--- embedaddon/sudo/doc/sudo.conf.man.in 2013/10/14 07:56:34 1.1.1.2 +++ embedaddon/sudo/doc/sudo.conf.man.in 2014/06/15 16:12:54 1.1.1.3 @@ -1,7 +1,7 @@ .\" DO NOT EDIT THIS FILE, IT IS NOT THE MASTER! .\" IT IS GENERATED AUTOMATICALLY FROM sudo.conf.mdoc.in .\" -.\" Copyright (c) 2010-2013 Todd C. Miller +.\" Copyright (c) 2010-2014 Todd C. Miller .\" .\" Permission to use, copy, modify, and distribute this software for any .\" purpose with or without fee is hereby granted, provided that the above @@ -16,7 +16,7 @@ .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. .\" ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.TH "SUDO" "5" "August 13, 2013" "Sudo @PACKAGE_VERSION@" "OpenBSD Programmer's Manual" +.TH "SUDO" "5" "January 22, 2014" "Sudo @PACKAGE_VERSION@" "OpenBSD Programmer's Manual" .nh .if n .ad l .SH "NAME" @@ -57,13 +57,13 @@ and the plugin. .PP The pound sign -(`#') +(\(oq#\(cq) is used to indicate a comment. Both the comment character and any text after it, up to the end of the line, are ignored. .PP Long lines can be continued with a backslash -(`\e') +(\(oq\e\(cq) as the last character on the line. Note that leading white space is removed from the beginning of lines even when the continuation character is used. @@ -79,7 +79,7 @@ are silently ignored. The \fBsudo.conf\fR file is always parsed in the -``\fRC\fR'' +\(lq\fRC\fR\(rq locale. .SS "Plugin configuration" \fBsudo\fR @@ -100,14 +100,14 @@ keyword, followed by the \fIsymbol_name\fR and the \fIpath\fR -to the shared object containing the plugin. +to the dynamic shared object that contains the plugin. The \fIsymbol_name\fR is the name of the \fRstruct policy_plugin\fR or \fRstruct io_plugin\fR -in the plugin shared object. +symbol contained in the plugin. The \fIpath\fR may be fully qualified or relative. 
@@ -133,6 +133,20 @@ Plugin sudoers_policy @PLUGINDIR@/sudoers.so .RE .fi .PP +If the plugin was compiled statically into the +\fBsudo\fR +binary instead of being installed as a dynamic shared object, the +\fIpath\fR +should be specified without a leading directory, +as it does not actually exist in the file system. +For example: +.nf +.sp +.RS 6n +Plugin sudoers_policy sudoers.so +.RE +.fi +.PP Starting with \fBsudo\fR 1.8.5, any additional parameters after the @@ -148,9 +162,9 @@ Plugin sudoers_policy sudoers.so sudoers_mode=0440 .RE .fi .PP -The same shared object may contain multiple plugins, each with a -different symbol name. -The shared object file must be owned by uid 0 and only writable by its owner. +The same dynamic shared object may contain multiple plugins, +each with a different symbol name. +The file must be owned by uid 0 and only writable by its owner. Because of ambiguities that arise from composite policies, only a single policy plugin may be specified. This limitation does not apply to I/O plugins. @@ -255,17 +269,17 @@ itself are disabled by default. To aid in debugging \fBsudo\fR crashes, you may wish to re-enable core dumps by setting -``disable_coredump'' +\(lqdisable_coredump\(rq to false in \fBsudo.conf\fR as follows: -.RS .nf .sp -.RS 6n +.RS 16n Set disable_coredump false .RE .fi +.RS 10n .sp Note that most operating systems disable core dumps from setuid programs, including @@ -283,9 +297,7 @@ command is used to configure core dump behavior. This setting is only available in \fBsudo\fR version 1.8.4 and higher. -.PP .RE -.PD 0 .TP 10n group_source \fBsudo\fR @@ -296,9 +308,10 @@ with NFS). On systems with the getconf(1) utility, running: -.RS 6n +.RS 16n getconf NGROUPS_MAX .RE +.RS 10n will return the maximum number of groups. .sp However, it is still possible to be a member of a larger number of 
@@ -319,15 +332,13 @@ setting allows the administrator to change this defaul Supported values for \fIgroup_source\fR are: -.RS -.PD .TP 10n static Use the static group list that the kernel returns. Retrieving the group list this way is very fast but it is subject to an upper limit as described above. It is -``static'' +\(lqstatic\(rq in that it does not reflect changes to the group database made after the user logs in. This was the default behavior prior to @@ -337,7 +348,7 @@ This was the default behavior prior to dynamic Always query the group database directly. It is -``dynamic'' +\(lqdynamic\(rq in that changes made to the group database after the user logs in will be reflected in the group list. On some systems, querying the group database for all of a user's @@ -362,7 +373,7 @@ For example, to cause to only use the kernel's static list of groups for the user: .nf .sp -.RS 6n +.RS 16n Set group_source static .RE .fi @@ -370,9 +381,7 @@ Set group_source static This setting is only available in \fBsudo\fR version 1.8.7 and higher. -.PP .RE -.PD 0 .TP 10n max_groups The maximum number of user groups to retrieve from the group database. 
@@ -390,7 +399,29 @@ do not indicate an error when there is a lack of space This setting is only available in \fBsudo\fR version 1.8.7 and higher. -.PD +.TP 10n +probe_interfaces +By default, +\fBsudo\fR +will probe the system's network interfaces and pass the IP address +of each enabled interface to the policy plugin. This makes it +possible for the plugin to match rules based on the IP address +without having to query DNS. On Linux systems with a large number +of virtual interfaces, this may take a non-negligible amount of time. +If IP-based matching is not required, network interface probing +can be disabled as follows: +.nf +.sp +.RS 16n +Set probe_interfaces false +.RE +.fi +.RS 10n +.sp +This setting is only available in +\fBsudo\fR +version 1.8.10 and higher. +.RE .SS "Debug flags" \fBsudo\fR versions 1.8.4 and higher support a flexible debugging framework @@ -413,7 +444,7 @@ plugin is \fIsubsystem\fR@\fIpriority\fR but a plugin is free to use a different format so long as it does not include a comma -(`\&,'). +(\(oq\&,\(cq). .PP For example: .nf @@ -472,6 +503,9 @@ user conversation \fIedit\fR sudoedit .TP 12n +\fIevent\fR +event subsystem +.TP 12n \fIexec\fR command execution .TP 12n @@ -619,7 +653,7 @@ search the archives. .SH "DISCLAIMER" \fBsudo\fR is provided -``AS IS'' +\(lqAS IS\(rq and any express or implied warranties, including, but not limited to, the implied warranties of merchantability and fitness for a particular purpose are disclaimed.
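Review bot: in the @@ -16,7 +16,7 hunk the .TH line is edited for the date but still titles the page "SUDO" in section 5, although the file is sudo.conf.man.in and the body documents sudo.conf. Consider whether the title should name sudo.conf so the rendered page header matches the page. The header comment says this file is generated from sudo.conf.mdoc.in, so any fix belongs in that master file and this one should be regenerated from it.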
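Review bot: the paragraph added in the @@ -133,6 +133,20 hunk does not explain how a bare name such as "Plugin sudoers_policy sudoers.so" is told apart from a relative path, which the unchanged context still permits ("may be fully qualified or relative"). Please state which one is used when the plugin is compiled into the binary and a file of the same name also exists in the plugin directory, since that decides which code ends up acting as the policy plugin.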
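Review bot: in the @@ -148,9 +162,9 hunk, "The file must be owned by uid 0 and only writable by its owner." has lost its antecedent. The removed line named "The shared object file", and the patch now also documents statically compiled plugins whose path "does not actually exist in the file system", so "The file" can be read as referring to nothing. Suggest "The dynamic shared object file must be owned by uid 0 ..." and a short clause saying whether the requirement applies to a statically compiled plugin, so the ownership rule stays unambiguous.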
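Review bot: the probe_interfaces text added in the @@ -390,7 +399,29 hunk does not say what happens to address-based policy rules once probing is disabled. It offers the setting for cases where "IP-based matching is not required", but an administrator who sets "Set probe_interfaces false" while such rules are still present needs to know whether they stop matching silently, fall back to DNS, or produce an error. Please add one sentence stating the effect. Style point in the same hunk: "plugin. This makes it" and "DNS. On Linux systems" start new sentences mid-line, whereas the rest of the page starts each sentence on its own input line.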