1 SUDO(4) Programmer's Manual SUDO(4)
4 s
\bsu
\bud
\bdo
\bo.
\b.c
\bco
\bon
\bnf
\bf - configuration for sudo front end
6 D
\bDE
\bES
\bSC
\bCR
\bRI
\bIP
\bPT
\bTI
\bIO
\bON
\bN
7 The s
\bsu
\bud
\bdo
\bo.
\b.c
\bco
\bon
\bnf
\bf file is used to configure the s
\bsu
\bud
\bdo
\bo front end. It specifies
8 the security policy and I/O logging plugins, debug flags as well as
9 plugin-agnostic path names and settings.
11 The s
\bsu
\bud
\bdo
\bo.
\b.c
\bco
\bon
\bnf
\bf file supports the following directives, described in detail
14 Plugin a security policy or I/O logging plugin
16 Path a plugin-agnostic path
18 Set a front end setting, such as _
\bd_
\bi_
\bs_
\ba_
\bb_
\bl_
\be_
\b__
\bc_
\bo_
\br_
\be_
\bd_
\bu_
\bm_
\bp or _
\bg_
\br_
\bo_
\bu_
\bp_
\b__
\bs_
\bo_
\bu_
\br_
\bc_
\be
20 Debug debug flags to aid in debugging s
\bsu
\bud
\bdo
\bo, s
\bsu
\bud
\bdo
\bor
\bre
\bep
\bpl
\bla
\bay
\by, v
\bvi
\bis
\bsu
\bud
\bdo
\bo, and
21 the s
\bsu
\bud
\bdo
\boe
\ber
\brs
\bs plugin.
23 The pound sign (`#') is used to indicate a comment. Both the comment
24 character and any text after it, up to the end of the line, are ignored.
26 Long lines can be continued with a backslash (`\') as the last character
27 on the line. Note that leading white space is removed from the beginning
28 of lines even when the continuation character is used.
30 Non-comment lines that don't begin with Plugin, Path, Debug, or Set are
33 The s
\bsu
\bud
\bdo
\bo.
\b.c
\bco
\bon
\bnf
\bf file is always parsed in the ``C'' locale.
35 P
\bPl
\blu
\bug
\bgi
\bin
\bn c
\bco
\bon
\bnf
\bfi
\big
\bgu
\bur
\bra
\bat
\bti
\bio
\bon
\bn
36 s
\bsu
\bud
\bdo
\bo supports a plugin architecture for security policies and
37 input/output logging. Third parties can develop and distribute their own
38 policy and I/O logging plugins to work seamlessly with the s
\bsu
\bud
\bdo
\bo front
39 end. Plugins are dynamically loaded based on the contents of s
\bsu
\bud
\bdo
\bo.
\b.c
\bco
\bon
\bnf
\bf.
41 A Plugin line consists of the Plugin keyword, followed by the _
\bs_
\by_
\bm_
\bb_
\bo_
\bl_
\b__
\bn_
\ba_
\bm_
\be
42 and the _
\bp_
\ba_
\bt_
\bh to the shared object containing the plugin. The _
\bs_
\by_
\bm_
\bb_
\bo_
\bl_
\b__
\bn_
\ba_
\bm_
\be
43 is the name of the struct policy_plugin or struct io_plugin in the plugin
44 shared object. The _
\bp_
\ba_
\bt_
\bh may be fully qualified or relative. If not
45 fully qualified, it is relative to the _
\b/_
\bu_
\bs_
\br_
\b/_
\bl_
\bo_
\bc_
\ba_
\bl_
\b/_
\bl_
\bi_
\bb_
\be_
\bx_
\be_
\bc_
\b/_
\bs_
\bu_
\bd_
\bo directory.
