1: SUDO_PLUGIN(4) Programmer's Manual SUDO_PLUGIN(4)
2:
3: N�NA�AM�ME�E
4: s�su�ud�do�o_�_p�pl�lu�ug�gi�in�n - Sudo Plugin API
5:
6: D�DE�ES�SC�CR�RI�IP�PT�TI�IO�ON�N
7: Starting with version 1.8, s�su�ud�do�o supports a plugin API for policy and
8: session logging. Plugins may be compiled as dynamic shared objects (the
9: default on systems that support them) or compiled statically into the
10: s�su�ud�do�o binary itself. By default, the s�su�ud�do�oe�er�rs�s policy plugin and an
11: associated I/O logging plugin are used. Via the plugin API, s�su�ud�do�o can be
12: configured to use alternate policy and/or I/O logging plugins provided by
13: third parties. The plugins to be used are specified in the sudo.conf(4)
14: file.
15:
16: The API is versioned with a major and minor number. The minor version
17: number is incremented when additions are made. The major number is
18: incremented when incompatible changes are made. A plugin should be check
19: the version passed to it and make sure that the major version matches.
20:
21: The plugin API is defined by the sudo_plugin.h header file.
22:
23: P�Po�ol�li�ic�cy�y p�pl�lu�ug�gi�in�n A�AP�PI�I
24: A policy plugin must declare and populate a policy_plugin struct in the
25: global scope. This structure contains pointers to the functions that
26: implement the s�su�ud�do�o policy checks. The name of the symbol should be
27: specified in sudo.conf(4) along with a path to the plugin so that s�su�ud�do�o
28: can load it.
29:
30: struct policy_plugin {
31: #define SUDO_POLICY_PLUGIN 1
32: unsigned int type; /* always SUDO_POLICY_PLUGIN */
33: unsigned int version; /* always SUDO_API_VERSION */
34: int (*open)(unsigned int version, sudo_conv_t conversation,
35: sudo_printf_t plugin_printf, char * const settings[],
36: char * const user_info[], char * const user_env[],
37: char * const plugin_options[]);
38: void (*close)(int exit_status, int error);
39: int (*show_version)(int verbose);
40: int (*check_policy)(int argc, char * const argv[],
41: char *env_add[], char **command_info[],
42: char **argv_out[], char **user_env_out[]);
43: int (*list)(int argc, char * const argv[], int verbose,
44: const char *list_user);
45: int (*validate)(void);
46: void (*invalidate)(int remove);
47: int (*init_session)(struct passwd *pwd, char **user_env[]);
48: void (*register_hooks)(int version,
49: int (*register_hook)(struct sudo_hook *hook));
50: void (*deregister_hooks)(int version,
51: int (*deregister_hook)(struct sudo_hook *hook));
52: };
53:
54: The policy_plugin struct has the following fields:
55:
56: type The type field should always be set to SUDO_POLICY_PLUGIN.
57:
58: version
59: The version field should be set to SUDO_API_VERSION.
60:
61: This allows s�su�ud�do�o to determine the API version the plugin was built
62: against.
63:
64: open
65: int (*open)(unsigned int version, sudo_conv_t conversation,
66: sudo_printf_t plugin_printf, char * const settings[],
67: char * const user_info[], char * const user_env[],
68: char * const plugin_options[]);
69:
70: Returns 1 on success, 0 on failure, -1 if a general error occurred,
71: or -2 if there was a usage error. In the latter case, s�su�ud�do�o will
72: print a usage message before it exits. If an error occurs, the
73: plugin may optionally call the c�co�on�nv�ve�er�rs�sa�at�ti�io�on�n() or p�pl�lu�ug�gi�in�n_�_p�pr�ri�in�nt�tf�f()
74: function with SUDO_CONF_ERROR_MSG to present additional error
75: information to the user.
76:
77: The function arguments are as follows:
78:
79: version
80: The version passed in by s�su�ud�do�o allows the plugin to determine
81: the major and minor version number of the plugin API
82: supported by s�su�ud�do�o.
83:
84: conversation
85: A pointer to the c�co�on�nv�ve�er�rs�sa�at�ti�io�on�n() function that can be used by
86: the plugin to interact with the user (see below). Returns 0
87: on success and -1 on failure.
88:
89: plugin_printf
90: A pointer to a p�pr�ri�in�nt�tf�f()-style function that may be used to
91: display informational or error messages (see below). Returns
92: the number of characters printed on success and -1 on
93: failure.
94:
95: settings
96: A vector of user-supplied s�su�ud�do�o settings in the form of
97: ``name=value'' strings. The vector is terminated by a NULL
98: pointer. These settings correspond to flags the user
99: specified when running s�su�ud�do�o. As such, they will only be
100: present when the corresponding flag has been specified on the
101: command line.
102:
103: When parsing _�s_�e_�t_�t_�i_�n_�g_�s, the plugin should split on the f�fi�ir�rs�st�t
104: equal sign (`=') since the _�n_�a_�m_�e field will never include one
105: itself but the _�v_�a_�l_�u_�e might.
106:
107: bsdauth_type=string
108: Authentication type, if specified by the -�-a�a flag, to
109: use on systems where BSD authentication is supported.
110:
111: closefrom=number
112: If specified, the user has requested via the -�-C�C flag
113: that s�su�ud�do�o close all files descriptors with a value of
114: _�n_�u_�m_�b_�e_�r or higher. The plugin may optionally pass this,
115: or another value, back in the _�c_�o_�m_�m_�a_�n_�d_�__�i_�n_�f_�o list.
116:
117: debug_flags=string
118: A comma-separated list of debug flags that correspond
119: to s�su�ud�do�o's Debug entry in sudo.conf(4), if there is one.
120: The flags are passed to the plugin as they appear in
121: sudo.conf(4). The syntax used by s�su�ud�do�o and the s�su�ud�do�oe�er�rs�s
122: plugin is _�s_�u_�b_�s_�y_�s_�t_�e_�m@_�p_�r_�i_�o_�r_�i_�t_�y but the plugin is free to
123: use a different format so long as it does not include a
124: comma (`,'). There is not currently a way to specify a
125: set of debug flags specific to the plugin--the flags
126: are shared by s�su�ud�do�o and the plugin.
127:
128: debug_level=number
129: This setting has been deprecated in favor of
130: _�d_�e_�b_�u_�g_�__�f_�l_�a_�g_�s.
131:
132: ignore_ticket=bool
133: Set to true if the user specified the -�-k�k flag along
134: with a command, indicating that the user wishes to
135: ignore any cached authentication credentials.
136: _�i_�m_�p_�l_�i_�e_�d_�__�s_�h_�e_�l_�l to true. This allows s�su�ud�do�o with no
137: arguments to be used similarly to su(1). If the plugin
138: does not to support this usage, it may return a value
139: of -2 from the c�ch�he�ec�ck�k_�_p�po�ol�li�ic�cy�y() function, which will
140: cause s�su�ud�do�o to print a usage message and exit.
141:
142: implied_shell=bool
143: If the user does not specify a program on the command
144: line, s�su�ud�do�o will pass the plugin the path to the user's
145: shell and set
146:
147: login_class=string
148: BSD login class to use when setting resource limits and
149: nice value, if specified by the -�-c�c flag.
150:
151: login_shell=bool
152: Set to true if the user specified the -�-i�i flag,
153: indicating that the user wishes to run a login shell.
154:
155: max_groups=int
156: The maximum number of groups a user may belong to.
157: This will only be present if there is a corresponding
158: setting in sudo.conf(4).
159:
160: network_addrs=list
161: A space-separated list of IP network addresses and
162: netmasks in the form ``addr/netmask'', e.g.
163: ``192.168.1.2/255.255.255.0''. The address and netmask
164: pairs may be either IPv4 or IPv6, depending on what the
165: operating system supports. If the address contains a
166: colon (`:'), it is an IPv6 address, else it is IPv4.
167:
168: noninteractive=bool
169: Set to true if the user specified the -�-n�n flag,
170: indicating that s�su�ud�do�o should operate in non-interactive
171: mode. The plugin may reject a command run in non-
172: interactive mode if user interaction is required.
173:
174: plugin_dir=string
175: The default plugin directory used by the s�su�ud�do�o front
176: end. This is the default directory set at compile time
177: and may not correspond to the directory the running
178: plugin was loaded from. It may be used by a plugin to
179: locate support files.
180:
181: preserve_environment=bool
182: Set to true if the user specified the -�-E�E flag,
183: indicating that the user wishes to preserve the
184: environment.
185:
186: preserve_groups=bool
187: Set to true if the user specified the -�-P�P flag,
188: indicating that the user wishes to preserve the group
189: vector instead of setting it based on the runas user.
190:
191: progname=string
192: The command name that sudo was run as, typically
193: ``sudo'' or ``sudoedit''.
