D\bDE\bES\bSC\bCR\bRI\bIP\bPT\bTI\bIO\bON\bN
Starting with version 1.8, s\bsu\bud\bdo\bo supports a plugin API for policy and
- session logging. By default, the _\bs_\bu_\bd_\bo_\be_\br_\bs policy plugin and an associated
+ session logging. By default, the s\bsu\bud\bdo\boe\ber\brs\bs policy plugin and an associated
I/O logging plugin are used. Via the plugin API, s\bsu\bud\bdo\bo can be configured
to use alternate policy and/or I/O logging plugins provided by third
- parties. The plugins to be used are specified via the _\b/_\be_\bt_\bc_\b/_\bs_\bu_\bd_\bo_\b._\bc_\bo_\bn_\bf
- file.
+ parties. The plugins to be used are specified in the sudo.conf(4) file.
The API is versioned with a major and minor number. The minor version
number is incremented when additions are made. The major number is
The plugin API is defined by the sudo_plugin.h header file.
- T\bTh\bhe\be s\bsu\bud\bdo\bo.\b.c\bco\bon\bnf\bf f\bfi\bil\ble\be
- The _\b/_\be_\bt_\bc_\b/_\bs_\bu_\bd_\bo_\b._\bc_\bo_\bn_\bf file contains plugin configuration directives. The
- primary keyword is the Plugin directive, which causes a plugin to be
- loaded.
-
- A Plugin line consists of the Plugin keyword, followed by the _\bs_\by_\bm_\bb_\bo_\bl_\b__\bn_\ba_\bm_\be
- and the _\bp_\ba_\bt_\bh to the shared object containing the plugin. The _\bs_\by_\bm_\bb_\bo_\bl_\b__\bn_\ba_\bm_\be
- is the name of the struct policy_plugin or struct io_plugin in the plugin
- shared object. The _\bp_\ba_\bt_\bh may be fully qualified or relative. If not
- fully qualified it is relative to the _\b/_\bu_\bs_\br_\b/_\bl_\bo_\bc_\ba_\bl_\b/_\bl_\bi_\bb_\be_\bx_\be_\bc directory. Any
- additional parameters after the _\bp_\ba_\bt_\bh are passed as options to the
- plugin's o\bop\bpe\ben\bn() function. Lines that don't begin with Plugin, Path,
- Debug or Set are silently ignored.
-
- The same shared object may contain multiple plugins, each with a
- different symbol name. The shared object file must be owned by uid 0 and
- only writable by its owner. Because of ambiguities that arise from
- composite policies, only a single policy plugin may be specified. This
- limitation does not apply to I/O plugins.
-
- #
- # Default /etc/sudo.conf file
- #
- # Format:
- # Plugin plugin_name plugin_path plugin_options ...
- # Path askpass /path/to/askpass
- # Path noexec /path/to/sudo_noexec.so
- # Debug sudo /var/log/sudo_debug all@warn
- # Set disable_coredump true
- #
- # The plugin_path is relative to /usr/local/libexec unless
- # fully qualified.
- # The plugin_name corresponds to a global symbol in the plugin
- # that contains the plugin interface structure.
- # The plugin_options are optional.
- #
- Plugin sudoers_policy sudoers.so
- Plugin sudoers_io sudoers.so
-
P\bPo\bol\bli\bic\bcy\by p\bpl\blu\bug\bgi\bin\bn A\bAP\bPI\bI
A policy plugin must declare and populate a policy_plugin struct in the
global scope. This structure contains pointers to the functions that
implement the s\bsu\bud\bdo\bo policy checks. The name of the symbol should be
- specified in _\b/_\be_\bt_\bc_\b/_\bs_\bu_\bd_\bo_\b._\bc_\bo_\bn_\bf along with a path to the plugin so that s\bsu\bud\bdo\bo
+ specified in sudo.conf(4) along with a path to the plugin so that s\bsu\bud\bdo\bo
can load it.
struct policy_plugin {
equal sign (`=') since the _\bn_\ba_\bm_\be field will never include one
itself but the _\bv_\ba_\bl_\bu_\be might.
+ bsdauth_type=string
+ Authentication type, if specified by the -\b-a\ba flag, to
+ use on systems where BSD authentication is supported.
+
+ closefrom=number
+ If specified, the user has requested via the -\b-C\bC flag
+ that s\bsu\bud\bdo\bo close all files descriptors with a value of
+ _\bn_\bu_\bm_\bb_\be_\br or higher. The plugin may optionally pass this,
+ or another value, back in the _\bc_\bo_\bm_\bm_\ba_\bn_\bd_\b__\bi_\bn_\bf_\bo list.
