1: SUDO(4) Programmer's Manual SUDO(4)
2:
3: N�NA�AM�ME�E
4: s�su�ud�do�o.�.c�co�on�nf�f - configuration for sudo front end
5:
6: D�DE�ES�SC�CR�RI�IP�PT�TI�IO�ON�N
7: The s�su�ud�do�o.�.c�co�on�nf�f file is used to configure the s�su�ud�do�o front end. It specifies
8: the security policy and I/O logging plugins, debug flags as well as
9: plugin-agnostic path names and settings.
10:
11: The s�su�ud�do�o.�.c�co�on�nf�f file supports the following directives, described in detail
12: below.
13:
14: Plugin a security policy or I/O logging plugin
15:
16: Path a plugin-agnostic path
17:
18: Set a front end setting, such as _�d_�i_�s_�a_�b_�l_�e_�__�c_�o_�r_�e_�d_�u_�m_�p or _�g_�r_�o_�u_�p_�__�s_�o_�u_�r_�c_�e
19:
20: Debug debug flags to aid in debugging s�su�ud�do�o, s�su�ud�do�or�re�ep�pl�la�ay�y, v�vi�is�su�ud�do�o, and
21: the s�su�ud�do�oe�er�rs�s plugin.
22:
23: The pound sign (`#') is used to indicate a comment. Both the comment
24: character and any text after it, up to the end of the line, are ignored.
25:
26: Long lines can be continued with a backslash (`\') as the last character
27: on the line. Note that leading white space is removed from the beginning
28: of lines even when the continuation character is used.
29:
30: Non-comment lines that don't begin with Plugin, Path, Debug, or Set are
31: silently ignored.
32:
33: The s�su�ud�do�o.�.c�co�on�nf�f file is always parsed in the ``C'' locale.
34:
35: P�Pl�lu�ug�gi�in�n c�co�on�nf�fi�ig�gu�ur�ra�at�ti�io�on�n
36: s�su�ud�do�o supports a plugin architecture for security policies and
37: input/output logging. Third parties can develop and distribute their own
38: policy and I/O logging plugins to work seamlessly with the s�su�ud�do�o front
39: end. Plugins are dynamically loaded based on the contents of s�su�ud�do�o.�.c�co�on�nf�f.
40:
41: A Plugin line consists of the Plugin keyword, followed by the _�s_�y_�m_�b_�o_�l_�__�n_�a_�m_�e
42: and the _�p_�a_�t_�h to the dynamic shared object that contains the plugin. The
43: _�s_�y_�m_�b_�o_�l_�__�n_�a_�m_�e is the name of the struct policy_plugin or struct io_plugin
44: symbol contained in the plugin. The _�p_�a_�t_�h may be fully qualified or
45: relative. If not fully qualified, it is relative to the directory
46: specified by the _�p_�l_�u_�g_�i_�n_�__�d_�i_�r Path setting, which defaults to
47: _�/_�u_�s_�r_�/_�l_�o_�c_�a_�l_�/_�l_�i_�b_�e_�x_�e_�c_�/_�s_�u_�d_�o. In other words:
48:
49: Plugin sudoers_policy sudoers.so
50:
51: is equivalent to:
52:
53: Plugin sudoers_policy /usr/local/libexec/sudo/sudoers.so
54:
55: If the plugin was compiled statically into the s�su�ud�do�o binary instead of
56: being installed as a dynamic shared object, the _�p_�a_�t_�h should be specified
57: without a leading directory, as it does not actually exist in the file
58: system. For example:
59:
60: Plugin sudoers_policy sudoers.so
61:
62: Starting with s�su�ud�do�o 1.8.5, any additional parameters after the _�p_�a_�t_�h are
63: passed as arguments to the plugin's _�o_�p_�e_�n function. For example, to
64: override the compile-time default sudoers file mode:
65:
66: Plugin sudoers_policy sudoers.so sudoers_mode=0440
67:
68: The same dynamic shared object may contain multiple plugins, each with a
69: different symbol name. The file must be owned by uid 0 and only writable
70: by its owner. Because of ambiguities that arise from composite policies,
71: only a single policy plugin may be specified. This limitation does not
72: apply to I/O plugins.
