From 90f2cfa5896b7554932e96f4c132a89dd7fd4021 Mon Sep 17 00:00:00 2001 From: "Todd C. Miller" Date: Thu, 19 Jul 2012 13:41:14 -0400 Subject: [PATCH] Build .man.in and .cat files from .mdoc.in files. Add new --with-man and --with-mdoc configure options. --- INSTALL | 10 + MANIFEST | 14 +- NEWS | 3 + configure | 72 +- configure.in | 55 +- doc/Makefile.in | 101 +- doc/sudo.cat | 914 ++++--- doc/sudo.man.in | 1907 ++++++++------ doc/sudo.mdoc.in | 32 +- doc/sudo_plugin.cat | 1814 ++++++------- doc/sudo_plugin.man.in | 3687 ++++++++++++++++---------- doc/sudo_plugin.mdoc.in | 8 +- doc/sudoers.cat | 1977 +++++++------- doc/sudoers.ldap.cat | 883 ++++--- doc/sudoers.ldap.man.in | 1927 ++++++++------ doc/sudoers.ldap.mdoc.in | 12 +- doc/sudoers.man.in | 5313 +++++++++++++++++++++++++------------- doc/sudoers.mdoc.in | 26 +- doc/sudoreplay.cat | 226 +- doc/sudoreplay.man.in | 683 +++-- doc/sudoreplay.mdoc.in | 6 +- doc/visudo.cat | 183 +- doc/visudo.man.in | 548 ++-- doc/visudo.mdoc.in | 12 +- 24 files changed, 11796 insertions(+), 8617 deletions(-) diff --git a/INSTALL b/INSTALL index 16e894a22..71d306085 100644 --- a/INSTALL +++ b/INSTALL @@ -348,6 +348,16 @@ Special features/options: Enable support for role based access control (RBAC) on systems that support SELinux. + --with-man + Use the "man" macros for manual pages. By default, mdoc + versions of the manuals are installed. This can be used + to override configure's test for "nroff -mdoc" support. + + --with-mdoc + Use the "mdoc" macros for manual pages. By default, mdoc + versions of the manuals are installed. This can be used + to override configure's test for "nroff -mdoc" support. + The following options are also configurable at runtime: --with-long-otp-prompt diff --git a/MANIFEST b/MANIFEST index 7de0ffea4..f5c9381f0 100644 --- a/MANIFEST +++ b/MANIFEST @@ -81,24 +81,22 @@ doc/schema.OpenLDAP doc/schema.iPlanet doc/sudo.cat doc/sudo.man.in -doc/sudo.man.pl -doc/sudo.pod +doc/sudo.mdoc.in doc/sudo_plugin.cat doc/sudo_plugin.man.in -doc/sudo_plugin.pod +doc/sudo_plugin.mdoc.in doc/sudoers.cat doc/sudoers.ldap.cat doc/sudoers.ldap.man.in -doc/sudoers.ldap.pod +doc/sudoers.ldap.mdoc.in doc/sudoers.man.in -doc/sudoers.man.pl -doc/sudoers.pod +doc/sudoers.mdoc.in doc/sudoreplay.cat doc/sudoreplay.man.in -doc/sudoreplay.pod +doc/sudoreplay.mdoc.in doc/visudo.cat doc/visudo.man.in -doc/visudo.pod +doc/visudo.mdoc.in include/Makefile.in include/alloc.h include/error.h diff --git a/NEWS b/NEWS index 58bfd96ce..1aa183abb 100644 --- a/NEWS +++ b/NEWS @@ -33,6 +33,9 @@ What's new in Sudo 1.8.6? of "N incorrect password attempts". Likewise, the "mail_no_perms" sudoers option now takes precedence over "mail_badpass". + * The sudo manuals are now formatted in mdoc. Versions using the + legacy man macros are provided for systems that lack mdoc. + What's new in Sudo 1.8.5p2? * Fixed use of the SUDO_ASKPASS environment variable which was diff --git a/configure b/configure index 0118579f4..be4bc05ed 100755 --- a/configure +++ b/configure @@ -731,6 +731,7 @@ SUDOERS_MODE SHLIB_MODE MANCOMPRESSEXT MANCOMPRESS +MANDIRTYPE MANTYPE AUTH_OBJS OSDEFS @@ -871,6 +872,8 @@ with_interfaces with_stow with_askpass with_plugindir +with_man +with_mdoc enable_authentication enable_root_mailer enable_setreuid @@ -1655,6 +1658,8 @@ Optional Packages: --with-stow deprecated --with-askpass=PATH Fully qualified pathname of askpass helper --with-plugindir set directory to load plugins from + --with-man manual pages use man macros + --with-mdoc manual pages use mdoc macros --with-selinux enable SELinux support --with-pic[=PKGS] try to use only PIC/non-PIC objects [default=use both] @@ -2899,6 +2904,7 @@ $as_echo "$as_me: Configuring Sudo version $PACKAGE_VERSION" >&6;} + # @@ -2946,7 +2952,7 @@ secure_path="not set" INSTALL_NOEXEC= devdir='$(srcdir)' PROGS="sudo" -: ${MANTYPE='man'} +: ${MANDIRTYPE='man'} : ${mansrcdir='.'} : ${SHLIB_MODE='0644'} : ${SUDOERS_MODE='0440'} @@ -5208,6 +5214,34 @@ fi +# Check whether --with-man was given. +if test "${with_man+set}" = set; then : + withval=$with_man; case $with_man in + yes) MANTYPE=man + ;; + no) as_fn_error $? "\"--without-man not supported.\"" "$LINENO" 5 + ;; + *) as_fn_error $? "\"ignoring unknown argument to --with-man: $with_man.\"" "$LINENO" 5 + ;; +esac +fi + + + +# Check whether --with-mdoc was given. +if test "${with_mdoc+set}" = set; then : + withval=$with_mdoc; case $with_mdoc in + yes) MANTYPE=mdoc + ;; + no) as_fn_error $? "\"--without-mdoc not supported.\"" "$LINENO" 5 + ;; + *) as_fn_error $? "\"ignoring unknown argument to --with-mdoc: $with_mdoc.\"" "$LINENO" 5 + ;; +esac +fi + + + { $as_echo "$as_me:${as_lineno-$LINENO}: checking whether to do user authentication by default" >&5 $as_echo_n "checking whether to do user authentication by default... " >&6; } # Check whether --enable-authentication was given. @@ -13649,7 +13683,7 @@ $as_echo "no" >&6; } fi -for ac_prog in nroff mandoc +for ac_prog in mandoc nroff do # Extract the first word of "$ac_prog", so it can be a program name with args. set dummy $ac_prog; ac_word=$2 @@ -13692,6 +13726,29 @@ fi done if test -n "$NROFFPROG"; then + test -n "$MANTYPE" && sudo_cv_var_mantype="$MANTYPE" + { $as_echo "$as_me:${as_lineno-$LINENO}: checking which macro set to use for manual pages" >&5 +$as_echo_n "checking which macro set to use for manual pages... " >&6; } +if ${sudo_cv_var_mantype+:} false; then : + $as_echo_n "(cached) " >&6 +else + sudo_cv_var_mantype="man" + if test "$NROFFPROG" != "no"; then + echo ".Sh NAME" > conftest + echo ".Nm sudo" >> conftest + echo ".Nd sudo" >> conftest + echo ".Sh DESCRIPTION" >> conftest + echo "sudo" >> conftest + if $NROFFPROG -mdoc conftest >/dev/null 2>&1; then + sudo_cv_var_mantype="mdoc" + fi + rm -f conftest + fi + +fi +{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $sudo_cv_var_mantype" >&5 +$as_echo "$sudo_cv_var_mantype" >&6; } + MANTYPE="$sudo_cv_var_mantype" { $as_echo "$as_me:${as_lineno-$LINENO}: checking whether $NROFFPROG supports the -c option" >&5 $as_echo_n "checking whether $NROFFPROG supports the -c option... " >&6; } if ${sudo_cv_var_nroff_opt_c+:} false; then : @@ -13709,7 +13766,7 @@ $as_echo "$sudo_cv_var_nroff_opt_c" >&6; } if test "$sudo_cv_var_nroff_opt_c" = "yes"; then NROFFPROG="$NROFFPROG -c" fi - { $as_echo "$as_me:${as_lineno-$LINENO}: checking whether $NROFFPROG supports the -Tascii option" >&5 + { $as_echo "$as_me:${as_lineno-$LINENO}: checking whether $NROFFPROG supports the -Tascii option" >&5 $as_echo_n "checking whether $NROFFPROG supports the -Tascii option... " >&6; } if ${sudo_cv_var_nroff_opt_Tascii+:} false; then : $as_echo_n "(cached) " >&6 @@ -13719,15 +13776,16 @@ else else sudo_cv_var_nroff_opt_Tascii=no fi - if test "$sudo_cv_var_nroff_opt_Tascii" = "yes"; then - NROFFPROG="$NROFFPROG -Tascii" - fi fi { $as_echo "$as_me:${as_lineno-$LINENO}: result: $sudo_cv_var_nroff_opt_Tascii" >&5 $as_echo "$sudo_cv_var_nroff_opt_Tascii" >&6; } + if test "$sudo_cv_var_nroff_opt_Tascii" = "yes"; then + NROFFPROG="$NROFFPROG -Tascii" + fi else - MANTYPE="cat" + MANTYPE=cat + MANDIRTYPE=cat mansrcdir='$(srcdir)' fi diff --git a/configure.in b/configure.in index b848aabdc..04586f97e 100644 --- a/configure.in +++ b/configure.in @@ -38,6 +38,7 @@ AC_SUBST([GETGROUPS_LIB]) AC_SUBST([OSDEFS]) AC_SUBST([AUTH_OBJS]) AC_SUBST([MANTYPE]) +AC_SUBST([MANDIRTYPE]) AC_SUBST([MANCOMPRESS]) AC_SUBST([MANCOMPRESSEXT]) AC_SUBST([SHLIB_MODE]) @@ -164,7 +165,7 @@ dnl INSTALL_NOEXEC= devdir='$(srcdir)' PROGS="sudo" -: ${MANTYPE='man'} +: ${MANDIRTYPE='man'} : ${mansrcdir='.'} : ${SHLIB_MODE='0644'} : ${SUDOERS_MODE='0440'} @@ -1112,6 +1113,26 @@ AC_ARG_WITH(plugindir, [AS_HELP_STRING([--with-plugindir], [set directory to loa *) ;; esac], [with_plugindir="$libexecdir"]) +AC_ARG_WITH(man, [AS_HELP_STRING([--with-man], [manual pages use man macros])], +[case $with_man in + yes) MANTYPE=man + ;; + no) AC_MSG_ERROR(["--without-man not supported."]) + ;; + *) AC_MSG_ERROR(["ignoring unknown argument to --with-man: $with_man."]) + ;; +esac]) + +AC_ARG_WITH(mdoc, [AS_HELP_STRING([--with-mdoc], [manual pages use mdoc macros])], +[case $with_mdoc in + yes) MANTYPE=mdoc + ;; + no) AC_MSG_ERROR(["--without-mdoc not supported."]) + ;; + *) AC_MSG_ERROR(["ignoring unknown argument to --with-mdoc: $with_mdoc."]) + ;; +esac]) + dnl dnl Options for --enable dnl @@ -1428,8 +1449,25 @@ dnl Find programs we use dnl AC_CHECK_PROG(UNAMEPROG, [uname], [uname]) AC_CHECK_PROG(TRPROG, [tr], [tr]) -AC_CHECK_PROGS(NROFFPROG, [nroff mandoc]) +AC_CHECK_PROGS(NROFFPROG, [mandoc nroff]) if test -n "$NROFFPROG"; then + test -n "$MANTYPE" && sudo_cv_var_mantype="$MANTYPE" + AC_CACHE_CHECK([which macro set to use for manual pages], + [sudo_cv_var_mantype], + [sudo_cv_var_mantype="man" + if test "$NROFFPROG" != "no"; then + echo ".Sh NAME" > conftest + echo ".Nm sudo" >> conftest + echo ".Nd sudo" >> conftest + echo ".Sh DESCRIPTION" >> conftest + echo "sudo" >> conftest + if $NROFFPROG -mdoc conftest >/dev/null 2>&1; then + sudo_cv_var_mantype="mdoc" + fi + rm -f conftest + fi] + ) + MANTYPE="$sudo_cv_var_mantype" AC_CACHE_CHECK([whether $NROFFPROG supports the -c option], [sudo_cv_var_nroff_opt_c], [if $NROFFPROG -c /dev/null 2>&1; then @@ -1441,6 +1479,9 @@ if test -n "$NROFFPROG"; then if test "$sudo_cv_var_nroff_opt_c" = "yes"; then NROFFPROG="$NROFFPROG -c" fi + dnl + dnl This test will fail for mandoc but it is the default anyway... + dnl AC_CACHE_CHECK([whether $NROFFPROG supports the -Tascii option], [sudo_cv_var_nroff_opt_Tascii], [if $NROFFPROG -Tascii /dev/null 2>&1; then @@ -1448,12 +1489,13 @@ if test -n "$NROFFPROG"; then else sudo_cv_var_nroff_opt_Tascii=no fi] + ) if test "$sudo_cv_var_nroff_opt_Tascii" = "yes"; then NROFFPROG="$NROFFPROG -Tascii" fi - ) else - MANTYPE="cat" + MANTYPE=cat + MANDIRTYPE=cat mansrcdir='$(srcdir)' fi @@ -2884,7 +2926,7 @@ if test "${with_skey-'no'}" = "yes"; then for dir in "" "/usr/local" "/usr/contrib"; do test -n "$dir" && CPPFLAGS="$O_CPPFLAGS -I${dir}/include" AC_CHECK_HEADER([skey.h], [found=yes; break], [], - [#include ]) + [#include ]) done if test "$found" = "no" -o -z "$dir"; then CPPFLAGS="$O_CPPFLAGS" @@ -3168,7 +3210,7 @@ SUDO_IO_LOGDIR dnl dnl Turn warnings into errors. -dnl All compiler/loader tests after this point will fail if +dnl All compiler/loader tests after this point will fail if dnl a warning is displayed (nornally, warnings are not fata). dnl AC_LANG_WERROR @@ -3451,7 +3493,6 @@ test "$sysconfdir" = '${prefix}/etc' -a X"$with_stow" != X"yes" && sysconfdir='/ dnl dnl Substitute into the Makefile and man pages dnl -dnl AC_CONFIG_FILES([doc/sudo.man doc/visudo.man doc/sudoers.man doc/sudoers.ldap.man doc/sudoreplay.man src/Makefile src/sudo_usage.h]) AC_CONFIG_FILES([Makefile common/Makefile compat/Makefile doc/Makefile include/Makefile src/sudo_usage.h src/Makefile plugins/sample/Makefile plugins/sample_group/Makefile plugins/system_group/Makefile plugins/sudoers/Makefile plugins/sudoers/sudoers]) AC_OUTPUT diff --git a/doc/Makefile.in b/doc/Makefile.in index 0891af8cf..b25b98626 100644 --- a/doc/Makefile.in +++ b/doc/Makefile.in @@ -48,8 +48,8 @@ mandir = @mandir@ mantype = @MANTYPE@ mansectsu = @mansectsu@ mansectform = @mansectform@ -mandirsu = $(mandir)/$(mantype)$(mansectsu) -mandirform = $(mandir)/$(mantype)$(mansectform) +mandirsu = $(mandir)/@MANDIRTYPE@$(mansectsu) +mandirform = $(mandir)/@MANDIRTYPE@$(mansectform) # User and group ids the installed files should be "owned" by install_uid = 0 @@ -62,8 +62,9 @@ DEVEL = @DEVEL@ SHELL = @SHELL@ -DOCS = sudo.man visudo.man sudoers.man sudoers.ldap.man sudoers.man \ - sudoreplay.man sudo_plugin.man +DOCS = sudo.$(mantype) visudo.$(mantype) sudoers.$(mantype) \ + sudoers.ldap.$(mantype) sudoers.$(mantype) \ + sudoreplay.$(mantype) sudo_plugin.$(mantype) DEVDOCS = $(srcdir)/sudo.man.in $(srcdir)/sudo.cat \ $(srcdir)/visudo.man.in $(srcdir)/visudo.cat \ @@ -93,116 +94,146 @@ Makefile: $(srcdir)/Makefile.in varsub: $(top_srcdir)/configure.in @if [ -n "$(DEVEL)" ]; then \ - printf 's#@%s@#1#\ns#@%s@#1#\ns#@%s@#1#\ns#@%s@#/etc#g\ns#@%s@#/usr/local#g\ns#@%s@#4#g\ns#@%s@#1m#g\n' SEMAN BAMAN LCMAN sysconfdir prefix mansectform mansectsu > $@; \ + printf 's#@%s@#1#\ns#@%s@#1#\ns#@%s@#1#\ns#@%s@#/etc#g\ns#@%s@#/usr/local#g\ns#@%s@#5#g\ns#@%s@#8#g\ns#@%s@#%s#\n' SEMAN BAMAN LCMAN sysconfdir prefix mansectform mansectsu PACKAGE_VERSION $(VERSION) > $@; \ sed -n '/Begin initial values for man page substitution/,/End initial values for man page substitution/{;p;}' $(top_srcdir)/configure.in | sed -e '/^#/d' -e 's/^/s#@/' -e 's/=[\\"]*/@#/' -e 's/[\\"]*$$/#g/' >> $@; \ fi -$(srcdir)/sudo.man.in: $(srcdir)/sudo.pod +$(srcdir)/sudo.man.in: $(srcdir)/sudo.mdoc.in @if [ -n "$(DEVEL)" ]; then \ echo "Generating $@"; \ mansectsu=`echo @MANSECTSU@|tr A-Z a-z`; \ mansectform=`echo @MANSECTFORM@|tr A-Z a-z`; \ - sed -n -e '/^=pod/q' -e 's/^/.\\" /p' $(srcdir)/sudo.pod > $@; \ - pod2man --quotes=none --date="`date '+%B %e, %Y'`" --section=$$mansectsu --release=$(VERSION) --center="MAINTENANCE COMMANDS" $(srcdir)/sudo.pod | sed -e "s/(5)/($$mansectform)/g" -e "s/(8)/($$mansectsu)/g" | perl -p $(srcdir)/sudo.man.pl >> $@; \ + printf '.\\" DO NOT EDIT THIS FILE, IT IS NOT THE MASTER!\n' > $@; \ + printf '.\\" IT IS GENERATED AUTOMATICALLY FROM sudo.mdoc.in\n' >> $@; \ + sed -n -e '/^.Dd/q' -e '/^\.\\/p' $(srcdir)/sudo.mdoc.in >> $@; \ + sed -e 's/^\.Os.*/.Os @PACKAGE_VERSION@/' -e "s/$$mansectsu/8/g" -e "s/$$mansectform/5/g" $(srcdir)/sudo.mdoc.in | mandoc -Tman | sed -e 's/^\(\.TH "SUDO" \)"8"\(.*"\)OpenBSD \(.*\)/\1"'$$mansectsu'"\2\3/' -e "s/(5)/($$mansectform)/g" -e "s/(8)/($$mansectsu)/g" >> $@; \ fi sudo.man: $(srcdir)/sudo.man.in (cd $(top_builddir) && $(SHELL) config.status --file=doc/$@) -$(srcdir)/sudo.cat: varsub $(srcdir)/sudo.man.in +sudo.mdoc: $(srcdir)/sudo.mdoc.in + (cd $(top_builddir) && $(SHELL) config.status --file=doc/$@) + +$(srcdir)/sudo.cat: varsub $(srcdir)/sudo.mdoc.in @if [ -n "$(DEVEL)" ]; then \ echo "Generating $@"; \ - sed -f varsub $(srcdir)/sudo.man.in | $(NROFF) -man > $@; \ + sed -f varsub $(srcdir)/sudo.mdoc.in | $(NROFF) -mdoc | sed -e 's/ OpenBSD \([^ ].* \)/ \1 /' -e 's/(5)/(4)/g' -e 's/(8)/(1m)/g' > $@; \ fi -$(srcdir)/visudo.man.in: $(srcdir)/visudo.pod +$(srcdir)/visudo.man.in: $(srcdir)/visudo.mdoc.in @if [ -n "$(DEVEL)" ]; then \ echo "Generating $@"; \ mansectsu=`echo @MANSECTSU@|tr A-Z a-z`; \ mansectform=`echo @MANSECTFORM@|tr A-Z a-z`; \ - sed -n -e '/^=pod/q' -e 's/^/.\\" /p' $(srcdir)/visudo.pod > $@; \ - pod2man --quotes=none --date="`date '+%B %e, %Y'`" --section=$$mansectsu --release=$(VERSION) --center="MAINTENANCE COMMANDS" $(srcdir)/visudo.pod | sed -e "s/(5)/($$mansectform)/g" -e "s/(8)/($$mansectsu)/g" -e 's|\\fI\\f\((CW*\)*I@\([^@]*\)\\fI@|\\fI@\2@|g' >> $@; \ + printf '.\\" DO NOT EDIT THIS FILE, IT IS NOT THE MASTER!\n' > $@; \ + printf '.\\" IT IS GENERATED AUTOMATICALLY FROM visudo.mdoc.in\n' >> $@; \ + sed -n -e '/^.Dd/q' -e '/^\.\\/p' $(srcdir)/visudo.mdoc.in >> $@; \ + sed -e 's/^\.Os.*/.Os @PACKAGE_VERSION@/' -e "s/$$mansectsu/8/g" -e "s/$$mansectform/5/g" $(srcdir)/visudo.mdoc.in | mandoc -Tman | sed -e 's/^\(\.TH "VISUDO" \)"8"\(.*"\)OpenBSD \(.*\)/\1"'$$mansectsu'"\2\3/' -e "s/(5)/($$mansectform)/g" -e "s/(8)/($$mansectsu)/g" >> $@; \ fi visudo.man: $(srcdir)/visudo.man.in (cd $(top_builddir) && $(SHELL) config.status --file=doc/$@) -$(srcdir)/visudo.cat: varsub $(srcdir)/visudo.man.in +visudo.mdoc: $(srcdir)/visudo.mdoc.in + (cd $(top_builddir) && $(SHELL) config.status --file=doc/$@) + +$(srcdir)/visudo.cat: varsub $(srcdir)/visudo.mdoc.in @if [ -n "$(DEVEL)" ]; then \ echo "Generating $@"; \ - sed -f varsub $(srcdir)/visudo.man.in | $(NROFF) -man > $@; \ + sed -f varsub $(srcdir)/visudo.mdoc.in | $(NROFF) -mdoc | sed -e 's/ OpenBSD \([^ ].* \)/ \1 /' -e 's/(5)/(4)/g' -e 's/(8)/(1m)/g' > $@; \ fi -$(srcdir)/sudoers.man.in: $(srcdir)/sudoers.pod +$(srcdir)/sudoers.man.in: $(srcdir)/sudoers.mdoc.in @if [ -n "$(DEVEL)" ]; then \ echo "Generating $@"; \ mansectsu=`echo @MANSECTSU@|tr A-Z a-z`; \ mansectform=`echo @MANSECTFORM@|tr A-Z a-z`; \ - sed -n -e '/^=pod/q' -e 's/^/.\\" /p' $(srcdir)/sudoers.pod > $@; \ - pod2man --quotes=none --date="`date '+%B %e, %Y'`" --section=$$mansectform --release=$(VERSION) --center="MAINTENANCE COMMANDS" $(srcdir)/sudoers.pod | sed -e "s/(5)/($$mansectform)/g" -e "s/(8)/($$mansectsu)/g" | perl -p $(srcdir)/sudoers.man.pl >> $@; \ + printf '.\\" DO NOT EDIT THIS FILE, IT IS NOT THE MASTER!\n' > $@; \ + printf '.\\" IT IS GENERATED AUTOMATICALLY FROM sudoers.mdoc.in\n' >> $@; \ + sed -n -e '/^.Dd/q' -e '/^\.\\/p' $(srcdir)/sudoers.mdoc.in >> $@; \ + sed -e 's/^\.Os.*/.Os @PACKAGE_VERSION@/' -e "s/$$mansectsu/8/g" -e "s/$$mansectform/5/g" $(srcdir)/sudoers.mdoc.in | mandoc -Tman | sed -e 's/^\(\.TH "SUDOERS" \)"5"\(.*"\)OpenBSD \(.*\)/\1"'$$mansectsu'"\2\3/' -e "s/(5)/($$mansectform)/g" -e "s/(8)/($$mansectsu)/g" >> $@; \ fi sudoers.man: $(srcdir)/sudoers.man.in (cd $(top_builddir) && $(SHELL) config.status --file=doc/$@) -$(srcdir)/sudoers.cat: varsub $(srcdir)/sudoers.man.in +sudoers.mdoc: $(srcdir)/sudoers.mdoc.in + (cd $(top_builddir) && $(SHELL) config.status --file=doc/$@) + +$(srcdir)/sudoers.cat: varsub $(srcdir)/sudoers.mdoc.in @if [ -n "$(DEVEL)" ]; then \ echo "Generating $@"; \ - sed -f varsub $(srcdir)/sudoers.man.in | $(NROFF) -man > $@; \ + sed -f varsub $(srcdir)/sudoers.mdoc.in | $(NROFF) -mdoc | sed -e 's/ OpenBSD \([^ ].* \)/ \1 /' -e 's/(5)/(4)/g' -e 's/(8)/(1m)/g' > $@; \ fi -$(srcdir)/sudoers.ldap.man.in: $(srcdir)/sudoers.ldap.pod +$(srcdir)/sudoers.ldap.man.in: $(srcdir)/sudoers.ldap.mdoc @if [ -n "$(DEVEL)" ]; then \ echo "Generating $@"; \ mansectsu=`echo @MANSECTSU@|tr A-Z a-z`; \ mansectform=`echo @MANSECTFORM@|tr A-Z a-z`; \ - sed -n -e '/^=pod/q' -e 's/^/.\\" /p' $(srcdir)/sudoers.ldap.pod > $@; \ - pod2man --quotes=none --date="`date '+%B %e, %Y'`" --section=$$mansectform --release=$(VERSION) --center="MAINTENANCE COMMANDS" $(srcdir)/sudoers.ldap.pod | sed -e "s/(5)/($$mansectform)/g" -e "s/(8)/($$mansectsu)/g" -e 's|\\fI\\f\((CW*\)*I@\([^@]*\)\\fI@|\\fI@\2@|g' >> $@; \ + printf '.\\" DO NOT EDIT THIS FILE, IT IS NOT THE MASTER!\n' > $@; \ + printf '.\\" IT IS GENERATED AUTOMATICALLY FROM sudoers.ldap.mdoc.in\n' >> $@; \ + sed -n -e '/^.Dd/q' -e '/^\.\\/p' $(srcdir)/sudoers.ldap.mdoc.in >> $@; \ + sed -e 's/^\.Os.*/.Os @PACKAGE_VERSION@/' -e "s/$$mansectsu/8/g" -e "s/$$mansectform/5/g" $(srcdir)/sudoers.ldap.mdoc.in | mandoc -Tman | sed -e 's/^\(\.TH "SUDOERS.LDAP" \)"5"\(.*"\)OpenBSD \(.*\)/\1"'$$mansectsu'"\2\3/' -e "s/(5)/($$mansectform)/g" -e "s/(8)/($$mansectsu)/g" >> $@; \ fi sudoers.ldap.man: $(srcdir)/sudoers.ldap.man.in (cd $(top_builddir) && $(SHELL) config.status --file=doc/$@) -$(srcdir)/sudoers.ldap.cat: varsub $(srcdir)/sudoers.ldap.man.in +sudoers.ldap.mdoc: $(srcdir)/sudoers.ldap.mdoc.in + (cd $(top_builddir) && $(SHELL) config.status --file=doc/$@) + +$(srcdir)/sudoers.ldap.cat: varsub $(srcdir)/sudoers.ldap.mdoc.in @if [ -n "$(DEVEL)" ]; then \ echo "Generating $@"; \ - sed -f varsub $(srcdir)/sudoers.ldap.man.in | $(NROFF) -man > $@; \ + sed -f varsub $(srcdir)/sudoers.ldap.mdoc.in | $(NROFF) -mdoc | sed -e 's/ OpenBSD \([^ ].* \)/ \1 /' -e 's/(5)/(4)/g' -e 's/(8)/(1m)/g' > $@; \ fi -$(srcdir)/sudoreplay.man.in: $(srcdir)/sudoreplay.pod +$(srcdir)/sudoreplay.man.in: $(srcdir)/sudoreplay.mdoc @if [ -n "$(DEVEL)" ]; then \ echo "Generating $@"; \ mansectsu=`echo @MANSECTSU@|tr A-Z a-z`; \ mansectform=`echo @MANSECTFORM@|tr A-Z a-z`; \ - sed -n -e '/^=pod/q' -e 's/^/.\\" /p' $(srcdir)/sudoreplay.pod > $@; \ - pod2man --quotes=none --date="`date '+%B %e, %Y'`" --section=$$mansectsu --release=$(VERSION) --center="MAINTENANCE COMMANDS" $(srcdir)/sudoreplay.pod | sed -e "s/(5)/($$mansectform)/g" -e "s/(8)/($$mansectsu)/g" -e 's|\\fI\\f\((CW*\)*I@\([^@]*\)\\fI@|\\fI@\2@|g' >> $@; \ + printf '.\\" DO NOT EDIT THIS FILE, IT IS NOT THE MASTER!\n' > $@; \ + printf '.\\" IT IS GENERATED AUTOMATICALLY FROM sudoreplay.mdoc.in\n' >> $@; \ + sed -n -e '/^.Dd/q' -e '/^\.\\/p' $(srcdir)/sudoreplay.mdoc.in >> $@; \ + sed -e 's/^\.Os.*/.Os @PACKAGE_VERSION@/' -e "s/$$mansectsu/8/g" -e "s/$$mansectform/5/g" $(srcdir)/sudoreplay.mdoc.in | mandoc -Tman | sed -e 's/^\(\.TH "SUDOREPLAY" \)"8"\(.*"\)OpenBSD \(.*\)/\1"'$$mansectsu'"\2\3/' -e "s/(5)/($$mansectform)/g" -e "s/(8)/($$mansectsu)/g" >> $@; \ fi sudoreplay.man: $(srcdir)/sudoreplay.man.in (cd $(top_builddir) && $(SHELL) config.status --file=doc/$@) -$(srcdir)/sudoreplay.cat: varsub $(srcdir)/sudoreplay.man.in +sudoreplay.mdoc: $(srcdir)/sudoreplay.mdoc.in + (cd $(top_builddir) && $(SHELL) config.status --file=doc/$@) + +$(srcdir)/sudoreplay.cat: varsub $(srcdir)/sudoreplay.mdoc.in @if [ -n "$(DEVEL)" ]; then \ echo "Generating $@"; \ - sed -f varsub $(srcdir)/sudoreplay.man.in | $(NROFF) -man > $@; \ + sed -f varsub $(srcdir)/sudoreplay.mdoc.in | $(NROFF) -mdoc | sed -e 's/ OpenBSD \([^ ].* \)/ \1 /' -e 's/(5)/(4)/g' -e 's/(8)/(1m)/g' > $@; \ fi -$(srcdir)/sudo_plugin.man.in: $(srcdir)/sudo_plugin.pod +$(srcdir)/sudo_plugin.man.in: $(srcdir)/sudo_plugin.mdoc @if [ -n "$(DEVEL)" ]; then \ echo "Generating $@"; \ mansectsu=`echo @MANSECTSU@|tr A-Z a-z`; \ mansectform=`echo @MANSECTFORM@|tr A-Z a-z`; \ - sed -n -e '/^=pod/q' -e 's/^/.\\" /p' $(srcdir)/sudo_plugin.pod > $@; \ - pod2man --quotes=none --date="`date '+%B %e, %Y'`" --section=$$mansectsu --release=$(VERSION) --center="MAINTENANCE COMMANDS" $(srcdir)/sudo_plugin.pod | sed -e "s/(5)/($$mansectform)/g" -e "s/(8)/($$mansectsu)/g" -e 's|\\fI\\f\((CW*\)*I@\([^@]*\)\\fI@|\\fI@\2@|g' >> $@; \ + printf '.\\" DO NOT EDIT THIS FILE, IT IS NOT THE MASTER!\n' > $@; \ + printf '.\\" IT IS GENERATED AUTOMATICALLY FROM sudo_plugin.mdoc.in\n' >> $@; \ + sed -n -e '/^.Dd/q' -e '/^\.\\/p' $(srcdir)/sudo_plugin.mdoc.in >> $@; \ + sed -e 's/^\.Os.*/.Os @PACKAGE_VERSION@/' -e "s/$$mansectsu/8/g" -e "s/$$mansectform/5/g" $(srcdir)/sudo_plugin.mdoc.in | mandoc -Tman | sed -e 's/^\(\.TH "SUDO_PLUGIN" \)"8"\(.*"\)OpenBSD \(.*\)/\1"'$$mansectsu'"\2\3/' -e "s/(5)/($$mansectform)/g" -e "s/(8)/($$mansectsu)/g" >> $@; \ fi sudo_plugin.man: $(srcdir)/sudo_plugin.man.in (cd $(top_builddir) && $(SHELL) config.status --file=doc/$@) -$(srcdir)/sudo_plugin.cat: varsub $(srcdir)/sudo_plugin.man.in +sudo_plugin.mdoc: $(srcdir)/sudo_plugin.mdoc.in + (cd $(top_builddir) && $(SHELL) config.status --file=doc/$@) + +$(srcdir)/sudo_plugin.cat: varsub $(srcdir)/sudo_plugin.mdoc.in @if [ -n "$(DEVEL)" ]; then \ echo "Generating $@"; \ - sed -f varsub $(srcdir)/sudo_plugin.man.in | $(NROFF) -man > $@; \ + sed -f varsub $(srcdir)/sudo_plugin.mdoc.in | $(NROFF) -mdoc | sed -e 's/ OpenBSD \([^ ].* \)/ \1 /' -e 's/(5)/(4)/g' -e 's/(8)/(1m)/g' > $@; \ fi CONTRIBUTORS: $(srcdir)/contributors.pod diff --git a/doc/sudo.cat b/doc/sudo.cat index 60cd02a9b..c6e69ca0d 100644 --- a/doc/sudo.cat +++ b/doc/sudo.cat @@ -1,627 +1,607 @@ -SUDO(1m) MAINTENANCE COMMANDS SUDO(1m) - - +SUDO(1m) System Manager's Manual SUDO(1m) NNAAMMEE - sudo, sudoedit - execute a command as another user + ssuuddoo, ssuuddooeeddiitt - execute a command as another user SSYYNNOOPPSSIISS - ssuuddoo --hh | --KK | --kk | --VV - - ssuuddoo --vv [--AAkknnSS] [--aa _a_u_t_h___t_y_p_e] [--gg _g_r_o_u_p _n_a_m_e|_#_g_i_d] [--pp _p_r_o_m_p_t] - [--uu _u_s_e_r _n_a_m_e|_#_u_i_d] - - ssuuddoo --ll[[ll]] [--AAkknnSS] [--aa _a_u_t_h___t_y_p_e] [--gg _g_r_o_u_p _n_a_m_e|_#_g_i_d] [--pp _p_r_o_m_p_t] - [--UU _u_s_e_r _n_a_m_e] [--uu _u_s_e_r _n_a_m_e|_#_u_i_d] [_c_o_m_m_a_n_d] - - ssuuddoo [--AAbbEEHHnnPPSS] [--aa _a_u_t_h___t_y_p_e] [--CC _f_d] [--cc _c_l_a_s_s|_-] - [--gg _g_r_o_u_p _n_a_m_e|_#_g_i_d] [--pp _p_r_o_m_p_t] [--rr _r_o_l_e] [--tt _t_y_p_e] - [--uu _u_s_e_r _n_a_m_e|_#_u_i_d] [VVAARR=_v_a_l_u_e] [--ii | --ss] [_c_o_m_m_a_n_d] - - ssuuddooeeddiitt [--AAnnSS] [--aa _a_u_t_h___t_y_p_e] [--CC _f_d] [--cc _c_l_a_s_s|_-] - [--gg _g_r_o_u_p _n_a_m_e|_#_g_i_d] [--pp _p_r_o_m_p_t] [--uu _u_s_e_r _n_a_m_e|_#_u_i_d] file ... + ssuuddoo --hh | --KK | --kk | --VV + ssuuddoo --vv [--AAkknnSS] [--aa _a_u_t_h___t_y_p_e] [--gg _g_r_o_u_p _n_a_m_e | _#_g_i_d] [--pp _p_r_o_m_p_t] + [--uu _u_s_e_r _n_a_m_e | _#_u_i_d] + ssuuddoo --ll[_l] [--AAkknnSS] [--aa _a_u_t_h___t_y_p_e] [--gg _g_r_o_u_p _n_a_m_e | _#_g_i_d] [--pp _p_r_o_m_p_t] + [--UU _u_s_e_r _n_a_m_e] [--uu _u_s_e_r _n_a_m_e | _#_u_i_d] [_c_o_m_m_a_n_d] + ssuuddoo [--AAbbEEHHnnPPSS] [--aa _a_u_t_h___t_y_p_e] [--CC _f_d] [--cc _c_l_a_s_s | _-] + [--gg _g_r_o_u_p _n_a_m_e | _#_g_i_d] [--pp _p_r_o_m_p_t] [--rr _r_o_l_e] [--tt _t_y_p_e] + [--uu _u_s_e_r _n_a_m_e | _#_u_i_d] [VVAARR=_v_a_l_u_e] --ii | --ss [_c_o_m_m_a_n_d] + ssuuddooeeddiitt [--AAnnSS] [--aa _a_u_t_h___t_y_p_e] [--CC _f_d] [--cc _c_l_a_s_s | _-] + [--gg _g_r_o_u_p _n_a_m_e | _#_g_i_d] [--pp _p_r_o_m_p_t] [--uu _u_s_e_r _n_a_m_e | _#_u_i_d] file + ... DDEESSCCRRIIPPTTIIOONN - ssuuddoo allows a permitted user to execute a _c_o_m_m_a_n_d as the superuser or - another user, as specified by the security policy. The real and - effective uid and gid are set to match those of the target user, as - specified in the password database, and the group vector is initialized - based on the group database (unless the --PP option was specified). + ssuuddoo allows a permitted user to execute a _c_o_m_m_a_n_d as the superuser or + another user, as specified by the security policy. The real and + effective uid and gid are set to match those of the target user, as + specified in the password database, and the group vector is initialized + based on the group database (unless the --PP option was specified). - ssuuddoo supports a plugin architecture for security policies and - input/output logging. Third parties can develop and distribute their - own policy and I/O logging modules to work seamlessly with the ssuuddoo - front end. The default security policy is _s_u_d_o_e_r_s, which is configured - via the file _/_e_t_c_/_s_u_d_o_e_r_s, or via LDAP. See the PLUGINS section for - more information. + ssuuddoo supports a plugin architecture for security policies and + input/output logging. Third parties can develop and distribute their own + policy and I/O logging modules to work seamlessly with the ssuuddoo front + end. The default security policy is _s_u_d_o_e_r_s, which is configured via the + file _/_e_t_c_/_s_u_d_o_e_r_s, or via LDAP. See the _P_L_U_G_I_N_S section for more + information. - The security policy determines what privileges, if any, a user has to - run ssuuddoo. The policy may require that users authenticate themselves - with a password or another authentication mechanism. If authentication - is required, ssuuddoo will exit if the user's password is not entered - within a configurable time limit. This limit is policy-specific; the - default password prompt timeout for the _s_u_d_o_e_r_s security policy is 5 - minutes. + The security policy determines what privileges, if any, a user has to run + ssuuddoo. The policy may require that users authenticate themselves with a + password or another authentication mechanism. If authentication is + required, ssuuddoo will exit if the user's password is not entered within a + configurable time limit. This limit is policy-specific; the default + password prompt timeout for the _s_u_d_o_e_r_s security policy is 5 minutes. - Security policies may support credential caching to allow the user to - run ssuuddoo again for a period of time without requiring authentication. - The _s_u_d_o_e_r_s policy caches credentials for 5 minutes, unless overridden - in _s_u_d_o_e_r_s(4). By running ssuuddoo with the --vv option, a user can update - the cached credentials without running a _c_o_m_m_a_n_d. + Security policies may support credential caching to allow the user to run + ssuuddoo again for a period of time without requiring authentication. The + _s_u_d_o_e_r_s policy caches credentials for 5 minutes, unless overridden in + sudoers(4). By running ssuuddoo with the --vv option, a user can update the + cached credentials without running a _c_o_m_m_a_n_d. - When invoked as ssuuddooeeddiitt, the --ee option (described below), is implied. + When invoked as ssuuddooeeddiitt, the --ee option (described below), is implied. - Security policies may log successful and failed attempts to use ssuuddoo. - If an I/O plugin is configured, the running command's input and output - may be logged as well. + Security policies may log successful and failed attempts to use ssuuddoo. If + an I/O plugin is configured, the running command's input and output may + be logged as well. OOPPTTIIOONNSS - ssuuddoo accepts the following command line options: + ssuuddoo accepts the following command line options: - -A Normally, if ssuuddoo requires a password, it will read it from - the user's terminal. If the --AA (_a_s_k_p_a_s_s) option is - specified, a (possibly graphical) helper program is - executed to read the user's password and output the - password to the standard output. If the SUDO_ASKPASS - environment variable is set, it specifies the path to the - helper program. Otherwise, if _/_e_t_c_/_s_u_d_o_._c_o_n_f contains a - line specifying the askpass program, that value will be - used. For example: + --AA Normally, if ssuuddoo requires a password, it will read it from + the user's terminal. If the --AA (_a_s_k_p_a_s_s) option is + specified, a (possibly graphical) helper program is executed + to read the user's password and output the password to the + standard output. If the SUDO_ASKPASS environment variable is + set, it specifies the path to the helper program. Otherwise, + if _/_e_t_c_/_s_u_d_o_._c_o_n_f contains a line specifying the askpass + program, that value will be used. For example: - # Path to askpass helper program - Path askpass /usr/X11R6/bin/ssh-askpass + # Path to askpass helper program + Path askpass /usr/X11R6/bin/ssh-askpass - If no askpass program is available, sudo will exit with an - error. + If no askpass program is available, ssuuddoo will exit with an + error. - -a _t_y_p_e The --aa (_a_u_t_h_e_n_t_i_c_a_t_i_o_n _t_y_p_e) option causes ssuuddoo to use the - specified authentication type when validating the user, as - allowed by _/_e_t_c_/_l_o_g_i_n_._c_o_n_f. The system administrator may - specify a list of sudo-specific authentication methods by - adding an "auth-sudo" entry in _/_e_t_c_/_l_o_g_i_n_._c_o_n_f. This - option is only available on systems that support BSD - authentication. + --aa _t_y_p_e The --aa (_a_u_t_h_e_n_t_i_c_a_t_i_o_n _t_y_p_e) option causes ssuuddoo to use the + specified authentication type when validating the user, as + allowed by _/_e_t_c_/_l_o_g_i_n_._c_o_n_f. The system administrator may + specify a list of sudo-specific authentication methods by + adding an ``auth-sudo'' entry in _/_e_t_c_/_l_o_g_i_n_._c_o_n_f. This + option is only available on systems that support BSD + authentication. - -b The --bb (_b_a_c_k_g_r_o_u_n_d) option tells ssuuddoo to run the given - command in the background. Note that if you use the --bb - option you cannot use shell job control to manipulate the - process. Most interactive commands will fail to work - properly in background mode. + --bb The --bb (_b_a_c_k_g_r_o_u_n_d) option tells ssuuddoo to run the given + command in the background. Note that if you use the --bb + option you cannot use shell job control to manipulate the + process. Most interactive commands will fail to work + properly in background mode. - -C _f_d Normally, ssuuddoo will close all open file descriptors other - than standard input, standard output and standard error. - The --CC (_c_l_o_s_e _f_r_o_m) option allows the user to specify a - starting point above the standard error (file descriptor - three). Values less than three are not permitted. The - security policy may restrict the user's ability to use the - --CC option. The _s_u_d_o_e_r_s policy only permits use of the --CC - option when the administrator has enabled the - _c_l_o_s_e_f_r_o_m___o_v_e_r_r_i_d_e option. + --CC _f_d Normally, ssuuddoo will close all open file descriptors other + than standard input, standard output and standard error. The + --CC (_c_l_o_s_e _f_r_o_m) option allows the user to specify a starting + point above the standard error (file descriptor three). + Values less than three are not permitted. The security + policy may restrict the user's ability to use the --CC option. + The _s_u_d_o_e_r_s policy only permits use of the --CC option when the + administrator has enabled the _c_l_o_s_e_f_r_o_m___o_v_e_r_r_i_d_e option. - -c _c_l_a_s_s The --cc (_c_l_a_s_s) option causes ssuuddoo to run the specified - command with resources limited by the specified login - class. The _c_l_a_s_s argument can be either a class name as - defined in _/_e_t_c_/_l_o_g_i_n_._c_o_n_f, or a single '-' character. - Specifying a _c_l_a_s_s of - indicates that the command should - be run restricted by the default login capabilities for the - user the command is run as. If the _c_l_a_s_s argument - specifies an existing user class, the command must be run - as root, or the ssuuddoo command must be run from a shell that - is already root. This option is only available on systems - with BSD login classes. + --cc _c_l_a_s_s The --cc (_c_l_a_s_s) option causes ssuuddoo to run the specified + command with resources limited by the specified login class. + The _c_l_a_s_s argument can be either a class name as defined in + _/_e_t_c_/_l_o_g_i_n_._c_o_n_f, or a single `-' character. Specifying a + _c_l_a_s_s of - indicates that the command should be run + restricted by the default login capabilities for the user the + command is run as. If the _c_l_a_s_s argument specifies an + existing user class, the command must be run as root, or the + ssuuddoo command must be run from a shell that is already root. + This option is only available on systems with BSD login + classes. - -E The --EE (_p_r_e_s_e_r_v_e _e_n_v_i_r_o_n_m_e_n_t) option indicates to the - security policy that the user wishes to preserve their - existing environment variables. The security policy may - return an error if the --EE option is specified and the user - does not have permission to preserve the environment. + --EE The --EE (_p_r_e_s_e_r_v_e _e_n_v_i_r_o_n_m_e_n_t) option indicates to the + security policy that the user wishes to preserve their + existing environment variables. The security policy may + return an error if the --EE option is specified and the user + does not have permission to preserve the environment. - -e The --ee (_e_d_i_t) option indicates that, instead of running a - command, the user wishes to edit one or more files. In - lieu of a command, the string "sudoedit" is used when - consulting the security policy. If the user is authorized - by the policy, the following steps are taken: + --ee The --ee (_e_d_i_t) option indicates that, instead of running a + command, the user wishes to edit one or more files. In lieu + of a command, the string "sudoedit" is used when consulting + the security policy. If the user is authorized by the + policy, the following steps are taken: - 1. Temporary copies are made of the files to be edited + 1. Temporary copies are made of the files to be edited with the owner set to the invoking user. - 2. The editor specified by the policy is run to edit the + 2. The editor specified by the policy is run to edit the temporary files. The _s_u_d_o_e_r_s policy uses the SUDO_EDITOR, VISUAL and EDITOR environment variables (in that order). If none of SUDO_EDITOR, VISUAL or EDITOR are set, the first program listed in the _e_d_i_t_o_r - _s_u_d_o_e_r_s(4) option is used. + sudoers(4) option is used. - 3. If they have been modified, the temporary files are + 3. If they have been modified, the temporary files are copied back to their original location and the temporary versions are removed. - If the specified file does not exist, it will be created. - Note that unlike most commands run by ssuuddoo, the editor is - run with the invoking user's environment unmodified. If, - for some reason, ssuuddoo is unable to update a file with its - edited version, the user will receive a warning and the - edited copy will remain in a temporary file. + If the specified file does not exist, it will be created. + Note that unlike most commands run by _s_u_d_o, the editor is run + with the invoking user's environment unmodified. If, for + some reason, ssuuddoo is unable to update a file with its edited + version, the user will receive a warning and the edited copy + will remain in a temporary file. - -g _g_r_o_u_p Normally, ssuuddoo runs a command with the primary group set to - the one specified by the password database for the user the - command is being run as (by default, root). The --gg (_g_r_o_u_p) - option causes ssuuddoo to run the command with the primary - group set to _g_r_o_u_p instead. To specify a _g_i_d instead of a - _g_r_o_u_p _n_a_m_e, use _#_g_i_d. When running commands as a _g_i_d, many - shells require that the '#' be escaped with a backslash - ('\'). If no --uu option is specified, the command will be - run as the invoking user (not root). In either case, the - primary group will be set to _g_r_o_u_p. + --gg _g_r_o_u_p Normally, ssuuddoo runs a command with the primary group set to + the one specified by the password database for the user the + command is being run as (by default, root). The --gg (_g_r_o_u_p) + option causes ssuuddoo to run the command with the primary group + set to _g_r_o_u_p instead. To specify a _g_i_d instead of a _g_r_o_u_p + _n_a_m_e, use _#_g_i_d. When running commands as a _g_i_d, many shells + require that the `#' be escaped with a backslash (`\'). If + no --uu option is specified, the command will be run as the + invoking user (not root). In either case, the primary group + will be set to _g_r_o_u_p. - -H The --HH (_H_O_M_E) option requests that the security policy set - the HOME environment variable to the home directory of the - target user (root by default) as specified by the password - database. Depending on the policy, this may be the default - behavior. + --HH The --HH (_H_O_M_E) option requests that the security policy set + the HOME environment variable to the home directory of the + target user (root by default) as specified by the password + database. Depending on the policy, this may be the default + behavior. - -h The --hh (_h_e_l_p) option causes ssuuddoo to print a short help - message to the standard output and exit. + --hh The --hh (_h_e_l_p) option causes ssuuddoo to print a short help + message to the standard output and exit. - -i [command] - The --ii (_s_i_m_u_l_a_t_e _i_n_i_t_i_a_l _l_o_g_i_n) option runs the shell - specified by the password database entry of the target user - as a login shell. This means that login-specific resource - files such as .profile or .login will be read by the shell. - If a command is specified, it is passed to the shell for - execution via the shell's --cc option. If no command is - specified, an interactive shell is executed. ssuuddoo attempts - to change to that user's home directory before running the - shell. The security policy shall initialize the - environment to a minimal set of variables, similar to what - is present when a user logs in. The _C_o_m_m_a_n_d _E_n_v_i_r_o_n_m_e_n_t - section in the _s_u_d_o_e_r_s(4) manual documents how the --ii - option affects the environment in which a command is run - when the _s_u_d_o_e_r_s policy is in use. + --ii [_c_o_m_m_a_n_d] + The --ii (_s_i_m_u_l_a_t_e _i_n_i_t_i_a_l _l_o_g_i_n) option runs the shell + specified by the password database entry of the target user + as a login shell. This means that login-specific resource + files such as _._p_r_o_f_i_l_e or _._l_o_g_i_n will be read by the shell. + If a command is specified, it is passed to the shell for + execution via the shell's --cc option. If no command is + specified, an interactive shell is executed. ssuuddoo attempts + to change to that user's home directory before running the + shell. The security policy shall initialize the environment + to a minimal set of variables, similar to what is present + when a user logs in. The _C_o_m_m_a_n_d _E_n_v_i_r_o_n_m_e_n_t section in the + sudoers(4) manual documents how the --ii option affects the + environment in which a command is run when the _s_u_d_o_e_r_s policy + is in use. - -K The --KK (sure _k_i_l_l) option is like --kk except that it removes - the user's cached credentials entirely and may not be used - in conjunction with a command or other option. This option - does not require a password. Not all security policies - support credential caching. + --KK The --KK (sure _k_i_l_l) option is like --kk except that it removes + the user's cached credentials entirely and may not be used in + conjunction with a command or other option. This option does + not require a password. Not all security policies support + credential caching. - -k [command] - When used alone, the --kk (_k_i_l_l) option to ssuuddoo invalidates - the user's cached credentials. The next time ssuuddoo is run a - password will be required. This option does not require a - password and was added to allow a user to revoke ssuuddoo - permissions from a .logout file. Not all security policies - support credential caching. + --kk [_c_o_m_m_a_n_d] + When used alone, the --kk (_k_i_l_l) option to ssuuddoo invalidates the + user's cached credentials. The next time ssuuddoo is run a + password will be required. This option does not require a + password and was added to allow a user to revoke ssuuddoo + permissions from a _._l_o_g_o_u_t file. Not all security policies + support credential caching. - When used in conjunction with a command or an option that - may require a password, the --kk option will cause ssuuddoo to - ignore the user's cached credentials. As a result, ssuuddoo - will prompt for a password (if one is required by the - security policy) and will not update the user's cached - credentials. + When used in conjunction with a command or an option that may + require a password, the --kk option will cause ssuuddoo to ignore + the user's cached credentials. As a result, ssuuddoo will prompt + for a password (if one is required by the security policy) + and will not update the user's cached credentials. - -l[l] [_c_o_m_m_a_n_d] - If no _c_o_m_m_a_n_d is specified, the --ll (_l_i_s_t) option will list - the allowed (and forbidden) commands for the invoking user - (or the user specified by the --UU option) on the current - host. If a _c_o_m_m_a_n_d is specified and is permitted by the - security policy, the fully-qualified path to the command is - displayed along with any command line arguments. If - _c_o_m_m_a_n_d is specified but not allowed, ssuuddoo will exit with a - status value of 1. If the --ll option is specified with an ll - argument (i.e. --llll), or if --ll is specified multiple times, - a longer list format is used. + --ll[ll] [_c_o_m_m_a_n_d] + If no _c_o_m_m_a_n_d is specified, the --ll (_l_i_s_t) option will list + the allowed (and forbidden) commands for the invoking user + (or the user specified by the --UU option) on the current host. + If a _c_o_m_m_a_n_d is specified and is permitted by the security + policy, the fully-qualified path to the command is displayed + along with any command line arguments. If _c_o_m_m_a_n_d is + specified but not allowed, ssuuddoo will exit with a status value + of 1. If the --ll option is specified with an _l argument (i.e. + --llll), or if --ll is specified multiple times, a longer list + format is used. - -n The --nn (_n_o_n_-_i_n_t_e_r_a_c_t_i_v_e) option prevents ssuuddoo from - prompting the user for a password. If a password is - required for the command to run, ssuuddoo will display an error - message and exit. + --nn The --nn (_n_o_n_-_i_n_t_e_r_a_c_t_i_v_e) option prevents ssuuddoo from prompting + the user for a password. If a password is required for the + command to run, ssuuddoo will display an error message and exit. - -P The --PP (_p_r_e_s_e_r_v_e _g_r_o_u_p _v_e_c_t_o_r) option causes ssuuddoo to - preserve the invoking user's group vector unaltered. By - default, the _s_u_d_o_e_r_s policy will initialize the group - vector to the list of groups the target user is in. The - real and effective group IDs, however, are still set to - match the target user. + --PP The --PP (_p_r_e_s_e_r_v_e _g_r_o_u_p _v_e_c_t_o_r) option causes ssuuddoo to preserve + the invoking user's group vector unaltered. By default, the + _s_u_d_o_e_r_s policy will initialize the group vector to the list + of groups the target user is in. The real and effective + group IDs, however, are still set to match the target user. - -p _p_r_o_m_p_t The --pp (_p_r_o_m_p_t) option allows you to override the default - password prompt and use a custom one. The following - percent (`%') escapes are supported by the _s_u_d_o_e_r_s policy: + --pp _p_r_o_m_p_t The --pp (_p_r_o_m_p_t) option allows you to override the default + password prompt and use a custom one. The following percent + (`%') escapes are supported by the _s_u_d_o_e_r_s policy: - %H expanded to the host name including the domain name (on - if the machine's host name is fully qualified or the - _f_q_d_n option is set in _s_u_d_o_e_r_s(4)) + %H expanded to the host name including the domain name (on + if the machine's host name is fully qualified or the _f_q_d_n + option is set in sudoers(4)) - %h expanded to the local host name without the domain name + %h expanded to the local host name without the domain name - %p expanded to the name of the user whose password is - being requested (respects the _r_o_o_t_p_w, _t_a_r_g_e_t_p_w and - _r_u_n_a_s_p_w flags in _s_u_d_o_e_r_s(4)) + %p expanded to the name of the user whose password is being + requested (respects the _r_o_o_t_p_w, _t_a_r_g_e_t_p_w, and _r_u_n_a_s_p_w + flags in sudoers(4)) - %U expanded to the login name of the user the command will - be run as (defaults to root unless the --uu option is - also specified) + %U expanded to the login name of the user the command will + be run as (defaults to root unless the --uu option is also + specified) - %u expanded to the invoking user's login name + %u expanded to the invoking user's login name - %% two consecutive % characters are collapsed into a - single % character + %% two consecutive % characters are collapsed into a single + % character - The prompt specified by the --pp option will override the - system password prompt on systems that support PAM unless - the _p_a_s_s_p_r_o_m_p_t___o_v_e_r_r_i_d_e flag is disabled in _s_u_d_o_e_r_s. + The prompt specified by the --pp option will override the + system password prompt on systems that support PAM unless the + _p_a_s_s_p_r_o_m_p_t___o_v_e_r_r_i_d_e flag is disabled in _s_u_d_o_e_r_s. - -r _r_o_l_e The --rr (_r_o_l_e) option causes the new (SELinux) security - context to have the role specified by _r_o_l_e. + --rr _r_o_l_e The --rr (_r_o_l_e) option causes the new (SELinux) security + context to have the role specified by _r_o_l_e. - -S The --SS (_s_t_d_i_n) option causes ssuuddoo to read the password from - the standard input instead of the terminal device. The - password must be followed by a newline character. + --SS The --SS (_s_t_d_i_n) option causes ssuuddoo to read the password from + the standard input instead of the terminal device. The + password must be followed by a newline character. - -s [command] - The --ss (_s_h_e_l_l) option runs the shell specified by the _S_H_E_L_L - environment variable if it is set or the shell as specified - in the password database. If a command is specified, it is - passed to the shell for execution via the shell's --cc - option. If no command is specified, an interactive shell - is executed. + --ss [_c_o_m_m_a_n_d] + The --ss (_s_h_e_l_l) option runs the shell specified by the SHELL + environment variable if it is set or the shell as specified + in the password database. If a command is specified, it is + passed to the shell for execution via the shell's --cc option. + If no command is specified, an interactive shell is executed. - -t _t_y_p_e The --tt (_t_y_p_e) option causes the new (SELinux) security - context to have the type specified by _t_y_p_e. If no type is - specified, the default type is derived from the specified - role. + --tt _t_y_p_e The --tt (_t_y_p_e) option causes the new (SELinux) security + context to have the type specified by _t_y_p_e. If no type is + specified, the default type is derived from the specified + role. - -U _u_s_e_r The --UU (_o_t_h_e_r _u_s_e_r) option is used in conjunction with the - --ll option to specify the user whose privileges should be - listed. The security policy may restrict listing other - users' privileges. The _s_u_d_o_e_r_s policy only allows root or - a user with the ALL privilege on the current host to use - this option. + --UU _u_s_e_r The --UU (_o_t_h_e_r _u_s_e_r) option is used in conjunction with the --ll + option to specify the user whose privileges should be listed. + The security policy may restrict listing other users' + privileges. The _s_u_d_o_e_r_s policy only allows root or a user + with the ALL privilege on the current host to use this + option. - -u _u_s_e_r The --uu (_u_s_e_r) option causes ssuuddoo to run the specified - command as a user other than _r_o_o_t. To specify a _u_i_d - instead of a _u_s_e_r _n_a_m_e, use _#_u_i_d. When running commands as - a _u_i_d, many shells require that the '#' be escaped with a - backslash ('\'). Security policies may restrict _u_i_ds to - those listed in the password database. The _s_u_d_o_e_r_s policy - allows _u_i_ds that are not in the password database as long - as the _t_a_r_g_e_t_p_w option is not set. Other security policies - may not support this. + --uu _u_s_e_r The --uu (_u_s_e_r) option causes ssuuddoo to run the specified command + as a user other than _r_o_o_t. To specify a _u_i_d instead of a + _u_s_e_r _n_a_m_e, _#_u_i_d. When running commands as a _u_i_d, many shells + require that the `#' be escaped with a backslash (`\'). + Security policies may restrict _u_i_ds to those listed in the + password database. The _s_u_d_o_e_r_s policy allows _u_i_ds that are + not in the password database as long as the _t_a_r_g_e_t_p_w option + is not set. Other security policies may not support this. - -V The --VV (_v_e_r_s_i_o_n) option causes ssuuddoo to print its version - string and the version string of the security policy plugin - and any I/O plugins. If the invoking user is already root - the --VV option will display the arguments passed to - configure when ssuuddoo was built and plugins may display more - verbose information such as default options. + --VV The --VV (_v_e_r_s_i_o_n) option causes ssuuddoo to print its version + string and the version string of the security policy plugin + and any I/O plugins. If the invoking user is already root + the --VV option will display the arguments passed to configure + when ssuuddoo was built and plugins may display more verbose + information such as default options. - -v When given the --vv (_v_a_l_i_d_a_t_e) option, ssuuddoo will update the - user's cached credentials, authenticating the user's - password if necessary. For the _s_u_d_o_e_r_s plugin, this - extends the ssuuddoo timeout for another 5 minutes (or whatever - the timeout is set to by the security policy) but does not - run a command. Not all security policies support cached - credentials. + --vv When given the --vv (_v_a_l_i_d_a_t_e) option, ssuuddoo will update the + user's cached credentials, authenticating the user's password + if necessary. For the _s_u_d_o_e_r_s plugin, this extends the ssuuddoo + timeout for another 5 minutes (or whatever the timeout is set + to by the security policy) but does not run a command. Not + all security policies support cached credentials. - -- The ---- option indicates that ssuuddoo should stop processing - command line arguments. + ---- The ---- option indicates that ssuuddoo should stop processing + command line arguments. - Environment variables to be set for the command may also be passed on - the command line in the form of VVAARR=_v_a_l_u_e, e.g. - LLDD__LLIIBBRRAARRYY__PPAATTHH=_/_u_s_r_/_l_o_c_a_l_/_p_k_g_/_l_i_b. Variables passed on the command - line are subject to the same restrictions as normal environment - variables with one important exception. If the _s_e_t_e_n_v option is set in - _s_u_d_o_e_r_s, the command to be run has the SETENV tag set or the command - matched is ALL, the user may set variables that would otherwise be - forbidden. See _s_u_d_o_e_r_s(4) for more information. + Environment variables to be set for the command may also be passed on the + command line in the form of VVAARR=_v_a_l_u_e, e.g. + LLDD__LLIIBBRRAARRYY__PPAATTHH=_/_u_s_r_/_l_o_c_a_l_/_p_k_g_/_l_i_b. Variables passed on the command line + are subject to the same restrictions as normal environment variables with + one important exception. If the _s_e_t_e_n_v option is set in _s_u_d_o_e_r_s, the + command to be run has the SETENV tag set or the command matched is ALL, + the user may set variables that would otherwise be forbidden. See + sudoers(4) for more information. PPLLUUGGIINNSS - Plugins are dynamically loaded based on the contents of the - _/_e_t_c_/_s_u_d_o_._c_o_n_f file. If no _/_e_t_c_/_s_u_d_o_._c_o_n_f file is present, or it - contains no Plugin lines, ssuuddoo will use the traditional _s_u_d_o_e_r_s - security policy and I/O logging, which corresponds to the following - _/_e_t_c_/_s_u_d_o_._c_o_n_f file. + Plugins are dynamically loaded based on the contents of the + _/_e_t_c_/_s_u_d_o_._c_o_n_f file. If no _/_e_t_c_/_s_u_d_o_._c_o_n_f file is present, or it + contains no Plugin lines, ssuuddoo will use the traditional _s_u_d_o_e_r_s security + policy and I/O logging, which corresponds to the following _/_e_t_c_/_s_u_d_o_._c_o_n_f + file. - # - # Default /etc/sudo.conf file - # - # Format: - # Plugin plugin_name plugin_path plugin_options ... - # Path askpass /path/to/askpass - # Path noexec /path/to/sudo_noexec.so - # Debug sudo /var/log/sudo_debug all@warn - # Set disable_coredump true - # - # The plugin_path is relative to /usr/local/libexec unless - # fully qualified. - # The plugin_name corresponds to a global symbol in the plugin - # that contains the plugin interface structure. - # The plugin_options are optional. - # - Plugin policy_plugin sudoers.so - Plugin io_plugin sudoers.so + # + # Default /etc/sudo.conf file + # + # Format: + # Plugin plugin_name plugin_path plugin_options ... + # Path askpass /path/to/askpass + # Path noexec /path/to/sudo_noexec.so + # Debug sudo /var/log/sudo_debug all@warn + # Set disable_coredump true + # + # The plugin_path is relative to /usr/local/libexec unless + # fully qualified. + # The plugin_name corresponds to a global symbol in the plugin + # that contains the plugin interface structure. + # The plugin_options are optional. + # + Plugin policy_plugin sudoers.so + Plugin io_plugin sudoers.so - A Plugin line consists of the Plugin keyword, followed by the - _s_y_m_b_o_l___n_a_m_e and the _p_a_t_h to the shared object containing the plugin. - The _s_y_m_b_o_l___n_a_m_e is the name of the struct policy_plugin or struct - io_plugin in the plugin shared object. The _p_a_t_h may be fully qualified - or relative. If not fully qualified it is relative to the - _/_u_s_r_/_l_o_c_a_l_/_l_i_b_e_x_e_c directory. Any additional parameters after the _p_a_t_h - are passed as arguments to the plugin's _o_p_e_n function. Lines that - don't begin with Plugin, Path, Debug or Set are silently ignored. + A Plugin line consists of the Plugin keyword, followed by the _s_y_m_b_o_l___n_a_m_e + and the _p_a_t_h to the shared object containing the plugin. The _s_y_m_b_o_l___n_a_m_e + is the name of the struct policy_plugin or struct io_plugin in the plugin + shared object. The _p_a_t_h may be fully qualified or relative. If not + fully qualified it is relative to the _/_u_s_r_/_l_o_c_a_l_/_l_i_b_e_x_e_c directory. Any + additional parameters after the _p_a_t_h are passed as arguments to the + plugin's _o_p_e_n function. Lines that don't begin with Plugin, Path, Debug, + or Set are silently ignored. - For more information, see the _s_u_d_o___p_l_u_g_i_n(1m) manual. + For more information, see the sudo_plugin(1m) manual. PPAATTHHSS - A Path line consists of the Path keyword, followed by the name of the - path to set and its value. E.g. + A Path line consists of the Path keyword, followed by the name of the + path to set and its value. E.g. - Path noexec /usr/local/libexec/sudo_noexec.so - Path askpass /usr/X11R6/bin/ssh-askpass + Path noexec /usr/local/libexec/sudo_noexec.so + Path askpass /usr/X11R6/bin/ssh-askpass - The following plugin-agnostic paths may be set in the _/_e_t_c_/_s_u_d_o_._c_o_n_f - file. + The following plugin-agnostic paths may be set in the _/_e_t_c_/_s_u_d_o_._c_o_n_f + file: - askpass The fully qualified path to a helper program used to - read the user's password when no terminal is available. - This may be the case when ssuuddoo is executed from a - graphical (as opposed to text-based) application. The - program specified by _a_s_k_p_a_s_s should display the - argument passed to it as the prompt and write the - user's password to the standard output. The value of - _a_s_k_p_a_s_s may be overridden by the SUDO_ASKPASS - environment variable. + askpass The fully qualified path to a helper program used to read the + user's password when no terminal is available. This may be the + case when ssuuddoo is executed from a graphical (as opposed to + text-based) application. The program specified by _a_s_k_p_a_s_s + should display the argument passed to it as the prompt and + write the user's password to the standard output. The value of + _a_s_k_p_a_s_s may be overridden by the SUDO_ASKPASS environment + variable. - noexec The fully-qualified path to a shared library containing - dummy versions of the _e_x_e_c_v_(_), _e_x_e_c_v_e_(_) and _f_e_x_e_c_v_e_(_) - library functions that just return an error. This is - used to implement the _n_o_e_x_e_c functionality on systems - that support LD_PRELOAD or its equivalent. Defaults to - _/_u_s_r_/_l_o_c_a_l_/_l_i_b_e_x_e_c_/_s_u_d_o___n_o_e_x_e_c_._s_o. + noexec The fully-qualified path to a shared library containing dummy + versions of the eexxeeccvv(), eexxeeccvvee() and ffeexxeeccvvee() library + functions that just return an error. This is used to implement + the _n_o_e_x_e_c functionality on systems that support LD_PRELOAD or + its equivalent. Defaults to _/_u_s_r_/_l_o_c_a_l_/_l_i_b_e_x_e_c_/_s_u_d_o___n_o_e_x_e_c_._s_o. DDEEBBUUGG FFLLAAGGSS - ssuuddoo versions 1.8.4 and higher support a flexible debugging framework - that can help track down what ssuuddoo is doing internally if there is a - problem. + ssuuddoo versions 1.8.4 and higher support a flexible debugging framework + that can help track down what ssuuddoo is doing internally if there is a + problem. - A Debug line consists of the Debug keyword, followed by the name of the - program to debug (ssuuddoo, vviissuuddoo, ssuuddoorreeppllaayy), the debug file name and a - comma-separated list of debug flags. The debug flag syntax used by - ssuuddoo and the _s_u_d_o_e_r_s plugin is _s_u_b_s_y_s_t_e_m@_p_r_i_o_r_i_t_y but the plugin is - free to use a different format so long as it does not include a comma - (`,'). + A Debug line consists of the Debug keyword, followed by the name of the + program to debug (ssuuddoo, vviissuuddoo, ssuuddoorreeppllaayy), the debug file name and a + comma-separated list of debug flags. The debug flag syntax used by ssuuddoo + and the _s_u_d_o_e_r_s plugin is _s_u_b_s_y_s_t_e_m@_p_r_i_o_r_i_t_y but the plugin is free to + use a different format so long as it does not include a comma (`,'). - For instance: + For instance: - Debug sudo /var/log/sudo_debug all@warn,plugin@info + Debug sudo /var/log/sudo_debug all@warn,plugin@info - would log all debugging statements at the _w_a_r_n level and higher in - addition to those at the _i_n_f_o level for the plugin subsystem. + would log all debugging statements at the _w_a_r_n level and higher in + addition to those at the _i_n_f_o level for the plugin subsystem. - Currently, only one Debug entry per program is supported. The sudo - Debug entry is shared by the ssuuddoo front end, ssuuddooeeddiitt and the plugins. - A future release may add support for per-plugin Debug lines and/or - support for multiple debugging files for a single program. + Currently, only one Debug entry per program is supported. The ssuuddoo Debug + entry is shared by the ssuuddoo front end, ssuuddooeeddiitt and the plugins. A + future release may add support for per-plugin Debug lines and/or support + for multiple debugging files for a single program. - The priorities used by the ssuuddoo front end, in order of decreasing - severity, are: _c_r_i_t, _e_r_r, _w_a_r_n, _n_o_t_i_c_e, _d_i_a_g, _i_n_f_o, _t_r_a_c_e and _d_e_b_u_g. - Each priority, when specified, also includes all priorities higher than - it. For example, a priority of _n_o_t_i_c_e would include debug messages - logged at _n_o_t_i_c_e and higher. + The priorities used by the ssuuddoo front end, in order of decreasing + severity, are: _c_r_i_t, _e_r_r, _w_a_r_n, _n_o_t_i_c_e, _d_i_a_g, _i_n_f_o, _t_r_a_c_e and _d_e_b_u_g. + Each priority, when specified, also includes all priorities higher than + it. For example, a priority of _n_o_t_i_c_e would include debug messages + logged at _n_o_t_i_c_e and higher. - The following subsystems are used by ssuuddoo: + The following subsystems are used by the ssuuddoo front-end: - _a_l_l matches every subsystem + _a_l_l matches every subsystem - _a_r_g_s command line argument processing + _a_r_g_s command line argument processing - _c_o_n_v user conversation + _c_o_n_v user conversation - _e_d_i_t sudoedit + _e_d_i_t sudoedit - _e_x_e_c command execution + _e_x_e_c command execution - _m_a_i_n ssuuddoo main function + _m_a_i_n ssuuddoo main function - _n_e_t_i_f network interface handling + _n_e_t_i_f network interface handling - _p_c_o_m_m communication with the plugin + _p_c_o_m_m communication with the plugin - _p_l_u_g_i_n plugin configuration + _p_l_u_g_i_n plugin configuration - _p_t_y pseudo-tty related code + _p_t_y pseudo-tty related code - _s_e_l_i_n_u_x SELinux-specific handling + _s_e_l_i_n_u_x SELinux-specific handling - _u_t_i_l utility functions + _u_t_i_l utility functions - _u_t_m_p utmp handling + _u_t_m_p utmp handling EEXXIITT VVAALLUUEE - Upon successful execution of a program, the exit status from ssuuddoo will - simply be the exit status of the program that was executed. + Upon successful execution of a program, the exit status from _s_u_d_o will + simply be the exit status of the program that was executed. - Otherwise, ssuuddoo exits with a value of 1 if there is a - configuration/permission problem or if ssuuddoo cannot execute the given - command. In the latter case the error string is printed to the - standard error. If ssuuddoo cannot _s_t_a_t(2) one or more entries in the - user's PATH, an error is printed on stderr. (If the directory does not - exist or if it is not really a directory, the entry is ignored and no - error is printed.) This should not happen under normal circumstances. - The most common reason for _s_t_a_t(2) to return "permission denied" is if - you are running an automounter and one of the directories in your PATH - is on a machine that is currently unreachable. + Otherwise, ssuuddoo exits with a value of 1 if there is a + configuration/permission problem or if ssuuddoo cannot execute the given + command. In the latter case the error string is printed to the standard + error. If ssuuddoo cannot stat(2) one or more entries in the user's PATH, an + error is printed on stderr. (If the directory does not exist or if it is + not really a directory, the entry is ignored and no error is printed.) + This should not happen under normal circumstances. The most common + reason for stat(2) to return ``permission denied'' is if you are running + an automounter and one of the directories in your PATH is on a machine + that is currently unreachable. SSEECCUURRIITTYY NNOOTTEESS - ssuuddoo tries to be safe when executing external commands. + ssuuddoo tries to be safe when executing external commands. - To prevent command spoofing, ssuuddoo checks "." and "" (both denoting - current directory) last when searching for a command in the user's PATH - (if one or both are in the PATH). Note, however, that the actual PATH - environment variable is _n_o_t modified and is passed unchanged to the - program that ssuuddoo executes. + To prevent command spoofing, ssuuddoo checks "." and "" (both denoting + current directory) last when searching for a command in the user's PATH + (if one or both are in the PATH). Note, however, that the actual PATH + environment variable is _n_o_t modified and is passed unchanged to the + program that ssuuddoo executes. - Please note that ssuuddoo will normally only log the command it explicitly - runs. If a user runs a command such as sudo su or sudo sh, subsequent - commands run from that shell are not subject to ssuuddoo's security policy. - The same is true for commands that offer shell escapes (including most - editors). If I/O logging is enabled, subsequent commands will have - their input and/or output logged, but there will not be traditional - logs for those commands. Because of this, care must be taken when - giving users access to commands via ssuuddoo to verify that the command - does not inadvertently give the user an effective root shell. For more - information, please see the PREVENTING SHELL ESCAPES section in - _s_u_d_o_e_r_s(4). + Please note that ssuuddoo will normally only log the command it explicitly + runs. If a user runs a command such as sudo su or sudo sh, subsequent + commands run from that shell are not subject to ssuuddoo's security policy. + The same is true for commands that offer shell escapes (including most + editors). If I/O logging is enabled, subsequent commands will have their + input and/or output logged, but there will not be traditional logs for + those commands. Because of this, care must be taken when giving users + access to commands via ssuuddoo to verify that the command does not + inadvertently give the user an effective root shell. For more + information, please see the _P_R_E_V_E_N_T_I_N_G _S_H_E_L_L _E_S_C_A_P_E_S section in + sudoers(4). - To prevent the disclosure of potentially sensitive information, ssuuddoo - disables core dumps by default while it is executing (they are re- - enabled for the command that is run). To aid in debugging ssuuddoo - crashes, you may wish to re-enable core dumps by setting - "disable_coredump" to false in the _/_e_t_c_/_s_u_d_o_._c_o_n_f file. + To prevent the disclosure of potentially sensitive information, ssuuddoo + disables core dumps by default while it is executing (they are re-enabled + for the command that is run). To aid in debugging ssuuddoo crashes, you may + wish to re-enable core dumps by setting ``disable_coredump'' to false in + the _/_e_t_c_/_s_u_d_o_._c_o_n_f file as follows: - Set disable_coredump false + Set disable_coredump false - Note that by default, most operating systems disable core dumps from - setuid programs, which includes ssuuddoo. To actually get a ssuuddoo core file - you may need to enable core dumps for setuid processes. On BSD and - Linux systems this is accomplished via the sysctl command, on Solaris - the coreadm command can be used. + Note that by default, most operating systems disable core dumps from + setuid programs, which includes ssuuddoo. To actually get a ssuuddoo core file + you may need to enable core dumps for setuid processes. On BSD and Linux + systems this is accomplished via the sysctl command, on Solaris the + coreadm command can be used. EENNVVIIRROONNMMEENNTT - ssuuddoo utilizes the following environment variables. The security policy - has control over the content of the command's environment. + ssuuddoo utilizes the following environment variables. The security policy + has control over the actual content of the command's environment. - EDITOR Default editor to use in --ee (sudoedit) mode if neither - SUDO_EDITOR nor VISUAL is set. + EDITOR Default editor to use in --ee (sudoedit) mode if neither + SUDO_EDITOR nor VISUAL is set. - MAIL In --ii mode or when _e_n_v___r_e_s_e_t is enabled in _s_u_d_o_e_r_s, set - to the mail spool of the target user. + MAIL In --ii mode or when _e_n_v___r_e_s_e_t is enabled in _s_u_d_o_e_r_s, set + to the mail spool of the target user. - HOME Set to the home directory of the target user if --ii or - --HH are specified, _e_n_v___r_e_s_e_t or _a_l_w_a_y_s___s_e_t___h_o_m_e are set - in _s_u_d_o_e_r_s, or when the --ss option is specified and - _s_e_t___h_o_m_e is set in _s_u_d_o_e_r_s. + HOME Set to the home directory of the target user if --ii or --HH + are specified, _e_n_v___r_e_s_e_t or _a_l_w_a_y_s___s_e_t___h_o_m_e are set in + _s_u_d_o_e_r_s, or when the --ss option is specified and _s_e_t___h_o_m_e + is set in _s_u_d_o_e_r_s. - PATH May be overridden by the security policy. + PATH May be overridden by the security policy. - SHELL Used to determine shell to run with --ss option. + SHELL Used to determine shell to run with --ss option. - SUDO_ASKPASS Specifies the path to a helper program used to read the - password if no terminal is available or if the --AA - option is specified. + SUDO_ASKPASS Specifies the path to a helper program used to read the + password if no terminal is available or if the --AA option + is specified. - SUDO_COMMAND Set to the command run by sudo. + SUDO_COMMAND Set to the command run by sudo. - SUDO_EDITOR Default editor to use in --ee (sudoedit) mode. + SUDO_EDITOR Default editor to use in --ee (sudoedit) mode. - SUDO_GID Set to the group ID of the user who invoked sudo. + SUDO_GID Set to the group ID of the user who invoked sudo. - SUDO_PROMPT Used as the default password prompt. + SUDO_PROMPT Used as the default password prompt. - SUDO_PS1 If set, PS1 will be set to its value for the program - being run. + SUDO_PS1 If set, PS1 will be set to its value for the program + being run. - SUDO_UID Set to the user ID of the user who invoked sudo. + SUDO_UID Set to the user ID of the user who invoked sudo. - SUDO_USER Set to the login name of the user who invoked sudo. + SUDO_USER Set to the login name of the user who invoked sudo. - USER Set to the target user (root unless the --uu option is - specified). + USER Set to the target user (root unless the --uu option is + specified). - VISUAL Default editor to use in --ee (sudoedit) mode if - SUDO_EDITOR is not set. + VISUAL Default editor to use in --ee (sudoedit) mode if + SUDO_EDITOR is not set. FFIILLEESS - _/_e_t_c_/_s_u_d_o_._c_o_n_f ssuuddoo front end configuration + _/_e_t_c_/_s_u_d_o_._c_o_n_f ssuuddoo front end configuration EEXXAAMMPPLLEESS - Note: the following examples assume a properly configured security - policy. + Note: the following examples assume a properly configured security + policy. - To get a file listing of an unreadable directory: + To get a file listing of an unreadable directory: - $ sudo ls /usr/local/protected + $ sudo ls /usr/local/protected - To list the home directory of user yaz on a machine where the file - system holding ~yaz is not exported as root: + To list the home directory of user yaz on a machine where the file system + holding ~yaz is not exported as root: - $ sudo -u yaz ls ~yaz + $ sudo -u yaz ls ~yaz - To edit the _i_n_d_e_x_._h_t_m_l file as user www: + To edit the _i_n_d_e_x_._h_t_m_l file as user www: - $ sudo -u www vi ~www/htdocs/index.html + $ sudo -u www vi ~www/htdocs/index.html - To view system logs only accessible to root and users in the adm group: + To view system logs only accessible to root and users in the adm group: - $ sudo -g adm view /var/log/syslog + $ sudo -g adm view /var/log/syslog - To run an editor as jim with a different primary group: + To run an editor as jim with a different primary group: - $ sudo -u jim -g audio vi ~jim/sound.txt + $ sudo -u jim -g audio vi ~jim/sound.txt - To shutdown a machine: + To shut down a machine: - $ sudo shutdown -r +15 "quick reboot" + $ sudo shutdown -r +15 "quick reboot" - To make a usage listing of the directories in the /home partition. - Note that this runs the commands in a sub-shell to make the cd and file - redirection work. + To make a usage listing of the directories in the /home partition. Note + that this runs the commands in a sub-shell to make the cd and file + redirection work. - $ sudo sh -c "cd /home ; du -s * | sort -rn > USAGE" + $ sudo sh -c "cd /home ; du -s * | sort -rn > USAGE" SSEEEE AALLSSOO - _g_r_e_p(1), _s_u(1), _s_t_a_t(2), _l_o_g_i_n___c_a_p(3), _p_a_s_s_w_d(4), _s_u_d_o_e_r_s(4), - _s_u_d_o___p_l_u_g_i_n(1m), _s_u_d_o_r_e_p_l_a_y(1m), _v_i_s_u_d_o(1m) + grep(1), su(1), stat(2), login_cap(3), passwd(4), sudoers(4), + sudo_plugin(1m), sudoreplay(1m), visudo(1m) HHIISSTTOORRYY - See the HISTORY file in the ssuuddoo distribution - (http://www.sudo.ws/sudo/history.html) for a brief history of sudo. + See the HISTORY file in the ssuuddoo distribution + (http://www.sudo.ws/sudo/history.html) for a brief history of sudo. AAUUTTHHOORRSS - Many people have worked on ssuuddoo over the years; this version consists - of code written primarily by: + Many people have worked on ssuuddoo over the years; this version consists of + code written primarily by: - Todd C. Miller + Todd C. Miller - See the CONTRIBUTORS file in the ssuuddoo distribution - (http://www.sudo.ws/sudo/contributors.html) for an exhaustive list of - people who have contributed to ssuuddoo. + See the CONTRIBUTORS file in the ssuuddoo distribution + (http://www.sudo.ws/sudo/contributors.html) for an exhaustive list of + people who have contributed to ssuuddoo. CCAAVVEEAATTSS - There is no easy way to prevent a user from gaining a root shell if - that user is allowed to run arbitrary commands via ssuuddoo. Also, many - programs (such as editors) allow the user to run commands via shell - escapes, thus avoiding ssuuddoo's checks. However, on most systems it is - possible to prevent shell escapes with the _s_u_d_o_e_r_s(4) module's _n_o_e_x_e_c - functionality. + There is no easy way to prevent a user from gaining a root shell if that + user is allowed to run arbitrary commands via ssuuddoo. Also, many programs + (such as editors) allow the user to run commands via shell escapes, thus + avoiding ssuuddoo's checks. However, on most systems it is possible to + prevent shell escapes with the sudoers(4) module's _n_o_e_x_e_c functionality. - It is not meaningful to run the cd command directly via sudo, e.g., + It is not meaningful to run the cd command directly via sudo, e.g., - $ sudo cd /usr/local/protected + $ sudo cd /usr/local/protected - since when the command exits the parent process (your shell) will still - be the same. Please see the EXAMPLES section for more information. + since when the command exits the parent process (your shell) will still + be the same. Please see the _E_X_A_M_P_L_E_S section for more information. - Running shell scripts via ssuuddoo can expose the same kernel bugs that - make setuid shell scripts unsafe on some operating systems (if your OS - has a /dev/fd/ directory, setuid shell scripts are generally safe). + Running shell scripts via ssuuddoo can expose the same kernel bugs that make + setuid shell scripts unsafe on some operating systems (if your OS has a + /dev/fd/ directory, setuid shell scripts are generally safe). BBUUGGSS - If you feel you have found a bug in ssuuddoo, please submit a bug report at - http://www.sudo.ws/sudo/bugs/ + If you feel you have found a bug in ssuuddoo, please submit a bug report at + http://www.sudo.ws/sudo/bugs/ SSUUPPPPOORRTT - Limited free support is available via the sudo-users mailing list, see - http://www.sudo.ws/mailman/listinfo/sudo-users to subscribe or search - the archives. + Limited free support is available via the sudo-users mailing list, see + http://www.sudo.ws/mailman/listinfo/sudo-users to subscribe or search the + archives. DDIISSCCLLAAIIMMEERR - ssuuddoo is provided ``AS IS'' and any express or implied warranties, - including, but not limited to, the implied warranties of - merchantability and fitness for a particular purpose are disclaimed. - See the LICENSE file distributed with ssuuddoo or - http://www.sudo.ws/sudo/license.html for complete details. + ssuuddoo is provided ``AS IS'' and any express or implied warranties, + including, but not limited to, the implied warranties of merchantability + and fitness for a particular purpose are disclaimed. See the LICENSE + file distributed with ssuuddoo or http://www.sudo.ws/sudo/license.html for + complete details. - - -1.8.6 July 12, 2012 SUDO(1m) +Sudo 1.8.6 July 10, 2012 Sudo 1.8.6 diff --git a/doc/sudo.man.in b/doc/sudo.man.in index bde062c22..a5f3c8811 100644 --- a/doc/sudo.man.in +++ b/doc/sudo.man.in @@ -1,10 +1,13 @@ +.\" DO NOT EDIT THIS FILE, IT IS NOT THE MASTER! +.\" IT IS GENERATED AUTOMATICALLY FROM sudo.mdoc.in +.\" .\" Copyright (c) 1994-1996, 1998-2005, 2007-2012 -.\" Todd C. Miller -.\" +.\" Todd C. Miller +.\" .\" Permission to use, copy, modify, and distribute this software for any .\" purpose with or without fee is hereby granted, provided that the above .\" copyright notice and this permission notice appear in all copies. -.\" +.\" .\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES .\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF .\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR @@ -13,881 +16,1261 @@ .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. .\" ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. -.\" +.\" .\" Sponsored in part by the Defense Advanced Research Projects .\" Agency (DARPA) and Air Force Research Laboratory, Air Force .\" Materiel Command, USAF, under agreement number F39502-99-1-0512. -.\" -.nr SL @SEMAN@ -.nr BA @BAMAN@ -.nr LC @LCMAN@ -.nr PT @password_timeout@ .\" -.\" Automatically generated by Pod::Man 2.23 (Pod::Simple 3.14) -.\" -.\" Standard preamble: -.\" ======================================================================== -.de Sp \" Vertical space (when we can't use .PP) -.if t .sp .5v -.if n .sp -.. -.de Vb \" Begin verbatim text -.ft CW -.nf -.ne \\$1 -.. -.de Ve \" End verbatim text -.ft R -.fi -.. -.\" Set up some character translations and predefined strings. \*(-- will -.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left -.\" double quote, and \*(R" will give a right double quote. \*(C+ will -.\" give a nicer C++. Capital omega is used to do unbreakable dashes and -.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff, -.\" nothing in troff, for use with C<>. -.tr \(*W- -.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p' -.ie n \{\ -. ds -- \(*W- -. ds PI pi -. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch -. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch -. ds L" "" -. ds R" "" -. ds C` -. ds C' -'br\} -.el\{\ -. ds -- \|\(em\| -. ds PI \(*p -. ds L" `` -. ds R" '' -'br\} -.\" -.\" Escape single quotes in literal strings from groff's Unicode transform. -.ie \n(.g .ds Aq \(aq -.el .ds Aq ' -.\" -.\" If the F register is turned on, we'll generate index entries on stderr for -.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index -.\" entries marked with X<> in POD. Of course, you'll have to process the -.\" output yourself in some meaningful fashion. -.ie \nF \{\ -. de IX -. tm Index:\\$1\t\\n%\t"\\$2" -.. -. nr % 0 -. rr F -.\} -.el \{\ -. de IX -.. -.\} -.\" -.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2). -.\" Fear. Run. Save yourself. No user-serviceable parts. -. \" fudge factors for nroff and troff -.if n \{\ -. ds #H 0 -. ds #V .8m -. ds #F .3m -. ds #[ \f1 -. ds #] \fP -.\} -.if t \{\ -. ds #H ((1u-(\\\\n(.fu%2u))*.13m) -. ds #V .6m -. ds #F 0 -. ds #[ \& -. ds #] \& -.\} -. \" simple accents for nroff and troff -.if n \{\ -. ds ' \& -. ds ` \& -. ds ^ \& -. ds , \& -. ds ~ ~ -. ds / -.\} -.if t \{\ -. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u" -. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u' -. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u' -. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u' -. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u' -. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u' -.\} -. \" troff and (daisy-wheel) nroff accents -.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V' -.ds 8 \h'\*(#H'\(*b\h'-\*(#H' -.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#] -.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H' -.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u' -.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#] -.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#] -.ds ae a\h'-(\w'a'u*4/10)'e -.ds Ae A\h'-(\w'A'u*4/10)'E -. \" corrections for vroff -.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u' -.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u' -. \" for low resolution devices (crt and lpr) -.if \n(.H>23 .if \n(.V>19 \ -\{\ -. ds : e -. ds 8 ss -. ds o a -. ds d- d\h'-1'\(ga -. ds D- D\h'-1'\(hy -. ds th \o'bp' -. ds Th \o'LP' -. ds ae ae -. ds Ae AE -.\} -.rm #[ #] #H #V #F C -.\" ======================================================================== -.\" -.IX Title "SUDO @mansectsu@" -.TH SUDO @mansectsu@ "July 12, 2012" "1.8.6" "MAINTENANCE COMMANDS" -.\" For nroff, turn off justification. Always turn off hyphenation; it makes -.\" way too many mistakes in technical documents. -.if n .ad l -.nh +.TH "SUDO" "@mansectsu@" "July 10, 2012" "1.8.6" "System Manager's Manual" .SH "NAME" -sudo, sudoedit \- execute a command as another user +\fBsudo\fR, +\fBsudoedit\fR +\- execute a command as another user .SH "SYNOPSIS" -.IX Header "SYNOPSIS" -\&\fBsudo\fR \fB\-h\fR | \fB\-K\fR | \fB\-k\fR | \fB\-V\fR -.PP -\&\fBsudo\fR \fB\-v\fR [\fB\-AknS\fR] -.if \n(BA [\fB\-a\fR\ \fIauth_type\fR] -[\fB\-g\fR\ \fIgroup\ name\fR|\fI#gid\fR] [\fB\-p\fR\ \fIprompt\fR] -[\fB\-u\fR\ \fIuser\ name\fR|\fI#uid\fR] -.PP -\&\fBsudo\fR \fB\-l[l]\fR [\fB\-AknS\fR] -.if \n(BA [\fB\-a\fR\ \fIauth_type\fR] -[\fB\-g\fR\ \fIgroup\ name\fR|\fI#gid\fR] [\fB\-p\fR\ \fIprompt\fR] -[\fB\-U\fR\ \fIuser\ name\fR] [\fB\-u\fR\ \fIuser\ name\fR|\fI#uid\fR] [\fIcommand\fR] -.PP -\&\fBsudo\fR [\fB\-AbEHnPS\fR] -.if \n(BA [\fB\-a\fR\ \fIauth_type\fR] -[\fB\-C\fR\ \fIfd\fR] -.if \n(LC [\fB\-c\fR\ \fIclass\fR|\fI\-\fR] -[\fB\-g\fR\ \fIgroup\ name\fR|\fI#gid\fR] [\fB\-p\fR\ \fIprompt\fR] -.if \n(SL [\fB\-r\fR\ \fIrole\fR] [\fB\-t\fR\ \fItype\fR] -[\fB\-u\fR\ \fIuser\ name\fR|\fI#uid\fR] -[\fB\s-1VAR\s0\fR=\fIvalue\fR] [\fB\-i\fR\ |\ \fB\-s\fR] [\fIcommand\fR] -.PP -\&\fBsudoedit\fR [\fB\-AnS\fR] -.if \n(BA [\fB\-a\fR\ \fIauth_type\fR] -[\fB\-C\fR\ \fIfd\fR] -.if \n(LC [\fB\-c\fR\ \fIclass\fR|\fI\-\fR] -[\fB\-g\fR\ \fIgroup\ name\fR|\fI#gid\fR] [\fB\-p\fR\ \fIprompt\fR] -[\fB\-u\fR\ \fIuser\ name\fR|\fI#uid\fR] file ... +.HP 5n +\fBsudo\fR +\fB-h\fR | \fB-K\fR | \fB-k\fR | \fB-V\fR +.sp -1v +.HP 5n +\fBsudo\fR +\fB-v\fR +[\fB-AknS\fR] +[\fB-a\fR\~\fIauth_type\fR] +[\fB-g\fR\~\fIgroup\~name\fR\~|\~\fI#gid\fR] +[\fB-p\fR\~\fIprompt\fR] +[\fB-u\fR\~\fIuser\~name\fR\~|\~\fI#uid\fR] +.sp -1v +.HP 5n +\fBsudo\fR +\fB-l\fR[\fIl\fR] +[\fB-AknS\fR] +[\fB-a\fR\~\fIauth_type\fR] +[\fB-g\fR\~\fIgroup\~name\fR\~|\~\fI#gid\fR] +[\fB-p\fR\~\fIprompt\fR] +[\fB-U\fR\~\fIuser\~name\fR] +[\fB-u\fR\~\fIuser\~name\fR\~|\~\fI#uid\fR] +[\fIcommand\fR] +.sp -1v +.HP 5n +\fBsudo\fR +[\fB-AbEHnPS\fR] +[\fB-a\fR\~\fIauth_type\fR] +[\fB-C\fR\~\fIfd\fR] +[\fB-c\fR\~\fIclass\fR\~|\~\fI-\fR] +[\fB-g\fR\~\fIgroup\~name\fR\~|\~\fI#gid\fR] +[\fB-p\fR\~\fIprompt\fR] +[\fB-r\fR\~\fIrole\fR] +[\fB-t\fR\~\fItype\fR] +[\fB-u\fR\~\fIuser\~name\fR\~|\~\fI#uid\fR] +[\fBVAR\fR=\fIvalue\fR] +\fB-i\fR\~|\~\fB-s\fR +[\fIcommand\fR] +.sp -1v +.HP 9n +\fBsudoedit\fR +[\fB-AnS\fR] +[\fB-a\fR\~\fIauth_type\fR] +[\fB-C\fR\~\fIfd\fR] +[\fB-c\fR\~\fIclass\fR\~|\~\fI-\fR] +[\fB-g\fR\~\fIgroup\~name\fR\~|\~\fI#gid\fR] +[\fB-p\fR\~\fIprompt\fR] +[\fB-u\fR\~\fIuser\~name\fR\~|\~\fI#uid\fR] +file ... .SH "DESCRIPTION" -.IX Header "DESCRIPTION" -\&\fBsudo\fR allows a permitted user to execute a \fIcommand\fR as the -superuser or another user, as specified by the security policy. +\fBsudo\fR +allows a permitted user to execute a +\fIcommand\fR +as the superuser or another user, as specified by the security +policy. The real and effective uid and gid are set to match those of the target user, as specified in the password database, and the group -vector is initialized based on the group database (unless the \fB\-P\fR +vector is initialized based on the group database (unless the +\fB-P\fR option was specified). .PP -\&\fBsudo\fR supports a plugin architecture for security policies and -input/output logging. Third parties can develop and distribute -their own policy and I/O logging modules to work seamlessly with -the \fBsudo\fR front end. The default security policy is \fIsudoers\fR, -which is configured via the file \fI@sysconfdir@/sudoers\fR, or via -\&\s-1LDAP\s0. See the \s-1PLUGINS\s0 section for more information. +\fBsudo\fR +supports a plugin architecture for security policies and input/output +logging. +Third parties can develop and distribute their own policy and I/O +logging modules to work seamlessly with the +\fBsudo\fR +front end. +The default security policy is +\fIsudoers\fR, +which is configured via the file +\fI@sysconfdir@/sudoers\fR, +or via LDAP. +See the +\fIPLUGINS\fR +section for more information. .PP The security policy determines what privileges, if any, a user has -to run \fBsudo\fR. The policy may require that users authenticate -themselves with a password or another authentication mechanism. If -authentication is required, \fBsudo\fR will exit if the user's password -is not entered within a configurable time limit. This limit is -policy-specific; the default password prompt timeout for the -\&\fIsudoers\fR security policy is -.ie \n(PT \f(CW\*(C`@password_timeout@\*(C'\fR minutes. -.el unlimited. +to run +\fBsudo\fR. +The policy may require that users authenticate themselves with a +password or another authentication mechanism. +If authentication is required, +\fBsudo\fR +will exit if the user's password is not entered within a configurable +time limit. +This limit is policy-specific; the default password prompt timeout +for the +\fIsudoers\fR +security policy is +\fR@password_timeout@\fR +minutes. .PP Security policies may support credential caching to allow the user -to run \fBsudo\fR again for a period of time without requiring -authentication. The \fIsudoers\fR policy caches credentials for -\&\f(CW\*(C`@timeout@\*(C'\fR minutes, unless overridden in \fIsudoers\fR\|(@mansectform@). By -running \fBsudo\fR with the \fB\-v\fR option, a user can update the cached -credentials without running a \fIcommand\fR. +to run +\fBsudo\fR +again for a period of time without requiring authentication. +The +\fIsudoers\fR +policy caches credentials for +\fR@timeout@\fR +minutes, unless overridden in +sudoers(@mansectform@). +By running +\fBsudo\fR +with the +\fB-v\fR +option, a user can update the cached credentials without running a +\fIcommand\fR. .PP -When invoked as \fBsudoedit\fR, the \fB\-e\fR option (described below), -is implied. +When invoked as +\fBsudoedit\fR, +the +\fB-e\fR +option (described below), is implied. .PP Security policies may log successful and failed attempts to use -\&\fBsudo\fR. If an I/O plugin is configured, the running command's -input and output may be logged as well. +\fBsudo\fR. +If an I/O plugin is configured, the running command's input and +output may be logged as well. .SH "OPTIONS" -.IX Header "OPTIONS" -\&\fBsudo\fR accepts the following command line options: -.IP "\-A" 12 -.IX Item "-A" -Normally, if \fBsudo\fR requires a password, it will read it from the -user's terminal. If the \fB\-A\fR (\fIaskpass\fR) option is specified, -a (possibly graphical) helper program is executed to read the user's -password and output the password to the standard output. If the -\&\f(CW\*(C`SUDO_ASKPASS\*(C'\fR environment variable is set, it specifies the path -to the helper program. Otherwise, if \fI@sysconfdir@/sudo.conf\fR +\fBsudo\fR +accepts the following command line options: +.TP 12n +\fB-A\fR +Normally, if +\fBsudo\fR +requires a password, it will read it from the user's terminal. +If the +\fB-A\fR (\fIaskpass\fR) +option is specified, a (possibly graphical) helper program is +executed to read the user's password and output the password to the +standard output. +If the +\fRSUDO_ASKPASS\fR +environment variable is set, it specifies the path to the helper +program. +Otherwise, if +\fI@sysconfdir@/sudo.conf\fR contains a line specifying the askpass program, that value will be -used. For example: -.Sp -.Vb 2 -\& # Path to askpass helper program -\& Path askpass /usr/X11R6/bin/ssh\-askpass -.Ve -.Sp -If no askpass program is available, sudo will exit with an error. -.if \n(BA \{\ -.IP "\-a \fItype\fR" 12 -.IX Item "-a type" -The \fB\-a\fR (\fIauthentication type\fR) option causes \fBsudo\fR to use the -specified authentication type when validating the user, as allowed -by \fI/etc/login.conf\fR. The system administrator may specify a list -of sudo-specific authentication methods by adding an \*(L"auth-sudo\*(R" -entry in \fI/etc/login.conf\fR. This option is only available on systems -that support \s-1BSD\s0 authentication. -\} -.IP "\-b" 12 -.IX Item "-b" -The \fB\-b\fR (\fIbackground\fR) option tells \fBsudo\fR to run the given -command in the background. Note that if you use the \fB\-b\fR +used. +For example: +.nf +.sp +.RS 13n + # Path to askpass helper program + Path askpass /usr/X11R6/bin/ssh-askpass +.RE +.fi +.RS +.sp +If no askpass program is available, +\fBsudo\fR +will exit with an error. +.PP +.RE +.sp -1v +.TP 12n +\fB-a\fR \fItype\fR +The +\fB-a\fR (\fIauthentication type\fR) +option causes +\fBsudo\fR +to use the specified authentication type when validating the user, +as allowed by +\fI/etc/login.conf\fR. +The system administrator may specify a list of sudo-specific +authentication methods by adding an +``auth-sudo'' +entry in +\fI/etc/login.conf\fR. +This option is only available on systems that support BSD authentication. +.TP 12n +\fB-b\fR +The +\fB-b\fR (\fIbackground\fR) +option tells +\fBsudo\fR +to run the given command in the background. +Note that if you use the +\fB-b\fR option you cannot use shell job control to manipulate the process. Most interactive commands will fail to work properly in background mode. -.IP "\-C \fIfd\fR" 12 -.IX Item "-C fd" -Normally, \fBsudo\fR will close all open file descriptors other than -standard input, standard output and standard error. The \fB\-C\fR -(\fIclose from\fR) option allows the user to specify a starting point -above the standard error (file descriptor three). Values less than -three are not permitted. The security policy may restrict the -user's ability to use the \fB\-C\fR option. The \fIsudoers\fR policy only -permits use of the \fB\-C\fR option when the administrator has enabled -the \fIclosefrom_override\fR option. -.if \n(LC \{\ -.IP "\-c \fIclass\fR" 12 -.IX Item "-c class" -The \fB\-c\fR (\fIclass\fR) option causes \fBsudo\fR to run the specified command -with resources limited by the specified login class. The \fIclass\fR -argument can be either a class name as defined in \fI/etc/login.conf\fR, -or a single '\-' character. Specifying a \fIclass\fR of \f(CW\*(C`\-\*(C'\fR indicates -that the command should be run restricted by the default login -capabilities for the user the command is run as. If the \fIclass\fR +.TP 12n +\fB-C\fR \fIfd\fR +Normally, +\fBsudo\fR +will close all open file descriptors other than standard input, +standard output and standard error. +The +\fB-C\fR (\fIclose from\fR) +option allows the user to specify a starting point above the standard +error (file descriptor three). +Values less than three are not permitted. +The security policy may restrict the user's ability to use the +\fB-C\fR +option. +The +\fIsudoers\fR +policy only permits use of the +\fB-C\fR +option when the administrator has enabled the +\fIclosefrom_override\fR +option. +.TP 12n +\fB-c\fR \fIclass\fR +The +\fB-c\fR (\fIclass\fR) +option causes +\fBsudo\fR +to run the specified command with resources limited by the specified +login class. +The +\fIclass\fR +argument can be either a class name as defined in +\fI/etc/login.conf\fR, +or a single +`\-' +character. +Specifying a +\fIclass\fR +of +\fR-\fR +indicates that the command should be run restricted by the default +login capabilities for the user the command is run as. +If the +\fIclass\fR argument specifies an existing user class, the command must be run -as root, or the \fBsudo\fR command must be run from a shell that is already -root. This option is only available on systems with \s-1BSD\s0 login classes. -\} -.IP "\-E" 12 -.IX Item "-E" -The \fB\-E\fR (\fIpreserve\fR \fIenvironment\fR) option indicates to the -security policy that the user wishes to preserve their existing -environment variables. The security policy may return an error if -the \fB\-E\fR option is specified and the user does not have permission -to preserve the environment. -.IP "\-e" 12 -.IX Item "-e" -The \fB\-e\fR (\fIedit\fR) option indicates that, instead of running a -command, the user wishes to edit one or more files. In lieu of a -command, the string \*(L"sudoedit\*(R" is used when consulting the security -policy. If the user is authorized by the policy, the following -steps are taken: -.RS 12 -.IP "1." 4 +as root, or the +\fBsudo\fR +command must be run from a shell that is already root. +This option is only available on systems with BSD login classes. +.TP 12n +\fB-E\fR +The +\fB-E\fR (\fIpreserve environment\fR) +option indicates to the security policy that the user wishes to +preserve their existing environment variables. +The security policy may return an error if the +\fB-E\fR +option is specified and the user does not have permission to preserve +the environment. +.TP 12n +\fB-e\fR +The +\fB-e\fR (\fIedit\fR) +option indicates that, instead of running a command, the user wishes +to edit one or more files. +In lieu of a command, the string "sudoedit" is used when consulting +the security policy. +If the user is authorized by the policy, the following steps are +taken: +.RS +.TP 5n +1. Temporary copies are made of the files to be edited with the owner set to the invoking user. -.IP "2." 4 -The editor specified by the policy is run to edit the temporary files. -The \fIsudoers\fR policy uses the \f(CW\*(C`SUDO_EDITOR\*(C'\fR, \f(CW\*(C`VISUAL\*(C'\fR and \f(CW\*(C`EDITOR\*(C'\fR -environment variables (in that order). If none of \f(CW\*(C`SUDO_EDITOR\*(C'\fR, -\&\f(CW\*(C`VISUAL\*(C'\fR or \f(CW\*(C`EDITOR\*(C'\fR are set, the first program listed in the -\&\fIeditor\fR \fIsudoers\fR\|(@mansectform@) option is used. -.IP "3." 4 +.TP 5n +2. +The editor specified by the policy is run to edit the temporary +files. +The +\fIsudoers\fR +policy uses the +\fRSUDO_EDITOR\fR, +\fRVISUAL\fR +and +\fREDITOR\fR +environment variables (in that order). +If none of +\fRSUDO_EDITOR\fR, +\fRVISUAL\fR +or +\fREDITOR\fR +are set, the first program listed in the +\fIeditor\fR +sudoers(@mansectform@) +option is used. +.TP 5n +3. If they have been modified, the temporary files are copied back to their original location and the temporary versions are removed. .RE -.RS 12 -.Sp -If the specified file does not exist, it will be created. Note -that unlike most commands run by \fBsudo\fR, the editor is run with -the invoking user's environment unmodified. If, for some reason, -\&\fBsudo\fR is unable to update a file with its edited version, the -user will receive a warning and the edited copy will remain in a -temporary file. +.RS +.PP +If the specified file does not exist, it will be created. +Note that unlike most commands run by +\fIsudo\fR, +the editor is run with the invoking user's environment unmodified. +If, for some reason, +\fBsudo\fR +is unable to update a file with its edited version, the user will +receive a warning and the edited copy will remain in a temporary +file. +.PP .RE -.IP "\-g \fIgroup\fR" 12 -.IX Item "-g group" -Normally, \fBsudo\fR runs a command with the primary group set to the -one specified by the password database for the user the command is -being run as (by default, root). The \fB\-g\fR (\fIgroup\fR) option causes -\&\fBsudo\fR to run the command with the primary group set to \fIgroup\fR -instead. To specify a \fIgid\fR instead of a \fIgroup name\fR, use -\&\fI#gid\fR. When running commands as a \fIgid\fR, many shells require -that the '#' be escaped with a backslash ('\e'). If no \fB\-u\fR option -is specified, the command will be run as the invoking user (not -root). In either case, the primary group will be set to \fIgroup\fR. -.IP "\-H" 12 -.IX Item "-H" -The \fB\-H\fR (\fI\s-1HOME\s0\fR) option requests that the security policy set -the \f(CW\*(C`HOME\*(C'\fR environment variable to the home directory of the target -user (root by default) as specified by the password database. +.sp -1v +.TP 12n +\fB-g\fR \fIgroup\fR +Normally, +\fBsudo\fR +runs a command with the primary group set to the one specified by +the password database for the user the command is being run as (by +default, root). +The +\fB-g\fR (\fIgroup\fR) +option causes +\fBsudo\fR +to run the command with the primary group set to +\fIgroup\fR +instead. +To specify a +\fIgid\fR +instead of a +\fIgroup name\fR, +use +\fI#gid\fR. +When running commands as a +\fIgid\fR, +many shells require that the +`#' +be escaped with a backslash +(`\e'). +If no +\fB-u\fR +option is specified, the command will be run as the invoking user +(not root). +In either case, the primary group will be set to +\fIgroup\fR. +.TP 12n +\fB-H\fR +The +\fB-H\fR (\fIHOME\fR) +option requests that the security policy set the +\fRHOME\fR +environment variable to the home directory of the target user (root +by default) as specified by the password database. Depending on the policy, this may be the default behavior. -.IP "\-h" 12 -.IX Item "-h" -The \fB\-h\fR (\fIhelp\fR) option causes \fBsudo\fR to print a short help message -to the standard output and exit. -.IP "\-i [command]" 12 -.IX Item "-i [command]" -The \fB\-i\fR (\fIsimulate initial login\fR) option runs the shell specified -by the password database entry of the target user as a login shell. -This means that login-specific resource files such as \f(CW\*(C`.profile\*(C'\fR -or \f(CW\*(C`.login\*(C'\fR will be read by the shell. If a command is specified, -it is passed to the shell for execution via the shell's \fB\-c\fR option. +.TP 12n +\fB-h\fR +The +\fB-h\fR (\fIhelp\fR) +option causes +\fBsudo\fR +to print a short help message to the standard output and exit. +.TP 12n +\fB-i\fR [\fIcommand\fR] +The +\fB-i\fR (\fIsimulate initial login\fR) +option runs the shell specified by the password database entry of +the target user as a login shell. +This means that login-specific resource files such as +\fI.profile\fR +or +\fI.login\fR +will be read by the shell. +If a command is specified, it is passed to the shell for execution +via the shell's +\fB-c\fR +option. If no command is specified, an interactive shell is executed. -\&\fBsudo\fR attempts to change to that user's home directory before -running the shell. The security policy shall initialize the -environment to a minimal set of variables, similar to what is present -when a user logs in. The \fICommand Environment\fR section in the -\&\fIsudoers\fR\|(@mansectform@) manual documents how the \fB\-i\fR option affects the -environment in which a command is run when the \fIsudoers\fR policy -is in use. -.IP "\-K" 12 -.IX Item "-K" -The \fB\-K\fR (sure \fIkill\fR) option is like \fB\-k\fR except that it removes -the user's cached credentials entirely and may not be used in -conjunction with a command or other option. This option does not -require a password. Not all security policies support credential -caching. -.IP "\-k [command]" 12 -.IX Item "-k [command]" -When used alone, the \fB\-k\fR (\fIkill\fR) option to \fBsudo\fR invalidates -the user's cached credentials. The next time \fBsudo\fR is run a -password will be required. This option does not require a password -and was added to allow a user to revoke \fBsudo\fR permissions from a -\&.logout file. Not all security policies support credential -caching. -.Sp +\fBsudo\fR +attempts to change to that user's home directory before running the +shell. +The security policy shall initialize the environment to a minimal +set of variables, similar to what is present when a user logs in. +The +\fICommand Environment\fR +section in the +sudoers(@mansectform@) +manual documents how the +\fB-i\fR +option affects the environment in which a command is run when the +\fIsudoers\fR +policy is in use. +.TP 12n +\fB-K\fR +The +\fB-K\fR (sure \fIkill\fR) +option is like +\fB-k\fR +except that it removes the user's cached credentials entirely and +may not be used in conjunction with a command or other option. +This option does not require a password. +Not all security policies support credential caching. +.TP 12n +\fB-k\fR [\fIcommand\fR] +When used alone, the +\fB-k\fR (\fIkill\fR) +option to +\fBsudo\fR +invalidates the user's cached credentials. +The next time +\fBsudo\fR +is run a password will be required. +This option does not require a password and was added to allow a +user to revoke +\fBsudo\fR +permissions from a +\fI.logout\fR +file. +Not all security policies support credential caching. +.sp When used in conjunction with a command or an option that may require -a password, the \fB\-k\fR option will cause \fBsudo\fR to ignore the user's -cached credentials. As a result, \fBsudo\fR will prompt for a password -(if one is required by the security policy) and will not update the -user's cached credentials. -.IP "\-l[l] [\fIcommand\fR]" 12 -.IX Item "-l[l] [command]" -If no \fIcommand\fR is specified, the \fB\-l\fR (\fIlist\fR) option will list -the allowed (and forbidden) commands for the invoking user (or the -user specified by the \fB\-U\fR option) on the current host. If a -\&\fIcommand\fR is specified and is permitted by the security policy, -the fully-qualified path to the command is displayed along with any -command line arguments. If \fIcommand\fR is specified but not allowed, -\&\fBsudo\fR will exit with a status value of 1. If the \fB\-l\fR option -is specified with an \fBl\fR argument (i.e. \fB\-ll\fR), or if \fB\-l\fR is -specified multiple times, a longer list format is used. -.IP "\-n" 12 -.IX Item "-n" -The \fB\-n\fR (\fInon-interactive\fR) option prevents \fBsudo\fR from prompting -the user for a password. If a password is required for the command -to run, \fBsudo\fR will display an error message and exit. -.IP "\-P" 12 -.IX Item "-P" -The \fB\-P\fR (\fIpreserve\fR \fIgroup vector\fR) option causes \fBsudo\fR to -preserve the invoking user's group vector unaltered. By default, -the \fIsudoers\fR policy will initialize the group vector to the list -of groups the target user is in. The real and effective group IDs, -however, are still set to match the target user. -.IP "\-p \fIprompt\fR" 12 -.IX Item "-p prompt" -The \fB\-p\fR (\fIprompt\fR) option allows you to override the default -password prompt and use a custom one. The following percent (`\f(CW\*(C`%\*(C'\fR') -escapes are supported by the \fIsudoers\fR policy: -.RS 12 -.ie n .IP "%H" 4 -.el .IP "\f(CW%H\fR" 4 -.IX Item "%H" -expanded to the host name including the domain name (on if -the machine's host name is fully qualified or the \fIfqdn\fR option -is set in \fIsudoers\fR\|(@mansectform@)) -.ie n .IP "%h" 4 -.el .IP "\f(CW%h\fR" 4 -.IX Item "%h" +a password, the +\fB-k\fR +option will cause +\fBsudo\fR +to ignore the user's cached credentials. +As a result, +\fBsudo\fR +will prompt for a password (if one is required by the security +policy) and will not update the user's cached credentials. +.TP 12n +\fB-l\fR[\fBl\fR] [\fIcommand\fR] +If no +\fIcommand\fR +is specified, the +\fB-l\fR (\fIlist\fR) +option will list the allowed (and forbidden) commands for the +invoking user (or the user specified by the +\fB-U\fR +option) on the current host. +If a +\fIcommand\fR +is specified and is permitted by the security policy, the fully-qualified +path to the command is displayed along with any command line +arguments. +If +\fIcommand\fR +is specified but not allowed, +\fBsudo\fR +will exit with a status value of 1. +If the +\fB-l\fR +option is specified with an +\fIl\fR +argument +(i.e.