.\" DO NOT EDIT THIS FILE, IT IS NOT THE MASTER!
.\" IT IS GENERATED AUTOMATICALLY FROM sudoers.mdoc.in
.\"
-.\" Copyright (c) 1994-1996, 1998-2005, 2007-2012
-.\" Todd C. Miller <Todd.Miller@courtesan.com>
+.\" Copyright (c) 1994-1996, 1998-2005, 2007-2013
+.\" Todd C. Miller <Todd.Miller@courtesan.com>
.\"
.\" Permission to use, copy, modify, and distribute this software for any
.\" purpose with or without fee is hereby granted, provided that the above
.\" Agency (DARPA) and Air Force Research Laboratory, Air Force
.\" Materiel Command, USAF, under agreement number F39502-99-1-0512.
.\"
-.TH "SUDOERS" "@mansectsu@" "July 16, 2012" "Sudo @PACKAGE_VERSION@" "Programmer's Manual"
+.TH "SUDOERS" "@mansectsu@" "April 30, 2013" "Sudo @PACKAGE_VERSION@" "Programmer's Manual"
.nh
.if n .ad l
.SH "NAME"
\fBsudoers\fR
-\- default sudo security policy module
+\- default sudo security policy plugin
.SH "DESCRIPTION"
The
\fIsudoers\fR
-policy module determines a user's
+policy plugin determines a user's
\fBsudo\fR
privileges.
It is the default
policy information
in LDAP, please see
sudoers.ldap(@mansectform@).
+.SS "Configuring sudo.conf for sudoers"
+\fBsudo\fR
+consults the
+sudo.conf(@mansectform@)
+file to determine which policy and and I/O logging plugins to load.
+If no
+sudo.conf(@mansectform@)
+file is present, or if it contains no
+\fRPlugin\fR
+lines,
+\fBsudoers\fR
+will be used for policy decisions and I/O logging.
+To explicitly configure
+sudo.conf(@mansectform@)
+to use the
+\fBsudoers\fR
+plugin, the following configuration can be used.
+.nf
+.sp
+.RS 6n
+Plugin sudoers_policy sudoers.so
+Plugin sudoers_io sudoers.so
+.RE
+.fi
+.PP
+Starting with
+\fBsudo\fR
+1.8.5, it is possible to specify optional arguments to the
+\fBsudoers\fR
+plugin in the
+sudo.conf(@mansectform@)
+file.
+These arguments, if present, should be listed after the path to the plugin
+(i.e.\& after
+\fIsudoers.so\fR).
+Multiple arguments may be specified, separated by white space.
+For example:
+.nf
+.sp
+.RS 6n
+Plugin sudoers_policy sudoers.so sudoers_mode=0400
+.RE
+.fi
+.PP
+The following plugin arguments are supported:
+.TP 10n
+ldap_conf=pathname
+The
+\fIldap_conf\fR
+argument can be used to override the default path to the
+\fIldap.conf\fR
+file.
+.TP 10n
+ldap_secret=pathname
+The
+\fIldap_secret\fR
+argument can be used to override the default path to the
+\fIldap.secret\fR
+file.
+.TP 10n
+sudoers_file=pathname
+The
+\fIsudoers_file\fR
+argument can be used to override the default path to the
+\fIsudoers\fR
+file.
+.TP 10n
+sudoers_uid=uid
+The
+\fIsudoers_uid\fR
+argument can be used to override the default owner of the sudoers file.
+It should be specified as a numeric user ID.
+.TP 10n
+sudoers_gid=gid
+The
+\fIsudoers_gid\fR
+argument can be used to override the default group of the sudoers file.
+It must be specified as a numeric group ID (not a group name).
+.TP 10n
+sudoers_mode=mode
+The
+\fIsudoers_mode\fR
+argument can be used to override the default file mode for the sudoers file.
+It should be specified as an octal value.