194:
195: prompt=string
196: The prompt to use when requesting a password, if
197: specified via the -�-p�p flag.
198:
199: remote_host=string
200: The name of the remote host to run the command on, if
201: specified via the -�-h�h option. Support for running the
202: command on a remote host is meant to be implemented via
203: a helper program that is executed in place of the user-
204: specified command. The s�su�ud�do�o front end is only capable
205: of executing commands on the local host. Only
206: available starting with API version 1.4.
207:
208: run_shell=bool
209: Set to true if the user specified the -�-s�s flag,
210: indicating that the user wishes to run a shell.
211:
212: runas_group=string
213: The group name or gid to run the command as, if
214: specified via the -�-g�g flag.
215:
216: runas_user=string
217: The user name or uid to run the command as, if
218: specified via the -�-u�u flag.
219:
220: selinux_role=string
221: SELinux role to use when executing the command, if
222: specified by the -�-r�r flag.
223:
224: selinux_type=string
225: SELinux type to use when executing the command, if
226: specified by the -�-t�t flag.
227:
228: set_home=bool
229: Set to true if the user specified the -�-H�H flag. If
230: true, set the HOME environment variable to the target
231: user's home directory.
232:
233: sudoedit=bool
234: Set to true when the -�-e�e flag is is specified or if
235: invoked as s�su�ud�do�oe�ed�di�it�t. The plugin shall substitute an
236: editor into _�a_�r_�g_�v in the c�ch�he�ec�ck�k_�_p�po�ol�li�ic�cy�y() function or
237: return -2 with a usage error if the plugin does not
238: support _�s_�u_�d_�o_�e_�d_�i_�t. For more information, see the
239: _�c_�h_�e_�c_�k_�__�p_�o_�l_�i_�c_�y section.
240:
241: Additional settings may be added in the future so the plugin
242: should silently ignore settings that it does not recognize.
243:
244: user_info
245: A vector of information about the user running the command in
246: the form of ``name=value'' strings. The vector is terminated
247: by a NULL pointer.
248:
249: When parsing _�u_�s_�e_�r_�__�i_�n_�f_�o, the plugin should split on the f�fi�ir�rs�st�t
250: equal sign (`=') since the _�n_�a_�m_�e field will never include one
251: itself but the _�v_�a_�l_�u_�e might.
252:
253: cols=int
254: The number of columns the user's terminal supports. If
255: there is no terminal device available, a default value
256: of 80 is used.
257:
258: cwd=string
259: The user's current working directory.
260:
261: egid=gid_t
262: The effective group ID of the user invoking s�su�ud�do�o.
263:
264: euid=uid_t
265: The effective user ID of the user invoking s�su�ud�do�o.
266:
267: gid=gid_t
268: The real group ID of the user invoking s�su�ud�do�o.
269:
270: groups=list
271: The user's supplementary group list formatted as a
272: string of comma-separated group IDs.
273:
274: host=string
275: The local machine's hostname as returned by the
276: gethostname(2) system call.
277:
278: lines=int
279: The number of lines the user's terminal supports. If
280: there is no terminal device available, a default value
281: of 24 is used.
282:
283: pgid=int
284: The ID of the process group that the running s�su�ud�do�o
285: process is a member of. Only available starting with
286: API version 1.2.
287:
288: pid=int
289: The process ID of the running s�su�ud�do�o process. Only
290: available starting with API version 1.2.
291:
292: plugin_options
293: Any (non-comment) strings immediately after the plugin
294: path are passed as arguments to the plugin. These
295: arguments are split on a white space boundary and are
296: passed to the plugin in the form of a NULL-terminated
297: array of strings. If no arguments were specified,
298: _�p_�l_�u_�g_�i_�n_�__�o_�p_�t_�i_�o_�n_�s will be the NULL pointer.
299:
300: NOTE: the _�p_�l_�u_�g_�i_�n_�__�o_�p_�t_�i_�o_�n_�s parameter is only available
301: starting with API version 1.2. A plugin m�mu�us�st�t check the
302: API version specified by the s�su�ud�do�o front end before
303: using _�p_�l_�u_�g_�i_�n_�__�o_�p_�t_�i_�o_�n_�s. Failure to do so may result in a
304: crash.
305:
306: ppid=int
307: The parent process ID of the running s�su�ud�do�o process.
308: Only available starting with API version 1.2.
309:
310: sid=int
311: The session ID of the running s�su�ud�do�o process or 0 if s�su�ud�do�o
312: is not part of a POSIX job control session. Only
313: available starting with API version 1.2.
314:
315: tcpgid=int
316: The ID of the foreground process group associated with
317: the terminal device associated with the s�su�ud�do�o process or
318: -1 if there is no terminal present. Only available
319: starting with API version 1.2.
320:
321: tty=string
322: The path to the user's terminal device. If the user
323: has no terminal device associated with the session, the
324: value will be empty, as in ``tty=''.
325:
326: uid=uid_t
327: The real user ID of the user invoking s�su�ud�do�o.
328:
329: user=string
330: The name of the user invoking s�su�ud�do�o.
331:
332: user_env
333: The user's environment in the form of a NULL-terminated
334: vector of ``name=value'' strings.
335:
336: When parsing _�u_�s_�e_�r_�__�e_�n_�v, the plugin should split on the f�fi�ir�rs�st�t
337: equal sign (`=') since the _�n_�a_�m_�e field will never include one
338: itself but the _�v_�a_�l_�u_�e might.
339:
340: close
341: void (*close)(int exit_status, int error);
342:
343: The c�cl�lo�os�se�e() function is called when the command being run by s�su�ud�do�o
344: finishes.
345:
346: The function arguments are as follows:
347:
348: exit_status
349: The command's exit status, as returned by the wait(2) system
350: call. The value of exit_status is undefined if error is non-
351: zero.
352:
353: error
354: If the command could not be executed, this is set to the
355: value of errno set by the execve(2) system call. The plugin
356: is responsible for displaying error information via the
357: c�co�on�nv�ve�er�rs�sa�at�ti�io�on�n() or p�pl�lu�ug�gi�in�n_�_p�pr�ri�in�nt�tf�f() function. If the command
358: was successfully executed, the value of error is 0.
359:
360: If no c�cl�lo�os�se�e() function is defined, no I/O logging plugins are
361: loaded, and neither the _�t_�i_�m_�e_�o_�u_�t not _�u_�s_�e_�__�p_�t_�y options are set in the
362: command_info list, the s�su�ud�do�o front end may execute the command
363: directly instead of running it as a child process.
364:
365: show_version
366: int (*show_version)(int verbose);
367:
368: The s�sh�ho�ow�w_�_v�ve�er�rs�si�io�on�n() function is called by s�su�ud�do�o when the user
369: specifies the -�-V�V option. The plugin may display its version
370: information to the user via the c�co�on�nv�ve�er�rs�sa�at�ti�io�on�n() or p�pl�lu�ug�gi�in�n_�_p�pr�ri�in�nt�tf�f()
371: function using SUDO_CONV_INFO_MSG. If the user requests detailed
372: version information, the verbose flag will be set.
373:
374: check_policy
375: int (*check_policy)(int argc, char * const argv[]
376: char *env_add[], char **command_info[],
377: char **argv_out[], char **user_env_out[]);
378:
379: The c�ch�he�ec�ck�k_�_p�po�ol�li�ic�cy�y() function is called by s�su�ud�do�o to determine whether
380: the user is allowed to run the specified commands.
381:
382: If the _�s_�u_�d_�o_�e_�d_�i_�t option was enabled in the _�s_�e_�t_�t_�i_�n_�g_�s array passed to
383: the o�op�pe�en�n() function, the user has requested _�s_�u_�d_�o_�e_�d_�i_�t mode.
384: _�s_�u_�d_�o_�e_�d_�i_�t is a mechanism for editing one or more files where an
385: editor is run with the user's credentials instead of with elevated
386: privileges. s�su�ud�do�o achieves this by creating user-writable temporary
387: copies of the files to be edited and then overwriting the originals
388: with the temporary copies after editing is complete. If the plugin
389: supports _�s_�u_�d_�o_�e_�d_�i_�t, it should choose the editor to be used,
390: potentially from a variable in the user's environment, such as
391: EDITOR, and include it in _�a_�r_�g_�v_�__�o_�u_�t (note that environment variables
392: may include command line flags). The files to be edited should be
393: copied from _�a_�r_�g_�v into _�a_�r_�g_�v_�__�o_�u_�t, separated from the editor and its
394: arguments by a ``--'' element. The ``--'' will be removed by s�su�ud�do�o
395: before the editor is executed. The plugin should also set
396: _�s_�u_�d_�o_�e_�d_�i_�t_�=_�t_�r_�u_�e in the _�c_�o_�m_�m_�a_�n_�d_�__�i_�n_�f_�o list.
