embedaddon/sudo/doc/sudoers.mdoc.in - diff

Return to sudoers.mdoc.in CVS log

Up to [ELWIX - Embedded LightWeight unIX -] / embedaddon / sudo / doc

Diff for /embedaddon/sudo/doc/sudoers.mdoc.in between versions 1.1.1.1 and 1.1.1.3

-version 1.1.1.1, 2012/10/09 09:29:52
+version 1.1.1.3, 2013/10/14 07:56:34
  Line 1
  .\"
-.\" Copyright (c) 1994-1996, 1998-2005, 2007-2012
+.\" Copyright (c) 1994-1996, 1998-2005, 2007-2013
-.\" Todd C. Miller <Todd.Miller@courtesan.com>
+.\"        Todd C. Miller <Todd.Miller@courtesan.com>
  .\"
  .\" Permission to use, copy, modify, and distribute this software for any
  .\" purpose with or without fee is hereby granted, provided that the above
  Line 19
  .\" Agency (DARPA) and Air Force Research Laboratory, Air Force
  .\" Materiel Command, USAF, under agreement number F39502-99-1-0512.
  .\"
-.Dd July 16, 2012
+.Dd August 31, 2013
  .Dt SUDOERS @mansectform@
  .Os Sudo @PACKAGE_VERSION@
  .Sh NAME
  .Nm sudoers
-.Nd default sudo security policy module
+.Nd default sudo security policy plugin
  .Sh DESCRIPTION
  The
  .Em sudoers
-policy module determines a user's
+policy plugin determines a user's
  .Nm sudo
  privileges.
  It is the default
  Line 46  For information on storing
  policy information
  in LDAP, please see
  .Xr sudoers.ldap @mansectform@ .
+ .Ss Configuring sudo.conf for sudoers
+ .Nm sudo
+ consults the
+ .Xr sudo.conf @mansectform@
+ file to determine which policy and and I/O logging plugins to load.
+ If no
+ .Xr sudo.conf @mansectform@
+ file is present, or if it contains no
+ .Li Plugin
+ lines,
+ .Nm sudoers
+ will be used for policy decisions and I/O logging.
+ To explicitly configure
+ .Xr sudo.conf @mansectform@
+ to use the
+ .Nm sudoers
+ plugin, the following configuration can be used.
+ .Bd -literal -offset indent
+ Plugin sudoers_policy sudoers.so
+ Plugin sudoers_io sudoers.so
+ .Ed
+ .Pp
+ Starting with
+ .Nm sudo
+.8.5, it is possible to specify optional arguments to the
+ .Nm sudoers
+ plugin in the
+ .Xr sudo.conf @mansectform@
+ file.
+ These arguments, if present, should be listed after the path to the plugin
+ (i.e.\& after
+ .Pa sudoers.so ) .
+ Multiple arguments may be specified, separated by white space.
+ For example:
+ .Bd -literal -offset indent
+ Plugin sudoers_policy sudoers.so sudoers_mode=0400
+ .Ed
+ .Pp
+ The following plugin arguments are supported:
+ .Bl -tag -width 8n
+ .It ldap_conf=pathname
+ The
+ .Em ldap_conf
+ argument can be used to override the default path to the
+ .Pa ldap.conf
+ file.
+ .It ldap_secret=pathname
+ The
+ .Em ldap_secret
+ argument can be used to override the default path to the
+ .Pa ldap.secret
+ file.
+ .It sudoers_file=pathname
+ The
+ .Em sudoers_file
+ argument can be used to override the default path to the
+ .Em sudoers
+ file.
+ .It sudoers_uid=uid
+ The
+ .Em sudoers_uid
+ argument can be used to override the default owner of the sudoers file.
+ It should be specified as a numeric user ID.
+ .It sudoers_gid=gid
+ The
+ .Em sudoers_gid
+ argument can be used to override the default group of the sudoers file.
+ It must be specified as a numeric group ID (not a group name).
+ .It sudoers_mode=mode
+ The
+ .Em sudoers_mode
+ argument can be used to override the default file mode for the sudoers file.
+ It should be specified as an octal value.
+ .El
+ .Pp
+ For more information on configuring
+ .Xr sudo.conf @mansectform@ ,
+ please refer to its manual.
