1SUDO.CONF(5)                BSD File Formats Manual               SUDO.CONF(5)
2

NAME

4     sudo.conf — configuration for sudo front end
5

DESCRIPTION

7     The sudo.conf file is used to configure the sudo front end.  It specifies
8     the security policy and I/O logging plugins, debug flags as well as plug‐
9     in-agnostic path names and settings.
10
11     The sudo.conf file supports the following directives, described in detail
12     below.
13
14     Plugin    a security policy or I/O logging plugin
15
16     Path      a plugin-agnostic path
17
18     Set       a front end setting, such as disable_coredump or group_source
19
20     Debug     debug flags to aid in debugging sudo, sudoreplay, visudo, and
21               the sudoers plugin.
22
23     The pound sign (‘#’) is used to indicate a comment.  Both the comment
24     character and any text after it, up to the end of the line, are ignored.
25
26     Long lines can be continued with a backslash (‘\’) as the last character
27     on the line.  Note that leading white space is removed from the beginning
28     of lines even when the continuation character is used.
29
30     Non-comment lines that don't begin with Plugin, Path, Debug, or Set are
31     silently ignored.
32
33     The sudo.conf file is always parsed in the “C” locale.
34
35   Plugin configuration
36     sudo supports a plugin architecture for security policies and input/out‐
37     put logging.  Third parties can develop and distribute their own policy
38     and I/O logging plugins to work seamlessly with the sudo front end.
39     Plugins are dynamically loaded based on the contents of sudo.conf.
40
41     A Plugin line consists of the Plugin keyword, followed by the symbol_name
42     and the path to the dynamic shared object that contains the plugin.  The
43     symbol_name is the name of the struct policy_plugin or struct io_plugin
44     symbol contained in the plugin.  The path may be fully qualified or rela‐
45     tive.  If not fully qualified, it is relative to the directory specified
46     by the plugin_dir Path setting, which defaults to /usr/libexec/sudo.  In
47     other words:
48
49           Plugin sudoers_policy sudoers.so
50
51     is equivalent to:
52
53           Plugin sudoers_policy /usr/libexec/sudo/sudoers.so
54
55     If the plugin was compiled statically into the sudo binary instead of
56     being installed as a dynamic shared object, the path should be specified
57     without a leading directory, as it does not actually exist in the file
58     system.  For example:
59
60           Plugin sudoers_policy sudoers.so
61
62     Starting with sudo 1.8.5, any additional parameters after the path are
63     passed as arguments to the plugin's open function.  For example, to over‐
64     ride the compile-time default sudoers file mode:
65
66           Plugin sudoers_policy sudoers.so sudoers_mode=0440
67
68     See the sudoers(5) manual for a list of supported arguments.
69
70     The same dynamic shared object may contain multiple plugins, each with a
71     different symbol name.  The file must be owned by uid 0 and only writable
72     by its owner.  Because of ambiguities that arise from composite policies,
73     only a single policy plugin may be specified.  This limitation does not
74     apply to I/O plugins.
75
76     If no sudo.conf file is present, or if it contains no Plugin lines, the
77     sudoers plugin will be used as the default security policy and for I/O
78     logging (if enabled by the policy).  This is equivalent to the following:
79
80           Plugin sudoers_policy sudoers.so
81           Plugin sudoers_io sudoers.so
82
83     For more information on the sudo plugin architecture, see the
84     sudo_plugin(5) manual.
85
86   Path settings
87     A Path line consists of the Path keyword, followed by the name of the
88     path to set and its value.  For example:
89
90           Path noexec /usr/libexec/sudo/sudo_noexec.so
91           Path askpass /usr/X11R6/bin/ssh-askpass
92
93     If no path name is specified, features relying on the specified setting
94     will be disabled.  Disabling Path settings is only supported in sudo ver‐
95     sion 1.8.16 and higher.
96
97     The following plugin-agnostic paths may be set in the /etc/sudo.conf
98     file:
99
100     askpass   The fully qualified path to a helper program used to read the
101               user's password when no terminal is available.  This may be the
102               case when sudo is executed from a graphical (as opposed to
103               text-based) application.  The program specified by askpass
104               should display the argument passed to it as the prompt and
105               write the user's password to the standard output.  The value of
106               askpass may be overridden by the SUDO_ASKPASS environment vari‐
107               able.
108
109     devsearch
110               An ordered, colon-separated search path of directories to look
111               in for device nodes.  This is used when mapping the process's
112               tty device number to a device name on systems that do not pro‐
113               vide such a mechanism.  Sudo will not recurse into sub-directo‐
114               ries.  If terminal devices may be located in a sub-directory of
115               /dev, that path must be explicitly listed in devsearch.  The
116               default value is
117               /dev/pts:/dev/vt:/dev/term:/dev/zcons:/dev/pty:/dev
118
119               This option is ignored on systems that support either the
120               devname() or _ttyname_dev() functions, for example BSD, macOS
