|
version 1.1.1.2, 2013/10/14 07:56:34
|
version 1.1.1.3, 2014/06/15 16:12:54
|
|
Line 1
|
Line 1
|
| .\" DO NOT EDIT THIS FILE, IT IS NOT THE MASTER! |
.\" DO NOT EDIT THIS FILE, IT IS NOT THE MASTER! |
| .\" IT IS GENERATED AUTOMATICALLY FROM sudo.conf.mdoc.in |
.\" IT IS GENERATED AUTOMATICALLY FROM sudo.conf.mdoc.in |
| .\" |
.\" |
| .\" Copyright (c) 2010-2013 Todd C. Miller <Todd.Miller@courtesan.com> | .\" Copyright (c) 2010-2014 Todd C. Miller <Todd.Miller@courtesan.com> |
| .\" |
.\" |
| .\" Permission to use, copy, modify, and distribute this software for any |
.\" Permission to use, copy, modify, and distribute this software for any |
| .\" purpose with or without fee is hereby granted, provided that the above |
.\" purpose with or without fee is hereby granted, provided that the above |
|
Line 16
|
Line 16
|
| .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. |
.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. |
| .\" ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. |
.\" ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. |
| .\" |
.\" |
| .TH "SUDO" "5" "August 13, 2013" "Sudo @PACKAGE_VERSION@" "OpenBSD Programmer's Manual" | .TH "SUDO" "5" "January 22, 2014" "Sudo @PACKAGE_VERSION@" "OpenBSD Programmer's Manual" |
| .nh |
.nh |
| .if n .ad l |
.if n .ad l |
| .SH "NAME" |
.SH "NAME" |
|
Line 57 and the
|
Line 57 and the
|
| plugin. |
plugin. |
| .PP |
.PP |
| The pound sign |
The pound sign |
| (`#') | (\(oq#\(cq) |
| is used to indicate a comment. |
is used to indicate a comment. |
| Both the comment character and any text after it, up to the end of |
Both the comment character and any text after it, up to the end of |
| the line, are ignored. |
the line, are ignored. |
| .PP |
.PP |
| Long lines can be continued with a backslash |
Long lines can be continued with a backslash |
| (`\e') | (\(oq\e\(cq) |
| as the last character on the line. |
as the last character on the line. |
| Note that leading white space is removed from the beginning of lines |
Note that leading white space is removed from the beginning of lines |
| even when the continuation character is used. |
even when the continuation character is used. |
|
Line 79 are silently ignored.
|
Line 79 are silently ignored.
|
| The |
The |
| \fBsudo.conf\fR |
\fBsudo.conf\fR |
| file is always parsed in the |
file is always parsed in the |
| ``\fRC\fR'' | \(lq\fRC\fR\(rq |
| locale. |
locale. |
| .SS "Plugin configuration" |
.SS "Plugin configuration" |
| \fBsudo\fR |
\fBsudo\fR |
|
Line 100 keyword, followed by the
|
Line 100 keyword, followed by the
|
| \fIsymbol_name\fR |
\fIsymbol_name\fR |
| and the |
and the |
| \fIpath\fR |
\fIpath\fR |
| to the shared object containing the plugin. | to the dynamic shared object that contains the plugin. |
| The |
The |
| \fIsymbol_name\fR |
\fIsymbol_name\fR |
| is the name of the |
is the name of the |
| \fRstruct policy_plugin\fR |
\fRstruct policy_plugin\fR |
| or |
or |
| \fRstruct io_plugin\fR |
\fRstruct io_plugin\fR |
| in the plugin shared object. | symbol contained in the plugin. |
| The |
The |
| \fIpath\fR |
\fIpath\fR |
| may be fully qualified or relative. |
may be fully qualified or relative. |
|
Line 133 Plugin sudoers_policy @PLUGINDIR@/sudoers.so
|
Line 133 Plugin sudoers_policy @PLUGINDIR@/sudoers.so
|
| .RE |
.RE |
| .fi |
.fi |
| .PP |
.PP |
| |
If the plugin was compiled statically into the |
| |
\fBsudo\fR |
| |
binary instead of being installed as a dynamic shared object, the |
| |
\fIpath\fR |
| |
should be specified without a leading directory, |
| |
as it does not actually exist in the file system. |
| |
For example: |
| |
.nf |
| |
.sp |
| |
.RS 6n |
| |
Plugin sudoers_policy sudoers.so |
| |
.RE |
| |
.fi |
| |
.PP |
| Starting with |
Starting with |
| \fBsudo\fR |
\fBsudo\fR |
| 1.8.5, any additional parameters after the |
1.8.5, any additional parameters after the |
|
Line 148 Plugin sudoers_policy sudoers.so sudoers_mode=0440
|
Line 162 Plugin sudoers_policy sudoers.so sudoers_mode=0440
|
| .RE |
.RE |
| .fi |
.fi |
| .PP |
.PP |
| The same shared object may contain multiple plugins, each with a | The same dynamic shared object may contain multiple plugins, |
| different symbol name. | each with a different symbol name. |
| The shared object file must be owned by uid 0 and only writable by its owner. | The file must be owned by uid 0 and only writable by its owner. |
| Because of ambiguities that arise from composite policies, only a single |
Because of ambiguities that arise from composite policies, only a single |
| policy plugin may be specified. |
policy plugin may be specified. |
| This limitation does not apply to I/O plugins. |
This limitation does not apply to I/O plugins. |
|
Line 255 itself are disabled by default.