48 Plugin sudoers_policy sudoers.so
52 Plugin sudoers_policy /usr/local/libexec/sudo/sudoers.so
54 Starting with s
\bsu
\bud
\bdo
\bo 1.8.5, any additional parameters after the _
\bp_
\ba_
\bt_
\bh are
55 passed as arguments to the plugin's _
\bo_
\bp_
\be_
\bn function. For example, to
56 override the compile-time default sudoers file mode:
58 Plugin sudoers_policy sudoers.so sudoers_mode=0440
60 The same shared object may contain multiple plugins, each with a
61 different symbol name. The shared object file must be owned by uid 0 and
62 only writable by its owner. Because of ambiguities that arise from
63 composite policies, only a single policy plugin may be specified. This
64 limitation does not apply to I/O plugins.
66 If no s
\bsu
\bud
\bdo
\bo.
\b.c
\bco
\bon
\bnf
\bf file is present, or if it contains no Plugin lines, the
67 s
\bsu
\bud
\bdo
\boe
\ber
\brs
\bs plugin will be used as the default security policy and for I/O
68 logging (if enabled by the policy). This is equivalent to the following:
70 Plugin sudoers_policy sudoers.so
71 Plugin sudoers_io sudoers.so
73 For more information on the s
\bsu
\bud
\bdo
\bo plugin architecture, see the
74 sudo_plugin(1m) manual.
76 P
\bPa
\bat
\bth
\bh s
\bse
\bet
\btt
\bti
\bin
\bng
\bgs
\bs
77 A Path line consists of the Path keyword, followed by the name of the
78 path to set and its value. For example:
80 Path noexec /usr/local/libexec/sudo/sudo_noexec.so
81 Path askpass /usr/X11R6/bin/ssh-askpass
83 The following plugin-agnostic paths may be set in the _
\b/_
\be_
\bt_
\bc_
\b/_
\bs_
\bu_
\bd_
\bo_
\b._
\bc_
\bo_
\bn_
\bf
86 askpass The fully qualified path to a helper program used to read the
87 user's password when no terminal is available. This may be the
88 case when s
\bsu
\bud
\bdo
\bo is executed from a graphical (as opposed to
89 text-based) application. The program specified by _
\ba_
\bs_
\bk_
\bp_
\ba_
\bs_
\bs
90 should display the argument passed to it as the prompt and
91 write the user's password to the standard output. The value of
92 _
\ba_
\bs_
\bk_
\bp_
\ba_
\bs_
\bs may be overridden by the SUDO_ASKPASS environment
95 noexec The fully-qualified path to a shared library containing dummy
96 versions of the e
\bex
\bxe
\bec
\bcv
\bv(), e
\bex
\bxe
\bec
\bcv
\bve
\be() and f
\bfe
\bex
\bxe
\bec
\bcv
\bve
\be() library
97 functions that just return an error. This is used to implement
98 the _
\bn_
\bo_
\be_
\bx_
\be_
\bc functionality on systems that support LD_PRELOAD or
99 its equivalent. The default value is:
100 _
\b/_
\bu_
\bs_
\br_
\b/_
\bl_
\bo_
\bc_
\ba_
\bl_
\b/_
\bl_
\bi_
\bb_
\be_
\bx_
\be_
\bc_
\b/_
\bs_
\bu_
\bd_
\bo_
\b/_
\bs_
\bu_
\bd_
\bo_
\b__
\bn_
\bo_
\be_
\bx_
\be_
\bc_
\b._
\bs_
\bo.
102 sesh The fully-qualified path to the s
\bse
\bes
\bsh
\bh binary. This setting is
103 only used when s
\bsu
\bud
\bdo
\bo is built with SELinux support. The default
104 value is _
\b/_
\bu_
\bs_
\br_
\b/_
\bl_
\bo_
\bc_
\ba_
\bl_
\b/_
\bl_
\bi_
\bb_
\be_
\bx_
\be_
\bc_
\b/_
\bs_
\bu_
\bd_
\bo_
\b/_
\bs_
\be_
\bs_
\bh.
106 O
\bOt
\bth
\bhe
\ber
\br s
\bse
\bet
\btt
\bti
\bin
\bng
\bgs
\bs
107 The s
\bsu
\bud
\bdo
\bo.