\& \fB-ll\fR), +or if +\fB-l\fR +is specified multiple times, a longer list format is used. +.TP 12n +\fB-n\fR +The +\fB-n\fR (\fInon-interactive\fR) +option prevents +\fBsudo\fR +from prompting the user for a password. +If a password is required for the command to run, +\fBsudo\fR +will display an error message and exit. +.TP 12n +\fB-P\fR +The +\fB-P\fR (\fIpreserve group vector\fR) +option causes +\fBsudo\fR +to preserve the invoking user's group vector unaltered. +By default, the +\fIsudoers\fR +policy will initialize the group vector to the list of groups the +target user is in. +The real and effective group IDs, however, are still set to match +the target user. +.TP 12n +\fB-p\fR \fIprompt\fR +The +\fB-p\fR (\fIprompt\fR) +option allows you to override the default password prompt and use +a custom one. +The following percent +(`%') +escapes are supported by the +\fIsudoers\fR +policy: +.RS +.TP 4n +\fR%H\fR +expanded to the host name including the domain name (on if the +machine's host name is fully qualified or the +\fIfqdn\fR +option is set in +sudoers(@mansectform@)) +.TP 4n +\fR%h\fR expanded to the local host name without the domain name -.ie n .IP "%p" 4 -.el .IP "\f(CW%p\fR" 4 -.IX Item "%p" +.TP 4n +\fR%p\fR expanded to the name of the user whose password is being requested -(respects the \fIrootpw\fR, \fItargetpw\fR and \fIrunaspw\fR flags in -\&\fIsudoers\fR\|(@mansectform@)) -.ie n .IP "%U" 4 -.el .IP "\f(CW%U\fR" 4 -.IX Item "%U" +(respects the +\fIrootpw\fR, +\fItargetpw\fR, +and +\fIrunaspw\fR +flags in +sudoers(@mansectform@)) +.TP 4n +\fR%U\fR expanded to the login name of the user the command will be run as -(defaults to root unless the \fB\-u\fR option is also specified) -.ie n .IP "%u" 4 -.el .IP "\f(CW%u\fR" 4 -.IX Item "%u" +(defaults to root unless the +\fB-u\fR +option is also specified) +.TP 4n +\fR%u\fR expanded to the invoking user's login name -.ie n .IP "\*(C`%%\*(C'" 4 -.el .IP "\f(CW\*(C`%%\*(C'\fR" 4 -.IX Item "%%" -two consecutive \f(CW\*(C`%\*(C'\fR characters are collapsed into a single \f(CW\*(C`%\*(C'\fR character +.TP 4n +\fR%%\fR +two consecutive +\fR%\fR +characters are collapsed into a single +\fR%\fR +character .RE -.RS 12 -.Sp -The prompt specified by the \fB\-p\fR option will override the system -password prompt on systems that support \s-1PAM\s0 unless the -\&\fIpassprompt_override\fR flag is disabled in \fIsudoers\fR. +.RS +.PP +The prompt specified by the +\fB-p\fR +option will override the system password prompt on systems that +support PAM unless the +\fIpassprompt_override\fR +flag is disabled in +\fIsudoers\fR. +.PP .RE -.if \n(SL \{\ -.IP "\-r \fIrole\fR" 12 -.IX Item "-r role" -The \fB\-r\fR (\fIrole\fR) option causes the new (SELinux) security context to -have the role specified by \fIrole\fR. -\} -.IP "\-S" 12 -.IX Item "-S" -The \fB\-S\fR (\fIstdin\fR) option causes \fBsudo\fR to read the password from -the standard input instead of the terminal device. The password must -be followed by a newline character. -.IP "\-s [command]" 12 -.IX Item "-s [command]" -The \fB\-s\fR (\fIshell\fR) option runs the shell specified by the \fI\s-1SHELL\s0\fR +.sp -1v +.TP 12n +\fB-r\fR \fIrole\fR +The +\fB-r\fR (\fIrole\fR) +option causes the new (SELinux) security context to have the role +specified by +\fIrole\fR. +.TP 12n +\fB-S\fR +The +\fB-S\fR (\fIstdin\fR) +option causes +\fBsudo\fR +to read the password from the standard input instead of the terminal +device. +The password must be followed by a newline character. +.TP 12n +\fB-s\fR [\fIcommand\fR] +The +\fB-s\fR (\fIshell\fR) +option runs the shell specified by the +\fRSHELL\fR environment variable if it is set or the shell as specified in the -password database. If a command is specified, it is passed to the -shell for execution via the shell's \fB\-c\fR option. If no command -is specified, an interactive shell is executed. -.if \n(SL \{\ -.IP "\-t \fItype\fR" 12 -.IX Item "-t type" -The \fB\-t\fR (\fItype\fR) option causes the new (SELinux) security context to -have the type specified by \fItype\fR. If no type is specified, the default -type is derived from the specified role. -\} -.IP "\-U \fIuser\fR" 12 -.IX Item "-U user" -The \fB\-U\fR (\fIother user\fR) option is used in conjunction with the -\&\fB\-l\fR option to specify the user whose privileges should be listed. +password database. +If a command is specified, it is passed to the shell for execution +via the shell's +\fB-c\fR +option. +If no command is specified, an interactive shell is executed. +.TP 12n +\fB-t\fR \fItype\fR +The +\fB-t\fR (\fItype\fR) +option causes the new (SELinux) security context to have the type +specified by +\fItype\fR. +If no type is specified, the default type is derived from the +specified role. +.TP 12n +\fB-U\fR \fIuser\fR +The +\fB-U\fR (\fIother user\fR) +option is used in conjunction with the +\fB-l\fR +option to specify the user whose privileges should be listed. The security policy may restrict listing other users' privileges. -The \fIsudoers\fR policy only allows root or a user with the \f(CW\*(C`ALL\*(C'\fR +The +\fIsudoers\fR +policy only allows root or a user with the +\fRALL\fR privilege on the current host to use this option. -.IP "\-u \fIuser\fR" 12 -.IX Item "-u user" -The \fB\-u\fR (\fIuser\fR) option causes \fBsudo\fR to run the specified -command as a user other than \fIroot\fR. To specify a \fIuid\fR instead -of a \fIuser name\fR, use \fI#uid\fR. When running commands as a \fIuid\fR, -many shells require that the '#' be escaped with a backslash ('\e'). -Security policies may restrict \fIuid\fRs to those listed in the -password database. The \fIsudoers\fR policy allows \fIuid\fRs that are -not in the password database as long as the \fItargetpw\fR option is -not set. Other security policies may not support this. -.IP "\-V" 12 -.IX Item "-V" -The \fB\-V\fR (\fIversion\fR) option causes \fBsudo\fR to print its version -string and the version string of the security policy plugin and any -I/O plugins. If the invoking user is already root the \fB\-V\fR option -will display the arguments passed to configure when \fBsudo\fR was -built and plugins may display more verbose information such as +.TP 12n +\fB-u\fR \fIuser\fR +The +\fB-u\fR (\fIuser\fR) +option causes +\fBsudo\fR +to run the specified command as a user other than +\fIroot\fR. +To specify a +\fIuid\fR +instead of a +\fIuser name\fR, +\fI#uid\fR. +When running commands as a +\fIuid\fR, +many shells require that the +`#' +be escaped with a backslash +(`\e'). +Security policies may restrict +\fIuid\fRs +to those listed in the password database. +The +\fIsudoers\fR +policy allows +\fIuid\fRs +that are not in the password database as long as the +\fItargetpw\fR +option is not set. +Other security policies may not support this. +.TP 12n +\fB-V\fR +The +\fB-V\fR (\fIversion\fR) +option causes +\fBsudo\fR +to print its version string and the version string of the security +policy plugin and any I/O plugins. +If the invoking user is already root the +\fB-V\fR +option will display the arguments passed to configure when +\fBsudo\fR +was built and plugins may display more verbose information such as default options. -.IP "\-v" 12 -.IX Item "-v" -When given the \fB\-v\fR (\fIvalidate\fR) option, \fBsudo\fR will update the -user's cached credentials, authenticating the user's password if -necessary. For the \fIsudoers\fR plugin, this extends the \fBsudo\fR -timeout for another \f(CW\*(C`@timeout@\*(C'\fR minutes (or whatever the timeout -is set to by the security policy) but does not run a command. Not all -security policies support cached credentials. -.IP "\-\-" 12 -The \fB\-\-\fR option indicates that \fBsudo\fR should stop processing command -line arguments. +.TP 12n +\fB-v\fR +When given the +\fB-v\fR (\fIvalidate\fR) +option, +\fBsudo\fR +will update the user's cached credentials, authenticating the user's +password if necessary. +For the +\fIsudoers\fR +plugin, this extends the +\fBsudo\fR +timeout for another +\fR@timeout@\fR +minutes (or whatever the timeout is set to by the security policy) +but does not run a command. +Not all security policies support cached credentials. +.TP 12n +\fB--\fR +The +\fB--\fR +option indicates that +\fBsudo\fR +should stop processing command line arguments. .PP Environment variables to be set for the command may also be passed -on the command line in the form of \fB\s-1VAR\s0\fR=\fIvalue\fR, e.g. -\&\fB\s-1LD_LIBRARY_PATH\s0\fR=\fI/usr/local/pkg/lib\fR. Variables passed on the -command line are subject to the same restrictions as normal environment -variables with one important exception. If the \fIsetenv\fR option -is set in \fIsudoers\fR, the command to be run has the \f(CW\*(C`SETENV\*(C'\fR tag -set or the command matched is \f(CW\*(C`ALL\*(C'\fR, the user may set variables -that would otherwise be forbidden. See \fIsudoers\fR\|(@mansectform@) for more information. +on the command line in the form of +\fBVAR\fR=\fIvalue\fR, +e.g.\& +\fBLD_LIBRARY_PATH\fR=\fI/usr/local/pkg/lib\fR. +Variables passed on the command line are subject to the same +restrictions as normal environment variables with one important +exception. +If the +\fIsetenv\fR +option is set in +\fIsudoers\fR, +the command to be run has the +\fRSETENV\fR +tag set or the command matched is +\fRALL\fR, +the user may set variables that would otherwise be forbidden. +See +sudoers(@mansectform@) +for more information. .SH "PLUGINS" -.IX Header "PLUGINS" Plugins are dynamically loaded based on the contents of the -\&\fI@sysconfdir@/sudo.conf\fR file. If no \fI@sysconfdir@/sudo.conf\fR -file is present, or it contains no \f(CW\*(C`Plugin\*(C'\fR lines, \fBsudo\fR -will use the traditional \fIsudoers\fR security policy and I/O logging, -which corresponds to the following \fI@sysconfdir@/sudo.conf\fR file. +\fI@sysconfdir@/sudo.conf\fR +file. +If no +\fI@sysconfdir@/sudo.conf\fR +file is present, or it contains no +\fRPlugin\fR +lines, +\fBsudo\fR +will use the traditional +\fIsudoers\fR +security policy and I/O logging, which corresponds to the following +\fI@sysconfdir@/sudo.conf\fR +file. +.nf +.sp +.RS 0n +# +# Default @sysconfdir@/sudo.conf file +# +# Format: +# Plugin plugin_name plugin_path plugin_options ... +# Path askpass /path/to/askpass +# Path noexec /path/to/sudo_noexec.so +# Debug sudo /var/log/sudo_debug all@warn +# Set disable_coredump true +# +# The plugin_path is relative to @prefix@/libexec unless +# fully qualified. +# The plugin_name corresponds to a global symbol in the plugin +# that contains the plugin interface structure. +# The plugin_options are optional. +# +Plugin policy_plugin sudoers.so +Plugin io_plugin sudoers.so +.RE +.fi .PP -.Vb 10 -\& # -\& # Default @sysconfdir@/sudo.conf file -\& # -\& # Format: -\& # Plugin plugin_name plugin_path plugin_options ... -\& # Path askpass /path/to/askpass -\& # Path noexec /path/to/sudo_noexec.so -\& # Debug sudo /var/log/sudo_debug all@warn -\& # Set disable_coredump true -\& # -\& # The plugin_path is relative to @prefix@/libexec unless -\& # fully qualified. -\& # The plugin_name corresponds to a global symbol in the plugin -\& # that contains the plugin interface structure. -\& # The plugin_options are optional. -\& # -\& Plugin policy_plugin sudoers.so -\& Plugin io_plugin sudoers.so -.Ve +A +\fRPlugin\fR +line consists of the +\fRPlugin\fR +keyword, followed by the +\fIsymbol_name\fR +and the +\fIpath\fR +to the shared object containing the plugin. +The +\fIsymbol_name\fR +is the name of the +\fRstruct policy_plugin\fR +or +\fRstruct io_plugin\fR +in the plugin shared object. +The +\fIpath\fR +may be fully qualified or relative. +If not fully qualified it is relative to the +\fI@prefix@/libexec\fR +directory. +Any additional parameters after the +\fIpath\fR +are passed as arguments to the plugin's +\fIopen\fR +function. +Lines that don't begin with +\fRPlugin\fR, +\fRPath\fR, +\fRDebug\fR, +or +\fRSet\fR +are silently ignored. .PP -A \f(CW\*(C`Plugin\*(C'\fR line consists of the \f(CW\*(C`Plugin\*(C'\fR keyword, followed by the -\&\fIsymbol_name\fR and the \fIpath\fR to the shared object containing the -plugin. The \fIsymbol_name\fR is the name of the \f(CW\*(C`struct policy_plugin\*(C'\fR -or \f(CW\*(C`struct io_plugin\*(C'\fR in the plugin shared object. The \fIpath\fR -may be fully qualified or relative. If not fully qualified it is -relative to the \fI@prefix@/libexec\fR directory. Any additional -parameters after the \fIpath\fR are passed as arguments to the plugin's -\&\fIopen\fR function. Lines that don't begin with \f(CW\*(C`Plugin\*(C'\fR, \f(CW\*(C`Path\*(C'\fR, -\&\f(CW\*(C`Debug\*(C'\fR or \f(CW\*(C`Set\*(C'\fR are silently ignored. -.PP -For more information, see the \fIsudo_plugin\fR\|(@mansectsu@) manual. +For more information, see the +sudo_plugin(@mansectsu@) +manual. .SH "PATHS" -.IX Header "PATHS" -A \f(CW\*(C`Path\*(C'\fR line consists of the \f(CW\*(C`Path\*(C'\fR keyword, followed by the -name of the path to set and its value. E.g. -.PP -.Vb 2 -\& Path noexec @noexec_file@ -\& Path askpass /usr/X11R6/bin/ssh\-askpass -.Ve +A +\fRPath\fR +line consists of the +\fRPath\fR +keyword, followed by the name of the path to set and its value. +E.g. +.nf +.sp +.RS 6n +Path noexec @noexec_file@ +Path askpass /usr/X11R6/bin/ssh-askpass +.RE +.fi .PP The following plugin-agnostic paths may be set in the -\&\fI@sysconfdir@/sudo.conf\fR file. -.IP "askpass" 16 -.IX Item "askpass" +\fI@sysconfdir@/sudo.conf\fR +file: +.TP 10n +askpass The fully qualified path to a helper program used to read the user's -password when no terminal is available. This may be the case when -\&\fBsudo\fR is executed from a graphical (as opposed to text-based) -application. The program specified by \fIaskpass\fR should display -the argument passed to it as the prompt and write the user's password -to the standard output. The value of \fIaskpass\fR may be overridden -by the \f(CW\*(C`SUDO_ASKPASS\*(C'\fR environment variable. -.IP "noexec" 16 -.IX Item "noexec" +password when no terminal is available. +This may be the case when +\fBsudo\fR +is executed from a graphical (as opposed to text-based) application. +The program specified by +\fIaskpass\fR +should display the argument passed to it as the prompt and write +the user's password to the standard output. +The value of +\fIaskpass\fR +may be overridden by the +\fRSUDO_ASKPASS\fR +environment variable. +.TP 10n +noexec The fully-qualified path to a shared library containing dummy -versions of the \fIexecv()\fR, \fIexecve()\fR and \fIfexecve()\fR library functions -that just return an error. This is used to implement the \fInoexec\fR -functionality on systems that support \f(CW\*(C`LD_PRELOAD\*(C'\fR or its equivalent. -Defaults to \fI@noexec_file@\fR. +versions of the +\fBexecv\fR(), +\fBexecve\fR() +and +\fBfexecve\fR() +library functions that just return an error. +This is used to implement the +\fInoexec\fR +functionality on systems that support +\fRLD_PRELOAD\fR +or its equivalent. +Defaults to +\fI@noexec_file@\fR. .SH "DEBUG FLAGS" -.IX Header "DEBUG FLAGS" -\&\fBsudo\fR versions 1.8.4 and higher support a flexible debugging -framework that can help track down what \fBsudo\fR is doing internally -if there is a problem. +\fBsudo\fR +versions 1.8.4 and higher support a flexible debugging framework +that can help track down what +\fBsudo\fR +is doing internally if there is a problem. .PP -A \f(CW\*(C`Debug\*(C'\fR line consists of the \f(CW\*(C`Debug\*(C'\fR keyword, followed by the -name of the program to debug (\fBsudo\fR, \fBvisudo\fR, \fBsudoreplay\fR), +A +\fRDebug\fR +line consists of the +\fRDebug\fR +keyword, followed by the name of the program to debug +(\fBsudo\fR, \fBvisudo\fR, \fBsudoreplay\fR), the debug file name and a comma-separated list of debug flags. -The debug flag syntax used by \fBsudo\fR and the \fIsudoers\fR plugin is -\&\fIsubsystem\fR@\fIpriority\fR but the plugin is free to use a different -format so long as it does not include a comma (`\f(CW\*(C`,\*(C'\fR'). +The debug flag syntax used by +\fBsudo\fR +and the +\fIsudoers\fR +plugin is +\fIsubsystem\fR@\fIpriority\fR +but the plugin is free to use a different format so long as it does +not include a comma +(`\&,'). .PP For instance: +.nf +.sp +.RS 6n +Debug sudo /var/log/sudo_debug all@warn,plugin@info +.RE +.fi .PP -.Vb 1 -\& Debug sudo /var/log/sudo_debug all@warn,plugin@info -.Ve +would log all debugging statements at the +\fIwarn\fR +level and higher in addition to those at the +\fIinfo\fR +level for the plugin subsystem. .PP -would log all debugging statements at the \fIwarn\fR level and higher -in addition to those at the \fIinfo\fR level for the plugin subsystem. +Currently, only one +\fRDebug\fR +entry per program is supported. +The +\fBsudo\fR +\fRDebug\fR +entry is shared by the +\fBsudo\fR +front end, +\fBsudoedit\fR +and the plugins. +A future release may add support for per-plugin +\fRDebug\fR +lines and/or support for multiple debugging files for a single +program. .PP -Currently, only one \f(CW\*(C`Debug\*(C'\fR entry per program is supported. The -\&\f(CW\*(C`sudo\*(C'\fR \f(CW\*(C`Debug\*(C'\fR entry is shared by the \fBsudo\fR front end, \fBsudoedit\fR -and the plugins. A future release may add support for per-plugin -\&\f(CW\*(C`Debug\*(C'\fR lines and/or support for multiple debugging files for a -single program. +The priorities used by the +\fBsudo\fR +front end, in order of decreasing severity, are: +\fIcrit\fR, \fIerr\fR, \fIwarn\fR, \fInotice\fR, \fIdiag\fR, \fIinfo\fR, \fItrace\fR +and +\fIdebug\fR. +Each priority, when specified, also includes all priorities higher +than it. +For example, a priority of +\fInotice\fR +would include debug messages logged at +\fInotice\fR +and higher. .PP -The priorities used by the \fBsudo\fR front end, in order of decreasing -severity, are: \fIcrit\fR, \fIerr\fR, \fIwarn\fR, \fInotice\fR, \fIdiag\fR, \fIinfo\fR, -\&\fItrace\fR and \fIdebug\fR. Each priority, when specified, also includes -all priorities higher than it. For example, a priority of \fInotice\fR -would include debug messages logged at \fInotice\fR and higher. -.PP -The following subsystems are used by \fBsudo\fR: -.IP "\fIall\fR" 10 -.IX Item "all" +The following subsystems are used by the +\fBsudo\fR +front-end: +.TP 12n +\fIall\fR matches every subsystem -.IP "\fIargs\fR" 10 -.IX Item "args" +.TP 12n +\fIargs\fR command line argument processing -.IP "\fIconv\fR" 10 -.IX Item "conv" +.TP 12n +\fIconv\fR user conversation -.IP "\fIedit\fR" 10 -.IX Item "edit" +.TP 12n +\fIedit\fR sudoedit -.IP "\fIexec\fR" 10 -.IX Item "exec" +.TP 12n +\fIexec\fR command execution -.IP "\fImain\fR" 10 -.IX Item "main" -\&\fBsudo\fR main function -.IP "\fInetif\fR" 10 -.IX Item "netif" +.TP 12n +\fImain\fR +\fBsudo\fR +main function +.TP 12n +\fInetif\fR network interface handling -.IP "\fIpcomm\fR" 10 -.IX Item "pcomm" +.TP 12n +\fIpcomm\fR communication with the plugin -.IP "\fIplugin\fR" 10 -.IX Item "plugin" +.TP 12n +\fIplugin\fR plugin configuration -.IP "\fIpty\fR" 10 -.IX Item "pty" +.TP 12n +\fIpty\fR pseudo-tty related code -.IP "\fIselinux\fR" 10 -.IX Item "selinux" +.TP 12n +\fIselinux\fR SELinux-specific handling -.IP "\fIutil\fR" 10 -.IX Item "util" +.TP 12n +\fIutil\fR utility functions -.IP "\fIutmp\fR" 10 -.IX Item "utmp" +.TP 12n +\fIutmp\fR utmp handling .SH "EXIT VALUE" -.IX Header "EXIT VALUE" -Upon successful execution of a program, the exit status from \fBsudo\fR +Upon successful execution of a program, the exit status from +\fIsudo\fR will simply be the exit status of the program that was executed. .PP -Otherwise, \fBsudo\fR exits with a value of 1 if there is a -configuration/permission problem or if \fBsudo\fR cannot execute the -given command. In the latter case the error string is printed to -the standard error. If \fBsudo\fR cannot \fIstat\fR\|(2) one or more entries -in the user's \f(CW\*(C`PATH\*(C'\fR, an error is printed on stderr. (If the -directory does not exist or if it is not really a directory, the -entry is ignored and no error is printed.) This should not happen -under normal circumstances. The most common reason for \fIstat\fR\|(2) -to return \*(L"permission denied\*(R" is if you are running an automounter -and one of the directories in your \f(CW\*(C`PATH\*(C'\fR is on a machine that is -currently unreachable. +Otherwise, +\fBsudo\fR +exits with a value of 1 if there is a configuration/permission +problem or if +\fBsudo\fR +cannot execute the given command. +In the latter case the error string is printed to the standard error. +If +\fBsudo\fR +cannot +stat(2) +one or more entries in the user's +\fRPATH\fR, +an error is printed on stderr. +(If the directory does not exist or if it is not really a directory, +the entry is ignored and no error is printed.) +This should not happen under normal circumstances. +The most common reason for +stat(2) +to return +``permission denied'' +is if you are running an automounter and one of the directories in +your +\fRPATH\fR +is on a machine that is currently unreachable. .SH "SECURITY NOTES" -.IX Header "SECURITY NOTES" -\&\fBsudo\fR tries to be safe when executing external commands. +\fBsudo\fR +tries to be safe when executing external commands. .PP -To prevent command spoofing, \fBsudo\fR checks \*(L".\*(R" and "" (both denoting -current directory) last when searching for a command in the user's -\&\s-1PATH\s0 (if one or both are in the \s-1PATH\s0). Note, however, that the -actual \f(CW\*(C`PATH\*(C'\fR environment variable is \fInot\fR modified and is passed -unchanged to the program that \fBsudo\fR executes. +To prevent command spoofing, +\fBsudo\fR +checks "." and "" (both denoting current directory) last when +searching for a command in the user's +\fRPATH (if one or both are in the\fR +\fRPATH\fR). +Note, however, that the actual +\fRPATH\fR +environment variable is +\fInot\fR +modified and is passed unchanged to the program that +\fBsudo\fR +executes. .PP -Please note that \fBsudo\fR will normally only log the command it -explicitly runs. If a user runs a command such as \f(CW\*(C`sudo su\*(C'\fR or -\&\f(CW\*(C`sudo sh\*(C'\fR, subsequent commands run from that shell are not subject -to \fBsudo\fR's security policy. The same is true for commands that -offer shell escapes (including most editors). If I/O logging is -enabled, subsequent commands will have their input and/or output -logged, but there will not be traditional logs for those commands. -Because of this, care must be taken when giving users access to -commands via \fBsudo\fR to verify that the command does not inadvertently -give the user an effective root shell. For more information, please -see the \f(CW\*(C`PREVENTING SHELL ESCAPES\*(C'\fR section in \fIsudoers\fR\|(@mansectform@). +Please note that +\fBsudo\fR +will normally only log the command it explicitly runs. +If a user runs a command such as +\fRsudo su\fR +or +\fRsudo sh\fR, +subsequent commands run from that shell are not subject to +\fBsudo\fR's +security policy. +The same is true for commands that offer shell escapes (including +most editors). +If I/O logging is enabled, subsequent commands will have their input and/or +output logged, but there will not be traditional logs for those commands. +Because of this, care must be taken when giving users access to commands via +\fBsudo\fR +to verify that the command does not inadvertently give the user an +effective root shell. +For more information, please see the +\fIPREVENTING SHELL ESCAPES\fR +section in +sudoers(@mansectform@). .PP To prevent the disclosure of potentially sensitive information, -\&\fBsudo\fR disables core dumps by default while it is executing (they -are re-enabled for the command that is run). To aid in debugging -\&\fBsudo\fR crashes, you may wish to re-enable core dumps by setting -\&\*(L"disable_coredump\*(R" to false in the \fI@sysconfdir@/sudo.conf\fR file. -.PP -.Vb 1 -\& Set disable_coredump false -.Ve +\fBsudo\fR +disables core dumps by default while it is executing (they are +re-enabled for the command that is run). +To aid in debugging +\fBsudo\fR +crashes, you may wish to re-enable core dumps by setting +``disable_coredump'' +to false in the +\fI@sysconfdir@/sudo.conf\fR +file as follows: +.nf +.sp +.RS 6n +Set disable_coredump false +.RE +.fi .PP Note that by default, most operating systems disable core dumps -from setuid programs, which includes \fBsudo\fR. To actually get a -\&\fBsudo\fR core file you may need to enable core dumps for setuid -processes. On \s-1BSD\s0 and Linux systems this is accomplished via the -sysctl command, on Solaris the coreadm command can be used. +from setuid programs, which includes +\fBsudo\fR. +To actually get a +\fBsudo\fR +core file you may need to enable core dumps for setuid processes. +On BSD and Linux systems this is accomplished via the sysctl command, +on Solaris the coreadm command can be used. .SH "ENVIRONMENT" -.IX Header "ENVIRONMENT" -\&\fBsudo\fR utilizes the following environment variables. The security -policy has control over the content of the command's environment. -.ie n .IP "\*(C`EDITOR\*(C'" 16 -.el .IP "\f(CW\*(C`EDITOR\*(C'\fR" 16 -.IX Item "EDITOR" -Default editor to use in \fB\-e\fR (sudoedit) mode if neither \f(CW\*(C`SUDO_EDITOR\*(C'\fR -nor \f(CW\*(C`VISUAL\*(C'\fR is set. -.ie n .IP "\*(C`MAIL\*(C'" 16 -.el .IP "\f(CW\*(C`MAIL\*(C'\fR" 16 -.IX Item "MAIL" -In \fB\-i\fR mode or when \fIenv_reset\fR is enabled in \fIsudoers\fR, set -to the mail spool of the target user. -.ie n .IP "\*(C`HOME\*(C'" 16 -.el .IP "\f(CW\*(C`HOME\*(C'\fR" 16 -.IX Item "HOME" -Set to the home directory of the target user if \fB\-i\fR or \fB\-H\fR are -specified, \fIenv_reset\fR or \fIalways_set_home\fR are set in \fIsudoers\fR, -or when the \fB\-s\fR option is specified and \fIset_home\fR is set in -\&\fIsudoers\fR. -.ie n .IP "\*(C`PATH\*(C'" 16 -.el .IP "\f(CW\*(C`PATH\*(C'\fR" 16 -.IX Item "PATH" +\fBsudo\fR +utilizes the following environment variables. +The security policy has control over the actual content of the command's +environment. +.TP 17n +\fREDITOR\fR +Default editor to use in +\fB-e\fR +(sudoedit) mode if neither +\fRSUDO_EDITOR\fR +nor +\fRVISUAL\fR +is set. +.TP 17n +\fRMAIL\fR +In +\fB-i\fR +mode or when +\fIenv_reset\fR +is enabled in +\fIsudoers\fR, +set to the mail spool of the target user. +.TP 17n +\fRHOME\fR +Set to the home directory of the target user if +\fB-i\fR +or +\fB-H\fR +are specified, +\fIenv_reset\fR +or +\fIalways_set_home\fR +are set in +\fIsudoers\fR, +or when the +\fB-s\fR +option is specified and +\fIset_home\fR +is set in +\fIsudoers\fR. +.TP 17n +\fRPATH\fR May be overridden by the security policy. -.ie n .IP "\*(C`SHELL\*(C'" 16 -.el .IP "\f(CW\*(C`SHELL\*(C'\fR" 16 -.IX Item "SHELL" -Used to determine shell to run with \fB\-s\fR option. -.ie n .IP "\*(C`SUDO_ASKPASS\*(C'" 16 -.el .IP "\f(CW\*(C`SUDO_ASKPASS\*(C'\fR" 16 -.IX Item "SUDO_ASKPASS" +.TP 17n +\fRSHELL\fR +Used to determine shell to run with +\fB-s\fR +option. +.TP 17n +\fRSUDO_ASKPASS\fR Specifies the path to a helper program used to read the password -if no terminal is available or if the \fB\-A\fR option is specified. -.ie n .IP "\*(C`SUDO_COMMAND\*(C'" 16 -.el .IP "\f(CW\*(C`SUDO_COMMAND\*(C'\fR" 16 -.IX Item "SUDO_COMMAND" +if no terminal is available or if the +\fB-A\fR +option is specified. +.TP 17n +\fRSUDO_COMMAND\fR Set to the command run by sudo. -.ie n .IP "\*(C`SUDO_EDITOR\*(C'" 16 -.el .IP "\f(CW\*(C`SUDO_EDITOR\*(C'\fR" 16 -.IX Item "SUDO_EDITOR" -Default editor to use in \fB\-e\fR (sudoedit) mode. -.ie n .IP "\*(C`SUDO_GID\*(C'" 16 -.el .IP "\f(CW\*(C`SUDO_GID\*(C'\fR" 16 -.IX Item "SUDO_GID" -Set to the group \s-1ID\s0 of the user who invoked sudo. -.ie n .IP "\*(C`SUDO_PROMPT\*(C'" 16 -.el .IP "\f(CW\*(C`SUDO_PROMPT\*(C'\fR" 16 -.IX Item "SUDO_PROMPT" +.TP 17n +\fRSUDO_EDITOR\fR +Default editor to use in +\fB-e\fR +(sudoedit) mode. +.TP 17n +\fRSUDO_GID\fR +Set to the group ID of the user who invoked sudo. +.TP 17n +\fRSUDO_PROMPT\fR Used as the default password prompt. -.ie n .IP "\*(C`SUDO_PS1\*(C'" 16 -.el .IP "\f(CW\*(C`SUDO_PS1\*(C'\fR" 16 -.IX Item "SUDO_PS1" -If set, \f(CW\*(C`PS1\*(C'\fR will be set to its value for the program being run. -.ie n .IP "\*(C`SUDO_UID\*(C'" 16 -.el .IP "\f(CW\*(C`SUDO_UID\*(C'\fR" 16 -.IX Item "SUDO_UID" -Set to the user \s-1ID\s0 of the user who invoked sudo. -.ie n .IP "\*(C`SUDO_USER\*(C'" 16 -.el .IP "\f(CW\*(C`SUDO_USER\*(C'\fR" 16 -.IX Item "SUDO_USER" +.TP 17n +\fRSUDO_PS1\fR +If set, +\fRPS1\fR +will be set to its value for the program being run. +.TP 17n +\fRSUDO_UID\fR +Set to the user ID of the user who invoked sudo. +.TP 17n +\fRSUDO_USER\fR Set to the login name of the user who invoked sudo. -.ie n .IP "\*(C`USER\*(C'" 16 -.el .IP "\f(CW\*(C`USER\*(C'\fR" 16 -.IX Item "USER" -Set to the target user (root unless the \fB\-u\fR option is specified). -.ie n .IP "\*(C`VISUAL\*(C'" 16 -.el .IP "\f(CW\*(C`VISUAL\*(C'\fR" 16 -.IX Item "VISUAL" -Default editor to use in \fB\-e\fR (sudoedit) mode if \f(CW\*(C`SUDO_EDITOR\*(C'\fR +.TP 17n +\fRUSER\fR +Set to the target user (root unless the +\fB-u\fR +option is specified). +.TP 17n +\fRVISUAL\fR +Default editor to use in +\fB-e\fR +(sudoedit) mode if +\fRSUDO_EDITOR\fR is not set. .SH "FILES" -.IX Header "FILES" -.ie n .IP "\fI@sysconfdir@/sudo.conf\fR" 24 -.el .IP "\fI@sysconfdir@/sudo.conf\fR" 24 -.IX Item "@sysconfdir@/sudo.conf" -\&\fBsudo\fR front end configuration +.TP 26n +\fI@sysconfdir@/sudo.conf\fR +\fBsudo\fR +front end configuration .SH "EXAMPLES" -.IX Header "EXAMPLES" -Note: the following examples assume a properly configured security policy. +Note: the following examples assume a properly configured security +policy. .PP To get a file listing of an unreadable directory: +.nf +.sp +.RS 6n +$ sudo ls /usr/local/protected +.RE +.fi .PP -.Vb 1 -\& $ sudo ls /usr/local/protected -.Ve +To list the home directory of user yaz on a machine where the file +system holding ~yaz is not exported as root: +.nf +.sp +.RS 6n +$ sudo -u yaz ls ~yaz +.RE +.fi .PP -To list the home directory of user yaz on a machine where the -file system holding ~yaz is not exported as root: +To edit the +\fIindex.html\fR +file as user www: +.nf +.sp +.RS 6n +$ sudo -u www vi ~www/htdocs/index.html +.RE +.fi .PP -.Vb 1 -\& $ sudo \-u yaz ls ~yaz -.Ve -.PP -To edit the \fIindex.html\fR file as user www: -.PP -.Vb 1 -\& $ sudo \-u www vi ~www/htdocs/index.html -.Ve -.PP -To view system logs only accessible to root and users in the adm group: -.PP -.Vb 1 -\& $ sudo \-g adm view /var/log/syslog -.Ve +To view system logs only accessible to root and users in the adm +group: +.nf +.sp +.RS 6n +$ sudo -g adm view /var/log/syslog +.RE +.fi .PP To run an editor as jim with a different primary group: +.nf +.sp +.RS 6n +$ sudo -u jim -g audio vi ~jim/sound.txt +.RE +.fi .PP -.Vb 1 -\& $ sudo \-u jim \-g audio vi ~jim/sound.txt -.Ve +To shut down a machine: +.nf +.sp +.RS 6n +$ sudo shutdown -r +15 "quick reboot" +.RE +.fi .PP -To shutdown a machine: -.PP -.Vb 1 -\& $ sudo shutdown \-r +15 "quick reboot" -.Ve -.PP -To make a usage listing of the directories in the /home -partition. Note that this runs the commands in a sub-shell -to make the \f(CW\*(C`cd\*(C'\fR and file redirection work. -.PP -.Vb 1 -\& $ sudo sh \-c "cd /home ; du \-s * | sort \-rn > USAGE" -.Ve +To make a usage listing of the directories in the /home partition. +Note that this runs the commands in a sub-shell to make the +\fRcd\fR +and file redirection work. +.nf +.sp +.RS 6n +$ sudo sh -c "cd /home ; du -s * | sort -rn > USAGE" +.RE +.fi .SH "SEE ALSO" -.IX Header "SEE ALSO" -\&\fIgrep\fR\|(1), \fIsu\fR\|(1), \fIstat\fR\|(2), -.if \n(LC \&\fIlogin_cap\fR\|(3), -\&\fIpasswd\fR\|(@mansectform@), \fIsudoers\fR\|(@mansectform@), \fIsudo_plugin\fR\|(@mansectsu@), \fIsudoreplay\fR\|(@mansectsu@), \fIvisudo\fR\|(@mansectsu@) +grep(1), +su(1), +stat(2), +login_cap(3), +passwd(@mansectform@), +sudoers(@mansectform@), +sudo_plugin(@mansectsu@), +sudoreplay(@mansectsu@), +visudo(@mansectsu@) .SH "HISTORY" -.IX Header "HISTORY" -See the \s-1HISTORY\s0 file in the \fBsudo\fR distribution -(http://www.sudo.ws/sudo/history.html) for a brief history of sudo. +See the HISTORY file in the +\fBsudo\fR +distribution (http://www.sudo.ws/sudo/history.html) for a brief +history of sudo. .SH "AUTHORS" -.IX Header "AUTHORS" -Many people have worked on \fBsudo\fR over the years; this -version consists of code written primarily by: +Many people have worked on +\fBsudo\fR +over the years; this version consists of code written primarily by: +.sp +.RS 6n +Todd C. Miller +.RE .PP -.Vb 1 -\& Todd C. Miller -.Ve -.PP -See the \s-1CONTRIBUTORS\s0 file in the \fBsudo\fR distribution -(http://www.sudo.ws/sudo/contributors.html) for an exhaustive list of people -who have contributed to \fBsudo\fR. +See the CONTRIBUTORS file in the +\fBsudo\fR +distribution (http://www.sudo.ws/sudo/contributors.html) for an +exhaustive list of people who have contributed to +\fBsudo\fR. .SH "CAVEATS" -.IX Header "CAVEATS" There is no easy way to prevent a user from gaining a root shell -if that user is allowed to run arbitrary commands via \fBsudo\fR. +if that user is allowed to run arbitrary commands via +\fBsudo\fR. Also, many programs (such as editors) allow the user to run commands -via shell escapes, thus avoiding \fBsudo\fR's checks. However, on -most systems it is possible to prevent shell escapes with the -\&\fIsudoers\fR\|(@mansectform@) module's \fInoexec\fR functionality. +via shell escapes, thus avoiding +\fBsudo\fR's +checks. +However, on most systems it is possible to prevent shell escapes with the +sudoers(@mansectform@) +module's +\fInoexec\fR +functionality. .PP -It is not meaningful to run the \f(CW\*(C`cd\*(C'\fR command directly via sudo, e.g., -.PP -.Vb 1 -\& $ sudo cd /usr/local/protected -.Ve +It is not meaningful to run the +\fRcd\fR +command directly via sudo, e.g., +.nf +.sp +.RS 6n +$ sudo cd /usr/local/protected +.RE +.fi .PP since when the command exits the parent process (your shell) will -still be the same. Please see the \s-1EXAMPLES\s0 section for more information. +still be the same. +Please see the +\fIEXAMPLES\fR +section for more information. .PP -Running shell scripts via \fBsudo\fR can expose the same kernel bugs that -make setuid shell scripts unsafe on some operating systems (if your \s-1OS\s0 -has a /dev/fd/ directory, setuid shell scripts are generally safe). +Running shell scripts via +\fBsudo\fR +can expose the same kernel bugs that make setuid shell scripts +unsafe on some operating systems (if your OS has a /dev/fd/ directory, +setuid shell scripts are generally safe). .SH "BUGS" -.IX Header "BUGS" -If you feel you have found a bug in \fBsudo\fR, please submit a bug report -at http://www.sudo.ws/sudo/bugs/ +If you feel you have found a bug in +\fBsudo\fR, +please submit a bug report at http://www.sudo.ws/sudo/bugs/ .SH "SUPPORT" -.IX Header "SUPPORT" Limited free support is available via the sudo-users mailing list, -see http://www.sudo.ws/mailman/listinfo/sudo\-users to subscribe or +see http://www.sudo.ws/mailman/listinfo/sudo-users to subscribe or search the archives. .SH "DISCLAIMER" -.IX Header "DISCLAIMER" -\&\fBsudo\fR is provided ``\s-1AS\s0 \s-1IS\s0'' and any express or implied warranties, -including, but not limited to, the implied warranties of merchantability -and fitness for a particular purpose are disclaimed. See the \s-1LICENSE\s0 -file distributed with \fBsudo\fR or http://www.sudo.ws/sudo/license.html -for complete details. +\fBsudo\fR +is provided +``AS IS'' +and any express or implied warranties, including, but not limited +to, the implied warranties of merchantability and fitness for a +particular purpose are disclaimed. +See the LICENSE file distributed with +\fBsudo\fR +or http://www.sudo.ws/sudo/license.html for complete details. diff --git a/doc/sudo.mdoc.in b/doc/sudo.mdoc.in index 14ddbaaaa..f305ca302 100644 --- a/doc/sudo.mdoc.in +++ b/doc/sudo.mdoc.in @@ -20,8 +20,8 @@ .\" Materiel Command, USAF, under agreement number F39502-99-1-0512. .\" .Dd July 10, 2012 -.Dt SUDO 8 -.Os +.Dt SUDO @mansectsu@ +.Os Sudo @PACKAGE_VERSION@ .Sh NAME .Nm sudo , .Nm sudoedit @@ -172,7 +172,7 @@ The policy caches credentials for .Li @timeout@ minutes, unless overridden in -.Xr sudoers 5 . +.Xr sudoers @mansectform@ . By running .Nm sudo with the @@ -332,7 +332,7 @@ or .Ev EDITOR are set, the first program listed in the .Em editor -.Xr sudoers 5 +.Xr sudoers @mansectform@ option is used. .It If they have been modified, the temporary files are copied back to @@ -416,7 +416,7 @@ set of variables, similar to what is present when a user logs in. The .Em Command Environment section in the -.Xr sudoers 5 +.Xr sudoers @mansectform@ manual documents how the .Fl i option affects the environment in which a command is run when the @@ -523,7 +523,7 @@ expanded to the host name including the domain name (on if the machine's host name is fully qualified or the .Em fqdn option is set in -.Xr sudoers 5 ) +.Xr sudoers @mansectform@ ) .It Li %h expanded to the local host name without the domain name .It Li %p @@ -534,7 +534,7 @@ expanded to the name of the user whose password is being requested and .Em runaspw flags in -.Xr sudoers 5 ) +.Xr sudoers @mansectform@ ) .It Li %U expanded to the login name of the user the command will be run as (defaults to root unless the @@ -687,7 +687,7 @@ tag set or the command matched is .Li ALL , the user may set variables that would otherwise be forbidden. See -.Xr sudoers 5 +.Xr sudoers @mansectform@ for more information. .Sh PLUGINS Plugins are dynamically loaded based on the contents of the @@ -761,7 +761,7 @@ or are silently ignored. .Pp For more information, see the -.Xr sudo_plugin 8 +.Xr sudo_plugin @mansectsu@ manual. .Sh PATHS A @@ -976,7 +976,7 @@ effective root shell. For more information, please see the .Em PREVENTING SHELL ESCAPES section in -.Xr sudoers 5 . +.Xr sudoers @mansectform@ . .Pp To prevent the disclosure of potentially sensitive information, .Nm sudo @@ -1136,11 +1136,11 @@ $ sudo sh -c "cd /home ; du -s * | sort -rn > USAGE" .Xr su 1 , .Xr stat 2 , .Xr login_cap 3 , -.Xr passwd 5 , -.Xr sudoers 5 , -.Xr sudo_plugin 8 , -.Xr sudoreplay 8 , -.Xr visudo 8 +.Xr passwd @mansectform@ , +.Xr sudoers @mansectform@ , +.Xr sudo_plugin @mansectsu@ , +.Xr sudoreplay @mansectsu@ , +.Xr visudo @mansectsu@ .Sh HISTORY See the HISTORY file in the .Nm sudo @@ -1168,7 +1168,7 @@ via shell escapes, thus avoiding .Nm sudo No Ns 's checks. However, on most systems it is possible to prevent shell escapes with the -.Xr sudoers 5 +.Xr sudoers @mansectform@ module's .Em noexec functionality. diff --git a/doc/sudo_plugin.cat b/doc/sudo_plugin.cat index 0f139616a..3cf98f8be 100644 --- a/doc/sudo_plugin.cat +++ b/doc/sudo_plugin.cat @@ -1,678 +1,685 @@ -SUDO_PLUGIN(1m) MAINTENANCE COMMANDS SUDO_PLUGIN(1m) - - +SUDO_PLUGIN(4) Programmer's Manual SUDO_PLUGIN(4) NNAAMMEE - sudo_plugin - Sudo Plugin API + ssuuddoo__pplluuggiinn - Sudo Plugin API DDEESSCCRRIIPPTTIIOONN - Starting with version 1.8, ssuuddoo supports a plugin API for policy and - session logging. By default, the _s_u_d_o_e_r_s policy plugin and an - associated I/O logging plugin are used. Via the plugin API, ssuuddoo can - be configured to use alternate policy and/or I/O logging plugins - provided by third parties. The plugins to be used are specified via - the _/_e_t_c_/_s_u_d_o_._c_o_n_f file. + Starting with version 1.8, ssuuddoo supports a plugin API for policy and + session logging. By default, the _s_u_d_o_e_r_s policy plugin and an associated + I/O logging plugin are used. Via the plugin API, ssuuddoo can be configured + to use alternate policy and/or I/O logging plugins provided by third + parties. The plugins to be used are specified via the _/_e_t_c_/_s_u_d_o_._c_o_n_f + file. - The API is versioned with a major and minor number. The minor version - number is incremented when additions are made. The major number is - incremented when incompatible changes are made. A plugin should be - check the version passed to it and make sure that the major version - matches. + The API is versioned with a major and minor number. The minor version + number is incremented when additions are made. The major number is + incremented when incompatible changes are made. A plugin should be check + the version passed to it and make sure that the major version matches. - The plugin API is defined by the sudo_plugin.h header file. + The plugin API is defined by the sudo_plugin.h header file. TThhee ssuuddoo..ccoonnff FFiillee - The _/_e_t_c_/_s_u_d_o_._c_o_n_f file contains plugin configuration directives. The - primary keyword is the Plugin directive, which causes a plugin to be - loaded. + The _/_e_t_c_/_s_u_d_o_._c_o_n_f file contains plugin configuration directives. The + primary keyword is the Plugin directive, which causes a plugin to be + loaded. - A Plugin line consists of the Plugin keyword, followed by the - _s_y_m_b_o_l___n_a_m_e and the _p_a_t_h to the shared object containing the plugin. - The _s_y_m_b_o_l___n_a_m_e is the name of the struct policy_plugin or struct - io_plugin in the plugin shared object. The _p_a_t_h may be fully qualified - or relative. If not fully qualified it is relative to the - _/_u_s_r_/_l_o_c_a_l_/_l_i_b_e_x_e_c directory. Any additional parameters after the _p_a_t_h - are passed as options to the plugin's _o_p_e_n function. Lines that don't - begin with Plugin, Path, Debug or Set are silently ignored. + A Plugin line consists of the Plugin keyword, followed by the _s_y_m_b_o_l___n_a_m_e + and the _p_a_t_h to the shared object containing the plugin. The _s_y_m_b_o_l___n_a_m_e + is the name of the struct policy_plugin or struct io_plugin in the plugin + shared object. The _p_a_t_h may be fully qualified or relative. If not + fully qualified it is relative to the _/_u_s_r_/_l_o_c_a_l_/_l_i_b_e_x_e_c directory. Any + additional parameters after the _p_a_t_h are passed as options to the + plugin's ooppeenn() function. Lines that don't begin with Plugin, Path, + Debug or Set are silently ignored. - The same shared object may contain multiple plugins, each with a - different symbol name. The shared object file must be owned by uid 0 - and only writable by its owner. Because of ambiguities that arise from - composite policies, only a single policy plugin may be specified. This - limitation does not apply to I/O plugins. + The same shared object may contain multiple plugins, each with a + different symbol name. The shared object file must be owned by uid 0 and + only writable by its owner. Because of ambiguities that arise from + composite policies, only a single policy plugin may be specified. This + limitation does not apply to I/O plugins. - # - # Default /etc/sudo.conf file - # - # Format: - # Plugin plugin_name plugin_path plugin_options ... - # Path askpass /path/to/askpass - # Path noexec /path/to/sudo_noexec.so - # Debug sudo /var/log/sudo_debug all@warn - # Set disable_coredump true - # - # The plugin_path is relative to /usr/local/libexec unless - # fully qualified. - # The plugin_name corresponds to a global symbol in the plugin - # that contains the plugin interface structure. - # The plugin_options are optional. - # - Plugin sudoers_policy sudoers.so - Plugin sudoers_io sudoers.so + # + # Default /etc/sudo.conf file + # + # Format: + # Plugin plugin_name plugin_path plugin_options ... + # Path askpass /path/to/askpass + # Path noexec /path/to/sudo_noexec.so + # Debug sudo /var/log/sudo_debug all@warn + # Set disable_coredump true + # + # The plugin_path is relative to /usr/local/libexec unless + # fully qualified. + # The plugin_name corresponds to a global symbol in the plugin + # that contains the plugin interface structure. + # The plugin_options are optional. + # + Plugin sudoers_policy sudoers.so + Plugin sudoers_io sudoers.so PPoolliiccyy PPlluuggiinn AAPPII - A policy plugin must declare and populate a policy_plugin struct in the - global scope. This structure contains pointers to the functions that - implement the ssuuddoo policy checks. The name of the symbol should be - specified in _/_e_t_c_/_s_u_d_o_._c_o_n_f along with a path to the plugin so that - ssuuddoo can load it. + A policy plugin must declare and populate a policy_plugin struct in the + global scope. This structure contains pointers to the functions that + implement the ssuuddoo policy checks. The name of the symbol should be + specified in _/_e_t_c_/_s_u_d_o_._c_o_n_f along with a path to the plugin so that ssuuddoo + can load it. - struct policy_plugin { - #define SUDO_POLICY_PLUGIN 1 - unsigned int type; /* always SUDO_POLICY_PLUGIN */ - unsigned int version; /* always SUDO_API_VERSION */ - int (*open)(unsigned int version, sudo_conv_t conversation, - sudo_printf_t plugin_printf, char * const settings[], - char * const user_info[], char * const user_env[], - char * const plugin_options[]); - void (*close)(int exit_status, int error); - int (*show_version)(int verbose); - int (*check_policy)(int argc, char * const argv[], - char *env_add[], char **command_info[], - char **argv_out[], char **user_env_out[]); - int (*list)(int argc, char * const argv[], int verbose, - const char *list_user); - int (*validate)(void); - void (*invalidate)(int remove); - int (*init_session)(struct passwd *pwd, char **user_env[]); - void (*register_hooks)(int version, - int (*register_hook)(struct sudo_hook *hook)); - void (*deregister_hooks)(int version, - int (*deregister_hook)(struct sudo_hook *hook)); - }; + struct policy_plugin { + #define SUDO_POLICY_PLUGIN 1 + unsigned int type; /* always SUDO_POLICY_PLUGIN */ + unsigned int version; /* always SUDO_API_VERSION */ + int (*open)(unsigned int version, sudo_conv_t conversation, + sudo_printf_t plugin_printf, char * const settings[], + char * const user_info[], char * const user_env[], + char * const plugin_options[]); + void (*close)(int exit_status, int error); + int (*show_version)(int verbose); + int (*check_policy)(int argc, char * const argv[], + char *env_add[], char **command_info[], + char **argv_out[], char **user_env_out[]); + int (*list)(int argc, char * const argv[], int verbose, + const char *list_user); + int (*validate)(void); + void (*invalidate)(int remove); + int (*init_session)(struct passwd *pwd, char **user_env[]); + void (*register_hooks)(int version, + int (*register_hook)(struct sudo_hook *hook)); + void (*deregister_hooks)(int version, + int (*deregister_hook)(struct sudo_hook *hook)); + }; - The policy_plugin struct has the following fields: + The policy_plugin struct has the following fields: - type - The type field should always be set to SUDO_POLICY_PLUGIN. + type The type field should always be set to SUDO_POLICY_PLUGIN. - version + version The version field should be set to SUDO_API_VERSION. This allows ssuuddoo to determine the API version the plugin was built against. - open - int (*open)(unsigned int version, sudo_conv_t conversation, - sudo_printf_t plugin_printf, char * const settings[], - char * const user_info[], char * const user_env[], - char * const plugin_options[]); + open + int (*open)(unsigned int version, sudo_conv_t conversation, + sudo_printf_t plugin_printf, char * const settings[], + char * const user_info[], char * const user_env[], + char * const plugin_options[]); Returns 1 on success, 0 on failure, -1 if a general error occurred, or -2 if there was a usage error. In the latter case, ssuuddoo will print a usage message before it exits. If an error occurs, the - plugin may optionally call the conversation or plugin_printf + plugin may optionally call the ccoonnvveerrssaattiioonn() or pplluuggiinn__pprriinnttff() function with SUDO_CONF_ERROR_MSG to present additional error information to the user. The function arguments are as follows: version - The version passed in by ssuuddoo allows the plugin to determine - the major and minor version number of the plugin API supported - by ssuuddoo. + The version passed in by ssuuddoo allows the plugin to determine + the major and minor version number of the plugin API + supported by ssuuddoo. conversation - A pointer to the conversation function that can be used by the - plugin to interact with the user (see below). Returns 0 on - success and -1 on failure. + A pointer to the ccoonnvveerrssaattiioonn() function that can be used by + the plugin to interact with the user (see below). Returns 0 + on success and -1 on failure. plugin_printf - A pointer to a printf-style function that may be used to - display informational or error messages (see below). Returns - the number of characters printed on success and -1 on failure. + A pointer to a pprriinnttff()-style function that may be used to + display informational or error messages (see below). Returns + the number of characters printed on success and -1 on + failure. settings - A vector of user-supplied ssuuddoo settings in the form of - "name=value" strings. The vector is terminated by a NULL - pointer. These settings correspond to flags the user specified - when running ssuuddoo. As such, they will only be present when the - corresponding flag has been specified on the command line. + A vector of user-supplied ssuuddoo settings in the form of + ``name=value'' strings. The vector is terminated by a NULL + pointer. These settings correspond to flags the user + specified when running ssuuddoo. As such, they will only be + present when the corresponding flag has been specified on the + command line. - When parsing _s_e_t_t_i_n_g_s, the plugin should split on the ffiirrsstt - equal sign ('=') since the _n_a_m_e field will never include one - itself but the _v_a_l_u_e might. + When parsing _s_e_t_t_i_n_g_s, the plugin should split on the ffiirrsstt + equal sign (`=') since the _n_a_m_e field will never include one + itself but the _v_a_l_u_e might. - debug_flags=string - A comma-separated list of debug flags that correspond to - ssuuddoo's Debug entry in _/_e_t_c_/_s_u_d_o_._c_o_n_f, if there is one. The - flags are passed to the plugin as they appear in - _/_e_t_c_/_s_u_d_o_._c_o_n_f. The syntax used by ssuuddoo and the _s_u_d_o_e_r_s - plugin is _s_u_b_s_y_s_t_e_m@_p_r_i_o_r_i_t_y but the plugin is free to use - a different format so long as it does not include a comma - (,). + debug_flags=string + A comma-separated list of debug flags that correspond + to ssuuddoo's Debug entry in _/_e_t_c_/_s_u_d_o_._c_o_n_f, if there is + one. The flags are passed to the plugin as they appear + in _/_e_t_c_/_s_u_d_o_._c_o_n_f. The syntax used by ssuuddoo and the + _s_u_d_o_e_r_s plugin is _s_u_b_s_y_s_t_e_m@_p_r_i_o_r_i_t_y but the plugin is + free to use a different format so long as it does not + include a comma (`,'). - For reference, the priorities supported by the ssuuddoo front - end and _s_u_d_o_e_r_s are: _c_r_i_t, _e_r_r, _w_a_r_n, _n_o_t_i_c_e, _d_i_a_g, _i_n_f_o, - _t_r_a_c_e and _d_e_b_u_g. + For reference, the priorities supported by the ssuuddoo + front end and _s_u_d_o_e_r_s are: _c_r_i_t, _e_r_r, _w_a_r_n, _n_o_t_i_c_e, + _d_i_a_g, _i_n_f_o, _t_r_a_c_e and _d_e_b_u_g. - The following subsystems are defined: _m_a_i_n, _m_e_m_o_r_y, _a_r_g_s, - _e_x_e_c, _p_t_y, _u_t_m_p, _c_o_n_v, _p_c_o_m_m, _u_t_i_l, _l_i_s_t, _n_e_t_i_f, _a_u_d_i_t, - _e_d_i_t, _s_e_l_i_n_u_x, _l_d_a_p, _m_a_t_c_h, _p_a_r_s_e_r, _a_l_i_a_s, _d_e_f_a_u_l_t_s, _a_u_t_h, - _e_n_v, _l_o_g_g_i_n_g, _n_s_s, _r_b_t_r_e_e, _p_e_r_m_s, _p_l_u_g_i_n. The subsystem - _a_l_l includes every subsystem. + The following subsystems are defined: _m_a_i_n, _m_e_m_o_r_y, + _a_r_g_s, _e_x_e_c, _p_t_y, _u_t_m_p, _c_o_n_v, _p_c_o_m_m, _u_t_i_l, _l_i_s_t, _n_e_t_i_f, + _a_u_d_i_t, _e_d_i_t, _s_e_l_i_n_u_x, _l_d_a_p, _m_a_t_c_h, _p_a_r_s_e_r, _a_l_i_a_s, + _d_e_f_a_u_l_t_s, _a_u_t_h, _e_n_v, _l_o_g_g_i_n_g, _n_s_s, _r_b_t_r_e_e, _p_e_r_m_s, + _p_l_u_g_i_n. The subsystem _a_l_l includes every subsystem. - There is not currently a way to specify a set of debug - flags specific to the plugin--the flags are shared by ssuuddoo - and the plugin. + There is not currently a way to specify a set of debug + flags specific to the plugin--the flags are shared by + ssuuddoo and the plugin. - debug_level=number - This setting has been deprecated in favor of _d_e_b_u_g___f_l_a_g_s. + debug_level=number + This setting has been deprecated in favor of + _d_e_b_u_g___f_l_a_g_s. - runas_user=string - The user name or uid to to run the command as, if specified - via the --uu flag. + runas_user=string + The user name or uid to to run the command as, if + specified via the --uu flag. - runas_group=string - The group name or gid to to run the command as, if - specified via the --gg flag. + runas_group=string + The group name or gid to to run the command as, if + specified via the --gg flag. - prompt=string - The prompt to use when requesting a password, if specified - via the --pp flag. + prompt=string + The prompt to use when requesting a password, if + specified via the --pp flag. - set_home=bool - Set to true if the user specified the --HH flag. If true, - set the HOME environment variable to the target user's home - directory. + set_home=bool + Set to true if the user specified the --HH flag. If + true, set the HOME environment variable to the target + user's home directory. - preserve_environment=bool - Set to true if the user specified the --EE flag, indicating - that the user wishes to preserve the environment. + preserve_environment=bool + Set to true if the user specified the --EE flag, + indicating that the user wishes to preserve the + environment. - run_shell=bool - Set to true if the user specified the --ss flag, indicating - that the user wishes to run a shell. + run_shell=bool + Set to true if the user specified the --ss flag, + indicating that the user wishes to run a shell. - login_shell=bool - Set to true if the user specified the --ii flag, indicating - that the user wishes to run a login shell. + login_shell=bool + Set to true if the user specified the --ii flag, + indicating that the user wishes to run a login shell. - implied_shell=bool - If the user does not specify a program on the command line, - ssuuddoo will pass the plugin the path to the user's shell and - set _i_m_p_l_i_e_d___s_h_e_l_l to true. This allows ssuuddoo with no - arguments to be used similarly to _s_u(1). If the plugin - does not to support this usage, it may return a value of -2 - from the check_policy function, which will cause ssuuddoo to - print a usage message and exit. + implied_shell=bool + If the user does not specify a program on the command + line, ssuuddoo will pass the plugin the path to the user's + shell and set _i_m_p_l_i_e_d___s_h_e_l_l to true. This allows ssuuddoo + with no arguments to be used similarly to su(1). If + the plugin does not to support this usage, it may + return a value of -2 from the cchheecckk__ppoolliiccyy() function, + which will cause ssuuddoo to print a usage message and + exit. - preserve_groups=bool - Set to true if the user specified the --PP flag, indicating - that the user wishes to preserve the group vector instead - of setting it based on the runas user. + preserve_groups=bool + Set to true if the user specified the --PP flag, + indicating that the user wishes to preserve the group + vector instead of setting it based on the runas user. - ignore_ticket=bool - Set to true if the user specified the --kk flag along with a - command, indicating that the user wishes to ignore any - cached authentication credentials. + ignore_ticket=bool + Set to true if the user specified the --kk flag along + with a command, indicating that the user wishes to + ignore any cached authentication credentials. - noninteractive=bool - Set to true if the user specified the --nn flag, indicating - that ssuuddoo should operate in non-interactive mode. The - plugin may reject a command run in non-interactive mode if - user interaction is required. + noninteractive=bool + Set to true if the user specified the --nn flag, + indicating that ssuuddoo should operate in non-interactive + mode. The plugin may reject a command run in non- + interactive mode if user interaction is required. - login_class=string - BSD login class to use when setting resource limits and - nice value, if specified by the --cc flag. + login_class=string + BSD login class to use when setting resource limits and + nice value, if specified by the --cc flag. - selinux_role=string - SELinux role to use when executing the command, if - specified by the --rr flag. + selinux_role=string + SELinux role to use when executing the command, if + specified by the --rr flag. - selinux_type=string - SELinux type to use when executing the command, if - specified by the --tt flag. + selinux_type=string + SELinux type to use when executing the command, if + specified by the --tt flag. - bsdauth_type=string - Authentication type, if specified by the --aa flag, to use on - systems where BSD authentication is supported. + bsdauth_type=string + Authentication type, if specified by the --aa flag, to + use on systems where BSD authentication is supported. - network_addrs=list - A space-separated list of IP network addresses and netmasks - in the form "addr/netmask", e.g. - "192.168.1.2/255.255.255.0". The address and netmask pairs - may be either IPv4 or IPv6, depending on what the operating - system supports. If the address contains a colon (':'), it - is an IPv6 address, else it is IPv4. + network_addrs=list + A space-separated list of IP network addresses and + netmasks in the form ``addr/netmask'', e.g. + ``192.168.1.2/255.255.255.0''. The address and netmask + pairs may be either IPv4 or IPv6, depending on what the + operating system supports. If the address contains a + colon (`:'), it is an IPv6 address, else it is IPv4. - progname=string - The command name that sudo was run as, typically "sudo" or - "sudoedit". + progname=string + The command name that sudo was run as, typically + ``sudo'' or ``sudoedit''. - sudoedit=bool - Set to true when the --ee flag is is specified or if invoked - as ssuuddooeeddiitt. The plugin shall substitute an editor into - _a_r_g_v in the _c_h_e_c_k___p_o_l_i_c_y function or return -2 with a usage - error if the plugin does not support _s_u_d_o_e_d_i_t. For more - information, see the _c_h_e_c_k___p_o_l_i_c_y section. + sudoedit=bool + Set to true when the --ee flag is is specified or if + invoked as ssuuddooeeddiitt. The plugin shall substitute an + editor into _a_r_g_v in the cchheecckk__ppoolliiccyy() function or + return -2 with a usage error if the plugin does not + support _s_u_d_o_e_d_i_t. For more information, see the + _c_h_e_c_k___p_o_l_i_c_y section. - closefrom=number - If specified, the user has requested via the --CC flag that - ssuuddoo close all files descriptors with a value of _n_u_m_b_e_r or - higher. The plugin may optionally pass this, or another - value, back in the _c_o_m_m_a_n_d___i_n_f_o list. + closefrom=number + If specified, the user has requested via the --CC flag + that ssuuddoo close all files descriptors with a value of + _n_u_m_b_e_r or higher. The plugin may optionally pass this, + or another value, back in the _c_o_m_m_a_n_d___i_n_f_o list. - Additional settings may be added in the future so the plugin - should silently ignore settings that it does not recognize. + Additional settings may be added in the future so the plugin + should silently ignore settings that it does not recognize. user_info - A vector of information about the user running the command in - the form of "name=value" strings. The vector is terminated by - a NULL pointer. + A vector of information about the user running the command in + the form of ``name=value'' strings. The vector is terminated + by a NULL pointer. - When parsing _u_s_e_r___i_n_f_o, the plugin should split on the ffiirrsstt - equal sign ('=') since the _n_a_m_e field will never include one - itself but the _v_a_l_u_e might. + When parsing _u_s_e_r___i_n_f_o, the plugin should split on the ffiirrsstt + equal sign (`=') since the _n_a_m_e field will never include one + itself but the _v_a_l_u_e might. - pid=int - The process ID of the running ssuuddoo process. Only available - starting with API version 1.2 + pid=int + The process ID of the running ssuuddoo process. Only + available starting with API version 1.2 - ppid=int - The parent process ID of the running ssuuddoo process. Only - available starting with API version 1.2 + ppid=int + The parent process ID of the running ssuuddoo process. + Only available starting with API version 1.2 - sid=int - The session ID of the running ssuuddoo process or 0 if ssuuddoo is - not part of a POSIX job control session. Only available - starting with API version 1.2 + sid=int + The session ID of the running ssuuddoo process or 0 if ssuuddoo + is not part of a POSIX job control session. Only + available starting with API version 1.2 - pgid=int - The ID of the process group that the running ssuuddoo process - belongs to. Only available starting with API version 1.2 + pgid=int + The ID of the process group that the running ssuuddoo + process belongs to. Only available starting with API + version 1.2 - tcpgid=int - The ID of the forground process group associated with the - terminal device associcated with the ssuuddoo process or -1 if - there is no terminal present. Only available starting with - API version 1.2 + tcpgid=int + The ID of the forground process group associated with + the terminal device associcated with the ssuuddoo process + or -1 if there is no terminal present. Only available + starting with API version 1.2 - user=string - The name of the user invoking ssuuddoo. + user=string + The name of the user invoking ssuuddoo. - euid=uid_t - The effective user ID of the user invoking ssuuddoo. + euid=uid_t + The effective user ID of the user invoking ssuuddoo. - uid=uid_t - The real user ID of the user invoking ssuuddoo. + uid=uid_t + The real user ID of the user invoking ssuuddoo. - egid=gid_t - The effective group ID of the user invoking ssuuddoo. + egid=gid_t + The effective group ID of the user invoking ssuuddoo. - gid=gid_t - The real group ID of the user invoking ssuuddoo. + gid=gid_t + The real group ID of the user invoking ssuuddoo. - groups=list - The user's supplementary group list formatted as a string - of comma-separated group IDs. + groups=list + The user's supplementary group list formatted as a + string of comma-separated group IDs. - cwd=string - The user's current working directory. + cwd=string + The user's current working directory. - tty=string - The path to the user's terminal device. If the user has no - terminal device associated with the session, the value will - be empty, as in tty=. + tty=string + The path to the user's terminal device. If the user + has no terminal device associated with the session, the + value will be empty, as in ``tty=''. - host=string - The local machine's hostname as returned by the - gethostname() system call. + host=string + The local machine's hostname as returned by the + gethostname(2) system call. - lines=int - The number of lines the user's terminal supports. If there - is no terminal device available, a default value of 24 is - used. + lines=int + The number of lines the user's terminal supports. If + there is no terminal device available, a default value + of 24 is used. - cols=int - The number of columns the user's terminal supports. If - there is no terminal device available, a default value of - 80 is used. + cols=int + The number of columns the user's terminal supports. If + there is no terminal device available, a default value + of 80 is used. user_env - The user's environment in the form of a NULL-terminated vector - of "name=value" strings. + The user's environment in the form of a NULL-terminated + vector of ``name=value'' strings. - When parsing _u_s_e_r___e_n_v, the plugin should split on the ffiirrsstt - equal sign ('=') since the _n_a_m_e field will never include one - itself but the _v_a_l_u_e might. + When parsing _u_s_e_r___e_n_v, the plugin should split on the ffiirrsstt + equal sign (`=') since the _n_a_m_e field will never include one + itself but the _v_a_l_u_e might. plugin_options - Any (non-comment) strings immediately after the plugin path are - treated as arguments to the plugin. These arguments are split - on a white space boundary and are passed to the plugin in the - form of a NULL-terminated array of strings. If no arguments - were specified, _p_l_u_g_i_n___o_p_t_i_o_n_s will be the NULL pointer. + Any (non-comment) strings immediately after the plugin path + are treated as arguments to the plugin. These arguments are + split on a white space boundary and are passed to the plugin + in the form of a NULL-terminated array of strings. If no + arguments were specified, _p_l_u_g_i_n___o_p_t_i_o_n_s will be the NULL + pointer. - NOTE: the _p_l_u_g_i_n___o_p_t_i_o_n_s parameter is only available starting - with API version 1.2. A plugin mmuusstt check the API version - specified by the ssuuddoo front end before using _p_l_u_g_i_n___o_p_t_i_o_n_s. - Failure to do so may result in a crash. + NOTE: the _p_l_u_g_i_n___o_p_t_i_o_n_s parameter is only available starting + with API version 1.2. A plugin mmuusstt check the API version + specified by the ssuuddoo front end before using _p_l_u_g_i_n___o_p_t_i_o_n_s. + Failure to do so may result in a crash. - close - void (*close)(int exit_status, int error); + close + void (*close)(int exit_status, int error); - The close function is called when the command being run by ssuuddoo + The cclloossee() function is called when the command being run by ssuuddoo finishes. The function arguments are as follows: exit_status - The command's exit status, as returned by the _w_a_i_t(2) system - call. The value of exit_status is undefined if error is non- - zero. + The command's exit status, as returned by the wait(2) system + call. The value of exit_status is undefined if error is non- + zero. error - If the command could not be executed, this is set to the value - of errno set by the _e_x_e_c_v_e(2) system call. The plugin is - responsible for displaying error information via the - conversation or plugin_printf function. If the command was - successfully executed, the value of error is 0. + If the command could not be executed, this is set to the + value of errno set by the execve(2) system call. The plugin + is responsible for displaying error information via the + ccoonnvveerrssaattiioonn() or pplluuggiinn__pprriinnttff() function. If the command + was successfully executed, the value of error is 0. - show_version - int (*show_version)(int verbose); + show_version + int (*show_version)(int verbose); - The show_version function is called by ssuuddoo when the user specifies - the --VV option. The plugin may display its version information to - the user via the conversation or plugin_printf function using - SUDO_CONV_INFO_MSG. If the user requests detailed version - information, the verbose flag will be set. + The sshhooww__vveerrssiioonn() function is called by ssuuddoo when the user + specifies the --VV option. The plugin may display its version + information to the user via the ccoonnvveerrssaattiioonn() or pplluuggiinn__pprriinnttff() + function using SUDO_CONV_INFO_MSG. If the user requests detailed + version information, the verbose flag will be set. - check_policy - int (*check_policy)(int argc, char * const argv[] - char *env_add[], char **command_info[], - char **argv_out[], char **user_env_out[]); + check_policy + int (*check_policy)(int argc, char * const argv[] + char *env_add[], char **command_info[], + char **argv_out[], char **user_env_out[]); - The _c_h_e_c_k___p_o_l_i_c_y function is called by ssuuddoo to determine whether + The cchheecckk__ppoolliiccyy() function is called by ssuuddoo to determine whether the user is allowed to run the specified commands. If the _s_u_d_o_e_d_i_t option was enabled in the _s_e_t_t_i_n_g_s array passed to - the _o_p_e_n function, the user has requested _s_u_d_o_e_d_i_t mode. _s_u_d_o_e_d_i_t - is a mechanism for editing one or more files where an editor is run - with the user's credentials instead of with elevated privileges. - ssuuddoo achieves this by creating user-writable temporary copies of - the files to be edited and then overwriting the originals with the - temporary copies after editing is complete. If the plugin supports - ssuuddooeeddiitt, it should choose the editor to be used, potentially from - a variable in the user's environment, such as EDITOR, and include - it in _a_r_g_v___o_u_t (note that environment variables may include command - line flags). The files to be edited should be copied from _a_r_g_v - into _a_r_g_v___o_u_t, separated from the editor and its arguments by a - "--" element. The "--" will be removed by ssuuddoo before the editor - is executed. The plugin should also set _s_u_d_o_e_d_i_t_=_t_r_u_e in the - _c_o_m_m_a_n_d___i_n_f_o list. + the ooppeenn() function, the user has requested _s_u_d_o_e_d_i_t mode. + _s_u_d_o_e_d_i_t is a mechanism for editing one or more files where an + editor is run with the user's credentials instead of with elevated + privileges. ssuuddoo achieves this by creating user-writable temporary + copies of the files to be edited and then overwriting the originals + with the temporary copies after editing is complete. If the plugin + supports _s_u_d_o_e_d_i_t, it should choose the editor to be used, + potentially from a variable in the user's environment, such as + EDITOR, and include it in _a_r_g_v___o_u_t (note that environment variables + may include command line flags). The files to be edited should be + copied from _a_r_g_v into _a_r_g_v___o_u_t, separated from the editor and its + arguments by a ``--'' element. The ``--'' will be removed by ssuuddoo + before the editor is executed. The plugin should also set + _s_u_d_o_e_d_i_t_=_t_r_u_e in the _c_o_m_m_a_n_d___i_n_f_o list. - The _c_h_e_c_k___p_o_l_i_c_y function returns 1 if the command is allowed, 0 if - not allowed, -1 for a general error, or -2 for a usage error or if - ssuuddooeeddiitt was specified but is unsupported by the plugin. In the + The cchheecckk__ppoolliiccyy() function returns 1 if the command is allowed, 0 + if not allowed, -1 for a general error, or -2 for a usage error or + if _s_u_d_o_e_d_i_t was specified but is unsupported by the plugin. In the latter case, ssuuddoo will print a usage message before it exits. If - an error occurs, the plugin may optionally call the conversation or - plugin_printf function with SUDO_CONF_ERROR_MSG to present + an error occurs, the plugin may optionally call the ccoonnvveerrssaattiioonn() + or pplluuggiinn__pprriinnttff() function with SUDO_CONF_ERROR_MSG to present additional error information to the user. The function arguments are as follows: - argc - The number of elements in _a_r_g_v, not counting the final NULL - pointer. + argc The number of elements in _a_r_g_v, not counting the final NULL + pointer. - argv - The argument vector describing the command the user wishes to - run, in the same form as what would be passed to the _e_x_e_c_v_e_(_) - system call. The vector is terminated by a NULL pointer. + argv The argument vector describing the command the user wishes to + run, in the same form as what would be passed to the + execve(2) system call. The vector is terminated by a NULL + pointer. env_add - Additional environment variables specified by the user on the - command line in the form of a NULL-terminated vector of - "name=value" strings. The plugin may reject the command if one - or more variables are not allowed to be set, or it may silently - ignore such variables. + Additional environment variables specified by the user on the + command line in the form of a NULL-terminated vector of + ``name=value'' strings. The plugin may reject the command if + one or more variables are not allowed to be set, or it may + silently ignore such variables. - When parsing _e_n_v___a_d_d, the plugin should split on the ffiirrsstt - equal sign ('=') since the _n_a_m_e field will never include one - itself but the _v_a_l_u_e might. + When parsing _e_n_v___a_d_d, the plugin should split on the ffiirrsstt + equal sign (`=') since the _n_a_m_e field will never include one + itself but the _v_a_l_u_e might. command_info - Information about the command being run in the form of - "name=value" strings. These values are used by ssuuddoo to set the - execution environment when running a command. The plugin is - responsible for creating and populating the vector, which must - be terminated with a NULL pointer. The following values are - recognized by ssuuddoo: + Information about the command being run in the form of + ``name=value'' strings. These values are used by ssuuddoo to set + the execution environment when running a command. The plugin + is responsible for creating and populating the vector, which + must be terminated with a NULL pointer. The following values + are recognized by ssuuddoo: - command=string - Fully qualified path to the command to be executed. + command=string + Fully qualified path to the command to be executed. - runas_uid=uid - User ID to run the command as. + runas_uid=uid + User ID to run the command as. - runas_euid=uid - Effective user ID to run the command as. If not specified, - the value of _r_u_n_a_s___u_i_d is used. + runas_euid=uid + Effective user ID to run the command as. If not + specified, the value of _r_u_n_a_s___u_i_d is used. - runas_gid=gid - Group ID to run the command as. + runas_gid=gid + Group ID to run the command as. - runas_egid=gid - Effective group ID to run the command as. If not - specified, the value of _r_u_n_a_s___g_i_d is used. + runas_egid=gid + Effective group ID to run the command as. If not + specified, the value of _r_u_n_a_s___g_i_d is used. - runas_groups=list - The supplementary group vector to use for the command in - the form of a comma-separated list of group IDs. If - _p_r_e_s_e_r_v_e___g_r_o_u_p_s is set, this option is ignored. + runas_groups=list + The supplementary group vector to use for the command + in the form of a comma-separated list of group IDs. If + _p_r_e_s_e_r_v_e___g_r_o_u_p_s is set, this option is ignored. - login_class=string - BSD login class to use when setting resource limits and - nice value (optional). This option is only set on systems - that support login classes. + login_class=string + BSD login class to use when setting resource limits and + nice value (optional). This option is only set on + systems that support login classes. - preserve_groups=bool - If set, ssuuddoo will preserve the user's group vector instead - of initializing the group vector based on runas_user. + preserve_groups=bool + If set, ssuuddoo will preserve the user's group vector + instead of initializing the group vector based on + runas_user. - cwd=string - The current working directory to change to when executing - the command. + cwd=string + The current working directory to change to when + executing the command. - noexec=bool - If set, prevent the command from executing other programs. + noexec=bool + If set, prevent the command from executing other + programs. - chroot=string - The root directory to use when running the command. + chroot=string + The root directory to use when running the command. - nice=int - Nice value (priority) to use when executing the command. - The nice value, if specified, overrides the priority - associated with the _l_o_g_i_n___c_l_a_s_s on BSD systems. + nice=int + Nice value (priority) to use when executing the + command. The nice value, if specified, overrides the + priority associated with the _l_o_g_i_n___c_l_a_s_s on BSD + systems. - umask=octal - The file creation mask to use when executing the command. + umask=octal + The file creation mask to use when executing the + command. - selinux_role=string - SELinux role to use when executing the command. + selinux_role=string + SELinux role to use when executing the command. - selinux_type=string - SELinux type to use when executing the command. + selinux_type=string + SELinux type to use when executing the command. - timeout=int - Command timeout. If non-zero then when the timeout expires - the command will be killed. + timeout=int + Command timeout. If non-zero then when the timeout + expires the command will be killed. - sudoedit=bool - Set to true when in _s_u_d_o_e_d_i_t mode. The plugin may enable - _s_u_d_o_e_d_i_t mode even if ssuuddoo was not invoked as ssuuddooeeddiitt. - This allows the plugin to perform command substitution and - transparently enable _s_u_d_o_e_d_i_t when the user attempts to run - an editor. + sudoedit=bool + Set to true when in _s_u_d_o_e_d_i_t mode. The plugin may + enable _s_u_d_o_e_d_i_t mode even if ssuuddoo was not invoked as + ssuuddooeeddiitt. This allows the plugin to perform command + substitution and transparently enable _s_u_d_o_e_d_i_t when the + user attempts to run an editor. - closefrom=number - If specified, ssuuddoo will close all files descriptors with a - value of _n_u_m_b_e_r or higher. + closefrom=number + If specified, ssuuddoo will close all files descriptors + with a value of _n_u_m_b_e_r or higher. - iolog_compress=bool - Set to true if the I/O logging plugins, if any, should - compress the log data. This is a hint to the I/O logging - plugin which may choose to ignore it. + iolog_compress=bool + Set to true if the I/O logging plugins, if any, should + compress the log data. This is a hint to the I/O + logging plugin which may choose to ignore it. - iolog_path=string - Fully qualified path to the file or directory in which I/O - log is to be stored. This is a hint to the I/O logging - plugin which may choose to ignore it. If no I/O logging - plugin is loaded, this setting has no effect. + iolog_path=string + Fully qualified path to the file or directory in which + I/O log is to be stored. This is a hint to the I/O + logging plugin which may choose to ignore it. If no + I/O logging plugin is loaded, this setting has no + effect. - iolog_stdin=bool - Set to true if the I/O logging plugins, if any, should log - the standard input if it is not connected to a terminal - device. This is a hint to the I/O logging plugin which may - choose to ignore it. + iolog_stdin=bool + Set to true if the I/O logging plugins, if any, should + log the standard input if it is not connected to a + terminal device. This is a hint to the I/O logging + plugin which may choose to ignore it. - iolog_stdout=bool - Set to true if the I/O logging plugins, if any, should log - the standard output if it is not connected to a terminal - device. This is a hint to the I/O logging plugin which may - choose to ignore it. + iolog_stdout=bool + Set to true if the I/O logging plugins, if any, should + log the standard output if it is not connected to a + terminal device. This is a hint to the I/O logging + plugin which may choose to ignore it. - iolog_stderr=bool - Set to true if the I/O logging plugins, if any, should log - the standard error if it is not connected to a terminal - device. This is a hint to the I/O logging plugin which may - choose to ignore it. + iolog_stderr=bool + Set to true if the I/O logging plugins, if any, should + log the standard error if it is not connected to a + terminal device. This is a hint to the I/O logging + plugin which may choose to ignore it. - iolog_ttyin=bool - Set to true if the I/O logging plugins, if any, should log - all terminal input. This only includes input typed by the - user and not from a pipe or redirected from a file. This - is a hint to the I/O logging plugin which may choose to - ignore it. + iolog_ttyin=bool + Set to true if the I/O logging plugins, if any, should + log all terminal input. This only includes input typed + by the user and not from a pipe or redirected from a + file. This is a hint to the I/O logging plugin which + may choose to ignore it. - iolog_ttyout=bool - Set to true if the I/O logging plugins, if any, should log - all terminal output. This only includes output to the - screen, not output to a pipe or file. This is a hint to - the I/O logging plugin which may choose to ignore it. + iolog_ttyout=bool + Set to true if the I/O logging plugins, if any, should + log all terminal output. This only includes output to + the screen, not output to a pipe or file. This is a + hint to the I/O logging plugin which may choose to + ignore it. - use_pty=bool - Allocate a pseudo-tty to run the command in, regardless of - whether or not I/O logging is in use. By default, ssuuddoo - will only run the command in a pty when an I/O log plugin - is loaded. + use_pty=bool + Allocate a pseudo-tty to run the command in, regardless + of whether or not I/O logging is in use. By default, + ssuuddoo will only run the command in a pty when an I/O log + plugin is loaded. - set_utmp=bool - Create a utmp (or utmpx) entry when a pseudo-tty is - allocated. By default, the new entry will be a copy of the - user's existing utmp entry (if any), with the tty, time, - type and pid fields updated. + set_utmp=bool + Create a utmp (or utmpx) entry when a pseudo-tty is + allocated. By default, the new entry will be a copy of + the user's existing utmp entry (if any), with the tty, + time, type and pid fields updated. - utmp_user=string - User name to use when constructing a new utmp (or utmpx) - entry when _s_e_t___u_t_m_p is enabled. This option can be used to - set the user field in the utmp entry to the user the - command runs as rather than the invoking user. If not set, - ssuuddoo will base the new entry on the invoking user's - existing entry. + utmp_user=string + User name to use when constructing a new utmp (or + utmpx) entry when _s_e_t___u_t_m_p is enabled. This option can + be used to set the user field in the utmp entry to the + user the command runs as rather than the invoking user. + If not set, ssuuddoo will base the new entry on the + invoking user's existing entry. - Unsupported values will be ignored. + Unsupported values will be ignored. argv_out - The NULL-terminated argument vector to pass to the _e_x_e_c_v_e_(_) - system call when executing the command. The plugin is - responsible for allocating and populating the vector. + The NULL-terminated argument vector to pass to the execve(2) + system call when executing the command. The plugin is + responsible for allocating and populating the vector. user_env_out - The NULL-terminated environment vector to use when executing - the command. The plugin is responsible for allocating and - populating the vector. + The NULL-terminated environment vector to use when executing + the command. The plugin is responsible for allocating and + populating the vector. - list - int (*list)(int verbose, const char *list_user, - int argc, char * const argv[]); + list + int (*list)(int verbose, const char *list_user, + int argc, char * const argv[]); List available privileges for the invoking user. Returns 1 on success, 0 on failure and -1 on error. On error, the plugin may - optionally call the conversation or plugin_printf function with + optionally call the ccoonnvveerrssaattiioonn() or pplluuggiinn__pprriinnttff() function with SUDO_CONF_ERROR_MSG to present additional error information to the user. - Privileges should be output via the conversation or plugin_printf - function using SUDO_CONV_INFO_MSG. + Privileges should be output via the ccoonnvveerrssaattiioonn() or + pplluuggiinn__pprriinnttff() function using SUDO_CONV_INFO_MSG, verbose - Flag indicating whether to list in verbose mode or not. + Flag indicating whether to list in verbose mode or not. list_user - The name of a different user to list privileges for if the - policy allows it. If NULL, the plugin should list the - privileges of the invoking user. + The name of a different user to list privileges for if the + policy allows it. If NULL, the plugin should list the + privileges of the invoking user. - argc - The number of elements in _a_r_g_v, not counting the final NULL - pointer. + argc The number of elements in _a_r_g_v, not counting the final NULL + pointer. - argv - If non-NULL, an argument vector describing a command the user - wishes to check against the policy in the same form as what - would be passed to the _e_x_e_c_v_e_(_) system call. If the command is - permitted by the policy, the fully-qualified path to the - command should be displayed along with any command line - arguments. + argv If non-NULL, an argument vector describing a command the user + wishes to check against the policy in the same form as what + would be passed to the execve(2) system call. If the command + is permitted by the policy, the fully-qualified path to the + command should be displayed along with any command line + arguments. - validate - int (*validate)(void); + validate + int (*validate)(void); - The validate function is called when ssuuddoo is run with the --vv flag. - For policy plugins such as _s_u_d_o_e_r_s that cache authentication + The vvaalliiddaattee() function is called when ssuuddoo is run with the --vv + flag. For policy plugins such as _s_u_d_o_e_r_s that cache authentication credentials, this function will validate and cache the credentials. - The validate function should be NULL if the plugin does not support - credential caching. + The vvaalliiddaattee() function should be NULL if the plugin does not + support credential caching. Returns 1 on success, 0 on failure and -1 on error. On error, the - plugin may optionally call the conversation or plugin_printf + plugin may optionally call the ccoonnvveerrssaattiioonn() or pplluuggiinn__pprriinnttff() function with SUDO_CONF_ERROR_MSG to present additional error information to the user. - invalidate - void (*invalidate)(int remove); + invalidate + void (*invalidate)(int remove); - The invalidate function is called when ssuuddoo is called with the --kk + The iinnvvaalliiddaattee() function is called when ssuuddoo is called with the --kk or --KK flag. For policy plugins such as _s_u_d_o_e_r_s that cache authentication credentials, this function will invalidate the credentials. If the _r_e_m_o_v_e flag is set, the plugin may remove the credentials instead of simply invalidating them. - The invalidate function should be NULL if the plugin does not + The iinnvvaalliiddaattee() function should be NULL if the plugin does not support credential caching. - init_session - int (*init_session)(struct passwd *pwd, char **user_envp[); + init_session + int (*init_session)(struct passwd *pwd, char **user_envp[); - The init_session function is called before ssuuddoo sets up the + The iinniitt__sseessssiioonn() function is called before ssuuddoo sets up the execution environment for the command. It is run in the parent ssuuddoo process and before any uid or gid changes. This can be used to perform session setup that is not supported by _c_o_m_m_a_n_d___i_n_f_o, - such as opening the PAM session. The close function can be used to - tear down the session that was opened by init_session. + such as opening the PAM session. The cclloossee() function can be used + to tear down the session that was opened by init_session. The _p_w_d argument points to a passwd struct for the user the command will be run as if the uid the command will run as was found in the password database, otherwise it will be NULL. The _u_s_e_r___e_n_v argument points to the environment the command will - run in, in the form of a NULL-terminated vector of "name=value" + run in, in the form of a NULL-terminated vector of ``name=value'' strings. This is the same string passed back to the front end via - the Policy Plugin's _u_s_e_r___e_n_v___o_u_t parameter. If the init_session + the Policy Plugin's _u_s_e_r___e_n_v___o_u_t parameter. If the iinniitt__sseessssiioonn() function needs to modify the user environment, it should update the pointer stored in _u_s_e_r___e_n_v. The expected use case is to merge the contents of the PAM environment (if any) with the contents of @@ -682,38 +689,38 @@ DDEESSCCRRIIPPTTIIOONN do so may result in a crash. Returns 1 on success, 0 on failure and -1 on error. On error, the - plugin may optionally call the conversation or plugin_printf + plugin may optionally call the ccoonnvveerrssaattiioonn() or pplluuggiinn__pprriinnttff() function with SUDO_CONF_ERROR_MSG to present additional error information to the user. - register_hooks - void (*register_hooks)(int version, - int (*register_hook)(struct sudo_hook *hook)); + register_hooks + void (*register_hooks)(int version, + int (*register_hook)(struct sudo_hook *hook)); - The register_hooks function is called by the sudo front end to + The rreeggiisstteerr__hhooookkss() function is called by the sudo front end to register any hooks the plugin needs. If the plugin does not support hooks, register_hooks should be set to the NULL pointer. The _v_e_r_s_i_o_n argument describes the version of the hooks API supported by the ssuuddoo front end. - The register_hook function should be used to register any supported - hooks the plugin needs. It returns 0 on success, 1 if the hook - type is not supported and -1 if the major version in struct hook - does not match the front end's major hook API version. + The rreeggiisstteerr__hhooookk() function should be used to register any + supported hooks the plugin needs. It returns 0 on success, 1 if + the hook type is not supported and -1 if the major version in + struct hook does not match the front end's major hook API version. - See the "Hook Function API" section below for more information - about hooks. + See the _H_o_o_k _F_u_n_c_t_i_o_n _A_P_I section below for more information about + hooks. - NOTE: the register_hooks function is only available starting with + NOTE: the rreeggiisstteerr__hhooookkss() function is only available starting with API version 1.2. If the ssuuddoo front end doesn't support API version 1.2 or higher, register_hooks will not be called. - deregister_hooks - void (*deregister_hooks)(int version, - int (*deregister_hook)(struct sudo_hook *hook)); + deregister_hooks + void (*deregister_hooks)(int version, + int (*deregister_hook)(struct sudo_hook *hook)); - The deregister_hooks function is called by the sudo front end to + The ddeerreeggiisstteerr__hhooookkss() function is called by the sudo front end to deregister any hooks the plugin has registered. If the plugin does not support hooks, deregister_hooks should be set to the NULL pointer. @@ -721,228 +728,228 @@ DDEESSCCRRIIPPTTIIOONN The _v_e_r_s_i_o_n argument describes the version of the hooks API supported by the ssuuddoo front end. - The deregister_hook function should be used to deregister any hooks - that were put in place by the register_hook function. If the - plugin tries to deregister a hook that the front end does not + The ddeerreeggiisstteerr__hhooookk() function should be used to deregister any + hooks that were put in place by the rreeggiisstteerr__hhooookk() function. If + the plugin tries to deregister a hook that the front end does not support, deregister_hook will return an error. - See the "Hook Function API" section below for more information - about hooks. + See the _H_o_o_k _F_u_n_c_t_i_o_n _A_P_I section below for more information about + hooks. - NOTE: the deregister_hooks function is only available starting with - API version 1.2. If the ssuuddoo front end doesn't support API version - 1.2 or higher, deregister_hooks will not be called. + NOTE: the ddeerreeggiisstteerr__hhooookkss() function is only available starting + with API version 1.2. If the ssuuddoo front end doesn't support API + version 1.2 or higher, deregister_hooks will not be called. - _P_o_l_i_c_y _P_l_u_g_i_n _V_e_r_s_i_o_n _M_a_c_r_o_s + _P_o_l_i_c_y _P_l_u_g_i_n _V_e_r_s_i_o_n _M_a_c_r_o_s - /* Plugin API version major/minor. */ - #define SUDO_API_VERSION_MAJOR 1 - #define SUDO_API_VERSION_MINOR 2 - #define SUDO_API_MKVERSION(x, y) ((x << 16) | y) - #define SUDO_API_VERSION SUDO_API_MKVERSION(SUDO_API_VERSION_MAJOR,\ - SUDO_API_VERSION_MINOR) + /* Plugin API version major/minor. */ + #define SUDO_API_VERSION_MAJOR 1 + #define SUDO_API_VERSION_MINOR 2 + #define SUDO_API_MKVERSION(x, y) ((x << 16) | y) + #define SUDO_API_VERSION SUDO_API_MKVERSION(SUDO_API_VERSION_MAJOR,\ + SUDO_API_VERSION_MINOR) - /* Getters and setters for API version */ - #define SUDO_API_VERSION_GET_MAJOR(v) ((v) >> 16) - #define SUDO_API_VERSION_GET_MINOR(v) ((v) & 0xffff) - #define SUDO_API_VERSION_SET_MAJOR(vp, n) do { \ - *(vp) = (*(vp) & 0x0000ffff) | ((n) << 16); \ - } while(0) - #define SUDO_VERSION_SET_MINOR(vp, n) do { \ - *(vp) = (*(vp) & 0xffff0000) | (n); \ - } while(0) + /* Getters and setters for API version */ + #define SUDO_API_VERSION_GET_MAJOR(v) ((v) >> 16) + #define SUDO_API_VERSION_GET_MINOR(v) ((v) & 0xffff) + #define SUDO_API_VERSION_SET_MAJOR(vp, n) do { \ + *(vp) = (*(vp) & 0x0000ffff) | ((n) << 16); \ + } while(0) + #define SUDO_VERSION_SET_MINOR(vp, n) do { \ + *(vp) = (*(vp) & 0xffff0000) | (n); \ + } while(0) II//OO PPlluuggiinn AAPPII - struct io_plugin { - #define SUDO_IO_PLUGIN 2 - unsigned int type; /* always SUDO_IO_PLUGIN */ - unsigned int version; /* always SUDO_API_VERSION */ - int (*open)(unsigned int version, sudo_conv_t conversation - sudo_printf_t plugin_printf, char * const settings[], - char * const user_info[], int argc, char * const argv[], - char * const user_env[], char * const plugin_options[]); - void (*close)(int exit_status, int error); /* wait status or error */ - int (*show_version)(int verbose); - int (*log_ttyin)(const char *buf, unsigned int len); - int (*log_ttyout)(const char *buf, unsigned int len); - int (*log_stdin)(const char *buf, unsigned int len); - int (*log_stdout)(const char *buf, unsigned int len); - int (*log_stderr)(const char *buf, unsigned int len); - void (*register_hooks)(int version, - int (*register_hook)(struct sudo_hook *hook)); - void (*deregister_hooks)(int version, - int (*deregister_hook)(struct sudo_hook *hook)); - }; + struct io_plugin { + #define SUDO_IO_PLUGIN 2 + unsigned int type; /* always SUDO_IO_PLUGIN */ + unsigned int version; /* always SUDO_API_VERSION */ + int (*open)(unsigned int version, sudo_conv_t conversation + sudo_printf_t plugin_printf, char * const settings[], + char * const user_info[], int argc, char * const argv[], + char * const user_env[], char * const plugin_options[]); + void (*close)(int exit_status, int error); /* wait status or error */ + int (*show_version)(int verbose); + int (*log_ttyin)(const char *buf, unsigned int len); + int (*log_ttyout)(const char *buf, unsigned int len); + int (*log_stdin)(const char *buf, unsigned int len); + int (*log_stdout)(const char *buf, unsigned int len); + int (*log_stderr)(const char *buf, unsigned int len); + void (*register_hooks)(int version, + int (*register_hook)(struct sudo_hook *hook)); + void (*deregister_hooks)(int version, + int (*deregister_hook)(struct sudo_hook *hook)); + }; - When an I/O plugin is loaded, ssuuddoo runs the command in a pseudo-tty. - This makes it possible to log the input and output from the user's - session. If any of the standard input, standard output or standard - error do not correspond to a tty, ssuuddoo will open a pipe to capture the - I/O for logging before passing it on. + When an I/O plugin is loaded, ssuuddoo runs the command in a pseudo-tty. + This makes it possible to log the input and output from the user's + session. If any of the standard input, standard output or standard error + do not correspond to a tty, ssuuddoo will open a pipe to capture the I/O for + logging before passing it on. - The log_ttyin function receives the raw user input from the terminal - device (note that this will include input even when echo is disabled, - such as when a password is read). The log_ttyout function receives - output from the pseudo-tty that is suitable for replaying the user's - session at a later time. The log_stdin, log_stdout and log_stderr - functions are only called if the standard input, standard output or - standard error respectively correspond to something other than a tty. + The log_ttyin function receives the raw user input from the terminal + device (note that this will include input even when echo is disabled, + such as when a password is read). The log_ttyout function receives + output from the pseudo-tty that is suitable for replaying the user's + session at a later time. The lloogg__ssttddiinn(), lloogg__ssttddoouutt() and lloogg__ssttddeerrrr() + functions are only called if the standard input, standard output or + standard error respectively correspond to something other than a tty. - Any of the logging functions may be set to the NULL pointer if no - logging is to be performed. If the open function returns 0, no I/O - will be sent to the plugin. + Any of the logging functions may be set to the NULL pointer if no logging + is to be performed. If the open function returns 0, no I/O will be sent + to the plugin. - The io_plugin struct has the following fields: + The io_plugin struct has the following fields: - type - The type field should always be set to SUDO_IO_PLUGIN + type The type field should always be set to SUDO_IO_PLUGIN. - version + version The version field should be set to SUDO_API_VERSION. This allows ssuuddoo to determine the API version the plugin was built against. - open - int (*open)(unsigned int version, sudo_conv_t conversation - sudo_printf_t plugin_printf, char * const settings[], - char * const user_info[], int argc, char * const argv[], - char * const user_env[], char * const plugin_options[]); + open + int (*open)(unsigned int version, sudo_conv_t conversation + sudo_printf_t plugin_printf, char * const settings[], + char * const user_info[], int argc, char * const argv[], + char * const user_env[], char * const plugin_options[]); - The _o_p_e_n function is run before the _l_o_g___i_n_p_u_t, _l_o_g___o_u_t_p_u_t or - _s_h_o_w___v_e_r_s_i_o_n functions are called. It is only called if the - version is being requested or the _c_h_e_c_k___p_o_l_i_c_y function has + The ooppeenn() function is run before the lloogg__iinnppuutt(), lloogg__oouuttppuutt() or + sshhooww__vveerrssiioonn() functions are called. It is only called if the + version is being requested or the cchheecckk__ppoolliiccyy() function has returned successfully. It returns 1 on success, 0 on failure, -1 if a general error occurred, or -2 if there was a usage error. In the latter case, ssuuddoo will print a usage message before it exits. - If an error occurs, the plugin may optionally call the conversation - or plugin_printf function with SUDO_CONF_ERROR_MSG to present - additional error information to the user. + If an error occurs, the plugin may optionally call the + ccoonnvveerrssaattiioonn() or pplluuggiinn__pprriinnttff() function with SUDO_CONF_ERROR_MSG + to present additional error information to the user. The function arguments are as follows: version - The version passed in by ssuuddoo allows the plugin to determine - the major and minor version number of the plugin API supported - by ssuuddoo. + The version passed in by ssuuddoo allows the plugin to determine + the major and minor version number of the plugin API + supported by ssuuddoo. conversation - A pointer to the conversation function that may be used by the - _s_h_o_w___v_e_r_s_i_o_n function to display version information (see - show_version below). The conversation function may also be - used to display additional error message to the user. The - conversation function returns 0 on success and -1 on failure. + A pointer to the ccoonnvveerrssaattiioonn() function that may be used by + the sshhooww__vveerrssiioonn() function to display version information + (see sshhooww__vveerrssiioonn() below). The ccoonnvveerrssaattiioonn() function may + also be used to display additional error message to the user. + The ccoonnvveerrssaattiioonn() function returns 0 on success and -1 on + failure. plugin_printf - A pointer to a printf-style function that may be used by the - _s_h_o_w___v_e_r_s_i_o_n function to display version information (see - show_version below). The plugin_printf function may also be - used to display additional error message to the user. The - plugin_printf function returns number of characters printed on - success and -1 on failure. + A pointer to a pprriinnttff()-style function that may be used by + the sshhooww__vveerrssiioonn() function to display version information + (see show_version below). The pplluuggiinn__pprriinnttff() function may + also be used to display additional error message to the user. + The pplluuggiinn__pprriinnttff() function returns number of characters + printed on success and -1 on failure. settings - A vector of user-supplied ssuuddoo settings in the form of - "name=value" strings. The vector is terminated by a NULL - pointer. These settings correspond to flags the user specified - when running ssuuddoo. As such, they will only be present when the - corresponding flag has been specified on the command line. + A vector of user-supplied ssuuddoo settings in the form of + ``name=value'' strings. The vector is terminated by a NULL + pointer. These settings correspond to flags the user + specified when running ssuuddoo. As such, they will only be + present when the corresponding flag has been specified on the + command line. - When parsing _s_e_t_t_i_n_g_s, the plugin should split on the ffiirrsstt - equal sign ('=') since the _n_a_m_e field will never include one - itself but the _v_a_l_u_e might. + When parsing _s_e_t_t_i_n_g_s, the plugin should split on the ffiirrsstt + equal sign (`=') since the _n_a_m_e field will never include one + itself but the _v_a_l_u_e might. - See the "Policy Plugin API" section for a list of all possible - settings. + See the _P_o_l_i_c_y _P_l_u_g_i_n _A_P_I section for a list of all possible + settings. user_info - A vector of information about the user running the command in - the form of "name=value" strings. The vector is terminated by - a NULL pointer. + A vector of information about the user running the command in + the form of ``name=value'' strings. The vector is terminated + by a NULL pointer. - When parsing _u_s_e_r___i_n_f_o, the plugin should split on the ffiirrsstt - equal sign ('=') since the _n_a_m_e field will never include one - itself but the _v_a_l_u_e might. + When parsing _u_s_e_r___i_n_f_o, the plugin should split on the ffiirrsstt + equal sign (`=') since the _n_a_m_e field will never include one + itself but the _v_a_l_u_e might. - See the "Policy Plugin API" section for a list of all possible - strings. + See the _P_o_l_i_c_y _P_l_u_g_i_n _A_P_I section for a list of all possible + strings. - argc - The number of elements in _a_r_g_v, not counting the final NULL - pointer. + argc The number of elements in _a_r_g_v, not counting the final NULL + pointer. - argv - If non-NULL, an argument vector describing a command the user - wishes to run in the same form as what would be passed to the - _e_x_e_c_v_e_(_) system call. + argv If non-NULL, an argument vector describing a command the user + wishes to run in the same form as what would be passed to the + execve(2) system call. user_env - The user's environment in the form of a NULL-terminated vector - of "name=value" strings. + The user's environment in the form of a NULL-terminated + vector of ``name=value'' strings. - When parsing _u_s_e_r___e_n_v, the plugin should split on the ffiirrsstt - equal sign ('=') since the _n_a_m_e field will never include one - itself but the _v_a_l_u_e might. + When parsing _u_s_e_r___e_n_v, the plugin should split on the ffiirrsstt + equal sign (`=') since the _n_a_m_e field will never include one + itself but the _v_a_l_u_e might. plugin_options - Any (non-comment) strings immediately after the plugin path are - treated as arguments to the plugin. These arguments are split - on a white space boundary and are passed to the plugin in the - form of a NULL-terminated array of strings. If no arguments - were specified, _p_l_u_g_i_n___o_p_t_i_o_n_s will be the NULL pointer. + Any (non-comment) strings immediately after the plugin path + are treated as arguments to the plugin. These arguments are + split on a white space boundary and are passed to the plugin + in the form of a NULL-terminated array of strings. If no + arguments were specified, _p_l_u_g_i_n___o_p_t_i_o_n_s will be the NULL + pointer. - NOTE: the _p_l_u_g_i_n___o_p_t_i_o_n_s parameter is only available starting - with API version 1.2. A plugin mmuusstt check the API version - specified by the ssuuddoo front end before using _p_l_u_g_i_n___o_p_t_i_o_n_s. - Failure to do so may result in a crash. + NOTE: the _p_l_u_g_i_n___o_p_t_i_o_n_s parameter is only available starting + with API version 1.2. A plugin mmuusstt check the API version + specified by the ssuuddoo front end before using _p_l_u_g_i_n___o_p_t_i_o_n_s. + Failure to do so may result in a crash. - close - void (*close)(int exit_status, int error); + close + void (*close)(int exit_status, int error); - The close function is called when the command being run by ssuuddoo + The cclloossee() function is called when the command being run by ssuuddoo finishes. The function arguments are as follows: exit_status - The command's exit status, as returned by the _w_a_i_t(2) system - call. The value of exit_status is undefined if error is non- - zero. + The command's exit status, as returned by the wait(2) system + call. The value of exit_status is undefined if error is non- + zero. error - If the command could not be executed, this is set to the value - of errno set by the _e_x_e_c_v_e(2) system call. If the command was - successfully executed, the value of error is 0. + If the command could not be executed, this is set to the + value of errno set by the execve(2) system call. If the + command was successfully executed, the value of error is 0. - show_version - int (*show_version)(int verbose); + show_version + int (*show_version)(int verbose); - The show_version function is called by ssuuddoo when the user specifies - the --VV option. The plugin may display its version information to - the user via the conversation or plugin_printf function using - SUDO_CONV_INFO_MSG. If the user requests detailed version - information, the verbose flag will be set. + The sshhooww__vveerrssiioonn() function is called by ssuuddoo when the user + specifies the --VV option. The plugin may display its version + information to the user via the ccoonnvveerrssaattiioonn() or pplluuggiinn__pprriinnttff() + function using SUDO_CONV_INFO_MSG. If the user requests detailed + version information, the verbose flag will be set. - log_ttyin - int (*log_ttyin)(const char *buf, unsigned int len); + log_ttyin + int (*log_ttyin)(const char *buf, unsigned int len); - The _l_o_g___t_t_y_i_n function is called whenever data can be read from the - user but before it is passed to the running command. This allows - the plugin to reject data if it chooses to (for instance if the - input contains banned content). Returns 1 if the data should be - passed to the command, 0 if the data is rejected (which will + The lloogg__ttttyyiinn() function is called whenever data can be read from + the user but before it is passed to the running command. This + allows the plugin to reject data if it chooses to (for instance if + the input contains banned content). Returns 1 if the data should + be passed to the command, 0 if the data is rejected (which will terminate the command) or -1 if an error occurred. The function arguments are as follows: - buf The buffer containing user input. + buf The buffer containing user input. - len The length of _b_u_f in bytes. + len The length of _b_u_f in bytes. - log_ttyout - int (*log_ttyout)(const char *buf, unsigned int len); + log_ttyout + int (*log_ttyout)(const char *buf, unsigned int len); - The _l_o_g___t_t_y_o_u_t function is called whenever data can be read from + The lloogg__ttttyyoouutt() function is called whenever data can be read from the command but before it is written to the user's terminal. This allows the plugin to reject data if it chooses to (for instance if the output contains banned content). Returns 1 if the data should @@ -951,16 +958,16 @@ DDEESSCCRRIIPPTTIIOONN The function arguments are as follows: - buf The buffer containing command output. + buf The buffer containing command output. - len The length of _b_u_f in bytes. + len The length of _b_u_f in bytes. - log_stdin - int (*log_stdin)(const char *buf, unsigned int