1 .\" DO NOT EDIT THIS FILE, IT IS NOT THE MASTER!
2 .\" IT IS GENERATED AUTOMATICALLY FROM sudo.conf.mdoc.in
4 .\" Copyright (c) 2010-2013 Todd C. Miller <Todd.Miller@courtesan.com>
6 .\" Permission to use, copy, modify, and distribute this software for any
7 .\" purpose with or without fee is hereby granted, provided that the above
8 .\" copyright notice and this permission notice appear in all copies.
10 .\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
11 .\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
12 .\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
13 .\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
14 .\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
15 .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
16 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
17 .\" ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
.TH "SUDO" "5" "March 14, 2013" "Sudo @PACKAGE_VERSION@" "OpenBSD Programmer's Manual"
\- configuration for sudo front end
file is used to configure the
It specifies the security policy and I/O logging plugins, debug flags
as well as plugin-agnostic path names and settings.
file supports the following directives, described in detail below.
a security policy or I/O logging plugin
a plugin-agnostic path
a front end setting, such as
\fIdisable_coredump\fR
debug flags to aid in debugging
is used to indicate a comment.
Both the comment character and any text after it, up to the end of
the line, are ignored.
Long lines can be continued with a backslash
as the last character on the line.
Note that leading white space is removed from the beginning of lines
even when the continuation character is used.
Non-comment lines that don't begin with
file is always parsed in the
.SS "Plugin configuration"
supports a plugin architecture for security policies and input/output
Third parties can develop and distribute their own policy and I/O
logging plugins to work seamlessly with the
Plugins are dynamically loaded based on the contents of
keyword, followed by the
to the shared object containing the plugin.
\fRstruct policy_plugin\fR
\fRstruct io_plugin\fR
in the plugin shared object.
may be fully qualified or relative.
If not fully qualified, it is relative to the
Plugin sudoers_policy sudoers.so
Plugin sudoers_policy @PLUGINDIR@/sudoers.so
1.8.5, any additional parameters after the
are passed as arguments to the plugin's
For example, to override the compile-time default sudoers file mode:
Plugin sudoers_policy sudoers.so sudoers_mode=0440
The same shared object may contain multiple plugins, each with a
different symbol name.
The shared object file must be owned by uid 0 and only writable by its owner.
Because of ambiguities that arise from composite policies, only a single
policy plugin may be specified.
This limitation does not apply to I/O plugins.
file is present, or if it contains no
plugin will be used as the default security policy and for I/O logging
(if enabled by the policy).
This is equivalent to the following:
Plugin sudoers_policy sudoers.so
Plugin sudoers_io sudoers.so
For more information on the
plugin architecture, see the
sudo_plugin(@mansectsu@)
keyword, followed by the name of the path to set and its value.
Path noexec @noexec_file@
Path askpass /usr/X11R6/bin/ssh-askpass
The following plugin-agnostic paths may be set in the
\fI@sysconfdir@/sudo.conf\fR
The fully qualified path to a helper program used to read the user's
password when no terminal is available.
This may be the case when
is executed from a graphical (as opposed to text-based) application.
The program specified by
should display the argument passed to it as the prompt and write
the user's password to the standard output.
may be overridden by the
environment variable.
The fully-qualified path to a shared library containing dummy
library functions that just return an error.
This is used to implement the
functionality on systems that support
The default value is:
The fully-qualified path to the
This setting is only used when
is built with SELinux support.
file also supports the following front end settings:
itself are disabled by default.
crashes, you may wish to re-enable core dumps by setting
Set disable_coredump false
Note that most operating systems disable core dumps from setuid programs,
core file you will likely need to enable core dumps for setuid processes.
On BSD and Linux systems this is accomplished in the
command is used to configure core dump behavior.
This setting is only available in
version 1.8.4 and higher.
passes the invoking user's group list to the policy and I/O plugins.
On most systems, there is an upper limit to the number of groups that
a user may belong to simultaneously (typically 16 for compatibility
will return the maximum number of groups.
However, it is still possible to be a member of a larger number of
groups--they simply won't be included in the group list returned
by the kernel for the user.
version 1.8.7, if the user's kernel group list has the maximum number
will consult the group database directly to determine the group list.
This makes it possible for the security policy to perform matching by group
name even when the user is a member of more than the maximum number of groups.
setting allows the administrator to change this default behavior.
Use the static group list that the kernel returns.
Retrieving the group list this way is very fast but it is subject
to an upper limit as described above.
in that it does not reflect changes to the group database made
after the user logs in.
This was the default behavior prior to
Always query the group database directly.
in that changes made to the group database after the user logs in
will be reflected in the group list.
On some systems, querying the group database for all of a user's
groups can be time consuming when querying a network-based group
Most operating systems provide an efficient method of performing
supports efficient group queries on AIX, BSD, HP-UX, Linux and
Only query the group database if the static group list returned
by the kernel has the maximum number of entries.
This is the default behavior in
For example, to cause
to only use the kernel's static list of groups for the user:
Set group_source static
This setting is only available in
version 1.8.7 and higher.
The maximum number of user groups to retrieve from the group database.
This setting is only used when querying the group database directly.
It is intended to be used on systems where it is not possible to detect
when the array to be populated with group entries is not sufficiently large.
will allocate four times the system's maximum number of groups (see above)
and retry with double that number if the group database query fails.
However, some systems just return as many entries as will fit and
do not indicate an error when there is a lack of space.
This setting is only available in
version 1.8.7 and higher.
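The group_source and max_groups behaviour described above, as an added example that is not sudo's own code: the kernel group list and the getgrouplist(3)-style database call are injected so it runs offline, and well_behaved_getgrouplist and truncating_getgrouplist are constructed stand-ins for the two kinds of systems the text contrasts (one reports a too-small buffer, the other silently returns what fits).

```python
from typing import Callable, List, Tuple

GetGroupList = Callable[[int], Tuple[bool, List[int]]]   # buffer size -> (ok, groups)

def query_group_database(getgrouplist_fn: GetGroupList, ngroups_max: int,
                         max_groups: int = 0) -> List[int]:
    """Start with a buffer of 4 * ngroups_max and double it while the call
    reports failure; if max_groups is set, use that size once instead."""
    if max_groups > 0:
        return getgrouplist_fn(max_groups)[1]
    size = 4 * ngroups_max
    while True:
        ok, groups = getgrouplist_fn(size)
        if ok:
            return groups
        size *= 2

def resolve_group_list(source: str, kernel_groups: List[int], ngroups_max: int,
                       getgrouplist_fn: GetGroupList, max_groups: int = 0
                       ) -> Tuple[List[int], bool]:
    """Return (group list, database_was_queried) for a group_source value:
    static - kernel list only; dynamic - always query the database;
    adaptive - query only when the kernel list is full and may be truncated."""
    if source == "static":
        return list(kernel_groups), False
    if source == "dynamic" or (source == "adaptive" and len(kernel_groups) >= ngroups_max):
        return query_group_database(getgrouplist_fn, ngroups_max, max_groups), True
    if source == "adaptive":
        return list(kernel_groups), False
    raise ValueError(f"unknown group_source {source!r}")

# Constructed scenario: NGROUPS_MAX of 16 and a user in 100 groups, so the
# kernel list holds only the first 16 and the database has the full set.
NGROUPS_MAX = 16
ALL_GROUPS = list(range(1000, 1100))
KERNEL_GROUPS = ALL_GROUPS[:NGROUPS_MAX]

def well_behaved_getgrouplist(size: int) -> Tuple[bool, List[int]]:
    """Reports failure when the buffer cannot hold every group (64 fails, 128 works)."""
    return len(ALL_GROUPS) <= size, ALL_GROUPS[:size]

def truncating_getgrouplist(size: int) -> Tuple[bool, List[int]]:
    """Returns as many entries as fit and never reports an error: the case max_groups exists for."""
    return True, ALL_GROUPS[:size]
```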
versions 1.8.4 and higher support a flexible debugging framework
that can help track down what
is doing internally if there is a problem.
keyword, followed by the name of the program (or plugin) to debug
(\fBsudo\fR, \fBvisudo\fR, \fBsudoreplay\fR, \fBsudoers\fR),
the debug file name and a comma-separated list of debug flags. The
debug flag syntax used by
\fIsubsystem\fR@\fIpriority\fR
but a plugin is free to use a different format so long as it does
Debug sudo /var/log/sudo_debug all@warn,plugin@info
would log all debugging statements at the
level and higher in addition to those at the
level for the plugin subsystem.
entry per program is supported. The
entry is shared by the
and the plugins. A future release may add support for per-plugin
lines and/or support for multiple debugging files for a single
The priorities used by the
front end, in order of decreasing severity, are:
\fIcrit\fR, \fIerr\fR, \fIwarn\fR, \fInotice\fR, \fIdiag\fR, \fIinfo\fR, \fItrace\fR
Each priority, when specified, also includes all priorities higher
than it. For example, a priority of
would include debug messages logged at
The following subsystems are used by the
matches every subsystem
command line argument processing
network interface handling
communication with the plugin
pseudo-tty related code
SELinux-specific handling
sudoers(@mansectform@)
plugin includes support for additional subsystems.
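An added example, not from the sudo sources, that parses the sudo.conf syntax described above (comments, backslash continuation with leading white space removed, and the Plugin, Path, Set and Debug directives) and evaluates a Debug line's subsystem@priority flags against the front end's priority order. PLUGINDIR is an assumed stand-in for @PLUGINDIR@ and SAMPLE_CONF is a constructed file; lines with any other keyword are simply skipped here.

```python
PLUGINDIR = "/usr/local/libexec/sudo"   # assumed stand-in for @PLUGINDIR@
# Front-end priorities in order of decreasing severity, as listed on the page.
PRIORITIES = ["crit", "err", "warn", "notice", "diag", "info", "trace"]

def logical_lines(text):
    """Yield logical lines: '#' starts a comment, a trailing backslash continues
    the line, and leading white space is removed even on continued lines."""
    buf = ""
    for raw in text.splitlines():
        line = raw.lstrip().split("#", 1)[0]
        if line.endswith("\\"):          # continuation: keep collecting
            buf += line[:-1]
            continue
        if (buf + line).strip():
            yield (buf + line).strip()
        buf = ""

def parse_debug_flags(spec):
    """'all@warn,plugin@info' -> {'all': 'warn', 'plugin': 'info'}."""
    flags = {}
    for item in spec.split(","):
        subsystem, _, priority = item.partition("@")
        if priority not in PRIORITIES:
            raise ValueError(f"unknown debug priority in {item!r}")
        flags[subsystem] = priority
    return flags

def would_log(flags, subsystem, priority):
    """A flag at priority P also includes every priority more severe than P."""
    return any(sub in flags and PRIORITIES.index(priority) <= PRIORITIES.index(flags[sub])
               for sub in (subsystem, "all"))

def parse_sudo_conf(text):
    """Collect Plugin, Path, Set and Debug directives; a Plugin path that is
    not fully qualified is taken relative to PLUGINDIR."""
    conf = {"Plugin": [], "Path": {}, "Set": {}, "Debug": {}}
    for line in logical_lines(text):
        kw, *args = line.split()
        if kw == "Plugin" and len(args) >= 2:
            path = args[1] if args[1].startswith("/") else f"{PLUGINDIR}/{args[1]}"
            conf["Plugin"].append({"symbol": args[0], "path": path, "options": args[2:]})
        elif kw in ("Path", "Set") and len(args) == 2:
            conf[kw][args[0]] = args[1]
        elif kw == "Debug" and len(args) == 3:
            conf["Debug"][args[0]] = {"file": args[1], "flags": parse_debug_flags(args[2])}
    return conf

SAMPLE_CONF = r"""
# constructed sample, not a real host's sudo.conf
Plugin sudoers_policy sudoers.so sudoers_mode=0440
Set disable_coredump \
    false
Debug sudo /var/log/sudo_debug all@warn,plugin@info   # trailing comment
"""
```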
\fI@sysconfdir@/sudo.conf\fR
front end configuration
# Default @sysconfdir@/sudo.conf file
# Plugin plugin_name plugin_path plugin_options ...
# Path askpass /path/to/askpass
# Path noexec /path/to/sudo_noexec.so
# Debug sudo /var/log/sudo_debug all@warn
# Set disable_coredump true
# The plugin_path is relative to @PLUGINDIR@ unless
# The plugin_name corresponds to a global symbol in the plugin
# that contains the plugin interface structure.
# The plugin_options are optional.
# The sudoers plugin is used by default if no Plugin lines are
Plugin sudoers_policy sudoers.so
Plugin sudoers_io sudoers.so
# An askpass helper program may be specified to provide a graphical
# password prompt for "sudo -A" support. Sudo does not ship with
# its own askpass program but can use the OpenSSH askpass.
# Use the OpenSSH askpass
#Path askpass /usr/X11R6/bin/ssh-askpass
# Use the Gnome OpenSSH askpass
#Path askpass /usr/libexec/openssh/gnome-ssh-askpass
# Path to a shared library containing dummy versions of the execv(),
# execve() and fexecve() library functions that just return an error.
# This is used to implement the "noexec" functionality on systems that
# support LD_PRELOAD or its equivalent.
# The compiled-in value is usually sufficient and should only be
# changed if you rename or move the sudo_noexec.so file.
#Path noexec @noexec_file@
# By default, sudo disables core dumps while it is executing
# (they are re-enabled for the command that is run).
# To aid in debugging sudo problems, you may wish to enable core
# dumps by setting "disable_coredump" to false.
#Set disable_coredump false
# Sudo passes the user's group list to the policy plugin.
# If the user is a member of the maximum number of groups (usually 16),
# sudo will query the group database directly to be sure to include
# the full list of groups.
# On some systems, this can be expensive so the behavior is configurable.
# The "group_source" setting has three possible values:
# static - use the user's list of groups returned by the kernel.
# dynamic - query the group database to find the list of groups.
# adaptive - if user is in less than the maximum number of groups.
# use the kernel list, else query the group database.
#Set group_source static
sudoers(@mansectform@),
sudo_plugin(@mansectsu@)
See the HISTORY file in the
distribution (http://www.sudo.ws/sudo/history.html) for a brief
Many people have worked on
over the years; this version consists of code written primarily by:
See the CONTRIBUTORS file in the
distribution (http://www.sudo.ws/sudo/contributors.html) for an
exhaustive list of people who have contributed to
If you feel you have found a bug in
please submit a bug report at http://www.sudo.ws/sudo/bugs/
Limited free support is available via the sudo-users mailing list,
see http://www.sudo.ws/mailman/listinfo/sudo-users to subscribe or
and any express or implied warranties, including, but not limited
to, the implied warranties of merchantability and fitness for a
particular purpose are disclaimed.
See the LICENSE file distributed with
or http://www.sudo.ws/sudo/license.html for complete details.