  .Ss Authentication and logging
  The
  .Em sudoers
- Line 437  User ::= '!'* user name |
+ Line 515  User ::= '!'* user name |
  .Pp
  A
  .Li User_List
-is made up of one or more user names, user ids
+is made up of one or more user names, user IDs
  (prefixed with
  .Ql # ) ,
-system group names and ids (prefixed with
+system group names and IDs (prefixed with
  .Ql %
  and
  .Ql %#
- Line 482  The actual
+ Line 560  The actual
  and
  .Li nonunix_gid
  syntax depends on
-the underlying group provider plugin (see the
+the underlying group provider plugin.
-.Em group_plugin
-description below).
  For instance, the QAS AD plugin supports the following formats:
  .Bl -bullet -width 4n
  .It
- Line 495  Group in any domain: "%:Group Name@FULLY.QUALIFIED.DOM
+ Line 571  Group in any domain: "%:Group Name@FULLY.QUALIFIED.DOM
  Group SID: "%:S-1-2-34-5678901234-5678901234-5678901234-567"
  .El
  .Pp
+ See
+ .Sx "GROUP PROVIDER PLUGINS"
+ for more information.
+ .Pp
  Note that quotes around group names are optional.
  Unquoted strings must use a backslash
  .Pq Ql \e
- Line 579  Also, the host name
+ Line 659  Also, the host name
  will only match if that is the actual host name, which is usually
  only the case for non-networked systems.
  .Bd -literal
+ digest ::= [A-Fa-f0-9]+ |
+            [[A-Za-z0-9\+/=]+
+ Digest_Spec ::= "sha224" ':' digest |
+                 "sha256" ':' digest |
+                 "sha384" ':' digest |
+                 "sha512" ':' digest
  Cmnd_List ::= Cmnd |
                Cmnd ',' Cmnd_List
- Line 586  command name ::= file name |
+ Line 674  command name ::= file name |
                   file name args |
                   file name '""'
-Cmnd ::= '!'* command name |
+Cmnd ::= Digest_Spec? '!'* command name |
           '!'* directory |
           '!'* "sudoedit" |
           '!'* Cmnd_Alias
- Line 631  if they are used in command arguments:
+ Line 719  if they are used in command arguments:
  .Ql :\& ,
  .Ql =\& ,
  .Ql \e .
-The special command
+The built-in command
  .Dq Li sudoedit
  is used to permit a user to run
  .Nm sudo
- Line 640  with the
+ Line 728  with the
  option (or as
  .Nm sudoedit ) .
  It may take command line arguments just as a normal command does.
+ Note that
+ .Dq Li sudoedit
+ is a command built into
+ .Nm sudo
+ itself and must be specified in
+ .Em sudoers
+ without a leading path.
+ .Pp
+ If a
+ .Li command name
+ is prefixed with a
+ .Li Digest_Spec ,
+ the command will only match successfully if it can be verified
+ using the specified SHA-2 digest.
+ This may be useful in situations where the user invoking
+ .Nm sudo
+ has write access to the command or its parent directory.
+ The following digest formats are supported: sha224, sha256, sha384 and sha512.
+ The string may be specified in either hex or base64 format
+ (base64 is more compact).
+ There are several utilities capable of generating SHA-2 digests in hex
+ format such as openssl, shasum, sha224sum, sha256sum, sha384sum, sha512sum.
+ .Pp
+ For example, using openssl:
+ .Bd -literal
+ $ openssl dgst -sha224 /bin/ls
+ SHA224(/bin/ls)= 118187da8364d490b4a7debbf483004e8f3e053ec954309de2c41a25
+ .Ed
+ .Pp
+ It is also possible to use openssl to generate base64 output:
+ .Bd -literal
+ $ openssl dgst -binary -sha224 /bin/ls | openssl base64
+ EYGH2oNk1JC0p9679IMATo8+BT7JVDCd4sQaJQ==
+ .Ed
+ .Pp
+ Command digests are only supported by version 1.8.7 or higher.
  .Ss Defaults
  Certain configuration options may be changed from their default
  values at run-time via one or more
- Line 970  and
+ Line 1094  and
  .Li NOEXEC
  overrides
  .Li EXEC ) .
-.Pp
+.Bl -hang -width 0n
-.Em NOPASSWD and PASSWD
+.It Em NOPASSWD No and Em PASSWD
-.Pp
+.sp
  By default,
  .Nm sudo
  requires that a user authenticate him or herself
- Line 1037  This behavior may be overridden via the
+ Line 1161  This behavior may be overridden via the
  and
  .Em listpw
  options.