+.PP
+For more information on configuring
+sudo.conf(@mansectform@),
+please refer to its manual.
.SS "Authentication and logging"
The
\fIsudoers\fR
.PP
A
\fRUser_List\fR
-is made up of one or more user names, user ids
+is made up of one or more user names, user IDs
(prefixed with
`#'),
-system group names and ids (prefixed with
+system group names and IDs (prefixed with
`%'
and
`%#'
and
\fRnonunix_gid\fR
syntax depends on
-the underlying group provider plugin (see the
-\fIgroup_plugin\fR
-description below).
+the underlying group provider plugin.
For instance, the QAS AD plugin supports the following formats:
.TP 6n
\fBo\fR
\fBo\fR
Group SID: "%:S-1-2-34-5678901234-5678901234-5678901234-567"
.PP
+See
+\fIGROUP PROVIDER PLUGINS\fR
+for more information.
+.PP
Note that quotes around group names are optional.
Unquoted strings must use a backslash
(`\e')
.nf
.sp
.RS 0n
+digest ::= [A-Fa-f0-9]+ |
+ [[A-Za-z0-9\+/=]+
+
+Digest_Spec ::= "sha224" ':' digest |
+ "sha256" ':' digest |
+ "sha384" ':' digest |
+ "sha512" ':' digest
+
Cmnd_List ::= Cmnd |
Cmnd ',' Cmnd_List
file name args |
file name '""'
-Cmnd ::= '!'* command name |
+Cmnd ::= Digest_Spec? '!'* command name |
'!'* directory |
'!'* "sudoedit" |
'!'* Cmnd_Alias
`:\&',
`=\&',
`\e'.
-The special command
+The built-in command
``\fRsudoedit\fR''
is used to permit a user to run
\fBsudo\fR
option (or as
\fBsudoedit\fR).
It may take command line arguments just as a normal command does.
+Note that
+``\fRsudoedit\fR''
+is a command built into
+\fBsudo\fR
+itself and must be specified in
+\fIsudoers\fR
+without a leading path.
+.PP
+If a
+\fRcommand name\fR
+is prefixed with a
+\fRDigest_Spec\fR,
+the command will only match successfully if it can be verified
+using the specified SHA-2 digest.
+This may be useful in situations where the user invoking
+\fBsudo\fR
+has write access to the command or its parent directory.
+The following digest formats are supported: sha224, sha256, sha384 and sha512.
+The string may be specified in either hex or base64 format
+(base64 is more compact).
+There are several utilities capable of generating SHA-2 digests in hex
+format such as openssl, shasum, sha224sum, sha256sum, sha384sum, sha512sum.
+.PP
+For example, using openssl:
+.nf
+.sp
+.RS 0n
+$ openssl dgst -sha224 /bin/ls
+SHA224(/bin/ls)= 118187da8364d490b4a7debbf483004e8f3e053ec954309de2c41a25
+.RE
+.fi
+.PP
+It is also possible to use openssl to generate base64 output:
+.nf
+.sp
+.RS 0n
+$ openssl dgst -binary -sha224 /bin/ls | openssl base64
+EYGH2oNk1JC0p9679IMATo8+BT7JVDCd4sQaJQ==
+.RE
+.fi
+.PP
+Command digests are only supported by version 1.8.7 or higher.
.SS "Defaults"
Certain configuration options may be changed from their default
values at run-time via one or more
\fRNOEXEC\fR
overrides
\fREXEC\fR).
-.PP
-\fINOPASSWD and PASSWD\fR
-.PP
+.TP 2n
+\fINOPASSWD\fR and \fIPASSWD\fR
+.sp
By default,
\fBsudo\fR
requires that a user authenticate him or herself
\fRPASSWD\fR
tag can be used to reverse things.
