diff options
author | Daniel Baumann <daniel.baumann@progress-linux.org> | 2024-05-06 02:23:56 +0000 |
---|---|---|
committer | Daniel Baumann <daniel.baumann@progress-linux.org> | 2024-05-06 02:23:56 +0000 |
commit | 9620f76a210d9d8c1aaff25e99d6dc513f87e6e9 (patch) | |
tree | ceecc90fb95780872c35da764c5163f38e4727c4 /doc/sudo_plugin.cat | |
parent | Initial commit. (diff) | |
download | sudo-9620f76a210d9d8c1aaff25e99d6dc513f87e6e9.tar.xz sudo-9620f76a210d9d8c1aaff25e99d6dc513f87e6e9.zip |
Adding upstream version 1.8.27.upstream/1.8.27upstream
Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>
Diffstat (limited to 'doc/sudo_plugin.cat')
-rw-r--r-- | doc/sudo_plugin.cat | 1683 |
1 files changed, 1683 insertions, 0 deletions
diff --git a/doc/sudo_plugin.cat b/doc/sudo_plugin.cat new file mode 100644 index 0000000..eda4ceb --- /dev/null +++ b/doc/sudo_plugin.cat @@ -0,0 +1,1683 @@ +SUDO_PLUGIN(4) File Formats Manual SUDO_PLUGIN(4) + +NNAAMMEE + ssuuddoo__pplluuggiinn - Sudo Plugin API + +DDEESSCCRRIIPPTTIIOONN + Starting with version 1.8, ssuuddoo supports a plugin API for policy and + session logging. Plugins may be compiled as dynamic shared objects (the + default on systems that support them) or compiled statically into the + ssuuddoo binary itself. By default, the ssuuddooeerrss policy plugin and an + associated I/O logging plugin are used. Via the plugin API, ssuuddoo can be + configured to use alternate policy and/or I/O logging plugins provided by + third parties. The plugins to be used are specified in the sudo.conf(4) + file. + + The API is versioned with a major and minor number. The minor version + number is incremented when additions are made. The major number is + incremented when incompatible changes are made. A plugin should be check + the version passed to it and make sure that the major version matches. + + The plugin API is defined by the sudo_plugin.h header file. + + PPoolliiccyy pplluuggiinn AAPPII + A policy plugin must declare and populate a policy_plugin struct in the + global scope. This structure contains pointers to the functions that + implement the ssuuddoo policy checks. The name of the symbol should be + specified in sudo.conf(4) along with a path to the plugin so that ssuuddoo + can load it. + + struct policy_plugin { + #define SUDO_POLICY_PLUGIN 1 + unsigned int type; /* always SUDO_POLICY_PLUGIN */ + unsigned int version; /* always SUDO_API_VERSION */ + int (*open)(unsigned int version, sudo_conv_t conversation, + sudo_printf_t plugin_printf, char * const settings[], + char * const user_info[], char * const user_env[], + char * const plugin_options[]); + void (*close)(int exit_status, int error); + int (*show_version)(int verbose); + int (*check_policy)(int argc, char * const argv[], + char *env_add[], char **command_info[], + char **argv_out[], char **user_env_out[]); + int (*list)(int argc, char * const argv[], int verbose, + const char *list_user); + int (*validate)(void); + void (*invalidate)(int remove); + int (*init_session)(struct passwd *pwd, char **user_env[]); + void (*register_hooks)(int version, + int (*register_hook)(struct sudo_hook *hook)); + void (*deregister_hooks)(int version, + int (*deregister_hook)(struct sudo_hook *hook)); + }; + + The policy_plugin struct has the following fields: + + type The type field should always be set to SUDO_POLICY_PLUGIN. + + version + The version field should be set to SUDO_API_VERSION. + + This allows ssuuddoo to determine the API version the plugin was built + against. + + open + int (*open)(unsigned int version, sudo_conv_t conversation, + sudo_printf_t plugin_printf, char * const settings[], + char * const user_info[], char * const user_env[], + char * const plugin_options[]); + + Returns 1 on success, 0 on failure, -1 if a general error occurred, + or -2 if there was a usage error. In the latter case, ssuuddoo will + print a usage message before it exits. If an error occurs, the + plugin may optionally call the ccoonnvveerrssaattiioonn() or pplluuggiinn__pprriinnttff() + function with SUDO_CONF_ERROR_MSG to present additional error + information to the user. + + The function arguments are as follows: + + version + The version passed in by ssuuddoo allows the plugin to determine + the major and minor version number of the plugin API + supported by ssuuddoo. + + conversation + A pointer to the ccoonnvveerrssaattiioonn() function that can be used by + the plugin to interact with the user (see below). Returns 0 + on success and -1 on failure. + + plugin_printf + A pointer to a pprriinnttff()-style function that may be used to + display informational or error messages (see below). Returns + the number of characters printed on success and -1 on + failure. + + settings + A vector of user-supplied ssuuddoo settings in the form of + "name=value" strings. The vector is terminated by a NULL + pointer. These settings correspond to flags the user + specified when running ssuuddoo. As such, they will only be + present when the corresponding flag has been specified on the + command line. + + When parsing _s_e_t_t_i_n_g_s, the plugin should split on the ffiirrsstt + equal sign (`=') since the _n_a_m_e field will never include one + itself but the _v_a_l_u_e might. + + bsdauth_type=string + Authentication type, if specified by the --aa flag, to + use on systems where BSD authentication is supported. + + closefrom=number + If specified, the user has requested via the --CC flag + that ssuuddoo close all files descriptors with a value of + _n_u_m_b_e_r or higher. The plugin may optionally pass this, + or another value, back in the _c_o_m_m_a_n_d___i_n_f_o list. + + debug_flags=string + A debug file path name followed by a space and a comma- + separated list of debug flags that correspond to the + plugin's Debug entry in sudo.conf(4), if there is one. + The flags are passed to the plugin exactly as they + appear in sudo.conf(4). The syntax used by ssuuddoo and + the ssuuddooeerrss plugin is _s_u_b_s_y_s_t_e_m@_p_r_i_o_r_i_t_y but a plugin + is free to use a different format so long as it does + not include a comma (`,'). Prior to ssuuddoo 1.8.12, there + was no way to specify plugin-specific _d_e_b_u_g___f_l_a_g_s so + the value was always the same as that used by the ssuuddoo + front end and did not include a path name, only the + flags themselves. As of version 1.7 of the plugin + interface, ssuuddoo will only pass _d_e_b_u_g___f_l_a_g_s if + sudo.conf(4) contains a plugin-specific Debug entry. + + debug_level=number + This setting has been deprecated in favor of + _d_e_b_u_g___f_l_a_g_s. + + ignore_ticket=bool + Set to true if the user specified the --kk flag along + with a command, indicating that the user wishes to + ignore any cached authentication credentials. + _i_m_p_l_i_e_d___s_h_e_l_l to true. This allows ssuuddoo with no + arguments to be used similarly to su(1). If the plugin + does not to support this usage, it may return a value + of -2 from the cchheecckk__ppoolliiccyy() function, which will + cause ssuuddoo to print a usage message and exit. + + implied_shell=bool + If the user does not specify a program on the command + line, ssuuddoo will pass the plugin the path to the user's + shell and set + + login_class=string + BSD login class to use when setting resource limits and + nice value, if specified by the --cc flag. + + login_shell=bool + Set to true if the user specified the --ii flag, + indicating that the user wishes to run a login shell. + + max_groups=int + The maximum number of groups a user may belong to. + This will only be present if there is a corresponding + setting in sudo.conf(4). + + network_addrs=list + A space-separated list of IP network addresses and + netmasks in the form "addr/netmask", e.g., + "192.168.1.2/255.255.255.0". The address and netmask + pairs may be either IPv4 or IPv6, depending on what the + operating system supports. If the address contains a + colon (`:'), it is an IPv6 address, else it is IPv4. + + noninteractive=bool + Set to true if the user specified the --nn flag, + indicating that ssuuddoo should operate in non-interactive + mode. The plugin may reject a command run in non- + interactive mode if user interaction is required. + + plugin_dir=string + The default plugin directory used by the ssuuddoo front + end. This is the default directory set at compile time + and may not correspond to the directory the running + plugin was loaded from. It may be used by a plugin to + locate support files. + + plugin_path=string + The path name of plugin