1: SUDO_PLUGIN(1m) MAINTENANCE COMMANDS SUDO_PLUGIN(1m)
2:
3:
4:
5: N�NA�AM�ME�E
6: sudo_plugin - Sudo Plugin API
7:
8: D�DE�ES�SC�CR�RI�IP�PT�TI�IO�ON�N
9: Starting with version 1.8, s�su�ud�do�o supports a plugin API for policy and
10: session logging. By default, the _�s_�u_�d_�o_�e_�r_�s policy plugin and an
11: associated I/O logging plugin are used. Via the plugin API, s�su�ud�do�o can
12: be configured to use alternate policy and/or I/O logging plugins
13: provided by third parties. The plugins to be used are specified via
14: the _�/_�e_�t_�c_�/_�s_�u_�d_�o_�._�c_�o_�n_�f file.
15:
16: The API is versioned with a major and minor number. The minor version
17: number is incremented when additions are made. The major number is
18: incremented when incompatible changes are made. A plugin should be
19: check the version passed to it and make sure that the major version
20: matches.
21:
22: The plugin API is defined by the sudo_plugin.h header file.
23:
24: T�Th�he�e s�su�ud�do�o.�.c�co�on�nf�f F�Fi�il�le�e
25: The _�/_�e_�t_�c_�/_�s_�u_�d_�o_�._�c_�o_�n_�f file contains plugin configuration directives.
26: Currently, the only supported keyword is the Plugin directive, which
27: causes a plugin plugin to be loaded.
28:
29: A Plugin line consists of the Plugin keyword, followed by the
30: _�s_�y_�m_�b_�o_�l_�__�n_�a_�m_�e and the _�p_�a_�t_�h to the shared object containing the plugin.
31: The _�s_�y_�m_�b_�o_�l_�__�n_�a_�m_�e is the name of the struct policy_plugin or struct
32: io_plugin in the plugin shared object. The _�p_�a_�t_�h may be fully qualified
33: or relative. If not fully qualified it is relative to the
34: _�/_�u_�s_�r_�/_�l_�o_�c_�a_�l_�/_�l_�i_�b_�e_�x_�e_�c directory. Any additional parameters after the _�p_�a_�t_�h
35: are ignored. Lines that don't begin with Plugin or Path are silently
36: ignored.
37:
38: The same shared object may contain multiple plugins, each with a
39: different symbol name. The shared object file must be owned by uid 0
40: and only writable by its owner. Because of ambiguities that arise from
41: composite policies, only a single policy plugin may be specified. This
42: limitation does not apply to I/O plugins.
43:
44: #
45: # Default /etc/sudo.conf file
46: #
47: # Format:
48: # Plugin plugin_name plugin_path
49: # Path askpass /path/to/askpass
50: #
51: # The plugin_path is relative to /usr/local/libexec unless
52: # fully qualified.
53: # The plugin_name corresponds to a global symbol in the plugin
54: # that contains the plugin interface structure.
55: #
56: Plugin sudoers_policy sudoers.so
57: Plugin sudoers_io sudoers.so
58:
59: P�Po�ol�li�ic�cy�y P�Pl�lu�ug�gi�in�n A�AP�PI�I
60: A policy plugin must declare and populate a policy_plugin struct in the
61: global scope. This structure contains pointers to the functions that
62: implement the s�su�ud�do�o policy checks. The name of the symbol should be
63: specified in _�/_�e_�t_�c_�/_�s_�u_�d_�o_�._�c_�o_�n_�f along with a path to the plugin so that
64: s�su�ud�do�o can load it.
65:
66: struct policy_plugin {
67: #define SUDO_POLICY_PLUGIN 1
68: unsigned int type; /* always SUDO_POLICY_PLUGIN */
69: unsigned int version; /* always SUDO_API_VERSION */
70: int (*open)(unsigned int version, sudo_conv_t conversation,
71: sudo_printf_t plugin_printf, char * const settings[],
72: char * const user_info[], char * const user_env[]);
73: void (*close)(int exit_status, int error);
74: int (*show_version)(int verbose);
75: int (*check_policy)(int argc, char * const argv[],
76: char *env_add[], char **command_info[],
77: char **argv_out[], char **user_env_out[]);
78: int (*list)(int argc, char * const argv[], int verbose,
79: const char *list_user);
80: int (*validate)(void);
81: void (*invalidate)(int remove);
82: int (*init_session)(struct passwd *pwd);
83: };
84:
85: The policy_plugin struct has the following fields:
86:
87: type
88: The type field should always be set to SUDO_POLICY_PLUGIN.
89:
90: version
91: The version field should be set to SUDO_API_VERSION.
92:
93: This allows s�su�ud�do�o to determine the API version the plugin was built
94: against.
95:
96: open
97: int (*open)(unsigned int version, sudo_conv_t conversation,
98: sudo_printf_t plugin_printf, char * const settings[],
99: char * const user_info[], char * const user_env[]);
100:
101: Returns 1 on success, 0 on failure, -1 if a general error occurred,
102: or -2 if there was a usage error. In the latter case, s�su�ud�do�o will
103: print a usage message before it exits. If an error occurs, the
104: plugin may optionally call the conversation or plugin_printf
105: function with SUDO_CONF_ERROR_MSG to present additional error
106: information to the user.
107:
108: The function arguments are as follows:
109:
110: version
111: The version passed in by s�su�ud�do�o allows the plugin to determine
112: the major and minor version number of the plugin API supported
113: by s�su�ud�do�o.
114:
115: conversation
116: A pointer to the conversation function that can be used by the
117: plugin to interact with the user (see below). Returns 0 on
118: success and -1 on failure.
