--- /dev/null
+The sudo philosophy
+===================
+Sudo is a program designed to allow a sysadmin to give limited root privileges
+to users and log root activity. The basic philosophy is to give as few
+privileges as possible but still allow people to get their work done.
+
+Where to find sudo
+==================
+Before you try and build sudo, *please* make sure you have the current
+version. The latest sudo may always be gotten via anonymous ftp from
+ftp.sudo.ws in the directory /pub/sudo/ or from the sudo web site,
+http://www.sudo.ws/
+
+The distribution is sudo-M.m.tar.gz where `M' is the major version
+number and `m' is the minor version number. BETA versions of sudo may
+also be available. If you join the `sudo-workers' mailing list you
+will get the BETA announcements (see the `Mailing lists' section below).
+
+What's new
+==========
+See the NEWS file for a list of major changes in this release.
+For a complete list of changes, see the ChangeLog file. For a
+summary of major changes to the current stable release, see the web
+page, http://www.sudo.ws/sudo/stable.html.
+
+If you are upgrading from an earlier version of Sudo, please see
+the UPGRADE file in the doc directory.
+
+For a history of sudo please see the HISTORY file in the doc directory.
+You can find a list of contributors to sudo in the doc/CONTRIBUTORS file.
+
+System requirements
+===================
+To build sudo from the source distribution you need a POSIX-compliant
+operating system (any modern version of BSD, Linux or Unix should
+work), an ANSI/ISO C compiler that supports variadic marcos (a C99
+feature) and the ar, make and ranlib utilities.
+
+If you wish to modify the parser then you will need flex version
+2.5.2 or later and either bison or byacc (sudo comes with a pre-flex'd
+tokenizer and pre-yacc'd grammar parser). You'll also have to
+uncomment a few lines from the Makefile or run configure with the
+--with-devel option. You can get flex from http://flex.sourceforge.net/.
+You can get GNU bison from ftp://ftp.gnu.org/pub/gnu/bison/ or any
+GNU mirror.
+
+Building the release
+====================
+Please read the installation guide in the `INSTALL' file before
+trying to build sudo. Pay special attention to the "OS dependent notes"
+section.
+
+Copyright
+=========
+Sudo is distributed under an ISC-style license.
+Please refer to the `LICENSE' file included with the release for details.
+
+Mailing lists
+=============
+sudo-announce This list receives announcements whenever a new version
+ of sudo is released.
+ http://www.sudo.ws/mailman/listinfo/sudo-announce
+
+sudo-users This list is for questions and general discussion about sudo.
+ http://www.sudo.ws/mailman/listinfo/sudo-users
+
+sudo-workers This list is for people working on and porting sudo.
+ http://www.sudo.ws/mailman/listinfo/sudo-workers
+
+sudo-commits This list receives a message for each commit made to
+ the sudo source repository.
+ http://www.sudo.ws/mailman/listinfo/sudo-commits
+
+To subscribe to a list, visit its url (as listed above) and enter
+your email address to subscribe. Digest versions are available but
+these are fairly low traffic lists so the digest versions are not
+a significant win.
+
+Mailing list archives are also available. See the mailing list web sites
+for the appropriate links.
+
+Web page
+========
+There is a sudo web page at http://www.sudo.ws/ that contains
+an overview of sudo, documentation, downloads, information about
+beta versions and other useful info.
+
+Bug reports
+===========
+If you have found what you believe to be a bug, you can file a bug
+report in the sudo bug database, on the web at http://www.sudo.ws/bugs/.
+
+Please read over the `TROUBLESHOOTING' file in the doc directory *before*
+submitting a bug report. When reporting bugs, please be sure to include
+the version of sudo you are using as well as the platform you are running
+it on.
-sudo 1.6.6 ¤Î man ¥Ú¡¼¥¸¤Ï ./configure ¥³¥Þ¥ó¥É¤Ç
+sudo 1.8.4p4 ¤Î man ¥Ú¡¼¥¸¤Ï ./configure ¥³¥Þ¥ó¥É¤Ç
À¸À®¤µ¤ì¤ë¤è¤¦¤Ë¤Ê¤Ã¤Æ¤¤¤Þ¤¹¡£
¤³¤Î¥Ç¥£¥ì¥¯¥È¥ê°Ê²¼¤ËÃÖ¤¤¤¿³Æ man ¥Ú¡¼¥¸¤Ï¡¢
-Debian GNU Linux 3.0 ¤Î´Ä¶¤Ç¡¢¥Õ¥é¥°¤ò»ØÄꤻ¤º¤Ë
-./configure ¤ò¼Â¹Ô¤·¤ÆÀ¸À®¤µ¤ì¤¿¤â¤Î¤Ç¤¹¡£
+Ubuntu 12.04 ¤Î´Ä¶¤Ç¡¢¥Õ¥é¥°¤ò»ØÄꤻ¤º¤Ë
+./configure && cd doc && make ¤ò¼Â¹Ô¤·¤ÆÀ¸À®¤µ¤ì¤¿¤â¤Î¤Ç¤¹¡£
-2002-09-11 NAKANO Takeo
+2012-04-03 Akihiro MOTOKI
-.\" Copyright (c) 1994-1996, 1998-2005, 2007-2009
+.\" Copyright (c) 1994-1996, 1998-2005, 2007-2012
.\" Todd C. Miller <Todd.Miller@courtesan.com>
.\"
.\" Permission to use, copy, modify, and distribute this software for any
.\" Agency (DARPA) and Air Force Research Laboratory, Air Force
.\" Materiel Command, USAF, under agreement number F39502-99-1-0512.
.\"
-.\" $Sudo: sudoers.man.in,v 1.80 2009/06/30 12:41:09 millert Exp $
-.\" Automatically generated by Pod::Man 2.16 (Pod::Simple 3.05)
+.nr SL 0
+.nr BA 0
+.nr LC 0
+.\"
+.\" Automatically generated by Pod::Man 2.23 (Pod::Simple 3.14)
.\"
.\" Standard preamble:
.\" ========================================================================
-.de Sh \" Subsection heading
-.br
-.if t .Sp
-.ne 5
-.PP
-\fB\\$1\fR
-.PP
-..
.de Sp \" Vertical space (when we can't use .PP)
.if t .sp .5v
.if n .sp
.el .ds Aq '
.\"
.\" If the F register is turned on, we'll generate index entries on stderr for
-.\" titles (.TH), headers (.SH), subsections (.Sh), items (.Ip), and index
+.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
.\" entries marked with X<> in POD. Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
.ie \nF \{\
.\" ========================================================================
.\"
.IX Title "SUDOERS 5"
-.TH SUDOERS 5 "June 30, 2009" "1.7.2p1" "MAINTENANCE COMMANDS"
+.TH SUDOERS 5 "February 5, 2012" "1.8.4" "MAINTENANCE COMMANDS"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME"
-sudoers \- list of which users may execute what
+sudoers \- default sudo security policy module
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
+The \fIsudoers\fR policy module determines a user's \fBsudo\fR privileges.
+It is the default \fBsudo\fR policy plugin. The policy is driven by
+the \fI/etc/sudoers\fR file or, optionally in \s-1LDAP\s0. The policy
+format is described in detail in the \*(L"\s-1SUDOERS\s0 \s-1FILE\s0 \s-1FORMAT\s0\*(R"
+section. For information on storing \fIsudoers\fR policy information
+in \s-1LDAP\s0, please see \fIsudoers.ldap\fR\|(5).
+.SS "Authentication and Logging"
+.IX Subsection "Authentication and Logging"
+The \fIsudoers\fR security policy requires that most users authenticate
+themselves before they can use \fBsudo\fR. A password is not required
+if the invoking user is root, if the target user is the same as the
+invoking user, or if the policy has disabled authentication for the
+user or command. Unlike \fIsu\fR\|(1), when \fIsudoers\fR requires
+authentication, it validates the invoking user's credentials, not
+the target user's (or root's) credentials. This can be changed via
+the \fIrootpw\fR, \fItargetpw\fR and \fIrunaspw\fR flags, described later.
+.PP
+If a user who is not listed in the policy tries to run a command
+via \fBsudo\fR, mail is sent to the proper authorities. The address
+used for such mail is configurable via the \fImailto\fR Defaults entry
+(described later) and defaults to \f(CW\*(C`root\*(C'\fR.
+.PP
+Note that mail will not be sent if an unauthorized user tries to
+run \fBsudo\fR with the \fB\-l\fR or \fB\-v\fR option. This allows users to
+determine for themselves whether or not they are allowed to use
+\&\fBsudo\fR.
+.PP
+If \fBsudo\fR is run by root and the \f(CW\*(C`SUDO_USER\*(C'\fR environment variable
+is set, the \fIsudoers\fR policy will use this value to determine who
+the actual user is. This can be used by a user to log commands
+through sudo even when a root shell has been invoked. It also
+allows the \fB\-e\fR option to remain useful even when invoked via a
+sudo-run script or program. Note, however, that the \fIsudoers\fR
+lookup is still done for root, not the user specified by \f(CW\*(C`SUDO_USER\*(C'\fR.
+.PP
+\&\fIsudoers\fR uses time stamp files for credential caching. Once a
+user has been authenticated, a time stamp is updated and the user
+may then use sudo without a password for a short period of time
+(\f(CW\*(C`5\*(C'\fR minutes unless overridden by the \fItimeout\fR option.
+By default, \fIsudoers\fR uses a tty-based time stamp which means that
+there is a separate time stamp for each of a user's login sessions.
+The \fItty_tickets\fR option can be disabled to force the use of a
+single time stamp for all of a user's sessions.
+.PP
+\&\fIsudoers\fR can log both successful and unsuccessful attempts (as well
+as errors) to \fIsyslog\fR\|(3), a log file, or both. By default, \fIsudoers\fR
+will log via \fIsyslog\fR\|(3) but this is changeable via the \fIsyslog\fR
+and \fIlogfile\fR Defaults settings.
+.PP
+\&\fIsudoers\fR also supports logging a command's input and output
+streams. I/O logging is not on by default but can be enabled using
+the \fIlog_input\fR and \fIlog_output\fR Defaults flags as well as the
+\&\f(CW\*(C`LOG_INPUT\*(C'\fR and \f(CW\*(C`LOG_OUTPUT\*(C'\fR command tags.
+.SS "Command Environment"
+.IX Subsection "Command Environment"
+Since environment variables can influence program behavior, \fIsudoers\fR
+provides a means to restrict which variables from the user's
+environment are inherited by the command to be run. There are two
+distinct ways \fIsudoers\fR can deal with environment variables.
+.PP
+By default, the \fIenv_reset\fR option is enabled. This causes commands
+to be executed with a minimal environment containing the \f(CW\*(C`TERM\*(C'\fR,
+\&\f(CW\*(C`PATH\*(C'\fR, \f(CW\*(C`HOME\*(C'\fR, \f(CW\*(C`MAIL\*(C'\fR, \f(CW\*(C`SHELL\*(C'\fR, \f(CW\*(C`LOGNAME\*(C'\fR, \f(CW\*(C`USER\*(C'\fR, \f(CW\*(C`USERNAME\*(C'\fR
+and \f(CW\*(C`SUDO_*\*(C'\fR variables in addition to variables from the
+invoking process permitted by the \fIenv_check\fR and \fIenv_keep\fR
+options. This is effectively a whitelist for environment variables.
+.PP
+If, however, the \fIenv_reset\fR option is disabled, any variables not
+explicitly denied by the \fIenv_check\fR and \fIenv_delete\fR options are
+inherited from the invoking process. In this case, \fIenv_check\fR
+and \fIenv_delete\fR behave like a blacklist. Since it is not possible
+to blacklist all potentially dangerous environment variables, use
+of the default \fIenv_reset\fR behavior is encouraged.
+.PP
+In all cases, environment variables with a value beginning with
+\&\f(CW\*(C`()\*(C'\fR are removed as they could be interpreted as \fBbash\fR functions.
+The list of environment variables that \fBsudo\fR allows or denies is
+contained in the output of \f(CW\*(C`sudo \-V\*(C'\fR when run as root.
+.PP
+Note that the dynamic linker on most operating systems will remove
+variables that can control dynamic linking from the environment of
+setuid executables, including \fBsudo\fR. Depending on the operating
+system this may include \f(CW\*(C`_RLD*\*(C'\fR, \f(CW\*(C`DYLD_*\*(C'\fR, \f(CW\*(C`LD_*\*(C'\fR, \f(CW\*(C`LDR_*\*(C'\fR,
+\&\f(CW\*(C`LIBPATH\*(C'\fR, \f(CW\*(C`SHLIB_PATH\*(C'\fR, and others. These type of variables are
+removed from the environment before \fBsudo\fR even begins execution
+and, as such, it is not possible for \fBsudo\fR to preserve them.
+.PP
+As a special case, if \fBsudo\fR's \fB\-i\fR option (initial login) is
+specified, \fIsudoers\fR will initialize the environment regardless
+of the value of \fIenv_reset\fR. The \fI\s-1DISPLAY\s0\fR, \fI\s-1PATH\s0\fR and \fI\s-1TERM\s0\fR
+variables remain unchanged; \fI\s-1HOME\s0\fR, \fI\s-1MAIL\s0\fR, \fI\s-1SHELL\s0\fR, \fI\s-1USER\s0\fR,
+and \fI\s-1LOGNAME\s0\fR are set based on the target user. On Linux and \s-1AIX\s0
+systems the contents of \fI/etc/environment\fR are also included. All
+other environment variables are removed.
+.PP
+Lastly, if the \fIenv_file\fR option is defined, any variables present
+in that file will be set to their specified values.
+.SH "SUDOERS FILE FORMAT"
+.IX Header "SUDOERS FILE FORMAT"
The \fIsudoers\fR file is composed of two types of entries: aliases
(basically variables) and user specifications (which specify who
may run what).
The \fIsudoers\fR grammar will be described below in Extended Backus-Naur
Form (\s-1EBNF\s0). Don't despair if you don't know what \s-1EBNF\s0 is; it is
fairly simple, and the definitions below are annotated.
-.Sh "Quick guide to \s-1EBNF\s0"
+.SS "Quick guide to \s-1EBNF\s0"
.IX Subsection "Quick guide to EBNF"
\&\s-1EBNF\s0 is a concise and exact way of describing the grammar of a language.
Each \s-1EBNF\s0 definition is made up of \fIproduction rules\fR. E.g.,
Parentheses may be used to group symbols together. For clarity,
we will use single quotes ('') to designate what is a verbatim character
string (as opposed to a symbol name).
-.Sh "Aliases"
+.SS "Aliases"
.IX Subsection "Aliases"
There are four kinds of aliases: \f(CW\*(C`User_Alias\*(C'\fR, \f(CW\*(C`Runas_Alias\*(C'\fR,
\&\f(CW\*(C`Host_Alias\*(C'\fR and \f(CW\*(C`Cmnd_Alias\*(C'\fR.
\& User_List ::= User |
\& User \*(Aq,\*(Aq User_List
\&
-\& User ::= \*(Aq!\*(Aq* username |
-\& \*(Aq!\*(Aq* \*(Aq#\*(Aquid |
-\& \*(Aq!\*(Aq* \*(Aq%\*(Aqgroup |
-\& \*(Aq!\*(Aq* \*(Aq+\*(Aqnetgroup |
-\& \*(Aq!\*(Aq* \*(Aq%:\*(Aqnonunix_group |
+\& User ::= \*(Aq!\*(Aq* user name |
+\& \*(Aq!\*(Aq* #uid |
+\& \*(Aq!\*(Aq* %group |
+\& \*(Aq!\*(Aq* %#gid |
+\& \*(Aq!\*(Aq* +netgroup |
+\& \*(Aq!\*(Aq* %:nonunix_group |
+\& \*(Aq!\*(Aq* %:#nonunix_gid |
\& \*(Aq!\*(Aq* User_Alias
.Ve
.PP
-A \f(CW\*(C`User_List\*(C'\fR is made up of one or more usernames, uids (prefixed
-with '#'), system groups (prefixed with '%'), netgroups (prefixed
-with '+') and \f(CW\*(C`User_Alias\*(C'\fRes. Each list item may be prefixed with
-zero or more '!' operators. An odd number of '!' operators negate
-the value of the item; an even number just cancel each other out.
-.PP
-A \f(CW\*(C`username\*(C'\fR, \f(CW\*(C`group\*(C'\fR, \f(CW\*(C`netgroup\*(C'\fR and \f(CW\*(C`nonunix_groups\*(C'\fR may
-be enclosed in double quotes to avoid the need for escaping special
-characters. Alternately, special characters may be specified in
-escaped hex mode, e.g. \ex20 for space.
-.PP
-The \f(CW\*(C`nonunix_group\*(C'\fR syntax depends on the underlying implementation.
-For instance, the \s-1QAS\s0 \s-1AD\s0 backend supports the following formats:
+A \f(CW\*(C`User_List\*(C'\fR is made up of one or more user names, user ids
+(prefixed with '#'), system group names and ids (prefixed with '%'
+and '%#' respectively), netgroups (prefixed with '+'), non-Unix
+group names and IDs (prefixed with '%:' and '%:#' respectively) and
+\&\f(CW\*(C`User_Alias\*(C'\fRes. Each list item may be prefixed with zero or more
+\&'!' operators. An odd number of '!' operators negate the value of
+the item; an even number just cancel each other out.
+.PP
+A \f(CW\*(C`user name\*(C'\fR, \f(CW\*(C`uid\*(C'\fR, \f(CW\*(C`group\*(C'\fR, \f(CW\*(C`gid\*(C'\fR, \f(CW\*(C`netgroup\*(C'\fR, \f(CW\*(C`nonunix_group\*(C'\fR
+or \f(CW\*(C`nonunix_gid\*(C'\fR may be enclosed in double quotes to avoid the
+need for escaping special characters. Alternately, special characters
+may be specified in escaped hex mode, e.g. \ex20 for space. When
+using double quotes, any prefix characters must be included inside
+the quotes.
+.PP
+The actual \f(CW\*(C`nonunix_group\*(C'\fR and \f(CW\*(C`nonunix_gid\*(C'\fR syntax depends on
+the underlying group provider plugin (see the \fIgroup_plugin\fR
+description below). For instance, the \s-1QAS\s0 \s-1AD\s0 plugin supports the
+following formats:
.IP "\(bu" 4
Group in the same domain: \*(L"Group Name\*(R"
.IP "\(bu" 4
.IP "\(bu" 4
Group \s-1SID:\s0 \*(L"S\-1\-2\-34\-5678901234\-5678901234\-5678901234\-567\*(R"
.PP
-Note that quotes around group names are optional. Unquoted strings must
-use a backslash (\e) to escape spaces and the '@' symbol.
+Note that quotes around group names are optional. Unquoted strings
+must use a backslash (\e) to escape spaces and special characters.
+See \*(L"Other special characters and reserved words\*(R" for a list of
+characters that need to be escaped.
.PP
.Vb 2
\& Runas_List ::= Runas_Member |
\& Runas_Member \*(Aq,\*(Aq Runas_List
\&
-\& Runas_Member ::= \*(Aq!\*(Aq* username |
-\& \*(Aq!\*(Aq* \*(Aq#\*(Aquid |
-\& \*(Aq!\*(Aq* \*(Aq%\*(Aqgroup |
+\& Runas_Member ::= \*(Aq!\*(Aq* user name |
+\& \*(Aq!\*(Aq* #uid |
+\& \*(Aq!\*(Aq* %group |
+\& \*(Aq!\*(Aq* %#gid |
+\& \*(Aq!\*(Aq* %:nonunix_group |
+\& \*(Aq!\*(Aq* %:#nonunix_gid |
\& \*(Aq!\*(Aq* +netgroup |
\& \*(Aq!\*(Aq* Runas_Alias
.Ve
.PP
A \f(CW\*(C`Runas_List\*(C'\fR is similar to a \f(CW\*(C`User_List\*(C'\fR except that instead
of \f(CW\*(C`User_Alias\*(C'\fRes it can contain \f(CW\*(C`Runas_Alias\*(C'\fRes. Note that
-usernames and groups are matched as strings. In other words, two
+user names and groups are matched as strings. In other words, two
users (groups) with the same uid (gid) are considered to be distinct.
-If you wish to match all usernames with the same uid (e.g.\ root
+If you wish to match all user names with the same uid (e.g.\ root
and toor), you can use a uid instead (#0 in the example given).
.PP
.Vb 2
\& Host_List ::= Host |
\& Host \*(Aq,\*(Aq Host_List
\&
-\& Host ::= \*(Aq!\*(Aq* hostname |
+\& Host ::= \*(Aq!\*(Aq* host name |
\& \*(Aq!\*(Aq* ip_addr |
\& \*(Aq!\*(Aq* network(/netmask)? |
-\& \*(Aq!\*(Aq* \*(Aq+\*(Aqnetgroup |
+\& \*(Aq!\*(Aq* +netgroup |
\& \*(Aq!\*(Aq* Host_Alias
.Ve
.PP
-A \f(CW\*(C`Host_List\*(C'\fR is made up of one or more hostnames, \s-1IP\s0 addresses,
+A \f(CW\*(C`Host_List\*(C'\fR is made up of one or more host names, \s-1IP\s0 addresses,
network numbers, netgroups (prefixed with '+') and other aliases.
Again, the value of an item may be negated with the '!' operator.
If you do not specify a netmask along with the network number,
interfaces, the corresponding netmask will be used. The netmask
may be specified either in standard \s-1IP\s0 address notation
(e.g.\ 255.255.255.0 or ffff:ffff:ffff:ffff::),
-or \s-1CIDR\s0 notation (number of bits, e.g.\ 24 or 64). A hostname may
+or \s-1CIDR\s0 notation (number of bits, e.g.\ 24 or 64). A host name may
include shell-style wildcards (see the Wildcards section below),
-but unless the \f(CW\*(C`hostname\*(C'\fR command on your machine returns the fully
-qualified hostname, you'll need to use the \fIfqdn\fR option for
-wildcards to be useful.
+but unless the \f(CW\*(C`host name\*(C'\fR command on your machine returns the fully
+qualified host name, you'll need to use the \fIfqdn\fR option for
+wildcards to be useful. Note \fBsudo\fR only inspects actual network
+interfaces; this means that \s-1IP\s0 address 127.0.0.1 (localhost) will
+never match. Also, the host name \*(L"localhost\*(R" will only match if
+that is the actual host name, which is usually only the case for
+non-networked systems.
.PP
.Vb 2
\& Cmnd_List ::= Cmnd |
\& Cmnd \*(Aq,\*(Aq Cmnd_List
\&
-\& commandname ::= filename |
-\& filename args |
-\& filename \*(Aq""\*(Aq
+\& commandname ::= file name |
+\& file name args |
+\& file name \*(Aq""\*(Aq
\&
\& Cmnd ::= \*(Aq!\*(Aq* commandname |
\& \*(Aq!\*(Aq* directory |
.Ve
.PP
A \f(CW\*(C`Cmnd_List\*(C'\fR is a list of one or more commandnames, directories, and other
-aliases. A commandname is a fully qualified filename which may include
+aliases. A commandname is a fully qualified file name which may include
shell-style wildcards (see the Wildcards section below). A simple
-filename allows the user to run the command with any arguments he/she
+file name allows the user to run the command with any arguments he/she
wishes. However, you may also specify command line arguments (including
wildcards). Alternately, you can specify \f(CW""\fR to indicate that the command
may only be run \fBwithout\fR command line arguments. A directory is a
-fully qualified pathname ending in a '/'. When you specify a directory
+fully qualified path name ending in a '/'. When you specify a directory
in a \f(CW\*(C`Cmnd_List\*(C'\fR, the user will be able to run any file within that directory
(but not in any subdirectories therein).
.PP
is used to permit a user to run \fBsudo\fR with the \fB\-e\fR option (or
as \fBsudoedit\fR). It may take command line arguments just as
a normal command does.
-.Sh "Defaults"
+.SS "Defaults"
.IX Subsection "Defaults"
Certain configuration options may be changed from their default
values at runtime via one or more \f(CW\*(C`Default_Entry\*(C'\fR lines. These
defaults.
.PP
See \*(L"\s-1SUDOERS\s0 \s-1OPTIONS\s0\*(R" for a list of supported Defaults parameters.
-.Sh "User Specification"
+.SS "User Specification"
.IX Subsection "User Specification"
.Vb 2
\& User_Spec ::= User_List Host_List \*(Aq=\*(Aq Cmnd_Spec_List \e
\& Cmnd_Spec_List ::= Cmnd_Spec |
\& Cmnd_Spec \*(Aq,\*(Aq Cmnd_Spec_List
\&
-\& Cmnd_Spec ::= Runas_Spec? Tag_Spec* Cmnd
+.ie \n(SL \& Cmnd_Spec ::= Runas_Spec? SELinux_Spec? Tag_Spec* Cmnd
+.el \& Cmnd_Spec ::= Runas_Spec? Tag_Spec* Cmnd
\&
\& Runas_Spec ::= \*(Aq(\*(Aq Runas_List? (\*(Aq:\*(Aq Runas_List)? \*(Aq)\*(Aq
\&
+.if \n(SL \{\
+\& SELinux_Spec ::= (\*(AqROLE=role\*(Aq | \*(AqTYPE=type\*(Aq)
+\&
+\}
\& Tag_Spec ::= (\*(AqNOPASSWD:\*(Aq | \*(AqPASSWD:\*(Aq | \*(AqNOEXEC:\*(Aq | \*(AqEXEC:\*(Aq |
-\& \*(AqSETENV:\*(Aq | \*(AqNOSETENV:\*(Aq )
+\& \*(AqSETENV:\*(Aq | \*(AqNOSETENV:\*(Aq | \*(AqLOG_INPUT:\*(Aq | \*(AqNOLOG_INPUT:\*(Aq |
+\& \*(AqLOG_OUTPUT:\*(Aq | \*(AqNOLOG_OUTPUT:\*(Aq)
.Ve
.PP
A \fBuser specification\fR determines which commands a user may run
(and as what user) on specified hosts. By default, commands are
run as \fBroot\fR, but this can be changed on a per-command basis.
.PP
-The basic structure of a user specification is `who = where (as_whom)
+The basic structure of a user specification is `who where = (as_whom)
what'. Let's break that down into its constituent parts:
-.Sh "Runas_Spec"
+.SS "Runas_Spec"
.IX Subsection "Runas_Spec"
A \f(CW\*(C`Runas_Spec\*(C'\fR determines the user and/or the group that a command
may be run as. A fully-specified \f(CW\*(C`Runas_Spec\*(C'\fR consists of two
\&\fI/usr/bin/lprm\fR \*(-- but only as \fBoperator\fR. E.g.,
.PP
.Vb 1
-\& $ sudo \-u operator /bin/ls.
+\& $ sudo \-u operator /bin/ls
.Ve
.PP
It is also possible to override a \f(CW\*(C`Runas_Spec\*(C'\fR later on in an
\& /usr/bin/lprm
.Ve
.PP
+Note that while the group portion of the \f(CW\*(C`Runas_Spec\*(C'\fR permits the
+user to run as command with that group, it does not force the user
+to do so. If no group is specified on the command line, the command
+will run with the group listed in the target user's password database
+entry. The following would all be permitted by the sudoers entry above:
+.PP
+.Vb 3
+\& $ sudo \-u operator /bin/ls
+\& $ sudo \-u operator \-g operator /bin/ls
+\& $ sudo \-g operator /bin/ls
+.Ve
+.PP
In the following example, user \fBtcm\fR may run commands that access
-a modem device file with the dialer group. Note that in this example
-only the group will be set, the command still runs as user \fBtcm\fR.
+a modem device file with the dialer group.
.PP
.Vb 2
\& tcm boulder = (:dialer) /usr/bin/tip, /usr/bin/cu, \e
\& /usr/local/bin/minicom
.Ve
-.Sh "Tag_Spec"
+.PP
+Note that in this example only the group will be set, the command
+still runs as user \fBtcm\fR. E.g.
+.PP
+.Vb 1
+\& $ sudo \-g dialer /usr/bin/cu
+.Ve
+.PP
+Multiple users and groups may be present in a \f(CW\*(C`Runas_Spec\*(C'\fR, in
+which case the user may select any combination of users and groups
+via the \fB\-u\fR and \fB\-g\fR options. In this example:
+.PP
+.Vb 1
+\& alan ALL = (root, bin : operator, system) ALL
+.Ve
+.PP
+user \fBalan\fR may run any command as either user root or bin,
+optionally setting the group to operator or system.
+.if \n(SL \{\
+.SS "SELinux_Spec"
+.IX Subsection "SELinux_Spec"
+On systems with SELinux support, \fIsudoers\fR entries may optionally have
+an SELinux role and/or type associated with a command. If a role or
+type is specified with the command it will override any default values
+specified in \fIsudoers\fR. A role or type specified on the command line,
+however, will supercede the values in \fIsudoers\fR.
+\}
+.SS "Tag_Spec"
.IX Subsection "Tag_Spec"
A command may have zero or more tags associated with it. There are
-eight possible tag values, \f(CW\*(C`NOPASSWD\*(C'\fR, \f(CW\*(C`PASSWD\*(C'\fR, \f(CW\*(C`NOEXEC\*(C'\fR, \f(CW\*(C`EXEC\*(C'\fR,
-\&\f(CW\*(C`SETENV\*(C'\fR and \f(CW\*(C`NOSETENV\*(C'\fR.
-Once a tag is set on a \f(CW\*(C`Cmnd\*(C'\fR, subsequent \f(CW\*(C`Cmnd\*(C'\fRs in the
-\&\f(CW\*(C`Cmnd_Spec_List\*(C'\fR, inherit the tag unless it is overridden by the
-opposite tag (i.e.: \f(CW\*(C`PASSWD\*(C'\fR overrides \f(CW\*(C`NOPASSWD\*(C'\fR and \f(CW\*(C`NOEXEC\*(C'\fR
-overrides \f(CW\*(C`EXEC\*(C'\fR).
+eight possible tag values, \f(CW\*(C`NOPASSWD\*(C'\fR, \f(CW\*(C`PASSWD\*(C'\fR, \f(CW\*(C`NOEXEC\*(C'\fR,
+\&\f(CW\*(C`EXEC\*(C'\fR, \f(CW\*(C`SETENV\*(C'\fR, \f(CW\*(C`NOSETENV\*(C'\fR, \f(CW\*(C`LOG_INPUT\*(C'\fR, \f(CW\*(C`NOLOG_INPUT\*(C'\fR,
+\&\f(CW\*(C`LOG_OUTPUT\*(C'\fR and \f(CW\*(C`NOLOG_OUTPUT\*(C'\fR. Once a tag is set on a \f(CW\*(C`Cmnd\*(C'\fR,
+subsequent \f(CW\*(C`Cmnd\*(C'\fRs in the \f(CW\*(C`Cmnd_Spec_List\*(C'\fR, inherit the tag unless
+it is overridden by the opposite tag (i.e.: \f(CW\*(C`PASSWD\*(C'\fR overrides
+\&\f(CW\*(C`NOPASSWD\*(C'\fR and \f(CW\*(C`NOEXEC\*(C'\fR overrides \f(CW\*(C`EXEC\*(C'\fR).