397:
398: The c�ch�he�ec�ck�k_�_p�po�ol�li�ic�cy�y() function returns 1 if the command is allowed, 0
399: if not allowed, -1 for a general error, or -2 for a usage error or
400: if _�s_�u_�d_�o_�e_�d_�i_�t was specified but is unsupported by the plugin. In the
401: latter case, s�su�ud�do�o will print a usage message before it exits. If
402: an error occurs, the plugin may optionally call the c�co�on�nv�ve�er�rs�sa�at�ti�io�on�n()
403: or p�pl�lu�ug�gi�in�n_�_p�pr�ri�in�nt�tf�f() function with SUDO_CONF_ERROR_MSG to present
404: additional error information to the user.
405:
406: The function arguments are as follows:
407:
408: argc The number of elements in _�a_�r_�g_�v, not counting the final NULL
409: pointer.
410:
411: argv The argument vector describing the command the user wishes to
412: run, in the same form as what would be passed to the
413: execve(2) system call. The vector is terminated by a NULL
414: pointer.
415:
416: env_add
417: Additional environment variables specified by the user on the
418: command line in the form of a NULL-terminated vector of
419: ``name=value'' strings. The plugin may reject the command if
420: one or more variables are not allowed to be set, or it may
421: silently ignore such variables.
422:
423: When parsing _�e_�n_�v_�__�a_�d_�d, the plugin should split on the f�fi�ir�rs�st�t
424: equal sign (`=') since the _�n_�a_�m_�e field will never include one
425: itself but the _�v_�a_�l_�u_�e might.
426:
427: command_info
428: Information about the command being run in the form of
429: ``name=value'' strings. These values are used by s�su�ud�do�o to set
430: the execution environment when running a command. The plugin
431: is responsible for creating and populating the vector, which
432: must be terminated with a NULL pointer. The following values
433: are recognized by s�su�ud�do�o:
434:
435: chroot=string
436: The root directory to use when running the command.
437:
438: closefrom=number
439: If specified, s�su�ud�do�o will close all files descriptors
440: with a value of _�n_�u_�m_�b_�e_�r or higher.
441:
442: command=string
443: Fully qualified path to the command to be executed.
444:
445: cwd=string
446: The current working directory to change to when
447: executing the command.
448:
449: exec_background=bool
450: By default, s�su�ud�do�o runs a command as the foreground
451: process as long as s�su�ud�do�o itself is running in the
452: foreground. When _�e_�x_�e_�c_�__�b_�a_�c_�k_�g_�r_�o_�u_�n_�d is enabled and the
453: command is being run in a pty (due to I/O logging or
454: the _�u_�s_�e_�__�p_�t_�y setting), the command will be run as a
455: background process. Attempts to read from the
456: controlling terminal (or to change terminal settings)
457: will result in the command being suspended with the
458: SIGTTIN signal (or SIGTTOU in the case of terminal
459: settings). If this happens when s�su�ud�do�o is a foreground
460: process, the command will be granted the controlling
461: terminal and resumed in the foreground with no user
462: intervention required. The advantage of initially
463: running the command in the background is that s�su�ud�do�o need
464: not read from the terminal unless the command
465: explicitly requests it. Otherwise, any terminal input
466: must be passed to the command, whether it has required
467: it or not (the kernel buffers terminals so it is not
468: possible to tell whether the command really wants the
469: input). This is different from historic _�s_�u_�d_�o behavior
470: or when the command is not being run in a pty.
471:
472: For this to work seamlessly, the operating system must
473: support the automatic restarting of system calls.
474: Unfortunately, not all operating systems do this by
475: default, and even those that do may have bugs. For
476: example, Mac OS X fails to restart the t�tc�cg�ge�et�ta�at�tt�tr�r() and
477: t�tc�cs�se�et�ta�at�tt�tr�r() system calls (this is a bug in Mac OS X).
478: Furthermore, because this behavior depends on the
479: command stopping with the SIGTTIN or SIGTTOU signals,
480: programs that catch these signals and suspend
481: themselves with a different signal (usually SIGTOP)
482: will not be automatically foregrounded. Some versions
483: of the linux su(1) command behave this way. Because of
484: this, a plugin should not set _�e_�x_�e_�c_�__�b_�a_�c_�k_�g_�r_�o_�u_�n_�d unless it
485: is explicitly enabled by the administrator and there
486: should be a way to enabled or disable it on a per-
487: command basis.
488:
489: This setting has no effect unless I/O logging is
490: enabled or _�u_�s_�e_�__�p_�t_�y is enabled.
491:
492: iolog_compress=bool
493: Set to true if the I/O logging plugins, if any, should
494: compress the log data. This is a hint to the I/O
495: logging plugin which may choose to ignore it.
496:
497: iolog_path=string
498: Fully qualified path to the file or directory in which
499: I/O log is to be stored. This is a hint to the I/O
500: logging plugin which may choose to ignore it. If no
501: I/O logging plugin is loaded, this setting has no
502: effect.
503:
504: iolog_stdin=bool
505: Set to true if the I/O logging plugins, if any, should
506: log the standard input if it is not connected to a
507: terminal device. This is a hint to the I/O logging
508: plugin which may choose to ignore it.
509:
510: iolog_stdout=bool
511: Set to true if the I/O logging plugins, if any, should
512: log the standard output if it is not connected to a
513: terminal device. This is a hint to the I/O logging
514: plugin which may choose to ignore it.
515:
516: iolog_stderr=bool
517: Set to true if the I/O logging plugins, if any, should
518: log the standard error if it is not connected to a
519: terminal device. This is a hint to the I/O logging
520: plugin which may choose to ignore it.
521:
522: iolog_ttyin=bool
523: Set to true if the I/O logging plugins, if any, should
524: log all terminal input. This only includes input typed
525: by the user and not from a pipe or redirected from a
526: file. This is a hint to the I/O logging plugin which
527: may choose to ignore it.
528:
529: iolog_ttyout=bool
530: Set to true if the I/O logging plugins, if any, should
531: log all terminal output. This only includes output to
532: the screen, not output to a pipe or file. This is a
533: hint to the I/O logging plugin which may choose to
534: ignore it.
535:
536: login_class=string
537: BSD login class to use when setting resource limits and
538: nice value (optional). This option is only set on
539: systems that support login classes.
540:
541: nice=int
542: Nice value (priority) to use when executing the
543: command. The nice value, if specified, overrides the
544: priority associated with the _�l_�o_�g_�i_�n_�__�c_�l_�a_�s_�s on BSD
545: systems.
546:
547: noexec=bool
548: If set, prevent the command from executing other
549: programs.
550:
551: preserve_fds=list
552: A comma-separated list of file descriptors that should
553: be preserved, regardless of the value of the _�c_�l_�o_�s_�e_�f_�r_�o_�m
554: setting. Only available starting with API version 1.5.
555:
556: preserve_groups=bool
557: If set, s�su�ud�do�o will preserve the user's group vector
558: instead of initializing the group vector based on
559: runas_user.
560:
561: runas_egid=gid
562: Effective group ID to run the command as. If not
563: specified, the value of _�r_�u_�n_�a_�s_�__�g_�i_�d is used.
564:
565: runas_euid=uid
566: Effective user ID to run the command as. If not
567: specified, the value of _�r_�u_�n_�a_�s_�__�u_�i_�d is used.
568:
569: runas_gid=gid
570: Group ID to run the command as.
571:
572: runas_groups=list
573: The supplementary group vector to use for the command
574: in the form of a comma-separated list of group IDs. If
575: _�p_�r_�e_�s_�e_�r_�v_�e_�__�g_�r_�o_�u_�p_�s is set, this option is ignored.
576:
577: runas_uid=uid
578: User ID to run the command as.
579:
580: selinux_role=string
581: SELinux role to use when executing the command.
582:
583: selinux_type=string
584: SELinux type to use when executing the command.
585:
586: set_utmp=bool
587: Create a utmp (or utmpx) entry when a pseudo-tty is
588: allocated. By default, the new entry will be a copy of
589: the user's existing utmp entry (if any), with the tty,
590: time, type and pid fields updated.
591:
592: sudoedit=bool
593: Set to true when in _�s_�u_�d_�o_�e_�d_�i_�t mode. The plugin may
594: enable _�s_�u_�d_�o_�e_�d_�i_�t mode even if s�su�ud�do�o was not invoked as
595: s�su�ud�do�oe�ed�di�it�t. This allows the plugin to perform command
596: substitution and transparently enable _�s_�u_�d_�o_�e_�d_�i_�t when the
597: user attempts to run an editor.
598:
599: timeout=int
600: Command timeout. If non-zero then when the timeout
601: expires the command will be killed.
602:
603: umask=octal
604: The file creation mask to use when executing the
605: command.
