SUDO integration proposal using sudo policy plugin¶
SUDO plugin API¶
Since version 1.8 SUDO supports replacing standard policy behaviour using plugins.
Referral plugin API documentation can be found here: http://www.gratisoft.us/sudo/man/1.8.2/sudo_plugin.man.html
Basically to create a policy plugin, one must define a policy_plugin structure:
struct policy_plugin {
#define SUDO_POLICY_PLUGIN 1
unsigned int type; /* always SUDO_POLICY_PLUGIN */
unsigned int version; /* always SUDO_API_VERSION */
int (*open)(unsigned int version, sudo_conv_t conversation,
sudo_printf_t plugin_printf, char * const settings[],
char * const user_info[], char * const user_env[]);
void (*close)(int exit_status, int error);
int (*show_version)(int verbose);
int (*check_policy)(int argc, char * const argv[],
char *env_add[], char **command_info[],
char **argv_out[], char **user_env_out[]);
int (*list)(int argc, char * const argv[], int verbose,
const char *list_user);
int (*validate)(void);
void (*invalidate)(int remove);
int (*init_session)(struct passwd *pwd);
};
To use the plugin, just edit /etc/sudo.conf:
Plugin policy_struct_name plugin.so
Only one policy plugin may be configured.
The most important functions are open(), close() and check_policy().
open()¶
Initializes plugin with data passed by SUDO as arguments of this function.
close()¶
Does a data clean up and checks a return code of the command.
check_policy()¶
Determines whether the user can run the command or not.
Integration in SSSD¶
SSSD SUDO plugin¶
All decision logic is done by responder and therefore this plugin should be as light weight as possible.
Communication with responder is done by SSS CLI sockets interface.
SSSD SUDO responder¶
Plugin <=> responder protocol¶
Query¶
Byte array with format:
qualified_command_path\0argv[0]\0argv[i]\0\0env_add\0\0user_env\0\0settings\0\0user_info\0\0
where env_add, user_env, settings and user_info are in the form of NAME=VALUE pairs.
All fields are interpreted as char*.
qualified_command_path is a full name of executed command (/bin/ls, ./my-program)
argv[] arguments passed to executed programs
env_add environment variables that user wants to add
user_env current environment variables (provided in open() function by SUDO)
settings provided in open() function by SUDO (see plugin API open())
user_info provided in open() function by SUDO (see plugin API open())
Response¶
Byte array with format:
(result)argv\0\0command_info\0\0user_env\0\0
where command_info and user_env are in the form of NAME=VALUE pairs.
All fields except result are interpreted as char*.
result interpreted as an integer value
argv[] arguments passed to executed programs
command_info information about the command (see plugin API check_policy())
user_env environment variables that should be kept / added.