1SUDO_PLUGIN(5) BSD File Formats Manual SUDO_PLUGIN(5)
2
4 sudo_plugin — Sudo Plugin API
5
7 Starting with version 1.8, sudo supports a plugin API for policy and ses‐
8 sion logging. Plugins may be compiled as dynamic shared objects (the
9 default on systems that support them) or compiled statically into the
10 sudo binary itself. By default, the sudoers policy plugin and an associ‐
11 ated I/O logging plugin are used. Via the plugin API, sudo can be con‐
12 figured to use alternate policy and/or I/O logging plugins provided by
13 third parties. The plugins to be used are specified in the sudo.conf(5)
14 file.
15
16 The API is versioned with a major and minor number. The minor version
17 number is incremented when additions are made. The major number is
18 incremented when incompatible changes are made. A plugin should be check
19 the version passed to it and make sure that the major version matches.
20
21 The plugin API is defined by the sudo_plugin.h header file.
22
23 Policy plugin API
24 A policy plugin must declare and populate a policy_plugin struct in the
25 global scope. This structure contains pointers to the functions that
26 implement the sudo policy checks. The name of the symbol should be spec‐
27 ified in sudo.conf(5) along with a path to the plugin so that sudo can
28 load it.
29
30 struct policy_plugin {
31 #define SUDO_POLICY_PLUGIN 1
32 unsigned int type; /* always SUDO_POLICY_PLUGIN */
33 unsigned int version; /* always SUDO_API_VERSION */
34 int (*open)(unsigned int version, sudo_conv_t conversation,
35 sudo_printf_t plugin_printf, char * const settings[],
36 char * const user_info[], char * const user_env[],
37 char * const plugin_options[]);
38 void (*close)(int exit_status, int error);
39 int (*show_version)(int verbose);
40 int (*check_policy)(int argc, char * const argv[],
41 char *env_add[], char **command_info[],
42 char **argv_out[], char **user_env_out[]);
43 int (*list)(int argc, char * const argv[], int verbose,
44 const char *list_user);
45 int (*validate)(void);
46 void (*invalidate)(int remove);
47 int (*init_session)(struct passwd *pwd, char **user_env[]);
48 void (*register_hooks)(int version,
49 int (*register_hook)(struct sudo_hook *hook));
50 void (*deregister_hooks)(int version,
51 int (*deregister_hook)(struct sudo_hook *hook));
52 };
53
54 The policy_plugin struct has the following fields:
55
56 type The type field should always be set to SUDO_POLICY_PLUGIN.
57
58 version
59 The version field should be set to SUDO_API_VERSION.
60
61 This allows sudo to determine the API version the plugin was built
62 against.
63
64 open
65 int (*open)(unsigned int version, sudo_conv_t conversation,
66 sudo_printf_t plugin_printf, char * const settings[],
67 char * const user_info[], char * const user_env[],
68 char * const plugin_options[]);
69
70 Returns 1 on success, 0 on failure, -1 if a general error occurred,
71 or -2 if there was a usage error. In the latter case, sudo will
72 print a usage message before it exits. If an error occurs, the
73 plugin may optionally call the conversation() or plugin_printf()
74 function with SUDO_CONF_ERROR_MSG to present additional error
75 information to the user.
76
77 The function arguments are as follows:
78
79 version
80 The version passed in by sudo allows the plugin to determine
81 the major and minor version number of the plugin API sup‐
82 ported by sudo.
83
84 conversation
85 A pointer to the conversation() function that can be used by
86 the plugin to interact with the user (see below). Returns 0
87 on success and -1 on failure.
88
89 plugin_printf
90 A pointer to a printf()-style function that may be used to
91 display informational or error messages (see below). Returns
92 the number of characters printed on success and -1 on fail‐
93 ure.
94
95 settings
96 A vector of user-supplied sudo settings in the form of
97 “name=value” strings. The vector is terminated by a NULL
98 pointer. These settings correspond to flags the user speci‐
99 fied when running sudo. As such, they will only be present
100 when the corresponding flag has been specified on the command
101 line.
102
103 When parsing settings, the plugin should split on the first
104 equal sign (‘=’) since the name field will never include one
105 itself but the value might.
106
107 bsdauth_type=string
108 Authentication type, if specified by the -a flag, to
109 use on systems where BSD authentication is supported.
110
111 closefrom=number
112 If specified, the user has requested via the -C flag
113 that sudo close all files descriptors with a value of
114 number or higher. The plugin may optionally pass this,
115 or another value, back in the command_info list.
116
117 debug_flags=string
118 A debug file path name followed by a space and a comma-
119 separated list of debug flags that correspond to the
120 plugin's Debug entry in sudo.conf(5), if there is one.
121 The flags are passed to the plugin exactly as they
122 appear in sudo.conf(5). The syntax used by sudo and
123 the sudoers plugin is subsystem@priority but a plugin
124 is free to use a different format so long as it does
125 not include a comma (‘,’). Prior to sudo 1.8.12, there
126 was no way to specify plugin-specific debug_flags so
127 the value was always the same as that used by the sudo
128 front end and did not include a path name, only the
129 flags themselves. As of version 1.7 of the plugin
130 interface, sudo will only pass debug_flags if
131 sudo.conf(5) contains a plugin-specific Debug entry.
132
133 debug_level=number
134 This setting has been deprecated in favor of
135 debug_flags.
136
137 ignore_ticket=bool
138 Set to true if the user specified the -k flag along
139 with a command, indicating that the user wishes to
140 ignore any cached authentication credentials.
141 implied_shell to true. This allows sudo with no argu‐
142 ments to be used similarly to su(1). If the plugin
143 does not to support this usage, it may return a value
144 of -2 from the check_policy() function, which will
145 cause sudo to print a usage message and exit.
146
147 implied_shell=bool
148 If the user does not specify a program on the command
149 line, sudo will pass the plugin the path to the user's
150 shell and set
151
152 login_class=string
153 BSD login class to use when setting resource limits and
154 nice value, if specified by the -c flag.
155
156 login_shell=bool
157 Set to true if the user specified the -i flag, indicat‐
158 ing that the user wishes to run a login shell.
159
160 max_groups=int
161 The maximum number of groups a user may belong to.
162 This will only be present if there is a corresponding
163 setting in sudo.conf(5).
164
165 network_addrs=list
166 A space-separated list of IP network addresses and net‐
167 masks in the form “addr/netmask”, e.g.
168 “192.168.1.2/255.255.255.0”. The address and netmask
169 pairs may be either IPv4 or IPv6, depending on what the
170 operating system supports. If the address contains a
171 colon (‘:’), it is an IPv6 address, else it is IPv4.
172
173 noninteractive=bool
174 Set to true if the user specified the -n flag, indicat‐
175 ing that sudo should operate in non-interactive mode.
176 The plugin may reject a command run in non-interactive
177 mode if user interaction is required.
178
179 plugin_dir=string
180 The default plugin directory used by the sudo front
181 end. This is the default directory set at compile time
182 and may not correspond to the directory the running
183 plugin was loaded from. It may be used by a plugin to
184 locate support files.
185
186 plugin_path=string
187 The path name of plugin loaded by the sudo front end.
188 The path name will be a fully-qualified unless the
189 plugin was statically compiled into sudo.
190
191 preserve_environment=bool
192 Set to true if the user specified the -E flag, indicat‐
193 ing that the user wishes to preserve the environment.
