From ae581a19fbe896a797450b9d9573fb66f2735227 Mon Sep 17 00:00:00 2001 From: Daniel Baumann Date: Sun, 7 Apr 2024 16:37:38 +0200 Subject: Adding upstream version 1.9.13p3. Signed-off-by: Daniel Baumann --- examples/Makefile.in | 137 +++++++++++++++++++++++ examples/cvtsudoers.conf | 82 ++++++++++++++ examples/pam.conf | 30 +++++ examples/sudo.conf.in | 131 ++++++++++++++++++++++ examples/sudo_logsrvd.conf.in | 251 ++++++++++++++++++++++++++++++++++++++++++ examples/sudoers.in | 133 ++++++++++++++++++++++ examples/syslog.conf.in | 26 +++++ 7 files changed, 790 insertions(+) create mode 100644 examples/Makefile.in create mode 100644 examples/cvtsudoers.conf create mode 100644 examples/pam.conf create mode 100644 examples/sudo.conf.in create mode 100644 examples/sudo_logsrvd.conf.in create mode 100644 examples/sudoers.in create mode 100644 examples/syslog.conf.in (limited to 'examples') diff --git a/examples/Makefile.in b/examples/Makefile.in new file mode 100644 index 0000000..706e6cc --- /dev/null +++ b/examples/Makefile.in @@ -0,0 +1,137 @@ +# +# SPDX-License-Identifier: ISC +# +# Copyright (c) 2014, 2017-2022 Todd C. Miller +# +# Permission to use, copy, modify, and distribute this software for any +# purpose with or without fee is hereby granted, provided that the above +# copyright notice and this permission notice appear in all copies. +# +# THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES +# WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF +# MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR +# ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES +# WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN +# ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF +# OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. +# +# @configure_input@ +# + +#### Start of system configuration section. #### + +srcdir = @srcdir@ +abs_srcdir = @abs_srcdir@ +top_srcdir = @top_srcdir@ +abs_top_srcdir = @abs_top_srcdir@ +top_builddir = @top_builddir@ +abs_top_builddir = @abs_top_builddir@ +exampledir = @exampledir@ +docdir = @docdir@ +scriptdir = $(top_srcdir)/scripts + +# Our install program supports extra flags... +INSTALL = $(SHELL) $(scriptdir)/install-sh -c +INSTALL_OWNER = -o $(install_uid) -g $(install_gid) + +# Where to install things... +prefix = @prefix@ +exec_prefix = @exec_prefix@ +bindir = @bindir@ +sbindir = @sbindir@ +sysconfdir = @sysconfdir@ +libexecdir = @libexecdir@ +datarootdir = @datarootdir@ +localstatedir = @localstatedir@ + +# User and group ids the installed files should be "owned" by +install_uid = 0 +install_gid = 0 + +#### End of system configuration section. #### + +SHELL = @SHELL@ + +LOGSRVD_CONF = @LOGSRVD_CONF@ + +EXAMPLES = $(srcdir)/cvtsudoers.conf $(srcdir)/pam.conf sudo.conf \ + $(LOGSRVD_CONF) sudoers syslog.conf + +VERSION = @PACKAGE_VERSION@ +PACKAGE_TARNAME = @PACKAGE_TARNAME@ + +all: $(EXAMPLES) + +depend: + +Makefile: $(srcdir)/Makefile.in + cd $(top_builddir) && ./config.status --file examples/Makefile + +sudoers: $(srcdir)/sudoers.in + cd $(top_builddir) && ./config.status --file examples/sudoers + +sudo.conf: $(srcdir)/sudo.conf.in + cd $(top_builddir) && ./config.status --file examples/sudo.conf + +sudo_logsrvd.conf: $(srcdir)/sudo_logsrvd.conf.in + cd $(top_builddir) && ./config.status --file examples/sudo_logsrvd.conf + +syslog.conf: $(srcdir)/syslog.conf.in + cd $(top_builddir) && ./config.status --file examples/syslog.conf + +pre-install: + +install: install-doc + +install-dirs: + $(SHELL) $(scriptdir)/mkinstalldirs $(DESTDIR)$(exampledir) + +install-binaries: + +install-includes: + +install-doc: install-dirs + for f in $(EXAMPLES); do $(INSTALL) $(INSTALL_OWNER) -m 0644 $$f $(DESTDIR)$(exampledir); done + test -r $(DESTDIR)$(sysconfdir)/sudo.conf || \ + $(INSTALL) $(INSTALL_OWNER) -m 0644 sudo.conf $(DESTDIR)$(sysconfdir) + if test -n "$(LOGSRVD_CONF)" -a ! -r $(DESTDIR)$(sysconfdir)/sudo_logsrvd.conf; then \ + $(INSTALL) $(INSTALL_OWNER) -m 0644 $(LOGSRVD_CONF) $(DESTDIR)$(sysconfdir); \ + fi + +install-plugin: + +install-fuzzer: + +uninstall: + -rm -rf $(DESTDIR)$(exampledir) + +splint: + +cppcheck: + +pvs-log-files: + +pvs-studio: + +fuzz: + +check-fuzzer: + +check: check-fuzzer + +check-verbose: check + +clean: + +mostlyclean: clean + +distclean: clean + -rm -rf Makefile sudo.conf sudo_logsrvd.conf sudoers syslog.conf + +clobber: distclean + +realclean: distclean + +cleandir: distclean + +.PHONY: clean mostlyclean distclean cleandir clobber realclean diff --git a/examples/cvtsudoers.conf b/examples/cvtsudoers.conf new file mode 100644 index 0000000..3d21154 --- /dev/null +++ b/examples/cvtsudoers.conf @@ -0,0 +1,82 @@ +# +# Example /etc/cvtsudoers.conf file +# +# This file is optional and allows you to override the cvtsudoers +# default values. +# + +# Only convert Defaults entries of the specified types. +# One or more Defaults types may be specified, separated by a comma (','). +# The supported types are: all, global, user, runas, host, command. +#defaults = all + +# Expand aliases in input_file. Aliases are preserved by +# default when the output format is JSON or sudoers. +#expand_aliases = no + +# Use an alternate group file. When "match_local" is also enabled, perform +# group queries using the specified file instead of the system group database. +#group_file = /etc/group + +# Default input format. Only the sudoers and LDIF formats are supported. +#input_format = sudoers + +# Only output rules that match the specified filter. A filter expression +# is made up of one or more key = value pairs, separated by a comma (','). +# The key may be "cmnd" (or "cmd"), "host", "group", or "user". +#match = user=www,group=wheel + +# Match locally. If enabled, use password and group database information +# when matching users and groups in the filter. Only users and groups +# in the filter that exist on the local system will match, and a user's +# groups will automatically be added to the filter. By default, users and +# groups in the filter do not need to exist on the local system, but all +# groups used for matching must be explicitly listed in the filter. +#match_local = no + +# When generating LDIF output, increment each sudoOrder attribute by the +# specified number. Defaults to an increment of 1. +#order_increment = 1 + +# When generating LDIF output, use the number specified by "start_point" +# in the sudoOrder attribute of the first sudoRole object. Subsequent +# sudoRole object use a sudoOrder value generated by adding the +# increment set by "order_increment". Defaults to a starting point +# of 1. A starting point of 0 will disable the generation of sudoOrder +# attributes in the resulting LDIF file. +#order_start = 1 + +# Specify the default output format (case-insensitive). The following +# formats are supported: csv | json | ldif | sudoers. +# Defaults to LDIF. +#output_format = ldif + +# When generating LDIF output, construct the initial sudoOrder value +# by concatenating order_start and increment, padding the increment +# with zeros until it consists of padding digits. For example, if +# order_start is 1027, padding is 3, and increment is 1, the value +# of sudoOrder for the first entry will be 1027000, followed by +# 1027001, 1027002, etc. If the number of sudoRole entries is larger +# than the padding would allow, cvtsudoers will exit with an error. +# By default, no padding is performed. +#padding = 0 + +# Use an alternate passwd file. When "match_local" is also enabled, perform +# passwd queries using