mir/sudo
2
0
Fork 0
mirror of https://github.com/sudo-project/sudo.git synced 2025-08-22 09:57:41 +00:00
Code Issues Releases Wiki Activity

Document the sudo log server protocol

Browse Source
This commit is contained in:
Todd C. Miller 2019-10-24 20:04:33 -06:00
parent 3b8011ea9e
commit 1df3230c2a
8 changed files with 1707 additions and 45 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

6
MANIFEST
View File

@ -34,10 +34,12 @@ doc/sudo.conf.mdoc.in
doc/sudo.man.in doc/sudo.man.in
doc/sudo.man.in.sed doc/sudo.man.in.sed
doc/sudo.mdoc.in doc/sudo.mdoc.in
doc/sudo_logsrvd.man.in doc/sudo_logsrv.proto.man.in
doc/sudo_logsrvd.mdoc.in doc/sudo_logsrv.proto.mdoc.in
doc/sudo_logsrvd.conf.man.in doc/sudo_logsrvd.conf.man.in
doc/sudo_logsrvd.conf.mdoc.in doc/sudo_logsrvd.conf.mdoc.in
doc/sudo_logsrvd.man.in
doc/sudo_logsrvd.mdoc.in
doc/sudo_plugin.man.in doc/sudo_plugin.man.in
doc/sudo_plugin.mdoc.in doc/sudo_plugin.mdoc.in
doc/sudo_sendlog.man.in doc/sudo_sendlog.man.in

20
doc/Makefile.in
View File

@ -72,6 +72,7 @@ SHELL = @SHELL@
DOCS = $(mansrcdir)/cvtsudoers.$(mantype) $(mansrcdir)/sudo.$(mantype) \ DOCS = $(mansrcdir)/cvtsudoers.$(mantype) $(mansrcdir)/sudo.$(mantype) \
$(mansrcdir)/sudo.conf.$(mantype) $(mansrcdir)/sudo_logsrvd.$(mantype) \ $(mansrcdir)/sudo.conf.$(mantype) $(mansrcdir)/sudo_logsrvd.$(mantype) \
$(mansrcdir)/sudo_logsrv.proto.$(mantype) \
$(mansrcdir)/sudo_logsrvd.conf.$(mantype) \ $(mansrcdir)/sudo_logsrvd.conf.$(mantype) \
$(mansrcdir)/sudo_plugin.$(mantype) \ $(mansrcdir)/sudo_plugin.$(mantype) \
$(mansrcdir)/sudo_sendlog.$(mantype) \ $(mansrcdir)/sudo_sendlog.$(mantype) \
@ -81,6 +82,7 @@ DOCS = $(mansrcdir)/cvtsudoers.$(mantype) $(mansrcdir)/sudo.$(mantype) \
DEVDOCS = $(srcdir)/cvtsudoers.man.in $(srcdir)/sudo.conf.man.in \ DEVDOCS = $(srcdir)/cvtsudoers.man.in $(srcdir)/sudo.conf.man.in \
$(srcdir)/sudo.man.in $(srcdir)/sudo_logsrvd.man.in \ $(srcdir)/sudo.man.in $(srcdir)/sudo_logsrvd.man.in \
$(srcdir)/sudo_logsrv.proto.man.in \
$(srcdir)/sudo_logsrvd.conf.man.in \ $(srcdir)/sudo_logsrvd.conf.man.in \
$(srcdir)/sudo_plugin.man.in $(srcdir)/sudo_sendlog.man.in \ $(srcdir)/sudo_plugin.man.in $(srcdir)/sudo_sendlog.man.in \
$(srcdir)/sudoers.ldap.man.in $(srcdir)/sudoers.man.in \ $(srcdir)/sudoers.ldap.man.in $(srcdir)/sudoers.man.in \
@ -260,6 +262,20 @@ $(mansrcdir)/sudo_logsrvd.man: $(top_builddir)/config.status $(srcdir)/sudo_logs
$(mansrcdir)/sudo_logsrvd.mdoc: $(top_builddir)/config.status $(srcdir)/sudo_logsrvd.mdoc.in $(mansrcdir)/sudo_logsrvd.mdoc: $(top_builddir)/config.status $(srcdir)/sudo_logsrvd.mdoc.in
cd $(top_builddir) && $(SHELL) config.status --file=doc/$@ cd $(top_builddir) && $(SHELL) config.status --file=doc/$@
$(srcdir)/sudo_logsrv.proto.man.in: $(srcdir)/sudo_logsrv.proto.mdoc.in
@if [ -n "$(DEVEL)" ]; then \
echo "Generating $@"; \
mansectsu=`echo @MANSECTSU@|$(TR) A-Z a-z`; \
mansectform=`echo @MANSECTFORM@|$(TR) A-Z a-z`; \
$(SED) -e "s/$$mansectsu/8/g" -e "s/$$mansectform/5/g" $(srcdir)/sudo_logsrv.proto.mdoc.in | $(MANDOC) -Tman | $(SED) -e 's/^\(\.TH "SUDO_LOGSRV.PROTO" \)"5"\(.*\)/\1"'$$mansectform'"\2/' -e "s/(5)/($$mansectform)/g" -e "s/(5)/($$mansectform)/g" > $@; \
fi
$(mansrcdir)/sudo_logsrv.proto.man: $(top_builddir)/config.status $(srcdir)/sudo_logsrv.proto.man.in fixman.sed
(cd $(top_builddir) && $(SHELL) config.status --file=-) < $(srcdir)/sudo_logsrv.proto.man.in | $(SED) -f fixman.sed > $@
$(mansrcdir)/sudo_logsrv.proto.mdoc: $(top_builddir)/config.status $(srcdir)/sudo_logsrv.proto.mdoc.in
cd $(top_builddir) && $(SHELL) config.status --file=doc/$@
$(srcdir)/sudo_logsrvd.conf.man.in: $(srcdir)/sudo_logsrvd.conf.mdoc.in $(srcdir)/sudo_logsrvd.conf.man.in: $(srcdir)/sudo_logsrvd.conf.mdoc.in
@if [ -n "$(DEVEL)" ]; then \ @if [ -n "$(DEVEL)" ]; then \
echo "Generating $@"; \ echo "Generating $@"; \
@ -325,12 +341,13 @@ install-doc: install-dirs
$(INSTALL) $(INSTALL_OWNER) -m 0644 $(mansrcdir)/sudoreplay.$(mantype) $(DESTDIR)$(mandirsu)/sudoreplay.$(mansectsu) $(INSTALL) $(INSTALL_OWNER) -m 0644 $(mansrcdir)/sudoreplay.$(mantype) $(DESTDIR)$(mandirsu)/sudoreplay.$(mansectsu)
$(INSTALL) $(INSTALL_OWNER) -m 0644 $(mansrcdir)/visudo.$(mantype) $(DESTDIR)$(mandirsu)/visudo.$(mansectsu) $(INSTALL) $(INSTALL_OWNER) -m 0644 $(mansrcdir)/visudo.$(mantype) $(DESTDIR)$(mandirsu)/visudo.$(mansectsu)
$(INSTALL) $(INSTALL_OWNER) -m 0644 $(mansrcdir)/sudo.conf.$(mantype) $(DESTDIR)$(mandirform)/sudo.conf.$(mansectform) $(INSTALL) $(INSTALL_OWNER) -m 0644 $(mansrcdir)/sudo.conf.$(mantype) $(DESTDIR)$(mandirform)/sudo.conf.$(mansectform)
$(INSTALL) $(INSTALL_OWNER) -m 0644 $(mansrcdir)/sudo_logsrv.proto.$(mantype) $(DESTDIR)$(mandirform)/sudo_logsrv.proto.$(mansectform)
$(INSTALL) $(INSTALL_OWNER) -m 0644 $(mansrcdir)/sudo_logsrvd.conf.$(mantype) $(DESTDIR)$(mandirform)/sudo_logsrvd.conf.$(mansectform) $(INSTALL) $(INSTALL_OWNER) -m 0644 $(mansrcdir)/sudo_logsrvd.conf.$(mantype) $(DESTDIR)$(mandirform)/sudo_logsrvd.conf.$(mansectform)
$(INSTALL) $(INSTALL_OWNER) -m 0644 $(mansrcdir)/sudoers.$(mantype) $(DESTDIR)$(mandirform)/sudoers.$(mansectform) $(INSTALL) $(INSTALL_OWNER) -m 0644 $(mansrcdir)/sudoers.$(mantype) $(DESTDIR)$(mandirform)/sudoers.$(mansectform)
$(INSTALL) $(INSTALL_OWNER) -m 0644 $(mansrcdir)/sudoers_timestamp.$(mantype) $(DESTDIR)$(mandirform)/sudoers_timestamp.$(mansectform) $(INSTALL) $(INSTALL_OWNER) -m 0644 $(mansrcdir)/sudoers_timestamp.$(mantype) $(DESTDIR)$(mandirform)/sudoers_timestamp.$(mansectform)
@LDAP@$(INSTALL) $(INSTALL_OWNER) -m 0644 $(mansrcdir)/sudoers.ldap.$(mantype) $(DESTDIR)$(mandirform)/sudoers.ldap.$(mansectform) @LDAP@$(INSTALL) $(INSTALL_OWNER) -m 0644 $(mansrcdir)/sudoers.ldap.$(mantype) $(DESTDIR)$(mandirform)/sudoers.ldap.$(mansectform)
@if test -n "$(MANCOMPRESS)"; then \ @if test -n "$(MANCOMPRESS)"; then \
for f in $(mandirexe)/cvtsudoers.1 $(mandirsu)/sudo.$(mansectsu) $(mandirsu)/sudo_logsrvd.$(mansectsu) $(mandirsu)/sudo_plugin.$(mansectsu) $(mandirsu)/sudo_sendlog.$(mansectsu) $(mandirsu)/sudoreplay.$(mansectsu) $(mandirsu)/visudo.$(mansectsu) $(mandirform)/sudo.conf.$(mansectform) $(mandirform)/sudo_logsrvd.conf.$(mansectform) $(mandirform)/sudoers.$(mansectform) $(mandirform)/sudoers_timestamp.$(mansectform) $(mandirform)/sudoers.ldap.$(mansectform); do \ for f in $(mandirexe)/cvtsudoers.1 $(mandirsu)/sudo.$(mansectsu) $(mandirsu)/sudo_logsrvd.$(mansectsu) $(mandirsu)/sudo_plugin.$(mansectsu) $(mandirsu)/sudo_sendlog.$(mansectsu) $(mandirsu)/sudoreplay.$(mansectsu) $(mandirsu)/visudo.$(mansectsu) $(mandirform)/sudo.conf.$(mansectform) $(mandirform)/sudo_logsrv.proto.$(mansectform) $(mandirform)/sudo_logsrvd.conf.$(mansectform) $(mandirform)/sudoers.$(mansectform) $(mandirform)/sudoers_timestamp.$(mansectform) $(mandirform)/sudoers.ldap.$(mansectform); do \
if test -f $(DESTDIR)$$f; then \ if test -f $(DESTDIR)$$f; then \
echo $(MANCOMPRESS) -f $(DESTDIR)$$f; \ echo $(MANCOMPRESS) -f $(DESTDIR)$$f; \
$(MANCOMPRESS) -f $(DESTDIR)$$f; \ $(MANCOMPRESS) -f $(DESTDIR)$$f; \
@ -358,6 +375,7 @@ uninstall:
$(DESTDIR)$(mandirsu)/sudoreplay.$(mansectsu) \ $(DESTDIR)$(mandirsu)/sudoreplay.$(mansectsu) \
$(DESTDIR)$(mandirsu)/visudo.$(mansectsu) \ $(DESTDIR)$(mandirsu)/visudo.$(mansectsu) \
$(DESTDIR)$(mandirform)/sudo.conf.$(mansectform) \ $(DESTDIR)$(mandirform)/sudo.conf.$(mansectform) \
$(DESTDIR)$(mandirform)/sudo_logsrv.proto.$(mansectform) \
$(DESTDIR)$(mandirform)/sudo_logsrvd.conf.$(mansectform) \ $(DESTDIR)$(mandirform)/sudo_logsrvd.conf.$(mansectform) \
$(DESTDIR)$(mandirform)/sudoers.$(mansectform) \ $(DESTDIR)$(mandirform)/sudoers.$(mansectform) \
$(DESTDIR)$(mandirform)/sudoers_timestamp.$(mansectform) $(DESTDIR)$(mandirform)/sudoers_timestamp.$(mansectform)