For example:
+.RS
.nf
.sp
.RS 0n
ray rushmore = NOPASSWD: /bin/kill, /bin/ls, /usr/bin/lprm
.RE
.fi
-.PP
+.sp
would allow the user
\fBray\fR
to run
ray rushmore = NOPASSWD: /bin/kill, PASSWD: /bin/ls, /usr/bin/lprm
.RE
.fi
-.PP
+.sp
Note, however, that the
\fRPASSWD\fR
tag has no effect on users who are in the group specified by the
\fIexempt_group\fR
option.
-.PP
+.sp
By default, if the
\fRNOPASSWD\fR
tag is applied to any of the entries for a user on the current host,
\fIlistpw\fR
options.
.PP
-\fINOEXEC and EXEC\fR
-.PP
+.RE
+.PD 0
+.TP 2n
+\fINOEXEC\fR and \fIEXEC\fR
+.sp
If
\fBsudo\fR
has been compiled with
\fRNOEXEC\fR
tag can be used to prevent a dynamically-linked executable from
running further commands itself.
-.PP
+.sp
In the following example, user
\fBaaron\fR
may run
and
\fI/usr/bin/vi\fR
but shell escapes will be disabled.
+.RS
.nf
.sp
.RS 0n
aaron shanty = NOEXEC: /usr/bin/more, /usr/bin/vi
.RE
.fi
-.PP
+.sp
See the
\fIPreventing shell escapes\fR
section below for more details on how
\fRNOEXEC\fR
works and whether or not it will work on your system.
+.PD
.PP
-\fISETENV and NOSETENV\fR
-.PP
+.RE
+.PD 0
+.TP 2n
+\fISETENV\fR and \fINOSETENV\fR
+.sp
These tags override the value of the
\fIsetenv\fR
option on a per-command basis.
tag is implied for that command; this default may be overridden by use of the
\fRNOSETENV\fR
tag.
-.PP
-\fILOG_INPUT and NOLOG_INPUT\fR
-.PP
+.PD
+.TP 2n
+\fILOG_INPUT\fR and \fINOLOG_INPUT\fR
+.sp
These tags override the value of the
\fIlog_input\fR
option on a per-command basis.
in the
\fISUDOERS OPTIONS\fR
section below.
-.PP
-\fILOG_OUTPUT and NOLOG_OUTPUT\fR
-.PP
+.TP 2n
+\fILOG_OUTPUT\fR and \fINOLOG_OUTPUT\fR
+.sp
These tags override the value of the
\fIlog_output\fR
option on a per-command basis.
\fIsudoers\fR
file.
Wildcard matching is done via the
-\fBPOSIX\fR
glob(3)
and
fnmatch(3)
-routines.
+functions as specified by
+IEEE Std 1003.1 (\(lqPOSIX.1\(rq).
Note that these are
\fInot\fR
regular expressions.
and
`]\&'.
.PP
-POSIX character classes may also be used if your system's
+Character classes may also be used if your system's
glob(3)
and
fnmatch(3)
(`\&!')
can be used as a logical
\fInot\fR
-operator both in an
+operator in a list or
\fIalias\fR
-and in front of a
+as well as in front of a
\fRCmnd\fR.
This allows one to exclude certain values.
+For the
+`\&!'
+operator to be effective, there must be something for it to exclude.
+For example, to match all users except for root one would use:
+.nf
+.sp
+.RS 4n
+ALL,!root
+.RE
+.fi
+.PP
+If the
+\fBALL\fR,
+is omitted, as in:
+.nf
+.sp
+.RS 4n
+!root
+.RE
+.fi
+.PP
+it would explicitly deny root but not match any other users.
+This is different from a true
+``negation''
+operator.
+.PP
Note, however, that using a
`\&!'
in conjunction with the built-in
\fBzlib\fR
support.
.TP 18n
+exec_background
+By default,
+\fBsudo\fR
+runs a command as the foreground process as long as
+\fBsudo\fR
+itself is running in the foreground.
