Diffstat (limited to '')
-rw-r--r--  doc/sudo.conf.cat  434
1 files changed, 434 insertions, 0 deletions
diff --git a/doc/sudo.conf.cat b/doc/sudo.conf.cat new file mode 100644 index 0000000..b43217b --- /dev/null +++ b/doc/sudo.conf.cat 
@@ -0,0 +1,434 @@ +SUDO.CONF(4) File Formats Manual SUDO.CONF(4) + +NNAAMMEE + ssuuddoo..ccoonnff - configuration for sudo front end + +DDEESSCCRRIIPPTTIIOONN + The ssuuddoo..ccoonnff file is used to configure the ssuuddoo front end. It specifies + the security policy and I/O logging plugins, debug flags as well as + plugin-agnostic path names and settings. + + The ssuuddoo..ccoonnff file supports the following directives, described in detail + below. + + Plugin a security policy or I/O logging plugin + + Path a plugin-agnostic path + + Set a front end setting, such as _d_i_s_a_b_l_e___c_o_r_e_d_u_m_p or _g_r_o_u_p___s_o_u_r_c_e + + Debug debug flags to aid in debugging ssuuddoo, ssuuddoorreeppllaayy, vviissuuddoo, and + the ssuuddooeerrss plugin. + + The pound sign (`#') is used to indicate a comment. Both the comment + character and any text after it, up to the end of the line, are ignored. + + Long lines can be continued with a backslash (`\') as the last character + on the line. Note that leading white space is removed from the beginning + of lines even when the continuation character is used. + + Non-comment lines that don't begin with Plugin, Path, Debug, or Set are + silently ignored. + + The ssuuddoo..ccoonnff file is always parsed in the "C" locale. + + PPlluuggiinn ccoonnffiigguurraattiioonn + ssuuddoo supports a plugin architecture for security policies and + input/output logging. Third parties can develop and distribute their own + policy and I/O logging plugins to work seamlessly with the ssuuddoo front + end. Plugins are dynamically loaded based on the contents of ssuuddoo..ccoonnff. + + A Plugin line consists of the Plugin keyword, followed by the _s_y_m_b_o_l___n_a_m_e + and the _p_a_t_h to the dynamic shared object that contains the plugin. The + _s_y_m_b_o_l___n_a_m_e is the name of the struct policy_plugin or struct io_plugin + symbol contained in the plugin. The _p_a_t_h may be fully qualified or + relative. 
If not fully qualified, it is relative to the directory + specified by the _p_l_u_g_i_n___d_i_r Path setting, which defaults to + _/_u_s_r_/_l_o_c_a_l_/_l_i_b_e_x_e_c_/_s_u_d_o. In other words: + + Plugin sudoers_policy sudoers.so + + is equivalent to: + + Plugin sudoers_policy /usr/local/libexec/sudo/sudoers.so + + If the plugin was compiled statically into the ssuuddoo binary instead of + being installed as a dynamic shared object, the _p_a_t_h should be specified + without a leading directory, as it does not actually exist in the file + system. For example: + + Plugin sudoers_policy sudoers.so + + Starting with ssuuddoo 1.8.5, any additional parameters after the _p_a_t_h are + passed as arguments to the plugin's _o_p_e_n function. For example, to + override the compile-time default sudoers file mode: + + Plugin sudoers_policy sudoers.so sudoers_mode=0440 + + See the sudoers(4) manual for a list of supported arguments. + + The same dynamic shared object may contain multiple plugins, each with a + different symbol name. The file must be owned by uid 0 and only writable + by its owner. Because of ambiguities that arise from composite policies, + only a single policy plugin may be specified. This limitation does not + apply to I/O plugins. + + If no ssuuddoo..ccoonnff file is present, or if it contains no Plugin lines, the + ssuuddooeerrss plugin will be used as the default security policy and for I/O + logging (if enabled by the policy). This is equivalent to the following: + + Plugin sudoers_policy sudoers.so + Plugin sudoers_io sudoers.so + + For more information on the ssuuddoo plugin architecture, see the + sudo_plugin(4) manual. + + PPaatthh sseettttiinnggss + A Path line consists of the Path keyword, followed by the name of the + path to set and its value. For example: + + Path noexec /usr/local/libexec/sudo/sudo_noexec.so + Path askpass /usr/X11R6/bin/ssh-askpass + + If no path name is specified, features relying on the specified setting + will be disabled. 
Disabling Path settings is only supported in ssuuddoo + version 1.8.16 and higher. + + The following plugin-agnostic paths may be set in the _/_e_t_c_/_s_u_d_o_._c_o_n_f + file: + + askpass The fully qualified path to a helper program used to read the + user's password when no terminal is available. This may be the + case when ssuuddoo is executed from a graphical (as opposed to + text-based) application. The program specified by _a_s_k_p_a_s_s + should display the argument passed to it as the prompt and + write the user's password to the standard output. The value of + _a_s_k_p_a_s_s may be overridden by the SUDO_ASKPASS environment + variable. + + devsearch + An ordered, colon-separated search path of directories to look + in for device nodes. This is used when mapping the process's + tty device number to a device name on systems that do not + provide such a mechanism. Sudo will _n_o_t recurse into sub- + directories. If terminal devices may be located in a sub- + directory of _/_d_e_v, that path must be explicitly listed in + _d_e_v_s_e_a_r_c_h. The default value is: + /dev/pts:/dev/vt:/dev/term:/dev/zcons:/dev/pty:/dev + + This option is ignored on systems that support either the + ddeevvnnaammee() or __ttttyynnaammee__ddeevv() functions, for example BSD, macOS + and Solaris. + + noexec The fully-qualified path to a shared library containing + wrappers for the eexxeeccll(), eexxeeccllee(), eexxeeccllpp(), eexxeecctt(), eexxeeccvv(), + eexxeeccvvee(), eexxeeccvvPP(), eexxeeccvvpp(), eexxeeccvvppee(), ffeexxeeccvvee(), ppooppeenn(), + ppoossiixx__ssppaawwnn(), ppoossiixx__ssppaawwnnpp(), ssyysstteemm(), and wwoorrddeexxpp() library + functions that prevent the execution of further commands. This + is used to implement the _n_o_e_x_e_c functionality on systems that + support LD_PRELOAD or its equivalent. The default value is: + _/_u_s_r_/_l_o_c_a_l_/_l_i_b_e_x_e_c_/_s_u_d_o_/_s_u_d_o___n_o_e_x_e_c_._s_o. 
+ + plugin_dir + The default directory to use when searching for plugins that + are specified without a fully qualified path name. The default + value is _/_u_s_r_/_l_o_c_a_l_/_l_i_b_e_x_e_c_/_s_u_d_o. + + sesh The fully-qualified path to the sseesshh binary. This setting is + only used when ssuuddoo is built with SELinux support. The default + value is _/_u_s_r_/_l_o_c_a_l_/_l_i_b_e_x_e_c_/_s_u_d_o_/_s_e_s_h. + + OOtthheerr sseettttiinnggss + The ssuuddoo..ccoonnff file also supports the following front end settings: + + disable_coredump + Core dumps of ssuuddoo itself are disabled by default to prevent + the disclosure of potentially sensitive information. To aid in + debugging ssuuddoo crashes, you may wish to re-enable core dumps by + setting "disable_coredump" to false in ssuuddoo..ccoonnff as follows: + + Set disable_coredump false + + All modern operating systems place restrictions on core dumps + from setuid processes like ssuuddoo so this option can be enabled + without compromising security. To actually get a ssuuddoo core + file you will likely need to enable core dumps for setuid + processes. On BSD and Linux systems this is accomplished in + the sysctl(1m) command. On Solaris, the coreadm(1m) command is + used to configure core dump behavior. + + This setting is only available in ssuuddoo version 1.8.4 and + higher. + + group_source + ssuuddoo passes the invoking user's group list to the policy and + I/O plugins. On most systems, there is an upper limit to the + number of groups that a user may belong to simultaneously + (typically 16 for compatibility with NFS). On systems with the + getconf(1) utility, running: + getconf NGROUPS_MAX + will return the maximum number of groups. + + However, it is still possible to be a member of a larger number + of groups--they simply won't be included in the group list + returned by the kernel for the user. 
Starting with ssuuddoo + version 1.8.7, if the user's kernel group list has the maximum + number of entries, ssuuddoo will consult the group database + directly to determine the group list. This makes it possible + for the security policy to perform matching by group name even + when the user is a member of more than the maximum number of + groups. + + The _g_r_o_u_p___s_o_u_r_c_e setting allows the administrator to change + this default behavior. Supported values for _g_r_o_u_p___s_o_u_r_c_e are: + + static Use the static group list that the kernel returns. + Retrieving the group list this way is very fast but + it is subject to an upper limit as described above. + It is "static" in that it does not reflect changes to + the group database made after the user logs in. This + was the default behavior prior to ssuuddoo 1.8.7. + + dynamic Always query the group database directly. It is + "dynamic" in that changes made to the group database + after the user logs in will be reflected in the group + list. On some systems, querying the group database + for all of a user's groups can be time consuming when + querying a network-based group database. Most + operating systems provide an efficient method of + performing such queries. Currently, ssuuddoo supports + efficient group queries on AIX, BSD, HP-UX, Linux and + Solaris. + + adaptive Only query the group database if the static group + list returned by the kernel has the maximum number of + entries. This is the default behavior in ssuuddoo 1.8.7 + and higher. + + For example, to cause ssuuddoo to only use the kernel's static list + of groups for the user: + + Set group_source static + + This setting is only available in ssuuddoo version 1.8.7 and + higher. + + max_groups + The maximum number of user groups to retrieve from the group + database. Values less than one will be ignored. This setting + is only used when querying the group database directly. 
It is + intended to be used on systems where it is not possible to + detect when the array to be populated with group entries is not + sufficiently large. By default, ssuuddoo will allocate four times + the system's maximum number of groups (see above) and retry + with double that number if the group database query fails. + + This setting is only available in ssuuddoo version 1.8.7 and + higher. It should not be required in ssuuddoo versions 1.8.24 and + higher and may be removed in a later release. + + probe_interfaces + By default, ssuuddoo will probe the system's network interfaces and + pass the IP address of each enabled interface to the policy + plugin. This makes it possible for the plugin to match rules + based on the IP address without having to query DNS. On Linux + systems with a large number of virtual interfaces, this may + take a non-negligible amount of time. If IP-based matching is + not required, network interface probing can be disabled as + follows: + + Set probe_interfaces false + + This setting is only available in ssuuddoo version 1.8.10 and + higher. + + DDeebbuugg ffllaaggss + ssuuddoo versions 1.8.4 and higher support a flexible debugging framework + that can help track down what ssuuddoo is doing internally if there is a + problem. + + A Debug line consists of the Debug keyword, followed by the name of the + program (or plugin) to debug (ssuuddoo, vviissuuddoo, ssuuddoorreeppllaayy, ssuuddooeerrss), the + debug file name and a comma-separated list of debug flags. The debug + flag syntax used by ssuuddoo and the ssuuddooeerrss plugin is _s_u_b_s_y_s_t_e_m@_p_r_i_o_r_i_t_y but + a plugin is free to use a different format so long as it does not include + a comma (`,'). + + For example: + + Debug sudo /var/log/sudo_debug all@warn,plugin@info + + would log all debugging statements at the _w_a_r_n level and higher in + addition to those at the _i_n_f_o level for the plugin subsystem. 
+ + As of ssuuddoo 1.8.12, multiple Debug entries may be specified per program. + Older versions of ssuuddoo only support a single Debug entry per program. + Plugin-specific Debug entries are also supported starting with ssuuddoo + 1.8.12 and are matched by either the base name of the plugin that was + loaded (for example sudoers.so) or by the plugin's fully-qualified path + name. Previously, the ssuuddooeerrss plugin shared the same Debug entry as the + ssuuddoo front end and could not be configured separately. + + The following priorities are supported, in order of decreasing severity: + _c_r_i_t, _e_r_r, _w_a_r_n, _n_o_t_i_c_e, _d_i_a_g, _i_n_f_o, _t_r_a_c_e and _d_e_b_u_g. Each priority, + when specified, also includes all priorities higher than it. For + example, a priority of _n_o_t_i_c_e would include debug messages logged at + _n_o_t_i_c_e and higher. + + The priorities _t_r_a_c_e and _d_e_b_u_g also include function call tracing which + logs when a function is entered and when it returns. For example, the + following trace is for the ggeett__uusseerr__ggrroouuppss() function located in + src/sudo.c: + + sudo[123] -> get_user_groups @ src/sudo.c:385 + sudo[123] <- get_user_groups @ src/sudo.c:429 := groups=10,0,5 + + When the function is entered, indicated by a right arrow `->', the + program, process ID, function, source file and line number are logged. + When the function returns, indicated by a left arrow `<-', the same + information is logged along with the return value. In this case, the + return value is a string. 
+ + The following subsystems are used by the ssuuddoo front-end: + + _a_l_l matches every subsystem + + _a_r_g_s command line argument processing + + _c_o_n_v user conversation + + _e_d_i_t sudoedit + + _e_v_e_n_t event subsystem + + _e_x_e_c command execution + + _m_a_i_n ssuuddoo main function + + _n_e_t_i_f network interface handling + + _p_c_o_m_m communication with the plugin + + _p_l_u_g_i_n plugin configuration + + _p_t_y pseudo-tty related code + + _s_e_l_i_n_u_x SELinux-specific handling + + _u_t_i_l utility functions + + _u_t_m_p utmp handling + + The sudoers(4) plugin includes support for additional subsystems. + +FFIILLEESS + _/_e_t_c_/_s_u_d_o_._c_o_n_f ssuuddoo front end configuration + +EEXXAAMMPPLLEESS + # + # Default /etc/sudo.conf file + # + # Format: + # Plugin plugin_name plugin_path plugin_options ... + # Path askpass /path/to/askpass + # Path noexec /path/to/sudo_noexec.so + # Debug sudo /var/log/sudo_debug all@warn + # Set disable_coredump true + # + # The plugin_path is relative to /usr/local/libexec/sudo unless + # fully qualified. + # The plugin_name corresponds to a global symbol in the plugin + # that contains the plugin interface structure. + # The plugin_options are optional. + # + # The sudoers plugin is used by default if no Plugin lines are + # present. + Plugin sudoers_policy sudoers.so + Plugin sudoers_io sudoers.so + + # + # Sudo askpass: + # + # An askpass helper program may be specified to provide a graphical + # password prompt for "sudo -A" support. Sudo does not ship with + # its own askpass program but can use the OpenSSH askpass. + # + # Use the OpenSSH askpass + #Path askpass /usr/X11R6/bin/ssh-askpass + # + # Use the Gnome OpenSSH askpass + #Path askpass /usr/libexec/openssh/gnome-ssh-askpass + + # + # Sudo noexec: + # + # Path to a shared library containing dummy versions of the execv(), + # execve() and fexecve() library functions that just return an error. 
+ # This is used to implement the "noexec" functionality on systems that + # support C<LD_PRELOAD> or its equivalent. + # The compiled-in value is usually sufficient and should only be + # changed if you rename or move the sudo_noexec.so file. + # + #Path noexec /usr/local/libexec/sudo/sudo_noexec.so + + # + # Core dumps: + # + # By default, sudo disables core dumps while it is executing + # (they are re-enabled for the command that is run). + # To aid in debugging sudo problems, you may wish to enable core + # dumps by setting "disable_coredump" to false. + # + #Set disable_coredump false + + # + # User groups: + # + # Sudo passes the user's group list to the policy plugin. + # If the user is a member of the maximum number of groups (usually 16), + # sudo will query the group database directly to be sure to include + # the full list of groups. + # + # On some systems, this can be expensive so the behavior is configurable. + # The "group_source" setting has three possible values: + # static - use the user's list of groups returned by the kernel. + # dynamic - query the group database to find the list of groups. + # adaptive - if user is in less than the maximum number of groups. + # use the kernel list, else query the group database. + # + #Set group_source static + +SSEEEE AALLSSOO + sudo_plugin(4), sudoers(4), sudo(1m) + +HHIISSTTOORRYY + See the HISTORY file in the ssuuddoo distribution + (https://www.sudo.ws/history.html) for a brief history of sudo. + +AAUUTTHHOORRSS + Many people have worked on ssuuddoo over the years; this version consists of + code written primarily by: + + Todd C. Miller + + See the CONTRIBUTORS file in the ssuuddoo distribution + (https://www.sudo.ws/contributors.html) for an exhaustive list of people + who have contributed to ssuuddoo. 
+ +BBUUGGSS + If you feel you have found a bug in ssuuddoo, please submit a bug report at + https://bugzilla.sudo.ws/ + +SSUUPPPPOORRTT + Limited free support is available via the sudo-users mailing list, see + https://www.sudo.ws/mailman/listinfo/sudo-users to subscribe or search + the archives. + +DDIISSCCLLAAIIMMEERR + ssuuddoo is provided "AS IS" and any express or implied warranties, + including, but not limited to, the implied warranties of merchantability + and fitness for a particular purpose are disclaimed. See the LICENSE + file distributed with ssuuddoo or https://www.sudo.ws/license.html for + complete details. + +Sudo 1.8.26 October 7, 2018 Sudo 1.8.26 |
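Review bot: the EXAMPLES section of the new sudo.conf.cat carries unrendered POD markup in the noexec comment, `# support C<LD_PRELOAD> or its equivalent.`, which should read plain `LD_PRELOAD` in the catted output; because this is generated formatted text, the leak is in the mdoc/man source the .cat is built from, so fix it there and regenerate rather than hand-editing the .cat file. The same example comment describes sudo_noexec.so as holding "dummy versions of the execv(), execve() and fexecve() library functions", whereas the DESCRIPTION's noexec entry earlier in this same file lists execl(), execle(), execlp(), exect(), execv(), execve(), execvP(), execvp(), execvpe(), fexecve(), popen(), posix_spawn(), posix_spawnp(), system(), and wordexp(); the two lists should agree, or the example should just point at the DESCRIPTION, so an administrator checking what noexec actually intercepts is not misled by the shorter list. Minor: the "adaptive" line in the group_source example, `#   adaptive - if user is in less than the maximum number of groups.`, has a stray full stop that splits one sentence ("... groups, use the kernel list, else query the group database.") into two.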