856
doc/sudo_logsrv.proto.man.in Normal file
View File

@ -0,0 +1,856 @@
.\" Automatically generated from an mdoc input file. Do not edit.
.\"
.\" SPDX-License-Identifier: ISC
.\"
.\" Copyright (c) 2019 Todd C. Miller <Todd.Miller@sudo.ws>
.\"
.\" Permission to use, copy, modify, and distribute this software for any
.\" purpose with or without fee is hereby granted, provided that the above
.\" copyright notice and this permission notice appear in all copies.
.\"
.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
.\"
.TH "SUDO_LOGSRV.PROTO" "@mansectform@" "October 6, 2019" "Sudo @PACKAGE_VERSION@" "File Formats Manual"
.nh
.if n .ad l
.SH "NAME"
\fBsudo_logsrv.proto\fR
\- Sudo log server protocol
.SH "DESCRIPTION"
Starting with version 1.9.0,
\fBsudo\fR
supports sending event and I/O logs to a log server.
The protocol used is written in Google's Protocol Buffers domain
specific language.
The
\fIEXAMPLES\fR
section includes a complete description of the protocol in Protocol
Buffers format.
.PP
Because there is no way to determine message boundaries when using
Protocol Buffers, the wire size of each message is sent immediately
preceding the message itself as a 32-bit unsigned integer in network
byte order.
This is referred to as
\(lqlength-prefix framing\(rq
and is how Google suggests handling the lack of message delimiters.
.PP
The protocol is made up of two basic messages,
\fIClientMessage\fR
and
\fIServerMessage\fR,
described below.
The server must accept messages up to two megabytes in size.
The server may return an error if the client tries to send a message
larger than two megabytes.
.SH "Client Messages"
A
\fIClientMessage\fR
is a container used to encapsulate all the possible message types
a client may send to the server.
.nf
.sp
.RS 0n
message ClientMessage {
oneof type {
AcceptMessage accept_msg = 1;
RejectMessage reject_msg = 2;
ExitMessage exit_msg = 3;
RestartMessage restart_msg = 4;
AlertMessage alert_msg = 5;
IoBuffer ttyin_buf = 6;
IoBuffer ttyout_buf = 7;
IoBuffer stdin_buf = 8;
IoBuffer stdout_buf = 9;
IoBuffer stderr_buf = 10;
ChangeWindowSize winsize_event = 11;
CommandSuspend suspend_event = 12;
}
}
.RE
.fi
.PP
The different
\fIClientMessage\fR
sub-messages the client may sent to the server are described below.
.SS "TimeSpec"
.nf
.RS 0n
message TimeSpec {
int64 tv_sec = 1;
int32 tv_nsec = 2;
}
.RE
.fi
.PP
A
\fITimeSpec\fR
is the equivalent of a POSIX
\fRstruct timespec\fR,
containing seconds and nanoseconds members.
The
\fItv_sec\fR
member is a 64-bit integer to support dates after the year 2038.
.SS "InfoMessage"
.nf
.RS 0n
message InfoMessage {
message StringList {
repeated string strings = 1;
}
message NumberList {
repeated int64 numbers = 1;
}
string key = 1;
oneof value {
int64 numval = 2;
string strval = 3;
StringList strlistval = 4;
NumberList numlistval = 5;
}
}
.RE
.fi
.PP
An
\fIInfoMessage\fR
is used to represent information about the invoking user as well as the
execution environment the command runs in the form of key-value pairs.
The key is always a string but the value may be a 64-bit integer,
a string, an array of strings or an array of 64-bit integers.
The event log data is composed of
\fIInfoMessage\fR
entries.
See the
\fIEVENT LOG VARIABLES\fR
section for more information.
.SS "AcceptMessage accept_msg"
.nf
.RS 0n
message AcceptMessage {
TimeSpec submit_time = 1;
repeated InfoMessage info_msgs = 2;
bool expect_iobufs = 3;
}
.RE
.fi
.PP
An
\fIAcceptMessage\fR
is sent by the client when a command is allowed by the security policy.
It contains the following members:
.TP 8n
submit_time
The wall clock time when the command was submitted to the security policy.
.TP 8n
info_msgs
An array of
\fIInfoMessage\fR
describing the user who submitted the command as well as the execution
environment of the command.
This information is used to generate an event log entry and may also be
used by server to determine where and how the I/O log is stored.
as choose the
.TP 8n
expect_iobufs
Set to true if the server should expect
\fIIoBuffer\fR
messages to follow (for I/O logging) or false if the server should only
store the event log.
.PP
If an
\fIAcceptMessage\fR
is sent, the client must not send a
\fIRejectMessage\fR
or
\fIRestartMessage\fR.
.SS "RejectMessage reject_msg"
.nf
.RS 0n
message RejectMessage {
TimeSpec submit_time = 1;
string reason = 2;
repeated InfoMessage info_msgs = 3;
}
.RE
.fi
.PP
A
\fIRejectMessage\fR
is sent by the client when a command is denied by the security policy.
It contains the following members:
.TP 8n
submit_time
The wall clock time when the command was submitted to the security policy.
.TP 8n
reason
The reason the security policy gave for denying the command.
.TP 8n
info_msgs
An array of
\fIInfoMessage\fR
describing the user who submitted the command as well as the execution
environment of the command.
This information is used to generate an event log entry.
.PP
If a
\fIRejectMessage\fR
is sent, the client must not send an
\fIAcceptMessage\fR
or
\fIRestartMessage\fR.
.SS "ExitMessage exit_msg"
.nf
.RS 0n
message ExitMessage {
TimeSpec run_time = 1;
int32 exit_value = 2;
bool dumped_core = 3;
string signal = 4;
string error = 5;
}
.PP
.RE
.fi
An
\fIExitMessage\fR
is sent by the client after the command has exited or has been
terminated by a signal.
It contains the following members:
.TP 8n
run_time
The total amount of elapsed time since the command started,
calculated using a monotonic clock where possible.
This is not the wall clock time.
.TP 8n
exit_value
The command's exit value in the range 0-255.
.TP 8n
dumped_core
True if the command was terminated by a signal and dumped core.
.TP 8n
signal
If the command was terminated by a signal, this is set to the
name of the signal without the leading
\(lqSIG\(rq.
For example,
\fRINT\fR,
\fRTERM\fR,
\fRKILL\fR,
\fRSEGV\fR.
.TP 8n
error
A message from the client indicating that the command was terminated
unexpectedly due to an error.
.PP
When performing I/O logging, the client should wait for a
\fIcommit_point\fR
corresponding to the final
\fIIoBuffer\fR
before closing the connection unless the final
\fIcommit_point\fR
has already been received.
.SS "RestartMessage restart_msg"
.nf
.RS 0n
message RestartMessage {
string log_id = 1;
TimeSpec resume_point = 2;
}
.RE
.fi
.PP
A
\fIRestartMessage\fR
is sent by the client to resume sending an existing I/O log that
was previously interrupted.
It contains the following members:
.TP 8n
log_id
The the server-side name for an I/O log that was previously
sent to the client by the server.
This may be a path name on the server or some other kind of server-side
identifier.
.TP 8n
resume_point
The point in time after which to resume the I/O log.
This is in the form of a
\fITimeSpec\fR
representing the amount of time since the command started, not
