|
version 1.1, 2013/07/22 00:51:37
|
version 1.1.1.3, 2014/06/15 16:12:54
|
|
Line 1
|
Line 1
|
| .\" |
.\" |
| .\" Copyright (c) 2010-2013 Todd C. Miller <Todd.Miller@courtesan.com> | .\" Copyright (c) 2010-2014 Todd C. Miller <Todd.Miller@courtesan.com> |
| .\" |
.\" |
| .\" Permission to use, copy, modify, and distribute this software for any |
.\" Permission to use, copy, modify, and distribute this software for any |
| .\" purpose with or without fee is hereby granted, provided that the above |
.\" purpose with or without fee is hereby granted, provided that the above |
|
Line 14
|
Line 14
|
| .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. |
.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. |
| .\" ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. |
.\" ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. |
| .\" |
.\" |
| .Dd March 14, 2013 | .Dd January 22, 2014 |
| .Dt SUDO @mansectform@ |
.Dt SUDO @mansectform@ |
| .Os Sudo @PACKAGE_VERSION@ |
.Os Sudo @PACKAGE_VERSION@ |
| .Sh NAME |
.Sh NAME |
|
Line 96 keyword, followed by the
|
Line 96 keyword, followed by the
|
| .Em symbol_name |
.Em symbol_name |
| and the |
and the |
| .Em path |
.Em path |
| to the shared object containing the plugin. | to the dynamic shared object that contains the plugin. |
| The |
The |
| .Em symbol_name |
.Em symbol_name |
| is the name of the |
is the name of the |
| .Li struct policy_plugin |
.Li struct policy_plugin |
| or |
or |
| .Li struct io_plugin |
.Li struct io_plugin |
| in the plugin shared object. | symbol contained in the plugin. |
| The |
The |
| .Em path |
.Em path |
| may be fully qualified or relative. |
may be fully qualified or relative. |
| If not fully qualified, it is relative to the | If not fully qualified, it is relative to the directory |
| .Pa @PLUGINDIR@ | specified by the |
| directory. | .Em plugin_dir |
| | .Li Path |
| | setting, which defaults to |
| | .Pa @PLUGINDIR@ . |
| In other words: |
In other words: |
| .Bd -literal -offset indent |
.Bd -literal -offset indent |
| Plugin sudoers_policy sudoers.so |
Plugin sudoers_policy sudoers.so |
|
Line 120 is equivalent to:
|
Line 123 is equivalent to:
|
| Plugin sudoers_policy @PLUGINDIR@/sudoers.so |
Plugin sudoers_policy @PLUGINDIR@/sudoers.so |
| .Ed |
.Ed |
| .Pp |
.Pp |
| |
If the plugin was compiled statically into the |
| |
.Nm sudo |
| |
binary instead of being installed as a dynamic shared object, the |
| |
.Em path |
| |
should be specified without a leading directory, |
| |
as it does not actually exist in the file system. |
| |
For example: |
| |
.Bd -literal -offset indent |
| |
Plugin sudoers_policy sudoers.so |
| |
.Ed |
| |
.Pp |
| Starting with |
Starting with |
| .Nm sudo |
.Nm sudo |
| 1.8.5, any additional parameters after the |
1.8.5, any additional parameters after the |
|
Line 132 For example, to override the compile-time default sudo
|
Line 146 For example, to override the compile-time default sudo
|
| Plugin sudoers_policy sudoers.so sudoers_mode=0440 |
Plugin sudoers_policy sudoers.so sudoers_mode=0440 |
| .Ed |
.Ed |
| .Pp |
.Pp |
| The same shared object may contain multiple plugins, each with a | The same dynamic shared object may contain multiple plugins, |
| different symbol name. | each with a different symbol name. |
| The shared object file must be owned by uid 0 and only writable by its owner. | The file must be owned by uid 0 and only writable by its owner. |
| Because of ambiguities that arise from composite policies, only a single |
Because of ambiguities that arise from composite policies, only a single |
| policy plugin may be specified. |
policy plugin may be specified. |
| This limitation does not apply to I/O plugins. |
This limitation does not apply to I/O plugins. |
|
Line 204 functionality on systems that support
|
Line 218 functionality on systems that support
|
| or its equivalent. |
or its equivalent. |
| The default value is: |
The default value is: |
| .Pa @noexec_file@ . |
.Pa @noexec_file@ . |
| |
.It plugin_dir |
| |
The default directory to use when searching for plugins |
| |
that are specified without a fully qualified path name. |
| |
The default value is |
| |
.Pa @PLUGINDIR@ . |
| .It sesh |
.It sesh |
| The fully-qualified path to the |
The fully-qualified path to the |
| .Nm sesh |
.Nm sesh |
|
Line 327 This setting is only available in
|
Line 346 This setting is only available in
|
| version 1.8.7 and higher. |
version 1.8.7 and higher. |
| .It max_groups |
.It max_groups |
| The maximum number of user groups to retrieve from the group database. |
The maximum number of user groups to retrieve from the group database. |
| |
Values less than one will be ignored. |
| This setting is only used when querying the group database directly. |
This setting is only used when querying the group database directly. |
| It is intended to be used on systems where it is not possible to detect |
It is intended to be used on systems where it is not possible to detect |
| when the array to be populated with group entries is not sufficiently large. |
when the array to be populated with group entries is not sufficiently large. |
|
Line 340 do not indicate an error when there is a lack of space
|
Line 360 do not indicate an error when there is a lack of space
|
| This setting is only available in |
This setting is only available in |
| .Nm sudo |
.Nm sudo |
| version 1.8.7 and higher. |
version 1.8.7 and higher. |
| |
.It probe_interfaces |
| |
By default, |
| |
.Nm sudo |
| |
will probe the system's network interfaces and pass the IP address |
| |
of each enabled interface to the policy plugin. This makes it |
| |
possible for the plugin to match rules based on the IP address |
| |
without having to query DNS. On Linux systems with a large number |
| |
of virtual interfaces, this may take a non-negligible amount of time. |
| |
If IP-based matching is not required, network interface probing |
| |
can be disabled as follows: |
| |
.Bd -literal -offset indent |
| |
Set probe_interfaces false |
| |
.Ed |
| |
.Pp |
| |
This setting is only available in |
| |
.Nm sudo |
| |
version 1.8.10 and higher. |
| .El |
.El |
| .Ss Debug flags |
.Ss Debug flags |
| .Nm sudo |
.Nm sudo |
|
Line 360 debug flag syntax used by
|
Line 397 debug flag syntax used by
|
| and the |
and the |
| .Nm sudoers |
.Nm sudoers |
| plugin is |
plugin is |
| .Em subsystem Ns No @ Ns Em priority | .Em subsystem Ns @ Ns Em priority |
| but a plugin is free to use a different format so long as it does |
but a plugin is free to use a different format so long as it does |
| not include a comma |
not include a comma |
| .Pq Ql \&, . |
.Pq Ql \&, . |
|
Line 415 command line argument processing
|
Line 452 command line argument processing
|
| user conversation |
user conversation |
| .It Em edit |
.It Em edit |
| sudoedit |
sudoedit |
| |
.It Em event |
| |
event subsystem |
| .It Em exec |
.It Em exec |
| command execution |
command execution |
| .It Em main |
.It Em main |
![[BACK]](/icons/cvsweb/back.gif){kind=icon}
Return to sudo.conf.mdoc.in CVS log ![[TXT]](/icons/cvsweb/text.gif){kind=icon}
![[DIR]](/icons/cvsweb/dir.gif){kind=icon}
Up to [ELWIX - Embedded LightWeight unIX -] / embedaddon / sudo / doc