606:
607: use_pty=bool
608: Allocate a pseudo-tty to run the command in, regardless
609: of whether or not I/O logging is in use. By default,
610: s�su�ud�do�o will only run the command in a pty when an I/O log
611: plugin is loaded.
612:
613: utmp_user=string
614: User name to use when constructing a new utmp (or
615: utmpx) entry when _�s_�e_�t_�__�u_�t_�m_�p is enabled. This option can
616: be used to set the user field in the utmp entry to the
617: user the command runs as rather than the invoking user.
618: If not set, s�su�ud�do�o will base the new entry on the
619: invoking user's existing entry.
620:
621: Unsupported values will be ignored.
622:
623: argv_out
624: The NULL-terminated argument vector to pass to the execve(2)
625: system call when executing the command. The plugin is
626: responsible for allocating and populating the vector.
627:
628: user_env_out
629: The NULL-terminated environment vector to use when executing
630: the command. The plugin is responsible for allocating and
631: populating the vector.
632:
633: list
634: int (*list)(int verbose, const char *list_user,
635: int argc, char * const argv[]);
636:
637: List available privileges for the invoking user. Returns 1 on
638: success, 0 on failure and -1 on error. On error, the plugin may
639: optionally call the c�co�on�nv�ve�er�rs�sa�at�ti�io�on�n() or p�pl�lu�ug�gi�in�n_�_p�pr�ri�in�nt�tf�f() function with
640: SUDO_CONF_ERROR_MSG to present additional error information to the
641: user.
642:
643: Privileges should be output via the c�co�on�nv�ve�er�rs�sa�at�ti�io�on�n() or
644: p�pl�lu�ug�gi�in�n_�_p�pr�ri�in�nt�tf�f() function using SUDO_CONV_INFO_MSG,
645:
646: verbose
647: Flag indicating whether to list in verbose mode or not.
648:
649: list_user
650: The name of a different user to list privileges for if the
651: policy allows it. If NULL, the plugin should list the
652: privileges of the invoking user.
653:
654: argc The number of elements in _�a_�r_�g_�v, not counting the final NULL
655: pointer.
656:
657: argv If non-NULL, an argument vector describing a command the user
658: wishes to check against the policy in the same form as what
659: would be passed to the execve(2) system call. If the command
660: is permitted by the policy, the fully-qualified path to the
661: command should be displayed along with any command line
662: arguments.
663:
664: validate
665: int (*validate)(void);
666:
667: The v�va�al�li�id�da�at�te�e() function is called when s�su�ud�do�o is run with the -�-v�v
668: flag. For policy plugins such as s�su�ud�do�oe�er�rs�s that cache authentication
669: credentials, this function will validate and cache the credentials.
670:
671: The v�va�al�li�id�da�at�te�e() function should be NULL if the plugin does not
672: support credential caching.
673:
674: Returns 1 on success, 0 on failure and -1 on error. On error, the
675: plugin may optionally call the c�co�on�nv�ve�er�rs�sa�at�ti�io�on�n() or p�pl�lu�ug�gi�in�n_�_p�pr�ri�in�nt�tf�f()
676: function with SUDO_CONF_ERROR_MSG to present additional error
677: information to the user.
678:
679: invalidate
680: void (*invalidate)(int remove);
681:
682: The i�in�nv�va�al�li�id�da�at�te�e() function is called when s�su�ud�do�o is called with the -�-k�k
683: or -�-K�K flag. For policy plugins such as s�su�ud�do�oe�er�rs�s that cache
684: authentication credentials, this function will invalidate the
685: credentials. If the _�r_�e_�m_�o_�v_�e flag is set, the plugin may remove the
686: credentials instead of simply invalidating them.
687:
688: The i�in�nv�va�al�li�id�da�at�te�e() function should be NULL if the plugin does not
689: support credential caching.
690:
691: init_session
692: int (*init_session)(struct passwd *pwd, char **user_envp[);
693:
694: The i�in�ni�it�t_�_s�se�es�ss�si�io�on�n() function is called before s�su�ud�do�o sets up the
695: execution environment for the command. It is run in the parent
696: s�su�ud�do�o process and before any uid or gid changes. This can be used
697: to perform session setup that is not supported by _�c_�o_�m_�m_�a_�n_�d_�__�i_�n_�f_�o,
698: such as opening the PAM session. The c�cl�lo�os�se�e() function can be used
699: to tear down the session that was opened by init_session.
700:
701: The _�p_�w_�d argument points to a passwd struct for the user the command
702: will be run as if the uid the command will run as was found in the
703: password database, otherwise it will be NULL.
704:
705: The _�u_�s_�e_�r_�__�e_�n_�v argument points to the environment the command will
706: run in, in the form of a NULL-terminated vector of ``name=value''
707: strings. This is the same string passed back to the front end via
708: the Policy Plugin's _�u_�s_�e_�r_�__�e_�n_�v_�__�o_�u_�t parameter. If the i�in�ni�it�t_�_s�se�es�ss�si�io�on�n()
709: function needs to modify the user environment, it should update the
710: pointer stored in _�u_�s_�e_�r_�__�e_�n_�v. The expected use case is to merge the
711: contents of the PAM environment (if any) with the contents of
712: _�u_�s_�e_�r_�__�e_�n_�v. NOTE: the _�u_�s_�e_�r_�__�e_�n_�v parameter is only available starting
713: with API version 1.2. A plugin m�mu�us�st�t check the API version
714: specified by the s�su�ud�do�o front end before using _�u_�s_�e_�r_�__�e_�n_�v. Failure to
715: do so may result in a crash.
716:
717: Returns 1 on success, 0 on failure and -1 on error. On error, the
718: plugin may optionally call the c�co�on�nv�ve�er�rs�sa�at�ti�io�on�n() or p�pl�lu�ug�gi�in�n_�_p�pr�ri�in�nt�tf�f()
719: function with SUDO_CONF_ERROR_MSG to present additional error
720: information to the user.
721:
722: register_hooks
723: void (*register_hooks)(int version,
724: int (*register_hook)(struct sudo_hook *hook));
725:
726: The r�re�eg�gi�is�st�te�er�r_�_h�ho�oo�ok�ks�s() function is called by the sudo front end to
727: register any hooks the plugin needs. If the plugin does not
728: support hooks, register_hooks should be set to the NULL pointer.
729:
730: The _�v_�e_�r_�s_�i_�o_�n argument describes the version of the hooks API
731: supported by the s�su�ud�do�o front end.
732:
733: The r�re�eg�gi�is�st�te�er�r_�_h�ho�oo�ok�k() function should be used to register any
734: supported hooks the plugin needs. It returns 0 on success, 1 if
735: the hook type is not supported and -1 if the major version in
736: struct hook does not match the front end's major hook API version.
737:
738: See the _�H_�o_�o_�k _�f_�u_�n_�c_�t_�i_�o_�n _�A_�P_�I section below for more information about
739: hooks.
740:
741: NOTE: the r�re�eg�gi�is�st�te�er�r_�_h�ho�oo�ok�ks�s() function is only available starting with
742: API version 1.2. If the s�su�ud�do�o front end doesn't support API version
743: 1.2 or higher, register_hooks will not be called.
744:
745: deregister_hooks
746: void (*deregister_hooks)(int version,
747: int (*deregister_hook)(struct sudo_hook *hook));
748:
749: The d�de�er�re�eg�gi�is�st�te�er�r_�_h�ho�oo�ok�ks�s() function is called by the sudo front end to
750: deregister any hooks the plugin has registered. If the plugin does
751: not support hooks, deregister_hooks should be set to the NULL
752: pointer.
753:
754: The _�v_�e_�r_�s_�i_�o_�n argument describes the version of the hooks API
755: supported by the s�su�ud�do�o front end.
756:
757: The d�de�er�re�eg�gi�is�st�te�er�r_�_h�ho�oo�ok�k() function should be used to deregister any
758: hooks that were put in place by the r�re�eg�gi�is�st�te�er�r_�_h�ho�oo�ok�k() function. If
759: the plugin tries to deregister a hook that the front end does not
760: support, deregister_hook will return an error.
761:
762: See the _�H_�o_�o_�k _�f_�u_�n_�c_�t_�i_�o_�n _�A_�P_�I section below for more information about
763: hooks.
764:
765: NOTE: the d�de�er�re�eg�gi�is�st�te�er�r_�_h�ho�oo�ok�ks�s() function is only available starting
766: with API version 1.2. If the s�su�ud�do�o front end doesn't support API
767: version 1.2 or higher, deregister_hooks will not be called.