121               and Solaris.
122
123     noexec    The fully-qualified path to a shared library containing wrap‐
124               pers for the execl(), execle(), execlp(), exect(), execv(),
125               execve(), execvP(), execvp(), execvpe(), fexecve(), popen(),
126               posix_spawn(), posix_spawnp(), system(), and wordexp() library
127               functions that prevent the execution of further commands.  This
128               is used to implement the noexec functionality on systems that
129               support LD_PRELOAD or its equivalent.  The default value is
130               /usr/libexec/sudo/sudo_noexec.so.
131
132     plugin_dir
133               The default directory to use when searching for plugins that
134               are specified without a fully qualified path name.  The default
135               value is /usr/libexec/sudo.
136
137     sesh      The fully-qualified path to the sesh binary.  This setting is
138               only used when sudo is built with SELinux support.  The default
139               value is /usr/libexec/sudo/sesh.
140
141   Other settings
142     The sudo.conf file also supports the following front end settings:
143
144     disable_coredump
145               Core dumps of sudo itself are disabled by default to prevent
146               the disclosure of potentially sensitive information.  To aid in
147               debugging sudo crashes, you may wish to re-enable core dumps by
148               setting “disable_coredump” to false in sudo.conf as follows:
149
150                     Set disable_coredump false
151
152               All modern operating systems place restrictions on core dumps
153               from set-user-ID processes like sudo so this option can be
154               enabled without compromising security.  To actually get a sudo
155               core file you will likely need to enable core dumps for set-
156               user-ID processes.  On BSD and Linux systems this is accom‐
157               plished in the sysctl(8) command.  On Solaris, the coreadm(1m)
158               command is used to configure core dump behavior.
159
160               This setting is only available in sudo version 1.8.4 and
161               higher.
162
163     developer_mode
164               By default sudo refuses to load plugins which can be modified
165               by other than the root user.  The plugin should be owned by
166               root and write access permissions should be disabled for
167               “group” and “other”.  To make development of a plugin easier,
168               you can disable that by setting “developer_mode” option to true
169               in sudo.conf as follows:
170
171                     Set developer_mode true
172
173               Please note that this creates a security risk, so it is not
174               recommended on critical systems such as a desktop machine for
175               daily use, but is intended to be used in development environ‐
176               ments (VM, container, etc).  Before enabling developer mode,
177               ensure you understand the implications.
178
179               This setting is only available in sudo version 1.9.0 and
180               higher.
181
182     group_source
183               sudo passes the invoking user's group list to the policy and
184               I/O plugins.  On most systems, there is an upper limit to the
185               number of groups that a user may belong to simultaneously (typ‐
186               ically 16 for compatibility with NFS).  On systems with the
187               getconf(1) utility, running:
188                     getconf NGROUPS_MAX
189               will return the maximum number of groups.
190
191               However, it is still possible to be a member of a larger number
192               of groups--they simply won't be included in the group list
193               returned by the kernel for the user.  Starting with sudo ver‐
194               sion 1.8.7, if the user's kernel group list has the maximum
195               number of entries, sudo will consult the group database
196               directly to determine the group list.  This makes it possible
197               for the security policy to perform matching by group name even
198               when the user is a member of more than the maximum number of
199               groups.
200
201               The group_source setting allows the administrator to change
202               this default behavior.  Supported values for group_source are:
203
204               static    Use the static group list that the kernel returns.
205                         Retrieving the group list this way is very fast but
206                         it is subject to an upper limit as described above.
207                         It is “static” in that it does not reflect changes to
208                         the group database made after the user logs in.  This
209                         was the default behavior prior to sudo 1.8.7.
210
211               dynamic   Always query the group database directly.  It is
212                         “dynamic” in that changes made to the group database
213                         after the user logs in will be reflected in the group
214                         list.  On some systems, querying the group database
215                         for all of a user's groups can be time consuming when
216                         querying a network-based group database.  Most oper‐
217                         ating systems provide an efficient method of perform‐