+When the
+\fIexec_background\fR
+flag is enabled and the command is being run in a pty (due to I/O logging
+or the
+\fIuse_pty\fR
+flag), the command will be run as a background process.
+Attempts to read from the controlling terminal (or to change terminal
+settings) will result in the command being suspended with the
+\fRSIGTTIN\fR
+signal (or
+\fRSIGTTOU\fR
+in the case of terminal settings).
+If this happens when
+\fBsudo\fR
+is a foreground process, the command will be granted the controlling terminal
+and resumed in the foreground with no user intervention required.
+The advantage of initially running the command in the background is that
+\fBsudo\fR
+need not read from the terminal unless the command explicitly requests it.
+Otherwise, any terminal input must be passed to the command, whether it
+has required it or not (the kernel buffers terminals so it is not possible
+to tell whether the command really wants the input).
+This is different from historic
+\fIsudo\fR
+behavior or when the command is not being run in a pty.
+.sp
+For this to work seamlessly, the operating system must support the
+automatic restarting of system calls.
+Unfortunately, not all operating systems do this by default,
+and even those that do may have bugs.
+For example, Mac OS X fails to restart the
+\fBtcgetattr\fR()
+and
+\fBtcsetattr\fR()
+system calls (this is a bug in Mac OS X).
+Furthermore, because this behavior depends on the command stopping with the
+\fRSIGTTIN\fR
+or
+\fRSIGTTOU\fR
+signals, programs that catch these signals and suspend themselves
+with a different signal (usually
+\fRSIGTOP\fR)
+will not be automatically foregrounded.
+Some versions of the linux
+su(1)
+command behave this way.
+.sp
+This setting is only supported by version 1.8.7 or higher.
+It has no effect unless I/O logging is enabled or the
+\fIuse_pty\fR
+flag is enabled.
+.TP 18n
env_editor
If set,
\fBvisudo\fR
\fIoff\fR
by default.
.TP 18n
-path_info
-Normally,
-\fBsudo\fR
-will tell the user when a command could not be
-found in their
-\fRPATH\fR
-environment variable.
-Some sites may wish to disable this as it could be used to gather
-information on the location of executables that the normal user does
-not have access to.
-The disadvantage is that if the executable is simply not in the user's
-\fRPATH\fR,
+pam_session
+On systems that use PAM for authentication,
\fBsudo\fR
-will tell the user that they are not allowed to run it, which can be confusing.
+will create a new PAM session for the command to be run in.
+Disabling
+\fIpam_session\fR
+may be needed on older PAM implementations or on operating systems where
+opening a PAM session changes the utmp or wtmp files.
+If PAM session support is disabled, resource limits may not be updated
+for the command being run.
This flag is
-\fI@path_info@\fR
+\fI@pam_session@\fR
by default.
+.sp
+This setting is only supported by version 1.8.7 or higher.
.TP 18n
passprompt_override
The password prompt specified by
\fIoff\fR
by default.
.TP 18n
+path_info
+Normally,
+\fBsudo\fR
+will tell the user when a command could not be
+found in their
+\fRPATH\fR
+environment variable.
+Some sites may wish to disable this as it could be used to gather
+information on the location of executables that the normal user does
+not have access to.
+The disadvantage is that if the executable is simply not in the user's
+\fRPATH\fR,
+\fBsudo\fR
+will tell the user that they are not allowed to run it, which can be confusing.
+This flag is
+\fI@path_info@\fR
+by default.
+.TP 18n
preserve_groups
By default,
\fBsudo\fR
replaced with a unique combination of digits and letters, similar to the
mktemp(3)
function.
+.sp
+If the path created by concatenating
+\fIiolog_dir\fR
+and
+\fIiolog_file\fR
+already exists, the existing I/O log file will be truncated and
+overwritten unless
+\fIiolog_file\fR
+ends in six or
+more
+\fRX\fRs.
.PD
.TP 18n
limitprivs
Default is
``\fR@mailsub@\fR''.
