Annotation of embedaddon/sudo/doc/sudoers.cat, revision 1.1
SUDOERS(4)                 MAINTENANCE COMMANDS                 SUDOERS(4)

NAME
       sudoers - default sudo security policy module

DESCRIPTION
       The sudoers policy module determines a user's sudo privileges. It is
       the default sudo policy plugin. The policy is driven by the
       /etc/sudoers file or, optionally, in LDAP. The policy format is
       described in detail in the "SUDOERS FILE FORMAT" section. For
       information on storing sudoers policy information in LDAP, please see
       sudoers.ldap(4).

   Authentication and Logging
       The sudoers security policy requires that most users authenticate
       themselves before they can use sudo. A password is not required if the
       invoking user is root, if the target user is the same as the invoking
       user, or if the policy has disabled authentication for the user or
       command. Unlike su(1), when sudoers requires authentication, it
       validates the invoking user's credentials, not the target user's (or
       root's) credentials. This can be changed via the rootpw, targetpw and
       runaspw flags, described later.

       If a user who is not listed in the policy tries to run a command via
       sudo, mail is sent to the proper authorities. The address used for
       such mail is configurable via the mailto Defaults entry (described
       later) and defaults to root.

       Note that mail will not be sent if an unauthorized user tries to run
       sudo with the -l or -v option. This allows users to determine for
       themselves whether or not they are allowed to use sudo.

       If sudo is run by root and the SUDO_USER environment variable is set,
       the sudoers policy will use this value to determine who the actual user
       is. This can be used by a user to log commands through sudo even when
       a root shell has been invoked. It also allows the -e option to remain
       useful even when invoked via a sudo-run script or program. Note,
       however, that the sudoers lookup is still done for root, not the user
       specified by SUDO_USER.

       sudoers uses time stamp files for credential caching. Once a user has
       been authenticated, a time stamp is updated and the user may then use
       sudo without a password for a short period of time (5 minutes unless
       overridden by the timeout option). By default, sudoers uses a tty-based
       time stamp, which means that there is a separate time stamp for each of
       a user's login sessions. The tty_tickets option can be disabled to
       force the use of a single time stamp for all of a user's sessions.

       sudoers can log both successful and unsuccessful attempts (as well as
       errors) to syslog(3), a log file, or both. By default, sudoers will
       log via syslog(3), but this is changeable via the syslog and logfile
       Defaults settings.

       sudoers also supports logging a command's input and output streams.
       I/O logging is not on by default but can be enabled using the log_input
       and log_output Defaults flags as well as the LOG_INPUT and LOG_OUTPUT
       command tags.

   Command Environment
       Since environment variables can influence program behavior, sudoers
       provides a means to restrict which variables from the user's
       environment are inherited by the command to be run. There are two
       distinct ways sudoers can deal with environment variables.

       By default, the env_reset option is enabled. This causes commands to
       be executed with a minimal environment containing TERM, PATH, HOME,
       MAIL, SHELL, LOGNAME, USER and USERNAME in addition to variables from
       the invoking process permitted by the env_check and env_keep options.
       This is effectively a whitelist for environment variables.

       If, however, the env_reset option is disabled, any variables not
       explicitly denied by the env_check and env_delete options are inherited
       from the invoking process. In this case, env_check and env_delete
       behave like a blacklist. Since it is not possible to blacklist all
       potentially dangerous environment variables, use of the default
       env_reset behavior is encouraged.

       In all cases, environment variables with a value beginning with () are
       removed as they could be interpreted as bash functions. The list of
       environment variables that sudo allows or denies is contained in the
       output of sudo -V when run as root.

       Note that the dynamic linker on most operating systems will remove
       variables that can control dynamic linking from the environment of
       setuid executables, including sudo. Depending on the operating system
       this may include _RLD*, DYLD_*, LD_*, LDR_*, LIBPATH, SHLIB_PATH, and
       others. These types of variables are removed from the environment
       before sudo even begins execution and, as such, it is not possible for
       sudo to preserve them.

       As a special case, if sudo's -i option (initial login) is specified,
       sudoers will initialize the environment regardless of the value of
       env_reset. The DISPLAY, PATH and TERM variables remain unchanged;
       HOME, MAIL, SHELL, USER, and LOGNAME are set based on the target user.
       On Linux and AIX systems the contents of /etc/environment are also
       included. All other environment variables are removed.

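       As an added illustration of the two modes described above (this is
       not code from the sudoers manual or from sudo itself), the following
       Python function models how the command environment is built. It
       assumes that entries in env_keep, env_check and env_delete may be
       plain names or globs such as LC_*, and that env_check keeps a variable
       only when its value contains neither '%' nor '/' (sudo's check for
       env_check, which the text above refers to only by name). The caller
       environment is constructed for the demonstration.

```python
"""Toy model of how sudoers builds the command environment: env_reset as a
whitelist, env_reset disabled as a blacklist, and the unconditional removal
of values that begin with "()" (exported bash functions)."""
from fnmatch import fnmatchcase

# Variables sudoers always places in the minimal env_reset environment.
BASE_VARS = ("TERM", "PATH", "HOME", "MAIL", "SHELL", "LOGNAME", "USER", "USERNAME")


def _in_list(name, patterns):
    # Assumption of this model: list entries may be names or globs like LC_*.
    return any(fnmatchcase(name, p) for p in patterns)


def _passes_check(value):
    # env_check keeps a variable only if its value has no '%' or '/' characters
    # (sudo's check for env_check; the text above names the option only).
    return "%" not in value and "/" not in value


def build_command_env(caller_env, env_reset=True, env_keep=(), env_check=(), env_delete=()):
    """Return the environment the command would see, as a new dict."""
    result = {}
    for name, value in caller_env.items():
        # In all cases: values starting with "()" are dropped before anything else.
        if value.startswith("()"):
            continue
        if env_reset:
            # Whitelist: the base set, env_keep, and env_check entries that pass.
            keep = name in BASE_VARS or _in_list(name, env_keep) \
                or (_in_list(name, env_check) and _passes_check(value))
        else:
            # Blacklist: everything is inherited unless env_delete names it or
            # env_check names it and the value fails the check.
            keep = not _in_list(name, env_delete) \
                and not (_in_list(name, env_check) and not _passes_check(value))
        if keep:
            result[name] = value
    return result


# Constructed caller environment for the demonstration (not from a real session).
CALLER_ENV = {
    "PATH": "/usr/bin:/bin",
    "HOME": "/home/alice",
    "USER": "alice",
    "TERM": "xterm",
    "LC_ALL": "C",
    "LC_MESSAGES": "/tmp/x",                 # fails the env_check value test
    "LANG": "en_US.UTF-8",
    "PYTHONPATH": "/tmp/untrusted",          # changes what a python command imports
    "BASH_FUNC_ls%%": "() { echo hello; }",  # exported bash function
    "EDITOR": "vi",
}


def demo():
    """Build the environment both ways for the constructed caller environment."""
    reset = build_command_env(CALLER_ENV, env_reset=True,
                              env_keep=("EDITOR",), env_check=("LC_*", "LANG"))
    inherit = build_command_env(CALLER_ENV, env_reset=False,
                                env_check=("LC_*", "LANG"), env_delete=("IFS",))
    return reset, inherit


if __name__ == "__main__":
    r, i = demo()
    print("env_reset on :", sorted(r))
    print("env_reset off:", sorted(i))
```

       With env_reset on, PYTHONPATH never reaches the command because nothing
       whitelists it; with env_reset off it is inherited because nothing
       blacklists it, which is the reason the text above recommends the
       default. The bash function export and the LC_MESSAGES value that fails
       the env_check test are dropped in both modes.
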
SUDOERS FILE FORMAT
       The sudoers file is composed of two types of entries: aliases
       (basically variables) and user specifications (which specify who may
       run what).

       When multiple entries match for a user, they are applied in order.
       Where there are multiple matches, the last match is used (which is not
       necessarily the most specific match).

       The sudoers grammar will be described below in Extended Backus-Naur
       Form (EBNF). Don't despair if you don't know what EBNF is; it is
       fairly simple, and the definitions below are annotated.

   Quick guide to EBNF
       EBNF is a concise and exact way of describing the grammar of a
       language. Each EBNF definition is made up of production rules. E.g.,

           symbol ::= definition | alternate1 | alternate2 ...

       Each production rule references others and thus makes up a grammar for
       the language. EBNF also contains the following operators, which many
       readers will recognize from regular expressions. Do not, however,
       confuse them with "wildcard" characters, which have different meanings.

       ?   Means that the preceding symbol (or group of symbols) is optional.
           That is, it may appear once or not at all.

       *   Means that the preceding symbol (or group of symbols) may appear
           zero or more times.

       +   Means that the preceding symbol (or group of symbols) may appear
           one or more times.

       Parentheses may be used to group symbols together. For clarity, we
       will use single quotes ('') to designate what is a verbatim character
       string (as opposed to a symbol name).

   Aliases
       There are four kinds of aliases: User_Alias, Runas_Alias, Host_Alias
       and Cmnd_Alias.

           Alias ::= 'User_Alias'  User_Alias (':' User_Alias)* |
                     'Runas_Alias' Runas_Alias (':' Runas_Alias)* |
                     'Host_Alias'  Host_Alias (':' Host_Alias)* |
                     'Cmnd_Alias'  Cmnd_Alias (':' Cmnd_Alias)*

           User_Alias ::= NAME '=' User_List

           Runas_Alias ::= NAME '=' Runas_List

           Host_Alias ::= NAME '=' Host_List

           Cmnd_Alias ::= NAME '=' Cmnd_List

           NAME ::= [A-Z]([A-Z][0-9]_)*

       Each alias definition is of the form

           Alias_Type NAME = item1, item2, ...

       where Alias_Type is one of User_Alias, Runas_Alias, Host_Alias, or
       Cmnd_Alias. A NAME is a string of uppercase letters, numbers, and
       underscore characters ('_'). A NAME must start with an uppercase
       letter. It is possible to put several alias definitions of the same
       type on a single line, joined by a colon (':'). E.g.,

           Alias_Type NAME = item1, item2, item3 : NAME = item4, item5

       The definitions of what constitutes a valid alias member follow.

           User_List ::= User |
                         User ',' User_List

           User ::= '!'* user name |
                    '!'* #uid |
                    '!'* %group |
                    '!'* %#gid |
                    '!'* +netgroup |
                    '!'* %:nonunix_group |
                    '!'* %:#nonunix_gid |
                    '!'* User_Alias

       A User_List is made up of one or more user names, user ids (prefixed
       with '#'), system group names and ids (prefixed with '%' and '%#'
       respectively), netgroups (prefixed with '+'), non-Unix group names and
       IDs (prefixed with '%:' and '%:#' respectively) and User_Aliases. Each
       list item may be prefixed with zero or more '!' operators. An odd
       number of '!' operators negate the value of the item; an even number
       just cancel each other out.

       A user name, uid, group, gid, netgroup, nonunix_group or nonunix_gid
       may be enclosed in double quotes to avoid the need for escaping special
       characters. Alternately, special characters may be specified in
       escaped hex mode, e.g. \x20 for space. When using double quotes, any
       prefix characters must be included inside the quotes.

       The actual nonunix_group and nonunix_gid syntax depends on the
       underlying group provider plugin (see the group_plugin description
       below). For instance, the QAS AD plugin supports the following
       formats:

       o   Group in the same domain: "Group Name"

       o   Group in any domain: "Group Name@FULLY.QUALIFIED.DOMAIN"

       o   Group SID: "S-1-2-34-5678901234-5678901234-5678901234-567"

       Note that quotes around group names are optional. Unquoted strings
       must use a backslash (\) to escape spaces and special characters. See
       "Other special characters and reserved words" for a list of characters
       that need to be escaped.

           Runas_List ::= Runas_Member |
                          Runas_Member ',' Runas_List

           Runas_Member ::= '!'* user name |
                            '!'* #uid |
                            '!'* %group |
                            '!'* %#gid |
                            '!'* %:nonunix_group |
                            '!'* %:#nonunix_gid |
                            '!'* +netgroup |
                            '!'* Runas_Alias

       A Runas_List is similar to a User_List except that instead of
       User_Aliases it can contain Runas_Aliases. Note that user names and
       groups are matched as strings. In other words, two users (groups) with
       the same uid (gid) are considered to be distinct. If you wish to match
       all user names with the same uid (e.g. root and toor), you can use a
       uid instead (#0 in the example given).

           Host_List ::= Host |
                         Host ',' Host_List

           Host ::= '!'* host name |
                    '!'* ip_addr |
                    '!'* network(/netmask)? |
                    '!'* +netgroup |
                    '!'* Host_Alias

       A Host_List is made up of one or more host names, IP addresses, network
       numbers, netgroups (prefixed with '+') and other aliases. Again, the
       value of an item may be negated with the '!' operator. If you do not
       specify a netmask along with the network number, sudo will query each
       of the local host's network interfaces and, if the network number
       corresponds to one of the host's network interfaces, the corresponding
       netmask will be used. The netmask may be specified either in standard
       IP address notation (e.g. 255.255.255.0 or ffff:ffff:ffff:ffff::), or
       CIDR notation (number of bits, e.g. 24 or 64). A host name may include
       shell-style wildcards (see the Wildcards section below), but unless the
       host name command on your machine returns the fully qualified host
       name, you'll need to use the fqdn option for wildcards to be useful.
       Note sudo only inspects actual network interfaces; this means that IP
       address 127.0.0.1 (localhost) will never match. Also, the host name
       "localhost" will only match if that is the actual host name, which is
       usually only the case for non-networked systems.

           Cmnd_List ::= Cmnd |
                         Cmnd ',' Cmnd_List

           commandname ::= file name |
                           file name args |
                           file name '""'

           Cmnd ::= '!'* commandname |
                    '!'* directory |
                    '!'* "sudoedit" |
                    '!'* Cmnd_Alias

       A Cmnd_List is a list of one or more commandnames, directories, and
       other aliases. A commandname is a fully qualified file name which may
       include shell-style wildcards (see the Wildcards section below). A
       simple file name allows the user to run the command with any arguments
       he/she wishes. However, you may also specify command line arguments
       (including wildcards). Alternately, you can specify "" to indicate
       that the command may only be run without command line arguments. A
       directory is a fully qualified path name ending in a '/'. When you
       specify a directory in a Cmnd_List, the user will be able to run any
       file within that directory (but not in any subdirectories therein).

       If a Cmnd has associated command line arguments, then the arguments in
       the Cmnd must match exactly those given by the user on the command line
       (or match the wildcards if there are any). Note that the following
       characters must be escaped with a '\' if they are used in command
       arguments: ',', ':', '=', '\'. The special command "sudoedit" is used
       to permit a user to run sudo with the -e option (or as sudoedit). It
       may take command line arguments just as a normal command does.

   Defaults
       Certain configuration options may be changed from their default values
       at runtime via one or more Default_Entry lines. These may affect all
       users on any host, all users on a specific host, a specific user, a
       specific command, or commands being run as a specific user. Note that
       per-command entries may not include command line arguments. If you
       need to specify arguments, define a Cmnd_Alias and reference that
       instead.

           Default_Type ::= 'Defaults' |
                            'Defaults' '@' Host_List |
                            'Defaults' ':' User_List |
                            'Defaults' '!' Cmnd_List |
                            'Defaults' '>' Runas_List

           Default_Entry ::= Default_Type Parameter_List

           Parameter_List ::= Parameter |
                              Parameter ',' Parameter_List

           Parameter ::= Parameter '=' Value |
                         Parameter '+=' Value |
                         Parameter '-=' Value |
                         '!'* Parameter

       Parameters may be flags, integer values, strings, or lists. Flags are
       implicitly boolean and can be turned off via the '!' operator. Some
       integer, string and list parameters may also be used in a boolean
       context to disable them. Values may be enclosed in double quotes (")
       when they contain multiple words. Special characters may be escaped
       with a backslash (\).

       Lists have two additional assignment operators, += and -=. These
       operators are used to add to and delete from a list respectively. It
       is not an error to use the -= operator to remove an element that does
       not exist in a list.

       Defaults entries are parsed in the following order: generic, host and
       user Defaults first, then runas Defaults and finally command defaults.

       See "SUDOERS OPTIONS" for a list of supported Defaults parameters.

   User Specification
           User_Spec ::= User_List Host_List '=' Cmnd_Spec_List \
                         (':' Host_List '=' Cmnd_Spec_List)*

           Cmnd_Spec_List ::= Cmnd_Spec |
                              Cmnd_Spec ',' Cmnd_Spec_List

           Cmnd_Spec ::= Runas_Spec? SELinux_Spec? Tag_Spec* Cmnd

           Runas_Spec ::= '(' Runas_List? (':' Runas_List)? ')'

           SELinux_Spec ::= ('ROLE=role' | 'TYPE=type')

           Tag_Spec ::= ('NOPASSWD:' | 'PASSWD:' | 'NOEXEC:' | 'EXEC:' |
                         'SETENV:' | 'NOSETENV:' | 'LOG_INPUT:' | 'NOLOG_INPUT:' |
                         'LOG_OUTPUT:' | 'NOLOG_OUTPUT:')

       A user specification determines which commands a user may run (and as
       what user) on specified hosts. By default, commands are run as root,
       but this can be changed on a per-command basis.

       The basic structure of a user specification is `who where = (as_whom)
       what'. Let's break that down into its constituent parts:

   Runas_Spec
       A Runas_Spec determines the user and/or the group that a command may be
       run as. A fully-specified Runas_Spec consists of two Runas_Lists (as
       defined above) separated by a colon (':') and enclosed in a set of
       parentheses. The first Runas_List indicates which users the command
       may be run as via sudo's -u option. The second defines a list of
       groups that can be specified via sudo's -g option. If both Runas_Lists
       are specified, the command may be run with any combination of users and
       groups listed in their respective Runas_Lists. If only the first is
       specified, the command may be run as any user in the list but no -g
       option may be specified. If the first Runas_List is empty but the
       second is specified, the command may be run as the invoking user with
       the group set to any listed in the Runas_List. If no Runas_Spec is
       specified the command may be run as root and no group may be specified.

       A Runas_Spec sets the default for the commands that follow it. What
       this means is that for the entry:

           dgb boulder = (operator) /bin/ls, /bin/kill, /usr/bin/lprm

       The user dgb may run /bin/ls, /bin/kill, and /usr/bin/lprm -- but only
       as operator. E.g.,

           $ sudo -u operator /bin/ls

       It is also possible to override a Runas_Spec later on in an entry. If
       we modify the entry like so:

           dgb boulder = (operator) /bin/ls, (root) /bin/kill, /usr/bin/lprm

       Then user dgb is now allowed to run /bin/ls as operator, but /bin/kill
       and /usr/bin/lprm as root.

       We can extend this to allow dgb to run /bin/ls with either the user or
       group set to operator:

           dgb boulder = (operator : operator) /bin/ls, (root) /bin/kill, \
               /usr/bin/lprm

       Note that while the group portion of the Runas_Spec permits the user to
       run a command with that group, it does not force the user to do so.
       If no group is specified on the command line, the command will run with
       the group listed in the target user's password database entry. The
       following would all be permitted by the sudoers entry above:

           $ sudo -u operator /bin/ls
           $ sudo -u operator -g operator /bin/ls
           $ sudo -g operator /bin/ls

       In the following example, user tcm may run commands that access a modem
       device file with the dialer group.

           tcm boulder = (:dialer) /usr/bin/tip, /usr/bin/cu, \
               /usr/local/bin/minicom

       Note that in this example only the group will be set, the command still
       runs as user tcm. E.g.

           $ sudo -g dialer /usr/bin/cu

       Multiple users and groups may be present in a Runas_Spec, in which case
       the user may select any combination of users and groups via the -u and
       -g options. In this example:

           alan ALL = (root, bin : operator, system) ALL

       user alan may run any command as either user root or bin, optionally
       setting the group to operator or system.

   SELinux_Spec
       On systems with SELinux support, sudoers entries may optionally have an
       SELinux role and/or type associated with a command. If a role or type
       is specified with the command it will override any default values
       specified in sudoers. A role or type specified on the command line,
       however, will supersede the values in sudoers.

   Tag_Spec
       A command may have zero or more tags associated with it. There are
       eight possible tag values, NOPASSWD, PASSWD, NOEXEC, EXEC, SETENV,
       NOSETENV, LOG_INPUT, NOLOG_INPUT, LOG_OUTPUT and NOLOG_OUTPUT. Once a
       tag is set on a Cmnd, subsequent Cmnds in the Cmnd_Spec_List inherit
       the tag unless it is overridden by the opposite tag (i.e.: PASSWD
       overrides NOPASSWD and NOEXEC overrides EXEC).

       NOPASSWD and PASSWD

       By default, sudo requires that a user authenticate him or herself
       before running a command. This behavior can be modified via the
       NOPASSWD tag. Like a Runas_Spec, the NOPASSWD tag sets a default for
       the commands that follow it in the Cmnd_Spec_List. Conversely, the
       PASSWD tag can be used to reverse things. For example:

           ray rushmore = NOPASSWD: /bin/kill, /bin/ls, /usr/bin/lprm

       would allow the user ray to run /bin/kill, /bin/ls, and /usr/bin/lprm
       as root on the machine rushmore without authenticating himself. If we
       only want ray to be able to run /bin/kill without a password the entry
       would be:

           ray rushmore = NOPASSWD: /bin/kill, PASSWD: /bin/ls, /usr/bin/lprm

       Note, however, that the PASSWD tag has no effect on users who are in
       the group specified by the exempt_group option.

       By default, if the NOPASSWD tag is applied to any of the entries for a
       user on the current host, he or she will be able to run sudo -l without
       a password. Additionally, a user may only run sudo -v without a
       password if the NOPASSWD tag is present for all of a user's entries that
       pertain to the current host. This behavior may be overridden via the
       verifypw and listpw options.

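       The Runas_Spec and Tag_Spec rules above, as an added Python evaluator
       that is neither sudo's parser nor part of this manual: a Runas_Spec or
       tag is the default for the Cmnds that follow it in the Cmnd_Spec_List,
       a missing Runas_Spec means root with no -g permitted, and when several
       entries match, the last one decides. It handles only plain user names,
       %group membership through a constructed GROUPS map, ALL, '!' negation,
       exact command paths (no wildcards) and the "" no-arguments marker. The
       names parse_user_spec, list_matches, check and RULES are this
       example's own.

```python
"""Toy evaluator for sudoers User_Spec lines: Runas_Spec and Tag_Spec defaults
that carry forward along a Cmnd_Spec_List, and last-match-wins evaluation."""
import re

# Each tag sets one boolean that later Cmnds inherit until the opposite tag.
TAG_EFFECT = {
    "NOPASSWD": ("passwd", False), "PASSWD": ("passwd", True),
    "NOEXEC": ("noexec", True), "EXEC": ("noexec", False),
    "SETENV": ("setenv", True), "NOSETENV": ("setenv", False),
    "LOG_INPUT": ("log_input", True), "NOLOG_INPUT": ("log_input", False),
    "LOG_OUTPUT": ("log_output", True), "NOLOG_OUTPUT": ("log_output", False),
}
DEFAULT_TAGS = {"passwd": True, "noexec": False, "setenv": False,
                "log_input": False, "log_output": False}
RUNAS_RE = re.compile(r"^\(\s*([^:)]*?)\s*(?::\s*([^)]*?))?\s*\)\s*(.*)$")
TAG_RE = re.compile(r"^(%s):\s*(.*)$" % "|".join(TAG_EFFECT))


def split_list(text):
    """Split a comma list, ignoring commas inside a parenthesised Runas_Spec."""
    parts, cur, depth = [], [], 0
    for ch in text:
        depth += (ch == "(") - (ch == ")")
        if ch == "," and depth == 0:
            parts.append("".join(cur).strip())
            cur = []
        else:
            cur.append(ch)
    parts.append("".join(cur).strip())
    return [p for p in parts if p]


def parse_user_spec(line):
    """Parse 'User_List Host_List = Cmnd_Spec_List' into one rule dict per Cmnd."""
    m = re.match(r"^\s*(.+?)\s+(\S+)\s*=\s*(.+?)\s*$", line)
    if not m:
        raise ValueError("not a User_Spec: %r" % line)
    users, hosts = split_list(m.group(1)), split_list(m.group(2))
    runas_users, runas_groups = ["root"], []   # no Runas_Spec: root, and no -g allowed
    tags = dict(DEFAULT_TAGS)
    rules = []
    for spec in split_list(m.group(3)):
        r = RUNAS_RE.match(spec)
        if r:                                  # a Runas_Spec is the default for what follows
            ulist, glist, spec = r.groups()
            runas_groups = split_list(glist or "")
            # empty first list + group list: run as the invoking user (stored as [])
            runas_users = split_list(ulist) if ulist else ([] if runas_groups else ["root"])
        while (t := TAG_RE.match(spec)):
            key, value = TAG_EFFECT[t.group(1)]
            tags[key] = value                  # inherited by the later Cmnds in the list
            spec = t.group(2)
        negated = spec.startswith("!")
        path, sep, args = spec.lstrip("!").partition(" ")
        # args: None = any arguments, "" = must run without arguments, else exact text
        args = None if not sep else ("" if args.strip() == '""' else args.strip())
        rules.append(dict(users=users, hosts=hosts, runas_users=runas_users,
                          runas_groups=runas_groups, tags=dict(tags),
                          path=path, args=args, negated=negated))
    return rules


def list_matches(items, value, groups):
    """Evaluate a User_List/Host_List/Runas_List: the last item that matches
    decides, and an odd number of '!' prefixes turns a match into a denial."""
    result = False
    for item in items:
        bangs = len(item) - len(item.lstrip("!"))
        item = item[bangs:]
        if item == "ALL":
            hit = True
        elif item.startswith("%"):             # %group, via a constructed user->groups map
            hit = item[1:] in groups.get(value, set())
        else:
            hit = item == value
        if hit:
            result = bangs % 2 == 0
    return result


def check(rules, user, host, path, args="", runas_user="root", runas_group=None, groups=None):
    """Apply every matching rule in order; the last match wins. Returns the tag
    dict of the winning rule, or None when the command is not permitted."""
    groups = groups or {}
    decision = None
    for r in rules:
        if not (list_matches(r["users"], user, groups) and list_matches(r["hosts"], host, {})):
            continue
        if not list_matches(r["runas_users"] or [user], runas_user, {}):
            continue
        if runas_group is not None and not list_matches(r["runas_groups"], runas_group, {}):
            continue
        if r["path"] != "ALL" and (r["path"] != path or (r["args"] is not None and r["args"] != args)):
            continue
        decision = None if r["negated"] else dict(r["tags"])
    return decision


# Constructed policy: the first four entries are the ones discussed on this page.
RULES = [rule for line in (
    "dgb boulder = (operator) /bin/ls, (root) /bin/kill, /usr/bin/lprm",
    "ray rushmore = NOPASSWD: /bin/kill, PASSWD: /bin/ls, /usr/bin/lprm",
    "alan ALL = (root, bin : operator, system) ALL",
    "tcm boulder = (:dialer) /usr/bin/tip, /usr/bin/cu",
    "%admin ALL = NOPASSWD: ALL",
    'bob ALL = PASSWD: /bin/ls ""',
) for rule in parse_user_spec(line)]
GROUPS = {"bob": {"admin"}}   # constructed group membership for the %admin entry
```

       The last two entries in RULES are constructed for this example and
       show why order matters: %admin grants NOPASSWD: ALL before bob's
       PASSWD: /bin/ls "" entry, so bob needs a password for a bare /bin/ls
       (the later entry matches and wins) but not for /bin/ls -l, which the
       later entry does not match because "" allows no arguments at all.
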
       NOEXEC and EXEC

       If sudo has been compiled with noexec support and the underlying
       operating system supports it, the NOEXEC tag can be used to prevent a
       dynamically-linked executable from running further commands itself.

       In the following example, user aaron may run /usr/bin/more and
       /usr/bin/vi but shell escapes will be disabled.

           aaron shanty = NOEXEC: /usr/bin/more, /usr/bin/vi

       See the "PREVENTING SHELL ESCAPES" section below for more details on
       how NOEXEC works and whether or not it will work on your system.

       SETENV and NOSETENV

       These tags override the value of the setenv option on a per-command
       basis. Note that if SETENV has been set for a command, the user may
       disable the env_reset option from the command line via the -E option.
       Additionally, environment variables set on the command line are not
       subject to the restrictions imposed by env_check, env_delete, or
       env_keep. As such, only trusted users should be allowed to set
       variables in this manner. If the command matched is ALL, the SETENV
       tag is implied for that command; this default may be overridden by use
       of the NOSETENV tag.

       LOG_INPUT and NOLOG_INPUT

       These tags override the value of the log_input option on a per-command
       basis. For more information, see the description of log_input in the
       "SUDOERS OPTIONS" section below.

       LOG_OUTPUT and NOLOG_OUTPUT

       These tags override the value of the log_output option on a per-command
       basis. For more information, see the description of log_output in the
       "SUDOERS OPTIONS" section below.

   Wildcards
       sudo allows shell-style wildcards (aka meta or glob characters) to be
       used in host names, path names and command line arguments in the
       sudoers file. Wildcard matching is done via the POSIX glob(3) and
       fnmatch(3) routines. Note that these are not regular expressions.

       *       Matches any set of zero or more characters.

       ?       Matches any single character.

       [...]   Matches any character in the specified range.

       [!...]  Matches any character not in the specified range.

       \x      For any character "x", evaluates to "x". This is used to
               escape special characters such as: "*", "?", "[", and "]".

       POSIX character classes may also be used if your system's glob(3) and
       fnmatch(3) functions support them. However, because the ':' character
       has special meaning in sudoers, it must be escaped. For example:

           /bin/ls [[\:alpha\:]]*

       Would match any file name beginning with a letter.

       Note that a forward slash ('/') will not be matched by wildcards used
       in the path name. When matching the command line arguments, however, a
       slash does get matched by wildcards. This is to make a path like:

           /usr/bin/*

       match /usr/bin/who but not /usr/bin/X11/xterm.

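       The path-versus-argument slash rule and the escaped POSIX class above,
       as an added Python matcher that is not sudo's code and not part of
       this manual: it translates a sudoers glob into a regular expression,
       with '*' and '?' stopping at '/' for the command path (as fnmatch(3)
       does with FNM_PATHNAME) but not for the arguments. Only the five POSIX
       classes listed in POSIX_CLASSES are understood, and the names
       glob_to_regex and command_matches are this example's own.

```python
"""Wildcard matching as sudoers applies it: globs in the command path never
match '/', globs in the command line arguments do, and POSIX character
classes are written with the ':' escaped."""
import re

# POSIX classes handled by this toy translator (the ':' may be written as '\:').
POSIX_CLASSES = {"alpha": "a-zA-Z", "digit": "0-9", "alnum": "a-zA-Z0-9",
                 "upper": "A-Z", "lower": "a-z"}


def glob_to_regex(pattern, pathname):
    """Translate a sudoers glob into a compiled regex. With pathname=True
    (command path matching) '*' and '?' stop at '/', as fnmatch(3) does with
    FNM_PATHNAME; with pathname=False (arguments) they match '/' as well."""
    # [:alpha:] or [\:alpha\:] inside a bracket expression becomes a range.
    pattern = re.sub(r"\[\\?:(\w+)\\?:\]",
                     lambda m: POSIX_CLASSES[m.group(1)], pattern)
    any_char = "[^/]" if pathname else "."
    out, i = [], 0
    while i < len(pattern):
        c = pattern[i]
        if c == "*":
            out.append(any_char + "*")
        elif c == "?":
            out.append(any_char)
        elif c == "\\" and i + 1 < len(pattern):      # \x matches the literal x
            i += 1
            out.append(re.escape(pattern[i]))
        elif c == "[" and "]" in pattern[i + 2:]:
            j = pattern.index("]", i + 2)
            body = pattern[i + 1:j]
            if body.startswith("!"):                  # [!...] negates the range
                body = "^" + body[1:]
            out.append("[" + body.replace("\\", "\\\\") + "]")
            i = j
        else:
            out.append(re.escape(c))
        i += 1
    return re.compile("^" + "".join(out) + "$")


def command_matches(cmnd, path, args=""):
    """Match a sudoers Cmnd ('file name' plus optional argument pattern)
    against a requested command path and its argument string."""
    file_pat, sep, arg_pat = cmnd.partition(" ")
    if not glob_to_regex(file_pat, pathname=True).match(path):
        return False
    if not sep:
        return True                               # no args in the Cmnd: any args allowed
    if arg_pat == '""':
        return args == ""                         # "": only without arguments
    return glob_to_regex(arg_pat, pathname=False).match(args) is not None


if __name__ == "__main__":
    print(command_matches("/usr/bin/*", "/usr/bin/who"))          # True
    print(command_matches("/usr/bin/*", "/usr/bin/X11/xterm"))    # False
    print(command_matches("/bin/cat /var/log/*", "/bin/cat",
                          "/var/log/nginx/access.log"))           # True: '/' matched in args
```

       The argument string is matched as a whole, which is why a pattern such
       as /var/log/* lets a slash through while the path pattern /usr/bin/*
       does not descend into /usr/bin/X11.
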
   Exceptions to wildcard rules
       The following exceptions apply to the above rules:

       ""      If the empty string "" is the only command line argument in the
               sudoers entry it means that command is not allowed to be run
               with any arguments.

   Including other files from within sudoers
       It is possible to include other sudoers files from within the sudoers
       file currently being parsed using the #include and #includedir
       directives.

       This can be used, for example, to keep a site-wide sudoers file in
       addition to a local, per-machine file. For the sake of this example
       the site-wide sudoers will be /etc/sudoers and the per-machine one will
       be /etc/sudoers.local. To include /etc/sudoers.local from within
       /etc/sudoers we would use the following line in /etc/sudoers:

           #include /etc/sudoers.local

       When sudo reaches this line it will suspend processing of the current
       file (/etc/sudoers) and switch to /etc/sudoers.local. Upon reaching
       the end of /etc/sudoers.local, the rest of /etc/sudoers will be
       processed. Files that are included may themselves include other files.
       A hard limit of 128 nested include files is enforced to prevent include
       file loops.

       The file name may include the %h escape, signifying the short form of
       the host name. I.e., if the machine's host name is "xerxes", then

           #include /etc/sudoers.%h

       will cause sudo to include the file /etc/sudoers.xerxes.

       The #includedir directive can be used to create a sudo.d directory that
       the system package manager can drop sudoers rules into as part of
       package installation. For example, given:

           #includedir /etc/sudoers.d

       sudo will read each file in /etc/sudoers.d, skipping file names that
       end in ~ or contain a . character to avoid causing problems with
       package manager or editor temporary/backup files. Files are parsed in
       sorted lexical order. That is, /etc/sudoers.d/01_first will be parsed
       before /etc/sudoers.d/10_second. Be aware that because the sorting is
       lexical, not numeric, /etc/sudoers.d/1_whoops would be loaded after
       /etc/sudoers.d/10_second. Using a consistent number of leading zeroes
       in the file names can be used to avoid such problems.

       Note that unlike files included via #include, visudo will not edit the
       files in a #includedir directory unless one of them contains a syntax
       error. It is still possible to run visudo with the -f flag to edit the
       files directly.

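       The include processing described above (suspend, switch, resume; %h
       expansion; #includedir filtering and lexical order; the 128-level
       nesting limit), as an added Python model that is not sudo's
       implementation and not part of this manual. It reads from a
       constructed in-memory map instead of the file system, where a
       directory entry holds the list of file names; the names expand,
       includedir_files and TREE are this example's own.

```python
"""How sudoers resolves #include and #includedir: %h expands to the short
host name, an #includedir is read in lexical order with backup and temporary
file names skipped, and nesting deeper than 128 files is refused."""
import posixpath

MAX_INCLUDE_DEPTH = 128


def includedir_files(names):
    """Files sudo parses from an #includedir, in parse order: names ending in
    '~' or containing a '.' are skipped; the rest are sorted lexically, so
    '1_whoops' sorts after '10_second'."""
    return sorted(n for n in names if not n.endswith("~") and "." not in n)


def expand(files, path, hostname, depth=0):
    """Flatten a sudoers file tree into the lines sudo would process, in order.
    `files` is a constructed map: path -> list of lines, or, for a directory,
    path -> list of file names (an assumption of this toy; sudo reads disk)."""
    if depth >= MAX_INCLUDE_DEPTH:
        raise RuntimeError("too many levels of includes at %s" % path)
    out = []
    for line in files[path]:
        if line.startswith("#includedir "):
            d = line.split(None, 1)[1].strip()
            for name in includedir_files(files.get(d, [])):
                out += expand(files, posixpath.join(d, name), hostname, depth + 1)
        elif line.startswith("#include "):
            # %h is the short host name; the current file is suspended, the
            # included one processed, then the rest of the current file.
            target = line.split(None, 1)[1].strip().replace("%h", hostname.split(".")[0])
            out += expand(files, target, hostname, depth + 1)
        else:
            out.append(line)
    return out


# Constructed tree (not taken from any real system).
TREE = {
    "/etc/sudoers": ["Defaults env_reset", "#include /etc/sudoers.%h",
                     "#includedir /etc/sudoers.d", "root ALL = (ALL) ALL"],
    "/etc/sudoers.xerxes": ["alice xerxes = /bin/ls"],
    "/etc/sudoers.d": ["10_second", "1_whoops", "01_first", "README.txt", "99_local~"],
    "/etc/sudoers.d/01_first": ["bob ALL = /bin/kill"],
    "/etc/sudoers.d/10_second": ["carol ALL = /bin/ls"],
    "/etc/sudoers.d/1_whoops": ["carol ALL = PASSWD: /bin/ls"],
    "/etc/sudoers.d/README.txt": ["this is never parsed"],
    "/etc/sudoers.d/99_local~": ["neither is this"],
    # two files that include each other, to show the nesting limit:
    "/etc/loop_a": ["#include /etc/loop_b"],
    "/etc/loop_b": ["#include /etc/loop_a"],
}

if __name__ == "__main__":
    for line in expand(TREE, "/etc/sudoers", "xerxes.example.com"):
        print(line)
```

       Because 1_whoops is parsed after 10_second, and the last match wins,
       carol's PASSWD entry from 1_whoops is the one that takes effect for
       /bin/ls; that is the ordering surprise the text above warns about.
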
! 590: OOtthheerr ssppeecciiaall cchhaarraacctteerrss aanndd rreesseerrvveedd wwoorrddss
! 591: The pound sign ('#') is used to indicate a comment (unless it is part
! 592: of a #include directive or unless it occurs in the context of a user
! 593: name and is followed by one or more digits, in which case it is treated
! 594: as a uid). Both the comment character and any text after it, up to the
! 595: end of the line, are ignored.
! 596:
! 597: The reserved word AALLLL is a built-in _a_l_i_a_s that always causes a match to
! 598: succeed. It can be used wherever one might otherwise use a Cmnd_Alias,
! 599: User_Alias, Runas_Alias, or Host_Alias. You should not try to define
! 600: your own _a_l_i_a_s called AALLLL as the built-in alias will be used in
! 601: preference to your own. Please note that using AALLLL can be dangerous
! 602: since in a command context, it allows the user to run aannyy command on
! 603: the system.
! 604:
! 605: An exclamation point ('!') can be used as a logical _n_o_t operator both
! 606: in an _a_l_i_a_s and in front of a Cmnd. This allows one to exclude certain
! 607: values. Note, however, that using a ! in conjunction with the built-in
! 608: ALL alias to allow a user to run "all but a few" commands rarely works
! 609: as intended (see SECURITY NOTES below).
! 610:
! 611: Long lines can be continued with a backslash ('\') as the last
! 612: character on the line.
! 613:
! 614: Whitespace between elements in a list as well as special syntactic
! 615: characters in a _U_s_e_r _S_p_e_c_i_f_i_c_a_t_i_o_n ('=', ':', '(', ')') is optional.
! 616:
! 617: The following characters must be escaped with a backslash ('\') when
! 618: used as part of a word (e.g. a user name or host name): '!', '=', ':',
! 619: ',', '(', ')', '\'.

SUDOERS OPTIONS
    sudo's behavior can be modified by Default_Entry lines, as explained
    earlier. A list of all supported Defaults parameters, grouped by type,
    is given below.

   Boolean Flags:

    always_set_home  If enabled, sudo will set the HOME environment variable
                     to the home directory of the target user (which is root
                     unless the -u option is used). This effectively means
                     that the -H option is always implied. Note that HOME
                     is already set when the env_reset option is enabled,
                     so always_set_home is only effective for
                     configurations where either env_reset is disabled or
                     HOME is present in the env_keep list. This flag is off
                     by default.

    authenticate     If set, users must authenticate themselves via a
                     password (or other means of authentication) before they
                     may run commands. This default may be overridden via
                     the PASSWD and NOPASSWD tags. This flag is on by
                     default.

    closefrom_override
                     If set, the user may use sudo's -C option which
                     overrides the default starting point at which sudo
                     begins closing open file descriptors. This flag is off
                     by default.

    compress_io      If set, and sudo is configured to log a command's input
                     or output, the I/O logs will be compressed using zlib.
                     This flag is on by default when sudo is compiled with
                     zlib support.

    env_editor       If set, visudo will use the value of the EDITOR or
                     VISUAL environment variables before falling back on the
                     default editor list. Note that this may create a
                     security hole as it allows the user to run any
                     arbitrary command as root without logging. A safer
                     alternative is to place a colon-separated list of
                     editors in the editor variable. visudo will then only
                     use the EDITOR or VISUAL if they match a value
                     specified in editor. This flag is off by default.

    env_reset        If set, sudo will reset the environment to only contain
                     the LOGNAME, MAIL, SHELL, USER, USERNAME and the SUDO_*
                     variables. Any variables in the caller's environment
                     that match the env_keep and env_check lists are then
                     added. The default contents of the env_keep and
                     env_check lists are displayed when sudo is run by root
                     with the -V option. If the secure_path option is set,
                     its value will be used for the PATH environment
                     variable. This flag is on by default.

    fast_glob        Normally, sudo uses the glob(3) function to do shell-
                     style globbing when matching path names. However,
                     since it accesses the file system, glob(3) can take a
                     long time to complete for some patterns, especially
                     when the pattern references a network file system that
                     is mounted on demand (automounted). The fast_glob
                     option causes sudo to use the fnmatch(3) function,
                     which does not access the file system to do its
                     matching. The disadvantage of fast_glob is that it is
                     unable to match relative path names such as ./ls or
                     ../bin/ls. This has security implications when path
                     names that include globbing characters are used with
                     the negation operator, '!', as such rules can be
                     trivially bypassed. As such, this option should not be
                     used when sudoers contains rules that contain negated
                     path names which include globbing characters. This
                     flag is off by default.

    fqdn             Set this flag if you want to put fully qualified host
                     names in the sudoers file. I.e., instead of myhost you
                     would use myhost.mydomain.edu. You may still use the
                     short form if you wish (and even mix the two). Beware
                     that turning on fqdn requires sudo to make DNS lookups
                     which may make sudo unusable if DNS stops working (for
                     example if the machine is not plugged into the
                     network). Also note that you must use the host's
                     official name as DNS knows it. That is, you may not
                     use a host alias (CNAME entry) due to performance
                     issues and the fact that there is no way to get all
                     aliases from DNS. If your machine's host name (as
                     returned by the hostname command) is already fully
                     qualified you shouldn't need to set fqdn. This flag is
                     off by default.

    ignore_dot       If set, sudo will ignore '.' or '' (current dir) in the
                     PATH environment variable; the PATH itself is not
                     modified. This flag is off by default.
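
                     The PATH search with and without ignore_dot, as an
                     added example written for this page (not sudo's own
                     lookup code). It runs against a constructed stand-in
                     for the file system; the point it makes is that an
                     empty PATH component (a leading or trailing ':' or a
                     '::') means the current directory just like an
                     explicit '.'.

```python
import os
from typing import Callable, List, Optional

IsExec = Callable[[str], bool]


def path_entries(path: str) -> List[str]:
    """Split a PATH string; an empty component (leading/trailing ':' or '::')
    is the current directory, exactly like an explicit '.'."""
    return path.split(":")


def find_command(cmd: str, path: str, ignore_dot: bool,
                 is_exec: Optional[IsExec] = None) -> Optional[str]:
    """Resolve cmd the way a PATH search does, honouring the ignore_dot flag.

    The caller's PATH is left untouched; '.' and '' entries are merely skipped
    while searching when ignore_dot is set. A cmd containing '/' is taken as a
    path and PATH is not consulted.
    """
    if is_exec is None:
        # Real check: a regular file with the execute bit set.
        is_exec = lambda p: os.path.isfile(p) and os.access(p, os.X_OK)
    if "/" in cmd:
        return cmd if is_exec(cmd) else None
    for entry in path_entries(path):
        if ignore_dot and entry in ("", "."):
            continue
        candidate = os.path.join(entry or ".", cmd)
        if is_exec(candidate):
            return candidate
    return None


# Constructed stand-in for the file system: the only executables that "exist".
FAKE_FS = {"./ls", "/usr/bin/ls"}
fake_exec: IsExec = lambda p: p in FAKE_FS


def lookup(cmd: str, path: str, ignore_dot: bool) -> Optional[str]:
    """find_command() against the constructed file system above."""
    return find_command(cmd, path, ignore_dot, is_exec=fake_exec)


if __name__ == "__main__":
    # A leading ':' silently puts the current directory first in the search.
    print(lookup("ls", ":/usr/bin", ignore_dot=False))   # ./ls
    print(lookup("ls", ":/usr/bin", ignore_dot=True))    # /usr/bin/ls
```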

    ignore_local_sudoers
                     If set via LDAP, parsing of /etc/sudoers will be
                     skipped. This is intended for enterprises that wish to
                     prevent the usage of local sudoers files so that only
                     LDAP is used. This thwarts the efforts of rogue
                     operators who would attempt to add roles to
                     /etc/sudoers. When this option is present,
                     /etc/sudoers does not even need to exist. Since this
                     option tells sudo how to behave when no specific LDAP
                     entries have been matched, this sudoOption is only
                     meaningful for the cn=defaults section. This flag is
                     off by default.

    insults          If set, sudo will insult users when they enter an
                     incorrect password. This flag is off by default.

    log_host         If set, the host name will be logged in the (non-
                     syslog) sudo log file. This flag is off by default.

    log_input        If set, sudo will run the command in a pseudo tty and
                     log all user input. If the standard input is not
                     connected to the user's tty, due to I/O redirection or
                     because the command is part of a pipeline, that input
                     is also captured and stored in a separate log file.

                     Input is logged to the directory specified by the
                     iolog_dir option (/var/log/sudo-io by default) using a
                     unique session ID that is included in the normal sudo
                     log line, prefixed with TSID=. The iolog_file option
                     may be used to control the format of the session ID.

                     Note that user input may contain sensitive information
                     such as passwords (even if they are not echoed to the
                     screen), which will be stored in the log file
                     unencrypted. In most cases, logging the command output
                     via log_output is all that is required.

    log_output       If set, sudo will run the command in a pseudo tty and
                     log all output that is sent to the screen, similar to
                     the script(1) command. If the standard output or
                     standard error is not connected to the user's tty, due
                     to I/O redirection or because the command is part of a
                     pipeline, that output is also captured and stored in
                     separate log files.

                     Output is logged to the directory specified by the
                     iolog_dir option (/var/log/sudo-io by default) using a
                     unique session ID that is included in the normal sudo
                     log line, prefixed with TSID=. The iolog_file option
                     may be used to control the format of the session ID.

                     Output logs may be viewed with the sudoreplay(1m)
                     utility, which can also be used to list or search the
                     available logs.

    log_year         If set, the four-digit year will be logged in the (non-
                     syslog) sudo log file. This flag is off by default.

    long_otp_prompt  When validating with a One Time Password (OTP) scheme
                     such as S/Key or OPIE, a two-line prompt is used to
                     make it easier to cut and paste the challenge to a
                     local window. It's not as pretty as the default but
                     some people find it more convenient. This flag is off
                     by default.

    mail_always      Send mail to the mailto user every time a user runs
                     sudo. This flag is off by default.

    mail_badpass     Send mail to the mailto user if the user running sudo
                     does not enter the correct password. This flag is off
                     by default.

    mail_no_host     If set, mail will be sent to the mailto user if the
                     invoking user exists in the sudoers file, but is not
                     allowed to run commands on the current host. This flag
                     is off by default.

    mail_no_perms    If set, mail will be sent to the mailto user if the
                     invoking user is allowed to use sudo but the command
                     they are trying is not listed in their sudoers file
                     entry or is explicitly denied. This flag is off by
                     default.

    mail_no_user     If set, mail will be sent to the mailto user if the
                     invoking user is not in the sudoers file. This flag is
                     on by default.

    noexec           If set, all commands run via sudo will behave as if the
                     NOEXEC tag has been set, unless overridden by an EXEC
                     tag. See the description of NOEXEC and EXEC below as
                     well as the "PREVENTING SHELL ESCAPES" section at the
                     end of this manual. This flag is off by default.

    path_info        Normally, sudo will tell the user when a command could
                     not be found in their PATH environment variable. Some
                     sites may wish to disable this as it could be used to
                     gather information on the location of executables that
                     the normal user does not have access to. The
                     disadvantage is that if the executable is simply not in
                     the user's PATH, sudo will tell the user that they are
                     not allowed to run it, which can be confusing. This
                     flag is on by default.

    passprompt_override
                     The password prompt specified by passprompt will
                     normally only be used if the password prompt provided
                     by systems such as PAM matches the string "Password:".
                     If passprompt_override is set, passprompt will always
                     be used. This flag is off by default.

    preserve_groups  By default, sudo will initialize the group vector to
                     the list of groups the target user is in. When
                     preserve_groups is set, the user's existing group
                     vector is left unaltered. The real and effective group
                     IDs, however, are still set to match the target user.
                     This flag is off by default.

    pwfeedback       By default, sudo reads the password like most other
                     Unix programs, by turning off echo until the user hits
                     the return (or enter) key. Some users become confused
                     by this as it appears to them that sudo has hung at
                     this point. When pwfeedback is set, sudo will provide
                     visual feedback when the user presses a key. Note that
                     this does have a security impact as an onlooker may be
                     able to determine the length of the password being
                     entered. This flag is off by default.

    requiretty       If set, sudo will only run when the user is logged in
                     to a real tty. When this flag is set, sudo can only be
                     run from a login session and not via other means such
                     as cron(1m) or cgi-bin scripts. This flag is off by
                     default.

    root_sudo        If set, root is allowed to run sudo too. Disabling
                     this prevents users from "chaining" sudo commands to
                     get a root shell by doing something like "sudo sudo
                     /bin/sh". Note, however, that turning off root_sudo
                     will also prevent root from running sudoedit.
                     Disabling root_sudo provides no real additional
                     security; it exists purely for historical reasons.
                     This flag is on by default.

    rootpw           If set, sudo will prompt for the root password instead
                     of the password of the invoking user. This flag is off
                     by default.

    runaspw          If set, sudo will prompt for the password of the user
                     defined by the runas_default option (defaults to root)
                     instead of the password of the invoking user. This
                     flag is off by default.

    set_home         If enabled and sudo is invoked with the -s option the
                     HOME environment variable will be set to the home
                     directory of the target user (which is root unless the
                     -u option is used). This effectively makes the -s
                     option imply -H. Note that HOME is already set when
                     the env_reset option is enabled, so set_home is
                     only effective for configurations where either
                     env_reset is disabled or HOME is present in the
                     env_keep list. This flag is off by default.

    set_logname      Normally, sudo will set the LOGNAME, USER and USERNAME
                     environment variables to the name of the target user
                     (usually root unless the -u option is given). However,
                     since some programs (including the RCS revision control
                     system) use LOGNAME to determine the real identity of
                     the user, it may be desirable to change this behavior.
                     This can be done by negating the set_logname option.
                     Note that if the env_reset option has not been
                     disabled, entries in the env_keep list will override
                     the value of set_logname. This flag is on by default.

    set_utmp         When enabled, sudo will create an entry in the utmp (or
                     utmpx) file when a pseudo-tty is allocated. A pseudo-
                     tty is allocated by sudo when the log_input, log_output
                     or use_pty flags are enabled. By default, the new
                     entry will be a copy of the user's existing utmp entry
                     (if any), with the tty, time, type and pid fields
                     updated. This flag is on by default.

    setenv           Allow the user to disable the env_reset option from the
                     command line via the -E option. Additionally,
                     environment variables set via the command line are not
                     subject to the restrictions imposed by env_check,
                     env_delete, or env_keep. As such, only trusted users
                     should be allowed to set variables in this manner.
                     This flag is off by default.

    shell_noargs     If set and sudo is invoked with no arguments it acts as
                     if the -s option had been given. That is, it runs a
                     shell as root (the shell is determined by the SHELL
                     environment variable if it is set, falling back on the
                     shell listed in the invoking user's /etc/passwd entry
                     if not). This flag is off by default.

    stay_setuid      Normally, when sudo executes a command the real and
                     effective UIDs are set to the target user (root by
                     default). This option changes that behavior such that
                     the real UID is left as the invoking user's UID. In
                     other words, this makes sudo act as a setuid wrapper.
                     This can be useful on systems that disable some
                     potentially dangerous functionality when a program is
                     run setuid. This option is only effective on systems
                     with either the setreuid() or setresuid() function.
                     This flag is off by default.

    targetpw         If set, sudo will prompt for the password of the user
                     specified by the -u option (defaults to root) instead
                     of the password of the invoking user. In addition, the
                     timestamp file name will include the target user's
                     name. Note that this flag precludes the use of a uid
                     not listed in the passwd database as an argument to the
                     -u option. This flag is off by default.

    tty_tickets      If set, users must authenticate on a per-tty basis.
                     With this flag enabled, sudo will use a file named for
                     the tty the user is logged in on in the user's time
                     stamp directory. If disabled, the time stamp of the
                     directory is used instead. This flag is on by default.

    umask_override   If set, sudo will set the umask as specified by sudoers
                     without modification. This makes it possible to
                     specify a more permissive umask in sudoers than the
                     user's own umask and matches historical behavior. If
                     umask_override is not set, sudo will set the umask to
                     be the union of the user's umask and what is specified
                     in sudoers. This flag is off by default.

    use_loginclass   If set, sudo will apply the defaults specified for the
                     target user's login class if one exists. Only
                     available if sudo is configured with the
                     --with-logincap option. This flag is off by default.

    use_pty          If set, sudo will run the command in a pseudo-pty even
                     if no I/O logging is being done. A malicious program
                     run under sudo could conceivably fork a background
                     process that retains access to the user's terminal
                     device after the main program has finished executing.
                     Use of this option will make that impossible. This
                     flag is off by default.

    utmp_runas       If set, sudo will store the name of the runas user when
                     updating the utmp (or utmpx) file. By default, sudo
                     stores the name of the invoking user. This flag is off
                     by default.

    visiblepw        By default, sudo will refuse to run if the user must
                     enter a password but it is not possible to disable echo
                     on the terminal. If the visiblepw flag is set, sudo
                     will prompt for a password even when it would be
                     visible on the screen. This makes it possible to run
                     things like "rsh somehost sudo ls" since rsh(1) does
                     not allocate a tty. This flag is off by default.

   Integers:

    closefrom        Before it executes a command, sudo will close all open
                     file descriptors other than standard input, standard
                     output and standard error (i.e., file descriptors 0-2).
                     The closefrom option can be used to specify a different
                     file descriptor at which to start closing. The default
                     is 3.

    passwd_tries     The number of tries a user gets to enter his/her
                     password before sudo logs the failure and exits. The
                     default is 3.

   Integers that can be used in a boolean context:

    loglinelen       Number of characters per line for the file log. This
                     value is used to decide when to wrap lines for nicer
                     log files. This has no effect on the syslog log file,
                     only the file log. The default is 80 (use 0 or negate
                     the option to disable word wrap).

    passwd_timeout   Number of minutes before the sudo password prompt times
                     out, or 0 for no timeout. The timeout may include a
                     fractional component if minute granularity is
                     insufficient, for example 2.5. The default is 5.

    timestamp_timeout
                     Number of minutes that can elapse before sudo will ask
                     for a password again. The timeout may include a
                     fractional component if minute granularity is
                     insufficient, for example 2.5. The default is 5. Set
                     this to 0 to always prompt for a password. If set to a
                     value less than 0 the user's timestamp will never
                     expire. This can be used to allow users to create or
                     delete their own timestamps via sudo -v and sudo -k
                     respectively.

    umask            Umask to use when running the command. Negate this
                     option or set it to 0777 to preserve the user's umask.
                     The actual umask that is used will be the union of the
                     user's umask and the value of the umask option, which
                     defaults to 0022. This guarantees that sudo never
                     lowers the umask when running a command. Note on
                     systems that use PAM, the default PAM configuration may
                     specify its own umask which will override the value set
                     in sudoers.

   Strings:

    badpass_message  Message that is displayed if a user enters an incorrect
                     password. The default is "Sorry, try again." unless
                     insults are enabled.

    editor           A colon (':') separated list of editors allowed to be
                     used with visudo. visudo will choose the editor that
                     matches the user's EDITOR environment variable if
                     possible, or the first editor in the list that exists
                     and is executable. The default is "vi".

    iolog_dir        The top-level directory to use when constructing the
                     path name for the input/output log directory. Only
                     used if the log_input or log_output options are enabled
                     or when the LOG_INPUT or LOG_OUTPUT tags are present
                     for a command. The session sequence number, if any, is
                     stored in the directory. The default is
                     "/var/log/sudo-io".

                     The following percent ('%') escape sequences are
                     supported:

                     %{seq}
                         expanded to a monotonically increasing base-36
                         sequence number, such as 0100A5, where every two
                         digits are used to form a new directory, e.g.
                         01/00/A5

                     %{user}
                         expanded to the invoking user's login name

                     %{group}
                         expanded to the name of the invoking user's real
                         group ID

                     %{runas_user}
                         expanded to the login name of the user the command
                         will be run as (e.g. root)

                     %{runas_group}
                         expanded to the group name of the user the command
                         will be run as (e.g. wheel)

                     %{hostname}
                         expanded to the local host name without the domain
                         name

                     %{command}
                         expanded to the base name of the command being run

                     In addition, any escape sequences supported by the
                     system's strftime() function will be expanded.

                     To include a literal '%' character, the string '%%'
                     should be used.

    iolog_file       The path name, relative to iolog_dir, in which to store
                     input/output logs when the log_input or log_output
                     options are enabled or when the LOG_INPUT or LOG_OUTPUT
                     tags are present for a command. Note that iolog_file
                     may contain directory components. The default is
                     "%{seq}".

                     See the iolog_dir option above for a list of supported
                     percent ('%') escape sequences.

                     In addition to the escape sequences, path names that
                     end in six or more Xs will have the Xs replaced with a
                     unique combination of digits and letters, similar to
                     the mktemp() function.

    mailsub          Subject of the mail sent to the mailto user. The escape
                     %h will expand to the host name of the machine. The
                     default is "*** SECURITY information for %h ***".

    noexec_file      This option is deprecated and will be removed in a
                     future release of sudo. The path to the noexec file
                     should now be set in the /etc/sudo.conf file.

    passprompt       The default prompt to use when asking for a password;
                     can be overridden via the -p option or the SUDO_PROMPT
                     environment variable. The following percent ('%')
                     escape sequences are supported:

                     %H  expanded to the local host name including the
                         domain name (only if the machine's host name is
                         fully qualified or the fqdn option is set)

                     %h  expanded to the local host name without the domain
                         name

                     %p  expanded to the user whose password is being asked
                         for (respects the rootpw, targetpw and runaspw
                         flags in sudoers)

                     %U  expanded to the login name of the user the command
                         will be run as (defaults to root)

                     %u  expanded to the invoking user's login name

                     %%  two consecutive % characters are collapsed into a
                         single % character

                     The default value is "Password:".
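
                     The escape expansion described for iolog_dir and
                     iolog_file above and for passprompt here, as one added
                     example written for this page (it is not sudo's own
                     code). It shows the base-36 %{seq} being split into
                     01/00/A5-style directories, strftime() escapes and '%%'
                     being handled in the same pass, and %p following the
                     rootpw/runaspw/targetpw flags. The Session fields, the
                     sample values and the flag precedence used for %p are
                     assumptions of the example.

```python
import re
import string
from dataclasses import dataclass
from datetime import datetime

BASE36 = string.digits + string.ascii_uppercase


def seq_to_base36(seq: int, width: int = 6) -> str:
    """Render the session sequence number as zero-padded base-36, e.g. 0100A5."""
    digits = ""
    while seq:
        seq, rem = divmod(seq, 36)
        digits = BASE36[rem] + digits
    return digits.rjust(width, "0")


def seq_to_dirs(seq36: str) -> str:
    """Turn every two base-36 digits into a directory: 0100A5 -> 01/00/A5."""
    return "/".join(seq36[i:i + 2] for i in range(0, len(seq36), 2))


@dataclass
class Session:
    """Values the escapes draw on (constructed; the field names are ours)."""
    user: str            # invoking user
    group: str           # invoking user's real group
    runas_user: str      # user the command runs as (-u, default root)
    runas_group: str     # that user's group
    hostname: str        # fully qualified local host name (assumed)
    command: str         # full path of the command being run
    seq: int             # session sequence number
    rootpw: bool = False
    targetpw: bool = False
    runaspw: bool = False
    runas_default: str = "root"


def expand_iolog(template: str, s: Session, now: datetime) -> str:
    """Expand the %{name} escapes of iolog_dir/iolog_file in a single pass.

    '%%' becomes a literal '%' and any other '%X' is handed to strftime(), so
    a value substituted for %{...} is never re-scanned for escapes.
    """
    values = {
        "seq": seq_to_dirs(seq_to_base36(s.seq)),
        "user": s.user,
        "group": s.group,
        "runas_user": s.runas_user,
        "runas_group": s.runas_group,
        "hostname": s.hostname.split(".")[0],
        "command": s.command.rsplit("/", 1)[-1],
    }
    out, i = [], 0
    while i < len(template):
        if template[i] != "%" or i + 1 == len(template):
            out.append(template[i])
            i += 1
        elif template[i + 1] == "%":
            out.append("%")
            i += 2
        elif template[i + 1] == "{" and "}" in template[i:]:
            end = template.index("}", i)
            out.append(values[template[i + 2:end]])
            i = end + 1
        else:
            out.append(now.strftime(template[i:i + 2]))   # e.g. %Y, %m, %d
            i += 2
    return "".join(out)


def expand_passprompt(template: str, s: Session) -> str:
    """Expand the single-letter escapes of passprompt.

    %p follows the rootpw, runaspw and targetpw flags; the precedence used
    here (rootpw, then runaspw, then targetpw) is our assumption, the text
    only says that %p respects the three flags.
    """
    if s.rootpw:
        whose = "root"
    elif s.runaspw:
        whose = s.runas_default
    elif s.targetpw:
        whose = s.runas_user
    else:
        whose = s.user
    table = {"H": s.hostname, "h": s.hostname.split(".")[0], "p": whose,
             "U": s.runas_user, "u": s.user, "%": "%"}
    # An escape that is not in the table is left as written (assumption).
    return re.sub(r"%(.)", lambda m: table.get(m.group(1), m.group(0)), template)


# Constructed sample session and timestamp, not captured from a real system.
SAMPLE = Session(user="alice", group="staff", runas_user="postgres",
                 runas_group="postgres", hostname="db1.example.com",
                 command="/usr/bin/psql", seq=1679981)
SAMPLE_TIME = datetime(2012, 5, 1)
```

For example, expand_iolog("%{hostname}/%{user}/%Y%m/%{seq}", SAMPLE, SAMPLE_TIME) yields db1/alice/201205/01/00/A5.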

    role             The default SELinux role to use when constructing a new
                     security context to run the command. The default role
                     may be overridden on a per-command basis in sudoers or
                     via command line options. This option is only
                     available when sudo is built with SELinux support.

    runas_default    The default user to run commands as if the -u option is
                     not specified on the command line. This defaults to
                     root.

    syslog_badpri    Syslog priority to use when user authenticates
                     unsuccessfully. Defaults to alert.

                     The following syslog priorities are supported: alert,
                     crit, debug, emerg, err, info, notice, and warning.

    syslog_goodpri   Syslog priority to use when user authenticates
                     successfully. Defaults to notice.

                     See syslog_badpri for the list of supported syslog
                     priorities.

    sudoers_locale   Locale to use when parsing the sudoers file, logging
                     commands, and sending email. Note that changing the
                     locale may affect how sudoers is interpreted. Defaults
                     to "C".

    timestampdir     The directory in which sudo stores its timestamp files.
                     The default is /var/adm/sudo.

    timestampowner   The owner of the timestamp directory and the timestamps
                     stored therein. The default is root.

    type             The default SELinux type to use when constructing a new
                     security context to run the command. The default type
                     may be overridden on a per-command basis in sudoers or
                     via command line options. This option is only
                     available when sudo is built with SELinux support.

   Strings that can be used in a boolean context:

    env_file     The env_file option specifies the fully qualified path to
                 a file containing variables to be set in the environment of
                 the program being run. Entries in this file should either
                 be of the form VARIABLE=value or export VARIABLE=value.
                 The value may optionally be surrounded by single or double
                 quotes. Variables in this file are subject to other sudo
                 environment settings such as env_keep and env_check.

    exempt_group
                 Users in this group are exempt from password and PATH
                 requirements. The group name specified should not include
                 a % prefix. This is not set by default.

    group_plugin
                 A string containing a sudoers group plugin with optional
                 arguments. This can be used to implement support for the
                 nonunix_group syntax described earlier. The string should
                 consist of the plugin path, either fully-qualified or
                 relative to the /usr/local/libexec directory, followed by
                 any configuration arguments the plugin requires. These
                 arguments (if any) will be passed to the plugin's
                 initialization function. If arguments are present, the
                 string must be enclosed in double quotes (").

                 For example, given /etc/sudo-group, a group file in Unix
                 group format, the sample group plugin can be used:

                     Defaults group_plugin="sample_group.so /etc/sudo-group"

                 For more information see sudo_plugin(4).

    lecture      This option controls when a short lecture will be printed
                 along with the password prompt. It has the following
                 possible values:

                 always  Always lecture the user.

                 never   Never lecture the user.

                 once    Only lecture the user the first time they run sudo.

                 If no value is specified, a value of once is implied.
                 Negating the option results in a value of never being used.
                 The default value is once.

    lecture_file
                 Path to a file containing an alternate sudo lecture that
                 will be used in place of the standard lecture if the named
                 file exists. By default, sudo uses a built-in lecture.

    listpw       This option controls when a password will be required when
                 a user runs sudo with the -l option. It has the following
                 possible values:

                 all     All the user's sudoers entries for the current host
                         must have the NOPASSWD flag set to avoid entering a
                         password.

                 always  The user must always enter a password to use the -l
                         option.

                 any     At least one of the user's sudoers entries for the
                         current host must have the NOPASSWD flag set to
                         avoid entering a password.

                 never   The user need never enter a password to use the -l
                         option.

                 If no value is specified, a value of any is implied.
                 Negating the option results in a value of never being used.
                 The default value is any.

    logfile      Path to the sudo log file (not the syslog log file).
                 Setting a path turns on logging to a file; negating this
                 option turns it off. By default, sudo logs via syslog.

    mailerflags  Flags to use when invoking mailer. Defaults to -t.

    mailerpath   Path to mail program used to send warning mail. Defaults
                 to the path to sendmail found at configure time.

    mailfrom     Address to use for the "from" address when sending warning
                 and error mail. The address should be enclosed in double
                 quotes (") to protect against sudo interpreting the @ sign.
                 Defaults to the name of the user running sudo.

    mailto       Address to send warning and error mail to. The address
                 should be enclosed in double quotes (") to protect against
                 sudo interpreting the @ sign. Defaults to root.

    secure_path  Path used for every command run from sudo. If you don't
                 trust the people running sudo to have a sane PATH
                 environment variable you may want to use this. Another use
                 is if you want to have the "root path" be separate from the
                 "user path". Users in the group specified by the
                 exempt_group option are not affected by secure_path. This
                 option is not set by default.

    syslog       Syslog facility if syslog is being used for logging (negate
                 to disable syslog logging). Defaults to auth.

                 The following syslog facilities are supported: authpriv (if
                 your OS supports it), auth, daemon, user, local0, local1,
                 local2, local3, local4, local5, local6, and local7.

    verifypw     This option controls when a password will be required when
                 a user runs sudo with the -v option. It has the following
                 possible values:

                 all     All the user's sudoers entries for the current host
                         must have the NOPASSWD flag set to avoid entering a
                         password.

                 always  The user must always enter a password to use the -v
                         option.

                 any     At least one of the user's sudoers entries for the
                         current host must have the NOPASSWD flag set to
                         avoid entering a password.

                 never   The user need never enter a password to use the -v
                         option.

                 If no value is specified, a value of all is implied.
                 Negating the option results in a value of never being used.
                 The default value is all.

   Lists that can be used in a boolean context:

    env_check        Environment variables to be removed from the user's
                     environment if the variable's value contains % or /
                     characters. This can be used to guard against printf-
                     style format vulnerabilities in poorly-written
                     programs. The argument may be a double-quoted, space-
                     separated list or a single value without double-quotes.
                     The list can be replaced, added to, deleted from, or
                     disabled by using the =, +=, -=, and ! operators
                     respectively. Regardless of whether the env_reset
                     option is enabled or disabled, variables specified by
                     env_check will be preserved in the environment if they
                     pass the aforementioned check. The default list of
                     environment variables to check is displayed when sudo
                     is run by root with the -V option.

    env_delete       Environment variables to be removed from the user's
                     environment when the env_reset option is not in effect.
                     The argument may be a double-quoted, space-separated
                     list or a single value without double-quotes. The list
                     can be replaced, added to, deleted from, or disabled by
                     using the =, +=, -=, and ! operators respectively. The
                     default list of environment variables to remove is
                     displayed when sudo is run by root with the -V option.
                     Note that many operating systems will remove
                     potentially dangerous variables from the environment of
                     any setuid process (such as sudo).
! 1316:
! 1317: env_keep Environment variables to be preserved in the user's
! 1318: environment when the _e_n_v___r_e_s_e_t option is in effect.
! 1319: This allows fine-grained control over the environment
! 1320: ssuuddoo-spawned processes will receive. The argument may
! 1321: be a double-quoted, space-separated list or a single
! 1322: value without double-quotes. The list can be replaced,
! 1323: added to, deleted from, or disabled by using the =, +=,
! 1324: -=, and ! operators respectively. The default list of
! 1325: variables to keep is displayed when ssuuddoo is run by root
! 1326: with the _-_V option.

FILES
    /etc/sudoers          List of who can run what

    /etc/group            Local groups file

    /etc/netgroup         List of network groups

    /var/log/sudo-io      I/O log files

    /var/adm/sudo         Directory containing time stamps for the
                          sudoers security policy

    /etc/environment      Initial environment for -i mode on Linux and
                          AIX

EXAMPLES
    Below are example sudoers entries.  Admittedly, some of these are a bit
    contrived.  First, we allow a few environment variables to pass and
    then define our aliases:

        # Run X applications through sudo; HOME is used to find the
        # .Xauthority file.  Note that other programs use HOME to find
        # configuration files and this may lead to privilege escalation!
        Defaults env_keep += "DISPLAY HOME"

        # User alias specification
        User_Alias     FULLTIMERS = millert, mikef, dowdy
        User_Alias     PARTTIMERS = bostley, jwfox, crawl
        User_Alias     WEBMASTERS = will, wendy, wim

        # Runas alias specification
        Runas_Alias    OP = root, operator
        Runas_Alias    DB = oracle, sybase
        Runas_Alias    ADMINGRP = adm, oper

        # Host alias specification
        Host_Alias     SPARC = bigtime, eclipse, moet, anchor :\
                       SGI = grolsch, dandelion, black :\
                       ALPHA = widget, thalamus, foobar :\
                       HPPA = boa, nag, python
        Host_Alias     CUNETS = 128.138.0.0/255.255.0.0
        Host_Alias     CSNETS = 128.138.243.0, 128.138.204.0/24, 128.138.242.0
        Host_Alias     SERVERS = master, mail, www, ns
        Host_Alias     CDROM = orion, perseus, hercules

        # Cmnd alias specification
        Cmnd_Alias     DUMPS = /usr/bin/mt, /usr/sbin/dump, /usr/sbin/rdump,\
                       /usr/sbin/restore, /usr/sbin/rrestore
        Cmnd_Alias     KILL = /usr/bin/kill
        Cmnd_Alias     PRINTING = /usr/sbin/lpc, /usr/bin/lprm
        Cmnd_Alias     SHUTDOWN = /usr/sbin/shutdown
        Cmnd_Alias     HALT = /usr/sbin/halt
        Cmnd_Alias     REBOOT = /usr/sbin/reboot
        Cmnd_Alias     SHELLS = /usr/bin/sh, /usr/bin/csh, /usr/bin/ksh, \
                       /usr/local/bin/tcsh, /usr/bin/rsh, \
                       /usr/local/bin/zsh
        Cmnd_Alias     SU = /usr/bin/su
        Cmnd_Alias     PAGERS = /usr/bin/more, /usr/bin/pg, /usr/bin/less

    Here we override some of the compiled-in default values.  We want sudo
    to log via syslog(3) using the auth facility in all cases.  We don't
    want to subject the full time staff to the sudo lecture, user millert
    need not give a password, and we don't want to reset the LOGNAME, USER
    or USERNAME environment variables when running commands as root.
    Additionally, on the machines in the SERVERS Host_Alias, we keep an
    additional local log file and make sure we log the year in each log
    line since the log entries will be kept around for several years.
    Lastly, we disable shell escapes for the commands in the PAGERS
    Cmnd_Alias (/usr/bin/more, /usr/bin/pg and /usr/bin/less).

        # Override built-in defaults
        Defaults               syslog=auth
        Defaults>root          !set_logname
        Defaults:FULLTIMERS    !lecture
        Defaults:millert       !authenticate
        Defaults@SERVERS       log_year, logfile=/var/log/sudo.log
        Defaults!PAGERS        noexec

    The User specification is the part that actually determines who may run
    what.

        root           ALL = (ALL) ALL
        %wheel         ALL = (ALL) ALL

    We let root and any user in group wheel run any command on any host as
    any user.

        FULLTIMERS     ALL = NOPASSWD: ALL

    Full time sysadmins (millert, mikef, and dowdy) may run any command on
    any host without authenticating themselves.

        PARTTIMERS     ALL = ALL

    Part time sysadmins (bostley, jwfox, and crawl) may run any command on
    any host but they must authenticate themselves first (since the entry
    lacks the NOPASSWD tag).

        jack           CSNETS = ALL

    The user jack may run any command on the machines in the CSNETS alias
    (the networks 128.138.243.0, 128.138.204.0, and 128.138.242.0).  Of
    those networks, only 128.138.204.0 has an explicit netmask (in CIDR
    notation) indicating it is a class C network.  For the other networks
    in CSNETS, the local machine's netmask will be used during matching.

        lisa           CUNETS = ALL

    The user lisa may run any command on any host in the CUNETS alias (the
    class B network 128.138.0.0).

        operator       ALL = DUMPS, KILL, SHUTDOWN, HALT, REBOOT, PRINTING,\
                       sudoedit /etc/printcap, /usr/oper/bin/

    The operator user may run commands limited to simple maintenance.
    Here, those are commands related to backups, killing processes, the
    printing system, shutting down the system, and any commands in the
    directory /usr/oper/bin/.

        joe            ALL = /usr/bin/su operator

    The user joe may only su(1) to operator.

        pete           HPPA = /usr/bin/passwd [A-Za-z]*, !/usr/bin/passwd root

    The user pete is allowed to change anyone's password except for root on
    the HPPA machines.  Note that this assumes passwd(1) does not take
    multiple user names on the command line.

        %opers         ALL = (: ADMINGRP) /usr/sbin/

    Users in the opers group may run commands in /usr/sbin/ as themselves
    with any group in the ADMINGRP Runas_Alias (the adm and oper groups).

        bob            SPARC = (OP) ALL : SGI = (OP) ALL

    The user bob may run anything on the SPARC and SGI machines as any user
    listed in the OP Runas_Alias (root and operator).

        jim            +biglab = ALL

    The user jim may run any command on machines in the biglab netgroup.
    sudo knows that "biglab" is a netgroup due to the '+' prefix.

        +secretaries   ALL = PRINTING, /usr/bin/adduser, /usr/bin/rmuser

    Users in the secretaries netgroup need to help manage the printers as
    well as add and remove users, so they are allowed to run those commands
    on all machines.

        fred           ALL = (DB) NOPASSWD: ALL

    The user fred can run commands as any user in the DB Runas_Alias
    (oracle or sybase) without giving a password.

        john           ALPHA = /usr/bin/su [!-]*, !/usr/bin/su *root*

    On the ALPHA machines, user john may su to anyone except root but he is
    not allowed to specify any options to the su(1) command.

        jen            ALL, !SERVERS = ALL

    The user jen may run any command on any machine except for those in the
    SERVERS Host_Alias (master, mail, www and ns).

        jill           SERVERS = /usr/bin/, !SU, !SHELLS

    For any machine in the SERVERS Host_Alias, jill may run any commands in
    the directory /usr/bin/ except for those commands belonging to the SU
    and SHELLS Cmnd_Aliases.

        steve          CSNETS = (operator) /usr/local/op_commands/

    The user steve may run any command in the directory
    /usr/local/op_commands/ but only as user operator.

        matt           valkyrie = KILL

    On his personal workstation, valkyrie, matt needs to be able to kill
    hung processes.

        WEBMASTERS     www = (www) ALL, (root) /usr/bin/su www

    On the host www, any user in the WEBMASTERS User_Alias (will, wendy,
    and wim) may run any command as user www (which owns the web pages) or
    simply su(1) to www.

        ALL            CDROM = NOPASSWD: /sbin/umount /CDROM,\
                       /sbin/mount -o nosuid\,nodev /dev/cd0a /CDROM

    Any user may mount or unmount a CD-ROM on the machines in the CDROM
    Host_Alias (orion, perseus, hercules) without entering a password.
    This is a bit tedious for users to type, so it is a prime candidate for
    encapsulating in a shell script.

SECURITY NOTES
    It is generally not effective to "subtract" commands from ALL using the
    '!' operator.  A user can trivially circumvent this by copying the
    desired command to a different name and then executing that.  For
    example:

        bill           ALL = ALL, !SU, !SHELLS

    doesn't really prevent bill from running the commands listed in SU or
    SHELLS since he can simply copy those commands to a different name, or
    use a shell escape from an editor or other program.  Therefore, this
    kind of restriction should be considered advisory at best (and
    reinforced by policy).

    Furthermore, if the fast_glob option is in use, it is not possible to
    reliably negate commands where the path name includes globbing (aka
    wildcard) characters.  This is because the C library's fnmatch(3)
    function cannot resolve relative paths.  While this is typically only
    an inconvenience for rules that grant privileges, it can result in a
    security issue for rules that subtract or revoke privileges.

    For example, given the following sudoers entry:

        john           ALL = /usr/bin/passwd [a-zA-Z0-9]*, /usr/bin/chsh [a-zA-Z0-9]*,
                       /usr/bin/chfn [a-zA-Z0-9]*, !/usr/bin/* root

    User john can still run /usr/bin/passwd root if fast_glob is enabled by
    changing to /usr/bin and running ./passwd root instead.
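
    The following added model (not sudo's matcher) reproduces that
    behaviour with the entry for john: a command path without wildcards is
    matched by file identity, while under fast_glob a wildcard entry is
    fnmatch(3)ed against the string the user typed.  The BIN_FILES list is
    a constructed stand-in for what glob(3) would find in /usr/bin.  It
    shows why fast_glob should stay disabled wherever a policy relies on
    negated wildcard entries.

```python
# Why the negated '!/usr/bin/* root' entry above is bypassable under
# fast_glob: an added model, not sudo's matcher.  A sudoers command with
# no wildcard is matched by file identity (sudo compares device and inode;
# this model compares the normalized absolute path), so './passwd' typed in
# /usr/bin satisfies '/usr/bin/passwd'.  A wildcard entry under fast_glob
# is instead fnmatch(3)ed against the string the user typed, which is why
# './passwd' escapes '!/usr/bin/* root'.  With fast_glob off the pattern is
# expanded with glob(3) and compared by identity again.
import fnmatch
import posixpath

# Constructed stand-in for what glob("/usr/bin/*") would find on disk.
BIN_FILES = ["/usr/bin/passwd", "/usr/bin/chsh", "/usr/bin/chfn", "/usr/bin/su"]

# The entry for john from the page, in sudoers order (negation last):
# (sudoers command, args pattern or None for any args, allow?)
JOHN_RULES = [
    ("/usr/bin/passwd", "[a-zA-Z0-9]*", True),
    ("/usr/bin/chsh", "[a-zA-Z0-9]*", True),
    ("/usr/bin/chfn", "[a-zA-Z0-9]*", True),
    ("/usr/bin/*", "root", False),
]


def identity(cwd, cmnd):
    """Stand-in for the device/inode comparison: the resolved path."""
    return posixpath.normpath(posixpath.join(cwd, cmnd))


def cmnd_matches(rule_cmnd, rule_args, cwd, cmnd, args, fast_glob):
    """Does one sudoers entry match the typed command?  Python's fnmatch
    lets '*' span '/', unlike sudo's FNM_PATHNAME; irrelevant here."""
    if any(c in rule_cmnd for c in "*?["):
        if fast_glob:
            # fnmatch on the typed string; nothing resolves './passwd'
            path_ok = fnmatch.fnmatchcase(cmnd, rule_cmnd)
        else:
            # glob expands the pattern to real files, then identity compare
            path_ok = any(fnmatch.fnmatchcase(f, rule_cmnd)
                          and f == identity(cwd, cmnd) for f in BIN_FILES)
    else:
        path_ok = rule_cmnd == identity(cwd, cmnd)
    if not path_ok:
        return False
    return rule_args is None or fnmatch.fnmatchcase(" ".join(args), rule_args)


def allowed(rules, cwd, cmnd, args, fast_glob):
    """sudoers semantics: the last matching entry decides, and a negated
    match denies.  True only if the final match is an allow entry."""
    verdict = None
    for rule_cmnd, rule_args, allow in rules:
        if cmnd_matches(rule_cmnd, rule_args, cwd, cmnd, args, fast_glob):
            verdict = allow
    return verdict is True
```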

PREVENTING SHELL ESCAPES
    Once sudo executes a program, that program is free to do whatever it
    pleases, including running other programs.  This can be a security
    issue since it is not uncommon for a program to allow shell escapes,
    which lets a user bypass sudo's access control and logging.  Common
    programs that permit shell escapes include shells (obviously), editors,
    paginators, mail and terminal programs.

    There are two basic approaches to this problem:

    restrict    Avoid giving users access to commands that allow the user to
                run arbitrary commands.  Many editors have a restricted mode
                where shell escapes are disabled, though sudoedit is a better
                solution to running editors via sudo.  Due to the large
                number of programs that offer shell escapes, restricting
                users to the set of programs that do not is often unworkable.

    noexec      Many systems that support shared libraries have the ability
                to override default library functions by pointing an
                environment variable (usually LD_PRELOAD) to an alternate
                shared library.  On such systems, sudo's noexec functionality
                can be used to prevent a program run by sudo from executing
                any other programs.  Note, however, that this applies only to
                native dynamically-linked executables.  Statically-linked
                executables and foreign executables running under binary
                emulation are not affected.

                The noexec feature is known to work on SunOS, Solaris, *BSD,
                Linux, IRIX, Tru64 UNIX, MacOS X, HP-UX 11.x and AIX 5.3 and
                above.  It should be supported on most operating systems that
                support the LD_PRELOAD environment variable.  Check your
                operating system's manual pages for the dynamic linker
                (usually ld.so, ld.so.1, dyld, dld.sl, rld, or loader) to see
                if LD_PRELOAD is supported.

                On Solaris 10 and higher, noexec uses Solaris privileges
                instead of the LD_PRELOAD environment variable.

                To enable noexec for a command, use the NOEXEC tag as
                documented in the User Specification section above.  Here is
                that example again:

                    aaron  shanty = NOEXEC: /usr/bin/more, /usr/bin/vi

                This allows user aaron to run /usr/bin/more and /usr/bin/vi
                with noexec enabled.  This will prevent those two commands
                from executing other commands (such as a shell).  If you are
                unsure whether or not your system is capable of supporting
                noexec you can always just try it out and check whether shell
                escapes work when noexec is enabled.

    Note that restricting shell escapes is not a panacea.  Programs running
    as root are still capable of many potentially hazardous operations
    (such as changing or overwriting files) that could lead to unintended
    privilege escalation.  In the specific case of an editor, a safer
    approach is to give the user permission to run sudoedit.

SECURITY NOTES
    sudoers will check the ownership of its time stamp directory
    (/var/adm/sudo by default) and ignore the directory's contents if it is
    not owned by root or if it is writable by a user other than root.  On
    systems that allow non-root users to give away files via chown(2), if
    the time stamp directory is located in a world-writable directory
    (e.g., /tmp), it is possible for a user to create the time stamp
    directory before sudo is run.  However, because sudoers checks the
    ownership and mode of the directory and its contents, the only damage
    that can be done is to "hide" files by putting them in the time stamp
    dir.  This is unlikely to happen since once the time stamp dir is owned
    by root and inaccessible by any other user, the user placing files
    there would be unable to get them back out.

    sudoers will not honor time stamps set far in the future.  Time stamps
    with a date greater than current_time + 2 * TIMEOUT will be ignored and
    sudo will log and complain.  This is done to keep a user from creating
    his/her own time stamp with a bogus date on systems that allow users to
    give away files if the time stamp directory is located in a
    world-writable directory.

    On systems where the boot time is available, sudoers will ignore time
    stamps that date from before the machine booted.

    Since time stamp files live in the file system, they can outlive a
    user's login session.  As a result, a user may be able to log in, run a
    command with sudo after authenticating, log out, log in again, and run
    sudo without authenticating so long as the time stamp file's
    modification time is within 5 minutes (or whatever the timeout is set
    to in sudoers).  When the tty_tickets option is enabled, the time stamp
    has per-tty granularity but still may outlive the user's session.  On
    Linux systems where the devpts filesystem is used, Solaris systems with
    the devices filesystem, as well as other systems that utilize a devfs
    filesystem that monotonically increases the inode number of devices as
    they are created (such as Mac OS X), sudoers is able to determine when
    a tty-based time stamp file is stale and will ignore it.
    Administrators should not rely on this feature as it is not universally
    available.
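
    The directory and time stamp checks described in the paragraphs above,
    as an added model written for this page rather than sudo's own code.
    The stat values are constructed with fake_stat(), the 5-minute timeout
    is the page's default, and the tty-ticket staleness check is not
    modelled.

```python
# Model of the time stamp checks described above: an added illustration,
# not sudo's own code (the real checks live in plugins/sudoers/check.c and
# also cover tty tickets, which this model leaves out).
import os
import stat

TIMEOUT = 5 * 60          # sudoers' default time stamp timeout, in seconds


def fake_stat(mode, uid):
    """Constructed stat result standing in for os.stat() on the directory."""
    return os.stat_result((mode, 0, 0, 1, uid, 0, 0, 0, 0, 0))


def timestamp_dir_trusted(st, root_uid=0):
    """sudoers ignores the directory's contents unless it is a directory
    owned by root that no other user can write to."""
    if not stat.S_ISDIR(st.st_mode):
        return False
    if st.st_uid != root_uid:
        return False
    return not (st.st_mode & (stat.S_IWGRP | stat.S_IWOTH))


def timestamp_status(mtime, now, boot_time=None, timeout=TIMEOUT):
    """Classify a time stamp file's modification time.
    'bogus-future': later than now + 2 * TIMEOUT, ignored and logged
    'pre-boot':     older than the boot time, where the boot time is known
    'expired':      older than the timeout
    'valid':        authentication is not required"""
    if mtime > now + 2 * timeout:
        return "bogus-future"
    if boot_time is not None and mtime < boot_time:
        return "pre-boot"
    if now - mtime > timeout:
        return "expired"
    return "valid"


def must_authenticate(dir_st, mtime, now, boot_time=None, timeout=TIMEOUT):
    """Combine both checks: an untrusted directory means no time stamp can
    be honoured, and a missing (None) or non-valid stamp requires a
    password."""
    if not timestamp_dir_trusted(dir_st):
        return True
    if mtime is None:
        return True
    return timestamp_status(mtime, now, boot_time, timeout) != "valid"
```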

    If users have sudo ALL there is nothing to prevent them from creating
    their own program that gives them a root shell (or making their own
    copy of a shell) regardless of any '!' elements in the user
    specification.

SEE ALSO
    rsh(1), su(1), fnmatch(3), glob(3), mktemp(3), strftime(3),
    sudoers.ldap(4), sudo_plugin(1m), sudo(1m), visudo(1m)

CAVEATS
    The sudoers file should always be edited by the visudo command which
    locks the file and does grammatical checking.  It is imperative that
    sudoers be free of syntax errors since sudo will not run with a
    syntactically incorrect sudoers file.

    When using netgroups of machines (as opposed to users), if you store
    fully qualified host names in the netgroup (as is usually the case), you
    either need to have the machine's host name be fully qualified as
    returned by the hostname command or use the fqdn option in sudoers.

BUGS
    If you feel you have found a bug in sudo, please submit a bug report at
    http://www.sudo.ws/sudo/bugs/

SUPPORT
    Limited free support is available via the sudo-users mailing list, see
    http://www.sudo.ws/mailman/listinfo/sudo-users to subscribe or search
    the archives.

DISCLAIMER
    sudo is provided "AS IS" and any express or implied warranties,
    including, but not limited to, the implied warranties of
    merchantability and fitness for a particular purpose are disclaimed.
    See the LICENSE file distributed with sudo or
    http://www.sudo.ws/sudo/license.html for complete details.



1.8.3                         September 16, 2011                   SUDOERS(4)