len); + log_stdin + int (*log_stdin)(const char *buf, unsigned int len); - The _l_o_g___s_t_d_i_n function is only used if the standard input does not - correspond to a tty device. It is called whenever data can be read - from the standard input but before it is passed to the running + The lloogg__ssttddiinn() function is only used if the standard input does + not correspond to a tty device. It is called whenever data can be + read from the standard input but before it is passed to the running command. This allows the plugin to reject data if it chooses to (for instance if the input contains banned content). Returns 1 if the data should be passed to the command, 0 if the data is rejected @@ -968,14 +975,14 @@ DDEESSCCRRIIPPTTIIOONN The function arguments are as follows: - buf The buffer containing user input. + buf The buffer containing user input. - len The length of _b_u_f in bytes. + len The length of _b_u_f in bytes. - log_stdout - int (*log_stdout)(const char *buf, unsigned int len); + log_stdout + int (*log_stdout)(const char *buf, unsigned int len); - The _l_o_g___s_t_d_o_u_t function is only used if the standard output does + The lloogg__ssttddoouutt() function is only used if the standard output does not correspond to a tty device. It is called whenever data can be read from the command but before it is written to the standard output. This allows the plugin to reject data if it chooses to @@ -985,115 +992,116 @@ DDEESSCCRRIIPPTTIIOONN The function arguments are as follows: - buf The buffer containing command output. + buf The buffer containing command output. - len The length of _b_u_f in bytes. + len The length of _b_u_f in bytes. - log_stderr - int (*log_stderr)(const char *buf, unsigned int len); + log_stderr + int (*log_stderr)(const char *buf, unsigned int len); - The _l_o_g___s_t_d_e_r_r function is only used if the standard error does not - correspond to a tty device. It is called whenever data can be read - from the command but before it is written to the standard error. - This allows the plugin to reject data if it chooses to (for + The lloogg__ssttddeerrrr() function is only used if the standard error does + not correspond to a tty device. It is called whenever data can be + read from the command but before it is written to the standard + error. This allows the plugin to reject data if it chooses to (for instance if the output contains banned content). Returns 1 if the data should be passed to the user, 0 if the data is rejected (which will terminate the command) or -1 if an error occurred. The function arguments are as follows: - buf The buffer containing command output. + buf The buffer containing command output. - len The length of _b_u_f in bytes. + len The length of _b_u_f in bytes. - register_hooks - See the "Policy Plugin API" section for a description of + register_hooks + See the _P_o_l_i_c_y _P_l_u_g_i_n _A_P_I section for a description of register_hooks. - deregister_hooks - See the "Policy Plugin API" section for a description of + deregister_hooks + See the _P_o_l_i_c_y _P_l_u_g_i_n _A_P_I section for a description of deregister_hooks. - _I_/_O _P_l_u_g_i_n _V_e_r_s_i_o_n _M_a_c_r_o_s + _I_/_O _P_l_u_g_i_n _V_e_r_s_i_o_n _M_a_c_r_o_s - Same as for the "Policy Plugin API". + Same as for the _P_o_l_i_c_y _P_l_u_g_i_n _A_P_I. HHooookk FFuunnccttiioonn AAPPII - Beginning with plugin API version 1.2, it is possible to install hooks - for certain functions called by the ssuuddoo front end. + Beginning with plugin API version 1.2, it is possible to install hooks + for certain functions called by the ssuuddoo front end. - Currently, the only supported hooks relate to the handling of - environment variables. Hooks can be used to intercept attempts to get, - set, or remove environment variables so that these changes can be - reflected in the version of the environment that is used to execute a - command. A future version of the API will support hooking internal - ssuuddoo front end functions as well. + Currently, the only supported hooks relate to the handling of environment + variables. Hooks can be used to intercept attempts to get, set, or + remove environment variables so that these changes can be reflected in + the version of the environment that is used to execute a command. A + future version of the API will support hooking internal ssuuddoo front end + functions as well. - _H_o_o_k _s_t_r_u_c_t_u_r_e + _H_o_o_k _s_t_r_u_c_t_u_r_e - Hooks in ssuuddoo are described by the following structure: + Hooks in ssuuddoo are described by the following structure: - typedef int (*sudo_hook_fn_t)(); + typedef int (*sudo_hook_fn_t)(); - struct sudo_hook { - int hook_version; - int hook_type; - sudo_hook_fn_t hook_fn; - void *closure; - }; + struct sudo_hook { + int hook_version; + int hook_type; + sudo_hook_fn_t hook_fn; + void *closure; + }; - The sudo_hook structure has the following fields: + The sudo_hook structure has the following fields: - hook_version + hook_version The hook_version field should be set to SUDO_HOOK_VERSION. - hook_type + hook_type The hook_type field may be one of the following supported hook types: SUDO_HOOK_SETENV - The C library setenv() function. Any registered hooks will run - before the C library implementation. The hook_fn field should - be a function that matches the following typedef: + The C library setenv(3) function. Any registered hooks will + run before the C library implementation. The hook_fn field + should be a function that matches the following typedef: - typedef int (*sudo_hook_fn_setenv_t)(const char *name, - const char *value, int overwrite, void *closure); + typedef int (*sudo_hook_fn_setenv_t)(const char *name, + const char *value, int overwrite, void *closure); - If the registered hook does not match the typedef the results - are unspecified. + If the registered hook does not match the typedef the results + are unspecified. SUDO_HOOK_UNSETENV - The C library unsetenv() function. Any registered hooks will - run before the C library implementation. The hook_fn field - should be a function that matches the following typedef: + The C library unsetenv(3) function. Any registered hooks + will run before the C library implementation. The hook_fn + field should be a function that matches the following + typedef: - typedef int (*sudo_hook_fn_unsetenv_t)(const char *name, - void *closure); + typedef int (*sudo_hook_fn_unsetenv_t)(const char *name, + void *closure); SUDO_HOOK_GETENV - The C library getenv() function. Any registered hooks will run - before the C library implementation. The hook_fn field should - be a function that matches the following typedef: + The C library getenv(3) function. Any registered hooks will + run before the C library implementation. The hook_fn field + should be a function that matches the following typedef: - typedef int (*sudo_hook_fn_getenv_t)(const char *name, - char **value, void *closure); + typedef int (*sudo_hook_fn_getenv_t)(const char *name, + char **value, void *closure); - If the registered hook does not match the typedef the results - are unspecified. + If the registered hook does not match the typedef the results + are unspecified. SUDO_HOOK_PUTENV - The C library putenv() function. Any registered hooks will run - before the C library implementation. The hook_fn field should - be a function that matches the following typedef: + The C library putenv(3) function. Any registered hooks will + run before the C library implementation. The hook_fn field + should be a function that matches the following typedef: - typedef int (*sudo_hook_fn_putenv_t)(char *string, - void *closure); + typedef int (*sudo_hook_fn_putenv_t)(char *string, + void *closure); - If the registered hook does not match the typedef the results - are unspecified. + If the registered hook does not match the typedef the results + are unspecified. - hook_fn - sudo_hook_fn_t hook_fn; + hook_fn + sudo_hook_fn_t hook_fn; The hook_fn field should be set to the plugin's hook implementation. The actual function arguments will vary depending @@ -1105,226 +1113,228 @@ DDEESSCCRRIIPPTTIIOONN The function return value may be one of the following: SUDO_HOOK_RET_ERROR - The hook function encountered an error. + The hook function encountered an error. SUDO_HOOK_RET_NEXT - The hook completed without error, go on to the next hook - (including the native implementation if applicable). For - example, a getenv hook might return SUDO_HOOK_RET_NEXT if the - specified variable was not found in the private copy of the - environment. + The hook completed without error, go on to the next hook + (including the native implementation if applicable). For + example, a getenv(3) hook might return SUDO_HOOK_RET_NEXT if + the specified variable was not found in the private copy of + the environment. SUDO_HOOK_RET_STOP - The hook completed without error, stop processing hooks for - this invocation. This can be used to replace the native - implementation. For example, a setenv hook that operates on a - private copy of the environment but leaves environ unchanged. + The hook completed without error, stop processing hooks for + this invocation. This can be used to replace the native + implementation. For example, a setenv hook that operates on + a private copy of the environment but leaves environ + unchanged. - Note that it is very easy to create an infinite loop when hooking C - library functions. For example, a getenv hook that calls the snprintf - function may create a loop if the snprintf implementation calls getenv - to check the locale. To prevent this, you may wish to use a static - variable in the hook function to guard against nested calls. E.g. + Note that it is very easy to create an infinite loop when hooking C + library functions. For example, a getenv(3) hook that calls the + snprintf(3) function may create a loop if the snprintf(3) implementation + calls getenv(3) to check the locale. To prevent this, you may wish to + use a static variable in the hook function to guard against nested calls. + For example: - static int in_progress = 0; /* avoid recursion */ - if (in_progress) - return SUDO_HOOK_RET_NEXT; - in_progress = 1; - ... - in_progress = 0; - return SUDO_HOOK_RET_STOP; + static int in_progress = 0; /* avoid recursion */ + if (in_progress) + return SUDO_HOOK_RET_NEXT; + in_progress = 1; + ... + in_progress = 0; + return SUDO_HOOK_RET_STOP; - _H_o_o_k _A_P_I _V_e_r_s_i_o_n _M_a_c_r_o_s + _H_o_o_k _A_P_I _V_e_r_s_i_o_n _M_a_c_r_o_s - /* Hook API version major/minor */ - #define SUDO_HOOK_VERSION_MAJOR 1 - #define SUDO_HOOK_VERSION_MINOR 0 - #define SUDO_HOOK_MKVERSION(x, y) ((x << 16) | y) - #define SUDO_HOOK_VERSION SUDO_HOOK_MKVERSION(SUDO_HOOK_VERSION_MAJOR,\ - SUDO_HOOK_VERSION_MINOR) + /* Hook API version major/minor */ + #define SUDO_HOOK_VERSION_MAJOR 1 + #define SUDO_HOOK_VERSION_MINOR 0 + #define SUDO_HOOK_MKVERSION(x, y) ((x << 16) | y) + #define SUDO_HOOK_VERSION SUDO_HOOK_MKVERSION(SUDO_HOOK_VERSION_MAJOR,\ + SUDO_HOOK_VERSION_MINOR) - /* Getters and setters for hook API version */ - #define SUDO_HOOK_VERSION_GET_MAJOR(v) ((v) >> 16) - #define SUDO_HOOK_VERSION_GET_MINOR(v) ((v) & 0xffff) - #define SUDO_HOOK_VERSION_SET_MAJOR(vp, n) do { \ - *(vp) = (*(vp) & 0x0000ffff) | ((n) << 16); \ - } while(0) - #define SUDO_HOOK_VERSION_SET_MINOR(vp, n) do { \ - *(vp) = (*(vp) & 0xffff0000) | (n); \ - } while(0) + /* Getters and setters for hook API version */ + #define SUDO_HOOK_VERSION_GET_MAJOR(v) ((v) >> 16) + #define SUDO_HOOK_VERSION_GET_MINOR(v) ((v) & 0xffff) + #define SUDO_HOOK_VERSION_SET_MAJOR(vp, n) do { \ + *(vp) = (*(vp) & 0x0000ffff) | ((n) << 16); \ + } while(0) + #define SUDO_HOOK_VERSION_SET_MINOR(vp, n) do { \ + *(vp) = (*(vp) & 0xffff0000) | (n); \ + } while(0) CCoonnvveerrssaattiioonn AAPPII - If the plugin needs to interact with the user, it may do so via the - conversation function. A plugin should not attempt to read directly - from the standard input or the user's tty (neither of which are - guaranteed to exist). The caller must include a trailing newline in - msg if one is to be printed. + If the plugin needs to interact with the user, it may do so via the + ccoonnvveerrssaattiioonn() function. A plugin should not attempt to read directly + from the standard input or the user's tty (neither of which are + guaranteed to exist). The caller must include a trailing newline in msg + if one is to be printed. - A printf-style function is also available that can be used to display - informational or error messages to the user, which is usually more - convenient for simple messages where no use input is required. + A pprriinnttff()-style function is also available that can be used to display + informational or error messages to the user, which is usually more + convenient for simple messages where no use input is required. - struct sudo_conv_message { - #define SUDO_CONV_PROMPT_ECHO_OFF 0x0001 /* do not echo user input */ - #define SUDO_CONV_PROMPT_ECHO_ON 0x0002 /* echo user input */ - #define SUDO_CONV_ERROR_MSG 0x0003 /* error message */ - #define SUDO_CONV_INFO_MSG 0x0004 /* informational message */ - #define SUDO_CONV_PROMPT_MASK 0x0005 /* mask user input */ - #define SUDO_CONV_DEBUG_MSG 0x0006 /* debugging message */ - #define SUDO_CONV_PROMPT_ECHO_OK 0x1000 /* flag: allow echo if no tty */ - int msg_type; - int timeout; - const char *msg; - }; + struct sudo_conv_message { + #define SUDO_CONV_PROMPT_ECHO_OFF 0x0001 /* do not echo user input */ + #define SUDO_CONV_PROMPT_ECHO_ON 0x0002 /* echo user input */ + #define SUDO_CONV_ERROR_MSG 0x0003 /* error message */ + #define SUDO_CONV_INFO_MSG 0x0004 /* informational message */ + #define SUDO_CONV_PROMPT_MASK 0x0005 /* mask user input */ + #define SUDO_CONV_DEBUG_MSG 0x0006 /* debugging message */ + #define SUDO_CONV_PROMPT_ECHO_OK 0x1000 /* flag: allow echo if no tty */ + int msg_type; + int timeout; + const char *msg; + }; - struct sudo_conv_reply { - char *reply; - }; + struct sudo_conv_reply { + char *reply; + }; - typedef int (*sudo_conv_t)(int num_msgs, - const struct sudo_conv_message msgs[], - struct sudo_conv_reply replies[]); + typedef int (*sudo_conv_t)(int num_msgs, + const struct sudo_conv_message msgs[], + struct sudo_conv_reply replies[]); - typedef int (*sudo_printf_t)(int msg_type, const char *fmt, ...); + typedef int (*sudo_printf_t)(int msg_type, const char *fmt, ...); - Pointers to the conversation and printf-style functions are passed in - to the plugin's open function when the plugin is initialized. + Pointers to the ccoonnvveerrssaattiioonn() and pprriinnttff()-style functions are passed in + to the plugin's ooppeenn() function when the plugin is initialized. - To use the conversation function, the plugin must pass an array of - sudo_conv_message and sudo_conv_reply structures. There must be a - struct sudo_conv_message and struct sudo_conv_reply for each message in - the conversation. The plugin is responsible for freeing the reply - buffer filled in to the struct sudo_conv_reply, if any. + To use the ccoonnvveerrssaattiioonn() function, the plugin must pass an array of + sudo_conv_message and sudo_conv_reply structures. There must be a struct + sudo_conv_message and struct sudo_conv_reply for each message in the + conversation. The plugin is responsible for freeing the reply buffer + filled in to the struct sudo_conv_reply, if any. - The printf-style function uses the same underlying mechanism as the - conversation function but only supports SUDO_CONV_INFO_MSG, - SUDO_CONV_ERROR_MSG and SUDO_CONV_DEBUG_MSG for the _m_s_g___t_y_p_e parameter. - It can be more convenient than using the conversation function if no - user reply is needed and supports standard _p_r_i_n_t_f_(_) escape sequences. + The pprriinnttff()-style function uses the same underlying mechanism as the + ccoonnvveerrssaattiioonn() function but only supports SUDO_CONV_INFO_MSG, + SUDO_CONV_ERROR_MSG and SUDO_CONV_DEBUG_MSG for the _m_s_g___t_y_p_e parameter. + It can be more convenient than using the ccoonnvveerrssaattiioonn() function if no + user reply is needed and supports standard pprriinnttff() escape sequences. - Unlike, SUDO_CONV_INFO_MSG and SUDO_CONV_ERROR_MSG, messages sent with - the SUDO_CONV_DEBUG_MSG _m_s_g___t_y_p_e are not directly user-visible. - Instead, they are logged to the file specified in the Debug statement - (if any) in the _/_e_t_c_/_s_u_d_o_._c_o_n_f file. This allows a plugin to log - debugging information and is intended to be used in conjunction with - the _d_e_b_u_g___f_l_a_g_s setting. + Unlike, SUDO_CONV_INFO_MSG and Dv SUDO_CONV_ERROR_MSG , messages sent + with the SUDO_CONV_DEBUG_MSG _m_s_g___t_y_p_e are not directly user-visible. + Instead, they are logged to the file specified in the Debug statement (if + any) in the _/_e_t_c_/_s_u_d_o_._c_o_n_f - See the sample plugin for an example of the conversation function - usage. + file. This allows a plugin to log debugging information and is intended + to be used in conjunction with the _d_e_b_u_g___f_l_a_g_s setting. + + See the sample plugin for an example of the ccoonnvveerrssaattiioonn() function + usage. SSuuddooeerrss GGrroouupp PPlluuggiinn AAPPII - The _s_u_d_o_e_r_s module supports a plugin interface to allow non-Unix group - lookups. This can be used to query a group source other than the - standard Unix group database. A sample group plugin is bundled with - ssuuddoo that implements file-based lookups. Third party group plugins - include a QAS AD plugin available from Quest Software. + The _s_u_d_o_e_r_s module supports a plugin interface to allow non-Unix group + lookups. This can be used to query a group source other than the + standard Unix group database. A sample group plugin is bundled with ssuuddoo + that implements file-based lookups. Third party group plugins include a + QAS AD plugin available from Quest Software. - A group plugin must declare and populate a sudoers_group_plugin struct - in the global scope. This structure contains pointers to the functions - that implement plugin initialization, cleanup and group lookup. + A group plugin must declare and populate a sudoers_group_plugin struct in + the global scope. This structure contains pointers to the functions that + implement plugin initialization, cleanup and group lookup. - struct sudoers_group_plugin { - unsigned int version; - int (*init)(int version, sudo_printf_t sudo_printf, - char *const argv[]); - void (*cleanup)(void); - int (*query)(const char *user, const char *group, - const struct passwd *pwd); - }; + struct sudoers_group_plugin { + unsigned int version; + int (*init)(int version, sudo_printf_t sudo_printf, + char *const argv[]); + void (*cleanup)(void); + int (*query)(const char *user, const char *group, + const struct passwd *pwd); + }; - The sudoers_group_plugin struct has the following fields: + The sudoers_group_plugin struct has the following fields: - version + version The version field should be set to GROUP_API_VERSION. This allows _s_u_d_o_e_r_s to determine the API version the group plugin was built against. - init - int (*init)(int version, sudo_printf_t plugin_printf, - char *const argv[]); + init + int (*init)(int version, sudo_printf_t plugin_printf, + char *const argv[]); - The _i_n_i_t function is called after _s_u_d_o_e_r_s has been parsed but + The iinniitt() function is called after _s_u_d_o_e_r_s has been parsed but before any policy checks. It returns 1 on success, 0 on failure (or if the plugin is not configured), and -1 if a error occurred. - If an error occurs, the plugin may call the plugin_printf function - with SUDO_CONF_ERROR_MSG to present additional error information to - the user. + If an error occurs, the plugin may call the pplluuggiinn__pprriinnttff() + function with SUDO_CONF_ERROR_MSG to present additional error + information to the user. The function arguments are as follows: version - The version passed in by _s_u_d_o_e_r_s allows the plugin to determine - the major and minor version number of the group plugin API - supported by _s_u_d_o_e_r_s. + The version passed in by _s_u_d_o_e_r_s allows the plugin to + determine the major and minor version number of the group + plugin API supported by _s_u_d_o_e_r_s. plugin_printf - A pointer to a printf-style function that may be used to - display informational or error message to the user. Returns - the number of characters printed on success and -1 on failure. + A pointer to a pprriinnttff()-style function that may be used to + display informational or error message to the user. Returns + the number of characters printed on success and -1 on + failure. - argv - A NULL-terminated array of arguments generated from the - _g_r_o_u_p___p_l_u_g_i_n option in _s_u_d_o_e_r_s. If no arguments were given, - _a_r_g_v will be NULL. + argv A NULL-terminated array of arguments generated from the + _g_r_o_u_p___p_l_u_g_i_n option in _s_u_d_o_e_r_s. If no arguments were given, + _a_r_g_v will be NULL. - cleanup - void (*cleanup)(); + cleanup + void (*cleanup)(); - The _c_l_e_a_n_u_p function is called when _s_u_d_o_e_r_s has finished its group - checks. The plugin should free any memory it has allocated and - close open file handles. + The cclleeaannuupp() function is called when _s_u_d_o_e_r_s has finished its + group checks. The plugin should free any memory it has allocated + and close open file handles. - query - int (*query)(const char *user, const char *group, - const struct passwd *pwd); + query + int (*query)(const char *user, const char *group, + const struct passwd *pwd); - The _q_u_e_r_y function is used to ask the group plugin whether _u_s_e_r is - a member of _g_r_o_u_p. + The qquueerryy() function is used to ask the group plugin whether _u_s_e_r + is a member of _g_r_o_u_p. The function arguments are as follows: - user - The name of the user being looked up in the external group - database. + user The name of the user being looked up in the external group + database. group - The name of the group being queried. + The name of the group being queried. - pwd The password database entry for _u_s_e_r, if any. If _u_s_e_r is not - present in the password database, _p_w_d will be NULL. + pwd The password database entry for _u_s_e_r, if any. If _u_s_e_r is not + present in the password database, _p_w_d will be NULL. - _G_r_o_u_p _A_P_I _V_e_r_s_i_o_n _M_a_c_r_o_s + _G_r_o_u_p _A_P_I _V_e_r_s_i_o_n _M_a_c_r_o_s - /* Sudoers group plugin version major/minor */ - #define GROUP_API_VERSION_MAJOR 1 - #define GROUP_API_VERSION_MINOR 0 - #define GROUP_API_VERSION ((GROUP_API_VERSION_MAJOR << 16) | \ - GROUP_API_VERSION_MINOR) + /* Sudoers group plugin version major/minor */ + #define GROUP_API_VERSION_MAJOR 1 + #define GROUP_API_VERSION_MINOR 0 + #define GROUP_API_VERSION ((GROUP_API_VERSION_MAJOR << 16) | \ + GROUP_API_VERSION_MINOR) - /* Getters and setters for group version */ - #define GROUP_API_VERSION_GET_MAJOR(v) ((v) >> 16) - #define GROUP_API_VERSION_GET_MINOR(v) ((v) & 0xffff) - #define GROUP_API_VERSION_SET_MAJOR(vp, n) do { \ - *(vp) = (*(vp) & 0x0000ffff) | ((n) << 16); \ - } while(0) - #define GROUP_API_VERSION_SET_MINOR(vp, n) do { \ - *(vp) = (*(vp) & 0xffff0000) | (n); \ - } while(0) + /* Getters and setters for group version */ + #define GROUP_API_VERSION_GET_MAJOR(v) ((v) >> 16) + #define GROUP_API_VERSION_GET_MINOR(v) ((v) & 0xffff) + #define GROUP_API_VERSION_SET_MAJOR(vp, n) do { \ + *(vp) = (*(vp) & 0x0000ffff) | ((n) << 16); \ + } while(0) + #define GROUP_API_VERSION_SET_MINOR(vp, n) do { \ + *(vp) = (*(vp) & 0xffff0000) | (n); \ + } while(0) PPLLUUGGIINN AAPPII CCHHAANNGGEELLOOGG - The following revisions have been made to the Sudo Plugin API. + The following revisions have been made to the Sudo Plugin API. - Version 1.0 + Version 1.0 Initial API version. - Version 1.1 - The I/O logging plugin's open function was modified to take the + Version 1.1 + The I/O logging plugin's ooppeenn() function was modified to take the command_info list as an argument. - Version 1.2 - The Policy and I/O logging plugins' open functions are now passed a - list of plugin options if any are specified in _/_e_t_c_/_s_u_d_o_._c_o_n_f. + Version 1.2 + The Policy and I/O logging plugins' ooppeenn() functions are now passed + a list of plugin options if any are specified in _/_e_t_c_/_s_u_d_o_._c_o_n_f. A simple hooks API has been introduced to allow plugins to hook in to the system's environment handling functions. @@ -1335,24 +1345,22 @@ PPLLUUGGIINN AAPPII CCHHAANNGGEELLOOGG before a command is run. SSEEEE AALLSSOO - _s_u_d_o_e_r_s(4), _s_u_d_o(1m) + sudoers(4), sudo(1m) BBUUGGSS - If you feel you have found a bug in ssuuddoo, please submit a bug report at - http://www.sudo.ws/sudo/bugs/ + If you feel you have found a bug in ssuuddoo, please submit a bug report at + http://www.sudo.ws/sudo/bugs/ SSUUPPPPOORRTT - Limited free support is available via the sudo-workers mailing list, - see http://www.sudo.ws/mailman/listinfo/sudo-workers to subscribe or - search the archives. + Limited free support is available via the sudo-users mailing list, see + http://www.sudo.ws/mailman/listinfo/sudo-users to subscribe or search the + archives. DDIISSCCLLAAIIMMEERR - ssuuddoo is provided ``AS IS'' and any express or implied warranties, - including, but not limited to, the implied warranties of - merchantability and fitness for a particular purpose are disclaimed. - See the LICENSE file distributed with ssuuddoo or - http://www.sudo.ws/sudo/license.html for complete details. + ssuuddoo is provided ``AS IS'' and any express or implied warranties, + including, but not limited to, the implied warranties of merchantability + and fitness for a particular purpose are disclaimed. See the LICENSE + file distributed with ssuuddoo or http://www.sudo.ws/sudo/license.html for + complete details. - - -1.8.6 July 17, 2012 SUDO_PLUGIN(1m) +Sudo 1.8.6 July 16, 2012 Sudo 1.8.6 diff --git a/doc/sudo_plugin.man.in b/doc/sudo_plugin.man.in index 9125532a9..2880d08fc 100644 --- a/doc/sudo_plugin.man.in +++ b/doc/sudo_plugin.man.in @@ -1,9 +1,12 @@ +.\" DO NOT EDIT THIS FILE, IT IS NOT THE MASTER! +.\" IT IS GENERATED AUTOMATICALLY FROM sudo_plugin.mdoc.in +.\" .\" Copyright (c) 2009-2012 Todd C. Miller -.\" +.\" .\" Permission to use, copy, modify, and distribute this software for any .\" purpose with or without fee is hereby granted, provided that the above .\" copyright notice and this permission notice appear in all copies. -.\" +.\" .\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES .\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF .\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR @@ -12,1626 +15,2478 @@ .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. .\" ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. -.\" -.\" Automatically generated by Pod::Man 2.23 (Pod::Simple 3.14) .\" -.\" Standard preamble: -.\" ======================================================================== -.de Sp \" Vertical space (when we can't use .PP) -.if t .sp .5v -.if n .sp -.. -.de Vb \" Begin verbatim text -.ft CW -.nf -.ne \\$1 -.. -.de Ve \" End verbatim text -.ft R -.fi -.. -.\" Set up some character translations and predefined strings. \*(-- will -.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left -.\" double quote, and \*(R" will give a right double quote. \*(C+ will -.\" give a nicer C++. Capital omega is used to do unbreakable dashes and -.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff, -.\" nothing in troff, for use with C<>. -.tr \(*W- -.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p' -.ie n \{\ -. ds -- \(*W- -. ds PI pi -. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch -. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch -. ds L" "" -. ds R" "" -. ds C` -. ds C' -'br\} -.el\{\ -. ds -- \|\(em\| -. ds PI \(*p -. ds L" `` -. ds R" '' -'br\} -.\" -.\" Escape single quotes in literal strings from groff's Unicode transform. -.ie \n(.g .ds Aq \(aq -.el .ds Aq ' -.\" -.\" If the F register is turned on, we'll generate index entries on stderr for -.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index -.\" entries marked with X<> in POD. Of course, you'll have to process the -.\" output yourself in some meaningful fashion. -.ie \nF \{\ -. de IX -. tm Index:\\$1\t\\n%\t"\\$2" -.. -. nr % 0 -. rr F -.\} -.el \{\ -. de IX -.. -.\} -.\" -.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2). -.\" Fear. Run. Save yourself. No user-serviceable parts. -. \" fudge factors for nroff and troff -.if n \{\ -. ds #H 0 -. ds #V .8m -. ds #F .3m -. ds #[ \f1 -. ds #] \fP -.\} -.if t \{\ -. ds #H ((1u-(\\\\n(.fu%2u))*.13m) -. ds #V .6m -. ds #F 0 -. ds #[ \& -. ds #] \& -.\} -. \" simple accents for nroff and troff -.if n \{\ -. ds ' \& -. ds ` \& -. ds ^ \& -. ds , \& -. ds ~ ~ -. ds / -.\} -.if t \{\ -. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u" -. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u' -. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u' -. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u' -. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u' -. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u' -.\} -. \" troff and (daisy-wheel) nroff accents -.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V' -.ds 8 \h'\*(#H'\(*b\h'-\*(#H' -.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#] -.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H' -.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u' -.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#] -.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#] -.ds ae a\h'-(\w'a'u*4/10)'e -.ds Ae A\h'-(\w'A'u*4/10)'E -. \" corrections for vroff -.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u' -.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u' -. \" for low resolution devices (crt and lpr) -.if \n(.H>23 .if \n(.V>19 \ -\{\ -. ds : e -. ds 8 ss -. ds o a -. ds d- d\h'-1'\(ga -. ds D- D\h'-1'\(hy -. ds th \o'bp' -. ds Th \o'LP' -. ds ae ae -. ds Ae AE -.\} -.rm #[ #] #H #V #F C -.\" ======================================================================== -.\" -.IX Title "SUDO_PLUGIN @mansectsu@" -.TH SUDO_PLUGIN @mansectsu@ "July 17, 2012" "1.8.6" "MAINTENANCE COMMANDS" -.\" For nroff, turn off justification. Always turn off hyphenation; it makes -.\" way too many mistakes in technical documents. -.if n .ad l -.nh +.TH "SUDO_PLUGIN" "5" "July 16, 2012" "1.8.6" "OpenBSD Programmer's Manual" .SH "NAME" -sudo_plugin \- Sudo Plugin API +\fBsudo_plugin\fR +\- Sudo Plugin API .SH "DESCRIPTION" -.IX Header "DESCRIPTION" -Starting with version 1.8, \fBsudo\fR supports a plugin \s-1API\s0 -for policy and session logging. By default, the \fIsudoers\fR policy -plugin and an associated I/O logging plugin are used. Via the plugin -\&\s-1API\s0, \fBsudo\fR can be configured to use alternate policy and/or I/O -logging plugins provided by third parties. The plugins to be used -are specified via the \fI@sysconfdir@/sudo.conf\fR file. +Starting with version 1.8, +\fBsudo\fR +supports a plugin API +for policy and session logging. +By default, the +\fIsudoers\fR +policy plugin and an associated I/O logging plugin are used. +Via the plugin API, +\fBsudo\fR +can be configured to use alternate policy and/or I/O logging plugins +provided by third parties. +The plugins to be used are specified via the +\fI@sysconfdir@/sudo.conf\fR +file. .PP -The \s-1API\s0 is versioned with a major and minor number. The minor -version number is incremented when additions are made. The major -number is incremented when incompatible changes are made. A plugin -should be check the version passed to it and make sure that the +The API is versioned with a major and minor number. +The minor version number is incremented when additions are made. +The major number is incremented when incompatible changes are made. +A plugin should be check the version passed to it and make sure that the major version matches. .PP -The plugin \s-1API\s0 is defined by the \f(CW\*(C`sudo_plugin.h\*(C'\fR header file. +The plugin API is defined by the +\fRsudo_plugin.h\fR +header file. .SS "The sudo.conf File" -.IX Subsection "The sudo.conf File" -The \fI@sysconfdir@/sudo.conf\fR file contains plugin configuration directives. -The primary keyword is the \f(CW\*(C`Plugin\*(C'\fR directive, which causes a plugin -to be loaded. +The +\fI@sysconfdir@/sudo.conf\fR +file contains plugin configuration directives. +The primary keyword is the +\fRPlugin\fR +directive, which causes a plugin to be loaded. .PP -A \f(CW\*(C`Plugin\*(C'\fR line consists of the \f(CW\*(C`Plugin\*(C'\fR keyword, followed by the -\&\fIsymbol_name\fR and the \fIpath\fR to the shared object containing the -plugin. The \fIsymbol_name\fR is the name of the \f(CW\*(C`struct policy_plugin\*(C'\fR -or \f(CW\*(C`struct io_plugin\*(C'\fR in the plugin shared object. The \fIpath\fR -may be fully qualified or relative. If not fully qualified it is -relative to the \fI@prefix@/libexec\fR directory. Any additional -parameters after the \fIpath\fR are passed as options to the plugin's -\&\fIopen\fR function. Lines that don't begin with \f(CW\*(C`Plugin\*(C'\fR, \f(CW\*(C`Path\*(C'\fR, -\&\f(CW\*(C`Debug\*(C'\fR or \f(CW\*(C`Set\*(C'\fR are silently ignored. +A +\fRPlugin\fR +line consists of the +\fRPlugin\fR +keyword, followed by the +\fIsymbol_name\fR +and the +\fIpath\fR +to the shared object containing the plugin. +The +\fIsymbol_name\fR +is the name of the +\fRstruct policy_plugin\fR +or +\fRstruct io_plugin\fR +in the plugin shared object. +The +\fIpath\fR +may be fully qualified or relative. +If not fully qualified it is relative to the +\fI@prefix@/libexec\fR +directory. +Any additional parameters after the +\fIpath\fR +are passed as options to the plugin's +\fBopen\fR() +function. +Lines that don't begin with +\fRPlugin\fR, +\fRPath\fR, +\fRDebug\fR +or +\fRSet\fR +are silently ignored. .PP The same shared object may contain multiple plugins, each with a -different symbol name. The shared object file must be owned by uid -0 and only writable by its owner. Because of ambiguities that arise -from composite policies, only a single policy plugin may be specified. +different symbol name. +The shared object file must be owned by uid 0 and only writable by its owner. +Because of ambiguities that arise from composite policies, only a single +policy plugin may be specified. This limitation does not apply to I/O plugins. -.PP -.Vb 10 -\& # -\& # Default @sysconfdir@/sudo.conf file -\& # -\& # Format: -\& # Plugin plugin_name plugin_path plugin_options ... -\& # Path askpass /path/to/askpass -\& # Path noexec /path/to/sudo_noexec.so -\& # Debug sudo /var/log/sudo_debug all@warn -\& # Set disable_coredump true -\& # -\& # The plugin_path is relative to @prefix@/libexec unless -\& # fully qualified. -\& # The plugin_name corresponds to a global symbol in the plugin -\& # that contains the plugin interface structure. -\& # The plugin_options are optional. -\& # -\& Plugin sudoers_policy sudoers.so -\& Plugin sudoers_io sudoers.so -.Ve -.SS "Policy Plugin \s-1API\s0" -.IX Subsection "Policy Plugin API" -A policy plugin must declare and populate a \f(CW\*(C`policy_plugin\*(C'\fR struct -in the global scope. This structure contains pointers to the functions -that implement the \fBsudo\fR policy checks. The name of the symbol should -be specified in \fI@sysconfdir@/sudo.conf\fR along with a path to the plugin -so that \fBsudo\fR can load it. -.PP -.Vb 10 -\& struct policy_plugin { -\& #define SUDO_POLICY_PLUGIN 1 -\& unsigned int type; /* always SUDO_POLICY_PLUGIN */ -\& unsigned int version; /* always SUDO_API_VERSION */ -\& int (*open)(unsigned int version, sudo_conv_t conversation, -\& sudo_printf_t plugin_printf, char * const settings[], -\& char * const user_info[], char * const user_env[], -\& char * const plugin_options[]); -\& void (*close)(int exit_status, int error); -\& int (*show_version)(int verbose); -\& int (*check_policy)(int argc, char * const argv[], -\& char *env_add[], char **command_info[], -\& char **argv_out[], char **user_env_out[]); -\& int (*list)(int argc, char * const argv[], int verbose, -\& const char *list_user); -\& int (*validate)(void); -\& void (*invalidate)(int remove); -\& int (*init_session)(struct passwd *pwd, char **user_env[]); -\& void (*register_hooks)(int version, -\& int (*register_hook)(struct sudo_hook *hook)); -\& void (*deregister_hooks)(int version, -\& int (*deregister_hook)(struct sudo_hook *hook)); -\& }; -.Ve +.nf +.sp +.RS 0n +# +# Default @sysconfdir@/sudo.conf file +# +# Format: +# Plugin plugin_name plugin_path plugin_options ... +# Path askpass /path/to/askpass +# Path noexec /path/to/sudo_noexec.so +# Debug sudo /var/log/sudo_debug all@warn +# Set disable_coredump true +# +# The plugin_path is relative to @prefix@/libexec unless +# fully qualified. +# The plugin_name corresponds to a global symbol in the plugin +# that contains the plugin interface structure. +# The plugin_options are optional. +# +Plugin sudoers_policy sudoers.so +Plugin sudoers_io sudoers.so +.RE +.fi +.SS "Policy Plugin API" +A policy plugin must declare and populate a +\fRpolicy_plugin\fR +struct in the global scope. +This structure contains pointers to the functions that implement the +\fBsudo\fR +policy checks. +The name of the symbol should be specified in +\fI@sysconfdir@/sudo.conf\fR +along with a path to the plugin so that +\fBsudo\fR +can load it. +.nf +.sp +.RS 0n +struct policy_plugin { +#define SUDO_POLICY_PLUGIN 1 + unsigned int type; /* always SUDO_POLICY_PLUGIN */ + unsigned int version; /* always SUDO_API_VERSION */ + int (*open)(unsigned int version, sudo_conv_t conversation, + sudo_printf_t plugin_printf, char * const settings[], + char * const user_info[], char * const user_env[], + char * const plugin_options[]); + void (*close)(int exit_status, int error); + int (*show_version)(int verbose); + int (*check_policy)(int argc, char * const argv[], + char *env_add[], char **command_info[], + char **argv_out[], char **user_env_out[]); + int (*list)(int argc, char * const argv[], int verbose, + const char *list_user); + int (*validate)(void); + void (*invalidate)(int remove); + int (*init_session)(struct passwd *pwd, char **user_env[]); + void (*register_hooks)(int version, + int (*register_hook)(struct sudo_hook *hook)); + void (*deregister_hooks)(int version, + int (*deregister_hook)(struct sudo_hook *hook)); +}; +.RE +.fi .PP The policy_plugin struct has the following fields: -.IP "type" 4 -.IX Item "type" -The \f(CW\*(C`type\*(C'\fR field should always be set to \s-1SUDO_POLICY_PLUGIN\s0. -.IP "version" 4 -.IX Item "version" -The \f(CW\*(C`version\*(C'\fR field should be set to \s-1SUDO_API_VERSION\s0. -.Sp -This allows \fBsudo\fR to determine the \s-1API\s0 version the plugin was +.TP 6n +type +The +\fRtype\fR +field should always be set to SUDO_POLICY_PLUGIN. +.TP 6n +version +The +\fRversion\fR +field should be set to +\fRSUDO_API_VERSION\fR. +.sp +This allows +\fBsudo\fR +to determine the API version the plugin was built against. -.IP "open" 4 -.IX Item "open" -.Vb 4 -\& int (*open)(unsigned int version, sudo_conv_t conversation, -\& sudo_printf_t plugin_printf, char * const settings[], -\& char * const user_info[], char * const user_env[], -\& char * const plugin_options[]); -.Ve -.Sp +.TP 6n +open +.nf +.RS 6n +int (*open)(unsigned int version, sudo_conv_t conversation, + sudo_printf_t plugin_printf, char * const settings[], + char * const user_info[], char * const user_env[], + char * const plugin_options[]); +.RE +.fi +.RS +.sp Returns 1 on success, 0 on failure, \-1 if a general error occurred, -or \-2 if there was a usage error. In the latter case, \fBsudo\fR will -print a usage message before it exits. If an error occurs, the -plugin may optionally call the conversation or plugin_printf function -with \f(CW\*(C`SUDO_CONF_ERROR_MSG\*(C'\fR to present additional error information -to the user. -.Sp +or \-2 if there was a usage error. +In the latter case, +\fBsudo\fR +will print a usage message before it exits. +If an error occurs, the plugin may optionally call the +\fBconversation\fR() +or +\fBplugin_printf\fR() +function with +\fRSUDO_CONF_ERROR_MSG\fR +to present additional error information to the user. +.sp The function arguments are as follows: -.RS 4 -.IP "version" 4 -.IX Item "version" -The version passed in by \fBsudo\fR allows the plugin to determine the -major and minor version number of the plugin \s-1API\s0 supported by -\&\fBsudo\fR. -.IP "conversation" 4 -.IX Item "conversation" -A pointer to the conversation function that can be used by the -plugin to interact with the user (see below). +.RS +.PP +.RE +.sp -1v +.TP 6n +version +The version passed in by +\fBsudo\fR +allows the plugin to determine the +major and minor version number of the plugin API supported by +\fBsudo\fR. +.TP 6n +conversation +A pointer to the +\fBconversation\fR() +function that can be used by the plugin to interact with the user (see below). Returns 0 on success and \-1 on failure. -.IP "plugin_printf" 4 -.IX Item "plugin_printf" -A pointer to a printf-style function that may be used to display -informational or error messages (see below). +.TP 6n +plugin_printf +A pointer to a +\fBprintf\fR()-style +function that may be used to display informational or error messages +(see below). Returns the number of characters printed on success and \-1 on failure. -.IP "settings" 4 -.IX Item "settings" -A vector of user-supplied \fBsudo\fR settings in the form of \*(L"name=value\*(R" -strings. The vector is terminated by a \f(CW\*(C`NULL\*(C'\fR pointer. These -settings correspond to flags the user specified when running \fBsudo\fR. +.TP 6n +settings +A vector of user-supplied +\fBsudo\fR +settings in the form of +``name=value'' +strings. +The vector is terminated by a +\fRNULL\fR +pointer. +These settings correspond to flags the user specified when running +\fBsudo\fR. As such, they will only be present when the corresponding flag has been specified on the command line. -.Sp -When parsing \fIsettings\fR, the plugin should split on the \fBfirst\fR -equal sign ('=') since the \fIname\fR field will never include one -itself but the \fIvalue\fR might. -.RS 4 -.IP "debug_flags=string" 4 -.IX Item "debug_flags=string" -A comma-separated list of debug flags that correspond to \fBsudo\fR's -\&\f(CW\*(C`Debug\*(C'\fR entry in \fI@sysconfdir@/sudo.conf\fR, if there is one. The -flags are passed to the plugin as they appear in \fI@sysconfdir@/sudo.conf\fR. -The syntax used by \fBsudo\fR and the \fIsudoers\fR plugin is -\&\fIsubsystem\fR@\fIpriority\fR but the plugin is free to use a different -format so long as it does not include a comma (\f(CW\*(C`,\*(C'\fR). -.Sp -For reference, the priorities supported by the \fBsudo\fR front end and -\&\fIsudoers\fR are: \fIcrit\fR, \fIerr\fR, \fIwarn\fR, \fInotice\fR, \fIdiag\fR, -\&\fIinfo\fR, \fItrace\fR and \fIdebug\fR. -.Sp -The following subsystems are defined: \fImain\fR, \fImemory\fR, \fIargs\fR, -\&\fIexec\fR, \fIpty\fR, \fIutmp\fR, \fIconv\fR, \fIpcomm\fR, \fIutil\fR, \fIlist\fR, -\&\fInetif\fR, \fIaudit\fR, \fIedit\fR, \fIselinux\fR, \fIldap\fR, \fImatch\fR, \fIparser\fR, -\&\fIalias\fR, \fIdefaults\fR, \fIauth\fR, \fIenv\fR, \fIlogging\fR, \fInss\fR, \fIrbtree\fR, -\&\fIperms\fR, \fIplugin\fR. The subsystem \fIall\fR includes every subsystem. -.Sp +.sp +When parsing +\fIsettings\fR, +the plugin should split on the +\fBfirst\fR +equal sign +(`=') +since the +\fIname\fR +field will never include one +itself but the +\fIvalue\fR +might. +.RS +.TP 6n +debug_flags=string +A comma-separated list of debug flags that correspond to +\fBsudo\fR's +\fRDebug\fR +entry in +\fI@sysconfdir@/sudo.conf\fR, +if there is one. +The flags are passed to the plugin as they appear in +\fI@sysconfdir@/sudo.conf\fR. +The syntax used by +\fBsudo\fR +and the +\fIsudoers\fR +plugin is +\fIsubsystem\fR@\fIpriority\fR +but the plugin is free to use a different +format so long as it does not include a comma +(`,\&'). +.sp +For reference, the priorities supported by the +\fBsudo\fR +front end and +\fIsudoers\fR +are: +\fIcrit\fR, +\fIerr\fR, +\fIwarn\fR, +\fInotice\fR, +\fIdiag\fR, +\fIinfo\fR, +\fItrace\fR +and +\fIdebug\fR. +.sp +The following subsystems are defined: +\fImain\fR, +\fImemory\fR, +\fIargs\fR, +\fIexec\fR, +\fIpty\fR, +\fIutmp\fR, +\fIconv\fR, +\fIpcomm\fR, +\fIutil\fR, +\fIlist\fR, +\fInetif\fR, +\fIaudit\fR, +\fIedit\fR, +\fIselinux\fR, +\fIldap\fR, +\fImatch\fR, +\fIparser\fR, +\fIalias\fR, +\fIdefaults\fR, +\fIauth\fR, +\fIenv\fR, +\fIlogging\fR, +\fInss\fR, +\fIrbtree\fR, +\fIperms\fR, +\fIplugin\fR. +The subsystem +\fIall\fR +includes every subsystem. +.sp There is not currently a way to specify a set of debug flags specific -to the plugin\*(--the flags are shared by \fBsudo\fR and the plugin. -.IP "debug_level=number" 4 -.IX Item "debug_level=number" -This setting has been deprecated in favor of \fIdebug_flags\fR. -.IP "runas_user=string" 4 -.IX Item "runas_user=string" +to the plugin--the flags are shared by +\fBsudo\fR +and the plugin. +.TP 6n +debug_level=number +This setting has been deprecated in favor of +\fIdebug_flags\fR. +.TP 6n +runas_user=string The user name or uid to to run the command as, if specified via the -\&\fB\-u\fR flag. -.IP "runas_group=string" 4 -.IX Item "runas_group=string" +\fB-u\fR +flag. +.TP 6n +runas_group=string The group name or gid to to run the command as, if specified via -the \fB\-g\fR flag. -.IP "prompt=string" 4 -.IX Item "prompt=string" +the +\fB-g\fR +flag. +.TP 6n +prompt=string The prompt to use when requesting a password, if specified via -the \fB\-p\fR flag. -.IP "set_home=bool" 4 -.IX Item "set_home=bool" -Set to true if the user specified the \fB\-H\fR flag. If true, set the -\&\f(CW\*(C`HOME\*(C'\fR environment variable to the target user's home directory. -.IP "preserve_environment=bool" 4 -.IX Item "preserve_environment=bool" -Set to true if the user specified the \fB\-E\fR flag, indicating that +the +\fB-p\fR +flag. +.TP 6n +set_home=bool +Set to true if the user specified the +\fB-H\fR +flag. +If true, set the +\fRHOME\fR +environment variable to the target user's home directory. +.TP 6n +preserve_environment=bool +Set to true if the user specified the +\fB-E\fR +flag, indicating that the user wishes to preserve the environment. -.IP "run_shell=bool" 4 -.IX Item "run_shell=bool" -Set to true if the user specified the \fB\-s\fR flag, indicating that +.TP 6n +run_shell=bool +Set to true if the user specified the +\fB-s\fR +flag, indicating that the user wishes to run a shell. -.IP "login_shell=bool" 4 -.IX Item "login_shell=bool" -Set to true if the user specified the \fB\-i\fR flag, indicating that +.TP 6n +login_shell=bool +Set to true if the user specified the +\fB-i\fR +flag, indicating that the user wishes to run a login shell. -.IP "implied_shell=bool" 4 -.IX Item "implied_shell=bool" -If the user does not specify a program on the command line, \fBsudo\fR +.TP 6n +implied_shell=bool +If the user does not specify a program on the command line, +\fBsudo\fR will pass the plugin the path to the user's shell and set -\&\fIimplied_shell\fR to true. This allows \fBsudo\fR with no arguments -to be used similarly to \fIsu\fR\|(1). If the plugin does not to support -this usage, it may return a value of \-2 from the \f(CW\*(C`check_policy\*(C'\fR -function, which will cause \fBsudo\fR to print a usage message and +\fIimplied_shell\fR +to true. +This allows +\fBsudo\fR +with no arguments +to be used similarly to +su(1). +If the plugin does not to support this usage, it may return a value of \-2 +from the +\fBcheck_policy\fR() +function, which will cause +\fBsudo\fR +to print a usage message and exit. -.IP "preserve_groups=bool" 4 -.IX Item "preserve_groups=bool" -Set to true if the user specified the \fB\-P\fR flag, indicating that +.TP 6n +preserve_groups=bool +Set to true if the user specified the +\fB-P\fR +flag, indicating that the user wishes to preserve the group vector instead of setting it based on the runas user. -.IP "ignore_ticket=bool" 4 -.IX Item "ignore_ticket=bool" -Set to true if the user specified the \fB\-k\fR flag along with a +.TP 6n +ignore_ticket=bool +Set to true if the user specified the +\fB-k\fR +flag along with a command, indicating that the user wishes to ignore any cached authentication credentials. -.IP "noninteractive=bool" 4 -.IX Item "noninteractive=bool" -Set to true if the user specified the \fB\-n\fR flag, indicating that -\&\fBsudo\fR should operate in non-interactive mode. The plugin may -reject a command run in non-interactive mode if user interaction -is required. -.IP "login_class=string" 4 -.IX Item "login_class=string" -\&\s-1BSD\s0 login class to use when setting resource limits and nice value, -if specified by the \fB\-c\fR flag. -.IP "selinux_role=string" 4 -.IX Item "selinux_role=string" +.TP 6n +noninteractive=bool +Set to true if the user specified the +\fB-n\fR +flag, indicating that +\fBsudo\fR +should operate in non-interactive mode. +The plugin may reject a command run in non-interactive mode if user +interaction is required. +.TP 6n +login_class=string +BSD login class to use when setting resource limits and nice value, +if specified by the +\fB-c\fR +flag. +.TP 6n +selinux_role=string SELinux role to use when executing the command, if specified by -the \fB\-r\fR flag. -.IP "selinux_type=string" 4 -.IX Item "selinux_type=string" +the +\fB-r\fR +flag. +.TP 6n +selinux_type=string SELinux type to use when executing the command, if specified by -the \fB\-t\fR flag. -.IP "bsdauth_type=string" 4 -.IX Item "bsdauth_type=string" -Authentication type, if specified by the \fB\-a\fR flag, to use on -systems where \s-1BSD\s0 authentication is supported. -.IP "network_addrs=list" 4 -.IX Item "network_addrs=list" -A space-separated list of \s-1IP\s0 network addresses and netmasks in the -form \*(L"addr/netmask\*(R", e.g. \*(L"192.168.1.2/255.255.255.0\*(R". The address -and netmask pairs may be either IPv4 or IPv6, depending on what the -operating system supports. If the address contains a colon (':'), +the +\fB-t\fR +flag. +.TP 6n +bsdauth_type=string +Authentication type, if specified by the +\fB-a\fR +flag, to use on +systems where BSD authentication is supported. +.TP 6n +network_addrs=list +A space-separated list of IP network addresses and netmasks in the +form +``addr/netmask'', +e.g.\& +``192.168.1.2/255.255.255.0''. +The address and netmask pairs may be either IPv4 or IPv6, depending on +what the operating system supports. +If the address contains a colon +(`:\&'), it is an IPv6 address, else it is IPv4. -.IP "progname=string" 4 -.IX Item "progname=string" -The command name that sudo was run as, typically \*(L"sudo\*(R" or \*(L"sudoedit\*(R". -.IP "sudoedit=bool" 4 -.IX Item "sudoedit=bool" -Set to true when the \fB\-e\fR flag is is specified or if invoked as -\&\fBsudoedit\fR. The plugin shall substitute an editor into \fIargv\fR -in the \fIcheck_policy\fR function or return \f(CW\*(C`\-2\*(C'\fR with a usage error -if the plugin does not support \fIsudoedit\fR. For more information, -see the \fIcheck_policy\fR section. -.IP "closefrom=number" 4 -.IX Item "closefrom=number" -If specified, the user has requested via the \fB\-C\fR flag that \fBsudo\fR -close all files descriptors with a value of \fInumber\fR or higher. +.TP 6n +progname=string +The command name that sudo was run as, typically +``sudo'' +or +``sudoedit''. +.TP 6n +sudoedit=bool +Set to true when the +\fB-e\fR +flag is is specified or if invoked as +\fBsudoedit\fR. +The plugin shall substitute an editor into +\fIargv\fR +in the +\fBcheck_policy\fR() +function or return \-2 with a usage error +if the plugin does not support +\fIsudoedit\fR. +For more information, see the +\fIcheck_policy\fR +section. +.TP 6n +closefrom=number +If specified, the user has requested via the +\fB-C\fR +flag that +\fBsudo\fR +close all files descriptors with a value of +\fInumber\fR +or higher. The plugin may optionally pass this, or another value, back in the -\&\fIcommand_info\fR list. +\fIcommand_info\fR +list. .RE -.RS 4 -.Sp +.RS +.PP Additional settings may be added in the future so the plugin should silently ignore settings that it does not recognize. +.PP .RE -.IP "user_info" 4 -.IX Item "user_info" +.sp -1v +.TP 6n +user_info A vector of information about the user running the command in the form of -\&\*(L"name=value\*(R" strings. The vector is terminated by a \f(CW\*(C`NULL\*(C'\fR pointer. -.Sp -When parsing \fIuser_info\fR, the plugin should split on the \fBfirst\fR -equal sign ('=') since the \fIname\fR field will never include one -itself but the \fIvalue\fR might. -.RS 4 -.IP "pid=int" 4 -.IX Item "pid=int" -The process \s-1ID\s0 of the running \fBsudo\fR process. -Only available starting with \s-1API\s0 version 1.2 -.IP "ppid=int" 4 -.IX Item "ppid=int" -The parent process \s-1ID\s0 of the running \fBsudo\fR process. -Only available starting with \s-1API\s0 version 1.2 -.IP "sid=int" 4 -.IX Item "sid=int" -The session \s-1ID\s0 of the running \fBsudo\fR process or 0 if \fBsudo\fR is -not part of a \s-1POSIX\s0 job control session. -Only available starting with \s-1API\s0 version 1.2 -.IP "pgid=int" 4 -.IX Item "pgid=int" -The \s-1ID\s0 of the process group that the running \fBsudo\fR process belongs +``name=value'' +strings. +The vector is terminated by a +\fRNULL\fR +pointer. +.sp +When parsing +\fIuser_info\fR, +the plugin should split on the +\fBfirst\fR +equal sign +(`=') +since the +\fIname\fR +field will never include one +itself but the +\fIvalue\fR +might. +.RS +.TP 6n +pid=int +The process ID of the running +\fBsudo\fR +process. +Only available starting with API version 1.2 +.TP 6n +ppid=int +The parent process ID of the running +\fBsudo\fR +process. +Only available starting with API version 1.2 +.TP 6n +sid=int +The session ID of the running +\fBsudo\fR +process or 0 if +\fBsudo\fR +is +not part of a POSIX job control session. +Only available starting with API version 1.2 +.TP 6n +pgid=int +The ID of the process group that the running +\fBsudo\fR +process belongs to. -Only available starting with \s-1API\s0 version 1.2 -.IP "tcpgid=int" 4 -.IX Item "tcpgid=int" -The \s-1ID\s0 of the forground process group associated with the terminal -device associcated with the \fBsudo\fR process or \-1 if there is no +Only available starting with API version 1.2 +.TP 6n +tcpgid=int +The ID of the forground process group associated with the terminal +device associcated with the +\fBsudo\fR +process or \-1 if there is no terminal present. -Only available starting with \s-1API\s0 version 1.2 -.IP "user=string" 4 -.IX Item "user=string" -The name of the user invoking \fBsudo\fR. -.IP "euid=uid_t" 4 -.IX Item "euid=uid_t" -The effective user \s-1ID\s0 of the user invoking \fBsudo\fR. -.IP "uid=uid_t" 4 -.IX Item "uid=uid_t" -The real user \s-1ID\s0 of the user invoking \fBsudo\fR. -.IP "egid=gid_t" 4 -.IX Item "egid=gid_t" -The effective group \s-1ID\s0 of the user invoking \fBsudo\fR. -.IP "gid=gid_t" 4 -.IX Item "gid=gid_t" -The real group \s-1ID\s0 of the user invoking \fBsudo\fR. -.IP "groups=list" 4 -.IX Item "groups=list" +Only available starting with API version 1.2 +.TP 6n +user=string +The name of the user invoking +\fBsudo\fR. +.TP 6n +euid=uid_t +The effective user ID of the user invoking +\fBsudo\fR. +.TP 6n +uid=uid_t +The real user ID of the user invoking +\fBsudo\fR. +.TP 6n +egid=gid_t +The effective group ID of the user invoking +\fBsudo\fR. +.TP 6n +gid=gid_t +The real group ID of the user invoking +\fBsudo\fR. +.TP 6n +groups=list The user's supplementary group list formatted as a string of comma-separated group IDs. -.IP "cwd=string" 4 -.IX Item "cwd=string" +.TP 6n +cwd=string The user's current working directory. -.IP "tty=string" 4 -.IX Item "tty=string" -The path to the user's terminal device. If the user has no terminal -device associated with the session, the value will be empty, as in -\&\f(CW\*(C`tty=\*(C'\fR. -.IP "host=string" 4 -.IX Item "host=string" -The local machine's hostname as returned by the \f(CW\*(C`gethostname()\*(C'\fR +.TP 6n +tty=string +The path to the user's terminal device. +If the user has no terminal device associated with the session, +the value will be empty, as in +``\fRtty=\fR''. +.TP 6n +host=string +The local machine's hostname as returned by the +gethostname(2) system call. -.IP "lines=int" 4 -.IX Item "lines=int" -The number of lines the user's terminal supports. If there is +.TP 6n +lines=int +The number of lines the user's terminal supports. +If there is no terminal device available, a default value of 24 is used. -.IP "cols=int" 4 -.IX Item "cols=int" -The number of columns the user's terminal supports. If there is -no terminal device available, a default value of 80 is used. +.TP 6n +cols=int +The number of columns the user's terminal supports. +If there is no terminal device available, a default value of 80 is used. .RE -.RS 4 -.RE -.IP "user_env" 4 -.IX Item "user_env" -The user's environment in the form of a \f(CW\*(C`NULL\*(C'\fR\-terminated vector of -\&\*(L"name=value\*(R" strings. -.Sp -When parsing \fIuser_env\fR, the plugin should split on the \fBfirst\fR -equal sign ('=') since the \fIname\fR field will never include one -itself but the \fIvalue\fR might. -.IP "plugin_options" 4 -.IX Item "plugin_options" +.TP 6n +user_env +The user's environment in the form of a +\fRNULL\fR-terminated vector of +``name=value'' +strings. +.sp +When parsing +\fIuser_env\fR, +the plugin should split on the +\fBfirst\fR +equal sign +(`=') +since the +\fIname\fR +field will never include one +itself but the +\fIvalue\fR +might. +.TP 6n +plugin_options Any (non-comment) strings immediately after the plugin path are -treated as arguments to the plugin. These arguments are split on -a white space boundary and are passed to the plugin in the form of -a \f(CW\*(C`NULL\*(C'\fR\-terminated array of strings. If no arguments were -specified, \fIplugin_options\fR will be the \s-1NULL\s0 pointer. -.Sp -\&\s-1NOTE:\s0 the \fIplugin_options\fR parameter is only available starting with -\&\s-1API\s0 version 1.2. A plugin \fBmust\fR check the \s-1API\s0 version specified -by the \fBsudo\fR front end before using \fIplugin_options\fR. Failure to -do so may result in a crash. -.RE -.RS 4 -.RE -.IP "close" 4 -.IX Item "close" -.Vb 1 -\& void (*close)(int exit_status, int error); -.Ve -.Sp -The \f(CW\*(C`close\*(C'\fR function is called when the command being run by \fBsudo\fR -finishes. -.Sp -The function arguments are as follows: -.RS 4 -.IP "exit_status" 4 -.IX Item "exit_status" -The command's exit status, as returned by the \fIwait\fR\|(2) system call. -The value of \f(CW\*(C`exit_status\*(C'\fR is undefined if \f(CW\*(C`error\*(C'\fR is non-zero. -.IP "error" 4 -.IX Item "error" -If the command could not be executed, this is set to the value of -\&\f(CW\*(C`errno\*(C'\fR set by the \fIexecve\fR\|(2) system call. The plugin is responsible -for displaying error information via the conversation or plugin_printf -function. If the command was successfully executed, the value of -\&\f(CW\*(C`error\*(C'\fR is 0. -.RE -.RS 4 -.RE -.IP "show_version" 4 -.IX Item "show_version" -.Vb 1 -\& int (*show_version)(int verbose); -.Ve -.Sp -The \f(CW\*(C`show_version\*(C'\fR function is called by \fBsudo\fR when the user specifies -the \fB\-V\fR option. The plugin may display its version information -to the user via the conversation or plugin_printf function using -\&\f(CW\*(C`SUDO_CONV_INFO_MSG\*(C'\fR. If the user requests detailed version -information, the verbose flag will be set. -.IP "check_policy" 4 -.IX Item "check_policy" -.Vb 3 -\& int (*check_policy)(int argc, char * const argv[] -\& char *env_add[], char **command_info[], -\& char **argv_out[], char **user_env_out[]); -.Ve -.Sp -The \fIcheck_policy\fR function is called by \fBsudo\fR to determine -whether the user is allowed to run the specified commands. -.Sp -If the \fIsudoedit\fR option was enabled in the \fIsettings\fR array -passed to the \fIopen\fR function, the user has requested \fIsudoedit\fR -mode. \fIsudoedit\fR is a mechanism for editing one or more files -where an editor is run with the user's credentials instead of with -elevated privileges. \fBsudo\fR achieves this by creating user-writable -temporary copies of the files to be edited and then overwriting the -originals with the temporary copies after editing is complete. If -the plugin supports \fBsudoedit\fR, it should choose the editor to be -used, potentially from a variable in the user's environment, such -as \f(CW\*(C`EDITOR\*(C'\fR, and include it in \fIargv_out\fR (note that environment -variables may include command line flags). The files to be edited -should be copied from \fIargv\fR into \fIargv_out\fR, separated from the -editor and its arguments by a \f(CW"\-\-"\fR element. The \f(CW"\-\-"\fR will -be removed by \fBsudo\fR before the editor is executed. The plugin -should also set \fIsudoedit=true\fR in the \fIcommand_info\fR list. -.Sp -The \fIcheck_policy\fR function returns 1 if the command is allowed, -0 if not allowed, \-1 for a general error, or \-2 for a usage error -or if \fBsudoedit\fR was specified but is unsupported by the plugin. -In the latter case, \fBsudo\fR will print a usage message before it -exits. If an error occurs, the plugin may optionally call the -conversation or plugin_printf function with \f(CW\*(C`SUDO_CONF_ERROR_MSG\*(C'\fR -to present additional error information to the user. -.Sp -The function arguments are as follows: -.RS 4 -.IP "argc" 4 -.IX Item "argc" -The number of elements in \fIargv\fR, not counting the final \f(CW\*(C`NULL\*(C'\fR +treated as arguments to the plugin. +These arguments are split on a white space boundary and are passed to +the plugin in the form of a +\fRNULL\fR-terminated +array of strings. +If no arguments were +specified, +\fIplugin_options\fR +will be the +\fRNULL\fR pointer. -.IP "argv" 4 -.IX Item "argv" +.sp +NOTE: the +\fIplugin_options\fR +parameter is only available starting with +API version 1.2. +A plugin +\fBmust\fR +check the API version specified +by the +\fBsudo\fR +front end before using +\fIplugin_options\fR. +Failure to do so may result in a crash. +.RE +.TP 6n +close +.br +.nf +.RS 6n +void (*close)(int exit_status, int error); +.RE +.fi +.RS +.sp +The +\fBclose\fR() +function is called when the command being run by +\fBsudo\fR +finishes. +.sp +The function arguments are as follows: +.RS +.PP +.RE +.sp -1v +.TP 6n +exit_status +The command's exit status, as returned by the +wait(2) +system call. +The value of +\fRexit_status\fR +is undefined if +\fRerror\fR +is non-zero. +.TP 6n +error +.br +If the command could not be executed, this is set to the value of +\fRerrno\fR +set by the +execve(2) +system call. +The plugin is responsible for displaying error information via the +\fBconversation\fR() +or +\fBplugin_printf\fR() +function. +If the command was successfully executed, the value of +\fRerror\fR +is 0. +.RE +.TP 6n +show_version +.nf +.RS 6n +int (*show_version)(int verbose); +.RE +.fi +.RS +.sp +The +\fBshow_version\fR() +function is called by +\fBsudo\fR +when the user specifies +the +\fB-V\fR +option. +The plugin may display its version information to the user via the +\fBconversation\fR() +or +\fBplugin_printf\fR() +function using +\fRSUDO_CONV_INFO_MSG\fR. +If the user requests detailed version information, the verbose flag will be set. +.PP +.RE +.sp -1v +.TP 6n +check_policy +.nf +.RS 6n +int (*check_policy)(int argc, char * const argv[] + char *env_add[], char **command_info[], + char **argv_out[], char **user_env_out[]); +.RE +.fi +.RS +.sp +The +\fBcheck_policy\fR() +function is called by +\fBsudo\fR +to determine +whether the user is allowed to run the specified commands. +.sp +If the +\fIsudoedit\fR +option was enabled in the +\fIsettings\fR +array +passed to the +\fBopen\fR() +function, the user has requested +\fIsudoedit\fR +mode. +\fIsudoedit\fR +is a mechanism for editing one or more files +where an editor is run with the user's credentials instead of with +elevated privileges. +\fBsudo\fR +achieves this by creating user-writable +temporary copies of the files to be edited and then overwriting the +originals with the temporary copies after editing is complete. +If the plugin supports +\fIsudoedit\fR, +it should choose the editor to be used, potentially from a variable +in the user's environment, such as +\fREDITOR\fR, +and include it in +\fIargv_out\fR +(note that environment +variables may include command line flags). +The files to be edited should be copied from +\fIargv\fR +into +\fIargv_out\fR, +separated from the +editor and its arguments by a +``\fR--\fR'' +element. +The +``\fR--\fR'' +will +be removed by +\fBsudo\fR +before the editor is executed. +The plugin should also set +\fIsudoedit=true\fR +in the +\fIcommand_info\fR +list. +.sp +The +\fBcheck_policy\fR() +function returns 1 if the command is allowed, +0 if not allowed, \-1 for a general error, or \-2 for a usage error +or if +\fIsudoedit\fR +was specified but is unsupported by the plugin. +In the latter case, +\fBsudo\fR +will print a usage message before it +exits. +If an error occurs, the plugin may optionally call the +\fBconversation\fR() +or +\fBplugin_printf\fR() +function with +\fRSUDO_CONF_ERROR_MSG\fR +to present additional error information to the user. +.sp +The function arguments are as follows: +.RS +.PP +.RE +.sp -1v +.TP 6n +argc +The number of elements in +\fIargv\fR, +not counting the final +\fRNULL\fR +pointer. +.TP 6n +argv The argument vector describing the command the user wishes to run, -in the same form as what would be passed to the \fIexecve()\fR system -call. The vector is terminated by a \f(CW\*(C`NULL\*(C'\fR pointer. -.IP "env_add" 4 -.IX Item "env_add" +in the same form as what would be passed to the +execve(2) +system call. +The vector is terminated by a +\fRNULL\fR +pointer. +.TP 6n +env_add Additional environment variables specified by the user on the command -line in the form of a \f(CW\*(C`NULL\*(C'\fR\-terminated vector of \*(L"name=value\*(R" -strings. The plugin may reject the command if one or more variables +line in the form of a +\fRNULL\fR-terminated +vector of +``name=value'' +strings. +The plugin may reject the command if one or more variables are not allowed to be set, or it may silently ignore such variables. -.Sp -When parsing \fIenv_add\fR, the plugin should split on the \fBfirst\fR -equal sign ('=') since the \fIname\fR field will never include one -itself but the \fIvalue\fR might. -.IP "command_info" 4 -.IX Item "command_info" -Information about the command being run in the form of \*(L"name=value\*(R" -strings. These values are used by \fBsudo\fR to set the execution -environment when running a command. The plugin is responsible for -creating and populating the vector, which must be terminated with -a \f(CW\*(C`NULL\*(C'\fR pointer. The following values are recognized by \fBsudo\fR: -.RS 4 -.IP "command=string" 4 -.IX Item "command=string" +.sp +When parsing +\fIenv_add\fR, +the plugin should split on the +\fBfirst\fR +equal sign +(`=') +since the +\fIname\fR +field will never include one +itself but the +\fIvalue\fR +might. +.TP 6n +command_info +Information about the command being run in the form of +``name=value'' +strings. +These values are used by +\fBsudo\fR +to set the execution +environment when running a command. +The plugin is responsible for creating and populating the vector, +which must be terminated with a +\fRNULL\fR +pointer. +The following values are recognized by +\fBsudo\fR: +.RS +.TP 6n +command=string Fully qualified path to the command to be executed. -.IP "runas_uid=uid" 4 -.IX Item "runas_uid=uid" -User \s-1ID\s0 to run the command as. -.IP "runas_euid=uid" 4 -.IX Item "runas_euid=uid" -Effective user \s-1ID\s0 to run the command as. -If not specified, the value of \fIrunas_uid\fR is used. -.IP "runas_gid=gid" 4 -.IX Item "runas_gid=gid" -Group \s-1ID\s0 to run the command as. -.IP "runas_egid=gid" 4 -.IX Item "runas_egid=gid" -Effective group \s-1ID\s0 to run the command as. -If not specified, the value of \fIrunas_gid\fR is used. -.IP "runas_groups=list" 4 -.IX Item "runas_groups=list" +.TP 6n +runas_uid=uid +User ID to run the command as. +.TP 6n +runas_euid=uid +Effective user ID to run the command as. +If not specified, the value of +\fIrunas_uid\fR +is used. +.TP 6n +runas_gid=gid +Group ID to run the command as. +.TP 6n +runas_egid=gid +Effective group ID to run the command as. +If not specified, the value of +\fIrunas_gid\fR +is used. +.TP 6n +runas_groups=list The supplementary group vector to use for the command in the form -of a comma-separated list of group IDs. If \fIpreserve_groups\fR +of a comma-separated list of group IDs. +If +\fIpreserve_groups\fR is set, this option is ignored. -.IP "login_class=string" 4 -.IX Item "login_class=string" -\&\s-1BSD\s0 login class to use when setting resource limits and nice value -(optional). This option is only set on systems that support login -classes. -.IP "preserve_groups=bool" 4 -.IX Item "preserve_groups=bool" -If set, \fBsudo\fR will preserve the user's group vector instead of -initializing the group vector based on \f(CW\*(C`runas_user\*(C'\fR. -.IP "cwd=string" 4 -.IX Item "cwd=string" +.TP 6n +login_class=string +BSD login class to use when setting resource limits and nice value +(optional). +This option is only set on systems that support login classes. +.TP 6n +preserve_groups=bool +If set, +\fBsudo\fR +will preserve the user's group vector instead of +initializing the group vector based on +\fRrunas_user\fR. +.TP 6n +cwd=string The current working directory to change to when executing the command. -.IP "noexec=bool" 4 -.IX Item "noexec=bool" +.TP 6n +noexec=bool If set, prevent the command from executing other programs. -.IP "chroot=string" 4 -.IX Item "chroot=string" +.TP 6n +chroot=string The root directory to use when running the command. -.IP "nice=int" 4 -.IX Item "nice=int" -Nice value (priority) to use when executing the command. The nice -value, if specified, overrides the priority associated with the -\&\fIlogin_class\fR on \s-1BSD\s0 systems. -.IP "umask=octal" 4 -.IX Item "umask=octal" +.TP 6n +nice=int +Nice value (priority) to use when executing the command. +The nice value, if specified, overrides the priority associated with the +\fIlogin_class\fR +on BSD systems. +.TP 6n +umask=octal The file creation mask to use when executing the command. -.IP "selinux_role=string" 4 -.IX Item "selinux_role=string" +.TP 6n +selinux_role=string SELinux role to use when executing the command. -.IP "selinux_type=string" 4 -.IX Item "selinux_type=string" +.TP 6n +selinux_type=string SELinux type to use when executing the command. -.IP "timeout=int" 4 -.IX Item "timeout=int" -Command timeout. If non-zero then when the timeout expires the -command will be killed. -.IP "sudoedit=bool" 4 -.IX Item "sudoedit=bool" -Set to true when in \fIsudoedit\fR mode. The plugin may enable -\&\fIsudoedit\fR mode even if \fBsudo\fR was not invoked as \fBsudoedit\fR. +.TP 6n +timeout=int +Command timeout. +If non-zero then when the timeout expires the command will be killed. +.TP 6n +sudoedit=bool +Set to true when in +\fIsudoedit\fR +mode. +The plugin may enable +\fIsudoedit\fR +mode even if +\fBsudo\fR +was not invoked as +\fBsudoedit\fR. This allows the plugin to perform command substitution and transparently -enable \fIsudoedit\fR when the user attempts to run an editor. -.IP "closefrom=number" 4 -.IX Item "closefrom=number" -If specified, \fBsudo\fR will close all files descriptors with a value -of \fInumber\fR or higher. -.IP "iolog_compress=bool" 4 -.IX Item "iolog_compress=bool" +enable +\fIsudoedit\fR +when the user attempts to run an editor. +.TP 6n +closefrom=number +If specified, +\fBsudo\fR +will close all files descriptors with a value +of +\fInumber\fR +or higher. +.TP 6n +iolog_compress=bool Set to true if the I/O logging plugins, if any, should compress the -log data. This is a hint to the I/O logging plugin which may choose -to ignore it. -.IP "iolog_path=string" 4 -.IX Item "iolog_path=string" +log data. +This is a hint to the I/O logging plugin which may choose to ignore it. +.TP 6n +iolog_path=string Fully qualified path to the file or directory in which I/O log is -to be stored. This is a hint to the I/O logging plugin which may -choose to ignore it. If no I/O logging plugin is loaded, this -setting has no effect. -.IP "iolog_stdin=bool" 4 -.IX Item "iolog_stdin=bool" +to be stored. +This is a hint to the I/O logging plugin which may choose to ignore it. +If no I/O logging plugin is loaded, this setting has no effect. +.TP 6n +iolog_stdin=bool Set to true if the I/O logging plugins, if any, should log the -standard input if it is not connected to a terminal device. This -is a hint to the I/O logging plugin which may choose to ignore it. -.IP "iolog_stdout=bool" 4 -.IX Item "iolog_stdout=bool" +standard input if it is not connected to a terminal device. +This is a hint to the I/O logging plugin which may choose to ignore it. +.TP 6n +iolog_stdout=bool Set to true if the I/O logging plugins, if any, should log the -standard output if it is not connected to a terminal device. This -is a hint to the I/O logging plugin which may choose to ignore it. -.IP "iolog_stderr=bool" 4 -.IX Item "iolog_stderr=bool" +standard output if it is not connected to a terminal device. +This is a hint to the I/O logging plugin which may choose to ignore it. +.TP 6n +iolog_stderr=bool Set to true if the I/O logging plugins, if any, should log the -standard error if it is not connected to a terminal device. This -is a hint to the I/O logging plugin which may choose to ignore it. -.IP "iolog_ttyin=bool" 4 -.IX Item "iolog_ttyin=bool" +standard error if it is not connected to a terminal device. +This is a hint to the I/O logging plugin which may choose to ignore it. +.TP 6n +iolog_ttyin=bool Set to true if the I/O logging plugins, if any, should log all -terminal input. This only includes input typed by the user and not -from a pipe or redirected from a file. This is a hint to the I/O -logging plugin which may choose to ignore it. -.IP "iolog_ttyout=bool" 4 -.IX Item "iolog_ttyout=bool" +terminal input. +This only includes input typed by the user and not from a pipe or +redirected from a file. +This is a hint to the I/O logging plugin which may choose to ignore it. +.TP 6n +iolog_ttyout=bool Set to true if the I/O logging plugins, if any, should log all -terminal output. This only includes output to the screen, not -output to a pipe or file. This is a hint to the I/O logging plugin -which may choose to ignore it. -.IP "use_pty=bool" 4 -.IX Item "use_pty=bool" +terminal output. +This only includes output to the screen, not output to a pipe or file. +This is a hint to the I/O logging plugin which may choose to ignore it. +.TP 6n +use_pty=bool Allocate a pseudo-tty to run the command in, regardless of whether -or not I/O logging is in use. By default, \fBsudo\fR will only run +or not I/O logging is in use. +By default, +\fBsudo\fR +will only run the command in a pty when an I/O log plugin is loaded. -.IP "set_utmp=bool" 4 -.IX Item "set_utmp=bool" -Create a utmp (or utmpx) entry when a pseudo-tty is allocated. By -default, the new entry will be a copy of the user's existing utmp +.TP 6n +set_utmp=bool +Create a utmp (or utmpx) entry when a pseudo-tty is allocated. +By default, the new entry will be a copy of the user's existing utmp entry (if any), with the tty, time, type and pid fields updated. -.IP "utmp_user=string" 4 -.IX Item "utmp_user=string" +.TP 6n +utmp_user=string User name to use when constructing a new utmp (or utmpx) entry when -\&\fIset_utmp\fR is enabled. This option can be used to set the user -field in the utmp entry to the user the command runs as rather than -the invoking user. If not set, \fBsudo\fR will base the new entry on +\fIset_utmp\fR +is enabled. +This option can be used to set the user field in the utmp entry to +the user the command runs as rather than the invoking user. +If not set, +\fBsudo\fR +will base the new entry on the invoking user's existing entry. .RE -.RS 4 -.Sp +.RS +.PP Unsupported values will be ignored. +.PP .RE -.IP "argv_out" 4 -.IX Item "argv_out" -The \f(CW\*(C`NULL\*(C'\fR\-terminated argument vector to pass to the \fIexecve()\fR -system call when executing the command. The plugin is responsible -for allocating and populating the vector. -.IP "user_env_out" 4 -.IX Item "user_env_out" -The \f(CW\*(C`NULL\*(C'\fR\-terminated environment vector to use when executing the -command. The plugin is responsible for allocating and populating -the vector. +.sp -1v +.TP 6n +argv_out +The +\fRNULL\fR-terminated +argument vector to pass to the +execve(2) +system call when executing the command. +The plugin is responsible for allocating and populating the vector. +.TP 6n +user_env_out +The +\fRNULL\fR-terminated +environment vector to use when executing the command. +The plugin is responsible for allocating and populating the vector. .RE -.RS 4 +.TP 6n +list +.nf +.RS 6n +int (*list)(int verbose, const char *list_user, + int argc, char * const argv[]); .RE -.IP "list" 4 -.IX Item "list" -.Vb 2 -\& int (*list)(int verbose, const char *list_user, -\& int argc, char * const argv[]); -.Ve -.Sp -List available privileges for the invoking user. Returns 1 on -success, 0 on failure and \-1 on error. On error, the plugin may -optionally call the conversation or plugin_printf function with -\&\f(CW\*(C`SUDO_CONF_ERROR_MSG\*(C'\fR to present additional error information to +.fi +.RS +.sp +List available privileges for the invoking user. +Returns 1 on success, 0 on failure and \-1 on error. +On error, the plugin may optionally call the +\fBconversation\fR() +or +\fBplugin_printf\fR() +function with +\fRSUDO_CONF_ERROR_MSG\fR +to present additional error information to the user. -.Sp -Privileges should be output via the conversation or plugin_printf -function using \f(CW\*(C`SUDO_CONV_INFO_MSG\*(C'\fR. -.RS 4 -.IP "verbose" 4 -.IX Item "verbose" +.sp +Privileges should be output via the +\fBconversation\fR() +or +\fBplugin_printf\fR() +function using +\fRSUDO_CONV_INFO_MSG\fR, +.RS +.PP +.RE +.sp -1v +.TP 6n +verbose Flag indicating whether to list in verbose mode or not. -.IP "list_user" 4 -.IX Item "list_user" +.TP 6n +list_user The name of a different user to list privileges for if the policy -allows it. If \f(CW\*(C`NULL\*(C'\fR, the plugin should list the privileges of -the invoking user. -.IP "argc" 4 -.IX Item "argc" -The number of elements in \fIargv\fR, not counting the final \f(CW\*(C`NULL\*(C'\fR +allows it. +If +\fRNULL\fR, +the plugin should list the privileges of the invoking user. +.TP 6n +argc +The number of elements in +\fIargv\fR, +not counting the final +\fRNULL\fR pointer. -.IP "argv" 4 -.IX Item "argv" -If non\-\f(CW\*(C`NULL\*(C'\fR, an argument vector describing a command the user +.TP 6n +argv +If +non-\fRNULL\fR, +an argument vector describing a command the user wishes to check against the policy in the same form as what would -be passed to the \fIexecve()\fR system call. If the command is permitted -by the policy, the fully-qualified path to the command should be -displayed along with any command line arguments. +be passed to the +execve(2) +system call. +If the command is permitted by the policy, the fully-qualified path +to the command should be displayed along with any command line arguments. .RE -.RS 4 +.TP 6n +validate +.nf +.RS 6n +int (*validate)(void); .RE -.IP "validate" 4 -.IX Item "validate" -.Vb 1 -\& int (*validate)(void); -.Ve -.Sp -The \f(CW\*(C`validate\*(C'\fR function is called when \fBsudo\fR is run with the -\&\fB\-v\fR flag. For policy plugins such as \fIsudoers\fR that cache +.fi +.RS +.sp +The +\fBvalidate\fR() +function is called when +\fBsudo\fR +is run with the +\fB-v\fR +flag. +For policy plugins such as +\fIsudoers\fR +that cache authentication credentials, this function will validate and cache the credentials. -.Sp -The \f(CW\*(C`validate\*(C'\fR function should be \f(CW\*(C`NULL\*(C'\fR if the plugin does not -support credential caching. -.Sp +.sp +The +\fBvalidate\fR() +function should be +\fRNULL\fR +if the plugin does not support credential caching. +.sp Returns 1 on success, 0 on failure and \-1 on error. -On error, the plugin may optionally call the conversation or plugin_printf -function with \f(CW\*(C`SUDO_CONF_ERROR_MSG\*(C'\fR to present additional +On error, the plugin may optionally call the +\fBconversation\fR() +or +\fBplugin_printf\fR() +function with +\fRSUDO_CONF_ERROR_MSG\fR +to present additional error information to the user. -.IP "invalidate" 4 -.IX Item "invalidate" -.Vb 1 -\& void (*invalidate)(int remove); -.Ve -.Sp -The \f(CW\*(C`invalidate\*(C'\fR function is called when \fBsudo\fR is called with -the \fB\-k\fR or \fB\-K\fR flag. For policy plugins such as \fIsudoers\fR that +.PP +.RE +.sp -1v +.TP 6n +invalidate +.nf +.RS 6n +void (*invalidate)(int remove); +.RE +.fi +.RS +.sp +The +\fBinvalidate\fR() +function is called when +\fBsudo\fR +is called with +the +\fB-k\fR +or +\fB-K\fR +flag. +For policy plugins such as +\fIsudoers\fR +that cache authentication credentials, this function will invalidate the -credentials. If the \fIremove\fR flag is set, the plugin may remove +credentials. +If the +\fIremove\fR +flag is set, the plugin may remove the credentials instead of simply invalidating them. -.Sp -The \f(CW\*(C`invalidate\*(C'\fR function should be \f(CW\*(C`NULL\*(C'\fR if the plugin does not -support credential caching. -.IP "init_session" 4 -.IX Item "init_session" -.Vb 1 -\& int (*init_session)(struct passwd *pwd, char **user_envp[); -.Ve -.Sp -The \f(CW\*(C`init_session\*(C'\fR function is called before \fBsudo\fR sets up the -execution environment for the command. It is run in the parent -\&\fBsudo\fR process and before any uid or gid changes. This can be used -to perform session setup that is not supported by \fIcommand_info\fR, -such as opening the \s-1PAM\s0 session. The \f(CW\*(C`close\*(C'\fR function can be -used to tear down the session that was opened by \f(CW\*(C`init_session\*(C'\fR. -.Sp -The \fIpwd\fR argument points to a passwd struct for the user the +.sp +The +\fBinvalidate\fR() +function should be +\fRNULL\fR +if the plugin does not support credential caching. +.PP +.RE +.sp -1v +.TP 6n +init_session +.nf +.RS 6n +int (*init_session)(struct passwd *pwd, char **user_envp[); +.RE +.fi +.RS +.sp +The +\fBinit_session\fR() +function is called before +\fBsudo\fR +sets up the +execution environment for the command. +It is run in the parent +\fBsudo\fR +process and before any uid or gid changes. +This can be used to perform session setup that is not supported by +\fIcommand_info\fR, +such as opening the PAM session. +The +\fBclose\fR() +function can be +used to tear down the session that was opened by +\fRinit_session\fR. +.sp +The +\fIpwd\fR +argument points to a passwd struct for the user the command will be run as if the uid the command will run as was found -in the password database, otherwise it will be \s-1NULL\s0. -.Sp -The \fIuser_env\fR argument points to the environment the command will -run in, in the form of a \f(CW\*(C`NULL\*(C'\fR\-terminated vector of \*(L"name=value\*(R" -strings. This is the same string passed back to the front end via -the Policy Plugin's \fIuser_env_out\fR parameter. If the \f(CW\*(C`init_session\*(C'\fR +in the password database, otherwise it will be +\fRNULL\fR. +.sp +The +\fIuser_env\fR +argument points to the environment the command will +run in, in the form of a +\fRNULL\fR-terminated +vector of +``name=value'' +strings. +This is the same string passed back to the front end via +the Policy Plugin's +\fIuser_env_out\fR +parameter. +If the +\fBinit_session\fR() function needs to modify the user environment, it should update the -pointer stored in \fIuser_env\fR. The expected use case is to merge -the contents of the \s-1PAM\s0 environment (if any) with the contents of -\&\fIuser_env\fR. \s-1NOTE:\s0 the \fIuser_env\fR parameter is only available -starting with \s-1API\s0 version 1.2. A plugin \fBmust\fR check the \s-1API\s0 -version specified by the \fBsudo\fR front end before using \fIuser_env\fR. +pointer stored in +\fIuser_env\fR. +The expected use case is to merge the contents of the PAM environment +(if any) with the contents of +\fIuser_env\fR. +NOTE: the +\fIuser_env\fR +parameter is only available +starting with API version 1.2. +A plugin +\fBmust\fR +check the API +version specified by the +\fBsudo\fR +front end before using +\fIuser_env\fR. Failure to do so may result in a crash. -.Sp +.sp Returns 1 on success, 0 on failure and \-1 on error. -On error, the plugin may optionally call the conversation or plugin_printf -function with \f(CW\*(C`SUDO_CONF_ERROR_MSG\*(C'\fR to present additional +On error, the plugin may optionally call the +\fBconversation\fR() +or +\fBplugin_printf\fR() +function with +\fRSUDO_CONF_ERROR_MSG\fR +to present additional error information to the user. -.IP "register_hooks" 4 -.IX Item "register_hooks" -.Vb 2 -\& void (*register_hooks)(int version, -\& int (*register_hook)(struct sudo_hook *hook)); -.Ve -.Sp -The \f(CW\*(C`register_hooks\*(C'\fR function is called by the sudo front end to -register any hooks the plugin needs. If the plugin does not support -hooks, \f(CW\*(C`register_hooks\*(C'\fR should be set to the \s-1NULL\s0 pointer. -.Sp -The \fIversion\fR argument describes the version of the hooks \s-1API\s0 -supported by the \fBsudo\fR front end. -.Sp -The \f(CW\*(C`register_hook\*(C'\fR function should be used to register any supported -hooks the plugin needs. It returns 0 on success, 1 if the hook -type is not supported and \-1 if the major version in \f(CW\*(C`struct hook\*(C'\fR -does not match the front end's major hook \s-1API\s0 version. -.Sp -See the \*(L"Hook Function \s-1API\s0\*(R" section below for more information +.PP +.RE +.sp -1v +.TP 6n +register_hooks +.nf +.RS 6n +void (*register_hooks)(int version, + int (*register_hook)(struct sudo_hook *hook)); +.RE +.fi +.RS +.sp +The +\fBregister_hooks\fR() +function is called by the sudo front end to +register any hooks the plugin needs. +If the plugin does not support hooks, +\fRregister_hooks\fR +should be set to the +\fRNULL\fR +pointer. +.sp +The +\fIversion\fR +argument describes the version of the hooks API +supported by the +\fBsudo\fR +front end. +.sp +The +\fBregister_hook\fR() +function should be used to register any supported +hooks the plugin needs. +It returns 0 on success, 1 if the hook type is not supported and \-1 +if the major version in +\fRstruct hook\fR +does not match the front end's major hook API version. +.sp +See the +\fIHook Function API\fR +section below for more information about hooks. -.Sp -\&\s-1NOTE:\s0 the \f(CW\*(C`register_hooks\*(C'\fR function is only available starting -with \s-1API\s0 version 1.2. If the \fBsudo\fR front end doesn't support \s-1API\s0 -version 1.2 or higher, \f(CW\*(C`register_hooks\*(C'\fR will not be called. -.IP "deregister_hooks" 4 -.IX Item "deregister_hooks" -.Vb 2 -\& void (*deregister_hooks)(int version, -\& int (*deregister_hook)(struct sudo_hook *hook)); -.Ve -.Sp -The \f(CW\*(C`deregister_hooks\*(C'\fR function is called by the sudo front end -to deregister any hooks the plugin has registered. If the plugin -does not support hooks, \f(CW\*(C`deregister_hooks\*(C'\fR should be set to the -\&\s-1NULL\s0 pointer. -.Sp -The \fIversion\fR argument describes the version of the hooks \s-1API\s0 -supported by the \fBsudo\fR front end. -.Sp -The \f(CW\*(C`deregister_hook\*(C'\fR function should be used to deregister any -hooks that were put in place by the \f(CW\*(C`register_hook\*(C'\fR function. If -the plugin tries to deregister a hook that the front end does not -support, \f(CW\*(C`deregister_hook\*(C'\fR will return an error. -.Sp -See the \*(L"Hook Function \s-1API\s0\*(R" section below for more information +.sp +NOTE: the +\fBregister_hooks\fR() +function is only available starting +with API version 1.2. +If the +\fBsudo\fR +front end doesn't support API +version 1.2 or higher, +\fRregister_hooks\fR +will not be called. +.PP +.RE +.sp -1v +.TP 6n +deregister_hooks +.nf +.RS 6n +void (*deregister_hooks)(int version, + int (*deregister_hook)(struct sudo_hook *hook)); +.RE +.fi +.RS +.sp +The +\fBderegister_hooks\fR() +function is called by the sudo front end +to deregister any hooks the plugin has registered. +If the plugin does not support hooks, +\fRderegister_hooks\fR +should be set to the +\fRNULL\fR +pointer. +.sp +The +\fIversion\fR +argument describes the version of the hooks API +supported by the +\fBsudo\fR +front end. +.sp +The +\fBderegister_hook\fR() +function should be used to deregister any +hooks that were put in place by the +\fBregister_hook\fR() +function. +If the plugin tries to deregister a hook that the front end does not support, +\fRderegister_hook\fR +will return an error. +.sp +See the +\fIHook Function API\fR +section below for more information about hooks. -.Sp -\&\s-1NOTE:\s0 the \f(CW\*(C`deregister_hooks\*(C'\fR function is only available starting -with \s-1API\s0 version 1.2. If the \fBsudo\fR front end doesn't support \s-1API\s0 -version 1.2 or higher, \f(CW\*(C`deregister_hooks\*(C'\fR will not be called. +.sp +NOTE: the +\fBderegister_hooks\fR() +function is only available starting +with API version 1.2. +If the +\fBsudo\fR +front end doesn't support API +version 1.2 or higher, +\fRderegister_hooks\fR +will not be called. +.RE .PP \fIPolicy Plugin Version Macros\fR -.IX Subsection "Policy Plugin Version Macros" +.nf +.sp +.RS 0n +/* Plugin API version major/minor. */ +#define SUDO_API_VERSION_MAJOR 1 +#define SUDO_API_VERSION_MINOR 2 +#define SUDO_API_MKVERSION(x, y) ((x << 16) | y) +#define SUDO_API_VERSION SUDO_API_MKVERSION(SUDO_API_VERSION_MAJOR,\e + SUDO_API_VERSION_MINOR) + +/* Getters and setters for API version */ +#define SUDO_API_VERSION_GET_MAJOR(v) ((v) >> 16) +#define SUDO_API_VERSION_GET_MINOR(v) ((v) & 0xffff) +#define SUDO_API_VERSION_SET_MAJOR(vp, n) do { \e + *(vp) = (*(vp) & 0x0000ffff) | ((n) << 16); \e +} while(0) +#define SUDO_VERSION_SET_MINOR(vp, n) do { \e + *(vp) = (*(vp) & 0xffff0000) | (n); \e +} while(0) +.RE +.fi +.SS "I/O Plugin API" +.nf +.RS 0n +struct io_plugin { +#define SUDO_IO_PLUGIN 2 + unsigned int type; /* always SUDO_IO_PLUGIN */ + unsigned int version; /* always SUDO_API_VERSION */ + int (*open)(unsigned int version, sudo_conv_t conversation + sudo_printf_t plugin_printf, char * const settings[], + char * const user_info[], int argc, char * const argv[], + char * const user_env[], char * const plugin_options[]); + void (*close)(int exit_status, int error); /* wait status or error */ + int (*show_version)(int verbose); + int (*log_ttyin)(const char *buf, unsigned int len); + int (*log_ttyout)(const char *buf, unsigned int len); + int (*log_stdin)(const char *buf, unsigned int len); + int (*log_stdout)(const char *buf, unsigned int len); + int (*log_stderr)(const char *buf, unsigned int len); + void (*register_hooks)(int version, + int (*register_hook)(struct sudo_hook *hook)); + void (*deregister_hooks)(int version, + int (*deregister_hook)(struct sudo_hook *hook)); +}; +.RE +.fi .PP -.Vb 6 -\& /* Plugin API version major/minor. */ -\& #define SUDO_API_VERSION_MAJOR 1 -\& #define SUDO_API_VERSION_MINOR 2 -\& #define SUDO_API_MKVERSION(x, y) ((x << 16) | y) -\& #define SUDO_API_VERSION SUDO_API_MKVERSION(SUDO_API_VERSION_MAJOR,\e -\& SUDO_API_VERSION_MINOR) -\& -\& /* Getters and setters for API version */ -\& #define SUDO_API_VERSION_GET_MAJOR(v) ((v) >> 16) -\& #define SUDO_API_VERSION_GET_MINOR(v) ((v) & 0xffff) -\& #define SUDO_API_VERSION_SET_MAJOR(vp, n) do { \e -\& *(vp) = (*(vp) & 0x0000ffff) | ((n) << 16); \e -\& } while(0) -\& #define SUDO_VERSION_SET_MINOR(vp, n) do { \e -\& *(vp) = (*(vp) & 0xffff0000) | (n); \e -\& } while(0) -.Ve -.SS "I/O Plugin \s-1API\s0" -.IX Subsection "I/O Plugin API" -.Vb 10 -\& struct io_plugin { -\& #define SUDO_IO_PLUGIN 2 -\& unsigned int type; /* always SUDO_IO_PLUGIN */ -\& unsigned int version; /* always SUDO_API_VERSION */ -\& int (*open)(unsigned int version, sudo_conv_t conversation -\& sudo_printf_t plugin_printf, char * const settings[], -\& char * const user_info[], int argc, char * const argv[], -\& char * const user_env[], char * const plugin_options[]); -\& void (*close)(int exit_status, int error); /* wait status or error */ -\& int (*show_version)(int verbose); -\& int (*log_ttyin)(const char *buf, unsigned int len); -\& int (*log_ttyout)(const char *buf, unsigned int len); -\& int (*log_stdin)(const char *buf, unsigned int len); -\& int (*log_stdout)(const char *buf, unsigned int len); -\& int (*log_stderr)(const char *buf, unsigned int len); -\& void (*register_hooks)(int version, -\& int (*register_hook)(struct sudo_hook *hook)); -\& void (*deregister_hooks)(int version, -\& int (*deregister_hook)(struct sudo_hook *hook)); -\& }; -.Ve -.PP -When an I/O plugin is loaded, \fBsudo\fR runs the command in a pseudo-tty. +When an I/O plugin is loaded, +\fBsudo\fR +runs the command in a pseudo-tty. This makes it possible to log the input and output from the user's -session. If any of the standard input, standard output or standard -error do not correspond to a tty, \fBsudo\fR will open a pipe to capture +session. +If any of the standard input, standard output or standard error do not +correspond to a tty, +\fBsudo\fR +will open a pipe to capture the I/O for logging before passing it on. .PP The log_ttyin function receives the raw user input from the terminal device (note that this will include input even when echo is disabled, -such as when a password is read). The log_ttyout function receives -output from the pseudo-tty that is suitable for replaying the user's -session at a later time. The log_stdin, log_stdout and log_stderr +such as when a password is read). +The log_ttyout function receives output from the pseudo-tty that is +suitable for replaying the user's session at a later time. +The +\fBlog_stdin\fR(), +\fBlog_stdout\fR() +and +\fBlog_stderr\fR() functions are only called if the standard input, standard output or standard error respectively correspond to something other than a tty. .PP -Any of the logging functions may be set to the \s-1NULL\s0 -pointer if no logging is to be performed. If the open function -returns \f(CW0\fR, no I/O will be sent to the plugin. +Any of the logging functions may be set to the +\fRNULL\fR +pointer if no logging is to be performed. +If the open function returns 0, no I/O will be sent to the plugin. .PP The io_plugin struct has the following fields: -.IP "type" 4 -.IX Item "type" -The \f(CW\*(C`type\*(C'\fR field should always be set to \s-1SUDO_IO_PLUGIN\s0 -.IP "version" 4 -.IX Item "version" -The \f(CW\*(C`version\*(C'\fR field should be set to \s-1SUDO_API_VERSION\s0. -.Sp -This allows \fBsudo\fR to determine the \s-1API\s0 version the plugin was +.TP 6n +type +The +\fRtype\fR +field should always be set to +\fRSUDO_IO_PLUGIN\fR. +.TP 6n +version +The +\fRversion\fR +field should be set to +\fRSUDO_API_VERSION\fR. +.sp +This allows +\fBsudo\fR +to determine the API version the plugin was built against. -.IP "open" 4 -.IX Item "open" -.Vb 4 -\& int (*open)(unsigned int version, sudo_conv_t conversation -\& sudo_printf_t plugin_printf, char * const settings[], -\& char * const user_info[], int argc, char * const argv[], -\& char * const user_env[], char * const plugin_options[]); -.Ve -.Sp -The \fIopen\fR function is run before the \fIlog_input\fR, \fIlog_output\fR -or \fIshow_version\fR functions are called. It is only called if the -version is being requested or the \fIcheck_policy\fR function has -returned successfully. It returns 1 on success, 0 on failure, \-1 -if a general error occurred, or \-2 if there was a usage error. In -the latter case, \fBsudo\fR will print a usage message before it exits. -If an error occurs, the plugin may optionally call the conversation -or plugin_printf function with \f(CW\*(C`SUDO_CONF_ERROR_MSG\*(C'\fR to present +.TP 6n +open +.nf +.RS 6n +int (*open)(unsigned int version, sudo_conv_t conversation + sudo_printf_t plugin_printf, char * const settings[], + char * const user_info[], int argc, char * const argv[], + char * const user_env[], char * const plugin_options[]); +.RE +.fi +.RS +.sp +The +\fBopen\fR() +function is run before the +\fBlog_input\fR(), +\fBlog_output\fR() +or +\fBshow_version\fR() +functions are called. +It is only called if the version is being requested or the +\fBcheck_policy\fR() +function has +returned successfully. +It returns 1 on success, 0 on failure, \-1 if a general error occurred, +or \-2 if there was a usage error. +In the latter case, +\fBsudo\fR +will print a usage message before it exits. +If an error occurs, the plugin may optionally call the +\fBconversation\fR() +or +\fBplugin_printf\fR() +function with +\fRSUDO_CONF_ERROR_MSG\fR +to present additional error information to the user. -.Sp +.sp The function arguments are as follows: -.RS 4 -.IP "version" 4 -.IX Item "version" -The version passed in by \fBsudo\fR allows the plugin to determine the -major and minor version number of the plugin \s-1API\s0 supported by -\&\fBsudo\fR. -.IP "conversation" 4 -.IX Item "conversation" -A pointer to the conversation function that may be used by the -\&\fIshow_version\fR function to display version information (see -show_version below). The conversation function may also be used -to display additional error message to the user. -The conversation function returns 0 on success and \-1 on failure. -.IP "plugin_printf" 4 -.IX Item "plugin_printf" -A pointer to a printf-style function that may be used by the -\&\fIshow_version\fR function to display version information (see -show_version below). The plugin_printf function may also be used -to display additional error message to the user. -The plugin_printf function returns number of characters printed on -success and \-1 on failure. -.IP "settings" 4 -.IX Item "settings" -A vector of user-supplied \fBsudo\fR settings in the form of \*(L"name=value\*(R" -strings. The vector is terminated by a \f(CW\*(C`NULL\*(C'\fR pointer. These -settings correspond to flags the user specified when running \fBsudo\fR. +.RS +.PP +.RE +.sp -1v +.TP 6n +version +The version passed in by +\fBsudo\fR +allows the plugin to determine the +major and minor version number of the plugin API supported by +\fBsudo\fR. +.TP 6n +conversation +A pointer to the +\fBconversation\fR() +function that may be used by the +\fBshow_version\fR() +function to display version information (see +\fBshow_version\fR() +below). +The +\fBconversation\fR() +function may also be used to display additional error message to the user. +The +\fBconversation\fR() +function returns 0 on success and \-1 on failure. +.TP 6n +plugin_printf +A pointer to a +\fBprintf\fR()-style +function that may be used by the +\fBshow_version\fR() +function to display version information (see +show_version below). +The +\fBplugin_printf\fR() +function may also be used to display additional error message to the user. +The +\fBplugin_printf\fR() +function returns number of characters printed on success and \-1 on failure. +.TP 6n +settings +A vector of user-supplied +\fBsudo\fR +settings in the form of +``name=value'' +strings. +The vector is terminated by a +\fRNULL\fR +pointer. +These settings correspond to flags the user specified when running +\fBsudo\fR. As such, they will only be present when the corresponding flag has been specified on the command line. -.Sp -When parsing \fIsettings\fR, the plugin should split on the \fBfirst\fR -equal sign ('=') since the \fIname\fR field will never include one -itself but the \fIvalue\fR might. -.Sp -See the \*(L"Policy Plugin \s-1API\s0\*(R" section for a list of all possible settings. -.IP "user_info" 4 -.IX Item "user_info" +.sp +When parsing +\fIsettings\fR, +the plugin should split on the +\fBfirst\fR +equal sign +(`=') +since the +\fIname\fR +field will never include one +itself but the +\fIvalue\fR +might. +.sp +See the +\fIPolicy Plugin API\fR +section for a list of all possible settings. +.TP 6n +user_info A vector of information about the user running the command in the form of -\&\*(L"name=value\*(R" strings. The vector is terminated by a \f(CW\*(C`NULL\*(C'\fR pointer. -.Sp -When parsing \fIuser_info\fR, the plugin should split on the \fBfirst\fR -equal sign ('=') since the \fIname\fR field will never include one -itself but the \fIvalue\fR might. -.Sp -See the \*(L"Policy Plugin \s-1API\s0\*(R" section for a list of all possible strings. -.IP "argc" 4 -.IX Item "argc" -The number of elements in \fIargv\fR, not counting the final \f(CW\*(C`NULL\*(C'\fR +``name=value'' +strings. +The vector is terminated by a +\fRNULL\fR pointer. -.IP "argv" 4 -.IX Item "argv" -If non\-\f(CW\*(C`NULL\*(C'\fR, an argument vector describing a command the user +.sp +When parsing +\fIuser_info\fR, +the plugin should split on the +\fBfirst\fR +equal sign +(`=') +since the +\fIname\fR +field will never include one +itself but the +\fIvalue\fR +might. +.sp +See the +\fIPolicy Plugin API\fR +section for a list of all possible strings. +.TP 6n +argc +The number of elements in +\fIargv\fR, +not counting the final +\fRNULL\fR +pointer. +.TP 6n +argv +If +non-\fRNULL\fR, +an argument vector describing a command the user wishes to run in the same form as what would be passed to the -\&\fIexecve()\fR system call. -.IP "user_env" 4 -.IX Item "user_env" -The user's environment in the form of a \f(CW\*(C`NULL\*(C'\fR\-terminated vector of -\&\*(L"name=value\*(R" strings. -.Sp -When parsing \fIuser_env\fR, the plugin should split on the \fBfirst\fR -equal sign ('=') since the \fIname\fR field will never include one -itself but the \fIvalue\fR might. -.IP "plugin_options" 4 -.IX Item "plugin_options" +execve(2) +system call. +.TP 6n +user_env +The user's environment in the form of a +\fRNULL\fR-terminated +vector of +``name=value'' +strings. +.sp +When parsing +\fIuser_env\fR, +the plugin should split on the +\fBfirst\fR +equal sign +(`=') +since the +\fIname\fR +field will never include one +itself but the +\fIvalue\fR +might. +.TP 6n +plugin_options Any (non-comment) strings immediately after the plugin path are -treated as arguments to the plugin. These arguments are split on -a white space boundary and are passed to the plugin in the form of -a \f(CW\*(C`NULL\*(C'\fR\-terminated array of strings. If no arguments were -specified, \fIplugin_options\fR will be the \s-1NULL\s0 pointer. -.Sp -\&\s-1NOTE:\s0 the \fIplugin_options\fR parameter is only available starting with -\&\s-1API\s0 version 1.2. A plugin \fBmust\fR check the \s-1API\s0 version specified -by the \fBsudo\fR front end before using \fIplugin_options\fR. Failure to -do so may result in a crash. +treated as arguments to the plugin. +These arguments are split on a white space boundary and are passed to +the plugin in the form of a +\fRNULL\fR-terminated +array of strings. +If no arguments were specified, +\fIplugin_options\fR +will be the +\fRNULL\fR +pointer. +.sp +NOTE: the +\fIplugin_options\fR +parameter is only available starting with +API version 1.2. +A plugin +\fBmust\fR +check the API version specified +by the +\fBsudo\fR +front end before using +\fIplugin_options\fR. +Failure to do so may result in a crash. .RE -.RS 4 +.TP 6n +close +.br +.nf +.RS 6n +void (*close)(int exit_status, int error); .RE -.IP "close" 4 -.IX Item "close" -.Vb 1 -\& void (*close)(int exit_status, int error); -.Ve -.Sp -The \f(CW\*(C`close\*(C'\fR function is called when the command being run by \fBsudo\fR +.fi +.RS +.sp +The +\fBclose\fR() +function is called when the command being run by +\fBsudo\fR finishes. -.Sp +.sp The function arguments are as follows: -.RS 4 -.IP "exit_status" 4 -.IX Item "exit_status" -The command's exit status, as returned by the \fIwait\fR\|(2) system call. -The value of \f(CW\*(C`exit_status\*(C'\fR is undefined if \f(CW\*(C`error\*(C'\fR is non-zero. -.IP "error" 4 -.IX Item "error" +.RS +.PP +.RE +.sp -1v +.TP 6n +exit_status +The command's exit status, as returned by the +wait(2) +system call. +The value of +\fRexit_status\fR +is undefined if +\fRerror\fR +is non-zero. +.TP 6n +error +.br If the command could not be executed, this is set to the value of -\&\f(CW\*(C`errno\*(C'\fR set by the \fIexecve\fR\|(2) system call. If the command was -successfully executed, the value of \f(CW\*(C`error\*(C'\fR is 0. +\fRerrno\fR +set by the +execve(2) +system call. +If the command was successfully executed, the value of +\fRerror\fR +is 0. .RE -.RS 4 +.TP 6n +show_version +.nf +.RS 6n +int (*show_version)(int verbose); .RE -.IP "show_version" 4 -.IX Item "show_version" -.Vb 1 -\& int (*show_version)(int verbose); -.Ve -.Sp -The \f(CW\*(C`show_version\*(C'\fR function is called by \fBsudo\fR when the user specifies -the \fB\-V\fR option. The plugin may display its version information -to the user via the conversation or plugin_printf function using -\&\f(CW\*(C`SUDO_CONV_INFO_MSG\*(C'\fR. If the user requests detailed version -information, the verbose flag will be set. -.IP "log_ttyin" 4 -.IX Item "log_ttyin" -.Vb 1 -\& int (*log_ttyin)(const char *buf, unsigned int len); -.Ve -.Sp -The \fIlog_ttyin\fR function is called whenever data can be read from -the user but before it is passed to the running command. This -allows the plugin to reject data if it chooses to (for instance -if the input contains banned content). Returns \f(CW1\fR if the data -should be passed to the command, \f(CW0\fR if the data is rejected -(which will terminate the command) or \f(CW\*(C`\-1\*(C'\fR if an error occurred. -.Sp +.fi +.RS +.sp +The +\fBshow_version\fR() +function is called by +\fBsudo\fR +when the user specifies +the +\fB-V\fR +option. +The plugin may display its version information to the user via the +\fBconversation\fR() +or +\fBplugin_printf\fR() +function using +\fRSUDO_CONV_INFO_MSG\fR. +If the user requests detailed version information, the verbose flag will be set. +.PP +.RE +.sp -1v +.TP 6n +log_ttyin +.nf +.RS 6n +int (*log_ttyin)(const char *buf, unsigned int len); +.RE +.fi +.RS +.sp +The +\fBlog_ttyin\fR() +function is called whenever data can be read from +the user but before it is passed to the running command. +This allows the plugin to reject data if it chooses to (for instance +if the input contains banned content). +Returns 1 if the data should be passed to the command, 0 if the data +is rejected (which will terminate the command) or \-1 if an error occurred. +.sp The function arguments are as follows: -.RS 4 -.IP "buf" 4 -.IX Item "buf" +.RS +.PP +.RE +.sp -1v +.TP 6n +buf The buffer containing user input. -.IP "len" 4 -.IX Item "len" -The length of \fIbuf\fR in bytes. +.TP 6n +len +The length of +\fIbuf\fR +in bytes. .RE -.RS 4 +.TP 6n +log_ttyout +.nf +.RS 6n +int (*log_ttyout)(const char *buf, unsigned int len); .RE -.IP "log_ttyout" 4 -.IX Item "log_ttyout" -.Vb 1 -\& int (*log_ttyout)(const char *buf, unsigned int len); -.Ve -.Sp -The \fIlog_ttyout\fR function is called whenever data can be read from -the command but before it is written to the user's terminal. This -allows the plugin to reject data if it chooses to (for instance -if the output contains banned content). Returns \f(CW1\fR if the data -should be passed to the user, \f(CW0\fR if the data is rejected -(which will terminate the command) or \f(CW\*(C`\-1\*(C'\fR if an error occurred. -.Sp +.fi +.RS +.sp +The +\fBlog_ttyout\fR() +function is called whenever data can be read from +the command but before it is written to the user's terminal. +This allows the plugin to reject data if it chooses to (for instance +if the output contains banned content). +Returns 1 if the data should be passed to the user, 0 if the data is rejected +(which will terminate the command) or \-1 if an error occurred. +.sp The function arguments are as follows: -.RS 4 -.IP "buf" 4 -.IX Item "buf" +.RS +.PP +.RE +.sp -1v +.TP 6n +buf The buffer containing command output. -.IP "len" 4 -.IX Item "len" -The length of \fIbuf\fR in bytes. +.TP 6n +len +The length of +\fIbuf\fR +in bytes. .RE -.RS 4 +.TP 6n +log_stdin +.nf +.RS 6n +int (*log_stdin)(const char *buf, unsigned int len); .RE -.IP "log_stdin" 4 -.IX Item "log_stdin" -.Vb 1 -\& int (*log_stdin)(const char *buf, unsigned int len); -.Ve -.Sp -The \fIlog_stdin\fR function is only used if the standard input does -not correspond to a tty device. It is called whenever data can be -read from the standard input but before it is passed to the running -command. This allows the plugin to reject data if it chooses to -(for instance if the input contains banned content). Returns \f(CW1\fR -if the data should be passed to the command, \f(CW0\fR if the data is -rejected (which will terminate the command) or \f(CW\*(C`\-1\*(C'\fR if an error -occurred. -.Sp +.fi +.RS +.sp +The +\fBlog_stdin\fR() +function is only used if the standard input does +not correspond to a tty device. +It is called whenever data can be read from the standard input but +before it is passed to the running command. +This allows the plugin to reject data if it chooses to +(for instance if the input contains banned content). +Returns 1 if the data should be passed to the command, 0 if the data is +rejected (which will terminate the command) or \-1 if an error occurred. +.sp The function arguments are as follows: -.RS 4 -.IP "buf" 4 -.IX Item "buf" +.RS +.PP +.RE +.sp -1v +.TP 6n +buf The buffer containing user input. -.IP "len" 4 -.IX Item "len" -The length of \fIbuf\fR in bytes. +.TP 6n +len +The length of +\fIbuf\fR +in bytes. .RE -.RS 4 +.TP 6n +log_stdout +.nf +.RS 6n +int (*log_stdout)(const char *buf, unsigned int len); .RE -.IP "log_stdout" 4 -.IX Item "log_stdout" -.Vb 1 -\& int (*log_stdout)(const char *buf, unsigned int len); -.Ve -.Sp -The \fIlog_stdout\fR function is only used if the standard output does -not correspond to a tty device. It is called whenever data can be -read from the command but before it is written to the standard -output. This allows the plugin to reject data if it chooses to -(for instance if the output contains banned content). Returns \f(CW1\fR -if the data should be passed to the user, \f(CW0\fR if the data is -rejected (which will terminate the command) or \f(CW\*(C`\-1\*(C'\fR if an error -occurred. -.Sp +.fi +.RS +.sp +The +\fBlog_stdout\fR() +function is only used if the standard output does not correspond +to a tty device. +It is called whenever data can be read from the command but before +it is written to the standard output. +This allows the plugin to reject data if it chooses to +(for instance if the output contains banned content). +Returns 1 if the data should be passed to the user, 0 if the data is +rejected (which will terminate the command) or \-1 if an error occurred. +.sp The function arguments are as follows: -.RS 4 -.IP "buf" 4 -.IX Item "buf" +.RS +.PP +.RE +.sp -1v +.TP 6n +buf The buffer containing command output. -.IP "len" 4 -.IX Item "len" -The length of \fIbuf\fR in bytes. +.TP 6n +len +The length of +\fIbuf\fR +in bytes. .RE -.RS 4 +.TP 6n +log_stderr +.nf +.RS 6n +int (*log_stderr)(const char *buf, unsigned int len); .RE -.IP "log_stderr" 4 -.IX Item "log_stderr" -.Vb 1 -\& int (*log_stderr)(const char *buf, unsigned int len); -.Ve -.Sp -The \fIlog_stderr\fR function is only used if the standard error does -not correspond to a tty device. It is called whenever data can be -read from the command but before it is written to the standard -error. This allows the plugin to reject data if it chooses to -(for instance if the output contains banned content). Returns \f(CW1\fR -if the data should be passed to the user, \f(CW0\fR if the data is -rejected (which will terminate the command) or \f(CW\*(C`\-1\*(C'\fR if an error -occurred. -.Sp +.fi +.RS +.sp +The +\fBlog_stderr\fR() +function is only used if the standard error does +not correspond to a tty device. +It is called whenever data can be read from the command but before it +is written to the standard error. +This allows the plugin to reject data if it chooses to +(for instance if the output contains banned content). +Returns 1 if the data should be passed to the user, 0 if the data is +rejected (which will terminate the command) or \-1 if an error occurred. +.sp The function arguments are as follows: -.RS 4 -.IP "buf" 4 -.IX Item "buf" +.RS +.PP +.RE +.sp -1v +.TP 6n +buf The buffer containing command output. -.IP "len" 4 -.IX Item "len" -The length of \fIbuf\fR in bytes. +.TP 6n +len +The length of +\fIbuf\fR +in bytes. .RE -.RS 4 -.RE -.IP "register_hooks" 4 -.IX Item "register_hooks" -See the \*(L"Policy Plugin \s-1API\s0\*(R" section for a description of -\&\f(CW\*(C`register_hooks\*(C'\fR. -.IP "deregister_hooks" 4 -.IX Item "deregister_hooks" -See the \*(L"Policy Plugin \s-1API\s0\*(R" section for a description of -\&\f(CW\*(C`deregister_hooks\*(C'\fR. +.TP 6n +register_hooks +See the +\fIPolicy Plugin API\fR +section for a description of +\fRregister_hooks\fR. +.TP 6n +deregister_hooks +See the +\fIPolicy Plugin API\fR +section for a description of +\fRderegister_hooks.