the wall clock time.
The
\fIresume_point\fR
should correspond to a
\fIcommit_point\fR
previously sent to the client by the server.
If the server receives a
\fIRestartMessage\fR
containing a
\fIresume_point\fR
it has not previously seen, an error will be returned to the client
and the connection will be dropped.
.PP
If a
\fIRestartMessage\fR
is sent, the client must not send an
\fIAcceptMessage\fR
or
\fIRejectMessage\fR.
.SS "AlertMessage alert_msg"
.nf
.RS 0n
message AlertMessage {
TimeSpec alert_time = 1;
string reason = 2;
}
.RE
.fi
.PP
An
\fIAlertMessage\fR
is sent by the client to indicate a problem detected by the security
policy while the command is running that should be stored in the event log.
It contains the following members:
.TP 8n
alert_time
The wall clock time when the alert occurred.
.TP 8n
reason
The reason for the alert.
.SS "IoBuffer ttyin_buf | ttyout_buf | stdin_buf | stdout_buf | stderr_buf"
.nf
.RS 0n
message IoBuffer {
TimeSpec delay = 1;
bytes data = 2;
}
.RE
.fi
.PP
An
\fIIoBuffer\fR
is used to represent data from terminal input, terminal
output, standard input, standard output or standard error.
It contains the following members:
.TP 8n
delay
The elapsed time since the last record in the form of a
\fITimeSpec\fR.
The
\fIdelay\fR
should be calculated using a monotonic clock where possible.
.TP 8n
data
The binary I/O log data from terminal input, terminal output,
standard input, standard output or standard error.
.SS "ChangeWindowSize winsize_event"
.nf
.RS 0n
message ChangeWindowSize {
TimeSpec delay = 1;
int32 rows = 2;
int32 cols = 3;
}
.RE
.fi
.PP
A
\fIChangeWindowSize\fR
message is sent by the client when the terminal running the command
changes size.
It contains the following members:
.TP 8n
delay
The elapsed time since the last record in the form of a
\fITimeSpec\fR.
The
\fIdelay\fR
should be calculated using a monotonic clock where possible.
.TP 8n
rows
The new number of terminal rows.
.TP 8n
cols
The new number of terminal columns.
.SS "CommandSuspend suspend_event"
.nf
.RS 0n
message CommandSuspend {
TimeSpec delay = 1;
string signal = 2;
}
.RE
.fi
.PP
A
\fICommandSuspend\fR
message is sent by the client when the command is either suspended
or resumed.
It contains the following members:
.TP 8n
delay
The elapsed time since the last record in the form of a
\fITimeSpec\fR.
The
\fIdelay\fR
should be calculated using a monotonic clock where possible.
.TP 8n
signal
The signal name without the leading
\(lqSIG\(rq.
For example,
\fRSTOP\fR,
\fRTSTP\fR,
\fRCONT\fR.
.SH "Server Messages"
A
\fIServerMessage\fR
is a container used to encapsulate all the possible message types
the server may send to a client.
.nf
.sp
.RS 0n
message ServerMessage {
oneof type {
ServerHello hello = 1;
TimeSpec commit_point = 2;
string log_id = 3;
string error = 4;
string abort = 5;
}
}
.RE
.fi
.PP
The different
\fIServerMessage\fR
sub-messages the server may sent to the client are described below.
.SS "ServerHello hello"
.nf
.RS 0n
message ServerHello {
string server_id = 1;
string redirect = 2;
repeated string servers = 3;
}
.RE
.fi
.PP
The
\fIServerHello\fR
message consists of server information sent when the client first connects.
It contains the following members:
.TP 8n
server_id
A free-form server description.
Usually this includes the name and version of the implementation
running on the log server.
This member is always present.
.TP 8n
redirect
A host and port separated by a colon
(\(oq\(cq):
that the client should connect to instead.
The host may be a host name, an IPv4 address, or an IPv6 address
in square brackets.
This may be used for server load balancing.
The server will disconnect after sending the
\fIServerHello\fR
when it includes a
\fBredirect\fR.
.TP 8n
servers
.br
A list of other known log servers.
This can be used to implement log server redundancy and allows the
client to discover all other log servers simply by connecting to
one known server.
This member may be omitted when there is only a single log server.
.SS "TimeSpec commit_point"
A periodic time stamp sent by the server to indicate when I/O log
buffers have been committed to storage.
This message is not sent after every
\fIIoBuffer\fR
but rather at a server-configurable interval.
When the server receives an
\fIExitMessage\fR,
it will respond with a
\fIcommit_point\fR
corresponding to the last received
\fIIoBuffer\fR
before closing the connection.
.SS "string log_id"
The server-side ID of the I/O log being stored, sent in response
to an
\fIAcceptMessage\fR
where
\fIexpect_iobufs\fR
is true.
.SS "string error"
A fatal server-side error.
The server will close the connection after sending the
\fIerror\fR
message.
.SS "string abort"
An
\fIabort\fR
message from the server indicates that the client should kill the
command and terminate the session.
It may be used to implement simple server-side policy.
The server will close the connection after sending the
\fIabort\fR
message.
.SH "Protocol flow of control"
The expected protocol flow is as follows:
.TP 5n
1.\&
Client connect to server.
.TP 5n
2.\&
Server sends
\fIServerHello\fR.
.TP 5n
3.\&
Client responds with either
\fIAcceptMessage\fR,
\fIRejectMessage\fR,
or
\fIRestartMessage\fR.
.TP 5n
4.\&
If client sent a
\fIAcceptMessage\fR
with
\fIexpect_iobufs\fR
set, server creates a new I/O log and responds with a
\fIlog_id\fR.
.TP 5n
5.\&
Client sends zero or more
\fIIoBuffer\fR
messages.
.TP 5n
6.\&
Server periodically responds to
\fIIoBuffer\fR
messages with a
\fIcommit_point\fR.
.TP 5n
7.\&
Client sends an
\fIExitMessage\fR
when the command exits or is killed.
.TP 5n
8.\&
Server sends the final
\fIcommit_point\fR
if one is pending.
.TP 5n
9.\&
Server closes the connection.
.PP
At any point, the server may send an
\fIerror\fR
or
\fIabort\fR
message to the client at which point the server will close the
connection.
If an
\fIabort\fR
message is received, the client should terminate the running command.
.SH "EVENT LOG VARIABLES"
\fIAcceptMessage\fR
and
\fIRejectMessage\fR
classes contain an array of
\fIInfoMessage\fR
that should contain information about the user who submitted the command
as well as information about the execution environment of the command
if it was accepted.
.PP
Some variables have a
\fIclient\fR,
\fIrun\fR,
or
\fIsubmit\fR
prefix.
These prefixes are used to eliminate ambiguity for variables that
could apply to the client program, the user submitting the command,
or the command being run.
Variables with a
\fIclient\fR
prefix pertain to the program performing the connection to the log
server, for example
\fBsudo\fR.
Variables with a
\fIrun\fR
prefix pertain to the command that the user requested be run.
Variables with a
\fIsubmit\fR
prefix pertain to the user submitting the request