194
195 preserve_groups=bool
196 Set to true if the user specified the -P flag, indicat‐
197 ing that the user wishes to preserve the group vector
198 instead of setting it based on the runas user.
199
200 progname=string
201 The command name that sudo was run as, typically “sudo”
202 or “sudoedit”.
203
204 prompt=string
205 The prompt to use when requesting a password, if speci‐
206 fied via the -p flag.
207
208 remote_host=string
209 The name of the remote host to run the command on, if
210 specified via the -h option. Support for running the
211 command on a remote host is meant to be implemented via
212 a helper program that is executed in place of the user-
213 specified command. The sudo front end is only capable
214 of executing commands on the local host. Only avail‐
215 able starting with API version 1.4.
216
217 run_shell=bool
218 Set to true if the user specified the -s flag, indicat‐
219 ing that the user wishes to run a shell.
220
221 runas_group=string
222 The group name or gid to run the command as, if speci‐
223 fied via the -g flag.
224
225 runas_user=string
226 The user name or uid to run the command as, if speci‐
227 fied via the -u flag.
228
229 selinux_role=string
230 SELinux role to use when executing the command, if
231 specified by the -r flag.
232
233 selinux_type=string
234 SELinux type to use when executing the command, if
235 specified by the -t flag.
236
237 set_home=bool
238 Set to true if the user specified the -H flag. If
239 true, set the HOME environment variable to the target
240 user's home directory.
241
242 sudoedit=bool
243 Set to true when the -e flag is is specified or if
244 invoked as sudoedit. The plugin shall substitute an
245 editor into argv in the check_policy() function or
246 return -2 with a usage error if the plugin does not
247 support sudoedit. For more information, see the
248 check_policy section.
249
250 timeout=string
251 User-specified command timeout. Not all plugins sup‐
252 port command timeouts and the ability for the user to
253 set a timeout may be restricted by policy. The format
254 of the timeout string is plugin-specific.
255
256 Additional settings may be added in the future so the plugin
257 should silently ignore settings that it does not recognize.
258
259 user_info
260 A vector of information about the user running the command in
261 the form of “name=value” strings. The vector is terminated
262 by a NULL pointer.
263
264 When parsing user_info, the plugin should split on the first
265 equal sign (‘=’) since the name field will never include one
266 itself but the value might.
267
268 cols=int
269 The number of columns the user's terminal supports. If
270 there is no terminal device available, a default value
271 of 80 is used.
272
273 cwd=string
274 The user's current working directory.
275
276 egid=gid_t
277 The effective group ID of the user invoking sudo.
278
279 euid=uid_t
280 The effective user ID of the user invoking sudo.
281
282 gid=gid_t
283 The real group ID of the user invoking sudo.
284
285 groups=list
286 The user's supplementary group list formatted as a
287 string of comma-separated group IDs.
288
289 host=string
290 The local machine's hostname as returned by the
291 gethostname(2) system call.
292
293 lines=int
294 The number of lines the user's terminal supports. If
295 there is no terminal device available, a default value
296 of 24 is used.
297
298 pgid=int
299 The ID of the process group that the running sudo
300 process is a member of. Only available starting with
301 API version 1.2.
302
303 pid=int
304 The process ID of the running sudo process. Only
305 available starting with API version 1.2.
306
307 plugin_options
308 Any (non-comment) strings immediately after the plugin
309 path are passed as arguments to the plugin. These
310 arguments are split on a white space boundary and are
311 passed to the plugin in the form of a NULL-terminated
312 array of strings. If no arguments were specified,
313 plugin_options will be the NULL pointer.
314
315 NOTE: the plugin_options parameter is only available
316 starting with API version 1.2. A plugin must check the
317 API version specified by the sudo front end before
318 using plugin_options. Failure to do so may result in a
319 crash.
320
321 ppid=int
322 The parent process ID of the running sudo process.
323 Only available starting with API version 1.2.
324
325 sid=int
326 The session ID of the running sudo process or 0 if sudo
327 is not part of a POSIX job control session. Only
328 available starting with API version 1.2.
329
330 tcpgid=int
331 The ID of the foreground process group associated with
332 the terminal device associated with the sudo process or
333 -1 if there is no terminal present. Only available
334 starting with API version 1.2.
335
336 tty=string
337 The path to the user's terminal device. If the user
338 has no terminal device associated with the session, the
339 value will be empty, as in “tty=”.
340
341 uid=uid_t
342 The real user ID of the user invoking sudo.
343
344 umask=octal
345 The invoking user's file creation mask. Only available
346 starting with API version 1.10.
347
348 user=string
349 The name of the user invoking sudo.
350
351 user_env
352 The user's environment in the form of a NULL-terminated
353 vector of “name=value” strings.
354
355 When parsing user_env, the plugin should split on the first
356 equal sign (‘=’) since the name field will never include one
357 itself but the value might.
358
359 close
360 void (*close)(int exit_status, int error);
361
362 The close() function is called when the command being run by sudo
363 finishes.
364
365 The function arguments are as follows:
366
367 exit_status
368 The command's exit status, as returned by the wait(2) system
369 call. The value of exit_status is undefined if error is non-
370 zero.
371
372 error
373 If the command could not be executed, this is set to the
374 value of errno set by the execve(2) system call. The plugin
375 is responsible for displaying error information via the
376 conversation() or plugin_printf() function. If the command
377 was successfully executed, the value of error is 0.
378
379 If no close() function is defined, no I/O logging plugins are
380 loaded, and neither the timeout not use_pty options are set in the
381 command_info list, the sudo front end may execute the command
382 directly instead of running it as a child process.
383
384 show_version
385 int (*show_version)(int verbose);
386
387 The show_version() function is called by sudo when the user speci‐
388 fies the -V option. The plugin may display its version information
389 to the user via the conversation() or plugin_printf() function
390 using SUDO_CONV_INFO_MSG. If the user requests detailed version
391 information, the verbose flag will be set.
392
393 check_policy
394 int (*check_policy)(int argc, char * const argv[]
395 char *env_add[], char **command_info[],
396 char **argv_out[], char **user_env_out[]);
397
398 The check_policy() function is called by sudo to determine whether
399 the user is allowed to run the specified commands.
400
401 If the sudoedit option was enabled in the settings array passed to
402 the open() function, the user has requested sudoedit mode.
403 sudoedit is a mechanism for editing one or more files where an edi‐
404 tor is run with the user's credentials instead of with elevated
405 privileges. sudo achieves this by creating user-writable temporary
406 copies of the files to be edited and then overwriting the originals
407 with the temporary copies after editing is complete. If the plugin
408 supports sudoedit, it should choose the editor to be used, poten‐
409 tially from a variable in the user's environment, such as EDITOR,
410 and include it in argv_out (note that environment variables may
411 include command line flags). The files to be edited should be
412 copied from argv into argv_out, separated from the editor and its
413 arguments by a “--” element. The “--” will be removed by sudo
414 before the editor is executed. The plugin should also set
415 sudoedit=true in the command_info list.
416
417 The check_policy() function returns 1 if the command is allowed, 0
418 if not allowed, -1 for a general error, or -2 for a usage error or
419 if sudoedit was specified but is unsupported by the plugin. In the
420 latter case, sudo will print a usage message before it exits. If
421 an error occurs, the plugin may optionally call the conversation()
422 or plugin_printf() function with SUDO_CONF_ERROR_MSG to present
423 additional error information to the user.
424
425 The function arguments are as follows:
426
427 argc The number of elements in argv, not counting the final NULL
428 pointer.