.PP
\fI\s-1NOPASSWD\s0 and \s-1PASSWD\s0\fR
.IX Subsection "NOPASSWD and PASSWD"
.IX Subsection "SETENV and NOSETENV"
.PP
These tags override the value of the \fIsetenv\fR option on a per-command
-basis. Note that if \f(CW\*(C`SETENV\*(C'\fR has been set for a command, any
-environment variables set on the command line way are not subject
-to the restrictions imposed by \fIenv_check\fR, \fIenv_delete\fR, or
-\&\fIenv_keep\fR. As such, only trusted users should be allowed to set
-variables in this manner. If the command matched is \fB\s-1ALL\s0\fR, the
-\&\f(CW\*(C`SETENV\*(C'\fR tag is implied for that command; this default may
-be overridden by use of the \f(CW\*(C`UNSETENV\*(C'\fR tag.
-.Sh "Wildcards"
+basis. Note that if \f(CW\*(C`SETENV\*(C'\fR has been set for a command, the user
+may disable the \fIenv_reset\fR option from the command line via the
+\&\fB\-E\fR option. Additionally, environment variables set on the command
+line are not subject to the restrictions imposed by \fIenv_check\fR,
+\&\fIenv_delete\fR, or \fIenv_keep\fR. As such, only trusted users should
+be allowed to set variables in this manner. If the command matched
+is \fB\s-1ALL\s0\fR, the \f(CW\*(C`SETENV\*(C'\fR tag is implied for that command; this
+default may be overridden by use of the \f(CW\*(C`NOSETENV\*(C'\fR tag.
+.PP
+\fI\s-1LOG_INPUT\s0 and \s-1NOLOG_INPUT\s0\fR
+.IX Subsection "LOG_INPUT and NOLOG_INPUT"
+.PP
+These tags override the value of the \fIlog_input\fR option on a
+per-command basis. For more information, see the description of
+\&\fIlog_input\fR in the \*(L"\s-1SUDOERS\s0 \s-1OPTIONS\s0\*(R" section below.
+.PP
+\fI\s-1LOG_OUTPUT\s0 and \s-1NOLOG_OUTPUT\s0\fR
+.IX Subsection "LOG_OUTPUT and NOLOG_OUTPUT"
+.PP
+These tags override the value of the \fIlog_output\fR option on a
+per-command basis. For more information, see the description of
+\&\fIlog_output\fR in the \*(L"\s-1SUDOERS\s0 \s-1OPTIONS\s0\*(R" section below.
+.SS "Wildcards"
.IX Subsection "Wildcards"
\&\fBsudo\fR allows shell-style \fIwildcards\fR (aka meta or glob characters)
-to be used in hostnames, pathnames and command line arguments in
+to be used in host names, path names and command line arguments in
the \fIsudoers\fR file. Wildcard matching is done via the \fB\s-1POSIX\s0\fR
\&\fIglob\fR\|(3) and \fIfnmatch\fR\|(3) routines. Note that these are \fInot\fR
regular expressions.
\& /bin/ls [[\e:alpha\e:]]*
.Ve
.PP
-Would match any filename beginning with a letter.
+Would match any file name beginning with a letter.
.PP
Note that a forward slash ('/') will \fBnot\fR be matched by
-wildcards used in the pathname. When matching the command
+wildcards used in the path name. When matching the command
line arguments, however, a slash \fBdoes\fR get matched by
wildcards. This is to make a path like:
.PP
.Ve
.PP
match \fI/usr/bin/who\fR but not \fI/usr/bin/X11/xterm\fR.
-.Sh "Exceptions to wildcard rules"
+.SS "Exceptions to wildcard rules"
.IX Subsection "Exceptions to wildcard rules"
The following exceptions apply to the above rules:
.ie n .IP """""" 8
If the empty string \f(CW""\fR is the only command line argument in the
\&\fIsudoers\fR entry it means that command is not allowed to be run
with \fBany\fR arguments.
-.Sh "Including other files from within sudoers"
+.SS "Including other files from within sudoers"
.IX Subsection "Including other files from within sudoers"
It is possible to include other \fIsudoers\fR files from within the
\&\fIsudoers\fR file currently being parsed using the \f(CW\*(C`#include\*(C'\fR and
themselves include other files. A hard limit of 128 nested include
files is enforced to prevent include file loops.
.PP
-The filename may include the \f(CW%h\fR escape, signifying the short form
-of the hostname. I.e., if the machine's hostname is \*(L"xerxes\*(R", then
+If the path to the include file is not fully-qualified (does not
+begin with a \fI/\fR), it must be located in the same directory as the
+sudoers file it was included from. For example, if \fI/etc/sudoers\fR
+contains the line:
+.Sp
+.RS 4
+\&\f(CW\*(C`#include sudoers.local\*(C'\fR
+.RE
+.PP
+the file that will be included is \fI/etc/sudoers.local\fR.
+.PP
+The file name may also include the \f(CW%h\fR escape, signifying the short form
+of the host name. I.e., if the machine's host name is \*(L"xerxes\*(R", then
.PP
\&\f(CW\*(C`#include /etc/sudoers.%h\*(C'\fR
.PP
edit the files in a \f(CW\*(C`#includedir\*(C'\fR directory unless one of them
contains a syntax error. It is still possible to run \fBvisudo\fR
with the \f(CW\*(C`\-f\*(C'\fR flag to edit the files directly.
-.Sh "Other special characters and reserved words"
+.SS "Other special characters and reserved words"
.IX Subsection "Other special characters and reserved words"
The pound sign ('#') is used to indicate a comment (unless it is
part of a #include directive or unless it occurs in the context of
characters in a \fIUser Specification\fR ('=', ':', '(', ')') is optional.
.PP
The following characters must be escaped with a backslash ('\e') when
-used as part of a word (e.g.\ a username or hostname):
-\&'@', '!', '=', ':', ',', '(', ')', '\e'.
+used as part of a word (e.g.\ a user name or host name):
+\&'!', '=', ':', ',', '(', ')', '\e'.
.SH "SUDOERS OPTIONS"
.IX Header "SUDOERS OPTIONS"
\&\fBsudo\fR's behavior can be modified by \f(CW\*(C`Default_Entry\*(C'\fR lines, as
explained earlier. A list of all supported Defaults parameters,
grouped by type, are listed below.
.PP
-\&\fBFlags\fR:
+\&\fBBoolean Flags\fR:
.IP "always_set_home" 16
.IX Item "always_set_home"
-If set, \fBsudo\fR will set the \f(CW\*(C`HOME\*(C'\fR environment variable to the home
-directory of the target user (which is root unless the \fB\-u\fR option is used).
-This effectively means that the \fB\-H\fR option is always implied.
+If enabled, \fBsudo\fR will set the \f(CW\*(C`HOME\*(C'\fR environment variable to the
+home directory of the target user (which is root unless the \fB\-u\fR
+option is used). This effectively means that the \fB\-H\fR option is
+always implied. Note that \f(CW\*(C`HOME\*(C'\fR is already set when the the
+\&\fIenv_reset\fR option is enabled, so \fIalways_set_home\fR is only
+effective for configurations where either \fIenv_reset\fR is disabled
+or \f(CW\*(C`HOME\*(C'\fR is present in the \fIenv_keep\fR list.
This flag is \fIoff\fR by default.
.IP "authenticate" 16
.IX Item "authenticate"
If set, the user may use \fBsudo\fR's \fB\-C\fR option which
overrides the default starting point at which \fBsudo\fR begins
closing open file descriptors. This flag is \fIoff\fR by default.
+.IP "compress_io" 16
+.IX Item "compress_io"
+If set, and \fBsudo\fR is configured to log a command's input or output,
+the I/O logs will be compressed using \fBzlib\fR. This flag is \fIon\fR
+by default when \fBsudo\fR is compiled with \fBzlib\fR support.
.IP "env_editor" 16
.IX Item "env_editor"
If set, \fBvisudo\fR will use the value of the \s-1EDITOR\s0 or \s-1VISUAL\s0
default.
.IP "env_reset" 16
.IX Item "env_reset"
-If set, \fBsudo\fR will reset the environment to only contain the
-\&\s-1LOGNAME\s0, \s-1SHELL\s0, \s-1USER\s0, \s-1USERNAME\s0 and the \f(CW\*(C`SUDO_*\*(C'\fR variables. Any
+If set, \fBsudo\fR will run the command in a minimal environment
+containing the \f(CW\*(C`TERM\*(C'\fR, \f(CW\*(C`PATH\*(C'\fR, \f(CW\*(C`HOME\*(C'\fR, \f(CW\*(C`MAIL\*(C'\fR, \f(CW\*(C`SHELL\*(C'\fR,
+\&\f(CW\*(C`LOGNAME\*(C'\fR, \f(CW\*(C`USER\*(C'\fR, \f(CW\*(C`USERNAME\*(C'\fR and \f(CW\*(C`SUDO_*\*(C'\fR variables. Any
variables in the caller's environment that match the \f(CW\*(C`env_keep\*(C'\fR
-and \f(CW\*(C`env_check\*(C'\fR lists are then added. The default contents of the
-\&\f(CW\*(C`env_keep\*(C'\fR and \f(CW\*(C`env_check\*(C'\fR lists are displayed when \fBsudo\fR is
-run by root with the \fI\-V\fR option. If the \fIsecure_path\fR option
-is set, its value will be used for the \f(CW\*(C`PATH\*(C'\fR environment variable.
-This flag is \fIon\fR by default.
+and \f(CW\*(C`env_check\*(C'\fR lists are then added, followed by any variables
+present in the file specified by the \fIenv_file\fR option (if any).
+The default contents of the \f(CW\*(C`env_keep\*(C'\fR and \f(CW\*(C`env_check\*(C'\fR lists are
+displayed when \fBsudo\fR is run by root with the \fI\-V\fR option. If
+the \fIsecure_path\fR option is set, its value will be used for the
+\&\f(CW\*(C`PATH\*(C'\fR environment variable. This flag is \fIon\fR by
+default.
+.IP "fast_glob" 16
+.IX Item "fast_glob"
+Normally, \fBsudo\fR uses the \fIglob\fR\|(3) function to do shell-style
+globbing when matching path names. However, since it accesses the
+file system, \fIglob\fR\|(3) can take a long time to complete for some
+patterns, especially when the pattern references a network file
+system that is mounted on demand (automounted). The \fIfast_glob\fR
+option causes \fBsudo\fR to use the \fIfnmatch\fR\|(3) function, which does
+not access the file system to do its matching. The disadvantage
+of \fIfast_glob\fR is that it is unable to match relative path names
+such as \fI./ls\fR or \fI../bin/ls\fR. This has security implications
+when path names that include globbing characters are used with the
+negation operator, \f(CW\*(Aq!\*(Aq\fR, as such rules can be trivially bypassed.
+As such, this option should not be used when \fIsudoers\fR contains rules
+that contain negated path names which include globbing characters.
+This flag is \fIoff\fR by default.
.IP "fqdn" 16
.IX Item "fqdn"
-Set this flag if you want to put fully qualified hostnames in the
+Set this flag if you want to put fully qualified host names in the
\&\fIsudoers\fR file. I.e., instead of myhost you would use myhost.mydomain.edu.
You may still use the short form if you wish (and even mix the two).
Beware that turning on \fIfqdn\fR requires \fBsudo\fR to make \s-1DNS\s0 lookups
you must use the host's official name as \s-1DNS\s0 knows it. That is,
you may not use a host alias (\f(CW\*(C`CNAME\*(C'\fR entry) due to performance
issues and the fact that there is no way to get all aliases from
-\&\s-1DNS\s0. If your machine's hostname (as returned by the \f(CW\*(C`hostname\*(C'\fR
+\&\s-1DNS\s0. If your machine's host name (as returned by the \f(CW\*(C`hostname\*(C'\fR
command) is already fully qualified you shouldn't need to set
\&\fIfqdn\fR. This flag is \fIoff\fR by default.
.IP "ignore_dot" 16
password. This flag is \fIoff\fR by default.
.IP "log_host" 16
.IX Item "log_host"
-If set, the hostname will be logged in the (non-syslog) \fBsudo\fR log file.
+If set, the host name will be logged in the (non-syslog) \fBsudo\fR log file.
This flag is \fIoff\fR by default.
+.IP "log_input" 16
+.IX Item "log_input"
+If set, \fBsudo\fR will run the command in a \fIpseudo tty\fR and log all
+user input.
+If the standard input is not connected to the user's tty, due to
+I/O redirection or because the command is part of a pipeline, that
+input is also captured and stored in a separate log file.
+.Sp
+Input is logged to the directory specified by the \fIiolog_dir\fR
+option (\fI/var/log/sudo-io\fR by default) using a unique session \s-1ID\s0 that
+is included in the normal \fBsudo\fR log line, prefixed with \fITSID=\fR.
+The \fIiolog_file\fR option may be used to control the format of the
+session \s-1ID\s0.
+.Sp
+Note that user input may contain sensitive information such as
+passwords (even if they are not echoed to the screen), which will
+be stored in the log file unencrypted. In most cases, logging the
+command output via \fIlog_output\fR is all that is required.
+.IP "log_output" 16
+.IX Item "log_output"
+If set, \fBsudo\fR will run the command in a \fIpseudo tty\fR and log all
+output that is sent to the screen, similar to the \fIscript\fR\|(1) command.
+If the standard output or standard error is not connected to the
+user's tty, due to I/O redirection or because the command is part
+of a pipeline, that output is also captured and stored in separate
+log files.
+.Sp
+Output is logged to the directory specified by the \fIiolog_dir\fR
+option (\fI/var/log/sudo-io\fR by default) using a unique session \s-1ID\s0 that
+is included in the normal \fBsudo\fR log line, prefixed with \fITSID=\fR.
+The \fIiolog_file\fR option may be used to control the format of the
+session \s-1ID\s0.
+.Sp
+Output logs may be viewed with the \fIsudoreplay\fR\|(8) utility, which
+can also be used to list or search the available logs.
.IP "log_year" 16
.IX Item "log_year"
If set, the four-digit year will be logged in the (non-syslog) \fBsudo\fR log file.
This flag is \fIoff\fR by default.
.IP "long_otp_prompt" 16
.IX Item "long_otp_prompt"
-When validating with a One Time Password (\s-1OPT\s0) scheme such as
+When validating with a One Time Password (\s-1OTP\s0) scheme such as
\&\fBS/Key\fR or \fB\s-1OPIE\s0\fR, a two-line prompt is used to make it easier
to cut and paste the challenge to a local window. It's not as
pretty as the default but some people find it more convenient. This
.IP "passprompt_override" 16
.IX Item "passprompt_override"
The password prompt specified by \fIpassprompt\fR will normally only
-be used if the passwod prompt provided by systems such as \s-1PAM\s0 matches
+be used if the password prompt provided by systems such as \s-1PAM\s0 matches
the string \*(L"Password:\*(R". If \fIpassprompt_override\fR is set, \fIpassprompt\fR
will always be used. This flag is \fIoff\fR by default.
.IP "preserve_groups" 16
If set, root is allowed to run \fBsudo\fR too. Disabling this prevents users
from \*(L"chaining\*(R" \fBsudo\fR commands to get a root shell by doing something
like \f(CW"sudo sudo /bin/sh"\fR. Note, however, that turning off \fIroot_sudo\fR
-will also prevent root and from running \fBsudoedit\fR.
+will also prevent root from running \fBsudoedit\fR.
Disabling \fIroot_sudo\fR provides no real additional security; it
exists purely for historical reasons.
This flag is \fIon\fR by default.
password of the invoking user. This flag is \fIoff\fR by default.
.IP "set_home" 16
.IX Item "set_home"
-If set and \fBsudo\fR is invoked with the \fB\-s\fR option the \f(CW\*(C`HOME\*(C'\fR
+If enabled and \fBsudo\fR is invoked with the \fB\-s\fR option the \f(CW\*(C`HOME\*(C'\fR
environment variable will be set to the home directory of the target
user (which is root unless the \fB\-u\fR option is used). This effectively
-makes the \fB\-s\fR option imply \fB\-H\fR. This flag is \fIoff\fR by default.
+makes the \fB\-s\fR option imply \fB\-H\fR. Note that \f(CW\*(C`HOME\*(C'\fR is already
+set when the the \fIenv_reset\fR option is enabled, so \fIset_home\fR is
+only effective for configurations where either \fIenv_reset\fR is disabled
+or \f(CW\*(C`HOME\*(C'\fR is present in the \fIenv_keep\fR list.
+This flag is \fIoff\fR by default.
.IP "set_logname" 16
.IX Item "set_logname"
Normally, \fBsudo\fR will set the \f(CW\*(C`LOGNAME\*(C'\fR, \f(CW\*(C`USER\*(C'\fR and \f(CW\*(C`USERNAME\*(C'\fR
change this behavior. This can be done by negating the set_logname
option. Note that if the \fIenv_reset\fR option has not been disabled,
entries in the \fIenv_keep\fR list will override the value of
-\&\fIset_logname\fR. This flag is \fIoff\fR by default.
+\&\fIset_logname\fR. This flag is \fIon\fR by default.
+.IP "set_utmp" 16
+.IX Item "set_utmp"
+When enabled, \fBsudo\fR will create an entry in the utmp (or utmpx)
+file when a pseudo-tty is allocated. A pseudo-tty is allocated by
+\&\fBsudo\fR when the \fIlog_input\fR, \fIlog_output\fR or \fIuse_pty\fR flags
+are enabled. By default, the new entry will be a copy of the user's
+existing utmp entry (if any), with the tty, time, type and pid
+fields updated. This flag is \fIon\fR by default.
.IP "setenv" 16
.IX Item "setenv"
Allow the user to disable the \fIenv_reset\fR option from the command
-line. Additionally, environment variables set via the command line
-are not subject to the restrictions imposed by \fIenv_check\fR,
-\&\fIenv_delete\fR, or \fIenv_keep\fR. As such, only trusted users should
-be allowed to set variables in this manner. This flag is \fIoff\fR
-by default.
+line via the \fB\-E\fR option. Additionally, environment variables set
+via the command line are not subject to the restrictions imposed
+by \fIenv_check\fR, \fIenv_delete\fR, or \fIenv_keep\fR. As such, only
+trusted users should be allowed to set variables in this manner.
+This flag is \fIoff\fR by default.
.IP "shell_noargs" 16
.IX Item "shell_noargs"
If set and \fBsudo\fR is invoked with no arguments it acts as if the
shell is determined by the \f(CW\*(C`SHELL\*(C'\fR environment variable if it is
set, falling back on the shell listed in the invoking user's
/etc/passwd entry if not). This flag is \fIoff\fR by default.
-.IP "fast_glob" 16
-.IX Item "fast_glob"
-Normally, \fBsudo\fR uses the \fIglob\fR\|(3) function to do shell-style
-globbing when matching pathnames. However, since it accesses the
-file system, \fIglob\fR\|(3) can take a long time to complete for some
-patterns, especially when the pattern references a network file
-system that is mounted on demand (automounted). The \fIfast_glob\fR
-option causes \fBsudo\fR to use the \fIfnmatch\fR\|(3) function, which does
-not access the file system to do its matching. The disadvantage
-of \fIfast_glob\fR is that it is unable to match relative pathnames
-such as \fI./ls\fR or \fI../bin/ls\fR. This flag is \fIoff\fR by default.
.IP "stay_setuid" 16
.IX Item "stay_setuid"
Normally, when \fBsudo\fR executes a command the real and effective
function. This flag is \fIoff\fR by default.
.IP "targetpw" 16
.IX Item "targetpw"
-If set, \fBsudo\fR will prompt for the password of the user specified by
-the \fB\-u\fR option (defaults to \f(CW\*(C`root\*(C'\fR) instead of the password of the
-invoking user. Note that this precludes the use of a uid not listed
-in the passwd database as an argument to the \fB\-u\fR option.
-This flag is \fIoff\fR by default.
+If set, \fBsudo\fR will prompt for the password of the user specified
+by the \fB\-u\fR option (defaults to \f(CW\*(C`root\*(C'\fR) instead of the password
+of the invoking user. In addition, the timestamp file name will
+include the target user's name. Note that this flag precludes the
+use of a uid not listed in the passwd database as an argument to
+the \fB\-u\fR option. This flag is \fIoff\fR by default.
.IP "tty_tickets" 16
.IX Item "tty_tickets"
-If set, users must authenticate on a per-tty basis. Normally,
-\&\fBsudo\fR uses a directory in the ticket dir with the same name as
-the user running it. With this flag enabled, \fBsudo\fR will use a
-file named for the tty the user is logged in on in that directory.
-This flag is \fIoff\fR by default.
+If set, users must authenticate on a per-tty basis. With this flag
+enabled, \fBsudo\fR will use a file named for the tty the user is
+logged in on in the user's time stamp directory. If disabled, the
+time stamp of the directory is used instead. This flag is
+\&\fIon\fR by default.
.IP "umask_override" 16
.IX Item "umask_override"
If set, \fBsudo\fR will set the umask as specified by \fIsudoers\fR without
behavior. If \fIumask_override\fR is not set, \fBsudo\fR will set the
umask to be the union of the user's umask and what is specified in
\&\fIsudoers\fR. This flag is \fIoff\fR by default.
-.\" .IP "use_loginclass" 16
-.\" .IX Item "use_loginclass"
-.\" If set, \fBsudo\fR will apply the defaults specified for the target user's
-.\" login class if one exists. Only available if \fBsudo\fR is configured with
-.\" the \-\-with\-logincap option. This flag is \fIoff\fR by default.
+.if \n(LC \{\
+.IP "use_loginclass" 16
+.IX Item "use_loginclass"
+If set, \fBsudo\fR will apply the defaults specified for the target user's
+login class if one exists. Only available if \fBsudo\fR is configured with
+the \-\-with\-logincap option. This flag is \fIoff\fR by default.
+\}
+.IP "use_pty" 16
+.IX Item "use_pty"
+If set, \fBsudo\fR will run the command in a pseudo-pty even if no I/O
+logging is being gone. A malicious program run under \fBsudo\fR could
+conceivably fork a background process that retains to the user's
+terminal device after the main program has finished executing. Use
+of this option will make that impossible. This flag is \fIoff\fR by default.
+.IP "utmp_runas" 16
+.IX Item "utmp_runas"
+If set, \fBsudo\fR will store the name of the runas user when updating
+the utmp (or utmpx) file. By default, \fBsudo\fR stores the name of
+the invoking user. This flag is \fIoff\fR by default.
.IP "visiblepw" 16
.IX Item "visiblepw"
By default, \fBsudo\fR will refuse to run if the user must enter a
\&\f(CW\*(C`80\*(C'\fR (use 0 or negate the option to disable word wrap).
.IP "passwd_timeout" 16
.IX Item "passwd_timeout"
-Number of minutes before the \fBsudo\fR password prompt times out.
-The default is \f(CW\*(C`5\*(C'\fR; set this to \f(CW0\fR for no password timeout.
+Number of minutes before the \fBsudo\fR password prompt times out, or
+\&\f(CW0\fR for no timeout. The timeout may include a fractional component
+if minute granularity is insufficient, for example \f(CW2.5\fR. The
+default is \f(CW\*(C`5\*(C'\fR.
.IP "timestamp_timeout" 16
.IX Item "timestamp_timeout"
Number of minutes that can elapse before \fBsudo\fR will ask for a
-passwd again. The default is \f(CW\*(C`5\*(C'\fR. Set this to \f(CW0\fR to always
-prompt for a password.
+passwd again. The timeout may include a fractional component if
+minute granularity is insufficient, for example \f(CW2.5\fR. The default
+is \f(CW\*(C`5\*(C'\fR. Set this to \f(CW0\fR to always prompt for a password.
If set to a value less than \f(CW0\fR the user's timestamp will never
expire. This can be used to allow users to create or delete their
own timestamps via \f(CW\*(C`sudo \-v\*(C'\fR and \f(CW\*(C`sudo \-k\*(C'\fR respectively.
.IX Item "umask"
Umask to use when running the command. Negate this option or set
it to 0777 to preserve the user's umask. The actual umask that is
-used will be the union of the user's umask and \f(CW\*(C`0022\*(C'\fR.
-This guarantees that \fBsudo\fR never lowers the umask when running a
-command. Note on systems that use \s-1PAM\s0, the default \s-1PAM\s0 configuration
-may specify its own umask which will override the value set in
-\&\fIsudoers\fR.
+used will be the union of the user's umask and the value of the
+\&\fIumask\fR option, which defaults to \f(CW\*(C`0022\*(C'\fR. This guarantees
+that \fBsudo\fR never lowers the umask when running a command. Note
+on systems that use \s-1PAM\s0, the default \s-1PAM\s0 configuration may specify
+its own umask which will override the value set in \fIsudoers\fR.
.PP
\&\fBStrings\fR:
.IP "badpass_message" 16
A colon (':') separated list of editors allowed to be used with
\&\fBvisudo\fR. \fBvisudo\fR will choose the editor that matches the user's
\&\s-1EDITOR\s0 environment variable if possible, or the first editor in the
-list that exists and is executable. The default is the path to vi
-on your system.
+list that exists and is executable. The default is \f(CW"/usr/bin/vi"\fR.
+.IP "iolog_dir" 16
+.IX Item "iolog_dir"
+The top-level directory to use when constructing the path name for
+the input/output log directory. Only used if the \fIlog_input\fR or
+\&\fIlog_output\fR options are enabled or when the \f(CW\*(C`LOG_INPUT\*(C'\fR or
+\&\f(CW\*(C`LOG_OUTPUT\*(C'\fR tags are present for a command. The session sequence
+number, if any, is stored in the directory.
+The default is \f(CW"/var/log/sudo-io"\fR.
+.Sp
+The following percent (`\f(CW\*(C`%\*(C'\fR') escape sequences are supported:
+.RS 16
+.ie n .IP "\*(C`%{seq}\*(C'" 4
+.el .IP "\f(CW\*(C`%{seq}\*(C'\fR" 4
+.IX Item "%{seq}"
+expanded to a monotonically increasing base\-36 sequence number, such as 0100A5,
+where every two digits are used to form a new directory, e.g. \fI01/00/A5\fR
+.ie n .IP "\*(C`%{user}\*(C'" 4
+.el .IP "\f(CW\*(C`%{user}\*(C'\fR" 4
+.IX Item "%{user}"
+expanded to the invoking user's login name
+.ie n .IP "\*(C`%{group}\*(C'" 4
+.el .IP "\f(CW\*(C`%{group}\*(C'\fR" 4
+.IX Item "%{group}"
+expanded to the name of the invoking user's real group \s-1ID\s0
+.ie n .IP "\*(C`%{runas_user}\*(C'" 4
+.el .IP "\f(CW\*(C`%{runas_user}\*(C'\fR" 4
+.IX Item "%{runas_user}"
+expanded to the login name of the user the command will
+be run as (e.g. root)
+.ie n .IP "\*(C`%{runas_group}\*(C'" 4
+.el .IP "\f(CW\*(C`%{runas_group}\*(C'\fR" 4
+.IX Item "%{runas_group}"
+expanded to the group name of the user the command will
+be run as (e.g. wheel)
+.ie n .IP "\*(C`%{hostname}\*(C'" 4
+.el .IP "\f(CW\*(C`%{hostname}\*(C'\fR" 4
+.IX Item "%{hostname}"
+expanded to the local host name without the domain name
+.ie n .IP "\*(C`%{command}\*(C'" 4
+.el .IP "\f(CW\*(C`%{command}\*(C'\fR" 4
+.IX Item "%{command}"
+expanded to the base name of the command being run
+.RE
+.RS 16
+.Sp
+In addition, any escape sequences supported by the system's \fIstrftime()\fR
+function will be expanded.
+.Sp
+To include a literal `\f(CW\*(C`%\*(C'\fR' character, the string `\f(CW\*(C`%%\*(C'\fR' should
+be used.
+.RE
+.IP "iolog_file" 16
+.IX Item "iolog_file"
+The path name, relative to \fIiolog_dir\fR, in which to store input/output
+logs when the \fIlog_input\fR or \fIlog_output\fR options are enabled or
+when the \f(CW\*(C`LOG_INPUT\*(C'\fR or \f(CW\*(C`LOG_OUTPUT\*(C'\fR tags are present for a command.
+Note that \fIiolog_file\fR may contain directory components.
+The default is \f(CW"%{seq}"\fR.
+.Sp
+See the \fIiolog_dir\fR option above for a list of supported percent
+(`\f(CW\*(C`%\*(C'\fR') escape sequences.
+.Sp
+In addition to the escape sequences, path names that end in six or
+more \f(CW\*(C`X\*(C'\fRs will have the \f(CW\*(C`X\*(C'\fRs replaced with a unique combination
+of digits and letters, similar to the \fImktemp()\fR function.
.IP "mailsub" 16
.IX Item "mailsub"
Subject of the mail sent to the \fImailto\fR user. The escape \f(CW%h\fR
-will expand to the hostname of the machine.
+will expand to the host name of the machine.
Default is \f(CW\*(C`*** SECURITY information for %h ***\*(C'\fR.
.IP "noexec_file" 16
.IX Item "noexec_file"
-Path to a shared library containing dummy versions of the \fIexecv()\fR,
-\&\fIexecve()\fR and \fIfexecve()\fR library functions that just return an error.
-This is used to implement the \fInoexec\fR functionality on systems that
-support \f(CW\*(C`LD_PRELOAD\*(C'\fR or its equivalent. Defaults to \fI/usr/local/libexec/sudo_noexec.so\fR.
+This option is no longer supported. The path to the noexec file
+should now be set in the \fI/etc/sudo.conf\fR file.
.IP "passprompt" 16
.IX Item "passprompt"
The default prompt to use when asking for a password; can be overridden
via the \fB\-p\fR option or the \f(CW\*(C`SUDO_PROMPT\*(C'\fR environment variable.
