version 1.1.1.4, 2013/07/22 10:46:12
|
version 1.1.1.5, 2013/10/14 07:56:34
|
Line 16
|
Line 16
|
.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. |
.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. |
.\" ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. |
.\" ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. |
.\" |
.\" |
.TH "SUDO_PLUGIN" "5" "March 5, 2013" "Sudo @PACKAGE_VERSION@" "OpenBSD Programmer's Manual" | .TH "SUDO_PLUGIN" "5" "August 16, 2013" "Sudo @PACKAGE_VERSION@" "OpenBSD Programmer's Manual" |
.nh |
.nh |
.if n .ad l |
.if n .ad l |
.SH "NAME" |
.SH "NAME" |
Line 322 the
|
Line 322 the
|
\fB\-p\fR |
\fB\-p\fR |
flag. |
flag. |
.TP 6n |
.TP 6n |
|
remote_host=string |
|
The name of the remote host to run the command on, if specified via |
|
the |
|
\fB\-h\fR |
|
option. |
|
Support for running the command on a remote host is meant to be implemented |
|
via a helper program that is executed in place of the user-specified command. |
|
The |
|
\fBsudo\fR |
|
front end is only capable of executing commands on the local host. |
|
Only available starting with API version 1.4. |
|
.TP 6n |
run_shell=bool |
run_shell=bool |
Set to true if the user specified the |
Set to true if the user specified the |
\fB\-s\fR |
\fB\-s\fR |
flag, indicating that | flag, indicating that the user wishes to run a shell. |
the user wishes to run a shell. | |
.TP 6n |
.TP 6n |
runas_group=string |
runas_group=string |
The group name or gid to to run the command as, if specified via | The group name or gid to run the command as, if specified via |
the |
the |
\fB\-g\fR |
\fB\-g\fR |
flag. |
flag. |
.TP 6n |
.TP 6n |
runas_user=string |
runas_user=string |
The user name or uid to to run the command as, if specified via the | The user name or uid to run the command as, if specified via the |
\fB\-u\fR |
\fB\-u\fR |
flag. |
flag. |
.TP 6n |
.TP 6n |
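Review bot: The new remote_host entry does not say what a policy plugin without remote-execution support should do when the value is set. The entry itself states that the sudo front end is only capable of executing commands on the local host, so a plugin that ignores remote_host would run the command locally even though the user named another host. Suggest adding a sentence that such a plugin should reject the request. Minor: this entry calls \-h an "option" while the neighbouring entries for \-s, \-g and \-u say "flag".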
Line 441 pgid=int
|
Line 452 pgid=int
|
The ID of the process group that the running |
The ID of the process group that the running |
\fBsudo\fR |
\fBsudo\fR |
process is a member of. |
process is a member of. |
Only available starting with API version 1.2 | Only available starting with API version 1.2. |
.TP 6n |
.TP 6n |
pid=int |
pid=int |
The process ID of the running |
The process ID of the running |
\fBsudo\fR |
\fBsudo\fR |
process. |
process. |
Only available starting with API version 1.2 | Only available starting with API version 1.2. |
.TP 6n |
.TP 6n |
plugin_options |
plugin_options |
Any (non-comment) strings immediately after the plugin path are |
Any (non-comment) strings immediately after the plugin path are |
Line 480 ppid=int
|
Line 491 ppid=int
|
The parent process ID of the running |
The parent process ID of the running |
\fBsudo\fR |
\fBsudo\fR |
process. |
process. |
Only available starting with API version 1.2 | Only available starting with API version 1.2. |
.TP 6n |
.TP 6n |
sid=int |
sid=int |
The session ID of the running |
The session ID of the running |
Line 488 The session ID of the running
|
Line 499 The session ID of the running
|
process or 0 if |
process or 0 if |
\fBsudo\fR |
\fBsudo\fR |
is not part of a POSIX job control session. |
is not part of a POSIX job control session. |
Only available starting with API version 1.2 | Only available starting with API version 1.2. |
.TP 6n |
.TP 6n |
tcpgid=int |
tcpgid=int |
The ID of the foreground process group associated with the terminal |
The ID of the foreground process group associated with the terminal |
Line 496 device associated with the
|
Line 507 device associated with the
|
\fBsudo\fR |
\fBsudo\fR |
process or \-1 if there is no |
process or \-1 if there is no |
terminal present. |
terminal present. |
Only available starting with API version 1.2 | Only available starting with API version 1.2. |
.TP 6n |
.TP 6n |
tty=string |
tty=string |
The path to the user's terminal device. |
The path to the user's terminal device. |
Line 2162 return SUDO_HOOK_RET_STOP;
|
Line 2173 return SUDO_HOOK_RET_STOP;
|
} while(0) |
} while(0) |
.RE |
.RE |
.fi |
.fi |
|
.SS "Remote command execution" |
|
The |
|
\fBsudo\fR |
|
front end does not have native support for running remote commands. |
|
However, starting with |
|
\fBsudo\fR |
|
1.8.8, the |
|
\fB\-h\fR |
|
option may be used to specify a remote host that is passed |
|
to the policy plugin. |
|
A plugin may also accept a |
|
\fIrunas_user\fR |
|
in the form of |
|
``user@hostname'' |
|
which will work with older versions of |
|
\fBsudo\fR. |
|
It is anticipated that remote commands will be supported by executing a |
|
``helper'' |
|
program. |
|
The policy plugin should setup the execution environment such that the |
|
\fBsudo\fR |
|
front end will run the helper which, in turn, will connect to the |
|
remote host and run the command. |
|
.PP |
|
For example, the policy plugin could utilize |
|
\fBssh\fR |
|
to perform remote command execution. |
|
The helper program would be responsible for running |
|
\fBssh\fR |
|
with the proper options to use a private key or certificate |
|
that the remote host will accept and run a program |
|
on the remote host that would setup the execution environment |
|
accordingly. |
|
.PP |
|
Note that remote |
|
\fBsudoedit\fR |
|
functionality must be handled by the policy plugin, not |
|
\fBsudo\fR |
|
itself as the front end has no knowledge that a remote command is |
|
being executed. |
|
This may be addressed in a future revision of the plugin API. |
.SS "Conversation API" |
.SS "Conversation API" |
If the plugin needs to interact with the user, it may do so via the |
If the plugin needs to interact with the user, it may do so via the |
\fBconversation\fR() |
\fBconversation\fR() |
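Review bot: The new "Remote command execution" subsection gives two ways for a host name to reach the plugin (the \-h option, or a runas_user of the form ``user@hostname''), but it does not say which one takes precedence when both are supplied, nor that the plugin should validate the host string before placing it in the helper's arguments. Suggest documenting both points here, since the helper is what the front end actually executes. Style: "setup" is used as a verb twice ("should setup the execution environment", "would setup the execution environment") and should read "set up".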
Line 2193 struct sudo_conv_message {
|
Line 2245 struct sudo_conv_message {
|
const char *msg; |
const char *msg; |
}; |
}; |
|
|
|
#define SUDO_CONV_REPL_MAX 255 |
|
|
struct sudo_conv_reply { |
struct sudo_conv_reply { |
char *reply; |
char *reply; |
}; |
}; |
Line 2227 and
|
Line 2281 and
|
\fRstruct sudo_conv_reply\fR |
\fRstruct sudo_conv_reply\fR |
for |
for |
each message in the conversation. |
each message in the conversation. |
The plugin is responsible for freeing the reply buffer filled in to the | The plugin is responsible for freeing the reply buffer located in each |
\fRstruct sudo_conv_reply\fR, |
\fRstruct sudo_conv_reply\fR, |
if any. | if it is not |
| \fRNULL\fR. |
| \fRSUDO_CONV_REPL_MAX\fR |
| represents the maximum length of the reply buffer (not including |
| the trailing NUL character). |
| In practical terms, this is the longest password |
| \fBsudo\fR |
| will support. |
| It is also useful as a maximum value for the |
| \fBmemset_s\fR() |
| function when clearing passwords filled in by the conversation function. |
.PP |
.PP |
The |
The |
\fBprintf\fR()-style |
\fBprintf\fR()-style |
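Review bot: The sentence offering SUDO_CONV_REPL_MAX "as a maximum value for the memset_s() function" does not say which memset_s() argument is meant, and nothing in this paragraph states that the reply buffer is always allocated with room for SUDO_CONV_REPL_MAX characters plus the NUL. Read literally, a plugin author could clear SUDO_CONV_REPL_MAX bytes of a shorter reply and write past the allocation. Suggest either stating the guaranteed allocation size, or saying that the constant is the upper bound (the smax argument) and the count to clear is the length of the reply. The paragraph also tells the plugin to free the reply but only implies that a password reply should be cleared first; that is worth stating directly.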
Line 2524 The
|
Line 2588 The
|
\fBsudo\fR |
\fBsudo\fR |
front end now installs default signal handlers to trap common signals |
front end now installs default signal handlers to trap common signals |
while the plugin functions are run. |
while the plugin functions are run. |
|
.TP 6n |
|
Version 1.4 (sudo 1.8.8) |
|
The |
|
\fIremote_host\fR |
|
entry was added to the |
|
\fRsettings\fR |
|
list. |
.SH "SEE ALSO" |
.SH "SEE ALSO" |
sudo.conf(@mansectform@), |
sudo.conf(@mansectform@), |
sudoers(@mansectform@), |
sudoers(@mansectform@), |
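Review bot: The Version 1.4 changelog entry lists only remote_host, but this revision also adds SUDO_CONV_REPL_MAX to the conversation API listing without saying which API version introduces it. The remote_host entry carries "Only available starting with API version 1.4."; the SUDO_CONV_REPL_MAX text has no equivalent sentence. If the macro first appears in the 1.4 headers, suggest mentioning it in this entry so plugin authors know when they can rely on it.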