(the user running \fBsudo\fR).
.PP
The following
\fIInfoMessage\fR
entries are required:
.TS
l l l.
.PP
\fBKey\fR \fBType\fR \fBDescription\fR
.PP
command string command that was submitted
.PP
runuser string name of user the command was run as
.PP
submithost string name of host the command was submitted on
.PP
submituser string name of user submitting the command
.TE
.PP
The following
\fIInfoMessage\fR
entries are recognized, but not required:
.TS
l l l.
.PP
\fBKey\fR \fBType\fR \fBDescription\fR
.PP
clientargv StringList client's original argument vector
.PP
clientpid int64 client's process ID
.PP
clientppid int64 client's parent process ID
.PP
clientsid int64 client's terminal session ID
.PP
columns int64 number of columns in the terminal
.PP
lines int64 number of lines in the terminal
.PP
runargv StringList argument vector of command to run
.PP
runchroot string root directory of command to run
.PP
runcwd string running command's working directory
.PP
runenv StringList the running command's environment
.PP
rungid int64 primary group-ID of the command
.PP
rungids NumberList supplementary group-IDs for the command
.PP
rungroup string primary group name of the command
.PP
rungroups StringList supplementary group names for the command
.PP
runuid int64 run user's user-ID
.PP
submitcwd string submit user's current working directory
.PP
submitenv StringList the submit user's environment
.PP
submitgid int64 submit user's primary group-ID
.PP
submitgids NumberList submit user's supplementary group-IDs
.PP
submitgroup string submitting user's primary group name
.PP
submitgroups StringList submit user's supplementary group names
.PP
submituid int64 submit user's user-ID
.PP
ttyname string the terminal the command was submitted from
.TE
.PP
The server must accept other variables not listed above but may
ignore them.
.SH "EXAMPLES"
The Protocol Buffers description of the log server protocol is included
in full below.
Note that this uses the newer
\(lqproto3\(rq
syntax.
.nf
.sp
.RS 0n
syntax = "proto3";
/*
* Client message to the server. Messages on the wire are
* prefixed with a 32-bit size in network byte order.
*/
message ClientMessage {
oneof type {
AcceptMessage accept_msg = 1;
RejectMessage reject_msg = 2;
ExitMessage exit_msg = 3;
RestartMessage restart_msg = 4;
AlertMessage alert_msg = 5;
IoBuffer ttyin_buf = 6;
IoBuffer ttyout_buf = 7;
IoBuffer stdin_buf = 8;
IoBuffer stdout_buf = 9;
IoBuffer stderr_buf = 10;
ChangeWindowSize winsize_event = 11;
CommandSuspend suspend_event = 12;
}
}
/* Equivalent of POSIX struct timespec */
message TimeSpec {
int64 tv_sec = 1; /* seconds */
int32 tv_nsec = 2; /* nanoseconds */
}
/* I/O buffer with keystroke data */
message IoBuffer {
TimeSpec delay = 1; /* elapsed time since last record */
bytes data = 2; /* keystroke data */
}
/*
* Key/value pairs, like Privilege Manager struct info.
* The value may be a number, a string, or a list of strings.
*/
message InfoMessage {
message StringList {
repeated string strings = 1;
}
message NumberList {
repeated int64 numbers = 1;
}
string key = 1;
oneof value {
int64 numval = 2;
string strval = 3;
StringList strlistval = 4;
NumberList numlistval = 5;
}
}
/*
* Event log data for command accepted by the policy.
*/
message AcceptMessage {
TimeSpec submit_time = 1; /* when command was submitted */
repeated InfoMessage info_msgs = 2; /* key,value event log data */
bool expect_iobufs = 3; /* true if I/O logging enabled */
}
/*
* Event log data for command rejected by the policy.
*/
message RejectMessage {
TimeSpec submit_time = 1; /* when command was submitted */
string reason = 2; /* reason command was rejected */
repeated InfoMessage info_msgs = 3; /* key,value event log data */
}
/* Message sent by client when command exits. */
/* Might revisit runtime and use end_time instead */
message ExitMessage {
TimeSpec run_time = 1; /* total elapsed run time */
int32 exit_value = 2; /* 0-255 */
bool dumped_core = 3; /* true if command dumped core */
string signal = 4; /* signal name if killed by signal */
string error = 5; /* if killed due to other error */
}
/* Alert message, policy module-specific. */
message AlertMessage {
TimeSpec alert_time = 1; /* time alert message occurred */
string reason = 2; /* description of policy violation */
}
/* Used to restart an existing I/O log on the server. */
message RestartMessage {
string log_id = 1; /* ID of log being restarted */
TimeSpec resume_point = 2; /* resume point (elapsed time) */
}
/* Window size change event. */
message ChangeWindowSize {
TimeSpec delay = 1; /* elapsed time since last record */
int32 rows = 2; /* new number of rows */
int32 cols = 3; /* new number of columns */
}
/* Command suspend/resume event. */
message CommandSuspend {
TimeSpec delay = 1; /* elapsed time since last record */
string signal = 2; /* signal that caused suspend/resume */
}
/*
* Server messages to the client. Messages on the wire are
* prefixed with a 32-bit size in network byte order.
*/
message ServerMessage {
oneof type {
ServerHello hello = 1; /* server hello message */
TimeSpec commit_point = 2; /* cumulative time of records stored */
string log_id = 3; /* ID of server-side I/O log */
string error = 4; /* error message from server */
string abort = 5; /* abort message, kill command */
}
}
/* Hello message from server when client connects. */
message ServerHello {
string server_id = 1; /* free-form server description */
string redirect = 2; /* optional redirect if busy */
repeated string servers = 3; /* optional list of known servers */
}
.RE
.fi
.SH "SEE ALSO"
sudo_logsrvd.conf(@mansectform@),
sudoers(@mansectform@),
sudo(8),
sudo_logsrvd(8)
.PP
\fIProtocol Buffers\fR,
https://developers.google.com/protocol-buffers/.
.SH "HISTORY"
See the HISTORY file in the
\fBsudo\fR
distribution (https://www.sudo.ws/history.html) for a brief
history of sudo.
.SH "AUTHORS"
Many people have worked on
\fBsudo\fR
over the years; this version consists of code written primarily by:
.sp
.RS 6n
Todd C. Miller
.RE
.PP
See the CONTRIBUTORS file in the
\fBsudo\fR
distribution (https://www.sudo.ws/contributors.html) for an
exhaustive list of people who have contributed to
\fBsudo\fR.
.SH "BUGS"
If you feel you have found a bug in
\fBsudo\fR,
please submit a bug report at https://bugzilla.sudo.ws/
.SH "SUPPORT"
Limited free support is available via the sudo-users mailing list,
see https://www.sudo.ws/mailman/listinfo/sudo-users to subscribe or
search the archives.
.SH "DISCLAIMER"
\fBsudo\fR
is provided
\(lqAS IS\(rq
and any express or implied warranties, including, but not limited
to, the implied warranties of merchantability and fitness for a
particular purpose are disclaimed.
See the LICENSE file distributed with
\fBsudo\fR
or https://www.sudo.ws/license.html for complete details.

