1SUDO.CONF(5) BSD File Formats Manual SUDO.CONF(5)
2
4 sudo.conf — configuration for sudo front end
5
7 The sudo.conf file is used to configure the sudo front end. It specifies
8 the security policy and I/O logging plugins, debug flags as well as plug‐
9 in-agnostic path names and settings.
10 The sudo.conf file supports the following directives, described in detail
12 below.
13 Plugin a security policy or I/O logging plugin
15 Path a plugin-agnostic path
17 Set a front end setting, such as disable_coredump or group_source
19 Debug debug flags to aid in debugging sudo, sudoreplay, visudo, and
21 the sudoers plugin.
22 The pound sign (‘#’) is used to indicate a comment. Both the comment
24 character and any text after it, up to the end of the line, are ignored.
25 Long lines can be continued with a backslash (‘\’) as the last character
27 on the line. Note that leading white space is removed from the beginning
28 of lines even when the continuation character is used.
29 Non-comment lines that don't begin with Plugin, Path, Debug, or Set are
31 silently ignored.
32 The sudo.conf file is always parsed in the “C” locale.
34 Plugin configuration
36 sudo supports a plugin architecture for security policies and input/out‐
37 put logging. Third parties can develop and distribute their own policy
38 and I/O logging plugins to work seamlessly with the sudo front end.
39 Plugins are dynamically loaded based on the contents of sudo.conf.
40 A Plugin line consists of the Plugin keyword, followed by the symbol_name
42 and the path to the dynamic shared object that contains the plugin. The
43 symbol_name is the name of the struct policy_plugin or struct io_plugin
44 symbol contained in the plugin. The path may be fully qualified or rela‐
45 tive. If not fully qualified, it is relative to the directory specified
46 by the plugin_dir Path setting, which defaults to /usr/libexec/sudo. In
47 other words:
48 Plugin sudoers_policy sudoers.so
50 is equivalent to:
52 Plugin sudoers_policy /usr/libexec/sudo/sudoers.so
54 If the plugin was compiled statically into the sudo binary instead of
56 being installed as a dynamic shared object, the path should be specified
57 without a leading directory, as it does not actually exist in the file
58 system. For example:
59 Plugin sudoers_policy sudoers.so
61 Starting with sudo 1.8.5, any additional parameters after the path are
63 passed as arguments to the plugin's open function. For example, to over‐
64 ride the compile-time default sudoers file mode:
65 Plugin sudoers_policy sudoers.so sudoers_mode=0440
67 See the sudoers(5) manual for a list of supported arguments.
69 The same dynamic shared object may contain multiple plugins, each with a
71 different symbol name. The file must be owned by uid 0 and only writable
72 by its owner. Because of ambiguities that arise from composite policies,
73 only a single policy plugin may be specified. This limitation does not
74 apply to I/O plugins.
75 If no sudo.conf file is present, or if it contains no Plugin lines, the
77 sudoers plugin will be used as the default security policy and for I/O
78 logging (if enabled by the policy). This is equivalent to the following:
79 Plugin sudoers_policy sudoers.so
81 Plugin sudoers_io sudoers.so
82 For more information on the sudo plugin architecture, see the
84 sudo_plugin(5) manual.
85 Path settings
87 A Path line consists of the Path keyword, followed by the name of the
88 path to set and its value. For example:
89 Path noexec /usr/libexec/sudo/sudo_noexec.so
91 Path askpass /usr/X11R6/bin/ssh-askpass
92 If no path name is specified, features relying on the specified setting
94 will be disabled. Disabling Path settings is only supported in sudo ver‐
95 sion 1.8.16 and higher.
96 The following plugin-agnostic paths may be set in the /etc/sudo.conf
98 file:
99 askpass The fully qualified path to a helper program used to read the
101 user's password when no terminal is available. This may be the
102 case when sudo is executed from a graphical (as opposed to
103 text-based) application. The program specified by askpass
104 should display the argument passed to it as the prompt and
105 write the user's password to the standard output. The value of
106 askpass may be overridden by the SUDO_ASKPASS environment vari‐
107 able.