.TP 18n
+maxseq
+The maximum sequence number that will be substituted for the
+``\fR%{seq}\fR''
+escape in the I/O log file (see the
+\fIiolog_dir\fR
+description above for more information).
+While the value substituted for
+``\fR%{seq}\fR''
+is in base 36,
+\fImaxseq\fR
+itself should be expressed in decimal.
+Values larger than 2176782336 (which corresponds to the
+base 36 sequence number
+``ZZZZZZ'')
+will be silently truncated to 2176782336.
+The default value is 2176782336.
+.sp
+Once the local sequence number reaches the value of
+\fImaxseq\fR,
+it will
+``roll over''
+to zero, after which
+\fBsudoers\fR
+will truncate and re-use any existing I/O log pathnames.
+.sp
+This setting is only supported by version 1.8.7 or higher.
+.TP 18n
noexec_file
-This option is no longer supported.
+As of
+\fBsudo\fR
+version 1.8.1 this option is no longer supported.
The path to the noexec file should now be set in the
-\fI@sysconfdir@/sudo.conf\fR
+sudo.conf(@mansectform@)
file.
.TP 18n
passprompt
A string containing a
\fIsudoers\fR
group plugin with optional arguments.
-This can be used to implement support for the
-\fRnonunix_group\fR
-syntax described earlier.
The string should consist of the plugin
path, either fully-qualified or relative to the
-\fI@prefix@/libexec\fR
+\fI@PLUGINDIR@\fR
directory, followed by any configuration arguments the plugin requires.
These arguments (if any) will be passed to the plugin's initialization function.
If arguments are present, the string must be enclosed in double quotes
(\&"").
.sp
-For example, given
-\fI/etc/sudo-group\fR,
-a group file in Unix group format, the sample group plugin can be used:
-.RS
-.nf
-.sp
-.RS 0n
-Defaults group_plugin="sample_group.so /etc/sudo-group"
-.RE
-.fi
-.sp
For more information see
-sudo_plugin(@mansectform@).
-.PP
-.RE
-.PD 0
+GROUP PROVIDER PLUGINS.
.TP 14n
lecture
This option controls when a short lecture will be printed along with
the password prompt.
It has the following possible values:
.RS
-.PD
.TP 8n
always
Always lecture the user.
is run by root with the
\fB\-V\fR
option.
+.SH "GROUP PROVIDER PLUGINS"
+The
+\fBsudoers\fR
+plugin supports its own plugin interface to allow non-Unix
+group lookups which can query a group source other
+than the standard Unix group database.
+This can be used to implement support for the
+\fRnonunix_group\fR
+syntax described earlier.
+.PP
+Group provider plugins are specified via the
+\fIgroup_plugin\fR
+Defaults setting.
+The argument to
+\fIgroup_plugin\fR
+should consist of the plugin path, either fully-qualified or relative to the
+\fI@PLUGINDIR@\fR
+directory, followed by any configuration options the plugin requires.
+These options (if specified) will be passed to the plugin's initialization
+function.
+If options are present, the string must be enclosed in double quotes
+(\&"").
+.PP
+The following group provider plugins are installed by default:
+.TP 10n
+group_file
+The
+\fIgroup_file\fR
+plugin supports an alternate group file that uses the same syntax as the
+\fI/etc/group\fR
+file.
+The path to the group file should be specified as an option
+to the plugin.
+For example, if the group file to be used is
+\fI/etc/sudo-group\fR:
+.RS
+.nf
+.sp
+.RS 0n
+Defaults group_plugin="group_file.so /etc/sudo-group"
+.RE
+.fi
+.PP
+.RE
+.PD 0
+.TP 10n
+system_group
+The
+\fIsystem_group\fR
+plugin supports group lookups via the standard C library functions
+\fBgetgrnam\fR()
+and
+\fBgetgrid\fR().