loaded by the ssuuddoo front end. + The path name will be a fully-qualified unless the + plugin was statically compiled into ssuuddoo. + + preserve_environment=bool + Set to true if the user specified the --EE flag, + indicating that the user wishes to preserve the + environment. + + preserve_groups=bool + Set to true if the user specified the --PP flag, + indicating that the user wishes to preserve the group + vector instead of setting it based on the runas user. + + progname=string + The command name that sudo was run as, typically "sudo" + or "sudoedit". + + prompt=string + The prompt to use when requesting a password, if + specified via the --pp flag. + + remote_host=string + The name of the remote host to run the command on, if + specified via the --hh option. Support for running the + command on a remote host is meant to be implemented via + a helper program that is executed in place of the user- + specified command. The ssuuddoo front end is only capable + of executing commands on the local host. Only + available starting with API version 1.4. + + run_shell=bool + Set to true if the user specified the --ss flag, + indicating that the user wishes to run a shell. + + runas_group=string + The group name or gid to run the command as, if + specified via the --gg flag. + + runas_user=string + The user name or uid to run the command as, if + specified via the --uu flag. + + selinux_role=string + SELinux role to use when executing the command, if + specified by the --rr flag. + + selinux_type=string + SELinux type to use when executing the command, if + specified by the --tt flag. + + set_home=bool + Set to true if the user specified the --HH flag. If + true, set the HOME environment variable to the target + user's home directory. + + sudoedit=bool + Set to true when the --ee flag is specified or if invoked + as ssuuddooeeddiitt. The plugin shall substitute an editor + into _a_r_g_v in the cchheecckk__ppoolliiccyy() function or return -2 + with a usage error if the plugin does not support + _s_u_d_o_e_d_i_t. For more information, see the _c_h_e_c_k___p_o_l_i_c_y + section. + + timeout=string + User-specified command timeout. Not all plugins + support command timeouts and the ability for the user + to set a timeout may be restricted by policy. The + format of the timeout string is plugin-specific. + + Additional settings may be added in the future so the plugin + should silently ignore settings that it does not recognize. + + user_info + A vector of information about the user running the command in + the form of "name=value" strings. The vector is terminated + by a NULL pointer. + + When parsing _u_s_e_r___i_n_f_o, the plugin should split on the ffiirrsstt + equal sign (`=') since the _n_a_m_e field will never include one + itself but the _v_a_l_u_e might. + + cols=int + The number of columns the user's terminal supports. If + there is no terminal device available, a default value + of 80 is used. + + cwd=string + The user's current working directory. + + egid=gid_t + The effective group ID of the user invoking ssuuddoo. + + euid=uid_t + The effective user ID of the user invoking ssuuddoo. + + gid=gid_t + The real group ID of the user invoking ssuuddoo. + + groups=list + The user's supplementary group list formatted as a + string of comma-separated group IDs. + + host=string + The local machine's hostname as returned by the + gethostname(2) system call. + + lines=int + The number of lines the user's terminal supports. If + there is no terminal device available, a default value + of 24 is used. + + pgid=int + The ID of the process group that the running ssuuddoo + process is a member of. Only available starting with + API version 1.2. + + pid=int + The process ID of the running ssuuddoo process. Only + available starting with API version 1.2. + + plugin_options + Any (non-comment) strings immediately after the plugin + path are passed as arguments to the plugin. These + arguments are split on a white space boundary and are + passed to the plugin in the form of a NULL-terminated + array of strings. If no arguments were specified, + _p_l_u_g_i_n___o_p_t_i_o_n_s will be the NULL pointer. + + NOTE: the _p_l_u_g_i_n___o_p_t_i_o_n_s parameter is only available + starting with API version 1.2. A plugin mmuusstt check the + API version specified by the ssuuddoo front end before + using _p_l_u_g_i_n___o_p_t_i_o_n_s. Failure to do so may result in a + crash. + + ppid=int + The parent process ID of the running ssuuddoo process. + Only available starting with API version 1.2. + + sid=int + The session ID of the running ssuuddoo process or 0 if ssuuddoo + is not part of a POSIX job control session. Only + available starting with API version 1.2. + + tcpgid=int + The ID of the foreground process group associated with + the terminal device associated with the ssuuddoo process or + -1 if there is no terminal present. Only available + starting with API version 1.2. + + tty=string + The path to the user's terminal device. If the user + has no terminal device associated with the session, the + value will be empty, as in "tty=". + + uid=uid_t + The real user ID of the user invoking ssuuddoo. + + umask=octal + The invoking user's file creation mask. Only available + starting with API version 1.10. + + user=string + The name of the user invoking ssuuddoo. + + user_env + The user's environment in the form of a NULL-terminated + vector of "name=value" strings. + + When parsing _u_s_e_r___e_n_v, the plugin should split on the ffiirrsstt + equal sign (`=') since the _n_a_m_e field will never include one + itself but the _v_a_l_u_e might. + + close + void (*close)(int exit_status, int error); + + The cclloossee() function is called when the command being run by ssuuddoo + finishes. + + The function arguments are as follows: + + exit_status + The command's exit status, as returned by the wait(2) system + call. The value of exit_status is undefined if error is non- + zero. + + error + If the command could not be executed, this is set to the + value of errno set by the execve(2) system call. The plugin + is responsible for displaying error information via the + ccoonnvveerrssaattiioonn() or pplluuggiinn__pprriinnttff() function. If the command + was successfully executed, the value of error is 0. + + If no cclloossee() function is defined, no I/O logging plugins are + loaded, and neither the _t_i_m_e_o_u_t not _u_s_e___p_t_y options are set in the + command_info list, the ssuuddoo front end may execute the command + directly instead of running it as a child process. + + show_version + int (*show_version)(int verbose); + + The sshhooww__vveerrssiioonn() function is called by ssuuddoo when the user + specifies the --VV option. The plugin may display its version + information to the user via the ccoonnvveerrssaattiioonn() or pplluuggiinn__pprriinnttff() + function using SUDO_CONV_INFO_MSG. If the user requests detailed + version information, the verbose flag will be set. + + Returns 1 on success, 0 on failure, -1 if a general error occurred, + or -2 if there was a usage error, although the return value is + currently ignored. + + check_policy + int (*check_policy)(int argc, char * const argv[], + char *env_add[], char **command_info[], + char **argv_out[], char **user_env_out[]); + + The cchheecckk__ppoolliiccyy() function is called by ssuuddoo to determine whether + the user is allowed to run the specified commands. + + If the _s_u_d_o_e_d_i_t option was enabled in the _s_e_t_t_i_n_g_s array passed to + the ooppeenn() function, the user has requested _s_u_d_o_e_d_i_t mode. + _s_u_d_o_e_d_i_t is a mechanism for editing one or more files where an + editor is run with the user's credentials instead of with elevated + privileges. ssuuddoo achieves this by creating user-writable temporary + copies of the files to be edited and then overwriting the originals + with the temporary copies after editing is complete. If the plugin + supports _s_u_d_o_e_d_i_t, it should choose the editor to be used, + potentially from a variable in the user's environment, such as + EDITOR, and include it in _a_r_g_v___o_u_t (note that environment variables + may include command line flags). The files to be edited should be + copied from _a_r_g_v into _a_r_g_v___o_u_t, separated from the editor and its + arguments by a "--" element. The "--" will be removed by ssuuddoo + before the editor is executed. The plugin should also set + _s_u_d_o_e_d_i_t_=_t_r_u_e in the _c_o_m_m_a_n_d___i_n_f_o list. + + The cchheecckk__ppoolliiccyy() function