mirror of https://github.com/sudo-project/sudo.git synced 2025-08-22 01:49:11 +00:00

Document apparmor_profile, intercept_verify, and update_ticket.

This commit is contained in:
Todd C. Miller 2022-09-11 19:06:26 -06:00
parent 5bcec02442
commit 3194d16674
2 changed files with 84 additions and 35 deletions

View File

@ -16,7 +16,7 @@
.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
.\"
.TH "SUDO_PLUGIN" "5" "September 10, 2022" "Sudo @PACKAGE_VERSION@" "File Formats Manual"
.TH "SUDO_PLUGIN" "5" "September 11, 2022" "Sudo @PACKAGE_VERSION@" "File Formats Manual"
.nh
.if n .ad l
.SH "NAME"
@ -305,6 +305,7 @@ filtering and the
action.
Other systems will use a dynamic shared object to implement
intercept.
Only available starting with API version 1.19.
.TP 6n
intercept_setid=bool
Indicates whether or not the system supports running set-user-ID
@ -322,6 +323,7 @@ This will disable intercept mode for that program and any other
programs that it executes.
The policy plugin may refuse to execute a set-user-ID or set-group-ID
binary in intercept mode to avoid this.
Only available starting with API version 1.19.
.TP 6n
login_class=string
BSD
@ -474,6 +476,13 @@ option.
Not all plugins support command timeouts and the ability of the
user to set a timeout may be restricted by policy.
The format of the timeout string is plugin-specific.
.TP 6n
update_ticket=bool
Set to false if the user specified the
\fB\-N\fR
option, indicating that the user wishes to avoid updating any cached
authentication credentials.
Only available starting with API version 1.20.
.PP
Additional settings may be added in the future so the plugin should
silently ignore settings that it does not recognize.
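Review bot: the new update_ticket entry (lines `update_ticket=bool` through `authentication credentials.`) says what the value means when it is false but not what a plugin should assume when the setting is absent, which it always will be with a front end older than API version 1.20; suggest adding a sentence along the lines of "If not specified, the plugin should behave as if update_ticket were true." so that plugin authors do not accidentally treat a missing setting as a request to skip the credential update.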
@ -1001,9 +1010,13 @@ The following values are recognized by
.RS 6n
.PD 0
.TP 6n
apparmor_profile=string
AppArmor profile to transition to when executing the command.
Only available starting with API version 1.19.
.PD
.TP 6n
chroot=string
The root directory to use when running the command.
.PD
.TP 6n
closefrom=number
If specified,
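Review bot: the apparmor_profile description ("AppArmor profile to transition to when executing the command.") does not say how sudo behaves when the transition cannot be made, for example because the profile is not loaded or the kernel has no AppArmor support; for a confinement setting that distinction matters, so the entry should state whether the command is refused or run unconfined, and that the value is only meaningful on systems with AppArmor. A pointer to the matching sudoers option would also help, as the intercept and log_subcmds entries already do.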
@ -1026,7 +1039,7 @@ not be run unless
is also set (see below).
.TP 6n
cwd_optional=bool
If enabled,
If set,
\fBsudo\fR
will treat an inability to change to the new working directory as a
non-fatal error.
@ -1107,7 +1120,7 @@ The specified
must refer to an open file descriptor.
.TP 6n
intercept=bool
If specified,
If set,
\fBsudo\fR
will intercept attempts to execute a subsequent command and perform
a policy check via the policy plugin's
@ -1120,6 +1133,17 @@ See
in
sudoers(@mansectform@)
for details.
Only available starting with API version 1.18.
.TP 6n
intercept_verify=bool
If set,
\fBsudo\fR
will attempt to verify that a command run in intercept mode has the
expected path name, command line arguments and environment.
This setting has no effect unless
\fIuse_ptrace\fR
is also enabled.
Only available starting with API version 1.20.
.TP 6n
iolog_compress=bool
Set to true if the I/O logging plugins, if any, should compress the
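Review bot: the intercept_verify entry says sudo "will attempt to verify" the path name, arguments and environment of an intercepted command but never states the outcome of a mismatch, which is the part a policy plugin author needs to know; suggest stating explicitly whether the execve is refused and an error reported, rather than leaving the reader to infer it. It would also help to note that, since use_ptrace itself "has no effect unless intercept is also set" (per the hunk at the end of this file), intercept_verify effectively requires both intercept and use_ptrace.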
@ -1186,7 +1210,7 @@ BSD
systems.
.TP 6n
log_subcmds=bool
If specified,
If set,
\fBsudo\fR
will call the audit plugin's
\fBaccept\fR()
@ -1202,6 +1226,7 @@ See
in
sudoers(@mansectform@)
for more information.
Only available starting with API version 1.18.
.TP 6n
noexec=bool
If set, prevent the command from executing other programs.
@ -1235,7 +1260,7 @@ A value of
\(lqdefault\(rq
will cause the target user's default resource limit to be used
on systems that allow per-user resource limits to be configured.
Only available starting with API version 1.17.
Only available starting with API version 1.18.
.TP 6n
rlimit_core=soft,hard
The largest size core dump file that may be created (in bytes).
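Review bot: this hunk and the following rlimit_* hunks change the documented minimum API version from 1.17 to 1.18, but the commit message ("Document apparmor_profile, intercept_verify, and update_ticket.") does not mention it; suggest adding a line such as "Fix API version for the rlimit_* command_info entries (1.18, not 1.17)." so that someone reading the history understands that the earlier value was wrong rather than that the versioning policy changed.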
@ -1251,7 +1276,7 @@ A value of
\(lqdefault\(rq
will cause the target user's default resource limit to be used
on systems that allow per-user resource limits to be configured.
Only available starting with API version 1.17.
Only available starting with API version 1.18.
.TP 6n
rlimit_cpu=soft,hard
The maximum amount of CPU time that the process may use (in seconds).
@ -1267,7 +1292,7 @@ A value of
\(lqdefault\(rq
will cause the target user's default resource limit to be used
on systems that allow per-user resource limits to be configured.
Only available starting with API version 1.17.
Only available starting with API version 1.18.
.TP 6n
rlimit_data=soft,hard
The maximum size of the data segment for the process (in bytes).
@ -1283,7 +1308,7 @@ A value of
\(lqdefault\(rq
will cause the target user's default resource limit to be used
on systems that allow per-user resource limits to be configured.
Only available starting with API version 1.17.
Only available starting with API version 1.18.
.TP 6n
rlimit_fsize=soft,hard
The largest size file that the process may create (in bytes).
@ -1299,7 +1324,7 @@ A value of
\(lqdefault\(rq
will cause the target user's default resource limit to be used
on systems that allow per-user resource limits to be configured.
Only available starting with API version 1.17.
Only available starting with API version 1.18.
.TP 6n
rlimit_locks=soft,hard
The maximum number of locks that the process may establish,
@ -1316,7 +1341,7 @@ A value of
\(lqdefault\(rq
will cause the target user's default resource limit to be used
on systems that allow per-user resource limits to be configured.
Only available starting with API version 1.17.
Only available starting with API version 1.18.
.TP 6n
rlimit_memlock=soft,hard
The maximum size that the process may lock in memory (in bytes),
@ -1333,7 +1358,7 @@ A value of
\(lqdefault\(rq
will cause the target user's default resource limit to be used
on systems that allow per-user resource limits to be configured.
Only available starting with API version 1.17.
Only available starting with API version 1.18.
.TP 6n
rlimit_nofile=soft,hard
The maximum number of files that the process may have open.
@ -1349,7 +1374,7 @@ A value of
\(lqdefault\(rq
will cause the target user's default resource limit to be used
on systems that allow per-user resource limits to be configured.
Only available starting with API version 1.17.
Only available starting with API version 1.18.
.TP 6n
rlimit_nproc=soft,hard
The maximum number of processes that the user may run simultaneously.
@ -1365,7 +1390,7 @@ A value of
\(lqdefault\(rq
will cause the target user's default resource limit to be used
on systems that allow per-user resource limits to be configured.
Only available starting with API version 1.17.
Only available starting with API version 1.18.
.TP 6n
rlimit_rss=soft,hard
The maximum size to which the process's resident set size may grow (in bytes).
@ -1381,7 +1406,7 @@ A value of
\(lqdefault\(rq
will cause the target user's default resource limit to be used
on systems that allow per-user resource limits to be configured.
Only available starting with API version 1.17.
Only available starting with API version 1.18.
.TP 6n
rlimit_stack=soft,hard
The maximum size to which the process's stack may grow (in bytes).
@ -1397,7 +1422,7 @@ A value of
\(lqdefault\(rq
will cause the target user's default resource limit to be used
on systems that allow per-user resource limits to be configured.
Only available starting with API version 1.17.
Only available starting with API version 1.18.
.TP 6n
runas_egid=gid
Effective group-ID to run the command as.
@ -1493,7 +1518,7 @@ These restrictions are not enforced when
\fBsudoedit\fR
is run by root.
The
\fIsudoedit_follow\fR
\fIsudoedit_checkdir\fR
option can be set to false to disable this check.
Only available starting with API version 1.8.
.TP 6n
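Review bot: replacing `\fIsudoedit_follow\fR` with `\fIsudoedit_checkdir\fR` corrects a wrong cross-reference (the surrounding sentence describes the directory check that sudoedit_checkdir controls, and sudoedit_follow has its own entry immediately below), but this fix is also absent from the commit message; worth a line there, since a reader of the old text could have disabled the wrong option believing it turned off the directory check.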
@ -1528,7 +1553,7 @@ Force the value specified by the
option to override any umask set by PAM or login.conf.
.TP 6n
use_ptrace=bool
If specified,
If set,
\fBsudo\fR
will use
ptrace(2)
@ -1536,6 +1561,7 @@ to implement intercept mode if supported by the system.
This setting has no effect unless
\fIintercept\fR
is also set.
Only available starting with API version 1.19.
.TP 6n
use_pty=bool
Allocate a pseudo-terminal to run the command in, regardless of whether

View File

@ -15,7 +15,7 @@
.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
.\"
.Dd September 10, 2022
.Dd September 11, 2022
.Dt SUDO_PLUGIN @mansectform@
.Os Sudo @PACKAGE_VERSION@
.Sh NAME
@ -282,6 +282,7 @@ filtering and the
action.
Other systems will use a dynamic shared object to implement
intercept.
Only available starting with API version 1.19.
.It intercept_setid=bool
Indicates whether or not the system supports running set-user-ID
and set-group-ID binaries in intercept mode.
@ -298,6 +299,7 @@ This will disable intercept mode for that program and any other
programs that it executes.
The policy plugin may refuse to execute a set-user-ID or set-group-ID
binary in intercept mode to avoid this.
Only available starting with API version 1.19.
.It login_class=string
.Bx
login class to use when setting resource limits and nice value,
@ -430,6 +432,12 @@ option.
Not all plugins support command timeouts and the ability of the
user to set a timeout may be restricted by policy.
The format of the timeout string is plugin-specific.
.It update_ticket=bool
Set to false if the user specified the
.Fl N
option, indicating that the user wishes to avoid updating any cached
authentication credentials.
Only available starting with API version 1.20.
.El
.Pp
Additional settings may be added in the future so the plugin should
@ -894,6 +902,9 @@ pointer.
The following values are recognized by
.Nm sudo :
.Bl -tag -width 4n
.It apparmor_profile=string
AppArmor profile to transition to when executing the command.
Only available starting with API version 1.19.
.It chroot=string
The root directory to use when running the command.
.It closefrom=number
@ -914,7 +925,7 @@ not be run unless
.Em cwd_optional
is also set (see below).
.It cwd_optional=bool
If enabled,
If set,
.Nm sudo
will treat an inability to change to the new working directory as a
non-fatal error.
@ -992,7 +1003,7 @@ The specified
.Em number
must refer to an open file descriptor.
.It intercept=bool
If specified,
If set,
.Nm sudo
will intercept attempts to execute a subsequent command and perform
a policy check via the policy plugin's
@ -1005,6 +1016,16 @@ See
in
.Xr sudoers @mansectform@
for details.
Only available starting with API version 1.18.
.It intercept_verify=bool
If set,
.Nm sudo
will attempt to verify that a command run in intercept mode has the
expected path name, command line arguments and environment.
This setting has no effect unless
.Em use_ptrace
is also enabled.
Only available starting with API version 1.20.
.It iolog_compress=bool
Set to true if the I/O logging plugins, if any, should compress the
log data.
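Review bot: style inconsistency in the new intercept_verify text: this commit changes "If enabled" to "If set" elsewhere for uniformity, but the added line reads "is also enabled." while the use_ptrace entry later in this file uses "is also set."; suggest "is also set." here for consistency. The same wording appears in the man.in copy of this entry.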
@ -1058,7 +1079,7 @@ on
.Bx
systems.
.It log_subcmds=bool
If specified,
If set,
.Nm sudo
will call the audit plugin's
.Fn accept
@ -1074,6 +1095,7 @@ See
in
.Xr sudoers @mansectform@
for more information.
Only available starting with API version 1.18.
.It noexec=bool
If set, prevent the command from executing other programs.
.It preserve_fds=list
@ -1103,7 +1125,7 @@ A value of
.Dq default
will cause the target user's default resource limit to be used
on systems that allow per-user resource limits to be configured.
Only available starting with API version 1.17.
Only available starting with API version 1.18.
.It rlimit_core=soft,hard
The largest size core dump file that may be created (in bytes).
The soft and hard limits are separated by a comma.
@ -1118,7 +1140,7 @@ A value of
.Dq default
will cause the target user's default resource limit to be used
on systems that allow per-user resource limits to be configured.
Only available starting with API version 1.17.
Only available starting with API version 1.18.
.It rlimit_cpu=soft,hard
The maximum amount of CPU time that the process may use (in seconds).
The soft and hard limits are separated by a comma.
@ -1133,7 +1155,7 @@ A value of
.Dq default
will cause the target user's default resource limit to be used
on systems that allow per-user resource limits to be configured.
Only available starting with API version 1.17.
Only available starting with API version 1.18.
.It rlimit_data=soft,hard
The maximum size of the data segment for the process (in bytes).
The soft and hard limits are separated by a comma.
@ -1148,7 +1170,7 @@ A value of
.Dq default
will cause the target user's default resource limit to be used
on systems that allow per-user resource limits to be configured.
Only available starting with API version 1.17.
Only available starting with API version 1.18.
.It rlimit_fsize=soft,hard
The largest size file that the process may create (in bytes).
The soft and hard limits are separated by a comma.
@ -1163,7 +1185,7 @@ A value of
.Dq default
will cause the target user's default resource limit to be used
on systems that allow per-user resource limits to be configured.
Only available starting with API version 1.17.
Only available starting with API version 1.18.
.It rlimit_locks=soft,hard
The maximum number of locks that the process may establish,
if supported by the operating system.
@ -1179,7 +1201,7 @@ A value of
.Dq default
will cause the target user's default resource limit to be used
on systems that allow per-user resource limits to be configured.
Only available starting with API version 1.17.
Only available starting with API version 1.18.
.It rlimit_memlock=soft,hard
The maximum size that the process may lock in memory (in bytes),
if supported by the operating system.
@ -1195,7 +1217,7 @@ A value of
.Dq default
will cause the target user's default resource limit to be used
on systems that allow per-user resource limits to be configured.
Only available starting with API version 1.17.
Only available starting with API version 1.18.
.It rlimit_nofile=soft,hard
The maximum number of files that the process may have open.
The soft and hard limits are separated by a comma.
@ -1210,7 +1232,7 @@ A value of
.Dq default
will cause the target user's default resource limit to be used
on systems that allow per-user resource limits to be configured.
Only available starting with API version 1.17.
Only available starting with API version 1.18.
.It rlimit_nproc=soft,hard
The maximum number of processes that the user may run simultaneously.
The soft and hard limits are separated by a comma.
@ -1225,7 +1247,7 @@ A value of
.Dq default
will cause the target user's default resource limit to be used
on systems that allow per-user resource limits to be configured.
Only available starting with API version 1.17.
Only available starting with API version 1.18.
.It rlimit_rss=soft,hard
The maximum size to which the process's resident set size may grow (in bytes).
The soft and hard limits are separated by a comma.
@ -1240,7 +1262,7 @@ A value of
.Dq default
will cause the target user's default resource limit to be used
on systems that allow per-user resource limits to be configured.
Only available starting with API version 1.17.
Only available starting with API version 1.18.
.It rlimit_stack=soft,hard
The maximum size to which the process's stack may grow (in bytes).
The soft and hard limits are separated by a comma.
@ -1255,7 +1277,7 @@ A value of
.Dq default
will cause the target user's default resource limit to be used
on systems that allow per-user resource limits to be configured.
Only available starting with API version 1.17.
Only available starting with API version 1.18.
.It runas_egid=gid
Effective group-ID to run the command as.
If not specified, the value of
@ -1339,7 +1361,7 @@ These restrictions are not enforced when
.Nm sudoedit
is run by root.
The
.Em sudoedit_follow
.Em sudoedit_checkdir
option can be set to false to disable this check.
Only available starting with API version 1.8.
.It sudoedit_follow=bool
@ -1369,7 +1391,7 @@ Force the value specified by the
.Em umask
option to override any umask set by PAM or login.conf.
.It use_ptrace=bool
If specified,
If set,
.Nm sudo
will use
.Xr ptrace 2
@ -1377,6 +1399,7 @@ to implement intercept mode if supported by the system.
This setting has no effect unless
.Em intercept
is also set.
Only available starting with API version 1.19.
.It use_pty=bool
Allocate a pseudo-terminal to run the command in, regardless of whether
or not I/O logging is in use.