\b.c
\bco
\bon
\bnf
\bf file also supports the following front end settings:
110 Core dumps of s
\bsu
\bud
\bdo
\bo itself are disabled by default. To aid in
111 debugging s
\bsu
\bud
\bdo
\bo crashes, you may wish to re-enable core dumps by
112 setting ``disable_coredump'' to false in s
\bsu
\bud
\bdo
\bo.
\b.c
\bco
\bon
\bnf
\bf as follows:
114 Set disable_coredump false
116 Note that most operating systems disable core dumps from setuid
117 programs, including s
\bsu
\bud
\bdo
\bo. To actually get a s
\bsu
\bud
\bdo
\bo core file you
118 will likely need to enable core dumps for setuid processes. On
119 BSD and Linux systems this is accomplished in the sysctl
120 command. On Solaris, the coreadm command is used to configure
123 This setting is only available in s
\bsu
\bud
\bdo
\bo version 1.8.4 and
127 s
\bsu
\bud
\bdo
\bo passes the invoking user's group list to the policy and
128 I/O plugins. On most systems, there is an upper limit to the
129 number of groups that a user may belong to simultaneously
130 (typically 16 for compatibility with NFS). On systems with the
131 getconf(1) utility, running:
133 will return the maximum number of groups.
135 However, it is still possible to be a member of a larger number
136 of groups--they simply won't be included in the group list
137 returned by the kernel for the user. Starting with s
\bsu
\bud
\bdo
\bo
138 version 1.8.7, if the user's kernel group list has the maximum
139 number of entries, s
\bsu
\bud
\bdo
\bo will consult the group database
140 directly to determine the group list. This makes it possible
141 for the security policy to perform matching by group name even
142 when the user is a member of more than the maximum number of
145 The _
\bg_
\br_
\bo_
\bu_
\bp_
\b__
\bs_
\bo_
\bu_
\br_
\bc_
\be setting allows the administrator to change
146 this default behavior. Supported values for _
\bg_
\br_
\bo_
\bu_
\bp_
\b__
\bs_
\bo_
\bu_
\br_
\bc_
\be are:
148 static Use the static group list that the kernel returns.
149 Retrieving the group list this way is very fast but
150 it is subject to an upper limit as described above.
151 It is ``static'' in that it does not reflect changes
152 to the group database made after the user logs in.
153 This was the default behavior prior to s
\bsu
\bud
\bdo
\bo 1.8.7.
155 dynamic Always query the group database directly. It is
156 ``dynamic'' in that changes made to the group
157 database after the user logs in will be reflected in
158 the group list. On some systems, querying the group
159 database for all of a user's groups can be time
160 consuming when querying a network-based group
161 database. Most operating systems provide an
162 efficient method of performing such queries.
163 Currently, s
\bsu
\bud
\bdo
\bo supports efficient group queries on
164 AIX, BSD, HP-UX, Linux and Solaris.
166 adaptive Only query the group database if the static group
167 list returned by the kernel has the maximum number of
168 entries. This is the default behavior in s
\bsu
\bud
\bdo
\bo 1.8.7
171 For example, to cause s
\bsu
\bud
\bdo
\bo to only use the kernel's static list
172 of groups for the user:
174 Set group_source static
176 This setting is only available in s
\bsu
\bud
\bdo
\bo version 1.8.7 and
180 The maximum number of user groups to retrieve from the group
181 database. This setting is only used when querying the group
182 database directly. It is intended to be used on systems where
183 it is not possible to detect when the array to be populated
184 with group entries is not sufficiently large. By default, s
\bsu
\bud
\bdo
\bo
185 will allocate four times the system's maximum number of groups
186 (see above) and retry with double that number if the group
187 database query fails. However, some systems just return as
188 many entries as will fit and do not indicate an error when
189 there is a lack of space.
