|
version 1.1.1.2, 2012/05/29 12:26:49
|
version 1.1.1.3, 2012/10/09 09:29:52
|
|
Line 1
|
Line 1
|
| SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) | SUDOERS(4) Programmer's Manual SUDOERS(4) |
| |
|
| |
|
| |
|
| N�NA�AM�ME�E |
N�NA�AM�ME�E |
| sudoers - default sudo security policy module | s�su�ud�do�oe�er�rs�s - default sudo security policy module |
| |
|
| D�DE�ES�SC�CR�RI�IP�PT�TI�IO�ON�N |
D�DE�ES�SC�CR�RI�IP�PT�TI�IO�ON�N |
| The _�s_�u_�d_�o_�e_�r_�s policy module determines a user's s�su�ud�do�o privileges. It is | The _�s_�u_�d_�o_�e_�r_�s policy module determines a user's s�su�ud�do�o privileges. It is the |
| the default s�su�ud�do�o policy plugin. The policy is driven by the | default s�su�ud�do�o policy plugin. The policy is driven by the _�/_�e_�t_�c_�/_�s_�u_�d_�o_�e_�r_�s |
| _�/_�e_�t_�c_�/_�s_�u_�d_�o_�e_�r_�s file or, optionally in LDAP. The policy format is | file or, optionally in LDAP. The policy format is described in detail in |
| described in detail in the "SUDOERS FILE FORMAT" section. For | the _�S_�U_�D_�O_�E_�R_�S _�F_�I_�L_�E _�F_�O_�R_�M_�A_�T section. For information on storing _�s_�u_�d_�o_�e_�r_�s |
| information on storing _�s_�u_�d_�o_�e_�r_�s policy information in LDAP, please see | policy information in LDAP, please see sudoers.ldap(4). |
| _�s_�u_�d_�o_�e_�r_�s_�._�l_�d_�a_�p(4). | |
| |
|
| A�Au�ut�th�he�en�nt�ti�ic�ca�at�ti�io�on�n a�an�nd�d L�Lo�og�gg�gi�in�ng�g | A�Au�ut�th�he�en�nt�ti�ic�ca�at�ti�io�on�n a�an�nd�d l�lo�og�gg�gi�in�ng�g |
| The _�s_�u_�d_�o_�e_�r_�s security policy requires that most users authenticate | The _�s_�u_�d_�o_�e_�r_�s security policy requires that most users authenticate |
| themselves before they can use s�su�ud�do�o. A password is not required if the | themselves before they can use s�su�ud�do�o. A password is not required if the |
| invoking user is root, if the target user is the same as the invoking | invoking user is root, if the target user is the same as the invoking |
| user, or if the policy has disabled authentication for the user or | user, or if the policy has disabled authentication for the user or |
| command. Unlike _�s_�u(1), when _�s_�u_�d_�o_�e_�r_�s requires authentication, it | command. Unlike su(1), when _�s_�u_�d_�o_�e_�r_�s requires authentication, it |
| validates the invoking user's credentials, not the target user's (or | validates the invoking user's credentials, not the target user's (or |
| root's) credentials. This can be changed via the _�r_�o_�o_�t_�p_�w, _�t_�a_�r_�g_�e_�t_�p_�w and | root's) credentials. This can be changed via the _�r_�o_�o_�t_�p_�w, _�t_�a_�r_�g_�e_�t_�p_�w and |
| _�r_�u_�n_�a_�s_�p_�w flags, described later. | _�r_�u_�n_�a_�s_�p_�w flags, described later. |
| |
|
| If a user who is not listed in the policy tries to run a command via | If a user who is not listed in the policy tries to run a command via |
| s�su�ud�do�o, mail is sent to the proper authorities. The address used for | s�su�ud�do�o, mail is sent to the proper authorities. The address used for such |
| such mail is configurable via the _�m_�a_�i_�l_�t_�o Defaults entry (described | mail is configurable via the _�m_�a_�i_�l_�t_�o Defaults entry (described later) and |
| later) and defaults to root. | defaults to root. |
| |
|
| Note that mail will not be sent if an unauthorized user tries to run | Note that mail will not be sent if an unauthorized user tries to run s�su�ud�do�o |
| s�su�ud�do�o with the -�-l�l or -�-v�v option. This allows users to determine for | with the -�-l�l or -�-v�v option. This allows users to determine for themselves |
| themselves whether or not they are allowed to use s�su�ud�do�o. | whether or not they are allowed to use s�su�ud�do�o. |
| |
|
| If s�su�ud�do�o is run by root and the SUDO_USER environment variable is set, | If s�su�ud�do�o is run by root and the SUDO_USER environment variable is set, the |
| the _�s_�u_�d_�o_�e_�r_�s policy will use this value to determine who the actual user | _�s_�u_�d_�o_�e_�r_�s policy will use this value to determine who the actual user is. |
| is. This can be used by a user to log commands through sudo even when | This can be used by a user to log commands through sudo even when a root |
| a root shell has been invoked. It also allows the -�-e�e option to remain | shell has been invoked. It also allows the -�-e�e option to remain useful |
| useful even when invoked via a sudo-run script or program. Note, | even when invoked via a sudo-run script or program. Note, however, that |
| however, that the _�s_�u_�d_�o_�e_�r_�s lookup is still done for root, not the user | the _�s_�u_�d_�o_�e_�r_�s lookup is still done for root, not the user specified by |
| specified by SUDO_USER. | SUDO_USER. |
| |
|
| _�s_�u_�d_�o_�e_�r_�s uses time stamp files for credential caching. Once a user has | _�s_�u_�d_�o_�e_�r_�s uses time stamp files for credential caching. Once a user has |
| been authenticated, a time stamp is updated and the user may then use | been authenticated, the time stamp is updated and the user may then use |
| sudo without a password for a short period of time (5 minutes unless | sudo without a password for a short period of time (5 minutes unless |
| overridden by the _�t_�i_�m_�e_�o_�u_�t option. By default, _�s_�u_�d_�o_�e_�r_�s uses a tty-based | overridden by the _�t_�i_�m_�e_�o_�u_�t option). By default, _�s_�u_�d_�o_�e_�r_�s uses a tty-based |
| time stamp which means that there is a separate time stamp for each of | time stamp which means that there is a separate time stamp for each of a |
| a user's login sessions. The _�t_�t_�y_�__�t_�i_�c_�k_�e_�t_�s option can be disabled to | user's login sessions. The _�t_�t_�y_�__�t_�i_�c_�k_�e_�t_�s option can be disabled to force |
| force the use of a single time stamp for all of a user's sessions. | the use of a single time stamp for all of a user's sessions. |
| |
|
| _�s_�u_�d_�o_�e_�r_�s can log both successful and unsuccessful attempts (as well as | _�s_�u_�d_�o_�e_�r_�s can log both successful and unsuccessful attempts (as well as |
| errors) to _�s_�y_�s_�l_�o_�g(3), a log file, or both. By default, _�s_�u_�d_�o_�e_�r_�s will | errors) to syslog(3), a log file, or both. By default, _�s_�u_�d_�o_�e_�r_�s will log |
| log via _�s_�y_�s_�l_�o_�g(3) but this is changeable via the _�s_�y_�s_�l_�o_�g and _�l_�o_�g_�f_�i_�l_�e | via syslog(3) but this is changeable via the _�s_�y_�s_�l_�o_�g and _�l_�o_�g_�f_�i_�l_�e Defaults |
| Defaults settings. | settings. |
| |
|
| _�s_�u_�d_�o_�e_�r_�s also supports logging a command's input and output streams. | _�s_�u_�d_�o_�e_�r_�s also supports logging a command's input and output streams. I/O |
| I/O logging is not on by default but can be enabled using the _�l_�o_�g_�__�i_�n_�p_�u_�t | logging is not on by default but can be enabled using the _�l_�o_�g_�__�i_�n_�p_�u_�t and |
| and _�l_�o_�g_�__�o_�u_�t_�p_�u_�t Defaults flags as well as the LOG_INPUT and LOG_OUTPUT | _�l_�o_�g_�__�o_�u_�t_�p_�u_�t Defaults flags as well as the LOG_INPUT and LOG_OUTPUT command |
| command tags. | tags. |
| |
|
| C�Co�om�mm�ma�an�nd�d E�En�nv�vi�ir�ro�on�nm�me�en�nt�t | C�Co�om�mm�ma�an�nd�d e�en�nv�vi�ir�ro�on�nm�me�en�nt�t |
| Since environment variables can influence program behavior, _�s_�u_�d_�o_�e_�r_�s | Since environment variables can influence program behavior, _�s_�u_�d_�o_�e_�r_�s |
| provides a means to restrict which variables from the user's | provides a means to restrict which variables from the user's environment |
| environment are inherited by the command to be run. There are two | are inherited by the command to be run. There are two distinct ways |
| distinct ways _�s_�u_�d_�o_�e_�r_�s can deal with environment variables. | _�s_�u_�d_�o_�e_�r_�s can deal with environment variables. |
| |
|
| By default, the _�e_�n_�v_�__�r_�e_�s_�e_�t option is enabled. This causes commands to | By default, the _�e_�n_�v_�__�r_�e_�s_�e_�t option is enabled. This causes commands to be |
| be executed with a new, minimal environment. On AIX (and Linux systems | executed with a new, minimal environment. On AIX (and Linux systems |
| without PAM), the environment is initialized with the contents of the | without PAM), the environment is initialized with the contents of the |
| _�/_�e_�t_�c_�/_�e_�n_�v_�i_�r_�o_�n_�m_�e_�n_�t file. On BSD systems, if the _�u_�s_�e_�__�l_�o_�g_�i_�n_�c_�l_�a_�s_�s option is | _�/_�e_�t_�c_�/_�e_�n_�v_�i_�r_�o_�n_�m_�e_�n_�t file. On BSD systems, if the _�u_�s_�e_�__�l_�o_�g_�i_�n_�c_�l_�a_�s_�s option is |
| enabled, the environment is initialized based on the _�p_�a_�t_�h and _�s_�e_�t_�e_�n_�v | enabled, the environment is initialized based on the _�p_�a_�t_�h and _�s_�e_�t_�e_�n_�v |
| settings in _�/_�e_�t_�c_�/_�l_�o_�g_�i_�n_�._�c_�o_�n_�f. The new environment contains the TERM, | settings in _�/_�e_�t_�c_�/_�l_�o_�g_�i_�n_�._�c_�o_�n_�f. The new environment contains the TERM, |
| PATH, HOME, MAIL, SHELL, LOGNAME, USER, USERNAME and SUDO_* variables | PATH, HOME, MAIL, SHELL, LOGNAME, USER, USERNAME and SUDO_* variables in |
| in addition to variables from the invoking process permitted by the | addition to variables from the invoking process permitted by the |
| _�e_�n_�v_�__�c_�h_�e_�c_�k and _�e_�n_�v_�__�k_�e_�e_�p options. This is effectively a whitelist for | _�e_�n_�v_�__�c_�h_�e_�c_�k and _�e_�n_�v_�__�k_�e_�e_�p options. This is effectively a whitelist for |
| environment variables. | environment variables. |
| |
|
| If, however, the _�e_�n_�v_�__�r_�e_�s_�e_�t option is disabled, any variables not | If, however, the _�e_�n_�v_�__�r_�e_�s_�e_�t option is disabled, any variables not |
| explicitly denied by the _�e_�n_�v_�__�c_�h_�e_�c_�k and _�e_�n_�v_�__�d_�e_�l_�e_�t_�e options are inherited | explicitly denied by the _�e_�n_�v_�__�c_�h_�e_�c_�k and _�e_�n_�v_�__�d_�e_�l_�e_�t_�e options are inherited |
| from the invoking process. In this case, _�e_�n_�v_�__�c_�h_�e_�c_�k and _�e_�n_�v_�__�d_�e_�l_�e_�t_�e | from the invoking process. In this case, _�e_�n_�v_�__�c_�h_�e_�c_�k and _�e_�n_�v_�__�d_�e_�l_�e_�t_�e behave |
| behave like a blacklist. Since it is not possible to blacklist all | like a blacklist. Since it is not possible to blacklist all potentially |
| potentially dangerous environment variables, use of the default | dangerous environment variables, use of the default _�e_�n_�v_�__�r_�e_�s_�e_�t behavior is |
| _�e_�n_�v_�__�r_�e_�s_�e_�t behavior is encouraged. | encouraged. |
| |
|
| In all cases, environment variables with a value beginning with () are | In all cases, environment variables with a value beginning with () are |
| removed as they could be interpreted as b�ba�as�sh�h functions. The list of | removed as they could be interpreted as b�ba�as�sh�h functions. The list of |
| environment variables that s�su�ud�do�o allows or denies is contained in the | environment variables that s�su�ud�do�o allows or denies is contained in the |
| output of sudo -V when run as root. | output of ``sudo -V'' when run as root. |
| |
|
| Note that the dynamic linker on most operating systems will remove | Note that the dynamic linker on most operating systems will remove |
| variables that can control dynamic linking from the environment of | variables that can control dynamic linking from the environment of setuid |
| setuid executables, including s�su�ud�do�o. Depending on the operating system | executables, including s�su�ud�do�o. Depending on the operating system this may |
| this may include _RLD*, DYLD_*, LD_*, LDR_*, LIBPATH, SHLIB_PATH, and | include _RLD*, DYLD_*, LD_*, LDR_*, LIBPATH, SHLIB_PATH, and others. |
| others. These type of variables are removed from the environment | These type of variables are removed from the environment before s�su�ud�do�o even |
| before s�su�ud�do�o even begins execution and, as such, it is not possible for | begins execution and, as such, it is not possible for s�su�ud�do�o to preserve |
| s�su�ud�do�o to preserve them. | them. |
| |
|
| As a special case, if s�su�ud�do�o's -�-i�i option (initial login) is specified, | As a special case, if s�su�ud�do�o's -�-i�i option (initial login) is specified, |
| _�s_�u_�d_�o_�e_�r_�s will initialize the environment regardless of the value of | _�s_�u_�d_�o_�e_�r_�s will initialize the environment regardless of the value of |
| _�e_�n_�v_�__�r_�e_�s_�e_�t. The _�D_�I_�S_�P_�L_�A_�Y, _�P_�A_�T_�H and _�T_�E_�R_�M variables remain unchanged; | _�e_�n_�v_�__�r_�e_�s_�e_�t. The DISPLAY, PATH and TERM variables remain unchanged; HOME, |
| _�H_�O_�M_�E, _�M_�A_�I_�L, _�S_�H_�E_�L_�L, _�U_�S_�E_�R, and _�L_�O_�G_�N_�A_�M_�E are set based on the target user. | MAIL, SHELL, USER, and LOGNAME are set based on the target user. On AIX |
| On AIX (and Linux systems without PAM), the contents of | (and Linux systems without PAM), the contents of _�/_�e_�t_�c_�/_�e_�n_�v_�i_�r_�o_�n_�m_�e_�n_�t are |
| _�/_�e_�t_�c_�/_�e_�n_�v_�i_�r_�o_�n_�m_�e_�n_�t are also included. On BSD systems, if the | also included. On BSD systems, if the _�u_�s_�e_�__�l_�o_�g_�i_�n_�c_�l_�a_�s_�s option is enabled, |
| _�u_�s_�e_�__�l_�o_�g_�i_�n_�c_�l_�a_�s_�s option is enabled, the _�p_�a_�t_�h and _�s_�e_�t_�e_�n_�v variables in | the _�p_�a_�t_�h and _�s_�e_�t_�e_�n_�v variables in _�/_�e_�t_�c_�/_�l_�o_�g_�i_�n_�._�c_�o_�n_�f are also applied. All |
| _�/_�e_�t_�c_�/_�l_�o_�g_�i_�n_�._�c_�o_�n_�f are also applied. All other environment variables are | other environment variables are removed. |
| removed. | |
| |
|
| Finally, if the _�e_�n_�v_�__�f_�i_�l_�e option is defined, any variables present in | Finally, if the _�e_�n_�v_�__�f_�i_�l_�e option is defined, any variables present in that |
| that file will be set to their specified values as long as they would | file will be set to their specified values as long as they would not |
| not conflict with an existing environment variable. | conflict with an existing environment variable. |
| |
|
| S�SU�UD�DO�OE�ER�RS�S F�FI�IL�LE�E F�FO�OR�RM�MA�AT�T |
S�SU�UD�DO�OE�ER�RS�S F�FI�IL�LE�E F�FO�OR�RM�MA�AT�T |
| The _�s_�u_�d_�o_�e_�r_�s file is composed of two types of entries: aliases | The _�s_�u_�d_�o_�e_�r_�s file is composed of two types of entries: aliases (basically |
| (basically variables) and user specifications (which specify who may | variables) and user specifications (which specify who may run what). |
| run what). | |
| |
|
| When multiple entries match for a user, they are applied in order. | When multiple entries match for a user, they are applied in order. Where |
| Where there are multiple matches, the last match is used (which is not | there are multiple matches, the last match is used (which is not |
| necessarily the most specific match). | necessarily the most specific match). |
| |
|
| The _�s_�u_�d_�o_�e_�r_�s grammar will be described below in Extended Backus-Naur | The _�s_�u_�d_�o_�e_�r_�s grammar will be described below in Extended Backus-Naur Form |
| Form (EBNF). Don't despair if you don't know what EBNF is; it is | (EBNF). Don't despair if you are unfamiliar with EBNF; it is fairly |
| fairly simple, and the definitions below are annotated. | simple, and the definitions below are annotated. |
| |
|
| Q�Qu�ui�ic�ck�k g�gu�ui�id�de�e t�to�o E�EB�BN�NF�F |
Q�Qu�ui�ic�ck�k g�gu�ui�id�de�e t�to�o E�EB�BN�NF�F |
| EBNF is a concise and exact way of describing the grammar of a | EBNF is a concise and exact way of describing the grammar of a language. |
| language. Each EBNF definition is made up of _�p_�r_�o_�d_�u_�c_�t_�i_�o_�n _�r_�u_�l_�e_�s. E.g., | Each EBNF definition is made up of _�p_�r_�o_�d_�u_�c_�t_�i_�o_�n _�r_�u_�l_�e_�s. E.g., |
| |
|
| symbol ::= definition | alternate1 | alternate2 ... | symbol ::= definition | alternate1 | alternate2 ... |
| |
|
| Each _�p_�r_�o_�d_�u_�c_�t_�i_�o_�n _�r_�u_�l_�e references others and thus makes up a grammar for | Each _�p_�r_�o_�d_�u_�c_�t_�i_�o_�n _�r_�u_�l_�e references others and thus makes up a grammar for |
| the language. EBNF also contains the following operators, which many | the language. EBNF also contains the following operators, which many |
| readers will recognize from regular expressions. Do not, however, | readers will recognize from regular expressions. Do not, however, |
| confuse them with "wildcard" characters, which have different meanings. | confuse them with ``wildcard'' characters, which have different meanings. |
| |
|
| ? Means that the preceding symbol (or group of symbols) is optional. | ? Means that the preceding symbol (or group of symbols) is optional. |
| That is, it may appear once or not at all. |
That is, it may appear once or not at all. |
| |
|
| * Means that the preceding symbol (or group of symbols) may appear | * Means that the preceding symbol (or group of symbols) may appear |
| zero or more times. |
zero or more times. |
| |
|
| + Means that the preceding symbol (or group of symbols) may appear | + Means that the preceding symbol (or group of symbols) may appear |
| one or more times. |
one or more times. |
| |
|
| Parentheses may be used to group symbols together. For clarity, we | Parentheses may be used to group symbols together. For clarity, we will |
| will use single quotes ('') to designate what is a verbatim character | use single quotes ('') to designate what is a verbatim character string |
| string (as opposed to a symbol name). | (as opposed to a symbol name). |
| |
|
| A�Al�li�ia�as�se�es�s |
A�Al�li�ia�as�se�es�s |
| There are four kinds of aliases: User_Alias, Runas_Alias, Host_Alias | There are four kinds of aliases: User_Alias, Runas_Alias, Host_Alias and |
| and Cmnd_Alias. | Cmnd_Alias. |
| |
|
| Alias ::= 'User_Alias' User_Alias (':' User_Alias)* | | Alias ::= 'User_Alias' User_Alias (':' User_Alias)* | |
| 'Runas_Alias' Runas_Alias (':' Runas_Alias)* | | 'Runas_Alias' Runas_Alias (':' Runas_Alias)* | |
| 'Host_Alias' Host_Alias (':' Host_Alias)* | | 'Host_Alias' Host_Alias (':' Host_Alias)* | |
| 'Cmnd_Alias' Cmnd_Alias (':' Cmnd_Alias)* | 'Cmnd_Alias' Cmnd_Alias (':' Cmnd_Alias)* |
| |
|
| User_Alias ::= NAME '=' User_List | User_Alias ::= NAME '=' User_List |
| |
|
| Runas_Alias ::= NAME '=' Runas_List | Runas_Alias ::= NAME '=' Runas_List |
| |
|
| Host_Alias ::= NAME '=' Host_List | Host_Alias ::= NAME '=' Host_List |
| |
|
| Cmnd_Alias ::= NAME '=' Cmnd_List | Cmnd_Alias ::= NAME '=' Cmnd_List |
| |
|
| NAME ::= [A-Z]([A-Z][0-9]_)* | NAME ::= [A-Z]([A-Z][0-9]_)* |
| |
|
| Each _�a_�l_�i_�a_�s definition is of the form | Each _�a_�l_�i_�a_�s definition is of the form |
| |
|
| Alias_Type NAME = item1, item2, ... | Alias_Type NAME = item1, item2, ... |
| |
|
| where _�A_�l_�i_�a_�s_�__�T_�y_�p_�e is one of User_Alias, Runas_Alias, Host_Alias, or | where _�A_�l_�i_�a_�s_�__�T_�y_�p_�e is one of User_Alias, Runas_Alias, Host_Alias, or |
| Cmnd_Alias. A NAME is a string of uppercase letters, numbers, and | Cmnd_Alias. A NAME is a string of uppercase letters, numbers, and |
| underscore characters ('_'). A NAME m�mu�us�st�t start with an uppercase | underscore characters (`_'). A NAME m�mu�us�st�t start with an uppercase letter. |
| letter. It is possible to put several alias definitions of the same | It is possible to put several alias definitions of the same type on a |
| type on a single line, joined by a colon (':'). E.g., | single line, joined by a colon (`:'). E.g., |
| |
|
| Alias_Type NAME = item1, item2, item3 : NAME = item4, item5 | Alias_Type NAME = item1, item2, item3 : NAME = item4, item5 |
| |
|
| The definitions of what constitutes a valid _�a_�l_�i_�a_�s member follow. | The definitions of what constitutes a valid _�a_�l_�i_�a_�s member follow. |
| |
|
| User_List ::= User | | User_List ::= User | |
| User ',' User_List | User ',' User_List |
| |
|
| User ::= '!'* user name | | User ::= '!'* user name | |
| '!'* #uid | | '!'* #uid | |
| '!'* %group | | '!'* %group | |
| '!'* %#gid | | '!'* %#gid | |
| '!'* +netgroup | | '!'* +netgroup | |
| '!'* %:nonunix_group | | '!'* %:nonunix_group | |
| '!'* %:#nonunix_gid | | '!'* %:#nonunix_gid | |
| '!'* User_Alias | '!'* User_Alias |
| |
|
| A User_List is made up of one or more user names, user ids (prefixed | A User_List is made up of one or more user names, user ids (prefixed with |
| with '#'), system group names and ids (prefixed with '%' and '%#' | `#'), system group names and ids (prefixed with `%' and `%#' |
| respectively), netgroups (prefixed with '+'), non-Unix group names and | respectively), netgroups (prefixed with `+'), non-Unix group names and |
| IDs (prefixed with '%:' and '%:#' respectively) and User_Aliases. Each | IDs (prefixed with `%:' and `%:#' respectively) and User_Aliases. Each |
| list item may be prefixed with zero or more '!' operators. An odd | list item may be prefixed with zero or more `!' operators. An odd number |
| number of '!' operators negate the value of the item; an even number | of `!' operators negate the value of the item; an even number just cancel |
| just cancel each other out. | each other out. |
| |
|
| A user name, uid, group, gid, netgroup, nonunix_group or nonunix_gid | A user name, uid, group, gid, netgroup, nonunix_group or nonunix_gid may |
| may be enclosed in double quotes to avoid the need for escaping special | be enclosed in double quotes to avoid the need for escaping special |
| characters. Alternately, special characters may be specified in | characters. Alternately, special characters may be specified in escaped |
| escaped hex mode, e.g. \x20 for space. When using double quotes, any | hex mode, e.g. \x20 for space. When using double quotes, any prefix |
| prefix characters must be included inside the quotes. | characters must be included inside the quotes. |
| |
|
| The actual nonunix_group and nonunix_gid syntax depends on the | The actual nonunix_group and nonunix_gid syntax depends on the underlying |
| underlying group provider plugin (see the _�g_�r_�o_�u_�p_�__�p_�l_�u_�g_�i_�n description | group provider plugin (see the _�g_�r_�o_�u_�p_�__�p_�l_�u_�g_�i_�n description below). For |
| below). For instance, the QAS AD plugin supports the following | instance, the QAS AD plugin supports the following formats: |
| formats: | |
| |
|
| o Group in the same domain: "Group Name" | o�o Group in the same domain: "%:Group Name" |
| |
|
| o Group in any domain: "Group Name@FULLY.QUALIFIED.DOMAIN" | o�o Group in any domain: "%:Group Name@FULLY.QUALIFIED.DOMAIN" |
| |
|
| o Group SID: "S-1-2-34-5678901234-5678901234-5678901234-567" | o�o Group SID: "%:S-1-2-34-5678901234-5678901234-5678901234-567" |
| |
|
| Note that quotes around group names are optional. Unquoted strings | Note that quotes around group names are optional. Unquoted strings must |
| must use a backslash (\) to escape spaces and special characters. See | use a backslash (`\') to escape spaces and special characters. See _�O_�t_�h_�e_�r |
| "Other special characters and reserved words" for a list of characters | _�s_�p_�e_�c_�i_�a_�l _�c_�h_�a_�r_�a_�c_�t_�e_�r_�s _�a_�n_�d _�r_�e_�s_�e_�r_�v_�e_�d _�w_�o_�r_�d_�s for a list of characters that need |
