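diff -up sudo-1.8.6p7/doc/Makefile.in.sudoconfman sudo-1.8.6p7/doc/Makefile.in
--- sudo-1.8.6p7/doc/Makefile.in.sudoconfman 2013-07-30 13:57:00.000004193 +0200
+++ sudo-1.8.6p7/doc/Makefile.in 2013-07-30 13:58:25.732323525 +0200
@@ -64,12 +64,13 @@ DEVEL = @DEVEL@
 
 SHELL = @SHELL@
 
-DOCS = sudo.$(mantype) visudo.$(mantype) sudoers.$(mantype) \
- sudoers.ldap.$(mantype) sudoers.$(mantype) \
+DOCS = sudo.$(mantype) visudo.$(mantype) sudo.conf.$(mantype) \
+ sudoers.$(mantype) sudoers.ldap.$(mantype) sudoers.$(mantype) \
 sudoreplay.$(mantype) sudo_plugin.$(mantype)
 
 DEVDOCS = $(srcdir)/sudo.man.in $(srcdir)/sudo.cat \
 $(srcdir)/visudo.man.in $(srcdir)/visudo.cat \
+ $(srcdir)/sudo.conf.man.in $(srcdir)/sudo.conf.cat \
 $(srcdir)/sudoers.man.in $(srcdir)/sudoers.cat \
 $(srcdir)/sudoers.ldap.man.in $(srcdir)/sudoers.ldap.cat \
 $(srcdir)/sudoers.man.in $(srcdir)/sudoers.cat \
@@ -158,6 +159,34 @@ $(srcdir)/visudo.cat: varsub $(srcdir)/v
 
 visudo.cat: $(srcdir)/visudo.cat
 
+$(srcdir)/sudo.conf.man.in: $(srcdir)/sudo.conf.mdoc.in
+ @if [ -n "$(DEVEL)" ]; then \
+ echo "Generating $@"; \
+ mansectsu=`echo @MANSECTSU@|$(TR) A-Z a-z`; \
+ mansectform=`echo @MANSECTFORM@|$(TR) A-Z a-z`; \
+ printf '.\\" DO NOT EDIT THIS FILE, IT IS NOT THE MASTER!\n' > $@; \
+ printf '.\\" IT IS GENERATED AUTOMATICALLY FROM sudo.conf.mdoc.in\n' >> $@; \
+ $(SED) -n -e '/^.Dd/q' -e '/^\.\\/p' $(srcdir)/sudo.conf.mdoc.in >> $@; \
+ $(SED) -e "s/$$mansectsu/8/g" -e "s/$$mansectform/5/g" $(srcdir)/sudo.conf.mdoc.in | $(MANDOC) -Tman | $(SED) -e 's/^\(\.TH "VISUDO" \)"8"\(.*"\)OpenBSD \(.*\)/\1"'$$mansectsu'"\2\3/' -e "s/(5)/($$mansectform)/g" -e "s/(8)/($$mansectsu)/g" >> $@; \
+ fi
+
+sudo.conf.man.sed: $(srcdir)/fixman.sh
+ $(SHELL) $(srcdir)/fixman.sh $@
+
+sudo.conf.man: $(srcdir)/sudo.conf.man.in sudo.conf.man.sed
+ (cd $(top_builddir) && $(SHELL) config.status --file=-) < $(srcdir)/$@.in | $(SED) -f $@.sed > $@
+
+sudo.conf.mdoc: $(srcdir)/sudo.conf.mdoc.in
+ (cd $(top_builddir) && $(SHELL) config.status --file=doc/$@)
+
+$(srcdir)/sudo.conf.cat: varsub $(srcdir)/sudo.conf.mdoc.in
+ @if [ -n "$(DEVEL)" ]; then \
+ echo "Generating $@"; \
+ $(SED) -f varsub $(srcdir)/sudo.conf.mdoc.in | $(MANDOC) -mdoc | $(SED) -e 's/ OpenBSD \([^ ].* \)/ \1 /' -e 's/(5)/(4)/g' -e 's/(8)/(1m)/g' > $@; \
+ fi
+
+sudo.conf.cat: $(srcdir)/sudo.conf.cat
+
 $(srcdir)/sudoers.man.in: $(srcdir)/sudoers.mdoc.in
 @if [ -n "$(DEVEL)" ]; then \
 echo "Generating $@"; \
@@ -292,10 +321,11 @@ install-doc: install-dirs
 $(INSTALL) -O $(install_uid) -G $(install_gid) -m 0644 @mansrcdir@/sudo_plugin.$(mantype) $(DESTDIR)$(mandirsu)/sudo_plugin.$(mansectsu)
 $(INSTALL) -O $(install_uid) -G $(install_gid) -m 0644 @mansrcdir@/sudoreplay.$(mantype) $(DESTDIR)$(mandirsu)/sudoreplay.$(mansectsu)
 $(INSTALL) -O $(install_uid) -G $(install_gid) -m 0644 @mansrcdir@/visudo.$(mantype) $(DESTDIR)$(mandirsu)/visudo.$(mansectsu)
+ $(INSTALL) -O $(install_uid) -G $(install_gid) -m 0644 @mansrcdir@/sudo.conf.$(mantype) $(DESTDIR)$(mandirform)/sudo.conf.$(mansectform)
 $(INSTALL) -O $(install_uid) -G $(install_gid) -m 0644 @mansrcdir@/sudoers.$(mantype) $(DESTDIR)$(mandirform)/sudoers.$(mansectform)
 @LDAP@$(INSTALL) -O $(install_uid) -G $(install_gid) -m 0644 @mansrcdir@/sudoers.ldap.$(mantype) $(DESTDIR)$(mandirform)/sudoers.ldap.$(mansectform)
 @if test -n "$(MANCOMPRESS)"; then \
- for f in $(mandirsu)/sudo.$(mansectsu) $(mandirsu)/sudo_plugin.$(mansectsu) $(mandirsu)/sudoreplay.$(mansectsu) $(mandirsu)/visudo.$(mansectsu) $(mandirform)/sudoers.$(mansectform) $(mandirform)/sudoers.ldap.$(mansectform); do \
+ for f in $(mandirsu)/sudo.$(mansectsu) $(mandirsu)/sudo_plugin.$(mansectsu) $(mandirsu)/sudoreplay.$(mansectsu) $(mandirsu)/visudo.$(mansectsu) $(mandirform)/sudo.conf.$(mansectform) $(mandirform)/sudoers.$(mansectform) $(mandirform)/sudoers.ldap.$(mansectform); do \
 if test -f $(DESTDIR)$$f; then \
 echo $(MANCOMPRESS) -f $(DESTDIR)$$f; \
 $(MANCOMPRESS) -f $(DESTDIR)$$f; \
@@ -319,6 +349,7 @@ uninstall:
 $(DESTDIR)$(mandirsu)/sudo_plugin.$(mansectsu) \
 $(DESTDIR)$(mandirsu)/sudoreplay.$(mansectsu) \
 $(DESTDIR)$(mandirsu)/visudo.$(mansectsu) \
+ $(DESTDIR)$(mandirform)/sudo.conf.$(mansectform) \
 $(DESTDIR)$(mandirform)/sudoers.$(mansectform) \
 $(DESTDIR)$(mandirform)/sudoers.ldap.$(mansectform)
 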
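Review bot: In the new `$(srcdir)/sudo.conf.man.in` rule, the last sed still rewrites `.TH "VISUDO" "8"`, which looks copied from the visudo rule and cannot match this page's header. The `sudo.conf.man.in` added by the same patch shows the result: its header reads `.TH "SUDO" "5" … "OpenBSD Programmer's Manual"`, so the OpenBSD string is not stripped and the section number stays hard-coded instead of templated. The expression should key on this page's title and the file-format section, e.g. `-e 's/^\(\.TH "SUDO" \)"5"\(.*"\)OpenBSD \(.*\)/\1"'$$mansectform'"\2\3/'`, with the title adjusted if the mdoc source's `.Dt` is changed. Separately, the exit status of that pipeline is the final sed's, so a failed `$(MANDOC)` would leave a truncated `$@` that looks up to date (presumably the same as in the sibling rules this one mirrors); a comment noting that, or writing to `$@.tmp` and renaming, would help.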
|
 |
1b092f |
diff -up sudo-1.8.6p7/doc/sudo.conf.cat.sudoconfman sudo-1.8.6p7/doc/sudo.conf.cat
|
|
 |
1b092f |
--- sudo-1.8.6p7/doc/sudo.conf.cat.sudoconfman 2013-07-30 13:58:15.401285217 +0200
|
|
 |
1b092f |
+++ sudo-1.8.6p7/doc/sudo.conf.cat 2013-07-30 13:58:25.733323538 +0200
|
|
 |
1b092f |
@@ -0,0 +1,263 @@
|
|
 |
1b092f |
+SUDO(4) Programmer's Manual SUDO(4)
|
|
 |
1b092f |
+
|
|
 |
1b092f |
+N?NA?AM?ME?E
|
|
 |
1b092f |
+ s?su?ud?do?o.?.c?co?on?nf?f - configuration for sudo front end
|
|
 |
1b092f |
+
|
|
 |
1b092f |
+D?DE?ES?SC?CR?RI?IP?PT?TI?IO?ON?N
|
|
 |
1b092f |
+ The s?su?ud?do?o.?.c?co?on?nf?f file is used to configure the s?su?ud?do?o front end. It specifies
|
|
 |
1b092f |
+ the security policy and I/O logging plugins, debug flags as well as
|
|
 |
1b092f |
+ plugin-agnostic path names and settings.
|
|
 |
1b092f |
+
|
|
 |
1b092f |
+ The s?su?ud?do?o.?.c?co?on?nf?f file supports the following directives, described in detail
|
|
 |
1b092f |
+ below.
|
|
 |
1b092f |
+
|
|
 |
1b092f |
+ Plugin a security policy or I/O logging plugin
|
|
 |
1b092f |
+
|
|
 |
1b092f |
+ Path a plugin-agnostic path
|
|
 |
1b092f |
+
|
|
 |
1b092f |
+ Set a front end setting, such as _?d_?i_?s_?a_?b_?l_?e_?__?c_?o_?r_?e_?d_?u_?m_?p or _?g_?r_?o_?u_?p_?__?s_?o_?u_?r_?c_?e
|
|
 |
1b092f |
+
|
|
 |
1b092f |
+ Debug debug flags to aid in debugging s?su?ud?do?o, s?su?ud?do?or?re?ep?pl?la?ay?y, v?vi?is?su?ud?do?o, and
|
|
 |
1b092f |
+ the s?su?ud?do?oe?er?rs?s plugin.
|
|
 |
1b092f |
+
|
|
 |
1b092f |
+ The pound sign (`#') is used to indicate a comment. Both the comment
|
|
 |
1b092f |
+ character and any text after it, up to the end of the line, are ignored.
|
|
 |
1b092f |
+
|
|
 |
1b092f |
+ Non-comment lines that don't begin with Plugin, Path, Debug, or Set are
|
|
 |
1b092f |
+ silently ignored.
|
|
 |
1b092f |
+
|
|
 |
1b092f |
+ The s?su?ud?do?o.?.c?co?on?nf?f file is always parsed in the ``C'' locale.
|
|
 |
1b092f |
+
|
|
 |
1b092f |
+ P?Pl?lu?ug?gi?in?n c?co?on?nf?fi?ig?gu?ur?ra?at?ti?io?on?n
|
|
 |
1b092f |
+ s?su?ud?do?o supports a plugin architecture for security policies and
|
|
 |
1b092f |
+ input/output logging. Third parties can develop and distribute their own
|
|
 |
1b092f |
+ policy and I/O logging plugins to work seamlessly with the s?su?ud?do?o front
|
|
 |
1b092f |
+ end. Plugins are dynamically loaded based on the contents of s?su?ud?do?o.?.c?co?on?nf?f.
|
|
 |
1b092f |
+
|
|
 |
1b092f |
+ A Plugin line consists of the Plugin keyword, followed by the _?s_?y_?m_?b_?o_?l_?__?n_?a_?m_?e
|
|
 |
1b092f |
+ and the _?p_?a_?t_?h to the shared object containing the plugin. The _?s_?y_?m_?b_?o_?l_?__?n_?a_?m_?e
|
|
 |
1b092f |
+ is the name of the struct policy_plugin or struct io_plugin in the plugin
|
|
 |
1b092f |
+ shared object. The _?p_?a_?t_?h may be fully qualified or relative. If not
|
|
 |
1b092f |
+ fully qualified, it is relative to the _?/_?u_?s_?r_?/_?l_?o_?c_?a_?l_?/_?l_?i_?b_?e_?x_?e_?c directory. In
|
|
 |
1b092f |
+ other words:
|
|
 |
1b092f |
+
|
|
 |
1b092f |
+ Plugin sudoers_policy sudoers.so
|
|
 |
1b092f |
+
|
|
 |
1b092f |
+ is equivalent to:
|
|
 |
1b092f |
+
|
|
 |
1b092f |
+ Plugin sudoers_policy /usr/local/libexec/sudoers.so
|
|
 |
1b092f |
+
|
|
 |
1b092f |
+ Any additional parameters after the _?p_?a_?t_?h are passed as arguments to the
|
|
 |
1b092f |
+ plugin's _?o_?p_?e_?n function. For example, to override the compile-time
|
|
 |
1b092f |
+ default sudoers file mode:
|
|
 |
1b092f |
+
|
|
 |
1b092f |
+ Plugin sudoers_policy sudoers.so sudoers_mode=0440
|
|
 |
1b092f |
+
|
|
 |
1b092f |
+ If no s?su?ud?do?o.?.c?co?on?nf?f file is present, or if it contains no Plugin lines, the
|
|
 |
1b092f |
+ s?su?ud?do?oe?er?rs?s plugin will be used as the default security policy and for I/O
|
|
 |
1b092f |
+ logging (if enabled by the policy). This is equivalent to the following:
|
|
 |
1b092f |
+
|
|
 |
1b092f |
+ Plugin policy_plugin sudoers.so
|
|
 |
1b092f |
+ Plugin io_plugin sudoers.so
|
|
 |
1b092f |
+
|
|
 |
1b092f |
+ For more information on the s?su?ud?do?o plugin architecture, see the
|
|
 |
1b092f |
+ sudo_plugin(1m) manual.
|
|
 |
1b092f |
+
|
|
 |
1b092f |
+ P?Pa?at?th?h s?se?et?tt?ti?in?ng?gs?s
|
|
 |
1b092f |
+ A Path line consists of the Path keyword, followed by the name of the
|
|
 |
1b092f |
+ path to set and its value. For example:
|
|
 |
1b092f |
+
|
|
 |
1b092f |
+ Path noexec /usr/local/libexec/sudo_noexec.so
|
|
 |
1b092f |
+ Path askpass /usr/X11R6/bin/ssh-askpass
|
|
 |
1b092f |
+
|
|
 |
1b092f |
+ The following plugin-agnostic paths may be set in the _?/_?e_?t_?c_?/_?s_?u_?d_?o_?._?c_?o_?n_?f
|
|
 |
1b092f |
+ file:
|
|
 |
1b092f |
+
|
|
 |
1b092f |
+ askpass The fully qualified path to a helper program used to read the
|
|
 |
1b092f |
+ user's password when no terminal is available. This may be the
|
|
 |
1b092f |
+ case when s?su?ud?do?o is executed from a graphical (as opposed to
|
|
 |
1b092f |
+ text-based) application. The program specified by _?a_?s_?k_?p_?a_?s_?s
|
|
 |
1b092f |
+ should display the argument passed to it as the prompt and
|
|
 |
1b092f |
+ write the user's password to the standard output. The value of
|
|
 |
1b092f |
+ _?a_?s_?k_?p_?a_?s_?s may be overridden by the SUDO_ASKPASS environment
|
|
 |
1b092f |
+ variable.
|
|
 |
1b092f |
+
|
|
 |
1b092f |
+ noexec The fully-qualified path to a shared library containing dummy
|
|
 |
1b092f |
+ versions of the e?ex?xe?ec?cv?v(), e?ex?xe?ec?cv?ve?e() and f?fe?ex?xe?ec?cv?ve?e() library
|
|
 |
1b092f |
+ functions that just return an error. This is used to implement
|
|
 |
1b092f |
+ the _?n_?o_?e_?x_?e_?c functionality on systems that support LD_PRELOAD or
|
|
 |
1b092f |
+ its equivalent. The default value is:
|
|
 |
1b092f |
+ _?/_?u_?s_?r_?/_?l_?o_?c_?a_?l_?/_?l_?i_?b_?e_?x_?e_?c_?/_?s_?u_?d_?o_?__?n_?o_?e_?x_?e_?c_?._?s_?o.
|
|
 |
1b092f |
+
|
|
 |
1b092f |
+ O?Ot?th?he?er?r s?se?et?tt?ti?in?ng?gs?s
|
|
 |
1b092f |
+ The s?su?ud?do?o.?.c?co?on?nf?f file also supports the following front end settings:
|
|
 |
1b092f |
+
|
|
 |
1b092f |
+ disable_coredump
|
|
 |
1b092f |
+ Core dumps of s?su?ud?do?o itself are disabled by default. To aid in
|
|
 |
1b092f |
+ debugging s?su?ud?do?o crashes, you may wish to re-enable core dumps by
|
|
 |
1b092f |
+ setting ``disable_coredump'' to false in s?su?ud?do?o.?.c?co?on?nf?f as follows:
|
|
 |
1b092f |
+
|
|
 |
1b092f |
+ Set disable_coredump false
|
|
 |
1b092f |
+
|
|
 |
1b092f |
+ Note that most operating systems disable core dumps from setuid
|
|
 |
1b092f |
+ programs, including s?su?ud?do?o. To actually get a s?su?ud?do?o core file you
|
|
 |
1b092f |
+ will likely need to enable core dumps for setuid processes. On
|
|
 |
1b092f |
+ BSD and Linux systems this is accomplished via the sysctl
|
|
 |
1b092f |
+ command. On Solaris, the coreadm command is used to configure
|
|
 |
1b092f |
+ core dump behavior.
|
|
 |
1b092f |
+
|
|
 |
1b092f |
+ This setting is only available in s?su?ud?do?o version 1.8.4 and
|
|
 |
1b092f |
+ higher.
|
|
 |
1b092f |
+
|
|
 |
1b092f |
+ D?De?eb?bu?ug?g f?fl?la?ag?gs?s
|
|
 |
1b092f |
+ s?su?ud?do?o versions 1.8.4 and higher support a flexible debugging framework
|
|
 |
1b092f |
+ that can help track down what s?su?ud?do?o is doing internally if there is a
|
|
 |
1b092f |
+ problem.
|
|
 |
1b092f |
+
|
|
 |
1b092f |
+ A Debug line consists of the Debug keyword, followed by the name of the
|
|
 |
1b092f |
+ program (or plugin) to debug (s?su?ud?do?o, v?vi?is?su?ud?do?o, s?su?ud?do?or?re?ep?pl?la?ay?y, s?su?ud?do?oe?er?rs?s), the
|
|
 |
1b092f |
+ debug file name and a comma-separated list of debug flags. The debug
|
|
 |
1b092f |
+ flag syntax used by s?su?ud?do?o and the s?su?ud?do?oe?er?rs?s plugin is _?s_?u_?b_?s_?y_?s_?t_?e_?m@_?p_?r_?i_?o_?r_?i_?t_?y but
|
|
 |
1b092f |
+ a plugin is free to use a different format so long as it does not include
|
|
 |
1b092f |
+ a comma (`,').
|
|
 |
1b092f |
+
|
|
 |
1b092f |
+ For example:
|
|
 |
1b092f |
+
|
|
 |
1b092f |
+ Debug sudo /var/log/sudo_debug all@warn,plugin@info
|
|
 |
1b092f |
+
|
|
 |
1b092f |
+ would log all debugging statements at the _?w_?a_?r_?n level and higher in
|
|
 |
1b092f |
+ addition to those at the _?i_?n_?f_?o level for the plugin subsystem.
|
|
 |
1b092f |
+
|
|
 |
1b092f |
+ Currently, only one Debug entry per program is supported. The s?su?ud?do?o Debug
|
|
 |
1b092f |
+ entry is shared by the s?su?ud?do?o front end, s?su?ud?do?oe?ed?di?it?t and the plugins. A
|
|
 |
1b092f |
+ future release may add support for per-plugin Debug lines and/or support
|
|
 |
1b092f |
+ for multiple debugging files for a single program.
|
|
 |
1b092f |
+
|
|
 |
1b092f |
+ The priorities used by the s?su?ud?do?o front end, in order of decreasing
|
|
 |
1b092f |
+ severity, are: _?c_?r_?i_?t, _?e_?r_?r, _?w_?a_?r_?n, _?n_?o_?t_?i_?c_?e, _?d_?i_?a_?g, _?i_?n_?f_?o, _?t_?r_?a_?c_?e and _?d_?e_?b_?u_?g.
|
|
 |
1b092f |
+ Each priority, when specified, also includes all priorities higher than
|
|
 |
1b092f |
+ it. For example, a priority of _?n_?o_?t_?i_?c_?e would include debug messages
|
|
 |
1b092f |
+ logged at _?n_?o_?t_?i_?c_?e and higher.
|
|
 |
1b092f |
+
|
|
 |
1b092f |
+ The following subsystems are used by the s?su?ud?do?o front-end:
|
|
 |
1b092f |
+
|
|
 |
1b092f |
+ _?a_?l_?l matches every subsystem
|
|
 |
1b092f |
+
|
|
 |
1b092f |
+ _?a_?r_?g_?s command line argument processing
|
|
 |
1b092f |
+
|
|
 |
1b092f |
+ _?c_?o_?n_?v user conversation
|
|
 |
1b092f |
+
|
|
 |
1b092f |
+ _?e_?d_?i_?t sudoedit
|
|
 |
1b092f |
+
|
|
 |
1b092f |
+ _?e_?x_?e_?c command execution
|
|
 |
1b092f |
+
|
|
 |
1b092f |
+ _?m_?a_?i_?n s?su?ud?do?o main function
|
|
 |
1b092f |
+
|
|
 |
1b092f |
+ _?n_?e_?t_?i_?f network interface handling
|
|
 |
1b092f |
+
|
|
 |
1b092f |
+ _?p_?c_?o_?m_?m communication with the plugin
|
|
 |
1b092f |
+
|
|
 |
1b092f |
+ _?p_?l_?u_?g_?i_?n plugin configuration
|
|
 |
1b092f |
+
|
|
 |
1b092f |
+ _?p_?t_?y pseudo-tty related code
|
|
 |
1b092f |
+
|
|
 |
1b092f |
+ _?s_?e_?l_?i_?n_?u_?x SELinux-specific handling
|
|
 |
1b092f |
+
|
|
 |
1b092f |
+ _?u_?t_?i_?l utility functions
|
|
 |
1b092f |
+
|
|
 |
1b092f |
+ _?u_?t_?m_?p utmp handling
|
|
 |
1b092f |
+
|
|
 |
1b092f |
+F?FI?IL?LE?ES?S
|
|
 |
1b092f |
+ _?/_?e_?t_?c_?/_?s_?u_?d_?o_?._?c_?o_?n_?f s?su?ud?do?o front end configuration
|
|
 |
1b092f |
+
|
|
 |
1b092f |
+E?EX?XA?AM?MP?PL?LE?ES?S
|
|
 |
1b092f |
+ #
|
|
 |
1b092f |
+ # Default /etc/sudo.conf file
|
|
 |
1b092f |
+ #
|
|
 |
1b092f |
+ # Format:
|
|
 |
1b092f |
+ # Plugin plugin_name plugin_path plugin_options ...
|
|
 |
1b092f |
+ # Path askpass /path/to/askpass
|
|
 |
1b092f |
+ # Path noexec /path/to/sudo_noexec.so
|
|
 |
1b092f |
+ # Debug sudo /var/log/sudo_debug all@warn
|
|
 |
1b092f |
+ # Set disable_coredump true
|
|
 |
1b092f |
+ #
|
|
 |
1b092f |
+ # The plugin_path is relative to /usr/local/libexec unless
|
|
 |
1b092f |
+ # fully qualified.
|
|
 |
1b092f |
+ # The plugin_name corresponds to a global symbol in the plugin
|
|
 |
1b092f |
+ # that contains the plugin interface structure.
|
|
 |
1b092f |
+ # The plugin_options are optional.
|
|
 |
1b092f |
+ #
|
|
 |
1b092f |
+ # The sudoers plugin is used by default if no Plugin lines are
|
|
 |
1b092f |
+ # present.
|
|
 |
1b092f |
+ Plugin policy_plugin sudoers.so
|
|
 |
1b092f |
+ Plugin io_plugin sudoers.so
|
|
 |
1b092f |
+
|
|
 |
1b092f |
+ #
|
|
 |
1b092f |
+ # Sudo askpass:
|
|
 |
1b092f |
+ #
|
|
 |
1b092f |
+ # An askpass helper program may be specified to provide a graphical
|
|
 |
1b092f |
+ # password prompt for "sudo -A" support. Sudo does not ship with
|
|
 |
1b092f |
+ # its own askpass program but can use the OpenSSH askpass.
|
|
 |
1b092f |
+ #
|
|
 |
1b092f |
+ # Use the OpenSSH askpass
|
|
 |
1b092f |
+ #Path askpass /usr/X11R6/bin/ssh-askpass
|
|
 |
1b092f |
+ #
|
|
 |
1b092f |
+ # Use the Gnome OpenSSH askpass
|
|
 |
1b092f |
+ #Path askpass /usr/libexec/openssh/gnome-ssh-askpass
|
|
 |
1b092f |
+
|
|
 |
1b092f |
+ #
|
|
 |
1b092f |
+ # Sudo noexec:
|
|
 |
1b092f |
+ #
|
|
 |
1b092f |
+ # Path to a shared library containing dummy versions of the execv(),
|
|
 |
1b092f |
+ # execve() and fexecve() library functions that just return an error.
|
|
 |
1b092f |
+ # This is used to implement the "noexec" functionality on systems that
|
|
 |
1b092f |
+ # support C<LD_PRELOAD> or its equivalent.
|
|
 |
1b092f |
+ # The compiled-in value is usually sufficient and should only be
|
|
 |
1b092f |
+ # changed if you rename or move the sudo_noexec.so file.
|
|
 |
1b092f |
+ #
|
|
 |
1b092f |
+ #Path noexec /usr/local/libexec/sudo_noexec.so
|
|
 |
1b092f |
+
|
|
 |
1b092f |
+ #
|
|
 |
1b092f |
+ # Core dumps:
|
|
 |
1b092f |
+ #
|
|
 |
1b092f |
+ # By default, sudo disables core dumps while it is executing
|
|
 |
1b092f |
+ # (they are re-enabled for the command that is run).
|
|
 |
1b092f |
+ # To aid in debugging sudo problems, you may wish to enable core
|
|
 |
1b092f |
+ # dumps by setting "disable_coredump" to false.
|
|
 |
1b092f |
+ #
|
|
 |
1b092f |
+ #Set disable_coredump false
|
|
 |
1b092f |
+
|
|
 |
1b092f |
+S?SE?EE?E A?AL?LS?SO?O
|
|
 |
1b092f |
+ sudoers(4), sudo(1m), sudo_plugin(1m),
|
|
 |
1b092f |
+
|
|
 |
1b092f |
+H?HI?IS?ST?TO?OR?RY?Y
|
|
 |
1b092f |
+ See the HISTORY file in the s?su?ud?do?o distribution
|
|
 |
1b092f |
+ (http://www.sudo.ws/sudo/history.html) for a brief history of sudo.
|
|
 |
1b092f |
+
|
|
 |
1b092f |
+A?AU?UT?TH?HO?OR?RS?S
|
|
 |
1b092f |
+ Many people have worked on s?su?ud?do?o over the years; this version consists of
|
|
 |
1b092f |
+ code written primarily by:
|
|
 |
1b092f |
+
|
|
 |
1b092f |
+ Todd C. Miller
|
|
 |
1b092f |
+
|
|
 |
1b092f |
+ See the CONTRIBUTORS file in the s?su?ud?do?o distribution
|
|
 |
1b092f |
+ (http://www.sudo.ws/sudo/contributors.html) for an exhaustive list of
|
|
 |
1b092f |
+ people who have contributed to s?su?ud?do?o.
|
|
 |
1b092f |
+
|
|
 |
1b092f |
+B?BU?UG?GS?S
|
|
 |
1b092f |
+ If you feel you have found a bug in s?su?ud?do?o, please submit a bug report at
|
|
 |
1b092f |
+ http://www.sudo.ws/sudo/bugs/
|
|
 |
1b092f |
+
|
|
 |
1b092f |
+S?SU?UP?PP?PO?OR?RT?T
|
|
 |
1b092f |
+ Limited free support is available via the sudo-users mailing list, see
|
|
 |
1b092f |
+ http://www.sudo.ws/mailman/listinfo/sudo-users to subscribe or search the
|
|
 |
1b092f |
+ archives.
|
|
 |
1b092f |
+
|
|
 |
1b092f |
+D?DI?IS?SC?CL?LA?AI?IM?ME?ER?R
|
|
 |
1b092f |
+ s?su?ud?do?o is provided ``AS IS'' and any express or implied warranties,
|
|
 |
1b092f |
+ including, but not limited to, the implied warranties of merchantability
|
|
 |
1b092f |
+ and fitness for a particular purpose are disclaimed. See the LICENSE
|
|
 |
1b092f |
+ file distributed with s?su?ud?do?o or http://www.sudo.ws/sudo/license.html for
|
|
 |
1b092f |
+ complete details.
|
|
 |
1b092f |
+
|
|
 |
1b092f |
+Sudo 1.8.6p7 February 1, 2013 Sudo 1.8.6p7
|
|
 |
1b092f |
diff -up sudo-1.8.6p7/doc/sudo.conf.man.in.sudoconfman sudo-1.8.6p7/doc/sudo.conf.man.in
|
|
 |
1b092f |
--- sudo-1.8.6p7/doc/sudo.conf.man.in.sudoconfman 2013-07-30 13:58:15.401285217 +0200
|
|
 |
1b092f |
+++ sudo-1.8.6p7/doc/sudo.conf.man.in 2013-07-30 13:58:25.733323538 +0200
|
|
 |
1b092f |
@@ -0,0 +1,470 @@
|
|
 |
1b092f |
+.\" DO NOT EDIT THIS FILE, IT IS NOT THE MASTER!
|
|
 |
1b092f |
+.\" IT IS GENERATED AUTOMATICALLY FROM sudo.conf.mdoc.in
|
|
 |
1b092f |
+.\"
|
|
 |
1b092f |
+.\" Copyright (c) 2010-2013 Todd C. Miller <Todd.Miller@courtesan.com>
|
|
 |
1b092f |
+.\"
|
|
 |
1b092f |
+.\" Permission to use, copy, modify, and distribute this software for any
|
|
 |
1b092f |
+.\" purpose with or without fee is hereby granted, provided that the above
|
|
 |
1b092f |
+.\" copyright notice and this permission notice appear in all copies.
|
|
 |
1b092f |
+.\"
|
|
 |
1b092f |
+.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
|
|
 |
1b092f |
+.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
|
|
 |
1b092f |
+.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
|
|
 |
1b092f |
+.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
|
|
 |
1b092f |
+.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
|
|
 |
1b092f |
+.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
|
|
 |
1b092f |
+.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
|
|
 |
1b092f |
+.\" ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
|
|
 |
1b092f |
+.\"
|
|
 |
1b092f |
+.TH "SUDO" "5" "February 1, 2013" "Sudo @PACKAGE_VERSION@" "OpenBSD Programmer's Manual"
|
|
 |
1b092f |
+.nh
|
|
 |
1b092f |
+.if n .ad l
|
|
 |
1b092f |
+.SH "NAME"
|
|
 |
1b092f |
+\fBsudo.conf\fR
|
|
 |
1b092f |
+\- configuration for sudo front end
|
|
 |
1b092f |
+.SH "DESCRIPTION"
|
|
 |
1b092f |
+The
|
|
 |
1b092f |
+\fBsudo.conf\fR
|
|
 |
1b092f |
+file is used to configure the
|
|
 |
1b092f |
+\fBsudo\fR
|
|
 |
1b092f |
+front end.
|
|
 |
1b092f |
+It specifies the security policy and I/O logging plugins, debug flags
|
|
 |
1b092f |
+as well as plugin-agnostic path names and settings.
|
|
 |
1b092f |
+.PP
|
|
 |
1b092f |
+The
|
|
 |
1b092f |
+\fBsudo.conf\fR
|
|
 |
1b092f |
+file supports the following directives, described in detail below.
|
|
 |
1b092f |
+.TP 10n
|
|
 |
1b092f |
+Plugin
|
|
 |
1b092f |
+a security policy or I/O logging plugin
|
|
 |
1b092f |
+.TP 10n
|
|
 |
1b092f |
+Path
|
|
 |
1b092f |
+a plugin-agnostic path
|
|
 |
1b092f |
+.TP 10n
|
|
 |
1b092f |
+Set
|
|
 |
1b092f |
+a front end setting, such as
|
|
 |
1b092f |
+\fIdisable_coredump\fR
|
|
 |
1b092f |
+or
|
|
 |
1b092f |
+\fIgroup_source\fR
|
|
 |
1b092f |
+.TP 10n
|
|
 |
1b092f |
+Debug
|
|
 |
1b092f |
+debug flags to aid in debugging
|
|
 |
1b092f |
+\fBsudo\fR,
|
|
 |
1b092f |
+\fBsudoreplay\fR,
|
|
 |
1b092f |
+\fBvisudo\fR,
|
|
 |
1b092f |
+and the
|
|
 |
1b092f |
+\fBsudoers\fR
|
|
 |
1b092f |
+plugin.
|
|
 |
1b092f |
+.PP
|
|
 |
1b092f |
+The pound sign
|
|
 |
1b092f |
+(`#')
|
|
 |
1b092f |
+is used to indicate a comment.
|
|
 |
1b092f |
+Both the comment character and any text after it, up to the end of
|
|
 |
1b092f |
+the line, are ignored.
|
|
 |
1b092f |
+.PP
|
|
 |
1b092f |
+Non-comment lines that don't begin with
|
|
 |
1b092f |
+\fRPlugin\fR,
|
|
 |
1b092f |
+\fRPath\fR,
|
|
 |
1b092f |
+\fRDebug\fR,
|
|
 |
1b092f |
+or
|
|
 |
1b092f |
+\fRSet\fR
|
|
 |
1b092f |
+are silently ignored.
|
|
 |
1b092f |
+.PP
|
|
 |
1b092f |
+The
|
|
 |
1b092f |
+\fBsudo.conf\fR
|
|
 |
1b092f |
+file is always parsed in the
|
|
 |
1b092f |
+``\fRC\fR''
|
|
 |
1b092f |
+locale.
|
|
 |
1b092f |
+.SS "Plugin configuration"
|
|
 |
1b092f |
+\fBsudo\fR
|
|
 |
1b092f |
+supports a plugin architecture for security policies and input/output
|
|
 |
1b092f |
+logging.
|
|
 |
1b092f |
+Third parties can develop and distribute their own policy and I/O
|
|
 |
1b092f |
+logging plugins to work seamlessly with the
|
|
 |
1b092f |
+\fBsudo\fR
|
|
 |
1b092f |
+front end.
|
|
 |
1b092f |
+Plugins are dynamically loaded based on the contents of
|
|
 |
1b092f |
+\fBsudo.conf\fR.
|
|
 |
1b092f |
+.PP
|
|
 |
1b092f |
+A
|
|
 |
1b092f |
+\fRPlugin\fR
|
|
 |
1b092f |
+line consists of the
|
|
 |
1b092f |
+\fRPlugin\fR
|
|
 |
1b092f |
+keyword, followed by the
|
|
 |
1b092f |
+\fIsymbol_name\fR
|
|
 |
1b092f |
+and the
|
|
 |
1b092f |
+\fIpath\fR
|
|
 |
1b092f |
+to the shared object containing the plugin.
|
|
 |
1b092f |
+The
|
|
 |
1b092f |
+\fIsymbol_name\fR
|
|
 |
1b092f |
+is the name of the
|
|
 |
1b092f |
+\fRstruct policy_plugin\fR
|
|
 |
1b092f |
+or
|
|
 |
1b092f |
+\fRstruct io_plugin\fR
|
|
 |
1b092f |
+in the plugin shared object.
|
|
 |
1b092f |
+The
|
|
 |
1b092f |
+\fIpath\fR
|
|
 |
1b092f |
+may be fully qualified or relative.
|
|
 |
1b092f |
+If not fully qualified, it is relative to the
|
|
 |
1b092f |
+\fI@PLUGINDIR@\fR
|
|
 |
1b092f |
+directory.
|
|
 |
1b092f |
+In other words:
|
|
 |
1b092f |
+.nf
|
|
 |
1b092f |
+.sp
|
|
 |
1b092f |
+.RS 6n
|
|
 |
1b092f |
+Plugin sudoers_policy sudoers.so
|
|
 |
1b092f |
+.RE
|
|
 |
1b092f |
+.fi
|
|
 |
1b092f |
+.PP
|
|
 |
1b092f |
+is equivalent to:
|
|
 |
1b092f |
+.nf
|
|
 |
1b092f |
+.sp
|
|
 |
1b092f |
+.RS 6n
|
|
 |
1b092f |
+Plugin sudoers_policy @PLUGINDIR@/sudoers.so
|
|
 |
1b092f |
+.RE
|
|
 |
1b092f |
+.fi
|
|
 |
1b092f |
+.PP
|
|
 |
1b092f |
+Any additional parameters after the
|
|
 |
1b092f |
+\fIpath\fR
|
|
 |
1b092f |
+are passed as arguments to the plugin's
|
|
 |
1b092f |
+\fIopen\fR
|
|
 |
1b092f |
+function.
|
|
 |
1b092f |
+For example, to override the compile-time default sudoers file mode:
|
|
 |
1b092f |
+.nf
|
|
 |
1b092f |
+.sp
|
|
 |
1b092f |
+.RS 6n
|
|
 |
1b092f |
+Plugin sudoers_policy sudoers.so sudoers_mode=0440
|
|
 |
1b092f |
+.RE
|
|
 |
1b092f |
+.fi
|
|
 |
1b092f |
+.PP
|
|
 |
1b092f |
+If no
|
|
 |
1b092f |
+\fBsudo.conf\fR
|
|
 |
1b092f |
+file is present, or if it contains no
|
|
 |
1b092f |
+\fRPlugin\fR
|
|
 |
1b092f |
+lines, the
|
|
 |
1b092f |
+\fBsudoers\fR
|
|
 |
1b092f |
+plugin will be used as the default security policy and for I/O logging
|
|
 |
1b092f |
+(if enabled by the policy).
|
|
 |
1b092f |
+This is equivalent to the following:
|
|
 |
1b092f |
+.nf
|
|
 |
1b092f |
+.sp
|
|
 |
1b092f |
+.RS 6n
|
|
 |
1b092f |
+Plugin policy_plugin sudoers.so
|
|
 |
1b092f |
+Plugin io_plugin sudoers.so
|
|
 |
1b092f |
+.RE
|
|
 |
1b092f |
+.fi
|
|
 |
1b092f |
+.PP
|
|
 |
1b092f |
+For more information on the
|
|
 |
1b092f |
+\fBsudo\fR
|
|
 |
1b092f |
+plugin architecture, see the
|
|
 |
1b092f |
+sudo_plugin(@mansectsu@)
|
|
 |
1b092f |
+manual.
|
|
 |
1b092f |
+.SS "Path settings"
|
|
 |
1b092f |
+A
|
|
 |
1b092f |
+\fRPath\fR
|
|
 |
1b092f |
+line consists of the
|
|
 |
1b092f |
+\fRPath\fR
|
|
 |
1b092f |
+keyword, followed by the name of the path to set and its value.
|
|
 |
1b092f |
+For example:
|
|
 |
1b092f |
+.nf
|
|
 |
1b092f |
+.sp
|
|
 |
1b092f |
+.RS 6n
|
|
 |
1b092f |
+Path noexec @noexec_file@
|
|
 |
1b092f |
+Path askpass /usr/X11R6/bin/ssh-askpass
|
|
 |
1b092f |
+.RE
|
|
 |
1b092f |
+.fi
|
|
 |
1b092f |
+.PP
|
|
 |
1b092f |
+The following plugin-agnostic paths may be set in the
|
|
 |
1b092f |
+\fI@sysconfdir@/sudo.conf\fR
|
|
 |
1b092f |
+file:
|
|
 |
1b092f |
+.TP 10n
|
|
 |
1b092f |
+askpass
|
|
 |
1b092f |
+The fully qualified path to a helper program used to read the user's
|
|
 |
1b092f |
+password when no terminal is available.
|
|
 |
1b092f |
+This may be the case when
|
|
 |
1b092f |
+\fBsudo\fR
|
|
 |
1b092f |
+is executed from a graphical (as opposed to text-based) application.
|
|
 |
1b092f |
+The program specified by
|
|
 |
1b092f |
+\fIaskpass\fR
|
|
 |
1b092f |
+should display the argument passed to it as the prompt and write
|
|
 |
1b092f |
+the user's password to the standard output.
|
|
 |
1b092f |
+The value of
|
|
 |
1b092f |
+\fIaskpass\fR
|
|
 |
1b092f |
+may be overridden by the
|
|
 |
1b092f |
+\fRSUDO_ASKPASS\fR
|
|
 |
1b092f |
+environment variable.
|
|
 |
1b092f |
+.TP 10n
|
|
 |
1b092f |
+noexec
|
|
 |
1b092f |
+The fully-qualified path to a shared library containing dummy
|
|
 |
1b092f |
+versions of the
|
|
 |
1b092f |
+\fBexecv\fR(),
|
|
 |
1b092f |
+\fBexecve\fR()
|
|
 |
1b092f |
+and
|
|
 |
1b092f |
+\fBfexecve\fR()
|
|
 |
1b092f |
+library functions that just return an error.
|
|
 |
1b092f |
+This is used to implement the
|
|
 |
1b092f |
+\fInoexec\fR
|
|
 |
1b092f |
+functionality on systems that support
|
|
 |
1b092f |
+\fRLD_PRELOAD\fR
|
|
 |
1b092f |
+or its equivalent.
|
|
 |
1b092f |
+The default value is:
|
|
 |
1b092f |
+\fI@noexec_file@\fR.
|
|
 |
1b092f |
+.SS "Other settings"
|
|
 |
1b092f |
+The
|
|
 |
1b092f |
+\fBsudo.conf\fR
|
|
 |
1b092f |
+file also supports the following front end settings:
|
|
 |
1b092f |
+.TP 10n
|
|
 |
1b092f |
+disable_coredump
|
|
 |
1b092f |
+Core dumps of
|
|
 |
1b092f |
+\fBsudo\fR
|
|
 |
1b092f |
+itself are disabled by default.
|
|
 |
1b092f |
+To aid in debugging
|
|
 |
1b092f |
+\fBsudo\fR
|
|
 |
1b092f |
+crashes, you may wish to re-enable core dumps by setting
|
|
 |
1b092f |
+``disable_coredump''
|
|
 |
1b092f |
+to false in
|
|
 |
1b092f |
+\fBsudo.conf\fR
|
|
 |
1b092f |
+as follows:
|
|
 |
1b092f |
+.RS
|
|
 |
1b092f |
+.nf
|
|
 |
1b092f |
+.sp
|
|
 |
1b092f |
+.RS 6n
|
|
 |
1b092f |
+Set disable_coredump false
|
|
 |
1b092f |
+.RE
|
|
 |
1b092f |
+.fi
|
|
 |
1b092f |
+.sp
|
|
 |
1b092f |
+Note that most operating systems disable core dumps from setuid programs,
|
|
 |
1b092f |
+including
|
|
 |
1b092f |
+\fBsudo\fR.
|
|
 |
1b092f |
+To actually get a
|
|
 |
1b092f |
+\fBsudo\fR
|
|
 |
1b092f |
+core file you will likely need to enable core dumps for setuid processes.
|
|
 |
1b092f |
+On BSD and Linux systems this is accomplished via the
|
|
 |
1b092f |
+sysctl
|
|
 |
1b092f |
+command.
|
|
 |
1b092f |
+On Solaris, the
|
|
 |
1b092f |
+coreadm
|
|
 |
1b092f |
+command is used to configure core dump behavior.
|
|
 |
1b092f |
+.sp
|
|
 |
1b092f |
+This setting is only available in
|
|
 |
1b092f |
+\fBsudo\fR
|
|
 |
1b092f |
+version 1.8.4 and higher.
|
|
 |
1b092f |
+.PP
|
|
 |
1b092f |
+.RE
|
|
 |
1b092f |
+.SS "Debug flags"
|
|
 |
1b092f |
+\fBsudo\fR
|
|
 |
1b092f |
+versions 1.8.4 and higher support a flexible debugging framework
|
|
 |
1b092f |
+that can help track down what
|
|
 |
1b092f |
+\fBsudo\fR
|
|
 |
1b092f |
+is doing internally if there is a problem.
|
|
 |
1b092f |
+.PP
|
|
 |
1b092f |
+A
|
|
 |
1b092f |
+\fRDebug\fR
|
|
 |
1b092f |
+line consists of the
|
|
 |
1b092f |
+\fRDebug\fR
|
|
 |
1b092f |
+keyword, followed by the name of the program (or plugin) to debug
|
|
 |
1b092f |
+(\fBsudo\fR, \fBvisudo\fR, \fBsudoreplay\fR, \fBsudoers\fR),
|
|
 |
1b092f |
+the debug file name and a comma-separated list of debug flags.
|
|
 |
1b092f |
+The debug flag syntax used by
|
|
 |
1b092f |
+\fBsudo\fR
|
|
 |
1b092f |
+and the
|
|
 |
1b092f |
+\fBsudoers\fR
|
|
 |
1b092f |
+plugin is
|
|
 |
1b092f |
+\fIsubsystem\fR@\fIpriority\fR
|
|
 |
1b092f |
+but a plugin is free to use a different format so long as it does
|
|
 |
1b092f |
+not include a comma
|
|
 |
1b092f |
+(`\&,').
|
|
 |
1b092f |
+.PP
|
|
 |
1b092f |
+For example:
|
|
 |
1b092f |
+.nf
|
|
 |
1b092f |
+.sp
|
|
 |
1b092f |
+.RS 6n
|
|
 |
1b092f |
+Debug sudo /var/log/sudo_debug all@warn,plugin@info
|
|
 |
1b092f |
+.RE
|
|
 |
1b092f |
+.fi
|
|
 |
1b092f |
+.PP
|
|
 |
1b092f |
+would log all debugging statements at the
|
|
 |
1b092f |
+\fIwarn\fR
|
|
 |
1b092f |
+level and higher in addition to those at the
|
|
 |
1b092f |
+\fIinfo\fR
|
|
 |
1b092f |
+level for the plugin subsystem.
|
|
 |
1b092f |
+.PP
|
|
 |
1b092f |
+Currently, only one
|
|
 |
1b092f |
+\fRDebug\fR
|
|
 |
1b092f |
+entry per program is supported.
|
|
 |
1b092f |
+The
|
|
 |
1b092f |
+\fBsudo\fR
|
|
 |
1b092f |
+\fRDebug\fR
|
|
 |
1b092f |
+entry is shared by the
|
|
 |
1b092f |
+\fBsudo\fR
|
|
 |
1b092f |
+front end,
|
|
 |
1b092f |
+\fBsudoedit\fR
|
|
 |
1b092f |
+and the plugins.
|
|
 |
1b092f |
+A future release may add support for per-plugin
|
|
 |
1b092f |
+\fRDebug\fR
|
|
 |
1b092f |
+lines and/or support for multiple debugging files for a single
|
|
 |
1b092f |
+program.
|
|
 |
1b092f |
+.PP
|
|
 |
1b092f |
+The priorities used by the
|
|
 |
1b092f |
+\fBsudo\fR
|
|
 |
1b092f |
+front end, in order of decreasing severity, are:
|
|
 |
1b092f |
+\fIcrit\fR, \fIerr\fR, \fIwarn\fR, \fInotice\fR, \fIdiag\fR, \fIinfo\fR, \fItrace\fR
|
|
 |
1b092f |
+and
|
|
 |
1b092f |
+\fIdebug\fR.
|
|
 |
1b092f |
+Each priority, when specified, also includes all priorities higher
|
|
 |
1b092f |
+than it.
|
|
 |
1b092f |
+For example, a priority of
|
|
 |
1b092f |
+\fInotice\fR
|
|
 |
1b092f |
+would include debug messages logged at
|
|
 |
1b092f |
+\fInotice\fR
|
|
 |
1b092f |
+and higher.
|
|
 |
1b092f |
+.PP
|
|
 |
1b092f |
+The following subsystems are used by the
|
|
 |
1b092f |
+\fBsudo\fR
|
|
 |
1b092f |
+front-end:
|
|
 |
1b092f |
+.TP 12n
|
|
 |
1b092f |
+\fIall\fR
|
|
 |
1b092f |
+matches every subsystem
|
|
 |
1b092f |
+.TP 12n
|
|
 |
1b092f |
+\fIargs\fR
|
|
 |
1b092f |
+command line argument processing
|
|
 |
1b092f |
+.TP 12n
|
|
 |
1b092f |
+\fIconv\fR
|
|
 |
1b092f |
+user conversation
|
|
 |
1b092f |
+.TP 12n
|
|
 |
1b092f |
+\fIedit\fR
|
|
 |
1b092f |
+sudoedit
|
|
 |
1b092f |
+.TP 12n
|
|
 |
1b092f |
+\fIexec\fR
|
|
 |
1b092f |
+command execution
|
|
 |
1b092f |
+.TP 12n
|
|
 |
1b092f |
+\fImain\fR
|
|
 |
1b092f |
+\fBsudo\fR
|
|
 |
1b092f |
+main function
|
|
 |
1b092f |
+.TP 12n
|
|
 |
1b092f |
+\fInetif\fR
|
|
 |
1b092f |
+network interface handling
|
|
 |
1b092f |
+.TP 12n
|
|
 |
1b092f |
+\fIpcomm\fR
|
|
 |
1b092f |
+communication with the plugin
|
|
 |
1b092f |
+.TP 12n
|
|
 |
1b092f |
+\fIplugin\fR
|
|
 |
1b092f |
+plugin configuration
|
|
 |
1b092f |
+.TP 12n
|
|
 |
1b092f |
+\fIpty\fR
|
|
 |
1b092f |
+pseudo-tty related code
|
|
 |
1b092f |
+.TP 12n
|
|
 |
1b092f |
+\fIselinux\fR
|
|
 |
1b092f |
+SELinux-specific handling
|
|
 |
1b092f |
+.TP 12n
|
|
 |
1b092f |
+\fIutil\fR
|
|
 |
1b092f |
+utility functions
|
|
 |
1b092f |
+.TP 12n
|
|
 |
1b092f |
+\fIutmp\fR
|
|
 |
1b092f |
+utmp handling
|
|
 |
1b092f |
+.SH "FILES"
|
|
 |
1b092f |
+.TP 26n
|
|
 |
1b092f |
+\fI@sysconfdir@/sudo.conf\fR
|
|
 |
1b092f |
+\fBsudo\fR
|
|
 |
1b092f |
+front end configuration
|
|
 |
1b092f |
+.SH "EXAMPLES"
|
|
 |
1b092f |
+.nf
|
|
 |
1b092f |
+.RS 0n
|
|
 |
1b092f |
+#
|
|
 |
1b092f |
+# Default @sysconfdir@/sudo.conf file
|
|
 |
1b092f |
+#
|
|
 |
1b092f |
+# Format:
|
|
 |
1b092f |
+# Plugin plugin_name plugin_path plugin_options ...
|
|
 |
1b092f |
+# Path askpass /path/to/askpass
|
|
 |
1b092f |
+# Path noexec /path/to/sudo_noexec.so
|
|
 |
1b092f |
+# Debug sudo /var/log/sudo_debug all@warn
|
|
 |
1b092f |
+# Set disable_coredump true
|
|
 |
1b092f |
+#
|
|
 |
1b092f |
+# The plugin_path is relative to @PLUGINDIR@ unless
|
|
 |
1b092f |
+# fully qualified.
|
|
 |
1b092f |
+# The plugin_name corresponds to a global symbol in the plugin
|
|
 |
1b092f |
+# that contains the plugin interface structure.
|
|
 |
1b092f |
+# The plugin_options are optional.
|
|
 |
1b092f |
+#
|
|
 |
1b092f |
+# The sudoers plugin is used by default if no Plugin lines are
|
|
 |
1b092f |
+# present.
|
|
 |
1b092f |
+Plugin policy_plugin sudoers.so
|
|
 |
1b092f |
+Plugin io_plugin sudoers.so
|
|
 |
1b092f |
+
|
|
 |
1b092f |
+#
|
|
 |
1b092f |
+# Sudo askpass:
|
|
 |
1b092f |
+#
|
|
 |
1b092f |
+# An askpass helper program may be specified to provide a graphical
|
|
 |
1b092f |
+# password prompt for "sudo -A" support. Sudo does not ship with
|
|
 |
1b092f |
+# its own askpass program but can use the OpenSSH askpass.
|
|
 |
1b092f |
+#
|
|
 |
1b092f |
+# Use the OpenSSH askpass
|
|
 |
1b092f |
+#Path askpass /usr/X11R6/bin/ssh-askpass
|
|
 |
1b092f |
+#
|
|
 |
1b092f |
+# Use the Gnome OpenSSH askpass
|
|
 |
1b092f |
+#Path askpass /usr/libexec/openssh/gnome-ssh-askpass
|
|
 |
1b092f |
+
|
|
 |
1b092f |
+#
|
|
 |
1b092f |
+# Sudo noexec:
|
|
 |
1b092f |
+#
|
|
 |
1b092f |
+# Path to a shared library containing dummy versions of the execv(),
|
|
 |
1b092f |
+# execve() and fexecve() library functions that just return an error.
|
|
 |
1b092f |
+# This is used to implement the "noexec" functionality on systems that
|
|
 |
1b092f |
+# support C<LD_PRELOAD> or its equivalent.
|
|
 |
1b092f |
+# The compiled-in value is usually sufficient and should only be
|
|
 |
1b092f |
+# changed if you rename or move the sudo_noexec.so file.
|
|
 |
1b092f |
+#
|
|
 |
1b092f |
+#Path noexec @noexec_file@
|
|
 |
1b092f |
+
|
|
 |
1b092f |
+#
|
|
 |
1b092f |
+# Core dumps:
|
|
 |
1b092f |
+#
|
|
 |
1b092f |
+# By default, sudo disables core dumps while it is executing
|
|
 |
1b092f |
+# (they are re-enabled for the command that is run).
|
|
 |
1b092f |
+# To aid in debugging sudo problems, you may wish to enable core
|
|
 |
1b092f |
+# dumps by setting "disable_coredump" to false.
|
|
 |
1b092f |
+#
|
|
 |
1b092f |
+#Set disable_coredump false
|
|
 |
1b092f |
+.RE
|
|
 |
1b092f |
+.fi
|
|
 |
1b092f |
+.SH "SEE ALSO"
|
|
 |
1b092f |
+sudoers(@mansectform@),
|
|
 |
1b092f |
+sudo(@mansectsu@),
|
|
 |
1b092f |
+sudo_plugin(@mansectsu@),
|
|
 |
1b092f |
+.SH "HISTORY"
|
|
 |
1b092f |
+See the HISTORY file in the
|
|
 |
1b092f |
+\fBsudo\fR
|
|
 |
1b092f |
+distribution (http://www.sudo.ws/sudo/history.html) for a brief
|
|
 |
1b092f |
+history of sudo.
|
|
 |
1b092f |
+.SH "AUTHORS"
|
|
 |
1b092f |
+Many people have worked on
|
|
 |
1b092f |
+\fBsudo\fR
|
|
 |
1b092f |
+over the years; this version consists of code written primarily by:
|
|
 |
1b092f |
+.sp
|
|
 |
1b092f |
+.RS 6n
|
|
 |
1b092f |
+Todd C. Miller
|
|
 |
1b092f |
+.RE
|
|
 |
1b092f |
+.PP
|
|
 |
1b092f |
+See the CONTRIBUTORS file in the
|
|
 |
1b092f |
+\fBsudo\fR
|
|
 |
1b092f |
+distribution (http://www.sudo.ws/sudo/contributors.html) for an
|
|
 |
1b092f |
+exhaustive list of people who have contributed to
|
|
 |
1b092f |
+\fBsudo\fR.
|
|
 |
1b092f |
+.SH "BUGS"
|
|
 |
1b092f |
+If you feel you have found a bug in
|
|
 |
1b092f |
+\fBsudo\fR,
|
|
 |
1b092f |
+please submit a bug report at http://www.sudo.ws/sudo/bugs/
|
|
 |
1b092f |
+.SH "SUPPORT"
|
|
 |
1b092f |
+Limited free support is available via the sudo-users mailing list,
|
|
 |
1b092f |
+see http://www.sudo.ws/mailman/listinfo/sudo-users to subscribe or
|
|
 |
1b092f |
+search the archives.
|
|
 |
1b092f |
+.SH "DISCLAIMER"
|
|
 |
1b092f |
+\fBsudo\fR
|
|
 |
1b092f |
+is provided
|
|
 |
1b092f |
+``AS IS''
|
|
 |
1b092f |
+and any express or implied warranties, including, but not limited
|
|
 |
1b092f |
+to, the implied warranties of merchantability and fitness for a
|
|
 |
1b092f |
+particular purpose are disclaimed.
|
|
 |
1b092f |
+See the LICENSE file distributed with
|
|
 |
1b092f |
+\fBsudo\fR
|
|
 |
1b092f |
+or http://www.sudo.ws/sudo/license.html for complete details.
|
|
 |
1b092f |
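--- a/doc/sudo.conf.mdoc.in
+++ b/doc/sudo.conf.mdoc.in
@@ -0,0 +1,430 @@
+.\"
+.\" Copyright (c) 2010-2013 Todd C. Miller <Todd.Miller@courtesan.com>
+.\"
+.\" Permission to use, copy, modify, and distribute this software for any
+.\" purpose with or without fee is hereby granted, provided that the above
+.\" copyright notice and this permission notice appear in all copies.
+.\"
+.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+.\" ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+.\"
+.Dd February 5, 2013
+.Dt SUDO @mansectform@
+.Os Sudo @PACKAGE_VERSION@
+.Sh NAME
+.Nm sudo.conf
+.Nd configuration for sudo front end
+.Sh DESCRIPTION
+The
+.Nm sudo.conf
+file is used to configure the
+.Nm sudo
+front end.
+It specifies the security policy and I/O logging plugins, debug flags
+as well as plugin-agnostic path names and settings.
+.Pp
+The
+.Nm sudo.conf
+file supports the following directives, described in detail below.
+.Bl -tag -width 8n
+.It Plugin
+a security policy or I/O logging plugin
+.It Path
+a plugin-agnostic path
+.It Set
+a front end setting, such as
+.Em disable_coredump
+or
+.Em group_source
+.It Debug
+debug flags to aid in debugging
+.Nm sudo ,
+.Nm sudoreplay ,
+.Nm visudo ,
+and the
+.Nm sudoers
+plugin.
+.El
+.Pp
+The pound sign
+.Pq Ql #
+is used to indicate a comment.
+Both the comment character and any text after it, up to the end of
+the line, are ignored.
+.Pp
+Non-comment lines that don't begin with
+.Li Plugin ,
+.Li Path ,
+.Li Debug ,
+or
+.Li Set
+are silently ignored.
+.Pp
+The
+.Nm sudo.conf
+file is always parsed in the
+.Dq Li C
+locale.
+.Ss Plugin configuration
+.Nm sudo
+supports a plugin architecture for security policies and input/output
+logging.
+Third parties can develop and distribute their own policy and I/O
+logging plugins to work seamlessly with the
+.Nm sudo
+front end.
+Plugins are dynamically loaded based on the contents of
+.Nm sudo.conf .
+.Pp
+A
+.Li Plugin
+line consists of the
+.Li Plugin
+keyword, followed by the
+.Em symbol_name
+and the
+.Em path
+to the shared object containing the plugin.
+The
+.Em symbol_name
+is the name of the
+.Li struct policy_plugin
+or
+.Li struct io_plugin
+in the plugin shared object.
+The
+.Em path
+may be fully qualified or relative.
+If not fully qualified, it is relative to the
+.Pa @PLUGINDIR@
+directory.
+In other words:
+.Bd -literal -offset indent
+Plugin sudoers_policy sudoers.so
+.Ed
+.Pp
+is equivalent to:
+.Bd -literal -offset indent
+Plugin sudoers_policy @PLUGINDIR@/sudoers.so
+.Ed
+.Pp
+Any additional parameters after the
+.Em path
+are passed as arguments to the plugin's
+.Em open
+function.
+For example, to override the compile-time default sudoers file mode:
+.Bd -literal -offset indent
+Plugin sudoers_policy sudoers.so sudoers_mode=0440
+.Ed
+.Pp
+If no
+.Nm sudo.conf
+file is present, or if it contains no
+.Li Plugin
+lines, the
+.Nm sudoers
+plugin will be used as the default security policy and for I/O logging
+(if enabled by the policy).
+This is equivalent to the following:
+.Bd -literal -offset indent
+Plugin policy_plugin sudoers.so
+Plugin io_plugin sudoers.so
+.Ed
+.Pp
+For more information on the
+.Nm sudo
+plugin architecture, see the
+.Xr sudo_plugin @mansectsu@
+manual.
+.Ss Path settings
+A
+.Li Path
+line consists of the
+.Li Path
+keyword, followed by the name of the path to set and its value.
+For example:
+.Bd -literal -offset indent
+Path noexec @noexec_file@
+Path askpass /usr/X11R6/bin/ssh-askpass
+.Ed
+.Pp
+The following plugin-agnostic paths may be set in the
+.Pa @sysconfdir@/sudo.conf
+file:
+.Bl -tag -width 8n
+.It askpass
+The fully qualified path to a helper program used to read the user's
+password when no terminal is available.
+This may be the case when
+.Nm sudo
+is executed from a graphical (as opposed to text-based) application.
+The program specified by
+.Em askpass
+should display the argument passed to it as the prompt and write
+the user's password to the standard output.
+The value of
+.Em askpass
+may be overridden by the
+.Ev SUDO_ASKPASS
+environment variable.
+.It noexec
+The fully-qualified path to a shared library containing dummy
+versions of the
+.Fn execv ,
+.Fn execve
+and
+.Fn fexecve
+library functions that just return an error.
+This is used to implement the
+.Em noexec
+functionality on systems that support
+.Ev LD_PRELOAD
+or its equivalent.
+The default value is:
+.Pa @noexec_file@ .
+.El
+.Ss Other settings
+The
+.Nm sudo.conf
+file also supports the following front end settings:
+.Bl -tag -width 8n
+.It disable_coredump
+Core dumps of
+.Nm sudo
+itself are disabled by default.
+To aid in debugging
+.Nm sudo
+crashes, you may wish to re-enable core dumps by setting
+.Dq disable_coredump
+to false in
+.Nm sudo.conf
+as follows:
+.Bd -literal -offset indent
+Set disable_coredump false
+.Ed
+.Pp
+Note that most operating systems disable core dumps from setuid programs,
+including
+.Nm sudo .
+To actually get a
+.Nm sudo
+core file you will likely need to enable core dumps for setuid processes.
+On BSD and Linux systems this is accomplished via the
+.Xr sysctl
+command.
+On Solaris, the
+.Xr coreadm
+command is used to configure core dump behavior.
+.Pp
+This setting is only available in
+.Nm sudo
+version 1.8.4 and higher.
+.El
+.Ss Debug flags
+.Nm sudo
+versions 1.8.4 and higher support a flexible debugging framework
+that can help track down what
+.Nm sudo
+is doing internally if there is a problem.
+.Pp
+A
+.Li Debug
+line consists of the
+.Li Debug
+keyword, followed by the name of the program (or plugin) to debug
+.Pq Nm sudo , Nm visudo , Nm sudoreplay , Nm sudoers ,
+the debug file name and a comma-separated list of debug flags.
+The debug flag syntax used by
+.Nm sudo
+and the
+.Nm sudoers
+plugin is
+.Em subsystem Ns No @ Ns Em priority
+but a plugin is free to use a different format so long as it does
+not include a comma
+.Pq Ql \&, .
+.Pp
+For example:
+.Bd -literal -offset indent
+Debug sudo /var/log/sudo_debug all@warn,plugin@info
+.Ed
+.Pp
+would log all debugging statements at the
+.Em warn
+level and higher in addition to those at the
+.Em info
+level for the plugin subsystem.
+.Pp
+Currently, only one
+.Li Debug
+entry per program is supported.
+The
+.Nm sudo
+.Li Debug
+entry is shared by the
+.Nm sudo
+front end,
+.Nm sudoedit
+and the plugins.
+A future release may add support for per-plugin
+.Li Debug
+lines and/or support for multiple debugging files for a single
+program.
+.Pp
+The priorities used by the
+.Nm sudo
+front end, in order of decreasing severity, are:
+.Em crit , err , warn , notice , diag , info , trace
+and
+.Em debug .
+Each priority, when specified, also includes all priorities higher
+than it.
+For example, a priority of
+.Em notice
+would include debug messages logged at
+.Em notice
+and higher.
+.Pp
+The following subsystems are used by the
+.Nm sudo
+front-end:
+.Bl -tag -width Fl
+.It Em all
+matches every subsystem
+.It Em args
+command line argument processing
+.It Em conv
+user conversation
+.It Em edit
+sudoedit
+.It Em exec
+command execution
+.It Em main
+.Nm sudo
+main function
+.It Em netif
+network interface handling
+.It Em pcomm
+communication with the plugin
+.It Em plugin
+plugin configuration
+.It Em pty
+pseudo-tty related code
+.It Em selinux
+SELinux-specific handling
+.It Em util
+utility functions
+.It Em utmp
+utmp handling
+.El
+.Sh FILES
+.Bl -tag -width 24n
+.It Pa @sysconfdir@/sudo.conf
+.Nm sudo
+front end configuration
+.El
+.Sh EXAMPLES
+.Bd -literal
+#
+# Default @sysconfdir@/sudo.conf file
+#
+# Format:
+# Plugin plugin_name plugin_path plugin_options ...
+# Path askpass /path/to/askpass
+# Path noexec /path/to/sudo_noexec.so
+# Debug sudo /var/log/sudo_debug all@warn
+# Set disable_coredump true
+#
+# The plugin_path is relative to @PLUGINDIR@ unless
+# fully qualified.
+# The plugin_name corresponds to a global symbol in the plugin
+# that contains the plugin interface structure.
+# The plugin_options are optional.
+#
+# The sudoers plugin is used by default if no Plugin lines are
+# present.
+Plugin policy_plugin sudoers.so
+Plugin io_plugin sudoers.so
+
+#
+# Sudo askpass:
+#
+# An askpass helper program may be specified to provide a graphical
+# password prompt for "sudo -A" support. Sudo does not ship with
+# its own askpass program but can use the OpenSSH askpass.
+#
+# Use the OpenSSH askpass
+#Path askpass /usr/X11R6/bin/ssh-askpass
+#
+# Use the Gnome OpenSSH askpass
+#Path askpass /usr/libexec/openssh/gnome-ssh-askpass
+
+#
+# Sudo noexec:
+#
+# Path to a shared library containing dummy versions of the execv(),
+# execve() and fexecve() library functions that just return an error.
+# This is used to implement the "noexec" functionality on systems that
+# support C<LD_PRELOAD> or its equivalent.
+# The compiled-in value is usually sufficient and should only be
+# changed if you rename or move the sudo_noexec.so file.
+#
+#Path noexec @noexec_file@
+
+#
+# Core dumps:
+#
+# By default, sudo disables core dumps while it is executing
+# (they are re-enabled for the command that is run).
+# To aid in debugging sudo problems, you may wish to enable core
+# dumps by setting "disable_coredump" to false.
+#
+#Set disable_coredump false
+.Ed
+.Sh SEE ALSO
+.Xr sudoers @mansectform@ ,
+.Xr sudo @mansectsu@ ,
+.Xr sudo_plugin @mansectsu@
+.Sh HISTORY
+See the HISTORY file in the
+.Nm sudo
+distribution (http://www.sudo.ws/sudo/history.html) for a brief
+history of sudo.
+.Sh AUTHORS
+Many people have worked on
+.Nm sudo
+over the years; this version consists of code written primarily by:
+.Bd -ragged -offset indent
+Todd C. Miller
+.Ed
+.Pp
+See the CONTRIBUTORS file in the
+.Nm sudo
+distribution (http://www.sudo.ws/sudo/contributors.html) for an
+exhaustive list of people who have contributed to
+.Nm sudo .
+.Sh BUGS
+If you feel you have found a bug in
+.Nm sudo ,
+please submit a bug report at http://www.sudo.ws/sudo/bugs/
+.Sh SUPPORT
+Limited free support is available via the sudo-users mailing list,
+see http://www.sudo.ws/mailman/listinfo/sudo-users to subscribe or
+search the archives.
+.Sh DISCLAIMER
+.Nm sudo
+is provided
+.Dq AS IS
+and any express or implied warranties, including, but not limited
+to, the implied warranties of merchantability and fitness for a
+particular purpose are disclaimed.
+See the LICENSE file distributed with
+.Nm sudo
+or http://www.sudo.ws/sudo/license.html for complete details.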
diff -up sudo-1.8.6p7/MANIFEST.sudoconfman sudo-1.8.6p7/MANIFEST
|
|
 |
1b092f |
--- sudo-1.8.6p7/MANIFEST.sudoconfman 2013-07-30 13:56:49.585965170 +0200
|
|
 |
1b092f |
+++ sudo-1.8.6p7/MANIFEST 2013-07-30 13:58:25.731323515 +0200
|
|
 |
1b092f |
@@ -348,6 +348,9 @@ src/tgetpass.c
|
|
 |
1b092f |
src/ttyname.c
|
|
 |
1b092f |
src/utmp.c
|
|
 |
1b092f |
sudo.pp
|
|
 |
1b092f |
+sudo/sudo.conf.cat
|
|
 |
1b092f |
+sudo/sudo.conf.man.in
|
|
 |
1b092f |
+sudo/sudo.conf.mdoc.in
|
|
 |
1b092f |
zlib/Makefile.in
|
|
 |
1b092f |
zlib/adler32.c
|
|
 |
1b092f |
zlib/compress.c
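Review bot: The three added MANIFEST entries use a `sudo/` prefix, but this same patch creates the files under `doc/` (its file header names `sudo-1.8.6p7/doc/sudo.conf.mdoc.in`). As written the manifest lists paths the patch never creates and omits the ones it does, so any packaging or completeness check driven by MANIFEST would presumably miss the new man page sources. The entries should read `doc/sudo.conf.cat`, `doc/sudo.conf.man.in` and `doc/sudo.conf.mdoc.in`. They would also fit better beside the manifest's other `doc/` entries than between `sudo.pp` and `zlib/Makefile.in`, assuming the file keeps the sorted order the surrounding context suggests.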
|