1SUDO.CONF(5)                BSD File Formats Manual               SUDO.CONF(5)


4     sudo.conf — configuration for sudo front-end


7     The sudo.conf file is used to configure the sudo front-end.  It is used
8     to configure sudo plugins, plugin-agnostic path names, debug flags, and
9     other settings.
11     The sudo.conf file supports the following directives, described in detail
12     below.
14     Plugin  an approval, audit, I/O logging, or security policy plugin
16     Path    a plugin-agnostic path
18     Set     a front-end setting, such as disable_coredump or group_source
20     Debug   debug flags to aid in debugging sudo, sudoreplay, visudo, and the
21             sudoers plugin.
23     The pound sign (‘#’) is used to indicate a comment.  Both the comment
24     character and any text after it, up to the end of the line, are ignored.
26     Long lines can be continued with a backslash (‘\’) as the last character
27     on the line.  Leading white space is removed from the beginning of lines
28     even when a continuation character is used.
30     Non-comment lines that don't begin with Plugin, Path, Debug, or Set are
31     silently ignored.
33     The sudo.conf file is always parsed in the ‘C’ locale.
35   Plugin configuration
36     sudo supports a plugin architecture for security policies and input/out‐
37     put logging.  Third parties can develop and distribute their own policy
38     and I/O logging plugins to work seamlessly with the sudo front-end.
39     Plugins are dynamically loaded based on the contents of sudo.conf.
41     A Plugin line consists of the Plugin keyword, followed by the symbol_name
42     and the path to the dynamic shared object that contains the plugin.  The
43     symbol_name is the name of the struct approval_plugin, struct
44     audit_plugin, struct io_plugin, or struct policy_plugin defined by the
45     plugin.  If a plugin implements multiple plugin types, there must be a
46     Plugin line for each unique symbol name.  The path may be fully qualified
47     or relative.  If not fully qualified, it is relative to the directory
48     specified by the plugin_dir Path setting, which defaults to
49     /usr/libexec/sudo.  In other words:
51         Plugin sudoers_policy sudoers.so
53     is equivalent to:
55         Plugin sudoers_policy /usr/libexec/sudo/sudoers.so
57     If the plugin was compiled statically into the sudo binary instead of be‐
58     ing installed as a dynamic shared object, the path should be specified
59     without a leading directory, as it does not actually exist in the file
60     system.  For example:
62         Plugin sudoers_policy sudoers.so
64     Starting with sudo 1.8.5, any additional parameters after the path are
65     passed as arguments to the plugin's open function.  For example, to over‐
66     ride the compile-time default sudoers file mode:
68         Plugin sudoers_policy sudoers.so sudoers_mode=0440
70     See the sudoers(5) manual for a list of supported arguments.
72     The same dynamic shared object may contain multiple plugins, each with a
73     different symbol name.  The file must be owned by user-ID 0 and only
74     writable by its owner.  Because of ambiguities that arise from composite
75     policies, only a single policy plugin may be specified.  This limitation
76     does not apply to I/O plugins.
78     If no sudo.conf file is present, or if it contains no Plugin lines, the
79     sudoers plugin will be used as the default security policy, for I/O log‐
80     ging (if enabled by the policy), and for auditing.  This is equivalent to
81     the following:
83         Plugin sudoers_policy sudoers.so
84         Plugin sudoers_io sudoers.so
85         Plugin sudoers_audit sudoers.so
87     Starting with sudo version 1.9.1, some of the logging functionality of
88     the sudoers plugin has been moved from the policy plugin to an audit
89     plugin.  To maintain compatibility with sudo.conf files from older sudo
90     versions, if sudoers is configured as the security policy, it will be
91     used as an audit plugin as well.  This guarantees that the logging behav‐
92     ior will be consistnet with that of sudo versions 1.9.0 and below.
94     For more information on the sudo plugin architecture, see the
95     sudo_plugin(5) manual.
97   Path settings
98     A Path line consists of the Path keyword, followed by the name of the
99     path to set and its value.  For example:
101         Path intercept disabled
102         Path noexec /usr/libexec/sudo/sudo_noexec.so
103         Path askpass /usr/X11R6/bin/ssh-askpass
105     If no path name is specified, features relying on the specified setting
106     will be disabled.  Disabling Path settings is only supported in sudo ver‐
107     sion 1.8.16 and higher.
109     The following plugin-agnostic paths may be set in the /etc/sudo.conf
110     file:
112     askpass
113           The fully qualified path to a helper program used to read the
114           user's password when no terminal is available.  This may be the
115           case when sudo is executed from a graphical (as opposed to text-
116           based) application.  The program specified by askpass should dis‐
117           play the argument passed to it as the prompt and write the user's
118           password to the standard output.  The value of askpass may be over‐
119           ridden by the SUDO_ASKPASS environment variable.
121     devsearch
122           An ordered, colon-separated search path of directories to look in
123           for device nodes.  This is used when mapping the process's tty de‐