429
430 argv The argument vector describing the command the user wishes to
431 run, in the same form as what would be passed to the
432 execve(2) system call. The vector is terminated by a NULL
433 pointer.
434
435 env_add
436 Additional environment variables specified by the user on the
437 command line in the form of a NULL-terminated vector of
438 “name=value” strings. The plugin may reject the command if
439 one or more variables are not allowed to be set, or it may
440 silently ignore such variables.
441
442 When parsing env_add, the plugin should split on the first
443 equal sign (‘=’) since the name field will never include one
444 itself but the value might.
445
446 command_info
447 Information about the command being run in the form of
448 “name=value” strings. These values are used by sudo to set
449 the execution environment when running a command. The plugin
450 is responsible for creating and populating the vector, which
451 must be terminated with a NULL pointer. The following values
452 are recognized by sudo:
453
454 chroot=string
455 The root directory to use when running the command.
456
457 closefrom=number
458 If specified, sudo will close all files descriptors
459 with a value of number or higher.
460
461 command=string
462 Fully qualified path to the command to be executed.
463
464 cwd=string
465 The current working directory to change to when execut‐
466 ing the command.
467
468 exec_background=bool
469 By default, sudo runs a command as the foreground
470 process as long as sudo itself is running in the fore‐
471 ground. When exec_background is enabled and the com‐
472 mand is being run in a pty (due to I/O logging or the
473 use_pty setting), the command will be run as a back‐
474 ground process. Attempts to read from the controlling
475 terminal (or to change terminal settings) will result
476 in the command being suspended with the SIGTTIN signal
477 (or SIGTTOU in the case of terminal settings). If this
478 happens when sudo is a foreground process, the command
479 will be granted the controlling terminal and resumed in
480 the foreground with no user intervention required. The
481 advantage of initially running the command in the back‐
482 ground is that sudo need not read from the terminal
483 unless the command explicitly requests it. Otherwise,
484 any terminal input must be passed to the command,
485 whether it has required it or not (the kernel buffers
486 terminals so it is not possible to tell whether the
487 command really wants the input). This is different
488 from historic sudo behavior or when the command is not
489 being run in a pty.
490
491 For this to work seamlessly, the operating system must
492 support the automatic restarting of system calls.
493 Unfortunately, not all operating systems do this by
494 default, and even those that do may have bugs. For
495 example, macOS fails to restart the tcgetattr() and
496 tcsetattr() system calls (this is a bug in macOS).
497 Furthermore, because this behavior depends on the com‐
498 mand stopping with the SIGTTIN or SIGTTOU signals, pro‐
499 grams that catch these signals and suspend themselves
500 with a different signal (usually SIGTOP) will not be
501 automatically foregrounded. Some versions of the linux
502 su(1) command behave this way. Because of this, a
503 plugin should not set exec_background unless it is
504 explicitly enabled by the administrator and there
505 should be a way to enabled or disable it on a per-com‐
506 mand basis.
507
508 This setting has no effect unless I/O logging is
509 enabled or use_pty is enabled.
510
511 execfd=number
512 If specified, sudo will use the fexecve(2) system call
513 to execute the command instead of execve(2). The spec‐
514 ified number must refer to an open file descriptor.
515
516 iolog_compress=bool
517 Set to true if the I/O logging plugins, if any, should
518 compress the log data. This is a hint to the I/O log‐
519 ging plugin which may choose to ignore it.
520
521 iolog_group=string
522 The group that will own newly created I/O log files and
523 directories. This is a hint to the I/O logging plugin
524 which may choose to ignore it.
525
526 iolog_mode=octal
527 The file permission mode to use when creating I/O log
528 files and directories. This is a hint to the I/O log‐
529 ging plugin which may choose to ignore it.
530
531 iolog_user=string
532 The user that will own newly created I/O log files and
533 directories. This is a hint to the I/O logging plugin
534 which may choose to ignore it.
535
536 iolog_path=string
537 Fully qualified path to the file or directory in which
538 I/O log is to be stored. This is a hint to the I/O
539 logging plugin which may choose to ignore it. If no
540 I/O logging plugin is loaded, this setting has no
541 effect.
542
543 iolog_stdin=bool
544 Set to true if the I/O logging plugins, if any, should
545 log the standard input if it is not connected to a ter‐
546 minal device. This is a hint to the I/O logging plugin
547 which may choose to ignore it.
548
549 iolog_stdout=bool
550 Set to true if the I/O logging plugins, if any, should
551 log the standard output if it is not connected to a
552 terminal device. This is a hint to the I/O logging
553 plugin which may choose to ignore it.
554
555 iolog_stderr=bool
556 Set to true if the I/O logging plugins, if any, should
557 log the standard error if it is not connected to a ter‐
558 minal device. This is a hint to the I/O logging plugin
559 which may choose to ignore it.
560
561 iolog_ttyin=bool
562 Set to true if the I/O logging plugins, if any, should
563 log all terminal input. This only includes input typed
564 by the user and not from a pipe or redirected from a
565 file. This is a hint to the I/O logging plugin which
566 may choose to ignore it.
567
568 iolog_ttyout=bool
569 Set to true if the I/O logging plugins, if any, should
570 log all terminal output. This only includes output to
571 the screen, not output to a pipe or file. This is a
572 hint to the I/O logging plugin which may choose to
573 ignore it.
574
575 login_class=string
576 BSD login class to use when setting resource limits and
577 nice value (optional). This option is only set on sys‐
578 tems that support login classes.
579
580 nice=int
581 Nice value (priority) to use when executing the com‐
582 mand. The nice value, if specified, overrides the pri‐
583 ority associated with the login_class on BSD systems.
584
585 noexec=bool
586 If set, prevent the command from executing other pro‐
587 grams.
588
589 preserve_fds=list
590 A comma-separated list of file descriptors that should
591 be preserved, regardless of the value of the closefrom
592 setting. Only available starting with API version 1.5.
593
594 preserve_groups=bool
595 If set, sudo will preserve the user's group vector
596 instead of initializing the group vector based on
597 runas_user.
598
599 runas_egid=gid
600 Effective group ID to run the command as. If not spec‐
601 ified, the value of runas_gid is used.
602
603 runas_euid=uid
604 Effective user ID to run the command as. If not speci‐
605 fied, the value of runas_uid is used.
606
607 runas_gid=gid
608 Group ID to run the command as.
609
610 runas_groups=list
611 The supplementary group vector to use for the command
612 in the form of a comma-separated list of group IDs. If
613 preserve_groups is set, this option is ignored.
614
615 runas_uid=uid
616 User ID to run the command as.
617
618 selinux_role=string
619 SELinux role to use when executing the command.
620
621 selinux_type=string
622 SELinux type to use when executing the command.
623
624 set_utmp=bool
625 Create a utmp (or utmpx) entry when a pseudo-tty is
626 allocated. By default, the new entry will be a copy of
627 the user's existing utmp entry (if any), with the tty,
628 time, type and pid fields updated.
629
630 sudoedit=bool
631 Set to true when in sudoedit mode. The plugin may
632 enable sudoedit mode even if sudo was not invoked as
633 sudoedit. This allows the plugin to perform command
634 substitution and transparently enable sudoedit when the
635 user attempts to run an editor.