108 devsearch
110 An ordered, colon-separated search path of directories to look
111 in for device nodes. This is used when mapping the process's
112 tty device number to a device name on systems that do not pro‐
113 vide such a mechanism. Sudo will not recurse into sub-directo‐
114 ries. If terminal devices may be located in a sub-directory of
115 /dev, that path must be explicitly listed in devsearch. The
116 default value is:
117 /dev/pts:/dev/vt:/dev/term:/dev/zcons:/dev/pty:/dev
118 This option is ignored on systems that support either the
120 devname() or _ttyname_dev() functions, for example BSD, macOS
121 and Solaris.
122 noexec The fully-qualified path to a shared library containing wrap‐
124 pers for the execl(), execle(), execlp(), exect(), execv(),
125 execve(), execvP(), execvp(), execvpe(), fexecve(), popen(),
126 posix_spawn(), posix_spawnp(), system(), and wordexp() library
127 functions that prevent the execution of further commands. This
128 is used to implement the noexec functionality on systems that
129 support LD_PRELOAD or its equivalent. The default value is:
130 /usr/libexec/sudo/sudo_noexec.so.
131 plugin_dir
133 The default directory to use when searching for plugins that
134 are specified without a fully qualified path name. The default
135 value is /usr/libexec/sudo.
136 sesh The fully-qualified path to the sesh binary. This setting is
138 only used when sudo is built with SELinux support. The default
139 value is /usr/libexec/sudo/sesh.
140 Other settings
142 The sudo.conf file also supports the following front end settings:
143 disable_coredump
145 Core dumps of sudo itself are disabled by default to prevent
146 the disclosure of potentially sensitive information. To aid in
147 debugging sudo crashes, you may wish to re-enable core dumps by
148 setting “disable_coredump” to false in sudo.conf as follows:
149 Set disable_coredump false
151 All modern operating systems place restrictions on core dumps
153 from setuid processes like sudo so this option can be enabled
154 without compromising security. To actually get a sudo core
155 file you will likely need to enable core dumps for setuid pro‐
156 cesses. On BSD and Linux systems this is accomplished in the
157 sysctl command. On Solaris, the coreadm command is used to
158 configure core dump behavior.
159 This setting is only available in sudo version 1.8.4 and
161 higher.
162 group_source
164 sudo passes the invoking user's group list to the policy and
165 I/O plugins. On most systems, there is an upper limit to the
166 number of groups that a user may belong to simultaneously (typ‐
167 ically 16 for compatibility with NFS). On systems with the
168 getconf(1) utility, running:
169 getconf NGROUPS_MAX
170 will return the maximum number of groups.
171 However, it is still possible to be a member of a larger number
173 of groups--they simply won't be included in the group list
174 returned by the kernel for the user. Starting with sudo ver‐
175 sion 1.8.7, if the user's kernel group list has the maximum
176 number of entries, sudo will consult the group database
177 directly to determine the group list. This makes it possible
178 for the security policy to perform matching by group name even
179 when the user is a member of more than the maximum number of
180 groups.
181 The group_source setting allows the administrator to change
183 this default behavior. Supported values for group_source are:
184 static Use the static group list that the kernel returns.
186 Retrieving the group list this way is very fast but
187 it is subject to an upper limit as described above.
188 It is “static” in that it does not reflect changes to
189 the group database made after the user logs in. This
190 was the default behavior prior to sudo 1.8.7.
191 dynamic Always query the group database directly. It is
193 “dynamic” in that changes made to the group database
194 after the user logs in will be reflected in the group
195 list. On some systems, querying the group database
196 for all of a user's groups can be time consuming when
197 querying a network-based group database. Most oper‐
198 ating systems provide an efficient method of perform‐
199 ing such queries. Currently, sudo supports efficient
200 group queries on AIX, BSD, HP-UX, Linux and Solaris.