+
debug_flags=string
A comma-separated list of debug flags that correspond
- to s\bsu\bud\bdo\bo's Debug entry in _\b/_\be_\bt_\bc_\b/_\bs_\bu_\bd_\bo_\b._\bc_\bo_\bn_\bf, if there is
- one. The flags are passed to the plugin as they appear
- in _\b/_\be_\bt_\bc_\b/_\bs_\bu_\bd_\bo_\b._\bc_\bo_\bn_\bf. The syntax used by s\bsu\bud\bdo\bo and the
- _\bs_\bu_\bd_\bo_\be_\br_\bs plugin is _\bs_\bu_\bb_\bs_\by_\bs_\bt_\be_\bm@_\bp_\br_\bi_\bo_\br_\bi_\bt_\by but the plugin is
- free to use a different format so long as it does not
- include a comma (`,').
-
- For reference, the priorities supported by the s\bsu\bud\bdo\bo
- front end and _\bs_\bu_\bd_\bo_\be_\br_\bs are: _\bc_\br_\bi_\bt, _\be_\br_\br, _\bw_\ba_\br_\bn, _\bn_\bo_\bt_\bi_\bc_\be,
- _\bd_\bi_\ba_\bg, _\bi_\bn_\bf_\bo, _\bt_\br_\ba_\bc_\be and _\bd_\be_\bb_\bu_\bg.
-
- The following subsystems are defined: _\bm_\ba_\bi_\bn, _\bm_\be_\bm_\bo_\br_\by,
- _\ba_\br_\bg_\bs, _\be_\bx_\be_\bc, _\bp_\bt_\by, _\bu_\bt_\bm_\bp, _\bc_\bo_\bn_\bv, _\bp_\bc_\bo_\bm_\bm, _\bu_\bt_\bi_\bl, _\bl_\bi_\bs_\bt, _\bn_\be_\bt_\bi_\bf,
- _\ba_\bu_\bd_\bi_\bt, _\be_\bd_\bi_\bt, _\bs_\be_\bl_\bi_\bn_\bu_\bx, _\bl_\bd_\ba_\bp, _\bm_\ba_\bt_\bc_\bh, _\bp_\ba_\br_\bs_\be_\br, _\ba_\bl_\bi_\ba_\bs,
- _\bd_\be_\bf_\ba_\bu_\bl_\bt_\bs, _\ba_\bu_\bt_\bh, _\be_\bn_\bv, _\bl_\bo_\bg_\bg_\bi_\bn_\bg, _\bn_\bs_\bs, _\br_\bb_\bt_\br_\be_\be, _\bp_\be_\br_\bm_\bs,
- _\bp_\bl_\bu_\bg_\bi_\bn. The subsystem _\ba_\bl_\bl includes every subsystem.
-
- There is not currently a way to specify a set of debug
- flags specific to the plugin--the flags are shared by
- s\bsu\bud\bdo\bo and the plugin.
+ to s\bsu\bud\bdo\bo's Debug entry in sudo.conf(4), if there is one.
+ The flags are passed to the plugin as they appear in
+ sudo.conf(4). The syntax used by s\bsu\bud\bdo\bo and the s\bsu\bud\bdo\boe\ber\brs\bs
+ plugin is _\bs_\bu_\bb_\bs_\by_\bs_\bt_\be_\bm@_\bp_\br_\bi_\bo_\br_\bi_\bt_\by but the plugin is free to
+ use a different format so long as it does not include a
+ comma (`,'). There is not currently a way to specify a
+ set of debug flags specific to the plugin--the flags
+ are shared by s\bsu\bud\bdo\bo and the plugin.
debug_level=number
This setting has been deprecated in favor of
_\bd_\be_\bb_\bu_\bg_\b__\bf_\bl_\ba_\bg_\bs.
- runas_user=string
- The user name or uid to to run the command as, if
- specified via the -\b-u\bu flag.
+ ignore_ticket=bool
+ Set to true if the user specified the -\b-k\bk flag along
+ with a command, indicating that the user wishes to
+ ignore any cached authentication credentials.
+ _\bi_\bm_\bp_\bl_\bi_\be_\bd_\b__\bs_\bh_\be_\bl_\bl to true. This allows s\bsu\bud\bdo\bo with no
+ arguments to be used similarly to su(1). If the plugin
+ does not to support this usage, it may return a value
+ of -2 from the c\bch\bhe\bec\bck\bk_\b_p\bpo\bol\bli\bic\bcy\by() function, which will
+ cause s\bsu\bud\bdo\bo to print a usage message and exit.
- runas_group=string
- The group name or gid to to run the command as, if
- specified via the -\b-g\bg flag.
+ implied_shell=bool
+ If the user does not specify a program on the command
+ line, s\bsu\bud\bdo\bo will pass the plugin the path to the user's
+ shell and set
- prompt=string
- The prompt to use when requesting a password, if
- specified via the -\b-p\bp flag.
+ login_class=string
+ BSD login class to use when setting resource limits and
+ nice value, if specified by the -\b-c\bc flag.
- set_home=bool
- Set to true if the user specified the -\b-H\bH flag. If
- true, set the HOME environment variable to the target
- user's home directory.
+ login_shell=bool
+ Set to true if the user specified the -\b-i\bi flag,
+ indicating that the user wishes to run a login shell.