the specified file instead of the system passwd database. +#passwd_file = /etc/passwd + +# When "match_local" is also enabled, cvtsudoers will prune +# out non-matching users, groups and hosts from matching entries. +# Defaults to no. +#prune_matches = no + +# The base DN (distinguished name) that will be used when performing LDAP +# queries. If this option is not specified, the value of the SUDOERS_BASE +# environment variable will be used instead. +#sudoers_base = ou=SUDOers,dc=my-domain,dc=com + +# Suppress the output of specific sections of the security policy. +# One or more section names may be specified, separated by a comma (','). +# The supported section name are: defaults, aliases and privileges +# (which may be shortened to privs). +#suppress = defaults,aliases,privs diff --git a/examples/pam.conf b/examples/pam.conf new file mode 100644 index 0000000..d56e712 --- /dev/null +++ b/examples/pam.conf @@ -0,0 +1,30 @@ +#%PAM-1.0 +# Sample /etc/pam.d/sudo file for RedHat 9 / Fedora Core. +# For other Linux distributions you may want to +# use /etc/pam.d/sshd or /etc/pam.d/su as a guide. +# +# There are two basic ways to configure PAM, either via pam_stack +# or by explicitly specifying the various methods to use. +# +# Here we use pam_stack +auth required pam_stack.so service=system-auth +account required pam_stack.so service=system-auth +password required pam_stack.so service=system-auth +session required pam_stack.so service=system-auth +# +# Alternately, you can specify the authentication method directly. +# Here we use pam_unix for normal password authentication. +#auth required pam_env.so +#auth sufficient pam_unix.so +#account required pam_unix.so +#password required pam_cracklib.so retry=3 type= +#password required pam_unix.so nullok use_authtok md5 shadow +#session required pam_limits.so +#session required pam_unix.so +# +# Another option is to use SMB for authentication. +#auth required pam_env.so +#auth sufficient pam_smb_auth.so +#account required pam_smb_auth.so +#password required pam_smb_auth.so +#session required pam_limits.so diff --git a/examples/sudo.conf.in b/examples/sudo.conf.in new file mode 100644 index 0000000..2187457 --- /dev/null +++ b/examples/sudo.conf.in @@ -0,0 +1,131 @@ +# +# Default @sysconfdir@/sudo.conf file +# +# Sudo plugins: +# Plugin plugin_name plugin_path plugin_options ... +# +# The plugin_path is relative to @plugindir@ unless +# fully qualified. +# The plugin_name corresponds to a global symbol in the plugin +# that contains the plugin interface structure. +# The plugin_options are optional. +# +# The sudoers plugin is used by default if no Plugin lines are present. +#Plugin sudoers_policy @sudoers_plugin@ +#Plugin sudoers_io @sudoers_plugin@ +#Plugin sudoers_audit @sudoers_plugin@ + +# +# Sudo askpass: +# Path askpass /path/to/askpass +# +# An askpass helper program may be specified to provide a graphical +# password prompt for "sudo -A" support. Sudo does not ship with its +# own askpass program but can use the OpenSSH askpass. +# +# Use the OpenSSH askpass +#Path askpass /usr/X11R6/bin/ssh-askpass +# +# Use the Gnome OpenSSH askpass +#Path askpass /usr/libexec/openssh/gnome-ssh-askpass + +# +# Sudo device search path: +# Path devsearch /dev/path1:/dev/path2:/dev +# +# A colon-separated list of paths to check when searching for a user's +# terminal device. +# +#Path devsearch /dev/pts:/dev/vt:/dev/term:/dev/zcons:/dev/pty:/dev + +# +# Sudo command interception: +# Path intercept /path/to/sudo_intercept.so +# +# Path to a shared library containing replacements for the execv(), +# execve() and fexecve() library functions that perform a policy check +# to verify the command is allowed and simply return an error if not. +# This is used to