636
637 sudoedit_checkdir=bool
638 Set to false to disable directory writability checks in
639 sudoedit. By default, sudoedit 1.8.16 and higher will
640 check all directory components of the path to be edited
641 for writability by the invoking user. Symbolic links
642 will not be followed in writable directories and
643 sudoedit will refuse to edit a file located in a
644 writable directory. These restrictions are not
645 enforced when sudoedit is run by root. The
646 sudoedit_follow option can be set to false to disable
647 this check. Only available starting with API version
648 1.8.
649
650 sudoedit_follow=bool
651 Set to true to allow sudoedit to edit files that are
652 symbolic links. By default, sudoedit 1.8.15 and higher
653 will refuse to open a symbolic link. The
654 sudoedit_follow option can be used to restore the older
655 behavior and allow sudoedit to open symbolic links.
656 Only available starting with API version 1.8.
657
658 timeout=int
659 Command timeout. If non-zero then when the timeout
660 expires the command will be killed.
661
662 umask=octal
663 The file creation mask to use when executing the com‐
664 mand.
665
666 use_pty=bool
667 Allocate a pseudo-tty to run the command in, regardless
668 of whether or not I/O logging is in use. By default,
669 sudo will only run the command in a pty when an I/O log
670 plugin is loaded.
671
672 utmp_user=string
673 User name to use when constructing a new utmp (or
674 utmpx) entry when set_utmp is enabled. This option can
675 be used to set the user field in the utmp entry to the
676 user the command runs as rather than the invoking user.
677 If not set, sudo will base the new entry on the invok‐
678 ing user's existing entry.
679
680 Unsupported values will be ignored.
681
682 argv_out
683 The NULL-terminated argument vector to pass to the execve(2)
684 system call when executing the command. The plugin is
685 responsible for allocating and populating the vector.
686
687 user_env_out
688 The NULL-terminated environment vector to use when executing
689 the command. The plugin is responsible for allocating and
690 populating the vector.
691
692 list
693 int (*list)(int verbose, const char *list_user,
694 int argc, char * const argv[]);
695
696 List available privileges for the invoking user. Returns 1 on suc‐
697 cess, 0 on failure and -1 on error. On error, the plugin may
698 optionally call the conversation() or plugin_printf() function with
699 SUDO_CONF_ERROR_MSG to present additional error information to the
700 user.
701
702 Privileges should be output via the conversation() or
703 plugin_printf() function using SUDO_CONV_INFO_MSG,
704
705 verbose
706 Flag indicating whether to list in verbose mode or not.
707
708 list_user
709 The name of a different user to list privileges for if the
710 policy allows it. If NULL, the plugin should list the privi‐
711 leges of the invoking user.
712
713 argc The number of elements in argv, not counting the final NULL
714 pointer.
715
716 argv If non-NULL, an argument vector describing a command the user
717 wishes to check against the policy in the same form as what
718 would be passed to the execve(2) system call. If the command
719 is permitted by the policy, the fully-qualified path to the
720 command should be displayed along with any command line argu‐
721 ments.
722
723 validate
724 int (*validate)(void);
725
726 The validate() function is called when sudo is run with the -v
727 flag. For policy plugins such as sudoers that cache authentication
728 credentials, this function will validate and cache the credentials.
729
730 The validate() function should be NULL if the plugin does not sup‐
731 port credential caching.
732
733 Returns 1 on success, 0 on failure and -1 on error. On error, the
734 plugin may optionally call the conversation() or plugin_printf()
735 function with SUDO_CONF_ERROR_MSG to present additional error
736 information to the user.
737
738 invalidate
739 void (*invalidate)(int remove);
740
741 The invalidate() function is called when sudo is called with the -k
742 or -K flag. For policy plugins such as sudoers that cache authen‐
743 tication credentials, this function will invalidate the creden‐
744 tials. If the remove flag is set, the plugin may remove the cre‐
745 dentials instead of simply invalidating them.
746
747 The invalidate() function should be NULL if the plugin does not
748 support credential caching.
749
750 init_session
751 int (*init_session)(struct passwd *pwd, char **user_envp[);
752
753 The init_session() function is called before sudo sets up the exe‐
754 cution environment for the command. It is run in the parent sudo
755 process and before any uid or gid changes. This can be used to
756 perform session setup that is not supported by command_info, such
757 as opening the PAM session. The close() function can be used to
758 tear down the session that was opened by init_session.
759
760 The pwd argument points to a passwd struct for the user the command
761 will be run as if the uid the command will run as was found in the
762 password database, otherwise it will be NULL.
763
764 The user_env argument points to the environment the command will
765 run in, in the form of a NULL-terminated vector of “name=value”
766 strings. This is the same string passed back to the front end via
767 the Policy Plugin's user_env_out parameter. If the init_session()
768 function needs to modify the user environment, it should update the
769 pointer stored in user_env. The expected use case is to merge the
770 contents of the PAM environment (if any) with the contents of
771 user_env. NOTE: the user_env parameter is only available starting
772 with API version 1.2. A plugin must check the API version speci‐
773 fied by the sudo front end before using user_env. Failure to do so
774 may result in a crash.
775
776 Returns 1 on success, 0 on failure and -1 on error. On error, the
777 plugin may optionally call the conversation() or plugin_printf()
778 function with SUDO_CONF_ERROR_MSG to present additional error
779 information to the user.
780
781 register_hooks
782 void (*register_hooks)(int version,
783 int (*register_hook)(struct sudo_hook *hook));
784
785 The register_hooks() function is called by the sudo front end to
786 register any hooks the plugin needs. If the plugin does not sup‐
787 port hooks, register_hooks should be set to the NULL pointer.
788
789 The version argument describes the version of the hooks API sup‐
790 ported by the sudo front end.
791
792 The register_hook() function should be used to register any sup‐
793 ported hooks the plugin needs. It returns 0 on success, 1 if the
794 hook type is not supported and -1 if the major version in struct
795 hook does not match the front end's major hook API version.
796
797 See the Hook function API section below for more information about
798 hooks.
799
800 NOTE: the register_hooks() function is only available starting with
801 API version 1.2. If the sudo front end doesn't support API version
802 1.2 or higher, register_hooks will not be called.
803
804 deregister_hooks
805 void (*deregister_hooks)(int version,
806 int (*deregister_hook)(struct sudo_hook *hook));
807
808 The deregister_hooks() function is called by the sudo front end to
809 deregister any hooks the plugin has registered. If the plugin does
810 not support hooks, deregister_hooks should be set to the NULL
811 pointer.
812
813 The version argument describes the version of the hooks API sup‐
814 ported by the sudo front end.
815
816 The deregister_hook() function should be used to deregister any
817 hooks that were put in place by the register_hook() function. If
818 the plugin tries to deregister a hook that the front end does not
819 support, deregister_hook will return an error.
820
821 See the Hook function API section below for more information about
822 hooks.
823
824 NOTE: the deregister_hooks() function is only available starting
825 with API version 1.2. If the sudo front end doesn't support API
826 version 1.2 or higher, deregister_hooks will not be called.