+
+ max_groups=int
+ The maximum number of groups a user may belong to.
+ This will only be present if there is a corresponding
+ setting in sudo.conf(4).
+
+ network_addrs=list
+ A space-separated list of IP network addresses and
+ netmasks in the form ``addr/netmask'', e.g.
+ ``192.168.1.2/255.255.255.0''. The address and netmask
+ pairs may be either IPv4 or IPv6, depending on what the
+ operating system supports. If the address contains a
+ colon (`:'), it is an IPv6 address, else it is IPv4.
+
+ noninteractive=bool
+ Set to true if the user specified the -\b-n\bn flag,
+ indicating that s\bsu\bud\bdo\bo should operate in non-interactive
+ mode. The plugin may reject a command run in non-
+ interactive mode if user interaction is required.
+
+ plugin_dir=string
+ The default plugin directory used by the s\bsu\bud\bdo\bo front
+ end. This is the default directory set at compile time
+ and may not correspond to the directory the running
+ plugin was loaded from. It may be used by a plugin to
+ locate support files.
preserve_environment=bool
Set to true if the user specified the -\b-E\bE flag,
indicating that the user wishes to preserve the
environment.
- run_shell=bool
- Set to true if the user specified the -\b-s\bs flag,
- indicating that the user wishes to run a shell.
-
- login_shell=bool
- Set to true if the user specified the -\b-i\bi flag,
- indicating that the user wishes to run a login shell.
-
- implied_shell=bool
- If the user does not specify a program on the command
- line, s\bsu\bud\bdo\bo will pass the plugin the path to the user's
- shell and set _\bi_\bm_\bp_\bl_\bi_\be_\bd_\b__\bs_\bh_\be_\bl_\bl to true. This allows s\bsu\bud\bdo\bo
- with no arguments to be used similarly to su(1). If
- the plugin does not to support this usage, it may
- return a value of -2 from the c\bch\bhe\bec\bck\bk_\b_p\bpo\bol\bli\bic\bcy\by() function,
- which will cause s\bsu\bud\bdo\bo to print a usage message and
- exit.
-
preserve_groups=bool
Set to true if the user specified the -\b-P\bP flag,
indicating that the user wishes to preserve the group
vector instead of setting it based on the runas user.
- ignore_ticket=bool
- Set to true if the user specified the -\b-k\bk flag along
- with a command, indicating that the user wishes to
- ignore any cached authentication credentials.
+ progname=string
+ The command name that sudo was run as, typically
+ ``sudo'' or ``sudoedit''.
- noninteractive=bool
- Set to true if the user specified the -\b-n\bn flag,
- indicating that s\bsu\bud\bdo\bo should operate in non-interactive
- mode. The plugin may reject a command run in non-
- interactive mode if user interaction is required.
+ prompt=string
+ The prompt to use when requesting a password, if
+ specified via the -\b-p\bp flag.
- login_class=string
- BSD login class to use when setting resource limits and
- nice value, if specified by the -\b-c\bc flag.
+ run_shell=bool
+ Set to true if the user specified the -\b-s\bs flag,
+ indicating that the user wishes to run a shell.
+
+ runas_group=string
+ The group name or gid to to run the command as, if
+ specified via the -\b-g\bg flag.
+
+ runas_user=string
+ The user name or uid to to run the command as, if
+ specified via the -\b-u\bu flag.
selinux_role=string
SELinux role to use when executing the command, if
SELinux type to use when executing the command, if
specified by the -\b-t\bt flag.
- bsdauth_type=string
- Authentication type, if specified by the -\b-a\ba flag, to
- use on systems where BSD authentication is supported.
-
- network_addrs=list
- A space-separated list of IP network addresses and
- netmasks in the form ``addr/netmask'', e.g.
- ``192.168.1.2/255.255.255.0''. The address and netmask
- pairs may be either IPv4 or IPv6, depending on what the
- operating system supports. If the address contains a
- colon (`:'), it is an IPv6 address, else it is IPv4.
-
- progname=string
- The command name that sudo was run as, typically
- ``sudo'' or ``sudoedit''.
+ set_home=bool
+ Set to true if the user specified the -\b-H\bH flag. If
+ true, set the HOME environment variable to the target
+ user's home directory.
sudoedit=bool
Set to true when the -\b-e\be flag is is specified or if
support _\bs_\bu_\bd_\bo_\be_\bd_\bi_\bt. For more information, see the
_\bc_\bh_\be_\bc_\bk_\b__\bp_\bo_\bl_\bi_\bc_\by section.
- closefrom=number
- If specified, the user has requested via the -\b-C\bC flag
- that s\bsu\bud\bdo\bo close all files descriptors with a value of
- _\bn_\bu_\bm_\bb_\be_\br or higher. The plugin may optionally pass this,
- or another value, back in the _\bc_\bo_\bm_\bm_\ba_\bn_\bd_\b__\bi_\bn_\bf_\bo list.