\fR .PP \fII/O Plugin Version Macros\fR -.IX Subsection "I/O Plugin Version Macros" .PP -Same as for the \*(L"Policy Plugin \s-1API\s0\*(R". -.SS "Hook Function \s-1API\s0" -.IX Subsection "Hook Function API" -Beginning with plugin \s-1API\s0 version 1.2, it is possible to install -hooks for certain functions called by the \fBsudo\fR front end. +Same as for the +\fIPolicy Plugin API\fR. +.SS "Hook Function API" +Beginning with plugin API version 1.2, it is possible to install +hooks for certain functions called by the +\fBsudo\fR +front end. .PP Currently, the only supported hooks relate to the handling of -environment variables. Hooks can be used to intercept attempts to -get, set, or remove environment variables so that these changes can -be reflected in the version of the environment that is used to -execute a command. A future version of the \s-1API\s0 will support -hooking internal \fBsudo\fR front end functions as well. +environment variables. +Hooks can be used to intercept attempts to get, set, or remove +environment variables so that these changes can be reflected in +the version of the environment that is used to execute a command. +A future version of the API will support hooking internal +\fBsudo\fR +front end functions as well. .PP \fIHook structure\fR -.IX Subsection "Hook structure" .PP -Hooks in \fBsudo\fR are described by the following structure: +Hooks in +\fBsudo\fR +are described by the following structure: +.nf +.sp +.RS 0n +typedef int (*sudo_hook_fn_t)(); + +struct sudo_hook { + int hook_version; + int hook_type; + sudo_hook_fn_t hook_fn; + void *closure; +}; +.RE +.fi .PP -.Vb 1 -\& typedef int (*sudo_hook_fn_t)(); -\& -\& struct sudo_hook { -\& int hook_version; -\& int hook_type; -\& sudo_hook_fn_t hook_fn; -\& void *closure; -\& }; -.Ve -.PP -The \f(CW\*(C`sudo_hook\*(C'\fR structure has the following fields: -.IP "hook_version" 4 -.IX Item "hook_version" -The \f(CW\*(C`hook_version\*(C'\fR field should be set to \s-1SUDO_HOOK_VERSION\s0. -.IP "hook_type" 4 -.IX Item "hook_type" -The \f(CW\*(C`hook_type\*(C'\fR field may be one of the following supported hook types: -.RS 4 -.IP "\s-1SUDO_HOOK_SETENV\s0" 4 -.IX Item "SUDO_HOOK_SETENV" -The C library \f(CW\*(C`setenv()\*(C'\fR function. Any registered hooks will run -before the C library implementation. The \f(CW\*(C`hook_fn\*(C'\fR field should +The +\fRsudo_hook\fR +structure has the following fields: +.TP 6n +hook_version +The +\fRhook_version\fR +field should be set to +\fRSUDO_HOOK_VERSION\fR. +.TP 6n +hook_type +The +\fRhook_type\fR +field may be one of the following supported hook types: +.RS +.TP 6n +\fRSUDO_HOOK_SETENV\fR +The C library +setenv(3) +function. +Any registered hooks will run before the C library implementation. +The +\fRhook_fn\fR +field should be a function that matches the following typedef: -.Sp -.Vb 2 -\& typedef int (*sudo_hook_fn_setenv_t)(const char *name, -\& const char *value, int overwrite, void *closure); -.Ve -.Sp +.nf +.sp +.RS 12n +typedef int (*sudo_hook_fn_setenv_t)(const char *name, + const char *value, int overwrite, void *closure); +.RE +.fi +.RS +.sp If the registered hook does not match the typedef the results are unspecified. -.IP "\s-1SUDO_HOOK_UNSETENV\s0" 4 -.IX Item "SUDO_HOOK_UNSETENV" -The C library \f(CW\*(C`unsetenv()\*(C'\fR function. Any registered hooks will run -before the C library implementation. The \f(CW\*(C`hook_fn\*(C'\fR field should +.PP +.RE +.sp -1v +.TP 6n +\fRSUDO_HOOK_UNSETENV\fR +The C library +unsetenv(3) +function. +Any registered hooks will run before the C library implementation. +The +\fRhook_fn\fR +field should be a function that matches the following typedef: -.Sp -.Vb 2 -\& typedef int (*sudo_hook_fn_unsetenv_t)(const char *name, -\& void *closure); -.Ve -.IP "\s-1SUDO_HOOK_GETENV\s0" 4 -.IX Item "SUDO_HOOK_GETENV" -The C library \f(CW\*(C`getenv()\*(C'\fR function. Any registered hooks will run -before the C library implementation. The \f(CW\*(C`hook_fn\*(C'\fR field should +.nf +.sp +.RS 12n +typedef int (*sudo_hook_fn_unsetenv_t)(const char *name, + void *closure); +.RE +.fi +.RS +.PP +.RE +.sp -1v +.TP 6n +\fRSUDO_HOOK_GETENV\fR +The C library +getenv(3) +function. +Any registered hooks will run before the C library implementation. +The +\fRhook_fn\fR +field should be a function that matches the following typedef: -.Sp -.Vb 2 -\& typedef int (*sudo_hook_fn_getenv_t)(const char *name, -\& char **value, void *closure); -.Ve -.Sp +.nf +.sp +.RS 12n +typedef int (*sudo_hook_fn_getenv_t)(const char *name, + char **value, void *closure); +.RE +.fi +.RS +.sp If the registered hook does not match the typedef the results are unspecified. -.IP "\s-1SUDO_HOOK_PUTENV\s0" 4 -.IX Item "SUDO_HOOK_PUTENV" -The C library \f(CW\*(C`putenv()\*(C'\fR function. Any registered hooks will run -before the C library implementation. The \f(CW\*(C`hook_fn\*(C'\fR field should +.PP +.RE +.sp -1v +.TP 6n +\fRSUDO_HOOK_PUTENV\fR +The C library +putenv(3) +function. +Any registered hooks will run before the C library implementation. +The +\fRhook_fn\fR +field should be a function that matches the following typedef: -.Sp -.Vb 2 -\& typedef int (*sudo_hook_fn_putenv_t)(char *string, -\& void *closure); -.Ve -.Sp +.nf +.sp +.RS 12n +typedef int (*sudo_hook_fn_putenv_t)(char *string, + void *closure); +.RE +.fi +.RS +.sp If the registered hook does not match the typedef the results are unspecified. .RE -.RS 4 +.PP .RE -.IP "hook_fn" 4 -.IX Item "hook_fn" -.Vb 1 -\& sudo_hook_fn_t hook_fn; -.Ve -.Sp -The \f(CW\*(C`hook_fn\*(C'\fR field should be set to the plugin's hook implementation. -The actual function arguments will vary depending on the \f(CW\*(C`hook_type\*(C'\fR -(see \f(CW\*(C`hook_type\*(C'\fR above). In all cases, the \f(CW\*(C`closure\*(C'\fR field of -\&\f(CW\*(C`struct sudo_hook\*(C'\fR is passed as the last function parameter. This -can be used to pass arbitrary data to the plugin's hook implementation. -.Sp +.sp -1v +.TP 6n +hook_fn +sudo_hook_fn_t hook_fn; +.sp +The +\fRhook_fn\fR +field should be set to the plugin's hook implementation. +The actual function arguments will vary depending on the +\fRhook_type\fR +(see +\fRhook_type\fR +above). +In all cases, the +\fRclosure\fR +field of +\fRstruct sudo_hook\fR +is passed as the last function parameter. +This can be used to pass arbitrary data to the plugin's hook implementation. +.sp The function return value may be one of the following: -.RS 4 -.IP "\s-1SUDO_HOOK_RET_ERROR\s0" 4 -.IX Item "SUDO_HOOK_RET_ERROR" +.RS +.TP 6n +\fRSUDO_HOOK_RET_ERROR\fR The hook function encountered an error. -.IP "\s-1SUDO_HOOK_RET_NEXT\s0" 4 -.IX Item "SUDO_HOOK_RET_NEXT" +.TP 6n +\fRSUDO_HOOK_RET_NEXT\fR The hook completed without error, go on to the next hook (including -the native implementation if applicable). For example, a \f(CW\*(C`getenv\*(C'\fR -hook might return \f(CW\*(C`SUDO_HOOK_RET_NEXT\*(C'\fR if the specified variable -was not found in the private copy of the environment. -.IP "\s-1SUDO_HOOK_RET_STOP\s0" 4 -.IX Item "SUDO_HOOK_RET_STOP" -The hook completed without error, stop processing hooks for this -invocation. This can be used to replace the native implementation. -For example, a \f(CW\*(C`setenv\*(C'\fR hook that operates on a private copy of -the environment but leaves \f(CW\*(C`environ\*(C'\fR unchanged. -.RE -.RS 4 +the native implementation if applicable). +For example, a +getenv(3) +hook might return +\fRSUDO_HOOK_RET_NEXT\fR +if the specified variable was not found in the private copy of the environment. +.TP 6n +\fRSUDO_HOOK_RET_STOP\fR +The hook completed without error, stop processing hooks for this invocation. +This can be used to replace the native implementation. +For example, a +\fRsetenv\fR +hook that operates on a private copy of +the environment but leaves +\fRenviron\fR +unchanged. .RE .PP Note that it is very easy to create an infinite loop when hooking -C library functions. For example, a \f(CW\*(C`getenv\*(C'\fR hook that calls the -\&\f(CW\*(C`snprintf\*(C'\fR function may create a loop if the \f(CW\*(C`snprintf\*(C'\fR implementation -calls \f(CW\*(C`getenv\*(C'\fR to check the locale. To prevent this, you may wish -to use a static variable in the hook function to guard against -nested calls. E.g. +C library functions. +For example, a +getenv(3) +hook that calls the +snprintf(3) +function may create a loop if the +snprintf(3) +implementation calls +getenv(3) +to check the locale. +To prevent this, you may wish to use a static variable in the hook +function to guard against nested calls. +For example: +.nf +.sp +.RS 0n +static int in_progress = 0; /* avoid recursion */ +if (in_progress) + return SUDO_HOOK_RET_NEXT; +in_progress = 1; +\&... +in_progress = 0; +return SUDO_HOOK_RET_STOP; +.RE +.fi .PP -.Vb 7 -\& static int in_progress = 0; /* avoid recursion */ -\& if (in_progress) -\& return SUDO_HOOK_RET_NEXT; -\& in_progress = 1; -\& ... -\& in_progress = 0; -\& return SUDO_HOOK_RET_STOP; -.Ve -.PP -\fIHook \s-1API\s0 Version Macros\fR -.IX Subsection "Hook API Version Macros" -.PP -.Vb 6 -\& /* Hook API version major/minor */ -\& #define SUDO_HOOK_VERSION_MAJOR 1 -\& #define SUDO_HOOK_VERSION_MINOR 0 -\& #define SUDO_HOOK_MKVERSION(x, y) ((x << 16) | y) -\& #define SUDO_HOOK_VERSION SUDO_HOOK_MKVERSION(SUDO_HOOK_VERSION_MAJOR,\e -\& SUDO_HOOK_VERSION_MINOR) -\& -\& /* Getters and setters for hook API version */ -\& #define SUDO_HOOK_VERSION_GET_MAJOR(v) ((v) >> 16) -\& #define SUDO_HOOK_VERSION_GET_MINOR(v) ((v) & 0xffff) -\& #define SUDO_HOOK_VERSION_SET_MAJOR(vp, n) do { \e -\& *(vp) = (*(vp) & 0x0000ffff) | ((n) << 16); \e -\& } while(0) -\& #define SUDO_HOOK_VERSION_SET_MINOR(vp, n) do { \e -\& *(vp) = (*(vp) & 0xffff0000) | (n); \e -\& } while(0) -.Ve -.SS "Conversation \s-1API\s0" -.IX Subsection "Conversation API" +\fIHook API Version Macros\fR +.nf +.sp +.RS 0n +/* Hook API version major/minor */ +#define SUDO_HOOK_VERSION_MAJOR 1 +#define SUDO_HOOK_VERSION_MINOR 0 +#define SUDO_HOOK_MKVERSION(x, y) ((x << 16) | y) +#define SUDO_HOOK_VERSION SUDO_HOOK_MKVERSION(SUDO_HOOK_VERSION_MAJOR,\e + SUDO_HOOK_VERSION_MINOR) + +/* Getters and setters for hook API version */ +#define SUDO_HOOK_VERSION_GET_MAJOR(v) ((v) >> 16) +#define SUDO_HOOK_VERSION_GET_MINOR(v) ((v) & 0xffff) +#define SUDO_HOOK_VERSION_SET_MAJOR(vp, n) do { \e + *(vp) = (*(vp) & 0x0000ffff) | ((n) << 16); \e +} while(0) +#define SUDO_HOOK_VERSION_SET_MINOR(vp, n) do { \e + *(vp) = (*(vp) & 0xffff0000) | (n); \e +} while(0) +.RE +.fi +.SS "Conversation API" If the plugin needs to interact with the user, it may do so via the -conversation function. A plugin should not attempt to read directly -from the standard input or the user's tty (neither of which are -guaranteed to exist). The caller must include a trailing newline -in \f(CW\*(C`msg\*(C'\fR if one is to be printed. +\fBconversation\fR() +function. +A plugin should not attempt to read directly from the standard input +or the user's tty (neither of which are guaranteed to exist). +The caller must include a trailing newline in +\fRmsg\fR +if one is to be printed. .PP -A printf-style function is also available that can be used to display -informational or error messages to the user, which is usually more -convenient for simple messages where no use input is required. +A +\fBprintf\fR()-style +function is also available that can be used to display informational +or error messages to the user, which is usually more convenient for +simple messages where no use input is required. +.nf +.sp +.RS 0n +struct sudo_conv_message { +#define SUDO_CONV_PROMPT_ECHO_OFF 0x0001 /* do not echo user input */ +#define SUDO_CONV_PROMPT_ECHO_ON 0x0002 /* echo user input */ +#define SUDO_CONV_ERROR_MSG 0x0003 /* error message */ +#define SUDO_CONV_INFO_MSG 0x0004 /* informational message */ +#define SUDO_CONV_PROMPT_MASK 0x0005 /* mask user input */ +#define SUDO_CONV_DEBUG_MSG 0x0006 /* debugging message */ +#define SUDO_CONV_PROMPT_ECHO_OK 0x1000 /* flag: allow echo if no tty */ + int msg_type; + int timeout; + const char *msg; +}; + +struct sudo_conv_reply { + char *reply; +}; + +typedef int (*sudo_conv_t)(int num_msgs, + const struct sudo_conv_message msgs[], + struct sudo_conv_reply replies[]); + +typedef int (*sudo_printf_t)(int msg_type, const char *fmt, ...); +.RE +.fi .PP -.Vb 12 -\& struct sudo_conv_message { -\& #define SUDO_CONV_PROMPT_ECHO_OFF 0x0001 /* do not echo user input */ -\& #define SUDO_CONV_PROMPT_ECHO_ON 0x0002 /* echo user input */ -\& #define SUDO_CONV_ERROR_MSG 0x0003 /* error message */ -\& #define SUDO_CONV_INFO_MSG 0x0004 /* informational message */ -\& #define SUDO_CONV_PROMPT_MASK 0x0005 /* mask user input */ -\& #define SUDO_CONV_DEBUG_MSG 0x0006 /* debugging message */ -\& #define SUDO_CONV_PROMPT_ECHO_OK 0x1000 /* flag: allow echo if no tty */ -\& int msg_type; -\& int timeout; -\& const char *msg; -\& }; -\& -\& struct sudo_conv_reply { -\& char *reply; -\& }; -\& -\& typedef int (*sudo_conv_t)(int num_msgs, -\& const struct sudo_conv_message msgs[], -\& struct sudo_conv_reply replies[]); -\& -\& typedef int (*sudo_printf_t)(int msg_type, const char *fmt, ...); -.Ve +Pointers to the +\fBconversation\fR() +and +\fBprintf\fR()-style +functions are passed +in to the plugin's +\fBopen\fR() +function when the plugin is initialized. .PP -Pointers to the conversation and printf-style functions are passed -in to the plugin's \f(CW\*(C`open\*(C'\fR function when the plugin is initialized. -.PP -To use the conversation function, the plugin must pass an array of -\&\f(CW\*(C`sudo_conv_message\*(C'\fR and \f(CW\*(C`sudo_conv_reply\*(C'\fR structures. There must -be a \f(CW\*(C`struct sudo_conv_message\*(C'\fR and \f(CW\*(C`struct sudo_conv_reply\*(C'\fR for -each message in the conversation. The plugin is responsible for -freeing the reply buffer filled in to the \f(CW\*(C`struct sudo_conv_reply\*(C'\fR, +To use the +\fBconversation\fR() +function, the plugin must pass an array of +\fRsudo_conv_message\fR +and +\fRsudo_conv_reply\fR +structures. +There must be a +\fRstruct sudo_conv_message\fR +and +\fRstruct sudo_conv_reply\fR +for +each message in the conversation. +The plugin is responsible for freeing the reply buffer filled in to the +\fRstruct sudo_conv_reply\fR, if any. .PP -The printf-style function uses the same underlying mechanism as the -conversation function but only supports \f(CW\*(C`SUDO_CONV_INFO_MSG\*(C'\fR, -\&\f(CW\*(C`SUDO_CONV_ERROR_MSG\*(C'\fR and \f(CW\*(C`SUDO_CONV_DEBUG_MSG\*(C'\fR for the \fImsg_type\fR -parameter. It can be more convenient than using the conversation -function if no user reply is needed and supports standard \fIprintf()\fR +The +\fBprintf\fR()-style +function uses the same underlying mechanism as the +\fBconversation\fR() +function but only supports +\fRSUDO_CONV_INFO_MSG\fR, +\fRSUDO_CONV_ERROR_MSG\fR +and +\fRSUDO_CONV_DEBUG_MSG\fR +for the +\fImsg_type\fR +parameter. +It can be more convenient than using the +\fBconversation\fR() +function if no user reply is needed and supports standard +\fBprintf\fR() escape sequences. .PP -Unlike, \f(CW\*(C`SUDO_CONV_INFO_MSG\*(C'\fR and \f(CW\*(C`SUDO_CONV_ERROR_MSG\*(C'\fR, messages -sent with the \f(CW\*(C`SUDO_CONV_DEBUG_MSG\*(C'\fR \fImsg_type\fR are not directly -user-visible. Instead, they are logged to the file specified in -the \f(CW\*(C`Debug\*(C'\fR statement (if any) in the \fI@sysconfdir@/sudo.conf\fR -file. This allows a plugin to log debugging information and is -intended to be used in conjunction with the \fIdebug_flags\fR setting. +Unlike, +\fRSUDO_CONV_INFO_MSG\fR +and +Dv SUDO_CONV_ERROR_MSG , +messages +sent with the +\fRSUDO_CONV_DEBUG_MSG\fR +\fImsg_type\fR +are not directly +user-visible. +Instead, they are logged to the file specified in the +\fRDebug\fR +statement (if any) in the +\fI@sysconfdir@/sudo.conf\fR .PP -See the sample plugin for an example of the conversation function usage. -.SS "Sudoers Group Plugin \s-1API\s0" -.IX Subsection "Sudoers Group Plugin API" -The \fIsudoers\fR module supports a plugin interface to allow non-Unix -group lookups. This can be used to query a group source other than -the standard Unix group database. A sample group plugin is bundled -with \fBsudo\fR that implements file-based lookups. Third party group -plugins include a \s-1QAS\s0 \s-1AD\s0 plugin available from Quest Software. +file. +This allows a plugin to log debugging information and is intended +to be used in conjunction with the +\fIdebug_flags\fR +setting. .PP -A group plugin must declare and populate a \f(CW\*(C`sudoers_group_plugin\*(C'\fR -struct in the global scope. This structure contains pointers to -the functions that implement plugin initialization, cleanup and -group lookup. +See the sample plugin for an example of the +\fBconversation\fR() +function usage. +.SS "Sudoers Group Plugin API" +The +\fIsudoers\fR +module supports a plugin interface to allow non-Unix +group lookups. +This can be used to query a group source other than the standard Unix +group database. +A sample group plugin is bundled with +\fBsudo\fR +that implements file-based lookups. +Third party group plugins include a QAS AD plugin available from Quest Software. .PP -.Vb 8 -\& struct sudoers_group_plugin { -\& unsigned int version; -\& int (*init)(int version, sudo_printf_t sudo_printf, -\& char *const argv[]); -\& void (*cleanup)(void); -\& int (*query)(const char *user, const char *group, -\& const struct passwd *pwd); -\&}; -.Ve +A group plugin must declare and populate a +\fRsudoers_group_plugin\fR +struct in the global scope. +This structure contains pointers to the functions that implement plugin +initialization, cleanup and group lookup. +.nf +.sp +.RS 0n +struct sudoers_group_plugin { + unsigned int version; + int (*init)(int version, sudo_printf_t sudo_printf, + char *const argv[]); + void (*cleanup)(void); + int (*query)(const char *user, const char *group, + const struct passwd *pwd); +}; +.RE +.fi .PP -The \f(CW\*(C`sudoers_group_plugin\*(C'\fR struct has the following fields: -.IP "version" 4 -.IX Item "version" -The \f(CW\*(C`version\*(C'\fR field should be set to \s-1GROUP_API_VERSION\s0. -.Sp -This allows \fIsudoers\fR to determine the \s-1API\s0 version the group plugin +The +\fRsudoers_group_plugin\fR +struct has the following fields: +.TP 6n +version +The +\fRversion\fR +field should be set to GROUP_API_VERSION. +.sp +This allows +\fIsudoers\fR +to determine the API version the group plugin was built against. -.IP "init" 4 -.IX Item "init" -.Vb 2 -\& int (*init)(int version, sudo_printf_t plugin_printf, -\& char *const argv[]); -.Ve -.Sp -The \fIinit\fR function is called after \fIsudoers\fR has been parsed but -before any policy checks. It returns 1 on success, 0 on failure -(or if the plugin is not configured), and \-1 if a error occurred. -If an error occurs, the plugin may call the plugin_printf function -with \f(CW\*(C`SUDO_CONF_ERROR_MSG\*(C'\fR to present additional error information +.TP 6n +init +.nf +.RS 6n +int (*init)(int version, sudo_printf_t plugin_printf, + char *const argv[]); +.RE +.fi +.RS +.sp +The +\fBinit\fR() +function is called after +\fIsudoers\fR +has been parsed but +before any policy checks. +It returns 1 on success, 0 on failure (or if the plugin is not configured), +and \-1 if a error occurred. +If an error occurs, the plugin may call the +\fBplugin_printf\fR() +function with +\fRSUDO_CONF_ERROR_MSG\fR +to present additional error information to the user. -.Sp +.sp The function arguments are as follows: -.RS 4 -.IP "version" 4 -.IX Item "version" -The version passed in by \fIsudoers\fR allows the plugin to determine the -major and minor version number of the group plugin \s-1API\s0 supported by -\&\fIsudoers\fR. -.IP "plugin_printf" 4 -.IX Item "plugin_printf" -A pointer to a printf-style function that may be used to display -informational or error message to the user. +.RS +.PP +.RE +.sp -1v +.TP 6n +version +The version passed in by +\fIsudoers\fR +allows the plugin to determine the +major and minor version number of the group plugin API supported by +\fIsudoers\fR. +.TP 6n +plugin_printf +A pointer to a +\fBprintf\fR()-style +function that may be used to display informational or error message to the user. Returns the number of characters printed on success and \-1 on failure. -.IP "argv" 4 -.IX Item "argv" -A NULL-terminated array of arguments generated from the \fIgroup_plugin\fR -option in \fIsudoers\fR. If no arguments were given, \fIargv\fR will be -\&\s-1NULL\s0. +.TP 6n +argv +A +\fRNULL\fR-terminated +array of arguments generated from the +\fIgroup_plugin\fR +option in +\fIsudoers\fR. +If no arguments were given, +\fIargv\fR +will be +\fRNULL\fR. .RE -.RS 4 +.TP 6n +cleanup +.nf +.RS 6n +void (*cleanup)(); .RE -.IP "cleanup" 4 -.IX Item "cleanup" -.Vb 1 -\& void (*cleanup)(); -.Ve -.Sp -The \fIcleanup\fR function is called when \fIsudoers\fR has finished its -group checks. The plugin should free any memory it has allocated -and close open file handles. -.IP "query" 4 -.IX Item "query" -.Vb 2 -\& int (*query)(const char *user, const char *group, -\& const struct passwd *pwd); -.Ve -.Sp -The \fIquery\fR function is used to ask the group plugin whether \fIuser\fR -is a member of \fIgroup\fR. -.Sp +.fi +.RS +.sp +The +\fBcleanup\fR() +function is called when +\fIsudoers\fR +has finished its +group checks. +The plugin should free any memory it has allocated and close open file handles. +.PP +.RE +.sp -1v +.TP 6n +query +.br +.nf +.RS 6n +int (*query)(const char *user, const char *group, + const struct passwd *pwd); +.RE +.fi +.RS +.sp +The +\fBquery\fR() +function is used to ask the group plugin whether +\fIuser\fR +is a member of +\fIgroup\fR. +.sp The function arguments are as follows: -.RS 4 -.IP "user" 4 -.IX Item "user" +.RS +.PP +.RE +.sp -1v +.TP 6n +user The name of the user being looked up in the external group database. -.IP "group" 4 -.IX Item "group" +.TP 6n +group +.br The name of the group being queried. -.IP "pwd" 4 -.IX Item "pwd" -The password database entry for \fIuser\fR, if any. If \fIuser\fR is not -present in the password database, \fIpwd\fR will be \f(CW\*(C`NULL\*(C'\fR. -.RE -.RS 4 +.TP 6n +pwd +The password database entry for +\fIuser\fR, +if any. +If +\fIuser\fR +is not +present in the password database, +\fIpwd\fR +will be +\fRNULL\fR. .RE .PP -\fIGroup \s-1API\s0 Version Macros\fR -.IX Subsection "Group API Version Macros" -.PP -.Vb 5 -\& /* Sudoers group plugin version major/minor */ -\& #define GROUP_API_VERSION_MAJOR 1 -\& #define GROUP_API_VERSION_MINOR 0 -\& #define GROUP_API_VERSION ((GROUP_API_VERSION_MAJOR << 16) | \e -\& GROUP_API_VERSION_MINOR) -\& -\& /* Getters and setters for group version */ -\& #define GROUP_API_VERSION_GET_MAJOR(v) ((v) >> 16) -\& #define GROUP_API_VERSION_GET_MINOR(v) ((v) & 0xffff) -\& #define GROUP_API_VERSION_SET_MAJOR(vp, n) do { \e -\& *(vp) = (*(vp) & 0x0000ffff) | ((n) << 16); \e -\& } while(0) -\& #define GROUP_API_VERSION_SET_MINOR(vp, n) do { \e -\& *(vp) = (*(vp) & 0xffff0000) | (n); \e -\& } while(0) -.Ve +\fIGroup API Version Macros\fR +.nf +.sp +.RS 0n +/* Sudoers group plugin version major/minor */ +#define GROUP_API_VERSION_MAJOR 1 +#define GROUP_API_VERSION_MINOR 0 +#define GROUP_API_VERSION ((GROUP_API_VERSION_MAJOR << 16) | \e + GROUP_API_VERSION_MINOR) + +/* Getters and setters for group version */ +#define GROUP_API_VERSION_GET_MAJOR(v) ((v) >> 16) +#define GROUP_API_VERSION_GET_MINOR(v) ((v) & 0xffff) +#define GROUP_API_VERSION_SET_MAJOR(vp, n) do { \e + *(vp) = (*(vp) & 0x0000ffff) | ((n) << 16); \e +} while(0) +#define GROUP_API_VERSION_SET_MINOR(vp, n) do { \e + *(vp) = (*(vp) & 0xffff0000) | (n); \e +} while(0) +.RE +.fi .SH "PLUGIN API CHANGELOG" -.IX Header "PLUGIN API CHANGELOG" -The following revisions have been made to the Sudo Plugin \s-1API\s0. -.IP "Version 1.0" 4 -.IX Item "Version 1.0" -Initial \s-1API\s0 version. -.IP "Version 1.1" 4 -.IX Item "Version 1.1" -The I/O logging plugin's \f(CW\*(C`open\*(C'\fR function was modified to take the -\&\f(CW\*(C`command_info\*(C'\fR list as an argument. -.IP "Version 1.2" 4 -.IX Item "Version 1.2" -The Policy and I/O logging plugins' \f(CW\*(C`open\*(C'\fR functions are now passed -a list of plugin options if any are specified in \fI@sysconfdir@/sudo.conf\fR. -.Sp -A simple hooks \s-1API\s0 has been introduced to allow plugins to hook in to the +The following revisions have been made to the Sudo Plugin API. +.TP 6n +Version 1.0 +Initial API version. +.TP 6n +Version 1.1 +The I/O logging plugin's +\fBopen\fR() +function was modified to take the +\fRcommand_info\fR +list as an argument. +.TP 6n +Version 1.2 +The Policy and I/O logging plugins' +\fBopen\fR() +functions are now passed +a list of plugin options if any are specified in +\fI@sysconfdir@/sudo.conf\fR. +.sp +A simple hooks API has been introduced to allow plugins to hook in to the system's environment handling functions. -.Sp -The \f(CW\*(C`init_session\*(C'\fR Policy plugin function is now passed a pointer -to the user environment which can be updated as needed. This can -be used to merge in environment variables stored in the \s-1PAM\s0 handle -before a command is run. +.sp +The +\fRinit_session\fR +Policy plugin function is now passed a pointer +to the user environment which can be updated as needed. +This can be used to merge in environment variables stored in the PAM +handle before a command is run. .SH "SEE ALSO" -.IX Header "SEE ALSO" -\&\fIsudoers\fR\|(@mansectform@), \fIsudo\fR\|(@mansectsu@) +sudoers(@mansectform@), +sudo(@mansectsu@) .SH "BUGS" -.IX Header "BUGS" -If you feel you have found a bug in \fBsudo\fR, please submit a bug report -at http://www.sudo.ws/sudo/bugs/ +If you feel you have found a bug in +\fBsudo\fR, +please submit a bug report at http://www.sudo.ws/sudo/bugs/ .SH "SUPPORT" -.IX Header "SUPPORT" -Limited free support is available via the sudo-workers mailing list, -see http://www.sudo.ws/mailman/listinfo/sudo\-workers to subscribe or +Limited free support is available via the sudo-users mailing list, +see http://www.sudo.ws/mailman/listinfo/sudo-users to subscribe or search the archives. .SH "DISCLAIMER" -.IX Header "DISCLAIMER" -\&\fBsudo\fR is provided ``\s-1AS\s0 \s-1IS\s0'' and any express or implied warranties, -including, but not limited to, the implied warranties of merchantability -and fitness for a particular purpose are disclaimed. See the \s-1LICENSE\s0 -file distributed with \fBsudo\fR or http://www.sudo.ws/sudo/license.html -for complete details. +\fBsudo\fR +is provided +``AS IS'' +and any express or implied warranties, including, but not limited +to, the implied warranties of merchantability and fitness for a +particular purpose are disclaimed. +See the LICENSE file distributed with +\fBsudo\fR +or http://www.sudo.ws/sudo/license.html for complete details. diff --git a/doc/sudo_plugin.mdoc.in b/doc/sudo_plugin.mdoc.in index 323386b00..cd88f6541 100644 --- a/doc/sudo_plugin.mdoc.in +++ b/doc/sudo_plugin.mdoc.in @@ -15,8 +15,8 @@ .\" ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" .Dd July 16, 2012 -.Dt SUDO_PLUGIN 5 -.Os +.Dt SUDO_PLUGIN @mansectform@ +.Os Sudo @PACKAGE_VERSION@ .Sh NAME .Nm sudo_plugin .Nd Sudo Plugin API @@ -2133,8 +2133,8 @@ This can be used to merge in environment variables stored in the PAM handle before a command is run. .El .Sh SEE ALSO -.Xr sudoers 5 , -.Xr sudo 8 +.Xr sudoers @mansectform@ , +.Xr sudo @mansectsu@ .Sh BUGS If you feel you have found a bug in .Nm sudo , diff --git a/doc/sudoers.cat b/doc/sudoers.cat index b46701878..39bf9f960 100644 --- a/doc/sudoers.cat +++ b/doc/sudoers.cat @@ -1,653 +1,644 @@ -SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) - - +SUDOERS(4) Programmer's Manual SUDOERS(4) NNAAMMEE - sudoers - default sudo security policy module + ssuuddooeerrss - default sudo security policy module DDEESSCCRRIIPPTTIIOONN - The _s_u_d_o_e_r_s policy module determines a user's ssuuddoo privileges. It is - the default ssuuddoo policy plugin. The policy is driven by the - _/_e_t_c_/_s_u_d_o_e_r_s file or, optionally in LDAP. The policy format is - described in detail in the "SUDOERS FILE FORMAT" section. For - information on storing _s_u_d_o_e_r_s policy information in LDAP, please see - _s_u_d_o_e_r_s_._l_d_a_p(4). + The _s_u_d_o_e_r_s policy module determines a user's ssuuddoo privileges. It is the + default ssuuddoo policy plugin. The policy is driven by the _/_e_t_c_/_s_u_d_o_e_r_s + file or, optionally in LDAP. The policy format is described in detail in + the _S_U_D_O_E_R_S _F_I_L_E _F_O_R_M_A_T section. For information on storing _s_u_d_o_e_r_s + policy information in LDAP, please see sudoers.ldap(4). AAuutthheennttiiccaattiioonn aanndd LLooggggiinngg - The _s_u_d_o_e_r_s security policy requires that most users authenticate - themselves before they can use ssuuddoo. A password is not required if the - invoking user is root, if the target user is the same as the invoking - user, or if the policy has disabled authentication for the user or - command. Unlike _s_u(1), when _s_u_d_o_e_r_s requires authentication, it - validates the invoking user's credentials, not the target user's (or - root's) credentials. This can be changed via the _r_o_o_t_p_w, _t_a_r_g_e_t_p_w and - _r_u_n_a_s_p_w flags, described later. + The _s_u_d_o_e_r_s security policy requires that most users authenticate + themselves before they can use ssuuddoo. A password is not required if the + invoking user is root, if the target user is the same as the invoking + user, or if the policy has disabled authentication for the user or + command. Unlike su(1), when _s_u_d_o_e_r_s requires authentication, it + validates the invoking user's credentials, not the target user's (or + root's) credentials. This can be changed via the _r_o_o_t_p_w, _t_a_r_g_e_t_p_w and + _r_u_n_a_s_p_w flags, described later. - If a user who is not listed in the policy tries to run a command via - ssuuddoo, mail is sent to the proper authorities. The address used for - such mail is configurable via the _m_a_i_l_t_o Defaults entry (described - later) and defaults to root. + If a user who is not listed in the policy tries to run a command via + ssuuddoo, mail is sent to the proper authorities. The address used for such + mail is configurable via the _m_a_i_l_t_o Defaults entry (described later) and + defaults to root. - Note that mail will not be sent if an unauthorized user tries to run - ssuuddoo with the --ll or --vv option. This allows users to determine for - themselves whether or not they are allowed to use ssuuddoo. + Note that mail will not be sent if an unauthorized user tries to run ssuuddoo + with the --ll or --vv option. This allows users to determine for themselves + whether or not they are allowed to use ssuuddoo. - If ssuuddoo is run by root and the SUDO_USER environment variable is set, - the _s_u_d_o_e_r_s policy will use this value to determine who the actual user - is. This can be used by a user to log commands through sudo even when - a root shell has been invoked. It also allows the --ee option to remain - useful even when invoked via a sudo-run script or program. Note, - however, that the _s_u_d_o_e_r_s lookup is still done for root, not the user - specified by SUDO_USER. + If ssuuddoo is run by root and the SUDO_USER environment variable is set, the + _s_u_d_o_e_r_s policy will use this value to determine who the actual user is. + This can be used by a user to log commands through sudo even when a root + shell has been invoked. It also allows the --ee option to remain useful + even when invoked via a sudo-run script or program. Note, however, that + the _s_u_d_o_e_r_s lookup is still done for root, not the user specified by + SUDO_USER. - _s_u_d_o_e_r_s uses time stamp files for credential caching. Once a user has - been authenticated, a time stamp is updated and the user may then use - sudo without a password for a short period of time (5 minutes unless - overridden by the _t_i_m_e_o_u_t option). By default, _s_u_d_o_e_r_s uses a tty- - based time stamp which means that there is a separate time stamp for - each of a user's login sessions. The _t_t_y___t_i_c_k_e_t_s option can be - disabled to force the use of a single time stamp for all of a user's - sessions. + _s_u_d_o_e_r_s uses time stamp files for credential caching. Once a user has + been authenticated, the time stamp is updated and the user may then use + sudo without a password for a short period of time (5 minutes unless + overridden by the _t_i_m_e_o_u_t option). By default, _s_u_d_o_e_r_s uses a tty-based + time stamp which means that there is a separate time stamp for each of a + user's login sessions. The _t_t_y___t_i_c_k_e_t_s option can be disabled to force + the use of a single time stamp for all of a user's sessions. - _s_u_d_o_e_r_s can log both successful and unsuccessful attempts (as well as - errors) to _s_y_s_l_o_g(3), a log file, or both. By default, _s_u_d_o_e_r_s will - log via _s_y_s_l_o_g(3) but this is changeable via the _s_y_s_l_o_g and _l_o_g_f_i_l_e - Defaults settings. + _s_u_d_o_e_r_s can log both successful and unsuccessful attempts (as well as + errors) to syslog(3), a log file, or both. By default, _s_u_d_o_e_r_s will log + via syslog(3) but this is changeable via the _s_y_s_l_o_g and _l_o_g_f_i_l_e Defaults + settings. - _s_u_d_o_e_r_s also supports logging a command's input and output streams. - I/O logging is not on by default but can be enabled using the _l_o_g___i_n_p_u_t - and _l_o_g___o_u_t_p_u_t Defaults flags as well as the LOG_INPUT and LOG_OUTPUT - command tags. + _s_u_d_o_e_r_s also supports logging a command's input and output streams. I/O + logging is not on by default but can be enabled using the _l_o_g___i_n_p_u_t and + _l_o_g___o_u_t_p_u_t Defaults flags as well as the LOG_INPUT and LOG_OUTPUT command + tags. CCoommmmaanndd EEnnvviirroonnmmeenntt - Since environment variables can influence program behavior, _s_u_d_o_e_r_s - provides a means to restrict which variables from the user's - environment are inherited by the command to be run. There are two - distinct ways _s_u_d_o_e_r_s can deal with environment variables. + Since environment variables can influence program behavior, _s_u_d_o_e_r_s + provides a means to restrict which variables from the user's environment + are inherited by the command to be run. There are two distinct ways + _s_u_d_o_e_r_s can deal with environment variables. - By default, the _e_n_v___r_e_s_e_t option is enabled. This causes commands to - be executed with a new, minimal environment. On AIX (and Linux systems - without PAM), the environment is initialized with the contents of the - _/_e_t_c_/_e_n_v_i_r_o_n_m_e_n_t file. On BSD systems, if the _u_s_e___l_o_g_i_n_c_l_a_s_s option is - enabled, the environment is initialized based on the _p_a_t_h and _s_e_t_e_n_v - settings in _/_e_t_c_/_l_o_g_i_n_._c_o_n_f. The new environment contains the TERM, - PATH, HOME, MAIL, SHELL, LOGNAME, USER, USERNAME and SUDO_* variables - in addition to variables from the invoking process permitted by the - _e_n_v___c_h_e_c_k and _e_n_v___k_e_e_p options. This is effectively a whitelist for - environment variables. + By default, the _e_n_v___r_e_s_e_t option is enabled. This causes commands to be + executed with a new, minimal environment. On AIX (and Linux systems + without PAM), the environment is initialized with the contents of the + _/_e_t_c_/_e_n_v_i_r_o_n_m_e_n_t file. On BSD systems, if the _u_s_e___l_o_g_i_n_c_l_a_s_s option is + enabled, the environment is initialized based on the _p_a_t_h and _s_e_t_e_n_v + settings in _/_e_t_c_/_l_o_g_i_n_._c_o_n_f. The new environment contains the TERM, + PATH, HOME, MAIL, SHELL, LOGNAME, USER, USERNAME and SUDO_* variables in + addition to variables from the invoking process permitted by the + _e_n_v___c_h_e_c_k and _e_n_v___k_e_e_p options. This is effectively a whitelist for + environment variables. - If, however, the _e_n_v___r_e_s_e_t option is disabled, any variables not - explicitly denied by the _e_n_v___c_h_e_c_k and _e_n_v___d_e_l_e_t_e options are inherited - from the invoking process. In this case, _e_n_v___c_h_e_c_k and _e_n_v___d_e_l_e_t_e - behave like a blacklist. Since it is not possible to blacklist all - potentially dangerous environment variables, use of the default - _e_n_v___r_e_s_e_t behavior is encouraged. + If, however, the _e_n_v___r_e_s_e_t option is disabled, any variables not + explicitly denied by the _e_n_v___c_h_e_c_k and _e_n_v___d_e_l_e_t_e options are inherited + from the invoking process. In this case, _e_n_v___c_h_e_c_k and _e_n_v___d_e_l_e_t_e behave + like a blacklist. Since it is not possible to blacklist all potentially + dangerous environment variables, use of the default _e_n_v___r_e_s_e_t behavior is + encouraged. - In all cases, environment variables with a value beginning with () are - removed as they could be interpreted as bbaasshh functions. The list of - environment variables that ssuuddoo allows or denies is contained in the - output of sudo -V when run as root. + In all cases, environment variables with a value beginning with () are + removed as they could be interpreted as bbaasshh functions. The list of + environment variables that ssuuddoo allows or denies is contained in the + output of ``sudo -V'' when run as root. - Note that the dynamic linker on most operating systems will remove - variables that can control dynamic linking from the environment of - setuid executables, including ssuuddoo. Depending on the operating system - this may include _RLD*, DYLD_*, LD_*, LDR_*, LIBPATH, SHLIB_PATH, and - others. These type of variables are removed from the environment - before ssuuddoo even begins execution and, as such, it is not possible for - ssuuddoo to preserve them. + Note that the dynamic linker on most operating systems will remove + variables that can control dynamic linking from the environment of setuid + executables, including ssuuddoo. Depending on the operating system this may + include _RLD*, DYLD_*, LD_*, LDR_*, LIBPATH, SHLIB_PATH, and others. + These type of variables are removed from the environment before ssuuddoo even + begins execution and, as such, it is not possible for ssuuddoo to preserve + them. - As a special case, if ssuuddoo's --ii option (initial login) is specified, - _s_u_d_o_e_r_s will initialize the environment regardless of the value of - _e_n_v___r_e_s_e_t. The _D_I_S_P_L_A_Y, _P_A_T_H and _T_E_R_M variables remain unchanged; - _H_O_M_E, _M_A_I_L, _S_H_E_L_L, _U_S_E_R, and _L_O_G_N_A_M_E are set based on the target user. - On AIX (and Linux systems without PAM), the contents of - _/_e_t_c_/_e_n_v_i_r_o_n_m_e_n_t are also included. On BSD systems, if the - _u_s_e___l_o_g_i_n_c_l_a_s_s option is enabled, the _p_a_t_h and _s_e_t_e_n_v variables in - _/_e_t_c_/_l_o_g_i_n_._c_o_n_f are also applied. All other environment variables are - removed. + As a special case, if ssuuddoo's --ii option (initial login) is specified, + _s_u_d_o_e_r_s will initialize the environment regardless of the value of + _e_n_v___r_e_s_e_t. The DISPLAY, PATH and TERM variables remain unchanged; HOME, + MAIL, SHELL, USER, and LOGNAME are set based on the target user. On AIX + (and Linux systems without PAM), the contents of _/_e_t_c_/_e_n_v_i_r_o_n_m_e_n_t are + also included. On BSD systems, if the _u_s_e___l_o_g_i_n_c_l_a_s_s option is enabled, + the _p_a_t_h and _s_e_t_e_n_v variables in _/_e_t_c_/_l_o_g_i_n_._c_o_n_f are also applied. All + other environment variables are removed. - Finally, if the _e_n_v___f_i_l_e option is defined, any variables present in - that file will be set to their specified values as long as they would - not conflict with an existing environment variable. + Finally, if the _e_n_v___f_i_l_e option is defined, any variables present in that + file will be set to their specified values as long as they would not + conflict with an existing environment variable. SSUUDDOOEERRSS FFIILLEE FFOORRMMAATT - The _s_u_d_o_e_r_s file is composed of two types of entries: aliases - (basically variables) and user specifications (which specify who may - run what). + The _s_u_d_o_e_r_s file is composed of two types of entries: aliases (basically + variables) and user specifications (which specify who may run what). - When multiple entries match for a user, they are applied in order. - Where there are multiple matches, the last match is used (which is not - necessarily the most specific match). + When multiple entries match for a user, they are applied in order. Where + there are multiple matches, the last match is used (which is not + necessarily the most specific match). - The _s_u_d_o_e_r_s grammar will be described below in Extended Backus-Naur - Form (EBNF). Don't despair if you don't know what EBNF is; it is - fairly simple, and the definitions below are annotated. + The _s_u_d_o_e_r_s grammar will be described below in Extended Backus-Naur Form + (EBNF). Don't despair if you are unfamiliar with EBNF; it is fairly + simple, and the definitions below are annotated. QQuuiicckk gguuiiddee ttoo EEBBNNFF - EBNF is a concise and exact way of describing the grammar of a - language. Each EBNF definition is made up of _p_r_o_d_u_c_t_i_o_n _r_u_l_e_s. E.g., + EBNF is a concise and exact way of describing the grammar of a language. + Each EBNF definition is made up of _p_r_o_d_u_c_t_i_o_n _r_u_l_e_s. E.g., - symbol ::= definition | alternate1 | alternate2 ... + symbol ::= definition | alternate1 | alternate2 ... - Each _p_r_o_d_u_c_t_i_o_n _r_u_l_e references others and thus makes up a grammar for - the language. EBNF also contains the following operators, which many - readers will recognize from regular expressions. Do not, however, - confuse them with "wildcard" characters, which have different meanings. + Each _p_r_o_d_u_c_t_i_o_n _r_u_l_e references others and thus makes up a grammar for + the language. EBNF also contains the following operators, which many + readers will recognize from regular expressions. Do not, however, + confuse them with ``wildcard'' characters, which have different meanings. - ? Means that the preceding symbol (or group of symbols) is optional. + ? Means that the preceding symbol (or group of symbols) is optional. That is, it may appear once or not at all. - * Means that the preceding symbol (or group of symbols) may appear + * Means that the preceding symbol (or group of symbols) may appear zero or more times. - + Means that the preceding symbol (or group of symbols) may appear + + Means that the preceding symbol (or group of symbols) may appear one or more times. - Parentheses may be used to group symbols together. For clarity, we - will use single quotes ('') to designate what is a verbatim character - string (as opposed to a symbol name). + Parentheses may be used to group symbols together. For clarity, we will + use single quotes ('') to designate what is a verbatim character string + (as opposed to a symbol name). AAlliiaasseess - There are four kinds of aliases: User_Alias, Runas_Alias, Host_Alias - and Cmnd_Alias. + There are four kinds of aliases: User_Alias, Runas_Alias, Host_Alias and + Cmnd_Alias. - Alias ::= 'User_Alias' User_Alias (':' User_Alias)* | - 'Runas_Alias' Runas_Alias (':' Runas_Alias)* | - 'Host_Alias' Host_Alias (':' Host_Alias)* | - 'Cmnd_Alias' Cmnd_Alias (':' Cmnd_Alias)* + Alias ::= 'User_Alias' User_Alias (':' User_Alias)* | + 'Runas_Alias' Runas_Alias (':' Runas_Alias)* | + 'Host_Alias' Host_Alias (':' Host_Alias)* | + 'Cmnd_Alias' Cmnd_Alias (':' Cmnd_Alias)* - User_Alias ::= NAME '=' User_List + User_Alias ::= NAME '=' User_List - Runas_Alias ::= NAME '=' Runas_List + Runas_Alias ::= NAME '=' Runas_List - Host_Alias ::= NAME '=' Host_List + Host_Alias ::= NAME '=' Host_List - Cmnd_Alias ::= NAME '=' Cmnd_List + Cmnd_Alias ::= NAME '=' Cmnd_List - NAME ::= [A-Z]([A-Z][0-9]_)* + NAME ::= [A-Z]([A-Z][0-9]_)* - Each _a_l_i_a_s definition is of the form + Each _a_l_i_a_s definition is of the form - Alias_Type NAME = item1, item2, ... + Alias_Type NAME = item1, item2, ... - where _A_l_i_a_s___T_y_p_e is one of User_Alias, Runas_Alias, Host_Alias, or - Cmnd_Alias. A NAME is a string of uppercase letters, numbers, and - underscore characters ('_'). A NAME mmuusstt start with an uppercase - letter. It is possible to put several alias definitions of the same - type on a single line, joined by a colon (':'). E.g., + where _A_l_i_a_s___T_y_p_e is one of User_Alias, Runas_Alias, Host_Alias, or + Cmnd_Alias. A NAME is a string of uppercase letters, numbers, and + underscore characters (`_'). A NAME mmuusstt start with an uppercase letter. + It is possible to put several alias definitions of the same type on a + single line, joined by a colon (`:'). E.g., - Alias_Type NAME = item1, item2, item3 : NAME = item4, item5 + Alias_Type NAME = item1, item2, item3 : NAME = item4, item5 - The definitions of what constitutes a valid _a_l_i_a_s member follow. + The definitions of what constitutes a valid _a_l_i_a_s member follow. - User_List ::= User | - User ',' User_List + User_List ::= User | + User ',' User_List - User ::= '!'* user name | - '!'* #uid | - '!'* %group | - '!'* %#gid | - '!'* +netgroup | - '!'* %:nonunix_group | - '!'* %:#nonunix_gid | - '!'* User_Alias + User ::= '!'* user name | + '!'* #uid | + '!'* %group | + '!'* %#gid | + '!'* +netgroup | + '!'* %:nonunix_group | + '!'* %:#nonunix_gid | + '!'* User_Alias - A User_List is made up of one or more user names, user ids (prefixed - with '#'), system group names and ids (prefixed with '%' and '%#' - respectively), netgroups (prefixed with '+'), non-Unix group names and - IDs (prefixed with '%:' and '%:#' respectively) and User_Aliases. Each - list item may be prefixed with zero or more '!' operators. An odd - number of '!' operators negate the value of the item; an even number - just cancel each other out. + A User_List is made up of one or more user names, user ids (prefixed with + `#'), system group names and ids (prefixed with `%' and `%#' + respectively), netgroups (prefixed with `+'), non-Unix group names and + IDs (prefixed with `%:' and `%:#' respectively) and User_Aliases. Each + list item may be prefixed with zero or more `!' operators. An odd number + of `!' operators negate the value of the item; an even number just cancel + each other out. - A user name, uid, group, gid, netgroup, nonunix_group or nonunix_gid - may be enclosed in double quotes to avoid the need for escaping special - characters. Alternately, special characters may be specified in - escaped hex mode, e.g. \x20 for space. When using double quotes, any - prefix characters must be included inside the quotes. + A user name, uid, group, gid, netgroup, nonunix_group or nonunix_gid may + be enclosed in double quotes to avoid the need for escaping special + characters. Alternately, special characters may be specified in escaped + hex mode, e.g. \x20 for space. When using double quotes, any prefix + characters must be included inside the quotes. - The actual nonunix_group and nonunix_gid syntax depends on the - underlying group provider plugin (see the _g_r_o_u_p___p_l_u_g_i_n description - below). For instance, the QAS AD plugin supports the following - formats: + The actual nonunix_group and nonunix_gid syntax depends on the underlying + group provider plugin (see the _g_r_o_u_p___p_l_u_g_i_n description below). For + instance, the QAS AD plugin supports the following formats: - o Group in the same domain: "%:Group Name" + oo Group in the same domain: "%:Group Name" - o Group in any domain: "%:Group Name@FULLY.QUALIFIED.DOMAIN" + oo Group in any domain: "%:Group Name@FULLY.QUALIFIED.DOMAIN" - o Group SID: "%:S-1-2-34-5678901234-5678901234-5678901234-567" + oo Group SID: "%:S-1-2-34-5678901234-5678901234-5678901234-567" - Note that quotes around group names are optional. Unquoted strings - must use a backslash (\) to escape spaces and special characters. See - "Other special characters and reserved words" for a list of characters - that need to be escaped. + Note that quotes around group names are optional. Unquoted strings must + use a backslash (`\') to escape spaces and special characters. See _O_t_h_e_r + _s_p_e_c_i_a_l _c_h_a_r_a_c_t_e_r_s _a_n_d _r_e_s_e_r_v_e_d _w_o_r_d_s for a list of characters that need + to be escaped. - Runas_List ::= Runas_Member | - Runas_Member ',' Runas_List + Runas_List ::= Runas_Member | + Runas_Member ',' Runas_List - Runas_Member ::= '!'* user name | - '!'* #uid | - '!'* %group | - '!'* %#gid | - '!'* %:nonunix_group | - '!'* %:#nonunix_gid | - '!'* +netgroup | - '!'* Runas_Alias + Runas_Member ::= '!'* user name | + '!'* #uid | + '!'* %group | + '!'* %#gid | + '!'* %:nonunix_group | + '!'* %:#nonunix_gid | + '!'* +netgroup | + '!'* Runas_Alias - A Runas_List is similar to a User_List except that instead of - User_Aliases it can contain Runas_Aliases. Note that user names and - groups are matched as strings. In other words, two users (groups) with - the same uid (gid) are considered to be distinct. If you wish to match - all user names with the same uid (e.g. root and toor), you can use a - uid instead (#0 in the example given). + A Runas_List is similar to a User_List except that instead of + User_Aliases it can contain Runas_Aliases. Note that user names and + groups are matched as strings. In other words, two users (groups) with + the same uid (gid) are considered to be distinct. If you wish to match + all user names with the same uid (e.g. root and toor), you can use a uid + instead (#0 in the example given). - Host_List ::= Host | - Host ',' Host_List + Host_List ::= Host | + Host ',' Host_List - Host ::= '!'* host name | - '!'* ip_addr | - '!'* network(/netmask)? | - '!'* +netgroup | - '!'* Host_Alias + Host ::= '!'* host name | + '!'* ip_addr | + '!'* network(/netmask)? | + '!'* +netgroup | + '!'* Host_Alias - A Host_List is made up of one or more host names, IP addresses, network - numbers, netgroups (prefixed with '+') and other aliases. Again, the - value of an item may be negated with the '!' operator. If you do not - specify a netmask along with the network number, ssuuddoo will query each - of the local host's network interfaces and, if the network number - corresponds to one of the hosts's network interfaces, the corresponding - netmask will be used. The netmask may be specified either in standard - IP address notation (e.g. 255.255.255.0 or ffff:ffff:ffff:ffff::), or - CIDR notation (number of bits, e.g. 24 or 64). A host name may include - shell-style wildcards (see the Wildcards section below), but unless the - host name command on your machine returns the fully qualified host - name, you'll need to use the _f_q_d_n option for wildcards to be useful. - Note ssuuddoo only inspects actual network interfaces; this means that IP - address 127.0.0.1 (localhost) will never match. Also, the host name - "localhost" will only match if that is the actual host name, which is - usually only the case for non-networked systems. + A Host_List is made up of one or more host names, IP addresses, network + numbers, netgroups (prefixed with `+') and other aliases. Again, the + value of an item may be negated with the `!' operator. If you do not + specify a netmask along with the network number, ssuuddoo will query each of + the local host's network interfaces and, if the network number + corresponds to one of the hosts's network interfaces, the corresponding + netmask will be used. The netmask may be specified either in standard IP + address notation (e.g. 255.255.255.0 or ffff:ffff:ffff:ffff::), or CIDR + notation (number of bits, e.g. 24 or 64). A host name may include shell- + style wildcards (see the _W_i_l_d_c_a_r_d_s section below), but unless the host + name command on your machine returns the fully qualified host name, + you'll need to use the _f_q_d_n option for wildcards to be useful. Note that + ssuuddoo only inspects actual network interfaces; this means that IP address + 127.0.0.1 (localhost) will never match. Also, the host name + ``localhost'' will only match if that is the actual host name, which is + usually only the case for non-networked systems. - Cmnd_List ::= Cmnd | - Cmnd ',' Cmnd_List + Cmnd_List ::= Cmnd | + Cmnd ',' Cmnd_List - commandname ::= file name | - file name args | - file name '""' + command name ::= file name | + file name args | + file name '""' - Cmnd ::= '!'* commandname | - '!'* directory | - '!'* "sudoedit" | - '!'* Cmnd_Alias + Cmnd ::= '!'* command name | + '!'* directory | + '!'* "sudoedit" | + '!'* Cmnd_Alias - A Cmnd_List is a list of one or more commandnames, directories, and - other aliases. A commandname is a fully qualified file name which may - include shell-style wildcards (see the Wildcards section below). A - simple file name allows the user to run the command with any arguments - he/she wishes. However, you may also specify command line arguments - (including wildcards). Alternately, you can specify "" to indicate - that the command may only be run wwiitthhoouutt command line arguments. A - directory is a fully qualified path name ending in a '/'. When you - specify a directory in a Cmnd_List, the user will be able to run any - file within that directory (but not in any subdirectories therein). + A Cmnd_List is a list of one or more command names, directories, and + other aliases. A command name is a fully qualified file name which may + include shell-style wildcards (see the _W_i_l_d_c_a_r_d_s section below). A + simple file name allows the user to run the command with any arguments + he/she wishes. However, you may also specify command line arguments + (including wildcards). Alternately, you can specify "" to indicate that + the command may only be run wwiitthhoouutt command line arguments. A directory + is a fully qualified path name ending in a `/'. When you specify a + directory in a Cmnd_List, the user will be able to run any file within + that directory (but not in any subdirectories therein). - If a Cmnd has associated command line arguments, then the arguments in - the Cmnd must match exactly those given by the user on the command line - (or match the wildcards if there are any). Note that the following - characters must be escaped with a '\' if they are used in command - arguments: ',', ':', '=', '\'. The special command "sudoedit" is used - to permit a user to run ssuuddoo with the --ee option (or as ssuuddooeeddiitt). It - may take command line arguments just as a normal command does. + If a Cmnd has associated command line arguments, then the arguments in + the Cmnd must match exactly those given by the user on the command line + (or match the wildcards if there are any). Note that the following + characters must be escaped with a `\' if they are used in command + arguments: `,', `:', `=', `\'. The special command ``sudoedit'' is used + to permit a user to run ssuuddoo with the --ee option (or as ssuuddooeeddiitt). It may + take command line arguments just as a normal command does. DDeeffaauullttss - Certain configuration options may be changed from their default values - at runtime via one or more Default_Entry lines. These may affect all - users on any host, all users on a specific host, a specific user, a - specific command, or commands being run as a specific user. Note that - per-command entries may not include command line arguments. If you - need to specify arguments, define a Cmnd_Alias and reference that - instead. + Certain configuration options may be changed from their default values at + runtime via one or more Default_Entry lines. These may affect all users + on any host, all users on a specific host, a specific user, a specific + command, or commands being run as a specific user. Note that per-command + entries may not include command line arguments. If you need to specify + arguments, define a Cmnd_Alias and reference that instead. - Default_Type ::= 'Defaults' | - 'Defaults' '@' Host_List | - 'Defaults' ':' User_List | - 'Defaults' '!' Cmnd_List | - 'Defaults' '>' Runas_List + Default_Type ::= 'Defaults' | + 'Defaults' '@' Host_List | + 'Defaults' ':' User_List | + 'Defaults' '!' Cmnd_List | + 'Defaults' '>' Runas_List - Default_Entry ::= Default_Type Parameter_List + Default_Entry ::= Default_Type Parameter_List - Parameter_List ::= Parameter | - Parameter ',' Parameter_List + Parameter_List ::= Parameter | + Parameter ',' Parameter_List - Parameter ::= Parameter '=' Value | - Parameter '+=' Value | - Parameter '-=' Value | - '!'* Parameter + Parameter ::= Parameter '=' Value | + Parameter '+=' Value | + Parameter '-=' Value | + '!'* Parameter - Parameters may be ffllaaggss, iinntteeggeerr values, ssttrriinnggss, or lliissttss. Flags are - implicitly boolean and can be turned off via the '!' operator. Some - integer, string and list parameters may also be used in a boolean - context to disable them. Values may be enclosed in double quotes (") - when they contain multiple words. Special characters may be escaped - with a backslash (\). + Parameters may be ffllaaggss, iinntteeggeerr values, ssttrriinnggss, or lliissttss. Flags are + implicitly boolean and can be turned off via the `!' operator. Some + integer, string and list parameters may also be used in a boolean context + to disable them. Values may be enclosed in double quotes ("") when they + contain multiple words. Special characters may be escaped with a + backslash (`\'). - Lists have two additional assignment operators, += and -=. These - operators are used to add to and delete from a list respectively. It - is not an error to use the -= operator to remove an element that does - not exist in a list. + Lists have two additional assignment operators, += and -=. These + operators are used to add to and delete from a list respectively. It is + not an error to use the -= operator to remove an element that does not + exist in a list. - Defaults entries are parsed in the following order: generic, host and - user Defaults first, then runas Defaults and finally command defaults. + Defaults entries are parsed in the following order: generic, host and + user Defaults first, then runas Defaults and finally command defaults. - See "SUDOERS OPTIONS" for a list of supported Defaults parameters. + See _S_U_D_O_E_R_S _O_P_T_I_O_N_S for a list of supported Defaults parameters. UUsseerr SSppeecciiffiiccaattiioonn - User_Spec ::= User_List Host_List '=' Cmnd_Spec_List \ - (':' Host_List '=' Cmnd_Spec_List)* + User_Spec ::= User_List Host_List '=' Cmnd_Spec_List \ + (':' Host_List '=' Cmnd_Spec_List)* - Cmnd_Spec_List ::= Cmnd_Spec | - Cmnd_Spec ',' Cmnd_Spec_List + Cmnd_Spec_List ::= Cmnd_Spec | + Cmnd_Spec ',' Cmnd_Spec_List - Cmnd_Spec ::= Runas_Spec? SELinux_Spec? Tag_Spec* Cmnd + Cmnd_Spec ::= Runas_Spec? SELinux_Spec? Tag_Spec* Cmnd - Runas_Spec ::= '(' Runas_List? (':' Runas_List)? ')' + Runas_Spec ::= '(' Runas_List? (':' Runas_List)? ')' - SELinux_Spec ::= ('ROLE=role' | 'TYPE=type') + SELinux_Spec ::= ('ROLE=role' | 'TYPE=type') - Tag_Spec ::= ('NOPASSWD:' | 'PASSWD:' | 'NOEXEC:' | 'EXEC:' | - 'SETENV:' | 'NOSETENV:' | 'LOG_INPUT:' | 'NOLOG_INPUT:' | - 'LOG_OUTPUT:' | 'NOLOG_OUTPUT:') + Tag_Spec ::= ('NOPASSWD:' | 'PASSWD:' | 'NOEXEC:' | 'EXEC:' | + 'SETENV:' | 'NOSETENV:' | 'LOG_INPUT:' | 'NOLOG_INPUT:' | + 'LOG_OUTPUT:' | 'NOLOG_OUTPUT:') - A uusseerr ssppeecciiffiiccaattiioonn determines which commands a user may run (and as - what user) on specified hosts. By default, commands are run as rroooott, - but this can be changed on a per-command basis. + A uusseerr ssppeecciiffiiccaattiioonn determines which commands a user may run (and as + what user) on specified hosts. By default, commands are run as rroooott, but + this can be changed on a per-command basis. - The basic structure of a user specification is `who where = (as_whom) - what'. Let's break that down into its constituent parts: + The basic structure of a user specification is ``who where = (as_whom) + what''. Let's break that down into its constituent parts: RRuunnaass__SSppeecc - A Runas_Spec determines the user and/or the group that a command may be - run as. A fully-specified Runas_Spec consists of two Runas_Lists (as - defined above) separated by a colon (':') and enclosed in a set of - parentheses. The first Runas_List indicates which users the command - may be run as via ssuuddoo's --uu option. The second defines a list of - groups that can be specified via ssuuddoo's --gg option. If both Runas_Lists - are specified, the command may be run with any combination of users and - groups listed in their respective Runas_Lists. If only the first is - specified, the command may be run as any user in the list but no --gg - option may be specified. If the first Runas_List is empty but the - second is specified, the command may be run as the invoking user with - the group set to any listed in the Runas_List. If no Runas_Spec is - specified the command may be run as rroooott and no group may be specified. + A Runas_Spec determines the user and/or the group that a command may be + run as. A fully-specified Runas_Spec consists of two Runas_Lists (as + defined above) separated by a colon (`:') and enclosed in a set of + parentheses. The first Runas_List indicates which users the command may + be run as via ssuuddoo's --uu option. The second defines a list of groups that + can be specified via ssuuddoo's --gg option. If both Runas_Lists are + specified, the command may be run with any combination of users and + groups listed in their respective Runas_Lists. If only the first is + specified, the command may be run as any user in the list but no --gg + option may be specified. If the first Runas_List is empty but the second + is specified, the command may be run as the invoking user with the group + set to any listed in the Runas_List. If no Runas_Spec is specified the + command may be run as rroooott and no group may be specified. - A Runas_Spec sets the default for the commands that follow it. What - this means is that for the entry: + A Runas_Spec sets the default for the commands that follow it. What this + means is that for the entry: - dgb boulder = (operator) /bin/ls, /bin/kill, /usr/bin/lprm + dgb boulder = (operator) /bin/ls, /bin/kill, /usr/bin/lprm - The user ddggbb may run _/_b_i_n_/_l_s, _/_b_i_n_/_k_i_l_l, and _/_u_s_r_/_b_i_n_/_l_p_r_m -- but only - as ooppeerraattoorr. E.g., + The user ddggbb may run _/_b_i_n_/_l_s, _/_b_i_n_/_k_i_l_l, and _/_u_s_r_/_b_i_n_/_l_p_r_m--but only as + ooppeerraattoorr. E.g., - $ sudo -u operator /bin/ls + $ sudo -u operator /bin/ls - It is also possible to override a Runas_Spec later on in an entry. If - we modify the entry like so: + It is also possible to override a Runas_Spec later on in an entry. If we + modify the entry like so: - dgb boulder = (operator) /bin/ls, (root) /bin/kill, /usr/bin/lprm + dgb boulder = (operator) /bin/ls, (root) /bin/kill, /usr/bin/lprm - Then user ddggbb is now allowed to run _/_b_i_n_/_l_s as ooppeerraattoorr, but _/_b_i_n_/_k_i_l_l - and _/_u_s_r_/_b_i_n_/_l_p_r_m as rroooott. + Then user ddggbb is now allowed to run _/_b_i_n_/_l_s as ooppeerraattoorr, but _/_b_i_n_/_k_i_l_l + and _/_u_s_r_/_b_i_n_/_l_p_r_m as rroooott. - We can extend this to allow ddggbb to run /bin/ls with either the user or - group set to ooppeerraattoorr: + We can extend this to allow ddggbb to run /bin/ls with either the user or + group set to ooppeerraattoorr: - dgb boulder = (operator : operator) /bin/ls, (root) /bin/kill, \ - /usr/bin/lprm + dgb boulder = (operator : operator) /bin/ls, (root) /bin/kill,\ + /usr/bin/lprm - Note that while the group portion of the Runas_Spec permits the user to - run as command with that group, it does not force the user to do so. - If no group is specified on the command line, the command will run with - the group listed in the target user's password database entry. The - following would all be permitted by the sudoers entry above: + Note that while the group portion of the Runas_Spec permits the user to + run as command with that group, it does not force the user to do so. If + no group is specified on the command line, the command will run with the + group listed in the target user's password database entry. The following + would all be permitted by the sudoers entry above: - $ sudo -u operator /bin/ls - $ sudo -u operator -g operator /bin/ls - $ sudo -g operator /bin/ls + $ sudo -u operator /bin/ls + $ sudo -u operator -g operator /bin/ls + $ sudo -g operator /bin/ls - In the following example, user ttccmm may run commands that access a modem - device file with the dialer group. + In the following example, user ttccmm may run commands that access a modem + device file with the dialer group. - tcm boulder = (:dialer) /usr/bin/tip, /usr/bin/cu, \ - /usr/local/bin/minicom + tcm boulder = (:dialer) /usr/bin/tip, /usr/bin/cu,\ + /usr/local/bin/minicom - Note that in this example only the group will be set, the command still - runs as user ttccmm. E.g. + Note that in this example only the group will be set, the command still + runs as user ttccmm. E.g. - $ sudo -g dialer /usr/bin/cu + $ sudo -g dialer /usr/bin/cu - Multiple users and groups may be present in a Runas_Spec, in which case - the user may select any combination of users and groups via the --uu and - --gg options. In this example: + Multiple users and groups may be present in a Runas_Spec, in which case + the user may select any combination of users and groups via the --uu and --gg + options. In this example: - alan ALL = (root, bin : operator, system) ALL + alan ALL = (root, bin : operator, system) ALL - user aallaann may run any command as either user root or bin, optionally - setting the group to operator or system. + user aallaann may run any command as either user root or bin, optionally + setting the group to operator or system. SSEELLiinnuuxx__SSppeecc - On systems with SELinux support, _s_u_d_o_e_r_s entries may optionally have an - SELinux role and/or type associated with a command. If a role or type - is specified with the command it will override any default values - specified in _s_u_d_o_e_r_s. A role or type specified on the command line, - however, will supercede the values in _s_u_d_o_e_r_s. + On systems with SELinux support, _s_u_d_o_e_r_s entries may optionally have an + SELinux role and/or type associated with a command. If a role or type is + specified with the command it will override any default values specified + in _s_u_d_o_e_r_s. A role or type specified on the command line, however, will + supercede the values in _s_u_d_o_e_r_s. TTaagg__SSppeecc - A command may have zero or more tags associated with it. There are ten - possible tag values, NOPASSWD, PASSWD, NOEXEC, EXEC, SETENV, NOSETENV, - LOG_INPUT, NOLOG_INPUT, LOG_OUTPUT and NOLOG_OUTPUT. Once a tag is set - on a Cmnd, subsequent Cmnds in the Cmnd_Spec_List, inherit the tag - unless it is overridden by the opposite tag (in other words, PASSWD - overrides NOPASSWD and NOEXEC overrides EXEC). + A command may have zero or more tags associated with it. There are ten + possible tag values: NOPASSWD, PASSWD, NOEXEC, EXEC, SETENV, NOSETENV, + LOG_INPUT, NOLOG_INPUT, LOG_OUTPUT and NOLOG_OUTPUT. Once a tag is set + on a Cmnd, subsequent Cmnds in the Cmnd_Spec_List, inherit the tag unless + it is overridden by the opposite tag (in other words, PASSWD overrides + NOPASSWD and NOEXEC overrides EXEC). - _N_O_P_A_S_S_W_D _a_n_d _P_A_S_S_W_D + _N_O_P_A_S_S_W_D _a_n_d _P_A_S_S_W_D - By default, ssuuddoo requires that a user authenticate him or herself - before running a command. This behavior can be modified via the - NOPASSWD tag. Like a Runas_Spec, the NOPASSWD tag sets a default for - the commands that follow it in the Cmnd_Spec_List. Conversely, the - PASSWD tag can be used to reverse things. For example: + By default, ssuuddoo requires that a user authenticate him or herself before + running a command. This behavior can be modified via the NOPASSWD tag. + Like a Runas_Spec, the NOPASSWD tag sets a default for the commands that + follow it in the Cmnd_Spec_List. Conversely, the PASSWD tag can be used + to reverse things. For example: - ray rushmore = NOPASSWD: /bin/kill, /bin/ls, /usr/bin/lprm + ray rushmore = NOPASSWD: /bin/kill, /bin/ls, /usr/bin/lprm - would allow the user rraayy to run _/_b_i_n_/_k_i_l_l, _/_b_i_n_/_l_s, and _/_u_s_r_/_b_i_n_/_l_p_r_m - as rroooott on the machine rushmore without authenticating himself. If we - only want rraayy to be able to run _/_b_i_n_/_k_i_l_l without a password the entry - would be: + would allow the user rraayy to run _/_b_i_n_/_k_i_l_l, _/_b_i_n_/_l_s, and _/_u_s_r_/_b_i_n_/_l_p_r_m as + rroooott on the machine rushmore without authenticating himself. If we only + want rraayy to be able to run _/_b_i_n_/_k_i_l_l without a password the entry would + be: - ray rushmore = NOPASSWD: /bin/kill, PASSWD: /bin/ls, /usr/bin/lprm + ray rushmore = NOPASSWD: /bin/kill, PASSWD: /bin/ls, /usr/bin/lprm - Note, however, that the PASSWD tag has no effect on users who are in - the group specified by the _e_x_e_m_p_t___g_r_o_u_p option. + Note, however, that the PASSWD tag has no effect on users who are in the + group specified by the _e_x_e_m_p_t___g_r_o_u_p option. - By default, if the NOPASSWD tag is applied to any of the entries for a - user on the current host, he or she will be able to run sudo -l without - a password. Additionally, a user may only run sudo -v without a - password if the NOPASSWD tag is present for all a user's entries that - pertain to the current host. This behavior may be overridden via the - verifypw and listpw options. + By default, if the NOPASSWD tag is applied to any of the entries for a + user on the current host, he or she will be able to run ``sudo -l'' + without a password. Additionally, a user may only run ``sudo -v'' + without a password if the NOPASSWD tag is present for all a user's + entries that pertain to the current host. This behavior may be + overridden via the verifypw and listpw options. - _N_O_E_X_E_C _a_n_d _E_X_E_C + _N_O_E_X_E_C _a_n_d _E_X_E_C - If ssuuddoo has been compiled with _n_o_e_x_e_c support and the underlying - operating system supports it, the NOEXEC tag can be used to prevent a - dynamically-linked executable from running further commands itself. + If ssuuddoo has been compiled with _n_o_e_x_e_c support and the underlying + operating system supports it, the NOEXEC tag can be used to prevent a + dynamically-linked executable from running further commands itself. - In the following example, user aaaarroonn may run _/_u_s_r_/_b_i_n_/_m_o_r_e and - _/_u_s_r_/_b_i_n_/_v_i but shell escapes will be disabled. + In the following example, user aaaarroonn may run _/_u_s_r_/_b_i_n_/_m_o_r_e and + _/_u_s_r_/_b_i_n_/_v_i but shell escapes will be disabled. - aaron shanty = NOEXEC: /usr/bin/more, /usr/bin/vi + aaron shanty = NOEXEC: /usr/bin/more, /usr/bin/vi - See the "Preventing Shell Escapes" section below for more details on - how NOEXEC works and whether or not it will work on your system. + See the _P_r_e_v_e_n_t_i_n_g _S_h_e_l_l _E_s_c_a_p_e_s section below for more details on how + NOEXEC works and whether or not it will work on your system. - _S_E_T_E_N_V _a_n_d _N_O_S_E_T_E_N_V + _S_E_T_E_N_V _a_n_d _N_O_S_E_T_E_N_V - These tags override the value of the _s_e_t_e_n_v option on a per-command - basis. Note that if SETENV has been set for a command, the user may - disable the _e_n_v___r_e_s_e_t option from the command line via the --EE option. - Additionally, environment variables set on the command line are not - subject to the restrictions imposed by _e_n_v___c_h_e_c_k, _e_n_v___d_e_l_e_t_e, or - _e_n_v___k_e_e_p. As such, only trusted users should be allowed to set - variables in this manner. If the command matched is AALLLL, the SETENV - tag is implied for that command; this default may be overridden by use - of the NOSETENV tag. + These tags override the value of the _s_e_t_e_n_v option on a per-command + basis. Note that if SETENV has been set for a command, the user may + disable the _e_n_v___r_e_s_e_t option from the command line via the --EE option. + Additionally, environment variables set on the command line are not + subject to the restrictions imposed by _e_n_v___c_h_e_c_k, _e_n_v___d_e_l_e_t_e, or + _e_n_v___k_e_e_p. As such, only trusted users should be allowed to set variables + in this manner. If the command matched is AALLLL, the SETENV tag is implied + for that command; this default may be overridden by use of the NOSETENV + tag. - _L_O_G___I_N_P_U_T _a_n_d _N_O_L_O_G___I_N_P_U_T + _L_O_G___I_N_P_U_T _a_n_d _N_O_L_O_G___I_N_P_U_T - These tags override the value of the _l_o_g___i_n_p_u_t option on a per-command - basis. For more information, see the description of _l_o_g___i_n_p_u_t in the - "SUDOERS OPTIONS" section below. + These tags override the value of the _l_o_g___i_n_p_u_t option on a per-command + basis. For more information, see the description of _l_o_g___i_n_p_u_t in the + _S_U_D_O_E_R_S _O_P_T_I_O_N_S section below. - _L_O_G___O_U_T_P_U_T _a_n_d _N_O_L_O_G___O_U_T_P_U_T + _L_O_G___O_U_T_P_U_T _a_n_d _N_O_L_O_G___O_U_T_P_U_T - These tags override the value of the _l_o_g___o_u_t_p_u_t option on a per-command - basis. For more information, see the description of _l_o_g___o_u_t_p_u_t in the - "SUDOERS OPTIONS" section below. + These tags override the value of the _l_o_g___o_u_t_p_u_t option on a per-command + basis. For more information, see the description of _l_o_g___o_u_t_p_u_t in the + _S_U_D_O_E_R_S _O_P_T_I_O_N_S section below. WWiillddccaarrddss - ssuuddoo allows shell-style _w_i_l_d_c_a_r_d_s (aka meta or glob characters) to be - used in host names, path names and command line arguments in the - _s_u_d_o_e_r_s file. Wildcard matching is done via the PPOOSSIIXX _g_l_o_b(3) and - _f_n_m_a_t_c_h(3) routines. Note that these are _n_o_t regular expressions. + ssuuddoo allows shell-style _w_i_l_d_c_a_r_d_s (aka meta or glob characters) to be + used in host names, path names and command line arguments in the _s_u_d_o_e_r_s + file. Wildcard matching is done via the PPOOSSIIXX glob(3) and fnmatch(3) + routines. Note that these are _n_o_t regular expressions. - * Matches any set of zero or more characters. + * Matches any set of zero or more characters. - ? Matches any single character. + ? Matches any single character. - [...] Matches any character in the specified range. + [...] Matches any character in the specified range. - [!...] Matches any character nnoott in the specified range. + [!...] Matches any character nnoott in the specified range. - \x For any character "x", evaluates to "x". This is used to - escape special characters such as: "*", "?", "[", and "]". + \x For any character `x', evaluates to `x'. This is used to + escape special characters such as: `*', `?', `[', and `]'. - POSIX character classes may also be used if your system's _g_l_o_b(3) and - _f_n_m_a_t_c_h(3) functions support them. However, because the ':' character - has special meaning in _s_u_d_o_e_r_s, it must be escaped. For example: + POSIX character classes may also be used if your system's glob(3) and + fnmatch(3) functions support them. However, because the `:' character + has special meaning in _s_u_d_o_e_r_s, it must be escaped. For example: - /bin/ls [[\:alpha\:]]* + /bin/ls [[:alpha:]]* - Would match any file name beginning with a letter. + Would match any file name beginning with a letter. - Note that a forward slash ('/') will nnoott be matched by wildcards used - in the path name. When matching the command line arguments, however, a - slash ddooeess get matched by wildcards. This is to make a path like: + Note that a forward slash (`/') will nnoott be matched by wildcards used in + the path name. When matching the command line arguments, however, a + slash ddooeess get matched by wildcards. This is to make a path like: - /usr/bin/* + /usr/bin/* - match _/_u_s_r_/_b_i_n_/_w_h_o but not _/_u_s_r_/_b_i_n_/_X_1_1_/_x_t_e_r_m. + match _/_u_s_r_/_b_i_n_/_w_h_o but not _/_u_s_r_/_b_i_n_/_X_1_1_/_x_t_e_r_m. EExxcceeppttiioonnss ttoo wwiillddccaarrdd rruulleess - The following exceptions apply to the above rules: + The following exceptions apply to the above rules: - "" If the empty string "" is the only command line argument in the - _s_u_d_o_e_r_s entry it means that command is not allowed to be run - with aannyy arguments. + "" If the empty string "" is the only command line argument in the + _s_u_d_o_e_r_s entry it means that command is not allowed to be run with + aannyy arguments. IInncclluuddiinngg ootthheerr ffiilleess ffrroomm wwiitthhiinn ssuuddooeerrss - It is possible to include other _s_u_d_o_e_r_s files from within the _s_u_d_o_e_r_s - file currently being parsed using the #include and #includedir - directives. + It is possible to include other _s_u_d_o_e_r_s files from within the _s_u_d_o_e_r_s + file currently being parsed using the #include and #includedir + directives. - This can be used, for example, to keep a site-wide _s_u_d_o_e_r_s file in - addition to a local, per-machine file. For the sake of this example - the site-wide _s_u_d_o_e_r_s will be _/_e_t_c_/_s_u_d_o_e_r_s and the per-machine one will - be _/_e_t_c_/_s_u_d_o_e_r_s_._l_o_c_a_l. To include _/_e_t_c_/_s_u_d_o_e_r_s_._l_o_c_a_l from within - _/_e_t_c_/_s_u_d_o_e_r_s we would use the following line in _/_e_t_c_/_s_u_d_o_e_r_s: + This can be used, for example, to keep a site-wide _s_u_d_o_e_r_s file in + addition to a local, per-machine file. For the sake of this example the + site-wide _s_u_d_o_e_r_s will be _/_e_t_c_/_s_u_d_o_e_r_s and the per-machine one will be + _/_e_t_c_/_s_u_d_o_e_r_s_._l_o_c_a_l. To include _/_e_t_c_/_s_u_d_o_e_r_s_._l_o_c_a_l from within + _/_e_t_c_/_s_u_d_o_e_r_s we would use the following line in _/_e_t_c_/_s_u_d_o_e_r_s: - #include /etc/sudoers.local + #include /etc/sudoers.local - When ssuuddoo reaches this line it will suspend processing of the current - file (_/_e_t_c_/_s_u_d_o_e_r_s) and switch to _/_e_t_c_/_s_u_d_o_e_r_s_._l_o_c_a_l. Upon reaching - the end of _/_e_t_c_/_s_u_d_o_e_r_s_._l_o_c_a_l, the rest of _/_e_t_c_/_s_u_d_o_e_r_s will be - processed. Files that are included may themselves include other files. - A hard limit of 128 nested include files is enforced to prevent include - file loops. + When ssuuddoo reaches this line it will suspend processing of the current + file (_/_e_t_c_/_s_u_d_o_e_r_s) and switch to _/_e_t_c_/_s_u_d_o_e_r_s_._l_o_c_a_l. Upon reaching the + end of _/_e_t_c_/_s_u_d_o_e_r_s_._l_o_c_a_l, the rest of _/_e_t_c_/_s_u_d_o_e_r_s will be processed. + Files that are included may themselves include other files. A hard limit + of 128 nested include files is enforced to prevent include file loops. - If the path to the include file is not fully-qualified (does not begin - with a /), it must be located in the same directory as the sudoers file - it was included from. For example, if _/_e_t_c_/_s_u_d_o_e_r_s contains the line: + If the path to the include file is not fully-qualified (does not begin + with a `/', it must be located in the same directory as the sudoers file + it was included from. For example, if _/_e_t_c_/_s_u_d_o_e_r_s contains the line: - #include sudoers.local + #include sudoers.local - the file that will be included is _/_e_t_c_/_s_u_d_o_e_r_s_._l_o_c_a_l. + the file that will be included is _/_e_t_c_/_s_u_d_o_e_r_s_._l_o_c_a_l. - The file name may also include the %h escape, signifying the short form - of the host name. In other words, if the machine's host name is - "xerxes", then + The file name may also include the %h escape, signifying the short form + of the host name. In other words, if the machine's host name is + ``xerxes'', then - #include /etc/sudoers.%h + #include /etc/sudoers.%h - will cause ssuuddoo to include the file _/_e_t_c_/_s_u_d_o_e_r_s_._x_e_r_x_e_s. + will cause ssuuddoo to include the file _/_e_t_c_/_s_u_d_o_e_r_s_._x_e_r_x_e_s. - The #includedir directive can be used to create a _s_u_d_o_._d directory that - the system package manager can drop _s_u_d_o_e_r_s rules into as part of - package installation. For example, given: + The #includedir directive can be used to create a _s_u_d_o_._d directory that + the system package manager can drop _s_u_d_o_e_r_s rules into as part of package + installation. For example, given: - #includedir /etc/sudoers.d + #includedir /etc/sudoers.d - ssuuddoo will read each file in _/_e_t_c_/_s_u_d_o_e_r_s_._d, skipping file names that - end in ~ or contain a . character to avoid causing problems with - package manager or editor temporary/backup files. Files are parsed in - sorted lexical order. That is, _/_e_t_c_/_s_u_d_o_e_r_s_._d_/_0_1___f_i_r_s_t will be parsed - before _/_e_t_c_/_s_u_d_o_e_r_s_._d_/_1_0___s_e_c_o_n_d. Be aware that because the sorting is - lexical, not numeric, _/_e_t_c_/_s_u_d_o_e_r_s_._d_/_1___w_h_o_o_p_s would be loaded aafftteerr - _/_e_t_c_/_s_u_d_o_e_r_s_._d_/_1_0___s_e_c_o_n_d. Using a consistent number of leading zeroes - in the file names can be used to avoid such problems. + ssuuddoo will read each file in _/_e_t_c_/_s_u_d_o_e_r_s_._d, skipping file names that end + in `~' or contain a `.' character to avoid causing problems with package + manager or editor temporary/backup files. Files are parsed in sorted + lexical order. That is, _/_e_t_c_/_s_u_d_o_e_r_s_._d_/_0_1___f_i_r_s_t will be parsed before + _/_e_t_c_/_s_u_d_o_e_r_s_._d_/_1_0___s_e_c_o_n_d. Be aware that because the sorting is lexical, + not numeric, _/_e_t_c_/_s_u_d_o_e_r_s_._d_/_1___w_h_o_o_p_s would be loaded aafftteerr + _/_e_t_c_/_s_u_d_o_e_r_s_._d_/_1_0___s_e_c_o_n_d. Using a consistent number of leading zeroes in + the file names can be used to avoid such problems. - Note that unlike files included via #include, vviissuuddoo will not edit the - files in a #includedir directory unless one of them contains a syntax - error. It is still possible to run vviissuuddoo with the --ff flag to edit the - files directly. + Note that unlike files included via #include, vviissuuddoo will not edit the + files in a #includedir directory unless one of them contains a syntax + error. It is still possible to run vviissuuddoo with the --ff flag to edit the + files directly. OOtthheerr ssppeecciiaall cchhaarraacctteerrss aanndd rreesseerrvveedd wwoorrddss - The pound sign ('#') is used to indicate a comment (unless it is part - of a #include directive or unless it occurs in the context of a user - name and is followed by one or more digits, in which case it is treated - as a uid). Both the comment character and any text after it, up to the - end of the line, are ignored. + The pound sign (`#') is used to indicate a comment (unless it is part of + a #include directive or unless it occurs in the context of a user name + and is followed by one or more digits, in which case it is treated as a + uid). Both the comment character and any text after it, up to the end of + the line, are ignored. - The reserved word AALLLL is a built-in _a_l_i_a_s that always causes a match to - succeed. It can be used wherever one might otherwise use a Cmnd_Alias, - User_Alias, Runas_Alias, or Host_Alias. You should not try to define - your own _a_l_i_a_s called AALLLL as the built-in alias will be used in - preference to your own. Please note that using AALLLL can be dangerous - since in a command context, it allows the user to run aannyy command on - the system. + The reserved word AALLLL is a built-in _a_l_i_a_s that always causes a match to + succeed. It can be used wherever one might otherwise use a Cmnd_Alias, + User_Alias, Runas_Alias, or Host_Alias. You should not try to define + your own _a_l_i_a_s called AALLLL as the built-in alias will be used in + preference to your own. Please note that using AALLLL can be dangerous + since in a command context, it allows the user to run aannyy command on the + system. - An exclamation point ('!') can be used as a logical _n_o_t operator both - in an _a_l_i_a_s and in front of a Cmnd. This allows one to exclude certain - values. Note, however, that using a ! in conjunction with the built-in - ALL alias to allow a user to run "all but a few" commands rarely works - as intended (see SECURITY NOTES below). + An exclamation point (`!') can be used as a logical _n_o_t operator both in + an _a_l_i_a_s and in front of a Cmnd. This allows one to exclude certain + values. Note, however, that using a `!' in conjunction with the built-in + AALLLL alias to allow a user to run ``all but a few'' commands rarely works + as intended (see _S_E_C_U_R_I_T_Y _N_O_T_E_S below). - Long lines can be continued with a backslash ('\') as the last - character on the line. + Long lines can be continued with a backslash (`\') as the last character + on the line. - Whitespace between elements in a list as well as special syntactic - characters in a _U_s_e_r _S_p_e_c_i_f_i_c_a_t_i_o_n ('=', ':', '(', ')') is optional. + Whitespace between elements in a list as well as special syntactic + characters in a _U_s_e_r _S_p_e_c_i_f_i_c_a_t_i_o_n (`=', `:', `(', `)') is optional. - The following characters must be escaped with a backslash ('\') when - used as part of a word (e.g. a user name or host name): '!', '=', ':', - ',', '(', ')', '\'. + The following characters must be escaped with a backslash (`\') when used + as part of a word (e.g. a user name or host name): `!', `=', `:', `,', + `(', `)', `\'. SSUUDDOOEERRSS OOPPTTIIOONNSS - ssuuddoo's behavior can be modified by Default_Entry lines, as explained - earlier. A list of all supported Defaults parameters, grouped by type, - are listed below. + ssuuddoo's behavior can be modified by Default_Entry lines, as explained + earlier. A list of all supported Defaults parameters, grouped by type, + are listed below. - BBoooolleeaann FFllaaggss: + BBoooolleeaann FFllaaggss: - always_set_home If enabled, ssuuddoo will set the HOME environment variable + always_set_home If enabled, ssuuddoo will set the HOME environment variable to the home directory of the target user (which is root unless the --uu option is used). This effectively means that the --HH option is always implied. Note that HOME @@ -657,24 +648,24 @@ SSUUDDOOEERRSS OOPPTTIIOONNSS HOME is present in the _e_n_v___k_e_e_p list. This flag is _o_f_f by default. - authenticate If set, users must authenticate themselves via a + authenticate If set, users must authenticate themselves via a password (or other means of authentication) before they may run commands. This default may be overridden via the PASSWD and NOPASSWD tags. This flag is _o_n by default. - closefrom_override + closefrom_override If set, the user may use ssuuddoo's --CC option which overrides the default starting point at which ssuuddoo begins closing open file descriptors. This flag is _o_f_f by default. - compress_io If set, and ssuuddoo is configured to log a command's input + compress_io If set, and ssuuddoo is configured to log a command's input or output, the I/O logs will be compressed using zzlliibb. This flag is _o_n by default when ssuuddoo is compiled with zzlliibb support. - env_editor If set, vviissuuddoo will use the value of the EDITOR or + env_editor If set, vviissuuddoo will use the value of the EDITOR or VISUAL environment variables before falling back on the default editor list. Note that this may create a security hole as it allows the user to run any @@ -684,7 +675,7 @@ SSUUDDOOEERRSS OOPPTTIIOONNSS use the EDITOR or VISUAL if they match a value specified in editor. This flag is _o_f_f by default. - env_reset If set, ssuuddoo will run the command in a minimal + env_reset If set, ssuuddoo will run the command in a minimal environment containing the TERM, PATH, HOME, MAIL, SHELL, LOGNAME, USER, USERNAME and SUDO_* variables. Any variables in the caller's environment that match @@ -697,25 +688,25 @@ SSUUDDOOEERRSS OOPPTTIIOONNSS the PATH environment variable. This flag is _o_n by default. - fast_glob Normally, ssuuddoo uses the _g_l_o_b(3) function to do shell- + fast_glob Normally, ssuuddoo uses the glob(3) function to do shell- style globbing when matching path names. However, - since it accesses the file system, _g_l_o_b(3) can take a + since it accesses the file system, glob(3) can take a long time to complete for some patterns, especially when the pattern references a network file system that is mounted on demand (automounted). The _f_a_s_t___g_l_o_b - option causes ssuuddoo to use the _f_n_m_a_t_c_h(3) function, + option causes ssuuddoo to use the fnmatch(3) function, which does not access the file system to do its matching. The disadvantage of _f_a_s_t___g_l_o_b is that it is unable to match relative path names such as _._/_l_s or _._._/_b_i_n_/_l_s. This has security implications when path names that include globbing characters are used with - the negation operator, '!', as such rules can be + the negation operator, `!', as such rules can be trivially bypassed. As such, this option should not be used when _s_u_d_o_e_r_s contains rules that contain negated path names which include globbing characters. This flag is _o_f_f by default. - fqdn Set this flag if you want to put fully qualified host + fqdn Set this flag if you want to put fully qualified host names in the _s_u_d_o_e_r_s file. In other words, instead of myhost you would use myhost.mydomain.edu. You may still use the short form if you wish (and even mix the @@ -731,30 +722,31 @@ SSUUDDOOEERRSS OOPPTTIIOONNSS qualified you shouldn't need to set _f_q_d_n. This flag is _o_f_f by default. - ignore_dot If set, ssuuddoo will ignore "." or "" (current dir) in the - PATH environment variable; the PATH itself is not - modified. This flag is _o_f_f by default. + ignore_dot If set, ssuuddoo will ignore "." or "" (both denoting + current directory) in the PATH environment variable; + the PATH itself is not modified. This flag is _o_f_f by + default. - ignore_local_sudoers + ignore_local_sudoers If set via LDAP, parsing of _/_e_t_c_/_s_u_d_o_e_r_s will be skipped. This is intended for Enterprises that wish to prevent the usage of local sudoers files so that only LDAP is used. This thwarts the efforts of rogue operators who would attempt to add roles to _/_e_t_c_/_s_u_d_o_e_r_s. When this option is present, - _/_e_t_c_/_s_u_d_o_e_r_s does not even need to exist. Since this + _/_e_t_c_/_s_u_d_o_e_r_s does not even need to exist. Since this option tells ssuuddoo how to behave when no specific LDAP entries have been matched, this sudoOption is only meaningful for the cn=defaults section. This flag is _o_f_f by default. - insults If set, ssuuddoo will insult users when they enter an + insults If set, ssuuddoo will insult users when they enter an incorrect password. This flag is _o_f_f by default. - log_host If set, the host name will be logged in the (non- + log_host If set, the host name will be logged in the (non- syslog) ssuuddoo log file. This flag is _o_f_f by default. - log_input If set, ssuuddoo will run the command in a _p_s_e_u_d_o _t_t_y and + log_input If set, ssuuddoo will run the command in a _p_s_e_u_d_o _t_t_y and log all user input. If the standard input is not connected to the user's tty, due to I/O redirection or because the command is part of a pipeline, that input @@ -763,8 +755,9 @@ SSUUDDOOEERRSS OOPPTTIIOONNSS Input is logged to the directory specified by the _i_o_l_o_g___d_i_r option (_/_v_a_r_/_l_o_g_/_s_u_d_o_-_i_o by default) using a unique session ID that is included in the normal ssuuddoo - log line, prefixed with "TSID=". The _i_o_l_o_g___f_i_l_e option - may be used to control the format of the session ID. + log line, prefixed with ``TSID=''. The _i_o_l_o_g___f_i_l_e + option may be used to control the format of the session + ID. Note that user input may contain sensitive information such as passwords (even if they are not echoed to the @@ -772,9 +765,9 @@ SSUUDDOOEERRSS OOPPTTIIOONNSS unencrypted. In most cases, logging the command output via _l_o_g___o_u_t_p_u_t is all that is required. - log_output If set, ssuuddoo will run the command in a _p_s_e_u_d_o _t_t_y and + log_output If set, ssuuddoo will run the command in a _p_s_e_u_d_o _t_t_y and log all output that is sent to the screen, similar to - the _s_c_r_i_p_t(1) command. If the standard output or + the script(1) command. If the standard output or standard error is not connected to the user's tty, due to I/O redirection or because the command is part of a pipeline, that output is also captured and stored in @@ -783,55 +776,56 @@ SSUUDDOOEERRSS OOPPTTIIOONNSS Output is logged to the directory specified by the _i_o_l_o_g___d_i_r option (_/_v_a_r_/_l_o_g_/_s_u_d_o_-_i_o by default) using a unique session ID that is included in the normal ssuuddoo - log line, prefixed with "TSID=". The _i_o_l_o_g___f_i_l_e option - may be used to control the format of the session ID. + log line, prefixed with ``TSID=''. The _i_o_l_o_g___f_i_l_e + option may be used to control the format of the session + ID. - Output logs may be viewed with the _s_u_d_o_r_e_p_l_a_y(1m) + Output logs may be viewed with the sudoreplay(1m) utility, which can also be used to list or search the available logs. - log_year If set, the four-digit year will be logged in the (non- + log_year If set, the four-digit year will be logged in the (non- syslog) ssuuddoo log file. This flag is _o_f_f by default. - long_otp_prompt When validating with a One Time Password (OTP) scheme + long_otp_prompt When validating with a One Time Password (OTP) scheme such as SS//KKeeyy or OOPPIIEE, a two-line prompt is used to make it easier to cut and paste the challenge to a local window. It's not as pretty as the default but some people find it more convenient. This flag is _o_f_f by default. - mail_always Send mail to the _m_a_i_l_t_o user every time a users runs + mail_always Send mail to the _m_a_i_l_t_o user every time a users runs ssuuddoo. This flag is _o_f_f by default. - mail_badpass Send mail to the _m_a_i_l_t_o user if the user running ssuuddoo + mail_badpass Send mail to the _m_a_i_l_t_o user if the user running ssuuddoo does not enter the correct password. If the command the user is attempting to run is not permitted by _s_u_d_o_e_r_s and one of the _m_a_i_l___a_l_w_a_y_s, _m_a_i_l___n_o___h_o_s_t, _m_a_i_l___n_o___p_e_r_m_s or _m_a_i_l___n_o___u_s_e_r flags are set, this flag will have no effect. This flag is _o_f_f by default. - mail_no_host If set, mail will be sent to the _m_a_i_l_t_o user if the + mail_no_host If set, mail will be sent to the _m_a_i_l_t_o user if the invoking user exists in the _s_u_d_o_e_r_s file, but is not allowed to run commands on the current host. This flag is _o_f_f by default. - mail_no_perms If set, mail will be sent to the _m_a_i_l_t_o user if the + mail_no_perms If set, mail will be sent to the _m_a_i_l_t_o user if the invoking user is allowed to use ssuuddoo but the command they are trying is not listed in their _s_u_d_o_e_r_s file entry or is explicitly denied. This flag is _o_f_f by default. - mail_no_user If set, mail will be sent to the _m_a_i_l_t_o user if the + mail_no_user If set, mail will be sent to the _m_a_i_l_t_o user if the invoking user is not in the _s_u_d_o_e_r_s file. This flag is _o_n by default. - noexec If set, all commands run via ssuuddoo will behave as if the + noexec If set, all commands run via ssuuddoo will behave as if the NOEXEC tag has been set, unless overridden by a EXEC tag. See the description of _N_O_E_X_E_C _a_n_d _E_X_E_C below as - well as the "Preventing Shell Escapes" section at the - end of this manual. This flag is _o_f_f by default. + well as the _P_r_e_v_e_n_t_i_n_g _S_h_e_l_l _E_s_c_a_p_e_s section at the end + of this manual. This flag is _o_f_f by default. - path_info Normally, ssuuddoo will tell the user when a command could + path_info Normally, ssuuddoo will tell the user when a command could not be found in their PATH environment variable. Some sites may wish to disable this as it could be used to gather information on the location of executables that @@ -841,21 +835,22 @@ SSUUDDOOEERRSS OOPPTTIIOONNSS not allowed to run it, which can be confusing. This flag is _o_n by default. - passprompt_override + passprompt_override The password prompt specified by _p_a_s_s_p_r_o_m_p_t will normally only be used if the password prompt provided - by systems such as PAM matches the string "Password:". - If _p_a_s_s_p_r_o_m_p_t___o_v_e_r_r_i_d_e is set, _p_a_s_s_p_r_o_m_p_t will always - be used. This flag is _o_f_f by default. + by systems such as PAM matches the string + ``Password:''. If _p_a_s_s_p_r_o_m_p_t___o_v_e_r_r_i_d_e is set, + _p_a_s_s_p_r_o_m_p_t will always be used. This flag is _o_f_f by + default. - preserve_groups By default, ssuuddoo will initialize the group vector to + preserve_groups By default, ssuuddoo will initialize the group vector to the list of groups the target user is in. When _p_r_e_s_e_r_v_e___g_r_o_u_p_s is set, the user's existing group vector is left unaltered. The real and effective group IDs, however, are still set to match the target user. This flag is _o_f_f by default. - pwfeedback By default, ssuuddoo reads the password like most other + pwfeedback By default, ssuuddoo reads the password like most other Unix programs, by turning off echo until the user hits the return (or enter) key. Some users become confused by this as it appears to them that ssuuddoo has hung at @@ -865,31 +860,31 @@ SSUUDDOOEERRSS OOPPTTIIOONNSS able to determine the length of the password being entered. This flag is _o_f_f by default. - requiretty If set, ssuuddoo will only run when the user is logged in + requiretty If set, ssuuddoo will only run when the user is logged in to a real tty. When this flag is set, ssuuddoo can only be run from a login session and not via other means such - as _c_r_o_n(1m) or cgi-bin scripts. This flag is _o_f_f by + as cron(1m) or cgi-bin scripts. This flag is _o_f_f by default. - root_sudo If set, root is allowed to run ssuuddoo too. Disabling - this prevents users from "chaining" ssuuddoo commands to - get a root shell by doing something like "sudo sudo - /bin/sh". Note, however, that turning off _r_o_o_t___s_u_d_o + root_sudo If set, root is allowed to run ssuuddoo too. Disabling + this prevents users from ``chaining'' ssuuddoo commands to + get a root shell by doing something like ``sudo sudo + /bin/sh''. Note, however, that turning off _r_o_o_t___s_u_d_o will also prevent root from running ssuuddooeeddiitt. Disabling _r_o_o_t___s_u_d_o provides no real additional security; it exists purely for historical reasons. This flag is _o_n by default. - rootpw If set, ssuuddoo will prompt for the root password instead + rootpw If set, ssuuddoo will prompt for the root password instead of the password of the invoking user. This flag is _o_f_f by default. - runaspw If set, ssuuddoo will prompt for the password of the user + runaspw If set, ssuuddoo will prompt for the password of the user defined by the _r_u_n_a_s___d_e_f_a_u_l_t option (defaults to root) instead of the password of the invoking user. This flag is _o_f_f by default. - set_home If enabled and ssuuddoo is invoked with the --ss option the + set_home If enabled and ssuuddoo is invoked with the --ss option the HOME environment variable will be set to the home directory of the target user (which is root unless the --uu option is used). This effectively makes the --ss @@ -899,7 +894,7 @@ SSUUDDOOEERRSS OOPPTTIIOONNSS _e_n_v___r_e_s_e_t is disabled or HOME is present in the _e_n_v___k_e_e_p list. This flag is _o_f_f by default. - set_logname Normally, ssuuddoo will set the LOGNAME, USER and USERNAME + set_logname Normally, ssuuddoo will set the LOGNAME, USER and USERNAME environment variables to the name of the target user (usually root unless the --uu option is given). However, since some programs (including the RCS revision control @@ -910,7 +905,7 @@ SSUUDDOOEERRSS OOPPTTIIOONNSS disabled, entries in the _e_n_v___k_e_e_p list will override the value of _s_e_t___l_o_g_n_a_m_e. This flag is _o_n by default. - set_utmp When enabled, ssuuddoo will create an entry in the utmp (or + set_utmp When enabled, ssuuddoo will create an entry in the utmp (or utmpx) file when a pseudo-tty is allocated. A pseudo- tty is allocated by ssuuddoo when the _l_o_g___i_n_p_u_t, _l_o_g___o_u_t_p_u_t or _u_s_e___p_t_y flags are enabled. By default, the new @@ -918,7 +913,7 @@ SSUUDDOOEERRSS OOPPTTIIOONNSS (if any), with the tty, time, type and pid fields updated. This flag is _o_n by default. - setenv Allow the user to disable the _e_n_v___r_e_s_e_t option from the + setenv Allow the user to disable the _e_n_v___r_e_s_e_t option from the command line via the --EE option. Additionally, environment variables set via the command line are not subject to the restrictions imposed by _e_n_v___c_h_e_c_k, @@ -926,14 +921,14 @@ SSUUDDOOEERRSS OOPPTTIIOONNSS should be allowed to set variables in this manner. This flag is _o_f_f by default. - shell_noargs If set and ssuuddoo is invoked with no arguments it acts as + shell_noargs If set and ssuuddoo is invoked with no arguments it acts as if the --ss option had been given. That is, it runs a shell as root (the shell is determined by the SHELL environment variable if it is set, falling back on the shell listed in the invoking user's /etc/passwd entry if not). This flag is _o_f_f by default. - stay_setuid Normally, when ssuuddoo executes a command the real and + stay_setuid Normally, when ssuuddoo executes a command the real and effective UIDs are set to the target user (root by default). This option changes that behavior such that the real UID is left as the invoking user's UID. In @@ -941,10 +936,10 @@ SSUUDDOOEERRSS OOPPTTIIOONNSS This can be useful on systems that disable some potentially dangerous functionality when a program is run setuid. This option is only effective on systems - with either the _s_e_t_r_e_u_i_d_(_) or _s_e_t_r_e_s_u_i_d_(_) function. - This flag is _o_f_f by default. + that support either the setreuid(2) or setresuid(2) + system call. This flag is _o_f_f by default. - targetpw If set, ssuuddoo will prompt for the password of the user + targetpw If set, ssuuddoo will prompt for the password of the user specified by the --uu option (defaults to root) instead of the password of the invoking user. In addition, the timestamp file name will include the target user's @@ -952,13 +947,13 @@ SSUUDDOOEERRSS OOPPTTIIOONNSS not listed in the passwd database as an argument to the --uu option. This flag is _o_f_f by default. - tty_tickets If set, users must authenticate on a per-tty basis. + tty_tickets If set, users must authenticate on a per-tty basis. With this flag enabled, ssuuddoo will use a file named for the tty the user is logged in on in the user's time stamp directory. If disabled, the time stamp of the directory is used instead. This flag is _o_n by default. - umask_override If set, ssuuddoo will set the umask as specified by _s_u_d_o_e_r_s + umask_override If set, ssuuddoo will set the umask as specified by _s_u_d_o_e_r_s without modification. This makes it possible to specify a more permissive umask in _s_u_d_o_e_r_s than the user's own umask and matches historical behavior. If @@ -966,12 +961,12 @@ SSUUDDOOEERRSS OOPPTTIIOONNSS be the union of the user's umask and what is specified in _s_u_d_o_e_r_s. This flag is _o_f_f by default. - use_loginclass If set, ssuuddoo will apply the defaults specified for the + use_loginclass If set, ssuuddoo will apply the defaults specified for the target user's login class if one exists. Only available if ssuuddoo is configured with the --with-logincap option. This flag is _o_f_f by default. - use_pty If set, ssuuddoo will run the command in a pseudo-pty even + use_pty If set, ssuuddoo will run the command in a pseudo-pty even if no I/O logging is being gone. A malicious program run under ssuuddoo could conceivably fork a background process that retains to the user's terminal device @@ -979,47 +974,47 @@ SSUUDDOOEERRSS OOPPTTIIOONNSS this option will make that impossible. This flag is _o_f_f by default. - utmp_runas If set, ssuuddoo will store the name of the runas user when + utmp_runas If set, ssuuddoo will store the name of the runas user when updating the utmp (or utmpx) file. By default, ssuuddoo stores the name of the invoking user. This flag is _o_f_f by default. - visiblepw By default, ssuuddoo will refuse to run if the user must + visiblepw By default, ssuuddoo will refuse to run if the user must enter a password but it is not possible to disable echo on the terminal. If the _v_i_s_i_b_l_e_p_w flag is set, ssuuddoo will prompt for a password even when it would be visible on the screen. This makes it possible to run - things like "ssh somehost sudo ls" since by default, - _s_s_h(1) does not allocate a tty when running a command. + things like ``ssh somehost sudo ls'' since by default, + ssh(1) does not allocate a tty when running a command. This flag is _o_f_f by default. - IInntteeggeerrss: + IInntteeggeerrss: - closefrom Before it executes a command, ssuuddoo will close all open + closefrom Before it executes a command, ssuuddoo will close all open file descriptors other than standard input, standard output and standard error (ie: file descriptors 0-2). The _c_l_o_s_e_f_r_o_m option can be used to specify a different file descriptor at which to start closing. The default is 3. - passwd_tries The number of tries a user gets to enter his/her + passwd_tries The number of tries a user gets to enter his/her password before ssuuddoo logs the failure and exits. The default is 3. - IInntteeggeerrss tthhaatt ccaann bbee uusseedd iinn aa bboooolleeaann ccoonntteexxtt: + IInntteeggeerrss tthhaatt ccaann bbee uusseedd iinn aa bboooolleeaann ccoonntteexxtt: - loglinelen Number of characters per line for the file log. This + loglinelen Number of characters per line for the file log. This value is used to decide when to wrap lines for nicer log files. This has no effect on the syslog log file, only the file log. The default is 80 (use 0 or negate the option to disable word wrap). - passwd_timeout Number of minutes before the ssuuddoo password prompt times + passwd_timeout Number of minutes before the ssuuddoo password prompt times out, or 0 for no timeout. The timeout may include a fractional component if minute granularity is insufficient, for example 2.5. The default is 5. - timestamp_timeout + timestamp_timeout Number of minutes that can elapse before ssuuddoo will ask for a passwd again. The timeout may include a fractional component if minute granularity is @@ -1027,82 +1022,83 @@ SSUUDDOOEERRSS OOPPTTIIOONNSS this to 0 to always prompt for a password. If set to a value less than 0 the user's timestamp will never expire. This can be used to allow users to create or - delete their own timestamps via sudo -v and sudo -k - respectively. + delete their own timestamps via ``sudo -v'' and ``sudo + -k'' respectively. - umask Umask to use when running the command. Negate this + umask Umask to use when running the command. Negate this option or set it to 0777 to preserve the user's umask. The actual umask that is used will be the union of the user's umask and the value of the _u_m_a_s_k option, which defaults to 0022. This guarantees that ssuuddoo never - lowers the umask when running a command. Note on + lowers the umask when running a command. Note: on systems that use PAM, the default PAM configuration may specify its own umask which will override the value set in _s_u_d_o_e_r_s. - SSttrriinnggss: + SSttrriinnggss: - badpass_message Message that is displayed if a user enters an incorrect + badpass_message Message that is displayed if a user enters an incorrect password. The default is Sorry, try again. unless insults are enabled. - editor A colon (':') separated list of editors allowed to be + editor A colon (`:') separated list of editors allowed to be used with vviissuuddoo. vviissuuddoo will choose the editor that matches the user's EDITOR environment variable if possible, or the first editor in the list that exists - and is executable. The default is "vi". + and is executable. The default is _v_i. - iolog_dir The top-level directory to use when constructing the + iolog_dir The top-level directory to use when constructing the path name for the input/output log directory. Only used if the _l_o_g___i_n_p_u_t or _l_o_g___o_u_t_p_u_t options are enabled or when the LOG_INPUT or LOG_OUTPUT tags are present for a command. The session sequence number, if any, is stored in the directory. The default is - "/var/log/sudo-io". + _/_v_a_r_/_l_o_g_/_s_u_d_o_-_i_o. The following percent (`%') escape sequences are supported: %{seq} - expanded to a monotonically increasing base-36 - sequence number, such as 0100A5, where every two - digits are used to form a new directory, e.g. - _0_1_/_0_0_/_A_5 + expanded to a monotonically increasing base-36 + sequence number, such as 0100A5, where every two + digits are used to form a new directory, e.g. + _0_1_/_0_0_/_A_5 %{user} - expanded to the invoking user's login name + expanded to the invoking user's login name %{group} - expanded to the name of the invoking user's real - group ID + expanded to the name of the invoking user's real + group ID %{runas_user} - expanded to the login name of the user the command - will be run as (e.g. root) + expanded to the login name of the user the + command will be run as (e.g. root) %{runas_group} - expanded to the group name of the user the command - will be run as (e.g. wheel) + expanded to the group name of the user the + command will be run as (e.g. wheel) %{hostname} - expanded to the local host name without the domain - name + expanded to the local host name without the + domain name %{command} - expanded to the base name of the command being run + expanded to the base name of the command being + run In addition, any escape sequences supported by the - system's _s_t_r_f_t_i_m_e_(_) function will be expanded. + system's strftime(3) function will be expanded. To include a literal `%' character, the string `%%' should be used. - iolog_file The path name, relative to _i_o_l_o_g___d_i_r, in which to store + iolog_file The path name, relative to _i_o_l_o_g___d_i_r, in which to store input/output logs when the _l_o_g___i_n_p_u_t or _l_o_g___o_u_t_p_u_t options are enabled or when the LOG_INPUT or LOG_OUTPUT tags are present for a command. Note that _i_o_l_o_g___f_i_l_e may contain directory components. The default is - "%{seq}". + ``%{seq}''. See the _i_o_l_o_g___d_i_r option above for a list of supported percent (`%') escape sequences. @@ -1110,98 +1106,97 @@ SSUUDDOOEERRSS OOPPTTIIOONNSS In addition to the escape sequences, path names that end in six or more Xs will have the Xs replaced with a unique combination of digits and letters, similar to - the _m_k_t_e_m_p_(_) function. + the mktemp(3) function. - mailsub Subject of the mail sent to the _m_a_i_l_t_o user. The escape - %h will expand to the host name of the machine. - Default is *** SECURITY information for %h ***. + mailsub Subject of the mail sent to the _m_a_i_l_t_o user. The + escape %h will expand to the host name of the machine. + Default is ``*** SECURITY information for %h ***''. - noexec_file This option is no longer supported. The path to the + noexec_file This option is no longer supported. The path to the noexec file should now be set in the _/_e_t_c_/_s_u_d_o_._c_o_n_f file. - passprompt The default prompt to use when asking for a password; + passprompt The default prompt to use when asking for a password; can be overridden via the --pp option or the SUDO_PROMPT environment variable. The following percent (`%') escape sequences are supported: - %H expanded to the local host name including the - domain name (only if the machine's host name is - fully qualified or the _f_q_d_n option is set) + %H expanded to the local host name including the + domain name (only if the machine's host name is + fully qualified or the _f_q_d_n option is set) - %h expanded to the local host name without the domain - name + %h expanded to the local host name without the + domain name - %p expanded to the user whose password is being asked - for (respects the _r_o_o_t_p_w, _t_a_r_g_e_t_p_w and _r_u_n_a_s_p_w - flags in _s_u_d_o_e_r_s) + %p expanded to the user whose password is being + asked for (respects the _r_o_o_t_p_w, _t_a_r_g_e_t_p_w and + _r_u_n_a_s_p_w flags in _s_u_d_o_e_r_s) - %U expanded to the login name of the user the command - will be run as (defaults to root) + %U expanded to the login name of the user the + command will be run as (defaults to root) - %u expanded to the invoking user's login name + %u expanded to the invoking user's login name - %% two consecutive % characters are collapsed into a - single % character + %% two consecutive % characters are collapsed into a + single % character - The default value is Password:. + The default value is ``Password:''. - role The default SELinux role to use when constructing a new + role The default SELinux role to use when constructing a new security context to run the command. The default role may be overridden on a per-command basis in _s_u_d_o_e_r_s or via command line options. This option is only available whe ssuuddoo is built with SELinux support. - runas_default The default user to run commands as if the --uu option is + runas_default The default user to run commands as if the --uu option is not specified on the command line. This defaults to root. - syslog_badpri Syslog priority to use when user authenticates + syslog_badpri Syslog priority to use when user authenticates unsuccessfully. Defaults to alert. The following syslog priorities are supported: aalleerrtt, ccrriitt, ddeebbuugg, eemmeerrgg, eerrrr, iinnffoo, nnoottiiccee, and wwaarrnniinngg. - syslog_goodpri Syslog priority to use when user authenticates + syslog_goodpri Syslog priority to use when user authenticates successfully. Defaults to notice. - See syslog_badpri for the list of supported syslog + See _s_y_s_l_o_g___b_a_d_p_r_i for the list of supported syslog priorities. - sudoers_locale Locale to use when parsing the sudoers file, logging + sudoers_locale Locale to use when parsing the sudoers file, logging commands, and sending email. Note that changing the locale may affect how sudoers is interpreted. Defaults - to "C". + to ``C''. - timestampdir The directory in which ssuuddoo stores its timestamp files. + timestampdir The directory in which ssuuddoo stores its timestamp files. The default is _/_v_a_r_/_a_d_m_/_s_u_d_o. - timestampowner The owner of the timestamp directory and the timestamps + timestampowner The owner of the timestamp directory and the timestamps stored therein. The default is root. - type The default SELinux type to use when constructing a new + type The default SELinux type to use when constructing a new security context to run the command. The default type may be overridden on a per-command basis in _s_u_d_o_e_r_s or via command line options. This option is only available whe ssuuddoo is built with SELinux support. - SSttrriinnggss tthhaatt ccaann bbee uusseedd iinn aa bboooolleeaann ccoonntteexxtt: + SSttrriinnggss tthhaatt ccaann bbee uusseedd iinn aa bboooolleeaann ccoonntteexxtt: - env_file The _e_n_v___f_i_l_e option specifies the fully qualified path to a + env_file The _e_n_v___f_i_l_e option specifies the fully qualified path to a file containing variables to be set in the environment of the program being run. Entries in this file should either - be of the form VARIABLE=value or export VARIABLE=value. - The value may optionally be surrounded by single or double - quotes. Variables in this file are subject to other ssuuddoo - environment settings such as _e_n_v___k_e_e_p and _e_n_v___c_h_e_c_k. + be of the form ``VARIABLE=value'' or ``export + VARIABLE=value''. The value may optionally be surrounded + by single or double quotes. Variables in this file are + subject to other ssuuddoo environment settings such as _e_n_v___k_e_e_p + and _e_n_v___c_h_e_c_k. - exempt_group - Users in this group are exempt from password and PATH + exempt_group Users in this group are exempt from password and PATH requirements. The group name specified should not include a % prefix. This is not set by default. - group_plugin - A string containing a _s_u_d_o_e_r_s group plugin with optional + group_plugin A string containing a _s_u_d_o_e_r_s group plugin with optional arguments. This can be used to implement support for the nonunix_group syntax described earlier. The string should consist of the plugin path, either fully-qualified or @@ -1209,16 +1204,16 @@ SSUUDDOOEERRSS OOPPTTIIOONNSS any configuration arguments the plugin requires. These arguments (if any) will be passed to the plugin's initialization function. If arguments are present, the - string must be enclosed in double quotes ("). + string must be enclosed in double quotes (""). For example, given _/_e_t_c_/_s_u_d_o_-_g_r_o_u_p, a group file in Unix group format, the sample group plugin can be used: - Defaults group_plugin="sample_group.so /etc/sudo-group" + Defaults group_plugin="sample_group.so /etc/sudo-group" - For more information see _s_u_d_o___p_l_u_g_i_n(4). + For more information see sudo_plugin(4). - lecture This option controls when a short lecture will be printed + lecture This option controls when a short lecture will be printed along with the password prompt. It has the following possible values: @@ -1232,67 +1227,66 @@ SSUUDDOOEERRSS OOPPTTIIOONNSS Negating the option results in a value of _n_e_v_e_r being used. The default value is _o_n_c_e. - lecture_file - Path to a file containing an alternate ssuuddoo lecture that + lecture_file Path to a file containing an alternate ssuuddoo lecture that will be used in place of the standard lecture if the named file exists. By default, ssuuddoo uses a built-in lecture. - listpw This option controls when a password will be required when + listpw This option controls when a password will be required when a user runs ssuuddoo with the --ll option. It has the following possible values: - all All the user's _s_u_d_o_e_r_s entries for the current host - must have the NOPASSWD flag set to avoid entering a - password. + all All the user's _s_u_d_o_e_r_s entries for the current + host must have the NOPASSWD flag set to avoid + entering a password. - always The user must always enter a password to use the --ll - option. + always The user must always enter a password to use the + --ll option. - any At least one of the user's _s_u_d_o_e_r_s entries for the - current host must have the NOPASSWD flag set to - avoid entering a password. + any At least one of the user's _s_u_d_o_e_r_s entries for + the current host must have the NOPASSWD flag set + to avoid entering a password. - never The user need never enter a password to use the --ll - option. + never The user need never enter a password to use the + --ll option. If no value is specified, a value of _a_n_y is implied. Negating the option results in a value of _n_e_v_e_r being used. The default value is _a_n_y. - logfile Path to the ssuuddoo log file (not the syslog log file). + logfile Path to the ssuuddoo log file (not the syslog log file). Setting a path turns on logging to a file; negating this option turns it off. By default, ssuuddoo logs via syslog. - mailerflags Flags to use when invoking mailer. Defaults to --tt. + mailerflags Flags to use when invoking mailer. Defaults to --tt. - mailerpath Path to mail program used to send warning mail. Defaults + mailerpath Path to mail program used to send warning mail. Defaults to the path to sendmail found at configure time. - mailfrom Address to use for the "from" address when sending warning - and error mail. The address should be enclosed in double - quotes (") to protect against ssuuddoo interpreting the @ sign. - Defaults to the name of the user running ssuuddoo. + mailfrom Address to use for the ``from'' address when sending + warning and error mail. The address should be enclosed in + double quotes ("") to protect against ssuuddoo interpreting the + @ sign. Defaults to the name of the user running ssuuddoo. - mailto Address to send warning and error mail to. The address - should be enclosed in double quotes (") to protect against + mailto Address to send warning and error mail to. The address + should be enclosed in double quotes ("") to protect against ssuuddoo interpreting the @ sign. Defaults to root. - secure_path Path used for every command run from ssuuddoo. If you don't + secure_path Path used for every command run from ssuuddoo. If you don't trust the people running ssuuddoo to have a sane PATH environment variable you may want to use this. Another use - is if you want to have the "root path" be separate from the - "user path." Users in the group specified by the + is if you want to have the ``root path'' be separate from + the ``user path''. Users in the group specified by the _e_x_e_m_p_t___g_r_o_u_p option are not affected by _s_e_c_u_r_e___p_a_t_h. This option is not set by default. - syslog Syslog facility if syslog is being used for logging (negate + syslog Syslog facility if syslog is being used for logging (negate to disable syslog logging). Defaults to auth. The following syslog facilities are supported: aauutthhpprriivv (if your OS supports it), aauutthh, ddaaeemmoonn, uusseerr, llooccaall00, llooccaall11, llooccaall22, llooccaall33, llooccaall44, llooccaall55, llooccaall66, and llooccaall77. - verifypw This option controls when a password will be required when + verifypw This option controls when a password will be required when a user runs ssuuddoo with the --vv option. It has the following possible values: @@ -1314,10 +1308,10 @@ SSUUDDOOEERRSS OOPPTTIIOONNSS Negating the option results in a value of _n_e_v_e_r being used. The default value is _a_l_l. - LLiissttss tthhaatt ccaann bbee uusseedd iinn aa bboooolleeaann ccoonntteexxtt: + LLiissttss tthhaatt ccaann bbee uusseedd iinn aa bboooolleeaann ccoonntteexxtt: - env_check Environment variables to be removed from the user's - environment if the variable's value contains % or / + env_check Environment variables to be removed from the user's + environment if the variable's value contains `%' or `/' characters. This can be used to guard against printf- style format vulnerabilities in poorly-written programs. The argument may be a double-quoted, space- @@ -1331,7 +1325,7 @@ SSUUDDOOEERRSS OOPPTTIIOONNSS environment variables to check is displayed when ssuuddoo is run by root with the --VV option. - env_delete Environment variables to be removed from the user's + env_delete Environment variables to be removed from the user's environment when the _e_n_v___r_e_s_e_t option is not in effect. The argument may be a double-quoted, space-separated list or a single value without double-quotes. The list @@ -1343,7 +1337,7 @@ SSUUDDOOEERRSS OOPPTTIIOONNSS potentially dangerous variables from the environment of any setuid process (such as ssuuddoo). - env_keep Environment variables to be preserved in the user's + env_keep Environment variables to be preserved in the user's environment when the _e_n_v___r_e_s_e_t option is in effect. This allows fine-grained control over the environment ssuuddoo-spawned processes will receive. The argument may @@ -1355,469 +1349,466 @@ SSUUDDOOEERRSS OOPPTTIIOONNSS with the --VV option. SSUUDDOO..CCOONNFF - The _/_e_t_c_/_s_u_d_o_._c_o_n_f file determines which plugins the ssuuddoo front end - will load. If no _/_e_t_c_/_s_u_d_o_._c_o_n_f file is present, or it contains no - Plugin lines, ssuuddoo will use the _s_u_d_o_e_r_s security policy and I/O - logging, which corresponds to the following _/_e_t_c_/_s_u_d_o_._c_o_n_f file. + The _/_e_t_c_/_s_u_d_o_._c_o_n_f file determines which plugins the ssuuddoo front end will + load. If no _/_e_t_c_/_s_u_d_o_._c_o_n_f file is present, or it contains no Plugin + lines, ssuuddoo will use the _s_u_d_o_e_r_s security policy and I/O logging, which + corresponds to the following _/_e_t_c_/_s_u_d_o_._c_o_n_f file. - # - # Default /etc/sudo.conf file - # - # Format: - # Plugin plugin_name plugin_path plugin_options ... - # Path askpass /path/to/askpass - # Path noexec /path/to/sudo_noexec.so - # Debug sudo /var/log/sudo_debug all@warn - # Set disable_coredump true - # - # The plugin_path is relative to /usr/local/libexec unless - # fully qualified. - # The plugin_name corresponds to a global symbol in the plugin - # that contains the plugin interface structure. - # The plugin_options are optional. - # - Plugin policy_plugin sudoers.so - Plugin io_plugin sudoers.so + # + # Default /etc/sudo.conf file + # + # Format: + # Plugin plugin_name plugin_path plugin_options ... + # Path askpass /path/to/askpass + # Path noexec /path/to/sudo_noexec.so + # Debug sudo /var/log/sudo_debug all@warn + # Set disable_coredump true + # + # The plugin_path is relative to /usr/local/libexec unless + # fully qualified. + # The plugin_name corresponds to a global symbol in the plugin + # that contains the plugin interface structure. + # The plugin_options are optional. + # + Plugin policy_plugin sudoers.so + Plugin io_plugin sudoers.so PPLLUUGGIINN OOPPTTIIOONNSS - Starting with ssuuddoo 1.8.5 it is possible to pass options to the _s_u_d_o_e_r_s - plugin. Options may be listed after the path to the plugin (i.e. after - _s_u_d_o_e_r_s_._s_o); multiple options should be space-separated. For example: + Starting with ssuuddoo 1.8.5, it is possible to pass options to the _s_u_d_o_e_r_s + plugin. Options may be listed after the path to the plugin (i.e. after + _s_u_d_o_e_r_s_._s_o); multiple options should be space-separated. For example: - Plugin sudoers_policy sudoers.so sudoers_file=/etc/sudoers sudoers_uid=0 sudoers_gid=0 sudoers_mode=0440 + Plugin sudoers_policy sudoers.so sudoers_file=/etc/sudoers sudoers_uid=0 sudoers_gid=0 sudoers_mode=0440 - The following plugin options are supported: + The following plugin options are supported: - sudoers_file=pathname - The _s_u_d_o_e_r_s___f_i_l_e option can be used to override the default - path to the _s_u_d_o_e_r_s file. + sudoers_file=pathname + The _s_u_d_o_e_r_s___f_i_l_e option can be used to override the default + path to the _s_u_d_o_e_r_s file. - sudoers_uid=uid - The _s_u_d_o_e_r_s___u_i_d option can be used to override the default - owner of the sudoers file. It should be specified as a - numeric user ID. + sudoers_uid=uid + The _s_u_d_o_e_r_s___u_i_d option can be used to override the default + owner of the sudoers file. It should be specified as a numeric + user ID. - sudoers_gid=gid - The _s_u_d_o_e_r_s___g_i_d option can be used to override the default - group of the sudoers file. It should be specified as a - numeric group ID. + sudoers_gid=gid + The _s_u_d_o_e_r_s___g_i_d option can be used to override the default + group of the sudoers file. It should be specified as a numeric + group ID. - sudoers_mode=mode - The _s_u_d_o_e_r_s___m_o_d_e option can be used to override the default - file mode for the sudoers file. It should be specified as an - octal value. + sudoers_mode=mode + The _s_u_d_o_e_r_s___m_o_d_e option can be used to override the default + file mode for the sudoers file. It should be specified as an + octal value. DDEEBBUUGG FFLLAAGGSS - Versions 1.8.4 and higher of the _s_u_d_o_e_r_s plugin supports a debugging - framework that can help track down what the plugin is doing internally - if there is a problem. This can be configured in the _/_e_t_c_/_s_u_d_o_._c_o_n_f - file as described in _s_u_d_o(1m). + Versions 1.8.4 and higher of the _s_u_d_o_e_r_s plugin supports a debugging + framework that can help track down what the plugin is doing internally if + there is a problem. This can be configured in the _/_e_t_c_/_s_u_d_o_._c_o_n_f file as + described in sudo(1m). - The _s_u_d_o_e_r_s plugin uses the same debug flag format as ssuuddoo itself: - _s_u_b_s_y_s_t_e_m@_p_r_i_o_r_i_t_y. + The _s_u_d_o_e_r_s plugin uses the same debug flag format as the ssuuddoo front-end: + _s_u_b_s_y_s_t_e_m@_p_r_i_o_r_i_t_y. - The priorities used by _s_u_d_o_e_r_s, in order of decreasing severity, are: - _c_r_i_t, _e_r_r, _w_a_r_n, _n_o_t_i_c_e, _d_i_a_g, _i_n_f_o, _t_r_a_c_e and _d_e_b_u_g. Each priority, - when specified, also includes all priorities higher than it. For - example, a priority of _n_o_t_i_c_e would include debug messages logged at - _n_o_t_i_c_e and higher. + The priorities used by _s_u_d_o_e_r_s, in order of decreasing severity, are: + _c_r_i_t, _e_r_r, _w_a_r_n, _n_o_t_i_c_e, _d_i_a_g, _i_n_f_o, _t_r_a_c_e and _d_e_b_u_g. Each priority, + when specified, also includes all priorities higher than it. For + example, a priority of _n_o_t_i_c_e would include debug messages logged at + _n_o_t_i_c_e and higher. - The following subsystems are used by _s_u_d_o_e_r_s: + The following subsystems are used by _s_u_d_o_e_r_s: - _a_l_i_a_s User_Alias, Runas_Alias, Host_Alias and Cmnd_Alias processing + _a_l_i_a_s User_Alias, Runas_Alias, Host_Alias and Cmnd_Alias processing - _a_l_l matches every subsystem + _a_l_l matches every subsystem - _a_u_d_i_t BSM and Linux audit code + _a_u_d_i_t BSM and Linux audit code - _a_u_t_h user authentication + _a_u_t_h user authentication - _d_e_f_a_u_l_t_s _s_u_d_o_e_r_s _D_e_f_a_u_l_t_s settings + _d_e_f_a_u_l_t_s _s_u_d_o_e_r_s _D_e_f_a_u_l_t_s settings - _e_n_v environment handling + _e_n_v environment handling - _l_d_a_p LDAP-based sudoers + _l_d_a_p LDAP-based sudoers - _l_o_g_g_i_n_g logging support + _l_o_g_g_i_n_g logging support - _m_a_t_c_h matching of users, groups, hosts and netgroups in _s_u_d_o_e_r_s + _m_a_t_c_h matching of users, groups, hosts and netgroups in _s_u_d_o_e_r_s - _n_e_t_i_f network interface handling + _n_e_t_i_f network interface handling - _n_s_s network service switch handling in _s_u_d_o_e_r_s + _n_s_s network service switch handling in _s_u_d_o_e_r_s - _p_a_r_s_e_r _s_u_d_o_e_r_s file parsing + _p_a_r_s_e_r _s_u_d_o_e_r_s file parsing - _p_e_r_m_s permission setting + _p_e_r_m_s permission setting - _p_l_u_g_i_n The equivalent of _m_a_i_n for the plugin. + _p_l_u_g_i_n The equivalent of _m_a_i_n for the plugin. - _p_t_y pseudo-tty related code + _p_t_y pseudo-tty related code - _r_b_t_r_e_e redblack tree internals + _r_b_t_r_e_e redblack tree internals - _u_t_i_l utility functions + _u_t_i_l utility functions FFIILLEESS - _/_e_t_c_/_s_u_d_o_._c_o_n_f Sudo front end configuration + _/_e_t_c_/_s_u_d_o_._c_o_n_f Sudo front end configuration - _/_e_t_c_/_s_u_d_o_e_r_s List of who can run what + _/_e_t_c_/_s_u_d_o_e_r_s List of who can run what - _/_e_t_c_/_g_r_o_u_p Local groups file + _/_e_t_c_/_g_r_o_u_p Local groups file - _/_e_t_c_/_n_e_t_g_r_o_u_p List of network groups + _/_e_t_c_/_n_e_t_g_r_o_u_p List of network groups - _/_v_a_r_/_l_o_g_/_s_u_d_o_-_i_o I/O log files + _/_v_a_r_/_l_o_g_/_s_u_d_o_-_i_o I/O log files - _/_v_a_r_/_a_d_m_/_s_u_d_o Directory containing time stamps for the + _/_v_a_r_/_a_d_m_/_s_u_d_o Directory containing time stamps for the _s_u_d_o_e_r_s security policy - _/_e_t_c_/_e_n_v_i_r_o_n_m_e_n_t Initial environment for --ii mode on AIX and + _/_e_t_c_/_e_n_v_i_r_o_n_m_e_n_t Initial environment for --ii mode on AIX and Linux systems EEXXAAMMPPLLEESS - Below are example _s_u_d_o_e_r_s entries. Admittedly, some of these are a bit - contrived. First, we allow a few environment variables to pass and - then define our _a_l_i_a_s_e_s: + Below are example _s_u_d_o_e_r_s entries. Admittedly, some of these are a bit + contrived. First, we allow a few environment variables to pass and then + define our _a_l_i_a_s_e_s: - # Run X applications through sudo; HOME is used to find the - # .Xauthority file. Note that other programs use HOME to find - # configuration files and this may lead to privilege escalation! - Defaults env_keep += "DISPLAY HOME" + # Run X applications through sudo; HOME is used to find the + # .Xauthority file. Note that other programs use HOME to find + # configuration files and this may lead to privilege escalation! + Defaults env_keep += "DISPLAY HOME" - # User alias specification - User_Alias FULLTIMERS = millert, mikef, dowdy - User_Alias PARTTIMERS = bostley, jwfox, crawl - User_Alias WEBMASTERS = will, wendy, wim + # User alias specification + User_Alias FULLTIMERS = millert, mikef, dowdy + User_Alias PARTTIMERS = bostley, jwfox, crawl + User_Alias WEBMASTERS = will, wendy, wim - # Runas alias specification - Runas_Alias OP = root, operator - Runas_Alias DB = oracle, sybase - Runas_Alias ADMINGRP = adm, oper + # Runas alias specification + Runas_Alias OP = root, operator + Runas_Alias DB = oracle, sybase + Runas_Alias ADMINGRP = adm, oper - # Host alias specification - Host_Alias SPARC = bigtime, eclipse, moet, anchor :\ - SGI = grolsch, dandelion, black :\ - ALPHA = widget, thalamus, foobar :\ - HPPA = boa, nag, python - Host_Alias CUNETS = 128.138.0.0/255.255.0.0 - Host_Alias CSNETS = 128.138.243.0, 128.138.204.0/24, 128.138.242.0 - Host_Alias SERVERS = master, mail, www, ns - Host_Alias CDROM = orion, perseus, hercules + # Host alias specification + Host_Alias SPARC = bigtime, eclipse, moet, anchor :\ + SGI = grolsch, dandelion, black :\ + ALPHA = widget, thalamus, foobar :\ + HPPA = boa, nag, python + Host_Alias CUNETS = 128.138.0.0/255.255.0.0 + Host_Alias CSNETS = 128.138.243.0, 128.138.204.0/24, 128.138.242.0 + Host_Alias SERVERS = master, mail, www, ns + Host_Alias CDROM = orion, perseus, hercules - # Cmnd alias specification - Cmnd_Alias DUMPS = /usr/bin/mt, /usr/sbin/dump, /usr/sbin/rdump,\ - /usr/sbin/restore, /usr/sbin/rrestore - Cmnd_Alias KILL = /usr/bin/kill - Cmnd_Alias PRINTING = /usr/sbin/lpc, /usr/bin/lprm - Cmnd_Alias SHUTDOWN = /usr/sbin/shutdown - Cmnd_Alias HALT = /usr/sbin/halt - Cmnd_Alias REBOOT = /usr/sbin/reboot - Cmnd_Alias SHELLS = /usr/bin/sh, /usr/bin/csh, /usr/bin/ksh, \ - /usr/local/bin/tcsh, /usr/bin/rsh, \ - /usr/local/bin/zsh - Cmnd_Alias SU = /usr/bin/su - Cmnd_Alias PAGERS = /usr/bin/more, /usr/bin/pg, /usr/bin/less + # Cmnd alias specification + Cmnd_Alias DUMPS = /usr/bin/mt, /usr/sbin/dump, /usr/sbin/rdump,\ + /usr/sbin/restore, /usr/sbin/rrestore + Cmnd_Alias KILL = /usr/bin/kill + Cmnd_Alias PRINTING = /usr/sbin/lpc, /usr/bin/lprm + Cmnd_Alias SHUTDOWN = /usr/sbin/shutdown + Cmnd_Alias HALT = /usr/sbin/halt + Cmnd_Alias REBOOT = /usr/sbin/reboot + Cmnd_Alias SHELLS = /usr/bin/sh, /usr/bin/csh, /usr/bin/ksh,\ + /usr/local/bin/tcsh, /usr/bin/rsh,\ + /usr/local/bin/zsh + Cmnd_Alias SU = /usr/bin/su + Cmnd_Alias PAGERS = /usr/bin/more, /usr/bin/pg, /usr/bin/less - Here we override some of the compiled in default values. We want ssuuddoo - to log via _s_y_s_l_o_g(3) using the _a_u_t_h facility in all cases. We don't - want to subject the full time staff to the ssuuddoo lecture, user mmiilllleerrtt - need not give a password, and we don't want to reset the LOGNAME, USER - or USERNAME environment variables when running commands as root. - Additionally, on the machines in the _S_E_R_V_E_R_S Host_Alias, we keep an - additional local log file and make sure we log the year in each log - line since the log entries will be kept around for several years. - Lastly, we disable shell escapes for the commands in the PAGERS - Cmnd_Alias (_/_u_s_r_/_b_i_n_/_m_o_r_e, _/_u_s_r_/_b_i_n_/_p_g and _/_u_s_r_/_b_i_n_/_l_e_s_s). + Here we override some of the compiled in default values. We want ssuuddoo to + log via syslog(3) using the _a_u_t_h facility in all cases. We don't want to + subject the full time staff to the ssuuddoo lecture, user mmiilllleerrtt need not + give a password, and we don't want to reset the LOGNAME, USER or USERNAME + environment variables when running commands as root. Additionally, on + the machines in the _S_E_R_V_E_R_S Host_Alias, we keep an additional local log + file and make sure we log the year in each log line since the log entries + will be kept around for several years. Lastly, we disable shell escapes + for the commands in the PAGERS Cmnd_Alias (_/_u_s_r_/_b_i_n_/_m_o_r_e, _/_u_s_r_/_b_i_n_/_p_g and + _/_u_s_r_/_b_i_n_/_l_e_s_s). - # Override built-in defaults - Defaults syslog=auth - Defaults>root !set_logname - Defaults:FULLTIMERS !lecture - Defaults:millert !authenticate - Defaults@SERVERS log_year, logfile=/var/log/sudo.log - Defaults!PAGERS noexec + # Override built-in defaults + Defaults syslog=auth + Defaults>root !set_logname + Defaults:FULLTIMERS !lecture + Defaults:millert !authenticate + Defaults@SERVERS log_year, logfile=/var/log/sudo.log + Defaults!PAGERS noexec - The _U_s_e_r _s_p_e_c_i_f_i_c_a_t_i_o_n is the part that actually determines who may run - what. + The _U_s_e_r _s_p_e_c_i_f_i_c_a_t_i_o_n is the part that actually determines who may run + what. - root ALL = (ALL) ALL - %wheel ALL = (ALL) ALL + root ALL = (ALL) ALL + %wheel ALL = (ALL) ALL - We let rroooott and any user in group wwhheeeell run any command on any host as - any user. + We let rroooott and any user in group wwhheeeell run any command on any host as + any user. - FULLTIMERS ALL = NOPASSWD: ALL + FULLTIMERS ALL = NOPASSWD: ALL - Full time sysadmins (mmiilllleerrtt, mmiikkeeff, and ddoowwddyy) may run any command on - any host without authenticating themselves. + Full time sysadmins (mmiilllleerrtt, mmiikkeeff, and ddoowwddyy) may run any command on + any host without authenticating themselves. - PARTTIMERS ALL = ALL + PARTTIMERS ALL = ALL - Part time sysadmins (bboossttlleeyy, jjwwffooxx, and ccrraawwll) may run any command on - any host but they must authenticate themselves first (since the entry - lacks the NOPASSWD tag). + Part time sysadmins bboossttlleeyy, jjwwffooxx, and ccrraawwll) may run any command on any + host but they must authenticate themselves first (since the entry lacks + the NOPASSWD tag). - jack CSNETS = ALL + jack CSNETS = ALL - The user jjaacckk may run any command on the machines in the _C_S_N_E_T_S alias - (the networks 128.138.243.0, 128.138.204.0, and 128.138.242.0). Of - those networks, only 128.138.204.0 has an explicit netmask (in CIDR - notation) indicating it is a class C network. For the other networks - in _C_S_N_E_T_S, the local machine's netmask will be used during matching. + The user jjaacckk may run any command on the machines in the _C_S_N_E_T_S alias + (the networks 128.138.243.0, 128.138.204.0, and 128.138.242.0). Of those + networks, only 128.138.204.0 has an explicit netmask (in CIDR notation) + indicating it is a class C network. For the other networks in _C_S_N_E_T_S, + the local machine's netmask will be used during matching. - lisa CUNETS = ALL + lisa CUNETS = ALL - The user lliissaa may run any command on any host in the _C_U_N_E_T_S alias (the - class B network 128.138.0.0). + The user lliissaa may run any command on any host in the _C_U_N_E_T_S alias (the + class B network 128.138.0.0). - operator ALL = DUMPS, KILL, SHUTDOWN, HALT, REBOOT, PRINTING,\ - sudoedit /etc/printcap, /usr/oper/bin/ + operator ALL = DUMPS, KILL, SHUTDOWN, HALT, REBOOT, PRINTING,\ + sudoedit /etc/printcap, /usr/oper/bin/ - The ooppeerraattoorr user may run commands limited to simple maintenance. - Here, those are commands related to backups, killing processes, the - printing system, shutting down the system, and any commands in the - directory _/_u_s_r_/_o_p_e_r_/_b_i_n_/. + The ooppeerraattoorr user may run commands limited to simple maintenance. Here, + those are commands related to backups, killing processes, the printing + system, shutting down the system, and any commands in the directory + _/_u_s_r_/_o_p_e_r_/_b_i_n_/. - joe ALL = /usr/bin/su operator + joe ALL = /usr/bin/su operator - The user jjooee may only _s_u(1) to operator. + The user jjooee may only su(1) to operator. - pete HPPA = /usr/bin/passwd [A-Za-z]*, !/usr/bin/passwd root + pete HPPA = /usr/bin/passwd [A-Za-z]*, !/usr/bin/passwd root - %opers ALL = (: ADMINGRP) /usr/sbin/ + %opers ALL = (: ADMINGRP) /usr/sbin/ - Users in the ooppeerrss group may run commands in _/_u_s_r_/_s_b_i_n_/ as themselves - with any group in the _A_D_M_I_N_G_R_P Runas_Alias (the aaddmm and ooppeerr groups). + Users in the ooppeerrss group may run commands in _/_u_s_r_/_s_b_i_n_/ as themselves + with any group in the _A_D_M_I_N_G_R_P Runas_Alias (the aaddmm and ooppeerr groups). - The user ppeettee is allowed to change anyone's password except for root on - the _H_P_P_A machines. Note that this assumes _p_a_s_s_w_d(1) does not take - multiple user names on the command line. + The user ppeettee is allowed to change anyone's password except for root on + the _H_P_P_A machines. Note that this assumes passwd(1) does not take + multiple user names on the command line. - bob SPARC = (OP) ALL : SGI = (OP) ALL + bob SPARC = (OP) ALL : SGI = (OP) ALL - The user bboobb may run anything on the _S_P_A_R_C and _S_G_I machines as any user - listed in the _O_P Runas_Alias (rroooott and ooppeerraattoorr). + The user bboobb may run anything on the _S_P_A_R_C and _S_G_I machines as any user + listed in the _O_P Runas_Alias (rroooott and ooppeerraattoorr.) - jim +biglab = ALL + jim +biglab = ALL - The user jjiimm may run any command on machines in the _b_i_g_l_a_b netgroup. - ssuuddoo knows that "biglab" is a netgroup due to the '+' prefix. + The user jjiimm may run any command on machines in the _b_i_g_l_a_b netgroup. + ssuuddoo knows that ``biglab'' is a netgroup due to the `+' prefix. - +secretaries ALL = PRINTING, /usr/bin/adduser, /usr/bin/rmuser + +secretaries ALL = PRINTING, /usr/bin/adduser, /usr/bin/rmuser - Users in the sseeccrreettaarriieess netgroup need to help manage the printers as - well as add and remove users, so they are allowed to run those commands - on all machines. + Users in the sseeccrreettaarriieess netgroup need to help manage the printers as + well as add and remove users, so they are allowed to run those commands + on all machines. - fred ALL = (DB) NOPASSWD: ALL + fred ALL = (DB) NOPASSWD: ALL - The user ffrreedd can run commands as any user in the _D_B Runas_Alias - (oorraaccllee or ssyybbaassee) without giving a password. + The user ffrreedd can run commands as any user in the _D_B Runas_Alias (oorraaccllee + or ssyybbaassee) without giving a password. - john ALPHA = /usr/bin/su [!-]*, !/usr/bin/su *root* + john ALPHA = /usr/bin/su [!-]*, !/usr/bin/su *root* - On the _A_L_P_H_A machines, user jjoohhnn may su to anyone except root but he is - not allowed to specify any options to the _s_u(1) command. + On the _A_L_P_H_A machines, user jjoohhnn may su to anyone except root but he is + not allowed to specify any options to the su(1) command. - jen ALL, !SERVERS = ALL + jen ALL, !SERVERS = ALL - The user jjeenn may run any command on any machine except for those in the - _S_E_R_V_E_R_S Host_Alias (master, mail, www and ns). + The user jjeenn may run any command on any machine except for those in the + _S_E_R_V_E_R_S Host_Alias (master, mail, www and ns). - jill SERVERS = /usr/bin/, !SU, !SHELLS + jill SERVERS = /usr/bin/, !SU, !SHELLS - For any machine in the _S_E_R_V_E_R_S Host_Alias, jjiillll may run any commands in - the directory _/_u_s_r_/_b_i_n_/ except for those commands belonging to the _S_U - and _S_H_E_L_L_S Cmnd_Aliases. + For any machine in the _S_E_R_V_E_R_S Host_Alias, jjiillll may run any commands in + the directory _/_u_s_r_/_b_i_n_/ except for those commands belonging to the _S_U and + _S_H_E_L_L_S Cmnd_Aliases. - steve CSNETS = (operator) /usr/local/op_commands/ + steve CSNETS = (operator) /usr/local/op_commands/ - The user sstteevvee may run any command in the directory - /usr/local/op_commands/ but only as user operator. + The user sstteevvee may run any command in the directory + /usr/local/op_commands/ but only as user operator. - matt valkyrie = KILL + matt valkyrie = KILL - On his personal workstation, valkyrie, mmaatttt needs to be able to kill - hung processes. + On his personal workstation, valkyrie, mmaatttt needs to be able to kill hung + processes. - WEBMASTERS www = (www) ALL, (root) /usr/bin/su www + WEBMASTERS www = (www) ALL, (root) /usr/bin/su www - On the host www, any user in the _W_E_B_M_A_S_T_E_R_S User_Alias (will, wendy, - and wim), may run any command as user www (which owns the web pages) or - simply _s_u(1) to www. + On the host www, any user in the _W_E_B_M_A_S_T_E_R_S User_Alias (will, wendy, and + wim), may run any command as user www (which owns the web pages) or + simply su(1) to www. - ALL CDROM = NOPASSWD: /sbin/umount /CDROM,\ - /sbin/mount -o nosuid\,nodev /dev/cd0a /CDROM + ALL CDROM = NOPASSWD: /sbin/umount /CDROM,\ + /sbin/mount -o nosuid,nodev /dev/cd0a /CDROM - Any user may mount or unmount a CD-ROM on the machines in the CDROM - Host_Alias (orion, perseus, hercules) without entering a password. - This is a bit tedious for users to type, so it is a prime candidate for - encapsulating in a shell script. + Any user may mount or unmount a CD-ROM on the machines in the CDROM + Host_Alias (orion, perseus, hercules) without entering a password. This + is a bit tedious for users to type, so it is a prime candidate for + encapsulating in a shell script. SSEECCUURRIITTYY NNOOTTEESS - LLiimmiittaattiioonnss ooff tthhee ''!!'' ooppeerraattoorr - It is generally not effective to "subtract" commands from ALL using the - '!' operator. A user can trivially circumvent this by copying the - desired command to a different name and then executing that. For - example: + LLiimmiittaattiioonnss ooff tthhee ``!!'' ooppeerraattoorr + It is generally not effective to ``subtract'' commands from AALLLL using the + `!' operator. A user can trivially circumvent this by copying the + desired command to a different name and then executing that. For + example: - bill ALL = ALL, !SU, !SHELLS + bill ALL = ALL, !SU, !SHELLS - Doesn't really prevent bbiillll from running the commands listed in _S_U or - _S_H_E_L_L_S since he can simply copy those commands to a different name, or - use a shell escape from an editor or other program. Therefore, these - kind of restrictions should be considered advisory at best (and - reinforced by policy). + Doesn't really prevent bbiillll from running the commands listed in _S_U or + _S_H_E_L_L_S since he can simply copy those commands to a different name, or + use a shell escape from an editor or other program. Therefore, these + kind of restrictions should be considered advisory at best (and + reinforced by policy). - In general, if a user has sudo ALL there is nothing to prevent them - from creating their own program that gives them a root shell (or making - their own copy of a shell) regardless of any '!' elements in the user - specification. + In general, if a user has sudo AALLLL there is nothing to prevent them from + creating their own program that gives them a root shell (or making their + own copy of a shell) regardless of any `!' elements in the user + specification. SSeeccuurriittyy iimmpplliiccaattiioonnss ooff _f_a_s_t___g_l_o_b - If the _f_a_s_t___g_l_o_b option is in use, it is not possible to reliably - negate commands where the path name includes globbing (aka wildcard) - characters. This is because the C library's _f_n_m_a_t_c_h(3) function cannot - resolve relative paths. While this is typically only an inconvenience - for rules that grant privileges, it can result in a security issue for - rules that subtract or revoke privileges. + If the _f_a_s_t___g_l_o_b option is in use, it is not possible to reliably negate + commands where the path name includes globbing (aka wildcard) characters. + This is because the C library's fnmatch(3) function cannot resolve + relative paths. While this is typically only an inconvenience for rules + that grant privileges, it can result in a security issue for rules that + subtract or revoke privileges. - For example, given the following _s_u_d_o_e_r_s entry: + For example, given the following _s_u_d_o_e_r_s entry: - john ALL = /usr/bin/passwd [a-zA-Z0-9]*, /usr/bin/chsh [a-zA-Z0-9]*,\ - /usr/bin/chfn [a-zA-Z0-9]*, !/usr/bin/* root + john ALL = /usr/bin/passwd [a-zA-Z0-9]*, /usr/bin/chsh [a-zA-Z0-9]*,\ + /usr/bin/chfn [a-zA-Z0-9]*, !/usr/bin/* root - User jjoohhnn can still run /usr/bin/passwd root if _f_a_s_t___g_l_o_b is enabled by - changing to _/_u_s_r_/_b_i_n and running ./passwd root instead. + User jjoohhnn can still run /usr/bin/passwd root if _f_a_s_t___g_l_o_b is enabled by + changing to _/_u_s_r_/_b_i_n and running ./passwd root instead. PPrreevveennttiinngg SShheellll EEssccaappeess - Once ssuuddoo executes a program, that program is free to do whatever it - pleases, including run other programs. This can be a security issue - since it is not uncommon for a program to allow shell escapes, which - lets a user bypass ssuuddoo's access control and logging. Common programs - that permit shell escapes include shells (obviously), editors, - paginators, mail and terminal programs. + Once ssuuddoo executes a program, that program is free to do whatever it + pleases, including run other programs. This can be a security issue + since it is not uncommon for a program to allow shell escapes, which lets + a user bypass ssuuddoo's access control and logging. Common programs that + permit shell escapes include shells (obviously), editors, paginators, + mail and terminal programs. - There are two basic approaches to this problem: + There are two basic approaches to this problem: - restrict Avoid giving users access to commands that allow the user to - run arbitrary commands. Many editors have a restricted mode - where shell escapes are disabled, though ssuuddooeeddiitt is a better - solution to running editors via ssuuddoo. Due to the large - number of programs that offer shell escapes, restricting - users to the set of programs that do not is often unworkable. + restrict Avoid giving users access to commands that allow the user to + run arbitrary commands. Many editors have a restricted mode + where shell escapes are disabled, though ssuuddooeeddiitt is a better + solution to running editors via ssuuddoo. Due to the large number + of programs that offer shell escapes, restricting users to the + set of programs that do not is often unworkable. - noexec Many systems that support shared libraries have the ability - to override default library functions by pointing an - environment variable (usually LD_PRELOAD) to an alternate - shared library. On such systems, ssuuddoo's _n_o_e_x_e_c functionality - can be used to prevent a program run by ssuuddoo from executing - any other programs. Note, however, that this applies only to - native dynamically-linked executables. Statically-linked - executables and foreign executables running under binary - emulation are not affected. + noexec Many systems that support shared libraries have the ability to + override default library functions by pointing an environment + variable (usually LD_PRELOAD) to an alternate shared library. + On such systems, ssuuddoo's _n_o_e_x_e_c functionality can be used to + prevent a program run by ssuuddoo from executing any other + programs. Note, however, that this applies only to native + dynamically-linked executables. Statically-linked executables + and foreign executables running under binary emulation are not + affected. - The _n_o_e_x_e_c feature is known to work on SunOS, Solaris, *BSD, - Linux, IRIX, Tru64 UNIX, MacOS X, HP-UX 11.x and AIX 5.3 and - above. It should be supported on most operating systems that - support the LD_PRELOAD environment variable. Check your - operating system's manual pages for the dynamic linker - (usually ld.so, ld.so.1, dyld, dld.sl, rld, or loader) to see - if LD_PRELOAD is supported. + The _n_o_e_x_e_c feature is known to work on SunOS, Solaris, *BSD, + Linux, IRIX, Tru64 UNIX, MacOS X, HP-UX 11.x and AIX 5.3 and + above. It should be supported on most operating systems that + support the LD_PRELOAD environment variable. Check your + operating system's manual pages for the dynamic linker (usually + ld.so, ld.so.1, dyld, dld.sl, rld, or loader) to see if + LD_PRELOAD is supported. - On Solaris 10 and higher, _n_o_e_x_e_c uses Solaris privileges - instead of the LD_PRELOAD environment variable. + On Solaris 10 and higher, _n_o_e_x_e_c uses Solaris privileges + instead of the LD_PRELOAD environment variable. - To enable _n_o_e_x_e_c for a command, use the NOEXEC tag as - documented in the User Specification section above. Here is - that example again: + To enable _n_o_e_x_e_c for a command, use the NOEXEC tag as + documented in the User Specification section above. Here is + that example again: - aaron shanty = NOEXEC: /usr/bin/more, /usr/bin/vi + aaron shanty = NOEXEC: /usr/bin/more, /usr/bin/vi - This allows user aaaarroonn to run _/_u_s_r_/_b_i_n_/_m_o_r_e and _/_u_s_r_/_b_i_n_/_v_i - with _n_o_e_x_e_c enabled. This will prevent those two commands - from executing other commands (such as a shell). If you are - unsure whether or not your system is capable of supporting - _n_o_e_x_e_c you can always just try it out and check whether shell - escapes work when _n_o_e_x_e_c is enabled. + This allows user aaaarroonn to run _/_u_s_r_/_b_i_n_/_m_o_r_e and _/_u_s_r_/_b_i_n_/_v_i + with _n_o_e_x_e_c enabled. This will prevent those two commands from + executing other commands (such as a shell). If you are unsure + whether or not your system is capable of supporting _n_o_e_x_e_c you + can always just try it out and check whether shell escapes work + when _n_o_e_x_e_c is enabled. - Note that restricting shell escapes is not a panacea. Programs running - as root are still capable of many potentially hazardous operations - (such as changing or overwriting files) that could lead to unintended - privilege escalation. In the specific case of an editor, a safer - approach is to give the user permission to run ssuuddooeeddiitt. + Note that restricting shell escapes is not a panacea. Programs running + as root are still capable of many potentially hazardous operations (such + as changing or overwriting files) that could lead to unintended privilege + escalation. In the specific case of an editor, a safer approach is to + give the user permission to run ssuuddooeeddiitt. TTiimmee ssttaammpp ffiillee cchheecckkss - _s_u_d_o_e_r_s will check the ownership of its time stamp directory - (_/_v_a_r_/_a_d_m_/_s_u_d_o by default) and ignore the directory's contents if it is - not owned by root or if it is writable by a user other than root. On - systems that allow non-root users to give away files via _c_h_o_w_n(2), if - the time stamp directory is located in a world-writable directory - (e.g., _/_t_m_p), it is possible for a user to create the time stamp - directory before ssuuddoo is run. However, because _s_u_d_o_e_r_s checks the - ownership and mode of the directory and its contents, the only damage - that can be done is to "hide" files by putting them in the time stamp - dir. This is unlikely to happen since once the time stamp dir is owned - by root and inaccessible by any other user, the user placing files - there would be unable to get them back out. + _s_u_d_o_e_r_s will check the ownership of its time stamp directory + (_/_v_a_r_/_a_d_m_/_s_u_d_o by default) and ignore the directory's contents if it is + not owned by root or if it is writable by a user other than root. On + systems that allow non-root users to give away files via chown(2), if the + time stamp directory is located in a world-writable directory (e.g., + _/_t_m_p), it is possible for a user to create the time stamp directory + before ssuuddoo is run. However, because _s_u_d_o_e_r_s checks the ownership and + mode of the directory and its contents, the only damage that can be done + is to ``hide'' files by putting them in the time stamp dir. This is + unlikely to happen since once the time stamp dir is owned by root and + inaccessible by any other user, the user placing files there would be + unable to get them back out. - _s_u_d_o_e_r_s will not honor time stamps set far in the future. Time stamps - with a date greater than current_time + 2 * TIMEOUT will be ignored and - sudo will log and complain. This is done to keep a user from creating - his/her own time stamp with a bogus date on systems that allow users to - give away files if the time stamp directory is located in a world- - writable directory. + _s_u_d_o_e_r_s will not honor time stamps set far in the future. Time stamps + with a date greater than current_time + 2 * TIMEOUT will be ignored and + sudo will log and complain. This is done to keep a user from creating + his/her own time stamp with a bogus date on systems that allow users to + give away files if the time stamp directory is located in a world- + writable directory. - On systems where the boot time is available, _s_u_d_o_e_r_s will ignore time - stamps that date from before the machine booted. + On systems where the boot time is available, _s_u_d_o_e_r_s will ignore time + stamps that date from before the machine booted. - Since time stamp files live in the file system, they can outlive a - user's login session. As a result, a user may be able to login, run a - command with ssuuddoo after authenticating, logout, login again, and run - ssuuddoo without authenticating so long as the time stamp file's - modification time is within 5 minutes (or whatever the timeout is set - to in _s_u_d_o_e_r_s). When the _t_t_y___t_i_c_k_e_t_s option is enabled, the time stamp - has per-tty granularity but still may outlive the user's session. On - Linux systems where the devpts filesystem is used, Solaris systems with - the devices filesystem, as well as other systems that utilize a devfs - filesystem that monotonically increase the inode number of devices as - they are created (such as Mac OS X), _s_u_d_o_e_r_s is able to determine when - a tty-based time stamp file is stale and will ignore it. - Administrators should not rely on this feature as it is not universally - available. + Since time stamp files live in the file system, they can outlive a user's + login session. As a result, a user may be able to login, run a command + with ssuuddoo after authenticating, logout, login again, and run ssuuddoo without + authenticating so long as the time stamp file's modification time is + within 5 minutes (or whatever the timeout is set to in _s_u_d_o_e_r_s). When + the _t_t_y___t_i_c_k_e_t_s option is enabled, the time stamp has per-tty granularity + but still may outlive the user's session. On Linux systems where the + devpts filesystem is used, Solaris systems with the devices filesystem, + as well as other systems that utilize a devfs filesystem that + monotonically increase the inode number of devices as they are created + (such as Mac OS X), _s_u_d_o_e_r_s is able to determine when a tty-based time + stamp file is stale and will ignore it. Administrators should not rely + on this feature as it is not universally available. SSEEEE AALLSSOO - _r_s_h(1), _s_u(1), _f_n_m_a_t_c_h(3), _g_l_o_b(3), _m_k_t_e_m_p(3), _s_t_r_f_t_i_m_e(3), - _s_u_d_o_e_r_s_._l_d_a_p(4), _s_u_d_o___p_l_u_g_i_n(1m), _s_u_d_o(1m), _v_i_s_u_d_o(1m) + rsh(1), su(1), fnmatch(3), glob(3), mktemp(3), strftime(3), + sudoers.ldap(4), sudo_plugin(1m), sudo(1m), visudo(1m) CCAAVVEEAATTSS - The _s_u_d_o_e_r_s file should aallwwaayyss be edited by the vviissuuddoo command which - locks the file and does grammatical checking. It is imperative that - _s_u_d_o_e_r_s be free of syntax errors since ssuuddoo will not run with a - syntactically incorrect _s_u_d_o_e_r_s file. + The _s_u_d_o_e_r_s file should aallwwaayyss be edited by the vviissuuddoo command which + locks the file and does grammatical checking. It is imperative that + _s_u_d_o_e_r_s be free of syntax errors since ssuuddoo will not run with a + syntactically incorrect _s_u_d_o_e_r_s file. - When using netgroups of machines (as opposed to users), if you store - fully qualified host name in the netgroup (as is usually the case), you - either need to have the machine's host name be fully qualified as - returned by the hostname command or use the _f_q_d_n option in _s_u_d_o_e_r_s. + When using netgroups of machines (as opposed to users), if you store + fully qualified host name in the netgroup (as is usually the case), you + either need to have the machine's host name be fully qualified as + returned by the hostname command or use the _f_q_d_n option in _s_u_d_o_e_r_s. BBUUGGSS - If you feel you have found a bug in ssuuddoo, please submit a bug report at - http://www.sudo.ws/sudo/bugs/ + If you feel you have found a bug in ssuuddoo, please submit a bug report at + http://www.sudo.ws/sudo/bugs/ SSUUPPPPOORRTT - Limited free support is available via the sudo-users mailing list, see - http://www.sudo.ws/mailman/listinfo/sudo-users to subscribe or search - the archives. + Limited free support is available via the sudo-users mailing list, see + http://www.sudo.ws/mailman/listinfo/sudo-users to subscribe or search the + archives. DDIISSCCLLAAIIMMEERR - ssuuddoo is provided ``AS IS'' and any express or implied warranties, - including, but not limited to, the implied warranties of - merchantability and fitness for a particular purpose are disclaimed. - See the LICENSE file distributed with ssuuddoo or - http://www.sudo.ws/sudo/license.html for complete details. + ssuuddoo is provided ``AS IS'' and any express or implied warranties, + including, but not limited to, the implied warranties of merchantability + and fitness for a particular purpose are disclaimed. See the LICENSE + file distributed with ssuuddoo or http://www.sudo.ws/sudo/license.html for + complete details. - - -1.8.6 July 18, 2012 SUDOERS(4) +Sudo 1.8.6 July 16, 2012 Sudo 1.8.6 diff --git a/doc/sudoers.ldap.cat b/doc/sudoers.ldap.cat index 518265721..522c69f73 100644 --- a/doc/sudoers.ldap.cat +++ b/doc/sudoers.ldap.cat @@ -1,113 +1,109 @@ -SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4) - - +SUDOERS.LDAP(1m) System Manager's Manual SUDOERS.LDAP(1m) NNAAMMEE - sudoers.ldap - sudo LDAP configuration + ssuuddooeerrss..llddaapp - sudo LDAP configuration DDEESSCCRRIIPPTTIIOONN - In addition to the standard _s_u_d_o_e_r_s file, ssuuddoo may be configured via - LDAP. This can be especially useful for synchronizing _s_u_d_o_e_r_s in a - large, distributed environment. + In addition to the standard _s_u_d_o_e_r_s file, ssuuddoo may be configured via + LDAP. This can be especially useful for synchronizing _s_u_d_o_e_r_s in a + large, distributed environment. - Using LDAP for _s_u_d_o_e_r_s has several benefits: + Using LDAP for _s_u_d_o_e_r_s has several benefits: - o ssuuddoo no longer needs to read _s_u_d_o_e_r_s in its entirety. When LDAP is - used, there are only two or three LDAP queries per invocation. - This makes it especially fast and particularly usable in LDAP - environments. + oo ssuuddoo no longer needs to read _s_u_d_o_e_r_s in its entirety. When LDAP is + used, there are only two or three LDAP queries per invocation. This + makes it especially fast and particularly usable in LDAP + environments. - o ssuuddoo no longer exits if there is a typo in _s_u_d_o_e_r_s. It is not - possible to load LDAP data into the server that does not conform to - the sudoers schema, so proper syntax is guaranteed. It is still - possible to have typos in a user or host name, but this will not - prevent ssuuddoo from running. + oo ssuuddoo no longer exits if there is a typo in _s_u_d_o_e_r_s. It is not + possible to load LDAP data into the server that does not conform to + the sudoers schema, so proper syntax is guaranteed. It is still + possible to have typos in a user or host name, but this will not + prevent ssuuddoo from running. - o It is possible to specify per-entry options that override the - global default options. _/_e_t_c_/_s_u_d_o_e_r_s only supports default options - and limited options associated with user/host/commands/aliases. - The syntax is complicated and can be difficult for users to - understand. Placing the options directly in the entry is more - natural. + oo It is possible to specify per-entry options that override the global + default options. _/_e_t_c_/_s_u_d_o_e_r_s only supports default options and + limited options associated with user/host/commands/aliases. The + syntax is complicated and can be difficult for users to understand. + Placing the options directly in the entry is more natural. - o The vviissuuddoo program is no longer needed. vviissuuddoo provides locking - and syntax checking of the _/_e_t_c_/_s_u_d_o_e_r_s file. Since LDAP updates - are atomic, locking is no longer necessary. Because syntax is - checked when the data is inserted into LDAP, there is no need for a - specialized tool to check syntax. + oo The vviissuuddoo program is no longer needed. vviissuuddoo provides locking and + syntax checking of the _/_e_t_c_/_s_u_d_o_e_r_s file. Since LDAP updates are + atomic, locking is no longer necessary. Because syntax is checked + when the data is inserted into LDAP, there is no need for a + specialized tool to check syntax. - Another major difference between LDAP and file-based _s_u_d_o_e_r_s is that in - LDAP, ssuuddoo-specific Aliases are not supported. + Another major difference between LDAP and file-based _s_u_d_o_e_r_s is that in + LDAP, ssuuddoo-specific Aliases are not supported. - For the most part, there is really no need for ssuuddoo-specific Aliases. - Unix groups or user netgroups can be used in place of User_Aliases and - Runas_Aliases. Host netgroups can be used in place of Host_Aliases. - Since Unix groups and netgroups can also be stored in LDAP there is no - real need for ssuuddoo-specific aliases. + For the most part, there is really no need for ssuuddoo-specific Aliases. + Unix groups or user netgroups can be used in place of User_Aliases and + Runas_Aliases. Host netgroups can be used in place of Host_Aliases. + Since Unix groups and netgroups can also be stored in LDAP there is no + real need for ssuuddoo-specific aliases. - Cmnd_Aliases are not really required either since it is possible to - have multiple users listed in a sudoRole. Instead of defining a - Cmnd_Alias that is referenced by multiple users, one can create a - sudoRole that contains the commands and assign multiple users to it. + Cmnd_Aliases are not really required either since it is possible to have + multiple users listed in a sudoRole. Instead of defining a Cmnd_Alias + that is referenced by multiple users, one can create a sudoRole that + contains the commands and assign multiple users to it. SSUUDDOOeerrss LLDDAAPP ccoonnttaaiinneerr - The _s_u_d_o_e_r_s configuration is contained in the ou=SUDOers LDAP - container. + The _s_u_d_o_e_r_s configuration is contained in the ou=SUDOers LDAP container. - Sudo first looks for the cn=default entry in the SUDOers container. If - found, the multi-valued sudoOption attribute is parsed in the same - manner as a global Defaults line in _/_e_t_c_/_s_u_d_o_e_r_s. In the following - example, the SSH_AUTH_SOCK variable will be preserved in the - environment for all users. + Sudo first looks for the cn=default entry in the SUDOers container. If + found, the multi-valued sudoOption attribute is parsed in the same manner + as a global Defaults line in _/_e_t_c_/_s_u_d_o_e_r_s. In the following example, the + SSH_AUTH_SOCK variable will be preserved in the environment for all + users. - dn: cn=defaults,ou=SUDOers,dc=example,dc=com - objectClass: top - objectClass: sudoRole - cn: defaults - description: Default sudoOption's go here - sudoOption: env_keep+=SSH_AUTH_SOCK + dn: cn=defaults,ou=SUDOers,dc=example,dc=com + objectClass: top + objectClass: sudoRole + cn: defaults + description: Default sudoOption's go here + sudoOption: env_keep+=SSH_AUTH_SOCK - The equivalent of a sudoer in LDAP is a sudoRole. It consists of the - following attributes: + The equivalent of a sudoer in LDAP is a sudoRole. It consists of the + following attributes: - ssuuddooUUsseerr - A user name, user ID (prefixed with '#'), Unix group (prefixed with - '%'), Unix group ID (prefixed with '%#'), or user netgroup - (prefixed with '+'). + ssuuddooUUsseerr + A user name, user ID (prefixed with `#'), Unix group (prefixed with + `%'), Unix group ID (prefixed with `%#'), or user netgroup + (prefixed with `+'). - ssuuddooHHoosstt + ssuuddooHHoosstt A host name, IP address, IP network, or host netgroup (prefixed - with a '+'). The special value ALL will match any host. + with a `+'). The special value ALL will match any host. - ssuuddooCCoommmmaanndd + ssuuddooCCoommmmaanndd A Unix command with optional command line arguments, potentially including globbing characters (aka wild cards). The special value ALL will match any command. If a command is prefixed with an - exclamation point '!', the user will be prohibited from running + exclamation point `!', the user will be prohibited from running that command. - ssuuddooOOppttiioonn + ssuuddooOOppttiioonn Identical in function to the global options described above, but specific to the sudoRole in which it resides. - ssuuddooRRuunnAAssUUsseerr - A user name or uid (prefixed with '#') that commands may be run as - or a Unix group (prefixed with a '%') or user netgroup (prefixed - with a '+') that contains a list of users that commands may be run + ssuuddooRRuunnAAssUUsseerr + A user name or uid (prefixed with `#') that commands may be run as + or a Unix group (prefixed with a `%') or user netgroup (prefixed + with a `+') that contains a list of users that commands may be run as. The special value ALL will match any user. The sudoRunAsUser attribute is only available in ssuuddoo versions 1.7.0 and higher. Older versions of ssuuddoo use the sudoRunAs attribute instead. - ssuuddooRRuunnAAssGGrroouupp - A Unix group or gid (prefixed with '#') that commands may be run + ssuuddooRRuunnAAssGGrroouupp + A Unix group or gid (prefixed with `#') that commands may be run as. The special value ALL will match any group. The sudoRunAsGroup attribute is only available in ssuuddoo versions 1.7.0 and higher. - ssuuddooNNoottBBeeffoorree + ssuuddooNNoottBBeeffoorree A timestamp in the form yyyymmddHHMMSSZ that can be used to provide a start date/time for when the sudoRole will be valid. If multiple sudoNotBefore entries are present, the earliest is used. Note that @@ -120,7 +116,7 @@ DDEESSCCRRIIPPTTIIOONN 1.7.5 and higher and must be explicitly enabled via the SSUUDDOOEERRSS__TTIIMMEEDD option in _/_e_t_c_/_l_d_a_p_._c_o_n_f. - ssuuddooNNoottAAfftteerr + ssuuddooNNoottAAfftteerr A timestamp in the form yyyymmddHHMMSSZ that indicates an expiration date/time, after which the sudoRole will no longer be valid. If multiple sudoNotBefore entries are present, the last one @@ -133,7 +129,7 @@ DDEESSCCRRIIPPTTIIOONN and higher and must be explicitly enabled via the SSUUDDOOEERRSS__TTIIMMEEDD option in _/_e_t_c_/_l_d_a_p_._c_o_n_f. - ssuuddooOOrrddeerr + ssuuddooOOrrddeerr The sudoRole entries retrieved from the LDAP directory have no inherent order. The sudoOrder attribute is an integer (or floating point value for LDAP servers that support it) that is used to sort @@ -141,150 +137,149 @@ DDEESSCCRRIIPPTTIIOONN more closely mimic the behaviour of the sudoers file, where the of the entries influences the result. If multiple entries match, the entry with the highest sudoOrder attribute is chosen. This - corresponds to the "last match" behavior of the sudoers file. If + corresponds to the ``last match'' behavior of the sudoers file. If the sudoOrder attribute is not present, a value of 0 is assumed. The sudoOrder attribute is only available in ssuuddoo versions 1.7.5 and higher. - Each attribute listed above should contain a single value, but there - may be multiple instances of each attribute type. A sudoRole must - contain at least one sudoUser, sudoHost and sudoCommand. + Each attribute listed above should contain a single value, but there may + be multiple instances of each attribute type. A sudoRole must contain at + least one sudoUser, sudoHost and sudoCommand. - The following example allows users in group wheel to run any command on - any host via ssuuddoo: + The following example allows users in group wheel to run any command on + any host via ssuuddoo: - dn: cn=%wheel,ou=SUDOers,dc=example,dc=com - objectClass: top - objectClass: sudoRole - cn: %wheel - sudoUser: %wheel - sudoHost: ALL - sudoCommand: ALL + dn: cn=%wheel,ou=SUDOers,dc=example,dc=com + objectClass: top + objectClass: sudoRole + cn: %wheel + sudoUser: %wheel + sudoHost: ALL + sudoCommand: ALL AAnnaattoommyy ooff LLDDAAPP ssuuddooeerrss llooookkuupp - When looking up a sudoer using LDAP there are only two or three LDAP - queries per invocation. The first query is to parse the global - options. The second is to match against the user's name and the groups - that the user belongs to. (The special ALL tag is matched in this - query too.) If no match is returned for the user's name and groups, a - third query returns all entries containing user netgroups and checks to - see if the user belongs to any of them. + When looking up a sudoer using LDAP there are only two or three LDAP + queries per invocation. The first query is to parse the global options. + The second is to match against the user's name and the groups that the + user belongs to. (The special ALL tag is matched in this query too.) If + no match is returned for the user's name and groups, a third query + returns all entries containing user netgroups and checks to see if the + user belongs to any of them. - If timed entries are enabled with the SSUUDDOOEERRSS__TTIIMMEEDD configuration - directive, the LDAP queries include a subfilter that limits retrieval - to entries that satisfy the time constraints, if any. + If timed entries are enabled with the SSUUDDOOEERRSS__TTIIMMEEDD configuration + directive, the LDAP queries include a subfilter that limits retrieval to + entries that satisfy the time constraints, if any. DDiiffffeerreenncceess bbeettwweeeenn LLDDAAPP aanndd nnoonn--LLDDAAPP ssuuddooeerrss - There are some subtle differences in the way sudoers is handled once in - LDAP. Probably the biggest is that according to the RFC, LDAP ordering - is arbitrary and you cannot expect that Attributes and Entries are - returned in any specific order. + There are some subtle differences in the way sudoers is handled once in + LDAP. Probably the biggest is that according to the RFC, LDAP ordering + is arbitrary and you cannot expect that Attributes and Entries are + returned in any specific order. - The order in which different entries are applied can be controlled - using the sudoOrder attribute, but there is no way to guarantee the - order of attributes within a specific entry. If there are conflicting - command rules in an entry, the negative takes precedence. This is - called paranoid behavior (not necessarily the most specific match). + The order in which different entries are applied can be controlled using + the sudoOrder attribute, but there is no way to guarantee the order of + attributes within a specific entry. If there are conflicting command + rules in an entry, the negative takes precedence. This is called + paranoid behavior (not necessarily the most specific match). - Here is an example: + Here is an example: - # /etc/sudoers: - # Allow all commands except shell - johnny ALL=(root) ALL,!/bin/sh - # Always allows all commands because ALL is matched last - puddles ALL=(root) !/bin/sh,ALL + # /etc/sudoers: + # Allow all commands except shell + johnny ALL=(root) ALL,!/bin/sh + # Always allows all commands because ALL is matched last + puddles ALL=(root) !/bin/sh,ALL - # LDAP equivalent of johnny - # Allows all commands except shell - dn: cn=role1,ou=Sudoers,dc=my-domain,dc=com - objectClass: sudoRole - objectClass: top - cn: role1 - sudoUser: johnny - sudoHost: ALL - sudoCommand: ALL - sudoCommand: !/bin/sh + # LDAP equivalent of johnny + # Allows all commands except shell + dn: cn=role1,ou=Sudoers,dc=my-domain,dc=com + objectClass: sudoRole + objectClass: top + cn: role1 + sudoUser: johnny + sudoHost: ALL + sudoCommand: ALL + sudoCommand: !/bin/sh - # LDAP equivalent of puddles - # Notice that even though ALL comes last, it still behaves like - # role1 since the LDAP code assumes the more paranoid configuration - dn: cn=role2,ou=Sudoers,dc=my-domain,dc=com - objectClass: sudoRole - objectClass: top - cn: role2 - sudoUser: puddles - sudoHost: ALL - sudoCommand: !/bin/sh - sudoCommand: ALL + # LDAP equivalent of puddles + # Notice that even though ALL comes last, it still behaves like + # role1 since the LDAP code assumes the more paranoid configuration + dn: cn=role2,ou=Sudoers,dc=my-domain,dc=com + objectClass: sudoRole + objectClass: top + cn: role2 + sudoUser: puddles + sudoHost: ALL + sudoCommand: !/bin/sh + sudoCommand: ALL - Another difference is that negations on the Host, User or Runas are - currently ignored. For example, the following attributes do not behave - the way one might expect. + Another difference is that negations on the Host, User or Runas are + currently ignored. For example, the following attributes do not behave + the way one might expect. - # does not match all but joe - # rather, does not match anyone - sudoUser: !joe + # does not match all but joe + # rather, does not match anyone + sudoUser: !joe - # does not match all but joe - # rather, matches everyone including Joe - sudoUser: ALL - sudoUser: !joe + # does not match all but joe + # rather, matches everyone including Joe + sudoUser: ALL + sudoUser: !joe - # does not match all but web01 - # rather, matches all hosts including web01 - sudoHost: ALL - sudoHost: !web01 + # does not match all but web01 + # rather, matches all hosts including web01 + sudoHost: ALL + sudoHost: !web01 SSuuddooeerrss SScchheemmaa - In order to use ssuuddoo's LDAP support, the ssuuddoo schema must be installed - on your LDAP server. In addition, be sure to index the 'sudoUser' - attribute. + In order to use ssuuddoo's LDAP support, the ssuuddoo schema must be installed on + your LDAP server. In addition, be sure to index the sudoUser attribute. - Three versions of the schema: one for OpenLDAP servers - (_s_c_h_e_m_a_._O_p_e_n_L_D_A_P), one for Netscape-derived servers (_s_c_h_e_m_a_._i_P_l_a_n_e_t), - and one for Microsoft Active Directory (_s_c_h_e_m_a_._A_c_t_i_v_e_D_i_r_e_c_t_o_r_y) may be - found in the ssuuddoo distribution. + Three versions of the schema: one for OpenLDAP servers (_s_c_h_e_m_a_._O_p_e_n_L_D_A_P), + one for Netscape-derived servers (_s_c_h_e_m_a_._i_P_l_a_n_e_t), and one for Microsoft + Active Directory (_s_c_h_e_m_a_._A_c_t_i_v_e_D_i_r_e_c_t_o_r_y) may be found in the ssuuddoo + distribution. - The schema for ssuuddoo in OpenLDAP form is included in the EXAMPLES - section. + The schema for ssuuddoo in OpenLDAP form is also included in the _E_X_A_M_P_L_E_S + section. CCoonnffiigguurriinngg llddaapp..ccoonnff - Sudo reads the _/_e_t_c_/_l_d_a_p_._c_o_n_f file for LDAP-specific configuration. - Typically, this file is shared amongst different LDAP-aware clients. - As such, most of the settings are not ssuuddoo-specific. Note that ssuuddoo - parses _/_e_t_c_/_l_d_a_p_._c_o_n_f itself and may support options that differ from - those described in the system's _l_d_a_p_._c_o_n_f(4) manual. + Sudo reads the _/_e_t_c_/_l_d_a_p_._c_o_n_f file for LDAP-specific configuration. + Typically, this file is shared amongst different LDAP-aware clients. As + such, most of the settings are not ssuuddoo-specific. Note that ssuuddoo parses + _/_e_t_c_/_l_d_a_p_._c_o_n_f itself and may support options that differ from those + described in the system's ldap.conf(1m) manual. - Also note that on systems using the OpenLDAP libraries, default values - specified in _/_e_t_c_/_o_p_e_n_l_d_a_p_/_l_d_a_p_._c_o_n_f or the user's _._l_d_a_p_r_c files are - not used. + Also note that on systems using the OpenLDAP libraries, default values + specified in _/_e_t_c_/_o_p_e_n_l_d_a_p_/_l_d_a_p_._c_o_n_f or the user's _._l_d_a_p_r_c files are not + used. - Only those options explicitly listed in _/_e_t_c_/_l_d_a_p_._c_o_n_f as being - supported by ssuuddoo are honored. Configuration options are listed below - in upper case but are parsed in a case-independent manner. + Only those options explicitly listed in _/_e_t_c_/_l_d_a_p_._c_o_n_f as being supported + by ssuuddoo are honored. Configuration options are listed below in upper + case but are parsed in a case-independent manner. - UURRII ldap[s]://[hostname[:port]] ... + UURRII _l_d_a_p_[_s_]_:_/_/_[_h_o_s_t_n_a_m_e_[_:_p_o_r_t_]_] _._._. Specifies a whitespace-delimited list of one or more URIs describing the LDAP server(s) to connect to. The _p_r_o_t_o_c_o_l may be - either llddaapp or llddaappss, the latter being for servers that support TLS + either _l_d_a_p _l_d_a_p_s, the latter being for servers that support TLS (SSL) encryption. If no _p_o_r_t is specified, the default is port 389 for ldap:// or port 636 for ldaps://. If no _h_o_s_t_n_a_m_e is specified, - ssuuddoo will connect to llooccaallhhoosstt. Multiple UURRII lines are treated + ssuuddoo will connect to _l_o_c_a_l_h_o_s_t. Multiple UURRII lines are treated identically to a UURRII line containing multiple entries. Only systems using the OpenSSL libraries support the mixing of ldap:// and ldaps:// URIs. Both the Netscape-derived and Tivoli LDAP libraries used on most commercial versions of Unix are only capable of supporting one or the other. - HHOOSSTT name[:port] ... + HHOOSSTT _n_a_m_e_[_:_p_o_r_t_] _._._. If no UURRII is specified, the HHOOSSTT parameter specifies a whitespace- delimited list of LDAP servers to connect to. Each host may - include an optional _p_o_r_t separated by a colon (':'). The HHOOSSTT + include an optional _p_o_r_t separated by a colon (`:'). The HHOOSSTT parameter is deprecated in favor of the UURRII specification and is included for backwards compatibility. - PPOORRTT port_number + PPOORRTT _p_o_r_t___n_u_m_b_e_r If no UURRII is specified, the PPOORRTT parameter specifies the default port to connect to on the LDAP server if a HHOOSSTT parameter does not specify the port itself. If no PPOORRTT parameter is used, the default @@ -292,40 +287,40 @@ DDEESSCCRRIIPPTTIIOONN PPOORRTT parameter is deprecated in favor of the UURRII specification and is included for backwards compatibility. - BBIINNDD__TTIIMMEELLIIMMIITT seconds + BBIINNDD__TTIIMMEELLIIMMIITT _s_e_c_o_n_d_s The BBIINNDD__TTIIMMEELLIIMMIITT parameter specifies the amount of time, in seconds, to wait while trying to connect to an LDAP server. If multiple UURRIIs or HHOOSSTTs are specified, this is the amount of time to wait before trying the next one in the list. - NNEETTWWOORRKK__TTIIMMEEOOUUTT seconds + NNEETTWWOORRKK__TTIIMMEEOOUUTT _s_e_c_o_n_d_s An alias for BBIINNDD__TTIIMMEELLIIMMIITT for OpenLDAP compatibility. - TTIIMMEELLIIMMIITT seconds + TTIIMMEELLIIMMIITT _s_e_c_o_n_d_s The TTIIMMEELLIIMMIITT parameter specifies the amount of time, in seconds, to wait for a response to an LDAP query. - TTIIMMEEOOUUTT seconds + TTIIMMEEOOUUTT _s_e_c_o_n_d_s The TTIIMMEEOOUUTT parameter specifies the amount of time, in seconds, to wait for a response from the various LDAP APIs. - SSUUDDOOEERRSS__BBAASSEE base + SSUUDDOOEERRSS__BBAASSEE _b_a_s_e The base DN to use when performing ssuuddoo LDAP queries. Typically this is of the form ou=SUDOers,dc=example,dc=com for the domain example.com. Multiple SSUUDDOOEERRSS__BBAASSEE lines may be specified, in which case they are queried in the order specified. - SSUUDDOOEERRSS__SSEEAARRCCHH__FFIILLTTEERR ldap_filter + SSUUDDOOEERRSS__SSEEAARRCCHH__FFIILLTTEERR _l_d_a_p___f_i_l_t_e_r An LDAP filter which is used to restrict the set of records returned when performing a ssuuddoo LDAP query. Typically, this is of the form attribute=value or (&(attribute=value)(attribute2=value2)). - SSUUDDOOEERRSS__TTIIMMEEDD on/true/yes/off/false/no + SSUUDDOOEERRSS__TTIIMMEEDD _o_n_/_t_r_u_e_/_y_e_s_/_o_f_f_/_f_a_l_s_e_/_n_o Whether or not to evaluate the sudoNotBefore and sudoNotAfter attributes that implement time-dependent sudoers entries. - SSUUDDOOEERRSS__DDEEBBUUGG debug_level + SSUUDDOOEERRSS__DDEEBBUUGG _d_e_b_u_g___l_e_v_e_l This sets the debug level for ssuuddoo LDAP queries. Debugging information is printed to the standard error. A value of 1 results in a moderate amount of debugging information. A value of 2 shows @@ -333,44 +328,45 @@ DDEESSCCRRIIPPTTIIOONN be set in a production environment as the extra information is likely to confuse users. - BBIINNDDDDNN DN + BBIINNDDDDNN _D_N The BBIINNDDDDNN parameter specifies the identity, in the form of a Distinguished Name (DN), to use when performing LDAP operations. If not specified, LDAP operations are performed with an anonymous identity. By default, most LDAP servers will allow anonymous access. - BBIINNDDPPWW secret + BBIINNDDPPWW _s_e_c_r_e_t The BBIINNDDPPWW parameter specifies the password to use when performing LDAP operations. This is typically used in conjunction with the BBIINNDDDDNN parameter. - RROOOOTTBBIINNDDDDNN DN + RROOOOTTBBIINNDDDDNN _D_N The RROOOOTTBBIINNDDDDNN parameter specifies the identity, in the form of a Distinguished Name (DN), to use when performing privileged LDAP operations, such as _s_u_d_o_e_r_s queries. The password corresponding to the identity should be stored in _/_e_t_c_/_l_d_a_p_._s_e_c_r_e_t. If not specified, the BBIINNDDDDNN identity is used (if any). - LLDDAAPP__VVEERRSSIIOONN number + LLDDAAPP__VVEERRSSIIOONN _n_u_m_b_e_r The version of the LDAP protocol to use when connecting to the server. The default value is protocol version 3. - SSSSLL on/true/yes/off/false/no + SSSSLL _o_n_/_t_r_u_e_/_y_e_s_/_o_f_f_/_f_a_l_s_e_/_n_o If the SSSSLL parameter is set to on, true or yes, TLS (SSL) encryption is always used when communicating with the LDAP server. Typically, this involves connecting to the server on port 636 (ldaps). - SSSSLL start_tls + SSSSLL _s_t_a_r_t___t_l_s If the SSSSLL parameter is set to start_tls, the LDAP server connection is initiated normally and TLS encryption is begun before the bind credentials are sent. This has the advantage of not requiring a dedicated port for encrypted communications. This parameter is only supported by LDAP servers that honor the - start_tls extension, such as the OpenLDAP server. + _s_t_a_r_t___t_l_s extension, such as the OpenLDAP and Tivoli Directory + servers. - TTLLSS__CCHHEECCKKPPEEEERR on/true/yes/off/false/no + TTLLSS__CCHHEECCKKPPEEEERR _o_n_/_t_r_u_e_/_y_e_s_/_o_f_f_/_f_a_l_s_e_/_n_o If enabled, TTLLSS__CCHHEECCKKPPEEEERR will cause the LDAP server's TLS certificated to be verified. If the server's TLS certificate cannot be verified (usually because it is signed by an unknown @@ -382,10 +378,10 @@ DDEESSCCRRIIPPTTIIOONN can be verified. This option is not supported by the Tivoli Directory Server LDAP libraries. - TTLLSS__CCAACCEERRTT file name + TTLLSS__CCAACCEERRTT _f_i_l_e _n_a_m_e An alias for TTLLSS__CCAACCEERRTTFFIILLEE for OpenLDAP compatibility. - TTLLSS__CCAACCEERRTTFFIILLEE file name + TTLLSS__CCAACCEERRTTFFIILLEE _f_i_l_e _n_a_m_e The path to a certificate authority bundle which contains the certificates for all the Certificate Authorities the client knows to be valid, e.g. _/_e_t_c_/_s_s_l_/_c_a_-_b_u_n_d_l_e_._p_e_m. This option is only @@ -393,50 +389,49 @@ DDEESSCCRRIIPPTTIIOONN libraries use the same certificate database for CA and client certificates (see TTLLSS__CCEERRTT). - TTLLSS__CCAACCEERRTTDDIIRR directory + TTLLSS__CCAACCEERRTTDDIIRR _d_i_r_e_c_t_o_r_y Similar to TTLLSS__CCAACCEERRTTFFIILLEE but instead of a file, it is a directory containing individual Certificate Authority certificates, e.g. _/_e_t_c_/_s_s_l_/_c_e_r_t_s. The directory specified by TTLLSS__CCAACCEERRTTDDIIRR is checked after TTLLSS__CCAACCEERRTTFFIILLEE. This option is only supported by the OpenLDAP libraries. - TTLLSS__CCEERRTT file name + TTLLSS__CCEERRTT _f_i_l_e _n_a_m_e The path to a file containing the client certificate which can be used to authenticate the client to the LDAP server. The certificate type depends on the LDAP libraries used. OpenLDAP: - tls_cert /etc/ssl/client_cert.pem + tls_cert /etc/ssl/client_cert.pem Netscape-derived: - tls_cert /var/ldap/cert7.db + tls_cert /var/ldap/cert7.db Tivoli Directory Server: - Unused, the key database specified by TTLLSS__KKEEYY contains both - keys and certificates. + Unused, the key database specified by TTLLSS__KKEEYY contains both + keys and certificates. - When using Netscape-derived libraries, this file may also contain - Certificate Authority certificates. + When using Netscape-derived libraries, this file may also + contain Certificate Authority certificates. - TTLLSS__KKEEYY file name + TTLLSS__KKEEYY _f_i_l_e _n_a_m_e The path to a file containing the private key which matches the certificate specified by TTLLSS__CCEERRTT. The private key must not be password-protected. The key type depends on the LDAP libraries used. OpenLDAP: - tls_key /etc/ssl/client_key.pem + tls_key /etc/ssl/client_key.pem Netscape-derived: - tls_key /var/ldap/key3.db + tls_key /var/ldap/key3.db Tivoli Directory Server: - tls_cert /usr/ldap/ldapkey.kdb - + tls_cert /usr/ldap/ldapkey.kdb When using Tivoli LDAP libraries, this file may also contain Certificate Authority and client certificates and may be encrypted. - TTLLSS__KKEEYYPPWW secret + TTLLSS__KKEEYYPPWW _s_e_c_r_e_t The TTLLSS__KKEEYYPPWW contains the password used to decrypt the key database on clients using the Tivoli Directory Server LDAP library. If no TTLLSS__KKEEYYPPWW is specified, a _s_t_a_s_h _f_i_l_e will be used if it @@ -447,328 +442,324 @@ DDEESSCCRRIIPPTTIIOONN ssl_password. This option is only supported by the Tivoli LDAP libraries. - TTLLSS__RRAANNDDFFIILLEE file name + TTLLSS__RRAANNDDFFIILLEE _f_i_l_e _n_a_m_e The TTLLSS__RRAANNDDFFIILLEE parameter specifies the path to an entropy source for systems that lack a random device. It is generally used in conjunction with _p_r_n_g_d or _e_g_d. This option is only supported by the OpenLDAP libraries. - TTLLSS__CCIIPPHHEERRSS cipher list + TTLLSS__CCIIPPHHEERRSS _c_i_p_h_e_r _l_i_s_t The TTLLSS__CCIIPPHHEERRSS parameter allows the administer to restrict which encryption algorithms may be used for TLS (SSL) connections. See the OpenLDAP or Tivoli Directory Server manual for a list of valid ciphers. This option is not supported by Netscape-derived libraries. - UUSSEE__SSAASSLL on/true/yes/off/false/no + UUSSEE__SSAASSLL _o_n_/_t_r_u_e_/_y_e_s_/_o_f_f_/_f_a_l_s_e_/_n_o Enable UUSSEE__SSAASSLL for LDAP servers that support SASL authentication. - SSAASSLL__AAUUTTHH__IIDD identity + SSAASSLL__AAUUTTHH__IIDD _i_d_e_n_t_i_t_y The SASL user name to use when connecting to the LDAP server. By default, ssuuddoo will use an anonymous connection. - RROOOOTTUUSSEE__SSAASSLL on/true/yes/off/false/no + RROOOOTTUUSSEE__SSAASSLL _o_n_/_t_r_u_e_/_y_e_s_/_o_f_f_/_f_a_l_s_e_/_n_o Enable RROOOOTTUUSSEE__SSAASSLL to enable SASL authentication when connecting to an LDAP server from a privileged process, such as ssuuddoo. - RROOOOTTSSAASSLL__AAUUTTHH__IIDD identity + RROOOOTTSSAASSLL__AAUUTTHH__IIDD _i_d_e_n_t_i_t_y The SASL user name to use when RROOOOTTUUSSEE__SSAASSLL is enabled. - SSAASSLL__SSEECCPPRROOPPSS none/properties + SSAASSLL__SSEECCPPRROOPPSS _n_o_n_e_/_p_r_o_p_e_r_t_i_e_s SASL security properties or _n_o_n_e for no properties. See the SASL programmer's manual for details. - KKRRBB55__CCCCNNAAMMEE file name + KKRRBB55__CCCCNNAAMMEE _f_i_l_e _n_a_m_e The path to the Kerberos 5 credential cache to use when authenticating with the remote server. - DDEERREEFF never/searching/finding/always + DDEERREEFF _n_e_v_e_r_/_s_e_a_r_c_h_i_n_g_/_f_i_n_d_i_n_g_/_a_l_w_a_y_s How alias dereferencing is to be performed when searching. See the - _l_d_a_p_._c_o_n_f(4) manual for a full description of this option. + ldap.conf(1m) manual for a full description of this option. - See the ldap.conf entry in the EXAMPLES section. + See the _l_d_a_p_._c_o_n_f entry in the _E_X_A_M_P_L_E_S section. CCoonnffiigguurriinngg nnsssswwiittcchh..ccoonnff - Unless it is disabled at build time, ssuuddoo consults the Name Service - Switch file, _/_e_t_c_/_n_s_s_w_i_t_c_h_._c_o_n_f, to specify the _s_u_d_o_e_r_s search order. - Sudo looks for a line beginning with sudoers: and uses this to - determine the search order. Note that ssuuddoo does not stop searching - after the first match and later matches take precedence over earlier - ones. + Unless it is disabled at build time, ssuuddoo consults the Name Service + Switch file, _/_e_t_c_/_n_s_s_w_i_t_c_h_._c_o_n_f, to specify the _s_u_d_o_e_r_s search order. + Sudo looks for a line beginning with sudoers: and uses this to determine + the search order. Note that ssuuddoo does not stop searching after the first + match and later matches take precedence over earlier ones. The following + sources are recognized: - The following sources are recognized: + files read sudoers from _/_e_t_c_/_s_u_d_o_e_r_s + ldap read sudoers from LDAP - files read sudoers from F - ldap read sudoers from LDAP + In addition, the entry [NOTFOUND=return] will short-circuit the search if + the user was not found in the preceding source. - In addition, the entry [NOTFOUND=return] will short-circuit the search - if the user was not found in the preceding source. + To consult LDAP first followed by the local sudoers file (if it exists), + use: - To consult LDAP first followed by the local sudoers file (if it - exists), use: + sudoers: ldap files - sudoers: ldap files + The local _s_u_d_o_e_r_s file can be ignored completely by using: - The local _s_u_d_o_e_r_s file can be ignored completely by using: + sudoers: ldap - sudoers: ldap + If the _/_e_t_c_/_n_s_s_w_i_t_c_h_._c_o_n_f file is not present or there is no sudoers + line, the following default is assumed: - If the _/_e_t_c_/_n_s_s_w_i_t_c_h_._c_o_n_f file is not present or there is no sudoers - line, the following default is assumed: + sudoers: files - sudoers: files - - Note that _/_e_t_c_/_n_s_s_w_i_t_c_h_._c_o_n_f is supported even when the underlying - operating system does not use an nsswitch.conf file, except on AIX (see - below). + Note that _/_e_t_c_/_n_s_s_w_i_t_c_h_._c_o_n_f is supported even when the underlying + operating system does not use an nsswitch.conf file, except on AIX (see + below). CCoonnffiigguurriinngg nneettssvvcc..ccoonnff - On AIX systems, the _/_e_t_c_/_n_e_t_s_v_c_._c_o_n_f file is consulted instead of - _/_e_t_c_/_n_s_s_w_i_t_c_h_._c_o_n_f. ssuuddoo simply treats _n_e_t_s_v_c_._c_o_n_f as a variant of - _n_s_s_w_i_t_c_h_._c_o_n_f; information in the previous section unrelated to the - file format itself still applies. + On AIX systems, the _/_e_t_c_/_n_e_t_s_v_c_._c_o_n_f file is consulted instead of + _/_e_t_c_/_n_s_s_w_i_t_c_h_._c_o_n_f. ssuuddoo simply treats _n_e_t_s_v_c_._c_o_n_f as a variant of + _n_s_s_w_i_t_c_h_._c_o_n_f; information in the previous section unrelated to the file + format itself still applies. - To consult LDAP first followed by the local sudoers file (if it - exists), use: + To consult LDAP first followed by the local sudoers file (if it exists), + use: - sudoers = ldap, files + sudoers = ldap, files - The local _s_u_d_o_e_r_s file can be ignored completely by using: + The local _s_u_d_o_e_r_s file can be ignored completely by using: - sudoers = ldap + sudoers = ldap - To treat LDAP as authoratative and only use the local sudoers file if - the user is not present in LDAP, use: + To treat LDAP as authoratative and only use the local sudoers file if the + user is not present in LDAP, use: - sudoers = ldap = auth, files + sudoers = ldap = auth, files - Note that in the above example, the auth qualfier only affects user - lookups; both LDAP and _s_u_d_o_e_r_s will be queried for Defaults entries. + Note that in the above example, the auth qualfier only affects user + lookups; both LDAP and _s_u_d_o_e_r_s will be queried for Defaults entries. - If the _/_e_t_c_/_n_e_t_s_v_c_._c_o_n_f file is not present or there is no sudoers - line, the following default is assumed: + If the _/_e_t_c_/_n_e_t_s_v_c_._c_o_n_f file is not present or there is no sudoers line, + the following default is assumed: - sudoers = files + sudoers = files FFIILLEESS - _/_e_t_c_/_l_d_a_p_._c_o_n_f LDAP configuration file + _/_e_t_c_/_l_d_a_p_._c_o_n_f LDAP configuration file - _/_e_t_c_/_n_s_s_w_i_t_c_h_._c_o_n_f determines sudoers source order + _/_e_t_c_/_n_s_s_w_i_t_c_h_._c_o_n_f determines sudoers source order - _/_e_t_c_/_n_e_t_s_v_c_._c_o_n_f determines sudoers source order on AIX + _/_e_t_c_/_n_e_t_s_v_c_._c_o_n_f determines sudoers source order on AIX EEXXAAMMPPLLEESS EExxaammppllee llddaapp..ccoonnff - # Either specify one or more URIs or one or more host:port pairs. - # If neither is specified sudo will default to localhost, port 389. - # - #host ldapserver - #host ldapserver1 ldapserver2:390 - # - # Default port if host is specified without one, defaults to 389. - #port 389 - # - # URI will override the host and port settings. - uri ldap://ldapserver - #uri ldaps://secureldapserver - #uri ldaps://secureldapserver ldap://ldapserver - # - # The amount of time, in seconds, to wait while trying to connect to - # an LDAP server. - bind_timelimit 30 - # - # The amount of time, in seconds, to wait while performing an LDAP query. - timelimit 30 - # - # Must be set or sudo will ignore LDAP; may be specified multiple times. - sudoers_base ou=SUDOers,dc=example,dc=com - # - # verbose sudoers matching from ldap - #sudoers_debug 2 - # - # Enable support for time-based entries in sudoers. - #sudoers_timed yes - # - # optional proxy credentials - #binddn - #bindpw - #rootbinddn - # - # LDAP protocol version, defaults to 3 - #ldap_version 3 - # - # Define if you want to use an encrypted LDAP connection. - # Typically, you must also set the port to 636 (ldaps). - #ssl on - # - # Define if you want to use port 389 and switch to - # encryption before the bind credentials are sent. - # Only supported by LDAP servers that support the start_tls - # extension such as OpenLDAP. - #ssl start_tls - # - # Additional TLS options follow that allow tweaking of the - # SSL/TLS connection. - # - #tls_checkpeer yes # verify server SSL certificate - #tls_checkpeer no # ignore server SSL certificate - # - # If you enable tls_checkpeer, specify either tls_cacertfile - # or tls_cacertdir. Only supported when using OpenLDAP. - # - #tls_cacertfile /etc/certs/trusted_signers.pem - #tls_cacertdir /etc/certs - # - # For systems that don't have /dev/random - # use this along with PRNGD or EGD.pl to seed the - # random number pool to generate cryptographic session keys. - # Only supported when using OpenLDAP. - # - #tls_randfile /etc/egd-pool - # - # You may restrict which ciphers are used. Consult your SSL - # documentation for which options go here. - # Only supported when using OpenLDAP. - # - #tls_ciphers - # - # Sudo can provide a client certificate when communicating to - # the LDAP server. - # Tips: - # * Enable both lines at the same time. - # * Do not password protect the key file. - # * Ensure the keyfile is only readable by root. - # - # For OpenLDAP: - #tls_cert /etc/certs/client_cert.pem - #tls_key /etc/certs/client_key.pem - # - # For SunONE or iPlanet LDAP, tls_cert and tls_key may specify either - # a directory, in which case the files in the directory must have the - # default names (e.g. cert8.db and key4.db), or the path to the cert - # and key files themselves. However, a bug in version 5.0 of the LDAP - # SDK will prevent specific file names from working. For this reason - # it is suggested that tls_cert and tls_key be set to a directory, - # not a file name. - # - # The certificate database specified by tls_cert may contain CA certs - # and/or the client's cert. If the client's cert is included, tls_key - # should be specified as well. - # For backward compatibility, "sslpath" may be used in place of tls_cert. - #tls_cert /var/ldap - #tls_key /var/ldap - # - # If using SASL authentication for LDAP (OpenSSL) - # use_sasl yes - # sasl_auth_id - # rootuse_sasl yes - # rootsasl_auth_id - # sasl_secprops none - # krb5_ccname /etc/.ldapcache + # Either specify one or more URIs or one or more host:port pairs. + # If neither is specified sudo will default to localhost, port 389. + # + #host ldapserver + #host ldapserver1 ldapserver2:390 + # + # Default port if host is specified without one, defaults to 389. + #port 389 + # + # URI will override the host and port settings. + uri ldap://ldapserver + #uri ldaps://secureldapserver + #uri ldaps://secureldapserver ldap://ldapserver + # + # The amount of time, in seconds, to wait while trying to connect to + # an LDAP server. + bind_timelimit 30 + # + # The amount of time, in seconds, to wait while performing an LDAP query. + timelimit 30 + # + # Must be set or sudo will ignore LDAP; may be specified multiple times. + sudoers_base ou=SUDOers,dc=example,dc=com + # + # verbose sudoers matching from ldap + #sudoers_debug 2 + # + # Enable support for time-based entries in sudoers. + #sudoers_timed yes + # + # optional proxy credentials + #binddn + #bindpw + #rootbinddn + # + # LDAP protocol version, defaults to 3 + #ldap_version 3 + # + # Define if you want to use an encrypted LDAP connection. + # Typically, you must also set the port to 636 (ldaps). + #ssl on + # + # Define if you want to use port 389 and switch to + # encryption before the bind credentials are sent. + # Only supported by LDAP servers that support the start_tls + # extension such as OpenLDAP. + #ssl start_tls + # + # Additional TLS options follow that allow tweaking of the + # SSL/TLS connection. + # + #tls_checkpeer yes # verify server SSL certificate + #tls_checkpeer no # ignore server SSL certificate + # + # If you enable tls_checkpeer, specify either tls_cacertfile + # or tls_cacertdir. Only supported when using OpenLDAP. + # + #tls_cacertfile /etc/certs/trusted_signers.pem + #tls_cacertdir /etc/certs + # + # For systems that don't have /dev/random + # use this along with PRNGD or EGD.pl to seed the + # random number pool to generate cryptographic session keys. + # Only supported when using OpenLDAP. + # + #tls_randfile /etc/egd-pool + # + # You may restrict which ciphers are used. Consult your SSL + # documentation for which options go here. + # Only supported when using OpenLDAP. + # + #tls_ciphers + # + # Sudo can provide a client certificate when communicating to + # the LDAP server. + # Tips: + # * Enable both lines at the same time. + # * Do not password protect the key file. + # * Ensure the keyfile is only readable by root. + # + # For OpenLDAP: + #tls_cert /etc/certs/client_cert.pem + #tls_key /etc/certs/client_key.pem + # + # For SunONE or iPlanet LDAP, tls_cert and tls_key may specify either + # a directory, in which case the files in the directory must have the + # default names (e.g. cert8.db and key4.db), or the path to the cert + # and key files themselves. However, a bug in version 5.0 of the LDAP + # SDK will prevent specific file names from working. For this reason + # it is suggested that tls_cert and tls_key be set to a directory, + # not a file name. + # + # The certificate database specified by tls_cert may contain CA certs + # and/or the client's cert. If the client's cert is included, tls_key + # should be specified as well. + # For backward compatibility, "sslpath" may be used in place of tls_cert. + #tls_cert /var/ldap + #tls_key /var/ldap + # + # If using SASL authentication for LDAP (OpenSSL) + # use_sasl yes + # sasl_auth_id + # rootuse_sasl yes + # rootsasl_auth_id + # sasl_secprops none + # krb5_ccname /etc/.ldapcache SSuuddoo sscchheemmaa ffoorr OOppeennLLDDAAPP - The following schema, in OpenLDAP format, is included with ssuuddoo source - and binary distributions as _s_c_h_e_m_a_._O_p_e_n_L_D_A_P. Simply copy it to the - schema directory (e.g. _/_e_t_c_/_o_p_e_n_l_d_a_p_/_s_c_h_e_m_a), add the proper include - line in slapd.conf and restart ssllaappdd. + The following schema, in OpenLDAP format, is included with ssuuddoo source + and binary distributions as _s_c_h_e_m_a_._O_p_e_n_L_D_A_P. Simply copy it to the + schema directory (e.g. _/_e_t_c_/_o_p_e_n_l_d_a_p_/_s_c_h_e_m_a), add the proper include line + in _s_l_a_p_d_._c_o_n_f and restart ssllaappdd. - attributetype ( 1.3.6.1.4.1.15953.9.1.1 - NAME 'sudoUser' - DESC 'User(s) who may run sudo' - EQUALITY caseExactIA5Match - SUBSTR caseExactIA5SubstringsMatch - SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) + attributetype ( 1.3.6.1.4.1.15953.9.1.1 + NAME 'sudoUser' + DESC 'User(s) who may run sudo' + EQUALITY caseExactIA5Match + SUBSTR caseExactIA5SubstringsMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) - attributetype ( 1.3.6.1.4.1.15953.9.1.2 - NAME 'sudoHost' - DESC 'Host(s) who may run sudo' - EQUALITY caseExactIA5Match - SUBSTR caseExactIA5SubstringsMatch - SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) + attributetype ( 1.3.6.1.4.1.15953.9.1.2 + NAME 'sudoHost' + DESC 'Host(s) who may run sudo' + EQUALITY caseExactIA5Match + SUBSTR caseExactIA5SubstringsMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) - attributetype ( 1.3.6.1.4.1.15953.9.1.3 - NAME 'sudoCommand' - DESC 'Command(s) to be executed by sudo' - EQUALITY caseExactIA5Match - SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) + attributetype ( 1.3.6.1.4.1.15953.9.1.3 + NAME 'sudoCommand' + DESC 'Command(s) to be executed by sudo' + EQUALITY caseExactIA5Match + SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) - attributetype ( 1.3.6.1.4.1.15953.9.1.4 - NAME 'sudoRunAs' - DESC 'User(s) impersonated by sudo' - EQUALITY caseExactIA5Match - SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) + attributetype ( 1.3.6.1.4.1.15953.9.1.4 + NAME 'sudoRunAs' + DESC 'User(s) impersonated by sudo' + EQUALITY caseExactIA5Match + SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) - attributetype ( 1.3.6.1.4.1.15953.9.1.5 - NAME 'sudoOption' - DESC 'Options(s) followed by sudo' - EQUALITY caseExactIA5Match - SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) + attributetype ( 1.3.6.1.4.1.15953.9.1.5 + NAME 'sudoOption' + DESC 'Options(s) followed by sudo' + EQUALITY caseExactIA5Match + SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) - attributetype ( 1.3.6.1.4.1.15953.9.1.6 - NAME 'sudoRunAsUser' - DESC 'User(s) impersonated by sudo' - EQUALITY caseExactIA5Match - SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) + attributetype ( 1.3.6.1.4.1.15953.9.1.6 + NAME 'sudoRunAsUser' + DESC 'User(s) impersonated by sudo' + EQUALITY caseExactIA5Match + SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) - attributetype ( 1.3.6.1.4.1.15953.9.1.7 - NAME 'sudoRunAsGroup' - DESC 'Group(s) impersonated by sudo' - EQUALITY caseExactIA5Match - SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) + attributetype ( 1.3.6.1.4.1.15953.9.1.7 + NAME 'sudoRunAsGroup' + DESC 'Group(s) impersonated by sudo' + EQUALITY caseExactIA5Match + SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) - attributetype ( 1.3.6.1.4.1.15953.9.1.8 - NAME 'sudoNotBefore' - DESC 'Start of time interval for which the entry is valid' - EQUALITY generalizedTimeMatch - ORDERING generalizedTimeOrderingMatch - SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 ) + attributetype ( 1.3.6.1.4.1.15953.9.1.8 + NAME 'sudoNotBefore' + DESC 'Start of time interval for which the entry is valid' + EQUALITY generalizedTimeMatch + ORDERING generalizedTimeOrderingMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 ) - attributetype ( 1.3.6.1.4.1.15953.9.1.9 - NAME 'sudoNotAfter' - DESC 'End of time interval for which the entry is valid' - EQUALITY generalizedTimeMatch - ORDERING generalizedTimeOrderingMatch - SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 ) + attributetype ( 1.3.6.1.4.1.15953.9.1.9 + NAME 'sudoNotAfter' + DESC 'End of time interval for which the entry is valid' + EQUALITY generalizedTimeMatch + ORDERING generalizedTimeOrderingMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 ) - attributeTypes ( 1.3.6.1.4.1.15953.9.1.10 - NAME 'sudoOrder' - DESC 'an integer to order the sudoRole entries' - EQUALITY integerMatch - ORDERING integerOrderingMatch - SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 ) + attributeTypes ( 1.3.6.1.4.1.15953.9.1.10 + NAME 'sudoOrder' + DESC 'an integer to order the sudoRole entries' + EQUALITY integerMatch + ORDERING integerOrderingMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 ) - objectclass ( 1.3.6.1.4.1.15953.9.2.1 NAME 'sudoRole' SUP top STRUCTURAL - DESC 'Sudoer Entries' - MUST ( cn ) - MAY ( sudoUser $ sudoHost $ sudoCommand $ sudoRunAs $ sudoRunAsUser $ - sudoRunAsGroup $ sudoOption $ sudoNotBefore $ sudoNotAfter $ - sudoOrder $ description ) - ) + objectclass ( 1.3.6.1.4.1.15953.9.2.1 NAME 'sudoRole' SUP top STRUCTURAL + DESC 'Sudoer Entries' + MUST ( cn ) + MAY ( sudoUser $ sudoHost $ sudoCommand $ sudoRunAs $ sudoRunAsUser $ + sudoRunAsGroup $ sudoOption $ sudoNotBefore $ sudoNotAfter $ + sudoOrder $ description ) + ) SSEEEE AALLSSOO - _l_d_a_p_._c_o_n_f(4), _s_u_d_o_e_r_s(4) + ldap.conf(1m), sudoers(1m) CCAAVVEEAATTSS - Note that there are differences in the way that LDAP-based _s_u_d_o_e_r_s is - parsed compared to file-based _s_u_d_o_e_r_s. See the "Differences between - LDAP and non-LDAP sudoers" section for more information. + Note that there are differences in the way that LDAP-based _s_u_d_o_e_r_s is + parsed compared to file-based _s_u_d_o_e_r_s. See the _D_i_f_f_e_r_e_n_c_e_s _b_e_t_w_e_e_n _L_D_A_P + _a_n_d _n_o_n_-_L_D_A_P _s_u_d_o_e_r_s section for more information. BBUUGGSS - If you feel you have found a bug in ssuuddoo, please submit a bug report at - http://www.sudo.ws/sudo/bugs/ + If you feel you have found a bug in ssuuddoo, please submit a bug report at + http://www.sudo.ws/sudo/bugs/ SSUUPPPPOORRTT - Limited free support is available via the sudo-users mailing list, see - http://www.sudo.ws/mailman/listinfo/sudo-users to subscribe or search - the archives. + Limited free support is available via the sudo-users mailing list, see + http://www.sudo.ws/mailman/listinfo/sudo-users to subscribe or search the + archives. DDIISSCCLLAAIIMMEERR - ssuuddoo is provided ``AS IS'' and any express or implied warranties, - including, but not limited to, the implied warranties of - merchantability and fitness for a particular purpose are disclaimed. - See the LICENSE file distributed with ssuuddoo or - http://www.sudo.ws/sudo/license.html for complete details. + ssuuddoo is provided ``AS IS'' and any express or implied warranties, + including, but not limited to, the implied warranties of merchantability + and fitness for a particular purpose are disclaimed. See the LICENSE + file distributed with ssuuddoo or http://www.sudo.ws/sudo/license.html for + complete details. - - -1.8.6 July 17, 2012 SUDOERS.LDAP(4) +Sudo 1.8.6 July 12, 2012 Sudo 1.8.6 diff --git a/doc/sudoers.ldap.man.in b/doc/sudoers.ldap.man.in index c97cf5e2c..6ddb4b8ae 100644 --- a/doc/sudoers.ldap.man.in +++ b/doc/sudoers.ldap.man.in @@ -1,10 +1,12 @@ -.