-.Pp
+.It Em NOEXEC No and Em EXEC
-.Em NOEXEC and EXEC
+.sp
-.Pp
  If
  .Nm sudo
  has been compiled with
- Line 1065  See the
+ Line 1188  See the
  section below for more details on how
  .Li NOEXEC
  works and whether or not it will work on your system.
-.Pp
+.It Em SETENV No and Em NOSETENV
-.Em SETENV and NOSETENV
+.sp
-.Pp
  These tags override the value of the
  .Em setenv
  option on a per-command basis.
- Line 1092  the
+ Line 1214  the
  tag is implied for that command; this default may be overridden by use of the
  .Li NOSETENV
  tag.
-.Pp
+.It Em LOG_INPUT No and Em NOLOG_INPUT
-.Em LOG_INPUT and NOLOG_INPUT
+.sp
-.Pp
  These tags override the value of the
  .Em log_input
  option on a per-command basis.
- Line 1103  For more information, see the description of
+ Line 1224  For more information, see the description of
  in the
  .Sx SUDOERS OPTIONS
  section below.
-.Pp
+.It Em LOG_OUTPUT No and Em NOLOG_OUTPUT
-.Em LOG_OUTPUT and NOLOG_OUTPUT
+.sp
-.Pp
  These tags override the value of the
  .Em log_output
  option on a per-command basis.
- Line 1114  For more information, see the description of
+ Line 1234  For more information, see the description of
  in the
  .Sx SUDOERS OPTIONS
  section below.
+ .El
  .Ss Wildcards
  .Nm sudo
  allows shell-style
- Line 1123  to be used in host names, path names and command line
+ Line 1244  to be used in host names, path names and command line
  .Em sudoers
  file.
  Wildcard matching is done via the
- .Sy POSIX
  .Xr glob 3
  and
  .Xr fnmatch 3
-routines.
+functions as specified by
+.St -p1003.1 .
  Note that these are
  .Em not
  regular expressions.
- Line 1155  and
+ Line 1276  and
  .Ql ]\& .
  .El
  .Pp
-POSIX character classes may also be used if your system's
+Character classes may also be used if your system's
  .Xr glob 3
  and
  .Xr fnmatch 3
- Line 1393  An exclamation point
+ Line 1514  An exclamation point
  .Pq Ql \&!
  can be used as a logical
  .Em not
-operator both in an
+operator in a list or
  .Em alias
-and in front of a
+as well as in front of a
  .Li Cmnd .
  This allows one to exclude certain values.
+ For the
+ .Ql \&!
+ operator to be effective, there must be something for it to exclude.
+ For example, to match all users except for root one would use:
+ .Bd -literal -offset 4n
+ ALL,!root
+ .Ed
+ .Pp
+ If the
+ .Sy ALL ,
+ is omitted, as in:
+ .Bd -literal -offset 4n
+ !root
+ .Ed
+ .Pp
+ it would explicitly deny root but not match any other users.
+ This is different from a true
+ .Dq negation
+ operator.
+ .Pp
  Note, however, that using a
  .Ql \&!
  in conjunction with the built-in
- Line 1456  This effectively means that the
+ Line 1597  This effectively means that the
  option is always implied.
  Note that
  .Ev HOME
-is already set when the the
+is already set when the
  .Em env_reset
  option is enabled, so
  .Em always_set_home
- Line 1504  by default when
+ Line 1645  by default when
  is compiled with
  .Sy zlib
  support.
+ .It exec_background
+ By default,
+ .Nm sudo
+ runs a command as the foreground process as long as
+ .Nm sudo
+ itself is running in the foreground.
+ When the
+ .Em exec_background
+ flag is enabled and the command is being run in a pty (due to I/O logging
+ or the
+ .Em use_pty
+ flag), the command will be run as a background process.
+ Attempts to read from the controlling terminal (or to change terminal
+ settings) will result in the command being suspended with the
+ .Dv SIGTTIN
+ signal (or
+ .Dv SIGTTOU
+ in the case of terminal settings).
+ If this happens when
+ .Nm sudo
+ is a foreground process, the command will be granted the controlling terminal
+ and resumed in the foreground with no user intervention required.
+ The advantage of initially running the command in the background is that
+ .Nm sudo
+ need not read from the terminal unless the command explicitly requests it.
+ Otherwise, any terminal input must be passed to the command, whether it
+ has required it or not (the kernel buffers terminals so it is not possible
+ to tell whether the command really wants the input).