124           vice number to a device name on systems that do not provide such a
125           mechanism.  Sudo will not recurse into sub-directories.  If termi‐
126           nal devices may be located in a sub-directory of /dev, that path
127           must be explicitly listed in devsearch.  The default value is
128           /dev/pts:/dev/vt:/dev/term:/dev/zcons:/dev/pty:/dev
130           This option is ignored on systems that support either the devname()
131           or _ttyname_dev() functions, for example BSD, macOS and Solaris.
133     intercept
134           The fully-qualified path to a shared library containing a wrappers
135           for the execve(2), execl(3), execle(3), execlp(3), execv(3),
136           execvp(3), execvpe(3), and system(3) library functions that inter‐
137           cepts attempts to run further commands and performs a policy check
138           before allowing them to be executed.  This is used to implement the
139           intercept functionality on systems that support LD_PRELOAD or its
140           equivalent.  The default value is disabled.
142     noexec
143           The fully-qualified path to a shared library containing wrappers
144           for the execve(2), execl(3), execle(3), execlp(3), exect(3),
145           execv(3), execveat(3), execvP(3), execvp(3), execvpe(3),
146           fexecve(3), popen(3), posix_spawn(3), posix_spawnp(3), system(3),
147           and wordexp(3) library functions that prevent the execution of fur‐
148           ther commands.  This is used to implement the noexec functionality
149           on systems that support LD_PRELOAD or its equivalent.  The default
150           value is /usr/libexec/sudo/sudo_noexec.so.
152     plugin_dir
153           The default directory to use when searching for plugins that are
154           specified without a fully qualified path name.  The default value
155           is /usr/libexec/sudo.
157     sesh  The fully-qualified path to the sesh binary.  This setting is only
158           used when sudo is built with SELinux support.  The default value is
159           /usr/libexec/sudo/sesh.
161   Other settings
162     The sudo.conf file also supports the following front-end settings:
164     disable_coredump
165           Core dumps of sudo itself are disabled by default to prevent the
166           disclosure of potentially sensitive information.  To aid in debug‐
167           ging sudo crashes, you may wish to re-enable core dumps by setting
168           “disable_coredump” to false in sudo.conf as follows:
170               Set disable_coredump false
172           All modern operating systems place restrictions on core dumps from
173           set-user-ID processes like sudo so this option can be enabled with‐
174           out compromising security.  To actually get a sudo core file you
175           will likely need to enable core dumps for set-user-ID processes.
176           On BSD and Linux systems this is accomplished in the sysctl(8) com‐
177           mand.  On Solaris, the coreadm(1m) command is used to configure
178           core dump behavior.
180           This setting is only available in sudo version 1.8.4 and higher.
182     group_source
183           sudo passes the invoking user's group list to the policy and I/O
184           plugins.  On most systems, there is an upper limit to the number of
185           groups that a user may belong to simultaneously (typically 16 for
186           compatibility with NFS).  On systems with the getconf(1) utility,
187           running:
188                 getconf NGROUPS_MAX
189           will return the maximum number of groups.
191           However, it is still possible to be a member of a larger number of
192           groups--they simply won't be included in the group list returned by
193           the kernel for the user.  Starting with sudo version 1.8.7, if the
194           user's kernel group list has the maximum number of entries, sudo
195           will consult the group database directly to determine the group
196           list.  This makes it possible for the security policy to perform
197           matching by group name even when the user is a member of more than
198           the maximum number of groups.
200           The group_source setting allows the administrator to change this
201           default behavior.  Supported values for group_source are:
203           static
204                 Use the static group list that the kernel returns.  Retriev‐
205                 ing the group list this way is very fast but it is subject to
206                 an upper limit as described above.  It is “static” in that it
207                 does not reflect changes to the group database made after the
208                 user logs in.  This was the default behavior prior to sudo
209                 1.8.7.
211           dynamic
212                 Always query the group database directly.  It is “dynamic” in
213                 that changes made to the group database after the user logs
214                 in will be reflected in the group list.  On some systems,
215                 querying the group database for all of a user's groups can be
216                 time consuming when querying a network-based group database.
217                 Most operating systems provide an efficient method of per‐
218                 forming such queries.  Currently, sudo supports efficient
219                 group queries on AIX, BSD, HP-UX, Linux, macOS, and Solaris.
220                 This is the default behavior on macOS in sudo 1.9.6 and
