diff -up /dev/null sudo-1.6.9p12/sesh.c --- /dev/null 2008-02-05 17:16:01.642928004 +0100 +++ sudo-1.6.9p12/sesh.c 2008-02-06 13:06:50.000000000 +0100 @@ -0,0 +1,46 @@ +#include +#include +#include +#include +#include +#include + +main (int argc, char **argv) { + char buf[PATH_MAX]; + pid_t pid; + if ( argc < 2 ) { + fprintf(stderr,"%s: Requires at least one argument\n", argv[0]); + exit(-1); + } + + if ((pid = fork()) < 0) { + snprintf(buf, sizeof(buf), "%s: Couldn't fork",argv[0]); + perror(buf); + exit(-1); + } else if (pid > 0) { + /* Parent */ + int status; + int ret; + + do { + if ((ret = waitpid(pid, &status, 0)) < 0 && errno == EINTR) + continue; + else if (ret < 0) { + perror("waitpid failed"); + exit(1); + } + } while (0); + + if (WIFEXITED(status)) + exit(WEXITSTATUS(status)); + else + exit(1); + } else { + /* Child */ + execv(argv[1], &argv[1]); + + snprintf(buf, sizeof(buf), "%s: Error execing %s", argv[0], argv[1]); + perror(buf); + exit(-1); + } +} diff -up sudo-1.6.9p12/configure.in.selinux sudo-1.6.9p12/configure.in --- sudo-1.6.9p12/configure.in.selinux 2008-02-06 12:45:07.000000000 +0100 +++ sudo-1.6.9p12/configure.in 2008-02-06 13:06:50.000000000 +0100 @@ -102,7 +102,7 @@ dnl dnl Initial values for Makefile variables listed above dnl May be overridden by environment variables.. dnl -PROGS="sudo visudo" +PROGS="sudo visudo sesh" : ${MANTYPE='man'} : ${mansrcdir='.'} : ${SUDOERS_MODE='0440'} diff -up /dev/null sudo-1.6.9p12/selinux.c --- /dev/null 2008-02-05 17:16:01.642928004 +0100 +++ sudo-1.6.9p12/selinux.c 2008-02-06 13:06:50.000000000 +0100 @@ -0,0 +1,425 @@ +/* + * Copyright (c) 2008 Dan Walsh + * + * Borrowed heavily from newrole source code + * Authors: + * Anthony Colatrella + * Tim Fraser + * Steve Grubb + * Darrel Goeddel + * Michael Thompson + * Dan Walsh + * + * Permission to use, copy, modify, and distribute this software for any + * purpose with or without fee is hereby granted, provided that the above + * copyright notice and this permission notice appear in all copies. + * + * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES + * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF + * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR + * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES + * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN + * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF + * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. + * + */ +#ifdef WITH_SELINUX +#include +#include +#include +#ifdef STDC_HEADERS +# include +# include +#else +# ifdef HAVE_STDLIB_H +# include +# endif +#endif /* STDC_HEADERS */ +#ifdef HAVE_STRING_H +# if defined(HAVE_MEMORY_H) && !defined(STDC_HEADERS) +# include +# endif +# include +#else +# ifdef HAVE_STRINGS_H +# include +# endif +#endif /* HAVE_STRING_H */ +#ifdef HAVE_UNISTD_H +# include +#endif /* HAVE_UNISTD_H */ +#include +#include +#include + +#ifdef WITH_AUDIT +#include +#endif + +#include "sudo.h" + +#include + +#ifdef USE_AUDIT +#include +#endif + +#include /* for SECCLASS_CHR_FILE */ +#include /* for is_selinux_enabled() */ +#include /* for context-mangling functions */ +#include +#include + +/** + * This function attempts to revert the relabeling done to the tty. + * fd - referencing the opened ttyn + * ttyn - name of tty to restore + * tty_context - original context of the tty + * new_tty_context - context tty was relabeled to + * + * Returns zero on success, non-zero otherwise + */ +static int restore_tty_label(int fd, const char *ttyn, + security_context_t tty_context, + security_context_t new_tty_context) +{ + int rc = 0; + security_context_t chk_tty_context = NULL; + + if (!ttyn) + goto skip_relabel; + + if (!new_tty_context) + goto skip_relabel; + + /* Verify that the tty still has the context set by newrole. */ + if ((rc = fgetfilecon(fd, &chk_tty_context)) < 0) { + fprintf(stderr, "Could not fgetfilecon %s.\n", ttyn); + goto skip_relabel; + } + + if ((rc = strcmp(chk_tty_context, new_tty_context))) { + fprintf(stderr, "%s changed labels.\n", ttyn); + goto skip_relabel; + } + + if ((rc = fsetfilecon(fd, tty_context)) < 0) + fprintf(stderr, + "Warning! Could not restore context for %s\n", ttyn); + skip_relabel: + freecon(chk_tty_context); + return rc; +} + +/** + * This function attempts to relabel the tty. If this function fails, then + * the fd is closed, the contexts are free'd and -1 is returned. On success, + * a valid fd is returned and tty_context and new_tty_context are set. + * + * This function will not fail if it can not relabel the tty when selinux is + * in permissive mode. + */ +static int relabel_tty(const char *ttyn, security_context_t new_context, + security_context_t * tty_context, + security_context_t * new_tty_context) +{ + int fd; + int enforcing = security_getenforce(); + security_context_t tty_con = NULL; + security_context_t new_tty_con = NULL; + + if (!ttyn) + return 0; + + if (enforcing < 0) { + fprintf(stderr, "Could not determine enforcing mode.\n"); + return -1; + } + + /* Re-open TTY descriptor */ + fd = open(ttyn, O_RDWR | O_NONBLOCK); + if (fd < 0) { + fprintf(stderr, "Error! Could not open %s.\n", ttyn); + return fd; + } + fcntl(fd, F_SETFL, fcntl(fd, F_GETFL, 0) & ~O_NONBLOCK); + + if (fgetfilecon(fd, &tty_con) < 0) { + fprintf(stderr, "%s! Could not get current context " + "for %s, not relabeling tty.\n", + enforcing ? "Error" : "Warning", ttyn); + if (enforcing) + goto close_fd; + } + + if (tty_con && + (security_compute_relabel(new_context, tty_con, + SECCLASS_CHR_FILE, &new_tty_con) < 0)) { + fprintf(stderr, "%s! Could not get new context for %s, " + "not relabeling tty.\n", + enforcing ? "Error" : "Warning", ttyn); + if (enforcing) + goto close_fd; + } + + if (new_tty_con) + if (fsetfilecon(fd, new_tty_con) < 0) { + fprintf(stderr, + "%s! Could not set new context for %s\n", + enforcing ? "Error" : "Warning", ttyn); + freecon(new_tty_con); + new_tty_con = NULL; + if (enforcing) + goto close_fd; + } + + *tty_context = tty_con; + *new_tty_context = new_tty_con; + return fd; + + close_fd: + freecon(tty_con); + close(fd); + return -1; +} + +security_context_t get_exec_context(security_context_t old_context, char *role_s, char *type_s) { + + /* our target security ID ("sid") */ + security_context_t new_context=NULL; + + /* manipulatable form of context_s */ + context_t context; + + if( !role_s ) { + fprintf(stderr,"You must specify a role.