778
doc/sudo_logsrv.proto.mdoc.in Normal file
View File

@ -0,0 +1,778 @@
.\"
.\" SPDX-License-Identifier: ISC
.\"
.\" Copyright (c) 2019 Todd C. Miller <Todd.Miller@sudo.ws>
.\"
.\" Permission to use, copy, modify, and distribute this software for any
.\" purpose with or without fee is hereby granted, provided that the above
.\" copyright notice and this permission notice appear in all copies.
.\"
.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
.\"
.Dd October 6, 2019
.Dt SUDO_LOGSRV.PROTO @mansectform@
.Os Sudo @PACKAGE_VERSION@
.Sh NAME
.Nm sudo_logsrv.proto
.Nd Sudo log server protocol
.Sh DESCRIPTION
Starting with version 1.9.0,
.Nm sudo
supports sending event and I/O logs to a log server.
The protocol used is written in Google's Protocol Buffers domain
specific language.
The
.Sx EXAMPLES
section includes a complete description of the protocol in Protocol
Buffers format.
.Pp
Because there is no way to determine message boundaries when using
Protocol Buffers, the wire size of each message is sent immediately
preceding the message itself as a 32-bit unsigned integer in network
byte order.
This is referred to as
.Dq length-prefix framing
and is how Google suggests handling the lack of message delimiters.
.Pp
The protocol is made up of two basic messages,
.Em ClientMessage
and
.Em ServerMessage ,
described below.
The server must accept messages up to two megabytes in size.
The server may return an error if the client tries to send a message
larger than two megabytes.
.Sh Client Messages
A
.Em ClientMessage
is a container used to encapsulate all the possible message types
a client may send to the server.
.Bd -literal
message ClientMessage {
oneof type {
AcceptMessage accept_msg = 1;
RejectMessage reject_msg = 2;
ExitMessage exit_msg = 3;
RestartMessage restart_msg = 4;
AlertMessage alert_msg = 5;
IoBuffer ttyin_buf = 6;
IoBuffer ttyout_buf = 7;
IoBuffer stdin_buf = 8;
IoBuffer stdout_buf = 9;
IoBuffer stderr_buf = 10;
ChangeWindowSize winsize_event = 11;
CommandSuspend suspend_event = 12;
}
}
.Ed
.Pp
The different
.Em ClientMessage
sub-messages the client may sent to the server are described below.
.Ss TimeSpec
.Bd -literal
message TimeSpec {
int64 tv_sec = 1;
int32 tv_nsec = 2;
}
.Ed
.Pp
A
.Em TimeSpec
is the equivalent of a POSIX
.Li struct timespec ,
containing seconds and nanoseconds members.
The
.Em tv_sec
member is a 64-bit integer to support dates after the year 2038.
.Ss InfoMessage
.Bd -literal
message InfoMessage {
message StringList {
repeated string strings = 1;
}
message NumberList {
repeated int64 numbers = 1;
}
string key = 1;
oneof value {
int64 numval = 2;
string strval = 3;
StringList strlistval = 4;
NumberList numlistval = 5;
}
}
.Ed
.Pp
An
.Em InfoMessage
is used to represent information about the invoking user as well as the
execution environment the command runs in the form of key-value pairs.
The key is always a string but the value may be a 64-bit integer,
a string, an array of strings or an array of 64-bit integers.
The event log data is composed of
.Em InfoMessage
entries.
See the
.Sx EVENT LOG VARIABLES
section for more information.
.Ss AcceptMessage accept_msg
.Bd -literal
message AcceptMessage {
TimeSpec submit_time = 1;
repeated InfoMessage info_msgs = 2;
bool expect_iobufs = 3;
}
.Ed
.Pp
An
.Em AcceptMessage
is sent by the client when a command is allowed by the security policy.
It contains the following members:
.Bl -tag -width Ds
.It submit_time
The wall clock time when the command was submitted to the security policy.
.It info_msgs
An array of
.Em InfoMessage
describing the user who submitted the command as well as the execution
environment of the command.
This information is used to generate an event log entry and may also be
used by server to determine where and how the I/O log is stored.
as choose the
.It expect_iobufs
Set to true if the server should expect
.Em IoBuffer
messages to follow (for I/O logging) or false if the server should only
store the event log.
.El
.Pp
If an
.Em AcceptMessage
is sent, the client must not send a
.Em RejectMessage
or
.Em RestartMessage .
.Ss RejectMessage reject_msg
.Bd -literal
message RejectMessage {
TimeSpec submit_time = 1;
string reason = 2;
repeated InfoMessage info_msgs = 3;
}
.Ed
.Pp
A
.Em RejectMessage
is sent by the client when a command is denied by the security policy.
It contains the following members:
.Bl -tag -width Ds
.It submit_time
The wall clock time when the command was submitted to the security policy.
.It reason
The reason the security policy gave for denying the command.
.It info_msgs
An array of
.Em InfoMessage
describing the user who submitted the command as well as the execution
environment of the command.
This information is used to generate an event log entry.
.El
.Pp
If a
.Em RejectMessage
is sent, the client must not send an
.Em AcceptMessage
or
.Em RestartMessage .
.Ss ExitMessage exit_msg
.Bd -literal
message ExitMessage {
TimeSpec run_time = 1;
int32 exit_value = 2;
bool dumped_core = 3;
string signal = 4;
string error = 5;
}
.Pp
.Ed
An
.Em ExitMessage
is sent by the client after the command has exited or has been
terminated by a signal.
It contains the following members:
.Bl -tag -width Ds
.It run_time
The total amount of elapsed time since the command started,
calculated using a monotonic clock where possible.
This is not the wall clock time.
.It exit_value
The command's exit value in the range 0-255.
.It dumped_core
True if the command was terminated by a signal and dumped core.
.It signal
If the command was terminated by a signal, this is set to the
name of the signal without the leading
.Dq SIG .
For example,
.Li INT ,
.Li TERM ,
.Li KILL ,
.Li SEGV .
.It error
A message from the client indicating that the command was terminated
unexpectedly due to an error.
.El
.Pp
When performing I/O logging, the client should wait for a
.Em commit_point
corresponding to the final
.Em IoBuffer
before closing the connection unless the final
.Em commit_point
has already been received.
.Ss RestartMessage restart_msg
.Bd -literal
message RestartMessage {
string log_id = 1;
TimeSpec resume_point = 2;
}
.Ed
.Pp
A
.Em RestartMessage
is sent by the client to resume sending an existing I/O log that
was previously interrupted.
It contains the following members:
.Bl -tag -width Ds
.It log_id
The the server-side name for an I/O log that was previously
sent to the client by the server.
This may be a path name on the server or some other kind of server-side
identifier.
.It resume_point
The point in time after which to resume the I/O log.
This is in the form of a
.Em TimeSpec
representing the amount of time since the command started, not
the wall clock time.
The
.Em resume_point
should correspond to a
.Em commit_point
previously sent to the client by the server.
If the server receives a
.Em RestartMessage
containing a
.Em resume_point
it has not previously seen, an error will be returned to the client
and the connection will be dropped.
.El
.Pp
If a
.Em RestartMessage
is sent, the client must not send an
.Em AcceptMessage
or
.Em RejectMessage .
.Ss AlertMessage alert_msg
.Bd -literal
message AlertMessage {
TimeSpec alert_time = 1;
string reason = 2;
}
.Ed
.Pp
An
.Em AlertMessage
is sent by the client to indicate a problem detected by the security
policy while the command is running that should be stored in the event log.
It contains the following members:
.Bl -tag -width Ds
.It alert_time
The wall clock time when the alert occurred.
.It reason
The reason for the alert.
.El
.Ss IoBuffer ttyin_buf | ttyout_buf | stdin_buf | stdout_buf | stderr_buf
.Bd -literal
message IoBuffer {
TimeSpec delay = 1;
bytes data = 2;
}
.Ed
.Pp
An
.Em IoBuffer
is used to represent data from terminal input, terminal
output, standard input, standard output or standard error.
It contains the following members:
.Bl -tag -width Ds
.It delay
The elapsed time since the last record in the form of a
.Em TimeSpec .
The
.Em delay
should be calculated using a monotonic clock where possible.
.It data
The binary I/O log data from terminal input, terminal output,
standard input, standard output or standard error.
.El
.Ss ChangeWindowSize winsize_event
.Bd -literal
message ChangeWindowSize {
TimeSpec delay = 1;
int32 rows = 2;
int32 cols = 3;
}
.Ed
.Pp
A
.Em ChangeWindowSize
message is sent by the client when the terminal running the command
changes size.
It contains the following members:
.Bl -tag -width Ds
.It delay
The elapsed time since the last record in the form of a
.Em TimeSpec .
The
.Em delay
should be calculated using a monotonic clock where possible.
.It rows
The new number of terminal rows.
.It cols
The new number of terminal columns.
.El
.Ss CommandSuspend suspend_event
.Bd -literal
message CommandSuspend {
TimeSpec delay = 1;
string signal = 2;
}
.Ed
.Pp
A
.Em CommandSuspend
message is sent by the client when the command is either suspended
or resumed.
It contains the following members:
.Bl -tag -width Ds
.It delay
The elapsed time since the last record in the form of a
.Em TimeSpec .
The
.Em delay
should be calculated using a monotonic clock where possible.
.It signal
The signal name without the leading
.Dq SIG .
For example,
.Li STOP ,
.Li TSTP ,
.Li CONT .
.El
.Sh Server Messages
A
.Em ServerMessage
is a container used to encapsulate all the possible message types
the server may send to a client.
.Bd -literal
message ServerMessage {
oneof type {
ServerHello hello = 1;
TimeSpec commit_point = 2;
string log_id = 3;
string error = 4;
string abort = 5;
}
}
.Ed
.Pp
The different
.Em ServerMessage
sub-messages the server may sent to the client are described below.
.Ss ServerHello hello
.Bd -literal
message ServerHello {
string server_id = 1;
string redirect = 2;
repeated string servers = 3;
}
.Ed
.Pp
The
.Em ServerHello
message consists of server information sent when the client first connects.
It contains the following members:
.Bl -tag -width Ds
.It server_id
A free-form server description.
Usually this includes the name and version of the implementation
running on the log server.
This member is always present.
.It redirect
A host and port separated by a colon
.Pq Ql :
that the client should connect to instead.