+This plugin can be used in instances where the user belongs to
+groups not present in the user's supplemental group vector.
+This plugin takes no options:
+.RS
+.nf
+.sp
+.RS 0n
+Defaults group_plugin=system_group.so
+.RE
+.fi
+.RE
+.PD
+.PP
+The group provider plugin API is described in detail in
+sudo_plugin(@mansectsu@).
.SH "LOG FORMAT"
\fBsudoers\fR
can log events using either
tries to open
\fIsudoers\fR
using group permissions to avoid this problem.
-Consider changing the ownership of
+Consider either changing the ownership of
\fI@sysconfdir@/sudoers\fR
-by adding an option like
+or adding an argument like
``sudoers_uid=N''
(where
`N'
is the user ID that owns the
\fIsudoers\fR
-file) to the
+file) to the end of the
\fBsudoers\fR
-plugin line in the
-\fI@sysconfdir@/sudo.conf\fR
+\fRPlugin\fR
+line in the
+sudo.conf(@mansectform@)
file.
.TP 3n
unable to stat @sysconfdir@/sudoers
\fIsudoers\fR
file) to the
\fBsudoers\fR
-plugin line in the
-\fI@sysconfdir@/sudo.conf\fR
+\fRPlugin\fR
+line in the
+sudo.conf(@mansectform@)
file.
.TP 3n
@sysconfdir@/sudoers is world writable
``sudoers_mode''
option to the
\fBsudoers\fR
-plugin line in the
-\fI@sysconfdir@/sudo.conf\fR
+\fRPlugin\fR
+line in the
+sudo.conf(@mansectform@)
file.
.TP 3n
@sysconfdir@/sudoers is owned by gid N, should be 1
\fIsudoers\fR
file) to the
\fBsudoers\fR
-plugin line in the
-\fI@sysconfdir@/sudo.conf\fR
+\fRPlugin\fR
+line in the
+sudo.conf(@mansectform@)
file.
.TP 3n
unable to open @timedir@/username/ttyname
option is set to 0 (or negated with a
`\&!'),
word wrap will be disabled.
-.SH "SUDO.CONF"
-The
-\fI@sysconfdir@/sudo.conf\fR
-file determines which plugins the
-\fBsudo\fR
-front end will load.
-If no
-\fI@sysconfdir@/sudo.conf\fR
-file
-is present, or it contains no
-\fRPlugin\fR
-lines,
-\fBsudo\fR
-will use the
-\fIsudoers\fR
-security policy and I/O logging, which corresponds to the following
-\fI@sysconfdir@/sudo.conf\fR
-file.
-.nf
-.sp
-.RS 0n
-#
-# Default @sysconfdir@/sudo.conf file
-#
-# Format:
-# Plugin plugin_name plugin_path plugin_options ...
-# Path askpass /path/to/askpass
-# Path noexec /path/to/sudo_noexec.so
-# Debug sudo /var/log/sudo_debug all@warn
-# Set disable_coredump true
-#
-# The plugin_path is relative to @prefix@/libexec unless
-# fully qualified.
-# The plugin_name corresponds to a global symbol in the plugin
-# that contains the plugin interface structure.
-# The plugin_options are optional.
-#
-Plugin policy_plugin sudoers.so
-Plugin io_plugin sudoers.so
-.RE
-.fi
-.SS "Plugin options"
-Starting with
-\fBsudo\fR
-1.8.5, it is possible to pass options to the
-\fIsudoers\fR
-plugin.
-Options may be listed after the path to the plugin (i.e.\& after
-\fIsudoers.so\fR);
-multiple options should be space-separated.
-For example:
-.nf
-.sp
-.RS 0n
-Plugin sudoers_policy sudoers.so sudoers_file=/etc/sudoers sudoers_uid=0 sudoers_gid=0 sudoers_mode=0440
-.RE
-.fi
-.PP
-The following plugin options are supported:
-.TP 10n
-sudoers_file=pathname
-The
-\fIsudoers_file\fR
-option can be used to override the default path
-to the
-\fIsudoers\fR
-file.