| that need to be escaped. | to be escaped. |
| |
|
| Runas_List ::= Runas_Member | | Runas_List ::= Runas_Member | |
| Runas_Member ',' Runas_List | Runas_Member ',' Runas_List |
| |
|
| Runas_Member ::= '!'* user name | | Runas_Member ::= '!'* user name | |
| '!'* #uid | | '!'* #uid | |
| '!'* %group | | '!'* %group | |
| '!'* %#gid | | '!'* %#gid | |
| '!'* %:nonunix_group | | '!'* %:nonunix_group | |
| '!'* %:#nonunix_gid | | '!'* %:#nonunix_gid | |
| '!'* +netgroup | | '!'* +netgroup | |
| '!'* Runas_Alias | '!'* Runas_Alias |
| |
|
| A Runas_List is similar to a User_List except that instead of | A Runas_List is similar to a User_List except that instead of |
| User_Aliases it can contain Runas_Aliases. Note that user names and | User_Aliases it can contain Runas_Aliases. Note that user names and |
| groups are matched as strings. In other words, two users (groups) with | groups are matched as strings. In other words, two users (groups) with |
| the same uid (gid) are considered to be distinct. If you wish to match | the same uid (gid) are considered to be distinct. If you wish to match |
| all user names with the same uid (e.g. root and toor), you can use a | all user names with the same uid (e.g. root and toor), you can use a uid |
| uid instead (#0 in the example given). | instead (#0 in the example given). |
| |
|
| Host_List ::= Host | | Host_List ::= Host | |
| Host ',' Host_List | Host ',' Host_List |
| |
|
| Host ::= '!'* host name | | Host ::= '!'* host name | |
| '!'* ip_addr | | '!'* ip_addr | |
| '!'* network(/netmask)? | | '!'* network(/netmask)? | |
| '!'* +netgroup | | '!'* +netgroup | |
| '!'* Host_Alias | '!'* Host_Alias |
| |
|
| A Host_List is made up of one or more host names, IP addresses, network | A Host_List is made up of one or more host names, IP addresses, network |
| numbers, netgroups (prefixed with '+') and other aliases. Again, the | numbers, netgroups (prefixed with `+') and other aliases. Again, the |
| value of an item may be negated with the '!' operator. If you do not | value of an item may be negated with the `!' operator. If you do not |
| specify a netmask along with the network number, s�su�ud�do�o will query each | specify a netmask along with the network number, s�su�ud�do�o will query each of |
| of the local host's network interfaces and, if the network number | the local host's network interfaces and, if the network number |
| corresponds to one of the hosts's network interfaces, the corresponding | corresponds to one of the hosts's network interfaces, the corresponding |
| netmask will be used. The netmask may be specified either in standard | netmask will be used. The netmask may be specified either in standard IP |
| IP address notation (e.g. 255.255.255.0 or ffff:ffff:ffff:ffff::), or | address notation (e.g. 255.255.255.0 or ffff:ffff:ffff:ffff::), or CIDR |
| CIDR notation (number of bits, e.g. 24 or 64). A host name may include | notation (number of bits, e.g. 24 or 64). A host name may include shell- |
| shell-style wildcards (see the Wildcards section below), but unless the | style wildcards (see the _�W_�i_�l_�d_�c_�a_�r_�d_�s section below), but unless the host |
| host name command on your machine returns the fully qualified host | name command on your machine returns the fully qualified host name, |
| name, you'll need to use the _�f_�q_�d_�n option for wildcards to be useful. | you'll need to use the _�f_�q_�d_�n option for wildcards to be useful. Note that |
| Note s�su�ud�do�o only inspects actual network interfaces; this means that IP | s�su�ud�do�o only inspects actual network interfaces; this means that IP address |
| address 127.0.0.1 (localhost) will never match. Also, the host name | 127.0.0.1 (localhost) will never match. Also, the host name |
| "localhost" will only match if that is the actual host name, which is | ``localhost'' will only match if that is the actual host name, which is |
| usually only the case for non-networked systems. | usually only the case for non-networked systems. |
| |
|
| Cmnd_List ::= Cmnd | | Cmnd_List ::= Cmnd | |
| Cmnd ',' Cmnd_List | Cmnd ',' Cmnd_List |
| |
|
| commandname ::= file name | | command name ::= file name | |
| file name args | | file name args | |
| file name '""' | file name '""' |
| |
|
| Cmnd ::= '!'* commandname | | Cmnd ::= '!'* command name | |
| '!'* directory | | '!'* directory | |
| '!'* "sudoedit" | | '!'* "sudoedit" | |
| '!'* Cmnd_Alias | '!'* Cmnd_Alias |
| |
|
| A Cmnd_List is a list of one or more commandnames, directories, and | A Cmnd_List is a list of one or more command names, directories, and |
| other aliases. A commandname is a fully qualified file name which may | other aliases. A command name is a fully qualified file name which may |
| include shell-style wildcards (see the Wildcards section below). A | include shell-style wildcards (see the _�W_�i_�l_�d_�c_�a_�r_�d_�s section below). A |
| simple file name allows the user to run the command with any arguments | simple file name allows the user to run the command with any arguments |
| he/she wishes. However, you may also specify command line arguments | he/she wishes. However, you may also specify command line arguments |
| (including wildcards). Alternately, you can specify "" to indicate | (including wildcards). Alternately, you can specify "" to indicate that |
| that the command may only be run w�wi�it�th�ho�ou�ut�t command line arguments. A | the command may only be run w�wi�it�th�ho�ou�ut�t command line arguments. A directory |
| directory is a fully qualified path name ending in a '/'. When you | is a fully qualified path name ending in a `/'. When you specify a |
| specify a directory in a Cmnd_List, the user will be able to run any | directory in a Cmnd_List, the user will be able to run any file within |
| file within that directory (but not in any subdirectories therein). | that directory (but not in any sub-directories therein). |
| |
|
| If a Cmnd has associated command line arguments, then the arguments in | If a Cmnd has associated command line arguments, then the arguments in |
| the Cmnd must match exactly those given by the user on the command line | the Cmnd must match exactly those given by the user on the command line |
| (or match the wildcards if there are any). Note that the following | (or match the wildcards if there are any). Note that the following |
| characters must be escaped with a '\' if they are used in command | characters must be escaped with a `\' if they are used in command |
| arguments: ',', ':', '=', '\'. The special command "sudoedit" is used | arguments: `,', `:', `=', `\'. The special command ``sudoedit'' is used |
| to permit a user to run s�su�ud�do�o with the -�-e�e option (or as s�su�ud�do�oe�ed�di�it�t). It | to permit a user to run s�su�ud�do�o with the -�-e�e option (or as s�su�ud�do�oe�ed�di�it�t). It may |
| may take command line arguments just as a normal command does. | take command line arguments just as a normal command does. |
| |
|
| D�De�ef�fa�au�ul�lt�ts�s |
D�De�ef�fa�au�ul�lt�ts�s |
| Certain configuration options may be changed from their default values | Certain configuration options may be changed from their default values at |
| at runtime via one or more Default_Entry lines. These may affect all | run-time via one or more Default_Entry lines. These may affect all users |
| users on any host, all users on a specific host, a specific user, a | on any host, all users on a specific host, a specific user, a specific |
| specific command, or commands being run as a specific user. Note that | command, or commands being run as a specific user. Note that per-command |
| per-command entries may not include command line arguments. If you | entries may not include command line arguments. If you need to specify |
| need to specify arguments, define a Cmnd_Alias and reference that | arguments, define a Cmnd_Alias and reference that instead. |
| instead. | |
| |
|
| Default_Type ::= 'Defaults' | | Default_Type ::= 'Defaults' | |
| 'Defaults' '@' Host_List | | 'Defaults' '@' Host_List | |
| 'Defaults' ':' User_List | | 'Defaults' ':' User_List | |
| 'Defaults' '!' Cmnd_List | | 'Defaults' '!' Cmnd_List | |
| 'Defaults' '>' Runas_List | 'Defaults' '>' Runas_List |
| |
|
| Default_Entry ::= Default_Type Parameter_List | Default_Entry ::= Default_Type Parameter_List |
| |
|
| Parameter_List ::= Parameter | | Parameter_List ::= Parameter | |
| Parameter ',' Parameter_List | Parameter ',' Parameter_List |
| |
|
| Parameter ::= Parameter '=' Value | | Parameter ::= Parameter '=' Value | |
| Parameter '+=' Value | | Parameter '+=' Value | |
| Parameter '-=' Value | | Parameter '-=' Value | |
| '!'* Parameter | '!'* Parameter |
| |
|
| Parameters may be f�fl�la�ag�gs�s, i�in�nt�te�eg�ge�er�r values, s�st�tr�ri�in�ng�gs�s, or l�li�is�st�ts�s. Flags are | Parameters may be f�fl�la�ag�gs�s, i�in�nt�te�eg�ge�er�r values, s�st�tr�ri�in�ng�gs�s, or l�li�is�st�ts�s. Flags are |
| implicitly boolean and can be turned off via the '!' operator. Some | implicitly boolean and can be turned off via the `!' operator. Some |
| integer, string and list parameters may also be used in a boolean | integer, string and list parameters may also be used in a boolean context |
| context to disable them. Values may be enclosed in double quotes (") | to disable them. Values may be enclosed in double quotes ("") when they |
| when they contain multiple words. Special characters may be escaped | contain multiple words. Special characters may be escaped with a |
| with a backslash (\). | backslash (`\'). |
| |
|
| Lists have two additional assignment operators, += and -=. These | Lists have two additional assignment operators, += and -=. These |
| operators are used to add to and delete from a list respectively. It | operators are used to add to and delete from a list respectively. It is |
| is not an error to use the -= operator to remove an element that does | not an error to use the -= operator to remove an element that does not |
| not exist in a list. | exist in a list. |
| |
|
| Defaults entries are parsed in the following order: generic, host and | Defaults entries are parsed in the following order: generic, host and |
| user Defaults first, then runas Defaults and finally command defaults. | user Defaults first, then runas Defaults and finally command defaults. |
| |
|
| See "SUDOERS OPTIONS" for a list of supported Defaults parameters. | See _�S_�U_�D_�O_�E_�R_�S _�O_�P_�T_�I_�O_�N_�S for a list of supported Defaults parameters. |
| |
|
| U�Us�se�er�r S�Sp�pe�ec�ci�if�fi�ic�ca�at�ti�io�on�n | U�Us�se�er�r s�sp�pe�ec�ci�if�fi�ic�ca�at�ti�io�on�n |
| User_Spec ::= User_List Host_List '=' Cmnd_Spec_List \ | User_Spec ::= User_List Host_List '=' Cmnd_Spec_List \ |
| (':' Host_List '=' Cmnd_Spec_List)* | (':' Host_List '=' Cmnd_Spec_List)* |
| |
|
| Cmnd_Spec_List ::= Cmnd_Spec | | Cmnd_Spec_List ::= Cmnd_Spec | |
| Cmnd_Spec ',' Cmnd_Spec_List | Cmnd_Spec ',' Cmnd_Spec_List |
| |
|
| Cmnd_Spec ::= Runas_Spec? SELinux_Spec? Tag_Spec* Cmnd | Cmnd_Spec ::= Runas_Spec? SELinux_Spec? Solaris_Priv_Spec? Tag_Spec* Cmnd |
| |
|
| Runas_Spec ::= '(' Runas_List? (':' Runas_List)? ')' | Runas_Spec ::= '(' Runas_List? (':' Runas_List)? ')' |
| |
|
| SELinux_Spec ::= ('ROLE=role' | 'TYPE=type') | SELinux_Spec ::= ('ROLE=role' | 'TYPE=type') |
| |
|
| Tag_Spec ::= ('NOPASSWD:' | 'PASSWD:' | 'NOEXEC:' | 'EXEC:' | | Solaris_Priv_Spec ::= ('PRIVS=privset' | 'LIMITPRIVS=privset') |
| 'SETENV:' | 'NOSETENV:' | 'LOG_INPUT:' | 'NOLOG_INPUT:' | | |
| 'LOG_OUTPUT:' | 'NOLOG_OUTPUT:') | |
| |
|
| A u�us�se�er�r s�sp�pe�ec�ci�if�fi�ic�ca�at�ti�io�on�n determines which commands a user may run (and as | Tag_Spec ::= ('NOPASSWD:' | 'PASSWD:' | 'NOEXEC:' | 'EXEC:' | |
| what user) on specified hosts. By default, commands are run as r�ro�oo�ot�t, | 'SETENV:' | 'NOSETENV:' | 'LOG_INPUT:' | 'NOLOG_INPUT:' | |
| but this can be changed on a per-command basis. | 'LOG_OUTPUT:' | 'NOLOG_OUTPUT:') |
| |
|
| The basic structure of a user specification is `who where = (as_whom) | A u�us�se�er�r s�sp�pe�ec�ci�if�fi�ic�ca�at�ti�io�on�n determines which commands a user may run (and as |
| what'. Let's break that down into its constituent parts: | what user) on specified hosts. By default, commands are run as r�ro�oo�ot�t, but |
| | this can be changed on a per-command basis. |
| |
|
| |
The basic structure of a user specification is ``who where = (as_whom) |
| |
what''. Let's break that down into its constituent parts: |
| |
|
| R�Ru�un�na�as�s_�_S�Sp�pe�ec�c |
R�Ru�un�na�as�s_�_S�Sp�pe�ec�c |
| A Runas_Spec determines the user and/or the group that a command may be | A Runas_Spec determines the user and/or the group that a command may be |
| run as. A fully-specified Runas_Spec consists of two Runas_Lists (as | run as. A fully-specified Runas_Spec consists of two Runas_Lists (as |
| defined above) separated by a colon (':') and enclosed in a set of | defined above) separated by a colon (`:') and enclosed in a set of |
| parentheses. The first Runas_List indicates which users the command | parentheses. The first Runas_List indicates which users the command may |
| may be run as via s�su�ud�do�o's -�-u�u option. The second defines a list of | be run as via s�su�ud�do�o's -�-u�u option. The second defines a list of groups that |
| groups that can be specified via s�su�ud�do�o's -�-g�g option. If both Runas_Lists | can be specified via s�su�ud�do�o's -�-g�g option. If both Runas_Lists are |
| are specified, the command may be run with any combination of users and | specified, the command may be run with any combination of users and |
| groups listed in their respective Runas_Lists. If only the first is | groups listed in their respective Runas_Lists. If only the first is |
| specified, the command may be run as any user in the list but no -�-g�g | specified, the command may be run as any user in the list but no -�-g�g |
| option may be specified. If the first Runas_List is empty but the | option may be specified. If the first Runas_List is empty but the second |
| second is specified, the command may be run as the invoking user with | is specified, the command may be run as the invoking user with the group |
| the group set to any listed in the Runas_List. If no Runas_Spec is | set to any listed in the Runas_List. If both Runas_Lists are empty, the |
| specified the command may be run as r�ro�oo�ot�t and no group may be specified. | command may only be run as the invoking user. If no Runas_Spec is |
| | specified the command may be run as r�ro�oo�ot�t and no group may be specified. |
| |
|
| A Runas_Spec sets the default for the commands that follow it. What | A Runas_Spec sets the default for the commands that follow it. What this |
| this means is that for the entry: | means is that for the entry: |
| |
|
| dgb boulder = (operator) /bin/ls, /bin/kill, /usr/bin/lprm | dgb boulder = (operator) /bin/ls, /bin/kill, /usr/bin/lprm |
| |
|
| The user d�dg�gb�b may run _�/_�b_�i_�n_�/_�l_�s, _�/_�b_�i_�n_�/_�k_�i_�l_�l, and _�/_�u_�s_�r_�/_�b_�i_�n_�/_�l_�p_�r_�m -- but only | The user d�dg�gb�b may run _�/_�b_�i_�n_�/_�l_�s, _�/_�b_�i_�n_�/_�k_�i_�l_�l, and _�/_�u_�s_�r_�/_�b_�i_�n_�/_�l_�p_�r_�m--but only as |
| as o�op�pe�er�ra�at�to�or�r. E.g., | o�op�pe�er�ra�at�to�or�r. E.g., |
| |
|
| $ sudo -u operator /bin/ls | $ sudo -u operator /bin/ls |
| |
|
| It is also possible to override a Runas_Spec later on in an entry. If | It is also possible to override a Runas_Spec later on in an entry. If we |
| we modify the entry like so: | modify the entry like so: |
| |
|
| dgb boulder = (operator) /bin/ls, (root) /bin/kill, /usr/bin/lprm | dgb boulder = (operator) /bin/ls, (root) /bin/kill, /usr/bin/lprm |
| |
|
| Then user d�dg�gb�b is now allowed to run _�/_�b_�i_�n_�/_�l_�s as o�op�pe�er�ra�at�to�or�r, but _�/_�b_�i_�n_�/_�k_�i_�l_�l | Then user d�dg�gb�b is now allowed to run _�/_�b_�i_�n_�/_�l_�s as o�op�pe�er�ra�at�to�or�r, but _�/_�b_�i_�n_�/_�k_�i_�l_�l |
| and _�/_�u_�s_�r_�/_�b_�i_�n_�/_�l_�p_�r_�m as r�ro�oo�ot�t. | and _�/_�u_�s_�r_�/_�b_�i_�n_�/_�l_�p_�r_�m as r�ro�oo�ot�t. |
| |
|
| We can extend this to allow d�dg�gb�b to run /bin/ls with either the user or | We can extend this to allow d�dg�gb�b to run /bin/ls with either the user or |
| group set to o�op�pe�er�ra�at�to�or�r: | group set to o�op�pe�er�ra�at�to�or�r: |
| |
|
| dgb boulder = (operator : operator) /bin/ls, (root) /bin/kill, \ | |
| /usr/bin/lprm | /usr/bin/lprm |
| |
|
| Note that while the group portion of the Runas_Spec permits the user to | Note that while the group portion of the Runas_Spec permits the user to |
| run as command with that group, it does not force the user to do so. | run as command with that group, it does not force the user to do so. If |
| If no group is specified on the command line, the command will run with | no group is specified on the command line, the command will run with the |
| the group listed in the target user's password database entry. The | group listed in the target user's password database entry. The following |
| following would all be permitted by the sudoers entry above: | would all be permitted by the sudoers entry above: |
| |
|
| $ sudo -u operator /bin/ls | $ sudo -u operator /bin/ls |
| $ sudo -u operator -g operator /bin/ls | $ sudo -u operator -g operator /bin/ls |
| $ sudo -g operator /bin/ls | $ sudo -g operator /bin/ls |
| |
|
| In the following example, user t�tc�cm�m may run commands that access a modem | In the following example, user t�tc�cm�m may run commands that access a modem |
| device file with the dialer group. | device file with the dialer group. |
| |
|
| tcm boulder = (:dialer) /usr/bin/tip, /usr/bin/cu, \ | |
| /usr/local/bin/minicom | /usr/local/bin/minicom |
| |
|
| Note that in this example only the group will be set, the command still | Note that in this example only the group will be set, the command still |
| runs as user t�tc�cm�m. E.g. | runs as user t�tc�cm�m. E.g. |
| |
|
| $ sudo -g dialer /usr/bin/cu | $ sudo -g dialer /usr/bin/cu |
| |
|
| Multiple users and groups may be present in a Runas_Spec, in which case | Multiple users and groups may be present in a Runas_Spec, in which case |
| the user may select any combination of users and groups via the -�-u�u and | the user may select any combination of users and groups via the -�-u�u and -�-g�g |
| -�-g�g options. In this example: | options. In this example: |
| |
|
| alan ALL = (root, bin : operator, system) ALL | alan ALL = (root, bin : operator, system) ALL |
| |
|
| user a�al�la�an�n may run any command as either user root or bin, optionally | user a�al�la�an�n may run any command as either user root or bin, optionally |
| setting the group to operator or system. | setting the group to operator or system. |
| |
|
| S�SE�EL�Li�in�nu�ux�x_�_S�Sp�pe�ec�c |
S�SE�EL�Li�in�nu�ux�x_�_S�Sp�pe�ec�c |
| On systems with SELinux support, _�s_�u_�d_�o_�e_�r_�s entries may optionally have an | On systems with SELinux support, _�s_�u_�d_�o_�e_�r_�s entries may optionally have an |
| SELinux role and/or type associated with a command. If a role or type | SELinux role and/or type associated with a command. If a role or type is |
| is specified with the command it will override any default values | specified with the command it will override any default values specified |
| specified in _�s_�u_�d_�o_�e_�r_�s. A role or type specified on the command line, | in _�s_�u_�d_�o_�e_�r_�s. A role or type specified on the command line, however, will |
| however, will supercede the values in _�s_�u_�d_�o_�e_�r_�s. | supersede the values in _�s_�u_�d_�o_�e_�r_�s. |
| |
|
| |
S�So�ol�la�ar�ri�is�s_�_P�Pr�ri�iv�v_�_S�Sp�pe�ec�c |
| |
On Solaris systems, _�s_�u_�d_�o_�e_�r_�s entries may optionally specify Solaris |
| |
privilege set and/or limit privilege set associated with a command. If |
| |
privileges or limit privileges are specified with the command it will |
| |
override any default values specified in _�s_�u_�d_�o_�e_�r_�s. |
| |
|
| |
A privilege set is a comma-separated list of privilege names. The |
| |
ppriv(1) command can be used to list all privileges known to the system. |
| |
For example: |
| |
|
| |
$ ppriv -l |
| |
|
| |
In addition, there are several ``special'' privilege strings: |
| |
|
| |
none the empty set |
| |
|
| |
all the set of all privileges |
| |
|
| |
zone the set of all privileges available in the current zone |
| |
|
| |
basic the default set of privileges normal users are granted at login |
| |
time |
| |
|
| |
Privileges can be excluded from a set by prefixing the privilege name |
| |
with either an `!' or `-' character. |
| |
|
| T�Ta�ag�g_�_S�Sp�pe�ec�c |
T�Ta�ag�g_�_S�Sp�pe�ec�c |
| A command may have zero or more tags associated with it. There are | A command may have zero or more tags associated with it. There are ten |
| eight possible tag values, NOPASSWD, PASSWD, NOEXEC, EXEC, SETENV, | possible tag values: NOPASSWD, PASSWD, NOEXEC, EXEC, SETENV, NOSETENV, |
| NOSETENV, LOG_INPUT, NOLOG_INPUT, LOG_OUTPUT and NOLOG_OUTPUT. Once a | LOG_INPUT, NOLOG_INPUT, LOG_OUTPUT and NOLOG_OUTPUT. Once a tag is set |
| tag is set on a Cmnd, subsequent Cmnds in the Cmnd_Spec_List, inherit | on a Cmnd, subsequent Cmnds in the Cmnd_Spec_List, inherit the tag unless |
| the tag unless it is overridden by the opposite tag (i.e.: PASSWD | it is overridden by the opposite tag (in other words, PASSWD overrides |
| overrides NOPASSWD and NOEXEC overrides EXEC). | NOPASSWD and NOEXEC overrides EXEC). |
| |
|
| _�N_�O_�P_�A_�S_�S_�W_�D _�a_�n_�d _�P_�A_�S_�S_�W_�D | _�N_�O_�P_�A_�S_�S_�W_�D _�a_�n_�d _�P_�A_�S_�S_�W_�D |
| |
|
| By default, s�su�ud�do�o requires that a user authenticate him or herself | By default, s�su�ud�do�o requires that a user authenticate him or herself before |
| before running a command. This behavior can be modified via the | running a command. This behavior can be modified via the NOPASSWD tag. |
| NOPASSWD tag. Like a Runas_Spec, the NOPASSWD tag sets a default for | Like a Runas_Spec, the NOPASSWD tag sets a default for the commands that |
| the commands that follow it in the Cmnd_Spec_List. Conversely, the | follow it in the Cmnd_Spec_List. Conversely, the PASSWD tag can be used |
| PASSWD tag can be used to reverse things. For example: | to reverse things. For example: |
| |
|
| ray rushmore = NOPASSWD: /bin/kill, /bin/ls, /usr/bin/lprm | ray rushmore = NOPASSWD: /bin/kill, /bin/ls, /usr/bin/lprm |
| |
|
| would allow the user r�ra�ay�y to run _�/_�b_�i_�n_�/_�k_�i_�l_�l, _�/_�b_�i_�n_�/_�l_�s, and _�/_�u_�s_�r_�/_�b_�i_�n_�/_�l_�p_�r_�m | would allow the user r�ra�ay�y to run _�/_�b_�i_�n_�/_�k_�i_�l_�l, _�/_�b_�i_�n_�/_�l_�s, and _�/_�u_�s_�r_�/_�b_�i_�n_�/_�l_�p_�r_�m as |
| as r�ro�oo�ot�t on the machine rushmore without authenticating himself. If we | r�ro�oo�ot�t on the machine rushmore without authenticating himself. If we only |