The host may be a host name, an IPv4 address, or an IPv6 address
in square brackets.
This may be used for server load balancing.
The server will disconnect after sending the
.Em ServerHello
when it includes a
.Sy redirect .
.It servers
A list of other known log servers.
This can be used to implement log server redundancy and allows the
client to discover all other log servers simply by connecting to
one known server.
This member may be omitted when there is only a single log server.
.El
.Ss TimeSpec commit_point
A periodic time stamp sent by the server to indicate when I/O log
buffers have been committed to storage.
This message is not sent after every
.Em IoBuffer
but rather at a server-configurable interval.
When the server receives an
.Em ExitMessage ,
it will respond with a
.Em commit_point
corresponding to the last received
.Em IoBuffer
before closing the connection.
.Ss string log_id
The server-side ID of the I/O log being stored, sent in response
to an
.Em AcceptMessage
where
.Em expect_iobufs
is true.
.Ss string error
A fatal server-side error.
The server will close the connection after sending the
.Em error
message.
.Ss string abort
An
.Em abort
message from the server indicates that the client should kill the
command and terminate the session.
It may be used to implement simple server-side policy.
The server will close the connection after sending the
.Em abort
message.
.Sh Protocol flow of control
The expected protocol flow is as follows:
.Bl -enum
.It
Client connect to server.
.It
Server sends
.Em ServerHello .
.It
Client responds with either
.Em AcceptMessage ,
.Em RejectMessage ,
or
.Em RestartMessage .
.It
If client sent a
.Em AcceptMessage
with
.Em expect_iobufs
set, server creates a new I/O log and responds with a
.Em log_id .
.It
Client sends zero or more
.Em IoBuffer
messages.
.It
Server periodically responds to
.Em IoBuffer
messages with a
.Em commit_point .
.It
Client sends an
.Em ExitMessage
when the command exits or is killed.
.It
Server sends the final
.Em commit_point
if one is pending.
.It
Server closes the connection.
.El
.Pp
At any point, the server may send an
.Em error
or
.Em abort
message to the client at which point the server will close the
connection.
If an
.Em abort
message is received, the client should terminate the running command.
.Sh EVENT LOG VARIABLES
.Em AcceptMessage
and
.Em RejectMessage
classes contain an array of
.Em InfoMessage
that should contain information about the user who submitted the command
as well as information about the execution environment of the command
if it was accepted.
.Pp
Some variables have a
.Em client ,
.Em run ,
or
.Em submit
prefix.
These prefixes are used to eliminate ambiguity for variables that
could apply to the client program, the user submitting the command,
or the command being run.
Variables with a
.Em client
prefix pertain to the program performing the connection to the log
server, for example
.Nm sudo .
Variables with a
.Em run
prefix pertain to the command that the user requested be run.
Variables with a
.Em submit
prefix pertain to the user submitting the request
.Pq the user running Nm sudo .
.Pp
The following
.Em InfoMessage
entries are required:
.Bl -column "submitgroup" "stringlist" "name of host the command was submitted on"
.It Sy Key Ta Sy Type Ta Sy Description
.It command Ta string Ta command that was submitted
.It runuser Ta string Ta name of user the command was run as
.It submithost Ta string Ta name of host the command was submitted on
.It submituser Ta string Ta name of user submitting the command
.El
.Pp
The following
.Em InfoMessage
entries are recognized, but not required:
.Bl -column "submitgroup" "stringlist" "name of host the command was submitted on"
.It Sy Key Ta Sy Type Ta Sy Description
.It clientargv Ta StringList Ta client's original argument vector
.It clientpid Ta int64 Ta client's process ID
.It clientppid Ta int64 Ta client's parent process ID
.It clientsid Ta int64 Ta client's terminal session ID
.It columns Ta int64 Ta number of columns in the terminal
.It lines Ta int64 Ta number of lines in the terminal
.It runargv Ta StringList Ta argument vector of command to run
.It runchroot Ta string Ta root directory of command to run
.It runcwd Ta string Ta running command's working directory
.It runenv Ta StringList Ta the running command's environment
.It rungid Ta int64 Ta primary group-ID of the command
.It rungids Ta NumberList Ta supplementary group-IDs for the command
.It rungroup Ta string Ta primary group name of the command
.It rungroups Ta StringList Ta supplementary group names for the command
.It runuid Ta int64 Ta run user's user-ID
.It submitcwd Ta string Ta submit user's current working directory
.It submitenv Ta StringList Ta the submit user's environment
.It submitgid Ta int64 Ta submit user's primary group-ID
.It submitgids Ta NumberList Ta submit user's supplementary group-IDs
.It submitgroup Ta string Ta submitting user's primary group name
.It submitgroups Ta StringList Ta submit user's supplementary group names
.It submituid Ta int64 Ta submit user's user-ID
.It ttyname Ta string Ta the terminal the command was submitted from
.El
.Pp
The server must accept other variables not listed above but may
ignore them.
.Sh EXAMPLES
The Protocol Buffers description of the log server protocol is included
in full below.
Note that this uses the newer
.Dq proto3
syntax.
.Bd -literal
syntax = "proto3";
/*
* Client message to the server. Messages on the wire are
* prefixed with a 32-bit size in network byte order.
*/
message ClientMessage {
oneof type {
AcceptMessage accept_msg = 1;
RejectMessage reject_msg = 2;
ExitMessage exit_msg = 3;
RestartMessage restart_msg = 4;
AlertMessage alert_msg = 5;
IoBuffer ttyin_buf = 6;
IoBuffer ttyout_buf = 7;
IoBuffer stdin_buf = 8;
IoBuffer stdout_buf = 9;
IoBuffer stderr_buf = 10;
ChangeWindowSize winsize_event = 11;
CommandSuspend suspend_event = 12;
}
}
/* Equivalent of POSIX struct timespec */
message TimeSpec {
int64 tv_sec = 1; /* seconds */
int32 tv_nsec = 2; /* nanoseconds */
}
/* I/O buffer with keystroke data */
message IoBuffer {
TimeSpec delay = 1; /* elapsed time since last record */
bytes data = 2; /* keystroke data */
}
/*
* Key/value pairs, like Privilege Manager struct info.
* The value may be a number, a string, or a list of strings.
*/
message InfoMessage {
message StringList {
repeated string strings = 1;
}
message NumberList {
repeated int64 numbers = 1;
}
string key = 1;
oneof value {
int64 numval = 2;
string strval = 3;
StringList strlistval = 4;
NumberList numlistval = 5;
}
}
/*
* Event log data for command accepted by the policy.
*/
message AcceptMessage {
TimeSpec submit_time = 1; /* when command was submitted */
repeated InfoMessage info_msgs = 2; /* key,value event log data */
bool expect_iobufs = 3; /* true if I/O logging enabled */
}
/*
* Event log data for command rejected by the policy.
*/
message RejectMessage {
TimeSpec submit_time = 1; /* when command was submitted */
string reason = 2; /* reason command was rejected */
repeated InfoMessage info_msgs = 3; /* key,value event log data */
}
/* Message sent by client when command exits. */
/* Might revisit runtime and use end_time instead */
message ExitMessage {
TimeSpec run_time = 1; /* total elapsed run time */
int32 exit_value = 2; /* 0-255 */
bool dumped_core = 3; /* true if command dumped core */
string signal = 4; /* signal name if killed by signal */
string error = 5; /* if killed due to other error */
}
/* Alert message, policy module-specific. */
message AlertMessage {
TimeSpec alert_time = 1; /* time alert message occurred */
string reason = 2; /* description of policy violation */
}
/* Used to restart an existing I/O log on the server. */
message RestartMessage {
string log_id = 1; /* ID of log being restarted */
TimeSpec resume_point = 2; /* resume point (elapsed time) */
}
/* Window size change event. */
message ChangeWindowSize {
TimeSpec delay = 1; /* elapsed time since last record */
int32 rows = 2; /* new number of rows */
int32 cols = 3; /* new number of columns */
}
/* Command suspend/resume event. */
message CommandSuspend {
TimeSpec delay = 1; /* elapsed time since last record */
string signal = 2; /* signal that caused suspend/resume */
}
/*
* Server messages to the client. Messages on the wire are
* prefixed with a 32-bit size in network byte order.
*/
message ServerMessage {
oneof type {
ServerHello hello = 1; /* server hello message */
TimeSpec commit_point = 2; /* cumulative time of records stored */
string log_id = 3; /* ID of server-side I/O log */
string error = 4; /* error message from server */
string abort = 5; /* abort message, kill command */
}
}
/* Hello message from server when client connects. */
message ServerHello {
string server_id = 1; /* free-form server description */
string redirect = 2; /* optional redirect if busy */
repeated string servers = 3; /* optional list of known servers */
}
.Ed
.Sh SEE ALSO
.Xr sudo_logsrvd.conf @mansectform@ ,
.Xr sudoers @mansectform@ ,
.Xr sudo @mansectsu@ ,
.Xr sudo_logsrvd @mansectsu@
.Rs
.%T Protocol Buffers
.%U https://developers.google.com/protocol-buffers/
.Re
.Sh HISTORY
See the HISTORY file in the
.Nm sudo
distribution (https://www.sudo.ws/history.html) for a brief
history of sudo.
.Sh AUTHORS
Many people have worked on
.Nm sudo
over the years; this version consists of code written primarily by:
.Bd -ragged -offset indent
.An Todd C. Miller
.Ed
.Pp
See the CONTRIBUTORS file in the
.Nm sudo
distribution (https://www.sudo.ws/contributors.html) for an
exhaustive list of people who have contributed to
.Nm sudo .
.Sh BUGS
If you feel you have found a bug in
.Nm sudo ,
please submit a bug report at https://bugzilla.sudo.ws/
.Sh SUPPORT
Limited free support is available via the sudo-users mailing list,
see https://www.sudo.ws/mailman/listinfo/sudo-users to subscribe or
search the archives.
.Sh DISCLAIMER
.Nm sudo
is provided
.Dq AS IS
and any express or implied warranties, including, but not limited
to, the implied warranties of merchantability and fitness for a
particular purpose are disclaimed.
See the LICENSE file distributed with
.Nm sudo
or https://www.sudo.ws/license.html for complete details.

