mirror of https://github.com/sudo-project/sudo.git synced 2025-08-29 13:28:10 +00:00

Document apparmor_profile, intercept_verify, and update_ticket.

Todd C. Miller 2022-09-11 19:06:26 -06:00
parent 5bcec02442
commit 3194d16674
2 changed files with 84 additions and 35 deletions

View File

@ -16,7 +16,7 @@
.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
.\" .\"
.TH "SUDO_PLUGIN" "5" "September 10, 2022" "Sudo @PACKAGE_VERSION@" "File Formats Manual" .TH "SUDO_PLUGIN" "5" "September 11, 2022" "Sudo @PACKAGE_VERSION@" "File Formats Manual"
.nh .nh
.if n .ad l .if n .ad l
.SH "NAME" .SH "NAME"
@ -305,6 +305,7 @@ filtering and the
action. action.
Other systems will use a dynamic shared object to implement Other systems will use a dynamic shared object to implement
intercept. intercept.
Only available starting with API version 1.19.
.TP 6n .TP 6n
intercept_setid=bool intercept_setid=bool
Indicates whether or not the system supports running set-user-ID Indicates whether or not the system supports running set-user-ID
@ -322,6 +323,7 @@ This will disable intercept mode for that program and any other
programs that it executes. programs that it executes.
The policy plugin may refuse to execute a set-user-ID or set-group-ID The policy plugin may refuse to execute a set-user-ID or set-group-ID
binary in intercept mode to avoid this. binary in intercept mode to avoid this.
Only available starting with API version 1.19.
.TP 6n .TP 6n
login_class=string login_class=string
BSD BSD
@ -474,6 +476,13 @@ option.
Not all plugins support command timeouts and the ability of the Not all plugins support command timeouts and the ability of the
user to set a timeout may be restricted by policy. user to set a timeout may be restricted by policy.
The format of the timeout string is plugin-specific. The format of the timeout string is plugin-specific.
.TP 6n
update_ticket=bool
Set to false if the user specified the
\fB\-N\fR
option, indicating that the user wishes to avoid updating any cached
authentication credentials.
Only available starting with API version 1.20.
.PP .PP
Additional settings may be added in the future so the plugin should Additional settings may be added in the future so the plugin should
silently ignore settings that it does not recognize. silently ignore settings that it does not recognize.
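Review bot: the new update_ticket entry only covers the false case (the user passed -N) and leaves a plugin author guessing what to assume when the setting is absent, which is exactly the situation for any front end older than API version 1.20; add a sentence stating the value the plugin should assume when update_ticket is not passed. Also, this commit touches only the two manual sources, so please confirm the plugin API minor version constant in the code was already bumped to 1.20; otherwise the documented availability will not match what a plugin can test at load time.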
@ -1001,9 +1010,13 @@ The following values are recognized by
.RS 6n .RS 6n
.PD 0 .PD 0
.TP 6n .TP 6n
apparmor_profile=string
AppArmor profile to transition to when executing the command.
Only available starting with API version 1.19.
.PD
.TP 6n
chroot=string chroot=string
The root directory to use when running the command. The root directory to use when running the command.
.PD
.TP 6n .TP 6n
closefrom=number closefrom=number
If specified, If specified,
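Review bot: moving `.PD` from after the chroot entry to after the new apparmor_profile entry is correct, since the `.PD 0` / `.PD` pair has to bracket the first item of the list and apparmor_profile is now that item. The one-line description, though, does not say what sudo does when the named profile cannot be entered (refuse to run the command, or run it without the transition), nor that the setting is ignored on systems without AppArmor; a policy author relying on this for confinement needs both, so suggest a sentence on failure behaviour in the style of the cwd_optional entry, which spells out that a chdir failure is non-fatal.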
@ -1026,7 +1039,7 @@ not be run unless
is also set (see below). is also set (see below).
.TP 6n .TP 6n
cwd_optional=bool cwd_optional=bool
If enabled, If set,
\fBsudo\fR \fBsudo\fR
will treat an inability to change to the new working directory as a will treat an inability to change to the new working directory as a
non-fatal error. non-fatal error.
@ -1107,7 +1120,7 @@ The specified
must refer to an open file descriptor. must refer to an open file descriptor.
.TP 6n .TP 6n
intercept=bool intercept=bool
If specified, If set,
\fBsudo\fR \fBsudo\fR
will intercept attempts to execute a subsequent command and perform will intercept attempts to execute a subsequent command and perform
a policy check via the policy plugin's a policy check via the policy plugin's
@ -1120,6 +1133,17 @@ See
in in
sudoers(@mansectform@) sudoers(@mansectform@)
for details. for details.
Only available starting with API version 1.18.
.TP 6n
intercept_verify=bool
If set,
\fBsudo\fR
will attempt to verify that a command run in intercept mode has the
expected path name, command line arguments and environment.
This setting has no effect unless
\fIuse_ptrace\fR
is also enabled.
Only available starting with API version 1.20.
.TP 6n .TP 6n
iolog_compress=bool iolog_compress=bool
Set to true if the I/O logging plugins, if any, should compress the Set to true if the I/O logging plugins, if any, should compress the
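Review bot: the intercept_verify text says sudo "will attempt to verify" the path name, arguments and environment but never says what happens when they do not match, which is the one thing a policy author enabling this needs to know; state whether the mismatched command is refused and whether the event is reported, for example to the audit plugin's reject function. The dependency chain is also spread over three entries (intercept_verify requires use_ptrace, use_ptrace requires intercept); a short sentence here saying that all three must be set for verification to take place would save the reader two cross-references.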
@ -1186,7 +1210,7 @@ BSD
systems. systems.
.TP 6n .TP 6n
log_subcmds=bool log_subcmds=bool
If specified, If set,
\fBsudo\fR \fBsudo\fR
will call the audit plugin's will call the audit plugin's
\fBaccept\fR() \fBaccept\fR()
@ -1202,6 +1226,7 @@ See
in in
sudoers(@mansectform@) sudoers(@mansectform@)
for more information. for more information.
Only available starting with API version 1.18.
.TP 6n .TP 6n
noexec=bool noexec=bool
If set, prevent the command from executing other programs. If set, prevent the command from executing other programs.
@ -1235,7 +1260,7 @@ A value of
\(lqdefault\(rq \(lqdefault\(rq
will cause the target user's default resource limit to be used will cause the target user's default resource limit to be used
on systems that allow per-user resource limits to be configured. on systems that allow per-user resource limits to be configured.
Only available starting with API version 1.17. Only available starting with API version 1.18.
.TP 6n .TP 6n
rlimit_core=soft,hard rlimit_core=soft,hard
The largest size core dump file that may be created (in bytes). The largest size core dump file that may be created (in bytes).
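Review bot: the availability line for every rlimit_* entry from here down is corrected from API version 1.17 to 1.18, and the sudoedit cross-reference later in the file changes from sudoedit_follow to sudoedit_checkdir, but the commit message lists only the three newly documented settings; mentioning these corrections in the message, and double-checking the record of when the rlimit_* settings were first accepted by sudo, would make the change easier to audit when someone later wonders why 1.17 was wrong.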
@ -1251,7 +1276,7 @@ A value of
\(lqdefault\(rq \(lqdefault\(rq
will cause the target user's default resource limit to be used will cause the target user's default resource limit to be used
on systems that allow per-user resource limits to be configured. on systems that allow per-user resource limits to be configured.
Only available starting with API version 1.17. Only available starting with API version 1.18.
.TP 6n .TP 6n
rlimit_cpu=soft,hard rlimit_cpu=soft,hard
The maximum amount of CPU time that the process may use (in seconds). The maximum amount of CPU time that the process may use (in seconds).
@ -1267,7 +1292,7 @@ A value of
\(lqdefault\(rq \(lqdefault\(rq
will cause the target user's default resource limit to be used will cause the target user's default resource limit to be used
on systems that allow per-user resource limits to be configured. on systems that allow per-user resource limits to be configured.
Only available starting with API version 1.17. Only available starting with API version 1.18.
.TP 6n .TP 6n
rlimit_data=soft,hard rlimit_data=soft,hard
The maximum size of the data segment for the process (in bytes). The maximum size of the data segment for the process (in bytes).
@ -1283,7 +1308,7 @@ A value of
\(lqdefault\(rq \(lqdefault\(rq
will cause the target user's default resource limit to be used will cause the target user's default resource limit to be used
on systems that allow per-user resource limits to be configured. on systems that allow per-user resource limits to be configured.
Only available starting with API version 1.17. Only available starting with API version 1.18.
.TP 6n .TP 6n
rlimit_fsize=soft,hard rlimit_fsize=soft,hard
The largest size file that the process may create (in bytes). The largest size file that the process may create (in bytes).
@ -1299,7 +1324,7 @@ A value of
\(lqdefault\(rq \(lqdefault\(rq
will cause the target user's default resource limit to be used will cause the target user's default resource limit to be used
on systems that allow per-user resource limits to be configured. on systems that allow per-user resource limits to be configured.
Only available starting with API version 1.17. Only available starting with API version 1.18.
.TP 6n .TP 6n
rlimit_locks=soft,hard rlimit_locks=soft,hard
The maximum number of locks that the process may establish, The maximum number of locks that the process may establish,
@ -1316,7 +1341,7 @@ A value of
\(lqdefault\(rq \(lqdefault\(rq
will cause the target user's default resource limit to be used will cause the target user's default resource limit to be used
on systems that allow per-user resource limits to be configured. on systems that allow per-user resource limits to be configured.
Only available starting with API version 1.17. Only available starting with API version 1.18.
.TP 6n .TP 6n
rlimit_memlock=soft,hard rlimit_memlock=soft,hard
The maximum size that the process may lock in memory (in bytes), The maximum size that the process may lock in memory (in bytes),
@ -1333,7 +1358,7 @@ A value of
\(lqdefault\(rq \(lqdefault\(rq
will cause the target user's default resource limit to be used will cause the target user's default resource limit to be used
on systems that allow per-user resource limits to be configured. on systems that allow per-user resource limits to be configured.
Only available starting with API version 1.17. Only available starting with API version 1.18.
.TP 6n .TP 6n
rlimit_nofile=soft,hard rlimit_nofile=soft,hard
The maximum number of files that the process may have open. The maximum number of files that the process may have open.
@ -1349,7 +1374,7 @@ A value of
\(lqdefault\(rq \(lqdefault\(rq
will cause the target user's default resource limit to be used will cause the target user's default resource limit to be used
on systems that allow per-user resource limits to be configured. on systems that allow per-user resource limits to be configured.
Only available starting with API version 1.17. Only available starting with API version 1.18.
.TP 6n .TP 6n
rlimit_nproc=soft,hard rlimit_nproc=soft,hard
The maximum number of processes that the user may run simultaneously. The maximum number of processes that the user may run simultaneously.
@ -1365,7 +1390,7 @@ A value of
\(lqdefault\(rq \(lqdefault\(rq
will cause the target user's default resource limit to be used will cause the target user's default resource limit to be used
on systems that allow per-user resource limits to be configured. on systems that allow per-user resource limits to be configured.
Only available starting with API version 1.17. Only available starting with API version 1.18.
.TP 6n .TP 6n
rlimit_rss=soft,hard rlimit_rss=soft,hard
The maximum size to which the process's resident set size may grow (in bytes). The maximum size to which the process's resident set size may grow (in bytes).
@ -1381,7 +1406,7 @@ A value of
\(lqdefault\(rq \(lqdefault\(rq
will cause the target user's default resource limit to be used will cause the target user's default resource limit to be used
on systems that allow per-user resource limits to be configured. on systems that allow per-user resource limits to be configured.
Only available starting with API version 1.17. Only available starting with API version 1.18.
.TP 6n .TP 6n
rlimit_stack=soft,hard rlimit_stack=soft,hard
The maximum size to which the process's stack may grow (in bytes). The maximum size to which the process's stack may grow (in bytes).
@ -1397,7 +1422,7 @@ A value of
\(lqdefault\(rq \(lqdefault\(rq
will cause the target user's default resource limit to be used will cause the target user's default resource limit to be used
on systems that allow per-user resource limits to be configured. on systems that allow per-user resource limits to be configured.
Only available starting with API version 1.17. Only available starting with API version 1.18.
.TP 6n .TP 6n
runas_egid=gid runas_egid=gid
Effective group-ID to run the command as. Effective group-ID to run the command as.
@ -1493,7 +1518,7 @@ These restrictions are not enforced when
\fBsudoedit\fR \fBsudoedit\fR
is run by root. is run by root.
The The
\fIsudoedit_follow\fR \fIsudoedit_checkdir\fR
option can be set to false to disable this check. option can be set to false to disable this check.
Only available starting with API version 1.8. Only available starting with API version 1.8.
.TP 6n .TP 6n
@ -1528,7 +1553,7 @@ Force the value specified by the
option to override any umask set by PAM or login.conf. option to override any umask set by PAM or login.conf.
.TP 6n .TP 6n
use_ptrace=bool use_ptrace=bool
If specified, If set,
\fBsudo\fR \fBsudo\fR
will use will use
ptrace(2) ptrace(2)
@ -1536,6 +1561,7 @@ to implement intercept mode if supported by the system.
This setting has no effect unless This setting has no effect unless
\fIintercept\fR \fIintercept\fR
is also set. is also set.
Only available starting with API version 1.19.
.TP 6n .TP 6n
use_pty=bool use_pty=bool
Allocate a pseudo-terminal to run the command in, regardless of whether Allocate a pseudo-terminal to run the command in, regardless of whether

View File

@ -15,7 +15,7 @@
.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
.\" .\"
.Dd September 10, 2022 .Dd September 11, 2022
.Dt SUDO_PLUGIN @mansectform@ .Dt SUDO_PLUGIN @mansectform@
.Os Sudo @PACKAGE_VERSION@ .Os Sudo @PACKAGE_VERSION@
.Sh NAME .Sh NAME
@ -282,6 +282,7 @@ filtering and the
action. action.
Other systems will use a dynamic shared object to implement Other systems will use a dynamic shared object to implement
intercept. intercept.
Only available starting with API version 1.19.
.It intercept_setid=bool .It intercept_setid=bool
Indicates whether or not the system supports running set-user-ID Indicates whether or not the system supports running set-user-ID
and set-group-ID binaries in intercept mode. and set-group-ID binaries in intercept mode.
@ -298,6 +299,7 @@ This will disable intercept mode for that program and any other
programs that it executes. programs that it executes.
The policy plugin may refuse to execute a set-user-ID or set-group-ID The policy plugin may refuse to execute a set-user-ID or set-group-ID
binary in intercept mode to avoid this. binary in intercept mode to avoid this.
Only available starting with API version 1.19.
.It login_class=string .It login_class=string
.Bx .Bx
login class to use when setting resource limits and nice value, login class to use when setting resource limits and nice value,
@ -430,6 +432,12 @@ option.
Not all plugins support command timeouts and the ability of the Not all plugins support command timeouts and the ability of the
user to set a timeout may be restricted by policy. user to set a timeout may be restricted by policy.
The format of the timeout string is plugin-specific. The format of the timeout string is plugin-specific.
.It update_ticket=bool
Set to false if the user specified the
.Fl N
option, indicating that the user wishes to avoid updating any cached
authentication credentials.
Only available starting with API version 1.20.
.El .El
.Pp .Pp
Additional settings may be added in the future so the plugin should Additional settings may be added in the future so the plugin should
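Review bot: the same default-value gap as in the man-format entry applies here: say what the plugin should assume when update_ticket is not passed. The `.Fl N` macro is the right mdoc form for the option where the man-format source spells out `\fB\-N\fR`, so the two render identically and nothing else needs to change.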
@ -894,6 +902,9 @@ pointer.
The following values are recognized by The following values are recognized by
.Nm sudo : .Nm sudo :
.Bl -tag -width 4n .Bl -tag -width 4n
.It apparmor_profile=string
AppArmor profile to transition to when executing the command.
Only available starting with API version 1.19.
.It chroot=string .It chroot=string
The root directory to use when running the command. The root directory to use when running the command.
.It closefrom=number .It closefrom=number
@ -914,7 +925,7 @@ not be run unless
.Em cwd_optional .Em cwd_optional
is also set (see below). is also set (see below).
.It cwd_optional=bool .It cwd_optional=bool
If enabled, If set,
.Nm sudo .Nm sudo
will treat an inability to change to the new working directory as a will treat an inability to change to the new working directory as a
non-fatal error. non-fatal error.
@ -992,7 +1003,7 @@ The specified
.Em number .Em number
must refer to an open file descriptor. must refer to an open file descriptor.
.It intercept=bool .It intercept=bool
If specified, If set,
.Nm sudo .Nm sudo
will intercept attempts to execute a subsequent command and perform will intercept attempts to execute a subsequent command and perform
a policy check via the policy plugin's a policy check via the policy plugin's
@ -1005,6 +1016,16 @@ See
in in
.Xr sudoers @mansectform@ .Xr sudoers @mansectform@
for details. for details.
Only available starting with API version 1.18.
.It intercept_verify=bool
If set,
.Nm sudo
will attempt to verify that a command run in intercept mode has the
expected path name, command line arguments and environment.
This setting has no effect unless
.Em use_ptrace
is also enabled.
Only available starting with API version 1.20.
.It iolog_compress=bool .It iolog_compress=bool
Set to true if the I/O logging plugins, if any, should compress the Set to true if the I/O logging plugins, if any, should compress the
log data. log data.
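Review bot: as with the man-format entry, the mdoc intercept_verify text should say what sudo does when the verification fails rather than only that it "will attempt to verify"; a plugin author cannot judge the protection offered without knowing whether the command is refused. The `.Em use_ptrace` cross-reference is consistent with the `.Em intercept` reference used in the use_ptrace entry, so the markup itself is fine.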
@ -1058,7 +1079,7 @@ on
.Bx .Bx
systems. systems.
.It log_subcmds=bool .It log_subcmds=bool
If specified, If set,
.Nm sudo .Nm sudo
will call the audit plugin's will call the audit plugin's
.Fn accept .Fn accept
@ -1074,6 +1095,7 @@ See
in in
.Xr sudoers @mansectform@ .Xr sudoers @mansectform@
for more information. for more information.
Only available starting with API version 1.18.
.It noexec=bool .It noexec=bool
If set, prevent the command from executing other programs. If set, prevent the command from executing other programs.
.It preserve_fds=list .It preserve_fds=list
@ -1103,7 +1125,7 @@ A value of
.Dq default .Dq default
will cause the target user's default resource limit to be used will cause the target user's default resource limit to be used
on systems that allow per-user resource limits to be configured. on systems that allow per-user resource limits to be configured.
Only available starting with API version 1.17. Only available starting with API version 1.18.
.It rlimit_core=soft,hard .It rlimit_core=soft,hard
The largest size core dump file that may be created (in bytes). The largest size core dump file that may be created (in bytes).
The soft and hard limits are separated by a comma. The soft and hard limits are separated by a comma.
@ -1118,7 +1140,7 @@ A value of
.Dq default .Dq default
will cause the target user's default resource limit to be used will cause the target user's default resource limit to be used
on systems that allow per-user resource limits to be configured. on systems that allow per-user resource limits to be configured.
Only available starting with API version 1.17. Only available starting with API version 1.18.
.It rlimit_cpu=soft,hard .It rlimit_cpu=soft,hard
The maximum amount of CPU time that the process may use (in seconds). The maximum amount of CPU time that the process may use (in seconds).
The soft and hard limits are separated by a comma. The soft and hard limits are separated by a comma.
@ -1133,7 +1155,7 @@ A value of
.Dq default .Dq default
will cause the target user's default resource limit to be used will cause the target user's default resource limit to be used
on systems that allow per-user resource limits to be configured. on systems that allow per-user resource limits to be configured.
Only available starting with API version 1.17. Only available starting with API version 1.18.
.It rlimit_data=soft,hard .It rlimit_data=soft,hard
The maximum size of the data segment for the process (in bytes). The maximum size of the data segment for the process (in bytes).
The soft and hard limits are separated by a comma. The soft and hard limits are separated by a comma.
@ -1148,7 +1170,7 @@ A value of
.Dq default .Dq default
will cause the target user's default resource limit to be used will cause the target user's default resource limit to be used
on systems that allow per-user resource limits to be configured. on systems that allow per-user resource limits to be configured.
Only available starting with API version 1.17. Only available starting with API version 1.18.
.It rlimit_fsize=soft,hard .It rlimit_fsize=soft,hard
The largest size file that the process may create (in bytes). The largest size file that the process may create (in bytes).
The soft and hard limits are separated by a comma. The soft and hard limits are separated by a comma.
@ -1163,7 +1185,7 @@ A value of
.Dq default .Dq default
will cause the target user's default resource limit to be used will cause the target user's default resource limit to be used
on systems that allow per-user resource limits to be configured. on systems that allow per-user resource limits to be configured.
Only available starting with API version 1.17. Only available starting with API version 1.18.
.It rlimit_locks=soft,hard .It rlimit_locks=soft,hard
The maximum number of locks that the process may establish, The maximum number of locks that the process may establish,
if supported by the operating system. if supported by the operating system.
@ -1179,7 +1201,7 @@ A value of
.Dq default .Dq default
will cause the target user's default resource limit to be used will cause the target user's default resource limit to be used
on systems that allow per-user resource limits to be configured. on systems that allow per-user resource limits to be configured.
Only available starting with API version 1.17. Only available starting with API version 1.18.
.It rlimit_memlock=soft,hard .It rlimit_memlock=soft,hard
The maximum size that the process may lock in memory (in bytes), The maximum size that the process may lock in memory (in bytes),
if supported by the operating system. if supported by the operating system.
@ -1195,7 +1217,7 @@ A value of
.Dq default .Dq default
will cause the target user's default resource limit to be used will cause the target user's default resource limit to be used
on systems that allow per-user resource limits to be configured. on systems that allow per-user resource limits to be configured.
Only available starting with API version 1.17. Only available starting with API version 1.18.
.It rlimit_nofile=soft,hard .It rlimit_nofile=soft,hard
The maximum number of files that the process may have open. The maximum number of files that the process may have open.
The soft and hard limits are separated by a comma. The soft and hard limits are separated by a comma.
@ -1210,7 +1232,7 @@ A value of
.Dq default .Dq default
will cause the target user's default resource limit to be used will cause the target user's default resource limit to be used
on systems that allow per-user resource limits to be configured. on systems that allow per-user resource limits to be configured.
Only available starting with API version 1.17. Only available starting with API version 1.18.
.It rlimit_nproc=soft,hard .It rlimit_nproc=soft,hard
The maximum number of processes that the user may run simultaneously. The maximum number of processes that the user may run simultaneously.
The soft and hard limits are separated by a comma. The soft and hard limits are separated by a comma.
@ -1225,7 +1247,7 @@ A value of
.Dq default .Dq default
will cause the target user's default resource limit to be used will cause the target user's default resource limit to be used
on systems that allow per-user resource limits to be configured. on systems that allow per-user resource limits to be configured.
Only available starting with API version 1.17. Only available starting with API version 1.18.
.It rlimit_rss=soft,hard .It rlimit_rss=soft,hard
The maximum size to which the process's resident set size may grow (in bytes). The maximum size to which the process's resident set size may grow (in bytes).
The soft and hard limits are separated by a comma. The soft and hard limits are separated by a comma.
@ -1240,7 +1262,7 @@ A value of
.Dq default .Dq default
will cause the target user's default resource limit to be used will cause the target user's default resource limit to be used
on systems that allow per-user resource limits to be configured. on systems that allow per-user resource limits to be configured.
Only available starting with API version 1.17. Only available starting with API version 1.18.
.It rlimit_stack=soft,hard .It rlimit_stack=soft,hard
The maximum size to which the process's stack may grow (in bytes). The maximum size to which the process's stack may grow (in bytes).
The soft and hard limits are separated by a comma. The soft and hard limits are separated by a comma.
@ -1255,7 +1277,7 @@ A value of
.Dq default .Dq default
will cause the target user's default resource limit to be used will cause the target user's default resource limit to be used
on systems that allow per-user resource limits to be configured. on systems that allow per-user resource limits to be configured.
Only available starting with API version 1.17. Only available starting with API version 1.18.
.It runas_egid=gid .It runas_egid=gid
Effective group-ID to run the command as. Effective group-ID to run the command as.
If not specified, the value of If not specified, the value of
@ -1339,7 +1361,7 @@ These restrictions are not enforced when
.Nm sudoedit .Nm sudoedit
is run by root. is run by root.
The The
.Em sudoedit_follow .Em sudoedit_checkdir
option can be set to false to disable this check. option can be set to false to disable this check.
Only available starting with API version 1.8. Only available starting with API version 1.8.
.It sudoedit_follow=bool .It sudoedit_follow=bool
@ -1369,7 +1391,7 @@ Force the value specified by the
.Em umask .Em umask
option to override any umask set by PAM or login.conf. option to override any umask set by PAM or login.conf.
.It use_ptrace=bool .It use_ptrace=bool
If specified, If set,
.Nm sudo .Nm sudo
will use will use
.Xr ptrace 2 .Xr ptrace 2
@ -1377,6 +1399,7 @@ to implement intercept mode if supported by the system.
This setting has no effect unless This setting has no effect unless
.Em intercept .Em intercept
is also set. is also set.
Only available starting with API version 1.19.
.It use_pty=bool .It use_pty=bool
Allocate a pseudo-terminal to run the command in, regardless of whether Allocate a pseudo-terminal to run the command in, regardless of whether
or not I/O logging is in use. or not I/O logging is in use.