implement the "intercept" functionality on systems that +# support LD_PRELOAD or its equivalent. +# +# The compiled-in value is usually sufficient and should only be changed +# if you rename or move the sudo_intercept.so file. +# +#Path intercept @intercept_file@ + +# +# Sudo noexec: +# Path noexec /path/to/sudo_noexec.so +# +# Path to a shared library containing replacements for the execv(), +# execve() and fexecve() library functions that just return an error. +# This is used to implement the "noexec" functionality on systems that +# support LD_PRELOAD or its equivalent. +# +# The compiled-in value is usually sufficient and should only be changed +# if you rename or move the sudo_noexec.so file. +# +#Path noexec @noexec_file@ + +# +# Sudo plugin directory: +# Path plugin_dir /path/to/plugins +# +# The default directory to use when searching for plugins that are +# specified without a fully qualified path name. +# +#Path plugin_dir @plugindir@ + +# +# Core dumps: +# Set disable_coredump true|false +# +# By default, sudo disables core dumps while it is executing (they +# are re-enabled for the command that is run). +# To aid in debugging sudo problems, you may wish to enable core +# dumps by setting "disable_coredump" to false. +# +#Set disable_coredump false + +# +# User groups: +# Set group_source static|dynamic|adaptive +# +# Sudo passes the user's group list to the policy plugin. +# If the user is a member of the maximum number of groups (usually 16), +# sudo will query the group database directly to be sure to include +# the full list of groups. +# +# On some systems, this can be expensive so the behavior is configurable. +# The "group_source" setting has three possible values: +# static - use the user's list of groups returned by the kernel. +# dynamic - query the group database to find the list of groups. +# adaptive - if user is in less than the maximum number of groups. +# use the kernel list, else query the group database. +# +#Set group_source static + +# +# Sudo interface probing: +# Set probe_interfaces true|false +# +# By default, sudo will probe the system's network interfaces and +# pass the IP address of each enabled interface to the policy plugin. +# On systems with a large number of virtual interfaces this may take +# a noticeable amount of time. +# +#Set probe_interfaces false + +# +# Sudo debug files: +# Debug program /path/to/debug_log subsystem@priority[,subsyste@priority] +# +# Sudo and related programs support logging debug information to a file. +# The program is typically sudo, sudoers.so, sudoreplay, or visudo. +# +# Subsystems vary based on the program; "all" matches all subsystems. +# Priority may be crit, err, warn, notice, diag, info, trace, or debug. +# Multiple subsystem@priority may be specified, separated by a comma. +# +#Debug sudo @log_dir@/sudo_debug all@debug +#Debug sudoers.so @log_dir@/sudoers_debug all@debug diff --git a/examples/sudo_logsrvd.conf.in b/examples/sudo_logsrvd.conf.in new file mode 100644 index 0000000..86fda90 --- /dev/null +++ b/examples/sudo_logsrvd.conf.in @@ -0,0 +1,251 @@ +# +# sudo logsrv daemon configuration +# + +[server] +# The host name or IP address and port to listen on with an optional TLS +# flag. If no port is specified, port 30343 will be used for plaintext +# connections and port 30344 will be used to TLS connections. +# The following forms are accepted: +# listen_address = hostname(tls) +# listen_address = hostname:port(tls) +# listen_address = IPv4_address(tls) +# listen_address = IPv4_address:port(tls) +# listen_address = [IPv6_address](tls) +# listen_address = [IPv6_address]:port(tls) +# +# The (tls) suffix should be omitted for plaintext connections. +# +# Multiple listen_address settings may be specified. +# The