-The following percent (`\f(CW\*(C`%\*(C'\fR') escapes are supported:
+The following percent (`\f(CW\*(C`%\*(C'\fR') escape sequences are supported:
.RS 16
.ie n .IP "%H" 4
.el .IP "\f(CW%H\fR" 4
.IX Item "%H"
-expanded to the local hostname including the domain name
-(on if the machine's hostname is fully qualified or the \fIfqdn\fR
+expanded to the local host name including the domain name
+(only if the machine's host name is fully qualified or the \fIfqdn\fR
option is set)
.ie n .IP "%h" 4
.el .IP "\f(CW%h\fR" 4
.IX Item "%h"
-expanded to the local hostname without the domain name
+expanded to the local host name without the domain name
.ie n .IP "%p" 4
.el .IP "\f(CW%p\fR" 4
.IX Item "%p"
.Sp
The default value is \f(CW\*(C`Password:\*(C'\fR.
.RE
-.\" .IP "role" 16
-.\" .IX Item "role"
-.\" The default SELinux role to use when constructing a new security
-.\" context to run the command. The default role may be overridden on
-.\" a per-command basis in \fIsudoers\fR or via command line options.
-.\" This option is only available whe \fBsudo\fR is built with SELinux support.
+.if \n(SL \{\
+.IP "role" 16
+.IX Item "role"
+The default SELinux role to use when constructing a new security
+context to run the command. The default role may be overridden on
+a per-command basis in \fIsudoers\fR or via command line options.
+This option is only available whe \fBsudo\fR is built with SELinux support.
+\}
.IP "runas_default" 16
.IX Item "runas_default"
The default user to run commands as if the \fB\-u\fR option is not specified
on the command line. This defaults to \f(CW\*(C`root\*(C'\fR.
-Note that if \fIrunas_default\fR is set it \fBmust\fR occur before
-any \f(CW\*(C`Runas_Alias\*(C'\fR specifications.
.IP "syslog_badpri" 16
.IX Item "syslog_badpri"
Syslog priority to use when user authenticates unsuccessfully.
Defaults to \f(CW\*(C`alert\*(C'\fR.
+.Sp
+The following syslog priorities are supported: \fBalert\fR, \fBcrit\fR,
+\&\fBdebug\fR, \fBemerg\fR, \fBerr\fR, \fBinfo\fR, \fBnotice\fR, and \fBwarning\fR.
.IP "syslog_goodpri" 16
.IX Item "syslog_goodpri"
Syslog priority to use when user authenticates successfully.
Defaults to \f(CW\*(C`notice\*(C'\fR.
+.Sp
+See syslog_badpri for the list of supported syslog priorities.
.IP "sudoers_locale" 16
.IX Item "sudoers_locale"
-Locale to use when parsing the sudoers file. Note that changing
-the locale may affect how sudoers is interpreted.
-Defaults to \f(CW"C"\fR.
+Locale to use when parsing the sudoers file, logging commands, and
+sending email. Note that changing the locale may affect how sudoers
+is interpreted. Defaults to \f(CW"C"\fR.
.IP "timestampdir" 16
.IX Item "timestampdir"
The directory in which \fBsudo\fR stores its timestamp files.
-The default is \fI/var/run/sudo\fR.
+The default is \fI/var/lib/sudo\fR.
.IP "timestampowner" 16
.IX Item "timestampowner"
The owner of the timestamp directory and the timestamps stored therein.
The default is \f(CW\*(C`root\*(C'\fR.
-.\" .IP "type" 16
-.\" .IX Item "type"
-.\" The default SELinux type to use when constructing a new security
-.\" context to run the command. The default type may be overridden on
-.\" a per-command basis in \fIsudoers\fR or via command line options.
-.\" This option is only available whe \fBsudo\fR is built with SELinux support.
+.if \n(SL \{\
+.IP "type" 16
+.IX Item "type"
+The default SELinux type to use when constructing a new security
+context to run the command. The default type may be overridden on
+a per-command basis in \fIsudoers\fR or via command line options.
+This option is only available whe \fBsudo\fR is built with SELinux support.
+\}
.PP
\&\fBStrings that can be used in a boolean context\fR:
-.IP "askpass" 12
-.IX Item "askpass"
-The \fIaskpass\fR option specifies the fully qualified path to a helper
-program used to read the user's password when no terminal is
-available. This may be the case when \fBsudo\fR is executed from a
-graphical (as opposed to text-based) application. The program
-specified by \fIaskpass\fR should display the argument passed to it
-as the prompt and write the user's password to the standard output.
-The value of \fIaskpass\fR may be overridden by the \f(CW\*(C`SUDO_ASKPASS\*(C'\fR
-environment variable.
.IP "env_file" 12
.IX Item "env_file"
-The \fIenv_file\fR options specifies the fully qualified path to a
+The \fIenv_file\fR option specifies the fully qualified path to a
file containing variables to be set in the environment of the program
being run. Entries in this file should either be of the form
\&\f(CW\*(C`VARIABLE=value\*(C'\fR or \f(CW\*(C`export VARIABLE=value\*(C'\fR. The value may
.IP "exempt_group" 12
.IX Item "exempt_group"
Users in this group are exempt from password and \s-1PATH\s0 requirements.
+The group name specified should not include a \f(CW\*(C`%\*(C'\fR prefix.
This is not set by default.
+.IP "group_plugin" 12
+.IX Item "group_plugin"
+A string containing a \fIsudoers\fR group plugin with optional arguments.
+This can be used to implement support for the \f(CW\*(C`nonunix_group\*(C'\fR
+syntax described earlier. The string should consist of the plugin
+path, either fully-qualified or relative to the \fI/usr/local/libexec\fR
+directory, followed by any configuration arguments the plugin
+requires. These arguments (if any) will be passed to the plugin's
+initialization function. If arguments are present, the string must
+be enclosed in double quotes (\f(CW\*(C`"\*(C'\fR).
+.Sp
+For example, given \fI/etc/sudo\-group\fR, a group file in Unix group
+format, the sample group plugin can be used:
+.Sp
+.Vb 1
+\& Defaults group_plugin="sample_group.so /etc/sudo\-group"
+.Ve
+.Sp
+For more information see \fIsudo_plugin\fR\|(5).
.IP "lecture" 12
.IX Item "lecture"
This option controls when a short lecture will be printed along with
want to use this. Another use is if you want to have the \*(L"root path\*(R"
be separate from the \*(L"user path.\*(R" Users in the group specified by the
\&\fIexempt_group\fR option are not affected by \fIsecure_path\fR.
-This is not set by default.
+This option is not set by default.
.IP "syslog" 12
.IX Item "syslog"
Syslog facility if syslog is being used for logging (negate to
-disable syslog logging). Defaults to \f(CW\*(C`local2\*(C'\fR.
+disable syslog logging). Defaults to \f(CW\*(C`authpriv\*(C'\fR.
+.Sp
+The following syslog facilities are supported: \fBauthpriv\fR (if your
+\&\s-1OS\s0 supports it), \fBauth\fR, \fBdaemon\fR, \fBuser\fR, \fBlocal0\fR, \fBlocal1\fR,
+\&\fBlocal2\fR, \fBlocal3\fR, \fBlocal4\fR, \fBlocal5\fR, \fBlocal6\fR, and \fBlocal7\fR.
.IP "verifypw" 12
.IX Item "verifypw"
This option controls when a password will be required when a user runs
to, deleted from, or disabled by using the \f(CW\*(C`=\*(C'\fR, \f(CW\*(C`+=\*(C'\fR, \f(CW\*(C`\-=\*(C'\fR, and
\&\f(CW\*(C`!\*(C'\fR operators respectively. The default list of variables to keep
is displayed when \fBsudo\fR is run by root with the \fI\-V\fR option.
-.PP
-When logging via \fIsyslog\fR\|(3), \fBsudo\fR accepts the following values
-for the syslog facility (the value of the \fBsyslog\fR Parameter):
-\&\fBauthpriv\fR (if your \s-1OS\s0 supports it), \fBauth\fR, \fBdaemon\fR, \fBuser\fR,
-\&\fBlocal0\fR, \fBlocal1\fR, \fBlocal2\fR, \fBlocal3\fR, \fBlocal4\fR, \fBlocal5\fR,
-\&\fBlocal6\fR, and \fBlocal7\fR. The following syslog priorities are
-supported: \fBalert\fR, \fBcrit\fR, \fBdebug\fR, \fBemerg\fR, \fBerr\fR, \fBinfo\fR,
-\&\fBnotice\fR, and \fBwarning\fR.
.SH "FILES"
.IX Header "FILES"
.ie n .IP "\fI/etc/sudoers\fR" 24
.IP "\fI/etc/netgroup\fR" 24
.IX Item "/etc/netgroup"
List of network groups
+.ie n .IP "\fI/var/log/sudo-io\fR" 24
+.el .IP "\fI/var/log/sudo-io\fR" 24
+.IX Item "/var/log/sudo-io"
+I/O log files
+.ie n .IP "\fI/var/lib/sudo\fR" 24
+.el .IP "\fI/var/lib/sudo\fR" 24
+.IX Item "/var/lib/sudo"
+Directory containing time stamps for the \fIsudoers\fR security policy
+.IP "\fI/etc/environment\fR" 24
+.IX Item "/etc/environment"
+Initial environment for \fB\-i\fR mode on Linux and \s-1AIX\s0
.SH "EXAMPLES"
.IX Header "EXAMPLES"
Below are example \fIsudoers\fR entries. Admittedly, some of
-these are a bit contrived. First, we define our \fIaliases\fR:
+these are a bit contrived. First, we allow a few environment
+variables to pass and then define our \fIaliases\fR:
.PP
.Vb 4
+\& # Run X applications through sudo; HOME is used to find the
+\& # .Xauthority file. Note that other programs use HOME to find
+\& # configuration files and this may lead to privilege escalation!
+\& Defaults env_keep += "DISPLAY HOME"
+\&
\& # User alias specification
\& User_Alias FULLTIMERS = millert, mikef, dowdy
\& User_Alias PARTTIMERS = bostley, jwfox, crawl
.PP
The user \fBpete\fR is allowed to change anyone's password except for
root on the \fI\s-1HPPA\s0\fR machines. Note that this assumes \fIpasswd\fR\|(1)
-does not take multiple usernames on the command line.
+does not take multiple user names on the command line.
.PP
.Vb 1
\& bob SPARC = (OP) ALL : SGI = (OP) ALL
different name, or use a shell escape from an editor or other
program. Therefore, these kind of restrictions should be considered
advisory at best (and reinforced by policy).
+.PP
+Furthermore, if the \fIfast_glob\fR option is in use, it is not possible
+to reliably negate commands where the path name includes globbing
+(aka wildcard) characters. This is because the C library's
+\&\fIfnmatch\fR\|(3) function cannot resolve relative paths. While this
+is typically only an inconvenience for rules that grant privileges,
+it can result in a security issue for rules that subtract or revoke
+privileges.
+.PP
+For example, given the following \fIsudoers\fR entry:
+.PP
+.Vb 2
+\& john ALL = /usr/bin/passwd [a\-zA\-Z0\-9]*, /usr/bin/chsh [a\-zA\-Z0\-9]*,
+\& /usr/bin/chfn [a\-zA\-Z0\-9]*, !/usr/bin/* root
+.Ve
+.PP
+User \fBjohn\fR can still run \f(CW\*(C`/usr/bin/passwd root\*(C'\fR if \fIfast_glob\fR is
+enabled by changing to \fI/usr/bin\fR and running \f(CW\*(C`./passwd root\*(C'\fR instead.
.SH "PREVENTING SHELL ESCAPES"
.IX Header "PREVENTING SHELL ESCAPES"
Once \fBsudo\fR executes a program, that program is free to do whatever
escapes are disabled, though \fBsudoedit\fR is a better solution to
running editors via \fBsudo\fR. Due to the large number of programs that
offer shell escapes, restricting users to the set of programs that
-do not if often unworkable.
+do not is often unworkable.
.IP "noexec" 10
.IX Item "noexec"
Many systems that support shared libraries have the ability to
executables. Statically-linked executables and foreign executables
running under binary emulation are not affected.
.Sp
-To tell whether or not \fBsudo\fR supports \fInoexec\fR, you can run
-the following as root:
-.Sp
-.Vb 1
-\& sudo \-V | grep "dummy exec"
-.Ve
-.Sp
-If the resulting output contains a line that begins with:
-.Sp
-.Vb 1
-\& File containing dummy exec functions:
-.Ve
-.Sp
-then \fBsudo\fR may be able to replace the exec family of functions
-in the standard library with its own that simply return an error.
-Unfortunately, there is no foolproof way to know whether or not
-\&\fInoexec\fR will work at compile-time. \fInoexec\fR should work on
-SunOS, Solaris, *BSD, Linux, \s-1IRIX\s0, Tru64 \s-1UNIX\s0, MacOS X, and HP-UX
-11.x. It is known \fBnot\fR to work on \s-1AIX\s0 and UnixWare. \fInoexec\fR
-is expected to work on most operating systems that support the
+The \fInoexec\fR feature is known to work on SunOS, Solaris, *BSD,
+Linux, \s-1IRIX\s0, Tru64 \s-1UNIX\s0, MacOS X, HP-UX 11.x and \s-1AIX\s0 5.3 and above.
+It should be supported on most operating systems that support the
\&\f(CW\*(C`LD_PRELOAD\*(C'\fR environment variable. Check your operating system's
manual pages for the dynamic linker (usually ld.so, ld.so.1, dyld,
dld.sl, rld, or loader) to see if \f(CW\*(C`LD_PRELOAD\*(C'\fR is supported.
.Sp
+On Solaris 10 and higher, \fInoexec\fR uses Solaris privileges instead
+of the \f(CW\*(C`LD_PRELOAD\*(C'\fR environment variable.
+.Sp
To enable \fInoexec\fR for a command, use the \f(CW\*(C`NOEXEC\*(C'\fR tag as documented
in the User Specification section above. Here is that example again:
.Sp
with \fInoexec\fR enabled. This will prevent those two commands from
executing other commands (such as a shell). If you are unsure
whether or not your system is capable of supporting \fInoexec\fR you
-can always just try it out and see if it works.
+can always just try it out and check whether shell escapes work
+when \fInoexec\fR is enabled.
.PP
Note that restricting shell escapes is not a panacea. Programs
running as root are still capable of many potentially hazardous
to unintended privilege escalation. In the specific case of an
editor, a safer approach is to give the user permission to run
\&\fBsudoedit\fR.
+.SH "DEBUG FLAGS"
+.IX Header "DEBUG FLAGS"
+Versions 1.8.4 and higher of the \fIsudoers\fR plugin supports a
+debugging framework that can help track down what the plugin is
+doing internally if there is a problem. This can be configured in
+the \fI/etc/sudo.conf\fR file as described in \fIsudo\fR\|(8).
+.PP
+The \fIsudoers\fR plugin uses the same debug flag format as \fBsudo\fR
+itself: \fIsubsystem\fR@\fIpriority\fR.
+.PP
+The priorities used by \fIsudoers\fR, in order of decreasing severity,
+are: \fIcrit\fR, \fIerr\fR, \fIwarn\fR, \fInotice\fR, \fIdiag\fR, \fIinfo\fR, \fItrace\fR
+and \fIdebug\fR. Each priority, when specified, also includes all
+priorities higher than it. For example, a priority of \fInotice\fR
+would include debug messages logged at \fInotice\fR and higher.
+.PP
+The following subsystems are used by \fIsudoers\fR:
+.IP "\fIalias\fR" 10
+.IX Item "alias"
+\&\f(CW\*(C`User_Alias\*(C'\fR, \f(CW\*(C`Runas_Alias\*(C'\fR, \f(CW\*(C`Host_Alias\*(C'\fR and \f(CW\*(C`Cmnd_Alias\*(C'\fR processing
+.IP "\fIall\fR" 10
+.IX Item "all"
+matches every subsystem
+.IP "\fIaudit\fR" 10
+.IX Item "audit"
+\&\s-1BSM\s0 and Linux audit code
+.IP "\fIauth\fR" 10
+.IX Item "auth"
+user authentication
+.IP "\fIdefaults\fR" 10
+.IX Item "defaults"
+\&\fIsudoers\fR \fIDefaults\fR settings
+.IP "\fIenv\fR" 10
+.IX Item "env"
+environment handling
+.IP "\fIldap\fR" 10
+.IX Item "ldap"
+LDAP-based sudoers
+.IP "\fIlogging\fR" 10
+.IX Item "logging"
+logging support
+.IP "\fImatch\fR" 10
+.IX Item "match"
+matching of users, groups, hosts and netgroups in \fIsudoers\fR
+.IP "\fInetif\fR" 10
+.IX Item "netif"
+network interface handling
+.IP "\fInss\fR" 10
+.IX Item "nss"
+network service switch handling in \fIsudoers\fR
+.IP "\fIparser\fR" 10
+.IX Item "parser"
+\&\fIsudoers\fR file parsing
+.IP "\fIperms\fR" 10
+.IX Item "perms"
+permission setting
+.IP "\fIplugin\fR" 10
+.IX Item "plugin"
+The equivalent of \fImain\fR for the plugin.
+.IP "\fIpty\fR" 10
+.IX Item "pty"
+pseudo-tty related code
+.IP "\fIrbtree\fR" 10
+.IX Item "rbtree"
+redblack tree internals
+.IP "\fIutil\fR" 10
+.IX Item "util"
+utility functions
+.SH "SECURITY NOTES"
+.IX Header "SECURITY NOTES"
+\&\fIsudoers\fR will check the ownership of its time stamp directory
+(\fI/var/lib/sudo\fR by default) and ignore the directory's contents if
+it is not owned by root or if it is writable by a user other than
+root. On systems that allow non-root users to give away files via
+\&\fIchown\fR\|(2), if the time stamp directory is located in a world-writable
+directory (e.g., \fI/tmp\fR), it is possible for a user to create the
+time stamp directory before \fBsudo\fR is run. However, because
+\&\fIsudoers\fR checks the ownership and mode of the directory and its
+contents, the only damage that can be done is to \*(L"hide\*(R" files by
+putting them in the time stamp dir. This is unlikely to happen
+since once the time stamp dir is owned by root and inaccessible by
+any other user, the user placing files there would be unable to get
+them back out.
+.PP
+\&\fIsudoers\fR will not honor time stamps set far in the future. Time
+stamps with a date greater than current_time + 2 * \f(CW\*(C`TIMEOUT\*(C'\fR will
+be ignored and sudo will log and complain. This is done to keep a
+user from creating his/her own time stamp with a bogus date on
+systems that allow users to give away files if the time stamp directory
+is located in a world-writable directory.
+.PP
+On systems where the boot time is available, \fIsudoers\fR will ignore
+time stamps that date from before the machine booted.
+.PP
+Since time stamp files live in the file system, they can outlive a
+user's login session. As a result, a user may be able to login,
+run a command with \fBsudo\fR after authenticating, logout, login
+again, and run \fBsudo\fR without authenticating so long as the time
+stamp file's modification time is within \f(CW\*(C`5\*(C'\fR minutes (or
+whatever the timeout is set to in \fIsudoers\fR). When the \fItty_tickets\fR
+option is enabled, the time stamp has per-tty granularity but still
+may outlive the user's session. On Linux systems where the devpts
+filesystem is used, Solaris systems with the devices filesystem,
+as well as other systems that utilize a devfs filesystem that
+monotonically increase the inode number of devices as they are
+created (such as Mac \s-1OS\s0 X), \fIsudoers\fR is able to determine when a
+tty-based time stamp file is stale and will ignore it. Administrators
+should not rely on this feature as it is not universally available.
+.PP
+If users have sudo \f(CW\*(C`ALL\*(C'\fR there is nothing to prevent them from
+creating their own program that gives them a root shell (or making
+their own copy of a shell) regardless of any '!' elements in the
+user specification.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
-\&\fIrsh\fR\|(1), \fIsu\fR\|(1), \fIfnmatch\fR\|(3), \fIglob\fR\|(3), \fIsudo\fR\|(8), \fIvisudo\fR\|(8)
+\&\fIrsh\fR\|(1), \fIsu\fR\|(1), \fIfnmatch\fR\|(3), \fIglob\fR\|(3), \fImktemp\fR\|(3), \fIstrftime\fR\|(3),
+\&\fIsudoers.ldap\fR\|(5), \fIsudo_plugin\fR\|(8), \fIsudo\fR\|(8), \fIvisudo\fR\|(8)
.SH "CAVEATS"
.IX Header "CAVEATS"
The \fIsudoers\fR file should \fBalways\fR be edited by the \fBvisudo\fR
will not run with a syntactically incorrect \fIsudoers\fR file.
.PP
When using netgroups of machines (as opposed to users), if you
-store fully qualified hostnames in the netgroup (as is usually the
-case), you either need to have the machine's hostname be fully qualified
+store fully qualified host name in the netgroup (as is usually the
+case), you either need to have the machine's host name be fully qualified
as returned by the \f(CW\*(C`hostname\*(C'\fR command or use the \fIfqdn\fR option in
\&\fIsudoers\fR.
.SH "BUGS"
-.\" Copyright (c) 2003-2009
+.\" Copyright (c) 2003-2011
.\" Todd C. Miller <Todd.Miller@courtesan.com>
.\"
.\" Permission to use, copy, modify, and distribute this software for any
.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
.\" ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
.\"
-.\" $Sudo: sudoers.ldap.man.in,v 1.13 2009/06/11 20:29:12 millert Exp $
-.\" Automatically generated by Pod::Man 2.16 (Pod::Simple 3.05)
+.\" Automatically generated by Pod::Man 2.23 (Pod::Simple 3.14)
.\"
.\" Standard preamble:
.\" ========================================================================
-.de Sh \" Subsection heading
-.br
-.if t .Sp
-.ne 5
-.PP
-\fB\\$1\fR
-.PP
-..
.de Sp \" Vertical space (when we can't use .PP)
.if t .sp .5v
.if n .sp
.el .ds Aq '
.\"
.\" If the F register is turned on, we'll generate index entries on stderr for
-.\" titles (.TH), headers (.SH), subsections (.Sh), items (.Ip), and index
+.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
.\" entries marked with X<> in POD. Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
.ie \nF \{\
.\" ========================================================================
.\"
.IX Title "SUDOERS.LDAP 5"
-.TH SUDOERS.LDAP 5 "June 11, 2009" "1.7.2p1" "MAINTENANCE COMMANDS"
+.TH SUDOERS.LDAP 5 "January 6, 2012" "1.8.4" "MAINTENANCE COMMANDS"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
In addition to the standard \fIsudoers\fR file, \fBsudo\fR may be configured
-via \s-1LAP\s0. This can be especially useful for synchronizing \fIsudoers\fR
+via \s-1LDAP\s0. This can be especially useful for synchronizing \fIsudoers\fR
in a large, distributed environment.
.PP
Using \s-1LDAP\s0 for \fIsudoers\fR has several benefits:
.PP
For the most part, there is really no need for \fBsudo\fR\-specific
Aliases. Unix groups or user netgroups can be used in place of
-User_Aliases and RunasAliases. Host netgroups can be used in place
-of HostAliases. Since Unix groups and netgroups can also be stored
+User_Aliases and Runas_Aliases. Host netgroups can be used in place
+of Host_Aliases. Since Unix groups and netgroups can also be stored
in \s-1LDAP\s0 there is no real need for \fBsudo\fR\-specific aliases.
.PP
Cmnd_Aliases are not really required either since it is possible
-to have multiple users listed in a sudoRole. Instead of defining
+to have multiple users listed in a \f(CW\*(C`sudoRole\*(C'\fR. Instead of defining
a Cmnd_Alias that is referenced by multiple users, one can create
-a sudoRole that contains the commands and assign multiple users
+a \f(CW\*(C`sudoRole\*(C'\fR that contains the commands and assign multiple users
to it.
-.Sh "SUDOers \s-1LDAP\s0 container"
+.SS "SUDOers \s-1LDAP\s0 container"
.IX Subsection "SUDOers LDAP container"
The \fIsudoers\fR configuration is contained in the \f(CW\*(C`ou=SUDOers\*(C'\fR \s-1LDAP\s0
container.
.Ve
.PP
The equivalent of a sudoer in \s-1LDAP\s0 is a \f(CW\*(C`sudoRole\*(C'\fR. It consists of
-the following components:
+the following attributes:
.IP "\fBsudoUser\fR" 4
.IX Item "sudoUser"
-A user name, uid (prefixed with \f(CW\*(Aq#\*(Aq\fR), Unix group (prefixed with
-a \f(CW\*(Aq%\*(Aq\fR) or user netgroup (prefixed with a \f(CW\*(Aq+\*(Aq\fR).
+A user name, user \s-1ID\s0 (prefixed with \f(CW\*(Aq#\*(Aq\fR), Unix group (prefixed with
+\&\f(CW\*(Aq%\*(Aq\fR), Unix group \s-1ID\s0 (prefixed with \f(CW\*(Aq%#\*(Aq\fR), or user netgroup
+(prefixed with \f(CW\*(Aq+\*(Aq\fR).
.IP "\fBsudoHost\fR" 4
.IX Item "sudoHost"
A host name, \s-1IP\s0 address, \s-1IP\s0 network, or host netgroup (prefixed
with a \f(CW\*(Aq+\*(Aq\fR) that contains a list of users that commands may be
run as.
The special value \f(CW\*(C`ALL\*(C'\fR will match any user.
+.Sp
+The \f(CW\*(C`sudoRunAsUser\*(C'\fR attribute is only available in \fBsudo\fR versions
+1.7.0 and higher. Older versions of \fBsudo\fR use the \f(CW\*(C`sudoRunAs\*(C'\fR
+attribute instead.
.IP "\fBsudoRunAsGroup\fR" 4
.IX Item "sudoRunAsGroup"
A Unix group or gid (prefixed with \f(CW\*(Aq#\*(Aq\fR) that commands may be run as.
The special value \f(CW\*(C`ALL\*(C'\fR will match any group.
+.Sp
+The \f(CW\*(C`sudoRunAsGroup\*(C'\fR attribute is only available in \fBsudo\fR versions
+1.7.0 and higher.
+.IP "\fBsudoNotBefore\fR" 4
+.IX Item "sudoNotBefore"
+A timestamp in the form \f(CW\*(C`yyyymmddHHMMSSZ\*(C'\fR that can be used to provide
+a start date/time for when the \f(CW\*(C`sudoRole\*(C'\fR will be valid. If
+multiple \f(CW\*(C`sudoNotBefore\*(C'\fR entries are present, the earliest is used.
+Note that timestamps must be in Coordinated Universal Time (\s-1UTC\s0),
+not the local timezone. The minute and seconds portions are optional,
+but some \s-1LDAP\s0 servers require that they be present (contrary to the \s-1RFC\s0).
+.Sp
+The \f(CW\*(C`sudoNotBefore\*(C'\fR attribute is only available in \fBsudo\fR versions
+1.7.5 and higher and must be explicitly enabled via the \fB\s-1SUDOERS_TIMED\s0\fR
+option in \fI/etc/ldap.conf\fR.
+.IP "\fBsudoNotAfter\fR" 4
+.IX Item "sudoNotAfter"
+A timestamp in the form \f(CW\*(C`yyyymmddHHMMSSZ\*(C'\fR that indicates an expiration
+date/time, after which the \f(CW\*(C`sudoRole\*(C'\fR will no longer be valid. If
+multiple \f(CW\*(C`sudoNotBefore\*(C'\fR entries are present, the last one is used.
+Note that timestamps must be in Coordinated Universal Time (\s-1UTC\s0),
+not the local timezone. The minute and seconds portions are optional,
+but some \s-1LDAP\s0 servers require that they be present (contrary to the \s-1RFC\s0).
+.Sp
+The \f(CW\*(C`sudoNotAfter\*(C'\fR attribute is only available in \fBsudo\fR versions
+1.7.5 and higher and must be explicitly enabled via the \fB\s-1SUDOERS_TIMED\s0\fR
+option in \fI/etc/ldap.conf\fR.
+.IP "\fBsudoOrder\fR" 4
+.IX Item "sudoOrder"
+The \f(CW\*(C`sudoRole\*(C'\fR entries retrieved from the \s-1LDAP\s0 directory have no
+inherent order. The \f(CW\*(C`sudoOrder\*(C'\fR attribute is an integer (or
+floating point value for \s-1LDAP\s0 servers that support it) that is used
+to sort the matching entries. This allows LDAP-based sudoers entries
+to more closely mimic the behaviour of the sudoers file, where the
+of the entries influences the result. If multiple entries match,
+the entry with the highest \f(CW\*(C`sudoOrder\*(C'\fR attribute is chosen. This
+corresponds to the \*(L"last match\*(R" behavior of the sudoers file. If
+the \f(CW\*(C`sudoOrder\*(C'\fR attribute is not present, a value of 0 is assumed.
+.Sp
+The \f(CW\*(C`sudoOrder\*(C'\fR attribute is only available in \fBsudo\fR versions
+1.7.5 and higher.
.PP
-Each component listed above should contain a single value, but there
-may be multiple instances of each component type. A sudoRole must
+Each attribute listed above should contain a single value, but there
+may be multiple instances of each attribute type. A \f(CW\*(C`sudoRole\*(C'\fR must
contain at least one \f(CW\*(C`sudoUser\*(C'\fR, \f(CW\*(C`sudoHost\*(C'\fR and \f(CW\*(C`sudoCommand\*(C'\fR.
.PP
The following example allows users in group wheel to run any command
\& sudoHost: ALL
\& sudoCommand: ALL
.Ve
-.Sh "Anatomy of \s-1LDAP\s0 sudoers lookup"
+.SS "Anatomy of \s-1LDAP\s0 sudoers lookup"
.IX Subsection "Anatomy of LDAP sudoers lookup"
When looking up a sudoer using \s-1LDAP\s0 there are only two or three
\&\s-1LDAP\s0 queries per invocation. The first query is to parse the global
in this query too.) If no match is returned for the user's name
and groups, a third query returns all entries containing user
netgroups and checks to see if the user belongs to any of them.
-.Sh "Differences between \s-1LDAP\s0 and non-LDAP sudoers"
+.PP
+If timed entries are enabled with the \fB\s-1SUDOERS_TIMED\s0\fR configuration
+directive, the \s-1LDAP\s0 queries include a subfilter that limits retrieval
+to entries that satisfy the time constraints, if any.
+.SS "Differences between \s-1LDAP\s0 and non-LDAP sudoers"
.IX Subsection "Differences between LDAP and non-LDAP sudoers"
There are some subtle differences in the way sudoers is handled
once in \s-1LDAP\s0. Probably the biggest is that according to the \s-1RFC\s0,
\&\s-1LDAP\s0 ordering is arbitrary and you cannot expect that Attributes
-and Entries are returned in any specific order. If there are
-conflicting command rules on an entry, the negative takes precedence.
+and Entries are returned in any specific order.
+.PP
+The order in which different entries are applied can be controlled
+using the \f(CW\*(C`sudoOrder\*(C'\fR attribute, but there is no way to guarantee
+the order of attributes within a specific entry. If there are
+conflicting command rules in an entry, the negative takes precedence.