221                 higher.
223           adaptive
224                 Only query the group database if the static group list re‐
225                 turned by the kernel has the maximum number of entries.  This
226                 is the default behavior on systems other than macOS in sudo
227                 1.8.7 and higher.
229           For example, to cause sudo to only use the kernel's static list of
230           groups for the user:
232               Set group_source static
234           This setting is only available in sudo version 1.8.7 and higher.
236     max_groups
237           The maximum number of user groups to retrieve from the group data‐
238           base.  Values less than one or larger than 1024 will be ignored.
239           This setting is only used when querying the group database di‐
240           rectly.  It is intended to be used on systems where it is not pos‐
241           sible to detect when the array to be populated with group entries
242           is not sufficiently large.  By default, sudo will allocate four
243           times the system's maximum number of groups (see above) and retry
244           with double that number if the group database query fails.
246           This setting is only available in sudo version 1.8.7 and higher.
247           It should not be required in sudo versions 1.8.24 and higher and
248           may be removed in a later release.
250     probe_interfaces
251           By default, sudo will probe the system's network interfaces and
252           pass the IP address of each enabled interface to the policy plugin.
253           This makes it possible for the plugin to match rules based on the
254           IP address without having to query DNS.  On Linux systems with a
255           large number of virtual interfaces, this may take a non-negligible
256           amount of time.  If IP-based matching is not required, network in‐
257           terface probing can be disabled as follows:
259               Set probe_interfaces false
261           This setting is only available in sudo version 1.8.10 and higher.
263   Debug settings
264     sudo versions 1.8.4 and higher support a flexible debugging framework
265     that can log what sudo is doing internally if there is a problem.
267     A Debug line consists of the Debug keyword, followed by the name of the
268     program, plugin, or shared object to debug, the debug file name, and a
269     comma-separated list of debug flags.  The debug flag syntax used by sudo,
270     the sudoers plugin along with its associated programs and shared objects
271     is subsystem@priority but a third-party plugin is free to use a different
272     format so long as it does not include a comma (‘,’).
274     Examples:
276         Debug sudo /var/log/sudo_debug all@warn,plugin@info
278     would log all debugging statements at the warn level and higher in addi‐
279     tion to those at the info level for the plugin subsystem.
281         Debug sudo_intercept.so /var/log/intercept_debug all@debug
283     would log all debugging statements, regardless of level, for the
284     sudo_intercept.so shared library that implements sudo's intercept func‐
285     tionality on some systems.
287     As of sudo 1.8.12, multiple Debug entries may be specified per program.
288     Older versions of sudo only support a single Debug entry per program.
289     Plugin-specific Debug entries are also supported starting with sudo
290     1.8.12 and are matched by either the base name of the plugin that was
291     loaded (for example sudoers.so) or by the plugin's fully-qualified path
292     name.  Previously, the sudoers plugin shared the same Debug entry as the
293     sudo front-end and could not be configured separately.
295     The following priorities are supported, in order of decreasing severity:
296     crit, err, warn, notice, diag, info, trace, and debug.  Each priority,
297     when specified, also includes all priorities higher than it.  For exam‐
298     ple, a priority of notice would include debug messages logged at notice
299     and higher.
301     The priorities trace and debug also include function call tracing which
302     logs when a function is entered and when it returns.  For example, the
303     following trace is for the get_user_groups() function located in
304     src/sudo.c:
306         sudo[123] -> get_user_groups @ src/sudo.c:385
307         sudo[123] <- get_user_groups @ src/sudo.c:429 := groups=10,0,5
309     When the function is entered, indicated by a right arrow ‘->’, the pro‐
310     gram, process ID, function, source file, and line number are logged.
311     When the function returns, indicated by a left arrow ‘<-’, the same in‐
312     formation is logged along with the return value.  In this case, the re‐
313     turn value is a string.
315     The following subsystems are used by the sudo front-end:
317     all         matches every subsystem
319     args        command line argument processing
321     conv        user conversation
323     edit        sudoedit
325     event       event subsystem
327     exec        command execution
329     main        sudo main function
331     netif       network interface handling
333     pcomm       communication with the plugin
335     plugin      plugin configuration
337     pty         pseudo-terminal related code
339     selinux     SELinux-specific handling
341     util        utility functions
343     utmp        utmp handling
345     The sudoers(5) plugin includes support for additional subsystems.