default is to listen on all addresses. +#listen_address = *:30343 +#listen_address = *:30344(tls) + +# The file containing the ID of the running sudo_logsrvd process. +#pid_file = @rundir@/sudo_logsrvd.pid + +# Where to log server warnings: none, stderr, syslog, or a path name. +#server_log = syslog + +# If true, enable the SO_KEEPALIVE socket option on client connections. +# Defaults to true. +#tcp_keepalive = true + +# The amount of time, in seconds, the server will wait for the client to +# respond. A value of 0 will disable the timeout. The default value is 30. +#timeout = 30 + +# If true, the server will validate its own certificate at startup. +# Defaults to true. +#tls_verify = true + +# If true, client certificates will be validated by the server; +# clients without a valid certificate will be unable to connect. +# By default, client certs are not checked. +#tls_checkpeer = false + +# Path to a certificate authority bundle file in PEM format to use +# instead of the system's default certificate authority database. +#tls_cacert = /etc/ssl/sudo/cacert.pem + +# Path to the server's certificate file in PEM format. +# Required for TLS connections. +#tls_cert = /etc/ssl/sudo/certs/logsrvd_cert.pem + +# Path to the server's private key file in PEM format. +# Required for TLS connections. +#tls_key = /etc/ssl/sudo/private/logsrvd_key.pem + +# TLS cipher list (see "CIPHER LIST FORMAT" in the openssl-ciphers manual). +# This setting is only effective if the negotiated protocol is TLS version +# 1.2. The default cipher list is HIGH:!aNULL. +#tls_ciphers_v12 = HIGH:!aNULL + +# TLS cipher list if the negotiated protocol is TLS version 1.3. +# The default cipher list is TLS_AES_256_GCM_SHA384. +#tls_ciphers_v13 = TLS_AES_256_GCM_SHA384 + +# Path to the Diffie-Hellman parameter file in PEM format. +# If not set, the server will use the OpenSSL defaults. +#tls_dhparams = /etc/ssl/sudo/logsrvd_dhparams.pem + +[relay] +# The host name or IP address and port to send logs to in relay mode. +# The syntax is identical to listen_address with the exception of +# the wild card ('*') syntax. When this setting is enabled, logs will +# be relayed to the specified host instead of being stored locally. +# This setting is not enabled by default. +#relay_host = relayhost.dom.ain +#relay_host = relayhost.dom.ain(tls) + +# The amount of time, in seconds, the server will wait for a connection +# to the relay server to complete. A value of 0 will disable the timeout. +# The default value is 30. +#connect_timeout = 30 + +# The directory to store messages in before they are sent to the relay. +# Messages are stored in wire format. +# The default value is @relay_dir@. +#relay_dir = @relay_dir@ + +# The number of seconds to wait after a connection error before +# making a new attempt to forward a message to a relay host. +# The default value is 30. +#retry_interval = 30 + +# Whether to store the log before relaying it. If true, enable store +# and forward mode. If false, the client connection is immediately +# relayed. Defaults to false. +#store_first = true + +# If true, enable the SO_KEEPALIVE socket option on relay connections. +# Defaults to true. +#tcp_keepalive = true + +# The amount of time, in seconds, the server will wait for the relay to +# respond. A value of 0 will disable the timeout. The default value is 30. +#timeout = 30 + +# If true, the server's relay certificate will be verified at startup. +# The default is to use the value in the [server] section. +#tls_verify = true + +# Whether to verify the relay's certificate for TLS connections. +# The default is to use the value in the [server] section. +#tls_checkpeer = false + +# Path to a certificate authority bundle file in PEM format to use +# instead of the