1: SUDO_PLUGIN(1m) MAINTENANCE COMMANDS SUDO_PLUGIN(1m)
2:
3:
4:
5: N�NA�AM�ME�E
6: sudo_plugin - Sudo Plugin API
7:
8: D�DE�ES�SC�CR�RI�IP�PT�TI�IO�ON�N
9: Starting with version 1.8, s�su�ud�do�o supports a plugin API for policy and
10: session logging. By default, the _�s_�u_�d_�o_�e_�r_�s policy plugin and an
11: associated I/O logging plugin are used. Via the plugin API, s�su�ud�do�o can
12: be configured to use alternate policy and/or I/O logging plugins
13: provided by third parties. The plugins to be used are specified via
14: the _�/_�e_�t_�c_�/_�s_�u_�d_�o_�._�c_�o_�n_�f file.
15:
16: The API is versioned with a major and minor number. The minor version
17: number is incremented when additions are made. The major number is
18: incremented when incompatible changes are made. A plugin should be
19: check the version passed to it and make sure that the major version
20: matches.
21:
22: The plugin API is defined by the sudo_plugin.h header file.
23:
24: T�Th�he�e s�su�ud�do�o.�.c�co�on�nf�f F�Fi�il�le�e
25: The _�/_�e_�t_�c_�/_�s_�u_�d_�o_�._�c_�o_�n_�f file contains plugin configuration directives.
26: Currently, the only supported keyword is the Plugin directive, which
27: causes a plugin plugin to be loaded.
28:
29: A Plugin line consists of the Plugin keyword, followed by the
30: _�s_�y_�m_�b_�o_�l_�__�n_�a_�m_�e and the _�p_�a_�t_�h to the shared object containing the plugin.
31: The _�s_�y_�m_�b_�o_�l_�__�n_�a_�m_�e is the name of the struct policy_plugin or struct
32: io_plugin in the plugin shared object. The _�p_�a_�t_�h may be fully qualified
33: or relative. If not fully qualified it is relative to the
34: _�/_�u_�s_�r_�/_�l_�o_�c_�a_�l_�/_�l_�i_�b_�e_�x_�e_�c directory. Any additional parameters after the _�p_�a_�t_�h
35: are passed as options to the plugin's _�o_�p_�e_�n function. Lines that don't
36: begin with Plugin, Path, Debug or Set are silently ignored.
37:
38: The same shared object may contain multiple plugins, each with a
39: different symbol name. The shared object file must be owned by uid 0
40: and only writable by its owner. Because of ambiguities that arise from
41: composite policies, only a single policy plugin may be specified. This
42: limitation does not apply to I/O plugins.
43:
44: #
45: # Default /etc/sudo.conf file
46: #
47: # Format:
48: # Plugin plugin_name plugin_path plugin_options ...
49: # Path askpass /path/to/askpass
50: # Path noexec /path/to/sudo_noexec.so
51: # Debug sudo /var/log/sudo_debug all@warn
52: # Set disable_coredump true
53: #
54: # The plugin_path is relative to /usr/local/libexec unless
55: # fully qualified.
56: # The plugin_name corresponds to a global symbol in the plugin
57: # that contains the plugin interface structure.
58: # The plugin_options are optional.
59: #
60: Plugin sudoers_policy sudoers.so
61: Plugin sudoers_io sudoers.so
62:
63: P�Po�ol�li�ic�cy�y P�Pl�lu�ug�gi�in�n A�AP�PI�I
64: A policy plugin must declare and populate a policy_plugin struct in the
65: global scope. This structure contains pointers to the functions that
66: implement the s�su�ud�do�o policy checks. The name of the symbol should be
67: specified in _�/_�e_�t_�c_�/_�s_�u_�d_�o_�._�c_�o_�n_�f along with a path to the plugin so that
68: s�su�ud�do�o can load it.
69:
70: struct policy_plugin {
71: #define SUDO_POLICY_PLUGIN 1
72: unsigned int type; /* always SUDO_POLICY_PLUGIN */
73: unsigned int version; /* always SUDO_API_VERSION */
74: int (*open)(unsigned int version, sudo_conv_t conversation,
75: sudo_printf_t plugin_printf, char * const settings[],
76: char * const user_info[], char * const user_env[],
77: char * const plugin_options[]);
78: void (*close)(int exit_status, int error);
79: int (*show_version)(int verbose);
80: int (*check_policy)(int argc, char * const argv[],
81: char *env_add[], char **command_info[],
82: char **argv_out[], char **user_env_out[]);
83: int (*list)(int argc, char * const argv[], int verbose,
84: const char *list_user);
85: int (*validate)(void);
86: void (*invalidate)(int remove);
87: int (*init_session)(struct passwd *pwd, char **user_env[]);
88: void (*register_hooks)(int version,
89: int (*register_hook)(struct sudo_hook *hook));
90: void (*deregister_hooks)(int version,
91: int (*deregister_hook)(struct sudo_hook *hook));
92: };
93:
94: The policy_plugin struct has the following fields:
95:
96: type
97: The type field should always be set to SUDO_POLICY_PLUGIN.
98:
99: version
100: The version field should be set to SUDO_API_VERSION.
101:
102: This allows s�su�ud�do�o to determine the API version the plugin was built
103: against.
104:
105: open
106: int (*open)(unsigned int version, sudo_conv_t conversation,
107: sudo_printf_t plugin_printf, char * const settings[],
108: char * const user_info[], char * const user_env[],
109: char * const plugin_options[]);
110:
111: Returns 1 on success, 0 on failure, -1 if a general error occurred,
112: or -2 if there was a usage error. In the latter case, s�su�ud�do�o will
113: print a usage message before it exits. If an error occurs, the
114: plugin may optionally call the conversation or plugin_printf
115: function with SUDO_CONF_ERROR_MSG to present additional error
116: information to the user.
117:
118: The function arguments are as follows:
119:
120: version
121: The version passed in by s�su�ud�do�o allows the plugin to determine
122: the major and minor version number of the plugin API supported
123: by s�su�ud�do�o.
124:
125: conversation
126: A pointer to the conversation function that can be used by the
127: plugin to interact with the user (see below). Returns 0 on
128: success and -1 on failure.
129:
130: plugin_printf
131: A pointer to a printf-style function that may be used to
132: display informational or error messages (see below). Returns
133: the number of characters printed on success and -1 on failure.
134:
135: settings
136: A vector of user-supplied s�su�ud�do�o settings in the form of
137: "name=value" strings. The vector is terminated by a NULL
138: pointer. These settings correspond to flags the user specified
139: when running s�su�ud�do�o. As such, they will only be present when the
140: corresponding flag has been specified on the command line.
141:
142: When parsing _�s_�e_�t_�t_�i_�n_�g_�s, the plugin should split on the f�fi�ir�rs�st�t
143: equal sign ('=') since the _�n_�a_�m_�e field will never include one
144: itself but the _�v_�a_�l_�u_�e might.
145:
146: debug_flags=string
147: A comma-separated list of debug flags that correspond to
148: s�su�ud�do�o's Debug entry in _�/_�e_�t_�c_�/_�s_�u_�d_�o_�._�c_�o_�n_�f, if there is one. The
149: flags are passed to the plugin as they appear in
150: _�/_�e_�t_�c_�/_�s_�u_�d_�o_�._�c_�o_�n_�f. The syntax used by s�su�ud�do�o and the _�s_�u_�d_�o_�e_�r_�s
151: plugin is _�s_�u_�b_�s_�y_�s_�t_�e_�m@_�p_�r_�i_�o_�r_�i_�t_�y but the plugin is free to use
152: a different format so long as it does not include a command
153: ,.