returns 1 if the command is allowed, 0 + if not allowed, -1 for a general error, or -2 for a usage error or + if _s_u_d_o_e_d_i_t was specified but is unsupported by the plugin. In the + latter case, ssuuddoo will print a usage message before it exits. If + an error occurs, the plugin may optionally call the ccoonnvveerrssaattiioonn() + or pplluuggiinn__pprriinnttff() function with SUDO_CONF_ERROR_MSG to present + additional error information to the user. + + The function arguments are as follows: + + argc The number of elements in _a_r_g_v, not counting the final NULL + pointer. + + argv The argument vector describing the command the user wishes to + run, in the same form as what would be passed to the + execve(2) system call. The vector is terminated by a NULL + pointer. + + env_add + Additional environment variables specified by the user on the + command line in the form of a NULL-terminated vector of + "name=value" strings. The plugin may reject the command if + one or more variables are not allowed to be set, or it may + silently ignore such variables. + + When parsing _e_n_v___a_d_d, the plugin should split on the ffiirrsstt + equal sign (`=') since the _n_a_m_e field will never include one + itself but the _v_a_l_u_e might. + + command_info + Information about the command being run in the form of + "name=value" strings. These values are used by ssuuddoo to set + the execution environment when running a command. The plugin + is responsible for creating and populating the vector, which + must be terminated with a NULL pointer. The following values + are recognized by ssuuddoo: + + chroot=string + The root directory to use when running the command. + + closefrom=number + If specified, ssuuddoo will close all files descriptors + with a value of _n_u_m_b_e_r or higher. + + command=string + Fully qualified path to the command to be executed. + + cwd=string + The current working directory to change to when + executing the command. + + exec_background=bool + By default, ssuuddoo runs a command as the foreground + process as long as ssuuddoo itself is running in the + foreground. When _e_x_e_c___b_a_c_k_g_r_o_u_n_d is enabled and the + command is being run in a pty (due to I/O logging or + the _u_s_e___p_t_y setting), the command will be run as a + background process. Attempts to read from the + controlling terminal (or to change terminal settings) + will result in the command being suspended with the + SIGTTIN signal (or SIGTTOU in the case of terminal + settings). If this happens when ssuuddoo is a foreground + process, the command will be granted the controlling + terminal and resumed in the foreground with no user + intervention required. The advantage of initially + running the command in the background is that ssuuddoo need + not read from the terminal unless the command + explicitly requests it. Otherwise, any terminal input + must be passed to the command, whether it has required + it or not (the kernel buffers terminals so it is not + possible to tell whether the command really wants the + input). This is different from historic _s_u_d_o behavior + or when the command is not being run in a pty. + + For this to work seamlessly, the operating system must + support the automatic restarting of system calls. + Unfortunately, not all operating systems do this by + default, and even those that do may have bugs. For + example, macOS fails to restart the ttccggeettaattttrr() and + ttccsseettaattttrr() system calls (this is a bug in macOS). + Furthermore, because this behavior depends on the + command stopping with the SIGTTIN or SIGTTOU signals, + programs that catch these signals and suspend + themselves with a different signal (usually SIGTOP) + will not be automatically foregrounded. Some versions + of the linux su(1) command behave this way. Because of + this, a plugin should not set _e_x_e_c___b_a_c_k_g_r_o_u_n_d unless it + is explicitly enabled by the administrator and there + should be a way to enabled or disable it on a per- + command basis. + + This setting has no effect unless I/O logging is + enabled or _u_s_e___p_t_y is enabled. + + execfd=number + If specified, ssuuddoo will use the fexecve(2) system call + to execute the command instead of execve(2). The + specified _n_u_m_b_e_r must refer to an open file descriptor. + + iolog_compress=bool + Set to true if the I/O logging plugins, if any, should + compress the log data. This is a hint to the I/O + logging plugin which may choose to ignore it. + + iolog_group=string + The group that will own newly created I/O log files and + directories. This is a hint to the I/O logging plugin + which may choose to ignore it. + + iolog_mode=octal + The file permission mode to use when creating I/O log + files and directories. This is a hint to the I/O + logging plugin which may choose to ignore it. + + iolog_user=string + The user that will own newly created I/O log files and + directories. This is a hint to the I/O logging plugin + which may choose to ignore it. + + iolog_path=string + Fully qualified path to the file or directory in which + I/O log is to be stored. This is a hint to the I/O + logging plugin which may choose to ignore it. If no + I/O logging plugin is loaded, this setting has no + effect. + + iolog_stdin=bool + Set to true if the I/O logging plugins, if any, should + log the standard input if it is not connected to a + terminal device. This is a hint to the I/O logging + plugin which may choose to ignore it. + + iolog_stdout=bool + Set to true if the I/O logging plugins, if any, should + log the standard output if it is not connected to a + terminal device. This is a hint to the I/O logging + plugin which may choose to ignore it. + + iolog_stderr=bool + Set to true if the I/O logging plugins, if any, should + log the standard error if it is not connected to a + terminal device. This is a hint to the I/O logging + plugin which may choose to ignore it. + + iolog_ttyin=bool + Set to true if the I/O logging plugins, if any, should + log all terminal input. This only includes input typed + by the user and not from a pipe or redirected from a + file. This is a hint to the I/O logging plugin which + may choose to ignore it. + + iolog_ttyout=bool + Set to true if the I/O logging plugins, if any, should + log all terminal output. This only includes output to + the screen, not output to a pipe or file. This is a + hint to the I/O logging plugin which may choose to + ignore it. + + login_class=string + BSD login class to use when setting resource limits and + nice value (optional). This option is only set on + systems that support login classes. + + nice=int + Nice value (priority) to use when executing the + command. The nice value, if specified, overrides the + priority associated with the _l_o_g_i_n___c_l_a_s_s on BSD + systems. + + noexec=bool + If set, prevent the command from executing other + programs. + + preserve_fds=list + A comma-separated list of file descriptors that should + be preserved, regardless of the value of the _c_l_o_s_e_f_r_o_m + setting. Only available starting with API version 1.5. + + preserve_groups=bool + If set, ssuuddoo will preserve the user's group vector + instead of initializing the group vector based on + runas_user. + + runas_egid=gid + Effective group ID to run the command as. If not + specified, the value of _r_u_n_a_s___g_i_d is used. + + runas_euid=uid + Effective user ID to run the command as. If not + specified, the value of _r_u_n_a_s___u_i_d is used. + + runas_gid=gid + Group ID to run the command as. + + runas_groups=list + The supplementary group vector to use for the command + in the form of a comma-separated list of group IDs. If + _p_r_e_s_e_r_v_e___g_r_o_u_p_s is set, this option is ignored. + + runas_uid=uid + User ID to run the command as. + + selinux_role=string + SELinux role to use when executing the command. + + selinux_type=string + SELinux type to use when executing the command. + + set_utmp=bool + Create a utmp (or utmpx) entry when a pseudo-tty is + allocated. By default, the new entry will be a copy of + the user's existing utmp entry (if any), with the tty, + time, type and pid fields updated. + + sudoedit=bool + Set to true when in _s_u_d_o_e_d_i_t mode. The plugin may + enable _s_u_d_o_e_d_i_t mode even if ssuuddoo was not invoked as + ssuuddooeeddiitt. This allows the plugin to perform command + substitution and transparently enable _s_u_d_o_e_d_i_t when the + user attempts to run an editor. + + sudoedit_checkdir=bool + Set to false to disable