| only want r�ra�ay�y to be able to run _�/_�b_�i_�n_�/_�k_�i_�l_�l without a password the entry | want r�ra�ay�y to be able to run _�/_�b_�i_�n_�/_�k_�i_�l_�l without a password the entry would |
| would be: | be: |
| |
|
| ray rushmore = NOPASSWD: /bin/kill, PASSWD: /bin/ls, /usr/bin/lprm | ray rushmore = NOPASSWD: /bin/kill, PASSWD: /bin/ls, /usr/bin/lprm |
| |
|
| Note, however, that the PASSWD tag has no effect on users who are in | Note, however, that the PASSWD tag has no effect on users who are in the |
| the group specified by the _�e_�x_�e_�m_�p_�t_�__�g_�r_�o_�u_�p option. | group specified by the _�e_�x_�e_�m_�p_�t_�__�g_�r_�o_�u_�p option. |
| |
|
| By default, if the NOPASSWD tag is applied to any of the entries for a | By default, if the NOPASSWD tag is applied to any of the entries for a |
| user on the current host, he or she will be able to run sudo -l without | user on the current host, he or she will be able to run ``sudo -l'' |
| a password. Additionally, a user may only run sudo -v without a | without a password. Additionally, a user may only run ``sudo -v'' |
| password if the NOPASSWD tag is present for all a user's entries that | without a password if the NOPASSWD tag is present for all a user's |
| pertain to the current host. This behavior may be overridden via the | entries that pertain to the current host. This behavior may be |
| verifypw and listpw options. | overridden via the _�v_�e_�r_�i_�f_�y_�p_�w and _�l_�i_�s_�t_�p_�w options. |
| |
|
| _�N_�O_�E_�X_�E_�C _�a_�n_�d _�E_�X_�E_�C | _�N_�O_�E_�X_�E_�C _�a_�n_�d _�E_�X_�E_�C |
| |
|
| If s�su�ud�do�o has been compiled with _�n_�o_�e_�x_�e_�c support and the underlying | If s�su�ud�do�o has been compiled with _�n_�o_�e_�x_�e_�c support and the underlying |
| operating system supports it, the NOEXEC tag can be used to prevent a | operating system supports it, the NOEXEC tag can be used to prevent a |
| dynamically-linked executable from running further commands itself. | dynamically-linked executable from running further commands itself. |
| |
|
| In the following example, user a�aa�ar�ro�on�n may run _�/_�u_�s_�r_�/_�b_�i_�n_�/_�m_�o_�r_�e and | In the following example, user a�aa�ar�ro�on�n may run _�/_�u_�s_�r_�/_�b_�i_�n_�/_�m_�o_�r_�e and |
| _�/_�u_�s_�r_�/_�b_�i_�n_�/_�v_�i but shell escapes will be disabled. | _�/_�u_�s_�r_�/_�b_�i_�n_�/_�v_�i but shell escapes will be disabled. |
| |
|
| aaron shanty = NOEXEC: /usr/bin/more, /usr/bin/vi | aaron shanty = NOEXEC: /usr/bin/more, /usr/bin/vi |
| |
|
| See the "Preventing Shell Escapes" section below for more details on | See the _�P_�r_�e_�v_�e_�n_�t_�i_�n_�g _�s_�h_�e_�l_�l _�e_�s_�c_�a_�p_�e_�s section below for more details on how |
| how NOEXEC works and whether or not it will work on your system. | NOEXEC works and whether or not it will work on your system. |
| |
|
| _�S_�E_�T_�E_�N_�V _�a_�n_�d _�N_�O_�S_�E_�T_�E_�N_�V | _�S_�E_�T_�E_�N_�V _�a_�n_�d _�N_�O_�S_�E_�T_�E_�N_�V |
| |
|
| These tags override the value of the _�s_�e_�t_�e_�n_�v option on a per-command | These tags override the value of the _�s_�e_�t_�e_�n_�v option on a per-command |
| basis. Note that if SETENV has been set for a command, the user may | basis. Note that if SETENV has been set for a command, the user may |
| disable the _�e_�n_�v_�__�r_�e_�s_�e_�t option from the command line via the -�-E�E option. | disable the _�e_�n_�v_�__�r_�e_�s_�e_�t option from the command line via the -�-E�E option. |
| Additionally, environment variables set on the command line are not | Additionally, environment variables set on the command line are not |
| subject to the restrictions imposed by _�e_�n_�v_�__�c_�h_�e_�c_�k, _�e_�n_�v_�__�d_�e_�l_�e_�t_�e, or | subject to the restrictions imposed by _�e_�n_�v_�__�c_�h_�e_�c_�k, _�e_�n_�v_�__�d_�e_�l_�e_�t_�e, or |
| _�e_�n_�v_�__�k_�e_�e_�p. As such, only trusted users should be allowed to set | _�e_�n_�v_�__�k_�e_�e_�p. As such, only trusted users should be allowed to set variables |
| variables in this manner. If the command matched is A�AL�LL�L, the SETENV | in this manner. If the command matched is A�AL�LL�L, the SETENV tag is implied |
| tag is implied for that command; this default may be overridden by use | for that command; this default may be overridden by use of the NOSETENV |
| of the NOSETENV tag. | tag. |
| |
|
| _�L_�O_�G_�__�I_�N_�P_�U_�T _�a_�n_�d _�N_�O_�L_�O_�G_�__�I_�N_�P_�U_�T | _�L_�O_�G_�__�I_�N_�P_�U_�T _�a_�n_�d _�N_�O_�L_�O_�G_�__�I_�N_�P_�U_�T |
| |
|
| These tags override the value of the _�l_�o_�g_�__�i_�n_�p_�u_�t option on a per-command | These tags override the value of the _�l_�o_�g_�__�i_�n_�p_�u_�t option on a per-command |
| basis. For more information, see the description of _�l_�o_�g_�__�i_�n_�p_�u_�t in the | basis. For more information, see the description of _�l_�o_�g_�__�i_�n_�p_�u_�t in the |
| "SUDOERS OPTIONS" section below. | _�S_�U_�D_�O_�E_�R_�S _�O_�P_�T_�I_�O_�N_�S section below. |
| |
|
| _�L_�O_�G_�__�O_�U_�T_�P_�U_�T _�a_�n_�d _�N_�O_�L_�O_�G_�__�O_�U_�T_�P_�U_�T | _�L_�O_�G_�__�O_�U_�T_�P_�U_�T _�a_�n_�d _�N_�O_�L_�O_�G_�__�O_�U_�T_�P_�U_�T |
| |
|
| These tags override the value of the _�l_�o_�g_�__�o_�u_�t_�p_�u_�t option on a per-command | These tags override the value of the _�l_�o_�g_�__�o_�u_�t_�p_�u_�t option on a per-command |
| basis. For more information, see the description of _�l_�o_�g_�__�o_�u_�t_�p_�u_�t in the | basis. For more information, see the description of _�l_�o_�g_�__�o_�u_�t_�p_�u_�t in the |
| "SUDOERS OPTIONS" section below. | _�S_�U_�D_�O_�E_�R_�S _�O_�P_�T_�I_�O_�N_�S section below. |
| |
|
| W�Wi�il�ld�dc�ca�ar�rd�ds�s |
W�Wi�il�ld�dc�ca�ar�rd�ds�s |
| s�su�ud�do�o allows shell-style _�w_�i_�l_�d_�c_�a_�r_�d_�s (aka meta or glob characters) to be | s�su�ud�do�o allows shell-style _�w_�i_�l_�d_�c_�a_�r_�d_�s (aka meta or glob characters) to be |
| used in host names, path names and command line arguments in the | used in host names, path names and command line arguments in the _�s_�u_�d_�o_�e_�r_�s |
| _�s_�u_�d_�o_�e_�r_�s file. Wildcard matching is done via the P�PO�OS�SI�IX�X _�g_�l_�o_�b(3) and | file. Wildcard matching is done via the P�PO�OS�SI�IX�X glob(3) and fnmatch(3) |
| _�f_�n_�m_�a_�t_�c_�h(3) routines. Note that these are _�n_�o_�t regular expressions. | routines. Note that these are _�n_�o_�t regular expressions. |
| |
|
| * Matches any set of zero or more characters. | * Matches any set of zero or more characters. |
| |
|
| ? Matches any single character. | ? Matches any single character. |
| |
|
| [...] Matches any character in the specified range. | [...] Matches any character in the specified range. |
| |
|
| [!...] Matches any character n�no�ot�t in the specified range. | [!...] Matches any character n�no�ot�t in the specified range. |
| |
|
| \x For any character "x", evaluates to "x". This is used to | \x For any character `x', evaluates to `x'. This is used to |
| escape special characters such as: "*", "?", "[", and "}". | escape special characters such as: `*', `?', `[', and `]'. |
| |
|
| POSIX character classes may also be used if your system's _�g_�l_�o_�b(3) and | POSIX character classes may also be used if your system's glob(3) and |
| _�f_�n_�m_�a_�t_�c_�h(3) functions support them. However, because the ':' character | fnmatch(3) functions support them. However, because the `:' character |
| has special meaning in _�s_�u_�d_�o_�e_�r_�s, it must be escaped. For example: | has special meaning in _�s_�u_�d_�o_�e_�r_�s, it must be escaped. For example: |
| |
|
| /bin/ls [[\:alpha\:]]* | /bin/ls [[:alpha:]]* |
| |
|
| Would match any file name beginning with a letter. | Would match any file name beginning with a letter. |
| |
|
| Note that a forward slash ('/') will n�no�ot�t be matched by wildcards used | Note that a forward slash (`/') will n�no�ot�t be matched by wildcards used in |
| in the path name. When matching the command line arguments, however, a | the path name. This is to make a path like: |
| slash d�do�oe�es�s get matched by wildcards. This is to make a path like: | |
| |
|
| /usr/bin/* | /usr/bin/* |
| |
|
| match _�/_�u_�s_�r_�/_�b_�i_�n_�/_�w_�h_�o but not _�/_�u_�s_�r_�/_�b_�i_�n_�/_�X_�1_�1_�/_�x_�t_�e_�r_�m. | match _�/_�u_�s_�r_�/_�b_�i_�n_�/_�w_�h_�o but not _�/_�u_�s_�r_�/_�b_�i_�n_�/_�X_�1_�1_�/_�x_�t_�e_�r_�m. |
| |
|
| |
When matching the command line arguments, however, a slash d�do�oe�es�s get |
| |
matched by wildcards since command line arguments may contain arbitrary |
| |
strings and not just path names. |
| |
|
| |
Wildcards in command line arguments should be used with care. Because |
| |
command line arguments are matched as a single, concatenated string, a |
| |
wildcard such as `?' or `*' can match multiple words. For example, while |
| |
a sudoers entry like: |
| |
|
| |
%operator ALL = /bin/cat /var/log/messages* |
| |
|
| |
will allow command like: |
| |
|
| |
$ sudo cat /var/log/messages.1 |
| |
|
| |
It will also allow: |
| |
|
| |
$ sudo cat /var/log/messages /etc/shadow |
| |
|
| |
which is probably not what was intended. |
| |
|
| E�Ex�xc�ce�ep�pt�ti�io�on�ns�s t�to�o w�wi�il�ld�dc�ca�ar�rd�d r�ru�ul�le�es�s |
E�Ex�xc�ce�ep�pt�ti�io�on�ns�s t�to�o w�wi�il�ld�dc�ca�ar�rd�d r�ru�ul�le�es�s |
| The following exceptions apply to the above rules: | The following exceptions apply to the above rules: |
| |
|
| "" If the empty string "" is the only command line argument in the | "" If the empty string "" is the only command line argument in the |
| _�s_�u_�d_�o_�e_�r_�s entry it means that command is not allowed to be run |
_�s_�u_�d_�o_�e_�r_�s entry it means that command is not allowed to be run |
| with a�an�ny�y arguments. |
with a�an�ny�y arguments. |
| |
|
| |
sudoedit Command line arguments to the _�s_�u_�d_�o_�e_�d_�i_�t built-in command should |
| |
always be path names, so a forward slash (`/') will not be |
| |
matched by a wildcard. |
| |
|
| I�In�nc�cl�lu�ud�di�in�ng�g o�ot�th�he�er�r f�fi�il�le�es�s f�fr�ro�om�m w�wi�it�th�hi�in�n s�su�ud�do�oe�er�rs�s |
I�In�nc�cl�lu�ud�di�in�ng�g o�ot�th�he�er�r f�fi�il�le�es�s f�fr�ro�om�m w�wi�it�th�hi�in�n s�su�ud�do�oe�er�rs�s |
| It is possible to include other _�s_�u_�d_�o_�e_�r_�s files from within the _�s_�u_�d_�o_�e_�r_�s | It is possible to include other _�s_�u_�d_�o_�e_�r_�s files from within the _�s_�u_�d_�o_�e_�r_�s |
| file currently being parsed using the #include and #includedir | file currently being parsed using the #include and #includedir |
| directives. | directives. |
| |
|
| This can be used, for example, to keep a site-wide _�s_�u_�d_�o_�e_�r_�s file in | This can be used, for example, to keep a site-wide _�s_�u_�d_�o_�e_�r_�s file in |
| addition to a local, per-machine file. For the sake of this example | addition to a local, per-machine file. For the sake of this example the |
| the site-wide _�s_�u_�d_�o_�e_�r_�s will be _�/_�e_�t_�c_�/_�s_�u_�d_�o_�e_�r_�s and the per-machine one will | site-wide _�s_�u_�d_�o_�e_�r_�s will be _�/_�e_�t_�c_�/_�s_�u_�d_�o_�e_�r_�s and the per-machine one will be |
| be _�/_�e_�t_�c_�/_�s_�u_�d_�o_�e_�r_�s_�._�l_�o_�c_�a_�l. To include _�/_�e_�t_�c_�/_�s_�u_�d_�o_�e_�r_�s_�._�l_�o_�c_�a_�l from within | _�/_�e_�t_�c_�/_�s_�u_�d_�o_�e_�r_�s_�._�l_�o_�c_�a_�l. To include _�/_�e_�t_�c_�/_�s_�u_�d_�o_�e_�r_�s_�._�l_�o_�c_�a_�l from within |
| _�/_�e_�t_�c_�/_�s_�u_�d_�o_�e_�r_�s we would use the following line in _�/_�e_�t_�c_�/_�s_�u_�d_�o_�e_�r_�s: | _�/_�e_�t_�c_�/_�s_�u_�d_�o_�e_�r_�s we would use the following line in _�/_�e_�t_�c_�/_�s_�u_�d_�o_�e_�r_�s: |
| |
|
| #include /etc/sudoers.local | #include /etc/sudoers.local |
| |
|
| When s�su�ud�do�o reaches this line it will suspend processing of the current | When s�su�ud�do�o reaches this line it will suspend processing of the current |
| file (_�/_�e_�t_�c_�/_�s_�u_�d_�o_�e_�r_�s) and switch to _�/_�e_�t_�c_�/_�s_�u_�d_�o_�e_�r_�s_�._�l_�o_�c_�a_�l. Upon reaching | file (_�/_�e_�t_�c_�/_�s_�u_�d_�o_�e_�r_�s) and switch to _�/_�e_�t_�c_�/_�s_�u_�d_�o_�e_�r_�s_�._�l_�o_�c_�a_�l. Upon reaching the |
| the end of _�/_�e_�t_�c_�/_�s_�u_�d_�o_�e_�r_�s_�._�l_�o_�c_�a_�l, the rest of _�/_�e_�t_�c_�/_�s_�u_�d_�o_�e_�r_�s will be | end of _�/_�e_�t_�c_�/_�s_�u_�d_�o_�e_�r_�s_�._�l_�o_�c_�a_�l, the rest of _�/_�e_�t_�c_�/_�s_�u_�d_�o_�e_�r_�s will be processed. |
| processed. Files that are included may themselves include other files. | Files that are included may themselves include other files. A hard limit |
| A hard limit of 128 nested include files is enforced to prevent include | of 128 nested include files is enforced to prevent include file loops. |
| file loops. | |
| |
|
| If the path to the include file is not fully-qualified (does not begin | If the path to the include file is not fully-qualified (does not begin |
| with a _�/), it must be located in the same directory as the sudoers file | with a `/', it must be located in the same directory as the sudoers file |
| it was included from. For example, if _�/_�e_�t_�c_�/_�s_�u_�d_�o_�e_�r_�s contains the line: | it was included from. For example, if _�/_�e_�t_�c_�/_�s_�u_�d_�o_�e_�r_�s contains the line: |
| |
|
| #include sudoers.local | #include sudoers.local |
| |
|
| the file that will be included is _�/_�e_�t_�c_�/_�s_�u_�d_�o_�e_�r_�s_�._�l_�o_�c_�a_�l. | the file that will be included is _�/_�e_�t_�c_�/_�s_�u_�d_�o_�e_�r_�s_�._�l_�o_�c_�a_�l. |
| |
|
| The file name may also include the %h escape, signifying the short form | The file name may also include the %h escape, signifying the short form |
| of the host name. I.e., if the machine's host name is "xerxes", then | of the host name. In other words, if the machine's host name is |
| | ``xerxes'', then |
| |
|
| #include /etc/sudoers.%h | #include /etc/sudoers.%h |
| |
|
| will cause s�su�ud�do�o to include the file _�/_�e_�t_�c_�/_�s_�u_�d_�o_�e_�r_�s_�._�x_�e_�r_�x_�e_�s. | will cause s�su�ud�do�o to include the file _�/_�e_�t_�c_�/_�s_�u_�d_�o_�e_�r_�s_�._�x_�e_�r_�x_�e_�s. |
| |
|
| The #includedir directive can be used to create a _�s_�u_�d_�o_�._�d directory that | The #includedir directive can be used to create a _�s_�u_�d_�o_�._�d directory that |
| the system package manager can drop _�s_�u_�d_�o_�e_�r_�s rules into as part of | the system package manager can drop _�s_�u_�d_�o_�e_�r_�s rules into as part of package |
| package installation. For example, given: | installation. For example, given: |
| |
|
| #includedir /etc/sudoers.d | #includedir /etc/sudoers.d |
| |
|
| s�su�ud�do�o will read each file in _�/_�e_�t_�c_�/_�s_�u_�d_�o_�e_�r_�s_�._�d, skipping file names that | s�su�ud�do�o will read each file in _�/_�e_�t_�c_�/_�s_�u_�d_�o_�e_�r_�s_�._�d, skipping file names that end |
| end in ~ or contain a . character to avoid causing problems with | in `~' or contain a `.' character to avoid causing problems with package |
| package manager or editor temporary/backup files. Files are parsed in | manager or editor temporary/backup files. Files are parsed in sorted |
| sorted lexical order. That is, _�/_�e_�t_�c_�/_�s_�u_�d_�o_�e_�r_�s_�._�d_�/_�0_�1_�__�f_�i_�r_�s_�t will be parsed | lexical order. That is, _�/_�e_�t_�c_�/_�s_�u_�d_�o_�e_�r_�s_�._�d_�/_�0_�1_�__�f_�i_�r_�s_�t will be parsed before |
| before _�/_�e_�t_�c_�/_�s_�u_�d_�o_�e_�r_�s_�._�d_�/_�1_�0_�__�s_�e_�c_�o_�n_�d. Be aware that because the sorting is | _�/_�e_�t_�c_�/_�s_�u_�d_�o_�e_�r_�s_�._�d_�/_�1_�0_�__�s_�e_�c_�o_�n_�d. Be aware that because the sorting is lexical, |
| lexical, not numeric, _�/_�e_�t_�c_�/_�s_�u_�d_�o_�e_�r_�s_�._�d_�/_�1_�__�w_�h_�o_�o_�p_�s would be loaded a�af�ft�te�er�r | not numeric, _�/_�e_�t_�c_�/_�s_�u_�d_�o_�e_�r_�s_�._�d_�/_�1_�__�w_�h_�o_�o_�p_�s would be loaded a�af�ft�te�er�r |
| _�/_�e_�t_�c_�/_�s_�u_�d_�o_�e_�r_�s_�._�d_�/_�1_�0_�__�s_�e_�c_�o_�n_�d. Using a consistent number of leading zeroes | _�/_�e_�t_�c_�/_�s_�u_�d_�o_�e_�r_�s_�._�d_�/_�1_�0_�__�s_�e_�c_�o_�n_�d. Using a consistent number of leading zeroes in |
| in the file names can be used to avoid such problems. | the file names can be used to avoid such problems. |
| |
|
| Note that unlike files included via #include, v�vi�is�su�ud�do�o will not edit the | Note that unlike files included via #include, v�vi�is�su�ud�do�o will not edit the |
| files in a #includedir directory unless one of them contains a syntax | files in a #includedir directory unless one of them contains a syntax |
| error. It is still possible to run v�vi�is�su�ud�do�o with the -f flag to edit the | error. It is still possible to run v�vi�is�su�ud�do�o with the -�-f�f flag to edit the |
| files directly. | files directly. |
| |
|
| O�Ot�th�he�er�r s�sp�pe�ec�ci�ia�al�l c�ch�ha�ar�ra�ac�ct�te�er�rs�s a�an�nd�d r�re�es�se�er�rv�ve�ed�d w�wo�or�rd�ds�s |
O�Ot�th�he�er�r s�sp�pe�ec�ci�ia�al�l c�ch�ha�ar�ra�ac�ct�te�er�rs�s a�an�nd�d r�re�es�se�er�rv�ve�ed�d w�wo�or�rd�ds�s |
| The pound sign ('#') is used to indicate a comment (unless it is part | The pound sign (`#') is used to indicate a comment (unless it is part of |
| of a #include directive or unless it occurs in the context of a user | a #include directive or unless it occurs in the context of a user name |
| name and is followed by one or more digits, in which case it is treated | and is followed by one or more digits, in which case it is treated as a |
| as a uid). Both the comment character and any text after it, up to the | uid). Both the comment character and any text after it, up to the end of |
| end of the line, are ignored. | the line, are ignored. |
| |
|
| The reserved word A�AL�LL�L is a built-in _�a_�l_�i_�a_�s that always causes a match to | The reserved word A�AL�LL�L is a built-in _�a_�l_�i_�a_�s that always causes a match to |
| succeed. It can be used wherever one might otherwise use a Cmnd_Alias, | succeed. It can be used wherever one might otherwise use a Cmnd_Alias, |
| User_Alias, Runas_Alias, or Host_Alias. You should not try to define | User_Alias, Runas_Alias, or Host_Alias. You should not try to define |
| your own _�a_�l_�i_�a_�s called A�AL�LL�L as the built-in alias will be used in | your own _�a_�l_�i_�a_�s called A�AL�LL�L as the built-in alias will be used in |
| preference to your own. Please note that using A�AL�LL�L can be dangerous | preference to your own. Please note that using A�AL�LL�L can be dangerous |
| since in a command context, it allows the user to run a�an�ny�y command on | since in a command context, it allows the user to run a�an�ny�y command on the |
| the system. | system. |
| |
|
| An exclamation point ('!') can be used as a logical _�n_�o_�t operator both | An exclamation point (`!') can be used as a logical _�n_�o_�t operator both in |
| in an _�a_�l_�i_�a_�s and in front of a Cmnd. This allows one to exclude certain | an _�a_�l_�i_�a_�s and in front of a Cmnd. This allows one to exclude certain |
| values. Note, however, that using a ! in conjunction with the built-in | values. Note, however, that using a `!' in conjunction with the built-in |
| ALL alias to allow a user to run "all but a few" commands rarely works | A�AL�LL�L alias to allow a user to run ``all but a few'' commands rarely works |
| as intended (see SECURITY NOTES below). | as intended (see _�S_�E_�C_�U_�R_�I_�T_�Y _�N_�O_�T_�E_�S below). |
| |
|
| Long lines can be continued with a backslash ('\') as the last | Long lines can be continued with a backslash (`\') as the last character |
| character on the line. | on the line. |
| |
|
| Whitespace between elements in a list as well as special syntactic | White space between elements in a list as well as special syntactic |
| characters in a _�U_�s_�e_�r _�S_�p_�e_�c_�i_�f_�i_�c_�a_�t_�i_�o_�n ('=', ':', '(', ')') is optional. | characters in a _�U_�s_�e_�r _�S_�p_�e_�c_�i_�f_�i_�c_�a_�t_�i_�o_�n (`=', `:', `(', `)') is optional. |
| |
|
| The following characters must be escaped with a backslash ('\') when | The following characters must be escaped with a backslash (`\') when used |
| used as part of a word (e.g. a user name or host name): '!', '=', ':', | as part of a word (e.g. a user name or host name): `!', `=', `:', `,', |
| ',', '(', ')', '\'. | `(', `)', `\'. |
| |
|
| S�SU�UD�DO�OE�ER�RS�S O�OP�PT�TI�IO�ON�NS�S |
S�SU�UD�DO�OE�ER�RS�S O�OP�PT�TI�IO�ON�NS�S |
| s�su�ud�do�o's behavior can be modified by Default_Entry lines, as explained | s�su�ud�do�o's behavior can be modified by Default_Entry lines, as explained |
| earlier. A list of all supported Defaults parameters, grouped by type, | earlier. A list of all supported Defaults parameters, grouped by type, |
| are listed below. | are listed below. |
| |
|
| B�Bo�oo�ol�le�ea�an�n F�Fl�la�ag�gs�s: | B�Bo�oo�ol�le�ea�an�n F�Fl�la�ag�gs�s: |
| |
|
| always_set_home If enabled, s�su�ud�do�o will set the HOME environment variable | always_set_home If enabled, s�su�ud�do�o will set the HOME environment variable |
| to the home directory of the target user (which is root |
to the home directory of the target user (which is root |
| unless the -�-u�u option is used). This effectively means |
unless the -�-u�u option is used). This effectively means |
| that the -�-H�H option is always implied. Note that HOME |
that the -�-H�H option is always implied. Note that HOME |
|
Line 655 S�SU�UD�DO�OE�ER�RS�S O�OP�PT�TI�IO�ON�NS�S
|
Line 701 S�SU�UD�DO�OE�ER�RS�S O�OP�PT�TI�IO�ON�NS�S
|
| HOME is present in the _�e_�n_�v_�__�k_�e_�e_�p list. This flag is _�o_�f_�f |
HOME is present in the _�e_�n_�v_�__�k_�e_�e_�p list. This flag is _�o_�f_�f |
| by default. |
by default. |
| |
|
| authenticate If set, users must authenticate themselves via a | authenticate If set, users must authenticate themselves via a |
| password (or other means of authentication) before they |
password (or other means of authentication) before they |
| may run commands. This default may be overridden via |
may run commands. This default may be overridden via |
| the PASSWD and NOPASSWD tags. This flag is _�o_�n by |
the PASSWD and NOPASSWD tags. This flag is _�o_�n by |
| default. |
default. |
| |
|
| closefrom_override | closefrom_override |
| If set, the user may use s�su�ud�do�o's -�-C�C option which |
If set, the user may use s�su�ud�do�o's -�-C�C option which |
| overrides the default starting point at which s�su�ud�do�o |
overrides the default starting point at which s�su�ud�do�o |
| begins closing open file descriptors. This flag is _�o_�f_�f |
begins closing open file descriptors. This flag is _�o_�f_�f |
| by default. |
by default. |
| |
|
| compress_io If set, and s�su�ud�do�o is configured to log a command's input | compress_io If set, and s�su�ud�do�o is configured to log a command's input |
| or output, the I/O logs will be compressed using z�zl�li�ib�b. |
or output, the I/O logs will be compressed using z�zl�li�ib�b. |
| This flag is _�o_�n by default when s�su�ud�do�o is compiled with |
This flag is _�o_�n by default when s�su�ud�do�o is compiled with |
| z�zl�li�ib�b support. |
z�zl�li�ib�b support. |
| |
|
| env_editor If set, v�vi�is�su�ud�do�o will use the value of the EDITOR or | env_editor If set, v�vi�is�su�ud�do�o will use the value of the EDITOR or |
