diff --git a/doc/sudo_logsrvd.conf.man.in b/doc/sudo_logsrvd.conf.man.in index 848751ae6..28a076cd3 100644 --- a/doc/sudo_logsrvd.conf.man.in +++ b/doc/sudo_logsrvd.conf.man.in @@ -221,7 +221,7 @@ clients will authenticate the server by verifying its certificate and identity. If false, no verification is performed of the server certificate by the server or the client. -If using self-signed certificates without a certificate authority, +When using self-signed certificates without a certificate authority, this setting should be set to false. The default value is true. .SS "iolog" diff --git a/doc/sudo_plugin.man.in b/doc/sudo_plugin.man.in index 3af5162ff..dccae741d 100644 --- a/doc/sudo_plugin.man.in +++ b/doc/sudo_plugin.man.in @@ -2,7 +2,7 @@ .\" .\" SPDX-License-Identifier: ISC .\" -.\" Copyright (c) 2009-2019 Todd C. Miller +.\" Copyright (c) 2009-2020 Todd C. Miller .\" .\" Permission to use, copy, modify, and distribute this software for any .\" purpose with or without fee is hereby granted, provided that the above @@ -16,7 +16,7 @@ .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. .\" -.TH "SUDO_PLUGIN" "5" "December 5, 2019" "Sudo @PACKAGE_VERSION@" "File Formats Manual" +.TH "SUDO_PLUGIN" "5" "February 2, 2020" "Sudo @PACKAGE_VERSION@" "File Formats Manual" .nh .if n .ad l .SH "NAME" @@ -73,17 +73,19 @@ struct policy_plugin { int (*open)(unsigned int version, sudo_conv_t conversation, sudo_printf_t plugin_printf, char * const settings[], char * const user_info[], char * const user_env[], - char * const plugin_options[]); + char * const plugin_options[], const char **errstr); void (*close)(int exit_status, int error); - int (*show_version)(int verbose); + int (*show_version)(int verbose, const char **errstr); int (*check_policy)(int argc, char * const argv[], char *env_add[], char **command_info[], - char **argv_out[], char **user_env_out[]); + char **argv_out[], char **user_env_out[], + const char **errstr); int (*list)(int argc, char * const argv[], int verbose, - const char *list_user); - int (*validate)(void); + const char *list_user, const char **errstr); + int (*validate)(const char **errstr); void (*invalidate)(int remove); - int (*init_session)(struct passwd *pwd, char **user_env[]); + int (*init_session)(struct passwd *pwd, char **user_env[], + const char **errstr); void (*register_hooks)(int version, int (*register_hook)(struct sudo_hook *hook)); void (*deregister_hooks)(int version, @@ -117,7 +119,7 @@ open int (*open)(unsigned int version, sudo_conv_t conversation, sudo_printf_t plugin_printf, char * const settings[], char * const user_info[], char * const user_env[], - char * const plugin_options[]); + char * const plugin_options[], const char **errstr); .RE .fi .RS 6n @@ -497,33 +499,6 @@ The process ID of the running process. Only available starting with API version 1.2. .TP 6n -plugin_options -Any (non-comment) strings immediately after the plugin path are -passed as arguments to the plugin. -These arguments are split on a white space boundary and are passed to -the plugin in the form of a -\fRNULL\fR-terminated -array of strings. -If no arguments were -specified, -\fIplugin_options\fR -will be the -\fRNULL\fR -pointer. -.sp -NOTE: the -\fIplugin_options\fR -parameter is only available starting with -API version 1.2. -A plugin -\fBmust\fR -check the API version specified -by the -\fBsudo\fR -front end before using -\fIplugin_options\fR. -Failure to do so may result in a crash. -.TP 6n ppid=int The parent process ID of the running \fBsudo\fR @@ -585,6 +560,55 @@ field will never include one itself but the \fIvalue\fR might. +.TP 6n +plugin_options +Any (non-comment) strings immediately after the plugin path are +passed as arguments to the plugin. +These arguments are split on a white space boundary and are passed to +the plugin in the form of a +\fRNULL\fR-terminated +array of strings. +If no arguments were +specified, +\fIplugin_options\fR +will be the +\fRNULL\fR +pointer. +.sp +NOTE: the +\fIplugin_options\fR +parameter is only available starting with +API version 1.2. +A plugin +\fBmust\fR +check the API version specified +by the +\fBsudo\fR +front end before using +\fIplugin_options\fR. +Failure to do so may result in a crash. +.TP 6n +errstr +If the +\fBopen\fR() +function returns a value other than 1, the