--- embedaddon/sudo/doc/sudoers.cat 2012/10/09 09:29:52 1.1.1.3 +++ embedaddon/sudo/doc/sudoers.cat 2013/07/22 10:46:12 1.1.1.4 
@@ -1,15 +1,65 @@ SUDOERS(4) Programmer's Manual SUDOERS(4) NNAAMMEE - ssuuddooeerrss - default sudo security policy module + ssuuddooeerrss - default sudo security policy plugin DDEESSCCRRIIPPTTIIOONN - The _s_u_d_o_e_r_s policy module determines a user's ssuuddoo privileges. It is the + The _s_u_d_o_e_r_s policy plugin determines a user's ssuuddoo privileges. It is the default ssuuddoo policy plugin. The policy is driven by the _/_e_t_c_/_s_u_d_o_e_r_s file or, optionally in LDAP. The policy format is described in detail in the _S_U_D_O_E_R_S _F_I_L_E _F_O_R_M_A_T section. For information on storing _s_u_d_o_e_r_s policy information in LDAP, please see sudoers.ldap(4). + CCoonnffiigguurriinngg ssuuddoo..ccoonnff ffoorr ssuuddooeerrss + ssuuddoo consults the sudo.conf(4) file to determine which policy and and I/O + logging plugins to load. If no sudo.conf(4) file is present, or if it + contains no Plugin lines, ssuuddooeerrss will be used for policy decisions and + I/O logging. To explicitly configure sudo.conf(4) to use the ssuuddooeerrss + plugin, the following configuration can be used. + + Plugin sudoers_policy sudoers.so + Plugin sudoers_io sudoers.so + + Starting with ssuuddoo 1.8.5, it is possible to specify optional arguments to + the ssuuddooeerrss plugin in the sudo.conf(4) file. These arguments, if + present, should be listed after the path to the plugin (i.e. after + _s_u_d_o_e_r_s_._s_o). Multiple arguments may be specified, separated by white + space. For example: + + Plugin sudoers_policy sudoers.so sudoers_mode=0400 + + The following plugin arguments are supported: + + ldap_conf=pathname + The _l_d_a_p___c_o_n_f argument can be used to override the default path + to the _l_d_a_p_._c_o_n_f file. + + ldap_secret=pathname + The _l_d_a_p___s_e_c_r_e_t argument can be used to override the default + path to the _l_d_a_p_._s_e_c_r_e_t file. 
+ + sudoers_file=pathname + The _s_u_d_o_e_r_s___f_i_l_e argument can be used to override the default + path to the _s_u_d_o_e_r_s file. + + sudoers_uid=uid + The _s_u_d_o_e_r_s___u_i_d argument can be used to override the default + owner of the sudoers file. It should be specified as a numeric + user ID. + + sudoers_gid=gid + The _s_u_d_o_e_r_s___g_i_d argument can be used to override the default + group of the sudoers file. It must be specified as a numeric + group ID (not a group name). + + sudoers_mode=mode + The _s_u_d_o_e_r_s___m_o_d_e argument can be used to override the default + file mode for the sudoers file. It should be specified as an + octal value. + + For more information on configuring sudo.conf(4), please refer to its + manual. + AAuutthheennttiiccaattiioonn aanndd llooggggiinngg The _s_u_d_o_e_r_s security policy requires that most users authenticate themselves before they can use ssuuddoo. A password is not required if the @@ -186,8 +236,8 @@ SSUUDDOOEERRSS FFIILLEE FFOORRMMAATT '!'* %:#nonunix_gid | '!'* User_Alias - A User_List is made up of one or more user names, user ids (prefixed with - `#'), system group names and ids (prefixed with `%' and `%#' + A User_List is made up of one or more user names, user IDs (prefixed with + `#'), system group names and IDs (prefixed with `%' and `%#' respectively), netgroups (prefixed with `+'), non-Unix group names and IDs (prefixed with `%:' and `%:#' respectively) and User_Aliases. Each list item may be prefixed with zero or more `!' operators. An odd number 
@@ -201,8 +251,8 @@ SSUUDDOOEERRSS FFIILLEE FFOORRMMAATT characters must be included inside the quotes. The actual nonunix_group and nonunix_gid syntax depends on the underlying - group provider plugin (see the _g_r_o_u_p___p_l_u_g_i_n description below). For - instance, the QAS AD plugin supports the following formats: + group provider plugin. For instance, the QAS AD plugin supports the + following formats: oo Group in the same domain: "%:Group Name" @@ -210,6 +260,8 @@ SSUUDDOOEERRSS FFIILLEE FFOORRMMAATT oo Group SID: "%:S-1-2-34-5678901234-5678901234-5678901234-567" + See _G_R_O_U_P _P_R_O_V_I_D_E_R _P_L_U_G_I_N_S for more information. + Note that quotes around group names are optional. Unquoted strings must use a backslash (`\') to escape spaces and special characters. See _O_t_h_e_r _s_p_e_c_i_a_l _c_h_a_r_a_c_t_e_r_s _a_n_d _r_e_s_e_r_v_e_d _w_o_r_d_s for a list of characters that need @@ -260,6 +312,14 @@ SSUUDDOOEERRSS FFIILLEE FFOORRMMAATT ``localhost'' will only match if that is the actual host name, which is usually only the case for non-networked systems. + digest ::= [A-Fa-f0-9]+ | + [[A-Za-z0-9+/=]+ + + Digest_Spec ::= "sha224" ':' digest | + "sha256" ':' digest | + "sha384" ':' digest | + "sha512" ':' digest + Cmnd_List ::= Cmnd | Cmnd ',' Cmnd_List @@ -267,7 +327,7 @@ SSUUDDOOEERRSS FFIILLEE FFOORRMMAATT file name args | file name '""' - Cmnd ::= '!'* command name | + Cmnd ::= Digest_Spec? '!'* command name | '!'* directory | '!'* "sudoedit" | '!'* Cmnd_Alias 
@@ -287,10 +347,34 @@ SSUUDDOOEERRSS FFIILLEE FFOORRMMAATT the Cmnd must match exactly those given by the user on the command line (or match the wildcards if there are any). Note that the following characters must be escaped with a `\' if they are used in command - arguments: `,', `:', `=', `\'. The special command ``sudoedit'' is used + arguments: `,', `:', `=', `\'. The built-in command ``sudoedit'' is used to permit a user to run ssuuddoo with the --ee option (or as ssuuddooeeddiitt). It may - take command line arguments just as a normal command does. + take command line arguments just as a normal command does. Note that + ``sudoedit'' is a command built into ssuuddoo itself and must be specified in + _s_u_d_o_e_r_s without a leading path. + If a command name is prefixed with a Digest_Spec, the command will only + match successfully if it can be verified using the specified SHA-2 + digest. This may be useful in situations where the user invoking ssuuddoo + has write access to the command or its parent directory. The following + digest formats are supported: sha224, sha256, sha384 and sha512. The + string may be specified in either hex or base64 format (base64 is more + compact). There are several utilities capable of generating SHA-2 + digests in hex format such as openssl, shasum, sha224sum, sha256sum, + sha384sum, sha512sum. + + For example, using openssl: + + $ openssl dgst -sha224 /bin/ls + SHA224(/bin/ls)= 118187da8364d490b4a7debbf483004e8f3e053ec954309de2c41a25 + + It is also possible to use openssl to generate base64 output: + + $ openssl dgst -binary -sha224 /bin/ls | openssl base64 + EYGH2oNk1JC0p9679IMATo8+BT7JVDCd4sQaJQ== + + Command digests are only supported by version 1.8.7 or higher. + DDeeffaauullttss Certain configuration options may be changed from their default values at run-time via one or more Default_Entry lines. These may affect all users 
@@ -469,76 +553,77 @@ SSUUDDOOEERRSS FFIILLEE FFOORRMMAATT it is overridden by the opposite tag (in other words, PASSWD overrides NOPASSWD and NOEXEC overrides EXEC). - _N_O_P_A_S_S_W_D _a_n_d _P_A_S_S_W_D + _N_O_P_A_S_S_W_D and _P_A_S_S_W_D - By default, ssuuddoo requires that a user authenticate him or herself before - running a command. This behavior can be modified via the NOPASSWD tag. - Like a Runas_Spec, the NOPASSWD tag sets a default for the commands that - follow it in the Cmnd_Spec_List. Conversely, the PASSWD tag can be used - to reverse things. For example: + By default, ssuuddoo requires that a user authenticate him or herself + before running a command. This behavior can be modified via the + NOPASSWD tag. Like a Runas_Spec, the NOPASSWD tag sets a default for + the commands that follow it in the Cmnd_Spec_List. Conversely, the + PASSWD tag can be used to reverse things. For example: - ray rushmore = NOPASSWD: /bin/kill, /bin/ls, /usr/bin/lprm + ray rushmore = NOPASSWD: /bin/kill, /bin/ls, /usr/bin/lprm - would allow the user rraayy to run _/_b_i_n_/_k_i_l_l, _/_b_i_n_/_l_s, and _/_u_s_r_/_b_i_n_/_l_p_r_m as - rroooott on the machine rushmore without authenticating himself. If we only - want rraayy to be able to run _/_b_i_n_/_k_i_l_l without a password the entry would - be: + would allow the user rraayy to run _/_b_i_n_/_k_i_l_l, _/_b_i_n_/_l_s, and _/_u_s_r_/_b_i_n_/_l_p_r_m + as rroooott on the machine rushmore without authenticating himself. If we + only want rraayy to be able to run _/_b_i_n_/_k_i_l_l without a password the entry + would be: - ray rushmore = NOPASSWD: /bin/kill, PASSWD: /bin/ls, /usr/bin/lprm + ray rushmore = NOPASSWD: /bin/kill, PASSWD: /bin/ls, /usr/bin/lprm - Note, however, that the PASSWD tag has no effect on users who are in the - group specified by the _e_x_e_m_p_t___g_r_o_u_p option. + Note, however, that the PASSWD tag has no effect on users who are in + the group specified by the _e_x_e_m_p_t___g_r_o_u_p option. 
- By default, if the NOPASSWD tag is applied to any of the entries for a - user on the current host, he or she will be able to run ``sudo -l'' - without a password. Additionally, a user may only run ``sudo -v'' - without a password if the NOPASSWD tag is present for all a user's - entries that pertain to the current host. This behavior may be - overridden via the _v_e_r_i_f_y_p_w and _l_i_s_t_p_w options. + By default, if the NOPASSWD tag is applied to any of the entries for a + user on the current host, he or she will be able to run ``sudo -l'' + without a password. Additionally, a user may only run ``sudo -v'' + without a password if the NOPASSWD tag is present for all a user's + entries that pertain to the current host. This behavior may be + overridden via the _v_e_r_i_f_y_p_w and _l_i_s_t_p_w options. - _N_O_E_X_E_C _a_n_d _E_X_E_C + _N_O_E_X_E_C and _E_X_E_C - If ssuuddoo has been compiled with _n_o_e_x_e_c support and the underlying - operating system supports it, the NOEXEC tag can be used to prevent a - dynamically-linked executable from running further commands itself. + If ssuuddoo has been compiled with _n_o_e_x_e_c support and the underlying + operating system supports it, the NOEXEC tag can be used to prevent a + dynamically-linked executable from running further commands itself. - In the following example, user aaaarroonn may run _/_u_s_r_/_b_i_n_/_m_o_r_e and - _/_u_s_r_/_b_i_n_/_v_i but shell escapes will be disabled. + In the following example, user aaaarroonn may run _/_u_s_r_/_b_i_n_/_m_o_r_e and + _/_u_s_r_/_b_i_n_/_v_i but shell escapes will be disabled. - aaron shanty = NOEXEC: /usr/bin/more, /usr/bin/vi + aaron shanty = NOEXEC: /usr/bin/more, /usr/bin/vi - See the _P_r_e_v_e_n_t_i_n_g _s_h_e_l_l _e_s_c_a_p_e_s section below for more details on how - NOEXEC works and whether or not it will work on your system. 
+ See the _P_r_e_v_e_n_t_i_n_g _s_h_e_l_l _e_s_c_a_p_e_s section below for more details on how + NOEXEC works and whether or not it will work on your system. - _S_E_T_E_N_V _a_n_d _N_O_S_E_T_E_N_V + _S_E_T_E_N_V and _N_O_S_E_T_E_N_V - These tags override the value of the _s_e_t_e_n_v option on a per-command - basis. Note that if SETENV has been set for a command, the user may - disable the _e_n_v___r_e_s_e_t option from the command line via the --EE option. - Additionally, environment variables set on the command line are not - subject to the restrictions imposed by _e_n_v___c_h_e_c_k, _e_n_v___d_e_l_e_t_e, or - _e_n_v___k_e_e_p. As such, only trusted users should be allowed to set variables - in this manner. If the command matched is AALLLL, the SETENV tag is implied - for that command; this default may be overridden by use of the NOSETENV - tag. + These tags override the value of the _s_e_t_e_n_v option on a per-command + basis. Note that if SETENV has been set for a command, the user may + disable the _e_n_v___r_e_s_e_t option from the command line via the --EE option. + Additionally, environment variables set on the command line are not + subject to the restrictions imposed by _e_n_v___c_h_e_c_k, _e_n_v___d_e_l_e_t_e, or + _e_n_v___k_e_e_p. As such, only trusted users should be allowed to set + variables in this manner. If the command matched is AALLLL, the SETENV + tag is implied for that command; this default may be overridden by use + of the NOSETENV tag. - _L_O_G___I_N_P_U_T _a_n_d _N_O_L_O_G___I_N_P_U_T + _L_O_G___I_N_P_U_T and _N_O_L_O_G___I_N_P_U_T - These tags override the value of the _l_o_g___i_n_p_u_t option on a per-command - basis. For more information, see the description of _l_o_g___i_n_p_u_t in the - _S_U_D_O_E_R_S _O_P_T_I_O_N_S section below. + These tags override the value of the _l_o_g___i_n_p_u_t option on a per-command + basis. 
For more information, see the description of _l_o_g___i_n_p_u_t in the + _S_U_D_O_E_R_S _O_P_T_I_O_N_S section below. - _L_O_G___O_U_T_P_U_T _a_n_d _N_O_L_O_G___O_U_T_P_U_T + _L_O_G___O_U_T_P_U_T and _N_O_L_O_G___O_U_T_P_U_T - These tags override the value of the _l_o_g___o_u_t_p_u_t option on a per-command - basis. For more information, see the description of _l_o_g___o_u_t_p_u_t in the - _S_U_D_O_E_R_S _O_P_T_I_O_N_S section below. + These tags override the value of the _l_o_g___o_u_t_p_u_t option on a per-command + basis. For more information, see the description of _l_o_g___o_u_t_p_u_t in the + _S_U_D_O_E_R_S _O_P_T_I_O_N_S section below. WWiillddccaarrddss ssuuddoo allows shell-style _w_i_l_d_c_a_r_d_s (aka meta or glob characters) to be used in host names, path names and command line arguments in the _s_u_d_o_e_r_s - file. Wildcard matching is done via the PPOOSSIIXX glob(3) and fnmatch(3) - routines. Note that these are _n_o_t regular expressions. + file. Wildcard matching is done via the glob(3) and fnmatch(3) functions + as specified by IEEE Std 1003.1 (``POSIX.1''). Note that these are _n_o_t + regular expressions. * Matches any set of zero or more characters. @@ -551,7 +636,7 @@ SSUUDDOOEERRSS FFIILLEE FFOORRMMAATT \x For any character `x', evaluates to `x'. This is used to escape special characters such as: `*', `?', `[', and `]'. - POSIX character classes may also be used if your system's glob(3) and + Character classes may also be used if your system's glob(3) and fnmatch(3) functions support them. However, because the `:' character has special meaning in _s_u_d_o_e_r_s, it must be escaped. For example: 
@@ -668,12 +753,25 @@ SSUUDDOOEERRSS FFIILLEE FFOORRMMAATT since in a command context, it allows the user to run aannyy command on the system. - An exclamation point (`!') can be used as a logical _n_o_t operator both in - an _a_l_i_a_s and in front of a Cmnd. This allows one to exclude certain - values. Note, however, that using a `!' in conjunction with the built-in - AALLLL alias to allow a user to run ``all but a few'' commands rarely works - as intended (see _S_E_C_U_R_I_T_Y _N_O_T_E_S below). + An exclamation point (`!') can be used as a logical _n_o_t operator in a + list or _a_l_i_a_s as well as in front of a Cmnd. This allows one to exclude + certain values. For the `!' operator to be effective, there must be + something for it to exclude. For example, to match all users except for + root one would use: + ALL,!root + + If the AALLLL, is omitted, as in: + + !root + + it would explicitly deny root but not match any other users. This is + different from a true ``negation'' operator. + + Note, however, that using a `!' in conjunction with the built-in AALLLL + alias to allow a user to run ``all but a few'' commands rarely works as + intended (see _S_E_C_U_R_I_T_Y _N_O_T_E_S below). + Long lines can be continued with a backslash (`\') as the last character on the line. 
@@ -718,6 +816,45 @@ SSUUDDOOEERRSS OOPPTTIIOONNSS This flag is _o_n by default when ssuuddoo is compiled with zzlliibb support. + exec_background By default, ssuuddoo runs a command as the foreground + process as long as ssuuddoo itself is running in the + foreground. When the _e_x_e_c___b_a_c_k_g_r_o_u_n_d flag is enabled + and the command is being run in a pty (due to I/O + logging or the _u_s_e___p_t_y flag), the command will be run + as a background process. Attempts to read from the + controlling terminal (or to change terminal settings) + will result in the command being suspended with the + SIGTTIN signal (or SIGTTOU in the case of terminal + settings). If this happens when ssuuddoo is a foreground + process, the command will be granted the controlling + terminal and resumed in the foreground with no user + intervention required. The advantage of initially + running the command in the background is that ssuuddoo need + not read from the terminal unless the command + explicitly requests it. Otherwise, any terminal input + must be passed to the command, whether it has required + it or not (the kernel buffers terminals so it is not + possible to tell whether the command really wants the + input). This is different from historic _s_u_d_o behavior + or when the command is not being run in a pty. + + For this to work seamlessly, the operating system must + support the automatic restarting of system calls. + Unfortunately, not all operating systems do this by + default, and even those that do may have bugs. For + example, Mac OS X fails to restart the ttccggeettaattttrr() and + ttccsseettaattttrr() system calls (this is a bug in Mac OS X). + Furthermore, because this behavior depends on the + command stopping with the SIGTTIN or SIGTTOU signals, + programs that catch these signals and suspend + themselves with a different signal (usually SIGTOP) + will not be automatically foregrounded. Some versions + of the linux su(1) command behave this way. 
+ + This setting is only supported by version 1.8.7 or + higher. It has no effect unless I/O logging is enabled + or the _u_s_e___p_t_y flag is enabled. + env_editor If set, vviissuuddoo will use the value of the EDITOR or VISUAL environment variables before falling back on the default editor list. Note that this may create a @@ -906,6 +1043,26 @@ SSUUDDOOEERRSS OOPPTTIIOONNSS well as the _P_r_e_v_e_n_t_i_n_g _s_h_e_l_l _e_s_c_a_p_e_s section at the end of this manual. This flag is _o_f_f by default. + pam_session On systems that use PAM for authentication, ssuuddoo will + create a new PAM session for the command to be run in. + Disabling _p_a_m___s_e_s_s_i_o_n may be needed on older PAM + implementations or on operating systems where opening a + PAM session changes the utmp or wtmp files. If PAM + session support is disabled, resource limits may not be + updated for the command being run. This flag is _o_n by + default. + + This setting is only supported by version 1.8.7 or + higher. + + passprompt_override + The password prompt specified by _p_a_s_s_p_r_o_m_p_t will + normally only be used if the password prompt provided + by systems such as PAM matches the string + ``Password:''. If _p_a_s_s_p_r_o_m_p_t___o_v_e_r_r_i_d_e is set, + _p_a_s_s_p_r_o_m_p_t will always be used. This flag is _o_f_f by + default. + path_info Normally, ssuuddoo will tell the user when a command could not be found in their PATH environment variable. Some sites may wish to disable this as it could be used to 
@@ -916,14 +1073,6 @@ SSUUDDOOEERRSS OOPPTTIIOONNSS not allowed to run it, which can be confusing. This flag is _o_n by default. - passprompt_override - The password prompt specified by _p_a_s_s_p_r_o_m_p_t will - normally only be used if the password prompt provided - by systems such as PAM matches the string - ``Password:''. If _p_a_s_s_p_r_o_m_p_t___o_v_e_r_r_i_d_e is set, - _p_a_s_s_p_r_o_m_p_t will always be used. This flag is _o_f_f by - default. - preserve_groups By default, ssuuddoo will initialize the group vector to the list of groups the target user is in. When _p_r_e_s_e_r_v_e___g_r_o_u_p_s is set, the user's existing group @@ -1189,6 +1338,11 @@ SSUUDDOOEERRSS OOPPTTIIOONNSS unique combination of digits and letters, similar to the mktemp(3) function. + If the path created by concatenating _i_o_l_o_g___d_i_r and + _i_o_l_o_g___f_i_l_e already exists, the existing I/O log file + will be truncated and overwritten unless _i_o_l_o_g___f_i_l_e + ends in six or more Xs. + limitprivs The default Solaris limit privileges to use when constructing a new privilege set for a command. This bounds all privileges of the executing process. The 
@@ -1200,10 +1354,28 @@ SSUUDDOOEERRSS OOPPTTIIOONNSS escape %h will expand to the host name of the machine. Default is ``*** SECURITY information for %h ***''. - noexec_file This option is no longer supported. The path to the - noexec file should now be set in the _/_e_t_c_/_s_u_d_o_._c_o_n_f - file. + maxseq The maximum sequence number that will be substituted + for the ``%{seq}'' escape in the I/O log file (see the + _i_o_l_o_g___d_i_r description above for more information). + While the value substituted for ``%{seq}'' is in base + 36, _m_a_x_s_e_q itself should be expressed in decimal. + Values larger than 2176782336 (which corresponds to the + base 36 sequence number ``ZZZZZZ'') will be silently + truncated to 2176782336. The default value is + 2176782336. + Once the local sequence number reaches the value of + _m_a_x_s_e_q, it will ``roll over'' to zero, after which + ssuuddooeerrss will truncate and re-use any existing I/O log + pathnames. + + This setting is only supported by version 1.8.7 or + higher. + + noexec_file As of ssuuddoo version 1.8.1 this option is no longer + supported. The path to the noexec file should now be + set in the sudo.conf(4) file. + passprompt The default prompt to use when asking for a password; can be overridden via the --pp option or the SUDO_PROMPT environment variable. The following percent (`%') 
@@ -1295,22 +1467,16 @@ SSUUDDOOEERRSS OOPPTTIIOONNSS a % prefix. This is not set by default. group_plugin A string containing a _s_u_d_o_e_r_s group plugin with optional - arguments. This can be used to implement support for the - nonunix_group syntax described earlier. The string should - consist of the plugin path, either fully-qualified or - relative to the _/_u_s_r_/_l_o_c_a_l_/_l_i_b_e_x_e_c directory, followed by - any configuration arguments the plugin requires. These + arguments. The string should consist of the plugin path, + either fully-qualified or relative to the + _/_u_s_r_/_l_o_c_a_l_/_l_i_b_e_x_e_c_/_s_u_d_o directory, followed by any + configuration arguments the plugin requires. These arguments (if any) will be passed to the plugin's initialization function. If arguments are present, the string must be enclosed in double quotes (""). - For example, given _/_e_t_c_/_s_u_d_o_-_g_r_o_u_p, a group file in Unix - group format, the sample group plugin can be used: + For more information see GROUP PROVIDER PLUGINS. - Defaults group_plugin="sample_group.so /etc/sudo-group" - - For more information see sudo_plugin(4). - lecture This option controls when a short lecture will be printed along with the password prompt. It has the following possible values: 
@@ -1446,6 +1612,41 @@ SSUUDDOOEERRSS OOPPTTIIOONNSS variables to keep is displayed when ssuuddoo is run by root with the --VV option. +GGRROOUUPP PPRROOVVIIDDEERR PPLLUUGGIINNSS + The ssuuddooeerrss plugin supports its own plugin interface to allow non-Unix + group lookups which can query a group source other than the standard Unix + group database. This can be used to implement support for the + nonunix_group syntax described earlier. + + Group provider plugins are specified via the _g_r_o_u_p___p_l_u_g_i_n Defaults + setting. The argument to _g_r_o_u_p___p_l_u_g_i_n should consist of the plugin path, + either fully-qualified or relative to the _/_u_s_r_/_l_o_c_a_l_/_l_i_b_e_x_e_c_/_s_u_d_o + directory, followed by any configuration options the plugin requires. + These options (if specified) will be passed to the plugin's + initialization function. If options are present, the string must be + enclosed in double quotes (""). + + The following group provider plugins are installed by default: + + group_file + The _g_r_o_u_p___f_i_l_e plugin supports an alternate group file that + uses the same syntax as the _/_e_t_c_/_g_r_o_u_p file. The path to the + group file should be specified as an option to the plugin. For + example, if the group file to be used is _/_e_t_c_/_s_u_d_o_-_g_r_o_u_p: + + Defaults group_plugin="group_file.so /etc/sudo-group" + + system_group + The _s_y_s_t_e_m___g_r_o_u_p plugin supports group lookups via the standard + C library functions ggeettggrrnnaamm() and ggeettggrriidd(). This plugin can + be used in instances where the user belongs to groups not + present in the user's supplemental group vector. This plugin + takes no options: + + Defaults group_plugin=system_group.so + + The group provider plugin API is described in detail in sudo_plugin(1m). + LLOOGG FFOORRMMAATT ssuuddooeerrss can log events using either syslog(3) or a simple log file. In each case the log format is almost identical. 
@@ -1547,9 +1748,9 @@ LLOOGG FFOORRMMAATT when the _s_u_d_o_e_r_s file is located on a remote file system that maps user ID 0 to a different value. Normally, ssuuddooeerrss tries to open _s_u_d_o_e_r_s using group permissions to avoid this problem. Consider - changing the ownership of _/_e_t_c_/_s_u_d_o_e_r_s by adding an option like - ``sudoers_uid=N'' (where `N' is the user ID that owns the _s_u_d_o_e_r_s - file) to the ssuuddooeerrss plugin line in the _/_e_t_c_/_s_u_d_o_._c_o_n_f file. + either changing the ownership of _/_e_t_c_/_s_u_d_o_e_r_s or adding an argument + like ``sudoers_uid=N'' (where `N' is the user ID that owns the _s_u_d_o_e_r_s + file) to the end of the ssuuddooeerrss Plugin line in the sudo.conf(4) file. unable to stat /etc/sudoers The _/_e_t_c_/_s_u_d_o_e_r_s file is missing. 
@@ -1561,21 +1762,21 @@ LLOOGG FFOORRMMAATT /etc/sudoers is owned by uid N, should be 0 The _s_u_d_o_e_r_s file has the wrong owner. If you wish to change the _s_u_d_o_e_r_s file owner, please add ``sudoers_uid=N'' (where `N' is the - user ID that owns the _s_u_d_o_e_r_s file) to the ssuuddooeerrss plugin line in the - _/_e_t_c_/_s_u_d_o_._c_o_n_f file. + user ID that owns the _s_u_d_o_e_r_s file) to the ssuuddooeerrss Plugin line in the + sudo.conf(4) file. /etc/sudoers is world writable The permissions on the _s_u_d_o_e_r_s file allow all users to write to it. The _s_u_d_o_e_r_s file must not be world-writable, the default file mode is 0440 (readable by owner and group, writable by none). The default mode may be changed via the ``sudoers_mode'' option to the ssuuddooeerrss - plugin line in the _/_e_t_c_/_s_u_d_o_._c_o_n_f file. + Plugin line in the sudo.conf(4) file. /etc/sudoers is owned by gid N, should be 1 The _s_u_d_o_e_r_s file has the wrong group ownership. If you wish to change the _s_u_d_o_e_r_s file group ownership, please add ``sudoers_gid=N'' (where - `N' is the group ID that owns the _s_u_d_o_e_r_s file) to the ssuuddooeerrss plugin - line in the _/_e_t_c_/_s_u_d_o_._c_o_n_f file. + `N' is the group ID that owns the _s_u_d_o_e_r_s file) to the ssuuddooeerrss Plugin + line in the sudo.conf(4) file. unable to open /var/adm/sudo/username/ttyname _s_u_d_o_e_r_s was unable to read or create the user's time stamp file. 
@@ -1615,110 +1816,6 @@ LLOOGG FFOORRMMAATT _l_o_g_l_i_n_e_l_e_n option is set to 0 (or negated with a `!'), word wrap will be disabled. -SSUUDDOO..CCOONNFF - The _/_e_t_c_/_s_u_d_o_._c_o_n_f file determines which plugins the ssuuddoo front end will - load. If no _/_e_t_c_/_s_u_d_o_._c_o_n_f file is present, or it contains no Plugin - lines, ssuuddoo will use the _s_u_d_o_e_r_s security policy and I/O logging, which - corresponds to the following _/_e_t_c_/_s_u_d_o_._c_o_n_f file. - - # - # Default /etc/sudo.conf file - # - # Format: - # Plugin plugin_name plugin_path plugin_options ... - # Path askpass /path/to/askpass - # Path noexec /path/to/sudo_noexec.so - # Debug sudo /var/log/sudo_debug all@warn - # Set disable_coredump true - # - # The plugin_path is relative to /usr/local/libexec unless - # fully qualified. - # The plugin_name corresponds to a global symbol in the plugin - # that contains the plugin interface structure. - # The plugin_options are optional. - # - Plugin policy_plugin sudoers.so - Plugin io_plugin sudoers.so - - PPlluuggiinn ooppttiioonnss - Starting with ssuuddoo 1.8.5, it is possible to pass options to the _s_u_d_o_e_r_s - plugin. Options may be listed after the path to the plugin (i.e. after - _s_u_d_o_e_r_s_._s_o); multiple options should be space-separated. For example: - - Plugin sudoers_policy sudoers.so sudoers_file=/etc/sudoers sudoers_uid=0 sudoers_gid=0 sudoers_mode=0440 - - The following plugin options are supported: - - sudoers_file=pathname - The _s_u_d_o_e_r_s___f_i_l_e option can be used to override the default - path to the _s_u_d_o_e_r_s file. - - sudoers_uid=uid - The _s_u_d_o_e_r_s___u_i_d option can be used to override the default - owner of the sudoers file. It should be specified as a numeric - user ID. - - sudoers_gid=gid - The _s_u_d_o_e_r_s___g_i_d option can be used to override the default - group of the sudoers file. It should be specified as a numeric - group ID. 
- - sudoers_mode=mode - The _s_u_d_o_e_r_s___m_o_d_e option can be used to override the default - file mode for the sudoers file. It should be specified as an - octal value. - - DDeebbuugg ffllaaggss - Versions 1.8.4 and higher of the _s_u_d_o_e_r_s plugin supports a debugging - framework that can help track down what the plugin is doing internally if - there is a problem. This can be configured in the _/_e_t_c_/_s_u_d_o_._c_o_n_f file as - described in sudo(1m). - - The _s_u_d_o_e_r_s plugin uses the same debug flag format as the ssuuddoo front-end: - _s_u_b_s_y_s_t_e_m@_p_r_i_o_r_i_t_y. - - The priorities used by _s_u_d_o_e_r_s, in order of decreasing severity, are: - _c_r_i_t, _e_r_r, _w_a_r_n, _n_o_t_i_c_e, _d_i_a_g, _i_n_f_o, _t_r_a_c_e and _d_e_b_u_g. Each priority, - when specified, also includes all priorities higher than it. For - example, a priority of _n_o_t_i_c_e would include debug messages logged at - _n_o_t_i_c_e and higher. - - The following subsystems are used by _s_u_d_o_e_r_s: - - _a_l_i_a_s User_Alias, Runas_Alias, Host_Alias and Cmnd_Alias processing - - _a_l_l matches every subsystem - - _a_u_d_i_t BSM and Linux audit code - - _a_u_t_h user authentication - - _d_e_f_a_u_l_t_s _s_u_d_o_e_r_s _D_e_f_a_u_l_t_s settings - - _e_n_v environment handling - - _l_d_a_p LDAP-based sudoers - - _l_o_g_g_i_n_g logging support - - _m_a_t_c_h matching of users, groups, hosts and netgroups in _s_u_d_o_e_r_s - - _n_e_t_i_f network interface handling - - _n_s_s network service switch handling in _s_u_d_o_e_r_s - - _p_a_r_s_e_r _s_u_d_o_e_r_s file parsing - - _p_e_r_m_s permission setting - - _p_l_u_g_i_n The equivalent of _m_a_i_n for the plugin. - - _p_t_y pseudo-tty related code - - _r_b_t_r_e_e redblack tree internals - - _u_t_i_l utility functions - FFIILLEESS _/_e_t_c_/_s_u_d_o_._c_o_n_f Sudo front end configuration 
@@ -1768,7 +1865,9 @@ EEXXAAMMPPLLEESS # Cmnd alias specification Cmnd_Alias DUMPS = /usr/bin/mt, /usr/sbin/dump, /usr/sbin/rdump,\ - /usr/sbin/restore, /usr/sbin/rrestore + /usr/sbin/restore, /usr/sbin/rrestore,\ + sha224:0GomF8mNN3wlDt1HD9XldjJ3SNgpFdbjO1+NsQ== \ + /home/operator/bin/start_backups Cmnd_Alias KILL = /usr/bin/kill Cmnd_Alias PRINTING = /usr/sbin/lpc, /usr/bin/lprm Cmnd_Alias SHUTDOWN = /usr/sbin/shutdown @@ -1838,7 +1937,11 @@ EEXXAAMMPPLLEESS The ooppeerraattoorr user may run commands limited to simple maintenance. Here, those are commands related to backups, killing processes, the printing system, shutting down the system, and any commands in the directory - _/_u_s_r_/_o_p_e_r_/_b_i_n_/. + _/_u_s_r_/_o_p_e_r_/_b_i_n_/. Note that one command in the DUMPS Cmnd_Alias includes a + sha224 digest, _/_h_o_m_e_/_o_p_e_r_a_t_o_r_/_b_i_n_/_s_t_a_r_t___b_a_c_k_u_p_s. This is because the + directory containing the script is writable by the operator user. If the + script is modified (resulting in a digest mismatch) it will no longer be + possible to run it via ssuuddoo. joe ALL = /usr/bin/su operator 
@@ -2047,8 +2150,64 @@ SSEECCUURRIITTYY NNOOTTEESS stamp file is stale and will ignore it. Administrators should not rely on this feature as it is not universally available. +DDEEBBUUGGGGIINNGG + Versions 1.8.4 and higher of the ssuuddooeerrss plugin support a flexible + debugging framework that can help track down what the plugin is doing + internally if there is a problem. This can be configured in the + sudo.conf(4) file. + + The ssuuddooeerrss plugin uses the same debug flag format as the ssuuddoo front-end: + _s_u_b_s_y_s_t_e_m@_p_r_i_o_r_i_t_y. + + The priorities used by ssuuddooeerrss, in order of decreasing severity, are: + _c_r_i_t, _e_r_r, _w_a_r_n, _n_o_t_i_c_e, _d_i_a_g, _i_n_f_o, _t_r_a_c_e and _d_e_b_u_g. Each priority, + when specified, also includes all priorities higher than it. For + example, a priority of _n_o_t_i_c_e would include debug messages logged at + _n_o_t_i_c_e and higher. + + The following subsystems are used by the ssuuddooeerrss plugin: + + _a_l_i_a_s User_Alias, Runas_Alias, Host_Alias and Cmnd_Alias processing + + _a_l_l matches every subsystem + + _a_u_d_i_t BSM and Linux audit code + + _a_u_t_h user authentication + + _d_e_f_a_u_l_t_s _s_u_d_o_e_r_s _D_e_f_a_u_l_t_s settings + + _e_n_v environment handling + + _l_d_a_p LDAP-based sudoers + + _l_o_g_g_i_n_g logging support + + _m_a_t_c_h matching of users, groups, hosts and netgroups in _s_u_d_o_e_r_s + + _n_e_t_i_f network interface handling + + _n_s_s network service switch handling in _s_u_d_o_e_r_s + + _p_a_r_s_e_r _s_u_d_o_e_r_s file parsing + + _p_e_r_m_s permission setting + + _p_l_u_g_i_n The equivalent of _m_a_i_n for the plugin. + + _p_t_y pseudo-tty related code + + _r_b_t_r_e_e redblack tree internals + + _u_t_i_l utility functions + For example: + + Debug sudo /var/log/sudo_debug match@info,nss@info + + For more information, see the sudo.conf(4) manual. 
+ SSEEEE AALLSSOO - ssh(1), su(1), fnmatch(3), glob(3), mktemp(3), strftime(3), + ssh(1), su(1), fnmatch(3), glob(3), mktemp(3), strftime(3), sudo.conf(4), sudoers.ldap(4), sudo_plugin(1m), sudo(1m), visudo(1m) CCAAVVEEAATTSS @@ -2078,4 +2237,4 @@ DDIISSCCLLAAIIMMEERR file distributed with ssuuddoo or http://www.sudo.ws/sudo/license.html for complete details. -Sudo 1.8.6 July 16, 2012 Sudo 1.8.6 +Sudo 1.8.7 April 30, 2013 Sudo 1.8.7
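Review bot: the new "Configuring sudo.conf for sudoers" text in the @@ -1,15 +1,65 @@ hunk has a doubled word, "which policy and and I/O logging plugins to load"; drop one "and". The argument descriptions in the same hunk are inconsistent about whether names are accepted: sudoers_gid says "It must be specified as a numeric group ID (not a group name)" while sudoers_uid says only "It should be specified as a numeric user ID"; if user names are likewise rejected, say so for sudoers_uid in the same words. The example "Plugin sudoers_policy sudoers.so sudoers_mode=0400" also deserves a caution, because a later hunk of this patch explains that sudoers "tries to open sudoers using group permissions" to cope with file systems that remap uid 0; a mode with no group read bit defeats that fallback.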
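Review bot: the base64 alternative of the new digest production in the @@ -260,6 +312,14 @@ hunk reads "[[A-Za-z0-9+/=]+" with a doubled opening bracket; it should be "[A-Za-z0-9+/=]+" to match the hex alternative on the line above. Consider also stating, in the grammar or the prose, that the digest length must correspond to the named algorithm (56 hex characters for sha224, for instance), since as written any non-empty hex or base64 string is syntactically valid.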
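Review bot: the new production "Cmnd ::= Digest_Spec? '!'* command name" in the @@ -267,7 +327,7 @@ hunk puts the digest before any negation operators, so a negated, digest-qualified command would have to be written as "sha256:... !/path/cmd". That ordering is shown nowhere in the prose or in the EXAMPLES section; either add an example or state whether a digest may be combined with "!" at all and what such an entry excludes.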
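Review bot: the digest paragraph added in the @@ -287,10 +347,34 @@ hunk says the string "may be specified in either hex or base64 format" but never says how a malformed or wrong-length digest is handled, that is, whether visudo rejects it at parse time or the entry simply never matches at run time. An administrator pinning a command to a digest needs to know which, so please state it next to "Command digests are only supported by version 1.8.7 or higher."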
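Review bot: two small problems in the rewritten "!" explanation of the @@ -668,12 +753,25 @@ hunk. "If the AALLLL, is omitted, as in:" has a stray comma after ALL. And the first example, "ALL,!root", directly follows "root one would use:" with no blank line before it, while the second example "!root" is set off by blank lines on both sides; add the blank line so both render as indented examples.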
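Review bot: in the exec_background description added by the @@ -718,6 +816,45 @@ hunk, "suspend themselves with a different signal (usually SIGTOP)" should read SIGSTOP. Also "the linux su(1) command" should capitalize Linux, matching "Mac OS X" two sentences earlier.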
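Review bot: the sentence added by the @@ -1189,6 +1338,11 @@ hunk, "the existing I/O log file will be truncated and overwritten unless iolog_file ends in six or more Xs", describes silent loss of an earlier session's audit record, which matters to anyone keeping I/O logs as evidence. Recommend one more sentence advising that iolog_file include "%{seq}" or a trailing XXXXXX whenever logs must be retained.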
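Review bot: in the new maxseq entry of the @@ -1200,10 +1354,28 @@ hunk there is no blank line between "The default value is 2176782336." and "Once the local sequence number reaches the value of maxseq", so the two paragraphs will run together when rendered; the other entries in this hunk separate paragraphs with a blank line. The roll-over sentence also deserves the same retention caveat as the iolog_file change in this patch: once the counter wraps, "sudoers will truncate and re-use any existing I/O log pathnames", which discards old sessions, so a small maxseq should be paired with a job that archives logs out of iolog_dir before the wrap.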
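Review bot: the replacement line "For more information see GROUP PROVIDER PLUGINS." in the @@ -1295,22 +1467,16 @@ hunk is set in plain type, whereas every other section cross-reference in this file (for example "_G_R_O_U_P _P_R_O_V_I_D_E_R _P_L_U_G_I_N_S" added in the @@ -210,6 +260,8 @@ hunk) is underlined; format it the same way.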
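Review bot: the system_group description in the @@ -1446,6 +1612,41 @@ hunk names "ggeettggrriidd()" as a standard C library function; the counterpart of getgrnam() that looks up a group by ID is getgrgid(), so this looks like a typo. Since the file given to the group_file plugin (the example uses /etc/sudo-group) directly decides who matches a %group entry, the group_file description should also state the ownership and mode the file is expected to have, like the requirements this manual documents for sudoers itself; a group file writable by an unprivileged user would let that user add themselves to a privileged group.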
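Review bot: terminology drifts between hunks of this patch. The new "Configuring sudo.conf for sudoers" section calls sudoers_mode and friends "plugin arguments", and the @@ -1547,9 +1748,9 @@ hunk says "adding an argument like ``sudoers_uid=N''", but the @@ -1561,21 +1762,21 @@ hunk keeps "the ``sudoers_mode'' option" in the "is world writable" entry. Pick one term (argument) and use it there too.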
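Review bot: removing the SUDO.CONF section in the @@ -1615,110 +1816,6 @@ hunk drops the annotated default file (the "Path askpass", "Path noexec", "Debug" and "Set disable_coredump" lines and the note that plugin_path is relative to the libexec directory), while the new "Configuring sudo.conf for sudoers" section carries over only the two Plugin lines and the sudoers_* arguments. That is fine if sudo.conf(4) now documents the rest, as "please refer to its manual" implies. Note, though, that the example plugin names change from "policy_plugin"/"io_plugin" to "sudoers_policy"/"sudoers_io"; please confirm which names are the global symbols the plugin exports and, if the old example was wrong, say so somewhere so people who copied it can fix their sudo.conf.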
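Review bot: the DUMPS example in the @@ -1768,7 +1865,9 @@ hunk splits the digest from the path it qualifies across a continuation line ("sha224:0GomF8mNN3wlDt1HD9XldjJ3SNgpFdbjO1+NsQ== \" and then "/home/operator/bin/start_backups"), which reads as if the digest were a separate list element. The grammar added by this patch has the Digest_Spec prefixing the command name, so put the digest and the path on one line so the example shows that binding unambiguously.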
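Review bot: the explanation in the @@ -1838,7 +1937,11 @@ hunk, "If the script is modified (resulting in a digest mismatch) it will no longer be possible to run it via sudo", is correct but should also state the limit of the protection: the digest covers only the file named, so with the directory writable by operator, anything start_backups invokes by a directory-local path, or an interpreter named on its first line, is not pinned. Without that caveat readers may take a digest as making a user-writable directory safe.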
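Review bot: two points in the DEBUGGING section added by the @@ -2047,8 +2150,64 @@ hunk. There is no blank line between "_u_t_i_l utility functions" and "For example:", unlike between the other list items, so the example's lead-in will be glued to the last subsystem entry. And the example "Debug sudo /var/log/sudo_debug match@info,nss@info" names the front-end program "sudo" while the subsystems listed (alias, ldap, parser, ...) belong to the sudoers plugin; confirm that the front end's Debug line is where plugin flags go in 1.8.7, or change the example to whatever form sudo.conf(4) specifies for a plugin.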