-
Additional settings may be added in the future so the plugin
should silently ignore settings that it does not recognize.
equal sign (`=') since the _\bn_\ba_\bm_\be field will never include one
itself but the _\bv_\ba_\bl_\bu_\be might.
- pid=int
- The process ID of the running s\bsu\bud\bdo\bo process. Only
- available starting with API version 1.2
-
- ppid=int
- The parent process ID of the running s\bsu\bud\bdo\bo process.
- Only available starting with API version 1.2
-
- sid=int
- The session ID of the running s\bsu\bud\bdo\bo process or 0 if s\bsu\bud\bdo\bo
- is not part of a POSIX job control session. Only
- available starting with API version 1.2
-
- pgid=int
- The ID of the process group that the running s\bsu\bud\bdo\bo
- process belongs to. Only available starting with API
- version 1.2
+ cols=int
+ The number of columns the user's terminal supports. If
+ there is no terminal device available, a default value
+ of 80 is used.
- tcpgid=int
- The ID of the forground process group associated with
- the terminal device associcated with the s\bsu\bud\bdo\bo process
- or -1 if there is no terminal present. Only available
- starting with API version 1.2
+ cwd=string
+ The user's current working directory.
- user=string
- The name of the user invoking s\bsu\bud\bdo\bo.
+ egid=gid_t
+ The effective group ID of the user invoking s\bsu\bud\bdo\bo.
euid=uid_t
The effective user ID of the user invoking s\bsu\bud\bdo\bo.
- uid=uid_t
- The real user ID of the user invoking s\bsu\bud\bdo\bo.
-
- egid=gid_t
- The effective group ID of the user invoking s\bsu\bud\bdo\bo.
-
gid=gid_t
The real group ID of the user invoking s\bsu\bud\bdo\bo.
The user's supplementary group list formatted as a
string of comma-separated group IDs.
- cwd=string
- The user's current working directory.
-
- tty=string
- The path to the user's terminal device. If the user
- has no terminal device associated with the session, the
- value will be empty, as in ``tty=''.
-
host=string
The local machine's hostname as returned by the
gethostname(2) system call.
there is no terminal device available, a default value
of 24 is used.
- cols=int
- The number of columns the user's terminal supports. If
- there is no terminal device available, a default value
- of 80 is used.
+ pgid=int
+ The ID of the process group that the running s\bsu\bud\bdo\bo
+ process is a member of. Only available starting with
+ API version 1.2
+
+ pid=int
+ The process ID of the running s\bsu\bud\bdo\bo process. Only
+ available starting with API version 1.2
+
+ plugin_options
+ Any (non-comment) strings immediately after the plugin
+ path are passed as arguments to the plugin. These
+ arguments are split on a white space boundary and are
+ passed to the plugin in the form of a NULL-terminated
+ array of strings. If no arguments were specified,
+ _\bp_\bl_\bu_\bg_\bi_\bn_\b__\bo_\bp_\bt_\bi_\bo_\bn_\bs will be the NULL pointer.
+
+ NOTE: the _\bp_\bl_\bu_\bg_\bi_\bn_\b__\bo_\bp_\bt_\bi_\bo_\bn_\bs parameter is only available
+ starting with API version 1.2. A plugin m\bmu\bus\bst\bt check the
+ API version specified by the s\bsu\bud\bdo\bo front end before
+ using _\bp_\bl_\bu_\bg_\bi_\bn_\b__\bo_\bp_\bt_\bi_\bo_\bn_\bs. Failure to do so may result in a
+ crash.
+
+ ppid=int
+ The parent process ID of the running s\bsu\bud\bdo\bo process.
+ Only available starting with API version 1.2
+
+ sid=int
+ The session ID of the running s\bsu\bud\bdo\bo process or 0 if s\bsu\bud\bdo\bo
+ is not part of a POSIX job control session. Only
+ available starting with API version 1.2
+
+ tcpgid=int
+ The ID of the foreground process group associated with
+ the terminal device associated with the s\bsu\bud\bdo\bo process or
+ -1 if there is no terminal present. Only available
+ starting with API version 1.2
+
+ tty=string
+ The path to the user's terminal device. If the user
+ has no terminal device associated with the session, the
+ value will be empty, as in ``tty=''.
+
+ uid=uid_t
+ The real user ID of the user invoking s\bsu\bud\bdo\bo.
+
+ user=string
+ The name of the user invoking s\bsu\bud\bdo\bo.
user_env
The user's environment in the form of a NULL-terminated
equal sign (`=') since the _\bn_\ba_\bm_\be field will never include one
itself but the _\bv_\ba_\bl_\bu_\be might.
- plugin_options
- Any (non-comment) strings immediately after the plugin path
- are treated as arguments to the plugin. These arguments are
- split on a white space boundary and are passed to the plugin
- in the form of a NULL-terminated array of strings. If no
- arguments were specified, _\bp_\bl_\bu_\bg_\bi_\bn_\b__\bo_\bp_\bt_\bi_\bo_\bn_\bs will be the NULL
- pointer.