191 This setting is only available in s
\bsu
\bud
\bdo
\bo version 1.8.7 and
194 D
\bDe
\beb
\bbu
\bug
\bg f
\bfl
\bla
\bag
\bgs
\bs
195 s
\bsu
\bud
\bdo
\bo versions 1.8.4 and higher support a flexible debugging framework
196 that can help track down what s
\bsu
\bud
\bdo
\bo is doing internally if there is a
199 A Debug line consists of the Debug keyword, followed by the name of the
200 program (or plugin) to debug (s
\bsu
\bud
\bdo
\bo, v
\bvi
\bis
\bsu
\bud
\bdo
\bo, s
\bsu
\bud
\bdo
\bor
\bre
\bep
\bpl
\bla
\bay
\by, s
\bsu
\bud
\bdo
\boe
\ber
\brs
\bs), the
201 debug file name and a comma-separated list of debug flags. The debug
202 flag syntax used by s
\bsu
\bud
\bdo
\bo and the s
\bsu
\bud
\bdo
\boe
\ber
\brs
\bs plugin is _
\bs_
\bu_
\bb_
\bs_
\by_
\bs_
\bt_
\be_
\bm@_
\bp_
\br_
\bi_
\bo_
\br_
\bi_
\bt_
\by but
203 a plugin is free to use a different format so long as it does not include
208 Debug sudo /var/log/sudo_debug all@warn,plugin@info
210 would log all debugging statements at the _
\bw_
\ba_
\br_
\bn level and higher in
211 addition to those at the _
\bi_
\bn_
\bf_
\bo level for the plugin subsystem.
213 Currently, only one Debug entry per program is supported. The s
\bsu
\bud
\bdo
\bo Debug
214 entry is shared by the s
\bsu
\bud
\bdo
\bo front end, s
\bsu
\bud
\bdo
\boe
\bed
\bdi
\bit
\bt and the plugins. A
215 future release may add support for per-plugin Debug lines and/or support
216 for multiple debugging files for a single program.
218 The priorities used by the s
\bsu
\bud
\bdo
\bo front end, in order of decreasing
219 severity, are: _
\bc_
\br_
\bi_
\bt, _
\be_
\br_
\br, _
\bw_
\ba_
\br_
\bn, _
\bn_
\bo_
\bt_
\bi_
\bc_
\be, _
\bd_
\bi_
\ba_
\bg, _
\bi_
\bn_
\bf_
\bo, _
\bt_
\br_
\ba_
\bc_
\be and _
\bd_
\be_
\bb_
\bu_
\bg.
220 Each priority, when specified, also includes all priorities higher than
221 it. For example, a priority of _
\bn_
\bo_
\bt_
\bi_
\bc_
\be would include debug messages
222 logged at _
\bn_
\bo_
\bt_
\bi_
\bc_
\be and higher.
224 The following subsystems are used by the s
\bsu
\bud
\bdo
\bo front-end:
226 _
\ba_
\bl_
\bl matches every subsystem
228 _
\ba_
\br_
\bg_
\bs command line argument processing
230 _
\bc_
\bo_
\bn_
\bv user conversation
232 _
\be_
\bd_
\bi_
\bt sudoedit
234 _
\be_
\bx_
\be_
\bc command execution
236 _
\bm_
\ba_
\bi_
\bn s
\bsu
\bud
\bdo
\bo main function
238 _
\bn_
\be_
\bt_
\bi_
\bf network interface handling
240 _
\bp_
\bc_
\bo_
\bm_
\bm communication with the plugin
242 _
\bp_
\bl_
\bu_
\bg_
\bi_
\bn plugin configuration
244 _
\bp_
\bt_
\by pseudo-tty related code
246 _
\bs_
\be_
\bl_
\bi_
\bn_
\bu_
\bx SELinux-specific handling
248 _
\bu_
\bt_
\bi_
\bl utility functions
250 _
\bu_
\bt_
\bm_
\bp utmp handling
252 The sudoers(4) plugin includes support for additional subsystems.
255 _
\b/_
\be_
\bt_
\bc_
\b/_
\bs_
\bu_
\bd_
\bo_
\b._
\bc_
\bo_
\bn_
\bf s
\bsu
\bud
\bdo
\bo front end configuration
257 E
\bEX
\bXA
\bAM
\bMP
\bPL
\bLE
\bES
\bS
259 # Default /etc/sudo.conf file
262 # Plugin plugin_name plugin_path plugin_options ...