This is called paranoid behavior (not necessarily the most specific
match).
.PP
.Ve
.PP
Another difference is that negations on the Host, User or Runas are
-currently ignorred. For example, the following attributes do not
+currently ignored. For example, the following attributes do not
behave the way one might expect.
.PP
.Vb 3
\& sudoHost: ALL
\& sudoHost: !web01
.Ve
-.Sh "Sudoers Schema"
+.SS "Sudoers Schema"
.IX Subsection "Sudoers Schema"
In order to use \fBsudo\fR's \s-1LDAP\s0 support, the \fBsudo\fR schema must be
installed on your \s-1LDAP\s0 server. In addition, be sure to index the
.PP
The schema for \fBsudo\fR in OpenLDAP form is included in the \s-1EXAMPLES\s0
section.
-.Sh "Configuring ldap.conf"
+.SS "Configuring ldap.conf"
.IX Subsection "Configuring ldap.conf"
Sudo reads the \fI/etc/ldap.conf\fR file for LDAP-specific configuration.
Typically, this file is shared amongst different LDAP-aware clients.
values specified in \fI/etc/openldap/ldap.conf\fR or the user's
\&\fI.ldaprc\fR files are not used.
.PP
-Only those options explicitly listed in \fI/etc/ldap.conf\fR that are
+Only those options explicitly listed in \fI/etc/ldap.conf\fR as being
supported by \fBsudo\fR are honored. Configuration options are listed
below in upper case but are parsed in a case-independent manner.
.IP "\fB\s-1URI\s0\fR ldap[s]://[hostname[:port]] ..." 4
.IX Item "URI ldap[s]://[hostname[:port]] ..."
Specifies a whitespace-delimited list of one or more URIs describing
-the \s-1LDAP\s0 server(s) to connect to. The \fIprotocol\fR may be either \fBldap\fR
-or \fBldaps\fR, the latter being for servers that support \s-1TLS\s0 (\s-1SSL\s0)
-encryption. If no \fIport\fR is specified, the default is port 389 for
-\&\f(CW\*(C`ldap://\*(C'\fR or port 636 for \f(CW\*(C`ldaps://\*(C'\fR. If no \fIhostname\fR is specified,
-\&\fBsudo\fR will connect to \fBlocalhost\fR. Only systems using the OpenSSL
-libraries support the mixing of \f(CW\*(C`ldap://\*(C'\fR and \f(CW\*(C`ldaps://\*(C'\fR URIs.
-The Netscape-derived libraries used on most commercial versions of
-Unix are only capable of supporting one or the other.
+the \s-1LDAP\s0 server(s) to connect to. The \fIprotocol\fR may be either
+\&\fBldap\fR or \fBldaps\fR, the latter being for servers that support \s-1TLS\s0
+(\s-1SSL\s0) encryption. If no \fIport\fR is specified, the default is port
+389 for \f(CW\*(C`ldap://\*(C'\fR or port 636 for \f(CW\*(C`ldaps://\*(C'\fR. If no \fIhostname\fR
+is specified, \fBsudo\fR will connect to \fBlocalhost\fR. Multiple \fB\s-1URI\s0\fR
+lines are treated identically to a \fB\s-1URI\s0\fR line containing multiple
+entries. Only systems using the OpenSSL libraries support the
+mixing of \f(CW\*(C`ldap://\*(C'\fR and \f(CW\*(C`ldaps://\*(C'\fR URIs. The Netscape-derived
+libraries used on most commercial versions of Unix are only capable
+of supporting one or the other.
.IP "\fB\s-1HOST\s0\fR name[:port] ..." 4
.IX Item "HOST name[:port] ..."
If no \fB\s-1URI\s0\fR is specified, the \fB\s-1HOST\s0\fR parameter specifies a
to wait while trying to connect to an \s-1LDAP\s0 server. If multiple \fB\s-1URI\s0\fRs or
\&\fB\s-1HOST\s0\fRs are specified, this is the amount of time to wait before trying
the next one in the list.
+.IP "\fB\s-1NETWORK_TIMEOUT\s0\fR seconds" 4
+.IX Item "NETWORK_TIMEOUT seconds"
+An alias for \fB\s-1BIND_TIMELIMIT\s0\fR for OpenLDAP compatibility.
.IP "\fB\s-1TIMELIMIT\s0\fR seconds" 4
.IX Item "TIMELIMIT seconds"
The \fB\s-1TIMELIMIT\s0\fR parameter specifies the amount of time, in seconds,
to wait for a response to an \s-1LDAP\s0 query.
+.IP "\fB\s-1TIMEOUT\s0\fR seconds" 4
+.IX Item "TIMEOUT seconds"
+The \fB\s-1TIMEOUT\s0\fR parameter specifies the amount of time, in seconds,
+to wait for a response from the various \s-1LDAP\s0 APIs.
.IP "\fB\s-1SUDOERS_BASE\s0\fR base" 4
.IX Item "SUDOERS_BASE base"
The base \s-1DN\s0 to use when performing \fBsudo\fR \s-1LDAP\s0 queries. Typically
this is of the form \f(CW\*(C`ou=SUDOers,dc=example,dc=com\*(C'\fR for the domain
-\&\f(CW\*(C`example.com\*(C'\fR.
+\&\f(CW\*(C`example.com\*(C'\fR. Multiple \fB\s-1SUDOERS_BASE\s0\fR lines may be specified,
+in which case they are queried in the order specified.
+.IP "\fB\s-1SUDOERS_SEARCH_FILTER\s0\fR ldap_filter" 4
+.IX Item "SUDOERS_SEARCH_FILTER ldap_filter"
+An \s-1LDAP\s0 filter which is used to restrict the set of records returned
+when performing a \fBsudo\fR \s-1LDAP\s0 query. Typically, this is of the
+form \f(CW\*(C`attribute=value\*(C'\fR or \f(CW\*(C`(&(attribute=value)(attribute2=value2))\*(C'\fR.
+.IP "\fB\s-1SUDOERS_TIMED\s0\fR on/true/yes/off/false/no" 4
+.IX Item "SUDOERS_TIMED on/true/yes/off/false/no"
+Whether or not to evaluate the \f(CW\*(C`sudoNotBefore\*(C'\fR and \f(CW\*(C`sudoNotAfter\*(C'\fR
+attributes that implement time-dependent sudoers entries.
.IP "\fB\s-1SUDOERS_DEBUG\s0\fR debug_level" 4
.IX Item "SUDOERS_DEBUG debug_level"
This sets the debug level for \fBsudo\fR \s-1LDAP\s0 queries. Debugging
certificated to be verified. If the server's \s-1TLS\s0 certificate cannot
be verified (usually because it is signed by an unknown certificate
authority), \fBsudo\fR will be unable to connect to it. If \fB\s-1TLS_CHECKPEER\s0\fR
-is disabled, no check is made.
+is disabled, no check is made. Note that disabling the check creates
+an opportunity for man-in-the-middle attacks since the server's
+identity will not be authenticated. If possible, the \s-1CA\s0's certificate
+should be installed locally so it can be verified.
+.IP "\fB\s-1TLS_CACERT\s0\fR file name" 4
+.IX Item "TLS_CACERT file name"
+An alias for \fB\s-1TLS_CACERTFILE\s0\fR for OpenLDAP compatibility.
.IP "\fB\s-1TLS_CACERTFILE\s0\fR file name" 4
.IX Item "TLS_CACERTFILE file name"
The path to a certificate authority bundle which contains the certificates
for all the Certificate Authorities the client knows to be valid,
e.g. \fI/etc/ssl/ca\-bundle.pem\fR.
This option is only supported by the OpenLDAP libraries.
+Netscape-derived \s-1LDAP\s0 libraries use the same certificate
+database for \s-1CA\s0 and client certificates (see \fB\s-1TLS_CERT\s0\fR).
.IP "\fB\s-1TLS_CACERTDIR\s0\fR directory" 4
.IX Item "TLS_CACERTDIR directory"
Similar to \fB\s-1TLS_CACERTFILE\s0\fR but instead of a file, it is a
.IX Item "KRB5_CCNAME file name"
The path to the Kerberos 5 credential cache to use when authenticating
with the remote server.
+.IP "\fB\s-1DEREF\s0\fR never/searching/finding/always" 4
+.IX Item "DEREF never/searching/finding/always"
+How alias dereferencing is to be performed when searching. See the
+\&\fIldap.conf\fR\|(5) manual for a full description of this option.
.PP
See the \f(CW\*(C`ldap.conf\*(C'\fR entry in the \s-1EXAMPLES\s0 section.
-.Sh "Configuring nsswitch.conf"
+.SS "Configuring nsswitch.conf"
.IX Subsection "Configuring nsswitch.conf"
Unless it is disabled at build time, \fBsudo\fR consults the Name
Service Switch file, \fI/etc/nsswitch.conf\fR, to specify the \fIsudoers\fR
.PP
Note that \fI/etc/nsswitch.conf\fR is supported even when the underlying
operating system does not use an nsswitch.conf file.
-.Sh "Configuring netsvc.conf"
+.SS "Configuring netsvc.conf"
.IX Subsection "Configuring netsvc.conf"
On \s-1AIX\s0 systems, the \fI/etc/netsvc.conf\fR file is consulted instead of
\&\fI/etc/nsswitch.conf\fR. \fBsudo\fR simply treats \fInetsvc.conf\fR as a
determines sudoers source order on \s-1AIX\s0
.SH "EXAMPLES"
.IX Header "EXAMPLES"
-.Sh "Example ldap.conf"
+.SS "Example ldap.conf"
.IX Subsection "Example ldap.conf"
.Vb 10
\& # Either specify one or more URIs or one or more host:port pairs.
\& # The amount of time, in seconds, to wait while performing an LDAP query.
\& timelimit 30
\& #
-\& # must be set or sudo will ignore LDAP
+\& # Must be set or sudo will ignore LDAP; may be specified multiple times.
\& sudoers_base ou=SUDOers,dc=example,dc=com
\& #
\& # verbose sudoers matching from ldap
\& #sudoers_debug 2
\& #
+\& # Enable support for time\-based entries in sudoers.
+\& #sudoers_timed yes
+\& #
\& # optional proxy credentials
\& #binddn <who to search as>
\& #bindpw <password>
\& #
\& # If using SASL authentication for LDAP (OpenSSL)
\& # use_sasl yes
-\& # sasl_auth_id <SASL username>
+\& # sasl_auth_id <SASL user name>
\& # rootuse_sasl yes
-\& # rootsasl_auth_id <SASL username for root access>
+\& # rootsasl_auth_id <SASL user name for root access>
\& # sasl_secprops none
\& # krb5_ccname /etc/.ldapcache
.Ve
-.Sh "Sudo schema for OpenLDAP"
+.SS "Sudo schema for OpenLDAP"
.IX Subsection "Sudo schema for OpenLDAP"
-The following schema is in OpenLDAP format. Simply copy it to the
-schema directory (e.g. \fI/etc/openldap/schema\fR), add the proper
-\&\f(CW\*(C`include\*(C'\fR line in \f(CW\*(C`slapd.conf\*(C'\fR and restart \fBslapd\fR.
+The following schema, in OpenLDAP format, is included with \fBsudo\fR
+source and binary distributions as \fIschema.OpenLDAP\fR. Simply copy
+it to the schema directory (e.g. \fI/etc/openldap/schema\fR), add the
+proper \f(CW\*(C`include\*(C'\fR line in \f(CW\*(C`slapd.conf\*(C'\fR and restart \fBslapd\fR.
.PP
.Vb 6
\& attributetype ( 1.3.6.1.4.1.15953.9.1.1
\& EQUALITY caseExactIA5Match
\& SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
\&
+\& attributetype ( 1.3.6.1.4.1.15953.9.1.8
+\& NAME \*(AqsudoNotBefore\*(Aq
+\& DESC \*(AqStart of time interval for which the entry is valid\*(Aq
+\& EQUALITY generalizedTimeMatch
+\& ORDERING generalizedTimeOrderingMatch
+\& SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 )
+\&
+\& attributetype ( 1.3.6.1.4.1.15953.9.1.9
+\& NAME \*(AqsudoNotAfter\*(Aq
+\& DESC \*(AqEnd of time interval for which the entry is valid\*(Aq
+\& EQUALITY generalizedTimeMatch
+\& ORDERING generalizedTimeOrderingMatch
+\& SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 )
+\&
+\& attributeTypes ( 1.3.6.1.4.1.15953.9.1.10
+\& NAME \*(AqsudoOrder\*(Aq
+\& DESC \*(Aqan integer to order the sudoRole entries\*(Aq
+\& EQUALITY integerMatch
+\& ORDERING integerOrderingMatch
+\& SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 )
+\&
\& objectclass ( 1.3.6.1.4.1.15953.9.2.1 NAME \*(AqsudoRole\*(Aq SUP top STRUCTURAL
\& DESC \*(AqSudoer Entries\*(Aq
\& MUST ( cn )
\& MAY ( sudoUser $ sudoHost $ sudoCommand $ sudoRunAs $ sudoRunAsUser $
-\& sudoRunAsGroup $ sudoOption $ description )
+\& sudoRunAsGroup $ sudoOption $ sudoNotBefore $ sudoNotAfter $
+\& sudoOrder $ description )
\& )
.Ve
.SH "SEE ALSO"
\&\fIldap.conf\fR\|(5), \fIsudoers\fR\|(5)
.SH "CAVEATS"
.IX Header "CAVEATS"
-The way that \fIsudoers\fR is parsed differs between Note that there
-are differences in the way that LDAP-based \fIsudoers\fR is parsed
-compared to file-based \fIsudoers\fR. See the \*(L"Differences between
-\&\s-1LDAP\s0 and non-LDAP sudoers\*(R" section for more information.
+Note that there are differences in the way that LDAP-based \fIsudoers\fR
+is parsed compared to file-based \fIsudoers\fR. See the \*(L"Differences
+between \s-1LDAP\s0 and non-LDAP sudoers\*(R" section for more information.
.SH "BUGS"
.IX Header "BUGS"
If you feel you have found a bug in \fBsudo\fR, please submit a bug report
-.\" Copyright (c) 1994-1996, 1998-2005, 2007-2009
+.\" Copyright (c) 1994-1996, 1998-2005, 2007-2012
.\" Todd C. Miller <Todd.Miller@courtesan.com>
.\"
.\" Permission to use, copy, modify, and distribute this software for any
.\" Agency (DARPA) and Air Force Research Laboratory, Air Force
.\" Materiel Command, USAF, under agreement number F39502-99-1-0512.
.\"
-.\" $Sudo: sudo.man.in,v 1.56 2009/06/29 13:36:42 millert Exp $
-.\" Automatically generated by Pod::Man 2.16 (Pod::Simple 3.05)
+.nr SL 0
+.nr BA 0
+.nr LC 0
+.nr PT 5
+.\"
+.\" Automatically generated by Pod::Man 2.23 (Pod::Simple 3.14)
.\"
.\" Standard preamble:
.\" ========================================================================
-.de Sh \" Subsection heading
-.br
-.if t .Sp
-.ne 5
-.PP
-\fB\\$1\fR
-.PP
-..
.de Sp \" Vertical space (when we can't use .PP)
.if t .sp .5v
.if n .sp
.el .ds Aq '
.\"
.\" If the F register is turned on, we'll generate index entries on stderr for
-.\" titles (.TH), headers (.SH), subsections (.Sh), items (.Ip), and index
+.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
.\" entries marked with X<> in POD. Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
.ie \nF \{\
.\" ========================================================================
.\"
.IX Title "SUDO 8"
-.TH SUDO 8 "June 15, 2009" "1.7.2p1" "MAINTENANCE COMMANDS"
+.TH SUDO 8 "February 5, 2012" "1.8.4" "MAINTENANCE COMMANDS"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
sudo, sudoedit \- execute a command as another user
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
-\&\fBsudo\fR \fB\-h\fR | \fB\-K\fR | \fB\-k\fR | \fB\-L\fR | \fB\-V\fR
+\&\fBsudo\fR \fB\-h\fR | \fB\-K\fR | \fB\-k\fR | \fB\-V\fR
.PP
\&\fBsudo\fR \fB\-v\fR [\fB\-AknS\fR]
-.\" [\fB\-a\fR\ \fIauth_type\fR]
-[\fB\-p\fR\ \fIprompt\fR]
+.if \n(BA [\fB\-a\fR\ \fIauth_type\fR]
+[\fB\-g\fR\ \fIgroup\ name\fR|\fI#gid\fR] [\fB\-p\fR\ \fIprompt\fR]
+[\fB\-u\fR\ \fIuser\ name\fR|\fI#uid\fR]
.PP
\&\fBsudo\fR \fB\-l[l]\fR [\fB\-AknS\fR]
-.\" [\fB\-a\fR\ \fIauth_type\fR]
-[\fB\-g\fR\ \fIgroupname\fR|\fI#gid\fR] [\fB\-p\fR\ \fIprompt\fR]
-[\fB\-U\fR\ \fIusername\fR] [\fB\-u\fR\ \fIusername\fR|\fI#uid\fR] [\fIcommand\fR]
+.if \n(BA [\fB\-a\fR\ \fIauth_type\fR]
+[\fB\-g\fR\ \fIgroup\ name\fR|\fI#gid\fR] [\fB\-p\fR\ \fIprompt\fR]
+[\fB\-U\fR\ \fIuser\ name\fR] [\fB\-u\fR\ \fIuser\ name\fR|\fI#uid\fR] [\fIcommand\fR]
.PP
\&\fBsudo\fR [\fB\-AbEHnPS\fR]
-.\" [\fB\-a\fR\ \fIauth_type\fR]
+.if \n(BA [\fB\-a\fR\ \fIauth_type\fR]
[\fB\-C\fR\ \fIfd\fR]
-.\" [\fB\-c\fR\ \fIclass\fR|\fI\-\fR]
-[\fB\-g\fR\ \fIgroupname\fR|\fI#gid\fR] [\fB\-p\fR\ \fIprompt\fR]
-.\" [\fB\-r\fR\ \fIrole\fR] [\fB\-t\fR\ \fItype\fR]
-[\fB\-u\fR\ \fIusername\fR|\fI#uid\fR]
+.if \n(LC [\fB\-c\fR\ \fIclass\fR|\fI\-\fR]
+[\fB\-g\fR\ \fIgroup\ name\fR|\fI#gid\fR] [\fB\-p\fR\ \fIprompt\fR]
+.if \n(SL [\fB\-r\fR\ \fIrole\fR] [\fB\-t\fR\ \fItype\fR]
+[\fB\-u\fR\ \fIuser\ name\fR|\fI#uid\fR]
[\fB\s-1VAR\s0\fR=\fIvalue\fR] [\fB\-i\fR\ |\ \fB\-s\fR] [\fIcommand\fR]
.PP
\&\fBsudoedit\fR [\fB\-AnS\fR]
-.\" [\fB\-a\fR\ \fIauth_type\fR]
+.if \n(BA [\fB\-a\fR\ \fIauth_type\fR]
[\fB\-C\fR\ \fIfd\fR]
-.\" [\fB\-c\fR\ \fIclass\fR|\fI\-\fR]
-[\fB\-g\fR\ \fIgroupname\fR|\fI#gid\fR] [\fB\-p\fR\ \fIprompt\fR]
-[\fB\-u\fR\ \fIusername\fR|\fI#uid\fR] file ...
+.if \n(LC [\fB\-c\fR\ \fIclass\fR|\fI\-\fR]
+[\fB\-g\fR\ \fIgroup\ name\fR|\fI#gid\fR] [\fB\-p\fR\ \fIprompt\fR]
+[\fB\-u\fR\ \fIuser\ name\fR|\fI#uid\fR] file ...
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
\&\fBsudo\fR allows a permitted user to execute a \fIcommand\fR as the
-superuser or another user, as specified in the \fIsudoers\fR file.
+superuser or another user, as specified by the security policy.
The real and effective uid and gid are set to match those of the
-target user as specified in the passwd file and the group vector
-is initialized based on the group file (unless the \fB\-P\fR option was
-specified). If the invoking user is root or if the target user is
-the same as the invoking user, no password is required. Otherwise,
-\&\fBsudo\fR requires that users authenticate themselves with a password
-by default (\s-1NOTE:\s0 in the default configuration this is the user's
-password, not the root password). Once a user has been authenticated,
-a timestamp is updated and the user may then use sudo without a
-password for a short period of time (\f(CW\*(C`5\*(C'\fR minutes unless
-overridden in \fIsudoers\fR).
+target user, as specified in the password database, and the group
+vector is initialized based on the group database (unless the \fB\-P\fR
+option was specified).
+.PP
+\&\fBsudo\fR supports a plugin architecture for security policies and
+input/output logging. Third parties can develop and distribute
+their own policy and I/O logging modules to work seamlessly with
+the \fBsudo\fR front end. The default security policy is \fIsudoers\fR,
+which is configured via the file \fI/etc/sudoers\fR, or via
+\&\s-1LDAP\s0. See the \s-1PLUGINS\s0 section for more information.
+.PP
+The security policy determines what privileges, if any, a user has
+to run \fBsudo\fR. The policy may require that users authenticate
+themselves with a password or another authentication mechanism. If
+authentication is required, \fBsudo\fR will exit if the user's password
+is not entered within a configurable time limit. This limit is
+policy-specific; the default password prompt timeout for the
+\&\fIsudoers\fR security policy is
+.ie \n(PT \f(CW\*(C`5\*(C'\fR minutes.
+.el unlimited.
+.PP
+Security policies may support credential caching to allow the user
+to run \fBsudo\fR again for a period of time without requiring
+authentication. The \fIsudoers\fR policy caches credentials for
+\&\f(CW\*(C`5\*(C'\fR minutes, unless overridden in \fIsudoers\fR\|(5). By
+running \fBsudo\fR with the \fB\-v\fR option, a user can update the cached
+credentials without running a \fIcommand\fR.
.PP
When invoked as \fBsudoedit\fR, the \fB\-e\fR option (described below),
is implied.
.PP
-\&\fBsudo\fR determines who is an authorized user by consulting the file
-\&\fI/etc/sudoers\fR. By running \fBsudo\fR with the \fB\-v\fR option,
-a user can update the time stamp without running a \fIcommand\fR. The
-password prompt itself will also time out if the user's password
-is not entered within \f(CW\*(C`5\*(C'\fR minutes (unless overridden
-via \fIsudoers\fR).
-.PP
-If a user who is not listed in the \fIsudoers\fR file tries to run a
-command via \fBsudo\fR, mail is sent to the proper authorities, as
-defined at configure time or in the \fIsudoers\fR file (defaults to
-\&\f(CW\*(C`root\*(C'\fR). Note that the mail will not be sent if an unauthorized
-user tries to run sudo with the \fB\-l\fR or \fB\-v\fR option. This allows
-users to determine for themselves whether or not they are allowed
-to use \fBsudo\fR.
-.PP
-If \fBsudo\fR is run by root and the \f(CW\*(C`SUDO_USER\*(C'\fR environment variable
-is set, \fBsudo\fR will use this value to determine who the actual
-user is. This can be used by a user to log commands through sudo
-even when a root shell has been invoked. It also allows the \fB\-e\fR
-option to remain useful even when being run via a sudo-run script or
-program. Note however, that the sudoers lookup is still done for
-root, not the user specified by \f(CW\*(C`SUDO_USER\*(C'\fR.
-.PP
-\&\fBsudo\fR can log both successful and unsuccessful attempts (as well
-as errors) to \fIsyslog\fR\|(3), a log file, or both. By default \fBsudo\fR
-will log via \fIsyslog\fR\|(3) but this is changeable at configure time
-or via the \fIsudoers\fR file.
+Security policies may log successful and failed attempts to use
+\&\fBsudo\fR. If an I/O plugin is configured, the running command's
+input and output may be logged as well.
.SH "OPTIONS"
.IX Header "OPTIONS"
\&\fBsudo\fR accepts the following command line options:
.IP "\-A" 12
.IX Item "-A"
Normally, if \fBsudo\fR requires a password, it will read it from the
-current terminal. If the \fB\-A\fR (\fIaskpass\fR) option is specified,
-a (possibly graphical) helper program is executed to read the
-user's password and output the password to the standard output. If
-the \f(CW\*(C`SUDO_ASKPASS\*(C'\fR environment variable is set, it specifies the
-path to the helper program. Otherwise, the value specified by the
-\&\fIaskpass\fR option in \fIsudoers\fR\|(5) is used.
-.\" .IP "\-a \fItype\fR" 12
-.\" .IX Item "-a type"
-.\" The \fB\-a\fR (\fIauthentication type\fR) option causes \fBsudo\fR to use the
-.\" specified authentication type when validating the user, as allowed
-.\" by \fI/etc/login.conf\fR. The system administrator may specify a list
-.\" of sudo-specific authentication methods by adding an \*(L"auth-sudo\*(R"
-.\" entry in \fI/etc/login.conf\fR. This option is only available on systems
-.\" that support \s-1BSD\s0 authentication.
+user's terminal. If the \fB\-A\fR (\fIaskpass\fR) option is specified,
+a (possibly graphical) helper program is executed to read the user's
+password and output the password to the standard output. If the
+\&\f(CW\*(C`SUDO_ASKPASS\*(C'\fR environment variable is set, it specifies the path
+to the helper program. Otherwise, if \fI/etc/sudo.conf\fR
+contains a line specifying the askpass program, that value will be
+used. For example:
+.Sp
+.Vb 2
+\& # Path to askpass helper program
+\& Path askpass /usr/X11R6/bin/ssh\-askpass
+.Ve
+.Sp
+If no askpass program is available, sudo will exit with an error.
+.if \n(BA \{\
+.IP "\-a \fItype\fR" 12
+.IX Item "-a type"
+The \fB\-a\fR (\fIauthentication type\fR) option causes \fBsudo\fR to use the
+specified authentication type when validating the user, as allowed
+by \fI/etc/login.conf\fR. The system administrator may specify a list
+of sudo-specific authentication methods by adding an \*(L"auth-sudo\*(R"
+entry in \fI/etc/login.conf\fR. This option is only available on systems
+that support \s-1BSD\s0 authentication.
+\}
.IP "\-b" 12
.IX Item "-b"
The \fB\-b\fR (\fIbackground\fR) option tells \fBsudo\fR to run the given
command in the background. Note that if you use the \fB\-b\fR
option you cannot use shell job control to manipulate the process.
+Most interactive commands will fail to work properly in background
+mode.
.IP "\-C \fIfd\fR" 12
.IX Item "-C fd"
Normally, \fBsudo\fR will close all open file descriptors other than
standard input, standard output and standard error. The \fB\-C\fR
(\fIclose from\fR) option allows the user to specify a starting point
above the standard error (file descriptor three). Values less than
-three are not permitted. This option is only available if the
-administrator has enabled the \fIclosefrom_override\fR option in
-\&\fIsudoers\fR\|(5).
-.\" .IP "\-c \fIclass\fR" 12
-.\" .IX Item "-c class"
-.\" The \fB\-c\fR (\fIclass\fR) option causes \fBsudo\fR to run the specified command
-.\" with resources limited by the specified login class. The \fIclass\fR
-.\" argument can be either a class name as defined in \fI/etc/login.conf\fR,
-.\" or a single '\-' character. Specifying a \fIclass\fR of \f(CW\*(C`\-\*(C'\fR indicates
-.\" that the command should be run restricted by the default login
-.\" capabilities for the user the command is run as. If the \fIclass\fR
-.\" argument specifies an existing user class, the command must be run
-.\" as root, or the \fBsudo\fR command must be run from a shell that is already
-.\" root. This option is only available on systems with \s-1BSD\s0 login classes.
+three are not permitted. The security policy may restrict the
+user's ability to use the \fB\-C\fR option. The \fIsudoers\fR policy only
+permits use of the \fB\-C\fR option when the administrator has enabled
+the \fIclosefrom_override\fR option.
+.if \n(LC \{\
+.IP "\-c \fIclass\fR" 12
+.IX Item "-c class"
+The \fB\-c\fR (\fIclass\fR) option causes \fBsudo\fR to run the specified command
+with resources limited by the specified login class. The \fIclass\fR
+argument can be either a class name as defined in \fI/etc/login.conf\fR,
+or a single '\-' character. Specifying a \fIclass\fR of \f(CW\*(C`\-\*(C'\fR indicates
+that the command should be run restricted by the default login
+capabilities for the user the command is run as. If the \fIclass\fR
+argument specifies an existing user class, the command must be run
+as root, or the \fBsudo\fR command must be run from a shell that is already
+root. This option is only available on systems with \s-1BSD\s0 login classes.
+\}
.IP "\-E" 12
.IX Item "-E"
-The \fB\-E\fR (\fIpreserve\fR \fIenvironment\fR) option will override the
-\&\fIenv_reset\fR option in \fIsudoers\fR\|(5)). It is only
-available when either the matching command has the \f(CW\*(C`SETENV\*(C'\fR tag
-or the \fIsetenv\fR option is set in \fIsudoers\fR\|(5).
+The \fB\-E\fR (\fIpreserve\fR \fIenvironment\fR) option indicates to the
+security policy that the user wishes to preserve their existing
+environment variables. The security policy may return an error if
+the \fB\-E\fR option is specified and the user does not have permission
+to preserve the environment.
.IP "\-e" 12
.IX Item "-e"
-The \fB\-e\fR (\fIedit\fR) option indicates that, instead of running
-a command, the user wishes to edit one or more files. In lieu
-of a command, the string \*(L"sudoedit\*(R" is used when consulting
-the \fIsudoers\fR file. If the user is authorized by \fIsudoers\fR
-the following steps are taken:
+The \fB\-e\fR (\fIedit\fR) option indicates that, instead of running a
+command, the user wishes to edit one or more files. In lieu of a
+command, the string \*(L"sudoedit\*(R" is used when consulting the security
+policy. If the user is authorized by the policy, the following
+steps are taken:
.RS 12
.IP "1." 4
Temporary copies are made of the files to be edited with the owner
set to the invoking user.
.IP "2." 4
-The editor specified by the \f(CW\*(C`SUDO_EDITOR\*(C'\fR, \f(CW\*(C`VISUAL\*(C'\fR or \f(CW\*(C`EDITOR\*(C'\fR
-environment variables is run to edit the temporary files. If none
-of \f(CW\*(C`SUDO_EDITOR\*(C'\fR, \f(CW\*(C`VISUAL\*(C'\fR or \f(CW\*(C`EDITOR\*(C'\fR are set, the first program
-listed in the \fIeditor\fR \fIsudoers\fR variable is used.
+The editor specified by the policy is run to edit the temporary files.
