version 1.1, 2012/02/21 16:23:02 | version 1.1.1.5, 2013/10/14 07:56:34

SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) | SUDOERS(4) Programmer's Manual SUDOERS(4)
NAME
sudoers - default sudo security policy module | sudoers - default sudo security policy plugin
|
|
DESCRIPTION
The sudoers policy module determines a user's sudo privileges. It is | The sudoers policy plugin determines a user's sudo privileges. It is the
the default sudo policy plugin. The policy is driven by the | default sudo policy plugin. The policy is driven by the /etc/sudoers
/etc/sudoers file or, optionally in LDAP. The policy format is | file or, optionally in LDAP. The policy format is described in detail in
described in detail in the "SUDOERS FILE FORMAT" section. For | the SUDOERS FILE FORMAT section. For information on storing sudoers
information on storing sudoers policy information in LDAP, please see | policy information in LDAP, please see sudoers.ldap(4).
sudoers.ldap(4). |
|
|
Authentication and Logging | Configuring sudo.conf for sudoers
The _s_u_d_o_e_r_s security policy requires that most users authenticate | ssuuddoo consults the sudo.conf(4) file to determine which policy and and I/O |
themselves before they can use ssuuddoo. A password is not required if the | logging plugins to load. If no sudo.conf(4) file is present, or if it |
invoking user is root, if the target user is the same as the invoking | contains no Plugin lines, ssuuddooeerrss will be used for policy decisions and |
user, or if the policy has disabled authentication for the user or | I/O logging. To explicitly configure sudo.conf(4) to use the ssuuddooeerrss |
command. Unlike _s_u(1), when _s_u_d_o_e_r_s requires authentication, it | plugin, the following configuration can be used. |
validates the invoking user's credentials, not the target user's (or | |
root's) credentials. This can be changed via the _r_o_o_t_p_w, _t_a_r_g_e_t_p_w and | |
_r_u_n_a_s_p_w flags, described later. | |
|
|
If a user who is not listed in the policy tries to run a command via | Plugin sudoers_policy sudoers.so |
ssuuddoo, mail is sent to the proper authorities. The address used for | Plugin sudoers_io sudoers.so |
such mail is configurable via the _m_a_i_l_t_o Defaults entry (described | |
later) and defaults to root. | |
|
|
Note that mail will not be sent if an unauthorized user tries to run | Starting with ssuuddoo 1.8.5, it is possible to specify optional arguments to |
ssuuddoo with the --ll or --vv option. This allows users to determine for | the ssuuddooeerrss plugin in the sudo.conf(4) file. These arguments, if |
themselves whether or not they are allowed to use ssuuddoo. | present, should be listed after the path to the plugin (i.e. after |
| _s_u_d_o_e_r_s_._s_o). Multiple arguments may be specified, separated by white |
| space. For example: |
|
|
If ssuuddoo is run by root and the SUDO_USER environment variable is set, | Plugin sudoers_policy sudoers.so sudoers_mode=0400 |
the _s_u_d_o_e_r_s policy will use this value to determine who the actual user | |
is. This can be used by a user to log commands through sudo even when | |
a root shell has been invoked. It also allows the --ee option to remain | |
useful even when invoked via a sudo-run script or program. Note, | |
however, that the _s_u_d_o_e_r_s lookup is still done for root, not the user | |
specified by SUDO_USER. | |
|
|
_s_u_d_o_e_r_s uses time stamp files for credential caching. Once a user has | The following plugin arguments are supported: |
been authenticated, a time stamp is updated and the user may then use | |
sudo without a password for a short period of time (5 minutes unless | |
overridden by the _t_i_m_e_o_u_t option. By default, _s_u_d_o_e_r_s uses a tty-based | |
time stamp which means that there is a separate time stamp for each of | |
a user's login sessions. The _t_t_y___t_i_c_k_e_t_s option can be disabled to | |
force the use of a single time stamp for all of a user's sessions. | |
|
|
_s_u_d_o_e_r_s can log both successful and unsuccessful attempts (as well as | ldap_conf=pathname |
errors) to _s_y_s_l_o_g(3), a log file, or both. By default, _s_u_d_o_e_r_s will | The _l_d_a_p___c_o_n_f argument can be used to override the default path |
log via _s_y_s_l_o_g(3) but this is changeable via the _s_y_s_l_o_g and _l_o_g_f_i_l_e | to the _l_d_a_p_._c_o_n_f file. |
Defaults settings. | |
|
|
_s_u_d_o_e_r_s also supports logging a command's input and output streams. | ldap_secret=pathname |
I/O logging is not on by default but can be enabled using the _l_o_g___i_n_p_u_t | The _l_d_a_p___s_e_c_r_e_t argument can be used to override the default |
and _l_o_g___o_u_t_p_u_t Defaults flags as well as the LOG_INPUT and LOG_OUTPUT | path to the _l_d_a_p_._s_e_c_r_e_t file. |
command tags. | |
|
|
Command Environment | sudoers_file=pathname
Since environment variables can influence program behavior, _s_u_d_o_e_r_s | The _s_u_d_o_e_r_s___f_i_l_e argument can be used to override the default |
provides a means to restrict which variables from the user's | path to the _s_u_d_o_e_r_s file. |
environment are inherited by the command to be run. There are two | |
distinct ways _s_u_d_o_e_r_s can deal with environment variables. | |
|
|
By default, the _e_n_v___r_e_s_e_t option is enabled. This causes commands to | sudoers_uid=uid |
be executed with a minimal environment containing TERM, PATH, HOME, | The _s_u_d_o_e_r_s___u_i_d argument can be used to override the default |
MAIL, SHELL, LOGNAME, USER and USERNAME in addition to variables from | owner of the sudoers file. It should be specified as a numeric |
the invoking process permitted by the _e_n_v___c_h_e_c_k and _e_n_v___k_e_e_p options. | user ID. |
This is effectively a whitelist for environment variables. | |
|
|
If, however, the _e_n_v___r_e_s_e_t option is disabled, any variables not | sudoers_gid=gid |
explicitly denied by the _e_n_v___c_h_e_c_k and _e_n_v___d_e_l_e_t_e options are inherited | The _s_u_d_o_e_r_s___g_i_d argument can be used to override the default |
from the invoking process. In this case, _e_n_v___c_h_e_c_k and _e_n_v___d_e_l_e_t_e | group of the sudoers file. It must be specified as a numeric |
behave like a blacklist. Since it is not possible to blacklist all | group ID (not a group name). |
potentially dangerous environment variables, use of the default | |
_e_n_v___r_e_s_e_t behavior is encouraged. | |
|
|
In all cases, environment variables with a value beginning with () are | sudoers_mode=mode |
removed as they could be interpreted as bbaasshh functions. The list of | The _s_u_d_o_e_r_s___m_o_d_e argument can be used to override the default |
environment variables that ssuuddoo allows or denies is contained in the | file mode for the sudoers file. It should be specified as an |
output of sudo -V when run as root. | octal value. |
|
|
Note that the dynamic linker on most operating systems will remove | For more information on configuring sudo.conf(4), please refer to its |
variables that can control dynamic linking from the environment of | manual. |
setuid executables, including ssuuddoo. Depending on the operating system | |
this may include _RLD*, DYLD_*, LD_*, LDR_*, LIBPATH, SHLIB_PATH, and | |
others. These type of variables are removed from the environment | |
before ssuuddoo even begins execution and, as such, it is not possible for | |
ssuuddoo to preserve them. | |
|
|
As a special case, if sudo's -i option (initial login) is specified, | Authentication and logging
_s_u_d_o_e_r_s will initialize the environment regardless of the value of | The _s_u_d_o_e_r_s security policy requires that most users authenticate |
_e_n_v___r_e_s_e_t. The _D_I_S_P_L_A_Y, _P_A_T_H and _T_E_R_M variables remain unchanged; | themselves before they can use ssuuddoo. A password is not required if the |
_H_O_M_E, _M_A_I_L, _S_H_E_L_L, _U_S_E_R, and _L_O_G_N_A_M_E are set based on the target user. | invoking user is root, if the target user is the same as the invoking |
On Linux and AIX systems the contents of _/_e_t_c_/_e_n_v_i_r_o_n_m_e_n_t are also | user, or if the policy has disabled authentication for the user or |
included. All other environment variables are removed. | command. Unlike su(1), when _s_u_d_o_e_r_s requires authentication, it |
| validates the invoking user's credentials, not the target user's (or |
| root's) credentials. This can be changed via the _r_o_o_t_p_w, _t_a_r_g_e_t_p_w and |
| _r_u_n_a_s_p_w flags, described later. |
If a user who is not listed in the policy tries to run a command via
sudo, mail is sent to the proper authorities. The address used for such
mail is configurable via the mailto Defaults entry (described later) and
defaults to root.

Note that mail will not be sent if an unauthorized user tries to run sudo
with the -l or -v option. This allows users to determine for themselves
whether or not they are allowed to use sudo.

If sudo is run by root and the SUDO_USER environment variable is set, the
sudoers policy will use this value to determine who the actual user is.
This can be used by a user to log commands through sudo even when a root
shell has been invoked. It also allows the -e option to remain useful
even when invoked via a sudo-run script or program. Note, however, that
the sudoers lookup is still done for root, not the user specified by
SUDO_USER.

sudoers uses time stamp files for credential caching. Once a user has
been authenticated, the time stamp is updated and the user may then use
sudo without a password for a short period of time (5 minutes unless
overridden by the timeout option). By default, sudoers uses a tty-based
time stamp which means that there is a separate time stamp for each of a
user's login sessions. The tty_tickets option can be disabled to force
the use of a single time stamp for all of a user's sessions.

sudoers can log both successful and unsuccessful attempts (as well as
errors) to syslog(3), a log file, or both. By default, sudoers will log
via syslog(3) but this is changeable via the syslog and logfile Defaults
settings.

sudoers also supports logging a command's input and output streams. I/O
logging is not on by default but can be enabled using the log_input and
log_output Defaults flags as well as the LOG_INPUT and LOG_OUTPUT command
tags.

Command environment
Since environment variables can influence program behavior, sudoers
provides a means to restrict which variables from the user's environment
are inherited by the command to be run. There are two distinct ways
sudoers can deal with environment variables.

By default, the env_reset option is enabled. This causes commands to be
executed with a new, minimal environment. On AIX (and Linux systems
without PAM), the environment is initialized with the contents of the
/etc/environment file. On BSD systems, if the use_loginclass option is
enabled, the environment is initialized based on the path and setenv
settings in /etc/login.conf. The new environment contains the TERM,
PATH, HOME, MAIL, SHELL, LOGNAME, USER, USERNAME and SUDO_* variables in
addition to variables from the invoking process permitted by the
env_check and env_keep options. This is effectively a whitelist for
environment variables.

If, however, the env_reset option is disabled, any variables not
explicitly denied by the env_check and env_delete options are inherited
from the invoking process. In this case, env_check and env_delete behave
like a blacklist. Since it is not possible to blacklist all potentially
dangerous environment variables, use of the default env_reset behavior is
encouraged.

In all cases, environment variables with a value beginning with () are
removed as they could be interpreted as bash functions. The list of
environment variables that sudo allows or denies is contained in the
output of ``sudo -V'' when run as root.

Note that the dynamic linker on most operating systems will remove
variables that can control dynamic linking from the environment of setuid
executables, including sudo. Depending on the operating system this may
include _RLD*, DYLD_*, LD_*, LDR_*, LIBPATH, SHLIB_PATH, and others.
These types of variables are removed from the environment before sudo even
begins execution and, as such, it is not possible for sudo to preserve
them.

As a special case, if sudo's -i option (initial login) is specified,
sudoers will initialize the environment regardless of the value of
env_reset. The DISPLAY, PATH and TERM variables remain unchanged; HOME,
MAIL, SHELL, USER, and LOGNAME are set based on the target user. On AIX
(and Linux systems without PAM), the contents of /etc/environment are
also included. On BSD systems, if the use_loginclass option is enabled,
the path and setenv variables in /etc/login.conf are also applied. All
other environment variables are removed.

Finally, if the env_file option is defined, any variables present in that
file will be set to their specified values as long as they would not
conflict with an existing environment variable.
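The whitelist-versus-blacklist behaviour described above, as an added Python model; this is not sudo's code and not part of the manual. ENV_KEEP, ENV_CHECK and ENV_DELETE are abbreviated, assumed stand-ins for the lists ``sudo -V'' prints, and the rule that an env_check variable is passed through only when its value contains neither `%' nor `/' is sudo's documented env_check semantics but is not stated in this section, so treat it as an assumption here. The sample environment is constructed.

```python
import fnmatch

# Assumed, abbreviated stand-ins for the real lists (see ``sudo -V'' as root).
ENV_KEEP = {"COLORS", "DISPLAY", "HOSTNAME", "LS_COLORS", "XAUTHORITY"}
ENV_CHECK = {"COLORTERM", "LANG", "LC_*", "LINGUAS", "TERM", "TZ"}
ENV_DELETE = {"IFS", "CDPATH", "SHELLOPTS", "PS4", "BASH_ENV", "ENV",
              "PERL5LIB", "PYTHONPATH", "LD_*"}
# Variables env_reset always sets (real sudo derives their values itself; here they
# are simply carried over from the caller for illustration).
BASE_VARS = {"TERM", "PATH", "HOME", "MAIL", "SHELL", "LOGNAME", "USER", "USERNAME"}

# Constructed sample environment of the invoking user.
SAMPLE_USER_ENV = {
    "TERM": "xterm-256color",
    "PATH": "/usr/local/bin:/usr/bin:/bin",
    "HOME": "/home/alice",
    "LANG": "en_US.UTF-8",
    "LC_ALL": "/tmp/evil",                    # env_check: value contains '/'
    "DISPLAY": ":0",                          # env_keep
    "LD_PRELOAD": "/tmp/evil.so",             # env_delete (the loader strips it anyway)
    "BASH_FUNC_ls%%": "() {  /tmp/evil; }",   # exported bash function
    "NODE_OPTIONS": "--require /tmp/evil.js", # on no list at all
}


def _in(name, patterns):
    """Match a variable name against a set of names / shell-style patterns."""
    return any(fnmatch.fnmatchcase(name, p) for p in patterns)


def _check_ok(value):
    """env_check variables pass only when the value has no '%' or '/' (assumption, see lead-in)."""
    return "%" not in value and "/" not in value


def filter_env(user_env, env_reset=True):
    """Return the environment the command would receive under either mode."""
    out = {}
    for name, value in user_env.items():
        # In all cases: a value beginning with "()" is dropped (possible bash function).
        if value.startswith("()"):
            continue
        if env_reset:
            # Whitelist: base variables, env_keep, and env_check when the value is clean.
            keep = (name in BASE_VARS or _in(name, ENV_KEEP)
                    or (_in(name, ENV_CHECK) and _check_ok(value)))
        else:
            # Blacklist: anything not explicitly denied is inherited.
            denied = _in(name, ENV_DELETE) or (_in(name, ENV_CHECK) and not _check_ok(value))
            keep = not denied
        if keep:
            out[name] = value
    return out


if __name__ == "__main__":
    for mode in (True, False):
        print("env_reset" if mode else "!env_reset", sorted(filter_env(SAMPLE_USER_ENV, mode)))
```

With env_reset disabled, NODE_OPTIONS survives simply because nobody thought to list it, which is exactly why the manual recommends keeping env_reset on.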
|
|
SUDOERS FILE FORMAT
The _s_u_d_o_e_r_s file is composed of two types of entries: aliases | The _s_u_d_o_e_r_s file is composed of two types of entries: aliases (basically |
(basically variables) and user specifications (which specify who may | variables) and user specifications (which specify who may run what). |
run what). | |
|
|
When multiple entries match for a user, they are applied in order. | When multiple entries match for a user, they are applied in order. Where |
Where there are multiple matches, the last match is used (which is not | there are multiple matches, the last match is used (which is not |
necessarily the most specific match). | necessarily the most specific match). |
|
|
The _s_u_d_o_e_r_s grammar will be described below in Extended Backus-Naur | The _s_u_d_o_e_r_s grammar will be described below in Extended Backus-Naur Form |
Form (EBNF). Don't despair if you don't know what EBNF is; it is | (EBNF). Don't despair if you are unfamiliar with EBNF; it is fairly |
fairly simple, and the definitions below are annotated. | simple, and the definitions below are annotated. |
|
|
Quick guide to EBNF
EBNF is a concise and exact way of describing the grammar of a | EBNF is a concise and exact way of describing the grammar of a language. |
language. Each EBNF definition is made up of _p_r_o_d_u_c_t_i_o_n _r_u_l_e_s. E.g., | Each EBNF definition is made up of _p_r_o_d_u_c_t_i_o_n _r_u_l_e_s. E.g., |
|
|
symbol ::= definition | alternate1 | alternate2 ... | symbol ::= definition | alternate1 | alternate2 ... |
|
|
Each _p_r_o_d_u_c_t_i_o_n _r_u_l_e references others and thus makes up a grammar for | Each _p_r_o_d_u_c_t_i_o_n _r_u_l_e references others and thus makes up a grammar for |
the language. EBNF also contains the following operators, which many | the language. EBNF also contains the following operators, which many |
readers will recognize from regular expressions. Do not, however, | readers will recognize from regular expressions. Do not, however, |
confuse them with "wildcard" characters, which have different meanings. | confuse them with ``wildcard'' characters, which have different meanings. |
|
|
? Means that the preceding symbol (or group of symbols) is optional. | ? Means that the preceding symbol (or group of symbols) is optional.
That is, it may appear once or not at all. | That is, it may appear once or not at all.
|
|
* Means that the preceding symbol (or group of symbols) may appear | * Means that the preceding symbol (or group of symbols) may appear
zero or more times. | zero or more times.
|
|
+ Means that the preceding symbol (or group of symbols) may appear | + Means that the preceding symbol (or group of symbols) may appear
one or more times. | one or more times.
|
|
Parentheses may be used to group symbols together. For clarity, we | Parentheses may be used to group symbols together. For clarity, we will |
will use single quotes ('') to designate what is a verbatim character | use single quotes ('') to designate what is a verbatim character string |
string (as opposed to a symbol name). | (as opposed to a symbol name). |
|
|
Aliases
There are four kinds of aliases: User_Alias, Runas_Alias, Host_Alias | There are four kinds of aliases: User_Alias, Runas_Alias, Host_Alias and |
and Cmnd_Alias. | Cmnd_Alias. |
|
|
Alias ::= 'User_Alias' User_Alias (':' User_Alias)* | | Alias ::= 'User_Alias' User_Alias (':' User_Alias)* | |
'Runas_Alias' Runas_Alias (':' Runas_Alias)* | | 'Runas_Alias' Runas_Alias (':' Runas_Alias)* | |
'Host_Alias' Host_Alias (':' Host_Alias)* | | 'Host_Alias' Host_Alias (':' Host_Alias)* | |
'Cmnd_Alias' Cmnd_Alias (':' Cmnd_Alias)* | 'Cmnd_Alias' Cmnd_Alias (':' Cmnd_Alias)* |
|
|
User_Alias ::= NAME '=' User_List | User_Alias ::= NAME '=' User_List |
|
|
Runas_Alias ::= NAME '=' Runas_List | Runas_Alias ::= NAME '=' Runas_List |
|
|
Host_Alias ::= NAME '=' Host_List | Host_Alias ::= NAME '=' Host_List |
|
|
Cmnd_Alias ::= NAME '=' Cmnd_List | Cmnd_Alias ::= NAME '=' Cmnd_List |
|
|
NAME ::= [A-Z]([A-Z][0-9]_)* | NAME ::= [A-Z]([A-Z][0-9]_)* |
|
|
Each _a_l_i_a_s definition is of the form | Each _a_l_i_a_s definition is of the form |
|
|
Alias_Type NAME = item1, item2, ... | Alias_Type NAME = item1, item2, ... |
|
|
where _A_l_i_a_s___T_y_p_e is one of User_Alias, Runas_Alias, Host_Alias, or | where _A_l_i_a_s___T_y_p_e is one of User_Alias, Runas_Alias, Host_Alias, or |
Cmnd_Alias. A NAME is a string of uppercase letters, numbers, and | Cmnd_Alias. A NAME is a string of uppercase letters, numbers, and |
underscore characters ('_'). A NAME mmuusstt start with an uppercase | underscore characters (`_'). A NAME mmuusstt start with an uppercase letter. |
letter. It is possible to put several alias definitions of the same | It is possible to put several alias definitions of the same type on a |
type on a single line, joined by a colon (':'). E.g., | single line, joined by a colon (`:'). E.g., |
|
|
Alias_Type NAME = item1, item2, item3 : NAME = item4, item5 | Alias_Type NAME = item1, item2, item3 : NAME = item4, item5 |
|
|
The definitions of what constitutes a valid _a_l_i_a_s member follow. | The definitions of what constitutes a valid _a_l_i_a_s member follow. |
|
|
User_List ::= User | | User_List ::= User | |
User ',' User_List | User ',' User_List |
|
|
User ::= '!'* user name | | User ::= '!'* user name | |
'!'* #uid | | '!'* #uid | |
'!'* %group | | '!'* %group | |
'!'* %#gid | | '!'* %#gid | |
'!'* +netgroup | | '!'* +netgroup | |
'!'* %:nonunix_group | | '!'* %:nonunix_group | |
'!'* %:#nonunix_gid | | '!'* %:#nonunix_gid | |
'!'* User_Alias | '!'* User_Alias |
|
|
A User_List is made up of one or more user names, user ids (prefixed | A User_List is made up of one or more user names, user IDs (prefixed with |
with '#'), system group names and ids (prefixed with '%' and '%#' | `#'), system group names and IDs (prefixed with `%' and `%#' |
respectively), netgroups (prefixed with '+'), non-Unix group names and | respectively), netgroups (prefixed with `+'), non-Unix group names and |
IDs (prefixed with '%:' and '%:#' respectively) and User_Aliases. Each | IDs (prefixed with `%:' and `%:#' respectively) and User_Aliases. Each |
list item may be prefixed with zero or more '!' operators. An odd | list item may be prefixed with zero or more `!' operators. An odd number |
number of '!' operators negate the value of the item; an even number | of `!' operators negate the value of the item; an even number just cancel |
just cancel each other out. | each other out. |
|
|
A user name, uid, group, gid, netgroup, nonunix_group or nonunix_gid | A user name, uid, group, gid, netgroup, nonunix_group or nonunix_gid may |
may be enclosed in double quotes to avoid the need for escaping special | be enclosed in double quotes to avoid the need for escaping special |
characters. Alternately, special characters may be specified in | characters. Alternately, special characters may be specified in escaped |
escaped hex mode, e.g. \x20 for space. When using double quotes, any | hex mode, e.g. \x20 for space. When using double quotes, any prefix |
prefix characters must be included inside the quotes. | characters must be included inside the quotes. |
|
|
The actual nonunix_group and nonunix_gid syntax depends on the | The actual nonunix_group and nonunix_gid syntax depends on the underlying |
underlying group provider plugin (see the _g_r_o_u_p___p_l_u_g_i_n description | group provider plugin. For instance, the QAS AD plugin supports the |
below). For instance, the QAS AD plugin supports the following | following formats: |
formats: | |
|
|
+o Group in the same domain: "Group Name" | oo Group in the same domain: "%:Group Name" |
|
|
+o Group in any domain: "Group Name@FULLY.QUALIFIED.DOMAIN" | oo Group in any domain: "%:Group Name@FULLY.QUALIFIED.DOMAIN" |
|
|
+o Group SID: "S-1-2-34-5678901234-5678901234-5678901234-567" | oo Group SID: "%:S-1-2-34-5678901234-5678901234-5678901234-567" |
|
|
Note that quotes around group names are optional. Unquoted strings | See _G_R_O_U_P _P_R_O_V_I_D_E_R _P_L_U_G_I_N_S for more information. |
must use a backslash (\) to escape spaces and special characters. See | |
"Other special characters and reserved words" for a list of characters | |
that need to be escaped. | |
|
|
Runas_List ::= Runas_Member | | Note that quotes around group names are optional. Unquoted strings must |
Runas_Member ',' Runas_List | use a backslash (`\') to escape spaces and special characters. See _O_t_h_e_r |
| _s_p_e_c_i_a_l _c_h_a_r_a_c_t_e_r_s _a_n_d _r_e_s_e_r_v_e_d _w_o_r_d_s for a list of characters that need |
| to be escaped. |
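A small parser for the User_List grammar above, added here as an illustration; it is not sudo's parser. It implements the `!' parity rule (an odd number negates, an even number cancels out), the `#', `%', `%#', `+', `%:' and `%:#' prefixes, double-quoted items with the prefix inside the quotes, and backslash and \xHH escapes. One assumption is made: a token that is a valid NAME (uppercase letters, digits and underscores, starting with a letter) is classified as an alias reference; sudoers itself only does so when such an alias has been defined. The sample list is constructed.

```python
import re
from dataclasses import dataclass

NAME_RE = re.compile(r"[A-Z][A-Z0-9_]*\Z")   # NAME ::= [A-Z]([A-Z][0-9]_)*


@dataclass(frozen=True)
class UserItem:
    kind: str      # user, uid, group, gid, netgroup, nonunix_group, nonunix_gid, alias
    value: str
    negated: bool


def _split_list(text):
    """Split a User_List on commas, ignoring commas inside double quotes or after a backslash."""
    items, cur, quoted, i = [], [], False, 0
    while i < len(text):
        c = text[i]
        if c == "\\" and i + 1 < len(text):      # keep escape pairs intact for _unescape()
            cur.append(c + text[i + 1])
            i += 2
            continue
        if c == '"':
            quoted = not quoted
        elif c == "," and not quoted:
            items.append("".join(cur).strip())
            cur = []
            i += 1
            continue
        cur.append(c)
        i += 1
    items.append("".join(cur).strip())
    return [it for it in items if it]


def _unescape(s):
    """Decode \\xHH hex escapes (e.g. \\x20 for space), then plain backslash escapes."""
    s = re.sub(r"\\x([0-9A-Fa-f]{2})", lambda m: chr(int(m.group(1), 16)), s)
    return re.sub(r"\\(.)", r"\1", s)


def _strip_negations(s):
    n = 0
    while s.startswith("!"):
        n += 1
        s = s[1:].lstrip()
    return n, s


def parse_user(item):
    """Classify one User item according to its prefix."""
    n1, item = _strip_negations(item)
    if len(item) >= 2 and item[0] == '"' and item[-1] == '"':
        item = item[1:-1]                        # prefix characters live inside the quotes
    n2, item = _strip_negations(item)
    negated = (n1 + n2) % 2 == 1                 # odd count negates, even cancels out
    if item.startswith("%:#"):
        return UserItem("nonunix_gid", _unescape(item[3:]), negated)
    if item.startswith("%:"):
        return UserItem("nonunix_group", _unescape(item[2:]), negated)
    if item.startswith("%#"):
        return UserItem("gid", item[2:], negated)
    if item.startswith("%"):
        return UserItem("group", _unescape(item[1:]), negated)
    if item.startswith("#"):
        return UserItem("uid", item[1:], negated)
    if item.startswith("+"):
        return UserItem("netgroup", _unescape(item[1:]), negated)
    if NAME_RE.match(item):
        return UserItem("alias", item, negated)  # assumption: treated as an alias reference
    return UserItem("user", _unescape(item), negated)


def parse_user_list(text):
    return [parse_user(it) for it in _split_list(text)]


if __name__ == "__main__":
    # Constructed sample User_List covering each item form.
    for it in parse_user_list('alice, !#0, %wheel, !!%#10, +admins, "%:Domain Admins", %:Domain\\x20Users, ADMINS'):
        print(it)
```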
|
|
Runas_Member ::= '!'* user name | | Runas_List ::= Runas_Member | |
'!'* #uid | | Runas_Member ',' Runas_List |
'!'* %group | | |
'!'* %#gid | | |
'!'* %:nonunix_group | | |
'!'* %:#nonunix_gid | | |
'!'* +netgroup | | |
'!'* Runas_Alias | |
|
|
A Runas_List is similar to a User_List except that instead of | Runas_Member ::= '!'* user name | |
User_Aliases it can contain Runas_Aliases. Note that user names and | '!'* #uid | |
groups are matched as strings. In other words, two users (groups) with | '!'* %group | |
the same uid (gid) are considered to be distinct. If you wish to match | '!'* %#gid | |
all user names with the same uid (e.g. root and toor), you can use a | '!'* %:nonunix_group | |
uid instead (#0 in the example given). | '!'* %:#nonunix_gid | |
| '!'* +netgroup | |
| '!'* Runas_Alias |
|
|
Host_List ::= Host | | A Runas_List is similar to a User_List except that instead of |
Host ',' Host_List | User_Aliases it can contain Runas_Aliases. Note that user names and |
| groups are matched as strings. In other words, two users (groups) with |
| the same uid (gid) are considered to be distinct. If you wish to match |
| all user names with the same uid (e.g. root and toor), you can use a uid |
| instead (#0 in the example given). |
|
|
Host ::= '!'* host name | | Host_List ::= Host | |
'!'* ip_addr | | Host ',' Host_List |
'!'* network(/netmask)? | | |
'!'* +netgroup | | |
'!'* Host_Alias | |
|
|
A Host_List is made up of one or more host names, IP addresses, network | Host ::= '!'* host name | |
numbers, netgroups (prefixed with '+') and other aliases. Again, the | '!'* ip_addr | |
value of an item may be negated with the '!' operator. If you do not | '!'* network(/netmask)? | |
specify a netmask along with the network number, ssuuddoo will query each | '!'* +netgroup | |
of the local host's network interfaces and, if the network number | '!'* Host_Alias |
corresponds to one of the hosts's network interfaces, the corresponding | |
netmask will be used. The netmask may be specified either in standard | |
IP address notation (e.g. 255.255.255.0 or ffff:ffff:ffff:ffff::), or | |
CIDR notation (number of bits, e.g. 24 or 64). A host name may include | |
shell-style wildcards (see the Wildcards section below), but unless the | |
host name command on your machine returns the fully qualified host | |
name, you'll need to use the _f_q_d_n option for wildcards to be useful. | |
Note ssuuddoo only inspects actual network interfaces; this means that IP | |
address 127.0.0.1 (localhost) will never match. Also, the host name | |
"localhost" will only match if that is the actual host name, which is | |
usually only the case for non-networked systems. | |
|
|
Cmnd_List ::= Cmnd | | A Host_List is made up of one or more host names, IP addresses, network |
Cmnd ',' Cmnd_List | numbers, netgroups (prefixed with `+') and other aliases. Again, the |
| value of an item may be negated with the `!' operator. If you do not |
| specify a netmask along with the network number, ssuuddoo will query each of |
| the local host's network interfaces and, if the network number |
| corresponds to one of the hosts's network interfaces, the corresponding |
| netmask will be used. The netmask may be specified either in standard IP |
| address notation (e.g. 255.255.255.0 or ffff:ffff:ffff:ffff::), or CIDR |
| notation (number of bits, e.g. 24 or 64). A host name may include shell- |
| style wildcards (see the _W_i_l_d_c_a_r_d_s section below), but unless the host |
| name command on your machine returns the fully qualified host name, |
| you'll need to use the _f_q_d_n option for wildcards to be useful. Note that |
| ssuuddoo only inspects actual network interfaces; this means that IP address |
| 127.0.0.1 (localhost) will never match. Also, the host name |
| ``localhost'' will only match if that is the actual host name, which is |
| usually only the case for non-networked systems. |
|
|
commandname ::= file name | | digest ::= [A-Fa-f0-9]+ | |
file name args | [A-Za-z0-9+/=]+
file name '""' | |
|
|
Cmnd ::= '!'* commandname | | Digest_Spec ::= "sha224" ':' digest | |
'!'* directory | | "sha256" ':' digest | |
'!'* "sudoedit" | | "sha384" ':' digest | |
'!'* Cmnd_Alias | "sha512" ':' digest |
|
|
A Cmnd_List is a list of one or more commandnames, directories, and | Cmnd_List ::= Cmnd | |
other aliases. A commandname is a fully qualified file name which may | Cmnd ',' Cmnd_List |
include shell-style wildcards (see the Wildcards section below). A | |
simple file name allows the user to run the command with any arguments | |
he/she wishes. However, you may also specify command line arguments | |
(including wildcards). Alternately, you can specify "" to indicate | |
that the command may only be run wwiitthhoouutt command line arguments. A | |
directory is a fully qualified path name ending in a '/'. When you | |
specify a directory in a Cmnd_List, the user will be able to run any | |
file within that directory (but not in any subdirectories therein). | |
|
|
If a Cmnd has associated command line arguments, then the arguments in | command name ::= file name | |
the Cmnd must match exactly those given by the user on the command line | file name args | |
(or match the wildcards if there are any). Note that the following | file name '""' |
characters must be escaped with a '\' if they are used in command | |
arguments: ',', ':', '=', '\'. The special command "sudoedit" is used | |
to permit a user to run ssuuddoo with the --ee option (or as ssuuddooeeddiitt). It | |
may take command line arguments just as a normal command does. | |
|
|
Cmnd ::= Digest_Spec? '!'* command name |
         '!'* directory |
         '!'* "sudoedit" |
         '!'* Cmnd_Alias

A Cmnd_List is a list of one or more command names, directories, and
other aliases. A command name is a fully qualified file name which may
include shell-style wildcards (see the Wildcards section below). A
simple file name allows the user to run the command with any arguments
he/she wishes. However, you may also specify command line arguments
(including wildcards). Alternately, you can specify "" to indicate that
the command may only be run without command line arguments. A directory
is a fully qualified path name ending in a `/'. When you specify a
directory in a Cmnd_List, the user will be able to run any file within
that directory (but not in any sub-directories therein).

If a Cmnd has associated command line arguments, then the arguments in
the Cmnd must match exactly those given by the user on the command line
(or match the wildcards if there are any). Note that the following
characters must be escaped with a `\' if they are used in command
arguments: `,', `:', `=', `\'. The built-in command ``sudoedit'' is used
to permit a user to run sudo with the -e option (or as sudoedit). It may
take command line arguments just as a normal command does. Note that
``sudoedit'' is a command built into sudo itself and must be specified in
sudoers without a leading path.

If a command name is prefixed with a Digest_Spec, the command will only
match successfully if it can be verified using the specified SHA-2
digest. This may be useful in situations where the user invoking sudo
has write access to the command or its parent directory. The following
digest formats are supported: sha224, sha256, sha384 and sha512. The
string may be specified in either hex or base64 format (base64 is more
compact). There are several utilities capable of generating SHA-2
digests in hex format such as openssl, shasum, sha224sum, sha256sum,
sha384sum, sha512sum.

For example, using openssl:

    $ openssl dgst -sha224 /bin/ls
    SHA224(/bin/ls)= 118187da8364d490b4a7debbf483004e8f3e053ec954309de2c41a25

It is also possible to use openssl to generate base64 output:

    $ openssl dgst -binary -sha224 /bin/ls | openssl base64
    EYGH2oNk1JC0p9679IMATo8+BT7JVDCd4sQaJQ==

Command digests are only supported by version 1.8.7 or higher.
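The Digest_Spec check above, as an added Python example that is not sudo's code: it parses a `shaNNN:digest' spec in either hex or base64 form, recomputes the digest over the command's contents and compares in constant time, and can also emit a spec for a given file, which is handy when generating entries. The command contents used below are a constructed byte string standing in for a real binary.

```python
import base64
import hashlib
import hmac
import re

# Digest_Spec ::= "sha224" ':' digest | "sha256" ':' digest | "sha384" ':' digest | "sha512" ':' digest
DIGEST_SPEC = re.compile(r"^(sha224|sha256|sha384|sha512):([A-Za-z0-9+/=]+)$")

# Constructed stand-in for the bytes of a command that sudoers would hash.
SAMPLE_COMMAND = b"#!/bin/sh\necho ok\n"


def parse_digest_spec(spec):
    """Return (algorithm, raw digest bytes); the digest may be hex or base64."""
    m = DIGEST_SPEC.match(spec)
    if not m:
        raise ValueError("malformed Digest_Spec: " + spec)
    algo, text = m.groups()
    size = hashlib.new(algo).digest_size
    # Hex is exactly 2*size hex characters; anything else is taken as base64.
    if len(text) == 2 * size and re.fullmatch(r"[0-9A-Fa-f]+", text):
        raw = bytes.fromhex(text)
    else:
        raw = base64.b64decode(text, validate=True)
    if len(raw) != size:
        raise ValueError(f"{algo} digest must be {size} bytes, got {len(raw)}")
    return algo, raw


def command_matches_digest(spec, contents):
    """True when the command contents verify against the Digest_Spec."""
    algo, expected = parse_digest_spec(spec)
    actual = hashlib.new(algo, contents).digest()
    return hmac.compare_digest(actual, expected)   # constant-time comparison


def digest_spec_for(algo, contents, encoding="base64"):
    """Build a Digest_Spec for contents; base64 is the more compact form."""
    raw = hashlib.new(algo, contents).digest()
    text = raw.hex() if encoding == "hex" else base64.b64encode(raw).decode("ascii")
    return f"{algo}:{text}"


if __name__ == "__main__":
    spec = digest_spec_for("sha256", SAMPLE_COMMAND)
    print(spec)
    print(command_matches_digest(spec, SAMPLE_COMMAND))
    print(command_matches_digest(spec, SAMPLE_COMMAND + b"# tampered\n"))
```

Because sudoers hashes the file it is about to execute, a spec entry such as `sha256:... /usr/local/bin/deploy' keeps working only until the binary is legitimately updated, so digests belong in a change process that regenerates them on every upgrade.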
|
|
Defaults
Certain configuration options may be changed from their default values | Certain configuration options may be changed from their default values at |
at runtime via one or more Default_Entry lines. These may affect all | run-time via one or more Default_Entry lines. These may affect all users |
users on any host, all users on a specific host, a specific user, a | on any host, all users on a specific host, a specific user, a specific |
specific command, or commands being run as a specific user. Note that | command, or commands being run as a specific user. Note that per-command |
per-command entries may not include command line arguments. If you | entries may not include command line arguments. If you need to specify |
need to specify arguments, define a Cmnd_Alias and reference that | arguments, define a Cmnd_Alias and reference that instead. |
instead. | |
|
|
Default_Type ::= 'Defaults' | | Default_Type ::= 'Defaults' | |
'Defaults' '@' Host_List | | 'Defaults' '@' Host_List | |
'Defaults' ':' User_List | | 'Defaults' ':' User_List | |
'Defaults' '!' Cmnd_List | | 'Defaults' '!' Cmnd_List | |
'Defaults' '>' Runas_List | 'Defaults' '>' Runas_List |
|
|
Default_Entry ::= Default_Type Parameter_List | Default_Entry ::= Default_Type Parameter_List |
|
|
Parameter_List ::= Parameter | | Parameter_List ::= Parameter | |
Parameter ',' Parameter_List | Parameter ',' Parameter_List |
|
|
Parameter ::= Parameter '=' Value | | Parameter ::= Parameter '=' Value | |
Parameter '+=' Value | | Parameter '+=' Value | |
Parameter '-=' Value | | Parameter '-=' Value | |
'!'* Parameter | '!'* Parameter |
|
|
Parameters may be ffllaaggss, iinntteeggeerr values, ssttrriinnggss, or lliissttss. Flags are | Parameters may be ffllaaggss, iinntteeggeerr values, ssttrriinnggss, or lliissttss. Flags are |
implicitly boolean and can be turned off via the '!' operator. Some | implicitly boolean and can be turned off via the `!' operator. Some |
integer, string and list parameters may also be used in a boolean | integer, string and list parameters may also be used in a boolean context |
context to disable them. Values may be enclosed in double quotes (") | to disable them. Values may be enclosed in double quotes ("") when they |
when they contain multiple words. Special characters may be escaped | contain multiple words. Special characters may be escaped with a |
with a backslash (\). | backslash (`\'). |
|
|
Lists have two additional assignment operators, += and -=. These | Lists have two additional assignment operators, += and -=. These |
operators are used to add to and delete from a list respectively. It | operators are used to add to and delete from a list respectively. It is |
is not an error to use the -= operator to remove an element that does | not an error to use the -= operator to remove an element that does not |
not exist in a list. | exist in a list. |
|
|
Defaults entries are parsed in the following order: generic, host and | Defaults entries are parsed in the following order: generic, host and |
user Defaults first, then runas Defaults and finally command defaults. | user Defaults first, then runas Defaults and finally command defaults. |
|
|
See "SUDOERS OPTIONS" for a list of supported Defaults parameters. | See _S_U_D_O_E_R_S _O_P_T_I_O_N_S for a list of supported Defaults parameters. |
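The Defaults grammar and the evaluation order described above, as an added Python model written for this page (not the sudoers parser itself). It parses Default_Entry lines, applies the flag, list, `+=`, `-=` and `!` semantics, and evaluates entries in the order the manual gives: generic, host and user Defaults in file order, then runas Defaults, then command Defaults. The option names are real sudoers options but the kind table is a constructed subset; host and user names in the sample are made up, and the model requires the scope character to follow `Defaults` directly.

```python
import re

# Constructed subset of SUDOERS OPTIONS, enough for the demonstration.
FLAGS = {"authenticate", "always_set_home", "compress_io", "noexec"}
LISTS = {"env_keep", "env_check", "env_delete"}

SCOPE = {"@": "host", ":": "user", "!": "command", ">": "runas"}
# Parameter ::= Parameter '=' Value | Parameter '+=' Value | Parameter '-=' Value | '!'* Parameter
PARAM_RE = re.compile(r'\s*(!*)([A-Za-z_]+)\s*(?:(\+=|-=|=)\s*("([^"]*)"|\S+))?\s*$')


def split_params(text):
    """Split a Parameter_List on commas that are not inside double quotes."""
    out, cur, quoted = [], "", False
    for ch in text:
        if ch == '"':
            quoted = not quoted
        if ch == "," and not quoted:
            out.append(cur)
            cur = ""
        else:
            cur += ch
    out.append(cur)
    return [p for p in out if p.strip()]


def parse_defaults(line):
    """Parse one Default_Entry into (scope, scope_list, [(bangs, name, op, value)])."""
    m = re.match(r'Defaults([@:!>])?\s*', line)
    if not m:
        raise ValueError("not a Defaults line: %r" % line)
    scope, rest = SCOPE.get(m.group(1), "generic"), line[m.end():]
    scope_list = []
    if scope != "generic":                 # Host_List / User_List / Cmnd_List / Runas_List
        head, _, rest = rest.partition(" ")
        scope_list = [s.strip() for s in head.split(",")]
    params = []
    for piece in split_params(rest):
        pm = PARAM_RE.match(piece)
        if not pm:
            raise ValueError("bad parameter: %r" % piece)
        bangs, name, op, raw, inner = pm.groups()
        params.append((len(bangs), name, op, raw if inner is None else inner))
    return scope, scope_list, params


def apply_defaults(state, params):
    """Apply parsed parameters to `state` with the semantics from the manual."""
    for bangs, name, op, value in params:
        negated = bangs % 2 == 1           # '!'* : each '!' flips the sense
        if name in FLAGS:
            if op is not None:
                raise ValueError("%s is a flag and takes no value" % name)
            state[name] = not negated
        elif name in LISTS:
            current = list(state.get(name) or [])
            if op is None:                 # boolean context: '!env_keep' disables the list
                if not negated:
                    raise ValueError("%s needs a value" % name)
                state[name] = []
            elif op == "=":
                state[name] = value.split()
            elif op == "+=":
                state[name] = current + [v for v in value.split() if v not in current]
            else:                          # '-=' : removing a missing element is not an error
                state[name] = [v for v in current if v not in value.split()]
        else:
            raise ValueError("unknown option %s" % name)
    return state


# Order from the manual: generic, host and user first; then runas; then command.
PHASES = (("generic", "host", "user"), ("runas",), ("command",))


def resolve(lines, host, user, runas="root", command=None):
    """Evaluate the Defaults lines that apply to one invocation."""
    entries = [parse_defaults(l.strip()) for l in lines if l.strip().startswith("Defaults")]
    key = {"host": host, "user": user, "runas": runas, "command": command}
    state = {"authenticate": True, "always_set_home": False, "compress_io": True,
             "noexec": False, "env_keep": [], "env_check": [], "env_delete": []}
    for phase in PHASES:
        for scope, scope_list, params in entries:
            if scope in phase and (scope == "generic" or "ALL" in scope_list
                                   or key[scope] in scope_list):
                apply_defaults(state, params)
    return state


# Constructed sudoers fragment; host and user names are hypothetical.
SAMPLE = [
    'Defaults env_keep = "LANG LC_ALL", env_check += "TZ"',
    'Defaults@buildhost env_keep += "http_proxy"',
    'Defaults:millert !authenticate',
    'Defaults>root env_keep -= "LANG"',
    'Defaults!/usr/bin/less noexec',
    'Defaults env_keep -= "DOES_NOT_EXIST"',
]
```

Note that the `Defaults>root` line removes LANG after the generic assignment even though it is not the last line in the file: runas Defaults are evaluated in a later phase, so file position alone does not tell you the final value.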
|
|
UUsseerr SSppeecciiffiiccaattiioonn | UUsseerr ssppeecciiffiiccaattiioonn |
User_Spec ::= User_List Host_List '=' Cmnd_Spec_List \ | User_Spec ::= User_List Host_List '=' Cmnd_Spec_List \ |
(':' Host_List '=' Cmnd_Spec_List)* | (':' Host_List '=' Cmnd_Spec_List)* |
|
|
Cmnd_Spec_List ::= Cmnd_Spec | | Cmnd_Spec_List ::= Cmnd_Spec | |
Cmnd_Spec ',' Cmnd_Spec_List | Cmnd_Spec ',' Cmnd_Spec_List |
|
|
Cmnd_Spec ::= Runas_Spec? SELinux_Spec? Tag_Spec* Cmnd | Cmnd_Spec ::= Runas_Spec? SELinux_Spec? Solaris_Priv_Spec? Tag_Spec* Cmnd |
|
|
Runas_Spec ::= '(' Runas_List? (':' Runas_List)? ')' | Runas_Spec ::= '(' Runas_List? (':' Runas_List)? ')' |
|
|
SELinux_Spec ::= ('ROLE=role' | 'TYPE=type') | SELinux_Spec ::= ('ROLE=role' | 'TYPE=type') |
|
|
Tag_Spec ::= ('NOPASSWD:' | 'PASSWD:' | 'NOEXEC:' | 'EXEC:' | | Solaris_Priv_Spec ::= ('PRIVS=privset' | 'LIMITPRIVS=privset') |
'SETENV:' | 'NOSETENV:' | 'LOG_INPUT:' | 'NOLOG_INPUT:' | | |
'LOG_OUTPUT:' | 'NOLOG_OUTPUT:') | |
|
|
A uusseerr ssppeecciiffiiccaattiioonn determines which commands a user may run (and as | Tag_Spec ::= ('NOPASSWD:' | 'PASSWD:' | 'NOEXEC:' | 'EXEC:' | |
what user) on specified hosts. By default, commands are run as rroooott, | 'SETENV:' | 'NOSETENV:' | 'LOG_INPUT:' | 'NOLOG_INPUT:' | |
but this can be changed on a per-command basis. | 'LOG_OUTPUT:' | 'NOLOG_OUTPUT:') |
|
|
The basic structure of a user specification is `who where = (as_whom) | The basic structure of a user specification is ``who where = (as_whom) |
what'. Let's break that down into its constituent parts: | what''. Let's break that down into its constituent parts: |

|
RRuunnaass__SSppeecc
A Runas_Spec determines the user and/or the group that a command may be | A Runas_Spec determines the user and/or the group that a command may be |
run as. A fully-specified Runas_Spec consists of two Runas_Lists (as | run as. A fully-specified Runas_Spec consists of two Runas_Lists (as |
defined above) separated by a colon (':') and enclosed in a set of | defined above) separated by a colon (`:') and enclosed in a set of |
parentheses. The first Runas_List indicates which users the command | parentheses. The first Runas_List indicates which users the command may |
may be run as via ssuuddoo's --uu option. The second defines a list of | be run as via ssuuddoo's --uu option. The second defines a list of groups that |
groups that can be specified via ssuuddoo's --gg option. If both Runas_Lists | can be specified via ssuuddoo's --gg option. If both Runas_Lists are |
are specified, the command may be run with any combination of users and | specified, the command may be run with any combination of users and |
groups listed in their respective Runas_Lists. If only the first is | groups listed in their respective Runas_Lists. If only the first is |
specified, the command may be run as any user in the list but no --gg | specified, the command may be run as any user in the list but no --gg |
option may be specified. If the first Runas_List is empty but the | option may be specified. If the first Runas_List is empty but the second |
second is specified, the command may be run as the invoking user with | is specified, the command may be run as the invoking user with the group |
the group set to any listed in the Runas_List. If no Runas_Spec is | set to any listed in the Runas_List. If both Runas_Lists are empty, the |
specified the command may be run as rroooott and no group may be specified. | command may only be run as the invoking user. If no Runas_Spec is |
| specified the command may be run as rroooott and no group may be specified. |
|
|
A Runas_Spec sets the default for the commands that follow it. What | A Runas_Spec sets the default for the commands that follow it. What this |
this means is that for the entry: | means is that for the entry: |
|
|
dgb boulder = (operator) /bin/ls, /bin/kill, /usr/bin/lprm | dgb boulder = (operator) /bin/ls, /bin/kill, /usr/bin/lprm |
|
|
The user ddggbb may run _/_b_i_n_/_l_s, _/_b_i_n_/_k_i_l_l, and _/_u_s_r_/_b_i_n_/_l_p_r_m -- but only | The user ddggbb may run _/_b_i_n_/_l_s, _/_b_i_n_/_k_i_l_l, and _/_u_s_r_/_b_i_n_/_l_p_r_m--but only as |
as ooppeerraattoorr. E.g., | ooppeerraattoorr. E.g., |
|
|
$ sudo -u operator /bin/ls | $ sudo -u operator /bin/ls |
|
|
It is also possible to override a Runas_Spec later on in an entry. If | It is also possible to override a Runas_Spec later on in an entry. If we |
we modify the entry like so: | modify the entry like so: |
|
|
dgb boulder = (operator) /bin/ls, (root) /bin/kill, /usr/bin/lprm | dgb boulder = (operator) /bin/ls, (root) /bin/kill, /usr/bin/lprm |
|
|
Then user ddggbb is now allowed to run _/_b_i_n_/_l_s as ooppeerraattoorr, but _/_b_i_n_/_k_i_l_l | Then user ddggbb is now allowed to run _/_b_i_n_/_l_s as ooppeerraattoorr, but _/_b_i_n_/_k_i_l_l |
and _/_u_s_r_/_b_i_n_/_l_p_r_m as rroooott. | and _/_u_s_r_/_b_i_n_/_l_p_r_m as rroooott. |
|
|
We can extend this to allow ddggbb to run /bin/ls with either the user or | We can extend this to allow ddggbb to run /bin/ls with either the user or |
group set to ooppeerraattoorr: | group set to ooppeerraattoorr: |
|
|
dgb boulder = (operator : operator) /bin/ls, (root) /bin/kill, \ | |
/usr/bin/lprm | /usr/bin/lprm |
|
|
Note that while the group portion of the Runas_Spec permits the user to | Note that while the group portion of the Runas_Spec permits the user to |
run a command with that group, it does not force the user to do so. | run a command with that group, it does not force the user to do so. If |
If no group is specified on the command line, the command will run with | no group is specified on the command line, the command will run with the |
the group listed in the target user's password database entry. The | group listed in the target user's password database entry. The following |
following would all be permitted by the sudoers entry above: | would all be permitted by the sudoers entry above: |
|
|
$ sudo -u operator /bin/ls | $ sudo -u operator /bin/ls |
$ sudo -u operator -g operator /bin/ls | $ sudo -u operator -g operator /bin/ls |
$ sudo -g operator /bin/ls | $ sudo -g operator /bin/ls |
|
|
In the following example, user ttccmm may run commands that access a modem | In the following example, user ttccmm may run commands that access a modem |
device file with the dialer group. | device file with the dialer group. |
|
|
tcm boulder = (:dialer) /usr/bin/tip, /usr/bin/cu, \ | |
/usr/local/bin/minicom | /usr/local/bin/minicom |
|
|
Note that in this example only the group will be set, the command still | Note that in this example only the group will be set, the command still |
runs as user ttccmm. E.g. | runs as user ttccmm. E.g. |
|
|
$ sudo -g dialer /usr/bin/cu | $ sudo -g dialer /usr/bin/cu |
|
|
Multiple users and groups may be present in a Runas_Spec, in which case | Multiple users and groups may be present in a Runas_Spec, in which case |
the user may select any combination of users and groups via the --uu and | the user may select any combination of users and groups via the --uu and --gg |
--gg options. In this example: | options. In this example: |
|
|
alan ALL = (root, bin : operator, system) ALL | alan ALL = (root, bin : operator, system) ALL |
|
|
user aallaann may run any command as either user root or bin, optionally | user aallaann may run any command as either user root or bin, optionally |
setting the group to operator or system. | setting the group to operator or system. |
|
|
SSEELLiinnuuxx__SSppeecc
On systems with SELinux support, _s_u_d_o_e_r_s entries may optionally have an | On systems with SELinux support, _s_u_d_o_e_r_s entries may optionally have an |
SELinux role and/or type associated with a command. If a role or type | SELinux role and/or type associated with a command. If a role or type is |
is specified with the command it will override any default values | specified with the command it will override any default values specified |
specified in _s_u_d_o_e_r_s. A role or type specified on the command line, | in _s_u_d_o_e_r_s. A role or type specified on the command line, however, will |
however, will supersede the values in _s_u_d_o_e_r_s. | supersede the values in _s_u_d_o_e_r_s. |
|
|
|
SSoollaarriiss__PPrriivv__SSppeecc |
On Solaris systems, _s_u_d_o_e_r_s entries may optionally specify a Solaris |
privilege set and/or limit privilege set associated with a command. If |
privileges or limit privileges are specified with the command they will |
override any default values specified in _s_u_d_o_e_r_s. |

A privilege set is a comma-separated list of privilege names. The |
ppriv(1) command can be used to list all privileges known to the system. |
For example: |

$ ppriv -l |

In addition, there are several ``special'' privilege strings: |

none the empty set |

all the set of all privileges |

zone the set of all privileges available in the current zone |

basic the default set of privileges normal users are granted at login |
time |

Privileges can be excluded from a set by prefixing the privilege name |
with either an `!' or `-' character. |
|
|
TTaagg__SSppeecc
A command may have zero or more tags associated with it. There are | A command may have zero or more tags associated with it. There are ten |
ten possible tag values: NOPASSWD, PASSWD, NOEXEC, EXEC, SETENV, | possible tag values: NOPASSWD, PASSWD, NOEXEC, EXEC, SETENV, NOSETENV, |
NOSETENV, LOG_INPUT, NOLOG_INPUT, LOG_OUTPUT and NOLOG_OUTPUT. Once a | LOG_INPUT, NOLOG_INPUT, LOG_OUTPUT and NOLOG_OUTPUT. Once a tag is set |
tag is set on a Cmnd, subsequent Cmnds in the Cmnd_Spec_List inherit | on a Cmnd, subsequent Cmnds in the Cmnd_Spec_List inherit the tag unless |
the tag unless it is overridden by the opposite tag (i.e.: PASSWD | it is overridden by the opposite tag (in other words, PASSWD overrides |
overrides NOPASSWD and NOEXEC overrides EXEC). | NOPASSWD and NOEXEC overrides EXEC). |
|
|
_N_O_P_A_S_S_W_D _a_n_d _P_A_S_S_W_D | _N_O_P_A_S_S_W_D and _P_A_S_S_W_D |

By default, ssuuddoo requires that a user authenticate him or herself
before running a command. This behavior can be modified via the
NOPASSWD tag. Like a Runas_Spec, the NOPASSWD tag sets a default for
the commands that follow it in the Cmnd_Spec_List. Conversely, the
PASSWD tag can be used to reverse things. For example:

ray rushmore = NOPASSWD: /bin/kill, /bin/ls, /usr/bin/lprm | ray rushmore = NOPASSWD: /bin/kill, /bin/ls, /usr/bin/lprm |

would allow the user rraayy to run _/_b_i_n_/_k_i_l_l, _/_b_i_n_/_l_s, and _/_u_s_r_/_b_i_n_/_l_p_r_m
as rroooott on the machine rushmore without authenticating himself. If we
only want rraayy to be able to run _/_b_i_n_/_k_i_l_l without a password the entry
would be:

ray rushmore = NOPASSWD: /bin/kill, PASSWD: /bin/ls, /usr/bin/lprm | ray rushmore = NOPASSWD: /bin/kill, PASSWD: /bin/ls, /usr/bin/lprm |

Note, however, that the PASSWD tag has no effect on users who are in
the group specified by the _e_x_e_m_p_t___g_r_o_u_p option.

By default, if the NOPASSWD tag is applied to any of the entries for a
user on the current host, he or she will be able to run sudo -l without | user on the current host, he or she will be able to run ``sudo -l'' |
a password. Additionally, a user may only run sudo -v without a | without a password. Additionally, a user may only run ``sudo -v'' |
password if the NOPASSWD tag is present for all a user's entries that | without a password if the NOPASSWD tag is present for all a user's |
pertain to the current host. This behavior may be overridden via the | entries that pertain to the current host. This behavior may be |
verifypw and listpw options. | overridden via the _v_e_r_i_f_y_p_w and _l_i_s_t_p_w options. |
|
|
_N_O_E_X_E_C _a_n_d _E_X_E_C | _N_O_E_X_E_C and _E_X_E_C |

If ssuuddoo has been compiled with _n_o_e_x_e_c support and the underlying
operating system supports it, the NOEXEC tag can be used to prevent a
dynamically-linked executable from running further commands itself.

In the following example, user aaaarroonn may run _/_u_s_r_/_b_i_n_/_m_o_r_e and
_/_u_s_r_/_b_i_n_/_v_i but shell escapes will be disabled.
|
|
aaron shanty = NOEXEC: /usr/bin/more, /usr/bin/vi | aaron shanty = NOEXEC: /usr/bin/more, /usr/bin/vi |
|
|
See the "PREVENTING SHELL ESCAPES" section below for more details on | See the _P_r_e_v_e_n_t_i_n_g _s_h_e_l_l _e_s_c_a_p_e_s section below for more details on how |
how NOEXEC works and whether or not it will work on your system. | NOEXEC works and whether or not it will work on your system. |
|
|
_S_E_T_E_N_V _a_n_d _N_O_S_E_T_E_N_V | _S_E_T_E_N_V and _N_O_S_E_T_E_N_V |

These tags override the value of the _s_e_t_e_n_v option on a per-command
basis. Note that if SETENV has been set for a command, the user may
disable the _e_n_v___r_e_s_e_t option from the command line via the --EE option.
Additionally, environment variables set on the command line are not
subject to the restrictions imposed by _e_n_v___c_h_e_c_k, _e_n_v___d_e_l_e_t_e, or
_e_n_v___k_e_e_p. As such, only trusted users should be allowed to set
variables in this manner. If the command matched is AALLLL, the SETENV
tag is implied for that command; this default may be overridden by use
of the NOSETENV tag.
|
|
_L_O_G___I_N_P_U_T _a_n_d _N_O_L_O_G___I_N_P_U_T | _L_O_G___I_N_P_U_T and _N_O_L_O_G___I_N_P_U_T |
|
|
These tags override the value of the _l_o_g___i_n_p_u_t option on a per-command |
basis. For more information, see the description of _l_o_g___i_n_p_u_t in the |
"SUDOERS OPTIONS" section below. | _S_U_D_O_E_R_S _O_P_T_I_O_N_S section below. |
|
|
_L_O_G___O_U_T_P_U_T _a_n_d _N_O_L_O_G___O_U_T_P_U_T | _L_O_G___O_U_T_P_U_T and _N_O_L_O_G___O_U_T_P_U_T |
|
|
These tags override the value of the _l_o_g___o_u_t_p_u_t option on a per-command |
basis. For more information, see the description of _l_o_g___o_u_t_p_u_t in the |
"SUDOERS OPTIONS" section below. | _S_U_D_O_E_R_S _O_P_T_I_O_N_S section below. |
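The two inheritance rules spelled out in the Runas_Spec and Tag_Spec sections above (a Runas_Spec sets the default for the commands that follow it; a tag stays in force until its opposite appears) are easy to get wrong when reading a long Cmnd_Spec_List. The following is an added Python model written for this page, not the sudoers parser: it expands a Cmnd_Spec_List into one record per command and answers whether a given `-u`/`-g` combination would be permitted. SELinux and Solaris specs are left out, and `INVOKING_USER` is a marker name chosen here for "runs as the invoking user".

```python
import re

INVOKING_USER = "<invoking user>"   # marker chosen for this model

TAG_PAIRS = (("NOPASSWD", "PASSWD"), ("NOEXEC", "EXEC"), ("SETENV", "NOSETENV"),
             ("LOG_INPUT", "NOLOG_INPUT"), ("LOG_OUTPUT", "NOLOG_OUTPUT"))
OPPOSITE = {a: b for a, b in TAG_PAIRS}
OPPOSITE.update({b: a for a, b in TAG_PAIRS})

# Cmnd_Spec ::= Runas_Spec? Tag_Spec* Cmnd   (SELinux/Solaris specs omitted)
RUNAS_RE = re.compile(r'^\s*(\(\s*([^:)]*?)\s*(?::\s*([^)]*?)\s*)?\))?\s*(.*)$')
TAG_RE = re.compile(r'([A-Z_]+):\s*')


def split_specs(text):
    """Split a Cmnd_Spec_List on commas outside parentheses (Runas_Lists use commas too)."""
    out, cur, depth = [], "", 0
    for ch in text:
        depth += (ch == "(") - (ch == ")")
        if ch == "," and depth == 0:
            out.append(cur)
            cur = ""
        else:
            cur += ch
    out.append(cur)
    return [s.strip() for s in out if s.strip()]


def parse_cmnd_spec_list(text):
    """One record per command, carrying the Runas_Spec and tags forward the
    way the manual says they are inherited."""
    users, groups = ["root"], []          # no Runas_Spec at all: root, and no -g allowed
    tags = set()
    records = []
    for spec in split_specs(text):
        m = RUNAS_RE.match(spec)
        if m.group(1) is not None:        # a new Runas_Spec replaces both lists
            users = [u.strip() for u in m.group(2).split(",") if u.strip()]
            groups = [g.strip() for g in (m.group(3) or "").split(",") if g.strip()]
            if not users:                 # '(:grp)' or '()' : run as the invoking user
                users = [INVOKING_USER]
        rest = m.group(4)
        while True:
            t = TAG_RE.match(rest)
            if not t or t.group(1) not in OPPOSITE:
                break
            tags.discard(OPPOSITE[t.group(1)])   # the opposite tag overrides
            tags.add(t.group(1))
            rest = rest[t.end():]
        records.append({"cmnd": rest.strip(), "runas_users": list(users),
                        "runas_groups": list(groups), "tags": sorted(tags)})
    return records


def allows(record, invoking, runas_user=None, runas_group=None):
    """Would this record permit 'sudo [-u runas_user] [-g runas_group] cmnd'?"""
    users, groups = record["runas_users"], record["runas_groups"]

    def user_ok(u):
        return "ALL" in users or u in users or (u == invoking and INVOKING_USER in users)

    def group_ok(g):
        return "ALL" in groups or g in groups

    if runas_user is None and runas_group is None:
        return user_ok("root")            # plain 'sudo cmd' targets root
    if runas_user is None:                # -g only: run as self with that group
        return group_ok(runas_group)
    if runas_group is None:               # -u only: no -g given, none required
        return user_ok(runas_user)
    return user_ok(runas_user) and group_ok(runas_group)
```

The `(:dialer)` case is the one to check against intuition: `sudo -g dialer /usr/bin/cu` is allowed, but a bare `sudo /usr/bin/cu` is not, because with no `-u` or `-g` the target user is root and root is not in that Runas_List.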
|
|
WWiillddccaarrddss
ssuuddoo allows shell-style _w_i_l_d_c_a_r_d_s (aka meta or glob characters) to be | ssuuddoo allows shell-style _w_i_l_d_c_a_r_d_s (aka meta or glob characters) to be |
used in host names, path names and command line arguments in the | used in host names, path names and command line arguments in the _s_u_d_o_e_r_s |
_s_u_d_o_e_r_s file. Wildcard matching is done via the PPOOSSIIXX _g_l_o_b(3) and | file. Wildcard matching is done via the glob(3) and fnmatch(3) functions |
_f_n_m_a_t_c_h(3) routines. Note that these are _n_o_t regular expressions. | as specified by IEEE Std 1003.1 (``POSIX.1''). Note that these are _n_o_t |
| regular expressions. |
|
|
* Matches any set of zero or more characters. | * Matches any set of zero or more characters. |
|
|
? Matches any single character. | ? Matches any single character. |
|
|
[...] Matches any character in the specified range. | [...] Matches any character in the specified range. |
|
|
[!...] Matches any character nnoott in the specified range. | [!...] Matches any character nnoott in the specified range. |
|
|
\x For any character "x", evaluates to "x". This is used to | \x For any character `x', evaluates to `x'. This is used to |
escape special characters such as: "*", "?", "[", and "]". | escape special characters such as: `*', `?', `[', and `]'. |
|
|
POSIX character classes may also be used if your system's _g_l_o_b(3) and | Character classes may also be used if your system's glob(3) and |
_f_n_m_a_t_c_h(3) functions support them. However, because the ':' character | fnmatch(3) functions support them. However, because the `:' character |
has special meaning in _s_u_d_o_e_r_s, it must be escaped. For example: | has special meaning in _s_u_d_o_e_r_s, it must be escaped. For example: |
|
|
/bin/ls [[\:alpha\:]]* | /bin/ls [[:alpha:]]* |
|
|
Would match any file name beginning with a letter. | Would match any file name beginning with a letter. |
|
|
Note that a forward slash ('/') will nnoott be matched by wildcards used | Note that a forward slash (`/') will nnoott be matched by wildcards used in |
in the path name. When matching the command line arguments, however, a | the path name. This is to make a path like: |
slash ddooeess get matched by wildcards. This is to make a path like: | |
|
|
/usr/bin/* | /usr/bin/* |
|
|
match _/_u_s_r_/_b_i_n_/_w_h_o but not _/_u_s_r_/_b_i_n_/_X_1_1_/_x_t_e_r_m. | match _/_u_s_r_/_b_i_n_/_w_h_o but not _/_u_s_r_/_b_i_n_/_X_1_1_/_x_t_e_r_m. |
|
|
|
When matching the command line arguments, however, a slash ddooeess get |
matched by wildcards since command line arguments may contain arbitrary |
strings and not just path names. |

Wildcards in command line arguments should be used with care. Because |
command line arguments are matched as a single, concatenated string, a |
wildcard such as `?' or `*' can match multiple words. For example, while |
a sudoers entry like: |

%operator ALL = /bin/cat /var/log/messages* |

will allow a command like: |

$ sudo cat /var/log/messages.1 |

It will also allow: |

$ sudo cat /var/log/messages /etc/shadow |

which is probably not what was intended. |
|
|
EExxcceeppttiioonnss ttoo wwiillddccaarrdd rruulleess
The following exceptions apply to the above rules: | The following exceptions apply to the above rules: |
|
|
"" If the empty string "" is the only command line argument in the | "" If the empty string "" is the only command line argument in the |
_s_u_d_o_e_r_s entry it means that command is not allowed to be run
with aannyy arguments.
|
|
|
sudoedit Command line arguments to the _s_u_d_o_e_d_i_t built-in command should |
always be path names, so a forward slash (`/') will not be |
matched by a wildcard. |
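The wildcard rules above (no `/` across path components, arguments matched as one concatenated string, the `""` exception and the sudoedit exception) as an added Python model written for this page. It is not the sudoers matcher; it uses Python's fnmatch in place of the system fnmatch(3)/glob(3) and emulates the path-name rule by matching one `/`-separated component at a time. The sample Cmnds are the manual's own examples plus one narrower pattern written here to show how the `/etc/shadow` problem is avoided.

```python
import fnmatch


def match_wild(pattern, text):
    """Case-sensitive fnmatch(3)-style match of one string; '*' and '?' match
    '/' freely here, as the manual says they do in command-line arguments."""
    return fnmatch.fnmatchcase(text, pattern)


def match_path(pattern, path):
    """Path matching: a wildcard never matches '/', so match component by
    component (the effect of FNM_PATHNAME in glob(3)/fnmatch(3))."""
    pparts, tparts = pattern.split("/"), path.split("/")
    return len(pparts) == len(tparts) and all(
        match_wild(p, t) for p, t in zip(pparts, tparts))


def cmnd_matches(sudoers_cmnd, user_cmnd, user_args):
    """Does a Cmnd as written in sudoers ('path [args]', or 'path ""' for
    'no arguments allowed') match what the user typed?  Arguments are
    compared as a single space-joined string, which is why a trailing '*'
    can swallow extra words."""
    parts = sudoers_cmnd.split(None, 1)
    path, args = parts[0], (parts[1].strip() if len(parts) == 2 else None)
    if not match_path(path, user_cmnd):
        return False
    if args is None:                      # no args in the entry: any arguments are fine
        return True
    joined = " ".join(user_args)
    if args == '""':                      # the "" exception: the command takes no arguments
        return joined == ""
    if path == "sudoedit":                # sudoedit arguments are path names: '/' is not wild
        return match_path(args, joined)
    return match_wild(args, joined)


def check_table():
    """The manual's examples plus a narrower pattern; returns {label: bool}."""
    loose = "/bin/cat /var/log/messages*"
    tight = "/bin/cat /var/log/messages.[0-9]"      # one rotated log, nothing after it
    return {
        "usr_bin_star_who": match_path("/usr/bin/*", "/usr/bin/who"),
        "usr_bin_star_xterm": match_path("/usr/bin/*", "/usr/bin/X11/xterm"),
        "loose_rotated_log": cmnd_matches(loose, "/bin/cat", ["/var/log/messages.1"]),
        "loose_plus_shadow": cmnd_matches(loose, "/bin/cat", ["/var/log/messages", "/etc/shadow"]),
        "tight_rotated_log": cmnd_matches(tight, "/bin/cat", ["/var/log/messages.1"]),
        "tight_plus_shadow": cmnd_matches(tight, "/bin/cat", ["/var/log/messages.1", "/etc/shadow"]),
        "no_args_rule_bare": cmnd_matches('/bin/ls ""', "/bin/ls", []),
        "no_args_rule_with_arg": cmnd_matches('/bin/ls ""', "/bin/ls", ["-l"]),
        "any_args": cmnd_matches("/bin/ls", "/bin/ls", ["-la", "/root"]),
        "sudoedit_slash": cmnd_matches("sudoedit /etc/httpd/*", "sudoedit", ["/etc/httpd/conf.d/x.conf"]),
    }
```

The `loose_plus_shadow` entry is the manual's warning reproduced: the pattern ends in `*`, the joined argument string is `/var/log/messages /etc/shadow`, and `*` happily matches the space and everything after it. The `tight` pattern only matches because the character class leaves no room for a second word; the safest rule remains to list exact arguments, or no arguments, wherever the command permits it.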
|
|
IInncclluuddiinngg ootthheerr ffiilleess ffrroomm wwiitthhiinn ssuuddooeerrss
It is possible to include other _s_u_d_o_e_r_s files from within the _s_u_d_o_e_r_s | It is possible to include other _s_u_d_o_e_r_s files from within the _s_u_d_o_e_r_s |
file currently being parsed using the #include and #includedir | file currently being parsed using the #include and #includedir |
directives. | directives. |
|
|
This can be used, for example, to keep a site-wide _s_u_d_o_e_r_s file in | This can be used, for example, to keep a site-wide _s_u_d_o_e_r_s file in |
addition to a local, per-machine file. For the sake of this example | addition to a local, per-machine file. For the sake of this example the |
the site-wide _s_u_d_o_e_r_s will be _/_e_t_c_/_s_u_d_o_e_r_s and the per-machine one will | site-wide _s_u_d_o_e_r_s will be _/_e_t_c_/_s_u_d_o_e_r_s and the per-machine one will be |
be _/_e_t_c_/_s_u_d_o_e_r_s_._l_o_c_a_l. To include _/_e_t_c_/_s_u_d_o_e_r_s_._l_o_c_a_l from within | _/_e_t_c_/_s_u_d_o_e_r_s_._l_o_c_a_l. To include _/_e_t_c_/_s_u_d_o_e_r_s_._l_o_c_a_l from within |
_/_e_t_c_/_s_u_d_o_e_r_s we would use the following line in _/_e_t_c_/_s_u_d_o_e_r_s: | _/_e_t_c_/_s_u_d_o_e_r_s we would use the following line in _/_e_t_c_/_s_u_d_o_e_r_s: |
|
|
#include /etc/sudoers.local | #include /etc/sudoers.local |
|
|
When ssuuddoo reaches this line it will suspend processing of the current | When ssuuddoo reaches this line it will suspend processing of the current |
file (_/_e_t_c_/_s_u_d_o_e_r_s) and switch to _/_e_t_c_/_s_u_d_o_e_r_s_._l_o_c_a_l. Upon reaching | file (_/_e_t_c_/_s_u_d_o_e_r_s) and switch to _/_e_t_c_/_s_u_d_o_e_r_s_._l_o_c_a_l. Upon reaching the |
the end of _/_e_t_c_/_s_u_d_o_e_r_s_._l_o_c_a_l, the rest of _/_e_t_c_/_s_u_d_o_e_r_s will be | end of _/_e_t_c_/_s_u_d_o_e_r_s_._l_o_c_a_l, the rest of _/_e_t_c_/_s_u_d_o_e_r_s will be processed. |
processed. Files that are included may themselves include other files. | Files that are included may themselves include other files. A hard limit |
A hard limit of 128 nested include files is enforced to prevent include | of 128 nested include files is enforced to prevent include file loops. |
file loops. | |
|
|
The file name may include the %h escape, signifying the short form of | If the path to the include file is not fully-qualified (does not begin |
the host name. I.e., if the machine's host name is "xerxes", then | with a `/'), it must be located in the same directory as the sudoers file |
| it was included from. For example, if _/_e_t_c_/_s_u_d_o_e_r_s contains the line: |
|
|
#include /etc/sudoers.%h | #include sudoers.local |
|
|
will cause ssuuddoo to include the file _/_e_t_c_/_s_u_d_o_e_r_s_._x_e_r_x_e_s. | the file that will be included is _/_e_t_c_/_s_u_d_o_e_r_s_._l_o_c_a_l. |
|
|
The #includedir directive can be used to create a _s_u_d_o_._d directory that | The file name may also include the %h escape, signifying the short form |
the system package manager can drop _s_u_d_o_e_r_s rules into as part of | of the host name. In other words, if the machine's host name is |
package installation. For example, given: | ``xerxes'', then |
|
|
#includedir /etc/sudoers.d | #include /etc/sudoers.%h |
|
|
ssuuddoo will read each file in _/_e_t_c_/_s_u_d_o_e_r_s_._d, skipping file names that | will cause ssuuddoo to include the file _/_e_t_c_/_s_u_d_o_e_r_s_._x_e_r_x_e_s. |
end in ~ or contain a . character to avoid causing problems with | |
package manager or editor temporary/backup files. Files are parsed in | |
sorted lexical order. That is, _/_e_t_c_/_s_u_d_o_e_r_s_._d_/_0_1___f_i_r_s_t will be parsed | |
before _/_e_t_c_/_s_u_d_o_e_r_s_._d_/_1_0___s_e_c_o_n_d. Be aware that because the sorting is | |
lexical, not numeric, _/_e_t_c_/_s_u_d_o_e_r_s_._d_/_1___w_h_o_o_p_s would be loaded aafftteerr | |
_/_e_t_c_/_s_u_d_o_e_r_s_._d_/_1_0___s_e_c_o_n_d. Using a consistent number of leading zeroes | |
in the file names can be used to avoid such problems. | |
|
|
Note that unlike files included via #include, vviissuuddoo will not edit the | The #includedir directive can be used to create a _s_u_d_o_._d directory that |
files in a #includedir directory unless one of them contains a syntax | the system package manager can drop _s_u_d_o_e_r_s rules into as part of package |
error. It is still possible to run vviissuuddoo with the -f flag to edit the | installation. For example, given: |
files directly. | |
|
|
|
#includedir /etc/sudoers.d |

ssuuddoo will read each file in _/_e_t_c_/_s_u_d_o_e_r_s_._d, skipping file names that end |
in `~' or contain a `.' character to avoid causing problems with package |
manager or editor temporary/backup files. Files are parsed in sorted |
lexical order. That is, _/_e_t_c_/_s_u_d_o_e_r_s_._d_/_0_1___f_i_r_s_t will be parsed before |
_/_e_t_c_/_s_u_d_o_e_r_s_._d_/_1_0___s_e_c_o_n_d. Be aware that because the sorting is lexical, |
not numeric, _/_e_t_c_/_s_u_d_o_e_r_s_._d_/_1___w_h_o_o_p_s would be loaded aafftteerr |
_/_e_t_c_/_s_u_d_o_e_r_s_._d_/_1_0___s_e_c_o_n_d. Using a consistent number of leading zeroes in |
the file names can be used to avoid such problems. |

Note that unlike files included via #include, vviissuuddoo will not edit the |
files in a #includedir directory unless one of them contains a syntax |
error. It is still possible to run vviissuuddoo with the --ff flag to edit the |
files directly. |
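The #include and #includedir behaviour described in this section, as an added Python model written for this page (it is not sudoers' own include handling): relative #include paths are resolved against the including file's directory, `%h` is replaced by the short host name, #includedir skips names ending in `~` or containing `.` and takes the rest in lexical order, and nesting deeper than 128 levels is refused so that an include loop terminates. The file tree, host name and file contents are constructed in a temporary directory; nothing under /etc is read.

```python
import os
import tempfile

MAX_NESTING = 128   # the hard limit the manual gives for nested include files


def includedir_files(directory):
    """What #includedir reads: skip names ending in '~' or containing '.',
    then take the rest in sorted lexical (not numeric) order."""
    names = [n for n in os.listdir(directory) if not n.endswith("~") and "." not in n]
    return [os.path.join(directory, n) for n in sorted(names)]


def resolve_includes(path, hostname, depth=0):
    """Yield (file, line) for every line sudoers would see, following
    #include (relative paths from the including file's directory, %h is the
    short host name) and #includedir, and refusing to nest more than
    MAX_NESTING levels so an include loop terminates."""
    if depth >= MAX_NESTING:
        raise RuntimeError("include nesting deeper than %d: %s" % (MAX_NESTING, path))
    with open(path) as f:
        for raw in f:
            line = raw.rstrip("\n")
            if line.startswith("#include "):
                target = line[len("#include "):].strip().replace("%h", hostname)
                if not target.startswith("/"):
                    target = os.path.join(os.path.dirname(path), target)
                yield from resolve_includes(target, hostname, depth + 1)
            elif line.startswith("#includedir "):
                directory = line[len("#includedir "):].strip()
                for sub in includedir_files(directory):
                    yield from resolve_includes(sub, hostname, depth + 1)
            else:
                yield path, line


def _write(root, rel, text):
    full = os.path.join(root, rel)
    os.makedirs(os.path.dirname(full), exist_ok=True)
    with open(full, "w") as f:
        f.write(text)
    return full


def demo():
    """Constructed tree in a temporary directory: returns the basenames of
    the files in the order their lines are seen."""
    root = tempfile.mkdtemp()
    main = _write(root, "sudoers",
                  "Defaults env_reset\n"
                  "#include sudoers.local\n"          # relative: next to this file
                  "#include %s/sudoers.%%h\n"         # %h -> short host name
                  "#includedir %s/sudoers.d\n"
                  "root ALL = (ALL) ALL\n" % (root, root))
    _write(root, "sudoers.local", "# site-local rules\n")
    _write(root, "sudoers.xerxes", "# per-host rules for xerxes\n")
    for name in ("10_second", "1_whoops", "01_first", "50_pkg.dpkg-new", "60_pkg~"):
        _write(root, os.path.join("sudoers.d", name), "# from %s\n" % name)
    return [os.path.basename(f) for f, _ in resolve_includes(main, "xerxes")]


def demo_loop():
    """A file that includes itself: True if the nesting limit stopped it."""
    root = tempfile.mkdtemp()
    path = _write(root, "sudoers", "#include sudoers\n")
    try:
        list(resolve_includes(path, "xerxes"))
    except RuntimeError:
        return True
    return False
```

`demo()` shows the ordering trap from the text directly: `1_whoops` is read after `10_second` because `0` sorts before `_`, and the package manager's `50_pkg.dpkg-new` and the editor's `60_pkg~` are never read at all.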
|
|
OOtthheerr ssppeecciiaall cchhaarraacctteerrss aanndd rreesseerrvveedd wwoorrddss
The pound sign ('#') is used to indicate a comment (unless it is part | The pound sign (`#') is used to indicate a comment (unless it is part of |
of a #include directive or unless it occurs in the context of a user | a #include directive or unless it occurs in the context of a user name |
name and is followed by one or more digits, in which case it is treated | and is followed by one or more digits, in which case it is treated as a |
as a uid). Both the comment character and any text after it, up to the | uid). Both the comment character and any text after it, up to the end of |
end of the line, are ignored. | the line, are ignored. |
|
|
The reserved word AALLLL is a built-in _a_l_i_a_s that always causes a match to | The reserved word AALLLL is a built-in _a_l_i_a_s that always causes a match to |
succeed. It can be used wherever one might otherwise use a Cmnd_Alias, | succeed. It can be used wherever one might otherwise use a Cmnd_Alias, |
User_Alias, Runas_Alias, or Host_Alias. You should not try to define | User_Alias, Runas_Alias, or Host_Alias. You should not try to define |
your own _a_l_i_a_s called AALLLL as the built-in alias will be used in | your own _a_l_i_a_s called AALLLL as the built-in alias will be used in |
preference to your own. Please note that using AALLLL can be dangerous | preference to your own. Please note that using AALLLL can be dangerous |
since in a command context, it allows the user to run aannyy command on | since in a command context, it allows the user to run aannyy command on the |
the system. | system. |
|
|
An exclamation point ('!') can be used as a logical _n_o_t operator both | An exclamation point (`!') can be used as a logical _n_o_t operator in a |
in an _a_l_i_a_s and in front of a Cmnd. This allows one to exclude certain | list or _a_l_i_a_s as well as in front of a Cmnd. This allows one to exclude |
values. Note, however, that using a ! in conjunction with the built-in | certain values. For the `!' operator to be effective, there must be |
ALL alias to allow a user to run "all but a few" commands rarely works | something for it to exclude. For example, to match all users except for |
as intended (see SECURITY NOTES below). | root one would use: |
|
|
Long lines can be continued with a backslash ('\') as the last | ALL,!root |
character on the line. | |
|
|
Whitespace between elements in a list as well as special syntactic | If the AALLLL is omitted, as in: |
characters in a _U_s_e_r _S_p_e_c_i_f_i_c_a_t_i_o_n ('=', ':', '(', ')') is optional. | |
|
|
The following characters must be escaped with a backslash ('\') when | !root |
used as part of a word (e.g. a user name or host name): '!', '=', ':', | |
',', '(', ')', '\'. | |
|
|
|
it would explicitly deny root but not match any other users. This is |
different from a true ``negation'' operator. |

Note, however, that using a `!' in conjunction with the built-in AALLLL |
alias to allow a user to run ``all but a few'' commands rarely works as |
intended (see _S_E_C_U_R_I_T_Y _N_O_T_E_S below). |

Long lines can be continued with a backslash (`\') as the last character |
on the line. |

White space between elements in a list as well as special syntactic |
characters in a _U_s_e_r _S_p_e_c_i_f_i_c_a_t_i_o_n (`=', `:', `(', `)') is optional. |

The following characters must be escaped with a backslash (`\') when used |
as part of a word (e.g. a user name or host name): `!', `=', `:', `,', |
`(', `)', `\'. |
|
|
SSUUDDOOEERRSS OOPPTTIIOONNSS
ssuuddoo's behavior can be modified by Default_Entry lines, as explained | ssuuddoo's behavior can be modified by Default_Entry lines, as explained |
earlier. A list of all supported Defaults parameters, grouped by type, | earlier. A list of all supported Defaults parameters, grouped by type, |
are listed below. | are listed below. |
|
|
BBoooolleeaann FFllaaggss: | BBoooolleeaann FFllaaggss: |
|
|
always_set_home If enabled, ssuuddoo will set the HOME environment variable | always_set_home If enabled, ssuuddoo will set the HOME environment variable |
to the home directory of the target user (which is root
unless the --uu option is used). This effectively means
that the --HH option is always implied. Note that HOME
is already set when the _e_n_v___r_e_s_e_t option is | is already set when the _e_n_v___r_e_s_e_t option is enabled, so |
enabled, so _a_l_w_a_y_s___s_e_t___h_o_m_e is only effective for | _a_l_w_a_y_s___s_e_t___h_o_m_e is only effective for configurations |
configurations where either _e_n_v___r_e_s_e_t is disabled or | where either _e_n_v___r_e_s_e_t is disabled or HOME is present |
HOME is present in the _e_n_v___k_e_e_p list. This flag is _o_f_f | in the _e_n_v___k_e_e_p list. This flag is _o_f_f by default. |
by default. | |
|
|
     authenticate
           If set, users must authenticate themselves via a password (or
           other means of authentication) before they may run commands.
           This default may be overridden via the PASSWD and NOPASSWD tags.
           This flag is on by default.

     closefrom_override
           If set, the user may use sudo's -C option which overrides the
           default starting point at which sudo begins closing open file
           descriptors.  This flag is off by default.

     compress_io
           If set, and sudo is configured to log a command's input or
           output, the I/O logs will be compressed using zlib.  This flag is
           on by default when sudo is compiled with zlib support.

     exec_background
           By default, sudo runs a command as the foreground process as long
           as sudo itself is running in the foreground.  When the
           exec_background flag is enabled and the command is being run in a
           pty (due to I/O logging or the use_pty flag), the command will be
           run as a background process.  Attempts to read from the
           controlling terminal (or to change terminal settings) will result
           in the command being suspended with the SIGTTIN signal (or
           SIGTTOU in the case of terminal settings).  If this happens when
           sudo is a foreground process, the command will be granted the
           controlling terminal and resumed in the foreground with no user
           intervention required.  The advantage of initially running the
           command in the background is that sudo need not read from the
           terminal unless the command explicitly requests it.  Otherwise,
           any terminal input must be passed to the command, whether it has
           required it or not (the kernel buffers terminals so it is not
           possible to tell whether the command really wants the input).
           This is different from historic sudo behavior or when the command
           is not being run in a pty.

           For this to work seamlessly, the operating system must support
           the automatic restarting of system calls.  Unfortunately, not all
           operating systems do this by default, and even those that do may
           have bugs.  For example, Mac OS X fails to restart the tcgetattr()
           and tcsetattr() system calls (this is a bug in Mac OS X).
           Furthermore, because this behavior depends on the command
           stopping with the SIGTTIN or SIGTTOU signals, programs that catch
           these signals and suspend themselves with a different signal
           (usually SIGSTOP) will not be automatically foregrounded.  Some
           versions of the Linux su(1) command behave this way.

           This setting is only supported by version 1.8.7 or higher.  It
           has no effect unless I/O logging is enabled or the use_pty flag
           is enabled.

     env_editor
           If set, visudo will use the value of the EDITOR or VISUAL
           environment variables before falling back on the default editor
           list.  Note that this may create a security hole as it allows the
           user to run any

           [...]

           use the EDITOR or VISUAL if they match a value specified in
           editor.  This flag is off by default.

     env_reset
           If set, sudo will run the command in a minimal environment
           containing the TERM, PATH, HOME, MAIL, SHELL, LOGNAME, USER,
           USERNAME and SUDO_* variables.  Any variables in the caller's
           environment that match the env_keep and env_check lists are then
           added, followed by any variables present in the file specified by
           the env_file option (if any).  The default contents of the
           env_keep and env_check lists are displayed when sudo is run by
           root with the -V option.  If the secure_path option is set, its
           value will be used for the PATH environment variable.  This flag
           is on by default.

     fast_glob
           Normally, sudo uses the glob(3) function to do shell-style
           globbing when matching path names.  However, since it accesses
           the file system, glob(3) can take a long time to complete for
           some patterns, especially when the pattern references a network
           file system that is mounted on demand (auto mounted).  The
           fast_glob option causes sudo to use the fnmatch(3) function,
           which does not access the file system to do its matching.  The
           disadvantage of fast_glob is that it is unable to match relative
           path names such as ./ls or ../bin/ls.  This has security
           implications when path names that include globbing characters
           are used with the negation operator, `!', as such rules can be
           trivially bypassed.  As such, this option should not be used when
           sudoers contains rules that contain negated path names which
           include globbing characters.  This flag is off by default.

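     As an added illustration (not part of the sudoers manual or of sudo
     itself), the following Python lint parses a sudoers snippet and flags
     the two negation patterns the text warns about: negated path names
     containing glob characters while fast_glob is set, and `!' exceptions
     carved out of ALL.  It handles only the grammar subset it needs, does
     not expand aliases, and the sample snippet is constructed.

```python
"""Lint a sudoers snippet for the negation hazards described under fast_glob.

Constructed example, not part of sudo.  Handles only the grammar subset it
needs: global Defaults lines, user specifications of the form
'user host = (runas) TAG: cmd, !cmd', comments and backslash continuation.
Aliases are not expanded."""
import re

GLOB_CHARS = set("*?[")
# Tags that may precede a command in a user specification.
TAG_RE = re.compile(
    r"^(?:(?:NO)?(?:PASSWD|EXEC|SETENV|LOG_INPUT|LOG_OUTPUT):\s*)+")
SPEC_RE = re.compile(r"^(\S+)\s+(\S+?)\s*=\s*(?:\(([^)]*)\)\s*)?(.*)$")


def _logical_lines(text):
    """Join lines continued with a trailing backslash, as sudoers allows."""
    out, buf = [], ""
    for line in text.splitlines():
        line = line.rstrip()
        if line.endswith("\\"):
            buf += line[:-1]
            continue
        out.append(buf + line)
        buf = ""
    if buf:
        out.append(buf)
    return out


def _split_commas(s):
    """Split a list on commas that are not backslash-escaped."""
    parts, cur, i = [], "", 0
    while i < len(s):
        if s[i] == "\\" and i + 1 < len(s):
            cur += s[i:i + 2]
            i += 2
            continue
        if s[i] == ",":
            parts.append(cur.strip())
            cur = ""
        else:
            cur += s[i]
        i += 1
    parts.append(cur.strip())
    return [p for p in parts if p]


def parse_sudoers(text):
    """Return (fast_glob_enabled, specs); a spec is (user, host, runas, [cmd...])."""
    fast_glob, specs = False, []
    for line in _logical_lines(text):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        head, rest = parts[0], (parts[1] if len(parts) > 1 else "")
        if head == "Defaults":          # per-host/user Defaults are ignored here
            for opt in _split_commas(rest):
                if opt == "fast_glob":
                    fast_glob = True
                elif opt == "!fast_glob":
                    fast_glob = False
            continue
        if head.endswith("_Alias") or head.startswith("Defaults"):
            continue
        m = SPEC_RE.match(line)
        if not m:
            continue
        user, host, runas, cmds = m.groups()
        commands = [TAG_RE.sub("", c) for c in _split_commas(cmds)]
        specs.append((user, host, runas or "", commands))
    return fast_glob, specs


def find_negation_hazards(text):
    """Return (user, command, reason) for each risky negated command entry."""
    fast_glob, specs = parse_sudoers(text)
    findings = []
    for user, _host, _runas, commands in specs:
        grants_all = "ALL" in commands
        for cmd in commands:
            words = cmd[1:].split() if cmd.startswith("!") else []
            if not words:
                continue                      # not a negated entry
            path = words[0]                   # the command word, without arguments
            if fast_glob and GLOB_CHARS & set(path):
                findings.append((user, cmd, "negated glob while fast_glob is set: "
                                 "fnmatch(3) cannot match relative paths such as "
                                 "./ls, so the exclusion is trivially bypassed"))
            elif grants_all:
                findings.append((user, cmd, "'!' used to carve exceptions out of "
                                 "ALL rarely works as intended (see SECURITY NOTES)"))
    return findings


# Constructed sample: 'alice' combines a negated glob with fast_glob,
# 'bob' uses the ALL-minus-a-few pattern, 'carol' is fine.
SAMPLE = """\
Defaults    env_reset, fast_glob
alice  ALL = (root) /usr/bin/*, !/usr/bin/vi*
bob    ALL = (ALL) ALL, !/bin/sh
carol  ALL = (ALL) NOPASSWD: /usr/sbin/service \\
                   httpd *
"""

if __name__ == "__main__":
    for user, cmd, reason in find_negation_hazards(SAMPLE):
        print(f"{user}: {cmd}: {reason}")
```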
     fqdn
           Set this flag if you want to put fully qualified host names in
           the sudoers file when the local host name (as returned by the
           hostname command) does not contain the domain name.  In other
           words, instead of myhost you would use myhost.mydomain.edu.  You
           may still use the short form if you wish (and even mix the two).
           This option is only effective when the ``canonical'' host name,
           as returned by the getaddrinfo() or gethostbyname() function, is
           a fully-qualified domain name.  This is usually the case when the
           system is configured to use DNS for host name resolution.

           If the system is configured to use the /etc/hosts file in
           preference to DNS, the ``canonical'' host name may not be
           fully-qualified.  The order that sources are queried for host
           name resolution is usually specified in the /etc/nsswitch.conf,
           /etc/netsvc.conf, /etc/host.conf, or, in some cases,
           /etc/resolv.conf file.  In the /etc/hosts file, the first host
           name of the entry is considered to be the ``canonical'' name;
           subsequent names are aliases that are not used by sudoers.  For
           example, the following hosts file line for the machine ``xyzzy''
           has the fully-qualified domain name as the ``canonical'' host
           name, and the short version as an alias.

                 192.168.1.1 xyzzy.sudo.ws xyzzy

           If the machine's hosts file entry is not formatted properly, the
           fqdn option will not be effective if it is queried before DNS.

           Beware that when using DNS for host name resolution, turning on
           fqdn requires sudoers to make DNS lookups which renders sudo
           unusable if DNS stops working (for example if the machine is
           disconnected from the network).  Also note that just like with
           the hosts file, you must use the ``canonical'' name as DNS knows
           it.  That is, you may not use a host alias (CNAME entry) due to
           performance issues and the fact that there is no way to get all
           aliases from DNS.

           This flag is off by default.

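     The following added Python check (not from the manual or from sudo)
     applies the hosts file rule above: it parses hosts-style lines, takes
     the first name on the matching line as the canonical name, and reports
     whether fqdn would be effective for a machine whose resolver consults
     the hosts file before DNS.  The sample entries are constructed; the
     optional live lookup via getaddrinfo() only runs when the script is
     executed directly.

```python
"""Check whether the ``canonical'' host name sudoers would see is fully
qualified, per the /etc/hosts rule: first name on the line is canonical,
the rest are aliases.  Constructed example, not part of sudo."""
import socket


def parse_hosts(text):
    """Yield (address, canonical_name, [aliases]) for each hosts(5) entry."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            continue                           # address with no names: skip
        yield fields[0], fields[1], fields[2:]


def canonical_name(hosts_text, name):
    """Return the canonical name for 'name' per the hosts file, or None.

    Like a resolver, the first line on which the name appears (either as
    the canonical name or as an alias) wins."""
    for _addr, canon, aliases in parse_hosts(hosts_text):
        if name == canon or name in aliases:
            return canon
    return None


def is_fqdn(name):
    """A fully-qualified name carries a domain part, i.e. at least one dot."""
    return "." in name.strip(".")


def fqdn_effective(hosts_text, name):
    """True if the fqdn flag would be effective for 'name' when the hosts
    file is consulted before DNS: the canonical name itself must be an FQDN."""
    canon = canonical_name(hosts_text, name)
    return canon is not None and is_fqdn(canon)


# Constructed samples: xyzzy follows the manual's example (FQDN first);
# plugh has the names reversed, so its canonical name is the short form.
GOOD_HOSTS = "192.168.1.1 xyzzy.sudo.ws xyzzy   # correct order\n"
BAD_HOSTS = "192.168.1.2 plugh plugh.sudo.ws\n"


def live_canonical_name(name):
    """What sudoers actually uses: the canonical name from getaddrinfo()."""
    info = socket.getaddrinfo(name, None, flags=socket.AI_CANONNAME)
    return info[0][3] if info else None


if __name__ == "__main__":
    me = socket.gethostname()
    try:
        canon = live_canonical_name(me)
        print(f"{me}: canonical name {canon!r}, fqdn effective: {is_fqdn(canon or '')}")
    except OSError as exc:
        print(f"{me}: lookup failed ({exc})")
```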
     ignore_dot
           If set, sudo will ignore "." or "" (both denoting current
           directory) in the PATH environment variable; the PATH itself is
           not modified.  This flag is off by default.

     ignore_local_sudoers
           If set via LDAP, parsing of /etc/sudoers will be skipped.  This
           is intended for enterprises that wish to prevent the usage of
           local sudoers files so that only LDAP is used.  This thwarts the
           efforts of rogue operators who would attempt to add roles to
           /etc/sudoers.  When this option is present, /etc/sudoers does not
           even need to exist.  Since this option tells sudo how to behave
           when no specific LDAP entries have been matched, this sudoOption
           is only meaningful for the cn=defaults section.  This flag is off
           by default.

     insults
           If set, sudo will insult users when they enter an incorrect
           password.  This flag is off by default.

     log_host
           If set, the host name will be logged in the (non-syslog) sudo log
           file.  This flag is off by default.

     log_input
           If set, sudo will run the command in a pseudo tty and log all
           user input.  If the standard input is not connected to the user's
           tty, due to I/O redirection or because the command is part of a
           pipeline, that input

           [...]

           Input is logged to the directory specified by the iolog_dir
           option (/var/log/sudo-io by default) using a unique session ID
           that is included in the normal sudo log line, prefixed with
           ``TSID=''.  The iolog_file option may be used to control the
           format of the session ID.

           Note that user input may contain sensitive information such as
           passwords (even if they are not echoed to the

           [...]

           unencrypted.  In most cases, logging the command output via
           log_output is all that is required.

     log_output
           If set, sudo will run the command in a pseudo tty and log all
           output that is sent to the screen, similar to the script(1)
           command.  If the standard output or standard error is not
           connected to the user's tty, due to I/O redirection or because
           the command is part of a pipeline, that output is also captured
           and stored in

           [...]

           Output is logged to the directory specified by the iolog_dir
           option (/var/log/sudo-io by default) using a unique session ID
           that is included in the normal sudo log line, prefixed with
           ``TSID=''.  The iolog_file option may be used to control the
           format of the session ID.

           Output logs may be viewed with the sudoreplay(1m) utility, which
           can also be used to list or search the available logs.

     log_year
           If set, the four-digit year will be logged in the (non-syslog)
           sudo log file.  This flag is off by default.

     long_otp_prompt
           When validating with a One Time Password (OTP) scheme such as
           S/Key or OPIE, a two-line prompt is used to make it easier to cut
           and paste the challenge to a local window.  It's not as pretty as
           the default but some people find it more convenient.  This flag
           is off by default.

     mail_always
           Send mail to the mailto user every time a user runs sudo.  This
           flag is off by default.

     mail_badpass
           Send mail to the mailto user if the user running sudo does not
           enter the correct password.  If the command the user is
           attempting to run is not permitted by sudoers and one of the
           mail_always, mail_no_host, mail_no_perms or mail_no_user flags is
           set, this flag will have no effect.  This flag is off by default.

     mail_no_host
           If set, mail will be sent to the mailto user if the invoking user
           exists in the sudoers file, but is not allowed to run commands on
           the current host.  This flag is off by default.

     mail_no_perms
           If set, mail will be sent to the mailto user if the invoking user
           is allowed to use sudo but the command they are trying is not
           listed in their sudoers file entry or is explicitly denied.  This
           flag is off by default.

     mail_no_user
           If set, mail will be sent to the mailto user if the invoking user
           is not in the sudoers file.  This flag is on by default.

     noexec
           If set, all commands run via sudo will behave as if the NOEXEC
           tag has been set, unless overridden by an EXEC tag.  See the
           description of NOEXEC and EXEC below as well as the Preventing
           shell escapes section at the end of this manual.  This flag is
           off by default.

     pam_session
           On systems that use PAM for authentication, sudo will create a
           new PAM session for the command to be run in.  Disabling
           pam_session may be needed on older PAM implementations or on
           operating systems where opening a PAM session changes the utmp
           or wtmp files.  If PAM session support is disabled, resource
           limits may not be updated for the command being run.  If
           pam_session, pam_setcred, and use_pty are disabled and I/O
           logging has not been configured, sudo will execute the command
           directly instead of running it as a child process.  This flag is
           on by default.

           This setting is only supported by version 1.8.7 or higher.

     pam_setcred
           On systems that use PAM for authentication, sudo will attempt to
           establish credentials for the target user by default, if
           supported by the underlying authentication system.  One example
           of a credential is a Kerberos ticket.  If pam_session,
           pam_setcred, and use_pty are disabled and I/O logging has not
           been configured, sudo will execute the command directly instead
           of running it as a child process.  This flag is on by default.

           This setting is only supported by version 1.8.8 or higher.

     passprompt_override
           The password prompt specified by passprompt will normally only be
           used if the password prompt provided by systems such as PAM
           matches the string ``Password:''.  If passprompt_override is
           set, passprompt will always be used.  This flag is off by
           default.

     path_info
           Normally, sudo will tell the user when a command could not be
           found in their PATH environment variable.  Some sites may wish to
           disable this as it could be used to gather information on the
           location of executables that

           [...]

           not allowed to run it, which can be confusing.  This flag is on
           by default.

     preserve_groups
           By default, sudo will initialize the group vector to the list of
           groups the target user is in.  When preserve_groups is set, the
           user's existing group vector is left unaltered.  The real and
           effective group IDs, however, are still set to match the target
           user.  This flag is off by default.

     pwfeedback
           By default, sudo reads the password like most other Unix
           programs, by turning off echo until the user hits the return (or
           enter) key.  Some users become confused by this as it appears to
           them that sudo has hung at

           [...]

           able to determine the length of the password being entered.
           This flag is off by default.

     requiretty
           If set, sudo will only run when the user is logged in to a real
           tty.  When this flag is set, sudo can only be run from a login
           session and not via other means such as cron(1m) or cgi-bin
           scripts.  This flag is off by default.

     root_sudo
           If set, root is allowed to run sudo too.  Disabling this prevents
           users from ``chaining'' sudo commands to get a root shell by
           doing something like ``sudo sudo /bin/sh''.  Note, however, that
           turning off root_sudo will also prevent root from running
           sudoedit.  Disabling root_sudo provides no real additional
           security; it exists purely for historical reasons.  This flag is
           on by default.

     rootpw
           If set, sudo will prompt for the root password instead of the
           password of the invoking user.  This flag is off by default.

     runaspw
           If set, sudo will prompt for the password of the user defined by
           the runas_default option (defaults to root) instead of the
           password of the invoking user.  This flag is off by default.

     set_home
           If enabled and sudo is invoked with the -s option the HOME
           environment variable will be set to the home directory of the
           target user (which is root unless the -u option is used).  This
           effectively makes the -s option imply -H.  Note that HOME is
           already set when the env_reset option is enabled, so set_home is
           only effective for configurations where either env_reset is
           disabled or HOME is present in the env_keep list.  This flag is
           off by default.

     set_logname
           Normally, sudo will set the LOGNAME, USER and USERNAME
           environment variables to the name of the target user (usually
           root unless the -u option is given).  However, since some
           programs (including the RCS revision control

           [...]

           disabled, entries in the env_keep list will override the value
           of set_logname.  This flag is on by default.

     set_utmp
           When enabled, sudo will create an entry in the utmp (or utmpx)
           file when a pseudo-tty is allocated.  A pseudo-tty is allocated
           by sudo when the log_input, log_output or use_pty flags are
           enabled.  By default, the new

           [...]

           (if any), with the tty, time, type and pid fields updated.  This
           flag is on by default.

     setenv
           Allow the user to disable the env_reset option from the command
           line via the -E option.  Additionally, environment variables set
           via the command line are not subject to the restrictions imposed
           by env_check,

           [...]

           should be allowed to set variables in this manner.  This flag is
           off by default.

     shell_noargs
           If set and sudo is invoked with no arguments it acts as if the -s
           option had been given.  That is, it runs a shell as root (the
           shell is determined by the SHELL environment variable if it is
           set, falling back on the shell listed in the invoking user's
           /etc/passwd entry if not).  This flag is off by default.

     stay_setuid
           Normally, when sudo executes a command the real and effective
           UIDs are set to the target user (root by default).  This option
           changes that behavior such that the real UID is left as the
           invoking user's UID.  In

           [...]

           This can be useful on systems that disable some potentially
           dangerous functionality when a program is run setuid.  This
           option is only effective on systems that support either the
           setreuid(2) or setresuid(2) system call.  This flag is off by
           default.

     targetpw
           If set, sudo will prompt for the password of the user specified
           by the -u option (defaults to root) instead of the password of
           the invoking user.  In addition, the time stamp file name will
           include the target user's name.  Note that this flag precludes
           the use of a uid not listed in the passwd database as an argument
           to the -u option.  This flag is off by default.

tty_tickets     If set, users must authenticate on a per-tty basis.
                With this flag enabled, sudo will use a file named for
                the tty the user is logged in on in the user's time
                stamp directory.  If disabled, the time stamp of the
                directory is used instead.  This flag is on by default.

umask_override  If set, sudo will set the umask as specified by sudoers
                without modification.  This makes it possible to
                specify a more permissive umask in sudoers than the
                user's own umask and matches historical behavior.  If

                be the union of the user's umask and what is specified
                in sudoers.  This flag is off by default.

use_loginclass  If set, sudo will apply the defaults specified for the
                target user's login class if one exists.  Only
                available if sudo is configured with the
                --with-logincap option.  This flag is off by default.

use_pty         If set, sudo will run the command in a pseudo-pty even
                if no I/O logging is being done.  A malicious program
                run under sudo could conceivably fork a background
                process that retains access to the user's terminal device

                this option will make that impossible.  This flag is
                off by default.

utmp_runas      If set, sudo will store the name of the runas user when
                updating the utmp (or utmpx) file.  By default, sudo
                stores the name of the invoking user.  This flag is off
                by default.

visiblepw       By default, sudo will refuse to run if the user must
                enter a password but it is not possible to disable echo
                on the terminal.  If the visiblepw flag is set, sudo
                will prompt for a password even when it would be
                visible on the screen.  This makes it possible to run
                things like ``ssh somehost sudo ls'' since by default,
                ssh(1) does not allocate a tty when running a command.
                This flag is off by default.

Integers:

closefrom       Before it executes a command, sudo will close all open
                file descriptors other than standard input, standard
                output and standard error (i.e., file descriptors 0-2).
                The closefrom option can be used to specify a different
                file descriptor at which to start closing.  The default
                is 3.

passwd_tries    The number of tries a user gets to enter his/her
                password before sudo logs the failure and exits.  The
                default is 3.

Integers that can be used in a boolean context:

loglinelen      Number of characters per line for the file log.  This
                value is used to decide when to wrap lines for nicer
                log files.  This has no effect on the syslog log file,
                only the file log.  The default is 80 (use 0 or negate
                the option to disable word wrap).

passwd_timeout  Number of minutes before the sudo password prompt times
                out, or 0 for no timeout.  The timeout may include a
                fractional component if minute granularity is
                insufficient, for example 2.5.  The default is 5.

timestamp_timeout
                Number of minutes that can elapse before sudo will ask
                for a password again.  The timeout may include a
                fractional component if minute granularity is
                insufficient, for example 2.5.  The default is 5.  Set
                this to 0 to always prompt for a password.  If set to a
                value less than 0 the user's time stamp will never
                expire.  This can be used to allow users to create or
                delete their own time stamps via ``sudo -v'' and ``sudo
                -k'' respectively.

umask           Umask to use when running the command.  Negate this
                option or set it to 0777 to preserve the user's umask.
                The actual umask that is used will be the union of the
                user's umask and the value of the umask option, which
                defaults to 0022.  This guarantees that sudo never
                lowers the umask when running a command.  Note: on
                systems that use PAM, the default PAM configuration may
                specify its own umask which will override the value set
                in sudoers.

Strings:

badpass_message Message that is displayed if a user enters an incorrect
                password.  The default is ``Sorry, try again.'' unless
                insults are enabled.

editor          A colon (`:') separated list of editors allowed to be
                used with visudo.  visudo will choose the editor that
                matches the user's EDITOR environment variable if
                possible, or the first editor in the list that exists
                and is executable.  The default is vi.

iolog_dir       The top-level directory to use when constructing the
                path name for the input/output log directory.  Only
                used if the log_input or log_output options are enabled
                or when the LOG_INPUT or LOG_OUTPUT tags are present
                for a command.  The session sequence number, if any, is
                stored in the directory.  The default is
                /var/log/sudo-io.

                The following percent (`%') escape sequences are
                supported:

                %{seq}
                    expanded to a monotonically increasing base-36
                    sequence number, such as 0100A5, where every two
                    digits are used to form a new directory, e.g.
                    01/00/A5

                %{user}
                    expanded to the invoking user's login name

                %{group}
                    expanded to the name of the invoking user's real
                    group ID

                %{runas_user}
                    expanded to the login name of the user the command
                    will be run as (e.g. root)

                %{runas_group}
                    expanded to the group name of the user the command
                    will be run as (e.g. wheel)

                %{hostname}
                    expanded to the local host name without the domain
                    name

                %{command}
                    expanded to the base name of the command being run

                In addition, any escape sequences supported by the
                system's strftime(3) function will be expanded.

                To include a literal `%' character, the string `%%'
                should be used.

iolog_file      The path name, relative to iolog_dir, in which to store
                input/output logs when the log_input or log_output
                options are enabled or when the LOG_INPUT or LOG_OUTPUT
                tags are present for a command.  Note that iolog_file
                may contain directory components.  The default is
                ``%{seq}''.

                See the iolog_dir option above for a list of supported
                percent (`%') escape sequences.

                In addition to the escape sequences, path names that
                end in six or more Xs will have the Xs replaced with a
                unique combination of digits and letters, similar to
                the mktemp(3) function.

                If the path created by concatenating iolog_dir and
                iolog_file already exists, the existing I/O log file
                will be truncated and overwritten unless iolog_file
                ends in six or more Xs.

limitprivs      The default Solaris limit privileges to use when
                constructing a new privilege set for a command.  This
                bounds all privileges of the executing process.  The
                default limit privileges may be overridden on a per-
                command basis in sudoers.  This option is only
                available if sudoers is built on Solaris 10 or higher.

mailsub         Subject of the mail sent to the mailto user.  The
                escape %h will expand to the host name of the machine.
                Default is ``*** SECURITY information for %h ***''.

maxseq          The maximum sequence number that will be substituted
                for the ``%{seq}'' escape in the I/O log file (see the
                iolog_dir description above for more information).
                While the value substituted for ``%{seq}'' is in base
                36, maxseq itself should be expressed in decimal.
                Values larger than 2176782336 (which corresponds to the
                base 36 sequence number ``ZZZZZZ'') will be silently
                truncated to 2176782336.  The default value is
                2176782336.

                Once the local sequence number reaches the value of
                maxseq, it will ``roll over'' to zero, after which
                sudoers will truncate and re-use any existing I/O log
                pathnames.

                This setting is only supported by version 1.8.7 or
                higher.

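The iolog_dir/iolog_file escape rules, the base-36 %{seq} directory split, the maxseq roll-over and the six-X suffix, worked as an added Python example (this is illustrative code, not sudo's own implementation). The random-suffix alphabet, the hostname/command context dict, and the will_overwrite helper are assumptions introduced here.

```python
import datetime
import secrets
import string

BASE36 = string.digits + string.ascii_uppercase  # upper-case digits, as in the 0100A5 example
MAXSEQ_LIMIT = 36 ** 6                            # 2176782336: the ceiling maxseq is truncated to


def seq_to_base36(seq: int, width: int = 6) -> str:
    """Render a session sequence number as a zero-padded upper-case base-36 string."""
    if seq < 0:
        raise ValueError("sequence number must be non-negative")
    digits = []
    while seq:
        seq, rem = divmod(seq, 36)
        digits.append(BASE36[rem])
    return "".join(reversed(digits)).rjust(width, "0")


def next_seq(current: int, maxseq: int = MAXSEQ_LIMIT) -> int:
    """Advance the local sequence number; it rolls over to zero on reaching maxseq."""
    maxseq = min(maxseq, MAXSEQ_LIMIT)  # values above the limit are silently truncated
    nxt = current + 1
    return 0 if nxt >= maxseq else nxt


def expand_iolog_escapes(template, ctx, seq, now):
    """Expand the %{...} escapes listed for iolog_dir and iolog_file.

    %{seq} is the base-36 number split into two-digit directories
    (0100A5 -> 01/00/A5), %% is a literal %, and any other %X is handed
    to strftime(3) (here via datetime.strftime).  ctx is a constructed
    dict holding the invocation details the man page names.
    """
    names = {
        "seq": "/".join(seq_to_base36(seq)[i:i + 2] for i in range(0, 6, 2)),
        "user": ctx["user"],
        "group": ctx["group"],
        "runas_user": ctx["runas_user"],
        "runas_group": ctx["runas_group"],
        "hostname": ctx["hostname"].split(".")[0],    # host name without the domain
        "command": ctx["command"].rsplit("/", 1)[-1],  # base name of the command
    }
    out = []
    i = 0
    while i < len(template):
        if template[i] != "%":
            out.append(template[i])
            i += 1
        elif template.startswith("%%", i):
            out.append("%")
            i += 2
        elif template.startswith("%{", i):
            end = template.index("}", i)
            key = template[i + 2:end]
            if key not in names:
                raise ValueError(f"unknown escape %{{{key}}}")
            out.append(names[key])
            i = end + 1
        else:
            out.append(now.strftime(template[i:i + 2]))  # e.g. %Y, %m, %d
            i += 2
    return "".join(out)


def finalize_path(path: str) -> str:
    """Replace a trailing run of six or more Xs with random characters, mktemp(3) style.

    The alphabet is an assumption; the page only says 'digits and letters'.
    """
    stem = path.rstrip("X")
    n = len(path) - len(stem)
    if n < 6:
        return path
    alphabet = string.ascii_letters + string.digits
    return stem + "".join(secrets.choice(alphabet) for _ in range(n))


def iolog_path(iolog_dir, iolog_file, ctx, seq, now):
    """Full I/O log path: iolog_dir joined with iolog_file, both expanded."""
    full = (expand_iolog_escapes(iolog_dir, ctx, seq, now) + "/"
            + expand_iolog_escapes(iolog_file, ctx, seq, now))
    return finalize_path(full)


def will_overwrite(iolog_file: str, candidate: str, existing) -> bool:
    """Hypothetical check: an existing log at `candidate` is truncated unless
    iolog_file ends in six or more Xs (the man page's stated rule)."""
    return candidate in existing and not iolog_file.endswith("XXXXXX")


# Constructed sample invocation, not real data.
SAMPLE_CTX = {
    "user": "alice", "group": "staff", "runas_user": "root",
    "runas_group": "wheel", "hostname": "host1.example.com",
    "command": "/usr/bin/ls",
}
SAMPLE_TIME = datetime.datetime(2013, 10, 14, 7, 56)

if __name__ == "__main__":
    print(iolog_path("/var/log/sudo-io", "%{seq}", SAMPLE_CTX, 1679981, SAMPLE_TIME))
    print(iolog_path("/var/log/sudo-io/%Y%m%d", "%{user}/%{command}.XXXXXX",
                     SAMPLE_CTX, 1679981, SAMPLE_TIME))
```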
noexec_file     As of sudo version 1.8.1 this option is no longer
                supported.  The path to the noexec file should now be
                set in the sudo.conf(4) file.

pam_login_service
                On systems that use PAM for authentication, this is the
                service name used when the -i option is specified.  The
                default value is ``sudo''.  See the description of
                pam_service for more information.

                This setting is only supported by version 1.8.8 or
                higher.

pam_service     On systems that use PAM for authentication, the service
                name specifies the PAM policy to apply.  This usually
                corresponds to an entry in the pam.conf file or a file
                in the /etc/pam.d directory.  The default value is
                ``sudo''.

                This setting is only supported by version 1.8.8 or
                higher.

passprompt      The default prompt to use when asking for a password;
                can be overridden via the -p option or the SUDO_PROMPT
                environment variable.  The following percent (`%')
                escape sequences are supported:

                %H  expanded to the local host name including the
                    domain name (only if the machine's host name is
                    fully qualified or the fqdn option is set)

                %h  expanded to the local host name without the domain
                    name

                %p  expanded to the user whose password is being asked
                    for (respects the rootpw, targetpw and runaspw
                    flags in sudoers)

                %U  expanded to the login name of the user the command
                    will be run as (defaults to root)

                %u  expanded to the invoking user's login name

                %%  two consecutive % characters are collapsed into a
                    single % character

                The default value is ``Password:''.

privs           The default Solaris privileges to use when constructing
                a new privilege set for a command.  This is passed to
                the executing process via the inherited privilege set,
                but is bounded by the limit privileges.  If the privs
                option is specified but the limitprivs option is not,
                the limit privileges of the executing process are set
                to privs.  The default privileges may be overridden on
                a per-command basis in sudoers.  This option is only
                available if sudoers is built on Solaris 10 or higher.

role            The default SELinux role to use when constructing a new
                security context to run the command.  The default role
                may be overridden on a per-command basis in sudoers or
                via command line options.  This option is only
                available when sudo is built with SELinux support.

runas_default   The default user to run commands as if the -u option is
                not specified on the command line.  This defaults to
                root.

syslog_badpri   Syslog priority to use when user authenticates
                unsuccessfully.  Defaults to alert.

                The following syslog priorities are supported: alert,
                crit, debug, emerg, err, info, notice, and warning.

syslog_goodpri  Syslog priority to use when user authenticates
                successfully.  Defaults to notice.

                See syslog_badpri for the list of supported syslog
                priorities.

sudoers_locale  Locale to use when parsing the sudoers file, logging
                commands, and sending email.  Note that changing the
                locale may affect how sudoers is interpreted.  Defaults
                to ``C''.

timestampdir    The directory in which sudo stores its time stamp
                files.  The default is /var/adm/sudo.

timestampowner  The owner of the time stamp directory and the time
                stamps stored therein.  The default is root.

type            The default SELinux type to use when constructing a new
                security context to run the command.  The default type
                may be overridden on a per-command basis in sudoers or
                via command line options.  This option is only
                available when sudo is built with SELinux support.

Strings that can be used in a boolean context:

env_file        The env_file option specifies the fully qualified path to a
                file containing variables to be set in the environment of
                the program being run.  Entries in this file should either
                be of the form ``VARIABLE=value'' or ``export
                VARIABLE=value''.  The value may optionally be surrounded
                by single or double quotes.  Variables in this file are
                subject to other sudo environment settings such as env_keep
                and env_check.

exempt_group    Users in this group are exempt from password and PATH
                requirements.  The group name specified should not include
                a % prefix.  This is not set by default.

group_plugin    A string containing a sudoers group plugin with optional
                arguments.  This can be used to implement support for the
                nonunix_group syntax described earlier.  The string should
                consist of the plugin path, either fully-qualified or
                relative to the /usr/local/libexec/sudo directory, followed
                by any configuration arguments the plugin requires.  These
                arguments (if any) will be passed to the plugin's
                initialization function.  If arguments are present, the
                string must be enclosed in double quotes ("").

                For example, given /etc/sudo-group, a group file in Unix
                group format, the sample group plugin can be used:

                    Defaults group_plugin="sample_group.so /etc/sudo-group"

                For more information see GROUP PROVIDER PLUGINS.

lecture         This option controls when a short lecture will be printed
                along with the password prompt.  It has the following
                possible values:

                Negating the option results in a value of never being used.
                The default value is once.

lecture_file    Path to a file containing an alternate sudo lecture that
                will be used in place of the standard lecture if the named
                file exists.  By default, sudo uses a built-in lecture.

listpw          This option controls when a password will be required when
                a user runs sudo with the -l option.  It has the following
                possible values:

                all     All the user's sudoers entries for the current host
                        must have the NOPASSWD flag set to avoid entering a
                        password.

                always  The user must always enter a password to use the -l
                        option.

                any     At least one of the user's sudoers entries for the
                        current host must have the NOPASSWD flag set to
                        avoid entering a password.

                never   The user need never enter a password to use the -l
                        option.

                If no value is specified, a value of any is implied.
                Negating the option results in a value of never being used.
                The default value is any.

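The four listpw values and the implied/negated forms of the Defaults line, worked as an added Python example (not sudoers' own code). The implied and negated values are parameters so the same evaluator can serve verifypw with its own defaults; treating a user with no matching entries as needing a password is an assumption made here.

```python
LISTPW_VALUES = ("all", "always", "any", "never")


def resolve_policy(token: str, implied: str = "any", negated: str = "never") -> str:
    """Turn a Defaults token such as listpw, !listpw or listpw=all into its value.

    A bare name yields the implied value (any for listpw), a negated name
    yields never, and an explicit value must be one of the four documented.
    """
    name, sep, value = token.partition("=")
    if name.startswith("!"):
        if sep:
            raise ValueError("a negated option takes no value")
        return negated
    if not sep:
        return implied
    if value not in LISTPW_VALUES:
        raise ValueError(f"unknown value {value!r}")
    return value


def password_required(policy: str, nopasswd_flags) -> bool:
    """True if sudo -l must prompt, given one NOPASSWD flag per entry that
    matches the user on the current host.

    Assumption: with no matching entries at all, all and any both prompt.
    """
    flags = list(nopasswd_flags)
    if policy == "always":
        return True
    if policy == "never":
        return False
    if not flags:
        return True
    if policy == "all":
        return not all(flags)      # every entry must carry NOPASSWD
    if policy == "any":
        return not any(flags)      # one NOPASSWD entry is enough
    raise ValueError(f"unknown value {policy!r}")


if __name__ == "__main__":
    # Constructed example: two entries on this host, only one of them NOPASSWD.
    entries = [False, True]
    for token in ("listpw", "!listpw", "listpw=all", "listpw=always"):
        print(token, "->", password_required(resolve_policy(token), entries))
```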
logfile         Path to the sudo log file (not the syslog log file).
                Setting a path turns on logging to a file; negating this
                option turns it off.  By default, sudo logs via syslog.

mailerflags     Flags to use when invoking mailer.  Defaults to -t.

mailerpath      Path to mail program used to send warning mail.  Defaults
                to the path to sendmail found at configure time.

mailfrom        Address to use for the ``from'' address when sending
                warning and error mail.  The address should be enclosed in
                double quotes ("") to protect against sudo interpreting the
                @ sign.  Defaults to the name of the user running sudo.

mailto          Address to send warning and error mail to.  The address
                should be enclosed in double quotes ("") to protect against
                sudo interpreting the @ sign.  Defaults to root.

secure_path     Path used for every command run from sudo.  If you don't
                trust the people running sudo to have a sane PATH
                environment variable you may want to use this.  Another use
                is if you want to have the ``root path'' be separate from
                the ``user path''.  Users in the group specified by the
                exempt_group option are not affected by secure_path.  This
                option is not set by default.

syslog          Syslog facility if syslog is being used for logging (negate
                to disable syslog logging).  Defaults to auth.

                The following syslog facilities are supported: authpriv (if
                your OS supports it), auth, daemon, user, local0, local1,
                local2, local3, local4, local5, local6, and local7.

verifypw        This option controls when a password will be required when
                a user runs sudo with the -v option.  It has the following
                possible values:

                Negating the option results in a value of never being used.
                The default value is all.

Lists that can be used in a boolean context:

env_check       Environment variables to be removed from the user's
                environment if the variable's value contains `%' or `/'
                characters.  This can be used to guard against printf-
                style format vulnerabilities in poorly-written
                programs.  The argument may be a double-quoted, space-

                env_check will be preserved in the environment if they
                pass the aforementioned check.  The default list of
                environment variables to check is displayed when sudo
                is run by root with the -V option.

env_delete      Environment variables to be removed from the user's
                environment when the env_reset option is not in effect.
                The argument may be a double-quoted, space-separated
                list or a single value without double-quotes.  The list
                can be replaced, added to, deleted from, or disabled by
                using the =, +=, -=, and ! operators respectively.  The
                default list of environment variables to remove is
                displayed when sudo is run by root with the -V option.
                Note that many operating systems will remove
                potentially dangerous variables from the environment of
                any setuid process (such as sudo).

env_keep Environment variables to be preserved in the user's | env_keep Environment variables to be preserved in the user's |
environment when the _e_n_v___r_e_s_e_t option is in effect. |
environment when the _e_n_v___r_e_s_e_t option is in effect. |
This allows fine-grained control over the environment |
This allows fine-grained control over the environment |
ssuuddoo-spawned processes will receive. The argument may |
ssuuddoo-spawned processes will receive. The argument may |
Line 1323 SSUUDDOOEERRSS OOPPTTIIOONNSS
|
Line 1642 SSUUDDOOEERRSS OOPPTTIIOONNSS
|
added to, deleted from, or disabled by using the =, +=, |
added to, deleted from, or disabled by using the =, +=, |
-=, and ! operators respectively. The default list of |
-=, and ! operators respectively. The default list of |
variables to keep is displayed when ssuuddoo is run by root |
variables to keep is displayed when ssuuddoo is run by root |
with the _-_V option. | with the --VV option. |
|
|
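     The following is an added example, not sudo's own code, that models how
     the three lists above combine with env_reset to decide which of the
     invoking user's variables reach the command, and how the =, +=, -= and !
     operators edit a list.  The list contents and the sample environment are
     constructed for the example and only loosely resemble sudo's built-in
     defaults (the real ones are what `sudo -V` prints as root); the model
     consults env_check before env_keep, which is the order sudo itself uses,
     so a variable on both lists whose value fails the check is dropped.

```python
import fnmatch
from typing import Dict, Iterable, List

# Lists constructed for this example (entries may be names or fnmatch-style
# patterns such as LC_*); the real lists are whatever `sudo -V` prints.
ENV_KEEP: List[str] = ["DISPLAY", "HOME", "LANG", "LC_*", "TERM"]
ENV_CHECK: List[str] = ["COLORTERM", "LANG", "LANGUAGE", "LC_*", "LINGUAS", "TERM", "TZ"]
ENV_DELETE: List[str] = ["IFS", "CDPATH", "LD_*", "BASH_ENV", "ENV", "PERLLIB", "PYTHONPATH"]

# Constructed sample environment of the invoking user.
SAMPLE_ENV: Dict[str, str] = {
    "HOME": "/home/alice",          # env_keep: kept although it contains '/'
    "DISPLAY": ":0",                # env_keep
    "TERM": "xterm",                # env_check, value passes
    "LANG": "en_US.UTF-8",          # env_check, value passes
    "TZ": "/etc/localtime",         # env_check, value fails ('/')
    "LC_TIME": "%s",                # on both lists; env_check wins, value fails ('%')
    "LD_PRELOAD": "/tmp/evil.so",   # env_delete (LD_*)
    "PYTHONPATH": "/tmp/x",         # env_delete
    "EDITOR": "vim",                # on no list at all
}


def _in_list(name: str, patterns: Iterable[str]) -> bool:
    return any(fnmatch.fnmatchcase(name, p) for p in patterns)


def passes_check(value: str) -> bool:
    """The env_check test: the value may contain neither '%' nor '/'."""
    return "%" not in value and "/" not in value


def apply_list_op(current: List[str], op: str, arg: str = "") -> List[str]:
    """Apply a `Defaults env_xxx <op> "<list>"` line: =, +=, -= or ! (disable)."""
    values = arg.split()            # the double-quoted, space-separated list
    if op == "=":
        return list(values)
    if op == "+=":
        return current + [v for v in values if v not in current]
    if op == "-=":
        return [v for v in current if v not in values]
    if op == "!":
        return []
    raise ValueError(f"unknown list operator {op!r}")


def sanitize(env: Dict[str, str], env_reset: bool = True,
             env_keep: Iterable[str] = ENV_KEEP,
             env_check: Iterable[str] = ENV_CHECK,
             env_delete: Iterable[str] = ENV_DELETE) -> Dict[str, str]:
    """Environment the command receives.  With env_reset only listed variables
    survive (env_check entries only if their value passes); without it everything
    survives except env_delete entries and env_check entries that fail."""
    out: Dict[str, str] = {}
    for name, value in env.items():
        if env_reset:
            if _in_list(name, env_check):
                keep = passes_check(value)
            else:
                keep = _in_list(name, env_keep)
        else:
            keep = not _in_list(name, env_delete) and (
                not _in_list(name, env_check) or passes_check(value))
        if keep:
            out[name] = value
    return out


if __name__ == "__main__":
    for mode in (True, False):
        print("env_reset" if mode else "no env_reset", sorted(sanitize(SAMPLE_ENV, mode)))
    print(apply_list_op(["HOME"], "+=", "DISPLAY HOME"))
```

     The EDITOR line shows the practical difference between the two modes:
     with env_reset an unlisted variable never reaches the command, without
     it anything not explicitly deleted or failing env_check does.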
|
GROUP PROVIDER PLUGINS
     The sudoers plugin supports its own plugin interface to allow non-Unix
     group lookups which can query a group source other than the standard Unix
     group database.  This can be used to implement support for the
     nonunix_group syntax described earlier.

     Group provider plugins are specified via the group_plugin Defaults
     setting.  The argument to group_plugin should consist of the plugin path,
     either fully-qualified or relative to the /usr/local/libexec/sudo
     directory, followed by any configuration options the plugin requires.
     These options (if specified) will be passed to the plugin's
     initialization function.  If options are present, the string must be
     enclosed in double quotes ("").

     The following group provider plugins are installed by default:

     group_file
            The group_file plugin supports an alternate group file that
            uses the same syntax as the /etc/group file.  The path to the
            group file should be specified as an option to the plugin.  For
            example, if the group file to be used is /etc/sudo-group:

                Defaults group_plugin="group_file.so /etc/sudo-group"

     system_group
            The system_group plugin supports group lookups via the standard
            C library functions getgrnam() and getgrgid().  This plugin can
            be used in instances where the user belongs to groups not
            present in the user's supplemental group vector.  This plugin
            takes no options:

                Defaults group_plugin=system_group.so

     The group provider plugin API is described in detail in sudo_plugin(1m).

LOG FORMAT
     sudoers can log events using either syslog(3) or a simple log file.  In
     each case the log format is almost identical.

   Accepted command log entries
     Commands that sudo runs are logged using the following format (split into
     multiple lines for readability):

         date hostname progname: username : TTY=ttyname ; PWD=cwd ; \
             USER=runasuser ; GROUP=runasgroup ; TSID=logid ; \
             ENV=env_vars COMMAND=command

     Where the fields are as follows:

     date         The date the command was run.  Typically, this is in the
                  format ``MMM, DD, HH:MM:SS''.  If logging via syslog(3),
                  the actual date format is controlled by the syslog daemon.
                  If logging to a file and the log_year option is enabled,
                  the date will also include the year.

     hostname     The name of the host sudo was run on.  This field is only
                  present when logging via syslog(3).

     progname     The name of the program, usually sudo or sudoedit.  This
                  field is only present when logging via syslog(3).

     username     The login name of the user who ran sudo.

     ttyname      The short name of the terminal (e.g. ``console'',
                  ``tty01'', or ``pts/0'') sudo was run on, or ``unknown'' if
                  there was no terminal present.

     cwd          The current working directory that sudo was run in.

     runasuser    The user the command was run as.

     runasgroup   The group the command was run as if one was specified on
                  the command line.

     logid        An I/O log identifier that can be used to replay the
                  command's output.  This is only present when the log_input
                  or log_output option is enabled.

     env_vars     A list of environment variables specified on the command
                  line, if specified.

     command      The actual command that was executed.

     Messages are logged using the locale specified by sudoers_locale, which
     defaults to the ``C'' locale.

   Denied command log entries
     If the user is not allowed to run the command, the reason for the denial
     will follow the user name.  Possible reasons include:

     user NOT in sudoers
         The user is not listed in the sudoers file.

     user NOT authorized on host
         The user is listed in the sudoers file but is not allowed to run
         commands on the host.

     command not allowed
         The user is listed in the sudoers file for the host but they are not
         allowed to run the specified command.

     3 incorrect password attempts
         The user failed to enter their password after 3 tries.  The actual
         number of tries will vary based on the number of failed attempts and
         the value of the passwd_tries option.

     a password is required
         sudo's -n option was specified but a password was required.

     sorry, you are not allowed to set the following environment variables
         The user specified environment variables on the command line that were
         not allowed by sudoers.

   Error log entries
     If an error occurs, sudoers will log a message and, in most cases, send a
     message to the administrator via email.  Possible errors include:

     parse error in /etc/sudoers near line N
         sudoers encountered an error when parsing the specified file.  In some
         cases, the actual error may be one line above or below the line number
         listed, depending on the type of error.

     problem with defaults entries
         The sudoers file contains one or more unknown Defaults settings.  This
         does not prevent sudo from running, but the sudoers file should be
         checked using visudo.

     timestamp owner (username): No such user
         The time stamp directory owner, as specified by the timestampowner
         setting, could not be found in the password database.

     unable to open/read /etc/sudoers
         The sudoers file could not be opened for reading.  This can happen
         when the sudoers file is located on a remote file system that maps
         user ID 0 to a different value.  Normally, sudoers tries to open
         sudoers using group permissions to avoid this problem.  Consider
         either changing the ownership of /etc/sudoers or adding an argument
         like ``sudoers_uid=N'' (where `N' is the user ID that owns the sudoers
         file) to the end of the sudoers Plugin line in the sudo.conf(4) file.

     unable to stat /etc/sudoers
         The /etc/sudoers file is missing.

     /etc/sudoers is not a regular file
         The /etc/sudoers file exists but is not a regular file or symbolic
         link.

     /etc/sudoers is owned by uid N, should be 0
         The sudoers file has the wrong owner.  If you wish to change the
         sudoers file owner, please add ``sudoers_uid=N'' (where `N' is the
         user ID that owns the sudoers file) to the sudoers Plugin line in the
         sudo.conf(4) file.

     /etc/sudoers is world writable
         The permissions on the sudoers file allow all users to write to it.
         The sudoers file must not be world-writable; the default file mode is
         0440 (readable by owner and group, writable by none).  The default
         mode may be changed via the ``sudoers_mode'' option to the sudoers
         Plugin line in the sudo.conf(4) file.

     /etc/sudoers is owned by gid N, should be 1
         The sudoers file has the wrong group ownership.  If you wish to change
         the sudoers file group ownership, please add ``sudoers_gid=N'' (where
         `N' is the group ID that owns the sudoers file) to the sudoers Plugin
         line in the sudo.conf(4) file.

     unable to open /var/adm/sudo/username/ttyname
         sudoers was unable to read or create the user's time stamp file.

     unable to write to /var/adm/sudo/username/ttyname
         sudoers was unable to write to the user's time stamp file.

     unable to mkdir to /var/adm/sudo/username
         sudoers was unable to create the user's time stamp directory.

   Notes on logging via syslog
     By default, sudoers logs messages via syslog(3).  The date, hostname, and
     progname fields are added by the syslog daemon, not sudoers itself.  As
     such, they may vary in format on different systems.

     On most systems, syslog(3) has a relatively small log buffer.  To prevent
     the command line arguments from being truncated, sudoers will split up
     log messages that are larger than 960 characters (not including the date,
     hostname, and the string ``sudo'').  When a message is split, additional
     parts will include the string ``(command continued)'' after the user name
     and before the continued command line arguments.

   Notes on logging to a file
     If the logfile option is set, sudoers will log to a local file, such as
     /var/log/sudo.  When logging to a file, sudoers uses a format similar to
     syslog(3), with a few important differences:

     1.  The progname and hostname fields are not present.

     2.  If the log_year option is enabled, the date will also include the
         year.

     3.  Lines that are longer than loglinelen characters (80 by default) are
         word-wrapped and continued on the next line with a four character
         indent.  This makes entries easier to read for a human being, but
         makes it more difficult to use grep(1) on the log files.  If the
         loglinelen option is set to 0 (or negated with a `!'), word wrap
         will be disabled.
|
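     A parser for the accepted, denied and ``(command continued)'' entries
     described above, as an added example for the detection side; it is not
     part of sudoers.  It accepts both the syslog form (hostname and progname
     present) and the logfile form (neither present, optional year after the
     time), splits COMMAND= off before breaking on `` ; '' so that a command
     line containing a semicolon is not mangled, and reattaches continuation
     parts to the same user's previous entry.  The sample log lines are
     constructed for the example; the assumption that a split message is
     rejoined with a single space follows from sudoers splitting on
     whitespace.

```python
import re
from collections import Counter
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple, Union

# date [hostname progname:] username : [reason ;] KEY=val ; ... [ENV=vars] COMMAND=cmd
# Syslog form carries 'hostname progname:'; the logfile form has ' :' there and
# may carry a year after the time when log_year is enabled.
_LINE_RE = re.compile(
    r"^(?P<date>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d(?: \d{4})?)"
    r"(?: (?P<host>\S+) (?P<prog>[^:\s]+):| :)"
    r" +(?P<user>\S+) : (?P<body>.*)$"
)
_CONTINUED = "(command continued) "

# Constructed sample entries (not real logs).
SAMPLE_SYSLOG = """\
Oct 14 07:56:34 db01 sudo: alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/systemctl restart postgresql
Oct 14 07:57:02 db01 sudo: mallory : command not allowed ; TTY=pts/1 ; PWD=/home/mallory ; USER=root ; COMMAND=/bin/bash
Oct 14 07:58:10 db01 sudo: carol : 3 incorrect password attempts ; TTY=pts/2 ; PWD=/home/carol ; USER=root ; COMMAND=/usr/bin/id
Oct 14 07:59:45 db01 sudo: alice : TTY=pts/0 ; PWD=/home/alice ; USER=oracle ; GROUP=dba ; TSID=000001 ; ENV=ORACLE_SID=prod COMMAND=/usr/bin/sqlplus -S
Oct 14 07:59:45 db01 sudo: alice : (command continued) /as sysdba
"""
SAMPLE_LOGFILE = "Oct 14 07:56:34 2013 : bob : TTY=pts/3 ; PWD=/ ; USER=root ; COMMAND=/usr/bin/id\n"


@dataclass
class SudoEvent:
    date: str
    hostname: Optional[str]
    progname: Optional[str]
    username: str
    reason: Optional[str]                                   # None for an accepted command
    fields: Dict[str, str] = field(default_factory=dict)   # TTY, PWD, USER, GROUP, TSID, ENV
    command: str = ""

    @property
    def accepted(self) -> bool:
        return self.reason is None


def parse_line(line: str) -> Union[SudoEvent, Tuple[str, str], None]:
    """A SudoEvent for a complete entry, (username, rest) for a continuation
    line, or None for a line that is not a sudoers entry at all."""
    m = _LINE_RE.match(line.rstrip("\n"))
    if not m:
        return None
    body = m.group("body")
    if body.startswith(_CONTINUED):
        return m.group("user"), body[len(_CONTINUED):]
    # COMMAND= is always last; split it off first because the command line
    # itself may legitimately contain ' ; '.
    head, _, command = body.partition(" COMMAND=")
    parts = head.rstrip(" ;").split(" ; ")
    reason = None
    if not re.match(r"[A-Z]+=", parts[0]):   # first item is a denial reason, not KEY=value
        reason = parts.pop(0)
    fields = dict(p.partition("=")[::2] for p in parts)
    return SudoEvent(m.group("date"), m.group("host"), m.group("prog"),
                     m.group("user"), reason, fields, command)


def parse_log(text: str) -> List[SudoEvent]:
    events: List[SudoEvent] = []
    for line in text.splitlines():
        item = parse_line(line)
        if isinstance(item, SudoEvent):
            events.append(item)
        elif item is not None:
            user, rest = item
            # Reattach continued arguments to that user's most recent entry
            # (assumes the split fell on whitespace, which is how sudoers splits).
            for ev in reversed(events):
                if ev.username == user:
                    ev.command = f"{ev.command} {rest}"
                    break
    return events


def denial_summary(events: List[SudoEvent]) -> Dict[str, int]:
    """Denied entries counted by reason; 'N incorrect password attempts' is one
    bucket because N depends on passwd_tries."""
    counts: Counter = Counter()
    for ev in events:
        if ev.reason is not None:
            key = ev.reason
            if key.endswith("incorrect password attempts"):
                key = "incorrect password attempts"
            counts[key] += 1
    return dict(counts)


if __name__ == "__main__":
    for ev in parse_log(SAMPLE_SYSLOG):
        print("ALLOW" if ev.accepted else f"DENY ({ev.reason})", ev.username, ev.command)
    print(denial_summary(parse_log(SAMPLE_SYSLOG)))
```

     Note that word-wrapped logfile lines (the loglinelen behaviour in item 3
     above) are not rejoined by this parser; set loglinelen to 0 if a log is
     meant to be machine-read.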
FILES
     /etc/sudo.conf            Sudo front end configuration
     /etc/sudoers              List of who can run what
     /etc/group                Local groups file
     /etc/netgroup             List of network groups
     /var/log/sudo-io          I/O log files
     /var/adm/sudo             Directory containing time stamps for the
                               sudoers security policy
     /etc/environment          Initial environment for -i mode on AIX and
                               Linux systems

|
EXAMPLES
     Below are example sudoers entries.  Admittedly, some of these are a bit
     contrived.  First, we allow a few environment variables to pass and then
     define our aliases:

         # Run X applications through sudo; HOME is used to find the
         # .Xauthority file.  Note that other programs use HOME to find
         # configuration files and this may lead to privilege escalation!
         Defaults env_keep += "DISPLAY HOME"

         # User alias specification
         User_Alias     FULLTIMERS = millert, mikef, dowdy
         User_Alias     PARTTIMERS = bostley, jwfox, crawl
         User_Alias     WEBMASTERS = will, wendy, wim

         # Runas alias specification
         Runas_Alias    OP = root, operator
         Runas_Alias    DB = oracle, sybase
         Runas_Alias    ADMINGRP = adm, oper

         # Host alias specification
         Host_Alias     SPARC = bigtime, eclipse, moet, anchor :\
                        SGI = grolsch, dandelion, black :\
                        ALPHA = widget, thalamus, foobar :\
                        HPPA = boa, nag, python
         Host_Alias     CUNETS = 128.138.0.0/255.255.0.0
         Host_Alias     CSNETS = 128.138.243.0, 128.138.204.0/24, 128.138.242.0
         Host_Alias     SERVERS = master, mail, www, ns
         Host_Alias     CDROM = orion, perseus, hercules

         # Cmnd alias specification
         Cmnd_Alias     DUMPS = /usr/bin/mt, /usr/sbin/dump, /usr/sbin/rdump,\
                                /usr/sbin/restore, /usr/sbin/rrestore,\
                                sha224:0GomF8mNN3wlDt1HD9XldjJ3SNgpFdbjO1+NsQ== \
                                /home/operator/bin/start_backups
         Cmnd_Alias     KILL = /usr/bin/kill
         Cmnd_Alias     PRINTING = /usr/sbin/lpc, /usr/bin/lprm
         Cmnd_Alias     SHUTDOWN = /usr/sbin/shutdown
         Cmnd_Alias     HALT = /usr/sbin/halt
         Cmnd_Alias     REBOOT = /usr/sbin/reboot
         Cmnd_Alias     SHELLS = /usr/bin/sh, /usr/bin/csh, /usr/bin/ksh,\
                                 /usr/local/bin/tcsh, /usr/bin/rsh,\
                                 /usr/local/bin/zsh
         Cmnd_Alias     SU = /usr/bin/su
         Cmnd_Alias     PAGERS = /usr/bin/more, /usr/bin/pg, /usr/bin/less

     Here we override some of the compiled in default values.  We want sudo to
     log via syslog(3) using the auth facility in all cases.  We don't want to
     subject the full time staff to the sudo lecture, user millert need not
     give a password, and we don't want to reset the LOGNAME, USER or USERNAME
     environment variables when running commands as root.  Additionally, on
     the machines in the SERVERS Host_Alias, we keep an additional local log
     file and make sure we log the year in each log line since the log entries
     will be kept around for several years.  Lastly, we disable shell escapes
     for the commands in the PAGERS Cmnd_Alias (/usr/bin/more, /usr/bin/pg and
     /usr/bin/less).  Note that this will not effectively constrain users with
     sudo ALL privileges.

         # Override built-in defaults
         Defaults               syslog=auth
         Defaults>root          !set_logname
         Defaults:FULLTIMERS    !lecture
         Defaults:millert       !authenticate
         Defaults@SERVERS       log_year, logfile=/var/log/sudo.log
         Defaults!PAGERS        noexec

     The User specification is the part that actually determines who may run
     what.

         root           ALL = (ALL) ALL
         %wheel         ALL = (ALL) ALL

     We let root and any user in group wheel run any command on any host as
     any user.

         FULLTIMERS     ALL = NOPASSWD: ALL

     Full time sysadmins (millert, mikef, and dowdy) may run any command on
     any host without authenticating themselves.

         PARTTIMERS     ALL = ALL

     Part time sysadmins (bostley, jwfox, and crawl) may run any command on any
     host but they must authenticate themselves first (since the entry lacks
     the NOPASSWD tag).

         jack           CSNETS = ALL

     The user jack may run any command on the machines in the CSNETS alias
     (the networks 128.138.243.0, 128.138.204.0, and 128.138.242.0).  Of those
     networks, only 128.138.204.0 has an explicit netmask (in CIDR notation)
     indicating it is a class C network.  For the other networks in CSNETS,
     the local machine's netmask will be used during matching.

         lisa           CUNETS = ALL

     The user lisa may run any command on any host in the CUNETS alias (the
     class B network 128.138.0.0).

         operator       ALL = DUMPS, KILL, SHUTDOWN, HALT, REBOOT, PRINTING,\
                        sudoedit /etc/printcap, /usr/oper/bin/

     The operator user may run commands limited to simple maintenance.  Here,
     those are commands related to backups, killing processes, the printing
     system, shutting down the system, and any commands in the directory
     /usr/oper/bin/.  Note that one command in the DUMPS Cmnd_Alias includes a
     sha224 digest, /home/operator/bin/start_backups.  This is because the
     directory containing the script is writable by the operator user.  If the
     script is modified (resulting in a digest mismatch) it will no longer be
     possible to run it via sudo.

         joe            ALL = /usr/bin/su operator

     The user joe may only su(1) to operator.

         pete           HPPA = /usr/bin/passwd [A-Za-z]*, !/usr/bin/passwd root

     The user pete is allowed to change anyone's password except for root on
     the HPPA machines.  Note that this assumes passwd(1) does not take
     multiple user names on the command line.

         %opers         ALL = (: ADMINGRP) /usr/sbin/

     Users in the opers group may run commands in /usr/sbin/ as themselves
     with any group in the ADMINGRP Runas_Alias (the adm and oper groups).

         bob            SPARC = (OP) ALL : SGI = (OP) ALL

     The user bob may run anything on the SPARC and SGI machines as any user
     listed in the OP Runas_Alias (root and operator).

         jim            +biglab = ALL

     The user jim may run any command on machines in the biglab netgroup.
     sudo knows that ``biglab'' is a netgroup due to the `+' prefix.

         +secretaries   ALL = PRINTING, /usr/bin/adduser, /usr/bin/rmuser

     Users in the secretaries netgroup need to help manage the printers as
     well as add and remove users, so they are allowed to run those commands
     on all machines.

         fred           ALL = (DB) NOPASSWD: ALL

     The user fred can run commands as any user in the DB Runas_Alias (oracle
     or sybase) without giving a password.

         john           ALPHA = /usr/bin/su [!-]*, !/usr/bin/su *root*

     On the ALPHA machines, user john may su to anyone except root but he is
     not allowed to specify any options to the su(1) command.

         jen            ALL, !SERVERS = ALL

     The user jen may run any command on any machine except for those in the
     SERVERS Host_Alias (master, mail, www and ns).

         jill           SERVERS = /usr/bin/, !SU, !SHELLS

     For any machine in the SERVERS Host_Alias, jill may run any commands in
     the directory /usr/bin/ except for those commands belonging to the SU and
     SHELLS Cmnd_Aliases.  While not specifically mentioned in the rule, the
     commands in the PAGERS Cmnd_Alias all reside in /usr/bin and have the
     noexec option set.

         steve          CSNETS = (operator) /usr/local/op_commands/

     The user steve may run any command in the directory
     /usr/local/op_commands/ but only as user operator.

         matt           valkyrie = KILL

     On his personal workstation, valkyrie, matt needs to be able to kill hung
     processes.

         WEBMASTERS     www = (www) ALL, (root) /usr/bin/su www

     On the host www, any user in the WEBMASTERS User_Alias (will, wendy, and
     wim), may run any command as user www (which owns the web pages) or
     simply su(1) to www.

         ALL            CDROM = NOPASSWD: /sbin/umount /CDROM,\
                        /sbin/mount -o nosuid\,nodev /dev/cd0a /CDROM

     Any user may mount or unmount a CD-ROM on the machines in the CDROM
     Host_Alias (orion, perseus, hercules) without entering a password.  This
     is a bit tedious for users to type, so it is a prime candidate for
     encapsulating in a shell script.

|
SECURITY NOTES
   Limitations of the `!' operator
     It is generally not effective to ``subtract'' commands from ALL using the
     `!' operator.  A user can trivially circumvent this by copying the
     desired command to a different name and then executing that.  For
     example:

         bill        ALL = ALL, !SU, !SHELLS

     Doesn't really prevent bill from running the commands listed in SU or
     SHELLS since he can simply copy those commands to a different name, or
     use a shell escape from an editor or other program.  Therefore, these
     kind of restrictions should be considered advisory at best (and
     reinforced by policy).

     In general, if a user has sudo ALL there is nothing to prevent them from
     creating their own program that gives them a root shell (or making their
     own copy of a shell) regardless of any `!' elements in the user
     specification.

   Security implications of fast_glob
     If the fast_glob option is in use, it is not possible to reliably negate
     commands where the path name includes globbing (aka wildcard) characters.
     This is because the C library's fnmatch(3) function cannot resolve
     relative paths.  While this is typically only an inconvenience for rules
     that grant privileges, it can result in a security issue for rules that
     subtract or revoke privileges.

     For example, given the following sudoers entry:

         john        ALL = /usr/bin/passwd [a-zA-Z0-9]*, /usr/bin/chsh [a-zA-Z0-9]*,\
                     /usr/bin/chfn [a-zA-Z0-9]*, !/usr/bin/* root

     User john can still run /usr/bin/passwd root if fast_glob is enabled by
     changing to /usr/bin and running ./passwd root instead.
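     The following added example (not sudo's own match code) models enough of
     sudoers command matching to reproduce both failure modes above: bill
     running a private copy of su past the `!' entries, and john's ./passwd
     root slipping past !/usr/bin/* root when fast_glob is set.  Cmnd_List
     entries are tested in order and the last match decides; a path with
     wildcard characters is compared with fnmatch(3) under fast_glob and with
     glob(3) expansion plus inode comparison otherwise.  The filesystem listing
     FS is constructed, inode comparison is approximated by comparing
     normalized absolute paths, and bill's SHELLS alias is shortened to
     /usr/bin/sh for the example.

```python
import fnmatch
import posixpath
from typing import List, Optional, Tuple

# Constructed stand-in for the filesystem: the paths glob(3) would find.
FS = ["/usr/bin/passwd", "/usr/bin/chsh", "/usr/bin/chfn", "/usr/bin/su",
      "/usr/bin/sh", "/usr/bin/vi", "/home/bill/su"]

# (negated, command pattern, args pattern or None when the entry has no args)
Rule = Tuple[bool, str, Optional[str]]


def has_meta(s: str) -> bool:
    return any(c in s for c in "*?[")


def fnmatch_pathname(name: str, pattern: str) -> bool:
    """fnmatch(3) with FNM_PATHNAME, which Python's fnmatch lacks: a wildcard
    never matches a '/', so the two sides must have the same number of components."""
    n, p = name.split("/"), pattern.split("/")
    return len(n) == len(p) and all(fnmatch.fnmatchcase(a, b) for a, b in zip(n, p))


def resolve(user_cmnd: str, cwd: str) -> str:
    """The file a typed command actually names.  sudo compares st_dev/st_ino;
    for this model a normalized absolute path stands in for the inode."""
    return posixpath.normpath(posixpath.join(cwd, user_cmnd))


def args_match(sudoers_args: Optional[str], user_args: str) -> bool:
    # No args in sudoers: any args are accepted.  "" in sudoers: only no args.
    if sudoers_args is None:
        return True
    return fnmatch.fnmatchcase(user_args, sudoers_args)


def command_matches(rule: Rule, user_cmnd: str, user_args: str,
                    cwd: str, fast_glob: bool) -> bool:
    _, sudoers_cmnd, sudoers_args = rule
    if sudoers_cmnd == "ALL":
        return True
    if has_meta(sudoers_cmnd):
        if fast_glob:
            # fnmatch(3) on the string as typed: a relative path is never
            # resolved, so './passwd' cannot match '/usr/bin/*'.
            path_ok = fnmatch_pathname(user_cmnd, sudoers_cmnd)
        else:
            # glob(3) expansion, then compare the expanded files with the one
            # the user's command really refers to.
            target = resolve(user_cmnd, cwd)
            path_ok = any(p == target and fnmatch_pathname(p, sudoers_cmnd) for p in FS)
    else:
        path_ok = resolve(user_cmnd, cwd) == sudoers_cmnd
    return path_ok and args_match(sudoers_args, user_args)


def allowed(rules: List[Rule], user_cmnd: str, user_args: str,
            cwd: str, fast_glob: bool = False) -> bool:
    """Cmnd_List semantics: every entry is tested and the last one that
    matches decides; a matching '!' entry denies."""
    verdict = False
    for rule in rules:
        if command_matches(rule, user_cmnd, user_args, cwd, fast_glob):
            verdict = not rule[0]
    return verdict


# The two user specifications discussed in this section.
JOHN: List[Rule] = [(False, "/usr/bin/passwd", "[a-zA-Z0-9]*"),
                    (False, "/usr/bin/chsh", "[a-zA-Z0-9]*"),
                    (False, "/usr/bin/chfn", "[a-zA-Z0-9]*"),
                    (True, "/usr/bin/*", "root")]
BILL: List[Rule] = [(False, "ALL", None),
                    (True, "/usr/bin/su", None),      # !SU
                    (True, "/usr/bin/sh", None)]      # !SHELLS, shortened

if __name__ == "__main__":
    print("john ./passwd root, fast_glob:", allowed(JOHN, "./passwd", "root", "/usr/bin", True))
    print("john ./passwd root, glob:     ", allowed(JOHN, "./passwd", "root", "/usr/bin", False))
    print("bill /usr/bin/su:             ", allowed(BILL, "/usr/bin/su", "", "/home/bill"))
    print("bill copy of su:              ", allowed(BILL, "/home/bill/su", "", "/home/bill"))
```

     The bill case is unfixable by matching alone, which is why the text calls
     such rules advisory; the john case is specific to fast_glob, and the
     check to make is that no `!' entry in a sudoers file contains wildcard
     characters while fast_glob is enabled.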

   Preventing shell escapes
     Once sudo executes a program, that program is free to do whatever it
     pleases, including run other programs.  This can be a security issue
     since it is not uncommon for a program to allow shell escapes, which lets
     a user bypass sudo's access control and logging.  Common programs that
     permit shell escapes include shells (obviously), editors, paginators,
     mail and terminal programs.

     There are two basic approaches to this problem:

     restrict   Avoid giving users access to commands that allow the user to
                run arbitrary commands.  Many editors have a restricted mode
                where shell escapes are disabled, though sudoedit is a better
                solution to running editors via sudo.  Due to the large number
                of programs that offer shell escapes, restricting users to the
                set of programs that do not is often unworkable.

     noexec     Many systems that support shared libraries have the ability to
                override default library functions by pointing an environment
                variable (usually LD_PRELOAD) to an alternate shared library.
                On such systems, sudo's noexec functionality can be used to
                prevent a program run by sudo from executing any other
                programs.  Note, however, that this applies only to native
                dynamically-linked executables.  Statically-linked executables
                and foreign executables running under binary emulation are not
                affected.

                The noexec feature is known to work on SunOS, Solaris, *BSD,
                Linux, IRIX, Tru64 UNIX, MacOS X, HP-UX 11.x and AIX 5.3 and
                above.  It should be supported on most operating systems that
                support the LD_PRELOAD environment variable.  Check your
                operating system's manual pages for the dynamic linker (usually
                ld.so, ld.so.1, dyld, dld.sl, rld, or loader) to see if
                LD_PRELOAD is supported.

                On Solaris 10 and higher, noexec uses Solaris privileges
                instead of the LD_PRELOAD environment variable.

                To enable noexec for a command, use the NOEXEC tag as
                documented in the User Specification section above.  Here is
                that example again:
|
|
aaron shanty = NOEXEC: /usr/bin/more, /usr/bin/vi | To enable _n_o_e_x_e_c for a command, use the NOEXEC tag as |
| documented in the User Specification section above. Here is |
| that example again: |
|
|
This allows user aaaarroonn to run _/_u_s_r_/_b_i_n_/_m_o_r_e and _/_u_s_r_/_b_i_n_/_v_i | aaron shanty = NOEXEC: /usr/bin/more, /usr/bin/vi |
with _n_o_e_x_e_c enabled. This will prevent those two commands | |
from executing other commands (such as a shell). If you are | |
unsure whether or not your system is capable of supporting | |
_n_o_e_x_e_c you can always just try it out and check whether shell | |
escapes work when _n_o_e_x_e_c is enabled. | |
|
|
Note that restricting shell escapes is not a panacea. Programs running | This allows user aaaarroonn to run _/_u_s_r_/_b_i_n_/_m_o_r_e and _/_u_s_r_/_b_i_n_/_v_i |
as root are still capable of many potentially hazardous operations | with _n_o_e_x_e_c enabled. This will prevent those two commands from |
(such as changing or overwriting files) that could lead to unintended | executing other commands (such as a shell). If you are unsure |
privilege escalation. In the specific case of an editor, a safer | whether or not your system is capable of supporting _n_o_e_x_e_c you |
approach is to give the user permission to run ssuuddooeeddiitt. | can always just try it out and check whether shell escapes work |
| when _n_o_e_x_e_c is enabled. |
|
|
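As an added example (not part of this manual or of the sudo project), the following Python audit walks a sudoers file and reports commands from the program classes named above that are granted without the NOEXEC tag, as well as commands granted as ALL. The program-name set and the sample sudoers are constructed here, and the parser handles only the simple one-spec-per-line form without aliases or includes.

```python
import os
import re

# Program classes the manual names as commonly offering shell escapes; the
# concrete names below are a constructed, illustrative set, not exhaustive.
SHELL_ESCAPE_CAPABLE = {
    "sh", "bash", "ksh", "csh", "zsh",          # shells
    "vi", "vim", "ex", "emacs", "nano",         # editors
    "more", "less", "pg",                       # paginators
    "mail", "mailx", "mutt", "screen", "xterm", # mail and terminal programs
}
USER_SPEC = re.compile(r"^(\S+)\s+(\S+)\s*=\s*(.*)$")
TAG = re.compile(r"^(NOEXEC|EXEC|NOPASSWD|PASSWD|SETENV|NOSETENV|"
                 r"LOG_INPUT|NOLOG_INPUT|LOG_OUTPUT|NOLOG_OUTPUT):\s*")

def audit_sudoers(text):
    """Return (user, host, command) for every command that is ALL or a
    shell-escape-capable program granted without NOEXEC. Simplification:
    one 'user host = cmds' spec per line, no aliases or includes."""
    findings = []
    for raw in text.splitlines():
        m = USER_SPEC.match(raw.split("#", 1)[0].strip())
        if not m or m.group(1).startswith("Defaults") or m.group(1).endswith("_Alias"):
            continue
        user, host, cmnd_list = m.groups()
        noexec = False  # a tag carries over to later commands in the same list
        for item in cmnd_list.split(","):
            item = re.sub(r"^\([^)]*\)\s*", "", item.strip())  # drop (runas)
            while (tag := TAG.match(item)):
                if tag.group(1) in ("NOEXEC", "EXEC"):
                    noexec = tag.group(1) == "NOEXEC"
                item = item[tag.end():]
            if item == "ALL":
                findings.append((user, host, "ALL"))
            elif (item and not noexec
                  and os.path.basename(item.split()[0]) in SHELL_ESCAPE_CAPABLE):
                findings.append((user, host, item))
    return findings

# Constructed sample sudoers, seeded with the manual's aaron example.
SAMPLE_SUDOERS = """\
aaron shanty = NOEXEC: /usr/bin/more, /usr/bin/vi
bob   ALL = /usr/bin/less, NOEXEC: /usr/bin/vi
carol ALL = (root) NOPASSWD: /usr/bin/vim -R, /sbin/reboot
dave  ALL = NOEXEC: /usr/bin/more, EXEC: /usr/bin/vi
erin  ALL = ALL
"""
if __name__ == "__main__":
    for user, host, cmnd in audit_sudoers(SAMPLE_SUDOERS):
        print("%s on %s: review %s (no NOEXEC)" % (user, host, cmnd))
```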
SECURITY NOTES
Time stamp file checks
sudoers will check the ownership of its time stamp directory (/var/adm/sudo by default) and ignore the directory's contents if it is not owned by root or if it is writable by a user other than root. On systems that allow non-root users to give away files via chown(2), if the time stamp directory is located in a world-writable directory (e.g., /tmp), it is possible for a user to create the time stamp directory before sudo is run. However, because sudoers checks the ownership and mode of the directory and its contents, the only damage that can be done is to "hide" files by putting them in the time stamp dir. This is unlikely to happen since once the time stamp dir is owned by root and inaccessible by any other user, the user placing files there would be unable to get them back out.

sudoers will not honor time stamps set far in the future. Time stamps with a date greater than current_time + 2 * TIMEOUT will be ignored and sudo will log and complain. This is done to keep a user from creating his/her own time stamp with a bogus date on systems that allow users to give away files if the time stamp directory is located in a world-writable directory.

On systems where the boot time is available, sudoers will ignore time stamps that date from before the machine booted.

Since time stamp files live in the file system, they can outlive a user's login session. As a result, a user may be able to log in, run a command with sudo after authenticating, log out, log in again, and run sudo without authenticating so long as the time stamp file's modification time is within 5 minutes (or whatever the timeout is set to in sudoers). When the tty_tickets option is enabled, the time stamp has per-tty granularity but still may outlive the user's session. On Linux systems where the devpts filesystem is used, Solaris systems with the devices filesystem, as well as other systems that utilize a devfs filesystem that monotonically increases the inode number of devices as they are created (such as Mac OS X), sudoers is able to determine when a tty-based time stamp file is stale and will ignore it. Administrators should not rely on this feature as it is not universally available.

If users have sudo ALL there is nothing to prevent them from creating their own program that gives them a root shell (or making their own copy of a shell) regardless of any '!' elements in the user specification.


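As an added illustration of the time stamp checks in this section (example code, not sudo's own), the following Python encodes the ownership, mode, future-date, boot-time and timeout rules as one decision function over constructed stat-like records; the order of the checks and the reason strings are this example's own.

```python
import stat
from collections import namedtuple

# Constructed stand-in for the stat(2) fields sudoers inspects (not sudo's code).
Entry = namedtuple("Entry", "uid mode mtime")

GROUP_OR_OTHER_WRITE = stat.S_IWGRP | stat.S_IWOTH

def trusted(entry):
    """Root-owned and not writable by anyone but root, as required of the
    time stamp directory and of the files inside it."""
    return entry.uid == 0 and not (entry.mode & GROUP_OR_OTHER_WRITE)

def timestamp_decision(dir_entry, file_entry, now, timeout, boot_time=None):
    """Decide whether a cached time stamp lets the user skip authentication.

    now, timeout (timestamp_timeout, 5 minutes by default) and boot_time are
    in seconds. Returns (honoured, reason)."""
    if not trusted(dir_entry):
        return False, "time stamp directory not owned by root or writable: ignored"
    if not trusted(file_entry):
        return False, "time stamp file not owned by root or writable: ignored"
    if file_entry.mtime > now + 2 * timeout:
        return False, "time stamp too far in the future: ignored and logged"
    if boot_time is not None and file_entry.mtime < boot_time:
        return False, "time stamp predates boot: ignored"
    if now - file_entry.mtime > timeout:
        return False, "time stamp older than timeout: password required"
    return True, "time stamp honoured: no password required"

# Constructed scenario values.
NOW, TIMEOUT = 1_000_000, 5 * 60
ROOT_DIR = Entry(uid=0, mode=stat.S_IFDIR | 0o700, mtime=NOW - 3600)
FRESH_STAMP = Entry(uid=0, mode=stat.S_IFREG | 0o600, mtime=NOW - 60)

if __name__ == "__main__":
    print(timestamp_decision(ROOT_DIR, FRESH_STAMP, NOW, TIMEOUT))
```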
DEBUGGING
Versions 1.8.4 and higher of the sudoers plugin support a flexible debugging framework that can help track down what the plugin is doing internally if there is a problem. This can be configured in the sudo.conf(4) file.

The sudoers plugin uses the same debug flag format as the sudo front-end: subsystem@priority.

The priorities used by sudoers, in order of decreasing severity, are: crit, err, warn, notice, diag, info, trace and debug. Each priority, when specified, also includes all priorities higher than it. For example, a priority of notice would include debug messages logged at notice and higher.

The following subsystems are used by the sudoers plugin:

alias     User_Alias, Runas_Alias, Host_Alias and Cmnd_Alias processing
all       matches every subsystem
audit     BSM and Linux audit code
auth      user authentication
defaults  sudoers Defaults settings
env       environment handling
ldap      LDAP-based sudoers
logging   logging support
match     matching of users, groups, hosts and netgroups in sudoers
netif     network interface handling
nss       network service switch handling in sudoers
parser    sudoers file parsing
perms     permission setting
plugin    the equivalent of main for the plugin
pty       pseudo-tty related code
rbtree    red-black tree internals
util      utility functions

For example:

    Debug sudo /var/log/sudo_debug match@info,nss@info

For more information, see the sudo.conf(4) manual.


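The filter this section describes, as an added example in Python (not sudo's code): it parses a sudo.conf Debug line such as the one above and answers whether a message at a given subsystem and priority would be logged. How overlapping entries combine (a repeated subsystem, or all@ beside a specific subsystem) is not specified here and is an assumption of this example.

```python
# Priorities in order of decreasing severity, as listed in DEBUGGING.
PRIORITIES = ("crit", "err", "warn", "notice", "diag", "info", "trace", "debug")

SUBSYSTEMS = frozenset((
    "alias", "all", "audit", "auth", "defaults", "env", "ldap", "logging",
    "match", "netif", "nss", "parser", "perms", "plugin", "pty", "rbtree", "util",
))

def parse_debug_flags(flags):
    """Turn 'subsystem@priority,...' into {subsystem: priority index}.
    Assumption (not stated on the page): a repeated subsystem keeps its last setting."""
    enabled = {}
    for spec in flags.split(","):
        subsystem, sep, priority = spec.strip().partition("@")
        if not sep or subsystem not in SUBSYSTEMS or priority not in PRIORITIES:
            raise ValueError("malformed debug flag: %r" % spec)
        enabled[subsystem] = PRIORITIES.index(priority)
    return enabled

def would_log(enabled, subsystem, priority):
    """True if a message at (subsystem, priority) passes the filter. A priority
    includes every more severe priority (lower index) and 'all' matches every
    subsystem. Assumption: a per-subsystem entry takes precedence over 'all'."""
    if subsystem not in SUBSYSTEMS or priority not in PRIORITIES:
        raise ValueError("unknown subsystem or priority")
    threshold = enabled.get(subsystem, enabled.get("all"))
    return threshold is not None and PRIORITIES.index(priority) <= threshold

def parse_debug_line(line):
    """Split a sudo.conf 'Debug <program> <logfile> <flags>' line."""
    fields = line.split()
    if len(fields) != 4 or fields[0] != "Debug":
        raise ValueError("not a Debug line: %r" % line)
    return fields[1], fields[2], parse_debug_flags(fields[3])

if __name__ == "__main__":
    prog, logfile, flags = parse_debug_line(
        "Debug sudo /var/log/sudo_debug match@info,nss@info")
    print(prog, logfile, would_log(flags, "match", "warn"), would_log(flags, "match", "trace"))
```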
SEE ALSO
rsh(1), su(1), fnmatch(3), glob(3), mktemp(3), strftime(3), sudoers.ldap(4), sudo_plugin(1m), sudo(1m), visudo(1m) | ssh(1), su(1), fnmatch(3), glob(3), mktemp(3), strftime(3), sudo.conf(4), sudoers.ldap(4), sudo_plugin(1m), sudo(1m), visudo(1m)

CAVEATS
The sudoers file should always be edited by the visudo command which locks the file and does grammatical checking. It is imperative that sudoers be free of syntax errors since sudo will not run with a syntactically incorrect sudoers file.

When using netgroups of machines (as opposed to users), if you store fully qualified host names in the netgroup (as is usually the case), you either need to have the machine's host name be fully qualified as returned by the hostname command or use the fqdn option in sudoers.

BUGS
If you feel you have found a bug in sudo, please submit a bug report at http://www.sudo.ws/sudo/bugs/

SUPPORT
Limited free support is available via the sudo-users mailing list, see http://www.sudo.ws/mailman/listinfo/sudo-users to subscribe or search the archives.

DISCLAIMER
sudo is provided "AS IS" and any express or implied warranties, including, but not limited to, the implied warranties of merchantability and fitness for a particular purpose are disclaimed. See the LICENSE file distributed with sudo or http://www.sudo.ws/sudo/license.html for complete details.

1.8.3 September 16, 2011 SUDOERS(4) | Sudo 1.8.8 August 31, 2013 Sudo 1.8.8