+ This is different from historic
+ .Em sudo
+ behavior or when the command is not being run in a pty.
+ .Pp
+ For this to work seamlessly, the operating system must support the
+ automatic restarting of system calls.
+ Unfortunately, not all operating systems do this by default,
+ and even those that do may have bugs.
+ For example, Mac OS X fails to restart the
+ .Fn tcgetattr
+ and
+ .Fn tcsetattr
+ system calls (this is a bug in Mac OS X).
+ Furthermore, because this behavior depends on the command stopping with the
+ .Dv SIGTTIN
+ or
+ .Dv SIGTTOU
+ signals, programs that catch these signals and suspend themselves
+ with a different signal (usually
+ .Dv SIGTOP )
+ will not be automatically foregrounded.
+ Some versions of the linux
+ .Xr su 1
+ command behave this way.
+ .Pp
+ This setting is only supported by version 1.8.7 or higher.
+ It has no effect unless I/O logging is enabled or the
+ .Em use_pty
+ flag is enabled.
  .It env_editor
  If set,
  .Nm visudo
- Line 1872  section at the end of this manual.
+ Line 2070  section at the end of this manual.
  This flag is
  .Em off
  by default.
-.It path_info
+.It pam_session
-Normally,
+On systems that use PAM for authentication,
  .Nm sudo
-will tell the user when a command could not be
+will create a new PAM session for the command to be run in.
-found in their
+Disabling
-.Ev PATH
+.Em pam_session
-environment variable.
+may be needed on older PAM implementations or on operating systems where
-Some sites may wish to disable this as it could be used to gather
+opening a PAM session changes the utmp or wtmp files.
-information on the location of executables that the normal user does
+If PAM session support is disabled, resource limits may not be updated
-not have access to.
+for the command being run.
-The disadvantage is that if the executable is simply not in the user's
+If
-.Ev PATH ,
+.Em pam_session ,
+.Em pam_setcred ,
+and
+.Em use_pty
+are disabled and I/O logging has not been configured,
  .Nm sudo
-will tell the user that they are not allowed to run it, which can be confusing.
+will execute the command directly instead of running it as a child
+process.
  This flag is
-.Em @path_info@
+.Em @pam_session@
  by default.
+ .Pp
+ This setting is only supported by version 1.8.7 or higher.
+ .It pam_setcred
+ On systems that use PAM for authentication,
+ .Nm sudo
+ will attempt to establish credentials for the target user by default,
+ if supported by the underlying authentication system.
+ One example of a credential is a Kerberos ticket.
+ If
+ .Em pam_session ,
+ .Em pam_setcred ,
+ and
+ .Em use_pty
+ are disabled and I/O logging has not been configured,
+ .Nm sudo
+ will execute the command directly instead of running it as a child
+ process.
+ This flag is
+ .Em on
+ by default.
+ .Pp
+ This setting is only supported by version 1.8.8 or higher.
  .It passprompt_override
  The password prompt specified by
  .Em passprompt
- Line 1903  will always be used.
+ Line 2128  will always be used.
  This flag is
  .Em off
  by default.
+ .It path_info
+ Normally,
+ .Nm sudo
+ will tell the user when a command could not be
+ found in their
+ .Ev PATH
+ environment variable.
+ Some sites may wish to disable this as it could be used to gather
+ information on the location of executables that the normal user does
+ not have access to.
+ The disadvantage is that if the executable is simply not in the user's
+ .Ev PATH ,
+ .Nm sudo
+ will tell the user that they are not allowed to run it, which can be confusing.
+ This flag is
+ .Em @path_info@
+ by default.
  .It preserve_groups
  By default,
  .Nm sudo
- Line 1999  option imply
+ Line 2241  option imply
  .Fl H .
  Note that
  .Ev HOME
-is already set when the the
+is already set when the
  .Em env_reset
  option is enabled, so
  .Em set_home
- Line 2386  will have the
+ Line 2628  will have the
  replaced with a unique combination of digits and letters, similar to the
  .Xr mktemp 3
  function.
+ .Pp
+ If the path created by concatenating
+ .Em iolog_dir
+ and
+ .Em iolog_file
+ already exists, the existing I/O log file will be truncated and
+ overwritten unless
+ .Em iolog_file
+ ends in six or
+ more
+ .Li X Ns No s .
  .It limitprivs
  The default Solaris limit privileges to use when constructing a new
  privilege set for a command.
