version 1.1.1.2, 2013/10/14 07:56:34
|
version 1.1.1.3, 2014/06/15 16:12:54
|
Line 1
|
Line 1
|
.\" DO NOT EDIT THIS FILE, IT IS NOT THE MASTER! |
.\" DO NOT EDIT THIS FILE, IT IS NOT THE MASTER! |
.\" IT IS GENERATED AUTOMATICALLY FROM sudo.conf.mdoc.in |
.\" IT IS GENERATED AUTOMATICALLY FROM sudo.conf.mdoc.in |
.\" |
.\" |
.\" Copyright (c) 2010-2013 Todd C. Miller <Todd.Miller@courtesan.com> | .\" Copyright (c) 2010-2014 Todd C. Miller <Todd.Miller@courtesan.com> |
.\" |
.\" |
.\" Permission to use, copy, modify, and distribute this software for any |
.\" Permission to use, copy, modify, and distribute this software for any |
.\" purpose with or without fee is hereby granted, provided that the above |
.\" purpose with or without fee is hereby granted, provided that the above |
Line 16
|
Line 16
|
.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. |
.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. |
.\" ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. |
.\" ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. |
.\" |
.\" |
.TH "SUDO" "5" "August 13, 2013" "Sudo @PACKAGE_VERSION@" "OpenBSD Programmer's Manual" | .TH "SUDO" "5" "January 22, 2014" "Sudo @PACKAGE_VERSION@" "OpenBSD Programmer's Manual" |
.nh |
.nh |
.if n .ad l |
.if n .ad l |
.SH "NAME" |
.SH "NAME" |
Line 57 and the
|
Line 57 and the
|
plugin. |
plugin. |
.PP |
.PP |
The pound sign |
The pound sign |
(`#') | (\(oq#\(cq) |
is used to indicate a comment. |
is used to indicate a comment. |
Both the comment character and any text after it, up to the end of |
Both the comment character and any text after it, up to the end of |
the line, are ignored. |
the line, are ignored. |
.PP |
.PP |
Long lines can be continued with a backslash |
Long lines can be continued with a backslash |
(`\e') | (\(oq\e\(cq) |
as the last character on the line. |
as the last character on the line. |
Note that leading white space is removed from the beginning of lines |
Note that leading white space is removed from the beginning of lines |
even when the continuation character is used. |
even when the continuation character is used. |
Line 79 are silently ignored.
|
Line 79 are silently ignored.
|
The |
The |
\fBsudo.conf\fR |
\fBsudo.conf\fR |
file is always parsed in the |
file is always parsed in the |
``\fRC\fR'' | \(lq\fRC\fR\(rq |
locale. |
locale. |
.SS "Plugin configuration" |
.SS "Plugin configuration" |
\fBsudo\fR |
\fBsudo\fR |
Line 100 keyword, followed by the
|
Line 100 keyword, followed by the
|
\fIsymbol_name\fR |
\fIsymbol_name\fR |
and the |
and the |
\fIpath\fR |
\fIpath\fR |
to the shared object containing the plugin. | to the dynamic shared object that contains the plugin. |
The |
The |
\fIsymbol_name\fR |
\fIsymbol_name\fR |
is the name of the |
is the name of the |
\fRstruct policy_plugin\fR |
\fRstruct policy_plugin\fR |
or |
or |
\fRstruct io_plugin\fR |
\fRstruct io_plugin\fR |
in the plugin shared object. | symbol contained in the plugin. |
The |
The |
\fIpath\fR |
\fIpath\fR |
may be fully qualified or relative. |
may be fully qualified or relative. |
Line 133 Plugin sudoers_policy @PLUGINDIR@/sudoers.so
|
Line 133 Plugin sudoers_policy @PLUGINDIR@/sudoers.so
|
.RE |
.RE |
.fi |
.fi |
.PP |
.PP |
|
If the plugin was compiled statically into the |
|
\fBsudo\fR |
|
binary instead of being installed as a dynamic shared object, the |
|
\fIpath\fR |
|
should be specified without a leading directory, |
|
as it does not actually exist in the file system. |
|
For example: |
|
.nf |
|
.sp |
|
.RS 6n |
|
Plugin sudoers_policy sudoers.so |
|
.RE |
|
.fi |
|
.PP |
Starting with |
Starting with |
\fBsudo\fR |
\fBsudo\fR |
1.8.5, any additional parameters after the |
1.8.5, any additional parameters after the |
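Review bot: The new paragraph about statically compiled plugins says the path "should be specified without a leading directory, as it does not actually exist in the file system", but the text just above it says the path "may be fully qualified or relative", and the example `Plugin sudoers_policy sudoers.so` is indistinguishable from a relative path to a real file called sudoers.so. The paragraph should say how sudo decides between the two readings (for instance, whether a bare name is first looked up among the statically linked plugins), and whether the requirement elsewhere in this page that the plugin file be owned by uid 0 and writable only by its owner is simply not applicable when there is no file to check. Without that, an administrator cannot tell from the documentation which object will actually be loaded.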
Line 148 Plugin sudoers_policy sudoers.so sudoers_mode=0440
|
Line 162 Plugin sudoers_policy sudoers.so sudoers_mode=0440
|
.RE |
.RE |
.fi |
.fi |
.PP |
.PP |
The same shared object may contain multiple plugins, each with a | The same dynamic shared object may contain multiple plugins, |
different symbol name. | each with a different symbol name. |
The shared object file must be owned by uid 0 and only writable by its owner. | The file must be owned by uid 0 and only writable by its owner. |
Because of ambiguities that arise from composite policies, only a single |
Because of ambiguities that arise from composite policies, only a single |
policy plugin may be specified. |
policy plugin may be specified. |
This limitation does not apply to I/O plugins. |
This limitation does not apply to I/O plugins. |
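Review bot: Shortening "The shared object file must be owned by uid 0 and only writable by its owner" to "The file must be owned by uid 0 and only writable by its owner" loses the referent: the sentence before it now talks about a dynamic shared object containing several plugins, so "the file" could be read as the sudo.conf file being documented rather than the plugin object. Since this ownership and write-permission requirement is the safeguard against loading a plugin that an unprivileged user can modify, keep the subject explicit, e.g. "The dynamic shared object file must be owned by uid 0 and only writable by its owner."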
Line 255 itself are disabled by default.
|
Line 269 itself are disabled by default.
|
To aid in debugging |
To aid in debugging |
\fBsudo\fR |
\fBsudo\fR |
crashes, you may wish to re-enable core dumps by setting |
crashes, you may wish to re-enable core dumps by setting |
``disable_coredump'' | \(lqdisable_coredump\(rq |
to false in |
to false in |
\fBsudo.conf\fR |
\fBsudo.conf\fR |
as follows: |
as follows: |
.RS |
|
.nf |
.nf |
.sp |
.sp |
.RS 6n | .RS 16n |
Set disable_coredump false |
Set disable_coredump false |
.RE |
.RE |
.fi |
.fi |
|
.RS 10n |
.sp |
.sp |
Note that most operating systems disable core dumps from setuid programs, |
Note that most operating systems disable core dumps from setuid programs, |
including |
including |
Line 283 command is used to configure core dump behavior.
|
Line 297 command is used to configure core dump behavior.
|
This setting is only available in |
This setting is only available in |
\fBsudo\fR |
\fBsudo\fR |
version 1.8.4 and higher. |
version 1.8.4 and higher. |
.PP |
|
.RE |
.RE |
.PD 0 |
|
.TP 10n |
.TP 10n |
group_source |
group_source |
\fBsudo\fR |
\fBsudo\fR |
Line 296 with NFS).
|
Line 308 with NFS).
|
On systems with the |
On systems with the |
getconf(1) |
getconf(1) |
utility, running: |
utility, running: |
.RS 6n | .RS 16n |
getconf NGROUPS_MAX |
getconf NGROUPS_MAX |
.RE |
.RE |
|
.RS 10n |
will return the maximum number of groups. |
will return the maximum number of groups. |
.sp |
.sp |
However, it is still possible to be a member of a larger number of |
However, it is still possible to be a member of a larger number of |
Line 319 setting allows the administrator to change this defaul
|
Line 332 setting allows the administrator to change this defaul
|
Supported values for |
Supported values for |
\fIgroup_source\fR |
\fIgroup_source\fR |
are: |
are: |
.RS |
|
.PD |
|
.TP 10n |
.TP 10n |
static |
static |
Use the static group list that the kernel returns. |
Use the static group list that the kernel returns. |
Retrieving the group list this way is very fast but it is subject |
Retrieving the group list this way is very fast but it is subject |
to an upper limit as described above. |
to an upper limit as described above. |
It is |
It is |
``static'' | \(lqstatic\(rq |
in that it does not reflect changes to the group database made |
in that it does not reflect changes to the group database made |
after the user logs in. |
after the user logs in. |
This was the default behavior prior to |
This was the default behavior prior to |
Line 337 This was the default behavior prior to
|
Line 348 This was the default behavior prior to
|
dynamic |
dynamic |
Always query the group database directly. |
Always query the group database directly. |
It is |
It is |
``dynamic'' | \(lqdynamic\(rq |
in that changes made to the group database after the user logs in |
in that changes made to the group database after the user logs in |
will be reflected in the group list. |
will be reflected in the group list. |
On some systems, querying the group database for all of a user's |
On some systems, querying the group database for all of a user's |
Line 362 For example, to cause
|
Line 373 For example, to cause
|
to only use the kernel's static list of groups for the user: |
to only use the kernel's static list of groups for the user: |
.nf |
.nf |
.sp |
.sp |
.RS 6n | .RS 16n |
Set group_source static |
Set group_source static |
.RE |
.RE |
.fi |
.fi |
Line 370 Set group_source static
|
Line 381 Set group_source static
|
This setting is only available in |
This setting is only available in |
\fBsudo\fR |
\fBsudo\fR |
version 1.8.7 and higher. |
version 1.8.7 and higher. |
.PP |
|
.RE |
.RE |
.PD 0 |
|
.TP 10n |
.TP 10n |
max_groups |
max_groups |
The maximum number of user groups to retrieve from the group database. |
The maximum number of user groups to retrieve from the group database. |
Line 390 do not indicate an error when there is a lack of space
|
Line 399 do not indicate an error when there is a lack of space
|
This setting is only available in |
This setting is only available in |
\fBsudo\fR |
\fBsudo\fR |
version 1.8.7 and higher. |
version 1.8.7 and higher. |
.PD | .TP 10n |
| probe_interfaces |
| By default, |
| \fBsudo\fR |
| will probe the system's network interfaces and pass the IP address |
| of each enabled interface to the policy plugin. This makes it |
| possible for the plugin to match rules based on the IP address |
| without having to query DNS. On Linux systems with a large number |
| of virtual interfaces, this may take a non-negligible amount of time. |
| If IP-based matching is not required, network interface probing |
| can be disabled as follows: |
| .nf |
| .sp |
| .RS 16n |
| Set probe_interfaces false |
| .RE |
| .fi |
| .RS 10n |
| .sp |
| This setting is only available in |
| \fBsudo\fR |
| version 1.8.10 and higher. |
| .RE |
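Review bot: The new probe_interfaces entry explains that interface probing is what lets the policy plugin match rules on IP address without consulting DNS, and then says probing "can be disabled" when IP-based matching is not required, but it stops short of stating the consequence: rules that rely on matching the local IP address will no longer match once `Set probe_interfaces false` is in effect. Add a sentence saying so explicitly, and state the default value (the text implies true but does not name it), so that an administrator weighing the Linux virtual-interface slowdown against that loss can make the decision from this page alone. The `.RS 16n` indent and the trailing `.RS 10n ... .RE` block for the version note match the pattern the rest of this diff introduces for the other Set examples, which is good.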
.SS "Debug flags" |
.SS "Debug flags" |
\fBsudo\fR |
\fBsudo\fR |
versions 1.8.4 and higher support a flexible debugging framework |
versions 1.8.4 and higher support a flexible debugging framework |
Line 413 plugin is
|
Line 444 plugin is
|
\fIsubsystem\fR@\fIpriority\fR |
\fIsubsystem\fR@\fIpriority\fR |
but a plugin is free to use a different format so long as it does |
but a plugin is free to use a different format so long as it does |
not include a comma |
not include a comma |
(`\&,'). | (\(oq\&,\(cq). |
.PP |
.PP |
For example: |
For example: |
.nf |
.nf |
Line 472 user conversation
|
Line 503 user conversation
|
\fIedit\fR |
\fIedit\fR |
sudoedit |
sudoedit |
.TP 12n |
.TP 12n |
|
\fIevent\fR |
|
event subsystem |
|
.TP 12n |
\fIexec\fR |
\fIexec\fR |
command execution |
command execution |
.TP 12n |
.TP 12n |
Line 619 search the archives.
|
Line 653 search the archives.
|
.SH "DISCLAIMER" |
.SH "DISCLAIMER" |
\fBsudo\fR |
\fBsudo\fR |
is provided |
is provided |
``AS IS'' | \(lqAS IS\(rq |
and any express or implied warranties, including, but not limited |
and any express or implied warranties, including, but not limited |
to, the implied warranties of merchantability and fitness for a |
to, the implied warranties of merchantability and fitness for a |
particular purpose are disclaimed. |
particular purpose are disclaimed. |