218                         ing such queries.  Currently, sudo supports efficient
219                         group queries on AIX, BSD, HP-UX, Linux and Solaris.
220
221               adaptive  Only query the group database if the static group
222                         list returned by the kernel has the maximum number of
223                         entries.  This is the default behavior in sudo 1.8.7
224                         and higher.
225
226               For example, to cause sudo to only use the kernel's static list
227               of groups for the user:
228
229                     Set group_source static
230
231               This setting is only available in sudo version 1.8.7 and
232               higher.
233
234     max_groups
235               The maximum number of user groups to retrieve from the group
236               database.  Values less than one will be ignored.  This setting
237               is only used when querying the group database directly.  It is
238               intended to be used on systems where it is not possible to
239               detect when the array to be populated with group entries is not
240               sufficiently large.  By default, sudo will allocate four times
241               the system's maximum number of groups (see above) and retry
242               with double that number if the group database query fails.
243
244               This setting is only available in sudo version 1.8.7 and
245               higher.  It should not be required in sudo versions 1.8.24 and
246               higher and may be removed in a later release.
247
248     probe_interfaces
249               By default, sudo will probe the system's network interfaces and
250               pass the IP address of each enabled interface to the policy
251               plugin.  This makes it possible for the plugin to match rules
252               based on the IP address without having to query DNS.  On Linux
253               systems with a large number of virtual interfaces, this may
254               take a non-negligible amount of time.  If IP-based matching is
255               not required, network interface probing can be disabled as fol‐
256               lows:
257
258                     Set probe_interfaces false
259
260               This setting is only available in sudo version 1.8.10 and
261               higher.
262
263   Debug flags
264     sudo versions 1.8.4 and higher support a flexible debugging framework
265     that can help track down what sudo is doing internally if there is a
266     problem.
267
268     A Debug line consists of the Debug keyword, followed by the name of the
269     program (or plugin) to debug (sudo, visudo, sudoreplay, sudoers), the
270     debug file name and a comma-separated list of debug flags.  The debug
271     flag syntax used by sudo and the sudoers plugin is subsystem@priority but
272     a plugin is free to use a different format so long as it does not include
273     a comma (‘,’).
274
275     For example:
276
277           Debug sudo /var/log/sudo_debug all@warn,plugin@info
278
279     would log all debugging statements at the warn level and higher in addi‐
280     tion to those at the info level for the plugin subsystem.
281
282     As of sudo 1.8.12, multiple Debug entries may be specified per program.
283     Older versions of sudo only support a single Debug entry per program.
284     Plugin-specific Debug entries are also supported starting with sudo
285     1.8.12 and are matched by either the base name of the plugin that was
286     loaded (for example sudoers.so) or by the plugin's fully-qualified path
287     name.  Previously, the sudoers plugin shared the same Debug entry as the
288     sudo front end and could not be configured separately.
289
290     The following priorities are supported, in order of decreasing severity:
291     crit, err, warn, notice, diag, info, trace and debug.  Each priority,
292     when specified, also includes all priorities higher than it.  For exam‐
293     ple, a priority of notice would include debug messages logged at notice
294     and higher.
295
296     The priorities trace and debug also include function call tracing which
297     logs when a function is entered and when it returns.  For example, the
298     following trace is for the get_user_groups() function located in
299     src/sudo.c:
300
301           sudo[123] -> get_user_groups @ src/sudo.c:385
302           sudo[123] <- get_user_groups @ src/sudo.c:429 := groups=10,0,5
303
304     When the function is entered, indicated by a right arrow ‘->’, the pro‐
305     gram, process ID, function, source file and line number are logged.  When
306     the function returns, indicated by a left arrow ‘<-’, the same informa‐
307     tion is logged along with the return value.  In this case, the return
308     value is a string.
309
310     The following subsystems are used by the sudo front-end:
311
312     all         matches every subsystem
313
314     args        command line argument processing
315
316     conv        user conversation
317
318     edit        sudoedit
319
320     event       event subsystem
321
322     exec        command execution
323
324     main        sudo main function
325
326     netif       network interface handling
327
328     pcomm       communication with the plugin
329
330     plugin      plugin configuration
331
332     pty         pseudo-terminal related code
333
334     selinux     SELinux-specific handling
335
336     util        utility functions
337
338     utmp        utmp handling
339
340     The sudoers(5) plugin includes support for additional subsystems.
341