directory writability checks in + ssuuddooeeddiitt. By default, ssuuddooeeddiitt 1.8.16 and higher will + check all directory components of the path to be edited + for writability by the invoking user. Symbolic links + will not be followed in writable directories and + ssuuddooeeddiitt will refuse to edit a file located in a + writable directory. These restrictions are not + enforced when ssuuddooeeddiitt is run by root. The + _s_u_d_o_e_d_i_t___f_o_l_l_o_w option can be set to false to disable + this check. Only available starting with API version + 1.8. + + sudoedit_follow=bool + Set to true to allow ssuuddooeeddiitt to edit files that are + symbolic links. By default, ssuuddooeeddiitt 1.8.15 and higher + will refuse to open a symbolic link. The + _s_u_d_o_e_d_i_t___f_o_l_l_o_w option can be used to restore the older + behavior and allow ssuuddooeeddiitt to open symbolic links. + Only available starting with API version 1.8. + + timeout=int + Command timeout. If non-zero then when the timeout + expires the command will be killed. + + umask=octal + The file creation mask to use when executing the + command. + + use_pty=bool + Allocate a pseudo-tty to run the command in, regardless + of whether or not I/O logging is in use. By default, + ssuuddoo will only run the command in a pty when an I/O log + plugin is loaded. + + utmp_user=string + User name to use when constructing a new utmp (or + utmpx) entry when _s_e_t___u_t_m_p is enabled. This option can + be used to set the user field in the utmp entry to the + user the command runs as rather than the invoking user. + If not set, ssuuddoo will base the new entry on the + invoking user's existing entry. + + Unsupported values will be ignored. + + argv_out + The NULL-terminated argument vector to pass to the execve(2) + system call when executing the command. The plugin is + responsible for allocating and populating the vector. + + user_env_out + The NULL-terminated environment vector to use when executing + the command. The plugin is responsible for allocating and + populating the vector. + + list + int (*list)(int argc, char * const argv[], + int verbose, const char *list_user); + + List available privileges for the invoking user. Returns 1 on + success, 0 on failure and -1 on error. On error, the plugin may + optionally call the ccoonnvveerrssaattiioonn() or pplluuggiinn__pprriinnttff() function with + SUDO_CONF_ERROR_MSG to present additional error information to the + user. + + Privileges should be output via the ccoonnvveerrssaattiioonn() or + pplluuggiinn__pprriinnttff() function using SUDO_CONV_INFO_MSG, + + verbose + Flag indicating whether to list in verbose mode or not. + + list_user + The name of a different user to list privileges for if the + policy allows it. If NULL, the plugin should list the + privileges of the invoking user. + + argc The number of elements in _a_r_g_v, not counting the final NULL + pointer. + + argv If non-NULL, an argument vector describing a command the user + wishes to check against the policy in the same form as what + would be passed to the execve(2) system call. If the command + is permitted by the policy, the fully-qualified path to the + command should be displayed along with any command line + arguments. + + validate + int (*validate)(void); + + The vvaalliiddaattee() function is called when ssuuddoo is run with the --vv + flag. For policy plugins such as ssuuddooeerrss that cache authentication + credentials, this function will validate and cache the credentials. + + The vvaalliiddaattee() function should be NULL if the plugin does not + support credential caching. + + Returns 1 on success, 0 on failure and -1 on error. On error, the + plugin may optionally call the ccoonnvveerrssaattiioonn() or pplluuggiinn__pprriinnttff() + function with SUDO_CONF_ERROR_MSG to present additional error + information to the user. + + invalidate + void (*invalidate)(int remove); + + The iinnvvaalliiddaattee() function is called when ssuuddoo is called with the --kk + or --KK flag. For policy plugins such as ssuuddooeerrss that cache + authentication credentials, this function will invalidate the + credentials. If the _r_e_m_o_v_e flag is set, the plugin may remove the + credentials instead of simply invalidating them. + + The iinnvvaalliiddaattee() function should be NULL if the plugin does not + support credential caching. + + init_session + int (*init_session)(struct passwd *pwd, char **user_envp[); + + The iinniitt__sseessssiioonn() function is called before ssuuddoo sets up the + execution environment for the command. It is run in the parent + ssuuddoo process and before any uid or gid changes. This can be used + to perform session setup that is not supported by _c_o_m_m_a_n_d___i_n_f_o, + such as opening the PAM session. The cclloossee() function can be used + to tear down the session that was opened by init_session. + + The _p_w_d argument points to a passwd struct for the user the command + will be run as if the uid the command will run as was found in the + password database, otherwise it will be NULL. + + The _u_s_e_r___e_n_v argument points to the environment the command will + run in, in the form of a NULL-terminated vector of "name=value" + strings. This is the same string passed back to the front end via + the Policy Plugin's _u_s_e_r___e_n_v___o_u_t parameter. If the iinniitt__sseessssiioonn() + function needs to modify the user environment, it should update the + pointer stored in _u_s_e_r___e_n_v. The expected use case is to merge the + contents of the PAM environment (if any) with the contents of + _u_s_e_r___e_n_v. NOTE: the _u_s_e_r___e_n_v parameter is only available starting + with API version 1.2. A plugin mmuusstt check the API version + specified by the ssuuddoo front end before using _u_s_e_r___e_n_v. Failure to + do so may result in a crash. + + Returns 1 on success, 0 on failure and -1 on error. On error, the + plugin may optionally call the ccoonnvveerrssaattiioonn() or pplluuggiinn__pprriinnttff() + function with SUDO_CONF_ERROR_MSG to present additional error + information to the user. + + register_hooks + void (*register_hooks)(int version, + int (*register_hook)(struct sudo_hook *hook)); + + The rreeggiisstteerr__hhooookkss() function is called by the sudo front end to + register any hooks the plugin needs. If the plugin does not + support hooks, register_hooks should be set to the NULL pointer. + + The _v_e_r_s_i_o_n argument describes the version of the hooks API + supported by the ssuuddoo front end. + + The rreeggiisstteerr__hhooookk() function should be used to register any + supported hooks the plugin needs. It returns 0 on success, 1 if + the hook type is not supported and -1 if the major version in + struct hook does not match the front end's major hook API version. + + See the _H_o_o_k _f_u_n_c_t_i_o_n _A_P_I section below for more information about + hooks. + + NOTE: the rreeggiisstteerr__hhooookkss() function is only available starting with + API version 1.2. If the ssuuddoo front end doesn't support API version + 1.2 or higher, register_hooks will not be called. + + deregister_hooks + void (*deregister_hooks)(int version, + int (*deregister_hook)(struct sudo_hook *hook)); + + The ddeerreeggiisstteerr__hhooookkss() function is called by the sudo front end to + deregister any hooks the plugin has registered. If the plugin does + not support hooks, deregister_hooks should be set to the NULL + pointer. + + The _v_e_r_s_i_o_n argument describes the version of the hooks API + supported by the ssuuddoo front end. + + The ddeerreeggiisstteerr__hhooookk() function should be used to deregister any + hooks that were put in place by the rreeggiisstteerr__hhooookk() function. If + the plugin tries to deregister a hook that the front end does not + support, deregister_hook will return an error. + + See the _H_o_o_k _f_u_n_c_t_i_o_n _A_P_I section below for more information about + hooks. + + NOTE: the ddeerreeggiisstteerr__hhooookkss() function is only available starting + with API version 1.2. If the ssuuddoo front end doesn't support API + version 1.2 or higher, deregister_hooks will not be called. + + _P_o_l_i_c_y _P_l_u_g_i_n _V_e_r_s_i_o_n _M_a_c_r_o_s + + /* Plugin API version major/minor. */ + #define SUDO_API_VERSION_MAJOR 1 + #define SUDO_API_VERSION_MINOR 13 + #define SUDO_API_MKVERSION(x, y) ((x << 16) | y) + #define SUDO_API_VERSION SUDO_API_MKVERSION(SUDO_API_VERSION_MAJOR,\ + SUDO_API_VERSION_MINOR) + + /* Getters and setters for API version */ + #define