| VISUAL environment variables before falling back on the |
VISUAL environment variables before falling back on the |
| default editor list. Note that this may create a |
default editor list. Note that this may create a |
| security hole as it allows the user to run any |
security hole as it allows the user to run any |
|
Line 682 S�SU�UD�DO�OE�ER�RS�S O�OP�PT�TI�IO�ON�NS�S
|
Line 728 S�SU�UD�DO�OE�ER�RS�S O�OP�PT�TI�IO�ON�NS�S
|
| use the EDITOR or VISUAL if they match a value |
use the EDITOR or VISUAL if they match a value |
| specified in editor. This flag is _�o_�f_�f by default. |
specified in editor. This flag is _�o_�f_�f by default. |
| |
|
| env_reset If set, s�su�ud�do�o will run the command in a minimal | env_reset If set, s�su�ud�do�o will run the command in a minimal |
| environment containing the TERM, PATH, HOME, MAIL, |
environment containing the TERM, PATH, HOME, MAIL, |
| SHELL, LOGNAME, USER, USERNAME and SUDO_* variables. |
SHELL, LOGNAME, USER, USERNAME and SUDO_* variables. |
| Any variables in the caller's environment that match |
Any variables in the caller's environment that match |
|
Line 690 S�SU�UD�DO�OE�ER�RS�S O�OP�PT�TI�IO�ON�NS�S
|
Line 736 S�SU�UD�DO�OE�ER�RS�S O�OP�PT�TI�IO�ON�NS�S
|
| followed by any variables present in the file specified |
followed by any variables present in the file specified |
| by the _�e_�n_�v_�__�f_�i_�l_�e option (if any). The default contents |
by the _�e_�n_�v_�__�f_�i_�l_�e option (if any). The default contents |
| of the env_keep and env_check lists are displayed when |
of the env_keep and env_check lists are displayed when |
| s�su�ud�do�o is run by root with the _�-_�V option. If the | s�su�ud�do�o is run by root with the -�-V�V option. If the |
| _�s_�e_�c_�u_�r_�e_�__�p_�a_�t_�h option is set, its value will be used for |
_�s_�e_�c_�u_�r_�e_�__�p_�a_�t_�h option is set, its value will be used for |
| the PATH environment variable. This flag is _�o_�n by |
the PATH environment variable. This flag is _�o_�n by |
| default. |
default. |
| |
|
| fast_glob Normally, s�su�ud�do�o uses the _�g_�l_�o_�b(3) function to do shell- | fast_glob Normally, s�su�ud�do�o uses the glob(3) function to do shell- |
| style globbing when matching path names. However, |
style globbing when matching path names. However, |
| since it accesses the file system, _�g_�l_�o_�b(3) can take a | since it accesses the file system, glob(3) can take a |
| long time to complete for some patterns, especially |
long time to complete for some patterns, especially |
| when the pattern references a network file system that |
when the pattern references a network file system that |
| is mounted on demand (automounted). The _�f_�a_�s_�t_�__�g_�l_�o_�b | is mounted on demand (auto mounted). The _�f_�a_�s_�t_�__�g_�l_�o_�b |
| option causes s�su�ud�do�o to use the _�f_�n_�m_�a_�t_�c_�h(3) function, | option causes s�su�ud�do�o to use the fnmatch(3) function, |
| which does not access the file system to do its |
which does not access the file system to do its |
| matching. The disadvantage of _�f_�a_�s_�t_�__�g_�l_�o_�b is that it is |
matching. The disadvantage of _�f_�a_�s_�t_�__�g_�l_�o_�b is that it is |
| unable to match relative path names such as _�._�/_�l_�s or |
unable to match relative path names such as _�._�/_�l_�s or |
| _�._�._�/_�b_�i_�n_�/_�l_�s. This has security implications when path |
_�._�._�/_�b_�i_�n_�/_�l_�s. This has security implications when path |
| names that include globbing characters are used with |
names that include globbing characters are used with |
| the negation operator, '!', as such rules can be | the negation operator, `!', as such rules can be |
| trivially bypassed. As such, this option should not be |
trivially bypassed. As such, this option should not be |
| used when _�s_�u_�d_�o_�e_�r_�s contains rules that contain negated |
used when _�s_�u_�d_�o_�e_�r_�s contains rules that contain negated |
| path names which include globbing characters. This |
path names which include globbing characters. This |
| flag is _�o_�f_�f by default. |
flag is _�o_�f_�f by default. |
| |
|
| fqdn Set this flag if you want to put fully qualified host | fqdn Set this flag if you want to put fully qualified host |
| names in the _�s_�u_�d_�o_�e_�r_�s file. I.e., instead of myhost you | names in the _�s_�u_�d_�o_�e_�r_�s file when the local host name (as |
| | returned by the hostname command) does not contain the |
| | domain name. In other words, instead of myhost you |
| would use myhost.mydomain.edu. You may still use the |
would use myhost.mydomain.edu. You may still use the |
| short form if you wish (and even mix the two). Beware | short form if you wish (and even mix the two). This |
| that turning on _�f_�q_�d_�n requires s�su�ud�do�o to make DNS lookups | option is only effective when the ``canonical'' host |
| which may make s�su�ud�do�o unusable if DNS stops working (for | name, as returned by the g�ge�et�ta�ad�dd�dr�ri�in�nf�fo�o() or |
| example if the machine is not plugged into the | g�ge�et�th�ho�os�st�tb�by�yn�na�am�me�e() function, is a fully-qualified domain |
| network). Also note that you must use the host's | name. This is usually the case when the system is |
| official name as DNS knows it. That is, you may not | configured to use DNS for host name resolution. |
| use a host alias (CNAME entry) due to performance | |
| issues and the fact that there is no way to get all | |
| aliases from DNS. If your machine's host name (as | |
| returned by the hostname command) is already fully | |
| qualified you shouldn't need to set _�f_�q_�d_�n. This flag is | |
| _�o_�f_�f by default. | |
| |
|
| ignore_dot If set, s�su�ud�do�o will ignore '.' or '' (current dir) in the | If the system is configured to use the _�/_�e_�t_�c_�/_�h_�o_�s_�t_�s file |
| PATH environment variable; the PATH itself is not | in preference to DNS, the ``canonical'' host name may |
| modified. This flag is _�o_�f_�f by default. | not be fully-qualified. The order that sources are |
| | queried for hosts name resolution is usually specified |
| | in the _�/_�e_�t_�c_�/_�n_�s_�s_�w_�i_�t_�c_�h_�._�c_�o_�n_�f, _�/_�e_�t_�c_�/_�n_�e_�t_�s_�v_�c_�._�c_�o_�n_�f, |
| | _�/_�e_�t_�c_�/_�h_�o_�s_�t_�._�c_�o_�n_�f, or, in some cases, _�/_�e_�t_�c_�/_�r_�e_�s_�o_�l_�v_�._�c_�o_�n_�f |
| | file. In the _�/_�e_�t_�c_�/_�h_�o_�s_�t_�s file, the first host name of |
| | the entry is considered to be the ``canonical'' name; |
| | subsequent names are aliases that are not used by |
| | s�su�ud�do�oe�er�rs�s. For example, the following hosts file line |
| | for the machine ``xyzzy'' has the fully-qualified |
| | domain name as the ``canonical'' host name, and the |
| | short version as an alias. |
| |
|
| ignore_local_sudoers | 192.168.1.1 xyzzy.sudo.ws xyzzy |
| | |
| | If the machine's hosts file entry is not formatted |
| | properly, the _�f_�q_�d_�n option will not be effective if it |
| | is queried before DNS. |
| | |
| | Beware that when using DNS for host name resolution, |
| | turning on _�f_�q_�d_�n requires s�su�ud�do�oe�er�rs�s to make DNS lookups |
| | which renders s�su�ud�do�o unusable if DNS stops working (for |
| | example if the machine is disconnected from the |
| | network). Also note that just like with the hosts |
| | file, you must use the ``canonical'' name as DNS knows |
| | it. That is, you may not use a host alias (CNAME |
| | entry) due to performance issues and the fact that |
| | there is no way to get all aliases from DNS. |
| | |
| | This flag is _�o_�f_�f by default. |
| | |
| | ignore_dot If set, s�su�ud�do�o will ignore "." or "" (both denoting |
| | current directory) in the PATH environment variable; |
| | the PATH itself is not modified. This flag is _�o_�f_�f by |
| | default. |
| | |
| | ignore_local_sudoers |
| If set via LDAP, parsing of _�/_�e_�t_�c_�/_�s_�u_�d_�o_�e_�r_�s will be |
If set via LDAP, parsing of _�/_�e_�t_�c_�/_�s_�u_�d_�o_�e_�r_�s will be |
| skipped. This is intended for Enterprises that wish to |
skipped. This is intended for Enterprises that wish to |
| prevent the usage of local sudoers files so that only |
prevent the usage of local sudoers files so that only |
| LDAP is used. This thwarts the efforts of rogue |
LDAP is used. This thwarts the efforts of rogue |
| operators who would attempt to add roles to |
operators who would attempt to add roles to |
| _�/_�e_�t_�c_�/_�s_�u_�d_�o_�e_�r_�s. When this option is present, |
_�/_�e_�t_�c_�/_�s_�u_�d_�o_�e_�r_�s. When this option is present, |
| _�/_�e_�t_�c_�/_�s_�u_�d_�o_�e_�r_�s does not even need to exist. Since this | _�/_�e_�t_�c_�/_�s_�u_�d_�o_�e_�r_�s does not even need to exist. Since this |
| option tells s�su�ud�do�o how to behave when no specific LDAP |
option tells s�su�ud�do�o how to behave when no specific LDAP |
| entries have been matched, this sudoOption is only |
entries have been matched, this sudoOption is only |
| meaningful for the cn=defaults section. This flag is |
meaningful for the cn=defaults section. This flag is |
| _�o_�f_�f by default. |
_�o_�f_�f by default. |
| |
|
| insults If set, s�su�ud�do�o will insult users when they enter an | insults If set, s�su�ud�do�o will insult users when they enter an |
| incorrect password. This flag is _�o_�f_�f by default. |
incorrect password. This flag is _�o_�f_�f by default. |
| |
|
| log_host If set, the host name will be logged in the (non- | log_host If set, the host name will be logged in the (non- |
| syslog) s�su�ud�do�o log file. This flag is _�o_�f_�f by default. |
syslog) s�su�ud�do�o log file. This flag is _�o_�f_�f by default. |
| |
|
| log_input If set, s�su�ud�do�o will run the command in a _�p_�s_�e_�u_�d_�o _�t_�t_�y and | log_input If set, s�su�ud�do�o will run the command in a _�p_�s_�e_�u_�d_�o _�t_�t_�y and |
| log all user input. If the standard input is not |
log all user input. If the standard input is not |
| connected to the user's tty, due to I/O redirection or |
connected to the user's tty, due to I/O redirection or |
| because the command is part of a pipeline, that input |
because the command is part of a pipeline, that input |
|
Line 761 S�SU�UD�DO�OE�ER�RS�S O�OP�PT�TI�IO�ON�NS�S
|
Line 836 S�SU�UD�DO�OE�ER�RS�S O�OP�PT�TI�IO�ON�NS�S
|
| Input is logged to the directory specified by the |
Input is logged to the directory specified by the |
| _�i_�o_�l_�o_�g_�__�d_�i_�r option (_�/_�v_�a_�r_�/_�l_�o_�g_�/_�s_�u_�d_�o_�-_�i_�o by default) using a |
_�i_�o_�l_�o_�g_�__�d_�i_�r option (_�/_�v_�a_�r_�/_�l_�o_�g_�/_�s_�u_�d_�o_�-_�i_�o by default) using a |
| unique session ID that is included in the normal s�su�ud�do�o |
unique session ID that is included in the normal s�su�ud�do�o |
| log line, prefixed with _�T_�S_�I_�D_�=. The _�i_�o_�l_�o_�g_�__�f_�i_�l_�e option | log line, prefixed with ``TSID=''. The _�i_�o_�l_�o_�g_�__�f_�i_�l_�e |
| may be used to control the format of the session ID. | option may be used to control the format of the session |
| | ID. |
| |
|
| Note that user input may contain sensitive information |
Note that user input may contain sensitive information |
| such as passwords (even if they are not echoed to the |
such as passwords (even if they are not echoed to the |
|
Line 770 S�SU�UD�DO�OE�ER�RS�S O�OP�PT�TI�IO�ON�NS�S
|
Line 846 S�SU�UD�DO�OE�ER�RS�S O�OP�PT�TI�IO�ON�NS�S
|
| unencrypted. In most cases, logging the command output |
unencrypted. In most cases, logging the command output |
| via _�l_�o_�g_�__�o_�u_�t_�p_�u_�t is all that is required. |
via _�l_�o_�g_�__�o_�u_�t_�p_�u_�t is all that is required. |
| |
|
| log_output If set, s�su�ud�do�o will run the command in a _�p_�s_�e_�u_�d_�o _�t_�t_�y and | log_output If set, s�su�ud�do�o will run the command in a _�p_�s_�e_�u_�d_�o _�t_�t_�y and |
| log all output that is sent to the screen, similar to |
log all output that is sent to the screen, similar to |
| the _�s_�c_�r_�i_�p_�t(1) command. If the standard output or | the script(1) command. If the standard output or |
| standard error is not connected to the user's tty, due |
standard error is not connected to the user's tty, due |
| to I/O redirection or because the command is part of a |
to I/O redirection or because the command is part of a |
| pipeline, that output is also captured and stored in |
pipeline, that output is also captured and stored in |
|
Line 781 S�SU�UD�DO�OE�ER�RS�S O�OP�PT�TI�IO�ON�NS�S
|
Line 857 S�SU�UD�DO�OE�ER�RS�S O�OP�PT�TI�IO�ON�NS�S
|
| Output is logged to the directory specified by the |
Output is logged to the directory specified by the |
| _�i_�o_�l_�o_�g_�__�d_�i_�r option (_�/_�v_�a_�r_�/_�l_�o_�g_�/_�s_�u_�d_�o_�-_�i_�o by default) using a |
_�i_�o_�l_�o_�g_�__�d_�i_�r option (_�/_�v_�a_�r_�/_�l_�o_�g_�/_�s_�u_�d_�o_�-_�i_�o by default) using a |
| unique session ID that is included in the normal s�su�ud�do�o |
unique session ID that is included in the normal s�su�ud�do�o |
| log line, prefixed with _�T_�S_�I_�D_�=. The _�i_�o_�l_�o_�g_�__�f_�i_�l_�e option | log line, prefixed with ``TSID=''. The _�i_�o_�l_�o_�g_�__�f_�i_�l_�e |
| may be used to control the format of the session ID. | option may be used to control the format of the session |
| | ID. |
| |
|
| Output logs may be viewed with the _�s_�u_�d_�o_�r_�e_�p_�l_�a_�y(1m) | Output logs may be viewed with the sudoreplay(1m) |
| utility, which can also be used to list or search the |
utility, which can also be used to list or search the |
| available logs. |
available logs. |
| |
|
| log_year If set, the four-digit year will be logged in the (non- | log_year If set, the four-digit year will be logged in the (non- |
| syslog) s�su�ud�do�o log file. This flag is _�o_�f_�f by default. |
syslog) s�su�ud�do�o log file. This flag is _�o_�f_�f by default. |
| |
|
| long_otp_prompt When validating with a One Time Password (OTP) scheme | long_otp_prompt When validating with a One Time Password (OTP) scheme |
| such as S�S/�/K�Ke�ey�y or O�OP�PI�IE�E, a two-line prompt is used to |
such as S�S/�/K�Ke�ey�y or O�OP�PI�IE�E, a two-line prompt is used to |
| make it easier to cut and paste the challenge to a |
make it easier to cut and paste the challenge to a |
| local window. It's not as pretty as the default but |
local window. It's not as pretty as the default but |
| some people find it more convenient. This flag is _�o_�f_�f |
some people find it more convenient. This flag is _�o_�f_�f |
| by default. |
by default. |
| |
|
| mail_always Send mail to the _�m_�a_�i_�l_�t_�o user every time a users runs | mail_always Send mail to the _�m_�a_�i_�l_�t_�o user every time a users runs |
| s�su�ud�do�o. This flag is _�o_�f_�f by default. |
s�su�ud�do�o. This flag is _�o_�f_�f by default. |
| |
|
| mail_badpass Send mail to the _�m_�a_�i_�l_�t_�o user if the user running s�su�ud�do�o | mail_badpass Send mail to the _�m_�a_�i_�l_�t_�o user if the user running s�su�ud�do�o |
| does not enter the correct password. This flag is _�o_�f_�f | does not enter the correct password. If the command |
| by default. | the user is attempting to run is not permitted by |
| | _�s_�u_�d_�o_�e_�r_�s and one of the _�m_�a_�i_�l_�__�a_�l_�w_�a_�y_�s, _�m_�a_�i_�l_�__�n_�o_�__�h_�o_�s_�t, |
| | _�m_�a_�i_�l_�__�n_�o_�__�p_�e_�r_�m_�s or _�m_�a_�i_�l_�__�n_�o_�__�u_�s_�e_�r flags are set, this flag |
| | will have no effect. This flag is _�o_�f_�f by default. |
| |
|
| mail_no_host If set, mail will be sent to the _�m_�a_�i_�l_�t_�o user if the | mail_no_host If set, mail will be sent to the _�m_�a_�i_�l_�t_�o user if the |
| invoking user exists in the _�s_�u_�d_�o_�e_�r_�s file, but is not |
invoking user exists in the _�s_�u_�d_�o_�e_�r_�s file, but is not |
| allowed to run commands on the current host. This flag |
allowed to run commands on the current host. This flag |
| is _�o_�f_�f by default. |
is _�o_�f_�f by default. |
| |
|
| mail_no_perms If set, mail will be sent to the _�m_�a_�i_�l_�t_�o user if the | mail_no_perms If set, mail will be sent to the _�m_�a_�i_�l_�t_�o user if the |
| invoking user is allowed to use s�su�ud�do�o but the command |
invoking user is allowed to use s�su�ud�do�o but the command |
| they are trying is not listed in their _�s_�u_�d_�o_�e_�r_�s file |
they are trying is not listed in their _�s_�u_�d_�o_�e_�r_�s file |
| entry or is explicitly denied. This flag is _�o_�f_�f by |
entry or is explicitly denied. This flag is _�o_�f_�f by |
| default. |
default. |
| |
|
| mail_no_user If set, mail will be sent to the _�m_�a_�i_�l_�t_�o user if the | mail_no_user If set, mail will be sent to the _�m_�a_�i_�l_�t_�o user if the |
| invoking user is not in the _�s_�u_�d_�o_�e_�r_�s file. This flag is |
invoking user is not in the _�s_�u_�d_�o_�e_�r_�s file. This flag is |
| _�o_�n by default. |
_�o_�n by default. |
| |
|
| noexec If set, all commands run via s�su�ud�do�o will behave as if the | noexec If set, all commands run via s�su�ud�do�o will behave as if the |
| NOEXEC tag has been set, unless overridden by a EXEC |
NOEXEC tag has been set, unless overridden by a EXEC |
| tag. See the description of _�N_�O_�E_�X_�E_�C _�a_�n_�d _�E_�X_�E_�C below as |
tag. See the description of _�N_�O_�E_�X_�E_�C _�a_�n_�d _�E_�X_�E_�C below as |
| well as the "Preventing Shell Escapes" section at the | well as the _�P_�r_�e_�v_�e_�n_�t_�i_�n_�g _�s_�h_�e_�l_�l _�e_�s_�c_�a_�p_�e_�s section at the end |
| end of this manual. This flag is _�o_�f_�f by default. | of this manual. This flag is _�o_�f_�f by default. |
| |
|
| path_info Normally, s�su�ud�do�o will tell the user when a command could | path_info Normally, s�su�ud�do�o will tell the user when a command could |
| not be found in their PATH environment variable. Some |
not be found in their PATH environment variable. Some |
| sites may wish to disable this as it could be used to |
sites may wish to disable this as it could be used to |
| gather information on the location of executables that |
gather information on the location of executables that |
|
Line 836 S�SU�UD�DO�OE�ER�RS�S O�OP�PT�TI�IO�ON�NS�S
|
Line 916 S�SU�UD�DO�OE�ER�RS�S O�OP�PT�TI�IO�ON�NS�S
|
| not allowed to run it, which can be confusing. This |
not allowed to run it, which can be confusing. This |
| flag is _�o_�n by default. |
flag is _�o_�n by default. |
| |
|
| passprompt_override | passprompt_override |
| The password prompt specified by _�p_�a_�s_�s_�p_�r_�o_�m_�p_�t will |
The password prompt specified by _�p_�a_�s_�s_�p_�r_�o_�m_�p_�t will |
| normally only be used if the password prompt provided |
normally only be used if the password prompt provided |
| by systems such as PAM matches the string "Password:". | by systems such as PAM matches the string |
| If _�p_�a_�s_�s_�p_�r_�o_�m_�p_�t_�__�o_�v_�e_�r_�r_�i_�d_�e is set, _�p_�a_�s_�s_�p_�r_�o_�m_�p_�t will always | ``Password:''. If _�p_�a_�s_�s_�p_�r_�o_�m_�p_�t_�__�o_�v_�e_�r_�r_�i_�d_�e is set, |
| be used. This flag is _�o_�f_�f by default. | _�p_�a_�s_�s_�p_�r_�o_�m_�p_�t will always be used. This flag is _�o_�f_�f by |
| | default. |
| |
|
| preserve_groups By default, s�su�ud�do�o will initialize the group vector to | preserve_groups By default, s�su�ud�do�o will initialize the group vector to |
| the list of groups the target user is in. When |
the list of groups the target user is in. When |
| _�p_�r_�e_�s_�e_�r_�v_�e_�__�g_�r_�o_�u_�p_�s is set, the user's existing group |
_�p_�r_�e_�s_�e_�r_�v_�e_�__�g_�r_�o_�u_�p_�s is set, the user's existing group |
| vector is left unaltered. The real and effective group |
vector is left unaltered. The real and effective group |
| IDs, however, are still set to match the target user. |
IDs, however, are still set to match the target user. |
| This flag is _�o_�f_�f by default. |
This flag is _�o_�f_�f by default. |
| |
|
| pwfeedback By default, s�su�ud�do�o reads the password like most other | pwfeedback By default, s�su�ud�do�o reads the password like most other |
| Unix programs, by turning off echo until the user hits |
Unix programs, by turning off echo until the user hits |
| the return (or enter) key. Some users become confused |
the return (or enter) key. Some users become confused |
| by this as it appears to them that s�su�ud�do�o has hung at |
by this as it appears to them that s�su�ud�do�o has hung at |
|
Line 860 S�SU�UD�DO�OE�ER�RS�S O�OP�PT�TI�IO�ON�NS�S
|
Line 941 S�SU�UD�DO�OE�ER�RS�S O�OP�PT�TI�IO�ON�NS�S
|
| able to determine the length of the password being |
able to determine the length of the password being |
| entered. This flag is _�o_�f_�f by default. |
entered. This flag is _�o_�f_�f by default. |
| |
|
| requiretty If set, s�su�ud�do�o will only run when the user is logged in | requiretty If set, s�su�ud�do�o will only run when the user is logged in |
| to a real tty. When this flag is set, s�su�ud�do�o can only be |
to a real tty. When this flag is set, s�su�ud�do�o can only be |
| run from a login session and not via other means such |
run from a login session and not via other means such |
| as _�c_�r_�o_�n(1m) or cgi-bin scripts. This flag is _�o_�f_�f by | as cron(1m) or cgi-bin scripts. This flag is _�o_�f_�f by |
| default. |
default. |
| |
|
| root_sudo If set, root is allowed to run s�su�ud�do�o too. Disabling | root_sudo If set, root is allowed to run s�su�ud�do�o too. Disabling |
| this prevents users from "chaining" s�su�ud�do�o commands to | this prevents users from ``chaining'' s�su�ud�do�o commands to |
| get a root shell by doing something like "sudo sudo | get a root shell by doing something like ``sudo sudo |
| /bin/sh". Note, however, that turning off _�r_�o_�o_�t_�__�s_�u_�d_�o | /bin/sh''. Note, however, that turning off _�r_�o_�o_�t_�__�s_�u_�d_�o |
| will also prevent root from running s�su�ud�do�oe�ed�di�it�t. |
will also prevent root from running s�su�ud�do�oe�ed�di�it�t. |
| Disabling _�r_�o_�o_�t_�__�s_�u_�d_�o provides no real additional |
Disabling _�r_�o_�o_�t_�__�s_�u_�d_�o provides no real additional |
| security; it exists purely for historical reasons. |
security; it exists purely for historical reasons. |
| This flag is _�o_�n by default. |
This flag is _�o_�n by default. |
| |
|
| rootpw If set, s�su�ud�do�o will prompt for the root password instead | rootpw If set, s�su�ud�do�o will prompt for the root password instead |
| of the password of the invoking user. This flag is _�o_�f_�f |
of the password of the invoking user. This flag is _�o_�f_�f |
| by default. |
by default. |
| |
|
| runaspw If set, s�su�ud�do�o will prompt for the password of the user | runaspw If set, s�su�ud�do�o will prompt for the password of the user |
| defined by the _�r_�u_�n_�a_�s_�__�d_�e_�f_�a_�u_�l_�t option (defaults to root) |
defined by the _�r_�u_�n_�a_�s_�__�d_�e_�f_�a_�u_�l_�t option (defaults to root) |
| instead of the password of the invoking user. This |
instead of the password of the invoking user. This |
| flag is _�o_�f_�f by default. |
flag is _�o_�f_�f by default. |
| |
|
| set_home If enabled and s�su�ud�do�o is invoked with the -�-s�s option the | set_home If enabled and s�su�ud�do�o is invoked with the -�-s�s option the |