FILES

343     /etc/sudo.conf            sudo front end configuration
344

EXAMPLES

346     #
347     # Default /etc/sudo.conf file
348     #
349     # Sudo plugins:
350     #   Plugin plugin_name plugin_path plugin_options ...
351     #
352     # The plugin_path is relative to /usr/libexec/sudo unless
353     #   fully qualified.
354     # The plugin_name corresponds to a global symbol in the plugin
355     #   that contains the plugin interface structure.
356     # The plugin_options are optional.
357     #
358     # The sudoers plugin is used by default if no Plugin lines are present.
359     Plugin sudoers_policy sudoers.so
360     Plugin sudoers_io sudoers.so
361
362     #
363     # Sudo askpass:
364     #   Path askpass /path/to/askpass
365     #
366     # An askpass helper program may be specified to provide a graphical
367     # password prompt for "sudo -A" support.  Sudo does not ship with its
368     # own askpass program but can use the OpenSSH askpass.
369     #
370     # Use the OpenSSH askpass
371     #Path askpass /usr/X11R6/bin/ssh-askpass
372     #
373     # Use the Gnome OpenSSH askpass
374     #Path askpass /usr/libexec/openssh/gnome-ssh-askpass
375
376     #
377     # Sudo device search path:
378     #   Path devsearch /dev/path1:/dev/path2:/dev
379     #
380     # A colon-separated list of paths to check when searching for a user's
381     # terminal device.
382     #
383     #Path devsearch /dev/pts:/dev/vt:/dev/term:/dev/zcons:/dev/pty:/dev
384
385     #
386     # Sudo noexec:
387     #   Path noexec /path/to/sudo_noexec.so
388     #
389     # Path to a shared library containing dummy versions of the execv(),
390     # execve() and fexecve() library functions that just return an error.
391     # This is used to implement the "noexec" functionality on systems that
392     # support LD_PRELOAD or its equivalent.
393     #
394     # The compiled-in value is usually sufficient and should only be changed
395     # if you rename or move the sudo_noexec.so file.
396     #
397     #Path noexec /usr/libexec/sudo/sudo_noexec.so
398
399     #
400     # Sudo plugin directory:
401     #   Path plugin_dir /path/to/plugins
402     #
403     # The default directory to use when searching for plugins that are
404     # specified without a fully qualified path name.
405     #
406     #Path plugin_dir /usr/libexec/sudo
407
408     #
409     # Sudo developer mode:
410     #   Set developer_mode true|false
411     #
412     # Allow loading of plugins that are owned by non-root or are writable
413     # by "group" or "other".  Should only be used during plugin development.
414     #Set developer_mode true
415
416     #
417     # Core dumps:
418     #   Set disable_coredump true|false
419     #
420     # By default, sudo disables core dumps while it is executing (they
421     # are re-enabled for the command that is run).
422     # To aid in debugging sudo problems, you may wish to enable core
423     # dumps by setting "disable_coredump" to false.
424     #
425     #Set disable_coredump false
426
427     #
428     # User groups:
429     #   Set group_source static|dynamic|adaptive
430     #
431     # Sudo passes the user's group list to the policy plugin.
432     # If the user is a member of the maximum number of groups (usually 16),
433     # sudo will query the group database directly to be sure to include
434     # the full list of groups.
435     #
436     # On some systems, this can be expensive so the behavior is configurable.
437     # The "group_source" setting has three possible values:
438     #   static   - use the user's list of groups returned by the kernel.
439     #   dynamic  - query the group database to find the list of groups.
440     #   adaptive - if user is in less than the maximum number of groups.
441     #              use the kernel list, else query the group database.
442     #
443     #Set group_source static
444
445     #
446     # Sudo interface probing:
447     #   Set probe_interfaces true|false
448     #
449     # By default, sudo will probe the system's network interfaces and
450     # pass the IP address of each enabled interface to the policy plugin.
451     # On systems with a large number of virtual interfaces this may take
452     # a noticeable amount of time.
453     #
454     #Set probe_interfaces false
455
456     #
457     # Sudo debug files:
458     #   Debug program /path/to/debug_log subsystem@priority[,subsyste@priority]
459     #
460     # Sudo and related programs support logging debug information to a file.
461     # The program is typically sudo, sudoers.so, sudoreplay or visudo.
462     #
463     # Subsystems vary based on the program; "all" matches all subsystems.
464     # Priority may be crit, err, warn, notice, diag, info, trace or debug.
465     # Multiple subsystem@priority may be specified, separated by a comma.
466     #
467     #Debug sudo /var/log/sudo_debug all@debug
468     #Debug sudoers.so /var/log/sudoers_debug all@debug
469

SEE ALSO

471     sudo_plugin(5), sudoers(5), sudo(8)
472

HISTORY

474     See the HISTORY file in the sudo distribution (https://www.sudo.ws/his
475     tory.html) for a brief history of sudo.
476

AUTHORS

478     Many people have worked on sudo over the years; this version consists of
479     code written primarily by:
480
481           Todd C. Miller
482
483     See the CONTRIBUTORS file in the sudo distribution
484     (https://www.sudo.ws/contributors.html) for an exhaustive list of people
485     who have contributed to sudo.
486

BUGS

488     If you feel you have found a bug in sudo, please submit a bug report at
489     https://bugzilla.sudo.ws/
490

SUPPORT

492     Limited free support is available via the sudo-users mailing list, see
493     https://www.sudo.ws/mailman/listinfo/sudo-users to subscribe or search
494     the archives.
495

DISCLAIMER

497     sudo is provided “AS IS” and any express or implied warranties, includ‐
498     ing, but not limited to, the implied warranties of merchantability and
499     fitness for a particular purpose are disclaimed.  See the LICENSE file
500     distributed with sudo or https://www.sudo.ws/license.html for complete
501     details.
502
503Sudo 1.9.0b4                   October 20, 2019                   Sudo 1.9.0b4
Impressum