-
- NOTE: the _\bp_\bl_\bu_\bg_\bi_\bn_\b__\bo_\bp_\bt_\bi_\bo_\bn_\bs parameter is only available starting
- with API version 1.2. A plugin m\bmu\bus\bst\bt check the API version
- specified by the s\bsu\bud\bdo\bo front end before using _\bp_\bl_\bu_\bg_\bi_\bn_\b__\bo_\bp_\bt_\bi_\bo_\bn_\bs.
- Failure to do so may result in a crash.
-
close
void (*close)(int exit_status, int error);
c\bco\bon\bnv\bve\ber\brs\bsa\bat\bti\bio\bon\bn() or p\bpl\blu\bug\bgi\bin\bn_\b_p\bpr\bri\bin\bnt\btf\bf() function. If the command
was successfully executed, the value of error is 0.
+ If no c\bcl\blo\bos\bse\be() function is defined, no I/O logging plugins are
+ loaded, and neither the _\bt_\bi_\bm_\be_\bo_\bu_\bt not _\bu_\bs_\be_\b__\bp_\bt_\by options are set in the
+ command_info list, the s\bsu\bud\bdo\bo front end may execute the command
+ directly instead of running it as a child process.
+
show_version
int (*show_version)(int verbose);
must be terminated with a NULL pointer. The following values
are recognized by s\bsu\bud\bdo\bo:
- command=string
- Fully qualified path to the command to be executed.
-
- runas_uid=uid
- User ID to run the command as.
-
- runas_euid=uid
- Effective user ID to run the command as. If not
- specified, the value of _\br_\bu_\bn_\ba_\bs_\b__\bu_\bi_\bd is used.
-
- runas_gid=gid
- Group ID to run the command as.
-
- runas_egid=gid
- Effective group ID to run the command as. If not
- specified, the value of _\br_\bu_\bn_\ba_\bs_\b__\bg_\bi_\bd is used.
-
- runas_groups=list
- The supplementary group vector to use for the command
- in the form of a comma-separated list of group IDs. If
- _\bp_\br_\be_\bs_\be_\br_\bv_\be_\b__\bg_\br_\bo_\bu_\bp_\bs is set, this option is ignored.
+ chroot=string
+ The root directory to use when running the command.
- login_class=string
- BSD login class to use when setting resource limits and
- nice value (optional). This option is only set on
- systems that support login classes.
+ closefrom=number
+ If specified, s\bsu\bud\bdo\bo will close all files descriptors
+ with a value of _\bn_\bu_\bm_\bb_\be_\br or higher.
- preserve_groups=bool
- If set, s\bsu\bud\bdo\bo will preserve the user's group vector
- instead of initializing the group vector based on
- runas_user.
+ command=string
+ Fully qualified path to the command to be executed.
cwd=string
The current working directory to change to when
executing the command.
- noexec=bool
- If set, prevent the command from executing other
- programs.
-
- chroot=string
- The root directory to use when running the command.
-
- nice=int
- Nice value (priority) to use when executing the
- command. The nice value, if specified, overrides the
- priority associated with the _\bl_\bo_\bg_\bi_\bn_\b__\bc_\bl_\ba_\bs_\bs on BSD
- systems.
-
- umask=octal
- The file creation mask to use when executing the
- command.
-
- selinux_role=string
- SELinux role to use when executing the command.
-
- selinux_type=string
- SELinux type to use when executing the command.
-
- timeout=int
- Command timeout. If non-zero then when the timeout
- expires the command will be killed.
-
- sudoedit=bool
- Set to true when in _\bs_\bu_\bd_\bo_\be_\bd_\bi_\bt mode. The plugin may
- enable _\bs_\bu_\bd_\bo_\be_\bd_\bi_\bt mode even if s\bsu\bud\bdo\bo was not invoked as
- s\bsu\bud\bdo\boe\bed\bdi\bit\bt. This allows the plugin to perform command
- substitution and transparently enable _\bs_\bu_\bd_\bo_\be_\bd_\bi_\bt when the
- user attempts to run an editor.
-
- closefrom=number
- If specified, s\bsu\bud\bdo\bo will close all files descriptors
- with a value of _\bn_\bu_\bm_\bb_\be_\br or higher.
+ exec_background=bool
+ By default, s\bsu\bud\bdo\bo runs a command as the foreground
+ process as long as s\bsu\bud\bdo\bo itself is running in the
+ foreground. When _\be_\bx_\be_\bc_\b__\bb_\ba_\bc_\bk_\bg_\br_\bo_\bu_\bn_\bd is enabled and the
+ command is being run in a pty (due to I/O logging or
+ the _\bu_\bs_\be_\b__\bp_\bt_\by setting), the command will be run as a
+ background process. Attempts to read from the
+ controlling terminal (or to change terminal settings)
+ will result in the command being suspended with the
+ SIGTTIN signal (or SIGTTOU in the case of terminal
+ settings). If this happens when s\bsu\bud\bdo\bo is a foreground
+ process, the command will be granted the controlling
+ terminal and resumed in the foreground with no user
+ intervention required. The advantage of initially
+ running the command in the background is that s\bsu\bud\bdo\bo need
+ not read from the terminal unless the command
+ explicitly requests it. Otherwise, any terminal input
+ must be passed to the command, whether it has required
+ it or not (the kernel buffers terminals so it is not
+ possible to tell whether the command really wants the
+ input). This is different from historic _\bs_\bu_\bd_\bo behavior
+ or when the command is not being run in a pty.