\n"); + return NULL; + } + + + /* + * Get the SID and context of the caller, and extract + * the username from the context. Don't rely on the Linux + * uid information - it isn't trustworthy. + */ + + /* + * Create a context structure so that we extract and modify + * components easily. + */ + context=context_new(old_context); + + /* + * + * Step 3: Construct a new SID based on our old SID and the + * arguments specified on the command line. + * + */ + + /* The first step in constructing a new SID for the new shell we * + * plan to exec is to take our old context in `context' as a * + * starting point, and modify it according to the options the user * + * specified on the command line. */ + + /* If the user specified a new role on the command line (if `role_s' * + * is set), then replace the old role in `context' with this new role. */ + if( !type_s ) { + if( get_default_type(role_s,&type_s) ) + { + fprintf(stderr,"Couldn't get default type.\n"); + goto err; + } + } + + if( context_role_set(context,role_s)) { + fprintf(stderr,"failed to set new role %s\n",role_s); + goto err; + } + + /* If the user specified a new type on the command line (if `type_s' * + * is set), then replace the old type in `context' with this new type. */ + if( type_s ) { + if( context_type_set(context,type_s)) { + fprintf(stderr,"failed to set new type %s\n",type_s); + goto err; + } + } /* if user specified new type */ + + /* The second step in creating the new SID is to convert our modified * + * `context' structure back to a context string and then to a SID. */ + + /* Make `context_s' point to a string version of the new `context'. */ + if( !(new_context=strdup(context_str(context)))) { + fprintf(stderr,"failed to convert new context to string\n" ); + goto err; + } + + if (security_check_context(new_context) < 0) { + fprintf(stderr, "%s is not a valid context\n", new_context); + goto err; + } + +#ifdef DEBUG + printf("Your new context is %s\n",new_context); +#endif + + context_free(context); + return new_context; + + err: + context_free(context); + freecon(new_context); + return NULL; + +} + +void selinux_exec(char *role_s, char *type_s, char *safe_cmd, int NewArgc, char **NewArgv, char **environ){ + pid_t childPid = 0; + int ttyfd = -1; + /* our original securiy ID ("old_context") */ + security_context_t old_context=NULL; + + /* security context to change to while running command*/ + security_context_t new_tty_context=NULL; + /* current security context of tty */ + security_context_t tty_context=NULL; + + char *ttyn = NULL; /* tty path */ + + /* our target security ID ("sid") */ + security_context_t new_context=NULL; + /* Put the caller's SID into `old_context'. */ + if (getprevcon(&old_context)) { + fprintf(stderr,"failed to get old_context.\n"); + exit(-1); + } + +#ifdef DEBUG + printf( "Your old context was %s\n", old_context ); +#endif + new_context=get_exec_context(old_context, role_s,type_s); + if (! new_context) { + fprintf(stderr, "Could not set exec context to %s.\n", new_context); + exit(-1); + } + + ttyn = ttyname(STDIN_FILENO); + if (!ttyn || *ttyn == '\0') { + fprintf(stderr, + "Warning! Could not retrieve tty information.\n"); + } + + ttyfd = relabel_tty(ttyn, new_context, &tty_context, &new_tty_context); + if (ttyfd < 0) { + fprintf(stderr, "Could not setup tty context for %s.