system's default certificate authority database. +# The default is to use the value in the [server] section. +#tls_cacert = /etc/ssl/sudo/cacert.pem + +# Path to the server's certificate file in PEM format. +# The default is to use the certificate in the [server] section. +#tls_cert = /etc/ssl/sudo/certs/logsrvd_cert.pem + +# Path to the server's private key file in PEM format. +# The default is to use the key in the [server] section. +#tls_key = /etc/ssl/sudo/private/logsrvd_key.pem + +# TLS cipher list (see "CIPHER LIST FORMAT" in the openssl-ciphers manual). +# this setting is only effective if the negotiated protocol is TLS version +# 1.2. The default is to use the value in the [server] section. +#tls_ciphers_v12 = HIGH:!aNULL + +# TLS cipher list if the negotiated protocol is TLS version 1.3. +# The default is to use the value in the [server] section. +#tls_ciphers_v13 = TLS_AES_256_GCM_SHA384 + +# Path to the Diffie-Hellman parameter file in PEM format. +# The default is to use the value in the [server] section. +#tls_dhparams = /etc/ssl/sudo/logsrvd_dhparams.pem + +[iolog] +# The top-level directory to use when constructing the path name for the +# I/O log directory. The session sequence number, if any, is stored here. +#iolog_dir = @iolog_dir@ + +# The path name, relative to iolog_dir, in which to store I/O logs. +# It is possible for iolog_file to contain directory components. +#iolog_file = %{seq} + +# If set, I/O logs will be compressed using zlib. Enabling compression can +# make it harder to view the logs in real-time as the program is executing. +#iolog_compress = false + +# If set, I/O log data is flushed to disk after each write instead of +# buffering it. This makes it possible to view the logs in real-time +# as the program is executing but reduces the effectiveness of compression. +#iolog_flush = true + +# The group to use when creating new I/O log files and directories. +# If iolog_group is not set, the primary group-ID of the user specified +# by iolog_user is used. If neither iolog_group nor iolog_user +# are set, I/O log files and directories are created with group-ID 0. +#iolog_group = wheel + +# The user to use when setting the user-ID and group-ID of new I/O +# log files and directories. If iolog_group is set, it will be used +# instead of the user's primary group-ID. By default, I/O log files +# and directories are created with user and group-ID 0. +#iolog_user = root + +# The file mode to use when creating I/O log files. The file permissions +# will always include the owner read and write bits, even if they are +# not present in the specified mode. When creating I/O log directories, +# search (execute) bits are added to match the read and write bits +# specified by iolog_mode. +#iolog_mode = 0600 + +# If disabled, sudo_logsrvd will attempt to avoid logging plaintext +# password in the terminal input using passprompt_regex. +#log_passwords = true + +# The maximum sequence number that will be substituted for the "%{seq}" +# escape in the I/O log file. While the value substituted for "%{seq}" +# is in base 36, maxseq itself should be expressed in decimal. Values +# larger than 2176782336 (which corresponds to the base 36 sequence +# number "ZZZZZZ") will be silently truncated to 2176782336. +#maxseq = 2176782336 + +# One or more POSIX extended regular expressions used to match +# password prompts in the terminal output when log_passwords is +# disabled. Multiple passprompt_regex settings may be specified. +#passprompt_regex = [Pp]assword[: ]* +#passprompt_regex = [Pp]assword for [a-z0-9]+: * + +[eventlog] +# Where to log accept, reject, exit, and alert events. +# Accepted values are syslog, logfile, or none. +# Defaults to syslog +#log_type = syslog + +# Whether to log