201 adaptive Only query the group database if the static group
203 list returned by the kernel has the maximum number of
204 entries. This is the default behavior in sudo 1.8.7
205 and higher.
206 For example, to cause sudo to only use the kernel's static list
208 of groups for the user:
209 Set group_source static
211 This setting is only available in sudo version 1.8.7 and
213 higher.
214 max_groups
216 The maximum number of user groups to retrieve from the group
217 database. Values less than one will be ignored. This setting
218 is only used when querying the group database directly. It is
219 intended to be used on systems where it is not possible to
220 detect when the array to be populated with group entries is not
221 sufficiently large. By default, sudo will allocate four times
222 the system's maximum number of groups (see above) and retry
223 with double that number if the group database query fails.
224 However, some systems just return as many entries as will fit
225 and do not indicate an error when there is a lack of space.
226 This setting is only available in sudo version 1.8.7 and
228 higher.
229 probe_interfaces
231 By default, sudo will probe the system's network interfaces and
232 pass the IP address of each enabled interface to the policy
233 plugin. This makes it possible for the plugin to match rules
234 based on the IP address without having to query DNS. On Linux
235 systems with a large number of virtual interfaces, this may
236 take a non-negligible amount of time. If IP-based matching is
237 not required, network interface probing can be disabled as fol‐
238 lows:
239 Set probe_interfaces false
241 This setting is only available in sudo version 1.8.10 and
243 higher.
244 Debug flags
246 sudo versions 1.8.4 and higher support a flexible debugging framework
247 that can help track down what sudo is doing internally if there is a
248 problem.
249 A Debug line consists of the Debug keyword, followed by the name of the
251 program (or plugin) to debug (sudo, visudo, sudoreplay, sudoers), the
252 debug file name and a comma-separated list of debug flags. The debug
253 flag syntax used by sudo and the sudoers plugin is subsystem@priority but
254 a plugin is free to use a different format so long as it does not include
255 a comma (‘,’).
256 For example:
258 Debug sudo /var/log/sudo_debug all@warn,plugin@info
260 would log all debugging statements at the warn level and higher in addi‐
262 tion to those at the info level for the plugin subsystem.
263 As of sudo 1.8.12, multiple Debug entries may be specified per program.
265 Older versions of sudo only support a single Debug entry per program.
266 Plugin-specific Debug entries are also supported starting with sudo
267 1.8.12 and are matched by either the base name of the plugin that was
268 loaded (for example sudoers.so) or by the plugin's fully-qualified path
269 name. Previously, the sudoers plugin shared the same Debug entry as the
270 sudo front end and could not be configured separately.
271 The following priorities are supported, in order of decreasing severity:
273 crit, err, warn, notice, diag, info, trace and debug. Each priority,
274 when specified, also includes all priorities higher than it. For exam‐
275 ple, a priority of notice would include debug messages logged at notice
276 and higher.
277 The priorities trace and debug also include function call tracing which
279 logs when a function is entered and when it returns. For example, the
280 following trace is for the get_user_groups() function located in
281 src/sudo.c:
282 sudo[123] -> get_user_groups @ src/sudo.c:385
284 sudo[123] <- get_user_groups @ src/sudo.c:429 := groups=10,0,5
285 When the function is entered, indicated by a right arrow ‘->’, the pro‐
287 gram, process ID, function, source file and line number are logged. When
288 the function returns, indicated by a left arrow ‘<-’, the same informa‐
289 tion is logged along with the return value. In this case, the return
290 value is a string.
291 The following subsystems are used by the sudo front-end:
293 all matches every subsystem
295 args command line argument processing
297 conv user conversation
299 edit sudoedit
301 event event subsystem
303 exec command execution
305 main sudo main function
307 netif network interface handling
309 pcomm communication with the plugin
311 plugin plugin configuration
313 pty pseudo-tty related code
315 selinux SELinux-specific handling
317 util utility functions
319 utmp utmp handling
321 The sudoers(5) plugin includes support for additional subsystems.
323
325 /etc/sudo.conf sudo front end configuration
326
328 #
329 # Default /etc/sudo.conf file
330 #
331 # Format:
332 # Plugin plugin_name plugin_path plugin_options ...