119:
120: plugin_printf
121: A pointer to a printf-style function that may be used to
122: display informational or error messages (see below). Returns
123: the number of characters printed on success and -1 on failure.
124:
125: settings
126: A vector of user-supplied s�su�ud�do�o settings in the form of
127: "name=value" strings. The vector is terminated by a NULL
128: pointer. These settings correspond to flags the user specified
129: when running s�su�ud�do�o. As such, they will only be present when the
130: corresponding flag has been specified on the command line.
131:
132: When parsing _�s_�e_�t_�t_�i_�n_�g_�s, the plugin should split on the f�fi�ir�rs�st�t
133: equal sign ('=') since the _�n_�a_�m_�e field will never include one
134: itself but the _�v_�a_�l_�u_�e might.
135:
136: debug_level=number
137: A numeric debug level, from 1-9, if specified via the -D
138: flag.
139:
140: runas_user=string
141: The user name or uid to to run the command as, if specified
142: via the -u flag.
143:
144: runas_group=string
145: The group name or gid to to run the command as, if
146: specified via the -g flag.
147:
148: prompt=string
149: The prompt to use when requesting a password, if specified
150: via the -p flag.
151:
152: set_home=bool
153: Set to true if the user specified the -H flag. If true,
154: set the HOME environment variable to the target user's home
155: directory.
156:
157: preserve_environment=bool
158: Set to true if the user specified the -E flag, indicating
159: that the user wishes to preserve the environment.
160:
161: run_shell=bool
162: Set to true if the user specified the -s flag, indicating
163: that the user wishes to run a shell.
164:
165: login_shell=bool
166: Set to true if the user specified the -i flag, indicating
167: that the user wishes to run a login shell.
168:
169: implied_shell=bool
170: If the user does not specify a program on the command line,
171: s�su�ud�do�o will pass the plugin the path to the user's shell and
172: set _�i_�m_�p_�l_�i_�e_�d_�__�s_�h_�e_�l_�l to true. This allows s�su�ud�do�o with no
173: arguments to be used similarly to _�s_�u(1). If the plugin
174: does not to support this usage, it may return a value of -2
175: from the check_policy function, which will cause s�su�ud�do�o to
176: print a usage message and exit.
177:
178: preserve_groups=bool
179: Set to true if the user specified the -P flag, indicating
180: that the user wishes to preserve the group vector instead
181: of setting it based on the runas user.
182:
183: ignore_ticket=bool
184: Set to true if the user specified the -k flag along with a
185: command, indicating that the user wishes to ignore any
186: cached authentication credentials.
187:
188: noninteractive=bool
189: Set to true if the user specified the -n flag, indicating
190: that s�su�ud�do�o should operate in non-interactive mode. The
191: plugin may reject a command run in non-interactive mode if
192: user interaction is required.
193:
194: login_class=string
195: BSD login class to use when setting resource limits and
196: nice value, if specified by the -c flag.
197:
198: selinux_role=string
199: SELinux role to use when executing the command, if
200: specified by the -r flag.
201:
202: selinux_type=string
203: SELinux type to use when executing the command, if
204: specified by the -t flag.
205:
206: bsdauth_type=string
207: Authentication type, if specified by the -a flag, to use on
208: systems where BSD authentication is supported.
209:
210: network_addrs=list
211: A space-separated list of IP network addresses and netmasks
212: in the form "addr/netmask", e.g.
213: "192.168.1.2/255.255.255.0". The address and netmask pairs
214: may be either IPv4 or IPv6, depending on what the operating
215: system supports. If the address contains a colon (':'), it
216: is an IPv6 address, else it is IPv4.
217:
218: progname=string
219: The command name that sudo was run as, typically "sudo" or
220: "sudoedit".
221:
222: sudoedit=bool
223: Set to true when the -e flag is is specified or if invoked
224: as s�su�ud�do�oe�ed�di�it�t. The plugin shall substitute an editor into
225: _�a_�r_�g_�v in the _�c_�h_�e_�c_�k_�__�p_�o_�l_�i_�c_�y function or return -2 with a usage
226: error if the plugin does not support _�s_�u_�d_�o_�e_�d_�i_�t. For more
227: information, see the _�c_�h_�e_�c_�k_�__�p_�o_�l_�i_�c_�y section.
228:
229: closefrom=number
230: If specified, the user has requested via the -C flag that
231: s�su�ud�do�o close all files descriptors with a value of _�n_�u_�m_�b_�e_�r or
232: higher. The plugin may optionally pass this, or another
233: value, back in the _�c_�o_�m_�m_�a_�n_�d_�__�i_�n_�f_�o list.
234:
235: Additional settings may be added in the future so the plugin
236: should silently ignore settings that it does not recognize.
237:
238: user_info
239: A vector of information about the user running the command in
240: the form of "name=value" strings. The vector is terminated by
241: a NULL pointer.
242:
243: When parsing _�u_�s_�e_�r_�__�i_�n_�f_�o, the plugin should split on the f�fi�ir�rs�st�t
244: equal sign ('=') since the _�n_�a_�m_�e field will never include one
245: itself but the _�v_�a_�l_�u_�e might.
246:
247: user=string
248: The name of the user invoking s�su�ud�do�o.
249:
250: uid=uid_t
251: The real user ID of the user invoking s�su�ud�do�o.
252:
253: gid=gid_t
254: The real group ID of the user invoking s�su�ud�do�o.
255:
256: groups=list
257: The user's supplementary group list formatted as a string
258: of comma-separated group IDs.
259:
260: cwd=string
261: The user's current working directory.
