Annotation of embedaddon/sudo/doc/sudoers.cat, revision 1.1.1.1
SUDOERS(4)                   MAINTENANCE COMMANDS                   SUDOERS(4)

NAME
    sudoers - default sudo security policy module

DESCRIPTION
    The sudoers policy module determines a user's sudo privileges. It is
    the default sudo policy plugin. The policy is driven by the
    /etc/sudoers file or, optionally, in LDAP. The policy format is
    described in detail in the "SUDOERS FILE FORMAT" section. For
    information on storing sudoers policy information in LDAP, please see
    sudoers.ldap(4).

Authentication and Logging
    The sudoers security policy requires that most users authenticate
    themselves before they can use sudo. A password is not required if the
    invoking user is root, if the target user is the same as the invoking
    user, or if the policy has disabled authentication for the user or
    command. Unlike su(1), when sudoers requires authentication, it
    validates the invoking user's credentials, not the target user's (or
    root's) credentials. This can be changed via the rootpw, targetpw and
    runaspw flags, described later.

    If a user who is not listed in the policy tries to run a command via
    sudo, mail is sent to the proper authorities. The address used for
    such mail is configurable via the mailto Defaults entry (described
    later) and defaults to root.

    Note that mail will not be sent if an unauthorized user tries to run
    sudo with the -l or -v option. This allows users to determine for
    themselves whether or not they are allowed to use sudo.

    If sudo is run by root and the SUDO_USER environment variable is set,
    the sudoers policy will use this value to determine who the actual user
    is. This can be used by a user to log commands through sudo even when
    a root shell has been invoked. It also allows the -e option to remain
    useful even when invoked via a sudo-run script or program. Note,
    however, that the sudoers lookup is still done for root, not the user
    specified by SUDO_USER.

    sudoers uses time stamp files for credential caching. Once a user has
    been authenticated, a time stamp is updated and the user may then use
    sudo without a password for a short period of time (5 minutes unless
    overridden by the timeout option). By default, sudoers uses a tty-based
    time stamp, which means that there is a separate time stamp for each of
    a user's login sessions. The tty_tickets option can be disabled to
    force the use of a single time stamp for all of a user's sessions.

    sudoers can log both successful and unsuccessful attempts (as well as
    errors) to syslog(3), a log file, or both. By default, sudoers will
    log via syslog(3), but this is changeable via the syslog and logfile
    Defaults settings.

    sudoers also supports logging a command's input and output streams.
    I/O logging is not on by default but can be enabled using the log_input
    and log_output Defaults flags as well as the LOG_INPUT and LOG_OUTPUT
    command tags.

Command Environment
    Since environment variables can influence program behavior, sudoers
    provides a means to restrict which variables from the user's
    environment are inherited by the command to be run. There are two
    distinct ways sudoers can deal with environment variables.

    By default, the env_reset option is enabled. This causes commands to
    be executed with a minimal environment containing TERM, PATH, HOME,
    MAIL, SHELL, LOGNAME, USER and USERNAME in addition to variables from
    the invoking process permitted by the env_check and env_keep options.
    This is effectively a whitelist for environment variables.

    If, however, the env_reset option is disabled, any variables not
    explicitly denied by the env_check and env_delete options are inherited
    from the invoking process. In this case, env_check and env_delete
    behave like a blacklist. Since it is not possible to blacklist all
    potentially dangerous environment variables, use of the default
    env_reset behavior is encouraged.

    In all cases, environment variables with a value beginning with () are
    removed as they could be interpreted as bash functions. The list of
    environment variables that sudo allows or denies is contained in the
    output of sudo -V when run as root.

    Note that the dynamic linker on most operating systems will remove
    variables that can control dynamic linking from the environment of
    setuid executables, including sudo. Depending on the operating system
    this may include _RLD*, DYLD_*, LD_*, LDR_*, LIBPATH, SHLIB_PATH, and
    others. These types of variables are removed from the environment
    before sudo even begins execution and, as such, it is not possible for
    sudo to preserve them.

    As a special case, if sudo's -i option (initial login) is specified,
    sudoers will initialize the environment regardless of the value of
    env_reset. The DISPLAY, PATH and TERM variables remain unchanged;
    HOME, MAIL, SHELL, USER, and LOGNAME are set based on the target user.
    On Linux and AIX systems the contents of /etc/environment are also
    included. All other environment variables are removed.

SUDOERS FILE FORMAT
    The sudoers file is composed of two types of entries: aliases
    (basically variables) and user specifications (which specify who may
    run what).

    When multiple entries match for a user, they are applied in order.
    Where there are multiple matches, the last match is used (which is not
    necessarily the most specific match).

    The sudoers grammar will be described below in Extended Backus-Naur
    Form (EBNF). Don't despair if you don't know what EBNF is; it is
    fairly simple, and the definitions below are annotated.

Quick guide to EBNF
    EBNF is a concise and exact way of describing the grammar of a
    language. Each EBNF definition is made up of production rules. E.g.,

        symbol ::= definition | alternate1 | alternate2 ...

    Each production rule references others and thus makes up a grammar for
    the language. EBNF also contains the following operators, which many
    readers will recognize from regular expressions. Do not, however,
    confuse them with "wildcard" characters, which have different meanings.

    ?   Means that the preceding symbol (or group of symbols) is optional.
        That is, it may appear once or not at all.

    *   Means that the preceding symbol (or group of symbols) may appear
        zero or more times.

    +   Means that the preceding symbol (or group of symbols) may appear
        one or more times.

    Parentheses may be used to group symbols together. For clarity, we
    will use single quotes ('') to designate what is a verbatim character
    string (as opposed to a symbol name).

Aliases
    There are four kinds of aliases: User_Alias, Runas_Alias, Host_Alias
    and Cmnd_Alias.

        Alias ::= 'User_Alias'  User_Alias (':' User_Alias)* |
                  'Runas_Alias' Runas_Alias (':' Runas_Alias)* |
                  'Host_Alias'  Host_Alias (':' Host_Alias)* |
                  'Cmnd_Alias'  Cmnd_Alias (':' Cmnd_Alias)*

        User_Alias ::= NAME '=' User_List

        Runas_Alias ::= NAME '=' Runas_List

        Host_Alias ::= NAME '=' Host_List

        Cmnd_Alias ::= NAME '=' Cmnd_List

        NAME ::= [A-Z]([A-Z][0-9]_)*

    Each alias definition is of the form

        Alias_Type NAME = item1, item2, ...

    where Alias_Type is one of User_Alias, Runas_Alias, Host_Alias, or
    Cmnd_Alias. A NAME is a string of uppercase letters, numbers, and
    underscore characters ('_'). A NAME must start with an uppercase
    letter. It is possible to put several alias definitions of the same
    type on a single line, joined by a colon (':'). E.g.,

        Alias_Type NAME = item1, item2, item3 : NAME = item4, item5

    The definitions of what constitutes a valid alias member follow.

        User_List ::= User |
                      User ',' User_List

        User ::= '!'* user name |
                 '!'* #uid |
                 '!'* %group |
                 '!'* %#gid |
                 '!'* +netgroup |
                 '!'* %:nonunix_group |
                 '!'* %:#nonunix_gid |
                 '!'* User_Alias

    A User_List is made up of one or more user names, user ids (prefixed
    with '#'), system group names and ids (prefixed with '%' and '%#'
    respectively), netgroups (prefixed with '+'), non-Unix group names and
    IDs (prefixed with '%:' and '%:#' respectively) and User_Aliases. Each
    list item may be prefixed with zero or more '!' operators. An odd
    number of '!' operators negates the value of the item; an even number
    just cancels out.

    A user name, uid, group, gid, netgroup, nonunix_group or nonunix_gid
    may be enclosed in double quotes to avoid the need for escaping special
    characters. Alternately, special characters may be specified in
    escaped hex mode, e.g. \x20 for space. When using double quotes, any
    prefix characters must be included inside the quotes.

    The actual nonunix_group and nonunix_gid syntax depends on the
    underlying group provider plugin (see the group_plugin description
    below). For instance, the QAS AD plugin supports the following
    formats:

    o   Group in the same domain: "Group Name"

    o   Group in any domain: "Group Name@FULLY.QUALIFIED.DOMAIN"

    o   Group SID: "S-1-2-34-5678901234-5678901234-5678901234-567"

    Note that quotes around group names are optional. Unquoted strings
    must use a backslash (\) to escape spaces and special characters. See
    "Other special characters and reserved words" for a list of characters
    that need to be escaped.

        Runas_List ::= Runas_Member |
                       Runas_Member ',' Runas_List

        Runas_Member ::= '!'* user name |
                         '!'* #uid |
                         '!'* %group |
                         '!'* %#gid |
                         '!'* %:nonunix_group |
                         '!'* %:#nonunix_gid |
                         '!'* +netgroup |
                         '!'* Runas_Alias

    A Runas_List is similar to a User_List except that instead of
    User_Aliases it can contain Runas_Aliases. Note that user names and
    groups are matched as strings. In other words, two users (groups) with
    the same uid (gid) are considered to be distinct. If you wish to match
    all user names with the same uid (e.g. root and toor), you can use a
    uid instead (#0 in the example given).

        Host_List ::= Host |
                      Host ',' Host_List

        Host ::= '!'* host name |
                 '!'* ip_addr |
                 '!'* network(/netmask)? |
                 '!'* +netgroup |
                 '!'* Host_Alias

    A Host_List is made up of one or more host names, IP addresses, network
    numbers, netgroups (prefixed with '+') and other aliases. Again, the
    value of an item may be negated with the '!' operator. If you do not
    specify a netmask along with the network number, sudo will query each
    of the local host's network interfaces and, if the network number
    corresponds to one of the host's network interfaces, the corresponding
    netmask will be used. The netmask may be specified either in standard
    IP address notation (e.g. 255.255.255.0 or ffff:ffff:ffff:ffff::), or
    CIDR notation (number of bits, e.g. 24 or 64). A host name may include
    shell-style wildcards (see the Wildcards section below), but unless the
    hostname command on your machine returns the fully qualified host
    name, you'll need to use the fqdn option for wildcards to be useful.
    Note sudo only inspects actual network interfaces; this means that IP
    address 127.0.0.1 (localhost) will never match. Also, the host name
    "localhost" will only match if that is the actual host name, which is
    usually only the case for non-networked systems.

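To make the network-matching rules above concrete, here is an added Python model (not sudo's implementation) of Host_List evaluation against a constructed interface table: netmask and CIDR forms, the interface-derived netmask for a bare network number, the fact that only real interfaces are consulted, and '!' negation with the last matching item deciding.

```python
import ipaddress

# Constructed interface table (address, netmask), standing in for what sudo
# learns from the kernel.  127.0.0.1 is deliberately absent: sudo only looks
# at real network interfaces, so the loopback address never matches.
INTERFACES = [
    ("192.168.10.7", "255.255.255.0"),
    ("10.1.2.3", "255.255.0.0"),
    ("fd00:1234::7", "ffff:ffff:ffff:ffff::"),
]


def mask_to_prefixlen(mask, version):
    """Accept a CIDR bit count ('24', '64') or a netmask in address notation
    ('255.255.255.0', 'ffff:ffff:ffff:ffff::') and return the prefix length.
    ipaddress only accepts address-style netmasks for IPv4, so do it by hand."""
    if mask.isdigit():
        return int(mask)
    mask_addr = ipaddress.ip_address(mask)
    if mask_addr.version != version:
        raise ValueError("netmask %s does not match the network's version" % mask)
    maxlen = 32 if version == 4 else 128
    all_ones = (1 << maxlen) - 1
    plen = maxlen - (int(mask_addr) ^ all_ones).bit_length()
    if int(mask_addr) != all_ones ^ ((1 << (maxlen - plen)) - 1):
        raise ValueError("non-contiguous netmask: " + mask)
    return plen


def interface_networks():
    """(address, network) for every local interface, using its own netmask."""
    nets = []
    for addr, mask in INTERFACES:
        ip = ipaddress.ip_address(addr)
        plen = mask_to_prefixlen(mask, ip.version)
        nets.append((ip, ipaddress.ip_network("%s/%d" % (addr, plen), strict=False)))
    return nets


def host_item_matches(item, hostname):
    """Does one un-negated Host_List item match this machine?"""
    if item == "ALL":
        return True
    if "/" in item:                                  # network/netmask or network/bits
        net, mask = item.split("/", 1)
        plen = mask_to_prefixlen(mask, ipaddress.ip_address(net).version)
        target = ipaddress.ip_network("%s/%d" % (net, plen), strict=False)
        return any(ip in target for ip, _ in interface_networks())
    try:
        addr = ipaddress.ip_address(item)
    except ValueError:
        return item == hostname                      # plain host name (no wildcards here)
    # Bare address: either an interface address, or a network number whose
    # netmask is borrowed from the interface that sits on that network.
    return any(addr == ip or addr == net.network_address
               for ip, net in interface_networks())


def host_list_matches(host_list, hostname):
    """Evaluate a comma-separated Host_List with '!' negation.  As elsewhere
    in sudoers the last item that matches decides, so a trailing negated item
    can exclude a host that an earlier item admitted."""
    result = False
    for raw in host_list.split(","):
        item = raw.strip()
        bangs = len(item) - len(item.lstrip("!"))
        if host_item_matches(item.lstrip("!"), hostname):
            result = bangs % 2 == 0                  # an odd number of '!' negates
    return result
```
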
        Cmnd_List ::= Cmnd |
                      Cmnd ',' Cmnd_List

        commandname ::= file name |
                        file name args |
                        file name '""'

        Cmnd ::= '!'* commandname |
                 '!'* directory |
                 '!'* "sudoedit" |
                 '!'* Cmnd_Alias

    A Cmnd_List is a list of one or more commandnames, directories, and
    other aliases. A commandname is a fully qualified file name which may
    include shell-style wildcards (see the Wildcards section below). A
    simple file name allows the user to run the command with any arguments
    he/she wishes. However, you may also specify command line arguments
    (including wildcards). Alternately, you can specify "" to indicate
    that the command may only be run without command line arguments. A
    directory is a fully qualified path name ending in a '/'. When you
    specify a directory in a Cmnd_List, the user will be able to run any
    file within that directory (but not in any subdirectories therein).

    If a Cmnd has associated command line arguments, then the arguments in
    the Cmnd must match exactly those given by the user on the command line
    (or match the wildcards if there are any). Note that the following
    characters must be escaped with a '\' if they are used in command
    arguments: ',', ':', '=', '\'. The special command "sudoedit" is used
    to permit a user to run sudo with the -e option (or as sudoedit). It
    may take command line arguments just as a normal command does.

Defaults
    Certain configuration options may be changed from their default values
    at runtime via one or more Default_Entry lines. These may affect all
    users on any host, all users on a specific host, a specific user, a
    specific command, or commands being run as a specific user. Note that
    per-command entries may not include command line arguments. If you
    need to specify arguments, define a Cmnd_Alias and reference that
    instead.

        Default_Type ::= 'Defaults' |
                         'Defaults' '@' Host_List |
                         'Defaults' ':' User_List |
                         'Defaults' '!' Cmnd_List |
                         'Defaults' '>' Runas_List

        Default_Entry ::= Default_Type Parameter_List

        Parameter_List ::= Parameter |
                           Parameter ',' Parameter_List

        Parameter ::= Parameter '=' Value |
                      Parameter '+=' Value |
                      Parameter '-=' Value |
                      '!'* Parameter

    Parameters may be flags, integer values, strings, or lists. Flags are
    implicitly boolean and can be turned off via the '!' operator. Some
    integer, string and list parameters may also be used in a boolean
    context to disable them. Values may be enclosed in double quotes (")
    when they contain multiple words. Special characters may be escaped
    with a backslash (\).

    Lists have two additional assignment operators, += and -=. These
    operators are used to add to and delete from a list respectively. It
    is not an error to use the -= operator to remove an element that does
    not exist in a list.

    Defaults entries are parsed in the following order: generic, host and
    user Defaults first, then runas Defaults and finally command defaults.

    See "SUDOERS OPTIONS" for a list of supported Defaults parameters.

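As an added illustration (not sudo's own code), the following Python models how generic Defaults lines in the flag, integer and list forms, including the += and -= list operators, feed the env_reset whitelist and the env_check/env_delete blacklist behaviour described in the "Command Environment" section. The parameter set, the starting list contents and the sample environment are constructed for the example; real sudo carries far longer default lists and sets several of the base variables itself.

```python
import re

# Parameters this model knows about; real sudoers has many more.
LIST_PARAMS = {"env_keep", "env_check", "env_delete"}
INT_PARAMS = {"passwd_tries"}

# Variables that survive env_reset per the "Command Environment" section
# (sudo also adds its own SUDO_* variables, handled below).
BASE_VARS = {"TERM", "PATH", "HOME", "MAIL", "SHELL", "LOGNAME", "USER", "USERNAME"}


def fresh_defaults():
    """Constructed starting values; sudo's built-in lists are much longer."""
    return {
        "env_reset": True,
        "passwd_tries": 3,
        "env_keep": set(),
        "env_check": {"COLORTERM", "LINGUAS"},
        "env_delete": {"IFS", "CDPATH", "PERL5LIB"},
    }


def _split_params(body):
    """Split a Parameter_List on commas that are not inside double quotes."""
    return [p.strip() for p in re.findall(r'(?:[^,"]|"[^"]*")+', body)]


def apply_defaults_line(line, defaults):
    """Apply one generic 'Defaults ...' line to the dict, in place.  The
    @host, :user, !cmnd and >runas forms are not modelled."""
    keyword, _, body = line.strip().partition(" ")
    if keyword != "Defaults":
        raise ValueError("not a Defaults line: " + line)
    for param in _split_params(body):
        m = re.match(r"^(!*)(\w+)\s*(\+=|-=|=)?\s*(.*)$", param)
        bangs, name, op, value = m.groups()
        if name not in defaults:
            raise ValueError("unknown parameter: " + name)
        if op is None:                        # flag form: an odd number of '!' turns it off
            defaults[name] = len(bangs) % 2 == 0
        elif name in LIST_PARAMS:
            words = set(value.strip().strip('"').split())   # quotes group several words
            if op == "+=":
                defaults[name] |= words
            elif op == "-=":
                defaults[name] -= words       # removing a missing item is not an error
            else:
                defaults[name] = words
        elif name in INT_PARAMS:
            defaults[name] = int(value)
        else:
            defaults[name] = value.strip('"')
    return defaults


def filter_environment(env, defaults):
    """Return the environment the command would receive under these defaults."""
    if defaults["env_reset"]:
        # Whitelist: base variables plus anything named in env_keep or env_check.
        allowed = BASE_VARS | defaults["env_keep"] | defaults["env_check"]
        candidates = {k: v for k, v in env.items()
                      if k in allowed or k.startswith("SUDO_")}
    else:
        # Blacklist: everything is inherited unless env_delete names it.
        candidates = {k: v for k, v in env.items() if k not in defaults["env_delete"]}
    kept = {}
    for name, value in candidates.items():
        if value.startswith("()"):            # could be read as a bash function: dropped
            continue
        if name in defaults["env_check"] and ("%" in value or "/" in value):
            continue                          # env_check: dropped when the value has % or /
        kept[name] = value
    return kept


# Constructed invoking-user environment.
SAMPLE_ENV = {
    "PATH": "/usr/bin:/bin", "HOME": "/home/alice", "USER": "alice",
    "TERM": "xterm", "SUDO_USER": "alice",
    "LANG": "C",                  # survives env_reset only if env_keep lists it
    "EDITOR": "vi",               # survives only when env_reset is off
    "COLORTERM": "truecolor",     # in env_check and passes the check
    "LINGUAS": "de/../../tmp",    # in env_check and fails it: always dropped
    "IFS": " ",                   # in env_delete
    "FOO": "() { :; }",           # bash-function style value: always removed
}


def demo():
    d = fresh_defaults()
    apply_defaults_line('Defaults env_keep += "LANG LC_ALL", passwd_tries=5', d)
    with_reset = filter_environment(SAMPLE_ENV, d)
    apply_defaults_line("Defaults !env_reset", d)
    apply_defaults_line('Defaults env_delete -= "NOT_PRESENT"', d)   # harmless
    without_reset = filter_environment(SAMPLE_ENV, d)
    return d, with_reset, without_reset
```
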
User Specification
        User_Spec ::= User_List Host_List '=' Cmnd_Spec_List \
                      (':' Host_List '=' Cmnd_Spec_List)*

        Cmnd_Spec_List ::= Cmnd_Spec |
                           Cmnd_Spec ',' Cmnd_Spec_List

        Cmnd_Spec ::= Runas_Spec? SELinux_Spec? Tag_Spec* Cmnd

        Runas_Spec ::= '(' Runas_List? (':' Runas_List)? ')'

        SELinux_Spec ::= ('ROLE=role' | 'TYPE=type')

        Tag_Spec ::= ('NOPASSWD:' | 'PASSWD:' | 'NOEXEC:' | 'EXEC:' |
                      'SETENV:' | 'NOSETENV:' | 'LOG_INPUT:' | 'NOLOG_INPUT:' |
                      'LOG_OUTPUT:' | 'NOLOG_OUTPUT:')

    A user specification determines which commands a user may run (and as
    what user) on specified hosts. By default, commands are run as root,
    but this can be changed on a per-command basis.

    The basic structure of a user specification is `who where = (as_whom)
    what'. Let's break that down into its constituent parts:

Runas_Spec
    A Runas_Spec determines the user and/or the group that a command may be
    run as. A fully-specified Runas_Spec consists of two Runas_Lists (as
    defined above) separated by a colon (':') and enclosed in a set of
    parentheses. The first Runas_List indicates which users the command
    may be run as via sudo's -u option. The second defines a list of
    groups that can be specified via sudo's -g option. If both Runas_Lists
    are specified, the command may be run with any combination of users and
    groups listed in their respective Runas_Lists. If only the first is
    specified, the command may be run as any user in the list but no -g
    option may be specified. If the first Runas_List is empty but the
    second is specified, the command may be run as the invoking user with
    the group set to any listed in the Runas_List. If no Runas_Spec is
    specified the command may be run as root and no group may be specified.

    A Runas_Spec sets the default for the commands that follow it. What
    this means is that for the entry:

        dgb boulder = (operator) /bin/ls, /bin/kill, /usr/bin/lprm

    The user dgb may run /bin/ls, /bin/kill, and /usr/bin/lprm -- but only
    as operator. E.g.,

        $ sudo -u operator /bin/ls

    It is also possible to override a Runas_Spec later on in an entry. If
    we modify the entry like so:

        dgb boulder = (operator) /bin/ls, (root) /bin/kill, /usr/bin/lprm

    Then user dgb is now allowed to run /bin/ls as operator, but /bin/kill
    and /usr/bin/lprm as root.

    We can extend this to allow dgb to run /bin/ls with either the user or
    group set to operator:

        dgb boulder = (operator : operator) /bin/ls, (root) /bin/kill, \
            /usr/bin/lprm

    Note that while the group portion of the Runas_Spec permits the user to
    run a command with that group, it does not force the user to do so.
    If no group is specified on the command line, the command will run with
    the group listed in the target user's password database entry. The
    following would all be permitted by the sudoers entry above:

        $ sudo -u operator /bin/ls
        $ sudo -u operator -g operator /bin/ls
        $ sudo -g operator /bin/ls

    In the following example, user tcm may run commands that access a modem
    device file with the dialer group.

        tcm boulder = (:dialer) /usr/bin/tip, /usr/bin/cu, \
            /usr/local/bin/minicom

    Note that in this example only the group will be set; the command still
    runs as user tcm. E.g.

        $ sudo -g dialer /usr/bin/cu

    Multiple users and groups may be present in a Runas_Spec, in which case
    the user may select any combination of users and groups via the -u and
    -g options. In this example:

        alan ALL = (root, bin : operator, system) ALL

    user alan may run any command as either user root or bin, optionally
    setting the group to operator or system.

SELinux_Spec
    On systems with SELinux support, sudoers entries may optionally have an
    SELinux role and/or type associated with a command. If a role or type
    is specified with the command it will override any default values
    specified in sudoers. A role or type specified on the command line,
    however, will supersede the values in sudoers.

Tag_Spec
    A command may have zero or more tags associated with it. There are
    eight possible tag values, NOPASSWD, PASSWD, NOEXEC, EXEC, SETENV,
    NOSETENV, LOG_INPUT, NOLOG_INPUT, LOG_OUTPUT and NOLOG_OUTPUT. Once a
    tag is set on a Cmnd, subsequent Cmnds in the Cmnd_Spec_List inherit
    the tag unless it is overridden by the opposite tag (i.e.: PASSWD
    overrides NOPASSWD and NOEXEC overrides EXEC).

    NOPASSWD and PASSWD

    By default, sudo requires that a user authenticate him or herself
    before running a command. This behavior can be modified via the
    NOPASSWD tag. Like a Runas_Spec, the NOPASSWD tag sets a default for
    the commands that follow it in the Cmnd_Spec_List. Conversely, the
    PASSWD tag can be used to reverse things. For example:

        ray rushmore = NOPASSWD: /bin/kill, /bin/ls, /usr/bin/lprm

    would allow the user ray to run /bin/kill, /bin/ls, and /usr/bin/lprm
    as root on the machine rushmore without authenticating himself. If we
    only want ray to be able to run /bin/kill without a password the entry
    would be:

        ray rushmore = NOPASSWD: /bin/kill, PASSWD: /bin/ls, /usr/bin/lprm

    Note, however, that the PASSWD tag has no effect on users who are in
    the group specified by the exempt_group option.

    By default, if the NOPASSWD tag is applied to any of the entries for a
    user on the current host, he or she will be able to run sudo -l without
    a password. Additionally, a user may only run sudo -v without a
    password if the NOPASSWD tag is present for all a user's entries that
    pertain to the current host. This behavior may be overridden via the
    verifypw and listpw options.

    NOEXEC and EXEC

    If sudo has been compiled with noexec support and the underlying
    operating system supports it, the NOEXEC tag can be used to prevent a
    dynamically-linked executable from running further commands itself.

    In the following example, user aaron may run /usr/bin/more and
    /usr/bin/vi but shell escapes will be disabled.

        aaron shanty = NOEXEC: /usr/bin/more, /usr/bin/vi

    See the "PREVENTING SHELL ESCAPES" section below for more details on
    how NOEXEC works and whether or not it will work on your system.

    SETENV and NOSETENV

    These tags override the value of the setenv option on a per-command
    basis. Note that if SETENV has been set for a command, the user may
    disable the env_reset option from the command line via the -E option.
    Additionally, environment variables set on the command line are not
    subject to the restrictions imposed by env_check, env_delete, or
    env_keep. As such, only trusted users should be allowed to set
    variables in this manner. If the command matched is ALL, the SETENV
    tag is implied for that command; this default may be overridden by use
    of the NOSETENV tag.

    LOG_INPUT and NOLOG_INPUT

    These tags override the value of the log_input option on a per-command
    basis. For more information, see the description of log_input in the
    "SUDOERS OPTIONS" section below.

    LOG_OUTPUT and NOLOG_OUTPUT

    These tags override the value of the log_output option on a per-command
    basis. For more information, see the description of log_output in the
    "SUDOERS OPTIONS" section below.

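The Runas_Spec and Tag_Spec rules above, as an added worked example rather than code from sudo: a small Python evaluator for user specification lines that applies the last-match-wins rule and the tag carry-over, then answers whether a request (user, host, -u, -g, command, arguments) is allowed and which tags apply. Aliases, wildcards, the ':' host continuation, SELinux specs and '!' exclusion are not modelled; the sample sudoers text is constructed from the entries discussed in this section.

```python
import re

# Each tag sets or clears one boolean; like a Runas_Spec, a tag carries over
# to the commands that follow it in the same Cmnd_Spec_List.
TAGS = {
    "NOPASSWD": ("nopasswd", True), "PASSWD": ("nopasswd", False),
    "NOEXEC": ("noexec", True), "EXEC": ("noexec", False),
    "SETENV": ("setenv", True), "NOSETENV": ("setenv", False),
    "LOG_INPUT": ("log_input", True), "NOLOG_INPUT": ("log_input", False),
    "LOG_OUTPUT": ("log_output", True), "NOLOG_OUTPUT": ("log_output", False),
}
# Optional "(Runas_Spec)", then zero or more "TAG:" prefixes, then the Cmnd.
SPEC_RE = re.compile(r"^(?:\(([^)]*)\))?\s*((?:[A-Z_]+:\s*)*)(.*)$")


def _split_list(text):
    return [t.strip() for t in text.split(",") if t.strip()]


def _split_cmnd_specs(rhs):
    # Split on commas, but not on the commas inside a (Runas_Spec).
    return [s.strip() for s in re.findall(r"(?:[^,(]|\([^)]*\))+", rhs)]


def parse_user_spec(line):
    """Parse 'User_List Host_List = Cmnd_Spec_List' into
    (users, hosts, [(runas_users, runas_groups, flags, cmnd), ...])."""
    lhs, rhs = line.split("=", 1)
    tokens = lhs.replace(",", ", ").split()
    users, i = [], 0
    while True:                      # the User_List continues while tokens end in ','
        users.append(tokens[i].rstrip(","))
        i += 1
        if not tokens[i - 1].endswith(","):
            break
    hosts = [t.rstrip(",") for t in tokens[i:]]
    # With no Runas_Spec the command runs as root and no -g may be given.
    runas_users, runas_groups, flags, cmnds = ["root"], [], {}, []
    for spec in _split_cmnd_specs(rhs):
        runas, tags, cmnd = SPEC_RE.match(spec).groups()
        if runas is not None:        # a new Runas_Spec replaces the current one
            ulist, _, glist = runas.partition(":")
            runas_users, runas_groups = _split_list(ulist), _split_list(glist)
        for tag in re.findall(r"([A-Z_]+):", tags):
            key, value = TAGS[tag]
            flags[key] = value
        effective = dict(flags)
        if cmnd.strip() == "ALL":    # SETENV is implied for ALL unless NOSETENV was given
            effective.setdefault("setenv", True)
        cmnds.append((runas_users, runas_groups, effective, cmnd.strip()))
    return users, hosts, cmnds


def _runas_ok(runas_users, runas_groups, runas_user, runas_group):
    """-u is checked against the first Runas_List and -g against the second;
    'sudo -g grp' alone runs as the invoking user, so only the group list counts."""
    ok = True
    if runas_group is not None:
        ok = "ALL" in runas_groups or runas_group in runas_groups
    if runas_user is not None or runas_group is None:
        target = runas_user or "root"   # no -u and no -g: the target user is root
        ok = ok and ("ALL" in runas_users or target in runas_users)
    return ok


def _cmnd_ok(pattern, cmnd, args):
    if pattern == "ALL":
        return True
    path, _, spec_args = pattern.partition(" ")
    if path != cmnd:
        return False
    if not spec_args:                # no arguments listed: any arguments allowed
        return True
    if spec_args == '""':            # empty string: no arguments allowed
        return not args
    return spec_args.split() == list(args)


def check(specs, user, host, cmnd, args=(), runas_user=None, runas_group=None):
    """Return (allowed, flags); entries apply in order and the last match wins."""
    result = (False, {})
    for users, hosts, cmnds in specs:
        if (user in users or "ALL" in users) and (host in hosts or "ALL" in hosts):
            for runas_users, runas_groups, flags, pattern in cmnds:
                if _runas_ok(runas_users, runas_groups, runas_user, runas_group) \
                        and _cmnd_ok(pattern, cmnd, args):
                    result = (True, flags)
    return result


def load(text):
    joined = text.replace("\\\n", " ")   # backslash line continuation
    return [parse_user_spec(l) for l in joined.splitlines() if l.strip()]


# Constructed fragment built from the entries discussed in the text above.
SAMPLE_SUDOERS = """\
dgb boulder = (operator : operator) /bin/ls, (root) /bin/kill, \\
    /usr/bin/lprm
ray rushmore = NOPASSWD: /bin/kill "", PASSWD: /bin/ls, /usr/bin/lprm
tcm boulder = (:dialer) /usr/bin/tip, /usr/bin/cu, /usr/local/bin/minicom
alan ALL = (root, bin : operator, system) ALL
"""
```
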
Wildcards
    sudo allows shell-style wildcards (aka meta or glob characters) to be
    used in host names, path names and command line arguments in the
    sudoers file. Wildcard matching is done via the POSIX glob(3) and
    fnmatch(3) routines. Note that these are not regular expressions.

    *       Matches any set of zero or more characters.

    ?       Matches any single character.

    [...]   Matches any character in the specified range.

    [!...]  Matches any character not in the specified range.

    \x      For any character "x", evaluates to "x". This is used to
            escape special characters such as: "*", "?", "[", and "}".

    POSIX character classes may also be used if your system's glob(3) and
    fnmatch(3) functions support them. However, because the ':' character
    has special meaning in sudoers, it must be escaped. For example:

        /bin/ls [[\:alpha\:]]*

    Would match any file name beginning with a letter.

    Note that a forward slash ('/') will not be matched by wildcards used
    in the path name. When matching the command line arguments, however, a
    slash does get matched by wildcards. This is to make a path like:

        /usr/bin/*

    match /usr/bin/who but not /usr/bin/X11/xterm.

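An added example of the matching rules just described, not sudo's glob(3)/fnmatch(3) code: a Python translation of sudoers wildcards to regular expressions that keeps '/' out of path-name wildcards but lets argument wildcards cross it, and accepts the escaped-colon [[\:alpha\:]] spelling. The set of POSIX classes it knows is an assumption of the example.

```python
import re

# POSIX classes this example understands (a constructed subset).
POSIX_CLASSES = {"alpha": "A-Za-z", "digit": "0-9", "alnum": "A-Za-z0-9",
                 "upper": "A-Z", "lower": "a-z", "space": r" \t\n\r\f\v"}


def glob_to_regex(pattern, match_slash):
    """Turn a sudoers glob into regex source.  With match_slash=False (path
    names) '*' and '?' stop at '/'; with True (arguments) they cross it."""
    any_char = "." if match_slash else "[^/]"
    out, i = [], 0
    while i < len(pattern):
        c = pattern[i]
        if c == "\\" and i + 1 < len(pattern):        # \x is the literal x
            out.append(re.escape(pattern[i + 1]))
            i += 2
        elif c == "*":
            out.append(any_char + "*")
            i += 1
        elif c == "?":
            out.append(any_char)
            i += 1
        elif c == "[":
            j, body = i + 1, ""
            negate = pattern.startswith("!", j)
            if negate:
                j += 1
            while j < len(pattern) and pattern[j] != "]":
                if pattern.startswith("[\\:", j):         # [\:class\:] with escaped colons
                    end = pattern.index("\\:]", j)
                    body += POSIX_CLASSES[pattern[j + 3:end]]
                    j = end + 3
                elif pattern[j] == "\\":
                    body += re.escape(pattern[j + 1])
                    j += 2
                else:                                     # keep '-' so ranges like a-z work
                    body += pattern[j] if pattern[j] == "-" else re.escape(pattern[j])
                    j += 1
            if j >= len(pattern):
                raise ValueError("unterminated '[' in " + pattern)
            out.append("[" + ("^" if negate else "") + body + "]")
            i = j + 1
        else:
            out.append(re.escape(c))
            i += 1
    return "".join(out)


def glob_match(pattern, text, match_slash):
    return re.fullmatch(glob_to_regex(pattern, match_slash), text) is not None


def command_matches(spec, path, args):
    """spec is a sudoers Cmnd such as '/usr/bin/* -l [[\\:alpha\\:]]*'."""
    spec_path, _, spec_args = spec.partition(" ")
    if not glob_match(spec_path, path, match_slash=False):
        return False
    if not spec_args:                 # no arguments in sudoers: any arguments allowed
        return True
    if spec_args == '""':             # "" means the command takes no arguments at all
        return not args
    # Arguments are compared as one space-joined string, slashes included.
    return glob_match(spec_args, " ".join(args), match_slash=True)
```
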
Exceptions to wildcard rules
    The following exceptions apply to the above rules:

    ""      If the empty string "" is the only command line argument in the
            sudoers entry it means that command is not allowed to be run
            with any arguments.

Including other files from within sudoers
    It is possible to include other sudoers files from within the sudoers
    file currently being parsed using the #include and #includedir
    directives.

    This can be used, for example, to keep a site-wide sudoers file in
    addition to a local, per-machine file. For the sake of this example
    the site-wide sudoers will be /etc/sudoers and the per-machine one will
    be /etc/sudoers.local. To include /etc/sudoers.local from within
    /etc/sudoers we would use the following line in /etc/sudoers:

        #include /etc/sudoers.local

    When sudo reaches this line it will suspend processing of the current
    file (/etc/sudoers) and switch to /etc/sudoers.local. Upon reaching
    the end of /etc/sudoers.local, the rest of /etc/sudoers will be
    processed. Files that are included may themselves include other files.
    A hard limit of 128 nested include files is enforced to prevent include
    file loops.

    The file name may include the %h escape, signifying the short form of
    the host name. I.e., if the machine's host name is "xerxes", then

        #include /etc/sudoers.%h

    will cause sudo to include the file /etc/sudoers.xerxes.

    The #includedir directive can be used to create a sudo.d directory that
    the system package manager can drop sudoers rules into as part of
    package installation. For example, given:

        #includedir /etc/sudoers.d

    sudo will read each file in /etc/sudoers.d, skipping file names that
    end in ~ or contain a . character to avoid causing problems with
    package manager or editor temporary/backup files. Files are parsed in
    sorted lexical order. That is, /etc/sudoers.d/01_first will be parsed
    before /etc/sudoers.d/10_second. Be aware that because the sorting is
    lexical, not numeric, /etc/sudoers.d/1_whoops would be loaded after
    /etc/sudoers.d/10_second. Using a consistent number of leading zeroes
    in the file names avoids such problems.

    Note that unlike files included via #include, visudo will not edit the
    files in a #includedir directory unless one of them contains a syntax
    error. It is still possible to run visudo with the -f flag to edit the
    files directly.

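As an added example (not sudo's code), this Python script reproduces the include rules above against a constructed directory tree: the file filter and lexical ordering of #includedir, the %h expansion of #include, and the nesting limit that stops an include loop. Where exactly the limit triggers is modelled as an assumption (128 levels of nesting).

```python
import os
import socket
import tempfile

MAX_INCLUDE_DEPTH = 128   # sudo's hard limit on nested include files


def includedir_files(directory):
    """Names sudo would read from an #includedir, in the order it reads them:
    plain lexical sort, skipping names ending in '~' or containing '.'."""
    names = [n for n in os.listdir(directory)
             if not n.endswith("~") and "." not in n
             and os.path.isfile(os.path.join(directory, n))]
    return sorted(names)   # lexical: '10_second' sorts before '1_whoops'


def expand_include(path, hostname=None):
    """Expand the %h escape to the short form of the host name."""
    short = (hostname or socket.gethostname()).split(".")[0]
    return path.replace("%h", short)


def parse_order(path, hostname=None, depth=0):
    """Return the files in the order sudo would process them, descending into
    #include and #includedir as they are reached and refusing to nest deeper
    than MAX_INCLUDE_DEPTH, which is what stops an include loop."""
    if depth >= MAX_INCLUDE_DEPTH:
        raise ValueError("include nesting exceeds %d at %s" % (MAX_INCLUDE_DEPTH, path))
    with open(path) as f:
        lines = f.read().splitlines()
    order = [path]
    for line in lines:
        directive, _, arg = line.strip().partition(" ")
        if directive == "#include":
            order += parse_order(expand_include(arg, hostname), hostname, depth + 1)
        elif directive == "#includedir":
            for name in includedir_files(arg):
                order += parse_order(os.path.join(arg, name), hostname, depth + 1)
    return order


def demo():
    """Build a constructed sudoers tree in a temp dir and report the order."""
    with tempfile.TemporaryDirectory() as root:
        inc = os.path.join(root, "sudoers.d")
        os.mkdir(inc)
        for name in ["01_first", "10_second", "1_whoops",
                     "README.txt", "20_local~", "05_net.rpmnew"]:
            open(os.path.join(inc, name), "w").close()
        with open(os.path.join(root, "sudoers.xerxes"), "w") as f:
            f.write("# per-host rules\n")
        main = os.path.join(root, "sudoers")
        with open(main, "w") as f:
            f.write("#include %s/sudoers.%%h\n#includedir %s\n" % (root, inc))
        order = [os.path.relpath(p, root).replace(os.sep, "/")
                 for p in parse_order(main, hostname="xerxes")]
        loop = os.path.join(root, "loop")   # a file that includes itself
        with open(loop, "w") as f:
            f.write("#include %s\n" % loop)
        try:
            parse_order(loop)
            loop_detected = False
        except ValueError:
            loop_detected = True
    return order, loop_detected
```
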
589:
590: OOtthheerr ssppeecciiaall cchhaarraacctteerrss aanndd rreesseerrvveedd wwoorrddss
591: The pound sign ('#') is used to indicate a comment (unless it is part
592: of a #include directive or unless it occurs in the context of a user
593: name and is followed by one or more digits, in which case it is treated
594: as a uid). Both the comment character and any text after it, up to the
595: end of the line, are ignored.
596:
597: The reserved word AALLLL is a built-in _a_l_i_a_s that always causes a match to
598: succeed. It can be used wherever one might otherwise use a Cmnd_Alias,
599: User_Alias, Runas_Alias, or Host_Alias. You should not try to define
600: your own _a_l_i_a_s called AALLLL as the built-in alias will be used in
601: preference to your own. Please note that using AALLLL can be dangerous
602: since in a command context, it allows the user to run aannyy command on
603: the system.
604:
605: An exclamation point ('!') can be used as a logical _n_o_t operator both
606: in an _a_l_i_a_s and in front of a Cmnd. This allows one to exclude certain
607: values. Note, however, that using a ! in conjunction with the built-in
608: ALL alias to allow a user to run "all but a few" commands rarely works
609: as intended (see SECURITY NOTES below).
610:
611: Long lines can be continued with a backslash ('\') as the last
612: character on the line.
613:
614: Whitespace between elements in a list as well as special syntactic
615: characters in a _U_s_e_r _S_p_e_c_i_f_i_c_a_t_i_o_n ('=', ':', '(', ')') is optional.
616:
    The following characters must be escaped with a backslash ('\') when
    used as part of a word (e.g. a user name or host name): '!', '=', ':',
    ',', '(', ')', '\'.

SUDOERS OPTIONS
    sudo's behavior can be modified by Default_Entry lines, as explained
    earlier.  A list of all supported Defaults parameters, grouped by type,
    is given below.

    Boolean Flags:

    always_set_home If enabled, sudo will set the HOME environment variable
                    to the home directory of the target user (which is root
                    unless the -u option is used).  This effectively means
                    that the -H option is always implied.  Note that HOME
                    is already set when the env_reset option is enabled, so
                    always_set_home is only effective for configurations
                    where either env_reset is disabled or HOME is present
                    in the env_keep list.  This flag is off by default.

    authenticate    If set, users must authenticate themselves via a
                    password (or other means of authentication) before they
                    may run commands.  This default may be overridden via
                    the PASSWD and NOPASSWD tags.  This flag is on by
                    default.

    closefrom_override
                    If set, the user may use sudo's -C option, which
                    overrides the default starting point at which sudo
                    begins closing open file descriptors.  This flag is off
                    by default.

    compress_io     If set, and sudo is configured to log a command's input
                    or output, the I/O logs will be compressed using zlib.
                    This flag is on by default when sudo is compiled with
                    zlib support.

    env_editor      If set, visudo will use the value of the EDITOR or
                    VISUAL environment variables before falling back on the
                    default editor list.  Note that this may create a
                    security hole as it allows the user to run any
                    arbitrary command as root without logging.  A safer
                    alternative is to place a colon-separated list of
                    editors in the editor variable.  visudo will then only
                    use EDITOR or VISUAL if they match a value specified in
                    editor.  This flag is off by default.

    env_reset       If set, sudo will reset the environment to only contain
                    the LOGNAME, MAIL, SHELL, USER, USERNAME and the SUDO_*
                    variables.  Any variables in the caller's environment
                    that match the env_keep and env_check lists are then
                    added.  The default contents of the env_keep and
                    env_check lists are displayed when sudo is run by root
                    with the -V option.  If the secure_path option is set,
                    its value will be used for the PATH environment
                    variable.  This flag is on by default.

    fast_glob       Normally, sudo uses the glob(3) function to do shell-
                    style globbing when matching path names.  However,
                    since it accesses the file system, glob(3) can take a
                    long time to complete for some patterns, especially
                    when the pattern references a network file system that
                    is mounted on demand (automounted).  The fast_glob
                    option causes sudo to use the fnmatch(3) function,
                    which does not access the file system to do its
                    matching.  The disadvantage of fast_glob is that it is
                    unable to match relative path names such as ./ls or
                    ../bin/ls.  This has security implications when path
                    names that include globbing characters are used with
                    the negation operator, '!', as such rules can be
                    trivially bypassed.  As such, this option should not be
                    used when sudoers contains rules that contain negated
                    path names which include globbing characters.  This
                    flag is off by default.

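    The bypass that the fast_glob description warns about, modelled as an
    added example; this is illustration code, not sudo's own matcher.  It
    assumes a rule list evaluated top to bottom with the last match winning,
    a constructed rule set equivalent to "ALL, !/usr/bin/passwd*", and, for
    the fast_glob-off case, that the typed command is resolved against the
    current directory before matching (a stand-in for glob(3), which
    consults the file system).  The fast_glob-on case matches the pattern
    against the string exactly as typed, which is the fnmatch(3) behavior
    the manual describes.

```python
# Added example (not sudo's source): a simplified model of command matching
# with and without fast_glob, to show why negated glob rules break.
import fnmatch
import posixpath

# Constructed rule list, in sudoers evaluation order; the second entry is the
# negated rule "!/usr/bin/passwd*".  Each entry is (pattern, allowed).
RULES = [
    ("ALL", True),
    ("/usr/bin/passwd*", False),
]


def command_matches(pattern, typed_command, cwd, fast_glob):
    """True if a sudoers command pattern matches the command the user typed.

    fast_glob on: fnmatch(3) semantics, a textual match against the command
    exactly as typed, with no file system access.
    fast_glob off: an assumption standing in for glob(3), which expands the
    pattern against the file system; the typed path is resolved to an
    absolute path against cwd and that is matched instead.
    """
    if pattern == "ALL":
        return True
    if fast_glob:
        return fnmatch.fnmatchcase(typed_command, pattern)
    resolved = posixpath.normpath(posixpath.join(cwd, typed_command))
    return fnmatch.fnmatchcase(resolved, pattern)


def decide(rules, typed_command, cwd, fast_glob):
    """Evaluate rules top to bottom; the last matching rule decides (assumed)."""
    allowed = False
    for pattern, permit in rules:
        if command_matches(pattern, typed_command, cwd, fast_glob):
            allowed = permit
    return allowed


if __name__ == "__main__":
    cases = [
        ("/usr/bin/passwd", "/"),        # sudo /usr/bin/passwd root
        ("./passwd", "/usr/bin"),        # cd /usr/bin; sudo ./passwd root
        ("../bin/passwd", "/usr/sbin"),  # cd /usr/sbin; sudo ../bin/passwd root
    ]
    for fast_glob in (False, True):
        print(f"fast_glob={'on' if fast_glob else 'off'}")
        for typed, cwd in cases:
            verdict = "ALLOWED" if decide(RULES, typed, cwd, fast_glob) else "denied"
            print(f"  cwd={cwd:<10} sudo {typed:<16} -> {verdict}")
```

    Running it shows "sudo /usr/bin/passwd root" denied either way, while
    "cd /usr/bin; sudo ./passwd root" slips past the negated pattern only
    when fast_glob is on, because the string "./passwd" never textually
    matches "/usr/bin/passwd*" and the catch-all ALL entry is then the last
    match.  Before enabling fast_glob, look through sudoers for '!' entries
    that contain globbing characters, as the manual advises.
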
    fqdn            Set this flag if you want to put fully qualified host
                    names in the sudoers file.  I.e., instead of myhost you
                    would use myhost.mydomain.edu.  You may still use the
                    short form if you wish (and even mix the two).  Beware
                    that turning on fqdn requires sudo to make DNS lookups
                    which may make sudo unusable if DNS stops working (for
                    example if the machine is not plugged into the
                    network).  Also note that you must use the host's
                    official name as DNS knows it.  That is, you may not
                    use a host alias (CNAME entry) due to performance
                    issues and the fact that there is no way to get all
                    aliases from DNS.  If your machine's host name (as
                    returned by the hostname command) is already fully
                    qualified you shouldn't need to set fqdn.  This flag is
                    off by default.

    ignore_dot      If set, sudo will ignore '.' or '' (current dir) in the
                    PATH environment variable; the PATH itself is not
                    modified.  This flag is off by default.

    ignore_local_sudoers
                    If set via LDAP, parsing of /etc/sudoers will be
                    skipped.  This is intended for enterprises that wish to
                    prevent the usage of local sudoers files so that only
                    LDAP is used.  This thwarts the efforts of rogue
                    operators who would attempt to add roles to
                    /etc/sudoers.  When this option is present,
                    /etc/sudoers does not even need to exist.  Since this
                    option tells sudo how to behave when no specific LDAP
                    entries have been matched, this sudoOption is only
                    meaningful for the cn=defaults section.  This flag is
                    off by default.

    insults         If set, sudo will insult users when they enter an
                    incorrect password.  This flag is off by default.

    log_host        If set, the host name will be logged in the (non-
                    syslog) sudo log file.  This flag is off by default.

    log_input       If set, sudo will run the command in a pseudo tty and
                    log all user input.  If the standard input is not
                    connected to the user's tty, due to I/O redirection or
                    because the command is part of a pipeline, that input
                    is also captured and stored in a separate log file.

                    Input is logged to the directory specified by the
                    iolog_dir option (/var/log/sudo-io by default) using a
                    unique session ID that is included in the normal sudo
                    log line, prefixed with TSID=.  The iolog_file option
                    may be used to control the format of the session ID.

                    Note that user input may contain sensitive information
                    such as passwords (even if they are not echoed to the
                    screen), which will be stored in the log file
                    unencrypted.  In most cases, logging the command output
                    via log_output is all that is required.

    log_output      If set, sudo will run the command in a pseudo tty and
                    log all output that is sent to the screen, similar to
                    the script(1) command.  If the standard output or
                    standard error is not connected to the user's tty, due
                    to I/O redirection or because the command is part of a
                    pipeline, that output is also captured and stored in
                    separate log files.

                    Output is logged to the directory specified by the
                    iolog_dir option (/var/log/sudo-io by default) using a
                    unique session ID that is included in the normal sudo
                    log line, prefixed with TSID=.  The iolog_file option
                    may be used to control the format of the session ID.

                    Output logs may be viewed with the sudoreplay(1m)
                    utility, which can also be used to list or search the
                    available logs.

    log_year        If set, the four-digit year will be logged in the (non-
                    syslog) sudo log file.  This flag is off by default.

    long_otp_prompt When validating with a One Time Password (OTP) scheme
                    such as S/Key or OPIE, a two-line prompt is used to
                    make it easier to cut and paste the challenge to a
                    local window.  It's not as pretty as the default but
                    some people find it more convenient.  This flag is off
                    by default.

    mail_always     Send mail to the mailto user every time a user runs
                    sudo.  This flag is off by default.

    mail_badpass    Send mail to the mailto user if the user running sudo
                    does not enter the correct password.  This flag is off
                    by default.

    mail_no_host    If set, mail will be sent to the mailto user if the
                    invoking user exists in the sudoers file, but is not
                    allowed to run commands on the current host.  This flag
                    is off by default.

    mail_no_perms   If set, mail will be sent to the mailto user if the
                    invoking user is allowed to use sudo but the command
                    they are trying is not listed in their sudoers file
                    entry or is explicitly denied.  This flag is off by
                    default.

    mail_no_user    If set, mail will be sent to the mailto user if the
                    invoking user is not in the sudoers file.  This flag is
                    on by default.

    noexec          If set, all commands run via sudo will behave as if the
                    NOEXEC tag has been set, unless overridden by an EXEC
                    tag.  See the description of NOEXEC and EXEC below as
                    well as the "PREVENTING SHELL ESCAPES" section at the
                    end of this manual.  This flag is off by default.

    path_info       Normally, sudo will tell the user when a command could
                    not be found in their PATH environment variable.  Some
                    sites may wish to disable this as it could be used to
                    gather information on the location of executables that
                    the normal user does not have access to.  The
                    disadvantage is that if the executable is simply not in
                    the user's PATH, sudo will tell the user that they are
                    not allowed to run it, which can be confusing.  This
                    flag is on by default.

    passprompt_override
                    The password prompt specified by passprompt will
                    normally only be used if the password prompt provided
                    by systems such as PAM matches the string "Password:".
                    If passprompt_override is set, passprompt will always
                    be used.  This flag is off by default.

    preserve_groups By default, sudo will initialize the group vector to
                    the list of groups the target user is in.  When
                    preserve_groups is set, the user's existing group
                    vector is left unaltered.  The real and effective group
                    IDs, however, are still set to match the target user.
                    This flag is off by default.

    pwfeedback      By default, sudo reads the password like most other
                    Unix programs, by turning off echo until the user hits
                    the return (or enter) key.  Some users become confused
                    by this as it appears to them that sudo has hung at
                    this point.  When pwfeedback is set, sudo will provide
                    visual feedback when the user presses a key.  Note that
                    this does have a security impact as an onlooker may be
                    able to determine the length of the password being
                    entered.  This flag is off by default.

    requiretty      If set, sudo will only run when the user is logged in
                    to a real tty.  When this flag is set, sudo can only be
                    run from a login session and not via other means such
                    as cron(1m) or cgi-bin scripts.  This flag is off by
                    default.

    root_sudo       If set, root is allowed to run sudo too.  Disabling
                    this prevents users from "chaining" sudo commands to
                    get a root shell by doing something like "sudo sudo
                    /bin/sh".  Note, however, that turning off root_sudo
                    will also prevent root from running sudoedit.
                    Disabling root_sudo provides no real additional
                    security; it exists purely for historical reasons.
                    This flag is on by default.

    rootpw          If set, sudo will prompt for the root password instead
                    of the password of the invoking user.  This flag is off
                    by default.

    runaspw         If set, sudo will prompt for the password of the user
                    defined by the runas_default option (defaults to root)
                    instead of the password of the invoking user.  This
                    flag is off by default.

    set_home        If enabled and sudo is invoked with the -s option the
                    HOME environment variable will be set to the home
                    directory of the target user (which is root unless the
                    -u option is used).  This effectively makes the -s
                    option imply -H.  Note that HOME is already set when
                    the env_reset option is enabled, so set_home is only
                    effective for configurations where either env_reset is
                    disabled or HOME is present in the env_keep list.  This
                    flag is off by default.

    set_logname     Normally, sudo will set the LOGNAME, USER and USERNAME
                    environment variables to the name of the target user
                    (usually root unless the -u option is given).  However,
                    since some programs (including the RCS revision control
                    system) use LOGNAME to determine the real identity of
                    the user, it may be desirable to change this behavior.
                    This can be done by negating the set_logname option.
                    Note that if the env_reset option has not been
                    disabled, entries in the env_keep list will override
                    the value of set_logname.  This flag is on by default.

    set_utmp        When enabled, sudo will create an entry in the utmp (or
                    utmpx) file when a pseudo-tty is allocated.  A pseudo-
                    tty is allocated by sudo when the log_input, log_output
                    or use_pty flags are enabled.  By default, the new
                    entry will be a copy of the user's existing utmp entry
                    (if any), with the tty, time, type and pid fields
                    updated.  This flag is on by default.

    setenv          Allow the user to disable the env_reset option from the
                    command line via the -E option.  Additionally,
                    environment variables set via the command line are not
                    subject to the restrictions imposed by env_check,
                    env_delete, or env_keep.  As such, only trusted users
                    should be allowed to set variables in this manner.
                    This flag is off by default.

    shell_noargs    If set and sudo is invoked with no arguments it acts as
                    if the -s option had been given.  That is, it runs a
                    shell as root (the shell is determined by the SHELL
                    environment variable if it is set, falling back on the
                    shell listed in the invoking user's /etc/passwd entry
                    if not).  This flag is off by default.

    stay_setuid     Normally, when sudo executes a command the real and
                    effective UIDs are set to the target user (root by
                    default).  This option changes that behavior such that
                    the real UID is left as the invoking user's UID.  In
                    other words, this makes sudo act as a setuid wrapper.
                    This can be useful on systems that disable some
                    potentially dangerous functionality when a program is
                    run setuid.  This option is only effective on systems
                    with either the setreuid() or setresuid() function.
                    This flag is off by default.

    targetpw        If set, sudo will prompt for the password of the user
                    specified by the -u option (defaults to root) instead
                    of the password of the invoking user.  In addition, the
                    timestamp file name will include the target user's
                    name.  Note that this flag precludes the use of a uid
                    not listed in the passwd database as an argument to the
                    -u option.  This flag is off by default.

    tty_tickets     If set, users must authenticate on a per-tty basis.
                    With this flag enabled, sudo will use a file named for
                    the tty the user is logged in on in the user's time
                    stamp directory.  If disabled, the time stamp of the
                    directory is used instead.  This flag is on by default.

    umask_override  If set, sudo will set the umask as specified by sudoers
                    without modification.  This makes it possible to
                    specify a more permissive umask in sudoers than the
                    user's own umask and matches historical behavior.  If
                    umask_override is not set, sudo will set the umask to
                    be the union of the user's umask and what is specified
                    in sudoers.  This flag is off by default.

    use_loginclass  If set, sudo will apply the defaults specified for the
                    target user's login class if one exists.  Only
                    available if sudo is configured with the
                    --with-logincap option.  This flag is off by default.

    use_pty         If set, sudo will run the command in a pseudo-pty even
                    if no I/O logging is being done.  A malicious program
                    run under sudo could conceivably fork a background
                    process that retains access to the user's terminal
                    device after the main program has finished executing.
                    Use of this option will make that impossible.  This
                    flag is off by default.

    utmp_runas      If set, sudo will store the name of the runas user when
                    updating the utmp (or utmpx) file.  By default, sudo
                    stores the name of the invoking user.  This flag is off
                    by default.

    visiblepw       By default, sudo will refuse to run if the user must
                    enter a password but it is not possible to disable echo
                    on the terminal.  If the visiblepw flag is set, sudo
                    will prompt for a password even when it would be
                    visible on the screen.  This makes it possible to run
                    things like "rsh somehost sudo ls" since rsh(1) does
                    not allocate a tty.  This flag is off by default.

    Integers:

    closefrom       Before it executes a command, sudo will close all open
                    file descriptors other than standard input, standard
                    output and standard error (i.e., file descriptors 0-2).
                    The closefrom option can be used to specify a different
                    file descriptor at which to start closing.  The default
                    is 3.

    passwd_tries    The number of tries a user gets to enter his/her
                    password before sudo logs the failure and exits.  The
                    default is 3.

    Integers that can be used in a boolean context:

    loglinelen      Number of characters per line for the file log.  This
                    value is used to decide when to wrap lines for nicer
                    log files.  This has no effect on the syslog log file,
                    only the file log.  The default is 80 (use 0 or negate
                    the option to disable word wrap).

    passwd_timeout  Number of minutes before the sudo password prompt times
                    out, or 0 for no timeout.  The timeout may include a
                    fractional component if minute granularity is
                    insufficient, for example 2.5.  The default is 5.

    timestamp_timeout
                    Number of minutes that can elapse before sudo will ask
                    for a password again.  The timeout may include a
                    fractional component if minute granularity is
                    insufficient, for example 2.5.  The default is 5.  Set
                    this to 0 to always prompt for a password.  If set to a
                    value less than 0 the user's timestamp will never
                    expire.  This can be used to allow users to create or
                    delete their own timestamps via sudo -v and sudo -k
                    respectively.

    umask           Umask to use when running the command.  Negate this
                    option or set it to 0777 to preserve the user's umask.
                    The actual umask that is used will be the union of the
                    user's umask and the value of the umask option, which
                    defaults to 0022.  This guarantees that sudo never
                    lowers the umask when running a command.  Note on
                    systems that use PAM, the default PAM configuration may
                    specify its own umask which will override the value set
                    in sudoers.

    Strings:

    badpass_message Message that is displayed if a user enters an incorrect
                    password.  The default is "Sorry, try again." unless
                    insults are enabled.

    editor          A colon (':') separated list of editors allowed to be
                    used with visudo.  visudo will choose the editor that
                    matches the user's EDITOR environment variable if
                    possible, or the first editor in the list that exists
                    and is executable.  The default is "vi".

    iolog_dir       The top-level directory to use when constructing the
                    path name for the input/output log directory.  Only
                    used if the log_input or log_output options are enabled
                    or when the LOG_INPUT or LOG_OUTPUT tags are present
                    for a command.  The session sequence number, if any, is
                    stored in the directory.  The default is
                    "/var/log/sudo-io".

                    The following percent (`%') escape sequences are
                    supported:

                    %{seq}
                        expanded to a monotonically increasing base-36
                        sequence number, such as 0100A5, where every two
                        digits are used to form a new directory, e.g.
                        01/00/A5

                    %{user}
                        expanded to the invoking user's login name

                    %{group}
                        expanded to the name of the invoking user's real
                        group ID

                    %{runas_user}
                        expanded to the login name of the user the command
                        will be run as (e.g. root)

                    %{runas_group}
                        expanded to the group name of the user the command
                        will be run as (e.g. wheel)

                    %{hostname}
                        expanded to the local host name without the domain
                        name

                    %{command}
                        expanded to the base name of the command being run

                    In addition, any escape sequences supported by the
                    system's strftime() function will be expanded.

                    To include a literal `%' character, the string `%%'
                    should be used.

    iolog_file      The path name, relative to iolog_dir, in which to store
                    input/output logs when the log_input or log_output
                    options are enabled or when the LOG_INPUT or LOG_OUTPUT
                    tags are present for a command.  Note that iolog_file
                    may contain directory components.  The default is
                    "%{seq}".

                    See the iolog_dir option above for a list of supported
                    percent (`%') escape sequences.

                    In addition to the escape sequences, path names that
                    end in six or more Xs will have the Xs replaced with a
                    unique combination of digits and letters, similar to
                    the mktemp() function.

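    The iolog_dir and iolog_file escape rules above, worked through as an
    added example; this is illustration code, not sudo's own path builder.
    The user, group, host and command names in CONTEXT are constructed, the
    sequence number is a plain integer (sudo keeps it in a file under
    iolog_dir, which this example does not model), and the random suffix for
    a trailing run of Xs is drawn from the same base-36 alphabet as the
    sequence number, which is an assumption about the character set.

```python
# Added example (not sudo's source): expanding the iolog_dir / iolog_file
# escapes into the directory that receives a session's I/O logs.
import re
import secrets
import string
import time

BASE36 = string.digits + string.ascii_uppercase
TRAILING_XS = re.compile(r"X{6,}$")

# Constructed sample context; the names are made up for the demonstration.
CONTEXT = {
    "seq": 1679981,          # == 0100A5 in base 36
    "user": "millert",
    "group": "staff",
    "runas_user": "root",
    "runas_group": "wheel",
    "hostname": "bigtime",
    "command": "vi",
}
SAMPLE_TIME = time.strptime("2012-03-04 05:06:07", "%Y-%m-%d %H:%M:%S")


def seq_to_dirs(seq):
    """Zero-padded six-digit base-36 encoding, split every two digits into a
    directory component: 1679981 -> '01/00/A5'."""
    digits = ""
    n = seq
    while n:
        n, rem = divmod(n, 36)
        digits = BASE36[rem] + digits
    digits = digits.rjust(6, "0")
    return "/".join(digits[i:i + 2] for i in range(0, len(digits), 2))


def expand(template, context, when):
    """Expand %{name} escapes first, then hand the rest to strftime(), which
    also collapses %% to a literal %."""
    def repl(match):
        key = match.group(1)
        if key == "seq":
            return seq_to_dirs(context["seq"])
        return context[key]
    expanded = re.sub(r"%\{(\w+)\}", repl, template)
    return time.strftime(expanded, when)


def iolog_path(iolog_dir, iolog_file, context, when):
    """Join the expanded iolog_dir and iolog_file; a trailing run of six or
    more Xs is replaced with random characters, like mktemp()."""
    path = expand(iolog_dir, context, when) + "/" + expand(iolog_file, context, when)
    return TRAILING_XS.sub(
        lambda m: "".join(secrets.choice(BASE36) for _ in m.group(0)), path)


if __name__ == "__main__":
    # The defaults: iolog_dir=/var/log/sudo-io, iolog_file=%{seq}
    print(iolog_path("/var/log/sudo-io", "%{seq}", CONTEXT, SAMPLE_TIME))
    # A per-user, per-day layout with a mktemp-style suffix
    print(iolog_path("/var/log/sudo-io/%{user}/%Y-%m-%d",
                     "%{runas_user}-%{command}.XXXXXX", CONTEXT, SAMPLE_TIME))
```

    The expanded iolog_file value is what the log_input and log_output
    descriptions call the session ID, the string that follows TSID= in the
    normal sudo log line, so it is the join key between the text log and the
    I/O log directory when you hand a session to sudoreplay.
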
    mailsub         Subject of the mail sent to the mailto user.  The escape
                    %h will expand to the host name of the machine.
                    Default is "*** SECURITY information for %h ***".

    noexec_file     This option is deprecated and will be removed in a
                    future release of sudo.  The path to the noexec file
                    should now be set in the /etc/sudo.conf file.

    passprompt      The default prompt to use when asking for a password;
                    can be overridden via the -p option or the SUDO_PROMPT
                    environment variable.  The following percent (`%')
                    escape sequences are supported:

                    %H  expanded to the local host name including the
                        domain name (only if the machine's host name is
                        fully qualified or the fqdn option is set)

                    %h  expanded to the local host name without the domain
                        name

                    %p  expanded to the user whose password is being asked
                        for (respects the rootpw, targetpw and runaspw
                        flags in sudoers)

                    %U  expanded to the login name of the user the command
                        will be run as (defaults to root)

                    %u  expanded to the invoking user's login name

                    %%  two consecutive % characters are collapsed into a
                        single % character

                    The default value is "Password:".

    role            The default SELinux role to use when constructing a new
                    security context to run the command.  The default role
                    may be overridden on a per-command basis in sudoers or
                    via command line options.  This option is only
                    available when sudo is built with SELinux support.

    runas_default   The default user to run commands as if the -u option is
                    not specified on the command line.  This defaults to
                    root.

    syslog_badpri   Syslog priority to use when the user authenticates
                    unsuccessfully.  Defaults to alert.

                    The following syslog priorities are supported: alert,
                    crit, debug, emerg, err, info, notice, and warning.

    syslog_goodpri  Syslog priority to use when the user authenticates
                    successfully.  Defaults to notice.

                    See syslog_badpri for the list of supported syslog
                    priorities.

    sudoers_locale  Locale to use when parsing the sudoers file, logging
                    commands, and sending email.  Note that changing the
                    locale may affect how sudoers is interpreted.  Defaults
                    to "C".

    timestampdir    The directory in which sudo stores its timestamp files.
                    The default is /var/adm/sudo.

    timestampowner  The owner of the timestamp directory and the timestamps
                    stored therein.  The default is root.

    type            The default SELinux type to use when constructing a new
                    security context to run the command.  The default type
                    may be overridden on a per-command basis in sudoers or
                    via command line options.  This option is only
                    available when sudo is built with SELinux support.

1160:
1161: env_file The _e_n_v___f_i_l_e options specifies the fully qualified path to
1162: a file containing variables to be set in the environment of
1163: the program being run. Entries in this file should either
1164: be of the form VARIABLE=value or export VARIABLE=value.
1165: The value may optionally be surrounded by single or double
1166: quotes. Variables in this file are subject to other ssuuddoo
1167: environment settings such as _e_n_v___k_e_e_p and _e_n_v___c_h_e_c_k.
1168:
1169: exempt_group
1170: Users in this group are exempt from password and PATH
1171: requirements. The group name specified should not include
1172: a % prefix. This is not set by default.
1173:
1174: group_plugin
1175: A string containing a _s_u_d_o_e_r_s group plugin with optional
1176: arguments. This can be used to implement support for the
1177: nonunix_group syntax described earlier. The string should
1178: consist of the plugin path, either fully-qualified or
1179: relative to the _/_u_s_r_/_l_o_c_a_l_/_l_i_b_e_x_e_c directory, followed by
1180: any configuration arguments the plugin requires. These
1181: arguments (if any) will be passed to the plugin's
1182: initialization function. If arguments are present, the
1183: string must be enclosed in double quotes (").
1184:
1185: For example, given _/_e_t_c_/_s_u_d_o_-_g_r_o_u_p, a group file in Unix
1186: group format, the sample group plugin can be used:
1187:
1188: Defaults group_plugin="sample_group.so /etc/sudo-group"
1189:
1190: For more information see _s_u_d_o___p_l_u_g_i_n(4).
1191:
1192: lecture This option controls when a short lecture will be printed
1193: along with the password prompt. It has the following
1194: possible values:
1195:
1196: always Always lecture the user.
1197:
1198: never Never lecture the user.
1199:
1200: once Only lecture the user the first time they run ssuuddoo.
1201:
1202: If no value is specified, a value of _o_n_c_e is implied.
1203: Negating the option results in a value of _n_e_v_e_r being used.
1204: The default value is _o_n_c_e.
1205:
1206: lecture_file
1207: Path to a file containing an alternate ssuuddoo lecture that
1208: will be used in place of the standard lecture if the named
1209: file exists. By default, ssuuddoo uses a built-in lecture.
1210:
1211: listpw This option controls when a password will be required when
1212: a user runs ssuuddoo with the --ll option. It has the following
1213: possible values:
1214:
1215: all All the user's _s_u_d_o_e_r_s entries for the current host
1216: must have the NOPASSWD flag set to avoid entering a
1217: password.
1218:
1219: always The user must always enter a password to use the --ll
1220: option.
1221:
1222: any At least one of the user's _s_u_d_o_e_r_s entries for the
1223: current host must have the NOPASSWD flag set to
1224: avoid entering a password.
1225:
1226: never The user need never enter a password to use the --ll
1227: option.
1228:
1229: If no value is specified, a value of _a_n_y is implied.
1230: Negating the option results in a value of _n_e_v_e_r being used.
1231: The default value is _a_n_y.
1232:
    logfile         Path to the sudo log file (not the syslog log file).
                    Setting a path turns on logging to a file; negating
                    this option turns it off.  By default, sudo logs via
                    syslog.

    mailerflags     Flags to use when invoking mailer.  Defaults to -t.

    mailerpath      Path to mail program used to send warning mail.
                    Defaults to the path to sendmail found at configure
                    time.

    mailfrom        Address to use for the "from" address when sending
                    warning and error mail.  The address should be enclosed
                    in double quotes (") to protect against sudo
                    interpreting the @ sign.  Defaults to the name of the
                    user running sudo.

    mailto          Address to send warning and error mail to.  The address
                    should be enclosed in double quotes (") to protect
                    against sudo interpreting the @ sign.  Defaults to
                    root.

    secure_path     Path used for every command run from sudo.  If you
                    don't trust the people running sudo to have a sane PATH
                    environment variable you may want to use this.  Another
                    use is if you want to have the "root path" be separate
                    from the "user path."  Users in the group specified by
                    the exempt_group option are not affected by
                    secure_path.  This option is not set by default.

    syslog          Syslog facility if syslog is being used for logging
                    (negate to disable syslog logging).  Defaults to auth.

                    The following syslog facilities are supported: authpriv
                    (if your OS supports it), auth, daemon, user, local0,
                    local1, local2, local3, local4, local5, local6, and
                    local7.

    verifypw        This option controls when a password will be required
                    when a user runs sudo with the -v option.  It has the
                    following possible values:

                    all     All the user's sudoers entries for the current
                            host must have the NOPASSWD flag set to avoid
                            entering a password.

                    always  The user must always enter a password to use
                            the -v option.

                    any     At least one of the user's sudoers entries for
                            the current host must have the NOPASSWD flag
                            set to avoid entering a password.

                    never   The user need never enter a password to use the
                            -v option.

                    If no value is specified, a value of all is implied.
                    Negating the option results in a value of never being
                    used.  The default value is all.

1289:
1290: env_check Environment variables to be removed from the user's
1291: environment if the variable's value contains % or /
1292: characters. This can be used to guard against printf-
1293: style format vulnerabilities in poorly-written
1294: programs. The argument may be a double-quoted, space-
1295: separated list or a single value without double-quotes.
1296: The list can be replaced, added to, deleted from, or
1297: disabled by using the =, +=, -=, and ! operators
1298: respectively. Regardless of whether the env_reset
1299: option is enabled or disabled, variables specified by
1300: env_check will be preserved in the environment if they
1301: pass the aforementioned check. The default list of
1302: environment variables to check is displayed when ssuuddoo
1303: is run by root with the _-_V option.
1304:
1305: env_delete Environment variables to be removed from the user's
1306: environment when the _e_n_v___r_e_s_e_t option is not in effect.
1307: The argument may be a double-quoted, space-separated
1308: list or a single value without double-quotes. The list
1309: can be replaced, added to, deleted from, or disabled by
1310: using the =, +=, -=, and ! operators respectively. The
1311: default list of environment variables to remove is
1312: displayed when ssuuddoo is run by root with the _-_V option.
1313: Note that many operating systems will remove
1314: potentially dangerous variables from the environment of
1315: any setuid process (such as ssuuddoo).
1316:
1317: env_keep Environment variables to be preserved in the user's
1318: environment when the _e_n_v___r_e_s_e_t option is in effect.
1319: This allows fine-grained control over the environment
1320: ssuuddoo-spawned processes will receive. The argument may
1321: be a double-quoted, space-separated list or a single
1322: value without double-quotes. The list can be replaced,
1323: added to, deleted from, or disabled by using the =, +=,
1324: -=, and ! operators respectively. The default list of
1325: variables to keep is displayed when ssuuddoo is run by root
1326: with the _-_V option.
1327:
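    How the env_reset flag, the env_file option and the env_check,
    env_delete and env_keep lists described above combine, as an added
    example; this is illustration code, not sudo's own environment code.
    The caller environment, the option lists and the env_file contents are
    all constructed for the demonstration (the real compiled-in lists are
    the ones "sudo -V" prints).  Two points are assumptions rather than
    statements from this page: env_file entries are merged into the caller's
    environment before the lists are applied, and env_file lines that are
    not assignments are skipped.

```python
# Added example (not sudo's source): how env_reset, env_keep, env_check,
# env_delete and env_file combine to produce the command's environment.
import re

# Always kept when env_reset is on, per the env_reset description.
ALWAYS_KEPT = {"LOGNAME", "MAIL", "SHELL", "USER", "USERNAME"}

# VAR=value or export VAR=value; the value may be single- or double-quoted.
ENV_FILE_LINE = re.compile(r"^\s*(?:export\s+)?([A-Za-z_][A-Za-z0-9_]*)=(.*?)\s*$")

# Constructed caller environment and option lists (chosen for the
# demonstration, not the compiled-in defaults that `sudo -V` prints).
CALLER_ENV = {
    "PATH": "/home/mallory/bin:/usr/bin:/bin",
    "HOME": "/home/mallory",
    "USER": "mallory",
    "LANG": "en_US.UTF-8",
    "TZ": "UTC",
    "COLORTERM": "%n%n%n%n",          # format-string payload; fails env_check
    "LD_PRELOAD": "/tmp/hook.so",     # library injection; listed in env_delete
}
ENV_KEEP = {"HOME", "LANG"}
ENV_CHECK = {"TZ", "COLORTERM"}
ENV_DELETE = {"LD_PRELOAD"}
ENV_FILE = 'export EDITOR="/usr/bin/vi"\nLANG=C\n# comments are ignored\n'


def parse_env_file(text):
    """Parse env_file lines into a dict.  Lines that are not assignments are
    skipped (assumption; this page does not say how sudo treats them)."""
    env = {}
    for line in text.splitlines():
        m = ENV_FILE_LINE.match(line)
        if not m:
            continue
        name, value = m.group(1), m.group(2)
        if len(value) >= 2 and value[0] == value[-1] and value[0] in "\"'":
            value = value[1:-1]
        env[name] = value
    return env


def passes_env_check(value):
    """env_check keeps a variable only if its value has no '%' or '/'."""
    return "%" not in value and "/" not in value


def build_environment(caller_env, env_reset=True, env_keep=frozenset(),
                      env_check=frozenset(), env_delete=frozenset(),
                      env_file_text=""):
    """Return the environment the command would receive.

    env_file entries are merged before filtering (assumed ordering), so they
    are subject to env_keep/env_check/env_delete as the manual says.
    """
    source = dict(caller_env)
    source.update(parse_env_file(env_file_text))
    result = {}
    for name, value in source.items():
        if name in env_check:
            # Applies whether or not env_reset is in effect.
            if passes_env_check(value):
                result[name] = value
        elif env_reset:
            if name in ALWAYS_KEPT or name.startswith("SUDO_") or name in env_keep:
                result[name] = value
        elif name not in env_delete:
            result[name] = value
    return result


if __name__ == "__main__":
    for reset in (True, False):
        env = build_environment(CALLER_ENV, env_reset=reset, env_keep=ENV_KEEP,
                                env_check=ENV_CHECK, env_delete=ENV_DELETE,
                                env_file_text=ENV_FILE)
        print(f"env_reset={'on' if reset else 'off'}: {sorted(env)}")
```

    With env_reset on, PATH, LD_PRELOAD and the env_file's EDITOR all drop
    out because nothing lists them, and COLORTERM is removed by env_check
    regardless of env_reset; with env_reset off, the caller's PATH survives
    and only the env_delete and env_check lists take anything away, which is
    why that mode is the one where an attacker-controlled shell environment
    matters most.
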
FILES
       /etc/sudoers          List of who can run what

       /etc/group            Local groups file

       /etc/netgroup         List of network groups

       /var/log/sudo-io      I/O log files

       /var/adm/sudo         Directory containing time stamps for the
                             sudoers security policy

       /etc/environment      Initial environment for -i mode on Linux and
                             AIX
1342:
EXAMPLES
       Below are example sudoers entries.  Admittedly, some of these are a bit
       contrived.  First, we allow a few environment variables to pass and
       then define our aliases:

        # Run X applications through sudo; HOME is used to find the
        # .Xauthority file.  Note that other programs use HOME to find
        # configuration files and this may lead to privilege escalation!
        Defaults env_keep += "DISPLAY HOME"

        # User alias specification
        User_Alias     FULLTIMERS = millert, mikef, dowdy
        User_Alias     PARTTIMERS = bostley, jwfox, crawl
        User_Alias     WEBMASTERS = will, wendy, wim

        # Runas alias specification
        Runas_Alias    OP = root, operator
        Runas_Alias    DB = oracle, sybase
        Runas_Alias    ADMINGRP = adm, oper

        # Host alias specification
        Host_Alias     SPARC = bigtime, eclipse, moet, anchor :\
                       SGI = grolsch, dandelion, black :\
                       ALPHA = widget, thalamus, foobar :\
                       HPPA = boa, nag, python
        Host_Alias     CUNETS = 128.138.0.0/255.255.0.0
        Host_Alias     CSNETS = 128.138.243.0, 128.138.204.0/24, 128.138.242.0
        Host_Alias     SERVERS = master, mail, www, ns
        Host_Alias     CDROM = orion, perseus, hercules

        # Cmnd alias specification
        Cmnd_Alias     DUMPS = /usr/bin/mt, /usr/sbin/dump, /usr/sbin/rdump,\
                               /usr/sbin/restore, /usr/sbin/rrestore
        Cmnd_Alias     KILL = /usr/bin/kill
        Cmnd_Alias     PRINTING = /usr/sbin/lpc, /usr/bin/lprm
        Cmnd_Alias     SHUTDOWN = /usr/sbin/shutdown
        Cmnd_Alias     HALT = /usr/sbin/halt
        Cmnd_Alias     REBOOT = /usr/sbin/reboot
        Cmnd_Alias     SHELLS = /usr/bin/sh, /usr/bin/csh, /usr/bin/ksh, \
                                /usr/local/bin/tcsh, /usr/bin/rsh, \
                                /usr/local/bin/zsh
        Cmnd_Alias     SU = /usr/bin/su
        Cmnd_Alias     PAGERS = /usr/bin/more, /usr/bin/pg, /usr/bin/less
1386:
       Here we override some of the compiled-in default values.  We want sudo
       to log via syslog(3) using the auth facility in all cases.  We don't
       want to subject the full time staff to the sudo lecture, user millert
       need not give a password, and we don't want to reset the LOGNAME, USER
       or USERNAME environment variables when running commands as root.
       Additionally, on the machines in the SERVERS Host_Alias, we keep an
       additional local log file and make sure we log the year in each log
       line since the log entries will be kept around for several years.
       Lastly, we disable shell escapes for the commands in the PAGERS
       Cmnd_Alias (/usr/bin/more, /usr/bin/pg and /usr/bin/less).

        # Override built-in defaults
        Defaults               syslog=auth
        Defaults>root          !set_logname
        Defaults:FULLTIMERS    !lecture
        Defaults:millert       !authenticate
        Defaults@SERVERS       log_year, logfile=/var/log/sudo.log
        Defaults!PAGERS        noexec

       The User specification is the part that actually determines who may run
       what.

        root           ALL = (ALL) ALL
        %wheel         ALL = (ALL) ALL

       We let root and any user in group wheel run any command on any host as
       any user.

        FULLTIMERS     ALL = NOPASSWD: ALL

       Full time sysadmins (millert, mikef, and dowdy) may run any command on
       any host without authenticating themselves.

        PARTTIMERS     ALL = ALL

       Part time sysadmins (bostley, jwfox, and crawl) may run any command on
       any host but they must authenticate themselves first (since the entry
       lacks the NOPASSWD tag).

        jack           CSNETS = ALL

       The user jack may run any command on the machines in the CSNETS alias
       (the networks 128.138.243.0, 128.138.204.0, and 128.138.242.0).  Of
       those networks, only 128.138.204.0 has an explicit netmask (in CIDR
       notation) indicating it is a class C network.  For the other networks
       in CSNETS, the local machine's netmask will be used during matching.

        lisa           CUNETS = ALL

       The user lisa may run any command on any host in the CUNETS alias (the
       class B network 128.138.0.0).

        operator       ALL = DUMPS, KILL, SHUTDOWN, HALT, REBOOT, PRINTING,\
                       sudoedit /etc/printcap, /usr/oper/bin/

       The operator user may run commands limited to simple maintenance.
       Here, those are commands related to backups, killing processes, the
       printing system, shutting down the system, and any commands in the
       directory /usr/oper/bin/.

        joe            ALL = /usr/bin/su operator

       The user joe may only su(1) to operator.

        pete           HPPA = /usr/bin/passwd [A-Za-z]*, !/usr/bin/passwd root

       The user pete is allowed to change anyone's password except for root on
       the HPPA machines.  Note that this assumes passwd(1) does not take
       multiple user names on the command line.

        %opers         ALL = (: ADMINGRP) /usr/sbin/

       Users in the opers group may run commands in /usr/sbin/ as themselves
       with any group in the ADMINGRP Runas_Alias (the adm and oper groups).

        bob            SPARC = (OP) ALL : SGI = (OP) ALL

       The user bob may run anything on the SPARC and SGI machines as any user
       listed in the OP Runas_Alias (root and operator).

        jim            +biglab = ALL

       The user jim may run any command on machines in the biglab netgroup.
       sudo knows that "biglab" is a netgroup due to the '+' prefix.

        +secretaries   ALL = PRINTING, /usr/bin/adduser, /usr/bin/rmuser

       Users in the secretaries netgroup need to help manage the printers as
       well as add and remove users, so they are allowed to run those commands
       on all machines.

        fred           ALL = (DB) NOPASSWD: ALL

       The user fred can run commands as any user in the DB Runas_Alias
       (oracle or sybase) without giving a password.

        john           ALPHA = /usr/bin/su [!-]*, !/usr/bin/su *root*

       On the ALPHA machines, user john may su to anyone except root but he is
       not allowed to specify any options to the su(1) command.

        jen            ALL, !SERVERS = ALL

       The user jen may run any command on any machine except for those in the
       SERVERS Host_Alias (master, mail, www and ns).

        jill           SERVERS = /usr/bin/, !SU, !SHELLS

       For any machine in the SERVERS Host_Alias, jill may run any commands in
       the directory /usr/bin/ except for those commands belonging to the SU
       and SHELLS Cmnd_Aliases.

        steve          CSNETS = (operator) /usr/local/op_commands/

       The user steve may run any command in the directory
       /usr/local/op_commands/ but only as user operator.

        matt           valkyrie = KILL

       On his personal workstation, valkyrie, matt needs to be able to kill
       hung processes.

        WEBMASTERS     www = (www) ALL, (root) /usr/bin/su www

       On the host www, any user in the WEBMASTERS User_Alias (will, wendy,
       and wim) may run any command as user www (which owns the web pages) or
       simply su(1) to www.

        ALL            CDROM = NOPASSWD: /sbin/umount /CDROM,\
                       /sbin/mount -o nosuid\,nodev /dev/cd0a /CDROM

       Any user may mount or unmount a CD-ROM on the machines in the CDROM
       Host_Alias (orion, perseus, hercules) without entering a password.
       This is a bit tedious for users to type, so it is a prime candidate for
       encapsulating in a shell script.
1522:
SECURITY NOTES
       It is generally not effective to "subtract" commands from ALL using the
       '!' operator.  A user can trivially circumvent this by copying the
       desired command to a different name and then executing that.  For
       example:

        bill           ALL = ALL, !SU, !SHELLS

       This doesn't really prevent bill from running the commands listed in
       SU or SHELLS since he can simply copy those commands to a different
       name, or use a shell escape from an editor or other program.
       Therefore, these kinds of restrictions should be considered advisory
       at best (and reinforced by policy).

       Furthermore, if the fast_glob option is in use, it is not possible to
       reliably negate commands where the path name includes globbing (aka
       wildcard) characters.  This is because the C library's fnmatch(3)
       function cannot resolve relative paths.  While this is typically only
       an inconvenience for rules that grant privileges, it can result in a
       security issue for rules that subtract or revoke privileges.

       For example, given the following sudoers entry:

        john   ALL = /usr/bin/passwd [a-zA-Z0-9]*, /usr/bin/chsh [a-zA-Z0-9]*,
                     /usr/bin/chfn [a-zA-Z0-9]*, !/usr/bin/* root

       User john can still run /usr/bin/passwd root if fast_glob is enabled by
       changing to /usr/bin and running ./passwd root instead.
1551:
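       The difference between the two matching modes is the whole story
       here, so it helps to model it.  The Python below is an added
       illustration for this page, not sudo's matching code: a wildcard
       entry is compared with fnmatch(3) against the literal string the user
       typed when fast_glob is on, and against the resolved path (standing
       in for sudo's glob(3) expansion plus device/inode comparison)
       otherwise; a plain entry is always compared by resolved path, and the
       last matching entry in a command list wins.  The rule list is the
       john entry above; the working directories are constructed, and the
       model uses path normalisation instead of stat(2) so it runs offline.
       An administrator can use it to check whether a negated wildcard entry
       in a policy still takes effect once fast_glob is enabled.

```python
"""Simplified model of sudoers command matching with and without fast_glob.
Added illustration for this page, not sudo's own code."""
import fnmatch
import os
from typing import List, NamedTuple, Optional

GLOB_CHARS = set("*?[")


class Rule(NamedTuple):
    path: str              # command path or wildcard pattern from sudoers
    args: Optional[str]    # argument pattern; None means any arguments
    negated: bool          # True for a '!' entry


def resolve(cmd: str, cwd: str) -> str:
    """Canonical absolute path of what the user typed.  Real sudo compares
    device and inode numbers; a normalised path stands in for that here."""
    return os.path.normpath(cmd if os.path.isabs(cmd) else os.path.join(cwd, cmd))


def path_matches(rule_path: str, user_cmd: str, cwd: str, fast_glob: bool) -> bool:
    if not (GLOB_CHARS & set(rule_path)):
        # Plain path: compared by file identity, regardless of fast_glob.
        return rule_path == resolve(user_cmd, cwd)
    if fast_glob:
        # fnmatch(3) only sees the literal string; "./passwd" does not match
        # "/usr/bin/*" even though it names the same file.
        return fnmatch.fnmatchcase(user_cmd, rule_path)
    # Default mode: glob(3) expands the pattern to real files, which are then
    # compared by identity with the user's command.
    return fnmatch.fnmatchcase(resolve(user_cmd, cwd), rule_path)


def args_match(rule_args: Optional[str], user_args: str) -> bool:
    return rule_args is None or fnmatch.fnmatchcase(user_args, rule_args)


def decide(rules: List[Rule], user_cmd: str, user_args: str,
           cwd: str, fast_glob: bool) -> str:
    """Return 'allow', 'deny' or 'no match'; the last matching entry wins."""
    verdict = "no match"
    for r in rules:
        if path_matches(r.path, user_cmd, cwd, fast_glob) and args_match(r.args, user_args):
            verdict = "deny" if r.negated else "allow"
    return verdict


# The john entry from the text, expressed as (path, args, negated).
JOHN_RULES = [
    Rule("/usr/bin/passwd", "[a-zA-Z0-9]*", False),
    Rule("/usr/bin/chsh", "[a-zA-Z0-9]*", False),
    Rule("/usr/bin/chfn", "[a-zA-Z0-9]*", False),
    Rule("/usr/bin/*", "root", True),
]


def audit_negation(rules: List[Rule], user_cmd: str, user_args: str, cwd: str) -> dict:
    """Compare both modes for one invocation; a policy that denies without
    fast_glob but allows with it depends on a negation fast_glob cannot enforce."""
    return {
        "default": decide(rules, user_cmd, user_args, cwd, fast_glob=False),
        "fast_glob": decide(rules, user_cmd, user_args, cwd, fast_glob=True),
    }


if __name__ == "__main__":
    # Constructed working directories for the demonstration.
    print(audit_negation(JOHN_RULES, "/usr/bin/passwd", "root", "/home/john"))
    print(audit_negation(JOHN_RULES, "./passwd", "root", "/usr/bin"))
```

       The mitigation the text implies is the conservative one: leave
       fast_glob at its default (off) wherever a '!' entry contains a
       wildcard, and, per the preceding paragraph, treat negations as
       advisory rather than as a security boundary.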
PREVENTING SHELL ESCAPES
       Once sudo executes a program, that program is free to do whatever it
       pleases, including run other programs.  This can be a security issue
       since it is not uncommon for a program to allow shell escapes, which
       lets a user bypass sudo's access control and logging.  Common programs
       that permit shell escapes include shells (obviously), editors,
       paginators, mail and terminal programs.

       There are two basic approaches to this problem:

       restrict  Avoid giving users access to commands that allow the user to
                 run arbitrary commands.  Many editors have a restricted mode
                 where shell escapes are disabled, though sudoedit is a better
                 solution to running editors via sudo.  Due to the large
                 number of programs that offer shell escapes, restricting
                 users to the set of programs that do not is often unworkable.

       noexec    Many systems that support shared libraries have the ability
                 to override default library functions by pointing an
                 environment variable (usually LD_PRELOAD) to an alternate
                 shared library.  On such systems, sudo's noexec functionality
                 can be used to prevent a program run by sudo from executing
                 any other programs.  Note, however, that this applies only to
                 native dynamically-linked executables.  Statically-linked
                 executables and foreign executables running under binary
                 emulation are not affected.

                 The noexec feature is known to work on SunOS, Solaris, *BSD,
                 Linux, IRIX, Tru64 UNIX, MacOS X, HP-UX 11.x and AIX 5.3 and
                 above.  It should be supported on most operating systems that
                 support the LD_PRELOAD environment variable.  Check your
                 operating system's manual pages for the dynamic linker
                 (usually ld.so, ld.so.1, dyld, dld.sl, rld, or loader) to see
                 if LD_PRELOAD is supported.

                 On Solaris 10 and higher, noexec uses Solaris privileges
                 instead of the LD_PRELOAD environment variable.

                 To enable noexec for a command, use the NOEXEC tag as
                 documented in the User Specification section above.  Here is
                 that example again:

                  aaron          shanty = NOEXEC: /usr/bin/more, /usr/bin/vi

                 This allows user aaron to run /usr/bin/more and /usr/bin/vi
                 with noexec enabled.  This will prevent those two commands
                 from executing other commands (such as a shell).  If you are
                 unsure whether or not your system is capable of supporting
                 noexec you can always just try it out and check whether shell
                 escapes work when noexec is enabled.

       Note that restricting shell escapes is not a panacea.  Programs running
       as root are still capable of many potentially hazardous operations
       (such as changing or overwriting files) that could lead to unintended
       privilege escalation.  In the specific case of an editor, a safer
       approach is to give the user permission to run sudoedit.
1608:
SECURITY NOTES
       sudoers will check the ownership of its time stamp directory
       (/var/adm/sudo by default) and ignore the directory's contents if it is
       not owned by root or if it is writable by a user other than root.  On
       systems that allow non-root users to give away files via chown(2), if
       the time stamp directory is located in a world-writable directory
       (e.g., /tmp), it is possible for a user to create the time stamp
       directory before sudo is run.  However, because sudoers checks the
       ownership and mode of the directory and its contents, the only damage
       that can be done is to "hide" files by putting them in the time stamp
       dir.  This is unlikely to happen since once the time stamp dir is owned
       by root and inaccessible by any other user, the user placing files
       there would be unable to get them back out.

       sudoers will not honor time stamps set far in the future.  Time stamps
       with a date greater than current_time + 2 * TIMEOUT will be ignored and
       sudo will log and complain.  This is done to keep a user from creating
       his/her own time stamp with a bogus date on systems that allow users to
       give away files if the time stamp directory is located in a world-
       writable directory.

       On systems where the boot time is available, sudoers will ignore time
       stamps that date from before the machine booted.

       Since time stamp files live in the file system, they can outlive a
       user's login session.  As a result, a user may be able to log in, run a
       command with sudo after authenticating, log out, log in again, and run
       sudo without authenticating so long as the time stamp file's
       modification time is within 5 minutes (or whatever the timeout is set
       to in sudoers).  When the tty_tickets option is enabled, the time stamp
       has per-tty granularity but still may outlive the user's session.  On
       Linux systems where the devpts filesystem is used, Solaris systems with
       the devices filesystem, as well as other systems that utilize a devfs
       filesystem that monotonically increases the inode number of devices as
       they are created (such as Mac OS X), sudoers is able to determine when
       a tty-based time stamp file is stale and will ignore it.
       Administrators should not rely on this feature as it is not universally
       available.
1647:
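       The checks described in the preceding paragraphs (directory owned by
       root and not writable by others; time stamps later than
       current_time + 2 * TIMEOUT rejected; time stamps from before boot
       rejected; otherwise valid within the timeout) can be written down as
       a small decision procedure.  The Python below is an added illustration
       for this page, not sudoers' own code: it takes the relevant numbers
       as plain arguments (seconds since the epoch, a 5-minute timeout by
       default, the uid and mode bits of the directory) instead of calling
       stat(2), so every input is constructed and the result is
       deterministic.

```python
"""Model of the time stamp sanity checks described in sudoers(4).
Added illustration for this page, not sudoers' own code."""
import stat
from typing import Optional

DEFAULT_TIMEOUT = 5 * 60   # seconds; sudoers' default timestamp_timeout is 5 minutes


def timestamp_dir_trusted(st_uid: int, st_mode: int) -> bool:
    """The directory's contents are honoured only if root owns it and neither
    group nor other has write permission."""
    return st_uid == 0 and not (st_mode & (stat.S_IWGRP | stat.S_IWOTH))


def timestamp_state(mtime: float, now: float, timeout: int = DEFAULT_TIMEOUT,
                    boot_time: Optional[float] = None) -> str:
    """Classify one time stamp file by its modification time.

    'future'  -> later than now + 2 * timeout; ignored and logged
    'preboot' -> older than the last boot, where the boot time is known; ignored
    'expired' -> older than the timeout; the user must authenticate again
    'valid'   -> within the timeout; no password prompt
    """
    if mtime > now + 2 * timeout:
        return "future"
    if boot_time is not None and mtime < boot_time:
        return "preboot"
    if now - mtime > timeout:
        return "expired"
    return "valid"


def needs_password(dir_uid: int, dir_mode: int, mtime: float, now: float,
                   timeout: int = DEFAULT_TIMEOUT,
                   boot_time: Optional[float] = None) -> bool:
    """Combine both checks: an untrusted directory means its stamps are
    ignored, so the user is prompted exactly as if no stamp existed."""
    if not timestamp_dir_trusted(dir_uid, dir_mode):
        return True
    return timestamp_state(mtime, now, timeout, boot_time) != "valid"


if __name__ == "__main__":
    # Constructed sample values: "now" is an arbitrary epoch second.
    now = 1_700_000_000
    print(timestamp_state(now - 120, now))                     # valid
    print(timestamp_state(now - 900, now))                     # expired
    print(timestamp_state(now + 1_000, now))                   # future
    print(timestamp_state(now - 120, now, boot_time=now - 60)) # preboot
    print(needs_password(0, 0o40700, now - 120, now))          # False
    print(needs_password(0, 0o40777, now - 120, now))          # True
```

       The ordering matters: the future check comes first so that a stamp
       with a bogus date is logged rather than silently treated as valid,
       and the boot-time check precedes the timeout comparison because a
       pre-boot stamp is never trustworthy however recent it looks relative
       to the clock.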
       If users have sudo ALL there is nothing to prevent them from creating
       their own program that gives them a root shell (or making their own
       copy of a shell) regardless of any '!' elements in the user
       specification.
1652:
SEE ALSO
       rsh(1), su(1), fnmatch(3), glob(3), mktemp(3), strftime(3),
       sudoers.ldap(4), sudo_plugin(1m), sudo(1m), visudo(1m)

CAVEATS
       The sudoers file should always be edited by the visudo command which
       locks the file and does grammatical checking.  It is imperative that
       sudoers be free of syntax errors since sudo will not run with a
       syntactically incorrect sudoers file.

       When using netgroups of machines (as opposed to users), if you store
       fully qualified host names in the netgroup (as is usually the case), you
       either need to have the machine's host name be fully qualified as
       returned by the hostname command or use the fqdn option in sudoers.

BUGS
       If you feel you have found a bug in sudo, please submit a bug report at
       http://www.sudo.ws/sudo/bugs/

SUPPORT
       Limited free support is available via the sudo-users mailing list, see
       http://www.sudo.ws/mailman/listinfo/sudo-users to subscribe or search
       the archives.

DISCLAIMER
       sudo is provided ``AS IS'' and any express or implied warranties,
       including, but not limited to, the implied warranties of
       merchantability and fitness for a particular purpose are disclaimed.
       See the LICENSE file distributed with sudo or
       http://www.sudo.ws/sudo/license.html for complete details.



1.8.3                          September 16, 2011                    SUDOERS(4)