827
828 Policy Plugin Version Macros
829
830 /* Plugin API version major/minor. */
831 #define SUDO_API_VERSION_MAJOR 1
832 #define SUDO_API_VERSION_MINOR 2
833 #define SUDO_API_MKVERSION(x, y) ((x << 16) | y)
834 #define SUDO_API_VERSION SUDO_API_MKVERSION(SUDO_API_VERSION_MAJOR,\
835 SUDO_API_VERSION_MINOR)
836
837 /* Getters and setters for API version */
838 #define SUDO_API_VERSION_GET_MAJOR(v) ((v) >> 16)
839 #define SUDO_API_VERSION_GET_MINOR(v) ((v) & 0xffff)
840 #define SUDO_API_VERSION_SET_MAJOR(vp, n) do { \
841 *(vp) = (*(vp) & 0x0000ffff) | ((n) << 16); \
842 } while(0)
843 #define SUDO_API_VERSION_SET_MINOR(vp, n) do { \
844 *(vp) = (*(vp) & 0xffff0000) | (n); \
845 } while(0)
846
847 I/O plugin API
848 struct io_plugin {
849 #define SUDO_IO_PLUGIN 2
850 unsigned int type; /* always SUDO_IO_PLUGIN */
851 unsigned int version; /* always SUDO_API_VERSION */
852 int (*open)(unsigned int version, sudo_conv_t conversation,
853 sudo_printf_t plugin_printf, char * const settings[],
854 char * const user_info[], char * const command_info[],
855 int argc, char * const argv[], char * const user_env[],
856 char * const plugin_options[]);
857 void (*close)(int exit_status, int error); /* wait status or error */
858 int (*show_version)(int verbose);
859 int (*log_ttyin)(const char *buf, unsigned int len);
860 int (*log_ttyout)(const char *buf, unsigned int len);
861 int (*log_stdin)(const char *buf, unsigned int len);
862 int (*log_stdout)(const char *buf, unsigned int len);
863 int (*log_stderr)(const char *buf, unsigned int len);
864 void (*register_hooks)(int version,
865 int (*register_hook)(struct sudo_hook *hook));
866 void (*deregister_hooks)(int version,
867 int (*deregister_hook)(struct sudo_hook *hook));
868 int (*change_winsize)(unsigned int lines, unsigned int cols);
869 };
870
871 When an I/O plugin is loaded, sudo runs the command in a pseudo-tty.
872 This makes it possible to log the input and output from the user's ses‐
873 sion. If any of the standard input, standard output or standard error do
874 not correspond to a tty, sudo will open a pipe to capture the I/O for
875 logging before passing it on.
876
877 The log_ttyin function receives the raw user input from the terminal
878 device (note that this will include input even when echo is disabled,
879 such as when a password is read). The log_ttyout function receives out‐
880 put from the pseudo-tty that is suitable for replaying the user's session
881 at a later time. The log_stdin(), log_stdout() and log_stderr() func‐
882 tions are only called if the standard input, standard output or standard
883 error respectively correspond to something other than a tty.
884
885 Any of the logging functions may be set to the NULL pointer if no logging
886 is to be performed. If the open function returns 0, no I/O will be sent
887 to the plugin.
888
889 If a logging function returns an error (-1), the running command will be
890 terminated and all of the plugin's logging functions will be disabled.
891 Other I/O logging plugins will still receive any remaining input or out‐
892 put that has not yet been processed.
893
894 If an input logging function rejects the data by returning 0, the command
895 will be terminated and the data will not be passed to the command, though
896 it will still be sent to any other I/O logging plugins. If an output
897 logging function rejects the data by returning 0, the command will be
898 terminated and the data will not be written to the terminal, though it
899 will still be sent to any other I/O logging plugins.
900
901 The io_plugin struct has the following fields:
902
903 type The type field should always be set to SUDO_IO_PLUGIN.
904
905 version
906 The version field should be set to SUDO_API_VERSION.
907
908 This allows sudo to determine the API version the plugin was built
909 against.
910
911 open
912 int (*open)(unsigned int version, sudo_conv_t conversation,
913 sudo_printf_t plugin_printf, char * const settings[],
914 char * const user_info[], int argc, char * const argv[],
915 char * const user_env[], char * const plugin_options[]);
916
917 The open() function is run before the log_ttyin(), log_ttyout(),
918 log_stdin(), log_stdout(), log_stderr(), or show_version() func‐
919 tions are called. It is only called if the version is being
920 requested or if the policy plugin's check_policy() function has
921 returned successfully. It returns 1 on success, 0 on failure, -1
922 if a general error occurred, or -2 if there was a usage error. In
923 the latter case, sudo will print a usage message before it exits.
924 If an error occurs, the plugin may optionally call the
925 conversation() or plugin_printf() function with SUDO_CONF_ERROR_MSG
926 to present additional error information to the user.
927
928 The function arguments are as follows:
929
930 version
931 The version passed in by sudo allows the plugin to determine
932 the major and minor version number of the plugin API sup‐
933 ported by sudo.
934
935 conversation
936 A pointer to the conversation() function that may be used by
937 the show_version() function to display version information
938 (see show_version() below). The conversation() function may
939 also be used to display additional error message to the user.
940 The conversation() function returns 0 on success and -1 on
941 failure.
942
943 plugin_printf
944 A pointer to a printf()-style function that may be used by
945 the show_version() function to display version information
946 (see show_version below). The plugin_printf() function may
947 also be used to display additional error message to the user.
948 The plugin_printf() function returns number of characters
949 printed on success and -1 on failure.
950
951 settings
952 A vector of user-supplied sudo settings in the form of
953 “name=value” strings. The vector is terminated by a NULL
954 pointer. These settings correspond to flags the user speci‐
955 fied when running sudo. As such, they will only be present
956 when the corresponding flag has been specified on the command
957 line.
958
959 When parsing settings, the plugin should split on the first
960 equal sign (‘=’) since the name field will never include one
961 itself but the value might.
962
963 See the Policy plugin API section for a list of all possible
964 settings.
965
966 user_info
967 A vector of information about the user running the command in
968 the form of “name=value” strings. The vector is terminated
969 by a NULL pointer.
970
971 When parsing user_info, the plugin should split on the first
972 equal sign (‘=’) since the name field will never include one
973 itself but the value might.
974
975 See the Policy plugin API section for a list of all possible
976 strings.
977
978 argc The number of elements in argv, not counting the final NULL
979 pointer.
980
981 argv If non-NULL, an argument vector describing a command the user
982 wishes to run in the same form as what would be passed to the
983 execve(2) system call.
984
985 user_env
986 The user's environment in the form of a NULL-terminated vec‐
987 tor of “name=value” strings.
988
989 When parsing user_env, the plugin should split on the first
990 equal sign (‘=’) since the name field will never include one
991 itself but the value might.
992
993 plugin_options
994 Any (non-comment) strings immediately after the plugin path
995 are treated as arguments to the plugin. These arguments are
996 split on a white space boundary and are passed to the plugin
997 in the form of a NULL-terminated array of strings. If no
998 arguments were specified, plugin_options will be the NULL
999 pointer.
1000
1001 NOTE: the plugin_options parameter is only available starting
1002 with API version 1.2. A plugin must check the API version
1003 specified by the sudo front end before using plugin_options.
1004 Failure to do so may result in a crash.
1005
1006 close
1007 void (*close)(int exit_status, int error);
1008
1009 The close() function is called when the command being run by sudo
1010 finishes.
1011
1012 The function arguments are as follows:
1013
1014 exit_status
1015 The command's exit status, as returned by the wait(2) system
1016 call. The value of exit_status is undefined if error is non-
1017 zero.
1018
1019 error
1020 If the command could not be executed, this is set to the
1021 value of errno set by the execve(2) system call. If the com‐
1022 mand was successfully executed, the value of error is 0.
1023
1024 show_version
1025 int (*show_version)(int verbose);
1026
1027 The show_version() function is called by sudo when the user speci‐
1028 fies the -V option. The plugin may display its version information
1029 to the user via the conversation() or plugin_printf() function
1030 using SUDO_CONV_INFO_MSG. If the user requests detailed version
1031 information, the verbose flag will be set.