262:
263: tty=string
264: The path to the user's terminal device. If the user has no
265: terminal device associated with the session, the value will
266: be empty, as in tty=.
267:
268: host=string
269: The local machine's hostname as returned by the
270: gethostname() system call.
271:
272: lines=int
273: The number of lines the user's terminal supports. If there
274: is no terminal device available, a default value of 24 is
275: used.
276:
277: cols=int
278: The number of columns the user's terminal supports. If
279: there is no terminal device available, a default value of
280: 80 is used.
281:
282: user_env
283: The user's environment in the form of a NULL-terminated vector
284: of "name=value" strings.
285:
286: When parsing _�u_�s_�e_�r_�__�e_�n_�v, the plugin should split on the f�fi�ir�rs�st�t
287: equal sign ('=') since the _�n_�a_�m_�e field will never include one
288: itself but the _�v_�a_�l_�u_�e might.
289:
290: close
291: void (*close)(int exit_status, int error);
292:
293: The close function is called when the command being run by s�su�ud�do�o
294: finishes.
295:
296: The function arguments are as follows:
297:
298: exit_status
299: The command's exit status, as returned by the _�w_�a_�i_�t(2) system
300: call. The value of exit_status is undefined if error is non-
301: zero.
302:
303: error
304: If the command could not be executed, this is set to the value
305: of errno set by the _�e_�x_�e_�c_�v_�e(2) system call. The plugin is
306: responsible for displaying error information via the
307: conversation or plugin_printf function. If the command was
308: successfully executed, the value of error is 0.
309:
310: show_version
311: int (*show_version)(int verbose);
312:
313: The show_version function is called by s�su�ud�do�o when the user specifies
314: the -V option. The plugin may display its version information to
315: the user via the conversation or plugin_printf function using
316: SUDO_CONV_INFO_MSG. If the user requests detailed version
317: information, the verbose flag will be set.
318:
319: check_policy
320: int (*check_policy)(int argc, char * const argv[]
321: char *env_add[], char **command_info[],
322: char **argv_out[], char **user_env_out[]);
323:
324: The _�c_�h_�e_�c_�k_�__�p_�o_�l_�i_�c_�y function is called by s�su�ud�do�o to determine whether
325: the user is allowed to run the specified commands.
326:
327: If the _�s_�u_�d_�o_�e_�d_�i_�t option was enabled in the _�s_�e_�t_�t_�i_�n_�g_�s array passed to
328: the _�o_�p_�e_�n function, the user has requested _�s_�u_�d_�o_�e_�d_�i_�t mode. _�s_�u_�d_�o_�e_�d_�i_�t
329: is a mechanism for editing one or more files where an editor is run
330: with the user's credentials instead of with elevated privileges.
331: s�su�ud�do�o achieves this by creating user-writable temporary copies of
332: the files to be edited and then overwriting the originals with the
333: temporary copies after editing is complete. If the plugin supports
334: s�su�ud�do�oe�ed�di�it�t, it should choose the editor to be used, potentially from
335: a variable in the user's environment, such as EDITOR, and include
336: it in _�a_�r_�g_�v_�__�o_�u_�t (note that environment variables may include command
337: line flags). The files to be edited should be copied from _�a_�r_�g_�v
338: into _�a_�r_�g_�v_�__�o_�u_�t, separated from the editor and its arguments by a
339: "--" element. The "--" will be removed by s�su�ud�do�o before the editor
340: is executed. The plugin should also set _�s_�u_�d_�o_�e_�d_�i_�t_�=_�t_�r_�u_�e in the
341: _�c_�o_�m_�m_�a_�n_�d_�__�i_�n_�f_�o list.
342:
343: The _�c_�h_�e_�c_�k_�__�p_�o_�l_�i_�c_�y function returns 1 if the command is allowed, 0 if
344: not allowed, -1 for a general error, or -2 for a usage error or if
345: s�su�ud�do�oe�ed�di�it�t was specified but is unsupported by the plugin. In the
346: latter case, s�su�ud�do�o will print a usage message before it exits. If
347: an error occurs, the plugin may optionally call the conversation or
348: plugin_printf function with SUDO_CONF_ERROR_MSG to present
349: additional error information to the user.
350:
351: The function arguments are as follows:
352:
353: argc
354: The number of elements in _�a_�r_�g_�v, not counting the final NULL
355: pointer.
356:
357: argv
358: The argument vector describing the command the user wishes to
359: run, in the same form as what would be passed to the _�e_�x_�e_�c_�v_�e_�(_�)
360: system call. The vector is terminated by a NULL pointer.
361:
362: env_add
363: Additional environment variables specified by the user on the
364: command line in the form of a NULL-terminated vector of
365: "name=value" strings. The plugin may reject the command if one
366: or more variables are not allowed to be set, or it may silently
367: ignore such variables.
368:
369: When parsing _�e_�n_�v_�__�a_�d_�d, the plugin should split on the f�fi�ir�rs�st�t
370: equal sign ('=') since the _�n_�a_�m_�e field will never include one
371: itself but the _�v_�a_�l_�u_�e might.
372:
373: command_info
374: Information about the command being run in the form of
375: "name=value" strings. These values are used by s�su�ud�do�o to set the
376: execution environment when running a command. The plugin is
377: responsible for creating and populating the vector, which must
378: be terminated with a NULL pointer. The following values are
379: recognized by s�su�ud�do�o:
380:
381: command=string
382: Fully qualified path to the command to be executed.
383:
384: runas_uid=uid
385: User ID to run the command as.
386:
387: runas_euid=uid
388: Effective user ID to run the command as. If not specified,
389: the value of _�r_�u_�n_�a_�s_�__�u_�i_�d is used.