\n", new_context); + exit(-1); + } + +#ifdef DEBUG + printf("Your old tty context is %s\n",tty_context); + printf("Your new tty context is %s\n",new_tty_context); +#endif + + + childPid = fork(); + if (childPid < 0) { + /* fork failed, no child to worry about */ + int errsv = errno; + fprintf(stderr, "newrole: failure forking: %s", + strerror(errsv)); + if (restore_tty_label(ttyfd, ttyn, tty_context, new_tty_context)) + fprintf(stderr, "Unable to restore tty label...\n"); + if (close(ttyfd)) + fprintf(stderr, "Failed to close tty properly\n"); + goto err; + } else if (childPid) { + /* PARENT + * It doesn't make senes to exit early on errors at this point, + * since we are doing cleanup which needs to be done. + * We can exit with a bad rc though + */ + pid_t pid; + int exit_code = 0; + int status; + + do { + pid = wait(&status); + } while (pid < 0 && errno == EINTR); + + /* Preserve child exit status, unless there is another error. */ + if (WIFEXITED(status)) + exit_code = WEXITSTATUS(status); + + if (restore_tty_label(ttyfd, ttyn, tty_context, new_tty_context)) { + fprintf(stderr, "Unable to restore tty label...\n"); + exit_code = -1; + } + freecon(tty_context); + freecon(new_tty_context); + if (close(ttyfd)) { + fprintf(stderr, "Failed to close tty properly\n"); + exit_code = -1; + } + exit(exit_code); + } + /* CHILD */ + /* Close the tty and reopen descriptors 0 through 2 */ + if (ttyn) { + if (close(ttyfd) || close(0) || close(1) || close(2)) { + fprintf(stderr, "Could not close descriptors.\n"); + goto err; + } + ttyfd = open(ttyn, O_RDONLY | O_NONBLOCK); + if (ttyfd != 0) + goto err; + fcntl(ttyfd, F_SETFL, fcntl(ttyfd, F_GETFL, 0) & ~O_NONBLOCK); + ttyfd = open(ttyn, O_RDWR | O_NONBLOCK); + if (ttyfd != 1) + goto err; + fcntl(ttyfd, F_SETFL, fcntl(ttyfd, F_GETFL, 0) & ~O_NONBLOCK); + ttyfd = open(ttyn, O_RDWR | O_NONBLOCK); + if (ttyfd != 2) + goto err; + fcntl(ttyfd, F_SETFL, fcntl(ttyfd, F_GETFL, 0) & ~O_NONBLOCK); + } + if (setexeccon(new_context)) { + fprintf(stderr, "Could not set exec context to %s.\n", + new_context); + goto err; + } + +#ifdef USE_AUDIT + if (send_audit_message(1, old_context, new_context, ttyn)) + goto err; +#endif + + { + /* + SELinux will only not transition properly with the following + code. Basically if the user chooses to use a different security + context. We need to start the selinux shell, before executing + the command. This way the process transition will happen + correctly. For example if they user wants to run rpm from + sysadm_r. Sudo will exec the /usr/sbin/sesh followed by the + specified command.*/ + char **dst, **src = NewArgv+1; + NewArgv = (char **) emalloc2((++NewArgc + 1), sizeof(char *)); + NewArgv[0] = estrdup("/usr/sbin/sesh"); + NewArgv[1] = safe_cmd; + safe_cmd = estrdup("/usr/sbin/sesh"); + /* copy the args from Argv */ + for (dst = NewArgv + 2; (*dst = *src) != NULL; ++src, ++dst) + ; + } + freecon(old_context); + freecon(new_context); + + execve(safe_cmd, NewArgv, environ); /* run the command */ + + perror("failed to exec shell\n"); + err: + freecon(old_context); + freecon(new_context); + exit(-1); +} +#endif /* WITH_SELINUX */ diff -up sudo-1.6.9p12/Makefile.in.selinux sudo-1.6.9p12/Makefile.in --- sudo-1.6.9p12/Makefile.in.selinux 2008-02-06 12:45:07.000000000 +0100 +++ sudo-1.6.9p12/Makefile.in 2008-02-06 13:08:50.000000000 +0100 @@ -43,7 +43,8 @@ INSTALL = $(SHELL) $(srcdir)/install-sh # Libraries LIBS = @LIBS@ NET_LIBS = @NET_LIBS@ -SUDO_LIBS = @SUDO_LIBS@ @AFS_LIBS@ @GETGROUPS_LIB@ $(LIBS) $(NET_LIBS) +SELINUX_LIBS = -lselinux +SUDO_LIBS = @SUDO_LIBS@ @AFS_LIBS@ @GETGROUPS_LIB@ $(LIBS) $(NET_LIBS) $(SELINUX_LIBS) # C preprocessor flags CPPFLAGS = -I. -I$(srcdir) @CPPFLAGS@ @@ -91,7 +92,7 @@ sudoers_gid = @SUDOERS_GID@ sudoers_mode = @SUDOERS_MODE@ # Pass in paths and uid/gid + OS dependent defined -DEFS = @OSDEFS@ -D_PATH_SUDOERS=\"$(sudoersdir)/sudoers\" -D_PATH_SUDOERS_TMP=\"$(sudoersdir)/sudoers.tmp\" -DSUDOERS_UID=$(sudoers_uid) -DSUDOERS_GID=$(sudoers_gid) -DSUDOERS_MODE=$(sudoers_mode) +DEFS = @OSDEFS@ -D_PATH_SUDOERS=\"$(sudoersdir)/sudoers\" -D_PATH_SUDOERS_TMP=\"$(sudoersdir)/sudoers.tmp\" -DSUDOERS_UID=$(sudoers_uid) -DSUDOERS_GID=$(sudoers_gid) -DSUDOERS_MODE=$(sudoers_mode) -DWITH_SELINUX #### End of system configuration section. #### @@ -105,7 +106,7 @@ SRCS = alloc.c alloca.c check.c closefro logging.c memrchr.c mkstemp.c parse.c parse.lex parse.yacc set_perms.c \ sigaction.c snprintf.c strcasecmp.c strerror.c strlcat.c strlcpy.c \ sudo.c sudo_noexec.c sudo.tab.c sudo_edit.c testsudoers.c tgetpass.c \ - utimes.c visudo.c zero_bytes.c $(AUTH_SRCS) + utimes.c visudo.c zero_bytes.c $(AUTH_SRCS) selinux.c sesh.c AUTH_SRCS = auth/afs.c auth/aix_auth.c auth/bsdauth.c auth/dce.c auth/fwtk.c \ auth/kerb4.c auth/kerb5.c auth/pam.c auth/passwd.c auth/rfc1938.c \ @@ -124,11 +125,13 @@ AUDIT_OBJS = audit_help.o PARSEOBJS = sudo.tab.o lex.yy.o alloc.o defaults.o SUDOBJS = check.o env.o getspwuid.o gettime.o goodpath.o fileops.o find_path.o \ - interfaces.o logging.o parse.o set_perms.o sudo.o sudo_edit.o \ + interfaces.o logging.o parse.o set_perms.o sudo.o selinux.o sudo_edit.o \ tgetpass.o zero_bytes.o @SUDO_OBJS@ $(AUTH_OBJS) $(PARSEOBJS) $(AUDIT_OBJS) VISUDOBJS = visudo.o fileops.o gettime.o goodpath.o find_path.o $(PARSEOBJS) +SESH_OBJS = sesh.o + TESTOBJS = interfaces.o testsudoers.o $(PARSEOBJS) LIBOBJS = @LIBOBJS@ @ALLOCA@ @@ -149,7 +152,7 @@ DISTFILES = $(SRCS) $(HDRS) BUGS CHANGES BINFILES= BUGS CHANGES HISTORY LICENSE README TROUBLESHOOTING \ UPGRADE install-sh mkinstalldirs sample.syslog.conf sample.sudoers \ sudo sudo.cat sudo.man sudo.pod sudoers sudoers.cat sudoers.man \ - sudoers.pod visudo visudo.cat visudo.man visudo.pod + sudoers.pod visudo visudo.cat visudo.man visudo.pod sesh BINSPECIAL= INSTALL.binary Makefile.binary libtool @@ -181,6 +184,9 @@ sudo: $(SUDOBJS) $(LIBOBJS) visudo: $(VISUDOBJS) $(LIBOBJS) $(CC) -o $@ $(VISUDOBJS) $(LIBOBJS) $(LDFLAGS) $(LIBS) $(NET_LIBS) +sesh: $(SESH_OBJS) + $(CC) -o $@ $(SESH_OBJS) $(LDFLAGS) $(LIBS) + testsudoers: $(TESTOBJS) $(LIBOBJS) $(CC) -o $@ $(TESTOBJS) $(LIBOBJS) $(LDFLAGS) $(LIBS) $(NET_LIBS) @@ -222,6 +228,7 @@ logging.o: logging.c $(SUDODEP) set_perms.o: set_perms.c $(SUDODEP) tgetpass.o: tgetpass.c $(SUDODEP) visudo.o: visudo.c $(SUDODEP) version.h +sesh.o: sesh.c sudo.o: sudo.c $(SUDODEP) interfaces.h version.h interfaces.o: interfaces.c $(SUDODEP) interfaces.h testsudoers.o: testsudoers.c $(SUDODEP) parse.h interfaces.h @@ -320,6 +327,7 @@ install-binaries: $(PROGS) ln $(DESTDIR)$(sudodir)/sudo $(DESTDIR)$(sudodir)/sudoedit $(INSTALL) -O $(install_uid) -G $(install_gid) -M 0111 -s visudo $(DESTDIR)$(visudodir)/visudo + $(INSTALL) -O $(install_uid) -G $(install_gid) -M 0111 -s sesh $(DESTDIR)$(visudodir)/sesh install-noexec: sudo_noexec.la $(LIBTOOL) --mode=install $(INSTALL) sudo_noexec.la $(DESTDIR)$(noexecdir) diff -up sudo-1.6.9p12/sudo.c.selinux sudo-1.6.9p12/sudo.c --- sudo-1.6.9p12/sudo.c.selinux 2008-02-06 12:45:07.000000000 +0100 +++ sudo-1.6.9p12/sudo.c 2008-02-06 13:06:50.000000000 +0100 @@ -101,6 +101,14 @@ #include #endif +#ifdef WITH_SELINUX +#include +static char *role_s = NULL; /* role spec'd by user in argv[] */ +static char *type_s = NULL; /* type spec'd by user in argv[] */ +extern void selinux_exec(char *role_s, char *type_s, char *safe_cmnd, int NewArgc, char **NewArgv, char **environ); + +#endif + #include "sudo.h" #include "interfaces.h" #include "version.h" @@ -487,6 +495,12 @@ main(argc, argv, envp) if (ISSET(sudo_mode, MODE_BACKGROUND) && fork() > 0) exit(0); else { +#ifdef WITH_SELINUX + if( is_selinux_enabled() >0 && role_s) { + selinux_exec(role_s, type_s, safe_cmnd, NewArgc, NewArgv, environ); /* run the command */ + exit(-1); + } +#endif execve(safe_cmnd, NewArgv, environ); } #else @@ -817,6 +831,30 @@ parse_args(argc, argv) NewArgv++; break; #endif +#ifdef WITH_SELINUX + case 'r': + /* Must have an associated SELinux role. */ + if (NewArgv[1] == NULL) + usage(1); + + role_s = NewArgv[1]; + + /* Shift Argv over and adjust Argc. */ + NewArgc--; + NewArgv++; + break; + case 't': + /* Must have an associated SELinux type. */ + if (NewArgv[1] == NULL) + usage(1); + + type_s = NewArgv[1]; + + /* Shift Argv over and adjust Argc. */ + NewArgc--; + NewArgv++; + break; +#endif #ifdef HAVE_LOGIN_CAP_H case 'c': /* Must have an associated login class. */ @@ -1318,6 +1356,9 @@ usage(exit_val) #ifdef HAVE_BSD_AUTH_H " [-a auth_type]", #endif +#ifdef WITH_SELINUX + " [-r role] [-t type] ", +#endif #ifdef HAVE_LOGIN_CAP_H " [-c class|-]", #endif diff -up sudo-1.6.9p12/sudo.man.in.selinux sudo-1.6.9p12/sudo.man.in --- sudo-1.6.9p12/sudo.man.in.selinux 2008-01-14 13:22:57.000000000 +0100 +++ sudo-1.6.9p12/sudo.man.in 2008-02-06 13:06:50.000000000 +0100 @@ -159,6 +159,7 @@ sudo, sudoedit \- execute a command as a .PP \&\fBsudo\fR [\fB\-bEHPS\fR] [\fB\-a\fR\ \fIauth_type\fR] [\fB\-c\fR\ \fIclass\fR|\fI\-\fR] [\fB\-p\fR\ \fIprompt\fR] [\fB\-u\fR\ \fIusername\fR|\fI#uid\fR] +[\fB\-r\fR \fIrole\fR ] [\fB\-t\fR \fItype\fR ] [\fB\s-1VAR\s0\fR=\fIvalue\fR] {\fB\-i\fR\ |\ \fB\-s\fR\ |\ \fIcommand\fR} .PP \&\fBsudoedit\fR [\fB\-S\fR] [\fB\-a\fR\ \fIauth_type\fR] [\fB\-c\fR\ \fIclass\fR|\fI\-\fR] @@ -323,6 +324,16 @@ preserve the invoking user's group vecto \&\fBsudo\fR will initialize the group vector to the list of groups the target user is in. The real and effective group IDs, however, are still set to match the target user. +.IP "\-r" 4 +.IX Item "-r" +The \fB\-r\fR (\fRrole\fR) option causes the new (SELinux) security context to have the role specified by +\fIROLE\fR. +.IP "\-t" 4 +.IX Item "-t" +The \fB\-t\fR (\fRtype\fR) option causes the new (SELinux) security context to have the have the type (domain) +specified by +\fITYPE\fR. +If no type is specified, the default type is derived from the specified role. .IP "\-p" 4 .IX Item "-p" The \fB\-p\fR (\fIprompt\fR) option allows you to override the default