| HOME environment variable will be set to the home |
HOME environment variable will be set to the home |
| directory of the target user (which is root unless the |
directory of the target user (which is root unless the |
| -�-u�u option is used). This effectively makes the -�-s�s |
-�-u�u option is used). This effectively makes the -�-s�s |
|
Line 894 S�SU�UD�DO�OE�ER�RS�S O�OP�PT�TI�IO�ON�NS�S
|
Line 975 S�SU�UD�DO�OE�ER�RS�S O�OP�PT�TI�IO�ON�NS�S
|
| _�e_�n_�v_�__�r_�e_�s_�e_�t is disabled or HOME is present in the |
_�e_�n_�v_�__�r_�e_�s_�e_�t is disabled or HOME is present in the |
| _�e_�n_�v_�__�k_�e_�e_�p list. This flag is _�o_�f_�f by default. |
_�e_�n_�v_�__�k_�e_�e_�p list. This flag is _�o_�f_�f by default. |
| |
|
| set_logname Normally, s�su�ud�do�o will set the LOGNAME, USER and USERNAME | set_logname Normally, s�su�ud�do�o will set the LOGNAME, USER and USERNAME |
| environment variables to the name of the target user |
environment variables to the name of the target user |
| (usually root unless the -�-u�u option is given). However, |
(usually root unless the -�-u�u option is given). However, |
| since some programs (including the RCS revision control |
since some programs (including the RCS revision control |
|
Line 905 S�SU�UD�DO�OE�ER�RS�S O�OP�PT�TI�IO�ON�NS�S
|
Line 986 S�SU�UD�DO�OE�ER�RS�S O�OP�PT�TI�IO�ON�NS�S
|
| disabled, entries in the _�e_�n_�v_�__�k_�e_�e_�p list will override |
disabled, entries in the _�e_�n_�v_�__�k_�e_�e_�p list will override |
| the value of _�s_�e_�t_�__�l_�o_�g_�n_�a_�m_�e. This flag is _�o_�n by default. |
the value of _�s_�e_�t_�__�l_�o_�g_�n_�a_�m_�e. This flag is _�o_�n by default. |
| |
|
| set_utmp When enabled, s�su�ud�do�o will create an entry in the utmp (or | set_utmp When enabled, s�su�ud�do�o will create an entry in the utmp (or |
| utmpx) file when a pseudo-tty is allocated. A pseudo- |
utmpx) file when a pseudo-tty is allocated. A pseudo- |
| tty is allocated by s�su�ud�do�o when the _�l_�o_�g_�__�i_�n_�p_�u_�t, _�l_�o_�g_�__�o_�u_�t_�p_�u_�t |
tty is allocated by s�su�ud�do�o when the _�l_�o_�g_�__�i_�n_�p_�u_�t, _�l_�o_�g_�__�o_�u_�t_�p_�u_�t |
| or _�u_�s_�e_�__�p_�t_�y flags are enabled. By default, the new |
or _�u_�s_�e_�__�p_�t_�y flags are enabled. By default, the new |
|
Line 913 S�SU�UD�DO�OE�ER�RS�S O�OP�PT�TI�IO�ON�NS�S
|
Line 994 S�SU�UD�DO�OE�ER�RS�S O�OP�PT�TI�IO�ON�NS�S
|
| (if any), with the tty, time, type and pid fields |
(if any), with the tty, time, type and pid fields |
| updated. This flag is _�o_�n by default. |
updated. This flag is _�o_�n by default. |
| |
|
| setenv Allow the user to disable the _�e_�n_�v_�__�r_�e_�s_�e_�t option from the | setenv Allow the user to disable the _�e_�n_�v_�__�r_�e_�s_�e_�t option from the |
| command line via the -�-E�E option. Additionally, |
command line via the -�-E�E option. Additionally, |
| environment variables set via the command line are not |
environment variables set via the command line are not |
| subject to the restrictions imposed by _�e_�n_�v_�__�c_�h_�e_�c_�k, |
subject to the restrictions imposed by _�e_�n_�v_�__�c_�h_�e_�c_�k, |
|
Line 921 S�SU�UD�DO�OE�ER�RS�S O�OP�PT�TI�IO�ON�NS�S
|
Line 1002 S�SU�UD�DO�OE�ER�RS�S O�OP�PT�TI�IO�ON�NS�S
|
| should be allowed to set variables in this manner. |
should be allowed to set variables in this manner. |
| This flag is _�o_�f_�f by default. |
This flag is _�o_�f_�f by default. |
| |
|
| shell_noargs If set and s�su�ud�do�o is invoked with no arguments it acts as | shell_noargs If set and s�su�ud�do�o is invoked with no arguments it acts as |
| if the -�-s�s option had been given. That is, it runs a |
if the -�-s�s option had been given. That is, it runs a |
| shell as root (the shell is determined by the SHELL |
shell as root (the shell is determined by the SHELL |
| environment variable if it is set, falling back on the |
environment variable if it is set, falling back on the |
| shell listed in the invoking user's /etc/passwd entry |
shell listed in the invoking user's /etc/passwd entry |
| if not). This flag is _�o_�f_�f by default. |
if not). This flag is _�o_�f_�f by default. |
| |
|
| stay_setuid Normally, when s�su�ud�do�o executes a command the real and | stay_setuid Normally, when s�su�ud�do�o executes a command the real and |
| effective UIDs are set to the target user (root by |
effective UIDs are set to the target user (root by |
| default). This option changes that behavior such that |
default). This option changes that behavior such that |
| the real UID is left as the invoking user's UID. In |
the real UID is left as the invoking user's UID. In |
|
Line 936 S�SU�UD�DO�OE�ER�RS�S O�OP�PT�TI�IO�ON�NS�S
|
Line 1017 S�SU�UD�DO�OE�ER�RS�S O�OP�PT�TI�IO�ON�NS�S
|
| This can be useful on systems that disable some |
This can be useful on systems that disable some |
| potentially dangerous functionality when a program is |
potentially dangerous functionality when a program is |
| run setuid. This option is only effective on systems |
run setuid. This option is only effective on systems |
| with either the _�s_�e_�t_�r_�e_�u_�i_�d_�(_�) or _�s_�e_�t_�r_�e_�s_�u_�i_�d_�(_�) function. | that support either the setreuid(2) or setresuid(2) |
| This flag is _�o_�f_�f by default. | system call. This flag is _�o_�f_�f by default. |
| |
|
| targetpw If set, s�su�ud�do�o will prompt for the password of the user | targetpw If set, s�su�ud�do�o will prompt for the password of the user |
| specified by the -�-u�u option (defaults to root) instead |
specified by the -�-u�u option (defaults to root) instead |
| of the password of the invoking user. In addition, the |
of the password of the invoking user. In addition, the |
| timestamp file name will include the target user's | time stamp file name will include the target user's |
| name. Note that this flag precludes the use of a uid |
name. Note that this flag precludes the use of a uid |
| not listed in the passwd database as an argument to the |
not listed in the passwd database as an argument to the |
| -�-u�u option. This flag is _�o_�f_�f by default. |
-�-u�u option. This flag is _�o_�f_�f by default. |
| |
|
| tty_tickets If set, users must authenticate on a per-tty basis. | tty_tickets If set, users must authenticate on a per-tty basis. |
| With this flag enabled, s�su�ud�do�o will use a file named for |
With this flag enabled, s�su�ud�do�o will use a file named for |
| the tty the user is logged in on in the user's time |
the tty the user is logged in on in the user's time |
| stamp directory. If disabled, the time stamp of the |
stamp directory. If disabled, the time stamp of the |
| directory is used instead. This flag is _�o_�n by default. |
directory is used instead. This flag is _�o_�n by default. |
| |
|
| umask_override If set, s�su�ud�do�o will set the umask as specified by _�s_�u_�d_�o_�e_�r_�s | umask_override If set, s�su�ud�do�o will set the umask as specified by _�s_�u_�d_�o_�e_�r_�s |
| without modification. This makes it possible to |
without modification. This makes it possible to |
| specify a more permissive umask in _�s_�u_�d_�o_�e_�r_�s than the |
specify a more permissive umask in _�s_�u_�d_�o_�e_�r_�s than the |
| user's own umask and matches historical behavior. If |
user's own umask and matches historical behavior. If |
|
Line 961 S�SU�UD�DO�OE�ER�RS�S O�OP�PT�TI�IO�ON�NS�S
|
Line 1042 S�SU�UD�DO�OE�ER�RS�S O�OP�PT�TI�IO�ON�NS�S
|
| be the union of the user's umask and what is specified |
be the union of the user's umask and what is specified |
| in _�s_�u_�d_�o_�e_�r_�s. This flag is _�o_�f_�f by default. |
in _�s_�u_�d_�o_�e_�r_�s. This flag is _�o_�f_�f by default. |
| |
|
| use_loginclass If set, s�su�ud�do�o will apply the defaults specified for the | use_loginclass If set, s�su�ud�do�o will apply the defaults specified for the |
| target user's login class if one exists. Only |
target user's login class if one exists. Only |
| available if s�su�ud�do�o is configured with the |
available if s�su�ud�do�o is configured with the |
| --with-logincap option. This flag is _�o_�f_�f by default. |
--with-logincap option. This flag is _�o_�f_�f by default. |
| |
|
| use_pty If set, s�su�ud�do�o will run the command in a pseudo-pty even | use_pty If set, s�su�ud�do�o will run the command in a pseudo-pty even |
| if no I/O logging is being gone. A malicious program |
if no I/O logging is being gone. A malicious program |
| run under s�su�ud�do�o could conceivably fork a background |
run under s�su�ud�do�o could conceivably fork a background |
| process that retains to the user's terminal device |
process that retains to the user's terminal device |
|
Line 974 S�SU�UD�DO�OE�ER�RS�S O�OP�PT�TI�IO�ON�NS�S
|
Line 1055 S�SU�UD�DO�OE�ER�RS�S O�OP�PT�TI�IO�ON�NS�S
|
| this option will make that impossible. This flag is |
this option will make that impossible. This flag is |
| _�o_�f_�f by default. |
_�o_�f_�f by default. |
| |
|
| utmp_runas If set, s�su�ud�do�o will store the name of the runas user when | utmp_runas If set, s�su�ud�do�o will store the name of the runas user when |
| updating the utmp (or utmpx) file. By default, s�su�ud�do�o |
updating the utmp (or utmpx) file. By default, s�su�ud�do�o |
| stores the name of the invoking user. This flag is _�o_�f_�f |
stores the name of the invoking user. This flag is _�o_�f_�f |
| by default. |
by default. |
| |
|
| visiblepw By default, s�su�ud�do�o will refuse to run if the user must | visiblepw By default, s�su�ud�do�o will refuse to run if the user must |
| enter a password but it is not possible to disable echo |
enter a password but it is not possible to disable echo |
| on the terminal. If the _�v_�i_�s_�i_�b_�l_�e_�p_�w flag is set, s�su�ud�do�o |
on the terminal. If the _�v_�i_�s_�i_�b_�l_�e_�p_�w flag is set, s�su�ud�do�o |
| will prompt for a password even when it would be |
will prompt for a password even when it would be |
| visible on the screen. This makes it possible to run |
visible on the screen. This makes it possible to run |
| things like "rsh somehost sudo ls" since _�r_�s_�h(1) does | things like ``ssh somehost sudo ls'' since by default, |
| not allocate a tty. This flag is _�o_�f_�f by default. | ssh(1) does not allocate a tty when running a command. |
| | This flag is _�o_�f_�f by default. |
| |
|
| I�In�nt�te�eg�ge�er�rs�s: | I�In�nt�te�eg�ge�er�rs�s: |
| |
|
| closefrom Before it executes a command, s�su�ud�do�o will close all open | closefrom Before it executes a command, s�su�ud�do�o will close all open |
| file descriptors other than standard input, standard |
file descriptors other than standard input, standard |
| output and standard error (ie: file descriptors 0-2). |
output and standard error (ie: file descriptors 0-2). |
| The _�c_�l_�o_�s_�e_�f_�r_�o_�m option can be used to specify a different |
The _�c_�l_�o_�s_�e_�f_�r_�o_�m option can be used to specify a different |
| file descriptor at which to start closing. The default |
file descriptor at which to start closing. The default |
| is 3. |
is 3. |
| |
|
| passwd_tries The number of tries a user gets to enter his/her | passwd_tries The number of tries a user gets to enter his/her |
| password before s�su�ud�do�o logs the failure and exits. The |
password before s�su�ud�do�o logs the failure and exits. The |
| default is 3. |
default is 3. |
| |
|
| I�In�nt�te�eg�ge�er�rs�s t�th�ha�at�t c�ca�an�n b�be�e u�us�se�ed�d i�in�n a�a b�bo�oo�ol�le�ea�an�n c�co�on�nt�te�ex�xt�t: | I�In�nt�te�eg�ge�er�rs�s t�th�ha�at�t c�ca�an�n b�be�e u�us�se�ed�d i�in�n a�a b�bo�oo�ol�le�ea�an�n c�co�on�nt�te�ex�xt�t: |
| |
|
| loglinelen Number of characters per line for the file log. This | loglinelen Number of characters per line for the file log. This |
| value is used to decide when to wrap lines for nicer |
value is used to decide when to wrap lines for nicer |
| log files. This has no effect on the syslog log file, |
log files. This has no effect on the syslog log file, |
| only the file log. The default is 80 (use 0 or negate |
only the file log. The default is 80 (use 0 or negate |
| the option to disable word wrap). |
the option to disable word wrap). |
| |
|
| passwd_timeout Number of minutes before the s�su�ud�do�o password prompt times | passwd_timeout Number of minutes before the s�su�ud�do�o password prompt times |
| out, or 0 for no timeout. The timeout may include a |
out, or 0 for no timeout. The timeout may include a |
| fractional component if minute granularity is |
fractional component if minute granularity is |
| insufficient, for example 2.5. The default is 5. |
insufficient, for example 2.5. The default is 5. |
| |
|
| timestamp_timeout | timestamp_timeout |
| Number of minutes that can elapse before s�su�ud�do�o will ask |
Number of minutes that can elapse before s�su�ud�do�o will ask |
| for a passwd again. The timeout may include a |
for a passwd again. The timeout may include a |
| fractional component if minute granularity is |
fractional component if minute granularity is |
| insufficient, for example 2.5. The default is 5. Set |
insufficient, for example 2.5. The default is 5. Set |
| this to 0 to always prompt for a password. If set to a |
this to 0 to always prompt for a password. If set to a |
| value less than 0 the user's timestamp will never | value less than 0 the user's time stamp will never |
| expire. This can be used to allow users to create or |
expire. This can be used to allow users to create or |
| delete their own timestamps via sudo -v and sudo -k | delete their own time stamps via ``sudo -v'' and ``sudo |
| respectively. | -k'' respectively. |
| |
|
| umask Umask to use when running the command. Negate this | umask Umask to use when running the command. Negate this |
| option or set it to 0777 to preserve the user's umask. |
option or set it to 0777 to preserve the user's umask. |
| The actual umask that is used will be the union of the |
The actual umask that is used will be the union of the |
| user's umask and the value of the _�u_�m_�a_�s_�k option, which |
user's umask and the value of the _�u_�m_�a_�s_�k option, which |
| defaults to 0022. This guarantees that s�su�ud�do�o never |
defaults to 0022. This guarantees that s�su�ud�do�o never |
| lowers the umask when running a command. Note on | lowers the umask when running a command. Note: on |
| systems that use PAM, the default PAM configuration may |
systems that use PAM, the default PAM configuration may |
| specify its own umask which will override the value set |
specify its own umask which will override the value set |
| in _�s_�u_�d_�o_�e_�r_�s. |
in _�s_�u_�d_�o_�e_�r_�s. |
| |
|
| S�St�tr�ri�in�ng�gs�s: | S�St�tr�ri�in�ng�gs�s: |
| |
|
| badpass_message Message that is displayed if a user enters an incorrect | badpass_message Message that is displayed if a user enters an incorrect |
| password. The default is Sorry, try again. unless |
password. The default is Sorry, try again. unless |
| insults are enabled. |
insults are enabled. |
| |
|
| editor A colon (':') separated list of editors allowed to be | editor A colon (`:') separated list of editors allowed to be |
| used with v�vi�is�su�ud�do�o. v�vi�is�su�ud�do�o will choose the editor that |
used with v�vi�is�su�ud�do�o. v�vi�is�su�ud�do�o will choose the editor that |
| matches the user's EDITOR environment variable if |
matches the user's EDITOR environment variable if |
| possible, or the first editor in the list that exists |
possible, or the first editor in the list that exists |
| and is executable. The default is "vi". | and is executable. The default is _�v_�i. |
| |
|
| iolog_dir The top-level directory to use when constructing the | iolog_dir The top-level directory to use when constructing the |
| path name for the input/output log directory. Only |
path name for the input/output log directory. Only |
| used if the _�l_�o_�g_�__�i_�n_�p_�u_�t or _�l_�o_�g_�__�o_�u_�t_�p_�u_�t options are enabled |
used if the _�l_�o_�g_�__�i_�n_�p_�u_�t or _�l_�o_�g_�__�o_�u_�t_�p_�u_�t options are enabled |
| or when the LOG_INPUT or LOG_OUTPUT tags are present |
or when the LOG_INPUT or LOG_OUTPUT tags are present |
| for a command. The session sequence number, if any, is |
for a command. The session sequence number, if any, is |
| stored in the directory. The default is |
stored in the directory. The default is |
| "/var/log/sudo-io". | _�/_�v_�a_�r_�/_�l_�o_�g_�/_�s_�u_�d_�o_�-_�i_�o. |
| |
|
| The following percent (`%') escape sequences are |
The following percent (`%') escape sequences are |
| supported: |
supported: |
| |
|
| %{seq} |
%{seq} |
| expanded to a monotonically increasing base-36 | expanded to a monotonically increasing base-36 |
| sequence number, such as 0100A5, where every two | sequence number, such as 0100A5, where every two |
| digits are used to form a new directory, e.g. | digits are used to form a new directory, e.g. |
| _�0_�1_�/_�0_�0_�/_�A_�5 | _�0_�1_�/_�0_�0_�/_�A_�5 |
| |
|
| %{user} |
%{user} |
| expanded to the invoking user's login name | expanded to the invoking user's login name |
| |
|
| %{group} |
%{group} |
| expanded to the name of the invoking user's real | expanded to the name of the invoking user's real |
| group ID | group ID |
| |
|
| %{runas_user} |
%{runas_user} |
| expanded to the login name of the user the command | expanded to the login name of the user the |
| will be run as (e.g. root) | command will be run as (e.g. root) |
| |
|
| %{runas_group} |
%{runas_group} |
| expanded to the group name of the user the command | expanded to the group name of the user the |
| will be run as (e.g. wheel) | command will be run as (e.g. wheel) |
| |
|
| %{hostname} |
%{hostname} |
| expanded to the local host name without the domain | expanded to the local host name without the |
| name | domain name |
| |
|
| %{command} |
%{command} |
| expanded to the base name of the command being run | expanded to the base name of the command being |
| | run |
| |
|
| In addition, any escape sequences supported by the |
In addition, any escape sequences supported by the |
| system's _�s_�t_�r_�f_�t_�i_�m_�e_�(_�) function will be expanded. | system's strftime(3) function will be expanded. |
| |
|
| To include a literal `%' character, the string `%%' |
To include a literal `%' character, the string `%%' |
| should be used. |
should be used. |
| |
|
| iolog_file The path name, relative to _�i_�o_�l_�o_�g_�__�d_�i_�r, in which to store | iolog_file The path name, relative to _�i_�o_�l_�o_�g_�__�d_�i_�r, in which to store |
| input/output logs when the _�l_�o_�g_�__�i_�n_�p_�u_�t or _�l_�o_�g_�__�o_�u_�t_�p_�u_�t |
input/output logs when the _�l_�o_�g_�__�i_�n_�p_�u_�t or _�l_�o_�g_�__�o_�u_�t_�p_�u_�t |
| options are enabled or when the LOG_INPUT or LOG_OUTPUT |
options are enabled or when the LOG_INPUT or LOG_OUTPUT |
| tags are present for a command. Note that _�i_�o_�l_�o_�g_�__�f_�i_�l_�e |
tags are present for a command. Note that _�i_�o_�l_�o_�g_�__�f_�i_�l_�e |
| may contain directory components. The default is |
may contain directory components. The default is |
| "%{seq}". | ``%{seq}''. |
| |
|
| See the _�i_�o_�l_�o_�g_�__�d_�i_�r option above for a list of supported |
See the _�i_�o_�l_�o_�g_�__�d_�i_�r option above for a list of supported |
| percent (`%') escape sequences. |
percent (`%') escape sequences. |
|
Line 1104 S�SU�UD�DO�OE�ER�RS�S O�OP�PT�TI�IO�ON�NS�S
|
Line 1187 S�SU�UD�DO�OE�ER�RS�S O�OP�PT�TI�IO�ON�NS�S
|
| In addition to the escape sequences, path names that |
In addition to the escape sequences, path names that |
| end in six or more Xs will have the Xs replaced with a |
end in six or more Xs will have the Xs replaced with a |
| unique combination of digits and letters, similar to |
unique combination of digits and letters, similar to |
| the _�m_�k_�t_�e_�m_�p_�(_�) function. | the mktemp(3) function. |
| |
|
| mailsub Subject of the mail sent to the _�m_�a_�i_�l_�t_�o user. The escape | limitprivs The default Solaris limit privileges to use when |
| %h will expand to the host name of the machine. | constructing a new privilege set for a command. This |
| Default is *** SECURITY information for %h ***. | bounds all privileges of the executing process. The |
| | default limit privileges may be overridden on a per- |
| | command basis in _�s_�u_�d_�o_�e_�r_�s. This option is only |
| | available if s�su�ud�do�oe�er�rs�s is built on Solaris 10 or higher. |
| |
|
| noexec_file This option is no longer supported. The path to the | mailsub Subject of the mail sent to the _�m_�a_�i_�l_�t_�o user. The |
| | escape %h will expand to the host name of the machine. |
| | Default is ``*** SECURITY information for %h ***''. |
| | |
| | noexec_file This option is no longer supported. The path to the |
| noexec file should now be set in the _�/_�e_�t_�c_�/_�s_�u_�d_�o_�._�c_�o_�n_�f |
noexec file should now be set in the _�/_�e_�t_�c_�/_�s_�u_�d_�o_�._�c_�o_�n_�f |
| file. |
file. |
| |
|
| passprompt The default prompt to use when asking for a password; | passprompt The default prompt to use when asking for a password; |
| can be overridden via the -�-p�p option or the SUDO_PROMPT |
can be overridden via the -�-p�p option or the SUDO_PROMPT |
| environment variable. The following percent (`%') |
environment variable. The following percent (`%') |
| escape sequences are supported: |
escape sequences are supported: |
| |
|
| %H expanded to the local host name including the | %H expanded to the local host name including the |
| domain name (only if the machine's host name is | domain name (only if the machine's host name is |
| fully qualified or the _�f_�q_�d_�n option is set) | fully qualified or the _�f_�q_�d_�n option is set) |
| |
|
| %h expanded to the local host name without the domain | |
| name | domain name |
| |
|
| %p expanded to the user whose password is being asked | %p expanded to the user whose password is being |
| for (respects the _�r_�o_�o_�t_�p_�w, _�t_�a_�r_�g_�e_�t_�p_�w and _�r_�u_�n_�a_�s_�p_�w | |
| flags in _�s_�u_�d_�o_�e_�r_�s) | _�r_�u_�n_�a_�s_�p_�w flags in _�s_�u_�d_�o_�e_�r_�s) |
| |
|
| %U expanded to the login name of the user the command | |
| will be run as (defaults to root) | command will be run as (defaults to root) |
| |
|
| %u expanded to the invoking user's login name | %u expanded to the invoking user's login name |
| |
|
| %% two consecutive % characters are collapsed into a | %% two consecutive % characters are collapsed into a |
| single % character | single % character |
| |
|
| The default value is Password:. | The default value is ``Password:''. |
| |
|
| role The default SELinux role to use when constructing a new | privs The default Solaris privileges to use when constructing |
| | a new privilege set for a command. This is passed to |
| | the executing process via the inherited privilege set, |
| | but is bounded by the limit privileges. If the _�p_�r_�i_�v_�s |
| | option is specified but the _�l_�i_�m_�i_�t_�p_�r_�i_�v_�s option is not, |
| | the limit privileges of the executing process is set to |
| | _�p_�r_�i_�v_�s. The default privileges may be overridden on a |