154:
155: For reference, the priorities supported by the s�su�ud�do�o front
156: end and _�s_�u_�d_�o_�e_�r_�s are: _�c_�r_�i_�t, _�e_�r_�r, _�w_�a_�r_�n, _�n_�o_�t_�i_�c_�e, _�d_�i_�a_�g, _�i_�n_�f_�o,
157: _�t_�r_�a_�c_�e and _�d_�e_�b_�u_�g.
158:
159: The following subsystems are defined: _�m_�a_�i_�n, _�m_�e_�m_�o_�r_�y, _�a_�r_�g_�s,
160: _�e_�x_�e_�c, _�p_�t_�y, _�u_�t_�m_�p, _�c_�o_�n_�v, _�p_�c_�o_�m_�m, _�u_�t_�i_�l, _�l_�i_�s_�t, _�n_�e_�t_�i_�f, _�a_�u_�d_�i_�t,
161: _�e_�d_�i_�t, _�s_�e_�l_�i_�n_�u_�x, _�l_�d_�a_�p, _�m_�a_�t_�c_�h, _�p_�a_�r_�s_�e_�r, _�a_�l_�i_�a_�s, _�d_�e_�f_�a_�u_�l_�t_�s, _�a_�u_�t_�h,
162: _�e_�n_�v, _�l_�o_�g_�g_�i_�n_�g, _�n_�s_�s, _�r_�b_�t_�r_�e_�e, _�p_�e_�r_�m_�s, _�p_�l_�u_�g_�i_�n. The subsystem
163: _�a_�l_�l includes every subsystem.
164:
165: There is not currently a way to specify a set of debug
166: flags specific to the plugin--the flags are shared by s�su�ud�do�o
167: and the plugin.
168:
169: debug_level=number
170: This setting has been deprecated in favor of _�d_�e_�b_�u_�g_�__�f_�l_�a_�g_�s.
171:
172: runas_user=string
173: The user name or uid to to run the command as, if specified
174: via the -u flag.
175:
176: runas_group=string
177: The group name or gid to to run the command as, if
178: specified via the -g flag.
179:
180: prompt=string
181: The prompt to use when requesting a password, if specified
182: via the -p flag.
183:
184: set_home=bool
185: Set to true if the user specified the -H flag. If true,
186: set the HOME environment variable to the target user's home
187: directory.
188:
189: preserve_environment=bool
190: Set to true if the user specified the -E flag, indicating
191: that the user wishes to preserve the environment.
192:
193: run_shell=bool
194: Set to true if the user specified the -s flag, indicating
195: that the user wishes to run a shell.
196:
197: login_shell=bool
198: Set to true if the user specified the -i flag, indicating
199: that the user wishes to run a login shell.
200:
201: implied_shell=bool
202: If the user does not specify a program on the command line,
203: s�su�ud�do�o will pass the plugin the path to the user's shell and
204: set _�i_�m_�p_�l_�i_�e_�d_�__�s_�h_�e_�l_�l to true. This allows s�su�ud�do�o with no
205: arguments to be used similarly to _�s_�u(1). If the plugin
206: does not to support this usage, it may return a value of -2
207: from the check_policy function, which will cause s�su�ud�do�o to
208: print a usage message and exit.
209:
210: preserve_groups=bool
211: Set to true if the user specified the -P flag, indicating
212: that the user wishes to preserve the group vector instead
213: of setting it based on the runas user.
214:
215: ignore_ticket=bool
216: Set to true if the user specified the -k flag along with a
217: command, indicating that the user wishes to ignore any
218: cached authentication credentials.
219:
220: noninteractive=bool
221: Set to true if the user specified the -n flag, indicating
222: that s�su�ud�do�o should operate in non-interactive mode. The
223: plugin may reject a command run in non-interactive mode if
224: user interaction is required.
225:
226: login_class=string
227: BSD login class to use when setting resource limits and
228: nice value, if specified by the -c flag.
229:
230: selinux_role=string
231: SELinux role to use when executing the command, if
232: specified by the -r flag.
233:
234: selinux_type=string
235: SELinux type to use when executing the command, if
236: specified by the -t flag.
237:
238: bsdauth_type=string
239: Authentication type, if specified by the -a flag, to use on
240: systems where BSD authentication is supported.
241:
242: network_addrs=list
243: A space-separated list of IP network addresses and netmasks
244: in the form "addr/netmask", e.g.
245: "192.168.1.2/255.255.255.0". The address and netmask pairs
246: may be either IPv4 or IPv6, depending on what the operating
247: system supports. If the address contains a colon (':'), it
248: is an IPv6 address, else it is IPv4.
249:
250: progname=string
251: The command name that sudo was run as, typically "sudo" or
252: "sudoedit".
253:
254: sudoedit=bool
255: Set to true when the -e flag is is specified or if invoked
256: as s�su�ud�do�oe�ed�di�it�t. The plugin shall substitute an editor into
257: _�a_�r_�g_�v in the _�c_�h_�e_�c_�k_�__�p_�o_�l_�i_�c_�y function or return -2 with a usage
258: error if the plugin does not support _�s_�u_�d_�o_�e_�d_�i_�t. For more
259: information, see the _�c_�h_�e_�c_�k_�__�p_�o_�l_�i_�c_�y section.
260:
261: closefrom=number
262: If specified, the user has requested via the -C flag that
263: s�su�ud�do�o close all files descriptors with a value of _�n_�u_�m_�b_�e_�r or
264: higher. The plugin may optionally pass this, or another
265: value, back in the _�c_�o_�m_�m_�a_�n_�d_�__�i_�n_�f_�o list.
266:
267: Additional settings may be added in the future so the plugin
268: should silently ignore settings that it does not recognize.
269:
270: user_info
271: A vector of information about the user running the command in
272: the form of "name=value" strings. The vector is terminated by
273: a NULL pointer.
274:
275: When parsing _�u_�s_�e_�r_�__�i_�n_�f_�o, the plugin should split on the f�fi�ir�rs�st�t
276: equal sign ('=') since the _�n_�a_�m_�e field will never include one
277: itself but the _�v_�a_�l_�u_�e might.
278:
279: pid=int
280: The process ID of the running s�su�ud�do�o process. Only available
281: starting with API version 1.2
282:
283: ppid=int
284: The parent process ID of the running s�su�ud�do�o process. Only
285: available starting with API version 1.2
286:
287: sid=int
288: The session ID of the running s�su�ud�do�o process or 0 if s�su�ud�do�o is
289: not part of a POSIX job control session. Only available
290: starting with API version 1.2
291:
292: pgid=int
293: The ID of the process group that the running s�su�ud�do�o process
294: belongs to. Only available starting with API version 1.2
295:
296: tcpgid=int
297: The ID of the forground process group associated with the
298: terminal device associcated with the s�su�ud�do�o process or -1 if
299: there is no terminal present. Only available starting with
300: API version 1.2
301:
302: user=string
303: The name of the user invoking s�su�ud�do�o.
304:
305: euid=uid_t
306: The effective user ID of the user invoking s�su�ud�do�o.
307:
308: uid=uid_t
309: The real user ID of the user invoking s�su�ud�do�o.
310:
311: egid=gid_t
312: The effective group ID of the user invoking s�su�ud�do�o.
313:
314: gid=gid_t
315: The real group ID of the user invoking s�su�ud�do�o.
316:
317: groups=list
318: The user's supplementary group list formatted as a string
319: of comma-separated group IDs.
320:
321: cwd=string
322: The user's current working directory.
323:
324: tty=string
325: The path to the user's terminal device. If the user has no
326: terminal device associated with the session, the value will
327: be empty, as in tty=.
328:
329: host=string
330: The local machine's hostname as returned by the
331: gethostname() system call.
332:
333: lines=int
334: The number of lines the user's terminal supports. If there
335: is no terminal device available, a default value of 24 is
336: used.