- Line 2404  The escape
+ Line 2657  The escape
  will expand to the host name of the machine.
  Default is
  .Dq Li @mailsub@ .
+ .It maxseq
+ The maximum sequence number that will be substituted for the
+ .Dq Li %{seq}
+ escape in the I/O log file (see the
+ .Em iolog_dir
+ description above for more information).
+ While the value substituted for
+ .Dq Li %{seq}
+ is in base 36,
+ .Em maxseq
+ itself should be expressed in decimal.
+ Values larger than 2176782336 (which corresponds to the
+ base 36 sequence number
+ .Dq ZZZZZZ )
+ will be silently truncated to 2176782336.
+ The default value is 2176782336.
+ .Pp
+ Once the local sequence number reaches the value of
+ .Em maxseq ,
+ it will
+ .Dq roll over
+ to zero, after which
+ .Nm sudoers
+ will truncate and re-use any existing I/O log pathnames.
+ .Pp
+ This setting is only supported by version 1.8.7 or higher.
  .It noexec_file
-This option is no longer supported.
+As of
+.Nm sudo
+version 1.8.1 this option is no longer supported.
  The path to the noexec file should now be set in the
-.Pa @sysconfdir@/sudo.conf
+.Xr sudo.conf @mansectform@
  file.
+ .It pam_login_service
+ On systems that use PAM for authentication, this is the service
+ name used when the
+ .Fl i
+ option is specified.
+ The default value is
+ .Dq Li @pam_login_service@ .
+ See the description of
+ .Em pam_service
+ for more information.
+ .Pp
+ This setting is only supported by version 1.8.8 or higher.
+ .It pam_service
+ On systems that use PAM for authentication, the service name
+ specifies the PAM policy to apply.
+ This usually corresponds to an entry in the
+ .Pa pam.conf
+ file or a file in the
+ .Pa /etc/pam.d
+ directory.
+ The default value is
+ .Dq Li sudo .
+ .Pp
+ This setting is only supported by version 1.8.8 or higher.
  .It passprompt
  The default prompt to use when asking for a password; can be overridden via the
  .Fl p
- Line 2501  Defaults to
+ Line 2806  Defaults to
  .Li @goodpri@ .
  .Pp
  See
-.Sx syslog_badpri
+.Em syslog_badpri
  for the list of supported syslog priorities.
  .It sudoers_locale
  Locale to use when parsing the sudoers file, logging commands, and
- Line 2558  This is not set by default.
+ Line 2863  This is not set by default.
  A string containing a
  .Em sudoers
  group plugin with optional arguments.
- This can be used to implement support for the
- .Li nonunix_group
- syntax described earlier.
  The string should consist of the plugin
  path, either fully-qualified or relative to the
-.Pa @prefix@/libexec
+.Pa @PLUGINDIR@
  directory, followed by any configuration arguments the plugin requires.
  These arguments (if any) will be passed to the plugin's initialization function.
  If arguments are present, the string must be enclosed in double quotes
  .Pq \&"" .
  .Pp
- For example, given
- .Pa /etc/sudo-group ,
- a group file in Unix group format, the sample group plugin can be used:
- .Bd -literal
- Defaults group_plugin="sample_group.so /etc/sudo-group"
- .Ed
- .Pp
  For more information see
-.Xr sudo_plugin @mansectform@ .
+.Xr "GROUP PROVIDER PLUGINS" .
  .It lecture
  This option controls when a short lecture will be printed along with
  the password prompt.
- Line 2843  is run by root with the
+ Line 3138  is run by root with the
  .Fl V
  option.
  .El
+ .Sh GROUP PROVIDER PLUGINS
+ The
+ .Nm sudoers
+ plugin supports its own plugin interface to allow non-Unix
+ group lookups which can query a group source other
+ than the standard Unix group database.
+ This can be used to implement support for the
+ .Li nonunix_group
+ syntax described earlier.
+ .Pp
+ Group provider plugins are specified via the
+ .Em group_plugin
+ Defaults setting.
+ The argument to
+ .Em group_plugin
+ should consist of the plugin path, either fully-qualified or relative to the
+ .Pa @PLUGINDIR@
+ directory, followed by any configuration options the plugin requires.
+ These options (if specified) will be passed to the plugin's initialization
+ function.
+ If options are present, the string must be enclosed in double quotes
+ .Pq \&"" .