1032
1033 log_ttyin
1034 int (*log_ttyin)(const char *buf, unsigned int len);
1035
1036 The log_ttyin() function is called whenever data can be read from
1037 the user but before it is passed to the running command. This
1038 allows the plugin to reject data if it chooses to (for instance if
1039 the input contains banned content). Returns 1 if the data should
1040 be passed to the command, 0 if the data is rejected (which will
1041 terminate the running command) or -1 if an error occurred.
1042
1043 The function arguments are as follows:
1044
1045 buf The buffer containing user input.
1046
1047 len The length of buf in bytes.
1048
1049 log_ttyout
1050 int (*log_ttyout)(const char *buf, unsigned int len);
1051
1052 The log_ttyout() function is called whenever data can be read from
1053 the command but before it is written to the user's terminal. This
1054 allows the plugin to reject data if it chooses to (for instance if
1055 the output contains banned content). Returns 1 if the data should
1056 be passed to the user, 0 if the data is rejected (which will termi‐
1057 nate the running command) or -1 if an error occurred.
1058
1059 The function arguments are as follows:
1060
1061 buf The buffer containing command output.
1062
1063 len The length of buf in bytes.
1064
1065 log_stdin
1066 int (*log_stdin)(const char *buf, unsigned int len);
1067
1068 The log_stdin() function is only used if the standard input does
1069 not correspond to a tty device. It is called whenever data can be
1070 read from the standard input but before it is passed to the running
1071 command. This allows the plugin to reject data if it chooses to
1072 (for instance if the input contains banned content). Returns 1 if
1073 the data should be passed to the command, 0 if the data is rejected
1074 (which will terminate the running command) or -1 if an error
1075 occurred.
1076
1077 The function arguments are as follows:
1078
1079 buf The buffer containing user input.
1080
1081 len The length of buf in bytes.
1082
1083 log_stdout
1084 int (*log_stdout)(const char *buf, unsigned int len);
1085
1086 The log_stdout() function is only used if the standard output does
1087 not correspond to a tty device. It is called whenever data can be
1088 read from the command but before it is written to the standard out‐
1089 put. This allows the plugin to reject data if it chooses to (for
1090 instance if the output contains banned content). Returns 1 if the
1091 data should be passed to the user, 0 if the data is rejected (which
1092 will terminate the running command) or -1 if an error occurred.
1093
1094 The function arguments are as follows:
1095
1096 buf The buffer containing command output.
1097
1098 len The length of buf in bytes.
1099
1100 log_stderr
1101 int (*log_stderr)(const char *buf, unsigned int len);
1102
1103 The log_stderr() function is only used if the standard error does
1104 not correspond to a tty device. It is called whenever data can be
1105 read from the command but before it is written to the standard
1106 error. This allows the plugin to reject data if it chooses to (for
1107 instance if the output contains banned content). Returns 1 if the
1108 data should be passed to the user, 0 if the data is rejected (which
1109 will terminate the running command) or -1 if an error occurred.
1110
1111 The function arguments are as follows:
1112
1113 buf The buffer containing command output.
1114
1115 len The length of buf in bytes.
1116
1117 register_hooks
1118 See the Policy plugin API section for a description of
1119 register_hooks.
1120
1121 deregister_hooks
1122 See the Policy plugin API section for a description of
1123 deregister_hooks.
1124
1125 change_winsize
1126 int (*change_winsize)(unsigned int lines, unsigned int cols);
1127
1128 The change_winsize() function is called whenever the window size of
1129 the terminal changes from the initial values specified in the
1130 user_info list. It returns 1 on success, 0 on failure, -1 if an
1131 error occurred (which will terminate the running command).
1132
1133 I/O Plugin Version Macros
1134
1135 Same as for the Policy plugin API.
1136
1137 Signal handlers
1138 The sudo front end installs default signal handlers to trap common sig‐
1139 nals while the plugin functions are run. The following signals are
1140 trapped by default before the command is executed:
1141
1142 · SIGALRM
1143 · SIGHUP
1144 · SIGINT
1145 · SIGPIPE
1146 · SIGQUIT
1147 · SIGTERM
1148 · SIGTSTP
1149 · SIGUSR1
1150 · SIGUSR2
1151
1152 If a fatal signal is received before the command is executed, sudo will
1153 call the plugin's close() function with an exit status of 128 plus the
1154 value of the signal that was received. This allows for consistent log‐
1155 ging of commands killed by a signal for plugins that log such information
1156 in their close() function. An exception to this is SIGPIPE, which is
1157 ignored until the command is executed.
1158
1159 A plugin may temporarily install its own signal handlers but must restore
1160 the original handler before the plugin function returns.
1161
1162 Hook function API
1163 Beginning with plugin API version 1.2, it is possible to install hooks
1164 for certain functions called by the sudo front end.
1165
1166 Currently, the only supported hooks relate to the handling of environment
1167 variables. Hooks can be used to intercept attempts to get, set, or
1168 remove environment variables so that these changes can be reflected in
1169 the version of the environment that is used to execute a command. A
1170 future version of the API will support hooking internal sudo front end
1171 functions as well.
1172
1173 Hook structure
1174
1175 Hooks in sudo are described by the following structure:
1176
1177 typedef int (*sudo_hook_fn_t)();
1178
1179 struct sudo_hook {
1180 unsigned int hook_version;
1181 unsigned int hook_type;
1182 sudo_hook_fn_t hook_fn;
1183 void *closure;
1184 };
1185
1186 The sudo_hook structure has the following fields:
1187
1188 hook_version
1189 The hook_version field should be set to SUDO_HOOK_VERSION.
1190
1191 hook_type
1192 The hook_type field may be one of the following supported hook
1193 types:
1194
1195 SUDO_HOOK_SETENV
1196 The C library setenv(3) function. Any registered hooks will
1197 run before the C library implementation. The hook_fn field
1198 should be a function that matches the following typedef:
1199
1200 typedef int (*sudo_hook_fn_setenv_t)(const char *name,
1201 const char *value, int overwrite, void *closure);
1202
1203 If the registered hook does not match the typedef the results
1204 are unspecified.
1205
1206 SUDO_HOOK_UNSETENV
1207 The C library unsetenv(3) function. Any registered hooks
1208 will run before the C library implementation. The hook_fn
1209 field should be a function that matches the following type‐
1210 def:
1211
1212 typedef int (*sudo_hook_fn_unsetenv_t)(const char *name,
1213 void *closure);
1214
1215 SUDO_HOOK_GETENV
1216 The C library getenv(3) function. Any registered hooks will
1217 run before the C library implementation. The hook_fn field
1218 should be a function that matches the following typedef:
1219
1220 typedef int (*sudo_hook_fn_getenv_t)(const char *name,
1221 char **value, void *closure);
1222
1223 If the registered hook does not match the typedef the results
1224 are unspecified.
1225
1226 SUDO_HOOK_PUTENV
1227 The C library putenv(3) function. Any registered hooks will
1228 run before the C library implementation. The hook_fn field
1229 should be a function that matches the following typedef:
1230
1231 typedef int (*sudo_hook_fn_putenv_t)(char *string,
1232 void *closure);
1233
1234 If the registered hook does not match the typedef the results
1235 are unspecified.