73:
74: If no s�su�ud�do�o.�.c�co�on�nf�f file is present, or if it contains no Plugin lines, the
75: s�su�ud�do�oe�er�rs�s plugin will be used as the default security policy and for I/O
76: logging (if enabled by the policy). This is equivalent to the following:
77:
78: Plugin sudoers_policy sudoers.so
79: Plugin sudoers_io sudoers.so
80:
81: For more information on the s�su�ud�do�o plugin architecture, see the
82: sudo_plugin(1m) manual.
83:
84: P�Pa�at�th�h s�se�et�tt�ti�in�ng�gs�s
85: A Path line consists of the Path keyword, followed by the name of the
86: path to set and its value. For example:
87:
88: Path noexec /usr/local/libexec/sudo/sudo_noexec.so
89: Path askpass /usr/X11R6/bin/ssh-askpass
90:
91: The following plugin-agnostic paths may be set in the _�/_�e_�t_�c_�/_�s_�u_�d_�o_�._�c_�o_�n_�f
92: file:
93:
94: askpass The fully qualified path to a helper program used to read the
95: user's password when no terminal is available. This may be the
96: case when s�su�ud�do�o is executed from a graphical (as opposed to
97: text-based) application. The program specified by _�a_�s_�k_�p_�a_�s_�s
98: should display the argument passed to it as the prompt and
99: write the user's password to the standard output. The value of
100: _�a_�s_�k_�p_�a_�s_�s may be overridden by the SUDO_ASKPASS environment
101: variable.
102:
103: noexec The fully-qualified path to a shared library containing dummy
104: versions of the e�ex�xe�ec�cv�v(), e�ex�xe�ec�cv�ve�e() and f�fe�ex�xe�ec�cv�ve�e() library
105: functions that just return an error. This is used to implement
106: the _�n_�o_�e_�x_�e_�c functionality on systems that support LD_PRELOAD or
107: its equivalent. The default value is:
108: _�/_�u_�s_�r_�/_�l_�o_�c_�a_�l_�/_�l_�i_�b_�e_�x_�e_�c_�/_�s_�u_�d_�o_�/_�s_�u_�d_�o_�__�n_�o_�e_�x_�e_�c_�._�s_�o.
109:
110: plugin_dir
111: The default directory to use when searching for plugins that
112: are specified without a fully qualified path name. The default
113: value is _�/_�u_�s_�r_�/_�l_�o_�c_�a_�l_�/_�l_�i_�b_�e_�x_�e_�c_�/_�s_�u_�d_�o.
114:
115: sesh The fully-qualified path to the s�se�es�sh�h binary. This setting is
116: only used when s�su�ud�do�o is built with SELinux support. The default
117: value is _�/_�u_�s_�r_�/_�l_�o_�c_�a_�l_�/_�l_�i_�b_�e_�x_�e_�c_�/_�s_�u_�d_�o_�/_�s_�e_�s_�h.
118:
119: O�Ot�th�he�er�r s�se�et�tt�ti�in�ng�gs�s
120: The s�su�ud�do�o.�.c�co�on�nf�f file also supports the following front end settings:
121:
122: disable_coredump
123: Core dumps of s�su�ud�do�o itself are disabled by default. To aid in
124: debugging s�su�ud�do�o crashes, you may wish to re-enable core dumps by
125: setting ``disable_coredump'' to false in s�su�ud�do�o.�.c�co�on�nf�f as follows:
126:
127: Set disable_coredump false
128:
129: Note that most operating systems disable core dumps from setuid
130: programs, including s�su�ud�do�o. To actually get a s�su�ud�do�o core file you
131: will likely need to enable core dumps for setuid processes. On
132: BSD and Linux systems this is accomplished in the sysctl
133: command. On Solaris, the coreadm command is used to configure
134: core dump behavior.