337:
338: cols=int
339: The number of columns the user's terminal supports. If
340: there is no terminal device available, a default value of
341: 80 is used.
342:
343: user_env
344: The user's environment in the form of a NULL-terminated vector
345: of "name=value" strings.
346:
347: When parsing _�u_�s_�e_�r_�__�e_�n_�v, the plugin should split on the f�fi�ir�rs�st�t
348: equal sign ('=') since the _�n_�a_�m_�e field will never include one
349: itself but the _�v_�a_�l_�u_�e might.
350:
351: plugin_options
352: Any (non-comment) strings immediately after the plugin path are
353: treated as arguments to the plugin. These arguments are split
354: on a white space boundary and are passed to the plugin in the
355: form of a NULL-terminated array of strings. If no arguments
356: were specified, _�p_�l_�u_�g_�i_�n_�__�o_�p_�t_�i_�o_�n_�s will be the NULL pointer.
357:
358: NOTE: the _�p_�l_�u_�g_�i_�n_�__�o_�p_�t_�i_�o_�n_�s parameter is only available starting
359: with API version 1.2. A plugin m�mu�us�st�t check the API version
360: specified by the s�su�ud�do�o front end before using _�p_�l_�u_�g_�i_�n_�__�o_�p_�t_�i_�o_�n_�s.
361: Failure to do so may result in a crash.
362:
363: close
364: void (*close)(int exit_status, int error);
365:
366: The close function is called when the command being run by s�su�ud�do�o
367: finishes.
368:
369: The function arguments are as follows:
370:
371: exit_status
372: The command's exit status, as returned by the _�w_�a_�i_�t(2) system
373: call. The value of exit_status is undefined if error is non-
374: zero.
375:
376: error
377: If the command could not be executed, this is set to the value
378: of errno set by the _�e_�x_�e_�c_�v_�e(2) system call. The plugin is
379: responsible for displaying error information via the
380: conversation or plugin_printf function. If the command was
381: successfully executed, the value of error is 0.
382:
383: show_version
384: int (*show_version)(int verbose);
385:
386: The show_version function is called by s�su�ud�do�o when the user specifies
387: the -V option. The plugin may display its version information to
388: the user via the conversation or plugin_printf function using
389: SUDO_CONV_INFO_MSG. If the user requests detailed version
390: information, the verbose flag will be set.
391:
392: check_policy
393: int (*check_policy)(int argc, char * const argv[]
394: char *env_add[], char **command_info[],
395: char **argv_out[], char **user_env_out[]);
396:
397: The _�c_�h_�e_�c_�k_�__�p_�o_�l_�i_�c_�y function is called by s�su�ud�do�o to determine whether
398: the user is allowed to run the specified commands.
399:
400: If the _�s_�u_�d_�o_�e_�d_�i_�t option was enabled in the _�s_�e_�t_�t_�i_�n_�g_�s array passed to
401: the _�o_�p_�e_�n function, the user has requested _�s_�u_�d_�o_�e_�d_�i_�t mode. _�s_�u_�d_�o_�e_�d_�i_�t
402: is a mechanism for editing one or more files where an editor is run
403: with the user's credentials instead of with elevated privileges.
404: s�su�ud�do�o achieves this by creating user-writable temporary copies of
405: the files to be edited and then overwriting the originals with the
406: temporary copies after editing is complete. If the plugin supports
407: s�su�ud�do�oe�ed�di�it�t, it should choose the editor to be used, potentially from
408: a variable in the user's environment, such as EDITOR, and include
409: it in _�a_�r_�g_�v_�__�o_�u_�t (note that environment variables may include command
410: line flags). The files to be edited should be copied from _�a_�r_�g_�v
411: into _�a_�r_�g_�v_�__�o_�u_�t, separated from the editor and its arguments by a
412: "--" element. The "--" will be removed by s�su�ud�do�o before the editor
413: is executed. The plugin should also set _�s_�u_�d_�o_�e_�d_�i_�t_�=_�t_�r_�u_�e in the
414: _�c_�o_�m_�m_�a_�n_�d_�__�i_�n_�f_�o list.
415:
416: The _�c_�h_�e_�c_�k_�__�p_�o_�l_�i_�c_�y function returns 1 if the command is allowed, 0 if
417: not allowed, -1 for a general error, or -2 for a usage error or if
418: s�su�ud�do�oe�ed�di�it�t was specified but is unsupported by the plugin. In the
419: latter case, s�su�ud�do�o will print a usage message before it exits. If
420: an error occurs, the plugin may optionally call the conversation or
421: plugin_printf function with SUDO_CONF_ERROR_MSG to present
422: additional error information to the user.
423:
424: The function arguments are as follows:
425:
426: argc
427: The number of elements in _�a_�r_�g_�v, not counting the final NULL
428: pointer.
429:
430: argv
431: The argument vector describing the command the user wishes to
432: run, in the same form as what would be passed to the _�e_�x_�e_�c_�v_�e_�(_�)
433: system call. The vector is terminated by a NULL pointer.
434:
435: env_add
436: Additional environment variables specified by the user on the
437: command line in the form of a NULL-terminated vector of
438: "name=value" strings. The plugin may reject the command if one
439: or more variables are not allowed to be set, or it may silently
440: ignore such variables.
441:
442: When parsing _�e_�n_�v_�__�a_�d_�d, the plugin should split on the f�fi�ir�rs�st�t
443: equal sign ('=') since the _�n_�a_�m_�e field will never include one
444: itself but the _�v_�a_�l_�u_�e might.
445:
446: command_info
447: Information about the command being run in the form of
448: "name=value" strings. These values are used by s�su�ud�do�o to set the
449: execution environment when running a command. The plugin is
450: responsible for creating and populating the vector, which must
451: be terminated with a NULL pointer. The following values are
452: recognized by s�su�ud�do�o:
453:
454: command=string
455: Fully qualified path to the command to be executed.
456:
457: runas_uid=uid
458: User ID to run the command as.
459:
460: runas_euid=uid
461: Effective user ID to run the command as. If not specified,
462: the value of _�r_�u_�n_�a_�s_�__�u_�i_�d is used.
463:
464: runas_gid=gid
465: Group ID to run the command as.
466:
467: runas_egid=gid
468: Effective group ID to run the command as. If not
469: specified, the value of _�r_�u_�n_�a_�s_�__�g_�i_�d is used.
470:
471: runas_groups=list
472: The supplementary group vector to use for the command in
473: the form of a comma-separated list of group IDs. If
474: _�p_�r_�e_�s_�e_�r_�v_�e_�__�g_�r_�o_�u_�p_�s is set, this option is ignored.
475:
476: login_class=string
477: BSD login class to use when setting resource limits and
478: nice value (optional). This option is only set on systems
479: that support login classes.
480:
481: preserve_groups=bool
482: If set, s�su�ud�do�o will preserve the user's group vector instead
483: of initializing the group vector based on runas_user.
484:
485: cwd=string
486: The current working directory to change to when executing
487: the command.
488:
489: noexec=bool
490: If set, prevent the command from executing other programs.
491:
492: chroot=string
493: The root directory to use when running the command.
494:
495: nice=int
496: Nice value (priority) to use when executing the command.
497: The nice value, if specified, overrides the priority
498: associated with the _�l_�o_�g_�i_�n_�__�c_�l_�a_�s_�s on BSD systems.
499:
500: umask=octal
501: The file creation mask to use when executing the command.
502:
503: selinux_role=string
504: SELinux role to use when executing the command.
505:
506: selinux_type=string
507: SELinux type to use when executing the command.
508:
509: timeout=int
510: Command timeout. If non-zero then when the timeout expires
511: the command will be killed.