+ .Pp
+ The following group provider plugins are installed by default:
+ .Bl -tag -width 8n
+ .It group_file
+ The
+ .Em group_file
+ plugin supports an alternate group file that uses the same syntax as the
+ .Pa /etc/group
+ file.
+ The path to the group file should be specified as an option
+ to the plugin.
+ For example, if the group file to be used is
+ .Pa /etc/sudo-group :
+ .Bd -literal
+ Defaults group_plugin="group_file.so /etc/sudo-group"
+ .Ed
+ .It system_group
+ The
+ .Em system_group
+ plugin supports group lookups via the standard C library functions
+ .Fn getgrnam
+ and
+ .Fn getgrid .
+ This plugin can be used in instances where the user belongs to
+ groups not present in the user's supplemental group vector.
+ This plugin takes no options:
+ .Bd -literal
+ Defaults group_plugin=system_group.so
+ .Ed
+ .El
+ .Pp
+ The group provider plugin API is described in detail in
+ .Xr sudo_plugin @mansectsu@ .
  .Sh LOG FORMAT
  .Nm sudoers
  can log events using either
- Line 2995  Normally,
+ Line 3345  Normally,
  tries to open
  .Em sudoers
  using group permissions to avoid this problem.
-Consider changing the ownership of
+Consider either changing the ownership of
  .Pa @sysconfdir@/sudoers
-by adding an option like
+or adding an argument like
  .Dq sudoers_uid=N
  (where
  .Sq N
  is the user ID that owns the
  .Em sudoers
-file) to the
+file) to the end of the
  .Nm sudoers
-plugin line in the
+.Li Plugin
-.Pa @sysconfdir@/sudo.conf
+line in the
+.Xr sudo.conf @mansectform@
  file.
  .It unable to stat @sysconfdir@/sudoers
  The
- Line 3030  is the user ID that owns the
+ Line 3381  is the user ID that owns the
  .Em sudoers
  file) to the
  .Nm sudoers
-plugin line in the
+.Li Plugin
-.Pa @sysconfdir@/sudo.conf
+line in the
+.Xr sudo.conf @mansectform@
  file.
  .It @sysconfdir@/sudoers is world writable
  The permissions on the
- Line 3045  The default mode may be changed via the
+ Line 3397  The default mode may be changed via the
  .Dq sudoers_mode
  option to the
  .Nm sudoers
-plugin line in the
+.Li Plugin
-.Pa @sysconfdir@/sudo.conf
+line in the
+.Xr sudo.conf @mansectform@
  file.
  .It @sysconfdir@/sudoers is owned by gid N, should be 1
  The
- Line 3062  is the group ID that owns the
+ Line 3415  is the group ID that owns the
  .Em sudoers
  file) to the
  .Nm sudoers
-plugin line in the
+.Li Plugin
-.Pa @sysconfdir@/sudo.conf
+line in the
+.Xr sudo.conf @mansectform@
  file.
  .It unable to open @timedir@/username/ttyname
  .Em sudoers
- Line 3140  option is set to 0 (or negated with a
+ Line 3494  option is set to 0 (or negated with a
  .Ql \&! ) ,
  word wrap will be disabled.
  .El
- .Sh SUDO.CONF
- The
- .Pa @sysconfdir@/sudo.conf
- file determines which plugins the
- .Nm sudo
- front end will load.
- If no
- .Pa @sysconfdir@/sudo.conf
- file
- is present, or it contains no
- .Li Plugin
- lines,
- .Nm sudo
- will use the
- .Em sudoers
- security policy and I/O logging, which corresponds to the following
- .Pa @sysconfdir@/sudo.conf
- file.
- .Bd -literal
- #
- # Default @sysconfdir@/sudo.conf file
- #
- # Format:
- #   Plugin plugin_name plugin_path plugin_options ...
- #   Path askpass /path/to/askpass
- #   Path noexec /path/to/sudo_noexec.so
- #   Debug sudo /var/log/sudo_debug all@warn
- #   Set disable_coredump true
- #
- # The plugin_path is relative to @prefix@/libexec unless
- #   fully qualified.
- # The plugin_name corresponds to a global symbol in the plugin
- #   that contains the plugin interface structure.
- # The plugin_options are optional.
- #
- Plugin policy_plugin sudoers.so
- Plugin io_plugin sudoers.so
- .Ed
- .Ss Plugin options
- Starting with
- .Nm sudo
-.8.5, it is possible to pass options to the
- .Em sudoers
- plugin.