768:
769: _�P_�o_�l_�i_�c_�y _�P_�l_�u_�g_�i_�n _�V_�e_�r_�s_�i_�o_�n _�M_�a_�c_�r_�o_�s
770:
771: /* Plugin API version major/minor. */
772: #define SUDO_API_VERSION_MAJOR 1
773: #define SUDO_API_VERSION_MINOR 2
774: #define SUDO_API_MKVERSION(x, y) ((x << 16) | y)
775: #define SUDO_API_VERSION SUDO_API_MKVERSION(SUDO_API_VERSION_MAJOR,\
776: SUDO_API_VERSION_MINOR)
777:
778: /* Getters and setters for API version */
779: #define SUDO_API_VERSION_GET_MAJOR(v) ((v) >> 16)
780: #define SUDO_API_VERSION_GET_MINOR(v) ((v) & 0xffff)
781: #define SUDO_API_VERSION_SET_MAJOR(vp, n) do { \
782: *(vp) = (*(vp) & 0x0000ffff) | ((n) << 16); \
783: } while(0)
784: #define SUDO_VERSION_SET_MINOR(vp, n) do { \
785: *(vp) = (*(vp) & 0xffff0000) | (n); \
786: } while(0)
787:
788: I�I/�/O�O p�pl�lu�ug�gi�in�n A�AP�PI�I
789: struct io_plugin {
790: #define SUDO_IO_PLUGIN 2
791: unsigned int type; /* always SUDO_IO_PLUGIN */
792: unsigned int version; /* always SUDO_API_VERSION */
793: int (*open)(unsigned int version, sudo_conv_t conversation,
794: sudo_printf_t plugin_printf, char * const settings[],
795: char * const user_info[], char * const command_info[],
796: int argc, char * const argv[], char * const user_env[],
797: char * const plugin_options[]);
798: void (*close)(int exit_status, int error); /* wait status or error */
799: int (*show_version)(int verbose);
800: int (*log_ttyin)(const char *buf, unsigned int len);
801: int (*log_ttyout)(const char *buf, unsigned int len);
802: int (*log_stdin)(const char *buf, unsigned int len);
803: int (*log_stdout)(const char *buf, unsigned int len);
804: int (*log_stderr)(const char *buf, unsigned int len);
805: void (*register_hooks)(int version,
806: int (*register_hook)(struct sudo_hook *hook));
807: void (*deregister_hooks)(int version,
808: int (*deregister_hook)(struct sudo_hook *hook));
809: };
810:
811: When an I/O plugin is loaded, s�su�ud�do�o runs the command in a pseudo-tty.
812: This makes it possible to log the input and output from the user's
813: session. If any of the standard input, standard output or standard error
814: do not correspond to a tty, s�su�ud�do�o will open a pipe to capture the I/O for
815: logging before passing it on.
816:
817: The log_ttyin function receives the raw user input from the terminal
818: device (note that this will include input even when echo is disabled,
819: such as when a password is read). The log_ttyout function receives
820: output from the pseudo-tty that is suitable for replaying the user's
821: session at a later time. The l�lo�og�g_�_s�st�td�di�in�n(), l�lo�og�g_�_s�st�td�do�ou�ut�t() and l�lo�og�g_�_s�st�td�de�er�rr�r()
822: functions are only called if the standard input, standard output or
823: standard error respectively correspond to something other than a tty.
824:
825: Any of the logging functions may be set to the NULL pointer if no logging
826: is to be performed. If the open function returns 0, no I/O will be sent
827: to the plugin.
828:
829: The io_plugin struct has the following fields:
830:
831: type The type field should always be set to SUDO_IO_PLUGIN.
832:
833: version
834: The version field should be set to SUDO_API_VERSION.
835:
836: This allows s�su�ud�do�o to determine the API version the plugin was built
837: against.
838:
839: open
840: int (*open)(unsigned int version, sudo_conv_t conversation,
841: sudo_printf_t plugin_printf, char * const settings[],
842: char * const user_info[], int argc, char * const argv[],
843: char * const user_env[], char * const plugin_options[]);
844:
845: The o�op�pe�en�n() function is run before the l�lo�og�g_�_i�in�np�pu�ut�t(), l�lo�og�g_�_o�ou�ut�tp�pu�ut�t() or
846: s�sh�ho�ow�w_�_v�ve�er�rs�si�io�on�n() functions are called. It is only called if the
847: version is being requested or the c�ch�he�ec�ck�k_�_p�po�ol�li�ic�cy�y() function has
848: returned successfully. It returns 1 on success, 0 on failure, -1
849: if a general error occurred, or -2 if there was a usage error. In
850: the latter case, s�su�ud�do�o will print a usage message before it exits.
851: If an error occurs, the plugin may optionally call the
852: c�co�on�nv�ve�er�rs�sa�at�ti�io�on�n() or p�pl�lu�ug�gi�in�n_�_p�pr�ri�in�nt�tf�f() function with SUDO_CONF_ERROR_MSG
853: to present additional error information to the user.
854:
855: The function arguments are as follows:
856:
857: version
858: The version passed in by s�su�ud�do�o allows the plugin to determine
859: the major and minor version number of the plugin API
860: supported by s�su�ud�do�o.
861:
862: conversation
863: A pointer to the c�co�on�nv�ve�er�rs�sa�at�ti�io�on�n() function that may be used by
864: the s�sh�ho�ow�w_�_v�ve�er�rs�si�io�on�n() function to display version information
865: (see s�sh�ho�ow�w_�_v�ve�er�rs�si�io�on�n() below). The c�co�on�nv�ve�er�rs�sa�at�ti�io�on�n() function may
866: also be used to display additional error message to the user.
867: The c�co�on�nv�ve�er�rs�sa�at�ti�io�on�n() function returns 0 on success and -1 on
868: failure.
869:
870: plugin_printf
871: A pointer to a p�pr�ri�in�nt�tf�f()-style function that may be used by
872: the s�sh�ho�ow�w_�_v�ve�er�rs�si�io�on�n() function to display version information
873: (see show_version below). The p�pl�lu�ug�gi�in�n_�_p�pr�ri�in�nt�tf�f() function may
874: also be used to display additional error message to the user.
875: The p�pl�lu�ug�gi�in�n_�_p�pr�ri�in�nt�tf�f() function returns number of characters
876: printed on success and -1 on failure.
877:
878: settings
879: A vector of user-supplied s�su�ud�do�o settings in the form of
880: ``name=value'' strings. The vector is terminated by a NULL
881: pointer. These settings correspond to flags the user
882: specified when running s�su�ud�do�o. As such, they will only be
883: present when the corresponding flag has been specified on the
884: command line.
885:
886: When parsing _�s_�e_�t_�t_�i_�n_�g_�s, the plugin should split on the f�fi�ir�rs�st�t
887: equal sign (`=') since the _�n_�a_�m_�e field will never include one
888: itself but the _�v_�a_�l_�u_�e might.
889:
890: See the _�P_�o_�l_�i_�c_�y _�p_�l_�u_�g_�i_�n _�A_�P_�I section for a list of all possible
891: settings.
892:
893: user_info
894: A vector of information about the user running the command in
895: the form of ``name=value'' strings. The vector is terminated
896: by a NULL pointer.
897:
898: When parsing _�u_�s_�e_�r_�__�i_�n_�f_�o, the plugin should split on the f�fi�ir�rs�st�t
899: equal sign (`=') since the _�n_�a_�m_�e field will never include one
900: itself but the _�v_�a_�l_�u_�e might.
901:
902: See the _�P_�o_�l_�i_�c_�y _�p_�l_�u_�g_�i_�n _�A_�P_�I section for a list of all possible
903: strings.
904:
905: argc The number of elements in _�a_�r_�g_�v, not counting the final NULL
906: pointer.
907:
908: argv If non-NULL, an argument vector describing a command the user
909: wishes to run in the same form as what would be passed to the
910: execve(2) system call.
911:
912: user_env
913: The user's environment in the form of a NULL-terminated
914: vector of ``name=value'' strings.
915:
916: When parsing _�u_�s_�e_�r_�__�e_�n_�v, the plugin should split on the f�fi�ir�rs�st�t
917: equal sign (`=') since the _�n_�a_�m_�e field will never include one
918: itself but the _�v_�a_�l_�u_�e might.
919:
920: plugin_options
921: Any (non-comment) strings immediately after the plugin path
922: are treated as arguments to the plugin. These arguments are
923: split on a white space boundary and are passed to the plugin
924: in the form of a NULL-terminated array of strings. If no
925: arguments were specified, _�p_�l_�u_�g_�i_�n_�__�o_�p_�t_�i_�o_�n_�s will be the NULL
926: pointer.
927:
928: NOTE: the _�p_�l_�u_�g_�i_�n_�__�o_�p_�t_�i_�o_�n_�s parameter is only available starting
929: with API version 1.2. A plugin m�mu�us�st�t check the API version
930: specified by the s�su�ud�do�o front end before using _�p_�l_�u_�g_�i_�n_�__�o_�p_�t_�i_�o_�n_�s.
931: Failure to do so may result in a crash.
