
Adding upstream version 1.9.16p2.

Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>
This commit is contained in:
Daniel Baumann 2025-06-22 09:52:37 +02:00
parent ebbaee52bc
commit 182f151a13
Signed by: daniel.baumann
GPG key ID: BCC918A2ABD66424
1342 changed files with 621215 additions and 0 deletions

80369
ChangeLog Normal file

File diff suppressed because it is too large

368
INSTALL.configure Normal file

@ -0,0 +1,368 @@
Installation Instructions
*************************
Copyright (C) 1994-1996, 1999-2002, 2004-2016 Free Software
Foundation, Inc.
Copying and distribution of this file, with or without modification,
are permitted in any medium without royalty provided the copyright
notice and this notice are preserved. This file is offered as-is,
without warranty of any kind.
Basic Installation
==================
Briefly, the shell command './configure && make && make install'
should configure, build, and install this package. The following
more-detailed instructions are generic; see the 'README' file for
instructions specific to this package. Some packages provide this
'INSTALL' file but do not implement all of the features documented
below. The lack of an optional feature in a given package is not
necessarily a bug. More recommendations for GNU packages can be found
in *note Makefile Conventions: (standards)Makefile Conventions.
The 'configure' shell script attempts to guess correct values for
various system-dependent variables used during compilation. It uses
those values to create a 'Makefile' in each directory of the package.
It may also create one or more '.h' files containing system-dependent
definitions. Finally, it creates a shell script 'config.status' that
you can run in the future to recreate the current configuration, and a
file 'config.log' containing compiler output (useful mainly for
debugging 'configure').
It can also use an optional file (typically called 'config.cache' and
enabled with '--cache-file=config.cache' or simply '-C') that saves the
results of its tests to speed up reconfiguring. Caching is disabled by
default to prevent problems with accidental use of stale cache files.
If you need to do unusual things to compile the package, please try
to figure out how 'configure' could check whether to do them, and mail
diffs or instructions to the address given in the 'README' so they can
be considered for the next release. If you are using the cache, and at
some point 'config.cache' contains results you don't want to keep, you
may remove or edit it.
The file 'configure.ac' (or 'configure.in') is used to create
'configure' by a program called 'autoconf'. You need 'configure.ac' if
you want to change it or regenerate 'configure' using a newer version of
'autoconf'.
The simplest way to compile this package is:
1. 'cd' to the directory containing the package's source code and type
'./configure' to configure the package for your system.
Running 'configure' might take a while. While running, it prints
some messages telling which features it is checking for.
2. Type 'make' to compile the package.
3. Optionally, type 'make check' to run any self-tests that come with
the package, generally using the just-built uninstalled binaries.
4. Type 'make install' to install the programs and any data files and
documentation. When installing into a prefix owned by root, it is
recommended that the package be configured and built as a regular
user, and only the 'make install' phase executed with root
privileges.
5. Optionally, type 'make installcheck' to repeat any self-tests, but
this time using the binaries in their final installed location.
This target does not install anything. Running this target as a
regular user, particularly if the prior 'make install' required
root privileges, verifies that the installation completed
correctly.
6. You can remove the program binaries and object files from the
source code directory by typing 'make clean'. To also remove the
files that 'configure' created (so you can compile the package for
a different kind of computer), type 'make distclean'. There is
also a 'make maintainer-clean' target, but that is intended mainly
for the package's developers. If you use it, you may have to get
all sorts of other programs in order to regenerate files that came
with the distribution.
7. Often, you can also type 'make uninstall' to remove the installed
files again. In practice, not all packages have tested that
uninstallation works correctly, even though it is required by the
GNU Coding Standards.
8. Some packages, particularly those that use Automake, provide 'make
distcheck', which can by used by developers to test that all other
targets like 'make install' and 'make uninstall' work correctly.
This target is generally not run by end users.
Compilers and Options
=====================
Some systems require unusual options for compilation or linking that
the 'configure' script does not know about. Run './configure --help'
for details on some of the pertinent environment variables.
You can give 'configure' initial values for configuration parameters
by setting variables in the command line or in the environment. Here is
an example:
./configure CC=c99 CFLAGS=-g LIBS=-lposix
*Note Defining Variables::, for more details.
Compiling For Multiple Architectures
====================================
You can compile the package for more than one kind of computer at the
same time, by placing the object files for each architecture in their
own directory. To do this, you can use GNU 'make'. 'cd' to the
directory where you want the object files and executables to go and run
the 'configure' script. 'configure' automatically checks for the source
code in the directory that 'configure' is in and in '..'. This is known
as a "VPATH" build.
With a non-GNU 'make', it is safer to compile the package for one
architecture at a time in the source code directory. After you have
installed the package for one architecture, use 'make distclean' before
reconfiguring for another architecture.
On macOS 10.5 and later systems, you can create libraries and
executables that work on multiple system types--known as "fat" or
"universal" binaries--by specifying multiple '-arch' options to the
compiler but only a single '-arch' option to the preprocessor. Like
this:
./configure CC="gcc -arch i386 -arch x86_64 -arch ppc -arch ppc64" \
CXX="g++ -arch i386 -arch x86_64 -arch ppc -arch ppc64" \
CPP="gcc -E" CXXCPP="g++ -E"
This is not guaranteed to produce working output in all cases, you
may have to build one architecture at a time and combine the results
using the 'lipo' tool if you have problems.
Installation Names
==================
By default, 'make install' installs the package's commands under
'/usr/local/bin', include files under '/usr/local/include', etc. You
can specify an installation prefix other than '/usr/local' by giving
'configure' the option '--prefix=PREFIX', where PREFIX must be an
absolute file name.
You can specify separate installation prefixes for
architecture-specific files and architecture-independent files. If you
pass the option '--exec-prefix=PREFIX' to 'configure', the package uses
PREFIX as the prefix for installing programs and libraries.
Documentation and other data files still use the regular prefix.
In addition, if you use an unusual directory layout you can give
options like '--bindir=DIR' to specify different values for particular
kinds of files. Run 'configure --help' for a list of the directories
you can set and what kinds of files go in them. In general, the default
for these options is expressed in terms of '${prefix}', so that
specifying just '--prefix' will affect all of the other directory
specifications that were not explicitly provided.
The most portable way to affect installation locations is to pass the
correct locations to 'configure'; however, many packages provide one or
both of the following shortcuts of passing variable assignments to the
'make install' command line to change installation locations without
having to reconfigure or recompile.
The first method involves providing an override variable for each
affected directory. For example, 'make install
prefix=/alternate/directory' will choose an alternate location for all
directory configuration variables that were expressed in terms of
'${prefix}'. Any directories that were specified during 'configure',
but not in terms of '${prefix}', must each be overridden at install time
for the entire installation to be relocated. The approach of makefile
variable overrides for each directory variable is required by the GNU
Coding Standards, and ideally causes no recompilation. However, some
platforms have known limitations with the semantics of shared libraries
that end up requiring recompilation when using this method, particularly
noticeable in packages that use GNU Libtool.
The second method involves providing the 'DESTDIR' variable. For
example, 'make install DESTDIR=/alternate/directory' will prepend
'/alternate/directory' before all installation names. The approach of
'DESTDIR' overrides is not required by the GNU Coding Standards, and
does not work on platforms that have drive letters. On the other hand,
it does better at avoiding recompilation issues, and works well even
when some directory options were not specified in terms of '${prefix}'
at 'configure' time.
Optional Features
=================
If the package supports it, you can cause programs to be installed
with an extra prefix or suffix on their names by giving 'configure' the
option '--program-prefix=PREFIX' or '--program-suffix=SUFFIX'.
Some packages pay attention to '--enable-FEATURE' options to
'configure', where FEATURE indicates an optional part of the package.
They may also pay attention to '--with-PACKAGE' options, where PACKAGE
is something like 'gnu-as' or 'x' (for the X Window System). The
'README' should mention any '--enable-' and '--with-' options that the
package recognizes.
For packages that use the X Window System, 'configure' can usually
find the X include and library files automatically, but if it doesn't,
you can use the 'configure' options '--x-includes=DIR' and
'--x-libraries=DIR' to specify their locations.
Some packages offer the ability to configure how verbose the
execution of 'make' will be. For these packages, running './configure
--enable-silent-rules' sets the default to minimal output, which can be
overridden with 'make V=1'; while running './configure
--disable-silent-rules' sets the default to verbose, which can be
overridden with 'make V=0'.
Particular systems
==================
On HP-UX, the default C compiler is not ANSI C compatible. If GNU CC
is not installed, it is recommended to use the following options in
order to use an ANSI C compiler:
./configure CC="cc -Ae -D_XOPEN_SOURCE=500"
and if that doesn't work, install pre-built binaries of GCC for HP-UX.
HP-UX 'make' updates targets which have the same time stamps as their
prerequisites, which makes it generally unusable when shipped generated
files such as 'configure' are involved. Use GNU 'make' instead.
On OSF/1 a.k.a. Tru64, some versions of the default C compiler cannot
parse its '<wchar.h>' header file. The option '-nodtk' can be used as a
workaround. If GNU CC is not installed, it is therefore recommended to
try
./configure CC="cc"
and if that doesn't work, try
./configure CC="cc -nodtk"
On Solaris, don't put '/usr/ucb' early in your 'PATH'. This
directory contains several dysfunctional programs; working variants of
these programs are available in '/usr/bin'. So, if you need '/usr/ucb'
in your 'PATH', put it _after_ '/usr/bin'.
On Haiku, software installed for all users goes in '/boot/common',
not '/usr/local'. It is recommended to use the following options:
./configure --prefix=/boot/common
Specifying the System Type
==========================
There may be some features 'configure' cannot figure out
automatically, but needs to determine by the type of machine the package
will run on. Usually, assuming the package is built to be run on the
_same_ architectures, 'configure' can figure that out, but if it prints
a message saying it cannot guess the machine type, give it the
'--build=TYPE' option. TYPE can either be a short name for the system
type, such as 'sun4', or a canonical name which has the form:
CPU-COMPANY-SYSTEM
where SYSTEM can have one of these forms:
OS
KERNEL-OS
See the file 'config.sub' for the possible values of each field. If
'config.sub' isn't included in this package, then this package doesn't
need to know the machine type.
If you are _building_ compiler tools for cross-compiling, you should
use the option '--target=TYPE' to select the type of system they will
produce code for.
If you want to _use_ a cross compiler, that generates code for a
platform different from the build platform, you should specify the
"host" platform (i.e., that on which the generated programs will
eventually be run) with '--host=TYPE'.
Sharing Defaults
================
If you want to set default values for 'configure' scripts to share,
you can create a site shell script called 'config.site' that gives
default values for variables like 'CC', 'cache_file', and 'prefix'.
'configure' looks for 'PREFIX/share/config.site' if it exists, then
'PREFIX/etc/config.site' if it exists. Or, you can set the
'CONFIG_SITE' environment variable to the location of the site script.
A warning: not all 'configure' scripts look for a site script.
Defining Variables
==================
Variables not defined in a site shell script can be set in the
environment passed to 'configure'. However, some packages may run
configure again during the build, and the customized values of these
variables may be lost. In order to avoid this problem, you should set
them in the 'configure' command line, using 'VAR=value'. For example:
./configure CC=/usr/local2/bin/gcc
causes the specified 'gcc' to be used as the C compiler (unless it is
overridden in the site shell script).
Unfortunately, this technique does not work for 'CONFIG_SHELL' due to an
Autoconf limitation. Until the limitation is lifted, you can use this
workaround:
CONFIG_SHELL=/bin/bash ./configure CONFIG_SHELL=/bin/bash
'configure' Invocation
======================
'configure' recognizes the following options to control how it
operates.
'--help'
'-h'
Print a summary of all of the options to 'configure', and exit.
'--help=short'
'--help=recursive'
Print a summary of the options unique to this package's
'configure', and exit. The 'short' variant lists options used only
in the top level, while the 'recursive' variant lists options also
present in any nested packages.
'--version'
'-V'
Print the version of Autoconf used to generate the 'configure'
script, and exit.
'--cache-file=FILE'
Enable the cache: use and save the results of the tests in FILE,
traditionally 'config.cache'. FILE defaults to '/dev/null' to
disable caching.
'--config-cache'
'-C'
Alias for '--cache-file=config.cache'.
'--quiet'
'--silent'
'-q'
Do not print messages saying which checks are being made. To
suppress all normal output, redirect it to '/dev/null' (any error
messages will still be shown).
'--srcdir=DIR'
Look for the package's source code in directory DIR. Usually
'configure' can determine that directory automatically.
'--prefix=DIR'
Use DIR as the installation prefix. *note Installation Names:: for
more details, including other options available for fine-tuning the
installation locations.
'--no-create'
'-n'
Run the configure checks, but stop before creating any output
files.
'configure' also accepts some other, not widely useful, options. Run
'configure --help' for more details.
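Review bot: step 8 of "Basic Installation" reads "which can by used by developers"; it should be "can be used". Since this file is the stock Autoconf INSTALL text imported verbatim from the upstream 1.9.16p2 release, leave the hunk unchanged here and report the typo upstream rather than diverging from the tarball in a packaging import.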

1097
INSTALL.md Normal file

File diff suppressed because it is too large

351
LICENSE.md Normal file

@ -0,0 +1,351 @@
Sudo is distributed under the following license:
Copyright (c) 1994-1996, 1998-2024
Todd C. Miller <Todd.Miller@sudo.ws>
Permission to use, copy, modify, and distribute this software for any
purpose with or without fee is hereby granted, provided that the above
copyright notice and this permission notice appear in all copies.
THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
Sponsored in part by the Defense Advanced Research Projects
Agency (DARPA) and Air Force Research Laboratory, Air Force
Materiel Command, USAF, under agreement number F39502-99-1-0512.
The Python plugin bindings bear the following license:
Copyright (c) 2019-2020 Robert Manner <robert.manner@oneidentity.com>
Permission to use, copy, modify, and distribute this software for any
purpose with or without fee is hereby granted, provided that the above
copyright notice and this permission notice appear in all copies.
THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
The files hostcheck.c and hostcheck.h bear the following license:
Copyright (c) 2020 Laszlo Orban <laszlo.orban@oneidentity.com>
Permission to use, copy, modify, and distribute this software for any
purpose with or without fee is hereby granted, provided that the above
copyright notice and this permission notice appear in all copies.
THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
The file redblack.c bears the following license:
Copyright (c) 2001 Emin Martinian
Redistribution and use in source and binary forms, with or without
modification, are permitted provided that neither the name of Emin
Martinian nor the names of any contributors are be used to endorse or
promote products derived from this software without specific prior
written permission.
THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
"AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
The file sssd.c bears the following license:
Copyright (c) 2011 Daniel Kopecek <dkopecek@redhat.com>
This code is derived from software contributed by Aaron Spangler.
Permission to use, copy, modify, and distribute this software for any
purpose with or without fee is hereby granted, provided that the above
copyright notice and this permission notice appear in all copies.
THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
The files bsm_audit.c and bsm_audit.h bear the following license:
Copyright (c) 2009 Christian S.J. Peron
Permission to use, copy, modify, and distribute this software for any
purpose with or without fee is hereby granted, provided that the above
copyright notice and this permission notice appear in all copies.
THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
The files solaris_audit.c and solaris_audit.h bear the following license:
Copyright (c) 2014, Oracle and/or its affiliates.
Permission to use, copy, modify, and distribute this software for any
purpose with or without fee is hereby granted, provided that the above
copyright notice and this permission notice appear in all copies.
THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
The file reallocarray.c bears the following license:
Copyright (c) 2008 Otto Moerbeek <otto@drijf.net>
Permission to use, copy, modify, and distribute this software for any
purpose with or without fee is hereby granted, provided that the above
copyright notice and this permission notice appear in all copies.
THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
The files getcwd.c, glob.c, glob.h, snprintf.c and sudo_queue.h bear the
following license:
Copyright (c) 1989, 1990, 1991, 1993
The Regents of the University of California. All rights reserved.
Redistribution and use in source and binary forms, with or without
modification, are permitted provided that the following conditions
are met:
1. Redistributions of source code must retain the above copyright
notice, this list of conditions and the following disclaimer.
2. Redistributions in binary form must reproduce the above copyright
notice, this list of conditions and the following disclaimer in the
documentation and/or other materials provided with the distribution.
3. Neither the name of the University nor the names of its contributors
may be used to endorse or promote products derived from this software
without specific prior written permission.
THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
SUCH DAMAGE.
The file fnmatch.c bears the following license:
Copyright (c) 2011, VMware, Inc.
All rights reserved.
Redistribution and use in source and binary forms, with or without
modification, are permitted provided that the following conditions are met:
* Redistributions of source code must retain the above copyright
notice, this list of conditions and the following disclaimer.
* Redistributions in binary form must reproduce the above copyright
notice, this list of conditions and the following disclaimer in the
documentation and/or other materials provided with the distribution.
* Neither the name of the VMware, Inc. nor the names of its contributors
may be used to endorse or promote products derived from this software
without specific prior written permission.
THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
ARE DISCLAIMED. IN NO EVENT SHALL VMWARE, INC. OR CONTRIBUTORS BE LIABLE FOR
ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
(INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
The file getopt_long.c bears the following license:
Copyright (c) 2000 The NetBSD Foundation, Inc.
All rights reserved.
This code is derived from software contributed to The NetBSD Foundation
by Dieter Baron and Thomas Klausner.
Redistribution and use in source and binary forms, with or without
modification, are permitted provided that the following conditions
are met:
1. Redistributions of source code must retain the above copyright
notice, this list of conditions and the following disclaimer.
2. Redistributions in binary form must reproduce the above copyright
notice, this list of conditions and the following disclaimer in the
documentation and/or other materials provided with the distribution.
THIS SOFTWARE IS PROVIDED BY THE NETBSD FOUNDATION, INC. AND CONTRIBUTORS
``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE FOUNDATION OR CONTRIBUTORS
BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
POSSIBILITY OF SUCH DAMAGE.
The file inet_pton.c bears the following license:
Copyright (c) 1996 by Internet Software Consortium.
Permission to use, copy, modify, and distribute this software for any
purpose with or without fee is hereby granted, provided that the above
copyright notice and this permission notice appear in all copies.
THE SOFTWARE IS PROVIDED "AS IS" AND INTERNET SOFTWARE CONSORTIUM DISCLAIMS
ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES
OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL INTERNET SOFTWARE
CONSORTIUM BE LIABLE FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL
DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR
PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS
ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS
SOFTWARE.
The file arc4random.c bears the following license:
Copyright (c) 1996, David Mazieres <dm@uun.org>
Copyright (c) 2008, Damien Miller <djm@openbsd.org>
Copyright (c) 2013, Markus Friedl <markus@openbsd.org>
Copyright (c) 2014, Theo de Raadt <deraadt@openbsd.org>
Permission to use, copy, modify, and distribute this software for any
purpose with or without fee is hereby granted, provided that the above
copyright notice and this permission notice appear in all copies.
THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
The file arc4random_uniform.c bears the following license:
Copyright (c) 2008, Damien Miller <djm@openbsd.org>
Permission to use, copy, modify, and distribute this software for any
purpose with or without fee is hereby granted, provided that the above
copyright notice and this permission notice appear in all copies.
THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
The file getentropy.c bears the following license:
Copyright (c) 2014 Theo de Raadt <deraadt@openbsd.org>
Copyright (c) 2014 Bob Beck <beck@obtuse.com>
Permission to use, copy, modify, and distribute this software for any
purpose with or without fee is hereby granted, provided that the above
copyright notice and this permission notice appear in all copies.
THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
The embedded copy of zlib bears the following license:
Copyright (C) 1995-2024 Jean-loup Gailly and Mark Adler
This software is provided 'as-is', without any express or implied
warranty. In no event will the authors be held liable for any damages
arising from the use of this software.
Permission is granted to anyone to use this software for any purpose,
including commercial applications, and to alter it and redistribute it
freely, subject to the following restrictions:
1. The origin of this software must not be misrepresented; you must not
claim that you wrote the original software. If you use this software
in a product, an acknowledgment in the product documentation would be
appreciated but is not required.
2. Altered source versions must be plainly marked as such, and must not
be misrepresented as being the original software.
3. This notice may not be removed or altered from any source
distribution.
Jean-loup Gailly Mark Adler
jloup@gzip.org madler@alumni.caltech.edu
The embedded copy of protobuf-c bears the following license:
Copyright (c) 2008-2022, Dave Benson and the protobuf-c authors.
All rights reserved.
Redistribution and use in source and binary forms, with or without
modification, are permitted provided that the following conditions
are met:
* Redistributions of source code must retain the above copyright
notice, this list of conditions and the following disclaimer.
* Redistributions in binary form must reproduce the above
copyright notice, this list of conditions and the following
disclaimer in the documentation and/or other materials
provided with the distribution.
THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
"AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

1342
MANIFEST Normal file

File diff suppressed because it is too large

466
Makefile.in Normal file

@ -0,0 +1,466 @@
#
# SPDX-License-Identifier: ISC
#
# Copyright (c) 2010-2015, 2017-2023 Todd C. Miller <Todd.Miller@sudo.ws>
#
# Permission to use, copy, modify, and distribute this software for any
# purpose with or without fee is hereby granted, provided that the above
# copyright notice and this permission notice appear in all copies.
#
# THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
# WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
# MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
# ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
# WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
# ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
# OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
#
srcdir = @srcdir@
abs_srcdir = @abs_srcdir@
top_srcdir = @top_srcdir@
abs_top_srcdir = @abs_top_srcdir@
top_builddir = @top_builddir@
abs_top_builddir = @abs_top_builddir@
devdir = @devdir@
scriptdir = $(top_srcdir)/scripts
# Installation paths for package building
prefix = @prefix@
exec_prefix = @exec_prefix@
bindir = @bindir@
sbindir = @sbindir@
sysconfdir = @sysconfdir@
adminconfdir = @adminconfdir@
libexecdir = @libexecdir@
includedir = @includedir@
datarootdir = @datarootdir@
localedir = @localedir@
localstatedir = @localstatedir@
exampledir = @exampledir@
docdir = @docdir@
mandir = @mandir@
rundir = @rundir@
vardir = @vardir@
# User and group ids the installed files should be "owned" by
install_uid = 0
install_gid = 0
# sudoers owner and mode for package building
sudoers_uid = @SUDOERS_UID@
sudoers_gid = @SUDOERS_GID@
sudoers_mode = @SUDOERS_MODE@
shlib_mode = @SHLIB_MODE@
# Version of python detected by configure (major.minor)
python_version = @PYTHON_VERSION@
SUBDIRS = lib/util @ZLIB_SRC@ lib/eventlog lib/fuzzstub lib/iolog \
lib/protobuf-c @SSL_COMPAT_SRC@ @LOGSRV_SRC@ @LOGSRVD_SRC@ \
plugins/audit_json plugins/group_file plugins/sudoers \
plugins/system_group @PYTHON_PLUGIN_SRC@ src include \
docs examples
SAMPLES = plugins/sample plugins/sample_approval
VERSION = @PACKAGE_VERSION@
PACKAGE_TARNAME = @PACKAGE_TARNAME@
LIBTOOL_DEPS = @LIBTOOL_DEPS@
SHELL = @SHELL@
EGREP = @EGREP@
SED = @SED@
INSTALL = $(SHELL) $(scriptdir)/install-sh -c
INSTALL_OWNER = -o $(install_uid) -g $(install_gid)
ECHO_N = @ECHO_N@
ECHO_C = @ECHO_C@
# Message catalog support
NLS = @SUDO_NLS@
POTFILES = po/sudo.pot plugins/sudoers/po/sudoers.pot
LOCALEDIR_SUFFIX = @LOCALEDIR_SUFFIX@
MSGFMT = msgfmt
MSGMERGE = msgmerge
XGETTEXT = xgettext
XGETTEXT_OPTS = -F -k_ -kN_ -kU_ --copyright-holder="Todd C. Miller" \
"--msgid-bugs-address=https://bugzilla.sudo.ws" \
--package-name=@PACKAGE_NAME@ --package-version=$(VERSION) \
--flag warning:1:c-format --flag warningx:1:c-format \
--flag fatal:1:c-format --flag fatalx:1:c-format \
--flag easprintf:3:c-format --flag sudo_lbuf_append:2:c-format \
--flag sudo_lbuf_append_quoted:3:c-format --foreign-user
# Default cppcheck options when run from the top-level Makefile
CPPCHECK_OPTS = -q --enable=warning,performance,portability --suppress=constStatement --suppress=compareBoolExpressionWithInt --error-exitcode=1 --inline-suppr -Dva_copy=va_copy -U__cplusplus -UQUAD_MAX -UQUAD_MIN -UUQUAD_MAX -U_POSIX_HOST_NAME_MAX -U_POSIX_PATH_MAX -U__NBBY -DNSIG=64
# Default splint options when run from the top-level Makefile
SPLINT_OPTS = -D__restrict= -checks
# Default PVS-studio options when run from the top-level Makefile
PVS_CFG = $(top_builddir)/PVS-Studio.cfg
PVS_IGNORE = 'V707,V011,V002,V536,V568'
PVS_LOG_OPTS = -a 'GA:1,2' -e -t errorfile -d $(PVS_IGNORE)
all: config.status
for d in $(SUBDIRS) $(SAMPLES); do \
(cd $$d && exec $(MAKE) $@) && continue; \
exit $$?; \
done
check check-verbose check-fuzzer fuzz pre-install: config.status
for d in $(SUBDIRS) $(SAMPLES); do \
(cd $$d && exec $(MAKE) $@) && continue; \
exit $$?; \
done
uncrustify.files: Makefile
$(EGREP) '\.[ch]$$' $(top_srcdir)/MANIFEST | $(EGREP) -v '(/zlib/|/(arc4random|arc4random_uniform|chacha_private|charclass|fnmatch|getaddrinfo|getcwd|getdate|getentropy|getopt|getopt_long|glob|gram|inet_ntop|inet_pton|log_server.pb-c|mktemp|pw_dup|reallocarray|mktemp_test|protobuf-c|snprintf|stdbool|strlcat|strlcpy|sudo_queue|toke)\.[ch]$$)' > uncrustify.files
reformat: uncrustify.files
( cd $(top_srcdir) && uncrustify -c etc/uncrustify.cfg --replace --no-backup -F $(top_builddir)/uncrustify.files )
check-format: uncrustify.files
( cd $(top_srcdir) && uncrustify -c etc/uncrustify.cfg --check -F $(top_builddir)/uncrustify.files )
spell:
( cd $(top_srcdir) && codespell -I etc/codespell.ignore -x etc/codespell.exclude `$(EGREP) -v -f etc/codespell.skip MANIFEST` )
cppcheck: config.status
rval=0; \
for d in $(SUBDIRS) $(SAMPLES); do \
echo checking $$d; \
(cd $$d && exec $(MAKE) CPPCHECK_OPTS="$(CPPCHECK_OPTS)" $@) || rval=`expr $$rval + $$?`; \
done; \
exit $$rval
splint: config.status
rval=0; \
for d in $(SUBDIRS) $(SAMPLES); do \
echo splinting $$d; \
(cd $$d && exec $(MAKE) SPLINT_OPTS="$(SPLINT_OPTS)" $@) || rval=`expr $$rval + $$?`; \
done; \
exit $$rval
cov-build:
make clean
cov-build --dir cov-int make $(MFLAGS) all
cov-upload:
tar zcf cov-int.tgz cov-int
curl --form token=$$COVERITY_SUDO_TOKEN \
--form email=todd.miller@sudo.ws \
--form file=@cov-int.tgz \
--form version="$(VERSION)" \
https://scan.coverity.com/builds?project=sudo
cov-analyze: cov-upload
pvs-studio: config.status
files=; \
rval=0; \
for d in $(SUBDIRS) $(SAMPLES); do \
(cd $$d && exec $(MAKE) PVS_IGNORE="$(PVS_IGNORE)" pvs-log-files) || rval=`expr $$rval + $$?`; \
for f in $$d/*.plog; do \
if test "$$f" != "$$d/*.plog"; then \
files="$$files $$f"; \
fi; \
done; \
done; \
if test $$rval -ne 0; then \
exit $$rval; \
fi; \
plog-converter $(PVS_LOG_OPTS) $$files
install-dirs install-binaries install-fuzzer install-includes install-plugin: config.status pre-install
for d in $(SUBDIRS); do \
(cd $$d && exec $(MAKE) "INSTALL_OWNER=$(INSTALL_OWNER)" $@) && continue; \
exit $$?; \
done
install-doc: config.status ChangeLog
for d in $(SUBDIRS); do \
(cd $$d && exec $(MAKE) "INSTALL_OWNER=$(INSTALL_OWNER)" $@) && continue; \
exit $$?; \
done
install: config.status ChangeLog pre-install install-nls
for d in $(SUBDIRS); do \
(cd $$d && exec $(MAKE) "INSTALL_OWNER=$(INSTALL_OWNER)" $@) && continue; \
exit $$?; \
done
postinstall:
@POSTINSTALL@
uninstall: uninstall-nls
for d in $(SUBDIRS); do \
(cd $$d && exec $(MAKE) $@) && continue; \
exit $$?; \
done
uninstall-nls:
for pot in $(POTFILES); do \
domain=`basename $$pot .pot`; \
rm -f $(DESTDIR)$(localedir)/*/LC_MESSAGES/$$domain.mo; \
done
siglist.c signame.c:
cd lib/util && exec $(MAKE) $@
tsgetusershell.c:
cd plugins/sudoers && exec $(MAKE) $@
depend: siglist.c signame.c tsgetusershell.c
$(scriptdir)/mkdep.pl \
--srcdir=$(abs_top_srcdir) --builddir=$(abs_top_builddir) \
lib/util/Makefile.in lib/zlib/Makefile.in \
lib/fuzzstub/Makefile.in lib/eventlog/Makefile.in \
lib/iolog/Makefile.in lib/logsrv/Makefile.in logsrvd/Makefile.in \
lib/protobuf-c/Makefile.in lib/ssl_compat/Makefile.in \
plugins/group_file/Makefile.in plugins/audit_json/Makefile.in \
plugins/sample/Makefile.in plugins/sample_approval/Makefile.in \
plugins/sudoers/Makefile.in plugins/system_group/Makefile.in \
plugins/python/Makefile.in src/Makefile.in && \
$(top_builddir)/config.status --file $(top_builddir)/lib/util/Makefile \
--file $(top_builddir)/lib/zlib/Makefile \
--file $(top_builddir)/lib/fuzzstub/Makefile \
--file $(top_builddir)/lib/eventlog/Makefile \
--file $(top_builddir)/lib/iolog/Makefile \
--file $(top_builddir)/lib/logsrv/Makefile \
--file $(top_builddir)/lib/protobuf-c/Makefile \
--file $(top_builddir)/lib/ssl_compat/Makefile \
--file $(top_builddir)/logsrvd/Makefile \
--file $(top_builddir)/plugins/group_file/Makefile \
--file $(top_builddir)/plugins/audit_json/Makefile \
--file $(top_builddir)/plugins/sample/Makefile \
--file $(top_builddir)/plugins/sample_approval/Makefile \
--file $(top_builddir)/plugins/sudoers/Makefile \
--file $(top_builddir)/plugins/system_group/Makefile \
--file $(top_builddir)/plugins/python/Makefile \
--file $(top_builddir)/src/Makefile
# Only try to build ChangeLog from a repo checkout, not a release tarball.
# The CODEOWNERS file is not present in the release tarball.
ChangeLog:
if test -f $(srcdir)/docs/CODEOWNERS; then \
if test -d $(srcdir)/.hg && hg -R $(srcdir) identify -ibt >stamp-$@.tmp 2>&1; then \
cmp stamp-$@.tmp stamp-$@ >/dev/null 2>&1 || { \
mv -f stamp-$@.tmp stamp-$@; \
if hg log -R $(srcdir) --template=changelog -r "sort(branch(.) or follow(), -date)" > $@.tmp; then \
mv -f $@.tmp $(srcdir)/$@; \
fi; \
}; \
elif test -d $(srcdir)/.git && git --git-dir $(srcdir)/.git describe --tags >stamp-$@.tmp 2>&1; then \
cmp stamp-$@.tmp stamp-$@ >/dev/null 2>&1 || { \
mv -f stamp-$@.tmp stamp-$@; \
if $(scriptdir)/log2cl.pl -R $(srcdir)/.git > $@.tmp; then \
mv -f $@.tmp $(srcdir)/$@; \
fi; \
}; \
fi; \
rm -f $@.tmp stamp-$@.tmp; \
fi
if test ! -f $(srcdir)/$@; then \
echo "ChangeLog data not available" > $(srcdir)/$@; \
fi
config.status:
@if [ ! -s config.status ]; then \
echo "Please run configure first"; \
exit 1; \
fi
libtool: $(LIBTOOL_DEPS)
$(SHELL) ./config.status --recheck
Makefile: $(srcdir)/Makefile.in
./config.status --file Makefile
sync-po: rsync-po compile-po
rsync-po:
rsync -Lrtvz translationproject.org::tp/latest/sudo/ po/
rsync -Lrtvz translationproject.org::tp/latest/sudoers/ plugins/sudoers/po/
update-pot:
@if $(XGETTEXT) --help >/dev/null 2>&1; then \
cd $(top_srcdir); \
for pot in $(POTFILES); do \
echo "Updating $$pot"; \
domain=`basename $$pot .pot`; \
case "$$domain" in \
sudo) tmpfiles=; cfiles="src/*.c lib/util/*.c";; \
sudoers) \
echo "gettext \"syntax error\"" > confstr.sh; \
$(SED) -n 's/^.*--with-passprompt=\(.*\)$$/gettext \"\1\"/p' $(scriptdir)/mkpkg | sort -u >> confstr.sh; \
$(SED) -n -e 's/^badpass_message="/gettext "/p' \
-e 's/^passprompt="/gettext "/p' \
-e 's/^mailsub="/gettext "/p' configure.ac \
>> confstr.sh; \
tmpfiles=confstr.sh; \
cfiles="lib/eventlog/*.c lib/iolog/*.c logsrvd/*.c plugins/sudoers/*.c plugins/sudoers/auth/*.c";; \
*) echo unknown domain $$domain; continue;; \
esac; \
$(XGETTEXT) $(XGETTEXT_OPTS) -d$$domain $$cfiles $$tmpfiles -o $$pot.tmp; \
test -n "$$tmpfiles" && rm -f $$tmpfiles; \
if diff -I'^.POT-Creation-Date' -I'^.Project-Id-Version' -I'^#' $$pot.tmp $$pot >/dev/null; then \
rm -f $$pot.tmp; \
else \
printf '/^#$$/+1,$$d\nw\nq\n' | ed - $$pot; \
$(SED) '1,/^#$$/d' $$pot.tmp >> $$pot; \
rm -f $$pot.tmp; \
fi; \
done; \
else \
echo "Unable to update .pot files: $(XGETTEXT) not found" 1>&2; \
fi
update-po: update-pot
@if $(MSGFMT) --help >/dev/null 2>&1; then \
cd $(top_srcdir); \
for pot in $(POTFILES); do \
podir=`dirname $$pot`; \
for po in $$podir/*.po; do \
echo $(ECHO_N) "Updating $$po$(ECHO_C)"; \
$(MSGMERGE) --update $$po $$pot; \
$(MSGFMT) --output /dev/null --check-format $$po || exit 1; \
done; \
done; \
else \
echo "Unable to update .po files: $(MSGFMT) not found" 1>&2; \
fi
compile-po:
@if $(MSGFMT) --help >/dev/null 2>&1; then \
cd $(top_srcdir); \
rm -f Makefile.$$$$; \
POFILES=""; \
for pot in $(POTFILES); do \
podir=`dirname $$pot`; \
for po in $$podir/*.po; do \
POFILES="$$POFILES $$po"; \
done; \
done; \
echo "all: `echo $$POFILES | $(SED) 's/\.po/.mo/g'`" >> Makefile.$$$$; \
echo "" >> Makefile.$$$$; \
for po in $$POFILES; do \
mo=`echo $$po | $(SED) 's/po$$/mo/'`; \
echo "$$mo: $$po" >> Makefile.$$$$; \
echo " $(MSGFMT) --statistics -c -o $$mo $$po" >> Makefile.$$$$; \
done; \
$(MAKE) -f Makefile.$$$$; \
rm -f Makefile.$$$$; \
else \
echo "Unable to compile message catalogs: $(MSGFMT) not found" 1>&2; \
fi
install-nls:
@if test "$(NLS)" = "enabled"; then \
for pot in $(POTFILES); do \
podir=`dirname $(top_srcdir)/$$pot`; \
domain=`basename $$pot .pot`; \
SUDO_LINGUAS=$${LINGUAS-"`echo $$podir/*.mo | $(SED) 's:'$$podir'/\([^ ]*\).mo:\1:g'`"}; \
echo $(ECHO_N) "Installing $$domain message catalogs:$(ECHO_C)"; \
for lang in $$SUDO_LINGUAS; do \
test -s $$podir/$$lang.mo || continue; \
echo $(ECHO_N) " $$lang$(ECHO_C)"; \
$(SHELL) $(scriptdir)/mkinstalldirs $(DESTDIR)$(localedir)/$$lang/LC_MESSAGES; \
if test -n "$(LOCALEDIR_SUFFIX)"; then \
if test ! -d $(DESTDIR)$(localedir)/$$lang$(LOCALEDIR_SUFFIX); then \
ln -s $$lang $(DESTDIR)$(localedir)/$$lang$(LOCALEDIR_SUFFIX); \
fi; \
fi; \
$(INSTALL) $(INSTALL_OWNER) -m 0644 $$podir/$$lang.mo $(DESTDIR)$(localedir)/$$lang/LC_MESSAGES/$$domain.mo; \
done; \
echo ""; \
done; \
fi
mkdefaults:
cd plugins/sudoers && exec $(MAKE) DEVEL=1 ./def_data.c ./def_data.h
check-dist: update-pot compile-po mkdefaults
@if test -d $(srcdir)/.hg && cd $(srcdir); then \
if test `hg stat -am | wc -l` -ne 0; then \
echo "Uncommitted changes" 1>&2; \
hg stat -am 1>&2; \
exit 1; \
fi; \
fi
dist: check-dist force-dist
force-dist: ChangeLog $(srcdir)/MANIFEST
cd $(top_srcdir) && $(SED) 's/[ ].*//' MANIFEST | \
pax -w -x ustar -f ../$(PACKAGE_TARNAME)-$(VERSION).tar \
-s '/^/$(PACKAGE_TARNAME)-$(VERSION)\//' && \
gzip -9f ../$(PACKAGE_TARNAME)-$(VERSION).tar && \
ls -l ../$(PACKAGE_TARNAME)-$(VERSION).tar.gz
package: @PPFILES@
DESTDIR=$(abs_top_builddir)/destdir; rm -rf $$DESTDIR; \
$(MAKE) install INSTALL_OWNER= DESTDIR=$$DESTDIR && \
$(MAKE) postinstall INSTALL_OWNER= DESTDIR=$$DESTDIR && \
for p in @PPFILES@; do \
$(SHELL) $(scriptdir)/pp $(PPFLAGS) --destdir=$$DESTDIR $$p \
srcdir=$(top_srcdir) \
prefix=$(prefix) \
bindir=$(bindir) \
sbindir=$(sbindir) \
libexecdir=$(libexecdir) \
includedir=$(includedir) \
vardir=$(vardir) \
rundir=$(rundir) \
mandir=$(mandir) \
localedir=$(localedir) \
docdir=$(docdir) \
exampledir=$(exampledir) \
sysconfdir=$(sysconfdir) \
sudoers_uid=$(sudoers_uid) \
sudoers_gid=$(sudoers_gid) \
sudoers_mode=$(sudoers_mode) \
shlib_mode=$(shlib_mode) \
python_version=$(python_version) \
version=$(VERSION) $(PPVARS); \
done
clean: config.status
for d in $(SUBDIRS) $(SAMPLES); do \
(cd $$d && exec $(MAKE) $@); \
done
-rm -rf cov-int cov-int.tgz uncrustify.files
mostlyclean: clean
distclean: config.status
for d in $(SUBDIRS) $(SAMPLES); do \
(cd $$d && exec $(MAKE) $@); \
done
-rm -rf autom4te.cache ChangeLog config.cache config.h config.log \
config.status etc/init.d/*.sh etc/init.d/sudo.conf libtool \
Makefile pathnames.h stamp-*
cleandir: distclean
clobber: distclean
realclean: distclean
me:
a:
sandwich:
@if test -n "$$SUDO_USER"; then \
echo "Okay."; \
else \
echo "What? Make it yourself!"; \
fi
.PHONY: clean mostlyclean distclean cleandir clobber realclean ChangeLog \
me a sandwich check-format reformat
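Review bot: the cov-build target calls `make clean` and `cov-build --dir cov-int make $(MFLAGS) all` with a bare `make` instead of `$(MAKE)`, so a build started with a different make binary (or with jobserver flags) will not carry that into the Coverity run; every other target in this file uses `$(MAKE)`, and `$(MAKE) clean` / `cov-build --dir cov-int $(MAKE) all` would be consistent. The check-dist target only refuses to build a dist when `$(srcdir)/.hg` exists and `hg stat -am` reports changes, while the ChangeLog target supports both hg and git checkouts; a git branch in check-dist (`git status --porcelain` is the usual equivalent) would keep the uncommitted-changes guard working for git users. Minor: the .PHONY list omits several targets that never produce a file (cppcheck, splint, update-pot, update-po, compile-po, install-nls, uninstall-nls, check-dist, dist, force-dist, package), so a stray file with one of those names would silently satisfy the rule.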

4605
NEWS Normal file

File diff suppressed because it is too large

218
README.LDAP.md Normal file

@ -0,0 +1,218 @@
This file explains how to build the optional LDAP functionality of SUDO to
store /etc/sudoers information. This feature is distinct from LDAP passwords.
For general sudo LDAP configuration details, see the sudoers.ldap manual that
comes with the sudo distribution. A pre-formatted version of the manual may
be found in the sudoers.ldap.cat file.
The sudo binary compiled with LDAP support should be totally backward
compatible and be syntactically and source code equivalent to its
non LDAP-enabled build.
## LDAP philosophy
As times change and servers become cheap, an enterprise can easily have 500+
UNIX servers. Using LDAP to synchronize Users, Groups, Hosts, Mounts, and
others across an enterprise can greatly reduce the administrative overhead.
In the past, sudo has used a single local configuration file, /etc/sudoers.
While the same sudoers file can be shared among machines, no built-in
mechanism exists to distribute it. Some have attempted to workaround this
by synchronizing changes via CVS/RSYNC/RDIST/RCP/SCP and even NFS.
By using LDAP for sudoers we gain a centrally administered, globally
available configuration source for sudo.
For information on OpenLDAP, see https://www.openldap.org/.
## Definitions
Many times the word 'Directory' is used in the document to refer to the LDAP
server, structure, and contents.
Many times 'options' are used in this document to refer to sudoer 'defaults'.
They are one and the same.
## Build instructions
The simplest way to build sudo with LDAP support is to include the
`--with-ldap` option.
$ ./configure --with-ldap
If your ldap libraries and headers are in a non-standard place, you will need
to specify them at configure time. E.g.
$ ./configure --with-ldap=/usr/local/ldapsdk
Sudo is developed using OpenLDAP but Netscape-based LDAP libraries
(such as those present in Solaris) and IBM LDAP are also known to work.
If special configuration was required to build an LDAP-enabled sudo,
let the sudo workers mailing list <sudo-workers@sudo.ws> know so
we can improve sudo.
## Schema Changes
You must add the appropriate schema to your LDAP server before it
can store sudoers content.
For OpenLDAP, there are two options, depending on how slapd is configured.
The first option is to copy the file schema.OpenLDAP to the schema
directory (e.g., /etc/openldap/schema). You must then edit your
slapd.conf and add an include line the new schema, for example:
# Sudo LDAP schema
include /etc/openldap/schema/sudo.schema
In order for sudoRole LDAP queries to be efficient, the server must index
the attribute 'sudoUser', for example:
# Indices to maintain
index sudoUser eq
After making the changes to slapd.conf, restart slapd.
The second option is only for OpenLDAP 2.3 and higher where slapd.conf
has been configured to use on-line configuration. If your slapd.conf
file includes the line:
database config
it should be possible to use the schema.olcSudo file.
You can apply schema.olcSudo using the ldapadd utility or another
suitable LDAP browser. For example:
# ldapadd -f schema.olcSudo -H ldap://ldapserver -W -x \
-D cn=Manager,dc=example,dc=com
There is no need to restart slapd when updating on-line configuration.
For Netscape-derived LDAP servers such as SunONE, iPlanet, or Fedora Directory,
copy the schema.iPlanet file to the schema directory with the name 99sudo.ldif.
On Solaris, schemas are stored in /var/Sun/mps/slapd-\`hostname\`/config/schema/.
For Fedora Directory Server, they are stored in /etc/dirsrv/schema/.
For IBM Directory Server, IBM Tivoli Directory Server, IBM Security
Directory Server, and IBM Security Verify Directory, the schema is
supplied in LDIF format. It can be installed using the ldapmodify
utility:
# ldapmodify -c -f schema.IBM_LDAP -h ldapserver:port -w passwod \
-D cn=Manager,dc=example,dc=com
For schema files other than schema.olcSudo and schema.IBM_LDAP, you
will need to restart the LDAP server after copying the schema file
into place.
Finally, using an LDAP browser/editor, enable indexing by editing the
client profile to provide a Service Search Descriptor (SSD) for sudoers,
replacing example.com with your domain:
serviceSearchDescriptor: sudoers: ou=sudoers,dc=example,dc=com
If using an Active Directory server, copy schema.ActiveDirectory
to your Windows domain controller and run the following command:
ldifde -i -f schema.ActiveDirectory -c dc=X dc=example,dc=com
## Importing /etc/sudoers into LDAP
Importing sudoers is a two-step process.
1. Ask your LDAP Administrator where to create the ou=SUDOers container.
For instance, if using OpenLDAP:
```
dn: ou=SUDOers,dc=example,dc=com
objectClass: top
objectClass: organizationalUnit
ou: SUDOers
```
(An example location is shown below). Then use the cvtsudoers utility to
convert your sudoers file into LDIF format.
```
# SUDOERS_BASE=ou=SUDOers,dc=example,dc=com
# export SUDOERS_BASE
# cvtsudoers -f ldif -o /tmp/sudoers.ldif /etc/sudoers
```
2. Import into your directory server. The following example is for
OpenLDAP. If you are using another directory, provide the LDIF
file to your LDAP Administrator.
```
# ldapadd -f /tmp/sudoers.ldif -H ldap://ldapserver \
-D cn=Manager,dc=example,dc=com -W -x
```
3. Verify the sudoers LDAP data:
```
# ldapsearch -b "$SUDOERS_BASE" -D cn=Manager,dc=example,dc=com -W -x
```
## Managing LDAP entries
Doing a one-time bulk load of your ldap entries is fine. However what if you
need to make minor changes on a daily basis? It doesn't make sense to delete
and re-add objects. (You can, but this is tedious).
I recommend using any of the following LDAP browsers to administer your SUDOers.
* GQ - The gentleman's LDAP client - Open Source - I use this a lot on Linux
and since it is Schema aware, I don't need to create a sudoRole template.
https://sourceforge.net/projects/gqclient/
* phpQLAdmin - Open Source - phpQLAdmin is an administration tool,
originally for QmailLDAP, that supports editing sudoRole objects
in version 2.3.2 and higher.
http://phpqladmin.com/
* LDAP Browser/Editor - by Jarek Gawor - I use this a lot on Windows
and Solaris. It runs anywhere in a Java Virtual Machine including
web pages. You have to make a template from an existing sudoRole entry.
http://pi.hv.pl/Gawor%20ldapbrowser/
* Apache Directory Studio - Open Source - an Eclipse-based LDAP
development platform. Includes an LDAP browser, and LDIF editor,
a schema editor and more.
https://directory.apache.org/studio
There are dozens of others, some Open Source, some free, some not.
## Configure your /etc/ldap.conf and /etc/nsswitch.conf
The /etc/ldap.conf file is meant to be shared between sudo, pam_ldap, nss_ldap
and other ldap applications and modules. IBM Secureway unfortunately uses
the same file name but has a different syntax. If you need to change where
this file is stored, re-run configure with the `--with-ldap-conf-file=PATH`
option.
See the "Configuring ldap.conf" section in the sudoers.ldap manual
for a list of supported ldap.conf parameters and an example ldap.conf
Make sure you sudoers_base matches the location you specified when you
imported the sudoers ldif data.
After configuring /etc/ldap.conf, you must add a line in the
/etc/nsswitch.conf file to tell sudo to look in LDAP for sudoers.
See the "Configuring nsswitch.conf" section in the sudoers.ldap
manual for details. Sudo will use /etc/nsswitch.conf even if the
underlying operating system does not support it. To disable nsswitch
support, run configure with the `--with-nsswitch=no` option. This
will cause sudo to consult LDAP first and /etc/sudoers second,
unless the ignore_sudoers_file flag is set in the global LDAP options.
## Debugging your LDAP configuration
Enable debugging if you believe sudo is not parsing LDAP the way you think it
should. Setting the 'sudoers_debug' parameter to a value of 1 shows moderate
debugging. A value of 2 shows the results of the matches themselves. Make
sure to set the value back to zero so that other users don't get confused by
the debugging messages.
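Review bot: the ldapmodify example for IBM Directory Server has a typo, `-w passwod`, and, unlike the ldapadd and ldapsearch examples in the same file that use `-W -x`, passes the bind password on the command line where it is visible in the process list and shell history; `-W` (prompt for the password) would be the safer form to document. Documentation fixes in the same hunk: "add an include line the new schema" is missing "for"; "Importing sudoers is a two-step process" is followed by three numbered steps; "(An example location is shown below)" describes the LDIF that appears above the sentence; "Make sure you sudoers_base matches" should read "your sudoers_base"; and the sentence ending "an example ldap.conf" has no terminating period.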

105
README.md Normal file

@ -0,0 +1,105 @@
## The sudo philosophy
Sudo is a program designed to allow a sysadmin to give limited root privileges
to users and log root activity. The basic philosophy is to give as few
privileges as possible but still allow people to get their work done.
## Where to find sudo
Before building sudo, make sure you have the current version. The
latest sudo may always be gotten via anonymous ftp from ftp.sudo.ws
in the directory /pub/sudo/ or from the sudo web site, https://www.sudo.ws/
The distribution is sudo-M.m.tar.gz where _M_ is the major version
number and _m_ is the minor version number. Beta versions of sudo may
also be available. If you join the _sudo-workers_ mailing list you
will get the beta announcements (see the Mailing lists section below).
## What's new
See the NEWS file for a list of major changes in this release. For
a complete list of changes, see the [ChangeLog](ChangeLog).
For a summary of major changes to the current stable release, see
https://www.sudo.ws/releases/stable/.
If you are upgrading from an earlier version of Sudo, read
[docs/UPGRADE.md](docs/UPGRADE.md) for information on changes in
behavior that may affect you.
For a history of sudo see [docs/HISTORY.md](docs/HISTORY.md).
You can find a list of contributors to sudo in
[docs/CONTRIBUTORS.md](docs/CONTRIBUTORS.md).
## Building the release
Read the installation guide, [INSTALL.md](INSTALL.md), before trying
to build sudo. Pay special attention to the "OS dependent notes" section.
## How to contribute
See [docs/CONTRIBUTING.md](docs/CONTRIBUTING.md) for information on
how you can help contribute to sudo.
## Copyright
Sudo is distributed under an ISC-style license.
Refer to [LICENSE.md](LICENSE.md) for details.
## Mailing lists
#### sudo-announce
This list receives announcements whenever a new version of sudo is
released. https://www.sudo.ws/mailman/listinfo/sudo-announce
#### sudo-blog
This list receives a message when a new sudo blog article is
available. https://www.sudo.ws/mailman/listinfo/sudo-blog
#### sudo-commits
This list receives a message for each commit made to the sudo source
repository. https://www.sudo.ws/mailman/listinfo/sudo-commits
#### sudo-users
This list is for questions and general discussion about sudo.
https://www.sudo.ws/mailman/listinfo/sudo-users
#### sudo-workers
This list is for people working on and porting sudo.
https://www.sudo.ws/mailman/listinfo/sudo-workers
To subscribe to a list, visit its url (listed above) and enter your
email address to subscribe. Digest versions are available but these are
fairly low traffic lists so the digest versions are not a significant win.
Mailing list archives are also available. See the mailing list web sites
for the appropriate links.
## Sudo web page
There is a sudo web page at https://www.sudo.ws/ that contains
documentation, downloads, a bug tracker, the source repo, the sudo
blog, information about beta versions and other useful info.
## Filing bug reports/issues
If you believe you have found a bug, you can either file a bug
report in the sudo bug database, https://bugzilla.sudo.ws/, or open
a [GitHub issue](https://github.com/sudo-project/sudo/issues),
whichever you find easier. If you would prefer to use email,
messages may be sent to the [sudo-workers@sudo.ws mailing
list](https://www.sudo.ws/mailman/listinfo/sudo-workers) (public)
or to sudo@sudo.ws (private).
For sudo's security policy and how to report security issues, see
[docs/SECURITY.md](docs/SECURITY.md).
Please check [docs/TROUBLESHOOTING.md](docs/TROUBLESHOOTING.md)
*before* submitting a bug report. When reporting bugs, be sure to
include the version of sudo you are using, the operating system
and/or distro that is affected, and, if possible, step-by-step
instructions to reproduce the problem.
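Review bot: the "Where to find sudo" section leads with anonymous ftp from ftp.sudo.ws; plaintext FTP gives no transport integrity for the source of a setuid-root program, so the https://www.sudo.ws/ download should be the primary reference and the FTP path mentioned second, if at all. Style: the text alternates between "Sudo" and "sudo" for the program name ("Sudo is a program", "earlier version of Sudo", "sudo blog"); pick one outside of sentence-initial position.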

36
aclocal.m4 vendored Normal file

@ -0,0 +1,36 @@
# generated automatically by aclocal 1.16.5 -*- Autoconf -*-
# Copyright (C) 1996-2021 Free Software Foundation, Inc.
# This file is free software; the Free Software Foundation
# gives unlimited permission to copy and/or distribute it,
# with or without modifications, as long as this notice is preserved.
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY, to the extent permitted by law; without
# even the implied warranty of MERCHANTABILITY or FITNESS FOR A
# PARTICULAR PURPOSE.
m4_ifndef([AC_CONFIG_MACRO_DIRS], [m4_defun([_AM_CONFIG_MACRO_DIRS], [])m4_defun([AC_CONFIG_MACRO_DIRS], [_AM_CONFIG_MACRO_DIRS($@)])])
m4_include([m4/ax_append_flag.m4])
m4_include([m4/ax_check_compile_flag.m4])
m4_include([m4/ax_check_link_flag.m4])
m4_include([m4/ax_func_getaddrinfo.m4])
m4_include([m4/ax_func_snprintf.m4])
m4_include([m4/ax_gcc_builtin.m4])
m4_include([m4/ax_prog_cc_for_build.m4])
m4_include([m4/gettext.m4])
m4_include([m4/hardening.m4])
m4_include([m4/ldap.m4])
m4_include([m4/libtool.m4])
m4_include([m4/ltoptions.m4])
m4_include([m4/ltsugar.m4])
m4_include([m4/ltversion.m4])
m4_include([m4/lt~obsolete.m4])
m4_include([m4/openssl.m4])
m4_include([m4/pie.m4])
m4_include([m4/python.m4])
m4_include([m4/runlog.m4])
m4_include([m4/sanitizer.m4])
m4_include([m4/sudo.m4])
m4_include([m4/visibility.m4])

20
autogen.sh Executable file

@ -0,0 +1,20 @@
#!/bin/sh
# OpenBSD may have multiple versions of autoconf and automake installed
# If the user hasn't chosen one themselves, we do here.
if [ "`/usr/bin/uname 2>&1`" = "OpenBSD" ]; then
if [ X"$AUTOMAKE_VERSION" = X"" ]; then
AUTOMAKE_VERSION=1.16; export AUTOMAKE_VERSION
fi
if [ X"$AUTOCONF_VERSION" = X"" ]; then
AUTOCONF_VERSION=2.71; export AUTOCONF_VERSION
fi
fi
set -ex
autoreconf -f -i -v -Wall -I m4
rm -rf autom4te.cache
exit 0
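Review bot: `set -ex` is enabled only after the OpenBSD version block, so `set -e` does not cover the two `export` lines; moving `set -e` to the first line after the shebang and leaving `set -x` where it is would make the whole script fail-fast. Style: `[ X"$AUTOMAKE_VERSION" = X"" ]` and `[ X"$AUTOCONF_VERSION" = X"" ]` can be written `[ -z "$AUTOMAKE_VERSION" ]` and `[ -z "$AUTOCONF_VERSION" ]`, and the trailing `exit 0` is redundant under `set -e` since any failing command already aborts with a non-zero status.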

1705
config.h.in Normal file

File diff suppressed because it is too large

38790
configure vendored Executable file

File diff suppressed because it is too large

4958
configure.ac Normal file

File diff suppressed because it is too large

45
docker/README Normal file

@ -0,0 +1,45 @@
Container images are stored in https://hub.docker.com/repositories as
user sudoproject. Build images are named based on the distro and use
the tag to differentiate between different versions and architectures.
There should always be a "latest" tag (or manifest).
When creating a new Dockerfile, use one of the Debian or Fedora files
as a template. The examples below use podman rather than docker but it
should be possible to them interchangeably.
To build Debian containers for both amd64 and i386 (others only have amd64):
podman build --arch amd64 --pull -t sudoproject/debian:latest.amd64 \
docker/debian/latest
podman build --arch 386 --pull -t sudoproject/debian:latest.i386 \
docker/debian/latest
Then push it to dockerhub (may need to run "podman login" first):
podman push sudoproject/debian:latest.amd64
podman push sudoproject/debian:latest.i386
Multi-arch containers are supported by creating a manifest, e.g.:
podman manifest create sudoproject/debian:latest
podman manifest add sudoproject/debian:latest \
sudoproject/debian:latest.amd64
podman manifest add sudoproject/debian:latest \
sudoproject/debian:latest.i386
Finally push the manifest to dockerhub:
podman push sudoproject/debian:latest
When building bleeding edge images it is possible that the seccomp
filter will be out of date with respect to system calls. It may
be necessary to pass podman the --security-opt=seccomp=unconfined
option in this case.
Note that memory sanitizer uses ptrace which is not allowed for
non-root containers by default. This will cause a failure when
running the tests if sudo is configured with --enable-sanitizer.
The simplest solution is to run the container with the SYS_PTRACE
capability. E.g.
podman run -it --cap-add SYS_PTRACE ...
Alternately, disable leak sanitizer by setting
ASAN_OPTIONS=detect_leaks=0
in the environment of the container doing "make check".
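Review bot: "it should be possible to them interchangeably" is missing the verb ("to use them interchangeably"). On substance, `--security-opt=seccomp=unconfined` and `--cap-add SYS_PTRACE` both widen what the container may do (no syscall filter at all, and ptrace of other processes in the container); the text should say these apply only to the throwaway container in which `make check` is run, not to the build images that are pushed under the sudoproject namespace. The sentence "memory sanitizer uses ptrace" is also imprecise: the workaround disables leak detection via `ASAN_OPTIONS=detect_leaks=0`, and it is LeakSanitizer (run as part of AddressSanitizer under `--enable-sanitizer`) that needs ptrace to stop the process at exit, so naming it as such avoids confusion with the separate MemorySanitizer tool.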


@ -0,0 +1,10 @@
FROM docker.io/library/debian:latest
RUN DEBIAN_FRONTEND=noninteractive TZ=America/Denver apt-get update && \
DEBIAN_FRONTEND=noninteractive TZ=America/Denver apt-get install -y \
build-essential curl dpkg-dev ed fakeroot file git libapparmor-dev \
libaudit-dev libkrb5-dev libldap2-dev libpam0g-dev libpython3-dev \
libsasl2-dev libselinux1-dev libsepol-dev libssl-dev libwolfssl-dev \
lsb-release ncurses-term openssh-client pkg-config procps python3-dev \
ssh zlib1g-dev
RUN useradd -ms /bin/bash build
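Review bot: the last RUN creates an unprivileged `build` user but nothing switches to it, so a plain `podman run` on this image still lands in a root shell. If builds and `make check` are meant to run as that user, add `USER build` and `WORKDIR /home/build` after the useradd line; otherwise a comment noting that callers are expected to pass `--user build` would make the intent clear.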


@ -0,0 +1,10 @@
FROM docker.io/library/debian:testing
RUN DEBIAN_FRONTEND=noninteractive TZ=America/Denver apt-get update && \
DEBIAN_FRONTEND=noninteractive TZ=America/Denver apt-get install -y \
build-essential curl dpkg-dev ed fakeroot file git libapparmor-dev \
libaudit-dev libkrb5-dev libldap2-dev libpam0g-dev libpython3-dev \
libsasl2-dev libselinux1-dev libsepol-dev libssl-dev libwolfssl-dev \
lsb-release ncurses-term openssh-client pkg-config procps python3-dev \
ssh zlib1g-dev
RUN useradd -ms /bin/bash build
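Review bot: the package list installs both `openssh-client` and `ssh`; on Debian `ssh` is a metapackage that also pulls in `openssh-server`, so the image ends up with an SSH daemon it never uses. Dropping `ssh` keeps the client (needed for git over SSH) and leaves the server out of the build image.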


@ -0,0 +1,8 @@
FROM docker.io/library/fedora:latest
ENV TZ=America/Denver
RUN dnf -y install audit-libs-devel cyrus-sasl-devel glibc-devel krb5-devel \
libasan libubsan libselinux-devel libsepol-devel make openldap-devel \
openssl-devel pam-devel python3-devel rpm-build zlib-devel binutils \
ed gcc gdb git openssh pkg-config procps which
RUN useradd -ms /bin/bash build
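Review bot: the `dnf -y install` layer never runs `dnf clean all`, so the package cache is baked into the image; appending `&& dnf clean all` to the same RUN keeps the layer small. As in the Debian files, `useradd` creates `build` but no `USER build` follows it, so the image runs as root unless the caller overrides it.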


@ -0,0 +1,8 @@
FROM docker.io/library/fedora:rawhide
ENV TZ=America/Denver
RUN dnf -y install audit-libs-devel cyrus-sasl-devel glibc-devel krb5-devel \
libasan libubsan libselinux-devel libsepol-devel make openldap-devel \
openssl-devel pam-devel python3-devel rpm-build zlib-devel binutils \
ed gcc gdb git openssh pkg-config procps which
RUN useradd -ms /bin/bash build
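Review bot: this file duplicates the fedora:latest Dockerfile apart from the FROM line, and the package list (libasan and libubsan for --enable-sanitizer builds plus the build tools) will drift the first time one of them is edited. Consider generating both from one template with the tag as a build ARG, or at least a comment in each pointing at the other so they are updated together. Rawhide is also the image most likely to hit the stale seccomp profile the README describes, so a comment pointing at that workaround would save the next person a failed build.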


@ -0,0 +1,10 @@
FROM docker.io/library/ubuntu:devel
RUN DEBIAN_FRONTEND=noninteractive TZ=America/Denver apt-get update && \
DEBIAN_FRONTEND=noninteractive TZ=America/Denver apt-get install -y \
build-essential curl dpkg-dev ed fakeroot file git libapparmor-dev \
libaudit-dev libkrb5-dev libldap2-dev libpam0g-dev libpython3-dev \
libsasl2-dev libselinux1-dev libsepol-dev libssl-dev libwolfssl-dev \
lsb-release ncurses-term openssh-client pkg-config procps python3-dev \
ssh zlib1g-dev
RUN useradd -ms /bin/bash build
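Review bot: `DEBIAN_FRONTEND=noninteractive TZ=America/Denver` is repeated on both apt-get commands inside the same RUN; declaring them once with `ARG DEBIAN_FRONTEND=noninteractive` and `ARG TZ=America/Denver` before the RUN (ARG rather than ENV, so they do not persist into the container's runtime environment) removes the duplication and lines up with the Fedora files, which set TZ once.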


@ -0,0 +1,10 @@
FROM docker.io/library/ubuntu:latest
RUN DEBIAN_FRONTEND=noninteractive TZ=America/Denver apt-get update && \
DEBIAN_FRONTEND=noninteractive TZ=America/Denver apt-get install -y \
build-essential curl dpkg-dev ed fakeroot file git libapparmor-dev \
libaudit-dev libkrb5-dev libldap2-dev libpam0g-dev libpython3-dev \
libsasl2-dev libselinux1-dev libsepol-dev libssl-dev libwolfssl-dev \
lsb-release ncurses-term openssh-client pkg-config procps python3-dev \
ssh zlib1g-dev
RUN useradd -ms /bin/bash build
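Review bot: the apt-get layer leaves /var/lib/apt/lists populated; ending the RUN with `&& rm -rf /var/lib/apt/lists/*` keeps the package indexes out of the image, and since the README rebuilds with `--pull` anyway the index is refreshed on the next build. `useradd -ms /bin/bash build` also has no `USER build` after it, so the container runs as root unless the caller overrides it.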


@ -0,0 +1,10 @@
FROM docker.io/library/ubuntu:rolling
RUN DEBIAN_FRONTEND=noninteractive TZ=America/Denver apt-get update && \
DEBIAN_FRONTEND=noninteractive TZ=America/Denver apt-get install -y \
build-essential curl dpkg-dev ed fakeroot file git libapparmor-dev \
libaudit-dev libkrb5-dev libldap2-dev libpam0g-dev libpython3-dev \
libsasl2-dev libselinux1-dev libsepol-dev libssl-dev libwolfssl-dev \
lsb-release ncurses-term openssh-client pkg-config procps python3-dev \
ssh zlib1g-dev
RUN useradd -ms /bin/bash build
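Review bot: the same seven-line apt-get package list now appears in five Dockerfiles (the debian:latest, debian:testing, ubuntu:devel, ubuntu:latest and ubuntu:rolling images); a shared package-list file consumed with `xargs apt-get install -y`, or one template with the base tag as a build ARG, would stop the lists drifting apart. The set itself is reasonable for a build image, though `ssh` is redundant next to `openssh-client` and drags in the server package.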

88
docs/CONTRIBUTING.md Normal file

@ -0,0 +1,88 @@
Contributing to Sudo
====================
Thank you for your interest in contributing to Sudo! There are a
number of way you can help make Sudo better.
## Getting started
To get an overview of Sudo, see the [README.md](../README.md) file.
There are multiple ways to contribute, some of which don't require
writing a single line of code.
## Filing bug reports/issues
If you believe you have found a bug, you can either file a bug
report in the sudo bug database, https://bugzilla.sudo.ws/, or open
a [GitHub issue](https://github.com/sudo-project/sudo/issues),
whichever you find easier. If you would prefer to use email,
messages may be sent to the [sudo-workers@sudo.ws mailing
list](https://www.sudo.ws/mailman/listinfo/sudo-workers) (public)
or to sudo@sudo.ws (private).
For sudo's security policy and how to report security issues, see
[SECURITY.md](SECURITY.md).
Please check [TROUBLESHOOTING.md](TROUBLESHOOTING.md) *before*
submitting a bug report. When reporting bugs, be sure to include
the version of sudo you are using, the operating system and/or
distro that is affected, and, if possible, step-by-step instructions
to reproduce the problem.
## Making changes to Sudo
If you are interested in making changes to Sudo there are two main
work flows:
* clone the [sudo repo](https://github.com/sudo-project/sudo), make
your changes, and submit a Pull Request (PR).
* send a diff with your changes to the [sudo-workers@sudo.ws mailing
list](https://www.sudo.ws/mailman/listinfo/sudo-workers) to start
a discussion.
In addition to the [GitHub repo](https://github.com/sudo-project/sudo),
there is also a [mercurial repo](https://www.sudo.ws/repos/sudo).
## sudo-workers mailing list
If you would like to discuss your changes before submitting a
PR, you may do so on the [sudo-workers@sudo.ws mailing
list](https://www.sudo.ws/mailman/listinfo/sudo-workers).
Otherwise, discussion can simply occur as part of the PR work flow.
## Fuzzing
Sudo uses the [oss-fuzz project](https://github.com/google/oss-fuzz.git)
to perform fuzzing. Each commit to the _main_ branch will trigger
a short fuzzing run via the [CIFuzz
action](https://github.com/sudo-project/sudo/actions/workflows/main.yml).
The history of that action shows successful and failed fuzzing runs.
Longer fuzzing runs occur using the ClusterFuzz infrastructure. These
fuzzing runs are longer than those used by CIFuzz. A [public list of
failures](https://bugs.chromium.org/p/oss-fuzz/issues/list?q=sudoers)
is available.
For more information, see https://www.sudo.ws/security/fuzzing/.
## Translations
Sudo uses [GNU gettext](https://www.gnu.org/software/gettext/) for
its National Language Support (NLS). Strings in sudo and related
programs are collected in `.pot` files that can be translated into
multiple languages.
Translations for sudo are coordinated by the [Translation
Project](https://translationproject.org). If you would like to
contribute to Sudo's translations, please join a translation team
at the Translation Project instead of contributing a `.po` file
directly. This will avoid duplicated work if there is already a
translation in progress. If you would like to become a member of
a translation team, please follow the [instructions for
translators](https://translationproject.org/html/translators.html).
There are currently two translation domains: [one for the sudo
front-end](https://translationproject.org/domain/sudo.html) and a
[separate one for the sudoers module and related
utilities](https://translationproject.org/domain/sudoers.html).
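Review bot: "There are a number of way you can help" should read "ways", and "work flows" (used twice under Making changes) is normally written "workflows". In the Fuzzing section the oss-fuzz link points at the `.git` clone URL; https://github.com/google/oss-fuzz is the friendlier target for a reader following the link.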

252
docs/CONTRIBUTORS.md Normal file

@ -0,0 +1,252 @@
The following list of people, sorted by last name, have contributed
code or patches to this implementation of sudo since I began
maintaining it in 1993. This list is known to be incomplete--if
you believe you should be listed, send a note to sudo@sudo.ws.
Ackeret, Matt
Adler, Mark
Allbery, Russ
Anderson, Jamie
Andrew, Nick
Andric, Dimitry
Barron, Danny
Bates, Tom
Behan, Zdeněk
Bellis, Ray
Benali, Elias
Beverly, Jamie
Boardman, Spider
Bos, Sander
Bostley, P.J.
Bowes, Keith
Boyce, Keith Garry
Brantley, Michael
Braun, Rob
Březina, Pavel
Brooks, Piete
Brown, Jerry
Burr, Michael E
Burton, Ross
Bussjaeger, Andreas
Calvin, Gary
Campbell, Aaron
Chazelas, Stephane
Cheloha, Scott
Čížek, Vítězslav
Coleman, Chris
Corzine, Deven T.
Cusack, Frank
Dai, Wei
Dill, David
Earickson, Jeff
Eckhardt, Drew
Edgington, Ben
Esipovich, Marc
Espie, Marc
Faigon, Ariel
Farrell, Brian
Fobes, Steve
Frysinger, Mike
G., Daniel Richard
Gailly, Jean-loup
Gelman, Stephen
Gerraty, Simon J.
Graber, Stephane
Guillory, B.
Hayman, Randy M.
Henke, Joachim
Hideaki, Yoshifuji
Hieb, Dave
Holloway, Nick
Hoover, Adam
Hunter, Michael T.
Hutchings, Ben
Irrgang, Eric
Jackson, Brian
Jackson, John R.
Jackson, Richard L., Jr.
Janssen, Mark
Jindrák, Jaroslav
Jepeway, Chris
Jorge, Joel Peláe
Jover, Guillem
Juhani, Timo
Kikuchi, Ayamura
Kadow, Kevin
Kasal, Stepan
Kienenberger, Mike
King, Dale
King, Michael
Klyachkin, Andrey
Knoble, Jim
Knox, Tim
Komarnitsky, Alek O.
Kondrashov, Nikolai
Kopeček, Daniel
Kranenburg, Paul
Krause, David
Lakin, Eric
Larsen, Case
Levin, Dmitry V.
Libby, Kendall
Lobbes, Phillip E.
McIntyre, Jason
MacKenzie, David J.
McLaughlin, Tom
Makey, Jeff
Mallayya, Sangamesh
Manner, Róbert
Marchionna, Michael D.
Markham, Paul
Martinian, Emin
Meskes, Michael
Michael, David
Miller, Todd C.
Minier, Loïc
Moffat, Darren
Moldung, Jan Thomas
Morris, Charles
Mueller, Andreas
Müller, Dworkin
Nieusma, Jeff
Nikitser, Peter A.
Nussel, Ludwig
Orbán, László
Ouellet, Jean-Philippe
Paquet, Eric
Paradis, Chantal
Pasteleurs, Frederic
Percival, Ted
Perera, Andres
Peron, Christian S.J.
Peschel, Aaron
Peslyak, Alexander
Peterson, Toby
Pettenò, Diego Elio
Pickett, Joel
Plotnick, Alex
de Raadt, Theo
Rasch, Gudleik
Reid, Steve
Richards, Matt
Rossum, Guido van
Rouillard, John P.
Rowe, William A., Jr.
Roy, Alain
Ruusamäe, Elan
Ryabinkin, Eygene
Sato, Yuichi
Sánchez, Wilfredo
Sanders, Miguel
Sasaki, Kan
Saucier, Jean-Francois
Schoenfeld, Patrick
Schuring, Arno
Schwarze, Ingo
Scott, Dougal
Shand, Will
Sieger, Nick
Simon, Thor Lancelot
Skoll, Dianne
Slemko, Marc
Smith, Andy
Sobrado, Igor
Soulen, Steven
Spangler, Aaron
Spradling, Cloyce D.
Spradling, Michael
Stier, Matthew
Stoeckmann, Tobias
Street, Russell
Stritzky, Tilo
Stroucken, Michael
Tarrall, Robert
Thomas, Matthew
Todd, Giles
Toft, Martin
Torek, Chris
Tucker, Darren
Uhl, Robert
Uzel, Petr
Valery, Reznic
Van Dinter, Theo
Venckus, Martynas
de Vries, Maarten
Wagner, Klaus
Walsh, Dan
Warburton, John
Webb, Kirk
Wetzel, Timm
Wieringen, Marco van
Wilk, Jakub
Winiger, Gary
Wood, David
Zacarias, Gustavo
Zolnowsky, John
The following people have worked to translate sudo into
other languages as part of the Translation Project, see
https://translationproject.org for more details.
Albuquerque, Pedro
Blättermann, Mario
Bogusz, Jakub
Buo-ren, Lin
Casagrande, Milo
Castro, Felipe
Cho, Seong-ho
Chornoivan, Yuri
Diéguez, Francisco
Doghonadze, Temuri
Fontenelle, Rafael
García-Fontes, Walter
Gezer, Volkan
Hamasaki, Takeshi
Hamming, Peter
Hansen, Joe
Hantrais, Frédéric
Hein, Jochen
Hufthammer, Karl Ove
Jerovšek, Damir
Karvonen, Jorma
Kazik, Dušan
Kelemen, Gábor
Keçeci, Mehmet
Košir, Klemen
Kozlov, Yuri
Kramer, Jakob
Krznar, Tomislav
Marchal, Frédéric
Margevičius, Algimantas
Maryanov, Pavel
Florentina Mușat
Nurmi, Lauri
Nikolić, Miroslav
Nylander, Daniel
Pan, Yi-Jyun
Písař, Petr
Puente, Enol
Putanec, Božidar
Quân, Trần Ngọc
Rasmussen, Sebastian
Regueiro, Leandro
Sarıer, Özgür
Selimaj, Agron
Sendón, Abel
Șerbănescu, Daniel
Shahedany, Eshagh
Sikrom, Åka
Spingos, Dimitris
Taniguchi, Yasuaki
Tomat, Fábio
Triwidada, Andika
Úr, Balázs
Uranga, Mikel Olasagasti
Vorotnikov, Artem
Wang, Wylmer
Yang, Boyuan
The following people designed the artwork used on the sudo website:
Shield logo: Badger, Trent
Sandwich logo (inspired by xkcd): Stillman, Mark
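Review bot: the list is described as sorted by last name but several entries are out of order: "Kikuchi, Ayamura" precedes "Kadow, Kevin", "McIntyre, Jason" precedes "MacKenzie, David J.", "McLaughlin, Tom" precedes "Makey, Jeff", and in the translators list "Nurmi, Lauri" precedes "Nikolić, Miroslav". "Florentina Mușat" is also the only entry written first-name-first; writing it as "Mușat, Florentina" and re-sorting fixes both problems. Particles are handled inconsistently too ("de Raadt, Theo" and "de Vries, Maarten" versus "Rossum, Guido van" and "Wieringen, Marco van"), which is worth settling one way.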

78
docs/HISTORY.md Normal file

@ -0,0 +1,78 @@
A Brief History of Sudo
=======================
## The Early Years
Sudo was first conceived and implemented by Bob Coggeshall and Cliff Spencer
around 1980 at the Department of Computer Science at SUNY/Buffalo. It ran on
a VAX-11/750 running 4.1BSD. An updated version, credited to Phil Betchel,
Cliff Spencer, Gretchen Phillips, John LoVerso, and Don Gworek, was posted to
the net.sources Usenet newsgroup in December of 1985.
## Sudo at CU-Boulder
In the Summer of 1986, Garth Snyder released an enhanced version of sudo.
For the next 5 years, sudo was fed and watered by a handful of folks at
CU-Boulder, including Bob Coggeshall, Bob Manchek, and Trent Hein.
## Root Group Sudo
In 1991, Dave Hieb and Jeff Nieusma wrote a new version of sudo with an
enhanced sudoers format under contract to a consulting firm called "The Root
Group". This version was later released under the GNU public license.
## CU Sudo
In 1994, after maintaining sudo informally within CU-Boulder for some time,
Todd C. Miller made a public release of "CU sudo" (version 1.3) with bug
fixes and support for more operating systems. The "CU" was added to
differentiate it from the "official" version from "The Root Group".
In 1995, a new parser for the sudoers file was contributed by Chris Jepeway.
The new parser was a proper grammar (unlike the old one) and could work with
both sudo and visudo (previously they had slightly different parsers).
In 1996, Todd, who had been maintaining sudo for several years in his spare
time, moved distribution of sudo from a CU-Boulder ftp site to his domain,
courtesan.com.
## Just Plain Sudo
In 1999, the "CU" prefix was dropped from the name since there had been no
formal release of sudo from "The Root Group" since 1991 (the original
authors now work elsewhere). As of version 1.6, Sudo no longer contains any
of the original "Root Group" code and is available under an ISC-style
license.
In 2001, the sudo web site, ftp site, and mailing lists were moved from
courtesan.com to the sudo.ws domain (sudo.org was already taken).
## LDAP Integration
In 2003, Nationwide Mutual Insurance Company contributed code written by
Aaron Spangler to store the sudoers data in LDAP. These changes were
incorporated into Sudo 1.6.8.
## New Parser
In 2005, Todd rewrote the sudoers parser to better support the features that
had been added in the past ten years. This new parser removes some
limitations of the previous one, removes ordering constraints and adds
support for including multiple sudoers files.
## Quest Sponsorship
In 2010, Quest Software began sponsoring Sudo development by hiring
Todd to work on Sudo as part of his full-time job. This enabled
the addition of I/O logging, the plugin API, the log server,
additional regression and fuzz tests, support for binary packages
and more regular releases. Quest's sponsorship of Sudo ended in
February of 2024.
## Present Day
Sudo, in its current form, is maintained by:
Todd C. Miller <Todd.Miller@sudo.ws>
Todd continues to enhance sudo and fix bugs.
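Review bot: "the GNU public license" in the Root Group Sudo section is not the license's name; "the GNU General Public License (GPL)" would be unambiguous, and it matters here because the next section contrasts it with the ISC-style license the current code is under.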

450
docs/Makefile.in Normal file

@ -0,0 +1,450 @@
#
# SPDX-License-Identifier: ISC
#
# Copyright (c) 2010-2015, 2017-2023 Todd C. Miller <Todd.Miller@sudo.ws>
#
# Permission to use, copy, modify, and distribute this software for any
# purpose with or without fee is hereby granted, provided that the above
# copyright notice and this permission notice appear in all copies.
#
# THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
# WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
# MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
# ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
# WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
# ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
# OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
#
# @configure_input@
#
#### Start of system configuration section. ####
srcdir = @srcdir@
abs_srcdir = @abs_srcdir@
top_srcdir = @top_srcdir@
abs_top_srcdir = @abs_top_srcdir@
top_builddir = @top_builddir@
abs_top_builddir = @abs_top_builddir@
docdir = @docdir@
scriptdir = $(top_srcdir)/scripts
# Tools to use
SED = @SED@
IGOR = igor
MANDOC = mandoc
MANCOMPRESS = @MANCOMPRESS@
MANCOMPRESSEXT = @MANCOMPRESSEXT@
TR = @TRPROG@
# Our install program supports extra flags...
INSTALL = $(SHELL) $(scriptdir)/install-sh -c
INSTALL_OWNER = -o $(install_uid) -g $(install_gid)
# Where to install things...
prefix = @prefix@
exec_prefix = @exec_prefix@
bindir = @bindir@
sbindir = @sbindir@
sysconfdir = @sysconfdir@
adminconfdir = @adminconfdir@
libexecdir = @libexecdir@
datarootdir = @datarootdir@
localstatedir = @localstatedir@
mandir = @mandir@
# Directory in which to install the man page
mantype = @MANTYPE@
mansectsu = @mansectsu@
mansectform = @mansectform@
mandirexe = $(mandir)/@MANDIRTYPE@1
mandirsu = $(mandir)/@MANDIRTYPE@$(mansectsu)
mandirform = $(mandir)/@MANDIRTYPE@$(mansectform)
# User and group ids the installed files should be "owned" by
install_uid = 0
install_gid = 0
# Set to non-empty for development mode
DEVEL = @DEVEL@
#### End of system configuration section. ####
SHELL = @SHELL@
DOCS = ./cvtsudoers.$(mantype) ./sudo.$(mantype) ./sudo.conf.$(mantype) \
./sudo_logsrvd.$(mantype) ./sudo_logsrv.proto.$(mantype) \
./sudo_logsrvd.conf.$(mantype) ./sudo_plugin.$(mantype) \
./sudo_plugin_python.$(mantype) ./sudo_sendlog.$(mantype) \
./sudoers.$(mantype) ./sudoers.ldap.$(mantype) \
./sudoers_timestamp.$(mantype) \
./sudoreplay.$(mantype) ./visudo.$(mantype)
DEVDOCS = $(srcdir)/cvtsudoers.man.in $(srcdir)/sudo.conf.man.in \
$(srcdir)/sudo.man.in $(srcdir)/sudo_logsrvd.man.in \
$(srcdir)/sudo_logsrv.proto.man.in \
$(srcdir)/sudo_logsrvd.conf.man.in \
$(srcdir)/sudo_plugin.man.in $(srcdir)/sudo_plugin_python.man.in \
$(srcdir)/sudo_sendlog.man.in $(srcdir)/sudoers.ldap.man.in \
$(srcdir)/sudoers.man.in $(srcdir)/sudoers_timestamp.man.in \
$(srcdir)/sudoreplay.man.in $(srcdir)/visudo.man.in
OTHER_DOCS = $(top_srcdir)/ChangeLog $(top_srcdir)/NEWS \
$(top_srcdir)/README.md $(srcdir)/CONTRIBUTING.md \
$(top_srcdir)/LICENSE.md $(srcdir)/CONTRIBUTORS.md \
$(srcdir)/HISTORY.md $(srcdir)/SECURITY.md \
$(srcdir)/TROUBLESHOOTING.md $(srcdir)/UPGRADE.md
OTHER_DOCS_LDAP = $(top_srcdir)/README.LDAP.md $(srcdir)/schema.*
VERSION = @PACKAGE_VERSION@
PACKAGE_TARNAME = @PACKAGE_TARNAME@
all: $(DEVDOCS) $(DOCS)
igor:
@rval=0; \
for f in *.mdoc.in; do \
echo $(IGOR) -D $$f; \
$(IGOR) -D $$f || rval=`expr $$rval + $$?`; \
done; \
for f in $(OTHER_DOCS) $(OTHER_DOCS_LDAP); do \
case `basename $$f` in \
[A-Z][A-Z]*) \
echo $(IGOR) -abrw $$f; \
$(IGOR) -abrw $$f || rval=`expr $$rval + $$?`;; \
esac; \
done; \
exit $$rval
lint: all
@if [ "$(mantype)" != "mdoc" ]; then \
echo "make lint only supported for mdoc manuals" 1>&2; \
exit 1; \
else \
rval=0; \
for m in $(DOCS); do \
echo $(MANDOC) -Tlint -Wwarning $$m; \
$(MANDOC) -Tlint -Wwarning $$m || rval=`expr $$rval + $$?`; \
done; \
exit $$rval; \
fi
depend:
Makefile: $(srcdir)/Makefile.in
cd $(top_builddir) && ./config.status --file docs/Makefile
.SUFFIXES: .man
$(srcdir)/sudo.man.in: $(srcdir)/sudo.mdoc.in $(srcdir)/sudo.man.in.sed
@if [ -n "$(DEVEL)" ]; then \
echo "Generating $@"; \
mansectsu=`echo @MANSECTSU@|$(TR) A-Z a-z`; \
mansectform=`echo @MANSECTFORM@|$(TR) A-Z a-z`; \
$(SED) -e 's/^\(\.nr [A-Z][A-Z]\) .[A-Z][A-Z]MAN./\1 1/' -e "s/$$mansectsu/8/g" -e "s/$$mansectform/5/g" $(srcdir)/sudo.mdoc.in | $(MANDOC) -Tman | $(SED) -e 's/^\(\.TH "SUDO" \)"8"\(.*\)/\1"'$$mansectsu'"\2/' -e "s/(5)/($$mansectform)/g" -e "s/(8)/($$mansectsu)/g" -e 's/an mdoc input/the sudo.mdoc.in/' -f $(srcdir)/sudo.man.in.sed > $@; \
fi
fixman.sed: $(srcdir)/fixman.sh
$(SHELL) $(srcdir)/fixman.sh $@
./sudo.man: $(top_builddir)/config.status $(srcdir)/sudo.man.in fixman.sed
(cd $(top_builddir) && $(SHELL) config.status --file=-) < $(srcdir)/sudo.man.in | $(SED) -f fixman.sed > $@
./sudo.mdoc: $(top_builddir)/config.status $(srcdir)/sudo.mdoc.in
printf '.\\" Automatically generated from the sudo.mdoc.in file. Do not edit.\n' > $@
(cd $(top_builddir) && $(SHELL) config.status --file=-) < $(srcdir)/sudo.mdoc.in >> $@
$(srcdir)/visudo.man.in: $(srcdir)/visudo.mdoc.in
@if [ -n "$(DEVEL)" ]; then \
echo "Generating $@"; \
mansectsu=`echo @MANSECTSU@|$(TR) A-Z a-z`; \
mansectform=`echo @MANSECTFORM@|$(TR) A-Z a-z`; \
$(SED) -e "s/$$mansectsu/8/g" -e "s/$$mansectform/5/g" $(srcdir)/visudo.mdoc.in | $(MANDOC) -Tman | $(SED) -e 's/^\(\.TH "VISUDO" \)"8"\(.*\)/\1"'$$mansectsu'"\2/' -e "s/(5)/($$mansectform)/g" -e "s/(8)/($$mansectsu)/g" -e 's/an mdoc input/the visudo.mdoc.in/' > $@; \
fi
./visudo.man: $(top_builddir)/config.status $(srcdir)/visudo.man.in fixman.sed
(cd $(top_builddir) && $(SHELL) config.status --file=-) < $(srcdir)/visudo.man.in | $(SED) -f fixman.sed > $@
./visudo.mdoc: $(top_builddir)/config.status $(srcdir)/visudo.mdoc.in
printf '.\\" Automatically generated from the visudo.mdoc.in file. Do not edit.\n' > $@
(cd $(top_builddir) && $(SHELL) config.status --file=-) < $(srcdir)/visudo.mdoc.in >> $@
$(srcdir)/sudo.conf.man.in: $(srcdir)/sudo.conf.mdoc.in
@if [ -n "$(DEVEL)" ]; then \
echo "Generating $@"; \
mansectsu=`echo @MANSECTSU@|$(TR) A-Z a-z`; \
mansectform=`echo @MANSECTFORM@|$(TR) A-Z a-z`; \
$(SED) -e 's/^\(\.nr [A-Z][A-Z]\) .[A-Z][A-Z]MAN./\1 1/' -e "s/$$mansectsu/8/g" -e "s/$$mansectform/5/g" $(srcdir)/sudo.conf.mdoc.in | $(MANDOC) -Tman | $(SED) -e 's/^\(\.TH "SUDO.CONF" \)"5"\(.*\)/\1"'$$mansectform'"\2/' -e "s/(5)/($$mansectform)/g" -e "s/(8)/($$mansectsu)/g" -e 's/an mdoc input/the sudo.conf.mdoc.in/' -f $(srcdir)/sudo.conf.man.in.sed > $@; \
fi
./sudo.conf.man: $(top_builddir)/config.status $(srcdir)/sudo.conf.man.in fixman.sed
(cd $(top_builddir) && $(SHELL) config.status --file=-) < $(srcdir)/sudo.conf.man.in | $(SED) -f fixman.sed > $@
./sudo.conf.mdoc: $(top_builddir)/config.status $(srcdir)/sudo.conf.mdoc.in
printf '.\\" Automatically generated from the sudo.conf.mdoc.in file. Do not edit.\n' > $@
(cd $(top_builddir) && $(SHELL) config.status --file=-) < $(srcdir)/sudo.conf.mdoc.in >> $@
$(srcdir)/sudoers.man.in: $(srcdir)/sudoers.mdoc.in $(srcdir)/sudoers.man.in.sed
@if [ -n "$(DEVEL)" ]; then \
echo "Generating $@"; \
mansectsu=`echo @MANSECTSU@|$(TR) A-Z a-z`; \
mansectform=`echo @MANSECTFORM@|$(TR) A-Z a-z`; \
$(SED) -e 's/^\(\.nr [A-Z][A-Z]\) .[A-Z][A-Z]MAN./\1 1/' -e "s/$$mansectsu/8/g" -e "s/$$mansectform/5/g" $(srcdir)/sudoers.mdoc.in | $(MANDOC) -Tman | $(SED) -e 's/^\(\.TH "SUDOERS" \)"5"\(.*\)/\1"'$$mansectform'"\2/' -e "s/(5)/($$mansectform)/g" -e "s/(8)/($$mansectsu)/g" -e 's/an mdoc input/the sudoers.mdoc.in/' -f $(srcdir)/sudoers.man.in.sed> $@; \
fi
./sudoers.man: $(top_builddir)/config.status $(srcdir)/sudoers.man.in fixman.sed
(cd $(top_builddir) && $(SHELL) config.status --file=-) < $(srcdir)/sudoers.man.in | $(SED) -f fixman.sed > $@
./sudoers.mdoc: $(top_builddir)/config.status $(srcdir)/sudoers.mdoc.in $(srcdir)/fixmdoc.sed
printf '.\\" Automatically generated from the sudoers.mdoc.in file. Do not edit.\n' > $@
(cd $(top_builddir) && $(SHELL) config.status --file=-) < $(srcdir)/sudoers.mdoc.in | $(SED) -f $(srcdir)/fixmdoc.sed >> $@
$(srcdir)/sudoers.ldap.man.in: $(srcdir)/sudoers.ldap.mdoc.in
@if [ -n "$(DEVEL)" ]; then \
echo "Generating $@"; \
mansectsu=`echo @MANSECTSU@|$(TR) A-Z a-z`; \
mansectform=`echo @MANSECTFORM@|$(TR) A-Z a-z`; \
$(SED) -e "s/$$mansectsu/8/g" -e "s/$$mansectform/5/g" $(srcdir)/sudoers.ldap.mdoc.in | $(MANDOC) -Tman | $(SED) -e 's/^\(\.TH "SUDOERS.LDAP" \)"5"\(.*\)/\1"'$$mansectform'"\2/' -e "s/(5)/($$mansectform)/g" -e "s/(8)/($$mansectsu)/g" -e 's/an mdoc input/the sudoers.ldap.mdoc.in/' > $@; \
fi
./sudoers.ldap.man: $(top_builddir)/config.status $(srcdir)/sudoers.ldap.man.in fixman.sed
(cd $(top_builddir) && $(SHELL) config.status --file=-) < $(srcdir)/sudoers.ldap.man.in | $(SED) -f fixman.sed > $@
./sudoers.ldap.mdoc: $(top_builddir)/config.status $(srcdir)/sudoers.ldap.mdoc.in
printf '.\\" Automatically generated from the sudoers.ldap.mdoc.in file. Do not edit.\n' > $@
(cd $(top_builddir) && $(SHELL) config.status --file=-) < $(srcdir)/sudoers.ldap.mdoc.in >> $@
$(srcdir)/sudoers_timestamp.man.in: $(srcdir)/sudoers_timestamp.mdoc.in
@if [ -n "$(DEVEL)" ]; then \
echo "Generating $@"; \
mansectsu=`echo @MANSECTSU@|$(TR) A-Z a-z`; \
mansectform=`echo @MANSECTFORM@|$(TR) A-Z a-z`; \
$(SED) -e "s/$$mansectsu/8/g" -e "s/$$mansectform/5/g" $(srcdir)/sudoers_timestamp.mdoc.in | $(MANDOC) -Tman | $(SED) -e 's/^\(\.TH "SUDOERS_TIMESTAMP" \)"5"\(.*\)/\1"'$$mansectform'"\2/' -e "s/(5)/($$mansectform)/g" -e "s/(8)/($$mansectsu)/g" -e 's/an mdoc input/the sudoers_timestamp.mdoc.in/' > $@; \
fi
./sudoers_timestamp.man: $(top_builddir)/config.status $(srcdir)/sudoers_timestamp.man.in fixman.sed
(cd $(top_builddir) && $(SHELL) config.status --file=-) < $(srcdir)/sudoers_timestamp.man.in | $(SED) -f fixman.sed > $@
./sudoers_timestamp.mdoc: $(top_builddir)/config.status $(srcdir)/sudoers_timestamp.mdoc.in
printf '.\\" Automatically generated from the sudoers_timestamp.mdoc.in file. Do not edit.\n' > $@
(cd $(top_builddir) && $(SHELL) config.status --file=-) < $(srcdir)/sudoers_timestamp.mdoc.in >> $@
$(srcdir)/cvtsudoers.man.in: $(srcdir)/cvtsudoers.mdoc.in
@if [ -n "$(DEVEL)" ]; then \
echo "Generating $@"; \
mansectsu=`echo @MANSECTSU@|$(TR) A-Z a-z`; \
mansectform=`echo @MANSECTFORM@|$(TR) A-Z a-z`; \
$(SED) -e "s/$$mansectsu/8/g" -e "s/$$mansectform/5/g" $(srcdir)/cvtsudoers.mdoc.in | $(MANDOC) -Tman | $(SED) -e "s/(5)/($$mansectform)/g" -e "s/(8)/($$mansectsu)/g" -e 's/an mdoc input/the cvtsudoers.mdoc.in/' > $@; \
fi
./cvtsudoers.man: $(top_builddir)/config.status $(srcdir)/cvtsudoers.man.in fixman.sed
(cd $(top_builddir) && $(SHELL) config.status --file=-) < $(srcdir)/cvtsudoers.man.in | $(SED) -f fixman.sed > $@
./cvtsudoers.mdoc: $(top_builddir)/config.status $(srcdir)/cvtsudoers.mdoc.in
printf '.\\" Automatically generated from the cvtsudoers.mdoc.in file. Do not edit.\n' > $@
(cd $(top_builddir) && $(SHELL) config.status --file=-) < $(srcdir)/cvtsudoers.mdoc.in >> $@
$(srcdir)/sudoreplay.man.in: $(srcdir)/sudoreplay.mdoc.in
@if [ -n "$(DEVEL)" ]; then \
echo "Generating $@"; \
mansectsu=`echo @MANSECTSU@|$(TR) A-Z a-z`; \
mansectform=`echo @MANSECTFORM@|$(TR) A-Z a-z`; \
$(SED) -e "s/$$mansectsu/8/g" -e "s/$$mansectform/5/g" $(srcdir)/sudoreplay.mdoc.in | $(MANDOC) -Tman | $(SED) -e 's/^\(\.TH "SUDOREPLAY" \)"8"\(.*\)/\1"'$$mansectsu'"\2/' -e "s/(5)/($$mansectform)/g" -e "s/(8)/($$mansectsu)/g" -e 's/an mdoc input/the sudoreplay.mdoc.in/' > $@; \
fi
./sudoreplay.man: $(top_builddir)/config.status $(srcdir)/sudoreplay.man.in fixman.sed
(cd $(top_builddir) && $(SHELL) config.status --file=-) < $(srcdir)/sudoreplay.man.in | $(SED) -f fixman.sed > $@
./sudoreplay.mdoc: $(top_builddir)/config.status $(srcdir)/sudoreplay.mdoc.in
printf '.\\" Automatically generated from the sudoreplay.mdoc.in file. Do not edit.\n' > $@
(cd $(top_builddir) && $(SHELL) config.status --file=-) < $(srcdir)/sudoreplay.mdoc.in >> $@
$(srcdir)/sudo_logsrvd.man.in: $(srcdir)/sudo_logsrvd.mdoc.in
@if [ -n "$(DEVEL)" ]; then \
echo "Generating $@"; \
mansectsu=`echo @MANSECTSU@|$(TR) A-Z a-z`; \
mansectform=`echo @MANSECTFORM@|$(TR) A-Z a-z`; \
$(SED) -e "s/$$mansectsu/8/g" -e "s/$$mansectform/5/g" $(srcdir)/sudo_logsrvd.mdoc.in | $(MANDOC) -Tman | $(SED) -e 's/^\(\.TH "SUDO_LOGSRVD" \)"8"\(.*\)/\1"'$$mansectsu'"\2/' -e "s/(5)/($$mansectform)/g" -e "s/(8)/($$mansectsu)/g" -e 's/an mdoc input/the sudo_logsrvd.mdoc.in/' > $@; \
fi
./sudo_logsrvd.man: $(top_builddir)/config.status $(srcdir)/sudo_logsrvd.man.in fixman.sed
(cd $(top_builddir) && $(SHELL) config.status --file=-) < $(srcdir)/sudo_logsrvd.man.in | $(SED) -f fixman.sed > $@
./sudo_logsrvd.mdoc: $(top_builddir)/config.status $(srcdir)/sudo_logsrvd.mdoc.in
printf '.\\" Automatically generated from the sudo_logsrvd.mdoc.in file. Do not edit.\n' > $@
(cd $(top_builddir) && $(SHELL) config.status --file=-) < $(srcdir)/sudo_logsrvd.mdoc.in >> $@
$(srcdir)/sudo_logsrv.proto.man.in: $(srcdir)/sudo_logsrv.proto.mdoc.in
@if [ -n "$(DEVEL)" ]; then \
echo "Generating $@"; \
mansectsu=`echo @MANSECTSU@|$(TR) A-Z a-z`; \
mansectform=`echo @MANSECTFORM@|$(TR) A-Z a-z`; \
$(SED) -e "s/$$mansectsu/8/g" -e "s/$$mansectform/5/g" $(srcdir)/sudo_logsrv.proto.mdoc.in | $(MANDOC) -Tman | $(SED) -e 's/^\(\.TH "SUDO_LOGSRV.PROTO" \)"5"\(.*\)/\1"'$$mansectform'"\2/' -e "s/(5)/($$mansectform)/g" -e "s/(5)/($$mansectform)/g" -e 's/an mdoc input/the sudo_logsrv.proto.mdoc.in/' > $@; \
fi
./sudo_logsrv.proto.man: $(top_builddir)/config.status $(srcdir)/sudo_logsrv.proto.man.in fixman.sed
(cd $(top_builddir) && $(SHELL) config.status --file=-) < $(srcdir)/sudo_logsrv.proto.man.in | $(SED) -f fixman.sed > $@
./sudo_logsrv.proto.mdoc: $(top_builddir)/config.status $(srcdir)/sudo_logsrv.proto.mdoc.in
printf '.\\" Automatically generated from the sudo_logsrv.proto.mdoc.in file. Do not edit.\n' > $@
(cd $(top_builddir) && $(SHELL) config.status --file=-) < $(srcdir)/sudo_logsrv.proto.mdoc.in >> $@
$(srcdir)/sudo_logsrvd.conf.man.in: $(srcdir)/sudo_logsrvd.conf.mdoc.in
@if [ -n "$(DEVEL)" ]; then \
echo "Generating $@"; \
mansectsu=`echo @MANSECTSU@|$(TR) A-Z a-z`; \
mansectform=`echo @MANSECTFORM@|$(TR) A-Z a-z`; \
$(SED) -e "s/$$mansectsu/8/g" -e "s/$$mansectform/5/g" $(srcdir)/sudo_logsrvd.conf.mdoc.in | $(MANDOC) -Tman | $(SED) -e 's/^\(\.TH "SUDO_LOGSRVD.CONF" \)"5"\(.*\)/\1"'$$mansectform'"\2/' -e "s/(5)/($$mansectform)/g" -e "s/(5)/($$mansectform)/g" -e 's/an mdoc input/the sudo_logsrvd.conf.mdoc.in/' > $@; \
fi
./sudo_logsrvd.conf.man: $(top_builddir)/config.status $(srcdir)/sudo_logsrvd.conf.man.in fixman.sed
(cd $(top_builddir) && $(SHELL) config.status --file=-) < $(srcdir)/sudo_logsrvd.conf.man.in | $(SED) -f fixman.sed > $@
./sudo_logsrvd.conf.mdoc: $(top_builddir)/config.status $(srcdir)/sudo_logsrvd.conf.mdoc.in
printf '.\\" Automatically generated from the sudo_logsrvd.conf.mdoc.in file. Do not edit.\n' > $@
(cd $(top_builddir) && $(SHELL) config.status --file=-) < $(srcdir)/sudo_logsrvd.conf.mdoc.in >> $@
$(srcdir)/sudo_plugin.man.in: $(srcdir)/sudo_plugin.mdoc.in
@if [ -n "$(DEVEL)" ]; then \
echo "Generating $@"; \
mansectsu=`echo @MANSECTSU@|$(TR) A-Z a-z`; \
mansectform=`echo @MANSECTFORM@|$(TR) A-Z a-z`; \
$(SED) -e "s/$$mansectsu/8/g" -e "s/$$mansectform/5/g" $(srcdir)/sudo_plugin.mdoc.in | $(MANDOC) -Tman | $(SED) -e 's/^\(\.TH "SUDO_PLUGIN" \)"8"\(.*\)/\1"'$$mansectsu'"\2/' -e "s/(5)/($$mansectform)/g" -e "s/(8)/($$mansectsu)/g" -e 's/an mdoc input/the sudo_plugin.mdoc.in/' > $@; \
fi
./sudo_plugin.man: $(top_builddir)/config.status $(srcdir)/sudo_plugin.man.in fixman.sed
(cd $(top_builddir) && $(SHELL) config.status --file=-) < $(srcdir)/sudo_plugin.man.in | $(SED) -f fixman.sed > $@
./sudo_plugin.mdoc: $(top_builddir)/config.status $(srcdir)/sudo_plugin.mdoc.in
printf '.\\" Automatically generated from the sudo_plugin.mdoc.in file. Do not edit.\n' > $@
(cd $(top_builddir) && $(SHELL) config.status --file=-) < $(srcdir)/sudo_plugin.mdoc.in >> $@
$(srcdir)/sudo_plugin_python.man.in: $(srcdir)/sudo_plugin_python.mdoc.in
@if [ -n "$(DEVEL)" ]; then \
echo "Generating $@"; \
mansectsu=`echo @MANSECTSU@|$(TR) A-Z a-z`; \
mansectform=`echo @MANSECTFORM@|$(TR) A-Z a-z`; \
$(SED) -e "s/$$mansectsu/8/g" -e "s/$$mansectform/5/g" $(srcdir)/sudo_plugin_python.mdoc.in | $(MANDOC) -Tman | $(SED) -e 's/^\(\.TH "SUDO_PLUGIN_PYTHON" \)"8"\(.*\)/\1"'$$mansectsu'"\2/' -e "s/(5)/($$mansectform)/g" -e "s/(8)/($$mansectsu)/g" -e 's/an mdoc input/the sudo_plugin_python.mdoc.in/' > $@; \
fi
./sudo_plugin_python.man: $(top_builddir)/config.status $(srcdir)/sudo_plugin_python.man.in fixman.sed
(cd $(top_builddir) && $(SHELL) config.status --file=-) < $(srcdir)/sudo_plugin_python.man.in | $(SED) -f fixman.sed > $@
./sudo_plugin_python.mdoc: $(top_builddir)/config.status $(srcdir)/sudo_plugin_python.mdoc.in
printf '.\\" Automatically generated from the sudo_plugin_python.mdoc.in file. Do not edit.\n' > $@
(cd $(top_builddir) && $(SHELL) config.status --file=-) < $(srcdir)/sudo_plugin_python.mdoc.in >> $@
$(srcdir)/sudo_sendlog.man.in: $(srcdir)/sudo_sendlog.mdoc.in
@if [ -n "$(DEVEL)" ]; then \
echo "Generating $@"; \
mansectsu=`echo @MANSECTSU@|$(TR) A-Z a-z`; \
mansectform=`echo @MANSECTFORM@|$(TR) A-Z a-z`; \
$(SED) -e "s/$$mansectsu/8/g" -e "s/$$mansectform/5/g" $(srcdir)/sudo_sendlog.mdoc.in | $(MANDOC) -Tman | $(SED) -e 's/^\(\.TH "SUDO_SENDLOG" \)"8"\(.*\)/\1"'$$mansectsu'"\2/' -e "s/(5)/($$mansectform)/g" -e "s/(8)/($$mansectsu)/g" -e 's/an mdoc input/the sudo_sendlog.mdoc.in/' > $@; \
fi
./sudo_sendlog.man: $(top_builddir)/config.status $(srcdir)/sudo_sendlog.man.in fixman.sed
(cd $(top_builddir) && $(SHELL) config.status --file=-) < $(srcdir)/sudo_sendlog.man.in | $(SED) -f fixman.sed > $@
./sudo_sendlog.mdoc: $(top_builddir)/config.status $(srcdir)/sudo_sendlog.mdoc.in
printf '.\\" Automatically generated from the sudo_sendlog.mdoc.in file. Do not edit.\n' > $@
(cd $(top_builddir) && $(SHELL) config.status --file=-) < $(srcdir)/sudo_sendlog.mdoc.in >> $@
pre-install:
install: install-doc
install-dirs:
$(SHELL) $(scriptdir)/mkinstalldirs $(DESTDIR)$(docdir) \
$(DESTDIR)$(mandirexe) $(DESTDIR)$(mandirform) $(DESTDIR)$(mandirsu)
install-binaries:
install-includes:
install-doc: install-dirs
for f in $(OTHER_DOCS); do $(INSTALL) $(INSTALL_OWNER) -m 0644 $$f $(DESTDIR)$(docdir); done
@LDAP@for f in $(OTHER_DOCS_LDAP); do $(INSTALL) $(INSTALL_OWNER) -m 0644 $$f $(DESTDIR)$(docdir); done
$(INSTALL) $(INSTALL_OWNER) -m 0644 ./cvtsudoers.$(mantype) $(DESTDIR)$(mandirexe)/cvtsudoers.1
$(INSTALL) $(INSTALL_OWNER) -m 0644 ./sudo.$(mantype) $(DESTDIR)$(mandirsu)/sudo.$(mansectsu)
@LOGSRV@$(INSTALL) $(INSTALL_OWNER) -m 0644 ./sudo_logsrvd.$(mantype) $(DESTDIR)$(mandirsu)/sudo_logsrvd.$(mansectsu)
$(INSTALL) $(INSTALL_OWNER) -m 0644 ./sudo_plugin.$(mantype) $(DESTDIR)$(mandirform)/sudo_plugin.$(mansectform)
@PYTHON_PLUGIN@$(INSTALL) $(INSTALL_OWNER) -m 0644 ./sudo_plugin_python.$(mantype) $(DESTDIR)$(mandirform)/sudo_plugin_python.$(mansectform)
$(INSTALL) $(INSTALL_OWNER) -m 0644 ./sudo_sendlog.$(mantype) $(DESTDIR)$(mandirsu)/sudo_sendlog.$(mansectsu)
$(INSTALL) $(INSTALL_OWNER) -m 0644 ./sudoreplay.$(mantype) $(DESTDIR)$(mandirsu)/sudoreplay.$(mansectsu)
$(INSTALL) $(INSTALL_OWNER) -m 0644 ./visudo.$(mantype) $(DESTDIR)$(mandirsu)/visudo.$(mansectsu)
$(INSTALL) $(INSTALL_OWNER) -m 0644 ./sudo.conf.$(mantype) $(DESTDIR)$(mandirform)/sudo.conf.$(mansectform)
@LOGSRV@$(INSTALL) $(INSTALL_OWNER) -m 0644 ./sudo_logsrv.proto.$(mantype) $(DESTDIR)$(mandirform)/sudo_logsrv.proto.$(mansectform)
@LOGSRV@$(INSTALL) $(INSTALL_OWNER) -m 0644 ./sudo_logsrvd.conf.$(mantype) $(DESTDIR)$(mandirform)/sudo_logsrvd.conf.$(mansectform)
$(INSTALL) $(INSTALL_OWNER) -m 0644 ./sudoers.$(mantype) $(DESTDIR)$(mandirform)/sudoers.$(mansectform)
$(INSTALL) $(INSTALL_OWNER) -m 0644 ./sudoers_timestamp.$(mantype) $(DESTDIR)$(mandirform)/sudoers_timestamp.$(mansectform)
@LDAP@$(INSTALL) $(INSTALL_OWNER) -m 0644 ./sudoers.ldap.$(mantype) $(DESTDIR)$(mandirform)/sudoers.ldap.$(mansectform)
@if test -n "$(MANCOMPRESS)"; then \
for f in $(mandirexe)/cvtsudoers.1 $(mandirsu)/sudo.$(mansectsu) $(mandirsu)/sudo_logsrvd.$(mansectsu) $(mandirform)/sudo_plugin.$(mansectform) $(mandirform)/sudo_plugin_python.$(mansectform) $(mandirsu)/sudo_sendlog.$(mansectsu) $(mandirsu)/sudoreplay.$(mansectsu) $(mandirsu)/visudo.$(mansectsu) $(mandirform)/sudo.conf.$(mansectform) $(mandirform)/sudo_logsrv.proto.$(mansectform) $(mandirform)/sudo_logsrvd.conf.$(mansectform) $(mandirform)/sudoers.$(mansectform) $(mandirform)/sudoers_timestamp.$(mansectform) $(mandirform)/sudoers.ldap.$(mansectform); do \
if test -f $(DESTDIR)$$f; then \
echo $(MANCOMPRESS) -f $(DESTDIR)$$f; \
$(MANCOMPRESS) -f $(DESTDIR)$$f; \
fi; \
done; \
rm -f $(DESTDIR)$(mandirsu)/sudoedit.$(mansectsu)$(MANCOMPRESSEXT); \
echo ln -s sudo.$(mansectsu)$(MANCOMPRESSEXT) $(DESTDIR)$(mandirsu)/sudoedit.$(mansectsu)$(MANCOMPRESSEXT); \
ln -s sudo.$(mansectsu)$(MANCOMPRESSEXT) $(DESTDIR)$(mandirsu)/sudoedit.$(mansectsu)$(MANCOMPRESSEXT); \
else \
rm -f $(DESTDIR)$(mandirsu)/sudoedit.$(mansectsu); \
echo ln -s sudo.$(mansectsu) $(DESTDIR)$(mandirsu)/sudoedit.$(mansectsu); \
ln -s sudo.$(mansectsu) $(DESTDIR)$(mandirsu)/sudoedit.$(mansectsu); \
fi
install-plugin:
install-fuzzer:
uninstall:
-rm -rf $(DESTDIR)$(docdir)
-rm -f $(DESTDIR)$(mandirexe)/cvtsudoers.1 \
$(DESTDIR)$(mandirsu)/sudo.$(mansectsu) \
$(DESTDIR)$(mandirsu)/sudoedit.$(mansectsu) \
$(DESTDIR)$(mandirsu)/sudo_logsrvd.$(mansectsu) \
$(DESTDIR)$(mandirsu)/sudo_sendlog.$(mansectsu) \
$(DESTDIR)$(mandirsu)/sudoreplay.$(mansectsu) \
$(DESTDIR)$(mandirsu)/visudo.$(mansectsu) \
$(DESTDIR)$(mandirform)/sudo.conf.$(mansectform) \
$(DESTDIR)$(mandirform)/sudo_logsrv.proto.$(mansectform) \
$(DESTDIR)$(mandirform)/sudo_logsrvd.conf.$(mansectform) \
$(DESTDIR)$(mandirform)/sudo_plugin.$(mansectform) \
$(DESTDIR)$(mandirform)/sudo_plugin_python.$(mansectform) \
$(DESTDIR)$(mandirform)/sudoers.$(mansectform) \
$(DESTDIR)$(mandirform)/sudoers_timestamp.$(mansectform) \
$(DESTDIR)$(mandirform)/sudoers.ldap.$(mansectform)
splint:
cppcheck:
pvs-log-files:
pvs-studio:
fuzz:
check-fuzzer:
check: check-fuzzer
check-verbose: check
clean:
-rm -f fixman.sed
mostlyclean: clean
distclean: clean
-rm -rf Makefile config.log *.man *.mdoc
clobber: distclean
realclean: distclean
cleandir: distclean
.PHONY: clean mostlyclean distclean cleandir clobber realclean
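Review bot: `uninstall` removes the whole documentation directory with `-rm -rf $(DESTDIR)$(docdir)` instead of the files this Makefile installed, so if `docdir` points at a directory shared with other packages (for example when the packager overrides `--docdir`), `make uninstall` takes their files with it; safer to mirror `install-doc` and delete the basename of each entry in `$(OTHER_DOCS)` and `$(OTHER_DOCS_LDAP)` under `$(DESTDIR)$(docdir)`, then remove the directory only if it is empty. A related gap in the same target: `install-doc` compresses every installed page when `MANCOMPRESS` is set and creates the `sudoedit` symlink with the `$(MANCOMPRESSEXT)` suffix, but the `-rm -f` list in `uninstall` names only the uncompressed files, so a compressed install leaves all the `$(MANCOMPRESSEXT)` pages and the compressed `sudoedit` link behind; each entry should be removed both as `$$f` and as `$$f$(MANCOMPRESSEXT)`.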

43
docs/SECURITY.md Normal file

@ -0,0 +1,43 @@
Sudo Security Policy
====================
The Sudo Project takes security seriously. If you believe you have found a security vulnerability in Sudo, you can report it to us as described below.
## Reporting Security Issues
**Do not report security vulnerabilities through public GitHub issues or Bugzilla.**
Instead, report them via email to <Todd.Miller@sudo.ws>. You may encrypt your message with PGP if you would like. The current PGP key has the fingerprint 59D1 E9CC BA2B 3767 04FD D35B A9F4 C021 CEA4 70FB and may be downloaded from [the sudo.ws web site](https://www.sudo.ws/dist/PGPKEYS) or the [OpenPGP Key Server](https://keys.openpgp.org/search?q=0xa9f4c021cea470fb).
We try to respond to security issues in a timely manner but understand that Sudo is a volunteer project.
Include as much of the following information as possible to help us better understand the nature and scope of the potential issue:
* Type of issue (e.g., buffer overflow, privilege escalation, etc.)
* Full paths of source file(s) related to the issue
* The location of the affected source code (tag/branch/commit or direct URL)
* Any special configuration required to reproduce the issue
* The operating system and/or distro affected
* Step-by-step instructions to reproduce the issue
* Proof-of-concept or exploit code (if possible)
* Impact of the issue, including how an attacker might exploit the issue
This information will help us triage your report more quickly.
As a volunteer-led project, we are not able to offer bug bounties.
However, we'd be happy to send you Sudo stickers as a way of saying
thank you!
## Preferred Languages
We prefer all communications to be in English.
## Disclosure Policy
The Sudo Project follows the principle of [Coordinated Vulnerability Disclosure](https://vuls.cert.org/confluence/display/CVD/Executive+Summary). Disclosure is usually coordinated using the [distros mailing list](https://oss-security.openwall.org/wiki/mailing-lists/distros).
## Security Advisories
The Sudo web site contains an archive of [sudo security advisories](https://www.sudo.ws/security/advisories/).
Additionally, information about vulnerabilities in sudo is sent to the
[oss-security mailing list](https://oss-security.openwall.org/wiki/mailing-lists/oss-security) once the information becomes public.
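Review bot: the policy never says which releases receive security fixes, so a reporter cannot tell whether a finding in an older 1.8.x build or a distribution-patched package is in scope; a short "Supported Versions" section (or a sentence under "Reporting Security Issues") would close that gap. Under "Reporting Security Issues", the key is to be fetched from the sudo.ws web site and the key server, but the text does not tell the reporter to compare the downloaded key against the fingerprint printed here before encrypting to it; stating that explicitly is what makes publishing the fingerprint useful. Finally, "We try to respond to security issues in a timely manner" sets no expectation at all; even a rough acknowledgment window, and what to do if no reply arrives, helps a reporter decide when to escalate rather than disclose.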

359
docs/TROUBLESHOOTING.md Normal file

@ -0,0 +1,359 @@
Troubleshooting tips and FAQ for Sudo
=====================================
#### When I run configure, it says "C compiler cannot create executables".
> This usually means you either don't have a working compiler. This
> could be due to the lack of a license or that some component of the
> compiler suite could not be found. Check config.log for clues as
> to why this is happening. On many systems, compiler components live
> in /usr/ccs/bin which may not be in your PATH environment variable.
#### When I run configure, it says "sudo requires the 'ar' utility to build".
> As part of the build process, sudo creates a temporary library
> containing objects that are shared amongst the different sudo
> executables. On Unix systems, the 'ar' utility is used to do this.
> This error indicates that 'ar' is missing on your system. On Solaris
> systems, you may need to install the SUNWbtool package. On other
> systems 'ar' may be included in the GNU binutils package.
#### Sudo compiles and installs successfully but when I try to run it I get:
The "no new privileges" flag is set, which prevents sudo from
running as root. If sudo is running in a container, you may
need to adjust the container configuration to disable the flag.
> Sudo was run by a process that has the Linux "no new privileges"
> flag set. This causes the set-user-ID bit to be ignored when running
> an executable, which will prevent sudo from functioning. The most
> likely cause for this is running sudo within a container that sets
> this flag. Check the documentation to see if it is possible to
> configure the container such that the flag is not set.
#### Sudo compiles and installs successfully but when I try to run it I get:
/usr/local/bin/sudo must be owned by uid 0 and have the setuid bit set
> Sudo must be set-user-ID root to do its work. Either `/usr/local/bin/sudo`
> is not owned by user-ID 0 or the set-user-ID bit is not set. This should
> have been done for you by `make install` but you can fix it manually by
> running the following as root:
chown root /usr/local/bin/sudo; chmod 4755 /usr/local/bin/sudo
#### Sudo compiles and installs successfully but when I try to run it I get:
effective uid is not 0, is /usr/local/bin/sudo on a file system with the
'nosuid' option set or an NFS file system without root privileges?
> The owner and permissions on the sudo binary appear to be OK but when
> sudo ran, the set-user-ID bit did not have an effect. There are two
> common causes for this. The first is that the file system the sudo
> binary is located on is mounted with the 'nosuid' mount option, which
> disables set-user-ID binaries. The output of the 'mount' command should
> tell you if the file system is mounted with the 'nosuid' option. The
> other possible cause is that sudo is installed on an NFS-mounted file
> system that is exported without root privileges. By default, NFS file
> systems are exported with user-ID 0 mapped to a non-privileged ID (usually
> -2). You should be able to determine whether sudo is located on an
> NFS-mounted filesystem by running "df \`which sudo\`".
#### Sudo never gives me a chance to enter a password using PAM
It just says "Sorry, try again." three times and exits.
> You didn't setup PAM to work with sudo. On RedHat or Fedora Linux
> this generally means installing the sample pam.conf file as
> /etc/pam.d/sudo. See the example pam.conf file for hints on what
> to use for other Linux systems.
#### Sudo says my account has expired but I know it has not
> If you get the following error from sudo:
Account expired or PAM config lacks an 'account' section for sudo,
contact your system administrator`
> double-check the `/etc/shadow` file to verify that the target user
> (for example, root) does not have the password expiration field set.
> A common way to disable access to an account is to set the expiration
> date to 1, such as via `usermod -e 1`. If the account is marked as
> expired, sudo will not allow you to access it.
>
> If, however, the account has not expired, it is possible that the PAM
> configuration lacks an 'account' specification. On Linux this usually
> means you are missing a line in /etc/pam.d/sudo similar to:
account required pam_unix.so
#### Sudo is configured use syslog but nothing gets logged
> Make sure you have an entry in your syslog.conf file to save
> the sudo messages (see the example syslog.conf file). The default
> log facility is authpriv (changeable via configure or in sudoers).
> Don't forget to send a SIGHUP to your syslogd so that it re-reads
> its conf file. Also, remember that syslogd does *not* create
> log files, you need to create the file before syslogd will log
> to it (e.g., `touch /var/log/sudo`).
> The facility (e.g., 'auth.debug') must be separated from
> the destination (e.g., '/var/log/auth' or '@loghost') by tabs,
> *not* spaces. This is a common error.
#### Sudo won't accept my password, even when entered correctly
> If you are not using pam and your system uses shadow passwords,
> it is possible that sudo didn't properly detect that shadow
> passwords are in use. Take a look at the generated config.h
> file and verify that the C function used for shadow password
> look ups was detected. For instance, for SVR4-style shadow
> passwords, `HAVE_GETSPNAM` should be defined (you can search for
> the string 'shadow passwords' in config.h with your editor).
> There is no define needed for 4.4BSD-based shadow passwords
> which just use the standard getpw* routines.
#### Can sudo use the ssh agent instead of asking for the user's password?
> Not directly, but you can use a PAM module like pam_ssh_agent_auth
> or pam_ssh for this purpose.
#### I want to place the sudoers file in a directory other than /etc
> Use the `--sysconfdir` option to configure. For example:
configure --sysconfdir=/dir/you/want/sudoers/in
> Alternately, you can set the path in the sudo.conf file as an
> argument to the sudoers.so plugin. For example:
Plugin sudoers_policy sudoers.so sudoers_file=/path/to/sudoers
#### Can I put the sudoers file in NIS/NIS+?
> There is no support for making an NIS/NIS+ map/table out of the sudoers
> file at this time. You can distribute the sudoers file via rsync or rdist.
> It is also possible to NFS-mount the sudoers file. If you use LDAP at your
> site you may be interested in sudo's LDAP sudoers support, see
> [README.LDAP.md](../README.LDAP.md) and the sudoers.ldap manual.
#### I don't run sendmail, can I still use sudo?
> Yes, you just need to disable mailing with a line like:
Defaults !mailerpath
> in your sudoers file or run configure with the `--without-sendmail`
> option.
#### How can I make visudo use a different editor?
> You can specify the editor to use in visudo in the sudoers file.
> See the 'editor' and 'env_editor' entries in the sudoers manual.
> The defaults can also be set at configure time using the
> `--with-editor` and `--with-env-editor` configure options.
#### Why does sudo modify the command's environment?
> By default, sudo runs commands with a new, minimal environment.
> The 'env_keep' setting in sudoers can be used to control which
> environment variables are preserved from the invoking user's
> environment via the 'env_keep' setting in sudoers.
>
> While it is possible to disable the 'env_reset' setting, which
> will preserve all environment variables that don't match a black
> list, doing so is strongly discouraged. See the "Command
> environment" section of the sudoers manual for more information.
#### Why does sudo reset the HOME environment variable?
> Many programs use the HOME environment variable to locate
> configuration and data files. Often, these configuration files
> are treated as trusted input that affects how the program operates.
> By controlling the configuration files, a user may be able to
> cause the program to execute other commands without sudo's
> restrictions or logging.
>
> Some programs perform extra checks when the real and effective
> user-IDs differ, but because sudo runs commands with all user-IDs
> set to the target user, these checks are insufficient.
>
> While it is possible to preserve the value of the HOME environment
> variable by adding it to the 'env_keep' list in the sudoers file,
> doing so is strongly discouraged. Users wishing to edit files
> with sudo should run sudoedit (or sudo -e) to get their accustomed
> editor configuration instead of invoking the editor directly.
#### How can I prevent sudo from asking for a password?
> To specify this on a per-user (and per-command) basis, use the
> 'NOPASSWD' tag right before the command list in sudoers. See
> the sudoers man page and examples/sudoers for details. To disable
> passwords completely, add '!authenticate' to the Defaults line
> in /etc/sudoers. You can also turn off authentication on a
> per-user or per-host basis using a user or host-specific Defaults
> entry in sudoers. To hard-code the global default, you can
> configure with the `--without-passwd` option.
#### The configure scripts says `no acceptable cc found in $PATH`
> /usr/ucb/cc was the only C compiler that configure could find.
> You need to tell configure the path to the 'real' C compiler
> via the `--with-CC option`. On Solaris, the path is probably
> something like /opt/SUNWspro/SC4.0/bin/cc. If you have gcc
> that will also work.
#### The configure scripts says "config.cache exists from another platform!"
> configure caches the results of its tests in a file called
> config.cache to make re-running configure speedy. However,
> if you are building sudo for a different platform the results
> in config.cache will be wrong so you need to remove the config.cache file.
> You can do this via `rm config.cache`, or `make realclean` to also
> remove any object files and configure temp files that are present.
#### When I run 'visudo' it says "sudoers file busy, try again later."
> Someone else is currently editing the sudoers file with visudo.
#### When I try to use 'cd' with sudo it says "cd: command not found"
> 'cd' is a shell built-in command, you can't run it as a command
> since a child process (sudo) cannot affect the current working
> directory of the parent (your shell).
#### When I try to use 'cd' with sudo nothing happens.
> Even though 'cd' is a shell built-in command, some operating systems
> include a /usr/bin/cd command for completeness. A standalone
> "cd' command is totally useless since a child process (cd) cannot
> affect the current working directory of the parent (your shell).
> Thus, `sudo cd /foo` will start a child process, change the
> directory and immediately exit without doing anything useful.
#### How can I run a command via sudo as a user other than root?
> The default user sudo tries to run things as is always root, even if
> the invoking user can only run commands as a single, specific user.
> This may change in the future but at the present time you have to
> work around this using the 'runas_default' option in sudoers.
> For example, given the following sudoers rule:
bob ALL=(oracle) ALL
> You can cause sudo to run all commands as 'oracle' for user 'bob'
> with a sudoers entry like:
Defaults:bob runas_default=oracle
#### When I try to run sudo via ssh, I get an error:
sudo: a terminal is required to read the password; either use the -S
option to read from standard input or configure an askpass helper
> If sudo needs to authenticate a user, it requires access to the user's
> terminal to disable echo so the password is not displayed to the screen.
> The above message indicates that no terminal was present.
> When running a command via ssh, a terminal is not allocated by default
> which can cause this message. The '-t' option to ssh will force it to
> allocate a tty. Alternately, you may be able to use the ssh-askpass
> utility to prompt for the password if X11 forwarding is enabled and an
> askpass helper is configured in the sudo.conf file. If you do not mind
> your password being echoed to the screen, you may use sudo's -S option
> to read the password from the standard input. Alternately, you may set
> the 'visiblepw' sudoers option which will allow the password to be entered
> even when echo cannot be disabled, though this is not recommended.
#### When I try to use SSL-enabled LDAP with sudo I get an error:
unable to initialize SSL cert and key db: security library: bad database.
you must set TLS_CERT in /etc/ldap.conf to use SSL
> On systems that use a Mozilla-derived LDAP SDK there must be a
> certificate database in place to use SSL-encrypted LDAP connections.
> This file is usually /var/ldap/cert8.db or /etc/ldap/cert8.db.
> The actual number after 'cert' will vary, depending on the version
> of the LDAP SDK that is being used. If you do not have a certificate
> database you can either copy one from a mozilla-derived browser, such
> as firefox, or create one using the `certutil` command. You can run
> `certutil` as follows and press the <return> (or <enter>) key at the
> password prompt:
# certutil -N -d /var/ldap
> Enter a password which will be used to encrypt your keys.
> The password should be at least 8 characters long,
> and should contain at least one non-alphabetic character.
Enter new password: <return>
Re-enter password: <return>
#### After upgrading my system, sudo_logsrvd gives the error:
X509_verify_cert: CA cert does not include key usage extension
> This can happen if you are using self-signed certificates that do not
> include the key usage extension. This error can occur if the certificates
> were generated using OpenSSL 1.x but sudo_logsrvd now uses OpenSSL 3.x,
> for example after a system upgrade. The x509 certificate validation in
> OpenSSL 3.x now requires that the key usage extension be present.
> One way to address this is to disable certificate verification in
> sudo_logsrvd by setting the _tls_verify_ key in the `[server]` section
> to _false_. Alternately, you can simply remove your old CA and the
> associated certificates and create a new one using an updated
> `/etc/ssl/openssl.cnf` file. See the sudo_logsrvd manual for more
> information on creating self-signed certificates.
#### On HP-UX, the umask setting in sudoers has no effect.
> If your /etc/pam.conf file has the libpam_hpsec.so.1 session module
> enabled, you may need to a add line like the following to pam.conf:
> sudo session required libpam_hpsec.so.1 bypass_umask
#### When I run `sudo -i shell_alias` I get "command not found"
> Commands run via `sudo -i` are executed by the shell in
> non-interactive mode. The bash shell will only parse aliases in
> interactive mode unless the 'expand_aliases' shell option is
> set. If you add `shopt -s expand_aliases` to your .bash_profile
> (or .profile if using that instead) the aliases should now be
> available to `sudo -i`.
#### When I run sudo on AIX I get the following error:
setuidx(ID_EFFECTIVE|ID_REAL|ID_SAVED, ROOT_UID): Operation not permitted.
> AIX's Enhanced RBAC is preventing sudo from running. To fix
> this, add the following entry to /etc/security/privcmds (adjust
> the path to sudo as needed) and run the setkst command as root:
/usr/local/bin/sudo:
accessauths = ALLOW_ALL
innateprivs = PV_DAC_GID,PV_DAC_R,PV_DAC_UID,PV_DAC_X,PV_FS_CHOWN,PV_PROC_PRIO,PV_NET_PORT,PV_NET_CNTL,PV_SU_UID
secflags = FSF_EPS
#### Sudo builds without error but when I run it I get a Segmentation fault.
> If you are on a Linux system, the first thing to try is to run
> configure with the `--disable-pie` option, then `make clean` and
> `make`. If that fixes the problem then your operating system
> does not properly support position independent executables.
> Send a message to sudo@sudo.ws with system details such as the
> Linux distro, kernel version, and CPU architecture.
#### When I run configure I get the following error:
dlopen present but libtool doesn't appear to support your platform.
> Libtool doesn't know how to support dynamic linking on the operating
> system you are building for. If you are cross-compiling, you need to
> specify the operating system, not just the CPU type. For example,
> `--host powerpc-unknown-linux`
> instead of just:
> `--host powerpc`
#### How do you pronounce 'sudo'?
> The official pronunciation is soo-doo (for su 'do'). However, an
> alternate pronunciation, a homophone of 'pseudo', is also common.
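Review bot: the sudo_logsrvd answer ("After upgrading my system, sudo_logsrvd gives the error: X509_verify_cert: CA cert does not include key usage extension") presents setting _tls_verify_ to _false_ in the `[server]` section as the first remedy, which disables verification of the TLS peer certificate altogether; it should come after the recommended fix (recreate the CA and certificates with an updated `/etc/ssl/openssl.cnf`) and be labelled as a temporary workaround that removes peer authentication. Wording in the same hunk: "you either don't have a working compiler. This could be due to" under "C compiler cannot create executables" has lost the second half of its "either ... or"; "Sudo is configured use syslog" needs "to use"; "you may need to a add line like" should read "add a line like"; the "Why does sudo modify the command's environment?" answer says "via the 'env_keep' setting" twice in one sentence; "The configure scripts says" (two headings) should be "script"; and `"cd' command` mixes quote characters. One layout point: the HP-UX pam.conf line `sudo session required libpam_hpsec.so.1 bypass_umask` sits inside the `>` quote block, whereas every other configuration snippet in this file (for example `account required pam_unix.so`) is set off on its own unquoted line.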

636
docs/UPGRADE.md Normal file

@ -0,0 +1,636 @@
Notes on upgrading from an older release
========================================
* Upgrading from a version prior to 1.9.15:
The sudoers plugin now uses a time stamp path name that is based
on the user-ID instead of the user name. For example, a time
stamp file that was /var/run/sudo/ts/root in sudo 1.9.14 will
now be /var/run/sudo/ts/0. The lecture flag file name is now
also based on the user-ID, which will result in users receiving
the sudo lecture again on upgrade to sudo 1.9.15.
* Upgrading from a version prior to 1.9.14:
Sudo now runs commands in a new pseudo-terminal by default. This
can prevent a malicious program run via sudo from accessing the
user's terminal device after the command completes.
When sudo runs a command in a new pseudo-terminal, an additional
process is created to monitor the command's status and pass
terminal control signals between the two terminals. See the
"Process model" subsection in the sudo manual and the description
of the "use_pty" option in the sudoers manual for more information.
A side effect of running the command in a new pseudo-terminal
is that sudo must pass input from the user's terminal to the
pseudo-terminal, even if the command being run does not require
the input. The "exec_background" option in sudoers can be used
to prevent this, but some screen-oriented commands may not operate
properly when run as a background process.
To restore the historic behavior where a command is run in the
user's terminal, add the following line to the sudoers file:
Defaults !use_pty
* Upgrading from a version prior to 1.9.13:
Sudo now builds AIX-style shared libraries and dynamic shared
objects by default instead of svr4-style. This means that the
default sudo plugins are now .a (archive) files that contain a
.so shared object file instead of bare .so files. This was done
to improve compatibility with the AIX Freeware ecosystem,
specifically, the AIX Freeware build of OpenSSL. When loading
a .a file as a plugin the name of the included .so file must
also be specified, for example /usr/libexec/sudo/sudoers.a(sudoers.so).
Sudo is still capable of loading svr4-style .so plugins and if
a .so file is requested, either via sudo.conf or the sudoers
file, and only the .a file is present, sudo will convert the
path from plugin.so to plugin.a(plugin.so). This ensures
compatibility with existing configurations. To restore the old,
pre-1.9.13 behavior, run configure using the --with-aix-soname=svr4
option.
* Upgrading from a version prior to 1.9.10:
Sudo now interprets a command line argument in sudoers that
begins with a '^' character as a regular expression. To start
a command argument with a literal '^' character, it must be
escaped with a backslash ('\'). This may result in a syntax
error after upgrading for existing sudoers rules where the command
line arguments begin with a '^'.
A user may now only run "sudo -U otheruser -l" if they have a
"sudo ALL" privilege where the RunAs user contains either "root"
or "otheruser". Previously, having "sudo ALL" was sufficient,
regardless of the RunAs user.
* Upgrading from a version prior to 1.9.9:
Sudo now runs commands with the core limit resource limit set
to 0 by default. While most operating systems restrict core
dumps of set-user-ID programs like sudo, this protection is
lost when sudo executes a command. By disabling core dumps by
default, it is possible to avoid potential security problems
such as those seen with the Linux logrotate utility, which could
interpret a core dump as a valid configuration file.
To restore the historic core dump file size behavior, add the
following line to the sudoers file:
Defaults rlimit_core=default
* Upgrading from a version prior to 1.9.7:
Sudo now links with OpenSSL 1.0.1 or higher by default if it
is present on the system unless it is explicitly disabled (via
`--disable-openssl`), or unless the sudo log client and server
code is disabled (via `--disable-log-client` and `--disable-log-server`).
As a result, the sudo log server (and the client built into the
sudoers plugin) now support TLS connections by default.
* Upgrading from a version prior to 1.9.3:
Due to the addition of the CHROOT and CWD options, it is no
longer possible to declare an alias with one of those names.
If a sudoers file has an alias with one of those names, sudo
and visudo will report a syntax error with a message like
"syntax error: unexpected CHROOT, expecting ALIAS".
Starting with version 1.9.3, sudoers rules must end in either
a newline or the end-of-file. This makes it possible to provide
better error messages. Previously, it was possible to include
multiple rules on a single line, separated by white space.
Starting with version 1.9.3, sudo will attempt to recover from
a syntax error in the sudoers file by discarding the portion
of the line that contains the error until the end of the line.
To restore the historic behavior of refusing to run when a
syntax error is encountered, add `error_recovery=false` as a
plugin option in sudo.conf for the "sudoers_audit" plugin, (or
"sudoers_policy" if there is no "sudoers_audit" plugin configured).
* Upgrading from a version prior to 1.9.1:
Starting with version 1.9.1, sudoers plugin arguments in sudo.conf
should be specified for the "sudoers_audit" plugin, not
"sudoers_policy". This is because the sudoers file is now
opened and parsed by the "sudoers_audit" plugin. Previously,
this was done by the "sudoers_policy" plugin. The use of an
audit plugin makes it possible for the sudoers module to detect
when a command has been rejected by an approval plugin and only
log commands that are allowed by both policy and approval
plugins.
* Upgrading from a version prior to 1.8.30:
Starting with version 1.8.30, sudo will no longer allow commands
to be run as a user or group ID that is not in the password or
group databases by default. Previously, sudo would always allow
unknown user or group IDs if the sudoers entry permitted it,
including via the _ALL_ alias. The old behavior can be restored
by setting the new "allow_unknown_runas_id" Defaults setting
in the sudoers file.
* Upgrading from a version prior to 1.8.29:
Starting with version 1.8.29, if the umask is explicitly set
in sudoers, that value is used regardless of the umask specified
by PAM or login.conf. However, if the umask is not explicitly
set in sudoers, PAM, or login.conf may now override the default
sudoers umask. Previously, the sudoers umask always overrode
the umask set by PAM, which was not the documented behavior.
* Upgrading from a version prior to 1.8.28:
Starting with version 1.8.28, sudo stores the signal that caused
a command to be suspended or resumed as a string in the I/O log
timing file. The version of sudoreplay included with sudo
1.8.28 can process either type of I/O log file but older versions
of sudoreplay are unable to replay the newer logs.
Starting with version 1.8.28, sudoedit honors the umask and
umask_override settings in sudoers. Previously, the user's
umask was used as-is.
* Upgrading from a version prior to 1.8.26:
Starting with version 1.8.26, sudo no long sets the USERNAME
environment variable when running commands. This is a non-standard
environment variable that was set on some older Linux systems.
Sudo still sets the LOGNAME, USER, and, on AIX systems, LOGIN
environment variables.
Handling of the LOGNAME, USER (and on AIX, LOGIN) environment
variables has changed slightly in version 1.8.26. Sudo now
treats those variables as a single unit. This means that if
one variable is preserved or removed from the environment using
env_keep, env_check, or env_delete, the others are too.
* Upgrading from a version prior to 1.8.23:
In sudo 1.8.23 the "sudoers2ldif" script and the `visudo -x`
functionality has been superseded by the "cvtsudoers" utility.
The cvtsudoers utility is intended to be a drop-in replacement
for "sudoers2ldif". Because it uses the same parser as sudo
and visudo, cvtsudoers can perform a more accurate conversion
than sudoers2ldif could.
To convert a sudoers file to JSON, the format option must be
specified. For example, instead of:
visudo -f sudoers_file -x output_file
one would use:
cvtsudoers -f json -o output_file sudoers_file
Unlike "visudo -x", "cvtsudoers" reads from the standard input
by default. Also, the base DN may be specified on the command
line, if desired, using the -b option.
* Upgrading from a version prior to 1.8.20:
Due to the addition of the TIMEOUT, NOTBEFORE, and NOTAFTTER
options, it is no longer possible to declare an alias with one
of those names. If a sudoers file has an alias with one of
those names, sudo, and visudo will report a syntax error with a
message like "syntax error: unexpected TIMEOUT, expecting ALIAS".
Prior to version 1.8.20, when log_input, log_output, or use_pty
were enabled, if any of the standard input, output, or error
were not connected to a terminal, sudo would use a pipe. The
pipe allows sudo to interpose itself between the old standard
input, output, or error and log the contents. Beginning with
version 1.8.20, a pipe is only used when I/O logging is enabled.
If use_pty is set without log_input or log_output, no pipe will
be used. Additionally, if log_input is set without log_output,
a pipe is only used for the standard input. Likewise, if
log_output is set without log_input, a pipe is only used for
the standard output and standard error. This results in a
noticeable change in behavior if the use_pty flag is set and no
terminal is present when running commands such as scripts that
execute other commands asynchronously (in the background).
Previously, sudo would exit immediately, causing background
commands to terminate with a broken pipe if they attempt to
write to the standard output or standard error. As of version
1.8.20, a pipe will not be used in this case so the command
will no longer be terminated.
* Upgrading from a version prior to 1.8.16:
When editing files with sudoedit, files in a directory that is
writable by the invoking user may no longer be edited by default.
Also, sudoedit will refuse to follow a symbolic link in the
path to be edited if that directory containing the link is
writable by the user. This behavior can be disabled by negating
the sudoedit_checkdir sudoers option, which is now enabled by
default.
* Upgrading from a version prior to 1.8.15:
Prior to version 1.8.15, when env_reset was enabled (the default)
and the -s option was not used, the SHELL environment variable
was set to the shell of the invoking user. In 1.8.15 and above,
when env_reset is enabled and the -s option is not used, SHELL
is set based on the target user.
When editing files with sudoedit, symbolic links will no longer
be followed by default. The old behavior can be restored by
enabling the sudoedit_follow option in sudoers or on a per-command
basis with the FOLLOW and NOFOLLOW tags.
Prior to version 1.8.15, groups listed in sudoers that were not
found in the system group database were passed to the group
plugin, if any. Starting with 1.8.15, only groups of the form
%:group are resolved via the group plugin by default. The old
behavior can be restored by using the always_query_group_plugin
sudoers option.
Locking of the time stamp file has changed in sudo 1.8.15.
Previously, the user's entire time stamp file was locked while
retrieving and updating a time stamp record. Now, only a single
record, specific to the tty or parent process ID, is locked.
This lock is held while the user enters their password. If
sudo is suspended at the password prompt (or run in the
background), the lock is dropped until sudo is resumed, at which
point it will be reacquired. This allows sudo to be used in a
pipeline even when a password is required--only one instance
of sudo will prompt for a password.
* Upgrading from a version prior to 1.8.14:
On HP-UX, sudo will no longer check for "plugin.sl" if "plugin.so"
is specified but does not exist. This was a temporary hack for
backward compatibility with Sudo 1.8.6 and below when the
plugin path name was not listed in sudo.conf. A plugin path
name that explicitly ends in ".sl" will still work as expected.
* Upgrading from a version prior to 1.8.12:
On Solaris, sudo is now able to determine the NIS domain name.
As a result, if you had previously been using netgroups that
do not include the domain, you will need to either set the
domain in the entry or leave the domain part of the tuple blank.
For example, the following will no longer work:
my-hosts (foo,-,-) (bar,-,-) (baz,-,-)
and should be changed to:
my-hosts (foo,-,) (bar,-,) (baz,-,)
* Upgrading from a version prior to 1.8.10:
The time stamp file format has changed in sudo 1.8.10. There
is now a single time stamp file for each user, even when tty-based
time stamps are used. Each time stamp file may contain multiple
records to support tty-based time stamps as well as multiple
authentication users. On systems that support it, monotonic
time is stored instead of wall clock time. As a result, it is
important that the time stamp files not persist when the system
reboots. For this reason, the default location for the time
stamp files has changed back to a directory located in `/var/run`.
Systems that do not have `/var/run` (e.g., AIX) or that do not clear
it on boot (e.g., HP-UX) will need to clear the time stamp
directory via a start up script. Such a script is installed by
default on AIX and HP-UX systems.
Because there is now a single time stamp file per user, the -K
option will remove all of the user's time stamps, not just the
time stamp for the current terminal.
Lecture status is now stored separately from the time stamps in a
separate directory: `/var/db/sudo/lectured`, `/var/lib/sudo/lectured`
or `/var/adm/sudo/lectured` depending on what is present on the system.
LDAP-based sudoers now uses a default search filter of
(objectClass=sudoRole) for more efficient queries. It is
possible to disable the default search filter by specifying
SUDOERS_SEARCH_FILTER in ldap.conf but omitting a value.
* Upgrading from a version prior to 1.8.7:
Sudo now stores its libexec files in a "sudo" sub-directory
instead of in libexec itself. For backward compatibility, if
the plugin is not found in the default plugin directory, sudo
will check the parent directory default directory ends in `/sudo`.
The default sudo plugins now all use the .so extension, regardless
of the extension used by system shared libraries. For backward
compatibility, sudo on HP-UX will also search for a plugin with
an .sl extension if the .so version is not found.
Handling of users belonging to a large number of groups has
changed. Previously, sudo would only use the group list from
the kernel unless the system_group plugin was enabled in sudoers.
Now, sudo will query the groups database if the user belongs
to the maximum number of groups supported by the kernel. See
the group_source and max_groups settings in the sudo.conf manual
for details.
* Upgrading from a version prior to 1.8.2:
When matching Unix groups in the sudoers file, sudo will now
match based on the name of the group as it appears in sudoers
instead of the group-ID. This can substantially reduce the
number of group lookups for sudoers files that contain a large
number of groups. There are a few side effects of this change.
1) Unix groups with different names but the same group-ID are
can no longer be used interchangeably. Sudo will look up all
of a user's groups by group-ID and use the resulting group
names when matching sudoers entries. If there are multiple
groups with the same ID, the group name returned by the
system getgrgid() library function is the name that will be
used when matching sudoers entries.
2) Unix group names specified in the sudoers file that are
longer than the system maximum will no longer match. For
instance, if there is a Unix group "fireflie" on a system
where group names are limited to eight characters, "%fireflies"
in sudoers will no longer match "fireflie". Previously, a
lookup by name of the group "fireflies" would have matched
the "fireflie" group on most systems.
The legacy group matching behavior may be restored by enabling
the match_group_by_gid Defaults option in sudoers available
in sudo 1.8.18 and higher.
* Upgrading from a version prior to 1.8.1:
Changes in the sudoers parser could result in parse errors for
existing sudoers file. These changes cause certain erroneous
entries to be flagged as errors where before they allowed.
Changes include:
Combining multiple Defaults entries with a backslash. E.g.
Defaults set_path \
Defaults syslog
which should be:
Defaults set_path
Defaults syslog
Also, double-quoted strings with a missing end-quote are now
detected and result in an error. Previously, text starting a
double quote and ending with a newline was ignored. E.g.
Defaults set_path"foo
In previous versions of sudo, the _"foo_ portion would have
been ignored.
To avoid problems, sudo 1.8.1's `make install` will not install
a new sudo binary if the existing sudoers file has errors.
In Sudo 1.8.1 the _noexec_ functionality has moved out of the
sudoers policy plugin and into the sudo front-end. As a result,
the path to the noexec file is now specified in the sudo.conf
file instead of the sudoers file. If you have a sudoers file
that uses the "noexec_file" option, you will need to move the
definition to the sudo.conf file instead.
Old style in `/etc/sudoers`:
Defaults noexec_file=/usr/local/libexec/sudo_noexec.so
New style in `/etc/sudo.conf`:
Path noexec /usr/local/libexec/sudo_noexec.so
* Upgrading from a version prior to 1.8.0:
Starting with version 1.8.0, sudo uses a modular framework to
support policy and I/O logging plugins. The default policy
plugin is "sudoers" which provides the traditional sudoers
evaluation and I/O logging. Plugins are typically located in
`/usr/libexec` or `/usr/local/libexec`, though this is system-dependent.
The sudoers plugin is named "sudoers.so" on most systems.
The sudo.conf file, usually stored in `/etc`, is used to configure
plugins. This file is optional--if no plugins are specified
in sudo.conf, the "sudoers" plugin is used. See the example
sudo.conf file in the docs directory or refer to the updated
sudo manual to see how to configure sudo.conf.
The "askpass" setting has moved from the sudoers file to the
sudo.conf file. If you have a sudoers file that uses the
"askpass" option, you will need to move the definition to the
sudo.conf file.
Old style in `/etc/sudoers`:
Defaults askpass=/usr/X11R6/bin/ssh-askpass
New style in `/etc/sudo.conf`:
Path askpass /usr/X11R6/bin/ssh-askpass
* Upgrading from a version prior to 1.7.5:
Sudo 1.7.5 includes an updated LDAP schema with support for
the sudoNotBefore, sudoNotAfter, and sudoOrder attributes.
The sudoNotBefore and sudoNotAfter attribute support is only
used when the SUDOERS_TIMED setting is enabled in ldap.conf.
If enabled, those attributes are used directly when constructing
an LDAP filter. As a result, your LDAP server must have the
updated schema if you want to use sudoNotBefore and sudoNotAfter.
The sudoOrder support does not affect the LDAP filter sudo
constructs and so there is no need to explicitly enable it in
ldap.conf. If the sudoOrder attribute is not present in an
entry, a value of 0 is used. If no entries contain sudoOrder
attributes, the results are in whatever order the LDAP server
returns them, as in past versions of sudo.
Older versions of sudo will simply ignore the new attributes
if they are present in an entry. There are no compatibility
problems using the updated schema with older versions of sudo.
* Upgrading from a version prior to 1.7.4:
Starting with sudo 1.7.4, the time stamp files have moved from
`/var/run/sudo` to either `/var/db/sudo`, `/var/lib/sudo`, or
`/var/adm/sudo`. The directories are checked for existence in
that order. This prevents users from receiving the sudo lecture
every time the system reboots. Time stamp files older than the
boot time are ignored on systems where it is possible to determine
this.
Additionally, the tty_tickets sudoers option is now enabled by
default. To restore the old behavior (single time stamp per user),
add a line like:
Defaults !tty_tickets
to sudoers or use the `--without-tty-tickets` configure option.
The HOME and MAIL environment variables are now reset based on the
target user's password database entry when the env_reset sudoers option
is enabled (which is the case in the default configuration). Users
wishing to preserve the original values should use a sudoers entry like:
Defaults env_keep += HOME
to preserve the old value of HOME and
Defaults env_keep += MAIL
to preserve the old value of MAIL.
Preserving HOME has security implications since many programs
use it when searching for configuration files. Adding HOME to
env_keep may enable a user to run unrestricted commands via sudo.
The default syslog facility has changed from "local2" to "authpriv"
(or "auth" if the operating system doesn't have "authpriv").
The `--with-logfac` configure option can be used to change this
or it can be changed in the sudoers file.
* Upgrading from a version prior to 1.7.0:
Starting with sudo 1.7.0, comments in the sudoers file must not
have a digit or minus sign immediately after the comment character
('#'). Otherwise, the comment may be interpreted as a user or
group-ID.
When sudo is build with LDAP support the `/etc/nsswitch.conf` file is
now used to determine the sudoers sea ch order. sudo will default to
only using `/etc/sudoers` unless `/etc/nsswitch.conf` says otherwise.
This can be changed with an nsswitch.conf line, for example:
sudoers: ldap files
Would case LDAP to be searched first, then the sudoers file.
To restore the pre-1.7.0 behavior, run configure with the
`--with-nsswitch=no` flag.
Sudo now ignores user .ldaprc files as well as system LDAP defaults.
All LDAP configuration is now in `/etc/ldap.conf` (or whichever file
was specified by configure's `--with-ldap-conf-file` option).
If you are using TLS, you may now need to specify:
tls_checkpeer no
in sudo's ldap.conf unless ldap.conf references a valid certificate
authority file(s).
* Upgrading from a version prior to 1.6.9:
Starting with sudo 1.6.9, if an OS supports a modular authentication
method such as PAM, it will be used by default by configure.
Environment variable handling has changed significantly in sudo
1.6.9. Prior to version 1.6.9, sudo would preserve the user's
environment, pruning out potentially dangerous variables.
Beginning with sudo 1.6.9, the environment is reset to a default
set of values with only a small number of "safe" variables
preserved. To preserve specific environment variables, add
them to the "env_keep" list in sudoers. E.g.
Defaults env_keep += "EDITOR"
The old behavior can be restored by negating the "env_reset"
option in sudoers. E.g.
Defaults !env_reset
There have also been changes to how the "env_keep" and
"env_check" options behave.
Prior to sudo 1.6.9, the TERM and PATH environment variables
would always be preserved even if the env_keep option was
redefined. That is no longer the case. Consequently, if
env_keep is set with "=" and not simply appended to (i.e., using
"+="), PATH and TERM must be explicitly included in the list
of environment variables to keep. The LOGNAME, SHELL, USER,
and USERNAME environment variables are still always set.
Additionally, the env_check setting previously had no effect
when env_reset was set (which is now on by default). Starting
with sudo 1.6.9, environment variables listed in env_check are
also preserved in the env_reset case, provided that they do not
contain a '/' or '%' character. It is not necessary to also
list a variable in env_keep--having it in env_check is sufficient.
The default lists of variables to be preserved and/or checked
are displayed when sudo is run by root with the -V flag.
* Upgrading from a version prior to 1.6.8:
Prior to sudo 1.6.8, if `/var/run` did not exist, sudo would put
the time stamp files in `/tmp/.odus`. As of sudo 1.6.8, the
time stamp files will be placed in `/var/adm/sudo` or `/usr/adm/sudo`
if there is no `/var/run directory`. This directory will be
created if it does not already exist.
Previously, a sudoers entry that explicitly prohibited running
a command as a certain user did not override a previous entry
allowing the same command. This has been fixed in sudo 1.6.8
such that the last match is now used (as it is documented).
Hopefully no one was depending on the previous (buggy) behavior.
* Upgrading from a version prior to 1.6:
As of sudo 1.6, parsing of runas entries and the NOPASSWD tag
has changed. Prior to 1.6, a runas specifier applied only to
a single command directly following it. Likewise, the NOPASSWD
tag only allowed the command directly following it to be run
without a password. Starting with sudo 1.6, both the runas
specifier and the NOPASSWD tag are "sticky" for an entire
command list. So, given the following line in sudo < 1.6
millert ALL=(daemon) NOPASSWD:/usr/bin/whoami,/bin/ls
millert would be able to run `/usr/bin/whoami` as user daemon
without a password and `/bin/ls` as root with a password.
As of sudo 1.6, the same line now means that millert is able
to run both `/usr/bin/whoami` and `/bin/ls` as user daemon
without a password. To expand on this, take the following
example:
millert ALL=(daemon) NOPASSWD:/usr/bin/whoami, (root) /bin/ls, \
/sbin/dump
millert can run `/usr/bin/whoami` as daemon and `/bin/ls` and
`/sbin/dump` as root. No password need be given for either
command. In other words, the "(root)" sets the default runas
user to root for the rest of the list. If we wanted to require
a password for `/bin/ls` and `/sbin/dump` the line could be written
as:
millert ALL=(daemon) NOPASSWD:/usr/bin/whoami, \
(root) PASSWD:/bin/ls, /sbin/dump
Additionally, sudo now uses a per-user time stamp directory
instead of a time stamp file. This allows tty time stamps to
simply be files within the user's time stamp dir. For the
default, non-tty case, the time stamp on the directory itself
is used.
Also, the temporary file used by visudo is now `/etc/sudoers.tmp`
since some versions of vipw on systems with shadow passwords use
`/etc/stmp` for the temporary shadow file.
* Upgrading from a version prior to 1.5:
By default, sudo expects the sudoers file to be mode 0440 and
to be owned by user and group 0. This differs from version 1.4
and below which expected the sudoers file to be mode 0400 and
to be owned by root. Doing a `make install` will set the sudoers
file to the new mode and group. If sudo encounters a sudoers
file with the old permissions it will attempt to update it to
the new scheme. You cannot, however, use a sudoers file with
the new permissions with an old sudo binary. It is suggested
that if have a means of distributing sudo you distribute the
new binaries first, then the new sudoers file (or you can leave
sudoers as is and sudo will fix the permissions itself as long
as sudoers is on a local file system).
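Review bot: the upgrade notes in this hunk carry several typos that should be fixed before this ships. Under "Upgrading from a version prior to 1.8.20", "TIMEOUT, NOTBEFORE, and NOTAFTTER" should read "NOTAFTER", which is how the sudoers option is actually spelled (the same paragraph also has a stray comma in "sudo, and visudo will report"). Under 1.8.26, "sudo no long sets the USERNAME" should be "no longer sets". Under 1.8.16, "if that directory containing the link" should be "if the directory containing the link". Under 1.8.7, "sudo will check the parent directory default directory ends in `/sudo`" is missing "if the" between "directory" and "default". Under 1.8.2, "are can no longer be used interchangeably" has a stray "are". Under 1.8.1, "existing sudoers file" should be plural and "where before they allowed" should be "where before they were allowed", and the `_"foo_` fragment looks like leftover markup for `"foo`. Under 1.7.0, "sudo is build with LDAP support", "sudoers sea ch order" and "Would case LDAP to be searched first" should be "built", "search order" and "would cause". Under 1.6.8 the code span `/var/run directory` should enclose only `/var/run`, and under 1.5 "if have a means of distributing sudo" is missing "you".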

docs/cvtsudoers.man.in Normal file (1411 lines)
File diff suppressed because it is too large

docs/cvtsudoers.mdoc.in Normal file (1227 lines)
File diff suppressed because it is too large

docs/fixman.sh Executable file (39 lines)
@@ -0,0 +1,39 @@
#!/bin/sh
#
# SPDX-License-Identifier: ISC
#
# Copyright (c) 2012-2014, 2017 Todd C. Miller <Todd.Miller@sudo.ws>
#
# Permission to use, copy, modify, and distribute this software for any
# purpose with or without fee is hereby granted, provided that the above
# copyright notice and this permission notice appear in all copies.
#
# THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
# WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
# MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
# ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
# WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
# ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
# OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
#
OUTFILE="$1"
rm -f "$OUTFILE"
> "$OUTFILE"
# HP-UX friendly header/footer for all man pages
if [ X"`uname 2>&1`" = X"HP-UX" ]; then
cat >>"$OUTFILE" <<-'EOF'
s/^\.TH \("[^"]*"\) \("[^"]*"\) "\([^"]*\)" "\([^"]*\)" \("[^"]*"\)/.TH \1 \2\
.ds )H \4\
.ds ]W \3/
EOF
fi
# Replace "0 minutes" with "unlimited"
cat >>"$OUTFILE" <<-'EOF'
/^\\fR0\\fR$/ {
N
s/^\\fR0\\fR\nminutes\.$/unlimited./
}
EOF
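Review bot: the script never checks that it was given an output file name, so `OUTFILE="$1"` is empty when it is run without an argument and `> "$OUTFILE"` plus every `cat >>"$OUTFILE"` fail with a redirection error, yet the script carries on past each failure because there is no `set -e`. Add a usage check at the top, for example `[ $# -eq 1 ] || { echo "usage: $0 outfile" >&2; exit 1; }`, and consider `set -e` so a failed write stops the build instead of leaving a partial sed script. Minor: `rm -f "$OUTFILE"` immediately followed by `> "$OUTFILE"` is redundant, since the redirection already truncates the file, and `uname 2>&1` folds any error text into the string compared against `HP-UX`; `uname 2>/dev/null` says what is meant.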

docs/fixmdoc.sed Normal file (5 lines)
@@ -0,0 +1,5 @@
# Replace "0 minutes" with "unlimited"
/^\.Li 0$/ {
N
s/^\.Li 0\nminutes\.$/unlimited./
}

docs/schema.ActiveDirectory Normal file (255 lines)
@@ -0,0 +1,255 @@
#
# Active Directory Schema for sudo configuration (sudoers)
#
# To extend your Active Directory schema, run one of the following command
# on your Windows DC (default port - Active Directory):
#
# ldifde -i -f schema.ActiveDirectory -c "CN=Schema,CN=Configuration,DC=X" "#schemaNamingContext"
#
# or on your Windows DC if using another port (with Active Directory LightWeight Directory Services / ADAM-Active Directory Application Mode)
# Port 50000 by example (or any other port specified when defining the ADLDS/ADAM instance
#
# ldifde -i -f schema.ActiveDirectory -t 50000 -c "CN=Schema,CN=Configuration,DC=X" #schemaNamingContext
#
# or
#
# ldifde -i -f schema.ActiveDirectory -s server:port -c "CN=Schema,CN=Configuration,DC=X" #schemaNamingContext
#
# Can add username domain and password
#
# -b username domain password
#
# Can create Log file in current or any directory
#
# -j .
#
dn: CN=sudoUser,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: top
objectClass: attributeSchema
cn: sudoUser
distinguishedName: CN=sudoUser,CN=Schema,CN=Configuration,DC=X
instanceType: 4
attributeID: 1.3.6.1.4.1.15953.9.1.1
attributeSyntax: 2.5.5.5
isSingleValued: FALSE
showInAdvancedViewOnly: TRUE
adminDisplayName: sudoUser
adminDescription: User(s) who may run sudo
oMSyntax: 22
searchFlags: 1
lDAPDisplayName: sudoUser
name: sudoUser
schemaIDGUID:: JrGcaKpnoU+0s+HgeFjAbg==
objectCategory: CN=Attribute-Schema,CN=Schema,CN=Configuration,DC=X
dn: CN=sudoHost,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: top
objectClass: attributeSchema
cn: sudoHost
distinguishedName: CN=sudoHost,CN=Schema,CN=Configuration,DC=X
instanceType: 4
attributeID: 1.3.6.1.4.1.15953.9.1.2
attributeSyntax: 2.5.5.5
isSingleValued: FALSE
showInAdvancedViewOnly: TRUE
adminDisplayName: sudoHost
adminDescription: Host(s) who may run sudo
oMSyntax: 22
lDAPDisplayName: sudoHost
name: sudoHost
schemaIDGUID:: d0TTjg+Y6U28g/Y+ns2k4w==
objectCategory: CN=Attribute-Schema,CN=Schema,CN=Configuration,DC=X
dn: CN=sudoCommand,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: top
objectClass: attributeSchema
cn: sudoCommand
distinguishedName: CN=sudoCommand,CN=Schema,CN=Configuration,DC=X
instanceType: 4
attributeID: 1.3.6.1.4.1.15953.9.1.3
attributeSyntax: 2.5.5.5
isSingleValued: FALSE
showInAdvancedViewOnly: TRUE
adminDisplayName: sudoCommand
adminDescription: Command(s) to be executed by sudo
oMSyntax: 22
lDAPDisplayName: sudoCommand
name: sudoCommand
schemaIDGUID:: D6QR4P5UyUen3RGYJCHCPg==
objectCategory: CN=Attribute-Schema,CN=Schema,CN=Configuration,DC=X
dn: CN=sudoRunAs,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: top
objectClass: attributeSchema
cn: sudoRunAs
distinguishedName: CN=sudoRunAs,CN=Schema,CN=Configuration,DC=X
instanceType: 4
attributeID: 1.3.6.1.4.1.15953.9.1.4
attributeSyntax: 2.5.5.5
isSingleValued: FALSE
showInAdvancedViewOnly: TRUE
adminDisplayName: sudoRunAs
adminDescription: User(s) impersonated by sudo (deprecated)
oMSyntax: 22
lDAPDisplayName: sudoRunAs
name: sudoRunAs
schemaIDGUID:: CP98mCQTyUKKxGrQeM80hQ==
objectCategory: CN=Attribute-Schema,CN=Schema,CN=Configuration,DC=X
dn: CN=sudoOption,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: top
objectClass: attributeSchema
cn: sudoOption
distinguishedName: CN=sudoOption,CN=Schema,CN=Configuration,DC=X
instanceType: 4
attributeID: 1.3.6.1.4.1.15953.9.1.5
attributeSyntax: 2.5.5.5
isSingleValued: FALSE
showInAdvancedViewOnly: TRUE
adminDisplayName: sudoOption
adminDescription: Option(s) followed by sudo
oMSyntax: 22
lDAPDisplayName: sudoOption
name: sudoOption
schemaIDGUID:: ojaPzBBlAEmsvrHxQctLnA==
objectCategory: CN=Attribute-Schema,CN=Schema,CN=Configuration,DC=X
dn: CN=sudoRunAsUser,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: top
objectClass: attributeSchema
cn: sudoRunAsUser
distinguishedName: CN=sudoRunAsUser,CN=Schema,CN=Configuration,DC=X
instanceType: 4
attributeID: 1.3.6.1.4.1.15953.9.1.6
attributeSyntax: 2.5.5.5
isSingleValued: FALSE
showInAdvancedViewOnly: TRUE
adminDisplayName: sudoRunAsUser
adminDescription: User(s) impersonated by sudo
oMSyntax: 22
lDAPDisplayName: sudoRunAsUser
name: sudoRunAsUser
schemaIDGUID:: 9C52yPYd3RG3jMR2VtiVkw==
objectCategory: CN=Attribute-Schema,CN=Schema,CN=Configuration,DC=X
dn: CN=sudoRunAsGroup,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: top
objectClass: attributeSchema
cn: sudoRunAsGroup
distinguishedName: CN=sudoRunAsGroup,CN=Schema,CN=Configuration,DC=X
instanceType: 4
attributeID: 1.3.6.1.4.1.15953.9.1.7
attributeSyntax: 2.5.5.5
isSingleValued: FALSE
showInAdvancedViewOnly: TRUE
adminDisplayName: sudoRunAsGroup
adminDescription: Groups(s) impersonated by sudo
oMSyntax: 22
lDAPDisplayName: sudoRunAsGroup
name: sudoRunAsGroup
schemaIDGUID:: xJhSt/Yd3RGJPTB1VtiVkw==
objectCategory: CN=Attribute-Schema,CN=Schema,CN=Configuration,DC=X
dn: CN=sudoNotBefore,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: top
objectClass: attributeSchema
cn: sudoNotBefore
distinguishedName: CN=sudoNotBefore,CN=Schema,CN=Configuration,DC=X
instanceType: 4
attributeID: 1.3.6.1.4.1.15953.9.1.8
attributeSyntax: 2.5.5.11
isSingleValued: TRUE
showInAdvancedViewOnly: TRUE
adminDisplayName: sudoNotBefore
adminDescription: Start of time interval for which the entry is valid
oMSyntax: 24
lDAPDisplayName: sudoNotBefore
name: sudoNotBefore
schemaIDGUID:: dm1HnRfY4RGf4gopYYhwmw==
objectCategory: CN=Attribute-Schema,CN=Schema,CN=Configuration,DC=X
dn: CN=sudoNotAfter,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: top
objectClass: attributeSchema
cn: sudoNotAfter
distinguishedName: CN=sudoNotAfter,CN=Schema,CN=Configuration,DC=X
instanceType: 4
attributeID: 1.3.6.1.4.1.15953.9.1.9
attributeSyntax: 2.5.5.11
isSingleValued: TRUE
showInAdvancedViewOnly: TRUE
adminDisplayName: sudoNotAfter
adminDescription: End of time interval for which the entry is valid
oMSyntax: 24
lDAPDisplayName: sudoNotAfter
name: sudoNotAfter
schemaIDGUID:: OAr/pBfY4RG9dBIpYYhwmw==
objectCategory: CN=Attribute-Schema,CN=Schema,CN=Configuration,DC=X
dn: CN=sudoOrder,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: top
objectClass: attributeSchema
cn: sudoOrder
distinguishedName: CN=sudoOrder,CN=Schema,CN=Configuration,DC=X
instanceType: 4
attributeID: 1.3.6.1.4.1.15953.9.1.10
attributeSyntax: 2.5.5.9
isSingleValued: TRUE
showInAdvancedViewOnly: TRUE
adminDisplayName: sudoOrder
adminDescription: an integer to order the sudoRole entries
oMSyntax: 2
lDAPDisplayName: sudoOrder
name: sudoOrder
schemaIDGUID:: 0J8yrRfY4RGIYBUpYYhwmw==
objectCategory: CN=Attribute-Schema,CN=Schema,CN=Configuration,DC=X
dn:
changetype: modify
add: schemaUpdateNow
schemaUpdateNow: 1
-
dn: CN=sudoRole,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: top
objectClass: classSchema
cn: sudoRole
distinguishedName: CN=sudoRole,CN=Schema,CN=Configuration,DC=X
instanceType: 4
possSuperiors: container
possSuperiors: top
subClassOf: top
governsID: 1.3.6.1.4.1.15953.9.2.1
mayContain: sudoCommand
mayContain: sudoHost
mayContain: sudoOption
mayContain: sudoRunAs
mayContain: sudoRunAsUser
mayContain: sudoRunAsGroup
mayContain: sudoUser
mayContain: sudoNotBefore
mayContain: sudoNotAfter
mayContain: sudoOrder
rDNAttID: cn
showInAdvancedViewOnly: FALSE
adminDisplayName: sudoRole
adminDescription: Sudoer Entries
objectClassCategory: 1
lDAPDisplayName: sudoRole
name: sudoRole
schemaIDGUID:: SQn432lnZ0+ukbdh3+gN3w==
systemOnly: FALSE
objectCategory: CN=Class-Schema,CN=Schema,CN=Configuration,DC=X
defaultObjectCategory: CN=sudoRole,CN=Schema,CN=Configuration,DC=X
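Review bot: the `sudoRole` class add at the end of the file is not followed by a `schemaUpdateNow` modify the way the attribute adds are (the `dn:` / `changetype: modify` / `add: schemaUpdateNow` / `schemaUpdateNow: 1` block sits between the last attribute and the class), so after `ldifde -i` finishes, the new class may not be usable for creating sudoRole objects until the domain controller refreshes its schema cache on its own. Repeat that four-line block after the sudoRole entry so the class is available immediately. Minor: in the header comment, "run one of the following command" should be "commands", and `adminDescription: Groups(s) impersonated by sudo` on sudoRunAsGroup should read "Group(s)", matching the other schema files.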

docs/schema.IBM_LDAP Normal file (91 lines)
@@ -0,0 +1,91 @@
#
# sudoers schema for IBM Directory Server, also known as Tivoli Directory
# Server, IBM Security Directory Server, and IBM Security Verify Directory.
#
# To import: ldapmodify -c -D binddn -h host:port -w password -f schema.IBM_LDAP
# Substitute the correct values for binddn, host:port and password.
#
dn: cn=schema
changetype: modify
add: attributetypes
attributetypes: ( 1.3.6.1.4.1.15953.9.1.1 NAME 'sudoUser' DESC 'User(s) who may run sudo' EQUALITY caseExactMatch SUBSTR caseExactSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
-
add: ibmattributetypes
ibmattributetypes: ( 1.3.6.1.4.1.15953.9.1.1 DBNAME( 'sudoUser' 'sudoUser' ) ACCESS-CLASS normal LENGTH 512 )
dn: cn=schema
changetype: modify
add: attributetypes
attributeTypes: ( 1.3.6.1.4.1.15953.9.1.2 NAME 'sudoHost' DESC 'Host(s) who may run sudo' EQUALITY caseExactIA5Match SUBSTR caseExactSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
-
add: ibmattributetypes
ibmattributetypes: ( 1.3.6.1.4.1.15953.9.1.2 DBNAME( 'sudoHost' 'sudoHost' ) ACCESS-CLASS normal LENGTH 512 )
dn: cn=schema
changetype: modify
add: attributetypes
attributeTypes: ( 1.3.6.1.4.1.15953.9.1.3 NAME 'sudoCommand' DESC 'Command(s) to be executed by sudo' EQUALITY caseExactIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
-
add: ibmattributetypes
ibmattributetypes: ( 1.3.6.1.4.1.15953.9.1.3 DBNAME( 'sudoCommand' 'sudoCommand' ) ACCESS-CLASS normal LENGTH 2048 )
dn: cn=schema
changetype: modify
add: attributetypes
attributeTypes: ( 1.3.6.1.4.1.15953.9.1.4 NAME 'sudoRunAs' DESC 'User(s) impersonated by sudo (deprecated)' EQUALITY caseExactIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
-
add: ibmattributetypes
ibmattributetypes: ( 1.3.6.1.4.1.15953.9.1.4 DBNAME( 'sudoRunAs' 'sudoRunAs' ) ACCESS-CLASS normal LENGTH 512 )
dn: cn=schema
changetype: modify
add: attributetypes
attributeTypes: ( 1.3.6.1.4.1.15953.9.1.5 NAME 'sudoOption' DESC 'Options(s) followed by sudo' EQUALITY caseExactIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
-
add: ibmattributetypes
ibmattributetypes: ( 1.3.6.1.4.1.15953.9.1.5 DBNAME( 'sudoOption' 'sudoOption' ) ACCESS-CLASS normal LENGTH 512 )
dn: cn=schema
changetype: modify
add: attributetypes
attributeTypes: ( 1.3.6.1.4.1.15953.9.1.6 NAME 'sudoRunAsUser' DESC 'User(s) impersonated by sudo' EQUALITY caseExactMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
-
add: ibmattributetypes
ibmattributetypes: ( 1.3.6.1.4.1.15953.9.1.6 DBNAME( 'sudoRunAsUser' 'sudoRunAsUser' ) ACCESS-CLASS normal LENGTH 512 )
dn: cn=schema
changetype: modify
add: attributetypes
attributeTypes: ( 1.3.6.1.4.1.15953.9.1.7 NAME 'sudoRunAsGroup' DESC 'Group(s) impersonated by sudo' EQUALITY caseExactMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
-
add: ibmattributetypes
ibmattributetypes: ( 1.3.6.1.4.1.15953.9.1.7 DBNAME( 'sudoRunAsGroup' 'sudoRunAsGroup' ) ACCESS-CLASS normal LENGTH 512 )
dn: cn=schema
changetype: modify
add: attributetypes
attributeTypes: ( 1.3.6.1.4.1.15953.9.1.8 NAME 'sudoNotBefore' DESC 'Start of time interval for which the entry is valid' EQUALITY generalizedTimeMatch ORDERING generalizedTimeOrderingMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 )
-
add: ibmattributetypes
ibmattributetypes: ( 1.3.6.1.4.1.15953.9.1.8 DBNAME( 'sudoNotBefore' 'sudoNotBefore' ) ACCESS-CLASS normal LENGTH 512 )
dn: cn=schema
changetype: modify
add: attributetypes
attributeTypes: ( 1.3.6.1.4.1.15953.9.1.9 NAME 'sudoNotAfter' DESC 'End of time interval for which the entry is valid' EQUALITY generalizedTimeMatch ORDERING generalizedTimeOrderingMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 )
-
add: ibmattributetypes
ibmattributetypes: ( 1.3.6.1.4.1.15953.9.1.9 DBNAME( 'sudoNotAfter' 'sudoNotAfter' ) ACCESS-CLASS normal LENGTH 512 )
dn: cn=schema
changetype: modify
add: attributetypes
attributeTypes: ( 1.3.6.1.4.1.15953.9.1.10 NAME 'sudoOrder' DESC 'an integer to order the sudoRole entries' EQUALITY integerMatch ORDERING integerOrderingMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 )
-
add: ibmattributetypes
ibmattributetypes: ( 1.3.6.1.4.1.15953.9.1.10 DBNAME( 'sudoOrder' 'sudoOrder' ) ACCESS-CLASS normal )
dn: cn=schema
changetype: modify
add: objectClasses
objectClasses: ( 1.3.6.1.4.1.15953.9.2.1 NAME 'sudoRole' SUP top STRUCTURAL DESC 'Sudoer Entries' MUST ( cn ) MAY ( sudoUser $ sudoHost $ sudoCommand $ sudoRunAs $ sudoRunAsUser $ sudoRunAsGroup $ sudoOption $ sudoOrder $ sudoNotBefore $ sudoNotAfter $ description ) )

78
docs/schema.OpenLDAP Normal file

@ -0,0 +1,78 @@
#
# OpenLDAP schema file for Sudo
# Save as /etc/openldap/schema/sudo.schema and restart slapd.
# For a version that uses online configuration, see schema.olcSudo.
#
attributetype ( 1.3.6.1.4.1.15953.9.1.1
NAME 'sudoUser'
DESC 'User(s) who may run sudo'
EQUALITY caseExactMatch
SUBSTR caseExactSubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
attributetype ( 1.3.6.1.4.1.15953.9.1.2
NAME 'sudoHost'
DESC 'Host(s) who may run sudo'
EQUALITY caseExactIA5Match
SUBSTR caseExactIA5SubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
attributetype ( 1.3.6.1.4.1.15953.9.1.3
NAME 'sudoCommand'
DESC 'Command(s) to be executed by sudo'
EQUALITY caseExactIA5Match
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
attributetype ( 1.3.6.1.4.1.15953.9.1.4
NAME 'sudoRunAs'
DESC 'User(s) impersonated by sudo (deprecated)'
EQUALITY caseExactIA5Match
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
attributetype ( 1.3.6.1.4.1.15953.9.1.5
NAME 'sudoOption'
DESC 'Options(s) followed by sudo'
EQUALITY caseExactIA5Match
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
attributetype ( 1.3.6.1.4.1.15953.9.1.6
NAME 'sudoRunAsUser'
DESC 'User(s) impersonated by sudo'
EQUALITY caseExactMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
attributetype ( 1.3.6.1.4.1.15953.9.1.7
NAME 'sudoRunAsGroup'
DESC 'Group(s) impersonated by sudo'
EQUALITY caseExactMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
attributetype ( 1.3.6.1.4.1.15953.9.1.8
NAME 'sudoNotBefore'
DESC 'Start of time interval for which the entry is valid'
EQUALITY generalizedTimeMatch
ORDERING generalizedTimeOrderingMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 )
attributetype ( 1.3.6.1.4.1.15953.9.1.9
NAME 'sudoNotAfter'
DESC 'End of time interval for which the entry is valid'
EQUALITY generalizedTimeMatch
ORDERING generalizedTimeOrderingMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 )
attributetype ( 1.3.6.1.4.1.15953.9.1.10
NAME 'sudoOrder'
DESC 'an integer to order the sudoRole entries'
EQUALITY integerMatch
ORDERING integerOrderingMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 )
objectclass ( 1.3.6.1.4.1.15953.9.2.1 NAME 'sudoRole' SUP top STRUCTURAL
DESC 'Sudoer Entries'
MUST ( cn )
MAY ( sudoUser $ sudoHost $ sudoCommand $ sudoRunAs $ sudoRunAsUser $
sudoRunAsGroup $ sudoOption $ sudoOrder $ sudoNotBefore $
sudoNotAfter $ description )
)
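Review bot: the DESC for sudoOption (`DESC 'Options(s) followed by sudo'`) has a stray plural and should read `Option(s)`; the same string is repeated verbatim in schema.iPlanet and schema.olcSudo, so fix all three together. The header comment tells the reader to save the file as /etc/openldap/schema/sudo.schema and restart slapd, but slapd will not load it unless slapd.conf also gets an `include /etc/openldap/schema/sudo.schema` line; add that to the comment so the restart is not a no-op (the comment already points cn=config installs at schema.olcSudo, which is the right split).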

12
docs/schema.iPlanet Normal file

@ -0,0 +1,12 @@
dn: cn=schema
attributeTypes: ( 1.3.6.1.4.1.15953.9.1.1 NAME 'sudoUser' DESC 'User(s) who may run sudo' EQUALITY caseExactMatch SUBSTR caseExactSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'SUDO' )
attributeTypes: ( 1.3.6.1.4.1.15953.9.1.2 NAME 'sudoHost' DESC 'Host(s) who may run sudo' EQUALITY caseExactIA5Match SUBSTR caseExactIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 X-ORIGIN 'SUDO' )
attributeTypes: ( 1.3.6.1.4.1.15953.9.1.3 NAME 'sudoCommand' DESC 'Command(s) to be executed by sudo' EQUALITY caseExactIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 X-ORIGIN 'SUDO' )
attributeTypes: ( 1.3.6.1.4.1.15953.9.1.4 NAME 'sudoRunAs' DESC 'User(s) impersonated by sudo (deprecated)' EQUALITY caseExactIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 X-ORIGIN 'SUDO' )
attributeTypes: ( 1.3.6.1.4.1.15953.9.1.5 NAME 'sudoOption' DESC 'Options(s) followed by sudo' EQUALITY caseExactIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 X-ORIGIN 'SUDO' )
attributeTypes: ( 1.3.6.1.4.1.15953.9.1.6 NAME 'sudoRunAsUser' DESC 'User(s) impersonated by sudo' EQUALITY caseExactMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'SUDO' )
attributeTypes: ( 1.3.6.1.4.1.15953.9.1.7 NAME 'sudoRunAsGroup' DESC 'Group(s) impersonated by sudo' EQUALITY caseExactMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'SUDO' )
attributeTypes: ( 1.3.6.1.4.1.15953.9.1.8 NAME 'sudoNotBefore' DESC 'Start of time interval for which the entry is valid' EQUALITY generalizedTimeMatch ORDERING generalizedTimeOrderingMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 )
attributeTypes: ( 1.3.6.1.4.1.15953.9.1.9 NAME 'sudoNotAfter' DESC 'End of time interval for which the entry is valid' EQUALITY generalizedTimeMatch ORDERING generalizedTimeOrderingMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 )
attributeTypes: ( 1.3.6.1.4.1.15953.9.1.10 NAME 'sudoOrder' DESC 'an integer to order the sudoRole entries' EQUALITY integerMatch ORDERING integerOrderingMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 )
objectClasses: ( 1.3.6.1.4.1.15953.9.2.1 NAME 'sudoRole' SUP top STRUCTURAL DESC 'Sudoer Entries' MUST ( cn ) MAY ( sudoUser $ sudoHost $ sudoCommand $ sudoRunAs $ sudoRunAsUser $ sudoRunAsGroup $ sudoOption $ sudoOrder $ sudoNotBefore $ sudoNotAfter $ description ) X-ORIGIN 'SUDO' )
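Review bot: the definitions for sudoNotBefore, sudoNotAfter and sudoOrder (the last three attributeTypes lines) are missing the `X-ORIGIN 'SUDO'` extension that every other attributeType and the objectClass in this file carry. 389/iPlanet uses X-ORIGIN to attribute schema elements and tags anything loaded without one as 'user defined', so these three end up grouped away from the rest of the sudo schema; add `X-ORIGIN 'SUDO'` to each for consistency. The sudoOption DESC also carries the `Options(s)` typo shared with the other schema files.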

79
docs/schema.olcSudo Normal file

@ -0,0 +1,79 @@
dn: cn=sudoschema,cn=schema,cn=config
objectClass: olcSchemaConfig
cn: sudoschema
#
# OpenLDAP schema file for Sudo in on-line configuration (OLC) format.
# Import using ldapadd or another suitable LDAP browser.
# Converted to OLC format by Frederic Pasteleurs <frederic@askarel.be>
#
olcattributetypes: ( 1.3.6.1.4.1.15953.9.1.1
NAME 'sudoUser'
DESC 'User(s) who may run sudo'
EQUALITY caseExactMatch
SUBSTR caseExactSubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
#
olcattributetypes: ( 1.3.6.1.4.1.15953.9.1.2
NAME 'sudoHost'
DESC 'Host(s) who may run sudo'
EQUALITY caseExactIA5Match
SUBSTR caseExactIA5SubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
#
olcattributetypes: ( 1.3.6.1.4.1.15953.9.1.3
NAME 'sudoCommand'
DESC 'Command(s) to be executed by sudo'
EQUALITY caseExactIA5Match
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
#
olcattributetypes: ( 1.3.6.1.4.1.15953.9.1.4
NAME 'sudoRunAs'
DESC 'User(s) impersonated by sudo (deprecated)'
EQUALITY caseExactIA5Match
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
#
olcattributetypes: ( 1.3.6.1.4.1.15953.9.1.5
NAME 'sudoOption'
DESC 'Options(s) followed by sudo'
EQUALITY caseExactIA5Match
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
#
olcattributetypes: ( 1.3.6.1.4.1.15953.9.1.6
NAME 'sudoRunAsUser'
DESC 'User(s) impersonated by sudo'
EQUALITY caseExactMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
#
olcattributetypes: ( 1.3.6.1.4.1.15953.9.1.7
NAME 'sudoRunAsGroup'
DESC 'Group(s) impersonated by sudo'
EQUALITY caseExactMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
#
olcattributetypes: ( 1.3.6.1.4.1.15953.9.1.8
NAME 'sudoNotBefore'
DESC 'Start of time interval for which the entry is valid'
EQUALITY generalizedTimeMatch
ORDERING generalizedTimeOrderingMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 )
#
olcattributetypes: ( 1.3.6.1.4.1.15953.9.1.9
NAME 'sudoNotAfter'
DESC 'End of time interval for which the entry is valid'
EQUALITY generalizedTimeMatch
ORDERING generalizedTimeOrderingMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 )
#
olcattributeTypes: ( 1.3.6.1.4.1.15953.9.1.10
NAME 'sudoOrder'
DESC 'an integer to order the sudoRole entries'
EQUALITY integerMatch
ORDERING integerOrderingMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 )
#
olcobjectclasses: ( 1.3.6.1.4.1.15953.9.2.1 NAME 'sudoRole' SUP top STRUCTURAL
DESC 'Sudoer Entries'
MUST ( cn )
MAY ( sudoUser $ sudoHost $ sudoCommand $ sudoRunAs $ sudoRunAsUser $ sudoRunAsGroup $ sudoOption $ sudoOrder $ sudoNotBefore $ sudoNotAfter $
description )
)
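Review bot: the sudoOrder definition uses `olcattributeTypes:` while every other attribute in the entry uses `olcattributetypes:`; LDAP attribute names are case-insensitive so slapd accepts both, but pick one spelling (the documented form is `olcAttributeTypes`). The header comment 'Import using ldapadd or another suitable LDAP browser' leaves out the part that trips people up: the entry lives under cn=config, so it has to be added with a bind that may write the config backend, typically `ldapadd -Y EXTERNAL -H ldapi:/// -f schema.olcSudo` run as root, and a simple bind against the data backend will be refused. Also worth a line in the comment: slapd renumbers the entry to `cn={N}sudoschema,cn=schema,cn=config` on load, so later modifications must target that name rather than `cn=sudoschema`.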

941
docs/sudo.conf.man.in Normal file

@ -0,0 +1,941 @@
.\" Automatically generated from the sudo.conf.mdoc.in file. Do not edit.
.\"
.\" SPDX-License-Identifier: ISC
.\"
.\" Copyright (c) 2010-2023 Todd C. Miller <Todd.Miller@sudo.ws>
.\"
.\" Permission to use, copy, modify, and distribute this software for any
.\" purpose with or without fee is hereby granted, provided that the above
.\" copyright notice and this permission notice appear in all copies.
.\"
.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
.\"
.nr SL @SEMAN@
.TH "SUDO.CONF" "@mansectform@" "November 6, 2023" "Sudo @PACKAGE_VERSION@" "File Formats Manual"
.nh
.if n .ad l
.SH "NAME"
\fBsudo.conf\fR
\- configuration for sudo front-end
.SH "DESCRIPTION"
The
\fBsudo.conf\fR
file is used to configure the
\fBsudo\fR
front-end.
It is used to configure sudo plugins, plugin-agnostic path names,
debug flags, and other settings.
.PP
The
\fBsudo.conf\fR
file supports the following directives, described in detail below.
.TP 8n
Plugin
an approval, audit, I/O logging, or security policy plugin
.TP 8n
Path
a plugin-agnostic path
.TP 8n
Set
a front-end setting, such as
\fIdisable_coredump\fR
or
\fIgroup_source\fR
.TP 8n
Debug
debug flags to aid in debugging
\fBsudo\fR,
\fBsudoreplay\fR,
\fBvisudo\fR,
and the
\fBsudoers\fR
plugin.
.PP
The pound sign
(\(oq#\(cq)
is used to indicate a comment.
Both the comment character and any text after it, up to the end of
the line, are ignored.
.PP
Long lines can be continued with a backslash
(\(oq\e\(cq)
as the last character on the line.
Leading white space is removed from the beginning of lines
even when a continuation character is used.
.PP
Non-comment lines that don't begin with
\fIPlugin\fR,
\fIPath\fR,
\fIDebug\fR,
or
\fISet\fR
are silently ignored.
.PP
The
\fBsudo.conf\fR
file is always parsed in the
\(oqC\(cq
locale.
.SS "Plugin configuration"
\fBsudo\fR
supports a plugin architecture for security policies and input/output
logging.
Third parties can develop and distribute their own policy and I/O
logging plugins to work seamlessly with the
\fBsudo\fR
front-end.
Plugins are dynamically loaded based on the contents of
\fBsudo.conf\fR.
.PP
A
\fIPlugin\fR
line consists of the
\fIPlugin\fR
keyword, followed by the
\fIsymbol_name\fR
and the
\fIpath\fR
to the dynamic shared object that contains the plugin.
The
\fIsymbol_name\fR
is the name of the
\fIstruct approval_plugin\fR,
\fIstruct audit_plugin\fR,
\fIstruct io_plugin\fR,
or
\fIstruct policy_plugin\fR
defined by the plugin.
If a plugin implements multiple plugin types, there must be a
\fIPlugin\fR
line for each unique symbol name.
The
\fIpath\fR
may be fully qualified or relative.
If not fully qualified, it is relative to the directory
specified by the
\fIplugin_dir\fR
\fIPath\fR
setting, which defaults to
\fI@plugindir@\fR.
In other words:
.nf
.sp
.RS 4n
Plugin sudoers_policy @sudoers_plugin@
.RE
.fi
.PP
is equivalent to:
.nf
.sp
.RS 4n
Plugin sudoers_policy @plugindir@/@sudoers_plugin@
.RE
.fi
.PP
If the plugin was compiled statically into the
\fBsudo\fR
binary instead of being installed as a dynamic shared object, the
\fIpath\fR
should be specified without a leading directory,
as it does not actually exist in the file system.
For example:
.nf
.sp
.RS 4n
Plugin sudoers_policy @sudoers_plugin@
.RE
.fi
.PP
On AIX systems, the plugin may be either a shared object
ending in
\(oq.so\(cq
or an archive file containing a shared object ending in
\(oq.a\(cq
with the name of the shared object in parentheses at the end.
.PP
Starting with
\fBsudo\fR
1.8.5, any additional parameters after the
\fIpath\fR
are passed as arguments to the plugin's
\fIopen\fR
function.
For example, to override the compile-time default sudoers file mode:
.nf
.sp
.RS 4n
Plugin sudoers_policy @sudoers_plugin@ sudoers_mode=0440
.RE
.fi
.PP
See the
sudoers(@mansectform@)
manual for a list of supported arguments.
.PP
The same dynamic shared object may contain multiple plugins,
each with a different symbol name.
The file must be owned by user-ID 0 and only writable by its owner.
Because of ambiguities that arise from composite policies, only a single
policy plugin may be specified.
This limitation does not apply to I/O plugins.
.PP
If no
\fBsudo.conf\fR
file is present, or if it contains no
\fIPlugin\fR
lines, the
\fBsudoers\fR
plugin will be used as the default security policy, for I/O logging
(if enabled by the policy), and for auditing.
This is equivalent to the following:
.nf
.sp
.RS 4n
Plugin sudoers_policy @sudoers_plugin@
Plugin sudoers_io @sudoers_plugin@
Plugin sudoers_audit @sudoers_plugin@
.RE
.fi
.PP
Starting with
\fBsudo\fR
version 1.9.1, some of the logging functionality of the
\fBsudoers\fR
plugin has been moved from the policy plugin to an audit plugin.
To maintain compatibility with
\fBsudo.conf\fR
files from older
\fBsudo\fR
versions, if
\fBsudoers\fR
is configured as the security policy, it will be used as an audit
plugin as well.
This guarantees that the logging behavior will be consistent with that of
\fBsudo\fR
versions 1.9.0 and below.
.PP
For more information on the
\fBsudo\fR
plugin architecture, see the
sudo_plugin(@mansectform@)
manual.
.SS "Path settings"
A
\fIPath\fR
line consists of the
\fIPath\fR
keyword, followed by the name of the path to set and its value.
For example:
.nf
.sp
.RS 4n
Path intercept @intercept_file@
Path noexec @noexec_file@
Path askpass /usr/X11R6/bin/ssh-askpass
.RE
.fi
.PP
If no path name is specified, features relying on the specified
setting will be disabled.
Disabling
\fIPath\fR
settings is only supported in
\fBsudo\fR
version 1.8.16 and higher.
.PP
The following plugin-agnostic paths may be set in the
\fI@sysconfdir@/sudo.conf\fR
file:
.TP 6n
askpass
The fully qualified path to a helper program used to read the user's
password when no terminal is available.
This may be the case when
\fBsudo\fR
is executed from a graphical (as opposed to text-based) application.
The program specified by
\fIaskpass\fR
should display the argument passed to it as the prompt and write
the user's password to the standard output.
The value of
\fIaskpass\fR
may be overridden by the
\fRSUDO_ASKPASS\fR
environment variable.
.TP 6n
devsearch
An ordered, colon-separated search path of directories to look in for
device nodes.
This is used when mapping the process's tty device number to a device name
on systems that do not provide such a mechanism.
Sudo will
\fInot\fR
recurse into sub-directories.
If terminal devices may be located in a sub-directory of
\fI/dev\fR,
that path must be explicitly listed in
\fIdevsearch\fR.
The default value is
\fI/dev/pts:/dev/vt:/dev/term:/dev/zcons:/dev/pty:/dev\fR
.sp
This option is ignored on systems that support either the
\fBdevname\fR()
or
\fB_ttyname_dev\fR()
functions, for example
BSD,
macOS and Solaris.
.TP 6n
intercept
The path to a shared library containing a wrappers for the
execve(2),
execl(3),
execle(3),
execlp(3),
execv(3),
execvp(3),
execvpe(3),
and
system(3)
library functions that intercepts attempts to run further commands and
performs a policy check before allowing them to be executed.
This is used to implement the
\fIintercept\fR
and
\fIlog_subcmds\fR
functionality on systems that support
\fRLD_PRELOAD\fR
or the equivalent.
.sp
The
\fIintercept\fR
path may be set to either a single fully-qualified path, or, for systems
that support separate
\fRLD_PRELOAD\fR
environment variables for 32-bit and 64-bit executables, it may optionally
be set to two fully-qualified paths separated by a colon
(\(oq:\&\(cq).
The first path should be the 32-bit version and the second the
64-bit version.
This two-path form is currently only supported on AIX and Solaris
systems.
The default value is
\fI@intercept_file@\fR.
.TP 6n
noexec
The path to a shared library containing wrappers for the
execve(2),
execl(3),
execle(3),
execlp(3),
exect(3),
execv(3),
execveat(3),
execvP(3),
execvp(3),
execvpe(3),
fexecve(3),
popen(3),
posix_spawn(3),
posix_spawnp(3),
system(3),
and
wordexp(3)
library functions that prevent the execution of further commands.
This is used to implement the
\fInoexec\fR
functionality on systems that support
\fRLD_PRELOAD\fR
or the equivalent.
.sp
The
\fInoexec\fR
path may be set to either a single fully-qualified path, or, for systems
that support separate
\fRLD_PRELOAD\fR
environment variables for 32-bit and 64-bit executables, it may optionally
be set to two fully-qualified paths separated by a colon
(\(oq:\&\(cq).
The first path should be the 32-bit version and the second the
64-bit version.
This two-path form is currently only supported on AIX and Solaris
systems.
The default value is
\fI@noexec_file@\fR.
.TP 6n
plugin_dir
The default directory to use when searching for plugins
that are specified without a fully qualified path name.
The default value is
\fI@plugindir@\fR.
.TP 6n
sesh
The fully-qualified path to the
\fBsesh\fR
binary.
This setting is only used when
\fBsudo\fR
is built with SELinux support.
The default value is
\fI@sesh_file@\fR.
.\}
.SS "Other settings"
The
\fBsudo.conf\fR
file also supports the following front-end settings:
.TP 6n
disable_coredump
Core dumps of
\fBsudo\fR
itself are disabled by default to prevent the disclosure of potentially
sensitive information.
To aid in debugging
\fBsudo\fR
crashes, you may wish to re-enable core dumps by setting
\(lqdisable_coredump\(rq
to false in
\fBsudo.conf\fR
as follows:
.nf
.sp
.RS 10n
Set disable_coredump false
.RE
.fi
.RS 6n
.sp
All modern operating systems place restrictions on core dumps
from set-user-ID processes like
\fBsudo\fR
so this option can be enabled without compromising security.
To actually get a
\fBsudo\fR
core file you will likely need to enable core dumps for set-user-ID processes.
On
BSD
and Linux systems this is accomplished in the
sysctl(@mansectsu@)
command.
On Solaris, the
coreadm(1m)
command is used to configure core dump behavior.
.sp
This setting is only available in
\fBsudo\fR
version 1.8.4 and higher.
.RE
.TP 6n
group_source
\fBsudo\fR
passes the invoking user's group list to the policy and I/O plugins.
On most systems, there is an upper limit to the number of groups that
a user may belong to simultaneously (typically 16 for compatibility
with NFS).
On systems with the
getconf(1)
utility, running:
.RS 12n
getconf NGROUPS_MAX
.RE
.RS 6n
will return the maximum number of groups.
.sp
However, it is still possible to be a member of a larger number of
groups--they simply won't be included in the group list returned
by the kernel for the user.
Starting with
\fBsudo\fR
version 1.8.7, if the user's kernel group list has the maximum number
of entries,
\fBsudo\fR
will consult the group database directly to determine the group list.
This makes it possible for the security policy to perform matching by group
name even when the user is a member of more than the maximum number of groups.
.sp
The
\fIgroup_source\fR
setting allows the administrator to change this default behavior.
Supported values for
\fIgroup_source\fR
are:
.TP 6n
static
Use the static group list that the kernel returns.
Retrieving the group list this way is very fast but it is subject
to an upper limit as described above.
It is
\(lqstatic\(rq
in that it does not reflect changes to the group database made
after the user logs in.
This was the default behavior prior to
\fBsudo\fR
1.8.7.
.TP 6n
dynamic
Always query the group database directly.
It is
\(lqdynamic\(rq
in that changes made to the group database after the user logs in
will be reflected in the group list.
On some systems, querying the group database for all of a user's
groups can be time consuming when querying a network-based group
database.
Most operating systems provide an efficient method of performing
such queries.
Currently,
\fBsudo\fR
supports efficient group queries on AIX,
BSD,
Linux, macOS, and Solaris.
This is the default behavior on macOS in
\fBsudo\fR
1.9.6 and higher.
.TP 6n
adaptive
Only query the group database if the static group list returned
by the kernel has the maximum number of entries.
This is the default behavior on systems other than macOS in
\fBsudo\fR
1.8.7 and higher.
.PP
For example, to cause
\fBsudo\fR
to only use the kernel's static list of groups for the user:
.nf
.sp
.RS 10n
Set group_source static
.RE
.fi
.sp
This setting is only available in
\fBsudo\fR
version 1.8.7 and higher.
.RE
.TP 6n
max_groups
The maximum number of user groups to retrieve from the group database.
Values less than one or larger than 1024 will be ignored.
This setting is only used when querying the group database directly.
It is intended to be used on systems where it is not possible to detect
when the array to be populated with group entries is not sufficiently large.
By default,
\fBsudo\fR
will allocate four times the system's maximum number of groups (see above)
and retry with double that number if the group database query fails.
.sp
This setting is only available in
\fBsudo\fR
version 1.8.7 and higher.
It should not be required in
\fBsudo\fR
versions 1.8.24 and higher and may be removed in a later release.
.TP 6n
probe_interfaces
By default,
\fBsudo\fR
will probe the system's network interfaces and pass the IP address
of each enabled interface to the policy plugin.
This makes it possible for the plugin to match rules based on the IP address
without having to query DNS.
On Linux systems with a large number of virtual interfaces, this may
take a non-negligible amount of time.
If IP-based matching is not required, network interface probing
can be disabled as follows:
.nf
.sp
.RS 10n
Set probe_interfaces false
.RE
.fi
.RS 6n
.sp
This setting is only available in
\fBsudo\fR
version 1.8.10 and higher.
.RE
.SS "Debug settings"
\fBsudo\fR
versions 1.8.4 and higher support a flexible debugging framework
that can log what
\fBsudo\fR
is doing internally if there is a problem.
.PP
A
\fIDebug\fR
line consists of the
\fIDebug\fR
keyword, followed by the name of the program, plugin, or shared object
to debug, the debug file name, and a comma-separated list of debug flags.
The debug flag syntax used by
\fBsudo\fR,
the
\fBsudoers\fR
plugin along with its associated programs and shared objects is
\fIsubsystem\fR@\fIpriority\fR
but a third-party plugin is free to use a different format so long
as it does not include a comma
(\(oq\&,\(cq).
.PP
On AIX systems, a
\fIDebug\fR
line will match a plugin specified as either the name of an
SVR4-style shared object file ending in
\(oq.so\(cq,
an archive file ending in
\(oq.a\(cq,
or an archive file ending in
\(oq.a\(cq
with the name of the shared object in parentheses.
.PP
Examples:
.nf
.sp
.RS 4n
Debug sudo @log_dir@/sudo_debug all@warn,plugin@info
.RE
.fi
.PP
would log all debugging statements at the
\fIwarn\fR
level and higher in addition to those at the
\fIinfo\fR
level for the plugin subsystem.
.nf
.sp
.RS 4n
Debug sudo_intercept.so @log_dir@/intercept_debug all@debug
.RE
.fi
.PP
would log all debugging statements, regardless of level, for the
\fIsudo_intercept.so\fR
shared library that implements
\fBsudo\fR's
intercept functionality on some systems.
.nf
.sp
.RS 4n
Debug @sudoers_plugin@ @log_dir@/sudoers_debug all@debug
.RE
.fi
.PP
would log all debugging statements, regardless of level, for the
\fBsudoers\fR
plugin.
See
sudoers(@mansectform@)
for the full list of subsystems supported by the
\fBsudoers\fR
plugin.
.PP
As of
\fBsudo\fR
1.8.12, multiple
\fIDebug\fR
entries may be specified per program.
Older versions of
\fBsudo\fR
only support a single
\fIDebug\fR
entry per program.
Plugin-specific
\fIDebug\fR
entries are also supported starting with
\fBsudo\fR
1.8.12 and are matched by either the base name of the plugin that was loaded
(for example
\fI@sudoers_plugin@\fR)
or by the plugin's fully-qualified path name.
Previously, the
\fBsudoers\fR
plugin shared the same
\fIDebug\fR
entry as the
\fBsudo\fR
front-end and could not be configured separately.
.PP
The following priorities are supported, in order of decreasing severity:
\fIcrit\fR, \fIerr\fR, \fIwarn\fR, \fInotice\fR, \fIdiag\fR, \fIinfo\fR, \fItrace\fR,
and
\fIdebug\fR.
Each priority, when specified, also includes all priorities higher
than it.
For example, a priority of
\fInotice\fR
would include debug messages logged at
\fInotice\fR
and higher.
.PP
The priorities
\fItrace\fR
and
\fIdebug\fR
also include function call tracing which logs when a function is
entered and when it returns.
For example, the following trace is for the
\fBget_user_groups\fR()
function located in src/sudo.c:
.nf
.sp
.RS 4n
sudo[123] -> get_user_groups @ src/sudo.c:385
sudo[123] <- get_user_groups @ src/sudo.c:429 := groups=10,0,5
.RE
.fi
.PP
When the function is entered, indicated by a right arrow
\(oq->\(cq,
the program, process ID, function, source file, and line number
are logged.
When the function returns, indicated by a left arrow
\(oq<-\(cq,
the same information is logged along with the return value.
In this case, the return value is a string.
.PP
The following subsystems are used by the
\fBsudo\fR
front-end:
.TP 12n
\fIall\fR
matches every subsystem
.TP 12n
\fIargs\fR
command line argument processing
.TP 12n
\fIconv\fR
user conversation
.TP 12n
\fIedit\fR
sudoedit
.TP 12n
\fIevent\fR
event subsystem
.TP 12n
\fIexec\fR
command execution
.TP 12n
\fImain\fR
\fBsudo\fR
main function
.TP 12n
\fInetif\fR
network interface handling
.TP 12n
\fIpcomm\fR
communication with the plugin
.TP 12n
\fIplugin\fR
plugin configuration
.TP 12n
\fIpty\fR
pseudo-terminal related code
.TP 12n
\fIselinux\fR
SELinux-specific handling
.TP 12n
\fIutil\fR
utility functions
.TP 12n
\fIutmp\fR
utmp handling
.PP
The
sudoers(@mansectform@)
plugin includes support for additional subsystems.
.SH "FILES"
.TP 26n
\fI@sysconfdir@/sudo.conf\fR
\fBsudo\fR
front-end configuration
.SH "EXAMPLES"
.nf
.RS 0n
#
# Default @sysconfdir@/sudo.conf file
#
# Sudo plugins:
# Plugin plugin_name plugin_path plugin_options ...
#
# The plugin_path is relative to @plugindir@ unless
# fully qualified.
# The plugin_name corresponds to a global symbol in the plugin
# that contains the plugin interface structure.
# The plugin_options are optional.
#
# The sudoers plugin is used by default if no Plugin lines are present.
#Plugin sudoers_policy @sudoers_plugin@
#Plugin sudoers_io @sudoers_plugin@
#Plugin sudoers_audit @sudoers_plugin@
#
# Sudo askpass:
# Path askpass /path/to/askpass
#
# An askpass helper program may be specified to provide a graphical
# password prompt for "sudo -A" support. Sudo does not ship with its
# own askpass program but can use the OpenSSH askpass.
#
# Use the OpenSSH askpass
#Path askpass /usr/X11R6/bin/ssh-askpass
#
# Use the Gnome OpenSSH askpass
#Path askpass /usr/libexec/openssh/gnome-ssh-askpass
#
# Sudo device search path:
# Path devsearch /dev/path1:/dev/path2:/dev
#
# A colon-separated list of paths to check when searching for a user's
# terminal device.
#
#Path devsearch /dev/pts:/dev/vt:/dev/term:/dev/zcons:/dev/pty:/dev
#
# Sudo command interception:
# Path intercept /path/to/sudo_intercept.so
#
# Path to a shared library containing replacements for the execv()
# and execve() library functions that perform a policy check to verify
# the command is allowed and simply return an error if not. This is
# used to implement the "intercept" functionality on systems that
# support LD_PRELOAD or its equivalent.
#
# The compiled-in value is usually sufficient and should only be changed
# if you rename or move the sudo_intercept.so file.
#
#Path intercept @intercept_file@
#
# Sudo noexec:
# Path noexec /path/to/sudo_noexec.so
#
# Path to a shared library containing replacements for the execv()
# family of library functions that just return an error. This is
# used to implement the "noexec" functionality on systems that support
# LD_PRELOAD or its equivalent.
#
# The compiled-in value is usually sufficient and should only be changed
# if you rename or move the sudo_noexec.so file.
#
#Path noexec @noexec_file@
#
# Sudo plugin directory:
# Path plugin_dir /path/to/plugins
#
# The default directory to use when searching for plugins that are
# specified without a fully qualified path name.
#
#Path plugin_dir @plugindir@
#
# Core dumps:
# Set disable_coredump true|false
#
# By default, sudo disables core dumps while it is executing (they
# are re-enabled for the command that is run).
# To aid in debugging sudo problems, you may wish to enable core
# dumps by setting "disable_coredump" to false.
#
#Set disable_coredump false
#
# User groups:
# Set group_source static|dynamic|adaptive
#
# Sudo passes the user's group list to the policy plugin.
# If the user is a member of the maximum number of groups (usually 16),
# sudo will query the group database directly to be sure to include
# the full list of groups.
#
# On some systems, this can be expensive so the behavior is configurable.
# The "group_source" setting has three possible values:
# static - use the user's list of groups returned by the kernel.
# dynamic - query the group database to find the list of groups.
# adaptive - if user is in less than the maximum number of groups.
# use the kernel list, else query the group database.
#
#Set group_source static
#
# Sudo interface probing:
# Set probe_interfaces true|false
#
# By default, sudo will probe the system's network interfaces and
# pass the IP address of each enabled interface to the policy plugin.
# On systems with a large number of virtual interfaces this may take
# a noticeable amount of time.
#
#Set probe_interfaces false
#
# Sudo debug files:
# Debug program /path/to/debug_log subsystem@priority[,subsyste@priority]
#
# Sudo and related programs support logging debug information to a file.
# The program is typically sudo, sudoers.so, sudoreplay, or visudo.
#
# Subsystems vary based on the program; "all" matches all subsystems.
# Priority may be crit, err, warn, notice, diag, info, trace, or debug.
# Multiple subsystem@priority may be specified, separated by a comma.
#
#Debug sudo @log_dir@/sudo_debug all@debug
#Debug @sudoers_plugin@ @log_dir@/sudoers_debug all@debug
.RE
.fi
.SH "SEE ALSO"
sudo_plugin(@mansectform@),
sudoers(@mansectform@),
sudo(@mansectsu@)
.SH "AUTHORS"
Many people have worked on
\fBsudo\fR
over the years; this version consists of code written primarily by:
.sp
.RS 6n
Todd C. Miller
.RE
.PP
See the CONTRIBUTORS.md file in the
\fBsudo\fR
distribution (https://www.sudo.ws/about/contributors/) for an
exhaustive list of people who have contributed to
\fBsudo\fR.
.SH "BUGS"
If you believe you have found a bug in
\fBsudo.conf\fR,
you can either file a bug report in the sudo bug database,
https://bugzilla.sudo.ws/, or open an issue at
https://github.com/sudo-project/sudo/issues.
If you would prefer to use email, messages may be sent to the
sudo-workers mailing list,
https://www.sudo.ws/mailman/listinfo/sudo-workers (public)
or <sudo@sudo.ws> (private).
.PP
Please not report security vulnerabilities through public GitHub
issues, Bugzilla or mailing lists.
Instead, report them via email to <Todd.Miller@sudo.ws>.
You may encrypt your message with PGP if you would like, using
the key found at https://www.sudo.ws/dist/PGPKEYS.
.SH "SUPPORT"
Limited free support is available via the sudo-users mailing list,
see https://www.sudo.ws/mailman/listinfo/sudo-users to subscribe or
search the archives.
.SH "DISCLAIMER"
\fBsudo\fR
is provided
\(lqAS IS\(rq
and any express or implied warranties, including, but not limited
to, the implied warranties of merchantability and fitness for a
particular purpose are disclaimed.
See the LICENSE.md file distributed with
\fBsudo\fR
or https://www.sudo.ws/about/license/ for complete details.
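Review bot: the `.\}` that follows the sesh entry's default value (`\fI@sesh_file@\fR.` then `.\}`) closes a conditional that is never opened in this file: there is no `.if \n(SL \{\` ahead of `.TP 6n` / `sesh`, so the SELinux-only sesh paragraph is rendered regardless of @SEMAN@ and a stray `.\}` is passed through to troff. The cause is in sudo.conf.man.in.sed in this same commit, whose insert rule matches `.TP 10n` followed by `sesh` while this generated page uses `.TP 6n`; either the sed pattern or this output has to change so both halves of the conditional are emitted. Smaller text fixes in the same file: 'Please not report security vulnerabilities' in BUGS is missing 'do'; 'a shared library containing a wrappers for' under intercept should drop the 'a'; in the EXAMPLES block the Debug comment has `subsyste@priority` for `subsystem@priority`, and the adaptive line 'if user is in less than the maximum number of groups.' should end with a comma, since the sentence continues on the next line. The EXAMPLES comment for intercept also says the library replaces only execv() and execve(), whereas the Path description above lists the whole exec family plus system(3); align the comment with the description so readers do not assume system(3) escapes interception.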

15
docs/sudo.conf.man.in.sed Normal file

@ -0,0 +1,15 @@
s/^\(.TH .*\)/.nr SL @SEMAN@\
\1/
/^\.TP 10n$/ {
N
/^.TP 10n\nsesh$/ {
i\
.if \\n(SL \\{\\
}
}
/^\\fI@sesh_file@\\fR\.$/ {
a\
.\\}
}
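Review bot: the insert rule only fires on a `.TP 10n` line immediately followed by `sesh` (`/^\.TP 10n$/ { N` and then `/^.TP 10n\nsesh$/`), but the sudo.conf.man.in generated in this commit indents the sesh entry with `.TP 6n`, so the opening `.if \n(SL \{\` is never inserted while the append rule keyed on `\fI@sesh_file@\fR.` still emits the closing `.\}`. Change both occurrences of `10n` to `6n` (or match `.TP [0-9]*n`) so the conditional is balanced; as written the sesh paragraph is shown even when @SEMAN@ is 0. Minor: the outer address escapes the dot (`^\.TP`) while the inner one does not (`^.TP`), which works because `.` also matches a literal dot, but escaping both reads as intended.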

871
docs/sudo.conf.mdoc.in Normal file

@ -0,0 +1,871 @@
.\"
.\" SPDX-License-Identifier: ISC
.\"
.\" Copyright (c) 2010-2023 Todd C. Miller <Todd.Miller@sudo.ws>
.\"
.\" Permission to use, copy, modify, and distribute this software for any
.\" purpose with or without fee is hereby granted, provided that the above
.\" copyright notice and this permission notice appear in all copies.
.\"
.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
.\"
.nr SL @SEMAN@
.Dd November 6, 2023
.Dt SUDO.CONF @mansectform@
.Os Sudo @PACKAGE_VERSION@
.Sh NAME
.Nm sudo.conf
.Nd configuration for sudo front-end
.Sh DESCRIPTION
The
.Nm sudo.conf
file is used to configure the
.Nm sudo
front-end.
It is used to configure sudo plugins, plugin-agnostic path names,
debug flags, and other settings.
.Pp
The
.Nm
file supports the following directives, described in detail below.
.Bl -tag -width "Plugin"
.It Plugin
an approval, audit, I/O logging, or security policy plugin
.It Path
a plugin-agnostic path
.It Set
a front-end setting, such as
.Em disable_coredump
or
.Em group_source
.It Debug
debug flags to aid in debugging
.Nm sudo ,
.Nm sudoreplay ,
.Nm visudo ,
and the
.Nm sudoers
plugin.
.El
.Pp
The pound sign
.Pq Ql #
is used to indicate a comment.
Both the comment character and any text after it, up to the end of
the line, are ignored.
.Pp
Long lines can be continued with a backslash
.Pq Ql \e
as the last character on the line.
Leading white space is removed from the beginning of lines
even when a continuation character is used.
.Pp
Non-comment lines that don't begin with
.Em Plugin ,
.Em Path ,
.Em Debug ,
or
.Em Set
are silently ignored.
.Pp
The
.Nm
file is always parsed in the
.Ql C
locale.
.Ss Plugin configuration
.Nm sudo
supports a plugin architecture for security policies and input/output
logging.
Third parties can develop and distribute their own policy and I/O
logging plugins to work seamlessly with the
.Nm sudo
front-end.
Plugins are dynamically loaded based on the contents of
.Nm .
.Pp
A
.Em Plugin
line consists of the
.Em Plugin
keyword, followed by the
.Em symbol_name
and the
.Em path
to the dynamic shared object that contains the plugin.
The
.Em symbol_name
is the name of the
.Vt struct approval_plugin ,
.Vt struct audit_plugin ,
.Vt struct io_plugin ,
or
.Vt struct policy_plugin
defined by the plugin.
If a plugin implements multiple plugin types, there must be a
.Em Plugin
line for each unique symbol name.
The
.Em path
may be fully qualified or relative.
If not fully qualified, it is relative to the directory
specified by the
.Em plugin_dir
.Em Path
setting, which defaults to
.Pa @plugindir@ .
In other words:
.Bd -literal -offset 4n
Plugin sudoers_policy @sudoers_plugin@
.Ed
.Pp
is equivalent to:
.Bd -literal -offset 4n
Plugin sudoers_policy @plugindir@/@sudoers_plugin@
.Ed
.Pp
If the plugin was compiled statically into the
.Nm sudo
binary instead of being installed as a dynamic shared object, the
.Em path
should be specified without a leading directory,
as it does not actually exist in the file system.
For example:
.Bd -literal -offset 4n
Plugin sudoers_policy @sudoers_plugin@
.Ed
.Pp
On AIX systems, the plugin may be either a shared object
ending in
.Ql .so
or an archive file containing a shared object ending in
.Ql .a
with the name of the shared object in parentheses at the end.
.Pp
Starting with
.Nm sudo
1.8.5, any additional parameters after the
.Em path
are passed as arguments to the plugin's
.Em open
function.
For example, to override the compile-time default sudoers file mode:
.Bd -literal -offset 4n
Plugin sudoers_policy @sudoers_plugin@ sudoers_mode=0440
.Ed
.Pp
See the
.Xr sudoers @mansectform@
manual for a list of supported arguments.
.Pp
The same dynamic shared object may contain multiple plugins,
each with a different symbol name.
The file must be owned by user-ID 0 and only writable by its owner.
Because of ambiguities that arise from composite policies, only a single
policy plugin may be specified.
This limitation does not apply to I/O plugins.
.Pp
If no
.Nm
file is present, or if it contains no
.Em Plugin
lines, the
.Nm sudoers
plugin will be used as the default security policy, for I/O logging
(if enabled by the policy), and for auditing.
This is equivalent to the following:
.Bd -literal -offset 4n
Plugin sudoers_policy @sudoers_plugin@
Plugin sudoers_io @sudoers_plugin@
Plugin sudoers_audit @sudoers_plugin@
.Ed
.Pp
Starting with
.Nm sudo
version 1.9.1, some of the logging functionality of the
.Nm sudoers
plugin has been moved from the policy plugin to an audit plugin.
To maintain compatibility with
.Nm
files from older
.Nm sudo
versions, if
.Nm sudoers
is configured as the security policy, it will be used as an audit
plugin as well.
This guarantees that the logging behavior will be consistent with that of
.Nm sudo
versions 1.9.0 and below.
.Pp
For more information on the
.Nm sudo
plugin architecture, see the
.Xr sudo_plugin @mansectform@
manual.
.Ss Path settings
A
.Em Path
line consists of the
.Em Path
keyword, followed by the name of the path to set and its value.
For example:
.Bd -literal -offset 4n
Path intercept @intercept_file@
Path noexec @noexec_file@
Path askpass /usr/X11R6/bin/ssh-askpass
.Ed
.Pp
If no path name is specified, features relying on the specified
setting will be disabled.
Disabling
.Em Path
settings is only supported in
.Nm sudo
version 1.8.16 and higher.
.Pp
The following plugin-agnostic paths may be set in the
.Pa @sysconfdir@/sudo.conf
file:
.Bl -tag -width 4n
.It askpass
The fully qualified path to a helper program used to read the user's
password when no terminal is available.
This may be the case when
.Nm sudo
is executed from a graphical (as opposed to text-based) application.
The program specified by
.Em askpass
should display the argument passed to it as the prompt and write
the user's password to the standard output.
The value of
.Em askpass
may be overridden by the
.Ev SUDO_ASKPASS
environment variable.
.It devsearch
An ordered, colon-separated search path of directories to look in for
device nodes.
This is used when mapping the process's tty device number to a device name
on systems that do not provide such a mechanism.
Sudo will
.Em not
recurse into sub-directories.
If terminal devices may be located in a sub-directory of
.Pa /dev ,
that path must be explicitly listed in
.Em devsearch .
The default value is
.Pa /dev/pts:/dev/vt:/dev/term:/dev/zcons:/dev/pty:/dev
.Pp
This option is ignored on systems that support either the
.Fn devname
or
.Fn _ttyname_dev
functions, for example
.Bx ,
macOS and Solaris.
.It intercept
The path to a shared library containing a wrappers for the
.Xr execve 2 ,
.Xr execl 3 ,
.Xr execle 3 ,
.Xr execlp 3 ,
.Xr execv 3 ,
.Xr execvp 3 ,
.Xr execvpe 3 ,
and
.Xr system 3
library functions that intercepts attempts to run further commands and
performs a policy check before allowing them to be executed.
This is used to implement the
.Em intercept
and
.Em log_subcmds
functionality on systems that support
.Ev LD_PRELOAD
or the equivalent.
.Pp
The
.Em intercept
path may be set to either a single fully-qualified path, or, for systems
that support separate
.Dv LD_PRELOAD
environment variables for 32-bit and 64-bit executables, it may optionally
be set to two fully-qualified paths separated by a colon
.Pq Ql :\& .
The first path should be the 32-bit version and the second the
64-bit version.
This two-path form is currently only supported on AIX and Solaris
systems.
The default value is
.Pa @intercept_file@ .
.It noexec
The path to a shared library containing wrappers for the
.Xr execve 2 ,
.Xr execl 3 ,
.Xr execle 3 ,
.Xr execlp 3 ,
.Xr exect 3 ,
.Xr execv 3 ,
.Xr execveat 3 ,
.Xr execvP 3 ,
.Xr execvp 3 ,
.Xr execvpe 3 ,
.Xr fexecve 3 ,
.Xr popen 3 ,
.Xr posix_spawn 3 ,
.Xr posix_spawnp 3 ,
.Xr system 3 ,
and
.Xr wordexp 3
library functions that prevent the execution of further commands.
This is used to implement the
.Em noexec
functionality on systems that support
.Ev LD_PRELOAD
or the equivalent.
.Pp
The
.Em noexec
path may be set to either a single fully-qualified path, or, for systems
that support separate
.Dv LD_PRELOAD
environment variables for 32-bit and 64-bit executables, it may optionally
be set to two fully-qualified paths separated by a colon
.Pq Ql :\& .
The first path should be the 32-bit version and the second the
64-bit version.
This two-path form is currently only supported on AIX and Solaris
systems.
The default value is
.Pa @noexec_file@ .
.It plugin_dir
The default directory to use when searching for plugins
that are specified without a fully qualified path name.
The default value is
.Pa @plugindir@ .
.if \n(SL \{\
.It sesh
The fully-qualified path to the
.Nm sesh
binary.
This setting is only used when
.Nm sudo
is built with SELinux support.
The default value is
.Pa @sesh_file@ .
.\}
.El
.Ss Other settings
The
.Nm
file also supports the following front-end settings:
.Bl -tag -width 4n
.It disable_coredump
Core dumps of
.Nm sudo
itself are disabled by default to prevent the disclosure of potentially
sensitive information.
To aid in debugging
.Nm sudo
crashes, you may wish to re-enable core dumps by setting
.Dq disable_coredump
to false in
.Nm
as follows:
.Bd -literal -offset 4n
Set disable_coredump false
.Ed
.Pp
All modern operating systems place restrictions on core dumps
from set-user-ID processes like
.Nm sudo
so this option can be enabled without compromising security.
To actually get a
.Nm sudo
core file you will likely need to enable core dumps for set-user-ID processes.
On
.Bx
and Linux systems this is accomplished in the
.Xr sysctl 8
command.
On Solaris, the
.Xr coreadm 1m
command is used to configure core dump behavior.
.Pp
This setting is only available in
.Nm sudo
version 1.8.4 and higher.
.It group_source
.Nm sudo
passes the invoking user's group list to the policy and I/O plugins.
On most systems, there is an upper limit to the number of groups that
a user may belong to simultaneously (typically 16 for compatibility
with NFS).
On systems with the
.Xr getconf 1
utility, running:
.Dl getconf NGROUPS_MAX
will return the maximum number of groups.
.Pp
However, it is still possible to be a member of a larger number of
groups--they simply won't be included in the group list returned
by the kernel for the user.
Starting with
.Nm sudo
version 1.8.7, if the user's kernel group list has the maximum number
of entries,
.Nm sudo
will consult the group database directly to determine the group list.
This makes it possible for the security policy to perform matching by group
name even when the user is a member of more than the maximum number of groups.
.Pp
The
.Em group_source
setting allows the administrator to change this default behavior.
Supported values for
.Em group_source
are:
.Bl -tag -width 4n
.It static
Use the static group list that the kernel returns.
Retrieving the group list this way is very fast but it is subject
to an upper limit as described above.
It is
.Dq static
in that it does not reflect changes to the group database made
after the user logs in.
This was the default behavior prior to
.Nm sudo
1.8.7.
.It dynamic
Always query the group database directly.
It is
.Dq dynamic
in that changes made to the group database after the user logs in
will be reflected in the group list.
On some systems, querying the group database for all of a user's
groups can be time consuming when querying a network-based group
database.
Most operating systems provide an efficient method of performing
such queries.
Currently,
.Nm sudo
supports efficient group queries on AIX,
.Bx ,
Linux, macOS, and Solaris.
This is the default behavior on macOS in
.Nm sudo
1.9.6 and higher.
.It adaptive
Only query the group database if the static group list returned
by the kernel has the maximum number of entries.
This is the default behavior on systems other than macOS in
.Nm sudo
1.8.7 and higher.
.El
.Pp
For example, to cause
.Nm sudo
to only use the kernel's static list of groups for the user:
.Bd -literal -offset 4n
Set group_source static
.Ed
.Pp
This setting is only available in
.Nm sudo
version 1.8.7 and higher.
.It max_groups
The maximum number of user groups to retrieve from the group database.
Values less than one or larger than 1024 will be ignored.
This setting is only used when querying the group database directly.
It is intended to be used on systems where it is not possible to detect
when the array to be populated with group entries is not sufficiently large.
By default,
.Nm sudo
will allocate four times the system's maximum number of groups (see above)
and retry with double that number if the group database query fails.
.Pp
This setting is only available in
.Nm sudo
version 1.8.7 and higher.
It should not be required in
.Nm sudo
versions 1.8.24 and higher and may be removed in a later release.
.It probe_interfaces
By default,
.Nm sudo
will probe the system's network interfaces and pass the IP address
of each enabled interface to the policy plugin.
This makes it possible for the plugin to match rules based on the IP address
without having to query DNS.
On Linux systems with a large number of virtual interfaces, this may
take a non-negligible amount of time.
If IP-based matching is not required, network interface probing
can be disabled as follows:
.Bd -literal -offset 4n
Set probe_interfaces false
.Ed
.Pp
This setting is only available in
.Nm sudo
version 1.8.10 and higher.
.El
.Ss Debug settings
.Nm sudo
versions 1.8.4 and higher support a flexible debugging framework
that can log what
.Nm sudo
is doing internally if there is a problem.
.Pp
A
.Em Debug
line consists of the
.Em Debug
keyword, followed by the name of the program, plugin, or shared object
to debug, the debug file name, and a comma-separated list of debug flags.
The debug flag syntax used by
.Nm sudo ,
the
.Nm sudoers
plugin along with its associated programs and shared objects is
.Em subsystem Ns @ Ns Em priority
but a third-party plugin is free to use a different format so long
as it does not include a comma
.Pq Ql \&, .
.Pp
On AIX systems, a
.Em Debug
line will match a plugin specified as either the name of an
SVR4-style shared object file ending in
.Ql .so ,
an archive file ending in
.Ql .a ,
or an archive file ending in
.Ql .a
with the name of the shared object in parentheses.
.Pp
Examples:
.Bd -literal -offset 4n
Debug sudo @log_dir@/sudo_debug all@warn,plugin@info
.Ed
.Pp
would log all debugging statements at the
.Em warn
level and higher in addition to those at the
.Em info
level for the plugin subsystem.
.Bd -literal -offset 4n
Debug sudo_intercept.so @log_dir@/intercept_debug all@debug
.Ed
.Pp
would log all debugging statements, regardless of level, for the
.Pa sudo_intercept.so
shared library that implements
.Nm sudo Ns 's
intercept functionality on some systems.
.Bd -literal -offset 4n
Debug @sudoers_plugin@ @log_dir@/sudoers_debug all@debug
.Ed
.Pp
would log all debugging statements, regardless of level, for the
.Nm sudoers
plugin.
See
.Xr sudoers @mansectform@
for the full list of subsystems supported by the
.Nm sudoers
plugin.
.Pp
As of
.Nm sudo
1.8.12, multiple
.Em Debug
entries may be specified per program.
Older versions of
.Nm sudo
only support a single
.Em Debug
entry per program.
Plugin-specific
.Em Debug
entries are also supported starting with
.Nm sudo
1.8.12 and are matched by either the base name of the plugin that was loaded
(for example
.Pa @sudoers_plugin@ )
or by the plugin's fully-qualified path name.
Previously, the
.Nm sudoers
plugin shared the same
.Em Debug
entry as the
.Nm sudo
front-end and could not be configured separately.
.Pp
The following priorities are supported, in order of decreasing severity:
.Em crit , err , warn , notice , diag , info , trace ,
and
.Em debug .
Each priority, when specified, also includes all priorities higher
than it.
For example, a priority of
.Em notice
would include debug messages logged at
.Em notice
and higher.
.Pp
The priorities
.Em trace
and
.Em debug
also include function call tracing which logs when a function is
entered and when it returns.
For example, the following trace is for the
.Fn get_user_groups
function located in src/sudo.c:
.Bd -literal -offset 4n
sudo[123] -> get_user_groups @ src/sudo.c:385
sudo[123] <- get_user_groups @ src/sudo.c:429 := groups=10,0,5
.Ed
.Pp
When the function is entered, indicated by a right arrow
.Ql -> ,
the program, process ID, function, source file, and line number
are logged.
When the function returns, indicated by a left arrow
.Ql <- ,
the same information is logged along with the return value.
In this case, the return value is a string.
.Pp
The following subsystems are used by the
.Nm sudo
front-end:
.Bl -tag -width Fl
.It Em all
matches every subsystem
.It Em args
command line argument processing
.It Em conv
user conversation
.It Em edit
sudoedit
.It Em event
event subsystem
.It Em exec
command execution
.It Em main
.Nm sudo
main function
.It Em netif
network interface handling
.It Em pcomm
communication with the plugin
.It Em plugin
plugin configuration
.It Em pty
pseudo-terminal related code
.It Em selinux
SELinux-specific handling
.It Em util
utility functions
.It Em utmp
utmp handling
.El
.Pp
The
.Xr sudoers @mansectform@
plugin includes support for additional subsystems.
.Sh FILES
.Bl -tag -width 24n
.It Pa @sysconfdir@/sudo.conf
.Nm sudo
front-end configuration
.El
.Sh EXAMPLES
.Bd -literal
#
# Default @sysconfdir@/sudo.conf file
#
# Sudo plugins:
# Plugin plugin_name plugin_path plugin_options ...
#
# The plugin_path is relative to @plugindir@ unless
# fully qualified.
# The plugin_name corresponds to a global symbol in the plugin
# that contains the plugin interface structure.
# The plugin_options are optional.
#
# The sudoers plugin is used by default if no Plugin lines are present.
#Plugin sudoers_policy @sudoers_plugin@
#Plugin sudoers_io @sudoers_plugin@
#Plugin sudoers_audit @sudoers_plugin@
#
# Sudo askpass:
# Path askpass /path/to/askpass
#
# An askpass helper program may be specified to provide a graphical
# password prompt for "sudo -A" support. Sudo does not ship with its
# own askpass program but can use the OpenSSH askpass.
#
# Use the OpenSSH askpass
#Path askpass /usr/X11R6/bin/ssh-askpass
#
# Use the Gnome OpenSSH askpass
#Path askpass /usr/libexec/openssh/gnome-ssh-askpass
#
# Sudo device search path:
# Path devsearch /dev/path1:/dev/path2:/dev
#
# A colon-separated list of paths to check when searching for a user's
# terminal device.
#
#Path devsearch /dev/pts:/dev/vt:/dev/term:/dev/zcons:/dev/pty:/dev
#
# Sudo command interception:
# Path intercept /path/to/sudo_intercept.so
#
# Path to a shared library containing replacements for the execv()
# and execve() library functions that perform a policy check to verify
# the command is allowed and simply return an error if not. This is
# used to implement the "intercept" functionality on systems that
# support LD_PRELOAD or its equivalent.
#
# The compiled-in value is usually sufficient and should only be changed
# if you rename or move the sudo_intercept.so file.
#
#Path intercept @intercept_file@
#
# Sudo noexec:
# Path noexec /path/to/sudo_noexec.so
#
# Path to a shared library containing replacements for the execv()
# family of library functions that just return an error. This is
# used to implement the "noexec" functionality on systems that support
# LD_PRELOAD or its equivalent.
#
# The compiled-in value is usually sufficient and should only be changed
# if you rename or move the sudo_noexec.so file.
#
#Path noexec @noexec_file@
#
# Sudo plugin directory:
# Path plugin_dir /path/to/plugins
#
# The default directory to use when searching for plugins that are
# specified without a fully qualified path name.
#
#Path plugin_dir @plugindir@
#
# Core dumps:
# Set disable_coredump true|false
#
# By default, sudo disables core dumps while it is executing (they
# are re-enabled for the command that is run).
# To aid in debugging sudo problems, you may wish to enable core
# dumps by setting "disable_coredump" to false.
#
#Set disable_coredump false
#
# User groups:
# Set group_source static|dynamic|adaptive
#
# Sudo passes the user's group list to the policy plugin.
# If the user is a member of the maximum number of groups (usually 16),
# sudo will query the group database directly to be sure to include
# the full list of groups.
#
# On some systems, this can be expensive so the behavior is configurable.
# The "group_source" setting has three possible values:
# static - use the user's list of groups returned by the kernel.
# dynamic - query the group database to find the list of groups.
# adaptive - if user is in less than the maximum number of groups.
# use the kernel list, else query the group database.
#
#Set group_source static
#
# Sudo interface probing:
# Set probe_interfaces true|false
#
# By default, sudo will probe the system's network interfaces and
# pass the IP address of each enabled interface to the policy plugin.
# On systems with a large number of virtual interfaces this may take
# a noticeable amount of time.
#
#Set probe_interfaces false
#
# Sudo debug files:
# Debug program /path/to/debug_log subsystem@priority[,subsyste@priority]
#
# Sudo and related programs support logging debug information to a file.
# The program is typically sudo, sudoers.so, sudoreplay, or visudo.
#
# Subsystems vary based on the program; "all" matches all subsystems.
# Priority may be crit, err, warn, notice, diag, info, trace, or debug.
# Multiple subsystem@priority may be specified, separated by a comma.
#
#Debug sudo @log_dir@/sudo_debug all@debug
#Debug @sudoers_plugin@ @log_dir@/sudoers_debug all@debug
.Ed
.Sh SEE ALSO
.Xr sudo_plugin @mansectform@ ,
.Xr sudoers @mansectform@ ,
.Xr sudo @mansectsu@
.Sh AUTHORS
Many people have worked on
.Nm sudo
over the years; this version consists of code written primarily by:
.Bd -ragged -offset indent
.An Todd C. Miller
.Ed
.Pp
See the CONTRIBUTORS.md file in the
.Nm sudo
distribution (https://www.sudo.ws/about/contributors/) for an
exhaustive list of people who have contributed to
.Nm sudo .
.Sh BUGS
If you believe you have found a bug in
.Nm ,
you can either file a bug report in the sudo bug database,
https://bugzilla.sudo.ws/, or open an issue at
https://github.com/sudo-project/sudo/issues.
If you would prefer to use email, messages may be sent to the
sudo-workers mailing list,
https://www.sudo.ws/mailman/listinfo/sudo-workers (public)
or <sudo@sudo.ws> (private).
.Pp
Please not report security vulnerabilities through public GitHub
issues, Bugzilla or mailing lists.
Instead, report them via email to <Todd.Miller@sudo.ws>.
You may encrypt your message with PGP if you would like, using
the key found at https://www.sudo.ws/dist/PGPKEYS.
.Sh SUPPORT
Limited free support is available via the sudo-users mailing list,
see https://www.sudo.ws/mailman/listinfo/sudo-users to subscribe or
search the archives.
.Sh DISCLAIMER
.Nm sudo
is provided
.Dq AS IS
and any express or implied warranties, including, but not limited
to, the implied warranties of merchantability and fitness for a
particular purpose are disclaimed.
See the LICENSE.md file distributed with
.Nm sudo
or https://www.sudo.ws/about/license/ for complete details.
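Review bot: several wording errors in this hunk. In the `intercept` Path item, `The path to a shared library containing a wrappers for the` should read `containing wrappers for the` (the parallel `noexec` item already has it right). In the BUGS section, `Please not report security vulnerabilities through public GitHub` should be `Please do not report security vulnerabilities through public GitHub`. In the EXAMPLES block, the Debug usage comment `# Debug program /path/to/debug_log subsystem@priority[,subsyste@priority]` has `subsyste@priority` for `subsystem@priority`. Also worth aligning: the EXAMPLES comment for `Path intercept` says the library contains replacements for `execv()` and `execve()` only, while the Path settings section lists the full exec family plus `system(3)`; the example comment should either name the same set or say "the exec family".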

1754
docs/sudo.man.in Normal file

File diff suppressed because it is too large

76
docs/sudo.man.in.sed Normal file

@ -0,0 +1,76 @@
s/^\(.TH .*\)/.nr SL @SEMAN@\
.nr BA @BAMAN@\
.nr LC @LCMAN@\
.nr PS @PSMAN@\
\1/
s/^\(\[\\fB\\-a\\fR.*\\fItype\\fR\]\) *$/.if \\n(BA \1/
s/^\(\[\\fB\\-c\\fR.*\\fIclass\\fR\]\) *$/.if \\n(LC \1/
s/^\(\[\\fB\\-r\\fR.*\\fIrole\\fR\]\) *$/.if \\n(SL \1/
s/^\(\[\\fB\\-t\\fR.*\\fItype\\fR\]\) *$/.if \\n(SL \1/
/^\.TP 12n$/ {
N
/^\.TP 12n\n\\fB\\-a\\fR.*\\fItype\\fR$/,/^\.TP 12n/ {
/^\.TP 12n/ {
/^\.TP 12n\n\\fB\\-a\\fR.*\\fItype\\fR$/i\
.if \\n(BA \\{\\
/^\.TP 12n\n\\fB\\-a\\fR.*\\fItype\\fR$/!i\
.\\}
}
}
/^\.TP 12n\n\\fB\\-c\\fR.*\\fIclass\\fR$/,/^\.TP 12n/ {
/^\.TP 12n/ {
/^\.TP 12n\n\\fB\\-c\\fR.*\\fIclass\\fR$/i\
.if \\n(LC \\{\\
/^\.TP 12n\n\\fB\\-c\\fR.*\\fIclass\\fR$/!i\
.\\}
}
}
/^\.TP 12n\n\\fB\\-r\\fR.*\\fIrole\\fR$/,/^\.TP 12n/ {
/^\.TP 12n/ {
/^\.TP 12n\n\\fB\\-r\\fR.*\\fIrole\\fR$/i\
.if \\n(SL \\{\\
/^\.TP 12n\n\\fB\\-r\\fR.*\\fIrole\\fR$/!i\
.\\}
}
}
/^\.TP 12n\n\\fB\\-t\\fR.*\\fItype\\fR$/,/^\.TP 12n/ {
/^\.TP 12n/ {
/^\.TP 12n\n\\fB\\-t\\fR.*\\fItype\\fR$/i\
.if \\n(SL \\{\\
/^\.TP 12n\n\\fB\\-t\\fR.*\\fItype\\fR$/!i\
.\\}
}
}
}
/^\.TP 3n$/ {
N
N
/^.TP 3n\n\\fB\\(bu\\fR\nSELinux role and type$/ {
i\
.if \\n(SL \\{\\
a\
.\\}
}
/^.TP 3n\n\\fB\\(bu\\fR\nSolaris project$/ {
i\
.if \\n(PS \\{\\
a\
.\\}
}
/^.TP 3n\n\\fB\\(bu\\fR\nSolaris privileges$/ {
i\
.if \\n(PS \\{\\
a\
.\\}
}
/^.TP 3n\n\\fB\\(bu\\fR\nBSD$/ {
N
i\
.if \\n(LC \\{\\
a\
.\\}
}
}
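Review bot: like the companion sed script for sudo.conf, this file has no header comment explaining that it wraps the `-a`/`-c`/`-r`/`-t` options and the SELinux, Solaris and BSD login-class bullets in `.if \n(BA`, `.if \n(LC`, `.if \n(SL` and `.if \n(PS` conditionals driven by the @BAMAN@/@LCMAN@/@SEMAN@/@PSMAN@ registers; given four near-identical 12n blocks, a single comment describing the pattern (open the conditional at the option's `.TP 12n`, close it at the next `.TP 12n`) would save the next editor from reverse-engineering it. The `BSD` bullet block issues an extra `N` before inserting, so it silently depends on that bullet's text being split across exactly two lines; note that in a comment or it will break when the wording is reflowed. Style point: `/^\.TP 3n$/` escapes the leading dot but `/^.TP 3n\n\\fB\\(bu\\fR\nSELinux role and type$/` and the other 3n patterns do not; be consistent.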

1642
docs/sudo.mdoc.in Normal file

File diff suppressed because it is too large


@ -0,0 +1,923 @@
.\" Automatically generated from the sudo_logsrv.proto.mdoc.in file. Do not edit.
.\"
.\" SPDX-License-Identifier: ISC
.\"
.\" Copyright (c) 2019-2022 Todd C. Miller <Todd.Miller@sudo.ws>
.\"
.\" Permission to use, copy, modify, and distribute this software for any
.\" purpose with or without fee is hereby granted, provided that the above
.\" copyright notice and this permission notice appear in all copies.
.\"
.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
.\"
.TH "SUDO_LOGSRV.PROTO" "@mansectform@" "September 13, 2022" "Sudo @PACKAGE_VERSION@" "File Formats Manual"
.nh
.if n .ad l
.SH "NAME"
\fBsudo_logsrv.proto\fR
\- Sudo log server protocol
.SH "DESCRIPTION"
Starting with version 1.9.0,
\fBsudo\fR
supports sending event and I/O logs to a log server.
The protocol used is written in Google's Protocol Buffers domain
specific language.
The
\fIEXAMPLES\fR
section includes a complete description of the protocol in Protocol
Buffers format.
.PP
Because there is no way to determine message boundaries when using
Protocol Buffers, the wire size of each message is sent immediately
preceding the message itself as a 32-bit unsigned integer in network
byte order.
This is referred to as
\(lqlength-prefix framing\(rq
and is how Google suggests handling the lack of message delimiters.
.PP
The protocol is made up of two basic messages,
\fIClientMessage\fR
and
\fIServerMessage\fR,
described below.
The server must accept messages up to two megabytes in size.
The server may return an error if the client tries to send a message
larger than two megabytes.
.SH "Client Messages"
A
\fIClientMessage\fR
is a container used to encapsulate all the possible message types
a client may send to the server.
.nf
.sp
.RS 0n
message ClientMessage {
oneof type {
AcceptMessage accept_msg = 1;
RejectMessage reject_msg = 2;
ExitMessage exit_msg = 3;
RestartMessage restart_msg = 4;
AlertMessage alert_msg = 5;
IoBuffer ttyin_buf = 6;
IoBuffer ttyout_buf = 7;
IoBuffer stdin_buf = 8;
IoBuffer stdout_buf = 9;
IoBuffer stderr_buf = 10;
ChangeWindowSize winsize_event = 11;
CommandSuspend suspend_event = 12;
ClientHello hello_msg = 13;
}
}
.RE
.fi
.PP
The different
\fIClientMessage\fR
sub-messages the client may sent to the server are described below.
.SS "TimeSpec"
.nf
.RS 0n
message TimeSpec {
int64 tv_sec = 1;
int32 tv_nsec = 2;
}
.RE
.fi
.PP
A
\fITimeSpec\fR
is the equivalent of a POSIX
\fIstruct timespec\fR,
containing seconds and nanoseconds members.
The
\fItv_sec\fR
member is a 64-bit integer to support dates after the year 2038.
.SS "InfoMessage"
.nf
.RS 0n
message InfoMessage {
message StringList {
repeated string strings = 1;
}
message NumberList {
repeated int64 numbers = 1;
}
string key = 1;
oneof value {
int64 numval = 2;
string strval = 3;
StringList strlistval = 4;
NumberList numlistval = 5;
}
}
.RE
.fi
.PP
An
\fIInfoMessage\fR
is used to represent information about the invoking user as well as the
execution environment the command runs in the form of key-value pairs.
The key is always a string but the value may be a 64-bit integer,
a string, an array of strings, or an array of 64-bit integers.
The event log data is composed of
\fIInfoMessage\fR
entries.
See the
\fIEVENT LOG VARIABLES\fR
section for more information.
.SS "ClientHello hello_msg"
.nf
.RS 0n
message ClientHello {
string client_id = 1;
}
.RE
.fi
.PP
A
\fIClientHello\fR
message consists of client information that may be sent to the
server when the client first connects.
.TP 8n
client_id
A free-form client description.
This usually includes the name and version of the client implementation.
.SS "AcceptMessage accept_msg"
.nf
.RS 0n
message AcceptMessage {
TimeSpec submit_time = 1;
repeated InfoMessage info_msgs = 2;
bool expect_iobufs = 3;
}
.RE
.fi
.PP
An
\fIAcceptMessage\fR
is sent by the client when a command is allowed by the security policy.
It contains the following members:
.TP 8n
submit_time
The wall clock time when the command was submitted to the security policy.
.TP 8n
info_msgs
An array of
\fIInfoMessage\fR
describing the user who submitted the command as well as the execution
environment of the command.
This information is used to generate an event log entry and may also be
used by server to determine where and how the I/O log is stored.
.TP 8n
expect_iobufs
Set to true if the server should expect
\fIIoBuffer\fR
messages to follow (for I/O logging) or false if the server should only
store the event log.
.PP
If an
\fIAcceptMessage\fR
is sent, the client must not send a
\fIRejectMessage\fR
or
\fIRestartMessage\fR.
.SS "RejectMessage reject_msg"
.nf
.RS 0n
message RejectMessage {
TimeSpec submit_time = 1;
string reason = 2;
repeated InfoMessage info_msgs = 3;
}
.RE
.fi
.PP
A
\fIRejectMessage\fR
is sent by the client when a command is denied by the security policy.
It contains the following members:
.TP 8n
submit_time
The wall clock time when the command was submitted to the security policy.
.TP 8n
reason
The reason the security policy gave for denying the command.
.TP 8n
info_msgs
An array of
\fIInfoMessage\fR
describing the user who submitted the command as well as the execution
environment of the command.
This information is used to generate an event log entry.
.PP
If a
\fIRejectMessage\fR
is sent, the client must not send an
\fIAcceptMessage\fR
or
\fIRestartMessage\fR.
.SS "ExitMessage exit_msg"
.nf
.RS 0n
message ExitMessage {
TimeSpec run_time = 1;
int32 exit_value = 2;
bool dumped_core = 3;
string signal = 4;
string error = 5;
}
.PP
.RE
.fi
An
\fIExitMessage\fR
is sent by the client after the command has exited or has been
terminated by a signal.
It contains the following members:
.TP 8n
run_time
The total amount of elapsed time since the command started,
calculated using a monotonic clock where possible.
This is not the wall clock time.
.TP 8n
exit_value
The command's exit value in the range 0-255.
.TP 8n
dumped_core
True if the command was terminated by a signal and dumped core.
.TP 8n
signal
If the command was terminated by a signal, this is set to the
name of the signal without the leading
\(lqSIG\(rq.
For example,
\fRINT\fR,
\fRTERM\fR,
\fRKILL\fR,
\fRSEGV\fR.
.TP 8n
error
A message from the client indicating that the command was terminated
unexpectedly due to an error.
.PP
When performing I/O logging, the client should wait for a
\fIcommit_point\fR
corresponding to the final
\fIIoBuffer\fR
before closing the connection unless the final
\fIcommit_point\fR
has already been received.
.SS "RestartMessage restart_msg"
.nf
.RS 0n
message RestartMessage {
string log_id = 1;
TimeSpec resume_point = 2;
}
.RE
.fi
.PP
A
\fIRestartMessage\fR
is sent by the client to resume sending an existing I/O log that
was previously interrupted.
It contains the following members:
.TP 8n
log_id
The the server-side name for an I/O log that was previously
sent to the client by the server.
This may be a path name on the server or some other kind of server-side
identifier.
.TP 8n
resume_point
The point in time after which to resume the I/O log.
This is in the form of a
\fITimeSpec\fR
representing the amount of time since the command started, not
the wall clock time.
The
\fIresume_point\fR
should correspond to a
\fIcommit_point\fR
previously sent to the client by the server.
If the server receives a
\fIRestartMessage\fR
containing a
\fIresume_point\fR
it has not previously seen, an error will be returned to the client
and the connection will be dropped.
.PP
If a
\fIRestartMessage\fR
is sent, the client must not send an
\fIAcceptMessage\fR
or
\fIRejectMessage\fR.
.SS "AlertMessage alert_msg"
.nf
.RS 0n
message AlertMessage {
TimeSpec alert_time = 1;
string reason = 2;
repeated InfoMessage info_msgs = 3;
}
.RE
.fi
.PP
An
\fIAlertMessage\fR
is sent by the client to indicate a problem detected by the security
policy while the command is running that should be stored in the event log.
It contains the following members:
.TP 8n
alert_time
The wall clock time when the alert occurred.
.TP 8n
reason
The reason for the alert.
.TP 8n
info_msgs
An optional array of
\fIInfoMessage\fR
describing the user who submitted the command as well as the execution
environment of the command.
This information is used to generate an event log entry.
.SS "IoBuffer ttyin_buf | ttyout_buf | stdin_buf | stdout_buf | stderr_buf"
.nf
.RS 0n
message IoBuffer {
TimeSpec delay = 1;
bytes data = 2;
}
.RE
.fi
.PP
An
\fIIoBuffer\fR
is used to represent data from terminal input, terminal
output, standard input, standard output, or standard error.
It contains the following members:
.TP 8n
delay
The elapsed time since the last record in the form of a
\fITimeSpec\fR.
The
\fIdelay\fR
should be calculated using a monotonic clock where possible.
.TP 8n
data
The binary I/O log data from terminal input, terminal output,
standard input, standard output, or standard error.
.SS "ChangeWindowSize winsize_event"
.nf
.RS 0n
message ChangeWindowSize {
TimeSpec delay = 1;
int32 rows = 2;
int32 cols = 3;
}
.RE
.fi
.PP
A
\fIChangeWindowSize\fR
message is sent by the client when the terminal running the command
changes size.
It contains the following members:
.TP 8n
delay
The elapsed time since the last record in the form of a
\fITimeSpec\fR.
The
\fIdelay\fR
should be calculated using a monotonic clock where possible.
.TP 8n
rows
The new number of terminal rows.
.TP 8n
cols
The new number of terminal columns.
.SS "CommandSuspend suspend_event"
.nf
.RS 0n
message CommandSuspend {
TimeSpec delay = 1;
string signal = 2;
}
.RE
.fi
.PP
A
\fICommandSuspend\fR
message is sent by the client when the command is either suspended
or resumed.
It contains the following members:
.TP 8n
delay
The elapsed time since the last record in the form of a
\fITimeSpec\fR.
The
\fIdelay\fR
should be calculated using a monotonic clock where possible.
.TP 8n
signal
The signal name without the leading
\(lqSIG\(rq.
For example,
\fRSTOP\fR,
\fRTSTP\fR,
\fRCONT\fR.
.SH "Server Messages"
A
\fIServerMessage\fR
is a container used to encapsulate all the possible message types
the server may send to a client.
.nf
.sp
.RS 0n
message ServerMessage {
oneof type {
ServerHello hello = 1;
TimeSpec commit_point = 2;
string log_id = 3;
string error = 4;
string abort = 5;
}
}
.RE
.fi
.PP
The different
\fIServerMessage\fR
sub-messages the server may sent to the client are described below.
.SS "ServerHello hello"
.nf
.RS 0n
message ServerHello {
string server_id = 1;
string redirect = 2;
repeated string servers = 3;
bool subcommands = 4;
}
.RE
.fi
.PP
The
\fIServerHello\fR
message consists of server information sent when the client first connects.
It contains the following members:
.TP 8n
server_id
A free-form server description.
Usually this includes the name and version of the implementation
running on the log server.
This member is always present.
.TP 8n
redirect
A host and port separated by a colon
(\(oq\(cq):
that the client should connect to instead.
The host may be a host name, an IPv4 address, or an IPv6 address
in square brackets.
This may be used for server load balancing.
The server will disconnect after sending the
\fIServerHello\fR
when it includes a
\fBredirect\fR.
.TP 8n
servers
.br
A list of other known log servers.
This can be used to implement log server redundancy and allows the
client to discover all other log servers simply by connecting to
one known server.
This member may be omitted when there is only a single log server.
.TP 8n
subcommands
If set, the server supports logging additional commands during a session.
The client may send an
\fIAcceptMessage\fR
or
\fIRejectMessage\fR
when
\fBsudo\fR
is running in
\fIintercept\fR
mode.
In this mode, commands spawned from the initial command authorized by
\fBsudo\fR
are subject to policy restrictions and/or are logged.
If
\fIsubcommands\fR
is false, the client must not attempt to log additional commands.
.SS "TimeSpec commit_point"
A periodic time stamp sent by the server to indicate when I/O log
buffers have been committed to storage.
This message is not sent after every
\fIIoBuffer\fR
but rather at a server-configurable interval.
When the server receives an
\fIExitMessage\fR,
it will respond with a
\fIcommit_point\fR
corresponding to the last received
\fIIoBuffer\fR
before closing the connection.
.SS "string log_id"
The server-side ID of the I/O log being stored, sent in response
to an
\fIAcceptMessage\fR
where
\fIexpect_iobufs\fR
is true.
.SS "string error"
A fatal server-side error.
The server will close the connection after sending the
\fIerror\fR
message.
.SS "string abort"
An
\fIabort\fR
message from the server indicates that the client should kill the
command and terminate the session.
It may be used to implement simple server-side policy.
The server will close the connection after sending the
\fIabort\fR
message.
.SH "Protocol flow of control"
The expected protocol flow is as follows:
.TP 5n
1.\&
Client connects to the first available server.
If the client is configured to use TLS, a TLS handshake will be
attempted.
.TP 5n
2.\&
Client sends
\fIClientHello\fR.
This is currently optional but allows the server to detect a
non-TLS connection on the TLS port.
.TP 5n
3.\&
Server sends
\fIServerHello\fR.
.TP 5n
4.\&
Client responds with either
\fIAcceptMessage\fR,
\fIRejectMessage\fR,
or
\fIRestartMessage\fR.
.TP 5n
5.\&
If client sent a
\fIAcceptMessage\fR
with
\fIexpect_iobufs\fR
set, server creates a new I/O log and responds with a
\fIlog_id\fR.
.TP 5n
6.\&
Client sends zero or more
\fIIoBuffer\fR
messages.
.TP 5n
7.\&
Server periodically responds to
\fIIoBuffer\fR
messages with a
\fIcommit_point\fR.
.TP 5n
8.\&
Client sends an
\fIExitMessage\fR
when the command exits or is killed.
.TP 5n
9.\&
Server sends the final
\fIcommit_point\fR
if one is pending.
.TP 5n
10.\&
Server closes the connection.
After receiving the final
\fIcommit_point\fR,
the client shuts down its side of the TLS connection if TLS
is in use, and closes the connection.
.TP 5n
11.\&
Server shuts down its side of the TLS connection if TLS is in use,
and closes the connection.
.PP
At any point, the server may send an
\fIerror\fR
or
\fIabort\fR
message to the client at which point the server will close the
connection.
If an
\fIabort\fR
message is received, the client should terminate the running command.
.SH "EVENT LOG VARIABLES"
\fIAcceptMessage\fR,
\fIAlertMessage\fR
and
\fIRejectMessage\fR
classes contain an array of
\fIInfoMessage\fR
that should contain information about the user who submitted the command
as well as information about the execution environment of the command
if it was accepted.
.PP
Some variables have a
\fIclient\fR,
\fIrun\fR,
or
\fIsubmit\fR
prefix.
These prefixes are used to eliminate ambiguity for variables that
could apply to the client program, the user submitting the command,
or the command being run.
Variables with a
\fIclient\fR
prefix pertain to the program performing the connection to the log
server, for example
\fBsudo\fR.
Variables with a
\fIrun\fR
prefix pertain to the command that the user requested be run.
Variables with a
\fIsubmit\fR
prefix pertain to the user submitting the request
(the user running \fBsudo\fR).
.PP
The following
\fIInfoMessage\fR
entries are required:
.TS
l l l.
.PP
\fBKey\fR \fBType\fR \fBDescription\fR
.PP
command string command that was submitted
.PP
runuser string name of user the command was run as
.PP
submithost string name of host the command was submitted on
.PP
submituser string name of user submitting the command
.TE
.PP
The following
\fIInfoMessage\fR
entries are recognized, but not required:
.TS
l l l.
.PP
\fBKey\fR \fBType\fR \fBDescription\fR
.PP
clientargv StringList client's original argument vector
.PP
clientpid int64 client's process ID
.PP
clientppid int64 client's parent process ID
.PP
clientsid int64 client's terminal session ID
.PP
columns int64 number of columns in the terminal
.PP
lines int64 number of lines in the terminal
.PP
runargv StringList argument vector of command to run
.PP
runchroot string root directory of command to run
.PP
runcwd string running command's working directory
.PP
runenv StringList the running command's environment
.PP
rungid int64 primary group-ID of the command
.PP
rungids NumberList supplementary group-IDs for the command
.PP
rungroup string primary group name of the command
.PP
rungroups StringList supplementary group names for the command
.PP
runuid int64 run user's user-ID
.PP
submitcwd string submit user's current working directory
.PP
submitenv StringList the submit user's environment
.PP
submitgid int64 submit user's primary group-ID
.PP
submitgids NumberList submit user's supplementary group-IDs
.PP
submitgroup string submitting user's primary group name
.PP
submitgroups StringList submit user's supplementary group names
.PP
submituid int64 submit user's user-ID
.PP
ttyname string the terminal the command was submitted from
.TE
.PP
The server must accept other variables not listed above but may
ignore them.
.SH "EXAMPLES"
The Protocol Buffers description of the log server protocol, using
\(lqproto3\(rq
syntax, is included in full below.
.nf
.sp
.RS 0n
syntax = "proto3";
/*
* Client message to the server. Messages on the wire are
* prefixed with a 32-bit size in network byte order.
*/
message ClientMessage {
oneof type {
AcceptMessage accept_msg = 1;
RejectMessage reject_msg = 2;
ExitMessage exit_msg = 3;
RestartMessage restart_msg = 4;
AlertMessage alert_msg = 5;
IoBuffer ttyin_buf = 6;
IoBuffer ttyout_buf = 7;
IoBuffer stdin_buf = 8;
IoBuffer stdout_buf = 9;
IoBuffer stderr_buf = 10;
ChangeWindowSize winsize_event = 11;
CommandSuspend suspend_event = 12;
}
}
/* Equivalent of POSIX struct timespec */
message TimeSpec {
int64 tv_sec = 1; /* seconds */
int32 tv_nsec = 2; /* nanoseconds */
}
/* I/O buffer with keystroke data */
message IoBuffer {
TimeSpec delay = 1; /* elapsed time since last record */
bytes data = 2; /* keystroke data */
}
/*
* Key/value pairs, like Privilege Manager struct info.
* The value may be a number, a string, or a list of strings.
*/
message InfoMessage {
message StringList {
repeated string strings = 1;
}
message NumberList {
repeated int64 numbers = 1;
}
string key = 1;
oneof value {
int64 numval = 2;
string strval = 3;
StringList strlistval = 4;
NumberList numlistval = 5;
}
}
/*
* Event log data for command accepted by the policy.
*/
message AcceptMessage {
TimeSpec submit_time = 1; /* when command was submitted */
repeated InfoMessage info_msgs = 2; /* key,value event log data */
bool expect_iobufs = 3; /* true if I/O logging enabled */
}
/*
* Event log data for command rejected by the policy.
*/
message RejectMessage {
TimeSpec submit_time = 1; /* when command was submitted */
string reason = 2; /* reason command was rejected */
repeated InfoMessage info_msgs = 3; /* key,value event log data */
}
/* Message sent by client when command exits. */
/* Might revisit runtime and use end_time instead */
message ExitMessage {
TimeSpec run_time = 1; /* total elapsed run time */
int32 exit_value = 2; /* 0-255 */
bool dumped_core = 3; /* true if command dumped core */
string signal = 4; /* signal name if killed by signal */
string error = 5; /* if killed due to other error */
}
/* Alert message, policy module-specific. */
message AlertMessage {
TimeSpec alert_time = 1; /* time alert message occurred */
string reason = 2; /* policy alert error string */
repeated InfoMessage info_msgs = 3; /* key,value event log data */
}
/* Used to restart an existing I/O log on the server. */
message RestartMessage {
string log_id = 1; /* ID of log being restarted */
TimeSpec resume_point = 2; /* resume point (elapsed time) */
}
/* Window size change event. */
message ChangeWindowSize {
TimeSpec delay = 1; /* elapsed time since last record */
int32 rows = 2; /* new number of rows */
int32 cols = 3; /* new number of columns */
}
/* Command suspend/resume event. */
message CommandSuspend {
TimeSpec delay = 1; /* elapsed time since last record */
string signal = 2; /* signal that caused suspend/resume */
}
/*
* Server messages to the client. Messages on the wire are
* prefixed with a 32-bit size in network byte order.
*/
message ServerMessage {
oneof type {
ServerHello hello = 1; /* server hello message */
TimeSpec commit_point = 2; /* cumulative time of records stored */
string log_id = 3; /* ID of server-side I/O log */
string error = 4; /* error message from server */
string abort = 5; /* abort message, kill command */
}
}
/* Hello message from server when client connects. */
message ServerHello {
string server_id = 1; /* free-form server description */
string redirect = 2; /* optional redirect if busy */
repeated string servers = 3; /* optional list of known servers */
}
.RE
.fi
.SH "SEE ALSO"
sudo_logsrvd.conf(@mansectform@),
sudoers(@mansectform@),
sudo(8),
sudo_logsrvd(8)
.PP
\fIProtocol Buffers\fR,
https://developers.google.com/protocol-buffers/.
.SH "AUTHORS"
Many people have worked on
\fBsudo\fR
over the years; this version consists of code written primarily by:
.sp
.RS 6n
Todd C. Miller
.RE
.PP
See the CONTRIBUTORS.md file in the
\fBsudo\fR
distribution (https://www.sudo.ws/about/contributors/) for an
exhaustive list of people who have contributed to
\fBsudo\fR.
.SH "BUGS"
If you believe you have found a bug in
\fBsudo_logsrv.proto\fR,
you can either file a bug report in the sudo bug database,
https://bugzilla.sudo.ws/, or open an issue at
https://github.com/sudo-project/sudo/issues.
If you would prefer to use email, messages may be sent to the
sudo-workers mailing list,
https://www.sudo.ws/mailman/listinfo/sudo-workers (public)
or <sudo@sudo.ws> (private).
.PP
Please not report security vulnerabilities through public GitHub
issues, Bugzilla or mailing lists.
Instead, report them via email to <Todd.Miller@sudo.ws>.
You may encrypt your message with PGP if you would like, using
the key found at https://www.sudo.ws/dist/PGPKEYS.
.SH "SUPPORT"
Limited free support is available via the sudo-users mailing list,
see https://www.sudo.ws/mailman/listinfo/sudo-users to subscribe or
search the archives.
.SH "DISCLAIMER"
\fBsudo\fR
is provided
\(lqAS IS\(rq
and any express or implied warranties, including, but not limited
to, the implied warranties of merchantability and fitness for a
particular purpose are disclaimed.
See the LICENSE.md file distributed with
\fBsudo\fR
or https://www.sudo.ws/about/license/ for complete details.
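Review bot: the proto3 listing in the EXAMPLES section, which the text says "is included in full below", no longer matches the protocol described earlier in the same file: the `ServerHello` section documents a `bool subcommands = 4;` member (and the whole subcommands/intercept-mode paragraph depends on it), but the listing's `ServerHello` stops at `repeated string servers = 3;`; likewise "Protocol flow of control" step 2 has the client send a `ClientHello`, yet the listing's `ClientMessage` has no `hello_msg` entry and no `ClientHello` message is defined at all. An implementer working from the listing would see neither field; suggest regenerating the listing from the shipped .proto rather than hand-maintaining it. Smaller points in the same hunk: in the `ExitMessage` block the `.PP` sits between the closing brace and `.RE`/`.fi`, so the paragraph break lands inside the literal block and "An ExitMessage is sent..." runs on directly after `.fi` (every other message block uses `.RE`, `.fi`, `.PP` in that order); "The the server-side name" under `log_id`; "sub-messages the server may sent to the client" should read "may send"; step 5 "If client sent a AcceptMessage" should be "If the client sent an AcceptMessage"; and in BUGS, "Please not report security vulnerabilities through public GitHub issues, Bugzilla or mailing lists" is missing "do", which is worth fixing since that sentence is the one directing reporters to the private address. Since this man-page source appears to be generated from the mdoc source that follows (it carries the same misplaced `.Pp` before `.Ed` in `ExitMessage` and the same wording), the fixes belong in the .mdoc.in so they survive regeneration.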

@ -0,0 +1,840 @@
.\"
.\" SPDX-License-Identifier: ISC
.\"
.\" Copyright (c) 2019-2022 Todd C. Miller <Todd.Miller@sudo.ws>
.\"
.\" Permission to use, copy, modify, and distribute this software for any
.\" purpose with or without fee is hereby granted, provided that the above
.\" copyright notice and this permission notice appear in all copies.
.\"
.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
.\"
.Dd September 13, 2022
.Dt SUDO_LOGSRV.PROTO @mansectform@
.Os Sudo @PACKAGE_VERSION@
.Sh NAME
.Nm sudo_logsrv.proto
.Nd Sudo log server protocol
.Sh DESCRIPTION
Starting with version 1.9.0,
.Nm sudo
supports sending event and I/O logs to a log server.
The protocol used is written in Google's Protocol Buffers domain
specific language.
The
.Sx EXAMPLES
section includes a complete description of the protocol in Protocol
Buffers format.
.Pp
Because there is no way to determine message boundaries when using
Protocol Buffers, the wire size of each message is sent immediately
preceding the message itself as a 32-bit unsigned integer in network
byte order.
This is referred to as
.Dq length-prefix framing
and is how Google suggests handling the lack of message delimiters.
.Pp
The protocol is made up of two basic messages,
.Em ClientMessage
and
.Em ServerMessage ,
described below.
The server must accept messages up to two megabytes in size.
The server may return an error if the client tries to send a message
larger than two megabytes.
.Sh Client Messages
A
.Em ClientMessage
is a container used to encapsulate all the possible message types
a client may send to the server.
.Bd -literal
message ClientMessage {
oneof type {
AcceptMessage accept_msg = 1;
RejectMessage reject_msg = 2;
ExitMessage exit_msg = 3;
RestartMessage restart_msg = 4;
AlertMessage alert_msg = 5;
IoBuffer ttyin_buf = 6;
IoBuffer ttyout_buf = 7;
IoBuffer stdin_buf = 8;
IoBuffer stdout_buf = 9;
IoBuffer stderr_buf = 10;
ChangeWindowSize winsize_event = 11;
CommandSuspend suspend_event = 12;
ClientHello hello_msg = 13;
}
}
.Ed
.Pp
The different
.Em ClientMessage
sub-messages the client may sent to the server are described below.
.Ss TimeSpec
.Bd -literal
message TimeSpec {
int64 tv_sec = 1;
int32 tv_nsec = 2;
}
.Ed
.Pp
A
.Em TimeSpec
is the equivalent of a POSIX
.Vt struct timespec ,
containing seconds and nanoseconds members.
The
.Em tv_sec
member is a 64-bit integer to support dates after the year 2038.
.Ss InfoMessage
.Bd -literal
message InfoMessage {
message StringList {
repeated string strings = 1;
}
message NumberList {
repeated int64 numbers = 1;
}
string key = 1;
oneof value {
int64 numval = 2;
string strval = 3;
StringList strlistval = 4;
NumberList numlistval = 5;
}
}
.Ed
.Pp
An
.Em InfoMessage
is used to represent information about the invoking user as well as the
execution environment the command runs in the form of key-value pairs.
The key is always a string but the value may be a 64-bit integer,
a string, an array of strings, or an array of 64-bit integers.
The event log data is composed of
.Em InfoMessage
entries.
See the
.Sx EVENT LOG VARIABLES
section for more information.
.Ss ClientHello hello_msg
.Bd -literal
message ClientHello {
string client_id = 1;
}
.Ed
.Pp
A
.Em ClientHello
message consists of client information that may be sent to the
server when the client first connects.
.Bl -tag -width Ds
.It client_id
A free-form client description.
This usually includes the name and version of the client implementation.
.El
.Ss AcceptMessage accept_msg
.Bd -literal
message AcceptMessage {
TimeSpec submit_time = 1;
repeated InfoMessage info_msgs = 2;
bool expect_iobufs = 3;
}
.Ed
.Pp
An
.Em AcceptMessage
is sent by the client when a command is allowed by the security policy.
It contains the following members:
.Bl -tag -width Ds
.It submit_time
The wall clock time when the command was submitted to the security policy.
.It info_msgs
An array of
.Em InfoMessage
describing the user who submitted the command as well as the execution
environment of the command.
This information is used to generate an event log entry and may also be
used by server to determine where and how the I/O log is stored.
.It expect_iobufs
Set to true if the server should expect
.Em IoBuffer
messages to follow (for I/O logging) or false if the server should only
store the event log.
.El
.Pp
If an
.Em AcceptMessage
is sent, the client must not send a
.Em RejectMessage
or
.Em RestartMessage .
.Ss RejectMessage reject_msg
.Bd -literal
message RejectMessage {
TimeSpec submit_time = 1;
string reason = 2;
repeated InfoMessage info_msgs = 3;
}
.Ed
.Pp
A
.Em RejectMessage
is sent by the client when a command is denied by the security policy.
It contains the following members:
.Bl -tag -width Ds
.It submit_time
The wall clock time when the command was submitted to the security policy.
.It reason
The reason the security policy gave for denying the command.
.It info_msgs
An array of
.Em InfoMessage
describing the user who submitted the command as well as the execution
environment of the command.
This information is used to generate an event log entry.
.El
.Pp
If a
.Em RejectMessage
is sent, the client must not send an
.Em AcceptMessage
or
.Em RestartMessage .
.Ss ExitMessage exit_msg
.Bd -literal
message ExitMessage {
TimeSpec run_time = 1;
int32 exit_value = 2;
bool dumped_core = 3;
string signal = 4;
string error = 5;
}
.Pp
.Ed
An
.Em ExitMessage
is sent by the client after the command has exited or has been
terminated by a signal.
It contains the following members:
.Bl -tag -width Ds
.It run_time
The total amount of elapsed time since the command started,
calculated using a monotonic clock where possible.
This is not the wall clock time.
.It exit_value
The command's exit value in the range 0-255.
.It dumped_core
True if the command was terminated by a signal and dumped core.
.It signal
If the command was terminated by a signal, this is set to the
name of the signal without the leading
.Dq SIG .
For example,
.Dv INT ,
.Dv TERM ,
.Dv KILL ,
.Dv SEGV .
.It error
A message from the client indicating that the command was terminated
unexpectedly due to an error.
.El
.Pp
When performing I/O logging, the client should wait for a
.Em commit_point
corresponding to the final
.Em IoBuffer
before closing the connection unless the final
.Em commit_point
has already been received.
.Ss RestartMessage restart_msg
.Bd -literal
message RestartMessage {
string log_id = 1;
TimeSpec resume_point = 2;
}
.Ed
.Pp
A
.Em RestartMessage
is sent by the client to resume sending an existing I/O log that
was previously interrupted.
It contains the following members:
.Bl -tag -width Ds
.It log_id
The the server-side name for an I/O log that was previously
sent to the client by the server.
This may be a path name on the server or some other kind of server-side
identifier.
.It resume_point
The point in time after which to resume the I/O log.
This is in the form of a
.Em TimeSpec
representing the amount of time since the command started, not
the wall clock time.
The
.Em resume_point
should correspond to a
.Em commit_point
previously sent to the client by the server.
If the server receives a
.Em RestartMessage
containing a
.Em resume_point
it has not previously seen, an error will be returned to the client
and the connection will be dropped.
.El
.Pp
If a
.Em RestartMessage
is sent, the client must not send an
.Em AcceptMessage
or
.Em RejectMessage .
.Ss AlertMessage alert_msg
.Bd -literal
message AlertMessage {
TimeSpec alert_time = 1;
string reason = 2;
repeated InfoMessage info_msgs = 3;
}
.Ed
.Pp
An
.Em AlertMessage
is sent by the client to indicate a problem detected by the security
policy while the command is running that should be stored in the event log.
It contains the following members:
.Bl -tag -width Ds
.It alert_time
The wall clock time when the alert occurred.
.It reason
The reason for the alert.
.It info_msgs
An optional array of
.Em InfoMessage
describing the user who submitted the command as well as the execution
environment of the command.
This information is used to generate an event log entry.
.El
.Ss IoBuffer ttyin_buf | ttyout_buf | stdin_buf | stdout_buf | stderr_buf
.Bd -literal
message IoBuffer {
TimeSpec delay = 1;
bytes data = 2;
}
.Ed
.Pp
An
.Em IoBuffer
is used to represent data from terminal input, terminal
output, standard input, standard output, or standard error.
It contains the following members:
.Bl -tag -width Ds
.It delay
The elapsed time since the last record in the form of a
.Em TimeSpec .
The
.Em delay
should be calculated using a monotonic clock where possible.
.It data
The binary I/O log data from terminal input, terminal output,
standard input, standard output, or standard error.
.El
.Ss ChangeWindowSize winsize_event
.Bd -literal
message ChangeWindowSize {
TimeSpec delay = 1;
int32 rows = 2;
int32 cols = 3;
}
.Ed
.Pp
A
.Em ChangeWindowSize
message is sent by the client when the terminal running the command
changes size.
It contains the following members:
.Bl -tag -width Ds
.It delay
The elapsed time since the last record in the form of a
.Em TimeSpec .
The
.Em delay
should be calculated using a monotonic clock where possible.
.It rows
The new number of terminal rows.
.It cols
The new number of terminal columns.
.El
.Ss CommandSuspend suspend_event
.Bd -literal
message CommandSuspend {
TimeSpec delay = 1;
string signal = 2;
}
.Ed
.Pp
A
.Em CommandSuspend
message is sent by the client when the command is either suspended
or resumed.
It contains the following members:
.Bl -tag -width Ds
.It delay
The elapsed time since the last record in the form of a
.Em TimeSpec .
The
.Em delay
should be calculated using a monotonic clock where possible.
.It signal
The signal name without the leading
.Dq SIG .
For example,
.Dv STOP ,
.Dv TSTP ,
.Dv CONT .
.El
.Sh Server Messages
A
.Em ServerMessage
is a container used to encapsulate all the possible message types
the server may send to a client.
.Bd -literal
message ServerMessage {
oneof type {
ServerHello hello = 1;
TimeSpec commit_point = 2;
string log_id = 3;
string error = 4;
string abort = 5;
}
}
.Ed
.Pp
The different
.Em ServerMessage
sub-messages the server may sent to the client are described below.
.Ss ServerHello hello
.Bd -literal
message ServerHello {
string server_id = 1;
string redirect = 2;
repeated string servers = 3;
bool subcommands = 4;
}
.Ed
.Pp
The
.Em ServerHello
message consists of server information sent when the client first connects.
It contains the following members:
.Bl -tag -width Ds
.It server_id
A free-form server description.
Usually this includes the name and version of the implementation
running on the log server.
This member is always present.
.It redirect
A host and port separated by a colon
.Pq Ql :
that the client should connect to instead.
The host may be a host name, an IPv4 address, or an IPv6 address
in square brackets.
This may be used for server load balancing.
The server will disconnect after sending the
.Em ServerHello
when it includes a
.Sy redirect .
.It servers
A list of other known log servers.
This can be used to implement log server redundancy and allows the
client to discover all other log servers simply by connecting to
one known server.
This member may be omitted when there is only a single log server.
.It subcommands
If set, the server supports logging additional commands during a session.
The client may send an
.Em AcceptMessage
or
.Em RejectMessage
when
.Nm sudo
is running in
.Em intercept
mode.
In this mode, commands spawned from the initial command authorized by
.Nm sudo
are subject to policy restrictions and/or are logged.
If
.Em subcommands
is false, the client must not attempt to log additional commands.
.El
.Ss TimeSpec commit_point
A periodic time stamp sent by the server to indicate when I/O log
buffers have been committed to storage.
This message is not sent after every
.Em IoBuffer
but rather at a server-configurable interval.
When the server receives an
.Em ExitMessage ,
it will respond with a
.Em commit_point
corresponding to the last received
.Em IoBuffer
before closing the connection.
.Ss string log_id
The server-side ID of the I/O log being stored, sent in response
to an
.Em AcceptMessage
where
.Em expect_iobufs
is true.
.Ss string error
A fatal server-side error.
The server will close the connection after sending the
.Em error
message.
.Ss string abort
An
.Em abort
message from the server indicates that the client should kill the
command and terminate the session.
It may be used to implement simple server-side policy.
The server will close the connection after sending the
.Em abort
message.
.Sh Protocol flow of control
The expected protocol flow is as follows:
.Bl -enum
.It
Client connects to the first available server.
If the client is configured to use TLS, a TLS handshake will be
attempted.
.It
Client sends
.Em ClientHello .
This is currently optional but allows the server to detect a
non-TLS connection on the TLS port.
.It
Server sends
.Em ServerHello .
.It
Client responds with either
.Em AcceptMessage ,
.Em RejectMessage ,
or
.Em RestartMessage .
.It
If client sent a
.Em AcceptMessage
with
.Em expect_iobufs
set, server creates a new I/O log and responds with a
.Em log_id .
.It
Client sends zero or more
.Em IoBuffer
messages.
.It
Server periodically responds to
.Em IoBuffer
messages with a
.Em commit_point .
.It
Client sends an
.Em ExitMessage
when the command exits or is killed.
.It
Server sends the final
.Em commit_point
if one is pending.
.It
Server closes the connection.
After receiving the final
.Em commit_point ,
the client shuts down its side of the TLS connection if TLS
is in use, and closes the connection.
.It
Server shuts down its side of the TLS connection if TLS is in use,
and closes the connection.
.El
.Pp
At any point, the server may send an
.Em error
or
.Em abort
message to the client at which point the server will close the
connection.
If an
.Em abort
message is received, the client should terminate the running command.
.Sh EVENT LOG VARIABLES
.Em AcceptMessage ,
.Em AlertMessage
and
.Em RejectMessage
classes contain an array of
.Em InfoMessage
that should contain information about the user who submitted the command
as well as information about the execution environment of the command
if it was accepted.
.Pp
Some variables have a
.Em client ,
.Em run ,
or
.Em submit
prefix.
These prefixes are used to eliminate ambiguity for variables that
could apply to the client program, the user submitting the command,
or the command being run.
Variables with a
.Em client
prefix pertain to the program performing the connection to the log
server, for example
.Nm sudo .
Variables with a
.Em run
prefix pertain to the command that the user requested be run.
Variables with a
.Em submit
prefix pertain to the user submitting the request
.Pq the user running Nm sudo .
.Pp
The following
.Em InfoMessage
entries are required:
.Bl -column "submitgroup" "stringlist" "name of host the command was submitted on"
.It Sy Key Ta Sy Type Ta Sy Description
.It command Ta string Ta command that was submitted
.It runuser Ta string Ta name of user the command was run as
.It submithost Ta string Ta name of host the command was submitted on
.It submituser Ta string Ta name of user submitting the command
.El
.Pp
The following
.Em InfoMessage
entries are recognized, but not required:
.Bl -column "submitgroup" "stringlist" "name of host the command was submitted on"
.It Sy Key Ta Sy Type Ta Sy Description
.It clientargv Ta StringList Ta client's original argument vector
.It clientpid Ta int64 Ta client's process ID
.It clientppid Ta int64 Ta client's parent process ID
.It clientsid Ta int64 Ta client's terminal session ID
.It columns Ta int64 Ta number of columns in the terminal
.It lines Ta int64 Ta number of lines in the terminal
.It runargv Ta StringList Ta argument vector of command to run
.It runchroot Ta string Ta root directory of command to run
.It runcwd Ta string Ta running command's working directory
.It runenv Ta StringList Ta the running command's environment
.It rungid Ta int64 Ta primary group-ID of the command
.It rungids Ta NumberList Ta supplementary group-IDs for the command
.It rungroup Ta string Ta primary group name of the command
.It rungroups Ta StringList Ta supplementary group names for the command
.It runuid Ta int64 Ta run user's user-ID
.It submitcwd Ta string Ta submit user's current working directory
.It submitenv Ta StringList Ta the submit user's environment
.It submitgid Ta int64 Ta submit user's primary group-ID
.It submitgids Ta NumberList Ta submit user's supplementary group-IDs
.It submitgroup Ta string Ta submitting user's primary group name
.It submitgroups Ta StringList Ta submit user's supplementary group names
.It submituid Ta int64 Ta submit user's user-ID
.It ttyname Ta string Ta the terminal the command was submitted from
.El
.Pp
The server must accept other variables not listed above but may
ignore them.
.Sh EXAMPLES
The Protocol Buffers description of the log server protocol, using
.Dq proto3
syntax, is included in full below.
.Bd -literal
syntax = "proto3";
/*
* Client message to the server. Messages on the wire are
* prefixed with a 32-bit size in network byte order.
*/
message ClientMessage {
oneof type {
AcceptMessage accept_msg = 1;
RejectMessage reject_msg = 2;
ExitMessage exit_msg = 3;
RestartMessage restart_msg = 4;
AlertMessage alert_msg = 5;
IoBuffer ttyin_buf = 6;
IoBuffer ttyout_buf = 7;
IoBuffer stdin_buf = 8;
IoBuffer stdout_buf = 9;
IoBuffer stderr_buf = 10;
ChangeWindowSize winsize_event = 11;
CommandSuspend suspend_event = 12;
}
}
/* Equivalent of POSIX struct timespec */
message TimeSpec {
int64 tv_sec = 1; /* seconds */
int32 tv_nsec = 2; /* nanoseconds */
}
/* I/O buffer with keystroke data */
message IoBuffer {
TimeSpec delay = 1; /* elapsed time since last record */
bytes data = 2; /* keystroke data */
}
/*
* Key/value pairs, like Privilege Manager struct info.
* The value may be a number, a string, or a list of strings.
*/
message InfoMessage {
message StringList {
repeated string strings = 1;
}
message NumberList {
repeated int64 numbers = 1;
}
string key = 1;
oneof value {
int64 numval = 2;
string strval = 3;
StringList strlistval = 4;
NumberList numlistval = 5;
}
}
/*
* Event log data for command accepted by the policy.
*/
message AcceptMessage {
TimeSpec submit_time = 1; /* when command was submitted */
repeated InfoMessage info_msgs = 2; /* key,value event log data */
bool expect_iobufs = 3; /* true if I/O logging enabled */
}
/*
* Event log data for command rejected by the policy.
*/
message RejectMessage {
TimeSpec submit_time = 1; /* when command was submitted */
string reason = 2; /* reason command was rejected */
repeated InfoMessage info_msgs = 3; /* key,value event log data */
}
/* Message sent by client when command exits. */
/* Might revisit runtime and use end_time instead */
message ExitMessage {
TimeSpec run_time = 1; /* total elapsed run time */
int32 exit_value = 2; /* 0-255 */
bool dumped_core = 3; /* true if command dumped core */
string signal = 4; /* signal name if killed by signal */
string error = 5; /* if killed due to other error */
}
/* Alert message, policy module-specific. */
message AlertMessage {
TimeSpec alert_time = 1; /* time alert message occurred */
string reason = 2; /* policy alert error string */
repeated InfoMessage info_msgs = 3; /* key,value event log data */
}
/* Used to restart an existing I/O log on the server. */
message RestartMessage {
string log_id = 1; /* ID of log being restarted */
TimeSpec resume_point = 2; /* resume point (elapsed time) */
}
/* Window size change event. */
message ChangeWindowSize {
TimeSpec delay = 1; /* elapsed time since last record */
int32 rows = 2; /* new number of rows */
int32 cols = 3; /* new number of columns */
}
/* Command suspend/resume event. */
message CommandSuspend {
TimeSpec delay = 1; /* elapsed time since last record */
string signal = 2; /* signal that caused suspend/resume */
}
/*
* Server messages to the client. Messages on the wire are
* prefixed with a 32-bit size in network byte order.
*/
message ServerMessage {
oneof type {
ServerHello hello = 1; /* server hello message */
TimeSpec commit_point = 2; /* cumulative time of records stored */
string log_id = 3; /* ID of server-side I/O log */
string error = 4; /* error message from server */
string abort = 5; /* abort message, kill command */
}
}
/* Hello message from server when client connects. */
message ServerHello {
string server_id = 1; /* free-form server description */
string redirect = 2; /* optional redirect if busy */
repeated string servers = 3; /* optional list of known servers */
}
.Ed
.Sh SEE ALSO
.Xr sudo_logsrvd.conf @mansectform@ ,
.Xr sudoers @mansectform@ ,
.Xr sudo @mansectsu@ ,
.Xr sudo_logsrvd @mansectsu@
.Rs
.%T Protocol Buffers
.%U https://developers.google.com/protocol-buffers/
.Re
.Sh AUTHORS
Many people have worked on
.Nm sudo
over the years; this version consists of code written primarily by:
.Bd -ragged -offset indent
.An Todd C. Miller
.Ed
.Pp
See the CONTRIBUTORS.md file in the
.Nm sudo
distribution (https://www.sudo.ws/about/contributors/) for an
exhaustive list of people who have contributed to
.Nm sudo .
.Sh BUGS
If you believe you have found a bug in
.Nm ,
you can either file a bug report in the sudo bug database,
https://bugzilla.sudo.ws/, or open an issue at
https://github.com/sudo-project/sudo/issues.
If you would prefer to use email, messages may be sent to the
sudo-workers mailing list,
https://www.sudo.ws/mailman/listinfo/sudo-workers (public)
or <sudo@sudo.ws> (private).
.Pp
Please not report security vulnerabilities through public GitHub
issues, Bugzilla or mailing lists.
Instead, report them via email to <Todd.Miller@sudo.ws>.
You may encrypt your message with PGP if you would like, using
the key found at https://www.sudo.ws/dist/PGPKEYS.
.Sh SUPPORT
Limited free support is available via the sudo-users mailing list,
see https://www.sudo.ws/mailman/listinfo/sudo-users to subscribe or
search the archives.
.Sh DISCLAIMER
.Nm sudo
is provided
.Dq AS IS
and any express or implied warranties, including, but not limited
to, the implied warranties of merchantability and fitness for a
particular purpose are disclaimed.
See the LICENSE.md file distributed with
.Nm sudo
or https://www.sudo.ws/about/license/ for complete details.
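Review bot: the ExitMessage definition in the proto3 listing under EXAMPLES still carries the developer aside `/* Might revisit runtime and use end_time instead */`, which reads as an open design question inside a manual that presents the wire format as fixed; either settle it (keep `run_time` and drop the comment) or keep the remark in the .proto source only, so the documented protocol does not advertise a pending change. A smaller point in the EVENT LOG VARIABLES section: it opens with a bare `.Em AcceptMessage ,`, so the rendered sentence starts without an article ("AcceptMessage, AlertMessage and RejectMessage classes contain an array of InfoMessage ..."); prefixing "The" would match the register of the surrounding paragraphs.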

docs/sudo_logsrvd.man.in Normal file

@ -0,0 +1,492 @@
.\" Automatically generated from the sudo_logsrvd.mdoc.in file. Do not edit.
.\"
.\" SPDX-License-Identifier: ISC
.\"
.\" Copyright (c) 2019-2024 Todd C. Miller <Todd.Miller@sudo.ws>
.\"
.\" Permission to use, copy, modify, and distribute this software for any
.\" purpose with or without fee is hereby granted, provided that the above
.\" copyright notice and this permission notice appear in all copies.
.\"
.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
.\"
.TH "SUDO_LOGSRVD" "@mansectsu@" "July 14, 2024" "Sudo @PACKAGE_VERSION@" "System Manager's Manual"
.nh
.if n .ad l
.SH "NAME"
\fBsudo_logsrvd\fR
\- sudo event and I/O log server
.SH "SYNOPSIS"
.HP 13n
\fBsudo_logsrvd\fR
[\fB\-hnV\fR]
[\fB\-f\fR\ \fIfile\fR]
[\fB\-R\fR\ \fIpercentage\fR]
.SH "DESCRIPTION"
\fBsudo_logsrvd\fR
is a high-performance log server that accepts event and I/O logs from
\fBsudo\fR.
It can be used to implement centralized logging of
\fBsudo\fR
logs.
The server has two modes of operation: local and relay.
By default,
\fBsudo_logsrvd\fR
stores the logs locally but it can also be configured to
relay them to another server that supports the
sudo_logsrv.proto(@mansectform@)
protocol.
.PP
When not relaying, event log entries may be logged either via
syslog(3)
or to a local file.
I/O Logs stored locally by
\fBsudo_logsrvd\fR
can be replayed via the
sudoreplay(@mansectsu@)
utility in the same way as logs generated directly by the
\fBsudoers\fR
plugin.
.PP
The server also supports restarting interrupted log transfers.
To distinguish completed I/O logs from incomplete ones, the
I/O log timing file is set to be read-only when the log is complete.
.PP
Configuration parameters for
\fBsudo_logsrvd\fR
may be specified in the
sudo_logsrvd.conf(@mansectform@)
file or the file specified via the
\fB\-f\fR
option.
.PP
\fBsudo_logsrvd\fR
rereads its configuration file when it receives SIGHUP and writes server
state to the debug file (if one is configured) when it receives SIGUSR1.
.PP
The options are as follows:
.TP 8n
\fB\-f\fR \fIfile\fR, \fB\--file\fR=\fIfile\fR
Read configuration from
\fIfile\fR
instead of the default,
\fI@sysconfdir@/sudo_logsrvd.conf\fR.
.TP 8n
\fB\-h\fR, \fB\--help\fR
Display a short help message to the standard output and exit.
.TP 8n
\fB\-n\fR, \fB\--no-fork\fR
Run
\fBsudo_logsrvd\fR
in the foreground instead of detaching from the terminal and becoming
a daemon.
.TP 8n
\fB\-R\fR \fIpercentage\fR, \fB\--random-drop\fR=\fIpercentage\fR
For each message, there is a
\fIpercentage\fR
chance that the server will drop the connection.
This is only intended for debugging the ability of a
client to restart a connection.
.TP 8n
\fB\-V\fR, \fB\--version\fR
Print the
\fBsudo_logsrvd\fR
version and exit.
.SS "Securing server connections"
The I/O log data sent to
\fBsudo_logsrvd\fR
may contain sensitive information such as passwords and should be
secured using Transport Layer Security (TLS).
Doing so requires having a signed certificate on the server and, if
\fItls_checkpeer\fR
is enabled in
sudo_logsrvd.conf(@mansectform@),
a signed certificate on the client as well.
.PP
The certificates can either be signed by a well-known Certificate
Authority (CA), or a private CA can be used.
Instructions for creating a private CA are included below in the
\fIEXAMPLES\fR
section.
.SS "Debugging sudo_logsrvd"
\fBsudo_logsrvd\fR
supports a flexible debugging framework that is configured via
\fIDebug\fR
lines in the
sudo.conf(@mansectform@)
file.
.PP
For more information on configuring
sudo.conf(@mansectform@),
refer to its manual.
.SH "FILES"
.TP 26n
\fI@sysconfdir@/sudo.conf\fR
Sudo front-end configuration
.TP 26n
\fI@sysconfdir@/sudo_logsrvd.conf\fR
Sudo log server configuration file
.TP 26n
\fI@relay_dir@/incoming\fR
Directory where new journals are stored when the
\fIstore_first relay\fR
setting is enabled.
.TP 26n
\fI@relay_dir@/outgoing\fR
Directory where completed journals are stored when the
\fIstore_first relay\fR
setting is enabled.
.TP 26n
\fI@iolog_dir@\fR
Default I/O log file location
.TP 26n
\fI@rundir@/sudo_logsrvd.pid\fR
.br
Process ID file for
\fBsudo_logsrvd\fR
.SH "EXAMPLES"
.SS "Creating self-signed certificates"
Unless you are using certificates signed by a well-known Certificate
Authority (or a local enterprise CA), you will need to create your
own CA that can sign the certificates used by
\fBsudo_logsrvd\fR,
\fBsudo_sendlog\fR,
and the
\fBsudoers\fR
plugin.
The following steps use the
openssl(1)
command to create keys and certificates.
.SS "Initial setup"
First, we need to create a directory structure to store the
files for the CA.
We'll create a new directory hierarchy in
\fI/etc/ssl/sudo\fR
for this purpose.
.nf
.sp
.RS 4n
# mkdir /etc/ssl/sudo
# cd /etc/ssl/sudo
# mkdir certs csr newcerts private
# chmod 700 private
# touch index.txt
# echo 1000 > serial
.RE
.fi
.PP
The serial and index.txt files are used to keep track of signed certificates.
.PP
Next, we need to make a copy of the openssl.conf file and customize
it for our new CA.
The path to openssl.cnf is system-dependent but
\fI/etc/ssl/openssl.cnf\fR
is the most common location.
You will need to adjust the example below if it has a different location on
your system.
.nf
.sp
.RS 4n
# cp /etc/ssl/openssl.cnf .
.RE
.fi
.PP
Now edit the
\fIopenssl.cnf\fR
file in the current directory and make sure it contains
\(lqca\(rq,
\(lqCA_default\(rq,
\(lqv3_ca\(rq,
and
\(lqusr_cert\(rq
sections.
Those sections should include at least the following settings:
.nf
.sp
.RS 4n
[ ca ]
default_ca = CA_default
[ CA_default ]
dir = /etc/ssl/sudo
certs = $dir/certs
database = $dir/index.txt
certificate = $dir/cacert.pem
serial = $dir/serial
[ v3_ca ]
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer
basicConstraints = critical,CA:true
keyUsage = cRLSign, keyCertSign
[ usr_cert ]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, \e
keyEncipherment
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer
.RE
.fi
.PP
If your
\fIopenssl.conf\fR
file already has a
\(lqCA_default\(rq
section, you may only need to modify the
\(lqdir\(rq
setting and enable the
\(lqkeyUsage\(rq
settings if they are commented out.
.SS "Creating the CA key and certificate"
In order to create and sign our own certificates, we need to create
a private key and a certificate for the root of the CA.
First, create the private key and protect it with a pass phrase:
.nf
.sp
.RS 4n
# openssl genrsa -aes256 -out private/cakey.pem 4096
# chmod 400 private/cakey.pem
.RE
.fi
.PP
Next, generate the root certificate, using appropriate values for
the site-specific fields:
.nf
.sp
.RS 4n
# openssl req -config openssl.cnf -key private/cakey.pem \e
-new -x509 -days 7300 -sha256 -extensions v3_ca \e
-out cacert.pem
Enter pass phrase for private/cakey.pem:
You are about to be asked to enter information that will be
incorporated into your certificate request.
What you are about to enter is what is called a Distinguished Name
or a DN.
There are quite a few fields but you can leave some blank.
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:US
State or Province Name (full name) [Some-State]:Colorado
Locality Name (eg, city) []:
Organization Name (eg, company) [Internet Widgets Pty Ltd]:sudo
Organizational Unit Name (eg, section) []:sudo Certificate Authority
Common Name (e.g., server FQDN or YOUR name) []:sudo Root CA
Email Address []:
# chmod 444 cacert.pem
.RE
.fi
.PP
Finally, verify the root certificate:
.nf
.sp
.RS 4n
# openssl x509 -noout -text -in cacert.pem
.RE
.fi
.SS "Creating and signing certificates"
The server and client certificates will be signed by the previously
created root CA.
Usually, the root CA is not used to sign server/client certificates
directly.
Instead, intermediate certificates are created and signed with the
root CA and the intermediate certs are used to sign CSRs (Certificate
Signing Request).
In this example we'll skip this part for simplicity's sake and sign the
CSRs with the root CA.
.PP
First, generate the private key without a pass phrase.
.nf
.sp
.RS 4n
# openssl genrsa -out private/logsrvd_key.pem 2048
# chmod 400 private/logsrvd_key.pem
.RE
.fi
.PP
Next, create a certificate signing request (CSR) for the server's certificate.
The organization name must match the name given in the root certificate.
The common name should be either the server's IP address or a fully
qualified domain name.
.nf
.sp
.RS 4n
# openssl req -config openssl.cnf -key private/logsrvd_key.pem -new \e
-sha256 -out csr/logsrvd_csr.pem
Enter pass phrase for private/logsrvd_key.pem:
You are about to be asked to enter information that will be
incorporated into your certificate request.
What you are about to enter is what is called a Distinguished Name
or a DN.
There are quite a few fields but you can leave some blank.
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:US
State or Province Name (full name) [Some-State]:Colorado
Locality Name (eg, city) []:
Organization Name (eg, company) [Internet Widgets Pty Ltd]:sudo
Organizational Unit Name (eg, section) []:sudo log server
Common Name (e.g., server FQDN or YOUR name) []:logserver.example.com
Email Address []:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
.RE
.fi
.PP
Now sign the CSR that was just created:
.nf
.sp
.RS 4n
# openssl ca -config openssl.cnf -days 375 -notext -md sha256 \e
-in csr/logsrvd_csr.pem -out certs/logsrvd_cert.pem
Using configuration from openssl.cnf
Enter pass phrase for ./private/cakey.pem:
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 4096 (0x1000)
Validity
Not Before: Nov 11 14:05:05 2019 GMT
Not After : Nov 20 14:05:05 2020 GMT
Subject:
countryName = US
stateOrProvinceName = Colorado
organizationName = sudo
organizationalUnitName = sudo log server
commonName = logserve.example.com
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
X509v3 Key Usage:
Digital Signature, Non Repudiation, Key Encipherment
X509v3 Subject Key Identifier:
4C:50:F9:D0:BE:1A:4C:B2:AC:90:76:56:C7:9E:16:AE:E6:9E:E5:B5
X509v3 Authority Key Identifier:
keyid:D7:91:24:16:B1:03:06:65:1A:7A:6E:CF:51:E9:5C:CB:7A:95:3E:0C
Certificate is to be certified until Nov 20 14:05:05 2020 GMT (375 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
.RE
.fi
.PP
Finally, verify the new certificate:
.nf
.sp
.RS 4n
# openssl verify -CAfile cacert.pem certs/logsrvd_cert.pem
certs/logsrvd_cert.pem: OK
.RE
.fi
.PP
The
\fI/etc/ssl/sudo/certs\fR
directory now contains a signed and verified certificate for use with
\fBsudo_logsrvd\fR.
.PP
To generate a client certificate, repeat the process above using
a different file name.
.SS "Configuring sudo_logsrvd to use TLS"
To use TLS for client/server communication, both
\fBsudo_logsrvd\fR
and the
\fBsudoers\fR
plugin need to be configured to use TLS.
Configuring
\fBsudo_logsrvd\fR
for TLS requires the following settings, assuming the same path
names used earlier:
.nf
.sp
.RS 4n
# Listen on port 30344 for TLS connections to any address.
listen_address = *:30344(tls)
# Path to the certificate authority bundle file in PEM format.
tls_cacert = /etc/ssl/sudo/cacert.pem
# Path to the server's certificate file in PEM format.
tls_cert = /etc/ssl/sudo/certs/logsrvd_cert.pem
# Path to the server's private key file in PEM format.
tls_key = /etc/ssl/sudo/private/logsrvd_key.pem
.RE
.fi
.PP
The root CA cert
(\fIcacert.pem\fR)
must be installed on the system running
\fBsudo_logsrvd\fR.
If peer authentication is enabled on the client, a copy of
\fIcacert.pem\fR
must be present on the client system too.
.SH "SEE ALSO"
sudo.conf(@mansectform@),
sudo_logsrv.proto(@mansectform@),
sudo_logsrvd.conf(@mansectform@),
sudoers(@mansectform@),
sudo(@mansectsu@),
sudo_sendlog(@mansectsu@),
sudoreplay(@mansectsu@)
.SH "AUTHORS"
Many people have worked on
\fBsudo\fR
over the years; this version consists of code written primarily by:
.sp
.RS 6n
Todd C. Miller
.RE
.PP
See the CONTRIBUTORS.md file in the
\fBsudo\fR
distribution (https://www.sudo.ws/about/contributors/) for an
exhaustive list of people who have contributed to
\fBsudo\fR.
.SH "BUGS"
If you believe you have found a bug in
\fBsudo_logsrvd\fR,
you can either file a bug report in the sudo bug database,
https://bugzilla.sudo.ws/, or open an issue at
https://github.com/sudo-project/sudo/issues.
If you would prefer to use email, messages may be sent to the
sudo-workers mailing list,
https://www.sudo.ws/mailman/listinfo/sudo-workers (public)
or <sudo@sudo.ws> (private).
.PP
Please not report security vulnerabilities through public GitHub
issues, Bugzilla or mailing lists.
Instead, report them via email to <Todd.Miller@sudo.ws>.
You may encrypt your message with PGP if you would like, using
the key found at https://www.sudo.ws/dist/PGPKEYS.
.SH "SUPPORT"
Limited free support is available via the sudo-users mailing list,
see https://www.sudo.ws/mailman/listinfo/sudo-users to subscribe or
search the archives.
.SH "DISCLAIMER"
\fBsudo_logsrvd\fR
is provided
\(lqAS IS\(rq
and any express or implied warranties, including, but not limited
to, the implied warranties of merchantability and fitness for a
particular purpose are disclaimed.
See the LICENSE.md file distributed with
\fBsudo\fR
or https://www.sudo.ws/about/license/ for complete details.
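Review bot: the sample `openssl ca` transcript under "Creating and signing certificates" prints `commonName = logserve.example.com`, while the CSR created a few lines earlier entered `Common Name (e.g., server FQDN or YOUR name) []:logserver.example.com`; one of the two is a typo and they should agree so the worked example is self-consistent. In the same subsection the text says "First, generate the private key without a pass phrase", yet the CSR transcript that follows shows the prompt `Enter pass phrase for private/logsrvd_key.pem:`, which contradicts that statement; drop the prompt line or the "without a pass phrase" wording. Elsewhere in this file the prose refers to "the openssl.conf file" twice ("make a copy of the openssl.conf file" and "If your openssl.conf file already has a CA_default section") while every command and the rest of the text use `openssl.cnf`; the subsection title "Creating self-signed certificates" describes a procedure that actually creates a private CA and CA-signed server and client certificates; and the BUGS section reads "Please not report security vulnerabilities", missing "do". Since the first line states this file is generated from sudo_logsrvd.mdoc.in and must not be edited, the fixes belong in that source, followed by regenerating this one.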

docs/sudo_logsrvd.mdoc.in Normal file

@ -0,0 +1,448 @@
.\"
.\" SPDX-License-Identifier: ISC
.\"
.\" Copyright (c) 2019-2024 Todd C. Miller <Todd.Miller@sudo.ws>
.\"
.\" Permission to use, copy, modify, and distribute this software for any
.\" purpose with or without fee is hereby granted, provided that the above
.\" copyright notice and this permission notice appear in all copies.
.\"
.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
.\"
.Dd July 14, 2024
.Dt SUDO_LOGSRVD @mansectsu@
.Os Sudo @PACKAGE_VERSION@
.Sh NAME
.Nm sudo_logsrvd
.Nd sudo event and I/O log server
.Sh SYNOPSIS
.Nm sudo_logsrvd
.Op Fl hnV
.Op Fl f Ar file
.Op Fl R Ar percentage
.Sh DESCRIPTION
.Nm
is a high-performance log server that accepts event and I/O logs from
.Nm sudo .
It can be used to implement centralized logging of
.Nm sudo
logs.
The server has two modes of operation: local and relay.
By default,
.Nm
stores the logs locally but it can also be configured to
relay them to another server that supports the
.Xr sudo_logsrv.proto @mansectform@
protocol.
.Pp
When not relaying, event log entries may be logged either via
.Xr syslog 3
or to a local file.
I/O Logs stored locally by
.Nm
can be replayed via the
.Xr sudoreplay @mansectsu@
utility in the same way as logs generated directly by the
.Nm sudoers
plugin.
.Pp
The server also supports restarting interrupted log transfers.
To distinguish completed I/O logs from incomplete ones, the
I/O log timing file is set to be read-only when the log is complete.
.Pp
Configuration parameters for
.Nm
may be specified in the
.Xr sudo_logsrvd.conf @mansectform@
file or the file specified via the
.Fl f
option.
.Pp
.Nm
rereads its configuration file when it receives SIGHUP and writes server
state to the debug file (if one is configured) when it receives SIGUSR1.
.Pp
The options are as follows:
.Bl -tag -width Ds
.It Fl f Ar file , Fl -file Ns = Ns Ar file
Read configuration from
.Ar file
instead of the default,
.Pa @sysconfdir@/sudo_logsrvd.conf .
.It Fl h , -help
Display a short help message to the standard output and exit.
.It Fl n , -no-fork
Run
.Nm
in the foreground instead of detaching from the terminal and becoming
a daemon.
.It Fl R Ar percentage , Fl -random-drop Ns = Ns Ar percentage
For each message, there is a
.Ar percentage
chance that the server will drop the connection.
This is only intended for debugging the ability of a
client to restart a connection.
.It Fl V , -version
Print the
.Nm
version and exit.
.El
.Ss Securing server connections
The I/O log data sent to
.Nm
may contain sensitive information such as passwords and should be
secured using Transport Layer Security (TLS).
Doing so requires having a signed certificate on the server and, if
.Em tls_checkpeer
is enabled in
.Xr sudo_logsrvd.conf @mansectform@ ,
a signed certificate on the client as well.
.Pp
The certificates can either be signed by a well-known Certificate
Authority (CA), or a private CA can be used.
Instructions for creating a private CA are included below in the
.Sx EXAMPLES
section.
.Ss Debugging sudo_logsrvd
.Nm
supports a flexible debugging framework that is configured via
.Em Debug
lines in the
.Xr sudo.conf @mansectform@
file.
.Pp
For more information on configuring
.Xr sudo.conf @mansectform@ ,
refer to its manual.
.Sh FILES
.Bl -tag -width 24n
.It Pa @sysconfdir@/sudo.conf
Sudo front-end configuration
.It Pa @sysconfdir@/sudo_logsrvd.conf
Sudo log server configuration file
.It Pa @relay_dir@/incoming
Directory where new journals are stored when the
.Em store_first relay
setting is enabled.
.It Pa @relay_dir@/outgoing
Directory where completed journals are stored when the
.Em store_first relay
setting is enabled.
.It Pa @iolog_dir@
Default I/O log file location
.It Pa @rundir@/sudo_logsrvd.pid
Process ID file for
.Nm
.El
.Sh EXAMPLES
.Ss Creating self-signed certificates
Unless you are using certificates signed by a well-known Certificate
Authority (or a local enterprise CA), you will need to create your
own CA that can sign the certificates used by
.Nm ,
.Nm sudo_sendlog ,
and the
.Nm sudoers
plugin.
The following steps use the
.Xr openssl 1
command to create keys and certificates.
.Ss Initial setup
First, we need to create a directory structure to store the
files for the CA.
We'll create a new directory hierarchy in
.Pa /etc/ssl/sudo
for this purpose.
.Bd -literal -offset 4n
# mkdir /etc/ssl/sudo
# cd /etc/ssl/sudo
# mkdir certs csr newcerts private
# chmod 700 private
# touch index.txt
# echo 1000 > serial
.Ed
.Pp
The serial and index.txt files are used to keep track of signed certificates.
.Pp
Next, we need to make a copy of the openssl.conf file and customize
it for our new CA.
The path to openssl.cnf is system-dependent but
.Pa /etc/ssl/openssl.cnf
is the most common location.
You will need to adjust the example below if it has a different location on
your system.
.Bd -literal -offset 4n
# cp /etc/ssl/openssl.cnf .
.Ed
.Pp
Now edit the
.Pa openssl.cnf
file in the current directory and make sure it contains
.Dq ca ,
.Dq CA_default ,
.Dq v3_ca ,
and
.Dq usr_cert
sections.
Those sections should include at least the following settings:
.Bd -literal -offset 4n
[ ca ]
default_ca = CA_default
[ CA_default ]
dir = /etc/ssl/sudo
certs = $dir/certs
database = $dir/index.txt
certificate = $dir/cacert.pem
serial = $dir/serial
[ v3_ca ]
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer
basicConstraints = critical,CA:true
keyUsage = cRLSign, keyCertSign
[ usr_cert ]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, \e
keyEncipherment
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer
.Ed
.Pp
If your
.Pa openssl.conf
file already has a
.Dq CA_default
section, you may only need to modify the
.Dq dir
setting and enable the
.Dq keyUsage
settings if they are commented out.
.Ss Creating the CA key and certificate
In order to create and sign our own certificates, we need to create
a private key and a certificate for the root of the CA.
First, create the private key and protect it with a pass phrase:
.Bd -literal -offset 4n
# openssl genrsa -aes256 -out private/cakey.pem 4096
# chmod 400 private/cakey.pem
.Ed
.Pp
Next, generate the root certificate, using appropriate values for
the site-specific fields:
.Bd -literal -offset 4n
# openssl req -config openssl.cnf -key private/cakey.pem \e
-new -x509 -days 7300 -sha256 -extensions v3_ca \e
-out cacert.pem
Enter pass phrase for private/cakey.pem:
You are about to be asked to enter information that will be
incorporated into your certificate request.
What you are about to enter is what is called a Distinguished Name
or a DN.
There are quite a few fields but you can leave some blank.
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:US
State or Province Name (full name) [Some-State]:Colorado
Locality Name (eg, city) []:
Organization Name (eg, company) [Internet Widgets Pty Ltd]:sudo
Organizational Unit Name (eg, section) []:sudo Certificate Authority
Common Name (e.g., server FQDN or YOUR name) []:sudo Root CA
Email Address []:
# chmod 444 cacert.pem
.Ed
.Pp
Finally, verify the root certificate:
.Bd -literal -offset 4n
# openssl x509 -noout -text -in cacert.pem
.Ed
.Ss Creating and signing certificates
The server and client certificates will be signed by the previously
created root CA.
Usually, the root CA is not used to sign server/client certificates
directly.
Instead, intermediate certificates are created and signed with the
root CA and the intermediate certs are used to sign CSRs (Certificate
Signing Request).
In this example we'll skip this part for simplicity's sake and sign the
CSRs with the root CA.
.Pp
First, generate the private key without a pass phrase.
.Bd -literal -offset 4n
# openssl genrsa -out private/logsrvd_key.pem 2048
# chmod 400 private/logsrvd_key.pem
.Ed
.Pp
Next, create a certificate signing request (CSR) for the server's certificate.
The organization name must match the name given in the root certificate.
The common name should be either the server's IP address or a fully
qualified domain name.
.Bd -literal -offset 4n
# openssl req -config openssl.cnf -key private/logsrvd_key.pem -new \e
-sha256 -out csr/logsrvd_csr.pem
Enter pass phrase for private/logsrvd_key.pem:
You are about to be asked to enter information that will be
incorporated into your certificate request.
What you are about to enter is what is called a Distinguished Name
or a DN.
There are quite a few fields but you can leave some blank.
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:US
State or Province Name (full name) [Some-State]:Colorado
Locality Name (eg, city) []:
Organization Name (eg, company) [Internet Widgets Pty Ltd]:sudo
Organizational Unit Name (eg, section) []:sudo log server
Common Name (e.g., server FQDN or YOUR name) []:logserver.example.com
Email Address []:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
.Ed
.Pp
Now sign the CSR that was just created:
.Bd -literal -offset 4n
# openssl ca -config openssl.cnf -days 375 -notext -md sha256 \e
-in csr/logsrvd_csr.pem -out certs/logsrvd_cert.pem
Using configuration from openssl.cnf
Enter pass phrase for ./private/cakey.pem:
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 4096 (0x1000)
Validity
Not Before: Nov 11 14:05:05 2019 GMT
Not After : Nov 20 14:05:05 2020 GMT
Subject:
countryName = US
stateOrProvinceName = Colorado
organizationName = sudo
organizationalUnitName = sudo log server
commonName = logserve.example.com
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
X509v3 Key Usage:
Digital Signature, Non Repudiation, Key Encipherment
X509v3 Subject Key Identifier:
4C:50:F9:D0:BE:1A:4C:B2:AC:90:76:56:C7:9E:16:AE:E6:9E:E5:B5
X509v3 Authority Key Identifier:
keyid:D7:91:24:16:B1:03:06:65:1A:7A:6E:CF:51:E9:5C:CB:7A:95:3E:0C
Certificate is to be certified until Nov 20 14:05:05 2020 GMT (375 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
.Ed
.Pp
Finally, verify the new certificate:
.Bd -literal -offset 4n
# openssl verify -CAfile cacert.pem certs/logsrvd_cert.pem
certs/logsrvd_cert.pem: OK
.Ed
.Pp
The
.Pa /etc/ssl/sudo/certs
directory now contains a signed and verified certificate for use with
.Nm sudo_logsrvd .
.Pp
To generate a client certificate, repeat the process above using
a different file name.
.Ss Configuring sudo_logsrvd to use TLS
To use TLS for client/server communication, both
.Nm
and the
.Nm sudoers
plugin need to be configured to use TLS.
Configuring
.Nm
for TLS requires the following settings, assuming the same path
names used earlier:
.Bd -literal -offset 4n
# Listen on port 30344 for TLS connections to any address.
listen_address = *:30344(tls)
# Path to the certificate authority bundle file in PEM format.
tls_cacert = /etc/ssl/sudo/cacert.pem
# Path to the server's certificate file in PEM format.
tls_cert = /etc/ssl/sudo/certs/logsrvd_cert.pem
# Path to the server's private key file in PEM format.
tls_key = /etc/ssl/sudo/private/logsrvd_key.pem
.Ed
.Pp
The root CA cert
.Pq Pa cacert.pem
must be installed on the system running
.Nm .
If peer authentication is enabled on the client, a copy of
.Pa cacert.pem
must be present on the client system too.
.Sh SEE ALSO
.Xr sudo.conf @mansectform@ ,
.Xr sudo_logsrv.proto @mansectform@ ,
.Xr sudo_logsrvd.conf @mansectform@ ,
.Xr sudoers @mansectform@ ,
.Xr sudo @mansectsu@ ,
.Xr sudo_sendlog @mansectsu@ ,
.Xr sudoreplay @mansectsu@
.Sh AUTHORS
Many people have worked on
.Nm sudo
over the years; this version consists of code written primarily by:
.Bd -ragged -offset indent
.An Todd C. Miller
.Ed
.Pp
See the CONTRIBUTORS.md file in the
.Nm sudo
distribution (https://www.sudo.ws/about/contributors/) for an
exhaustive list of people who have contributed to
.Nm sudo .
.Sh BUGS
If you believe you have found a bug in
.Nm ,
you can either file a bug report in the sudo bug database,
https://bugzilla.sudo.ws/, or open an issue at
https://github.com/sudo-project/sudo/issues.
If you would prefer to use email, messages may be sent to the
sudo-workers mailing list,
https://www.sudo.ws/mailman/listinfo/sudo-workers (public)
or <sudo@sudo.ws> (private).
.Pp
Please not report security vulnerabilities through public GitHub
issues, Bugzilla or mailing lists.
Instead, report them via email to <Todd.Miller@sudo.ws>.
You may encrypt your message with PGP if you would like, using
the key found at https://www.sudo.ws/dist/PGPKEYS.
.Sh SUPPORT
Limited free support is available via the sudo-users mailing list,
see https://www.sudo.ws/mailman/listinfo/sudo-users to subscribe or
search the archives.
.Sh DISCLAIMER
.Nm
is provided
.Dq AS IS
and any express or implied warranties, including, but not limited
to, the implied warranties of merchantability and fitness for a
particular purpose are disclaimed.
See the LICENSE.md file distributed with
.Nm sudo
or https://www.sudo.ws/about/license/ for complete details.
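Review bot: in the "Now sign the CSR that was just created" example, the Certificate Details block shows `commonName = logserve.example.com`, which does not match the `logserver.example.com` entered at the Common Name prompt of the CSR a few lines above; since the client side verifies that the server certificate contains the server's host name, the example should use the same name in both places (`commonName = logserver.example.com`). The X509v3 extensions listed for the signed certificate are Basic Constraints, Key Usage, Subject Key Identifier and Authority Key Identifier only, so hostname matching for this certificate depends on the CN fallback; adding the FQDN as a subjectAltName in the openssl.cnf extension section used by `openssl ca` would avoid depending on that fallback. Also, in the BUGS paragraph, "Please not report security vulnerabilities" should read "Please do not report security vulnerabilities".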

5539 docs/sudo_plugin.man.in Normal file (file diff suppressed because it is too large)

4920 docs/sudo_plugin.mdoc.in Normal file (file diff suppressed because it is too large)

(two further file diffs suppressed because they are too large)

217 docs/sudo_sendlog.man.in Normal file

@ -0,0 +1,217 @@
.\" Automatically generated from the sudo_sendlog.mdoc.in file. Do not edit.
.\"
.\" SPDX-License-Identifier: ISC
.\"
.\" Copyright (c) 2019-2024 Todd C. Miller <Todd.Miller@sudo.ws>
.\"
.\" Permission to use, copy, modify, and distribute this software for any
.\" purpose with or without fee is hereby granted, provided that the above
.\" copyright notice and this permission notice appear in all copies.
.\"
.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
.\"
.TH "SUDO_SENDLOG" "@mansectsu@" "July 14, 2024" "Sudo @PACKAGE_VERSION@" "System Manager's Manual"
.nh
.if n .ad l
.SH "NAME"
\fBsudo_sendlog\fR
\- send sudo I/O log to log server
.SH "SYNOPSIS"
.HP 13n
\fBsudo_sendlog\fR
[\fB\-AnV\fR]
[\fB\-b\fR\ \fIca_bundle\fR]
[\fB\-c\fR\ \fIcert_file\fR]
[\fB\-h\fR\ \fIhost\fR]
[\fB\-i\fR\ \fIiolog-id\fR]
[\fB\-k\fR\ \fIkey_file\fR]
[\fB\-p\fR\ \fIport\fR]
[\fB\-r\fR\ \fIrestart-point\fR]
[\fB\-R\fR\ \fIreject-reason\fR]
[\fB\-s\fR\ \fIstop-point\fR]
[\fB\-t\fR\ \fInumber\fR]
\fIpath\fR
.SH "DESCRIPTION"
\fBsudo_sendlog\fR
can be used to send the existing
\fBsudoers\fR
I/O log
\fIpath\fR
to a remote log server such as
sudo_logsrvd(@mansectsu@)
for central storage.
.PP
The options are as follows:
.TP 8n
\fB\-A\fR, \fB\--accept-only\fR
Only send the accept event, not the I/O associated with the log.
This can be used to test the logging of accept events without
any associated I/O.
.TP 8n
\fB\-b\fR, \fB\--ca-bundle\fR
The path to a certificate authority bundle file, in PEM format,
to use instead of the system's default certificate authority database
when authenticating the log server.
The default is to use the system's default certificate authority database.
.TP 8n
\fB\-c\fR, \fB\--cert\fR
The path to the client's certificate file in PEM format.
This setting is required when the connection to the remote log server
is secured with TLS.
.TP 8n
\fB\--help\fR
.br
Display a short help message to the standard output and exit.
.TP 8n
\fB\-h\fR, \fB\--host\fR
Connect to the specified
\fIhost\fR
instead of localhost.
.TP 8n
\fB\-i\fR, \fB\--iolog-id\fR
Use the specified
\fIiolog-id\fR
when restarting a log transfer.
The
\fIiolog-id\fR
is reported by the server when it creates the remote I/O log.
This option may only be used in conjunction with the
\fB\-r\fR
option.
.TP 8n
\fB\-k\fR, \fB\--key\fR
The path to the client's private key file in PEM format.
This setting is required when the connection to the remote log server
is secured with TLS.
.TP 8n
\fB\-n\fR, \fB\--no-verify\fR
If specified, the server's certificate will not be verified during
the TLS handshake.
By default,
\fBsudo_sendlog\fR
verifies that the server's certificate is valid and that it contains either
the server's host name or its IP address.
This setting is only supported when the connection to the remote log server
is secured with TLS.
.TP 8n
\fB\-p\fR, \fB\--port\fR
Use the specified network
\fIport\fR
when connecting to the log server instead of the
default, port 30344.
.TP 8n
\fB\-r\fR, \fB\--restart\fR
Restart an interrupted connection to the log server.
The specified
\fIrestart-point\fR
is used to tell the server the point in time at which to continue the log.
The
\fIrestart-point\fR
is specified in the form
\(lqseconds,nanoseconds\(rq
and is usually the last commit point received from the server.
The
\fB\-i\fR
option must also be specified when restarting a transfer.
.TP 8n
\fB\-R\fR, \fB\--reject\fR
Send a reject event for the command using the specified
\fIreject-reason\fR,
even though it was actually accepted locally.
This can be used to test the logging of reject events; no I/O
will be sent.
.TP 8n
\fB\-s\fR, \fB\--stop-after\fR
Stop sending log records and close the connection when
\fIstop-point\fR
is reached.
This can be used for testing purposes to send a partial I/O log to the server.
Partial logs can be restarted using the
\fB\-r\fR
option.
The
\fIstop-point\fR
is an elapsed time specified in the form
\(lqseconds,nanoseconds\(rq.
.TP 8n
\fB\-t\fR, \fB\--test\fR
Open
\fInumber\fR
simultaneous connections to the log server and send the specified
I/O log file on each one.
This option is useful for performance testing.
.TP 8n
\fB\-V\fR, \fB\--version\fR
Print the
\fBsudo_sendlog\fR
version and exit.
.SS "Debugging sendlog"
\fBsudo_sendlog\fR
supports a flexible debugging framework that is configured via
\fIDebug\fR
lines in the
sudo.conf(@mansectform@)
file.
.PP
For more information on configuring
sudo.conf(@mansectform@),
refer to its manual.
.SH "FILES"
.TP 26n
\fI@sysconfdir@/sudo.conf\fR
Sudo front-end configuration
.SH "SEE ALSO"
sudo.conf(@mansectform@),
sudo(@mansectsu@),
sudo_logsrv.proto(@mansectform@),
sudo_logsrvd(@mansectsu@)
.SH "AUTHORS"
Many people have worked on
\fBsudo\fR
over the years; this version consists of code written primarily by:
.sp
.RS 6n
Todd C. Miller
.RE
.PP
See the CONTRIBUTORS.md file in the
\fBsudo\fR
distribution (https://www.sudo.ws/about/contributors/) for an
exhaustive list of people who have contributed to
\fBsudo\fR.
.SH "BUGS"
If you believe you have found a bug in
\fBsudo_sendlog\fR,
you can either file a bug report in the sudo bug database,
https://bugzilla.sudo.ws/, or open an issue at
https://github.com/sudo-project/sudo/issues.
If you would prefer to use email, messages may be sent to the
sudo-workers mailing list,
https://www.sudo.ws/mailman/listinfo/sudo-workers (public)
or <sudo@sudo.ws> (private).
.PP
Please not report security vulnerabilities through public GitHub
issues, Bugzilla or mailing lists.
Instead, report them via email to <Todd.Miller@sudo.ws>.
You may encrypt your message with PGP if you would like, using
the key found at https://www.sudo.ws/dist/PGPKEYS.
.SH "SUPPORT"
Limited free support is available via the sudo-users mailing list,
see https://www.sudo.ws/mailman/listinfo/sudo-users to subscribe or
search the archives.
.SH "DISCLAIMER"
\fBsudo_sendlog\fR
is provided
\(lqAS IS\(rq
and any express or implied warranties, including, but not limited
to, the implied warranties of merchantability and fitness for a
particular purpose are disclaimed.
See the LICENSE.md file distributed with
\fBsudo\fR
or https://www.sudo.ws/about/license/ for complete details.
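Review bot: the BUGS section reads "Please not report security vulnerabilities through public GitHub issues"; it should be "Please do not report". The first line of this file states it is automatically generated from sudo_sendlog.mdoc.in and must not be edited, so the fix belongs in the mdoc source with this file regenerated from it, otherwise the next regeneration reintroduces the typo.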

202 docs/sudo_sendlog.mdoc.in Normal file

@ -0,0 +1,202 @@
.\"
.\" SPDX-License-Identifier: ISC
.\"
.\" Copyright (c) 2019-2024 Todd C. Miller <Todd.Miller@sudo.ws>
.\"
.\" Permission to use, copy, modify, and distribute this software for any
.\" purpose with or without fee is hereby granted, provided that the above
.\" copyright notice and this permission notice appear in all copies.
.\"
.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
.\"
.Dd July 14, 2024
.Dt SUDO_SENDLOG @mansectsu@
.Os Sudo @PACKAGE_VERSION@
.Sh NAME
.Nm sudo_sendlog
.Nd send sudo I/O log to log server
.Sh SYNOPSIS
.Nm sudo_sendlog
.Op Fl AnV
.Op Fl b Ar ca_bundle
.Op Fl c Ar cert_file
.Op Fl h Ar host
.Op Fl i Ar iolog-id
.Op Fl k Ar key_file
.Op Fl p Ar port
.Op Fl r Ar restart-point
.Op Fl R Ar reject-reason
.Op Fl s Ar stop-point
.Op Fl t Ar number
.Ar path
.Sh DESCRIPTION
.Nm
can be used to send the existing
.Nm sudoers
I/O log
.Ar path
to a remote log server such as
.Xr sudo_logsrvd @mansectsu@
for central storage.
.Pp
The options are as follows:
.Bl -tag -width Ds
.It Fl A , -accept-only
Only send the accept event, not the I/O associated with the log.
This can be used to test the logging of accept events without
any associated I/O.
.It Fl b , -ca-bundle
The path to a certificate authority bundle file, in PEM format,
to use instead of the system's default certificate authority database
when authenticating the log server.
The default is to use the system's default certificate authority database.
.It Fl c , -cert
The path to the client's certificate file in PEM format.
This setting is required when the connection to the remote log server
is secured with TLS.
.It Fl -help
Display a short help message to the standard output and exit.
.It Fl h , -host
Connect to the specified
.Ar host
instead of localhost.
.It Fl i , -iolog-id
Use the specified
.Ar iolog-id
when restarting a log transfer.
The
.Ar iolog-id
is reported by the server when it creates the remote I/O log.
This option may only be used in conjunction with the
.Fl r
option.
.It Fl k , -key
The path to the client's private key file in PEM format.
This setting is required when the connection to the remote log server
is secured with TLS.
.It Fl n , -no-verify
If specified, the server's certificate will not be verified during
the TLS handshake.
By default,
.Nm
verifies that the server's certificate is valid and that it contains either
the server's host name or its IP address.
This setting is only supported when the connection to the remote log server
is secured with TLS.
.It Fl p , -port
Use the specified network
.Ar port
when connecting to the log server instead of the
default, port 30344.
.It Fl r , -restart
Restart an interrupted connection to the log server.
The specified
.Ar restart-point
is used to tell the server the point in time at which to continue the log.
The
.Ar restart-point
is specified in the form
.Dq seconds,nanoseconds
and is usually the last commit point received from the server.
The
.Fl i
option must also be specified when restarting a transfer.
.It Fl R , -reject
Send a reject event for the command using the specified
.Ar reject-reason ,
even though it was actually accepted locally.
This can be used to test the logging of reject events; no I/O
will be sent.
.It Fl s , -stop-after
Stop sending log records and close the connection when
.Ar stop-point
is reached.
This can be used for testing purposes to send a partial I/O log to the server.
Partial logs can be restarted using the
.Fl r
option.
The
.Ar stop-point
is an elapsed time specified in the form
.Dq seconds,nanoseconds .
.It Fl t , -test
Open
.Ar number
simultaneous connections to the log server and send the specified
I/O log file on each one.
This option is useful for performance testing.
.It Fl V , -version
Print the
.Nm
version and exit.
.El
.Ss Debugging sendlog
.Nm
supports a flexible debugging framework that is configured via
.Em Debug
lines in the
.Xr sudo.conf @mansectform@
file.
.Pp
For more information on configuring
.Xr sudo.conf @mansectform@ ,
refer to its manual.
.Sh FILES
.Bl -tag -width 24n
.It Pa @sysconfdir@/sudo.conf
Sudo front-end configuration
.El
.Sh SEE ALSO
.Xr sudo.conf @mansectform@ ,
.Xr sudo @mansectsu@ ,
.Xr sudo_logsrv.proto @mansectform@ ,
.Xr sudo_logsrvd @mansectsu@
.Sh AUTHORS
Many people have worked on
.Nm sudo
over the years; this version consists of code written primarily by:
.Bd -ragged -offset indent
.An Todd C. Miller
.Ed
.Pp
See the CONTRIBUTORS.md file in the
.Nm sudo
distribution (https://www.sudo.ws/about/contributors/) for an
exhaustive list of people who have contributed to
.Nm sudo .
.Sh BUGS
If you believe you have found a bug in
.Nm ,
you can either file a bug report in the sudo bug database,
https://bugzilla.sudo.ws/, or open an issue at
https://github.com/sudo-project/sudo/issues.
If you would prefer to use email, messages may be sent to the
sudo-workers mailing list,
https://www.sudo.ws/mailman/listinfo/sudo-workers (public)
or <sudo@sudo.ws> (private).
.Pp
Please not report security vulnerabilities through public GitHub
issues, Bugzilla or mailing lists.
Instead, report them via email to <Todd.Miller@sudo.ws>.
You may encrypt your message with PGP if you would like, using
the key found at https://www.sudo.ws/dist/PGPKEYS.
.Sh SUPPORT
Limited free support is available via the sudo-users mailing list,
see https://www.sudo.ws/mailman/listinfo/sudo-users to subscribe or
search the archives.
.Sh DISCLAIMER
.Nm
is provided
.Dq AS IS
and any express or implied warranties, including, but not limited
to, the implied warranties of merchantability and fitness for a
particular purpose are disclaimed.
See the LICENSE.md file distributed with
.Nm sudo
or https://www.sudo.ws/about/license/ for complete details.
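Review bot: the BUGS section has "Please not report security vulnerabilities", which should read "Please do not report security vulnerabilities" (this is the mdoc source, so fixing it here also fixes the generated sudo_sendlog.man.in). Two smaller points in the option list: the `.It Fl n , -no-verify` entry says the server's certificate will not be verified but not what that costs; one sentence stating that without verification any host able to intercept the connection can impersonate the log server and receive the I/O log contents would make clear this is a testing switch, not a deployment setting. And in the `.It Fl b , -ca-bundle` entry, "The default is to use the system's default certificate authority database." repeats the preceding sentence, which already says the bundle is used "instead of the system's default certificate authority database", so the second sentence can be dropped.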

1817 docs/sudoers.ldap.man.in Normal file (file diff suppressed because it is too large)

1668 docs/sudoers.ldap.mdoc.in Normal file (file diff suppressed because it is too large)

8142 docs/sudoers.man.in Normal file (file diff suppressed because it is too large)

150 docs/sudoers.man.in.sed Normal file

@ -0,0 +1,150 @@
s/^\(.TH .*\)/.nr SL @SEMAN@\
.nr BA @BAMAN@\
.nr LC @LCMAN@\
.nr PS @PSMAN@\
\1/
/^On$/N
/^On\nBSD$/,/^.*\.$/ {
/^On\nBSD$/i\
.if \\n(LC \\{\\
/\.$/a\
.\\}
}
/^\.SS "SELinux_Spec"$/,/^\.SS/ {
/^\.SS / {
/^\.SS "SELinux_Spec"$/i\
.if \\n(SL \\{\\
/^\.SS "SELinux_Spec"$/!i\
.\\}
}
}
/^\.SS "Solaris_Priv_Spec"$/,/^\.SS/ {
/^\.SS / {
/^\.SS "Solaris_Priv_Spec"$/i\
.if \\n(PS \\{\\
/^\.SS "Solaris_Priv_Spec"$/!i\
.\\}
}
}
/^Option_Spec ::= / {
s/^.*$/.ie \\n(SL \\{\\\
.ie \\n(PS Option_Spec ::= (SELinux_Spec | Solaris_Priv_Spec | Date_Spec | Timeout_Spec)\
.el Option_Spec ::= (SELinux_Spec | Date_Spec | Timeout_Spec)\
.\\}\
.el \\{\\\
.ie \\n(PS Option_Spec ::= (Solaris_Priv_Spec | Date_Spec | Timeout_Spec)\
.el Option_Spec ::= (Date_Spec | Timeout_Spec)\
.\\}/
}
/^SELinux_Spec ::=/ {
i\
.if \\n(SL \\{\\
N
a\
.\\}
}
/^Solaris_Priv_Spec ::=/ {
i\
.if \\n(PS \\{\\
N
a\
.\\}
}
/^SELinux roles.*types,/ {
i\
.if \\n(SL \\{\\
a\
.\\}
}
/^Solaris privileges sets,/ {
i\
.if \\n(PS \\{\\
a\
.\\}
}
/^\.TP 18n$/ {
N
/^\.TP 18n\nuse_loginclass$/,/^\.TP 18n/ {
/^\.TP 18n/ {
/^\.TP 18n\nuse_loginclass$/i\
.if \\n(BA \\{\\
/^\.TP 18n\nuse_loginclass$/!i\
.\\}
}
}
/^\.TP 18n\nlimitprivs$/,/^\.TP 18n/ {
/^\.TP 18n/ {
/^\.TP 18n\nlimitprivs$/i\
.if \\n(PS \\{\\
/^\.TP 18n\nlimitprivs$/!i\
.\\}
}
}
/^\.TP 18n\nprivs$/,/^\.TP 18n/ {
/^\.TP 18n/ {
/^\.TP 18n\nprivs$/i\
.if \\n(PS \\{\\
/^\.TP 18n\nprivs$/!i\
.\\}
}
}
/^\.TP 18n\nselinux$/,/^\.TP 18n/ {
/^\.TP 18n/ {
/^\.TP 18n\nselinux$/i\
.if \\n(SL \\{\\
/^\.TP 18n\nselinux$/!i\
.\\}
}
}
/^\.TP 18n\nrole$/,/^\.TP 18n/ {
/^\.TP 18n/ {
/^\.TP 18n\nrole$/i\
.if \\n(SL \\{\\
/^\.TP 18n\nrole$/!i\
.\\}
}
}
/^\.TP 18n\ntype$/,/^\.TP 18n/ {
/^\.TP 18n/ {
/^\.TP 18n\ntype$/i\
.if \\n(SL \\{\\
/^\.TP 18n\ntype$/!i\
.\\}
}
}
}
/^\\fRPRIVS\\fR,/ {
i\
.if \\n(PS \\{\\
a\
.\\}
}
/^\\fRLIMITPRIVS\\fR,/ {
i\
.if \\n(PS \\{\\
a\
.\\}
}
/^\\fRROLE\\fR,/ {
i\
.if \\n(SL \\{\\
a\
.\\}
}
/^\\fRTYPE\\fR,/ {
i\
.if \\n(SL \\{\\
a\
.\\}
}

7544 docs/sudoers.mdoc.in Normal file (file diff suppressed because it is too large)

@ -0,0 +1,337 @@
.\" Automatically generated from the sudoers_timestamp.mdoc.in file. Do not edit.
.\"
.\" SPDX-License-Identifier: ISC
.\"
.\" Copyright (c) 2017-2020, 2022-2023 Todd C. Miller <Todd.Miller@sudo.ws>
.\"
.\" Permission to use, copy, modify, and distribute this software for any
.\" purpose with or without fee is hereby granted, provided that the above
.\" copyright notice and this permission notice appear in all copies.
.\"
.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
.\"
.TH "SUDOERS_TIMESTAMP" "@mansectform@" "November 26, 2023" "Sudo @PACKAGE_VERSION@" "File Formats Manual"
.nh
.if n .ad l
.SH "NAME"
\fBsudoers_timestamp\fR
\- Sudoers Time Stamp Format
.SH "DESCRIPTION"
The
\fBsudoers\fR
plugin uses per-user-ID time stamp files for credential caching.
Once a user has been authenticated, they may use
\fBsudo\fR
without a password for a short period of time
(\fI@timeout@\fR
minutes unless overridden by the
\fItimestamp_timeout\fR
option)
\&.
By default,
\fBsudoers\fR
uses a separate record for each terminal, which means that
a user's login sessions are authenticated separately.
The
\fItimestamp_type\fR
option can be used to select the type of time stamp record
\fBsudoers\fR
will use.
.PP
A multi-record time stamp file format was introduced in
\fBsudo\fR
1.8.10 that uses a single file per user.
Previously, a separate file was used for each user and terminal
combination unless tty-based time stamps were disabled.
The new format is extensible and records of multiple types and versions
may coexist within the same file.
.PP
All records, regardless of type or version, begin with a 16-bit version
number and a 16-bit record size.
.PP
Time stamp records have the following structure:
.nf
.sp
.RS 0n
/* Time stamp entry types */
#define TS_GLOBAL 0x01U /* not restricted by tty or ppid */
#define TS_TTY 0x02U /* restricted by tty */
#define TS_PPID 0x03U /* restricted by ppid */
#define TS_LOCKEXCL 0x04U /* special lock record */
/* Time stamp flags */
#define TS_DISABLED 0x01U /* entry disabled */
#define TS_ANYUID 0x02U /* ignore uid, only valid in key */
struct timestamp_entry {
unsigned short version; /* version number */
unsigned short size; /* entry size */
unsigned short type; /* TS_GLOBAL, TS_TTY, TS_PPID */
unsigned short flags; /* TS_DISABLED, TS_ANYUID */
uid_t auth_uid; /* uid to authenticate as */
pid_t sid; /* session ID associated with tty/ppid */
struct timespec start_time; /* session/ppid start time */
struct timespec ts; /* time stamp (CLOCK_MONOTONIC) */
union {
dev_t ttydev; /* tty device number */
pid_t ppid; /* parent pid */
} u;
};
.RE
.fi
.PP
The timestamp_entry struct fields are as follows:
.TP 6n
version
The version number of the timestamp_entry struct.
New entries are created with a version number of 2.
Records with different version numbers may coexist in the
same file but are not inter-operable.
.TP 6n
size
The size of the record in bytes.
.TP 6n
type
The record type, currently
\fRTS_GLOBAL\fR,
\fRTS_TTY\fR,
or
\fRTS_PPID\fR.
.TP 6n
flags
.br
Zero or more record flags which can be bit-wise ORed together.
Supported flags are
\fRTS_DISABLED\fR,
for records disabled via
\fBsudo\fR
\fB\-k\fR
and
\fRTS_ANYUID\fR,
which is used only when matching records.
.TP 6n
auth_uid
The user-ID that was used for authentication.
Depending on the value of the
\fIrootpw\fR,
\fIrunaspw\fR
and
\fItargetpw\fR
options, the user-ID may be that of the invoking user, the root user,
the default runas user or the target user.
.TP 6n
sid
The ID of the user's terminal session, if present.
The session ID is only used when matching records of type
\fRTS_TTY\fR.
.TP 6n
start_time
The start time of the session leader for records of type
\fRTS_TTY\fR
or of the parent process for records of type
\fRTS_PPID\fR.
The
\fIstart_time\fR
is used to help prevent reuse of a time stamp record after a
user has logged out.
Not all systems support a method to easily retrieve a process's
start time.
The
\fIstart_time\fR
field was added in
\fBsudoers\fR
version 1.8.22 for the second revision of the timestamp_entry struct.
.TP 6n
ts
The actual time stamp.
A monotonic time source (which does not move backward) is used if the
system supports it.
Where possible,
\fBsudoers\fR
uses a monotonic timer that increments even while the system
is suspended.
The value of
\fIts\fR
is updated each time a command is run via
\fBsudo\fR.
If the difference between
\fIts\fR
and the current time is less than the value of the
\fItimestamp_timeout\fR
option, no password is required.
.TP 6n
u.ttydev
The device number of the terminal associated with the session for
records of type
\fRTS_TTY\fR.
.TP 6n
u.ppid
The ID of the parent process for records of type
\fRTS_PPID\fR.
.PP
The
\fBtsdump\fR
utility, included with the sudo source distribution, can be used to
display the contents of a
\fIsudoers\fR
time stamp file.
.SH "LOCKING"
In
\fBsudoers\fR
versions 1.8.10 through 1.8.14, the entire time stamp file was
locked for exclusive access when reading or writing to the file.
Starting in
\fBsudoers\fR
1.8.15, individual records are locked in the time stamp file instead
of the entire file and the lock is held for a longer period of time.
This scheme is described below.
.PP
The first record in the time stamp file is of type
\fRTS_LOCKEXCL\fR
and is used as a
\fIlock\fR
record to prevent more than one
\fBsudo\fR
process from adding a new record at the same time.
Once the desired time stamp record has been located or created (and
locked), the
\fRTS_LOCKEXCL\fR
record is unlocked.
The lock on the individual time stamp record, however, is held until
authentication is complete.
This allows
\fBsudoers\fR
to avoid prompting for a password multiple times when it
is used more than once in a pipeline.
.PP
Records of type
\fRTS_GLOBAL\fR
cannot be locked for a long period of time since doing so would
interfere with other
\fBsudo\fR
processes.
Instead, a separate lock record is used to prevent multiple
\fBsudo\fR
processes using the same terminal (or parent process ID) from
prompting for a password as the same time.
.SH "SEE ALSO"
sudoers(@mansectform@),
sudo(@mansectsu@)
.SH "HISTORY"
Originally,
\fBsudo\fR
used a single zero-length file per user and the file's modification
time was used as the time stamp.
Later versions of
\fBsudo\fR
added restrictions on the ownership of the time stamp files and
directory as well as checks on the validity of the time stamp itself.
Notable changes were introduced in the following
\fBsudo\fR
versions:
.TP 6n
1.4.0
.br
Support for tty-based time stamp file was added
by appending the terminal name to the time stamp file name.
.TP 6n
1.6.2
.br
The time stamp file was replaced by a per-user directory which
contained any tty-based time stamp files.
.TP 6n
1.6.3p2
The target user name was added to the time stamp file name when the
\fItargetpw\fR
option was set.
.TP 6n
1.7.3
.br
Information about the terminal device was stored in
tty-based time stamp files for validity checks.
This included the terminal device numbers, inode number and, on systems
where it was not updated when the device was written to, the inode change time.
This helped prevent reuse of the time stamp file after logout.
.TP 6n
1.8.6p7
The terminal session ID was added to tty-based time stamp files to
prevent reuse of the time stamp by the same user in a different
terminal session.
It also helped prevent reuse of the time stamp file on systems where
the terminal device's inode change time was updated by writing.
.TP 6n
1.8.10
A new, multi-record time stamp file format was introduced that uses a
single file per user.
The terminal device's change time was not included since most
systems now update the change time after a write is performed
as required by POSIX.
.TP 6n
1.8.15
Individual records are locked in the time stamp file instead of the
entire file and the lock is held until authentication is complete.
.TP 6n
1.8.22
The start time of the terminal session leader or parent process is
now stored in non-global time stamp records.
This prevents reuse of the time stamp file after logout in most cases.
.sp
Support was added for the kernel-based tty time stamps available in
OpenBSD
which do not use an on-disk time stamp file.
.TP 6n
1.9.15
Time stamp file path names are now based on the invoking user-ID
instead of the user name.
This avoids problems with user names that include a path separator
character.
.SH "AUTHORS"
Many people have worked on
\fBsudo\fR
over the years; this version consists of code written primarily by:
.sp
.RS 6n
Todd C. Miller
.RE
.PP
See the CONTRIBUTORS.md file in the
\fBsudo\fR
distribution (https://www.sudo.ws/about/contributors/) for an
exhaustive list of people who have contributed to
\fBsudo\fR.
.SH "BUGS"
If you believe you have found a bug in
\fBsudoers_timestamp\fR,
you can either file a bug report in the sudo bug database,
https://bugzilla.sudo.ws/, or open an issue at
https://github.com/sudo-project/sudo/issues.
If you would prefer to use email, messages may be sent to the
sudo-workers mailing list,
https://www.sudo.ws/mailman/listinfo/sudo-workers (public)
or <sudo@sudo.ws> (private).
.PP
Please not report security vulnerabilities through public GitHub
issues, Bugzilla or mailing lists.
Instead, report them via email to <Todd.Miller@sudo.ws>.
You may encrypt your message with PGP if you would like, using
the key found at https://www.sudo.ws/dist/PGPKEYS.
.SH "SUPPORT"
Limited free support is available via the sudo-users mailing list,
see https://www.sudo.ws/mailman/listinfo/sudo-users to subscribe or
search the archives.
.SH "DISCLAIMER"
\fBsudo\fR
is provided
\(lqAS IS\(rq
and any express or implied warranties, including, but not limited
to, the implied warranties of merchantability and fitness for a
particular purpose are disclaimed.
See the LICENSE.md file distributed with
\fBsudo\fR
or https://www.sudo.ws/about/license/ for complete details.
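Review bot: in the LOCKING section, "prompting for a password as the same time" should read "at the same time", and in BUGS "Please not report security vulnerabilities" should read "Please do not report security vulnerabilities"; since the header says this file is automatically generated from sudoers_timestamp.mdoc.in, both fixes belong in the mdoc source followed by regeneration. The `start_time` description notes that not all systems can retrieve a process start time but does not say what happens on those systems; stating whether the logout-reuse check is simply skipped there would tell administrators which platforms get the weaker behaviour. Minor consistency point: the DISCLAIMER here names `\fBsudo\fR`, whereas the sibling sudo_sendlog page names its own subject in that section.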


@ -0,0 +1,314 @@
.\"
.\" SPDX-License-Identifier: ISC
.\"
.\" Copyright (c) 2017-2020, 2022-2023 Todd C. Miller <Todd.Miller@sudo.ws>
.\"
.\" Permission to use, copy, modify, and distribute this software for any
.\" purpose with or without fee is hereby granted, provided that the above
.\" copyright notice and this permission notice appear in all copies.
.\"
.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
.\"
.Dd November 26, 2023
.Dt SUDOERS_TIMESTAMP @mansectform@
.Os Sudo @PACKAGE_VERSION@
.Sh NAME
.Nm sudoers_timestamp
.Nd Sudoers Time Stamp Format
.Sh DESCRIPTION
The
.Nm sudoers
plugin uses per-user-ID time stamp files for credential caching.
Once a user has been authenticated, they may use
.Nm sudo
without a password for a short period of time
.Po
.Em @timeout@
minutes unless overridden by the
.Em timestamp_timeout
option
.Pc .
By default,
.Nm sudoers
uses a separate record for each terminal, which means that
a user's login sessions are authenticated separately.
The
.Em timestamp_type
option can be used to select the type of time stamp record
.Nm sudoers
will use.
.Pp
A multi-record time stamp file format was introduced in
.Nm sudo
1.8.10 that uses a single file per user.
Previously, a separate file was used for each user and terminal
combination unless tty-based time stamps were disabled.
The new format is extensible and records of multiple types and versions
may coexist within the same file.
.Pp
All records, regardless of type or version, begin with a 16-bit version
number and a 16-bit record size.
.Pp
Time stamp records have the following structure:
.Bd -literal
/* Time stamp entry types */
#define TS_GLOBAL 0x01U /* not restricted by tty or ppid */
#define TS_TTY 0x02U /* restricted by tty */
#define TS_PPID 0x03U /* restricted by ppid */
#define TS_LOCKEXCL 0x04U /* special lock record */
/* Time stamp flags */
#define TS_DISABLED 0x01U /* entry disabled */
#define TS_ANYUID 0x02U /* ignore uid, only valid in key */
struct timestamp_entry {
unsigned short version; /* version number */
unsigned short size; /* entry size */
unsigned short type; /* TS_GLOBAL, TS_TTY, TS_PPID */
unsigned short flags; /* TS_DISABLED, TS_ANYUID */
uid_t auth_uid; /* uid to authenticate as */
pid_t sid; /* session ID associated with tty/ppid */
struct timespec start_time; /* session/ppid start time */
struct timespec ts; /* time stamp (CLOCK_MONOTONIC) */
union {
dev_t ttydev; /* tty device number */
pid_t ppid; /* parent pid */
} u;
};
.Ed
.Pp
The timestamp_entry struct fields are as follows:
.Bl -tag -width 4n
.It version
The version number of the timestamp_entry struct.
New entries are created with a version number of 2.
Records with different version numbers may coexist in the
same file but are not inter-operable.
.It size
The size of the record in bytes.
.It type
The record type, currently
.Dv TS_GLOBAL ,
.Dv TS_TTY ,
or
.Dv TS_PPID .
.It flags
Zero or more record flags which can be bit-wise ORed together.
Supported flags are
.Dv TS_DISABLED ,
for records disabled via
.Nm sudo
.Fl k
and
.Dv TS_ANYUID ,
which is used only when matching records.
.It auth_uid
The user-ID that was used for authentication.
Depending on the value of the
.Em rootpw ,
.Em runaspw
and
.Em targetpw
options, the user-ID may be that of the invoking user, the root user,
the default runas user or the target user.
.It sid
The ID of the user's terminal session, if present.
The session ID is only used when matching records of type
.Dv TS_TTY .
.It start_time
The start time of the session leader for records of type
.Dv TS_TTY
or of the parent process for records of type
.Dv TS_PPID .
The
.Em start_time
is used to help prevent reuse of a time stamp record after a
user has logged out.
Not all systems support a method to easily retrieve a process's
start time.
The
.Em start_time
field was added in
.Nm sudoers
version 1.8.22 for the second revision of the timestamp_entry struct.
.It ts
The actual time stamp.
A monotonic time source (which does not move backward) is used if the
system supports it.
Where possible,
.Nm sudoers
uses a monotonic timer that increments even while the system
is suspended.
The value of
.Em ts
is updated each time a command is run via
.Nm sudo .
If the difference between
.Em ts
and the current time is less than the value of the
.Em timestamp_timeout
option, no password is required.
.It u.ttydev
The device number of the terminal associated with the session for
records of type
.Dv TS_TTY .
.It u.ppid
The ID of the parent process for records of type
.Dv TS_PPID .
.El
.Pp
The
.Nm tsdump
utility, included with the sudo source distribution, can be used to
display the contents of a
.Em sudoers
time stamp file.
.Sh LOCKING
In
.Nm sudoers
versions 1.8.10 through 1.8.14, the entire time stamp file was
locked for exclusive access when reading or writing to the file.
Starting in
.Nm sudoers
1.8.15, individual records are locked in the time stamp file instead
of the entire file and the lock is held for a longer period of time.
This scheme is described below.
.Pp
The first record in the time stamp file is of type
.Dv TS_LOCKEXCL
and is used as a
.Em lock
record to prevent more than one
.Nm sudo
process from adding a new record at the same time.
Once the desired time stamp record has been located or created (and
locked), the
.Dv TS_LOCKEXCL
record is unlocked.
The lock on the individual time stamp record, however, is held until
authentication is complete.
This allows
.Nm sudoers
to avoid prompting for a password multiple times when it
is used more than once in a pipeline.
.Pp
Records of type
.Dv TS_GLOBAL
cannot be locked for a long period of time since doing so would
interfere with other
.Nm sudo
processes.
Instead, a separate lock record is used to prevent multiple
.Nm sudo
processes using the same terminal (or parent process ID) from
prompting for a password as the same time.
.Sh SEE ALSO
.Xr sudoers @mansectform@ ,
.Xr sudo @mansectsu@
.Sh HISTORY
Originally,
.Nm sudo
used a single zero-length file per user and the file's modification
time was used as the time stamp.
Later versions of
.Nm sudo
added restrictions on the ownership of the time stamp files and
directory as well as checks on the validity of the time stamp itself.
Notable changes were introduced in the following
.Nm sudo
versions:
.Bl -tag -width 4n
.It 1.4.0
Support for tty-based time stamp file was added
by appending the terminal name to the time stamp file name.
.It 1.6.2
The time stamp file was replaced by a per-user directory which
contained any tty-based time stamp files.
.It 1.6.3p2
The target user name was added to the time stamp file name when the
.Em targetpw
option was set.
.It 1.7.3
Information about the terminal device was stored in
tty-based time stamp files for validity checks.
This included the terminal device numbers, inode number and, on systems
where it was not updated when the device was written to, the inode change time.
This helped prevent reuse of the time stamp file after logout.
.It 1.8.6p7
The terminal session ID was added to tty-based time stamp files to
prevent reuse of the time stamp by the same user in a different
terminal session.
It also helped prevent reuse of the time stamp file on systems where
the terminal device's inode change time was updated by writing.
.It 1.8.10
A new, multi-record time stamp file format was introduced that uses a
single file per user.
The terminal device's change time was not included since most
systems now update the change time after a write is performed
as required by POSIX.
.It 1.8.15
Individual records are locked in the time stamp file instead of the
entire file and the lock is held until authentication is complete.
.It 1.8.22
The start time of the terminal session leader or parent process is
now stored in non-global time stamp records.
This prevents reuse of the time stamp file after logout in most cases.
.Pp
Support was added for the kernel-based tty time stamps available in
.Ox
which do not use an on-disk time stamp file.
.It 1.9.15
Time stamp file path names are now based on the invoking user-ID
instead of the user name.
This avoids problems with user names that include a path separator
character.
.El
.Sh AUTHORS
Many people have worked on
.Nm sudo
over the years; this version consists of code written primarily by:
.Bd -ragged -offset indent
.An Todd C. Miller
.Ed
.Pp
See the CONTRIBUTORS.md file in the
.Nm sudo
distribution (https://www.sudo.ws/about/contributors/) for an
exhaustive list of people who have contributed to
.Nm sudo .
.Sh BUGS
If you believe you have found a bug in
.Nm ,
you can either file a bug report in the sudo bug database,
https://bugzilla.sudo.ws/, or open an issue at
https://github.com/sudo-project/sudo/issues.
If you would prefer to use email, messages may be sent to the
sudo-workers mailing list,
https://www.sudo.ws/mailman/listinfo/sudo-workers (public)
or <sudo@sudo.ws> (private).
.Pp
Please not report security vulnerabilities through public GitHub
issues, Bugzilla or mailing lists.
Instead, report them via email to <Todd.Miller@sudo.ws>.
You may encrypt your message with PGP if you would like, using
the key found at https://www.sudo.ws/dist/PGPKEYS.
.Sh SUPPORT
Limited free support is available via the sudo-users mailing list,
see https://www.sudo.ws/mailman/listinfo/sudo-users to subscribe or
search the archives.
.Sh DISCLAIMER
.Nm sudo
is provided
.Dq AS IS
and any express or implied warranties, including, but not limited
to, the implied warranties of merchantability and fitness for a
particular purpose are disclaimed.
See the LICENSE.md file distributed with
.Nm sudo
or https://www.sudo.ws/about/license/ for complete details.
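Review bot: the `type` field description in the timestamp_entry field list ("The record type, currently TS_GLOBAL, TS_TTY, or TS_PPID") omits TS_LOCKEXCL, even though the #define block above declares it and the LOCKING section states that the first record in the file is of type TS_LOCKEXCL; either list all four types there or add a sentence saying that TS_LOCKEXCL is the special lock record described under LOCKING, so that anyone reading the file format (or the output of tsdump) knows to expect it. The same hunk carries three wording slips: in LOCKING, "prompting for a password as the same time" should read "at the same time"; in HISTORY under 1.4.0, "Support for tty-based time stamp file was added" should be "files"; and in BUGS the security-reporting instruction is missing its verb, "Please not report security vulnerabilities through public GitHub issues, Bugzilla or mailing lists" should read "Please do not report ...", since taken literally the sentence says the opposite of what it intends for the one channel that must stay private.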

547
docs/sudoreplay.man.in Normal file

@ -0,0 +1,547 @@
.\" Automatically generated from the sudoreplay.mdoc.in file. Do not edit.
.\"
.\" SPDX-License-Identifier: ISC
.\"
.\" Copyright (c) 2009-2023 Todd C. Miller <Todd.Miller@sudo.ws>
.\"
.\" Permission to use, copy, modify, and distribute this software for any
.\" purpose with or without fee is hereby granted, provided that the above
.\" copyright notice and this permission notice appear in all copies.
.\"
.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
.\"
.TH "SUDOREPLAY" "@mansectsu@" "January 16, 2023" "Sudo @PACKAGE_VERSION@" "System Manager's Manual"
.nh
.if n .ad l
.SH "NAME"
\fBsudoreplay\fR
\- replay sudo session logs
.SH "SYNOPSIS"
.HP 11n
\fBsudoreplay\fR
[\fB\-FhnRS\fR]
[\fB\-d\fR\ \fIdir\fR]
[\fB\-f\fR\ \fIfilter\fR]
[\fB\-m\fR\ \fInum\fR]
[\fB\-s\fR\ \fInum\fR]
ID[\fI@offset\fR]
.HP 11n
\fBsudoreplay\fR
[\fB\-h\fR]
[\fB\-d\fR\ \fIdir\fR]
\fB\-l\fR
[search\ expression]
.SH "DESCRIPTION"
\fBsudoreplay\fR
plays back or lists the output logs created by
\fBsudo\fR.
When replaying,
\fBsudoreplay\fR
can play the session back in real-time, or the playback speed may be
adjusted (faster or slower) based on the command line options.
.PP
The
\fIID\fR
should either be a six character sequence of digits and
upper case letters, e.g.,
\(lq0100A5\(rq
or a path name.
The
\fIID\fR
may include an optional
\fI@offset\fR
suffix which may be used to start replaying at a specific time offset.
The
\fI@offset\fR
is specified as a number in seconds since the start of the session
with an optional decimal fraction.
.PP
Path names may be relative to the I/O log directory
\fI@iolog_dir@\fR
(unless overridden by the
\fB\-d\fR
option) or fully qualified, beginning with a
\(oq/\(cq
character.
When a command is run via
\fBsudo\fR
with
\fIlog_output\fR
enabled in the
\fIsudoers\fR
file, a
\(lqTSID=ID\(rq
string is logged via
syslog(3)
or to the
\fBsudo\fR
log file.
The
\fIID\fR
may also be determined using
\fBsudoreplay\fR's
list mode.
.PP
In list mode,
\fBsudoreplay\fR
can be used to find the ID of a session based on a number of criteria
such as the user, tty, or command run.
.PP
In replay mode, if the standard input and output are connected to a terminal
and the
\fB\-n\fR
option is not specified,
\fBsudoreplay\fR
will operate interactively.
In interactive mode,
\fBsudoreplay\fR
will attempt to adjust the terminal size to match that of the session and
write directly to the terminal (not all terminals support this).
Additionally, it will poll the keyboard and act on the following keys:
.TP 14n
\(oq\fR\en\fR\(cq or \(oq\fR\er\fR\(cq
Skip to the next replay event; useful for long pauses.
.TP 14n
\(oq\fR\ \fR\(cq (space)
Pause output; press any key to resume.
.TP 14n
\(oq<\(cq
Reduce the playback speed by one half.
.TP 14n
\(oq>\(cq
Double the playback speed.
.PP
The session can be interrupted via control-C.
When the session has finished, the terminal is restored to its
original size if it was changed during playback.
.PP
The options are as follows:
.TP 8n
\fB\-d\fR \fIdir\fR, \fB\--directory\fR=\fIdir\fR
Store session logs in
\fIdir\fR
instead of the default,
\fI@iolog_dir@\fR.
.TP 8n
\fB\-f\fR \fIfilter\fR, \fB\--filter\fR=\fIfilter\fR
Select which I/O type(s) to display.
By default,
\fBsudoreplay\fR
will display the command's standard output, standard error, and tty output.
The
\fIfilter\fR
argument is a comma-separated list, consisting of one or more of following:
\fIstdin\fR,
\fIstdout\fR,
\fIstderr\fR,
\fIttyin\fR,
and
\fIttyout\fR.
.TP 8n
\fB\-F\fR, \fB\--follow\fR
Enable
\(lqfollow mode\(rq.
When replaying a session,
\fBsudoreplay\fR
will ignore end-of-file and keep replaying until the log is complete.
This can be used to replay a session that is still in progress,
similar to
\(lqtail -f\(rq.
An I/O log file is considered to be complete when the write bits
have been cleared on the session's timing file.
Versions of
\fBsudo\fR
prior to 1.9.1 do not clear the write bits upon completion.
.TP 8n
\fB\-h\fR, \fB\--help\fR
Display a short help message to the standard output and exit.
.TP 8n
\fB\-l\fR, \fB\--list\fR [\fIsearch expression\fR]
Enable
\(lqlist mode\(rq.
In this mode,
\fBsudoreplay\fR
will list available sessions in a format similar to the
\fBsudo\fR
log file format, sorted by file name (or sequence number).
Any control characters present in the log data are formatted in octal
with a leading
\(oq#\(cq
character.
For example, a horizontal tab is displayed as
\(oq#011\(cq
and an embedded carriage return is displayed as
\(oq#015\(cq.
Space characters in the command name and arguments are also formatted in octal.
.sp
If a
\fIsearch expression\fR
is specified, it will be used to restrict the IDs that are displayed.
An expression is composed of the following predicates:
.PP
.RS 8n
.PD 0
.TP 8n
command \fIpattern\fR
Evaluates to true if the command run matches the POSIX extended
regular expression
\fIpattern\fR.
.PD
.TP 8n
cwd \fIdirectory\fR
Evaluates to true if the command was run with the specified current
working directory.
.TP 8n
fromdate \fIdate\fR
Evaluates to true if the command was run on or after
\fIdate\fR.
See
\fIDate and time format\fR
for a description of supported date and time formats.
.TP 8n
group \fIrunas_group\fR
Evaluates to true if the command was run with the specified
\fIrunas_group\fR.
Unless a
\fIrunas_group\fR
was explicitly specified when
\fBsudo\fR
was run this field will be empty in the log.
.TP 8n
host \fIhostname\fR
Evaluates to true if the command was run on the specified
\fIhostname\fR.
.TP 8n
runas \fIrunas_user\fR
Evaluates to true if the command was run as the specified
\fIrunas_user\fR.
By default,
\fBsudo\fR
runs commands as the
\fBroot\fR
user.
.TP 8n
todate \fIdate\fR
Evaluates to true if the command was run on or prior to
\fIdate\fR.
See
\fIDate and time format\fR
for a description of supported date and time formats.
.TP 8n
tty \fItty name\fR
Evaluates to true if the command was run on the specified terminal device.
The
\fItty name\fR
should be specified without the
\fI/dev/\fR
prefix, e.g.,
\fItty01\fR
instead of
\fI/dev/tty01\fR.
.TP 8n
user \fIuser name\fR
Evaluates to true if the ID matches a command run by
\fIuser name\fR.
.PP
Predicates may be abbreviated to the shortest unique string.
.sp
Predicates may be combined using
\fIand\fR,
\fIor\fR,
and
\fI\&!\fR
operators as well as
\(oq\&(\(cq
and
\(oq\&)\(cq
grouping (parentheses must generally be escaped from the shell).
The
\fIand\fR
operator is optional, adjacent predicates have an implied
\fIand\fR
unless separated by an
\fIor\fR.
.RE
.TP 8n
\fB\-m\fR, \fB\--max-wait\fR \fImax_wait\fR
Specify an upper bound on how long to wait between key presses or output data.
By default,
\fBsudoreplay\fR
will accurately reproduce the delays between key presses or program output.
However, this can be tedious when the session includes long pauses.
When the
\fB\-m\fR
option is specified,
\fBsudoreplay\fR
will limit these pauses to at most
\fImax_wait\fR
seconds.
The value may be specified as a floating point number, e.g.,
\fI2.5\fR.
A
\fImax_wait\fR
of zero or less will eliminate the pauses entirely.
.TP 8n
\fB\-n\fR, \fB\--non-interactive\fR
Do not prompt for user input or attempt to re-size the terminal.
The session is written to the standard output, not directly to
the user's terminal.
.TP 8n
\fB\-R\fR, \fB\--no-resize\fR
Do not attempt to re-size the terminal to match the terminal size
of the session.
.TP 8n
\fB\-S\fR, \fB\--suspend-wait\fR
Wait while the command was suspended.
By default,
\fBsudoreplay\fR
will ignore the time interval between when the command was suspended
and when it was resumed.
If the
\fB\-S\fR
option is specified,
\fBsudoreplay\fR
will wait instead.
.TP 8n
\fB\-s\fR, \fB\--speed\fR \fIspeed_factor\fR
This option causes
\fBsudoreplay\fR
to adjust the number of seconds it will wait between key presses or
program output.
This can be used to slow down or speed up the display.
For example, a
\fIspeed_factor\fR
of
\fI2\fR
would make the output twice as fast whereas a
\fIspeed_factor\fR
of
\fI.5\fR
would make the output twice as slow.
.TP 8n
\fB\-V\fR, \fB\--version\fR
Print the
\fBsudoreplay\fR
versions version number and exit.
.SS "Date and time format"
The time and date may be specified multiple ways, common formats include:
.TP 8n
HH:MM:SS am MM/DD/CCYY timezone
24 hour time may be used in place of am/pm.
.TP 8n
HH:MM:SS am Month, Day Year timezone
24 hour time may be used in place of am/pm, and month and day names
may be abbreviated.
Month and day of the week names must be specified in English.
.TP 8n
CCYY-MM-DD HH:MM:SS
ISO time format
.TP 8n
DD Month CCYY HH:MM:SS
The month name may be abbreviated.
.PP
Either time or date may be omitted, the am/pm and timezone are optional.
If no date is specified, the current day is assumed; if no time is
specified, the first second of the specified date is used.
The less significant parts of both time and date may also be omitted,
in which case zero is assumed.
.PP
The following are all valid time and date specifications:
.TP 8n
now
The current time and date.
.TP 8n
tomorrow
Exactly one day from now.
.TP 8n
yesterday
24 hours ago.
.TP 8n
2 hours ago
2 hours ago.
.TP 8n
next Friday
The first second of the Friday in the next (upcoming) week.
Not to be confused with
\(lqthis Friday\(rq
which would match the Friday of the current week.
.TP 8n
last week
The current time but 7 days ago.
This is equivalent to
\(lqa week ago\(rq.
.TP 8n
a fortnight ago
The current time but 14 days ago.
.TP 8n
10:01 am 9/17/2009
10:01 am, September 17, 2009.
.TP 8n
10:01 am
10:01 am on the current day.
.TP 8n
10
10:00 am on the current day.
.TP 8n
9/17/2009
00:00 am, September 17, 2009.
.TP 8n
10:01 am Sep 17, 2009
10:01 am, September 17, 2009.
.PP
Relative time specifications do not always work as expected.
For example, the
\(lqnext\(rq
qualifier is intended to be used in conjunction with a day such as
\(lqnext Monday\(rq.
When used with units of weeks, months, years, etc
the result will be one more than expected.
For example,
\(lqnext week\(rq
will result in a time exactly two weeks from now, which is probably
not what was intended.
This will be addressed in a future version of
\fBsudoreplay\fR.
.SS "Debugging sudoreplay"
\fBsudoreplay\fR
versions 1.8.4 and higher support a flexible debugging framework
that is configured via
\fIDebug\fR
lines in the
sudo.conf(@mansectform@)
file.
.PP
For more information on configuring
sudo.conf(@mansectform@),
refer to its manual.
.SH "FILES"
.TP 26n
\fI@sysconfdir@/sudo.conf\fR
Debugging framework configuration
.TP 26n
\fI@iolog_dir@\fR
The default I/O log directory.
.TP 26n
\fI@iolog_dir@/00/00/01/log\fR
Example session log info.
.TP 26n
\fI@iolog_dir@/00/00/01/log.json\fR
Example session log info (JSON format).
.TP 26n
\fI@iolog_dir@/00/00/01/stdin\fR
Example session standard input log.
.TP 26n
\fI@iolog_dir@/00/00/01/stdout\fR
Example session standard output log.
.TP 26n
\fI@iolog_dir@/00/00/01/stderr\fR
Example session standard error log.
.TP 26n
\fI@iolog_dir@/00/00/01/ttyin\fR
Example session tty input file.
.TP 26n
\fI@iolog_dir@/00/00/01/ttyout\fR
Example session tty output file.
.TP 26n
\fI@iolog_dir@/00/00/01/timing\fR
Example session timing file.
.PP
The
\fIstdin\fR,
\fIstdout\fR
and
\fIstderr\fR
files will be empty unless
\fBsudo\fR
was used as part of a pipeline for a particular command.
.SH "EXAMPLES"
List sessions run by user
\fImillert\fR:
.nf
.sp
.RS 4n
# sudoreplay -l user millert
.RE
.fi
.PP
List sessions run by user
\fIbob\fR
with a command containing the string vi:
.nf
.sp
.RS 4n
# sudoreplay -l user bob command vi
.RE
.fi
.PP
List sessions run by user
\fIjeff\fR
that match a regular expression:
.nf
.sp
.RS 4n
# sudoreplay -l user jeff command '/bin/[a-z]*sh'
.RE
.fi
.PP
List sessions run by jeff or bob on the console:
.nf
.sp
.RS 4n
# sudoreplay -l ( user jeff or user bob ) tty console
.RE
.fi
.SH "SEE ALSO"
script(1),
sudo.conf(@mansectform@),
sudo(@mansectsu@)
.SH "AUTHORS"
Many people have worked on
\fBsudo\fR
over the years; this version consists of code written primarily by:
.sp
.RS 6n
Todd C. Miller
.RE
.PP
See the CONTRIBUTORS.md file in the
\fBsudo\fR
distribution (https://www.sudo.ws/about/contributors/) for an
exhaustive list of people who have contributed to
\fBsudo\fR.
.SH "BUGS"
If you believe you have found a bug in
\fBsudoreplay\fR,
you can either file a bug report in the sudo bug database,
https://bugzilla.sudo.ws/, or open an issue at
https://github.com/sudo-project/sudo/issues.
If you would prefer to use email, messages may be sent to the
sudo-workers mailing list,
https://www.sudo.ws/mailman/listinfo/sudo-workers (public)
or <sudo@sudo.ws> (private).
.PP
Please not report security vulnerabilities through public GitHub
issues, Bugzilla or mailing lists.
Instead, report them via email to <Todd.Miller@sudo.ws>.
You may encrypt your message with PGP if you would like, using
the key found at https://www.sudo.ws/dist/PGPKEYS.
.SH "SUPPORT"
Limited free support is available via the sudo-users mailing list,
see https://www.sudo.ws/mailman/listinfo/sudo-users to subscribe or
search the archives.
.SH "DISCLAIMER"
\fBsudoreplay\fR
is provided
\(lqAS IS\(rq
and any express or implied warranties, including, but not limited
to, the implied warranties of merchantability and fitness for a
particular purpose are disclaimed.
See the LICENSE.md file distributed with
\fBsudo\fR
or https://www.sudo.ws/about/license/ for complete details.
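Review bot: the SYNOPSIS option group `[\fB\-FhnRS\fR]` leaves out -V even though `\fB\-V\fR, \fB\--version\fR` is documented in the options list further down; since the first line of this file says it is generated from sudoreplay.mdoc.in, that fix, together with the two wording errors this copy inherits ("versions version number and exit" under -V and "Please not report security vulnerabilities" under BUGS, which should read "Please do not report"), belongs in the mdoc source, with this file regenerated rather than edited by hand. As a consistency point, the SYNOPSIS names the -m and -s arguments `num` while the option descriptions call them `max_wait` and `speed_factor`; using one name in both places would make the page easier to cross-reference.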

489
docs/sudoreplay.mdoc.in Normal file

@ -0,0 +1,489 @@
.\"
.\" SPDX-License-Identifier: ISC
.\"
.\" Copyright (c) 2009-2023 Todd C. Miller <Todd.Miller@sudo.ws>
.\"
.\" Permission to use, copy, modify, and distribute this software for any
.\" purpose with or without fee is hereby granted, provided that the above
.\" copyright notice and this permission notice appear in all copies.
.\"
.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
.\"
.Dd January 16, 2023
.Dt SUDOREPLAY @mansectsu@
.Os Sudo @PACKAGE_VERSION@
.Sh NAME
.Nm sudoreplay
.Nd replay sudo session logs
.Sh SYNOPSIS
.Nm sudoreplay
.Op Fl FhnRS
.Op Fl d Ar dir
.Op Fl f Ar filter
.Op Fl m Ar num
.Op Fl s Ar num
.No ID Ns Op Ar @offset
.Pp
.Nm
.Op Fl h
.Op Fl d Ar dir
.Fl l
.Op search expression
.Sh DESCRIPTION
.Nm
plays back or lists the output logs created by
.Nm sudo .
When replaying,
.Nm
can play the session back in real-time, or the playback speed may be
adjusted (faster or slower) based on the command line options.
.Pp
The
.Em ID
should either be a six character sequence of digits and
upper case letters, e.g.,
.Dq 0100A5
or a path name.
The
.Em ID
may include an optional
.Ar @offset
suffix which may be used to start replaying at a specific time offset.
The
.Ar @offset
is specified as a number in seconds since the start of the session
with an optional decimal fraction.
.Pp
Path names may be relative to the I/O log directory
.Pa @iolog_dir@
(unless overridden by the
.Fl d
option) or fully qualified, beginning with a
.Ql /
character.
When a command is run via
.Nm sudo
with
.Em log_output
enabled in the
.Em sudoers
file, a
.Dq TSID=ID
string is logged via
.Xr syslog 3
or to the
.Nm sudo
log file.
The
.Em ID
may also be determined using
.Nm sudoreplay Ns 's
list mode.
.Pp
In list mode,
.Nm
can be used to find the ID of a session based on a number of criteria
such as the user, tty, or command run.
.Pp
In replay mode, if the standard input and output are connected to a terminal
and the
.Fl n
option is not specified,
.Nm
will operate interactively.
In interactive mode,
.Nm
will attempt to adjust the terminal size to match that of the session and
write directly to the terminal (not all terminals support this).
Additionally, it will poll the keyboard and act on the following keys:
.Bl -tag -width 12n
.It So Li \en Sc No or So Li \er Sc
Skip to the next replay event; useful for long pauses.
.It So Li \ Sc Pq space
Pause output; press any key to resume.
.It Ql <
Reduce the playback speed by one half.
.It Ql >
Double the playback speed.
.El
.Pp
The session can be interrupted via control-C.
When the session has finished, the terminal is restored to its
original size if it was changed during playback.
.Pp
The options are as follows:
.Bl -tag -width Ds
.It Fl d Ar dir , Fl -directory Ns = Ns Ar dir
Store session logs in
.Ar dir
instead of the default,
.Pa @iolog_dir@ .
.It Fl f Ar filter , Fl -filter Ns = Ns Ar filter
Select which I/O type(s) to display.
By default,
.Nm
will display the command's standard output, standard error, and tty output.
The
.Ar filter
argument is a comma-separated list, consisting of one or more of following:
.Em stdin ,
.Em stdout ,
.Em stderr ,
.Em ttyin ,
and
.Em ttyout .
.It Fl F , -follow
Enable
.Dq follow mode .
When replaying a session,
.Nm
will ignore end-of-file and keep replaying until the log is complete.
This can be used to replay a session that is still in progress,
similar to
.Dq tail -f .
An I/O log file is considered to be complete when the write bits
have been cleared on the session's timing file.
Versions of
.Nm sudo
prior to 1.9.1 do not clear the write bits upon completion.
.It Fl h , -help
Display a short help message to the standard output and exit.
.It Fl l , -list Op Ar search expression
Enable
.Dq list mode .
In this mode,
.Nm
will list available sessions in a format similar to the
.Nm sudo
log file format, sorted by file name (or sequence number).
Any control characters present in the log data are formatted in octal
with a leading
.Ql #
character.
For example, a horizontal tab is displayed as
.Ql #011
and an embedded carriage return is displayed as
.Ql #015 .
Space characters in the command name and arguments are also formatted in octal.
.Pp
If a
.Ar search expression
is specified, it will be used to restrict the IDs that are displayed.
An expression is composed of the following predicates:
.Bl -tag -width 6n
.It command Ar pattern
Evaluates to true if the command run matches the POSIX extended
regular expression
.Ar pattern .
.It cwd Ar directory
Evaluates to true if the command was run with the specified current
working directory.
.It fromdate Ar date
Evaluates to true if the command was run on or after
.Ar date .
See
.Sx Date and time format
for a description of supported date and time formats.
.It group Ar runas_group
Evaluates to true if the command was run with the specified
.Ar runas_group .
Unless a
.Ar runas_group
was explicitly specified when
.Nm sudo
was run this field will be empty in the log.
.It host Ar hostname
Evaluates to true if the command was run on the specified
.Ar hostname .
.It runas Ar runas_user
Evaluates to true if the command was run as the specified
.Ar runas_user .
By default,
.Nm sudo
runs commands as the
.Sy root
user.
.It todate Ar date
Evaluates to true if the command was run on or prior to
.Ar date .
See
.Sx Date and time format
for a description of supported date and time formats.
.It tty Ar tty name
Evaluates to true if the command was run on the specified terminal device.
The
.Ar tty name
should be specified without the
.Pa /dev/
prefix, e.g.,
.Pa tty01
instead of
.Pa /dev/tty01 .
.It user Ar user name
Evaluates to true if the ID matches a command run by
.Ar user name .
.El
.Pp
Predicates may be abbreviated to the shortest unique string.
.Pp
Predicates may be combined using
.Em and ,
.Em or ,
and
.Em \&!
operators as well as
.Ql \&(
and
.Ql \&)
grouping (parentheses must generally be escaped from the shell).
The
.Em and
operator is optional, adjacent predicates have an implied
.Em and
unless separated by an
.Em or .
.It Fl m , -max-wait Ar max_wait
Specify an upper bound on how long to wait between key presses or output data.
By default,
.Nm
will accurately reproduce the delays between key presses or program output.
However, this can be tedious when the session includes long pauses.
When the
.Fl m
option is specified,
.Nm
will limit these pauses to at most
.Em max_wait
seconds.
The value may be specified as a floating point number, e.g.,
.Em 2.5 .
A
.Em max_wait
of zero or less will eliminate the pauses entirely.
.It Fl n , -non-interactive
Do not prompt for user input or attempt to re-size the terminal.
The session is written to the standard output, not directly to
the user's terminal.
.It Fl R , -no-resize
Do not attempt to re-size the terminal to match the terminal size
of the session.
.It Fl S , -suspend-wait
Wait while the command was suspended.
By default,
.Nm
will ignore the time interval between when the command was suspended
and when it was resumed.
If the
.Fl S
option is specified,
.Nm
will wait instead.
.It Fl s , -speed Ar speed_factor
This option causes
.Nm
to adjust the number of seconds it will wait between key presses or
program output.
This can be used to slow down or speed up the display.
For example, a
.Ar speed_factor
of
.Em 2
would make the output twice as fast whereas a
.Ar speed_factor
of
.Em .5
would make the output twice as slow.
.It Fl V , -version
Print the
.Nm
versions version number and exit.
.El
.Ss Date and time format
The time and date may be specified multiple ways, common formats include:
.Bl -tag -width 6n
.It HH:MM:SS am MM/DD/CCYY timezone
24 hour time may be used in place of am/pm.
.It HH:MM:SS am Month, Day Year timezone
24 hour time may be used in place of am/pm, and month and day names
may be abbreviated.
Month and day of the week names must be specified in English.
.It CCYY-MM-DD HH:MM:SS
ISO time format
.It DD Month CCYY HH:MM:SS
The month name may be abbreviated.
.El
.Pp
Either time or date may be omitted, the am/pm and timezone are optional.
If no date is specified, the current day is assumed; if no time is
specified, the first second of the specified date is used.
The less significant parts of both time and date may also be omitted,
in which case zero is assumed.
.Pp
The following are all valid time and date specifications:
.Bl -tag -width 6n
.It now
The current time and date.
.It tomorrow
Exactly one day from now.
.It yesterday
24 hours ago.
.It 2 hours ago
2 hours ago.
.It next Friday
The first second of the Friday in the next (upcoming) week.
Not to be confused with
.Dq this Friday
which would match the Friday of the current week.
.It last week
The current time but 7 days ago.
This is equivalent to
.Dq a week ago .
.It a fortnight ago
The current time but 14 days ago.
.It 10:01 am 9/17/2009
10:01 am, September 17, 2009.
.It 10:01 am
10:01 am on the current day.
.It 10
10:00 am on the current day.
.It 9/17/2009
00:00 am, September 17, 2009.
.It 10:01 am Sep 17, 2009
10:01 am, September 17, 2009.
.El
.Pp
Relative time specifications do not always work as expected.
For example, the
.Dq next
qualifier is intended to be used in conjunction with a day such as
.Dq next Monday .
When used with units of weeks, months, years, etc
the result will be one more than expected.
For example,
.Dq next week
will result in a time exactly two weeks from now, which is probably
not what was intended.
This will be addressed in a future version of
.Nm .
.Ss Debugging sudoreplay
.Nm
versions 1.8.4 and higher support a flexible debugging framework
that is configured via
.Em Debug
lines in the
.Xr sudo.conf @mansectform@
file.
.Pp
For more information on configuring
.Xr sudo.conf @mansectform@ ,
refer to its manual.
.Sh FILES
.Bl -tag -width 24n
.It Pa @sysconfdir@/sudo.conf
Debugging framework configuration
.It Pa @iolog_dir@
The default I/O log directory.
.It Pa @iolog_dir@/00/00/01/log
Example session log info.
.It Pa @iolog_dir@/00/00/01/log.json
Example session log info (JSON format).
.It Pa @iolog_dir@/00/00/01/stdin
Example session standard input log.
.It Pa @iolog_dir@/00/00/01/stdout
Example session standard output log.
.It Pa @iolog_dir@/00/00/01/stderr
Example session standard error log.
.It Pa @iolog_dir@/00/00/01/ttyin
Example session tty input file.
.It Pa @iolog_dir@/00/00/01/ttyout
Example session tty output file.
.It Pa @iolog_dir@/00/00/01/timing
Example session timing file.
.El
.Pp
The
.Em stdin ,
.Em stdout
and
.Em stderr
files will be empty unless
.Nm sudo
was used as part of a pipeline for a particular command.
.Sh EXAMPLES
List sessions run by user
.Em millert :
.Bd -literal -offset 4n
# sudoreplay -l user millert
.Ed
.Pp
List sessions run by user
.Em bob
with a command containing the string vi:
.Bd -literal -offset 4n
# sudoreplay -l user bob command vi
.Ed
.Pp
List sessions run by user
.Em jeff
that match a regular expression:
.Bd -literal -offset 4n
# sudoreplay -l user jeff command '/bin/[a-z]*sh'
.Ed
.Pp
List sessions run by jeff or bob on the console:
.Bd -literal -offset 4n
# sudoreplay -l ( user jeff or user bob ) tty console
.Ed
.Sh SEE ALSO
.Xr script 1 ,
.Xr sudo.conf @mansectform@ ,
.Xr sudo @mansectsu@
.Sh AUTHORS
Many people have worked on
.Nm sudo
over the years; this version consists of code written primarily by:
.Bd -ragged -offset indent
.An Todd C. Miller
.Ed
.Pp
See the CONTRIBUTORS.md file in the
.Nm sudo
distribution (https://www.sudo.ws/about/contributors/) for an
exhaustive list of people who have contributed to
.Nm sudo .
.Sh BUGS
If you believe you have found a bug in
.Nm ,
you can either file a bug report in the sudo bug database,
https://bugzilla.sudo.ws/, or open an issue at
https://github.com/sudo-project/sudo/issues.
If you would prefer to use email, messages may be sent to the
sudo-workers mailing list,
https://www.sudo.ws/mailman/listinfo/sudo-workers (public)
or <sudo@sudo.ws> (private).
.Pp
Please not report security vulnerabilities through public GitHub
issues, Bugzilla or mailing lists.
Instead, report them via email to <Todd.Miller@sudo.ws>.
You may encrypt your message with PGP if you would like, using
the key found at https://www.sudo.ws/dist/PGPKEYS.
.Sh SUPPORT
Limited free support is available via the sudo-users mailing list,
see https://www.sudo.ws/mailman/listinfo/sudo-users to subscribe or
search the archives.
.Sh DISCLAIMER
.Nm
is provided
.Dq AS IS
and any express or implied warranties, including, but not limited
to, the implied warranties of merchantability and fitness for a
particular purpose are disclaimed.
See the LICENSE.md file distributed with
.Nm sudo
or https://www.sudo.ws/about/license/ for complete details.
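Review bot: the BUGS paragraph is missing the word "do": "Please not report security vulnerabilities through public GitHub issues, Bugzilla or mailing lists." should read "Please do not report security vulnerabilities through public GitHub issues, Bugzilla or mailing lists.", otherwise the sentence says the opposite of what the vulnerability-reporting instructions intend. A smaller style point in the time-specification table: "00:00 am, September 17, 2009" mixes 24-hour and 12-hour notation; "12:00 am" or "midnight" would be unambiguous.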

560
docs/visudo.man.in Normal file

@ -0,0 +1,560 @@
.\" Automatically generated from the visudo.mdoc.in file. Do not edit.
.\"
.\" SPDX-License-Identifier: ISC
.\"
.\" Copyright (c) 1996,1998-2005, 2007-2023
.\" Todd C. Miller <Todd.Miller@sudo.ws>
.\"
.\" Permission to use, copy, modify, and distribute this software for any
.\" purpose with or without fee is hereby granted, provided that the above
.\" copyright notice and this permission notice appear in all copies.
.\"
.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
.\"
.\" Sponsored in part by the Defense Advanced Research Projects
.\" Agency (DARPA) and Air Force Research Laboratory, Air Force
.\" Materiel Command, USAF, under agreement number F39502-99-1-0512.
.\"
.TH "VISUDO" "@mansectsu@" "July 27, 2023" "Sudo @PACKAGE_VERSION@" "System Manager's Manual"
.nh
.if n .ad l
.SH "NAME"
\fBvisudo\fR
\- edit the sudoers file
.SH "SYNOPSIS"
.HP 7n
\fBvisudo\fR
[\fB\-chIOPqsV\fR]
[[\fB\-f\fR]\ \fIsudoers\fR]
.SH "DESCRIPTION"
\fBvisudo\fR
edits the
\fIsudoers\fR
file in a safe fashion, analogous to
vipw(@mansectsu@).
\fBvisudo\fR
locks the
\fIsudoers\fR
file against multiple simultaneous edits, performs basic validity checks,
and checks for syntax errors before installing the edited file.
If the
\fIsudoers\fR
file is currently being edited you will receive a message to try again later.
.PP
If the
\fIsudoers\fR
file does not exist, it will be created unless the editor exits
without writing to the file.
.PP
\fBvisudo\fR
parses the
\fIsudoers\fR
file after editing and will not save the changes if there is a syntax error.
Upon finding an error,
\fBvisudo\fR
will print a message stating the line number(s)
where the error occurred and the user will receive the
\(lqWhat now?\(rq
prompt.
At this point the user may enter
\(oqe\(cq
to re-edit the
\fIsudoers\fR
file,
\(oqx\(cq
to exit without saving the changes, or
\(oqQ\(cq
to quit and save changes.
The
\(oqQ\(cq
option should be used with extreme caution because if
\fBvisudo\fR
believes there to be a syntax error, so will
\fBsudo\fR.
If
\(oqe\(cq
is typed to edit the
\fIsudoers\fR
file after a syntax error has been detected, the cursor will be placed on
the line where the error occurred (if the editor supports this feature).
.PP
There are two
\fIsudoers\fR
settings that determine which editor
\fBvisudo\fR
will run.
.TP 12n
editor
A colon
(\(oq:\&\(cq)
separated list of editors allowed to be used with
\fBvisudo\fR.
\fBvisudo\fR
will choose the editor that matches the user's
\fRSUDO_EDITOR\fR,
\fRVISUAL\fR,
or
\fREDITOR\fR
environment variable if possible, or the first editor in the
list that exists and is executable.
\fBsudo\fR
does not preserve the
\fRSUDO_EDITOR\fR,
\fRVISUAL\fR,
or
\fREDITOR\fR
environment variables unless they are present in the
\fIenv_keep\fR
list or the
\fIenv_reset\fR
option is disabled in the
\fIsudoers\fR
file.
The default editor path is
\fI@editor@\fR
which can be set at compile time via the
\fR--with-editor\fR
configure option.
.TP 12n
env_editor
If set,
\fBvisudo\fR
will use the value of the
\fRSUDO_EDITOR\fR,
\fRVISUAL\fR,
or
\fREDITOR\fR
environment variables before falling back on the default editor list.
\fBvisudo\fR
is typically run as root so this option may allow a user with
\fBvisudo\fR
privileges to run arbitrary commands as root without logging.
An alternative is to place a colon-separated list of
\(lqsafe\(rq
editors in the
\fIeditor\fR
variable.
\fBvisudo\fR
will then only use
\fRSUDO_EDITOR\fR,
\fRVISUAL\fR,
or
\fREDITOR\fR
if they match a value specified in
\fIeditor\fR.
If the
\fIenv_reset\fR
flag is enabled, the
\fRSUDO_EDITOR\fR,
\fRVISUAL\fR,
and/or
\fREDITOR\fR
environment variables must be present in the
\fIenv_keep\fR
list for the
\fIenv_editor\fR
flag to function when
\fBvisudo\fR
is invoked via
\fBsudo\fR.
The default value is
\fI@env_editor@\fR,
which can be set at compile time via the
\fR--with-env-editor\fR
configure option.
.PP
The options are as follows:
.TP 8n
\fB\-c\fR, \fB\--check\fR
Enable
\fIcheck-only\fR
mode.
The existing
\fIsudoers\fR
file (and any other files it includes) will be
checked for syntax errors.
If the path to the
\fIsudoers\fR
file was not specified,
\fBvisudo\fR
will also check the file ownership and permissions (see the
\fB\-O\fR
and
\fB\-P\fR
options).
A message will be printed to the standard output describing the status of
\fIsudoers\fR
unless the
\fB\-q\fR
option was specified.
If the check completes successfully,
\fBvisudo\fR
will exit with a value of 0.
If an error is encountered,
\fBvisudo\fR
will exit with a value of 1.
.TP 8n
\fB\-f\fR \fIsudoers\fR, \fB\--file\fR=\fIsudoers\fR
Specify an alternate
\fIsudoers\fR
file location, see below.
As of version 1.8.27, the
\fIsudoers\fR
path can be specified without using the
\fB\-f\fR
option.
.TP 8n
\fB\-h\fR, \fB\--help\fR
Display a short help message to the standard output and exit.
.TP 8n
\fB\-I\fR, \fB\--no-includes\fR
Disable the editing of include files unless there is a pre-existing
syntax error.
By default,
\fBvisudo\fR
will edit the main
\fIsudoers\fR
file and any files included via
\fI@include\fR
or
\fI#include\fR
directives.
Files included via
\fI@includedir\fR
or
\fI#includedir\fR
are never edited unless they contain a syntax error.
.TP 8n
\fB\-O\fR, \fB\--owner\fR
Enforce the default ownership (user and group) of the
\fIsudoers\fR
file.
In edit mode, the owner of the edited file will be set to the default.
In check mode
(\fB\-c\fR),
an error will be reported if the owner is incorrect.
This option is enabled by default if the
\fIsudoers\fR
file was not specified.
.TP 8n
\fB\-P\fR, \fB\--perms\fR
Enforce the default permissions (mode) of the
\fIsudoers\fR
file.
In edit mode, the permissions of the edited file will be set to the default.
In check mode
(\fB\-c\fR),
an error will be reported if the file permissions are incorrect.
This option is enabled by default if the
\fIsudoers\fR
file was not specified.
.TP 8n
\fB\-q\fR, \fB\--quiet\fR
Enable
\fIquiet\fR
mode.
In this mode details about syntax errors are not printed.
This option is only useful when combined with
the
\fB\-c\fR
option.
.TP 8n
\fB\-s\fR, \fB\--strict\fR
Enable
\fIstrict\fR
checking of the
\fIsudoers\fR
file.
If an alias is referenced but not actually defined
or if there is a cycle in an alias,
\fBvisudo\fR
will consider this a syntax error.
It is not possible to differentiate between an alias and a host
name or user name that consists solely of uppercase letters, digits,
and the underscore
(\(oq_\(cq)
character.
.TP 8n
\fB\-V\fR, \fB\--version\fR
Print the
\fBvisudo\fR
and
\fIsudoers\fR
grammar versions and exit.
.PP
A
\fIsudoers\fR
file may be specified instead of the default,
\fI@sysconfdir@/sudoers\fR.
The temporary file used is the specified
\fIsudoers\fR
file with
\(lq\.tmp\(rq
appended to it.
In
\fIcheck-only\fR
mode only,
\(oq-\(cq
may be used to indicate that
\fIsudoers\fR
will be read from the standard input.
Because the policy is evaluated in its entirety, it is not sufficient
to check an individual
\fIsudoers\fR
include file for syntax errors.
.SS "Debugging and sudoers plugin arguments"
\fBvisudo\fR
versions 1.8.4 and higher support a flexible debugging framework
that is configured via
\fIDebug\fR
lines in the
sudo.conf(@mansectform@)
file.
.PP
Starting with
\fBsudo\fR
1.8.12,
\fBvisudo\fR
will also parse the arguments to the
\fIsudoers\fR
plugin to override the default
\fIsudoers\fR
path name, user-ID, group-ID, and file mode.
These arguments, if present, should be listed after the path to the plugin
(i.e., after
\fI@sudoers_plugin@\fR).
Multiple arguments may be specified, separated by white space.
For example:
.nf
.sp
.RS 4n
Plugin sudoers_policy @sudoers_plugin@ sudoers_mode=0400
.RE
.fi
.PP
The following arguments are supported:
.TP 6n
sudoers_file=pathname
The
\fIsudoers_file\fR
argument can be used to override the default path to the
\fIsudoers\fR
file.
.TP 6n
sudoers_uid=user-ID
The
\fIsudoers_uid\fR
argument can be used to override the default owner of the sudoers file.
It should be specified as a numeric user-ID.
.TP 6n
sudoers_gid=group-ID
The
\fIsudoers_gid\fR
argument can be used to override the default group of the sudoers file.
It must be specified as a numeric group-ID (not a group name).
.TP 6n
sudoers_mode=mode
The
\fIsudoers_mode\fR
argument can be used to override the default file mode for the sudoers file.
It should be specified as an octal value.
.PP
For more information on configuring
sudo.conf(@mansectform@),
refer to its manual.
.SH "ENVIRONMENT"
The following environment variables may be consulted depending on
the value of the
\fIeditor\fR
and
\fIenv_editor\fR
\fIsudoers\fR
settings:
.TP 17n
\fRSUDO_EDITOR\fR
Invoked by
\fBvisudo\fR
as the editor to use
.TP 17n
\fRVISUAL\fR
Used by
\fBvisudo\fR
if
\fRSUDO_EDITOR\fR
is not set
.TP 17n
\fREDITOR\fR
Used by
\fBvisudo\fR
if neither
\fRSUDO_EDITOR\fR
nor
\fRVISUAL\fR
is set
.SH "FILES"
.TP 26n
\fI@sysconfdir@/sudo.conf\fR
Sudo front-end configuration
.TP 26n
\fI@sysconfdir@/sudoers\fR
List of who can run what
.TP 26n
\fI@sysconfdir@/sudoers.tmp\fR
Default temporary file used by visudo
.SH "DIAGNOSTICS"
In addition to reporting
\fIsudoers\fR
syntax errors,
\fBvisudo\fR
may produce the following messages:
.TP 6n
\fRsudoers file busy, try again later.\fR
Someone else is currently editing the
\fIsudoers\fR
file.
.TP 6n
\fR@sysconfdir@/sudoers: Permission denied\fR
You didn't run
\fBvisudo\fR
as root.
.TP 6n
\fRyou do not exist in the passwd database\fR
Your user-ID does not appear in the system passwd database.
.TP 6n
\fRWarning: {User,Runas,Host,Cmnd}_Alias referenced but not defined\fR
Either you are trying to use an undeclared {User,Runas,Host,Cmnd}_Alias
or you have a user or host name listed that consists solely of
uppercase letters, digits, and the underscore
(\(oq_\(cq)
character.
In the latter case, you can ignore the warnings
(\fBsudo\fR
will not complain)
\&.
The message is prefixed with the path name of the
\fIsudoers\fR
file and the line number where the undefined alias was used.
In
\fB\-s\fR
(strict) mode these are errors, not warnings.
.TP 6n
\fRWarning: unused {User,Runas,Host,Cmnd}_Alias\fR
The specified {User,Runas,Host,Cmnd}_Alias was defined but never
used.
The message is prefixed with the path name of the
\fIsudoers\fR
file and the line number where the unused alias was defined.
You may wish to comment out or remove the unused alias.
.TP 6n
\fRWarning: cycle in {User,Runas,Host,Cmnd}_Alias\fR
The specified {User,Runas,Host,Cmnd}_Alias includes a reference to
itself, either directly or through an alias it includes.
The message is prefixed with the path name of the
\fIsudoers\fR
file and the line number where the cycle was detected.
This is only a warning unless
\fBvisudo\fR
is run in
\fB\-s\fR
(strict) mode as
\fBsudo\fR
will ignore cycles when parsing
the
\fIsudoers\fR
file.
.TP 6n
\fRignoring editor backup file\fR
While processing a
\fI@includedir\fR
or
\fI#includedir\fR,
a file was found with a name that ends in
\(oq~\(cq
or
\fI.bak\fR.
Such files are skipped by
\fBsudo\fR
and
\fBvisudo\fR.
.TP 6n
\fRignoring file name containing '.'\fR
While processing a
\fI@includedir\fR
or
\fI#includedir\fR,
a file was found with a name that contains a
\(oq.\&\(cq
character.
Such files are skipped by
\fBsudo\fR
and
\fBvisudo\fR.
.TP 6n
\fRunknown defaults entry \&"name\&"\fR
The
\fIsudoers\fR
file contains a
\fIDefaults\fR
setting not recognized by
\fBvisudo\fR.
.SH "SEE ALSO"
vi(1),
sudo.conf(@mansectform@),
sudoers(@mansectform@),
sudo(@mansectsu@),
vipw(@mansectsu@)
.SH "AUTHORS"
Many people have worked on
\fBsudo\fR
over the years; this version consists of code written primarily by:
.sp
.RS 6n
Todd C. Miller
.RE
.PP
See the CONTRIBUTORS.md file in the
\fBsudo\fR
distribution (https://www.sudo.ws/about/contributors/) for an
exhaustive list of people who have contributed to
\fBsudo\fR.
.SH "CAVEATS"
There is no easy way to prevent a user from gaining a root shell if
the editor used by
\fBvisudo\fR
allows shell escapes.
.SH "BUGS"
If you believe you have found a bug in
\fBvisudo\fR,
you can either file a bug report in the sudo bug database,
https://bugzilla.sudo.ws/, or open an issue at
https://github.com/sudo-project/sudo/issues.
If you would prefer to use email, messages may be sent to the
sudo-workers mailing list,
https://www.sudo.ws/mailman/listinfo/sudo-workers (public)
or <sudo@sudo.ws> (private).
.PP
Please not report security vulnerabilities through public GitHub
issues, Bugzilla or mailing lists.
Instead, report them via email to <Todd.Miller@sudo.ws>.
You may encrypt your message with PGP if you would like, using
the key found at https://www.sudo.ws/dist/PGPKEYS.
.SH "SUPPORT"
Limited free support is available via the sudo-users mailing list,
see https://www.sudo.ws/mailman/listinfo/sudo-users to subscribe or
search the archives.
.SH "DISCLAIMER"
\fBvisudo\fR
is provided
\(lqAS IS\(rq
and any express or implied warranties, including, but not limited
to, the implied warranties of merchantability and fitness for a
particular purpose are disclaimed.
See the LICENSE.md file distributed with
\fBsudo\fR
or https://www.sudo.ws/about/license/ for complete details.
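Review bot: the BUGS section is missing the word "do" ("Please not report security vulnerabilities through public GitHub issues, Bugzilla or mailing lists." should be "Please do not report ..."). Because this file carries the header "Automatically generated from the visudo.mdoc.in file. Do not edit.", the correction belongs in visudo.mdoc.in followed by regenerating this file, so the two copies do not drift apart.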

537
docs/visudo.mdoc.in Normal file

@ -0,0 +1,537 @@
.\"
.\" SPDX-License-Identifier: ISC
.\"
.\" Copyright (c) 1996,1998-2005, 2007-2023
.\" Todd C. Miller <Todd.Miller@sudo.ws>
.\"
.\" Permission to use, copy, modify, and distribute this software for any
.\" purpose with or without fee is hereby granted, provided that the above
.\" copyright notice and this permission notice appear in all copies.
.\"
.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
.\"
.\" Sponsored in part by the Defense Advanced Research Projects
.\" Agency (DARPA) and Air Force Research Laboratory, Air Force
.\" Materiel Command, USAF, under agreement number F39502-99-1-0512.
.\"
.Dd July 27, 2023
.Dt VISUDO @mansectsu@
.Os Sudo @PACKAGE_VERSION@
.Sh NAME
.Nm visudo
.Nd edit the sudoers file
.Sh SYNOPSIS
.Nm visudo
.Op Fl chIOPqsV
.Op Bo Fl f Bc Ar sudoers
.Sh DESCRIPTION
.Nm
edits the
.Em sudoers
file in a safe fashion, analogous to
.Xr vipw @mansectsu@ .
.Nm
locks the
.Em sudoers
file against multiple simultaneous edits, performs basic validity checks,
and checks for syntax errors before installing the edited file.
If the
.Em sudoers
file is currently being edited you will receive a message to try again later.
.Pp
If the
.Em sudoers
file does not exist, it will be created unless the editor exits
without writing to the file.
.Pp
.Nm
parses the
.Em sudoers
file after editing and will not save the changes if there is a syntax error.
Upon finding an error,
.Nm
will print a message stating the line number(s)
where the error occurred and the user will receive the
.Dq What now?
prompt.
At this point the user may enter
.Ql e
to re-edit the
.Em sudoers
file,
.Ql x
to exit without saving the changes, or
.Ql Q
to quit and save changes.
The
.Ql Q
option should be used with extreme caution because if
.Nm
believes there to be a syntax error, so will
.Nm sudo .
If
.Ql e
is typed to edit the
.Em sudoers
file after a syntax error has been detected, the cursor will be placed on
the line where the error occurred (if the editor supports this feature).
.Pp
There are two
.Em sudoers
settings that determine which editor
.Nm visudo
will run.
.Bl -tag -width "env_editor"
.It editor
A colon
.Pq Ql :\&
separated list of editors allowed to be used with
.Nm .
.Nm
will choose the editor that matches the user's
.Ev SUDO_EDITOR ,
.Ev VISUAL ,
or
.Ev EDITOR
environment variable if possible, or the first editor in the
list that exists and is executable.
.Nm sudo
does not preserve the
.Ev SUDO_EDITOR ,
.Ev VISUAL ,
or
.Ev EDITOR
environment variables unless they are present in the
.Em env_keep
list or the
.Em env_reset
option is disabled in the
.Em sudoers
file.
The default editor path is
.Pa @editor@
which can be set at compile time via the
.Li --with-editor
configure option.
.It env_editor
If set,
.Nm
will use the value of the
.Ev SUDO_EDITOR ,
.Ev VISUAL ,
or
.Ev EDITOR
environment variables before falling back on the default editor list.
.Nm visudo
is typically run as root so this option may allow a user with
.Nm visudo
privileges to run arbitrary commands as root without logging.
An alternative is to place a colon-separated list of
.Dq safe
editors in the
.Em editor
variable.
.Nm
will then only use
.Ev SUDO_EDITOR ,
.Ev VISUAL ,
or
.Ev EDITOR
if they match a value specified in
.Em editor .
If the
.Em env_reset
flag is enabled, the
.Ev SUDO_EDITOR ,
.Ev VISUAL ,
and/or
.Ev EDITOR
environment variables must be present in the
.Em env_keep
list for the
.Em env_editor
flag to function when
.Nm
is invoked via
.Nm sudo .
The default value is
.Em @env_editor@ ,
which can be set at compile time via the
.Li --with-env-editor
configure option.
.El
.Pp
The options are as follows:
.Bl -tag -width Ds
.It Fl c , -check
Enable
.Em check-only
mode.
The existing
.Em sudoers
file (and any other files it includes) will be
checked for syntax errors.
If the path to the
.Em sudoers
file was not specified,
.Nm
will also check the file ownership and permissions (see the
.Fl O
and
.Fl P
options).
A message will be printed to the standard output describing the status of
.Em sudoers
unless the
.Fl q
option was specified.
If the check completes successfully,
.Nm
will exit with a value of 0.
If an error is encountered,
.Nm
will exit with a value of 1.
.It Fl f Ar sudoers , Fl -file Ns = Ns Ar sudoers
Specify an alternate
.Em sudoers
file location, see below.
As of version 1.8.27, the
.Em sudoers
path can be specified without using the
.Fl f
option.
.It Fl h , -help
Display a short help message to the standard output and exit.
.It Fl I , -no-includes
Disable the editing of include files unless there is a pre-existing
syntax error.
By default,
.Nm
will edit the main
.Ar sudoers
file and any files included via
.Em @include
or
.Em #include
directives.
Files included via
.Em @includedir
or
.Em #includedir
are never edited unless they contain a syntax error.
.It Fl O , -owner
Enforce the default ownership (user and group) of the
.Em sudoers
file.
In edit mode, the owner of the edited file will be set to the default.
In check mode
.Pq Fl c ,
an error will be reported if the owner is incorrect.
This option is enabled by default if the
.Em sudoers
file was not specified.
.It Fl P , -perms
Enforce the default permissions (mode) of the
.Em sudoers
file.
In edit mode, the permissions of the edited file will be set to the default.
In check mode
.Pq Fl c ,
an error will be reported if the file permissions are incorrect.
This option is enabled by default if the
.Em sudoers
file was not specified.
.It Fl q , -quiet
Enable
.Em quiet
mode.
In this mode details about syntax errors are not printed.
This option is only useful when combined with
the
.Fl c
option.
.It Fl s , -strict
Enable
.Em strict
checking of the
.Em sudoers
file.
If an alias is referenced but not actually defined
or if there is a cycle in an alias,
.Nm
will consider this a syntax error.
It is not possible to differentiate between an alias and a host
name or user name that consists solely of uppercase letters, digits,
and the underscore
.Pq Ql _
character.
.It Fl V , -version
Print the
.Nm
and
.Em sudoers
grammar versions and exit.
.El
.Pp
A
.Em sudoers
file may be specified instead of the default,
.Pa @sysconfdir@/sudoers .
The temporary file used is the specified
.Em sudoers
file with
.Dq \.tmp
appended to it.
In
.Em check-only
mode only,
.Ql -
may be used to indicate that
.Em sudoers
will be read from the standard input.
Because the policy is evaluated in its entirety, it is not sufficient
to check an individual
.Em sudoers
include file for syntax errors.
.Ss Debugging and sudoers plugin arguments
.Nm
versions 1.8.4 and higher support a flexible debugging framework
that is configured via
.Em Debug
lines in the
.Xr sudo.conf @mansectform@
file.
.Pp
Starting with
.Nm sudo
1.8.12,
.Nm
will also parse the arguments to the
.Em sudoers
plugin to override the default
.Em sudoers
path name, user-ID, group-ID, and file mode.
These arguments, if present, should be listed after the path to the plugin
(i.e., after
.Pa @sudoers_plugin@ ) .
Multiple arguments may be specified, separated by white space.
For example:
.Bd -literal -offset 4n
Plugin sudoers_policy @sudoers_plugin@ sudoers_mode=0400
.Ed
.Pp
The following arguments are supported:
.Bl -tag -width 4n
.It sudoers_file=pathname
The
.Em sudoers_file
argument can be used to override the default path to the
.Em sudoers
file.
.It sudoers_uid=user-ID
The
.Em sudoers_uid
argument can be used to override the default owner of the sudoers file.
It should be specified as a numeric user-ID.
.It sudoers_gid=group-ID
The
.Em sudoers_gid
argument can be used to override the default group of the sudoers file.
It must be specified as a numeric group-ID (not a group name).
.It sudoers_mode=mode
The
.Em sudoers_mode
argument can be used to override the default file mode for the sudoers file.
It should be specified as an octal value.
.El
.Pp
For more information on configuring
.Xr sudo.conf @mansectform@ ,
refer to its manual.
.Sh ENVIRONMENT
The following environment variables may be consulted depending on
the value of the
.Em editor
and
.Em env_editor
.Em sudoers
settings:
.Bl -tag -width 15n
.It Ev SUDO_EDITOR
Invoked by
.Nm
as the editor to use
.It Ev VISUAL
Used by
.Nm
if
.Ev SUDO_EDITOR
is not set
.It Ev EDITOR
Used by
.Nm
if neither
.Ev SUDO_EDITOR
nor
.Ev VISUAL
is set
.El
.Sh FILES
.Bl -tag -width 24n
.It Pa @sysconfdir@/sudo.conf
Sudo front-end configuration
.It Pa @sysconfdir@/sudoers
List of who can run what
.It Pa @sysconfdir@/sudoers.tmp
Default temporary file used by visudo
.El
.Sh DIAGNOSTICS
In addition to reporting
.Em sudoers
syntax errors,
.Nm
may produce the following messages:
.Bl -tag -width 4n
.It Li sudoers file busy, try again later.
Someone else is currently editing the
.Em sudoers
file.
.It Li @sysconfdir@/sudoers: Permission denied
You didn't run
.Nm
as root.
.It Li you do not exist in the passwd database
Your user-ID does not appear in the system passwd database.
.It Li Warning: {User,Runas,Host,Cmnd}_Alias referenced but not defined
Either you are trying to use an undeclared {User,Runas,Host,Cmnd}_Alias
or you have a user or host name listed that consists solely of
uppercase letters, digits, and the underscore
.Pq Ql _
character.
In the latter case, you can ignore the warnings
.Po
.Nm sudo
will not complain
.Pc .
The message is prefixed with the path name of the
.Em sudoers
file and the line number where the undefined alias was used.
In
.Fl s
(strict) mode these are errors, not warnings.
.It Li Warning: unused {User,Runas,Host,Cmnd}_Alias
The specified {User,Runas,Host,Cmnd}_Alias was defined but never
used.
The message is prefixed with the path name of the
.Em sudoers
file and the line number where the unused alias was defined.
You may wish to comment out or remove the unused alias.
.It Li Warning: cycle in {User,Runas,Host,Cmnd}_Alias
The specified {User,Runas,Host,Cmnd}_Alias includes a reference to
itself, either directly or through an alias it includes.
The message is prefixed with the path name of the
.Em sudoers
file and the line number where the cycle was detected.
This is only a warning unless
.Nm
is run in
.Fl s
(strict) mode as
.Nm sudo
will ignore cycles when parsing
the
.Em sudoers
file.
.It Li ignoring editor backup file
While processing a
.Em @includedir
or
.Em #includedir ,
a file was found with a name that ends in
.Ql ~
or
.Em .bak .
Such files are skipped by
.Nm sudo
and
.Nm .
.It Li ignoring file name containing '.'
While processing a
.Em @includedir
or
.Em #includedir ,
a file was found with a name that contains a
.Ql .\&
character.
Such files are skipped by
.Nm sudo
and
.Nm .
.It Li unknown defaults entry \&"name\&"
The
.Em sudoers
file contains a
.Em Defaults
setting not recognized by
.Nm .
.El
.Sh SEE ALSO
.Xr vi 1 ,
.Xr sudo.conf @mansectform@ ,
.Xr sudoers @mansectform@ ,
.Xr sudo @mansectsu@ ,
.Xr vipw @mansectsu@
.Sh AUTHORS
Many people have worked on
.Nm sudo
over the years; this version consists of code written primarily by:
.Bd -ragged -offset indent
.An Todd C. Miller
.Ed
.Pp
See the CONTRIBUTORS.md file in the
.Nm sudo
distribution (https://www.sudo.ws/about/contributors/) for an
exhaustive list of people who have contributed to
.Nm sudo .
.Sh CAVEATS
There is no easy way to prevent a user from gaining a root shell if
the editor used by
.Nm
allows shell escapes.
.Sh BUGS
If you believe you have found a bug in
.Nm ,
you can either file a bug report in the sudo bug database,
https://bugzilla.sudo.ws/, or open an issue at
https://github.com/sudo-project/sudo/issues.
If you would prefer to use email, messages may be sent to the
sudo-workers mailing list,
https://www.sudo.ws/mailman/listinfo/sudo-workers (public)
or <sudo@sudo.ws> (private).
.Pp
Please not report security vulnerabilities through public GitHub
issues, Bugzilla or mailing lists.
Instead, report them via email to <Todd.Miller@sudo.ws>.
You may encrypt your message with PGP if you would like, using
the key found at https://www.sudo.ws/dist/PGPKEYS.
.Sh SUPPORT
Limited free support is available via the sudo-users mailing list,
see https://www.sudo.ws/mailman/listinfo/sudo-users to subscribe or
search the archives.
.Sh DISCLAIMER
.Nm
is provided
.Dq AS IS
and any express or implied warranties, including, but not limited
to, the implied warranties of merchantability and fitness for a
particular purpose are disclaimed.
See the LICENSE.md file distributed with
.Nm sudo
or https://www.sudo.ws/about/license/ for complete details.
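Review bot: in the BUGS section, "Please not report security vulnerabilities through public GitHub issues, Bugzilla or mailing lists." drops the word "do" and should read "Please do not report security vulnerabilities through public GitHub issues, Bugzilla or mailing lists."; since docs/visudo.man.in is generated from this source, regenerate it after the fix. The env_editor and CAVEATS text already states the important security point (an attacker-controlled SUDO_EDITOR, VISUAL or EDITOR, or an editor with shell escapes, gives unlogged root command execution), so no further wording change is needed there.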

36
etc/codespell.exclude Normal file

@ -0,0 +1,36 @@
N_("You empty-headed animal food trough wiper!"),
* Returns true if any tags set in nt differ between ot and nt, else false.
#define TAGS_CHANGED(ot, nt) \
((TAG_SET((nt).follow) && (nt).follow != (ot).follow) || \
(TAG_SET((nt).intercept) && (nt).intercept != (ot).intercept) || \
(TAG_SET((nt).log_input) && (nt).log_input != (ot).log_input) || \
(TAG_SET((nt).log_output) && (nt).log_output != (ot).log_output) || \
(TAG_SET((nt).noexec) && (nt).noexec != (ot).noexec) || \
(TAG_SET((nt).nopasswd) && (nt).nopasswd != (ot).nopasswd) || \
(TAG_SET((nt).setenv) && (nt).setenv != (ot).setenv) || \
(TAG_SET((nt).send_mail) && (nt).send_mail != (ot).send_mail))
sv sw ta te tg th tr uk ur vi wa wo zh_CN zh_HK
if (!PyArg_ParseTupleAndKeywords(py_args ? py_args : py_empty, py_kwargs, "Ois|i:sudo.ConvMessage", (char **)keywords,
$ans = <STDIN>;
if ($ans =~ /^[yY]/) {
.nr BA @BAMAN@
.if \n(BA \{\
.Nd convert between sudoers file formats
.Nd configuration for sudo front-end
.Nd execute a command as another user
.Nd Sudo log server protocol
.Nd configuration for sudo_logsrvd
.Nd sudo event and I/O log server
.Nd Sudo Plugin API
.Nd Sudo Plugin API (Python)
.Nd send sudo I/O log to log server
.Nd sudo LDAP configuration
.Nd default sudo security policy plugin
.Nd Sudoers Time Stamp Format
.Nd replay sudo session logs
.Nd edit the sudoers file
* If path doesn't end in /, return true iff cmnd & path name the same inode;
* Tim Fraser
echo ".Nd sudo" >> conftest
* as per FIPS 180-4: Secure Hash Standard (SHS)
{ "wast", tZONE, -HOUR(7) }, /* West Australian Standard */

19
etc/codespell.ignore Normal file

@ -0,0 +1,19 @@
SOM
VAS
alloced
anull
clen
edn
fIDN
fpt
ist
nome
numer
pleas
sav
siz
statics
thur
toke
vas
wit

25
etc/codespell.skip Normal file

@ -0,0 +1,25 @@
\.in\.sed$
/data
Makefile\.in
^ChangeLog$
^MANIFEST$
^aclocal\.m4$
^autogen\.sh$
^config\.h\.in$
^configure$
^docs/.*\.man\.in$
^docs/CONTRIBUTORS$
^etc/codespell
^lib/util/fnmatch\.c$
^lib/util/getaddrinfo\.c$
^lib/zlib/
^libtool$
^m4/libtool\.m4$
^m4/lt.*\.m4$
^plugins/sudoers/po/
^po/
^scripts/config\.guess$
^scripts/config\.sub$
^scripts/ltmain\.sh$
^scripts/mkinstalldirs$
^scripts/pp$

25
etc/init.d/aix.sh.in Normal file

@ -0,0 +1,25 @@
#!/bin/sh
#
# Simple AIX rc.d script to remove the sudo timestamp directory on boot.
# This is needed because AIX does not have /var/run.
# Install as /etc/rc.d/init.d/sudo with a link /etc/rc.d/rc2.d/S90sudo
#
PATH=/usr/sbin:/usr/bin:/sbin
export PATH
TSDIR="@rundir@/ts"
rval=0
case "$1" in
start)
echo "Removing the $TSDIR directory"
rm -rf "$TSDIR"
;;
*)
echo "usage: $0 start"
rval=1
;;
esac
exit $rval
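Review bot: `rm -rf "$TSDIR"` in the `start)` case runs unconditionally, as root at boot, on a path assembled from the configure substitution `@rundir@`; if that substitution were ever empty or mis-set, the script would delete an unintended tree. A cheap guard placed before the `rm`, for example `case "$TSDIR" in /*/ts) ;; *) echo "unexpected TSDIR: $TSDIR"; exit 1;; esac`, turns that failure mode into a refusal rather than a deletion. Removing the time stamp directory at boot is otherwise the right behaviour here: on a system without a volatile /var/run it discards cached credential grants that would otherwise outlive a reboot.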

27
etc/init.d/hpux.sh.in Normal file

@ -0,0 +1,27 @@
#!/sbin/sh
#
# Simple HP-UX init.d script to remove the sudo timestamp directory on boot.
# This is needed because HP-UX does not clear /var/run on its own.
# Install as /sbin/init.d/sudo with a link /sbin/rc2.d/S900sudo
#
PATH=/usr/sbin:/usr/bin:/sbin
export PATH
TSDIR="@rundir@/ts"
rval=0
case "$1" in
start_msg)
echo "Removing the $TSDIR directory"
;;
start)
rm -rf "$TSDIR"
;;
*)
echo "usage: $0 {start|start_msg}"
rval=1
;;
esac
exit $rval

6
etc/init.d/sudo.conf.in Normal file

@ -0,0 +1,6 @@
# Create an empty sudo time stamp directory on OSes using systemd.
# Sudo will create the directory itself but this can cause problems
# on systems that have SELinux enabled since the directories will be
# created with the user's security context.
d @rundir@ 0711 root root
D @rundir@/ts 0700 root root
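Review bot: the header comment only explains the SELinux motivation, but the second line uses the upper-case `D` type, which (unlike `d`) also has systemd-tmpfiles remove the directory's contents when it runs with `--remove` at boot; that is what clears stale time stamp files across a reboot, matching what the AIX and HP-UX rc scripts in this commit do with `rm -rf "$TSDIR"`. Documenting that in the comment would prevent someone "fixing" it to `d` later. Note also that the same six lines are duplicated as a heredoc in the `%post [rpm,deb]` section of etc/sudo.pp; generating both from this file would keep the two copies from drifting. The modes are consistent with the rest of the packaging: `0711` on the parent lets unprivileged users traverse but not list, and `0700` on `ts` keeps the per-user timestamp records readable only by root.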

BIN
etc/macos-background.png Normal file

Binary file not shown.

Size: 18 KiB

272
etc/sudo-logsrvd.pp Normal file

@ -0,0 +1,272 @@
%set
name="sudo-logsrvd"
summary="Sudo event and I/O log server"
description="The sudo_logsrvd daemon collects event and I/O logs \
from sudo clients.
This makes it possible to have all sudo I/O logs on a central server."
vendor="Todd C. Miller"
copyright="Copyright 2019-2024 Todd C. Miller"
%if [aix]
# Convert to 4 part version for AIX, including patch level
pp_aix_version=`echo $version|sed -e 's/^\([0-9]*\.[0-9]*\.[0-9]*\)p\([0-9]*\)$/\1.\2/' -e 's/^\([0-9]*\.[0-9]*\.[0-9]*\)[^0-9\.].*$/\1/' -e 's/^\([0-9]*\.[0-9]*\.[0-9]*\)$/\1.0/'`
# Don't use sudo to list the package.
pp_aix_sudo=
%endif
%if [sd]
pp_sd_vendor_tag="TCM"
%endif
%if [solaris]
pp_solaris_name="TCM${name}"
pp_solaris_pstamp=`/usr/bin/date "+%B %d, %Y"`
%endif
%if [macos]
# System Integrity Protection on macOS won't allow us to write
# directly to /etc or /var. We must install in /private instead.
case "$sysconfdir" in
/etc|/etc/*)
mkdir -p ${pp_destdir}/private
chmod 755 ${pp_destdir}/private
if test -d ${pp_destdir}/etc; then
mv ${pp_destdir}/etc ${pp_destdir}/private/etc
fi
sysconfdir="/private${sysconfdir}"
;;
esac
case "$vardir" in
/var|/var/*)
mkdir -p ${pp_destdir}/private
chmod 755 ${pp_destdir}/private
if test -d ${pp_destdir}/var; then
mv ${pp_destdir}/var ${pp_destdir}/private/var
fi
vardir="/private${vardir}"
;;
esac
case "$rundir" in
/var|/var/*)
mkdir -p ${pp_destdir}/private
chmod 755 ${pp_destdir}/private
if test -d ${pp_destdir}/var; then
mv ${pp_destdir}/var ${pp_destdir}/private/var
fi
rundir="/private${rundir}"
;;
esac
%endif
%if [rpm,deb]
# Convert patch level into release and remove from version
pp_rpm_release="`expr \( $version : '.*p\([0-9][0-9]*\)$' \| 0 \) + 1`"
pp_rpm_version="`expr \( $version : '\(.*\)p[0-9][0-9]*$' \| $version \)`"
pp_rpm_license="BSD"
pp_rpm_url="https://www.sudo.ws"
pp_rpm_group="Applications/System"
pp_rpm_packager="Todd C. Miller <Todd.Miller@sudo.ws>"
%else
# We install sudo_logsrvd.conf from the example dir during post-install
rm -f ${pp_destdir}$sysconfdir/sudo_logsrvd.conf
%endif
# Stash original docdir and exampledir
odocdir="${docdir}"
oexampledir="${exampledir}"
# docdir and exampledir are installed with "sudo" as the package
# name which may not be correct.
docdir="`echo \"${docdir}\" | sed 's#/sudo$#/'\"${name}\"'#'`"
if test "${exampledir}" = "${odocdir}/examples"; then
exampledir="${docdir}/examples"
else
exampledir="`echo \"${exampledir}\" | sed 's#/sudo$#/'\"${name}\"'#'`"
fi
# For RedHat the doc dir is expected to include version and release
case "$pp_rpm_distro" in
centos*|rhel*|f[0-9]*)
docdir="${docdir}-${pp_rpm_version}-${pp_rpm_release}"
exampledir="${docdir}/examples"
;;
esac
# Copy docdir and exampledir to new names if needed
if test ! -d "${pp_destdir}${docdir}"; then
cp -R ${pp_destdir}${odocdir} ${pp_destdir}${docdir}
find ${pp_destdir}${docdir} -depth | sed "s#^${pp_destdir}##" >> ${pp_wrkdir}/pp_cleanup
fi
if test ! -d "${pp_destdir}${exampledir}"; then
cp -R ${pp_destdir}${oexampledir} ${pp_destdir}${exampledir}
find ${pp_destdir}${exampledir} -depth | sed "s#^${pp_destdir}##" >> ${pp_wrkdir}/pp_cleanup
fi
%if [deb]
pp_deb_maintainer="$pp_rpm_packager"
pp_deb_release="$pp_rpm_release"
pp_deb_version="$pp_rpm_version"
pp_deb_section=admin
install -D -m 644 ${pp_destdir}$docdir/LICENSE.md ${pp_wrkdir}/${name}/usr/share/doc/${name}/copyright
install -D -m 644 ${pp_destdir}$docdir/ChangeLog ${pp_wrkdir}/${name}/usr/share/doc/${name}/changelog
gzip -9f ${pp_wrkdir}/${name}/usr/share/doc/${name}/changelog
printf "$name ($pp_deb_version-$pp_deb_release) admin; urgency=low\n\n * see upstream changelog\n\n -- $pp_deb_maintainer `date '+%a, %d %b %Y %T %z'`\n" > ${pp_wrkdir}/${name}/usr/share/doc/${name}/changelog.Debian
chmod 644 ${pp_wrkdir}/${name}/usr/share/doc/${name}/changelog.Debian
gzip -9f ${pp_wrkdir}/${name}/usr/share/doc/${name}/changelog.Debian
# Create lintian override file
mkdir -p ${pp_wrkdir}/${name}/usr/share/lintian/overrides
cat >${pp_wrkdir}/${name}/usr/share/lintian/overrides/${name} <<-EOF
# Sudo ships with debugging symbols
$name: unstripped-binary-or-object
EOF
chmod 644 ${pp_wrkdir}/${name}/usr/share/lintian/overrides/${name}
# If libssl_dep not passed in, try to figure it out
if test -z "$libssl_dep"; then
libssl_dep="`ldd $libexecdir/sudo/sudoers.so 2>&1 | sed -n 's/^[ ]*libssl\.so\([0-9.]*\).*/libssl\1/p'`"
fi
%endif
%if [rpm]
# Add distro info to release
osrelease=`echo "$pp_rpm_distro" | sed -e 's/^[^0-9]*\([0-9]\{1,2\}\).*/\1/'`
case "$pp_rpm_distro" in
centos*|rhel*|f[0-9]*)
# CentOS Stream has a single-digit version
if test $osrelease -lt 10; then
osrelease="${osrelease}0"
fi
pp_rpm_release="$pp_rpm_release.el${osrelease%%[0-9]}"
;;
sles*)
pp_rpm_release="$pp_rpm_release.sles$osrelease"
;;
esac
%endif
%if [macos]
pp_macos_pkg_type=flat
pp_macos_bundle_id=ws.sudo.pkg.sudo-logsrvd
pp_macos_pkg_background=${srcdir}/etc/macos-background.png
pp_macos_pkg_background_dark=${srcdir}/etc/macos-background.png
pp_macos_pkg_license=${pp_destdir}$docdir/LICENSE.md
pp_macos_pkg_readme=${pp_wrkdir}/ReadMe.txt
perl -pe 'last if (/^What/i && $seen++)' ${pp_destdir}$docdir/NEWS > ${pp_wrkdir}/ReadMe.txt
%endif
%if X"$aix_freeware" = X"true"
# Create links from /opt/freeware/sbin -> /usr/sbin
mkdir -p ${pp_destdir}/usr/sbin
ln -s -f ${sbindir}/sudo_logsrvd ${pp_destdir}/usr/sbin
%endif
%if [!rpm,deb]
# Package parent directories when not installing under /usr
if test "${prefix}" != "/usr"; then
extradirs=`echo ${pp_destdir}${mandir}/[mc]* | sed "s#${pp_destdir}##g"`
extradirs="$extradirs `dirname $docdir` `dirname $rundir`"
test "`dirname $exampledir`" != "$docdir" && extradirs="$extradirs `dirname $exampledir`"
for dir in $sbindir $extradirs; do
while test "$dir" != "/"; do
parentdirs="${parentdirs}${parentdirs+ }$dir/"
dir=`dirname $dir`
done
done
parentdirs=`echo $parentdirs | tr " " "\n" | sort -u`
fi
%endif
%depend [deb]
libc6, zlib1g, sudo
%fixup [deb]
if test -n "%{libssl_dep}"; then
DEPENDS="%{libssl_dep}"
cp -p %{pp_wrkdir}/%{name}/DEBIAN/control %{pp_wrkdir}/%{name}/DEBIAN/control.$$
sed "s/^\(Depends:.*\) *$/\1, ${DEPENDS}/" %{pp_wrkdir}/%{name}/DEBIAN/control.$$ > %{pp_wrkdir}/%{name}/DEBIAN/control
rm -f %{pp_wrkdir}/%{name}/DEBIAN/control.$$
fi
echo "Homepage: https://www.sudo.ws" >> %{pp_wrkdir}/%{name}/DEBIAN/control
echo "Bugs: https://bugzilla.sudo.ws" >> %{pp_wrkdir}/%{name}/DEBIAN/control
%fixup [rpm]
cat > %{pp_wrkdir}/${name}.spec.sed <<-'EOF'
/^%files/ {
i\
%clean\
:\
}
EOF
mv %{pp_wrkdir}/${name}.spec %{pp_wrkdir}/${name}.spec.bak
sed -f %{pp_wrkdir}/${name}.spec.sed %{pp_wrkdir}/${name}.spec.bak > %{pp_wrkdir}/${name}.spec
%files
/** ignore
%if X"$parentdirs" != X""
$parentdirs - ignore-others
%endif
$sbindir/sudo_logsrvd 0755 ignore-others
$mandir/man*/*logsrv* 0644 ignore-others
$rundir/ 0711 root: ignore-others
$docdir/ 0755 ignore-others
$exampledir/ 0755 ignore-others
$exampledir/*logsrv* 0644 ignore-others
%if [rpm,deb]
$sysconfdir/sudo_logsrvd.conf 0644 root: volatile,ignore-others
%endif
%if X"$aix_freeware" = X"true"
# Links for binaries from /opt/freeware to /usr
/usr/sbin/sudo_logsrvd 0755 root: symlink,ignore-others $sbindir/logsrvd
%endif
%post [!rpm,deb]
# Don't overwrite existing sudo_logsrvd.conf files
%if [solaris]
sysconfdir=${PKG_INSTALL_ROOT}%{sysconfdir}
exampledir=${PKG_INSTALL_ROOT}%{exampledir}
%else
sysconfdir=%{sysconfdir}
exampledir=%{exampledir}
%endif
if test ! -r $sysconfdir/sudo_logsrvd.conf; then
cp $exampledir/sudo_logsrvd.conf $sysconfdir/sudo_logsrvd.conf
chmod 644 $sysconfdir/sudo_logsrvd.conf
chown root $sysconfdir/sudo_logsrvd.conf
fi
%service sudo_logsrvd
%if [aix,macos]
cmd="${sbindir}/sudo_logsrvd -n"
%else
cmd=${sbindir}/sudo_logsrvd
pidfile=${rundir}/sudo_logsrvd.pid
%endif
%if [macos]
pp_macos_service_id=ws.sudo.sudo_logsrvd
%endif
%if [rpm,deb]
# Only include systemd support if it exists on the build machine.
# This assumes that we are building on the same distro that the
# package will be installed on (which is the case for sudo).
if test -d /etc/systemd; then
for d in `pkg-config systemd --variable=systemdsystemunitdir 2>/dev/null` /lib/systemd/system /usr/lib/systemd/system; do
if test -d "$d"; then
break
fi
done
pp_systemd_service_description="Sudo central log server"
pp_systemd_service_dir="$d"
pp_systemd_service_exec="${cmd}"
pp_systemd_service_exec_args="-n"
pp_systemd_service_man="man:sudo_logsrvd(8) man:sudo_logsrvd.conf(5)"
pp_systemd_service_documentation="https://www.sudo.ws/man.html"
pp_systemd_service_after="network.target auditd.service"
pp_systemd_service_killmode="process"
pp_systemd_service_type="exec"
pp_systemd_system_target="multi-user.target"
else
# No systemd support
pp_systemd_disabled=true
fi
%endif
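Review bot: the AIX freeware entry in `%files`, `/usr/sbin/sudo_logsrvd 0755 root: symlink,ignore-others $sbindir/logsrvd`, names a link target that this package never installs; the binary is `$sbindir/sudo_logsrvd` (the `%files` line `$sbindir/sudo_logsrvd 0755 ignore-others` and the `ln -s -f ${sbindir}/sudo_logsrvd ${pp_destdir}/usr/sbin` in `%set` both agree on that name), so the packaged link would dangle. The target should be `$sbindir/sudo_logsrvd`. Separately, in the `[deb]` block `libssl_dep` is computed with `ldd $libexecdir/sudo/sudoers.so`: that file belongs to the sudo package, not to sudo-logsrvd, and the path is not prefixed with `${pp_destdir}`, so ldd inspects whatever copy happens to be installed on the build host (or nothing at all, with the error swallowed by `2>&1 | sed -n`), leaving the dependency empty. Running ldd on `${pp_destdir}${sbindir}/sudo_logsrvd`, the binary this package actually ships, would derive the libssl dependency from the right object.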

161
etc/sudo-python.pp Normal file

@ -0,0 +1,161 @@
%set
name="sudo-python"
summary="Sudo Python plugin framework"
description="The sudo Python plugin allows you to extend sudo using Python."
vendor="Todd C. Miller"
copyright="Copyright 2019-2024 Todd C. Miller"
%if [aix]
# Convert to 4 part version for AIX, including patch level
pp_aix_version=`echo $version|sed -e 's/^\([0-9]*\.[0-9]*\.[0-9]*\)p\([0-9]*\)$/\1.\2/' -e 's/^\([0-9]*\.[0-9]*\.[0-9]*\)[^0-9\.].*$/\1/' -e 's/^\([0-9]*\.[0-9]*\.[0-9]*\)$/\1.0/'`
# Don't use sudo to list the package.
pp_aix_sudo=
%endif
%if [sd]
pp_sd_vendor_tag="TCM"
%endif
%if [solaris]
pp_solaris_name="TCM${name}"
pp_solaris_pstamp=`/usr/bin/date "+%B %d, %Y"`
%endif
%if [rpm,deb]
# Convert patch level into release and remove from version
pp_rpm_release="`expr \( $version : '.*p\([0-9][0-9]*\)$' \| 0 \) + 1`"
pp_rpm_version="`expr \( $version : '\(.*\)p[0-9][0-9]*$' \| $version \)`"
pp_rpm_license="BSD"
pp_rpm_url="https://www.sudo.ws"
pp_rpm_group="Applications/System"
pp_rpm_packager="Todd C. Miller <Todd.Miller@sudo.ws>"
%endif
# Stash original docdir and exampledir
odocdir="${docdir}"
oexampledir="${exampledir}"
# docdir and exampledir are installed with "sudo" as the package
# name which may not be correct.
docdir="`echo \"${docdir}\" | sed 's#/sudo$#/'\"${name}\"'#'`"
if test "${exampledir}" = "${odocdir}/examples"; then
exampledir="${docdir}/examples"
else
exampledir="`echo \"${exampledir}\" | sed 's#/sudo$#/'\"${name}\"'#'`"
fi
# For RedHat the doc dir is expected to include version and release
case "$pp_rpm_distro" in
centos*|rhel*|f[0-9]*)
docdir="${docdir}-${pp_rpm_version}-${pp_rpm_release}"
exampledir="${docdir}/examples"
;;
esac
# Copy docdir and exampledir to new names if needed
if test ! -d "${pp_destdir}${docdir}"; then
cp -R ${pp_destdir}${odocdir} ${pp_destdir}${docdir}
find ${pp_destdir}${docdir} -depth | sed "s#^${pp_destdir}##" >> ${pp_wrkdir}/pp_cleanup
fi
if test ! -d "${pp_destdir}${exampledir}"; then
cp -R ${pp_destdir}${oexampledir} ${pp_destdir}${exampledir}
find ${pp_destdir}${exampledir} -depth | sed "s#^${pp_destdir}##" >> ${pp_wrkdir}/pp_cleanup
fi
%if [deb]
pp_deb_maintainer="$pp_rpm_packager"
pp_deb_release="$pp_rpm_release"
pp_deb_version="$pp_rpm_version"
pp_deb_section=admin
install -D -m 644 ${pp_destdir}$docdir/LICENSE.md ${pp_wrkdir}/${name}/usr/share/doc/${name}/copyright
install -D -m 644 ${pp_destdir}$docdir/ChangeLog ${pp_wrkdir}/${name}/usr/share/doc/${name}/changelog
gzip -9f ${pp_wrkdir}/${name}/usr/share/doc/${name}/changelog
printf "$name ($pp_deb_version-$pp_deb_release) admin; urgency=low\n\n * see upstream changelog\n\n -- $pp_deb_maintainer `date '+%a, %d %b %Y %T %z'`\n" > ${pp_wrkdir}/${name}/usr/share/doc/${name}/changelog.Debian
chmod 644 ${pp_wrkdir}/${name}/usr/share/doc/${name}/changelog.Debian
gzip -9f ${pp_wrkdir}/${name}/usr/share/doc/${name}/changelog.Debian
# Create lintian override file
mkdir -p ${pp_wrkdir}/${name}/usr/share/lintian/overrides
cat >${pp_wrkdir}/${name}/usr/share/lintian/overrides/${name} <<-EOF
# Sudo ships with debugging symbols
$name: unstripped-binary-or-object
EOF
chmod 644 ${pp_wrkdir}/${name}/usr/share/lintian/overrides/${name}
%endif
%if [rpm]
# Add distro info to release
osrelease=`echo "$pp_rpm_distro" | sed -e 's/^[^0-9]*\([0-9]\{1,2\}\).*/\1/'`
case "$pp_rpm_distro" in
centos*|rhel*|f[0-9]*)
# CentOS Stream has a single-digit version
if test $osrelease -lt 10; then
osrelease="${osrelease}0"
fi
pp_rpm_release="$pp_rpm_release.el${osrelease%%[0-9]}"
;;
sles*)
pp_rpm_release="$pp_rpm_release.sles$osrelease"
;;
esac
%endif
%if [macos]
pp_macos_pkg_type=flat
pp_macos_bundle_id=ws.sudo.pkg.sudo-python
pp_macos_pkg_background=${srcdir}/etc/macos-background.png
pp_macos_pkg_background_dark=${srcdir}/etc/macos-background.png
pp_macos_pkg_license=${pp_destdir}$docdir/LICENSE.md
pp_macos_pkg_readme=${pp_wrkdir}/ReadMe.txt
perl -pe 'last if (/^What/i && $seen++)' ${pp_destdir}$docdir/NEWS > ${pp_wrkdir}/ReadMe.txt
%endif
%if [!rpm,deb]
# Package parent directories when not installing under /usr
if test "${prefix}" != "/usr"; then
extradirs=`echo ${pp_destdir}${mandir}/[mc]* | sed "s#${pp_destdir}##g"`
extradirs="$extradirs `dirname $docdir`"
test "`dirname $exampledir`" != "$docdir" && extradirs="$extradirs `dirname $exampledir`"
for dir in $libexecdir $extradirs; do
while test "$dir" != "/"; do
parentdirs="${parentdirs}${parentdirs+ }$dir/"
dir=`dirname $dir`
done
done
parentdirs=`echo $parentdirs | tr " " "\n" | sort -u`
fi
%endif
%depend [deb]
libc6, libpython@PYTHON_VERSION@, sudo
%fixup [deb]
cp -p %{pp_wrkdir}/%{name}/DEBIAN/control %{pp_wrkdir}/%{name}/DEBIAN/control.$$
sed "s/@PYTHON_VERSION@/%{python_version}/g" %{pp_wrkdir}/%{name}/DEBIAN/control.$$ > %{pp_wrkdir}/%{name}/DEBIAN/control
rm -f %{pp_wrkdir}/%{name}/DEBIAN/control.$$
echo "Homepage: https://www.sudo.ws" >> %{pp_wrkdir}/%{name}/DEBIAN/control
echo "Bugs: https://bugzilla.sudo.ws" >> %{pp_wrkdir}/%{name}/DEBIAN/control
%fixup [rpm]
cat > %{pp_wrkdir}/${name}.spec.sed <<-'EOF'
/^%files/ {
i\
%clean\
:\
}
EOF
mv %{pp_wrkdir}/${name}.spec %{pp_wrkdir}/${name}.spec.bak
sed -f %{pp_wrkdir}/${name}.spec.sed %{pp_wrkdir}/${name}.spec.bak > %{pp_wrkdir}/${name}.spec
%files
/** ignore
%if X"$parentdirs" != X""
$parentdirs - ignore-others
%endif
$libexecdir/sudo/ 0755 ignore-others
$libexecdir/sudo/python* $shlib_mode ignore-others
$docdir/ 0755 ignore-others
$exampledir/ 0755 ignore-others
$exampledir/*.py 0644 ignore-others
$mandir/man*/*python* 0644 ignore-others

571
etc/sudo.pp Normal file

@ -0,0 +1,571 @@
%set
if test -n "$flavor"; then
name="sudo-$flavor"
else
name="sudo"
fi
summary="Provide limited super-user privileges to specific users"
description="Sudo is a program designed to allow a sysadmin to give \
limited root privileges to users and log root activity. \
The basic philosophy is to give as few privileges as possible but \
still allow people to get their work done."
vendor="Todd C. Miller"
copyright="Copyright 1994-1996,1998-2024 Todd C. Miller"
sudoedit_man=`echo ${pp_destdir}$mandir/*/sudoedit.*|sed "s:^${pp_destdir}::"`
sudoedit_man_target=`basename $sudoedit_man | sed 's/edit//'`
%if [aix]
# AIX package summary is limited to 40 characters
summary="Configurable super-user privileges"
# Convert to 4 part version for AIX, including patch level
pp_aix_version=`echo $version|sed -e 's/^\([0-9]*\.[0-9]*\.[0-9]*\)p\([0-9]*\)$/\1.\2/' -e 's/^\([0-9]*\.[0-9]*\.[0-9]*\)[^0-9\.].*$/\1/' -e 's/^\([0-9]*\.[0-9]*\.[0-9]*\)$/\1.0/'`
# Don't use sudo to list the package.
pp_aix_sudo=
%endif
%if [sd]
pp_sd_vendor_tag="TCM"
%endif
%if [solaris]
pp_solaris_name="TCM${name}"
pp_solaris_pstamp=`/usr/bin/date "+%B %d, %Y"`
%endif
%if [macos]
# System Integrity Protection on macOS won't allow us to write
# directly to /etc or /var. We must install in /private instead.
case "$sysconfdir" in
/etc|/etc/*)
mkdir -p ${pp_destdir}/private
chmod 755 ${pp_destdir}/private
if test -d ${pp_destdir}/etc; then
mv ${pp_destdir}/etc ${pp_destdir}/private/etc
fi
sysconfdir="/private${sysconfdir}"
;;
esac
case "$vardir" in
/var|/var/*)
mkdir -p ${pp_destdir}/private
chmod 755 ${pp_destdir}/private
if test -d ${pp_destdir}/var; then
mv ${pp_destdir}/var ${pp_destdir}/private/var
fi
vardir="/private${vardir}"
;;
esac
case "$rundir" in
/var|/var/*)
mkdir -p ${pp_destdir}/private
chmod 755 ${pp_destdir}/private
if test -d ${pp_destdir}/var; then
mv ${pp_destdir}/var ${pp_destdir}/private/var
fi
rundir="/private${rundir}"
;;
esac
%endif
%if [rpm,deb]
# Convert patch level into release and remove from version
pp_rpm_release="`expr \( $version : '.*p\([0-9][0-9]*\)$' \| 0 \) + 1`"
pp_rpm_version="`expr \( $version : '\(.*\)p[0-9][0-9]*$' \| $version \)`"
pp_rpm_license="BSD"
pp_rpm_url="https://www.sudo.ws"
pp_rpm_group="Applications/System"
pp_rpm_packager="Todd C. Miller <Todd.Miller@sudo.ws>"
if test -n "$linux_audit"; then
pp_rpm_requires="audit-libs >= $linux_audit"
fi
# The package manager will handle an existing sudoers file
rm -f ${pp_destdir}${sysconfdir}/sudoers.dist
%else
# For all but RPM and Debian we copy sudoers in a post-install script.
rm -f ${pp_destdir}${sysconfdir}/sudoers
# We install sudo.conf from the example dir in a post-install script.
rm -f ${pp_destdir}${sysconfdir}/sudo.conf
%endif
# Stash original docdir and exampledir
odocdir="${docdir}"
oexampledir="${exampledir}"
# For RedHat the doc dir is expected to include version and release
case "$pp_rpm_distro" in
centos*|rhel*|f[0-9]*)
docdir="${docdir}-${pp_rpm_version}-${pp_rpm_release}"
exampledir="${docdir}/examples"
;;
esac
if test -n "$flavor"; then
# docdir and exampledir are installed with "sudo" as the package
# name which is not be correct for flavors.
docdir="`echo \"${docdir}\" | sed \"s#/sudo#/${name}#g\"`"
exampledir="`echo \"${exampledir}\" | sed \"s#/sudo#/${name}#g\"`"
fi
# Copy docdir and exampledir to new names if needed
if test ! -d "${pp_destdir}${docdir}"; then
cp -R ${pp_destdir}${odocdir} ${pp_destdir}${docdir}
find ${pp_destdir}${docdir} -depth | sed "s#^${pp_destdir}##" >> ${pp_wrkdir}/pp_cleanup
fi
if test ! -d "${pp_destdir}${exampledir}"; then
cp -R ${pp_destdir}${oexampledir} ${pp_destdir}${exampledir}
find ${pp_destdir}${exampledir} -depth | sed "s#^${pp_destdir}##" >> ${pp_wrkdir}/pp_cleanup
fi
%if [deb]
pp_deb_maintainer="$pp_rpm_packager"
pp_deb_release="$pp_rpm_release"
pp_deb_version="$pp_rpm_version"
pp_deb_section=admin
install -D -m 644 ${pp_destdir}$docdir/LICENSE.md ${pp_wrkdir}/${name}/usr/share/doc/${name}/copyright
install -D -m 644 ${pp_destdir}$docdir/ChangeLog ${pp_wrkdir}/${name}/usr/share/doc/${name}/changelog
gzip -9f ${pp_wrkdir}/${name}/usr/share/doc/${name}/changelog
printf "$name ($pp_deb_version-$pp_deb_release) admin; urgency=low\n\n * see upstream changelog\n\n -- $pp_deb_maintainer `date '+%a, %d %b %Y %T %z'`\n" > ${pp_wrkdir}/${name}/usr/share/doc/${name}/changelog.Debian
chmod 644 ${pp_wrkdir}/${name}/usr/share/doc/${name}/changelog.Debian
gzip -9f ${pp_wrkdir}/${name}/usr/share/doc/${name}/changelog.Debian
# Create lintian override file, must be tab indented for "<<-"
mkdir -p ${pp_wrkdir}/${name}/usr/share/lintian/overrides
cat >${pp_wrkdir}/${name}/usr/share/lintian/overrides/${name} <<-EOF
# The sudo binary must be setuid root
$name: setuid-binary usr/bin/sudo 4755 root/root
# Sudo configuration and data dirs must not be world-readable
$name: non-standard-file-perm etc/sudoers 0440 != 0644
$name: non-standard-dir-perm etc/sudoers.d/ 0750 != 0755
$name: non-standard-dir-perm var/lib/sudo/ 0700 != 0755
# Sudo ships with debugging symbols
$name: unstripped-binary-or-object
EOF
chmod 644 ${pp_wrkdir}/${name}/usr/share/lintian/overrides/${name}
# If libssl_dep not passed in, try to figure it out
if test -z "$libssl_dep"; then
libssl_dep="`ldd $libexecdir/sudo/sudoers.so 2>&1 | sed -n 's/^[ ]*libssl\.so\([0-9.]*\).*/libssl\1/p'`"
fi
%endif
%if [rpm]
# Add distro info to release
osrelease=`echo "$pp_rpm_distro" | sed -e 's/^[^0-9]*\([0-9]\{1,2\}\).*/\1/'`
case "$pp_rpm_distro" in
centos*|rhel*|f[0-9]*)
# CentOS Stream has a single-digit version
if test $osrelease -lt 10; then
osrelease="${osrelease}0"
fi
pp_rpm_release="$pp_rpm_release.el${osrelease%%[0-9]}"
;;
sles*)
pp_rpm_release="$pp_rpm_release.sles$osrelease"
;;
esac
# Uncomment some Defaults in sudoers
case "$pp_rpm_distro" in
centos*|rhel*|f[0-9]*)
sed -e '/Locale settings/{ N;s/\(\n\)# /\1/; }' -e '/Desktop path settings/{ N;s/\(\n\)# /\1/; }' -e '/allow members of group wheel to execute any command/{ N;s/\(\n\)# /\1/; }' ${pp_destdir}${sysconfdir}/sudoers > ${pp_destdir}${sysconfdir}/sudoers.$$
mv -f ${pp_destdir}${sysconfdir}/sudoers.$$ ${pp_destdir}${sysconfdir}/sudoers
;;
sles*)
sed -e '/Locale settings/{ N;s/\(\n\)# /\1/; }' -e '/ConsoleKit session/{ N;s/\(\n\)# /\1/; }' -e '/allow any user to run sudo if they know the password/{ N;N;N;s/\(\n\)# /\1/g; }' ${pp_destdir}${sysconfdir}/sudoers > ${pp_destdir}${sysconfdir}/sudoers.$$
mv -f ${pp_destdir}${sysconfdir}/sudoers.$$ ${pp_destdir}${sysconfdir}/sudoers
;;
esac
# Choose the correct PAM file by distro, must be tab indented for "<<-"
case "$pp_rpm_distro" in
centos*|rhel*)
mkdir -p ${pp_destdir}/etc/pam.d
if test $osrelease -lt 50; then
cat > ${pp_destdir}/etc/pam.d/sudo <<-EOF
#%PAM-1.0
auth required pam_stack.so service=system-auth
account required pam_stack.so service=system-auth
password required pam_stack.so service=system-auth
session required pam_limits.so
EOF
else
cat > ${pp_destdir}/etc/pam.d/sudo <<-EOF
#%PAM-1.0
auth include system-auth
account include system-auth
password include system-auth
session optional pam_keyinit.so revoke
session required pam_limits.so
EOF
cat > ${pp_destdir}/etc/pam.d/sudo-i <<-EOF
#%PAM-1.0
auth include sudo
account include sudo
password include sudo
session optional pam_keyinit.so force revoke
session required pam_limits.so
EOF
fi
;;
f[0-9]*)
# XXX - share with rhel
mkdir -p ${pp_destdir}/etc/pam.d
cat > ${pp_destdir}/etc/pam.d/sudo <<-EOF
#%PAM-1.0
auth include system-auth
account include system-auth
password include system-auth
session optional pam_keyinit.so revoke
session required pam_limits.so
EOF
cat > ${pp_destdir}/etc/pam.d/sudo-i <<-EOF
#%PAM-1.0
auth include sudo
account include sudo
password include sudo
session optional pam_keyinit.so force revoke
session required pam_limits.so
EOF
;;
sles*)
mkdir -p ${pp_destdir}/etc/pam.d
if test $osrelease -lt 10; then
cat > ${pp_destdir}/etc/pam.d/sudo <<-EOF
#%PAM-1.0
auth required pam_unix2.so
session required pam_limits.so
EOF
else
cat > ${pp_destdir}/etc/pam.d/sudo <<-EOF
#%PAM-1.0
auth include common-auth
account include common-account
password include common-password
session include common-session
# session optional pam_xauth.so
EOF
fi
;;
esac
%endif
%if [deb]
# Uncomment some Defaults and the %sudo rule in sudoers
sed -e '/Locale settings/{ N;s/\(\n\)# /\1/; }' -e '/X11 resource/{ N;s/\(\n\)# /\1/; }' -e 's/^# \(Defaults secure_path\)/\1/' -e 's/^# \(Defaults mail_badpass\)/\1/' -e 's/^# \(\%sudo\)/\1/' ${pp_destdir}${sysconfdir}/sudoers > ${pp_destdir}${sysconfdir}/sudoers.$$
mv -f ${pp_destdir}${sysconfdir}/sudoers.$$ ${pp_destdir}${sysconfdir}/sudoers
mkdir -p ${pp_destdir}/etc/pam.d
# Create Debian PAM file, must be tab indented for "<<-"
cat > ${pp_destdir}/etc/pam.d/sudo <<-EOF
#%PAM-1.0
@include common-auth
@include common-account
session required pam_permit.so
session required pam_limits.so
EOF
%endif
%if [macos]
pp_macos_pkg_type=flat
pp_macos_bundle_id=ws.sudo.pkg.sudo
pp_macos_pkg_background=${srcdir}/etc/macos-background.png
pp_macos_pkg_background_dark=${srcdir}/etc/macos-background.png
pp_macos_pkg_license=${pp_destdir}$docdir/LICENSE.md
pp_macos_pkg_readme=${pp_wrkdir}/ReadMe.txt
perl -pe 'last if (/^What/i && $seen++)' ${pp_destdir}$docdir/NEWS > ${pp_wrkdir}/ReadMe.txt
%endif
%if X"$aix_freeware" = X"true"
# Create links from /opt/freeware/{bin,sbin} -> /usr/{bin,sbin}
mkdir -p ${pp_destdir}/usr/bin ${pp_destdir}/usr/sbin
ln -s -f ${bindir}/cvtsudoers ${pp_destdir}/usr/bin
ln -s -f ${bindir}/sudo ${pp_destdir}/usr/bin
ln -s -f ${bindir}/sudoedit ${pp_destdir}/usr/bin
ln -s -f ${bindir}/sudoreplay ${pp_destdir}/usr/bin
ln -s -f ${sbindir}/sudo_sendlog ${pp_destdir}/usr/sbin
ln -s -f ${sbindir}/visudo ${pp_destdir}/usr/sbin
%endif
%if [!rpm,deb]
# Package parent directories when not installing under /usr
if test "${prefix}" != "/usr"; then
extradirs=`echo ${pp_destdir}${mandir}/[mc]* | sed "s#${pp_destdir}##g"`
extradirs="$extradirs `dirname $docdir` `dirname $rundir` `dirname $vardir`"
test "`dirname $exampledir`" != "$docdir" && extradirs="$extradirs `dirname $exampledir`"
test -d ${pp_destdir}${localedir} && extradirs="$extradirs $localedir"
for dir in $bindir $sbindir $libexecdir $includedir $extradirs; do
while test "$dir" != "/"; do
parentdirs="${parentdirs}${parentdirs+ }$dir/"
dir=`dirname $dir`
done
done
parentdirs=`echo $parentdirs | tr " " "\n" | sort -u`
fi
%endif
%depend [deb]
libc6, libpam0g, libpam-modules, zlib1g, libapparmor1
%fixup [deb]
# Add Conflicts, Replaces headers and add libldap dependency as needed.
DEPENDS="%{linux_audit}"
if test -z "%{flavor}"; then
echo "Conflicts: sudo-ldap" >> %{pp_wrkdir}/%{name}/DEBIAN/control
echo "Replaces: sudo-ldap" >> %{pp_wrkdir}/%{name}/DEBIAN/control
elif test "%{flavor}" = "ldap"; then
echo "Conflicts: sudo" >> %{pp_wrkdir}/%{name}/DEBIAN/control
echo "Replaces: sudo" >> %{pp_wrkdir}/%{name}/DEBIAN/control
echo "Provides: sudo" >> %{pp_wrkdir}/%{name}/DEBIAN/control
DEPENDS="${DEPENDS}${DEPENDS:+, }libldap-2.4-2"
fi
if test -n "%{libssl_dep}"; then
DEPENDS="${DEPENDS}${DEPENDS:+, }%{libssl_dep}"
fi
cp -p %{pp_wrkdir}/%{name}/DEBIAN/control %{pp_wrkdir}/%{name}/DEBIAN/control.$$
if test -n "${DEPENDS}"; then
sed "s/^\(Depends:.*\) *$/\1, ${DEPENDS}/" %{pp_wrkdir}/%{name}/DEBIAN/control.$$ > %{pp_wrkdir}/%{name}/DEBIAN/control
fi
rm -f %{pp_wrkdir}/%{name}/DEBIAN/control.$$
echo "Homepage: https://www.sudo.ws" >> %{pp_wrkdir}/%{name}/DEBIAN/control
echo "Bugs: https://bugzilla.sudo.ws" >> %{pp_wrkdir}/%{name}/DEBIAN/control
%fixup [rpm]
# Must be tab indented for "<<-".
cat > %{pp_wrkdir}/${name}.spec.sed <<-'EOF'
/^%files/ {
i\
%clean\
:\
}
EOF
mv %{pp_wrkdir}/${name}.spec %{pp_wrkdir}/${name}.spec.bak
sed -f %{pp_wrkdir}/${name}.spec.sed %{pp_wrkdir}/${name}.spec.bak > %{pp_wrkdir}/${name}.spec
%files
%if X"$parentdirs" != X""
$parentdirs -
%endif
%if X"$odocdir" != X"$docdir"
$odocdir/ ignore
$odocdir/** ignore
%endif
%if X"$oexampledir" != X"$exampledir" -a X"$exampledir" != X"$docdir/examples"
$oexampledir/ ignore
$oexampledir/** ignore
%endif
$bindir/cvtsudoers 0755 root:
$bindir/sudo 4755 root:
$bindir/sudoedit 0755 root: symlink sudo
$bindir/sudoreplay 0755
$sbindir/sudo_sendlog 0755
$sbindir/sudo_logsrvd optional,ignore
$sbindir/visudo 0755
$includedir/sudo_plugin.h 0644
$libexecdir/sudo/ 0755
$libexecdir/sudo/sesh 0755 optional,ignore-others
$libexecdir/sudo/python* optional,ignore,ignore-others
$libexecdir/sudo/* $shlib_mode optional
$sysconfdir/sudoers.d/ 0750 $sudoers_uid:$sudoers_gid
$rundir/ 0711 root:
$vardir/ 0711 root: ignore-others
$vardir/lectured/ 0700 root:
$docdir/ 0755
$docdir/** 0644
%if [deb]
$docdir/LICENSE.md ignore,ignore-others
$docdir/ChangeLog ignore,ignore-others
%endif
$exampledir/ 0755 ignore-others
%if X"$exampledir" != X"$docdir/examples"
$exampledir/* 0644
%endif
$exampledir/sudo_logsrv* optional,ignore,ignore-others
$exampledir/*.py optional,ignore,ignore-others
$localedir/*/ - optional
$localedir/*/LC_MESSAGES/ - optional
$localedir/*/LC_MESSAGES/* 0644 optional
/etc/pam.d/* 0644 volatile,optional
%if [rpm,deb]
$sysconfdir/sudoers $sudoers_mode $sudoers_uid:$sudoers_gid volatile
$sysconfdir/sudo.conf 0644 root: volatile
%else
$sysconfdir/sudoers.dist $sudoers_mode $sudoers_uid:$sudoers_gid
%endif
$sysconfdir/sudo_logsrvd.conf optional,ignore,ignore-others
%if X"$aix_freeware" = X"true"
# Links for binaries from /opt/freeware to /usr
/usr/bin/cvtsudoers 0755 root: symlink $bindir/cvtsudoers
/usr/bin/sudo 0755 root: symlink $bindir/sudo
/usr/bin/sudoedit 0755 root: symlink $bindir/sudoedit
/usr/bin/sudoreplay 0755 root: symlink $bindir/sudoreplay
/usr/sbin/sudo_sendlog 0755 root: symlink $sbindir/sendlog
/usr/sbin/visudo 0755 root: symlink $sbindir/visudo
%endif
%if [rpm]
/etc/rc.d/init.d/sudo 0755 root: optional
%endif
%if [aix]
/etc/rc.d/ ignore
/etc/rc.d/rc2.d/ ignore
/etc/rc.d/rc2.d/** ignore
/etc/rc.d/init.d/ ignore
/etc/rc.d/init.d/sudo 0755 root:
%endif
%if [sd]
/sbin/ ignore
/sbin/rc2.d/ ignore
/sbin/rc2.d/** ignore
/sbin/init.d/ ignore
/sbin/init.d/sudo 0755 root:
%endif
$mandir/man*/* 0644
$mandir/man*/sudo_logsrv* ignore,ignore-others
$mandir/man*/*python* ignore,ignore-others
$sudoedit_man 0644 symlink,ignore-others $sudoedit_man_target
%pre [aix]
if rpm -q %{name} >/dev/null 2>&1; then
echo "Another version of sudo is currently installed via rpm." 2>&1
echo "Please either uninstall the rpm version of sudo by running \"rpm -e sudo\"" 2>&1
echo "or upgrade the existing version of sudo using the .rpm packagae instead" 2>&1
echo "instead of the .bff package." 2>&1
echo "" 2>&1
echo "Note that you may need to pass rpm the --oldpackage flag when upgrading" 2>&1
echo "the AIX Toolbox version of sudo to the latest sudo rpm from sudo.ws." 2>&1
echo "" 2>&1
exit 1
fi
%post [!rpm,deb]
# Don't overwrite existing sudoers or sudo.conf files
%if [solaris]
sysconfdir=${PKG_INSTALL_ROOT}%{sysconfdir}
exampledir=${PKG_INSTALL_ROOT}%{exampledir}
%else
sysconfdir=%{sysconfdir}
exampledir=%{exampledir}
%endif
if test ! -r $sysconfdir/sudoers; then
cp $sysconfdir/sudoers.dist $sysconfdir/sudoers
chmod %{sudoers_mode} $sysconfdir/sudoers
chown %{sudoers_uid} $sysconfdir/sudoers
chgrp %{sudoers_gid} $sysconfdir/sudoers
fi
if test ! -r $sysconfdir/sudo.conf; then
cp $exampledir/sudo.conf $sysconfdir/sudo.conf
chmod 644 $sysconfdir/sudo.conf
chown root $sysconfdir/sudo.conf
fi
%post [deb]
set -e
# dpkg-deb does not maintain the mode on the sudoers file, and
# installs it 0640 when sudo requires 0440
chmod %{sudoers_mode} %{sysconfdir}/sudoers
# create symlink to ease transition to new path for ldap config
# if old config file exists and new one doesn't
if test X"%{flavor}" = X"ldap" -a \
-r /etc/ldap/ldap.conf -a ! -r /etc/sudo-ldap.conf; then
ln -s /etc/ldap/ldap.conf /etc/sudo-ldap.conf
fi
# Debian uses a sudo group in its default sudoers file
perl -e '
exit 0 if getgrnam("sudo");
$gid = 27; # default debian sudo gid
setgrent();
while (getgrgid($gid)) { $gid++; }
if ($gid != 27) {
print "On Debian we normally use gid 27 for \"sudo\".\n";
$gname = getgrgid(27);
print "However, on your system gid 27 is group \"$gname\".\n\n";
print "Would you like me to stop configuring sudo so that you can change this? [n] ";
$ans = <STDIN>;
if ($ans =~ /^[yY]/) {
print "\"dpkg --pending --configure\" will restart the configuration.\n\n";
exit 1;
}
}
print "Creating group \"sudo\" with gid = $gid\n";
system("groupadd -g $gid sudo");
exit 0;
'
%post [rpm]
case "%{pp_rpm_distro}" in
aix*)
# Create /etc/rc.d/rc2.d/S90sudo link if possible
if [ -d /etc/rc.d/rc2.d ]; then
rm -f /etc/rc.d/rc2.d/S90sudo
ln -s /etc/rc.d/init.d/sudo /etc/rc.d/rc2.d/S90sudo
fi
;;
esac
%post [rpm,deb]
# Create /usr/lib/tmpfiles.d/sudo.conf if systemd is configured.
# Must be tab indented for "<<-".
if [ -f /usr/lib/tmpfiles.d/systemd.conf ]; then
cat > /usr/lib/tmpfiles.d/sudo.conf <<-EOF
# Create an empty sudo time stamp directory on OSes using systemd.
# Sudo will create the directory itself but this can cause problems
# on systems that have SELinux enabled since the directories will be
# created with the user's security context.
d %{rundir} 0711 root root
D %{rundir}/ts 0700 root root
EOF
fi
%post [aix]
# Create /etc/rc.d/rc2.d/S90sudo link if /etc/rc.d exists
if [ -d /etc/rc.d ]; then
rm -f /etc/rc.d/rc2.d/S90sudo
ln -s /etc/rc.d/init.d/sudo /etc/rc.d/rc2.d/S90sudo
fi
%post [sd]
# Create /sbin/rc2.d/S900sudo link
rm -f /sbin/rc2.d/S900sudo
ln -s /sbin/init.d/sudo /sbin/rc2.d/S900sudo
%preun
# Remove the time stamp dir and its contents
# We currently leave the lecture status files installed
rm -rf %{rundir}/ts
%if [deb]
set -e
# Remove the /etc/ldap/ldap.conf -> /etc/sudo-ldap.conf symlink if
# it matches what we created in the postinstall script.
if test X"%{flavor}" = X"ldap" -a \
X"`readlink /etc/sudo-ldap.conf 2>/dev/null`" = X"/etc/ldap/ldap.conf"; then
rm -f /etc/sudo-ldap.conf
fi
# Remove systemd tmpfile config
rm -f /usr/lib/tmpfiles.d/sudo.conf
%endif
%if [rpm]
case "%{pp_rpm_distro}" in
aix*)
# Remove /etc/rc.d/rc2.d/S90sudo link
rm -f /etc/rc.d/rc2.d/S90sudo
;;
*)
# Remove systemd tmpfile config
rm -f /usr/lib/tmpfiles.d/sudo.conf
;;
esac
%endif
%if [aix]
# Remove /etc/rc.d/rc2.d/S90sudo link
rm -f /etc/rc.d/rc2.d/S90sudo
%endif
%if [sd]
# Remove /sbin/rc2.d/S900sudo link
rm -f /sbin/rc2.d/S900sudo
%endif

138
examples/Makefile.in Normal file

@ -0,0 +1,138 @@
#
# SPDX-License-Identifier: ISC
#
# Copyright (c) 2014, 2017-2023 Todd C. Miller <Todd.Miller@sudo.ws>
#
# Permission to use, copy, modify, and distribute this software for any
# purpose with or without fee is hereby granted, provided that the above
# copyright notice and this permission notice appear in all copies.
#
# THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
# WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
# MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
# ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
# WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
# ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
# OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
#
# @configure_input@
#
#### Start of system configuration section. ####
srcdir = @srcdir@
abs_srcdir = @abs_srcdir@
top_srcdir = @top_srcdir@
abs_top_srcdir = @abs_top_srcdir@
top_builddir = @top_builddir@
abs_top_builddir = @abs_top_builddir@
exampledir = @exampledir@
docdir = @docdir@
scriptdir = $(top_srcdir)/scripts
# Our install program supports extra flags...
INSTALL = $(SHELL) $(scriptdir)/install-sh -c
INSTALL_OWNER = -o $(install_uid) -g $(install_gid)
# Where to install things...
prefix = @prefix@
exec_prefix = @exec_prefix@
bindir = @bindir@
sbindir = @sbindir@
sysconfdir = @sysconfdir@
adminconfdir = @adminconfdir@
libexecdir = @libexecdir@
datarootdir = @datarootdir@
localstatedir = @localstatedir@
# User and group ids the installed files should be "owned" by
install_uid = 0
install_gid = 0
#### End of system configuration section. ####
SHELL = @SHELL@
LOGSRVD_CONF = @LOGSRVD_CONF@
EXAMPLES = $(srcdir)/cvtsudoers.conf $(srcdir)/pam.conf sudo.conf \
$(LOGSRVD_CONF) sudoers syslog.conf
VERSION = @PACKAGE_VERSION@
PACKAGE_TARNAME = @PACKAGE_TARNAME@
all: $(EXAMPLES)
depend:
Makefile: $(srcdir)/Makefile.in
cd $(top_builddir) && ./config.status --file examples/Makefile
sudoers: $(srcdir)/sudoers.in
cd $(top_builddir) && ./config.status --file examples/sudoers
sudo.conf: $(srcdir)/sudo.conf.in
cd $(top_builddir) && ./config.status --file examples/sudo.conf
sudo_logsrvd.conf: $(srcdir)/sudo_logsrvd.conf.in
cd $(top_builddir) && ./config.status --file examples/sudo_logsrvd.conf
syslog.conf: $(srcdir)/syslog.conf.in
cd $(top_builddir) && ./config.status --file examples/syslog.conf
pre-install:
install: install-doc
install-dirs:
$(SHELL) $(scriptdir)/mkinstalldirs $(DESTDIR)$(exampledir)
install-binaries:
install-includes:
install-doc: install-dirs
for f in $(EXAMPLES); do $(INSTALL) $(INSTALL_OWNER) -m 0644 $$f $(DESTDIR)$(exampledir); done
test -r $(DESTDIR)$(sysconfdir)/sudo.conf || \
$(INSTALL) $(INSTALL_OWNER) -m 0644 sudo.conf $(DESTDIR)$(sysconfdir)
if test -n "$(LOGSRVD_CONF)" -a ! -r $(DESTDIR)$(sysconfdir)/sudo_logsrvd.conf; then \
$(INSTALL) $(INSTALL_OWNER) -m 0644 $(LOGSRVD_CONF) $(DESTDIR)$(sysconfdir); \
fi
install-plugin:
install-fuzzer:
uninstall:
-rm -rf $(DESTDIR)$(exampledir)
splint:
cppcheck:
pvs-log-files:
pvs-studio:
fuzz:
check-fuzzer:
check: check-fuzzer
check-verbose: check
clean:
mostlyclean: clean
distclean: clean
-rm -rf Makefile sudo.conf sudo_logsrvd.conf sudoers syslog.conf
clobber: distclean
realclean: distclean
cleandir: distclean
.PHONY: clean mostlyclean distclean cleandir clobber realclean
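Review bot: `uninstall` runs `rm -rf $(DESTDIR)$(exampledir)`, removing the whole directory rather than the files this Makefile installed; because `exampledir` comes from `@exampledir@` and may be shared with other documentation, that can delete files that are not sudo's. Prefer removing the installed examples by name, e.g. `for f in $(EXAMPLES); do rm -f $(DESTDIR)$(exampledir)/$$(basename $$f); done`, and then `rmdir` the directory only if it is empty.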

82
examples/cvtsudoers.conf Normal file

@ -0,0 +1,82 @@
#
# Example /etc/cvtsudoers.conf file
#
# This file is optional and allows you to override the cvtsudoers
# default values.
#
# Only convert Defaults entries of the specified types.
# One or more Defaults types may be specified, separated by a comma (',').
# The supported types are: all, global, user, runas, host, command.
#defaults = all
# Expand aliases in input_file. Aliases are preserved by
# default when the output format is JSON or sudoers.
#expand_aliases = no
# Use an alternate group file. When "match_local" is also enabled, perform
# group queries using the specified file instead of the system group database.
#group_file = /etc/group
# Default input format. Only the sudoers and LDIF formats are supported.
#input_format = sudoers
# Only output rules that match the specified filter. A filter expression
# is made up of one or more key = value pairs, separated by a comma (',').
# The key may be "cmnd" (or "cmd"), "host", "group", or "user".
#match = user=www,group=wheel
# Match locally. If enabled, use password and group database information
# when matching users and groups in the filter. Only users and groups
# in the filter that exist on the local system will match, and a user's
# groups will automatically be added to the filter. By default, users and
# groups in the filter do not need to exist on the local system, but all
# groups used for matching must be explicitly listed in the filter.
#match_local = no
# When generating LDIF output, increment each sudoOrder attribute by the
# specified number. Defaults to an increment of 1.
#order_increment = 1
# When generating LDIF output, use the number specified by "start_point"
# in the sudoOrder attribute of the first sudoRole object. Subsequent
# sudoRole object use a sudoOrder value generated by adding the
# increment set by "order_increment". Defaults to a starting point
# of 1. A starting point of 0 will disable the generation of sudoOrder
# attributes in the resulting LDIF file.
#order_start = 1
# Specify the default output format (case-insensitive). The following
# formats are supported: csv | json | ldif | sudoers.
# Defaults to LDIF.
#output_format = ldif
# When generating LDIF output, construct the initial sudoOrder value
# by concatenating order_start and increment, padding the increment
# with zeros until it consists of padding digits. For example, if
# order_start is 1027, padding is 3, and increment is 1, the value
# of sudoOrder for the first entry will be 1027000, followed by
# 1027001, 1027002, etc. If the number of sudoRole entries is larger
# than the padding would allow, cvtsudoers will exit with an error.
# By default, no padding is performed.
#padding = 0
# Use an alternate passwd file. When "match_local" is also enabled, perform
# passwd queries using the specified file instead of the system passwd database.
#passwd_file = /etc/passwd
# When "match_local" is also enabled, cvtsudoers will prune
# out non-matching users, groups and hosts from matching entries.
# Defaults to no.
#prune_matches = no
# The base DN (distinguished name) that will be used when performing LDAP
# queries. If this option is not specified, the value of the SUDOERS_BASE
# environment variable will be used instead.
#sudoers_base = ou=SUDOers,dc=my-domain,dc=com
# Suppress the output of specific sections of the security policy.
# One or more section names may be specified, separated by a comma (',').
# The supported section name are: defaults, aliases and privileges
# (which may be shortened to privs).
#suppress = defaults,aliases,privs
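Review bot: the comment above `#order_start = 1` refers to the setting as "start_point", a name that appears nowhere else in the file; it should read "order_start" so readers do not look for a non-existent option. Two grammar fixes in the same file: "Subsequent sudoRole object use" should be "objects use", and "The supported section name are" should be "names are".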

30
examples/pam.conf Normal file

@ -0,0 +1,30 @@
#%PAM-1.0
# Sample /etc/pam.d/sudo file for RedHat 9 / Fedora Core.
# For other Linux distributions you may want to
# use /etc/pam.d/sshd or /etc/pam.d/su as a guide.
#
# There are two basic ways to configure PAM, either via pam_stack
# or by explicitly specifying the various methods to use.
#
# Here we use pam_stack
auth required pam_stack.so service=system-auth
account required pam_stack.so service=system-auth
password required pam_stack.so service=system-auth
session required pam_stack.so service=system-auth
#
# Alternately, you can specify the authentication method directly.
# Here we use pam_unix for normal password authentication.
#auth required pam_env.so
#auth sufficient pam_unix.so
#account required pam_unix.so
#password required pam_cracklib.so retry=3 type=
#password required pam_unix.so nullok use_authtok md5 shadow
#session required pam_limits.so
#session required pam_unix.so
#
# Another option is to use SMB for authentication.
#auth required pam_env.so
#auth sufficient pam_smb_auth.so
#account required pam_smb_auth.so
#password required pam_smb_auth.so
#session required pam_limits.so
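Review bot: the active `pam_stack.so service=system-auth` lines and the "RedHat 9 / Fedora Core" reference are obsolete; pam_stack was replaced by the `include` (and later `substack`) control keyword, so this sample will not load on a current Red Hat or Fedora system. Switch the four active lines to `auth include system-auth` and so on, and update the header comment. In the commented-out pam_unix alternative, `nullok` accepts empty passwords and `md5` selects a weak hash for newly set passwords; a sample that people copy should drop `nullok` and use `sha512`.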

131
examples/sudo.conf.in Normal file

@ -0,0 +1,131 @@
#
# Default @sysconfdir@/sudo.conf file
#
# Sudo plugins:
# Plugin plugin_name plugin_path plugin_options ...
#
# The plugin_path is relative to @plugindir@ unless
# fully qualified.
# The plugin_name corresponds to a global symbol in the plugin
# that contains the plugin interface structure.
# The plugin_options are optional.
#
# The sudoers plugin is used by default if no Plugin lines are present.
#Plugin sudoers_policy @sudoers_plugin@
#Plugin sudoers_io @sudoers_plugin@
#Plugin sudoers_audit @sudoers_plugin@
#
# Sudo askpass:
# Path askpass /path/to/askpass
#
# An askpass helper program may be specified to provide a graphical
# password prompt for "sudo -A" support. Sudo does not ship with its
# own askpass program but can use the OpenSSH askpass.
#
# Use the OpenSSH askpass
#Path askpass /usr/X11R6/bin/ssh-askpass
#
# Use the Gnome OpenSSH askpass
#Path askpass /usr/libexec/openssh/gnome-ssh-askpass
#
# Sudo device search path:
# Path devsearch /dev/path1:/dev/path2:/dev
#
# A colon-separated list of paths to check when searching for a user's
# terminal device.
#
#Path devsearch /dev/pts:/dev/vt:/dev/term:/dev/zcons:/dev/pty:/dev
#
# Sudo command interception:
# Path intercept /path/to/sudo_intercept.so
#
# Path to a shared library containing replacements for the execv(),
# execve() and fexecve() library functions that perform a policy check
# to verify the command is allowed and simply return an error if not.
# This is used to implement the "intercept" functionality on systems that
# support LD_PRELOAD or its equivalent.
#
# The compiled-in value is usually sufficient and should only be changed
# if you rename or move the sudo_intercept.so file.
#
#Path intercept @intercept_file@
#
# Sudo noexec:
# Path noexec /path/to/sudo_noexec.so
#
# Path to a shared library containing replacements for the execv(),
# execve() and fexecve() library functions that just return an error.
# This is used to implement the "noexec" functionality on systems that
# support LD_PRELOAD or its equivalent.
#
# The compiled-in value is usually sufficient and should only be changed
# if you rename or move the sudo_noexec.so file.
#
#Path noexec @noexec_file@
#
# Sudo plugin directory:
# Path plugin_dir /path/to/plugins
#
# The default directory to use when searching for plugins that are
# specified without a fully qualified path name.
#
#Path plugin_dir @plugindir@
#
# Core dumps:
# Set disable_coredump true|false
#
# By default, sudo disables core dumps while it is executing (they
# are re-enabled for the command that is run).
# To aid in debugging sudo problems, you may wish to enable core
# dumps by setting "disable_coredump" to false.
#
#Set disable_coredump false
#
# User groups:
# Set group_source static|dynamic|adaptive
#
# Sudo passes the user's group list to the policy plugin.
# If the user is a member of the maximum number of groups (usually 16),
# sudo will query the group database directly to be sure to include
# the full list of groups.
#
# On some systems, this can be expensive so the behavior is configurable.
# The "group_source" setting has three possible values:
# static - use the user's list of groups returned by the kernel.
# dynamic - query the group database to find the list of groups.
# adaptive - if user is in less than the maximum number of groups.
# use the kernel list, else query the group database.
#
#Set group_source static
#
# Sudo interface probing:
# Set probe_interfaces true|false
#
# By default, sudo will probe the system's network interfaces and
# pass the IP address of each enabled interface to the policy plugin.
# On systems with a large number of virtual interfaces this may take
# a noticeable amount of time.
#
#Set probe_interfaces false
#
# Sudo debug files:
# Debug program /path/to/debug_log subsystem@priority[,subsyste@priority]
#
# Sudo and related programs support logging debug information to a file.
# The program is typically sudo, sudoers.so, sudoreplay, or visudo.
#
# Subsystems vary based on the program; "all" matches all subsystems.
# Priority may be crit, err, warn, notice, diag, info, trace, or debug.
# Multiple subsystem@priority may be specified, separated by a comma.
#
#Debug sudo @log_dir@/sudo_debug all@debug
#Debug sudoers.so @log_dir@/sudoers_debug all@debug
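Review bot: typo in the Debug syntax line: `subsyste@priority` should be `subsystem@priority`. In the `group_source` description, the `adaptive` entry ends its first clause with a period where a comma is meant ("if user is in less than the maximum number of groups, use the kernel list, else query the group database").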


@ -0,0 +1,251 @@
#
# sudo logsrv daemon configuration
#
[server]
# The host name or IP address and port to listen on with an optional TLS
# flag. If no port is specified, port 30343 will be used for plaintext
# connections and port 30344 will be used to TLS connections.
# The following forms are accepted:
# listen_address = hostname(tls)
# listen_address = hostname:port(tls)
# listen_address = IPv4_address(tls)
# listen_address = IPv4_address:port(tls)
# listen_address = [IPv6_address](tls)
# listen_address = [IPv6_address]:port(tls)
#
# The (tls) suffix should be omitted for plaintext connections.
#
# Multiple listen_address settings may be specified.
# The default is to listen on all addresses.
#listen_address = *:30343
#listen_address = *:30344(tls)
# The file containing the ID of the running sudo_logsrvd process.
#pid_file = @rundir@/sudo_logsrvd.pid
# Where to log server warnings: none, stderr, syslog, or a path name.
#server_log = syslog
# If true, enable the SO_KEEPALIVE socket option on client connections.
# Defaults to true.
#tcp_keepalive = true
# The amount of time, in seconds, the server will wait for the client to
# respond. A value of 0 will disable the timeout. The default value is 30.
#timeout = 30
# If true, the server will validate its own certificate at startup.
# Defaults to true.
#tls_verify = true
# If true, client certificates will be validated by the server;
# clients without a valid certificate will be unable to connect.
# By default, client certs are not checked.
#tls_checkpeer = false
# Path to a certificate authority bundle file in PEM format to use
# instead of the system's default certificate authority database.
#tls_cacert = /etc/ssl/sudo/cacert.pem
# Path to the server's certificate file in PEM format.
# Required for TLS connections.
#tls_cert = /etc/ssl/sudo/certs/logsrvd_cert.pem
# Path to the server's private key file in PEM format.
# Required for TLS connections.
#tls_key = /etc/ssl/sudo/private/logsrvd_key.pem
# TLS cipher list (see "CIPHER LIST FORMAT" in the openssl-ciphers manual).
# This setting is only effective if the negotiated protocol is TLS version
# 1.2. The default cipher list is HIGH:!aNULL.
#tls_ciphers_v12 = HIGH:!aNULL
# TLS cipher list if the negotiated protocol is TLS version 1.3.
# The default cipher list is TLS_AES_256_GCM_SHA384.
#tls_ciphers_v13 = TLS_AES_256_GCM_SHA384
# Path to the Diffie-Hellman parameter file in PEM format.
# If not set, the server will use the OpenSSL defaults.
#tls_dhparams = /etc/ssl/sudo/logsrvd_dhparams.pem
[relay]
# The host name or IP address and port to send logs to in relay mode.
# The syntax is identical to listen_address with the exception of
# the wild card ('*') syntax. When this setting is enabled, logs will
# be relayed to the specified host instead of being stored locally.
# This setting is not enabled by default.
#relay_host = relayhost.dom.ain
#relay_host = relayhost.dom.ain(tls)
# The amount of time, in seconds, the server will wait for a connection
# to the relay server to complete. A value of 0 will disable the timeout.
# The default value is 30.
#connect_timeout = 30
# The directory to store messages in before they are sent to the relay.
# Messages are stored in wire format.
# The default value is @relay_dir@.
#relay_dir = @relay_dir@
# The number of seconds to wait after a connection error before
# making a new attempt to forward a message to a relay host.
# The default value is 30.
#retry_interval = 30
# Whether to store the log before relaying it. If true, enable store
# and forward mode. If false, the client connection is immediately
# relayed. Defaults to false.
#store_first = true
# If true, enable the SO_KEEPALIVE socket option on relay connections.
# Defaults to true.
#tcp_keepalive = true
# The amount of time, in seconds, the server will wait for the relay to
# respond. A value of 0 will disable the timeout. The default value is 30.
#timeout = 30
# If true, the server's relay certificate will be verified at startup.
# The default is to use the value in the [server] section.
#tls_verify = true
# Whether to verify the relay's certificate for TLS connections.
# The default is to use the value in the [server] section.
#tls_checkpeer = false
# Path to a certificate authority bundle file in PEM format to use
# instead of the system's default certificate authority database.
# The default is to use the value in the [server] section.
#tls_cacert = /etc/ssl/sudo/cacert.pem
# Path to the server's certificate file in PEM format.
# The default is to use the certificate in the [server] section.
#tls_cert = /etc/ssl/sudo/certs/logsrvd_cert.pem
# Path to the server's private key file in PEM format.
# The default is to use the key in the [server] section.
#tls_key = /etc/ssl/sudo/private/logsrvd_key.pem
# TLS cipher list (see "CIPHER LIST FORMAT" in the openssl-ciphers manual).
# this setting is only effective if the negotiated protocol is TLS version
# 1.2. The default is to use the value in the [server] section.
#tls_ciphers_v12 = HIGH:!aNULL
# TLS cipher list if the negotiated protocol is TLS version 1.3.
# The default is to use the value in the [server] section.
#tls_ciphers_v13 = TLS_AES_256_GCM_SHA384
# Path to the Diffie-Hellman parameter file in PEM format.
# The default is to use the value in the [server] section.
#tls_dhparams = /etc/ssl/sudo/logsrvd_dhparams.pem
[iolog]
# The top-level directory to use when constructing the path name for the
# I/O log directory. The session sequence number, if any, is stored here.
#iolog_dir = @iolog_dir@
# The path name, relative to iolog_dir, in which to store I/O logs.
# It is possible for iolog_file to contain directory components.
#iolog_file = %{seq}
# If set, I/O logs will be compressed using zlib. Enabling compression can
# make it harder to view the logs in real-time as the program is executing.
#iolog_compress = false
# If set, I/O log data is flushed to disk after each write instead of
# buffering it. This makes it possible to view the logs in real-time
# as the program is executing but reduces the effectiveness of compression.
#iolog_flush = true
# The group to use when creating new I/O log files and directories.
# If iolog_group is not set, the primary group-ID of the user specified
# by iolog_user is used. If neither iolog_group nor iolog_user
# are set, I/O log files and directories are created with group-ID 0.
#iolog_group = wheel
# The user to use when setting the user-ID and group-ID of new I/O
# log files and directories. If iolog_group is set, it will be used
# instead of the user's primary group-ID. By default, I/O log files
# and directories are created with user and group-ID 0.
#iolog_user = root
# The file mode to use when creating I/O log files. The file permissions
# will always include the owner read and write bits, even if they are
# not present in the specified mode. When creating I/O log directories,
# search (execute) bits are added to match the read and write bits
# specified by iolog_mode.
#iolog_mode = 0600
# If disabled, sudo_logsrvd will attempt to avoid logging plaintext
# password in the terminal input using passprompt_regex.
#log_passwords = true
# The maximum sequence number that will be substituted for the "%{seq}"
# escape in the I/O log file. While the value substituted for "%{seq}"
# is in base 36, maxseq itself should be expressed in decimal. Values
# larger than 2176782336 (which corresponds to the base 36 sequence
# number "ZZZZZZ") will be silently truncated to 2176782336.
#maxseq = 2176782336
# One or more POSIX extended regular expressions used to match
# password prompts in the terminal output when log_passwords is
# disabled. Multiple passprompt_regex settings may be specified.
#passprompt_regex = [Pp]assword[: ]*
#passprompt_regex = [Pp]assword for [a-z0-9]+: *
[eventlog]
# Where to log accept, reject, exit, and alert events.
# Accepted values are syslog, logfile, or none.
# Defaults to syslog
#log_type = syslog
# Whether to log an event when a command exits or is terminated by a signal.
# Defaults to false
#log_exit = true
# Event log format.
# Supported log formats are "sudo" and "json"
# Defaults to sudo
#log_format = sudo
[syslog]
# The maximum length of a syslog payload.
# On many systems, syslog(3) has a relatively small log buffer.
# IETF RFC 5424 states that syslog servers must support messages
# of at least 480 bytes and should support messages up to 2048 bytes.
# Messages larger than this value will be split into multiple messages.
#maxlen = 960
# The syslog facility to use for event log messages.
# The following syslog facilities are supported: authpriv (if your OS
# supports it), auth, daemon, user, local0, local1, local2, local3,
# local4, local5, local6, and local7.
#facility = @logfac@
# Syslog priority to use for event log accept messages, when the command
# is allowed by the security policy. The following syslog priorities are
# supported: alert, crit, debug, emerg, err, info, notice, warning, none.
#accept_priority = @goodpri@
# Syslog priority to use for event log reject messages, when the command
# is not allowed by the security policy.
#reject_priority = @badpri@
# Syslog priority to use for event log alert messages reported by the
# client.
#alert_priority = @badpri@
# The syslog facility to use for server warning messages.
# Defaults to daemon.
#server_facility = daemon
[logfile]
# The path to the file-based event log.
# This path must be fully-qualified and start with a '/' character.
#path = @logpath@
# The format string used when formatting the date and time for
# file-based event logs. Formatting is performed via strftime(3) so
# any format string supported by that function is allowed.
#time_format = %h %e %T
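Review bot: the second `passprompt_regex` example, `[Pp]assword for [a-z0-9]+: *`, matches only lowercase alphanumeric user names; a prompt for a user whose name contains uppercase letters, underscores or hyphens will not match, and since passprompt_regex is what stops the typed password from reaching the I/O log when `log_passwords` is false, that password would then be recorded. Widen the class, e.g. `[A-Za-z0-9_.-]+`. Wording fixes in the same file: "port 30344 will be used to TLS connections" should be "for TLS connections", "logging plaintext password" should be "passwords", and "this setting is only effective" in the [relay] cipher comment should start with a capital letter.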

133
examples/sudoers.in Normal file

@ -0,0 +1,133 @@
#
# Sample /etc/sudoers file.
#
# This file MUST be edited with the 'visudo' command as root.
#
# See the sudoers man page for the details on how to write a sudoers file.
##
# Override built-in defaults
##
Defaults syslog=auth,runcwd=~
Defaults>root !set_logname
Defaults:FULLTIMERS !lecture,runchroot=*
Defaults:millert !authenticate
Defaults@SERVERS log_year, logfile=@log_dir@/sudo.log
Defaults!PAGERS noexec
##
# User alias specification
##
User_Alias FULLTIMERS = millert, mikef, dowdy
User_Alias PARTTIMERS = bostley, jwfox, crawl
User_Alias WEBADMIN = will, wendy, wim
##
# Runas alias specification
##
Runas_Alias OP = root, operator
Runas_Alias DB = oracle, sybase
##
# Host alias specification
##
Host_Alias SPARC = bigtime, eclipse, moet, anchor:\
SGI = grolsch, dandelion, black:\
ALPHA = widget, thalamus, foobar:\
HPPA = boa, nag, python
Host_Alias CUNETS = 128.138.0.0/255.255.0.0
Host_Alias CSNETS = 128.138.243.0, 128.138.204.0/24, 128.138.242.0
Host_Alias SERVERS = primary, mail, www, ns
Host_Alias CDROM = orion, perseus, hercules
##
# Cmnd alias specification
##
Cmnd_Alias DUMPS = /usr/sbin/dump, /usr/sbin/rdump, /usr/sbin/restore, \
/usr/sbin/rrestore, /usr/bin/mt, \
sha224:0GomF8mNN3wlDt1HD9XldjJ3SNgpFdbjO1+NsQ== \
/home/operator/bin/start_backups
Cmnd_Alias KILL = /usr/bin/kill, /usr/bin/top
Cmnd_Alias PRINTING = /usr/sbin/lpc, /usr/bin/lprm
Cmnd_Alias SHUTDOWN = /usr/sbin/shutdown
Cmnd_Alias HALT = /usr/sbin/halt
Cmnd_Alias REBOOT = /usr/sbin/reboot
Cmnd_Alias SHELLS = /sbin/sh, /usr/bin/sh, /usr/bin/csh, /usr/bin/ksh, \
/usr/local/bin/tcsh, /usr/bin/rsh, \
/usr/local/bin/zsh
Cmnd_Alias SU = /usr/bin/su
Cmnd_Alias VIPW = /usr/sbin/vipw, /usr/bin/passwd, /usr/bin/chsh, \
/usr/bin/chfn
Cmnd_Alias PAGERS = /usr/bin/more, /usr/bin/pg, /usr/bin/less
##
# User specification
##
# root and users in group wheel can run anything on any machine as any user
root ALL = (ALL:ALL) ALL
%wheel ALL = (ALL:ALL) ALL
# full time sysadmins can run anything on any machine without a password
FULLTIMERS ALL = (ALL:ALL) NOPASSWD: ALL
# part time sysadmins may run anything as root but need a password
PARTTIMERS ALL = ALL
# jack may run anything on machines in CSNETS
jack CSNETS = ALL
# lisa may run any command on any host in CUNETS (a class B network)
lisa CUNETS = ALL
# operator may run maintenance commands and anything in /usr/oper/bin/
operator ALL = DUMPS, KILL, SHUTDOWN, HALT, REBOOT, PRINTING,\
sudoedit /etc/printcap, /usr/oper/bin/
# joe may su only to operator
joe ALL = /usr/bin/su operator
# pete may change passwords for anyone but root on the hp snakes
pete HPPA = /usr/bin/passwd ^[a-zA-Z0-9_]+$, !/usr/bin/passwd root
# bob may run anything on the sparc and sgi machines as any user
# listed in the Runas_Alias "OP" (ie: root and operator)
bob SPARC = (OP) ALL : SGI = (OP) ALL
# jim may run anything on machines in the biglab netgroup
jim +biglab = ALL
# users in the secretaries netgroup need to help manage the printers
# as well as add and remove users
+secretaries ALL = PRINTING, /usr/bin/adduser, /usr/bin/rmuser
# fred can run commands as oracle or sybase without a password
fred ALL = (DB) NOPASSWD: ALL
# on the alphas, john may su to anyone except root, no flags are allowed.
john ALPHA = /usr/bin/su ^[a-zA-Z0-9_]+$, !/usr/bin/su root
# jen can run anything on all machines except the ones
# in the "SERVERS" Host_Alias
jen ALL, !SERVERS = ALL
# jill can run any commands in the directory /usr/bin/, except for
# those in the SU and SHELLS aliases.
jill SERVERS = /usr/bin/, !SU, !SHELLS
# steve can run any command in the directory /usr/local/op_commands/
# as user operator.
steve CSNETS = (operator) /usr/local/op_commands/
# matt needs to be able to kill things on his workstation when
# they get hung.
matt valkyrie = KILL
# users in the WEBADMIN User_Alias (will, wendy, and wim)
# may run any command as user www (which owns the web pages)
# or simply su to www.
WEBADMIN www = (www) ALL, (root) /usr/bin/su www
# anyone can mount/unmount a cd-rom on the machines in the CDROM alias
ALL CDROM = NOPASSWD: /sbin/umount /CDROM,\
/sbin/mount -o nosuid\,nodev /dev/cd0a /CDROM
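Review bot: `jill SERVERS = /usr/bin/, !SU, !SHELLS` grants every program in /usr/bin and then subtracts two aliases; the sudoers manual's documented limitation of the `!` operator applies here, because the directory also holds editors, pagers and interpreters that can run other commands, so the exclusion does not give the restriction the comment implies. Either add a comment pointing readers at that limitation or pair the rule with a `Defaults!` noexec entry, as the file already does for PAGERS. Also, "ie:" in the comment on bob's rule should be "i.e.".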

26
examples/syslog.conf.in Normal file

@ -0,0 +1,26 @@
# This is a sample syslog.conf fragment for use with Sudo.
#
# By default, sudo logs to "authpriv" if your system supports it, else it
# uses "auth". The facility can be set via the --with-logfac configure
# option or in the sudoers file.
# To see what syslog facility a sudo binary uses, run `sudo -V' as *root*.
#
# NOTES:
# The whitespace in the following line is made up of <TAB>
# characters, *not* spaces. You cannot just cut and paste!
#
# If you edit syslog.conf you need to send syslogd a HUP signal.
# Ie: kill -HUP process_id
#
# Syslogd will not create new log files for you, you must first
# create the file before syslogd will log to it. Eg.
# 'touch @log_dir@/sudo'
# This logs successful and failed sudo attempts to the file @log_dir@/auth
# If your system has the authpriv syslog facility, use authpriv.debug
auth.debug @log_dir@/auth
# To log to a remote machine, use something like the following,
# where "loghost" is the name of the remote machine.
# If your system has the authpriv syslog facility, use authpriv.debug
auth.debug @loghost
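Review bot: the NOTES block tells the reader to run `touch @log_dir@/sudo`, but the active rule below logs to `@log_dir@/auth`; since syslogd will not create the file, following the note as written leaves the configured log file missing. Make the two paths agree. Also, "Ie:" should be "i.e.".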

115
include/Makefile.in Normal file

@ -0,0 +1,115 @@
#
# SPDX-License-Identifier: ISC
#
# Copyright (c) 2011-2015, 2017-2023 Todd C. Miller <Todd.Miller@sudo.ws>
#
# Permission to use, copy, modify, and distribute this software for any
# purpose with or without fee is hereby granted, provided that the above
# copyright notice and this permission notice appear in all copies.
#
# THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
# WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
# MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
# ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
# WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
# ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
# OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
#
# @configure_input@
#
#### Start of system configuration section. ####
srcdir = @srcdir@
abs_srcdir = @abs_srcdir@
top_srcdir = @top_srcdir@
abs_top_srcdir = @abs_top_srcdir@
top_builddir = @top_builddir@
abs_top_builddir = @abs_top_builddir@
includedir = @includedir@
scriptdir = $(top_srcdir)/scripts
cross_compiling = @CROSS_COMPILING@
# Our install program supports extra flags...
INSTALL = $(SHELL) $(scriptdir)/install-sh -c
INSTALL_OWNER = -o $(install_uid) -g $(install_gid)
# Where to install things...
prefix = @prefix@
exec_prefix = @exec_prefix@
bindir = @bindir@
sbindir = @sbindir@
sysconfdir = @sysconfdir@
adminconfdir = @adminconfdir@
libexecdir = @libexecdir@
datarootdir = @datarootdir@
localstatedir = @localstatedir@
# User and group ids the installed files should be "owned" by
install_uid = 0
install_gid = 0
#### End of system configuration section. ####
SHELL = @SHELL@
all:
depend:
Makefile: $(srcdir)/Makefile.in
cd $(top_builddir) && ./config.status --file include/Makefile
.SUFFIXES: .h
pre-install:
install: install-includes
install-dirs:
$(SHELL) $(scriptdir)/mkinstalldirs $(DESTDIR)$(includedir)
install-binaries:
install-doc:
install-includes: install-dirs
$(INSTALL) $(INSTALL_OWNER) -m 0644 $(srcdir)/sudo_plugin.h $(DESTDIR)$(includedir)
install-plugin:
install-fuzzer:
uninstall:
-rm -f $(DESTDIR)$(includedir)/sudo_plugin.h
splint:
cppcheck:
pvs-log-files:
pvs-studio:
fuzz:
check-fuzzer:
check: check-fuzzer
check-verbose: check
clean:
mostlyclean: clean
distclean: clean
-rm -rf Makefile
clobber: distclean
realclean: distclean
cleandir: distclean
.PHONY: clean mostlyclean distclean cleandir clobber realclean
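Review bot: `cross_compiling = @CROSS_COMPILING@` is assigned but referenced by no rule in this Makefile, and `.SUFFIXES: .h` serves no purpose since nothing here is compiled; drop both or add a comment explaining why they are kept for consistency with the other Makefile.in files.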


@ -0,0 +1,41 @@
/*
* SPDX-License-Identifier: ISC
*
* Copyright (c) 2008, 2010 Todd C. Miller <Todd.Miller@sudo.ws>
*
* Permission to use, copy, modify, and distribute this software for any
* purpose with or without fee is hereby granted, provided that the above
* copyright notice and this permission notice appear in all copies.
*
* THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
* WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
* MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
* ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
* WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
* ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
* OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
*/
/*
* POSIX character class support for fnmatch() and glob().
*/
static struct cclass {
const char *name;
int (*isctype)(int);
} cclasses[] = {
{ "alnum", isalnum },
{ "alpha", isalpha },
{ "blank", isblank },
{ "cntrl", iscntrl },
{ "digit", isdigit },
{ "graph", isgraph },
{ "lower", islower },
{ "print", isprint },
{ "punct", ispunct },
{ "space", isspace },
{ "upper", isupper },
{ "xdigit", isxdigit },
{ NULL, NULL }
};
#define NCCLASSES (nitems(cclasses) - 1)
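Review bot: the `cclasses[]` table stores the `<ctype.h>` predicates as `int (*isctype)(int)`, but this file includes neither `<ctype.h>` nor whatever defines `nitems()`, and it has no include guard, so it only works when pulled into a .c file that already has both in scope; a one-line comment at the top stating that it is a private include for the fnmatch()/glob() sources, not a standalone header, would make that explicit. The point that matters for callers: every `isctype` predicate has undefined behaviour for argument values outside the `unsigned char` range other than `EOF`, so the matching code that calls `cclasses[i].isctype(c)` must pass the pattern or string byte as `(unsigned char)c`; otherwise bytes above 0x7f in a user-supplied pattern or filename arrive as negative `int`s.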

80
include/compat/endian.h Normal file

@ -0,0 +1,80 @@
/*
* SPDX-License-Identifier: ISC
*
* Copyright (c) 2013, 2022 Todd C. Miller <Todd.Miller@sudo.ws>
*
* Permission to use, copy, modify, and distribute this software for any
* purpose with or without fee is hereby granted, provided that the above
* copyright notice and this permission notice appear in all copies.
*
* THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
* WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
* MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
* ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
* WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
* ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
* OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
*/
#ifndef COMPAT_ENDIAN_H
#define COMPAT_ENDIAN_H
#ifndef BYTE_ORDER
# undef LITTLE_ENDIAN
# define LITTLE_ENDIAN 1234
# undef BIG_ENDIAN
# define BIG_ENDIAN 4321
# undef UNKNOWN_ENDIAN
# define UNKNOWN_ENDIAN 0
/*
* Attempt to guess endianness.
* Solaris may define _LITTLE_ENDIAN and _BIG_ENDIAN to 1
* HP-UX may define __LITTLE_ENDIAN__ and __BIG_ENDIAN__ to 1
* Otherwise, check for cpu-specific cpp defines.
* Note that some CPUs are bi-endian, including: arm, powerpc, alpha,
* sparc64, mips, hppa, sh4 and ia64.
* We just check for the most common uses.
*/
# if defined(__BYTE_ORDER__) && defined(__ORDER_LITTLE_ENDIAN__) && \
(__BYTE_ORDER__ == __ORDER_LITTLE_ENDIAN__)
# define BYTE_ORDER LITTLE_ENDIAN
# elif defined(__BYTE_ORDER__) && defined(__ORDER_BIG_ENDIAN__) && \
(__BYTE_ORDER__ == __ORDER_BIG_ENDIAN__)
# define BYTE_ORDER BIG_ENDIAN
# elif defined(__BYTE_ORDER)
# define BYTE_ORDER __BYTE_ORDER
# elif defined(_BYTE_ORDER)
# define BYTE_ORDER _BYTE_ORDER
# elif defined(_LITTLE_ENDIAN) || defined(__LITTLE_ENDIAN__)
# define BYTE_ORDER LITTLE_ENDIAN
# elif defined(_BIG_ENDIAN) || defined(__BIG_ENDIAN__)
# define BYTE_ORDER BIG_ENDIAN
# elif defined(__alpha__) || defined(__alpha) || defined(__amd64) || \
defined(BIT_ZERO_ON_RIGHT) || defined(i386) || defined(__i386) || \
defined(MIPSEL) || defined(_MIPSEL) || defined(ns32000) || \
defined(__ns3200) || defined(sun386) || defined(vax) || \
defined(__vax) || defined(__x86__) || defined(__riscv) || \
(defined(sun) && defined(__powerpc)) || \
(!defined(__hpux) && defined(__ia64))
# define BYTE_ORDER LITTLE_ENDIAN
# elif defined(__68k__) || defined(apollo) || defined(BIT_ZERO_ON_LEFT) || \
defined(__convex__) || defined(_CRAY) || defined(DGUX) || \
defined(__hppa) || defined(__hp9000) || defined(__hp9000s300) || \
defined(__hp9000s700) || defined(__hp3000s900) || \
defined(ibm032) || defined(ibm370) || defined(_IBMR2) || \
defined(is68k) || defined(mc68000) || defined(m68k) || \
defined(__m68k) || defined(m88k) || defined(__m88k) || \
defined(MIPSEB) || defined(_MIPSEB) || defined(MPE) || \
defined(pyr) || defined(__powerpc) || defined(__powerpc__) || \
defined(sel) || defined(__sparc) || defined(__sparc__) || \
defined(tahoe) || (defined(__hpux) && defined(__ia64)) || \
(defined(sun) && defined(__powerpc))
# define BYTE_ORDER BIG_ENDIAN
# else
# define BYTE_ORDER UNKNOWN_ENDIAN
# endif
#endif /* BYTE_ORDER */
#endif /* COMPAT_ENDIAN_H */
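Review bot: `(defined(sun) && defined(__powerpc))` appears in both the little-endian list (the `# elif defined(__alpha__) ...` branch) and the big-endian list (the `# elif defined(__68k__) ...` branch); because the little-endian branch is tested first, the second occurrence can never match, so either it is dead code or the first classification is wrong. Decide which byte order that platform should get and delete the other. Separately, the final `# define BYTE_ORDER UNKNOWN_ENDIAN` fallback compiles silently, so any `#if BYTE_ORDER == LITTLE_ENDIAN ... #else` chain in the code will take the big-endian branch on an undetected platform and produce wrong byte swapping at run time with no diagnostic; an `#error` (or at least a `#warning`) in that branch would surface the misdetection at build time rather than as corrupted data.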

34
include/compat/fnmatch.h Normal file

@ -0,0 +1,34 @@
/*
* SPDX-License-Identifier: ISC
*
* Copyright (c) 2011 Todd C. Miller <Todd.Miller@sudo.ws>
*
* Permission to use, copy, modify, and distribute this software for any
* purpose with or without fee is hereby granted, provided that the above
* copyright notice and this permission notice appear in all copies.
*
* THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
* WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
* MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
* ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
* WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
* ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
* OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
*/
#ifndef COMPAT_FNMATCH_H
#define COMPAT_FNMATCH_H
#define FNM_NOMATCH 1 /* String does not match pattern */
#define FNM_PATHNAME (1 << 0) /* Globbing chars don't match '/' */
#define FNM_PERIOD (1 << 1) /* Leading '.' in string must exactly */
#define FNM_NOESCAPE (1 << 2) /* Backslash treated as ordinary char */
#define FNM_LEADING_DIR (1 << 3) /* Only match the leading directory */
#define FNM_CASEFOLD (1 << 4) /* Case insensitive matching */
sudo_dso_public int sudo_fnmatch(const char *pattern, const char *string, int flags);
#define fnmatch(_a, _b, _c) sudo_fnmatch((_a), (_b), (_c))
#endif /* COMPAT_FNMATCH_H */
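Review bot: the comment on `FNM_PERIOD` is cut off (`/* Leading '.' in string must exactly */`); it should say that a leading `.` in the string must be matched explicitly by a `.` in the pattern. Also, `#define fnmatch(_a, _b, _c) sudo_fnmatch((_a), (_b), (_c))` is not preceded by `#undef fnmatch`, unlike the `getaddrinfo` and `getopt_long` mappings elsewhere in this change, so a system header that already defines `fnmatch` as a macro will trigger a redefinition warning or, with stricter compilers, an error. Add the `#undef` for consistency.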


@ -0,0 +1,83 @@
/*
* Replacement implementation of getaddrinfo.
*
* This is an implementation of the getaddrinfo family of functions for
* systems that lack it, so that code can use getaddrinfo always. It provides
* IPv4 support only; for IPv6 support, a system getaddrinfo implementation is
* required.
*
* The canonical version of this file is maintained in the rra-c-util package,
* which can be found at <http://www.eyrie.org/~eagle/software/rra-c-util/>.
*
* Written by Russ Allbery <rra@stanford.edu>
*
* The authors hereby relinquish any claim to any copyright that they may have
* in this work, whether granted under contract or by operation of law or
* international treaty, and hereby commit to the public, at large, that they
* shall not, at any time in the future, seek to enforce any copyright in this
* work against any person or entity, or prevent any person or entity from
* copying, publishing, distributing or creating derivative works of this
* work.
*/
#ifndef COMPAT_GETADDRINFO_H
#define COMPAT_GETADDRINFO_H
#include <config.h>
/* Skip this entire file if a system getaddrinfo was detected. */
#ifndef HAVE_GETADDRINFO
/* OpenBSD likes to have sys/types.h included before sys/socket.h. */
#include <sys/types.h>
#include <sys/socket.h>
/* The struct returned by getaddrinfo, from RFC 3493. */
struct addrinfo {
int ai_flags; /* AI_PASSIVE, AI_CANONNAME, .. */
int ai_family; /* AF_xxx */
int ai_socktype; /* SOCK_xxx */
int ai_protocol; /* 0 or IPPROTO_xxx for IPv4 and IPv6 */
socklen_t ai_addrlen; /* Length of ai_addr */
char *ai_canonname; /* Canonical name for nodename */
struct sockaddr *ai_addr; /* Binary address */
struct addrinfo *ai_next; /* Next structure in linked list */
};
/* Constants for ai_flags from RFC 3493, combined with binary or. */
#define AI_PASSIVE 0x0001
#define AI_CANONNAME 0x0002
#define AI_NUMERICHOST 0x0004
#define AI_NUMERICSERV 0x0008
#define AI_V4MAPPED 0x0010
#define AI_ALL 0x0020
#define AI_ADDRCONFIG 0x0040
/* Error return codes from RFC 3493. */
#define EAI_AGAIN 1 /* Temporary name resolution failure */
#define EAI_BADFLAGS 2 /* Invalid value in ai_flags parameter */
#define EAI_FAIL 3 /* Permanent name resolution failure */
#define EAI_FAMILY 4 /* Address family not recognized */
#define EAI_MEMORY 5 /* Memory allocation failure */
#define EAI_NONAME 6 /* nodename or servname unknown */
#define EAI_SERVICE 7 /* Service not recognized for socket type */
#define EAI_SOCKTYPE 8 /* Socket type not recognized */
#define EAI_SYSTEM 9 /* System error occurred, see errno */
#define EAI_OVERFLOW 10 /* An argument buffer overflowed */
/* Function prototypes. */
sudo_dso_public int sudo_getaddrinfo(const char *nodename, const char *servname,
const struct addrinfo *hints, struct addrinfo **res);
sudo_dso_public void sudo_freeaddrinfo(struct addrinfo *ai);
sudo_dso_public const char *sudo_gai_strerror(int ecode);
/* Map sudo_* to RFC 3493 names. */
#undef getaddrinfo
#define getaddrinfo(_a, _b, _c, _d) sudo_getaddrinfo((_a), (_b), (_c), (_d))
#undef freeaddrinfo
#define freeaddrinfo(_a) sudo_freeaddrinfo((_a))
#undef gai_strerror
#define gai_strerror(_a) sudo_gai_strerror((_a))
#endif /* !HAVE_GETADDRINFO */
#endif /* COMPAT_GETADDRINFO_H */
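Review bot: the header comment states the replacement provides IPv4 support only, yet `AI_V4MAPPED`, `AI_ALL` and `AI_ADDRCONFIG` are defined with their RFC 3493 values and nothing says how `sudo_getaddrinfo()` treats them. Either document that it returns `EAI_BADFLAGS` for flags it cannot honour, or state that they are accepted and ignored; otherwise a caller compiled against this header can request IPv6-related behaviour and receive an IPv4-only answer with no error to tell it so. A smaller point: `#include <config.h>` inside the header forces every includer to have the configure-time include path set up, while most of the other compat headers in this change leave that to the including .c file.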

83
include/compat/getopt.h Normal file

@ -0,0 +1,83 @@
/* $OpenBSD: getopt.h,v 1.2 2008/06/26 05:42:04 ray Exp $ */
/* $NetBSD: getopt.h,v 1.4 2000/07/07 10:43:54 ad Exp $ */
/* $FreeBSD: head/include/getopt.h 203963 2010-02-16 19:28:10Z imp $ */
/*-
* SPDX-License-Identifier: BSD-2-Clause
*
* Copyright (c) 2000 The NetBSD Foundation, Inc.
* All rights reserved.
*
* This code is derived from software contributed to The NetBSD Foundation
* by Dieter Baron and Thomas Klausner.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
*
* THIS SOFTWARE IS PROVIDED BY THE NETBSD FOUNDATION, INC. AND CONTRIBUTORS
* ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
* TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
* PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE FOUNDATION OR CONTRIBUTORS
* BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
* CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
* SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
* INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
* CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
* ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
* POSSIBILITY OF SUCH DAMAGE.
*/
#ifndef COMPAT_GETOPT_H
#define COMPAT_GETOPT_H
/*
* GNU-like getopt_long()/getopt_long_only() with 4.4BSD optreset extension.
*/
#define no_argument 0
#define required_argument 1
#define optional_argument 2
struct option {
/* name of long option */
const char *name;
/*
* one of no_argument, required_argument, and optional_argument:
* whether option takes an argument
*/
int has_arg;
/* if not NULL, set *flag to val when option found */
int *flag;
/* if flag not NULL, value to set *flag to; else return value */
int val;
};
sudo_dso_public int sudo_getopt_long(int, char * const *, const char *,
const struct option *, int *);
#undef getopt_long
#define getopt_long(_a, _b, _c, _d, _e) \
sudo_getopt_long((_a), (_b), (_c), (_d), (_e))
sudo_dso_public int sudo_getopt_long_only(int, char * const *, const char *,
const struct option *, int *);
#undef getopt_long_only
#define getopt_long_only(_a, _b, _c, _d, _e) \
sudo_getopt_long_only((_a), (_b), (_c), (_d), (_e))
#if 0
sudo_dso_public int sudo_getopt(int, char * const [], const char *);
#undef getopt
#define getopt(_a, _b, _c) sudo_getopt((_a), (_b), (_c))
#endif
extern char *optarg; /* getopt(3) external variables */
extern int opterr;
extern int optind;
extern int optopt;
extern int optreset;
#endif /* !COMPAT_GETOPT_H */
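Review bot: the `#if 0` block around `sudo_getopt()` leaves the plain `getopt()` mapping disabled with no comment explaining why; either remove the dead declarations or note that only `getopt_long()` and `getopt_long_only()` are replaced. This matters for the `extern int optreset;` declaration that follows: `optreset` is a 4.4BSD extension that the system `getopt()` on non-BSD platforms does not honour, so code that restarts parsing by setting `optreset = 1` and `optind = 1` will only work with the sudo replacement functions, not with the system `getopt()` this header leaves in place. A comment saying so would keep callers from relying on it.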

78
include/compat/glob.h Normal file

@ -0,0 +1,78 @@
/*
* SPDX-License-Identifier: BSD-3-Clause
*
* Copyright (c) 1989, 1993
* The Regents of the University of California. All rights reserved.
*
* This code is derived from software contributed to Berkeley by
* Guido van Rossum.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
* 3. Neither the name of the University nor the names of its contributors
* may be used to endorse or promote products derived from this software
* without specific prior written permission.
*
* THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
* ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
*
* @(#)glob.h 8.1 (Berkeley) 6/2/93
*/
#ifndef COMPAT_GLOB_H
#define COMPAT_GLOB_H
struct stat;
typedef struct {
size_t gl_pathc; /* Count of total paths so far. */
size_t gl_matchc; /* Count of paths matching pattern. */
size_t gl_offs; /* Reserved at beginning of gl_pathv. */
int gl_flags; /* Copy of flags parameter to glob. */
char **gl_pathv; /* List of paths matching pattern. */
/* Copy of errfunc parameter to glob. */
int (*gl_errfunc)(const char *, int);
} glob_t;
/* Flags */
#define GLOB_APPEND 0x0001 /* Append to output from previous call. */
#define GLOB_DOOFFS 0x0002 /* Use gl_offs. */
#define GLOB_ERR 0x0004 /* Return on error. */
#define GLOB_MARK 0x0008 /* Append / to matching directories. */
#define GLOB_NOCHECK 0x0010 /* Return pattern itself if nothing matches. */
#define GLOB_NOSORT 0x0020 /* Don't sort. */
#define GLOB_NOESCAPE 0x0040 /* Disable backslash escaping. */
/* Non-POSIX extensions */
#define GLOB_BRACE 0x0080 /* Expand braces ala csh. */
#define GLOB_MAGCHAR 0x0100 /* Pattern had globbing characters. */
#define GLOB_TILDE 0x0200 /* Expand tilde names from the passwd file. */
#define GLOB_LIMIT 0x0400 /* Limit pattern match output to ARG_MAX */
/* Error values returned by glob(3) */
#define GLOB_NOSPACE (-1) /* Malloc call failed. */
#define GLOB_ABORTED (-2) /* Unignored error. */
#define GLOB_NOMATCH (-3) /* No match and GLOB_NOCHECK not set. */
#define GLOB_NOSYS (-4) /* Function not supported. */
sudo_dso_public int sudo_glob(const char * restrict, int, int (*)(const char *, int), glob_t * restrict);
sudo_dso_public void sudo_globfree(glob_t *);
#define glob(_a, _b, _c, _d) sudo_glob((_a), (_b), (_c), (_d))
#define globfree(_a) sudo_globfree((_a))
#endif /* !COMPAT_GLOB_H */
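Review bot: `GLOB_LIMIT` is an opt-in flag ("Limit pattern match output to ARG_MAX"), so the default call shape `glob(pattern, 0, NULL, &gl)` places no bound on the number of matches or on the memory `gl_pathv` can grow to; since the patterns come from configuration and the paths they expand against come from the filesystem, any call site that expands a pattern it does not fully control should pass `GLOB_LIMIT` and check the return value. Worth a sentence in the flag comment. Also, the `sudo_glob` prototype uses `restrict` and `glob_t` uses `size_t` without including `<stddef.h>`; both are fine for C99 toolchains, but the presence of a compat `stdbool.h` in this same change suggests pre-C99 compilers are still supported, so confirm that `restrict` is defined away for them.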

110
include/compat/nss_dbdefs.h Normal file

@ -0,0 +1,110 @@
/*
* SPDX-License-Identifier: ISC
*
* Copyright (c) 2013 Todd C. Miller <Todd.Miller@sudo.ws>
*
* Permission to use, copy, modify, and distribute this software for any
* purpose with or without fee is hereby granted, provided that the above
* copyright notice and this permission notice appear in all copies.
*
* THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
* WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
* MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
* ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
* WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
* ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
* OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
*/
#ifndef COMPAT_NSS_DBDEFS_H
#define COMPAT_NSS_DBDEFS_H
/*
* Bits of nss_dbdefs.h and nss_common.h needed to implement
* getgrouplist(3) using nss_search(3).
*
* HP-UX does not ship those headers so we need this compatibility header.
* It may also work on other systems that use a Solaris-derived nsswitch
* API.
*/
#ifdef NEED_HPUX_MUTEX
# include <synch.h>
#endif
typedef enum {
NSS_SUCCESS,
NSS_NOTFOUND,
NSS_UNAVAIL,
NSS_TRYAGAIN
} nss_status_t;
typedef struct nss_db_params {
const char *name;
const char *config_name;
const char *default_config;
unsigned int max_active_per_src;
unsigned int max_dormant_per_src;
int flags;
void *finders;
void *private;
void (*cleanup)(struct nss_db_params *);
} nss_db_params_t;
struct nss_groupsbymem {
const char *username;
gid_t *gid_array;
int maxgids;
int force_slow_way;
int (*str2ent)(const char *instr, int instr_len, void *ent, char *buffer, int buflen);
nss_status_t (*process_cstr)(const char *instr, int instr_len, struct nss_groupsbymem *);
int numgids;
};
typedef struct {
void *result; /* group struct to fill in. */
char *buffer; /* string buffer for above */
int buflen; /* string buffer size */
} nss_XbyY_buf_t;
struct nss_db_state;
typedef struct {
struct nss_db_state *s;
#ifdef NEED_HPUX_MUTEX
lwp_mutex_t lock;
#endif
} nss_db_root_t;
#ifdef NEED_HPUX_MUTEX
# define NSS_DB_ROOT_INIT { 0, LWP_MUTEX_INITIALIZER }
#else
# define NSS_DB_ROOT_INIT { 0 }
#endif
#define DEFINE_NSS_DB_ROOT(name) nss_db_root_t name = NSS_DB_ROOT_INIT
/* Backend function to find all groups a user belongs to for initgroups(). */
#define NSS_DBOP_GROUP_BYMEMBER 6
/* str2ent function return values */
#define NSS_STR_PARSE_SUCCESS 0
#define NSS_STR_PARSE_PARSE 1
#define NSS_STR_PARSE_ERANGE 2
/* Max length for an /etc/group file line. */
#define NSS_BUFLEN_GROUP 8192
/* HP-UX uses an extra underscore for these functions. */
#ifdef HAVE___NSS_INITF_GROUP
# define _nss_initf_group __nss_initf_group
#endif
#ifdef HAVE___NSS_XBYY_BUF_ALLOC
# define _nss_XbyY_buf_alloc __nss_XbyY_buf_alloc
# define _nss_XbyY_buf_free __nss_XbyY_buf_free
#endif
typedef void (*nss_db_initf_t)(nss_db_params_t *);
extern nss_status_t nss_search(nss_db_root_t *, nss_db_initf_t, int search_fnum, void *search_args);
extern nss_XbyY_buf_t *_nss_XbyY_buf_alloc(int struct_size, int buffer_size);
extern void _nss_XbyY_buf_free(nss_XbyY_buf_t *);
#endif /* COMPAT_NSS_DBDEFS_H */
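Review bot: the struct layouts declared here (`nss_db_params_t`, `struct nss_groupsbymem`, `nss_XbyY_buf_t`, `nss_db_root_t`) are handed to the platform's own `nss_search()` in libc, so they must match the platform's private definitions field for field; a mismatch is not a compile error but an out-of-bounds write inside libc when the backend fills `gid_array` and `numgids` or takes `lock`. The comment says HP-UX and "may also work on other systems that use a Solaris-derived nsswitch API", which is too loose for an ABI contract: record which HP-UX release the layouts were taken from, and gate use of this header on a configure check for that platform rather than on the mere absence of the system headers. Minor: `gid_t` in `struct nss_groupsbymem` comes from `<sys/types.h>`, which this header does not include.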

100
include/compat/sha2.h Normal file

@ -0,0 +1,100 @@
/*
* SPDX-License-Identifier: ISC
*
* Copyright (c) 2013-2015 Todd C. Miller <Todd.Miller@sudo.ws>
*
* Permission to use, copy, modify, and distribute this software for any
* purpose with or without fee is hereby granted, provided that the above
* copyright notice and this permission notice appear in all copies.
*
* THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
* WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
* MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
* ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
* WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
* ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
* OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
*/
/*
* Derived from the public domain SHA-1 and SHA-2 implementations
* by Steve Reid and Wei Dai respectively.
*/
#ifndef COMPAT_SHA2_H
#define COMPAT_SHA2_H
#define SHA224_BLOCK_LENGTH 64
#define SHA224_DIGEST_LENGTH 28
#define SHA224_DIGEST_STRING_LENGTH (SHA224_DIGEST_LENGTH * 2 + 1)
#define SHA256_BLOCK_LENGTH 64
#define SHA256_DIGEST_LENGTH 32
#define SHA256_DIGEST_STRING_LENGTH (SHA256_DIGEST_LENGTH * 2 + 1)
#define SHA384_BLOCK_LENGTH 128
#define SHA384_DIGEST_LENGTH 48
#define SHA384_DIGEST_STRING_LENGTH (SHA384_DIGEST_LENGTH * 2 + 1)
#define SHA512_BLOCK_LENGTH 128
#define SHA512_DIGEST_LENGTH 64
#define SHA512_DIGEST_STRING_LENGTH (SHA512_DIGEST_LENGTH * 2 + 1)
typedef struct {
union {
uint32_t st32[8]; /* sha224 and sha256 */
uint64_t st64[8]; /* sha384 and sha512 */
} state;
uint64_t count[2];
uint8_t buffer[SHA512_BLOCK_LENGTH];
} SHA2_CTX;
sudo_dso_public void sudo_SHA224Init(SHA2_CTX *ctx);
sudo_dso_public void sudo_SHA224Pad(SHA2_CTX *ctx);
sudo_dso_public void sudo_SHA224Transform(uint32_t state[8], const uint8_t buffer[SHA224_BLOCK_LENGTH]);
sudo_dso_public void sudo_SHA224Update(SHA2_CTX *ctx, const uint8_t *data, size_t len);
sudo_dso_public void sudo_SHA224Final(uint8_t digest[SHA224_DIGEST_LENGTH], SHA2_CTX *ctx);
#define SHA224Init sudo_SHA224Init
#define SHA224Pad sudo_SHA224Pad
#define SHA224Transform sudo_SHA224Transform
#define SHA224Update sudo_SHA224Update
#define SHA224Final sudo_SHA224Final
sudo_dso_public void sudo_SHA256Init(SHA2_CTX *ctx);
sudo_dso_public void sudo_SHA256Pad(SHA2_CTX *ctx);
sudo_dso_public void sudo_SHA256Transform(uint32_t state[8], const uint8_t buffer[SHA256_BLOCK_LENGTH]);
sudo_dso_public void sudo_SHA256Update(SHA2_CTX *ctx, const uint8_t *data, size_t len);
sudo_dso_public void sudo_SHA256Final(uint8_t digest[SHA256_DIGEST_LENGTH], SHA2_CTX *ctx);
#define SHA256Init sudo_SHA256Init
#define SHA256Pad sudo_SHA256Pad
#define SHA256Transform sudo_SHA256Transform
#define SHA256Update sudo_SHA256Update
#define SHA256Final sudo_SHA256Final
sudo_dso_public void sudo_SHA384Init(SHA2_CTX *ctx);
sudo_dso_public void sudo_SHA384Pad(SHA2_CTX *ctx);
sudo_dso_public void sudo_SHA384Transform(uint64_t state[8], const uint8_t buffer[SHA384_BLOCK_LENGTH]);
sudo_dso_public void sudo_SHA384Update(SHA2_CTX *ctx, const uint8_t *data, size_t len);
sudo_dso_public void sudo_SHA384Final(uint8_t digest[SHA384_DIGEST_LENGTH], SHA2_CTX *ctx);
#define SHA384Init sudo_SHA384Init
#define SHA384Pad sudo_SHA384Pad
#define SHA384Transform sudo_SHA384Transform
#define SHA384Update sudo_SHA384Update
#define SHA384Final sudo_SHA384Final
sudo_dso_public void sudo_SHA512Init(SHA2_CTX *ctx);
sudo_dso_public void sudo_SHA512Pad(SHA2_CTX *ctx);
sudo_dso_public void sudo_SHA512Transform(uint64_t state[8], const uint8_t buffer[SHA512_BLOCK_LENGTH]);
sudo_dso_public void sudo_SHA512Update(SHA2_CTX *ctx, const uint8_t *data, size_t len);
sudo_dso_public void sudo_SHA512Final(uint8_t digest[SHA512_DIGEST_LENGTH], SHA2_CTX *ctx);
#define SHA512Init sudo_SHA512Init
#define SHA512Pad sudo_SHA512Pad
#define SHA512Transform sudo_SHA512Transform
#define SHA512Update sudo_SHA512Update
#define SHA512Final sudo_SHA512Final
#endif /* COMPAT_SHA2_H */
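Review bot: `SHA2_CTX` and every prototype use `uint8_t`, `uint32_t`, `uint64_t` and `size_t`, but the header includes neither `<stdint.h>` nor `<stddef.h>`, so it only compiles when the including file has pulled those in first; add the includes (or the project's compat equivalents) so the header stands on its own. On the API: `sudo_SHA*Transform` and `sudo_SHA*Pad` are exported with `sudo_dso_public` although they are internal steps of `Update`/`Final`; exporting them is harmless, but the header should state that the supported sequence is `Init`, `Update`, `Final`, since calling `Pad` or `Transform` directly in the wrong order produces a value that is not the SHA-2 digest of the input. Also, the derivation comment mentions the SHA-1 implementation by Steve Reid, but no SHA-1 interface is declared in this file.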

44
include/compat/stdbool.h Normal file

@ -0,0 +1,44 @@
/* $OpenBSD: stdbool.h,v 1.5 2010/07/24 22:17:03 guenther Exp $ */
/*
* Written by Marc Espie, September 25, 1999
* Public domain.
*/
#ifndef COMPAT_STDBOOL_H
#define COMPAT_STDBOOL_H
#ifndef __cplusplus
#if (defined(HAVE__BOOL) && HAVE__BOOL > 0) || defined(lint)
/* Support for _C99: type _Bool is already built-in. */
#define false 0
#define true 1
#else
/* `_Bool' type must promote to `int' or `unsigned int'. */
typedef enum {
false = 0,
true = 1
} _Bool;
/* And those constants must also be available as macros. */
#define false false
#define true true
#endif
/* User visible type `bool' is provided as a macro which may be redefined */
#define bool _Bool
#else /* __cplusplus */
#define _Bool bool
#define bool bool
#define false false
#define true true
#endif /* __cplusplus */
/* Inform that everything is fine */
#define __bool_true_false_are_defined 1
#endif /* COMPAT_STDBOOL_H */
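Review bot: the comment `/* Support for _C99: type _Bool is already built-in. */` has a stray underscore and should read `C99`. In the same `#if`, the `defined(lint)` escape assumes the checker provides a built-in `_Bool`; that holds for the BSD lint this file came from, but the Makefiles in this change drive `cppcheck` and `pvs-studio` rather than lint, so the condition is worth a comment or could be dropped.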

37
include/hostcheck.h Normal file

@ -0,0 +1,37 @@
/*
* Copyright (c) 2020 Laszlo Orban <laszlo.orban@oneidentity.com>
*
* Permission to use, copy, modify, and distribute this software for any
* purpose with or without fee is hereby granted, provided that the above
* copyright notice and this permission notice appear in all copies.
*
* THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
* WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
* MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
* ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
* WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
* ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
* OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
*/
#ifndef SUDO_HOSTCHECK_H
#define SUDO_HOSTCHECK_H
#if defined(HAVE_OPENSSL)
# include <openssl/x509v3.h>
typedef enum {
MatchFound,
MatchNotFound,
NoSANPresent,
MalformedCertificate,
Error
} HostnameValidationResult;
HostnameValidationResult validate_hostname(const X509 *cert,
const char *hostname, const char *ipaddr, int resolve);
#endif /* HAVE_OPENSSL */
#endif /* SUDO_HOSTCHECK_H */
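Review bot: `HostnameValidationResult` has five values but the header does not say which of them a caller may treat as success; only `MatchFound` should be, and `MatchNotFound`, `NoSANPresent`, `MalformedCertificate` and `Error` must all cause the TLS connection to be rejected (fail closed), otherwise a caller that checks only for `MatchNotFound` will accept a certificate with no usable name at all. Add that to the comment on the enum. The `resolve` parameter of `validate_hostname()` also needs documenting: if a non-zero value means the check consults name resolution for `hostname` or `ipaddr`, the result depends on DNS answers that are not authenticated, and callers should know when to pass 0. Minor: this file lacks the `SPDX-License-Identifier` line the other new headers carry.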

369
include/intercept.pb-c.h Normal file

@ -0,0 +1,369 @@
/* Generated by the protocol buffer compiler. DO NOT EDIT! */
/* Generated from: intercept.proto */
#ifndef PROTOBUF_C_intercept_2eproto__INCLUDED
#define PROTOBUF_C_intercept_2eproto__INCLUDED
#include <protobuf-c/protobuf-c.h>
PROTOBUF_C__BEGIN_DECLS
#if PROTOBUF_C_VERSION_NUMBER < 1003000
# error This file was generated by a newer version of protoc-c which is incompatible with your libprotobuf-c headers. Please update your headers.
#elif 1004000 < PROTOBUF_C_MIN_COMPILER_VERSION
# error This file was generated by an older version of protoc-c which is incompatible with your libprotobuf-c headers. Please regenerate this file with a newer version of protoc-c.
#endif
typedef struct InterceptRequest InterceptRequest;
typedef struct InterceptHello InterceptHello;
typedef struct HelloResponse HelloResponse;
typedef struct PolicyCheckRequest PolicyCheckRequest;
typedef struct PolicyAcceptMessage PolicyAcceptMessage;
typedef struct PolicyRejectMessage PolicyRejectMessage;
typedef struct PolicyErrorMessage PolicyErrorMessage;
typedef struct InterceptResponse InterceptResponse;
/* --- enums --- */
/* --- messages --- */
typedef enum {
INTERCEPT_REQUEST__TYPE__NOT_SET = 0,
INTERCEPT_REQUEST__TYPE_POLICY_CHECK_REQ = 1,
INTERCEPT_REQUEST__TYPE_HELLO = 2
PROTOBUF_C__FORCE_ENUM_TO_BE_INT_SIZE(INTERCEPT_REQUEST__TYPE__CASE)
} InterceptRequest__TypeCase;
/*
* Intercept message from sudo_intercept.so. Messages on the
* wire are prefixed with a 32-bit size in network byte order.
*/
struct InterceptRequest
{
ProtobufCMessage base;
InterceptRequest__TypeCase type_case;
union {
PolicyCheckRequest *policy_check_req;
InterceptHello *hello;
} u;
};
#define INTERCEPT_REQUEST__INIT \
{ PROTOBUF_C_MESSAGE_INIT (&intercept_request__descriptor) \
, INTERCEPT_REQUEST__TYPE__NOT_SET, {0} }
/*
* Hello message from sudo_intercept.so to main sudo process.
* Sudo sends back the token and localhost port number.
*/
struct InterceptHello
{
ProtobufCMessage base;
int32_t pid;
};
#define INTERCEPT_HELLO__INIT \
{ PROTOBUF_C_MESSAGE_INIT (&intercept_hello__descriptor) \
, 0 }
/*
* Sudo response to an InterceptHello from sudo_intercept.so.
* The client uses the port number and token to connect back to sudo.
* If log_only is set there is no InterceptResponse to a PolicyCheckRequest.
*/
struct HelloResponse
{
ProtobufCMessage base;
uint64_t token_lo;
uint64_t token_hi;
int32_t portno;
protobuf_c_boolean log_only;
};
#define HELLO_RESPONSE__INIT \
{ PROTOBUF_C_MESSAGE_INIT (&hello_response__descriptor) \
, 0, 0, 0, 0 }
/*
* Policy check request from sudo_intercept.so.
* Note that the plugin API only currently supports passing
* the new environment in to the open() function.
*/
struct PolicyCheckRequest
{
ProtobufCMessage base;
char *command;
char *cwd;
size_t n_argv;
char **argv;
size_t n_envp;
char **envp;
int32_t intercept_fd;
};
#define POLICY_CHECK_REQUEST__INIT \
{ PROTOBUF_C_MESSAGE_INIT (&policy_check_request__descriptor) \
, (char *)protobuf_c_empty_string, (char *)protobuf_c_empty_string, 0,NULL, 0,NULL, 0 }
struct PolicyAcceptMessage
{
ProtobufCMessage base;
char *run_command;
size_t n_run_argv;
char **run_argv;
size_t n_run_envp;
char **run_envp;
};
#define POLICY_ACCEPT_MESSAGE__INIT \
{ PROTOBUF_C_MESSAGE_INIT (&policy_accept_message__descriptor) \
, (char *)protobuf_c_empty_string, 0,NULL, 0,NULL }
struct PolicyRejectMessage
{
ProtobufCMessage base;
char *reject_message;
};
#define POLICY_REJECT_MESSAGE__INIT \
{ PROTOBUF_C_MESSAGE_INIT (&policy_reject_message__descriptor) \
, (char *)protobuf_c_empty_string }
struct PolicyErrorMessage
{
ProtobufCMessage base;
char *error_message;
};
#define POLICY_ERROR_MESSAGE__INIT \
{ PROTOBUF_C_MESSAGE_INIT (&policy_error_message__descriptor) \
, (char *)protobuf_c_empty_string }
typedef enum {
INTERCEPT_RESPONSE__TYPE__NOT_SET = 0,
INTERCEPT_RESPONSE__TYPE_HELLO_RESP = 1,
INTERCEPT_RESPONSE__TYPE_ACCEPT_MSG = 2,
INTERCEPT_RESPONSE__TYPE_REJECT_MSG = 3,
INTERCEPT_RESPONSE__TYPE_ERROR_MSG = 4
PROTOBUF_C__FORCE_ENUM_TO_BE_INT_SIZE(INTERCEPT_RESPONSE__TYPE__CASE)
} InterceptResponse__TypeCase;
/*
* Response sent back to sudo_intercept.so.
*/
struct InterceptResponse
{
ProtobufCMessage base;
InterceptResponse__TypeCase type_case;
union {
HelloResponse *hello_resp;
PolicyAcceptMessage *accept_msg;
PolicyRejectMessage *reject_msg;
PolicyErrorMessage *error_msg;
} u;
};
#define INTERCEPT_RESPONSE__INIT \
{ PROTOBUF_C_MESSAGE_INIT (&intercept_response__descriptor) \
, INTERCEPT_RESPONSE__TYPE__NOT_SET, {0} }
/* InterceptRequest methods */
void intercept_request__init
(InterceptRequest *message);
size_t intercept_request__get_packed_size
(const InterceptRequest *message);
size_t intercept_request__pack
(const InterceptRequest *message,
uint8_t *out);
size_t intercept_request__pack_to_buffer
(const InterceptRequest *message,
ProtobufCBuffer *buffer);
InterceptRequest *
intercept_request__unpack
(ProtobufCAllocator *allocator,
size_t len,
const uint8_t *data);
void intercept_request__free_unpacked
(InterceptRequest *message,
ProtobufCAllocator *allocator);
/* InterceptHello methods */
void intercept_hello__init
(InterceptHello *message);
size_t intercept_hello__get_packed_size
(const InterceptHello *message);
size_t intercept_hello__pack
(const InterceptHello *message,
uint8_t *out);
size_t intercept_hello__pack_to_buffer
(const InterceptHello *message,
ProtobufCBuffer *buffer);
InterceptHello *
intercept_hello__unpack
(ProtobufCAllocator *allocator,
size_t len,
const uint8_t *data);
void intercept_hello__free_unpacked
(InterceptHello *message,
ProtobufCAllocator *allocator);
/* HelloResponse methods */
void hello_response__init
(HelloResponse *message);
size_t hello_response__get_packed_size
(const HelloResponse *message);
size_t hello_response__pack
(const HelloResponse *message,
uint8_t *out);
size_t hello_response__pack_to_buffer
(const HelloResponse *message,
ProtobufCBuffer *buffer);
HelloResponse *
hello_response__unpack
(ProtobufCAllocator *allocator,
size_t len,
const uint8_t *data);
void hello_response__free_unpacked
(HelloResponse *message,
ProtobufCAllocator *allocator);
/* PolicyCheckRequest methods */
void policy_check_request__init
(PolicyCheckRequest *message);
size_t policy_check_request__get_packed_size
(const PolicyCheckRequest *message);
size_t policy_check_request__pack
(const PolicyCheckRequest *message,
uint8_t *out);
size_t policy_check_request__pack_to_buffer
(const PolicyCheckRequest *message,
ProtobufCBuffer *buffer);
PolicyCheckRequest *
policy_check_request__unpack
(ProtobufCAllocator *allocator,
size_t len,
const uint8_t *data);
void policy_check_request__free_unpacked
(PolicyCheckRequest *message,
ProtobufCAllocator *allocator);
/* PolicyAcceptMessage methods */
void policy_accept_message__init
(PolicyAcceptMessage *message);
size_t policy_accept_message__get_packed_size
(const PolicyAcceptMessage *message);
size_t policy_accept_message__pack
(const PolicyAcceptMessage *message,
uint8_t *out);
size_t policy_accept_message__pack_to_buffer
(const PolicyAcceptMessage *message,
ProtobufCBuffer *buffer);
PolicyAcceptMessage *
policy_accept_message__unpack
(ProtobufCAllocator *allocator,
size_t len,
const uint8_t *data);
void policy_accept_message__free_unpacked
(PolicyAcceptMessage *message,
ProtobufCAllocator *allocator);
/* PolicyRejectMessage methods */
void policy_reject_message__init
(PolicyRejectMessage *message);
size_t policy_reject_message__get_packed_size
(const PolicyRejectMessage *message);
size_t policy_reject_message__pack
(const PolicyRejectMessage *message,
uint8_t *out);
size_t policy_reject_message__pack_to_buffer
(const PolicyRejectMessage *message,
ProtobufCBuffer *buffer);
PolicyRejectMessage *
policy_reject_message__unpack
(ProtobufCAllocator *allocator,
size_t len,
const uint8_t *data);
void policy_reject_message__free_unpacked
(PolicyRejectMessage *message,
ProtobufCAllocator *allocator);
/* PolicyErrorMessage methods */
void policy_error_message__init
(PolicyErrorMessage *message);
size_t policy_error_message__get_packed_size
(const PolicyErrorMessage *message);
size_t policy_error_message__pack
(const PolicyErrorMessage *message,
uint8_t *out);
size_t policy_error_message__pack_to_buffer
(const PolicyErrorMessage *message,
ProtobufCBuffer *buffer);
PolicyErrorMessage *
policy_error_message__unpack
(ProtobufCAllocator *allocator,
size_t len,
const uint8_t *data);
void policy_error_message__free_unpacked
(PolicyErrorMessage *message,
ProtobufCAllocator *allocator);
/* InterceptResponse methods */
void intercept_response__init
(InterceptResponse *message);
size_t intercept_response__get_packed_size
(const InterceptResponse *message);
size_t intercept_response__pack
(const InterceptResponse *message,
uint8_t *out);
size_t intercept_response__pack_to_buffer
(const InterceptResponse *message,
ProtobufCBuffer *buffer);
InterceptResponse *
intercept_response__unpack
(ProtobufCAllocator *allocator,
size_t len,
const uint8_t *data);
void intercept_response__free_unpacked
(InterceptResponse *message,
ProtobufCAllocator *allocator);
/* --- per-message closures --- */
typedef void (*InterceptRequest_Closure)
(const InterceptRequest *message,
void *closure_data);
typedef void (*InterceptHello_Closure)
(const InterceptHello *message,
void *closure_data);
typedef void (*HelloResponse_Closure)
(const HelloResponse *message,
void *closure_data);
typedef void (*PolicyCheckRequest_Closure)
(const PolicyCheckRequest *message,
void *closure_data);
typedef void (*PolicyAcceptMessage_Closure)
(const PolicyAcceptMessage *message,
void *closure_data);
typedef void (*PolicyRejectMessage_Closure)
(const PolicyRejectMessage *message,
void *closure_data);
typedef void (*PolicyErrorMessage_Closure)
(const PolicyErrorMessage *message,
void *closure_data);
typedef void (*InterceptResponse_Closure)
(const InterceptResponse *message,
void *closure_data);
/* --- services --- */
/* --- descriptors --- */
extern const ProtobufCMessageDescriptor intercept_request__descriptor;
extern const ProtobufCMessageDescriptor intercept_hello__descriptor;
extern const ProtobufCMessageDescriptor hello_response__descriptor;
extern const ProtobufCMessageDescriptor policy_check_request__descriptor;
extern const ProtobufCMessageDescriptor policy_accept_message__descriptor;
extern const ProtobufCMessageDescriptor policy_reject_message__descriptor;
extern const ProtobufCMessageDescriptor policy_error_message__descriptor;
extern const ProtobufCMessageDescriptor intercept_response__descriptor;
PROTOBUF_C__END_DECLS
#endif /* PROTOBUF_C_intercept_2eproto__INCLUDED */

790
include/log_server.pb-c.h Normal file

@ -0,0 +1,790 @@
/* Generated by the protocol buffer compiler. DO NOT EDIT! */
/* Generated from: log_server.proto */
#ifndef PROTOBUF_C_log_5fserver_2eproto__INCLUDED
#define PROTOBUF_C_log_5fserver_2eproto__INCLUDED
#include <protobuf-c/protobuf-c.h>
PROTOBUF_C__BEGIN_DECLS
#if PROTOBUF_C_VERSION_NUMBER < 1003000
# error This file was generated by a newer version of protoc-c which is incompatible with your libprotobuf-c headers. Please update your headers.
#elif 1004000 < PROTOBUF_C_MIN_COMPILER_VERSION
# error This file was generated by an older version of protoc-c which is incompatible with your libprotobuf-c headers. Please regenerate this file with a newer version of protoc-c.
#endif
typedef struct ClientMessage ClientMessage;
typedef struct TimeSpec TimeSpec;
typedef struct IoBuffer IoBuffer;
typedef struct InfoMessage InfoMessage;
typedef struct InfoMessage__StringList InfoMessage__StringList;
typedef struct InfoMessage__NumberList InfoMessage__NumberList;
typedef struct AcceptMessage AcceptMessage;
typedef struct RejectMessage RejectMessage;
typedef struct ExitMessage ExitMessage;
typedef struct AlertMessage AlertMessage;
typedef struct RestartMessage RestartMessage;
typedef struct ChangeWindowSize ChangeWindowSize;
typedef struct CommandSuspend CommandSuspend;
typedef struct ClientHello ClientHello;
typedef struct ServerMessage ServerMessage;
typedef struct ServerHello ServerHello;
/* --- enums --- */
/* --- messages --- */
typedef enum {
CLIENT_MESSAGE__TYPE__NOT_SET = 0,
CLIENT_MESSAGE__TYPE_ACCEPT_MSG = 1,
CLIENT_MESSAGE__TYPE_REJECT_MSG = 2,
CLIENT_MESSAGE__TYPE_EXIT_MSG = 3,
CLIENT_MESSAGE__TYPE_RESTART_MSG = 4,
CLIENT_MESSAGE__TYPE_ALERT_MSG = 5,
CLIENT_MESSAGE__TYPE_TTYIN_BUF = 6,
CLIENT_MESSAGE__TYPE_TTYOUT_BUF = 7,
CLIENT_MESSAGE__TYPE_STDIN_BUF = 8,
CLIENT_MESSAGE__TYPE_STDOUT_BUF = 9,
CLIENT_MESSAGE__TYPE_STDERR_BUF = 10,
CLIENT_MESSAGE__TYPE_WINSIZE_EVENT = 11,
CLIENT_MESSAGE__TYPE_SUSPEND_EVENT = 12,
CLIENT_MESSAGE__TYPE_HELLO_MSG = 13
PROTOBUF_C__FORCE_ENUM_TO_BE_INT_SIZE(CLIENT_MESSAGE__TYPE__CASE)
} ClientMessage__TypeCase;
/*
* Client message to the server. Messages on the wire are
* prefixed with a 32-bit size in network byte order.
*/
struct ClientMessage
{
ProtobufCMessage base;
ClientMessage__TypeCase type_case;
union {
AcceptMessage *accept_msg;
RejectMessage *reject_msg;
ExitMessage *exit_msg;
RestartMessage *restart_msg;
AlertMessage *alert_msg;
IoBuffer *ttyin_buf;
IoBuffer *ttyout_buf;
IoBuffer *stdin_buf;
IoBuffer *stdout_buf;
IoBuffer *stderr_buf;
ChangeWindowSize *winsize_event;
CommandSuspend *suspend_event;
ClientHello *hello_msg;
} u;
};
#define CLIENT_MESSAGE__INIT \
{ PROTOBUF_C_MESSAGE_INIT (&client_message__descriptor) \
, CLIENT_MESSAGE__TYPE__NOT_SET, {0} }
/*
* Equivalent of POSIX struct timespec
*/
struct TimeSpec
{
ProtobufCMessage base;
/*
* seconds
*/
int64_t tv_sec;
/*
* nanoseconds
*/
int32_t tv_nsec;
};
#define TIME_SPEC__INIT \
{ PROTOBUF_C_MESSAGE_INIT (&time_spec__descriptor) \
, 0, 0 }
/*
* I/O buffer with keystroke data
*/
struct IoBuffer
{
ProtobufCMessage base;
/*
* elapsed time since last record
*/
TimeSpec *delay;
/*
* keystroke data
*/
ProtobufCBinaryData data;
};
#define IO_BUFFER__INIT \
{ PROTOBUF_C_MESSAGE_INIT (&io_buffer__descriptor) \
, NULL, {0,NULL} }
struct InfoMessage__StringList
{
ProtobufCMessage base;
size_t n_strings;
char **strings;
};
#define INFO_MESSAGE__STRING_LIST__INIT \
{ PROTOBUF_C_MESSAGE_INIT (&info_message__string_list__descriptor) \
, 0,NULL }
struct InfoMessage__NumberList
{
ProtobufCMessage base;
size_t n_numbers;
int64_t *numbers;
};
#define INFO_MESSAGE__NUMBER_LIST__INIT \
{ PROTOBUF_C_MESSAGE_INIT (&info_message__number_list__descriptor) \
, 0,NULL }
typedef enum {
INFO_MESSAGE__VALUE__NOT_SET = 0,
INFO_MESSAGE__VALUE_NUMVAL = 2,
INFO_MESSAGE__VALUE_STRVAL = 3,
INFO_MESSAGE__VALUE_STRLISTVAL = 4,
INFO_MESSAGE__VALUE_NUMLISTVAL = 5
PROTOBUF_C__FORCE_ENUM_TO_BE_INT_SIZE(INFO_MESSAGE__VALUE__CASE)
} InfoMessage__ValueCase;
/*
* Key/value pairs, like Privilege Manager struct info.
* The value may be a number, a string, or a list of strings.
*/
struct InfoMessage
{
ProtobufCMessage base;
char *key;
InfoMessage__ValueCase value_case;
union {
int64_t numval;
char *strval;
InfoMessage__StringList *strlistval;
InfoMessage__NumberList *numlistval;
} u;
};
#define INFO_MESSAGE__INIT \
{ PROTOBUF_C_MESSAGE_INIT (&info_message__descriptor) \
, (char *)protobuf_c_empty_string, INFO_MESSAGE__VALUE__NOT_SET, {0} }
/*
* Event log data for command accepted by the policy.
*/
struct AcceptMessage
{
ProtobufCMessage base;
/*
* when command was submitted
*/
TimeSpec *submit_time;
/*
* key,value event log data
*/
size_t n_info_msgs;
InfoMessage **info_msgs;
/*
* true if I/O logging enabled
*/
protobuf_c_boolean expect_iobufs;
};
#define ACCEPT_MESSAGE__INIT \
{ PROTOBUF_C_MESSAGE_INIT (&accept_message__descriptor) \
, NULL, 0,NULL, 0 }
/*
* Event log data for command rejected by the policy.
*/
struct RejectMessage
{
ProtobufCMessage base;
/*
* when command was submitted
*/
TimeSpec *submit_time;
/*
* reason command was rejected
*/
char *reason;
/*
* key,value event log data
*/
size_t n_info_msgs;
InfoMessage **info_msgs;
};
#define REJECT_MESSAGE__INIT \
{ PROTOBUF_C_MESSAGE_INIT (&reject_message__descriptor) \
, NULL, (char *)protobuf_c_empty_string, 0,NULL }
/*
* Might revisit runtime and use end_time instead
*/
struct ExitMessage
{
ProtobufCMessage base;
/*
* total elapsed run time
*/
TimeSpec *run_time;
/*
* 0-255
*/
int32_t exit_value;
/*
* true if command dumped core
*/
protobuf_c_boolean dumped_core;
/*
* signal name if killed by signal
*/
char *signal;
/*
* if killed due to other error
*/
char *error;
};
#define EXIT_MESSAGE__INIT \
{ PROTOBUF_C_MESSAGE_INIT (&exit_message__descriptor) \
, NULL, 0, 0, (char *)protobuf_c_empty_string, (char *)protobuf_c_empty_string }
/*
* Alert message, policy module-specific.
*/
struct AlertMessage
{
ProtobufCMessage base;
/*
* time alert message occurred
*/
TimeSpec *alert_time;
/*
* policy alert error string
*/
char *reason;
/*
* optional key,value event log data
*/
size_t n_info_msgs;
InfoMessage **info_msgs;
};
#define ALERT_MESSAGE__INIT \
{ PROTOBUF_C_MESSAGE_INIT (&alert_message__descriptor) \
, NULL, (char *)protobuf_c_empty_string, 0,NULL }
/*
* Used to restart an existing I/O log on the server.
*/
struct RestartMessage
{
ProtobufCMessage base;
/*
* ID of log being restarted
*/
char *log_id;
/*
* resume point (elapsed time)
*/
TimeSpec *resume_point;
};
#define RESTART_MESSAGE__INIT \
{ PROTOBUF_C_MESSAGE_INIT (&restart_message__descriptor) \
, (char *)protobuf_c_empty_string, NULL }
/*
* Window size change event.
*/
struct ChangeWindowSize
{
ProtobufCMessage base;
/*
* elapsed time since last record
*/
TimeSpec *delay;
/*
* new number of rows
*/
int32_t rows;
/*
* new number of columns
*/
int32_t cols;
};
#define CHANGE_WINDOW_SIZE__INIT \
{ PROTOBUF_C_MESSAGE_INIT (&change_window_size__descriptor) \
, NULL, 0, 0 }
/*
* Command suspend/resume event.
*/
struct CommandSuspend
{
ProtobufCMessage base;
/*
* elapsed time since last record
*/
TimeSpec *delay;
/*
* signal that caused suspend/resume
*/
char *signal;
};
#define COMMAND_SUSPEND__INIT \
{ PROTOBUF_C_MESSAGE_INIT (&command_suspend__descriptor) \
, NULL, (char *)protobuf_c_empty_string }
/*
* Hello message from client when connecting to server.
*/
struct ClientHello
{
ProtobufCMessage base;
/*
* free-form client description
*/
char *client_id;
};
#define CLIENT_HELLO__INIT \
{ PROTOBUF_C_MESSAGE_INIT (&client_hello__descriptor) \
, (char *)protobuf_c_empty_string }
typedef enum {
SERVER_MESSAGE__TYPE__NOT_SET = 0,
SERVER_MESSAGE__TYPE_HELLO = 1,
SERVER_MESSAGE__TYPE_COMMIT_POINT = 2,
SERVER_MESSAGE__TYPE_LOG_ID = 3,
SERVER_MESSAGE__TYPE_ERROR = 4,
SERVER_MESSAGE__TYPE_ABORT = 5
PROTOBUF_C__FORCE_ENUM_TO_BE_INT_SIZE(SERVER_MESSAGE__TYPE__CASE)
} ServerMessage__TypeCase;
/*
* Server messages to the client. Messages on the wire are
* prefixed with a 32-bit size in network byte order.
*/
struct ServerMessage
{
ProtobufCMessage base;
ServerMessage__TypeCase type_case;
union {
/*
* server hello message
*/
ServerHello *hello;
/*
* cumulative time of records stored
*/
TimeSpec *commit_point;
/*
* ID of server-side I/O log
*/
char *log_id;
/*
* error message from server
*/
char *error;
/*
* abort message, kill command
*/
char *abort;
} u;
};
#define SERVER_MESSAGE__INIT \
{ PROTOBUF_C_MESSAGE_INIT (&server_message__descriptor) \
, SERVER_MESSAGE__TYPE__NOT_SET, {0} }
/*
* Hello message from server when client connects.
*/
struct ServerHello
{
ProtobufCMessage base;
/*
* free-form server description
*/
char *server_id;
/*
* optional redirect if busy
*/
char *redirect;
/*
* optional list of known servers
*/
size_t n_servers;
char **servers;
/*
* flag: server supports sub-commands
*/
protobuf_c_boolean subcommands;
};
#define SERVER_HELLO__INIT \
{ PROTOBUF_C_MESSAGE_INIT (&server_hello__descriptor) \
, (char *)protobuf_c_empty_string, (char *)protobuf_c_empty_string, 0,NULL, 0 }
/* ClientMessage methods */
void client_message__init
(ClientMessage *message);
size_t client_message__get_packed_size
(const ClientMessage *message);
size_t client_message__pack
(const ClientMessage *message,
uint8_t *out);
size_t client_message__pack_to_buffer
(const ClientMessage *message,
ProtobufCBuffer *buffer);
ClientMessage *
client_message__unpack
(ProtobufCAllocator *allocator,
size_t len,
const uint8_t *data);
void client_message__free_unpacked
(ClientMessage *message,
ProtobufCAllocator *allocator);
/* TimeSpec methods */
void time_spec__init
(TimeSpec *message);
size_t time_spec__get_packed_size
(const TimeSpec *message);
size_t time_spec__pack
(const TimeSpec *message,
uint8_t *out);
size_t time_spec__pack_to_buffer
(const TimeSpec *message,
ProtobufCBuffer *buffer);
TimeSpec *
time_spec__unpack
(ProtobufCAllocator *allocator,
size_t len,
const uint8_t *data);
void time_spec__free_unpacked
(TimeSpec *message,
ProtobufCAllocator *allocator);
/* IoBuffer methods */
void io_buffer__init
(IoBuffer *message);
size_t io_buffer__get_packed_size
(const IoBuffer *message);
size_t io_buffer__pack
(const IoBuffer *message,
uint8_t *out);
size_t io_buffer__pack_to_buffer
(const IoBuffer *message,
ProtobufCBuffer *buffer);
IoBuffer *
io_buffer__unpack
(ProtobufCAllocator *allocator,
size_t len,
const uint8_t *data);
void io_buffer__free_unpacked
(IoBuffer *message,
ProtobufCAllocator *allocator);
/* InfoMessage__StringList methods */
void info_message__string_list__init
(InfoMessage__StringList *message);
/* InfoMessage__NumberList methods */
void info_message__number_list__init
(InfoMessage__NumberList *message);
/* InfoMessage methods */
void info_message__init
(InfoMessage *message);
size_t info_message__get_packed_size
(const InfoMessage *message);
size_t info_message__pack
(const InfoMessage *message,
uint8_t *out);
size_t info_message__pack_to_buffer
(const InfoMessage *message,
ProtobufCBuffer *buffer);
InfoMessage *
info_message__unpack
(ProtobufCAllocator *allocator,
size_t len,
const uint8_t *data);
void info_message__free_unpacked
(InfoMessage *message,
ProtobufCAllocator *allocator);
/* AcceptMessage methods */
void accept_message__init
(AcceptMessage *message);
size_t accept_message__get_packed_size
(const AcceptMessage *message);
size_t accept_message__pack
(const AcceptMessage *message,
uint8_t *out);
size_t accept_message__pack_to_buffer
(const AcceptMessage *message,
ProtobufCBuffer *buffer);
AcceptMessage *
accept_message__unpack
(ProtobufCAllocator *allocator,
size_t len,
const uint8_t *data);
void accept_message__free_unpacked
(AcceptMessage *message,
ProtobufCAllocator *allocator);
/* RejectMessage methods */
void reject_message__init
(RejectMessage *message);
size_t reject_message__get_packed_size
(const RejectMessage *message);
size_t reject_message__pack
(const RejectMessage *message,
uint8_t *out);
size_t reject_message__pack_to_buffer
(const RejectMessage *message,
ProtobufCBuffer *buffer);
RejectMessage *
reject_message__unpack
(ProtobufCAllocator *allocator,
size_t len,
const uint8_t *data);
void reject_message__free_unpacked
(RejectMessage *message,
ProtobufCAllocator *allocator);
/* ExitMessage methods */
void exit_message__init
(ExitMessage *message);
size_t exit_message__get_packed_size
(const ExitMessage *message);
size_t exit_message__pack
(const ExitMessage *message,
uint8_t *out);
size_t exit_message__pack_to_buffer
(const ExitMessage *message,
ProtobufCBuffer *buffer);
ExitMessage *
exit_message__unpack
(ProtobufCAllocator *allocator,
size_t len,
const uint8_t *data);
void exit_message__free_unpacked
(ExitMessage *message,
ProtobufCAllocator *allocator);
/* AlertMessage methods */
void alert_message__init
(AlertMessage *message);
size_t alert_message__get_packed_size
(const AlertMessage *message);
size_t alert_message__pack
(const AlertMessage *message,
uint8_t *out);
size_t alert_message__pack_to_buffer
(const AlertMessage *message,
ProtobufCBuffer *buffer);
AlertMessage *
alert_message__unpack
(ProtobufCAllocator *allocator,
size_t len,
const uint8_t *data);
void alert_message__free_unpacked
(AlertMessage *message,
ProtobufCAllocator *allocator);
/* RestartMessage methods */
void restart_message__init
(RestartMessage *message);
size_t restart_message__get_packed_size
(const RestartMessage *message);
size_t restart_message__pack
(const RestartMessage *message,
uint8_t *out);
size_t restart_message__pack_to_buffer
(const RestartMessage *message,
ProtobufCBuffer *buffer);
RestartMessage *
restart_message__unpack
(ProtobufCAllocator *allocator,
size_t len,
const uint8_t *data);
void restart_message__free_unpacked
(RestartMessage *message,
ProtobufCAllocator *allocator);
/* ChangeWindowSize methods */
void change_window_size__init
(ChangeWindowSize *message);
size_t change_window_size__get_packed_size
(const ChangeWindowSize *message);
size_t change_window_size__pack
(const ChangeWindowSize *message,
uint8_t *out);
size_t change_window_size__pack_to_buffer
(const ChangeWindowSize *message,
ProtobufCBuffer *buffer);
ChangeWindowSize *
change_window_size__unpack
(ProtobufCAllocator *allocator,
size_t len,
const uint8_t *data);
void change_window_size__free_unpacked
(ChangeWindowSize *message,
ProtobufCAllocator *allocator);
/* CommandSuspend methods */
void command_suspend__init
(CommandSuspend *message);
size_t command_suspend__get_packed_size
(const CommandSuspend *message);
size_t command_suspend__pack
(const CommandSuspend *message,
uint8_t *out);
size_t command_suspend__pack_to_buffer
(const CommandSuspend *message,
ProtobufCBuffer *buffer);
CommandSuspend *
command_suspend__unpack
(ProtobufCAllocator *allocator,
size_t len,
const uint8_t *data);
void command_suspend__free_unpacked
(CommandSuspend *message,
ProtobufCAllocator *allocator);
/* ClientHello methods */
void client_hello__init
(ClientHello *message);
size_t client_hello__get_packed_size
(const ClientHello *message);
size_t client_hello__pack
(const ClientHello *message,
uint8_t *out);
size_t client_hello__pack_to_buffer
(const ClientHello *message,
ProtobufCBuffer *buffer);
ClientHello *
client_hello__unpack
(ProtobufCAllocator *allocator,
size_t len,
const uint8_t *data);
void client_hello__free_unpacked
(ClientHello *message,
ProtobufCAllocator *allocator);
/* ServerMessage methods */
void server_message__init
(ServerMessage *message);
size_t server_message__get_packed_size
(const ServerMessage *message);
size_t server_message__pack
(const ServerMessage *message,
uint8_t *out);
size_t server_message__pack_to_buffer
(const ServerMessage *message,
ProtobufCBuffer *buffer);
ServerMessage *
server_message__unpack
(ProtobufCAllocator *allocator,
size_t len,
const uint8_t *data);
void server_message__free_unpacked
(ServerMessage *message,
ProtobufCAllocator *allocator);
/* ServerHello methods */
void server_hello__init
(ServerHello *message);
size_t server_hello__get_packed_size
(const ServerHello *message);
size_t server_hello__pack
(const ServerHello *message,
uint8_t *out);
size_t server_hello__pack_to_buffer
(const ServerHello *message,
ProtobufCBuffer *buffer);
ServerHello *
server_hello__unpack
(ProtobufCAllocator *allocator,
size_t len,
const uint8_t *data);
void server_hello__free_unpacked
(ServerHello *message,
ProtobufCAllocator *allocator);
/* --- per-message closures --- */
typedef void (*ClientMessage_Closure)
(const ClientMessage *message,
void *closure_data);
typedef void (*TimeSpec_Closure)
(const TimeSpec *message,
void *closure_data);
typedef void (*IoBuffer_Closure)
(const IoBuffer *message,
void *closure_data);
typedef void (*InfoMessage__StringList_Closure)
(const InfoMessage__StringList *message,
void *closure_data);
typedef void (*InfoMessage__NumberList_Closure)
(const InfoMessage__NumberList *message,
void *closure_data);
typedef void (*InfoMessage_Closure)
(const InfoMessage *message,
void *closure_data);
typedef void (*AcceptMessage_Closure)
(const AcceptMessage *message,
void *closure_data);
typedef void (*RejectMessage_Closure)
(const RejectMessage *message,
void *closure_data);
typedef void (*ExitMessage_Closure)
(const ExitMessage *message,
void *closure_data);
typedef void (*AlertMessage_Closure)
(const AlertMessage *message,
void *closure_data);
typedef void (*RestartMessage_Closure)
(const RestartMessage *message,
void *closure_data);
typedef void (*ChangeWindowSize_Closure)
(const ChangeWindowSize *message,
void *closure_data);
typedef void (*CommandSuspend_Closure)
(const CommandSuspend *message,
void *closure_data);
typedef void (*ClientHello_Closure)
(const ClientHello *message,
void *closure_data);
typedef void (*ServerMessage_Closure)
(const ServerMessage *message,
void *closure_data);
typedef void (*ServerHello_Closure)
(const ServerHello *message,
void *closure_data);
/* --- services --- */
/* --- descriptors --- */
extern const ProtobufCMessageDescriptor client_message__descriptor;
extern const ProtobufCMessageDescriptor time_spec__descriptor;
extern const ProtobufCMessageDescriptor io_buffer__descriptor;
extern const ProtobufCMessageDescriptor info_message__descriptor;
extern const ProtobufCMessageDescriptor info_message__string_list__descriptor;
extern const ProtobufCMessageDescriptor info_message__number_list__descriptor;
extern const ProtobufCMessageDescriptor accept_message__descriptor;
extern const ProtobufCMessageDescriptor reject_message__descriptor;
extern const ProtobufCMessageDescriptor exit_message__descriptor;
extern const ProtobufCMessageDescriptor alert_message__descriptor;
extern const ProtobufCMessageDescriptor restart_message__descriptor;
extern const ProtobufCMessageDescriptor change_window_size__descriptor;
extern const ProtobufCMessageDescriptor command_suspend__descriptor;
extern const ProtobufCMessageDescriptor client_hello__descriptor;
extern const ProtobufCMessageDescriptor server_message__descriptor;
extern const ProtobufCMessageDescriptor server_hello__descriptor;
PROTOBUF_C__END_DECLS
#endif /* PROTOBUF_C_log_5fserver_2eproto__INCLUDED */
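Review bot: The InfoMessage doc comment in this hunk ("The value may be a number, a string, or a list of strings.") is stale relative to the union that follows it, which also carries `InfoMessage__NumberList *numlistval` and the `INFO_MESSAGE__VALUE_NUMLISTVAL` case, so the comment should mention a list of numbers as well; because this header is generated ("DO NOT EDIT"), the wording needs to be fixed in log_server.proto rather than here. Separately, the ClientMessage and ServerMessage comments document the wire framing as a 32-bit length prefix in network byte order: that prefix arrives from the peer, so the code that reads it and calls `client_message__unpack` / `server_message__unpack` (not part of this hunk) should enforce an upper bound on the length before allocating or reading the message body, and the `#if PROTOBUF_C_VERSION_NUMBER < 1003000` guard means builds against libprotobuf-c older than 1.3.0 will fail at compile time, which is worth stating in the build documentation.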

File diff suppressed because it is too large

569
include/sudo_compat.h Normal file

@ -0,0 +1,569 @@
/*
* SPDX-License-Identifier: ISC
*
* Copyright (c) 1996, 1998-2005, 2008, 2009-2023
* Todd C. Miller <Todd.Miller@sudo.ws>
*
* Permission to use, copy, modify, and distribute this software for any
* purpose with or without fee is hereby granted, provided that the above
* copyright notice and this permission notice appear in all copies.
*
* THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
* WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
* MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
* ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
* WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
* ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
* OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
*
* Sponsored in part by the Defense Advanced Research Projects
* Agency (DARPA) and Air Force Research Laboratory, Air Force
* Materiel Command, USAF, under agreement number F39502-99-1-0512.
*/
#ifndef SUDO_COMPAT_H
#define SUDO_COMPAT_H
#include <sys/types.h> /* for gid_t, mode_t, size_t, ssize_t, time_t, uid_t */
#include <sys/stat.h> /* to avoid problems with mismatched headers and libc */
#include <unistd.h> /* to avoid problems with mismatched headers and libc */
#include <stdio.h>
#if !defined(HAVE_UTIMENSAT) || !defined(HAVE_FUTIMENS)
# include <time.h>
#endif
#if !defined(HAVE_VSNPRINTF) || !defined(HAVE_VASPRINTF) || \
!defined(HAVE_VSYSLOG) || defined(PREFER_PORTABLE_SNPRINTF)
# include <stdarg.h>
#endif
/*
* Macros and functions that may be missing on some operating systems.
*/
/*
* Given the pointer x to the member m of the struct s, return
* a pointer to the containing structure.
*/
#ifndef __containerof
# define __containerof(x, s, m) ((s *)((char *)(x) - offsetof(s, m)))
#endif
/*
* Pre-C99 compilers may lack a va_copy macro.
*/
#ifndef HAVE_VA_COPY
# ifdef HAVE___VA_COPY
# define va_copy(d, s) __va_copy(d, s)
# else
# define va_copy(d, s) memcpy(&(d), &(s), sizeof(d));
# endif
#endif
/*
* Some systems lack full limit definitions.
*/
#if defined(HAVE_DECL_LLONG_MAX) && !HAVE_DECL_LLONG_MAX
# if defined(HAVE_DECL_QUAD_MAX) && HAVE_DECL_QUAD_MAX
# define LLONG_MAX QUAD_MAX
# else
# define LLONG_MAX 0x7fffffffffffffffLL
# endif
#endif
#if defined(HAVE_DECL_LLONG_MIN) && !HAVE_DECL_LLONG_MIN
# if defined(HAVE_DECL_QUAD_MIN) && HAVE_DECL_QUAD_MIN
# define LLONG_MIN QUAD_MIN
# else
# define LLONG_MIN (-0x7fffffffffffffffLL-1)
# endif
#endif
#if defined(HAVE_DECL_ULLONG_MAX) && !HAVE_DECL_ULLONG_MAX
# if defined(HAVE_DECL_UQUAD_MAX) && HAVE_DECL_UQUAD_MAX
# define ULLONG_MAX UQUAD_MAX
# else
# define ULLONG_MAX 0xffffffffffffffffULL
# endif
#endif
#if defined(HAVE_DECL_SIZE_MAX) && !HAVE_DECL_SIZE_MAX
# if defined(HAVE_DECL_SIZE_T_MAX) && HAVE_DECL_SIZE_T_MAX
# define SIZE_MAX SIZE_T_MAX
# else
# define SIZE_MAX ULONG_MAX
# endif
#endif
#if defined(HAVE_DECL_SSIZE_MAX) && !HAVE_DECL_SSIZE_MAX
# define SSIZE_MAX LONG_MAX
#endif
#if defined(HAVE_DECL_PATH_MAX) && !HAVE_DECL_PATH_MAX
# if defined(HAVE_DECL__POSIX_PATH_MAX) && HAVE_DECL__POSIX_PATH_MAX
# define PATH_MAX _POSIX_PATH_MAX
# else
# define PATH_MAX 256
# endif
#endif
/* ACCESSPERMS and ALLPERMS are handy BSDisms. */
#ifndef ACCESSPERMS
# define ACCESSPERMS 00777
#endif /* ACCESSPERMS */
#ifndef ALLPERMS
# define ALLPERMS 07777
#endif /* ALLPERMS */
/* For futimens() and utimensat() emulation. */
#if !defined(HAVE_FUTIMENS) && !defined(HAVE_UTIMENSAT)
# ifndef UTIME_OMIT
# define UTIME_OMIT -1L
# endif
# ifndef UTIME_NOW
# define UTIME_NOW -2L
# endif
#endif
#if !defined(HAVE_OPENAT) || (!defined(HAVE_FUTIMENS) && !defined(HAVE_UTIMENSAT)) || !defined(HAVE_FCHMODAT) || !defined(HAVE_FSTATAT) || !defined(HAVE_UNLINKAT)
# ifndef AT_FDCWD
# define AT_FDCWD -100
# endif
# ifndef AT_SYMLINK_NOFOLLOW
# define AT_SYMLINK_NOFOLLOW 0x02
# endif
#endif
/* For dup3() and pipe2() emulation. */
#if (!defined(HAVE_PIPE2) || !defined(HAVE_DUP3)) && defined(O_NONBLOCK)
# if !defined(O_CLOEXEC) || O_CLOEXEC > 0xffffffff
# undef O_CLOEXEC
# define O_CLOEXEC 0x80000000
# endif
#endif
/*
* BSD defines these in <sys/param.h> but we don't include that anymore.
*/
#ifndef MIN
# define MIN(a,b) (((a)<(b))?(a):(b))
#endif
#ifndef MAX
# define MAX(a,b) (((a)>(b))?(a):(b))
#endif
/* Macros to set/clear/test flags. */
#undef SET
#define SET(t, f) ((t) |= (f))
#undef CLR
#define CLR(t, f) ((t) &= ~(f))
#undef ISSET
#define ISSET(t, f) ((t) & (f))
/*
* Some systems define this in <sys/param.h> but we don't include that anymore.
*/
#ifndef howmany
# define howmany(x, y) (((x) + ((y) - 1)) / (y))
#endif
/*
* Simple isblank() macro and function for systems without it.
*/
#ifndef HAVE_ISBLANK
sudo_dso_public int isblank(int);
# define isblank(_x) ((_x) == ' ' || (_x) == '\t')
#endif
/*
* NCR's SVr4 has _innetgr(3) instead of innetgr(3) for some reason.
*/
#ifdef HAVE__INNETGR
# define innetgr(n, h, u, d) (_innetgr(n, h, u, d))
# define HAVE_INNETGR 1
#endif /* HAVE__INNETGR */
/*
* The nitems macro may be defined in sys/param.h
*/
#ifndef nitems
# define nitems(_a) (sizeof((_a)) / sizeof((_a)[0]))
#endif
/*
* If dirfd() does not exists, hopefully dd_fd does.
*/
#if !defined(HAVE_DIRFD) && defined(HAVE_DD_FD)
# define dirfd(_d) ((_d)->dd_fd)
# define HAVE_DIRFD
#endif
#if !defined(HAVE_KILLPG) && !defined(killpg)
# define killpg(p, s) kill(-(p), (s))
#endif
/*
* Declare errno if errno.h doesn't do it for us.
*/
#if defined(HAVE_DECL_ERRNO) && !HAVE_DECL_ERRNO
extern int errno;
#endif /* !HAVE_DECL_ERRNO */
/* Not all systems define NSIG in signal.h */
#if defined(HAVE_DECL_NSIG) && !HAVE_DECL_NSIG
# if defined(HAVE_DECL__NSIG) && HAVE_DECL__NSIG
# define NSIG _NSIG
# elif defined(HAVE_DECL___NSIG) && HAVE_DECL___NSIG
# define NSIG __NSIG
# else
# define NSIG 64
# endif
#endif
/* For sig2str() */
#if !defined(HAVE_DECL_SIG2STR_MAX) || !HAVE_DECL_SIG2STR_MAX
# define SIG2STR_MAX 32
#endif
/* WCOREDUMP is not POSIX, this usually works (verified on AIX). */
#ifndef WCOREDUMP
# define WCOREDUMP(x) ((x) & 0x80)
#endif
/* W_EXITCODE is not POSIX but the encoding of wait status is. */
#ifndef W_EXITCODE
# define W_EXITCODE(ret, sig) ((ret) << 8 | (sig))
#endif
/* Number of bits in a byte. */
#ifndef NBBY
# ifdef __NBBY
# define NBBY __NBBY
# else
# define NBBY 8
# endif
#endif
#ifndef HAVE_SETEUID
# if defined(HAVE_SETRESUID)
# define seteuid(u) setresuid(-1, (u), -1)
# define setegid(g) setresgid(-1, (g), -1)
# define HAVE_SETEUID 1
# elif defined(HAVE_SETREUID)
# define seteuid(u) setreuid(-1, (u))
# define setegid(g) setregid(-1, (g))
# define HAVE_SETEUID 1
# endif
#endif /* HAVE_SETEUID */
/*
* Older HP-UX does not declare setresuid() or setresgid().
*/
#if defined(HAVE_DECL_SETRESUID) && !HAVE_DECL_SETRESUID
int setresuid(uid_t, uid_t, uid_t);
int setresgid(gid_t, gid_t, gid_t);
#endif
#if defined(HAVE_DECL_GETRESUID) && !HAVE_DECL_GETRESUID
int getresuid(uid_t *, uid_t *, uid_t *);
int getresgid(gid_t *, gid_t *, gid_t *);
#endif
/*
* HP-UX does not declare innetgr() or getdomainname().
* Solaris does not declare getdomainname().
*/
#if defined(HAVE_DECL_INNETGR) && !HAVE_DECL_INNETGR
int innetgr(const char *, const char *, const char *, const char *);
#endif
#if defined(HAVE_DECL__INNETGR) && !HAVE_DECL__INNETGR
int _innetgr(const char *, const char *, const char *, const char *);
#endif
#if defined(HAVE_DECL_GETDOMAINNAME) && !HAVE_DECL_GETDOMAINNAME
int getdomainname(char *, size_t);
#endif
/*
* HP-UX 11.00 has broken pread/pwrite on 32-bit machines when
* _FILE_OFFSET_BITS == 64. Use pread64/pwrite64 instead.
*/
#if defined(__hpux) && !defined(__LP64__)
# ifdef HAVE_PREAD64
# undef pread
# define pread(_a, _b, _c, _d) pread64((_a), (_b), (_c), (_d))
# if defined(HAVE_DECL_PREAD64) && !HAVE_DECL_PREAD64
ssize_t pread64(int fd, void *buf, size_t nbytes, off64_t offset);
# endif
# endif
# ifdef HAVE_PWRITE64
# undef pwrite
# define pwrite(_a, _b, _c, _d) pwrite64((_a), (_b), (_c), (_d))
# if defined(HAVE_DECL_PWRITE64) && !HAVE_DECL_PWRITE64
ssize_t pwrite64(int fd, const void *buf, size_t nbytes, off64_t offset);
# endif
# endif
#endif /* __hpux && !__LP64__ */
/*
* Older systems may lack fseeko(3), just use fseek(3) instead.
*/
#ifndef HAVE_FSEEKO
# define fseeko(f, o, w) fseek((f), (long)(o), (w))
#endif
/*
* Functions "missing" from libc.
* All libc replacements are prefixed with "sudo_" to avoid namespace issues.
*/
struct passwd;
struct stat;
struct timespec;
struct termios;
struct tm;
#ifndef HAVE_CFMAKERAW
sudo_dso_public void sudo_cfmakeraw(struct termios *term);
# undef cfmakeraw
# define cfmakeraw(_a) sudo_cfmakeraw((_a))
#endif /* HAVE_CFMAKERAW */
#ifndef HAVE_CLOSEFROM
sudo_dso_public void sudo_closefrom(int);
# undef closefrom
# define closefrom(_a) sudo_closefrom((_a))
#endif /* HAVE_CLOSEFROM */
#ifndef HAVE_EXPLICIT_BZERO
sudo_dso_public void sudo_explicit_bzero(void *s, size_t n);
# undef explicit_bzero
# define explicit_bzero(_a, _b) sudo_explicit_bzero((_a), (_b))
#endif /* HAVE_EXPLICIT_BZERO */
#ifndef HAVE_FREEZERO
sudo_dso_public void sudo_freezero(void *p, size_t n);
# undef freezero
# define freezero(_a, _b) sudo_freezero((_a), (_b))
#endif /* HAVE_FREEZERO */
#ifndef HAVE_GETGROUPLIST
sudo_dso_public int sudo_getgrouplist(const char *name, GETGROUPS_T basegid, GETGROUPS_T *groups, int *ngroupsp);
# undef getgrouplist
# define getgrouplist(_a, _b, _c, _d) sudo_getgrouplist((_a), (_b), (_c), (_d))
#endif /* GETGROUPLIST */
#if !defined(HAVE_GETDELIM)
sudo_dso_public ssize_t sudo_getdelim(char ** restrict bufp, size_t * restrict bufsizep, int delim, FILE * restrict fp);
# undef getdelim
# define getdelim(_a, _b, _c, _d) sudo_getdelim((_a), (_b), (_c), (_d))
#elif defined(HAVE_DECL_GETDELIM) && !HAVE_DECL_GETDELIM
/* getdelim present in libc but missing prototype (old gcc fixed includes?) */
ssize_t getdelim(char ** restrict bufp, size_t * restrict bufsizep, int delim, FILE * restrict fp);
#endif /* HAVE_GETDELIM */
#ifndef HAVE_GETUSERSHELL
sudo_dso_public char *sudo_getusershell(void);
# undef getusershell
# define getusershell() sudo_getusershell()
sudo_dso_public void sudo_setusershell(void);
# undef setusershell
# define setusershell() sudo_setusershell()
sudo_dso_public void sudo_endusershell(void);
# undef endusershell
# define endusershell() sudo_endusershell()
#elif HAVE_DECL_GETUSERSHELL == 0
/* Older Solaris has getusershell() et al but does not declare it. */
char *getusershell(void);
void setusershell(void);
void endusershell(void);
#endif /* HAVE_GETUSERSHELL */
#ifndef HAVE_GMTIME_R
sudo_dso_public struct tm *sudo_gmtime_r(const time_t * restrict, struct tm * restrict);
# undef gmtime_r
# define gmtime_r(_a, _b) sudo_gmtime_r((_a), (_b))
#endif /* HAVE_GMTIME_R */
#ifndef HAVE_LOCALTIME_R
sudo_dso_public struct tm *sudo_localtime_r(const time_t * restrict, struct tm * restrict);
# undef localtime_r
# define localtime_r(_a, _b) sudo_localtime_r((_a), (_b))
#endif /* HAVE_LOCALTIME_R */
#ifndef HAVE_TIMEGM
sudo_dso_public time_t sudo_timegm(struct tm *);
#endif /* HAVE_TIMEGM */
#ifndef HAVE_UTIMENSAT
sudo_dso_public int sudo_utimensat(int fd, const char *file, const struct timespec times[2], int flag);
# undef utimensat
# define utimensat(_a, _b, _c, _d) sudo_utimensat((_a), (_b), (_c), (_d))
#endif /* HAVE_UTIMENSAT */
#ifndef HAVE_FCHMODAT
sudo_dso_public int sudo_fchmodat(int dfd, const char *path, mode_t mode, int flag);
# undef fchmodat
# define fchmodat(_a, _b, _c, _d) sudo_fchmodat((_a), (_b), (_c), (_d))
#endif /* HAVE_FCHMODAT */
#ifndef HAVE_FSTATAT
sudo_dso_public int sudo_fstatat(int dfd, const char * restrict path, struct stat * restrict sb, int flag);
# undef fstatat
# define fstatat(_a, _b, _c, _d) sudo_fstatat((_a), (_b), (_c), (_d))
#endif /* HAVE_FSTATAT */
#ifndef HAVE_FUTIMENS
sudo_dso_public int sudo_futimens(int fd, const struct timespec times[2]);
# undef futimens
# define futimens(_a, _b) sudo_futimens((_a), (_b))
#endif /* HAVE_FUTIMENS */
#if !defined(HAVE_SNPRINTF) || defined(PREFER_PORTABLE_SNPRINTF)
sudo_dso_public int sudo_snprintf(char * restrict str, size_t n, char const * restrict fmt, ...) sudo_printflike(3, 4);
# undef snprintf
# define snprintf sudo_snprintf
#endif /* HAVE_SNPRINTF */
#if !defined(HAVE_VSNPRINTF) || defined(PREFER_PORTABLE_SNPRINTF)
sudo_dso_public int sudo_vsnprintf(char * restrict str, size_t n, const char * restrict fmt, va_list ap) sudo_printflike(3, 0);
# undef vsnprintf
# define vsnprintf sudo_vsnprintf
#endif /* HAVE_VSNPRINTF */
#if !defined(HAVE_ASPRINTF) || defined(PREFER_PORTABLE_SNPRINTF)
sudo_dso_public int sudo_asprintf(char ** restrict str, char const * restrict fmt, ...) sudo_printflike(2, 3);
# undef asprintf
# define asprintf sudo_asprintf
#endif /* HAVE_ASPRINTF */
#if !defined(HAVE_VASPRINTF) || defined(PREFER_PORTABLE_SNPRINTF)
sudo_dso_public int sudo_vasprintf(char ** restrict str, const char * restrict fmt, va_list ap) sudo_printflike(2, 0);
# undef vasprintf
# define vasprintf sudo_vasprintf
#endif /* HAVE_VASPRINTF */
#ifndef HAVE_STRLCAT
sudo_dso_public size_t sudo_strlcat(char * restrict dst, const char * restrict src, size_t siz);
# undef strlcat
# define strlcat(_a, _b, _c) sudo_strlcat((_a), (_b), (_c))
#endif /* HAVE_STRLCAT */
#ifndef HAVE_STRLCPY
sudo_dso_public size_t sudo_strlcpy(char * restrict dst, const char * restrict src, size_t siz);
# undef strlcpy
# define strlcpy(_a, _b, _c) sudo_strlcpy((_a), (_b), (_c))
#endif /* HAVE_STRLCPY */
#ifndef HAVE_STRNDUP
sudo_dso_public char *sudo_strndup(const char *str, size_t maxlen);
# undef strndup
# define strndup(_a, _b) sudo_strndup((_a), (_b))
#endif /* HAVE_STRNDUP */
#ifndef HAVE_STRNLEN
sudo_dso_public size_t sudo_strnlen(const char *str, size_t maxlen);
# undef strnlen
# define strnlen(_a, _b) sudo_strnlen((_a), (_b))
#endif /* HAVE_STRNLEN */
#ifndef HAVE_FCHOWNAT
sudo_dso_public int sudo_fchownat(int dfd, const char *path, uid_t uid, gid_t gid, int flag);
# undef fchownat
# define fchownat(_a, _b, _c, _d, _e) sudo_fchownat((_a), (_b), (_c), (_d), (_e))
#endif /* HAVE_FCHOWNAT */
#ifndef HAVE_MEMRCHR
sudo_dso_public void *sudo_memrchr(const void *s, int c, size_t n);
# undef memrchr
# define memrchr(_a, _b, _c) sudo_memrchr((_a), (_b), (_c))
#endif /* HAVE_MEMRCHR */
#ifndef HAVE_MKDIRAT
sudo_dso_public int sudo_mkdirat(int dfd, const char *path, mode_t mode);
# undef mkdirat
# define mkdirat(_a, _b, _c) sudo_mkdirat((_a), (_b), (_c))
#endif /* HAVE_MKDIRAT */
#if !defined(HAVE_MKDTEMPAT) || !defined(HAVE_MKOSTEMPSAT)
# if defined(HAVE_MKDTEMPAT_NP) && defined(HAVE_MKOSTEMPSAT_NP)
# undef mkdtempat
# define mkdtempat mkdtempat_np
# undef mkostempsat
# define mkostempsat mkostempsat_np
# else
sudo_dso_public char *sudo_mkdtemp(char *path);
# undef mkdtemp
# define mkdtemp(_a) sudo_mkdtemp((_a))
sudo_dso_public char *sudo_mkdtempat(int dfd, char *path);
# undef mkdtempat
# define mkdtempat(_a, _b) sudo_mkdtempat((_a), (_b))
sudo_dso_public int sudo_mkostempsat(int dfd, char *path, int slen, int flags);
# undef mkostempsat
# define mkostempsat(_a, _b, _c, _d) sudo_mkostempsat((_a), (_b), (_c), (_d))
sudo_dso_public int sudo_mkstemp(char *path);
# undef mkstemp
# define mkstemp(_a) sudo_mkstemp((_a))
sudo_dso_public int sudo_mkstemps(char *path, int slen);
# undef mkstemps
# define mkstemps(_a, _b) sudo_mkstemps((_a), (_b))
# endif /* HAVE_MKDTEMPAT_NP || HAVE_MKOSTEMPSAT_NP */
#endif /* !HAVE_MKDTEMPAT || !HAVE_MKOSTEMPSAT */
#ifndef HAVE_NANOSLEEP
sudo_dso_public int sudo_nanosleep(const struct timespec *timeout, struct timespec *remainder);
#undef nanosleep
# define nanosleep(_a, _b) sudo_nanosleep((_a), (_b))
#endif /* HAVE_NANOSLEEP */
#ifndef HAVE_OPENAT
sudo_dso_public int sudo_openat(int dfd, const char *path, int flags, mode_t mode);
# undef openat
# define openat(_a, _b, _c, _d) sudo_openat((_a), (_b), (_c), (_d))
#endif /* HAVE_OPENAT */
#ifndef HAVE_PW_DUP
sudo_dso_public struct passwd *sudo_pw_dup(const struct passwd *pw);
# undef pw_dup
# define pw_dup(_a) sudo_pw_dup((_a))
#endif /* HAVE_PW_DUP */
#ifndef HAVE_STRSIGNAL
sudo_dso_public char *sudo_strsignal(int signo);
# undef strsignal
# define strsignal(_a) sudo_strsignal((_a))
#endif /* HAVE_STRSIGNAL */
#ifndef HAVE_SIG2STR
sudo_dso_public int sudo_sig2str(int signo, char *signame);
# undef sig2str
# define sig2str(_a, _b) sudo_sig2str((_a), (_b))
#endif /* HAVE_SIG2STR */
#ifndef HAVE_STR2SIG
sudo_dso_public int sudo_str2sig(const char *signame, int *signum);
# undef str2sig
# define str2sig(_a, _b) sudo_str2sig((_a), (_b))
#endif /* HAVE_STR2SIG */
#if !defined(HAVE_INET_NTOP) && defined(NEED_INET_NTOP)
sudo_dso_public const char *sudo_inet_ntop(int af, const void * restrict src, char * restrict dst, socklen_t size);
# undef inet_ntop
# define inet_ntop(_a, _b, _c, _d) sudo_inet_ntop((_a), (_b), (_c), (_d))
#endif /* HAVE_INET_NTOP */
#ifndef HAVE_INET_PTON
sudo_dso_public int sudo_inet_pton(int af, const char * restrict src, void * restrict dst);
# undef inet_pton
# define inet_pton(_a, _b, _c) sudo_inet_pton((_a), (_b), (_c))
#endif /* HAVE_INET_PTON */
#ifndef HAVE_GETPROGNAME
sudo_dso_public const char *sudo_getprogname(void);
# undef getprogname
# define getprogname() sudo_getprogname()
#endif /* HAVE_GETPROGNAME */
#ifndef HAVE_SETPROGNAME
sudo_dso_public void sudo_setprogname(const char *name);
# undef setprogname
# define setprogname(_a) sudo_setprogname(_a)
#endif /* HAVE_SETPROGNAME */
#ifndef HAVE_REALLOCARRAY
sudo_dso_public void *sudo_reallocarray(void *ptr, size_t nmemb, size_t size);
# undef reallocarray
# define reallocarray(_a, _b, _c) sudo_reallocarray((_a), (_b), (_c))
#endif /* HAVE_REALLOCARRAY */
#ifndef HAVE_REALPATH
sudo_dso_public char *sudo_realpath(const char * restrict path, char * restrict resolved);
# undef realpath
# define realpath(_a, _b) sudo_realpath((_a), (_b))
#endif /* HAVE_REALPATH */
#ifndef HAVE_DUP3
sudo_dso_public int sudo_dup3(int oldd, int newd, int flags);
# undef dup3
# define dup3(_a, _b, _c) sudo_dup3((_a), (_b), (_c))
#endif /* HAVE_DUP3 */
#ifndef HAVE_PIPE2
sudo_dso_public int sudo_pipe2(int fildes[2], int flags);
# undef pipe2
# define pipe2(_a, _b) sudo_pipe2((_a), (_b))
#endif /* HAVE_PIPE2 */
#ifndef HAVE_PREAD
sudo_dso_public ssize_t sudo_pread(int fd, void *buf, size_t nbytes, off_t offset);
# undef pread
# define pread(_a, _b, _c, _d) sudo_pread((_a), (_b), (_c), (_d))
#endif /* HAVE_PREAD */
#ifndef HAVE_PWRITE
sudo_dso_public ssize_t sudo_pwrite(int fd, const void *buf, size_t nbytes, off_t offset);
# undef pwrite
# define pwrite(_a, _b, _c, _d) sudo_pwrite((_a), (_b), (_c), (_d))
#endif /* HAVE_PWRITE */
#ifndef HAVE_UNLINKAT
sudo_dso_public int sudo_unlinkat(int dfd, const char *path, int flag);
# undef unlinkat
# define unlinkat(_a, _b, _c) sudo_unlinkat((_a), (_b), (_c))
#endif /* HAVE_UNLINKAT */
#endif /* SUDO_COMPAT_H */
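Review bot: the wrapper macros in this hunk are inconsistent in small ways that are worth fixing before they get copied: `# define setprogname(_a) sudo_setprogname(_a)` is the only wrapper that does not parenthesize its argument (every other one uses the `((_a))` form, e.g. `# define strsignal(_a) sudo_strsignal((_a))`), `#undef nanosleep` drops the space after `#` that every other directive in the file uses, and the closing comment `#endif /* GETGROUPLIST */` does not follow the `HAVE_...` naming of its neighbours. The `!HAVE_MKDTEMPAT || !HAVE_MKOSTEMPSAT` block also deserves a comment: when both `_np` variants are present only `mkdtempat` and `mkostempsat` are remapped, but the `#else` branch replaces `mkdtemp`, `mkstemp` and `mkstemps` with the `sudo_` versions as well, even on systems whose libc provides them; routing all temporary-file creation through one implementation is presumably intended, but the header does not say so.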

97
include/sudo_conf.h Normal file

@ -0,0 +1,97 @@
/*
* SPDX-License-Identifier: ISC
*
* Copyright (c) 2011-2017, 2019-2021 Todd C. Miller <Todd.Miller@sudo.ws>
*
* Permission to use, copy, modify, and distribute this software for any
* purpose with or without fee is hereby granted, provided that the above
* copyright notice and this permission notice appear in all copies.
*
* THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
* WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
* MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
* ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
* WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
* ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
* OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
*/
#ifndef SUDO_CONF_H
#define SUDO_CONF_H
#ifdef HAVE_STDBOOL_H
# include <stdbool.h>
#else
# include <compat/stdbool.h>
#endif
#include <sudo_queue.h>
/* Flags for sudo_conf_read() */
#define SUDO_CONF_DEBUG 0x01
#define SUDO_CONF_PATHS 0x02
#define SUDO_CONF_PLUGINS 0x04
#define SUDO_CONF_SETTINGS 0x08
#define SUDO_CONF_ALL 0x0f
/* Values of sudo_conf_group_source() */
#define GROUP_SOURCE_ADAPTIVE 0
#define GROUP_SOURCE_STATIC 1
#define GROUP_SOURCE_DYNAMIC 2
struct sudo_debug_file;
TAILQ_HEAD(sudo_conf_debug_file_list, sudo_debug_file);
struct plugin_info {
TAILQ_ENTRY(plugin_info) entries;
char *path;
char *symbol_name;
char **options;
unsigned int lineno;
};
TAILQ_HEAD(plugin_info_list, plugin_info);
struct sudo_conf_debug {
TAILQ_ENTRY(sudo_conf_debug) entries;
struct sudo_conf_debug_file_list debug_files;
char *progname;
};
TAILQ_HEAD(sudo_conf_debug_list, sudo_conf_debug);
/* Read main sudo.conf file. */
sudo_dso_public int sudo_conf_read_v1(const char *conf_file, int conf_types);
#define sudo_conf_read(_a, _b) sudo_conf_read_v1((_a), (_b))
/* Accessor functions. */
sudo_dso_public const char *sudo_conf_askpass_path_v1(void);
sudo_dso_public const char *sudo_conf_sesh_path_v1(void);
sudo_dso_public const char *sudo_conf_intercept_path_v1(void);
sudo_dso_public const char *sudo_conf_noexec_path_v1(void);
sudo_dso_public const char *sudo_conf_plugin_dir_path_v1(void);
sudo_dso_public const char *sudo_conf_devsearch_path_v1(void);
sudo_dso_public struct sudo_conf_debug_list *sudo_conf_debugging_v1(void);
sudo_dso_public struct sudo_conf_debug_file_list *sudo_conf_debug_files_v1(const char *progname);
sudo_dso_public struct plugin_info_list *sudo_conf_plugins_v1(void);
sudo_dso_public bool sudo_conf_disable_coredump_v1(void);
sudo_dso_public bool sudo_conf_developer_mode_v1(void);
sudo_dso_public bool sudo_conf_probe_interfaces_v1(void);
sudo_dso_public int sudo_conf_group_source_v1(void);
sudo_dso_public int sudo_conf_max_groups_v1(void);
sudo_dso_public void sudo_conf_clear_paths_v1(void);
#define sudo_conf_askpass_path() sudo_conf_askpass_path_v1()
#define sudo_conf_sesh_path() sudo_conf_sesh_path_v1()
#define sudo_conf_intercept_path() sudo_conf_intercept_path_v1()
#define sudo_conf_noexec_path() sudo_conf_noexec_path_v1()
#define sudo_conf_plugin_dir_path() sudo_conf_plugin_dir_path_v1()
#define sudo_conf_devsearch_path() sudo_conf_devsearch_path_v1()
#define sudo_conf_debugging() sudo_conf_debugging_v1()
#define sudo_conf_debug_files(_a) sudo_conf_debug_files_v1((_a))
#define sudo_conf_plugins() sudo_conf_plugins_v1()
#define sudo_conf_disable_coredump() sudo_conf_disable_coredump_v1()
#define sudo_conf_developer_mode() sudo_conf_developer_mode_v1()
#define sudo_conf_probe_interfaces() sudo_conf_probe_interfaces_v1()
#define sudo_conf_group_source() sudo_conf_group_source_v1()
#define sudo_conf_max_groups() sudo_conf_max_groups_v1()
#define sudo_conf_clear_paths() sudo_conf_clear_paths_v1()
#endif /* SUDO_CONF_H */
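Review bot: `sudo_conf_read_v1(const char *conf_file, int conf_types)` is documented only as "Read main sudo.conf file."; the comment should state that `conf_types` is a bitmask of the `SUDO_CONF_*` flags defined above (`SUDO_CONF_ALL` for everything) and what the return value means, since a caller that passes a subset such as `SUDO_CONF_PLUGINS` needs to know which of the accessors below are meaningful afterwards. The header also marks every prototype `sudo_dso_public` but neither defines that macro nor includes anything beyond `<stdbool.h>` and `<sudo_queue.h>`, so it silently depends on the includer having already pulled in the header that defines it; either add that include or note the ordering requirement in a comment.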