348     /etc/sudo.conf            sudo front-end configuration


351     #
352     # Default /etc/sudo.conf file
353     #
354     # Sudo plugins:
355     #   Plugin plugin_name plugin_path plugin_options ...
356     #
357     # The plugin_path is relative to /usr/libexec/sudo unless
358     #   fully qualified.
359     # The plugin_name corresponds to a global symbol in the plugin
360     #   that contains the plugin interface structure.
361     # The plugin_options are optional.
362     #
363     # The sudoers plugin is used by default if no Plugin lines are present.
364     #Plugin sudoers_policy sudoers.so
365     #Plugin sudoers_io sudoers.so
366     #Plugin sudoers_audit sudoers.so
368     #
369     # Sudo askpass:
370     #   Path askpass /path/to/askpass
371     #
372     # An askpass helper program may be specified to provide a graphical
373     # password prompt for "sudo -A" support.  Sudo does not ship with its
374     # own askpass program but can use the OpenSSH askpass.
375     #
376     # Use the OpenSSH askpass
377     #Path askpass /usr/X11R6/bin/ssh-askpass
378     #
379     # Use the Gnome OpenSSH askpass
380     #Path askpass /usr/libexec/openssh/gnome-ssh-askpass
382     #
383     # Sudo device search path:
384     #   Path devsearch /dev/path1:/dev/path2:/dev
385     #
386     # A colon-separated list of paths to check when searching for a user's
387     # terminal device.
388     #
389     #Path devsearch /dev/pts:/dev/vt:/dev/term:/dev/zcons:/dev/pty:/dev
391     #
392     # Sudo command interception:
393     #   Path intercept /path/to/sudo_intercept.so
394     #
395     # Path to a shared library containing replacements for the execv()
396     # and execve() library functions that perform a policy check to verify
397     # the command is allowed and simply return an error if not.  This is
398     # used to implement the "intercept" functionality on systems that
399     # support LD_PRELOAD or its equivalent.
400     #
401     # The compiled-in value is usually sufficient and should only be changed
402     # if you rename or move the sudo_intercept.so file.
403     #
404     #Path intercept disabled
406     #
407     # Sudo noexec:
408     #   Path noexec /path/to/sudo_noexec.so
409     #
410     # Path to a shared library containing replacements for the execv()
411     # family of library functions that just return an error.  This is
412     # used to implement the "noexec" functionality on systems that support
413     # LD_PRELOAD or its equivalent.
414     #
415     # The compiled-in value is usually sufficient and should only be changed
416     # if you rename or move the sudo_noexec.so file.
417     #
418     #Path noexec /usr/libexec/sudo/sudo_noexec.so
420     #
421     # Sudo plugin directory:
422     #   Path plugin_dir /path/to/plugins
423     #
424     # The default directory to use when searching for plugins that are
425     # specified without a fully qualified path name.
426     #
427     #Path plugin_dir /usr/libexec/sudo
429     #
430     # Core dumps:
431     #   Set disable_coredump true|false
432     #
433     # By default, sudo disables core dumps while it is executing (they
434     # are re-enabled for the command that is run).