\" Copyright (c) 2003-2012 -.\" Todd C. Miller -.\" +.\" DO NOT EDIT THIS FILE, IT IS NOT THE MASTER! +.\" IT IS GENERATED AUTOMATICALLY FROM sudoers.ldap.mdoc.in +.\" +.\" Copyright (c) 2003-2012 Todd C. Miller +.\" .\" Permission to use, copy, modify, and distribute this software for any .\" purpose with or without fee is hereby granted, provided that the above .\" copyright notice and this permission notice appear in all copies. -.\" +.\" .\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES .\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF .\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR @@ -13,935 +15,1180 @@ .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. .\" ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. -.\" -.\" Automatically generated by Pod::Man 2.23 (Pod::Simple 3.14) .\" -.\" Standard preamble: -.\" ======================================================================== -.de Sp \" Vertical space (when we can't use .PP) -.if t .sp .5v -.if n .sp -.. -.de Vb \" Begin verbatim text -.ft CW -.nf -.ne \\$1 -.. -.de Ve \" End verbatim text -.ft R -.fi -.. -.\" Set up some character translations and predefined strings. \*(-- will -.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left -.\" double quote, and \*(R" will give a right double quote. \*(C+ will -.\" give a nicer C++. Capital omega is used to do unbreakable dashes and -.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff, -.\" nothing in troff, for use with C<>. -.tr \(*W- -.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p' -.ie n \{\ -. ds -- \(*W- -. ds PI pi -. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch -. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch -. ds L" "" -. ds R" "" -. ds C` -. ds C' -'br\} -.el\{\ -. ds -- \|\(em\| -. ds PI \(*p -. ds L" `` -. ds R" '' -'br\} -.\" -.\" Escape single quotes in literal strings from groff's Unicode transform. -.ie \n(.g .ds Aq \(aq -.el .ds Aq ' -.\" -.\" If the F register is turned on, we'll generate index entries on stderr for -.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index -.\" entries marked with X<> in POD. Of course, you'll have to process the -.\" output yourself in some meaningful fashion. -.ie \nF \{\ -. de IX -. tm Index:\\$1\t\\n%\t"\\$2" -.. -. nr % 0 -. rr F -.\} -.el \{\ -. de IX -.. -.\} -.\" -.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2). -.\" Fear. Run. Save yourself. No user-serviceable parts. -. \" fudge factors for nroff and troff -.if n \{\ -. ds #H 0 -. ds #V .8m -. ds #F .3m -. ds #[ \f1 -. ds #] \fP -.\} -.if t \{\ -. ds #H ((1u-(\\\\n(.fu%2u))*.13m) -. ds #V .6m -. ds #F 0 -. ds #[ \& -. ds #] \& -.\} -. \" simple accents for nroff and troff -.if n \{\ -. ds ' \& -. ds ` \& -. ds ^ \& -. ds , \& -. ds ~ ~ -. ds / -.\} -.if t \{\ -. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u" -. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u' -. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u' -. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u' -. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u' -. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u' -.\} -. \" troff and (daisy-wheel) nroff accents -.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V' -.ds 8 \h'\*(#H'\(*b\h'-\*(#H' -.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#] -.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H' -.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u' -.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#] -.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#] -.ds ae a\h'-(\w'a'u*4/10)'e -.ds Ae A\h'-(\w'A'u*4/10)'E -. \" corrections for vroff -.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u' -.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u' -. \" for low resolution devices (crt and lpr) -.if \n(.H>23 .if \n(.V>19 \ -\{\ -. ds : e -. ds 8 ss -. ds o a -. ds d- d\h'-1'\(ga -. ds D- D\h'-1'\(hy -. ds th \o'bp' -. ds Th \o'LP' -. ds ae ae -. ds Ae AE -.\} -.rm #[ #] #H #V #F C -.\" ======================================================================== -.\" -.IX Title "SUDOERS.LDAP @mansectform@" -.TH SUDOERS.LDAP @mansectform@ "July 17, 2012" "1.8.6" "MAINTENANCE COMMANDS" -.\" For nroff, turn off justification. Always turn off hyphenation; it makes -.\" way too many mistakes in technical documents. -.if n .ad l -.nh +.TH "SUDOERS.LDAP" "8" "July 12, 2012" "1.8.6" "OpenBSD System Manager's Manual" .SH "NAME" -sudoers.ldap \- sudo LDAP configuration +\fBsudoers.ldap\fR +\- sudo LDAP configuration .SH "DESCRIPTION" -.IX Header "DESCRIPTION" -In addition to the standard \fIsudoers\fR file, \fBsudo\fR may be configured -via \s-1LDAP\s0. This can be especially useful for synchronizing \fIsudoers\fR +In addition to the standard +\fIsudoers\fR +file, +\fBsudo\fR +may be configured +via LDAP. +This can be especially useful for synchronizing +\fIsudoers\fR in a large, distributed environment. .PP -Using \s-1LDAP\s0 for \fIsudoers\fR has several benefits: -.IP "\(bu" 4 -\&\fBsudo\fR no longer needs to read \fIsudoers\fR in its entirety. When -\&\s-1LDAP\s0 is used, there are only two or three \s-1LDAP\s0 queries per invocation. -This makes it especially fast and particularly usable in \s-1LDAP\s0 -environments. -.IP "\(bu" 4 -\&\fBsudo\fR no longer exits if there is a typo in \fIsudoers\fR. -It is not possible to load \s-1LDAP\s0 data into the server that does +Using LDAP for +\fIsudoers\fR +has several benefits: +.TP 4n +\fBo\fR +\fBsudo\fR +no longer needs to read +\fIsudoers\fR +in its entirety. +When LDAP is used, there are only two or three LDAP queries per invocation. +This makes it especially fast and particularly usable in LDAP environments. +.TP 4n +\fBo\fR +\fBsudo\fR +no longer exits if there is a typo in +\fIsudoers\fR. +It is not possible to load LDAP data into the server that does not conform to the sudoers schema, so proper syntax is guaranteed. It is still possible to have typos in a user or host name, but -this will not prevent \fBsudo\fR from running. -.IP "\(bu" 4 +this will not prevent +\fBsudo\fR +from running. +.TP 4n +\fBo\fR It is possible to specify per-entry options that override the global -default options. \fI@sysconfdir@/sudoers\fR only supports default options and -limited options associated with user/host/commands/aliases. The -syntax is complicated and can be difficult for users to understand. +default options. +\fI@sysconfdir@/sudoers\fR +only supports default options and limited options associated with +user/host/commands/aliases. +The syntax is complicated and can be difficult for users to understand. Placing the options directly in the entry is more natural. -.IP "\(bu" 4 -The \fBvisudo\fR program is no longer needed. \fBvisudo\fR provides -locking and syntax checking of the \fI@sysconfdir@/sudoers\fR file. -Since \s-1LDAP\s0 updates are atomic, locking is no longer necessary. -Because syntax is checked when the data is inserted into \s-1LDAP\s0, there +.TP 4n +\fBo\fR +The +\fBvisudo\fR +program is no longer needed. +\fBvisudo\fR +provides locking and syntax checking of the +\fI@sysconfdir@/sudoers\fR +file. +Since LDAP updates are atomic, locking is no longer necessary. +Because syntax is checked when the data is inserted into LDAP, there is no need for a specialized tool to check syntax. .PP -Another major difference between \s-1LDAP\s0 and file-based \fIsudoers\fR -is that in \s-1LDAP\s0, \fBsudo\fR\-specific Aliases are not supported. +Another major difference between LDAP and file-based +\fIsudoers\fR +is that in LDAP, +\fBsudo\fR-specific +Aliases are not supported. .PP -For the most part, there is really no need for \fBsudo\fR\-specific -Aliases. Unix groups or user netgroups can be used in place of -User_Aliases and Runas_Aliases. Host netgroups can be used in place -of Host_Aliases. Since Unix groups and netgroups can also be stored -in \s-1LDAP\s0 there is no real need for \fBsudo\fR\-specific aliases. +For the most part, there is really no need for +\fBsudo\fR-specific +Aliases. +Unix groups or user netgroups can be used in place of User_Aliases and +Runas_Aliases. +Host netgroups can be used in place of Host_Aliases. +Since Unix groups and netgroups can also be stored in LDAP there is no +real need for +\fBsudo\fR-specific +aliases. .PP Cmnd_Aliases are not really required either since it is possible -to have multiple users listed in a \f(CW\*(C`sudoRole\*(C'\fR. Instead of defining -a Cmnd_Alias that is referenced by multiple users, one can create -a \f(CW\*(C`sudoRole\*(C'\fR that contains the commands and assign multiple users -to it. -.SS "SUDOers \s-1LDAP\s0 container" -.IX Subsection "SUDOers LDAP container" -The \fIsudoers\fR configuration is contained in the \f(CW\*(C`ou=SUDOers\*(C'\fR \s-1LDAP\s0 -container. +to have multiple users listed in a +\fRsudoRole\fR. +Instead of defining a Cmnd_Alias that is referenced by multiple users, +one can create a +\fRsudoRole\fR +that contains the commands and assign multiple users to it. +.SS "SUDOers LDAP container" +The +\fIsudoers\fR +configuration is contained in the +\fRou=SUDOers\fR +LDAP container. .PP -Sudo first looks for the \f(CW\*(C`cn=default\*(C'\fR entry in the SUDOers container. -If found, the multi-valued \f(CW\*(C`sudoOption\*(C'\fR attribute is parsed in the -same manner as a global \f(CW\*(C`Defaults\*(C'\fR line in \fI@sysconfdir@/sudoers\fR. In -the following example, the \f(CW\*(C`SSH_AUTH_SOCK\*(C'\fR variable will be preserved -in the environment for all users. +Sudo first looks for the +\fRcn=default\fR +entry in the SUDOers container. +If found, the multi-valued +\fRsudoOption\fR +attribute is parsed in the same manner as a global +\fRDefaults\fR +line in +\fI@sysconfdir@/sudoers\fR. +In the following example, the +\fRSSH_AUTH_SOCK\fR +variable will be preserved in the environment for all users. +.nf +.sp +.RS 4n +dn: cn=defaults,ou=SUDOers,dc=example,dc=com +objectClass: top +objectClass: sudoRole +cn: defaults +description: Default sudoOption's go here +sudoOption: env_keep+=SSH_AUTH_SOCK +.RE +.fi .PP -.Vb 6 -\& dn: cn=defaults,ou=SUDOers,dc=example,dc=com -\& objectClass: top -\& objectClass: sudoRole -\& cn: defaults -\& description: Default sudoOption\*(Aqs go here -\& sudoOption: env_keep+=SSH_AUTH_SOCK -.Ve -.PP -The equivalent of a sudoer in \s-1LDAP\s0 is a \f(CW\*(C`sudoRole\*(C'\fR. It consists of -the following attributes: -.IP "\fBsudoUser\fR" 4 -.IX Item "sudoUser" -A user name, user \s-1ID\s0 (prefixed with \f(CW\*(Aq#\*(Aq\fR), Unix group (prefixed with -\&\f(CW\*(Aq%\*(Aq\fR), Unix group \s-1ID\s0 (prefixed with \f(CW\*(Aq%#\*(Aq\fR), or user netgroup -(prefixed with \f(CW\*(Aq+\*(Aq\fR). -.IP "\fBsudoHost\fR" 4 -.IX Item "sudoHost" -A host name, \s-1IP\s0 address, \s-1IP\s0 network, or host netgroup (prefixed -with a \f(CW\*(Aq+\*(Aq\fR). -The special value \f(CW\*(C`ALL\*(C'\fR will match any host. -.IP "\fBsudoCommand\fR" 4 -.IX Item "sudoCommand" +The equivalent of a sudoer in LDAP is a +\fRsudoRole\fR. +It consists of the following attributes: +.TP 6n +\fBsudoUser\fR +A user name, user ID (prefixed with +`#'), +Unix group (prefixed with +`%'), +Unix group ID (prefixed with +`%#'), +or user netgroup (prefixed with +`+'). +.TP 6n +\fBsudoHost\fR +A host name, IP address, IP network, or host netgroup (prefixed with a +`+'). +The special value +\fRALL\fR +will match any host. +.TP 6n +\fBsudoCommand\fR A Unix command with optional command line arguments, potentially including globbing characters (aka wild cards). -The special value \f(CW\*(C`ALL\*(C'\fR will match any command. -If a command is prefixed with an exclamation point \f(CW\*(Aq!\*(Aq\fR, the -user will be prohibited from running that command. -.IP "\fBsudoOption\fR" 4 -.IX Item "sudoOption" +The special value +\fRALL\fR +will match any command. +If a command is prefixed with an exclamation point +`\&!', +the user will be prohibited from running that command. +.TP 6n +\fBsudoOption\fR Identical in function to the global options described above, but -specific to the \f(CW\*(C`sudoRole\*(C'\fR in which it resides. -.IP "\fBsudoRunAsUser\fR" 4 -.IX Item "sudoRunAsUser" -A user name or uid (prefixed with \f(CW\*(Aq#\*(Aq\fR) that commands may be run -as or a Unix group (prefixed with a \f(CW\*(Aq%\*(Aq\fR) or user netgroup (prefixed -with a \f(CW\*(Aq+\*(Aq\fR) that contains a list of users that commands may be -run as. -The special value \f(CW\*(C`ALL\*(C'\fR will match any user. -.Sp -The \f(CW\*(C`sudoRunAsUser\*(C'\fR attribute is only available in \fBsudo\fR versions -1.7.0 and higher. Older versions of \fBsudo\fR use the \f(CW\*(C`sudoRunAs\*(C'\fR -attribute instead. -.IP "\fBsudoRunAsGroup\fR" 4 -.IX Item "sudoRunAsGroup" -A Unix group or gid (prefixed with \f(CW\*(Aq#\*(Aq\fR) that commands may be run as. -The special value \f(CW\*(C`ALL\*(C'\fR will match any group. -.Sp -The \f(CW\*(C`sudoRunAsGroup\*(C'\fR attribute is only available in \fBsudo\fR versions +specific to the +\fRsudoRole\fR +in which it resides. +.TP 6n +\fBsudoRunAsUser\fR +A user name or uid (prefixed with +`#') +that commands may be run as or a Unix group (prefixed with a +`%') +or user netgroup (prefixed with a +`+') +that contains a list of users that commands may be run as. +The special value +\fRALL\fR +will match any user. +.sp +The +\fRsudoRunAsUser\fR +attribute is only available in +\fBsudo\fR +versions 1.7.0 and higher. -.IP "\fBsudoNotBefore\fR" 4 -.IX Item "sudoNotBefore" -A timestamp in the form \f(CW\*(C`yyyymmddHHMMSSZ\*(C'\fR that can be used to provide -a start date/time for when the \f(CW\*(C`sudoRole\*(C'\fR will be valid. If -multiple \f(CW\*(C`sudoNotBefore\*(C'\fR entries are present, the earliest is used. -Note that timestamps must be in Coordinated Universal Time (\s-1UTC\s0), -not the local timezone. The minute and seconds portions are optional, -but some \s-1LDAP\s0 servers require that they be present (contrary to the \s-1RFC\s0). -.Sp -The \f(CW\*(C`sudoNotBefore\*(C'\fR attribute is only available in \fBsudo\fR versions -1.7.5 and higher and must be explicitly enabled via the \fB\s-1SUDOERS_TIMED\s0\fR -option in \fI@ldap_conf@\fR. -.IP "\fBsudoNotAfter\fR" 4 -.IX Item "sudoNotAfter" -A timestamp in the form \f(CW\*(C`yyyymmddHHMMSSZ\*(C'\fR that indicates an expiration -date/time, after which the \f(CW\*(C`sudoRole\*(C'\fR will no longer be valid. If -multiple \f(CW\*(C`sudoNotBefore\*(C'\fR entries are present, the last one is used. -Note that timestamps must be in Coordinated Universal Time (\s-1UTC\s0), -not the local timezone. The minute and seconds portions are optional, -but some \s-1LDAP\s0 servers require that they be present (contrary to the \s-1RFC\s0). -.Sp -The \f(CW\*(C`sudoNotAfter\*(C'\fR attribute is only available in \fBsudo\fR versions -1.7.5 and higher and must be explicitly enabled via the \fB\s-1SUDOERS_TIMED\s0\fR -option in \fI@ldap_conf@\fR. -.IP "\fBsudoOrder\fR" 4 -.IX Item "sudoOrder" -The \f(CW\*(C`sudoRole\*(C'\fR entries retrieved from the \s-1LDAP\s0 directory have no -inherent order. The \f(CW\*(C`sudoOrder\*(C'\fR attribute is an integer (or -floating point value for \s-1LDAP\s0 servers that support it) that is used -to sort the matching entries. This allows LDAP-based sudoers entries -to more closely mimic the behaviour of the sudoers file, where the -of the entries influences the result. If multiple entries match, -the entry with the highest \f(CW\*(C`sudoOrder\*(C'\fR attribute is chosen. This -corresponds to the \*(L"last match\*(R" behavior of the sudoers file. If -the \f(CW\*(C`sudoOrder\*(C'\fR attribute is not present, a value of 0 is assumed. -.Sp -The \f(CW\*(C`sudoOrder\*(C'\fR attribute is only available in \fBsudo\fR versions -1.7.5 and higher. +Older versions of +\fBsudo\fR +use the +\fRsudoRunAs\fR +attribute instead. +.TP 6n +\fBsudoRunAsGroup\fR +A Unix group or gid (prefixed with +`#') +that commands may be run as. +The special value +\fRALL\fR +will match any group. +.sp +The +\fRsudoRunAsGroup\fR +attribute is only available in +\fBsudo\fR +versions +1.7.0 and higher. +.TP 6n +\fBsudoNotBefore\fR +A timestamp in the form +\fRyyyymmddHHMMSSZ\fR +that can be used to provide a start date/time for when the +\fRsudoRole\fR +will be valid. +If multiple +\fRsudoNotBefore\fR +entries are present, the earliest is used. +Note that timestamps must be in Coordinated Universal Time (UTC), +not the local timezone. +The minute and seconds portions are optional, but some LDAP servers +require that they be present (contrary to the RFC). +.sp +The +\fRsudoNotBefore\fR +attribute is only available in +\fBsudo\fR +versions 1.7.5 and higher and must be explicitly enabled via the +\fBSUDOERS_TIMED\fR +option in +\fI@ldap_conf@\fR. +.TP 6n +\fBsudoNotAfter\fR +A timestamp in the form +\fRyyyymmddHHMMSSZ\fR +that indicates an expiration date/time, after which the +\fRsudoRole\fR +will no longer be valid. +If multiple +\fRsudoNotBefore\fR +entries are present, the last one is used. +Note that timestamps must be in Coordinated Universal Time (UTC), +not the local timezone. +The minute and seconds portions are optional, but some LDAP servers +require that they be present (contrary to the RFC). +.sp +The +\fRsudoNotAfter\fR +attribute is only available in +\fBsudo\fR +versions +1.7.5 and higher and must be explicitly enabled via the +\fBSUDOERS_TIMED\fR +option in +\fI@ldap_conf@\fR. +.TP 6n +\fBsudoOrder\fR +The +\fRsudoRole\fR +entries retrieved from the LDAP directory have no inherent order. +The +\fRsudoOrder\fR +attribute is an integer (or floating point value for LDAP servers +that support it) that is used to sort the matching entries. +This allows LDAP-based sudoers entries to more closely mimic the behaviour +of the sudoers file, where the of the entries influences the result. +If multiple entries match, the entry with the highest +\fRsudoOrder\fR +attribute is chosen. +This corresponds to the +``last match'' +behavior of the sudoers file. +If the +\fRsudoOrder\fR +attribute is not present, a value of 0 is assumed. +.sp +The +\fRsudoOrder\fR +attribute is only available in +\fBsudo\fR +versions 1.7.5 and higher. .PP Each attribute listed above should contain a single value, but there -may be multiple instances of each attribute type. A \f(CW\*(C`sudoRole\*(C'\fR must -contain at least one \f(CW\*(C`sudoUser\*(C'\fR, \f(CW\*(C`sudoHost\*(C'\fR and \f(CW\*(C`sudoCommand\*(C'\fR. +may be multiple instances of each attribute type. +A +\fRsudoRole\fR +must contain at least one +\fRsudoUser\fR, +\fRsudoHost\fR +and +\fRsudoCommand\fR. .PP The following example allows users in group wheel to run any command -on any host via \fBsudo\fR: +on any host via +\fBsudo\fR: +.nf +.sp +.RS 4n +dn: cn=%wheel,ou=SUDOers,dc=example,dc=com +objectClass: top +objectClass: sudoRole +cn: %wheel +sudoUser: %wheel +sudoHost: ALL +sudoCommand: ALL +.RE +.fi +.SS "Anatomy of LDAP sudoers lookup" +When looking up a sudoer using LDAP there are only two or three +LDAP queries per invocation. +The first query is to parse the global options. +The second is to match against the user's name and the groups that +the user belongs to. +(The special +\fRALL\fR +tag is matched in this query too.) +If no match is returned for the user's name and groups, a third +query returns all entries containing user netgroups and checks +to see if the user belongs to any of them. .PP -.Vb 7 -\& dn: cn=%wheel,ou=SUDOers,dc=example,dc=com -\& objectClass: top -\& objectClass: sudoRole -\& cn: %wheel -\& sudoUser: %wheel -\& sudoHost: ALL -\& sudoCommand: ALL -.Ve -.SS "Anatomy of \s-1LDAP\s0 sudoers lookup" -.IX Subsection "Anatomy of LDAP sudoers lookup" -When looking up a sudoer using \s-1LDAP\s0 there are only two or three -\&\s-1LDAP\s0 queries per invocation. The first query is to parse the global -options. The second is to match against the user's name and the -groups that the user belongs to. (The special \s-1ALL\s0 tag is matched -in this query too.) If no match is returned for the user's name -and groups, a third query returns all entries containing user -netgroups and checks to see if the user belongs to any of them. -.PP -If timed entries are enabled with the \fB\s-1SUDOERS_TIMED\s0\fR configuration -directive, the \s-1LDAP\s0 queries include a subfilter that limits retrieval -to entries that satisfy the time constraints, if any. -.SS "Differences between \s-1LDAP\s0 and non-LDAP sudoers" -.IX Subsection "Differences between LDAP and non-LDAP sudoers" +If timed entries are enabled with the +\fBSUDOERS_TIMED\fR +configuration directive, the LDAP queries include a subfilter that +limits retrieval to entries that satisfy the time constraints, if any. +.SS "Differences between LDAP and non-LDAP sudoers" There are some subtle differences in the way sudoers is handled -once in \s-1LDAP\s0. Probably the biggest is that according to the \s-1RFC\s0, -\&\s-1LDAP\s0 ordering is arbitrary and you cannot expect that Attributes -and Entries are returned in any specific order. +once in LDAP. +Probably the biggest is that according to the RFC, LDAP ordering +is arbitrary and you cannot expect that Attributes and Entries are +returned in any specific order. .PP The order in which different entries are applied can be controlled -using the \f(CW\*(C`sudoOrder\*(C'\fR attribute, but there is no way to guarantee -the order of attributes within a specific entry. If there are -conflicting command rules in an entry, the negative takes precedence. +using the +\fRsudoOrder\fR +attribute, but there is no way to guarantee the order of attributes +within a specific entry. +If there are conflicting command rules in an entry, the negative +takes precedence. This is called paranoid behavior (not necessarily the most specific match). .PP Here is an example: -.PP -.Vb 5 -\& # /etc/sudoers: -\& # Allow all commands except shell -\& johnny ALL=(root) ALL,!/bin/sh -\& # Always allows all commands because ALL is matched last -\& puddles ALL=(root) !/bin/sh,ALL -\& -\& # LDAP equivalent of johnny -\& # Allows all commands except shell -\& dn: cn=role1,ou=Sudoers,dc=my\-domain,dc=com -\& objectClass: sudoRole -\& objectClass: top -\& cn: role1 -\& sudoUser: johnny -\& sudoHost: ALL -\& sudoCommand: ALL -\& sudoCommand: !/bin/sh -\& -\& # LDAP equivalent of puddles -\& # Notice that even though ALL comes last, it still behaves like -\& # role1 since the LDAP code assumes the more paranoid configuration -\& dn: cn=role2,ou=Sudoers,dc=my\-domain,dc=com -\& objectClass: sudoRole -\& objectClass: top -\& cn: role2 -\& sudoUser: puddles -\& sudoHost: ALL -\& sudoCommand: !/bin/sh -\& sudoCommand: ALL -.Ve +.nf +.sp +.RS 4n +# /etc/sudoers: +# Allow all commands except shell +johnny ALL=(root) ALL,!/bin/sh +# Always allows all commands because ALL is matched last +puddles ALL=(root) !/bin/sh,ALL + +# LDAP equivalent of johnny +# Allows all commands except shell +dn: cn=role1,ou=Sudoers,dc=my-domain,dc=com +objectClass: sudoRole +objectClass: top +cn: role1 +sudoUser: johnny +sudoHost: ALL +sudoCommand: ALL +sudoCommand: !/bin/sh + +# LDAP equivalent of puddles +# Notice that even though ALL comes last, it still behaves like +# role1 since the LDAP code assumes the more paranoid configuration +dn: cn=role2,ou=Sudoers,dc=my-domain,dc=com +objectClass: sudoRole +objectClass: top +cn: role2 +sudoUser: puddles +sudoHost: ALL +sudoCommand: !/bin/sh +sudoCommand: ALL +.RE +.fi .PP Another difference is that negations on the Host, User or Runas are -currently ignored. For example, the following attributes do not -behave the way one might expect. -.PP -.Vb 3 -\& # does not match all but joe -\& # rather, does not match anyone -\& sudoUser: !joe -\& -\& # does not match all but joe -\& # rather, matches everyone including Joe -\& sudoUser: ALL -\& sudoUser: !joe -\& -\& # does not match all but web01 -\& # rather, matches all hosts including web01 -\& sudoHost: ALL -\& sudoHost: !web01 -.Ve +currently ignored. +For example, the following attributes do not behave the way one might expect. +.nf +.sp +.RS 4n +# does not match all but joe +# rather, does not match anyone +sudoUser: !joe + +# does not match all but joe +# rather, matches everyone including Joe +sudoUser: ALL +sudoUser: !joe + +# does not match all but web01 +# rather, matches all hosts including web01 +sudoHost: ALL +sudoHost: !web01 +.RE +.fi .SS "Sudoers Schema" -.IX Subsection "Sudoers Schema" -In order to use \fBsudo\fR's \s-1LDAP\s0 support, the \fBsudo\fR schema must be -installed on your \s-1LDAP\s0 server. In addition, be sure to index the -\&'sudoUser' attribute. +In order to use +\fBsudo\fR's +LDAP support, the +\fBsudo\fR +schema must be +installed on your LDAP server. +In addition, be sure to index the +\fRsudoUser\fR +attribute. .PP -Three versions of the schema: one for OpenLDAP servers (\fIschema.OpenLDAP\fR), -one for Netscape-derived servers (\fIschema.iPlanet\fR), and one for -Microsoft Active Directory (\fIschema.ActiveDirectory\fR) may -be found in the \fBsudo\fR distribution. +Three versions of the schema: one for OpenLDAP servers +(\fIschema.OpenLDAP\fR), +one for Netscape-derived servers +(\fIschema.iPlanet\fR), +and one for Microsoft Active Directory +(\fIschema.ActiveDirectory\fR) +may be found in the +\fBsudo\fR +distribution. .PP -The schema for \fBsudo\fR in OpenLDAP form is included in the \s-1EXAMPLES\s0 +The schema for +\fBsudo\fR +in OpenLDAP form is also included in the +\fIEXAMPLES\fR section. .SS "Configuring ldap.conf" -.IX Subsection "Configuring ldap.conf" -Sudo reads the \fI@ldap_conf@\fR file for LDAP-specific configuration. +Sudo reads the +\fI@ldap_conf@\fR +file for LDAP-specific configuration. Typically, this file is shared amongst different LDAP-aware clients. -As such, most of the settings are not \fBsudo\fR\-specific. Note that -\&\fBsudo\fR parses \fI@ldap_conf@\fR itself and may support options that -differ from those described in the system's \fIldap.conf\fR\|(@mansectform@) manual. +As such, most of the settings are not +\fBsudo\fR-specific. +Note that +\fBsudo\fR +parses +\fI@ldap_conf@\fR +itself and may support options that differ from those described in the +system's +ldap.conf(@mansectsu@) +manual. .PP Also note that on systems using the OpenLDAP libraries, default -values specified in \fI/etc/openldap/ldap.conf\fR or the user's -\&\fI.ldaprc\fR files are not used. +values specified in +\fI/etc/openldap/ldap.conf\fR +or the user's +\fI.ldaprc\fR +files are not used. .PP -Only those options explicitly listed in \fI@ldap_conf@\fR as being -supported by \fBsudo\fR are honored. Configuration options are listed -below in upper case but are parsed in a case-independent manner. -.IP "\fB\s-1URI\s0\fR ldap[s]://[hostname[:port]] ..." 4 -.IX Item "URI ldap[s]://[hostname[:port]] ..." +Only those options explicitly listed in +\fI@ldap_conf@\fR +as being supported by +\fBsudo\fR +are honored. +Configuration options are listed below in upper case but are parsed +in a case-independent manner. +.TP 6n +\fBURI\fR \fIldap[s]://[hostname[:port]] ...\fR Specifies a whitespace-delimited list of one or more URIs describing -the \s-1LDAP\s0 server(s) to connect to. The \fIprotocol\fR may be either -\&\fBldap\fR or \fBldaps\fR, the latter being for servers that support \s-1TLS\s0 -(\s-1SSL\s0) encryption. If no \fIport\fR is specified, the default is port -389 for \f(CW\*(C`ldap://\*(C'\fR or port 636 for \f(CW\*(C`ldaps://\*(C'\fR. If no \fIhostname\fR -is specified, \fBsudo\fR will connect to \fBlocalhost\fR. Multiple \fB\s-1URI\s0\fR -lines are treated identically to a \fB\s-1URI\s0\fR line containing multiple -entries. Only systems using the OpenSSL libraries support the -mixing of \f(CW\*(C`ldap://\*(C'\fR and \f(CW\*(C`ldaps://\*(C'\fR URIs. Both the Netscape-derived -and Tivoli \s-1LDAP\s0 libraries used on most commercial versions of Unix -are only capable of supporting one or the other. -.IP "\fB\s-1HOST\s0\fR name[:port] ..." 4 -.IX Item "HOST name[:port] ..." -If no \fB\s-1URI\s0\fR is specified, the \fB\s-1HOST\s0\fR parameter specifies a -whitespace-delimited list of \s-1LDAP\s0 servers to connect to. Each host -may include an optional \fIport\fR separated by a colon (':'). The -\&\fB\s-1HOST\s0\fR parameter is deprecated in favor of the \fB\s-1URI\s0\fR specification -and is included for backwards compatibility. -.IP "\fB\s-1PORT\s0\fR port_number" 4 -.IX Item "PORT port_number" -If no \fB\s-1URI\s0\fR is specified, the \fB\s-1PORT\s0\fR parameter specifies the -default port to connect to on the \s-1LDAP\s0 server if a \fB\s-1HOST\s0\fR parameter -does not specify the port itself. If no \fB\s-1PORT\s0\fR parameter is used, -the default is port 389 for \s-1LDAP\s0 and port 636 for \s-1LDAP\s0 over \s-1TLS\s0 -(\s-1SSL\s0). The \fB\s-1PORT\s0\fR parameter is deprecated in favor of the \fB\s-1URI\s0\fR +the LDAP server(s) to connect to. +The +\fIprotocol\fR +may be either +\fIldap\fR +\fIldaps\fR, +the latter being for servers that support TLS (SSL) encryption. +If no +\fIport\fR +is specified, the default is port 389 for +\fRldap://\fR +or port 636 for +\fRldaps://\fR. +If no +\fIhostname\fR +is specified, +\fBsudo\fR +will connect to +\fIlocalhost\fR. +Multiple +\fBURI\fR +lines are treated identically to a +\fBURI\fR +line containing multiple entries. +Only systems using the OpenSSL libraries support the mixing of +\fRldap://\fR +and +\fRldaps://\fR +URIs. +Both the Netscape-derived and Tivoli LDAP libraries used on most commercial +versions of Unix are only capable of supporting one or the other. +.TP 6n +\fBHOST\fR \fIname[:port] ...\fR +If no +\fBURI\fR +is specified, the +\fBHOST\fR +parameter specifies a whitespace-delimited list of LDAP servers to connect to. +Each host may include an optional +\fIport\fR +separated by a colon +(`:\&'). +The +\fBHOST\fR +parameter is deprecated in favor of the +\fBURI\fR specification and is included for backwards compatibility. -.IP "\fB\s-1BIND_TIMELIMIT\s0\fR seconds" 4 -.IX Item "BIND_TIMELIMIT seconds" -The \fB\s-1BIND_TIMELIMIT\s0\fR parameter specifies the amount of time, in seconds, -to wait while trying to connect to an \s-1LDAP\s0 server. If multiple \fB\s-1URI\s0\fRs or -\&\fB\s-1HOST\s0\fRs are specified, this is the amount of time to wait before trying +.TP 6n +\fBPORT\fR \fIport_number\fR +If no +\fBURI\fR +is specified, the +\fBPORT\fR +parameter specifies the default port to connect to on the LDAP server if a +\fBHOST\fR +parameter does not specify the port itself. +If no +\fBPORT\fR +parameter is used, the default is port 389 for LDAP and port 636 for LDAP +over TLS (SSL). +The +\fBPORT\fR +parameter is deprecated in favor of the +\fBURI\fR +specification and is included for backwards compatibility. +.TP 6n +\fBBIND_TIMELIMIT\fR \fIseconds\fR +The +\fBBIND_TIMELIMIT\fR +parameter specifies the amount of time, in seconds, to wait while trying +to connect to an LDAP server. +If multiple +\fBURI\fRs +or +\fBHOST\fRs +are specified, this is the amount of time to wait before trying the next one in the list. -.IP "\fB\s-1NETWORK_TIMEOUT\s0\fR seconds" 4 -.IX Item "NETWORK_TIMEOUT seconds" -An alias for \fB\s-1BIND_TIMELIMIT\s0\fR for OpenLDAP compatibility. -.IP "\fB\s-1TIMELIMIT\s0\fR seconds" 4 -.IX Item "TIMELIMIT seconds" -The \fB\s-1TIMELIMIT\s0\fR parameter specifies the amount of time, in seconds, -to wait for a response to an \s-1LDAP\s0 query. -.IP "\fB\s-1TIMEOUT\s0\fR seconds" 4 -.IX Item "TIMEOUT seconds" -The \fB\s-1TIMEOUT\s0\fR parameter specifies the amount of time, in seconds, -to wait for a response from the various \s-1LDAP\s0 APIs. -.IP "\fB\s-1SUDOERS_BASE\s0\fR base" 4 -.IX Item "SUDOERS_BASE base" -The base \s-1DN\s0 to use when performing \fBsudo\fR \s-1LDAP\s0 queries. Typically -this is of the form \f(CW\*(C`ou=SUDOers,dc=example,dc=com\*(C'\fR for the domain -\&\f(CW\*(C`example.com\*(C'\fR. Multiple \fB\s-1SUDOERS_BASE\s0\fR lines may be specified, -in which case they are queried in the order specified. -.IP "\fB\s-1SUDOERS_SEARCH_FILTER\s0\fR ldap_filter" 4 -.IX Item "SUDOERS_SEARCH_FILTER ldap_filter" -An \s-1LDAP\s0 filter which is used to restrict the set of records returned -when performing a \fBsudo\fR \s-1LDAP\s0 query. Typically, this is of the -form \f(CW\*(C`attribute=value\*(C'\fR or \f(CW\*(C`(&(attribute=value)(attribute2=value2))\*(C'\fR. -.IP "\fB\s-1SUDOERS_TIMED\s0\fR on/true/yes/off/false/no" 4 -.IX Item "SUDOERS_TIMED on/true/yes/off/false/no" -Whether or not to evaluate the \f(CW\*(C`sudoNotBefore\*(C'\fR and \f(CW\*(C`sudoNotAfter\*(C'\fR +.TP 6n +\fBNETWORK_TIMEOUT\fR \fIseconds\fR +An alias for +\fBBIND_TIMELIMIT\fR +for OpenLDAP compatibility. +.TP 6n +\fBTIMELIMIT\fR \fIseconds\fR +The +\fBTIMELIMIT\fR +parameter specifies the amount of time, in seconds, to wait for a +response to an LDAP query. +.TP 6n +\fBTIMEOUT\fR \fIseconds\fR +The +\fBTIMEOUT\fR +parameter specifies the amount of time, in seconds, to wait for a +response from the various LDAP APIs. +.TP 6n +\fBSUDOERS_BASE\fR \fIbase\fR +The base DN to use when performing +\fBsudo\fR +LDAP queries. +Typically this is of the form +\fRou=SUDOers,dc=example,dc=com\fR +for the domain +\fRexample.com\fR. +Multiple +\fBSUDOERS_BASE\fR +lines may be specified, in which case they are queried in the order specified. +.TP 6n +\fBSUDOERS_SEARCH_FILTER\fR \fIldap_filter\fR +An LDAP filter which is used to restrict the set of records returned +when performing a +\fBsudo\fR +LDAP query. +Typically, this is of the +form +\fRattribute=value\fR +or +\fR(&(attribute=value)(attribute2=value2))\fR. +.TP 6n +\fBSUDOERS_TIMED\fR \fIon/true/yes/off/false/no\fR +Whether or not to evaluate the +\fRsudoNotBefore\fR +and +\fRsudoNotAfter\fR attributes that implement time-dependent sudoers entries. -.IP "\fB\s-1SUDOERS_DEBUG\s0\fR debug_level" 4 -.IX Item "SUDOERS_DEBUG debug_level" -This sets the debug level for \fBsudo\fR \s-1LDAP\s0 queries. Debugging -information is printed to the standard error. A value of 1 results -in a moderate amount of debugging information. A value of 2 shows -the results of the matches themselves. This parameter should not -be set in a production environment as the extra information is -likely to confuse users. -.IP "\fB\s-1BINDDN\s0\fR \s-1DN\s0" 4 -.IX Item "BINDDN DN" -The \fB\s-1BINDDN\s0\fR parameter specifies the identity, in the form of a -Distinguished Name (\s-1DN\s0), to use when performing \s-1LDAP\s0 operations. -If not specified, \s-1LDAP\s0 operations are performed with an anonymous -identity. By default, most \s-1LDAP\s0 servers will allow anonymous access. -.IP "\fB\s-1BINDPW\s0\fR secret" 4 -.IX Item "BINDPW secret" -The \fB\s-1BINDPW\s0\fR parameter specifies the password to use when performing -\&\s-1LDAP\s0 operations. This is typically used in conjunction with the -\&\fB\s-1BINDDN\s0\fR parameter. -.IP "\fB\s-1ROOTBINDDN\s0\fR \s-1DN\s0" 4 -.IX Item "ROOTBINDDN DN" -The \fB\s-1ROOTBINDDN\s0\fR parameter specifies the identity, in the form of -a Distinguished Name (\s-1DN\s0), to use when performing privileged \s-1LDAP\s0 -operations, such as \fIsudoers\fR queries. The password corresponding -to the identity should be stored in \fI@ldap_secret@\fR. -If not specified, the \fB\s-1BINDDN\s0\fR identity is used (if any). -.IP "\fB\s-1LDAP_VERSION\s0\fR number" 4 -.IX Item "LDAP_VERSION number" -The version of the \s-1LDAP\s0 protocol to use when connecting to the server. +.TP 6n +\fBSUDOERS_DEBUG\fR \fIdebug_level\fR +This sets the debug level for +\fBsudo\fR +LDAP queries. +Debugging information is printed to the standard error. +A value of 1 results in a moderate amount of debugging information. +A value of 2 shows the results of the matches themselves. +This parameter should not be set in a production environment as the +extra information is likely to confuse users. +.TP 6n +\fBBINDDN\fR \fIDN\fR +The +\fBBINDDN\fR +parameter specifies the identity, in the form of a Distinguished Name (DN), +to use when performing LDAP operations. +If not specified, LDAP operations are performed with an anonymous identity. +By default, most LDAP servers will allow anonymous access. +.TP 6n +\fBBINDPW\fR \fIsecret\fR +The +\fBBINDPW\fR +parameter specifies the password to use when performing LDAP operations. +This is typically used in conjunction with the +\fBBINDDN\fR +parameter. +.TP 6n +\fBROOTBINDDN\fR \fIDN\fR +The +\fBROOTBINDDN\fR +parameter specifies the identity, in the form of a Distinguished Name (DN), +to use when performing privileged LDAP operations, such as +\fIsudoers\fR +queries. +The password corresponding +to the identity should be stored in +\fI@ldap_secret@\fR. +If not specified, the +\fBBINDDN\fR +identity is used (if any). +.TP 6n +\fBLDAP_VERSION\fR \fInumber\fR +The version of the LDAP protocol to use when connecting to the server. The default value is protocol version 3. -.IP "\fB\s-1SSL\s0\fR on/true/yes/off/false/no" 4 -.IX Item "SSL on/true/yes/off/false/no" -If the \fB\s-1SSL\s0\fR parameter is set to \f(CW\*(C`on\*(C'\fR, \f(CW\*(C`true\*(C'\fR or \f(CW\*(C`yes\*(C'\fR, \s-1TLS\s0 -(\s-1SSL\s0) encryption is always used when communicating with the \s-1LDAP\s0 -server. Typically, this involves connecting to the server on port -636 (ldaps). -.IP "\fB\s-1SSL\s0\fR start_tls" 4 -.IX Item "SSL start_tls" -If the \fB\s-1SSL\s0\fR parameter is set to \f(CW\*(C`start_tls\*(C'\fR, the \s-1LDAP\s0 server -connection is initiated normally and \s-1TLS\s0 encryption is begun before -the bind credentials are sent. This has the advantage of not -requiring a dedicated port for encrypted communications. This -parameter is only supported by \s-1LDAP\s0 servers that honor the \f(CW\*(C`start_tls\*(C'\fR -extension, such as the OpenLDAP server. -.IP "\fB\s-1TLS_CHECKPEER\s0\fR on/true/yes/off/false/no" 4 -.IX Item "TLS_CHECKPEER on/true/yes/off/false/no" -If enabled, \fB\s-1TLS_CHECKPEER\s0\fR will cause the \s-1LDAP\s0 server's \s-1TLS\s0 -certificated to be verified. If the server's \s-1TLS\s0 certificate cannot -be verified (usually because it is signed by an unknown certificate -authority), \fBsudo\fR will be unable to connect to it. If \fB\s-1TLS_CHECKPEER\s0\fR -is disabled, no check is made. Note that disabling the check creates -an opportunity for man-in-the-middle attacks since the server's -identity will not be authenticated. If possible, the \s-1CA\s0's certificate -should be installed locally so it can be verified. This option is -not supported by the Tivoli Directory Server \s-1LDAP\s0 libraries. -.IP "\fB\s-1TLS_CACERT\s0\fR file name" 4 -.IX Item "TLS_CACERT file name" -An alias for \fB\s-1TLS_CACERTFILE\s0\fR for OpenLDAP compatibility. -.IP "\fB\s-1TLS_CACERTFILE\s0\fR file name" 4 -.IX Item "TLS_CACERTFILE file name" +.TP 6n +\fBSSL\fR \fIon/true/yes/off/false/no\fR +If the +\fBSSL\fR +parameter is set to +\fRon\fR, +\fRtrue\fR +\fRor\fR +\fRyes\fR, +TLS (SSL) encryption is always used when communicating with the LDAP server. +Typically, this involves connecting to the server on port 636 (ldaps). +.TP 6n +\fBSSL\fR \fIstart_tls\fR +If the +\fBSSL\fR +parameter is set to +\fRstart_tls\fR, +the LDAP server connection is initiated normally and TLS encryption is +begun before the bind credentials are sent. +This has the advantage of not requiring a dedicated port for encrypted +communications. +This parameter is only supported by LDAP servers that honor the +\fIstart_tls\fR +extension, such as the OpenLDAP and Tivoli Directory servers. +.TP 6n +\fBTLS_CHECKPEER\fR \fIon/true/yes/off/false/no\fR +If enabled, +\fBTLS_CHECKPEER\fR +will cause the LDAP server's TLS certificated to be verified. +If the server's TLS certificate cannot be verified (usually because it +is signed by an unknown certificate authority), +\fBsudo\fR +will be unable to connect to it. +If +\fBTLS_CHECKPEER\fR +is disabled, no check is made. +Note that disabling the check creates an opportunity for man-in-the-middle +attacks since the server's identity will not be authenticated. +If possible, the CA's certificate should be installed locally so it can +be verified. +This option is not supported by the Tivoli Directory Server LDAP libraries. +.TP 6n +\fBTLS_CACERT\fR \fIfile name\fR +An alias for +\fBTLS_CACERTFILE\fR +for OpenLDAP compatibility. +.TP 6n +\fBTLS_CACERTFILE\fR \fIfile name\fR The path to a certificate authority bundle which contains the certificates -for all the Certificate Authorities the client knows to be valid, -e.g. \fI/etc/ssl/ca\-bundle.pem\fR. +for all the Certificate Authorities the client knows to be valid, e.g.\& +\fI/etc/ssl/ca-bundle.pem\fR. This option is only supported by the OpenLDAP libraries. -Netscape-derived \s-1LDAP\s0 libraries use the same certificate -database for \s-1CA\s0 and client certificates (see \fB\s-1TLS_CERT\s0\fR). -.IP "\fB\s-1TLS_CACERTDIR\s0\fR directory" 4 -.IX Item "TLS_CACERTDIR directory" -Similar to \fB\s-1TLS_CACERTFILE\s0\fR but instead of a file, it is a -directory containing individual Certificate Authority certificates, -e.g. \fI/etc/ssl/certs\fR. -The directory specified by \fB\s-1TLS_CACERTDIR\s0\fR is checked after -\&\fB\s-1TLS_CACERTFILE\s0\fR. +Netscape-derived LDAP libraries use the same certificate +database for CA and client certificates (see +\fBTLS_CERT\fR). +.TP 6n +\fBTLS_CACERTDIR\fR \fIdirectory\fR +Similar to +\fBTLS_CACERTFILE\fR +but instead of a file, it is a directory containing individual +Certificate Authority certificates, e.g.\& +\fI/etc/ssl/certs\fR. +The directory specified by +\fBTLS_CACERTDIR\fR +is checked after +\fBTLS_CACERTFILE\fR. This option is only supported by the OpenLDAP libraries. -.IP "\fB\s-1TLS_CERT\s0\fR file name" 4 -.IX Item "TLS_CERT file name" +.TP 6n +\fBTLS_CERT\fR \fIfile name\fR The path to a file containing the client certificate which can -be used to authenticate the client to the \s-1LDAP\s0 server. -The certificate type depends on the \s-1LDAP\s0 libraries used. -.Sp +be used to authenticate the client to the LDAP server. +The certificate type depends on the LDAP libraries used. +.RS +.TP 6n OpenLDAP: - \f(CW\*(C`tls_cert /etc/ssl/client_cert.pem\*(C'\fR -.Sp +\fRtls_cert /etc/ssl/client_cert.pem\fR +.TP 6n Netscape-derived: - \f(CW\*(C`tls_cert /var/ldap/cert7.db\*(C'\fR -.Sp +\fRtls_cert /var/ldap/cert7.db\fR +.TP 6n Tivoli Directory Server: - Unused, the key database specified by \fB\s-1TLS_KEY\s0\fR contains both - keys and certificates. -.Sp +Unused, the key database specified by +\fBTLS_KEY\fR +contains both keys and certificates. +.sp When using Netscape-derived libraries, this file may also contain Certificate Authority certificates. -.IP "\fB\s-1TLS_KEY\s0\fR file name" 4 -.IX Item "TLS_KEY file name" +.RE +.TP 6n +\fBTLS_KEY\fR \fIfile name\fR The path to a file containing the private key which matches the -certificate specified by \fB\s-1TLS_CERT\s0\fR. The private key must not be -password-protected. The key type depends on the \s-1LDAP\s0 libraries -used. -.Sp +certificate specified by +\fBTLS_CERT\fR. +The private key must not be password-protected. +The key type depends on the LDAP libraries used. +.RS +.TP 6n OpenLDAP: - \f(CW\*(C`tls_key /etc/ssl/client_key.pem\*(C'\fR -.Sp +\fRtls_key /etc/ssl/client_key.pem\fR +.TP 6n Netscape-derived: - \f(CW\*(C`tls_key /var/ldap/key3.db\*(C'\fR -.Sp +\fRtls_key /var/ldap/key3.db\fR +.TP 6n Tivoli Directory Server: - \f(CW\*(C`tls_cert /usr/ldap/ldapkey.kdb\*(C'\fR -.Sp -When using Tivoli \s-1LDAP\s0 libraries, this file may also contain +\fRtls_cert /usr/ldap/ldapkey.kdb\fR +.RE +.sp -1v +.RS +.PP +When using Tivoli LDAP libraries, this file may also contain Certificate Authority and client certificates and may be encrypted. -.IP "\fB\s-1TLS_KEYPW\s0\fR secret" 4 -.IX Item "TLS_KEYPW secret" -The \fB\s-1TLS_KEYPW\s0\fR contains the password used to decrypt the key -database on clients using the Tivoli Directory Server \s-1LDAP\s0 library. -If no \fB\s-1TLS_KEYPW\s0\fR is specified, a \fIstash file\fR will be used if -it exists. The \fIstash file\fR must have the same path as the file -specified by \fB\s-1TLS_KEY\s0\fR, but use a \f(CW\*(C`.sth\*(C'\fR file extension instead -of \f(CW\*(C`.kdb\*(C'\fR, e.g. \f(CW\*(C`ldapkey.sth\*(C'\fR. The default \f(CW\*(C`ldapkey.kdb\*(C'\fR that -ships with Tivoli Directory Server is encrypted with the password -\&\f(CW\*(C`ssl_password\*(C'\fR. This option is only supported by the Tivoli \s-1LDAP\s0 -libraries. -.IP "\fB\s-1TLS_RANDFILE\s0\fR file name" 4 -.IX Item "TLS_RANDFILE file name" -The \fB\s-1TLS_RANDFILE\s0\fR parameter specifies the path to an entropy -source for systems that lack a random device. It is generally used -in conjunction with \fIprngd\fR or \fIegd\fR. +.PP +.RE +.sp -1v +.TP 6n +\fBTLS_KEYPW\fR \fIsecret\fR +The +\fBTLS_KEYPW\fR +contains the password used to decrypt the key database on clients +using the Tivoli Directory Server LDAP library. +If no +\fBTLS_KEYPW\fR +is specified, a +\fIstash file\fR +will be used if it exists. +The +\fIstash file\fR +must have the same path as the file specified by +\fBTLS_KEY\fR, +but use a +\fR.sth\fR +file extension instead of +\fR.kdb\fR, +e.g.\& +\fRldapkey.sth\fR. +The default +\fRldapkey.kdb\fR +that ships with Tivoli Directory Server is encrypted with the password +\fRssl_password\fR. +This option is only supported by the Tivoli LDAP libraries. +.TP 6n +\fBTLS_RANDFILE\fR \fIfile name\fR +The +\fBTLS_RANDFILE\fR +parameter specifies the path to an entropy source for systems that lack +a random device. +It is generally used in conjunction with +\fIprngd\fR +or +\fIegd\fR. This option is only supported by the OpenLDAP libraries. -.IP "\fB\s-1TLS_CIPHERS\s0\fR cipher list" 4 -.IX Item "TLS_CIPHERS cipher list" -The \fB\s-1TLS_CIPHERS\s0\fR parameter allows the administer to restrict which -encryption algorithms may be used for \s-1TLS\s0 (\s-1SSL\s0) connections. See -the OpenLDAP or Tivoli Directory Server manual for a list of valid -ciphers. This option is not supported by Netscape-derived libraries. -.IP "\fB\s-1USE_SASL\s0\fR on/true/yes/off/false/no" 4 -.IX Item "USE_SASL on/true/yes/off/false/no" -Enable \fB\s-1USE_SASL\s0\fR for \s-1LDAP\s0 servers that support \s-1SASL\s0 authentication. -.IP "\fB\s-1SASL_AUTH_ID\s0\fR identity" 4 -.IX Item "SASL_AUTH_ID identity" -The \s-1SASL\s0 user name to use when connecting to the \s-1LDAP\s0 server. -By default, \fBsudo\fR will use an anonymous connection. -.IP "\fB\s-1ROOTUSE_SASL\s0\fR on/true/yes/off/false/no" 4 -.IX Item "ROOTUSE_SASL on/true/yes/off/false/no" -Enable \fB\s-1ROOTUSE_SASL\s0\fR to enable \s-1SASL\s0 authentication when connecting -to an \s-1LDAP\s0 server from a privileged process, such as \fBsudo\fR. -.IP "\fB\s-1ROOTSASL_AUTH_ID\s0\fR identity" 4 -.IX Item "ROOTSASL_AUTH_ID identity" -The \s-1SASL\s0 user name to use when \fB\s-1ROOTUSE_SASL\s0\fR is enabled. -.IP "\fB\s-1SASL_SECPROPS\s0\fR none/properties" 4 -.IX Item "SASL_SECPROPS none/properties" -\&\s-1SASL\s0 security properties or \fInone\fR for no properties. See the -\&\s-1SASL\s0 programmer's manual for details. -.IP "\fB\s-1KRB5_CCNAME\s0\fR file name" 4 -.IX Item "KRB5_CCNAME file name" +.TP 6n +\fBTLS_CIPHERS\fR \fIcipher list\fR +The +\fBTLS_CIPHERS\fR +parameter allows the administer to restrict which encryption algorithms +may be used for TLS (SSL) connections. +See the OpenLDAP or Tivoli Directory Server manual for a list of valid +ciphers. +This option is not supported by Netscape-derived libraries. +.TP 6n +\fBUSE_SASL\fR \fIon/true/yes/off/false/no\fR +Enable +\fBUSE_SASL\fR +for LDAP servers that support SASL authentication. +.TP 6n +\fBSASL_AUTH_ID\fR \fIidentity\fR +The SASL user name to use when connecting to the LDAP server. +By default, +\fBsudo\fR +will use an anonymous connection. +.TP 6n +\fBROOTUSE_SASL\fR \fIon/true/yes/off/false/no\fR +Enable +\fBROOTUSE_SASL\fR +to enable SASL authentication when connecting +to an LDAP server from a privileged process, such as +\fBsudo\fR. +.TP 6n +\fBROOTSASL_AUTH_ID\fR \fIidentity\fR +The SASL user name to use when +\fBROOTUSE_SASL\fR +is enabled. +.TP 6n +\fBSASL_SECPROPS\fR \fInone/properties\fR +SASL security properties or +\fInone\fR +for no properties. +See the SASL programmer's manual for details. +.TP 6n +\fBKRB5_CCNAME\fR \fIfile name\fR The path to the Kerberos 5 credential cache to use when authenticating with the remote server. -.IP "\fB\s-1DEREF\s0\fR never/searching/finding/always" 4 -.IX Item "DEREF never/searching/finding/always" -How alias dereferencing is to be performed when searching. See the -\&\fIldap.conf\fR\|(@mansectform@) manual for a full description of this option. +.TP 6n +\fBDEREF\fR \fInever/searching/finding/always\fR +How alias dereferencing is to be performed when searching. +See the +ldap.conf(@mansectsu@) +manual for a full description of this option. .PP -See the \f(CW\*(C`ldap.conf\*(C'\fR entry in the \s-1EXAMPLES\s0 section. +See the +\fIldap.conf\fR +entry in the +\fIEXAMPLES\fR +section. .SS "Configuring nsswitch.conf" -.IX Subsection "Configuring nsswitch.conf" -Unless it is disabled at build time, \fBsudo\fR consults the Name -Service Switch file, \fI@nsswitch_conf@\fR, to specify the \fIsudoers\fR -search order. Sudo looks for a line beginning with \f(CW\*(C`sudoers\*(C'\fR: and -uses this to determine the search order. Note that \fBsudo\fR does +Unless it is disabled at build time, +\fBsudo\fR +consults the Name Service Switch file, +\fI@nsswitch_conf@\fR, +to specify the +\fIsudoers\fR +search order. +Sudo looks for a line beginning with +\fRsudoers\fR: +and uses this to determine the search order. +Note that +\fBsudo\fR +does not stop searching after the first match and later matches take precedence over earlier ones. -.PP The following sources are recognized: +.TP 10n +files +read sudoers from +\fI@sysconfdir@/sudoers\fR +.sp -1v +.TP 10n +ldap +read sudoers from LDAP .PP -.Vb 2 -\& files read sudoers from F<@sysconfdir@/sudoers> -\& ldap read sudoers from LDAP -.Ve +In addition, the entry +\fR[NOTFOUND=return]\fR +will short-circuit the search if the user was not found in the +preceding source. .PP -In addition, the entry \f(CW\*(C`[NOTFOUND=return]\*(C'\fR will short-circuit the -search if the user was not found in the preceding source. -.PP -To consult \s-1LDAP\s0 first followed by the local sudoers file (if it +To consult LDAP first followed by the local sudoers file (if it exists), use: +.nf +.sp +.RS 4n +sudoers: ldap files +.RE +.fi .PP -.Vb 1 -\& sudoers: ldap files -.Ve +The local +\fIsudoers\fR +file can be ignored completely by using: +.nf +.sp +.RS 4n +sudoers: ldap +.RE +.fi .PP -The local \fIsudoers\fR file can be ignored completely by using: +If the +\fI@nsswitch_conf@\fR +file is not present or there is no sudoers line, the following +default is assumed: +.nf +.sp +.RS 4n +sudoers: files +.RE +.fi .PP -.Vb 1 -\& sudoers: ldap -.Ve -.PP -If the \fI@nsswitch_conf@\fR file is not present or there is no -sudoers line, the following default is assumed: -.PP -.Vb 1 -\& sudoers: files -.Ve -.PP -Note that \fI@nsswitch_conf@\fR is supported even when the underlying -operating system does not use an nsswitch.conf file, except on \s-1AIX\s0 (see below). +Note that +\fI@nsswitch_conf@\fR +is supported even when the underlying operating system does not use +an nsswitch.conf file, except on AIX (see below). .SS "Configuring netsvc.conf" -.IX Subsection "Configuring netsvc.conf" -On \s-1AIX\s0 systems, the \fI@netsvc_conf@\fR file is consulted instead of -\&\fI@nsswitch_conf@\fR. \fBsudo\fR simply treats \fInetsvc.conf\fR as a -variant of \fInsswitch.conf\fR; information in the previous section -unrelated to the file format itself still applies. +On AIX systems, the +\fI@netsvc_conf@\fR +file is consulted instead of +\fI@nsswitch_conf@\fR. +\fBsudo\fR +simply treats +\fInetsvc.conf\fR +as a variant of +\fInsswitch.conf\fR; +information in the previous section unrelated to the file format +itself still applies. .PP -To consult \s-1LDAP\s0 first followed by the local sudoers file (if it +To consult LDAP first followed by the local sudoers file (if it exists), use: +.nf +.sp +.RS 4n +sudoers = ldap, files +.RE +.fi .PP -.Vb 1 -\& sudoers = ldap, files -.Ve +The local +\fIsudoers\fR +file can be ignored completely by using: +.nf +.sp +.RS 4n +sudoers = ldap +.RE +.fi .PP -The local \fIsudoers\fR file can be ignored completely by using: +To treat LDAP as authoratative and only use the local sudoers file +if the user is not present in LDAP, use: +.nf +.sp +.RS 4n +sudoers = ldap = auth, files +.RE +.fi .PP -.Vb 1 -\& sudoers = ldap -.Ve -.PP -To treat \s-1LDAP\s0 as authoratative and only use the local sudoers file -if the user is not present in \s-1LDAP\s0, use: -.PP -.Vb 1 -\& sudoers = ldap = auth, files -.Ve -.PP -Note that in the above example, the \f(CW\*(C`auth\*(C'\fR qualfier only affects -user lookups; both \s-1LDAP\s0 and \fIsudoers\fR will be queried for \f(CW\*(C`Defaults\*(C'\fR +Note that in the above example, the +\fRauth\fR +qualfier only affects user lookups; both LDAP and +\fIsudoers\fR +will be queried for +\fRDefaults\fR entries. .PP -If the \fI@netsvc_conf@\fR file is not present or there is no -sudoers line, the following default is assumed: -.PP -.Vb 1 -\& sudoers = files -.Ve +If the +\fI@netsvc_conf@\fR +file is not present or there is no sudoers line, the following +default is assumed: +.nf +.sp +.RS 4n +sudoers = files +.RE +.fi .SH "FILES" -.IX Header "FILES" -.ie n .IP "\fI@ldap_conf@\fR" 24 -.el .IP "\fI@ldap_conf@\fR" 24 -.IX Item "@ldap_conf@" -\&\s-1LDAP\s0 configuration file -.ie n .IP "\fI@nsswitch_conf@\fR" 24 -.el .IP "\fI@nsswitch_conf@\fR" 24 -.IX Item "@nsswitch_conf@" +.TP 26n +\fI@ldap_conf@\fR +LDAP configuration file +.TP 26n +\fI@nsswitch_conf@\fR determines sudoers source order -.ie n .IP "\fI@netsvc_conf@\fR" 24 -.el .IP "\fI@netsvc_conf@\fR" 24 -.IX Item "@netsvc_conf@" -determines sudoers source order on \s-1AIX\s0 +.TP 26n +\fI@netsvc_conf@\fR +determines sudoers source order on AIX .SH "EXAMPLES" -.IX Header "EXAMPLES" .SS "Example ldap.conf" -.IX Subsection "Example ldap.conf" -.Vb 10 -\& # Either specify one or more URIs or one or more host:port pairs. -\& # If neither is specified sudo will default to localhost, port 389. -\& # -\& #host ldapserver -\& #host ldapserver1 ldapserver2:390 -\& # -\& # Default port if host is specified without one, defaults to 389. -\& #port 389 -\& # -\& # URI will override the host and port settings. -\& uri ldap://ldapserver -\& #uri ldaps://secureldapserver -\& #uri ldaps://secureldapserver ldap://ldapserver -\& # -\& # The amount of time, in seconds, to wait while trying to connect to -\& # an LDAP server. -\& bind_timelimit 30 -\& # -\& # The amount of time, in seconds, to wait while performing an LDAP query. -\& timelimit 30 -\& # -\& # Must be set or sudo will ignore LDAP; may be specified multiple times. -\& sudoers_base ou=SUDOers,dc=example,dc=com -\& # -\& # verbose sudoers matching from ldap -\& #sudoers_debug 2 -\& # -\& # Enable support for time\-based entries in sudoers. -\& #sudoers_timed yes -\& # -\& # optional proxy credentials -\& #binddn -\& #bindpw -\& #rootbinddn -\& # -\& # LDAP protocol version, defaults to 3 -\& #ldap_version 3 -\& # -\& # Define if you want to use an encrypted LDAP connection. -\& # Typically, you must also set the port to 636 (ldaps). -\& #ssl on -\& # -\& # Define if you want to use port 389 and switch to -\& # encryption before the bind credentials are sent. -\& # Only supported by LDAP servers that support the start_tls -\& # extension such as OpenLDAP. -\& #ssl start_tls -\& # -\& # Additional TLS options follow that allow tweaking of the -\& # SSL/TLS connection. -\& # -\& #tls_checkpeer yes # verify server SSL certificate -\& #tls_checkpeer no # ignore server SSL certificate -\& # -\& # If you enable tls_checkpeer, specify either tls_cacertfile -\& # or tls_cacertdir. Only supported when using OpenLDAP. -\& # -\& #tls_cacertfile /etc/certs/trusted_signers.pem -\& #tls_cacertdir /etc/certs -\& # -\& # For systems that don\*(Aqt have /dev/random -\& # use this along with PRNGD or EGD.pl to seed the -\& # random number pool to generate cryptographic session keys. -\& # Only supported when using OpenLDAP. -\& # -\& #tls_randfile /etc/egd\-pool -\& # -\& # You may restrict which ciphers are used. Consult your SSL -\& # documentation for which options go here. -\& # Only supported when using OpenLDAP. -\& # -\& #tls_ciphers -\& # -\& # Sudo can provide a client certificate when communicating to -\& # the LDAP server. -\& # Tips: -\& # * Enable both lines at the same time. -\& # * Do not password protect the key file. -\& # * Ensure the keyfile is only readable by root. -\& # -\& # For OpenLDAP: -\& #tls_cert /etc/certs/client_cert.pem -\& #tls_key /etc/certs/client_key.pem -\& # -\& # For SunONE or iPlanet LDAP, tls_cert and tls_key may specify either -\& # a directory, in which case the files in the directory must have the -\& # default names (e.g. cert8.db and key4.db), or the path to the cert -\& # and key files themselves. However, a bug in version 5.0 of the LDAP -\& # SDK will prevent specific file names from working. For this reason -\& # it is suggested that tls_cert and tls_key be set to a directory, -\& # not a file name. -\& # -\& # The certificate database specified by tls_cert may contain CA certs -\& # and/or the client\*(Aqs cert. If the client\*(Aqs cert is included, tls_key -\& # should be specified as well. -\& # For backward compatibility, "sslpath" may be used in place of tls_cert. -\& #tls_cert /var/ldap -\& #tls_key /var/ldap -\& # -\& # If using SASL authentication for LDAP (OpenSSL) -\& # use_sasl yes -\& # sasl_auth_id -\& # rootuse_sasl yes -\& # rootsasl_auth_id -\& # sasl_secprops none -\& # krb5_ccname /etc/.ldapcache -.Ve +.nf +.RS 2n +# Either specify one or more URIs or one or more host:port pairs. +# If neither is specified sudo will default to localhost, port 389. +# +#host ldapserver +#host ldapserver1 ldapserver2:390 +# +# Default port if host is specified without one, defaults to 389. +#port 389 +# +# URI will override the host and port settings. +uri ldap://ldapserver +#uri ldaps://secureldapserver +#uri ldaps://secureldapserver ldap://ldapserver +# +# The amount of time, in seconds, to wait while trying to connect to +# an LDAP server. +bind_timelimit 30 +# +# The amount of time, in seconds, to wait while performing an LDAP query. +timelimit 30 +# +# Must be set or sudo will ignore LDAP; may be specified multiple times. +sudoers_base ou=SUDOers,dc=example,dc=com +# +# verbose sudoers matching from ldap +#sudoers_debug 2 +# +# Enable support for time-based entries in sudoers. +#sudoers_timed yes +# +# optional proxy credentials +#binddn +#bindpw +#rootbinddn +# +# LDAP protocol version, defaults to 3 +#ldap_version 3 +# +# Define if you want to use an encrypted LDAP connection. +# Typically, you must also set the port to 636 (ldaps). +#ssl on +# +# Define if you want to use port 389 and switch to +# encryption before the bind credentials are sent. +# Only supported by LDAP servers that support the start_tls +# extension such as OpenLDAP. +#ssl start_tls +# +# Additional TLS options follow that allow tweaking of the +# SSL/TLS connection. +# +#tls_checkpeer yes # verify server SSL certificate +#tls_checkpeer no # ignore server SSL certificate +# +# If you enable tls_checkpeer, specify either tls_cacertfile +# or tls_cacertdir. Only supported when using OpenLDAP. +# +#tls_cacertfile /etc/certs/trusted_signers.pem +#tls_cacertdir /etc/certs +# +# For systems that don't have /dev/random +# use this along with PRNGD or EGD.pl to seed the +# random number pool to generate cryptographic session keys. +# Only supported when using OpenLDAP. +# +#tls_randfile /etc/egd-pool +# +# You may restrict which ciphers are used. Consult your SSL +# documentation for which options go here. +# Only supported when using OpenLDAP. +# +#tls_ciphers +# +# Sudo can provide a client certificate when communicating to +# the LDAP server. +# Tips: +# * Enable both lines at the same time. +# * Do not password protect the key file. +# * Ensure the keyfile is only readable by root. +# +# For OpenLDAP: +#tls_cert /etc/certs/client_cert.pem +#tls_key /etc/certs/client_key.pem +# +# For SunONE or iPlanet LDAP, tls_cert and tls_key may specify either +# a directory, in which case the files in the directory must have the +# default names (e.g. cert8.db and key4.db), or the path to the cert +# and key files themselves. However, a bug in version 5.0 of the LDAP +# SDK will prevent specific file names from working. For this reason +# it is suggested that tls_cert and tls_key be set to a directory, +# not a file name. +# +# The certificate database specified by tls_cert may contain CA certs +# and/or the client's cert. If the client's cert is included, tls_key +# should be specified as well. +# For backward compatibility, "sslpath" may be used in place of tls_cert. +#tls_cert /var/ldap +#tls_key /var/ldap +# +# If using SASL authentication for LDAP (OpenSSL) +# use_sasl yes +# sasl_auth_id +# rootuse_sasl yes +# rootsasl_auth_id +# sasl_secprops none +# krb5_ccname /etc/.ldapcache +.RE +.fi .SS "Sudo schema for OpenLDAP" -.IX Subsection "Sudo schema for OpenLDAP" -The following schema, in OpenLDAP format, is included with \fBsudo\fR -source and binary distributions as \fIschema.OpenLDAP\fR. Simply copy -it to the schema directory (e.g. \fI/etc/openldap/schema\fR), add the -proper \f(CW\*(C`include\*(C'\fR line in \f(CW\*(C`slapd.conf\*(C'\fR and restart \fBslapd\fR. -.PP -.Vb 6 -\& attributetype ( 1.3.6.1.4.1.15953.9.1.1 -\& NAME \*(AqsudoUser\*(Aq -\& DESC \*(AqUser(s) who may run sudo\*(Aq -\& EQUALITY caseExactIA5Match -\& SUBSTR caseExactIA5SubstringsMatch -\& SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) -\& -\& attributetype ( 1.3.6.1.4.1.15953.9.1.2 -\& NAME \*(AqsudoHost\*(Aq -\& DESC \*(AqHost(s) who may run sudo\*(Aq -\& EQUALITY caseExactIA5Match -\& SUBSTR caseExactIA5SubstringsMatch -\& SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) -\& -\& attributetype ( 1.3.6.1.4.1.15953.9.1.3 -\& NAME \*(AqsudoCommand\*(Aq -\& DESC \*(AqCommand(s) to be executed by sudo\*(Aq -\& EQUALITY caseExactIA5Match -\& SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) -\& -\& attributetype ( 1.3.6.1.4.1.15953.9.1.4 -\& NAME \*(AqsudoRunAs\*(Aq -\& DESC \*(AqUser(s) impersonated by sudo\*(Aq -\& EQUALITY caseExactIA5Match -\& SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) -\& -\& attributetype ( 1.3.6.1.4.1.15953.9.1.5 -\& NAME \*(AqsudoOption\*(Aq -\& DESC \*(AqOptions(s) followed by sudo\*(Aq -\& EQUALITY caseExactIA5Match -\& SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) -\& -\& attributetype ( 1.3.6.1.4.1.15953.9.1.6 -\& NAME \*(AqsudoRunAsUser\*(Aq -\& DESC \*(AqUser(s) impersonated by sudo\*(Aq -\& EQUALITY caseExactIA5Match -\& SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) -\& -\& attributetype ( 1.3.6.1.4.1.15953.9.1.7 -\& NAME \*(AqsudoRunAsGroup\*(Aq -\& DESC \*(AqGroup(s) impersonated by sudo\*(Aq -\& EQUALITY caseExactIA5Match -\& SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) -\& -\& attributetype ( 1.3.6.1.4.1.15953.9.1.8 -\& NAME \*(AqsudoNotBefore\*(Aq -\& DESC \*(AqStart of time interval for which the entry is valid\*(Aq -\& EQUALITY generalizedTimeMatch -\& ORDERING generalizedTimeOrderingMatch -\& SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 ) -\& -\& attributetype ( 1.3.6.1.4.1.15953.9.1.9 -\& NAME \*(AqsudoNotAfter\*(Aq -\& DESC \*(AqEnd of time interval for which the entry is valid\*(Aq -\& EQUALITY generalizedTimeMatch -\& ORDERING generalizedTimeOrderingMatch -\& SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 ) -\& -\& attributeTypes ( 1.3.6.1.4.1.15953.9.1.10 -\& NAME \*(AqsudoOrder\*(Aq -\& DESC \*(Aqan integer to order the sudoRole entries\*(Aq -\& EQUALITY integerMatch -\& ORDERING integerOrderingMatch -\& SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 ) -\& -\& objectclass ( 1.3.6.1.4.1.15953.9.2.1 NAME \*(AqsudoRole\*(Aq SUP top STRUCTURAL -\& DESC \*(AqSudoer Entries\*(Aq -\& MUST ( cn ) -\& MAY ( sudoUser $ sudoHost $ sudoCommand $ sudoRunAs $ sudoRunAsUser $ -\& sudoRunAsGroup $ sudoOption $ sudoNotBefore $ sudoNotAfter $ -\& sudoOrder $ description ) -\& ) -.Ve +The following schema, in OpenLDAP format, is included with +\fBsudo\fR +source and binary distributions as +\fIschema.OpenLDAP\fR. +Simply copy +it to the schema directory (e.g.\& +\fI/etc/openldap/schema\fR), +add the proper +\fRinclude\fR +line in +\fIslapd.conf\fR +and restart +\fBslapd\fR. +.nf +.sp +.RS 2n +attributetype ( 1.3.6.1.4.1.15953.9.1.1 + NAME 'sudoUser' + DESC 'User(s) who may run sudo' + EQUALITY caseExactIA5Match + SUBSTR caseExactIA5SubstringsMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) + +attributetype ( 1.3.6.1.4.1.15953.9.1.2 + NAME 'sudoHost' + DESC 'Host(s) who may run sudo' + EQUALITY caseExactIA5Match + SUBSTR caseExactIA5SubstringsMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) + +attributetype ( 1.3.6.1.4.1.15953.9.1.3 + NAME 'sudoCommand' + DESC 'Command(s) to be executed by sudo' + EQUALITY caseExactIA5Match + SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) + +attributetype ( 1.3.6.1.4.1.15953.9.1.4 + NAME 'sudoRunAs' + DESC 'User(s) impersonated by sudo' + EQUALITY caseExactIA5Match + SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) + +attributetype ( 1.3.6.1.4.1.15953.9.1.5 + NAME 'sudoOption' + DESC 'Options(s) followed by sudo' + EQUALITY caseExactIA5Match + SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) + +attributetype ( 1.3.6.1.4.1.15953.9.1.6 + NAME 'sudoRunAsUser' + DESC 'User(s) impersonated by sudo' + EQUALITY caseExactIA5Match + SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) + +attributetype ( 1.3.6.1.4.1.15953.9.1.7 + NAME 'sudoRunAsGroup' + DESC 'Group(s) impersonated by sudo' + EQUALITY caseExactIA5Match + SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) + +attributetype ( 1.3.6.1.4.1.15953.9.1.8 + NAME 'sudoNotBefore' + DESC 'Start of time interval for which the entry is valid' + EQUALITY generalizedTimeMatch + ORDERING generalizedTimeOrderingMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 ) + +attributetype ( 1.3.6.1.4.1.15953.9.1.9 + NAME 'sudoNotAfter' + DESC 'End of time interval for which the entry is valid' + EQUALITY generalizedTimeMatch + ORDERING generalizedTimeOrderingMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 ) + +attributeTypes ( 1.3.6.1.4.1.15953.9.1.10 + NAME 'sudoOrder' + DESC 'an integer to order the sudoRole entries' + EQUALITY integerMatch + ORDERING integerOrderingMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 ) + +objectclass ( 1.3.6.1.4.1.15953.9.2.1 NAME 'sudoRole' SUP top STRUCTURAL + DESC 'Sudoer Entries' + MUST ( cn ) + MAY ( sudoUser $ sudoHost $ sudoCommand $ sudoRunAs $ sudoRunAsUser $ + sudoRunAsGroup $ sudoOption $ sudoNotBefore $ sudoNotAfter $ + sudoOrder $ description ) + ) +.RE +.fi .SH "SEE ALSO" -.IX Header "SEE ALSO" -\&\fIldap.conf\fR\|(@mansectform@), \fIsudoers\fR\|(@mansectform@) +ldap.conf(@mansectsu@), +sudoers(@mansectsu@) .SH "CAVEATS" -.IX Header "CAVEATS" -Note that there are differences in the way that LDAP-based \fIsudoers\fR -is parsed compared to file-based \fIsudoers\fR. See the \*(L"Differences -between \s-1LDAP\s0 and non-LDAP sudoers\*(R" section for more information. +Note that there are differences in the way that LDAP-based +\fIsudoers\fR +is parsed compared to file-based +\fIsudoers\fR. +See the +\fIDifferences between LDAP and non-LDAP sudoers\fR +section for more information. .SH "BUGS" -.IX Header "BUGS" -If you feel you have found a bug in \fBsudo\fR, please submit a bug report -at http://www.sudo.ws/sudo/bugs/ +If you feel you have found a bug in +\fBsudo\fR, +please submit a bug report at http://www.sudo.ws/sudo/bugs/ .SH "SUPPORT" -.IX Header "SUPPORT" Limited free support is available via the sudo-users mailing list, -see http://www.sudo.ws/mailman/listinfo/sudo\-users to subscribe or +see http://www.sudo.ws/mailman/listinfo/sudo-users to subscribe or search the archives. .SH "DISCLAIMER" -.IX Header "DISCLAIMER" -\&\fBsudo\fR is provided ``\s-1AS\s0 \s-1IS\s0'' and any express or implied warranties, -including, but not limited to, the implied warranties of merchantability -and fitness for a particular purpose are disclaimed. See the \s-1LICENSE\s0 -file distributed with \fBsudo\fR or http://www.sudo.ws/sudo/license.html -for complete details. +\fBsudo\fR +is provided +``AS IS'' +and any express or implied warranties, including, but not limited +to, the implied warranties of merchantability and fitness for a +particular purpose are disclaimed. +See the LICENSE file distributed with +\fBsudo\fR +or http://www.sudo.ws/sudo/license.html for complete details. diff --git a/doc/sudoers.ldap.mdoc.in b/doc/sudoers.ldap.mdoc.in index 73b014b5a..b43187ad5 100644 --- a/doc/sudoers.ldap.mdoc.in +++ b/doc/sudoers.ldap.mdoc.in @@ -15,8 +15,8 @@ .\" ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" .Dd July 12, 2012 -.Dt SUDOERS.LDAP 5 -.Os +.Dt SUDOERS.LDAP @mansectsu@ +.Os Sudo @PACKAGE_VERSION@ .Sh NAME .Nm sudoers.ldap .Nd sudo LDAP configuration @@ -412,7 +412,7 @@ parses .Pa @ldap_conf@ itself and may support options that differ from those described in the system's -.Xr ldap.conf 5 +.Xr ldap.conf @mansectsu@ manual. .Pp Also note that on systems using the OpenLDAP libraries, default @@ -753,7 +753,7 @@ with the remote server. .It Sy DEREF Ar never/searching/finding/always How alias dereferencing is to be performed when searching. See the -.Xr ldap.conf 5 +.Xr ldap.conf @mansectsu@ manual for a full description of this option. .El .Pp @@ -1073,8 +1073,8 @@ objectclass ( 1.3.6.1.4.1.15953.9.2.1 NAME 'sudoRole' SUP top STRUCTURAL ) .Ed .Sh SEE ALSO -.Xr ldap.conf 5 , -.Xr sudoers 5 +.Xr ldap.conf @mansectsu@ , +.Xr sudoers @mansectsu@ .Sh CAVEATS Note that there are differences in the way that LDAP-based .Em sudoers diff --git a/doc/sudoers.man.in b/doc/sudoers.man.in index d0b11073d..90d2a8999 100644 --- a/doc/sudoers.man.in +++ b/doc/sudoers.man.in @@ -1,10 +1,13 @@ +.\" DO NOT EDIT THIS FILE, IT IS NOT THE MASTER! +.\" IT IS GENERATED AUTOMATICALLY FROM sudoers.mdoc.in +.\" .\" Copyright (c) 1994-1996, 1998-2005, 2007-2012 -.\" Todd C. Miller -.\" +.\" Todd C. Miller +.\" .\" Permission to use, copy, modify, and distribute this software for any .\" purpose with or without fee is hereby granted, provided that the above .\" copyright notice and this permission notice appear in all copies. -.\" +.\" .\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES .\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF .\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR @@ -13,258 +16,302 @@ .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. .\" ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. -.\" +.\" .\" Sponsored in part by the Defense Advanced Research Projects .\" Agency (DARPA) and Air Force Research Laboratory, Air Force .\" Materiel Command, USAF, under agreement number F39502-99-1-0512. -.\" -.nr SL @SEMAN@ -.nr BA @BAMAN@ -.nr LC @LCMAN@ .\" -.\" Automatically generated by Pod::Man 2.23 (Pod::Simple 3.14) -.\" -.\" Standard preamble: -.\" ======================================================================== -.de Sp \" Vertical space (when we can't use .PP) -.if t .sp .5v -.if n .sp -.. -.de Vb \" Begin verbatim text -.ft CW -.nf -.ne \\$1 -.. -.de Ve \" End verbatim text -.ft R -.fi -.. -.\" Set up some character translations and predefined strings. \*(-- will -.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left -.\" double quote, and \*(R" will give a right double quote. \*(C+ will -.\" give a nicer C++. Capital omega is used to do unbreakable dashes and -.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff, -.\" nothing in troff, for use with C<>. -.tr \(*W- -.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p' -.ie n \{\ -. ds -- \(*W- -. ds PI pi -. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch -. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch -. ds L" "" -. ds R" "" -. ds C` -. ds C' -'br\} -.el\{\ -. ds -- \|\(em\| -. ds PI \(*p -. ds L" `` -. ds R" '' -'br\} -.\" -.\" Escape single quotes in literal strings from groff's Unicode transform. -.ie \n(.g .ds Aq \(aq -.el .ds Aq ' -.\" -.\" If the F register is turned on, we'll generate index entries on stderr for -.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index -.\" entries marked with X<> in POD. Of course, you'll have to process the -.\" output yourself in some meaningful fashion. -.ie \nF \{\ -. de IX -. tm Index:\\$1\t\\n%\t"\\$2" -.. -. nr % 0 -. rr F -.\} -.el \{\ -. de IX -.. -.\} -.\" -.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2). -.\" Fear. Run. Save yourself. No user-serviceable parts. -. \" fudge factors for nroff and troff -.if n \{\ -. ds #H 0 -. ds #V .8m -. ds #F .3m -. ds #[ \f1 -. ds #] \fP -.\} -.if t \{\ -. ds #H ((1u-(\\\\n(.fu%2u))*.13m) -. ds #V .6m -. ds #F 0 -. ds #[ \& -. ds #] \& -.\} -. \" simple accents for nroff and troff -.if n \{\ -. ds ' \& -. ds ` \& -. ds ^ \& -. ds , \& -. ds ~ ~ -. ds / -.\} -.if t \{\ -. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u" -. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u' -. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u' -. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u' -. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u' -. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u' -.\} -. \" troff and (daisy-wheel) nroff accents -.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V' -.ds 8 \h'\*(#H'\(*b\h'-\*(#H' -.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#] -.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H' -.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u' -.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#] -.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#] -.ds ae a\h'-(\w'a'u*4/10)'e -.ds Ae A\h'-(\w'A'u*4/10)'E -. \" corrections for vroff -.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u' -.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u' -. \" for low resolution devices (crt and lpr) -.if \n(.H>23 .if \n(.V>19 \ -\{\ -. ds : e -. ds 8 ss -. ds o a -. ds d- d\h'-1'\(ga -. ds D- D\h'-1'\(hy -. ds th \o'bp' -. ds Th \o'LP' -. ds ae ae -. ds Ae AE -.\} -.rm #[ #] #H #V #F C -.\" ======================================================================== -.\" -.IX Title "SUDOERS @mansectform@" -.TH SUDOERS @mansectform@ "July 18, 2012" "1.8.6" "MAINTENANCE COMMANDS" -.\" For nroff, turn off justification. Always turn off hyphenation; it makes -.\" way too many mistakes in technical documents. -.if n .ad l -.nh +.TH "SUDOERS" "@mansectsu@" "July 16, 2012" "1.8.6" "Programmer's Manual" .SH "NAME" -sudoers \- default sudo security policy module +\fBsudoers\fR +\- default sudo security policy module .SH "DESCRIPTION" -.IX Header "DESCRIPTION" -The \fIsudoers\fR policy module determines a user's \fBsudo\fR privileges. -It is the default \fBsudo\fR policy plugin. The policy is driven by -the \fI@sysconfdir@/sudoers\fR file or, optionally in \s-1LDAP\s0. The policy -format is described in detail in the \*(L"\s-1SUDOERS\s0 \s-1FILE\s0 \s-1FORMAT\s0\*(R" -section. For information on storing \fIsudoers\fR policy information -in \s-1LDAP\s0, please see \fIsudoers.ldap\fR\|(@mansectform@). +The +\fIsudoers\fR +policy module determines a user's +\fBsudo\fR +privileges. +It is the default +\fBsudo\fR +policy plugin. +The policy is driven by +the +\fI@sysconfdir@/sudoers\fR +file or, optionally in LDAP. +The policy format is described in detail in the +\fISUDOERS FILE FORMAT\fR +section. +For information on storing +\fIsudoers\fR +policy information +in LDAP, please see +sudoers.ldap(@mansectform@). .SS "Authentication and Logging" -.IX Subsection "Authentication and Logging" -The \fIsudoers\fR security policy requires that most users authenticate -themselves before they can use \fBsudo\fR. A password is not required +The +\fIsudoers\fR +security policy requires that most users authenticate +themselves before they can use +\fBsudo\fR. +A password is not required if the invoking user is root, if the target user is the same as the invoking user, or if the policy has disabled authentication for the -user or command. Unlike \fIsu\fR\|(1), when \fIsudoers\fR requires +user or command. +Unlike +su(1), +when +\fIsudoers\fR +requires authentication, it validates the invoking user's credentials, not -the target user's (or root's) credentials. This can be changed via -the \fIrootpw\fR, \fItargetpw\fR and \fIrunaspw\fR flags, described later. +the target user's (or root's) credentials. +This can be changed via +the +\fIrootpw\fR, +\fItargetpw\fR +and +\fIrunaspw\fR +flags, described later. .PP If a user who is not listed in the policy tries to run a command -via \fBsudo\fR, mail is sent to the proper authorities. The address -used for such mail is configurable via the \fImailto\fR Defaults entry -(described later) and defaults to \f(CW\*(C`@mailto@\*(C'\fR. +via +\fBsudo\fR, +mail is sent to the proper authorities. +The address +used for such mail is configurable via the +\fImailto\fR +Defaults entry +(described later) and defaults to +\fR@mailto@\fR. .PP Note that mail will not be sent if an unauthorized user tries to -run \fBsudo\fR with the \fB\-l\fR or \fB\-v\fR option. This allows users to +run +\fBsudo\fR +with the +\fB-l\fR +or +\fB-v\fR +option. +This allows users to determine for themselves whether or not they are allowed to use -\&\fBsudo\fR. +\fBsudo\fR. .PP -If \fBsudo\fR is run by root and the \f(CW\*(C`SUDO_USER\*(C'\fR environment variable -is set, the \fIsudoers\fR policy will use this value to determine who -the actual user is. This can be used by a user to log commands -through sudo even when a root shell has been invoked. It also -allows the \fB\-e\fR option to remain useful even when invoked via a -sudo-run script or program. Note, however, that the \fIsudoers\fR -lookup is still done for root, not the user specified by \f(CW\*(C`SUDO_USER\*(C'\fR. +If +\fBsudo\fR +is run by root and the +\fRSUDO_USER\fR +environment variable +is set, the +\fIsudoers\fR +policy will use this value to determine who +the actual user is. +This can be used by a user to log commands +through sudo even when a root shell has been invoked. +It also +allows the +\fB-e\fR +option to remain useful even when invoked via a +sudo-run script or program. +Note, however, that the +\fIsudoers\fR +lookup is still done for root, not the user specified by +\fRSUDO_USER\fR. .PP -\&\fIsudoers\fR uses time stamp files for credential caching. Once a -user has been authenticated, a time stamp is updated and the user +\fIsudoers\fR +uses time stamp files for credential caching. +Once a +user has been authenticated, the time stamp is updated and the user may then use sudo without a password for a short period of time -(\f(CW\*(C`@timeout@\*(C'\fR minutes unless overridden by the \fItimeout\fR option). -By default, \fIsudoers\fR uses a tty-based time stamp which means that +(\fR@timeout@\fR +minutes unless overridden by the +\fItimeout\fR +option) +\&. +By default, +\fIsudoers\fR +uses a tty-based time stamp which means that there is a separate time stamp for each of a user's login sessions. -The \fItty_tickets\fR option can be disabled to force the use of a +The +\fItty_tickets\fR +option can be disabled to force the use of a single time stamp for all of a user's sessions. .PP -\&\fIsudoers\fR can log both successful and unsuccessful attempts (as well -as errors) to \fIsyslog\fR\|(3), a log file, or both. By default, \fIsudoers\fR -will log via \fIsyslog\fR\|(3) but this is changeable via the \fIsyslog\fR -and \fIlogfile\fR Defaults settings. +\fIsudoers\fR +can log both successful and unsuccessful attempts (as well +as errors) to +syslog(3), +a log file, or both. +By default, +\fIsudoers\fR +will log via +syslog(3) +but this is changeable via the +\fIsyslog\fR +and +\fIlogfile\fR +Defaults settings. .PP -\&\fIsudoers\fR also supports logging a command's input and output -streams. I/O logging is not on by default but can be enabled using -the \fIlog_input\fR and \fIlog_output\fR Defaults flags as well as the -\&\f(CW\*(C`LOG_INPUT\*(C'\fR and \f(CW\*(C`LOG_OUTPUT\*(C'\fR command tags. +\fIsudoers\fR +also supports logging a command's input and output +streams. +I/O logging is not on by default but can be enabled using +the +\fIlog_input\fR +and +\fIlog_output\fR +Defaults flags as well as the +\fRLOG_INPUT\fR +and +\fRLOG_OUTPUT\fR +command tags. .SS "Command Environment" -.IX Subsection "Command Environment" -Since environment variables can influence program behavior, \fIsudoers\fR +Since environment variables can influence program behavior, +\fIsudoers\fR provides a means to restrict which variables from the user's -environment are inherited by the command to be run. There are two -distinct ways \fIsudoers\fR can deal with environment variables. +environment are inherited by the command to be run. +There are two +distinct ways +\fIsudoers\fR +can deal with environment variables. .PP -By default, the \fIenv_reset\fR option is enabled. This causes commands -to be executed with a new, minimal environment. On \s-1AIX\s0 (and Linux -systems without \s-1PAM\s0), the environment is initialized with the -contents of the \fI/etc/environment\fR file. On \s-1BSD\s0 systems, if the -\&\fIuse_loginclass\fR option is enabled, the environment is initialized -based on the \fIpath\fR and \fIsetenv\fR settings in \fI/etc/login.conf\fR. -The new environment contains the \f(CW\*(C`TERM\*(C'\fR, \f(CW\*(C`PATH\*(C'\fR, \f(CW\*(C`HOME\*(C'\fR, \f(CW\*(C`MAIL\*(C'\fR, -\&\f(CW\*(C`SHELL\*(C'\fR, \f(CW\*(C`LOGNAME\*(C'\fR, \f(CW\*(C`USER\*(C'\fR, \f(CW\*(C`USERNAME\*(C'\fR and \f(CW\*(C`SUDO_*\*(C'\fR variables +By default, the +\fIenv_reset\fR +option is enabled. +This causes commands +to be executed with a new, minimal environment. +On AIX (and Linux +systems without PAM), the environment is initialized with the +contents of the +\fI/etc/environment\fR +file. +On BSD systems, if the +\fIuse_loginclass\fR +option is enabled, the environment is initialized +based on the +\fIpath\fR +and +\fIsetenv\fR +settings in +\fI/etc/login.conf\fR. +The new environment contains the +\fRTERM\fR, +\fRPATH\fR, +\fRHOME\fR, +\fRMAIL\fR, +\fRSHELL\fR, +\fRLOGNAME\fR, +\fRUSER\fR, +\fRUSERNAME\fR +and +\fRSUDO_*\fR +variables in addition to variables from the invoking process permitted by the -\&\fIenv_check\fR and \fIenv_keep\fR options. This is effectively a whitelist +\fIenv_check\fR +and +\fIenv_keep\fR +options. +This is effectively a whitelist for environment variables. .PP -If, however, the \fIenv_reset\fR option is disabled, any variables not -explicitly denied by the \fIenv_check\fR and \fIenv_delete\fR options are -inherited from the invoking process. In this case, \fIenv_check\fR -and \fIenv_delete\fR behave like a blacklist. Since it is not possible +If, however, the +\fIenv_reset\fR +option is disabled, any variables not +explicitly denied by the +\fIenv_check\fR +and +\fIenv_delete\fR +options are +inherited from the invoking process. +In this case, +\fIenv_check\fR +and +\fIenv_delete\fR +behave like a blacklist. +Since it is not possible to blacklist all potentially dangerous environment variables, use -of the default \fIenv_reset\fR behavior is encouraged. +of the default +\fIenv_reset\fR +behavior is encouraged. .PP In all cases, environment variables with a value beginning with -\&\f(CW\*(C`()\*(C'\fR are removed as they could be interpreted as \fBbash\fR functions. -The list of environment variables that \fBsudo\fR allows or denies is -contained in the output of \f(CW\*(C`sudo \-V\*(C'\fR when run as root. +\fR()\fR +are removed as they could be interpreted as +\fBbash\fR +functions. +The list of environment variables that +\fBsudo\fR +allows or denies is +contained in the output of +``\fRsudo -V\fR'' +when run as root. .PP Note that the dynamic linker on most operating systems will remove variables that can control dynamic linking from the environment of -setuid executables, including \fBsudo\fR. Depending on the operating -system this may include \f(CW\*(C`_RLD*\*(C'\fR, \f(CW\*(C`DYLD_*\*(C'\fR, \f(CW\*(C`LD_*\*(C'\fR, \f(CW\*(C`LDR_*\*(C'\fR, -\&\f(CW\*(C`LIBPATH\*(C'\fR, \f(CW\*(C`SHLIB_PATH\*(C'\fR, and others. These type of variables are -removed from the environment before \fBsudo\fR even begins execution -and, as such, it is not possible for \fBsudo\fR to preserve them. +setuid executables, including +\fBsudo\fR. +Depending on the operating +system this may include +\fR_RLD*\fR, +\fRDYLD_*\fR, +\fRLD_*\fR, +\fRLDR_*\fR, +\fRLIBPATH\fR, +\fRSHLIB_PATH\fR, +and others. +These type of variables are +removed from the environment before +\fBsudo\fR +even begins execution +and, as such, it is not possible for +\fBsudo\fR +to preserve them. .PP -As a special case, if \fBsudo\fR's \fB\-i\fR option (initial login) is -specified, \fIsudoers\fR will initialize the environment regardless -of the value of \fIenv_reset\fR. The \fI\s-1DISPLAY\s0\fR, \fI\s-1PATH\s0\fR and \fI\s-1TERM\s0\fR -variables remain unchanged; \fI\s-1HOME\s0\fR, \fI\s-1MAIL\s0\fR, \fI\s-1SHELL\s0\fR, \fI\s-1USER\s0\fR, -and \fI\s-1LOGNAME\s0\fR are set based on the target user. On \s-1AIX\s0 (and Linux -systems without \s-1PAM\s0), the contents of \fI/etc/environment\fR are also -included. On \s-1BSD\s0 systems, if the \fIuse_loginclass\fR option is -enabled, the \fIpath\fR and \fIsetenv\fR variables in \fI/etc/login.conf\fR -are also applied. All other environment variables are removed. +As a special case, if +\fBsudo\fR's +\fB-i\fR +option (initial login) is +specified, +\fIsudoers\fR +will initialize the environment regardless +of the value of +\fIenv_reset\fR. +The +\fRDISPLAY\fR, +\fRPATH\fR +and +\fRTERM\fR +variables remain unchanged; +\fRHOME\fR, +\fRMAIL\fR, +\fRSHELL\fR, +\fRUSER\fR, +and +\fRLOGNAME\fR +are set based on the target user. +On AIX (and Linux +systems without PAM), the contents of +\fI/etc/environment\fR +are also +included. +On BSD systems, if the +\fIuse_loginclass\fR +option is +enabled, the +\fIpath\fR +and +\fIsetenv\fR +variables in +\fI/etc/login.conf\fR +are also applied. +All other environment variables are removed. .PP -Finally, if the \fIenv_file\fR option is defined, any variables present +Finally, if the +\fIenv_file\fR +option is defined, any variables present in that file will be set to their specified values as long as they would not conflict with an existing environment variable. .SH "SUDOERS FILE FORMAT" -.IX Header "SUDOERS FILE FORMAT" -The \fIsudoers\fR file is composed of two types of entries: aliases +The +\fIsudoers\fR +file is composed of two types of entries: aliases (basically variables) and user specifications (which specify who may run what). .PP @@ -272,1923 +319,3467 @@ When multiple entries match for a user, they are applied in order. Where there are multiple matches, the last match is used (which is not necessarily the most specific match). .PP -The \fIsudoers\fR grammar will be described below in Extended Backus-Naur -Form (\s-1EBNF\s0). Don't despair if you don't know what \s-1EBNF\s0 is; it is -fairly simple, and the definitions below are annotated. -.SS "Quick guide to \s-1EBNF\s0" -.IX Subsection "Quick guide to EBNF" -\&\s-1EBNF\s0 is a concise and exact way of describing the grammar of a language. -Each \s-1EBNF\s0 definition is made up of \fIproduction rules\fR. E.g., +The +\fIsudoers\fR +grammar will be described below in Extended Backus-Naur +Form (EBNF). +Don't despair if you are unfamiliar with EBNF; it is fairly simple, +and the definitions below are annotated. +.SS "Quick guide to EBNF" +EBNF is a concise and exact way of describing the grammar of a language. +Each EBNF definition is made up of +\fIproduction rules\fR. +E.g., .PP -.Vb 1 -\& symbol ::= definition | alternate1 | alternate2 ... -.Ve +\fRsymbol ::= definition\fR | \fRalternate1\fR | \fRalternate2 ...\fR .PP -Each \fIproduction rule\fR references others and thus makes up a -grammar for the language. \s-1EBNF\s0 also contains the following +Each +\fIproduction rule\fR +references others and thus makes up a +grammar for the language. +EBNF also contains the following operators, which many readers will recognize from regular -expressions. Do not, however, confuse them with \*(L"wildcard\*(R" +expressions. +Do not, however, confuse them with +``wildcard'' characters, which have different meanings. -.ie n .IP "\*(C`?\*(C'" 4 -.el .IP "\f(CW\*(C`?\*(C'\fR" 4 -.IX Item "?" +.TP 6n +\fR\&?\fR Means that the preceding symbol (or group of symbols) is optional. That is, it may appear once or not at all. -.ie n .IP "\*(C`*\*(C'" 4 -.el .IP "\f(CW\*(C`*\*(C'\fR" 4 -.IX Item "*" +.TP 6n +\fR*\fR Means that the preceding symbol (or group of symbols) may appear zero or more times. -.ie n .IP "\*(C`+\*(C'" 4 -.el .IP "\f(CW\*(C`+\*(C'\fR" 4 -.IX Item "+" +.TP 6n +\fR+\fR Means that the preceding symbol (or group of symbols) may appear one or more times. .PP -Parentheses may be used to group symbols together. For clarity, -we will use single quotes ('') to designate what is a verbatim character -string (as opposed to a symbol name). +Parentheses may be used to group symbols together. +For clarity, +we will use single quotes +('') +to designate what is a verbatim character string (as opposed to a symbol name). .SS "Aliases" -.IX Subsection "Aliases" -There are four kinds of aliases: \f(CW\*(C`User_Alias\*(C'\fR, \f(CW\*(C`Runas_Alias\*(C'\fR, -\&\f(CW\*(C`Host_Alias\*(C'\fR and \f(CW\*(C`Cmnd_Alias\*(C'\fR. +There are four kinds of aliases: +\fRUser_Alias\fR, +\fRRunas_Alias\fR, +\fRHost_Alias\fR +and +\fRCmnd_Alias\fR. +.nf +.sp +.RS 0n +Alias ::= 'User_Alias' User_Alias (':' User_Alias)* | + 'Runas_Alias' Runas_Alias (':' Runas_Alias)* | + 'Host_Alias' Host_Alias (':' Host_Alias)* | + 'Cmnd_Alias' Cmnd_Alias (':' Cmnd_Alias)* + +User_Alias ::= NAME '=' User_List + +Runas_Alias ::= NAME '=' Runas_List + +Host_Alias ::= NAME '=' Host_List + +Cmnd_Alias ::= NAME '=' Cmnd_List + +NAME ::= [A-Z]([A-Z][0-9]_)* +.RE +.fi .PP -.Vb 4 -\& Alias ::= \*(AqUser_Alias\*(Aq User_Alias (\*(Aq:\*(Aq User_Alias)* | -\& \*(AqRunas_Alias\*(Aq Runas_Alias (\*(Aq:\*(Aq Runas_Alias)* | -\& \*(AqHost_Alias\*(Aq Host_Alias (\*(Aq:\*(Aq Host_Alias)* | -\& \*(AqCmnd_Alias\*(Aq Cmnd_Alias (\*(Aq:\*(Aq Cmnd_Alias)* -\& -\& User_Alias ::= NAME \*(Aq=\*(Aq User_List -\& -\& Runas_Alias ::= NAME \*(Aq=\*(Aq Runas_List -\& -\& Host_Alias ::= NAME \*(Aq=\*(Aq Host_List -\& -\& Cmnd_Alias ::= NAME \*(Aq=\*(Aq Cmnd_List -\& -\& NAME ::= [A\-Z]([A\-Z][0\-9]_)* -.Ve +Each +\fIalias\fR +definition is of the form +.nf +.sp +.RS 0n +Alias_Type NAME = item1, item2, ... +.RE +.fi .PP -Each \fIalias\fR definition is of the form +where +\fIAlias_Type\fR +is one of +\fRUser_Alias\fR, +\fRRunas_Alias\fR, +\fRHost_Alias\fR, +or +\fRCmnd_Alias\fR. +A +\fRNAME\fR +is a string of uppercase letters, numbers, +and underscore characters +(`_'). +A +\fRNAME\fR +\fBmust\fR +start with an +uppercase letter. +It is possible to put several alias definitions +of the same type on a single line, joined by a colon +(`:\&'). +E.g., +.nf +.sp +.RS 0n +Alias_Type NAME = item1, item2, item3 : NAME = item4, item5 +.RE +.fi .PP -.Vb 1 -\& Alias_Type NAME = item1, item2, ... -.Ve +The definitions of what constitutes a valid +\fIalias\fR +member follow. +.nf +.sp +.RS 0n +User_List ::= User | + User ',' User_List + +User ::= '!'* user name | + '!'* #uid | + '!'* %group | + '!'* %#gid | + '!'* +netgroup | + '!'* %:nonunix_group | + '!'* %:#nonunix_gid | + '!'* User_Alias +.RE +.fi .PP -where \fIAlias_Type\fR is one of \f(CW\*(C`User_Alias\*(C'\fR, \f(CW\*(C`Runas_Alias\*(C'\fR, \f(CW\*(C`Host_Alias\*(C'\fR, -or \f(CW\*(C`Cmnd_Alias\*(C'\fR. A \f(CW\*(C`NAME\*(C'\fR is a string of uppercase letters, numbers, -and underscore characters ('_'). A \f(CW\*(C`NAME\*(C'\fR \fBmust\fR start with an -uppercase letter. It is possible to put several alias definitions -of the same type on a single line, joined by a colon (':'). E.g., -.PP -.Vb 1 -\& Alias_Type NAME = item1, item2, item3 : NAME = item4, item5 -.Ve -.PP -The definitions of what constitutes a valid \fIalias\fR member follow. -.PP -.Vb 2 -\& User_List ::= User | -\& User \*(Aq,\*(Aq User_List -\& -\& User ::= \*(Aq!\*(Aq* user name | -\& \*(Aq!\*(Aq* #uid | -\& \*(Aq!\*(Aq* %group | -\& \*(Aq!\*(Aq* %#gid | -\& \*(Aq!\*(Aq* +netgroup | -\& \*(Aq!\*(Aq* %:nonunix_group | -\& \*(Aq!\*(Aq* %:#nonunix_gid | -\& \*(Aq!\*(Aq* User_Alias -.Ve -.PP -A \f(CW\*(C`User_List\*(C'\fR is made up of one or more user names, user ids -(prefixed with '#'), system group names and ids (prefixed with '%' -and '%#' respectively), netgroups (prefixed with '+'), non-Unix -group names and IDs (prefixed with '%:' and '%:#' respectively) and -\&\f(CW\*(C`User_Alias\*(C'\fRes. Each list item may be prefixed with zero or more -\&'!' operators. An odd number of '!' operators negate the value of +A +\fRUser_List\fR +is made up of one or more user names, user ids +(prefixed with +`#'), +system group names and ids (prefixed with +`%' +and +`%#' +respectively), netgroups (prefixed with +`+'), +non-Unix group names and IDs (prefixed with +`%:' +and +`%:#' +respectively) and +\fRUser_Alias\fRes. +Each list item may be prefixed with zero or more +`\&!' +operators. +An odd number of +`\&!' +operators negate the value of the item; an even number just cancel each other out. .PP -A \f(CW\*(C`user name\*(C'\fR, \f(CW\*(C`uid\*(C'\fR, \f(CW\*(C`group\*(C'\fR, \f(CW\*(C`gid\*(C'\fR, \f(CW\*(C`netgroup\*(C'\fR, \f(CW\*(C`nonunix_group\*(C'\fR -or \f(CW\*(C`nonunix_gid\*(C'\fR may be enclosed in double quotes to avoid the -need for escaping special characters. Alternately, special characters -may be specified in escaped hex mode, e.g. \ex20 for space. When +A +\fRuser name\fR, +\fRuid\fR, +\fRgroup\fR, +\fRgid\fR, +\fRnetgroup\fR, +\fRnonunix_group\fR +or +\fRnonunix_gid\fR +may be enclosed in double quotes to avoid the +need for escaping special characters. +Alternately, special characters +may be specified in escaped hex mode, e.g.\& \ex20 for space. +When using double quotes, any prefix characters must be included inside the quotes. .PP -The actual \f(CW\*(C`nonunix_group\*(C'\fR and \f(CW\*(C`nonunix_gid\*(C'\fR syntax depends on -the underlying group provider plugin (see the \fIgroup_plugin\fR -description below). For instance, the \s-1QAS\s0 \s-1AD\s0 plugin supports the -following formats: -.IP "\(bu" 4 -Group in the same domain: \*(L"%:Group Name\*(R" -.IP "\(bu" 4 -Group in any domain: \*(L"%:Group Name@FULLY.QUALIFIED.DOMAIN\*(R" -.IP "\(bu" 4 -Group \s-1SID:\s0 \*(L"%:S\-1\-2\-34\-5678901234\-5678901234\-5678901234\-567\*(R" +The actual +\fRnonunix_group\fR +and +\fRnonunix_gid\fR +syntax depends on +the underlying group provider plugin (see the +\fIgroup_plugin\fR +description below). +For instance, the QAS AD plugin supports the following formats: +.TP 6n +\fBo\fR +Group in the same domain: "%:Group Name" +.TP 6n +\fBo\fR +Group in any domain: "%:Group Name@FULLY.QUALIFIED.DOMAIN" +.TP 6n +\fBo\fR +Group SID: "%:S-1-2-34-5678901234-5678901234-5678901234-567" .PP -Note that quotes around group names are optional. Unquoted strings -must use a backslash (\e) to escape spaces and special characters. -See \*(L"Other special characters and reserved words\*(R" for a list of +Note that quotes around group names are optional. +Unquoted strings must use a backslash +(`\e') +to escape spaces and special characters. +See +\fIOther special characters and reserved words\fR +for a list of characters that need to be escaped. +.nf +.sp +.RS 0n +Runas_List ::= Runas_Member | + Runas_Member ',' Runas_List + +Runas_Member ::= '!'* user name | + '!'* #uid | + '!'* %group | + '!'* %#gid | + '!'* %:nonunix_group | + '!'* %:#nonunix_gid | + '!'* +netgroup | + '!'* Runas_Alias +.RE +.fi .PP -.Vb 2 -\& Runas_List ::= Runas_Member | -\& Runas_Member \*(Aq,\*(Aq Runas_List -\& -\& Runas_Member ::= \*(Aq!\*(Aq* user name | -\& \*(Aq!\*(Aq* #uid | -\& \*(Aq!\*(Aq* %group | -\& \*(Aq!\*(Aq* %#gid | -\& \*(Aq!\*(Aq* %:nonunix_group | -\& \*(Aq!\*(Aq* %:#nonunix_gid | -\& \*(Aq!\*(Aq* +netgroup | -\& \*(Aq!\*(Aq* Runas_Alias -.Ve -.PP -A \f(CW\*(C`Runas_List\*(C'\fR is similar to a \f(CW\*(C`User_List\*(C'\fR except that instead -of \f(CW\*(C`User_Alias\*(C'\fRes it can contain \f(CW\*(C`Runas_Alias\*(C'\fRes. Note that -user names and groups are matched as strings. In other words, two +A +\fRRunas_List\fR +is similar to a +\fRUser_List\fR +except that instead +of +\fRUser_Alias\fRes +it can contain +\fRRunas_Alias\fRes. +Note that +user names and groups are matched as strings. +In other words, two users (groups) with the same uid (gid) are considered to be distinct. -If you wish to match all user names with the same uid (e.g.\ root -and toor), you can use a uid instead (#0 in the example given). +If you wish to match all user names with the same uid (e.g.\& +root and toor), you can use a uid instead (#0 in the example given). +.nf +.sp +.RS 0n +Host_List ::= Host | + Host ',' Host_List + +Host ::= '!'* host name | + '!'* ip_addr | + '!'* network(/netmask)? | + '!'* +netgroup | + '!'* Host_Alias +.RE +.fi .PP -.Vb 2 -\& Host_List ::= Host | -\& Host \*(Aq,\*(Aq Host_List -\& -\& Host ::= \*(Aq!\*(Aq* host name | -\& \*(Aq!\*(Aq* ip_addr | -\& \*(Aq!\*(Aq* network(/netmask)? | -\& \*(Aq!\*(Aq* +netgroup | -\& \*(Aq!\*(Aq* Host_Alias -.Ve -.PP -A \f(CW\*(C`Host_List\*(C'\fR is made up of one or more host names, \s-1IP\s0 addresses, -network numbers, netgroups (prefixed with '+') and other aliases. -Again, the value of an item may be negated with the '!' operator. +A +\fRHost_List\fR +is made up of one or more host names, IP addresses, +network numbers, netgroups (prefixed with +`+') +and other aliases. +Again, the value of an item may be negated with the +`\&!' +operator. If you do not specify a netmask along with the network number, -\&\fBsudo\fR will query each of the local host's network interfaces and, +\fBsudo\fR +will query each of the local host's network interfaces and, if the network number corresponds to one of the hosts's network -interfaces, the corresponding netmask will be used. The netmask -may be specified either in standard \s-1IP\s0 address notation -(e.g.\ 255.255.255.0 or ffff:ffff:ffff:ffff::), -or \s-1CIDR\s0 notation (number of bits, e.g.\ 24 or 64). A host name may -include shell-style wildcards (see the Wildcards section below), -but unless the \f(CW\*(C`host name\*(C'\fR command on your machine returns the fully -qualified host name, you'll need to use the \fIfqdn\fR option for -wildcards to be useful. Note \fBsudo\fR only inspects actual network -interfaces; this means that \s-1IP\s0 address 127.0.0.1 (localhost) will -never match. Also, the host name \*(L"localhost\*(R" will only match if -that is the actual host name, which is usually only the case for -non-networked systems. +interfaces, the corresponding netmask will be used. +The netmask +may be specified either in standard IP address notation +(e.g.\& 255.255.255.0 or ffff:ffff:ffff:ffff::), +or CIDR notation (number of bits, e.g.\& 24 or 64). +A host name may include shell-style wildcards (see the +\fIWildcards\fR +section below), +but unless the +\fRhost name\fR +command on your machine returns the fully +qualified host name, you'll need to use the +\fIfqdn\fR +option for wildcards to be useful. +Note that +\fBsudo\fR +only inspects actual network interfaces; this means that IP address +127.0.0.1 (localhost) will never match. +Also, the host name +``localhost'' +will only match if that is the actual host name, which is usually +only the case for non-networked systems. +.nf +.sp +.RS 0n +Cmnd_List ::= Cmnd | + Cmnd ',' Cmnd_List + +command name ::= file name | + file name args | + file name '""' + +Cmnd ::= '!'* command name | + '!'* directory | + '!'* "sudoedit" | + '!'* Cmnd_Alias +.RE +.fi .PP -.Vb 2 -\& Cmnd_List ::= Cmnd | -\& Cmnd \*(Aq,\*(Aq Cmnd_List -\& -\& commandname ::= file name | -\& file name args | -\& file name \*(Aq""\*(Aq -\& -\& Cmnd ::= \*(Aq!\*(Aq* commandname | -\& \*(Aq!\*(Aq* directory | -\& \*(Aq!\*(Aq* "sudoedit" | -\& \*(Aq!