plugin may +store a message describing the failure or error in +\fIerrstr\fR. +The +\fBsudo\fR +front end will then pass this value to any registered audit plugins. +.sp +NOTE: the +\fIerrstr\fR +parameter is only available starting with +API version 1.15. +A plugin +\fBmust\fR +check the API version specified by the +\fBsudo\fR +front end before using +\fIerrstr\fR. +Failure to do so may result in a crash. .PD 0 .PP .RE @@ -664,7 +688,7 @@ it as a child process. show_version .nf .RS 6n -int (*show_version)(int verbose); +int (*show_version)(int verbose, const char **errstr); .RE .fi .RS 6n @@ -683,19 +707,51 @@ or \fBplugin_printf\fR() function using \fRSUDO_CONV_INFO_MSG\fR. -If the user requests detailed version information, the verbose flag will be set. .sp Returns 1 on success, 0 on failure, \-1 if a general error occurred, or \-2 if there was a usage error, although the return value is currently ignored. +.sp +The function arguments are as follows: +.TP 6n +verbose +If the user requests detailed version information, the +\fIverbose\fR +flag will be set to 1. +.TP 6n +errstr +If the +\fBshow_version\fR() +function returns a value other than 1, the plugin may +store a message describing the failure or error in +\fIerrstr\fR. +The +\fBsudo\fR +front end will then pass this value to any registered audit plugins. +.sp +NOTE: the +\fIerrstr\fR +parameter is only available starting with +API version 1.15. +A plugin +\fBmust\fR +check the API version specified by the +\fBsudo\fR +front end before using +\fIerrstr\fR. +Failure to do so may result in a crash. +.PD 0 +.PP .RE +.PD .TP 6n check_policy .nf .RS 6n int (*check_policy)(int argc, char * const argv[], char *env_add[], char **command_info[], - char **argv_out[], char **user_env_out[]); + char **argv_out[], char **user_env_out[], + const char **errstr); .RE .fi .RS 6n @@ -1137,6 +1193,28 @@ The \fRNULL\fR-terminated environment vector to use when executing the command. The plugin is responsible for allocating and populating the vector. +.TP 6n +errstr +If the +\fBcheck_policy\fR() +function returns a value other than 1, the plugin may +store a message describing the failure or error in +\fIerrstr\fR. +The +\fBsudo\fR +front end will then pass this value to any registered audit plugins. +.sp +NOTE: the +\fIerrstr\fR +parameter is only available starting with +API version 1.15. +A plugin +\fBmust\fR +check the API version specified by the +\fBsudo\fR +front end before using +\fIerrstr\fR. +Failure to do so may result in a crash. .PD 0 .PP .RE @@ -1146,7 +1224,7 @@ list .nf .RS 6n int (*list)(int argc, char * const argv[], - int verbose, const char *list_user); + int verbose, const char *list_user, const char **errstr); .RE .fi .RS 6n @@ -1198,6 +1276,28 @@ allows it. If \fRNULL\fR, the plugin should list the privileges of the invoking user. +.TP 6n +errstr +If the +\fBlist\fR() +function returns a value other than 1, the plugin may +store a message describing the failure or error in +\fIerrstr\fR. +The +\fBsudo\fR +front end will then pass this value to any registered audit plugins. +.sp +NOTE: the +\fIerrstr\fR +parameter is only available starting with +API version 1.15. +A plugin +\fBmust\fR +check the API version specified by the +\fBsudo\fR +front end before using +\fIerrstr\fR. +Failure to do so may result in a crash. .PD 0 .PP .RE @@ -1206,7 +1306,7 @@ the plugin should list the privileges of the invoking user. validate .nf .RS 6n -int (*validate)(void); +int (*validate)(const char **errstr); .RE .fi .RS 6n @@ -1239,7 +1339,34 @@ function with \fRSUDO_CONF_ERROR_MSG\fR to present additional error information to the user. +.sp +The function arguments are as follows: +.TP 6n +errstr +If the +\fBvalidate\fR() +function returns a value other than 1, the plugin may +store a message describing the failure or error in +\fIerrstr\fR. +The +\fBsudo\fR +front end will then pass this value to any registered audit plugins. +.sp +NOTE: the +\fIerrstr\fR +parameter is only available starting with +API version 1.15. +A plugin +\fBmust\fR +check the API version specified by the +\fBsudo\fR +front end before using +\fIerrstr\fR. +Failure to do so may result in a crash. +.PD 0 +.PP .RE +.PD .TP 6n invalidate .nf @@ -1253,8 +1380,7 @@ The \fBinvalidate\fR() function is called when \fBsudo\fR -is