435     # To aid in debugging sudo problems, you may wish to enable core
436     # dumps by setting "disable_coredump" to false.
437     #
438     #Set disable_coredump false
440     #
441     # User groups:
442     #   Set group_source static|dynamic|adaptive
443     #
444     # Sudo passes the user's group list to the policy plugin.
445     # If the user is a member of the maximum number of groups (usually 16),
446     # sudo will query the group database directly to be sure to include
447     # the full list of groups.
448     #
449     # On some systems, this can be expensive so the behavior is configurable.
450     # The "group_source" setting has three possible values:
451     #   static   - use the user's list of groups returned by the kernel.
452     #   dynamic  - query the group database to find the list of groups.
453     #   adaptive - if user is in less than the maximum number of groups.
454     #              use the kernel list, else query the group database.
455     #
456     #Set group_source static
458     #
459     # Sudo interface probing:
460     #   Set probe_interfaces true|false
461     #
462     # By default, sudo will probe the system's network interfaces and
463     # pass the IP address of each enabled interface to the policy plugin.
464     # On systems with a large number of virtual interfaces this may take
465     # a noticeable amount of time.
466     #
467     #Set probe_interfaces false
469     #
470     # Sudo debug files:
471     #   Debug program /path/to/debug_log subsystem@priority[,subsyste@priority]
472     #
473     # Sudo and related programs support logging debug information to a file.
474     # The program is typically sudo, sudoers.so, sudoreplay, or visudo.
475     #
476     # Subsystems vary based on the program; "all" matches all subsystems.
477     # Priority may be crit, err, warn, notice, diag, info, trace, or debug.
478     # Multiple subsystem@priority may be specified, separated by a comma.
479     #
480     #Debug sudo /var/log/sudo_debug all@debug
481     #Debug sudoers.so /var/log/sudoers_debug all@debug


484     sudo_plugin(5), sudoers(5), sudo(8)


487     Many people have worked on sudo over the years; this version consists of
488     code written primarily by:
490           Todd C. Miller
492     See the CONTRIBUTORS.md file in the sudo distribution
493     (https://www.sudo.ws/about/contributors/) for an exhaustive list of peo‐
494     ple who have contributed to sudo.


497     If you believe you have found a bug in sudo, you can submit a bug report
498     at https://bugzilla.sudo.ws/


501     Limited free support is available via the sudo-users mailing list, see
502     https://www.sudo.ws/mailman/listinfo/sudo-users to subscribe or search
503     the archives.


506     sudo is provided “AS IS” and any express or implied warranties, includ‐
507     ing, but not limited to, the implied warranties of merchantability and
508     fitness for a particular purpose are disclaimed.  See the LICENSE.md file
509     distributed with sudo or https://www.sudo.ws/about/license/ for complete
510     details.
512Sudo 1.9.14p3                  January 16, 2023                  Sudo 1.9.14p3