SUDO_API_VERSION_GET_MAJOR(v) ((v) >> 16) + #define SUDO_API_VERSION_GET_MINOR(v) ((v) & 0xffff) + #define SUDO_API_VERSION_SET_MAJOR(vp, n) do { \ + *(vp) = (*(vp) & 0x0000ffff) | ((n) << 16); \ + } while(0) + #define SUDO_API_VERSION_SET_MINOR(vp, n) do { \ + *(vp) = (*(vp) & 0xffff0000) | (n); \ + } while(0) + + II//OO pplluuggiinn AAPPII + struct io_plugin { + #define SUDO_IO_PLUGIN 2 + unsigned int type; /* always SUDO_IO_PLUGIN */ + unsigned int version; /* always SUDO_API_VERSION */ + int (*open)(unsigned int version, sudo_conv_t conversation, + sudo_printf_t plugin_printf, char * const settings[], + char * const user_info[], char * const command_info[], + int argc, char * const argv[], char * const user_env[], + char * const plugin_options[]); + void (*close)(int exit_status, int error); /* wait status or error */ + int (*show_version)(int verbose); + int (*log_ttyin)(const char *buf, unsigned int len); + int (*log_ttyout)(const char *buf, unsigned int len); + int (*log_stdin)(const char *buf, unsigned int len); + int (*log_stdout)(const char *buf, unsigned int len); + int (*log_stderr)(const char *buf, unsigned int len); + void (*register_hooks)(int version, + int (*register_hook)(struct sudo_hook *hook)); + void (*deregister_hooks)(int version, + int (*deregister_hook)(struct sudo_hook *hook)); + int (*change_winsize)(unsigned int lines, unsigned int cols); + int (*log_suspend)(int signo); + }; + + When an I/O plugin is loaded, ssuuddoo runs the command in a pseudo-tty. + This makes it possible to log the input and output from the user's + session. If any of the standard input, standard output or standard error + do not correspond to a tty, ssuuddoo will open a pipe to capture the I/O for + logging before passing it on. + + The log_ttyin function receives the raw user input from the terminal + device (note that this will include input even when echo is disabled, + such as when a password is read). The log_ttyout function receives + output from the pseudo-tty that is suitable for replaying the user's + session at a later time. The lloogg__ssttddiinn(), lloogg__ssttddoouutt() and lloogg__ssttddeerrrr() + functions are only called if the standard input, standard output or + standard error respectively correspond to something other than a tty. + + Any of the logging functions may be set to the NULL pointer if no logging + is to be performed. If the open function returns 0, no I/O will be sent + to the plugin. + + If a logging function returns an error (-1), the running command will be + terminated and all of the plugin's logging functions will be disabled. + Other I/O logging plugins will still receive any remaining input or + output that has not yet been processed. + + If an input logging function rejects the data by returning 0, the command + will be terminated and the data will not be passed to the command, though + it will still be sent to any other I/O logging plugins. If an output + logging function rejects the data by returning 0, the command will be + terminated and the data will not be written to the terminal, though it + will still be sent to any other I/O logging plugins. + + The io_plugin struct has the following fields: + + type The type field should always be set to SUDO_IO_PLUGIN. + + version + The version field should be set to SUDO_API_VERSION. + + This allows ssuuddoo to determine the API version the plugin was built + against. + + open + int (*open)(unsigned int version, sudo_conv_t conversation, + sudo_printf_t plugin_printf, char * const settings[], + char * const user_info[], char * const command_info[], + int argc, char * const argv[], char * const user_env[], + char * const plugin_options[]); + + The ooppeenn() function is run before the lloogg__ttttyyiinn(), lloogg__ttttyyoouutt(), + lloogg__ssttddiinn(), lloogg__ssttddoouutt(), lloogg__ssttddeerrrr(), lloogg__ssuussppeenndd(), + cchhaannggee__wwiinnssiizzee(), or sshhooww__vveerrssiioonn() functions are called. It is + only called if the version is being requested or if the policy + plugin's cchheecckk__ppoolliiccyy() function has returned successfully. It + returns 1 on success, 0 on failure, -1 if a general error occurred, + or -2 if there was a usage error. In the latter case, ssuuddoo will + print a usage message before it exits. If an error occurs, the + plugin may optionally call the ccoonnvveerrssaattiioonn() or pplluuggiinn__pprriinnttff() + function with SUDO_CONF_ERROR_MSG to present additional error + information to the user. + + The function arguments are as follows: + + version + The version passed in by ssuuddoo allows the plugin to determine + the major and minor version number of the plugin API + supported by ssuuddoo. + + conversation + A pointer to the ccoonnvveerrssaattiioonn() function that may be used by + the sshhooww__vveerrssiioonn() function to display version information + (see sshhooww__vveerrssiioonn() below). The ccoonnvveerrssaattiioonn() function may + also be used to display additional error message to the user. + The ccoonnvveerrssaattiioonn() function returns 0 on success and -1 on + failure. + + plugin_printf + A pointer to a pprriinnttff()-style function that may be used by + the sshhooww__vveerrssiioonn() function to display version information + (see show_version below). The pplluuggiinn__pprriinnttff() function may + also be used to display additional error message to the user. + The pplluuggiinn__pprriinnttff() function returns number of characters + printed on success and -1 on failure. + + settings + A vector of user-supplied ssuuddoo settings in the form of + "name=value" strings. The vector is terminated by a NULL + pointer. These settings correspond to flags the user + specified when running ssuuddoo. As such, they will only be + present when the corresponding flag has been specified on the + command line. + + When parsing _s_e_t_t_i_n_g_s, the plugin should split on the ffiirrsstt + equal sign (`=') since the _n_a_m_e field will never include one + itself but the _v_a_l_u_e might. + + See the _P_o_l_i_c_y _p_l_u_g_i_n _A_P_I section for a list of all possible + settings. + + user_info + A vector of information about the user running the command in + the form of "name=value" strings. The vector is terminated + by a NULL pointer. + + When parsing _u_s_e_r___i_n_f_o, the plugin should split on the ffiirrsstt + equal sign (`=') since the _n_a_m_e field will never include one + itself but the _v_a_l_u_e might. + + See the _P_o_l_i_c_y _p_l_u_g_i_n _A_P_I section for a list of all possible + strings. + + argc The number of elements in _a_r_g_v, not counting the final NULL + pointer. It can be zero, when ssuuddoo is called with --VV. + + argv If non-NULL, an argument vector describing a command the user + wishes to run in the same form as what would be passed to the + execve(2) system call. + + user_env + The user's environment in the form of a NULL-terminated + vector of "name=value" strings. + + When parsing _u_s_e_r___e_n_v, the plugin should split on the ffiirrsstt + equal sign (`=') since the _n_a_m_e field will never include one + itself but the _v_a_l_u_e might. + + plugin_options + Any (non-comment) strings immediately after the plugin path + are treated as arguments to the plugin. These arguments are + split on a white space boundary and are passed to the plugin + in the form of a NULL-terminated array of strings. If no + arguments were specified, _p_l_u_g_i_n___o_p_t_i_o_n_s will be the NULL + pointer. + + NOTE: the _p_l_u_g_i_n___o_p_t_i_o_n_s parameter is only available starting + with API version 1.2. A plugin mmuusstt check the API version + specified by the ssuuddoo front end before using _p_l_u_g_i_n___o_p_t_i_o_n_s. + Failure to do so may result in a crash. + + close + void (*close)(int exit_status, int error); + + The cclloossee() function is called when the command being run by ssuuddoo + finishes. + + The function arguments are as follows: + + exit_status + The command's exit status, as returned by the wait(2) system + call. The value of exit_status is undefined if error is non- + zero. + + error + If the command could not be executed, this is set to the + value of errno set by the execve(2) system call. If the + command was successfully executed, the value of error is 0. + + show_version + int (*show_version)(int verbose); + + The sshhooww__vveerrssiioonn() function is called by ssuuddoo when the user + specifies the --VV option. The plugin may display its version + information to the user via the ccoonnvveerrssaattiioonn() or