in the ssuuddoo distribution
342: (http://www.sudo.ws/sudo/history.html) for a brief history of sudo.
343:
344: AAUUTTHHOORRSS
345: Many people have worked on ssuuddoo over the years; this version consists of
346: code written primarily by:
347:
348: Todd C. Miller
349:
350: See the CONTRIBUTORS file in the ssuuddoo distribution
351: (http://www.sudo.ws/sudo/contributors.html) for an exhaustive list of
352: people who have contributed to ssuuddoo.
353:
354: BBUUGGSS
355: If you feel you have found a bug in ssuuddoo, please submit a bug report at
356: http://www.sudo.ws/sudo/bugs/
357:
358: SSUUPPPPOORRTT
359: Limited free support is available via the sudo-users mailing list, see
360: http://www.sudo.ws/mailman/listinfo/sudo-users to subscribe or search the
361: archives.
362:
363: DDIISSCCLLAAIIMMEERR
364: ssuuddoo is provided ``AS IS'' and any express or implied warranties,
365: including, but not limited to, the implied warranties of merchantability
366: and fitness for a particular purpose are disclaimed. See the LICENSE
367: file distributed with ssuuddoo or http://www.sudo.ws/sudo/license.html for
368: complete details.
369:
1.1.1.2 ! misho 370: Sudo 1.8.8 August 13, 2013 Sudo 1.8.8
FreeBSD-CVSweb <freebsd-cvsweb@FreeBSD.org>