diff -up sudo-1.8.6p7/doc/Makefile.in.sudoconfman sudo-1.8.6p7/doc/Makefile.in
--- sudo-1.8.6p7/doc/Makefile.in.sudoconfman 2013-07-30 13:57:00.000004193 +0200
+++ sudo-1.8.6p7/doc/Makefile.in 2013-07-30 13:58:25.732323525 +0200
@@ -64,12 +64,13 @@ DEVEL = @DEVEL@
 SHELL = @SHELL@
-DOCS = sudo.$(mantype) visudo.$(mantype) sudoers.$(mantype) \
- sudoers.ldap.$(mantype) sudoers.$(mantype) \
+DOCS = sudo.$(mantype) visudo.$(mantype) sudo.conf.$(mantype) \
+ sudoers.$(mantype) sudoers.ldap.$(mantype) sudoers.$(mantype) \
 sudoreplay.$(mantype) sudo_plugin.$(mantype)
 DEVDOCS = $(srcdir)/sudo.man.in $(srcdir)/sudo.cat \
 $(srcdir)/visudo.man.in $(srcdir)/visudo.cat \
+ $(srcdir)/sudo.conf.man.in $(srcdir)/sudo.conf.cat \
 $(srcdir)/sudoers.man.in $(srcdir)/sudoers.cat \
 $(srcdir)/sudoers.ldap.man.in $(srcdir)/sudoers.ldap.cat \
 $(srcdir)/sudoers.man.in $(srcdir)/sudoers.cat \
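Review bot: The rewritten `DOCS` value still lists `sudoers.$(mantype)` twice, once before and once after `sudoers.ldap.$(mantype)` on the new continuation line; since this assignment is being rewritten anyway, the duplicate can go so the line reads `+ sudoers.$(mantype) sudoers.ldap.$(mantype) \`. The untouched `DEVDOCS` context below repeats the `$(srcdir)/sudoers.man.in $(srcdir)/sudoers.cat` pair the same way, which is pre-existing and may be worth a follow-up. The hunk's trailing context looks truncated on this page, so the end of the `DEVDOCS` assignment is not visible here.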
@@ -158,6 +159,34 @@ $(srcdir)/visudo.cat: varsub $(srcdir)/v
 visudo.cat: $(srcdir)/visudo.cat
+$(srcdir)/sudo.conf.man.in: $(srcdir)/sudo.conf.mdoc.in
+ @if [ -n "$(DEVEL)" ]; then \
+ echo "Generating $@"; \
+ mansectsu=`echo @MANSECTSU@|$(TR) A-Z a-z`; \
+ mansectform=`echo @MANSECTFORM@|$(TR) A-Z a-z`; \
+ printf '.\\" DO NOT EDIT THIS FILE, IT IS NOT THE MASTER!\n' > $@; \
+ printf '.\\" IT IS GENERATED AUTOMATICALLY FROM sudo.conf.mdoc.in\n' >> $@; \
+ $(SED) -n -e '/^.Dd/q' -e '/^\.\\/p' $(srcdir)/sudo.conf.mdoc.in >> $@; \
+ $(SED) -e "s/$$mansectsu/8/g" -e "s/$$mansectform/5/g" $(srcdir)/sudo.conf.mdoc.in | $(MANDOC) -Tman | $(SED) -e 's/^\(\.TH "VISUDO" \)"8"\(.*"\)OpenBSD \(.*\)/\1"'$$mansectsu'"\2\3/' -e "s/(5)/($$mansectform)/g" -e "s/(8)/($$mansectsu)/g" >> $@; \
+ fi
+
+sudo.conf.man.sed: $(srcdir)/fixman.sh
+ $(SHELL) $(srcdir)/fixman.sh $@
+
+sudo.conf.man: $(srcdir)/sudo.conf.man.in sudo.conf.man.sed
+ (cd $(top_builddir) && $(SHELL) config.status --file=-) < $(srcdir)/$@.in | $(SED) -f $@.sed > $@
+
+sudo.conf.mdoc: $(srcdir)/sudo.conf.mdoc.in
+ (cd $(top_builddir) && $(SHELL) config.status --file=doc/$@)
+
+$(srcdir)/sudo.conf.cat: varsub $(srcdir)/sudo.conf.mdoc.in
+ @if [ -n "$(DEVEL)" ]; then \
+ echo "Generating $@"; \
+ $(SED) -f varsub $(srcdir)/sudo.conf.mdoc.in | $(MANDOC) -mdoc | $(SED) -e 's/ OpenBSD \([^ ].* \)/ \1 /' -e 's/(5)/(4)/g' -e 's/(8)/(1m)/g' > $@; \
+ fi
+
+sudo.conf.cat: $(srcdir)/sudo.conf.cat
+
 $(srcdir)/sudoers.man.in: $(srcdir)/sudoers.mdoc.in
 @if [ -n "$(DEVEL)" ]; then \
 echo "Generating $@"; \
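Review bot: The `.TH` fix-up in the new `$(srcdir)/sudo.conf.man.in` rule was carried over from the visudo rule and can never match this page: it looks for `\.TH "VISUDO" "8"`, but the mdoc source declares `.Dt SUDO @mansectform@` and the preceding sed maps `@mansectform@` to 5, so mandoc emits `.TH "SUDO" "5"` and neither the section nor the `OpenBSD ` prefix is rewritten. The generated sudo.conf.man.in later in this patch shows exactly that result, `.TH "SUDO" "5" ... "OpenBSD Programmer's Manual"`, meaning the installed page header carries a hard-coded section 5 instead of the configured form section. The expression should read `-e 's/^\(\.TH "SUDO" \)"5"\(.*"\)OpenBSD \(.*\)/\1"'$$mansectform'"\2\3/'`. Separately, `.Dt SUDO` titles this page SUDO rather than SUDO.CONF (the cat output header reads `SUDO(4)`), which collides with the sudo(8) page title; if `.Dt` is changed to `SUDO.CONF @mansectform@`, the pattern above must use `"SUDO.CONF"` as well.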
@@ -292,10 +321,11 @@ install-doc: install-dirs
 $(INSTALL) -O $(install_uid) -G $(install_gid) -m 0644 @mansrcdir@/sudo_plugin.$(mantype) $(DESTDIR)$(mandirsu)/sudo_plugin.$(mansectsu)
 $(INSTALL) -O $(install_uid) -G $(install_gid) -m 0644 @mansrcdir@/sudoreplay.$(mantype) $(DESTDIR)$(mandirsu)/sudoreplay.$(mansectsu)
 $(INSTALL) -O $(install_uid) -G $(install_gid) -m 0644 @mansrcdir@/visudo.$(mantype) $(DESTDIR)$(mandirsu)/visudo.$(mansectsu)
+ $(INSTALL) -O $(install_uid) -G $(install_gid) -m 0644 @mansrcdir@/sudo.conf.$(mantype) $(DESTDIR)$(mandirform)/sudo.conf.$(mansectform)
 $(INSTALL) -O $(install_uid) -G $(install_gid) -m 0644 @mansrcdir@/sudoers.$(mantype) $(DESTDIR)$(mandirform)/sudoers.$(mansectform)
 @LDAP@$(INSTALL) -O $(install_uid) -G $(install_gid) -m 0644 @mansrcdir@/sudoers.ldap.$(mantype) $(DESTDIR)$(mandirform)/sudoers.ldap.$(mansectform)
 @if test -n "$(MANCOMPRESS)"; then \
- for f in $(mandirsu)/sudo.$(mansectsu) $(mandirsu)/sudo_plugin.$(mansectsu) $(mandirsu)/sudoreplay.$(mansectsu) $(mandirsu)/visudo.$(mansectsu) $(mandirform)/sudoers.$(mansectform) $(mandirform)/sudoers.ldap.$(mansectform); do \
+ for f in $(mandirsu)/sudo.$(mansectsu) $(mandirsu)/sudo_plugin.$(mansectsu) $(mandirsu)/sudoreplay.$(mansectsu) $(mandirsu)/visudo.$(mansectsu) $(mandirform)/sudo.conf.$(mansectform) $(mandirform)/sudoers.$(mansectform) $(mandirform)/sudoers.ldap.$(mansectform); do \
 if test -f $(DESTDIR)$$f; then \
 echo $(MANCOMPRESS) -f $(DESTDIR)$$f; \
 $(MANCOMPRESS) -f $(DESTDIR)$$f; \
@@ -319,6 +349,7 @@ uninstall:
 $(DESTDIR)$(mandirsu)/sudo_plugin.$(mansectsu) \
 $(DESTDIR)$(mandirsu)/sudoreplay.$(mansectsu) \
 $(DESTDIR)$(mandirsu)/visudo.$(mansectsu) \
+ $(DESTDIR)$(mandirform)/sudo.conf.$(mansectform) \
 $(DESTDIR)$(mandirform)/sudoers.$(mansectform) \
 $(DESTDIR)$(mandirform)/sudoers.ldap.$(mansectform)
diff -up sudo-1.8.6p7/doc/sudo.conf.cat.sudoconfman sudo-1.8.6p7/doc/sudo.conf.cat
--- sudo-1.8.6p7/doc/sudo.conf.cat.sudoconfman 2013-07-30 13:58:15.401285217 +0200
+++ sudo-1.8.6p7/doc/sudo.conf.cat 2013-07-30 13:58:25.733323538 +0200
@@ -0,0 +1,263 @@ +SUDO(4) Programmer's Manual SUDO(4) + +NNAAMMEE + ssuuddoo..ccoonnff - configuration for sudo front end + +DDEESSCCRRIIPPTTIIOONN + The ssuuddoo..ccoonnff file is used to configure the ssuuddoo front end. It specifies + the security policy and I/O logging plugins, debug flags as well as + plugin-agnostic path names and settings. + + The ssuuddoo..ccoonnff file supports the following directives, described in detail + below. + + Plugin a security policy or I/O logging plugin + + Path a plugin-agnostic path + + Set a front end setting, such as _d_i_s_a_b_l_e___c_o_r_e_d_u_m_p or _g_r_o_u_p___s_o_u_r_c_e + + Debug debug flags to aid in debugging ssuuddoo, ssuuddoorreeppllaayy, vviissuuddoo, and + the ssuuddooeerrss plugin. + + The pound sign (`#') is used to indicate a comment. Both the comment + character and any text after it, up to the end of the line, are ignored. + + Non-comment lines that don't begin with Plugin, Path, Debug, or Set are + silently ignored. + + The ssuuddoo..ccoonnff file is always parsed in the ``C'' locale. + + PPlluuggiinn ccoonnffiigguurraattiioonn + ssuuddoo supports a plugin architecture for security policies and + input/output logging. Third parties can develop and distribute their own + policy and I/O logging plugins to work seamlessly with the ssuuddoo front + end. Plugins are dynamically loaded based on the contents of ssuuddoo..ccoonnff. + + A Plugin line consists of the Plugin keyword, followed by the _s_y_m_b_o_l___n_a_m_e + and the _p_a_t_h to the shared object containing the plugin. The _s_y_m_b_o_l___n_a_m_e + is the name of the struct policy_plugin or struct io_plugin in the plugin + shared object. The _p_a_t_h may be fully qualified or relative. If not + fully qualified, it is relative to the _/_u_s_r_/_l_o_c_a_l_/_l_i_b_e_x_e_c directory. 
In + other words: + + Plugin sudoers_policy sudoers.so + + is equivalent to: + + Plugin sudoers_policy /usr/local/libexec/sudoers.so + + Any additional parameters after the _p_a_t_h are passed as arguments to the + plugin's _o_p_e_n function. For example, to override the compile-time + default sudoers file mode: + + Plugin sudoers_policy sudoers.so sudoers_mode=0440 + + If no ssuuddoo..ccoonnff file is present, or if it contains no Plugin lines, the + ssuuddooeerrss plugin will be used as the default security policy and for I/O + logging (if enabled by the policy). This is equivalent to the following: + + Plugin policy_plugin sudoers.so + Plugin io_plugin sudoers.so + + For more information on the ssuuddoo plugin architecture, see the + sudo_plugin(1m) manual. + + PPaatthh sseettttiinnggss + A Path line consists of the Path keyword, followed by the name of the + path to set and its value. For example: + + Path noexec /usr/local/libexec/sudo_noexec.so + Path askpass /usr/X11R6/bin/ssh-askpass + + The following plugin-agnostic paths may be set in the _/_e_t_c_/_s_u_d_o_._c_o_n_f + file: + + askpass The fully qualified path to a helper program used to read the + user's password when no terminal is available. This may be the + case when ssuuddoo is executed from a graphical (as opposed to + text-based) application. The program specified by _a_s_k_p_a_s_s + should display the argument passed to it as the prompt and + write the user's password to the standard output. The value of + _a_s_k_p_a_s_s may be overridden by the SUDO_ASKPASS environment + variable. + + noexec The fully-qualified path to a shared library containing dummy + versions of the eexxeeccvv(), eexxeeccvvee() and ffeexxeeccvvee() library + functions that just return an error. This is used to implement + the _n_o_e_x_e_c functionality on systems that support LD_PRELOAD or + its equivalent. The default value is: + _/_u_s_r_/_l_o_c_a_l_/_l_i_b_e_x_e_c_/_s_u_d_o___n_o_e_x_e_c_._s_o. 
+ + OOtthheerr sseettttiinnggss + The ssuuddoo..ccoonnff file also supports the following front end settings: + + disable_coredump + Core dumps of ssuuddoo itself are disabled by default. To aid in + debugging ssuuddoo crashes, you may wish to re-enable core dumps by + setting ``disable_coredump'' to false in ssuuddoo..ccoonnff as follows: + + Set disable_coredump false + + Note that most operating systems disable core dumps from setuid + programs, including ssuuddoo. To actually get a ssuuddoo core file you + will likely need to enable core dumps for setuid processes. On + BSD and Linux systems this is accomplished via the sysctl + command. On Solaris, the coreadm command is used to configure + core dump behavior. + + This setting is only available in ssuuddoo version 1.8.4 and + higher. + + DDeebbuugg ffllaaggss + ssuuddoo versions 1.8.4 and higher support a flexible debugging framework + that can help track down what ssuuddoo is doing internally if there is a + problem. + + A Debug line consists of the Debug keyword, followed by the name of the + program (or plugin) to debug (ssuuddoo, vviissuuddoo, ssuuddoorreeppllaayy, ssuuddooeerrss), the + debug file name and a comma-separated list of debug flags. The debug + flag syntax used by ssuuddoo and the ssuuddooeerrss plugin is _s_u_b_s_y_s_t_e_m@_p_r_i_o_r_i_t_y but + a plugin is free to use a different format so long as it does not include + a comma (`,'). + + For example: + + Debug sudo /var/log/sudo_debug all@warn,plugin@info + + would log all debugging statements at the _w_a_r_n level and higher in + addition to those at the _i_n_f_o level for the plugin subsystem. + + Currently, only one Debug entry per program is supported. The ssuuddoo Debug + entry is shared by the ssuuddoo front end, ssuuddooeeddiitt and the plugins. A + future release may add support for per-plugin Debug lines and/or support + for multiple debugging files for a single program. 
+ + The priorities used by the ssuuddoo front end, in order of decreasing + severity, are: _c_r_i_t, _e_r_r, _w_a_r_n, _n_o_t_i_c_e, _d_i_a_g, _i_n_f_o, _t_r_a_c_e and _d_e_b_u_g. + Each priority, when specified, also includes all priorities higher than + it. For example, a priority of _n_o_t_i_c_e would include debug messages + logged at _n_o_t_i_c_e and higher. + + The following subsystems are used by the ssuuddoo front-end: + + _a_l_l matches every subsystem + + _a_r_g_s command line argument processing + + _c_o_n_v user conversation + + _e_d_i_t sudoedit + + _e_x_e_c command execution + + _m_a_i_n ssuuddoo main function + + _n_e_t_i_f network interface handling + + _p_c_o_m_m communication with the plugin + + _p_l_u_g_i_n plugin configuration + + _p_t_y pseudo-tty related code + + _s_e_l_i_n_u_x SELinux-specific handling + + _u_t_i_l utility functions + + _u_t_m_p utmp handling + +FFIILLEESS + _/_e_t_c_/_s_u_d_o_._c_o_n_f ssuuddoo front end configuration + +EEXXAAMMPPLLEESS + # + # Default /etc/sudo.conf file + # + # Format: + # Plugin plugin_name plugin_path plugin_options ... + # Path askpass /path/to/askpass + # Path noexec /path/to/sudo_noexec.so + # Debug sudo /var/log/sudo_debug all@warn + # Set disable_coredump true + # + # The plugin_path is relative to /usr/local/libexec unless + # fully qualified. + # The plugin_name corresponds to a global symbol in the plugin + # that contains the plugin interface structure. + # The plugin_options are optional. + # + # The sudoers plugin is used by default if no Plugin lines are + # present. + Plugin policy_plugin sudoers.so + Plugin io_plugin sudoers.so + + # + # Sudo askpass: + # + # An askpass helper program may be specified to provide a graphical + # password prompt for "sudo -A" support. Sudo does not ship with + # its own askpass program but can use the OpenSSH askpass. 
+ # + # Use the OpenSSH askpass + #Path askpass /usr/X11R6/bin/ssh-askpass + # + # Use the Gnome OpenSSH askpass + #Path askpass /usr/libexec/openssh/gnome-ssh-askpass + + # + # Sudo noexec: + # + # Path to a shared library containing dummy versions of the execv(), + # execve() and fexecve() library functions that just return an error. + # This is used to implement the "noexec" functionality on systems that + # support C or its equivalent. + # The compiled-in value is usually sufficient and should only be + # changed if you rename or move the sudo_noexec.so file. + # + #Path noexec /usr/local/libexec/sudo_noexec.so + + # + # Core dumps: + # + # By default, sudo disables core dumps while it is executing + # (they are re-enabled for the command that is run). + # To aid in debugging sudo problems, you may wish to enable core + # dumps by setting "disable_coredump" to false. + # + #Set disable_coredump false + +SSEEEE AALLSSOO + sudoers(4), sudo(1m), sudo_plugin(1m), + +HHIISSTTOORRYY + See the HISTORY file in the ssuuddoo distribution + (http://www.sudo.ws/sudo/history.html) for a brief history of sudo. + +AAUUTTHHOORRSS + Many people have worked on ssuuddoo over the years; this version consists of + code written primarily by: + + Todd C. Miller + + See the CONTRIBUTORS file in the ssuuddoo distribution + (http://www.sudo.ws/sudo/contributors.html) for an exhaustive list of + people who have contributed to ssuuddoo. + +BBUUGGSS + If you feel you have found a bug in ssuuddoo, please submit a bug report at + http://www.sudo.ws/sudo/bugs/ + +SSUUPPPPOORRTT + Limited free support is available via the sudo-users mailing list, see + http://www.sudo.ws/mailman/listinfo/sudo-users to subscribe or search the + archives. + +DDIISSCCLLAAIIMMEERR + ssuuddoo is provided ``AS IS'' and any express or implied warranties, + including, but not limited to, the implied warranties of merchantability + and fitness for a particular purpose are disclaimed. 
See the LICENSE
+ file distributed with ssuuddoo or http://www.sudo.ws/sudo/license.html for
+ complete details.
+
+Sudo 1.8.6p7 February 1, 2013 Sudo 1.8.6p7
diff -up sudo-1.8.6p7/doc/sudo.conf.man.in.sudoconfman sudo-1.8.6p7/doc/sudo.conf.man.in
--- sudo-1.8.6p7/doc/sudo.conf.man.in.sudoconfman 2013-07-30 13:58:15.401285217 +0200
+++ sudo-1.8.6p7/doc/sudo.conf.man.in 2013-07-30 13:58:25.733323538 +0200
@@ -0,0 +1,470 @@ +.\" DO NOT EDIT THIS FILE, IT IS NOT THE MASTER! +.\" IT IS GENERATED AUTOMATICALLY FROM sudo.conf.mdoc.in +.\" +.\" Copyright (c) 2010-2013 Todd C. Miller +.\" +.\" Permission to use, copy, modify, and distribute this software for any +.\" purpose with or without fee is hereby granted, provided that the above +.\" copyright notice and this permission notice appear in all copies. +.\" +.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES +.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF +.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR +.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES +.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN +.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF +.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. +.\" ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. +.\" +.TH "SUDO" "5" "February 1, 2013" "Sudo @PACKAGE_VERSION@" "OpenBSD Programmer's Manual" +.nh +.if n .ad l +.SH "NAME" +\fBsudo.conf\fR +\- configuration for sudo front end +.SH "DESCRIPTION" +The +\fBsudo.conf\fR +file is used to configure the +\fBsudo\fR +front end. +It specifies the security policy and I/O logging plugins, debug flags +as well as plugin-agnostic path names and settings. +.PP +The +\fBsudo.conf\fR +file supports the following directives, described in detail below. +.TP 10n +Plugin +a security policy or I/O logging plugin +.TP 10n +Path +a plugin-agnostic path +.TP 10n +Set +a front end setting, such as +\fIdisable_coredump\fR +or +\fIgroup_source\fR +.TP 10n +Debug +debug flags to aid in debugging +\fBsudo\fR, +\fBsudoreplay\fR, +\fBvisudo\fR, +and the +\fBsudoers\fR +plugin. +.PP +The pound sign +(`#') +is used to indicate a comment. +Both the comment character and any text after it, up to the end of +the line, are ignored. 
+.PP +Non-comment lines that don't begin with +\fRPlugin\fR, +\fRPath\fR, +\fRDebug\fR, +or +\fRSet\fR +are silently ignored. +.PP +The +\fBsudo.conf\fR +file is always parsed in the +``\fRC\fR'' +locale. +.SS "Plugin configuration" +\fBsudo\fR +supports a plugin architecture for security policies and input/output +logging. +Third parties can develop and distribute their own policy and I/O +logging plugins to work seamlessly with the +\fBsudo\fR +front end. +Plugins are dynamically loaded based on the contents of +\fBsudo.conf\fR. +.PP +A +\fRPlugin\fR +line consists of the +\fRPlugin\fR +keyword, followed by the +\fIsymbol_name\fR +and the +\fIpath\fR +to the shared object containing the plugin. +The +\fIsymbol_name\fR +is the name of the +\fRstruct policy_plugin\fR +or +\fRstruct io_plugin\fR +in the plugin shared object. +The +\fIpath\fR +may be fully qualified or relative. +If not fully qualified, it is relative to the +\fI@PLUGINDIR@\fR +directory. +In other words: +.nf +.sp +.RS 6n +Plugin sudoers_policy sudoers.so +.RE +.fi +.PP +is equivalent to: +.nf +.sp +.RS 6n +Plugin sudoers_policy @PLUGINDIR@/sudoers.so +.RE +.fi +.PP +Any additional parameters after the +\fIpath\fR +are passed as arguments to the plugin's +\fIopen\fR +function. +For example, to override the compile-time default sudoers file mode: +.nf +.sp +.RS 6n +Plugin sudoers_policy sudoers.so sudoers_mode=0440 +.RE +.fi +.PP +If no +\fBsudo.conf\fR +file is present, or if it contains no +\fRPlugin\fR +lines, the +\fBsudoers\fR +plugin will be used as the default security policy and for I/O logging +(if enabled by the policy). +This is equivalent to the following: +.nf +.sp +.RS 6n +Plugin policy_plugin sudoers.so +Plugin io_plugin sudoers.so +.RE +.fi +.PP +For more information on the +\fBsudo\fR +plugin architecture, see the +sudo_plugin(@mansectsu@) +manual. +.SS "Path settings" +A +\fRPath\fR +line consists of the +\fRPath\fR +keyword, followed by the name of the path to set and its value. 
+For example: +.nf +.sp +.RS 6n +Path noexec @noexec_file@ +Path askpass /usr/X11R6/bin/ssh-askpass +.RE +.fi +.PP +The following plugin-agnostic paths may be set in the +\fI@sysconfdir@/sudo.conf\fR +file: +.TP 10n +askpass +The fully qualified path to a helper program used to read the user's +password when no terminal is available. +This may be the case when +\fBsudo\fR +is executed from a graphical (as opposed to text-based) application. +The program specified by +\fIaskpass\fR +should display the argument passed to it as the prompt and write +the user's password to the standard output. +The value of +\fIaskpass\fR +may be overridden by the +\fRSUDO_ASKPASS\fR +environment variable. +.TP 10n +noexec +The fully-qualified path to a shared library containing dummy +versions of the +\fBexecv\fR(), +\fBexecve\fR() +and +\fBfexecve\fR() +library functions that just return an error. +This is used to implement the +\fInoexec\fR +functionality on systems that support +\fRLD_PRELOAD\fR +or its equivalent. +The default value is: +\fI@noexec_file@\fR. +.SS "Other settings" +The +\fBsudo.conf\fR +file also supports the following front end settings: +.TP 10n +disable_coredump +Core dumps of +\fBsudo\fR +itself are disabled by default. +To aid in debugging +\fBsudo\fR +crashes, you may wish to re-enable core dumps by setting +``disable_coredump'' +to false in +\fBsudo.conf\fR +as follows: +.RS +.nf +.sp +.RS 6n +Set disable_coredump false +.RE +.fi +.sp +Note that most operating systems disable core dumps from setuid programs, +including +\fBsudo\fR. +To actually get a +\fBsudo\fR +core file you will likely need to enable core dumps for setuid processes. +On BSD and Linux systems this is accomplished via the +sysctl +command. +On Solaris, the +coreadm +command is used to configure core dump behavior. +.sp +This setting is only available in +\fBsudo\fR +version 1.8.4 and higher. 
+.PP +.RE +.SS "Debug flags" +\fBsudo\fR +versions 1.8.4 and higher support a flexible debugging framework +that can help track down what +\fBsudo\fR +is doing internally if there is a problem. +.PP +A +\fRDebug\fR +line consists of the +\fRDebug\fR +keyword, followed by the name of the program (or plugin) to debug +(\fBsudo\fR, \fBvisudo\fR, \fBsudoreplay\fR, \fBsudoers\fR), +the debug file name and a comma-separated list of debug flags. +The debug flag syntax used by +\fBsudo\fR +and the +\fBsudoers\fR +plugin is +\fIsubsystem\fR@\fIpriority\fR +but a plugin is free to use a different format so long as it does +not include a comma +(`\&,'). +.PP +For example: +.nf +.sp +.RS 6n +Debug sudo /var/log/sudo_debug all@warn,plugin@info +.RE +.fi +.PP +would log all debugging statements at the +\fIwarn\fR +level and higher in addition to those at the +\fIinfo\fR +level for the plugin subsystem. +.PP +Currently, only one +\fRDebug\fR +entry per program is supported. +The +\fBsudo\fR +\fRDebug\fR +entry is shared by the +\fBsudo\fR +front end, +\fBsudoedit\fR +and the plugins. +A future release may add support for per-plugin +\fRDebug\fR +lines and/or support for multiple debugging files for a single +program. +.PP +The priorities used by the +\fBsudo\fR +front end, in order of decreasing severity, are: +\fIcrit\fR, \fIerr\fR, \fIwarn\fR, \fInotice\fR, \fIdiag\fR, \fIinfo\fR, \fItrace\fR +and +\fIdebug\fR. +Each priority, when specified, also includes all priorities higher +than it. +For example, a priority of +\fInotice\fR +would include debug messages logged at +\fInotice\fR +and higher. 
+.PP +The following subsystems are used by the +\fBsudo\fR +front-end: +.TP 12n +\fIall\fR +matches every subsystem +.TP 12n +\fIargs\fR +command line argument processing +.TP 12n +\fIconv\fR +user conversation +.TP 12n +\fIedit\fR +sudoedit +.TP 12n +\fIexec\fR +command execution +.TP 12n +\fImain\fR +\fBsudo\fR +main function +.TP 12n +\fInetif\fR +network interface handling +.TP 12n +\fIpcomm\fR +communication with the plugin +.TP 12n +\fIplugin\fR +plugin configuration +.TP 12n +\fIpty\fR +pseudo-tty related code +.TP 12n +\fIselinux\fR +SELinux-specific handling +.TP 12n +\fIutil\fR +utility functions +.TP 12n +\fIutmp\fR +utmp handling +.SH "FILES" +.TP 26n +\fI@sysconfdir@/sudo.conf\fR +\fBsudo\fR +front end configuration +.SH "EXAMPLES" +.nf +.RS 0n +# +# Default @sysconfdir@/sudo.conf file +# +# Format: +# Plugin plugin_name plugin_path plugin_options ... +# Path askpass /path/to/askpass +# Path noexec /path/to/sudo_noexec.so +# Debug sudo /var/log/sudo_debug all@warn +# Set disable_coredump true +# +# The plugin_path is relative to @PLUGINDIR@ unless +# fully qualified. +# The plugin_name corresponds to a global symbol in the plugin +# that contains the plugin interface structure. +# The plugin_options are optional. +# +# The sudoers plugin is used by default if no Plugin lines are +# present. +Plugin policy_plugin sudoers.so +Plugin io_plugin sudoers.so + +# +# Sudo askpass: +# +# An askpass helper program may be specified to provide a graphical +# password prompt for "sudo -A" support. Sudo does not ship with +# its own askpass program but can use the OpenSSH askpass. +# +# Use the OpenSSH askpass +#Path askpass /usr/X11R6/bin/ssh-askpass +# +# Use the Gnome OpenSSH askpass +#Path askpass /usr/libexec/openssh/gnome-ssh-askpass + +# +# Sudo noexec: +# +# Path to a shared library containing dummy versions of the execv(), +# execve() and fexecve() library functions that just return an error. 
+# This is used to implement the "noexec" functionality on systems that +# support C or its equivalent. +# The compiled-in value is usually sufficient and should only be +# changed if you rename or move the sudo_noexec.so file. +# +#Path noexec @noexec_file@ + +# +# Core dumps: +# +# By default, sudo disables core dumps while it is executing +# (they are re-enabled for the command that is run). +# To aid in debugging sudo problems, you may wish to enable core +# dumps by setting "disable_coredump" to false. +# +#Set disable_coredump false +.RE +.fi +.SH "SEE ALSO" +sudoers(@mansectform@), +sudo(@mansectsu@), +sudo_plugin(@mansectsu@), +.SH "HISTORY" +See the HISTORY file in the +\fBsudo\fR +distribution (http://www.sudo.ws/sudo/history.html) for a brief +history of sudo. +.SH "AUTHORS" +Many people have worked on +\fBsudo\fR +over the years; this version consists of code written primarily by: +.sp +.RS 6n +Todd C. Miller +.RE +.PP +See the CONTRIBUTORS file in the +\fBsudo\fR +distribution (http://www.sudo.ws/sudo/contributors.html) for an +exhaustive list of people who have contributed to +\fBsudo\fR. +.SH "BUGS" +If you feel you have found a bug in +\fBsudo\fR, +please submit a bug report at http://www.sudo.ws/sudo/bugs/ +.SH "SUPPORT" +Limited free support is available via the sudo-users mailing list, +see http://www.sudo.ws/mailman/listinfo/sudo-users to subscribe or +search the archives. +.SH "DISCLAIMER" +\fBsudo\fR +is provided +``AS IS'' +and any express or implied warranties, including, but not limited +to, the implied warranties of merchantability and fitness for a +particular purpose are disclaimed. +See the LICENSE file distributed with +\fBsudo\fR +or http://www.sudo.ws/sudo/license.html for complete details. 
diff -up sudo-1.8.6p7/doc/sudo.conf.mdoc.in.sudoconfman sudo-1.8.6p7/doc/sudo.conf.mdoc.in
--- sudo-1.8.6p7/doc/sudo.conf.mdoc.in.sudoconfman 2013-07-30 13:58:15.401285217 +0200
+++ sudo-1.8.6p7/doc/sudo.conf.mdoc.in 2013-07-30 13:58:25.734323547 +0200
@@ -0,0 +1,430 @@
+.\"
+.\" Copyright (c) 2010-2013 Todd C. Miller
+.\"
+.\" Permission to use, copy, modify, and distribute this software for any
+.\" purpose with or without fee is hereby granted, provided that the above
+.\" copyright notice and this permission notice appear in all copies.
+.\"
+.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+.\" ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+.\"
+.Dd February 5, 2013
+.Dt SUDO @mansectform@
+.Os Sudo @PACKAGE_VERSION@
+.Sh NAME
+.Nm sudo.conf
+.Nd configuration for sudo front end
+.Sh DESCRIPTION
+The
+.Nm sudo.conf
+file is used to configure the
+.Nm sudo
+front end.
+It specifies the security policy and I/O logging plugins, debug flags
+as well as plugin-agnostic path names and settings.
+.Pp
+The
+.Nm sudo.conf
+file supports the following directives, described in detail below.
+.Bl -tag -width 8n
+.It Plugin
+a security policy or I/O logging plugin
+.It Path
+a plugin-agnostic path
+.It Set
+a front end setting, such as
+.Em disable_coredump
+or
+.Em group_source
+.It Debug
+debug flags to aid in debugging
+.Nm sudo ,
+.Nm sudoreplay ,
+.Nm visudo ,
+and the
+.Nm sudoers
+plugin.
+.El
+.Pp
+The pound sign
+.Pq Ql #
+is used to indicate a comment.
+Both the comment character and any text after it, up to the end of
+the line, are ignored.
+.Pp
+Non-comment lines that don't begin with
+.Li Plugin ,
+.Li Path ,
+.Li Debug ,
+or
+.Li Set
+are silently ignored.
+.Pp
+The
+.Nm sudo.conf
+file is always parsed in the
+.Dq Li C
+locale.
+.Ss Plugin configuration
+.Nm sudo
+supports a plugin architecture for security policies and input/output
+logging.
+Third parties can develop and distribute their own policy and I/O
+logging plugins to work seamlessly with the
+.Nm sudo
+front end.
+Plugins are dynamically loaded based on the contents of
+.Nm sudo.conf .
+.Pp
+A
+.Li Plugin
+line consists of the
+.Li Plugin
+keyword, followed by the
+.Em symbol_name
+and the
+.Em path
+to the shared object containing the plugin.
+The
+.Em symbol_name
+is the name of the
+.Li struct policy_plugin
+or
+.Li struct io_plugin
+in the plugin shared object.
+The
+.Em path
+may be fully qualified or relative.
+If not fully qualified, it is relative to the
+.Pa @PLUGINDIR@
+directory.
+In other words:
+.Bd -literal -offset indent
+Plugin sudoers_policy sudoers.so
+.Ed
+.Pp
+is equivalent to:
+.Bd -literal -offset indent
+Plugin sudoers_policy @PLUGINDIR@/sudoers.so
+.Ed
+.Pp
+Any additional parameters after the
+.Em path
+are passed as arguments to the plugin's
+.Em open
+function.
+For example, to override the compile-time default sudoers file mode:
+.Bd -literal -offset indent
+Plugin sudoers_policy sudoers.so sudoers_mode=0440
+.Ed
+.Pp
+If no
+.Nm sudo.conf
+file is present, or if it contains no
+.Li Plugin
+lines, the
+.Nm sudoers
+plugin will be used as the default security policy and for I/O logging
+(if enabled by the policy).
+This is equivalent to the following:
+.Bd -literal -offset indent
+Plugin policy_plugin sudoers.so
+Plugin io_plugin sudoers.so
+.Ed
+.Pp
+For more information on the
+.Nm sudo
+plugin architecture, see the
+.Xr sudo_plugin @mansectsu@
+manual.
+.Ss Path settings
+A
+.Li Path
+line consists of the
+.Li Path
+keyword, followed by the name of the path to set and its value.
+For example:
+.Bd -literal -offset indent
+Path noexec @noexec_file@
+Path askpass /usr/X11R6/bin/ssh-askpass
+.Ed
+.Pp
+The following plugin-agnostic paths may be set in the
+.Pa @sysconfdir@/sudo.conf
+file:
+.Bl -tag -width 8n
+.It askpass
+The fully qualified path to a helper program used to read the user's
+password when no terminal is available.
+This may be the case when
+.Nm sudo
+is executed from a graphical (as opposed to text-based) application.
+The program specified by
+.Em askpass
+should display the argument passed to it as the prompt and write
+the user's password to the standard output.
+The value of
+.Em askpass
+may be overridden by the
+.Ev SUDO_ASKPASS
+environment variable.
+.It noexec
+The fully-qualified path to a shared library containing dummy
+versions of the
+.Fn execv ,
+.Fn execve
+and
+.Fn fexecve
+library functions that just return an error.
+This is used to implement the
+.Em noexec
+functionality on systems that support
+.Ev LD_PRELOAD
+or its equivalent.
+The default value is:
+.Pa @noexec_file@ .
+.El
+.Ss Other settings
+The
+.Nm sudo.conf
+file also supports the following front end settings:
+.Bl -tag -width 8n
+.It disable_coredump
+Core dumps of
+.Nm sudo
+itself are disabled by default.
+To aid in debugging
+.Nm sudo
+crashes, you may wish to re-enable core dumps by setting
+.Dq disable_coredump
+to false in
+.Nm sudo.conf
+as follows:
+.Bd -literal -offset indent
+Set disable_coredump false
+.Ed
+.Pp
+Note that most operating systems disable core dumps from setuid programs,
+including
+.Nm sudo .
+To actually get a
+.Nm sudo
+core file you will likely need to enable core dumps for setuid processes.
+On BSD and Linux systems this is accomplished via the
+.Xr sysctl
+command.
+On Solaris, the
+.Xr coreadm
+command is used to configure core dump behavior.
+.Pp
+This setting is only available in
+.Nm sudo
+version 1.8.4 and higher.
+.El
+.Ss Debug flags
+.Nm sudo
+versions 1.8.4 and higher support a flexible debugging framework
+that can help track down what
+.Nm sudo
+is doing internally if there is a problem.
+.Pp
+A
+.Li Debug
+line consists of the
+.Li Debug
+keyword, followed by the name of the program (or plugin) to debug
+.Pq Nm sudo , Nm visudo , Nm sudoreplay , Nm sudoers ,
+the debug file name and a comma-separated list of debug flags.
+The debug flag syntax used by
+.Nm sudo
+and the
+.Nm sudoers
+plugin is
+.Em subsystem Ns No @ Ns Em priority
+but a plugin is free to use a different format so long as it does
+not include a comma
+.Pq Ql \&, .
+.Pp
+For example:
+.Bd -literal -offset indent
+Debug sudo /var/log/sudo_debug all@warn,plugin@info
+.Ed
+.Pp
+would log all debugging statements at the
+.Em warn
+level and higher in addition to those at the
+.Em info
+level for the plugin subsystem.
+.Pp
+Currently, only one
+.Li Debug
+entry per program is supported.
+The
+.Nm sudo
+.Li Debug
+entry is shared by the
+.Nm sudo
+front end,
+.Nm sudoedit
+and the plugins.
+A future release may add support for per-plugin
+.Li Debug
+lines and/or support for multiple debugging files for a single
+program.
+.Pp
+The priorities used by the
+.Nm sudo
+front end, in order of decreasing severity, are:
+.Em crit , err , warn , notice , diag , info , trace
+and
+.Em debug .
+Each priority, when specified, also includes all priorities higher
+than it.
+For example, a priority of
+.Em notice
+would include debug messages logged at
+.Em notice
+and higher.
+.Pp
+The following subsystems are used by the
+.Nm sudo
+front-end:
+.Bl -tag -width Fl
+.It Em all
+matches every subsystem
+.It Em args
+command line argument processing
+.It Em conv
+user conversation
+.It Em edit
+sudoedit
+.It Em exec
+command execution
+.It Em main
+.Nm sudo
+main function
+.It Em netif
+network interface handling
+.It Em pcomm
+communication with the plugin
+.It Em plugin
+plugin configuration
+.It Em pty
+pseudo-tty related code
+.It Em selinux
+SELinux-specific handling
+.It Em util
+utility functions
+.It Em utmp
+utmp handling
+.El
+.Sh FILES
+.Bl -tag -width 24n
+.It Pa @sysconfdir@/sudo.conf
+.Nm sudo
+front end configuration
+.El
+.Sh EXAMPLES
+.Bd -literal
+#
+# Default @sysconfdir@/sudo.conf file
+#
+# Format:
+# Plugin plugin_name plugin_path plugin_options ...
+# Path askpass /path/to/askpass
+# Path noexec /path/to/sudo_noexec.so
+# Debug sudo /var/log/sudo_debug all@warn
+# Set disable_coredump true
+#
+# The plugin_path is relative to @PLUGINDIR@ unless
+# fully qualified.
+# The plugin_name corresponds to a global symbol in the plugin
+# that contains the plugin interface structure.
+# The plugin_options are optional.
+#
+# The sudoers plugin is used by default if no Plugin lines are
+# present.
+Plugin policy_plugin sudoers.so
+Plugin io_plugin sudoers.so
+
+#
+# Sudo askpass:
+#
+# An askpass helper program may be specified to provide a graphical
+# password prompt for "sudo -A" support. Sudo does not ship with
+# its own askpass program but can use the OpenSSH askpass.
+#
+# Use the OpenSSH askpass
+#Path askpass /usr/X11R6/bin/ssh-askpass
+#
+# Use the Gnome OpenSSH askpass
+#Path askpass /usr/libexec/openssh/gnome-ssh-askpass
+
+#
+# Sudo noexec:
+#
+# Path to a shared library containing dummy versions of the execv(),
+# execve() and fexecve() library functions that just return an error.
+# This is used to implement the "noexec" functionality on systems that
+# support C or its equivalent.
+# The compiled-in value is usually sufficient and should only be
+# changed if you rename or move the sudo_noexec.so file.
+#
+#Path noexec @noexec_file@
+
+#
+# Core dumps:
+#
+# By default, sudo disables core dumps while it is executing
+# (they are re-enabled for the command that is run).
+# To aid in debugging sudo problems, you may wish to enable core
+# dumps by setting "disable_coredump" to false.
+#
+#Set disable_coredump false
+.Ed
+.Sh SEE ALSO
+.Xr sudoers @mansectform@ ,
+.Xr sudo @mansectsu@ ,
+.Xr sudo_plugin @mansectsu@
+.Sh HISTORY
+See the HISTORY file in the
+.Nm sudo
+distribution (http://www.sudo.ws/sudo/history.html) for a brief
+history of sudo.
+.Sh AUTHORS
+Many people have worked on
+.Nm sudo
+over the years; this version consists of code written primarily by:
+.Bd -ragged -offset indent
+Todd C. Miller
+.Ed
+.Pp
+See the CONTRIBUTORS file in the
+.Nm sudo
+distribution (http://www.sudo.ws/sudo/contributors.html) for an
+exhaustive list of people who have contributed to
+.Nm sudo .
+.Sh BUGS
+If you feel you have found a bug in
+.Nm sudo ,
+please submit a bug report at http://www.sudo.ws/sudo/bugs/
+.Sh SUPPORT
+Limited free support is available via the sudo-users mailing list,
+see http://www.sudo.ws/mailman/listinfo/sudo-users to subscribe or
+search the archives.
+.Sh DISCLAIMER
+.Nm sudo
+is provided
+.Dq AS IS
+and any express or implied warranties, including, but not limited
+to, the implied warranties of merchantability and fitness for a
+particular purpose are disclaimed.
+See the LICENSE file distributed with
+.Nm sudo
+or http://www.sudo.ws/sudo/license.html for complete details.
diff -up sudo-1.8.6p7/MANIFEST.sudoconfman sudo-1.8.6p7/MANIFEST
--- sudo-1.8.6p7/MANIFEST.sudoconfman 2013-07-30 13:56:49.585965170 +0200
+++ sudo-1.8.6p7/MANIFEST 2013-07-30 13:58:25.731323515 +0200
@@ -348,6 +348,9 @@ src/tgetpass.c
 src/ttyname.c
 src/utmp.c
 sudo.pp
+sudo/sudo.conf.cat
+sudo/sudo.conf.man.in
+sudo/sudo.conf.mdoc.in
 zlib/Makefile.in
 zlib/adler32.c
 zlib/compress.c
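Review bot: The three new MANIFEST entries are prefixed `sudo/`, a directory that does not appear among the neighbouring entries (`src/`, `zlib/`) and that, as far as I can tell, does not exist in the sudo tree, whose man page sources and pre-formatted `.cat` files live under `doc/`. If the new sudo.conf manual files are placed alongside the other manuals, these lines should presumably read `doc/sudo.conf.cat`, `doc/sudo.conf.man.in` and `doc/sudo.conf.mdoc.in`; as written, a distribution built from this MANIFEST would either fail on the missing paths or silently ship without the new manual. Worth confirming against the actual location of the added files before merging.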