135:
136: This setting is only available in s�su�ud�do�o version 1.8.4 and
137: higher.
138:
139: group_source
140: s�su�ud�do�o passes the invoking user's group list to the policy and
141: I/O plugins. On most systems, there is an upper limit to the
142: number of groups that a user may belong to simultaneously
143: (typically 16 for compatibility with NFS). On systems with the
144: getconf(1) utility, running:
145: getconf NGROUPS_MAX
146: will return the maximum number of groups.
147:
148: However, it is still possible to be a member of a larger number
149: of groups--they simply won't be included in the group list
150: returned by the kernel for the user. Starting with s�su�ud�do�o
151: version 1.8.7, if the user's kernel group list has the maximum
152: number of entries, s�su�ud�do�o will consult the group database
153: directly to determine the group list. This makes it possible
154: for the security policy to perform matching by group name even
155: when the user is a member of more than the maximum number of
156: groups.
157:
158: The _�g_�r_�o_�u_�p_�__�s_�o_�u_�r_�c_�e setting allows the administrator to change
159: this default behavior. Supported values for _�g_�r_�o_�u_�p_�__�s_�o_�u_�r_�c_�e are:
160:
161: static Use the static group list that the kernel returns.
162: Retrieving the group list this way is very fast but
163: it is subject to an upper limit as described above.
164: It is ``static'' in that it does not reflect changes
165: to the group database made after the user logs in.
166: This was the default behavior prior to s�su�ud�do�o 1.8.7.
167:
168: dynamic Always query the group database directly. It is
169: ``dynamic'' in that changes made to the group
170: database after the user logs in will be reflected in
171: the group list. On some systems, querying the group
172: database for all of a user's groups can be time
173: consuming when querying a network-based group
174: database. Most operating systems provide an
175: efficient method of performing such queries.
176: Currently, s�su�ud�do�o supports efficient group queries on
177: AIX, BSD, HP-UX, Linux and Solaris.
178:
179: adaptive Only query the group database if the static group
180: list returned by the kernel has the maximum number of
181: entries. This is the default behavior in s�su�ud�do�o 1.8.7
182: and higher.
183:
184: For example, to cause s�su�ud�do�o to only use the kernel's static list
185: of groups for the user:
186:
187: Set group_source static
188:
189: This setting is only available in s�su�ud�do�o version 1.8.7 and
190: higher.
191:
192: max_groups
193: The maximum number of user groups to retrieve from the group
194: database. Values less than one will be ignored. This setting
195: is only used when querying the group database directly. It is
196: intended to be used on systems where it is not possible to
197: detect when the array to be populated with group entries is not
198: sufficiently large. By default, s�su�ud�do�o will allocate four times
199: the system's maximum number of groups (see above) and retry
200: with double that number if the group database query fails.
201: However, some systems just return as many entries as will fit
202: and do not indicate an error when there is a lack of space.
203:
204: This setting is only available in s�su�ud�do�o version 1.8.7 and
205: higher.
206:
207: probe_interfaces
208: By default, s�su�ud�do�o will probe the system's network interfaces and
209: pass the IP address of each enabled interface to the policy
210: plugin. This makes it possible for the plugin to match rules
211: based on the IP address without having to query DNS. On Linux
212: systems with a large number of virtual interfaces, this may
213: take a non-negligible amount of time. If IP-based matching is
214: not required, network interface probing can be disabled as
215: follows:
216:
217: Set probe_interfaces false
218:
219: This setting is only available in s�su�ud�do�o version 1.8.10 and
220: higher.
221:
222: D�De�eb�bu�ug�g f�fl�la�ag�gs�s
223: s�su�ud�do�o versions 1.8.4 and higher support a flexible debugging framework
224: that can help track down what s�su�ud�do�o is doing internally if there is a
225: problem.