- Options may be listed after the path to the plugin (i.e.\& after
- .Pa sudoers.so ) ;
- multiple options should be space-separated.
- For example:
- .Bd -literal
- Plugin sudoers_policy sudoers.so sudoers_file=/etc/sudoers sudoers_uid=0 sudoers_gid=0 sudoers_mode=0440
- .Ed
- .Pp
- The following plugin options are supported:
- .Bl -tag -width 8n
- .It sudoers_file=pathname
- The
- .Em sudoers_file
- option can be used to override the default path
- to the
- .Em sudoers
- file.
- .It sudoers_uid=uid
- The
- .Em sudoers_uid
- option can be used to override the default owner of the sudoers file.
- It should be specified as a numeric user ID.
- .It sudoers_gid=gid
- The
- .Em sudoers_gid
- option can be used to override the default group of the sudoers file.
- It should be specified as a numeric group ID.
- .It sudoers_mode=mode
- The
- .Em sudoers_mode
- option can be used to override the default file mode for the sudoers file.
- It should be specified as an octal value.
- .El
- .Ss Debug flags
- Versions 1.8.4 and higher of the
- .Em sudoers
- plugin supports a debugging framework that can help track down what the
- plugin is doing internally if there is a problem.
- This can be configured in the
- .Pa @sysconfdir@/sudo.conf
- file as described in
- .Xr sudo @mansectsu@ .
- .Pp
- The
- .Em sudoers
- plugin uses the same debug flag format as the
- .Nm sudo
- front-end:
- .Em subsystem Ns No @ Ns Em priority .
- .Pp
- The priorities used by
- .Em sudoers ,
- in order of decreasing severity,
- are:
- .Em crit ,
- .Em err ,
- .Em warn ,
- .Em notice ,
- .Em diag ,
- .Em info ,
- .Em trace
- and
- .Em debug .
- Each priority, when specified, also includes all priorities higher than it.
- For example, a priority of
- .Em notice
- would include debug messages logged at
- .Em notice
- and higher.
- .Pp
- The following subsystems are used by
- .Em sudoers :
- .Bl -tag -width 8n
- .It Em alias
- .Li User_Alias ,
- .Li Runas_Alias ,
- .Li Host_Alias
- and
- .Li Cmnd_Alias
- processing
- .It Em all
- matches every subsystem
- .It Em audit
- BSM and Linux audit code
- .It Em auth
- user authentication
- .It Em defaults
- .Em sudoers
- .Em Defaults
- settings
- .It Em env
- environment handling
- .It Em ldap
- LDAP-based sudoers
- .It Em logging
- logging support
- .It Em match
- matching of users, groups, hosts and netgroups in
- .Em sudoers
- .It Em netif
- network interface handling
- .It Em nss
- network service switch handling in
- .Em sudoers
- .It Em parser
- .Em sudoers
- file parsing
- .It Em perms
- permission setting
- .It Em plugin
- The equivalent of
- .Em main
- for the plugin.
- .It Em pty
- pseudo-tty related code
- .It Em rbtree
- redblack tree internals
- .It Em util
- utility functions
- .El
  .Sh FILES
  .Bl -tag -width 24n
  .It Pa @sysconfdir@/sudo.conf
- Line 3360  Host_Alias CDROM = orion, perseus, hercules
+ Line 3550  Host_Alias CDROM = orion, perseus, hercules
  # Cmnd alias specification
  Cmnd_Alias      DUMPS = /usr/bin/mt, /usr/sbin/dump, /usr/sbin/rdump,\e
-                        /usr/sbin/restore, /usr/sbin/rrestore
+                        /usr/sbin/restore, /usr/sbin/rrestore,\e
+                        sha224:0GomF8mNN3wlDt1HD9XldjJ3SNgpFdbjO1+NsQ== \e
+                        /home/operator/bin/start_backups
  Cmnd_Alias      KILL = /usr/bin/kill
  Cmnd_Alias      PRINTING = /usr/sbin/lpc, /usr/bin/lprm
  Cmnd_Alias      SHUTDOWN = /usr/sbin/shutdown
- Line 3404  Lastly, we disable shell escapes for the commands in t
+ Line 3596  Lastly, we disable shell escapes for the commands in t
  and
  .Pa /usr/bin/less
  .Pc .
+ Note that this will not effectively constrain users with
+ .Nm sudo
+ .Sy ALL
+ privileges.