called with -the +is run with the \fB\-k\fR or \fB\-K\fR @@ -1495,6 +1621,28 @@ version 1.15 or higher, \fBevent_alloc\fR() will not be set. .RE +.TP 6n +errstr +If the +\fBinit_session\fR() +function returns a value other than 1, the plugin may +store a message describing the failure or error in +\fIerrstr\fR. +The +\fBsudo\fR +front end will then pass this value to any registered audit plugins. +.sp +NOTE: the +\fIerrstr\fR +parameter is only available starting with +API version 1.15. +A plugin +\fBmust\fR +check the API version specified by the +\fBsudo\fR +front end before using +\fIerrstr\fR. +Failure to do so may result in a crash. .PP \fIPolicy Plugin Version Macros\fR .nf @@ -1529,20 +1677,26 @@ struct io_plugin { sudo_printf_t plugin_printf, char * const settings[], char * const user_info[], char * const command_info[], int argc, char * const argv[], char * const user_env[], - char * const plugin_options[]); + char * const plugin_options[], const char **errstr); void (*close)(int exit_status, int error); /* wait status or error */ - int (*show_version)(int verbose); - int (*log_ttyin)(const char *buf, unsigned int len); - int (*log_ttyout)(const char *buf, unsigned int len); - int (*log_stdin)(const char *buf, unsigned int len); - int (*log_stdout)(const char *buf, unsigned int len); - int (*log_stderr)(const char *buf, unsigned int len); + int (*show_version)(int verbose, const char **errstr); + int (*log_ttyin)(const char *buf, unsigned int len, + const char **errstr); + int (*log_ttyout)(const char *buf, unsigned int len, + const char **errstr); + int (*log_stdin)(const char *buf, unsigned int len, + const char **errstr); + int (*log_stdout)(const char *buf, unsigned int len, + const char **errstr); + int (*log_stderr)(const char *buf, unsigned int len, + const char **errstr); void (*register_hooks)(int version, int (*register_hook)(struct sudo_hook *hook)); void (*deregister_hooks)(int version, int (*deregister_hook)(struct sudo_hook *hook)); - int (*change_winsize)(unsigned int lines, unsigned int cols); - int (*log_suspend)(int signo); + int (*change_winsize)(unsigned int lines, unsigned int cols, + const char **errstr); + int (*log_suspend)(int signo, const char **errstr); struct sudo_plugin_event * (*event_alloc)(void); }; .RE @@ -1748,6 +1902,31 @@ See the \fIPolicy plugin API\fR section for a list of all possible strings. .TP 6n +command_info +A vector of information describing the command being run in the form of +\(lqname=value\(rq +strings. +The vector is terminated by a +\fRNULL\fR +pointer. +.sp +When parsing +\fIcommand_info\fR, +the plugin should split on the +\fBfirst\fR +equal sign +(\(oq=\(cq) +since the +\fIname\fR +field will never include one +itself but the +\fIvalue\fR +might. +.sp +See the +\fIPolicy plugin API\fR +section for a list of all possible strings. +.TP 6n argc The number of elements in \fIargv\fR, @@ -1812,6 +1991,28 @@ by the front end before using \fIplugin_options\fR. Failure to do so may result in a crash. +.TP 6n +errstr +If the +\fBopen\fR() +function returns a value other than 1, the plugin may +store a message describing the failure or error in +\fIerrstr\fR. +The +\fBsudo\fR +front end will then pass this value to any registered audit plugins. +.sp +NOTE: the +\fIerrstr\fR +parameter is only available starting with +API version 1.15. +A plugin +\fBmust\fR +check the API version specified by the +\fBsudo\fR +front end before using +\fIerrstr\fR. +Failure to do so may result in a crash. .PD 0 .PP .RE @@ -1831,11 +2032,6 @@ The function is called when \fBsudo\fR is finished, shortly before it exits. -Starting with API version 1.15, -\fBclose\fR() -is called regardless of whether or not a command was actually executed. -This makes it possible for plugins to perform cleanup even when a -command was not run. .sp The function arguments are as follows: .TP 6n @@ -1886,17 +2082,49 @@ or \fBplugin_printf\fR() function using \fRSUDO_CONV_INFO_MSG\fR. -If the user requests detailed version information, the verbose flag will be set. .sp Returns 1 on success, 0 on failure, \-1 if a general error occurred, or \-2 if there was a usage error, although the return value is currently ignored. +.sp +The function arguments are as follows: +.TP 6n +verbose +If the user requests detailed version information, the +\fIverbose\fR +flag will be set to 1. +.TP 6n +errstr +If the +\fBshow_version\fR() +function returns a value other than 1, the plugin may +store a message describing the failure or error in +\fIerrstr\fR. +The +\fBsudo\fR +front end will then pass this value to any registered audit plugins. +.sp +NOTE: the +\fIerrstr\fR +parameter is only available starting with +API version 1.15. +A plugin +\fBmust\fR +check the API version specified by the +\fBsudo\fR +front end before using +\fIerrstr\fR. +Failure to do so may result in a crash. +.PD 0 +.PP .RE +.PD .TP 6n log_ttyin .nf .RS 6n -int (*log_ttyin)(const char *buf, unsigned int len); +int (*log_ttyin)(const char *buf, unsigned int len, + const char **errstr); .RE .fi .RS 6n @@ -1920,6 +2148,28 @@ len The length of \fIbuf\fR in bytes. +.TP 6n +errstr +If the +\fBlog_ttyin\fR() +function returns a value other than 1, the plugin may +store a message describing the failure or error in +\fIerrstr\fR. +The +\fBsudo\fR +front end will then pass this value to any registered audit plugins. +.sp +NOTE: the +\fIerrstr\fR +parameter is only available starting with +API version 1.15. +A plugin +\fBmust\fR +check the API version specified by the +\fBsudo\fR +front end before using +\fIerrstr\fR. +Failure to do so may result in a crash. .PD 0 .PP .RE @@ -1928,7 +2178,8 @@ in bytes. log_ttyout .nf .RS 6n -int (*log_ttyout)(const char *buf, unsigned int len); +int (*log_ttyout)(const char *buf, unsigned int len, + const char **errstr); .RE .fi .RS 6n @@ -1951,6 +2202,28 @@ len The length of \fIbuf\fR in bytes. +.TP 6n +errstr +If the +\fBlog_ttyout\fR() +function returns a value other than 1, the plugin may +store a message describing the failure or error in +\fIerrstr\fR. +The +\fBsudo\fR +front end will then pass this value to any registered audit plugins. +.sp +NOTE: the +\fIerrstr\fR +parameter is only available starting with +API version 1.15. +A plugin +\fBmust\fR +check the API version specified by the +\fBsudo\fR +front end before using +\fIerrstr\fR. +Failure to do so may result in a crash. .PD 0 .PP .RE @@ -1959,7 +2232,8 @@ in bytes. log_stdin .nf .RS 6n -int (*log_stdin)(const char *buf, unsigned int len); +int (*log_stdin)(const char *buf, unsigned int len, + const char **errstr); .RE .fi .RS 6n @@ -1984,6 +2258,28 @@ len The length of \fIbuf\fR in bytes. +.TP 6n +errstr +If the +\fBlog_stdin\fR() +function returns a value other than 1, the plugin may +store a message describing the failure or error in +\fIerrstr\fR. +The +\fBsudo\fR +front end will then pass this value to any registered audit plugins. +.sp +NOTE: the +\fIerrstr\fR +parameter is only available starting with +API version 1.15. +A plugin +\fBmust\fR +check the API version specified by the +\fBsudo\fR +front end before using +\fIerrstr\fR. +Failure to do so may result in a crash. .PD 0 .PP .RE @@ -1992,7 +2288,8 @@ in bytes. log_stdout .nf .RS 6n -int (*log_stdout)(const char *buf, unsigned int len); +int (*log_stdout)(const char *buf, unsigned int len, + const char **errstr); .RE .fi .RS 6n @@ -2017,6 +2314,28 @@ len The length of \fIbuf\fR in bytes. +.TP 6n +errstr +If the +\fBlog_stdout\fR() +function returns a value other than 1, the plugin may +store a message describing the failure or error in +\fIerrstr\fR. +The +\fBsudo\fR +front end will then pass this value to any registered audit plugins. +.sp +NOTE: the +\fIerrstr\fR +parameter is only available starting with +API version 1.15. +A plugin +\fBmust\fR +check the API version specified by the +\fBsudo\fR +front end before using +\fIerrstr\fR. +Failure to do so may result in a crash. .PD 0 .PP .RE @@ -2025,7 +2344,8 @@ in bytes. log_stderr .nf .RS 6n -int (*log_stderr)(const char *buf, unsigned int len); +int (*log_stderr)(const char *buf, unsigned int len, + const char **errstr); .RE .fi .RS 6n @@ -2050,6 +2370,28 @@ len The length of \fIbuf\fR in bytes. +.TP 6n +errstr +If the +\fBlog_stderr\fR() +function returns a value other than 1, the plugin may +store a message describing the failure or error in +\fIerrstr\fR. +The +\fBsudo\fR +front end will then pass this value to any registered audit plugins. +.sp +NOTE: the +\fIerrstr\fR +parameter is only available starting with +API version 1.15. +A plugin +\fBmust\fR +check the API version specified by the +\fBsudo\fR +front end before using +\fIerrstr\fR. +Failure to do so may result in a crash. .PD 0 .PP .RE @@ -2070,7 +2412,8 @@ section for a description of change_winsize .nf .RS 6n -int (*change_winsize)(unsigned int lines, unsigned int cols); +int (*change_winsize)(unsigned int lines, unsigned int cols, + const char **errstr); .RE .fi .RS 6n @@ -2084,12 +2427,46 @@ list. Returns \-1 if an error occurred, in which case no further calls to \fBchange_winsize\fR() will be made, +.sp +The function arguments are as follows: +.TP 6n +lines +.br +The number of lines (rows) in the resized terminal. +.TP 6n +cols +The number of columns in the resized terminal. +.TP 6n +errstr +If the +\fBchange_winsize\fR() +function returns a value other than 1, the plugin may +store a message describing the failure or error in +\fIerrstr\fR. +The +\fBsudo\fR +front end will then pass this value to any registered audit plugins. +.sp +NOTE: the +\fIerrstr\fR +parameter is only available starting with +API version 1.15. +A plugin +\fBmust\fR +check the API version specified by the +\fBsudo\fR +front end before using +\fIerrstr\fR. +Failure to do so may result in a crash. +.PD 0 +.PP .RE +.PD .TP 6n log_suspend .nf .RS 6n -int (*log_suspend)(int signo); +int (*log_suspend)(int signo, const char **errstr); .RE .fi .RS 6n @@ -2097,17 +2474,41 @@ int (*log_suspend)(int signo); The \fBlog_suspend\fR() function is called whenever a command is suspended or resumed. -The -\fIsigno\fR -argument is either the signal that caused the command to be suspended or -\fRSIGCONT\fR -if the command was resumed. Logging this information makes it possible to skip the period of time when the command was suspended during playback of a session. Returns \-1 if an error occurred, in which case no further calls to \fBlog_suspend\fR() will be made, -.RE +.sp +The function arguments are as follows: +.TP 6n +signo +.br +The signal that caused the command to be suspended, or +\fRSIGCONT\fR +if the command was resumed. +.TP 6n +errstr +If the +\fBlog_suspend\fR() +function returns a value other than 1, the plugin may +store a message describing the failure or error in +\fIerrstr\fR. +The +\fBsudo\fR +front end will then pass this value to any registered audit plugins. +.sp +NOTE: the +\fIerrstr\fR +parameter is only available starting with +API version 1.15. +A plugin +\fBmust\fR +check the API version specified by the +\fBsudo\fR +front end before using +\fIerrstr\fR. +Failure to do so may result in a crash. .TP 6n event_alloc .nf @@ -2148,9 +2549,608 @@ will not be set. .RE .PP \fII/O Plugin Version Macros\fR -.PP +.sp Same as for the \fIPolicy plugin API\fR. +.RE +.SS "Audit plugin API" +.nf +.RS 0n +/* Audit plugin close function status types. */ +#define SUDO_PLUGIN_NO_STATUS 0 +#define SUDO_PLUGIN_WAIT_STATUS 1 +#define SUDO_PLUGIN_EXEC_ERROR 2 +#define SUDO_PLUGIN_SUDO_ERROR 3 + +#define SUDO_AUDIT_PLUGIN 3 +struct audit_plugin { + unsigned int type; /* always SUDO_AUDIT_PLUGIN */ + unsigned int version; /* always SUDO_API_VERSION */ + int (*open)(unsigned int version, sudo_conv_t conversation, + sudo_printf_t sudo_printf, char * const settings[], + char * const user_info[], int submit_optind, + char * const submit_argv[], char * const submit_envp[], + char * const plugin_options[], const char **errstr); + void (*close)(int status_type, int status); + int (*accept)(const char *plugin_name, + unsigned int plugin_type, char * const command_info[], + char * const run_argv[], char * const run_envp[], + const char **errstr); + int (*reject)(const char *plugin_name, unsigned int plugin_type, + const char *audit_msg, char * const command_info[], + const char **errstr); + int (*error)(const char *plugin_name, unsigned int plugin_type, + const char *audit_msg, char * const command_info[], + const char **errstr); + int (*show_version)(int verbose); + void (*register_hooks)(int version, + int (*register_hook)(struct sudo_hook *hook)); + void (*deregister_hooks)(int version, + int (*deregister_hook)(struct sudo_hook *hook)); +} +.RE +.fi +.PP +An audit plugin can be used to log successful and unsuccessful attempts +to run +\fBsudo\fR +independent of the policy or any I/O plugins. +Multiple audit plugins may be specified in +sudo.conf(@mansectform@). +.PP +The io_plugin struct has the following fields: +.TP 6n +type +The +\fRtype\fR +field should always be set to +\fRSUDO_AUDIT_PLUGIN\fR. +.TP 6n +version +The +\fRversion\fR +field should be set to +\fRSUDO_API_VERSION\fR. +.sp +This allows +\fBsudo\fR +to determine the API version the plugin was +built against. +.TP 6n +open +.nf +.RS 6n +int (*open)(unsigned int version, sudo_conv_t conversation, + sudo_printf_t sudo_printf, char * const settings[], + char * const user_info[], int submit_optind, + char * const submit_argv[], char * const submit_envp[], + char * const plugin_options[], const char **errstr); +.RE +.fi +.RS 6n +.sp +The audit +\fBopen\fR() +function is run before any other +\fBsudo\fR +plugin API functions. +This makes it possible to audit failures in the other plugins. +It returns 1 on success, 0 on failure, \-1 if a general error occurred, +or \-2 if there was a usage error. +In the latter case, +\fBsudo\fR +will print a usage message before it exits. +If an error occurs, the plugin may optionally call the +\fBconversation\fR() +or +\fBplugin_printf\fR() +function with +\fRSUDO_CONF_ERROR_MSG\fR +to present +additional error information to the user. +.sp +The function arguments are as follows: +.TP 6n +version +The version passed in by +\fBsudo\fR +allows the plugin to determine the +major and minor version number of the plugin API supported by +\fBsudo\fR. +.TP 6n +conversation +A pointer to the +\fBconversation\fR() +function that may be used by the +\fBshow_version\fR() +function to display version information (see +\fBshow_version\fR() +below). +The +\fBconversation\fR() +function may also be used to display additional error message to the user. +The +\fBconversation\fR() +function returns 0 on success and \-1 on failure. +.TP 6n +plugin_printf +A pointer to a +\fBprintf\fR()-style +function that may be used by the +\fBshow_version\fR() +function to display version information (see +show_version below). +The +\fBplugin_printf\fR() +function may also be used to display additional error message to the user. +The +\fBplugin_printf\fR() +function returns number of characters printed on success and \-1 on failure. +.TP 6n +settings +A vector of user-supplied +\fBsudo\fR +settings in the form of +\(lqname=value\(rq +strings. +The vector is terminated by a +\fRNULL\fR +pointer. +These settings correspond to options the user specified when running +\fBsudo\fR. +As such, they will only be present when the corresponding option has +been specified on the command line. +.sp +When parsing +\fIsettings\fR, +the plugin should split on the +\fBfirst\fR +equal sign +(\(oq=\(cq) +since the +\fIname\fR +field will never include one +itself but the +\fIvalue\fR +might. +.sp +See the +\fIPolicy plugin API\fR +section for a list of all possible settings. +.TP 6n +user_info +A vector of information about the user running the command in the form of +\(lqname=value\(rq +strings. +The vector is terminated by a +\fRNULL\fR +pointer. +.sp +When parsing +\fIuser_info\fR, +the plugin should split on the +\fBfirst\fR +equal sign +(\(oq=\(cq) +since the +\fIname\fR +field will never include one +itself but the +\fIvalue\fR +might. +.sp +See the +\fIPolicy plugin API\fR +section for a list of all possible strings. +.TP 6n +submit_optind +The index into +\fIsubmit_argv\fR +that corresponds to the first entry that is not a command line option. +If +\fIsubmit_argv\fR +only consists of options, which may be the case with the +\fB\-l\fR +or +\fB\-v\fR +options, +\fRsubmit_argv[submit_optind]\fR +will evaluate to the NULL pointer. +.TP 6n +submit_argv +The argument vector +\fBsudo\fR +was invoked with, including all command line options. +The +\fIsubmit_optind\fR +argument can be used to determine the end of the command line options. +.TP 6n +submit_envp +The invoking user's environment in the form of a +\fRNULL\fR-terminated +vector of +\(lqname=value\(rq +strings. +.sp +When parsing +\fIsubmit_envp\fR, +the plugin should split on the +\fBfirst\fR +equal sign +(\(oq=\(cq) +since the +\fIname\fR +field will never include one +itself but the +\fIvalue\fR +might. +.TP 6n +plugin_options +Any (non-comment) strings immediately after the plugin path are +treated as arguments to the plugin. +These arguments are split on a white space boundary and are passed to +the plugin in the form of a +\fRNULL\fR-terminated +array