226:
227: A Debug line consists of the Debug keyword, followed by the name of the
228: program (or plugin) to debug (s�su�ud�do�o, v�vi�is�su�ud�do�o, s�su�ud�do�or�re�ep�pl�la�ay�y, s�su�ud�do�oe�er�rs�s), the
229: debug file name and a comma-separated list of debug flags. The debug
230: flag syntax used by s�su�ud�do�o and the s�su�ud�do�oe�er�rs�s plugin is _�s_�u_�b_�s_�y_�s_�t_�e_�m@_�p_�r_�i_�o_�r_�i_�t_�y but
231: a plugin is free to use a different format so long as it does not include
232: a comma (`,').
233:
234: For example:
235:
236: Debug sudo /var/log/sudo_debug all@warn,plugin@info
237:
238: would log all debugging statements at the _�w_�a_�r_�n level and higher in
239: addition to those at the _�i_�n_�f_�o level for the plugin subsystem.
240:
241: Currently, only one Debug entry per program is supported. The s�su�ud�do�o Debug
242: entry is shared by the s�su�ud�do�o front end, s�su�ud�do�oe�ed�di�it�t and the plugins. A
243: future release may add support for per-plugin Debug lines and/or support
244: for multiple debugging files for a single program.
245:
246: The priorities used by the s�su�ud�do�o front end, in order of decreasing
247: severity, are: _�c_�r_�i_�t, _�e_�r_�r, _�w_�a_�r_�n, _�n_�o_�t_�i_�c_�e, _�d_�i_�a_�g, _�i_�n_�f_�o, _�t_�r_�a_�c_�e and _�d_�e_�b_�u_�g.
248: Each priority, when specified, also includes all priorities higher than
249: it. For example, a priority of _�n_�o_�t_�i_�c_�e would include debug messages
250: logged at _�n_�o_�t_�i_�c_�e and higher.
251:
252: The following subsystems are used by the s�su�ud�do�o front-end:
253:
254: _�a_�l_�l matches every subsystem
255:
256: _�a_�r_�g_�s command line argument processing
257:
258: _�c_�o_�n_�v user conversation
259:
260: _�e_�d_�i_�t sudoedit
261:
262: _�e_�v_�e_�n_�t event subsystem
263:
264: _�e_�x_�e_�c command execution
265:
266: _�m_�a_�i_�n s�su�ud�do�o main function
267:
268: _�n_�e_�t_�i_�f network interface handling
269:
270: _�p_�c_�o_�m_�m communication with the plugin
271:
272: _�p_�l_�u_�g_�i_�n plugin configuration
273:
274: _�p_�t_�y pseudo-tty related code
275:
276: _�s_�e_�l_�i_�n_�u_�x SELinux-specific handling
277:
278: _�u_�t_�i_�l utility functions
279:
280: _�u_�t_�m_�p utmp handling
281:
282: The sudoers(4) plugin includes support for additional subsystems.
283:
284: F�FI�IL�LE�ES�S
285: _�/_�e_�t_�c_�/_�s_�u_�d_�o_�._�c_�o_�n_�f s�su�ud�do�o front end configuration
286:
287: E�EX�XA�AM�MP�PL�LE�ES�S
288: #
289: # Default /etc/sudo.conf file
290: #
291: # Format:
292: # Plugin plugin_name plugin_path plugin_options ...
293: # Path askpass /path/to/askpass
294: # Path noexec /path/to/sudo_noexec.so
295: # Debug sudo /var/log/sudo_debug all@warn
296: # Set disable_coredump true
297: #
298: # The plugin_path is relative to /usr/local/libexec/sudo unless
299: # fully qualified.
300: # The plugin_name corresponds to a global symbol in the plugin
301: # that contains the plugin interface structure.
302: # The plugin_options are optional.
303: #
304: # The sudoers plugin is used by default if no Plugin lines are
305: # present.
306: Plugin sudoers_policy sudoers.so
307: Plugin sudoers_io sudoers.so
308:
309: #
310: # Sudo askpass:
311: #
312: # An askpass helper program may be specified to provide a graphical
313: # password prompt for "sudo -A" support. Sudo does not ship with
314: # its own askpass program but can use the OpenSSH askpass.