an event when a command exits or is terminated by a signal. +# Defaults to false +#log_exit = true + +# Event log format. +# Supported log formats are "sudo" and "json" +# Defaults to sudo +#log_format = sudo + +[syslog] +# The maximum length of a syslog payload. +# On many systems, syslog(3) has a relatively small log buffer. +# IETF RFC 5424 states that syslog servers must support messages +# of at least 480 bytes and should support messages up to 2048 bytes. +# Messages larger than this value will be split into multiple messages. +#maxlen = 960 + +# The syslog facility to use for event log messages. +# The following syslog facilities are supported: authpriv (if your OS +# supports it), auth, daemon, user, local0, local1, local2, local3, +# local4, local5, local6, and local7. +#facility = @logfac@ + +# Syslog priority to use for event log accept messages, when the command +# is allowed by the security policy. The following syslog priorities are +# supported: alert, crit, debug, emerg, err, info, notice, warning, none. +#accept_priority = @goodpri@ + +# Syslog priority to use for event log reject messages, when the command +# is not allowed by the security policy. +#reject_priority = @badpri@ + +# Syslog priority to use for event log alert messages reported by the +# client. +#alert_priority = @badpri@ + +# The syslog facility to use for server warning messages. +# Defaults to daemon. +#server_facility = daemon + +[logfile] +# The path to the file-based event log. +# This path must be fully-qualified and start with a '/' character. +#path = @logpath@ + +# The format string used when formatting the date and time for +# file-based event logs. Formatting is performed via strftime(3) so +# any format string supported by that function is allowed. +#time_format = %h %e %T diff --git a/examples/sudoers.in b/examples/sudoers.in new file mode 100644 index 0000000..46953d6 --- /dev/null +++ b/examples/sudoers.in @@ -0,0 +1,133 @@ +# +# Sample /etc/sudoers file. +# +# This file MUST be edited with the 'visudo' command as root. +# +# See the sudoers man page for the details on how to write a sudoers file. + +## +# Override built-in defaults +## +Defaults syslog=auth,runcwd=~ +Defaults>root !set_logname +Defaults:FULLTIMERS !lecture,runchroot=* +Defaults:millert !authenticate +Defaults@SERVERS log_year, logfile=@log_dir@/sudo.log +Defaults!PAGERS noexec + +## +# User alias specification +## +User_Alias FULLTIMERS = millert, mikef, dowdy +User_Alias PARTTIMERS = bostley, jwfox, crawl +User_Alias WEBADMIN = will, wendy, wim + +## +# Runas alias specification +## +Runas_Alias OP = root, operator +Runas_Alias DB = oracle, sybase + +## +# Host alias specification +## +Host_Alias SPARC = bigtime, eclipse, moet, anchor:\ + SGI = grolsch, dandelion, black:\ + ALPHA = widget, thalamus, foobar:\ + HPPA = boa, nag, python +Host_Alias CUNETS = 128.138.0.0/255.255.0.0 +Host_Alias CSNETS = 128.138.243.0, 128.138.204.0/24, 128.138.242.0 +Host_Alias SERVERS = primary, mail, www, ns +Host_Alias CDROM = orion, perseus, hercules + +## +# Cmnd alias specification +## +Cmnd_Alias DUMPS = /usr/sbin/dump, /usr/sbin/rdump, /usr/sbin/restore, \ + /usr/sbin/rrestore, /usr/bin/mt, \ + sha224:0GomF8mNN3wlDt1HD9XldjJ3SNgpFdbjO1+NsQ== \ + /home/operator/bin/start_backups +Cmnd_Alias KILL = /usr/bin/kill, /usr/bin/top +Cmnd_Alias PRINTING = /usr/sbin/lpc, /usr/bin/lprm +Cmnd_Alias SHUTDOWN = /usr/sbin/shutdown +Cmnd_Alias HALT = /usr/sbin/halt +Cmnd_Alias REBOOT = /usr/sbin/reboot +Cmnd_Alias SHELLS = /sbin/sh, /usr/bin/sh, /usr/bin/csh, /usr/bin/ksh, \ + /usr/local/bin/tcsh, /usr/bin/rsh, \ + /usr/local/bin/zsh +Cmnd_Alias SU = /usr/bin/su +Cmnd_Alias VIPW = /usr/sbin/vipw, /usr/bin/passwd, /usr/bin/chsh, \ + /usr/bin/chfn +Cmnd_Alias