1236
1237 hook_fn
1238 sudo_hook_fn_t hook_fn;
1239
1240 The hook_fn field should be set to the plugin's hook implementa‐
1241 tion. The actual function arguments will vary depending on the
1242 hook_type (see hook_type above). In all cases, the closure field
1243 of struct sudo_hook is passed as the last function parameter. This
1244 can be used to pass arbitrary data to the plugin's hook implementa‐
1245 tion.
1246
1247 The function return value may be one of the following:
1248
1249 SUDO_HOOK_RET_ERROR
1250 The hook function encountered an error.
1251
1252 SUDO_HOOK_RET_NEXT
1253 The hook completed without error, go on to the next hook
1254 (including the native implementation if applicable). For
1255 example, a getenv(3) hook might return SUDO_HOOK_RET_NEXT if
1256 the specified variable was not found in the private copy of
1257 the environment.
1258
1259 SUDO_HOOK_RET_STOP
1260 The hook completed without error, stop processing hooks for
1261 this invocation. This can be used to replace the native
1262 implementation. For example, a setenv hook that operates on
1263 a private copy of the environment but leaves environ
1264 unchanged.
1265
1266 Note that it is very easy to create an infinite loop when hooking C
1267 library functions. For example, a getenv(3) hook that calls the
1268 snprintf(3) function may create a loop if the snprintf(3) implementation
1269 calls getenv(3) to check the locale. To prevent this, you may wish to
1270 use a static variable in the hook function to guard against nested calls.
1271 For example:
1272
1273 static int in_progress = 0; /* avoid recursion */
1274 if (in_progress)
1275 return SUDO_HOOK_RET_NEXT;
1276 in_progress = 1;
1277 ...
1278 in_progress = 0;
1279 return SUDO_HOOK_RET_STOP;
1280
1281 Hook API Version Macros
1282
1283 /* Hook API version major/minor */
1284 #define SUDO_HOOK_VERSION_MAJOR 1
1285 #define SUDO_HOOK_VERSION_MINOR 0
1286 #define SUDO_HOOK_VERSION SUDO_API_MKVERSION(SUDO_HOOK_VERSION_MAJOR,\
1287 SUDO_HOOK_VERSION_MINOR)
1288
1289 For getters and setters see the Policy plugin API.
1290
1291 Remote command execution
1292 The sudo front end does not have native support for running remote com‐
1293 mands. However, starting with sudo 1.8.8, the -h option may be used to
1294 specify a remote host that is passed to the policy plugin. A plugin may
1295 also accept a runas_user in the form of “user@hostname” which will work
1296 with older versions of sudo. It is anticipated that remote commands will
1297 be supported by executing a “helper” program. The policy plugin should
1298 setup the execution environment such that the sudo front end will run the
1299 helper which, in turn, will connect to the remote host and run the com‐
1300 mand.
1301
1302 For example, the policy plugin could utilize ssh to perform remote com‐
1303 mand execution. The helper program would be responsible for running ssh
1304 with the proper options to use a private key or certificate that the
1305 remote host will accept and run a program on the remote host that would
1306 setup the execution environment accordingly.
1307
1308 Note that remote sudoedit functionality must be handled by the policy
1309 plugin, not sudo itself as the front end has no knowledge that a remote
1310 command is being executed. This may be addressed in a future revision of
1311 the plugin API.
1312
1313 Conversation API
1314 If the plugin needs to interact with the user, it may do so via the
1315 conversation() function. A plugin should not attempt to read directly
1316 from the standard input or the user's tty (neither of which are guaran‐
1317 teed to exist). The caller must include a trailing newline in msg if one
1318 is to be printed.
1319
1320 A printf()-style function is also available that can be used to display
1321 informational or error messages to the user, which is usually more conve‐
1322 nient for simple messages where no use input is required.
1323
1324 Conversation function structures
1325
1326 The conversation function takes as arguments pointers to the following
1327 structures:
1328
1329 struct sudo_conv_message {
1330 #define SUDO_CONV_PROMPT_ECHO_OFF 0x0001 /* do not echo user input */
1331 #define SUDO_CONV_PROMPT_ECHO_ON 0x0002 /* echo user input */
1332 #define SUDO_CONV_ERROR_MSG 0x0003 /* error message */
1333 #define SUDO_CONV_INFO_MSG 0x0004 /* informational message */
1334 #define SUDO_CONV_PROMPT_MASK 0x0005 /* mask user input */
1335 #define SUDO_CONV_PROMPT_ECHO_OK 0x1000 /* flag: allow echo if no tty */
1336 int msg_type;
1337 int timeout;
1338 const char *msg;
1339 };
1340
1341 #define SUDO_CONV_REPL_MAX 255
1342
1343 struct sudo_conv_reply {
1344 char *reply;
1345 };
1346
1347 typedef int (*sudo_conv_callback_fn_t)(int signo, void *closure);
1348 struct sudo_conv_callback {
1349 unsigned int version;
1350 void *closure;
1351 sudo_conv_callback_fn_t on_suspend;
1352 sudo_conv_callback_fn_t on_resume;
1353 };
1354
1355 Pointers to the conversation() and printf()-style functions are passed in
1356 to the plugin's open() function when the plugin is initialized. The fol‐
1357 lowing type definitions can be used in the declaration of the open()
1358 function:
1359
1360 typedef int (*sudo_conv_t)(int num_msgs,
1361 const struct sudo_conv_message msgs[],
1362 struct sudo_conv_reply replies[],
1363 struct sudo_conv_callback *callback);
1364
1365 typedef int (*sudo_printf_t)(int msg_type, const char *fmt, ...);
1366
1367 To use the conversation() function, the plugin must pass an array of
1368 sudo_conv_message and sudo_conv_reply structures. There must be a struct
1369 sudo_conv_message and struct sudo_conv_reply for each message in the con‐
1370 versation. The struct sudo_conv_callback pointer, if not NULL, should
1371 contain function pointers to be called when the sudo process is suspended
1372 and/or resumed during conversation input. The on_suspend and on_resume
1373 functions are called with the signal that caused sudo to be suspended and
1374 the closure pointer from the struct sudo_conv_callback. These functions
1375 should return 0 on success and -1 on error. On error, the conversation
1376 will end and the conversation function will return a value of -1. The
1377 intended use is to allow the plugin to release resources, such as locks,
1378 that should not be held indefinitely while suspended and then reacquire
1379 them when the process is resumed. Note that the functions are not actu‐
1380 ally invoked from within a signal handler.
1381
1382 The plugin is responsible for freeing the reply buffer located in each
1383 struct sudo_conv_reply, if it is not NULL. SUDO_CONV_REPL_MAX represents
1384 the maximum length of the reply buffer (not including the trailing NUL
1385 character). In practical terms, this is the longest password sudo will
1386 support. It is also useful as a maximum value for the memset_s() func‐
1387 tion when clearing passwords filled in by the conversation function.
1388
1389 The printf()-style function uses the same underlying mechanism as the
1390 conversation() function but only supports SUDO_CONV_INFO_MSG and
1391 SUDO_CONV_ERROR_MSG for the msg_type parameter. It can be more conve‐
1392 nient than using the conversation() function if no user reply is needed
1393 and supports standard printf() escape sequences.
1394
1395 See the sample plugin for an example of the conversation() function
1396 usage.
1397
1398 Sudoers group plugin API
1399 The sudoers plugin supports its own plugin interface to allow non-Unix
1400 group lookups. This can be used to query a group source other than the
1401 standard Unix group database. Two sample group plugins are bundled with
1402 sudo, group_file and system_group, are detailed in sudoers(5). Third
1403 party group plugins include a QAS AD plugin available from Quest Soft‐
1404 ware.