27
doc/sudo_logsrvd.conf.man.in
View File

@ -452,24 +452,24 @@ Sudo log server configuration file
# are set, I/O log files and directories are created with group-ID 0. # are set, I/O log files and directories are created with group-ID 0.
#iolog_group = wheel #iolog_group = wheel
# The user to use when setting the user and group-IDs on new I/O log files # The user to use when setting the user-ID and group-ID of new I/O
# and directories. If iolog_group is set, it will be used instead of the # log files and directories. If iolog_group is set, it will be used
# user's primary group-ID. By default, I/O log files and directories are # instead of the user's primary group-ID. By default, I/O log files
# created with user and group-ID 0. # and directories are created with user and group-ID 0.
#iolog_user = root #iolog_user = root
# The file mode to use when creating I/O log files. The file permissions # The file mode to use when creating I/O log files. The file permissions
# will always include the owner read and write bits, even if they are not # will always include the owner read and write bits, even if they are
# present in the specified mode. When creating I/O log directories, search # not present in the specified mode. When creating I/O log directories,
# (execute) bits are added to match the read and write bits specified by # search (execute) bits are added to match the read and write bits
# iolog_mode. # specified by iolog_mode.
#iolog_mode = 0600 #iolog_mode = 0600
# The maximum sequence number that will be substituted for the "%{seq}" # The maximum sequence number that will be substituted for the "%{seq}"
# escape in the I/O log file. While the value substituted for "%{seq}" # escape in the I/O log file. While the value substituted for "%{seq}"
# is in base 36, maxseq itself should be expressed in decimal. Values # is in base 36, maxseq itself should be expressed in decimal. Values
# larger than 2176782336 (which corresponds to the base 36 sequence number # larger than 2176782336 (which corresponds to the base 36 sequence
# "ZZZZZZ") will be silently truncated to 2176782336. # number "ZZZZZZ") will be silently truncated to 2176782336.
#maxseq = 2176782336 #maxseq = 2176782336
[eventlog] [eventlog]
@ -492,8 +492,8 @@ Sudo log server configuration file
# The syslog facility to use for event log messages. # The syslog facility to use for event log messages.
# The following syslog facilities are supported: authpriv (if your OS # The following syslog facilities are supported: authpriv (if your OS
# supports it), auth, daemon, user, local0, local1, local2, local3, local4, # supports it), auth, daemon, user, local0, local1, local2, local3,
# local5, local6, and local7. # local4, local5, local6, and local7.
#facility = authpriv #facility = authpriv
# Syslog priority to use for event log accept messages, when the command # Syslog priority to use for event log accept messages, when the command
@ -505,7 +505,8 @@ Sudo log server configuration file
# is not allowed by the security policy. # is not allowed by the security policy.
#reject_priority = alert #reject_priority = alert
# Syslog priority to use for event log alert messages reported by the client. # Syslog priority to use for event log alert messages reported by the
# client.
#alert_priority = alert #alert_priority = alert
[logfile] [logfile]