| | per-command basis in _�s_�u_�d_�o_�e_�r_�s. This option is only |
| | available if s�su�ud�do�oe�er�rs�s is built on Solaris 10 or higher. |
| | |
| | role The default SELinux role to use when constructing a new |
| security context to run the command. The default role |
security context to run the command. The default role |
| may be overridden on a per-command basis in _�s_�u_�d_�o_�e_�r_�s or |
may be overridden on a per-command basis in _�s_�u_�d_�o_�e_�r_�s or |
| via command line options. This option is only |
via command line options. This option is only |
| available whe s�su�ud�do�o is built with SELinux support. | available when s�su�ud�do�o is built with SELinux support. |
| |
|
| runas_default The default user to run commands as if the -�-u�u option is | runas_default The default user to run commands as if the -�-u�u option is |
| not specified on the command line. This defaults to |
not specified on the command line. This defaults to |
| root. |
root. |
| |
|
| syslog_badpri Syslog priority to use when user authenticates | syslog_badpri Syslog priority to use when user authenticates |
| unsuccessfully. Defaults to alert. |
unsuccessfully. Defaults to alert. |
| |
|
| The following syslog priorities are supported: a�al�le�er�rt�t, |
The following syslog priorities are supported: a�al�le�er�rt�t, |
| c�cr�ri�it�t, d�de�eb�bu�ug�g, e�em�me�er�rg�g, e�er�rr�r, i�in�nf�fo�o, n�no�ot�ti�ic�ce�e, and w�wa�ar�rn�ni�in�ng�g. |
c�cr�ri�it�t, d�de�eb�bu�ug�g, e�em�me�er�rg�g, e�er�rr�r, i�in�nf�fo�o, n�no�ot�ti�ic�ce�e, and w�wa�ar�rn�ni�in�ng�g. |
| |
|
| syslog_goodpri Syslog priority to use when user authenticates | syslog_goodpri Syslog priority to use when user authenticates |
| successfully. Defaults to notice. |
successfully. Defaults to notice. |
| |
|
| See syslog_badpri for the list of supported syslog | See _�s_�y_�s_�l_�o_�g_�__�b_�a_�d_�p_�r_�i for the list of supported syslog |
| priorities. |
priorities. |
| |
|
| sudoers_locale Locale to use when parsing the sudoers file, logging | sudoers_locale Locale to use when parsing the sudoers file, logging |
| commands, and sending email. Note that changing the |
commands, and sending email. Note that changing the |
| locale may affect how sudoers is interpreted. Defaults |
locale may affect how sudoers is interpreted. Defaults |
| to "C". | to ``C''. |
| |
|
| timestampdir The directory in which s�su�ud�do�o stores its timestamp files. | timestampdir The directory in which s�su�ud�do�o stores its time stamp |
| The default is _�/_�v_�a_�r_�/_�a_�d_�m_�/_�s_�u_�d_�o. | files. The default is _�/_�v_�a_�r_�/_�a_�d_�m_�/_�s_�u_�d_�o. |
| |
|
| timestampowner The owner of the timestamp directory and the timestamps | timestampowner The owner of the time stamp directory and the time |
| stored therein. The default is root. | stamps stored therein. The default is root. |
| |
|
| type The default SELinux type to use when constructing a new | type The default SELinux type to use when constructing a new |
| security context to run the command. The default type |
security context to run the command. The default type |
| may be overridden on a per-command basis in _�s_�u_�d_�o_�e_�r_�s or |
may be overridden on a per-command basis in _�s_�u_�d_�o_�e_�r_�s or |
| via command line options. This option is only |
via command line options. This option is only |
| available whe s�su�ud�do�o is built with SELinux support. | available when s�su�ud�do�o is built with SELinux support. |
| |
|
| S�St�tr�ri�in�ng�gs�s t�th�ha�at�t c�ca�an�n b�be�e u�us�se�ed�d i�in�n a�a b�bo�oo�ol�le�ea�an�n c�co�on�nt�te�ex�xt�t: | S�St�tr�ri�in�ng�gs�s t�th�ha�at�t c�ca�an�n b�be�e u�us�se�ed�d i�in�n a�a b�bo�oo�ol�le�ea�an�n c�co�on�nt�te�ex�xt�t: |
| |
|
| env_file The _�e_�n_�v_�__�f_�i_�l_�e option specifies the fully qualified path to a | env_file The _�e_�n_�v_�__�f_�i_�l_�e option specifies the fully qualified path to a |
| file containing variables to be set in the environment of |
file containing variables to be set in the environment of |
| the program being run. Entries in this file should either |
the program being run. Entries in this file should either |
| be of the form VARIABLE=value or export VARIABLE=value. | be of the form ``VARIABLE=value'' or ``export |
| The value may optionally be surrounded by single or double | VARIABLE=value''. The value may optionally be surrounded |
| quotes. Variables in this file are subject to other s�su�ud�do�o | by single or double quotes. Variables in this file are |
| environment settings such as _�e_�n_�v_�__�k_�e_�e_�p and _�e_�n_�v_�__�c_�h_�e_�c_�k. | subject to other s�su�ud�do�o environment settings such as _�e_�n_�v_�__�k_�e_�e_�p |
| | and _�e_�n_�v_�__�c_�h_�e_�c_�k. |
| |
|
| exempt_group | exempt_group Users in this group are exempt from password and PATH |
| Users in this group are exempt from password and PATH | |
| requirements. The group name specified should not include |
requirements. The group name specified should not include |
| a % prefix. This is not set by default. |
a % prefix. This is not set by default. |
| |
|
| group_plugin | group_plugin A string containing a _�s_�u_�d_�o_�e_�r_�s group plugin with optional |
| A string containing a _�s_�u_�d_�o_�e_�r_�s group plugin with optional | |
| arguments. This can be used to implement support for the |
arguments. This can be used to implement support for the |
| nonunix_group syntax described earlier. The string should |
nonunix_group syntax described earlier. The string should |
| consist of the plugin path, either fully-qualified or |
consist of the plugin path, either fully-qualified or |
|
Line 1203 S�SU�UD�DO�OE�ER�RS�S O�OP�PT�TI�IO�ON�NS�S
|
Line 1302 S�SU�UD�DO�OE�ER�RS�S O�OP�PT�TI�IO�ON�NS�S
|
| any configuration arguments the plugin requires. These |
any configuration arguments the plugin requires. These |
| arguments (if any) will be passed to the plugin's |
arguments (if any) will be passed to the plugin's |
| initialization function. If arguments are present, the |
initialization function. If arguments are present, the |
| string must be enclosed in double quotes ("). | string must be enclosed in double quotes (""). |
| |
|
| For example, given _�/_�e_�t_�c_�/_�s_�u_�d_�o_�-_�g_�r_�o_�u_�p, a group file in Unix |
For example, given _�/_�e_�t_�c_�/_�s_�u_�d_�o_�-_�g_�r_�o_�u_�p, a group file in Unix |
| group format, the sample group plugin can be used: |
group format, the sample group plugin can be used: |
| |
|
| Defaults group_plugin="sample_group.so /etc/sudo-group" | Defaults group_plugin="sample_group.so /etc/sudo-group" |
| |
|
| For more information see _�s_�u_�d_�o_�__�p_�l_�u_�g_�i_�n(4). | For more information see sudo_plugin(4). |
| |
|
| lecture This option controls when a short lecture will be printed | lecture This option controls when a short lecture will be printed |
| along with the password prompt. It has the following |
along with the password prompt. It has the following |
| possible values: |
possible values: |
| |
|
|
Line 1226 S�SU�UD�DO�OE�ER�RS�S O�OP�PT�TI�IO�ON�NS�S
|
Line 1325 S�SU�UD�DO�OE�ER�RS�S O�OP�PT�TI�IO�ON�NS�S
|
| Negating the option results in a value of _�n_�e_�v_�e_�r being used. |
Negating the option results in a value of _�n_�e_�v_�e_�r being used. |
| The default value is _�o_�n_�c_�e. |
The default value is _�o_�n_�c_�e. |
| |
|
| lecture_file | lecture_file Path to a file containing an alternate s�su�ud�do�o lecture that |
| Path to a file containing an alternate s�su�ud�do�o lecture that | |
| will be used in place of the standard lecture if the named |
will be used in place of the standard lecture if the named |
| file exists. By default, s�su�ud�do�o uses a built-in lecture. |
file exists. By default, s�su�ud�do�o uses a built-in lecture. |
| |
|
| listpw This option controls when a password will be required when | listpw This option controls when a password will be required when |
| a user runs s�su�ud�do�o with the -�-l�l option. It has the following |
a user runs s�su�ud�do�o with the -�-l�l option. It has the following |
| possible values: |
possible values: |
| |
|
| all All the user's _�s_�u_�d_�o_�e_�r_�s entries for the current host | all All the user's _�s_�u_�d_�o_�e_�r_�s entries for the current |
| must have the NOPASSWD flag set to avoid entering a | |
| password. | entering a password. |
| |
|
| always The user must always enter a password to use the -�-l�l | always The user must always enter a password to use the |
| option. | -�-l�l option. |
| |
|
| any At least one of the user's _�s_�u_�d_�o_�e_�r_�s entries for the | any At least one of the user's _�s_�u_�d_�o_�e_�r_�s entries for |
| current host must have the NOPASSWD flag set to | the current host must have the NOPASSWD flag se the current host must have the NOPASSWD flag se |
| avoid entering a password. | to avoid entering a password. |
| |
|
| never The user need never enter a password to use the -�-l�l | never The user need never enter a password to use the |
| option. | -�-l�l option. |
| |
|
| If no value is specified, a value of _�a_�n_�y is implied. |
If no value is specified, a value of _�a_�n_�y is implied. |
| Negating the option results in a value of _�n_�e_�v_�e_�r being used. |
Negating the option results in a value of _�n_�e_�v_�e_�r being used. |
| The default value is _�a_�n_�y. |
The default value is _�a_�n_�y. |
| |
|
| logfile Path to the s�su�ud�do�o log file (not the syslog log file). | logfile Path to the s�su�ud�do�o log file (not the syslog log file). |
| Setting a path turns on logging to a file; negating this |
Setting a path turns on logging to a file; negating this |
| option turns it off. By default, s�su�ud�do�o logs via syslog. |
option turns it off. By default, s�su�ud�do�o logs via syslog. |
| |
|
| mailerflags Flags to use when invoking mailer. Defaults to -�-t�t. | mailerflags Flags to use when invoking mailer. Defaults to -�-t�t. |
| |
|
| mailerpath Path to mail program used to send warning mail. Defaults | mailerpath Path to mail program used to send warning mail. Defaults |
| to the path to sendmail found at configure time. |
to the path to sendmail found at configure time. |
| |
|
| mailfrom Address to use for the "from" address when sending warning | mailfrom Address to use for the ``from'' address when sending |
| and error mail. The address should be enclosed in double | warning and error mail. The address should be enclosed in |
| quotes (") to protect against s�su�ud�do�o interpreting the @ sign. | double quotes ("") to protect against s�su�ud�do�o interpreting the |
| Defaults to the name of the user running s�su�ud�do�o. | @ sign. Defaults to the name of the user running s�su�ud�do�o. |
| |
|
| mailto Address to send warning and error mail to. The address | mailto Address to send warning and error mail to. The address |
| should be enclosed in double quotes (") to protect against | should be enclosed in double quotes ("") to protect against |
| s�su�ud�do�o interpreting the @ sign. Defaults to root. |
s�su�ud�do�o interpreting the @ sign. Defaults to root. |
| |
|
| secure_path Path used for every command run from s�su�ud�do�o. If you don't | secure_path Path used for every command run from s�su�ud�do�o. If you don't |
| trust the people running s�su�ud�do�o to have a sane PATH |
trust the people running s�su�ud�do�o to have a sane PATH |
| environment variable you may want to use this. Another use |
environment variable you may want to use this. Another use |
| is if you want to have the "root path" be separate from the | is if you want to have the ``root path'' be separate from |
| "user path." Users in the group specified by the | the ``user path''. Users in the group specified by the |
| _�e_�x_�e_�m_�p_�t_�__�g_�r_�o_�u_�p option are not affected by _�s_�e_�c_�u_�r_�e_�__�p_�a_�t_�h. This |
_�e_�x_�e_�m_�p_�t_�__�g_�r_�o_�u_�p option are not affected by _�s_�e_�c_�u_�r_�e_�__�p_�a_�t_�h. This |
| option is not set by default. |
option is not set by default. |
| |
|
| syslog Syslog facility if syslog is being used for logging (negate | syslog Syslog facility if syslog is being used for logging (negate |
| to disable syslog logging). Defaults to auth. |
to disable syslog logging). Defaults to auth. |
| |
|
| The following syslog facilities are supported: a�au�ut�th�hp�pr�ri�iv�v (if |
The following syslog facilities are supported: a�au�ut�th�hp�pr�ri�iv�v (if |
| your OS supports it), a�au�ut�th�h, d�da�ae�em�mo�on�n, u�us�se�er�r, l�lo�oc�ca�al�l0�0, l�lo�oc�ca�al�l1�1, |
your OS supports it), a�au�ut�th�h, d�da�ae�em�mo�on�n, u�us�se�er�r, l�lo�oc�ca�al�l0�0, l�lo�oc�ca�al�l1�1, |
| l�lo�oc�ca�al�l2�2, l�lo�oc�ca�al�l3�3, l�lo�oc�ca�al�l4�4, l�lo�oc�ca�al�l5�5, l�lo�oc�ca�al�l6�6, and l�lo�oc�ca�al�l7�7. |
l�lo�oc�ca�al�l2�2, l�lo�oc�ca�al�l3�3, l�lo�oc�ca�al�l4�4, l�lo�oc�ca�al�l5�5, l�lo�oc�ca�al�l6�6, and l�lo�oc�ca�al�l7�7. |
| |
|
| verifypw This option controls when a password will be required when | verifypw This option controls when a password will be required when |
| a user runs s�su�ud�do�o with the -�-v�v option. It has the following |
a user runs s�su�ud�do�o with the -�-v�v option. It has the following |
| possible values: |
possible values: |
| |
|
|
Line 1308 S�SU�UD�DO�OE�ER�RS�S O�OP�PT�TI�IO�ON�NS�S
|
Line 1406 S�SU�UD�DO�OE�ER�RS�S O�OP�PT�TI�IO�ON�NS�S
|
| Negating the option results in a value of _�n_�e_�v_�e_�r being used. |
Negating the option results in a value of _�n_�e_�v_�e_�r being used. |
| The default value is _�a_�l_�l. |
The default value is _�a_�l_�l. |
| |
|
| L�Li�is�st�ts�s t�th�ha�at�t c�ca�an�n b�be�e u�us�se�ed�d i�in�n a�a b�bo�oo�ol�le�ea�an�n c�co�on�nt�te�ex�xt�t: | L�Li�is�st�ts�s t�th�ha�at�t c�ca�an�n b�be�e u�us�se�ed�d i�in�n a�a b�bo�oo�ol�le�ea�an�n c�co�on�nt�te�ex�xt�t: |
| |
|
| env_check Environment variables to be removed from the user's | env_check Environment variables to be removed from the user's |
| environment if the variable's value contains % or / | environment if the variable's value contains `%' or `/' |
| characters. This can be used to guard against printf- |
characters. This can be used to guard against printf- |
| style format vulnerabilities in poorly-written |
style format vulnerabilities in poorly-written |
| programs. The argument may be a double-quoted, space- |
programs. The argument may be a double-quoted, space- |
|
Line 1323 S�SU�UD�DO�OE�ER�RS�S O�OP�PT�TI�IO�ON�NS�S
|
Line 1421 S�SU�UD�DO�OE�ER�RS�S O�OP�PT�TI�IO�ON�NS�S
|
| env_check will be preserved in the environment if they |
env_check will be preserved in the environment if they |
| pass the aforementioned check. The default list of |
pass the aforementioned check. The default list of |
| environment variables to check is displayed when s�su�ud�do�o |
environment variables to check is displayed when s�su�ud�do�o |
| is run by root with the _�-_�V option. | is run by root with the -�-V�V option. |
| |
|
| env_delete Environment variables to be removed from the user's | env_delete Environment variables to be removed from the user's |
| environment when the _�e_�n_�v_�__�r_�e_�s_�e_�t option is not in effect. |
environment when the _�e_�n_�v_�__�r_�e_�s_�e_�t option is not in effect. |
| The argument may be a double-quoted, space-separated |
The argument may be a double-quoted, space-separated |
| list or a single value without double-quotes. The list |
list or a single value without double-quotes. The list |
| can be replaced, added to, deleted from, or disabled by |
can be replaced, added to, deleted from, or disabled by |
| using the =, +=, -=, and ! operators respectively. The |
using the =, +=, -=, and ! operators respectively. The |
| default list of environment variables to remove is |
default list of environment variables to remove is |
| displayed when s�su�ud�do�o is run by root with the _�-_�V option. | displayed when s�su�ud�do�o is run by root with the -�-V�V option. |
| Note that many operating systems will remove |
Note that many operating systems will remove |
| potentially dangerous variables from the environment of |
potentially dangerous variables from the environment of |
| any setuid process (such as s�su�ud�do�o). |
any setuid process (such as s�su�ud�do�o). |
| |
|
| env_keep Environment variables to be preserved in the user's | env_keep Environment variables to be preserved in the user's |
| environment when the _�e_�n_�v_�__�r_�e_�s_�e_�t option is in effect. |
environment when the _�e_�n_�v_�__�r_�e_�s_�e_�t option is in effect. |
| This allows fine-grained control over the environment |
This allows fine-grained control over the environment |
| s�su�ud�do�o-spawned processes will receive. The argument may |
s�su�ud�do�o-spawned processes will receive. The argument may |
|
Line 1346 S�SU�UD�DO�OE�ER�RS�S O�OP�PT�TI�IO�ON�NS�S
|
Line 1444 S�SU�UD�DO�OE�ER�RS�S O�OP�PT�TI�IO�ON�NS�S
|
| added to, deleted from, or disabled by using the =, +=, |
added to, deleted from, or disabled by using the =, +=, |
| -=, and ! operators respectively. The default list of |
-=, and ! operators respectively. The default list of |
| variables to keep is displayed when s�su�ud�do�o is run by root |
variables to keep is displayed when s�su�ud�do�o is run by root |
| with the _�-_�V option. | with the -�-V�V option. |
| |
|
| |
L�LO�OG�G F�FO�OR�RM�MA�AT�T |
| |
s�su�ud�do�oe�er�rs�s can log events using either syslog(3) or a simple log file. In |
| |
each case the log format is almost identical. |
| |
|
| |
A�Ac�cc�ce�ep�pt�te�ed�d c�co�om�mm�ma�an�nd�d l�lo�og�g e�en�nt�tr�ri�ie�es�s |
| |
Commands that sudo runs are logged using the following format (split into |
| |
multiple lines for readability): |
| |
|
| |
date hostname progname: username : TTY=ttyname ; PWD=cwd ; \ |
| |
USER=runasuser ; GROUP=runasgroup ; TSID=logid ; \ |
| |
ENV=env_vars COMMAND=command |
| |
|
| |
Where the fields are as follows: |
| |
|
| |
date The date the command was run. Typically, this is in the |
| |
format ``MMM, DD, HH:MM:SS''. If logging via syslog(3), |
| |
the actual date format is controlled by the syslog daemon. |
| |
If logging to a file and the _�l_�o_�g_�__�y_�e_�a_�r option is enabled, |
| |
the date will also include the year. |
| |
|
| |
hostname The name of the host s�su�ud�do�o was run on. This field is only |
| |
present when logging via syslog(3). |
| |
|
| |
progname The name of the program, usually _�s_�u_�d_�o or _�s_�u_�d_�o_�e_�d_�i_�t. This |
| |
field is only present when logging via syslog(3). |
| |
|
| |
username The login name of the user who ran s�su�ud�do�o. |
| |
|
| |
ttyname The short name of the terminal (e.g. ``console'', |
| |
``tty01'', or ``pts/0'') s�su�ud�do�o was run on, or ``unknown'' if |
| |
there was no terminal present. |
| |
|
| |
cwd The current working directory that s�su�ud�do�o was run in. |
| |
|
| |
runasuser The user the command was run as. |
| |
|
| |
runasgroup The group the command was run as if one was specified on |
| |
the command line. |
| |
|
| |
logid An I/O log identifier that can be used to replay the |
| |
command's output. This is only present when the _�l_�o_�g_�__�i_�n_�p_�u_�t |
| |
or _�l_�o_�g_�__�o_�u_�t_�p_�u_�t option is enabled. |
| |
|
| |
env_vars A list of environment variables specified on the command |
| |
line, if specified. |
| |
|
| |
command The actual command that was executed. |
| |
|
| |
Messages are logged using the locale specified by _�s_�u_�d_�o_�e_�r_�s_�__�l_�o_�c_�a_�l_�e, which |
| |
defaults to the ``C'' locale. |
| |
|
| |
D�De�en�ni�ie�ed�d c�co�om�mm�ma�an�nd�d l�lo�og�g e�en�nt�tr�ri�ie�es�s |
| |
If the user is not allowed to run the command, the reason for the denial |
| |
will follow the user name. Possible reasons include: |
| |
|
| |
user NOT in sudoers |
| |
The user is not listed in the _�s_�u_�d_�o_�e_�r_�s file. |
| |
|
| |
user NOT authorized on host |
| |
The user is listed in the _�s_�u_�d_�o_�e_�r_�s file but is not allowed to run |
| |
commands on the host. |
| |
|
| |
command not allowed |
| |
The user is listed in the _�s_�u_�d_�o_�e_�r_�s file for the host but they are not |
| |
allowed to run the specified command. |
| |
|
| |
3 incorrect password attempts |
| |
The user failed to enter their password after 3 tries. The actual |
| |
number of tries will vary based on the number of failed attempts and |
| |
the value of the _�p_�a_�s_�s_�w_�d_�__�t_�r_�i_�e_�s option. |
| |
|
| |
a password is required |
| |
s�su�ud�do�o's -�-n�n option was specified but a password was required. |
| |
|
| |
sorry, you are not allowed to set the following environment variables |
| |
The user specified environment variables on the command line that were |
| |
not allowed by _�s_�u_�d_�o_�e_�r_�s. |
| |
|
| |
E�Er�rr�ro�or�r l�lo�og�g e�en�nt�tr�ri�ie�es�s |
| |
If an error occurs, s�su�ud�do�oe�er�rs�s will log a message and, in most cases, send a |
| |
message to the administrator via email. Possible errors include: |
| |
|
| |
parse error in /etc/sudoers near line N |
| |
s�su�ud�do�oe�er�rs�s encountered an error when parsing the specified file. In some |
| |
cases, the actual error may be one line above or below the line number |
| |
listed, depending on the type of error. |
| |
|
| |
problem with defaults entries |
| |
The _�s_�u_�d_�o_�e_�r_�s file contains one or more unknown Defaults settings. This |
| |
does not prevent s�su�ud�do�o from running, but the _�s_�u_�d_�o_�e_�r_�s file should be |
| |
checked using v�vi�is�su�ud�do�o. |
| |
|
| |
timestamp owner (username): No such user |
| |
The time stamp directory owner, as specified by the _�t_�i_�m_�e_�s_�t_�a_�m_�p_�o_�w_�n_�e_�r |
| |
setting, could not be found in the password database. |
| |
|
| |
unable to open/read /etc/sudoers |
| |
The _�s_�u_�d_�o_�e_�r_�s file could not be opened for reading. This can happen |
| |
when the _�s_�u_�d_�o_�e_�r_�s file is located on a remote file system that maps |
| |
user ID 0 to a different value. Normally, s�su�ud�do�oe�er�rs�s tries to open |
| |
_�s_�u_�d_�o_�e_�r_�s using group permissions to avoid this problem. Consider |
| |
changing the ownership of _�/_�e_�t_�c_�/_�s_�u_�d_�o_�e_�r_�s by adding an option like |
| |
``sudoers_uid=N'' (where `N' is the user ID that owns the _�s_�u_�d_�o_�e_�r_�s |
| |
file) to the s�su�ud�do�oe�er�rs�s plugin line in the _�/_�e_�t_�c_�/_�s_�u_�d_�o_�._�c_�o_�n_�f file. |
| |
|
| |
unable to stat /etc/sudoers |
| |
The _�/_�e_�t_�c_�/_�s_�u_�d_�o_�e_�r_�s file is missing. |
| |
|
| |
/etc/sudoers is not a regular file |
| |
The _�/_�e_�t_�c_�/_�s_�u_�d_�o_�e_�r_�s file exists but is not a regular file or symbolic |
| |
link. |
| |
|
| |
/etc/sudoers is owned by uid N, should be 0 |
| |
The _�s_�u_�d_�o_�e_�r_�s file has the wrong owner. If you wish to change the |
| |
_�s_�u_�d_�o_�e_�r_�s file owner, please add ``sudoers_uid=N'' (where `N' is the |
| |
user ID that owns the _�s_�u_�d_�o_�e_�r_�s file) to the s�su�ud�do�oe�er�rs�s plugin line in the |
| |
_�/_�e_�t_�c_�/_�s_�u_�d_�o_�._�c_�o_�n_�f file. |
| |
|
| |