+The \fIsudoers\fR policy uses the \f(CW\*(C`SUDO_EDITOR\*(C'\fR, \f(CW\*(C`VISUAL\*(C'\fR and \f(CW\*(C`EDITOR\*(C'\fR
+environment variables (in that order). If none of \f(CW\*(C`SUDO_EDITOR\*(C'\fR,
+\&\f(CW\*(C`VISUAL\*(C'\fR or \f(CW\*(C`EDITOR\*(C'\fR are set, the first program listed in the
+\&\fIeditor\fR \fIsudoers\fR\|(5) option is used.
.IP "3." 4
If they have been modified, the temporary files are copied back to
their original location and the temporary versions are removed.
.RE
.IP "\-g \fIgroup\fR" 12
.IX Item "-g group"
-Normally, \fBsudo\fR sets the primary group to the one specified by
-the passwd database for the user the command is being run as (by
-default, root). The \fB\-g\fR (\fIgroup\fR) option causes \fBsudo\fR to run
-the specified command with the primary group set to \fIgroup\fR. To
-specify a \fIgid\fR instead of a \fIgroup name\fR, use \fI#gid\fR. When
-running commands as a \fIgid\fR, many shells require that the '#' be
-escaped with a backslash ('\e'). If no \fB\-u\fR option is specified,
-the command will be run as the invoking user (not root). In either
-case, the primary group will be set to \fIgroup\fR.
+Normally, \fBsudo\fR runs a command with the primary group set to the
+one specified by the password database for the user the command is
+being run as (by default, root). The \fB\-g\fR (\fIgroup\fR) option causes
+\&\fBsudo\fR to run the command with the primary group set to \fIgroup\fR
+instead. To specify a \fIgid\fR instead of a \fIgroup name\fR, use
+\&\fI#gid\fR. When running commands as a \fIgid\fR, many shells require
+that the '#' be escaped with a backslash ('\e'). If no \fB\-u\fR option
+is specified, the command will be run as the invoking user (not
+root). In either case, the primary group will be set to \fIgroup\fR.
.IP "\-H" 12
.IX Item "-H"
-The \fB\-H\fR (\fI\s-1HOME\s0\fR) option sets the \f(CW\*(C`HOME\*(C'\fR environment variable
-to the homedir of the target user (root by default) as specified
-in \fIpasswd\fR\|(5). By default, \fBsudo\fR does not modify \f(CW\*(C`HOME\*(C'\fR
-(see \fIset_home\fR and \fIalways_set_home\fR in \fIsudoers\fR\|(5)).
+The \fB\-H\fR (\fI\s-1HOME\s0\fR) option requests that the security policy set
+the \f(CW\*(C`HOME\*(C'\fR environment variable to the home directory of the target
+user (root by default) as specified by the password database.
+Depending on the policy, this may be the default behavior.
.IP "\-h" 12
.IX Item "-h"
-The \fB\-h\fR (\fIhelp\fR) option causes \fBsudo\fR to print a usage message and exit.
+The \fB\-h\fR (\fIhelp\fR) option causes \fBsudo\fR to print a short help message
+to the standard output and exit.
.IP "\-i [command]" 12
.IX Item "-i [command]"
The \fB\-i\fR (\fIsimulate initial login\fR) option runs the shell specified
-in the \fIpasswd\fR\|(5) entry of the target user as a login shell. This
-means that login-specific resource files such as \f(CW\*(C`.profile\*(C'\fR or
-\&\f(CW\*(C`.login\*(C'\fR will be read by the shell. If a command is specified,
-it is passed to the shell for execution. Otherwise, an interactive
-shell is executed. \fBsudo\fR attempts to change to that user's home
-directory before running the shell. It also initializes the
-environment, leaving \fI\s-1DISPLAY\s0\fR and \fI\s-1TERM\s0\fR unchanged, setting
-\&\fI\s-1HOME\s0\fR, \fI\s-1SHELL\s0\fR, \fI\s-1USER\s0\fR, \fI\s-1LOGNAME\s0\fR, and \fI\s-1PATH\s0\fR, as well as
-the contents of \fI/etc/environment\fR on Linux and \s-1AIX\s0 systems.
-All other environment variables are removed.
+by the password database entry of the target user as a login shell.
+This means that login-specific resource files such as \f(CW\*(C`.profile\*(C'\fR
+or \f(CW\*(C`.login\*(C'\fR will be read by the shell. If a command is specified,
+it is passed to the shell for execution via the shell's \fB\-c\fR option.
+If no command is specified, an interactive shell is executed.
+\&\fBsudo\fR attempts to change to that user's home directory before
+running the shell. The security policy shall initialize the
+environment to a minimal set of variables, similar to what is present
+when a user logs in. The \fICommand Environment\fR section in the
+\&\fIsudoers\fR\|(5) manual documents how the \fB\-i\fR option affects the
+environment in which a command is run when the \fIsudoers\fR policy
+is in use.
.IP "\-K" 12
.IX Item "-K"
The \fB\-K\fR (sure \fIkill\fR) option is like \fB\-k\fR except that it removes
-the user's timestamp entirely and may not be used in conjunction
-with a command or other option. This option does not require a
-password.
-.IP "\-k" 12
-.IX Item "-k"
-When used by itself, the \fB\-k\fR (\fIkill\fR) option to \fBsudo\fR invalidates
-the user's timestamp by setting the time on it to the Epoch. The
-next time \fBsudo\fR is run a password will be required. This option
-does not require a password and was added to allow a user to revoke
-\&\fBsudo\fR permissions from a .logout file.
+the user's cached credentials entirely and may not be used in
+conjunction with a command or other option. This option does not
+require a password. Not all security policies support credential
+caching.
+.IP "\-k [command]" 12
+.IX Item "-k [command]"
+When used alone, the \fB\-k\fR (\fIkill\fR) option to \fBsudo\fR invalidates
+the user's cached credentials. The next time \fBsudo\fR is run a
+password will be required. This option does not require a password
+and was added to allow a user to revoke \fBsudo\fR permissions from a
+\&.logout file. Not all security policies support credential
+caching.
.Sp
When used in conjunction with a command or an option that may require
a password, the \fB\-k\fR option will cause \fBsudo\fR to ignore the user's
-timestamp file. As a result, \fBsudo\fR will prompt for a password
-(if one is required by \fIsudoers\fR) and will not update the user's
-timestamp file.
-.IP "\-L" 12
-.IX Item "-L"
-The \fB\-L\fR (\fIlist\fR defaults) option will list out the parameters
-that may be set in a \fIDefaults\fR line along with a short description
-for each. This option is useful in conjunction with \fIgrep\fR\|(1).
+cached credentials. As a result, \fBsudo\fR will prompt for a password
+(if one is required by the security policy) and will not update the
+user's cached credentials.
.IP "\-l[l] [\fIcommand\fR]" 12
.IX Item "-l[l] [command]"
If no \fIcommand\fR is specified, the \fB\-l\fR (\fIlist\fR) option will list
the allowed (and forbidden) commands for the invoking user (or the
user specified by the \fB\-U\fR option) on the current host. If a
-\&\fIcommand\fR is specified and is permitted by \fIsudoers\fR, the
-fully-qualified path to the command is displayed along with any
+\&\fIcommand\fR is specified and is permitted by the security policy,
+the fully-qualified path to the command is displayed along with any
command line arguments. If \fIcommand\fR is specified but not allowed,
-\&\fBsudo\fR will exit with a status value of 1. If the \fB\-l\fR option is
-specified with an \fBl\fR argument (i.e. \fB\-ll\fR), or if \fB\-l\fR
-is specified multiple times, a longer list format is used.
+\&\fBsudo\fR will exit with a status value of 1. If the \fB\-l\fR option
+is specified with an \fBl\fR argument (i.e. \fB\-ll\fR), or if \fB\-l\fR is
+specified multiple times, a longer list format is used.
.IP "\-n" 12
.IX Item "-n"
The \fB\-n\fR (\fInon-interactive\fR) option prevents \fBsudo\fR from prompting
.IX Item "-P"
The \fB\-P\fR (\fIpreserve\fR \fIgroup vector\fR) option causes \fBsudo\fR to
preserve the invoking user's group vector unaltered. By default,
-\&\fBsudo\fR will initialize the group vector to the list of groups the
-target user is in. The real and effective group IDs, however, are
-still set to match the target user.
+the \fIsudoers\fR policy will initialize the group vector to the list
+of groups the target user is in. The real and effective group IDs,
+however, are still set to match the target user.
.IP "\-p \fIprompt\fR" 12
.IX Item "-p prompt"
The \fB\-p\fR (\fIprompt\fR) option allows you to override the default
password prompt and use a custom one. The following percent (`\f(CW\*(C`%\*(C'\fR')
-escapes are supported:
+escapes are supported by the \fIsudoers\fR policy:
.RS 12
.ie n .IP "%H" 4
.el .IP "\f(CW%H\fR" 4
.IX Item "%H"
-expanded to the local hostname including the domain name
-(on if the machine's hostname is fully qualified or the \fIfqdn\fR
-\&\fIsudoers\fR option is set)
+expanded to the host name including the domain name (on if
+the machine's host name is fully qualified or the \fIfqdn\fR option
+is set in \fIsudoers\fR\|(5))
.ie n .IP "%h" 4
.el .IP "\f(CW%h\fR" 4
.IX Item "%h"
-expanded to the local hostname without the domain name
+expanded to the local host name without the domain name
.ie n .IP "%p" 4
.el .IP "\f(CW%p\fR" 4
.IX Item "%p"
-expanded to the user whose password is being asked for (respects the
-\&\fIrootpw\fR, \fItargetpw\fR and \fIrunaspw\fR flags in \fIsudoers\fR)
+expanded to the name of the user whose password is being requested
+(respects the \fIrootpw\fR, \fItargetpw\fR and \fIrunaspw\fR flags in
+\&\fIsudoers\fR\|(5))
.ie n .IP "%U" 4
.el .IP "\f(CW%U\fR" 4
.IX Item "%U"
-expanded to the login name of the user the command will
-be run as (defaults to root)
+expanded to the login name of the user the command will be run as
+(defaults to root unless the \f(CW\*(C`\-u\*(C'\fR option is also specified)
.ie n .IP "%u" 4
.el .IP "\f(CW%u\fR" 4
.IX Item "%u"
password prompt on systems that support \s-1PAM\s0 unless the
\&\fIpassprompt_override\fR flag is disabled in \fIsudoers\fR.
.RE
-.\" .IP "\-r \fIrole\fR" 12
-.\" .IX Item "-r role"
-.\" The \fB\-r\fR (\fIrole\fR) option causes the new (SELinux) security context to
-.\" have the role specified by \fIrole\fR.
+.if \n(SL \{\
+.IP "\-r \fIrole\fR" 12
+.IX Item "-r role"
+The \fB\-r\fR (\fIrole\fR) option causes the new (SELinux) security context to
+have the role specified by \fIrole\fR.
+\}
.IP "\-S" 12
.IX Item "-S"
The \fB\-S\fR (\fIstdin\fR) option causes \fBsudo\fR to read the password from
-the standard input instead of the terminal device.
+the standard input instead of the terminal device. The password must
+be followed by a newline character.
.IP "\-s [command]" 12
.IX Item "-s [command]"
The \fB\-s\fR (\fIshell\fR) option runs the shell specified by the \fI\s-1SHELL\s0\fR
-environment variable if it is set or the shell as specified in
-\&\fIpasswd\fR\|(5). If a command is specified, it is passed to the shell
-for execution. Otherwise, an interactive shell is executed.
-.\" .IP "\-t \fItype\fR" 12
-.\" .IX Item "-t type"
-.\" The \fB\-t\fR (\fItype\fR) option causes the new (SELinux) security context to
-.\" have the type specified by \fItype\fR. If no type is specified, the default
-.\" type is derived from the specified role.
+environment variable if it is set or the shell as specified in the
+password database. If a command is specified, it is passed to the
+shell for execution via the shell's \fB\-c\fR option. If no command
+is specified, an interactive shell is executed.
+.if \n(SL \{\
+.IP "\-t \fItype\fR" 12
+.IX Item "-t type"
+The \fB\-t\fR (\fItype\fR) option causes the new (SELinux) security context to
+have the type specified by \fItype\fR. If no type is specified, the default
+type is derived from the specified role.
+\}
.IP "\-U \fIuser\fR" 12
.IX Item "-U user"
-The \fB\-U\fR (\fIother user\fR) option is used in conjunction with the \fB\-l\fR
-option to specify the user whose privileges should be listed. Only
-root or a user with \fBsudo\fR \f(CW\*(C`ALL\*(C'\fR on the current host may use this
-option.
+The \fB\-U\fR (\fIother user\fR) option is used in conjunction with the
+\&\fB\-l\fR option to specify the user whose privileges should be listed.
+The security policy may restrict listing other users' privileges.
+The \fIsudoers\fR policy only allows root or a user with the \f(CW\*(C`ALL\*(C'\fR
+privilege on the current host to use this option.
.IP "\-u \fIuser\fR" 12
.IX Item "-u user"
The \fB\-u\fR (\fIuser\fR) option causes \fBsudo\fR to run the specified
command as a user other than \fIroot\fR. To specify a \fIuid\fR instead
of a \fIuser name\fR, use \fI#uid\fR. When running commands as a \fIuid\fR,
many shells require that the '#' be escaped with a backslash ('\e').
-Note that if the \fItargetpw\fR Defaults option is set (see \fIsudoers\fR\|(5))
-it is not possible to run commands with a uid not listed in the
-password database.
+Security policies may restrict \fIuid\fRs to those listed in the
+password database. The \fIsudoers\fR policy allows \fIuid\fRs that are
+not in the password database as long as the \fItargetpw\fR option is
+not set. Other security policies may not support this.
.IP "\-V" 12
.IX Item "-V"
-The \fB\-V\fR (\fIversion\fR) option causes \fBsudo\fR to print the version
-number and exit. If the invoking user is already root the \fB\-V\fR
-option will print out a list of the defaults \fBsudo\fR was compiled
-with as well as the machine's local network addresses.
+The \fB\-V\fR (\fIversion\fR) option causes \fBsudo\fR to print its version
+string and the version string of the security policy plugin and any
+I/O plugins. If the invoking user is already root the \fB\-V\fR option
+will display the arguments passed to configure when \fIsudo\fR was
+built and plugins may display more verbose information such as
+default options.
.IP "\-v" 12
.IX Item "-v"
-If given the \fB\-v\fR (\fIvalidate\fR) option, \fBsudo\fR will update the
-user's timestamp, prompting for the user's password if necessary.
-This extends the \fBsudo\fR timeout for another \f(CW\*(C`5\*(C'\fR minutes
-(or whatever the timeout is set to in \fIsudoers\fR) but does not run
-a command.
+When given the \fB\-v\fR (\fIvalidate\fR) option, \fBsudo\fR will update the
+user's cached credentials, authenticating the user's password if
+necessary. For the \fIsudoers\fR plugin, this extends the \fBsudo\fR
+timeout for another \f(CW\*(C`5\*(C'\fR minutes (or whatever the timeout
+is set to in \fIsudoers\fR) but does not run a command. Not all
+security policies support cached credentials.
.IP "\-\-" 12
The \fB\-\-\fR option indicates that \fBsudo\fR should stop processing command
-line arguments. It is most useful in conjunction with the \fB\-s\fR option.
+line arguments.
.PP
Environment variables to be set for the command may also be passed
on the command line in the form of \fB\s-1VAR\s0\fR=\fIvalue\fR, e.g.
variables with one important exception. If the \fIsetenv\fR option
is set in \fIsudoers\fR, the command to be run has the \f(CW\*(C`SETENV\*(C'\fR tag
set or the command matched is \f(CW\*(C`ALL\*(C'\fR, the user may set variables
-that would overwise be forbidden. See \fIsudoers\fR\|(5) for more information.
+that would otherwise be forbidden. See \fIsudoers\fR\|(5) for more information.
+.SH "PLUGINS"
+.IX Header "PLUGINS"
+Plugins are dynamically loaded based on the contents of the
+\&\fI/etc/sudo.conf\fR file. If no \fI/etc/sudo.conf\fR
+file is present, or it contains no \f(CW\*(C`Plugin\*(C'\fR lines, \fBsudo\fR
+will use the traditional \fIsudoers\fR security policy and I/O logging,
+which corresponds to the following \fI/etc/sudo.conf\fR file.
+.PP
+.Vb 10
+\& #
+\& # Default /etc/sudo.conf file
+\& #
+\& # Format:
+\& # Plugin plugin_name plugin_path
+\& # Path askpass /path/to/askpass
+\& # Path noexec /path/to/noexec.so
+\& # Debug sudo /var/log/sudo_debug all@warn
+\& # Set disable_coredump true
+\& #
+\& # The plugin_path is relative to /usr/local/libexec unless
+\& # fully qualified.
+\& # The plugin_name corresponds to a global symbol in the plugin
+\& # that contains the plugin interface structure.
+\& #
+\& Plugin policy_plugin sudoers.so
+\& Plugin io_plugin sudoers.so
+.Ve
+.PP
+A \f(CW\*(C`Plugin\*(C'\fR line consists of the \f(CW\*(C`Plugin\*(C'\fR keyword, followed by the
+\&\fIsymbol_name\fR and the \fIpath\fR to the shared object containing the
+plugin. The \fIsymbol_name\fR is the name of the \f(CW\*(C`struct policy_plugin\*(C'\fR
+or \f(CW\*(C`struct io_plugin\*(C'\fR in the plugin shared object. The \fIpath\fR
+may be fully qualified or relative. If not fully qualified it is
+relative to the \fI/usr/local/libexec\fR directory. Any additional
+parameters after the \fIpath\fR are ignored. Lines that don't begin
+with \f(CW\*(C`Plugin\*(C'\fR or \f(CW\*(C`Path\*(C'\fR are silently ignored
+.PP
+For more information, see the \fIsudo_plugin\fR\|(8) manual.
+.SH "PATHS"
+.IX Header "PATHS"
+A \f(CW\*(C`Path\*(C'\fR line consists of the \f(CW\*(C`Path\*(C'\fR keyword, followed by the
+name of the path to set and its value. E.g.
+.PP
+.Vb 2
+\& Path noexec /usr/local/libexec/sudo_noexec.so
+\& Path askpass /usr/X11R6/bin/ssh\-askpass
+.Ve
+.PP
+The following plugin-agnostic paths may be set in the
+\&\fI/etc/sudo.conf\fR file.
+.IP "askpass" 16
+.IX Item "askpass"
+The fully qualified path to a helper program used to read the user's
+password when no terminal is available. This may be the case when
+\&\fBsudo\fR is executed from a graphical (as opposed to text-based)
+application. The program specified by \fIaskpass\fR should display
+the argument passed to it as the prompt and write the user's password
+to the standard output. The value of \fIaskpass\fR may be overridden
+by the \f(CW\*(C`SUDO_ASKPASS\*(C'\fR environment variable.
+.IP "noexec" 16
+.IX Item "noexec"
+The fully-qualified path to a shared library containing dummy
+versions of the \fIexecv()\fR, \fIexecve()\fR and \fIfexecve()\fR library functions
+that just return an error. This is used to implement the \fInoexec\fR
+functionality on systems that support \f(CW\*(C`LD_PRELOAD\*(C'\fR or its equivalent.
+Defaults to \fI/usr/local/libexec/sudo_noexec.so\fR.
+.SH "DEBUG FLAGS"
+.IX Header "DEBUG FLAGS"
+\&\fBsudo\fR versions 1.8.4 and higher support a flexible debugging
+framework that can help track down what \fBsudo\fR is doing internally
+if there is a problem.
+.PP
+A \f(CW\*(C`Debug\*(C'\fR line consists of the \f(CW\*(C`Debug\*(C'\fR keyword, followed by the
+name of the program to debug (\fBsudo\fR, \fBvisudo\fR, \fBsudoreplay\fR),
+the debug file name and a comma-separated list of debug flags.
+The debug flag syntax used by \fBsudo\fR and the \fIsudoers\fR plugin is
+\&\fIsubsystem\fR@\fIpriority\fR but the plugin is free to use a different
+format so long as it does not include a command \f(CW\*(C`,\*(C'\fR.
+.PP
+For instance:
+.PP
+.Vb 1
+\& Debug sudo /var/log/sudo_debug all@warn,plugin@info
+.Ve
+.PP
+would log all debugging statements at the \fIwarn\fR level and higher
+in addition to those at the \fIinfo\fR level for the plugin subsystem.
+.PP
+Currently, only one \f(CW\*(C`Debug\*(C'\fR entry per program is supported. The
+\&\f(CW\*(C`sudo\*(C'\fR \f(CW\*(C`Debug\*(C'\fR entry is shared by the \fBsudo\fR front end, \fBsudoedit\fR
+and the plugins. A future release may add support for per-plugin
+\&\f(CW\*(C`Debug\*(C'\fR lines and/or support for multiple debugging files for a
+single program.
+.PP
+The priorities used by the \fBsudo\fR front end, in order of decreasing
+severity, are: \fIcrit\fR, \fIerr\fR, \fIwarn\fR, \fInotice\fR, \fIdiag\fR, \fIinfo\fR,
+\&\fItrace\fR and \fIdebug\fR. Each priority, when specified, also includes
+all priorities higher than it. For example, a priority of \fInotice\fR
+would include debug messages logged at \fInotice\fR and higher.
+.PP
+The following subsystems are used by \fBsudo\fR:
+.IP "\fIall\fR" 10
+.IX Item "all"
+matches every subsystem
+.IP "\fIargs\fR" 10
+.IX Item "args"
+command line argument processing
+.IP "\fIconv\fR" 10
+.IX Item "conv"
+user conversation
+.IP "\fIedit\fR" 10
+.IX Item "edit"
+sudoedit
+.IP "\fIexec\fR" 10
+.IX Item "exec"
+command execution
+.IP "\fImain\fR" 10
+.IX Item "main"
+\&\fBsudo\fR main function
+.IP "\fInetif\fR" 10
+.IX Item "netif"
+network interface handling
+.IP "\fIpcomm\fR" 10
+.IX Item "pcomm"
+communication with the plugin
+.IP "\fIplugin\fR" 10
+.IX Item "plugin"
+plugin configuration
+.IP "\fIpty\fR" 10
+.IX Item "pty"
+pseudo-tty related code
+.IP "\fIselinux\fR" 10
+.IX Item "selinux"
+SELinux-specific handling
+.IP "\fIutil\fR" 10
+.IX Item "util"
+utility functions
+.IP "\fIutmp\fR" 10
+.IX Item "utmp"
+utmp handling
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
Upon successful execution of a program, the exit status from \fBsudo\fR
will simply be the exit status of the program that was executed.
.PP
-Otherwise, \fBsudo\fR quits with an exit value of 1 if there is a
+Otherwise, \fBsudo\fR exits with a value of 1 if there is a
configuration/permission problem or if \fBsudo\fR cannot execute the
given command. In the latter case the error string is printed to
-stderr. If \fBsudo\fR cannot \fIstat\fR\|(2) one or more entries in the user's
-\&\f(CW\*(C`PATH\*(C'\fR an error is printed on stderr. (If the directory does not
-exist or if it is not really a directory, the entry is ignored and
-no error is printed.) This should not happen under normal
-circumstances. The most common reason for \fIstat\fR\|(2) to return
-\&\*(L"permission denied\*(R" is if you are running an automounter and one
-of the directories in your \f(CW\*(C`PATH\*(C'\fR is on a machine that is currently
-unreachable.
+the standard error. If \fBsudo\fR cannot \fIstat\fR\|(2) one or more entries
+in the user's \f(CW\*(C`PATH\*(C'\fR, an error is printed on stderr. (If the
+directory does not exist or if it is not really a directory, the
+entry is ignored and no error is printed.) This should not happen
+under normal circumstances. The most common reason for \fIstat\fR\|(2)
+to return \*(L"permission denied\*(R" is if you are running an automounter
+and one of the directories in your \f(CW\*(C`PATH\*(C'\fR is on a machine that is
+currently unreachable.
.SH "SECURITY NOTES"
.IX Header "SECURITY NOTES"
\&\fBsudo\fR tries to be safe when executing external commands.
.PP
-There are two distinct ways to deal with environment variables.
-By default, the \fIenv_reset\fR \fIsudoers\fR option is enabled.
-This causes commands to be executed with a minimal environment
-containing \f(CW\*(C`TERM\*(C'\fR, \f(CW\*(C`PATH\*(C'\fR, \f(CW\*(C`HOME\*(C'\fR, \f(CW\*(C`SHELL\*(C'\fR, \f(CW\*(C`LOGNAME\*(C'\fR, \f(CW\*(C`USER\*(C'\fR
-and \f(CW\*(C`USERNAME\*(C'\fR in addition to variables from the invoking process
-permitted by the \fIenv_check\fR and \fIenv_keep\fR \fIsudoers\fR options.
-There is effectively a whitelist for environment variables.
-.PP
-If, however, the \fIenv_reset\fR option is disabled in \fIsudoers\fR, any
-variables not explicitly denied by the \fIenv_check\fR and \fIenv_delete\fR
-options are inherited from the invoking process. In this case,
-\&\fIenv_check\fR and \fIenv_delete\fR behave like a blacklist. Since it
-is not possible to blacklist all potentially dangerous environment
-variables, use of the default \fIenv_reset\fR behavior is encouraged.
-.PP
-In all cases, environment variables with a value beginning with
-\&\f(CW\*(C`()\*(C'\fR are removed as they could be interpreted as \fBbash\fR functions.
-The list of environment variables that \fBsudo\fR allows or denies is
-contained in the output of \f(CW\*(C`sudo \-V\*(C'\fR when run as root.
-.PP
-Note that the dynamic linker on most operating systems will remove
-variables that can control dynamic linking from the environment of
-setuid executables, including \fBsudo\fR. Depending on the operating
-system this may include \f(CW\*(C`_RLD*\*(C'\fR, \f(CW\*(C`DYLD_*\*(C'\fR, \f(CW\*(C`LD_*\*(C'\fR, \f(CW\*(C`LDR_*\*(C'\fR,
-\&\f(CW\*(C`LIBPATH\*(C'\fR, \f(CW\*(C`SHLIB_PATH\*(C'\fR, and others. These type of variables are
-removed from the environment before \fBsudo\fR even begins execution
-and, as such, it is not possible for \fBsudo\fR to preserve them.
-.PP
To prevent command spoofing, \fBsudo\fR checks \*(L".\*(R" and "" (both denoting
current directory) last when searching for a command in the user's
\&\s-1PATH\s0 (if one or both are in the \s-1PATH\s0). Note, however, that the
actual \f(CW\*(C`PATH\*(C'\fR environment variable is \fInot\fR modified and is passed
unchanged to the program that \fBsudo\fR executes.
.PP
-\&\fBsudo\fR will check the ownership of its timestamp directory
-(\fI/var/run/sudo\fR by default) and ignore the directory's contents if
-it is not owned by root or if it is writable by a user other than
-root. On systems that allow non-root users to give away files via
-\&\fIchown\fR\|(2), if the timestamp directory is located in a directory
-writable by anyone (e.g., \fI/tmp\fR), it is possible for a user to
-create the timestamp directory before \fBsudo\fR is run. However,
-because \fBsudo\fR checks the ownership and mode of the directory and
-its contents, the only damage that can be done is to \*(L"hide\*(R" files
-by putting them in the timestamp dir. This is unlikely to happen
-since once the timestamp dir is owned by root and inaccessible by
-any other user, the user placing files there would be unable to get
-them back out. To get around this issue you can use a directory
-that is not world-writable for the timestamps (\fI/var/adm/sudo\fR for
-instance) or create \fI/var/run/sudo\fR with the appropriate owner (root)
-and permissions (0700) in the system startup files.
-.PP
-\&\fBsudo\fR will not honor timestamps set far in the future.
-Timestamps with a date greater than current_time + 2 * \f(CW\*(C`TIMEOUT\*(C'\fR
-will be ignored and sudo will log and complain. This is done to
-keep a user from creating his/her own timestamp with a bogus
-date on systems that allow users to give away files.
-.PP
Please note that \fBsudo\fR will normally only log the command it
explicitly runs. If a user runs a command such as \f(CW\*(C`sudo su\*(C'\fR or
-\&\f(CW\*(C`sudo sh\*(C'\fR, subsequent commands run from that shell will \fInot\fR be
-logged, nor will \fBsudo\fR's access control affect them. The same
-is true for commands that offer shell escapes (including most
-editors). Because of this, care must be taken when giving users
-access to commands via \fBsudo\fR to verify that the command does not
-inadvertently give the user an effective root shell. For more
-information, please see the \f(CW\*(C`PREVENTING SHELL ESCAPES\*(C'\fR section in
-\&\fIsudoers\fR\|(5).
+\&\f(CW\*(C`sudo sh\*(C'\fR, subsequent commands run from that shell are not subject
+to \fBsudo\fR's security policy. The same is true for commands that
+offer shell escapes (including most editors). If I/O logging is
+enabled, subsequent commands will have their input and/or output
+logged, but there will not be traditional logs for those commands.
+Because of this, care must be taken when giving users access to
+commands via \fBsudo\fR to verify that the command does not inadvertently
+give the user an effective root shell. For more information, please
+see the \f(CW\*(C`PREVENTING SHELL ESCAPES\*(C'\fR section in \fIsudoers\fR\|(5).
+.PP
+To prevent the disclosure of potentially sensitive information,
+\&\fBsudo\fR disables core dumps by default while it is executing (they
+are re-enabled for the command that is run). To aid in debugging
+\&\fBsudo\fR crashes, you may wish to re-enable core dumps by setting
+\&\*(L"disable_coredump\*(R" to false in the \fI/etc/sudo.conf\fR file.
+.PP
+.Vb 1
+\& Set disable_coredump false
+.Ve
+.PP
+Note that by default, most operating systems disable core dumps
+from setuid programs, which includes \fBsudo\fR. To actually get a
+\&\fBsudo\fR core file you may need to enable core dumps for setuid
+processes. On \s-1BSD\s0 and Linux systems this is accomplished via the
+sysctl command, on Solaris the coreadm command can be used.
.SH "ENVIRONMENT"
.IX Header "ENVIRONMENT"
-\&\fBsudo\fR utilizes the following environment variables:
+\&\fBsudo\fR utilizes the following environment variables. The security
+policy has control over the content of the command's environment.