390:
391: runas_gid=gid
392: Group ID to run the command as.
393:
394: runas_egid=gid
395: Effective group ID to run the command as. If not
396: specified, the value of _�r_�u_�n_�a_�s_�__�g_�i_�d is used.
397:
398: runas_groups=list
399: The supplementary group vector to use for the command in
400: the form of a comma-separated list of group IDs. If
401: _�p_�r_�e_�s_�e_�r_�v_�e_�__�g_�r_�o_�u_�p_�s is set, this option is ignored.
402:
403: login_class=string
404: BSD login class to use when setting resource limits and
405: nice value (optional). This option is only set on systems
406: that support login classes.
407:
408: preserve_groups=bool
409: If set, s�su�ud�do�o will preserve the user's group vector instead
410: of initializing the group vector based on runas_user.
411:
412: cwd=string
413: The current working directory to change to when executing
414: the command.
415:
416: noexec=bool
417: If set, prevent the command from executing other programs.
418:
419: chroot=string
420: The root directory to use when running the command.
421:
422: nice=int
423: Nice value (priority) to use when executing the command.
424: The nice value, if specified, overrides the priority
425: associated with the _�l_�o_�g_�i_�n_�__�c_�l_�a_�s_�s on BSD systems.
426:
427: umask=octal
428: The file creation mask to use when executing the command.
429:
430: selinux_role=string
431: SELinux role to use when executing the command.
432:
433: selinux_type=string
434: SELinux type to use when executing the command.
435:
436: timeout=int
437: Command timeout. If non-zero then when the timeout expires
438: the command will be killed.
439:
440: sudoedit=bool
441: Set to true when in _�s_�u_�d_�o_�e_�d_�i_�t mode. The plugin may enable
442: _�s_�u_�d_�o_�e_�d_�i_�t mode even if s�su�ud�do�o was not invoked as s�su�ud�do�oe�ed�di�it�t.
443: This allows the plugin to perform command substitution and
444: transparently enable _�s_�u_�d_�o_�e_�d_�i_�t when the user attempts to run
445: an editor.
446:
447: closefrom=number
448: If specified, s�su�ud�do�o will close all files descriptors with a
449: value of _�n_�u_�m_�b_�e_�r or higher.
450:
451: iolog_compress=bool
452: Set to true if the I/O logging plugins, if any, should
453: compress the log data. This is a hint to the I/O logging
454: plugin which may choose to ignore it.
455:
456: iolog_path=string
457: Fully qualified path to the file or directory in which I/O
458: log is to be stored. This is a hint to the I/O logging
459: plugin which may choose to ignore it. If no I/O logging
460: plugin is loaded, this setting has no effect.
461:
462: iolog_stdin=bool
463: Set to true if the I/O logging plugins, if any, should log
464: the standard input if it is not connected to a terminal
465: device. This is a hint to the I/O logging plugin which may
466: choose to ignore it.
467:
468: iolog_stdout=bool
469: Set to true if the I/O logging plugins, if any, should log
470: the standard output if it is not connected to a terminal
471: device. This is a hint to the I/O logging plugin which may
472: choose to ignore it.
473:
474: iolog_stderr=bool
475: Set to true if the I/O logging plugins, if any, should log
476: the standard error if it is not connected to a terminal
477: device. This is a hint to the I/O logging plugin which may
478: choose to ignore it.
479:
480: iolog_ttyin=bool
481: Set to true if the I/O logging plugins, if any, should log
482: all terminal input. This only includes input typed by the
483: user and not from a pipe or redirected from a file. This
484: is a hint to the I/O logging plugin which may choose to
485: ignore it.
486:
487: iolog_ttyout=bool
488: Set to true if the I/O logging plugins, if any, should log
489: all terminal output. This only includes output to the
490: screen, not output to a pipe or file. This is a hint to
491: the I/O logging plugin which may choose to ignore it.
492:
493: use_pty=bool
494: Allocate a pseudo-tty to run the command in, regardless of
495: whether or not I/O logging is in use. By default, s�su�ud�do�o
496: will only run the command in a pty when an I/O log plugin
497: is loaded.
498:
499: set_utmp=bool
500: Create a utmp (or utmpx) entry when a pseudo-tty is
501: allocated. By default, the new entry will be a copy of the
502: user's existing utmp entry (if any), with the tty, time,
503: type and pid fields updated.
504:
505: utmp_user=string
506: User name to use when constructing a new utmp (or utmpx)
507: entry when _�s_�e_�t_�__�u_�t_�m_�p is enabled. This option can be used to
508: set the user field in the utmp entry to the user the
509: command runs as rather than the invoking user. If not set,
510: s�su�ud�do�o will base the new entry on the invoking user's
511: existing entry.
512:
513: Unsupported values will be ignored.
514:
515: argv_out
516: The NULL-terminated argument vector to pass to the _�e_�x_�e_�c_�v_�e_�(_�)
517: system call when executing the command. The plugin is
518: responsible for allocating and populating the vector.
519:
520: user_env_out
521: The NULL-terminated environment vector to use when executing
522: the command. The plugin is responsible for allocating and
523: populating the vector.
524:
525: list
526: int (*list)(int verbose, const char *list_user,
527: int argc, char * const argv[]);
528:
529: List available privileges for the invoking user. Returns 1 on
530: success, 0 on failure and -1 on error. On error, the plugin may
531: optionally call the conversation or plugin_printf function with
532: SUDO_CONF_ERROR_MSG to present additional error information to the
533: user.
534:
535: Privileges should be output via the conversation or plugin_printf
536: function using SUDO_CONV_INFO_MSG.