263 # Path askpass /path/to/askpass
264 # Path noexec /path/to/sudo_noexec.so
265 # Debug sudo /var/log/sudo_debug all@warn
266 # Set disable_coredump true
268 # The plugin_path is relative to /usr/local/libexec/sudo unless
270 # The plugin_name corresponds to a global symbol in the plugin
271 # that contains the plugin interface structure.
272 # The plugin_options are optional.
274 # The sudoers plugin is used by default if no Plugin lines are
276 Plugin sudoers_policy sudoers.so
277 Plugin sudoers_io sudoers.so
282 # An askpass helper program may be specified to provide a graphical
283 # password prompt for "sudo -A" support. Sudo does not ship with
284 # its own askpass program but can use the OpenSSH askpass.
286 # Use the OpenSSH askpass
287 #Path askpass /usr/X11R6/bin/ssh-askpass
289 # Use the Gnome OpenSSH askpass
290 #Path askpass /usr/libexec/openssh/gnome-ssh-askpass
295 # Path to a shared library containing dummy versions of the execv(),
296 # execve() and fexecve() library functions that just return an error.
297 # This is used to implement the "noexec" functionality on systems that
298 # support C<LD_PRELOAD> or its equivalent.
299 # The compiled-in value is usually sufficient and should only be
300 # changed if you rename or move the sudo_noexec.so file.
302 #Path noexec /usr/local/libexec/sudo/sudo_noexec.so
307 # By default, sudo disables core dumps while it is executing
308 # (they are re-enabled for the command that is run).
309 # To aid in debugging sudo problems, you may wish to enable core
310 # dumps by setting "disable_coredump" to false.
312 #Set disable_coredump false
317 # Sudo passes the user's group list to the policy plugin.
318 # If the user is a member of the maximum number of groups (usually 16),
319 # sudo will query the group database directly to be sure to include
320 # the full list of groups.
322 # On some systems, this can be expensive so the behavior is configurable.
323 # The "group_source" setting has three possible values:
324 # static - use the user's list of groups returned by the kernel.
325 # dynamic - query the group database to find the list of groups.
326 # adaptive - if user is in less than the maximum number of groups.
327 # use the kernel list, else query the group database.
329 #Set group_source static
331 S
\bSE
\bEE
\bE A
\bAL
\bLS
\bSO
\bO
332 sudoers(4), sudo(1m), sudo_plugin(1m)
334 H
\bHI
\bIS
\bST
\bTO
\bOR
\bRY
\bY
335 See the HISTORY file in the s
\bsu
\bud
\bdo
\bo distribution
336 (http://www.sudo.ws/sudo/history.html) for a brief history of sudo.
338 A
\bAU
\bUT
\bTH
\bHO
\bOR
\bRS
\bS
339 Many people have worked on s
\bsu
\bud
\bdo
\bo over the years; this version consists of
340 code written primarily by:
344 See the CONTRIBUTORS file in the s
\bsu
\bud
\bdo
\bo distribution
345 (http://www.sudo.ws/sudo/contributors.html) for an exhaustive list of
346 people who have contributed to s
\bsu
\bud
\bdo
\bo.
349 If you feel you have found a bug in s
\bsu
\bud
\bdo
\bo, please submit a bug report at
350 http://www.sudo.ws/sudo/bugs/
352 S
\bSU
\bUP
\bPP
\bPO
\bOR
\bRT
\bT
353 Limited free support is available via the sudo-users mailing list, see
354 http://www.sudo.ws/mailman/listinfo/sudo-users to subscribe or search the
357 D
\bDI
\bIS
\bSC
\bCL
\bLA
\bAI
\bIM
\bME
\bER
\bR
358 s
\bsu
\bud
\bdo
\bo is provided ``AS IS'' and any express or implied warranties,
359 including, but not limited to, the implied warranties of merchantability
360 and fitness for a particular purpose are disclaimed. See the LICENSE
361 file distributed with s
\bsu
\bud
\bdo
\bo or http://www.sudo.ws/sudo/license.html for
364 Sudo 1.8.7 March 14, 2013 Sudo 1.8.7
projects / debian / sudo / blob