  .Bd -literal
  # Override built-in defaults
  Defaults                syslog=auth
- Line 3493  Here, those are commands related to backups, killing p
+ Line 3689  Here, those are commands related to backups, killing p
  printing system, shutting down the system, and any commands in the
  directory
  .Pa /usr/oper/bin/ .
+ Note that one command in the
+ .Li DUMPS
+ Cmnd_Alias includes a sha224 digest,
+ .Pa /home/operator/bin/start_backups .
+ This is because the directory containing the script is writable by the
+ operator user.
+ If the script is modified (resulting in a digest mismatch) it will no longer
+ be possible to run it via
+ .Nm sudo .
  .Bd -literal
  joe             ALL = /usr/bin/su operator
  .Ed
- Line 3626  belonging to the
+ Line 3831  belonging to the
  and
  .Em SHELLS
  .Li Cmnd_Aliases .
+ While not specifically mentioned in the rule, the commands in the
+ .Em PAGERS
+ .Li Cmnd_Alias
+ all reside in
+ .Pa /usr/bin
+ and have the
+ .Em noexec
+ option set.
  .Bd -literal
  steve           CSNETS = (operator) /usr/local/op_commands/
  .Ed
- Line 3886  is able to determine when a tty-based time stamp file
+ Line 4099  is able to determine when a tty-based time stamp file
  ignore it.
  Administrators should not rely on this feature as it is not universally
  available.
+ .Sh DEBUGGING
+ Versions 1.8.4 and higher of the
+ .Nm sudoers
+ plugin support a flexible debugging framework that can help track
+ down what the plugin is doing internally if there is a problem.
+ This can be configured in the
+ .Xr sudo.conf @mansectform@
+ file.
+ .Pp
+ The
+ .Nm sudoers
+ plugin uses the same debug flag format as the
+ .Nm sudo
+ front-end:
+ .Em subsystem Ns No @ Ns Em priority .
+ .Pp
+ The priorities used by
+ .Nm sudoers ,
+ in order of decreasing severity,
+ are:
+ .Em crit , err , warn , notice , diag , info , trace
+ and
+ .Em debug .
+ Each priority, when specified, also includes all priorities higher
+ than it.
+ For example, a priority of
+ .Em notice
+ would include debug messages logged at
+ .Em notice
+ and higher.
+ .Pp
+ The following subsystems are used by the
+ .Nm sudoers
+ plugin:
+ .Bl -tag -width 8n
+ .It Em alias
+ .Li User_Alias ,
+ .Li Runas_Alias ,
+ .Li Host_Alias
+ and
+ .Li Cmnd_Alias
+ processing
+ .It Em all
+ matches every subsystem
+ .It Em audit
+ BSM and Linux audit code
+ .It Em auth
+ user authentication
+ .It Em defaults
+ .Em sudoers
+ .Em Defaults
+ settings
+ .It Em env
+ environment handling
+ .It Em ldap
+ LDAP-based sudoers
+ .It Em logging
+ logging support
+ .It Em match
+ matching of users, groups, hosts and netgroups in
+ .Em sudoers
+ .It Em netif
+ network interface handling
+ .It Em nss
+ network service switch handling in
+ .Em sudoers
+ .It Em parser
+ .Em sudoers
+ file parsing
+ .It Em perms
+ permission setting
+ .It Em plugin
+ The equivalent of
+ .Em main
+ for the plugin.
+ .It Em pty
+ pseudo-tty related code
+ .It Em rbtree
+ redblack tree internals
+ .It Em util
+ utility functions
+ .El
+ For example:
+ .Bd -literal
+ Debug sudo /var/log/sudo_debug match@info,nss@info
+ .Ed
+ .Pp
+ For more information, see the
+ .Xr sudo.conf @mansectform@
+ manual.
  .Sh SEE ALSO
  .Xr ssh 1 ,
  .Xr su 1 ,
- Line 3893  available.
+ Line 4196  available.
  .Xr glob 3 ,
  .Xr mktemp 3 ,
  .Xr strftime 3 ,
+ .Xr sudo.conf @mansectform@ ,
  .Xr sudoers.ldap @mansectform@ ,
  .Xr sudo_plugin @mansectsu@ ,
  .Xr sudo @mansectsu@ ,

FreeBSD-CVSweb <freebsd-cvsweb@FreeBSD.org>

Removed from v.1.1.1.1
changed lines
	Added in v.1.1.1.3