537:
538: verbose
539: Flag indicating whether to list in verbose mode or not.
540:
541: list_user
542: The name of a different user to list privileges for if the
543: policy allows it. If NULL, the plugin should list the
544: privileges of the invoking user.
545:
546: argc
547: The number of elements in _�a_�r_�g_�v, not counting the final NULL
548: pointer.
549:
550: argv
551: If non-NULL, an argument vector describing a command the user
552: wishes to check against the policy in the same form as what
553: would be passed to the _�e_�x_�e_�c_�v_�e_�(_�) system call. If the command is
554: permitted by the policy, the fully-qualified path to the
555: command should be displayed along with any command line
556: arguments.
557:
558: validate
559: int (*validate)(void);
560:
561: The validate function is called when s�su�ud�do�o is run with the -v flag.
562: For policy plugins such as _�s_�u_�d_�o_�e_�r_�s that cache authentication
563: credentials, this function will validate and cache the credentials.
564:
565: The validate function should be NULL if the plugin does not support
566: credential caching.
567:
568: Returns 1 on success, 0 on failure and -1 on error. On error, the
569: plugin may optionally call the conversation or plugin_printf
570: function with SUDO_CONF_ERROR_MSG to present additional error
571: information to the user.
572:
573: invalidate
574: void (*invalidate)(int remove);
575:
576: The invalidate function is called when s�su�ud�do�o is called with the -k
577: or -K flag. For policy plugins such as _�s_�u_�d_�o_�e_�r_�s that cache
578: authentication credentials, this function will invalidate the
579: credentials. If the _�r_�e_�m_�o_�v_�e flag is set, the plugin may remove the
580: credentials instead of simply invalidating them.
581:
582: The invalidate function should be NULL if the plugin does not
583: support credential caching.
584:
585: init_session
586: int (*init_session)(struct passwd *pwd);
587:
588: The init_session function is called when s�su�ud�do�o sets up the execution
589: environment for the command, immediately before the contents of the
590: _�c_�o_�m_�m_�a_�n_�d_�__�i_�n_�f_�o list are applied (before the uid changes). This can
591: be used to do session setup that is not supported by _�c_�o_�m_�m_�a_�n_�d_�__�i_�n_�f_�o,
592: such as opening the PAM session.
593:
594: The _�p_�w_�d argument points to a passwd struct for the user the command
595: will be run as if the uid the command will run as was found in the
596: password database, otherwise it will be NULL.
597:
598: Returns 1 on success, 0 on failure and -1 on error. On error, the
599: plugin may optionally call the conversation or plugin_printf
600: function with SUDO_CONF_ERROR_MSG to present additional error
601: information to the user.
602:
603: _�V_�e_�r_�s_�i_�o_�n _�m_�a_�c_�r_�o_�s
604:
605: #define SUDO_API_VERSION_GET_MAJOR(v) ((v) >> 16)
606: #define SUDO_API_VERSION_GET_MINOR(v) ((v) & 0xffff)
607: #define SUDO_API_VERSION_SET_MAJOR(vp, n) do { \
608: *(vp) = (*(vp) & 0x0000ffff) | ((n) << 16); \
609: } while(0)
610: #define SUDO_VERSION_SET_MINOR(vp, n) do { \
611: *(vp) = (*(vp) & 0xffff0000) | (n); \
612: } while(0)
613:
614: #define SUDO_API_VERSION_MAJOR 1
615: #define SUDO_API_VERSION_MINOR 0
616: #define SUDO_API_VERSION ((SUDO_API_VERSION_MAJOR << 16) | \
617: SUDO_API_VERSION_MINOR)
618:
619: I�I/�/O�O P�Pl�lu�ug�gi�in�n A�AP�PI�I
620: struct io_plugin {
621: #define SUDO_IO_PLUGIN 2
622: unsigned int type; /* always SUDO_IO_PLUGIN */
623: unsigned int version; /* always SUDO_API_VERSION */
624: int (*open)(unsigned int version, sudo_conv_t conversation
625: sudo_printf_t plugin_printf, char * const settings[],
626: char * const user_info[], int argc, char * const argv[],
627: char * const user_env[]);
628: void (*close)(int exit_status, int error); /* wait status or error */
629: int (*show_version)(int verbose);
630: int (*log_ttyin)(const char *buf, unsigned int len);
631: int (*log_ttyout)(const char *buf, unsigned int len);
632: int (*log_stdin)(const char *buf, unsigned int len);
633: int (*log_stdout)(const char *buf, unsigned int len);
634: int (*log_stderr)(const char *buf, unsigned int len);
635: };
636:
637: When an I/O plugin is loaded, s�su�ud�do�o runs the command in a pseudo-tty.
638: This makes it possible to log the input and output from the user's
639: session. If any of the standard input, standard output or standard
640: error do not correspond to a tty, s�su�ud�do�o will open a pipe to capture the
641: I/O for logging before passing it on.
642:
643: The log_ttyin function receives the raw user input from the terminal
644: device (note that this will include input even when echo is disabled,
645: such as when a password is read). The log_ttyout function receives
646: output from the pseudo-tty that is suitable for replaying the user's
647: session at a later time. The log_stdin, log_stdout and log_stderr
648: functions are only called if the standard input, standard output or
649: standard error respectively correspond to something other than a tty.
650:
651: Any of the logging functions may be set to the NULL pointer if no
652: logging is to be performed. If the open function returns 0, no I/O
653: will be sent to the plugin.
654:
655: The io_plugin struct has the following fields:
656:
657: type
658: The type field should always be set to SUDO_IO_PLUGIN
659:
660: version
661: The version field should be set to SUDO_API_VERSION.