512:
513: sudoedit=bool
514: Set to true when in _�s_�u_�d_�o_�e_�d_�i_�t mode. The plugin may enable
515: _�s_�u_�d_�o_�e_�d_�i_�t mode even if s�su�ud�do�o was not invoked as s�su�ud�do�oe�ed�di�it�t.
516: This allows the plugin to perform command substitution and
517: transparently enable _�s_�u_�d_�o_�e_�d_�i_�t when the user attempts to run
518: an editor.
519:
520: closefrom=number
521: If specified, s�su�ud�do�o will close all files descriptors with a
522: value of _�n_�u_�m_�b_�e_�r or higher.
523:
524: iolog_compress=bool
525: Set to true if the I/O logging plugins, if any, should
526: compress the log data. This is a hint to the I/O logging
527: plugin which may choose to ignore it.
528:
529: iolog_path=string
530: Fully qualified path to the file or directory in which I/O
531: log is to be stored. This is a hint to the I/O logging
532: plugin which may choose to ignore it. If no I/O logging
533: plugin is loaded, this setting has no effect.
534:
535: iolog_stdin=bool
536: Set to true if the I/O logging plugins, if any, should log
537: the standard input if it is not connected to a terminal
538: device. This is a hint to the I/O logging plugin which may
539: choose to ignore it.
540:
541: iolog_stdout=bool
542: Set to true if the I/O logging plugins, if any, should log
543: the standard output if it is not connected to a terminal
544: device. This is a hint to the I/O logging plugin which may
545: choose to ignore it.
546:
547: iolog_stderr=bool
548: Set to true if the I/O logging plugins, if any, should log
549: the standard error if it is not connected to a terminal
550: device. This is a hint to the I/O logging plugin which may
551: choose to ignore it.
552:
553: iolog_ttyin=bool
554: Set to true if the I/O logging plugins, if any, should log
555: all terminal input. This only includes input typed by the
556: user and not from a pipe or redirected from a file. This
557: is a hint to the I/O logging plugin which may choose to
558: ignore it.
559:
560: iolog_ttyout=bool
561: Set to true if the I/O logging plugins, if any, should log
562: all terminal output. This only includes output to the
563: screen, not output to a pipe or file. This is a hint to
564: the I/O logging plugin which may choose to ignore it.
565:
566: use_pty=bool
567: Allocate a pseudo-tty to run the command in, regardless of
568: whether or not I/O logging is in use. By default, s�su�ud�do�o
569: will only run the command in a pty when an I/O log plugin
570: is loaded.
571:
572: set_utmp=bool
573: Create a utmp (or utmpx) entry when a pseudo-tty is
574: allocated. By default, the new entry will be a copy of the
575: user's existing utmp entry (if any), with the tty, time,
576: type and pid fields updated.
577:
578: utmp_user=string
579: User name to use when constructing a new utmp (or utmpx)
580: entry when _�s_�e_�t_�__�u_�t_�m_�p is enabled. This option can be used to
581: set the user field in the utmp entry to the user the
582: command runs as rather than the invoking user. If not set,
583: s�su�ud�do�o will base the new entry on the invoking user's
584: existing entry.
585:
586: Unsupported values will be ignored.
587:
588: argv_out
589: The NULL-terminated argument vector to pass to the _�e_�x_�e_�c_�v_�e_�(_�)
590: system call when executing the command. The plugin is
591: responsible for allocating and populating the vector.
592:
593: user_env_out
594: The NULL-terminated environment vector to use when executing
595: the command. The plugin is responsible for allocating and
596: populating the vector.
597:
598: list
599: int (*list)(int verbose, const char *list_user,
600: int argc, char * const argv[]);
601:
602: List available privileges for the invoking user. Returns 1 on
603: success, 0 on failure and -1 on error. On error, the plugin may
604: optionally call the conversation or plugin_printf function with
605: SUDO_CONF_ERROR_MSG to present additional error information to the
606: user.
607:
608: Privileges should be output via the conversation or plugin_printf
609: function using SUDO_CONV_INFO_MSG.
610:
611: verbose
612: Flag indicating whether to list in verbose mode or not.
613:
614: list_user
615: The name of a different user to list privileges for if the
616: policy allows it. If NULL, the plugin should list the
617: privileges of the invoking user.
618:
619: argc
620: The number of elements in _�a_�r_�g_�v, not counting the final NULL
621: pointer.
622:
623: argv
624: If non-NULL, an argument vector describing a command the user
625: wishes to check against the policy in the same form as what
626: would be passed to the _�e_�x_�e_�c_�v_�e_�(_�) system call. If the command is
627: permitted by the policy, the fully-qualified path to the
628: command should be displayed along with any command line
629: arguments.
630:
631: validate
632: int (*validate)(void);
633:
634: The validate function is called when s�su�ud�do�o is run with the -v flag.
635: For policy plugins such as _�s_�u_�d_�o_�e_�r_�s that cache authentication
636: credentials, this function will validate and cache the credentials.
637:
638: The validate function should be NULL if the plugin does not support
639: credential caching.
640:
641: Returns 1 on success, 0 on failure and -1 on error. On error, the
642: plugin may optionally call the conversation or plugin_printf
643: function with SUDO_CONF_ERROR_MSG to present additional error
644: information to the user.
645:
646: invalidate
647: void (*invalidate)(int remove);
648:
649: The invalidate function is called when s�su�ud�do�o is called with the -k
650: or -K flag. For policy plugins such as _�s_�u_�d_�o_�e_�r_�s that cache
651: authentication credentials, this function will invalidate the
652: credentials. If the _�r_�e_�m_�o_�v_�e flag is set, the plugin may remove the
653: credentials instead of simply invalidating them.
654:
655: The invalidate function should be NULL if the plugin does not
656: support credential caching.
657:
658: init_session
659: int (*init_session)(struct passwd *pwd, char **user_envp[);
660:
661: The init_session function is called before s�su�ud�do�o sets up the
662: execution environment for the command. It is run in the parent
663: s�su�ud�do�o process and before any uid or gid changes. This can be used
664: to perform session setup that is not supported by _�c_�o_�m_�m_�a_�n_�d_�__�i_�n_�f_�o,
665: such as opening the PAM session. The close function can be used to
666: tear down the session that was opened by init_session.
667:
668: The _�p_�w_�d argument points to a passwd struct for the user the command
669: will be run as if the uid the command will run as was found in the
670: password database, otherwise it will be NULL.
671:
672: The _�u_�s_�e_�r_�__�e_�n_�v argument points to the environment the command will
673: run in, in the form of a NULL-terminated vector of "name=value"
674: strings. This is the same string passed back to the front end via
675: the Policy Plugin's _�u_�s_�e_�r_�__�e_�n_�v_�__�o_�u_�t parameter. If the init_session
676: function needs to modify the user environment, it should update the
677: pointer stored in _�u_�s_�e_�r_�__�e_�n_�v. The expected use case is to merge the
678: contents of the PAM environment (if any) with the contents of
679: _�u_�s_�e_�r_�__�e_�n_�v. NOTE: the _�u_�s_�e_�r_�__�e_�n_�v parameter is only available starting
680: with API version 1.2. A plugin m�mu�us�st�t check the API version
681: specified by the s�su�ud�do�o front end before using _�u_�s_�e_�r_�__�e_�n_�v. Failure to
682: do so may result in a crash.
683:
684: Returns 1 on success, 0 on failure and -1 on error. On error, the
685: plugin may optionally call the conversation or plugin_printf
686: function with SUDO_CONF_ERROR_MSG to present additional error
687: information to the user.
688:
689: register_hooks
690: void (*register_hooks)(int version,
691: int (*register_hook)(struct sudo_hook *hook));
692:
693: The register_hooks function is called by the sudo front end to
694: register any hooks the plugin needs. If the plugin does not
695: support hooks, register_hooks should be set to the NULL pointer.