315: #
316: # Use the OpenSSH askpass
317: #Path askpass /usr/X11R6/bin/ssh-askpass
318: #
319: # Use the Gnome OpenSSH askpass
320: #Path askpass /usr/libexec/openssh/gnome-ssh-askpass
321:
322: #
323: # Sudo noexec:
324: #
325: # Path to a shared library containing dummy versions of the execv(),
326: # execve() and fexecve() library functions that just return an error.
327: # This is used to implement the "noexec" functionality on systems that
328: # support C<LD_PRELOAD> or its equivalent.
329: # The compiled-in value is usually sufficient and should only be
330: # changed if you rename or move the sudo_noexec.so file.
331: #
332: #Path noexec /usr/local/libexec/sudo/sudo_noexec.so
333:
334: #
335: # Core dumps:
336: #
337: # By default, sudo disables core dumps while it is executing
338: # (they are re-enabled for the command that is run).
339: # To aid in debugging sudo problems, you may wish to enable core
340: # dumps by setting "disable_coredump" to false.
341: #
342: #Set disable_coredump false
343:
344: #
345: # User groups:
346: #
347: # Sudo passes the user's group list to the policy plugin.
348: # If the user is a member of the maximum number of groups (usually 16),
349: # sudo will query the group database directly to be sure to include
350: # the full list of groups.
351: #
352: # On some systems, this can be expensive so the behavior is configurable.
353: # The "group_source" setting has three possible values:
354: # static - use the user's list of groups returned by the kernel.
355: # dynamic - query the group database to find the list of groups.
356: # adaptive - if user is in less than the maximum number of groups.
357: # use the kernel list, else query the group database.
358: #
359: #Set group_source static
360:
361: S�SE�EE�E A�AL�LS�SO�O
362: sudoers(4), sudo(1m), sudo_plugin(1m)
363:
364: H�HI�IS�ST�TO�OR�RY�Y
365: See the HISTORY file in the s�su�ud�do�o distribution
366: (http://www.sudo.ws/sudo/history.html) for a brief history of sudo.
367:
368: A�AU�UT�TH�HO�OR�RS�S
369: Many people have worked on s�su�ud�do�o over the years; this version consists of
370: code written primarily by:
371:
372: Todd C. Miller
373:
374: See the CONTRIBUTORS file in the s�su�ud�do�o distribution
375: (http://www.sudo.ws/sudo/contributors.html) for an exhaustive list of
376: people who have contributed to s�su�ud�do�o.
377:
378: B�BU�UG�GS�S
379: If you feel you have found a bug in s�su�ud�do�o, please submit a bug report at
380: http://www.sudo.ws/sudo/bugs/
381:
382: S�SU�UP�PP�PO�OR�RT�T
383: Limited free support is available via the sudo-users mailing list, see
384: http://www.sudo.ws/mailman/listinfo/sudo-users to subscribe or search the
385: archives.
386:
387: D�DI�IS�SC�CL�LA�AI�IM�ME�ER�R
388: s�su�ud�do�o is provided ``AS IS'' and any express or implied warranties,
389: including, but not limited to, the implied warranties of merchantability
390: and fitness for a particular purpose are disclaimed. See the LICENSE
391: file distributed with s�su�ud�do�o or http://www.sudo.ws/sudo/license.html for
392: complete details.
393:
394: Sudo 1.8.10 January 22, 2014 Sudo 1.8.10
FreeBSD-CVSweb <freebsd-cvsweb@FreeBSD.org>
![[BACK]](/icons/cvsweb/back.gif){kind=icon}
Return to sudo.conf.cat CVS log ![[TXT]](/icons/cvsweb/text.gif){kind=icon}
![[DIR]](/icons/cvsweb/dir.gif){kind=icon}
Up to [ELWIX - Embedded LightWeight unIX -] / embedaddon / sudo / doc