.ie n .IP "\*(C`EDITOR\*(C'" 16
.el .IP "\f(CW\*(C`EDITOR\*(C'\fR" 16
.IX Item "EDITOR"
Default editor to use in \fB\-e\fR (sudoedit) mode if neither \f(CW\*(C`SUDO_EDITOR\*(C'\fR
nor \f(CW\*(C`VISUAL\*(C'\fR is set
+.ie n .IP "\*(C`MAIL\*(C'" 16
+.el .IP "\f(CW\*(C`MAIL\*(C'\fR" 16
+.IX Item "MAIL"
+In \fB\-i\fR mode or when \fIenv_reset\fR is enabled in \fIsudoers\fR, set
+to the mail spool of the target user
.ie n .IP "\*(C`HOME\*(C'" 16
.el .IP "\f(CW\*(C`HOME\*(C'\fR" 16
.IX Item "HOME"
-In \fB\-s\fR or \fB\-H\fR mode (or if sudo was configured with the
-\&\-\-enable\-shell\-sets\-home option), set to homedir of the target user
+Set to the home directory of the target user if \fB\-i\fR or \fB\-H\fR are
+specified, \fIenv_reset\fR or \fIalways_set_home\fR are set in \fIsudoers\fR,
+or when the \fB\-s\fR option is specified and \fIset_home\fR is set in
+\&\fIsudoers\fR
.ie n .IP "\*(C`PATH\*(C'" 16
.el .IP "\f(CW\*(C`PATH\*(C'\fR" 16
.IX Item "PATH"
-Set to a sane value if the \fIsecure_path\fR sudoers option is set.
+May be overridden by the security policy.
.ie n .IP "\*(C`SHELL\*(C'" 16
.el .IP "\f(CW\*(C`SHELL\*(C'\fR" 16
.IX Item "SHELL"
is not set
.SH "FILES"
.IX Header "FILES"
-.ie n .IP "\fI/etc/sudoers\fR" 24
-.el .IP "\fI/etc/sudoers\fR" 24
-.IX Item "/etc/sudoers"
-List of who can run what
-.ie n .IP "\fI/var/run/sudo\fR" 24
-.el .IP "\fI/var/run/sudo\fR" 24
-.IX Item "/var/run/sudo"
-Directory containing timestamps
-.IP "\fI/etc/environment\fR" 24
-.IX Item "/etc/environment"
-Initial environment for \fB\-i\fR mode on Linux and \s-1AIX\s0
+.ie n .IP "\fI/etc/sudo.conf\fR" 24
+.el .IP "\fI/etc/sudo.conf\fR" 24
+.IX Item "/etc/sudo.conf"
+\&\fBsudo\fR front end configuration
.SH "EXAMPLES"
.IX Header "EXAMPLES"
-Note: the following examples assume suitable \fIsudoers\fR\|(5) entries.
+Note: the following examples assume a properly configured security policy.
.PP
To get a file listing of an unreadable directory:
.PP
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fIgrep\fR\|(1), \fIsu\fR\|(1), \fIstat\fR\|(2),
-.\" \&\fIlogin_cap\fR\|(3),
-\&\fIpasswd\fR\|(5), \fIsudoers\fR\|(5), \fIvisudo\fR\|(8)
+.if \n(LC \&\fIlogin_cap\fR\|(3),
+\&\fIpasswd\fR\|(5), \fIsudoers\fR\|(5), \fIsudo_plugin\fR\|(8), \fIsudoreplay\fR\|(8), \fIvisudo\fR\|(8)
.SH "AUTHORS"
.IX Header "AUTHORS"
Many people have worked on \fBsudo\fR over the years; this
\& Todd C. Miller
.Ve
.PP
-See the \s-1HISTORY\s0 file in the \fBsudo\fR distribution or visit
-http://www.sudo.ws/sudo/history.html for a short history
-of \fBsudo\fR.
+See the \s-1CONTRIBUTORS\s0 file in the \fBsudo\fR distribution
+(http://www.sudo.ws/sudo/contributors.html) for a list of people
+who have contributed to \fBsudo\fR.
+.SH "HISTORY"
+.IX Header "HISTORY"
+See the \s-1HISTORY\s0 file in the \fBsudo\fR distribution
+(http://www.sudo.ws/sudo/history.html) for a brief history of sudo.
.SH "CAVEATS"
.IX Header "CAVEATS"
There is no easy way to prevent a user from gaining a root shell
if that user is allowed to run arbitrary commands via \fBsudo\fR.
Also, many programs (such as editors) allow the user to run commands
via shell escapes, thus avoiding \fBsudo\fR's checks. However, on
-most systems it is possible to prevent shell escapes with \fBsudo\fR's
-\&\fInoexec\fR functionality. See the \fIsudoers\fR\|(5) manual
-for details.
+most systems it is possible to prevent shell escapes with the
+\&\fIsudoers\fR\|(5) module's \fInoexec\fR functionality.
.PP
It is not meaningful to run the \f(CW\*(C`cd\*(C'\fR command directly via sudo, e.g.,
.PP
since when the command exits the parent process (your shell) will
still be the same. Please see the \s-1EXAMPLES\s0 section for more information.
.PP
-If users have sudo \f(CW\*(C`ALL\*(C'\fR there is nothing to prevent them from
-creating their own program that gives them a root shell regardless
-of any '!' elements in the user specification.
-.PP
Running shell scripts via \fBsudo\fR can expose the same kernel bugs that
make setuid shell scripts unsafe on some operating systems (if your \s-1OS\s0
has a /dev/fd/ directory, setuid shell scripts are generally safe).
--- /dev/null
+.\" Copyright (c) 2009-2012 Todd C. Miller <Todd.Miller@courtesan.com>
+.\"
+.\" Permission to use, copy, modify, and distribute this software for any
+.\" purpose with or without fee is hereby granted, provided that the above
+.\" copyright notice and this permission notice appear in all copies.
+.\"
+.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+.\" ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+.\"
+.\" Automatically generated by Pod::Man 2.23 (Pod::Simple 3.14)
+.\"
+.\" Standard preamble:
+.\" ========================================================================
+.de Sp \" Vertical space (when we can't use .PP)
+.if t .sp .5v
+.if n .sp
+..
+.de Vb \" Begin verbatim text
+.ft CW
+.nf
+.ne \\$1
+..
+.de Ve \" End verbatim text
+.ft R
+.fi
+..
+.\" Set up some character translations and predefined strings. \*(-- will
+.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
+.\" double quote, and \*(R" will give a right double quote. \*(C+ will
+.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
+.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
+.\" nothing in troff, for use with C<>.
+.tr \(*W-
+.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.ie n \{\
+. ds -- \(*W-
+. ds PI pi
+. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
+. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
+. ds L" ""
+. ds R" ""
+. ds C`
+. ds C'
+'br\}
+.el\{\
+. ds -- \|\(em\|
+. ds PI \(*p
+. ds L" ``
+. ds R" ''
+'br\}
+.\"
+.\" Escape single quotes in literal strings from groff's Unicode transform.
+.ie \n(.g .ds Aq \(aq
+.el .ds Aq '
+.\"
+.\" If the F register is turned on, we'll generate index entries on stderr for
+.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
+.\" entries marked with X<> in POD. Of course, you'll have to process the
+.\" output yourself in some meaningful fashion.
+.ie \nF \{\
+. de IX
+. tm Index:\\$1\t\\n%\t"\\$2"
+..
+. nr % 0
+. rr F
+.\}
+.el \{\
+. de IX
+..
+.\}
+.\"
+.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
+.\" Fear. Run. Save yourself. No user-serviceable parts.
+. \" fudge factors for nroff and troff
+.if n \{\
+. ds #H 0
+. ds #V .8m
+. ds #F .3m
+. ds #[ \f1
+. ds #] \fP
+.\}
+.if t \{\
+. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
+. ds #V .6m
+. ds #F 0
+. ds #[ \&
+. ds #] \&
+.\}
+. \" simple accents for nroff and troff
+.if n \{\
+. ds ' \&
+. ds ` \&
+. ds ^ \&
+. ds , \&
+. ds ~ ~
+. ds /
+.\}
+.if t \{\
+. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
+. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
+. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
+. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
+. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
+. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
+.\}
+. \" troff and (daisy-wheel) nroff accents
+.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
+.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
+.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
+.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
+.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
+.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
+.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
+.ds ae a\h'-(\w'a'u*4/10)'e
+.ds Ae A\h'-(\w'A'u*4/10)'E
+. \" corrections for vroff
+.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
+.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
+. \" for low resolution devices (crt and lpr)
+.if \n(.H>23 .if \n(.V>19 \
+\{\
+. ds : e
+. ds 8 ss
+. ds o a
+. ds d- d\h'-1'\(ga
+. ds D- D\h'-1'\(hy
+. ds th \o'bp'
+. ds Th \o'LP'
+. ds ae ae
+. ds Ae AE
+.\}
+.rm #[ #] #H #V #F C
+.\" ========================================================================
+.\"
+.IX Title "SUDO_PLUGIN 8"
+.TH SUDO_PLUGIN 8 "January 6, 2012" "1.8.4" "MAINTENANCE COMMANDS"
+.\" For nroff, turn off justification. Always turn off hyphenation; it makes
+.\" way too many mistakes in technical documents.
+.if n .ad l
+.nh
+.SH "NAME"
+sudo_plugin \- Sudo Plugin API
+.SH "DESCRIPTION"
+.IX Header "DESCRIPTION"
+Starting with version 1.8, \fBsudo\fR supports a plugin \s-1API\s0
+for policy and session logging. By default, the \fIsudoers\fR policy
+plugin and an associated I/O logging plugin are used. Via the plugin
+\&\s-1API\s0, \fBsudo\fR can be configured to use alternate policy and/or I/O
+logging plugins provided by third parties. The plugins to be used
+are specified via the \fI/etc/sudo.conf\fR file.
+.PP
+The \s-1API\s0 is versioned with a major and minor number. The minor
+version number is incremented when additions are made. The major
+number is incremented when incompatible changes are made. A plugin
+should be check the version passed to it and make sure that the
+major version matches.
+.PP
+The plugin \s-1API\s0 is defined by the \f(CW\*(C`sudo_plugin.h\*(C'\fR header file.
+.SS "The sudo.conf File"
+.IX Subsection "The sudo.conf File"
+The \fI/etc/sudo.conf\fR file contains plugin configuration directives.
+Currently, the only supported keyword is the \f(CW\*(C`Plugin\*(C'\fR directive,
+which causes a plugin plugin to be loaded.
+.PP
+A \f(CW\*(C`Plugin\*(C'\fR line consists of the \f(CW\*(C`Plugin\*(C'\fR keyword, followed by the
+\&\fIsymbol_name\fR and the \fIpath\fR to the shared object containing the
+plugin. The \fIsymbol_name\fR is the name of the \f(CW\*(C`struct policy_plugin\*(C'\fR
+or \f(CW\*(C`struct io_plugin\*(C'\fR in the plugin shared object. The \fIpath\fR
+may be fully qualified or relative. If not fully qualified it is
+relative to the \fI/usr/local/libexec\fR directory. Any additional
+parameters after the \fIpath\fR are ignored. Lines that don't begin
+with \f(CW\*(C`Plugin\*(C'\fR or \f(CW\*(C`Path\*(C'\fR are silently ignored.
+.PP
+The same shared object may contain multiple plugins, each with a
+different symbol name. The shared object file must be owned by uid
+0 and only writable by its owner. Because of ambiguities that arise
+from composite policies, only a single policy plugin may be specified.
+This limitation does not apply to I/O plugins.
+.PP
+.Vb 10
+\& #
+\& # Default /etc/sudo.conf file
+\& #
+\& # Format:
+\& # Plugin plugin_name plugin_path
+\& # Path askpass /path/to/askpass
+\& #
+\& # The plugin_path is relative to /usr/local/libexec unless
+\& # fully qualified.
+\& # The plugin_name corresponds to a global symbol in the plugin
+\& # that contains the plugin interface structure.
+\& #
+\& Plugin sudoers_policy sudoers.so
+\& Plugin sudoers_io sudoers.so
+.Ve
+.SS "Policy Plugin \s-1API\s0"
+.IX Subsection "Policy Plugin API"
+A policy plugin must declare and populate a \f(CW\*(C`policy_plugin\*(C'\fR struct
+in the global scope. This structure contains pointers to the functions
+that implement the \fBsudo\fR policy checks. The name of the symbol should
+be specified in \fI/etc/sudo.conf\fR along with a path to the plugin
+so that \fBsudo\fR can load it.
+.PP
+.Vb 10
+\& struct policy_plugin {
+\& #define SUDO_POLICY_PLUGIN 1
+\& unsigned int type; /* always SUDO_POLICY_PLUGIN */
+\& unsigned int version; /* always SUDO_API_VERSION */
+\& int (*open)(unsigned int version, sudo_conv_t conversation,
+\& sudo_printf_t plugin_printf, char * const settings[],
+\& char * const user_info[], char * const user_env[]);
+\& void (*close)(int exit_status, int error);
+\& int (*show_version)(int verbose);
+\& int (*check_policy)(int argc, char * const argv[],
+\& char *env_add[], char **command_info[],
+\& char **argv_out[], char **user_env_out[]);
+\& int (*list)(int argc, char * const argv[], int verbose,
+\& const char *list_user);
+\& int (*validate)(void);
+\& void (*invalidate)(int remove);
+\& int (*init_session)(struct passwd *pwd);
+\& };
+.Ve
+.PP
+The policy_plugin struct has the following fields:
+.IP "type" 4
+.IX Item "type"
+The \f(CW\*(C`type\*(C'\fR field should always be set to \s-1SUDO_POLICY_PLUGIN\s0.
+.IP "version" 4
+.IX Item "version"
+The \f(CW\*(C`version\*(C'\fR field should be set to \s-1SUDO_API_VERSION\s0.
+.Sp
+This allows \fBsudo\fR to determine the \s-1API\s0 version the plugin was
+built against.
+.IP "open" 4
+.IX Item "open"
+.Vb 3
+\& int (*open)(unsigned int version, sudo_conv_t conversation,
+\& sudo_printf_t plugin_printf, char * const settings[],
+\& char * const user_info[], char * const user_env[]);
+.Ve
+.Sp
+Returns 1 on success, 0 on failure, \-1 if a general error occurred,
+or \-2 if there was a usage error. In the latter case, \fBsudo\fR will
+print a usage message before it exits. If an error occurs, the
+plugin may optionally call the conversation or plugin_printf function
+with \f(CW\*(C`SUDO_CONF_ERROR_MSG\*(C'\fR to present additional error information
+to the user.
+.Sp
+The function arguments are as follows:
+.RS 4
+.IP "version" 4
+.IX Item "version"
+The version passed in by \fBsudo\fR allows the plugin to determine the
+major and minor version number of the plugin \s-1API\s0 supported by
+\&\fBsudo\fR.
+.IP "conversation" 4
+.IX Item "conversation"
+A pointer to the conversation function that can be used by the
+plugin to interact with the user (see below).
+Returns 0 on success and \-1 on failure.
+.IP "plugin_printf" 4
+.IX Item "plugin_printf"
+A pointer to a printf-style function that may be used to display
+informational or error messages (see below).
+Returns the number of characters printed on success and \-1 on failure.
+.IP "settings" 4
+.IX Item "settings"
+A vector of user-supplied \fBsudo\fR settings in the form of \*(L"name=value\*(R"
+strings. The vector is terminated by a \f(CW\*(C`NULL\*(C'\fR pointer. These
+settings correspond to flags the user specified when running \fBsudo\fR.
+As such, they will only be present when the corresponding flag has
+been specified on the command line.
+.Sp
+When parsing \fIsettings\fR, the plugin should split on the \fBfirst\fR
+equal sign ('=') since the \fIname\fR field will never include one
+itself but the \fIvalue\fR might.
+.RS 4
+.IP "debug_flags=string" 4
+.IX Item "debug_flags=string"
+A comma-separated list of debug flags that correspond to \fBsudo\fR's
+\&\f(CW\*(C`Debug\*(C'\fR entry in \fI/etc/sudo.conf\fR, if there is one. The
+flags are passed to the plugin as they appear in \fI/etc/sudo.conf\fR.
+The syntax used by \fBsudo\fR and the \fIsudoers\fR plugin is
+\&\fIsubsystem\fR@\fIpriority\fR but the plugin is free to use a different
+format so long as it does not include a command \f(CW\*(C`,\*(C'\fR.
+.Sp
+For reference, the priorities supported by the \fBsudo\fR front end and
+\&\fIsudoers\fR are: \fIcrit\fR, \fIerr\fR, \fIwarn\fR, \fInotice\fR, \fIdiag\fR,
+\&\fIinfo\fR, \fItrace\fR and \fIdebug\fR.
+.Sp
+The following subsystems are defined: \fImain\fR, \fImemory\fR, \fIargs\fR,
+\&\fIexec\fR, \fIpty\fR, \fIutmp\fR, \fIconv\fR, \fIpcomm\fR, \fIutil\fR, \fIlist\fR,
+\&\fInetif\fR, \fIaudit\fR, \fIedit\fR, \fIselinux\fR, \fIldap\fR, \fImatch\fR, \fIparser\fR,
+\&\fIalias\fR, \fIdefaults\fR, \fIauth\fR, \fIenv\fR, \fIlogging\fR, \fInss\fR, \fIrbtree\fR,
+\&\fIperms\fR, \fIplugin\fR. The subsystem \fIall\fR includes every subsystem.
+.Sp
+There is not currently a way to specify a set of debug flags specific
+to the plugin\*(--the flags are shared by \fBsudo\fR and the plugin.
+.IP "debug_level=number" 4
+.IX Item "debug_level=number"
+This setting has been deprecated in favor of \fIdebug_flags\fR.
+.IP "runas_user=string" 4
+.IX Item "runas_user=string"
+The user name or uid to to run the command as, if specified via the
+\&\f(CW\*(C`\-u\*(C'\fR flag.
+.IP "runas_group=string" 4
+.IX Item "runas_group=string"
+The group name or gid to to run the command as, if specified via
+the \f(CW\*(C`\-g\*(C'\fR flag.
+.IP "prompt=string" 4
+.IX Item "prompt=string"
+The prompt to use when requesting a password, if specified via
+the \f(CW\*(C`\-p\*(C'\fR flag.
+.IP "set_home=bool" 4
+.IX Item "set_home=bool"
+Set to true if the user specified the \f(CW\*(C`\-H\*(C'\fR flag. If true, set the
+\&\f(CW\*(C`HOME\*(C'\fR environment variable to the target user's home directory.
+.IP "preserve_environment=bool" 4
+.IX Item "preserve_environment=bool"
+Set to true if the user specified the \f(CW\*(C`\-E\*(C'\fR flag, indicating that
+the user wishes to preserve the environment.
+.IP "run_shell=bool" 4
+.IX Item "run_shell=bool"
+Set to true if the user specified the \f(CW\*(C`\-s\*(C'\fR flag, indicating that
+the user wishes to run a shell.
+.IP "login_shell=bool" 4
+.IX Item "login_shell=bool"
+Set to true if the user specified the \f(CW\*(C`\-i\*(C'\fR flag, indicating that
+the user wishes to run a login shell.
+.IP "implied_shell=bool" 4
+.IX Item "implied_shell=bool"
+If the user does not specify a program on the command line, \fBsudo\fR
+will pass the plugin the path to the user's shell and set
+\&\fIimplied_shell\fR to true. This allows \fBsudo\fR with no arguments
+to be used similarly to \fIsu\fR\|(1). If the plugin does not to support
+this usage, it may return a value of \-2 from the \f(CW\*(C`check_policy\*(C'\fR
+function, which will cause \fBsudo\fR to print a usage message and
+exit.
+.IP "preserve_groups=bool" 4
+.IX Item "preserve_groups=bool"
+Set to true if the user specified the \f(CW\*(C`\-P\*(C'\fR flag, indicating that
+the user wishes to preserve the group vector instead of setting it
+based on the runas user.
+.IP "ignore_ticket=bool" 4
+.IX Item "ignore_ticket=bool"
+Set to true if the user specified the \f(CW\*(C`\-k\*(C'\fR flag along with a
+command, indicating that the user wishes to ignore any cached
+authentication credentials.
+.IP "noninteractive=bool" 4
+.IX Item "noninteractive=bool"
+Set to true if the user specified the \f(CW\*(C`\-n\*(C'\fR flag, indicating that
+\&\fBsudo\fR should operate in non-interactive mode. The plugin may
+reject a command run in non-interactive mode if user interaction
+is required.
+.IP "login_class=string" 4
+.IX Item "login_class=string"
+\&\s-1BSD\s0 login class to use when setting resource limits and nice value,
+if specified by the \f(CW\*(C`\-c\*(C'\fR flag.
+.IP "selinux_role=string" 4
+.IX Item "selinux_role=string"
+SELinux role to use when executing the command, if specified by
+the \f(CW\*(C`\-r\*(C'\fR flag.
+.IP "selinux_type=string" 4
+.IX Item "selinux_type=string"
+SELinux type to use when executing the command, if specified by
+the \f(CW\*(C`\-t\*(C'\fR flag.
+.IP "bsdauth_type=string" 4
+.IX Item "bsdauth_type=string"
+Authentication type, if specified by the \f(CW\*(C`\-a\*(C'\fR flag, to use on
+systems where \s-1BSD\s0 authentication is supported.
+.IP "network_addrs=list" 4
+.IX Item "network_addrs=list"
+A space-separated list of \s-1IP\s0 network addresses and netmasks in the
+form \*(L"addr/netmask\*(R", e.g. \*(L"192.168.1.2/255.255.255.0\*(R". The address
+and netmask pairs may be either IPv4 or IPv6, depending on what the
+operating system supports. If the address contains a colon (':'),
+it is an IPv6 address, else it is IPv4.
+.IP "progname=string" 4
+.IX Item "progname=string"
+The command name that sudo was run as, typically \*(L"sudo\*(R" or \*(L"sudoedit\*(R".
+.IP "sudoedit=bool" 4
+.IX Item "sudoedit=bool"
+Set to true when the \f(CW\*(C`\-e\*(C'\fR flag is is specified or if invoked as
+\&\fBsudoedit\fR. The plugin shall substitute an editor into \fIargv\fR
+in the \fIcheck_policy\fR function or return \f(CW\*(C`\-2\*(C'\fR with a usage error
+if the plugin does not support \fIsudoedit\fR. For more information,
+see the \fIcheck_policy\fR section.
+.IP "closefrom=number" 4
+.IX Item "closefrom=number"
+If specified, the user has requested via the \f(CW\*(C`\-C\*(C'\fR flag that \fBsudo\fR
+close all files descriptors with a value of \fInumber\fR or higher.
+The plugin may optionally pass this, or another value, back in the
+\&\fIcommand_info\fR list.
+.RE
+.RS 4
+.Sp
+Additional settings may be added in the future so the plugin should
+silently ignore settings that it does not recognize.
+.RE
+.IP "user_info" 4
+.IX Item "user_info"
+A vector of information about the user running the command in the form of
+\&\*(L"name=value\*(R" strings. The vector is terminated by a \f(CW\*(C`NULL\*(C'\fR pointer.
+.Sp
+When parsing \fIuser_info\fR, the plugin should split on the \fBfirst\fR
+equal sign ('=') since the \fIname\fR field will never include one
+itself but the \fIvalue\fR might.
+.RS 4
+.IP "user=string" 4
+.IX Item "user=string"
+The name of the user invoking \fBsudo\fR.
+.IP "uid=uid_t" 4
+.IX Item "uid=uid_t"
+The real user \s-1ID\s0 of the user invoking \fBsudo\fR.
+.IP "gid=gid_t" 4
+.IX Item "gid=gid_t"
+The real group \s-1ID\s0 of the user invoking \fBsudo\fR.
+.IP "groups=list" 4
+.IX Item "groups=list"
+The user's supplementary group list formatted as a string of
+comma-separated group IDs.
+.IP "cwd=string" 4
+.IX Item "cwd=string"
+The user's current working directory.
+.IP "tty=string" 4
+.IX Item "tty=string"
+The path to the user's terminal device. If the user has no terminal
+device associated with the session, the value will be empty, as in
+\&\f(CW\*(C`tty=\*(C'\fR.
+.IP "host=string" 4
+.IX Item "host=string"
+The local machine's hostname as returned by the \f(CW\*(C`gethostname()\*(C'\fR
+system call.
+.IP "lines=int" 4
+.IX Item "lines=int"
+The number of lines the user's terminal supports. If there is
+no terminal device available, a default value of 24 is used.
+.IP "cols=int" 4
+.IX Item "cols=int"
+The number of columns the user's terminal supports. If there is
+no terminal device available, a default value of 80 is used.
+.RE
+.RS 4
+.RE
+.IP "user_env" 4
+.IX Item "user_env"
+The user's environment in the form of a \f(CW\*(C`NULL\*(C'\fR\-terminated vector of
+\&\*(L"name=value\*(R" strings.
+.Sp
+When parsing \fIuser_env\fR, the plugin should split on the \fBfirst\fR
+equal sign ('=') since the \fIname\fR field will never include one
+itself but the \fIvalue\fR might.
+.RE
+.RS 4
+.RE
+.IP "close" 4
+.IX Item "close"
+.Vb 1
+\& void (*close)(int exit_status, int error);
+.Ve
+.Sp
+The \f(CW\*(C`close\*(C'\fR function is called when the command being run by \fBsudo\fR
+finishes.
+.Sp
+The function arguments are as follows:
+.RS 4
+.IP "exit_status" 4
+.IX Item "exit_status"
+The command's exit status, as returned by the \fIwait\fR\|(2) system call.
+The value of \f(CW\*(C`exit_status\*(C'\fR is undefined if \f(CW\*(C`error\*(C'\fR is non-zero.
+.IP "error" 4
+.IX Item "error"
+If the command could not be executed, this is set to the value of
+\&\f(CW\*(C`errno\*(C'\fR set by the \fIexecve\fR\|(2) system call. The plugin is responsible
+for displaying error information via the conversation or plugin_printf
+function. If the command was successfully executed, the value of
+\&\f(CW\*(C`error\*(C'\fR is 0.
+.RE
+.RS 4
+.RE
+.IP "show_version" 4
+.IX Item "show_version"
+.Vb 1
+\& int (*show_version)(int verbose);
+.Ve
+.Sp
+The \f(CW\*(C`show_version\*(C'\fR function is called by \fBsudo\fR when the user specifies
+the \f(CW\*(C`\-V\*(C'\fR option. The plugin may display its version information
+to the user via the conversation or plugin_printf function using
+\&\f(CW\*(C`SUDO_CONV_INFO_MSG\*(C'\fR. If the user requests detailed version
+information, the verbose flag will be set.
+.IP "check_policy" 4
+.IX Item "check_policy"
+.Vb 3
+\& int (*check_policy)(int argc, char * const argv[]
+\& char *env_add[], char **command_info[],
+\& char **argv_out[], char **user_env_out[]);
+.Ve
+.Sp
+The \fIcheck_policy\fR function is called by \fBsudo\fR to determine
+whether the user is allowed to run the specified commands.
+.Sp
+If the \fIsudoedit\fR option was enabled in the \fIsettings\fR array
+passed to the \fIopen\fR function, the user has requested \fIsudoedit\fR
+mode. \fIsudoedit\fR is a mechanism for editing one or more files
+where an editor is run with the user's credentials instead of with
+elevated privileges. \fBsudo\fR achieves this by creating user-writable
+temporary copies of the files to be edited and then overwriting the
+originals with the temporary copies after editing is complete. If
+the plugin supports \fBsudoedit\fR, it should choose the editor to be
+used, potentially from a variable in the user's environment, such
+as \f(CW\*(C`EDITOR\*(C'\fR, and include it in \fIargv_out\fR (note that environment
+variables may include command line flags). The files to be edited
+should be copied from \fIargv\fR into \fIargv_out\fR, separated from the
+editor and its arguments by a \f(CW"\-\-"\fR element. The \f(CW"\-\-"\fR will
+be removed by \fBsudo\fR before the editor is executed. The plugin
+should also set \fIsudoedit=true\fR in the \fIcommand_info\fR list.
+.Sp
+The \fIcheck_policy\fR function returns 1 if the command is allowed,
+0 if not allowed, \-1 for a general error, or \-2 for a usage error
+or if \fBsudoedit\fR was specified but is unsupported by the plugin.
+In the latter case, \fBsudo\fR will print a usage message before it
+exits. If an error occurs, the plugin may optionally call the
+conversation or plugin_printf function with \f(CW\*(C`SUDO_CONF_ERROR_MSG\*(C'\fR
+to present additional error information to the user.
+.Sp
+The function arguments are as follows:
+.RS 4
+.IP "argc" 4
+.IX Item "argc"
+The number of elements in \fIargv\fR, not counting the final \f(CW\*(C`NULL\*(C'\fR
+pointer.
+.IP "argv" 4
+.IX Item "argv"
+The argument vector describing the command the user wishes to run,
+in the same form as what would be passed to the \fIexecve()\fR system
+call. The vector is terminated by a \f(CW\*(C`NULL\*(C'\fR pointer.
+.IP "env_add" 4
+.IX Item "env_add"
+Additional environment variables specified by the user on the command
+line in the form of a \f(CW\*(C`NULL\*(C'\fR\-terminated vector of \*(L"name=value\*(R"
+strings. The plugin may reject the command if one or more variables
+are not allowed to be set, or it may silently ignore such variables.
+.Sp
+When parsing \fIenv_add\fR, the plugin should split on the \fBfirst\fR
+equal sign ('=') since the \fIname\fR field will never include one
+itself but the \fIvalue\fR might.
+.IP "command_info" 4
+.IX Item "command_info"
+Information about the command being run in the form of \*(L"name=value\*(R"
+strings. These values are used by \fBsudo\fR to set the execution
+environment when running a command. The plugin is responsible for
+creating and populating the vector, which must be terminated with
+a \f(CW\*(C`NULL\*(C'\fR pointer. The following values are recognized by \fBsudo\fR:
+.RS 4
+.IP "command=string" 4
+.IX Item "command=string"
+Fully qualified path to the command to be executed.
+.IP "runas_uid=uid" 4
+.IX Item "runas_uid=uid"
+User \s-1ID\s0 to run the command as.
+.IP "runas_euid=uid" 4
+.IX Item "runas_euid=uid"
+Effective user \s-1ID\s0 to run the command as.
+If not specified, the value of \fIrunas_uid\fR is used.
+.IP "runas_gid=gid" 4
+.IX Item "runas_gid=gid"
+Group \s-1ID\s0 to run the command as.
+.IP "runas_egid=gid" 4
+.IX Item "runas_egid=gid"
+Effective group \s-1ID\s0 to run the command as.
+If not specified, the value of \fIrunas_gid\fR is used.
+.IP "runas_groups=list" 4
+.IX Item "runas_groups=list"
+The supplementary group vector to use for the command in the form
+of a comma-separated list of group IDs. If \fIpreserve_groups\fR
+is set, this option is ignored.