of strings. +If no arguments were specified, +\fIplugin_options\fR +will be the +\fRNULL\fR +pointer. +.TP 6n +errstr +If the +\fBopen\fR() +function returns a value other than 1, the plugin may +store a message describing the failure or error in +\fIerrstr\fR. +The +\fBsudo\fR +front end will then pass this value to any registered audit plugins. +.PD 0 +.PP +.RE +.PD +.TP 6n +close +.br +.nf +.RS 6n +void (*close)(int status_type, int status); +.RE +.fi +.RS 6n +.sp +The +\fBclose\fR() +function is called when +\fBsudo\fR +is finished, shortly before it exits. +.sp +The function arguments are as follows: +.TP 6n +status_type +The type of status being passed. +One of +\fRSUDO_PLUGIN_NO_STATUS\fR, +\fRSUDO_PLUGIN_WAIT_STATUS\fR, +\fRSUDO_PLUGIN_EXEC_ERROR\fR +or +\fRSUDO_PLUGIN_SUDO_ERROR\fR. +.TP 6n +status +Depending on the value of +\fIstatus_type\fR, +this value is either +ignored, the command's exit status as returned by the +wait(2) +system call, the value of +\fRerrno\fR +set by the +execve(2) +system call, or the value of +\fRerrno\fR +resulting from an error in the +\fBsudo\fR +front end. +.PD 0 +.PP +.RE +.PD +.TP 6n +accept +.nf +.RS 6n +int (*accept)(const char *plugin_name, unsigned int plugin_type, + char * const command_info[], char * const run_argv[], + char * const run_envp[], const char **errstr); +.RE +.fi +.RS 6n +.sp +The +\fBaccept\fR() +function is called when a command or action is accepted by the policy +plugin. +The function arguments are as follows: +.TP 6n +plugin_name +The name of the plugin that accepted the command. +.TP 6n +plugin_type +The type of plugin that accepted the command, currently always +\fRSUDO_POLICY_PLUGIN\fR. +.TP 6n +command_info +A vector of information describing the command being run in the form of +\(lqname=value\(rq +strings. +The vector is terminated by a +\fRNULL\fR +pointer. +.sp +When parsing +\fIcommand_info\fR, +the plugin should split on the +\fBfirst\fR +equal sign +(\(oq=\(cq) +since the +\fIname\fR +field will never include one +itself but the +\fIvalue\fR +might. +.sp +See the +\fIPolicy plugin API\fR +section for a list of all possible strings. +.TP 6n +run_argv +A +\fRNULL\fR-terminated +argument vector describing a command that will be run in the +same form as what would be passed to the +execve(2) +system call. +.TP 6n +run_envp +The environment the command will be run with in the form of a +\fRNULL\fR-terminated +vector of +\(lqname=value\(rq +strings. +.sp +When parsing +\fIrun_envp\fR, +the plugin should split on the +\fBfirst\fR +equal sign +(\(oq=\(cq) +since the +\fIname\fR +field will never include one +itself but the +\fIvalue\fR +might. +.TP 6n +errstr +If the +\fBaccept\fR() +function returns a value other than 1, the plugin may +store a message describing the failure or error in +\fIerrstr\fR. +The +\fBsudo\fR +front end will then pass this value to any registered audit plugins. +.PD 0 +.PP +.RE +.PD +.TP 6n +reject +.nf +.RS 6n +int (*reject)(const char *plugin_name, unsigned int plugin_type, + const char *audit_msg, char * const command_info[], + const char **errstr); +.RE +.fi +.RS 6n +.sp +The +\fBreject\fR() +function is called when a command or action is rejected by a plugin. +The function arguments are as follows: +.TP 6n +plugin_name +The name of the plugin that accepted the command. +.TP 6n +plugin_type +The type of plugin that accepted the command, currently either +\fRSUDO_POLICY_PLUGIN\fR +or +\fRSUDO_IO_PLUGIN\fR. +.TP 6n +audit_msg +An optional string describing the reason the command was rejected +by the plugin. +If the plugin did not provide a reason, +\fIaudit_msg\fR +will be the +\fRNULL\fR +pointer. +.TP 6n +command_info +A vector of information describing the command being run in the form of +\(lqname=value\(rq +strings. +The vector is terminated by a +\fRNULL\fR +pointer. +.sp +When parsing +\fIcommand_info\fR, +the plugin should split on the +\fBfirst\fR +equal sign +(\(oq=\(cq) +since the +\fIname\fR +field will never include one +itself but the +\fIvalue\fR +might. +.sp +See the +\fIPolicy plugin API\fR +section for a list of all possible strings. +.TP 6n +errstr +If the +\fBreject\fR() +function returns a value other than 1, the plugin may +store a message describing the failure or error in +\fIerrstr\fR. +The +\fBsudo\fR +front end