Annotation of embedaddon/sudo/doc/sudoers.cat, revision 1.1

1.1     ! misho       1: SUDOERS(4)                   MAINTENANCE COMMANDS                   SUDOERS(4)
        !             2: 
        !             3: 
        !             4: 
        !             5: NAME
        !             6:        sudoers - default sudo security policy module
        !             7: 
        !             8: DESCRIPTION
        !             9:        The sudoers policy module determines a user's sudo privileges.  It is
        !            10:        the default sudo policy plugin.  The policy is driven by the
        !            11:        /etc/sudoers file or, optionally, in LDAP.  The policy format is
        !            12:        described in detail in the "SUDOERS FILE FORMAT" section.  For
        !            13:        information on storing sudoers policy information in LDAP, please see
        !            14:        sudoers.ldap(4).
        !            15: 
        !            16:    Authentication and Logging
        !            17:        The sudoers security policy requires that most users authenticate
        !            18:        themselves before they can use sudo.  A password is not required if the
        !            19:        invoking user is root, if the target user is the same as the invoking
        !            20:        user, or if the policy has disabled authentication for the user or
        !            21:        command.  Unlike su(1), when sudoers requires authentication, it
        !            22:        validates the invoking user's credentials, not the target user's (or
        !            23:        root's) credentials.  This can be changed via the rootpw, targetpw and
        !            24:        runaspw flags, described later.
        !            25: 
        !            26:        If a user who is not listed in the policy tries to run a command via
        !            27:        sudo, mail is sent to the proper authorities.  The address used for
        !            28:        such mail is configurable via the mailto Defaults entry (described
        !            29:        later) and defaults to root.
        !            30: 
        !            31:        Note that mail will not be sent if an unauthorized user tries to run
        !            32:        sudo with the -l or -v option.  This allows users to determine for
        !            33:        themselves whether or not they are allowed to use sudo.
        !            34: 
        !            35:        If sudo is run by root and the SUDO_USER environment variable is set,
        !            36:        the sudoers policy will use this value to determine who the actual user
        !            37:        is.  This can be used by a user to log commands through sudo even when
        !            38:        a root shell has been invoked.  It also allows the -e option to remain
        !            39:        useful even when invoked via a sudo-run script or program.  Note,
        !            40:        however, that the sudoers lookup is still done for root, not the user
        !            41:        specified by SUDO_USER.
        !            42: 
        !            43:        sudoers uses time stamp files for credential caching.  Once a user has
        !            44:        been authenticated, a time stamp is updated and the user may then use
        !            45:        sudo without a password for a short period of time (5 minutes unless
        !            46:        overridden by the timeout option).  By default, sudoers uses a tty-based
        !            47:        time stamp which means that there is a separate time stamp for each of
        !            48:        a user's login sessions.  The tty_tickets option can be disabled to
        !            49:        force the use of a single time stamp for all of a user's sessions.
        !            50: 
        !            51:        sudoers can log both successful and unsuccessful attempts (as well as
        !            52:        errors) to syslog(3), a log file, or both.  By default, sudoers will
        !            53:        log via syslog(3) but this is changeable via the syslog and logfile
        !            54:        Defaults settings.
        !            55: 
        !            56:        sudoers also supports logging a command's input and output streams.
        !            57:        I/O logging is not on by default but can be enabled using the log_input
        !            58:        and log_output Defaults flags as well as the LOG_INPUT and LOG_OUTPUT
        !            59:        command tags.
        !            60: 
        !            61:    Command Environment
        !            62:        Since environment variables can influence program behavior, sudoers
        !            63:        provides a means to restrict which variables from the user's
        !            64:        environment are inherited by the command to be run.  There are two
        !            65:        distinct ways sudoers can deal with environment variables.
        !            66: 
        !            67:        By default, the env_reset option is enabled.  This causes commands to
        !            68:        be executed with a minimal environment containing TERM, PATH, HOME,
        !            69:        MAIL, SHELL, LOGNAME, USER and USERNAME in addition to variables from
        !            70:        the invoking process permitted by the env_check and env_keep options.
        !            71:        This is effectively a whitelist for environment variables.
        !            72: 
        !            73:        If, however, the env_reset option is disabled, any variables not
        !            74:        explicitly denied by the env_check and env_delete options are inherited
        !            75:        from the invoking process.  In this case, env_check and env_delete
        !            76:        behave like a blacklist.  Since it is not possible to blacklist all
        !            77:        potentially dangerous environment variables, use of the default
        !            78:        env_reset behavior is encouraged.
        !            79: 
        !            80:        In all cases, environment variables with a value beginning with () are
        !            81:        removed as they could be interpreted as bash functions.  The list of
        !            82:        environment variables that sudo allows or denies is contained in the
        !            83:        output of sudo -V when run as root.
        !            84: 
        !            85:        Note that the dynamic linker on most operating systems will remove
        !            86:        variables that can control dynamic linking from the environment of
        !            87:        setuid executables, including sudo.  Depending on the operating system
        !            88:        this may include _RLD*, DYLD_*, LD_*, LDR_*, LIBPATH, SHLIB_PATH, and
        !            89:        others.  These types of variables are removed from the environment
        !            90:        before sudo even begins execution and, as such, it is not possible for
        !            91:        sudo to preserve them.
        !            92: 
        !            93:        As a special case, if sudo's -i option (initial login) is specified,
        !            94:        sudoers will initialize the environment regardless of the value of
        !            95:        env_reset.  The DISPLAY, PATH and TERM variables remain unchanged;
        !            96:        HOME, MAIL, SHELL, USER, and LOGNAME are set based on the target user.
        !            97:        On Linux and AIX systems the contents of /etc/environment are also
        !            98:        included.  All other environment variables are removed.
        !            99: 
        !           100: SUDOERS FILE FORMAT
        !           101:        The sudoers file is composed of two types of entries: aliases
        !           102:        (basically variables) and user specifications (which specify who may
        !           103:        run what).
        !           104: 
        !           105:        When multiple entries match for a user, they are applied in order.
        !           106:        Where there are multiple matches, the last match is used (which is not
        !           107:        necessarily the most specific match).
        !           108: 
        !           109:        The sudoers grammar will be described below in Extended Backus-Naur
        !           110:        Form (EBNF).  Don't despair if you don't know what EBNF is; it is
        !           111:        fairly simple, and the definitions below are annotated.
        !           112: 
        !           113:    Quick guide to EBNF
        !           114:        EBNF is a concise and exact way of describing the grammar of a
        !           115:        language.  Each EBNF definition is made up of production rules.  E.g.,
        !           116: 
        !           117:         symbol ::= definition | alternate1 | alternate2 ...
        !           118: 
        !           119:        Each production rule references others and thus makes up a grammar for
        !           120:        the language.  EBNF also contains the following operators, which many
        !           121:        readers will recognize from regular expressions.  Do not, however,
        !           122:        confuse them with "wildcard" characters, which have different meanings.
        !           123: 
        !           124:        ?   Means that the preceding symbol (or group of symbols) is optional.
        !           125:            That is, it may appear once or not at all.
        !           126: 
        !           127:        *   Means that the preceding symbol (or group of symbols) may appear
        !           128:            zero or more times.
        !           129: 
        !           130:        +   Means that the preceding symbol (or group of symbols) may appear
        !           131:            one or more times.
        !           132: 
        !           133:        Parentheses may be used to group symbols together.  For clarity, we
        !           134:        will use single quotes ('') to designate what is a verbatim character
        !           135:        string (as opposed to a symbol name).
        !           136: 
        !           137:    Aliases
        !           138:        There are four kinds of aliases: User_Alias, Runas_Alias, Host_Alias
        !           139:        and Cmnd_Alias.
        !           140: 
        !           141:         Alias ::= 'User_Alias'  User_Alias (':' User_Alias)* |
        !           142:                   'Runas_Alias' Runas_Alias (':' Runas_Alias)* |
        !           143:                   'Host_Alias'  Host_Alias (':' Host_Alias)* |
        !           144:                   'Cmnd_Alias'  Cmnd_Alias (':' Cmnd_Alias)*
        !           145: 
        !           146:         User_Alias ::= NAME '=' User_List
        !           147: 
        !           148:         Runas_Alias ::= NAME '=' Runas_List
        !           149: 
        !           150:         Host_Alias ::= NAME '=' Host_List
        !           151: 
        !           152:         Cmnd_Alias ::= NAME '=' Cmnd_List
        !           153: 
        !           154:         NAME ::= [A-Z]([A-Z][0-9]_)*
        !           155: 
        !           156:        Each alias definition is of the form
        !           157: 
        !           158:         Alias_Type NAME = item1, item2, ...
        !           159: 
        !           160:        where Alias_Type is one of User_Alias, Runas_Alias, Host_Alias, or
        !           161:        Cmnd_Alias.  A NAME is a string of uppercase letters, numbers, and
        !           162:        underscore characters ('_').  A NAME must start with an uppercase
        !           163:        letter.  It is possible to put several alias definitions of the same
        !           164:        type on a single line, joined by a colon (':').  E.g.,
        !           165: 
        !           166:         Alias_Type NAME = item1, item2, item3 : NAME = item4, item5
        !           167: 
        !           168:        The definitions of what constitutes a valid alias member follow.
        !           169: 
        !           170:         User_List ::= User |
        !           171:                       User ',' User_List
        !           172: 
        !           173:         User ::= '!'* user name |
        !           174:                  '!'* #uid |
        !           175:                  '!'* %group |
        !           176:                  '!'* %#gid |
        !           177:                  '!'* +netgroup |
        !           178:                  '!'* %:nonunix_group |
        !           179:                  '!'* %:#nonunix_gid |
        !           180:                  '!'* User_Alias
        !           181: 
        !           182:        A User_List is made up of one or more user names, user ids (prefixed
        !           183:        with '#'), system group names and ids (prefixed with '%' and '%#'
        !           184:        respectively), netgroups (prefixed with '+'), non-Unix group names and
        !           185:        IDs (prefixed with '%:' and '%:#' respectively) and User_Aliases.  Each
        !           186:        list item may be prefixed with zero or more '!' operators.  An odd
        !           187:        number of '!' operators negate the value of the item; an even number
        !           188:        just cancel each other out.
        !           189: 
        !           190:        A user name, uid, group, gid, netgroup, nonunix_group or nonunix_gid
        !           191:        may be enclosed in double quotes to avoid the need for escaping special
        !           192:        characters.  Alternately, special characters may be specified in
        !           193:        escaped hex mode, e.g. \x20 for space.  When using double quotes, any
        !           194:        prefix characters must be included inside the quotes.
        !           195: 
        !           196:        The actual nonunix_group and nonunix_gid syntax depends on the
        !           197:        underlying group provider plugin (see the group_plugin description
        !           198:        below).  For instance, the QAS AD plugin supports the following
        !           199:        formats:
        !           200: 
        !           201:        o   Group in the same domain: "Group Name"
        !           202: 
        !           203:        o   Group in any domain: "Group Name@FULLY.QUALIFIED.DOMAIN"
        !           204: 
        !           205:        o   Group SID: "S-1-2-34-5678901234-5678901234-5678901234-567"
        !           206: 
        !           207:        Note that quotes around group names are optional.  Unquoted strings
        !           208:        must use a backslash (\) to escape spaces and special characters.  See
        !           209:        "Other special characters and reserved words" for a list of characters
        !           210:        that need to be escaped.
        !           211: 
        !           212:         Runas_List ::= Runas_Member |
        !           213:                        Runas_Member ',' Runas_List
        !           214: 
        !           215:         Runas_Member ::= '!'* user name |
        !           216:                          '!'* #uid |
        !           217:                          '!'* %group |
        !           218:                          '!'* %#gid |
        !           219:                          '!'* %:nonunix_group |
        !           220:                          '!'* %:#nonunix_gid |
        !           221:                          '!'* +netgroup |
        !           222:                          '!'* Runas_Alias
        !           223: 
        !           224:        A Runas_List is similar to a User_List except that instead of
        !           225:        User_Aliases it can contain Runas_Aliases.  Note that user names and
        !           226:        groups are matched as strings.  In other words, two users (groups) with
        !           227:        the same uid (gid) are considered to be distinct.  If you wish to match
        !           228:        all user names with the same uid (e.g. root and toor), you can use a
        !           229:        uid instead (#0 in the example given).
        !           230: 
        !           231:         Host_List ::= Host |
        !           232:                       Host ',' Host_List
        !           233: 
        !           234:         Host ::= '!'* host name |
        !           235:                  '!'* ip_addr |
        !           236:                  '!'* network(/netmask)? |
        !           237:                  '!'* +netgroup |
        !           238:                  '!'* Host_Alias
        !           239: 
        !           240:        A Host_List is made up of one or more host names, IP addresses, network
        !           241:        numbers, netgroups (prefixed with '+') and other aliases.  Again, the
        !           242:        value of an item may be negated with the '!' operator.  If you do not
        !           243:        specify a netmask along with the network number, sudo will query each
        !           244:        of the local host's network interfaces and, if the network number
        !           245:        corresponds to one of the host's network interfaces, the corresponding
        !           246:        netmask will be used.  The netmask may be specified either in standard
        !           247:        IP address notation (e.g. 255.255.255.0 or ffff:ffff:ffff:ffff::), or
        !           248:        CIDR notation (number of bits, e.g. 24 or 64).  A host name may include
        !           249:        shell-style wildcards (see the Wildcards section below), but unless the
        !           250:        host name command on your machine returns the fully qualified host
        !           251:        name, you'll need to use the fqdn option for wildcards to be useful.
        !           252:        Note sudo only inspects actual network interfaces; this means that IP
        !           253:        address 127.0.0.1 (localhost) will never match.  Also, the host name
        !           254:        "localhost" will only match if that is the actual host name, which is
        !           255:        usually only the case for non-networked systems.
        !           256: 
        !           257:         Cmnd_List ::= Cmnd |
        !           258:                       Cmnd ',' Cmnd_List
        !           259: 
        !           260:         commandname ::= file name |
        !           261:                         file name args |
        !           262:                         file name '""'
        !           263: 
        !           264:         Cmnd ::= '!'* commandname |
        !           265:                  '!'* directory |
        !           266:                  '!'* "sudoedit" |
        !           267:                  '!'* Cmnd_Alias
        !           268: 
        !           269:        A Cmnd_List is a list of one or more commandnames, directories, and
        !           270:        other aliases.  A commandname is a fully qualified file name which may
        !           271:        include shell-style wildcards (see the Wildcards section below).  A
        !           272:        simple file name allows the user to run the command with any arguments
        !           273:        he/she wishes.  However, you may also specify command line arguments
        !           274:        (including wildcards).  Alternately, you can specify "" to indicate
        !           275:        that the command may only be run without command line arguments.  A
        !           276:        directory is a fully qualified path name ending in a '/'.  When you
        !           277:        specify a directory in a Cmnd_List, the user will be able to run any
        !           278:        file within that directory (but not in any subdirectories therein).
        !           279: 
        !           280:        If a Cmnd has associated command line arguments, then the arguments in
        !           281:        the Cmnd must match exactly those given by the user on the command line
        !           282:        (or match the wildcards if there are any).  Note that the following
        !           283:        characters must be escaped with a '\' if they are used in command
        !           284:        arguments: ',', ':', '=', '\'.  The special command "sudoedit" is used
        !           285:        to permit a user to run sudo with the -e option (or as sudoedit).  It
        !           286:        may take command line arguments just as a normal command does.
        !           287: 
        !           288:    Defaults
        !           289:        Certain configuration options may be changed from their default values
        !           290:        at runtime via one or more Default_Entry lines.  These may affect all
        !           291:        users on any host, all users on a specific host, a specific user, a
        !           292:        specific command, or commands being run as a specific user.  Note that
        !           293:        per-command entries may not include command line arguments.  If you
        !           294:        need to specify arguments, define a Cmnd_Alias and reference that
        !           295:        instead.
        !           296: 
        !           297:         Default_Type ::= 'Defaults' |
        !           298:                          'Defaults' '@' Host_List |
        !           299:                          'Defaults' ':' User_List |
        !           300:                          'Defaults' '!' Cmnd_List |
        !           301:                          'Defaults' '>' Runas_List
        !           302: 
        !           303:         Default_Entry ::= Default_Type Parameter_List
        !           304: 
        !           305:         Parameter_List ::= Parameter |
        !           306:                            Parameter ',' Parameter_List
        !           307: 
        !           308:         Parameter ::= Parameter '=' Value |
        !           309:                       Parameter '+=' Value |
        !           310:                       Parameter '-=' Value |
        !           311:                       '!'* Parameter
        !           312: 
        !           313:        Parameters may be flags, integer values, strings, or lists.  Flags are
        !           314:        implicitly boolean and can be turned off via the '!'  operator.  Some
        !           315:        integer, string and list parameters may also be used in a boolean
        !           316:        context to disable them.  Values may be enclosed in double quotes (")
        !           317:        when they contain multiple words.  Special characters may be escaped
        !           318:        with a backslash (\).
        !           319: 
        !           320:        Lists have two additional assignment operators, += and -=.  These
        !           321:        operators are used to add to and delete from a list respectively.  It
        !           322:        is not an error to use the -= operator to remove an element that does
        !           323:        not exist in a list.
        !           324: 
        !           325:        Defaults entries are parsed in the following order: generic, host and
        !           326:        user Defaults first, then runas Defaults and finally command defaults.
        !           327: 
        !           328:        See "SUDOERS OPTIONS" for a list of supported Defaults parameters.
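
The Defaults grammar above, applied by a small evaluator and used to flag every scope where env_reset has been turned off, which is the blacklist mode the Command Environment section advises against. This is an added example, not code from sudo or from this page: the function names and the sample lines are constructed, and it assumes the binding character directly follows `Defaults`, that list values are space-separated words, and that at most one '!' precedes a flag.

```python
import re

# 'Defaults', optionally bound with @host, :user, !cmnd or >runas, then parameters.
DEFAULTS_RE = re.compile(r'^Defaults(?:([@:!>])(\S+))?\s+(.*)$')
# Commas separate parameters unless backslash-escaped or inside double quotes.
PARAM_SPLIT = re.compile(r'(?:[^,"\\]|\\.|"[^"]*")+')
PARAM_RE = re.compile(r'^(!?)([a-z_]+)\s*(?:(\+=|-=|=)\s*(.*))?$')


def apply_defaults(lines):
    """Apply Defaults lines in file order; return {scope: {parameter: value}}."""
    scopes = {}
    for raw in lines:
        m = DEFAULTS_RE.match(raw.strip())
        if not m:
            continue  # comments, aliases and user specifications are skipped
        scope = "Defaults" + (m.group(1) + m.group(2) if m.group(1) else "")
        settings = scopes.setdefault(scope, {})
        for part in PARAM_SPLIT.findall(m.group(3)):
            pm = PARAM_RE.match(part.strip())
            if not pm:
                continue
            bang, name, op, value = pm.groups()
            if op is None:
                settings[name] = not bang  # bare flag is on, '!flag' is off
                continue
            value = value.strip().strip('"')
            if op == "=":
                settings[name] = value
                continue
            current = settings.get(name)
            if isinstance(current, str):
                current = current.split()
            items = list(current) if isinstance(current, list) else []
            for word in value.split():
                if op == "+=" and word not in items:
                    items.append(word)
                elif op == "-=" and word in items:
                    items.remove(word)  # removing an absent element is not an error
            settings[name] = items
    return scopes


def env_reset_disabled(scopes):
    """Scopes that explicitly switch env_reset off (blacklist mode)."""
    return sorted(s for s, v in scopes.items() if v.get("env_reset") is False)


# Constructed sample, not taken from a real system.
SAMPLE = [
    'Defaults env_reset, mailto="secops@example.org"',
    'Defaults env_keep += "LANG LC_ALL"',
    'Defaults env_keep += "EDITOR", env_keep -= "LC_ALL"',
    'Defaults env_keep -= "NOT_PRESENT"',
    'Defaults:build !env_reset',
    'Defaults!/usr/bin/backup log_output',
]

if __name__ == "__main__":
    result = apply_defaults(SAMPLE)
    for scope, settings in result.items():
        print(scope, settings)
    print("env_reset disabled in:", env_reset_disabled(result))
```
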
        !           329: 
        !           330:    User Specification
        !           331:         User_Spec ::= User_List Host_List '=' Cmnd_Spec_List \
        !           332:                       (':' Host_List '=' Cmnd_Spec_List)*
        !           333: 
        !           334:         Cmnd_Spec_List ::= Cmnd_Spec |
        !           335:                            Cmnd_Spec ',' Cmnd_Spec_List
        !           336: 
        !           337:         Cmnd_Spec ::= Runas_Spec? SELinux_Spec? Tag_Spec* Cmnd
        !           338: 
        !           339:         Runas_Spec ::= '(' Runas_List? (':' Runas_List)? ')'
        !           340: 
        !           341:         SELinux_Spec ::= ('ROLE=role' | 'TYPE=type')
        !           342: 
        !           343:         Tag_Spec ::= ('NOPASSWD:' | 'PASSWD:' | 'NOEXEC:' | 'EXEC:' |
        !           344:                       'SETENV:' | 'NOSETENV:' | 'LOG_INPUT:' | 'NOLOG_INPUT:' |
        !           345:                       'LOG_OUTPUT:' | 'NOLOG_OUTPUT:')
        !           346: 
        !           347:        A user specification determines which commands a user may run (and as
        !           348:        what user) on specified hosts.  By default, commands are run as root,
        !           349:        but this can be changed on a per-command basis.
        !           350: 
        !           351:        The basic structure of a user specification is `who where = (as_whom)
        !           352:        what'.  Let's break that down into its constituent parts:
        !           353: 
        !           354:    Runas_Spec
        !           355:        A Runas_Spec determines the user and/or the group that a command may be
        !           356:        run as.  A fully-specified Runas_Spec consists of two Runas_Lists (as
        !           357:        defined above) separated by a colon (':') and enclosed in a set of
        !           358:        parentheses.  The first Runas_List indicates which users the command
        !           359:        may be run as via sudo's -u option.  The second defines a list of
        !           360:        groups that can be specified via sudo's -g option.  If both Runas_Lists
        !           361:        are specified, the command may be run with any combination of users and
        !           362:        groups listed in their respective Runas_Lists.  If only the first is
        !           363:        specified, the command may be run as any user in the list but no -g
        !           364:        option may be specified.  If the first Runas_List is empty but the
        !           365:        second is specified, the command may be run as the invoking user with
        !           366:        the group set to any listed in the Runas_List.  If no Runas_Spec is
        !           367:        specified the command may be run as root and no group may be specified.
        !           368: 
        !           369:        A Runas_Spec sets the default for the commands that follow it.  What
        !           370:        this means is that for the entry:
        !           371: 
        !           372:         dgb    boulder = (operator) /bin/ls, /bin/kill, /usr/bin/lprm
        !           373: 
        !           374:        The user dgb may run /bin/ls, /bin/kill, and /usr/bin/lprm -- but only
        !           375:        as operator.  E.g.,
        !           376: 
        !           377:         $ sudo -u operator /bin/ls
        !           378: 
        !           379:        It is also possible to override a Runas_Spec later on in an entry.  If
        !           380:        we modify the entry like so:
        !           381: 
        !           382:         dgb    boulder = (operator) /bin/ls, (root) /bin/kill, /usr/bin/lprm
        !           383: 
        !           384:        Then user dgb is now allowed to run /bin/ls as operator, but /bin/kill
        !           385:        and /usr/bin/lprm as root.
        !           386: 
        !           387:        We can extend this to allow dgb to run /bin/ls with either the user or
        !           388:        group set to operator:
        !           389: 
        !           390:         dgb    boulder = (operator : operator) /bin/ls, (root) /bin/kill, \
        !           391:                /usr/bin/lprm
        !           392: 
        !           393:        Note that while the group portion of the Runas_Spec permits the user to
        !           394:        run a command with that group, it does not force the user to do so.
        !           395:        If no group is specified on the command line, the command will run with
        !           396:        the group listed in the target user's password database entry.  The
        !           397:        following would all be permitted by the sudoers entry above:
        !           398: 
        !           399:         $ sudo -u operator /bin/ls
        !           400:         $ sudo -u operator -g operator /bin/ls
        !           401:         $ sudo -g operator /bin/ls
        !           402: 
        !           403:        In the following example, user tcm may run commands that access a modem
        !           404:        device file with the dialer group.
        !           405: 
        !           406:         tcm    boulder = (:dialer) /usr/bin/tip, /usr/bin/cu, \
        !           407:                /usr/local/bin/minicom
        !           408: 
        !           409:        Note that in this example only the group will be set, the command still
        !           410:        runs as user tcm.  E.g.
        !           411: 
        !           412:         $ sudo -g dialer /usr/bin/cu
        !           413: 
        !           414:        Multiple users and groups may be present in a Runas_Spec, in which case
        !           415:        the user may select any combination of users and groups via the -u and
        !           416:        -g options.  In this example:
        !           417: 
        !           418:         alan   ALL = (root, bin : operator, system) ALL
        !           419: 
        !           420:        user alan may run any command as either user root or bin, optionally
        !           421:        setting the group to operator or system.
        !           422: 
        !           423:    SELinux_Spec
        !           424:        On systems with SELinux support, sudoers entries may optionally have an
        !           425:        SELinux role and/or type associated with a command.  If a role or type
        !           426:        is specified with the command it will override any default values
        !           427:        specified in sudoers.  A role or type specified on the command line,
        !           428:        however, will supersede the values in sudoers.
        !           429: 
        !           430:    Tag_Spec
        !           431:        A command may have zero or more tags associated with it.  There are
        !           432:        eight possible tag values, NOPASSWD, PASSWD, NOEXEC, EXEC, SETENV,
        !           433:        NOSETENV, LOG_INPUT, NOLOG_INPUT, LOG_OUTPUT and NOLOG_OUTPUT.  Once a
        !           434:        tag is set on a Cmnd, subsequent Cmnds in the Cmnd_Spec_List inherit
        !           435:        the tag unless it is overridden by the opposite tag (i.e.: PASSWD
        !           436:        overrides NOPASSWD and NOEXEC overrides EXEC).
        !           437: 
        !           438:        NOPASSWD and PASSWD
        !           439: 
        !           440:        By default, sudo requires that a user authenticate him or herself
        !           441:        before running a command.  This behavior can be modified via the
        !           442:        NOPASSWD tag.  Like a Runas_Spec, the NOPASSWD tag sets a default for
        !           443:        the commands that follow it in the Cmnd_Spec_List.  Conversely, the
        !           444:        PASSWD tag can be used to reverse things.  For example:
        !           445: 
        !           446:         ray    rushmore = NOPASSWD: /bin/kill, /bin/ls, /usr/bin/lprm
        !           447: 
        !           448:        would allow the user ray to run /bin/kill, /bin/ls, and /usr/bin/lprm
        !           449:        as root on the machine rushmore without authenticating himself.  If we
        !           450:        only want ray to be able to run /bin/kill without a password the entry
        !           451:        would be:
        !           452: 
        !           453:         ray    rushmore = NOPASSWD: /bin/kill, PASSWD: /bin/ls, /usr/bin/lprm
        !           454: 
        !           455:        Note, however, that the PASSWD tag has no effect on users who are in
        !           456:        the group specified by the exempt_group option.
        !           457: 
        !           458:        By default, if the NOPASSWD tag is applied to any of the entries for a
        !           459:        user on the current host, he or she will be able to run sudo -l without
        !           460:        a password.  Additionally, a user may only run sudo -v without a
        !           461:        password if the NOPASSWD tag is present for all a user's entries that
        !           462:        pertain to the current host.  This behavior may be overridden via the
        !           463:        verifypw and listpw options.
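The tag inheritance described above can be checked mechanically when auditing which commands run without a password. The following is an added example, not part of the sudoers manual or the sudo source; the function names are hypothetical, and it assumes one "user host = Cmnd_Spec_List" per entry and ignores Defaults such as authenticate and exempt_group.

```python
import re

# Each tag and the tag that cancels it, from the Tag_Spec list above.
OPPOSITE = {
    "NOPASSWD": "PASSWD", "NOEXEC": "EXEC", "SETENV": "NOSETENV",
    "LOG_INPUT": "NOLOG_INPUT", "LOG_OUTPUT": "NOLOG_OUTPUT",
}
OPPOSITE.update({v: k for k, v in list(OPPOSITE.items())})

TAG_RE = re.compile(r"\s*(%s)\s*:\s*" % "|".join(OPPOSITE))
RUNAS_RE = re.compile(r"^\s*\([^)]*\)\s*")


def split_cmnd_specs(text):
    """Split a Cmnd_Spec_List on commas that are neither escaped with a
    backslash nor inside a parenthesised Runas_Spec."""
    parts, buf, depth, i = [], [], 0, 0
    while i < len(text):
        ch = text[i]
        if ch == "\\" and i + 1 < len(text):
            buf.append(text[i:i + 2])      # keep the escaped pair intact
            i += 2
            continue
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth = max(0, depth - 1)
        if ch == "," and depth == 0:
            parts.append("".join(buf).strip())
            buf = []
        else:
            buf.append(ch)
        i += 1
    parts.append("".join(buf).strip())
    return [p for p in parts if p]


def resolve_tags(cmnd_spec_list):
    """Return [(command, frozenset(tags))] with inheritance applied:
    a tag stays in force until its opposite appears later in the list."""
    active, resolved = set(), []
    for item in split_cmnd_specs(cmnd_spec_list):
        item = RUNAS_RE.sub("", item, count=1)   # skip an optional Runas_Spec
        while True:
            m = TAG_RE.match(item)
            if not m:
                break
            tag = m.group(1)
            active.discard(OPPOSITE[tag])
            active.add(tag)
            item = item[m.end():]
        resolved.append((item.strip(), frozenset(active)))
    return resolved


def passwordless_commands(user_spec):
    """Return (user, host, [commands that carry NOPASSWD]) for one entry."""
    lhs, cmnds = user_spec.replace("\\\n", " ").split("=", 1)
    user, host = lhs.split()[:2]
    return user, host, [c for c, tags in resolve_tags(cmnds) if "NOPASSWD" in tags]


if __name__ == "__main__":
    # The two entries are the ones shown in the text above.
    for entry in (
        "ray    rushmore = NOPASSWD: /bin/kill, /bin/ls, /usr/bin/lprm",
        "ray    rushmore = NOPASSWD: /bin/kill, PASSWD: /bin/ls, /usr/bin/lprm",
    ):
        print(passwordless_commands(entry))
```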
        !           464: 
        !           465:        NOEXEC and EXEC
        !           466: 
        !           467:        If sudo has been compiled with noexec support and the underlying
        !           468:        operating system supports it, the NOEXEC tag can be used to prevent a
        !           469:        dynamically-linked executable from running further commands itself.
        !           470: 
        !           471:        In the following example, user aaron may run /usr/bin/more and
        !           472:        /usr/bin/vi but shell escapes will be disabled.
        !           473: 
        !           474:         aaron  shanty = NOEXEC: /usr/bin/more, /usr/bin/vi
        !           475: 
        !           476:        See the "PREVENTING SHELL ESCAPES" section below for more details on
        !           477:        how NOEXEC works and whether or not it will work on your system.
        !           478: 
        !           479:        SETENV and NOSETENV
        !           480: 
        !           481:        These tags override the value of the setenv option on a per-command
        !           482:        basis.  Note that if SETENV has been set for a command, the user may
        !           483:        disable the env_reset option from the command line via the -E option.
        !           484:        Additionally, environment variables set on the command line are not
        !           485:        subject to the restrictions imposed by env_check, env_delete, or
        !           486:        env_keep.  As such, only trusted users should be allowed to set
        !           487:        variables in this manner.  If the command matched is ALL, the SETENV
        !           488:        tag is implied for that command; this default may be overridden by use
        !           489:        of the NOSETENV tag.
        !           490: 
        !           491:        LOG_INPUT and NOLOG_INPUT
        !           492: 
        !           493:        These tags override the value of the log_input option on a per-command
        !           494:        basis.  For more information, see the description of log_input in the
        !           495:        "SUDOERS OPTIONS" section below.
        !           496: 
        !           497:        LOG_OUTPUT and NOLOG_OUTPUT
        !           498: 
        !           499:        These tags override the value of the log_output option on a per-command
        !           500:        basis.  For more information, see the description of log_output in the
        !           501:        "SUDOERS OPTIONS" section below.
        !           502: 
        !           503:    Wildcards
        !           504:        sudo allows shell-style wildcards (aka meta or glob characters) to be
        !           505:        used in host names, path names and command line arguments in the
        !           506:        sudoers file.  Wildcard matching is done via the POSIX glob(3) and
        !           507:        fnmatch(3) routines.  Note that these are not regular expressions.
        !           508: 
        !           509:        *       Matches any set of zero or more characters.
        !           510: 
        !           511:        ?       Matches any single character.
        !           512: 
        !           513:        [...]   Matches any character in the specified range.
        !           514: 
        !           515:        [!...]  Matches any character not in the specified range.
        !           516: 
        !           517:        \x      For any character "x", evaluates to "x".  This is used to
        !           518:                escape special characters such as: "*", "?", "[", and "}".
        !           519: 
        !           520:        POSIX character classes may also be used if your system's glob(3) and
        !           521:        fnmatch(3) functions support them.  However, because the ':' character
        !           522:        has special meaning in sudoers, it must be escaped.  For example:
        !           523: 
        !           524:            /bin/ls [[\:alpha\:]]*
        !           525: 
        !           526:        Would match any file name beginning with a letter.
        !           527: 
        !           528:        Note that a forward slash ('/') will not be matched by wildcards used
        !           529:        in the path name.  When matching the command line arguments, however, a
        !           530:        slash does get matched by wildcards.  This is to make a path like:
        !           531: 
        !           532:            /usr/bin/*
        !           533: 
        !           534:        match /usr/bin/who but not /usr/bin/X11/xterm.
        !           535: 
        !           536:    Exceptions to wildcard rules
        !           537:        The following exceptions apply to the above rules:
        !           538: 
        !           539:        ""      If the empty string "" is the only command line argument in the
        !           540:                sudoers entry it means that command is not allowed to be run
        !           541:                with any arguments.
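The difference between path-name and argument matching, and the "" exception, can be modelled in a few lines when reviewing a rule. This is an added example, not code from sudo: it emulates the rules above with Python's fnmatch module (which supports neither backslash escapes nor POSIX character classes), does not touch the file system as glob(3) does, and the function names are hypothetical. It also relies on the manual's Cmnd description, under which a command listed without arguments may be run with any arguments.

```python
import fnmatch


def path_matches(pattern, path):
    """Path-name rule: a wildcard never matches '/', so the pattern and the
    path must have the same number of components and match pairwise."""
    pat_parts = pattern.split("/")
    path_parts = path.split("/")
    if len(pat_parts) != len(path_parts):
        return False
    return all(fnmatch.fnmatchcase(part, pat)
               for part, pat in zip(path_parts, pat_parts))


def command_allowed(sudoers_cmnd, argv):
    """Decide whether argv (a list, argv[0] being the full path) matches one
    sudoers Cmnd written as 'path [arguments]'."""
    spec_path, _, spec_args = sudoers_cmnd.partition(" ")
    spec_args = spec_args.strip()
    if not path_matches(spec_path, argv[0]):
        return False
    user_args = " ".join(argv[1:])
    if spec_args == "":
        return True                  # no arguments listed: any are accepted
    if spec_args == '""':
        return user_args == ""       # "" means: no arguments at all
    # Argument rule: wildcards DO match '/', so the arguments are compared
    # as one string without splitting on slashes.
    return fnmatch.fnmatchcase(user_args, spec_args)


if __name__ == "__main__":
    # Constructed invocations for illustration.
    checks = [
        ("/usr/bin/*", ["/usr/bin/who"]),
        ("/usr/bin/*", ["/usr/bin/X11/xterm"]),
        ("/bin/ls /var/log/*", ["/bin/ls", "/var/log/app/debug.log"]),
        ('/usr/bin/id ""', ["/usr/bin/id", "-u"]),
    ]
    for cmnd, argv in checks:
        print("%-22s %-40s %s" % (cmnd, " ".join(argv), command_allowed(cmnd, argv)))
```

An argument pattern such as /var/log/* therefore covers every path below /var/log, not just its direct entries, which matters when reviewing rules that pass file names to a privileged command.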
        !           542: 
        !           543:    Including other files from within sudoers
        !           544:        It is possible to include other sudoers files from within the sudoers
        !           545:        file currently being parsed using the #include and #includedir
        !           546:        directives.
        !           547: 
        !           548:        This can be used, for example, to keep a site-wide sudoers file in
        !           549:        addition to a local, per-machine file.  For the sake of this example
        !           550:        the site-wide sudoers will be /etc/sudoers and the per-machine one will
        !           551:        be /etc/sudoers.local.  To include /etc/sudoers.local from within
        !           552:        /etc/sudoers we would use the following line in /etc/sudoers:
        !           553: 
        !           554:            #include /etc/sudoers.local
        !           555: 
        !           556:        When sudo reaches this line it will suspend processing of the current
        !           557:        file (/etc/sudoers) and switch to /etc/sudoers.local.  Upon reaching
        !           558:        the end of /etc/sudoers.local, the rest of /etc/sudoers will be
        !           559:        processed.  Files that are included may themselves include other files.
        !           560:        A hard limit of 128 nested include files is enforced to prevent include
        !           561:        file loops.
        !           562: 
        !           563:        The file name may include the %h escape, signifying the short form of
        !           564:        the host name.  I.e., if the machine's host name is "xerxes", then
        !           565: 
        !           566:        #include /etc/sudoers.%h
        !           567: 
        !           568:        will cause sudo to include the file /etc/sudoers.xerxes.
        !           569: 
        !           570:        The #includedir directive can be used to create a sudo.d directory that
        !           571:        the system package manager can drop sudoers rules into as part of
        !           572:        package installation.  For example, given:
        !           573: 
        !           574:        #includedir /etc/sudoers.d
        !           575: 
        !           576:        sudo will read each file in /etc/sudoers.d, skipping file names that
        !           577:        end in ~ or contain a . character to avoid causing problems with
        !           578:        package manager or editor temporary/backup files.  Files are parsed in
        !           579:        sorted lexical order.  That is, /etc/sudoers.d/01_first will be parsed
        !           580:        before /etc/sudoers.d/10_second.  Be aware that because the sorting is
        !           581:        lexical, not numeric, /etc/sudoers.d/1_whoops would be loaded after
        !           582:        /etc/sudoers.d/10_second.  Using a consistent number of leading zeroes
        !           583:        in the file names can be used to avoid such problems.
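Because skipped files are ignored silently, a rule dropped into the directory under a name such as 90-local.conf never takes effect, and a misordered file can be overridden by a later one. The following added example (not part of sudo; function names are hypothetical) applies the naming and ordering rules above to a directory listing. It assumes the lexical sort is byte-wise, which is how Python sorts ASCII file names.

```python
import os
import re


def leading_number(name):
    """Return the integer prefix of a file name, or None if it has none."""
    m = re.match(r"\d+", name)
    return int(m.group()) if m else None


def audit_includedir(names):
    """Apply the #includedir rules to a list of file names.

    Returns (parsed, skipped, surprises):
      parsed    - names sudo would read, in parse order
      skipped   - names ignored because they end in '~' or contain '.'
      surprises - (earlier, later) pairs whose numeric prefixes run
                  backwards, i.e. lexical order disagrees with the numbers
    """
    names = list(names)
    parsed = sorted(n for n in names if not n.endswith("~") and "." not in n)
    skipped = sorted(n for n in names if n not in parsed)
    numbered = [n for n in parsed if leading_number(n) is not None]
    surprises = [(a, b) for a, b in zip(numbered, numbered[1:])
                 if leading_number(a) > leading_number(b)]
    return parsed, skipped, surprises


def audit_directory(path="/etc/sudoers.d"):
    """Run the audit against a real directory (needs read permission)."""
    return audit_includedir(os.listdir(path))


if __name__ == "__main__":
    # Constructed listing: the first three names come from the text above,
    # the rest are typical package-manager and editor leftovers.
    listing = ["10_second", "01_first", "1_whoops", "90-local.conf",
               "sudoers.rpmnew", "20_ops~", "README"]
    parsed, skipped, surprises = audit_includedir(listing)
    print("parse order:", parsed)
    print("never read :", skipped)
    for earlier, later in surprises:
        print("order check: %s is parsed before %s" % (earlier, later))
```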
        !           584: 
        !           585:        Note that unlike files included via #include, visudo will not edit the
        !           586:        files in a #includedir directory unless one of them contains a syntax
        !           587:        error.  It is still possible to run visudo with the -f flag to edit the
        !           588:        files directly.
        !           589: 
        !           590:    Other special characters and reserved words
        !           591:        The pound sign ('#') is used to indicate a comment (unless it is part
        !           592:        of a #include directive or unless it occurs in the context of a user
        !           593:        name and is followed by one or more digits, in which case it is treated
        !           594:        as a uid).  Both the comment character and any text after it, up to the
        !           595:        end of the line, are ignored.
        !           596: 
        !           597:        The reserved word ALL is a built-in alias that always causes a match to
        !           598:        succeed.  It can be used wherever one might otherwise use a Cmnd_Alias,
        !           599:        User_Alias, Runas_Alias, or Host_Alias.  You should not try to define
        !           600:        your own alias called ALL as the built-in alias will be used in
        !           601:        preference to your own.  Please note that using ALL can be dangerous
        !           602:        since in a command context, it allows the user to run any command on
        !           603:        the system.
        !           604: 
        !           605:        An exclamation point ('!') can be used as a logical not operator both
        !           606:        in an alias and in front of a Cmnd.  This allows one to exclude certain
        !           607:        values.  Note, however, that using a ! in conjunction with the built-in
        !           608:        ALL alias to allow a user to run "all but a few" commands rarely works
        !           609:        as intended (see SECURITY NOTES below).
        !           610: 
        !           611:        Long lines can be continued with a backslash ('\') as the last
        !           612:        character on the line.
        !           613: 
        !           614:        Whitespace between elements in a list as well as special syntactic
        !           615:        characters in a User Specification ('=', ':', '(', ')') is optional.
        !           616: 
        !           617:        The following characters must be escaped with a backslash ('\') when
        !           618:        used as part of a word (e.g. a user name or host name): '!', '=', ':',
        !           619:        ',', '(', ')', '\'.
        !           620: 
        !           621: SUDOERS OPTIONS
        !           622:        sudo's behavior can be modified by Default_Entry lines, as explained
        !           623:        earlier.  All supported Defaults parameters, grouped by type, are
        !           624:        listed below.
        !           625: 
        !           626:        Boolean Flags:
        !           627: 
        !           628:        always_set_home If enabled, sudo will set the HOME environment variable
        !           629:                        to the home directory of the target user (which is root
        !           630:                        unless the -u option is used).  This effectively means
        !           631:                        that the -H option is always implied.  Note that HOME
        !           632:                        is already set when the env_reset option is
        !           633:                        enabled, so always_set_home is only effective for
        !           634:                        configurations where either env_reset is disabled or
        !           635:                        HOME is present in the env_keep list.  This flag is off
        !           636:                        by default.
        !           637: 
        !           638:        authenticate    If set, users must authenticate themselves via a
        !           639:                        password (or other means of authentication) before they
        !           640:                        may run commands.  This default may be overridden via
        !           641:                        the PASSWD and NOPASSWD tags.  This flag is on by
        !           642:                        default.
        !           643: 
        !           644:        closefrom_override
        !           645:                        If set, the user may use sudo's -C option which
        !           646:                        overrides the default starting point at which sudo
        !           647:                        begins closing open file descriptors.  This flag is off
        !           648:                        by default.
        !           649: 
        !           650:        compress_io     If set, and sudo is configured to log a command's input
        !           651:                        or output, the I/O logs will be compressed using zlib.
        !           652:                        This flag is on by default when sudo is compiled with
        !           653:                        zlib support.
        !           654: 
        !           655:        env_editor      If set, visudo will use the value of the EDITOR or
        !           656:                        VISUAL environment variables before falling back on the
        !           657:                        default editor list.  Note that this may create a
        !           658:                        security hole as it allows the user to run any
        !           659:                        arbitrary command as root without logging.  A safer
        !           660:                        alternative is to place a colon-separated list of
        !           661:                        editors in the editor variable.  visudo will then only
        !           662:                        use the EDITOR or VISUAL if they match a value
        !           663:                        specified in editor.  This flag is off by default.
        !           664: 
        !           665:        env_reset       If set, sudo will reset the environment to only contain
        !           666:                        the LOGNAME, MAIL, SHELL, USER, USERNAME and the SUDO_*
        !           667:                        variables.  Any variables in the caller's environment
        !           668:                        that match the env_keep and env_check lists are then
        !           669:                        added.  The default contents of the env_keep and
        !           670:                        env_check lists are displayed when sudo is run by root
        !           671:                        with the -V option.  If the secure_path option is set,
        !           672:                        its value will be used for the PATH environment
        !           673:                        variable.  This flag is on by default.
        !           674: 
        !           675:        fast_glob       Normally, sudo uses the glob(3) function to do shell-
        !           676:                        style globbing when matching path names.  However,
        !           677:                        since it accesses the file system, glob(3) can take a
        !           678:                        long time to complete for some patterns, especially
        !           679:                        when the pattern references a network file system that
        !           680:                        is mounted on demand (automounted).  The fast_glob
        !           681:                        option causes sudo to use the fnmatch(3) function,
        !           682:                        which does not access the file system to do its
        !           683:                        matching.  The disadvantage of fast_glob is that it is
        !           684:                        unable to match relative path names such as ./ls or
        !           685:                        ../bin/ls.  This has security implications when path
        !           686:                        names that include globbing characters are used with
        !           687:                        the negation operator, '!', as such rules can be
        !           688:                        trivially bypassed.  As such, this option should not be
        !           689:                        used when sudoers contains rules that contain negated
        !           690:                        path names which include globbing characters.  This
        !           691:                        flag is off by default.
        !           692: 
        !           693:        fqdn            Set this flag if you want to put fully qualified host
        !           694:                        names in the sudoers file.  I.e., instead of myhost you
        !           695:                        would use myhost.mydomain.edu.  You may still use the
        !           696:                        short form if you wish (and even mix the two).  Beware
        !           697:                        that turning on fqdn requires sudo to make DNS lookups
        !           698:                        which may make sudo unusable if DNS stops working (for
        !           699:                        example if the machine is not plugged into the
        !           700:                        network).  Also note that you must use the host's
        !           701:                        official name as DNS knows it.  That is, you may not
        !           702:                        use a host alias (CNAME entry) due to performance
        !           703:                        issues and the fact that there is no way to get all
        !           704:                        aliases from DNS.  If your machine's host name (as
        !           705:                        returned by the hostname command) is already fully
        !           706:                        qualified you shouldn't need to set fqdn.  This flag is
        !           707:                        off by default.
        !           708: 
        !           709:        ignore_dot      If set, sudo will ignore '.' or '' (current dir) in the
        !           710:                        PATH environment variable; the PATH itself is not
        !           711:                        modified.  This flag is off by default.
        !           712: 
        !           713:        ignore_local_sudoers
        !           714:                        If set via LDAP, parsing of /etc/sudoers will be
        !           715:                        skipped.  This is intended for Enterprises that wish to
        !           716:                        prevent the usage of local sudoers files so that only
        !           717:                        LDAP is used.  This thwarts the efforts of rogue
        !           718:                        operators who would attempt to add roles to
        !           719:                        /etc/sudoers.  When this option is present,
        !           720:                        /etc/sudoers does not even need to exist.  Since this
        !           721:                        option tells sudo how to behave when no specific LDAP
        !           722:                        entries have been matched, this sudoOption is only
        !           723:                        meaningful for the cn=defaults section.  This flag is
        !           724:                        off by default.
        !           725: 
        !           726:        insults         If set, sudo will insult users when they enter an
        !           727:                        incorrect password.  This flag is off by default.
        !           728: 
        !           729:        log_host        If set, the host name will be logged in the (non-
        !           730:                        syslog) sudo log file.  This flag is off by default.
        !           731: 
        !           732:        log_input       If set, sudo will run the command in a pseudo tty and
        !           733:                        log all user input.  If the standard input is not
        !           734:                        connected to the user's tty, due to I/O redirection or
        !           735:                        because the command is part of a pipeline, that input
        !           736:                        is also captured and stored in a separate log file.
        !           737: 
        !           738:                        Input is logged to the directory specified by the
        !           739:                        iolog_dir option (/var/log/sudo-io by default) using a
        !           740:                        unique session ID that is included in the normal sudo
        !           741:                        log line, prefixed with TSID=.  The iolog_file option
        !           742:                        may be used to control the format of the session ID.
        !           743: 
        !           744:                        Note that user input may contain sensitive information
        !           745:                        such as passwords (even if they are not echoed to the
        !           746:                        screen), which will be stored in the log file
        !           747:                        unencrypted.  In most cases, logging the command output
        !           748:                        via log_output is all that is required.
        !           749: 
        !           750:        log_output      If set, sudo will run the command in a pseudo tty and
        !           751:                        log all output that is sent to the screen, similar to
        !           752:                        the script(1) command.  If the standard output or
        !           753:                        standard error is not connected to the user's tty, due
        !           754:                        to I/O redirection or because the command is part of a
        !           755:                        pipeline, that output is also captured and stored in
        !           756:                        separate log files.
        !           757: 
        !           758:                        Output is logged to the directory specified by the
        !           759:                        iolog_dir option (/var/log/sudo-io by default) using a
        !           760:                        unique session ID that is included in the normal sudo
        !           761:                        log line, prefixed with TSID=.  The iolog_file option
        !           762:                        may be used to control the format of the session ID.
        !           763: 
        !           764:                        Output logs may be viewed with the sudoreplay(1m)
        !           765:                        utility, which can also be used to list or search the
        !           766:                        available logs.
        !           767: 
        !           768:        log_year        If set, the four-digit year will be logged in the (non-
        !           769:                        syslog) sudo log file.  This flag is off by default.
        !           770: 
        !           771:        long_otp_prompt When validating with a One Time Password (OTP) scheme
        !           772:                        such as S/Key or OPIE, a two-line prompt is used to
        !           773:                        make it easier to cut and paste the challenge to a
        !           774:                        local window.  It's not as pretty as the default but
        !           775:                        some people find it more convenient.  This flag is off
        !           776:                        by default.
        !           777: 
        !           778:        mail_always     Send mail to the mailto user every time a user runs
        !           779:                        sudo.  This flag is off by default.
        !           780: 
        !           781:        mail_badpass    Send mail to the mailto user if the user running sudo
        !           782:                        does not enter the correct password.  This flag is off
        !           783:                        by default.
        !           784: 
        !           785:        mail_no_host    If set, mail will be sent to the mailto user if the
        !           786:                        invoking user exists in the sudoers file, but is not
        !           787:                        allowed to run commands on the current host.  This flag
        !           788:                        is off by default.
        !           789: 
        !           790:        mail_no_perms   If set, mail will be sent to the mailto user if the
        !           791:                        invoking user is allowed to use sudo but the command
        !           792:                        they are trying is not listed in their sudoers file
        !           793:                        entry or is explicitly denied.  This flag is off by
        !           794:                        default.
        !           795: 
        !           796:        mail_no_user    If set, mail will be sent to the mailto user if the
        !           797:                        invoking user is not in the sudoers file.  This flag is
        !           798:                        on by default.
        !           799: 
        !           800:        noexec          If set, all commands run via sudo will behave as if the
        !           801:                        NOEXEC tag has been set, unless overridden by an EXEC
        !           802:                        tag.  See the description of NOEXEC and EXEC below as
        !           803:                        well as the "PREVENTING SHELL ESCAPES" section at the
        !           804:                        end of this manual.  This flag is off by default.
        !           805: 
        !           806:        path_info       Normally, sudo will tell the user when a command could
        !           807:                        not be found in their PATH environment variable.  Some
        !           808:                        sites may wish to disable this as it could be used to
        !           809:                        gather information on the location of executables that
        !           810:                        the normal user does not have access to.  The
        !           811:                        disadvantage is that if the executable is simply not in
        !           812:                        the user's PATH, sudo will tell the user that they are
        !           813:                        not allowed to run it, which can be confusing.  This
        !           814:                        flag is on by default.
        !           815: 
        !           816:        passprompt_override
        !           817:                        The password prompt specified by passprompt will
        !           818:                        normally only be used if the password prompt provided
        !           819:                        by systems such as PAM matches the string "Password:".
        !           820:                        If passprompt_override is set, passprompt will always
        !           821:                        be used.  This flag is off by default.
        !           822: 
        !           823:        preserve_groups By default, sudo will initialize the group vector to
        !           824:                        the list of groups the target user is in.  When
        !           825:                        preserve_groups is set, the user's existing group
        !           826:                        vector is left unaltered.  The real and effective group
        !           827:                        IDs, however, are still set to match the target user.
        !           828:                        This flag is off by default.
        !           829: 
        !           830:        pwfeedback      By default, sudo reads the password like most other
        !           831:                        Unix programs, by turning off echo until the user hits
        !           832:                        the return (or enter) key.  Some users become confused
        !           833:                        by this as it appears to them that sudo has hung at
        !           834:                        this point.  When pwfeedback is set, sudo will provide
        !           835:                        visual feedback when the user presses a key.  Note that
        !           836:                        this does have a security impact as an onlooker may be
        !           837:                        able to determine the length of the password being
        !           838:                        entered.  This flag is off by default.
        !           839: 
        !           840:        requiretty      If set, sudo will only run when the user is logged in
        !           841:                        to a real tty.  When this flag is set, sudo can only be
        !           842:                        run from a login session and not via other means such
        !           843:                        as cron(1m) or cgi-bin scripts.  This flag is off by
        !           844:                        default.
        !           845: 
        !           846:        root_sudo       If set, root is allowed to run sudo too.  Disabling
        !           847:                        this prevents users from "chaining" sudo commands to
        !           848:                        get a root shell by doing something like "sudo sudo
        !           849:                        /bin/sh".  Note, however, that turning off root_sudo
        !           850:                        will also prevent root from running sudoedit.
        !           851:                        Disabling root_sudo provides no real additional
        !           852:                        security; it exists purely for historical reasons.
        !           853:                        This flag is on by default.
        !           854: 
        !           855:        rootpw          If set, sudo will prompt for the root password instead
        !           856:                        of the password of the invoking user.  This flag is off
        !           857:                        by default.
        !           858: 
        !           859:        runaspw         If set, sudo will prompt for the password of the user
        !           860:                        defined by the runas_default option (defaults to root)
        !           861:                        instead of the password of the invoking user.  This
        !           862:                        flag is off by default.
        !           863: 
        !           864:        set_home        If enabled and sudo is invoked with the -s option the
        !           865:                        HOME environment variable will be set to the home
        !           866:                        directory of the target user (which is root unless the
        !           867:                        -u option is used).  This effectively makes the -s
        !           868:                        option imply -H.  Note that HOME is already set when
        !           869:                        the env_reset option is enabled, so set_home is
        !           870:                        only effective for configurations where either
        !           871:                        env_reset is disabled or HOME is present in the
        !           872:                        env_keep list.  This flag is off by default.
        !           873: 
        !           874:        set_logname     Normally, sudo will set the LOGNAME, USER and USERNAME
        !           875:                        environment variables to the name of the target user
        !           876:                        (usually root unless the -u option is given).  However,
        !           877:                        since some programs (including the RCS revision control
        !           878:                        system) use LOGNAME to determine the real identity of
        !           879:                        the user, it may be desirable to change this behavior.
        !           880:                        This can be done by negating the set_logname option.
        !           881:                        Note that if the env_reset option has not been
        !           882:                        disabled, entries in the env_keep list will override
        !           883:                        the value of set_logname.  This flag is on by default.
        !           884: 
        !           885:        set_utmp        When enabled, sudo will create an entry in the utmp (or
        !           886:                        utmpx) file when a pseudo-tty is allocated.  A pseudo-
        !           887:                        tty is allocated by sudo when the log_input, log_output
        !           888:                        or use_pty flags are enabled.  By default, the new
        !           889:                        entry will be a copy of the user's existing utmp entry
        !           890:                        (if any), with the tty, time, type and pid fields
        !           891:                        updated.  This flag is on by default.
        !           892: 
        !           893:        setenv          Allow the user to disable the env_reset option from the
        !           894:                        command line via the -E option.  Additionally,
        !           895:                        environment variables set via the command line are not
        !           896:                        subject to the restrictions imposed by env_check,
        !           897:                        env_delete, or env_keep.  As such, only trusted users
        !           898:                        should be allowed to set variables in this manner.
        !           899:                        This flag is off by default.
        !           900: 
        !           901:        shell_noargs    If set and sudo is invoked with no arguments it acts as
        !           902:                        if the -s option had been given.  That is, it runs a
        !           903:                        shell as root (the shell is determined by the SHELL
        !           904:                        environment variable if it is set, falling back on the
        !           905:                        shell listed in the invoking user's /etc/passwd entry
        !           906:                        if not).  This flag is off by default.
        !           907: 
        !           908:        stay_setuid     Normally, when sudo executes a command the real and
        !           909:                        effective UIDs are set to the target user (root by
        !           910:                        default).  This option changes that behavior such that
        !           911:                        the real UID is left as the invoking user's UID.  In
        !           912:                        other words, this makes sudo act as a setuid wrapper.
        !           913:                        This can be useful on systems that disable some
        !           914:                        potentially dangerous functionality when a program is
        !           915:                        run setuid.  This option is only effective on systems
        !           916:                        with either the setreuid() or setresuid() function.
        !           917:                        This flag is off by default.
        !           918: 
        !           919:        targetpw        If set, sudo will prompt for the password of the user
        !           920:                        specified by the -u option (defaults to root) instead
        !           921:                        of the password of the invoking user.  In addition, the
        !           922:                        timestamp file name will include the target user's
        !           923:                        name.  Note that this flag precludes the use of a uid
        !           924:                        not listed in the passwd database as an argument to the
        !           925:                        -u option.  This flag is off by default.
        !           926: 
        !           927:        tty_tickets     If set, users must authenticate on a per-tty basis.
        !           928:                        With this flag enabled, sudo will use a file named for
        !           929:                        the tty the user is logged in on in the user's time
        !           930:                        stamp directory.  If disabled, the time stamp of the
        !           931:                        directory is used instead.  This flag is on by default.
        !           932: 
        !           933:        umask_override  If set, sudo will set the umask as specified by sudoers
        !           934:                        without modification.  This makes it possible to
        !           935:                        specify a more permissive umask in sudoers than the
        !           936:                        user's own umask and matches historical behavior.  If
        !           937:                        umask_override is not set, sudo will set the umask to
        !           938:                        be the union of the user's umask and what is specified
        !           939:                        in sudoers.  This flag is off by default.
        !           940: 
        !           941:        use_loginclass  If set, sudo will apply the defaults specified for the
        !           942:                        target user's login class if one exists.  Only
        !           943:                        available if sudo is configured with the
        !           944:                        --with-logincap option.  This flag is off by default.
        !           945: 
        !           946:        use_pty         If set, sudo will run the command in a pseudo-pty even
        !           947:                        if no I/O logging is being done.  A malicious program
        !           948:                        run under sudo could conceivably fork a background
        !           949:                        process that retains access to the user's terminal device
        !           950:                        after the main program has finished executing.  Use of
        !           951:                        this option will make that impossible.  This flag is
        !           952:                        off by default.
        !           953: 
        !           954:        utmp_runas      If set, sudo will store the name of the runas user when
        !           955:                        updating the utmp (or utmpx) file.  By default, sudo
        !           956:                        stores the name of the invoking user.  This flag is off
        !           957:                        by default.
        !           958: 
        !           959:        visiblepw       By default, sudo will refuse to run if the user must
        !           960:                        enter a password but it is not possible to disable echo
        !           961:                        on the terminal.  If the visiblepw flag is set, sudo
        !           962:                        will prompt for a password even when it would be
        !           963:                        visible on the screen.  This makes it possible to run
        !           964:                        things like "rsh somehost sudo ls" since rsh(1) does
        !           965:                        not allocate a tty.  This flag is off by default.
        !           966: 
        !           967:        Integers:
        !           968: 
        !           969:        closefrom       Before it executes a command, sudo will close all open
        !           970:                        file descriptors other than standard input, standard
        !           971:                        output and standard error (ie: file descriptors 0-2).
        !           972:                        The closefrom option can be used to specify a different
        !           973:                        file descriptor at which to start closing.  The default
        !           974:                        is 3.
        !           975: 
        !           976:        passwd_tries    The number of tries a user gets to enter his/her
        !           977:                        password before sudo logs the failure and exits.  The
        !           978:                        default is 3.
        !           979: 
        !           980:        Integers that can be used in a boolean context:
        !           981: 
        !           982:        loglinelen      Number of characters per line for the file log.  This
        !           983:                        value is used to decide when to wrap lines for nicer
        !           984:                        log files.  This has no effect on the syslog log file,
        !           985:                        only the file log.  The default is 80 (use 0 or negate
        !           986:                        the option to disable word wrap).
        !           987: 
        !           988:        passwd_timeout  Number of minutes before the sudo password prompt times
        !           989:                        out, or 0 for no timeout.  The timeout may include a
        !           990:                        fractional component if minute granularity is
        !           991:                        insufficient, for example 2.5.  The default is 5.
        !           992: 
        !           993:        timestamp_timeout
        !           994:                        Number of minutes that can elapse before sudo will ask
        !           995:                        for a password again.  The timeout may include a
        !           996:                        fractional component if minute granularity is
        !           997:                        insufficient, for example 2.5.  The default is 5.  Set
        !           998:                        this to 0 to always prompt for a password.  If set to a
        !           999:                        value less than 0 the user's timestamp will never
        !          1000:                        expire.  This can be used to allow users to create or
        !          1001:                        delete their own timestamps via sudo -v and sudo -k
        !          1002:                        respectively.
        !          1003: 
        !          1004:        umask           Umask to use when running the command.  Negate this
        !          1005:                        option or set it to 0777 to preserve the user's umask.
        !          1006:                        The actual umask that is used will be the union of the
        !          1007:                        user's umask and the value of the umask option, which
        !          1008:                        defaults to 0022.  This guarantees that sudo never
        !          1009:                        lowers the umask when running a command.  Note that on
        !          1010:                        systems that use PAM, the default PAM configuration may
        !          1011:                        specify its own umask which will override the value set
        !          1012:                        in sudoers.
        !          1013: 
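An added example, not part of the sudoers manual or the sudo source: a small Python auditor that overlays Defaults lines on the defaults documented above and reports the settings this section describes as weakening authentication or terminal handling. The parsing is deliberately simplified (no includes or aliases), scoped Defaults lines are judged only on what they set explicitly, and the sample policy is constructed.

```python
import re

# Defaults as documented in this section of the manual.
DOCUMENTED_DEFAULTS = {
    "pwfeedback": False, "visiblepw": False, "setenv": False,
    "tty_tickets": True, "use_pty": False,
    "timestamp_timeout": 5.0, "exempt_group": None,
}

# Split on commas that are not inside double quotes.
_ITEM_SPLIT = re.compile(r',(?=(?:[^"]*"[^"]*")*[^"]*$)')
# "Defaults", optionally followed by a scope such as :user, @host, >runas, !cmnd.
_DEFAULTS_LINE = re.compile(r'^Defaults([:@>!]\S+)?\s+(.*)$')


def parse_defaults(text):
    """Return {scope: {option: value}}; scope "" means an unscoped line."""
    text = re.sub(r'\\\n', '', text)          # join backslash-continued lines
    scopes = {}
    for raw in text.splitlines():
        m = _DEFAULTS_LINE.match(raw.strip())
        if not m:
            continue                           # comments, user specs, aliases
        settings = scopes.setdefault(m.group(1) or "", {})
        for item in _ITEM_SPLIT.split(m.group(2)):
            item = item.strip()
            if not item:
                continue
            if "=" in item:                    # name=value, name+=value, name-=value
                name, value = item.split("=", 1)
                settings[name.rstrip("+-").strip()] = value.strip().strip('"')
            elif item.startswith("!"):         # negated flag
                settings[item[1:].strip()] = False
            else:                              # bare flag
                settings[item] = True
    return scopes


def _negative(value):
    try:
        return value is not None and float(value) < 0
    except ValueError:
        return False


# (option, predicate on its value, consequence as described in the manual text)
CHECKS = [
    ("pwfeedback", lambda v: v is True,
     "an onlooker may determine the length of the password"),
    ("visiblepw", lambda v: v is True,
     "the password may be visible on the screen"),
    ("setenv", lambda v: v is True,
     "command-line variables bypass env_check, env_delete and env_keep"),
    ("tty_tickets", lambda v: v is False,
     "authentication is no longer per-tty"),
    ("use_pty", lambda v: v is False,
     "a background process could retain the user's terminal device"),
    ("timestamp_timeout", _negative,
     "the user's timestamp never expires"),
    ("exempt_group", lambda v: isinstance(v, str) and v != "",
     "group members are exempt from password and PATH requirements"),
]


def audit(text):
    """Return a sorted list of (scope, option, reason) findings."""
    scopes = parse_defaults(text)
    # Global view: documented defaults overlaid with unscoped Defaults lines.
    views = {"": {**DOCUMENTED_DEFAULTS, **scopes.pop("", {})}}
    # Scoped lines are judged only on the options they set themselves.
    views.update(scopes)
    findings = []
    for scope, settings in views.items():
        for option, is_risky, reason in CHECKS:
            if is_risky(settings.get(option)):
                findings.append((scope, option, reason))
    return sorted(findings)


# Constructed sample policy, not taken from a real host.
SAMPLE = '''\
# constructed sample
Defaults env_reset, pwfeedback, timestamp_timeout=-1
Defaults !tty_tickets, \\
         passprompt="[sudo] %u@%h, password: "
Defaults:deploy setenv, !use_pty
Defaults exempt_group=ops
alice ALL=(ALL) ALL
'''

if __name__ == "__main__":
    for scope, option, reason in audit(SAMPLE):
        print(f"Defaults{scope or ' (global)'}: {option}: {reason}")
```
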
        !          1014:        Strings:
        !          1015: 
        !          1016:        badpass_message Message that is displayed if a user enters an incorrect
        !          1017:                        password.  The default is "Sorry, try again." unless
        !          1018:                        insults are enabled.
        !          1019: 
        !          1020:        editor          A colon (':') separated list of editors allowed to be
        !          1021:                        used with visudo.  visudo will choose the editor that
        !          1022:                        matches the user's EDITOR environment variable if
        !          1023:                        possible, or the first editor in the list that exists
        !          1024:                        and is executable.  The default is "vi".
        !          1025: 
        !          1026:        iolog_dir       The top-level directory to use when constructing the
        !          1027:                        path name for the input/output log directory.  Only
        !          1028:                        used if the log_input or log_output options are enabled
        !          1029:                        or when the LOG_INPUT or LOG_OUTPUT tags are present
        !          1030:                        for a command.  The session sequence number, if any, is
        !          1031:                        stored in the directory.  The default is
        !          1032:                        "/var/log/sudo-io".
        !          1033: 
        !          1034:                        The following percent (`%') escape sequences are
        !          1035:                        supported:
        !          1036: 
        !          1037:                        %{seq}
        !          1038:                            expanded to a monotonically increasing base-36
        !          1039:                            sequence number, such as 0100A5, where every two
        !          1040:                            digits are used to form a new directory, e.g.
        !          1041:                            01/00/A5
        !          1042: 
        !          1043:                        %{user}
        !          1044:                            expanded to the invoking user's login name
        !          1045: 
        !          1046:                        %{group}
        !          1047:                            expanded to the name of the invoking user's real
        !          1048:                            group ID
        !          1049: 
        !          1050:                        %{runas_user}
        !          1051:                            expanded to the login name of the user the command
        !          1052:                            will be run as (e.g. root)
        !          1053: 
        !          1054:                        %{runas_group}
        !          1055:                            expanded to the group name of the user the command
        !          1056:                            will be run as (e.g. wheel)
        !          1057: 
        !          1058:                        %{hostname}
        !          1059:                            expanded to the local host name without the domain
        !          1060:                            name
        !          1061: 
        !          1062:                        %{command}
        !          1063:                            expanded to the base name of the command being run
        !          1064: 
        !          1065:                        In addition, any escape sequences supported by the
        !          1066:                        system's strftime() function will be expanded.
        !          1067: 
        !          1068:                        To include a literal `%' character, the string `%%'
        !          1069:                        should be used.
        !          1070: 
        !          1071:        iolog_file      The path name, relative to iolog_dir, in which to store
        !          1072:                        input/output logs when the log_input or log_output
        !          1073:                        options are enabled or when the LOG_INPUT or LOG_OUTPUT
        !          1074:                        tags are present for a command.  Note that iolog_file
        !          1075:                        may contain directory components.  The default is
        !          1076:                        "%{seq}".
        !          1077: 
        !          1078:                        See the iolog_dir option above for a list of supported
        !          1079:                        percent (`%') escape sequences.
        !          1080: 
        !          1081:                        In addition to the escape sequences, path names that
        !          1082:                        end in six or more Xs will have the Xs replaced with a
        !          1083:                        unique combination of digits and letters, similar to
        !          1084:                        the mktemp() function.
        !          1085: 
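An added example, not sudo's own code: a Python expander for the iolog_dir and iolog_file escapes listed above, useful for working out where the I/O log of a given session should be on disk. The `fields` dictionary, the function names, and the choice to reject unknown `%{...}` escapes or sequence numbers beyond six base-36 digits are assumptions of this example; the trailing-X substitution is not modelled, and the sample values are constructed.

```python
import re
import time

_B36 = "0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ"
# "%%" first, then "%{name}", then any single-character (strftime) escape.
_TOKEN = re.compile(r'%%|%\{([^}]*)\}|%(.)', re.S)
_PLAIN = ("user", "group", "runas_user", "runas_group")


def seq_to_path(seq):
    """Six base-36 digits, every two digits forming one directory level."""
    if not 0 <= seq < 36 ** 6:
        raise ValueError("sequence number does not fit in six base-36 digits")
    digits = ""
    for _ in range(6):
        seq, rem = divmod(seq, 36)
        digits = _B36[rem] + digits
    return "/".join(digits[i:i + 2] for i in (0, 2, 4))


def expand_iolog_path(template, fields, when):
    """Expand the percent escapes in one iolog_dir or iolog_file value.

    fields: seq (int), user, group, runas_user, runas_group, hostname, command
    when:   time.struct_time used for the strftime() escapes
    """
    def repl(m):
        token = m.group(0)
        if token == "%%":
            return "%"                                   # literal percent sign
        name = m.group(1)
        if name is not None:
            if name == "seq":
                return seq_to_path(fields["seq"])
            if name == "hostname":
                return fields["hostname"].split(".", 1)[0]   # no domain name
            if name == "command":
                return fields["command"].rsplit("/", 1)[-1]  # base name only
            if name in _PLAIN:
                return fields[name]
            raise ValueError("unsupported escape: " + token)
        if m.group(2) == "{":
            raise ValueError("unterminated %{...} escape")
        return time.strftime(token, when)                # e.g. %Y, %m, %d
    return _TOKEN.sub(repl, template)


def iolog_path(iolog_dir, iolog_file, fields, when):
    """Join the expanded iolog_dir and the iolog_file relative to it."""
    directory = expand_iolog_path(iolog_dir, fields, when)
    relative = expand_iolog_path(iolog_file, fields, when)
    return directory.rstrip("/") + "/" + relative


# Constructed sample session; 1679981 is 0100A5 in base 36.
SAMPLE_FIELDS = {
    "seq": 1679981, "user": "alice", "group": "staff",
    "runas_user": "root", "runas_group": "wheel",
    "hostname": "web01.example.com", "command": "/usr/bin/id",
}
SAMPLE_WHEN = time.gmtime(0)   # 1970-01-01, fixed so the output is repeatable

if __name__ == "__main__":
    # The documented defaults for iolog_dir and iolog_file.
    print(iolog_path("/var/log/sudo-io", "%{seq}", SAMPLE_FIELDS, SAMPLE_WHEN))
    print(iolog_path("/var/log/sudo-io/%{hostname}/%Y%m%d",
                     "%{user}/%{command}-100%%", SAMPLE_FIELDS, SAMPLE_WHEN))
```
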
        !          1086:        mailsub         Subject of the mail sent to the mailto user.  The escape
        !          1087:                        %h will expand to the host name of the machine.
        !          1088:                        Default is "*** SECURITY information for %h ***".
        !          1089: 
        !          1090:        noexec_file     This option is deprecated and will be removed in a
        !          1091:                        future release of sudo.  The path to the noexec file
        !          1092:                        should now be set in the /etc/sudo.conf file.
        !          1093: 
        !          1094:        passprompt      The default prompt to use when asking for a password;
        !          1095:                        can be overridden via the -p option or the SUDO_PROMPT
        !          1096:                        environment variable.  The following percent (`%')
        !          1097:                        escape sequences are supported:
        !          1098: 
        !          1099:                        %H  expanded to the local host name including the
        !          1100:                            domain name (only if the machine's host name is
        !          1101:                            fully qualified or the fqdn option is set)
        !          1102: 
        !          1103:                        %h  expanded to the local host name without the domain
        !          1104:                            name
        !          1105: 
        !          1106:                        %p  expanded to the user whose password is being asked
        !          1107:                            for (respects the rootpw, targetpw and runaspw
        !          1108:                            flags in sudoers)
        !          1109: 
        !          1110:                        %U  expanded to the login name of the user the command
        !          1111:                            will be run as (defaults to root)
        !          1112: 
        !          1113:                        %u  expanded to the invoking user's login name
        !          1114: 
        !          1115:                        %%  two consecutive % characters are collapsed into a
        !          1116:                            single % character
        !          1117: 
        !          1118:                        The default value is "Password:".
        !          1119: 
        !          1120:        role            The default SELinux role to use when constructing a new
        !          1121:                        security context to run the command.  The default role
        !          1122:                        may be overridden on a per-command basis in sudoers or
        !          1123:                        via command line options.  This option is only
        !          1124:                        available when sudo is built with SELinux support.
        !          1125: 
        !          1126:        runas_default   The default user to run commands as if the -u option is
        !          1127:                        not specified on the command line.  This defaults to
        !          1128:                        root.
        !          1129: 
        !          1130:        syslog_badpri   Syslog priority to use when user authenticates
        !          1131:                        unsuccessfully.  Defaults to alert.
        !          1132: 
        !          1133:                        The following syslog priorities are supported: alert,
        !          1134:                        crit, debug, emerg, err, info, notice, and warning.
        !          1135: 
        !          1136:        syslog_goodpri  Syslog priority to use when user authenticates
        !          1137:                        successfully.  Defaults to notice.
        !          1138: 
        !          1139:                        See syslog_badpri for the list of supported syslog
        !          1140:                        priorities.
        !          1141: 
        !          1142:        sudoers_locale  Locale to use when parsing the sudoers file, logging
        !          1143:                        commands, and sending email.  Note that changing the
        !          1144:                        locale may affect how sudoers is interpreted.  Defaults
        !          1145:                        to "C".
        !          1146: 
        !          1147:        timestampdir    The directory in which sudo stores its timestamp files.
        !          1148:                        The default is /var/adm/sudo.
        !          1149: 
        !          1150:        timestampowner  The owner of the timestamp directory and the timestamps
        !          1151:                        stored therein.  The default is root.
        !          1152: 
        !          1153:        type            The default SELinux type to use when constructing a new
        !          1154:                        security context to run the command.  The default type
        !          1155:                        may be overridden on a per-command basis in sudoers or
        !          1156:                        via command line options.  This option is only
        !          1157:                        available when sudo is built with SELinux support.
        !          1158: 
        !          1159:        Strings that can be used in a boolean context:
        !          1160: 
        !          1161:        env_file    The env_file option specifies the fully qualified path to
        !          1162:                    a file containing variables to be set in the environment of
        !          1163:                    the program being run.  Entries in this file should either
        !          1164:                    be of the form VARIABLE=value or export VARIABLE=value.
        !          1165:                    The value may optionally be surrounded by single or double
        !          1166:                    quotes.  Variables in this file are subject to other sudo
        !          1167:                    environment settings such as env_keep and env_check.
        !          1168: 
        !          1169:        exempt_group
        !          1170:                    Users in this group are exempt from password and PATH
        !          1171:                    requirements.  The group name specified should not include
        !          1172:                    a % prefix.  This is not set by default.
        !          1173: 
        !          1174:        group_plugin
        !          1175:                    A string containing a sudoers group plugin with optional
        !          1176:                    arguments.  This can be used to implement support for the
        !          1177:                    nonunix_group syntax described earlier.  The string should
        !          1178:                    consist of the plugin path, either fully-qualified or
        !          1179:                    relative to the /usr/local/libexec directory, followed by
        !          1180:                    any configuration arguments the plugin requires.  These
        !          1181:                    arguments (if any) will be passed to the plugin's
        !          1182:                    initialization function.  If arguments are present, the
        !          1183:                    string must be enclosed in double quotes (").
        !          1184: 
        !          1185:                    For example, given /etc/sudo-group, a group file in Unix
        !          1186:                    group format, the sample group plugin can be used:
        !          1187: 
        !          1188:                        Defaults group_plugin="sample_group.so /etc/sudo-group"
        !          1189: 
        !          1190:                    For more information see sudo_plugin(4).
        !          1191: 
        !          1192:        lecture     This option controls when a short lecture will be printed
        !          1193:                    along with the password prompt.  It has the following
        !          1194:                    possible values:
        !          1195: 
        !          1196:                    always  Always lecture the user.
        !          1197: 
        !          1198:                    never   Never lecture the user.
        !          1199: 
        !          1200:                    once    Only lecture the user the first time they run sudo.
        !          1201: 
        !          1202:                    If no value is specified, a value of _o_n_c_e is implied.
        !          1203:                    Negating the option results in a value of _n_e_v_e_r being used.
        !          1204:                    The default value is _o_n_c_e.
        !          1205: 
        !          1206:        lecture_file
        !          1207:                    Path to a file containing an alternate sudo lecture that
        !          1208:                    will be used in place of the standard lecture if the named
        !          1209:                    file exists.  By default, sudo uses a built-in lecture.
        !          1210: 
        !          1211:        listpw      This option controls when a password will be required when
        !          1212:                    a user runs sudo with the -l option.  It has the following
        !          1213:                    possible values:
        !          1214: 
        !          1215:                    all     All the user's sudoers entries for the current host
        !          1216:                            must have the NOPASSWD flag set to avoid entering a
        !          1217:                            password.
        !          1218: 
        !          1219:                    always  The user must always enter a password to use the -l
        !          1220:                            option.
        !          1221: 
        !          1222:                    any     At least one of the user's sudoers entries for the
        !          1223:                            current host must have the NOPASSWD flag set to
        !          1224:                            avoid entering a password.
        !          1225: 
        !          1226:                    never   The user need never enter a password to use the -l
        !          1227:                            option.
        !          1228: 
        !          1229:                    If no value is specified, a value of any is implied.
        !          1230:                    Negating the option results in a value of never being used.
        !          1231:                    The default value is any.
        !          1232: 
        !          1233:        logfile     Path to the sudo log file (not the syslog log file).
        !          1234:                    Setting a path turns on logging to a file; negating this
        !          1235:                    option turns it off.  By default, sudo logs via syslog.
        !          1236: 
        !          1237:        mailerflags Flags to use when invoking mailer. Defaults to -t.
        !          1238: 
        !          1239:        mailerpath  Path to mail program used to send warning mail.  Defaults
        !          1240:                    to the path to sendmail found at configure time.
        !          1241: 
        !          1242:        mailfrom    Address to use for the "from" address when sending warning
        !          1243:                    and error mail.  The address should be enclosed in double
        !          1244:                    quotes (") to protect against sudo interpreting the @ sign.
        !          1245:                    Defaults to the name of the user running sudo.
        !          1246: 
        !          1247:        mailto      Address to send warning and error mail to.  The address
        !          1248:                    should be enclosed in double quotes (") to protect against
        !          1249:                    sudo interpreting the @ sign.  Defaults to root.
        !          1250: 
        !          1251:        secure_path Path used for every command run from sudo.  If you don't
        !          1252:                    trust the people running sudo to have a sane PATH
        !          1253:                    environment variable you may want to use this.  Another use
        !          1254:                    is if you want to have the "root path" be separate from the
        !          1255:                    "user path."  Users in the group specified by the
        !          1256:                    exempt_group option are not affected by secure_path.  This
        !          1257:                    option is not set by default.
        !          1258: 
        !          1259:        syslog      Syslog facility if syslog is being used for logging (negate
        !          1260:                    to disable syslog logging).  Defaults to auth.
        !          1261: 
        !          1262:                    The following syslog facilities are supported: authpriv (if
        !          1263:                    your OS supports it), auth, daemon, user, local0, local1,
        !          1264:                    local2, local3, local4, local5, local6, and local7.
        !          1265: 
        !          1266:        verifypw    This option controls when a password will be required when
        !          1267:                    a user runs sudo with the -v option.  It has the following
        !          1268:                    possible values:
        !          1269: 
        !          1270:                    all     All the user's sudoers entries for the current host
        !          1271:                            must have the NOPASSWD flag set to avoid entering a
        !          1272:                            password.
        !          1273: 
        !          1274:                    always  The user must always enter a password to use the -v
        !          1275:                            option.
        !          1276: 
        !          1277:                    any     At least one of the user's sudoers entries for the
        !          1278:                            current host must have the NOPASSWD flag set to
        !          1279:                            avoid entering a password.
        !          1280: 
        !          1281:                    never   The user need never enter a password to use the -v
        !          1282:                            option.
        !          1283: 
        !          1284:                    If no value is specified, a value of all is implied.
        !          1285:                    Negating the option results in a value of never being used.
        !          1286:                    The default value is all.
        !          1287: 
        !          1288:        Lists that can be used in a boolean context:
        !          1289: 
        !          1290:        env_check       Environment variables to be removed from the user's
        !          1291:                        environment if the variable's value contains % or /
        !          1292:                        characters.  This can be used to guard against printf-
        !          1293:                        style format vulnerabilities in poorly-written
        !          1294:                        programs.  The argument may be a double-quoted, space-
        !          1295:                        separated list or a single value without double-quotes.
        !          1296:                        The list can be replaced, added to, deleted from, or
        !          1297:                        disabled by using the =, +=, -=, and ! operators
        !          1298:                        respectively.  Regardless of whether the env_reset
        !          1299:                        option is enabled or disabled, variables specified by
        !          1300:                        env_check will be preserved in the environment if they
        !          1301:                        pass the aforementioned check.  The default list of
        !          1302:                        environment variables to check is displayed when sudo
        !          1303:                        is run by root with the -V option.
        !          1304: 
        !          1305:        env_delete      Environment variables to be removed from the user's
        !          1306:                        environment when the env_reset option is not in effect.
        !          1307:                        The argument may be a double-quoted, space-separated
        !          1308:                        list or a single value without double-quotes.  The list
        !          1309:                        can be replaced, added to, deleted from, or disabled by
        !          1310:                        using the =, +=, -=, and ! operators respectively.  The
        !          1311:                        default list of environment variables to remove is
        !          1312:                        displayed when sudo is run by root with the -V option.
        !          1313:                        Note that many operating systems will remove
        !          1314:                        potentially dangerous variables from the environment of
        !          1315:                        any setuid process (such as sudo).
        !          1316: 
        !          1317:        env_keep        Environment variables to be preserved in the user's
        !          1318:                        environment when the env_reset option is in effect.
        !          1319:                        This allows fine-grained control over the environment
        !          1320:                        sudo-spawned processes will receive.  The argument may
        !          1321:                        be a double-quoted, space-separated list or a single
        !          1322:                        value without double-quotes.  The list can be replaced,
        !          1323:                        added to, deleted from, or disabled by using the =, +=,
        !          1324:                        -=, and ! operators respectively.  The default list of
        !          1325:                        variables to keep is displayed when sudo is run by root
        !          1326:                        with the -V option.
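
The interaction of env_check, env_delete and env_keep with env_reset, as an added example (a simplified model, not sudo's own code). The struct, the function names, the sample lists and the order in which env_delete and env_check are consulted are assumptions of this example.

```c
#include <stdio.h>
#include <string.h>

/* Simplified model of the three lists described above; not sudo's code. */
struct env_policy {
    int env_reset;             /* 1 when env_reset is in effect */
    const char *const *check;  /* env_check names, NULL-terminated */
    const char *const *del;    /* env_delete names */
    const char *const *keep;   /* env_keep names */
};

static int in_list(const char *const *list, const char *name, size_t len)
{
    for (; list != NULL && *list != NULL; list++)
        if (strlen(*list) == len && strncmp(*list, name, len) == 0)
            return 1;
    return 0;
}

/* Returns 1 if the "NAME=value" entry reaches the command's environment. */
int env_entry_survives(const struct env_policy *p, const char *entry)
{
    const char *eq = strchr(entry, '=');
    if (eq == NULL || eq == entry)
        return 0;                        /* malformed entry: drop it */
    size_t len = (size_t)(eq - entry);

    /* Assumption of this model: env_delete is consulted before env_check. */
    if (!p->env_reset && in_list(p->del, entry, len))
        return 0;
    /* env_check applies in both modes: a value with % or / is removed. */
    if (in_list(p->check, entry, len))
        return strpbrk(eq + 1, "%/") == NULL;
    /* env_reset keeps only env_keep names; without it the rest passes. */
    return p->env_reset ? in_list(p->keep, entry, len) : 1;
}

/* Copies surviving entries into out (capacity cap, NULL-terminated). */
size_t filter_env(const struct env_policy *p, const char *const *envp,
                  const char **out, size_t cap)
{
    size_t n = 0;
    if (cap == 0)
        return 0;
    for (; *envp != NULL; envp++)
        if (n + 1 < cap && env_entry_survives(p, *envp))
            out[n++] = *envp;
    out[n] = NULL;
    return n;
}

/* Constructed sample policy and environment (not sudo's default lists). */
static const char *const SAMPLE_CHECK[]  = { "TERM", "LANG", NULL };
static const char *const SAMPLE_DELETE[] = { "IFS", "LD_PRELOAD", NULL };
static const char *const SAMPLE_KEEP[]   = { "DISPLAY", "HOME", NULL };
static const char *const SAMPLE_ENV[] = {
    "TERM=xterm", "LANG=%n%n%n", "DISPLAY=:0", "HOME=/home/jack",
    "LD_PRELOAD=/tmp/x.so", "EDITOR=vi", NULL
};

static struct env_policy sample_policy(int env_reset)
{
    struct env_policy p = { env_reset, SAMPLE_CHECK, SAMPLE_DELETE, SAMPLE_KEEP };
    return p;
}

int sample_survives(int env_reset, const char *entry)
{
    struct env_policy p = sample_policy(env_reset);
    return env_entry_survives(&p, entry);
}

size_t sample_count(int env_reset)
{
    const char *out[16];
    struct env_policy p = sample_policy(env_reset);
    return filter_env(&p, SAMPLE_ENV, out, 16);
}

int main(void)
{
    for (int reset = 1; reset >= 0; reset--) {
        const char *out[16];
        struct env_policy p = sample_policy(reset);
        size_t n = filter_env(&p, SAMPLE_ENV, out, 16);
        printf("env_reset=%d keeps %zu entries:\n", reset, n);
        for (size_t i = 0; i < n; i++)
            printf("  %s\n", out[i]);
    }
    return 0;
}
```

HOME survives with env_reset because it is on the env_keep list and not on env_check, so the / in its value is never inspected.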
        !          1327: 
        !          1328: FILES
        !          1329:        /etc/sudoers            List of who can run what
        !          1330: 
        !          1331:        /etc/group              Local groups file
        !          1332: 
        !          1333:        /etc/netgroup           List of network groups
        !          1334: 
        !          1335:        /var/log/sudo-io        I/O log files
        !          1336: 
        !          1337:        /var/adm/sudo           Directory containing time stamps for the
        !          1338:                                sudoers security policy
        !          1339: 
        !          1340:        /etc/environment        Initial environment for -i mode on Linux and
        !          1341:                                AIX
        !          1342: 
        !          1343: EXAMPLES
        !          1344:        Below are example sudoers entries.  Admittedly, some of these are a bit
        !          1345:        contrived.  First, we allow a few environment variables to pass and
        !          1346:        then define our aliases:
        !          1347: 
        !          1348:         # Run X applications through sudo; HOME is used to find the
        !          1349:         # .Xauthority file.  Note that other programs use HOME to find
        !          1350:         # configuration files and this may lead to privilege escalation!
        !          1351:         Defaults env_keep += "DISPLAY HOME"
        !          1352: 
        !          1353:         # User alias specification
        !          1354:         User_Alias     FULLTIMERS = millert, mikef, dowdy
        !          1355:         User_Alias     PARTTIMERS = bostley, jwfox, crawl
        !          1356:         User_Alias     WEBMASTERS = will, wendy, wim
        !          1357: 
        !          1358:         # Runas alias specification
        !          1359:         Runas_Alias    OP = root, operator
        !          1360:         Runas_Alias    DB = oracle, sybase
        !          1361:         Runas_Alias    ADMINGRP = adm, oper
        !          1362: 
        !          1363:         # Host alias specification
        !          1364:         Host_Alias     SPARC = bigtime, eclipse, moet, anchor :\
        !          1365:                        SGI = grolsch, dandelion, black :\
        !          1366:                        ALPHA = widget, thalamus, foobar :\
        !          1367:                        HPPA = boa, nag, python
        !          1368:         Host_Alias     CUNETS = 128.138.0.0/255.255.0.0
        !          1369:         Host_Alias     CSNETS = 128.138.243.0, 128.138.204.0/24, 128.138.242.0
        !          1370:         Host_Alias     SERVERS = master, mail, www, ns
        !          1371:         Host_Alias     CDROM = orion, perseus, hercules
        !          1372: 
        !          1373:         # Cmnd alias specification
        !          1374:         Cmnd_Alias     DUMPS = /usr/bin/mt, /usr/sbin/dump, /usr/sbin/rdump,\
        !          1375:                                /usr/sbin/restore, /usr/sbin/rrestore
        !          1376:         Cmnd_Alias     KILL = /usr/bin/kill
        !          1377:         Cmnd_Alias     PRINTING = /usr/sbin/lpc, /usr/bin/lprm
        !          1378:         Cmnd_Alias     SHUTDOWN = /usr/sbin/shutdown
        !          1379:         Cmnd_Alias     HALT = /usr/sbin/halt
        !          1380:         Cmnd_Alias     REBOOT = /usr/sbin/reboot
        !          1381:         Cmnd_Alias     SHELLS = /usr/bin/sh, /usr/bin/csh, /usr/bin/ksh, \
        !          1382:                                 /usr/local/bin/tcsh, /usr/bin/rsh, \
        !          1383:                                 /usr/local/bin/zsh
        !          1384:         Cmnd_Alias     SU = /usr/bin/su
        !          1385:         Cmnd_Alias     PAGERS = /usr/bin/more, /usr/bin/pg, /usr/bin/less
        !          1386: 
        !          1387:        Here we override some of the compiled in default values.  We want sudo
        !          1388:        to log via syslog(3) using the auth facility in all cases.  We don't
        !          1389:        want to subject the full time staff to the sudo lecture, user millert
        !          1390:        need not give a password, and we don't want to reset the LOGNAME, USER
        !          1391:        or USERNAME environment variables when running commands as root.
        !          1392:        Additionally, on the machines in the SERVERS Host_Alias, we keep an
        !          1393:        additional local log file and make sure we log the year in each log
        !          1394:        line since the log entries will be kept around for several years.
        !          1395:        Lastly, we disable shell escapes for the commands in the PAGERS
        !          1396:        Cmnd_Alias (/usr/bin/more, /usr/bin/pg and /usr/bin/less).
        !          1397: 
        !          1398:         # Override built-in defaults
        !          1399:         Defaults               syslog=auth
        !          1400:         Defaults>root          !set_logname
        !          1401:         Defaults:FULLTIMERS    !lecture
        !          1402:         Defaults:millert       !authenticate
        !          1403:         Defaults@SERVERS       log_year, logfile=/var/log/sudo.log
        !          1404:         Defaults!PAGERS        noexec
        !          1405: 
        !          1406:        The User specification is the part that actually determines who may run
        !          1407:        what.
        !          1408: 
        !          1409:         root           ALL = (ALL) ALL
        !          1410:         %wheel         ALL = (ALL) ALL
        !          1411: 
        !          1412:        We let root and any user in group wheel run any command on any host as
        !          1413:        any user.
        !          1414: 
        !          1415:         FULLTIMERS     ALL = NOPASSWD: ALL
        !          1416: 
        !          1417:        Full time sysadmins (millert, mikef, and dowdy) may run any command on
        !          1418:        any host without authenticating themselves.
        !          1419: 
        !          1420:         PARTTIMERS     ALL = ALL
        !          1421: 
        !          1422:        Part time sysadmins (bostley, jwfox, and crawl) may run any command on
        !          1423:        any host but they must authenticate themselves first (since the entry
        !          1424:        lacks the NOPASSWD tag).
        !          1425: 
        !          1426:         jack           CSNETS = ALL
        !          1427: 
        !          1428:        The user jack may run any command on the machines in the CSNETS alias
        !          1429:        (the networks 128.138.243.0, 128.138.204.0, and 128.138.242.0).  Of
        !          1430:        those networks, only 128.138.204.0 has an explicit netmask (in CIDR
        !          1431:        notation) indicating it is a class C network.  For the other networks
        !          1432:        in CSNETS, the local machine's netmask will be used during matching.
        !          1433: 
        !          1434:         lisa           CUNETS = ALL
        !          1435: 
        !          1436:        The user lisa may run any command on any host in the CUNETS alias (the
        !          1437:        class B network 128.138.0.0).
        !          1438: 
        !          1439:         operator       ALL = DUMPS, KILL, SHUTDOWN, HALT, REBOOT, PRINTING,\
        !          1440:                        sudoedit /etc/printcap, /usr/oper/bin/
        !          1441: 
        !          1442:        The operator user may run commands limited to simple maintenance.
        !          1443:        Here, those are commands related to backups, killing processes, the
        !          1444:        printing system, shutting down the system, and any commands in the
        !          1445:        directory /usr/oper/bin/.
        !          1446: 
        !          1447:         joe            ALL = /usr/bin/su operator
        !          1448: 
        !          1449:        The user joe may only su(1) to operator.
        !          1450: 
        !          1451:         pete           HPPA = /usr/bin/passwd [A-Za-z]*, !/usr/bin/passwd root
        !          1452: 
        !          1453:         %opers         ALL = (: ADMINGRP) /usr/sbin/
        !          1454: 
        !          1455:        Users in the opers group may run commands in /usr/sbin/ as themselves
        !          1456:        with any group in the ADMINGRP Runas_Alias (the adm and oper groups).
        !          1457: 
        !          1458:        The user pete is allowed to change anyone's password except for root on
        !          1459:        the HPPA machines.  Note that this assumes passwd(1) does not take
        !          1460:        multiple user names on the command line.
        !          1461: 
        !          1462:         bob            SPARC = (OP) ALL : SGI = (OP) ALL
        !          1463: 
        !          1464:        The user bob may run anything on the SPARC and SGI machines as any user
        !          1465:        listed in the OP Runas_Alias (root and operator).
        !          1466: 
        !          1467:         jim            +biglab = ALL
        !          1468: 
        !          1469:        The user jim may run any command on machines in the biglab netgroup.
        !          1470:        sudo knows that "biglab" is a netgroup due to the '+' prefix.
        !          1471: 
        !          1472:         +secretaries   ALL = PRINTING, /usr/bin/adduser, /usr/bin/rmuser
        !          1473: 
        !          1474:        Users in the secretaries netgroup need to help manage the printers as
        !          1475:        well as add and remove users, so they are allowed to run those commands
        !          1476:        on all machines.
        !          1477: 
        !          1478:         fred           ALL = (DB) NOPASSWD: ALL
        !          1479: 
        !          1480:        The user fred can run commands as any user in the DB Runas_Alias
        !          1481:        (oracle or sybase) without giving a password.
        !          1482: 
        !          1483:         john           ALPHA = /usr/bin/su [!-]*, !/usr/bin/su *root*
        !          1484: 
        !          1485:        On the ALPHA machines, user john may su to anyone except root but he is
        !          1486:        not allowed to specify any options to the su(1) command.
        !          1487: 
        !          1488:         jen            ALL, !SERVERS = ALL
        !          1489: 
        !          1490:        The user jen may run any command on any machine except for those in the
        !          1491:        SERVERS Host_Alias (master, mail, www and ns).
        !          1492: 
        !          1493:         jill           SERVERS = /usr/bin/, !SU, !SHELLS
        !          1494: 
        !          1495:        For any machine in the SERVERS Host_Alias, jill may run any commands in
        !          1496:        the directory /usr/bin/ except for those commands belonging to the SU
        !          1497:        and SHELLS Cmnd_Aliases.
        !          1498: 
        !          1499:         steve          CSNETS = (operator) /usr/local/op_commands/
        !          1500: 
        !          1501:        The user steve may run any command in the directory
        !          1502:        /usr/local/op_commands/ but only as user operator.
        !          1503: 
        !          1504:         matt           valkyrie = KILL
        !          1505: 
        !          1506:        On his personal workstation, valkyrie, matt needs to be able to kill
        !          1507:        hung processes.
        !          1508: 
        !          1509:         WEBMASTERS     www = (www) ALL, (root) /usr/bin/su www
        !          1510: 
        !          1511:        On the host www, any user in the WEBMASTERS User_Alias (will, wendy,
        !          1512:        and wim), may run any command as user www (which owns the web pages) or
        !          1513:        simply su(1) to www.
        !          1514: 
        !          1515:         ALL            CDROM = NOPASSWD: /sbin/umount /CDROM,\
        !          1516:                        /sbin/mount -o nosuid\,nodev /dev/cd0a /CDROM
        !          1517: 
        !          1518:        Any user may mount or unmount a CD-ROM on the machines in the CDROM
        !          1519:        Host_Alias (orion, perseus, hercules) without entering a password.
        !          1520:        This is a bit tedious for users to type, so it is a prime candidate for
        !          1521:        encapsulating in a shell script.
        !          1522: 
        !          1523: SECURITY NOTES
        !          1524:        It is generally not effective to "subtract" commands from ALL using the
        !          1525:        '!' operator.  A user can trivially circumvent this by copying the
        !          1526:        desired command to a different name and then executing that.  For
        !          1527:        example:
        !          1528: 
        !          1529:            bill        ALL = ALL, !SU, !SHELLS
        !          1530: 
        !          1531:        Doesn't really prevent bill from running the commands listed in SU or
        !          1532:        SHELLS since he can simply copy those commands to a different name, or
        !          1533:        use a shell escape from an editor or other program.  Therefore, these
        !          1534:        kinds of restrictions should be considered advisory at best (and
        !          1535:        reinforced by policy).
        !          1536: 
        !          1537:        Furthermore, if the fast_glob option is in use, it is not possible to
        !          1538:        reliably negate commands where the path name includes globbing (aka
        !          1539:        wildcard) characters.  This is because the C library's fnmatch(3)
        !          1540:        function cannot resolve relative paths.  While this is typically only
        !          1541:        an inconvenience for rules that grant privileges, it can result in a
        !          1542:        security issue for rules that subtract or revoke privileges.
        !          1543: 
        !          1544:        For example, given the following sudoers entry:
        !          1545: 
        !          1546:         john   ALL = /usr/bin/passwd [a-zA-Z0-9]*, /usr/bin/chsh [a-zA-Z0-9]*,
        !          1547:              /usr/bin/chfn [a-zA-Z0-9]*, !/usr/bin/* root
        !          1548: 
        !          1549:        User john can still run /usr/bin/passwd root if fast_glob is enabled by
        !          1550:        changing to /usr/bin and running ./passwd root instead.
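
Why the negated wildcard entry above misses a relative path, as an added example (a simplified model of string-only matching with fnmatch(3), not sudo's own code). The function names are hypothetical, and lexical_abspath() is only a lexical stand-in for a file-system lookup: it does not follow symbolic links.

```c
#include <fnmatch.h>
#include <stdio.h>
#include <string.h>

/* String-only test for the page's negated entry "!/usr/bin/* root".
 * Nothing here consults the file system. */
int negation_fires(const char *cmd_path, const char *arg)
{
    return fnmatch("/usr/bin/*", cmd_path, FNM_PATHNAME) == 0 &&
           strcmp(arg, "root") == 0;
}

/* Join cwd and path, then drop "." and ".." components lexically.
 * Returns 0 on success, -1 if a buffer is too small. */
int lexical_abspath(const char *cwd, const char *path, char *out, size_t outsz)
{
    char tmp[4096];
    int n = (path[0] == '/')
        ? snprintf(tmp, sizeof(tmp), "%s", path)
        : snprintf(tmp, sizeof(tmp), "%s/%s", cwd, path);
    if (n < 0 || (size_t)n >= sizeof(tmp) || outsz < 2)
        return -1;

    size_t len = 0;
    out[0] = '\0';
    for (char *tok = strtok(tmp, "/"); tok != NULL; tok = strtok(NULL, "/")) {
        if (strcmp(tok, ".") == 0)
            continue;
        if (strcmp(tok, "..") == 0) {
            /* Pop the last component, if there is one. */
            while (len > 0 && out[--len] != '/')
                ;
            out[len] = '\0';
            continue;
        }
        size_t tl = strlen(tok);
        if (len + 1 + tl + 1 > outsz)
            return -1;
        out[len++] = '/';
        memcpy(out + len, tok, tl + 1);
        len += tl;
    }
    if (len == 0) {
        out[0] = '/';
        out[1] = '\0';
    }
    return 0;
}

/* Convenience wrapper returning a static buffer (not thread-safe). */
const char *abs_of(const char *cwd, const char *path)
{
    static char buf[4096];
    return lexical_abspath(cwd, path, buf, sizeof(buf)) == 0 ? buf : NULL;
}

/* The same negation test, applied after the path has been made absolute. */
int negation_fires_resolved(const char *cwd, const char *cmd_path,
                            const char *arg)
{
    const char *abs = abs_of(cwd, cmd_path);
    return abs != NULL && negation_fires(abs, arg);
}

int main(void)
{
    printf("/usr/bin/passwd root        -> negation fires: %d\n",
           negation_fires("/usr/bin/passwd", "root"));
    printf("./passwd root (string only) -> negation fires: %d\n",
           negation_fires("./passwd", "root"));
    printf("./passwd root (cwd applied) -> negation fires: %d\n",
           negation_fires_resolved("/usr/bin", "./passwd", "root"));
    return 0;
}
```

When auditing a sudoers file, any negated entry whose path contains wildcard characters deserves a second look if fast_glob is enabled.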
        !          1551: 
        !          1552: PREVENTING SHELL ESCAPES
        !          1553:        Once sudo executes a program, that program is free to do whatever it
        !          1554:        pleases, including run other programs.  This can be a security issue
        !          1555:        since it is not uncommon for a program to allow shell escapes, which
        !          1556:        lets a user bypass sudo's access control and logging.  Common programs
        !          1557:        that permit shell escapes include shells (obviously), editors,
        !          1558:        paginators, mail and terminal programs.
        !          1559: 
        !          1560:        There are two basic approaches to this problem:
        !          1561: 
        !          1562:        restrict  Avoid giving users access to commands that allow the user to
        !          1563:                  run arbitrary commands.  Many editors have a restricted mode
        !          1564:                  where shell escapes are disabled, though sudoedit is a better
        !          1565:                  solution to running editors via sudo.  Due to the large
        !          1566:                  number of programs that offer shell escapes, restricting
        !          1567:                  users to the set of programs that do not is often unworkable.
        !          1568: 
        !          1569:        noexec    Many systems that support shared libraries have the ability
        !          1570:                  to override default library functions by pointing an
        !          1571:                  environment variable (usually LD_PRELOAD) to an alternate
        !          1572:                  shared library.  On such systems, sudo's noexec functionality
        !          1573:                  can be used to prevent a program run by sudo from executing
        !          1574:                  any other programs.  Note, however, that this applies only to
        !          1575:                  native dynamically-linked executables.  Statically-linked
        !          1576:                  executables and foreign executables running under binary
        !          1577:                  emulation are not affected.
        !          1578: 
        !          1579:                  The noexec feature is known to work on SunOS, Solaris, *BSD,
        !          1580:                  Linux, IRIX, Tru64 UNIX, MacOS X, HP-UX 11.x and AIX 5.3 and
        !          1581:                  above.  It should be supported on most operating systems that
        !          1582:                  support the LD_PRELOAD environment variable.  Check your
        !          1583:                  operating system's manual pages for the dynamic linker
        !          1584:                  (usually ld.so, ld.so.1, dyld, dld.sl, rld, or loader) to see
        !          1585:                  if LD_PRELOAD is supported.
        !          1586: 
        !          1587:                  On Solaris 10 and higher, noexec uses Solaris privileges
        !          1588:                  instead of the LD_PRELOAD environment variable.
        !          1589: 
        !          1590:                  To enable noexec for a command, use the NOEXEC tag as
        !          1591:                  documented in the User Specification section above.  Here is
        !          1592:                  that example again:
        !          1593: 
        !          1594:                   aaron  shanty = NOEXEC: /usr/bin/more, /usr/bin/vi
        !          1595: 
        !          1596:                  This allows user aaron to run /usr/bin/more and /usr/bin/vi
        !          1597:                  with noexec enabled.  This will prevent those two commands
        !          1598:                  from executing other commands (such as a shell).  If you are
        !          1599:                  unsure whether or not your system is capable of supporting
        !          1600:                  noexec you can always just try it out and check whether shell
        !          1601:                  escapes work when noexec is enabled.
        !          1602: 
        !          1603:        Note that restricting shell escapes is not a panacea.  Programs running
        !          1604:        as root are still capable of many potentially hazardous operations
        !          1605:        (such as changing or overwriting files) that could lead to unintended
        !          1606:        privilege escalation.  In the specific case of an editor, a safer
        !          1607:        approach is to give the user permission to run sudoedit.
        !          1608: 
        !          1609: SECURITY NOTES
        !          1610:        sudoers will check the ownership of its time stamp directory
        !          1611:        (/var/adm/sudo by default) and ignore the directory's contents if it is
        !          1612:        not owned by root or if it is writable by a user other than root.  On
        !          1613:        systems that allow non-root users to give away files via chown(2), if
        !          1614:        the time stamp directory is located in a world-writable directory
        !          1615:        (e.g., /tmp), it is possible for a user to create the time stamp
        !          1616:        directory before sudo is run.  However, because sudoers checks the
        !          1617:        ownership and mode of the directory and its contents, the only damage
        !          1618:        that can be done is to "hide" files by putting them in the time stamp
        !          1619:        dir.  This is unlikely to happen since once the time stamp dir is owned
        !          1620:        by root and inaccessible by any other user, the user placing files
        !          1621:        there would be unable to get them back out.
        !          1622: 
        !          1623:        sudoers will not honor time stamps set far in the future.  Time stamps
        !          1624:        with a date greater than current_time + 2 * TIMEOUT will be ignored and
        !          1625:        sudo will log and complain.  This is done to keep a user from creating
        !          1626:        his/her own time stamp with a bogus date on systems that allow users to
        !          1627:        give away files if the time stamp directory is located in a world-
        !          1628:        writable directory.
        !          1629: 
        !          1630:        On systems where the boot time is available, sudoers will ignore time
        !          1631:        stamps that date from before the machine booted.
        !          1632: 
        !          1633:        Since time stamp files live in the file system, they can outlive a
        !          1634:        user's login session.  As a result, a user may be able to log in, run a
        !          1635:        command with sudo after authenticating, log out, log in again, and run
        !          1636:        sudo without authenticating so long as the time stamp file's
        !          1637:        modification time is within 5 minutes (or whatever the timeout is set
        !          1638:        to in sudoers).  When the tty_tickets option is enabled, the time stamp
        !          1639:        has per-tty granularity but still may outlive the user's session.  On
        !          1640:        Linux systems where the devpts filesystem is used, Solaris systems with
        !          1641:        the devices filesystem, as well as other systems that utilize a devfs
        !          1642:        filesystem that monotonically increases the inode number of devices as
        !          1643:        they are created (such as Mac OS X), sudoers is able to determine when
        !          1644:        a tty-based time stamp file is stale and will ignore it.
        !          1645:        Administrators should not rely on this feature as it is not universally
        !          1646:        available.
        !          1647: 
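The time stamp rules described above (directory ownership and mode, the current_time + 2 * TIMEOUT limit, the boot-time cutoff and the timeout itself), combined into one check. This is an added example, not sudo's own code: the function and verdict names, the use of seconds for all times and the use of 0 for an unavailable boot time are assumptions of this example.

```c
#define _XOPEN_SOURCE 700
#include <stdbool.h>
#include <stdio.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <time.h>

/* Verdict names are invented for this example. */
enum ts_verdict { TS_VALID, TS_EXPIRED, TS_FUTURE, TS_PREBOOT, TS_DIR_UNTRUSTED };

/* Directory rule: owned by root and writable by no one other than root. */
static bool ts_dir_trusted(const struct stat *dir)
{
    return S_ISDIR(dir->st_mode) && dir->st_uid == 0 &&
           (dir->st_mode & (S_IWGRP | S_IWOTH)) == 0;
}

/*
 * Apply the rules in the order the text gives them. All times are in
 * seconds; boot == 0 stands for "boot time not available" (assumption).
 */
static enum ts_verdict ts_check(const struct stat *dir, time_t mtime,
                                time_t now, time_t boot, time_t timeout)
{
    if (!ts_dir_trusted(dir))
        return TS_DIR_UNTRUSTED;       /* directory contents are ignored */
    if (mtime > now + 2 * timeout)
        return TS_FUTURE;              /* bogus date: ignore and log */
    if (boot != 0 && mtime < boot)
        return TS_PREBOOT;             /* predates the current boot */
    if (now - mtime > timeout)
        return TS_EXPIRED;             /* user must authenticate again */
    return TS_VALID;
}

int main(int argc, char **argv)
{
    struct stat dir, ts;
    if (argc != 3 || stat(argv[1], &dir) != 0 || stat(argv[2], &ts) != 0) {
        fprintf(stderr, "usage: %s <timestamp-dir> <timestamp-file>\n", argv[0]);
        return 2;
    }
    /* 300 s matches the 5-minute timeout mentioned in the text. */
    printf("verdict=%d\n", ts_check(&dir, ts.st_mtime, time(NULL), 0, 300));
    return 0;
}
```

A time stamp dated slightly ahead of the clock, but within current_time + 2 * TIMEOUT, is still accepted by this check, as the text's rule only rejects dates beyond that limit.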
        !          1648:        If users have sudo ALL there is nothing to prevent them from creating
        !          1649:        their own program that gives them a root shell (or making their own
        !          1650:        copy of a shell) regardless of any '!' elements in the user
        !          1651:        specification.
        !          1652: 
        !          1653: SEE ALSO
        !          1654:        rsh(1), su(1), fnmatch(3), glob(3), mktemp(3), strftime(3),
        !          1655:        sudoers.ldap(4), sudo_plugin(1m), sudo(1m), visudo(1m)
        !          1656: 
        !          1657: CAVEATS
        !          1658:        The sudoers file should always be edited by the visudo command which
        !          1659:        locks the file and does grammatical checking. It is imperative that
        !          1660:        sudoers be free of syntax errors since sudo will not run with a
        !          1661:        syntactically incorrect sudoers file.
        !          1662: 
        !          1663:        When using netgroups of machines (as opposed to users), if you store
        !          1664:        fully qualified host names in the netgroup (as is usually the case), you
        !          1665:        either need to have the machine's host name be fully qualified as
        !          1666:        returned by the hostname command or use the fqdn option in sudoers.
        !          1667: 
        !          1668: BUGS
        !          1669:        If you feel you have found a bug in sudo, please submit a bug report at
        !          1670:        http://www.sudo.ws/sudo/bugs/
        !          1671: 
        !          1672: SUPPORT
        !          1673:        Limited free support is available via the sudo-users mailing list, see
        !          1674:        http://www.sudo.ws/mailman/listinfo/sudo-users to subscribe or search
        !          1675:        the archives.
        !          1676: 
        !          1677: DISCLAIMER
        !          1678:        sudo is provided "AS IS" and any express or implied warranties,
        !          1679:        including, but not limited to, the implied warranties of
        !          1680:        merchantability and fitness for a particular purpose are disclaimed.
        !          1681:        See the LICENSE file distributed with sudo or
        !          1682:        http://www.sudo.ws/sudo/license.html for complete details.
        !          1683: 
        !          1684: 
        !          1685: 
        !          1686: 1.8.3                         September 16, 2011                    SUDOERS(4)