-.TP 10n
-sudoers_uid=uid
-The
-\fIsudoers_uid\fR
-option can be used to override the default owner of the sudoers file.
-It should be specified as a numeric user ID.
-.TP 10n
-sudoers_gid=gid
-The
-\fIsudoers_gid\fR
-option can be used to override the default group of the sudoers file.
-It should be specified as a numeric group ID.
-.TP 10n
-sudoers_mode=mode
-The
-\fIsudoers_mode\fR
-option can be used to override the default file mode for the sudoers file.
-It should be specified as an octal value.
-.SS "Debug flags"
-Versions 1.8.4 and higher of the
-\fIsudoers\fR
-plugin supports a debugging framework that can help track down what the
-plugin is doing internally if there is a problem.
-This can be configured in the
-\fI@sysconfdir@/sudo.conf\fR
-file as described in
-sudo(@mansectsu@).
-.PP
-The
-\fIsudoers\fR
-plugin uses the same debug flag format as the
-\fBsudo\fR
-front-end:
-\fIsubsystem\fR@\fIpriority\fR.
-.PP
-The priorities used by
-\fIsudoers\fR,
-in order of decreasing severity,
-are:
-\fIcrit\fR,
-\fIerr\fR,
-\fIwarn\fR,
-\fInotice\fR,
-\fIdiag\fR,
-\fIinfo\fR,
-\fItrace\fR
-and
-\fIdebug\fR.
-Each priority, when specified, also includes all priorities higher than it.
-For example, a priority of
-\fInotice\fR
-would include debug messages logged at
-\fInotice\fR
-and higher.
-.PP
-The following subsystems are used by
-\fIsudoers\fR:
-.TP 10n
-\fIalias\fR
-\fRUser_Alias\fR,
-\fRRunas_Alias\fR,
-\fRHost_Alias\fR
-and
-\fRCmnd_Alias\fR
-processing
-.TP 10n
-\fIall\fR
-matches every subsystem
-.TP 10n
-\fIaudit\fR
-BSM and Linux audit code
-.TP 10n
-\fIauth\fR
-user authentication
-.TP 10n
-\fIdefaults\fR
-\fIsudoers\fR
-\fIDefaults\fR
-settings
-.TP 10n
-\fIenv\fR
-environment handling
-.TP 10n
-\fIldap\fR
-LDAP-based sudoers
-.TP 10n
-\fIlogging\fR
-logging support
-.TP 10n
-\fImatch\fR
-matching of users, groups, hosts and netgroups in
-\fIsudoers\fR
-.TP 10n
-\fInetif\fR
-network interface handling
-.TP 10n
-\fInss\fR
-network service switch handling in
-\fIsudoers\fR
-.TP 10n
-\fIparser\fR
-\fIsudoers\fR
-file parsing
-.TP 10n
-\fIperms\fR
-permission setting
-.TP 10n
-\fIplugin\fR
-The equivalent of
-\fImain\fR
-for the plugin.
-.TP 10n
-\fIpty\fR
-pseudo-tty related code
-.TP 10n
-\fIrbtree\fR
-redblack tree internals
-.TP 10n
-\fIutil\fR
-utility functions
.SH "FILES"
.TP 26n
\fI@sysconfdir@/sudo.conf\fR
# Cmnd alias specification
Cmnd_Alias DUMPS = /usr/bin/mt, /usr/sbin/dump, /usr/sbin/rdump,\e
- /usr/sbin/restore, /usr/sbin/rrestore
+ /usr/sbin/restore, /usr/sbin/rrestore,\e
+ sha224:0GomF8mNN3wlDt1HD9XldjJ3SNgpFdbjO1+NsQ== \e
+ /home/operator/bin/start_backups
Cmnd_Alias KILL = /usr/bin/kill
Cmnd_Alias PRINTING = /usr/sbin/lpc, /usr/bin/lprm
Cmnd_Alias SHUTDOWN = /usr/sbin/shutdown
printing system, shutting down the system, and any commands in the
directory
\fI/usr/oper/bin/\fR.