|
Line 269 itself are disabled by default.
|
| To aid in debugging |
To aid in debugging |
| \fBsudo\fR |
\fBsudo\fR |
| crashes, you may wish to re-enable core dumps by setting |
crashes, you may wish to re-enable core dumps by setting |
| ``disable_coredump'' | \(lqdisable_coredump\(rq |
| to false in |
to false in |
| \fBsudo.conf\fR |
\fBsudo.conf\fR |
| as follows: |
as follows: |
| .RS |
|
| .nf |
.nf |
| .sp |
.sp |
| .RS 6n | .RS 16n |
| Set disable_coredump false |
Set disable_coredump false |
| .RE |
.RE |
| .fi |
.fi |
| |
.RS 10n |
| .sp |
.sp |
| Note that most operating systems disable core dumps from setuid programs, |
Note that most operating systems disable core dumps from setuid programs, |
| including |
including |
|
Line 283 command is used to configure core dump behavior.
|
Line 297 command is used to configure core dump behavior.
|
| This setting is only available in |
This setting is only available in |
| \fBsudo\fR |
\fBsudo\fR |
| version 1.8.4 and higher. |
version 1.8.4 and higher. |
| .PP |
|
| .RE |
.RE |
| .PD 0 |
|
| .TP 10n |
.TP 10n |
| group_source |
group_source |
| \fBsudo\fR |
\fBsudo\fR |
|
Line 296 with NFS).
|
Line 308 with NFS).
|
| On systems with the |
On systems with the |
| getconf(1) |
getconf(1) |
| utility, running: |
utility, running: |
| .RS 6n | .RS 16n |
| getconf NGROUPS_MAX |
getconf NGROUPS_MAX |
| .RE |
.RE |
| |
.RS 10n |
| will return the maximum number of groups. |
will return the maximum number of groups. |
| .sp |
.sp |
| However, it is still possible to be a member of a larger number of |
However, it is still possible to be a member of a larger number of |
|
Line 319 setting allows the administrator to change this defaul
|
Line 332 setting allows the administrator to change this defaul
|
| Supported values for |
Supported values for |
| \fIgroup_source\fR |
\fIgroup_source\fR |
| are: |
are: |
| .RS |
|
| .PD |
|
| .TP 10n |
.TP 10n |
| static |
static |
| Use the static group list that the kernel returns. |
Use the static group list that the kernel returns. |
| Retrieving the group list this way is very fast but it is subject |
Retrieving the group list this way is very fast but it is subject |
| to an upper limit as described above. |
to an upper limit as described above. |
| It is |
It is |
| ``static'' | \(lqstatic\(rq |
| in that it does not reflect changes to the group database made |
in that it does not reflect changes to the group database made |
| after the user logs in. |
after the user logs in. |
| This was the default behavior prior to |
This was the default behavior prior to |
|
Line 337 This was the default behavior prior to
|
Line 348 This was the default behavior prior to
|
| dynamic |
dynamic |
| Always query the group database directly. |
Always query the group database directly. |
| It is |
It is |
| ``dynamic'' | \(lqdynamic\(rq |
| in that changes made to the group database after the user logs in |
in that changes made to the group database after the user logs in |
| will be reflected in the group list. |
will be reflected in the group list. |
| On some systems, querying the group database for all of a user's |
On some systems, querying the group database for all of a user's |
|
Line 362 For example, to cause
|
Line 373 For example, to cause
|
| to only use the kernel's static list of groups for the user: |