696:
697: The _�v_�e_�r_�s_�i_�o_�n argument describes the version of the hooks API
698: supported by the s�su�ud�do�o front end.
699:
700: The register_hook function should be used to register any supported
701: hooks the plugin needs. It returns 0 on success, 1 if the hook
702: type is not supported and -1 if the major version in struct hook
703: does not match the front end's major hook API version.
704:
705: See the "Hook Function API" section below for more information
706: about hooks.
707:
708: NOTE: the register_hooks function is only available starting with
709: API version 1.2. If the s�su�ud�do�o front end doesn't support API version
710: 1.2 or higher, register_hooks will not be called.
711:
712: deregister_hooks
713: void (*deregister_hooks)(int version,
714: int (*deregister_hook)(struct sudo_hook *hook));
715:
716: The deregister_hooks function is called by the sudo front end to
717: deregister any hooks the plugin has registered. If the plugin does
718: not support hooks, deregister_hooks should be set to the NULL
719: pointer.
720:
721: The _�v_�e_�r_�s_�i_�o_�n argument describes the version of the hooks API
722: supported by the s�su�ud�do�o front end.
723:
724: The deregister_hook function should be used to deregister any hooks
725: that were put in place by the register_hook function. If the
726: plugin tries to deregister a hook that the front end does not
727: support, deregister_hook will return an error.
728:
729: See the "Hook Function API" section below for more information
730: about hooks.
731:
732: NOTE: the deregister_hooks function is only available starting with
733: API version 1.2. If the s�su�ud�do�o front end doesn't support API version
734: 1.2 or higher, deregister_hooks will not be called.
735:
736: _�P_�o_�l_�i_�c_�y _�P_�l_�u_�g_�i_�n _�V_�e_�r_�s_�i_�o_�n _�M_�a_�c_�r_�o_�s
737:
738: /* Plugin API version major/minor. */
739: #define SUDO_API_VERSION_MAJOR 1
740: #define SUDO_API_VERSION_MINOR 2
741: #define SUDO_API_MKVERSION(x, y) ((x << 16) | y)
742: #define SUDO_API_VERSION SUDO_API_MKVERSION(SUDO_API_VERSION_MAJOR,\
743: SUDO_API_VERSION_MINOR)
744:
745: /* Getters and setters for API version */
746: #define SUDO_API_VERSION_GET_MAJOR(v) ((v) >> 16)
747: #define SUDO_API_VERSION_GET_MINOR(v) ((v) & 0xffff)
748: #define SUDO_API_VERSION_SET_MAJOR(vp, n) do { \
749: *(vp) = (*(vp) & 0x0000ffff) | ((n) << 16); \
750: } while(0)
751: #define SUDO_VERSION_SET_MINOR(vp, n) do { \
752: *(vp) = (*(vp) & 0xffff0000) | (n); \
753: } while(0)
754:
755: I�I/�/O�O P�Pl�lu�ug�gi�in�n A�AP�PI�I
756: struct io_plugin {
757: #define SUDO_IO_PLUGIN 2
758: unsigned int type; /* always SUDO_IO_PLUGIN */
759: unsigned int version; /* always SUDO_API_VERSION */
760: int (*open)(unsigned int version, sudo_conv_t conversation
761: sudo_printf_t plugin_printf, char * const settings[],
762: char * const user_info[], int argc, char * const argv[],
763: char * const user_env[], char * const plugin_options[]);
764: void (*close)(int exit_status, int error); /* wait status or error */
765: int (*show_version)(int verbose);
766: int (*log_ttyin)(const char *buf, unsigned int len);
767: int (*log_ttyout)(const char *buf, unsigned int len);
768: int (*log_stdin)(const char *buf, unsigned int len);
769: int (*log_stdout)(const char *buf, unsigned int len);
770: int (*log_stderr)(const char *buf, unsigned int len);
771: void (*register_hooks)(int version,
772: int (*register_hook)(struct sudo_hook *hook));
773: void (*deregister_hooks)(int version,
774: int (*deregister_hook)(struct sudo_hook *hook));
775: };
776:
777: When an I/O plugin is loaded, s�su�ud�do�o runs the command in a pseudo-tty.
778: This makes it possible to log the input and output from the user's
779: session. If any of the standard input, standard output or standard
780: error do not correspond to a tty, s�su�ud�do�o will open a pipe to capture the
781: I/O for logging before passing it on.
782:
783: The log_ttyin function receives the raw user input from the terminal
784: device (note that this will include input even when echo is disabled,
785: such as when a password is read). The log_ttyout function receives
786: output from the pseudo-tty that is suitable for replaying the user's
787: session at a later time. The log_stdin, log_stdout and log_stderr
788: functions are only called if the standard input, standard output or
789: standard error respectively correspond to something other than a tty.
790:
791: Any of the logging functions may be set to the NULL pointer if no
792: logging is to be performed. If the open function returns 0, no I/O
793: will be sent to the plugin.
794:
795: The io_plugin struct has the following fields:
796:
797: type
798: The type field should always be set to SUDO_IO_PLUGIN
799:
800: version
801: The version field should be set to SUDO_API_VERSION.
802:
803: This allows s�su�ud�do�o to determine the API version the plugin was built
804: against.
805:
806: open
807: int (*open)(unsigned int version, sudo_conv_t conversation
808: sudo_printf_t plugin_printf, char * const settings[],
809: char * const user_info[], int argc, char * const argv[],
810: char * const user_env[], char * const plugin_options[]);
811:
812: The _�o_�p_�e_�n function is run before the _�l_�o_�g_�__�i_�n_�p_�u_�t, _�l_�o_�g_�__�o_�u_�t_�p_�u_�t or
813: _�s_�h_�o_�w_�__�v_�e_�r_�s_�i_�o_�n functions are called. It is only called if the
814: version is being requested or the _�c_�h_�e_�c_�k_�__�p_�o_�l_�i_�c_�y function has
815: returned successfully. It returns 1 on success, 0 on failure, -1
816: if a general error occurred, or -2 if there was a usage error. In
817: the latter case, s�su�ud�do�o will print a usage message before it exits.
818: If an error occurs, the plugin may optionally call the conversation
819: or plugin_printf function with SUDO_CONF_ERROR_MSG to present
820: additional error information to the user.
821:
822: The function arguments are as follows:
823:
824: version
825: The version passed in by s�su�ud�do�o allows the plugin to determine
826: the major and minor version number of the plugin API supported
827: by s�su�ud�do�o.
828:
829: conversation
830: A pointer to the conversation function that may be used by the
831: _�s_�h_�o_�w_�__�v_�e_�r_�s_�i_�o_�n function to display version information (see
832: show_version below). The conversation function may also be
833: used to display additional error message to the user. The
834: conversation function returns 0 on success and -1 on failure.
835:
836: plugin_printf
837: A pointer to a printf-style function that may be used by the
838: _�s_�h_�o_�w_�__�v_�e_�r_�s_�i_�o_�n function to display version information (see
839: show_version below). The plugin_printf function may also be
840: used to display additional error message to the user. The
841: plugin_printf function returns number of characters printed on
842: success and -1 on failure.
843:
844: settings
845: A vector of user-supplied s�su�ud�do�o settings in the form of
846: "name=value" strings. The vector is terminated by a NULL
847: pointer. These settings correspond to flags the user specified
848: when running s�su�ud�do�o. As such, they will only be present when the
849: corresponding flag has been specified on the command line.
850:
851: When parsing _�s_�e_�t_�t_�i_�n_�g_�s, the plugin should split on the f�fi�ir�rs�st�t
852: equal sign ('=') since the _�n_�a_�m_�e field will never include one
853: itself but the _�v_�a_�l_�u_�e might.