662:
663: This allows s�su�ud�do�o to determine the API version the plugin was built
664: against.
665:
666: open
667: int (*open)(unsigned int version, sudo_conv_t conversation
668: sudo_printf_t plugin_printf, char * const settings[],
669: char * const user_info[], int argc, char * const argv[],
670: char * const user_env[]);
671:
672: The _�o_�p_�e_�n function is run before the _�l_�o_�g_�__�i_�n_�p_�u_�t, _�l_�o_�g_�__�o_�u_�t_�p_�u_�t or
673: _�s_�h_�o_�w_�__�v_�e_�r_�s_�i_�o_�n functions are called. It is only called if the
674: version is being requested or the _�c_�h_�e_�c_�k_�__�p_�o_�l_�i_�c_�y function has
675: returned successfully. It returns 1 on success, 0 on failure, -1
676: if a general error occurred, or -2 if there was a usage error. In
677: the latter case, s�su�ud�do�o will print a usage message before it exits.
678: If an error occurs, the plugin may optionally call the conversation
679: or plugin_printf function with SUDO_CONF_ERROR_MSG to present
680: additional error information to the user.
681:
682: The function arguments are as follows:
683:
684: version
685: The version passed in by s�su�ud�do�o allows the plugin to determine
686: the major and minor version number of the plugin API supported
687: by s�su�ud�do�o.
688:
689: conversation
690: A pointer to the conversation function that may be used by the
691: _�s_�h_�o_�w_�__�v_�e_�r_�s_�i_�o_�n function to display version information (see
692: show_version below). The conversation function may also be
693: used to display additional error message to the user. The
694: conversation function returns 0 on success and -1 on failure.
695:
696: plugin_printf
697: A pointer to a printf-style function that may be used by the
698: _�s_�h_�o_�w_�__�v_�e_�r_�s_�i_�o_�n function to display version information (see
699: show_version below). The plugin_printf function may also be
700: used to display additional error message to the user. The
701: plugin_printf function returns number of characters printed on
702: success and -1 on failure.
703:
704: settings
705: A vector of user-supplied s�su�ud�do�o settings in the form of
706: "name=value" strings. The vector is terminated by a NULL
707: pointer. These settings correspond to flags the user specified
708: when running s�su�ud�do�o. As such, they will only be present when the
709: corresponding flag has been specified on the command line.
710:
711: When parsing _�s_�e_�t_�t_�i_�n_�g_�s, the plugin should split on the f�fi�ir�rs�st�t
712: equal sign ('=') since the _�n_�a_�m_�e field will never include one
713: itself but the _�v_�a_�l_�u_�e might.
714:
715: See the "Policy Plugin API" section for a list of all possible
716: settings.
717:
718: user_info
719: A vector of information about the user running the command in
720: the form of "name=value" strings. The vector is terminated by
721: a NULL pointer.
722:
723: When parsing _�u_�s_�e_�r_�__�i_�n_�f_�o, the plugin should split on the f�fi�ir�rs�st�t
724: equal sign ('=') since the _�n_�a_�m_�e field will never include one
725: itself but the _�v_�a_�l_�u_�e might.
726:
727: See the "Policy Plugin API" section for a list of all possible
728: strings.
729:
730: argc
731: The number of elements in _�a_�r_�g_�v, not counting the final NULL
732: pointer.
733:
734: argv
735: If non-NULL, an argument vector describing a command the user
736: wishes to run in the same form as what would be passed to the
737: _�e_�x_�e_�c_�v_�e_�(_�) system call.
738:
739: user_env
740: The user's environment in the form of a NULL-terminated vector
741: of "name=value" strings.
742:
743: When parsing _�u_�s_�e_�r_�__�e_�n_�v, the plugin should split on the f�fi�ir�rs�st�t
744: equal sign ('=') since the _�n_�a_�m_�e field will never include one
745: itself but the _�v_�a_�l_�u_�e might.
746:
747: close
748: void (*close)(int exit_status, int error);
749:
750: The close function is called when the command being run by s�su�ud�do�o
751: finishes.
752:
753: The function arguments are as follows:
754:
755: exit_status
756: The command's exit status, as returned by the _�w_�a_�i_�t(2) system
757: call. The value of exit_status is undefined if error is non-
758: zero.
759:
760: error
761: If the command could not be executed, this is set to the value
762: of errno set by the _�e_�x_�e_�c_�v_�e(2) system call. If the command was
763: successfully executed, the value of error is 0.
764:
765: show_version
766: int (*show_version)(int verbose);
767:
768: The show_version function is called by s�su�ud�do�o when the user specifies
769: the -V option. The plugin may display its version information to
770: the user via the conversation or plugin_printf function using
771: SUDO_CONV_INFO_MSG. If the user requests detailed version
772: information, the verbose flag will be set.
773:
774: log_ttyin
775: int (*log_ttyin)(const char *buf, unsigned int len);
776:
777: The _�l_�o_�g_�__�t_�t_�y_�i_�n function is called whenever data can be read from the
778: user but before it is passed to the running command. This allows
779: the plugin to reject data if it chooses to (for instance if the
780: input contains banned content). Returns 1 if the data should be
781: passed to the command, 0 if the data is rejected (which will
782: terminate the command) or -1 if an error occurred.
783:
784: The function arguments are as follows:
785:
786: buf The buffer containing user input.
787:
788: len The length of _�b_�u_�f in bytes.