932:
933: close
934: void (*close)(int exit_status, int error);
935:
936: The c�cl�lo�os�se�e() function is called when the command being run by s�su�ud�do�o
937: finishes.
938:
939: The function arguments are as follows:
940:
941: exit_status
942: The command's exit status, as returned by the wait(2) system
943: call. The value of exit_status is undefined if error is non-
944: zero.
945:
946: error
947: If the command could not be executed, this is set to the
948: value of errno set by the execve(2) system call. If the
949: command was successfully executed, the value of error is 0.
950:
951: show_version
952: int (*show_version)(int verbose);
953:
954: The s�sh�ho�ow�w_�_v�ve�er�rs�si�io�on�n() function is called by s�su�ud�do�o when the user
955: specifies the -�-V�V option. The plugin may display its version
956: information to the user via the c�co�on�nv�ve�er�rs�sa�at�ti�io�on�n() or p�pl�lu�ug�gi�in�n_�_p�pr�ri�in�nt�tf�f()
957: function using SUDO_CONV_INFO_MSG. If the user requests detailed
958: version information, the verbose flag will be set.
959:
960: log_ttyin
961: int (*log_ttyin)(const char *buf, unsigned int len);
962:
963: The l�lo�og�g_�_t�tt�ty�yi�in�n() function is called whenever data can be read from
964: the user but before it is passed to the running command. This
965: allows the plugin to reject data if it chooses to (for instance if
966: the input contains banned content). Returns 1 if the data should
967: be passed to the command, 0 if the data is rejected (which will
968: terminate the command) or -1 if an error occurred.
969:
970: The function arguments are as follows:
971:
972: buf The buffer containing user input.
973:
974: len The length of _�b_�u_�f in bytes.
975:
976: log_ttyout
977: int (*log_ttyout)(const char *buf, unsigned int len);
978:
979: The l�lo�og�g_�_t�tt�ty�yo�ou�ut�t() function is called whenever data can be read from
980: the command but before it is written to the user's terminal. This
981: allows the plugin to reject data if it chooses to (for instance if
982: the output contains banned content). Returns 1 if the data should
983: be passed to the user, 0 if the data is rejected (which will
984: terminate the command) or -1 if an error occurred.
985:
986: The function arguments are as follows:
987:
988: buf The buffer containing command output.
989:
990: len The length of _�b_�u_�f in bytes.
991:
992: log_stdin
993: int (*log_stdin)(const char *buf, unsigned int len);
994:
995: The l�lo�og�g_�_s�st�td�di�in�n() function is only used if the standard input does
996: not correspond to a tty device. It is called whenever data can be
997: read from the standard input but before it is passed to the running
998: command. This allows the plugin to reject data if it chooses to
999: (for instance if the input contains banned content). Returns 1 if
1000: the data should be passed to the command, 0 if the data is rejected
1001: (which will terminate the command) or -1 if an error occurred.
1002:
1003: The function arguments are as follows:
1004:
1005: buf The buffer containing user input.
1006:
1007: len The length of _�b_�u_�f in bytes.
1008:
1009: log_stdout
1010: int (*log_stdout)(const char *buf, unsigned int len);
1011:
1012: The l�lo�og�g_�_s�st�td�do�ou�ut�t() function is only used if the standard output does
1013: not correspond to a tty device. It is called whenever data can be
1014: read from the command but before it is written to the standard
1015: output. This allows the plugin to reject data if it chooses to
1016: (for instance if the output contains banned content). Returns 1 if
1017: the data should be passed to the user, 0 if the data is rejected
1018: (which will terminate the command) or -1 if an error occurred.
1019:
1020: The function arguments are as follows:
1021:
1022: buf The buffer containing command output.
1023:
1024: len The length of _�b_�u_�f in bytes.
1025:
1026: log_stderr
1027: int (*log_stderr)(const char *buf, unsigned int len);
1028:
1029: The l�lo�og�g_�_s�st�td�de�er�rr�r() function is only used if the standard error does
1030: not correspond to a tty device. It is called whenever data can be
1031: read from the command but before it is written to the standard
1032: error. This allows the plugin to reject data if it chooses to (for
1033: instance if the output contains banned content). Returns 1 if the
1034: data should be passed to the user, 0 if the data is rejected (which
1035: will terminate the command) or -1 if an error occurred.
1036:
1037: The function arguments are as follows:
1038:
1039: buf The buffer containing command output.
1040:
1041: len The length of _�b_�u_�f in bytes.
1042:
1043: register_hooks
1044: See the _�P_�o_�l_�i_�c_�y _�p_�l_�u_�g_�i_�n _�A_�P_�I section for a description of
1045: register_hooks.
1046:
1047: deregister_hooks
1048: See the _�P_�o_�l_�i_�c_�y _�p_�l_�u_�g_�i_�n _�A_�P_�I section for a description of
1049: deregister_hooks.
1050:
1051: _�I_�/_�O _�P_�l_�u_�g_�i_�n _�V_�e_�r_�s_�i_�o_�n _�M_�a_�c_�r_�o_�s
1052:
1053: Same as for the _�P_�o_�l_�i_�c_�y _�p_�l_�u_�g_�i_�n _�A_�P_�I.
1054:
1055: S�Si�ig�gn�na�al�l h�ha�an�nd�dl�le�er�rs�s
1056: The s�su�ud�do�o front end installs default signal handlers to trap common
1057: signals while the plugin functions are run. The following signals are
1058: trapped by default before the command is executed:
1059:
1060: o�o SIGALRM
1061: o�o SIGHUP
1062: o�o SIGINT
1063: o�o SIGQUIT
1064: o�o SIGTERM
1065: o�o SIGTSTP
1066: o�o SIGUSR1
1067: o�o SIGUSR2
1068:
1069: If a fatal signal is received before the command is executed, s�su�ud�do�o will
1070: call the plugin's c�cl�lo�os�se�e() function with an exit status of 128 plus the
1071: value of the signal that was received. This allows for consistent
1072: logging of commands killed by a signal for plugins that log such
1073: information in their c�cl�lo�os�se�e() function.
1074:
1075: A plugin may temporarily install its own signal handlers but must restore
1076: the original handler before the plugin function returns.
1077:
1078: H�Ho�oo�ok�k f�fu�un�nc�ct�ti�io�on�n A�AP�PI�I
1079: Beginning with plugin API version 1.2, it is possible to install hooks
1080: for certain functions called by the s�su�ud�do�o front end.
1081:
1082: Currently, the only supported hooks relate to the handling of environment
1083: variables. Hooks can be used to intercept attempts to get, set, or
1084: remove environment variables so that these changes can be reflected in
1085: the version of the environment that is used to execute a command. A
1086: future version of the API will support hooking internal s�su�ud�do�o front end
1087: functions as well.
1088:
1089: _�H_�o_�o_�k _�s_�t_�r_�u_�c_�t_�u_�r_�e
1090:
1091: Hooks in s�su�ud�do�o are described by the following structure:
1092:
1093: typedef int (*sudo_hook_fn_t)();
1094:
1095: struct sudo_hook {
1096: int hook_version;
1097: int hook_type;
1098: sudo_hook_fn_t hook_fn;
1099: void *closure;
1100: };
1101:
1102: The sudo_hook structure has the following fields:
1103:
1104: hook_version
1105: The hook_version field should be set to SUDO_HOOK_VERSION.
1106:
1107: hook_type
1108: The hook_type field may be one of the following supported hook
1109: types:
1110:
1111: SUDO_HOOK_SETENV
1112: The C library setenv(3) function. Any registered hooks will
1113: run before the C library implementation. The hook_fn field
1114: should be a function that matches the following typedef:
1115:
1116: typedef int (*sudo_hook_fn_setenv_t)(const char *name,
1117: const char *value, int overwrite, void *closure);
1118:
1119: If the registered hook does not match the typedef the results
1120: are unspecified.
1121:
1122: SUDO_HOOK_UNSETENV
1123: The C library unsetenv(3) function. Any registered hooks
1124: will run before the C library implementation. The hook_fn
1125: field should be a function that matches the following
1126: typedef:
1127:
1128: typedef int (*sudo_hook_fn_unsetenv_t)(const char *name,
1129: void *closure);
1130:
1131: SUDO_HOOK_GETENV
1132: The C library getenv(3) function. Any registered hooks will
1133: run before the C library implementation. The hook_fn field
1134: should be a function that matches the following typedef:
1135:
1136: typedef int (*sudo_hook_fn_getenv_t)(const char *name,
1137: char **value, void *closure);
1138:
1139: If the registered hook does not match the typedef the results
1140: are unspecified.
1141:
1142: SUDO_HOOK_PUTENV
1143: The C library putenv(3) function. Any registered hooks will
1144: run before the C library implementation. The hook_fn field
1145: should be a function that matches the following typedef:
1146:
1147: typedef int (*sudo_hook_fn_putenv_t)(char *string,
1148: void *closure);
1149:
1150: If the registered hook does not match the typedef the results
1151: are unspecified.