854:
855: See the "Policy Plugin API" section for a list of all possible
856: settings.
857:
858: user_info
859: A vector of information about the user running the command in
860: the form of "name=value" strings. The vector is terminated by
861: a NULL pointer.
862:
863: When parsing _�u_�s_�e_�r_�__�i_�n_�f_�o, the plugin should split on the f�fi�ir�rs�st�t
864: equal sign ('=') since the _�n_�a_�m_�e field will never include one
865: itself but the _�v_�a_�l_�u_�e might.
866:
867: See the "Policy Plugin API" section for a list of all possible
868: strings.
869:
870: argc
871: The number of elements in _�a_�r_�g_�v, not counting the final NULL
872: pointer.
873:
874: argv
875: If non-NULL, an argument vector describing a command the user
876: wishes to run in the same form as what would be passed to the
877: _�e_�x_�e_�c_�v_�e_�(_�) system call.
878:
879: user_env
880: The user's environment in the form of a NULL-terminated vector
881: of "name=value" strings.
882:
883: When parsing _�u_�s_�e_�r_�__�e_�n_�v, the plugin should split on the f�fi�ir�rs�st�t
884: equal sign ('=') since the _�n_�a_�m_�e field will never include one
885: itself but the _�v_�a_�l_�u_�e might.
886:
887: plugin_options
888: Any (non-comment) strings immediately after the plugin path are
889: treated as arguments to the plugin. These arguments are split
890: on a white space boundary and are passed to the plugin in the
891: form of a NULL-terminated array of strings. If no arguments
892: were specified, _�p_�l_�u_�g_�i_�n_�__�o_�p_�t_�i_�o_�n_�s will be the NULL pointer.
893:
894: NOTE: the _�p_�l_�u_�g_�i_�n_�__�o_�p_�t_�i_�o_�n_�s parameter is only available starting
895: with API version 1.2. A plugin m�mu�us�st�t check the API version
896: specified by the s�su�ud�do�o front end before using _�p_�l_�u_�g_�i_�n_�__�o_�p_�t_�i_�o_�n_�s.
897: Failure to do so may result in a crash.
898:
899: close
900: void (*close)(int exit_status, int error);
901:
902: The close function is called when the command being run by s�su�ud�do�o
903: finishes.
904:
905: The function arguments are as follows:
906:
907: exit_status
908: The command's exit status, as returned by the _�w_�a_�i_�t(2) system
909: call. The value of exit_status is undefined if error is non-
910: zero.
911:
912: error
913: If the command could not be executed, this is set to the value
914: of errno set by the _�e_�x_�e_�c_�v_�e(2) system call. If the command was
915: successfully executed, the value of error is 0.
916:
917: show_version
918: int (*show_version)(int verbose);
919:
920: The show_version function is called by s�su�ud�do�o when the user specifies
921: the -V option. The plugin may display its version information to
922: the user via the conversation or plugin_printf function using
923: SUDO_CONV_INFO_MSG. If the user requests detailed version
924: information, the verbose flag will be set.
925:
926: log_ttyin
927: int (*log_ttyin)(const char *buf, unsigned int len);
928:
929: The _�l_�o_�g_�__�t_�t_�y_�i_�n function is called whenever data can be read from the
930: user but before it is passed to the running command. This allows
931: the plugin to reject data if it chooses to (for instance if the
932: input contains banned content). Returns 1 if the data should be
933: passed to the command, 0 if the data is rejected (which will
934: terminate the command) or -1 if an error occurred.
935:
936: The function arguments are as follows:
937:
938: buf The buffer containing user input.
939:
940: len The length of _�b_�u_�f in bytes.
941:
942: log_ttyout
943: int (*log_ttyout)(const char *buf, unsigned int len);
944:
945: The _�l_�o_�g_�__�t_�t_�y_�o_�u_�t function is called whenever data can be read from
946: the command but before it is written to the user's terminal. This
947: allows the plugin to reject data if it chooses to (for instance if
948: the output contains banned content). Returns 1 if the data should
949: be passed to the user, 0 if the data is rejected (which will
950: terminate the command) or -1 if an error occurred.
951:
952: The function arguments are as follows:
953:
954: buf The buffer containing command output.
955:
956: len The length of _�b_�u_�f in bytes.
957:
958: log_stdin
959: int (*log_stdin)(const char *buf, unsigned int len);
960:
961: The _�l_�o_�g_�__�s_�t_�d_�i_�n function is only used if the standard input does not
962: correspond to a tty device. It is called whenever data can be read
963: from the standard input but before it is passed to the running
964: command. This allows the plugin to reject data if it chooses to
965: (for instance if the input contains banned content). Returns 1 if
966: the data should be passed to the command, 0 if the data is rejected
967: (which will terminate the command) or -1 if an error occurred.
968:
969: The function arguments are as follows:
970:
971: buf The buffer containing user input.
972:
973: len The length of _�b_�u_�f in bytes.
974:
975: log_stdout
976: int (*log_stdout)(const char *buf, unsigned int len);
977:
978: The _�l_�o_�g_�__�s_�t_�d_�o_�u_�t function is only used if the standard output does
979: not correspond to a tty device. It is called whenever data can be
980: read from the command but before it is written to the standard
981: output. This allows the plugin to reject data if it chooses to
982: (for instance if the output contains banned content). Returns 1 if
983: the data should be passed to the user, 0 if the data is rejected
984: (which will terminate the command) or -1 if an error occurred.
985:
986: The function arguments are as follows:
987:
988: buf The buffer containing command output.
989:
990: len The length of _�b_�u_�f in bytes.
991:
992: log_stderr
993: int (*log_stderr)(const char *buf, unsigned int len);
994:
995: The _�l_�o_�g_�__�s_�t_�d_�e_�r_�r function is only used if the standard error does not
996: correspond to a tty device. It is called whenever data can be read
997: from the command but before it is written to the standard error.
998: This allows the plugin to reject data if it chooses to (for
999: instance if the output contains banned content). Returns 1 if the
1000: data should be passed to the user, 0 if the data is rejected (which
1001: will terminate the command) or -1 if an error occurred.
1002:
1003: The function arguments are as follows:
1004:
1005: buf The buffer containing command output.
1006:
1007: len The length of _�b_�u_�f in bytes.
1008:
1009: register_hooks
1010: See the "Policy Plugin API" section for a description of
1011: register_hooks.
1012:
1013: deregister_hooks
1014: See the "Policy Plugin API" section for a description of
1015: deregister_hooks.
1016:
1017: _�I_�/_�O _�P_�l_�u_�g_�i_�n _�V_�e_�r_�s_�i_�o_�n _�M_�a_�c_�r_�o_�s
1018:
1019: Same as for the "Policy Plugin API".
1020:
1021: H�Ho�oo�ok�k F�Fu�un�nc�ct�ti�io�on�n A�AP�PI�I
1022: Beginning with plugin API version 1.2, it is possible to install hooks
1023: for certain functions called by the s�su�ud�do�o front end.
1024:
1025: Currently, the only supported hooks relate to the handling of
1026: environment variables. Hooks can be used to intercept attempts to get,
1027: set, or remove environment variables so that these changes can be
1028: reflected in the version of the environment that is used to execute a
1029: command. A future version of the API will support hooking internal
1030: s�su�ud�do�o front end functions as well.
1031:
1032: _�H_�o_�o_�k _�s_�t_�r_�u_�c_�t_�u_�r_�e
1033:
1034: Hooks in s�su�ud�do�o are described by the following structure:
1035:
1036: typedef int (*sudo_hook_fn_t)();
1037:
1038: struct sudo_hook {
1039: int hook_version;
1040: int hook_type;
1041: sudo_hook_fn_t hook_fn;
1042: void *closure;
1043: };
1044:
1045: The sudo_hook structure has the following fields:
1046:
1047: hook_version
1048: The hook_version field should be set to SUDO_HOOK_VERSION.