789:
790: log_ttyout
791: int (*log_ttyout)(const char *buf, unsigned int len);
792:
793: The _�l_�o_�g_�__�t_�t_�y_�o_�u_�t function is called whenever data can be read from
794: the command but before it is written to the user's terminal. This
795: allows the plugin to reject data if it chooses to (for instance if
796: the output contains banned content). Returns 1 if the data should
797: be passed to the user, 0 if the data is rejected (which will
798: terminate the command) or -1 if an error occurred.
799:
800: The function arguments are as follows:
801:
802: buf The buffer containing command output.
803:
804: len The length of _�b_�u_�f in bytes.
805:
806: log_stdin
807: int (*log_stdin)(const char *buf, unsigned int len);
808:
809: The _�l_�o_�g_�__�s_�t_�d_�i_�n function is only used if the standard input does not
810: correspond to a tty device. It is called whenever data can be read
811: from the standard input but before it is passed to the running
812: command. This allows the plugin to reject data if it chooses to
813: (for instance if the input contains banned content). Returns 1 if
814: the data should be passed to the command, 0 if the data is rejected
815: (which will terminate the command) or -1 if an error occurred.
816:
817: The function arguments are as follows:
818:
819: buf The buffer containing user input.
820:
821: len The length of _�b_�u_�f in bytes.
822:
823: log_stdout
824: int (*log_stdout)(const char *buf, unsigned int len);
825:
826: The _�l_�o_�g_�__�s_�t_�d_�o_�u_�t function is only used if the standard output does
827: not correspond to a tty device. It is called whenever data can be
828: read from the command but before it is written to the standard
829: output. This allows the plugin to reject data if it chooses to
830: (for instance if the output contains banned content). Returns 1 if
831: the data should be passed to the user, 0 if the data is rejected
832: (which will terminate the command) or -1 if an error occurred.
833:
834: The function arguments are as follows:
835:
836: buf The buffer containing command output.
837:
838: len The length of _�b_�u_�f in bytes.
839:
840: log_stderr
841: int (*log_stderr)(const char *buf, unsigned int len);
842:
843: The _�l_�o_�g_�__�s_�t_�d_�e_�r_�r function is only used if the standard error does not
844: correspond to a tty device. It is called whenever data can be read
845: from the command but before it is written to the standard error.
846: This allows the plugin to reject data if it chooses to (for
847: instance if the output contains banned content). Returns 1 if the
848: data should be passed to the user, 0 if the data is rejected (which
849: will terminate the command) or -1 if an error occurred.
850:
851: The function arguments are as follows:
852:
853: buf The buffer containing command output.
854:
855: len The length of _�b_�u_�f in bytes.
856:
857: _�V_�e_�r_�s_�i_�o_�n _�m_�a_�c_�r_�o_�s
858:
859: Same as for the "Policy Plugin API".
860:
861: C�Co�on�nv�ve�er�rs�sa�at�ti�io�on�n A�AP�PI�I
862: If the plugin needs to interact with the user, it may do so via the
863: conversation function. A plugin should not attempt to read directly
864: from the standard input or the user's tty (neither of which are
865: guaranteed to exist). The caller must include a trailing newline in
866: msg if one is to be printed.
867:
868: A printf-style function is also available that can be used to display
869: informational or error messages to the user, which is usually more
870: convenient for simple messages where no use input is required.
871:
872: struct sudo_conv_message {
873: #define SUDO_CONV_PROMPT_ECHO_OFF 0x0001 /* do not echo user input */
874: #define SUDO_CONV_PROMPT_ECHO_ON 0x0002 /* echo user input */
875: #define SUDO_CONV_ERROR_MSG 0x0003 /* error message */
876: #define SUDO_CONV_INFO_MSG 0x0004 /* informational message */
877: #define SUDO_CONV_PROMPT_MASK 0x0005 /* mask user input */
878: #define SUDO_CONV_PROMPT_ECHO_OK 0x1000 /* flag: allow echo if no tty */
879: int msg_type;
880: int timeout;
881: const char *msg;
882: };
883:
884: struct sudo_conv_reply {
885: char *reply;
886: };
887:
888: typedef int (*sudo_conv_t)(int num_msgs,
889: const struct sudo_conv_message msgs[],
890: struct sudo_conv_reply replies[]);
891:
892: typedef int (*sudo_printf_t)(int msg_type, const char *fmt, ...);
893:
894: Pointers to the conversation and printf-style functions are passed in
895: to the plugin's open function when the plugin is initialized.
896:
897: To use the conversation function, the plugin must pass an array of
898: sudo_conv_message and sudo_conv_reply structures. There must be a
899: struct sudo_conv_message and struct sudo_conv_reply for each message in
900: the conversation. The plugin is responsible for freeing the reply
901: buffer filled in to the struct sudo_conv_reply, if any.
902:
903: The printf-style function uses the same underlying mechanism as the
904: conversation function but only supports SUDO_CONV_INFO_MSG and
905: SUDO_CONV_ERROR_MSG for the _�m_�s_�g_�__�t_�y_�p_�e parameter. It can be more
906: convenient than using the conversation function if no user reply is
907: needed and supports standard _�p_�r_�i_�n_�t_�f_�(_�) escape sequences.
908:
909: See the sample plugin for an example of the conversation function
910: usage.
911:
912: S�Su�ud�do�oe�er�rs�s G�Gr�ro�ou�up�p P�Pl�lu�ug�gi�in�n A�AP�PI�I
913: The _�s_�u_�d_�o_�e_�r_�s module supports a plugin interface to allow non-Unix group
914: lookups. This can be used to query a group source other than the
915: standard Unix group database. A sample group plugin is bundled with
916: s�su�ud�do�o that implements file-based lookups. Third party group plugins
917: include a QAS AD plugin available from Quest Software.