+
+ For this to work seamlessly, the operating system must
+ support the automatic restarting of system calls.
+ Unfortunately, not all operating systems do this by
+ default, and even those that do may have bugs. For
+ example, Mac OS X fails to restart the t\btc\bcg\bge\bet\bta\bat\btt\btr\br() and
+ t\btc\bcs\bse\bet\bta\bat\btt\btr\br() system calls (this is a bug in Mac OS X).
+ Furthermore, because this behavior depends on the
+ command stopping with the SIGTTIN or SIGTTOU signals,
+ programs that catch these signals and suspend
+ themselves with a different signal (usually SIGTOP)
+ will not be automatically foregrounded. Some versions
+ of the linux su(1) command behave this way. Because of
+ this, a plugin should not set _\be_\bx_\be_\bc_\b__\bb_\ba_\bc_\bk_\bg_\br_\bo_\bu_\bn_\bd unless it
+ is explicitly enabled by the administrator and there
+ should be a way to enabled or disable it on a per-
+ command basis.
+
+ This setting has no effect unless I/O logging is
+ enabled or _\bu_\bs_\be_\b__\bp_\bt_\by is enabled.
iolog_compress=bool
Set to true if the I/O logging plugins, if any, should
hint to the I/O logging plugin which may choose to
ignore it.
- use_pty=bool
- Allocate a pseudo-tty to run the command in, regardless
- of whether or not I/O logging is in use. By default,
- s\bsu\bud\bdo\bo will only run the command in a pty when an I/O log
- plugin is loaded.
+ login_class=string
+ BSD login class to use when setting resource limits and
+ nice value (optional). This option is only set on
+ systems that support login classes.
+
+ nice=int
+ Nice value (priority) to use when executing the
+ command. The nice value, if specified, overrides the
+ priority associated with the _\bl_\bo_\bg_\bi_\bn_\b__\bc_\bl_\ba_\bs_\bs on BSD
+ systems.
+
+ noexec=bool
+ If set, prevent the command from executing other
+ programs.
+
+ preserve_groups=bool
+ If set, s\bsu\bud\bdo\bo will preserve the user's group vector
+ instead of initializing the group vector based on
+ runas_user.
+
+ runas_egid=gid
+ Effective group ID to run the command as. If not
+ specified, the value of _\br_\bu_\bn_\ba_\bs_\b__\bg_\bi_\bd is used.
+
+ runas_euid=uid
+ Effective user ID to run the command as. If not
+ specified, the value of _\br_\bu_\bn_\ba_\bs_\b__\bu_\bi_\bd is used.
+
+ runas_gid=gid
+ Group ID to run the command as.
+
+ runas_groups=list
+ The supplementary group vector to use for the command
+ in the form of a comma-separated list of group IDs. If
+ _\bp_\br_\be_\bs_\be_\br_\bv_\be_\b__\bg_\br_\bo_\bu_\bp_\bs is set, this option is ignored.
+
+ runas_uid=uid
+ User ID to run the command as.
+
+ selinux_role=string
+ SELinux role to use when executing the command.
+
+ selinux_type=string
+ SELinux type to use when executing the command.
set_utmp=bool
Create a utmp (or utmpx) entry when a pseudo-tty is
the user's existing utmp entry (if any), with the tty,
time, type and pid fields updated.
+ sudoedit=bool
+ Set to true when in _\bs_\bu_\bd_\bo_\be_\bd_\bi_\bt mode. The plugin may
+ enable _\bs_\bu_\bd_\bo_\be_\bd_\bi_\bt mode even if s\bsu\bud\bdo\bo was not invoked as
+ s\bsu\bud\bdo\boe\bed\bdi\bit\bt. This allows the plugin to perform command
+ substitution and transparently enable _\bs_\bu_\bd_\bo_\be_\bd_\bi_\bt when the
+ user attempts to run an editor.
+
+ timeout=int
+ Command timeout. If non-zero then when the timeout
+ expires the command will be killed.
+
+ umask=octal
+ The file creation mask to use when executing the
+ command.
+
+ use_pty=bool
+ Allocate a pseudo-tty to run the command in, regardless
+ of whether or not I/O logging is in use. By default,
+ s\bsu\bud\bdo\bo will only run the command in a pty when an I/O log
+ plugin is loaded.