1152:
1153: hook_fn
1154: sudo_hook_fn_t hook_fn;
1155:
1156: The hook_fn field should be set to the plugin's hook
1157: implementation. The actual function arguments will vary depending
1158: on the hook_type (see hook_type above). In all cases, the closure
1159: field of struct sudo_hook is passed as the last function parameter.
1160: This can be used to pass arbitrary data to the plugin's hook
1161: implementation.
1162:
1163: The function return value may be one of the following:
1164:
1165: SUDO_HOOK_RET_ERROR
1166: The hook function encountered an error.
1167:
1168: SUDO_HOOK_RET_NEXT
1169: The hook completed without error, go on to the next hook
1170: (including the native implementation if applicable). For
1171: example, a getenv(3) hook might return SUDO_HOOK_RET_NEXT if
1172: the specified variable was not found in the private copy of
1173: the environment.
1174:
1175: SUDO_HOOK_RET_STOP
1176: The hook completed without error, stop processing hooks for
1177: this invocation. This can be used to replace the native
1178: implementation. For example, a setenv hook that operates on
1179: a private copy of the environment but leaves environ
1180: unchanged.
1181:
1182: Note that it is very easy to create an infinite loop when hooking C
1183: library functions. For example, a getenv(3) hook that calls the
1184: snprintf(3) function may create a loop if the snprintf(3) implementation
1185: calls getenv(3) to check the locale. To prevent this, you may wish to
1186: use a static variable in the hook function to guard against nested calls.
1187: For example:
1188:
1189: static int in_progress = 0; /* avoid recursion */
1190: if (in_progress)
1191: return SUDO_HOOK_RET_NEXT;
1192: in_progress = 1;
1193: ...
1194: in_progress = 0;
1195: return SUDO_HOOK_RET_STOP;
1196:
1197: _�H_�o_�o_�k _�A_�P_�I _�V_�e_�r_�s_�i_�o_�n _�M_�a_�c_�r_�o_�s
1198:
1199: /* Hook API version major/minor */
1200: #define SUDO_HOOK_VERSION_MAJOR 1
1201: #define SUDO_HOOK_VERSION_MINOR 0
1202: #define SUDO_HOOK_MKVERSION(x, y) ((x << 16) | y)
1203: #define SUDO_HOOK_VERSION SUDO_HOOK_MKVERSION(SUDO_HOOK_VERSION_MAJOR,\
1204: SUDO_HOOK_VERSION_MINOR)
1205:
1206: /* Getters and setters for hook API version */
1207: #define SUDO_HOOK_VERSION_GET_MAJOR(v) ((v) >> 16)
1208: #define SUDO_HOOK_VERSION_GET_MINOR(v) ((v) & 0xffff)
1209: #define SUDO_HOOK_VERSION_SET_MAJOR(vp, n) do { \
1210: *(vp) = (*(vp) & 0x0000ffff) | ((n) << 16); \
1211: } while(0)
1212: #define SUDO_HOOK_VERSION_SET_MINOR(vp, n) do { \
1213: *(vp) = (*(vp) & 0xffff0000) | (n); \
1214: } while(0)
1215:
1216: R�Re�em�mo�ot�te�e c�co�om�mm�ma�an�nd�d e�ex�xe�ec�cu�ut�ti�io�on�n
1217: The s�su�ud�do�o front end does not have native support for running remote
1218: commands. However, starting with s�su�ud�do�o 1.8.8, the -�-h�h option may be used
1219: to specify a remote host that is passed to the policy plugin. A plugin
1220: may also accept a _�r_�u_�n_�a_�s_�__�u_�s_�e_�r in the form of ``user@hostname'' which will
1221: work with older versions of s�su�ud�do�o. It is anticipated that remote commands
1222: will be supported by executing a ``helper'' program. The policy plugin
1223: should setup the execution environment such that the s�su�ud�do�o front end will
1224: run the helper which, in turn, will connect to the remote host and run
1225: the command.
1226:
1227: For example, the policy plugin could utilize s�ss�sh�h to perform remote
1228: command execution. The helper program would be responsible for running
1229: s�ss�sh�h with the proper options to use a private key or certificate that the
1230: remote host will accept and run a program on the remote host that would
1231: setup the execution environment accordingly.
1232:
1233: Note that remote s�su�ud�do�oe�ed�di�it�t functionality must be handled by the policy
1234: plugin, not s�su�ud�do�o itself as the front end has no knowledge that a remote
1235: command is being executed. This may be addressed in a future revision of
1236: the plugin API.
1237:
1238: C�Co�on�nv�ve�er�rs�sa�at�ti�io�on�n A�AP�PI�I
1239: If the plugin needs to interact with the user, it may do so via the
1240: c�co�on�nv�ve�er�rs�sa�at�ti�io�on�n() function. A plugin should not attempt to read directly
1241: from the standard input or the user's tty (neither of which are
1242: guaranteed to exist). The caller must include a trailing newline in msg
1243: if one is to be printed.
1244:
1245: A p�pr�ri�in�nt�tf�f()-style function is also available that can be used to display
1246: informational or error messages to the user, which is usually more
1247: convenient for simple messages where no use input is required.
1248:
1249: struct sudo_conv_message {
1250: #define SUDO_CONV_PROMPT_ECHO_OFF 0x0001 /* do not echo user input */
1251: #define SUDO_CONV_PROMPT_ECHO_ON 0x0002 /* echo user input */
1252: #define SUDO_CONV_ERROR_MSG 0x0003 /* error message */
1253: #define SUDO_CONV_INFO_MSG 0x0004 /* informational message */
1254: #define SUDO_CONV_PROMPT_MASK 0x0005 /* mask user input */
1255: #define SUDO_CONV_DEBUG_MSG 0x0006 /* debugging message */
1256: #define SUDO_CONV_PROMPT_ECHO_OK 0x1000 /* flag: allow echo if no tty */
1257: int msg_type;
1258: int timeout;
1259: const char *msg;
1260: };
1261:
1262: #define SUDO_CONV_REPL_MAX 255
1263:
1264: struct sudo_conv_reply {
1265: char *reply;
1266: };
1267:
1268: typedef int (*sudo_conv_t)(int num_msgs,
1269: const struct sudo_conv_message msgs[],
1270: struct sudo_conv_reply replies[]);
1271:
1272: typedef int (*sudo_printf_t)(int msg_type, const char *fmt, ...);
1273:
1274: Pointers to the c�co�on�nv�ve�er�rs�sa�at�ti�io�on�n() and p�pr�ri�in�nt�tf�f()-style functions are passed in
1275: to the plugin's o�op�pe�en�n() function when the plugin is initialized.
1276:
1277: To use the c�co�on�nv�ve�er�rs�sa�at�ti�io�on�n() function, the plugin must pass an array of
1278: sudo_conv_message and sudo_conv_reply structures. There must be a struct
1279: sudo_conv_message and struct sudo_conv_reply for each message in the
1280: conversation. The plugin is responsible for freeing the reply buffer
1281: located in each struct sudo_conv_reply, if it is not NULL.
1282: SUDO_CONV_REPL_MAX represents the maximum length of the reply buffer (not
1283: including the trailing NUL character). In practical terms, this is the
1284: longest password s�su�ud�do�o will support. It is also useful as a maximum value
1285: for the m�me�em�ms�se�et�t_�_s�s() function when clearing passwords filled in by the
1286: conversation function.
1287:
1288: The p�pr�ri�in�nt�tf�f()-style function uses the same underlying mechanism as the
1289: c�co�on�nv�ve�er�rs�sa�at�ti�io�on�n() function but only supports SUDO_CONV_INFO_MSG,
1290: SUDO_CONV_ERROR_MSG and SUDO_CONV_DEBUG_MSG for the _�m_�s_�g_�__�t_�y_�p_�e parameter.
1291: It can be more convenient than using the c�co�on�nv�ve�er�rs�sa�at�ti�io�on�n() function if no
1292: user reply is needed and supports standard p�pr�ri�in�nt�tf�f() escape sequences.
1293:
1294: Unlike, SUDO_CONV_INFO_MSG and Dv SUDO_CONV_ERROR_MSG , messages sent
1295: with the SUDO_CONV_DEBUG_MSG _�m_�s_�g_�__�t_�y_�p_�e are not directly user-visible.
1296: Instead, they are logged to the file specified in the Debug statement (if
1297: any) in the sudo.conf(4). file. This allows a plugin to log debugging
1298: information and is intended to be used in conjunction with the
1299: _�d_�e_�b_�u_�g_�__�f_�l_�a_�g_�s setting.
1300:
1301: See the sample plugin for an example of the c�co�on�nv�ve�er�rs�sa�at�ti�io�on�n() function
1302: usage.
