Annotation of embedaddon/sudo/doc/sudoers.cat, revision 1.1.1.2

SUDOERS(4)                   MAINTENANCE COMMANDS                   SUDOERS(4)

NAME
       sudoers - default sudo security policy module

DESCRIPTION
       The sudoers policy module determines a user's sudo privileges.  It is
       the default sudo policy plugin.  The policy is driven by the
       /etc/sudoers file or, optionally, in LDAP.  The policy format is
       described in detail in the "SUDOERS FILE FORMAT" section.  For
       information on storing sudoers policy information in LDAP, please see
       sudoers.ldap(4).

   Authentication and Logging
       The sudoers security policy requires that most users authenticate
       themselves before they can use sudo.  A password is not required if the
       invoking user is root, if the target user is the same as the invoking
       user, or if the policy has disabled authentication for the user or
       command.  Unlike su(1), when sudoers requires authentication, it
       validates the invoking user's credentials, not the target user's (or
       root's) credentials.  This can be changed via the rootpw, targetpw and
       runaspw flags, described later.

       If a user who is not listed in the policy tries to run a command via
       sudo, mail is sent to the proper authorities.  The address used for
       such mail is configurable via the mailto Defaults entry (described
       later) and defaults to root.

       Note that mail will not be sent if an unauthorized user tries to run
       sudo with the -l or -v option.  This allows users to determine for
       themselves whether or not they are allowed to use sudo.

       If sudo is run by root and the SUDO_USER environment variable is set,
       the sudoers policy will use this value to determine who the actual user
       is.  This can be used by a user to log commands through sudo even when
       a root shell has been invoked.  It also allows the -e option to remain
       useful even when invoked via a sudo-run script or program.  Note,
       however, that the sudoers lookup is still done for root, not the user
       specified by SUDO_USER.

       sudoers uses time stamp files for credential caching.  Once a user has
       been authenticated, a time stamp is updated and the user may then use
       sudo without a password for a short period of time (5 minutes unless
       overridden by the timeout option).  By default, sudoers uses a tty-based
       time stamp, which means that there is a separate time stamp for each of
       a user's login sessions.  The tty_tickets option can be disabled to
       force the use of a single time stamp for all of a user's sessions.

       sudoers can log both successful and unsuccessful attempts (as well as
       errors) to syslog(3), a log file, or both.  By default, sudoers will
       log via syslog(3) but this is changeable via the syslog and logfile
       Defaults settings.

       sudoers also supports logging a command's input and output streams.
       I/O logging is not on by default but can be enabled using the log_input
       and log_output Defaults flags as well as the LOG_INPUT and LOG_OUTPUT
       command tags.

   Command Environment
       Since environment variables can influence program behavior, sudoers
       provides a means to restrict which variables from the user's
       environment are inherited by the command to be run.  There are two
       distinct ways sudoers can deal with environment variables.

       By default, the env_reset option is enabled.  This causes commands to
       be executed with a new, minimal environment.  On AIX (and Linux systems
       without PAM), the environment is initialized with the contents of the
       /etc/environment file.  On BSD systems, if the use_loginclass option is
       enabled, the environment is initialized based on the path and setenv
       settings in /etc/login.conf.  The new environment contains the TERM,
       PATH, HOME, MAIL, SHELL, LOGNAME, USER, USERNAME and SUDO_* variables
       in addition to variables from the invoking process permitted by the
       env_check and env_keep options.  This is effectively a whitelist for
       environment variables.

       If, however, the env_reset option is disabled, any variables not
       explicitly denied by the env_check and env_delete options are inherited
       from the invoking process.  In this case, env_check and env_delete
       behave like a blacklist.  Since it is not possible to blacklist all
       potentially dangerous environment variables, use of the default
       env_reset behavior is encouraged.

       In all cases, environment variables with a value beginning with () are
       removed as they could be interpreted as bash functions.  The list of
       environment variables that sudo allows or denies is contained in the
       output of sudo -V when run as root.

       Note that the dynamic linker on most operating systems will remove
       variables that can control dynamic linking from the environment of
       setuid executables, including sudo.  Depending on the operating system
       this may include _RLD*, DYLD_*, LD_*, LDR_*, LIBPATH, SHLIB_PATH, and
       others.  These types of variables are removed from the environment
       before sudo even begins execution and, as such, it is not possible for
       sudo to preserve them.

       As a special case, if sudo's -i option (initial login) is specified,
       sudoers will initialize the environment regardless of the value of
       env_reset.  The DISPLAY, PATH and TERM variables remain unchanged;
       HOME, MAIL, SHELL, USER, and LOGNAME are set based on the target user.
       On AIX (and Linux systems without PAM), the contents of
       /etc/environment are also included.  On BSD systems, if the
       use_loginclass option is enabled, the path and setenv variables in
       /etc/login.conf are also applied.  All other environment variables are
       removed.

       Finally, if the env_file option is defined, any variables present in
       that file will be set to their specified values as long as they would
       not conflict with an existing environment variable.
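The following is an added example, not code from the sudo project, that models the two environment-handling modes described above so the difference between the env_reset whitelist and the blacklist mode is visible on a concrete environment.  The sample environment, the BASE_VARS set (taken from the variable names in the text) and the env_keep/env_check/env_delete lists are constructed for the example; the rule that an env_check variable is kept only when its value contains neither '%' nor '/' is sudoers' documented env_check behaviour and is assumed here since this section does not spell it out.

```python
import fnmatch

# Names the text says are always present in the new environment.
BASE_VARS = {"TERM", "PATH", "HOME", "MAIL", "SHELL", "LOGNAME", "USER", "USERNAME"}

# Constructed sample environment of the invoking user (not real data).
SAMPLE_ENV = {
    "PATH": "/usr/bin:/bin",
    "HOME": "/home/alice",
    "SUDO_USER": "alice",
    "EDITOR": "vim",
    "TZ": "UTC",
    "TMPDIR": "/tmp/%d",                # on the env_check list but fails the value check
    "IFS": " ",                         # on no list: survives only in blacklist mode
    "LD_PRELOAD": "/tmp/x.so",
    "BASH_FUNC_ls%%": "() { ls -a; }",  # value starts with "()": always removed
}

def _matches(name, patterns):
    """Shell-style match so entries such as LC_* or SUDO_* cover a family of names."""
    return any(fnmatch.fnmatchcase(name, p) for p in patterns)

def _passes_env_check(value):
    # Assumption (sudoers' documented env_check rule, not stated in the section
    # above): a checked variable is kept only if its value has no '%' or '/'.
    return "%" not in value and "/" not in value

def filter_environment(env, env_reset=True, env_keep=(), env_check=(), env_delete=()):
    """Return the environment the command would receive.

    env_reset=True : whitelist; keep BASE_VARS, SUDO_*, env_keep names and
                     env_check names whose values pass the check.
    env_reset=False: blacklist; inherit everything except env_delete names and
                     env_check names whose values fail the check.
    A value beginning with "()" is dropped in both modes.
    """
    result = {}
    for name, value in env.items():
        if value.startswith("()"):
            continue
        checked = _matches(name, env_check)
        if env_reset:
            keep = (name in BASE_VARS or name.startswith("SUDO_")
                    or _matches(name, env_keep)
                    or (checked and _passes_env_check(value)))
        else:
            keep = (not _matches(name, env_delete)
                    and not (checked and not _passes_env_check(value)))
        if keep:
            result[name] = value
    return result

def whitelist_result(env=SAMPLE_ENV):
    return filter_environment(env, env_reset=True,
                              env_keep=("EDITOR",), env_check=("TZ", "TMPDIR"))

def blacklist_result(env=SAMPLE_ENV):
    return filter_environment(env, env_reset=False,
                              env_check=("TZ", "TMPDIR"), env_delete=("LD_*",))

if __name__ == "__main__":
    print("env_reset  :", sorted(whitelist_result()))
    print("!env_reset :", sorted(blacklist_result()))
```

The point to take from running it is the IFS variable: nobody listed it anywhere, so the whitelist drops it and the blacklist lets it through, which is exactly why the text recommends leaving env_reset enabled.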
1.1       misho     111: 
SUDOERS FILE FORMAT
       The sudoers file is composed of two types of entries: aliases
       (basically variables) and user specifications (which specify who may
       run what).

       When multiple entries match for a user, they are applied in order.
       Where there are multiple matches, the last match is used (which is not
       necessarily the most specific match).

       The sudoers grammar will be described below in Extended Backus-Naur
       Form (EBNF).  Don't despair if you don't know what EBNF is; it is
       fairly simple, and the definitions below are annotated.

   Quick guide to EBNF
       EBNF is a concise and exact way of describing the grammar of a
       language.  Each EBNF definition is made up of production rules.  E.g.,

        symbol ::= definition | alternate1 | alternate2 ...

       Each production rule references others and thus makes up a grammar for
       the language.  EBNF also contains the following operators, which many
       readers will recognize from regular expressions.  Do not, however,
       confuse them with "wildcard" characters, which have different meanings.

       ?   Means that the preceding symbol (or group of symbols) is optional.
           That is, it may appear once or not at all.

       *   Means that the preceding symbol (or group of symbols) may appear
           zero or more times.

       +   Means that the preceding symbol (or group of symbols) may appear
           one or more times.

       Parentheses may be used to group symbols together.  For clarity, we
       will use single quotes ('') to designate what is a verbatim character
       string (as opposed to a symbol name).

   Aliases
       There are four kinds of aliases: User_Alias, Runas_Alias, Host_Alias
       and Cmnd_Alias.

        Alias ::= 'User_Alias'  User_Alias (':' User_Alias)* |
                  'Runas_Alias' Runas_Alias (':' Runas_Alias)* |
                  'Host_Alias'  Host_Alias (':' Host_Alias)* |
                  'Cmnd_Alias'  Cmnd_Alias (':' Cmnd_Alias)*

        User_Alias ::= NAME '=' User_List

        Runas_Alias ::= NAME '=' Runas_List

        Host_Alias ::= NAME '=' Host_List

        Cmnd_Alias ::= NAME '=' Cmnd_List

        NAME ::= [A-Z]([A-Z][0-9]_)*

       Each alias definition is of the form

        Alias_Type NAME = item1, item2, ...

       where Alias_Type is one of User_Alias, Runas_Alias, Host_Alias, or
       Cmnd_Alias.  A NAME is a string of uppercase letters, numbers, and
       underscore characters ('_').  A NAME must start with an uppercase
       letter.  It is possible to put several alias definitions of the same
       type on a single line, joined by a colon (':').  E.g.,

        Alias_Type NAME = item1, item2, item3 : NAME = item4, item5

       The definitions of what constitutes a valid alias member follow.

        User_List ::= User |
                      User ',' User_List

        User ::= '!'* user name |
                 '!'* #uid |
                 '!'* %group |
                 '!'* %#gid |
                 '!'* +netgroup |
                 '!'* %:nonunix_group |
                 '!'* %:#nonunix_gid |
                 '!'* User_Alias

       A User_List is made up of one or more user names, user ids (prefixed
       with '#'), system group names and ids (prefixed with '%' and '%#'
       respectively), netgroups (prefixed with '+'), non-Unix group names and
       IDs (prefixed with '%:' and '%:#' respectively) and User_Aliases.  Each
       list item may be prefixed with zero or more '!' operators.  An odd
       number of '!' operators negates the value of the item; an even number
       just cancels out.

       A user name, uid, group, gid, netgroup, nonunix_group or nonunix_gid
       may be enclosed in double quotes to avoid the need for escaping special
       characters.  Alternately, special characters may be specified in
       escaped hex mode, e.g. \x20 for space.  When using double quotes, any
       prefix characters must be included inside the quotes.

       The actual nonunix_group and nonunix_gid syntax depends on the
       underlying group provider plugin (see the group_plugin description
       below).  For instance, the QAS AD plugin supports the following
       formats:

       o   Group in the same domain: "Group Name"

       o   Group in any domain: "Group Name@FULLY.QUALIFIED.DOMAIN"

       o   Group SID: "S-1-2-34-5678901234-5678901234-5678901234-567"

       Note that quotes around group names are optional.  Unquoted strings
       must use a backslash (\) to escape spaces and special characters.  See
       "Other special characters and reserved words" for a list of characters
       that need to be escaped.

        Runas_List ::= Runas_Member |
                       Runas_Member ',' Runas_List

        Runas_Member ::= '!'* user name |
                         '!'* #uid |
                         '!'* %group |
                         '!'* %#gid |
                         '!'* %:nonunix_group |
                         '!'* %:#nonunix_gid |
                         '!'* +netgroup |
                         '!'* Runas_Alias

       A Runas_List is similar to a User_List except that instead of
       User_Aliases it can contain Runas_Aliases.  Note that user names and
       groups are matched as strings.  In other words, two users (groups) with
       the same uid (gid) are considered to be distinct.  If you wish to match
       all user names with the same uid (e.g. root and toor), you can use a
       uid instead (#0 in the example given).

        Host_List ::= Host |
                      Host ',' Host_List

        Host ::= '!'* host name |
                 '!'* ip_addr |
                 '!'* network(/netmask)? |
                 '!'* +netgroup |
                 '!'* Host_Alias

       A Host_List is made up of one or more host names, IP addresses, network
       numbers, netgroups (prefixed with '+') and other aliases.  Again, the
       value of an item may be negated with the '!' operator.  If you do not
       specify a netmask along with the network number, sudo will query each
       of the local host's network interfaces and, if the network number
       corresponds to one of the host's network interfaces, the corresponding
       netmask will be used.  The netmask may be specified either in standard
       IP address notation (e.g. 255.255.255.0 or ffff:ffff:ffff:ffff::), or
       CIDR notation (number of bits, e.g. 24 or 64).  A host name may include
       shell-style wildcards (see the Wildcards section below), but unless the
       host name command on your machine returns the fully qualified host
       name, you'll need to use the fqdn option for wildcards to be useful.
       Note sudo only inspects actual network interfaces; this means that IP
       address 127.0.0.1 (localhost) will never match.  Also, the host name
       "localhost" will only match if that is the actual host name, which is
       usually only the case for non-networked systems.
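As an added example (not sudo's own matching code), the following evaluates a single Host item against a constructed host name and interface table, following the rules above: '!' counted for negation, host names matched with shell-style wildcards, networks given with a dotted, IPv6 or CIDR netmask, and a bare network number resolved by borrowing the netmask of the interface on that network.  HOSTNAME and INTERFACES are constructed stand-ins for what sudo would read from the local host; loopback is left out because sudoers never matches it.

```python
import fnmatch
import ipaddress

# Constructed stand-ins for the local host name and its (address, netmask)
# interfaces; no loopback entry, since sudoers only inspects real interfaces.
HOSTNAME = "webserver.example.com"
INTERFACES = [("192.168.1.20", "255.255.255.0"), ("10.0.0.5", "255.0.0.0")]

def prefixlen(mask):
    """Netmask length from CIDR bits ('24'), a dotted quad ('255.255.255.0')
    or an IPv6 mask ('ffff:ffff:ffff:ffff::')."""
    if mask.isdigit():
        return int(mask)
    addr = ipaddress.ip_address(mask)
    bits, value = addr.max_prefixlen, int(addr)
    ones = bin(value).count("1")
    contiguous = ((1 << bits) - 1) ^ ((1 << (bits - ones)) - 1)
    if value != contiguous:
        raise ValueError("non-contiguous netmask: %s" % mask)
    return ones

def _network(addr, mask):
    return ipaddress.ip_network("%s/%d" % (addr, prefixlen(mask)), strict=False)

def host_matches(item, hostname=HOSTNAME, interfaces=INTERFACES):
    """Evaluate one Host item; an odd number of leading '!' negates the result."""
    negate = False
    while item.startswith("!"):
        negate = not negate
        item = item[1:]
    return _item_matches(item, hostname, interfaces) != negate

def _item_matches(item, hostname, interfaces):
    addrs = [ipaddress.ip_address(ip) for ip, _ in interfaces]
    if "/" in item:                        # network/netmask in either notation
        net, mask = item.split("/", 1)
        return any(a in _network(net, mask) for a in addrs)
    try:
        target = ipaddress.ip_address(item)
    except ValueError:                     # a host name, possibly with wildcards
        return fnmatch.fnmatchcase(hostname, item)
    if target in addrs:                    # a plain ip_addr
        return True
    # a bare network number: use the netmask of the interface on that network
    return any(_network(ip, mask).network_address == target
               for ip, mask in interfaces)

if __name__ == "__main__":
    for item in ("192.168.1.0", "10.0.0.0/255.0.0.0", "!192.168.1.0/24",
                 "web*", "127.0.0.1", "localhost"):
        print("%-22s %s" % (item, host_matches(item)))
```

The two negative cases at the end are the ones worth remembering when writing a Host_List: 127.0.0.1 never matches because it is not on a real interface, and "localhost" only matches when it is literally the host name.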
                    268: 
        Cmnd_List ::= Cmnd |
                      Cmnd ',' Cmnd_List

        commandname ::= file name |
                        file name args |
                        file name '""'

        Cmnd ::= '!'* commandname |
                 '!'* directory |
                 '!'* "sudoedit" |
                 '!'* Cmnd_Alias

       A Cmnd_List is a list of one or more commandnames, directories, and
       other aliases.  A commandname is a fully qualified file name which may
       include shell-style wildcards (see the Wildcards section below).  A
       simple file name allows the user to run the command with any arguments
       he/she wishes.  However, you may also specify command line arguments
       (including wildcards).  Alternately, you can specify "" to indicate
       that the command may only be run without command line arguments.  A
       directory is a fully qualified path name ending in a '/'.  When you
       specify a directory in a Cmnd_List, the user will be able to run any
       file within that directory (but not in any subdirectories therein).

       If a Cmnd has associated command line arguments, then the arguments in
       the Cmnd must match exactly those given by the user on the command line
       (or match the wildcards if there are any).  Note that the following
       characters must be escaped with a '\' if they are used in command
       arguments: ',', ':', '=', '\'.  The special command "sudoedit" is used
       to permit a user to run sudo with the -e option (or as sudoedit).  It
       may take command line arguments just as a normal command does.
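The Cmnd rules above, as an added example (not sudo's own matcher): a Cmnd is split into its '!' prefix, file name and arguments, the '\' escapes for ',', ':', '=' and '\' are undone, and the user's argv is then matched against it.  A bare file name allows any arguments, "" allows none, a directory allows files directly inside it but not in subdirectories, and argument patterns are matched as a whole string with shell-style wildcards.  All the Cmnd strings and argv lists in the tests are constructed for the example.

```python
import fnmatch
import os

def _unescape(text):
    """Undo the '\\' escaping the format requires for ',', ':', '=' and '\\'."""
    out, i = [], 0
    while i < len(text):
        if text[i] == "\\" and i + 1 < len(text) and text[i + 1] in ",:=\\":
            out.append(text[i + 1])
            i += 2
        else:
            out.append(text[i])
            i += 1
    return "".join(out)

def parse_cmnd(cmnd):
    """Split a Cmnd into (negated, path, args); args is '' when none were given."""
    negate = False
    while cmnd.startswith("!"):
        negate = not negate
        cmnd = cmnd[1:]
    path, _, args = cmnd.strip().partition(" ")
    return negate, path, _unescape(args.strip())

def cmnd_matches(cmnd, user_argv):
    """Does the user's argv (program first, then its arguments) match this Cmnd?"""
    negate, path, args = parse_cmnd(cmnd)
    user_path, user_args = user_argv[0], " ".join(user_argv[1:])
    if path.endswith("/"):
        # directory: any file directly inside it, but nothing in subdirectories
        matched = os.path.dirname(user_path) + "/" == path
    elif path == "sudoedit":
        matched = user_path == "sudoedit"
    else:
        matched = fnmatch.fnmatchcase(user_path, path)   # file name, wildcards allowed
    if matched and not path.endswith("/"):
        if args == '""':
            matched = user_args == ""                     # allowed only without arguments
        elif args:
            matched = fnmatch.fnmatchcase(user_args, args)  # exact, or via wildcards
    return matched != negate

if __name__ == "__main__":
    for cmnd, argv in (("/bin/ls", ["/bin/ls", "-l", "/etc"]),
                       ('/bin/ls ""', ["/bin/ls", "-l"]),
                       ("/usr/bin/kill -9 *", ["/usr/bin/kill", "-9", "1234"]),
                       ("/usr/local/bin/", ["/usr/local/bin/sub/tool"])):
        print("%-24s %-36s %s" % (cmnd, " ".join(argv), cmnd_matches(cmnd, argv)))
```

Because the argument pattern is matched against the joined argument string, a trailing '*' such as in "/usr/bin/kill -9 *" also matches several extra arguments, not just one; when auditing a sudoers file, treat wildcards in arguments as permitting any argument list that fits the pattern, not a single word.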
                    299: 
   Defaults
       Certain configuration options may be changed from their default values
       at runtime via one or more Default_Entry lines.  These may affect all
       users on any host, all users on a specific host, a specific user, a
       specific command, or commands being run as a specific user.  Note that
       per-command entries may not include command line arguments.  If you
       need to specify arguments, define a Cmnd_Alias and reference that
       instead.

        Default_Type ::= 'Defaults' |
                         'Defaults' '@' Host_List |
                         'Defaults' ':' User_List |
                         'Defaults' '!' Cmnd_List |
                         'Defaults' '>' Runas_List

        Default_Entry ::= Default_Type Parameter_List

        Parameter_List ::= Parameter |
                           Parameter ',' Parameter_List

        Parameter ::= Parameter '=' Value |
                      Parameter '+=' Value |
                      Parameter '-=' Value |
                      '!'* Parameter

       Parameters may be flags, integer values, strings, or lists.  Flags are
       implicitly boolean and can be turned off via the '!' operator.  Some
       integer, string and list parameters may also be used in a boolean
       context to disable them.  Values may be enclosed in double quotes (")
       when they contain multiple words.  Special characters may be escaped
       with a backslash (\).

       Lists have two additional assignment operators, += and -=.  These
       operators are used to add to and delete from a list respectively.  It
       is not an error to use the -= operator to remove an element that does
       not exist in a list.

       Defaults entries are parsed in the following order: generic, host and
       user Defaults first, then runas Defaults and finally command defaults.

       See "SUDOERS OPTIONS" for a list of supported Defaults parameters.
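An added example, not sudo's parser, that applies plain Defaults lines in order according to the Parameter grammar above: '!' toggles a flag (odd count disables it), '=' assigns, '+=' and '-=' add to and remove from a list, and removing an absent element is not an error.  Values may be double-quoted and commas inside quotes do not split parameters.  The LIST_PARAMS set and the SAMPLE_DEFAULTS lines are constructed for the example (real sudoers knows each parameter's type by name); the scoped forms Defaults@, Defaults:, Defaults! and Defaults> are rejected rather than modelled.

```python
import re

# Constructed subset of list-typed parameters; sudoers itself knows every
# parameter's type by name, this example only needs these three.
LIST_PARAMS = {"env_keep", "env_check", "env_delete"}
PARAM_RE = re.compile(r"^(!*)\s*([A-Za-z_][A-Za-z0-9_]*)\s*(\+=|-=|=)?\s*(.*)$")

# Constructed sample policy lines.
SAMPLE_DEFAULTS = [
    "Defaults env_reset, timestamp_timeout=5",
    'Defaults env_keep = "EDITOR VISUAL"',
    'Defaults env_keep += "LANG LC_*", mailto=root',
    'Defaults env_keep -= "VISUAL NOT_THERE"',   # NOT_THERE is absent: no error
    "Defaults !env_reset",
]

def _split_params(text):
    """Split a Parameter_List on commas that are not inside double quotes."""
    parts, cur, quoted, i = [], [], False, 0
    while i < len(text):
        c = text[i]
        if c == "\\" and i + 1 < len(text):      # backslash escapes the next character
            cur.append(text[i + 1])
            i += 2
            continue
        if c == '"':
            quoted = not quoted
        if c == "," and not quoted:
            parts.append("".join(cur).strip())
            cur = []
        else:
            cur.append(c)
        i += 1
    parts.append("".join(cur).strip())
    return [p for p in parts if p]

def _value(name, raw):
    raw = raw[1:-1] if len(raw) >= 2 and raw[0] == raw[-1] == '"' else raw
    if name in LIST_PARAMS:
        return raw.split()
    return int(raw) if raw.isdigit() else raw

def apply_defaults(state, line):
    """Apply one plain 'Defaults' line to the dict of current parameter values."""
    rest = line.strip()
    if not rest.startswith("Defaults"):
        raise ValueError("not a Defaults line: %r" % line)
    rest = rest[len("Defaults"):]
    if rest[:1] in ("@", ":", "!", ">"):
        raise ValueError("scoped Defaults (host/user/command/runas) not modelled here")
    for param in _split_params(rest):
        m = PARAM_RE.match(param)
        if not m:
            raise ValueError("bad parameter: %r" % param)
        bangs, name, op, raw = m.groups()
        if op is None:
            # a flag, or another parameter in boolean context: odd '!' count disables it
            state[name] = len(bangs) % 2 == 0
        elif bangs:
            raise ValueError("'!' cannot be combined with an assignment: %r" % param)
        elif op == "=":
            state[name] = _value(name, raw)
        else:
            items = _value(name, raw)
            if not isinstance(items, list):
                raise ValueError("%s is not a list parameter" % name)
            current = state.get(name) or []
            if op == "+=":
                state[name] = current + [v for v in items if v not in current]
            else:   # "-=": removing an element that is not present is not an error
                state[name] = [v for v in current if v not in items]
    return state

def evaluate(lines=SAMPLE_DEFAULTS):
    """Fold the lines in order; later lines override earlier ones."""
    state = {}
    for line in lines:
        apply_defaults(state, line)
    return state

if __name__ == "__main__":
    print(evaluate())
```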
                    341: 
                    342:    UUsseerr SSppeecciiffiiccaattiioonn
                    343:         User_Spec ::= User_List Host_List '=' Cmnd_Spec_List \
                    344:                       (':' Host_List '=' Cmnd_Spec_List)*
                    345: 
                    346:         Cmnd_Spec_List ::= Cmnd_Spec |
                    347:                            Cmnd_Spec ',' Cmnd_Spec_List
                    348: 
                    349:         Cmnd_Spec ::= Runas_Spec? SELinux_Spec? Tag_Spec* Cmnd
                    350: 
                    351:         Runas_Spec ::= '(' Runas_List? (':' Runas_List)? ')'
                    352: 
                    353:         SELinux_Spec ::= ('ROLE=role' | 'TYPE=type')
                    354: 
                    355:         Tag_Spec ::= ('NOPASSWD:' | 'PASSWD:' | 'NOEXEC:' | 'EXEC:' |
                    356:                       'SETENV:' | 'NOSETENV:' | 'LOG_INPUT:' | 'NOLOG_INPUT:' |
                    357:                       'LOG_OUTPUT:' | 'NOLOG_OUTPUT:')
                    358: 
                    359:        A uusseerr ssppeecciiffiiccaattiioonn determines which commands a user may run (and as
                    360:        what user) on specified hosts.  By default, commands are run as rroooott,
                    361:        but this can be changed on a per-command basis.
                    362: 
                    363:        The basic structure of a user specification is `who where = (as_whom)
                    364:        what'.  Let's break that down into its constituent parts:
                    365: 
                    366:    RRuunnaass__SSppeecc
                    367:        A Runas_Spec determines the user and/or the group that a command may be
                    368:        run as.  A fully-specified Runas_Spec consists of two Runas_Lists (as
                    369:        defined above) separated by a colon (':') and enclosed in a set of
                    370:        parentheses.  The first Runas_List indicates which users the command
                    371:        may be run as via ssuuddoo's --uu option.  The second defines a list of
                    372:        groups that can be specified via ssuuddoo's --gg option.  If both Runas_Lists
                    373:        are specified, the command may be run with any combination of users and
                    374:        groups listed in their respective Runas_Lists.  If only the first is
                    375:        specified, the command may be run as any user in the list but no --gg
                    376:        option may be specified.  If the first Runas_List is empty but the
                    377:        second is specified, the command may be run as the invoking user with
                    378:        the group set to any listed in the Runas_List.  If no Runas_Spec is
                    379:        specified the command may be run as rroooott and no group may be specified.
                    380: 
                    381:        A Runas_Spec sets the default for the commands that follow it.  What
                    382:        this means is that for the entry:
                    383: 
                    384:         dgb    boulder = (operator) /bin/ls, /bin/kill, /usr/bin/lprm
                    385: 
                    386:        The user ddggbb may run _/_b_i_n_/_l_s, _/_b_i_n_/_k_i_l_l, and _/_u_s_r_/_b_i_n_/_l_p_r_m -- but only
                    387:        as ooppeerraattoorr.  E.g.,
                    388: 
                    389:         $ sudo -u operator /bin/ls
                    390: 
                    391:        It is also possible to override a Runas_Spec later on in an entry.  If
                    392:        we modify the entry like so:
                    393: 
        dgb    boulder = (operator) /bin/ls, (root) /bin/kill, /usr/bin/lprm

       Then user dgb is now allowed to run /bin/ls as operator, but /bin/kill
       and /usr/bin/lprm as root.

       We can extend this to allow dgb to run /bin/ls with either the user or
       group set to operator:

        dgb    boulder = (operator : operator) /bin/ls, (root) /bin/kill, \
               /usr/bin/lprm

       Note that while the group portion of the Runas_Spec permits the user to
       run a command with that group, it does not force the user to do so.
       If no group is specified on the command line, the command will run with
       the group listed in the target user's password database entry.  The
       following would all be permitted by the sudoers entry above:

        $ sudo -u operator /bin/ls
        $ sudo -u operator -g operator /bin/ls
        $ sudo -g operator /bin/ls

       In the following example, user tcm may run commands that access a modem
       device file with the dialer group.

        tcm    boulder = (:dialer) /usr/bin/tip, /usr/bin/cu, \
               /usr/local/bin/minicom

       Note that in this example only the group will be set; the command still
       runs as user tcm.  E.g.

        $ sudo -g dialer /usr/bin/cu

       Multiple users and groups may be present in a Runas_Spec, in which case
       the user may select any combination of users and groups via the -u and
       -g options.  In this example:

        alan   ALL = (root, bin : operator, system) ALL

       user alan may run any command as either user root or bin, optionally
       setting the group to operator or system.

   SELinux_Spec
       On systems with SELinux support, sudoers entries may optionally have an
       SELinux role and/or type associated with a command.  If a role or type
       is specified with the command it will override any default values
       specified in sudoers.  A role or type specified on the command line,
       however, will supersede the values in sudoers.

   Tag_Spec
       A command may have zero or more tags associated with it.  There are
       ten possible tag values: NOPASSWD, PASSWD, NOEXEC, EXEC, SETENV,
       NOSETENV, LOG_INPUT, NOLOG_INPUT, LOG_OUTPUT and NOLOG_OUTPUT.  Once a
       tag is set on a Cmnd, subsequent Cmnds in the Cmnd_Spec_List inherit
       the tag unless it is overridden by the opposite tag (i.e.: PASSWD
       overrides NOPASSWD and NOEXEC overrides EXEC).

       NOPASSWD and PASSWD

       By default, sudo requires that a user authenticate him or herself
       before running a command.  This behavior can be modified via the
       NOPASSWD tag.  Like a Runas_Spec, the NOPASSWD tag sets a default for
       the commands that follow it in the Cmnd_Spec_List.  Conversely, the
       PASSWD tag can be used to reverse things.  For example:

        ray    rushmore = NOPASSWD: /bin/kill, /bin/ls, /usr/bin/lprm

       would allow the user ray to run /bin/kill, /bin/ls, and /usr/bin/lprm
       as root on the machine rushmore without authenticating himself.  If we
       only want ray to be able to run /bin/kill without a password the entry
       would be:

        ray    rushmore = NOPASSWD: /bin/kill, PASSWD: /bin/ls, /usr/bin/lprm

       Note, however, that the PASSWD tag has no effect on users who are in
       the group specified by the exempt_group option.

       By default, if the NOPASSWD tag is applied to any of the entries for a
       user on the current host, he or she will be able to run sudo -l without
       a password.  Additionally, a user may only run sudo -v without a
       password if the NOPASSWD tag is present for all of that user's entries
       that pertain to the current host.  This behavior may be overridden via
       the verifypw and listpw options.

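       The Runas_Spec inheritance described earlier and the tag inheritance
       described here are worked in the following added example; it is not
       sudo's own parser.  It assumes root as the default run-as user
       (sudoers' runas_default) and uses the entries quoted in the text as
       constructed input.

```python
import re

# Each tag clears its opposite when it is applied to a Cmnd (page rule:
# "PASSWD overrides NOPASSWD and NOEXEC overrides EXEC").
TAG_OPPOSITE = {
    "NOPASSWD": "PASSWD", "PASSWD": "NOPASSWD",
    "NOEXEC": "EXEC", "EXEC": "NOEXEC",
    "SETENV": "NOSETENV", "NOSETENV": "SETENV",
    "LOG_INPUT": "NOLOG_INPUT", "NOLOG_INPUT": "LOG_INPUT",
    "LOG_OUTPUT": "NOLOG_OUTPUT", "NOLOG_OUTPUT": "LOG_OUTPUT",
}

# Assumption: the run-as user when no Runas_Spec has been given (sudoers'
# runas_default, which is root unless changed in Defaults).
RUNAS_DEFAULT = "root"

TAG_RE = re.compile(r"([A-Z_]+):\s*")


def parse_runas(body):
    """Split the text inside '( ... )' into (users, groups).

    '(root)'     -> (['root'], [])      group = root's primary group
    '(:dialer)'  -> ([], ['dialer'])    user stays the invoking user
    '(root, bin : operator, system)' -> (['root', 'bin'], ['operator', 'system'])
    """
    users, _, groups = body.partition(":")
    return ([u.strip() for u in users.split(",") if u.strip()],
            [g.strip() for g in groups.split(",") if g.strip()])


def parse_cmnd_spec_list(spec):
    """Return one dict per Cmnd giving the Runas_Spec and tags in effect for it.

    A Runas_Spec replaces the previous one for all following Cmnds; a tag is
    inherited by following Cmnds until its opposite tag appears.
    """
    spec = spec.replace("\\\n", " ")            # join continuation lines
    users, groups = [RUNAS_DEFAULT], []
    tags = set()
    result = []
    pos = 0
    while pos < len(spec):
        rest = spec[pos:]
        if rest[0].isspace() or rest[0] == ",":
            pos += 1
            continue
        if rest[0] == "(":                      # new Runas_Spec
            end = rest.index(")")
            users, groups = parse_runas(rest[1:end])
            pos += end + 1
            continue
        m = TAG_RE.match(rest)
        if m and m.group(1) in TAG_OPPOSITE:    # tag: applies to what follows
            tags.discard(TAG_OPPOSITE[m.group(1)])
            tags.add(m.group(1))
            pos += m.end()
            continue
        end = rest.find(",")                    # the Cmnd itself, up to the next comma
        if end < 0:
            end = len(rest)
        result.append({"cmd": rest[:end].strip(), "users": list(users),
                       "groups": list(groups), "tags": frozenset(tags)})
        pos += end
    return result


def parse_user_spec(line):
    """Parse 'user host = Cmnd_Spec_List' into (user, host, resolved Cmnds)."""
    lhs, _, rhs = line.partition("=")
    user, host = lhs.split()
    return user, host, parse_cmnd_spec_list(rhs)


if __name__ == "__main__":
    # Constructed input: the entries quoted in the text above.
    for entry in (
        "dgb    boulder = (operator : operator) /bin/ls, (root) /bin/kill, \\\n"
        "               /usr/bin/lprm",
        "tcm    boulder = (:dialer) /usr/bin/tip, /usr/bin/cu, /usr/local/bin/minicom",
        "ray    rushmore = NOPASSWD: /bin/kill, PASSWD: /bin/ls, /usr/bin/lprm",
    ):
        user, host, cmnds = parse_user_spec(entry)
        for c in cmnds:
            print("%s@%s: %-22s as %s group=%s tags=%s" % (
                user, host, c["cmd"], ",".join(c["users"]) or "<invoking user>",
                ",".join(c["groups"]) or "<target user's>", sorted(c["tags"]) or "-"))
```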
       NOEXEC and EXEC

       If sudo has been compiled with noexec support and the underlying
       operating system supports it, the NOEXEC tag can be used to prevent a
       dynamically-linked executable from running further commands itself.

       In the following example, user aaron may run /usr/bin/more and
       /usr/bin/vi but shell escapes will be disabled.

        aaron  shanty = NOEXEC: /usr/bin/more, /usr/bin/vi

       See the "Preventing Shell Escapes" section below for more details on
       how NOEXEC works and whether or not it will work on your system.

       SETENV and NOSETENV

       These tags override the value of the setenv option on a per-command
       basis.  Note that if SETENV has been set for a command, the user may
       disable the env_reset option from the command line via the -E option.
       Additionally, environment variables set on the command line are not
       subject to the restrictions imposed by env_check, env_delete, or
       env_keep.  As such, only trusted users should be allowed to set
       variables in this manner.  If the command matched is ALL, the SETENV
       tag is implied for that command; this default may be overridden by use
       of the NOSETENV tag.

       LOG_INPUT and NOLOG_INPUT

       These tags override the value of the log_input option on a per-command
       basis.  For more information, see the description of log_input in the
       "SUDOERS OPTIONS" section below.

       LOG_OUTPUT and NOLOG_OUTPUT

       These tags override the value of the log_output option on a per-command
       basis.  For more information, see the description of log_output in the
       "SUDOERS OPTIONS" section below.

   Wildcards
       sudo allows shell-style wildcards (aka meta or glob characters) to be
       used in host names, path names and command line arguments in the
       sudoers file.  Wildcard matching is done via the POSIX glob(3) and
       fnmatch(3) routines.  Note that these are not regular expressions.

       *       Matches any set of zero or more characters.

       ?       Matches any single character.

       [...]   Matches any character in the specified range.

       [!...]  Matches any character not in the specified range.

       \x      For any character "x", evaluates to "x".  This is used to
               escape special characters such as: "*", "?", "[", and "]".

       POSIX character classes may also be used if your system's glob(3) and
       fnmatch(3) functions support them.  However, because the ':' character
       has special meaning in sudoers, it must be escaped.  For example:

           /bin/ls [[\:alpha\:]]*

       would match any file name beginning with a letter.

       Note that a forward slash ('/') will not be matched by wildcards used
       in the path name.  When matching the command line arguments, however, a
       slash does get matched by wildcards.  This is to make a path like:

           /usr/bin/*

       match /usr/bin/who but not /usr/bin/X11/xterm.

   Exceptions to wildcard rules
       The following exceptions apply to the above rules:

       ""      If the empty string "" is the only command line argument in the
               sudoers entry it means that command is not allowed to be run
               with any arguments.

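       The matching rules above (wildcards do not cross '/' in path names but
       do in arguments, escaped POSIX classes, and the "" exception), worked
       as an added example that is not sudo's code.  It models fnmatch-style
       pattern matching only, not the file-system glob(3) lookup sudo performs
       on path names, and it relies on the sudoers rule, stated elsewhere in
       the manual, that a Cmnd listed without an argument pattern permits any
       arguments.

```python
import re

# POSIX character classes supported by this example (extend as needed).
POSIX_CLASSES = {"alpha": "a-zA-Z", "digit": "0-9", "alnum": "a-zA-Z0-9",
                 "upper": "A-Z", "lower": "a-z", "space": r" \t"}


def glob_to_regex(pattern, slash_is_wild):
    """Translate a sudoers wildcard pattern into an anchored Python regex.

    slash_is_wild=False gives path-name matching ('*' and '?' stop at '/'),
    slash_is_wild=True gives command-line-argument matching ('/' is ordinary).
    """
    pattern = pattern.replace("\\:", ":")       # ':' is only special to the sudoers lexer
    any_char = "." if slash_is_wild else "[^/]"
    out = []
    i = 0
    while i < len(pattern):
        c = pattern[i]
        if c == "\\" and i + 1 < len(pattern):  # \x matches the literal x
            out.append(re.escape(pattern[i + 1]))
            i += 2
        elif c == "*":
            out.append(any_char + "*")
            i += 1
        elif c == "?":
            out.append(any_char)
            i += 1
        elif c == "[":                          # bracket expression, maybe negated
            j = i + 1
            negate = pattern.startswith("!", j)
            if negate:
                j += 1
            body = []
            while j < len(pattern) and pattern[j] != "]":
                if pattern.startswith("[:", j):  # [:alpha:] inside the brackets
                    end = pattern.index(":]", j)
                    body.append(POSIX_CLASSES[pattern[j + 2:end]])
                    j = end + 2
                else:
                    body.append(pattern[j] if pattern[j] not in "\\]^" else "\\" + pattern[j])
                    j += 1
            if j >= len(pattern):
                raise ValueError("unterminated bracket expression in %r" % pattern)
            out.append("[" + ("^" if negate else "") + "".join(body) + "]")
            i = j + 1
        else:
            out.append(re.escape(c))
            i += 1
    return "".join(out)


def match_path(pattern, path):
    """Path-name match: wildcards never cross a '/'."""
    return re.fullmatch(glob_to_regex(pattern, False), path) is not None


def match_command(entry, argv):
    """Match a sudoers Cmnd (path plus optional argument pattern) against what
    the user typed; argv[0] is the resolved command path.

    As sudo does, the argument pattern is matched against the user's
    arguments joined by single spaces, with '/' treated as an ordinary
    character.
    """
    pattern_path, _, pattern_args = entry.strip().partition(" ")
    if not match_path(pattern_path, argv[0]):
        return False
    pattern_args = pattern_args.strip()
    if pattern_args == "":          # no argument pattern listed: any arguments permitted
        return True
    if pattern_args == '""':        # the "" exception: the command may take no arguments
        return len(argv) == 1
    return re.fullmatch(glob_to_regex(pattern_args, True), " ".join(argv[1:])) is not None
```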
   Including other files from within sudoers
       It is possible to include other sudoers files from within the sudoers
       file currently being parsed using the #include and #includedir
       directives.

       This can be used, for example, to keep a site-wide sudoers file in
       addition to a local, per-machine file.  For the sake of this example
       the site-wide sudoers will be /etc/sudoers and the per-machine one will
       be /etc/sudoers.local.  To include /etc/sudoers.local from within
       /etc/sudoers we would use the following line in /etc/sudoers:

           #include /etc/sudoers.local

       When sudo reaches this line it will suspend processing of the current
       file (/etc/sudoers) and switch to /etc/sudoers.local.  Upon reaching
       the end of /etc/sudoers.local, the rest of /etc/sudoers will be
       processed.  Files that are included may themselves include other files.
       A hard limit of 128 nested include files is enforced to prevent include
       file loops.

       If the path to the include file is not fully-qualified (does not begin
       with a /), it must be located in the same directory as the sudoers file
       it was included from.  For example, if /etc/sudoers contains the line:

           #include sudoers.local

       the file that will be included is /etc/sudoers.local.

       The file name may also include the %h escape, signifying the short form
       of the host name.  I.e., if the machine's host name is "xerxes", then

           #include /etc/sudoers.%h

       will cause sudo to include the file /etc/sudoers.xerxes.

       The #includedir directive can be used to create a sudo.d directory that
       the system package manager can drop sudoers rules into as part of
       package installation.  For example, given:

           #includedir /etc/sudoers.d

       sudo will read each file in /etc/sudoers.d, skipping file names that
       end in ~ or contain a . character to avoid causing problems with
       package manager or editor temporary/backup files.  Files are parsed in
       sorted lexical order.  That is, /etc/sudoers.d/01_first will be parsed
       before /etc/sudoers.d/10_second.  Be aware that because the sorting is
       lexical, not numeric, /etc/sudoers.d/1_whoops would be loaded after
       /etc/sudoers.d/10_second.  Using a consistent number of leading zeroes
       in the file names avoids such problems.

       Note that unlike files included via #include, visudo will not edit the
       files in a #includedir directory unless one of them contains a syntax
       error.  It is still possible to run visudo with the -f flag to edit the
       files directly.

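       The include resolution rules above (relative paths, the %h escape,
       #includedir filtering and lexical ordering, the 128-level nesting
       limit), worked as an added example that is not sudo's own code.  It
       walks a constructed in-memory file tree instead of /etc, and the
       misordered_numeric_prefixes lint check is this example's own addition.

```python
import posixpath
import re

INCLUDE_LIMIT = 128   # nesting depth sudoers enforces to stop include loops


def resolve_include(arg, including_file, hostname):
    """Expand %h (short host name) and resolve a relative path against the
    directory of the file that contains the #include line."""
    path = arg.replace("%h", hostname.split(".", 1)[0])
    if not path.startswith("/"):
        path = posixpath.join(posixpath.dirname(including_file), path)
    return path


def includedir_files(dirpath, names):
    """Files sudo reads from a #includedir directory, in the order it reads
    them: names ending in '~' or containing '.' are skipped, the rest are
    taken in sorted lexical (not numeric) order."""
    wanted = [n for n in names if not n.endswith("~") and "." not in n]
    return [posixpath.join(dirpath, n) for n in sorted(wanted)]


def misordered_numeric_prefixes(names):
    """Lint check: names whose numeric-prefix order disagrees with the
    lexical order sudo uses (e.g. 1_whoops sorting after 10_second)."""
    numbered = [n for n in names if re.match(r"\d", n)]
    lexical = sorted(numbered)
    numeric = sorted(numbered, key=lambda n: (int(re.match(r"\d+", n).group()), n))
    return [a for a, b in zip(lexical, numeric) if a != b]


def process_sudoers(files, dirs, path, hostname, depth=0, order=None):
    """Walk a constructed in-memory tree (files: path -> text, dirs: path ->
    directory listing) the way sudo does, returning the files in parse order.
    Raises RuntimeError when includes nest deeper than INCLUDE_LIMIT."""
    if order is None:
        order = []
    if depth > INCLUDE_LIMIT:
        raise RuntimeError("include nesting exceeds %d at %s" % (INCLUDE_LIMIT, path))
    order.append(path)
    for line in files[path].splitlines():
        words = line.split(None, 1)
        if len(words) != 2:
            continue
        if words[0] == "#include":
            target = resolve_include(words[1].strip(), path, hostname)
            process_sudoers(files, dirs, target, hostname, depth + 1, order)
        elif words[0] == "#includedir":
            dirpath = words[1].strip()
            for f in includedir_files(dirpath, dirs.get(dirpath, [])):
                process_sudoers(files, dirs, f, hostname, depth + 1, order)
    return order


def has_include_loop(files, dirs, path, hostname):
    """True when the include chain starting at `path` never terminates."""
    try:
        process_sudoers(files, dirs, path, hostname)
    except RuntimeError:
        return True
    return False


if __name__ == "__main__":
    # Constructed example tree matching the text above.
    files = {
        "/etc/sudoers": "Defaults env_reset\n#include sudoers.%h\n#includedir /etc/sudoers.d\n",
        "/etc/sudoers.xerxes": "",
        "/etc/sudoers.d/01_first": "", "/etc/sudoers.d/10_second": "",
        "/etc/sudoers.d/1_whoops": "",
    }
    dirs = {"/etc/sudoers.d": ["1_whoops", "README.md", "10_second", "01_first", "01_first~"]}
    for f in process_sudoers(files, dirs, "/etc/sudoers", "xerxes.example.com"):
        print("parsed", f)
    print("misordered:", misordered_numeric_prefixes(["01_first", "10_second", "1_whoops"]))
```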
   Other special characters and reserved words
       The pound sign ('#') is used to indicate a comment (unless it is part
       of a #include directive or unless it occurs in the context of a user
       name and is followed by one or more digits, in which case it is treated
       as a uid).  Both the comment character and any text after it, up to the
       end of the line, are ignored.

       The reserved word ALL is a built-in alias that always causes a match to
       succeed.  It can be used wherever one might otherwise use a Cmnd_Alias,
       User_Alias, Runas_Alias, or Host_Alias.  You should not try to define
       your own alias called ALL as the built-in alias will be used in
       preference to your own.  Please note that using ALL can be dangerous
       since in a command context, it allows the user to run any command on
       the system.

       An exclamation point ('!') can be used as a logical not operator both
       in an alias and in front of a Cmnd.  This allows one to exclude certain
       values.  Note, however, that using a ! in conjunction with the built-in
       ALL alias to allow a user to run "all but a few" commands rarely works
       as intended (see SECURITY NOTES below).

       Long lines can be continued with a backslash ('\') as the last
       character on the line.

       Whitespace between elements in a list as well as special syntactic
       characters in a User Specification ('=', ':', '(', ')') is optional.

       The following characters must be escaped with a backslash ('\') when
       used as part of a word (e.g. a user name or host name): '!', '=', ':',
       ',', '(', ')', '\'.

SUDOERS OPTIONS
       sudo's behavior can be modified by Default_Entry lines, as explained
       earlier.  A list of all supported Defaults parameters, grouped by type,
       is given below.

       Boolean Flags:

       always_set_home If enabled, sudo will set the HOME environment variable
                       to the home directory of the target user (which is root
                       unless the -u option is used).  This effectively means
                       that the -H option is always implied.  Note that HOME
                       is already set when the env_reset option is enabled,
                       so always_set_home is only effective for
                       configurations where either env_reset is disabled or
                       HOME is present in the env_keep list.  This flag is off
                       by default.

       authenticate    If set, users must authenticate themselves via a
                       password (or other means of authentication) before they
                       may run commands.  This default may be overridden via
                       the PASSWD and NOPASSWD tags.  This flag is on by
                       default.

       closefrom_override
                       If set, the user may use sudo's -C option which
                       overrides the default starting point at which sudo
                       begins closing open file descriptors.  This flag is off
                       by default.

       compress_io     If set, and sudo is configured to log a command's input
                       or output, the I/O logs will be compressed using zlib.
                       This flag is on by default when sudo is compiled with
                       zlib support.

       env_editor      If set, visudo will use the value of the EDITOR or
                       VISUAL environment variables before falling back on the
                       default editor list.  Note that this may create a
                       security hole as it allows the user to run any
                       arbitrary command as root without logging.  A safer
                       alternative is to place a colon-separated list of
                       editors in the editor variable.  visudo will then only
                       use EDITOR or VISUAL if they match a value specified
                       in editor.  This flag is off by default.

       env_reset       If set, sudo will run the command in a minimal
                       environment containing the TERM, PATH, HOME, MAIL,
                       SHELL, LOGNAME, USER, USERNAME and SUDO_* variables.
                       Any variables in the caller's environment that match
                       the env_keep and env_check lists are then added,
                       followed by any variables present in the file specified
                       by the env_file option (if any).  The default contents
                       of the env_keep and env_check lists are displayed when
                       sudo is run by root with the -V option.  If the
                       secure_path option is set, its value will be used for
                       the PATH environment variable.  This flag is on by
                       default.

       fast_glob       Normally, sudo uses the glob(3) function to do shell-
                       style globbing when matching path names.  However,
                       since it accesses the file system, glob(3) can take a
                       long time to complete for some patterns, especially
                       when the pattern references a network file system that
                       is mounted on demand (automounted).  The fast_glob
                       option causes sudo to use the fnmatch(3) function,
                       which does not access the file system to do its
                       matching.  The disadvantage of fast_glob is that it is
                       unable to match relative path names such as ./ls or
                       ../bin/ls.  This has security implications when path
                       names that include globbing characters are used with
                       the negation operator, '!', as such rules can be
                       trivially bypassed.  As such, this option should not be
                       used when sudoers contains rules that contain negated
                       path names which include globbing characters.  This
                       flag is off by default.

       fqdn            Set this flag if you want to put fully qualified host
                       names in the sudoers file.  I.e., instead of myhost you
                       would use myhost.mydomain.edu.  You may still use the
                       short form if you wish (and even mix the two).  Beware
                       that turning on fqdn requires sudo to make DNS lookups
                       which may make sudo unusable if DNS stops working (for
                       example if the machine is not plugged into the
                       network).  Also note that you must use the host's
                       official name as DNS knows it.  That is, you may not
                       use a host alias (CNAME entry) due to performance
                       issues and the fact that there is no way to get all
                       aliases from DNS.  If your machine's host name (as
                       returned by the hostname command) is already fully
                       qualified you shouldn't need to set fqdn.  This flag is
                       off by default.

       ignore_dot      If set, sudo will ignore '.' or '' (current dir) in the
                       PATH environment variable; the PATH itself is not
                       modified.  This flag is off by default.

       ignore_local_sudoers
                       If set via LDAP, parsing of /etc/sudoers will be
                       skipped.  This is intended for enterprises that wish to
                       prevent the usage of local sudoers files so that only
                       LDAP is used.  This thwarts the efforts of rogue
                       operators who would attempt to add roles to
                       /etc/sudoers.  When this option is present,
                       /etc/sudoers does not even need to exist.  Since this
                       option tells sudo how to behave when no specific LDAP
                       entries have been matched, this sudoOption is only
                       meaningful for the cn=defaults section.  This flag is
                       off by default.

       insults         If set, sudo will insult users when they enter an
                       incorrect password.  This flag is off by default.

       log_host        If set, the host name will be logged in the (non-
                       syslog) sudo log file.  This flag is off by default.

       log_input       If set, sudo will run the command in a pseudo tty and
                       log all user input.  If the standard input is not
                       connected to the user's tty, due to I/O redirection or
                       because the command is part of a pipeline, that input
                       is also captured and stored in a separate log file.

                       Input is logged to the directory specified by the
                       iolog_dir option (/var/log/sudo-io by default) using a
                       unique session ID that is included in the normal sudo
                       log line, prefixed with TSID=.  The iolog_file option
                       may be used to control the format of the session ID.

                       Note that user input may contain sensitive information
                       such as passwords (even if they are not echoed to the
                       screen), which will be stored in the log file
                       unencrypted.  In most cases, logging the command output
                       via log_output is all that is required.

       log_output      If set, sudo will run the command in a pseudo tty and
                       log all output that is sent to the screen, similar to
                       the script(1) command.  If the standard output or
                       standard error is not connected to the user's tty, due
                       to I/O redirection or because the command is part of a
                       pipeline, that output is also captured and stored in
                       separate log files.

                       Output is logged to the directory specified by the
                       iolog_dir option (/var/log/sudo-io by default) using a
                       unique session ID that is included in the normal sudo
                       log line, prefixed with TSID=.  The iolog_file option
                       may be used to control the format of the session ID.

                       Output logs may be viewed with the sudoreplay(1m)
                       utility, which can also be used to list or search the
                       available logs.

       log_year        If set, the four-digit year will be logged in the (non-
                       syslog) sudo log file.  This flag is off by default.

       long_otp_prompt When validating with a One Time Password (OTP) scheme
                       such as S/Key or OPIE, a two-line prompt is used to
                       make it easier to cut and paste the challenge to a
                       local window.  It's not as pretty as the default but
                       some people find it more convenient.  This flag is off
                       by default.

                    801:        mail_always     Send mail to the _m_a_i_l_t_o user every time a users runs
                    802:                        ssuuddoo.  This flag is _o_f_f by default.
                    803: 
                    804:        mail_badpass    Send mail to the _m_a_i_l_t_o user if the user running ssuuddoo
                    805:                        does not enter the correct password.  This flag is _o_f_f
                    806:                        by default.
                    807: 
                    808:        mail_no_host    If set, mail will be sent to the _m_a_i_l_t_o user if the
                    809:                        invoking user exists in the _s_u_d_o_e_r_s file, but is not
                    810:                        allowed to run commands on the current host.  This flag
                    811:                        is _o_f_f by default.
                    812: 
                    813:        mail_no_perms   If set, mail will be sent to the _m_a_i_l_t_o user if the
                    814:                        invoking user is allowed to use ssuuddoo but the command
                    815:                        they are trying is not listed in their _s_u_d_o_e_r_s file
                    816:                        entry or is explicitly denied.  This flag is _o_f_f by
                    817:                        default.
                    818: 
                    819:        mail_no_user    If set, mail will be sent to the _m_a_i_l_t_o user if the
                    820:                        invoking user is not in the _s_u_d_o_e_r_s file.  This flag is
                    821:                        _o_n by default.
                    822: 
                    823:        noexec          If set, all commands run via ssuuddoo will behave as if the
                    824:                        NOEXEC tag has been set, unless overridden by a EXEC
                    825:                        tag.  See the description of _N_O_E_X_E_C _a_n_d _E_X_E_C below as
1.1.1.2 ! misho     826:                        well as the "Preventing Shell Escapes" section at the
1.1       misho     827:                        end of this manual.  This flag is _o_f_f by default.
                    828: 
       path_info       Normally, sudo will tell the user when a command could
                       not be found in their PATH environment variable.  Some
                       sites may wish to disable this as it could be used to
                       gather information on the location of executables that
                       the normal user does not have access to.  The
                       disadvantage is that if the executable is simply not in
                       the user's PATH, sudo will tell the user that they are
                       not allowed to run it, which can be confusing.  This
                       flag is on by default.

       passprompt_override
                       The password prompt specified by passprompt will
                       normally only be used if the password prompt provided
                       by systems such as PAM matches the string "Password:".
                       If passprompt_override is set, passprompt will always
                       be used.  This flag is off by default.

       preserve_groups By default, sudo will initialize the group vector to
                       the list of groups the target user is in.  When
                       preserve_groups is set, the user's existing group
                       vector is left unaltered.  The real and effective group
                       IDs, however, are still set to match the target user.
                       This flag is off by default.

       pwfeedback      By default, sudo reads the password like most other
                       Unix programs, by turning off echo until the user hits
                       the return (or enter) key.  Some users become confused
                       by this as it appears to them that sudo has hung at
                       this point.  When pwfeedback is set, sudo will provide
                       visual feedback when the user presses a key.  Note that
                       this does have a security impact as an onlooker may be
                       able to determine the length of the password being
                       entered.  This flag is off by default.

       requiretty      If set, sudo will only run when the user is logged in
                       to a real tty.  When this flag is set, sudo can only be
                       run from a login session and not via other means such
                       as cron(1m) or cgi-bin scripts.  This flag is off by
                       default.

       root_sudo       If set, root is allowed to run sudo too.  Disabling
                       this prevents users from "chaining" sudo commands to
                       get a root shell by doing something like "sudo sudo
                       /bin/sh".  Note, however, that turning off root_sudo
                       will also prevent root from running sudoedit.
                       Disabling root_sudo provides no real additional
                       security; it exists purely for historical reasons.
                       This flag is on by default.

       rootpw          If set, sudo will prompt for the root password instead
                       of the password of the invoking user.  This flag is off
                       by default.

       runaspw         If set, sudo will prompt for the password of the user
                       defined by the runas_default option (defaults to root)
                       instead of the password of the invoking user.  This
                       flag is off by default.

       set_home        If enabled and sudo is invoked with the -s option the
                       HOME environment variable will be set to the home
                       directory of the target user (which is root unless the
                       -u option is used).  This effectively makes the -s
                       option imply -H.  Note that HOME is already set when
                       the env_reset option is enabled, so set_home is only
                       effective for configurations where either env_reset is
                       disabled or HOME is present in the env_keep list.  This
                       flag is off by default.

       set_logname     Normally, sudo will set the LOGNAME, USER and USERNAME
                       environment variables to the name of the target user
                       (usually root unless the -u option is given).  However,
                       since some programs (including the RCS revision control
                       system) use LOGNAME to determine the real identity of
                       the user, it may be desirable to change this behavior.
                       This can be done by negating the set_logname option.
                       Note that if the env_reset option has not been
                       disabled, entries in the env_keep list will override
                       the value of set_logname.  This flag is on by default.

       set_utmp        When enabled, sudo will create an entry in the utmp (or
                       utmpx) file when a pseudo-tty is allocated.  A pseudo-
                       tty is allocated by sudo when the log_input, log_output
                       or use_pty flags are enabled.  By default, the new
                       entry will be a copy of the user's existing utmp entry
                       (if any), with the tty, time, type and pid fields
                       updated.  This flag is on by default.

       setenv          Allow the user to disable the env_reset option from the
                       command line via the -E option.  Additionally,
                       environment variables set via the command line are not
                       subject to the restrictions imposed by env_check,
                       env_delete, or env_keep.  As such, only trusted users
                       should be allowed to set variables in this manner.
                       This flag is off by default.

       shell_noargs    If set and sudo is invoked with no arguments it acts as
                       if the -s option had been given.  That is, it runs a
                       shell as root (the shell is determined by the SHELL
                       environment variable if it is set, falling back on the
                       shell listed in the invoking user's /etc/passwd entry
                       if not).  This flag is off by default.

       stay_setuid     Normally, when sudo executes a command the real and
                       effective UIDs are set to the target user (root by
                       default).  This option changes that behavior such that
                       the real UID is left as the invoking user's UID.  In
                       other words, this makes sudo act as a setuid wrapper.
                       This can be useful on systems that disable some
                       potentially dangerous functionality when a program is
                       run setuid.  This option is only effective on systems
                       with either the setreuid() or setresuid() function.
                       This flag is off by default.

       targetpw        If set, sudo will prompt for the password of the user
                       specified by the -u option (defaults to root) instead
                       of the password of the invoking user.  In addition, the
                       timestamp file name will include the target user's
                       name.  Note that this flag precludes the use of a uid
                       not listed in the passwd database as an argument to the
                       -u option.  This flag is off by default.

       tty_tickets     If set, users must authenticate on a per-tty basis.
                       With this flag enabled, sudo will use a file named for
                       the tty the user is logged in on in the user's time
                       stamp directory.  If disabled, the time stamp of the
                       directory is used instead.  This flag is on by default.

       umask_override  If set, sudo will set the umask as specified by sudoers
                       without modification.  This makes it possible to
                       specify a more permissive umask in sudoers than the
                       user's own umask and matches historical behavior.  If
                       umask_override is not set, sudo will set the umask to
                       be the union of the user's umask and what is specified
                       in sudoers.  This flag is off by default.

       use_loginclass  If set, sudo will apply the defaults specified for the
                       target user's login class if one exists.  Only
                       available if sudo is configured with the
                       --with-logincap option.  This flag is off by default.

       use_pty         If set, sudo will run the command in a pseudo-pty even
                       if no I/O logging is being done.  A malicious program
                       run under sudo could conceivably fork a background
                       process that retains access to the user's terminal
                       device after the main program has finished executing.
                       Use of this option will make that impossible.  This
                       flag is off by default.

       utmp_runas      If set, sudo will store the name of the runas user when
                       updating the utmp (or utmpx) file.  By default, sudo
                       stores the name of the invoking user.  This flag is off
                       by default.

       visiblepw       By default, sudo will refuse to run if the user must
                       enter a password but it is not possible to disable echo
                       on the terminal.  If the visiblepw flag is set, sudo
                       will prompt for a password even when it would be
                       visible on the screen.  This makes it possible to run
                       things like "rsh somehost sudo ls" since rsh(1) does
                       not allocate a tty.  This flag is off by default.

       Integers:

       closefrom       Before it executes a command, sudo will close all open
                       file descriptors other than standard input, standard
                       output and standard error (i.e., file descriptors 0-2).
                       The closefrom option can be used to specify a different
                       file descriptor at which to start closing.  The default
                       is 3.

       passwd_tries    The number of tries a user gets to enter his/her
                       password before sudo logs the failure and exits.  The
                       default is 3.

       Integers that can be used in a boolean context:

       loglinelen      Number of characters per line for the file log.  This
                       value is used to decide when to wrap lines for nicer
                       log files.  This has no effect on the syslog log file,
                       only the file log.  The default is 80 (use 0 or negate
                       the option to disable word wrap).

       passwd_timeout  Number of minutes before the sudo password prompt times
                       out, or 0 for no timeout.  The timeout may include a
                       fractional component if minute granularity is
                       insufficient, for example 2.5.  The default is 5.

       timestamp_timeout
                       Number of minutes that can elapse before sudo will ask
                       for a password again.  The timeout may include a
                       fractional component if minute granularity is
                       insufficient, for example 2.5.  The default is 5.  Set
                       this to 0 to always prompt for a password.  If set to a
                       value less than 0 the user's timestamp will never
                       expire.  This can be used to allow users to create or
                       delete their own timestamps via sudo -v and sudo -k
                       respectively.

       umask           Umask to use when running the command.  Negate this
                       option or set it to 0777 to preserve the user's umask.
                       The actual umask that is used will be the union of the
                       user's umask and the value of the umask option, which
                       defaults to 0022.  This guarantees that sudo never
                       lowers the umask when running a command.  Note on
                       systems that use PAM, the default PAM configuration may
                       specify its own umask which will override the value set
                       in sudoers.

       Strings:

       badpass_message Message that is displayed if a user enters an incorrect
                       password.  The default is "Sorry, try again." unless
                       insults are enabled.

       editor          A colon (':') separated list of editors allowed to be
                       used with visudo.  visudo will choose the editor that
                       matches the user's EDITOR environment variable if
                       possible, or the first editor in the list that exists
                       and is executable.  The default is "vi".

       iolog_dir       The top-level directory to use when constructing the
                       path name for the input/output log directory.  Only
                       used if the log_input or log_output options are enabled
                       or when the LOG_INPUT or LOG_OUTPUT tags are present
                       for a command.  The session sequence number, if any, is
                       stored in the directory.  The default is
                       "/var/log/sudo-io".

                       The following percent (`%') escape sequences are
                       supported:

                       %{seq}
                           expanded to a monotonically increasing base-36
                           sequence number, such as 0100A5, where every two
                           digits are used to form a new directory, e.g.
                           01/00/A5

                       %{user}
                           expanded to the invoking user's login name

                       %{group}
                           expanded to the name of the invoking user's real
                           group ID

                       %{runas_user}
                           expanded to the login name of the user the command
                           will be run as (e.g. root)

                       %{runas_group}
                           expanded to the group name of the user the command
                           will be run as (e.g. wheel)

                       %{hostname}
                           expanded to the local host name without the domain
                           name

                       %{command}
                           expanded to the base name of the command being run

                       In addition, any escape sequences supported by the
                       system's strftime() function will be expanded.

                       To include a literal `%' character, the string `%%'
                       should be used.

       iolog_file      The path name, relative to iolog_dir, in which to store
                       input/output logs when the log_input or log_output
                       options are enabled or when the LOG_INPUT or LOG_OUTPUT
                       tags are present for a command.  Note that iolog_file
                       may contain directory components.  The default is
                       "%{seq}".

                       See the iolog_dir option above for a list of supported
                       percent (`%') escape sequences.

                       In addition to the escape sequences, path names that
                       end in six or more Xs will have the Xs replaced with a
                       unique combination of digits and letters, similar to
                       the mktemp() function.

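                       How the iolog_dir and iolog_file escapes above turn into
                       an actual log path, as an added example in C that is not
                       sudo's own code: the %{...} escapes are expanded first,
                       the remainder is handed to strftime(3), and a %{seq}
                       number is split into two-digit base-36 directories.  The
                       struct iolog_ctx, the sample session (alice running vi as
                       root on host db01), the date 2013-01-02 and the sequence
                       number 1679981 (0100A5 in base 36) are constructed for
                       this example.

```c
#include <stdio.h>
#include <string.h>
#include <time.h>

/* Values substituted for the %{...} escapes.  This struct and the functions
 * below are written for this example; they are not sudo's own code. */
struct iolog_ctx {
    unsigned long seq;                    /* session sequence number */
    const char *user, *group;             /* invoking user, real group name */
    const char *runas_user, *runas_group; /* identity the command runs as */
    const char *hostname, *command;       /* short host name, command base */
};

/* Render seq as six upper-case base-36 digits, two per directory level,
 * e.g. 1679981 -> "01/00/A5".  buf must hold 9 bytes.  Only the low six
 * digits are kept, so values of 36^6 and above wrap around. */
const char *seq_to_path(unsigned long seq, char *buf)
{
    static const char digits[] = "0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ";
    char d[6];
    int i;
    for (i = 5; i >= 0; i--, seq /= 36)
        d[i] = digits[seq % 36];
    snprintf(buf, 9, "%c%c/%c%c/%c%c", d[0], d[1], d[2], d[3], d[4], d[5]);
    return buf;
}

/* Expand an iolog_dir/iolog_file pattern: %{...} escapes first, then any
 * remaining strftime(3) escapes using tm.  "%%" is passed through so that
 * strftime collapses it to one '%'.  Returns the expanded length, or -1 if
 * it does not fit.  The trailing-Xs mktemp() behaviour is not implemented. */
int expand_iolog_path(const char *pat, const struct iolog_ctx *ctx,
                      const struct tm *tm, char *out, size_t outlen)
{
    char seqbuf[9], tmp[1024];
    const struct { const char *key; const char *val; } esc[] = {
        { "seq", seq_to_path(ctx->seq, seqbuf) }, { "user", ctx->user },
        { "group", ctx->group }, { "runas_user", ctx->runas_user },
        { "runas_group", ctx->runas_group }, { "hostname", ctx->hostname },
        { "command", ctx->command },
    };
    size_t n = 0, i, len;
    const char *p, *end;
    for (p = pat; *p != '\0'; p++) {
        const char *rep = NULL;
        size_t replen = 1;
        if (p[0] == '%' && p[1] == '%') {
            rep = "%%";                   /* literal percent */
            p++;
        } else if (p[0] == '%' && p[1] == '{' &&
                   (end = strchr(p, '}')) != NULL) {
            size_t klen = (size_t)(end - p - 2);
            for (i = 0; i < sizeof(esc) / sizeof(esc[0]); i++) {
                if (strlen(esc[i].key) == klen &&
                    strncmp(esc[i].key, p + 2, klen) == 0) {
                    rep = esc[i].val;
                    p = end;              /* loop increment skips the '}' */
                    break;
                }
            }
        }
        if (rep == NULL)
            rep = p;                      /* one literal or strftime char */
        else
            replen = strlen(rep);
        if (n + replen >= sizeof(tmp))
            return -1;
        memcpy(tmp + n, rep, replen);
        n += replen;
    }
    tmp[n] = '\0';
    len = strftime(out, outlen, tmp, tm);
    if (len == 0 && n != 0)
        return -1;                        /* result did not fit in out */
    return (int)len;
}

/* Expand pat for a constructed sample session (alice running vi as root on
 * db01, sequence 1679981 = 0100A5, on 2013-01-02) and compare with want. */
int iolog_path_matches(const char *pat, const char *want)
{
    const struct iolog_ctx ctx = {
        1679981UL, "alice", "staff", "root", "wheel", "db01", "vi"
    };
    struct tm tm;
    char out[256];
    memset(&tm, 0, sizeof(tm));
    tm.tm_year = 113;                     /* 2013; tm_mon 0 is January */
    tm.tm_mday = 2;
    if (expand_iolog_path(pat, &ctx, &tm, out, sizeof(out)) < 0)
        return 0;
    return strcmp(out, want) == 0;
}

int main(void)
{
    /* default iolog_dir joined with the default iolog_file "%{seq}" */
    printf("%d\n", iolog_path_matches("/var/log/sudo-io/%{seq}",
                                      "/var/log/sudo-io/01/00/A5")); /* 1 */
    return 0;
}
```
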
       mailsub         Subject of the mail sent to the mailto user.  The escape
                       %h will expand to the host name of the machine.
                       Default is "*** SECURITY information for %h ***".

       noexec_file     This option is no longer supported.  The path to the
                       noexec file should now be set in the /etc/sudo.conf
                       file.

       passprompt      The default prompt to use when asking for a password;
                       can be overridden via the -p option or the SUDO_PROMPT
                       environment variable.  The following percent (`%')
                       escape sequences are supported:

                       %H  expanded to the local host name including the
                           domain name (only if the machine's host name is
                           fully qualified or the fqdn option is set)

                       %h  expanded to the local host name without the domain
                           name

                       %p  expanded to the user whose password is being asked
                           for (respects the rootpw, targetpw and runaspw
                           flags in sudoers)

                       %U  expanded to the login name of the user the command
                           will be run as (defaults to root)

                       %u  expanded to the invoking user's login name

                       %%  two consecutive % characters are collapsed into a
                           single % character

                       The default value is "Password:".

       role            The default SELinux role to use when constructing a new
                       security context to run the command.  The default role
                       may be overridden on a per-command basis in sudoers or
                       via command line options.  This option is only
                       available when sudo is built with SELinux support.

       runas_default   The default user to run commands as if the -u option is
                       not specified on the command line.  This defaults to
                       root.

       syslog_badpri   Syslog priority to use when user authenticates
                       unsuccessfully.  Defaults to alert.

                       The following syslog priorities are supported: alert,
                       crit, debug, emerg, err, info, notice, and warning.

       syslog_goodpri  Syslog priority to use when user authenticates
                       successfully.  Defaults to notice.

                       See syslog_badpri for the list of supported syslog
                       priorities.

       sudoers_locale  Locale to use when parsing the sudoers file, logging
                       commands, and sending email.  Note that changing the
                       locale may affect how sudoers is interpreted.  Defaults
                       to "C".

       timestampdir    The directory in which sudo stores its timestamp files.
                       The default is /var/adm/sudo.

       timestampowner  The owner of the timestamp directory and the timestamps
                       stored therein.  The default is root.

       type            The default SELinux type to use when constructing a new
                       security context to run the command.  The default type
                       may be overridden on a per-command basis in sudoers or
                       via command line options.  This option is only
                       available when sudo is built with SELinux support.

                   1182:        SSttrriinnggss tthhaatt ccaann bbee uusseedd iinn aa bboooolleeaann ccoonntteexxtt:
                   1183: 
1.1.1.2 ! misho    1184:        env_file    The _e_n_v___f_i_l_e option specifies the fully qualified path to a
        !          1185:                    file containing variables to be set in the environment of
1.1       misho    1186:                    the program being run.  Entries in this file should either
                   1187:                    be of the form VARIABLE=value or export VARIABLE=value.
                   1188:                    The value may optionally be surrounded by single or double
                   1189:                    quotes.  Variables in this file are subject to other ssuuddoo
                   1190:                    environment settings such as _e_n_v___k_e_e_p and _e_n_v___c_h_e_c_k.
                   1191: 
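                   A parser for the env_file entry format just described, as an
                   added example in C that is not sudo's own code.  Requiring
                   the variable name to be a plain identifier and treating '#'
                   lines as comments are this example's assumptions; the page
                   states neither, and the sample file contents in main() are
                   constructed.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Parse one env_file line, "VARIABLE=value" or "export VARIABLE=value", with
 * the value optionally wrapped in matching single or double quotes.  Returns
 * 1 when name and value were filled in, 0 for a blank line or a '#' comment
 * (treating '#' lines as comments is this example's assumption; the page
 * does not mention them), and -1 for a line that is not an assignment. */
int parse_env_file_line(const char *line, char *name, size_t nlen,
                        char *value, size_t vlen)
{
    const char *p = line, *eq, *vs, *ve;
    size_t i, n;

    while (isspace((unsigned char)*p))
        p++;
    if (*p == '\0' || *p == '#')
        return 0;

    /* Optional "export" keyword; it must be followed by whitespace so that a
     * variable actually named "export" still parses. */
    if (strncmp(p, "export", 6) == 0 && isspace((unsigned char)p[6])) {
        p += 6;
        while (isspace((unsigned char)*p))
            p++;
    }

    eq = strchr(p, '=');
    if (eq == NULL)
        return -1;
    n = (size_t)(eq - p);
    /* Sanity check added here: the name must be a plain identifier. */
    if (n == 0 || n >= nlen || !(isalpha((unsigned char)p[0]) || p[0] == '_'))
        return -1;
    for (i = 1; i < n; i++)
        if (!isalnum((unsigned char)p[i]) && p[i] != '_')
            return -1;
    memcpy(name, p, n);
    name[n] = '\0';

    /* Value runs to end of line; drop trailing whitespace and newline. */
    vs = eq + 1;
    ve = vs + strlen(vs);
    while (ve > vs && isspace((unsigned char)ve[-1]))
        ve--;
    /* Strip one pair of matching quotes. */
    if (ve - vs >= 2 && (*vs == '"' || *vs == '\'') && ve[-1] == *vs) {
        vs++;
        ve--;
    }
    n = (size_t)(ve - vs);
    if (n >= vlen)
        return -1;
    memcpy(value, vs, n);
    value[n] = '\0';
    return 1;
}

/* Wrappers so results can be checked without caller-side buffers. */
int env_line_status(const char *line)
{
    char name[64], value[256];
    return parse_env_file_line(line, name, sizeof(name), value, sizeof(value));
}

int env_line_parses_to(const char *line, const char *want_name,
                       const char *want_value)
{
    char name[64], value[256];
    if (parse_env_file_line(line, name, sizeof(name), value, sizeof(value)) != 1)
        return 0;
    return strcmp(name, want_name) == 0 && strcmp(value, want_value) == 0;
}

int main(void)
{
    /* Constructed sample env_file contents, not taken from the page. */
    static const char *const sample[] = {
        "# variables for commands run via sudo",
        "EDITOR=/usr/bin/vi",
        "export LC_ALL=\"C\"",
        "export PAGER='less -R'",
        "not an assignment",
    };
    char name[64], value[256];
    size_t i;
    for (i = 0; i < sizeof(sample) / sizeof(sample[0]); i++) {
        int rc = parse_env_file_line(sample[i], name, sizeof(name),
                                     value, sizeof(value));
        if (rc == 1)
            printf("set %s=%s\n", name, value);
        else if (rc < 0)
            printf("skipping malformed line: %s\n", sample[i]);
    }
    return 0;
}
```

                   Values accepted here are still filtered by env_keep,
                   env_check and env_delete before sudo exports them.
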
       exempt_group
                   Users in this group are exempt from password and PATH
                   requirements.  The group name specified should not include
                   a % prefix.  This is not set by default.

       group_plugin
                   A string containing a sudoers group plugin with optional
                   arguments.  This can be used to implement support for the
                   nonunix_group syntax described earlier.  The string should
                   consist of the plugin path, either fully-qualified or
                   relative to the /usr/local/libexec directory, followed by
                   any configuration arguments the plugin requires.  These
                   arguments (if any) will be passed to the plugin's
                   initialization function.  If arguments are present, the
                   string must be enclosed in double quotes (").

                   For example, given /etc/sudo-group, a group file in Unix
                   group format, the sample group plugin can be used:

                       Defaults group_plugin="sample_group.so /etc/sudo-group"

                   For more information see sudo_plugin(4).

       lecture     This option controls when a short lecture will be printed
                   along with the password prompt.  It has the following
                   possible values:

                   always  Always lecture the user.

                   never   Never lecture the user.

                   once    Only lecture the user the first time they run sudo.

                   If no value is specified, a value of once is implied.
                   1226:                    Negating the option results in a value of _n_e_v_e_r being used.
                   1227:                    The default value is _o_n_c_e.
                   1228: 
                   1229:        lecture_file
                   1230:                    Path to a file containing an alternate ssuuddoo lecture that
                   1231:                    will be used in place of the standard lecture if the named
                   1232:                    file exists.  By default, ssuuddoo uses a built-in lecture.
                   1233: 
                   1234:        listpw      This option controls when a password will be required when
                   1235:                    a user runs ssuuddoo with the --ll option.  It has the following
                   1236:                    possible values:
                   1237: 
                   1238:                    all     All the user's _s_u_d_o_e_r_s entries for the current host
                   1239:                            must have the NOPASSWD flag set to avoid entering a
                   1240:                            password.
                   1241: 
                   1242:                    always  The user must always enter a password to use the --ll
                   1243:                            option.
                   1244: 
                   1245:                    any     At least one of the user's _s_u_d_o_e_r_s entries for the
                   1246:                            current host must have the NOPASSWD flag set to
                   1247:                            avoid entering a password.
                   1248: 
                   1249:                    never   The user need never enter a password to use the --ll
                   1250:                            option.
                   1251: 
                   1252:                    If no value is specified, a value of _a_n_y is implied.
                   1253:                    Negating the option results in a value of _n_e_v_e_r being used.
                   1254:                    The default value is _a_n_y.
                   1255: 
                   1256:        logfile     Path to the ssuuddoo log file (not the syslog log file).
                   1257:                    Setting a path turns on logging to a file; negating this
                   1258:                    option turns it off.  By default, ssuuddoo logs via syslog.
                   1259: 
                   1260:        mailerflags Flags to use when invoking the mailer.  Defaults to --tt.
                   1261: 
                   1262:        mailerpath  Path to mail program used to send warning mail.  Defaults
                   1263:                    to the path to sendmail found at configure time.
                   1264: 
                   1265:        mailfrom    Address to use for the "from" address when sending warning
                   1266:                    and error mail.  The address should be enclosed in double
                   1267:                    quotes (") to protect against ssuuddoo interpreting the @ sign.
                   1268:                    Defaults to the name of the user running ssuuddoo.
                   1269: 
                   1270:        mailto      Address to send warning and error mail to.  The address
                   1271:                    should be enclosed in double quotes (") to protect against
                   1272:                    ssuuddoo interpreting the @ sign.  Defaults to root.
                   1273: 
                   1274:        secure_path Path used for every command run from ssuuddoo.  If you don't
                   1275:                    trust the people running ssuuddoo to have a sane PATH
                   1276:                    environment variable you may want to use this.  Another use
                   1277:                    is if you want to have the "root path" be separate from the
                   1278:                    "user path."  Users in the group specified by the
                   1279:                    _e_x_e_m_p_t___g_r_o_u_p option are not affected by _s_e_c_u_r_e___p_a_t_h.  This
                   1280:                    option is not set by default.
                   1281: 
                   1282:        syslog      Syslog facility if syslog is being used for logging (negate
                   1283:                    to disable syslog logging).  Defaults to auth.
                   1284: 
                   1285:                    The following syslog facilities are supported: aauutthhpprriivv (if
                   1286:                    your OS supports it), aauutthh, ddaaeemmoonn, uusseerr, llooccaall00, llooccaall11,
                   1287:                    llooccaall22, llooccaall33, llooccaall44, llooccaall55, llooccaall66, and llooccaall77.
                   1288: 
                   1289:        verifypw    This option controls when a password will be required when
                   1290:                    a user runs ssuuddoo with the --vv option.  It has the following
                   1291:                    possible values:
                   1292: 
                   1293:                    all     All the user's _s_u_d_o_e_r_s entries for the current host
                   1294:                            must have the NOPASSWD flag set to avoid entering a
                   1295:                            password.
                   1296: 
                   1297:                    always  The user must always enter a password to use the --vv
                   1298:                            option.
                   1299: 
                   1300:                    any     At least one of the user's _s_u_d_o_e_r_s entries for the
                   1301:                            current host must have the NOPASSWD flag set to
                   1302:                            avoid entering a password.
                   1303: 
                   1304:                    never   The user need never enter a password to use the --vv
                   1305:                            option.
                   1306: 
                   1307:                    If no value is specified, a value of _a_l_l is implied.
                   1308:                    Negating the option results in a value of _n_e_v_e_r being used.
                   1309:                    The default value is _a_l_l.
                   1310: 
                   1311:        LLiissttss tthhaatt ccaann bbee uusseedd iinn aa bboooolleeaann ccoonntteexxtt:
                   1312: 
                   1313:        env_check       Environment variables to be removed from the user's
                   1314:                        environment if the variable's value contains % or /
                   1315:                        characters.  This can be used to guard against printf-
                   1316:                        style format vulnerabilities in poorly-written
                   1317:                        programs.  The argument may be a double-quoted, space-
                   1318:                        separated list or a single value without double-quotes.
                   1319:                        The list can be replaced, added to, deleted from, or
                   1320:                        disabled by using the =, +=, -=, and ! operators
                   1321:                        respectively.  Regardless of whether the env_reset
                   1322:                        option is enabled or disabled, variables specified by
                   1323:                        env_check will be preserved in the environment if they
                   1324:                        pass the aforementioned check.  The default list of
                   1325:                        environment variables to check is displayed when ssuuddoo
                   1326:                        is run by root with the _-_V option.
                   1327: 
                   1328:        env_delete      Environment variables to be removed from the user's
                   1329:                        environment when the _e_n_v___r_e_s_e_t option is not in effect.
                   1330:                        The argument may be a double-quoted, space-separated
                   1331:                        list or a single value without double-quotes.  The list
                   1332:                        can be replaced, added to, deleted from, or disabled by
                   1333:                        using the =, +=, -=, and ! operators respectively.  The
                   1334:                        default list of environment variables to remove is
                   1335:                        displayed when ssuuddoo is run by root with the _-_V option.
                   1336:                        Note that many operating systems will remove
                   1337:                        potentially dangerous variables from the environment of
                   1338:                        any setuid process (such as ssuuddoo).
                   1339: 
                   1340:        env_keep        Environment variables to be preserved in the user's
                   1341:                        environment when the _e_n_v___r_e_s_e_t option is in effect.
                   1342:                        This allows fine-grained control over the environment
                   1343:                        ssuuddoo-spawned processes will receive.  The argument may
                   1344:                        be a double-quoted, space-separated list or a single
                   1345:                        value without double-quotes.  The list can be replaced,
                   1346:                        added to, deleted from, or disabled by using the =, +=,
                   1347:                        -=, and ! operators respectively.  The default list of
                   1348:                        variables to keep is displayed when ssuuddoo is run by root
                   1349:                        with the _-_V option.
                   1350: 
1.1.1.2 ! misho    1351: SSUUDDOO..CCOONNFF
        !          1352:        The _/_e_t_c_/_s_u_d_o_._c_o_n_f file determines which plugins the ssuuddoo front end
        !          1353:        will load.  If no _/_e_t_c_/_s_u_d_o_._c_o_n_f file is present, or it contains no
        !          1354:        Plugin lines, ssuuddoo will use the _s_u_d_o_e_r_s security policy and I/O
        !          1355:        logging, which corresponds to the following _/_e_t_c_/_s_u_d_o_._c_o_n_f file.
        !          1356: 
        !          1357:         #
        !          1358:         # Default /etc/sudo.conf file
        !          1359:         #
        !          1360:         # Format:
        !          1361:         #   Plugin plugin_name plugin_path plugin_options ...
        !          1362:         #   Path askpass /path/to/askpass
        !          1363:         #   Path noexec /path/to/sudo_noexec.so
        !          1364:         #   Debug sudo /var/log/sudo_debug all@warn
        !          1365:         #   Set disable_coredump true
        !          1366:         #
        !          1367:         # The plugin_path is relative to /usr/local/libexec unless
        !          1368:         #   fully qualified.
        !          1369:         # The plugin_name corresponds to a global symbol in the plugin
        !          1370:         #   that contains the plugin interface structure.
        !          1371:         # The plugin_options are optional.
        !          1372:         #
        !          1373:         Plugin policy_plugin sudoers.so
        !          1374:         Plugin io_plugin sudoers.so
        !          1375: 
        !          1376:    PPLLUUGGIINN OOPPTTIIOONNSS
        !          1377:        Starting with ssuuddoo 1.8.5 it is possible to pass options to the _s_u_d_o_e_r_s
        !          1378:        plugin.  Options may be listed after the path to the plugin (i.e. after
        !          1379:        _s_u_d_o_e_r_s_._s_o); multiple options should be space-separated.  For example:
        !          1380: 
        !          1381:         Plugin sudoers_policy sudoers.so sudoers_file=/etc/sudoers sudoers_uid=0 sudoers_gid=0 sudoers_mode=0440
        !          1382: 
        !          1383:        The following plugin options are supported:
        !          1384: 
        !          1385:        sudoers_file=pathname
        !          1386:                  The _s_u_d_o_e_r_s___f_i_l_e option can be used to override the default
        !          1387:                  path to the _s_u_d_o_e_r_s file.
        !          1388: 
        !          1389:        sudoers_uid=uid
        !          1390:                  The _s_u_d_o_e_r_s___u_i_d option can be used to override the default
        !          1391:                  owner of the sudoers file.  It should be specified as a
        !          1392:                  numeric user ID.
        !          1393: 
        !          1394:        sudoers_gid=gid
        !          1395:                  The _s_u_d_o_e_r_s___g_i_d option can be used to override the default
        !          1396:                  group of the sudoers file.  It should be specified as a
        !          1397:                  numeric group ID.
        !          1398: 
        !          1399:        sudoers_mode=mode
        !          1400:                  The _s_u_d_o_e_r_s___m_o_d_e option can be used to override the default
        !          1401:                  file mode for the sudoers file.  It should be specified as an
        !          1402:                  octal value.
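
The _/_e_t_c_/_s_u_d_o_._c_o_n_f format and the plugin options above are simple enough to parse and sanity-check in a few dozen lines. The parser below is an added example, not part of sudo; it assumes '#' begins a comment (as in the default file shown), resolves relative plugin paths against _/_u_s_r_/_l_o_c_a_l_/_l_i_b_e_x_e_c as the page states, and falls back to sudoers.so for both plugins when no Plugin line is present. The "wider than 0440" warning in the option checker is this example's own check, not a rule the page states. The sample configuration is constructed from the page's default file and its option-bearing Plugin line.

```python
import os
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

PLUGIN_DIR = "/usr/local/libexec"   # relative plugin_path values resolve here (per the page)


@dataclass
class Plugin:
    symbol: str                      # plugin_name: global symbol holding the interface struct
    path: str                        # fully qualified plugin_path
    options: Dict[str, str] = field(default_factory=dict)


@dataclass
class SudoConf:
    plugins: List[Plugin] = field(default_factory=list)
    paths: Dict[str, str] = field(default_factory=dict)              # Path askpass/noexec ...
    debug: List[Tuple[str, str, str]] = field(default_factory=list)  # (program, logfile, flags)
    settings: Dict[str, str] = field(default_factory=dict)           # Set disable_coredump ...


def parse_sudo_conf(text: str) -> SudoConf:
    """Parse the Plugin, Path, Debug and Set lines shown on the page.
    '#' starts a comment (assumption).  With no Plugin lines the policy and
    I/O plugins fall back to sudoers.so, as the page describes."""
    conf = SudoConf()
    for raw in text.splitlines():
        words = raw.split("#", 1)[0].split()
        if not words:
            continue
        kw = words[0]
        if kw == "Plugin" and len(words) >= 3:
            path = words[2] if os.path.isabs(words[2]) else os.path.join(PLUGIN_DIR, words[2])
            options: Dict[str, str] = {}
            for opt in words[3:]:            # key=value options after the path
                key, _, value = opt.partition("=")
                options[key] = value
            conf.plugins.append(Plugin(words[1], path, options))
        elif kw == "Path" and len(words) == 3:
            conf.paths[words[1]] = words[2]
        elif kw == "Debug" and len(words) == 4:
            conf.debug.append((words[1], words[2], words[3]))
        elif kw == "Set" and len(words) == 3:
            conf.settings[words[1]] = words[2]
    if not conf.plugins:
        default = os.path.join(PLUGIN_DIR, "sudoers.so")
        conf.plugins = [Plugin("policy_plugin", default), Plugin("io_plugin", default)]
    return conf


def check_sudoers_options(options: Dict[str, str]) -> List[str]:
    """Sanity checks for the sudoers plugin options listed on the page:
    uid/gid numeric, mode octal, file path absolute.  The 'wider than 0440'
    warning is this example's own check."""
    problems: List[str] = []
    if "sudoers_file" in options and not os.path.isabs(options["sudoers_file"]):
        problems.append("sudoers_file should be an absolute pathname")
    for key in ("sudoers_uid", "sudoers_gid"):
        if key in options and not options[key].isdigit():
            problems.append(f"{key} must be a numeric ID, got {options[key]!r}")
    if "sudoers_mode" in options:
        try:
            mode = int(options["sudoers_mode"], 8)
        except ValueError:
            problems.append(f"sudoers_mode must be octal, got {options['sudoers_mode']!r}")
        else:
            if mode & ~0o440:
                problems.append(f"sudoers_mode {options['sudoers_mode']} is wider than the 0440 default")
    return problems


# Constructed sudo.conf: the page's default file plus an option-bearing Plugin line.
SAMPLE_CONF = """\
# Default /etc/sudo.conf file
Plugin sudoers_policy sudoers.so sudoers_file=/etc/sudoers sudoers_uid=0 sudoers_gid=0 sudoers_mode=0440
Plugin io_plugin /usr/local/libexec/sudoers.so
Path noexec /path/to/sudo_noexec.so
Debug sudo /var/log/sudo_debug all@warn
Set disable_coredump true
"""


def lint_sample() -> Dict[str, List[str]]:
    """Problems found per plugin symbol in SAMPLE_CONF (empty lists when clean)."""
    conf = parse_sudo_conf(SAMPLE_CONF)
    return {p.symbol: check_sudoers_options(p.options) for p in conf.plugins}


if __name__ == "__main__":
    print(lint_sample())
```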
        !          1403: 
        !          1404:    DDEEBBUUGG FFLLAAGGSS
        !          1405:        Versions 1.8.4 and higher of the _s_u_d_o_e_r_s plugin support a debugging
        !          1406:        framework that can help track down what the plugin is doing internally
        !          1407:        if there is a problem.  This can be configured in the _/_e_t_c_/_s_u_d_o_._c_o_n_f
        !          1408:        file as described in _s_u_d_o(1m).
        !          1409: 
        !          1410:        The _s_u_d_o_e_r_s plugin uses the same debug flag format as ssuuddoo itself:
        !          1411:        _s_u_b_s_y_s_t_e_m@_p_r_i_o_r_i_t_y.
        !          1412: 
        !          1413:        The priorities used by _s_u_d_o_e_r_s, in order of decreasing severity, are:
        !          1414:        _c_r_i_t, _e_r_r, _w_a_r_n, _n_o_t_i_c_e, _d_i_a_g, _i_n_f_o, _t_r_a_c_e and _d_e_b_u_g.  Each priority,
        !          1415:        when specified, also includes all priorities higher than it.  For
        !          1416:        example, a priority of _n_o_t_i_c_e would include debug messages logged at
        !          1417:        _n_o_t_i_c_e and higher.
        !          1418: 
        !          1419:        The following subsystems are used by _s_u_d_o_e_r_s:
        !          1420: 
        !          1421:        _a_l_i_a_s     User_Alias, Runas_Alias, Host_Alias and Cmnd_Alias processing
        !          1422: 
        !          1423:        _a_l_l       matches every subsystem
        !          1424: 
        !          1425:        _a_u_d_i_t     BSM and Linux audit code
        !          1426: 
        !          1427:        _a_u_t_h      user authentication
        !          1428: 
        !          1429:        _d_e_f_a_u_l_t_s  _s_u_d_o_e_r_s _D_e_f_a_u_l_t_s settings
        !          1430: 
        !          1431:        _e_n_v       environment handling
        !          1432: 
        !          1433:        _l_d_a_p      LDAP-based sudoers
        !          1434: 
        !          1435:        _l_o_g_g_i_n_g   logging support
        !          1436: 
        !          1437:        _m_a_t_c_h     matching of users, groups, hosts and netgroups in _s_u_d_o_e_r_s
        !          1438: 
        !          1439:        _n_e_t_i_f     network interface handling
        !          1440: 
        !          1441:        _n_s_s       network service switch handling in _s_u_d_o_e_r_s
        !          1442: 
        !          1443:        _p_a_r_s_e_r    _s_u_d_o_e_r_s file parsing
        !          1444: 
        !          1445:        _p_e_r_m_s     permission setting
        !          1446: 
        !          1447:        _p_l_u_g_i_n    The equivalent of _m_a_i_n for the plugin.
        !          1448: 
        !          1449:        _p_t_y       pseudo-tty related code
        !          1450: 
        !          1451:        _r_b_t_r_e_e    red-black tree internals
        !          1452: 
        !          1453:        _u_t_i_l      utility functions
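
The _s_u_b_s_y_s_t_e_m@_p_r_i_o_r_i_t_y rule (a priority also includes every more severe priority, and _a_l_l matches every subsystem) is easy to get wrong when reading a Debug line, so here it is as an added Python example; it is not sudo's debug code. The priorities and subsystems are the ones listed above. The page shows a single flag on its Debug line; this example assumes several flags may be given comma-separated, as in "match@debug,all@warn".

```python
from typing import List, Tuple

# Priorities in order of decreasing severity, as listed on the page.
PRIORITIES = ["crit", "err", "warn", "notice", "diag", "info", "trace", "debug"]
# Subsystems used by sudoers, as listed on the page.
SUBSYSTEMS = {
    "alias", "all", "audit", "auth", "defaults", "env", "ldap", "logging", "match",
    "netif", "nss", "parser", "perms", "plugin", "pty", "rbtree", "util",
}


def parse_debug_flags(spec: str) -> List[Tuple[str, str]]:
    """Turn 'match@debug,all@warn' into [('match', 'debug'), ('all', 'warn')].
    Comma separation of several flags is this example's assumption."""
    flags = []
    for item in spec.split(","):
        subsystem, sep, priority = item.strip().partition("@")
        if not sep or subsystem not in SUBSYSTEMS or priority not in PRIORITIES:
            raise ValueError(f"bad debug flag {item!r}")
        flags.append((subsystem, priority))
    return flags


def should_log(flags: List[Tuple[str, str]], subsystem: str, priority: str) -> bool:
    """A flag enables its subsystem at the given priority and at every more
    severe one (lower index in PRIORITIES); 'all' stands for every subsystem."""
    level = PRIORITIES.index(priority)
    for flag_subsystem, flag_priority in flags:
        if flag_subsystem in ("all", subsystem) and level <= PRIORITIES.index(flag_priority):
            return True
    return False


# Constructed sample: verbose tracing for the match subsystem, warnings and
# above for everything else.
SAMPLE_FLAGS = parse_debug_flags("match@debug,all@warn")


if __name__ == "__main__":
    for sub, pri in (("match", "trace"), ("parser", "notice"), ("parser", "err")):
        print(sub, pri, should_log(SAMPLE_FLAGS, sub, pri))
```

When tuning a production host, the "all@..." flag is the one to keep conservative: a verbose _a_l_l priority writes every subsystem's internals, including _e_n_v and _a_u_t_h, to the debug file.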
        !          1454: 
1.1       misho    1455: FFIILLEESS
1.1.1.2 ! misho    1456:        _/_e_t_c_/_s_u_d_o_._c_o_n_f          Sudo front end configuration
        !          1457: 
1.1       misho    1458:        _/_e_t_c_/_s_u_d_o_e_r_s            List of who can run what
                   1459: 
                   1460:        _/_e_t_c_/_g_r_o_u_p              Local groups file
                   1461: 
                   1462:        _/_e_t_c_/_n_e_t_g_r_o_u_p           List of network groups
                   1463: 
                   1464:        _/_v_a_r_/_l_o_g_/_s_u_d_o_-_i_o        I/O log files
                   1465: 
                   1466:        _/_v_a_r_/_a_d_m_/_s_u_d_o           Directory containing time stamps for the
                   1467:                                _s_u_d_o_e_r_s security policy
                   1468: 
1.1.1.2 ! misho    1469:        _/_e_t_c_/_e_n_v_i_r_o_n_m_e_n_t        Initial environment for --ii mode on AIX and
        !          1470:                                Linux systems
1.1       misho    1471: 
                   1472: EEXXAAMMPPLLEESS
                   1473:        Below are example _s_u_d_o_e_r_s entries.  Admittedly, some of these are a bit
                   1474:        contrived.  First, we allow a few environment variables to pass and
                   1475:        then define our _a_l_i_a_s_e_s:
                   1476: 
                   1477:         # Run X applications through sudo; HOME is used to find the
                   1478:         # .Xauthority file.  Note that other programs use HOME to find
                   1479:         # configuration files and this may lead to privilege escalation!
                   1480:         Defaults env_keep += "DISPLAY HOME"
                   1481: 
                   1482:         # User alias specification
                   1483:         User_Alias     FULLTIMERS = millert, mikef, dowdy
                   1484:         User_Alias     PARTTIMERS = bostley, jwfox, crawl
                   1485:         User_Alias     WEBMASTERS = will, wendy, wim
                   1486: 
                   1487:         # Runas alias specification
                   1488:         Runas_Alias    OP = root, operator
                   1489:         Runas_Alias    DB = oracle, sybase
                   1490:         Runas_Alias    ADMINGRP = adm, oper
                   1491: 
                   1492:         # Host alias specification
                   1493:         Host_Alias     SPARC = bigtime, eclipse, moet, anchor :\
                   1494:                        SGI = grolsch, dandelion, black :\
                   1495:                        ALPHA = widget, thalamus, foobar :\
                   1496:                        HPPA = boa, nag, python
                   1497:         Host_Alias     CUNETS = 128.138.0.0/255.255.0.0
                   1498:         Host_Alias     CSNETS = 128.138.243.0, 128.138.204.0/24, 128.138.242.0
                   1499:         Host_Alias     SERVERS = master, mail, www, ns
                   1500:         Host_Alias     CDROM = orion, perseus, hercules
                   1501: 
                   1502:         # Cmnd alias specification
                   1503:         Cmnd_Alias     DUMPS = /usr/bin/mt, /usr/sbin/dump, /usr/sbin/rdump,\
                   1504:                                /usr/sbin/restore, /usr/sbin/rrestore
                   1505:         Cmnd_Alias     KILL = /usr/bin/kill
                   1506:         Cmnd_Alias     PRINTING = /usr/sbin/lpc, /usr/bin/lprm
                   1507:         Cmnd_Alias     SHUTDOWN = /usr/sbin/shutdown
                   1508:         Cmnd_Alias     HALT = /usr/sbin/halt
                   1509:         Cmnd_Alias     REBOOT = /usr/sbin/reboot
                   1510:         Cmnd_Alias     SHELLS = /usr/bin/sh, /usr/bin/csh, /usr/bin/ksh, \
                   1511:                                 /usr/local/bin/tcsh, /usr/bin/rsh, \
                   1512:                                 /usr/local/bin/zsh
                   1513:         Cmnd_Alias     SU = /usr/bin/su
                   1514:         Cmnd_Alias     PAGERS = /usr/bin/more, /usr/bin/pg, /usr/bin/less
                   1515: 
                   1516:        Here we override some of the compiled-in default values.  We want ssuuddoo
                   1517:        to log via _s_y_s_l_o_g(3) using the _a_u_t_h facility in all cases.  We don't
                   1518:        want to subject the full time staff to the ssuuddoo lecture, user mmiilllleerrtt
                   1519:        need not give a password, and we don't want to reset the LOGNAME, USER
                   1520:        or USERNAME environment variables when running commands as root.
                   1521:        Additionally, on the machines in the _S_E_R_V_E_R_S Host_Alias, we keep an
                   1522:        additional local log file and make sure we log the year in each log
                   1523:        line since the log entries will be kept around for several years.
                   1524:        Lastly, we disable shell escapes for the commands in the PAGERS
                   1525:        Cmnd_Alias (_/_u_s_r_/_b_i_n_/_m_o_r_e, _/_u_s_r_/_b_i_n_/_p_g and _/_u_s_r_/_b_i_n_/_l_e_s_s).
                   1526: 
                   1527:         # Override built-in defaults
                   1528:         Defaults               syslog=auth
                   1529:         Defaults>root          !set_logname
                   1530:         Defaults:FULLTIMERS    !lecture
                   1531:         Defaults:millert       !authenticate
                   1532:         Defaults@SERVERS       log_year, logfile=/var/log/sudo.log
                   1533:         Defaults!PAGERS        noexec
                   1534: 
                   1535:        The _U_s_e_r _s_p_e_c_i_f_i_c_a_t_i_o_n is the part that actually determines who may run
                   1536:        what.
                   1537: 
                   1538:         root           ALL = (ALL) ALL
                   1539:         %wheel         ALL = (ALL) ALL
                   1540: 
                   1541:        We let rroooott and any user in group wwhheeeell run any command on any host as
                   1542:        any user.
                   1543: 
                   1544:         FULLTIMERS     ALL = NOPASSWD: ALL
                   1545: 
                   1546:        Full time sysadmins (mmiilllleerrtt, mmiikkeeff, and ddoowwddyy) may run any command on
                   1547:        any host without authenticating themselves.
                   1548: 
                   1549:         PARTTIMERS     ALL = ALL
                   1550: 
                   1551:        Part time sysadmins (bboossttlleeyy, jjwwffooxx, and ccrraawwll) may run any command on
                   1552:        any host but they must authenticate themselves first (since the entry
                   1553:        lacks the NOPASSWD tag).
                   1554: 
                   1555:         jack           CSNETS = ALL
                   1556: 
                   1557:        The user jjaacckk may run any command on the machines in the _C_S_N_E_T_S alias
                   1558:        (the networks 128.138.243.0, 128.138.204.0, and 128.138.242.0).  Of
                   1559:        those networks, only 128.138.204.0 has an explicit netmask (in CIDR
                   1560:        notation) indicating it is a class C network.  For the other networks
                   1561:        in _C_S_N_E_T_S, the local machine's netmask will be used during matching.
                   1562: 
                   1563:         lisa           CUNETS = ALL
                   1564: 
                   1565:        The user lliissaa may run any command on any host in the _C_U_N_E_T_S alias (the
                   1566:        class B network 128.138.0.0).
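
The two network-based aliases above illustrate a subtle point: an address given without a netmask (the first and third _C_S_N_E_T_S entries) is matched using the local machine's netmask, so the same Host_Alias can match different hosts on different machines. The Python below is an added example of that matching logic, not sudo's host matcher; it takes the local netmask as a parameter, accepts address/prefix and address/dotted-netmask forms via the standard ipaddress module, and treats any entry that is not an address as a hostname to compare exactly (assumption: the page does not describe hostname matching here).

```python
import ipaddress
from typing import Iterable


def host_alias_matches(entries: Iterable[str], hostname: str, host_ip: str,
                       local_netmask: str) -> bool:
    """Match the local host against Host_Alias entries.  An entry is a
    hostname, an address, address/netmask or address/prefix.  An address
    without a mask is combined with the local machine's netmask, as the
    page says happens for the CSNETS example."""
    addr = ipaddress.ip_address(host_ip)
    for entry in entries:
        try:
            if "/" in entry:
                net = ipaddress.ip_network(entry, strict=False)
            else:
                net = ipaddress.ip_network(f"{entry}/{local_netmask}", strict=False)
        except ValueError:
            # not an address: treat it as a plain hostname (assumption: exact match)
            if entry == hostname:
                return True
            continue
        if addr in net:
            return True
    return False


# Host_Alias networks from the page's example policy.
CSNETS = ["128.138.243.0", "128.138.204.0/24", "128.138.242.0"]
CUNETS = ["128.138.0.0/255.255.0.0"]


def csnets_depends_on_local_netmask(host_ip: str) -> bool:
    """True when a host matches CSNETS under a /16 local netmask but not
    under a /24 one, i.e. the result depends on the evaluating machine."""
    wide = host_alias_matches(CSNETS, "h", host_ip, "255.255.0.0")
    narrow = host_alias_matches(CSNETS, "h", host_ip, "255.255.255.0")
    return wide and not narrow


if __name__ == "__main__":
    # Constructed addresses; 128.138.1.5 is inside CUNETS but not inside any
    # /24 of CSNETS, so its CSNETS membership hinges on the local netmask.
    print(host_alias_matches(CUNETS, "h", "128.138.1.5", "255.255.255.0"))
    print(csnets_depends_on_local_netmask("128.138.1.5"))
```

The practical consequence is that policy written with bare network addresses should be reviewed on each class of host it is deployed to, or the explicit netmask form used throughout.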
                   1567: 
                   1568:         operator       ALL = DUMPS, KILL, SHUTDOWN, HALT, REBOOT, PRINTING,\
                   1569:                        sudoedit /etc/printcap, /usr/oper/bin/
                   1570: 
                   1571:        The ooppeerraattoorr user may run commands limited to simple maintenance.
                   1572:        Here, those are commands related to backups, killing processes, the
                   1573:        printing system, shutting down the system, and any commands in the
                   1574:        directory _/_u_s_r_/_o_p_e_r_/_b_i_n_/.
                   1575: 
                   1576:         joe            ALL = /usr/bin/su operator
                   1577: 
                   1578:        The user jjooee may only _s_u(1) to operator.
                   1579: 
                   1580:         pete           HPPA = /usr/bin/passwd [A-Za-z]*, !/usr/bin/passwd root
                   1581: 
                   1582:         %opers         ALL = (: ADMINGRP) /usr/sbin/
                   1583: 
                   1584:        Users in the ooppeerrss group may run commands in _/_u_s_r_/_s_b_i_n_/ as themselves
                   1585:        with any group in the _A_D_M_I_N_G_R_P Runas_Alias (the aaddmm and ooppeerr groups).
                   1586: 
                   1587:        The user ppeettee is allowed to change anyone's password except for root on
                   1588:        the _H_P_P_A machines.  Note that this assumes _p_a_s_s_w_d(1) does not take
                   1589:        multiple user names on the command line.
                   1590: 
                   1591:         bob            SPARC = (OP) ALL : SGI = (OP) ALL
                   1592: 
                   1593:        The user bboobb may run anything on the _S_P_A_R_C and _S_G_I machines as any user
                   1594:        listed in the _O_P Runas_Alias (rroooott and ooppeerraattoorr).
                   1595: 
                   1596:         jim            +biglab = ALL
                   1597: 
                   1598:        The user jjiimm may run any command on machines in the _b_i_g_l_a_b netgroup.
                   1599:        ssuuddoo knows that "biglab" is a netgroup due to the '+' prefix.
                   1600: 
                   1601:         +secretaries   ALL = PRINTING, /usr/bin/adduser, /usr/bin/rmuser
                   1602: 
                   1603:        Users in the sseeccrreettaarriieess netgroup need to help manage the printers as
                   1604:        well as add and remove users, so they are allowed to run those commands
                   1605:        on all machines.
                   1606: 
                   1607:         fred           ALL = (DB) NOPASSWD: ALL
                   1608: 
                   1609:        The user ffrreedd can run commands as any user in the _D_B Runas_Alias
       (oracle or sybase) without giving a password.

        john           ALPHA = /usr/bin/su [!-]*, !/usr/bin/su *root*

       On the ALPHA machines, user john may su to anyone except root but he is
       not allowed to specify any options to the su(1) command.

        jen            ALL, !SERVERS = ALL

       The user jen may run any command on any machine except for those in the
       SERVERS Host_Alias (master, mail, www and ns).

        jill           SERVERS = /usr/bin/, !SU, !SHELLS

       For any machine in the SERVERS Host_Alias, jill may run any command in
       the directory /usr/bin/ except for those commands belonging to the SU
       and SHELLS Cmnd_Aliases.

        steve          CSNETS = (operator) /usr/local/op_commands/

       The user steve may run any command in the directory
       /usr/local/op_commands/ but only as user operator.

        matt           valkyrie = KILL

       On his personal workstation, valkyrie, matt needs to be able to kill
       hung processes.

        WEBMASTERS     www = (www) ALL, (root) /usr/bin/su www

       On the host www, any user in the WEBMASTERS User_Alias (will, wendy,
       and wim) may run any command as user www (which owns the web pages) or
       simply su(1) to www.

        ALL            CDROM = NOPASSWD: /sbin/umount /CDROM,\
                       /sbin/mount -o nosuid\,nodev /dev/cd0a /CDROM

       Any user may mount or unmount a CD-ROM on the machines in the CDROM
       Host_Alias (orion, perseus, hercules) without entering a password.
       This is a bit tedious for users to type, so it is a prime candidate for
       encapsulating in a shell script.

SECURITY NOTES
   Limitations of the '!' operator
       It is generally not effective to "subtract" commands from ALL using the
       '!' operator.  A user can trivially circumvent this by copying the
       desired command to a different name and then executing that.  For
       example:

           bill        ALL = ALL, !SU, !SHELLS

       This doesn't really prevent bill from running the commands listed in SU
       or SHELLS since he can simply copy those commands to a different name,
       or use a shell escape from an editor or other program.  Therefore, this
       kind of restriction should be considered advisory at best (and
       reinforced by policy).

       In general, if a user has sudo ALL there is nothing to prevent them
       from creating their own program that gives them a root shell (or making
       their own copy of a shell) regardless of any '!' elements in the user
       specification.

   Security implications of fast_glob
       If the fast_glob option is in use, it is not possible to reliably
       negate commands where the path name includes globbing (aka wildcard)
       characters.  This is because the C library's fnmatch(3) function
       compares the pattern against the command string exactly as the user
       typed it and cannot resolve relative paths.  Without fast_glob, the
       pattern is expanded with glob(3) against the file system and the
       results are compared with the file the user actually invoked, so a
       relative path still matches.  While this is typically only an
       inconvenience for rules that grant privileges, it can result in a
       security issue for rules that subtract or revoke privileges.

       For example, given the following sudoers entry:

        john   ALL = /usr/bin/passwd [a-zA-Z0-9]*, /usr/bin/chsh [a-zA-Z0-9]*,
             /usr/bin/chfn [a-zA-Z0-9]*, !/usr/bin/* root

       User john can still run /usr/bin/passwd root if fast_glob is enabled by
       changing to /usr/bin and running ./passwd root instead.

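       The following is an added example and not sudo's own source: a small C
       model of the command matching that the two subsections above describe,
       covering both the '!' copy bypass and the fast_glob relative-path
       bypass.  It uses the real fnmatch(3), but the rule tables, the FS[]
       list (a constructed stand-in for what glob(3) would find on disk),
       comparison of canonical path strings in place of sudoers' device and
       inode comparison, and the john_allowed()/bill_allowed() wrappers are all
       assumptions of this example.

```c
/*
 * Added example, not sudo's own source: a simplified model of matching a
 * sudoers command list against what the user typed.  Assumptions: FS[]
 * stands in for glob(3) expansion, canonical path strings stand in for the
 * device/inode comparison sudoers performs, and a bare relative name
 * resolves against the current directory.
 */
#include <fnmatch.h>
#include <stdio.h>
#include <string.h>

/* Constructed "file system": the files a glob(3) expansion could return. */
static const char *FS[] = {
    "/usr/bin/passwd", "/usr/bin/chsh", "/usr/bin/chfn", "/bin/sh", NULL
};

/* One Cmnd entry: optional '!', a path (ALL, literal or pattern), args. */
struct rule {
    int negated;
    const char *path;
    const char *args;       /* NULL means any arguments */
};

/* Resolve what the user typed to a canonical path, relative to cwd. */
static void canonical(const char *cwd, const char *typed, char *out, size_t n)
{
    if (typed[0] == '/')
        snprintf(out, n, "%s", typed);
    else if (strncmp(typed, "./", 2) == 0)
        snprintf(out, n, "%s/%s", cwd, typed + 2);
    else
        snprintf(out, n, "%s/%s", cwd, typed);
}

static int has_meta(const char *s)
{
    return strpbrk(s, "*?[") != NULL;
}

/*
 * Literal paths are compared against the resolved file.  Wildcard paths go
 * through fnmatch(3): with fast_glob against the string as typed; without
 * it against each existing file the pattern expands to (as glob(3) would),
 * each expansion then being compared with the resolved file.
 */
static int rule_matches(const struct rule *r, const char *typed,
                        const char *canon, const char *args, int fast_glob)
{
    if (r->args != NULL && fnmatch(r->args, args ? args : "", 0) != 0)
        return 0;
    if (strcmp(r->path, "ALL") == 0)
        return 1;
    if (!has_meta(r->path))
        return strcmp(r->path, canon) == 0;
    if (fast_glob)
        return fnmatch(r->path, typed, FNM_PATHNAME) == 0;
    for (const char **f = FS; *f != NULL; f++)
        if (fnmatch(r->path, *f, FNM_PATHNAME) == 0 && strcmp(*f, canon) == 0)
            return 1;
    return 0;
}

/* The last matching entry decides; a match on a '!' entry denies. */
static int allowed(const struct rule *rules, int n, const char *cwd,
                   const char *typed, const char *args, int fast_glob)
{
    char canon[256];
    int verdict = 0;

    canonical(cwd, typed, canon, sizeof canon);
    for (int i = 0; i < n; i++)
        if (rule_matches(&rules[i], typed, canon, args, fast_glob))
            verdict = !rules[i].negated;
    return verdict;
}

/* john   ALL = /usr/bin/passwd [a-zA-Z0-9]*, ..., !/usr/bin/* root */
static const struct rule john_rules[] = {
    { 0, "/usr/bin/passwd", "[a-zA-Z0-9]*" },
    { 0, "/usr/bin/chsh",   "[a-zA-Z0-9]*" },
    { 0, "/usr/bin/chfn",   "[a-zA-Z0-9]*" },
    { 1, "/usr/bin/*",      "root" },
};

/* bill   ALL = ALL, !SU, !SHELLS  (one shell stands in for both aliases) */
static const struct rule bill_rules[] = {
    { 0, "ALL",     NULL },
    { 1, "/bin/sh", NULL },
};

int john_allowed(const char *cwd, const char *typed, const char *args,
                 int fast_glob)
{
    return allowed(john_rules, 4, cwd, typed, args, fast_glob);
}

int bill_allowed(const char *typed)
{
    return allowed(bill_rules, 2, "/home/bill", typed, NULL, 0);
}

int main(void)
{
    printf("john: cd /usr/bin; ./passwd root  glob=%d fast_glob=%d\n",
           john_allowed("/usr/bin", "./passwd", "root", 0),
           john_allowed("/usr/bin", "./passwd", "root", 1));
    printf("bill: /bin/sh=%d  renamed copy /home/bill/notsh=%d\n",
           bill_allowed("/bin/sh"), bill_allowed("/home/bill/notsh"));
    return 0;
}
```

       Under this model ./passwd root is denied when the pattern is expanded
       like glob(3) and allowed under fast_glob, and bill's renamed copy of the
       shell is allowed because the negated entry only knows the original
       path: the advisory-only character of '!' that the text warns about.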
   Preventing Shell Escapes
       Once sudo executes a program, that program is free to do whatever it
       pleases, including running other programs.  This can be a security
       issue since it is not uncommon for a program to allow shell escapes,
       which lets a user bypass sudo's access control and logging.  Common
       programs that permit shell escapes include shells (obviously), editors,
       paginators, mail and terminal programs.

       There are two basic approaches to this problem:

       restrict  Avoid giving users access to commands that allow the user to
                 run arbitrary commands.  Many editors have a restricted mode
                 where shell escapes are disabled, though sudoedit is a better
                 solution to running editors via sudo.  Due to the large
                 number of programs that offer shell escapes, restricting
                 users to the set of programs that do not is often unworkable.

       noexec    Many systems that support shared libraries have the ability
                 to override default library functions by pointing an
                 environment variable (usually LD_PRELOAD) to an alternate
                 shared library.  On such systems, sudo's noexec functionality
                 can be used to prevent a program run by sudo from executing
                 any other programs.  Note, however, that this applies only to
                 native dynamically-linked executables.  Statically-linked
                 executables, foreign executables running under binary
                 emulation, and programs that issue the exec system call
                 directly rather than through the C library are not affected.

                 The noexec feature is known to work on SunOS, Solaris, *BSD,
                 Linux, IRIX, Tru64 UNIX, MacOS X, HP-UX 11.x and AIX 5.3 and
                 above.  It should be supported on most operating systems that
                 support the LD_PRELOAD environment variable.  Check your
                 operating system's manual pages for the dynamic linker
                 (usually ld.so, ld.so.1, dyld, dld.sl, rld, or loader) to see
                 if LD_PRELOAD is supported.

                 On Solaris 10 and higher, noexec uses Solaris privileges
                 instead of the LD_PRELOAD environment variable.

                 To enable noexec for a command, use the NOEXEC tag as
                 documented in the User Specification section above.  Here is
                 that example again:

                  aaron  shanty = NOEXEC: /usr/bin/more, /usr/bin/vi

                 This allows user aaron to run /usr/bin/more and /usr/bin/vi
                 with noexec enabled.  This will prevent those two commands
                 from executing other commands (such as a shell).  If you are
                 unsure whether or not your system is capable of supporting
                 noexec you can always just try it out and check whether shell
                 escapes work when noexec is enabled.

       Note that restricting shell escapes is not a panacea.  Programs running
       as root are still capable of many potentially hazardous operations
       (such as changing or overwriting files) that could lead to unintended
       privilege escalation.  In the specific case of an editor, a safer
       approach is to give the user permission to run sudoedit.

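       The following is an added example of the mechanism the noexec approach
       relies on; it is not sudo's own noexec library.  It interposes the C
       library's exec family (and system(3) and popen(3), which exec a shell)
       with versions that fail with EACCES, so a dynamically linked program
       loaded with this object in LD_PRELOAD cannot start a child through
       libc.  The file name noexec_demo.c, the block() helper and the
       exec_is_blocked() probe are this example's own assumptions.

```c
/*
 * Added example, not sudo's noexec library: a minimal LD_PRELOAD exec
 * blocker.  Build it as a shared object and preload it into a program that
 * offers a shell escape:
 *
 *     cc -shared -fPIC -o noexec_demo.so noexec_demo.c
 *     LD_PRELOAD=./noexec_demo.so vi     # then try :!id inside vi
 *
 * Every entry point defined here shadows the C library's, so the escape
 * fails with "Permission denied" instead of spawning a shell.
 */
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

/* Common refusal: report EACCES and never exec anything. */
static int block(void)
{
    errno = EACCES;
    return -1;
}

int execve(const char *path, char *const argv[], char *const envp[])
{
    (void)path; (void)argv; (void)envp;
    return block();
}

int execv(const char *path, char *const argv[])
{
    (void)path; (void)argv;
    return block();
}

int execvp(const char *file, char *const argv[])
{
    (void)file; (void)argv;
    return block();
}

int execl(const char *path, const char *arg, ...)
{
    (void)path; (void)arg;
    return block();
}

int execlp(const char *file, const char *arg, ...)
{
    (void)file; (void)arg;
    return block();
}

/* system(3) and popen(3) would fork and exec /bin/sh: refuse those too. */
int system(const char *command)
{
    (void)command;
    return block();
}

FILE *popen(const char *command, const char *type)
{
    (void)command; (void)type;
    block();
    return NULL;
}

/* Probe: 1 if an exec attempt from this process is refused with EACCES. */
int exec_is_blocked(void)
{
    char *const argv[] = { (char *)"sh", (char *)"-c", (char *)"id", NULL };

    errno = 0;
    return execv("/bin/sh", argv) == -1 && errno == EACCES;
}

int main(void)
{
    printf("exec blocked in this process: %s\n",
           exec_is_blocked() ? "yes" : "no");
    return 0;
}
```

       Because the interposer sits in libc's symbol namespace, it catches only
       calls that go through libc: a real implementation has to cover every
       library entry point that can start a program (posix_spawn(3) included)
       and still cannot stop a statically linked binary or one that issues the
       execve system call directly, which is the limitation the text notes.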
   Time stamp file checks
       sudoers will check the ownership of its time stamp directory
       (/var/adm/sudo by default) and ignore the directory's contents if it is
       not owned by root or if it is writable by a user other than root.  On
       systems that allow non-root users to give away files via chown(2), if
       the time stamp directory is located in a world-writable directory
       (e.g., /tmp), it is possible for a user to create the time stamp
       directory before sudo is run.  However, because sudoers checks the
       ownership and mode of the directory and its contents, the only damage
       that can be done is to "hide" files by putting them in the time stamp
       dir.  This is unlikely to happen since once the time stamp dir is owned
       by root and inaccessible by any other user, the user placing files
       there would be unable to get them back out.

       sudoers will not honor time stamps set far in the future.  Time stamps
       with a date greater than current_time + 2 * TIMEOUT will be ignored and
       sudo will log and complain.  This is done to keep a user from creating
       his/her own time stamp with a bogus date on systems that allow users to
       give away files if the time stamp directory is located in a world-
       writable directory.

       On systems where the boot time is available, sudoers will ignore time
       stamps that date from before the machine booted.

       Since time stamp files live in the file system, they can outlive a
       user's login session.  As a result, a user may be able to log in, run a
       command with sudo after authenticating, log out, log in again, and run
       sudo without authenticating so long as the time stamp file's
       modification time is within 5 minutes (or whatever the timeout is set
       to in sudoers).  When the tty_tickets option is enabled, the time stamp
       has per-tty granularity but still may outlive the user's session.  On
       Linux systems where the devpts filesystem is used, Solaris systems with
       the devices filesystem, as well as other systems that utilize a devfs
       filesystem that monotonically increases the inode number of devices as
       they are created (such as Mac OS X), sudoers is able to determine when
       a tty-based time stamp file is stale and will ignore it.
       Administrators should not rely on this feature as it is not universally
       available.

SEE ALSO
       rsh(1), su(1), fnmatch(3), glob(3), mktemp(3), strftime(3),
       sudoers.ldap(4), sudo_plugin(1m), sudo(1m), visudo(1m)

CAVEATS
       The sudoers file should always be edited by the visudo command which
       locks the file and does grammatical checking.  It is imperative that
       sudoers be free of syntax errors since sudo will not run with a
       syntactically incorrect sudoers file.

       When using netgroups of machines (as opposed to users), if you store
       fully qualified host names in the netgroup (as is usually the case),
       you either need to have the machine's host name be fully qualified as
       returned by the hostname command or use the fqdn option in sudoers.

BUGS
       If you feel you have found a bug in sudo, please submit a bug report at
       http://www.sudo.ws/sudo/bugs/

SUPPORT
       Limited free support is available via the sudo-users mailing list, see
       http://www.sudo.ws/mailman/listinfo/sudo-users to subscribe or search
       the archives.

DISCLAIMER
       sudo is provided ``AS IS'' and any express or implied warranties,
       including, but not limited to, the implied warranties of
       merchantability and fitness for a particular purpose are disclaimed.
       See the LICENSE file distributed with sudo or
       http://www.sudo.ws/sudo/license.html for complete details.



1.8.5                           March 28, 2012                      SUDOERS(4)