1049:
1050: hook_type
1051: The hook_type field may be one of the following supported hook
1052: types:
1053:
1054: SUDO_HOOK_SETENV
1055: The C library setenv() function. Any registered hooks will run
1056: before the C library implementation. The hook_fn field should
1057: be a function that matches the following typedef:
1058:
1059: typedef int (*sudo_hook_fn_setenv_t)(const char *name,
1060: const char *value, int overwrite, void *closure);
1061:
1062: If the registered hook does not match the typedef the results
1063: are unspecified.
1064:
1065: SUDO_HOOK_UNSETENV
1066: The C library unsetenv() function. Any registered hooks will
1067: run before the C library implementation. The hook_fn field
1068: should be a function that matches the following typedef:
1069:
1070: typedef int (*sudo_hook_fn_unsetenv_t)(const char *name,
1071: void *closure);
1072:
1073: SUDO_HOOK_GETENV
1074: The C library getenv() function. Any registered hooks will run
1075: before the C library implementation. The hook_fn field should
1076: be a function that matches the following typedef:
1077:
1078: typedef int (*sudo_hook_fn_getenv_t)(const char *name,
1079: char **value, void *closure);
1080:
1081: If the registered hook does not match the typedef the results
1082: are unspecified.
1083:
1084: SUDO_HOOK_PUTENV
1085: The C library putenv() function. Any registered hooks will run
1086: before the C library implementation. The hook_fn field should
1087: be a function that matches the following typedef:
1088:
1089: typedef int (*sudo_hook_fn_putenv_t)(char *string,
1090: void *closure);
1091:
1092: If the registered hook does not match the typedef the results
1093: are unspecified.
1094:
1095: hook_fn
1096: sudo_hook_fn_t hook_fn;
1097:
1098: The hook_fn field should be set to the plugin's hook
1099: implementation. The actual function arguments will vary depending
1100: on the hook_type (see hook_type above). In all cases, the closure
1101: field of struct sudo_hook is passed as the last function parameter.
1102: This can be used to pass arbitrary data to the plugin's hook
1103: implementation.
1104:
1105: The function return value may be one of the following:
1106:
1107: SUDO_HOOK_RET_ERROR
1108: The hook function encountered an error.
1109:
1110: SUDO_HOOK_RET_NEXT
1111: The hook completed without error, go on to the next hook
1112: (including the native implementation if applicable). For
1113: example, a getenv hook might return SUDO_HOOK_RET_NEXT if the
1114: specified variable was not found in the private copy of the
1115: environment.
1116:
1117: SUDO_HOOK_RET_STOP
1118: The hook completed without error, stop processing hooks for
1119: this invocation. This can be used to replace the native
1120: implementation. For example, a setenv hook that operates on a
1121: private copy of the environment but leaves environ unchanged.
1122:
1123: Note that it is very easy to create an infinite loop when hooking C
1124: library functions. For example, a getenv hook that calls the snprintf
1125: function may create a loop if the snprintf implementation calls getenv
1126: to check the locale. To prevent this, you may wish to use a static
1127: variable in the hook function to guard against nested calls. E.g.
1128:
1129: static int in_progress = 0; /* avoid recursion */
1130: if (in_progress)
1131: return SUDO_HOOK_RET_NEXT;
1132: in_progress = 1;
1133: ...
1134: in_progress = 0;
1135: return SUDO_HOOK_RET_STOP;
1136:
1137: _�H_�o_�o_�k _�A_�P_�I _�V_�e_�r_�s_�i_�o_�n _�M_�a_�c_�r_�o_�s
1138:
1139: /* Hook API version major/minor */
1140: #define SUDO_HOOK_VERSION_MAJOR 1
1141: #define SUDO_HOOK_VERSION_MINOR 0
1142: #define SUDO_HOOK_MKVERSION(x, y) ((x << 16) | y)
1143: #define SUDO_HOOK_VERSION SUDO_HOOK_MKVERSION(SUDO_HOOK_VERSION_MAJOR,\
1144: SUDO_HOOK_VERSION_MINOR)
1145:
1146: /* Getters and setters for hook API version */
1147: #define SUDO_HOOK_VERSION_GET_MAJOR(v) ((v) >> 16)
1148: #define SUDO_HOOK_VERSION_GET_MINOR(v) ((v) & 0xffff)
1149: #define SUDO_HOOK_VERSION_SET_MAJOR(vp, n) do { \
1150: *(vp) = (*(vp) & 0x0000ffff) | ((n) << 16); \
1151: } while(0)
1152: #define SUDO_HOOK_VERSION_SET_MINOR(vp, n) do { \
1153: *(vp) = (*(vp) & 0xffff0000) | (n); \
1154: } while(0)
1155:
1156: C�Co�on�nv�ve�er�rs�sa�at�ti�io�on�n A�AP�PI�I
1157: If the plugin needs to interact with the user, it may do so via the
1158: conversation function. A plugin should not attempt to read directly
1159: from the standard input or the user's tty (neither of which are
1160: guaranteed to exist). The caller must include a trailing newline in
1161: msg if one is to be printed.
1162:
1163: A printf-style function is also available that can be used to display
1164: informational or error messages to the user, which is usually more
1165: convenient for simple messages where no use input is required.
1166:
1167: struct sudo_conv_message {
1168: #define SUDO_CONV_PROMPT_ECHO_OFF 0x0001 /* do not echo user input */
1169: #define SUDO_CONV_PROMPT_ECHO_ON 0x0002 /* echo user input */
1170: #define SUDO_CONV_ERROR_MSG 0x0003 /* error message */
1171: #define SUDO_CONV_INFO_MSG 0x0004 /* informational message */
1172: #define SUDO_CONV_PROMPT_MASK 0x0005 /* mask user input */
1173: #define SUDO_CONV_DEBUG_MSG 0x0006 /* debugging message */
1174: #define SUDO_CONV_PROMPT_ECHO_OK 0x1000 /* flag: allow echo if no tty */
1175: int msg_type;
1176: int timeout;
1177: const char *msg;
1178: };
1179:
1180: struct sudo_conv_reply {
1181: char *reply;
1182: };
1183:
1184: typedef int (*sudo_conv_t)(int num_msgs,
1185: const struct sudo_conv_message msgs[],
1186: struct sudo_conv_reply replies[]);
1187:
1188: typedef int (*sudo_printf_t)(int msg_type, const char *fmt, ...);
1189:
1190: Pointers to the conversation and printf-style functions are passed in
1191: to the plugin's open function when the plugin is initialized.
1192:
1193: To use the conversation function, the plugin must pass an array of
1194: sudo_conv_message and sudo_conv_reply structures. There must be a
1195: struct sudo_conv_message and struct sudo_conv_reply for each message in
1196: the conversation. The plugin is responsible for freeing the reply
1197: buffer filled in to the struct sudo_conv_reply, if any.
1198:
1199: The printf-style function uses the same underlying mechanism as the
1200: conversation function but only supports SUDO_CONV_INFO_MSG,
1201: SUDO_CONV_ERROR_MSG and SUDO_CONV_DEBUG_MSG for the _�m_�s_�g_�__�t_�y_�p_�e parameter.
1202: It can be more convenient than using the conversation function if no
1203: user reply is needed and supports standard _�p_�r_�i_�n_�t_�f_�(_�) escape sequences.
1204:
1205: Unlike, SUDO_CONV_INFO_MSG and SUDO_CONV_ERROR_MSG, messages sent with
1206: the <SUDO_CONV_DEBUG_MSG> _�m_�s_�g_�__�t_�y_�p_�e are not directly user-visible.
