mirror of https://github.com/sudo-project/sudo.git synced 2025-08-22 01:49:11 +00:00

Document that plugins can be compiled statically into the sudo binary.

Todd C. Miller 2013-12-04 16:05:05 -07:00
parent 9e964a8c0e
commit 1739350e20
9 changed files with 99 additions and 42 deletions

View File

@ -392,12 +392,14 @@ CCOOMMMMAANNDD EEXXEECCUUTTIIOONN
instead of running it as a child process.
PPlluuggiinnss
Plugins are dynamically loaded based on the contents of the sudo.conf(4)
file. If no sudo.conf(4) file is present, or it contains no Plugin
lines, ssuuddoo will use the traditional _s_u_d_o_e_r_s security policy and I/O
logging. See the sudo.conf(4) manual for details of the _/_e_t_c_/_s_u_d_o_._c_o_n_f
file and the sudo_plugin(1m) manual for more information about the ssuuddoo
plugin architecture.
Plugins may be specified via Plugin directives in the sudo.conf(4) file.
They may be loaded as dynamic shared objects (on systems that support
them), or compiled directly into the ssuuddoo binary. If no sudo.conf(4)
file is present, or it contains no Plugin lines, ssuuddoo will use the
traditional _s_u_d_o_e_r_s security policy and I/O logging. See the
sudo.conf(4) manual for details of the _/_e_t_c_/_s_u_d_o_._c_o_n_f file and the
sudo_plugin(1m) manual for more information about the ssuuddoo plugin
architecture.
EEXXIITT VVAALLUUEE
Upon successful execution of a program, the exit status from _s_u_d_o will
@ -579,4 +581,4 @@ DDIISSCCLLAAIIMMEERR
file distributed with ssuuddoo or http://www.sudo.ws/sudo/license.html for
complete details.
Sudo 1.8.8 August 14, 2013 Sudo 1.8.8
Sudo 1.8.9 December 4, 2013 Sudo 1.8.9

View File

@ -39,12 +39,12 @@ DDEESSCCRRIIPPTTIIOONN
end. Plugins are dynamically loaded based on the contents of ssuuddoo..ccoonnff.
A Plugin line consists of the Plugin keyword, followed by the _s_y_m_b_o_l___n_a_m_e
and the _p_a_t_h to the shared object containing the plugin. The _s_y_m_b_o_l___n_a_m_e
is the name of the struct policy_plugin or struct io_plugin in the plugin
shared object. The _p_a_t_h may be fully qualified or relative. If not
fully qualified, it is relative to the directory specified by the
_p_l_u_g_i_n___d_i_r Path setting, which defaults to _/_u_s_r_/_l_o_c_a_l_/_l_i_b_e_x_e_c_/_s_u_d_o. In
other words:
and the _p_a_t_h to the dynamic shared object that contains the plugin. The
_s_y_m_b_o_l___n_a_m_e is the name of the struct policy_plugin or struct io_plugin
symbol contained in the plugin. The _p_a_t_h may be fully qualified or
relative. If not fully qualified, it is relative to the directory
specified by the _p_l_u_g_i_n___d_i_r Path setting, which defaults to
_/_u_s_r_/_l_o_c_a_l_/_l_i_b_e_x_e_c_/_s_u_d_o. In other words:
Plugin sudoers_policy sudoers.so
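Review bot: The first line of this hunk, left unchanged, still reads "Plugins are dynamically loaded based on the contents of sudo.conf", and the reworded sentence defines path as the path "to the dynamic shared object that contains the plugin". Both statements exclude the compiled-in case documented in the next hunk, where the path "does not actually exist in the file system". Suggest rewording the opening sentence the same way the Plugins section of the sudo manual is reworded in this commit, and defining path as either the dynamic shared object or the name of a compiled-in plugin.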
@ -52,17 +52,24 @@ DDEESSCCRRIIPPTTIIOONN
Plugin sudoers_policy /usr/local/libexec/sudo/sudoers.so
If the plugin was compiled statically into the ssuuddoo binary instead of
being installed as a dynamic shared object, the _p_a_t_h should be specified
without a leading directory, as it does not actually exist in the file
system. For example:
Plugin sudoers_policy sudoers.so
Starting with ssuuddoo 1.8.5, any additional parameters after the _p_a_t_h are
passed as arguments to the plugin's _o_p_e_n function. For example, to
override the compile-time default sudoers file mode:
Plugin sudoers_policy sudoers.so sudoers_mode=0440
The same shared object may contain multiple plugins, each with a
different symbol name. The shared object file must be owned by uid 0 and
only writable by its owner. Because of ambiguities that arise from
composite policies, only a single policy plugin may be specified. This
limitation does not apply to I/O plugins.
The same dynamic shared object may contain multiple plugins, each with a
different symbol name. The file must be owned by uid 0 and only writable
by its owner. Because of ambiguities that arise from composite policies,
only a single policy plugin may be specified. This limitation does not
apply to I/O plugins.
If no ssuuddoo..ccoonnff file is present, or if it contains no Plugin lines, the
ssuuddooeerrss plugin will be used as the default security policy and for I/O
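Review bot: The example added for a statically compiled plugin, "Plugin sudoers_policy sudoers.so", is character for character the same line the text above gives for a relative path resolved under plugin_dir. The paragraph does not say which one sudo uses when a plugin of that name is compiled in and a file of the same name also exists in plugin_dir, and that choice decides which code runs as the security policy. Suggest stating the lookup order explicitly in this paragraph.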
@ -369,4 +376,4 @@ DDIISSCCLLAAIIMMEERR
file distributed with ssuuddoo or http://www.sudo.ws/sudo/license.html for
complete details.
Sudo 1.8.9 December 3, 2013 Sudo 1.8.9
Sudo 1.8.9 December 4, 2013 Sudo 1.8.9

View File

@ -16,7 +16,7 @@
.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
.\" ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
.\"
.TH "SUDO" "5" "December 3, 2013" "Sudo @PACKAGE_VERSION@" "OpenBSD Programmer's Manual"
.TH "SUDO" "5" "December 4, 2013" "Sudo @PACKAGE_VERSION@" "OpenBSD Programmer's Manual"
.nh
.if n .ad l
.SH "NAME"
@ -100,14 +100,14 @@ keyword, followed by the
\fIsymbol_name\fR
and the
\fIpath\fR
to the shared object containing the plugin.
to the dynamic shared object that contains the plugin.
The
\fIsymbol_name\fR
is the name of the
\fRstruct policy_plugin\fR
or
\fRstruct io_plugin\fR
in the plugin shared object.
symbol contained in the plugin.
The
\fIpath\fR
may be fully qualified or relative.
@ -133,6 +133,20 @@ Plugin sudoers_policy @PLUGINDIR@/sudoers.so
.RE
.fi
.PP
If the plugin was compiled statically into the
\fBsudo\fR
binary instead of being installed as a dynamic shared object, the
\fIpath\fR
should be specified without a leading directory,
as it does not actually exist in the file system.
For example:
.nf
.sp
.RS 6n
Plugin sudoers_policy sudoers.so
.RE
.fi
.PP
Starting with
\fBsudo\fR
1.8.5, any additional parameters after the
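Review bot: "should be specified without a leading directory" leaves the failure case undocumented. The added paragraph does not say what happens when a Plugin line for a compiled-in plugin does carry a directory, for instance the fully qualified "@PLUGINDIR@/sudoers.so" form shown immediately before it. Suggest saying whether that is an error or whether sudo then tries to load a file from that path, and using "must" if the bare name is required.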
@ -148,9 +162,9 @@ Plugin sudoers_policy sudoers.so sudoers_mode=0440
.RE
.fi
.PP
The same shared object may contain multiple plugins, each with a
different symbol name.
The shared object file must be owned by uid 0 and only writable by its owner.
The same dynamic shared object may contain multiple plugins,
each with a different symbol name.
The file must be owned by uid 0 and only writable by its owner.
Because of ambiguities that arise from composite policies, only a single
policy plugin may be specified.
This limitation does not apply to I/O plugins.
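Review bot: In the reworded paragraph, "The file must be owned by uid 0 and only writable by its owner" has lost its antecedent: with "shared object" dropped it is no longer clear which file is meant, and nothing says how the requirement relates to a compiled-in plugin, which has no file to check. Suggest keeping "The shared object file must be ..." and adding a clause stating whether the ownership and mode requirement applies only to dynamically loaded plugins.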

View File

@ -14,7 +14,7 @@
.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
.\" ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
.\"
.Dd December 3, 2013
.Dd December 4, 2013
.Dt SUDO @mansectform@
.Os Sudo @PACKAGE_VERSION@
.Sh NAME
@ -96,14 +96,14 @@ keyword, followed by the
.Em symbol_name
and the
.Em path
to the shared object containing the plugin.
to the dynamic shared object that contains the plugin.
The
.Em symbol_name
is the name of the
.Li struct policy_plugin
or
.Li struct io_plugin
in the plugin shared object.
symbol contained in the plugin.
The
.Em path
may be fully qualified or relative.
@ -123,6 +123,17 @@ is equivalent to:
Plugin sudoers_policy @PLUGINDIR@/sudoers.so
.Ed
.Pp
If the plugin was compiled statically into the
.Nm sudo
binary instead of being installed as a dynamic shared object, the
.Em path
should be specified without a leading directory,
as it does not actually exist in the file system.
For example:
.Bd -literal -offset indent
Plugin sudoers_policy sudoers.so
.Ed
.Pp
Starting with
.Nm sudo
1.8.5, any additional parameters after the
@ -135,9 +146,9 @@ For example, to override the compile-time default sudoers file mode:
Plugin sudoers_policy sudoers.so sudoers_mode=0440
.Ed
.Pp
The same shared object may contain multiple plugins, each with a
different symbol name.
The shared object file must be owned by uid 0 and only writable by its owner.
The same dynamic shared object may contain multiple plugins,
each with a different symbol name.
The file must be owned by uid 0 and only writable by its owner.
Because of ambiguities that arise from composite policies, only a single
policy plugin may be specified.
This limitation does not apply to I/O plugins.

View File

@ -21,7 +21,7 @@
.\" Agency (DARPA) and Air Force Research Laboratory, Air Force
.\" Materiel Command, USAF, under agreement number F39502-99-1-0512.
.\"
.TH "SUDO" "@mansectsu@" "August 14, 2013" "Sudo @PACKAGE_VERSION@" "System Manager's Manual"
.TH "SUDO" "@mansectsu@" "December 4, 2013" "Sudo @PACKAGE_VERSION@" "System Manager's Manual"
.nh
.if n .ad l
.SH "NAME"
@ -788,9 +788,15 @@ run in a new pty,
\fBsudo\fR
may execute the command directly instead of running it as a child process.
.SS "Plugins"
Plugins are dynamically loaded based on the contents of the
Plugins may be specified via
\fRPlugin\fR
directives in the
sudo.conf(@mansectform@)
file.
They may be loaded as dynamic shared objects (on systems that support them),
or compiled directly into the
\fBsudo\fR
binary.
If no
sudo.conf(@mansectform@)
file is present, or it contains no

View File

@ -19,7 +19,7 @@
.\" Agency (DARPA) and Air Force Research Laboratory, Air Force
.\" Materiel Command, USAF, under agreement number F39502-99-1-0512.
.\"
.Dd August 14, 2013
.Dd December 4, 2013
.Dt SUDO @mansectsu@
.Os Sudo @PACKAGE_VERSION@
.Sh NAME
@ -779,9 +779,15 @@ run in a new pty,
.Nm sudo
may execute the command directly instead of running it as a child process.
.Ss Plugins
Plugins are dynamically loaded based on the contents of the
Plugins may be specified via
.Li Plugin
directives in the
.Xr sudo.conf @mansectform@
file.
They may be loaded as dynamic shared objects (on systems that support them),
or compiled directly into the
.Nm sudo
binary.
If no
.Xr sudo.conf @mansectform@
file is present, or it contains no

View File

@ -5,10 +5,13 @@ NNAAMMEE
DDEESSCCRRIIPPTTIIOONN
Starting with version 1.8, ssuuddoo supports a plugin API for policy and
session logging. By default, the ssuuddooeerrss policy plugin and an associated
I/O logging plugin are used. Via the plugin API, ssuuddoo can be configured
to use alternate policy and/or I/O logging plugins provided by third
parties. The plugins to be used are specified in the sudo.conf(4) file.
session logging. Plugins may be compiled as dynamic shared objects (the
default on systems that support them) or compiled statically into the
ssuuddoo binary itself. By default, the ssuuddooeerrss policy plugin and an
associated I/O logging plugin are used. Via the plugin API, ssuuddoo can be
configured to use alternate policy and/or I/O logging plugins provided by
third parties. The plugins to be used are specified in the sudo.conf(4)
file.
The API is versioned with a major and minor number. The minor version
number is incremented when additions are made. The major number is
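Review bot: The added sentence tells plugin authors that a plugin may be "compiled statically into the sudo binary itself", but the hunk gives no pointer to how that is done or what it means for a plugin that is not part of the sudo build. Since the paragraph still says alternate plugins "provided by third parties" can be configured, suggest noting whether a third-party plugin can be used with a statically built sudo and where the build procedure is described.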
@ -1453,4 +1456,4 @@ DDIISSCCLLAAIIMMEERR
file distributed with ssuuddoo or http://www.sudo.ws/sudo/license.html for
complete details.
Sudo 1.8.8 August 16, 2013 Sudo 1.8.8
Sudo 1.8.9 December 4, 2013 Sudo 1.8.9

View File

@ -16,7 +16,7 @@
.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
.\" ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
.\"
.TH "SUDO_PLUGIN" "5" "August 16, 2013" "Sudo @PACKAGE_VERSION@" "OpenBSD Programmer's Manual"
.TH "SUDO_PLUGIN" "5" "December 4, 2013" "Sudo @PACKAGE_VERSION@" "OpenBSD Programmer's Manual"
.nh
.if n .ad l
.SH "NAME"
@ -27,6 +27,10 @@ Starting with version 1.8,
\fBsudo\fR
supports a plugin API
for policy and session logging.
Plugins may be compiled as dynamic shared objects (the default on
systems that support them) or compiled statically into the
\fBsudo\fR
binary itself.
By default, the
\fBsudoers\fR
policy plugin and an associated I/O logging plugin are used.

View File

@ -14,7 +14,7 @@
.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
.\" ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
.\"
.Dd August 16, 2013
.Dd December 4, 2013
.Dt SUDO_PLUGIN @mansectform@
.Os Sudo @PACKAGE_VERSION@
.Sh NAME
@ -25,6 +25,10 @@ Starting with version 1.8,
.Nm sudo
supports a plugin API
for policy and session logging.
Plugins may be compiled as dynamic shared objects (the default on
systems that support them) or compiled statically into the
.Nm sudo
binary itself.
By default, the
.Nm sudoers
policy plugin and an associated I/O logging plugin are used.