+Note that one command in the
+\fRDUMPS\fR
+Cmnd_Alias includes a sha224 digest,
+\fI/home/operator/bin/start_backups\fR.
+This is because the directory containing the script is writable by the
+operator user.
+If the script is modified (resulting in a digest mismatch) it will no longer
+be possible to run it via
+\fBsudo\fR.
.nf
.sp
.RS 0n
ignore it.
Administrators should not rely on this feature as it is not universally
available.
+.SH "DEBUGGING"
+Versions 1.8.4 and higher of the
+\fBsudoers\fR
+plugin support a flexible debugging framework that can help track
+down what the plugin is doing internally if there is a problem.
+This can be configured in the
+sudo.conf(@mansectform@)
+file.
+.PP
+The
+\fBsudoers\fR
+plugin uses the same debug flag format as the
+\fBsudo\fR
+front-end:
+\fIsubsystem\fR@\fIpriority\fR.
+.PP
+The priorities used by
+\fBsudoers\fR,
+in order of decreasing severity,
+are:
+\fIcrit\fR, \fIerr\fR, \fIwarn\fR, \fInotice\fR, \fIdiag\fR, \fIinfo\fR, \fItrace\fR
+and
+\fIdebug\fR.
+Each priority, when specified, also includes all priorities higher
+than it.
+For example, a priority of
+\fInotice\fR
+would include debug messages logged at
+\fInotice\fR
+and higher.
+.PP
+The following subsystems are used by the
+\fBsudoers\fR
+plugin:
+.TP 10n
+\fIalias\fR
+\fRUser_Alias\fR,
+\fRRunas_Alias\fR,
+\fRHost_Alias\fR
+and
+\fRCmnd_Alias\fR
+processing
+.TP 10n
+\fIall\fR
+matches every subsystem
+.TP 10n
+\fIaudit\fR
+BSM and Linux audit code
+.TP 10n
+\fIauth\fR
+user authentication
+.TP 10n
+\fIdefaults\fR
+\fIsudoers\fR
+\fIDefaults\fR
+settings
+.TP 10n
+\fIenv\fR
+environment handling
+.TP 10n
+\fIldap\fR
+LDAP-based sudoers
+.TP 10n
+\fIlogging\fR
+logging support
+.TP 10n
+\fImatch\fR
+matching of users, groups, hosts and netgroups in
+\fIsudoers\fR
+.TP 10n
+\fInetif\fR
+network interface handling
+.TP 10n
+\fInss\fR
+network service switch handling in
+\fIsudoers\fR
+.TP 10n
+\fIparser\fR
+\fIsudoers\fR
+file parsing
+.TP 10n
+\fIperms\fR
+permission setting
+.TP 10n
+\fIplugin\fR
+The equivalent of
+\fImain\fR
+for the plugin.
+.TP 10n
+\fIpty\fR
+pseudo-tty related code
+.TP 10n
+\fIrbtree\fR
+redblack tree internals
+.TP 10n
+\fIutil\fR
+utility functions
+.PD 0
+.PP
+.PD
+For example:
+.nf
+.sp
+.RS 0n
+Debug sudo /var/log/sudo_debug match@info,nss@info
+.RE
+.fi
+.PP
+For more information, see the
+sudo.conf(@mansectform@)
+manual.
.SH "SEE ALSO"
ssh(1),
su(1),
glob(3),
mktemp(3),
strftime(3),
+sudo.conf(@mansectform@),
sudoers.ldap(@mansectform@),
sudo_plugin(@mansectsu@),
sudo(@mansectsu@),
projects / debian / sudo / blobdiff