\*(Aq* Cmnd_Alias -.Ve -.PP -A \f(CW\*(C`Cmnd_List\*(C'\fR is a list of one or more commandnames, directories, and other -aliases. A commandname is a fully qualified file name which may include -shell-style wildcards (see the Wildcards section below). A simple -file name allows the user to run the command with any arguments he/she -wishes. However, you may also specify command line arguments (including -wildcards). Alternately, you can specify \f(CW""\fR to indicate that the command -may only be run \fBwithout\fR command line arguments. A directory is a -fully qualified path name ending in a '/'. When you specify a directory -in a \f(CW\*(C`Cmnd_List\*(C'\fR, the user will be able to run any file within that directory +A +\fRCmnd_List\fR +is a list of one or more command names, directories, and other aliases. +A command name is a fully qualified file name which may include +shell-style wildcards (see the +\fIWildcards\fR +section below). +A simple file name allows the user to run the command with any +arguments he/she wishes. +However, you may also specify command line arguments (including +wildcards). +Alternately, you can specify +\fR\&""\fR +to indicate that the command +may only be run +\fBwithout\fR +command line arguments. +A directory is a +fully qualified path name ending in a +`/'. +When you specify a directory in a +\fRCmnd_List\fR, +the user will be able to run any file within that directory (but not in any subdirectories therein). .PP -If a \f(CW\*(C`Cmnd\*(C'\fR has associated command line arguments, then the arguments -in the \f(CW\*(C`Cmnd\*(C'\fR must match exactly those given by the user on the command line -(or match the wildcards if there are any). Note that the following -characters must be escaped with a '\e' if they are used in command -arguments: ',', ':', '=', '\e'. The special command \f(CW"sudoedit"\fR -is used to permit a user to run \fBsudo\fR with the \fB\-e\fR option (or -as \fBsudoedit\fR). It may take command line arguments just as -a normal command does. +If a +\fRCmnd\fR +has associated command line arguments, then the arguments +in the +\fRCmnd\fR +must match exactly those given by the user on the command line +(or match the wildcards if there are any). +Note that the following characters must be escaped with a +`\e' +if they are used in command arguments: +`,\&', +`:\&', +`=\&', +`\e'. +The special command +``\fRsudoedit\fR'' +is used to permit a user to run +\fBsudo\fR +with the +\fB-e\fR +option (or as +\fBsudoedit\fR). +It may take command line arguments just as a normal command does. .SS "Defaults" -.IX Subsection "Defaults" Certain configuration options may be changed from their default -values at runtime via one or more \f(CW\*(C`Default_Entry\*(C'\fR lines. These -may affect all users on any host, all users on a specific host, a +values at runtime via one or more +\fRDefault_Entry\fR +lines. +These may affect all users on any host, all users on a specific host, a specific user, a specific command, or commands being run as a specific user. Note that per-command entries may not include command line arguments. -If you need to specify arguments, define a \f(CW\*(C`Cmnd_Alias\*(C'\fR and reference +If you need to specify arguments, define a +\fRCmnd_Alias\fR +and reference that instead. +.nf +.sp +.RS 0n +Default_Type ::= 'Defaults' | + 'Defaults' '@' Host_List | + 'Defaults' ':' User_List | + 'Defaults' '!' Cmnd_List | + 'Defaults' '>' Runas_List + +Default_Entry ::= Default_Type Parameter_List + +Parameter_List ::= Parameter | + Parameter ',' Parameter_List + +Parameter ::= Parameter '=' Value | + Parameter '+=' Value | + Parameter '-=' Value | + '!'* Parameter +.RE +.fi .PP -.Vb 5 -\& Default_Type ::= \*(AqDefaults\*(Aq | -\& \*(AqDefaults\*(Aq \*(Aq@\*(Aq Host_List | -\& \*(AqDefaults\*(Aq \*(Aq:\*(Aq User_List | -\& \*(AqDefaults\*(Aq \*(Aq!\*(Aq Cmnd_List | -\& \*(AqDefaults\*(Aq \*(Aq>\*(Aq Runas_List -\& -\& Default_Entry ::= Default_Type Parameter_List -\& -\& Parameter_List ::= Parameter | -\& Parameter \*(Aq,\*(Aq Parameter_List -\& -\& Parameter ::= Parameter \*(Aq=\*(Aq Value | -\& Parameter \*(Aq+=\*(Aq Value | -\& Parameter \*(Aq\-=\*(Aq Value | -\& \*(Aq!\*(Aq* Parameter -.Ve +Parameters may be +\fBflags\fR, +\fBinteger\fR +values, +\fBstrings\fR, +or +\fBlists\fR. +Flags are implicitly boolean and can be turned off via the +`\&!' +operator. +Some integer, string and list parameters may also be +used in a boolean context to disable them. +Values may be enclosed +in double quotes +(\&"") +when they contain multiple words. +Special characters may be escaped with a backslash +(`\e'). .PP -Parameters may be \fBflags\fR, \fBinteger\fR values, \fBstrings\fR, or \fBlists\fR. -Flags are implicitly boolean and can be turned off via the '!' -operator. Some integer, string and list parameters may also be -used in a boolean context to disable them. Values may be enclosed -in double quotes (\f(CW\*(C`"\*(C'\fR) when they contain multiple words. Special -characters may be escaped with a backslash (\f(CW\*(C`\e\*(C'\fR). -.PP -Lists have two additional assignment operators, \f(CW\*(C`+=\*(C'\fR and \f(CW\*(C`\-=\*(C'\fR. +Lists have two additional assignment operators, +\fR+=\fR +and +\fR-=\fR. These operators are used to add to and delete from a list respectively. -It is not an error to use the \f(CW\*(C`\-=\*(C'\fR operator to remove an element +It is not an error to use the +\fR-=\fR +operator to remove an element that does not exist in a list. .PP Defaults entries are parsed in the following order: generic, host and user Defaults first, then runas Defaults and finally command defaults. .PP -See \*(L"\s-1SUDOERS\s0 \s-1OPTIONS\s0\*(R" for a list of supported Defaults parameters. +See +\fISUDOERS OPTIONS\fR +for a list of supported Defaults parameters. .SS "User Specification" -.IX Subsection "User Specification" -.Vb 2 -\& User_Spec ::= User_List Host_List \*(Aq=\*(Aq Cmnd_Spec_List \e -\& (\*(Aq:\*(Aq Host_List \*(Aq=\*(Aq Cmnd_Spec_List)* -\& -\& Cmnd_Spec_List ::= Cmnd_Spec | -\& Cmnd_Spec \*(Aq,\*(Aq Cmnd_Spec_List -\& -.ie \n(SL \& Cmnd_Spec ::= Runas_Spec? SELinux_Spec? Tag_Spec* Cmnd -.el \& Cmnd_Spec ::= Runas_Spec? Tag_Spec* Cmnd -\& -\& Runas_Spec ::= \*(Aq(\*(Aq Runas_List? (\*(Aq:\*(Aq Runas_List)? \*(Aq)\*(Aq -\& -.if \n(SL \{\ -\& SELinux_Spec ::= (\*(AqROLE=role\*(Aq | \*(AqTYPE=type\*(Aq) -\& -\} -\& Tag_Spec ::= (\*(AqNOPASSWD:\*(Aq | \*(AqPASSWD:\*(Aq | \*(AqNOEXEC:\*(Aq | \*(AqEXEC:\*(Aq | -\& \*(AqSETENV:\*(Aq | \*(AqNOSETENV:\*(Aq | \*(AqLOG_INPUT:\*(Aq | \*(AqNOLOG_INPUT:\*(Aq | -\& \*(AqLOG_OUTPUT:\*(Aq | \*(AqNOLOG_OUTPUT:\*(Aq) -.Ve +.nf +.RS 0n +User_Spec ::= User_List Host_List '=' Cmnd_Spec_List \e + (':' Host_List '=' Cmnd_Spec_List)* + +Cmnd_Spec_List ::= Cmnd_Spec | + Cmnd_Spec ',' Cmnd_Spec_List + +Cmnd_Spec ::= Runas_Spec? SELinux_Spec? Tag_Spec* Cmnd + +Runas_Spec ::= '(' Runas_List? (':' Runas_List)? ')' + +SELinux_Spec ::= ('ROLE=role' | 'TYPE=type') + +Tag_Spec ::= ('NOPASSWD:' | 'PASSWD:' | 'NOEXEC:' | 'EXEC:' | + 'SETENV:' | 'NOSETENV:' | 'LOG_INPUT:' | 'NOLOG_INPUT:' | + 'LOG_OUTPUT:' | 'NOLOG_OUTPUT:') +.RE +.fi .PP -A \fBuser specification\fR determines which commands a user may run -(and as what user) on specified hosts. By default, commands are -run as \fBroot\fR, but this can be changed on a per-command basis. +A +\fBuser specification\fR +determines which commands a user may run +(and as what user) on specified hosts. +By default, commands are +run as +\fBroot\fR, +but this can be changed on a per-command basis. .PP -The basic structure of a user specification is `who where = (as_whom) -what'. Let's break that down into its constituent parts: +The basic structure of a user specification is +``who where = (as_whom) what''. +Let's break that down into its constituent parts: .SS "Runas_Spec" -.IX Subsection "Runas_Spec" -A \f(CW\*(C`Runas_Spec\*(C'\fR determines the user and/or the group that a command -may be run as. A fully-specified \f(CW\*(C`Runas_Spec\*(C'\fR consists of two -\&\f(CW\*(C`Runas_List\*(C'\fRs (as defined above) separated by a colon (':') and -enclosed in a set of parentheses. The first \f(CW\*(C`Runas_List\*(C'\fR indicates -which users the command may be run as via \fBsudo\fR's \fB\-u\fR option. +A +\fRRunas_Spec\fR +determines the user and/or the group that a command +may be run as. +A fully-specified +\fRRunas_Spec\fR +consists of two +\fRRunas_List\fRs +(as defined above) separated by a colon +(`:\&') +and enclosed in a set of parentheses. +The first +\fRRunas_List\fR +indicates +which users the command may be run as via +\fBsudo\fR's +\fB-u\fR +option. The second defines a list of groups that can be specified via -\&\fBsudo\fR's \fB\-g\fR option. If both \f(CW\*(C`Runas_List\*(C'\fRs are specified, the -command may be run with any combination of users and groups listed -in their respective \f(CW\*(C`Runas_List\*(C'\fRs. If only the first is specified, -the command may be run as any user in the list but no \fB\-g\fR option -may be specified. If the first \f(CW\*(C`Runas_List\*(C'\fR is empty but the +\fBsudo\fR's +\fB-g\fR +option. +If both +\fRRunas_List\fRs +are specified, the command may be run with any combination of users +and groups listed in their respective +\fRRunas_List\fRs. +If only the first is specified, the command may be run as any user +in the list but no +\fB-g\fR +option +may be specified. +If the first +\fRRunas_List\fR +is empty but the second is specified, the command may be run as the invoking user -with the group set to any listed in the \f(CW\*(C`Runas_List\*(C'\fR. If no -\&\f(CW\*(C`Runas_Spec\*(C'\fR is specified the command may be run as \fBroot\fR and +with the group set to any listed in the +\fRRunas_List\fR. +If no +\fRRunas_Spec\fR +is specified the command may be run as +\fBroot\fR +and no group may be specified. .PP -A \f(CW\*(C`Runas_Spec\*(C'\fR sets the default for the commands that follow it. +A +\fRRunas_Spec\fR +sets the default for the commands that follow it. What this means is that for the entry: +.nf +.sp +.RS 0n +dgb boulder = (operator) /bin/ls, /bin/kill, /usr/bin/lprm +.RE +.fi .PP -.Vb 1 -\& dgb boulder = (operator) /bin/ls, /bin/kill, /usr/bin/lprm -.Ve +The user +\fBdgb\fR +may run +\fI/bin/ls\fR, +\fI/bin/kill\fR, +and +\fI/usr/bin/lprm\fR\(embut +only as +\fBoperator\fR. +E.g., +.nf +.sp +.RS 0n +$ sudo -u operator /bin/ls +.RE +.fi .PP -The user \fBdgb\fR may run \fI/bin/ls\fR, \fI/bin/kill\fR, and -\&\fI/usr/bin/lprm\fR \*(-- but only as \fBoperator\fR. E.g., +It is also possible to override a +\fRRunas_Spec\fR +later on in an entry. +If we modify the entry like so: +.nf +.sp +.RS 0n +dgb boulder = (operator) /bin/ls, (root) /bin/kill, /usr/bin/lprm +.RE +.fi .PP -.Vb 1 -\& $ sudo \-u operator /bin/ls -.Ve +Then user +\fBdgb\fR +is now allowed to run +\fI/bin/ls\fR +as +\fBoperator\fR, +but +\fI/bin/kill\fR +and +\fI/usr/bin/lprm\fR +as +\fBroot\fR. .PP -It is also possible to override a \f(CW\*(C`Runas_Spec\*(C'\fR later on in an -entry. If we modify the entry like so: +We can extend this to allow +\fBdgb\fR +to run +\fR/bin/ls\fR +with either +the user or group set to +\fBoperator\fR: +.nf +.sp +.RS 0n +dgb boulder = (operator : operator) /bin/ls, (root) /bin/kill,\e + /usr/bin/lprm +.RE +.fi .PP -.Vb 1 -\& dgb boulder = (operator) /bin/ls, (root) /bin/kill, /usr/bin/lprm -.Ve -.PP -Then user \fBdgb\fR is now allowed to run \fI/bin/ls\fR as \fBoperator\fR, -but \fI/bin/kill\fR and \fI/usr/bin/lprm\fR as \fBroot\fR. -.PP -We can extend this to allow \fBdgb\fR to run \f(CW\*(C`/bin/ls\*(C'\fR with either -the user or group set to \fBoperator\fR: -.PP -.Vb 2 -\& dgb boulder = (operator : operator) /bin/ls, (root) /bin/kill, \e -\& /usr/bin/lprm -.Ve -.PP -Note that while the group portion of the \f(CW\*(C`Runas_Spec\*(C'\fR permits the +Note that while the group portion of the +\fRRunas_Spec\fR +permits the user to run as command with that group, it does not force the user -to do so. If no group is specified on the command line, the command +to do so. +If no group is specified on the command line, the command will run with the group listed in the target user's password database -entry. The following would all be permitted by the sudoers entry above: +entry. +The following would all be permitted by the sudoers entry above: +.nf +.sp +.RS 0n +$ sudo -u operator /bin/ls +$ sudo -u operator -g operator /bin/ls +$ sudo -g operator /bin/ls +.RE +.fi .PP -.Vb 3 -\& $ sudo \-u operator /bin/ls -\& $ sudo \-u operator \-g operator /bin/ls -\& $ sudo \-g operator /bin/ls -.Ve -.PP -In the following example, user \fBtcm\fR may run commands that access +In the following example, user +\fBtcm\fR +may run commands that access a modem device file with the dialer group. -.PP -.Vb 2 -\& tcm boulder = (:dialer) /usr/bin/tip, /usr/bin/cu, \e -\& /usr/local/bin/minicom -.Ve +.nf +.sp +.RS 0n +tcm boulder = (:dialer) /usr/bin/tip, /usr/bin/cu,\e + /usr/local/bin/minicom +.RE +.fi .PP Note that in this example only the group will be set, the command -still runs as user \fBtcm\fR. E.g. +still runs as user +\fBtcm\fR. +E.g.\& +.nf +.sp +.RS 0n +$ sudo -g dialer /usr/bin/cu +.RE +.fi .PP -.Vb 1 -\& $ sudo \-g dialer /usr/bin/cu -.Ve +Multiple users and groups may be present in a +\fRRunas_Spec\fR, +in which case the user may select any combination of users and groups via the +\fB-u\fR +and +\fB-g\fR +options. +In this example: +.nf +.sp +.RS 0n +alan ALL = (root, bin : operator, system) ALL +.RE +.fi .PP -Multiple users and groups may be present in a \f(CW\*(C`Runas_Spec\*(C'\fR, in -which case the user may select any combination of users and groups -via the \fB\-u\fR and \fB\-g\fR options. In this example: -.PP -.Vb 1 -\& alan ALL = (root, bin : operator, system) ALL -.Ve -.PP -user \fBalan\fR may run any command as either user root or bin, +user +\fBalan\fR +may run any command as either user root or bin, optionally setting the group to operator or system. -.if \n(SL \{\ .SS "SELinux_Spec" -.IX Subsection "SELinux_Spec" -On systems with SELinux support, \fIsudoers\fR entries may optionally have -an SELinux role and/or type associated with a command. If a role or +On systems with SELinux support, +\fIsudoers\fR +entries may optionally have an SELinux role and/or type associated +with a command. +If a role or type is specified with the command it will override any default values -specified in \fIsudoers\fR. A role or type specified on the command line, -however, will supercede the values in \fIsudoers\fR. -\} +specified in +\fIsudoers\fR. +A role or type specified on the command line, +however, will supercede the values in +\fIsudoers\fR. .SS "Tag_Spec" -.IX Subsection "Tag_Spec" -A command may have zero or more tags associated with it. There are -ten possible tag values, \f(CW\*(C`NOPASSWD\*(C'\fR, \f(CW\*(C`PASSWD\*(C'\fR, \f(CW\*(C`NOEXEC\*(C'\fR, -\&\f(CW\*(C`EXEC\*(C'\fR, \f(CW\*(C`SETENV\*(C'\fR, \f(CW\*(C`NOSETENV\*(C'\fR, \f(CW\*(C`LOG_INPUT\*(C'\fR, \f(CW\*(C`NOLOG_INPUT\*(C'\fR, -\&\f(CW\*(C`LOG_OUTPUT\*(C'\fR and \f(CW\*(C`NOLOG_OUTPUT\*(C'\fR. Once a tag is set on a \f(CW\*(C`Cmnd\*(C'\fR, -subsequent \f(CW\*(C`Cmnd\*(C'\fRs in the \f(CW\*(C`Cmnd_Spec_List\*(C'\fR, inherit the tag unless -it is overridden by the opposite tag (in other words, \f(CW\*(C`PASSWD\*(C'\fR overrides -\&\f(CW\*(C`NOPASSWD\*(C'\fR and \f(CW\*(C`NOEXEC\*(C'\fR overrides \f(CW\*(C`EXEC\*(C'\fR). +A command may have zero or more tags associated with it. +There are +ten possible tag values: +\fRNOPASSWD\fR, +\fRPASSWD\fR, +\fRNOEXEC\fR, +\fREXEC\fR, +\fRSETENV\fR, +\fRNOSETENV\fR, +\fRLOG_INPUT\fR, +\fRNOLOG_INPUT\fR, +\fRLOG_OUTPUT\fR +and +\fRNOLOG_OUTPUT\fR. +Once a tag is set on a +\fRCmnd\fR, +subsequent +\fRCmnd\fRs +in the +\fRCmnd_Spec_List\fR, +inherit the tag unless it is overridden by the opposite tag (in other words, +\fRPASSWD\fR +overrides +\fRNOPASSWD\fR +and +\fRNOEXEC\fR +overrides +\fREXEC\fR). .PP -\fI\s-1NOPASSWD\s0 and \s-1PASSWD\s0\fR -.IX Subsection "NOPASSWD and PASSWD" +\fINOPASSWD and PASSWD\fR .PP -By default, \fBsudo\fR requires that a user authenticate him or herself -before running a command. This behavior can be modified via the -\&\f(CW\*(C`NOPASSWD\*(C'\fR tag. Like a \f(CW\*(C`Runas_Spec\*(C'\fR, the \f(CW\*(C`NOPASSWD\*(C'\fR tag sets -a default for the commands that follow it in the \f(CW\*(C`Cmnd_Spec_List\*(C'\fR. -Conversely, the \f(CW\*(C`PASSWD\*(C'\fR tag can be used to reverse things. +By default, +\fBsudo\fR +requires that a user authenticate him or herself +before running a command. +This behavior can be modified via the +\fRNOPASSWD\fR +tag. +Like a +\fRRunas_Spec\fR, +the +\fRNOPASSWD\fR +tag sets +a default for the commands that follow it in the +\fRCmnd_Spec_List\fR. +Conversely, the +\fRPASSWD\fR +tag can be used to reverse things. For example: +.nf +.sp +.RS 0n +ray rushmore = NOPASSWD: /bin/kill, /bin/ls, /usr/bin/lprm +.RE +.fi .PP -.Vb 1 -\& ray rushmore = NOPASSWD: /bin/kill, /bin/ls, /usr/bin/lprm -.Ve +would allow the user +\fBray\fR +to run +\fI/bin/kill\fR, +\fI/bin/ls\fR, +and +\fI/usr/bin/lprm\fR +as +\fBroot\fR +on the machine rushmore without authenticating himself. +If we only want +\fBray\fR +to be able to +run +\fI/bin/kill\fR +without a password the entry would be: +.nf +.sp +.RS 0n +ray rushmore = NOPASSWD: /bin/kill, PASSWD: /bin/ls, /usr/bin/lprm +.RE +.fi .PP -would allow the user \fBray\fR to run \fI/bin/kill\fR, \fI/bin/ls\fR, and -\&\fI/usr/bin/lprm\fR as \fBroot\fR on the machine rushmore without -authenticating himself. If we only want \fBray\fR to be able to -run \fI/bin/kill\fR without a password the entry would be: +Note, however, that the +\fRPASSWD\fR +tag has no effect on users who are in the group specified by the +\fIexempt_group\fR +option. .PP -.Vb 1 -\& ray rushmore = NOPASSWD: /bin/kill, PASSWD: /bin/ls, /usr/bin/lprm -.Ve -.PP -Note, however, that the \f(CW\*(C`PASSWD\*(C'\fR tag has no effect on users who are -in the group specified by the \fIexempt_group\fR option. -.PP -By default, if the \f(CW\*(C`NOPASSWD\*(C'\fR tag is applied to any of the entries -for a user on the current host, he or she will be able to run -\&\f(CW\*(C`sudo \-l\*(C'\fR without a password. Additionally, a user may only run -\&\f(CW\*(C`sudo \-v\*(C'\fR without a password if the \f(CW\*(C`NOPASSWD\*(C'\fR tag is present -for all a user's entries that pertain to the current host. +By default, if the +\fRNOPASSWD\fR +tag is applied to any of the entries for a user on the current host, +he or she will be able to run +``\fRsudo -l\fR'' +without a password. +Additionally, a user may only run +``\fRsudo -v\fR'' +without a password if the +\fRNOPASSWD\fR +tag is present for all a user's entries that pertain to the current host. This behavior may be overridden via the verifypw and listpw options. .PP -\fI\s-1NOEXEC\s0 and \s-1EXEC\s0\fR -.IX Subsection "NOEXEC and EXEC" +\fINOEXEC and EXEC\fR .PP -If \fBsudo\fR has been compiled with \fInoexec\fR support and the underlying -operating system supports it, the \f(CW\*(C`NOEXEC\*(C'\fR tag can be used to prevent -a dynamically-linked executable from running further commands itself. +If +\fBsudo\fR +has been compiled with +\fInoexec\fR +support and the underlying operating system supports it, the +\fRNOEXEC\fR +tag can be used to prevent a dynamically-linked executable from +running further commands itself. .PP -In the following example, user \fBaaron\fR may run \fI/usr/bin/more\fR -and \fI/usr/bin/vi\fR but shell escapes will be disabled. +In the following example, user +\fBaaron\fR +may run +\fI/usr/bin/more\fR +and +\fI/usr/bin/vi\fR +but shell escapes will be disabled. +.nf +.sp +.RS 0n +aaron shanty = NOEXEC: /usr/bin/more, /usr/bin/vi +.RE +.fi .PP -.Vb 1 -\& aaron shanty = NOEXEC: /usr/bin/more, /usr/bin/vi -.Ve +See the +\fIPreventing Shell Escapes\fR +section below for more details on how +\fRNOEXEC\fR +works and whether or not it will work on your system. .PP -See the \*(L"Preventing Shell Escapes\*(R" section below for more details -on how \f(CW\*(C`NOEXEC\*(C'\fR works and whether or not it will work on your system. +\fISETENV and NOSETENV\fR .PP -\fI\s-1SETENV\s0 and \s-1NOSETENV\s0\fR -.IX Subsection "SETENV and NOSETENV" +These tags override the value of the +\fIsetenv\fR +option on a per-command basis. +Note that if +\fRSETENV\fR +has been set for a command, the user may disable the +\fIenv_reset\fR +option from the command line via the +\fB-E\fR +option. +Additionally, environment variables set on the command +line are not subject to the restrictions imposed by +\fIenv_check\fR, +\fIenv_delete\fR, +or +\fIenv_keep\fR. +As such, only trusted users should be allowed to set variables in this manner. +If the command matched is +\fBALL\fR, +the +\fRSETENV\fR +tag is implied for that command; this default may be overridden by use of the +\fRNOSETENV\fR +tag. .PP -These tags override the value of the \fIsetenv\fR option on a per-command -basis. Note that if \f(CW\*(C`SETENV\*(C'\fR has been set for a command, the user -may disable the \fIenv_reset\fR option from the command line via the -\&\fB\-E\fR option. Additionally, environment variables set on the command -line are not subject to the restrictions imposed by \fIenv_check\fR, -\&\fIenv_delete\fR, or \fIenv_keep\fR. As such, only trusted users should -be allowed to set variables in this manner. If the command matched -is \fB\s-1ALL\s0\fR, the \f(CW\*(C`SETENV\*(C'\fR tag is implied for that command; this -default may be overridden by use of the \f(CW\*(C`NOSETENV\*(C'\fR tag. +\fILOG_INPUT and NOLOG_INPUT\fR .PP -\fI\s-1LOG_INPUT\s0 and \s-1NOLOG_INPUT\s0\fR -.IX Subsection "LOG_INPUT and NOLOG_INPUT" +These tags override the value of the +\fIlog_input\fR +option on a per-command basis. +For more information, see the description of +\fIlog_input\fR +in the +\fISUDOERS OPTIONS\fR +section below. .PP -These tags override the value of the \fIlog_input\fR option on a -per-command basis. For more information, see the description of -\&\fIlog_input\fR in the \*(L"\s-1SUDOERS\s0 \s-1OPTIONS\s0\*(R" section below. +\fILOG_OUTPUT and NOLOG_OUTPUT\fR .PP -\fI\s-1LOG_OUTPUT\s0 and \s-1NOLOG_OUTPUT\s0\fR -.IX Subsection "LOG_OUTPUT and NOLOG_OUTPUT" -.PP -These tags override the value of the \fIlog_output\fR option on a -per-command basis. For more information, see the description of -\&\fIlog_output\fR in the \*(L"\s-1SUDOERS\s0 \s-1OPTIONS\s0\*(R" section below. +These tags override the value of the +\fIlog_output\fR +option on a per-command basis. +For more information, see the description of +\fIlog_output\fR +in the +\fISUDOERS OPTIONS\fR +section below. .SS "Wildcards" -.IX Subsection "Wildcards" -\&\fBsudo\fR allows shell-style \fIwildcards\fR (aka meta or glob characters) -to be used in host names, path names and command line arguments in -the \fIsudoers\fR file. Wildcard matching is done via the \fB\s-1POSIX\s0\fR -\&\fIglob\fR\|(3) and \fIfnmatch\fR\|(3) routines. Note that these are \fInot\fR +\fBsudo\fR +allows shell-style +\fIwildcards\fR +(aka meta or glob characters) +to be used in host names, path names and command line arguments in the +\fIsudoers\fR +file. +Wildcard matching is done via the +\fBPOSIX\fR +glob(3) +and +fnmatch(3) +routines. +Note that these are +\fInot\fR regular expressions. -.ie n .IP "\*(C`*\*(C'" 8 -.el .IP "\f(CW\*(C`*\*(C'\fR" 8 -.IX Item "*" +.TP 10n +\fR*\fR Matches any set of zero or more characters. -.ie n .IP "\*(C`?\*(C'" 8 -.el .IP "\f(CW\*(C`?\*(C'\fR" 8 -.IX Item "?" +.TP 10n +\fR\&?\fR Matches any single character. -.ie n .IP "\*(C`[...]\*(C'" 8 -.el .IP "\f(CW\*(C`[...]\*(C'\fR" 8 -.IX Item "[...]" +.TP 10n +\fR[...]\fR Matches any character in the specified range. -.ie n .IP "\*(C`[!...]\*(C'" 8 -.el .IP "\f(CW\*(C`[!...]\*(C'\fR" 8 -.IX Item "[!...]" -Matches any character \fBnot\fR in the specified range. -.ie n .IP "\*(C`\ex\*(C'" 8 -.el .IP "\f(CW\*(C`\ex\*(C'\fR" 8 -.IX Item "x" -For any character \*(L"x\*(R", evaluates to \*(L"x\*(R". This is used to -escape special characters such as: \*(L"*\*(R", \*(L"?\*(R", \*(L"[\*(R", and \*(L"]\*(R". +.TP 10n +\fR[!...]\fR +Matches any character +\fBnot\fR +in the specified range. +.TP 10n +\fR\ex\fR +For any character +`x', +evaluates to +`x'. +This is used to escape special characters such as: +`*', +`\&?', +`[\&', +and +`]\&'. .PP -\&\s-1POSIX\s0 character classes may also be used if your system's \fIglob\fR\|(3) -and \fIfnmatch\fR\|(3) functions support them. However, because the -\&\f(CW\*(Aq:\*(Aq\fR character has special meaning in \fIsudoers\fR, it must be -escaped. For example: -.PP -.Vb 1 -\& /bin/ls [[\e:alpha\e:]]* -.Ve +POSIX character classes may also be used if your system's +glob(3) +and +fnmatch(3) +functions support them. +However, because the +`:\&' +character has special meaning in +\fIsudoers\fR, +it must be +escaped. +For example: +.nf +.sp +.RS 4n +/bin/ls [[\:alpha\:]]* +.RE +.fi .PP Would match any file name beginning with a letter. .PP -Note that a forward slash ('/') will \fBnot\fR be matched by -wildcards used in the path name. When matching the command -line arguments, however, a slash \fBdoes\fR get matched by -wildcards. This is to make a path like: -.PP -.Vb 1 -\& /usr/bin/* -.Ve -.PP -match \fI/usr/bin/who\fR but not \fI/usr/bin/X11/xterm\fR. -.SS "Exceptions to wildcard rules" -.IX Subsection "Exceptions to wildcard rules" -The following exceptions apply to the above rules: -.ie n .IP """""" 8 -.el .IP "\f(CW``''\fR" 8 -.IX Item """""" -If the empty string \f(CW""\fR is the only command line argument in the -\&\fIsudoers\fR entry it means that command is not allowed to be run -with \fBany\fR arguments. -.SS "Including other files from within sudoers" -.IX Subsection "Including other files from within sudoers" -It is possible to include other \fIsudoers\fR files from within the -\&\fIsudoers\fR file currently being parsed using the \f(CW\*(C`#include\*(C'\fR and -\&\f(CW\*(C`#includedir\*(C'\fR directives. -.PP -This can be used, for example, to keep a site-wide \fIsudoers\fR file -in addition to a local, per-machine file. For the sake of this -example the site-wide \fIsudoers\fR will be \fI/etc/sudoers\fR and the -per-machine one will be \fI/etc/sudoers.local\fR. To include -\&\fI/etc/sudoers.local\fR from within \fI/etc/sudoers\fR we would use the -following line in \fI/etc/sudoers\fR: -.Sp -.RS 4 -\&\f(CW\*(C`#include /etc/sudoers.local\*(C'\fR +Note that a forward slash +(`/') +will +\fBnot\fR +be matched by +wildcards used in the path name. +When matching the command line arguments, however, a slash +\fBdoes\fR +get matched by +wildcards. +This is to make a path like: +.nf +.sp +.RS 4n +/usr/bin/* .RE +.fi .PP -When \fBsudo\fR reaches this line it will suspend processing of the -current file (\fI/etc/sudoers\fR) and switch to \fI/etc/sudoers.local\fR. -Upon reaching the end of \fI/etc/sudoers.local\fR, the rest of -\&\fI/etc/sudoers\fR will be processed. Files that are included may -themselves include other files. A hard limit of 128 nested include -files is enforced to prevent include file loops. +match +\fI/usr/bin/who\fR +but not +\fI/usr/bin/X11/xterm\fR. +.SS "Exceptions to wildcard rules" +The following exceptions apply to the above rules: +.TP 6n +\fR\&""\fR +If the empty string +\fR\&""\fR +is the only command line argument in the +\fIsudoers\fR +entry it means that command is not allowed to be run with +\fBany\fR +arguments. +.SS "Including other files from within sudoers" +It is possible to include other +\fIsudoers\fR +files from within the +\fIsudoers\fR +file currently being parsed using the +\fR#include\fR +and +\fR#includedir\fR +directives. +.PP +This can be used, for example, to keep a site-wide +\fIsudoers\fR +file in addition to a local, per-machine file. +For the sake of this example the site-wide +\fIsudoers\fR +will be +\fI/etc/sudoers\fR +and the per-machine one will be +\fI/etc/sudoers.local\fR. +To include +\fI/etc/sudoers.local\fR +from within +\fI/etc/sudoers\fR +we would use the +following line in +\fI/etc/sudoers\fR: +.nf +.sp +.RS 4n +#include /etc/sudoers.local +.RE +.fi +.PP +When +\fBsudo\fR +reaches this line it will suspend processing of the current file +(\fI/etc/sudoers\fR) +and switch to +\fI/etc/sudoers.local\fR. +Upon reaching the end of +\fI/etc/sudoers.local\fR, +the rest of +\fI/etc/sudoers\fR +will be processed. +Files that are included may themselves include other files. +A hard limit of 128 nested include files is enforced to prevent include +file loops. .PP If the path to the include file is not fully-qualified (does not -begin with a \f(CW\*(C`/\*(C'\fR), it must be located in the same directory as the -sudoers file it was included from. For example, if \fI/etc/sudoers\fR +begin with a +`/', +it must be located in the same directory as the sudoers file it was +included from. +For example, if +\fI/etc/sudoers\fR contains the line: -.Sp -.RS 4 -\&\f(CW\*(C`#include sudoers.local\*(C'\fR +.nf +.sp +.RS 4n +\fR#include sudoers.local\fR .RE +.fi .PP -the file that will be included is \fI/etc/sudoers.local\fR. +the file that will be included is +\fI/etc/sudoers.local\fR. .PP -The file name may also include the \f(CW%h\fR escape, signifying the short form -of the host name. In other words, if the machine's host name is \*(L"xerxes\*(R", then +The file name may also include the +\fR%h\fR +escape, signifying the short form of the host name. +In other words, if the machine's host name is +``xerxes'', +then +.nf +.sp +.RS 4n +#include /etc/sudoers.%h +.RE +.fi .PP -\&\f(CW\*(C`#include /etc/sudoers.%h\*(C'\fR +will cause +\fBsudo\fR +to include the file +\fI/etc/sudoers.xerxes\fR. .PP -will cause \fBsudo\fR to include the file \fI/etc/sudoers.xerxes\fR. +The +\fR#includedir\fR +directive can be used to create a +\fIsudo.d\fR +directory that the system package manager can drop +\fIsudoers\fR +rules +into as part of package installation. +For example, given: +.nf +.sp +.RS 4n +#includedir /etc/sudoers.d +.RE +.fi .PP -The \f(CW\*(C`#includedir\*(C'\fR directive can be used to create a \fIsudo.d\fR -directory that the system package manager can drop \fIsudoers\fR rules -into as part of package installation. For example, given: +\fBsudo\fR +will read each file in +\fI/etc/sudoers.d\fR, +skipping file names that end in +`~' +or contain a +`.\&' +character to avoid causing problems with package manager or editor +temporary/backup files. +Files are parsed in sorted lexical order. +That is, +\fI/etc/sudoers.d/01_first\fR +will be parsed before +\fI/etc/sudoers.d/10_second\fR. +Be aware that because the sorting is lexical, not numeric, +\fI/etc/sudoers.d/1_whoops\fR +would be loaded +\fBafter\fR +\fI/etc/sudoers.d/10_second\fR. +Using a consistent number of leading zeroes in the file names can be used +to avoid such problems. .PP -\&\f(CW\*(C`#includedir /etc/sudoers.d\*(C'\fR -.PP -\&\fBsudo\fR will read each file in \fI/etc/sudoers.d\fR, skipping file -names that end in \f(CW\*(C`~\*(C'\fR or contain a \f(CW\*(C`.\*(C'\fR character to avoid causing -problems with package manager or editor temporary/backup files. -Files are parsed in sorted lexical order. That is, -\&\fI/etc/sudoers.d/01_first\fR will be parsed before -\&\fI/etc/sudoers.d/10_second\fR. Be aware that because the sorting is -lexical, not numeric, \fI/etc/sudoers.d/1_whoops\fR would be loaded -\&\fBafter\fR \fI/etc/sudoers.d/10_second\fR. Using a consistent number -of leading zeroes in the file names can be used to avoid such -problems. -.PP -Note that unlike files included via \f(CW\*(C`#include\*(C'\fR, \fBvisudo\fR will not -edit the files in a \f(CW\*(C`#includedir\*(C'\fR directory unless one of them -contains a syntax error. It is still possible to run \fBvisudo\fR -with the \fB\-f\fR flag to edit the files directly. +Note that unlike files included via +\fR#include\fR, +\fBvisudo\fR +will not edit the files in a +\fR#includedir\fR +directory unless one of them contains a syntax error. +It is still possible to run +\fBvisudo\fR +with the +\fB-f\fR +flag to edit the files directly. .SS "Other special characters and reserved words" -.IX Subsection "Other special characters and reserved words" -The pound sign ('#') is used to indicate a comment (unless it is -part of a #include directive or unless it occurs in the context of -a user name and is followed by one or more digits, in which case -it is treated as a uid). Both the comment character and any text -after it, up to the end of the line, are ignored. +The pound sign +(`#') +is used to indicate a comment (unless it is part of a #include +directive or unless it occurs in the context of a user name and is +followed by one or more digits, in which case it is treated as a +uid). +Both the comment character and any text after it, up to the end of +the line, are ignored. .PP -The reserved word \fB\s-1ALL\s0\fR is a built-in \fIalias\fR that always causes -a match to succeed. It can be used wherever one might otherwise -use a \f(CW\*(C`Cmnd_Alias\*(C'\fR, \f(CW\*(C`User_Alias\*(C'\fR, \f(CW\*(C`Runas_Alias\*(C'\fR, or \f(CW\*(C`Host_Alias\*(C'\fR. -You should not try to define your own \fIalias\fR called \fB\s-1ALL\s0\fR as the -built-in alias will be used in preference to your own. Please note -that using \fB\s-1ALL\s0\fR can be dangerous since in a command context, it -allows the user to run \fBany\fR command on the system. +The reserved word +\fBALL\fR +is a built-in +\fIalias\fR +that always causes a match to succeed. +It can be used wherever one might otherwise use a +\fRCmnd_Alias\fR, +\fRUser_Alias\fR, +\fRRunas_Alias\fR, +or +\fRHost_Alias\fR. +You should not try to define your own +\fIalias\fR +called +\fBALL\fR +as the built-in alias will be used in preference to your own. +Please note that using +\fBALL\fR +can be dangerous since in a command context, it allows the user to run +\fBany\fR +command on the system. .PP -An exclamation point ('!') can be used as a logical \fInot\fR operator -both in an \fIalias\fR and in front of a \f(CW\*(C`Cmnd\*(C'\fR. This allows one to -exclude certain values. Note, however, that using a \f(CW\*(C`!\*(C'\fR in -conjunction with the built-in \f(CW\*(C`ALL\*(C'\fR alias to allow a user to -run \*(L"all but a few\*(R" commands rarely works as intended (see \s-1SECURITY\s0 -\&\s-1NOTES\s0 below). +An exclamation point +(`\&!') +can be used as a logical +\fInot\fR +operator both in an +\fIalias\fR +and in front of a +\fRCmnd\fR. +This allows one to exclude certain values. +Note, however, that using a +`\&!' +in conjunction with the built-in +\fBALL\fR +alias to allow a user to run +``all but a few'' +commands rarely works as intended (see +\fISECURITY NOTES\fR +below). .PP -Long lines can be continued with a backslash ('\e') as the last -character on the line. +Long lines can be continued with a backslash +(`\e') +as the last character on the line. .PP Whitespace between elements in a list as well as special syntactic -characters in a \fIUser Specification\fR ('=', ':', '(', ')') is optional. +characters in a +\fIUser Specification\fR +(`=\&', +`:\&', +`(\&', +`)\&') +is optional. .PP -The following characters must be escaped with a backslash ('\e') when -used as part of a word (e.g.\ a user name or host name): -\&'!', '=', ':', ',', '(', ')', '\e'. +The following characters must be escaped with a backslash +(`\e') +when used as part of a word (e.g.\& a user name or host name): +`\&!', +`=\&', +`:\&', +`,\&', +`(\&', +`)\&', +`\e'. .SH "SUDOERS OPTIONS" -.IX Header "SUDOERS OPTIONS" -\&\fBsudo\fR's behavior can be modified by \f(CW\*(C`Default_Entry\*(C'\fR lines, as -explained earlier. A list of all supported Defaults parameters, -grouped by type, are listed below. +\fBsudo\fR's +behavior can be modified by +\fRDefault_Entry\fR +lines, as explained earlier. +A list of all supported Defaults parameters, grouped by type, are listed below. .PP -\&\fBBoolean Flags\fR: -.IP "always_set_home" 16 -.IX Item "always_set_home" -If enabled, \fBsudo\fR will set the \f(CW\*(C`HOME\*(C'\fR environment variable to the -home directory of the target user (which is root unless the \fB\-u\fR -option is used). This effectively means that the \fB\-H\fR option is -always implied. Note that \f(CW\*(C`HOME\*(C'\fR is already set when the the -\&\fIenv_reset\fR option is enabled, so \fIalways_set_home\fR is only -effective for configurations where either \fIenv_reset\fR is disabled -or \f(CW\*(C`HOME\*(C'\fR is present in the \fIenv_keep\fR list. -This flag is \fIoff\fR by default. -.IP "authenticate" 16 -.IX Item "authenticate" +\fBBoolean Flags\fR: +.TP 18n +always_set_home +If enabled, +\fBsudo\fR +will set the +\fRHOME\fR +environment variable to the home directory of the target user +(which is root unless the +\fB-u\fR +option is used). +This effectively means that the +\fB-H\fR +option is always implied. +Note that +\fRHOME\fR +is already set when the the +\fIenv_reset\fR +option is enabled, so +\fIalways_set_home\fR +is only effective for configurations where either +\fIenv_reset\fR +is disabled or +\fRHOME\fR +is present in the +\fIenv_keep\fR +list. +This flag is +\fIoff\fR +by default. +.TP 18n +authenticate If set, users must authenticate themselves via a password (or other -means of authentication) before they may run commands. This default -may be overridden via the \f(CW\*(C`PASSWD\*(C'\fR and \f(CW\*(C`NOPASSWD\*(C'\fR tags. -This flag is \fIon\fR by default. -.IP "closefrom_override" 16 -.IX Item "closefrom_override" -If set, the user may use \fBsudo\fR's \fB\-C\fR option which -overrides the default starting point at which \fBsudo\fR begins -closing open file descriptors. This flag is \fIoff\fR by default. -.IP "compress_io" 16 -.IX Item "compress_io" -If set, and \fBsudo\fR is configured to log a command's input or output, -the I/O logs will be compressed using \fBzlib\fR. This flag is \fIon\fR -by default when \fBsudo\fR is compiled with \fBzlib\fR support. -.IP "env_editor" 16 -.IX Item "env_editor" -If set, \fBvisudo\fR will use the value of the \s-1EDITOR\s0 or \s-1VISUAL\s0 +means of authentication) before they may run commands. +This default may be overridden via the +\fRPASSWD\fR +and +\fRNOPASSWD\fR +tags. +This flag is +\fIon\fR +by default. +.TP 18n +closefrom_override +If set, the user may use +\fBsudo\fR's +\fB-C\fR +option which overrides the default starting point at which +\fBsudo\fR +begins closing open file descriptors. +This flag is +\fIoff\fR +by default. +.TP 18n +compress_io +If set, and +\fBsudo\fR +is configured to log a command's input or output, +the I/O logs will be compressed using +\fBzlib\fR. +This flag is +\fIon\fR +by default when +\fBsudo\fR +is compiled with +\fBzlib\fR +support. +.TP 18n +env_editor +If set, +\fBvisudo\fR +will use the value of the +\fREDITOR\fR +or +\fRVISUAL\fR environment variables before falling back on the default editor list. Note that this may create a security hole as it allows the user to -run any arbitrary command as root without logging. A safer alternative -is to place a colon-separated list of editors in the \f(CW\*(C`editor\*(C'\fR -variable. \fBvisudo\fR will then only use the \s-1EDITOR\s0 or \s-1VISUAL\s0 if -they match a value specified in \f(CW\*(C`editor\*(C'\fR. This flag is \fI@env_editor@\fR by +run any arbitrary command as root without logging. +A safer alternative is to place a colon-separated list of editors +in the +\fReditor\fR +variable. +\fBvisudo\fR +will then only use the +\fREDITOR\fR +or +\fRVISUAL\fR +if they match a value specified in +\fReditor\fR. +This flag is +\fI@env_editor@\fR +by default. -.IP "env_reset" 16 -.IX Item "env_reset" -If set, \fBsudo\fR will run the command in a minimal environment -containing the \f(CW\*(C`TERM\*(C'\fR, \f(CW\*(C`PATH\*(C'\fR, \f(CW\*(C`HOME\*(C'\fR, \f(CW\*(C`MAIL\*(C'\fR, \f(CW\*(C`SHELL\*(C'\fR, -\&\f(CW\*(C`LOGNAME\*(C'\fR, \f(CW\*(C`USER\*(C'\fR, \f(CW\*(C`USERNAME\*(C'\fR and \f(CW\*(C`SUDO_*\*(C'\fR variables. Any -variables in the caller's environment that match the \f(CW\*(C`env_keep\*(C'\fR -and \f(CW\*(C`env_check\*(C'\fR lists are then added, followed by any variables -present in the file specified by the \fIenv_file\fR option (if any). -The default contents of the \f(CW\*(C`env_keep\*(C'\fR and \f(CW\*(C`env_check\*(C'\fR lists are -displayed when \fBsudo\fR is run by root with the \fB\-V\fR option. If -the \fIsecure_path\fR option is set, its value will be used for the -\&\f(CW\*(C`PATH\*(C'\fR environment variable. This flag is \fI@env_reset@\fR by -default. -.IP "fast_glob" 16 -.IX Item "fast_glob" -Normally, \fBsudo\fR uses the \fIglob\fR\|(3) function to do shell-style -globbing when matching path names. However, since it accesses the -file system, \fIglob\fR\|(3) can take a long time to complete for some -patterns, especially when the pattern references a network file -system that is mounted on demand (automounted). The \fIfast_glob\fR -option causes \fBsudo\fR to use the \fIfnmatch\fR\|(3) function, which does -not access the file system to do its matching. The disadvantage -of \fIfast_glob\fR is that it is unable to match relative path names -such as \fI./ls\fR or \fI../bin/ls\fR. This has security implications -when path names that include globbing characters are used with the -negation operator, \f(CW\*(Aq!\*(Aq\fR, as such rules can be trivially bypassed. -As such, this option should not be used when \fIsudoers\fR contains rules -that contain negated path names which include globbing characters. -This flag is \fIoff\fR by default. -.IP "fqdn" 16 -.IX Item "fqdn" +.TP 18n +env_reset +If set, +\fBsudo\fR +will run the command in a minimal environment containing the +\fRTERM\fR, +\fRPATH\fR, +\fRHOME\fR, +\fRMAIL\fR, +\fRSHELL\fR, +\fRLOGNAME\fR, +\fRUSER\fR, +\fRUSERNAME\fR +and +\fRSUDO_*\fR +variables. +Any +variables in the caller's environment that match the +\fRenv_keep\fR +and +\fRenv_check\fR +lists are then added, followed by any variables present in the file +specified by the +\fIenv_file\fR +option (if any). +The default contents of the +\fRenv_keep\fR +and +\fRenv_check\fR +lists are displayed when +\fBsudo\fR +is run by root with the +\fB-V\fR +option. +If the +\fIsecure_path\fR +option is set, its value will be used for the +\fRPATH\fR +environment variable. +This flag is +\fI@env_reset@\fR +by default. +.TP 18n +fast_glob +Normally, +\fBsudo\fR +uses the +glob(3) +function to do shell-style globbing when matching path names. +However, since it accesses the file system, +glob(3) +can take a long time to complete for some patterns, especially +when the pattern references a network file system that is mounted +on demand (automounted). +The +\fIfast_glob\fR +option causes +\fBsudo\fR +to use the +fnmatch(3) +function, which does not access the file system to do its matching. +The disadvantage of +\fIfast_glob\fR +is that it is unable to match relative path names such as +\fI./ls\fR +or +\fI../bin/ls\fR. +This has security implications when path names that include globbing +characters are used with the negation operator, +`!\&', +as such rules can be trivially bypassed. +As such, this option should not be used when +\fIsudoers\fR +contains rules that contain negated path names which include globbing +characters. +This flag is +\fIoff\fR +by default. +.TP 18n +fqdn Set this flag if you want to put fully qualified host names in the -\&\fIsudoers\fR file. +\fIsudoers\fR +file. In other words, instead of myhost you would use myhost.mydomain.edu. You may still use the short form if you wish (and even mix the two). -Beware that turning on \fIfqdn\fR requires \fBsudo\fR to make \s-1DNS\s0 lookups -which may make \fBsudo\fR unusable if \s-1DNS\s0 stops working (for example -if the machine is not plugged into the network). Also note that -you must use the host's official name as \s-1DNS\s0 knows it. That is, -you may not use a host alias (\f(CW\*(C`CNAME\*(C'\fR entry) due to performance -issues and the fact that there is no way to get all aliases from -\&\s-1DNS\s0. If your machine's host name (as returned by the \f(CW\*(C`hostname\*(C'\fR +Beware that turning on +\fIfqdn\fR +requires +\fBsudo\fR +to make DNS lookups which may make +\fBsudo\fR +unusable if DNS stops working (for example if the machine is not plugged +into the network). +Also note that you must use the host's official name as DNS knows it. +That is, you may not use a host alias +(\fRCNAME\fR +entry) +due to performance issues and the fact that there is no way to get all +aliases from DNS. +If your machine's host name (as returned by the +\fRhostname\fR command) is already fully qualified you shouldn't need to set -\&\fIfqdn\fR. This flag is \fI@fqdn@\fR by default. -.IP "ignore_dot" 16 -.IX Item "ignore_dot" -If set, \fBsudo\fR will ignore \*(L".\*(R" or "" (current dir) in the \f(CW\*(C`PATH\*(C'\fR -environment variable; the \f(CW\*(C`PATH\*(C'\fR itself is not modified. This -flag is \fI@ignore_dot@\fR by default. -.IP "ignore_local_sudoers" 16 -.IX Item "ignore_local_sudoers" -If set via \s-1LDAP\s0, parsing of \fI@sysconfdir@/sudoers\fR will be skipped. +\fIfqdn\fR. +This flag is +\fI@fqdn@\fR +by default. +.TP 18n +ignore_dot +If set, +\fBsudo\fR +will ignore "." or "" (both denoting current directory) in the +\fRPATH\fR +environment variable; the +\fRPATH\fR +itself is not modified. +This flag is +\fI@ignore_dot@\fR +by default. +.TP 18n +ignore_local_sudoers +If set via LDAP, parsing of +\fI@sysconfdir@/sudoers\fR +will be skipped. This is intended for Enterprises that wish to prevent the usage of local -sudoers files so that only \s-1LDAP\s0 is used. This thwarts the efforts of -rogue operators who would attempt to add roles to \fI@sysconfdir@/sudoers\fR. -When this option is present, \fI@sysconfdir@/sudoers\fR does not even need to -exist. Since this option tells \fBsudo\fR how to behave when no specific \s-1LDAP\s0 -entries have been matched, this sudoOption is only meaningful for the -\&\f(CW\*(C`cn=defaults\*(C'\fR section. This flag is \fIoff\fR by default. -.IP "insults" 16 -.IX Item "insults" -If set, \fBsudo\fR will insult users when they enter an incorrect -password. This flag is \fI@insults@\fR by default. -.IP "log_host" 16 -.IX Item "log_host" -If set, the host name will be logged in the (non-syslog) \fBsudo\fR log file. -This flag is \fIoff\fR by default. -.IP "log_input" 16 -.IX Item "log_input" -If set, \fBsudo\fR will run the command in a \fIpseudo tty\fR and log all -user input. +sudoers files so that only LDAP is used. +This thwarts the efforts of rogue operators who would attempt to add roles to +\fI@sysconfdir@/sudoers\fR. +When this option is present, +\fI@sysconfdir@/sudoers\fR +does not even need to exist. +Since this option tells +\fBsudo\fR +how to behave when no specific LDAP entries have been matched, this +sudoOption is only meaningful for the +\fRcn=defaults\fR +section. +This flag is +\fIoff\fR +by default. +.TP 18n +insults +If set, +\fBsudo\fR +will insult users when they enter an incorrect password. +This flag is +\fI@insults@\fR +by default. +.TP 18n +log_host +If set, the host name will be logged in the (non-syslog) +\fBsudo\fR +log file. +This flag is +\fIoff\fR +by default. +.TP 18n +log_input +If set, +\fBsudo\fR +will run the command in a +\fIpseudo tty\fR +and log all user input. If the standard input is not connected to the user's tty, due to I/O redirection or because the command is part of a pipeline, that input is also captured and stored in a separate log file. -.Sp -Input is logged to the directory specified by the \fIiolog_dir\fR -option (\fI@iolog_dir@\fR by default) using a unique session \s-1ID\s0 that -is included in the normal \fBsudo\fR log line, prefixed with "\f(CW\*(C`TSID=\*(C'\fR". -The \fIiolog_file\fR option may be used to control the format of the -session \s-1ID\s0. -.Sp +.sp +Input is logged to the directory specified by the +\fIiolog_dir\fR +option +(\fI@iolog_dir@\fR +by default) +using a unique session ID that is included in the normal +\fBsudo\fR +log line, prefixed with +``\fRTSID=\fR''. +The +\fIiolog_file\fR +option may be used to control the format of the session ID. +.sp Note that user input may contain sensitive information such as passwords (even if they are not echoed to the screen), which will -be stored in the log file unencrypted. In most cases, logging the -command output via \fIlog_output\fR is all that is required. -.IP "log_output" 16 -.IX Item "log_output" -If set, \fBsudo\fR will run the command in a \fIpseudo tty\fR and log all -output that is sent to the screen, similar to the \fIscript\fR\|(1) command. +be stored in the log file unencrypted. +In most cases, logging the command output via +\fIlog_output\fR +is all that is required. +.TP 18n +log_output +If set, +\fBsudo\fR +will run the command in a +\fIpseudo tty\fR +and log all output that is sent to the screen, similar to the +script(1) +command. If the standard output or standard error is not connected to the user's tty, due to I/O redirection or because the command is part of a pipeline, that output is also captured and stored in separate log files. -.Sp -Output is logged to the directory specified by the \fIiolog_dir\fR -option (\fI@iolog_dir@\fR by default) using a unique session \s-1ID\s0 that -is included in the normal \fBsudo\fR log line, prefixed with "\f(CW\*(C`TSID=\*(C'\fR". -The \fIiolog_file\fR option may be used to control the format of the -session \s-1ID\s0. -.Sp -Output logs may be viewed with the \fIsudoreplay\fR\|(@mansectsu@) utility, which -can also be used to list or search the available logs. -.IP "log_year" 16 -.IX Item "log_year" -If set, the four-digit year will be logged in the (non-syslog) \fBsudo\fR log file. -This flag is \fIoff\fR by default. -.IP "long_otp_prompt" 16 -.IX Item "long_otp_prompt" -When validating with a One Time Password (\s-1OTP\s0) scheme such as -\&\fBS/Key\fR or \fB\s-1OPIE\s0\fR, a two-line prompt is used to make it easier -to cut and paste the challenge to a local window. It's not as -pretty as the default but some people find it more convenient. This -flag is \fI@long_otp_prompt@\fR by default. -.IP "mail_always" 16 -.IX Item "mail_always" -Send mail to the \fImailto\fR user every time a users runs \fBsudo\fR. -This flag is \fIoff\fR by default. -.IP "mail_badpass" 16 -.IX Item "mail_badpass" -Send mail to the \fImailto\fR user if the user running \fBsudo\fR does -not enter the correct password. If the command the user is attempting -to run is not permitted by \fIsudoers\fR and one of the \fImail_always\fR, -\&\fImail_no_host\fR, \fImail_no_perms\fR or \fImail_no_user\fR flags are set, -this flag will have no effect. This flag is \fIoff\fR by default. -.IP "mail_no_host" 16 -.IX Item "mail_no_host" -If set, mail will be sent to the \fImailto\fR user if the invoking -user exists in the \fIsudoers\fR file, but is not allowed to run -commands on the current host. This flag is \fI@mail_no_host@\fR by default. -.IP "mail_no_perms" 16 -.IX Item "mail_no_perms" -If set, mail will be sent to the \fImailto\fR user if the invoking -user is allowed to use \fBsudo\fR but the command they are trying is not -listed in their \fIsudoers\fR file entry or is explicitly denied. -This flag is \fI@mail_no_perms@\fR by default. -.IP "mail_no_user" 16 -.IX Item "mail_no_user" -If set, mail will be sent to the \fImailto\fR user if the invoking -user is not in the \fIsudoers\fR file. This flag is \fI@mail_no_user@\fR +.sp +Output is logged to the directory specified by the +\fIiolog_dir\fR +option +(\fI@iolog_dir@\fR +by default) +using a unique session ID that is included in the normal +\fBsudo\fR +log line, prefixed with +``\fRTSID=\fR''. +The +\fIiolog_file\fR +option may be used to control the format of the session ID. +.sp +Output logs may be viewed with the +sudoreplay(@mansectsu@) +utility, which can also be used to list or search the available logs. +.TP 18n +log_year +If set, the four-digit year will be logged in the (non-syslog) +\fBsudo\fR +log file. +This flag is +\fIoff\fR by default. -.IP "noexec" 16 -.IX Item "noexec" -If set, all commands run via \fBsudo\fR will behave as if the \f(CW\*(C`NOEXEC\*(C'\fR -tag has been set, unless overridden by a \f(CW\*(C`EXEC\*(C'\fR tag. See the -description of \fI\s-1NOEXEC\s0 and \s-1EXEC\s0\fR below as well as the \*(L"Preventing Shell -Escapes\*(R" section at the end of this manual. This flag is \fIoff\fR by default. -.IP "path_info" 16 -.IX Item "path_info" -Normally, \fBsudo\fR will tell the user when a command could not be -found in their \f(CW\*(C`PATH\*(C'\fR environment variable. Some sites may wish -to disable this as it could be used to gather information on the -location of executables that the normal user does not have access -to. The disadvantage is that if the executable is simply not in -the user's \f(CW\*(C`PATH\*(C'\fR, \fBsudo\fR will tell the user that they are not -allowed to run it, which can be confusing. This flag is \fI@path_info@\fR +.TP 18n +long_otp_prompt +When validating with a One Time Password (OTP) scheme such as +\fBS/Key\fR +or +\fBOPIE\fR, +a two-line prompt is used to make it easier +to cut and paste the challenge to a local window. +It's not as pretty as the default but some people find it more convenient. +This flag is +\fI@long_otp_prompt@\fR by default. -.IP "passprompt_override" 16 -.IX Item "passprompt_override" -The password prompt specified by \fIpassprompt\fR will normally only -be used if the password prompt provided by systems such as \s-1PAM\s0 matches -the string \*(L"Password:\*(R". If \fIpassprompt_override\fR is set, \fIpassprompt\fR -will always be used. This flag is \fIoff\fR by default. -.IP "preserve_groups" 16 -.IX Item "preserve_groups" -By default, \fBsudo\fR will initialize the group vector to the list of -groups the target user is in. When \fIpreserve_groups\fR is set, the -user's existing group vector is left unaltered. The real and -effective group IDs, however, are still set to match the target -user. This flag is \fIoff\fR by default. -.IP "pwfeedback" 16 -.IX Item "pwfeedback" -By default, \fBsudo\fR reads the password like most other Unix programs, +.TP 18n +mail_always +Send mail to the +\fImailto\fR +user every time a users runs +\fBsudo\fR. +This flag is +\fIoff\fR +by default. +.TP 18n +mail_badpass +Send mail to the +\fImailto\fR +user if the user running +\fBsudo\fR +does not enter the correct password. +If the command the user is attempting to run is not permitted by +\fIsudoers\fR +and one of the +\fImail_always\fR, +\fImail_no_host\fR, +\fImail_no_perms\fR +or +\fImail_no_user\fR +flags are set, this flag will have no effect. +This flag is +\fIoff\fR +by default. +.TP 18n +mail_no_host +If set, mail will be sent to the +\fImailto\fR +user if the invoking user exists in the +\fIsudoers\fR +file, but is not allowed to run commands on the current host. +This flag is +\fI@mail_no_host@\fR +by default. +.TP 18n +mail_no_perms +If set, mail will be sent to the +\fImailto\fR +user if the invoking user is allowed to use +\fBsudo\fR +but the command they are trying is not listed in their +\fIsudoers\fR +file entry or is explicitly denied. +This flag is +\fI@mail_no_perms@\fR +by default. +.TP 18n +mail_no_user +If set, mail will be sent to the +\fImailto\fR +user if the invoking user is not in the +\fIsudoers\fR +file. +This flag is +\fI@mail_no_user@\fR +by default. +.TP 18n +noexec +If set, all commands run via +\fBsudo\fR +will behave as if the +\fRNOEXEC\fR +tag has been set, unless overridden by a +\fREXEC\fR +tag. +See the description of +\fINOEXEC and EXEC\fR +below as well as the +\fIPreventing Shell Escapes\fR +section at the end of this manual. +This flag is +\fIoff\fR +by default. +.TP 18n +path_info +Normally, +\fBsudo\fR +will tell the user when a command could not be +found in their +\fRPATH\fR +environment variable. +Some sites may wish to disable this as it could be used to gather +information on the location of executables that the normal user does +not have access to. +The disadvantage is that if the executable is simply not in the user's +\fRPATH\fR, +\fBsudo\fR +will tell the user that they are not allowed to run it, which can be confusing. +This flag is +\fI@path_info@\fR +by default. +.TP 18n +passprompt_override +The password prompt specified by +\fIpassprompt\fR +will normally only be used if the password prompt provided by systems +such as PAM matches the string +``Password:''. +If +\fIpassprompt_override\fR +is set, +\fIpassprompt\fR +will always be used. +This flag is +\fIoff\fR +by default. +.TP 18n +preserve_groups +By default, +\fBsudo\fR +will initialize the group vector to the list of groups the target user is in. +When +\fIpreserve_groups\fR +is set, the user's existing group vector is left unaltered. +The real and effective group IDs, however, are still set to match the +target user. +This flag is +\fIoff\fR +by default. +.TP 18n +pwfeedback +By default, +\fBsudo\fR +reads the password like most other Unix programs, by turning off echo until the user hits the return (or enter) key. -Some users become confused by this as it appears to them that \fBsudo\fR -has hung at this point. When \fIpwfeedback\fR is set, \fBsudo\fR will -provide visual feedback when the user presses a key. Note that -this does have a security impact as an onlooker may be able to +Some users become confused by this as it appears to them that +\fBsudo\fR +has hung at this point. +When +\fIpwfeedback\fR +is set, +\fBsudo\fR +will provide visual feedback when the user presses a key. +Note that this does have a security impact as an onlooker may be able to determine the length of the password being entered. -This flag is \fIoff\fR by default. -.IP "requiretty" 16 -.IX Item "requiretty" -If set, \fBsudo\fR will only run when the user is logged in to a real -tty. When this flag is set, \fBsudo\fR can only be run from a login -session and not via other means such as \fIcron\fR\|(@mansectsu@) or cgi-bin scripts. -This flag is \fIoff\fR by default. -.IP "root_sudo" 16 -.IX Item "root_sudo" -If set, root is allowed to run \fBsudo\fR too. Disabling this prevents users -from \*(L"chaining\*(R" \fBsudo\fR commands to get a root shell by doing something -like \f(CW"sudo sudo /bin/sh"\fR. Note, however, that turning off \fIroot_sudo\fR -will also prevent root from running \fBsudoedit\fR. -Disabling \fIroot_sudo\fR provides no real additional security; it -exists purely for historical reasons. -This flag is \fI@root_sudo@\fR by default. -.IP "rootpw" 16 -.IX Item "rootpw" -If set, \fBsudo\fR will prompt for the root password instead of the password -of the invoking user. This flag is \fIoff\fR by default. -.IP "runaspw" 16 -.IX Item "runaspw" -If set, \fBsudo\fR will prompt for the password of the user defined by the -\&\fIrunas_default\fR option (defaults to \f(CW\*(C`@runas_default@\*(C'\fR) instead of the -password of the invoking user. This flag is \fIoff\fR by default. -.IP "set_home" 16 -.IX Item "set_home" -If enabled and \fBsudo\fR is invoked with the \fB\-s\fR option the \f(CW\*(C`HOME\*(C'\fR +This flag is +\fIoff\fR +by default. +.TP 18n +requiretty +If set, +\fBsudo\fR +will only run when the user is logged in to a real tty. +When this flag is set, +\fBsudo\fR +can only be run from a login session and not via other means such as +cron(@mansectsu@) +or cgi-bin scripts. +This flag is +\fIoff\fR +by default. +.TP 18n +root_sudo +If set, root is allowed to run +\fBsudo\fR +too. +Disabling this prevents users from +``chaining'' +\fBsudo\fR +commands to get a root shell by doing something like +``\fRsudo sudo /bin/sh\fR''. +Note, however, that turning off +\fIroot_sudo\fR +will also prevent root from running +\fBsudoedit\fR. +Disabling +\fIroot_sudo\fR +provides no real additional security; it exists purely for historical reasons. +This flag is +\fI@root_sudo@\fR +by default. +.TP 18n +rootpw +If set, +\fBsudo\fR +will prompt for the root password instead of the password of the invoking user. +This flag is +\fIoff\fR +by default. +.TP 18n +runaspw +If set, +\fBsudo\fR +will prompt for the password of the user defined by the +\fIrunas_default\fR +option (defaults to +\fR@runas_default@\fR) +instead of the password of the invoking user. +This flag is +\fIoff\fR +by default. +.TP 18n +set_home +If enabled and +\fBsudo\fR +is invoked with the +\fB-s\fR +option the +\fRHOME\fR environment variable will be set to the home directory of the target -user (which is root unless the \fB\-u\fR option is used). This effectively -makes the \fB\-s\fR option imply \fB\-H\fR. Note that \f(CW\*(C`HOME\*(C'\fR is already -set when the the \fIenv_reset\fR option is enabled, so \fIset_home\fR is -only effective for configurations where either \fIenv_reset\fR is disabled -or \f(CW\*(C`HOME\*(C'\fR is present in the \fIenv_keep\fR list. -This flag is \fIoff\fR by default. -.IP "set_logname" 16 -.IX Item "set_logname" -Normally, \fBsudo\fR will set the \f(CW\*(C`LOGNAME\*(C'\fR, \f(CW\*(C`USER\*(C'\fR and \f(CW\*(C`USERNAME\*(C'\fR -environment variables to the name of the target user (usually root -unless the \fB\-u\fR option is given). However, since some programs -(including the \s-1RCS\s0 revision control system) use \f(CW\*(C`LOGNAME\*(C'\fR to -determine the real identity of the user, it may be desirable to -change this behavior. This can be done by negating the set_logname -option. Note that if the \fIenv_reset\fR option has not been disabled, -entries in the \fIenv_keep\fR list will override the value of -\&\fIset_logname\fR. This flag is \fIon\fR by default. -.IP "set_utmp" 16 -.IX Item "set_utmp" -When enabled, \fBsudo\fR will create an entry in the utmp (or utmpx) -file when a pseudo-tty is allocated. A pseudo-tty is allocated by -\&\fBsudo\fR when the \fIlog_input\fR, \fIlog_output\fR or \fIuse_pty\fR flags -are enabled. By default, the new entry will be a copy of the user's -existing utmp entry (if any), with the tty, time, type and pid -fields updated. This flag is \fIon\fR by default. -.IP "setenv" 16 -.IX Item "setenv" -Allow the user to disable the \fIenv_reset\fR option from the command -line via the \fB\-E\fR option. Additionally, environment variables set -via the command line are not subject to the restrictions imposed -by \fIenv_check\fR, \fIenv_delete\fR, or \fIenv_keep\fR. As such, only -trusted users should be allowed to set variables in this manner. -This flag is \fIoff\fR by default. -.IP "shell_noargs" 16 -.IX Item "shell_noargs" -If set and \fBsudo\fR is invoked with no arguments it acts as if the -\&\fB\-s\fR option had been given. That is, it runs a shell as root (the -shell is determined by the \f(CW\*(C`SHELL\*(C'\fR environment variable if it is -set, falling back on the shell listed in the invoking user's -/etc/passwd entry if not). This flag is \fIoff\fR by default. -.IP "stay_setuid" 16 -.IX Item "stay_setuid" -Normally, when \fBsudo\fR executes a command the real and effective -UIDs are set to the target user (root by default). This option -changes that behavior such that the real \s-1UID\s0 is left as the invoking -user's \s-1UID\s0. In other words, this makes \fBsudo\fR act as a setuid -wrapper. This can be useful on systems that disable some potentially -dangerous functionality when a program is run setuid. This option -is only effective on systems with either the \fIsetreuid()\fR or \fIsetresuid()\fR -function. This flag is \fIoff\fR by default. -.IP "targetpw" 16 -.IX Item "targetpw" -If set, \fBsudo\fR will prompt for the password of the user specified -by the \fB\-u\fR option (defaults to \f(CW\*(C`root\*(C'\fR) instead of the password -of the invoking user. In addition, the timestamp file name will -include the target user's name. Note that this flag precludes the -use of a uid not listed in the passwd database as an argument to -the \fB\-u\fR option. This flag is \fIoff\fR by default. -.IP "tty_tickets" 16 -.IX Item "tty_tickets" -If set, users must authenticate on a per-tty basis. With this flag -enabled, \fBsudo\fR will use a file named for the tty the user is -logged in on in the user's time stamp directory. If disabled, the -time stamp of the directory is used instead. This flag is -\&\fI@tty_tickets@\fR by default. -.IP "umask_override" 16 -.IX Item "umask_override" -If set, \fBsudo\fR will set the umask as specified by \fIsudoers\fR without -modification. This makes it possible to specify a more permissive -umask in \fIsudoers\fR than the user's own umask and matches historical -behavior. If \fIumask_override\fR is not set, \fBsudo\fR will set the -umask to be the union of the user's umask and what is specified in -\&\fIsudoers\fR. This flag is \fI@umask_override@\fR by default. -.if \n(LC \{\ -.IP "use_loginclass" 16 -.IX Item "use_loginclass" -If set, \fBsudo\fR will apply the defaults specified for the target user's -login class if one exists. Only available if \fBsudo\fR is configured with -the \-\-with\-logincap option. This flag is \fIoff\fR by default. -\} -.IP "use_pty" 16 -.IX Item "use_pty" -If set, \fBsudo\fR will run the command in a pseudo-pty even if no I/O -logging is being gone. A malicious program run under \fBsudo\fR could -conceivably fork a background process that retains to the user's -terminal device after the main program has finished executing. Use -of this option will make that impossible. This flag is \fIoff\fR by default. -.IP "utmp_runas" 16 -.IX Item "utmp_runas" -If set, \fBsudo\fR will store the name of the runas user when updating -the utmp (or utmpx) file. By default, \fBsudo\fR stores the name of -the invoking user. This flag is \fIoff\fR by default. -.IP "visiblepw" 16 -.IX Item "visiblepw" -By default, \fBsudo\fR will refuse to run if the user must enter a -password but it is not possible to disable echo on the terminal. -If the \fIvisiblepw\fR flag is set, \fBsudo\fR will prompt for a password -even when it would be visible on the screen. This makes it possible -to run things like \f(CW"ssh somehost sudo ls"\fR since by default, \fIssh\fR\|(1) does -not allocate a tty when running a command. This flag is \fIoff\fR by default. +user (which is root unless the +\fB-u\fR +option is used). +This effectively makes the +\fB-s\fR +option imply +\fB-H\fR. +Note that +\fRHOME\fR +is already set when the the +\fIenv_reset\fR +option is enabled, so +\fIset_home\fR +is only effective for configurations where either +\fIenv_reset\fR +is disabled +or +\fRHOME\fR +is present in the +\fIenv_keep\fR +list. +This flag is +\fIoff\fR +by default. +.TP 18n +set_logname +Normally, +\fBsudo\fR +will set the +\fRLOGNAME\fR, +\fRUSER\fR +and +\fRUSERNAME\fR +environment variables to the name of the target user (usually root unless the +\fB-u\fR +option is given). +However, since some programs (including the RCS revision control system) use +\fRLOGNAME\fR +to determine the real identity of the user, it may be desirable to +change this behavior. +This can be done by negating the set_logname option. +Note that if the +\fIenv_reset\fR +option has not been disabled, entries in the +\fIenv_keep\fR +list will override the value of +\fIset_logname\fR. +This flag is +\fIon\fR +by default. +.TP 18n +set_utmp +When enabled, +\fBsudo\fR +will create an entry in the utmp (or utmpx) file when a pseudo-tty +is allocated. +A pseudo-tty is allocated by +\fBsudo\fR +when the +\fIlog_input\fR, +\fIlog_output\fR +or +\fIuse_pty\fR +flags are enabled. +By default, the new entry will be a copy of the user's existing utmp +entry (if any), with the tty, time, type and pid fields updated. +This flag is +\fIon\fR +by default. +.TP 18n +setenv +Allow the user to disable the +\fIenv_reset\fR +option from the command line via the +\fB-E\fR +option. +Additionally, environment variables set via the command line are +not subject to the restrictions imposed by +\fIenv_check\fR, +\fIenv_delete\fR, +or +\fIenv_keep\fR. +As such, only trusted users should be allowed to set variables in this manner. +This flag is +\fIoff\fR +by default. +.TP 18n +shell_noargs +If set and +\fBsudo\fR +is invoked with no arguments it acts as if the +\fB-s\fR +option had been given. +That is, it runs a shell as root (the shell is determined by the +\fRSHELL\fR +environment variable if it is set, falling back on the shell listed +in the invoking user's /etc/passwd entry if not). +This flag is +\fIoff\fR +by default. +.TP 18n +stay_setuid +Normally, when +\fBsudo\fR +executes a command the real and effective UIDs are set to the target +user (root by default). +This option changes that behavior such that the real UID is left +as the invoking user's UID. +In other words, this makes +\fBsudo\fR +act as a setuid wrapper. +This can be useful on systems that disable some potentially +dangerous functionality when a program is run setuid. +This option is only effective on systems that support either the +setreuid(2) +or +setresuid(2) +system call. +This flag is +\fIoff\fR +by default. +.TP 18n +targetpw +If set, +\fBsudo\fR +will prompt for the password of the user specified +by the +\fB-u\fR +option (defaults to +\fRroot\fR) +instead of the password of the invoking user. +In addition, the timestamp file name will include the target user's name. +Note that this flag precludes the use of a uid not listed in the passwd +database as an argument to the +\fB-u\fR +option. +This flag is +\fIoff\fR +by default. +.TP 18n +tty_tickets +If set, users must authenticate on a per-tty basis. +With this flag enabled, +\fBsudo\fR +will use a file named for the tty the user is +logged in on in the user's time stamp directory. +If disabled, the time stamp of the directory is used instead. +This flag is +\fI@tty_tickets@\fR +by default. +.TP 18n +umask_override +If set, +\fBsudo\fR +will set the umask as specified by +\fIsudoers\fR +without modification. +This makes it possible to specify a more permissive umask in +\fIsudoers\fR +than the user's own umask and matches historical behavior. +If +\fIumask_override\fR +is not set, +\fBsudo\fR +will set the umask to be the union of the user's umask and what is specified in +\fIsudoers\fR. +This flag is +\fI@umask_override@\fR +by default. +.TP 18n +use_loginclass +If set, +\fBsudo\fR +will apply the defaults specified for the target user's login class +if one exists. +Only available if +\fBsudo\fR +is configured with the +\fR--with-logincap\fR +option. +This flag is +\fIoff\fR +by default. +.TP 18n +use_pty +If set, +\fBsudo\fR +will run the command in a pseudo-pty even if no I/O logging is being gone. +A malicious program run under +\fBsudo\fR +could conceivably fork a background process that retains to the user's +terminal device after the main program has finished executing. +Use of this option will make that impossible. +This flag is +\fIoff\fR +by default. +.TP 18n +utmp_runas +If set, +\fBsudo\fR +will store the name of the runas user when updating the utmp (or utmpx) file. +By default, +\fBsudo\fR +stores the name of the invoking user. +This flag is +\fIoff\fR +by default. +.TP 18n +visiblepw +By default, +\fBsudo\fR +will refuse to run if the user must enter a password but it is not +possible to disable echo on the terminal. +If the +\fIvisiblepw\fR +flag is set, +\fBsudo\fR +will prompt for a password even when it would be visible on the screen. +This makes it possible to run things like +``\fRssh somehost sudo ls\fR'' +since by default, +ssh(1) +does +not allocate a tty when running a command. +This flag is +\fIoff\fR +by default. .PP -\&\fBIntegers\fR: -.IP "closefrom" 16 -.IX Item "closefrom" -Before it executes a command, \fBsudo\fR will close all open file -descriptors other than standard input, standard output and standard -error (ie: file descriptors 0\-2). The \fIclosefrom\fR option can be used -to specify a different file descriptor at which to start closing. -The default is \f(CW3\fR. -.IP "passwd_tries" 16 -.IX Item "passwd_tries" +\fBIntegers\fR: +.TP 18n +closefrom +Before it executes a command, +\fBsudo\fR +will close all open file descriptors other than standard input, +standard output and standard error (ie: file descriptors 0-2). +The +\fIclosefrom\fR +option can be used to specify a different file descriptor at which +to start closing. +The default is +\fR3\fR. +.TP 18n +passwd_tries The number of tries a user gets to enter his/her password before -\&\fBsudo\fR logs the failure and exits. The default is \f(CW\*(C`@passwd_tries@\*(C'\fR. +\fBsudo\fR +logs the failure and exits. +The default is +\fR@passwd_tries@\fR. .PP -\&\fBIntegers that can be used in a boolean context\fR: -.IP "loglinelen" 16 -.IX Item "loglinelen" -Number of characters per line for the file log. This value is used -to decide when to wrap lines for nicer log files. This has no -effect on the syslog log file, only the file log. The default is -\&\f(CW\*(C`@loglen@\*(C'\fR (use 0 or negate the option to disable word wrap). -.IP "passwd_timeout" 16 -.IX Item "passwd_timeout" -Number of minutes before the \fBsudo\fR password prompt times out, or -\&\f(CW0\fR for no timeout. The timeout may include a fractional component -if minute granularity is insufficient, for example \f(CW2.5\fR. The -default is \f(CW\*(C`@password_timeout@\*(C'\fR. -.IP "timestamp_timeout" 16 -.IX Item "timestamp_timeout" -Number of minutes that can elapse before \fBsudo\fR will ask for a -passwd again. The timeout may include a fractional component if -minute granularity is insufficient, for example \f(CW2.5\fR. The default -is \f(CW\*(C`@timeout@\*(C'\fR. Set this to \f(CW0\fR to always prompt for a password. -If set to a value less than \f(CW0\fR the user's timestamp will never -expire. This can be used to allow users to create or delete their -own timestamps via \f(CW\*(C`sudo \-v\*(C'\fR and \f(CW\*(C`sudo \-k\*(C'\fR respectively. -.IP "umask" 16 -.IX Item "umask" -Umask to use when running the command. Negate this option or set -it to 0777 to preserve the user's umask. The actual umask that is -used will be the union of the user's umask and the value of the -\&\fIumask\fR option, which defaults to \f(CW\*(C`@sudo_umask@\*(C'\fR. This guarantees -that \fBsudo\fR never lowers the umask when running a command. Note -on systems that use \s-1PAM\s0, the default \s-1PAM\s0 configuration may specify -its own umask which will override the value set in \fIsudoers\fR. +\fBIntegers that can be used in a boolean context\fR: +.TP 18n +loglinelen +Number of characters per line for the file log. +This value is used to decide when to wrap lines for nicer log files. +This has no effect on the syslog log file, only the file log. +The default is +\fR@loglen@\fR +(use 0 or negate the option to disable word wrap). +.TP 18n +passwd_timeout +Number of minutes before the +\fBsudo\fR +password prompt times out, or +\fR0\fR +for no timeout. +The timeout may include a fractional component +if minute granularity is insufficient, for example +\fR2.5\fR. +The +default is +\fR@password_timeout@\fR. +.TP 18n +timestamp_timeout +.br +Number of minutes that can elapse before +\fBsudo\fR +will ask for a passwd again. +The timeout may include a fractional component if +minute granularity is insufficient, for example +\fR2.5\fR. +The default is +\fR@timeout@\fR. +Set this to +\fR0\fR +to always prompt for a password. +If set to a value less than +\fR0\fR +the user's timestamp will never expire. +This can be used to allow users to create or delete their own timestamps via +``\fRsudo -v\fR'' +and +``\fRsudo -k\fR'' +respectively. +.TP 18n +umask +Umask to use when running the command. +Negate this option or set it to 0777 to preserve the user's umask. +The actual umask that is used will be the union of the user's umask +and the value of the +\fIumask\fR +option, which defaults to +\fR@sudo_umask@\fR. +This guarantees +that +\fBsudo\fR +never lowers the umask when running a command. +Note: on systems that use PAM, the default PAM configuration may specify +its own umask which will override the value set in +\fIsudoers\fR. .PP -\&\fBStrings\fR: -.IP "badpass_message" 16 -.IX Item "badpass_message" +\fBStrings\fR: +.TP 18n +badpass_message Message that is displayed if a user enters an incorrect password. -The default is \f(CW\*(C`@badpass_message@\*(C'\fR unless insults are enabled. -.IP "editor" 16 -.IX Item "editor" -A colon (':') separated list of editors allowed to be used with -\&\fBvisudo\fR. \fBvisudo\fR will choose the editor that matches the user's -\&\s-1EDITOR\s0 environment variable if possible, or the first editor in the -list that exists and is executable. The default is \f(CW"@editor@"\fR. -.IP "iolog_dir" 16 -.IX Item "iolog_dir" +The default is +\fR@badpass_message@\fR +unless insults are enabled. +.TP 18n +editor +A colon +(`:\&') +separated list of editors allowed to be used with +\fBvisudo\fR. +\fBvisudo\fR +will choose the editor that matches the user's +\fREDITOR\fR +environment variable if possible, or the first editor in the +list that exists and is executable. +The default is +\fI@editor@\fR. +.TP 18n +iolog_dir The top-level directory to use when constructing the path name for -the input/output log directory. Only used if the \fIlog_input\fR or -\&\fIlog_output\fR options are enabled or when the \f(CW\*(C`LOG_INPUT\*(C'\fR or -\&\f(CW\*(C`LOG_OUTPUT\*(C'\fR tags are present for a command. The session sequence -number, if any, is stored in the directory. -The default is \f(CW"@iolog_dir@"\fR. -.Sp -The following percent (`\f(CW\*(C`%\*(C'\fR') escape sequences are supported: -.RS 16 -.ie n .IP "\*(C`%{seq}\*(C'" 4 -.el .IP "\f(CW\*(C`%{seq}\*(C'\fR" 4 -.IX Item "%{seq}" -expanded to a monotonically increasing base\-36 sequence number, such as 0100A5, -where every two digits are used to form a new directory, e.g. \fI01/00/A5\fR -.ie n .IP "\*(C`%{user}\*(C'" 4 -.el .IP "\f(CW\*(C`%{user}\*(C'\fR" 4 -.IX Item "%{user}" +the input/output log directory. +Only used if the +\fIlog_input\fR +or +\fIlog_output\fR +options are enabled or when the +\fRLOG_INPUT\fR +or +\fRLOG_OUTPUT\fR +tags are present for a command. +The session sequence number, if any, is stored in the directory. +The default is +\fI@iolog_dir@\fR. +.sp +The following percent +(`%') +escape sequences are supported: +.RS +.TP 6n +\fR%{seq}\fR +expanded to a monotonically increasing base-36 sequence number, such as 0100A5, +where every two digits are used to form a new directory, e.g.\& +\fI01/00/A5\fR +.TP 6n +\fR%{user}\fR expanded to the invoking user's login name -.ie n .IP "\*(C`%{group}\*(C'" 4 -.el .IP "\f(CW\*(C`%{group}\*(C'\fR" 4 -.IX Item "%{group}" -expanded to the name of the invoking user's real group \s-1ID\s0 -.ie n .IP "\*(C`%{runas_user}\*(C'" 4 -.el .IP "\f(CW\*(C`%{runas_user}\*(C'\fR" 4 -.IX Item "%{runas_user}" +.TP 6n +\fR%{group}\fR +expanded to the name of the invoking user's real group ID +.TP 6n +\fR%{runas_user}\fR expanded to the login name of the user the command will -be run as (e.g. root) -.ie n .IP "\*(C`%{runas_group}\*(C'" 4 -.el .IP "\f(CW\*(C`%{runas_group}\*(C'\fR" 4 -.IX Item "%{runas_group}" +be run as (e.g.\& root) +.TP 6n +\fR%{runas_group}\fR expanded to the group name of the user the command will -be run as (e.g. wheel) -.ie n .IP "\*(C`%{hostname}\*(C'" 4 -.el .IP "\f(CW\*(C`%{hostname}\*(C'\fR" 4 -.IX Item "%{hostname}" +be run as (e.g.\& wheel) +.TP 6n +\fR%{hostname}\fR expanded to the local host name without the domain name -.ie n .IP "\*(C`%{command}\*(C'" 4 -.el .IP "\f(CW\*(C`%{command}\*(C'\fR" 4 -.IX Item "%{command}" +.TP 6n +\fR%{command}\fR expanded to the base name of the command being run .RE -.RS 16 -.Sp -In addition, any escape sequences supported by the system's \fIstrftime()\fR +.RS +.PP +In addition, any escape sequences supported by the system's +strftime(3) function will be expanded. -.Sp -To include a literal `\f(CW\*(C`%\*(C'\fR' character, the string `\f(CW\*(C`%%\*(C'\fR' should -be used. +.sp +To include a literal +`%' +character, the string +`%%' +should be used. +.PP .RE -.IP "iolog_file" 16 -.IX Item "iolog_file" -The path name, relative to \fIiolog_dir\fR, in which to store input/output -logs when the \fIlog_input\fR or \fIlog_output\fR options are enabled or -when the \f(CW\*(C`LOG_INPUT\*(C'\fR or \f(CW\*(C`LOG_OUTPUT\*(C'\fR tags are present for a command. -Note that \fIiolog_file\fR may contain directory components. -The default is \f(CW"%{seq}"\fR. -.Sp -See the \fIiolog_dir\fR option above for a list of supported percent -(`\f(CW\*(C`%\*(C'\fR') escape sequences. -.Sp +.sp -1v +.TP 18n +iolog_file +The path name, relative to +\fIiolog_dir\fR, +in which to store input/output logs when the +\fIlog_input\fR +or +\fIlog_output\fR +options are enabled or when the +\fRLOG_INPUT\fR +or +\fRLOG_OUTPUT\fR +tags are present for a command. +Note that +\fIiolog_file\fR +may contain directory components. +The default is +``\fR%{seq}\fR''. +.sp +See the +\fIiolog_dir\fR +option above for a list of supported percent +(`%') +escape sequences. +.sp In addition to the escape sequences, path names that end in six or -more \f(CW\*(C`X\*(C'\fRs will have the \f(CW\*(C`X\*(C'\fRs replaced with a unique combination -of digits and letters, similar to the \fImktemp()\fR function. -.IP "mailsub" 16 -.IX Item "mailsub" -Subject of the mail sent to the \fImailto\fR user. The escape \f(CW%h\fR +more +\fRX\fRs +will have the +\fRX\fRs +replaced with a unique combination of digits and letters, similar to the +mktemp(3) +function. +.TP 18n +mailsub +Subject of the mail sent to the +\fImailto\fR +user. +The escape +\fR%h\fR will expand to the host name of the machine. -Default is \f(CW\*(C`@mailsub@\*(C'\fR. -.IP "noexec_file" 16 -.IX Item "noexec_file" -This option is no longer supported. The path to the noexec file -should now be set in the \fI@sysconfdir@/sudo.conf\fR file. -.IP "passprompt" 16 -.IX Item "passprompt" -The default prompt to use when asking for a password; can be overridden -via the \fB\-p\fR option or the \f(CW\*(C`SUDO_PROMPT\*(C'\fR environment variable. -The following percent (`\f(CW\*(C`%\*(C'\fR') escape sequences are supported: -.RS 16 -.ie n .IP "%H" 4 -.el .IP "\f(CW%H\fR" 4 -.IX Item "%H" +Default is +``\fR@mailsub@\fR''. +.TP 18n +noexec_file +This option is no longer supported. +The path to the noexec file should now be set in the +\fI@sysconfdir@/sudo.conf\fR +file. +.TP 18n +passprompt +The default prompt to use when asking for a password; can be overridden via the +\fB-p\fR +option or the +\fRSUDO_PROMPT\fR +environment variable. +The following percent +(`%') +escape sequences are supported: +.RS +.TP 6n +\fR%H\fR expanded to the local host name including the domain name -(only if the machine's host name is fully qualified or the \fIfqdn\fR +(only if the machine's host name is fully qualified or the +\fIfqdn\fR option is set) -.ie n .IP "%h" 4 -.el .IP "\f(CW%h\fR" 4 -.IX Item "%h" +.TP 6n +\fR%h\fR expanded to the local host name without the domain name -.ie n .IP "%p" 4 -.el .IP "\f(CW%p\fR" 4 -.IX Item "%p" -expanded to the user whose password is being asked for (respects the -\&\fIrootpw\fR, \fItargetpw\fR and \fIrunaspw\fR flags in \fIsudoers\fR) -.ie n .IP "%U" 4 -.el .IP "\f(CW%U\fR" 4 -.IX Item "%U" +.TP 6n +\fR%p\fR +expanded to the user whose password is being asked for (respects the +\fIrootpw\fR, +\fItargetpw\fR +and +\fIrunaspw\fR +flags in +\fIsudoers\fR) +.TP 6n +\fR%U\fR expanded to the login name of the user the command will be run as (defaults to root) -.ie n .IP "%u" 4 -.el .IP "\f(CW%u\fR" 4 -.IX Item "%u" +.TP 6n +\fR%u\fR expanded to the invoking user's login name -.ie n .IP "\*(C`%%\*(C'" 4 -.el .IP "\f(CW\*(C`%%\*(C'\fR" 4 -.IX Item "%%" -two consecutive \f(CW\*(C`%\*(C'\fR characters are collapsed into a single \f(CW\*(C`%\*(C'\fR character +.TP 6n +\fR%%\fR +two consecutive +\fR%\fR +characters are collapsed into a single +\fR%\fR +character .RE -.RS 16 -.Sp -The default value is \f(CW\*(C`@passprompt@\*(C'\fR. -.RE -.if \n(SL \{\ -.IP "role" 16 -.IX Item "role" -The default SELinux role to use when constructing a new security -context to run the command. The default role may be overridden on -a per-command basis in \fIsudoers\fR or via command line options. -This option is only available whe \fBsudo\fR is built with SELinux support. -\} -.IP "runas_default" 16 -.IX Item "runas_default" -The default user to run commands as if the \fB\-u\fR option is not specified -on the command line. This defaults to \f(CW\*(C`@runas_default@\*(C'\fR. -.IP "syslog_badpri" 16 -.IX Item "syslog_badpri" -Syslog priority to use when user authenticates unsuccessfully. -Defaults to \f(CW\*(C`@badpri@\*(C'\fR. -.Sp -The following syslog priorities are supported: \fBalert\fR, \fBcrit\fR, -\&\fBdebug\fR, \fBemerg\fR, \fBerr\fR, \fBinfo\fR, \fBnotice\fR, and \fBwarning\fR. -.IP "syslog_goodpri" 16 -.IX Item "syslog_goodpri" -Syslog priority to use when user authenticates successfully. -Defaults to \f(CW\*(C`@goodpri@\*(C'\fR. -.Sp -See syslog_badpri for the list of supported syslog priorities. -.IP "sudoers_locale" 16 -.IX Item "sudoers_locale" -Locale to use when parsing the sudoers file, logging commands, and -sending email. Note that changing the locale may affect how sudoers -is interpreted. Defaults to \f(CW"C"\fR. -.IP "timestampdir" 16 -.IX Item "timestampdir" -The directory in which \fBsudo\fR stores its timestamp files. -The default is \fI@timedir@\fR. -.IP "timestampowner" 16 -.IX Item "timestampowner" -The owner of the timestamp directory and the timestamps stored therein. -The default is \f(CW\*(C`root\*(C'\fR. -.if \n(SL \{\ -.IP "type" 16 -.IX Item "type" -The default SELinux type to use when constructing a new security -context to run the command. The default type may be overridden on -a per-command basis in \fIsudoers\fR or via command line options. -This option is only available whe \fBsudo\fR is built with SELinux support. -\} +.RS .PP -\&\fBStrings that can be used in a boolean context\fR: -.IP "env_file" 12 -.IX Item "env_file" -The \fIenv_file\fR option specifies the fully qualified path to a -file containing variables to be set in the environment of the program -being run. Entries in this file should either be of the form -\&\f(CW\*(C`VARIABLE=value\*(C'\fR or \f(CW\*(C`export VARIABLE=value\*(C'\fR. The value may -optionally be surrounded by single or double quotes. Variables in -this file are subject to other \fBsudo\fR environment settings such -as \fIenv_keep\fR and \fIenv_check\fR. -.IP "exempt_group" 12 -.IX Item "exempt_group" -Users in this group are exempt from password and \s-1PATH\s0 requirements. -The group name specified should not include a \f(CW\*(C`%\*(C'\fR prefix. +The default value is +``\fR@passprompt@\fR''. +.PP +.RE +.sp -1v +.TP 18n +role +The default SELinux role to use when constructing a new security +context to run the command. +The default role may be overridden on a per-command basis in +\fIsudoers\fR +or via command line options. +This option is only available whe +\fBsudo\fR +is built with SELinux support. +.TP 18n +runas_default +The default user to run commands as if the +\fB-u\fR +option is not specified on the command line. +This defaults to +\fR@runas_default@\fR. +.TP 18n +syslog_badpri +Syslog priority to use when user authenticates unsuccessfully. +Defaults to +\fR@badpri@\fR. +.sp +The following syslog priorities are supported: +\fBalert\fR, +\fBcrit\fR, +\fBdebug\fR, +\fBemerg\fR, +\fBerr\fR, +\fBinfo\fR, +\fBnotice\fR, +and +\fBwarning\fR. +.TP 18n +syslog_goodpri +Syslog priority to use when user authenticates successfully. +Defaults to +\fR@goodpri@\fR. +.sp +See +\fIsyslog_badpri\fR +for the list of supported syslog priorities. +.TP 18n +sudoers_locale +Locale to use when parsing the sudoers file, logging commands, and +sending email. +Note that changing the locale may affect how sudoers is interpreted. +Defaults to +``\fRC\fR''. +.TP 18n +timestampdir +The directory in which +\fBsudo\fR +stores its timestamp files. +The default is +\fI@timedir@\fR. +.TP 18n +timestampowner +The owner of the timestamp directory and the timestamps stored therein. +The default is +\fRroot\fR. +.TP 18n +type +The default SELinux type to use when constructing a new security +context to run the command. +The default type may be overridden on a per-command basis in +\fIsudoers\fR +or via command line options. +This option is only available whe +\fBsudo\fR +is built with SELinux support. +.PP +\fBStrings that can be used in a boolean context\fR: +.TP 14n +env_file +The +\fIenv_file\fR +option specifies the fully qualified path to a file containing variables +to be set in the environment of the program being run. +Entries in this file should either be of the form +``\fRVARIABLE=value\fR'' +or +``\fRexport VARIABLE=value\fR''. +The value may optionally be surrounded by single or double quotes. +Variables in this file are subject to other +\fBsudo\fR +environment settings such as +\fIenv_keep\fR +and +\fIenv_check\fR. +.TP 14n +exempt_group +Users in this group are exempt from password and PATH requirements. +The group name specified should not include a +\fR%\fR +prefix. This is not set by default. -.IP "group_plugin" 12 -.IX Item "group_plugin" -A string containing a \fIsudoers\fR group plugin with optional arguments. -This can be used to implement support for the \f(CW\*(C`nonunix_group\*(C'\fR -syntax described earlier. The string should consist of the plugin -path, either fully-qualified or relative to the \fI@prefix@/libexec\fR -directory, followed by any configuration arguments the plugin -requires. These arguments (if any) will be passed to the plugin's -initialization function. If arguments are present, the string must -be enclosed in double quotes (\f(CW\*(C`"\*(C'\fR). -.Sp -For example, given \fI/etc/sudo\-group\fR, a group file in Unix group -format, the sample group plugin can be used: -.Sp -.Vb 1 -\& Defaults group_plugin="sample_group.so /etc/sudo\-group" -.Ve -.Sp -For more information see \fIsudo_plugin\fR\|(@mansectform@). -.IP "lecture" 12 -.IX Item "lecture" +.TP 14n +group_plugin +A string containing a +\fIsudoers\fR +group plugin with optional arguments. +This can be used to implement support for the +\fRnonunix_group\fR +syntax described earlier. +The string should consist of the plugin +path, either fully-qualified or relative to the +\fI@prefix@/libexec\fR +directory, followed by any configuration arguments the plugin requires. +These arguments (if any) will be passed to the plugin's initialization function. +If arguments are present, the string must be enclosed in double quotes +(\&""). +.sp +For example, given +\fI/etc/sudo-group\fR, +a group file in Unix group format, the sample group plugin can be used: +.nf +.sp +.RS 14n +Defaults group_plugin="sample_group.so /etc/sudo-group" +.RE +.fi +.RS +.sp +For more information see +sudo_plugin(@mansectform@). +.PP +.RE +.sp -1v +.TP 14n +lecture This option controls when a short lecture will be printed along with -the password prompt. It has the following possible values: -.RS 12 -.IP "always" 8 -.IX Item "always" +the password prompt. +It has the following possible values: +.RS +.TP 8n +always Always lecture the user. -.IP "never" 8 -.IX Item "never" +.TP 8n +never Never lecture the user. -.IP "once" 8 -.IX Item "once" -Only lecture the user the first time they run \fBsudo\fR. +.TP 8n +once +Only lecture the user the first time they run +\fBsudo\fR. .RE -.RS 12 -.Sp -If no value is specified, a value of \fIonce\fR is implied. -Negating the option results in a value of \fInever\fR being used. -The default value is \fI@lecture@\fR. +.RS +.PP +If no value is specified, a value of +\fIonce\fR +is implied. +Negating the option results in a value of +\fInever\fR +being used. +The default value is +\fI@lecture@\fR. +.PP .RE -.IP "lecture_file" 12 -.IX Item "lecture_file" -Path to a file containing an alternate \fBsudo\fR lecture that will -be used in place of the standard lecture if the named file exists. -By default, \fBsudo\fR uses a built-in lecture. -.IP "listpw" 12 -.IX Item "listpw" -This option controls when a password will be required when a -user runs \fBsudo\fR with the \fB\-l\fR option. It has the following possible values: -.RS 12 -.IP "all" 8 -.IX Item "all" -All the user's \fIsudoers\fR entries for the current host must have -the \f(CW\*(C`NOPASSWD\*(C'\fR flag set to avoid entering a password. -.IP "always" 8 -.IX Item "always" -The user must always enter a password to use the \fB\-l\fR option. -.IP "any" 8 -.IX Item "any" -At least one of the user's \fIsudoers\fR entries for the current host -must have the \f(CW\*(C`NOPASSWD\*(C'\fR flag set to avoid entering a password. -.IP "never" 8 -.IX Item "never" -The user need never enter a password to use the \fB\-l\fR option. +.sp -1v +.TP 14n +lecture_file +Path to a file containing an alternate +\fBsudo\fR +lecture that will be used in place of the standard lecture if the named +file exists. +By default, +\fBsudo\fR +uses a built-in lecture. +.TP 14n +listpw +This option controls when a password will be required when a user runs +\fBsudo\fR +with the +\fB-l\fR +option. +It has the following possible values: +.RS +.TP 10n +all +All the user's +\fIsudoers\fR +entries for the current host must have +the +\fRNOPASSWD\fR +flag set to avoid entering a password. +.TP 10n +always +The user must always enter a password to use the +\fB-l\fR +option. +.TP 10n +any +At least one of the user's +\fIsudoers\fR +entries for the current host +must have the +\fRNOPASSWD\fR +flag set to avoid entering a password. +.TP 10n +never +The user need never enter a password to use the +\fB-l\fR +option. .RE -.RS 12 -.Sp -If no value is specified, a value of \fIany\fR is implied. -Negating the option results in a value of \fInever\fR being used. -The default value is \fIany\fR. +.RS +.PP +If no value is specified, a value of +\fIany\fR +is implied. +Negating the option results in a value of +\fInever\fR +being used. +The default value is +\fIany\fR. +.PP .RE -.IP "logfile" 12 -.IX Item "logfile" -Path to the \fBsudo\fR log file (not the syslog log file). Setting a path -turns on logging to a file; negating this option turns it off. -By default, \fBsudo\fR logs via syslog. -.IP "mailerflags" 12 -.IX Item "mailerflags" -Flags to use when invoking mailer. Defaults to \fB\-t\fR. -.IP "mailerpath" 12 -.IX Item "mailerpath" +.sp -1v +.TP 14n +logfile +Path to the +\fBsudo\fR +log file (not the syslog log file). +Setting a path turns on logging to a file; +negating this option turns it off. +By default, +\fBsudo\fR +logs via syslog. +.TP 14n +mailerflags +Flags to use when invoking mailer. Defaults to +\fB-t\fR. +.TP 14n +mailerpath Path to mail program used to send warning mail. Defaults to the path to sendmail found at configure time. -.IP "mailfrom" 12 -.IX Item "mailfrom" -Address to use for the \*(L"from\*(R" address when sending warning and error -mail. The address should be enclosed in double quotes (\f(CW\*(C`"\*(C'\fR) to -protect against \fBsudo\fR interpreting the \f(CW\*(C`@\*(C'\fR sign. Defaults to -the name of the user running \fBsudo\fR. -.IP "mailto" 12 -.IX Item "mailto" -Address to send warning and error mail to. The address should -be enclosed in double quotes (\f(CW\*(C`"\*(C'\fR) to protect against \fBsudo\fR -interpreting the \f(CW\*(C`@\*(C'\fR sign. Defaults to \f(CW\*(C`@mailto@\*(C'\fR. -.IP "secure_path" 12 -.IX Item "secure_path" -Path used for every command run from \fBsudo\fR. If you don't trust the -people running \fBsudo\fR to have a sane \f(CW\*(C`PATH\*(C'\fR environment variable you may -want to use this. Another use is if you want to have the \*(L"root path\*(R" -be separate from the \*(L"user path.\*(R" Users in the group specified by the -\&\fIexempt_group\fR option are not affected by \fIsecure_path\fR. +.TP 14n +mailfrom +Address to use for the +``from'' +address when sending warning and error mail. +The address should be enclosed in double quotes +(\&"") +to protect against +\fBsudo\fR +interpreting the +\fR@\fR +sign. +Defaults to the name of the user running +\fBsudo\fR. +.TP 14n +mailto +Address to send warning and error mail to. +The address should be enclosed in double quotes +(\&"") +to protect against +\fBsudo\fR +interpreting the +\fR@\fR +sign. +Defaults to +\fR@mailto@\fR. +.TP 14n +secure_path +Path used for every command run from +\fBsudo\fR. +If you don't trust the +people running +\fBsudo\fR +to have a sane +\fRPATH\fR +environment variable you may want to use this. +Another use is if you want to have the +``root path'' +be separate from the +``user path''. +Users in the group specified by the +\fIexempt_group\fR +option are not affected by +\fIsecure_path\fR. This option is @secure_path@ by default. -.IP "syslog" 12 -.IX Item "syslog" +.TP 14n +syslog Syslog facility if syslog is being used for logging (negate to -disable syslog logging). Defaults to \f(CW\*(C`@logfac@\*(C'\fR. -.Sp -The following syslog facilities are supported: \fBauthpriv\fR (if your -\&\s-1OS\s0 supports it), \fBauth\fR, \fBdaemon\fR, \fBuser\fR, \fBlocal0\fR, \fBlocal1\fR, -\&\fBlocal2\fR, \fBlocal3\fR, \fBlocal4\fR, \fBlocal5\fR, \fBlocal6\fR, and \fBlocal7\fR. -.IP "verifypw" 12 -.IX Item "verifypw" +disable syslog logging). +Defaults to +\fR@logfac@\fR. +.sp +The following syslog facilities are supported: +\fBauthpriv\fR +(if your +OS supports it), +\fBauth\fR, +\fBdaemon\fR, +\fBuser\fR, +\fBlocal0\fR, +\fBlocal1\fR, +\fBlocal2\fR, +\fBlocal3\fR, +\fBlocal4\fR, +\fBlocal5\fR, +\fBlocal6\fR, +and +\fBlocal7\fR. +.TP 14n +verifypw This option controls when a password will be required when a user runs -\&\fBsudo\fR with the \fB\-v\fR option. It has the following possible values: -.RS 12 -.IP "all" 8 -.IX Item "all" -All the user's \fIsudoers\fR entries for the current host must have -the \f(CW\*(C`NOPASSWD\*(C'\fR flag set to avoid entering a password. -.IP "always" 8 -.IX Item "always" -The user must always enter a password to use the \fB\-v\fR option. -.IP "any" 8 -.IX Item "any" -At least one of the user's \fIsudoers\fR entries for the current host -must have the \f(CW\*(C`NOPASSWD\*(C'\fR flag set to avoid entering a password. -.IP "never" 8 -.IX Item "never" -The user need never enter a password to use the \fB\-v\fR option. +\fBsudo\fR +with the +\fB-v\fR +option. +It has the following possible values: +.RS +.TP 8n +all +All the user's +\fIsudoers\fR +entries for the current host must have the +\fRNOPASSWD\fR +flag set to avoid entering a password. +.TP 8n +always +The user must always enter a password to use the +\fB-v\fR +option. +.TP 8n +any +At least one of the user's +\fIsudoers\fR +entries for the current host must have the +\fRNOPASSWD\fR +flag set to avoid entering a password. +.TP 8n +never +The user need never enter a password to use the +\fB-v\fR +option. .RE -.RS 12 -.Sp -If no value is specified, a value of \fIall\fR is implied. -Negating the option results in a value of \fInever\fR being used. -The default value is \fIall\fR. +.RS +.PP +If no value is specified, a value of +\fIall\fR +is implied. +Negating the option results in a value of +\fInever\fR +being used. +The default value is +\fIall\fR. .RE .PP -\&\fBLists that can be used in a boolean context\fR: -.IP "env_check" 16 -.IX Item "env_check" +\fBLists that can be used in a boolean context\fR: +.TP 18n +env_check Environment variables to be removed from the user's environment if -the variable's value contains \f(CW\*(C`%\*(C'\fR or \f(CW\*(C`/\*(C'\fR characters. This can -be used to guard against printf-style format vulnerabilities in -poorly-written programs. The argument may be a double-quoted, -space-separated list or a single value without double-quotes. The -list can be replaced, added to, deleted from, or disabled by using -the \f(CW\*(C`=\*(C'\fR, \f(CW\*(C`+=\*(C'\fR, \f(CW\*(C`\-=\*(C'\fR, and \f(CW\*(C`!\*(C'\fR operators respectively. Regardless -of whether the \f(CW\*(C`env_reset\*(C'\fR option is enabled or disabled, variables -specified by \f(CW\*(C`env_check\*(C'\fR will be preserved in the environment if -they pass the aforementioned check. The default list of environment -variables to check is displayed when \fBsudo\fR is run by root with -the \fB\-V\fR option. -.IP "env_delete" 16 -.IX Item "env_delete" -Environment variables to be removed from the user's environment -when the \fIenv_reset\fR option is not in effect. The argument may -be a double-quoted, space-separated list or a single value without -double-quotes. The list can be replaced, added to, deleted from, -or disabled by using the \f(CW\*(C`=\*(C'\fR, \f(CW\*(C`+=\*(C'\fR, \f(CW\*(C`\-=\*(C'\fR, and \f(CW\*(C`!\*(C'\fR operators -respectively. The default list of environment variables to remove -is displayed when \fBsudo\fR is run by root with the \fB\-V\fR option. +the variable's value contains +`%' +or +`/' +characters. +This can be used to guard against printf-style format vulnerabilities +in poorly-written programs. +The argument may be a double-quoted, space-separated list or a +single value without double-quotes. +The list can be replaced, added to, deleted from, or disabled by using +the +\fR=\fR, +\fR+=\fR, +\fR-=\fR, +and +\fR\&!\fR +operators respectively. +Regardless of whether the +\fRenv_reset\fR +option is enabled or disabled, variables specified by +\fRenv_check\fR +will be preserved in the environment if they pass the aforementioned check. +The default list of environment variables to check is displayed when +\fBsudo\fR +is run by root with +the +\fB-V\fR +option. +.TP 18n +env_delete +Environment variables to be removed from the user's environment when the +\fIenv_reset\fR +option is not in effect. +The argument may be a double-quoted, space-separated list or a +single value without double-quotes. +The list can be replaced, added to, deleted from, or disabled by using the +\fR=\fR, +\fR+=\fR, +\fR-=\fR, +and +\fR\&!\fR +operators respectively. +The default list of environment variables to remove is displayed when +\fBsudo\fR +is run by root with the +\fB-V\fR +option. Note that many operating systems will remove potentially dangerous variables from the environment of any setuid process (such as -\&\fBsudo\fR). -.IP "env_keep" 16 -.IX Item "env_keep" -Environment variables to be preserved in the user's environment -when the \fIenv_reset\fR option is in effect. This allows fine-grained -control over the environment \fBsudo\fR\-spawned processes will receive. +\fBsudo\fR). +.TP 18n +env_keep +Environment variables to be preserved in the user's environment when the +\fIenv_reset\fR +option is in effect. +This allows fine-grained control over the environment +\fBsudo\fR-spawned +processes will receive. The argument may be a double-quoted, space-separated list or a -single value without double-quotes. The list can be replaced, added -to, deleted from, or disabled by using the \f(CW\*(C`=\*(C'\fR, \f(CW\*(C`+=\*(C'\fR, \f(CW\*(C`\-=\*(C'\fR, and -\&\f(CW\*(C`!\*(C'\fR operators respectively. The default list of variables to keep -is displayed when \fBsudo\fR is run by root with the \fB\-V\fR option. +single value without double-quotes. +The list can be replaced, added to, deleted from, or disabled by using the +\fR=\fR, +\fR+=\fR, +\fR-=\fR, +and +\fR\&!\fR +operators respectively. +The default list of variables to keep +is displayed when +\fBsudo\fR +is run by root with the +\fB-V\fR +option. .SH "SUDO.CONF" -.IX Header "SUDO.CONF" -The \fI@sysconfdir@/sudo.conf\fR file determines which plugins the -\&\fBsudo\fR front end will load. If no \fI@sysconfdir@/sudo.conf\fR file -is present, or it contains no \f(CW\*(C`Plugin\*(C'\fR lines, \fBsudo\fR will use the -\&\fIsudoers\fR security policy and I/O logging, which corresponds to -the following \fI@sysconfdir@/sudo.conf\fR file. -.PP -.Vb 10 -\& # -\& # Default @sysconfdir@/sudo.conf file -\& # -\& # Format: -\& # Plugin plugin_name plugin_path plugin_options ... -\& # Path askpass /path/to/askpass -\& # Path noexec /path/to/sudo_noexec.so -\& # Debug sudo /var/log/sudo_debug all@warn -\& # Set disable_coredump true -\& # -\& # The plugin_path is relative to @prefix@/libexec unless -\& # fully qualified. -\& # The plugin_name corresponds to a global symbol in the plugin -\& # that contains the plugin interface structure. -\& # The plugin_options are optional. -\& # -\& Plugin policy_plugin sudoers.so -\& Plugin io_plugin sudoers.so -.Ve -.SS "\s-1PLUGIN\s0 \s-1OPTIONS\s0" -.IX Subsection "PLUGIN OPTIONS" -Starting with \fBsudo\fR 1.8.5 it is possible to pass options to the -\&\fIsudoers\fR plugin. Options may be listed after the path to the -plugin (i.e. after \fIsudoers.so\fR); multiple options should be -space-separated. For example: -.PP -.Vb 1 -\& Plugin sudoers_policy sudoers.so sudoers_file=/etc/sudoers sudoers_uid=0 sudoers_gid=0 sudoers_mode=0440 -.Ve +The +\fI@sysconfdir@/sudo.conf\fR +file determines which plugins the +\fBsudo\fR +front end will load. +If no +\fI@sysconfdir@/sudo.conf\fR +file +is present, or it contains no +\fRPlugin\fR +lines, +\fBsudo\fR +will use the +\fIsudoers\fR +security policy and I/O logging, which corresponds to the following +\fI@sysconfdir@/sudo.conf\fR +file. +.nf +.sp +.RS 0n +# +# Default @sysconfdir@/sudo.conf file +# +# Format: +# Plugin plugin_name plugin_path plugin_options ... +# Path askpass /path/to/askpass +# Path noexec /path/to/sudo_noexec.so +# Debug sudo /var/log/sudo_debug all@warn +# Set disable_coredump true +# +# The plugin_path is relative to @prefix@/libexec unless +# fully qualified. +# The plugin_name corresponds to a global symbol in the plugin +# that contains the plugin interface structure. +# The plugin_options are optional. +# +Plugin policy_plugin sudoers.so +Plugin io_plugin sudoers.so +.RE +.fi +.SS "PLUGIN OPTIONS" +Starting with +\fBsudo\fR +1.8.5, it is possible to pass options to the +\fIsudoers\fR +plugin. +Options may be listed after the path to the plugin (i.e.