1207: Instead, they are logged to the file specified in the Debug statement
1208: (if any) in the _�/_�e_�t_�c_�/_�s_�u_�d_�o_�._�c_�o_�n_�f file. This allows a plugin to log
1209: debugging information and is intended to be used in conjunction with
1210: the _�d_�e_�b_�u_�g_�__�f_�l_�a_�g_�s setting.
1211:
1212: See the sample plugin for an example of the conversation function
1213: usage.
1214:
1215: S�Su�ud�do�oe�er�rs�s G�Gr�ro�ou�up�p P�Pl�lu�ug�gi�in�n A�AP�PI�I
1216: The _�s_�u_�d_�o_�e_�r_�s module supports a plugin interface to allow non-Unix group
1217: lookups. This can be used to query a group source other than the
1218: standard Unix group database. A sample group plugin is bundled with
1219: s�su�ud�do�o that implements file-based lookups. Third party group plugins
1220: include a QAS AD plugin available from Quest Software.
1221:
1222: A group plugin must declare and populate a sudoers_group_plugin struct
1223: in the global scope. This structure contains pointers to the functions
1224: that implement plugin initialization, cleanup and group lookup.
1225:
1226: struct sudoers_group_plugin {
1227: unsigned int version;
1228: int (*init)(int version, sudo_printf_t sudo_printf,
1229: char *const argv[]);
1230: void (*cleanup)(void);
1231: int (*query)(const char *user, const char *group,
1232: const struct passwd *pwd);
1233: };
1234:
1235: The sudoers_group_plugin struct has the following fields:
1236:
1237: version
1238: The version field should be set to GROUP_API_VERSION.
1239:
1240: This allows _�s_�u_�d_�o_�e_�r_�s to determine the API version the group plugin
1241: was built against.
1242:
1243: init
1244: int (*init)(int version, sudo_printf_t plugin_printf,
1245: char *const argv[]);
1246:
1247: The _�i_�n_�i_�t function is called after _�s_�u_�d_�o_�e_�r_�s has been parsed but
1248: before any policy checks. It returns 1 on success, 0 on failure
1249: (or if the plugin is not configured), and -1 if a error occurred.
1250: If an error occurs, the plugin may call the plugin_printf function
1251: with SUDO_CONF_ERROR_MSG to present additional error information to
1252: the user.
1253:
1254: The function arguments are as follows:
1255:
1256: version
1257: The version passed in by _�s_�u_�d_�o_�e_�r_�s allows the plugin to determine
1258: the major and minor version number of the group plugin API
1259: supported by _�s_�u_�d_�o_�e_�r_�s.
1260:
1261: plugin_printf
1262: A pointer to a printf-style function that may be used to
1263: display informational or error message to the user. Returns
1264: the number of characters printed on success and -1 on failure.
1265:
1266: argv
1267: A NULL-terminated array of arguments generated from the
1268: _�g_�r_�o_�u_�p_�__�p_�l_�u_�g_�i_�n option in _�s_�u_�d_�o_�e_�r_�s. If no arguments were given,
1269: _�a_�r_�g_�v will be NULL.
1270:
1271: cleanup
1272: void (*cleanup)();
1273:
1274: The _�c_�l_�e_�a_�n_�u_�p function is called when _�s_�u_�d_�o_�e_�r_�s has finished its group
1275: checks. The plugin should free any memory it has allocated and
1276: close open file handles.
1277:
1278: query
1279: int (*query)(const char *user, const char *group,
1280: const struct passwd *pwd);
1281:
1282: The _�q_�u_�e_�r_�y function is used to ask the group plugin whether _�u_�s_�e_�r is
1283: a member of _�g_�r_�o_�u_�p.
1284:
1285: The function arguments are as follows:
1286:
1287: user
1288: The name of the user being looked up in the external group
1289: database.
1290:
1291: group
1292: The name of the group being queried.
1293:
1294: pwd The password database entry for _�u_�s_�e_�r, if any. If _�u_�s_�e_�r is not
1295: present in the password database, _�p_�w_�d will be NULL.
1296:
1297: _�G_�r_�o_�u_�p _�A_�P_�I _�V_�e_�r_�s_�i_�o_�n _�M_�a_�c_�r_�o_�s
1298:
1299: /* Sudoers group plugin version major/minor */
1300: #define GROUP_API_VERSION_MAJOR 1
1301: #define GROUP_API_VERSION_MINOR 0
1302: #define GROUP_API_VERSION ((GROUP_API_VERSION_MAJOR << 16) | \
1303: GROUP_API_VERSION_MINOR)
1304:
1305: /* Getters and setters for group version */
1306: #define GROUP_API_VERSION_GET_MAJOR(v) ((v) >> 16)
1307: #define GROUP_API_VERSION_GET_MINOR(v) ((v) & 0xffff)
1308: #define GROUP_API_VERSION_SET_MAJOR(vp, n) do { \
1309: *(vp) = (*(vp) & 0x0000ffff) | ((n) << 16); \
1310: } while(0)
1311: #define GROUP_API_VERSION_SET_MINOR(vp, n) do { \
1312: *(vp) = (*(vp) & 0xffff0000) | (n); \
1313: } while(0)
1314:
1315: P�PL�LU�UG�GI�IN�N A�AP�PI�I C�CH�HA�AN�NG�GE�EL�LO�OG�G
1316: The following revisions have been made to the Sudo Plugin API.
1317:
1318: Version 1.0
1319: Initial API version.
1320:
1321: Version 1.1
1322: The I/O logging plugin's open function was modified to take the
1323: command_info list as an argument.
1324:
1325: Version 1.2
1326: The Policy and I/O logging plugins' open functions are now passed a
1327: list of plugin options if any are specified in _�/_�e_�t_�c_�/_�s_�u_�d_�o_�._�c_�o_�n_�f.
1328:
1329: A simple hooks API has been introduced to allow plugins to hook in
1330: to the system's environment handling functions.
1331:
1332: The init_session Policy plugin function is now passed a pointer to
1333: the user environment which can be updated as needed. This can be
1334: used to merge in environment variables stored in the PAM handle
1335: before a command is run.
1336:
1337: S�SE�EE�E A�AL�LS�SO�O
1338: _�s_�u_�d_�o_�e_�r_�s(4), _�s_�u_�d_�o(1m)
1339:
1340: B�BU�UG�GS�S
1341: If you feel you have found a bug in s�su�ud�do�o, please submit a bug report at
1342: http://www.sudo.ws/sudo/bugs/
1343:
1344: S�SU�UP�PP�PO�OR�RT�T
1345: Limited free support is available via the sudo-workers mailing list,
1346: see http://www.sudo.ws/mailman/listinfo/sudo-workers to subscribe or
1347: search the archives.
1348:
1349: D�DI�IS�SC�CL�LA�AI�IM�ME�ER�R
1350: s�su�ud�do�o is provided ``AS IS'' and any express or implied warranties,
1351: including, but not limited to, the implied warranties of
1352: merchantability and fitness for a particular purpose are disclaimed.
1353: See the LICENSE file distributed with s�su�ud�do�o or
1354: http://www.sudo.ws/sudo/license.html for complete details.
1355:
1356:
1357:
1358: 1.8.5 April 23, 2012 SUDO_PLUGIN(1m)
FreeBSD-CVSweb <freebsd-cvsweb@FreeBSD.org>
![[BACK]](/icons/cvsweb/back.gif){kind=icon}
Return to sudo_plugin.cat CVS log ![[TXT]](/icons/cvsweb/text.gif){kind=icon}
![[DIR]](/icons/cvsweb/dir.gif){kind=icon}
Up to [ELWIX - Embedded LightWeight unIX -] / embedaddon / sudo / doc