pplluuggiinn__pprriinnttff() + function using SUDO_CONV_INFO_MSG. If the user requests detailed + version information, the verbose flag will be set. + + Returns 1 on success, 0 on failure, -1 if a general error occurred, + or -2 if there was a usage error, although the return value is + currently ignored. + + log_ttyin + int (*log_ttyin)(const char *buf, unsigned int len); + + The lloogg__ttttyyiinn() function is called whenever data can be read from + the user but before it is passed to the running command. This + allows the plugin to reject data if it chooses to (for instance if + the input contains banned content). Returns 1 if the data should + be passed to the command, 0 if the data is rejected (which will + terminate the running command) or -1 if an error occurred. + + The function arguments are as follows: + + buf The buffer containing user input. + + len The length of _b_u_f in bytes. + + log_ttyout + int (*log_ttyout)(const char *buf, unsigned int len); + + The lloogg__ttttyyoouutt() function is called whenever data can be read from + the command but before it is written to the user's terminal. This + allows the plugin to reject data if it chooses to (for instance if + the output contains banned content). Returns 1 if the data should + be passed to the user, 0 if the data is rejected (which will + terminate the running command) or -1 if an error occurred. + + The function arguments are as follows: + + buf The buffer containing command output. + + len The length of _b_u_f in bytes. + + log_stdin + int (*log_stdin)(const char *buf, unsigned int len); + + The lloogg__ssttddiinn() function is only used if the standard input does + not correspond to a tty device. It is called whenever data can be + read from the standard input but before it is passed to the running + command. This allows the plugin to reject data if it chooses to + (for instance if the input contains banned content). Returns 1 if + the data should be passed to the command, 0 if the data is rejected + (which will terminate the running command) or -1 if an error + occurred. + + The function arguments are as follows: + + buf The buffer containing user input. + + len The length of _b_u_f in bytes. + + log_stdout + int (*log_stdout)(const char *buf, unsigned int len); + + The lloogg__ssttddoouutt() function is only used if the standard output does + not correspond to a tty device. It is called whenever data can be + read from the command but before it is written to the standard + output. This allows the plugin to reject data if it chooses to + (for instance if the output contains banned content). Returns 1 if + the data should be passed to the user, 0 if the data is rejected + (which will terminate the running command) or -1 if an error + occurred. + + The function arguments are as follows: + + buf The buffer containing command output. + + len The length of _b_u_f in bytes. + + log_stderr + int (*log_stderr)(const char *buf, unsigned int len); + + The lloogg__ssttddeerrrr() function is only used if the standard error does + not correspond to a tty device. It is called whenever data can be + read from the command but before it is written to the standard + error. This allows the plugin to reject data if it chooses to (for + instance if the output contains banned content). Returns 1 if the + data should be passed to the user, 0 if the data is rejected (which + will terminate the running command) or -1 if an error occurred. + + The function arguments are as follows: + + buf The buffer containing command output. + + len The length of _b_u_f in bytes. + + register_hooks + See the _P_o_l_i_c_y _p_l_u_g_i_n _A_P_I section for a description of + register_hooks. + + deregister_hooks + See the _P_o_l_i_c_y _p_l_u_g_i_n _A_P_I section for a description of + deregister_hooks. + + change_winsize + int (*change_winsize)(unsigned int lines, unsigned int cols); + + The cchhaannggee__wwiinnssiizzee() function is called whenever the window size of + the terminal changes from the initial values specified in the + user_info list. Returns -1 if an error occurred, in which case no + further calls to cchhaannggee__wwiinnssiizzee() will be made, + + log_suspend + int (*log_suspend)(int signo); + + The lloogg__ssuussppeenndd() function is called whenever a command is + suspended or resumed. The _s_i_g_n_o argument is either the signal that + caused the command to be suspended or SIGCONT if the command was + resumed. Logging this information makes it possible to skip the + period of time when the command was suspended during playback of a + session. Returns -1 if an error occurred, in which case no further + calls to lloogg__ssuussppeenndd() will be made, + + _I_/_O _P_l_u_g_i_n _V_e_r_s_i_o_n _M_a_c_r_o_s + + Same as for the _P_o_l_i_c_y _p_l_u_g_i_n _A_P_I. + + SSiiggnnaall hhaannddlleerrss + The ssuuddoo front end installs default signal handlers to trap common + signals while the plugin functions are run. The following signals are + trapped by default before the command is executed: + + ++oo SIGALRM + ++oo SIGHUP + ++oo SIGINT + ++oo SIGPIPE + ++oo SIGQUIT + ++oo SIGTERM + ++oo SIGTSTP + ++oo SIGUSR1 + ++oo SIGUSR2 + + If a fatal signal is received before the command is executed, ssuuddoo will + call the plugin's cclloossee() function with an exit status of 128 plus the + value of the signal that was received. This allows for consistent + logging of commands killed by a signal for plugins that log such + information in their cclloossee() function. An exception to this is SIGPIPE, + which is ignored until the command is executed. + + A plugin may temporarily install its own signal handlers but must restore + the original handler before the plugin function returns. + + HHooookk ffuunnccttiioonn AAPPII + Beginning with plugin API version 1.2, it is possible to install hooks + for certain functions called by the ssuuddoo front end. + + Currently, the only supported hooks relate to the handling of environment + variables. Hooks can be used to intercept attempts to get, set, or + remove environment variables so that these changes can be reflected in + the version of the environment that is used to execute a command. A + future version of the API will support hooking internal ssuuddoo front end + functions as well. + + _H_o_o_k _s_t_r_u_c_t_u_r_e + + Hooks in ssuuddoo are described by the following structure: + + typedef int (*sudo_hook_fn_t)(); + + struct sudo_hook { + unsigned int hook_version; + unsigned int hook_type; + sudo_hook_fn_t hook_fn; + void *closure; + }; + + The sudo_hook structure has the following fields: + + hook_version + The hook_version field should be set to SUDO_HOOK_VERSION. + + hook_type + The hook_type field may be one of the following supported hook + types: + + SUDO_HOOK_SETENV + The C library setenv(3) function. Any registered hooks will + run before the C library implementation. The hook_fn field + should be a function that matches the following typedef: + + typedef int (*sudo_hook_fn_setenv_t)(const char *name, + const char *value, int overwrite, void *closure); + + If the registered hook does not match the typedef the results + are unspecified. + + SUDO_HOOK_UNSETENV + The C library unsetenv(3) function. Any registered hooks + will run before the C library implementation. The hook_fn + field should be a function that matches the following + typedef: + + typedef int (*sudo_hook_fn_unsetenv_t)(const char *name, + void *closure); + + SUDO_HOOK_GETENV + The C library getenv(3) function. Any registered hooks will + run before the C library implementation. The hook_fn field + should be a function that matches the following typedef: + + typedef int (*sudo_hook_fn_getenv_t)(const char *name, + char **value, void *closure); + + If the registered hook does not match the typedef the results + are unspecified. + + SUDO_HOOK_PUTENV + The C library putenv(3) function. Any registered hooks will + run before the C library implementation. The hook_fn field + should be a function that matches the following typedef: + + typedef int (*sudo_hook_fn_putenv_t)(char *string, + void *closure); + + If the registered hook does not match the typedef the results + are unspecified. + + hook_fn + sudo_hook_fn_t hook_fn; + + The hook_fn field should be set to the plugin's hook + implementation. The actual function arguments will vary depending + on the hook_type (see hook_type above). In all cases, the closure + field of struct sudo_hook is passed as the last function parameter. + This can be used to pass arbitrary data to the plugin's