+
utmp_user=string
User name to use when constructing a new utmp (or
utmpx) entry when _\bs_\be_\bt_\b__\bu_\bt_\bm_\bp is enabled. This option can
int (*validate)(void);
The v\bva\bal\bli\bid\bda\bat\bte\be() function is called when s\bsu\bud\bdo\bo is run with the -\b-v\bv
- flag. For policy plugins such as _\bs_\bu_\bd_\bo_\be_\br_\bs that cache authentication
+ flag. For policy plugins such as s\bsu\bud\bdo\boe\ber\brs\bs that cache authentication
credentials, this function will validate and cache the credentials.
The v\bva\bal\bli\bid\bda\bat\bte\be() function should be NULL if the plugin does not
void (*invalidate)(int remove);
The i\bin\bnv\bva\bal\bli\bid\bda\bat\bte\be() function is called when s\bsu\bud\bdo\bo is called with the -\b-k\bk
- or -\b-K\bK flag. For policy plugins such as _\bs_\bu_\bd_\bo_\be_\br_\bs that cache
+ or -\b-K\bK flag. For policy plugins such as s\bsu\bud\bdo\boe\ber\brs\bs that cache
authentication credentials, this function will invalidate the
credentials. If the _\br_\be_\bm_\bo_\bv_\be flag is set, the plugin may remove the
credentials instead of simply invalidating them.
#define SUDO_IO_PLUGIN 2
unsigned int type; /* always SUDO_IO_PLUGIN */
unsigned int version; /* always SUDO_API_VERSION */
- int (*open)(unsigned int version, sudo_conv_t conversation
+ int (*open)(unsigned int version, sudo_conv_t conversation,
sudo_printf_t plugin_printf, char * const settings[],
- char * const user_info[], int argc, char * const argv[],
- char * const user_env[], char * const plugin_options[]);
+ char * const user_info[], char * const command_info[],
+ int argc, char * const argv[], char * const user_env[],
+ char * const plugin_options[]);
void (*close)(int exit_status, int error); /* wait status or error */
int (*show_version)(int verbose);
int (*log_ttyin)(const char *buf, unsigned int len);
against.
open
- int (*open)(unsigned int version, sudo_conv_t conversation
+ int (*open)(unsigned int version, sudo_conv_t conversation,
sudo_printf_t plugin_printf, char * const settings[],
char * const user_info[], int argc, char * const argv[],
char * const user_env[], char * const plugin_options[]);
Same as for the _\bP_\bo_\bl_\bi_\bc_\by _\bp_\bl_\bu_\bg_\bi_\bn _\bA_\bP_\bI.
+ S\bSi\big\bgn\bna\bal\bl h\bha\ban\bnd\bdl\ble\ber\brs\bs
+ The s\bsu\bud\bdo\bo front end installs default signal handlers to trap common
+ signals while the plugin functions are run. The following signals are
+ trapped by default before the command is executed:
+
+ o\bo SIGALRM
+ o\bo SIGHUP
+ o\bo SIGINT
+ o\bo SIGQUIT
+ o\bo SIGTERM
+ o\bo SIGTSTP
+ o\bo SIGUSR1
+ o\bo SIGUSR2
+
+ If a fatal signal is received before the command is executed, s\bsu\bud\bdo\bo will
+ call the plugin's c\bcl\blo\bos\bse\be() function with an exit status of 128 plus the
+ value of the signal that was received. This allows for consistent
+ logging of commands killed by a signal for plugins that log such
+ information in their c\bcl\blo\bos\bse\be() function.
+
+ A plugin may temporarily install its own signal handlers but must restore
+ the original handler before the plugin function returns.
+
H\bHo\boo\bok\bk f\bfu\bun\bnc\bct\bti\bio\bon\bn A\bAP\bPI\bI
Beginning with plugin API version 1.2, it is possible to install hooks
for certain functions called by the s\bsu\bud\bdo\bo front end.
Unlike, SUDO_CONV_INFO_MSG and Dv SUDO_CONV_ERROR_MSG , messages sent
with the SUDO_CONV_DEBUG_MSG _\bm_\bs_\bg_\b__\bt_\by_\bp_\be are not directly user-visible.
Instead, they are logged to the file specified in the Debug statement (if
- any) in the _\b/_\be_\bt_\bc_\b/_\bs_\bu_\bd_\bo_\b._\bc_\bo_\bn_\bf
-
- file. This allows a plugin to log debugging information and is intended
- to be used in conjunction with the _\bd_\be_\bb_\bu_\bg_\b__\bf_\bl_\ba_\bg_\bs setting.
+ any) in the sudo.conf(4). file. This allows a plugin to log debugging
+ information and is intended to be used in conjunction with the
+ _\bd_\be_\bb_\bu_\bg_\b__\bf_\bl_\ba_\bg_\bs setting.
See the sample plugin for an example of the c\bco\bon\bnv\bve\ber\brs\bsa\bat\bti\bio\bon\bn() function
usage.