/etc/sudoers is world writable |
| |
The permissions on the _�s_�u_�d_�o_�e_�r_�s file allow all users to write to it. |
| |
The _�s_�u_�d_�o_�e_�r_�s file must not be world-writable, the default file mode is |
| |
0440 (readable by owner and group, writable by none). The default |
| |
mode may be changed via the ``sudoers_mode'' option to the s�su�ud�do�oe�er�rs�s |
| |
plugin line in the _�/_�e_�t_�c_�/_�s_�u_�d_�o_�._�c_�o_�n_�f file. |
| |
|
| |
/etc/sudoers is owned by gid N, should be 1 |
| |
The _�s_�u_�d_�o_�e_�r_�s file has the wrong group ownership. If you wish to change |
| |
the _�s_�u_�d_�o_�e_�r_�s file group ownership, please add ``sudoers_gid=N'' (where |
| |
`N' is the group ID that owns the _�s_�u_�d_�o_�e_�r_�s file) to the s�su�ud�do�oe�er�rs�s plugin |
| |
line in the _�/_�e_�t_�c_�/_�s_�u_�d_�o_�._�c_�o_�n_�f file. |
| |
|
| |
unable to open /var/adm/sudo/username/ttyname |
| |
_�s_�u_�d_�o_�e_�r_�s was unable to read or create the user's time stamp file. |
| |
|
| |
unable to write to /var/adm/sudo/username/ttyname |
| |
_�s_�u_�d_�o_�e_�r_�s was unable to write to the user's time stamp file. |
| |
|
| |
unable to mkdir to /var/adm/sudo/username |
| |
_�s_�u_�d_�o_�e_�r_�s was unable to create the user's time stamp directory. |
| |
|
| |
N�No�ot�te�es�s o�on�n l�lo�og�gg�gi�in�ng�g v�vi�ia�a s�sy�ys�sl�lo�og�g |
| |
By default, _�s_�u_�d_�o_�e_�r_�s logs messages via syslog(3). The _�d_�a_�t_�e, _�h_�o_�s_�t_�n_�a_�m_�e, and |
| |
_�p_�r_�o_�g_�n_�a_�m_�e fields are added by the syslog daemon, not _�s_�u_�d_�o_�e_�r_�s itself. As |
| |
such, they may vary in format on different systems. |
| |
|
| |
On most systems, syslog(3) has a relatively small log buffer. To prevent |
| |
the command line arguments from being truncated, s�su�ud�do�oe�er�rs�s will split up |
| |
log messages that are larger than 960 characters (not including the date, |
| |
hostname, and the string ``sudo''). When a message is split, additional |
| |
parts will include the string ``(command continued)'' after the user name |
| |
and before the continued command line arguments. |
| |
|
| |
N�No�ot�te�es�s o�on�n l�lo�og�gg�gi�in�ng�g t�to�o a�a f�fi�il�le�e |
| |
If the _�l_�o_�g_�f_�i_�l_�e option is set, _�s_�u_�d_�o_�e_�r_�s will log to a local file, such as |
| |
_�/_�v_�a_�r_�/_�l_�o_�g_�/_�s_�u_�d_�o. When logging to a file, _�s_�u_�d_�o_�e_�r_�s uses a format similar to |
| |
syslog(3), with a few important differences: |
| |
|
| |
1. The _�p_�r_�o_�g_�n_�a_�m_�e and _�h_�o_�s_�t_�n_�a_�m_�e fields are not present. |
| |
|
| |
2. If the _�l_�o_�g_�__�y_�e_�a_�r option is enabled, the date will also include the |
| |
year. |
| |
|
| |
3. Lines that are longer than _�l_�o_�g_�l_�i_�n_�e_�l_�e_�n characters (80 by default) are |
| |
word-wrapped and continued on the next line with a four character |
| |
indent. This makes entries easier to read for a human being, but |
| |
makes it more difficult to use grep(1) on the log files. If the |
| |
_�l_�o_�g_�l_�i_�n_�e_�l_�e_�n option is set to 0 (or negated with a `!'), word wrap |
| |
will be disabled. |
| |
|
| S�SU�UD�DO�O.�.C�CO�ON�NF�F |
S�SU�UD�DO�O.�.C�CO�ON�NF�F |
| The _�/_�e_�t_�c_�/_�s_�u_�d_�o_�._�c_�o_�n_�f file determines which plugins the s�su�ud�do�o front end | The _�/_�e_�t_�c_�/_�s_�u_�d_�o_�._�c_�o_�n_�f file determines which plugins the s�su�ud�do�o front end will |
| will load. If no _�/_�e_�t_�c_�/_�s_�u_�d_�o_�._�c_�o_�n_�f file is present, or it contains no | load. If no _�/_�e_�t_�c_�/_�s_�u_�d_�o_�._�c_�o_�n_�f file is present, or it contains no Plugin |
| Plugin lines, s�su�ud�do�o will use the _�s_�u_�d_�o_�e_�r_�s security policy and I/O | lines, s�su�ud�do�o will use the _�s_�u_�d_�o_�e_�r_�s security policy and I/O logging, which |
| logging, which corresponds to the following _�/_�e_�t_�c_�/_�s_�u_�d_�o_�._�c_�o_�n_�f file. | corresponds to the following _�/_�e_�t_�c_�/_�s_�u_�d_�o_�._�c_�o_�n_�f file. |
| |
|
| # | # |
| # Default /etc/sudo.conf file | # Default /etc/sudo.conf file |
| # | # |
| # Format: | # Format: |
| # Plugin plugin_name plugin_path plugin_options ... | # Plugin plugin_name plugin_path plugin_options ... |
| # Path askpass /path/to/askpass | # Path askpass /path/to/askpass |
| # Path noexec /path/to/sudo_noexec.so | # Path noexec /path/to/sudo_noexec.so |
| # Debug sudo /var/log/sudo_debug all@warn | # Debug sudo /var/log/sudo_debug all@warn |
| # Set disable_coredump true | # Set disable_coredump true |
| # | # |
| # The plugin_path is relative to /usr/local/libexec unless | # The plugin_path is relative to /usr/local/libexec unless |
| # fully qualified. | # fully qualified. |
| # The plugin_name corresponds to a global symbol in the plugin | # The plugin_name corresponds to a global symbol in the plugin |
| # that contains the plugin interface structure. | # that contains the plugin interface structure. |
| # The plugin_options are optional. | # The plugin_options are optional. |
| # | # |
| Plugin policy_plugin sudoers.so | Plugin policy_plugin sudoers.so |
| Plugin io_plugin sudoers.so | Plugin io_plugin sudoers.so |
| |
|
| P�PL�LU�UG�GI�IN�N O�OP�PT�TI�IO�ON�NS�S | P�Pl�lu�ug�gi�in�n o�op�pt�ti�io�on�ns�s |
| Starting with s�su�ud�do�o 1.8.5 it is possible to pass options to the _�s_�u_�d_�o_�e_�r_�s | Starting with s�su�ud�do�o 1.8.5, it is possible to pass options to the _�s_�u_�d_�o_�e_�r_�s |
| plugin. Options may be listed after the path to the plugin (i.e. after | plugin. Options may be listed after the path to the plugin (i.e. after |
| _�s_�u_�d_�o_�e_�r_�s_�._�s_�o); multiple options should be space-separated. For example: | _�s_�u_�d_�o_�e_�r_�s_�._�s_�o); multiple options should be space-separated. For example: |
| |
|
| Plugin sudoers_policy sudoers.so sudoers_file=/etc/sudoers sudoers_uid=0 sudoers_gid=0 sudoers_mode=0440 | Plugin sudoers_policy sudoers.so sudoers_file=/etc/sudoers sudoers_uid=0 sudoers_gid=0 sudoers_mode=0440 |
| |
|
| The following plugin options are supported: | The following plugin options are supported: |
| |
|
| sudoers_file=pathname | sudoers_file=pathname |
| The _�s_�u_�d_�o_�e_�r_�s_�__�f_�i_�l_�e option can be used to override the default | The _�s_�u_�d_�o_�e_�r_�s_�__�f_�i_�l_�e option can be used to override the default |
| path to the _�s_�u_�d_�o_�e_�r_�s file. | path to the _�s_�u_�d_�o_�e_�r_�s file. |
| |
|
| sudoers_uid=uid | sudoers_uid=uid |
| The _�s_�u_�d_�o_�e_�r_�s_�__�u_�i_�d option can be used to override the default | The _�s_�u_�d_�o_�e_�r_�s_�__�u_�i_�d option can be used to override the default |
| owner of the sudoers file. It should be specified as a | owner of the sudoers file. It should be specified as a numeric |
| numeric user ID. | user ID. |
| |
|
| sudoers_gid=gid | sudoers_gid=gid |
| The _�s_�u_�d_�o_�e_�r_�s_�__�g_�i_�d option can be used to override the default | The _�s_�u_�d_�o_�e_�r_�s_�__�g_�i_�d option can be used to override the default |
| group of the sudoers file. It should be specified as a | group of the sudoers file. It should be specified as a numeric |
| numeric group ID. | group ID. |
| |
|
| sudoers_mode=mode | sudoers_mode=mode |
| The _�s_�u_�d_�o_�e_�r_�s_�__�m_�o_�d_�e option can be used to override the default | The _�s_�u_�d_�o_�e_�r_�s_�__�m_�o_�d_�e option can be used to override the default |
| file mode for the sudoers file. It should be specified as an | file mode for the sudoers file. It should be specified as an |
| octal value. | octal value. |
| |
|
| D�DE�EB�BU�UG�G F�FL�LA�AG�GS�S | D�De�eb�bu�ug�g f�fl�la�ag�gs�s |
| Versions 1.8.4 and higher of the _�s_�u_�d_�o_�e_�r_�s plugin supports a debugging | Versions 1.8.4 and higher of the _�s_�u_�d_�o_�e_�r_�s plugin supports a debugging |
| framework that can help track down what the plugin is doing internally | framework that can help track down what the plugin is doing internally if |
| if there is a problem. This can be configured in the _�/_�e_�t_�c_�/_�s_�u_�d_�o_�._�c_�o_�n_�f | there is a problem. This can be configured in the _�/_�e_�t_�c_�/_�s_�u_�d_�o_�._�c_�o_�n_�f file as |
| file as described in _�s_�u_�d_�o(1m). | described in sudo(1m). |
| |
|
| The _�s_�u_�d_�o_�e_�r_�s plugin uses the same debug flag format as s�su�ud�do�o itself: | The _�s_�u_�d_�o_�e_�r_�s plugin uses the same debug flag format as the s�su�ud�do�o front-end: |
| _�s_�u_�b_�s_�y_�s_�t_�e_�m@_�p_�r_�i_�o_�r_�i_�t_�y. | _�s_�u_�b_�s_�y_�s_�t_�e_�m@_�p_�r_�i_�o_�r_�i_�t_�y. |
| |
|
| The priorities used by _�s_�u_�d_�o_�e_�r_�s, in order of decreasing severity, are: | The priorities used by _�s_�u_�d_�o_�e_�r_�s, in order of decreasing severity, are: |
| _�c_�r_�i_�t, _�e_�r_�r, _�w_�a_�r_�n, _�n_�o_�t_�i_�c_�e, _�d_�i_�a_�g, _�i_�n_�f_�o, _�t_�r_�a_�c_�e and _�d_�e_�b_�u_�g. Each priority, | _�c_�r_�i_�t, _�e_�r_�r, _�w_�a_�r_�n, _�n_�o_�t_�i_�c_�e, _�d_�i_�a_�g, _�i_�n_�f_�o, _�t_�r_�a_�c_�e and _�d_�e_�b_�u_�g. Each priority, |
| when specified, also includes all priorities higher than it. For | when specified, also includes all priorities higher than it. For |
| example, a priority of _�n_�o_�t_�i_�c_�e would include debug messages logged at | example, a priority of _�n_�o_�t_�i_�c_�e would include debug messages logged at |
| _�n_�o_�t_�i_�c_�e and higher. | _�n_�o_�t_�i_�c_�e and higher. |
| |
|
| The following subsystems are used by _�s_�u_�d_�o_�e_�r_�s: | The following subsystems are used by _�s_�u_�d_�o_�e_�r_�s: |
| |
|
| _�a_�l_�i_�a_�s User_Alias, Runas_Alias, Host_Alias and Cmnd_Alias processing | _�a_�l_�i_�a_�s User_Alias, Runas_Alias, Host_Alias and Cmnd_Alias processing |
| |
|
| _�a_�l_�l matches every subsystem | _�a_�l_�l matches every subsystem |
| |
|
| _�a_�u_�d_�i_�t BSM and Linux audit code | _�a_�u_�d_�i_�t BSM and Linux audit code |
| |
|
| _�a_�u_�t_�h user authentication | _�a_�u_�t_�h user authentication |
| |
|
| _�d_�e_�f_�a_�u_�l_�t_�s _�s_�u_�d_�o_�e_�r_�s _�D_�e_�f_�a_�u_�l_�t_�s settings | _�d_�e_�f_�a_�u_�l_�t_�s _�s_�u_�d_�o_�e_�r_�s _�D_�e_�f_�a_�u_�l_�t_�s settings |
| |
|
| _�e_�n_�v environment handling | _�e_�n_�v environment handling |
| |
|
| _�l_�d_�a_�p LDAP-based sudoers | _�l_�d_�a_�p LDAP-based sudoers |
| |
|
| _�l_�o_�g_�g_�i_�n_�g logging support | _�l_�o_�g_�g_�i_�n_�g logging support |
| |
|
| _�m_�a_�t_�c_�h matching of users, groups, hosts and netgroups in _�s_�u_�d_�o_�e_�r_�s | _�m_�a_�t_�c_�h matching of users, groups, hosts and netgroups in _�s_�u_�d_�o_�e_�r_�s |
| |
|
| _�n_�e_�t_�i_�f network interface handling | _�n_�e_�t_�i_�f network interface handling |
| |
|
| _�n_�s_�s network service switch handling in _�s_�u_�d_�o_�e_�r_�s | _�n_�s_�s network service switch handling in _�s_�u_�d_�o_�e_�r_�s |
| |
|
| _�p_�a_�r_�s_�e_�r _�s_�u_�d_�o_�e_�r_�s file parsing | _�p_�a_�r_�s_�e_�r _�s_�u_�d_�o_�e_�r_�s file parsing |
| |
|
| _�p_�e_�r_�m_�s permission setting | _�p_�e_�r_�m_�s permission setting |
| |
|
| _�p_�l_�u_�g_�i_�n The equivalent of _�m_�a_�i_�n for the plugin. | _�p_�l_�u_�g_�i_�n The equivalent of _�m_�a_�i_�n for the plugin. |
| |
|
| _�p_�t_�y pseudo-tty related code | _�p_�t_�y pseudo-tty related code |
| |
|
| _�r_�b_�t_�r_�e_�e redblack tree internals | _�r_�b_�t_�r_�e_�e redblack tree internals |
| |
|
| _�u_�t_�i_�l utility functions | _�u_�t_�i_�l utility functions |
| |
|
| F�FI�IL�LE�ES�S |
F�FI�IL�LE�ES�S |
| _�/_�e_�t_�c_�/_�s_�u_�d_�o_�._�c_�o_�n_�f Sudo front end configuration | _�/_�e_�t_�c_�/_�s_�u_�d_�o_�._�c_�o_�n_�f Sudo front end configuration |
| |
|
| _�/_�e_�t_�c_�/_�s_�u_�d_�o_�e_�r_�s List of who can run what | _�/_�e_�t_�c_�/_�s_�u_�d_�o_�e_�r_�s List of who can run what |
| |
|
| _�/_�e_�t_�c_�/_�g_�r_�o_�u_�p Local groups file | _�/_�e_�t_�c_�/_�g_�r_�o_�u_�p Local groups file |
| |
|
| _�/_�e_�t_�c_�/_�n_�e_�t_�g_�r_�o_�u_�p List of network groups | _�/_�e_�t_�c_�/_�n_�e_�t_�g_�r_�o_�u_�p List of network groups |
| |
|
| _�/_�v_�a_�r_�/_�l_�o_�g_�/_�s_�u_�d_�o_�-_�i_�o I/O log files | _�/_�v_�a_�r_�/_�l_�o_�g_�/_�s_�u_�d_�o_�-_�i_�o I/O log files |
| |
|
| _�/_�v_�a_�r_�/_�a_�d_�m_�/_�s_�u_�d_�o Directory containing time stamps for the | _�/_�v_�a_�r_�/_�a_�d_�m_�/_�s_�u_�d_�o Directory containing time stamps for the |
| _�s_�u_�d_�o_�e_�r_�s security policy |
_�s_�u_�d_�o_�e_�r_�s security policy |
| |
|
| _�/_�e_�t_�c_�/_�e_�n_�v_�i_�r_�o_�n_�m_�e_�n_�t Initial environment for -�-i�i mode on AIX and | _�/_�e_�t_�c_�/_�e_�n_�v_�i_�r_�o_�n_�m_�e_�n_�t Initial environment for -�-i�i mode on AIX and |
| Linux systems |
Linux systems |
| |
|
| E�EX�XA�AM�MP�PL�LE�ES�S |
E�EX�XA�AM�MP�PL�LE�ES�S |
| Below are example _�s_�u_�d_�o_�e_�r_�s entries. Admittedly, some of these are a bit | Below are example _�s_�u_�d_�o_�e_�r_�s entries. Admittedly, some of these are a bit |
| contrived. First, we allow a few environment variables to pass and | contrived. First, we allow a few environment variables to pass and then |
| then define our _�a_�l_�i_�a_�s_�e_�s: | define our _�a_�l_�i_�a_�s_�e_�s: |
| |
|
| # Run X applications through sudo; HOME is used to find the | # Run X applications through sudo; HOME is used to find the |
| # .Xauthority file. Note that other programs use HOME to find | # .Xauthority file. Note that other programs use HOME to find |
| # configuration files and this may lead to privilege escalation! | # configuration files and this may lead to privilege escalation! |
| Defaults env_keep += "DISPLAY HOME" | Defaults env_keep += "DISPLAY HOME" |
| |
|
| # User alias specification | # User alias specification |
| User_Alias FULLTIMERS = millert, mikef, dowdy | User_Alias FULLTIMERS = millert, mikef, dowdy |
| User_Alias PARTTIMERS = bostley, jwfox, crawl | User_Alias PARTTIMERS = bostley, jwfox, crawl |
| User_Alias WEBMASTERS = will, wendy, wim | User_Alias WEBMASTERS = will, wendy, wim |
| |
|
| # Runas alias specification | # Runas alias specification |
| Runas_Alias OP = root, operator | Runas_Alias OP = root, operator |
| Runas_Alias DB = oracle, sybase | Runas_Alias DB = oracle, sybase |
| Runas_Alias ADMINGRP = adm, oper | Runas_Alias ADMINGRP = adm, oper |
| |
|
| # Host alias specification | # Host alias specification |
| Host_Alias SPARC = bigtime, eclipse, moet, anchor :\ | Host_Alias SPARC = bigtime, eclipse, moet, anchor :\ |
| SGI = grolsch, dandelion, black :\ | SGI = grolsch, dandelion, black :\ |
| ALPHA = widget, thalamus, foobar :\ | ALPHA = widget, thalamus, foobar :\ |
| HPPA = boa, nag, python | HPPA = boa, nag, python |
| Host_Alias CUNETS = 128.138.0.0/255.255.0.0 | Host_Alias CUNETS = 128.138.0.0/255.255.0.0 |
| Host_Alias CSNETS = 128.138.243.0, 128.138.204.0/24, 128.138.242.0 | Host_Alias CSNETS = 128.138.243.0, 128.138.204.0/24, 128.138.242.0 |
| Host_Alias SERVERS = master, mail, www, ns | Host_Alias SERVERS = master, mail, www, ns |
| Host_Alias CDROM = orion, perseus, hercules | Host_Alias CDROM = orion, perseus, hercules |
| |
|
| # Cmnd alias specification | # Cmnd alias specification |
| Cmnd_Alias DUMPS = /usr/bin/mt, /usr/sbin/dump, /usr/sbin/rdump,\ | Cmnd_Alias DUMPS = /usr/bin/mt, /usr/sbin/dump, /usr/sbin/rdump,\ |
| /usr/sbin/restore, /usr/sbin/rrestore | /usr/sbin/restore, /usr/sbin/rrestore |
| Cmnd_Alias KILL = /usr/bin/kill | Cmnd_Alias KILL = /usr/bin/kill |
| Cmnd_Alias PRINTING = /usr/sbin/lpc, /usr/bin/lprm | Cmnd_Alias PRINTING = /usr/sbin/lpc, /usr/bin/lprm |
| Cmnd_Alias SHUTDOWN = /usr/sbin/shutdown | Cmnd_Alias SHUTDOWN = /usr/sbin/shutdown |
| Cmnd_Alias HALT = /usr/sbin/halt | Cmnd_Alias HALT = /usr/sbin/halt |
| Cmnd_Alias REBOOT = /usr/sbin/reboot | Cmnd_Alias REBOOT = /usr/sbin/reboot |
| Cmnd_Alias SHELLS = /usr/bin/sh, /usr/bin/csh, /usr/bin/ksh, \ | Cmnd_Alias SHELLS = /usr/bin/sh, /usr/bin/csh, /usr/bin/ksh,\ |
| /usr/local/bin/tcsh, /usr/bin/rsh, \ | /usr/local/bin/tcsh, /usr/bin/rsh,\ |
| /usr/local/bin/zsh | /usr/local/bin/zsh |
| Cmnd_Alias SU = /usr/bin/su | Cmnd_Alias SU = /usr/bin/su |
| Cmnd_Alias PAGERS = /usr/bin/more, /usr/bin/pg, /usr/bin/less | Cmnd_Alias PAGERS = /usr/bin/more, /usr/bin/pg, /usr/bin/less |
| |
|
| Here we override some of the compiled in default values. We want s�su�ud�do�o | Here we override some of the compiled in default values. We want s�su�ud�do�o to |
| to log via _�s_�y_�s_�l_�o_�g(3) using the _�a_�u_�t_�h facility in all cases. We don't | log via syslog(3) using the _�a_�u_�t_�h facility in all cases. We don't want to |
| want to subject the full time staff to the s�su�ud�do�o lecture, user m�mi�il�ll�le�er�rt�t | subject the full time staff to the s�su�ud�do�o lecture, user m�mi�il�ll�le�er�rt�t need not |
| need not give a password, and we don't want to reset the LOGNAME, USER | give a password, and we don't want to reset the LOGNAME, USER or USERNAME |
| or USERNAME environment variables when running commands as root. | environment variables when running commands as root. Additionally, on |
| Additionally, on the machines in the _�S_�E_�R_�V_�E_�R_�S Host_Alias, we keep an | the machines in the _�S_�E_�R_�V_�E_�R_�S Host_Alias, we keep an additional local log |
| additional local log file and make sure we log the year in each log | file and make sure we log the year in each log line since the log entries |
| line since the log entries will be kept around for several years. | will be kept around for several years. Lastly, we disable shell escapes |
| Lastly, we disable shell escapes for the commands in the PAGERS | for the commands in the PAGERS Cmnd_Alias (_�/_�u_�s_�r_�/_�b_�i_�n_�/_�m_�o_�r_�e, _�/_�u_�s_�r_�/_�b_�i_�n_�/_�p_�g and |
| Cmnd_Alias (_�/_�u_�s_�r_�/_�b_�i_�n_�/_�m_�o_�r_�e, _�/_�u_�s_�r_�/_�b_�i_�n_�/_�p_�g and _�/_�u_�s_�r_�/_�b_�i_�n_�/_�l_�e_�s_�s). | _�/_�u_�s_�r_�/_�b_�i_�n_�/_�l_�e_�s_�s). |
| |
|
| # Override built-in defaults | # Override built-in defaults |
| Defaults syslog=auth | Defaults syslog=auth |
| Defaults>root !set_logname | Defaults>root !set_logname |
| Defaults:FULLTIMERS !lecture | Defaults:FULLTIMERS !lecture |
| Defaults:millert !authenticate | Defaults:millert !authenticate |
| Defaults@SERVERS log_year, logfile=/var/log/sudo.log | Defaults@SERVERS log_year, logfile=/var/log/sudo.log |
| Defaults!PAGERS noexec | Defaults!PAGERS noexec |
| |
|
| The _�U_�s_�e_�r _�s_�p_�e_�c_�i_�f_�i_�c_�a_�t_�i_�o_�n is the part that actually determines who may run | The _�U_�s_�e_�r _�s_�p_�e_�c_�i_�f_�i_�c_�a_�t_�i_�o_�n is the part that actually determines who may run |
| what. | what. |
| |
|
| root ALL = (ALL) ALL | root ALL = (ALL) ALL |
| %wheel ALL = (ALL) ALL | %wheel ALL = (ALL) ALL |
| |
|
| We let r�ro�oo�ot�t and any user in group w�wh�he�ee�el�l run any command on any host as | We let r�ro�oo�ot�t and any user in group w�wh�he�ee�el�l run any command on any host as |
| any user. | any user. |
| |
|
| FULLTIMERS ALL = NOPASSWD: ALL | FULLTIMERS ALL = NOPASSWD: ALL |
| |
|
| Full time sysadmins (m�mi�il�ll�le�er�rt�t, m�mi�ik�ke�ef�f, and d�do�ow�wd�dy�y) may run any command on | Full time sysadmins (m�mi�il�ll�le�er�rt�t, m�mi�ik�ke�ef�f, and d�do�ow�wd�dy�y) may run any command on |
| any host without authenticating themselves. | any host without authenticating themselves. |
| |
|
| PARTTIMERS ALL = ALL | PARTTIMERS ALL = ALL |
| |
|
| Part time sysadmins (b�bo�os�st�tl�le�ey�y, j�jw�wf�fo�ox�x, and c�cr�ra�aw�wl�l) may run any command on | Part time sysadmins b�bo�os�st�tl�le�ey�y, j�jw�wf�fo�ox�x, and c�cr�ra�aw�wl�l) may run any command on any |
| any host but they must authenticate themselves first (since the entry | host but they must authenticate themselves first (since the entry lacks |
| lacks the NOPASSWD tag). | the NOPASSWD tag). |
| |
|
| jack CSNETS = ALL | jack CSNETS = ALL |
| |
|
| The user j�ja�ac�ck�k may run any command on the machines in the _�C_�S_�N_�E_�T_�S alias | The user j�ja�ac�ck�k may run any command on the machines in the _�C_�S_�N_�E_�T_�S alias |
| (the networks 128.138.243.0, 128.138.204.0, and 128.138.242.0). Of | (the networks 128.138.243.0, 128.138.204.0, and 128.138.242.0). Of those |
| those networks, only 128.138.204.0 has an explicit netmask (in CIDR | networks, only 128.138.204.0 has an explicit netmask (in CIDR notation) |
| notation) indicating it is a class C network. For the other networks | indicating it is a class C network. For the other networks in _�C_�S_�N_�E_�T_�S, |
| in _�C_�S_�N_�E_�T_�S, the local machine's netmask will be used during matching. | the local machine's netmask will be used during matching. |
| |
|
| lisa CUNETS = ALL | lisa CUNETS = ALL |
| |
|
| The user l�li�is�sa�a may run any command on any host in the _�C_�U_�N_�E_�T_�S alias (the | The user l�li�is�sa�a may run any command on any host in the _�C_�U_�N_�E_�T_�S alias (the |
| class B network 128.138.0.0). | class B network 128.138.0.0). |
| |
|
| operator ALL = DUMPS, KILL, SHUTDOWN, HALT, REBOOT, PRINTING,\ | operator ALL = DUMPS, KILL, SHUTDOWN, HALT, REBOOT, PRINTING,\ |
| sudoedit /etc/printcap, /usr/oper/bin/ | sudoedit /etc/printcap, /usr/oper/bin/ |
| |
|
| The o�op�pe�er�ra�at�to�or�r user may run commands limited to simple maintenance. | The o�op�pe�er�ra�at�to�or�r user may run commands limited to simple maintenance. Here, |
| Here, those are commands related to backups, killing processes, the | those are commands related to backups, killing processes, the printing |
| printing system, shutting down the system, and any commands in the | system, shutting down the system, and any commands in the directory |
| directory _�/_�u_�s_�r_�/_�o_�p_�e_�r_�/_�b_�i_�n_�/. | _�/_�u_�s_�r_�/_�o_�p_�e_�r_�/_�b_�i_�n_�/. |
| |
|
| joe ALL = /usr/bin/su operator | joe ALL = /usr/bin/su operator |
| |
|
| The user j�jo�oe�e may only _�s_�u(1) to operator. | The user j�jo�oe�e may only su(1) to operator. |
| |
|
| pete HPPA = /usr/bin/passwd [A-Za-z]*, !/usr/bin/passwd root | pete HPPA = /usr/bin/passwd [A-Za-z]*, !/usr/bin/passwd root |
| |
|
| %opers ALL = (: ADMINGRP) /usr/sbin/ | %opers ALL = (: ADMINGRP) /usr/sbin/ |
| |
|
| Users in the o�op�pe�er�rs�s group may run commands in _�/_�u_�s_�r_�/_�s_�b_�i_�n_�/ as themselves | Users in the o�op�pe�er�rs�s group may run commands in _�/_�u_�s_�r_�/_�s_�b_�i_�n_�/ as themselves |
| with any group in the _�A_�D_�M_�I_�N_�G_�R_�P Runas_Alias (the a�ad�dm�m and o�op�pe�er�r groups). | with any group in the _�A_�D_�M_�I_�N_�G_�R_�P Runas_Alias (the a�ad�dm�m and o�op�pe�er�r groups). |
| |
|
| The user p�pe�et�te�e is allowed to change anyone's password except for root on | The user p�pe�et�te�e is allowed to change anyone's password except for root on |
| the _�H_�P_�P_�A machines. Note that this assumes _�p_�a_�s_�s_�w_�d(1) does not take | the _�H_�P_�P_�A machines. Note that this assumes passwd(1) does not take |
| multiple user names on the command line. | multiple user names on the command line. |
| |
|
| bob SPARC = (OP) ALL : SGI = (OP) ALL | bob SPARC = (OP) ALL : SGI = (OP) ALL |
| |
|
| The user b�bo�ob�b may run anything on the _�S_�P_�A_�R_�C and _�S_�G_�I machines as any user | The user b�bo�ob�b may run anything on the _�S_�P_�A_�R_�C and _�S_�G_�I machines as any user |
