.\" DO NOT EDIT THIS FILE, IT IS NOT THE MASTER!
.\" IT IS GENERATED AUTOMATICALLY FROM sudo.conf.mdoc.in
.\" Copyright (c) 2010-2016 Todd C. Miller <Todd.Miller@courtesan.com>
.\" Permission to use, copy, modify, and distribute this software for any
.\" purpose with or without fee is hereby granted, provided that the above
.\" copyright notice and this permission notice appear in all copies.
.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
.\" ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
.TH "SUDO.CONF" "5" "June 15, 2016" "Sudo 1.8.17" "File Formats Manual"
\- configuration for sudo front end
file is used to configure the
It specifies the security policy and I/O logging plugins, debug flags
as well as plugin-agnostic path names and settings.
file supports the following directives, described in detail below.
a security policy or I/O logging plugin
a plugin-agnostic path
a front end setting, such as
\fIdisable_coredump\fR
debug flags to aid in debugging
is used to indicate a comment.
Both the comment character and any text after it, up to the end of
the line, are ignored.
Long lines can be continued with a backslash
as the last character on the line.
Note that leading white space is removed from the beginning of lines
even when the continuation character is used.
Non-comment lines that don't begin with
file is always parsed in the
.SS "Plugin configuration"
supports a plugin architecture for security policies and input/output
Third parties can develop and distribute their own policy and I/O
logging plugins to work seamlessly with the
Plugins are dynamically loaded based on the contents of
keyword, followed by the
to the dynamic shared object that contains the plugin.
\fRstruct policy_plugin\fR
\fRstruct io_plugin\fR
symbol contained in the plugin.
may be fully qualified or relative.
If not fully qualified, it is relative to the directory
setting, which defaults to
\fI/usr/local/libexec/sudo\fR.
Plugin sudoers_policy sudoers.so
Plugin sudoers_policy /usr/local/libexec/sudo/sudoers.so
If the plugin was compiled statically into the
binary instead of being installed as a dynamic shared object, the
should be specified without a leading directory,
as it does not actually exist in the file system.
Plugin sudoers_policy sudoers.so
1.8.5, any additional parameters after the
are passed as arguments to the plugin's
For example, to override the compile-time default sudoers file mode:
Plugin sudoers_policy sudoers.so sudoers_mode=0440
manual for a list of supported arguments.
The same dynamic shared object may contain multiple plugins,
each with a different symbol name.
The file must be owned by uid 0 and only writable by its owner.
Because of ambiguities that arise from composite policies, only a single
policy plugin may be specified.
This limitation does not apply to I/O plugins.
file is present, or if it contains no
plugin will be used as the default security policy and for I/O logging
(if enabled by the policy).
This is equivalent to the following:
Plugin sudoers_policy sudoers.so
Plugin sudoers_io sudoers.so
For more information on the
plugin architecture, see the
keyword, followed by the name of the path to set and its value.
Path noexec /usr/local/libexec/sudo/sudo_noexec.so
Path askpass /usr/X11R6/bin/ssh-askpass
If no path name is specified, features relying on the specified
setting will be disabled.
settings is only supported in
version 1.8.16 and higher.
The following plugin-agnostic paths may be set in the
The fully qualified path to a helper program used to read the user's
password when no terminal is available.
This may be the case when
is executed from a graphical (as opposed to text-based) application.
The program specified by
should display the argument passed to it as the prompt and write
the user's password to the standard output.
may be overridden by the
environment variable.
The fully-qualified path to a shared library containing dummy
\fBposix_spawnp\fR(),
library functions that just return an error.
This is used to implement the
functionality on systems that support
The default value is:
\fI/usr/local/libexec/sudo/sudo_noexec.so\fR.
The default directory to use when searching for plugins
that are specified without a fully qualified path name.
\fI/usr/local/libexec/sudo\fR.
The fully-qualified path to the
This setting is only used when
is built with SELinux support.
\fI/usr/local/libexec/sudo/sesh\fR.
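.PP
The following added example, which is not part of the sudo distribution, parses the syntax described above: comment and continuation handling, the Plugin directive (symbol name, a path resolved against plugin_dir when it is not fully qualified, trailing plugin options, and the sudoers defaults when no Plugin line is present), the Path directive including the empty-value form, and the Set directive. The sample file, the /opt/sudo/libexec plugin_dir, the accepted values for each Set name and the handling of a comment on a continued line are the example's own assumptions.

```python
"""Added example, not code from the sudo distribution: a parser for the
sudo.conf syntax described on this page ('#' comments, backslash continuation
with leading white space stripped, Plugin/Path/Set/Debug directives, default
sudoers plugins, relative plugin paths resolved against plugin_dir)."""
import os
import stat
from dataclasses import dataclass, field

DEFAULT_PLUGIN_DIR = "/usr/local/libexec/sudo"      # compile-time default quoted on the page
DEFAULT_PLUGINS = [("sudoers_policy", "sudoers.so", []),   # used when no Plugin line exists
                   ("sudoers_io", "sudoers.so", [])]
# Settings named on this page and the values this example accepts for them
# (the validation rules are the example's own, not sudo's).
SETTING_VALUES = {"disable_coredump": {"true", "false"}, "probe_interfaces": {"true", "false"},
                  "group_source": {"static", "dynamic", "adaptive"}, "max_groups": None}


@dataclass
class SudoConf:
    plugins: list = field(default_factory=list)   # (symbol, resolved path, [options])
    paths: dict = field(default_factory=dict)     # name -> path, or None when no value is given
    settings: dict = field(default_factory=dict)  # Set name -> raw value
    debug: list = field(default_factory=list)     # (program or plugin, log file, flag string)
    ignored: list = field(default_factory=list)   # non-comment lines sudo would silently ignore


def logical_lines(text):
    """Yield joined logical lines. The comment is removed from each physical line before
    the continuation check (assumption: the page leaves this edge case open) and leading
    white space is dropped from every physical line, continued or not."""
    buf = ""
    for raw in text.splitlines():
        line = raw.lstrip().split("#", 1)[0].rstrip()
        if line.endswith("\\"):          # backslash as the last character: continue
            buf += line[:-1]
            continue
        buf += line
        if buf.strip():
            yield buf.strip()
        buf = ""
    if buf.strip():                      # continuation on the final line of the file
        yield buf.strip()


def parse_sudo_conf(text):
    conf = SudoConf()
    for line in logical_lines(text):
        kw, *args = line.split()
        if kw == "Plugin" and len(args) >= 2:
            conf.plugins.append((args[0], args[1], args[2:]))   # extra words are plugin options
        elif kw == "Path" and args:
            conf.paths[args[0]] = args[1] if len(args) > 1 else None   # no value: feature disabled
        elif kw == "Set" and len(args) == 2:
            conf.settings[args[0]] = args[1]
        elif kw == "Debug" and len(args) == 3:
            conf.debug.append((args[0], args[1], args[2]))
        else:
            conf.ignored.append(line)
    if not conf.plugins:
        conf.plugins = [(s, p, list(o)) for s, p, o in DEFAULT_PLUGINS]
    # plugin_dir may appear anywhere in the file, so resolve paths after the whole file is read.
    plugin_dir = conf.paths.get("plugin_dir") or DEFAULT_PLUGIN_DIR
    conf.plugins = [(s, p if p.startswith("/") else os.path.join(plugin_dir, p), o)
                    for s, p, o in conf.plugins]
    return conf


def check_settings(conf):
    """Problems with Set lines: unknown names, values outside the documented set, and a
    max_groups below one, which the page says sudo ignores."""
    problems = []
    for name, value in conf.settings.items():
        if name not in SETTING_VALUES:
            problems.append(f"unknown setting {name}")
        elif name == "max_groups":
            if not value.isdigit() or int(value) < 1:
                problems.append(f"max_groups={value} will be ignored (must be >= 1)")
        elif value not in SETTING_VALUES[name]:
            problems.append(f"{name}={value} is not one of {sorted(SETTING_VALUES[name])}")
    return problems


def plugin_file_ok(st):
    """The rule stated for plugin objects above: owned by uid 0 and writable only by its
    owner. Takes an os.stat_result, e.g. os.stat(path) of each resolved plugin path."""
    return st.st_uid == 0 and not (st.st_mode & (stat.S_IWGRP | stat.S_IWOTH))


def fake_stat(mode, uid):
    """Constructed stat result so the ownership check can be exercised offline."""
    return os.stat_result((mode, 0, 0, 1, uid, 0, 0, 0, 0, 0))


SAMPLE_CONF = """\
# constructed sample, not a real /etc/sudo.conf
Plugin sudoers_policy sudoers.so \\
    sudoers_mode=0440           # option carried over from the continued line
Plugin sudoers_io sudoers.so
Path plugin_dir /opt/sudo/libexec
Path askpass /usr/libexec/openssh/gnome-ssh-askpass
Path noexec                     # no value (1.8.16 and higher): noexec support is disabled
Set disable_coredump false
Set group_source adaptive
Set max_groups 0
Debug sudo /var/log/sudo_debug all@warn,plugin@info
Frobnicate everything           # not a directive: silently ignored
"""

if __name__ == "__main__":
    conf = parse_sudo_conf(SAMPLE_CONF)
    print(conf.plugins, conf.paths, conf.ignored, check_settings(conf), sep="\n")
```

.PP
Put a space before the continuation backslash: leading white space is stripped from the continued line, so a backslash immediately after sudoers.so would join the option on the next line onto the file name. plugin_file_ok() takes a stat result so the ownership rule from the Plugin section can be applied to os.stat() of each resolved plugin path before the object is trusted.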
file also supports the following front end settings:
itself are disabled by default to prevent the disclosure of potentially
sensitive information.
crashes, you may wish to re-enable core dumps by setting
\(Lqdisable_coredump\(Rq
Set disable_coredump false
All modern operating systems place restrictions on core dumps
from setuid processes like
so this option can be enabled without compromising security.
core file you will likely need to enable core dumps for setuid processes.
On BSD and Linux systems this is accomplished in the
command is used to configure core dump behavior.
This setting is only available in
version 1.8.4 and higher.
passes the invoking user's group list to the policy and I/O plugins.
On most systems, there is an upper limit to the number of groups that
a user may belong to simultaneously (typically 16 for compatibility
will return the maximum number of groups.
However, it is still possible to be a member of a larger number of
groups--they simply won't be included in the group list returned
by the kernel for the user.
version 1.8.7, if the user's kernel group list has the maximum number
will consult the group database directly to determine the group list.
This makes it possible for the security policy to perform matching by group
name even when the user is a member of more than the maximum number of groups.
setting allows the administrator to change this default behavior.
Use the static group list that the kernel returns.
Retrieving the group list this way is very fast but it is subject
to an upper limit as described above.
in that it does not reflect changes to the group database made
after the user logs in.
This was the default behavior prior to
Always query the group database directly.
in that changes made to the group database after the user logs in
will be reflected in the group list.
On some systems, querying the group database for all of a user's
groups can be time consuming when querying a network-based group
Most operating systems provide an efficient method of performing
supports efficient group queries on AIX, BSD, HP-UX, Linux and
Only query the group database if the static group list returned
by the kernel has the maximum number of entries.
This is the default behavior in
For example, to cause
to only use the kernel's static list of groups for the user:
Set group_source static
This setting is only available in
version 1.8.7 and higher.
The maximum number of user groups to retrieve from the group database.
Values less than one will be ignored.
This setting is only used when querying the group database directly.
It is intended to be used on systems where it is not possible to detect
when the array to be populated with group entries is not sufficiently large.
will allocate four times the system's maximum number of groups (see above)
and retry with double that number if the group database query fails.
However, some systems just return as many entries as will fit and
do not indicate an error when there is a lack of space.
This setting is only available in
version 1.8.7 and higher.
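.PP
The group_source and max_groups rules above, as an added example that is not sudo's code: the three group_source modes, the starting size of four times the system maximum with doubling on a failed query, and a group database that silently truncates, which is the case max_groups exists for. The fetch callables and the 80-group user are constructed stand-ins for the group database; treating max_groups as a single fixed query size, the bound of 16 doublings and the fallback of 16 when sysconf does not report NGROUPS_MAX are the example's assumptions.

```python
"""Added example, not sudo's code: the group_source and max_groups behaviour
described on this page (static/dynamic/adaptive selection, 4*NGROUPS_MAX
start size with doubling on failure, silent truncation and max_groups)."""
import os


def kernel_group_limit():
    """The system's maximum number of supplementary groups (NGROUPS_MAX).
    Assumption: fall back to 16, the compatibility value the page mentions,
    when sysconf does not provide it."""
    try:
        return os.sysconf("SC_NGROUPS_MAX")
    except (ValueError, OSError):
        return 16


def query_with_retry(fetch, ngroups_max, max_groups=0):
    """Query the group database as the page describes: start with four times
    NGROUPS_MAX entries and double on failure. Assumption: a max_groups >= 1 is
    used as the one and only size (values below one are ignored, as on the page).
    fetch(capacity) stands in for the group database call and must raise
    OverflowError when capacity is too small (like a libc call failing with ERANGE)."""
    if max_groups >= 1:
        return fetch(max_groups)
    capacity = 4 * ngroups_max
    for _ in range(16):                  # bounded so a broken database cannot loop forever
        try:
            return fetch(capacity)
        except OverflowError:
            capacity *= 2
    raise RuntimeError("group list did not fit after repeated doubling")


def select_group_list(setting, kernel_groups, ngroups_max, fetch, max_groups=0):
    """The three group_source modes. kernel_groups is the list the kernel returns
    (e.g. os.getgroups()); a list that is full to NGROUPS_MAX may be incomplete."""
    if setting == "static":
        return list(kernel_groups)
    if setting == "dynamic":
        return query_with_retry(fetch, ngroups_max, max_groups)
    if setting == "adaptive":
        if len(kernel_groups) >= ngroups_max:
            return query_with_retry(fetch, ngroups_max, max_groups)
        return list(kernel_groups)
    raise ValueError(f"unknown group_source {setting!r}")


def make_group_db(groups, reports_overflow):
    """Constructed stand-in for the group database. With reports_overflow=False it
    behaves like the systems the page warns about: it returns as many entries as
    fit and signals nothing, so the caller cannot tell the list was cut short."""
    def fetch(capacity):
        if len(groups) > capacity:
            if reports_overflow:
                raise OverflowError(f"{len(groups)} groups do not fit in {capacity}")
            return list(groups[:capacity])
        return list(groups)
    return fetch


def local_group_summary():
    """Where this process sits relative to the limit, i.e. whether adaptive mode
    would fall back to the group database for the current user."""
    groups, limit = os.getgroups(), kernel_group_limit()
    return {"kernel_groups": len(groups), "ngroups_max": limit, "at_limit": len(groups) >= limit}


if __name__ == "__main__":
    many = list(range(1000, 1080))       # constructed: a user in 80 groups, limit 16
    print(len(query_with_retry(make_group_db(many, True), 16)))            # 80
    print(len(query_with_retry(make_group_db(many, False), 16)))           # 64, silently short
    print(len(query_with_retry(make_group_db(many, False), 16, 128)))      # 80 with max_groups
    print(local_group_summary())
```

.PP
The truncating database shows why the setting matters: with the default sizing the query returns 64 entries and no error, so groups beyond the 64th never reach the policy plugin and a rule keyed on one of them silently fails to match. Setting max_groups above the largest real membership count closes that gap on such systems.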
will probe the system's network interfaces and pass the IP address
of each enabled interface to the policy plugin. This makes it
possible for the plugin to match rules based on the IP address
without having to query DNS. On Linux systems with a large number
of virtual interfaces, this may take a non-negligible amount of time.
If IP-based matching is not required, network interface probing
can be disabled as follows:
Set probe_interfaces false
This setting is only available in
version 1.8.10 and higher.
versions 1.8.4 and higher support a flexible debugging framework
that can help track down what
is doing internally if there is a problem.
keyword, followed by the name of the program (or plugin) to debug
(\fBsudo\fR, \fBvisudo\fR, \fBsudoreplay\fR, \fBsudoers\fR),
the debug file name and a comma-separated list of debug flags. The
debug flag syntax used by
\fIsubsystem\fR@\fIpriority\fR
but a plugin is free to use a different format so long as it does
Debug sudo /var/log/sudo_debug all@warn,plugin@info
would log all debugging statements at the
level and higher in addition to those at the
level for the plugin subsystem.
entries may be specified per program.
only support a single
entries are also supported starting with
1.8.12 and are matched by either the base name of the plugin that was loaded
or by the plugin's fully-qualified path name.
plugin shared the same
front end and could not be configured separately.
The following priorities are supported, in order of decreasing severity:
\fIcrit\fR, \fIerr\fR, \fIwarn\fR, \fInotice\fR, \fIdiag\fR, \fIinfo\fR, \fItrace\fR
Each priority, when specified, also includes all priorities higher
than it. For example, a priority of
would include debug messages logged at
also include function call tracing which logs when a function is
entered and when it returns.
For example, the following trace is for the get_user_groups()
function located in src/sudo.c:
sudo[123] -> get_user_groups @ src/sudo.c:385
sudo[123] <- get_user_groups @ src/sudo.c:429 := groups=10,0,5
When the function is entered, indicated by a right arrow
the program, process ID, function, source file and line number
When the function returns, indicated by a left arrow
the same information is logged along with the return value.
In this case, the return value is a string.
The following subsystems are used by the
matches every subsystem
command line argument processing
network interface handling
communication with the plugin
pseudo-tty related code
SELinux-specific handling
plugin includes support for additional subsystems.
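.PP
The Debug flag semantics of this section (subsystem@priority flags, a configured priority admitting every more severe one, all matching every subsystem, and plugin entries matched by base name or fully-qualified path) together with a parser for the trace line format shown above, as an added example that is not sudo's code. The priority order is the one listed above with debug, sudo's lowest priority, appended after trace; the subsystem names used in the calls are illustrative labels, not a claim about sudo's internal names.

```python
"""Added example, not sudo's code: Debug flag matching as described on this page
(subsystem@priority, severity ordering, the 'all' pseudo-subsystem, plugin entry
matching) and a parser for the function-call trace lines shown above."""
import os
import re

# Decreasing severity, as listed on the page; sudo's lowest priority, debug,
# is appended after trace (it is not in the page's list).
PRIORITIES = ["crit", "err", "warn", "notice", "diag", "info", "trace", "debug"]


def parse_debug_flags(flags):
    """'all@warn,plugin@info' -> {'all': 'warn', 'plugin': 'info'}.
    Raises ValueError for a flag that is not subsystem@priority with a known priority."""
    spec = {}
    for flag in flags.split(","):
        if "@" not in flag:
            raise ValueError(f"bad debug flag {flag!r}: expected subsystem@priority")
        subsystem, priority = flag.split("@", 1)
        if priority not in PRIORITIES:
            raise ValueError(f"unknown priority {priority!r} in {flag!r}")
        spec[subsystem] = priority
    return spec


def should_log(flags, subsystem, priority):
    """True if a message for subsystem at priority passes the Debug line.
    A configured priority includes every more severe one, and 'all' applies
    to every subsystem, so the most verbose matching entry decides."""
    spec = parse_debug_flags(flags)
    level = PRIORITIES.index(priority)
    return any(level <= PRIORITIES.index(spec[key]) for key in (subsystem, "all") if key in spec)


TRACE_RE = re.compile(r"^(?P<prog>\w+)\[(?P<pid>\d+)\] (?P<dir>->|<-) (?P<func>\w+) "
                      r"@ (?P<file>\S+):(?P<line>\d+)(?: := (?P<ret>.*))?$")


def parse_trace_line(line):
    """Parse the trace format shown above: '->' marks function entry, '<-' marks
    return, and ':= value' on the '<-' line carries the return value."""
    m = TRACE_RE.match(line)
    if not m:
        return None
    d = m.groupdict()
    d["pid"], d["line"] = int(d["pid"]), int(d["line"])
    d["event"] = "enter" if d.pop("dir") == "->" else "return"
    return d


def debug_entry_matches(entry_name, plugin_path):
    """Debug entries for a plugin (1.8.12 and higher) match either the base name
    of the loaded object or its fully-qualified path."""
    return entry_name in (plugin_path, os.path.basename(plugin_path))


# Constructed input: the page's two trace lines plus one unrelated line.
SAMPLE_TRACE = """\
sudo[123] -> get_user_groups @ src/sudo.c:385
sudo[123] <- get_user_groups @ src/sudo.c:429 := groups=10,0,5
not a trace line
"""

if __name__ == "__main__":
    print(should_log("all@warn,plugin@info", "plugin", "info"))   # True
    print(should_log("all@warn,plugin@info", "pty", "info"))      # False
    for ln in SAMPLE_TRACE.splitlines():
        print(parse_trace_line(ln))
```

.PP
The trace lines carry function arguments and return values (here the user's group list), so the debug file should be treated with the same care as the core dumps the disable_coredump setting exists for: keep it at a path only root can read.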
front end configuration
# Default /etc/sudo.conf file
# Plugin plugin_name plugin_path plugin_options ...
# Path askpass /path/to/askpass
# Path noexec /path/to/sudo_noexec.so
# Debug sudo /var/log/sudo_debug all@warn
# Set disable_coredump true
# The plugin_path is relative to /usr/local/libexec/sudo unless
# The plugin_name corresponds to a global symbol in the plugin
# that contains the plugin interface structure.
# The plugin_options are optional.
# The sudoers plugin is used by default if no Plugin lines are
Plugin sudoers_policy sudoers.so
Plugin sudoers_io sudoers.so
# An askpass helper program may be specified to provide a graphical
# password prompt for "sudo -A" support. Sudo does not ship with
# its own askpass program but can use the OpenSSH askpass.
# Use the OpenSSH askpass
#Path askpass /usr/X11R6/bin/ssh-askpass
# Use the Gnome OpenSSH askpass
#Path askpass /usr/libexec/openssh/gnome-ssh-askpass
# Path to a shared library containing dummy versions of the execv(),
# execve() and fexecve() library functions that just return an error.
# This is used to implement the "noexec" functionality on systems that
# support LD_PRELOAD or its equivalent.
# The compiled-in value is usually sufficient and should only be
# changed if you rename or move the sudo_noexec.so file.
#Path noexec /usr/local/libexec/sudo/sudo_noexec.so
# By default, sudo disables core dumps while it is executing
# (they are re-enabled for the command that is run).
# To aid in debugging sudo problems, you may wish to enable core
# dumps by setting "disable_coredump" to false.
#Set disable_coredump false
# Sudo passes the user's group list to the policy plugin.
# If the user is a member of the maximum number of groups (usually 16),
# sudo will query the group database directly to be sure to include
# the full list of groups.
# On some systems, this can be expensive so the behavior is configurable.
# The "group_source" setting has three possible values:
# static - use the user's list of groups returned by the kernel.
# dynamic - query the group database to find the list of groups.
# adaptive - if user is in less than the maximum number of groups,
#            use the kernel list, else query the group database.
#Set group_source static
See the HISTORY file in the
distribution (https://www.sudo.ws/history.html) for a brief
Many people have worked on
over the years; this version consists of code written primarily by:
See the CONTRIBUTORS file in the
distribution (https://www.sudo.ws/contributors.html) for an
exhaustive list of people who have contributed to
If you feel you have found a bug in
please submit a bug report at https://bugzilla.sudo.ws/
Limited free support is available via the sudo-users mailing list,
see https://www.sudo.ws/mailman/listinfo/sudo-users to subscribe or
and any express or implied warranties, including, but not limited
to, the implied warranties of merchantability and fitness for a
particular purpose are disclaimed.
See the LICENSE file distributed with
or https://www.sudo.ws/license.html for complete details.