+.IP "login_class=string" 4
+.IX Item "login_class=string"
+\&\s-1BSD\s0 login class to use when setting resource limits and nice value
+(optional). This option is only set on systems that support login
+classes.
+.IP "preserve_groups=bool" 4
+.IX Item "preserve_groups=bool"
+If set, \fBsudo\fR will preserve the user's group vector instead of
+initializing the group vector based on \f(CW\*(C`runas_user\*(C'\fR.
+.IP "cwd=string" 4
+.IX Item "cwd=string"
+The current working directory to change to when executing the command.
+.IP "noexec=bool" 4
+.IX Item "noexec=bool"
+If set, prevent the command from executing other programs.
+.IP "chroot=string" 4
+.IX Item "chroot=string"
+The root directory to use when running the command.
+.IP "nice=int" 4
+.IX Item "nice=int"
+Nice value (priority) to use when executing the command. The nice
+value, if specified, overrides the priority associated with the
+\&\fIlogin_class\fR on \s-1BSD\s0 systems.
+.IP "umask=octal" 4
+.IX Item "umask=octal"
+The file creation mask to use when executing the command.
+.IP "selinux_role=string" 4
+.IX Item "selinux_role=string"
+SELinux role to use when executing the command.
+.IP "selinux_type=string" 4
+.IX Item "selinux_type=string"
+SELinux type to use when executing the command.
+.IP "timeout=int" 4
+.IX Item "timeout=int"
+Command timeout. If non-zero then when the timeout expires the
+command will be killed.
+.IP "sudoedit=bool" 4
+.IX Item "sudoedit=bool"
+Set to true when in \fIsudoedit\fR mode. The plugin may enable
+\&\fIsudoedit\fR mode even if \fBsudo\fR was not invoked as \fBsudoedit\fR.
+This allows the plugin to perform command substitution and transparently
+enable \fIsudoedit\fR when the user attempts to run an editor.
+.IP "closefrom=number" 4
+.IX Item "closefrom=number"
+If specified, \fBsudo\fR will close all files descriptors with a value
+of \fInumber\fR or higher.
+.IP "iolog_compress=bool" 4
+.IX Item "iolog_compress=bool"
+Set to true if the I/O logging plugins, if any, should compress the
+log data. This is a hint to the I/O logging plugin which may choose
+to ignore it.
+.IP "iolog_path=string" 4
+.IX Item "iolog_path=string"
+Fully qualified path to the file or directory in which I/O log is
+to be stored. This is a hint to the I/O logging plugin which may
+choose to ignore it. If no I/O logging plugin is loaded, this
+setting has no effect.
+.IP "iolog_stdin=bool" 4
+.IX Item "iolog_stdin=bool"
+Set to true if the I/O logging plugins, if any, should log the
+standard input if it is not connected to a terminal device. This
+is a hint to the I/O logging plugin which may choose to ignore it.
+.IP "iolog_stdout=bool" 4
+.IX Item "iolog_stdout=bool"
+Set to true if the I/O logging plugins, if any, should log the
+standard output if it is not connected to a terminal device. This
+is a hint to the I/O logging plugin which may choose to ignore it.
+.IP "iolog_stderr=bool" 4
+.IX Item "iolog_stderr=bool"
+Set to true if the I/O logging plugins, if any, should log the
+standard error if it is not connected to a terminal device. This
+is a hint to the I/O logging plugin which may choose to ignore it.
+.IP "iolog_ttyin=bool" 4
+.IX Item "iolog_ttyin=bool"
+Set to true if the I/O logging plugins, if any, should log all
+terminal input. This only includes input typed by the user and not
+from a pipe or redirected from a file. This is a hint to the I/O
+logging plugin which may choose to ignore it.
+.IP "iolog_ttyout=bool" 4
+.IX Item "iolog_ttyout=bool"
+Set to true if the I/O logging plugins, if any, should log all
+terminal output. This only includes output to the screen, not
+output to a pipe or file. This is a hint to the I/O logging plugin
+which may choose to ignore it.
+.IP "use_pty=bool" 4
+.IX Item "use_pty=bool"
+Allocate a pseudo-tty to run the command in, regardless of whether
+or not I/O logging is in use. By default, \fBsudo\fR will only run
+the command in a pty when an I/O log plugin is loaded.
+.IP "set_utmp=bool" 4
+.IX Item "set_utmp=bool"
+Create a utmp (or utmpx) entry when a pseudo-tty is allocated. By
+default, the new entry will be a copy of the user's existing utmp
+entry (if any), with the tty, time, type and pid fields updated.
+.IP "utmp_user=string" 4
+.IX Item "utmp_user=string"
+User name to use when constructing a new utmp (or utmpx) entry when
+\&\fIset_utmp\fR is enabled. This option can be used to set the user
+field in the utmp entry to the user the command runs as rather than
+the invoking user. If not set, \fBsudo\fR will base the new entry on
+the invoking user's existing entry.
+.RE
+.RS 4
+.Sp
+Unsupported values will be ignored.
+.RE
+.IP "argv_out" 4
+.IX Item "argv_out"
+The \f(CW\*(C`NULL\*(C'\fR\-terminated argument vector to pass to the \fIexecve()\fR
+system call when executing the command. The plugin is responsible
+for allocating and populating the vector.
+.IP "user_env_out" 4
+.IX Item "user_env_out"
+The \f(CW\*(C`NULL\*(C'\fR\-terminated environment vector to use when executing the
+command. The plugin is responsible for allocating and populating
+the vector.
+.RE
+.RS 4
+.RE
+.IP "list" 4
+.IX Item "list"
+.Vb 2
+\& int (*list)(int verbose, const char *list_user,
+\& int argc, char * const argv[]);
+.Ve
+.Sp
+List available privileges for the invoking user. Returns 1 on
+success, 0 on failure and \-1 on error. On error, the plugin may
+optionally call the conversation or plugin_printf function with
+\&\f(CW\*(C`SUDO_CONF_ERROR_MSG\*(C'\fR to present additional error information to
+the user.
+.Sp
+Privileges should be output via the conversation or plugin_printf
+function using \f(CW\*(C`SUDO_CONV_INFO_MSG\*(C'\fR.
+.RS 4
+.IP "verbose" 4
+.IX Item "verbose"
+Flag indicating whether to list in verbose mode or not.
+.IP "list_user" 4
+.IX Item "list_user"
+The name of a different user to list privileges for if the policy
+allows it. If \f(CW\*(C`NULL\*(C'\fR, the plugin should list the privileges of
+the invoking user.
+.IP "argc" 4
+.IX Item "argc"
+The number of elements in \fIargv\fR, not counting the final \f(CW\*(C`NULL\*(C'\fR
+pointer.
+.IP "argv" 4
+.IX Item "argv"
+If non\-\f(CW\*(C`NULL\*(C'\fR, an argument vector describing a command the user
+wishes to check against the policy in the same form as what would
+be passed to the \fIexecve()\fR system call. If the command is permitted
+by the policy, the fully-qualified path to the command should be
+displayed along with any command line arguments.
+.RE
+.RS 4
+.RE
+.IP "validate" 4
+.IX Item "validate"
+.Vb 1
+\& int (*validate)(void);
+.Ve
+.Sp
+The \f(CW\*(C`validate\*(C'\fR function is called when \fBsudo\fR is run with the
+\&\f(CW\*(C`\-v\*(C'\fR flag. For policy plugins such as \fIsudoers\fR that cache
+authentication credentials, this function will validate and cache
+the credentials.
+.Sp
+The \f(CW\*(C`validate\*(C'\fR function should be \f(CW\*(C`NULL\*(C'\fR if the plugin does not
+support credential caching.
+.Sp
+Returns 1 on success, 0 on failure and \-1 on error.
+On error, the plugin may optionally call the conversation or plugin_printf
+function with \f(CW\*(C`SUDO_CONF_ERROR_MSG\*(C'\fR to present additional
+error information to the user.
+.IP "invalidate" 4
+.IX Item "invalidate"
+.Vb 1
+\& void (*invalidate)(int remove);
+.Ve
+.Sp
+The \f(CW\*(C`invalidate\*(C'\fR function is called when \fBsudo\fR is called with
+the \f(CW\*(C`\-k\*(C'\fR or \f(CW\*(C`\-K\*(C'\fR flag. For policy plugins such as \fIsudoers\fR that
+cache authentication credentials, this function will invalidate the
+credentials. If the \fIremove\fR flag is set, the plugin may remove
+the credentials instead of simply invalidating them.
+.Sp
+The \f(CW\*(C`invalidate\*(C'\fR function should be \f(CW\*(C`NULL\*(C'\fR if the plugin does not
+support credential caching.
+.IP "init_session" 4
+.IX Item "init_session"
+.Vb 1
+\& int (*init_session)(struct passwd *pwd);
+.Ve
+.Sp
+The \f(CW\*(C`init_session\*(C'\fR function is called when \fBsudo\fR sets up the
+execution environment for the command, immediately before the
+contents of the \fIcommand_info\fR list are applied (before the uid
+changes). This can be used to do session setup that is not supported
+by \fIcommand_info\fR, such as opening the \s-1PAM\s0 session.
+.Sp
+The \fIpwd\fR argument points to a passwd struct for the user the
+command will be run as if the uid the command will run as was found
+in the password database, otherwise it will be \s-1NULL\s0.
+.Sp
+Returns 1 on success, 0 on failure and \-1 on error.
+On error, the plugin may optionally call the conversation or plugin_printf
+function with \f(CW\*(C`SUDO_CONF_ERROR_MSG\*(C'\fR to present additional
+error information to the user.
+.PP
+\fIVersion macros\fR
+.IX Subsection "Version macros"
+.PP
+.Vb 8
+\& #define SUDO_API_VERSION_GET_MAJOR(v) ((v) >> 16)
+\& #define SUDO_API_VERSION_GET_MINOR(v) ((v) & 0xffff)
+\& #define SUDO_API_VERSION_SET_MAJOR(vp, n) do { \e
+\& *(vp) = (*(vp) & 0x0000ffff) | ((n) << 16); \e
+\& } while(0)
+\& #define SUDO_VERSION_SET_MINOR(vp, n) do { \e
+\& *(vp) = (*(vp) & 0xffff0000) | (n); \e
+\& } while(0)
+\&
+\& #define SUDO_API_VERSION_MAJOR 1
+\& #define SUDO_API_VERSION_MINOR 0
+\& #define SUDO_API_VERSION ((SUDO_API_VERSION_MAJOR << 16) | \e
+\& SUDO_API_VERSION_MINOR)
+.Ve
+.SS "I/O Plugin \s-1API\s0"
+.IX Subsection "I/O Plugin API"
+.Vb 10
+\& struct io_plugin {
+\& #define SUDO_IO_PLUGIN 2
+\& unsigned int type; /* always SUDO_IO_PLUGIN */
+\& unsigned int version; /* always SUDO_API_VERSION */
+\& int (*open)(unsigned int version, sudo_conv_t conversation
+\& sudo_printf_t plugin_printf, char * const settings[],
+\& char * const user_info[], int argc, char * const argv[],
+\& char * const user_env[]);
+\& void (*close)(int exit_status, int error); /* wait status or error */
+\& int (*show_version)(int verbose);
+\& int (*log_ttyin)(const char *buf, unsigned int len);
+\& int (*log_ttyout)(const char *buf, unsigned int len);
+\& int (*log_stdin)(const char *buf, unsigned int len);
+\& int (*log_stdout)(const char *buf, unsigned int len);
+\& int (*log_stderr)(const char *buf, unsigned int len);
+\& };
+.Ve
+.PP
+When an I/O plugin is loaded, \fBsudo\fR runs the command in a pseudo-tty.
+This makes it possible to log the input and output from the user's
+session. If any of the standard input, standard output or standard
+error do not correspond to a tty, \fBsudo\fR will open a pipe to capture
+the I/O for logging before passing it on.
+.PP
+The log_ttyin function receives the raw user input from the terminal
+device (note that this will include input even when echo is disabled,
+such as when a password is read). The log_ttyout function receives
+output from the pseudo-tty that is suitable for replaying the user's
+session at a later time. The log_stdin, log_stdout and log_stderr
+functions are only called if the standard input, standard output
+or standard error respectively correspond to something other than
+a tty.
+.PP
+Any of the logging functions may be set to the \s-1NULL\s0
+pointer if no logging is to be performed. If the open function
+returns \f(CW0\fR, no I/O will be sent to the plugin.
+.PP
+The io_plugin struct has the following fields:
+.IP "type" 4
+.IX Item "type"
+The \f(CW\*(C`type\*(C'\fR field should always be set to \s-1SUDO_IO_PLUGIN\s0
+.IP "version" 4
+.IX Item "version"
+The \f(CW\*(C`version\*(C'\fR field should be set to \s-1SUDO_API_VERSION\s0.
+.Sp
+This allows \fBsudo\fR to determine the \s-1API\s0 version the plugin was
+built against.
+.IP "open" 4
+.IX Item "open"
+.Vb 4
+\& int (*open)(unsigned int version, sudo_conv_t conversation
+\& sudo_printf_t plugin_printf, char * const settings[],
+\& char * const user_info[], int argc, char * const argv[],
+\& char * const user_env[]);
+.Ve
+.Sp
+The \fIopen\fR function is run before the \fIlog_input\fR, \fIlog_output\fR
+or \fIshow_version\fR functions are called. It is only called if the
+version is being requested or the \fIcheck_policy\fR function has
+returned successfully. It returns 1 on success, 0 on failure, \-1
+if a general error occurred, or \-2 if there was a usage error. In
+the latter case, \fBsudo\fR will print a usage message before it exits.
+If an error occurs, the plugin may optionally call the conversation
+or plugin_printf function with \f(CW\*(C`SUDO_CONF_ERROR_MSG\*(C'\fR to present
+additional error information to the user.
+.Sp
+The function arguments are as follows:
+.RS 4
+.IP "version" 4
+.IX Item "version"
+The version passed in by \fBsudo\fR allows the plugin to determine the
+major and minor version number of the plugin \s-1API\s0 supported by
+\&\fBsudo\fR.
+.IP "conversation" 4
+.IX Item "conversation"
+A pointer to the conversation function that may be used by the
+\&\fIshow_version\fR function to display version information (see
+show_version below). The conversation function may also be used
+to display additional error message to the user.
+The conversation function returns 0 on success and \-1 on failure.
+.IP "plugin_printf" 4
+.IX Item "plugin_printf"
+A pointer to a printf-style function that may be used by the
+\&\fIshow_version\fR function to display version information (see
+show_version below). The plugin_printf function may also be used
+to display additional error message to the user.
+The plugin_printf function returns number of characters printed on
+success and \-1 on failure.
+.IP "settings" 4
+.IX Item "settings"
+A vector of user-supplied \fBsudo\fR settings in the form of \*(L"name=value\*(R"
+strings. The vector is terminated by a \f(CW\*(C`NULL\*(C'\fR pointer. These
+settings correspond to flags the user specified when running \fBsudo\fR.
+As such, they will only be present when the corresponding flag has
+been specified on the command line.
+.Sp
+When parsing \fIsettings\fR, the plugin should split on the \fBfirst\fR
+equal sign ('=') since the \fIname\fR field will never include one
+itself but the \fIvalue\fR might.
+.Sp
+See the \*(L"Policy Plugin \s-1API\s0\*(R" section for a list of all possible settings.
+.IP "user_info" 4
+.IX Item "user_info"
+A vector of information about the user running the command in the form of
+\&\*(L"name=value\*(R" strings. The vector is terminated by a \f(CW\*(C`NULL\*(C'\fR pointer.
+.Sp
+When parsing \fIuser_info\fR, the plugin should split on the \fBfirst\fR
+equal sign ('=') since the \fIname\fR field will never include one
+itself but the \fIvalue\fR might.
+.Sp
+See the \*(L"Policy Plugin \s-1API\s0\*(R" section for a list of all possible strings.
+.IP "argc" 4
+.IX Item "argc"
+The number of elements in \fIargv\fR, not counting the final \f(CW\*(C`NULL\*(C'\fR
+pointer.
+.IP "argv" 4
+.IX Item "argv"
+If non\-\f(CW\*(C`NULL\*(C'\fR, an argument vector describing a command the user
+wishes to run in the same form as what would be passed to the
+\&\fIexecve()\fR system call.
+.IP "user_env" 4
+.IX Item "user_env"
+The user's environment in the form of a \f(CW\*(C`NULL\*(C'\fR\-terminated vector of
+\&\*(L"name=value\*(R" strings.
+.Sp
+When parsing \fIuser_env\fR, the plugin should split on the \fBfirst\fR
+equal sign ('=') since the \fIname\fR field will never include one
+itself but the \fIvalue\fR might.
+.RE
+.RS 4
+.RE
+.IP "close" 4
+.IX Item "close"
+.Vb 1
+\& void (*close)(int exit_status, int error);
+.Ve
+.Sp
+The \f(CW\*(C`close\*(C'\fR function is called when the command being run by \fBsudo\fR
+finishes.
+.Sp
+The function arguments are as follows:
+.RS 4
+.IP "exit_status" 4
+.IX Item "exit_status"
+The command's exit status, as returned by the \fIwait\fR\|(2) system call.
+The value of \f(CW\*(C`exit_status\*(C'\fR is undefined if \f(CW\*(C`error\*(C'\fR is non-zero.
+.IP "error" 4
+.IX Item "error"
+If the command could not be executed, this is set to the value of
+\&\f(CW\*(C`errno\*(C'\fR set by the \fIexecve\fR\|(2) system call. If the command was
+successfully executed, the value of \f(CW\*(C`error\*(C'\fR is 0.
+.RE
+.RS 4
+.RE
+.IP "show_version" 4
+.IX Item "show_version"
+.Vb 1
+\& int (*show_version)(int verbose);
+.Ve
+.Sp
+The \f(CW\*(C`show_version\*(C'\fR function is called by \fBsudo\fR when the user specifies
+the \f(CW\*(C`\-V\*(C'\fR option. The plugin may display its version information
+to the user via the conversation or plugin_printf function using
+\&\f(CW\*(C`SUDO_CONV_INFO_MSG\*(C'\fR. If the user requests detailed version
+information, the verbose flag will be set.
+.IP "log_ttyin" 4
+.IX Item "log_ttyin"
+.Vb 1
+\& int (*log_ttyin)(const char *buf, unsigned int len);
+.Ve
+.Sp
+The \fIlog_ttyin\fR function is called whenever data can be read from
+the user but before it is passed to the running command. This
+allows the plugin to reject data if it chooses to (for instance
+if the input contains banned content). Returns \f(CW1\fR if the data
+should be passed to the command, \f(CW0\fR if the data is rejected
+(which will terminate the command) or \f(CW\*(C`\-1\*(C'\fR if an error occurred.
+.Sp
+The function arguments are as follows:
+.RS 4
+.IP "buf" 4
+.IX Item "buf"
+The buffer containing user input.
+.IP "len" 4
+.IX Item "len"
+The length of \fIbuf\fR in bytes.
+.RE
+.RS 4
+.RE
+.IP "log_ttyout" 4
+.IX Item "log_ttyout"
+.Vb 1
+\& int (*log_ttyout)(const char *buf, unsigned int len);
+.Ve
+.Sp
+The \fIlog_ttyout\fR function is called whenever data can be read from
+the command but before it is written to the user's terminal. This
+allows the plugin to reject data if it chooses to (for instance
+if the output contains banned content). Returns \f(CW1\fR if the data
+should be passed to the user, \f(CW0\fR if the data is rejected
+(which will terminate the command) or \f(CW\*(C`\-1\*(C'\fR if an error occurred.
+.Sp
+The function arguments are as follows:
+.RS 4
+.IP "buf" 4
+.IX Item "buf"
+The buffer containing command output.
+.IP "len" 4
+.IX Item "len"
+The length of \fIbuf\fR in bytes.
+.RE
+.RS 4
+.RE
+.IP "log_stdin" 4
+.IX Item "log_stdin"
+.Vb 1
+\& int (*log_stdin)(const char *buf, unsigned int len);
+.Ve
+.Sp
+The \fIlog_stdin\fR function is only used if the standard input does
+not correspond to a tty device. It is called whenever data can be
+read from the standard input but before it is passed to the running
+command. This allows the plugin to reject data if it chooses to
+(for instance if the input contains banned content). Returns \f(CW1\fR
+if the data should be passed to the command, \f(CW0\fR if the data is
+rejected (which will terminate the command) or \f(CW\*(C`\-1\*(C'\fR if an error
+occurred.
+.Sp
+The function arguments are as follows:
+.RS 4
+.IP "buf" 4
+.IX Item "buf"
+The buffer containing user input.
+.IP "len" 4
+.IX Item "len"
+The length of \fIbuf\fR in bytes.
+.RE
+.RS 4
+.RE
+.IP "log_stdout" 4
+.IX Item "log_stdout"
+.Vb 1
+\& int (*log_stdout)(const char *buf, unsigned int len);
+.Ve
+.Sp
+The \fIlog_stdout\fR function is only used if the standard output does
+not correspond to a tty device. It is called whenever data can be
+read from the command but before it is written to the standard
+output. This allows the plugin to reject data if it chooses to
+(for instance if the output contains banned content). Returns \f(CW1\fR
+if the data should be passed to the user, \f(CW0\fR if the data is
+rejected (which will terminate the command) or \f(CW\*(C`\-1\*(C'\fR if an error
+occurred.
+.Sp
+The function arguments are as follows:
+.RS 4
+.IP "buf" 4
+.IX Item "buf"
+The buffer containing command output.
+.IP "len" 4
+.IX Item "len"
+The length of \fIbuf\fR in bytes.
+.RE
+.RS 4
+.RE
+.IP "log_stderr" 4
+.IX Item "log_stderr"
+.Vb 1
+\& int (*log_stderr)(const char *buf, unsigned int len);
+.Ve
+.Sp
+The \fIlog_stderr\fR function is only used if the standard error does
+not correspond to a tty device. It is called whenever data can be
+read from the command but before it is written to the standard
+error. This allows the plugin to reject data if it chooses to
+(for instance if the output contains banned content). Returns \f(CW1\fR
+if the data should be passed to the user, \f(CW0\fR if the data is
+rejected (which will terminate the command) or \f(CW\*(C`\-1\*(C'\fR if an error
+occurred.
+.Sp
+The function arguments are as follows:
+.RS 4
+.IP "buf" 4
+.IX Item "buf"
+The buffer containing command output.
+.IP "len" 4
+.IX Item "len"
+The length of \fIbuf\fR in bytes.
+.RE
+.RS 4
+.RE
+.PP
+\fIVersion macros\fR
+.IX Subsection "Version macros"
+.PP
+Same as for the \*(L"Policy Plugin \s-1API\s0\*(R".
+.SS "Conversation \s-1API\s0"
+.IX Subsection "Conversation API"
+If the plugin needs to interact with the user, it may do so via the
+conversation function. A plugin should not attempt to read directly
+from the standard input or the user's tty (neither of which are
+guaranteed to exist). The caller must include a trailing newline
+in \f(CW\*(C`msg\*(C'\fR if one is to be printed.
+.PP
+A printf-style function is also available that can be used to display
+informational or error messages to the user, which is usually more
+convenient for simple messages where no use input is required.
+.PP
+.Vb 12
+\& struct sudo_conv_message {
+\& #define SUDO_CONV_PROMPT_ECHO_OFF 0x0001 /* do not echo user input */
+\& #define SUDO_CONV_PROMPT_ECHO_ON 0x0002 /* echo user input */
+\& #define SUDO_CONV_ERROR_MSG 0x0003 /* error message */
+\& #define SUDO_CONV_INFO_MSG 0x0004 /* informational message */
+\& #define SUDO_CONV_PROMPT_MASK 0x0005 /* mask user input */
+\& #define SUDO_CONV_DEBUG_MSG 0x0006 /* debugging message */
+\& #define SUDO_CONV_PROMPT_ECHO_OK 0x1000 /* flag: allow echo if no tty */
+\& int msg_type;
+\& int timeout;
+\& const char *msg;
+\& };
+\&
+\& struct sudo_conv_reply {
+\& char *reply;
+\& };
+\&
+\& typedef int (*sudo_conv_t)(int num_msgs,
+\& const struct sudo_conv_message msgs[],
+\& struct sudo_conv_reply replies[]);
+\&
+\& typedef int (*sudo_printf_t)(int msg_type, const char *fmt, ...);
+.Ve
+.PP
+Pointers to the conversation and printf-style functions are passed
+in to the plugin's \f(CW\*(C`open\*(C'\fR function when the plugin is initialized.
+.PP
+To use the conversation function, the plugin must pass an array of
+\&\f(CW\*(C`sudo_conv_message\*(C'\fR and \f(CW\*(C`sudo_conv_reply\*(C'\fR structures. There must
+be a \f(CW\*(C`struct sudo_conv_message\*(C'\fR and \f(CW\*(C`struct sudo_conv_reply\*(C'\fR for
+each message in the conversation. The plugin is responsible for
+freeing the reply buffer filled in to the \f(CW\*(C`struct sudo_conv_reply\*(C'\fR,
+if any.
+.PP
+The printf-style function uses the same underlying mechanism as the
+conversation function but only supports \f(CW\*(C`SUDO_CONV_INFO_MSG\*(C'\fR,
+\&\f(CW\*(C`SUDO_CONV_ERROR_MSG\*(C'\fR and \f(CW\*(C`SUDO_CONV_DEBUG_MSG\*(C'\fR for the \fImsg_type\fR
+parameter. It can be more convenient than using the conversation
+function if no user reply is needed and supports standard \fIprintf()\fR
+escape sequences.
+.PP
+Unlike, \f(CW\*(C`SUDO_CONV_INFO_MSG\*(C'\fR and \f(CW\*(C`SUDO_CONV_ERROR_MSG\*(C'\fR, messages
+sent with the <\s-1SUDO_CONV_DEBUG_MSG\s0> \fImsg_type\fR are not directly
+user-visible. Instead, they are logged to the file specified in
+the \f(CW\*(C`Debug\*(C'\fR statement (if any) in the \fI/etc/sudo.conf\fR
+file. This allows a plugin to log debugging information and is
+intended to be used in conjunction with the \fIdebug_flags\fR setting.
+.PP
+See the sample plugin for an example of the conversation function usage.
+.SS "Sudoers Group Plugin \s-1API\s0"
+.IX Subsection "Sudoers Group Plugin API"
+The \fIsudoers\fR module supports a plugin interface to allow non-Unix
+group lookups. This can be used to query a group source other than
+the standard Unix group database. A sample group plugin is bundled
+with \fBsudo\fR that implements file-based lookups. Third party group
+plugins include a \s-1QAS\s0 \s-1AD\s0 plugin available from Quest Software.
+.PP
+A group plugin must declare and populate a \f(CW\*(C`sudoers_group_plugin\*(C'\fR
+struct in the global scope. This structure contains pointers to
+the functions that implement plugin initialization, cleanup and
+group lookup.
+.PP
+.Vb 8
+\& struct sudoers_group_plugin {
+\& unsigned int version;
+\& int (*init)(int version, sudo_printf_t sudo_printf,
+\& char *const argv[]);
+\& void (*cleanup)(void);
+\& int (*query)(const char *user, const char *group,
+\& const struct passwd *pwd);
+\&};
+.Ve
+.PP
+The \f(CW\*(C`sudoers_group_plugin\*(C'\fR struct has the following fields:
+.IP "version" 4
+.IX Item "version"
+The \f(CW\*(C`version\*(C'\fR field should be set to \s-1GROUP_API_VERSION\s0.
+.Sp
+This allows \fIsudoers\fR to determine the \s-1API\s0 version the group plugin
+was built against.
+.IP "init" 4
+.IX Item "init"
+.Vb 2
+\& int (*init)(int version, sudo_printf_t plugin_printf,
+\& char *const argv[]);
+.Ve
+.Sp
+The \fIinit\fR function is called after \fIsudoers\fR has been parsed but
+before any policy checks. It returns 1 on success, 0 on failure
+(or if the plugin is not configured), and \-1 if a error occurred.
+If an error occurs, the plugin may call the plugin_printf function
+with \f(CW\*(C`SUDO_CONF_ERROR_MSG\*(C'\fR to present additional error information
+to the user.
+.Sp
+The function arguments are as follows:
+.RS 4
+.IP "version" 4
+.IX Item "version"
+The version passed in by \fIsudoers\fR allows the plugin to determine the
+major and minor version number of the group plugin \s-1API\s0 supported by
+\&\fIsudoers\fR.
+.IP "plugin_printf" 4
+.IX Item "plugin_printf"
+A pointer to a printf-style function that may be used to display
+informational or error message to the user.
+Returns the number of characters printed on success and \-1 on failure.
+.IP "argv" 4
+.IX Item "argv"
+A NULL-terminated array of arguments generated from the \fIgroup_plugin\fR
+option in \fIsudoers\fR. If no arguments were given, \fIargv\fR will be
+\&\s-1NULL\s0.
+.RE
+.RS 4
+.RE
+.IP "cleanup" 4
+.IX Item "cleanup"
+.Vb 1
+\& void (*cleanup)();
+.Ve
+.Sp
+The \fIcleanup\fR function is called when \fIsudoers\fR has finished its
+group checks. The plugin should free any memory it has allocated
+and close open file handles.
+.IP "query" 4
+.IX Item "query"
+.Vb 2
+\& int (*query)(const char *user, const char *group,
+\& const struct passwd *pwd);
+.Ve
+.Sp
+The \fIquery\fR function is used to ask the group plugin whether \fIuser\fR
+is a member of \fIgroup\fR.
+.Sp
+The function arguments are as follows:
+.RS 4
+.IP "user" 4
+.IX Item "user"
+The name of the user being looked up in the external group database.
+.IP "group" 4
+.IX Item "group"
+The name of the group being queried.
+.IP "pwd" 4
+.IX Item "pwd"
+The password database entry for \fIuser\fR, if any. If \fIuser\fR is not
+present in the password database, \fIpwd\fR will be \f(CW\*(C`NULL\*(C'\fR.