\& after +\fIsudoers.so\fR); +multiple options should be space-separated. +For example: +.nf +.sp +.RS 0n +Plugin sudoers_policy sudoers.so sudoers_file=/etc/sudoers sudoers_uid=0 sudoers_gid=0 sudoers_mode=0440 +.RE +.fi .PP The following plugin options are supported: -.IP "sudoers_file=pathname" 10 -.IX Item "sudoers_file=pathname" -The \fIsudoers_file\fR option can be used to override the default path -to the \fIsudoers\fR file. -.IP "sudoers_uid=uid" 10 -.IX Item "sudoers_uid=uid" -The \fIsudoers_uid\fR option can be used to override the default owner -of the sudoers file. It should be specified as a numeric user \s-1ID\s0. -.IP "sudoers_gid=gid" 10 -.IX Item "sudoers_gid=gid" -The \fIsudoers_gid\fR option can be used to override the default group -of the sudoers file. It should be specified as a numeric group \s-1ID\s0. -.IP "sudoers_mode=mode" 10 -.IX Item "sudoers_mode=mode" -The \fIsudoers_mode\fR option can be used to override the default file -mode for the sudoers file. It should be specified as an octal value. -.SS "\s-1DEBUG\s0 \s-1FLAGS\s0" -.IX Subsection "DEBUG FLAGS" -Versions 1.8.4 and higher of the \fIsudoers\fR plugin supports a -debugging framework that can help track down what the plugin is -doing internally if there is a problem. This can be configured in -the \fI@sysconfdir@/sudo.conf\fR file as described in \fIsudo\fR\|(@mansectsu@). +.TP 10n +sudoers_file=pathname +The +\fIsudoers_file\fR +option can be used to override the default path +to the +\fIsudoers\fR +file. +.TP 10n +sudoers_uid=uid +The +\fIsudoers_uid\fR +option can be used to override the default owner of the sudoers file. +It should be specified as a numeric user ID. +.TP 10n +sudoers_gid=gid +The +\fIsudoers_gid\fR +option can be used to override the default group of the sudoers file. +It should be specified as a numeric group ID. +.TP 10n +sudoers_mode=mode +The +\fIsudoers_mode\fR +option can be used to override the default file mode for the sudoers file. +It should be specified as an octal value. +.SS "DEBUG FLAGS" +Versions 1.8.4 and higher of the +\fIsudoers\fR +plugin supports a debugging framework that can help track down what the +plugin is doing internally if there is a problem. +This can be configured in the +\fI@sysconfdir@/sudo.conf\fR +file as described in +sudo(@mansectsu@). .PP -The \fIsudoers\fR plugin uses the same debug flag format as \fBsudo\fR -itself: \fIsubsystem\fR@\fIpriority\fR. +The +\fIsudoers\fR +plugin uses the same debug flag format as the +\fBsudo\fR +front-end: +\fIsubsystem\fR@\fIpriority\fR. .PP -The priorities used by \fIsudoers\fR, in order of decreasing severity, -are: \fIcrit\fR, \fIerr\fR, \fIwarn\fR, \fInotice\fR, \fIdiag\fR, \fIinfo\fR, \fItrace\fR -and \fIdebug\fR. Each priority, when specified, also includes all -priorities higher than it. For example, a priority of \fInotice\fR -would include debug messages logged at \fInotice\fR and higher. +The priorities used by +\fIsudoers\fR, +in order of decreasing severity, +are: +\fIcrit\fR, +\fIerr\fR, +\fIwarn\fR, +\fInotice\fR, +\fIdiag\fR, +\fIinfo\fR, +\fItrace\fR +and +\fIdebug\fR. +Each priority, when specified, also includes all priorities higher than it. +For example, a priority of +\fInotice\fR +would include debug messages logged at +\fInotice\fR +and higher. .PP -The following subsystems are used by \fIsudoers\fR: -.IP "\fIalias\fR" 10 -.IX Item "alias" -\&\f(CW\*(C`User_Alias\*(C'\fR, \f(CW\*(C`Runas_Alias\*(C'\fR, \f(CW\*(C`Host_Alias\*(C'\fR and \f(CW\*(C`Cmnd_Alias\*(C'\fR processing -.IP "\fIall\fR" 10 -.IX Item "all" +The following subsystems are used by +\fIsudoers\fR: +.TP 10n +\fIalias\fR +\fRUser_Alias\fR, +\fRRunas_Alias\fR, +\fRHost_Alias\fR +and +\fRCmnd_Alias\fR +processing +.TP 10n +\fIall\fR matches every subsystem -.IP "\fIaudit\fR" 10 -.IX Item "audit" -\&\s-1BSM\s0 and Linux audit code -.IP "\fIauth\fR" 10 -.IX Item "auth" +.TP 10n +\fIaudit\fR +BSM and Linux audit code +.TP 10n +\fIauth\fR user authentication -.IP "\fIdefaults\fR" 10 -.IX Item "defaults" -\&\fIsudoers\fR \fIDefaults\fR settings -.IP "\fIenv\fR" 10 -.IX Item "env" +.TP 10n +\fIdefaults\fR +\fIsudoers\fR +\fIDefaults\fR +settings +.TP 10n +\fIenv\fR environment handling -.IP "\fIldap\fR" 10 -.IX Item "ldap" +.TP 10n +\fIldap\fR LDAP-based sudoers -.IP "\fIlogging\fR" 10 -.IX Item "logging" +.TP 10n +\fIlogging\fR logging support -.IP "\fImatch\fR" 10 -.IX Item "match" -matching of users, groups, hosts and netgroups in \fIsudoers\fR -.IP "\fInetif\fR" 10 -.IX Item "netif" +.TP 10n +\fImatch\fR +matching of users, groups, hosts and netgroups in +\fIsudoers\fR +.TP 10n +\fInetif\fR network interface handling -.IP "\fInss\fR" 10 -.IX Item "nss" -network service switch handling in \fIsudoers\fR -.IP "\fIparser\fR" 10 -.IX Item "parser" -\&\fIsudoers\fR file parsing -.IP "\fIperms\fR" 10 -.IX Item "perms" +.TP 10n +\fInss\fR +network service switch handling in +\fIsudoers\fR +.TP 10n +\fIparser\fR +\fIsudoers\fR +file parsing +.TP 10n +\fIperms\fR permission setting -.IP "\fIplugin\fR" 10 -.IX Item "plugin" -The equivalent of \fImain\fR for the plugin. -.IP "\fIpty\fR" 10 -.IX Item "pty" +.TP 10n +\fIplugin\fR +The equivalent of +\fImain\fR +for the plugin. +.TP 10n +\fIpty\fR pseudo-tty related code -.IP "\fIrbtree\fR" 10 -.IX Item "rbtree" +.TP 10n +\fIrbtree\fR redblack tree internals -.IP "\fIutil\fR" 10 -.IX Item "util" +.TP 10n +\fIutil\fR utility functions .SH "FILES" -.IX Header "FILES" -.ie n .IP "\fI@sysconfdir@/sudo.conf\fR" 24 -.el .IP "\fI@sysconfdir@/sudo.conf\fR" 24 -.IX Item "@sysconfdir@/sudo.conf" +.TP 26n +\fI@sysconfdir@/sudo.conf\fR Sudo front end configuration -.ie n .IP "\fI@sysconfdir@/sudoers\fR" 24 -.el .IP "\fI@sysconfdir@/sudoers\fR" 24 -.IX Item "@sysconfdir@/sudoers" +.TP 26n +\fI@sysconfdir@/sudoers\fR List of who can run what -.IP "\fI/etc/group\fR" 24 -.IX Item "/etc/group" +.TP 26n +\fI/etc/group\fR Local groups file -.IP "\fI/etc/netgroup\fR" 24 -.IX Item "/etc/netgroup" +.TP 26n +\fI/etc/netgroup\fR List of network groups -.ie n .IP "\fI@iolog_dir@\fR" 24 -.el .IP "\fI@iolog_dir@\fR" 24 -.IX Item "@iolog_dir@" +.TP 26n +\fI@iolog_dir@\fR I/O log files -.ie n .IP "\fI@timedir@\fR" 24 -.el .IP "\fI@timedir@\fR" 24 -.IX Item "@timedir@" -Directory containing time stamps for the \fIsudoers\fR security policy -.IP "\fI/etc/environment\fR" 24 -.IX Item "/etc/environment" -Initial environment for \fB\-i\fR mode on \s-1AIX\s0 and Linux systems +.TP 26n +\fI@timedir@\fR +Directory containing time stamps for the +\fIsudoers\fR +security policy +.TP 26n +\fI/etc/environment\fR +Initial environment for +\fB-i\fR +mode on AIX and Linux systems .SH "EXAMPLES" -.IX Header "EXAMPLES" -Below are example \fIsudoers\fR entries. Admittedly, some of -these are a bit contrived. First, we allow a few environment -variables to pass and then define our \fIaliases\fR: +Below are example +\fIsudoers\fR +entries. +Admittedly, some of these are a bit contrived. +First, we allow a few environment variables to pass and then define our +\fIaliases\fR: +.nf +.sp +.RS 0n +# Run X applications through sudo; HOME is used to find the +# .Xauthority file. Note that other programs use HOME to find +# configuration files and this may lead to privilege escalation! +Defaults env_keep += "DISPLAY HOME" + +# User alias specification +User_Alias FULLTIMERS = millert, mikef, dowdy +User_Alias PARTTIMERS = bostley, jwfox, crawl +User_Alias WEBMASTERS = will, wendy, wim + +# Runas alias specification +Runas_Alias OP = root, operator +Runas_Alias DB = oracle, sybase +Runas_Alias ADMINGRP = adm, oper + +# Host alias specification +Host_Alias SPARC = bigtime, eclipse, moet, anchor :\e + SGI = grolsch, dandelion, black :\e + ALPHA = widget, thalamus, foobar :\e + HPPA = boa, nag, python +Host_Alias CUNETS = 128.138.0.0/255.255.0.0 +Host_Alias CSNETS = 128.138.243.0, 128.138.204.0/24, 128.138.242.0 +Host_Alias SERVERS = master, mail, www, ns +Host_Alias CDROM = orion, perseus, hercules + +# Cmnd alias specification +Cmnd_Alias DUMPS = /usr/bin/mt, /usr/sbin/dump, /usr/sbin/rdump,\e + /usr/sbin/restore, /usr/sbin/rrestore +Cmnd_Alias KILL = /usr/bin/kill +Cmnd_Alias PRINTING = /usr/sbin/lpc, /usr/bin/lprm +Cmnd_Alias SHUTDOWN = /usr/sbin/shutdown +Cmnd_Alias HALT = /usr/sbin/halt +Cmnd_Alias REBOOT = /usr/sbin/reboot +Cmnd_Alias SHELLS = /usr/bin/sh, /usr/bin/csh, /usr/bin/ksh,\e + /usr/local/bin/tcsh, /usr/bin/rsh,\e + /usr/local/bin/zsh +Cmnd_Alias SU = /usr/bin/su +Cmnd_Alias PAGERS = /usr/bin/more, /usr/bin/pg, /usr/bin/less +.RE +.fi .PP -.Vb 4 -\& # Run X applications through sudo; HOME is used to find the -\& # .Xauthority file. Note that other programs use HOME to find -\& # configuration files and this may lead to privilege escalation! -\& Defaults env_keep += "DISPLAY HOME" -\& -\& # User alias specification -\& User_Alias FULLTIMERS = millert, mikef, dowdy -\& User_Alias PARTTIMERS = bostley, jwfox, crawl -\& User_Alias WEBMASTERS = will, wendy, wim -\& -\& # Runas alias specification -\& Runas_Alias OP = root, operator -\& Runas_Alias DB = oracle, sybase -\& Runas_Alias ADMINGRP = adm, oper -\& -\& # Host alias specification -\& Host_Alias SPARC = bigtime, eclipse, moet, anchor :\e -\& SGI = grolsch, dandelion, black :\e -\& ALPHA = widget, thalamus, foobar :\e -\& HPPA = boa, nag, python -\& Host_Alias CUNETS = 128.138.0.0/255.255.0.0 -\& Host_Alias CSNETS = 128.138.243.0, 128.138.204.0/24, 128.138.242.0 -\& Host_Alias SERVERS = master, mail, www, ns -\& Host_Alias CDROM = orion, perseus, hercules -\& -\& # Cmnd alias specification -\& Cmnd_Alias DUMPS = /usr/bin/mt, /usr/sbin/dump, /usr/sbin/rdump,\e -\& /usr/sbin/restore, /usr/sbin/rrestore -\& Cmnd_Alias KILL = /usr/bin/kill -\& Cmnd_Alias PRINTING = /usr/sbin/lpc, /usr/bin/lprm -\& Cmnd_Alias SHUTDOWN = /usr/sbin/shutdown -\& Cmnd_Alias HALT = /usr/sbin/halt -\& Cmnd_Alias REBOOT = /usr/sbin/reboot -\& Cmnd_Alias SHELLS = /usr/bin/sh, /usr/bin/csh, /usr/bin/ksh, \e -\& /usr/local/bin/tcsh, /usr/bin/rsh, \e -\& /usr/local/bin/zsh -\& Cmnd_Alias SU = /usr/bin/su -\& Cmnd_Alias PAGERS = /usr/bin/more, /usr/bin/pg, /usr/bin/less -.Ve +Here we override some of the compiled in default values. +We want +\fBsudo\fR +to log via +syslog(3) +using the +\fIauth\fR +facility in all cases. +We don't want to subject the full time staff to the +\fBsudo\fR +lecture, user +\fBmillert\fR +need not give a password, and we don't want to reset the +\fRLOGNAME\fR, +\fRUSER\fR +or +\fRUSERNAME\fR +environment variables when running commands as root. +Additionally, on the machines in the +\fISERVERS\fR +\fRHost_Alias\fR, +we keep an additional local log file and make sure we log the year +in each log line since the log entries will be kept around for several years. +Lastly, we disable shell escapes for the commands in the PAGERS +\fRCmnd_Alias\fR +(\fI/usr/bin/more\fR, +\fI/usr/bin/pg\fR +and +\fI/usr/bin/less\fR) +\&. +.nf +.sp +.RS 0n +# Override built-in defaults +Defaults syslog=auth +Defaults>root !set_logname +Defaults:FULLTIMERS !lecture +Defaults:millert !authenticate +Defaults@SERVERS log_year, logfile=/var/log/sudo.log +Defaults!PAGERS noexec +.RE +.fi .PP -Here we override some of the compiled in default values. We want -\&\fBsudo\fR to log via \fIsyslog\fR\|(3) using the \fIauth\fR facility in all -cases. We don't want to subject the full time staff to the \fBsudo\fR -lecture, user \fBmillert\fR need not give a password, and we don't -want to reset the \f(CW\*(C`LOGNAME\*(C'\fR, \f(CW\*(C`USER\*(C'\fR or \f(CW\*(C`USERNAME\*(C'\fR environment -variables when running commands as root. Additionally, on the -machines in the \fI\s-1SERVERS\s0\fR \f(CW\*(C`Host_Alias\*(C'\fR, we keep an additional -local log file and make sure we log the year in each log line since -the log entries will be kept around for several years. Lastly, we -disable shell escapes for the commands in the \s-1PAGERS\s0 \f(CW\*(C`Cmnd_Alias\*(C'\fR -(\fI/usr/bin/more\fR, \fI/usr/bin/pg\fR and \fI/usr/bin/less\fR). +The +\fIUser specification\fR +is the part that actually determines who may run what. +.nf +.sp +.RS 0n +root ALL = (ALL) ALL +%wheel ALL = (ALL) ALL +.RE +.fi .PP -.Vb 7 -\& # Override built\-in defaults -\& Defaults syslog=auth -\& Defaults>root !set_logname -\& Defaults:FULLTIMERS !lecture -\& Defaults:millert !authenticate -\& Defaults@SERVERS log_year, logfile=/var/log/sudo.log -\& Defaults!PAGERS noexec -.Ve +We let +\fBroot\fR +and any user in group +\fBwheel\fR +run any command on any host as any user. +.nf +.sp +.RS 0n +FULLTIMERS ALL = NOPASSWD: ALL +.RE +.fi .PP -The \fIUser specification\fR is the part that actually determines who may -run what. +Full time sysadmins +(\fBmillert\fR, +\fBmikef\fR, +and +\fBdowdy\fR) +may run any command on any host without authenticating themselves. +.nf +.sp +.RS 0n +PARTTIMERS ALL = ALL +.RE +.fi .PP -.Vb 2 -\& root ALL = (ALL) ALL -\& %wheel ALL = (ALL) ALL -.Ve +Part time sysadmins +\fBbostley\fR, +\fBjwfox\fR, +and +\fBcrawl\fR) +may run any command on any host but they must authenticate themselves +first (since the entry lacks the +\fRNOPASSWD\fR +tag). +.nf +.sp +.RS 0n +jack CSNETS = ALL +.RE +.fi .PP -We let \fBroot\fR and any user in group \fBwheel\fR run any command on any -host as any user. +The user +\fBjack\fR +may run any command on the machines in the +\fICSNETS\fR +alias (the networks +\fR128.138.243.0\fR, +\fR128.138.204.0\fR, +and +\fR128.138.242.0\fR). +Of those networks, only +\fR128.138.204.0\fR +has an explicit netmask (in CIDR notation) indicating it is a class C network. +For the other networks in +\fICSNETS\fR, +the local machine's netmask will be used during matching. +.nf +.sp +.RS 0n +lisa CUNETS = ALL +.RE +.fi .PP -.Vb 1 -\& FULLTIMERS ALL = NOPASSWD: ALL -.Ve +The user +\fBlisa\fR +may run any command on any host in the +\fICUNETS\fR +alias (the class B network +\fR128.138.0.0\fR). +.nf +.sp +.RS 0n +operator ALL = DUMPS, KILL, SHUTDOWN, HALT, REBOOT, PRINTING,\e + sudoedit /etc/printcap, /usr/oper/bin/ +.RE +.fi .PP -Full time sysadmins (\fBmillert\fR, \fBmikef\fR, and \fBdowdy\fR) may run any -command on any host without authenticating themselves. -.PP -.Vb 1 -\& PARTTIMERS ALL = ALL -.Ve -.PP -Part time sysadmins (\fBbostley\fR, \fBjwfox\fR, and \fBcrawl\fR) may run any -command on any host but they must authenticate themselves first -(since the entry lacks the \f(CW\*(C`NOPASSWD\*(C'\fR tag). -.PP -.Vb 1 -\& jack CSNETS = ALL -.Ve -.PP -The user \fBjack\fR may run any command on the machines in the \fI\s-1CSNETS\s0\fR alias -(the networks \f(CW128.138.243.0\fR, \f(CW128.138.204.0\fR, and \f(CW128.138.242.0\fR). -Of those networks, only \f(CW128.138.204.0\fR has an explicit netmask (in -\&\s-1CIDR\s0 notation) indicating it is a class C network. For the other -networks in \fI\s-1CSNETS\s0\fR, the local machine's netmask will be used -during matching. -.PP -.Vb 1 -\& lisa CUNETS = ALL -.Ve -.PP -The user \fBlisa\fR may run any command on any host in the \fI\s-1CUNETS\s0\fR alias -(the class B network \f(CW128.138.0.0\fR). -.PP -.Vb 2 -\& operator ALL = DUMPS, KILL, SHUTDOWN, HALT, REBOOT, PRINTING,\e -\& sudoedit /etc/printcap, /usr/oper/bin/ -.Ve -.PP -The \fBoperator\fR user may run commands limited to simple maintenance. +The +\fBoperator\fR +user may run commands limited to simple maintenance. Here, those are commands related to backups, killing processes, the printing system, shutting down the system, and any commands in the -directory \fI/usr/oper/bin/\fR. +directory +\fI/usr/oper/bin/\fR. +.nf +.sp +.RS 0n +joe ALL = /usr/bin/su operator +.RE +.fi .PP -.Vb 1 -\& joe ALL = /usr/bin/su operator -.Ve +The user +\fBjoe\fR +may only +su(1) +to operator. +.nf +.sp +.RS 0n +pete HPPA = /usr/bin/passwd [A-Za-z]*, !/usr/bin/passwd root + +%opers ALL = (: ADMINGRP) /usr/sbin/ +.RE +.fi .PP -The user \fBjoe\fR may only \fIsu\fR\|(1) to operator. -.PP -.Vb 1 -\& pete HPPA = /usr/bin/passwd [A\-Za\-z]*, !/usr/bin/passwd root -\& -\& %opers ALL = (: ADMINGRP) /usr/sbin/ -.Ve -.PP -Users in the \fBopers\fR group may run commands in \fI/usr/sbin/\fR as themselves -with any group in the \fI\s-1ADMINGRP\s0\fR \f(CW\*(C`Runas_Alias\*(C'\fR (the \fBadm\fR and \fBoper\fR +Users in the +\fBopers\fR +group may run commands in +\fI/usr/sbin/\fR +as themselves +with any group in the +\fIADMINGRP\fR +\fRRunas_Alias\fR +(the +\fBadm\fR +and +\fBoper\fR groups). .PP -The user \fBpete\fR is allowed to change anyone's password except for -root on the \fI\s-1HPPA\s0\fR machines. Note that this assumes \fIpasswd\fR\|(1) +The user +\fBpete\fR +is allowed to change anyone's password except for +root on the +\fIHPPA\fR +machines. +Note that this assumes +passwd(1) does not take multiple user names on the command line. +.nf +.sp +.RS 0n +bob SPARC = (OP) ALL : SGI = (OP) ALL +.RE +.fi .PP -.Vb 1 -\& bob SPARC = (OP) ALL : SGI = (OP) ALL -.Ve +The user +\fBbob\fR +may run anything on the +\fISPARC\fR +and +\fISGI\fR +machines as any user listed in the +\fIOP\fR +\fRRunas_Alias\fR +(\fBroot\fR +and +\fBoperator\fR.) +.nf +.sp +.RS 0n +jim +biglab = ALL +.RE +.fi .PP -The user \fBbob\fR may run anything on the \fI\s-1SPARC\s0\fR and \fI\s-1SGI\s0\fR machines -as any user listed in the \fI\s-1OP\s0\fR \f(CW\*(C`Runas_Alias\*(C'\fR (\fBroot\fR and \fBoperator\fR). +The user +\fBjim\fR +may run any command on machines in the +\fIbiglab\fR +netgroup. +\fBsudo\fR +knows that +``biglab'' +is a netgroup due to the +`+' +prefix. +.nf +.sp +.RS 0n ++secretaries ALL = PRINTING, /usr/bin/adduser, /usr/bin/rmuser +.RE +.fi .PP -.Vb 1 -\& jim +biglab = ALL -.Ve +Users in the +\fBsecretaries\fR +netgroup need to help manage the printers as well as add and remove users, +so they are allowed to run those commands on all machines. +.nf +.sp +.RS 0n +fred ALL = (DB) NOPASSWD: ALL +.RE +.fi .PP -The user \fBjim\fR may run any command on machines in the \fIbiglab\fR netgroup. -\&\fBsudo\fR knows that \*(L"biglab\*(R" is a netgroup due to the '+' prefix. +The user +\fBfred\fR +can run commands as any user in the +\fIDB\fR +\fRRunas_Alias\fR +(\fBoracle\fR +or +\fBsybase\fR) +without giving a password. +.nf +.sp +.RS 0n +john ALPHA = /usr/bin/su [!-]*, !/usr/bin/su *root* +.RE +.fi .PP -.Vb 1 -\& +secretaries ALL = PRINTING, /usr/bin/adduser, /usr/bin/rmuser -.Ve +On the +\fIALPHA\fR +machines, user +\fBjohn\fR +may su to anyone except root but he is not allowed to specify any options +to the +su(1) +command. +.nf +.sp +.RS 0n +jen ALL, !SERVERS = ALL +.RE +.fi .PP -Users in the \fBsecretaries\fR netgroup need to help manage the printers -as well as add and remove users, so they are allowed to run those -commands on all machines. +The user +\fBjen\fR +may run any command on any machine except for those in the +\fISERVERS\fR +\fRHost_Alias\fR +(master, mail, www and ns). +.nf +.sp +.RS 0n +jill SERVERS = /usr/bin/, !SU, !SHELLS +.RE +.fi .PP -.Vb 1 -\& fred ALL = (DB) NOPASSWD: ALL -.Ve +For any machine in the +\fISERVERS\fR +\fRHost_Alias\fR, +\fBjill\fR +may run +any commands in the directory +\fI/usr/bin/\fR +except for those commands +belonging to the +\fISU\fR +and +\fISHELLS\fR +\fRCmnd_Aliases\fR. +.nf +.sp +.RS 0n +steve CSNETS = (operator) /usr/local/op_commands/ +.RE +.fi .PP -The user \fBfred\fR can run commands as any user in the \fI\s-1DB\s0\fR \f(CW\*(C`Runas_Alias\*(C'\fR -(\fBoracle\fR or \fBsybase\fR) without giving a password. -.PP -.Vb 1 -\& john ALPHA = /usr/bin/su [!\-]*, !/usr/bin/su *root* -.Ve -.PP -On the \fI\s-1ALPHA\s0\fR machines, user \fBjohn\fR may su to anyone except root -but he is not allowed to specify any options to the \fIsu\fR\|(1) command. -.PP -.Vb 1 -\& jen ALL, !SERVERS = ALL -.Ve -.PP -The user \fBjen\fR may run any command on any machine except for those -in the \fI\s-1SERVERS\s0\fR \f(CW\*(C`Host_Alias\*(C'\fR (master, mail, www and ns). -.PP -.Vb 1 -\& jill SERVERS = /usr/bin/, !SU, !SHELLS -.Ve -.PP -For any machine in the \fI\s-1SERVERS\s0\fR \f(CW\*(C`Host_Alias\*(C'\fR, \fBjill\fR may run -any commands in the directory \fI/usr/bin/\fR except for those commands -belonging to the \fI\s-1SU\s0\fR and \fI\s-1SHELLS\s0\fR \f(CW\*(C`Cmnd_Aliases\*(C'\fR. -.PP -.Vb 1 -\& steve CSNETS = (operator) /usr/local/op_commands/ -.Ve -.PP -The user \fBsteve\fR may run any command in the directory /usr/local/op_commands/ +The user +\fBsteve\fR +may run any command in the directory /usr/local/op_commands/ but only as user operator. +.nf +.sp +.RS 0n +matt valkyrie = KILL +.RE +.fi .PP -.Vb 1 -\& matt valkyrie = KILL -.Ve +On his personal workstation, valkyrie, +\fBmatt\fR +needs to be able to kill hung processes. +.nf +.sp +.RS 0n +WEBMASTERS www = (www) ALL, (root) /usr/bin/su www +.RE +.fi .PP -On his personal workstation, valkyrie, \fBmatt\fR needs to be able to -kill hung processes. +On the host www, any user in the +\fIWEBMASTERS\fR +\fRUser_Alias\fR +(will, wendy, and wim), may run any command as user www (which owns the +web pages) or simply +su(1) +to www. +.nf +.sp +.RS 0n +ALL CDROM = NOPASSWD: /sbin/umount /CDROM,\e + /sbin/mount -o nosuid\,nodev /dev/cd0a /CDROM +.RE +.fi .PP -.Vb 1 -\& WEBMASTERS www = (www) ALL, (root) /usr/bin/su www -.Ve -.PP -On the host www, any user in the \fI\s-1WEBMASTERS\s0\fR \f(CW\*(C`User_Alias\*(C'\fR (will, -wendy, and wim), may run any command as user www (which owns the -web pages) or simply \fIsu\fR\|(1) to www. -.PP -.Vb 2 -\& ALL CDROM = NOPASSWD: /sbin/umount /CDROM,\e -\& /sbin/mount \-o nosuid\e,nodev /dev/cd0a /CDROM -.Ve -.PP -Any user may mount or unmount a CD-ROM on the machines in the \s-1CDROM\s0 -\&\f(CW\*(C`Host_Alias\*(C'\fR (orion, perseus, hercules) without entering a password. +Any user may mount or unmount a CD-ROM on the machines in the CDROM +\fRHost_Alias\fR +(orion, perseus, hercules) without entering a password. This is a bit tedious for users to type, so it is a prime candidate for encapsulating in a shell script. .SH "SECURITY NOTES" -.IX Header "SECURITY NOTES" -.SS "Limitations of the '!' operator" -.IX Subsection "Limitations of the '!' operator" -It is generally not effective to \*(L"subtract\*(R" commands from \f(CW\*(C`ALL\*(C'\fR -using the '!' operator. A user can trivially circumvent this -by copying the desired command to a different name and then -executing that. For example: +.SS "Limitations of the `!\&' operator" +It is generally not effective to +``subtract'' +commands from +\fBALL\fR +using the +`!\&' +operator. +A user can trivially circumvent this by copying the desired command +to a different name and then executing that. +For example: +.nf +.sp +.RS 0n +bill ALL = ALL, !SU, !SHELLS +.RE +.fi .PP -.Vb 1 -\& bill ALL = ALL, !SU, !SHELLS -.Ve -.PP -Doesn't really prevent \fBbill\fR from running the commands listed in -\&\fI\s-1SU\s0\fR or \fI\s-1SHELLS\s0\fR since he can simply copy those commands to a -different name, or use a shell escape from an editor or other -program. Therefore, these kind of restrictions should be considered +Doesn't really prevent +\fBbill\fR +from running the commands listed in +\fISU\fR +or +\fISHELLS\fR +since he can simply copy those commands to a different name, or use +a shell escape from an editor or other program. +Therefore, these kind of restrictions should be considered advisory at best (and reinforced by policy). .PP -In general, if a user has sudo \f(CW\*(C`ALL\*(C'\fR there is nothing to prevent -them from creating their own program that gives them a root shell -(or making their own copy of a shell) regardless of any '!' elements -in the user specification. -.SS "Security implications of \fIfast_glob\fP" -.IX Subsection "Security implications of fast_glob" -If the \fIfast_glob\fR option is in use, it is not possible -to reliably negate commands where the path name includes globbing -(aka wildcard) characters. This is because the C library's -\&\fIfnmatch\fR\|(3) function cannot resolve relative paths. While this -is typically only an inconvenience for rules that grant privileges, -it can result in a security issue for rules that subtract or revoke -privileges. +In general, if a user has sudo +\fBALL\fR +there is nothing to prevent them from creating their own program that gives +them a root shell (or making their own copy of a shell) regardless of any +`!\&' +elements in the user specification. +.SS "Security implications of \fIfast_glob\fR" +If the +\fIfast_glob\fR +option is in use, it is not possible to reliably negate commands where the +path name includes globbing (aka wildcard) characters. +This is because the C library's +fnmatch(3) +function cannot resolve relative paths. +While this is typically only an inconvenience for rules that grant privileges, +it can result in a security issue for rules that subtract or revoke privileges. .PP -For example, given the following \fIsudoers\fR entry: +For example, given the following +\fIsudoers\fR +entry: +.nf +.sp +.RS 0n +john ALL = /usr/bin/passwd [a-zA-Z0-9]*, /usr/bin/chsh [a-zA-Z0-9]*,\e + /usr/bin/chfn [a-zA-Z0-9]*, !/usr/bin/* root +.RE +.fi .PP -.Vb 2 -\& john ALL = /usr/bin/passwd [a\-zA\-Z0\-9]*, /usr/bin/chsh [a\-zA\-Z0\-9]*,\e -\& /usr/bin/chfn [a\-zA\-Z0\-9]*, !/usr/bin/* root -.Ve -.PP -User \fBjohn\fR can still run \f(CW\*(C`/usr/bin/passwd root\*(C'\fR if \fIfast_glob\fR is -enabled by changing to \fI/usr/bin\fR and running \f(CW\*(C`./passwd root\*(C'\fR instead. +User +\fBjohn\fR +can still run +\fR/usr/bin/passwd root\fR +if +\fIfast_glob\fR +is enabled by changing to +\fI/usr/bin\fR +and running +\fR./passwd root\fR +instead. .SS "Preventing Shell Escapes" -.IX Subsection "Preventing Shell Escapes" -Once \fBsudo\fR executes a program, that program is free to do whatever -it pleases, including run other programs. This can be a security -issue since it is not uncommon for a program to allow shell escapes, -which lets a user bypass \fBsudo\fR's access control and logging. +Once +\fBsudo\fR +executes a program, that program is free to do whatever +it pleases, including run other programs. +This can be a security issue since it is not uncommon for a program to +allow shell escapes, which lets a user bypass +\fBsudo\fR's +access control and logging. Common programs that permit shell escapes include shells (obviously), editors, paginators, mail and terminal programs. .PP There are two basic approaches to this problem: -.IP "restrict" 10 -.IX Item "restrict" +.TP 10n +restrict Avoid giving users access to commands that allow the user to run -arbitrary commands. Many editors have a restricted mode where shell -escapes are disabled, though \fBsudoedit\fR is a better solution to -running editors via \fBsudo\fR. Due to the large number of programs that +arbitrary commands. +Many editors have a restricted mode where shell +escapes are disabled, though +\fBsudoedit\fR +is a better solution to +running editors via +\fBsudo\fR. +Due to the large number of programs that offer shell escapes, restricting users to the set of programs that do not is often unworkable. -.IP "noexec" 10 -.IX Item "noexec" +.TP 10n +noexec Many systems that support shared libraries have the ability to override default library functions by pointing an environment -variable (usually \f(CW\*(C`LD_PRELOAD\*(C'\fR) to an alternate shared library. -On such systems, \fBsudo\fR's \fInoexec\fR functionality can be used to -prevent a program run by \fBsudo\fR from executing any other programs. +variable (usually +\fRLD_PRELOAD\fR) +to an alternate shared library. +On such systems, +\fBsudo\fR's +\fInoexec\fR +functionality can be used to prevent a program run by +\fBsudo\fR +from executing any other programs. Note, however, that this applies only to native dynamically-linked -executables. Statically-linked executables and foreign executables +executables. +Statically-linked executables and foreign executables running under binary emulation are not affected. -.Sp -The \fInoexec\fR feature is known to work on SunOS, Solaris, *BSD, -Linux, \s-1IRIX\s0, Tru64 \s-1UNIX\s0, MacOS X, HP-UX 11.x and \s-1AIX\s0 5.3 and above. +.sp +The +\fInoexec\fR +feature is known to work on SunOS, Solaris, *BSD, +Linux, IRIX, Tru64 UNIX, MacOS X, HP-UX 11.x and AIX 5.3 and above. It should be supported on most operating systems that support the -\&\f(CW\*(C`LD_PRELOAD\*(C'\fR environment variable. Check your operating system's -manual pages for the dynamic linker (usually ld.so, ld.so.1, dyld, -dld.sl, rld, or loader) to see if \f(CW\*(C`LD_PRELOAD\*(C'\fR is supported. -.Sp -On Solaris 10 and higher, \fInoexec\fR uses Solaris privileges instead -of the \f(CW\*(C`LD_PRELOAD\*(C'\fR environment variable. -.Sp -To enable \fInoexec\fR for a command, use the \f(CW\*(C`NOEXEC\*(C'\fR tag as documented -in the User Specification section above. Here is that example again: -.Sp -.Vb 1 -\& aaron shanty = NOEXEC: /usr/bin/more, /usr/bin/vi -.Ve -.Sp -This allows user \fBaaron\fR to run \fI/usr/bin/more\fR and \fI/usr/bin/vi\fR -with \fInoexec\fR enabled. This will prevent those two commands from -executing other commands (such as a shell). If you are unsure -whether or not your system is capable of supporting \fInoexec\fR you -can always just try it out and check whether shell escapes work -when \fInoexec\fR is enabled. +\fRLD_PRELOAD\fR +environment variable. +Check your operating system's manual pages for the dynamic linker +(usually ld.so, ld.so.1, dyld, dld.sl, rld, or loader) to see if +\fRLD_PRELOAD\fR +is supported. +.sp +On Solaris 10 and higher, +\fInoexec\fR +uses Solaris privileges instead of the +\fRLD_PRELOAD\fR +environment variable. +.sp +To enable +\fInoexec\fR +for a command, use the +\fRNOEXEC\fR +tag as documented +in the User Specification section above. +Here is that example again: +.nf +.sp +.RS 10n +aaron shanty = NOEXEC: /usr/bin/more, /usr/bin/vi +.RE +.fi +.RS +.sp +This allows user +\fBaaron\fR +to run +\fI/usr/bin/more\fR +and +\fI/usr/bin/vi\fR +with +\fInoexec\fR +enabled. +This will prevent those two commands from +executing other commands (such as a shell). +If you are unsure whether or not your system is capable of supporting +\fInoexec\fR +you can always just try it out and check whether shell escapes work when +\fInoexec\fR +is enabled. +.RE .PP -Note that restricting shell escapes is not a panacea. Programs -running as root are still capable of many potentially hazardous +Note that restricting shell escapes is not a panacea. +Programs running as root are still capable of many potentially hazardous operations (such as changing or overwriting files) that could lead -to unintended privilege escalation. In the specific case of an -editor, a safer approach is to give the user permission to run -\&\fBsudoedit\fR. +to unintended privilege escalation. +In the specific case of an editor, a safer approach is to give the +user permission to run +\fBsudoedit\fR. .SS "Time stamp file checks" -.IX Subsection "Time stamp file checks" -\&\fIsudoers\fR will check the ownership of its time stamp directory -(\fI@timedir@\fR by default) and ignore the directory's contents if -it is not owned by root or if it is writable by a user other than -root. On systems that allow non-root users to give away files via -\&\fIchown\fR\|(2), if the time stamp directory is located in a world-writable -directory (e.g., \fI/tmp\fR), it is possible for a user to create the -time stamp directory before \fBsudo\fR is run. However, because -\&\fIsudoers\fR checks the ownership and mode of the directory and its -contents, the only damage that can be done is to \*(L"hide\*(R" files by -putting them in the time stamp dir. This is unlikely to happen -since once the time stamp dir is owned by root and inaccessible by -any other user, the user placing files there would be unable to get -them back out. +\fIsudoers\fR +will check the ownership of its time stamp directory +(\fI@timedir@\fR +by default) +and ignore the directory's contents if it is not owned by root or +if it is writable by a user other than root. +On systems that allow non-root users to give away files via +chown(2), +if the time stamp directory is located in a world-writable +directory (e.g.\&, +\fI/tmp\fR), +it is possible for a user to create the time stamp directory before +\fBsudo\fR +is run. +However, because +\fIsudoers\fR +checks the ownership and mode of the directory and its +contents, the only damage that can be done is to +``hide'' +files by putting them in the time stamp dir. +This is unlikely to happen since once the time stamp dir is owned by root +and inaccessible by any other user, the user placing files there would be +unable to get them back out. .PP -\&\fIsudoers\fR will not honor time stamps set far in the future. Time -stamps with a date greater than current_time + 2 * \f(CW\*(C`TIMEOUT\*(C'\fR will -be ignored and sudo will log and complain. This is done to keep a -user from creating his/her own time stamp with a bogus date on -systems that allow users to give away files if the time stamp directory -is located in a world-writable directory. +\fIsudoers\fR +will not honor time stamps set far in the future. +Time stamps with a date greater than current_time + 2 * +\fRTIMEOUT\fR +will be ignored and sudo will log and complain. +This is done to keep a user from creating his/her own time stamp with a +bogus date on systems that allow users to give away files if the time +stamp directory is located in a world-writable directory. .PP -On systems where the boot time is available, \fIsudoers\fR will ignore -time stamps that date from before the machine booted. +On systems where the boot time is available, +\fIsudoers\fR +will ignore time stamps that date from before the machine booted. .PP Since time stamp files live in the file system, they can outlive a -user's login session. As a result, a user may be able to login, -run a command with \fBsudo\fR after authenticating, logout, login -again, and run \fBsudo\fR without authenticating so long as the time -stamp file's modification time is within \f(CW\*(C`@timeout@\*(C'\fR minutes (or -whatever the timeout is set to in \fIsudoers\fR). When the \fItty_tickets\fR +user's login session. +As a result, a user may be able to login, run a command with +\fBsudo\fR +after authenticating, logout, login again, and run +\fBsudo\fR +without authenticating so long as the time stamp file's modification +time is within +\fR@timeout@\fR +minutes (or whatever the timeout is set to in +\fIsudoers\fR). +When the +\fItty_tickets\fR option is enabled, the time stamp has per-tty granularity but still -may outlive the user's session. On Linux systems where the devpts -filesystem is used, Solaris systems with the devices filesystem, -as well as other systems that utilize a devfs filesystem that -monotonically increase the inode number of devices as they are -created (such as Mac \s-1OS\s0 X), \fIsudoers\fR is able to determine when a -tty-based time stamp file is stale and will ignore it. Administrators -should not rely on this feature as it is not universally available. +may outlive the user's session. +On Linux systems where the devpts filesystem is used, Solaris systems +with the devices filesystem, as well as other systems that utilize a +devfs filesystem that monotonically increase the inode number of devices +as they are created (such as Mac OS X), +\fIsudoers\fR +is able to determine when a tty-based time stamp file is stale and will +ignore it. +Administrators should not rely on this feature as it is not universally +available. .SH "SEE ALSO" -.IX Header "SEE ALSO" -\&\fIrsh\fR\|(1), \fIsu\fR\|(1), \fIfnmatch\fR\|(3), \fIglob\fR\|(3), \fImktemp\fR\|(3), \fIstrftime\fR\|(3), -\&\fIsudoers.ldap\fR\|(@mansectform@), \fIsudo_plugin\fR\|(@mansectsu@), \fIsudo\fR\|(@mansectsu@), \fIvisudo\fR\|(@mansectsu@) +rsh(1), +su(1), +fnmatch(3), +glob(3), +mktemp(3), +strftime(3), +sudoers.ldap(@mansectform@), +sudo_plugin(@mansectsu@), +sudo(@mansectsu@), +visudo(@mansectsu@) .SH "CAVEATS" -.IX Header "CAVEATS" -The \fIsudoers\fR file should \fBalways\fR be edited by the \fBvisudo\fR -command which locks the file and does grammatical checking. It is -imperative that \fIsudoers\fR be free of syntax errors since \fBsudo\fR -will not run with a syntactically incorrect \fIsudoers\fR file. +The +\fIsudoers\fR +file should +\fBalways\fR +be edited by the +\fBvisudo\fR +command which locks the file and does grammatical checking. +It is +imperative that +\fIsudoers\fR +be free of syntax errors since +\fBsudo\fR +will not run with a syntactically incorrect +\fIsudoers\fR +file. .PP When using netgroups of machines (as opposed to users), if you store fully qualified host name in the netgroup (as is usually the case), you either need to have the machine's host name be fully qualified -as returned by the \f(CW\*(C`hostname\*(C'\fR command or use the \fIfqdn\fR option in -\&\fIsudoers\fR. +as returned by the +\fRhostname\fR +command or use the +\fIfqdn\fR +option in +\fIsudoers\fR. .SH "BUGS" -.IX Header "BUGS" -If you feel you have found a bug in \fBsudo\fR, please submit a bug report -at http://www.sudo.ws/sudo/bugs/ +If you feel you have found a bug in +\fBsudo\fR, +please submit a bug report at http://www.sudo.ws/sudo/bugs/ .SH "SUPPORT" -.IX Header "SUPPORT" Limited free support is available via the sudo-users mailing list, -see http://www.sudo.ws/mailman/listinfo/sudo\-users to subscribe or +see http://www.sudo.ws/mailman/listinfo/sudo-users to subscribe or search the archives. .SH "DISCLAIMER" -.IX Header "DISCLAIMER" -\&\fBsudo\fR is provided ``\s-1AS\s0 \s-1IS\s0'' and any express or implied warranties, -including, but not limited to, the implied warranties of merchantability -and fitness for a particular purpose are disclaimed. See the \s-1LICENSE\s0 -file distributed with \fBsudo\fR or http://www.sudo.ws/sudo/license.html -for complete details. +\fBsudo\fR +is provided +``AS IS'' +and any express or implied warranties, including, but not limited +to, the implied warranties of merchantability and fitness for a +particular purpose are disclaimed. +See the LICENSE file distributed with +\fBsudo\fR +or http://www.sudo.ws/sudo/license.html for complete details. diff --git a/doc/sudoers.mdoc.in b/doc/sudoers.mdoc.in index 72425dc92..b8298e6d3 100644 --- a/doc/sudoers.mdoc.in +++ b/doc/sudoers.mdoc.in @@ -20,8 +20,8 @@ .\" Materiel Command, USAF, under agreement number F39502-99-1-0512. .\" .Dd July 16, 2012 -.Dt SUDOERS 5 -.Os +.Dt SUDOERS @mansectform@ +.Os Sudo @PACKAGE_VERSION@ .Sh NAME .Nm sudoers .Nd default sudo security policy module @@ -45,7 +45,7 @@ For information on storing .Em sudoers policy information in LDAP, please see -.Xr sudoers.ldap 5 . +.Xr sudoers.ldap @mansectform@ . .Ss Authentication and Logging The .Em sudoers @@ -1087,7 +1087,7 @@ regular expressions. .Bl -tag -width 8n .It Li * Matches any set of zero or more characters. -.It Li \? +.It Li \&? Matches any single character. .It Li [...] Matches any character in the specified range. @@ -1102,7 +1102,7 @@ evaluates to .Sq x . This is used to escape special characters such as: .Ql * , -.Ql \? , +.Ql \&? , .Ql [\& , and .Ql ]\& . @@ -1661,7 +1661,7 @@ The option may be used to control the format of the session ID. .Pp Output logs may be viewed with the -.Xr sudoreplay 8 +.Xr sudoreplay @mansectsu@ utility, which can also be used to list or search the available logs. .It log_year If set, the four-digit year will be logged in the (non-syslog) @@ -1820,7 +1820,7 @@ will only run when the user is logged in to a real tty. When this flag is set, .Nm sudo can only be run from a login session and not via other means such as -.Xr cron 8 +.Xr cron @mansectsu@ or cgi-bin scripts. This flag is .Em off @@ -2432,7 +2432,7 @@ Defaults group_plugin="sample_group.so /etc/sudo-group" .Ed .Pp For more information see -.Xr sudo_plugin 5 . +.Xr sudo_plugin @mansectform@ . .It lecture This option controls when a short lecture will be printed along with the password prompt. @@ -2783,7 +2783,7 @@ plugin is doing internally if there is a problem. This can be configured in the .Pa @sysconfdir@/sudo.conf file as described in -.Xr sudo 8 . +.Xr sudo @mansectsu@ . .Pp The .Em sudoers @@ -3451,10 +3451,10 @@ available. .Xr glob 3 , .Xr mktemp 3 , .Xr strftime 3 , -.Xr sudoers.ldap 5 , -.Xr sudo_plugin 8 , -.Xr sudo 8 , -.Xr visudo 8 +.Xr sudoers.ldap @mansectform@ , +.Xr sudo_plugin @mansectsu@ , +.Xr sudo @mansectsu@ , +.Xr visudo @mansectsu@ .Sh CAVEATS The .Em sudoers diff --git a/doc/sudoreplay.cat b/doc/sudoreplay.cat index 301a55013..59b7b48fa 100644 --- a/doc/sudoreplay.cat +++ b/doc/sudoreplay.cat @@ -1,60 +1,55 @@ -SUDOREPLAY(1m) MAINTENANCE COMMANDS SUDOREPLAY(1m) - - +SUDOREPLAY(1m) System Manager's Manual SUDOREPLAY(1m) NNAAMMEE - sudoreplay - replay sudo session logs + ssuuddoorreeppllaayy - replay sudo session logs SSYYNNOOPPSSIISS - ssuuddoorreeppllaayy [--hh] [--dd _d_i_r_e_c_t_o_r_y] [--ff _f_i_l_t_e_r] [--mm _m_a_x___w_a_i_t] - [--ss _s_p_e_e_d___f_a_c_t_o_r] ID + ssuuddoorreeppllaayy [--hh] [--dd _d_i_r_e_c_t_o_r_y] [--ff _f_i_l_t_e_r] [--mm _m_a_x___w_a_i_t] + [--ss _s_p_e_e_d___f_a_c_t_o_r] ID - ssuuddoorreeppllaayy [--hh] [--dd _d_i_r_e_c_t_o_r_y] -l [search expression] + ssuuddoorreeppllaayy [--hh] [--dd _d_i_r_e_c_t_o_r_y] --ll [search expression] DDEESSCCRRIIPPTTIIOONN - ssuuddoorreeppllaayy plays back or lists the output logs created by ssuuddoo. When - replaying, ssuuddoorreeppllaayy can play the session back in real-time, or the - playback speed may be adjusted (faster or slower) based on the command - line options. + ssuuddoorreeppllaayy plays back or lists the output logs created by ssuuddoo. When + replaying, ssuuddoorreeppllaayy can play the session back in real-time, or the + playback speed may be adjusted (faster or slower) based on the command + line options. - The _I_D should either be a six character sequence of digits and upper - case letters, e.g. 0100A5, or a pattern matching the _i_o_l_o_g___f_i_l_e option - in the _s_u_d_o_e_r_s file. When a command is run via ssuuddoo with _l_o_g___o_u_t_p_u_t - enabled in the _s_u_d_o_e_r_s file, a TSID=ID string is logged via syslog or - to the ssuuddoo log file. The _I_D may also be determined using ssuuddoorreeppllaayy's - list mode. + The _I_D should either be a six character sequence of digits and upper case + letters, e.g. 0100A5, or a pattern matching the _i_o_l_o_g___f_i_l_e option in the + _s_u_d_o_e_r_s file. When a command is run via ssuuddoo with _l_o_g___o_u_t_p_u_t enabled in + the _s_u_d_o_e_r_s file, a TSID=ID string is logged via syslog or to the ssuuddoo + log file. The _I_D may also be determined using ssuuddoorreeppllaayy's list mode. - In list mode, ssuuddoorreeppllaayy can be used to find the ID of a session based - on a number of criteria such as the user, tty or command run. + In list mode, ssuuddoorreeppllaayy can be used to find the ID of a session based on + a number of criteria such as the user, tty or command run. - In replay mode, if the standard output has not been redirected, - ssuuddoorreeppllaayy will act on the following keys: + In replay mode, if the standard output has not been redirected, + ssuuddoorreeppllaayy will act on the following keys: - ' ' (space) - Pause output; press any key to resume. + ` ' (space) Pause output; press any key to resume. - '<' Reduce the playback speed by one half. + `<' Reduce the playback speed by one half. - '>' Double the playback speed. + `>' Double the playback speed. OOPPTTIIOONNSS - ssuuddoorreeppllaayy accepts the following command line options: + ssuuddoorreeppllaayy accepts the following command line options: - -d _d_i_r_e_c_t_o_r_y - Use _d_i_r_e_c_t_o_r_y to for the session logs instead of the + --dd _d_i_r_e_c_t_o_r_y Use _d_i_r_e_c_t_o_r_y to for the session logs instead of the default, _/_v_a_r_/_l_o_g_/_s_u_d_o_-_i_o. - -f _f_i_l_t_e_r By default, ssuuddoorreeppllaayy will play back the command's - standard output, standard error and tty output. The _-_f + --ff _f_i_l_t_e_r By default, ssuuddoorreeppllaayy will play back the command's + standard output, standard error and tty output. The --ff option can be used to select which of these to output. The _f_i_l_t_e_r argument is a comma-separated list, consisting of one or more of following: _s_t_d_o_u_t, _s_t_d_e_r_r, and _t_t_y_o_u_t. - -h The --hh (_h_e_l_p) option causes ssuuddoorreeppllaayy to print a short + --hh The --hh (_h_e_l_p) option causes ssuuddoorreeppllaayy to print a short help message to the standard output and exit. - -l [_s_e_a_r_c_h _e_x_p_r_e_s_s_i_o_n] - Enable "list mode". In this mode, ssuuddoorreeppllaayy will list + --ll [_s_e_a_r_c_h _e_x_p_r_e_s_s_i_o_n] + Enable ``list mode''. In this mode, ssuuddoorreeppllaayy will list available sessions in a format similar to the ssuuddoo log file format, sorted by file name (or sequence number). If a _s_e_a_r_c_h _e_x_p_r_e_s_s_i_o_n is specified, it will be used to restrict @@ -75,7 +70,7 @@ OOPPTTIIOONNSS fromdate _d_a_t_e Evaluates to true if the command was run on or - after _d_a_t_e. See "Date and time format" for a + after _d_a_t_e. See _D_a_t_e _a_n_d _t_i_m_e _f_o_r_m_a_t for a description of supported date and time formats. group _r_u_n_a_s___g_r_o_u_p @@ -91,13 +86,13 @@ OOPPTTIIOONNSS todate _d_a_t_e Evaluates to true if the command was run on or - prior to _d_a_t_e. See "Date and time format" for a + prior to _d_a_t_e. See _D_a_t_e _a_n_d _t_i_m_e _f_o_r_m_a_t for a description of supported date and time formats. tty _t_t_y _n_a_m_e Evaluates to true if the command was run on the specified terminal device. The _t_t_y _n_a_m_e should be - specified without the _/_d_e_v_/ prefix, e.g. _t_t_y_0_1 + specified without the _/_d_e_v_/ prefix, e.g. _t_t_y_0_1 instead of _/_d_e_v_/_t_t_y_0_1. user _u_s_e_r _n_a_m_e @@ -109,21 +104,21 @@ OOPPTTIIOONNSS character). Predicates may be combined using _a_n_d, _o_r and _! operators as - well as '(' and ')' for grouping (note that parentheses - must generally be escaped from the shell). The _a_n_d - operator is optional, adjacent predicates have an implied - _a_n_d unless separated by an _o_r. + well as `(' and `)' grouping (note that parentheses must + generally be escaped from the shell). The _a_n_d operator is + optional, adjacent predicates have an implied _a_n_d unless + separated by an _o_r. - -m _m_a_x___w_a_i_t Specify an upper bound on how long to wait between key + --mm _m_a_x___w_a_i_t Specify an upper bound on how long to wait between key presses or output data. By default, ssuuddoorreeppllaayy will accurately reproduce the delays between key presses or program output. However, this can be tedious when the - session includes long pauses. When the _-_m option is + session includes long pauses. When the --mm option is specified, ssuuddoorreeppllaayy will limit these pauses to at most _m_a_x___w_a_i_t seconds. The value may be specified as a floating point number, e.g. _2_._5. - -s _s_p_e_e_d___f_a_c_t_o_r + --ss _s_p_e_e_d___f_a_c_t_o_r This option causes ssuuddoorreeppllaayy to adjust the number of seconds it will wait between key presses or program output. This can be used to slow down or speed up the display. For @@ -131,135 +126,132 @@ OOPPTTIIOONNSS fast whereas a _s_p_e_e_d___f_a_c_t_o_r of _._5 would make the output twice as slow. - -V The --VV (version) option causes ssuuddoorreeppllaayy to print its + --VV The --VV (_v_e_r_s_i_o_n) option causes ssuuddoorreeppllaayy to print its version number and exit. DDaattee aanndd ttiimmee ffoorrmmaatt - The time and date may be specified multiple ways, common formats - include: + The time and date may be specified multiple ways, common formats include: - HH:MM:SS am MM/DD/CCYY timezone - 24 hour time may be used in place of am/pm. + HH:MM:SS am MM/DD/CCYY timezone + 24 hour time may be used in place of am/pm. - HH:MM:SS am Month, Day Year timezone - 24 hour time may be used in place of am/pm, and month and day - names may be abbreviated. Note that month and day of the week - names must be specified in English. + HH:MM:SS am Month, Day Year timezone + 24 hour time may be used in place of am/pm, and month and day + names may be abbreviated. Note that month and day of the week + names must be specified in English. - CCYY-MM-DD HH:MM:SS - ISO time format + CCYY-MM-DD HH:MM:SS + ISO time format - DD Month CCYY HH:MM:SS - The month name may be abbreviated. + DD Month CCYY HH:MM:SS + The month name may be abbreviated. - Either time or date may be omitted, the am/pm and timezone are - optional. If no date is specified, the current day is assumed; if no - time is specified, the first second of the specified date is used. The - less significant parts of both time and date may also be omitted, in - which case zero is assumed. + Either time or date may be omitted, the am/pm and timezone are optional. + If no date is specified, the current day is assumed; if no time is + specified, the first second of the specified date is used. The less + significant parts of both time and date may also be omitted, in which + case zero is assumed. - The following are all valid time and date specifications: + The following are all valid time and date specifications: - now The current time and date. + now The current time and date. - tomorrow - Exactly one day from now. + tomorrow + Exactly one day from now. - yesterday - 24 hours ago. + yesterday + 24 hours ago. - 2 hours ago - 2 hours ago. + 2 hours ago + 2 hours ago. - next Friday - The first second of the next Friday. + next Friday + The first second of the next Friday. - this week - The current time but the first day of the coming week. + this week + The current time but the first day of the coming week. - a fortnight ago - The current time but 14 days ago. + a fortnight ago + The current time but 14 days ago. - 10:01 am 9/17/2009 - 10:01 am, September 17, 2009. + 10:01 am 9/17/2009 + 10:01 am, September 17, 2009. - 10:01 am - 10:01 am on the current day. + 10:01 am + 10:01 am on the current day. - 10 10:00 am on the current day. + 10 10:00 am on the current day. - 9/17/2009 - 00:00 am, September 17, 2009. + 9/17/2009 + 00:00 am, September 17, 2009. - 10:01 am Sep 17, 2009 - 10:01 am, September 17, 2009. + 10:01 am Sep 17, 2009 + 10:01 am, September 17, 2009. FFIILLEESS - _/_v_a_r_/_l_o_g_/_s_u_d_o_-_i_o The default I/O log directory. + _/_v_a_r_/_l_o_g_/_s_u_d_o_-_i_o The default I/O log directory. - _/_v_a_r_/_l_o_g_/_s_u_d_o_-_i_o_/_0_0_/_0_0_/_0_1_/_l_o_g + _/_v_a_r_/_l_o_g_/_s_u_d_o_-_i_o_/_0_0_/_0_0_/_0_1_/_l_o_g Example session log info. - _/_v_a_r_/_l_o_g_/_s_u_d_o_-_i_o_/_0_0_/_0_0_/_0_1_/_s_t_d_i_n + _/_v_a_r_/_l_o_g_/_s_u_d_o_-_i_o_/_0_0_/_0_0_/_0_1_/_s_t_d_i_n Example session standard input log. - _/_v_a_r_/_l_o_g_/_s_u_d_o_-_i_o_/_0_0_/_0_0_/_0_1_/_s_t_d_o_u_t + _/_v_a_r_/_l_o_g_/_s_u_d_o_-_i_o_/_0_0_/_0_0_/_0_1_/_s_t_d_o_u_t Example session standard output log. - _/_v_a_r_/_l_o_g_/_s_u_d_o_-_i_o_/_0_0_/_0_0_/_0_1_/_s_t_d_e_r_r + _/_v_a_r_/_l_o_g_/_s_u_d_o_-_i_o_/_0_0_/_0_0_/_0_1_/_s_t_d_e_r_r Example session standard error log. - _/_v_a_r_/_l_o_g_/_s_u_d_o_-_i_o_/_0_0_/_0_0_/_0_1_/_t_t_y_i_n + _/_v_a_r_/_l_o_g_/_s_u_d_o_-_i_o_/_0_0_/_0_0_/_0_1_/_t_t_y_i_n Example session tty input file. - _/_v_a_r_/_l_o_g_/_s_u_d_o_-_i_o_/_0_0_/_0_0_/_0_1_/_t_t_y_o_u_t + _/_v_a_r_/_l_o_g_/_s_u_d_o_-_i_o_/_0_0_/_0_0_/_0_1_/_t_t_y_o_u_t Example session tty output file. - _/_v_a_r_/_l_o_g_/_s_u_d_o_-_i_o_/_0_0_/_0_0_/_0_1_/_t_i_m_i_n_g + _/_v_a_r_/_l_o_g_/_s_u_d_o_-_i_o_/_0_0_/_0_0_/_0_1_/_t_i_m_i_n_g Example session timing file. - Note that the _s_t_d_i_n, _s_t_d_o_u_t and _s_t_d_e_r_r files will be empty unless ssuuddoo - was used as part of a pipeline for a particular command. + Note that the _s_t_d_i_n, _s_t_d_o_u_t and _s_t_d_e_r_r files will be empty unless ssuuddoo + was used as part of a pipeline for a particular command. EEXXAAMMPPLLEESS - List sessions run by user _m_i_l_l_e_r_t: + List sessions run by user _m_i_l_l_e_r_t: - # sudoreplay -l user millert + # sudoreplay -l user millert - List sessions run by user _b_o_b with a command containing the string vi: + List sessions run by user _b_o_b with a command containing the string vi: - # sudoreplay -l user bob command vi + # sudoreplay -l user bob command vi - List sessions run by user _j_e_f_f that match a regular expression: + List sessions run by user _j_e_f_f that match a regular expression: - # sudoreplay -l user jeff command '/bin/[a-z]*sh' + # sudoreplay -l user jeff command '/bin/[a-z]*sh' - List sessions run by jeff or bob on the console: + List sessions run by jeff or bob on the console: - # sudoreplay -l ( user jeff or user bob ) tty console + # sudoreplay -l ( user jeff or user bob ) tty console SSEEEE AALLSSOO - _s_u_d_o(1m), _s_c_r_i_p_t(1) + sudo(1m), script(1) AAUUTTHHOORRSS - Todd C. Miller + Todd C. Miller BBUUGGSS - If you feel you have found a bug in ssuuddoorreeppllaayy, please submit a bug - report at http://www.sudo.ws/sudo/bugs/ + If you feel you have found a bug in ssuuddoorreeppllaayy, please submit a bug + report at http://www.sudo.ws/sudo/bugs/ SSUUPPPPOORRTT - Limited free support is available via the sudo-users mailing list, see - http://www.sudo.ws/mailman/listinfo/sudo-users to subscribe or search - the archives. + Limited free support is available via the sudo-users mailing list, see + http://www.sudo.ws/mailman/listinfo/sudo-users to subscribe or search the + archives. DDIISSCCLLAAIIMMEERR - ssuuddoorreeppllaayy is provided ``AS IS'' and any express or implied warranties, - including, but not limited to, the implied warranties of - merchantability and fitness for a particular purpose are disclaimed. - See the LICENSE file distributed with ssuuddoo or - http://www.sudo.ws/sudo/license.html for complete details. + ssuuddoorreeppllaayy is provided ``AS IS'' and any express or implied warranties, + including, but not limited to, the implied warranties of merchantability + and fitness for a particular purpose are disclaimed. See the LICENSE + file distributed with ssuuddoo or http://www.sudo.ws/sudo/license.html for + complete details. - - -1.8.6 July 17, 2012 SUDOREPLAY(1m) +Sudo 1.8.6 July 12, 2012 Sudo 1.8.6 diff --git a/doc/sudoreplay.man.in b/doc/sudoreplay.man.in index 4574d951a..1addbee30 100644 --- a/doc/sudoreplay.man.in +++ b/doc/sudoreplay.man.in @@ -1,9 +1,12 @@ -.\" Copyright (c) 2009-2011 Todd C. Miller -.\" +.\" DO NOT EDIT THIS FILE, IT IS NOT THE MASTER! +.\" IT IS GENERATED AUTOMATICALLY FROM sudoreplay.mdoc.in +.\" +.\" Copyright (c) 2009-2012 Todd C. Miller +.\" .\" Permission to use, copy, modify, and distribute this software for any .\" purpose with or without fee is hereby granted, provided that the above .\" copyright notice and this permission notice appear in all copies. -.\" +.\" .\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES .\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF .\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR @@ -12,409 +15,399 @@ .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. .\" ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. -.\" -.\" Automatically generated by Pod::Man 2.23 (Pod::Simple 3.14) .\" -.\" Standard preamble: -.\" ======================================================================== -.de Sp \" Vertical space (when we can't use .PP) -.if t .sp .5v -.if n .sp -.. -.de Vb \" Begin verbatim text -.ft CW -.nf -.ne \\$1 -.. -.de Ve \" End verbatim text -.ft R -.fi -.. -.\" Set up some character translations and predefined strings. \*(-- will -.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left -.\" double quote, and \*(R" will give a right double quote. \*(C+ will -.\" give a nicer C++. Capital omega is used to do unbreakable dashes and -.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff, -.\" nothing in troff, for use with C<>. -.tr \(*W- -.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p' -.ie n \{\ -. ds -- \(*W- -. ds PI pi -. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch -. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch -. ds L" "" -. ds R" "" -. ds C` -. ds C' -'br\} -.el\{\ -. ds -- \|\(em\| -. ds PI \(*p -. ds L" `` -. ds R" '' -'br\} -.\" -.\" Escape single quotes in literal strings from groff's Unicode transform. -.ie \n(.g .ds Aq \(aq -.el .ds Aq ' -.\" -.\" If the F register is turned on, we'll generate index entries on stderr for -.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index -.\" entries marked with X<> in POD. Of course, you'll have to process the -.\" output yourself in some meaningful fashion. -.ie \nF \{\ -. de IX -. tm Index:\\$1\t\\n%\t"\\$2" -.. -. nr % 0 -. rr F -.\} -.el \{\ -. de IX -.. -.\} -.\" -.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2). -.\" Fear. Run. Save yourself. No user-serviceable parts. -. \" fudge factors for nroff and troff -.if n \{\ -. ds #H 0 -. ds #V .8m -. ds #F .3m -. ds #[ \f1 -. ds #] \fP -.\} -.if t \{\ -. ds #H ((1u-(\\\\n(.fu%2u))*.13m) -. ds #V .6m -. ds #F 0 -. ds #[ \& -. ds #] \& -.\} -. \" simple accents for nroff and troff -.if n \{\ -. ds ' \& -. ds ` \& -. ds ^ \& -. ds , \& -. ds ~ ~ -. ds / -.\} -.if t \{\ -. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u" -. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u' -. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u' -. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u' -. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u' -. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u' -.\} -. \" troff and (daisy-wheel) nroff accents -.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V' -.ds 8 \h'\*(#H'\(*b\h'-\*(#H' -.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#] -.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H' -.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u' -.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#] -.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#] -.ds ae a\h'-(\w'a'u*4/10)'e -.ds Ae A\h'-(\w'A'u*4/10)'E -. \" corrections for vroff -.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u' -.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u' -. \" for low resolution devices (crt and lpr) -.if \n(.H>23 .if \n(.V>19 \ -\{\ -. ds : e -. ds 8 ss -. ds o a -. ds d- d\h'-1'\(ga -. ds D- D\h'-1'\(hy -. ds th \o'bp' -. ds Th \o'LP' -. ds ae ae -. ds Ae AE -.\} -.rm #[ #] #H #V #F C -.\" ======================================================================== -.\" -.IX Title "SUDOREPLAY @mansectsu@" -.TH SUDOREPLAY @mansectsu@ "July 17, 2012" "1.8.6" "MAINTENANCE COMMANDS" -.\" For nroff, turn off justification. Always turn off hyphenation; it makes -.\" way too many mistakes in technical documents. -.if n .ad l -.nh +.TH "SUDOREPLAY" "@mansectsu@" "July 12, 2012" "1.8.6" "System Manager's Manual" .SH "NAME" -sudoreplay \- replay sudo session logs +\fBsudoreplay\fR +\- replay sudo session logs .SH "SYNOPSIS" -.IX Header "SYNOPSIS" -\&\fBsudoreplay\fR [\fB\-h\fR] [\fB\-d\fR\ \fIdirectory\fR] [\fB\-f\fR\ \fIfilter\fR] [\fB\-m\fR\ \fImax_wait\fR] [\fB\-s\fR\ \fIspeed_factor\fR] \s-1ID\s0 -.PP -\&\fBsudoreplay\fR [\fB\-h\fR] [\fB\-d\fR\ \fIdirectory\fR] \-l [search\ expression] +.HP 11n +\fBsudoreplay\fR +[\fB-h\fR] +[\fB-d\fR\~\fIdirectory\fR] +[\fB-f\fR\~\fIfilter\fR] +[\fB-m\fR\~\fImax_wait\fR] +[\fB-s\fR\~\fIspeed_factor\fR] +ID +.HP 11n +\fBsudoreplay\fR +[\fB-h\fR] +[\fB-d\fR\~\fIdirectory\fR] +\fB-l\fR +[search expression] .SH "DESCRIPTION" -.IX Header "DESCRIPTION" -\&\fBsudoreplay\fR plays back or lists the output logs created by \fBsudo\fR. -When replaying, \fBsudoreplay\fR can play the session back in real-time, -or the playback speed may be adjusted (faster or slower) based on -the command line options. +\fBsudoreplay\fR +plays back or lists the output logs created by +\fBsudo\fR. +When replaying, +\fBsudoreplay\fR +can play the session back in real-time, or the playback speed may be +adjusted (faster or slower) based on the command line options. .PP -The \fI\s-1ID\s0\fR should either be a six character sequence of digits and -upper case letters, e.g. \f(CW\*(C`0100A5\*(C'\fR, or a pattern matching the -\&\fIiolog_file\fR option in the \fIsudoers\fR file. When a command is run -via \fBsudo\fR with \fIlog_output\fR enabled in the \fIsudoers\fR file, a -\&\f(CW\*(C`TSID=ID\*(C'\fR string is logged via syslog or to the \fBsudo\fR log file. -The \fI\s-1ID\s0\fR may also be determined using \fBsudoreplay\fR's list mode. +The +\fIID\fR +should either be a six character sequence of digits and +upper case letters, e.g.\& +\fR0100A5\fR, +or a pattern matching the +\fIiolog_file\fR +option in the +\fIsudoers\fR +file. +When a command is run via +\fBsudo\fR +with +\fIlog_output\fR +enabled in the +\fIsudoers\fR +file, a +\fRTSID=ID\fR +string is logged via syslog or to the +\fBsudo\fR +log file. +The +\fIID\fR +may also be determined using +\fBsudoreplay\fR's +list mode. .PP -In list mode, \fBsudoreplay\fR can be used to find the \s-1ID\s0 of a session -based on a number of criteria such as the user, tty or command run. +In list mode, +\fBsudoreplay\fR +can be used to find the ID of a session based on a number of criteria +such as the user, tty or command run. .PP In replay mode, if the standard output has not been redirected, -\&\fBsudoreplay\fR will act on the following keys: -.IP "' ' (space)" 8 -.IX Item "' ' (space)" +\fBsudoreplay\fR +will act on the following keys: +.TP 14n +`\fR\ \fR' (space) Pause output; press any key to resume. -.IP "'<'" 8 +.TP 14n +`<' Reduce the playback speed by one half. -.IP "'>'" 8 +.TP 14n +`>' Double the playback speed. .SH "OPTIONS" -.IX Header "OPTIONS" -\&\fBsudoreplay\fR accepts the following command line options: -.IP "\-d \fIdirectory\fR" 12 -.IX Item "-d directory" -Use \fIdirectory\fR to for the session logs instead of the default, -\&\fI@iolog_dir@\fR. -.IP "\-f \fIfilter\fR" 12 -.IX Item "-f filter" -By default, \fBsudoreplay\fR will play back the command's standard -output, standard error and tty output. The \fI\-f\fR option can be -used to select which of these to output. The \fIfilter\fR argument -is a comma-separated list, consisting of one or more of following: -\&\fIstdout\fR, \fIstderr\fR, and \fIttyout\fR. -.IP "\-h" 12 -.IX Item "-h" -The \fB\-h\fR (\fIhelp\fR) option causes \fBsudoreplay\fR to print a short -help message to the standard output and exit. -.IP "\-l [\fIsearch expression\fR]" 12 -.IX Item "-l [search expression]" -Enable \*(L"list mode\*(R". In this mode, \fBsudoreplay\fR will list available -sessions in a format similar to the \fBsudo\fR log file format, sorted -by file name (or sequence number). If a \fIsearch expression\fR is -specified, it will be used to restrict the IDs that are displayed. +\fBsudoreplay\fR +accepts the following command line options: +.TP 14n +\fB-d\fR \fIdirectory\fR +Use +\fIdirectory\fR +to for the session logs instead of the default, +\fI@iolog_dir@\fR. +.TP 14n +\fB-f\fR \fIfilter\fR +By default, +\fBsudoreplay\fR +will play back the command's standard output, standard error and tty output. +The +\fB-f\fR +option can be used to select which of these to output. +The +\fIfilter\fR +argument is a comma-separated list, consisting of one or more of following: +\fIstdout\fR, +\fIstderr\fR, +and +\fIttyout\fR. +.TP 14n +\fB-h\fR +The +\fB-h\fR (\fIhelp\fR) +option causes +\fBsudoreplay\fR +to print a short help message to the standard output and exit. +.TP 14n +\fB-l\fR [\fIsearch expression\fR] +Enable +``list mode''. +In this mode, +\fBsudoreplay\fR +will list available sessions in a format similar to the +\fBsudo\fR +log file format, sorted by file name (or sequence number). +If a +\fIsearch expression\fR +is specified, it will be used to restrict the IDs that are displayed. An expression is composed of the following predicates: -.RS 12 -.IP "command \fIpattern\fR" 8 -.IX Item "command pattern" -Evaluates to true if the command run matches \fIpattern\fR. -On systems with \s-1POSIX\s0 regular expression support, the pattern may -be an extended regular expression. On systems without \s-1POSIX\s0 regular -expression support, a simple substring match is performed instead. -.IP "cwd \fIdirectory\fR" 8 -.IX Item "cwd directory" +.RS +.TP 8n +command \fIpattern\fR +Evaluates to true if the command run matches +\fIpattern\fR. +On systems with POSIX regular expression support, the pattern may +be an extended regular expression. +On systems without POSIX regular expression support, a simple substring +match is performed instead. +.TP 8n +cwd \fIdirectory\fR Evaluates to true if the command was run with the specified current working directory. -.IP "fromdate \fIdate\fR" 8 -.IX Item "fromdate date" -Evaluates to true if the command was run on or after \fIdate\fR. -See \*(L"Date and time format\*(R" for a description of supported -date and time formats. -.IP "group \fIrunas_group\fR" 8 -.IX Item "group runas_group" +.TP 8n +fromdate \fIdate\fR +Evaluates to true if the command was run on or after +\fIdate\fR. +See +\fIDate and time format\fR +for a description of supported date and time formats. +.TP 8n +group \fIrunas_group\fR Evaluates to true if the command was run with the specified -\&\fIrunas_group\fR. Note that unless a \fIrunas_group\fR was explicitly -specified when \fBsudo\fR was run this field will be empty in the log. -.IP "runas \fIrunas_user\fR" 8 -.IX Item "runas runas_user" -Evaluates to true if the command was run as the specified \fIrunas_user\fR. -Note that \fBsudo\fR runs commands as user \fIroot\fR by default. -.IP "todate \fIdate\fR" 8 -.IX Item "todate date" -Evaluates to true if the command was run on or prior to \fIdate\fR. -See \*(L"Date and time format\*(R" for a description of supported -date and time formats. -.IP "tty \fItty name\fR" 8 -.IX Item "tty tty name" -Evaluates to true if the command was run on the specified terminal -device. The \fItty name\fR should be specified without the \fI/dev/\fR prefix, -e.g. \fItty01\fR instead of \fI/dev/tty01\fR. -.IP "user \fIuser name\fR" 8 -.IX Item "user user name" -Evaluates to true if the \s-1ID\s0 matches a command run by \fIuser name\fR. +\fIrunas_group\fR. +Note that unless a +\fIrunas_group\fR +was explicitly specified when +\fBsudo\fR +was run this field will be empty in the log. +.TP 8n +runas \fIrunas_user\fR +Evaluates to true if the command was run as the specified +\fIrunas_user\fR. +Note that +\fBsudo\fR +runs commands as user +\fIroot\fR +by default. +.TP 8n +todate \fIdate\fR +Evaluates to true if the command was run on or prior to +\fIdate\fR. +See +\fIDate and time format\fR +for a description of supported date and time formats. +.TP 8n +tty \fItty name\fR +Evaluates to true if the command was run on the specified terminal device. +The +\fItty name\fR +should be specified without the +\fI/dev/\fR +prefix, e.g.\& +\fItty01\fR +instead of +\fI/dev/tty01\fR. +.TP 8n +user \fIuser name\fR +Evaluates to true if the ID matches a command run by +\fIuser name\fR. .RE -.RS 12 -.Sp +.RS +.PP Predicates may be abbreviated to the shortest unique string (currently all predicates may be shortened to a single character). -.Sp -Predicates may be combined using \fIand\fR, \fIor\fR and \fI!\fR operators -as well as \f(CW\*(Aq(\*(Aq\fR and \f(CW\*(Aq)\*(Aq\fR for grouping (note that parentheses -must generally be escaped from the shell). The \fIand\fR operator is -optional, adjacent predicates have an implied \fIand\fR unless separated -by an \fIor\fR. +.sp +Predicates may be combined using +\fIand\fR, +\fIor\fR +and +\fI\&!\fR +operators as well as +`\&(' +and +`\&)' +grouping (note that parentheses must generally be escaped from the shell). +The +\fIand\fR +operator is optional, adjacent predicates have an implied +\fIand\fR +unless separated by an +\fIor\fR. +.PP .RE -.IP "\-m \fImax_wait\fR" 12 -.IX Item "-m max_wait" -Specify an upper bound on how long to wait between key presses or -output data. By default, \fBsudoreplay\fR will accurately reproduce -the delays between key presses or program output. However, this -can be tedious when the session includes long pauses. When the -\&\fI\-m\fR option is specified, \fBsudoreplay\fR will limit these pauses -to at most \fImax_wait\fR seconds. The value may be specified as a -floating point number, e.g. \fI2.5\fR. -.IP "\-s \fIspeed_factor\fR" 12 -.IX Item "-s speed_factor" -This option causes \fBsudoreplay\fR to adjust the number of seconds -it will wait between key presses or program output. This can be -used to slow down or speed up the display. For example, a -\&\fIspeed_factor\fR of \fI2\fR would make the output twice as fast whereas -a \fIspeed_factor\fR of \fI.5\fR would make the output twice as slow. -.IP "\-V" 12 -.IX Item "-V" -The \fB\-V\fR (version) option causes \fBsudoreplay\fR to print its version number +.sp -1v +.TP 14n +\fB-m\fR \fImax_wait\fR +Specify an upper bound on how long to wait between key presses or output data. +By default, +\fBsudoreplay\fR +will accurately reproduce the delays between key presses or program output. +However, this can be tedious when the session includes long pauses. +When the +\fB-m\fR +option is specified, +\fBsudoreplay\fR +will limit these pauses to at most +\fImax_wait\fR +seconds. +The value may be specified as a floating point number, e.g.\& +\fI2.5\fR. +.TP 14n +\fB-s\fR \fIspeed_factor\fR +This option causes +\fBsudoreplay\fR +to adjust the number of seconds it will wait between key presses or +program output. +This can be used to slow down or speed up the display. +For example, a +\fIspeed_factor\fR +of +\fI2\fR +would make the output twice as fast whereas a +\fIspeed_factor\fR +of +\fI.5\fR +would make the output twice as slow. +.TP 14n +\fB-V\fR +The +\fB-V\fR (\fIversion\fR) +option causes +\fBsudoreplay\fR +to print its version number and exit. .SS "Date and time format" -.IX Subsection "Date and time format" The time and date may be specified multiple ways, common formats include: -.IP "\s-1HH:MM:SS\s0 am \s-1MM/DD/CCYY\s0 timezone" 8 -.IX Item "HH:MM:SS am MM/DD/CCYY timezone" +.TP 8n +HH:MM:SS am MM/DD/CCYY timezone 24 hour time may be used in place of am/pm. -.IP "\s-1HH:MM:SS\s0 am Month, Day Year timezone" 8 -.IX Item "HH:MM:SS am Month, Day Year timezone" +.TP 8n +HH:MM:SS am Month, Day Year timezone 24 hour time may be used in place of am/pm, and month and day names -may be abbreviated. Note that month and day of the week names must -be specified in English. -.IP "CCYY-MM-DD \s-1HH:MM:SS\s0" 8 -.IX Item "CCYY-MM-DD HH:MM:SS" -\&\s-1ISO\s0 time format -.IP "\s-1DD\s0 Month \s-1CCYY\s0 \s-1HH:MM:SS\s0" 8 -.IX Item "DD Month CCYY HH:MM:SS" +may be abbreviated. +Note that month and day of the week names must be specified in English. +.TP 8n +CCYY-MM-DD HH:MM:SS +ISO time format +.TP 8n +DD Month CCYY HH:MM:SS The month name may be abbreviated. .PP -Either time or date may be omitted, the am/pm and timezone are -optional. If no date is specified, the current day is assumed; if -no time is specified, the first second of the specified date is -used. The less significant parts of both time and date may also -be omitted, in which case zero is assumed. +Either time or date may be omitted, the am/pm and timezone are optional. +If no date is specified, the current day is assumed; if no time is +specified, the first second of the specified date is used. +The less significant parts of both time and date may also be omitted, +in which case zero is assumed. .PP The following are all valid time and date specifications: -.IP "now" 8 -.IX Item "now" +.TP 8n +now The current time and date. -.IP "tomorrow" 8 -.IX Item "tomorrow" +.TP 8n +tomorrow Exactly one day from now. -.IP "yesterday" 8 -.IX Item "yesterday" +.TP 8n +yesterday 24 hours ago. -.IP "2 hours ago" 8 -.IX Item "2 hours ago" +.TP 8n +2 hours ago 2 hours ago. -.IP "next Friday" 8 -.IX Item "next Friday" +.TP 8n +next Friday The first second of the next Friday. -.IP "this week" 8 -.IX Item "this week" +.TP 8n +this week The current time but the first day of the coming week. -.IP "a fortnight ago" 8 -.IX Item "a fortnight ago" +.TP 8n +a fortnight ago The current time but 14 days ago. -.IP "10:01 am 9/17/2009" 8 -.IX Item "10:01 am 9/17/2009" +.TP 8n +10:01 am 9/17/2009 10:01 am, September 17, 2009. -.IP "10:01 am" 8 -.IX Item "10:01 am" +.TP 8n +10:01 am 10:01 am on the current day. -.IP "10" 8 -.IX Item "10" +.TP 8n +10 10:00 am on the current day. -.IP "9/17/2009" 8 -.IX Item "9/17/2009" +.TP 8n +9/17/2009 00:00 am, September 17, 2009. -.IP "10:01 am Sep 17, 2009" 8 -.IX Item "10:01 am Sep 17, 2009" +.TP 8n +10:01 am Sep 17, 2009 10:01 am, September 17, 2009. .SH "FILES" -.IX Header "FILES" -.ie n .IP "\fI@iolog_dir@\fR" 24 -.el .IP "\fI@iolog_dir@\fR" 24 -.IX Item "@iolog_dir@" +.TP 26n +\fI@iolog_dir@\fR The default I/O log directory. -.ie n .IP "\fI@iolog_dir@/00/00/01/log\fR" 24 -.el .IP "\fI@iolog_dir@/00/00/01/log\fR" 24 -.IX Item "@iolog_dir@/00/00/01/log" +.TP 26n +\fI@iolog_dir@/00/00/01/log\fR Example session log info. -.ie n .IP "\fI@iolog_dir@/00/00/01/stdin\fR" 24 -.el .IP "\fI@iolog_dir@/00/00/01/stdin\fR" 24 -.IX Item "@iolog_dir@/00/00/01/stdin" +.TP 26n +\fI@iolog_dir@/00/00/01/stdin\fR Example session standard input log. -.ie n .IP "\fI@iolog_dir@/00/00/01/stdout\fR" 24 -.el .IP "\fI@iolog_dir@/00/00/01/stdout\fR" 24 -.IX Item "@iolog_dir@/00/00/01/stdout" +.TP 26n +\fI@iolog_dir@/00/00/01/stdout\fR Example session standard output log. -.ie n .IP "\fI@iolog_dir@/00/00/01/stderr\fR" 24 -.el .IP "\fI@iolog_dir@/00/00/01/stderr\fR" 24 -.IX Item "@iolog_dir@/00/00/01/stderr" +.TP 26n +\fI@iolog_dir@/00/00/01/stderr\fR Example session standard error log. -.ie n .IP "\fI@iolog_dir@/00/00/01/ttyin\fR" 24 -.el .IP "\fI@iolog_dir@/00/00/01/ttyin\fR" 24 -.IX Item "@iolog_dir@/00/00/01/ttyin" +.TP 26n +\fI@iolog_dir@/00/00/01/ttyin\fR Example session tty input file. -.ie n .IP "\fI@iolog_dir@/00/00/01/ttyout\fR" 24 -.el .IP "\fI@iolog_dir@/00/00/01/ttyout\fR" 24 -.IX Item "@iolog_dir@/00/00/01/ttyout" +.TP 26n +\fI@iolog_dir@/00/00/01/ttyout\fR Example session tty output file. -.ie n .IP "\fI@iolog_dir@/00/00/01/timing\fR" 24 -.el .IP "\fI@iolog_dir@/00/00/01/timing\fR" 24 -.IX Item "@iolog_dir@/00/00/01/timing" +.TP 26n +\fI@iolog_dir@/00/00/01/timing\fR Example session timing file. .PP -Note that the \fIstdin\fR, \fIstdout\fR and \fIstderr\fR files will be empty -unless \fBsudo\fR was used as part of a pipeline for a particular -command. +Note that the +\fIstdin\fR, +\fIstdout\fR +and +\fIstderr\fR +files will be empty unless +\fBsudo\fR +was used as part of a pipeline for a particular command. .SH "EXAMPLES" -.IX Header "EXAMPLES" -List sessions run by user \fImillert\fR: +List sessions run by user +\fImillert\fR: +.nf +.sp +.RS 6n +# sudoreplay -l user millert +.RE +.fi .PP -.Vb 1 -\& # sudoreplay \-l user millert -.Ve +List sessions run by user +\fIbob\fR +with a command containing the string vi: +.nf +.sp +.RS 6n +# sudoreplay -l user bob command vi +.RE +.fi .PP -List sessions run by user \fIbob\fR with a command containing the string vi: -.PP -.Vb 1 -\& # sudoreplay \-l user bob command vi -.Ve -.PP -List sessions run by user \fIjeff\fR that match a regular expression: -.PP -.Vb 1 -\& # sudoreplay \-l user jeff command \*(Aq/bin/[a\-z]*sh\*(Aq -.Ve +List sessions run by user +\fIjeff\fR +that match a regular expression: +.nf +.sp +.RS 6n +# sudoreplay -l user jeff command '/bin/[a-z]*sh' +.RE +.fi .PP List sessions run by jeff or bob on the console: -.PP -.Vb 1 -\& # sudoreplay \-l ( user jeff or user bob ) tty console -.Ve +.nf +.sp +.RS 6n +# sudoreplay -l ( user jeff or user bob ) tty console +.RE +.fi .SH "SEE ALSO" -.IX Header "SEE ALSO" -\&\fIsudo\fR\|(@mansectsu@), \fIscript\fR\|(1) +sudo(@mansectsu@), +script(1) .SH "AUTHORS" -.IX Header "AUTHORS" Todd C. Miller .SH "BUGS" -.IX Header "BUGS" -If you feel you have found a bug in \fBsudoreplay\fR, please submit a bug report -at http://www.sudo.ws/sudo/bugs/ +If you feel you have found a bug in +\fBsudoreplay\fR, +please submit a bug report at http://www.sudo.ws/sudo/bugs/ .SH "SUPPORT" -.IX Header "SUPPORT" Limited free support is available via the sudo-users mailing list, -see http://www.sudo.ws/mailman/listinfo/sudo\-users to subscribe or +see http://www.sudo.ws/mailman/listinfo/sudo-users to subscribe or search the archives. .SH "DISCLAIMER" -.IX Header "DISCLAIMER" -\&\fBsudoreplay\fR is provided ``\s-1AS\s0 \s-1IS\s0'' and any express or implied warranties, -including, but not limited to, the implied warranties of merchantability -and fitness for a particular purpose are disclaimed. See the \s-1LICENSE\s0 -file distributed with \fBsudo\fR or http://www.sudo.ws/sudo/license.html -for complete details. +\fBsudoreplay\fR +is provided +``AS IS'' +and any express or implied warranties, including, but not limited +to, the implied warranties of merchantability and fitness for a +particular purpose are disclaimed. +See the LICENSE file distributed with +\fBsudo\fR +or http://www.sudo.ws/sudo/license.html for complete details. diff --git a/doc/sudoreplay.mdoc.in b/doc/sudoreplay.mdoc.in index 3bb283a76..aa5c75e5e 100644 --- a/doc/sudoreplay.mdoc.in +++ b/doc/sudoreplay.mdoc.in @@ -15,8 +15,8 @@ .\" ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" .Dd July 12, 2012 -.Dt SUDOREPLAY 8 -.Os +.Dt SUDOREPLAY @mansectsu@ +.Os Sudo @PACKAGE_VERSION@ .Sh NAME .Nm sudoreplay .Nd replay sudo session logs @@ -350,7 +350,7 @@ List sessions run by jeff or bob on the console: # sudoreplay -l ( user jeff or user bob ) tty console .Ed .Sh SEE ALSO -.Xr sudo 8 , +.Xr sudo @mansectsu@ , .Xr script 1 .Sh AUTHORS Todd C. Miller diff --git a/doc/visudo.cat b/doc/visudo.cat index 38482cf4c..cf2606f98 100644 --- a/doc/visudo.cat +++ b/doc/visudo.cat @@ -1,154 +1,149 @@ -VISUDO(1m) MAINTENANCE COMMANDS VISUDO(1m) - - +VISUDO(1m) System Manager's Manual VISUDO(1m) NNAAMMEE - visudo - edit the sudoers file + vviissuuddoo - edit the sudoers file SSYYNNOOPPSSIISS - vviissuuddoo [--cchhqqssVV] [--ff _s_u_d_o_e_r_s] + vviissuuddoo [--cchhqqssVV] [--ff _s_u_d_o_e_r_s] DDEESSCCRRIIPPTTIIOONN - vviissuuddoo edits the _s_u_d_o_e_r_s file in a safe fashion, analogous to _v_i_p_w(1m). - vviissuuddoo locks the _s_u_d_o_e_r_s file against multiple simultaneous edits, - provides basic sanity checks, and checks for parse errors. If the - _s_u_d_o_e_r_s file is currently being edited you will receive a message to - try again later. + vviissuuddoo edits the _s_u_d_o_e_r_s file in a safe fashion, analogous to vipw(1m). + vviissuuddoo locks the _s_u_d_o_e_r_s file against multiple simultaneous edits, + provides basic sanity checks, and checks for parse errors. If the + _s_u_d_o_e_r_s file is currently being edited you will receive a message to try + again later. - There is a hard-coded list of one or more editors that vviissuuddoo will use - set at compile-time that may be overridden via the _e_d_i_t_o_r _s_u_d_o_e_r_s - Default variable. This list defaults to "vi". Normally, vviissuuddoo does - not honor the VISUAL or EDITOR environment variables unless they - contain an editor in the aforementioned editors list. However, if - vviissuuddoo is configured with the _-_-_w_i_t_h_-_e_n_v_-_e_d_i_t_o_r option or the - _e_n_v___e_d_i_t_o_r Default variable is set in _s_u_d_o_e_r_s, vviissuuddoo will use any the - editor defines by VISUAL or EDITOR. Note that this can be a security - hole since it allows the user to execute any program they wish simply - by setting VISUAL or EDITOR. + There is a hard-coded list of one or more editors that vviissuuddoo will use + set at compile-time that may be overridden via the _e_d_i_t_o_r _s_u_d_o_e_r_s Default + variable. This list defaults to vi. Normally, vviissuuddoo does not honor the + VISUAL or EDITOR environment variables unless they contain an editor in + the aforementioned editors list. However, if vviissuuddoo is configured with + the --with-env-editor option or the _e_n_v___e_d_i_t_o_r Default variable is set in + _s_u_d_o_e_r_s, vviissuuddoo will use any the editor defines by VISUAL or EDITOR. + Note that this can be a security hole since it allows the user to execute + any program they wish simply by setting VISUAL or EDITOR. - vviissuuddoo parses the _s_u_d_o_e_r_s file after the edit and will not save the - changes if there is a syntax error. Upon finding an error, vviissuuddoo will - print a message stating the line number(s) where the error occurred and - the user will receive the "What now?" prompt. At this point the user - may enter "e" to re-edit the _s_u_d_o_e_r_s file, "x" to exit without saving - the changes, or "Q" to quit and save changes. The "Q" option should be - used with extreme care because if vviissuuddoo believes there to be a parse - error, so will ssuuddoo and no one will be able to ssuuddoo again until the - error is fixed. If "e" is typed to edit the _s_u_d_o_e_r_s file after a - parse error has been detected, the cursor will be placed on the line - where the error occurred (if the editor supports this feature). + vviissuuddoo parses the _s_u_d_o_e_r_s file after the edit and will not save the + changes if there is a syntax error. Upon finding an error, vviissuuddoo will + print a message stating the line number(s) where the error occurred and + the user will receive the ``What now?'' prompt. At this point the user + may enter `e' to re-edit the _s_u_d_o_e_r_s file, `x' to exit without saving the + changes, or `Q' to quit and save changes. The `Q' option should be used + with extreme care because if vviissuuddoo believes there to be a parse error, + so will ssuuddoo and no one will be able to ssuuddoo again until the error is + fixed. If `e' is typed to edit the _s_u_d_o_e_r_s file after a parse error has + been detected, the cursor will be placed on the line where the error + occurred (if the editor supports this feature). OOPPTTIIOONNSS - vviissuuddoo accepts the following command line options: + vviissuuddoo accepts the following command line options: accepts the following + command line options: - -c Enable cchheecckk--oonnllyy mode. The existing _s_u_d_o_e_r_s file will be - checked for syntax errors, owner and mode. A message will - be printed to the standard output describing the status of - _s_u_d_o_e_r_s unless the --qq option was specified. If the check - completes successfully, vviissuuddoo will exit with a value of 0. - If an error is encountered, vviissuuddoo will exit with a value - of 1. + --cc Enable _c_h_e_c_k_-_o_n_l_y mode. The existing _s_u_d_o_e_r_s file will be + checked for syntax errors, owner and mode. A message will be + printed to the standard output describing the status of + _s_u_d_o_e_r_s unless the --qq option was specified. If the check + completes successfully, vviissuuddoo will exit with a value of 0. + If an error is encountered, vviissuuddoo will exit with a value of + 1. - -f _s_u_d_o_e_r_s Specify and alternate _s_u_d_o_e_r_s file location. With this - option vviissuuddoo will edit (or check) the _s_u_d_o_e_r_s file of your - choice, instead of the default, _/_e_t_c_/_s_u_d_o_e_r_s. The lock - file used is the specified _s_u_d_o_e_r_s file with ".tmp" - appended to it. In cchheecckk--oonnllyy mode only, the argument to - --ff may be "-", indicating that _s_u_d_o_e_r_s will be read from - the standard input. + --ff _s_u_d_o_e_r_s Specify and alternate _s_u_d_o_e_r_s file location. With this + option vviissuuddoo will edit (or check) the _s_u_d_o_e_r_s file of your + choice, instead of the default, _/_e_t_c_/_s_u_d_o_e_r_s. The lock file + used is the specified _s_u_d_o_e_r_s file with ``.tmp'' appended to + it. In _c_h_e_c_k_-_o_n_l_y mode only, the argument to --ff may be `-', + indicating that _s_u_d_o_e_r_s will be read from the standard input. - -h The --hh (_h_e_l_p) option causes vviissuuddoo to print a short help - message to the standard output and exit. + --hh The --hh (_h_e_l_p) option causes vviissuuddoo to print a short help + message to the standard output and exit. - -q Enable qquuiieett mode. In this mode details about syntax - errors are not printed. This option is only useful when - combined with the --cc option. + --qq Enable _q_u_i_e_t mode. In this mode details about syntax errors + are not printed. This option is only useful when combined + with the --cc option. - -s Enable ssttrriicctt checking of the _s_u_d_o_e_r_s file. If an alias is - used before it is defined, vviissuuddoo will consider this a - parse error. Note that it is not possible to differentiate - between an alias and a host name or user name that consists - solely of uppercase letters, digits, and the underscore - ('_') character. + --ss Enable _s_t_r_i_c_t checking of the _s_u_d_o_e_r_s file. If an alias is + used before it is defined, vviissuuddoo will consider this a parse + error. Note that it is not possible to differentiate between + an alias and a host name or user name that consists solely of + uppercase letters, digits, and the underscore (`_') + character. - -V The --VV (version) option causes vviissuuddoo to print its version - number and exit. + --VV The --VV (_v_e_r_s_i_o_n) option causes vviissuuddoo to print its version + number and exit. EENNVVIIRROONNMMEENNTT - The following environment variables may be consulted depending on the - value of the _e_d_i_t_o_r and _e_n_v___e_d_i_t_o_r _s_u_d_o_e_r_s variables: + The following environment variables may be consulted depending on the + value of the _e_d_i_t_o_r and _e_n_v___e_d_i_t_o_r _s_u_d_o_e_r_s settings: - VISUAL Invoked by visudo as the editor to use + VISUAL Invoked by vviissuuddoo as the editor to use - EDITOR Used by visudo if VISUAL is not set + EDITOR Used by vviissuuddoo if VISUAL is not set FFIILLEESS - _/_e_t_c_/_s_u_d_o_e_r_s List of who can run what + _/_e_t_c_/_s_u_d_o_e_r_s List of who can run what - _/_e_t_c_/_s_u_d_o_e_r_s_._t_m_p Lock file for visudo + _/_e_t_c_/_s_u_d_o_e_r_s_._t_m_p Lock file for visudo DDIIAAGGNNOOSSTTIICCSS - sudoers file busy, try again later. + sudoers file busy, try again later. Someone else is currently editing the _s_u_d_o_e_r_s file. - /etc/sudoers.tmp: Permission denied + /etc/sudoers.tmp: Permission denied You didn't run vviissuuddoo as root. - Can't find you in the passwd database + Can't find you in the passwd database Your user ID does not appear in the system passwd file. - Warning: {User,Runas,Host,Cmnd}_Alias referenced but not defined + Warning: {User,Runas,Host,Cmnd}_Alias referenced but not defined Either you are trying to use an undeclared {User,Runas,Host,Cmnd}_Alias or you have a user or host name listed that consists solely of uppercase letters, digits, and the - underscore ('_') character. In the latter case, you can ignore the + underscore (`_') character. In the latter case, you can ignore the warnings (ssuuddoo will not complain). In --ss (strict) mode these are errors, not warnings. - Warning: unused {User,Runas,Host,Cmnd}_Alias + Warning: unused {User,Runas,Host,Cmnd}_Alias The specified {User,Runas,Host,Cmnd}_Alias was defined but never used. You may wish to comment out or remove the unused alias. In --ss (strict) mode this is an error, not a warning. - Warning: cycle in {User,Runas,Host,Cmnd}_Alias + Warning: cycle in {User,Runas,Host,Cmnd}_Alias The specified {User,Runas,Host,Cmnd}_Alias includes a reference to itself, either directly or through an alias it includes. This is only a warning by default as ssuuddoo will ignore cycles when parsing the _s_u_d_o_e_r_s file. SSEEEE AALLSSOO - _v_i(1), _s_u_d_o_e_r_s(4), _s_u_d_o(1m), _v_i_p_w(1m) + vi(1), sudoers(4), sudo(1m), vipw(1m) AAUUTTHHOORRSS - Many people have worked on ssuuddoo over the years; this version of vviissuuddoo - was written by: + Many people have worked on ssuuddoo over the years; this version consists of + code written primarily by: - Todd C. Miller + Todd C. Miller - See the CONTRIBUTORS file in the ssuuddoo distribution - (http://www.sudo.ws/sudo/contributors.html) for an exhaustive list of - people who have contributed to ssuuddoo. + See the CONTRIBUTORS file in the ssuuddoo distribution + (http://www.sudo.ws/sudo/contributors.html) for an exhaustive list of + people who have contributed to ssuuddoo. CCAAVVEEAATTSS - There is no easy way to prevent a user from gaining a root shell if the - editor used by vviissuuddoo allows shell escapes. + There is no easy way to prevent a user from gaining a root shell if the + editor used by vviissuuddoo allows shell escapes. BBUUGGSS - If you feel you have found a bug in vviissuuddoo, please submit a bug report - at http://www.sudo.ws/sudo/bugs/ + If you feel you have found a bug in vviissuuddoo, please submit a bug report at + http://www.sudo.ws/sudo/bugs/ SSUUPPPPOORRTT - Limited free support is available via the sudo-users mailing list, see - http://www.sudo.ws/mailman/listinfo/sudo-users to subscribe or search - the archives. + Limited free support is available via the sudo-users mailing list, see + http://www.sudo.ws/mailman/listinfo/sudo-users to subscribe or search the + archives. DDIISSCCLLAAIIMMEERR - vviissuuddoo is provided ``AS IS'' and any express or implied warranties, - including, but not limited to, the implied warranties of - merchantability and fitness for a particular purpose are disclaimed. - See the LICENSE file distributed with ssuuddoo or - http://www.sudo.ws/sudo/license.html for complete details. + vviissuuddoo is provided ``AS IS'' and any express or implied warranties, + including, but not limited to, the implied warranties of merchantability + and fitness for a particular purpose are disclaimed. See the LICENSE + file distributed with ssuuddoo or http://www.sudo.ws/sudo/license.html for + complete details. - - -1.8.6 July 13, 2012 VISUDO(1m) +Sudo 1.8.6 July 12, 2012 Sudo 1.8.6 diff --git a/doc/visudo.man.in b/doc/visudo.man.in index c4d1a1654..6f1d2c23d 100644 --- a/doc/visudo.man.in +++ b/doc/visudo.man.in @@ -1,10 +1,13 @@ +.\" DO NOT EDIT THIS FILE, IT IS NOT THE MASTER! +.\" IT IS GENERATED AUTOMATICALLY FROM visudo.mdoc.in +.\" .\" Copyright (c) 1996,1998-2005, 2007-2012 -.\" Todd C. Miller -.\" +.\" Todd C. Miller +.\" .\" Permission to use, copy, modify, and distribute this software for any .\" purpose with or without fee is hereby granted, provided that the above .\" copyright notice and this permission notice appear in all copies. -.\" +.\" .\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES .\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF .\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR @@ -13,302 +16,311 @@ .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. .\" ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. -.\" +.\" .\" Sponsored in part by the Defense Advanced Research Projects .\" Agency (DARPA) and Air Force Research Laboratory, Air Force .\" Materiel Command, USAF, under agreement number F39502-99-1-0512. -.\" -.\" Automatically generated by Pod::Man 2.23 (Pod::Simple 3.14) .\" -.\" Standard preamble: -.\" ======================================================================== -.de Sp \" Vertical space (when we can't use .PP) -.if t .sp .5v -.if n .sp -.. -.de Vb \" Begin verbatim text -.ft CW -.nf -.ne \\$1 -.. -.de Ve \" End verbatim text -.ft R -.fi -.. -.\" Set up some character translations and predefined strings. \*(-- will -.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left -.\" double quote, and \*(R" will give a right double quote. \*(C+ will -.\" give a nicer C++. Capital omega is used to do unbreakable dashes and -.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff, -.\" nothing in troff, for use with C<>. -.tr \(*W- -.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p' -.ie n \{\ -. ds -- \(*W- -. ds PI pi -. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch -. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch -. ds L" "" -. ds R" "" -. ds C` -. ds C' -'br\} -.el\{\ -. ds -- \|\(em\| -. ds PI \(*p -. ds L" `` -. ds R" '' -'br\} -.\" -.\" Escape single quotes in literal strings from groff's Unicode transform. -.ie \n(.g .ds Aq \(aq -.el .ds Aq ' -.\" -.\" If the F register is turned on, we'll generate index entries on stderr for -.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index -.\" entries marked with X<> in POD. Of course, you'll have to process the -.\" output yourself in some meaningful fashion. -.ie \nF \{\ -. de IX -. tm Index:\\$1\t\\n%\t"\\$2" -.. -. nr % 0 -. rr F -.\} -.el \{\ -. de IX -.. -.\} -.\" -.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2). -.\" Fear. Run. Save yourself. No user-serviceable parts. -. \" fudge factors for nroff and troff -.if n \{\ -. ds #H 0 -. ds #V .8m -. ds #F .3m -. ds #[ \f1 -. ds #] \fP -.\} -.if t \{\ -. ds #H ((1u-(\\\\n(.fu%2u))*.13m) -. ds #V .6m -. ds #F 0 -. ds #[ \& -. ds #] \& -.\} -. \" simple accents for nroff and troff -.if n \{\ -. ds ' \& -. ds ` \& -. ds ^ \& -. ds , \& -. ds ~ ~ -. ds / -.\} -.if t \{\ -. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u" -. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u' -. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u' -. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u' -. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u' -. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u' -.\} -. \" troff and (daisy-wheel) nroff accents -.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V' -.ds 8 \h'\*(#H'\(*b\h'-\*(#H' -.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#] -.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H' -.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u' -.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#] -.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#] -.ds ae a\h'-(\w'a'u*4/10)'e -.ds Ae A\h'-(\w'A'u*4/10)'E -. \" corrections for vroff -.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u' -.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u' -. \" for low resolution devices (crt and lpr) -.if \n(.H>23 .if \n(.V>19 \ -\{\ -. ds : e -. ds 8 ss -. ds o a -. ds d- d\h'-1'\(ga -. ds D- D\h'-1'\(hy -. ds th \o'bp' -. ds Th \o'LP' -. ds ae ae -. ds Ae AE -.\} -.rm #[ #] #H #V #F C -.\" ======================================================================== -.\" -.IX Title "VISUDO @mansectsu@" -.TH VISUDO @mansectsu@ "July 13, 2012" "1.8.6" "MAINTENANCE COMMANDS" -.\" For nroff, turn off justification. Always turn off hyphenation; it makes -.\" way too many mistakes in technical documents. -.if n .ad l -.nh +.TH "VISUDO" "@mansectsu@" "July 12, 2012" "1.8.6" "System Manager's Manual" .SH "NAME" -visudo \- edit the sudoers file +\fBvisudo\fR +\- edit the sudoers file .SH "SYNOPSIS" -.IX Header "SYNOPSIS" -\&\fBvisudo\fR [\fB\-chqsV\fR] [\fB\-f\fR \fIsudoers\fR] +.HP 7n +\fBvisudo\fR +[\fB-chqsV\fR] +[\fB-f\fR\~\fIsudoers\fR] .SH "DESCRIPTION" -.IX Header "DESCRIPTION" -\&\fBvisudo\fR edits the \fIsudoers\fR file in a safe fashion, analogous to -\&\fIvipw\fR\|(@mansectsu@). \fBvisudo\fR locks the \fIsudoers\fR file against multiple -simultaneous edits, provides basic sanity checks, and checks -for parse errors. If the \fIsudoers\fR file is currently being -edited you will receive a message to try again later. +\fBvisudo\fR +edits the +\fIsudoers\fR +file in a safe fashion, analogous to +vipw(@mansectsu@). +\fBvisudo\fR +locks the +\fIsudoers\fR +file against multiple simultaneous edits, provides basic sanity checks, +and checks for parse errors. +If the +\fIsudoers\fR +file is currently being edited you will receive a message to try again later. .PP -There is a hard-coded list of one or more editors that \fBvisudo\fR will -use set at compile-time that may be overridden via the \fIeditor\fR \fIsudoers\fR -\&\f(CW\*(C`Default\*(C'\fR variable. This list defaults to \f(CW"@editor@"\fR. Normally, -\&\fBvisudo\fR does not honor the \f(CW\*(C`VISUAL\*(C'\fR or \f(CW\*(C`EDITOR\*(C'\fR environment -variables unless they contain an editor in the aforementioned editors -list. However, if \fBvisudo\fR is configured with the \fI\-\-with\-env\-editor\fR -option or the \fIenv_editor\fR \f(CW\*(C`Default\*(C'\fR variable is set in \fIsudoers\fR, -\&\fBvisudo\fR will use any the editor defines by \f(CW\*(C`VISUAL\*(C'\fR or \f(CW\*(C`EDITOR\*(C'\fR. +There is a hard-coded list of one or more editors that +\fBvisudo\fR +will use set at compile-time that may be overridden via the +\fIeditor\fR +\fIsudoers\fR +\fRDefault\fR +variable. +This list defaults to +\fR@editor@\fR. +Normally, +\fBvisudo\fR +does not honor the +\fRVISUAL\fR +or +\fREDITOR\fR +environment variables unless they contain an editor in the aforementioned +editors list. +However, if +\fBvisudo\fR +is configured with the +\fR--with-env-editor\fR +option or the +\fIenv_editor\fR +\fRDefault\fR +variable is set in +\fIsudoers\fR, +\fBvisudo\fR +will use any the editor defines by +\fRVISUAL\fR +or +\fREDITOR\fR. Note that this can be a security hole since it allows the user to -execute any program they wish simply by setting \f(CW\*(C`VISUAL\*(C'\fR or \f(CW\*(C`EDITOR\*(C'\fR. +execute any program they wish simply by setting +\fRVISUAL\fR +or +\fREDITOR\fR. .PP -\&\fBvisudo\fR parses the \fIsudoers\fR file after the edit and will -not save the changes if there is a syntax error. Upon finding -an error, \fBvisudo\fR will print a message stating the line number(s) +\fBvisudo\fR +parses the +\fIsudoers\fR +file after the edit and will +not save the changes if there is a syntax error. +Upon finding an error, +\fBvisudo\fR +will print a message stating the line number(s) where the error occurred and the user will receive the -\&\*(L"What now?\*(R" prompt. At this point the user may enter \*(L"e\*(R" -to re-edit the \fIsudoers\fR file, \*(L"x\*(R" to exit without -saving the changes, or \*(L"Q\*(R" to quit and save changes. The -\&\*(L"Q\*(R" option should be used with extreme care because if \fBvisudo\fR -believes there to be a parse error, so will \fBsudo\fR and no one -will be able to \fBsudo\fR again until the error is fixed. -If \*(L"e\*(R" is typed to edit the \fIsudoers\fR file after a parse error -has been detected, the cursor will be placed on the line where the -error occurred (if the editor supports this feature). +``What now?'' +prompt. +At this point the user may enter +`e' +to re-edit the +\fIsudoers\fR +file, +`x' +to exit without saving the changes, or +`Q' +to quit and save changes. +The +`Q' +option should be used with extreme care because if +\fBvisudo\fR +believes there to be a parse error, so will +\fBsudo\fR +and no one +will be able to +\fBsudo\fR +again until the error is fixed. +If +`e' +is typed to edit the +\fIsudoers\fR +file after a parse error has been detected, the cursor will be placed on +the line where the error occurred (if the editor supports this feature). .SH "OPTIONS" -.IX Header "OPTIONS" -\&\fBvisudo\fR accepts the following command line options: -.IP "\-c" 12 -.IX Item "-c" -Enable \fBcheck-only\fR mode. The existing \fIsudoers\fR file will be -checked for syntax errors, owner and mode. A message will be printed -to the standard output describing the status of \fIsudoers\fR unless -the \fB\-q\fR option was specified. If the check completes successfully, -\&\fBvisudo\fR will exit with a value of 0. If an error is encountered, -\&\fBvisudo\fR will exit with a value of 1. -.IP "\-f \fIsudoers\fR" 12 -.IX Item "-f sudoers" -Specify and alternate \fIsudoers\fR file location. With this option -\&\fBvisudo\fR will edit (or check) the \fIsudoers\fR file of your choice, -instead of the default, \fI@sysconfdir@/sudoers\fR. The lock file used -is the specified \fIsudoers\fR file with \*(L".tmp\*(R" appended to it. -In \fBcheck-only\fR mode only, the argument to \fB\-f\fR may be \*(L"\-\*(R", -indicating that \fIsudoers\fR will be read from the standard input. -.IP "\-h" 12 -.IX Item "-h" -The \fB\-h\fR (\fIhelp\fR) option causes \fBvisudo\fR to print a short help message +\fBvisudo\fR +accepts the following command line options: +accepts the following command line options: +.TP 12n +\fB-c\fR +Enable +\fIcheck-only\fR +mode. +The existing +\fIsudoers\fR +file will be +checked for syntax errors, owner and mode. +A message will be printed to the standard output describing the status of +\fIsudoers\fR +unless the +\fB-q\fR +option was specified. +If the check completes successfully, +\fBvisudo\fR +will exit with a value of 0. +If an error is encountered, +\fBvisudo\fR +will exit with a value of 1. +.TP 12n +\fB-f\fR \fIsudoers\fR +Specify and alternate +\fIsudoers\fR +file location. +With this option +\fBvisudo\fR +will edit (or check) the +\fIsudoers\fR +file of your choice, +instead of the default, +\fI@sysconfdir@/sudoers\fR. +The lock file used is the specified +\fIsudoers\fR +file with +``\.tmp'' +appended to it. +In +\fIcheck-only\fR +mode only, the argument to +\fB-f\fR +may be +`-', +indicating that +\fIsudoers\fR +will be read from the standard input. +.TP 12n +\fB-h\fR +The +\fB-h\fR (\fIhelp\fR) +option causes +\fBvisudo\fR +to print a short help message to the standard output and exit. -.IP "\-q" 12 -.IX Item "-q" -Enable \fBquiet\fR mode. In this mode details about syntax errors -are not printed. This option is only useful when combined with -the \fB\-c\fR option. -.IP "\-s" 12 -.IX Item "-s" -Enable \fBstrict\fR checking of the \fIsudoers\fR file. If an alias is -used before it is defined, \fBvisudo\fR will consider this a parse -error. Note that it is not possible to differentiate between an +.TP 12n +\fB-q\fR +Enable +\fIquiet\fR +mode. +In this mode details about syntax errors are not printed. +This option is only useful when combined with +the +\fB-c\fR +option. +.TP 12n +\fB-s\fR +Enable +\fIstrict\fR +checking of the +\fIsudoers\fR +file. +If an alias is used before it is defined, +\fBvisudo\fR +will consider this a parse error. +Note that it is not possible to differentiate between an alias and a host name or user name that consists solely of uppercase -letters, digits, and the underscore ('_') character. -.IP "\-V" 12 -.IX Item "-V" -The \fB\-V\fR (version) option causes \fBvisudo\fR to print its version number +letters, digits, and the underscore +(`_') +character. +.TP 12n +\fB-V\fR +The +\fB-V\fR (\fIversion\fR) +option causes +\fBvisudo\fR +to print its version number and exit. .SH "ENVIRONMENT" -.IX Header "ENVIRONMENT" The following environment variables may be consulted depending on -the value of the \fIeditor\fR and \fIenv_editor\fR \fIsudoers\fR variables: -.ie n .IP "\*(C`VISUAL\*(C'" 16 -.el .IP "\f(CW\*(C`VISUAL\*(C'\fR" 16 -.IX Item "VISUAL" -Invoked by visudo as the editor to use -.ie n .IP "\*(C`EDITOR\*(C'" 16 -.el .IP "\f(CW\*(C`EDITOR\*(C'\fR" 16 -.IX Item "EDITOR" -Used by visudo if \s-1VISUAL\s0 is not set +the value of the +\fIeditor\fR +and +\fIenv_editor\fR +\fIsudoers\fR +settings: +.TP 17n +\fRVISUAL\fR +Invoked by +\fBvisudo\fR +as the editor to use +.TP 17n +\fREDITOR\fR +Used by +\fBvisudo\fR +if +\fRVISUAL\fR +is not set .SH "FILES" -.IX Header "FILES" -.ie n .IP "\fI@sysconfdir@/sudoers\fR" 24 -.el .IP "\fI@sysconfdir@/sudoers\fR" 24 -.IX Item "@sysconfdir@/sudoers" +.TP 26n +\fI@sysconfdir@/sudoers\fR List of who can run what -.ie n .IP "\fI@sysconfdir@/sudoers.tmp\fR" 24 -.el .IP "\fI@sysconfdir@/sudoers.tmp\fR" 24 -.IX Item "@sysconfdir@/sudoers.tmp" +.TP 26n +\fI@sysconfdir@/sudoers.tmp\fR Lock file for visudo .SH "DIAGNOSTICS" -.IX Header "DIAGNOSTICS" -.IP "sudoers file busy, try again later." 4 -.IX Item "sudoers file busy, try again later." -Someone else is currently editing the \fIsudoers\fR file. -.ie n .IP "@sysconfdir@/sudoers.tmp: Permission denied" 4 -.el .IP "\f(CW@sysconfdir\fR@/sudoers.tmp: Permission denied" 4 -.IX Item "@sysconfdir@/sudoers.tmp: Permission denied" -You didn't run \fBvisudo\fR as root. -.IP "Can't find you in the passwd database" 4 -.IX Item "Can't find you in the passwd database" -Your user \s-1ID\s0 does not appear in the system passwd file. -.IP "Warning: {User,Runas,Host,Cmnd}_Alias referenced but not defined" 4 -.IX Item "Warning: {User,Runas,Host,Cmnd}_Alias referenced but not defined" +.TP 6n +\fRsudoers file busy, try again later.\fR +Someone else is currently editing the +\fIsudoers\fR +file. +.TP 6n +\fR@sysconfdir@/sudoers.tmp: Permission denied\fR +You didn't run +\fBvisudo\fR +as root. +.TP 6n +\fRCan't find you in the passwd database\fR +Your user ID does not appear in the system passwd file. +.TP 6n +\fRWarning: {User,Runas,Host,Cmnd}_Alias referenced but not defined\fR Either you are trying to use an undeclared {User,Runas,Host,Cmnd}_Alias or you have a user or host name listed that consists solely of -uppercase letters, digits, and the underscore ('_') character. In -the latter case, you can ignore the warnings (\fBsudo\fR will not -complain). In \fB\-s\fR (strict) mode these are errors, not warnings. -.IP "Warning: unused {User,Runas,Host,Cmnd}_Alias" 4 -.IX Item "Warning: unused {User,Runas,Host,Cmnd}_Alias" +uppercase letters, digits, and the underscore +(`_') +character. +In the latter case, you can ignore the warnings +(\fBsudo\fR +will not complain) +\&. +In +\fB-s\fR +(strict) mode these are errors, not warnings. +.TP 6n +\fRWarning: unused {User,Runas,Host,Cmnd}_Alias\fR The specified {User,Runas,Host,Cmnd}_Alias was defined but never -used. You may wish to comment out or remove the unused alias. In -\&\fB\-s\fR (strict) mode this is an error, not a warning. -.IP "Warning: cycle in {User,Runas,Host,Cmnd}_Alias" 4 -.IX Item "Warning: cycle in {User,Runas,Host,Cmnd}_Alias" +used. +You may wish to comment out or remove the unused alias. +In +\fB-s\fR +(strict) mode this is an error, not a warning. +.TP 6n +\fRWarning: cycle in {User,Runas,Host,Cmnd}_Alias\fR The specified {User,Runas,Host,Cmnd}_Alias includes a reference to -itself, either directly or through an alias it includes. This is -only a warning by default as \fBsudo\fR will ignore cycles when parsing -the \fIsudoers\fR file. +itself, either directly or through an alias it includes. +This is only a warning by default as +\fBsudo\fR +will ignore cycles when parsing +the +\fIsudoers\fR +file. .SH "SEE ALSO" -.IX Header "SEE ALSO" -\&\fIvi\fR\|(1), \fIsudoers\fR\|(@mansectform@), \fIsudo\fR\|(@mansectsu@), \fIvipw\fR\|(@mansectsu@) +vi(1), +sudoers(@mansectform@), +sudo(@mansectsu@), +vipw(@mansectsu@) .SH "AUTHORS" -.IX Header "AUTHORS" -Many people have worked on \fBsudo\fR over the years; this version of -\&\fBvisudo\fR was written by: +Many people have worked on +\fBsudo\fR +over the years; this version consists of code written primarily by: +.sp +.RS 6n +Todd C. Miller +.RE .PP -.Vb 1 -\& Todd C. Miller -.Ve -.PP -See the \s-1CONTRIBUTORS\s0 file in the \fBsudo\fR distribution -(http://www.sudo.ws/sudo/contributors.html) for an exhaustive list of people -who have contributed to \fBsudo\fR. +See the CONTRIBUTORS file in the +\fBsudo\fR +distribution (http://www.sudo.ws/sudo/contributors.html) for an +exhaustive list of people who have contributed to +\fBsudo\fR. .SH "CAVEATS" -.IX Header "CAVEATS" -There is no easy way to prevent a user from gaining a root shell if -the editor used by \fBvisudo\fR allows shell escapes. +There is no easy way to prevent a user from gaining a root shell if +the editor used by +\fBvisudo\fR +allows shell escapes. .SH "BUGS" -.IX Header "BUGS" -If you feel you have found a bug in \fBvisudo\fR, please submit a bug report -at http://www.sudo.ws/sudo/bugs/ +If you feel you have found a bug in +\fBvisudo\fR, +please submit a bug report at http://www.sudo.ws/sudo/bugs/ .SH "SUPPORT" -.IX Header "SUPPORT" Limited free support is available via the sudo-users mailing list, -see http://www.sudo.ws/mailman/listinfo/sudo\-users to subscribe or +see http://www.sudo.ws/mailman/listinfo/sudo-users to subscribe or search the archives. .SH "DISCLAIMER" -.IX Header "DISCLAIMER" -\&\fBvisudo\fR is provided ``\s-1AS\s0 \s-1IS\s0'' and any express or implied warranties, -including, but not limited to, the implied warranties of merchantability -and fitness for a particular purpose are disclaimed. See the \s-1LICENSE\s0 -file distributed with \fBsudo\fR or http://www.sudo.ws/sudo/license.html -for complete details. +\fBvisudo\fR +is provided +``AS IS'' +and any express or implied warranties, including, but not limited +to, the implied warranties of merchantability and fitness for a +particular purpose are disclaimed. +See the LICENSE file distributed with +\fBsudo\fR +or http://www.sudo.ws/sudo/license.html for complete details. diff --git a/doc/visudo.mdoc.in b/doc/visudo.mdoc.in index 7efa0a2c1..6b38a8d32 100644 --- a/doc/visudo.mdoc.in +++ b/doc/visudo.mdoc.in @@ -20,8 +20,8 @@ .\" Materiel Command, USAF, under agreement number F39502-99-1-0512. .\" .Dd July 12, 2012 -.Dt VISUDO 8 -.Os +.Dt VISUDO @mansectsu@ +.Os Sudo @PACKAGE_VERSION@ .Sh NAME .Nm visudo .Nd edit the sudoers file @@ -36,7 +36,7 @@ edits the .Em sudoers file in a safe fashion, analogous to -.Xr vipw 8 . +.Xr vipw @mansectsu@ . .Nm visudo locks the .Em sudoers @@ -278,9 +278,9 @@ file. .El .Sh SEE ALSO .Xr vi 1 , -.Xr sudoers 5 , -.Xr sudo 8 , -.Xr vipw 8 +.Xr sudoers @mansectform@ , +.Xr sudo @mansectsu@ , +.Xr vipw @mansectsu@ .Sh AUTHORS Many people have worked on .Nm sudo