hook + implementation. + + The function return value may be one of the following: + + SUDO_HOOK_RET_ERROR + The hook function encountered an error. + + SUDO_HOOK_RET_NEXT + The hook completed without error, go on to the next hook + (including the native implementation if applicable). For + example, a getenv(3) hook might return SUDO_HOOK_RET_NEXT if + the specified variable was not found in the private copy of + the environment. + + SUDO_HOOK_RET_STOP + The hook completed without error, stop processing hooks for + this invocation. This can be used to replace the native + implementation. For example, a setenv hook that operates on + a private copy of the environment but leaves environ + unchanged. + + Note that it is very easy to create an infinite loop when hooking C + library functions. For example, a getenv(3) hook that calls the + snprintf(3) function may create a loop if the snprintf(3) implementation + calls getenv(3) to check the locale. To prevent this, you may wish to + use a static variable in the hook function to guard against nested calls. + For example: + + static int in_progress = 0; /* avoid recursion */ + if (in_progress) + return SUDO_HOOK_RET_NEXT; + in_progress = 1; + ... + in_progress = 0; + return SUDO_HOOK_RET_STOP; + + _H_o_o_k _A_P_I _V_e_r_s_i_o_n _M_a_c_r_o_s + + /* Hook API version major/minor */ + #define SUDO_HOOK_VERSION_MAJOR 1 + #define SUDO_HOOK_VERSION_MINOR 0 + #define SUDO_HOOK_VERSION SUDO_API_MKVERSION(SUDO_HOOK_VERSION_MAJOR,\ + SUDO_HOOK_VERSION_MINOR) + + For getters and setters see the _P_o_l_i_c_y _p_l_u_g_i_n _A_P_I. + + RReemmoottee ccoommmmaanndd eexxeeccuuttiioonn + The ssuuddoo front end does not have native support for running remote + commands. However, starting with ssuuddoo 1.8.8, the --hh option may be used + to specify a remote host that is passed to the policy plugin. A plugin + may also accept a _r_u_n_a_s___u_s_e_r in the form of "user@hostname" which will + work with older versions of ssuuddoo. It is anticipated that remote commands + will be supported by executing a "helper" program. The policy plugin + should setup the execution environment such that the ssuuddoo front end will + run the helper which, in turn, will connect to the remote host and run + the command. + + For example, the policy plugin could utilize sssshh to perform remote + command execution. The helper program would be responsible for running + sssshh with the proper options to use a private key or certificate that the + remote host will accept and run a program on the remote host that would + setup the execution environment accordingly. + + Note that remote ssuuddooeeddiitt functionality must be handled by the policy + plugin, not ssuuddoo itself as the front end has no knowledge that a remote + command is being executed. This may be addressed in a future revision of + the plugin API. + + CCoonnvveerrssaattiioonn AAPPII + If the plugin needs to interact with the user, it may do so via the + ccoonnvveerrssaattiioonn() function. A plugin should not attempt to read directly + from the standard input or the user's tty (neither of which are + guaranteed to exist). The caller must include a trailing newline in msg + if one is to be printed. + + A pprriinnttff()-style function is also available that can be used to display + informational or error messages to the user, which is usually more + convenient for simple messages where no use input is required. + + _C_o_n_v_e_r_s_a_t_i_o_n _f_u_n_c_t_i_o_n _s_t_r_u_c_t_u_r_e_s + + The conversation function takes as arguments pointers to the following + structures: + + struct sudo_conv_message { + #define SUDO_CONV_PROMPT_ECHO_OFF 0x0001 /* do not echo user input */ + #define SUDO_CONV_PROMPT_ECHO_ON 0x0002 /* echo user input */ + #define SUDO_CONV_ERROR_MSG 0x0003 /* error message */ + #define SUDO_CONV_INFO_MSG 0x0004 /* informational message */ + #define SUDO_CONV_PROMPT_MASK 0x0005 /* mask user input */ + #define SUDO_CONV_PROMPT_ECHO_OK 0x1000 /* flag: allow echo if no tty */ + #define SUDO_CONV_PREFER_TTY 0x2000 /* flag: use tty if possible */ + int msg_type; + int timeout; + const char *msg; + }; + + #define SUDO_CONV_REPL_MAX 255 + + struct sudo_conv_reply { + char *reply; + }; + + typedef int (*sudo_conv_callback_fn_t)(int signo, void *closure); + struct sudo_conv_callback { + unsigned int version; + void *closure; + sudo_conv_callback_fn_t on_suspend; + sudo_conv_callback_fn_t on_resume; + }; + + Pointers to the ccoonnvveerrssaattiioonn() and pprriinnttff()-style functions are passed in + to the plugin's ooppeenn() function when the plugin is initialized. The + following type definitions can be used in the declaration of the ooppeenn() + function: + + typedef int (*sudo_conv_t)(int num_msgs, + const struct sudo_conv_message msgs[], + struct sudo_conv_reply replies[], + struct sudo_conv_callback *callback); + + typedef int (*sudo_printf_t)(int msg_type, const char *fmt, ...); + + To use the ccoonnvveerrssaattiioonn() function, the plugin must pass an array of + sudo_conv_message and sudo_conv_reply structures. There must be a struct + sudo_conv_message and struct sudo_conv_reply for each message in the + conversation, that is, both arrays must have the same number of elements. + Each struct sudo_conv_reply must have its _r_e_p_l_y member initialized to + NULL. The struct sudo_conv_callback pointer, if not NULL, should contain + function pointers to be called when the ssuuddoo process is suspended and/or + resumed during conversation input. The _o_n___s_u_s_p_e_n_d and _o_n___r_e_s_u_m_e + functions are called with the signal that caused ssuuddoo to be suspended and + the _c_l_o_s_u_r_e pointer from the struct sudo_conv_callback. These functions + should return 0 on success and -1 on error. On error, the conversation + will end and the conversation function will return a value of -1. The + intended use is to allow the plugin to release resources, such as locks, + that should not be held indefinitely while suspended and then reacquire + them when the process is resumed. Note that the functions are not + actually invoked from within a signal handler. + + The _m_s_g___t_y_p_e must be set to one of the following values: + + SUDO_CONV_PROMPT_ECHO_OFF + Prompt the user for input with echo disabled; this is generally + used for passwords. The reply will be stored in the _r_e_p_l_i_e_s array, + and it will never be NULL. + + SUDO_CONV_PROMPT_ECHO_ON + Prompt the user for input with echo enabled. The reply will be + stored in the _r_e_p_l_i_e_s array, and it will never be NULL. + + SUDO_CONV_ERROR_MSG + Display an error message. The message is written to the standard + error unless the SUDO_CONV_PREFER_TTY flag is set, in which case it + is written to the user's terminal if possible. + + SUDO_CONV_INFO_MSG + Display a message. The message is written to the standard output + unless the SUDO_CONV_PREFER_TTY flag is set, in which case it is + written to the user's terminal if possible. + + SUDO_CONV_PROMPT_MASK + Prompt the user for input but echo an asterisk character for each + character read. The reply will be stored in the _r_e_p_l_i_e_s array, and + it will never be NULL. This can be used to provide visual feedback + to the user while reading sensitive information that should not be + displayed. + + In addition to the above values, the following flag bits may also be set: + + SUDO_CONV_PROMPT_ECHO_OK + Allow input to be read when echo cannot be disabled when the + message type is SUDO_CONV_PROMPT_ECHO_OFF or SUDO_CONV_PROMPT_MASK. + By default, ssuuddoo will refuse to read input if the echo cannot be + disabled for those message types. + + SUDO_CONV_PREFER_TTY + When displaying a message via SUDO_CONV_ERROR_MSG or + SUDO_CONV_INFO_MSG, try to write the message to the user's + terminal. If the terminal is unavailable, the standard error or + standard output will be used, depending upon whether The user's + terminal is always used when possible for input, this flag is only + used for output. SUDO_CONV_ERROR_MSG or SUDO_CONV_INFO_MSG was + used. + + The _t_i_m_e_o_u_t in seconds until the prompt will wait for no more input. A + zero value implies an infinite timeout. + + The plugin is responsible for freeing the reply buffer located in each + struct sudo_conv_reply, if it is not NULL. SUDO_CONV_REPL_MAX represents + the maximum length of the reply buffer (not including the trailing NUL + character). In practical terms, this is the longest password ssuuddoo will + support. It is also useful as a maximum value for