+.RE
+.RS 4
+.RE
+.PP
+\fIVersion Macros\fR
+.IX Subsection "Version Macros"
+.PP
+.Vb 5
+\& /* Sudoers group plugin version major/minor */
+\& #define GROUP_API_VERSION_MAJOR 1
+\& #define GROUP_API_VERSION_MINOR 0
+\& #define GROUP_API_VERSION ((GROUP_API_VERSION_MAJOR << 16) | \e
+\& GROUP_API_VERSION_MINOR)
+\&
+\& /* Getters and setters for group version */
+\& #define GROUP_API_VERSION_GET_MAJOR(v) ((v) >> 16)
+\& #define GROUP_API_VERSION_GET_MINOR(v) ((v) & 0xffff)
+\& #define GROUP_API_VERSION_SET_MAJOR(vp, n) do { \e
+\& *(vp) = (*(vp) & 0x0000ffff) | ((n) << 16); \e
+\& } while(0)
+\& #define GROUP_API_VERSION_SET_MINOR(vp, n) do { \e
+\& *(vp) = (*(vp) & 0xffff0000) | (n); \e
+\& } while(0)
+.Ve
+.SH "SEE ALSO"
+.IX Header "SEE ALSO"
+\&\fIsudoers\fR\|(5), \fIsudo\fR\|(8)
+.SH "BUGS"
+.IX Header "BUGS"
+If you feel you have found a bug in \fBsudo\fR, please submit a bug report
+at http://www.sudo.ws/sudo/bugs/
+.SH "SUPPORT"
+.IX Header "SUPPORT"
+Limited free support is available via the sudo-workers mailing list,
+see http://www.sudo.ws/mailman/listinfo/sudo\-workers to subscribe or
+search the archives.
+.SH "DISCLAIMER"
+.IX Header "DISCLAIMER"
+\&\fBsudo\fR is provided ``\s-1AS\s0 \s-1IS\s0'' and any express or implied warranties,
+including, but not limited to, the implied warranties of merchantability
+and fitness for a particular purpose are disclaimed. See the \s-1LICENSE\s0
+file distributed with \fBsudo\fR or http://www.sudo.ws/sudo/license.html
+for complete details.
--- /dev/null
+.so man8/sudo.8
--- /dev/null
+.\" Copyright (c) 2009-2011 Todd C. Miller <Todd.Miller@courtesan.com>
+.\"
+.\" Permission to use, copy, modify, and distribute this software for any
+.\" purpose with or without fee is hereby granted, provided that the above
+.\" copyright notice and this permission notice appear in all copies.
+.\"
+.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+.\" ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+.\"
+.\" Automatically generated by Pod::Man 2.23 (Pod::Simple 3.14)
+.\"
+.\" Standard preamble:
+.\" ========================================================================
+.de Sp \" Vertical space (when we can't use .PP)
+.if t .sp .5v
+.if n .sp
+..
+.de Vb \" Begin verbatim text
+.ft CW
+.nf
+.ne \\$1
+..
+.de Ve \" End verbatim text
+.ft R
+.fi
+..
+.\" Set up some character translations and predefined strings. \*(-- will
+.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
+.\" double quote, and \*(R" will give a right double quote. \*(C+ will
+.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
+.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
+.\" nothing in troff, for use with C<>.
+.tr \(*W-
+.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.ie n \{\
+. ds -- \(*W-
+. ds PI pi
+. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
+. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
+. ds L" ""
+. ds R" ""
+. ds C`
+. ds C'
+'br\}
+.el\{\
+. ds -- \|\(em\|
+. ds PI \(*p
+. ds L" ``
+. ds R" ''
+'br\}
+.\"
+.\" Escape single quotes in literal strings from groff's Unicode transform.
+.ie \n(.g .ds Aq \(aq
+.el .ds Aq '
+.\"
+.\" If the F register is turned on, we'll generate index entries on stderr for
+.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
+.\" entries marked with X<> in POD. Of course, you'll have to process the
+.\" output yourself in some meaningful fashion.
+.ie \nF \{\
+. de IX
+. tm Index:\\$1\t\\n%\t"\\$2"
+..
+. nr % 0
+. rr F
+.\}
+.el \{\
+. de IX
+..
+.\}
+.\"
+.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
+.\" Fear. Run. Save yourself. No user-serviceable parts.
+. \" fudge factors for nroff and troff
+.if n \{\
+. ds #H 0
+. ds #V .8m
+. ds #F .3m
+. ds #[ \f1
+. ds #] \fP
+.\}
+.if t \{\
+. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
+. ds #V .6m
+. ds #F 0
+. ds #[ \&
+. ds #] \&
+.\}
+. \" simple accents for nroff and troff
+.if n \{\
+. ds ' \&
+. ds ` \&
+. ds ^ \&
+. ds , \&
+. ds ~ ~
+. ds /
+.\}
+.if t \{\
+. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
+. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
+. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
+. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
+. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
+. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
+.\}
+. \" troff and (daisy-wheel) nroff accents
+.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
+.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
+.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
+.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
+.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
+.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
+.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
+.ds ae a\h'-(\w'a'u*4/10)'e
+.ds Ae A\h'-(\w'A'u*4/10)'E
+. \" corrections for vroff
+.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
+.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
+. \" for low resolution devices (crt and lpr)
+.if \n(.H>23 .if \n(.V>19 \
+\{\
+. ds : e
+. ds 8 ss
+. ds o a
+. ds d- d\h'-1'\(ga
+. ds D- D\h'-1'\(hy
+. ds th \o'bp'
+. ds Th \o'LP'
+. ds ae ae
+. ds Ae AE
+.\}
+.rm #[ #] #H #V #F C
+.\" ========================================================================
+.\"
+.IX Title "SUDOREPLAY 8"
+.TH SUDOREPLAY 8 "January 6, 2012" "1.8.4" "MAINTENANCE COMMANDS"
+.\" For nroff, turn off justification. Always turn off hyphenation; it makes
+.\" way too many mistakes in technical documents.
+.if n .ad l
+.nh
+.SH "NAME"
+sudoreplay \- replay sudo session logs
+.SH "SYNOPSIS"
+.IX Header "SYNOPSIS"
+\&\fBsudoreplay\fR [\fB\-h\fR] [\fB\-d\fR \fIdirectory\fR] [\fB\-f\fR \fIfilter\fR] [\fB\-m\fR \fImax_wait\fR] [\fB\-s\fR \fIspeed_factor\fR] \s-1ID\s0
+.PP
+\&\fBsudoreplay\fR [\fB\-h\fR] [\fB\-d\fR \fIdirectory\fR] \-l [search expression]
+.SH "DESCRIPTION"
+.IX Header "DESCRIPTION"
+\&\fBsudoreplay\fR plays back or lists the output logs created by \fBsudo\fR.
+When replaying, \fBsudoreplay\fR can play the session back in real-time,
+or the playback speed may be adjusted (faster or slower) based on
+the command line options.
+.PP
+The \fI\s-1ID\s0\fR should either be a six character sequence of digits and
+upper case letters, e.g. \f(CW\*(C`0100A5\*(C'\fR, or a pattern matching the
+\&\fIiolog_file\fR option in the \fIsudoers\fR file. When a command is run
+via \fBsudo\fR with \fIlog_output\fR enabled in the \fIsudoers\fR file, a
+\&\f(CW\*(C`TSID=ID\*(C'\fR string is logged via syslog or to the \fBsudo\fR log file.
+The \fI\s-1ID\s0\fR may also be determined using \fBsudoreplay\fR's list mode.
+.PP
+In list mode, \fBsudoreplay\fR can be used to find the \s-1ID\s0 of a session
+based on a number of criteria such as the user, tty or command run.
+.PP
+In replay mode, if the standard output has not been redirected,
+\&\fBsudoreplay\fR will act on the following keys:
+.IP "' ' (space)" 8
+.IX Item "' ' (space)"
+Pause output; press any key to resume.
+.IP "'<'" 8
+Reduce the playback speed by one half.
+.IP "'>'" 8
+Double the playback speed.
+.SH "OPTIONS"
+.IX Header "OPTIONS"
+\&\fBsudoreplay\fR accepts the following command line options:
+.IP "\-d \fIdirectory\fR" 12
+.IX Item "-d directory"
+Use \fIdirectory\fR to for the session logs instead of the default,
+\&\fI/var/log/sudo\-io\fR.
+.IP "\-f \fIfilter\fR" 12
+.IX Item "-f filter"
+By default, \fBsudoreplay\fR will play back the command's standard
+output, standard error and tty output. The \fI\-f\fR option can be
+used to select which of these to output. The \fIfilter\fR argument
+is a comma-separated list, consisting of one or more of following:
+\&\fIstdout\fR, \fIstderr\fR, and \fIttyout\fR.
+.IP "\-h" 12
+.IX Item "-h"
+The \fB\-h\fR (\fIhelp\fR) option causes \fBsudoreplay\fR to print a short
+help message to the standard output and exit.
+.IP "\-l [\fIsearch expression\fR]" 12
+.IX Item "-l [search expression]"
+Enable \*(L"list mode\*(R". In this mode, \fBsudoreplay\fR will list available
+session IDs. If a \fIsearch expression\fR is specified, it will be
+used to restrict the IDs that are displayed. An expression is
+composed of the following predicates:
+.RS 12
+.IP "command \fIcommand pattern\fR" 8
+.IX Item "command command pattern"
+Evaluates to true if the command run matches \fIcommand pattern\fR.
+On systems with \s-1POSIX\s0 regular expression support, the pattern may
+be an extended regular expression. On systems without \s-1POSIX\s0 regular
+expression support, a simple substring match is performed instead.
+.IP "cwd \fIdirectory\fR" 8
+.IX Item "cwd directory"
+Evaluates to true if the command was run with the specified current
+working directory.
+.IP "fromdate \fIdate\fR" 8
+.IX Item "fromdate date"
+Evaluates to true if the command was run on or after \fIdate\fR.
+See \*(L"Date and time format\*(R" for a description of supported
+date and time formats.
+.IP "group \fIrunas_group\fR" 8
+.IX Item "group runas_group"
+Evaluates to true if the command was run with the specified
+\&\fIrunas_group\fR. Note that unless a \fIrunas_group\fR was explicitly
+specified when \fBsudo\fR was run this field will be empty in the log.
+.IP "runas \fIrunas_user\fR" 8
+.IX Item "runas runas_user"
+Evaluates to true if the command was run as the specified \fIrunas_user\fR.
+Note that \fBsudo\fR runs commands as user \fIroot\fR by default.
+.IP "todate \fIdate\fR" 8
+.IX Item "todate date"
+Evaluates to true if the command was run on or prior to \fIdate\fR.
+See \*(L"Date and time format\*(R" for a description of supported
+date and time formats.
+.IP "tty \fItty\fR" 8
+.IX Item "tty tty"
+Evaluates to true if the command was run on the specified terminal
+device. The \fItty\fR should be specified without the \fI/dev/\fR prefix,
+e.g. \fItty01\fR instead of \fI/dev/tty01\fR.
+.IP "user \fIuser name\fR" 8
+.IX Item "user user name"
+Evaluates to true if the \s-1ID\s0 matches a command run by \fIuser name\fR.
+.RE
+.RS 12
+.Sp
+Predicates may be abbreviated to the shortest unique string (currently
+all predicates may be shortened to a single character).
+.Sp
+Predicates may be combined using \fIand\fR, \fIor\fR and \fI!\fR operators
+as well as \f(CW\*(Aq(\*(Aq\fR and \f(CW\*(Aq)\*(Aq\fR for grouping (note that parentheses
+must generally be escaped from the shell). The \fIand\fR operator is
+optional, adjacent predicates have an implied \fIand\fR unless separated
+by an \fIor\fR.
+.RE
+.IP "\-m \fImax_wait\fR" 12
+.IX Item "-m max_wait"
+Specify an upper bound on how long to wait between key presses or
+output data. By default, \fBsudo_replay\fR will accurately reproduce
+the delays between key presses or program output. However, this
+can be tedious when the session includes long pauses. When the
+\&\fI\-m\fR option is specified, \fBsudoreplay\fR will limit these pauses
+to at most \fImax_wait\fR seconds. The value may be specified as a
+floating point number, .e.g. \fI2.5\fR.
+.IP "\-s \fIspeed_factor\fR" 12
+.IX Item "-s speed_factor"
+This option causes \fBsudoreplay\fR to adjust the number of seconds
+it will wait between key presses or program output. This can be
+used to slow down or speed up the display. For example, a
+\&\fIspeed_factor\fR of \fI2\fR would make the output twice as fast whereas
+a \fIspeed_factor\fR of <.5> would make the output twice as slow.
+.IP "\-V" 12
+.IX Item "-V"
+The \fB\-V\fR (version) option causes \fBsudoreplay\fR to print its version number
+and exit.
+.SS "Date and time format"
+.IX Subsection "Date and time format"
+The time and date may be specified multiple ways, common formats include:
+.IP "\s-1HH:MM:SS\s0 am \s-1MM/DD/CCYY\s0 timezone" 8
+.IX Item "HH:MM:SS am MM/DD/CCYY timezone"
+24 hour time may be used in place of am/pm.
+.IP "\s-1HH:MM:SS\s0 am Month, Day Year timezone" 8
+.IX Item "HH:MM:SS am Month, Day Year timezone"
+24 hour time may be used in place of am/pm, and month and day names
+may be abbreviated. Note that month and day of the week names must
+be specified in English.
+.IP "CCYY-MM-DD \s-1HH:MM:SS\s0" 8
+.IX Item "CCYY-MM-DD HH:MM:SS"
+\&\s-1ISO\s0 time format
+.IP "\s-1DD\s0 Month \s-1CCYY\s0 \s-1HH:MM:SS\s0" 8
+.IX Item "DD Month CCYY HH:MM:SS"
+The month name may be abbreviated.
+.PP
+Either time or date may be omitted, the am/pm and timezone are
+optional. If no date is specified, the current day is assumed; if
+no time is specified, the first second of the specified date is
+used. The less significant parts of both time and date may also
+be omitted, in which case zero is assumed. For example, the following
+are all valid:
+.PP
+The following are all valid time and date specifications:
+.IP "now" 8
+.IX Item "now"
+The current time and date.
+.IP "tomorrow" 8
+.IX Item "tomorrow"
+Exactly one day from now.
+.IP "yesterday" 8
+.IX Item "yesterday"
+24 hours ago.
+.IP "2 hours ago" 8
+.IX Item "2 hours ago"
+2 hours ago.
+.IP "next Friday" 8
+.IX Item "next Friday"
+The first second of the next Friday.
+.IP "this week" 8
+.IX Item "this week"
+The current time but the first day of the coming week.
+.IP "a fortnight ago" 8
+.IX Item "a fortnight ago"
+The current time but 14 days ago.
+.IP "10:01 am 9/17/2009" 8
+.IX Item "10:01 am 9/17/2009"
+10:01 am, September 17, 2009.
+.IP "10:01 am" 8
+.IX Item "10:01 am"
+10:01 am on the current day.
+.IP "10" 8
+.IX Item "10"
+10:00 am on the current day.
+.IP "9/17/2009" 8
+.IX Item "9/17/2009"
+00:00 am, September 17, 2009.
+.IP "10:01 am Sep 17, 2009" 8
+.IX Item "10:01 am Sep 17, 2009"
+10:01 am, September 17, 2009.
+.SH "FILES"
+.IX Header "FILES"
+.IP "\fI/var/log/sudo\-io\fR" 24
+.IX Item "/var/log/sudo-io"
+The default I/O log directory.
+.IP "\fI/var/log/sudo\-io/00/00/01/log\fR" 24
+.IX Item "/var/log/sudo-io/00/00/01/log"
+Example session log info.
+.IP "\fI/var/log/sudo\-io/00/00/01/stdin\fR" 24
+.IX Item "/var/log/sudo-io/00/00/01/stdin"
+Example session standard input log.
+.IP "\fI/var/log/sudo\-io/00/00/01/stdout\fR" 24
+.IX Item "/var/log/sudo-io/00/00/01/stdout"
+Example session standard output log.
+.IP "\fI/var/log/sudo\-io/00/00/01/stderr\fR" 24
+.IX Item "/var/log/sudo-io/00/00/01/stderr"
+Example session standard error log.
+.IP "\fI/var/log/sudo\-io/00/00/01/ttyin\fR" 24
+.IX Item "/var/log/sudo-io/00/00/01/ttyin"
+Example session tty input file.
+.IP "\fI/var/log/sudo\-io/00/00/01/ttyout\fR" 24
+.IX Item "/var/log/sudo-io/00/00/01/ttyout"
+Example session tty output file.
+.IP "\fI/var/log/sudo\-io/00/00/01/timing\fR" 24
+.IX Item "/var/log/sudo-io/00/00/01/timing"
+Example session timing file.
+.PP
+Note that the \fIstdin\fR, \fIstdout\fR and \fIstderr\fR files will be empty
+unless \fBsudo\fR was used as part of a pipeline for a particular
+command.
+.SH "EXAMPLES"
+.IX Header "EXAMPLES"
+List sessions run by user \fImillert\fR:
+.PP
+.Vb 1
+\& sudoreplay \-l user millert
+.Ve
+.PP
+List sessions run by user \fIbob\fR with a command containing the string vi:
+.PP
+.Vb 1
+\& sudoreplay \-l user bob command vi
+.Ve
+.PP
+List sessions run by user \fIjeff\fR that match a regular expression:
+.PP
+.Vb 1
+\& sudoreplay \-l user jeff command \*(Aq/bin/[a\-z]*sh\*(Aq
+.Ve
+.PP
+List sessions run by jeff or bob on the console:
+.PP
+.Vb 1
+\& sudoreplay \-l ( user jeff or user bob ) tty console
+.Ve
+.SH "SEE ALSO"
+.IX Header "SEE ALSO"
+\&\fIsudo\fR\|(8), \fIscript\fR\|(1)
+.SH "AUTHOR"
+.IX Header "AUTHOR"
+Todd C. Miller
+.SH "BUGS"
+.IX Header "BUGS"
+If you feel you have found a bug in \fBsudoreplay\fR, please submit a bug report
+at http://www.sudo.ws/sudo/bugs/
+.SH "SUPPORT"
+.IX Header "SUPPORT"
+Limited free support is available via the sudo-users mailing list,
+see http://www.sudo.ws/mailman/listinfo/sudo\-users to subscribe or
+search the archives.
+.SH "DISCLAIMER"
+.IX Header "DISCLAIMER"
+\&\fBsudoreplay\fR is provided ``\s-1AS\s0 \s-1IS\s0'' and any express or implied warranties,
+including, but not limited to, the implied warranties of merchantability
+and fitness for a particular purpose are disclaimed. See the \s-1LICENSE\s0
+file distributed with \fBsudo\fR or http://www.sudo.ws/sudo/license.html
+for complete details.
-.\" Copyright (c) 1996,1998-2005, 2007-2008
+.\" Copyright (c) 1996,1998-2005, 2007-2012
.\" Todd C. Miller <Todd.Miller@courtesan.com>
.\"
.\" Permission to use, copy, modify, and distribute this software for any
.\" Agency (DARPA) and Air Force Research Laboratory, Air Force
.\" Materiel Command, USAF, under agreement number F39502-99-1-0512.
.\"
-.\" $Sudo: visudo.man.in,v 1.34 2009/06/11 20:29:12 millert Exp $
-.\" Automatically generated by Pod::Man 2.16 (Pod::Simple 3.05)
+.\" Automatically generated by Pod::Man 2.23 (Pod::Simple 3.14)
.\"
.\" Standard preamble:
.\" ========================================================================
-.de Sh \" Subsection heading
-.br
-.if t .Sp
-.ne 5
-.PP
-\fB\\$1\fR
-.PP
-..
.de Sp \" Vertical space (when we can't use .PP)
.if t .sp .5v
.if n .sp
.el .ds Aq '
.\"
.\" If the F register is turned on, we'll generate index entries on stderr for
-.\" titles (.TH), headers (.SH), subsections (.Sh), items (.Ip), and index
+.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
.\" entries marked with X<> in POD. Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
.ie \nF \{\
.\" ========================================================================
.\"
.IX Title "VISUDO 8"
-.TH VISUDO 8 "June 11, 2009" "1.7.2p1" "MAINTENANCE COMMANDS"
+.TH VISUDO 8 "March 12, 2012" "1.8.4" "MAINTENANCE COMMANDS"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
visudo \- edit the sudoers file
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
-\&\fBvisudo\fR [\fB\-c\fR] [\fB\-q\fR] [\fB\-s\fR] [\fB\-V\fR] [\fB\-f\fR \fIsudoers\fR]
+\&\fBvisudo\fR [\fB\-chqsV\fR] [\fB\-f\fR \fIsudoers\fR]
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
\&\fBvisudo\fR edits the \fIsudoers\fR file in a safe fashion, analogous to
for parse errors. If the \fIsudoers\fR file is currently being
edited you will receive a message to try again later.
.PP
-There is a hard-coded list of editors that \fBvisudo\fR will use set
-at compile-time that may be overridden via the \fIeditor\fR \fIsudoers\fR
-\&\f(CW\*(C`Default\*(C'\fR variable. This list defaults to the path to \fIvi\fR\|(1) on
-your system, as determined by the \fIconfigure\fR script. Normally,
+There is a hard-coded list of one or more editors that \fBvisudo\fR will
+use set at compile-time that may be overridden via the \fIeditor\fR \fIsudoers\fR
+\&\f(CW\*(C`Default\*(C'\fR variable. This list defaults to \f(CW"/usr/bin/vi"\fR. Normally,
\&\fBvisudo\fR does not honor the \f(CW\*(C`VISUAL\*(C'\fR or \f(CW\*(C`EDITOR\*(C'\fR environment
variables unless they contain an editor in the aforementioned editors
-list. However, if \fBvisudo\fR is configured with the \fI\-\-with\-enveditor\fR
+list. However, if \fBvisudo\fR is configured with the \fI\-\-with\-env\-editor\fR
option or the \fIenv_editor\fR \f(CW\*(C`Default\*(C'\fR variable is set in \fIsudoers\fR,
\&\fBvisudo\fR will use any the editor defines by \f(CW\*(C`VISUAL\*(C'\fR or \f(CW\*(C`EDITOR\*(C'\fR.
Note that this can be a security hole since it allows the user to
.IP "\-c" 12
.IX Item "-c"
Enable \fBcheck-only\fR mode. The existing \fIsudoers\fR file will be
-checked for syntax and a message will be printed to the
-standard output detailing the status of \fIsudoers\fR.
-If the syntax check completes successfully, \fBvisudo\fR will
-exit with a value of 0. If a syntax error is encountered,
+checked for syntax errors, owner and mode. A message will be printed
+to the standard output describing the status of \fIsudoers\fR unless
+the \fB\-q\fR option was specified. If the check completes successfully,
+\&\fBvisudo\fR will exit with a value of 0. If an error is encountered,
\&\fBvisudo\fR will exit with a value of 1.
.IP "\-f \fIsudoers\fR" 12
.IX Item "-f sudoers"
\&\fBvisudo\fR will edit (or check) the \fIsudoers\fR file of your choice,
instead of the default, \fI/etc/sudoers\fR. The lock file used
is the specified \fIsudoers\fR file with \*(L".tmp\*(R" appended to it.
+In \fBcheck-only\fR mode only, the argument to \fB\-f\fR may be \*(L"\-\*(R",
+indicating that \fIsudoers\fR will be read from the standard input.
+.IP "\-h" 12
+.IX Item "-h"
+The \fB\-h\fR (\fIhelp\fR) option causes \fBvisudo\fR to print a short help message
+to the standard output and exit.
.IP "\-q" 12
.IX Item "-q"
Enable \fBquiet\fR mode. In this mode details about syntax errors
Enable \fBstrict\fR checking of the \fIsudoers\fR file. If an alias is
used before it is defined, \fBvisudo\fR will consider this a parse
error. Note that it is not possible to differentiate between an
-alias and a hostname or username that consists solely of uppercase
+alias and a host name or user name that consists solely of uppercase
letters, digits, and the underscore ('_') character.
.IP "\-V" 12
.IX Item "-V"
.IP "Warning: {User,Runas,Host,Cmnd}_Alias referenced but not defined" 4
.IX Item "Warning: {User,Runas,Host,Cmnd}_Alias referenced but not defined"
Either you are trying to use an undeclare {User,Runas,Host,Cmnd}_Alias
-or you have a user or hostname listed that consists solely of
+or you have a user or host name listed that consists solely of
uppercase letters, digits, and the underscore ('_') character. In
the latter case, you can ignore the warnings (\fBsudo\fR will not
complain). In \fB\-s\fR (strict) mode these are errors, not warnings.
The specified {User,Runas,Host,Cmnd}_Alias was defined but never
used. You may wish to comment out or remove the unused alias. In
\&\fB\-s\fR (strict) mode this is an error, not a warning.
+.IP "Warning: cycle in {User,Runas,Host,Cmnd}_Alias" 4
+.IX Item "Warning: cycle in {User,Runas,Host,Cmnd}_Alias"
+The specified {User,Runas,Host,Cmnd}_Alias includes a reference to
+itself, either directly or through an alias it includes. This is
+only a warning by default as \fBsudo\fR will ignore cycles when parsing
+the \fIsudoers\fR file.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fIvi\fR\|(1), \fIsudoers\fR\|(5), \fIsudo\fR\|(8), \fIvipw\fR\|(8)
.SH "AUTHOR"
.IX Header "AUTHOR"
-Many people have worked on \fIsudo\fR over the years; this version of
+Many people have worked on \fBsudo\fR over the years; this version of
\&\fBvisudo\fR was written by:
.PP
.Vb 1
\& Todd Miller
.Ve
.PP
-See the \s-1HISTORY\s0 file in the sudo distribution or visit
-http://www.sudo.ws/sudo/history.html for more details.
+See the \s-1CONTRIBUTORS\s0 file in the \fBsudo\fR distribution
+(http://www.sudo.ws/sudo/contributors.html) for a list of people
+who have contributed to \fBsudo\fR.
.SH "CAVEATS"
.IX Header "CAVEATS"
There is no easy way to prevent a user from gaining a root shell if
+++ /dev/null
-This is Sudo version 1.6.9
-
-The sudo philosophy
-===================
-Sudo is a program designed to allow a sysadmin to give limited root privileges
-to users and log root activity. The basic philosophy is to give as few
-privileges as possible but still allow people to get their work done.
-
-Where to find sudo
-==================
-Before you try and build sudo, *please* make sure you have the current
-version. The latest sudo may always be gotten via anonymous ftp
-from ftp.sudo.ws in the directory /pub/sudo/.
-The distribution is sudo-M.m.tar.gz where `M' is the major
-version number and `m' is the minor version number.
-BETA versions of sudo may also be available. If you join
-the `sudo-workers' mailing list you will get the BETA announcements
-(see the `Mailing lists' section below).
-
-What's new
-==========
-For a history of sudo please see the HISTORY file that came with this
-release.
-
-For a complete list of changes, see the CHANGES file. For a summary,
-see the web page, http://www.sudo.ws/sudo/.
-
-If you are upgrading from an earlier version of Sudo, please see
-the UPGRADE file.
-
-NOTE: Starting with sudo 1.5.7 the configuration method has changed
- significantly as compared to previous versions. All options
- are now set via the configure script. See the `INSTALL' file
- for a list of all the configure options.
-
-System requirements
-===================
-To build sudo from the source distribution you need a machine running
-UN*X (most flavors of BSD, SYSV, or POSIX will do), a working C
-compiler, and the make utility.
-
-If you wish to modify the parser then you will need flex version
-2.5.2 or later and either bison or byacc (sudo comes with a pre-flex'd
-tokenizer and pre-yacc'd grammar parser). You'll also have to
-uncomment a few lines from the Makefile or run configure with the
---with-devel option. You can get flex via anonymous ftp from
-ftp://ftp.ee.lbl.gov/pub/flex* as well as any GNU mirror. You can
-get GNU bison from ftp://ftp.gnu.org/pub/gnu/bison/ or any GNU
-mirror.
-
-Building the release
-====================
-Please read the installation guide in the `INSTALL' file before
-trying to build sudo.
-
-Copyright
-=========
-Sudo is distributed under an ISC-style license.
-Please refer to the `LICENSE' file included with the release for details.
-
-Mailing lists
-=============
-sudo-announce This list receives announcements whenever a new version
- of sudo is released.
- http://www.sudo.ws/mailman/listinfo/sudo-announce
-
-sudo-users This list is for questions and general discussion about sudo.
- http://www.sudo.ws/mailman/listinfo/sudo-users
-
-sudo-workers This list is for people working on and porting sudo.
- http://www.sudo.ws/mailman/listinfo/sudo-workers
-
-To subscribe to a list, visit its url (as listed above) and enter
-your email address to subscribe. Digest versions are available but
-these are fairly low traffic lists so the digest versions are not
-a significant win.
-
-Mailing list archives are also available. See the mailing list web sites
-for the appropriate links.
-
-Web page
-========
-There is a sudo `web page' at http://www.sudo.ws/sudo/
-that contains an overview of sudo as well as pointers to BETA versions
-and other useful info.
-
-Bug reports
-===========
-A list of known bugs may be found in the `BUGS' file. If you have
-found what you believe to be a bug, you can file a bug report with
-the sudo bug database, on at web at http://www.sudo.ws/bugs/.
-
-Please read over the `TROUBLESHOOTING' file *before* submitting a
-bug report. When reporting bugs, please be sure to include the
-version of sudo you are using as well as the platform you are running
-it on.
-○:sudo:1.7.2p1:0000/00/00:sudoers:5:2009/11/24:B:cyoichi@maple.ocn.ne.jp:Chonan Yoichi:
-○:sudo:1.7.2p1:0000/00/00:sudoers.ldap:5:2009/11/14::cyoichi@maple.ocn.ne.jp:Chonan Yoichi:
-○:sudo:1.7.2p1:0000/00/00:sudo:8:2009/11/14:B:cyoichi@maple.ocn.ne.jp:Chonan Yoichi:
-○:sudo:1.7.2p1:0000/00/00:visudo:8:2009/11/14:B:cyoichi@maple.ocn.ne.jp:Chonan Yoichi:
+☆:sudo:1.7.2p1=>1.8.4p4:2012/02/05:sudoers:5:2009/11/24:B:cyoichi@maple.ocn.ne.jp:Chonan Yoichi:
+☆:sudo:1.7.2p1=>1.8.4p4:2012/01/06:sudoers.ldap:5:2009/11/14::cyoichi@maple.ocn.ne.jp:Chonan Yoichi:
+☆:sudo:1.7.2p1=>1.8.4p4:2012/02/05:sudo:8:2009/11/14:B:cyoichi@maple.ocn.ne.jp:Chonan Yoichi:
+×:sudo:1.8.4p4:2012/01/06:sudo_plugin:8:::::
+@:sudo:1.8.4p4:2012/02/05:sudoedit:8:sudo:8:
+×:sudo:1.8.4p4:2012/01/06:sudoreplay:8:::::
+☆:sudo:1.7.2p1=>1.8.4p4:2012/03/12:visudo:8:2009/11/14:B:cyoichi@maple.ocn.ne.jp:Chonan Yoichi:
OSDN Git Service