918:
919: A group plugin must declare and populate a sudoers_group_plugin struct
920: in the global scope. This structure contains pointers to the functions
921: that implement plugin initialization, cleanup and group lookup.
922:
923: struct sudoers_group_plugin {
924: unsigned int version;
925: int (*init)(int version, sudo_printf_t sudo_printf,
926: char *const argv[]);
927: void (*cleanup)(void);
928: int (*query)(const char *user, const char *group,
929: const struct passwd *pwd);
930: };
931:
932: The sudoers_group_plugin struct has the following fields:
933:
934: version
935: The version field should be set to GROUP_API_VERSION.
936:
937: This allows _�s_�u_�d_�o_�e_�r_�s to determine the API version the group plugin
938: was built against.
939:
940: init
941: int (*init)(int version, sudo_printf_t plugin_printf,
942: char *const argv[]);
943:
944: The _�i_�n_�i_�t function is called after _�s_�u_�d_�o_�e_�r_�s has been parsed but
945: before any policy checks. It returns 1 on success, 0 on failure
946: (or if the plugin is not configured), and -1 if a error occurred.
947: If an error occurs, the plugin may call the plugin_printf function
948: with SUDO_CONF_ERROR_MSG to present additional error information to
949: the user.
950:
951: The function arguments are as follows:
952:
953: version
954: The version passed in by _�s_�u_�d_�o_�e_�r_�s allows the plugin to determine
955: the major and minor version number of the group plugin API
956: supported by _�s_�u_�d_�o_�e_�r_�s.
957:
958: plugin_printf
959: A pointer to a printf-style function that may be used to
960: display informational or error message to the user. Returns
961: the number of characters printed on success and -1 on failure.
962:
963: argv
964: A NULL-terminated array of arguments generated from the
965: _�g_�r_�o_�u_�p_�__�p_�l_�u_�g_�i_�n option in _�s_�u_�d_�o_�e_�r_�s. If no arguments were given,
966: _�a_�r_�g_�v will be NULL.
967:
968: cleanup
969: void (*cleanup)();
970:
971: The _�c_�l_�e_�a_�n_�u_�p function is called when _�s_�u_�d_�o_�e_�r_�s has finished its group
972: checks. The plugin should free any memory it has allocated and
973: close open file handles.
974:
975: query
976: int (*query)(const char *user, const char *group,
977: const struct passwd *pwd);
978:
979: The _�q_�u_�e_�r_�y function is used to ask the group plugin whether _�u_�s_�e_�r is
980: a member of _�g_�r_�o_�u_�p.
981:
982: The function arguments are as follows:
983:
984: user
985: The name of the user being looked up in the external group
986: database.
987:
988: group
989: The name of the group being queried.
990:
991: pwd The password database entry for _�u_�s_�e_�r, if any. If _�u_�s_�e_�r is not
992: present in the password database, _�p_�w_�d will be NULL.
993:
994: _�V_�e_�r_�s_�i_�o_�n _�M_�a_�c_�r_�o_�s
995:
996: /* Sudoers group plugin version major/minor */
997: #define GROUP_API_VERSION_MAJOR 1
998: #define GROUP_API_VERSION_MINOR 0
999: #define GROUP_API_VERSION ((GROUP_API_VERSION_MAJOR << 16) | \
1000: GROUP_API_VERSION_MINOR)
1001:
1002: /* Getters and setters for group version */
1003: #define GROUP_API_VERSION_GET_MAJOR(v) ((v) >> 16)
1004: #define GROUP_API_VERSION_GET_MINOR(v) ((v) & 0xffff)
1005: #define GROUP_API_VERSION_SET_MAJOR(vp, n) do { \
1006: *(vp) = (*(vp) & 0x0000ffff) | ((n) << 16); \
1007: } while(0)
1008: #define GROUP_API_VERSION_SET_MINOR(vp, n) do { \
1009: *(vp) = (*(vp) & 0xffff0000) | (n); \
1010: } while(0)
1011:
1012: S�SE�EE�E A�AL�LS�SO�O
1013: _�s_�u_�d_�o_�e_�r_�s(4), _�s_�u_�d_�o(1m)
1014:
1015: B�BU�UG�GS�S
1016: If you feel you have found a bug in s�su�ud�do�o, please submit a bug report at
1017: http://www.sudo.ws/sudo/bugs/
1018:
1019: S�SU�UP�PP�PO�OR�RT�T
1020: Limited free support is available via the sudo-workers mailing list,
1021: see http://www.sudo.ws/mailman/listinfo/sudo-workers to subscribe or
1022: search the archives.
1023:
1024: D�DI�IS�SC�CL�LA�AI�IM�ME�ER�R
1025: s�su�ud�do�o is provided ``AS IS'' and any express or implied warranties,
1026: including, but not limited to, the implied warranties of
1027: merchantability and fitness for a particular purpose are disclaimed.
1028: See the LICENSE file distributed with s�su�ud�do�o or
1029: http://www.sudo.ws/sudo/license.html for complete details.
1030:
1031:
1032:
1033: 1.8.3 September 16, 2011 SUDO_PLUGIN(1m)
FreeBSD-CVSweb <freebsd-cvsweb@FreeBSD.org>
![[BACK]](/icons/cvsweb/back.gif){kind=icon}
Return to sudo_plugin.cat CVS log ![[TXT]](/icons/cvsweb/text.gif){kind=icon}
![[DIR]](/icons/cvsweb/dir.gif){kind=icon}
Up to [ELWIX - Embedded LightWeight unIX -] / embedaddon / sudo / doc