27
doc/sudo_logsrvd.conf.mdoc.in
View File

@ -426,24 +426,24 @@ Sudo log server configuration file
# are set, I/O log files and directories are created with group-ID 0. # are set, I/O log files and directories are created with group-ID 0.
#iolog_group = wheel #iolog_group = wheel
# The user to use when setting the user-ID and group-ID of new I/O log files # The user to use when setting the user-ID and group-ID of new I/O
# and directories. If iolog_group is set, it will be used instead of the # log files and directories. If iolog_group is set, it will be used
# user's primary group-ID. By default, I/O log files and directories are # instead of the user's primary group-ID. By default, I/O log files
# created with user and group-ID 0. # and directories are created with user and group-ID 0.
#iolog_user = root #iolog_user = root
# The file mode to use when creating I/O log files. The file permissions # The file mode to use when creating I/O log files. The file permissions
# will always include the owner read and write bits, even if they are not # will always include the owner read and write bits, even if they are
# present in the specified mode. When creating I/O log directories, search # not present in the specified mode. When creating I/O log directories,
# (execute) bits are added to match the read and write bits specified by # search (execute) bits are added to match the read and write bits
# iolog_mode. # specified by iolog_mode.
#iolog_mode = 0600 #iolog_mode = 0600
# The maximum sequence number that will be substituted for the "%{seq}" # The maximum sequence number that will be substituted for the "%{seq}"
# escape in the I/O log file. While the value substituted for "%{seq}" # escape in the I/O log file. While the value substituted for "%{seq}"
# is in base 36, maxseq itself should be expressed in decimal. Values # is in base 36, maxseq itself should be expressed in decimal. Values
# larger than 2176782336 (which corresponds to the base 36 sequence number # larger than 2176782336 (which corresponds to the base 36 sequence
# "ZZZZZZ") will be silently truncated to 2176782336. # number "ZZZZZZ") will be silently truncated to 2176782336.
#maxseq = 2176782336 #maxseq = 2176782336
[eventlog] [eventlog]
@ -466,8 +466,8 @@ Sudo log server configuration file
# The syslog facility to use for event log messages. # The syslog facility to use for event log messages.
# The following syslog facilities are supported: authpriv (if your OS # The following syslog facilities are supported: authpriv (if your OS
# supports it), auth, daemon, user, local0, local1, local2, local3, local4, # supports it), auth, daemon, user, local0, local1, local2, local3,
# local5, local6, and local7. # local4, local5, local6, and local7.
#facility = authpriv #facility = authpriv
# Syslog priority to use for event log accept messages, when the command # Syslog priority to use for event log accept messages, when the command
@ -479,7 +479,8 @@ Sudo log server configuration file
# is not allowed by the security policy. # is not allowed by the security policy.
#reject_priority = alert #reject_priority = alert
# Syslog priority to use for event log alert messages reported by the client. # Syslog priority to use for event log alert messages reported by the
# client.
#alert_priority = alert #alert_priority = alert
[logfile] [logfile]

29
examples/sudo_logsrvd.conf
View File

@ -12,7 +12,7 @@
# listen_address = IPv4_address:port # listen_address = IPv4_address:port
# listen_address = [IPv6_address] # listen_address = [IPv6_address]
# listen_address = [IPv6_address]:port # listen_address = [IPv6_address]:port
# #
# Multiple listen_address settings may be specified. # Multiple listen_address settings may be specified.
# The default is to listen on all addresses. # The default is to listen on all addresses.
#listen_address = *:30344 #listen_address = *:30344
@ -41,24 +41,24 @@
# are set, I/O log files and directories are created with group-ID 0. # are set, I/O log files and directories are created with group-ID 0.
#iolog_group = wheel #iolog_group = wheel
# The user to use when setting the user-ID and group-ID of new I/O log files # The user to use when setting the user-ID and group-ID of new I/O
# and directories. If iolog_group is set, it will be used instead of the # log files and directories. If iolog_group is set, it will be used
# user's primary group-ID. By default, I/O log files and directories are # instead of the user's primary group-ID. By default, I/O log files
# created with user and group-ID 0. # and directories are created with user and group-ID 0.
#iolog_user = root #iolog_user = root
# The file mode to use when creating I/O log files. The file permissions # The file mode to use when creating I/O log files. The file permissions
# will always include the owner read and write bits, even if they are not # will always include the owner read and write bits, even if they are
# present in the specified mode. When creating I/O log directories, search # not present in the specified mode. When creating I/O log directories,
# (execute) bits are added to match the read and write bits specified by # search (execute) bits are added to match the read and write bits
# iolog_mode. # specified by iolog_mode.
#iolog_mode = 0600 #iolog_mode = 0600
# The maximum sequence number that will be substituted for the "%{seq}" # The maximum sequence number that will be substituted for the "%{seq}"
# escape in the I/O log file. While the value substituted for "%{seq}" # escape in the I/O log file. While the value substituted for "%{seq}"
# is in base 36, maxseq itself should be expressed in decimal. Values # is in base 36, maxseq itself should be expressed in decimal. Values
# larger than 2176782336 (which corresponds to the base 36 sequence number # larger than 2176782336 (which corresponds to the base 36 sequence
# "ZZZZZZ") will be silently truncated to 2176782336. # number "ZZZZZZ") will be silently truncated to 2176782336.
#maxseq = 2176782336 #maxseq = 2176782336
[eventlog] [eventlog]
@ -81,8 +81,8 @@
# The syslog facility to use for event log messages. # The syslog facility to use for event log messages.
# The following syslog facilities are supported: authpriv (if your OS # The following syslog facilities are supported: authpriv (if your OS
# supports it), auth, daemon, user, local0, local1, local2, local3, local4, # supports it), auth, daemon, user, local0, local1, local2, local3,
# local5, local6, and local7. # local4, local5, local6, and local7.
#facility = authpriv #facility = authpriv
# Syslog priority to use for event log accept messages, when the command # Syslog priority to use for event log accept messages, when the command
@ -94,7 +94,8 @@
# is not allowed by the security policy. # is not allowed by the security policy.
#reject_priority = alert #reject_priority = alert
# Syslog priority to use for event log alert messages reported by the client. # Syslog priority to use for event log alert messages reported by the
# client.
#alert_priority = alert #alert_priority = alert
[logfile] [logfile]

9
logsrvd/iolog_writer.c
View File

@ -327,12 +327,17 @@ iolog_details_fill(struct iolog_details *details, TimeSpec *submit_time,
/* Check for required settings */ /* Check for required settings */
if (details->submituser == NULL) { if (details->submituser == NULL) {
sudo_debug_printf(SUDO_DEBUG_ERROR|SUDO_DEBUG_LINENO, sudo_debug_printf(SUDO_DEBUG_ERROR|SUDO_DEBUG_LINENO,
"missing user in AcceptMessage"); "missing submituser in AcceptMessage");
goto done; goto done;
} }
if (details->submithost == NULL) { if (details->submithost == NULL) {
sudo_debug_printf(SUDO_DEBUG_ERROR|SUDO_DEBUG_LINENO, sudo_debug_printf(SUDO_DEBUG_ERROR|SUDO_DEBUG_LINENO,
"missing host in AcceptMessage"); "missing submithost in AcceptMessage");
goto done;
}
if (details->runuser == NULL) {
sudo_debug_printf(SUDO_DEBUG_ERROR|SUDO_DEBUG_LINENO,
"missing runuser in AcceptMessage");
goto done; goto done;
} }
if (details->command == NULL) { if (details->command == NULL) {