to only use the kernel's static list of groups for the user: |
| .nf |
.nf |
| .sp |
.sp |
| .RS 6n | .RS 16n |
| Set group_source static |
Set group_source static |
| .RE |
.RE |
| .fi |
.fi |
|
Line 370 Set group_source static
|
Line 381 Set group_source static
|
| This setting is only available in |
This setting is only available in |
| \fBsudo\fR |
\fBsudo\fR |
| version 1.8.7 and higher. |
version 1.8.7 and higher. |
| .PP |
|
| .RE |
.RE |
| .PD 0 |
|
| .TP 10n |
.TP 10n |
| max_groups |
max_groups |
| The maximum number of user groups to retrieve from the group database. |
The maximum number of user groups to retrieve from the group database. |
|
Line 390 do not indicate an error when there is a lack of space
|
Line 399 do not indicate an error when there is a lack of space
|
| This setting is only available in |
This setting is only available in |
| \fBsudo\fR |
\fBsudo\fR |
| version 1.8.7 and higher. |
version 1.8.7 and higher. |
| .PD | .TP 10n |
| | probe_interfaces |
| | By default, |
| | \fBsudo\fR |
| | will probe the system's network interfaces and pass the IP address |
| | of each enabled interface to the policy plugin. This makes it |
| | possible for the plugin to match rules based on the IP address |
| | without having to query DNS. On Linux systems with a large number |
| | of virtual interfaces, this may take a non-negligible amount of time. |
| | If IP-based matching is not required, network interface probing |
| | can be disabled as follows: |
| | .nf |
| | .sp |
| | .RS 16n |
| | Set probe_interfaces false |
| | .RE |
| | .fi |
| | .RS 10n |
| | .sp |
| | This setting is only available in |
| | \fBsudo\fR |
| | version 1.8.10 and higher. |
| | .RE |
| .SS "Debug flags" |
.SS "Debug flags" |
| \fBsudo\fR |
\fBsudo\fR |
| versions 1.8.4 and higher support a flexible debugging framework |
versions 1.8.4 and higher support a flexible debugging framework |
|
Line 413 plugin is
|
Line 444 plugin is
|
| \fIsubsystem\fR@\fIpriority\fR |
\fIsubsystem\fR@\fIpriority\fR |
| but a plugin is free to use a different format so long as it does |
but a plugin is free to use a different format so long as it does |
| not include a comma |
not include a comma |
| (`\&,'). | (\(oq\&,\(cq). |
| .PP |
.PP |
| For example: |
For example: |
| .nf |
.nf |
|
Line 472 user conversation
|
Line 503 user conversation
|
| \fIedit\fR |
\fIedit\fR |
| sudoedit |
sudoedit |
| .TP 12n |
.TP 12n |
| |
\fIevent\fR |
| |
event subsystem |
| |
.TP 12n |
| \fIexec\fR |
\fIexec\fR |
| command execution |
command execution |
| .TP 12n |
.TP 12n |
|
Line 619 search the archives.
|
Line 653 search the archives.
|
| .SH "DISCLAIMER" |
.SH "DISCLAIMER" |
| \fBsudo\fR |
\fBsudo\fR |
| is provided |
is provided |
| ``AS IS'' | \(lqAS IS\(rq |
| and any express or implied warranties, including, but not limited |
and any express or implied warranties, including, but not limited |
| to, the implied warranties of merchantability and fitness for a |
to, the implied warranties of merchantability and fitness for a |
| particular purpose are disclaimed. |
particular purpose are disclaimed. |
![[BACK]](/icons/cvsweb/back.gif){kind=icon}
Return to sudo.conf.man.in CVS log ![[TXT]](/icons/cvsweb/text.gif){kind=icon}
![[DIR]](/icons/cvsweb/dir.gif){kind=icon}
Up to [ELWIX - Embedded LightWeight unIX -] / embedaddon / sudo / doc