| listed in the _�O_�P Runas_Alias (r�ro�oo�ot�t and o�op�pe�er�ra�at�to�or�r). | listed in the _�O_�P Runas_Alias (r�ro�oo�ot�t and o�op�pe�er�ra�at�to�or�r.) |
| |
|
| jim +biglab = ALL | jim +biglab = ALL |
| |
|
| The user j�ji�im�m may run any command on machines in the _�b_�i_�g_�l_�a_�b netgroup. | The user j�ji�im�m may run any command on machines in the _�b_�i_�g_�l_�a_�b netgroup. |
| s�su�ud�do�o knows that "biglab" is a netgroup due to the '+' prefix. | s�su�ud�do�o knows that ``biglab'' is a netgroup due to the `+' prefix. |
| |
|
| +secretaries ALL = PRINTING, /usr/bin/adduser, /usr/bin/rmuser | +secretaries ALL = PRINTING, /usr/bin/adduser, /usr/bin/rmuser |
| |
|
| Users in the s�se�ec�cr�re�et�ta�ar�ri�ie�es�s netgroup need to help manage the printers as | Users in the s�se�ec�cr�re�et�ta�ar�ri�ie�es�s netgroup need to help manage the printers as |
| well as add and remove users, so they are allowed to run those commands | well as add and remove users, so they are allowed to run those commands |
| on all machines. | on all machines. |
| |
|
| fred ALL = (DB) NOPASSWD: ALL | fred ALL = (DB) NOPASSWD: ALL |
| |
|
| The user f�fr�re�ed�d can run commands as any user in the _�D_�B Runas_Alias | The user f�fr�re�ed�d can run commands as any user in the _�D_�B Runas_Alias (o�or�ra�ac�cl�le�e |
| (o�or�ra�ac�cl�le�e or s�sy�yb�ba�as�se�e) without giving a password. | or s�sy�yb�ba�as�se�e) without giving a password. |
| |
|
| john ALPHA = /usr/bin/su [!-]*, !/usr/bin/su *root* | john ALPHA = /usr/bin/su [!-]*, !/usr/bin/su *root* |
| |
|
| On the _�A_�L_�P_�H_�A machines, user j�jo�oh�hn�n may su to anyone except root but he is | On the _�A_�L_�P_�H_�A machines, user j�jo�oh�hn�n may su to anyone except root but he is |
| not allowed to specify any options to the _�s_�u(1) command. | not allowed to specify any options to the su(1) command. |
| |
|
| jen ALL, !SERVERS = ALL | jen ALL, !SERVERS = ALL |
| |
|
| The user j�je�en�n may run any command on any machine except for those in the | The user j�je�en�n may run any command on any machine except for those in the |
| _�S_�E_�R_�V_�E_�R_�S Host_Alias (master, mail, www and ns). | _�S_�E_�R_�V_�E_�R_�S Host_Alias (master, mail, www and ns). |
| |
|
| jill SERVERS = /usr/bin/, !SU, !SHELLS | jill SERVERS = /usr/bin/, !SU, !SHELLS |
| |
|
| For any machine in the _�S_�E_�R_�V_�E_�R_�S Host_Alias, j�ji�il�ll�l may run any commands in | For any machine in the _�S_�E_�R_�V_�E_�R_�S Host_Alias, j�ji�il�ll�l may run any commands in |
| the directory _�/_�u_�s_�r_�/_�b_�i_�n_�/ except for those commands belonging to the _�S_�U | the directory _�/_�u_�s_�r_�/_�b_�i_�n_�/ except for those commands belonging to the _�S_�U and |
| and _�S_�H_�E_�L_�L_�S Cmnd_Aliases. | _�S_�H_�E_�L_�L_�S Cmnd_Aliases. |
| |
|
| steve CSNETS = (operator) /usr/local/op_commands/ | steve CSNETS = (operator) /usr/local/op_commands/ |
| |
|
| The user s�st�te�ev�ve�e may run any command in the directory | The user s�st�te�ev�ve�e may run any command in the directory |
| /usr/local/op_commands/ but only as user operator. | /usr/local/op_commands/ but only as user operator. |
| |
|
| matt valkyrie = KILL | matt valkyrie = KILL |
| |
|
| On his personal workstation, valkyrie, m�ma�at�tt�t needs to be able to kill | On his personal workstation, valkyrie, m�ma�at�tt�t needs to be able to kill hung |
| hung processes. | processes. |
| |
|
| WEBMASTERS www = (www) ALL, (root) /usr/bin/su www | WEBMASTERS www = (www) ALL, (root) /usr/bin/su www |
| |
|
| On the host www, any user in the _�W_�E_�B_�M_�A_�S_�T_�E_�R_�S User_Alias (will, wendy, | On the host www, any user in the _�W_�E_�B_�M_�A_�S_�T_�E_�R_�S User_Alias (will, wendy, and |
| and wim), may run any command as user www (which owns the web pages) or | wim), may run any command as user www (which owns the web pages) or |
| simply _�s_�u(1) to www. | simply su(1) to www. |
| |
|
| ALL CDROM = NOPASSWD: /sbin/umount /CDROM,\ | ALL CDROM = NOPASSWD: /sbin/umount /CDROM,\ |
| /sbin/mount -o nosuid\,nodev /dev/cd0a /CDROM | /sbin/mount -o nosuid,node /sbin/mount -o nosuid,node |
| |
|
| Any user may mount or unmount a CD-ROM on the machines in the CDROM | Any user may mount or unmount a CD-ROM on the machines in the CDROM |
| Host_Alias (orion, perseus, hercules) without entering a password. | Host_Alias (orion, perseus, hercules) without entering a password. This |
| This is a bit tedious for users to type, so it is a prime candidate for | is a bit tedious for users to type, so it is a prime candidate for |
| encapsulating in a shell script. | encapsulating in a shell script. |
| |
|
| S�SE�EC�CU�UR�RI�IT�TY�Y N�NO�OT�TE�ES�S |
S�SE�EC�CU�UR�RI�IT�TY�Y N�NO�OT�TE�ES�S |
| L�Li�im�mi�it�ta�at�ti�io�on�ns�s o�of�f t�th�he�e '�'!�!'�' o�op�pe�er�ra�at�to�or�r | L�Li�im�mi�it�ta�at�ti�io�on�ns�s o�of�f t�th�he�e `�`!�!'�' o�op�pe�er�ra�at�to�or�r |
| It is generally not effective to "subtract" commands from ALL using the | It is generally not effective to ``subtract'' commands from A�AL�LL�L using the |
| '!' operator. A user can trivially circumvent this by copying the | `!' operator. A user can trivially circumvent this by copying the |
| desired command to a different name and then executing that. For | desired command to a different name and then executing that. For |
| example: | example: |
| |
|
| bill ALL = ALL, !SU, !SHELLS | bill ALL = ALL, !SU, !SHELLS |
| |
|
| Doesn't really prevent b�bi�il�ll�l from running the commands listed in _�S_�U or | Doesn't really prevent b�bi�il�ll�l from running the commands listed in _�S_�U or |
| _�S_�H_�E_�L_�L_�S since he can simply copy those commands to a different name, or | _�S_�H_�E_�L_�L_�S since he can simply copy those commands to a different name, or |
| use a shell escape from an editor or other program. Therefore, these | use a shell escape from an editor or other program. Therefore, these |
| kind of restrictions should be considered advisory at best (and | kind of restrictions should be considered advisory at best (and |
| reinforced by policy). | reinforced by policy). |
| |
|
| In general, if a user has sudo ALL there is nothing to prevent them | In general, if a user has sudo A�AL�LL�L there is nothing to prevent them from |
| from creating their own program that gives them a root shell (or making | creating their own program that gives them a root shell (or making their |
| their own copy of a shell) regardless of any '!' elements in the user | own copy of a shell) regardless of any `!' elements in the user |
| specification. | specification. |
| |
|
| S�Se�ec�cu�ur�ri�it�ty�y i�im�mp�pl�li�ic�ca�at�ti�io�on�ns�s o�of�f _�f_�a_�s_�t_�__�g_�l_�o_�b |
S�Se�ec�cu�ur�ri�it�ty�y i�im�mp�pl�li�ic�ca�at�ti�io�on�ns�s o�of�f _�f_�a_�s_�t_�__�g_�l_�o_�b |
| If the _�f_�a_�s_�t_�__�g_�l_�o_�b option is in use, it is not possible to reliably | If the _�f_�a_�s_�t_�__�g_�l_�o_�b option is in use, it is not possible to reliably negate |
| negate commands where the path name includes globbing (aka wildcard) | commands where the path name includes globbing (aka wildcard) characters. |
| characters. This is because the C library's _�f_�n_�m_�a_�t_�c_�h(3) function cannot | This is because the C library's fnmatch(3) function cannot resolve |
| resolve relative paths. While this is typically only an inconvenience | relative paths. While this is typically only an inconvenience for rules |
| for rules that grant privileges, it can result in a security issue for | that grant privileges, it can result in a security issue for rules that |
| rules that subtract or revoke privileges. | subtract or revoke privileges. |
| |
|
| For example, given the following _�s_�u_�d_�o_�e_�r_�s entry: | For example, given the following _�s_�u_�d_�o_�e_�r_�s entry: |
| |
|
| john ALL = /usr/bin/passwd [a-zA-Z0-9]*, /usr/bin/chsh [a-zA-Z0-9]*, | john ALL = /usr/bin/passwd [a-zA-Z0-9]*, /usr/bin/chsh [a-zA-Z0-9]*,\ |
| /usr/bin/chfn [a-zA-Z0-9]*, !/usr/bin/* root | /usr/bin/chfn [a-zA-Z0-9]*, !/usr/bin/* root |
| |
|
| User j�jo�oh�hn�n can still run /usr/bin/passwd root if _�f_�a_�s_�t_�__�g_�l_�o_�b is enabled by | User j�jo�oh�hn�n can still run /usr/bin/passwd root if _�f_�a_�s_�t_�__�g_�l_�o_�b is enabled by |
| changing to _�/_�u_�s_�r_�/_�b_�i_�n and running ./passwd root instead. | changing to _�/_�u_�s_�r_�/_�b_�i_�n and running ./passwd root instead. |
| |
|
| P�Pr�re�ev�ve�en�nt�ti�in�ng�g S�Sh�he�el�ll�l E�Es�sc�ca�ap�pe�es�s | P�Pr�re�ev�ve�en�nt�ti�in�ng�g s�sh�he�el�ll�l e�es�sc�ca�ap�pe�es�s |
| Once s�su�ud�do�o executes a program, that program is free to do whatever it | Once s�su�ud�do�o executes a program, that program is free to do whatever it |
| pleases, including run other programs. This can be a security issue | pleases, including run other programs. This can be a security issue |
| since it is not uncommon for a program to allow shell escapes, which | since it is not uncommon for a program to allow shell escapes, which lets |
| lets a user bypass s�su�ud�do�o's access control and logging. Common programs | a user bypass s�su�ud�do�o's access control and logging. Common programs that |
| that permit shell escapes include shells (obviously), editors, | permit shell escapes include shells (obviously), editors, paginators, |
| paginators, mail and terminal programs. | mail and terminal programs. |
| |
|
| There are two basic approaches to this problem: | There are two basic approaches to this problem: |
| |
|
| restrict Avoid giving users access to commands that allow the user to | restrict Avoid giving users access to commands that allow the user to |
| run arbitrary commands. Many editors have a restricted mode | run arbitrary commands. Many editors have a restricted mode |
| where shell escapes are disabled, though s�su�ud�do�oe�ed�di�it�t is a better | where shell escapes are disabled, though s�su�ud�do�oe�ed�di�it�t is a better |
| solution to running editors via s�su�ud�do�o. Due to the large | solution to running editors via s�su�ud�do�o. Due to the large number |
| number of programs that offer shell escapes, restricting | of programs that offer shell escapes, restricting users to the |
| users to the set of programs that do not is often unworkable. | set of programs that do not is often unworkable. |
| |
|
| noexec Many systems that support shared libraries have the ability | noexec Many systems that support shared libraries have the ability to |
| to override default library functions by pointing an | override default library functions by pointing an environment |
| environment variable (usually LD_PRELOAD) to an alternate | variable (usually LD_PRELOAD) to an alternate shared library. |
| shared library. On such systems, s�su�ud�do�o's _�n_�o_�e_�x_�e_�c functionality | On such systems, s�su�ud�do�o's _�n_�o_�e_�x_�e_�c functionality can be used to |
| can be used to prevent a program run by s�su�ud�do�o from executing | prevent a program run by s�su�ud�do�o from executing any other |
| any other programs. Note, however, that this applies only to | programs. Note, however, that this applies only to native |
| native dynamically-linked executables. Statically-linked | dynamically-linked executables. Statically-linked executables |
| executables and foreign executables running under binary | and foreign executables running under binary emulation are not |
| emulation are not affected. | affected. |
| |
|
| The _�n_�o_�e_�x_�e_�c feature is known to work on SunOS, Solaris, *BSD, | The _�n_�o_�e_�x_�e_�c feature is known to work on SunOS, Solaris, *BSD, |
| Linux, IRIX, Tru64 UNIX, MacOS X, HP-UX 11.x and AIX 5.3 and | Linux, IRIX, Tru64 UNIX, MacOS X, HP-UX 11.x and AIX 5.3 and |
| above. It should be supported on most operating systems that | above. It should be supported on most operating systems that |
| support the LD_PRELOAD environment variable. Check your | support the LD_PRELOAD environment variable. Check your |
| operating system's manual pages for the dynamic linker | operating system's manual pages for the dynamic linker (usually |
| (usually ld.so, ld.so.1, dyld, dld.sl, rld, or loader) to see | ld.so, ld.so.1, dyld, dld.sl, rld, or loader) to see if |
| if LD_PRELOAD is supported. | LD_PRELOAD is supported. |
| |
|
| On Solaris 10 and higher, _�n_�o_�e_�x_�e_�c uses Solaris privileges | On Solaris 10 and higher, _�n_�o_�e_�x_�e_�c uses Solaris privileges |
| instead of the LD_PRELOAD environment variable. | instead of the LD_PRELOAD environment variable. |
| |
|
| To enable _�n_�o_�e_�x_�e_�c for a command, use the NOEXEC tag as | To enable _�n_�o_�e_�x_�e_�c for a command, use the NOEXEC tag as |
| documented in the User Specification section above. Here is | documented in the User Specification section above. Here is |
| that example again: | that example again: |
| |
|
| aaron shanty = NOEXEC: /usr/bin/more, /usr/bin/vi | aaron shanty = NOEXEC: /usr/bin/more, /usr/bin/vi |
| |
|
| This allows user a�aa�ar�ro�on�n to run _�/_�u_�s_�r_�/_�b_�i_�n_�/_�m_�o_�r_�e and _�/_�u_�s_�r_�/_�b_�i_�n_�/_�v_�i | This allows user a�aa�ar�ro�on�n to run _�/_�u_�s_�r_�/_�b_�i_�n_�/_�m_�o_�r_�e and _�/_�u_�s_�r_�/_�b_�i_�n_�/_�v_�i |
| with _�n_�o_�e_�x_�e_�c enabled. This will prevent those two commands | with _�n_�o_�e_�x_�e_�c enabled. This will prevent those two commands from |
| from executing other commands (such as a shell). If you are | executing other commands (such as a shell). If you are unsure |
| unsure whether or not your system is capable of supporting | whether or not your system is capable of supporting _�n_�o_�e_�x_�e_�c you |
| _�n_�o_�e_�x_�e_�c you can always just try it out and check whether shell | can always just try it out and check whether shell escapes work |
| escapes work when _�n_�o_�e_�x_�e_�c is enabled. | when _�n_�o_�e_�x_�e_�c is enabled. |
| |
|
| Note that restricting shell escapes is not a panacea. Programs running | Note that restricting shell escapes is not a panacea. Programs running |
| as root are still capable of many potentially hazardous operations | as root are still capable of many potentially hazardous operations (such |
| (such as changing or overwriting files) that could lead to unintended | as changing or overwriting files) that could lead to unintended privilege |
| privilege escalation. In the specific case of an editor, a safer | escalation. In the specific case of an editor, a safer approach is to |
| approach is to give the user permission to run s�su�ud�do�oe�ed�di�it�t. | give the user permission to run s�su�ud�do�oe�ed�di�it�t. |
| |
|
| T�Ti�im�me�e s�st�ta�am�mp�p f�fi�il�le�e c�ch�he�ec�ck�ks�s |
T�Ti�im�me�e s�st�ta�am�mp�p f�fi�il�le�e c�ch�he�ec�ck�ks�s |
| _�s_�u_�d_�o_�e_�r_�s will check the ownership of its time stamp directory | _�s_�u_�d_�o_�e_�r_�s will check the ownership of its time stamp directory |
| (_�/_�v_�a_�r_�/_�a_�d_�m_�/_�s_�u_�d_�o by default) and ignore the directory's contents if it is | (_�/_�v_�a_�r_�/_�a_�d_�m_�/_�s_�u_�d_�o by default) and ignore the directory's contents if it is |
| not owned by root or if it is writable by a user other than root. On | not owned by root or if it is writable by a user other than root. On |
| systems that allow non-root users to give away files via _�c_�h_�o_�w_�n(2), if | systems that allow non-root users to give away files via chown(2), if the |
| the time stamp directory is located in a world-writable directory | time stamp directory is located in a world-writable directory (e.g., |
| (e.g., _�/_�t_�m_�p), it is possible for a user to create the time stamp | _�/_�t_�m_�p), it is possible for a user to create the time stamp directory |
| directory before s�su�ud�do�o is run. However, because _�s_�u_�d_�o_�e_�r_�s checks the | before s�su�ud�do�o is run. However, because _�s_�u_�d_�o_�e_�r_�s checks the ownership and |
| ownership and mode of the directory and its contents, the only damage | mode of the directory and its contents, the only damage that can be done |
| that can be done is to "hide" files by putting them in the time stamp | is to ``hide'' files by putting them in the time stamp dir. This is |
| dir. This is unlikely to happen since once the time stamp dir is owned | unlikely to happen since once the time stamp dir is owned by root and |
| by root and inaccessible by any other user, the user placing files | inaccessible by any other user, the user placing files there would be |
| there would be unable to get them back out. | unable to get them back out. |
| |
|
| _�s_�u_�d_�o_�e_�r_�s will not honor time stamps set far in the future. Time stamps | _�s_�u_�d_�o_�e_�r_�s will not honor time stamps set far in the future. Time stamps |
| with a date greater than current_time + 2 * TIMEOUT will be ignored and | with a date greater than current_time + 2 * TIMEOUT will be ignored and |
| sudo will log and complain. This is done to keep a user from creating | sudo will log and complain. This is done to keep a user from creating |
| his/her own time stamp with a bogus date on systems that allow users to | his/her own time stamp with a bogus date on systems that allow users to |
| give away files if the time stamp directory is located in a world- | give away files if the time stamp directory is located in a world- |
| writable directory. | writable directory. |
| |
|
| On systems where the boot time is available, _�s_�u_�d_�o_�e_�r_�s will ignore time | On systems where the boot time is available, _�s_�u_�d_�o_�e_�r_�s will ignore time |
| stamps that date from before the machine booted. | stamps that date from before the machine booted. |
| |
|
| Since time stamp files live in the file system, they can outlive a | Since time stamp files live in the file system, they can outlive a user's |
| user's login session. As a result, a user may be able to login, run a | login session. As a result, a user may be able to login, run a command |
| command with s�su�ud�do�o after authenticating, logout, login again, and run | with s�su�ud�do�o after authenticating, logout, login again, and run s�su�ud�do�o without |
| s�su�ud�do�o without authenticating so long as the time stamp file's | authenticating so long as the time stamp file's modification time is |
| modification time is within 5 minutes (or whatever the timeout is set | within 5 minutes (or whatever the timeout is set to in _�s_�u_�d_�o_�e_�r_�s). When |
| to in _�s_�u_�d_�o_�e_�r_�s). When the _�t_�t_�y_�__�t_�i_�c_�k_�e_�t_�s option is enabled, the time stamp | the _�t_�t_�y_�__�t_�i_�c_�k_�e_�t_�s option is enabled, the time stamp has per-tty granularity |
| has per-tty granularity but still may outlive the user's session. On | but still may outlive the user's session. On Linux systems where the |
| Linux systems where the devpts filesystem is used, Solaris systems with | devpts filesystem is used, Solaris systems with the devices filesystem, |
| the devices filesystem, as well as other systems that utilize a devfs | as well as other systems that utilize a devfs filesystem that |
| filesystem that monotonically increase the inode number of devices as | monotonically increase the inode number of devices as they are created |
| they are created (such as Mac OS X), _�s_�u_�d_�o_�e_�r_�s is able to determine when | (such as Mac OS X), _�s_�u_�d_�o_�e_�r_�s is able to determine when a tty-based time |
| a tty-based time stamp file is stale and will ignore it. | stamp file is stale and will ignore it. Administrators should not rely |
| Administrators should not rely on this feature as it is not universally | on this feature as it is not universally available. |
| available. | |
| |
|
| S�SE�EE�E A�AL�LS�SO�O |
S�SE�EE�E A�AL�LS�SO�O |
| _�r_�s_�h(1), _�s_�u(1), _�f_�n_�m_�a_�t_�c_�h(3), _�g_�l_�o_�b(3), _�m_�k_�t_�e_�m_�p(3), _�s_�t_�r_�f_�t_�i_�m_�e(3), | ssh(1), su(1), fnmatch(3), glob(3), mktemp(3), strftime(3), |
| _�s_�u_�d_�o_�e_�r_�s_�._�l_�d_�a_�p(4), _�s_�u_�d_�o_�__�p_�l_�u_�g_�i_�n(1m), _�s_�u_�d_�o(1m), _�v_�i_�s_�u_�d_�o(1m) | sudoers.ldap(4), sudo_plugin(1m), sudo(1m), visudo(1m) |
| |
|
| C�CA�AV�VE�EA�AT�TS�S |
C�CA�AV�VE�EA�AT�TS�S |
| The _�s_�u_�d_�o_�e_�r_�s file should a�al�lw�wa�ay�ys�s be edited by the v�vi�is�su�ud�do�o command which | The _�s_�u_�d_�o_�e_�r_�s file should a�al�lw�wa�ay�ys�s be edited by the v�vi�is�su�ud�do�o command which |
| locks the file and does grammatical checking. It is imperative that | locks the file and does grammatical checking. It is imperative that |
| _�s_�u_�d_�o_�e_�r_�s be free of syntax errors since s�su�ud�do�o will not run with a | _�s_�u_�d_�o_�e_�r_�s be free of syntax errors since s�su�ud�do�o will not run with a |
| syntactically incorrect _�s_�u_�d_�o_�e_�r_�s file. | syntactically incorrect _�s_�u_�d_�o_�e_�r_�s file. |
| |
|
| When using netgroups of machines (as opposed to users), if you store | When using netgroups of machines (as opposed to users), if you store |
| fully qualified host name in the netgroup (as is usually the case), you | fully qualified host name in the netgroup (as is usually the case), you |
| either need to have the machine's host name be fully qualified as | either need to have the machine's host name be fully qualified as |
| returned by the hostname command or use the _�f_�q_�d_�n option in _�s_�u_�d_�o_�e_�r_�s. | returned by the hostname command or use the _�f_�q_�d_�n option in _�s_�u_�d_�o_�e_�r_�s. |
| |
|
| B�BU�UG�GS�S |
B�BU�UG�GS�S |
| If you feel you have found a bug in s�su�ud�do�o, please submit a bug report at | If you feel you have found a bug in s�su�ud�do�o, please submit a bug report at |
| http://www.sudo.ws/sudo/bugs/ | http://www.sudo.ws/sudo/bugs/ |
| |
|
| S�SU�UP�PP�PO�OR�RT�T |
S�SU�UP�PP�PO�OR�RT�T |
| Limited free support is available via the sudo-users mailing list, see | Limited free support is available via the sudo-users mailing list, see |
| http://www.sudo.ws/mailman/listinfo/sudo-users to subscribe or search | http://www.sudo.ws/mailman/listinfo/sudo-users to subscribe or search the |
| the archives. | archives. |
| |
|
| D�DI�IS�SC�CL�LA�AI�IM�ME�ER�R |
D�DI�IS�SC�CL�LA�AI�IM�ME�ER�R |
| s�su�ud�do�o is provided ``AS IS'' and any express or implied warranties, | s�su�ud�do�o is provided ``AS IS'' and any express or implied warranties, |
| including, but not limited to, the implied warranties of | including, but not limited to, the implied warranties of merchantability |
| merchantability and fitness for a particular purpose are disclaimed. | and fitness for a particular purpose are disclaimed. See the LICENSE |
| See the LICENSE file distributed with s�su�ud�do�o or | file distributed with s�su�ud�do�o or http://www.sudo.ws/sudo/license.html for |
| http://www.sudo.ws/sudo/license.html for complete details. | complete details. |
| |
|
| Sudo 1.8.6 July 16, 2012 Sudo 1.8.6 |
| |
| 1.8.5 March 28, 2012 SUDOERS(4) | |
![[BACK]](/icons/cvsweb/back.gif){kind=icon}
Return to sudoers.cat CVS log ![[TXT]](/icons/cvsweb/text.gif){kind=icon}
![[DIR]](/icons/cvsweb/dir.gif){kind=icon}
Up to [ELWIX - Embedded LightWeight unIX -] / embedaddon / sudo / doc