PAGERS = /usr/bin/more, /usr/bin/pg, /usr/bin/less + +## +# User specification +## + +# root and users in group wheel can run anything on any machine as any user +root ALL = (ALL:ALL) ALL +%wheel ALL = (ALL:ALL) ALL + +# full time sysadmins can run anything on any machine without a password +FULLTIMERS ALL = (ALL:ALL) NOPASSWD: ALL + +# part time sysadmins may run anything as root but need a password +PARTTIMERS ALL = ALL + +# jack may run anything on machines in CSNETS +jack CSNETS = ALL + +# lisa may run any command on any host in CUNETS (a class B network) +lisa CUNETS = ALL + +# operator may run maintenance commands and anything in /usr/oper/bin/ +operator ALL = DUMPS, KILL, SHUTDOWN, HALT, REBOOT, PRINTING,\ + sudoedit /etc/printcap, /usr/oper/bin/ + +# joe may su only to operator +joe ALL = /usr/bin/su operator + +# pete may change passwords for anyone but root on the hp snakes +pete HPPA = /usr/bin/passwd ^[a-zA-Z0-9_]+$, !/usr/bin/passwd root + +# bob may run anything on the sparc and sgi machines as any user +# listed in the Runas_Alias "OP" (ie: root and operator) +bob SPARC = (OP) ALL : SGI = (OP) ALL + +# jim may run anything on machines in the biglab netgroup +jim +biglab = ALL + +# users in the secretaries netgroup need to help manage the printers +# as well as add and remove users ++secretaries ALL = PRINTING, /usr/bin/adduser, /usr/bin/rmuser + +# fred can run commands as oracle or sybase without a password +fred ALL = (DB) NOPASSWD: ALL + +# on the alphas, john may su to anyone except root, no flags are allowed. +john ALPHA = /usr/bin/su ^[a-zA-Z0-9_]+$, !/usr/bin/su root + +# jen can run anything on all machines except the ones +# in the "SERVERS" Host_Alias +jen ALL, !SERVERS = ALL + +# jill can run any commands in the directory /usr/bin/, except for +# those in the SU and SHELLS aliases. +jill SERVERS = /usr/bin/, !SU, !SHELLS + +# steve can run any command in the directory /usr/local/op_commands/ +# as user operator. +steve CSNETS = (operator) /usr/local/op_commands/ + +# matt needs to be able to kill things on his workstation when +# they get hung. +matt valkyrie = KILL + +# users in the WEBADMIN User_Alias (will, wendy, and wim) +# may run any command as user www (which owns the web pages) +# or simply su to www. +WEBADMIN www = (www) ALL, (root) /usr/bin/su www + +# anyone can mount/unmount a cd-rom on the machines in the CDROM alias +ALL CDROM = NOPASSWD: /sbin/umount /CDROM,\ + /sbin/mount -o nosuid\,nodev /dev/cd0a /CDROM diff --git a/examples/syslog.conf.in b/examples/syslog.conf.in new file mode 100644 index 0000000..eff72ac --- /dev/null +++ b/examples/syslog.conf.in @@ -0,0 +1,26 @@ +# This is a sample syslog.conf fragment for use with Sudo. +# +# By default, sudo logs to "authpriv" if your system supports it, else it +# uses "auth". The facility can be set via the --with-logfac configure +# option or in the sudoers file. +# To see what syslog facility a sudo binary uses, run `sudo -V' as *root*. +# +# NOTES: +# The whitespace in the following line is made up of +# characters, *not* spaces. You cannot just cut and paste! +# +# If you edit syslog.conf you need to send syslogd a HUP signal. +# Ie: kill -HUP process_id +# +# Syslogd will not create new log files for you, you must first +# create the file before syslogd will log to it. Eg. +# 'touch @log_dir@/sudo' + +# This logs successful and failed sudo attempts to the file @log_dir@/auth +# If your system has the authpriv syslog facility, use authpriv.debug +auth.debug @log_dir@/auth + +# To log to a remote machine, use something like the following, +# where "loghost" is the name of the remote machine. +# If your system has the authpriv syslog facility, use authpriv.debug +auth.debug @loghost -- cgit v1.2.3