From 1d20a0ab637e3aa9ecae61f60c36328ea76a56cb Mon Sep 17 00:00:00 2001 From: "Todd C. Miller" Date: Tue, 16 Jul 2013 16:21:14 -0600 Subject: [PATCH] Document the remote_host setting (-h host) --- doc/sudo_plugin.cat | 28 ++-- doc/sudo_plugin.man.in | 312 ++++++++++++++++++++-------------------- doc/sudo_plugin.mdoc.in | 36 +++-- 3 files changed, 201 insertions(+), 175 deletions(-) diff --git a/doc/sudo_plugin.cat b/doc/sudo_plugin.cat index 193da0e8b..f7fe8fb24 100644 --- a/doc/sudo_plugin.cat +++ b/doc/sudo_plugin.cat @@ -193,16 +193,25 @@ DDEESSCCRRIIPPTTIIOONN The prompt to use when requesting a password, if specified via the --pp flag. + remote_host=string + The name of the remote host to run the command on, if + specified via the --hh option. Support for running the + command on a remote host is meant to be implemented via + a helper program that is executed in place of the user- + specified command. The ssuuddoo front end is only capable + of executing commands on the local host. Only + available starting with API version 1.4. + run_shell=bool Set to true if the user specified the --ss flag, indicating that the user wishes to run a shell. runas_group=string - The group name or gid to to run the command as, if + The group name or gid to run the command as, if specified via the --gg flag. runas_user=string - The user name or uid to to run the command as, if + The user name or uid to run the command as, if specified via the --uu flag. selinux_role=string @@ -271,11 +280,11 @@ DDEESSCCRRIIPPTTIIOONN pgid=int The ID of the process group that the running ssuuddoo process is a member of. Only available starting with - API version 1.2 + API version 1.2. pid=int The process ID of the running ssuuddoo process. Only - available starting with API version 1.2 + available starting with API version 1.2. plugin_options Any (non-comment) strings immediately after the plugin 
@@ -293,18 +302,18 @@ DDEESSCCRRIIPPTTIIOONN ppid=int The parent process ID of the running ssuuddoo process. - Only available starting with API version 1.2 + Only available starting with API version 1.2. sid=int The session ID of the running ssuuddoo process or 0 if ssuuddoo is not part of a POSIX job control session. Only - available starting with API version 1.2 + available starting with API version 1.2. tcpgid=int The ID of the foreground process group associated with the terminal device associated with the ssuuddoo process or -1 if there is no terminal present. Only available - starting with API version 1.2 + starting with API version 1.2. tty=string The path to the user's terminal device. If the user @@ -1393,6 +1402,9 @@ PPLLUUGGIINN AAPPII CCHHAANNGGEELLOOGG The ssuuddoo front end now installs default signal handlers to trap common signals while the plugin functions are run. + Version 1.4 (sudo 1.8.8) + The _r_e_m_o_t_e___h_o_s_t entry was added to the settings list. + SSEEEE AALLSSOO sudo.conf(4), sudoers(4), sudo(1m) @@ -1412,4 +1424,4 @@ DDIISSCCLLAAIIMMEERR file distributed with ssuuddoo or http://www.sudo.ws/sudo/license.html for complete details. -Sudo 1.8.7 March 5, 2013 Sudo 1.8.7 +Sudo 1.8.8 July 16, 2013 Sudo 1.8.8 diff --git a/doc/sudo_plugin.man.in b/doc/sudo_plugin.man.in index 0278db655..32a336eb3 100644 --- a/doc/sudo_plugin.man.in +++ b/doc/sudo_plugin.man.in @@ -16,7 +16,7 @@ .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. .\" ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.TH "SUDO_PLUGIN" "5" "March 5, 2013" "Sudo @PACKAGE_VERSION@" "OpenBSD Programmer's Manual" +.TH "SUDO_PLUGIN" "5" "July 16, 2013" "Sudo @PACKAGE_VERSION@" "OpenBSD Programmer's Manual" .nh .if n .ad l .SH "NAME" 
@@ -107,15 +107,15 @@ to determine the API version the plugin was built against. .TP 6n open -.RS .nf -.RS 0n +.RS 6n int (*open)(unsigned int version, sudo_conv_t conversation, sudo_printf_t plugin_printf, char * const settings[], char * const user_info[], char * const user_env[], char * const plugin_options[]); .RE .fi +.RS 6n .sp Returns 1 on success, 0 on failure, \-1 if a general error occurred, or \-2 if there was a usage error. @@ -156,7 +156,7 @@ settings A vector of user-supplied \fBsudo\fR settings in the form of -``name=value'' +\(lqname=value\(rq strings. The vector is terminated by a \fRNULL\fR @@ -171,20 +171,23 @@ When parsing the plugin should split on the \fBfirst\fR equal sign -(`=') +(\(oq=\(cq) since the \fIname\fR field will never include one itself but the \fIvalue\fR might. -.RS +.PP +.RS 6n +.PD 0 .TP 6n bsdauth_type=string Authentication type, if specified by the \fB\-a\fR flag, to use on systems where BSD authentication is supported. +.PD .TP 6n closefrom=number If specified, the user has requested via the @@ -215,7 +218,7 @@ plugin is \fIsubsystem\fR@\fIpriority\fR but the plugin is free to use a different format so long as it does not include a comma -(`,\&'). +(\(oq,\&\(cq). There is not currently a way to specify a set of debug flags specific to the plugin--the flags are shared by \fBsudo\fR @@ -271,13 +274,13 @@ sudo.conf(@mansectform@). network_addrs=list A space-separated list of IP network addresses and netmasks in the form -``addr/netmask'', +\(lqaddr/netmask\(rq, e.g.\& -``192.168.1.2/255.255.255.0''. +\(lq192.168.1.2/255.255.255.0\(rq. The address and netmask pairs may be either IPv4 or IPv6, depending on what the operating system supports. If the address contains a colon -(`:\&'), +(\(oq:\&\(cq), it is an IPv6 address, else it is IPv4. .TP 6n noninteractive=bool 
@@ -312,9 +315,9 @@ based on the runas user. .TP 6n progname=string The command name that sudo was run as, typically -``sudo'' +\(lqsudo\(rq or -``sudoedit''. +\(lqsudoedit\(rq. .TP 6n prompt=string The prompt to use when requesting a password, if specified via @@ -322,20 +325,31 @@ the \fB\-p\fR flag. .TP 6n +remote_host=string +The name of the remote host to run the command on, if specified via +the +\fB\-h\fR +option. +Support for running the command on a remote host is meant to be implemented +via a helper program that is executed in place of the user-specified command. +The +\fBsudo\fR +front end is only capable of executing commands on the local host. +Only available starting with API version 1.4. +.TP 6n run_shell=bool Set to true if the user specified the \fB\-s\fR -flag, indicating that -the user wishes to run a shell. +flag, indicating that the user wishes to run a shell. .TP 6n runas_group=string -The group name or gid to to run the command as, if specified via +The group name or gid to run the command as, if specified via the \fB\-g\fR flag. .TP 6n runas_user=string -The user name or uid to to run the command as, if specified via the +The user name or uid to run the command as, if specified via the \fB\-u\fR flag. .TP 6n @@ -377,13 +391,11 @@ section. .PP Additional settings may be added in the future so the plugin should silently ignore settings that it does not recognize. -.PP .RE -.PD 0 .TP 6n user_info A vector of information about the user running the command in the form of -``name=value'' +\(lqname=value\(rq strings. The vector is terminated by a \fRNULL\fR 
@@ -394,19 +406,21 @@ When parsing the plugin should split on the \fBfirst\fR equal sign -(`=') +(\(oq=\(cq) since the \fIname\fR field will never include one itself but the \fIvalue\fR might. -.RS -.PD +.PP +.RS 6n +.PD 0 .TP 6n cols=int The number of columns the user's terminal supports. If there is no terminal device available, a default value of 80 is used. +.PD .TP 6n cwd=string The user's current working directory. @@ -441,13 +455,13 @@ pgid=int The ID of the process group that the running \fBsudo\fR process is a member of. -Only available starting with API version 1.2 +Only available starting with API version 1.2. .TP 6n pid=int The process ID of the running \fBsudo\fR process. -Only available starting with API version 1.2 +Only available starting with API version 1.2. .TP 6n plugin_options Any (non-comment) strings immediately after the plugin path are @@ -480,7 +494,7 @@ ppid=int The parent process ID of the running \fBsudo\fR process. -Only available starting with API version 1.2 +Only available starting with API version 1.2. .TP 6n sid=int The session ID of the running @@ -488,7 +502,7 @@ The session ID of the running process or 0 if \fBsudo\fR is not part of a POSIX job control session. -Only available starting with API version 1.2 +Only available starting with API version 1.2. .TP 6n tcpgid=int The ID of the foreground process group associated with the terminal @@ -496,13 +510,13 @@ device associated with the \fBsudo\fR process or \-1 if there is no terminal present. -Only available starting with API version 1.2 +Only available starting with API version 1.2. .TP 6n tty=string The path to the user's terminal device. If the user has no terminal device associated with the session, the value will be empty, as in -``\fRtty=\fR''. +\(lq\fRtty=\fR\(rq. .TP 6n uid=uid_t The real user ID of the user invoking 
@@ -511,14 +525,15 @@ The real user ID of the user invoking user=string The name of the user invoking \fBsudo\fR. +.PD 0 .PP .RE -.PD 0 +.PD .TP 6n user_env The user's environment in the form of a \fRNULL\fR-terminated vector of -``name=value'' +\(lqname=value\(rq strings. .sp When parsing @@ -526,26 +541,26 @@ When parsing the plugin should split on the \fBfirst\fR equal sign -(`=') +(\(oq=\(cq) since the \fIname\fR field will never include one itself but the \fIvalue\fR might. -.PD +.PD 0 .PP .RE -.PD 0 +.PD .TP 6n close .br -.RS .nf -.RS 0n +.RS 6n void (*close)(int exit_status, int error); .RE .fi +.RS 6n .sp The \fBclose\fR() @@ -554,7 +569,6 @@ function is called when the command being run by finishes. .sp The function arguments are as follows: -.PD .TP 6n exit_status The command's exit status, as returned by the @@ -595,17 +609,15 @@ list, the \fBsudo\fR front end may execute the command directly instead of running it as a child process. -.PP .RE -.PD 0 .TP 6n show_version -.RS .nf -.RS 0n +.RS 6n int (*show_version)(int verbose); .RE .fi +.RS 6n .sp The \fBshow_version\fR() @@ -622,20 +634,17 @@ or function using \fRSUDO_CONV_INFO_MSG\fR. If the user requests detailed version information, the verbose flag will be set. -.PD -.PP .RE -.PD 0 .TP 6n check_policy -.RS .nf -.RS 0n +.RS 6n int (*check_policy)(int argc, char * const argv[] char *env_add[], char **command_info[], char **argv_out[], char **user_env_out[]); .RE .fi +.RS 6n .sp The \fBcheck_policy\fR() @@ -677,10 +686,10 @@ into \fIargv_out\fR, separated from the editor and its arguments by a -``\fR--\fR'' +\(lq\fR--\fR\(rq element. The -``\fR--\fR'' +\(lq\fR--\fR\(rq will be removed by \fBsudo\fR @@ -711,7 +720,6 @@ function with to present additional error information to the user. .sp The function arguments are as follows: -.PD .TP 6n argc The number of elements in 
@@ -734,7 +742,7 @@ Additional environment variables specified by the user on the command line in the form of a \fRNULL\fR-terminated vector of -``name=value'' +\(lqname=value\(rq strings. The plugin may reject the command if one or more variables are not allowed to be set, or it may silently ignore such variables. @@ -744,7 +752,7 @@ When parsing the plugin should split on the \fBfirst\fR equal sign -(`=') +(\(oq=\(cq) since the \fIname\fR field will never include one @@ -754,7 +762,7 @@ might. .TP 6n command_info Information about the command being run in the form of -``name=value'' +\(lqname=value\(rq strings. These values are used by \fBsudo\fR @@ -766,10 +774,13 @@ which must be terminated with a pointer. The following values are recognized by \fBsudo\fR: -.RS +.PP +.RS 6n +.PD 0 .TP 6n chroot=string The root directory to use when running the command. +.PD .TP 6n closefrom=number If specified, @@ -984,9 +995,7 @@ will base the new entry on the invoking user's existing entry. .PP Unsupported values will be ignored. -.PP .RE -.PD 0 .TP 6n argv_out The @@ -995,25 +1004,25 @@ argument vector to pass to the execve(2) system call when executing the command. The plugin is responsible for allocating and populating the vector. -.PD .TP 6n user_env_out The \fRNULL\fR-terminated environment vector to use when executing the command. The plugin is responsible for allocating and populating the vector. +.PD 0 .PP .RE -.PD 0 +.PD .TP 6n list -.RS .nf -.RS 0n +.RS 6n int (*list)(int verbose, const char *list_user, int argc, char * const argv[]); .RE .fi +.RS 6n .sp List available privileges for the invoking user. Returns 1 on success, 0 on failure and \-1 on error. @@ -1032,7 +1041,6 @@ or \fBplugin_printf\fR() function using \fRSUDO_CONV_INFO_MSG\fR, -.PD .TP 6n verbose Flag indicating whether to list in verbose mode or not. 
@@ -1061,17 +1069,18 @@ execve(2) system call. If the command is permitted by the policy, the fully-qualified path to the command should be displayed along with any command line arguments. +.PD 0 .PP .RE -.PD 0 +.PD .TP 6n validate -.RS .nf -.RS 0n +.RS 6n int (*validate)(void); .RE .fi +.RS 6n .sp The \fBvalidate\fR() @@ -1101,18 +1110,15 @@ function with \fRSUDO_CONF_ERROR_MSG\fR to present additional error information to the user. -.PD -.PP .RE -.PD 0 .TP 6n invalidate -.RS .nf -.RS 0n +.RS 6n void (*invalidate)(int remove); .RE .fi +.RS 6n .sp The \fBinvalidate\fR() @@ -1139,18 +1145,15 @@ The function should be \fRNULL\fR if the plugin does not support credential caching. -.PD -.PP .RE -.PD 0 .TP 6n init_session -.RS .nf -.RS 0n +.RS 6n int (*init_session)(struct passwd *pwd, char **user_envp[); .RE .fi +.RS 6n .sp The \fBinit_session\fR() @@ -1183,7 +1186,7 @@ argument points to the environment the command will run in, in the form of a \fRNULL\fR-terminated vector of -``name=value'' +\(lqname=value\(rq strings. This is the same string passed back to the front end via the Policy Plugin's @@ -1219,19 +1222,16 @@ function with \fRSUDO_CONF_ERROR_MSG\fR to present additional error information to the user. -.PD -.PP .RE -.PD 0 .TP 6n register_hooks -.RS .nf -.RS 0n +.RS 6n void (*register_hooks)(int version, int (*register_hook)(struct sudo_hook *hook)); .RE .fi +.RS 6n .sp The \fBregister_hooks\fR() @@ -1274,19 +1274,16 @@ front end doesn't support API version 1.2 or higher, \fRregister_hooks\fR will not be called. -.PD -.PP .RE -.PD 0 .TP 6n deregister_hooks -.RS .nf -.RS 0n +.RS 6n void (*deregister_hooks)(int version, int (*deregister_hook)(struct sudo_hook *hook)); .RE .fi +.RS 6n .sp The \fBderegister_hooks\fR() @@ -1331,7 +1328,6 @@ version 1.2 or higher, \fRderegister_hooks\fR will not be called. .RE -.PD .PP \fIPolicy Plugin Version Macros\fR .nf 
@@ -1432,15 +1428,15 @@ to determine the API version the plugin was built against. .TP 6n open -.RS .nf -.RS 0n +.RS 6n int (*open)(unsigned int version, sudo_conv_t conversation, sudo_printf_t plugin_printf, char * const settings[], char * const user_info[], int argc, char * const argv[], char * const user_env[], char * const plugin_options[]); .RE .fi +.RS 6n .sp The \fBopen\fR() @@ -1510,7 +1506,7 @@ settings A vector of user-supplied \fBsudo\fR settings in the form of -``name=value'' +\(lqname=value\(rq strings. The vector is terminated by a \fRNULL\fR @@ -1525,7 +1521,7 @@ When parsing the plugin should split on the \fBfirst\fR equal sign -(`=') +(\(oq=\(cq) since the \fIname\fR field will never include one @@ -1539,7 +1535,7 @@ section for a list of all possible settings. .TP 6n user_info A vector of information about the user running the command in the form of -``name=value'' +\(lqname=value\(rq strings. The vector is terminated by a \fRNULL\fR @@ -1550,7 +1546,7 @@ When parsing the plugin should split on the \fBfirst\fR equal sign -(`=') +(\(oq=\(cq) since the \fIname\fR field will never include one @@ -1581,7 +1577,7 @@ user_env The user's environment in the form of a \fRNULL\fR-terminated vector of -``name=value'' +\(lqname=value\(rq strings. .sp When parsing @@ -1589,7 +1585,7 @@ When parsing the plugin should split on the \fBfirst\fR equal sign -(`=') +(\(oq=\(cq) since the \fIname\fR field will never include one @@ -1622,18 +1618,19 @@ by the front end before using \fIplugin_options\fR. Failure to do so may result in a crash. +.PD 0 .PP .RE -.PD 0 +.PD .TP 6n close .br -.RS .nf -.RS 0n +.RS 6n void (*close)(int exit_status, int error); .RE .fi +.RS 6n .sp The \fBclose\fR() @@ -1642,7 +1639,6 @@ function is called when the command being run by finishes. .sp The function arguments are as follows: -.PD .TP 6n exit_status The command's exit status, as returned by the 
@@ -1664,17 +1660,18 @@ system call. If the command was successfully executed, the value of \fRerror\fR is 0. +.PD 0 .PP .RE -.PD 0 +.PD .TP 6n show_version -.RS .nf -.RS 0n +.RS 6n int (*show_version)(int verbose); .RE .fi +.RS 6n .sp The \fBshow_version\fR() @@ -1691,18 +1688,15 @@ or function using \fRSUDO_CONV_INFO_MSG\fR. If the user requests detailed version information, the verbose flag will be set. -.PD -.PP .RE -.PD 0 .TP 6n log_ttyin -.RS .nf -.RS 0n +.RS 6n int (*log_ttyin)(const char *buf, unsigned int len); .RE .fi +.RS 6n .sp The \fBlog_ttyin\fR() @@ -1714,7 +1708,6 @@ Returns 1 if the data should be passed to the command, 0 if the data is rejected (which will terminate the command) or \-1 if an error occurred. .sp The function arguments are as follows: -.PD .TP 6n buf The buffer containing user input. @@ -1723,17 +1716,18 @@ len The length of \fIbuf\fR in bytes. +.PD 0 .PP .RE -.PD 0 +.PD .TP 6n log_ttyout -.RS .nf -.RS 0n +.RS 6n int (*log_ttyout)(const char *buf, unsigned int len); .RE .fi +.RS 6n .sp The \fBlog_ttyout\fR() @@ -1745,7 +1739,6 @@ Returns 1 if the data should be passed to the user, 0 if the data is rejected (which will terminate the command) or \-1 if an error occurred. .sp The function arguments are as follows: -.PD .TP 6n buf The buffer containing command output. @@ -1754,17 +1747,18 @@ len The length of \fIbuf\fR in bytes. +.PD 0 .PP .RE -.PD 0 +.PD .TP 6n log_stdin -.RS .nf -.RS 0n +.RS 6n int (*log_stdin)(const char *buf, unsigned int len); .RE .fi +.RS 6n .sp The \fBlog_stdin\fR() @@ -1778,7 +1772,6 @@ Returns 1 if the data should be passed to the command, 0 if the data is rejected (which will terminate the command) or \-1 if an error occurred. .sp The function arguments are as follows: -.PD .TP 6n buf The buffer containing user input. 
@@ -1787,17 +1780,18 @@ len The length of \fIbuf\fR in bytes. +.PD 0 .PP .RE -.PD 0 +.PD .TP 6n log_stdout -.RS .nf -.RS 0n +.RS 6n int (*log_stdout)(const char *buf, unsigned int len); .RE .fi +.RS 6n .sp The \fBlog_stdout\fR() @@ -1811,7 +1805,6 @@ Returns 1 if the data should be passed to the user, 0 if the data is rejected (which will terminate the command) or \-1 if an error occurred. .sp The function arguments are as follows: -.PD .TP 6n buf The buffer containing command output. @@ -1820,17 +1813,18 @@ len The length of \fIbuf\fR in bytes. +.PD 0 .PP .RE -.PD 0 +.PD .TP 6n log_stderr -.RS .nf -.RS 0n +.RS 6n int (*log_stderr)(const char *buf, unsigned int len); .RE .fi +.RS 6n .sp The \fBlog_stderr\fR() @@ -1844,7 +1838,6 @@ Returns 1 if the data should be passed to the user, 0 if the data is rejected (which will terminate the command) or \-1 if an error occurred. .sp The function arguments are as follows: -.PD .TP 6n buf The buffer containing command output. @@ -1853,16 +1846,16 @@ len The length of \fIbuf\fR in bytes. +.PD 0 .PP .RE -.PD 0 +.PD .TP 6n register_hooks See the \fIPolicy plugin API\fR section for a description of \fRregister_hooks\fR. -.PD .TP 6n deregister_hooks See the @@ -1969,7 +1962,9 @@ hook_type The \fRhook_type\fR field may be one of the following supported hook types: -.RS +.PP +.RS 6n +.PD 0 .TP 6n \fRSUDO_HOOK_SETENV\fR The C library @@ -1980,20 +1975,19 @@ The \fRhook_fn\fR field should be a function that matches the following typedef: -.RS .nf .sp -.RS 0n +.RS 6n typedef int (*sudo_hook_fn_setenv_t)(const char *name, const char *value, int overwrite, void *closure); .RE .fi +.RS 6n .sp If the registered hook does not match the typedef the results are unspecified. -.PP .RE -.PD 0 +.PD .TP 6n \fRSUDO_HOOK_UNSETENV\fR The C library 
@@ -2004,18 +1998,13 @@ The \fRhook_fn\fR field should be a function that matches the following typedef: -.RS .nf .sp -.RS 0n +.RS 6n typedef int (*sudo_hook_fn_unsetenv_t)(const char *name, void *closure); .RE .fi -.PD -.PP -.RE -.PD 0 .TP 6n \fRSUDO_HOOK_GETENV\fR The C library @@ -2026,21 +2015,18 @@ The \fRhook_fn\fR field should be a function that matches the following typedef: -.RS .nf .sp -.RS 0n +.RS 6n typedef int (*sudo_hook_fn_getenv_t)(const char *name, char **value, void *closure); .RE .fi +.RS 6n .sp If the registered hook does not match the typedef the results are unspecified. -.PD -.PP .RE -.PD 0 .TP 6n \fRSUDO_HOOK_PUTENV\fR The C library @@ -2051,22 +2037,22 @@ The \fRhook_fn\fR field should be a function that matches the following typedef: -.RS .nf .sp -.RS 0n +.RS 6n typedef int (*sudo_hook_fn_putenv_t)(char *string, void *closure); .RE .fi +.RS 6n .sp If the registered hook does not match the typedef the results are unspecified. .RE -.PD +.PD 0 .PP .RE -.PD 0 +.PD .TP 6n hook_fn sudo_hook_fn_t hook_fn; @@ -2087,11 +2073,13 @@ is passed as the last function parameter. This can be used to pass arbitrary data to the plugin's hook implementation. .sp The function return value may be one of the following: -.RS -.PD +.PP +.RS 6n +.PD 0 .TP 6n \fRSUDO_HOOK_RET_ERROR\fR The hook function encountered an error. +.PD .TP 6n \fRSUDO_HOOK_RET_NEXT\fR The hook completed without error, go on to the next hook (including @@ -2111,7 +2099,10 @@ hook that operates on a private copy of the environment but leaves \fRenviron\fR unchanged. +.PD 0 +.PP .RE +.PD .PP Note that it is very easy to create an infinite loop when hooking C library functions. @@ -2322,13 +2313,13 @@ to determine the API version the group plugin was built against. .TP 6n init -.RS .nf -.RS 0n +.RS 6n int (*init)(int version, sudo_printf_t plugin_printf, char *const argv[]); .RE .fi +.RS 6n .sp The \fBinit\fR() 
@@ -2371,17 +2362,18 @@ If no arguments were given, \fIargv\fR will be \fRNULL\fR. +.PD 0 .PP .RE -.PD 0 +.PD .TP 6n cleanup -.RS .nf -.RS 0n +.RS 6n void (*cleanup)(); .RE .fi +.RS 6n .sp The \fBcleanup\fR() @@ -2390,20 +2382,17 @@ function is called when has finished its group checks. The plugin should free any memory it has allocated and close open file handles. -.PD -.PP .RE -.PD 0 .TP 6n query .br -.RS .nf -.RS 0n +.RS 6n int (*query)(const char *user, const char *group, const struct passwd *pwd); .RE .fi +.RS 6n .sp The \fBquery\fR() @@ -2413,7 +2402,6 @@ is a member of \fIgroup\fR. .sp The function arguments are as follows: -.PD .TP 6n user The name of the user being looked up in the external group database. @@ -2433,7 +2421,10 @@ present in the password database, \fIpwd\fR will be \fRNULL\fR. +.PD 0 +.PP .RE +.PD .PP \fIGroup API Version Macros\fR .nf @@ -2524,6 +2515,13 @@ The \fBsudo\fR front end now installs default signal handlers to trap common signals while the plugin functions are run. +.TP 6n +Version 1.4 (sudo 1.8.8) +The +\fIremote_host\fR +entry was added to the +\fRsettings\fR +list. .SH "SEE ALSO" sudo.conf(@mansectform@), sudoers(@mansectform@), @@ -2539,7 +2537,7 @@ search the archives. .SH "DISCLAIMER" \fBsudo\fR is provided -``AS IS'' +\(lqAS IS\(rq and any express or implied warranties, including, but not limited to, the implied warranties of merchantability and fitness for a particular purpose are disclaimed. diff --git a/doc/sudo_plugin.mdoc.in b/doc/sudo_plugin.mdoc.in index 53b54b643..8b0810cb0 100644 --- a/doc/sudo_plugin.mdoc.in +++ b/doc/sudo_plugin.mdoc.in @@ -14,7 +14,7 @@ .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. .\" ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.Dd March 5, 2013 +.Dd July 16, 2013 .Dt SUDO_PLUGIN @mansectform@ .Os Sudo @PACKAGE_VERSION@ .Sh NAME 
@@ -292,18 +292,28 @@ The prompt to use when requesting a password, if specified via the .Fl p flag. +.It remote_host=string +The name of the remote host to run the command on, if specified via +the +.Fl h +option. +Support for running the command on a remote host is meant to be implemented +via a helper program that is executed in place of the user-specified command. +The +.Nm sudo +front end is only capable of executing commands on the local host. +Only available starting with API version 1.4. .It run_shell=bool Set to true if the user specified the .Fl s -flag, indicating that -the user wishes to run a shell. +flag, indicating that the user wishes to run a shell. .It runas_group=string -The group name or gid to to run the command as, if specified via +The group name or gid to run the command as, if specified via the .Fl g flag. .It runas_user=string -The user name or uid to to run the command as, if specified via the +The user name or uid to run the command as, if specified via the .Fl u flag. .It selinux_role=string @@ -392,12 +402,12 @@ no terminal device available, a default value of 24 is used. The ID of the process group that the running .Nm sudo process is a member of. -Only available starting with API version 1.2 +Only available starting with API version 1.2. .It pid=int The process ID of the running .Nm sudo process. -Only available starting with API version 1.2 +Only available starting with API version 1.2. .It plugin_options Any (non-comment) strings immediately after the plugin path are passed as arguments to the plugin. 
@@ -428,21 +438,21 @@ Failure to do so may result in a crash. The parent process ID of the running .Nm sudo process. -Only available starting with API version 1.2 +Only available starting with API version 1.2. .It sid=int The session ID of the running .Nm sudo process or 0 if .Nm sudo is not part of a POSIX job control session. -Only available starting with API version 1.2 +Only available starting with API version 1.2. .It tcpgid=int The ID of the foreground process group associated with the terminal device associated with the .Nm sudo process or \-1 if there is no terminal present. -Only available starting with API version 1.2 +Only available starting with API version 1.2. .It tty=string The path to the user's terminal device. If the user has no terminal device associated with the session, @@ -2180,6 +2190,12 @@ The .Nm sudo front end now installs default signal handlers to trap common signals while the plugin functions are run. +.It Version 1.4 (sudo 1.8.8) +The +.Em remote_host +entry was added to the +.Li settings +list. .El .Sh SEE ALSO .Xr sudo.conf @mansectform@ ,
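Review bot: The new remote_host entry (added identically in doc/sudo_plugin.cat, doc/sudo_plugin.man.in and doc/sudo_plugin.mdoc.in) does not say what a policy plugin without remote support should do with the value. The unchanged text at the end of the same settings list says "the plugin should silently ignore settings that it does not recognize", and the new entry says "The sudo front end is only capable of executing commands on the local host". Read together, a plugin that ignores remote_host would run the command locally even though the user asked for another host with -h. Suggest one more sentence in the entry stating the expected behaviour for plugins that do not implement remote execution (for example, fail the request instead of falling back to the local host), and a reminder that the value is user-supplied like the rest of the settings vector and should be validated before it is passed to a helper program. Minor style point: the entry says "-h option" where the neighbouring entries (prompt, run_shell, runas_group, runas_user) say "flag".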
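Review bot: Most of the 312 changed lines in doc/sudo_plugin.man.in are unrelated to the subject line "Document the remote_host setting". The hunks replace ``name=value'' with \(lqname=value\(rq, change ".RS 0n" to ".RS 6n" and move .PD/.PP requests throughout the file, which reads like the output of regenerating the page. Suggest either committing the regeneration separately or mentioning it in the commit message, so the real content change (the remote_host entry and the "Version 1.4 (sudo 1.8.8)" changelog item) is easy to find. The same applies to the "to to" fixes in runas_group/runas_user and the full stops added after "API version 1.2", which are worthwhile but not covered by the subject.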
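Review bot: Two function prototypes that appear as context inside the reworked ".RS 6n" blocks of doc/sudo_plugin.man.in are malformed and could be corrected while this text is being touched. check_policy reads "char * const argv[] char *env_add[]" (missing comma after argv[]) and init_session reads "char **user_envp[);" (unbalanced bracket). The context lines also show "SUDO_CONF_ERROR_MSG" next to "SUDO_CONV_INFO_MSG" elsewhere in the page, so the CONF/CONV spelling is worth checking against the header. If the .man.in file is produced from the .mdoc.in source, the fixes belong there, with the .cat and .man.in outputs regenerated afterwards.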