333 # Path askpass /path/to/askpass
334 # Path noexec /path/to/sudo_noexec.so
335 # Debug sudo /var/log/sudo_debug all@warn
336 # Set disable_coredump true
337 #
338 # The plugin_path is relative to /usr/libexec/sudo unless
339 # fully qualified.
340 # The plugin_name corresponds to a global symbol in the plugin
341 # that contains the plugin interface structure.
342 # The plugin_options are optional.
343 #
344 # The sudoers plugin is used by default if no Plugin lines are
345 # present.
346 Plugin sudoers_policy sudoers.so
347 Plugin sudoers_io sudoers.so
348 #
350 # Sudo askpass:
351 #
352 # An askpass helper program may be specified to provide a graphical
353 # password prompt for "sudo -A" support. Sudo does not ship with
354 # its own askpass program but can use the OpenSSH askpass.
355 #
356 # Use the OpenSSH askpass
357 #Path askpass /usr/X11R6/bin/ssh-askpass
358 #
359 # Use the Gnome OpenSSH askpass
360 #Path askpass /usr/libexec/openssh/gnome-ssh-askpass
361 #
363 # Sudo noexec:
364 #
365 # Path to a shared library containing dummy versions of the execv(),
366 # execve() and fexecve() library functions that just return an error.
367 # This is used to implement the "noexec" functionality on systems that
368 # support C<LD_PRELOAD> or its equivalent.
369 # The compiled-in value is usually sufficient and should only be
370 # changed if you rename or move the sudo_noexec.so file.
371 #
372 #Path noexec /usr/libexec/sudo/sudo_noexec.so
373 #
375 # Core dumps:
376 #
377 # By default, sudo disables core dumps while it is executing
378 # (they are re-enabled for the command that is run).
379 # To aid in debugging sudo problems, you may wish to enable core
380 # dumps by setting "disable_coredump" to false.
381 #
382 #Set disable_coredump false
383 #
385 # User groups:
386 #
387 # Sudo passes the user's group list to the policy plugin.
388 # If the user is a member of the maximum number of groups (usually 16),
389 # sudo will query the group database directly to be sure to include
390 # the full list of groups.
391 #
392 # On some systems, this can be expensive so the behavior is configurable.
393 # The "group_source" setting has three possible values:
394 # static - use the user's list of groups returned by the kernel.
395 # dynamic - query the group database to find the list of groups.
396 # adaptive - if user is in less than the maximum number of groups.
397 # use the kernel list, else query the group database.
398 #
399 #Set group_source static
400
402 sudoers(5), sudo(8), sudo_plugin(5)
403
405 See the HISTORY file in the sudo distribution (https://www.sudo.ws/his‐
406 tory.html) for a brief history of sudo.
407
409 Many people have worked on sudo over the years; this version consists of
410 code written primarily by:
411 Todd C. Miller
413 See the CONTRIBUTORS file in the sudo distribution
415 (https://www.sudo.ws/contributors.html) for an exhaustive list of people
416 who have contributed to sudo.
417
419 If you feel you have found a bug in sudo, please submit a bug report at
420 https://bugzilla.sudo.ws/
421
423 Limited free support is available via the sudo-users mailing list, see
424 https://www.sudo.ws/mailman/listinfo/sudo-users to subscribe or search
425 the archives.
426
428 sudo is provided “AS IS” and any express or implied warranties, includ‐
429 ing, but not limited to, the implied warranties of merchantability and
430 fitness for a particular purpose are disclaimed. See the LICENSE file
431 distributed with sudo or https://www.sudo.ws/license.html for complete
432 details.
433Sudo 1.8.23 July 21, 2017 Sudo 1.8.23