S\bSu\bud\bdo\boe\ber\brs\bs g\bgr\bro\bou\bup\bp p\bpl\blu\bug\bgi\bin\bn A\bAP\bPI\bI
- The _\bs_\bu_\bd_\bo_\be_\br_\bs module supports a plugin interface to allow non-Unix group
- lookups. This can be used to query a group source other than the
- standard Unix group database. A sample group plugin is bundled with s\bsu\bud\bdo\bo
- that implements file-based lookups. Third party group plugins include a
- QAS AD plugin available from Quest Software.
+ The s\bsu\bud\bdo\boe\ber\brs\bs plugin supports its own plugin interface to allow non-Unix
+ group lookups. This can be used to query a group source other than the
+ standard Unix group database. Two sample group plugins are bundled with
+ s\bsu\bud\bdo\bo, _\bg_\br_\bo_\bu_\bp_\b__\bf_\bi_\bl_\be and _\bs_\by_\bs_\bt_\be_\bm_\b__\bg_\br_\bo_\bu_\bp, are detailed in sudoers(4). Third
+ party group plugins include a QAS AD plugin available from Quest
+ Software.
A group plugin must declare and populate a sudoers_group_plugin struct in
the global scope. This structure contains pointers to the functions that
version
The version field should be set to GROUP_API_VERSION.
- This allows _\bs_\bu_\bd_\bo_\be_\br_\bs to determine the API version the group plugin
+ This allows s\bsu\bud\bdo\boe\ber\brs\bs to determine the API version the group plugin
was built against.
init
The function arguments are as follows:
version
- The version passed in by _\bs_\bu_\bd_\bo_\be_\br_\bs allows the plugin to
+ The version passed in by s\bsu\bud\bdo\boe\ber\brs\bs allows the plugin to
determine the major and minor version number of the group
- plugin API supported by _\bs_\bu_\bd_\bo_\be_\br_\bs.
+ plugin API supported by s\bsu\bud\bdo\boe\ber\brs\bs.
plugin_printf
A pointer to a p\bpr\bri\bin\bnt\btf\bf()-style function that may be used to
cleanup
void (*cleanup)();
- The c\bcl\ble\bea\ban\bnu\bup\bp() function is called when _\bs_\bu_\bd_\bo_\be_\br_\bs has finished its
+ The c\bcl\ble\bea\ban\bnu\bup\bp() function is called when s\bsu\bud\bdo\boe\ber\brs\bs has finished its
group checks. The plugin should free any memory it has allocated
and close open file handles.
Version 1.0
Initial API version.
- Version 1.1
+ Version 1.1 (sudo 1.8.0)
The I/O logging plugin's o\bop\bpe\ben\bn() function was modified to take the
command_info list as an argument.
- Version 1.2
+ Version 1.2 (sudo 1.8.5)
The Policy and I/O logging plugins' o\bop\bpe\ben\bn() functions are now passed
- a list of plugin options if any are specified in _\b/_\be_\bt_\bc_\b/_\bs_\bu_\bd_\bo_\b._\bc_\bo_\bn_\bf.
+ a list of plugin parameters if any are specified in sudo.conf(4).
A simple hooks API has been introduced to allow plugins to hook in
to the system's environment handling functions.
used to merge in environment variables stored in the PAM handle
before a command is run.
+ Version 1.3 (sudo 1.8.7)
+ Support for the _\be_\bx_\be_\bc_\b__\bb_\ba_\bc_\bk_\bg_\br_\bo_\bu_\bn_\bd entry has been added to the
+ command_info list.
+
+ The _\bm_\ba_\bx_\b__\bg_\br_\bo_\bu_\bp_\bs and _\bp_\bl_\bu_\bg_\bi_\bn_\b__\bd_\bi_\br entries were added to the settings
+ list.
+
+ The v\bve\ber\brs\bsi\bio\bon\bn() and c\bcl\blo\bos\bse\be() functions are now optional. Previously,
+ a missing v\bve\ber\brs\bsi\bio\bon\bn() or c\bcl\blo\bos\bse\be() function would result in a crash.
+ If no policy plugin c\bcl\blo\bos\bse\be() function is defined, a default c\bcl\blo\bos\bse\be()
+ function will be provided by the s\bsu\bud\bdo\bo front end that displays a
+ warning if the command could not be executed.
+
+ The s\bsu\bud\bdo\bo front end now installs default signal handlers to trap
+ common signals while the plugin functions are run.
+
S\bSE\bEE\bE A\bAL\bLS\bSO\bO
- sudoers(4), sudo(1m)
+ sudo.conf(4), sudoers(4), sudo(1m)
B\bBU\bUG\bGS\bS
If you feel you have found a bug in s\bsu\bud\bdo\bo, please submit a bug report at
file distributed with s\bsu\bud\bdo\bo or http://www.sudo.ws/sudo/license.html for
complete details.
-Sudo 1.8.6 July 16, 2012 Sudo 1.8.6
+Sudo 1.8.7 March 5, 2013 Sudo 1.8.7
projects / debian / sudo / blobdiff