1303:
1304: S�Su�ud�do�oe�er�rs�s g�gr�ro�ou�up�p p�pl�lu�ug�gi�in�n A�AP�PI�I
1305: The s�su�ud�do�oe�er�rs�s plugin supports its own plugin interface to allow non-Unix
1306: group lookups. This can be used to query a group source other than the
1307: standard Unix group database. Two sample group plugins are bundled with
1308: s�su�ud�do�o, _�g_�r_�o_�u_�p_�__�f_�i_�l_�e and _�s_�y_�s_�t_�e_�m_�__�g_�r_�o_�u_�p, are detailed in sudoers(4). Third
1309: party group plugins include a QAS AD plugin available from Quest
1310: Software.
1311:
1312: A group plugin must declare and populate a sudoers_group_plugin struct in
1313: the global scope. This structure contains pointers to the functions that
1314: implement plugin initialization, cleanup and group lookup.
1315:
1316: struct sudoers_group_plugin {
1317: unsigned int version;
1318: int (*init)(int version, sudo_printf_t sudo_printf,
1319: char *const argv[]);
1320: void (*cleanup)(void);
1321: int (*query)(const char *user, const char *group,
1322: const struct passwd *pwd);
1323: };
1324:
1325: The sudoers_group_plugin struct has the following fields:
1326:
1327: version
1328: The version field should be set to GROUP_API_VERSION.
1329:
1330: This allows s�su�ud�do�oe�er�rs�s to determine the API version the group plugin
1331: was built against.
1332:
1333: init
1334: int (*init)(int version, sudo_printf_t plugin_printf,
1335: char *const argv[]);
1336:
1337: The i�in�ni�it�t() function is called after _�s_�u_�d_�o_�e_�r_�s has been parsed but
1338: before any policy checks. It returns 1 on success, 0 on failure
1339: (or if the plugin is not configured), and -1 if a error occurred.
1340: If an error occurs, the plugin may call the p�pl�lu�ug�gi�in�n_�_p�pr�ri�in�nt�tf�f()
1341: function with SUDO_CONF_ERROR_MSG to present additional error
1342: information to the user.
1343:
1344: The function arguments are as follows:
1345:
1346: version
1347: The version passed in by s�su�ud�do�oe�er�rs�s allows the plugin to
1348: determine the major and minor version number of the group
1349: plugin API supported by s�su�ud�do�oe�er�rs�s.
1350:
1351: plugin_printf
1352: A pointer to a p�pr�ri�in�nt�tf�f()-style function that may be used to
1353: display informational or error message to the user. Returns
1354: the number of characters printed on success and -1 on
1355: failure.
1356:
1357: argv A NULL-terminated array of arguments generated from the
1358: _�g_�r_�o_�u_�p_�__�p_�l_�u_�g_�i_�n option in _�s_�u_�d_�o_�e_�r_�s. If no arguments were given,
1359: _�a_�r_�g_�v will be NULL.
1360:
1361: cleanup
1362: void (*cleanup)();
1363:
1364: The c�cl�le�ea�an�nu�up�p() function is called when s�su�ud�do�oe�er�rs�s has finished its
1365: group checks. The plugin should free any memory it has allocated
1366: and close open file handles.
1367:
1368: query
1369: int (*query)(const char *user, const char *group,
1370: const struct passwd *pwd);
1371:
1372: The q�qu�ue�er�ry�y() function is used to ask the group plugin whether _�u_�s_�e_�r
1373: is a member of _�g_�r_�o_�u_�p.
1374:
1375: The function arguments are as follows:
1376:
1377: user The name of the user being looked up in the external group
1378: database.
1379:
1380: group
1381: The name of the group being queried.
1382:
1383: pwd The password database entry for _�u_�s_�e_�r, if any. If _�u_�s_�e_�r is not
1384: present in the password database, _�p_�w_�d will be NULL.
1385:
1386: _�G_�r_�o_�u_�p _�A_�P_�I _�V_�e_�r_�s_�i_�o_�n _�M_�a_�c_�r_�o_�s
1387:
1388: /* Sudoers group plugin version major/minor */
1389: #define GROUP_API_VERSION_MAJOR 1
1390: #define GROUP_API_VERSION_MINOR 0
1391: #define GROUP_API_VERSION ((GROUP_API_VERSION_MAJOR << 16) | \
1392: GROUP_API_VERSION_MINOR)
1393:
1394: /* Getters and setters for group version */
1395: #define GROUP_API_VERSION_GET_MAJOR(v) ((v) >> 16)
1396: #define GROUP_API_VERSION_GET_MINOR(v) ((v) & 0xffff)
1397: #define GROUP_API_VERSION_SET_MAJOR(vp, n) do { \
1398: *(vp) = (*(vp) & 0x0000ffff) | ((n) << 16); \
1399: } while(0)
1400: #define GROUP_API_VERSION_SET_MINOR(vp, n) do { \
1401: *(vp) = (*(vp) & 0xffff0000) | (n); \
1402: } while(0)
1403:
1404: P�PL�LU�UG�GI�IN�N A�AP�PI�I C�CH�HA�AN�NG�GE�EL�LO�OG�G
1405: The following revisions have been made to the Sudo Plugin API.
1406:
1407: Version 1.0
1408: Initial API version.
1409:
1410: Version 1.1 (sudo 1.8.0)
1411: The I/O logging plugin's o�op�pe�en�n() function was modified to take the
1412: command_info list as an argument.
1413:
1414: Version 1.2 (sudo 1.8.5)
1415: The Policy and I/O logging plugins' o�op�pe�en�n() functions are now passed
1416: a list of plugin parameters if any are specified in sudo.conf(4).
1417:
1418: A simple hooks API has been introduced to allow plugins to hook in
1419: to the system's environment handling functions.
1420:
1421: The init_session Policy plugin function is now passed a pointer to
1422: the user environment which can be updated as needed. This can be
1423: used to merge in environment variables stored in the PAM handle
1424: before a command is run.
1425:
1426: Version 1.3 (sudo 1.8.7)
1427: Support for the _�e_�x_�e_�c_�__�b_�a_�c_�k_�g_�r_�o_�u_�n_�d entry has been added to the
1428: command_info list.
1429:
1430: The _�m_�a_�x_�__�g_�r_�o_�u_�p_�s and _�p_�l_�u_�g_�i_�n_�__�d_�i_�r entries were added to the settings
1431: list.
1432:
1433: The v�ve�er�rs�si�io�on�n() and c�cl�lo�os�se�e() functions are now optional. Previously,
1434: a missing v�ve�er�rs�si�io�on�n() or c�cl�lo�os�se�e() function would result in a crash.
1435: If no policy plugin c�cl�lo�os�se�e() function is defined, a default c�cl�lo�os�se�e()
1436: function will be provided by the s�su�ud�do�o front end that displays a
1437: warning if the command could not be executed.
1438:
1439: The s�su�ud�do�o front end now installs default signal handlers to trap
1440: common signals while the plugin functions are run.
1441:
1442: Version 1.4 (sudo 1.8.8)
1443: The _�r_�e_�m_�o_�t_�e_�__�h_�o_�s_�t entry was added to the settings list.
1444:
1445: Version 1.5 (sudo 1.8.9)
1446: The entry was added to the command_info list.
1447:
1448: S�SE�EE�E A�AL�LS�SO�O
1449: sudo.conf(4), sudoers(4), sudo(1m)
1450:
1451: B�BU�UG�GS�S
1452: If you feel you have found a bug in s�su�ud�do�o, please submit a bug report at
1453: http://www.sudo.ws/sudo/bugs/
1454:
1455: S�SU�UP�PP�PO�OR�RT�T
1456: Limited free support is available via the sudo-users mailing list, see
1457: http://www.sudo.ws/mailman/listinfo/sudo-users to subscribe or search the
1458: archives.
1459:
1460: D�DI�IS�SC�CL�LA�AI�IM�ME�ER�R
1461: s�su�ud�do�o is provided ``AS IS'' and any express or implied warranties,
1462: including, but not limited to, the implied warranties of merchantability
1463: and fitness for a particular purpose are disclaimed. See the LICENSE
1464: file distributed with s�su�ud�do�o or http://www.sudo.ws/sudo/license.html for
1465: complete details.
1466:
1467: Sudo 1.8.10 December 20, 2013 Sudo 1.8.10
FreeBSD-CVSweb <freebsd-cvsweb@FreeBSD.org>
![[BACK]](/icons/cvsweb/back.gif){kind=icon}
Return to sudo_plugin.cat CVS log ![[TXT]](/icons/cvsweb/text.gif){kind=icon}
![[DIR]](/icons/cvsweb/dir.gif){kind=icon}
Up to [ELWIX - Embedded LightWeight unIX -] / embedaddon / sudo / doc