the mmeemmsseett__ss() + function when clearing passwords filled in by the conversation function. + + The pprriinnttff()-style function uses the same underlying mechanism as the + ccoonnvveerrssaattiioonn() function but only supports SUDO_CONV_INFO_MSG and + SUDO_CONV_ERROR_MSG for the _m_s_g___t_y_p_e parameter. It can be more + convenient than using the ccoonnvveerrssaattiioonn() function if no user reply is + needed and supports standard pprriinnttff() escape sequences. + + See the sample plugin for an example of the ccoonnvveerrssaattiioonn() function + usage. + + SSuuddooeerrss ggrroouupp pplluuggiinn AAPPII + The ssuuddooeerrss plugin supports its own plugin interface to allow non-Unix + group lookups. This can be used to query a group source other than the + standard Unix group database. Two sample group plugins are bundled with + ssuuddoo, _g_r_o_u_p___f_i_l_e and _s_y_s_t_e_m___g_r_o_u_p, are detailed in sudoers(4). Third + party group plugins include a QAS AD plugin available from Quest + Software. + + A group plugin must declare and populate a sudoers_group_plugin struct in + the global scope. This structure contains pointers to the functions that + implement plugin initialization, cleanup and group lookup. + + struct sudoers_group_plugin { + unsigned int version; + int (*init)(int version, sudo_printf_t sudo_printf, + char *const argv[]); + void (*cleanup)(void); + int (*query)(const char *user, const char *group, + const struct passwd *pwd); + }; + + The sudoers_group_plugin struct has the following fields: + + version + The version field should be set to GROUP_API_VERSION. + + This allows ssuuddooeerrss to determine the API version the group plugin + was built against. + + init + int (*init)(int version, sudo_printf_t plugin_printf, + char *const argv[]); + + The iinniitt() function is called after _s_u_d_o_e_r_s has been parsed but + before any policy checks. It returns 1 on success, 0 on failure + (or if the plugin is not configured), and -1 if a error occurred. + If an error occurs, the plugin may call the pplluuggiinn__pprriinnttff() + function with SUDO_CONF_ERROR_MSG to present additional error + information to the user. + + The function arguments are as follows: + + version + The version passed in by ssuuddooeerrss allows the plugin to + determine the major and minor version number of the group + plugin API supported by ssuuddooeerrss. + + plugin_printf + A pointer to a pprriinnttff()-style function that may be used to + display informational or error message to the user. Returns + the number of characters printed on success and -1 on + failure. + + argv A NULL-terminated array of arguments generated from the + _g_r_o_u_p___p_l_u_g_i_n option in _s_u_d_o_e_r_s. If no arguments were given, + _a_r_g_v will be NULL. + + cleanup + void (*cleanup)(); + + The cclleeaannuupp() function is called when ssuuddooeerrss has finished its + group checks. The plugin should free any memory it has allocated + and close open file handles. + + query + int (*query)(const char *user, const char *group, + const struct passwd *pwd); + + The qquueerryy() function is used to ask the group plugin whether _u_s_e_r + is a member of _g_r_o_u_p. + + The function arguments are as follows: + + user The name of the user being looked up in the external group + database. + + group + The name of the group being queried. + + pwd The password database entry for _u_s_e_r, if any. If _u_s_e_r is not + present in the password database, _p_w_d will be NULL. + + _G_r_o_u_p _A_P_I _V_e_r_s_i_o_n _M_a_c_r_o_s + + /* Sudoers group plugin version major/minor */ + #define GROUP_API_VERSION_MAJOR 1 + #define GROUP_API_VERSION_MINOR 0 + #define GROUP_API_VERSION ((GROUP_API_VERSION_MAJOR << 16) | \ + GROUP_API_VERSION_MINOR) + For getters and setters see the _P_o_l_i_c_y _p_l_u_g_i_n _A_P_I. + +PPLLUUGGIINN AAPPII CCHHAANNGGEELLOOGG + The following revisions have been made to the Sudo Plugin API. + + Version 1.0 + Initial API version. + + Version 1.1 (sudo 1.8.0) + The I/O logging plugin's ooppeenn() function was modified to take the + command_info list as an argument. + + Version 1.2 (sudo 1.8.5) + The Policy and I/O logging plugins' ooppeenn() functions are now passed + a list of plugin parameters if any are specified in sudo.conf(4). + + A simple hooks API has been introduced to allow plugins to hook in + to the system's environment handling functions. + + The init_session Policy plugin function is now passed a pointer to + the user environment which can be updated as needed. This can be + used to merge in environment variables stored in the PAM handle + before a command is run. + + Version 1.3 (sudo 1.8.7) + Support for the _e_x_e_c___b_a_c_k_g_r_o_u_n_d entry has been added to the + command_info list. + + The _m_a_x___g_r_o_u_p_s and _p_l_u_g_i_n___d_i_r entries were added to the settings + list. + + The vveerrssiioonn() and cclloossee() functions are now optional. Previously, + a missing vveerrssiioonn() or cclloossee() function would result in a crash. + If no policy plugin cclloossee() function is defined, a default cclloossee() + function will be provided by the ssuuddoo front end that displays a + warning if the command could not be executed. + + The ssuuddoo front end now installs default signal handlers to trap + common signals while the plugin functions are run. + + Version 1.4 (sudo 1.8.8) + The _r_e_m_o_t_e___h_o_s_t entry was added to the settings list. + + Version 1.5 (sudo 1.8.9) + The _p_r_e_s_e_r_v_e___f_d_s entry was added to the command_info list. + + Version 1.6 (sudo 1.8.11) + The behavior when an I/O logging plugin returns an error (-1) has + changed. Previously, the ssuuddoo front end took no action when the + lloogg__ttttyyiinn(), lloogg__ttttyyoouutt(), lloogg__ssttddiinn(), lloogg__ssttddoouutt(), or + lloogg__ssttddeerrrr() function returned an error. + + The behavior when an I/O logging plugin returns 0 has changed. + Previously, output from the command would be displayed to the + terminal even if an output logging function returned 0. + + Version 1.7 (sudo 1.8.12) + The _p_l_u_g_i_n___p_a_t_h entry was added to the settings list. + + The _d_e_b_u_g___f_l_a_g_s entry now starts with a debug file path name and + may occur multiple times if there are multiple plugin-specific + Debug lines in the sudo.conf(4) file. + + Version 1.8 (sudo 1.8.15) + The _s_u_d_o_e_d_i_t___c_h_e_c_k_d_i_r and _s_u_d_o_e_d_i_t___f_o_l_l_o_w entries were added to the + command_info list. The default value of _s_u_d_o_e_d_i_t___c_h_e_c_k_d_i_r was + changed to true in sudo 1.8.16. + + The sudo _c_o_n_v_e_r_s_a_t_i_o_n function now takes a pointer to a struct + sudo_conv_callback as its fourth argument. The sudo_conv_t + definition has been updated to match. The plugin must specify that + it supports plugin API version 1.8 or higher to receive a + conversation function pointer that supports this argument. + + Version 1.9 (sudo 1.8.16) + The _e_x_e_c_f_d entry was added to the command_info list. + + Version 1.10 (sudo 1.8.19) + The _u_m_a_s_k entry was added to the user_info list. The _i_o_l_o_g___g_r_o_u_p, + _i_o_l_o_g___m_o_d_e, and _i_o_l_o_g___u_s_e_r entries were added to the command_info + list. + + Version 1.11 (sudo 1.8.20) + The _t_i_m_e_o_u_t entry was added to the settings list. + + Version 1.12 (sudo 1.8.21) + The change_winsize field was added to the io_plugin struct. + + Version 1.13 (sudo 1.8.26) + The log_suspend field was added to the io_plugin struct. + +SSEEEE AALLSSOO + sudo.conf(4), sudoers(4), sudo(1m) + +AAUUTTHHOORRSS + Many people have worked on ssuuddoo over the years; this version consists of + code written primarily by: + + Todd C. Miller + + See the CONTRIBUTORS file in the ssuuddoo distribution + (https://www.sudo.ws/contributors.html) for an exhaustive list of people + who have contributed to ssuuddoo. + +BBUUGGSS + If you feel you have found a bug in ssuuddoo, please submit a bug report at + https://bugzilla.sudo.ws/ + +SSUUPPPPOORRTT + Limited free support is available via the sudo-users mailing list, see + https://www.sudo.ws/mailman/listinfo/sudo-users to subscribe or search + the archives. + +DDIISSCCLLAAIIMMEERR + ssuuddoo is provided "AS IS" and any express or implied warranties, + including, but not limited to, the implied warranties of merchantability + and fitness for a particular purpose are disclaimed. See the LICENSE + file distributed with ssuuddoo or https://www.sudo.ws/license.html for + complete details. + +Sudo 1.8.26 October 24, 2018 Sudo 1.8.26 |