will then pass this value to any registered audit plugins. +.PD 0 +.PP +.RE +.PD +.TP 6n +error +.br +.nf +.RS 6n +int (*error)(const char *plugin_name, unsigned int plugin_type, + const char *audit_msg, char * const command_info[], + const char **errstr); +.RE +.fi +.RS 6n +.sp +The +\fBerror\fR() +function is called when a plugin returns an error. +The function arguments are as follows: +.TP 6n +plugin_name +The name of the plugin that accepted the command. +.TP 6n +plugin_type +The type of plugin that accepted the command, currently either +\fRSUDO_POLICY_PLUGIN\fR +or +\fRSUDO_IO_PLUGIN\fR. +.TP 6n +audit_msg +An optional string describing the plugin error. +If the plugin did not provide a description, +\fIaudit_msg\fR +will be the +\fRNULL\fR +pointer. +.TP 6n +command_info +A vector of information describing the command being run in the form of +\(lqname=value\(rq +strings. +The vector is terminated by a +\fRNULL\fR +pointer. +.sp +When parsing +\fIcommand_info\fR, +the plugin should split on the +\fBfirst\fR +equal sign +(\(oq=\(cq) +since the +\fIname\fR +field will never include one +itself but the +\fIvalue\fR +might. +.sp +See the +\fIPolicy plugin API\fR +section for a list of all possible strings. +.TP 6n +errstr +If the +\fBerror\fR() +function returns a value other than 1, the plugin may +store a message describing the failure or error in +\fIerrstr\fR. +The +\fBsudo\fR +front end will then pass this value to any registered audit plugins. +.PD 0 +.PP +.RE +.PD +.TP 6n +show_version +.nf +.RS 6n +int (*show_version)(int verbose); +.RE +.fi +.RS 6n +.sp +The +\fBshow_version\fR() +function is called by +\fBsudo\fR +when the user specifies +the +\fB\-V\fR +option. +The plugin may display its version information to the user via the +\fBconversation\fR() +or +\fBplugin_printf\fR() +function using +\fRSUDO_CONV_INFO_MSG\fR. +.sp +Returns 1 on success, 0 on failure, \-1 if a general error occurred, +or \-2 if there was a usage error, although the return value is currently +ignored. +.sp +The function arguments are as follows: +.TP 6n +verbose +If the user requests detailed version information, the +\fIverbose\fR +flag will be set to 1. +.TP 6n +errstr +If the +\fBshow_version\fR() +function returns a value other than 1, the plugin may +store a message describing the failure or error in +\fIerrstr\fR. +The +\fBsudo\fR +front end will then pass this value to any registered audit plugins. +.PD 0 +.PP +.RE +.PD +.TP 6n +register_hooks +See the +\fIPolicy plugin API\fR +section for a description of +\fRregister_hooks\fR. +.TP 6n +deregister_hooks +See the +\fIPolicy plugin API\fR +section for a description of +\fRderegister_hooks\fR. .SS "Signal handlers" The \fBsudo\fR @@ -2460,7 +3460,7 @@ struct sudo_plugin_event { int (*add)(struct sudo_plugin_event *pev, struct timespec *timeout); int (*del)(struct sudo_plugin_event *pev); int (*pending)(struct sudo_plugin_event *pev, int events, - struct timespec *ts); + struct timespec *ts); int (*fd)(struct sudo_plugin_event *pev); void (*setbase)(struct sudo_plugin_event *pev, void *base); void (*loopbreak)(struct sudo_plugin_event *pev); @@ -2694,6 +3694,14 @@ to the specified value. This can be used to move an event created via \fBevent_alloc\fR() to a new event loop allocated by sudo's event subsystem. +If +\fIbase\fR +is +\fRNULL\fR, +\fIpev\fR's +event base is reset to the default value, which corresponds to +\fBsudo\fR's +main event loop. Using this function requires linking the plugin with the sudo_util library. It is unlikely to be used outside of the @@ -2840,7 +3848,7 @@ function: typedef int (*sudo_conv_t)(int num_msgs, const struct sudo_conv_message msgs[], struct sudo_conv_reply replies[], - struct sudo_conv_callback *callback); + struct sudo_conv_callback *callback); typedef int (*sudo_printf_t)(int msg_type, const char *fmt, ...); .RE @@ -3365,6 +4373,13 @@ The field was added to the policy_plugin and io_plugin structs. .sp The +\fIerrstr\fR +argument was added to the policy and I/O plugin functions +which the plugin function can use to return an error string. +This string may be used by the audit plugin to report failure or +error conditions set by the other plugins. +.sp +The \fBclose\fR() function is now is called regardless of whether or not a command was actually executed.