1405
1406 A group plugin must declare and populate a sudoers_group_plugin struct in
1407 the global scope. This structure contains pointers to the functions that
1408 implement plugin initialization, cleanup and group lookup.
1409
1410 struct sudoers_group_plugin {
1411 unsigned int version;
1412 int (*init)(int version, sudo_printf_t sudo_printf,
1413 char *const argv[]);
1414 void (*cleanup)(void);
1415 int (*query)(const char *user, const char *group,
1416 const struct passwd *pwd);
1417 };
1418
1419 The sudoers_group_plugin struct has the following fields:
1420
1421 version
1422 The version field should be set to GROUP_API_VERSION.
1423
1424 This allows sudoers to determine the API version the group plugin
1425 was built against.
1426
1427 init
1428 int (*init)(int version, sudo_printf_t plugin_printf,
1429 char *const argv[]);
1430
1431 The init() function is called after sudoers has been parsed but
1432 before any policy checks. It returns 1 on success, 0 on failure
1433 (or if the plugin is not configured), and -1 if a error occurred.
1434 If an error occurs, the plugin may call the plugin_printf() func‐
1435 tion with SUDO_CONF_ERROR_MSG to present additional error informa‐
1436 tion to the user.
1437
1438 The function arguments are as follows:
1439
1440 version
1441 The version passed in by sudoers allows the plugin to deter‐
1442 mine the major and minor version number of the group plugin
1443 API supported by sudoers.
1444
1445 plugin_printf
1446 A pointer to a printf()-style function that may be used to
1447 display informational or error message to the user. Returns
1448 the number of characters printed on success and -1 on fail‐
1449 ure.
1450
1451 argv A NULL-terminated array of arguments generated from the
1452 group_plugin option in sudoers. If no arguments were given,
1453 argv will be NULL.
1454
1455 cleanup
1456 void (*cleanup)();
1457
1458 The cleanup() function is called when sudoers has finished its
1459 group checks. The plugin should free any memory it has allocated
1460 and close open file handles.
1461
1462 query
1463 int (*query)(const char *user, const char *group,
1464 const struct passwd *pwd);
1465
1466 The query() function is used to ask the group plugin whether user
1467 is a member of group.
1468
1469 The function arguments are as follows:
1470
1471 user The name of the user being looked up in the external group
1472 database.
1473
1474 group
1475 The name of the group being queried.
1476
1477 pwd The password database entry for user, if any. If user is not
1478 present in the password database, pwd will be NULL.
1479
1480 Group API Version Macros
1481
1482 /* Sudoers group plugin version major/minor */
1483 #define GROUP_API_VERSION_MAJOR 1
1484 #define GROUP_API_VERSION_MINOR 0
1485 #define GROUP_API_VERSION ((GROUP_API_VERSION_MAJOR << 16) | \
1486 GROUP_API_VERSION_MINOR)
1487 For getters and setters see the Policy plugin API.
1488
1490 The following revisions have been made to the Sudo Plugin API.
1491
1492 Version 1.0
1493 Initial API version.
1494
1495 Version 1.1 (sudo 1.8.0)
1496 The I/O logging plugin's open() function was modified to take the
1497 command_info list as an argument.
1498
1499 Version 1.2 (sudo 1.8.5)
1500 The Policy and I/O logging plugins' open() functions are now passed
1501 a list of plugin parameters if any are specified in sudo.conf(5).
1502
1503 A simple hooks API has been introduced to allow plugins to hook in
1504 to the system's environment handling functions.
1505
1506 The init_session Policy plugin function is now passed a pointer to
1507 the user environment which can be updated as needed. This can be
1508 used to merge in environment variables stored in the PAM handle
1509 before a command is run.
1510
1511 Version 1.3 (sudo 1.8.7)
1512 Support for the exec_background entry has been added to the
1513 command_info list.
1514
1515 The max_groups and plugin_dir entries were added to the settings
1516 list.
1517
1518 The version() and close() functions are now optional. Previously,
1519 a missing version() or close() function would result in a crash.
1520 If no policy plugin close() function is defined, a default close()
1521 function will be provided by the sudo front end that displays a
1522 warning if the command could not be executed.
1523
1524 The sudo front end now installs default signal handlers to trap
1525 common signals while the plugin functions are run.
1526
1527 Version 1.4 (sudo 1.8.8)
1528 The remote_host entry was added to the settings list.
1529
1530 Version 1.5 (sudo 1.8.9)
1531 The preserve_fds entry was added to the command_info list.
1532
1533 Version 1.6 (sudo 1.8.11)
1534 The behavior when an I/O logging plugin returns an error (-1) has
1535 changed. Previously, the sudo front end took no action when the
1536 log_ttyin(), log_ttyout(), log_stdin(), log_stdout(), or
1537 log_stderr() function returned an error.
1538
1539 The behavior when an I/O logging plugin returns 0 has changed.
1540 Previously, output from the command would be displayed to the ter‐
1541 minal even if an output logging function returned 0.
1542
1543 Version 1.7 (sudo 1.8.12)
1544 The plugin_path entry was added to the settings list.
1545
1546 The debug_flags entry now starts with a debug file path name and
1547 may occur multiple times if there are multiple plugin-specific
1548 Debug lines in the sudo.conf(5) file.
1549
1550 Version 1.8 (sudo 1.8.15)
1551 The sudoedit_checkdir and sudoedit_follow entries were added to the
1552 command_info list. The default value of sudoedit_checkdir was
1553 changed to true in sudo 1.8.16.
1554
1555 The sudo conversation function now takes a pointer to a struct
1556 sudo_conv_callback as its fourth argument. The sudo_conv_t defini‐
1557 tion has been updated to match. The plugin must specify that it
1558 supports plugin API version 1.8 or higher to receive a conversation
1559 function pointer that supports this argument.
1560
1561 Version 1.9 (sudo 1.8.16)
1562 The execfd entry was added to the command_info list.
1563
1564 Version 1.10 (sudo 1.8.19)
1565 The umask entry was added to the user_info list. The iolog_group,
1566 iolog_mode, and iolog_user entries were added to the command_info
1567 list.
1568
1569 Version 1.11 (sudo 1.8.20)
1570 The timeout entry was added to the settings list.
1571
1572 Version 1.12 (sudo 1.8.21)
1573 The change_winsize field was added to the io_plugin struct.
1574
1576 sudo.conf(5), sudoers(5), sudo(8)
1577
1579 Many people have worked on sudo over the years; this version consists of
1580 code written primarily by:
1581
1582 Todd C. Miller
1583
1584 See the CONTRIBUTORS file in the sudo distribution
1585 (https://www.sudo.ws/contributors.html) for an exhaustive list of people
1586 who have contributed to sudo.
1587
1589 If you feel you have found a bug in sudo, please submit a bug report at
1590 https://bugzilla.sudo.ws/
1591
1593 Limited free support is available via the sudo-users mailing list, see
1594 https://www.sudo.ws/mailman/listinfo/sudo-users to subscribe or search
1595 the archives.
1596
1598 sudo is provided “AS IS” and any express or implied warranties, includ‐
1599 ing, but not limited to, the implied warranties of merchantability and
1600 fitness for a particular purpose are disclaimed. See the LICENSE file
1601 distributed with sudo or https://www.sudo.ws/license.html for complete
1602 details.
1603
1604Sudo 1.8.23 March 21, 2018 Sudo 1.8.23