Annotation of embedaddon/sudo/doc/sudoers.cat, revision 1.1.1.2
SUDOERS(4)                   MAINTENANCE COMMANDS                   SUDOERS(4)


NAME
       sudoers - default sudo security policy module

DESCRIPTION
       The sudoers policy module determines a user's sudo privileges. It is
       the default sudo policy plugin. The policy is driven by the
       /etc/sudoers file or, optionally, in LDAP. The policy format is
       described in detail in the "SUDOERS FILE FORMAT" section. For
       information on storing sudoers policy information in LDAP, please see
       sudoers.ldap(4).

   Authentication and Logging
       The sudoers security policy requires that most users authenticate
       themselves before they can use sudo. A password is not required if the
       invoking user is root, if the target user is the same as the invoking
       user, or if the policy has disabled authentication for the user or
       command. Unlike su(1), when sudoers requires authentication, it
       validates the invoking user's credentials, not the target user's (or
       root's) credentials. This can be changed via the rootpw, targetpw and
       runaspw flags, described later.

       If a user who is not listed in the policy tries to run a command via
       sudo, mail is sent to the proper authorities. The address used for
       such mail is configurable via the mailto Defaults entry (described
       later) and defaults to root.

       Note that mail will not be sent if an unauthorized user tries to run
       sudo with the -l or -v option. This allows users to determine for
       themselves whether or not they are allowed to use sudo.

       If sudo is run by root and the SUDO_USER environment variable is set,
       the sudoers policy will use this value to determine who the actual user
       is. This can be used by a user to log commands through sudo even when
       a root shell has been invoked. It also allows the -e option to remain
       useful even when invoked via a sudo-run script or program. Note,
       however, that the sudoers lookup is still done for root, not the user
       specified by SUDO_USER.

       sudoers uses time stamp files for credential caching. Once a user has
       been authenticated, a time stamp is updated and the user may then use
       sudo without a password for a short period of time (5 minutes unless
       overridden by the timeout option). By default, sudoers uses a tty-based
       time stamp which means that there is a separate time stamp for each of
       a user's login sessions. The tty_tickets option can be disabled to
       force the use of a single time stamp for all of a user's sessions.

       sudoers can log both successful and unsuccessful attempts (as well as
       errors) to syslog(3), a log file, or both. By default, sudoers will
       log via syslog(3) but this is changeable via the syslog and logfile
       Defaults settings.

       sudoers also supports logging a command's input and output streams.
       I/O logging is not on by default but can be enabled using the log_input
       and log_output Defaults flags as well as the LOG_INPUT and LOG_OUTPUT
       command tags.

   Command Environment
       Since environment variables can influence program behavior, sudoers
       provides a means to restrict which variables from the user's
       environment are inherited by the command to be run. There are two
       distinct ways sudoers can deal with environment variables.

       By default, the env_reset option is enabled. This causes commands to
       be executed with a new, minimal environment. On AIX (and Linux systems
       without PAM), the environment is initialized with the contents of the
       /etc/environment file. On BSD systems, if the use_loginclass option is
       enabled, the environment is initialized based on the path and setenv
       settings in /etc/login.conf. The new environment contains the TERM,
       PATH, HOME, MAIL, SHELL, LOGNAME, USER, USERNAME and SUDO_* variables
       in addition to variables from the invoking process permitted by the
       env_check and env_keep options. This is effectively a whitelist for
       environment variables.

       If, however, the env_reset option is disabled, any variables not
       explicitly denied by the env_check and env_delete options are inherited
       from the invoking process. In this case, env_check and env_delete
       behave like a blacklist. Since it is not possible to blacklist all
       potentially dangerous environment variables, use of the default
       env_reset behavior is encouraged.

       In all cases, environment variables with a value beginning with () are
       removed as they could be interpreted as bash functions. The list of
       environment variables that sudo allows or denies is contained in the
       output of sudo -V when run as root.

       Note that the dynamic linker on most operating systems will remove
       variables that can control dynamic linking from the environment of
       setuid executables, including sudo. Depending on the operating system
       this may include _RLD*, DYLD_*, LD_*, LDR_*, LIBPATH, SHLIB_PATH, and
       others. These types of variables are removed from the environment
       before sudo even begins execution and, as such, it is not possible for
       sudo to preserve them.

       As a special case, if sudo's -i option (initial login) is specified,
       sudoers will initialize the environment regardless of the value of
       env_reset. The DISPLAY, PATH and TERM variables remain unchanged;
       HOME, MAIL, SHELL, USER, and LOGNAME are set based on the target user.
       On AIX (and Linux systems without PAM), the contents of
       /etc/environment are also included. On BSD systems, if the
       use_loginclass option is enabled, the path and setenv variables in
       /etc/login.conf are also applied. All other environment variables are
       removed.

       Finally, if the env_file option is defined, any variables present in
       that file will be set to their specified values as long as they would
       not conflict with an existing environment variable.
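
       The two environment modes described above (the env_reset whitelist versus
       the env_check/env_delete blacklist), the "()" rule and the env_file
       ordering, modelled as an added Python example. This is not sudo's own
       code: the caller environment is constructed, and the '%'/'/' test for
       env_check variables is taken from the env_check option description later
       in this manual.

```python
from fnmatch import fnmatchcase

# Variables sudoers always places in the new environment when env_reset is on.
BASE_VARS = ("TERM", "PATH", "HOME", "MAIL", "SHELL", "LOGNAME", "USER", "USERNAME")


def _matches_any(name, patterns):
    """True if the variable name matches any entry of an env_* list (glob names allowed)."""
    return any(fnmatchcase(name, p) for p in patterns)


def _env_check_safe(value):
    """env_check variables are kept only if the value contains no '%' or '/'
    (rule from the env_check option description in the sudoers manual)."""
    return "%" not in value and "/" not in value


def build_environment(caller_env, env_reset=True, env_keep=(), env_check=(),
                      env_delete=(), env_file=None):
    """Model the environment the command receives.

    env_reset=True  (whitelist): start from BASE_VARS and SUDO_*, then add caller
                    variables permitted by env_keep or by env_check (if safe).
    env_reset=False (blacklist): inherit everything not denied by env_delete or
                    by env_check (unsafe values only).
    In both modes a value beginning with "()" is dropped, and env_file entries
    are applied last without overriding an existing variable.
    """
    result = {}
    for name, value in caller_env.items():
        if value.startswith("()"):
            continue  # could be interpreted as an exported bash function
        in_check = _matches_any(name, env_check)
        checked_ok = in_check and _env_check_safe(value)
        checked_bad = in_check and not _env_check_safe(value)
        if env_reset:
            allowed = (name in BASE_VARS or name.startswith("SUDO_")
                       or _matches_any(name, env_keep) or checked_ok)
        else:
            allowed = not (_matches_any(name, env_delete) or checked_bad)
        if allowed:
            result[name] = value
    for name, value in (env_file or {}).items():
        result.setdefault(name, value)  # never conflicts with an existing variable
    return result


# Constructed sample environment of the invoking user (not from a real system).
CALLER_ENV = {
    "PATH": "/usr/local/bin:/usr/bin:/bin",
    "HOME": "/home/alice",
    "TERM": "xterm",
    "SUDO_PROMPT": "[sudo] password: ",
    "TZ": "UTC",
    "EDITOR": "/usr/bin/vi",   # matches env_check below but contains '/'
    "PS1": "() { :; }",        # looks like an exported bash function
    "MYAPP_DEBUG": "1",
}


def whitelist_example():
    """env_reset on: only base vars, SUDO_*, env_keep and safe env_check survive."""
    return build_environment(CALLER_ENV, env_reset=True, env_keep=("TZ",),
                             env_check=("EDITOR",),
                             env_file={"PATH": "/sbin", "LANG": "C"})


def blacklist_example():
    """env_reset off: everything survives except env_delete and unsafe env_check."""
    return build_environment(CALLER_ENV, env_reset=False, env_check=("EDITOR",),
                             env_delete=("MYAPP_*",))


if __name__ == "__main__":
    print("env_reset on :", sorted(whitelist_example()))
    print("env_reset off:", sorted(blacklist_example()))
```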

SUDOERS FILE FORMAT
       The sudoers file is composed of two types of entries: aliases
       (basically variables) and user specifications (which specify who may
       run what).

       When multiple entries match for a user, they are applied in order.
       Where there are multiple matches, the last match is used (which is not
       necessarily the most specific match).

       The sudoers grammar will be described below in Extended Backus-Naur
       Form (EBNF). Don't despair if you don't know what EBNF is; it is
       fairly simple, and the definitions below are annotated.

   Quick guide to EBNF
       EBNF is a concise and exact way of describing the grammar of a
       language. Each EBNF definition is made up of production rules. E.g.,

           symbol ::= definition | alternate1 | alternate2 ...

       Each production rule references others and thus makes up a grammar for
       the language. EBNF also contains the following operators, which many
       readers will recognize from regular expressions. Do not, however,
       confuse them with "wildcard" characters, which have different meanings.

       ?   Means that the preceding symbol (or group of symbols) is optional.
           That is, it may appear once or not at all.

       *   Means that the preceding symbol (or group of symbols) may appear
           zero or more times.

       +   Means that the preceding symbol (or group of symbols) may appear
           one or more times.

       Parentheses may be used to group symbols together. For clarity, we
       will use single quotes ('') to designate what is a verbatim character
       string (as opposed to a symbol name).

   Aliases
       There are four kinds of aliases: User_Alias, Runas_Alias, Host_Alias
       and Cmnd_Alias.

           Alias ::= 'User_Alias'  User_Alias (':' User_Alias)* |
                     'Runas_Alias' Runas_Alias (':' Runas_Alias)* |
                     'Host_Alias'  Host_Alias (':' Host_Alias)* |
                     'Cmnd_Alias'  Cmnd_Alias (':' Cmnd_Alias)*

           User_Alias ::= NAME '=' User_List

           Runas_Alias ::= NAME '=' Runas_List

           Host_Alias ::= NAME '=' Host_List

           Cmnd_Alias ::= NAME '=' Cmnd_List

           NAME ::= [A-Z]([A-Z][0-9]_)*

       Each alias definition is of the form

           Alias_Type NAME = item1, item2, ...

       where Alias_Type is one of User_Alias, Runas_Alias, Host_Alias, or
       Cmnd_Alias. A NAME is a string of uppercase letters, numbers, and
       underscore characters ('_'). A NAME must start with an uppercase
       letter. It is possible to put several alias definitions of the same
       type on a single line, joined by a colon (':'). E.g.,

           Alias_Type NAME = item1, item2, item3 : NAME = item4, item5

       The definitions of what constitutes a valid alias member follow.

           User_List ::= User |
                         User ',' User_List

           User ::= '!'* user name |
                    '!'* #uid |
                    '!'* %group |
                    '!'* %#gid |
                    '!'* +netgroup |
                    '!'* %:nonunix_group |
                    '!'* %:#nonunix_gid |
                    '!'* User_Alias

       A User_List is made up of one or more user names, user ids (prefixed
       with '#'), system group names and ids (prefixed with '%' and '%#'
       respectively), netgroups (prefixed with '+'), non-Unix group names and
       IDs (prefixed with '%:' and '%:#' respectively) and User_Aliases. Each
       list item may be prefixed with zero or more '!' operators. An odd
       number of '!' operators negate the value of the item; an even number
       just cancel each other out.

       A user name, uid, group, gid, netgroup, nonunix_group or nonunix_gid
       may be enclosed in double quotes to avoid the need for escaping special
       characters. Alternately, special characters may be specified in
       escaped hex mode, e.g. \x20 for space. When using double quotes, any
       prefix characters must be included inside the quotes.

       The actual nonunix_group and nonunix_gid syntax depends on the
       underlying group provider plugin (see the group_plugin description
       below). For instance, the QAS AD plugin supports the following
       formats:

           o   Group in the same domain: "Group Name"

           o   Group in any domain: "Group Name@FULLY.QUALIFIED.DOMAIN"

           o   Group SID: "S-1-2-34-5678901234-5678901234-5678901234-567"

       Note that quotes around group names are optional. Unquoted strings
       must use a backslash (\) to escape spaces and special characters. See
       "Other special characters and reserved words" for a list of characters
       that need to be escaped.

           Runas_List ::= Runas_Member |
                          Runas_Member ',' Runas_List

           Runas_Member ::= '!'* user name |
                            '!'* #uid |
                            '!'* %group |
                            '!'* %#gid |
                            '!'* %:nonunix_group |
                            '!'* %:#nonunix_gid |
                            '!'* +netgroup |
                            '!'* Runas_Alias

       A Runas_List is similar to a User_List except that instead of
       User_Aliases it can contain Runas_Aliases. Note that user names and
       groups are matched as strings. In other words, two users (groups) with
       the same uid (gid) are considered to be distinct. If you wish to match
       all user names with the same uid (e.g. root and toor), you can use a
       uid instead (#0 in the example given).

           Host_List ::= Host |
                         Host ',' Host_List

           Host ::= '!'* host name |
                    '!'* ip_addr |
                    '!'* network(/netmask)? |
                    '!'* +netgroup |
                    '!'* Host_Alias

       A Host_List is made up of one or more host names, IP addresses, network
       numbers, netgroups (prefixed with '+') and other aliases. Again, the
       value of an item may be negated with the '!' operator. If you do not
       specify a netmask along with the network number, sudo will query each
       of the local host's network interfaces and, if the network number
       corresponds to one of the host's network interfaces, the corresponding
       netmask will be used. The netmask may be specified either in standard
       IP address notation (e.g. 255.255.255.0 or ffff:ffff:ffff:ffff::), or
       CIDR notation (number of bits, e.g. 24 or 64). A host name may include
       shell-style wildcards (see the Wildcards section below), but unless the
       host name command on your machine returns the fully qualified host
       name, you'll need to use the fqdn option for wildcards to be useful.
       Note sudo only inspects actual network interfaces; this means that IP
       address 127.0.0.1 (localhost) will never match. Also, the host name
       "localhost" will only match if that is the actual host name, which is
       usually only the case for non-networked systems.

           Cmnd_List ::= Cmnd |
                         Cmnd ',' Cmnd_List

           commandname ::= file name |
                           file name args |
                           file name '""'

           Cmnd ::= '!'* commandname |
                    '!'* directory |
                    '!'* "sudoedit" |
                    '!'* Cmnd_Alias

       A Cmnd_List is a list of one or more commandnames, directories, and
       other aliases. A commandname is a fully qualified file name which may
       include shell-style wildcards (see the Wildcards section below). A
       simple file name allows the user to run the command with any arguments
       he/she wishes. However, you may also specify command line arguments
       (including wildcards). Alternately, you can specify "" to indicate
       that the command may only be run without command line arguments. A
       directory is a fully qualified path name ending in a '/'. When you
       specify a directory in a Cmnd_List, the user will be able to run any
       file within that directory (but not in any subdirectories therein).

       If a Cmnd has associated command line arguments, then the arguments in
       the Cmnd must match exactly those given by the user on the command line
       (or match the wildcards if there are any). Note that the following
       characters must be escaped with a '\' if they are used in command
       arguments: ',', ':', '=', '\'. The special command "sudoedit" is used
       to permit a user to run sudo with the -e option (or as sudoedit). It
       may take command line arguments just as a normal command does.

   Defaults
       Certain configuration options may be changed from their default values
       at runtime via one or more Default_Entry lines. These may affect all
       users on any host, all users on a specific host, a specific user, a
       specific command, or commands being run as a specific user. Note that
       per-command entries may not include command line arguments. If you
       need to specify arguments, define a Cmnd_Alias and reference that
       instead.

           Default_Type ::= 'Defaults' |
                            'Defaults' '@' Host_List |
                            'Defaults' ':' User_List |
                            'Defaults' '!' Cmnd_List |
                            'Defaults' '>' Runas_List

           Default_Entry ::= Default_Type Parameter_List

           Parameter_List ::= Parameter |
                              Parameter ',' Parameter_List

           Parameter ::= Parameter '=' Value |
                         Parameter '+=' Value |
                         Parameter '-=' Value |
                         '!'* Parameter

       Parameters may be flags, integer values, strings, or lists. Flags are
       implicitly boolean and can be turned off via the '!' operator. Some
       integer, string and list parameters may also be used in a boolean
       context to disable them. Values may be enclosed in double quotes (")
       when they contain multiple words. Special characters may be escaped
       with a backslash (\).

       Lists have two additional assignment operators, += and -=. These
       operators are used to add to and delete from a list respectively. It
       is not an error to use the -= operator to remove an element that does
       not exist in a list.

       Defaults entries are parsed in the following order: generic, host and
       user Defaults first, then runas Defaults and finally command defaults.

       See "SUDOERS OPTIONS" for a list of supported Defaults parameters.

   User Specification
           User_Spec ::= User_List Host_List '=' Cmnd_Spec_List \
                         (':' Host_List '=' Cmnd_Spec_List)*

           Cmnd_Spec_List ::= Cmnd_Spec |
                              Cmnd_Spec ',' Cmnd_Spec_List

           Cmnd_Spec ::= Runas_Spec? SELinux_Spec? Tag_Spec* Cmnd

           Runas_Spec ::= '(' Runas_List? (':' Runas_List)? ')'

           SELinux_Spec ::= ('ROLE=role' | 'TYPE=type')

           Tag_Spec ::= ('NOPASSWD:' | 'PASSWD:' | 'NOEXEC:' | 'EXEC:' |
                         'SETENV:' | 'NOSETENV:' | 'LOG_INPUT:' | 'NOLOG_INPUT:' |
                         'LOG_OUTPUT:' | 'NOLOG_OUTPUT:')

       A user specification determines which commands a user may run (and as
       what user) on specified hosts. By default, commands are run as root,
       but this can be changed on a per-command basis.

       The basic structure of a user specification is `who where = (as_whom)
       what'. Let's break that down into its constituent parts:

   Runas_Spec
       A Runas_Spec determines the user and/or the group that a command may be
       run as. A fully-specified Runas_Spec consists of two Runas_Lists (as
       defined above) separated by a colon (':') and enclosed in a set of
       parentheses. The first Runas_List indicates which users the command
       may be run as via sudo's -u option. The second defines a list of
       groups that can be specified via sudo's -g option. If both Runas_Lists
       are specified, the command may be run with any combination of users and
       groups listed in their respective Runas_Lists. If only the first is
       specified, the command may be run as any user in the list but no -g
       option may be specified. If the first Runas_List is empty but the
       second is specified, the command may be run as the invoking user with
       the group set to any listed in the Runas_List. If no Runas_Spec is
       specified the command may be run as root and no group may be specified.

       A Runas_Spec sets the default for the commands that follow it. What
       this means is that for the entry:

           dgb boulder = (operator) /bin/ls, /bin/kill, /usr/bin/lprm

       The user dgb may run /bin/ls, /bin/kill, and /usr/bin/lprm -- but only
       as operator. E.g.,

           $ sudo -u operator /bin/ls

       It is also possible to override a Runas_Spec later on in an entry. If
       we modify the entry like so:

           dgb boulder = (operator) /bin/ls, (root) /bin/kill, /usr/bin/lprm

       Then user dgb is now allowed to run /bin/ls as operator, but /bin/kill
       and /usr/bin/lprm as root.

       We can extend this to allow dgb to run /bin/ls with either the user or
       group set to operator:

           dgb boulder = (operator : operator) /bin/ls, (root) /bin/kill, \
               /usr/bin/lprm

       Note that while the group portion of the Runas_Spec permits the user to
       run a command with that group, it does not force the user to do so.
       If no group is specified on the command line, the command will run with
       the group listed in the target user's password database entry. The
       following would all be permitted by the sudoers entry above:

           $ sudo -u operator /bin/ls
           $ sudo -u operator -g operator /bin/ls
           $ sudo -g operator /bin/ls

       In the following example, user tcm may run commands that access a modem
       device file with the dialer group.

           tcm boulder = (:dialer) /usr/bin/tip, /usr/bin/cu, \
               /usr/local/bin/minicom

       Note that in this example only the group will be set, the command still
       runs as user tcm. E.g.

           $ sudo -g dialer /usr/bin/cu

       Multiple users and groups may be present in a Runas_Spec, in which case
       the user may select any combination of users and groups via the -u and
       -g options. In this example:

           alan ALL = (root, bin : operator, system) ALL

       user alan may run any command as either user root or bin, optionally
       setting the group to operator or system.

   SELinux_Spec
       On systems with SELinux support, sudoers entries may optionally have an
       SELinux role and/or type associated with a command. If a role or type
       is specified with the command it will override any default values
       specified in sudoers. A role or type specified on the command line,
       however, will supersede the values in sudoers.

   Tag_Spec
       A command may have zero or more tags associated with it. There are
       eight possible tag values, NOPASSWD, PASSWD, NOEXEC, EXEC, SETENV,
       NOSETENV, LOG_INPUT, NOLOG_INPUT, LOG_OUTPUT and NOLOG_OUTPUT. Once a
       tag is set on a Cmnd, subsequent Cmnds in the Cmnd_Spec_List inherit
       the tag unless it is overridden by the opposite tag (i.e.: PASSWD
       overrides NOPASSWD and NOEXEC overrides EXEC).

       NOPASSWD and PASSWD

       By default, sudo requires that a user authenticate him or herself
       before running a command. This behavior can be modified via the
       NOPASSWD tag. Like a Runas_Spec, the NOPASSWD tag sets a default for
       the commands that follow it in the Cmnd_Spec_List. Conversely, the
       PASSWD tag can be used to reverse things. For example:

           ray rushmore = NOPASSWD: /bin/kill, /bin/ls, /usr/bin/lprm

       would allow the user ray to run /bin/kill, /bin/ls, and /usr/bin/lprm
       as root on the machine rushmore without authenticating himself. If we
       only want ray to be able to run /bin/kill without a password the entry
       would be:

           ray rushmore = NOPASSWD: /bin/kill, PASSWD: /bin/ls, /usr/bin/lprm

       Note, however, that the PASSWD tag has no effect on users who are in
       the group specified by the exempt_group option.

       By default, if the NOPASSWD tag is applied to any of the entries for a
       user on the current host, he or she will be able to run sudo -l without
       a password. Additionally, a user may only run sudo -v without a
       password if the NOPASSWD tag is present for all a user's entries that
       pertain to the current host. This behavior may be overridden via the
       verifypw and listpw options.
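
       The "sets the default for the commands that follow it" rule shared by the
       Runas_Spec and Tag_Spec subsections above, worked through as an added
       Python example: a small Cmnd_Spec_List parser plus a check of which -u/-g
       combinations a Runas_Spec permits. It is written for this page, not taken
       from sudo, models only the rules stated here, and understands ALL as the
       only alias.

```python
import re

# Each tag sets one of five boolean attributes; the opposite tag resets it.
TAG_PAIRS = {
    "NOPASSWD": ("passwd", False), "PASSWD": ("passwd", True),
    "NOEXEC": ("exec", False), "EXEC": ("exec", True),
    "SETENV": ("setenv", True), "NOSETENV": ("setenv", False),
    "LOG_INPUT": ("log_input", True), "NOLOG_INPUT": ("log_input", False),
    "LOG_OUTPUT": ("log_output", True), "NOLOG_OUTPUT": ("log_output", False),
}
# Runas_Spec ::= '(' Runas_List? (':' Runas_List)? ')'
RUNAS_RE = re.compile(r"^\(\s*([^:)]*?)\s*(?::\s*([^)]*?)\s*)?\)\s*")


def _split_list(text):
    return [t.strip() for t in text.split(",") if t.strip()]


def _split_top_level(text):
    """Split a Cmnd_Spec_List on commas that are not inside a Runas_Spec."""
    items, cur, depth = [], [], 0
    for ch in text:
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
        if ch == "," and depth == 0:
            items.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
    items.append("".join(cur))
    return [i.strip() for i in items if i.strip()]


def parse_cmnd_spec_list(text):
    """Expand a Cmnd_Spec_List into one record per command.

    A Runas_Spec or tag applies to the command it precedes and to every later
    command in the list, until another Runas_Spec or the opposite tag appears.
    With no Runas_Spec at all the command runs as root and no group is allowed.
    """
    runas_users, runas_groups = ["root"], []
    tags = {}  # attributes never set here fall back to the Defaults values
    records = []
    for item in _split_top_level(text):
        m = RUNAS_RE.match(item)
        if m:
            runas_users = _split_list(m.group(1))
            runas_groups = _split_list(m.group(2) or "")
            item = item[m.end():]
        while True:  # consume leading 'TAG:' words
            word, sep, rest = item.partition(":")
            if not sep or word.strip() not in TAG_PAIRS:
                break
            attr, value = TAG_PAIRS[word.strip()]
            tags[attr] = value
            item = rest.strip()
        records.append({"cmnd": item, "runas_users": list(runas_users),
                        "runas_groups": list(runas_groups), "tags": dict(tags)})
    return records


def _listed(name, runas_list):
    return "ALL" in runas_list or name in runas_list


def runas_permitted(record, user=None, group=None):
    """Would 'sudo [-u user] [-g group] <cmnd>' satisfy this record's Runas_Spec?

    Neither -u nor -g: the target is root, which must be in the user list.
    -g without -u: the command runs as the invoking user, so only the group
    list is consulted (this is what makes '(:dialer)' entries usable).
    """
    if user is None and group is None:
        user = "root"
    if user is not None and not _listed(user, record["runas_users"]):
        return False
    if group is not None and not _listed(group, record["runas_groups"]):
        return False
    return True


if __name__ == "__main__":
    for rec in parse_cmnd_spec_list(
            "(operator : operator) /bin/ls, (root) NOPASSWD: /bin/kill, /usr/bin/lprm"):
        print(rec)
```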

       NOEXEC and EXEC

       If sudo has been compiled with noexec support and the underlying
       operating system supports it, the NOEXEC tag can be used to prevent a
       dynamically-linked executable from running further commands itself.

       In the following example, user aaron may run /usr/bin/more and
       /usr/bin/vi but shell escapes will be disabled.

           aaron shanty = NOEXEC: /usr/bin/more, /usr/bin/vi

       See the "Preventing Shell Escapes" section below for more details on
       how NOEXEC works and whether or not it will work on your system.

       SETENV and NOSETENV

       These tags override the value of the setenv option on a per-command
       basis. Note that if SETENV has been set for a command, the user may
       disable the env_reset option from the command line via the -E option.
       Additionally, environment variables set on the command line are not
       subject to the restrictions imposed by env_check, env_delete, or
       env_keep. As such, only trusted users should be allowed to set
       variables in this manner. If the command matched is ALL, the SETENV
       tag is implied for that command; this default may be overridden by use
       of the NOSETENV tag.

       LOG_INPUT and NOLOG_INPUT

       These tags override the value of the log_input option on a per-command
       basis. For more information, see the description of log_input in the
       "SUDOERS OPTIONS" section below.

       LOG_OUTPUT and NOLOG_OUTPUT

       These tags override the value of the log_output option on a per-command
       basis. For more information, see the description of log_output in the
       "SUDOERS OPTIONS" section below.

   Wildcards
       sudo allows shell-style wildcards (aka meta or glob characters) to be
       used in host names, path names and command line arguments in the
       sudoers file. Wildcard matching is done via the POSIX glob(3) and
       fnmatch(3) routines. Note that these are not regular expressions.

       *       Matches any set of zero or more characters.

       ?       Matches any single character.

       [...]   Matches any character in the specified range.

       [!...]  Matches any character not in the specified range.

       \x      For any character "x", evaluates to "x". This is used to
               escape special characters such as: "*", "?", "[", and "}".

       POSIX character classes may also be used if your system's glob(3) and
       fnmatch(3) functions support them. However, because the ':' character
       has special meaning in sudoers, it must be escaped. For example:

           /bin/ls [[\:alpha\:]]*

       Would match any file name beginning with a letter.

       Note that a forward slash ('/') will not be matched by wildcards used
       in the path name. When matching the command line arguments, however, a
       slash does get matched by wildcards. This is to make a path like:

           /usr/bin/*

       match /usr/bin/who but not /usr/bin/X11/xterm.

   Exceptions to wildcard rules
       The following exceptions apply to the above rules:

       ""      If the empty string "" is the only command line argument in the
               sudoers entry it means that command is not allowed to be run
               with any arguments.
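
       The wildcard rules above (a '/' is not matched by wildcards in the path
       name but is in the arguments, POSIX classes with the escaped ':', the ""
       exception and directory entries), implemented as an added Python
       example. It is a small glob-to-regex translator written for this page,
       not sudo's own glob(3)/fnmatch(3) calls, and the command lines it is
       exercised with are constructed.

```python
import re

POSIX_CLASSES = {"alpha": "a-zA-Z", "digit": "0-9", "alnum": "a-zA-Z0-9",
                 "upper": "A-Z", "lower": "a-z", "space": r" \t\n\r\f\v"}


def _unescape_sudoers(text):
    """Undo the sudoers-level escapes of ',', ':' and '=' (e.g. [[\\:alpha\\:]])."""
    return re.sub(r"\\([,:=])", r"\1", text)


def _bracket(pattern, i, match_slash):
    """Translate the bracket expression starting at pattern[i] == '['.
    Returns (regex_fragment, index just after the closing ']')."""
    j = i + 1
    negate = pattern[j:j + 1] == "!"
    if negate:
        j += 1
    parts, first = [], True
    while j < len(pattern):
        c = pattern[j]
        if c == "]" and not first:
            break
        first = False
        if c == "\\" and j + 1 < len(pattern):          # \x -> literal x
            parts.append(re.escape(pattern[j + 1]))
            j += 2
        elif c == "[" and pattern[j + 1:j + 2] == ":":   # [:alpha:] and friends
            end = pattern.find(":]", j + 2)
            if end < 0:
                raise ValueError("unterminated character class")
            parts.append(POSIX_CLASSES[pattern[j + 2:end]])
            j = end + 2
        else:
            parts.append("\\" + c if c in "\\]^[" else c)
            j += 1
    else:
        raise ValueError("unterminated bracket expression")
    regex = "[" + ("^" if negate else "") + "".join(parts) + "]"
    if not match_slash:
        regex = "(?!/)" + regex   # a bracket never matches '/' in a path name
    return regex, j + 1


def glob_to_regex(pattern, match_slash):
    """glob(3)/fnmatch(3)-style pattern -> regex. With match_slash=False the
    wildcards '*', '?' and [...] do not match '/', as for sudoers path names."""
    any_char = "." if match_slash else "[^/]"
    out, i = [], 0
    while i < len(pattern):
        c = pattern[i]
        if c == "\\" and i + 1 < len(pattern):
            out.append(re.escape(pattern[i + 1]))
            i += 2
        elif c == "*":
            out.append(any_char + "*")
            i += 1
        elif c == "?":
            out.append(any_char)
            i += 1
        elif c == "[":
            frag, i = _bracket(pattern, i, match_slash)
            out.append(frag)
        else:
            out.append(re.escape(c))
            i += 1
    return "".join(out)


def glob_match(pattern, text, match_slash):
    return re.fullmatch(glob_to_regex(pattern, match_slash), text, re.DOTALL) is not None


def cmnd_matches(cmnd_spec, command, args):
    """Does a sudoers Cmnd (path, optional args, '""', or a directory ending in
    '/') match the fully qualified command and argument list the user gave?"""
    path, _, argspec = _unescape_sudoers(cmnd_spec.strip()).partition(" ")
    if path.endswith("/"):            # directory: any file in it, no subdirectories
        return command.startswith(path) and "/" not in command[len(path):]
    if not glob_match(path, command, match_slash=False):
        return False
    argspec = argspec.strip()
    if argspec == "":
        return True                   # bare file name: any arguments allowed
    if argspec == '""':
        return not args               # "": only without arguments
    # Arguments are compared as one space-joined string; here wildcards DO match '/'.
    return glob_match(argspec, " ".join(args), match_slash=True)
```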

   Including other files from within sudoers
       It is possible to include other sudoers files from within the sudoers
       file currently being parsed using the #include and #includedir
       directives.

       This can be used, for example, to keep a site-wide sudoers file in
       addition to a local, per-machine file. For the sake of this example
       the site-wide sudoers will be /etc/sudoers and the per-machine one will
       be /etc/sudoers.local. To include /etc/sudoers.local from within
       /etc/sudoers we would use the following line in /etc/sudoers:

           #include /etc/sudoers.local

       When sudo reaches this line it will suspend processing of the current
       file (/etc/sudoers) and switch to /etc/sudoers.local. Upon reaching
       the end of /etc/sudoers.local, the rest of /etc/sudoers will be
       processed. Files that are included may themselves include other files.
       A hard limit of 128 nested include files is enforced to prevent include
       file loops.

       If the path to the include file is not fully-qualified (does not begin
       with a /), it must be located in the same directory as the sudoers file
       it was included from. For example, if /etc/sudoers contains the line:

           #include sudoers.local

       the file that will be included is /etc/sudoers.local.

       The file name may also include the %h escape, signifying the short form
       of the host name. I.e., if the machine's host name is "xerxes", then

           #include /etc/sudoers.%h

       will cause sudo to include the file /etc/sudoers.xerxes.

       The #includedir directive can be used to create a sudo.d directory that
       the system package manager can drop sudoers rules into as part of
       package installation. For example, given:

           #includedir /etc/sudoers.d

       sudo will read each file in /etc/sudoers.d, skipping file names that
       end in ~ or contain a . character to avoid causing problems with
       package manager or editor temporary/backup files. Files are parsed in
       sorted lexical order. That is, /etc/sudoers.d/01_first will be parsed
       before /etc/sudoers.d/10_second. Be aware that because the sorting is
       lexical, not numeric, /etc/sudoers.d/1_whoops would be loaded after
       /etc/sudoers.d/10_second. Using a consistent number of leading zeroes
       in the file names avoids such problems.

       Note that unlike files included via #include, visudo will not edit the
       files in a #includedir directory unless one of them contains a syntax
       error. It is still possible to run visudo with the -f flag to edit the
       files directly.

   Other special characters and reserved words
       The pound sign ('#') is used to indicate a comment (unless it is part
       of a #include directive or unless it occurs in the context of a user
       name and is followed by one or more digits, in which case it is treated
       as a uid). Both the comment character and any text after it, up to the
       end of the line, are ignored.

       The reserved word ALL is a built-in alias that always causes a match to
       succeed. It can be used wherever one might otherwise use a Cmnd_Alias,
       User_Alias, Runas_Alias, or Host_Alias. You should not try to define
       your own alias called ALL as the built-in alias will be used in
       preference to your own. Please note that using ALL can be dangerous
       since in a command context, it allows the user to run any command on
       the system.

       An exclamation point ('!') can be used as a logical not operator both
       in an alias and in front of a Cmnd. This allows one to exclude certain
       values. Note, however, that using a ! in conjunction with the built-in
       ALL alias to allow a user to run "all but a few" commands rarely works
       as intended (see SECURITY NOTES below).

       Long lines can be continued with a backslash ('\') as the last
       character on the line.

       Whitespace between elements in a list as well as special syntactic
       characters in a User Specification ('=', ':', '(', ')') is optional.

       The following characters must be escaped with a backslash ('\') when
       used as part of a word (e.g. a user name or host name): '!', '=', ':',
       ',', '(', ')', '\'.

SUDOERS OPTIONS
       sudo's behavior can be modified by Default_Entry lines, as explained
       earlier. A list of all supported Defaults parameters, grouped by type,
       is given below.

   Boolean Flags:

       always_set_home   If enabled, sudo will set the HOME environment variable
                         to the home directory of the target user (which is root
                         unless the -u option is used). This effectively means
                         that the -H option is always implied. Note that HOME
                         is already set when the env_reset option is
                         enabled, so always_set_home is only effective for
                         configurations where either env_reset is disabled or
                         HOME is present in the env_keep list. This flag is off
                         by default.

       authenticate      If set, users must authenticate themselves via a
                         password (or other means of authentication) before they
                         may run commands. This default may be overridden via
                         the PASSWD and NOPASSWD tags. This flag is on by
                         default.

       closefrom_override
                         If set, the user may use sudo's -C option which
                         overrides the default starting point at which sudo
                         begins closing open file descriptors. This flag is off
                         by default.

       compress_io       If set, and sudo is configured to log a command's input
                         or output, the I/O logs will be compressed using zlib.
                         This flag is on by default when sudo is compiled with
                         zlib support.

       env_editor        If set, visudo will use the value of the EDITOR or
                         VISUAL environment variables before falling back on the
                         default editor list. Note that this may create a
                         security hole as it allows the user to run any
                         arbitrary command as root without logging. A safer
                         alternative is to place a colon-separated list of
                         editors in the editor variable. visudo will then only
                         use the EDITOR or VISUAL if they match a value
                         specified in editor. This flag is off by default.

       env_reset         If set, sudo will run the command in a minimal
                         environment containing the TERM, PATH, HOME, MAIL,
                         SHELL, LOGNAME, USER, USERNAME and SUDO_* variables.
                         Any variables in the caller's environment that match
                         the env_keep and env_check lists are then added,
                         followed by any variables present in the file specified
                         by the env_file option (if any). The default contents
! 692: of the env_keep and env_check lists are displayed when
! 693: ssuuddoo is run by root with the _-_V option. If the
! 694: _s_e_c_u_r_e___p_a_t_h option is set, its value will be used for
! 695: the PATH environment variable. This flag is _o_n by
! 696: default.
1.1 misho 697:
698: fast_glob Normally, ssuuddoo uses the _g_l_o_b(3) function to do shell-
699: style globbing when matching path names. However,
700: since it accesses the file system, _g_l_o_b(3) can take a
701: long time to complete for some patterns, especially
702: when the pattern references a network file system that
703: is mounted on demand (automounted). The _f_a_s_t___g_l_o_b
704: option causes ssuuddoo to use the _f_n_m_a_t_c_h(3) function,
705: which does not access the file system to do its
706: matching. The disadvantage of _f_a_s_t___g_l_o_b is that it is
707: unable to match relative path names such as _._/_l_s or
708: _._._/_b_i_n_/_l_s. This has security implications when path
709: names that include globbing characters are used with
710: the negation operator, '!', as such rules can be
711: trivially bypassed. As such, this option should not be
712: used when _s_u_d_o_e_r_s contains rules that contain negated
713: path names which include globbing characters. This
714: flag is _o_f_f by default.
715:
716: fqdn Set this flag if you want to put fully qualified host
717: names in the _s_u_d_o_e_r_s file. I.e., instead of myhost you
718: would use myhost.mydomain.edu. You may still use the
719: short form if you wish (and even mix the two). Beware
720: that turning on _f_q_d_n requires ssuuddoo to make DNS lookups
721: which may make ssuuddoo unusable if DNS stops working (for
722: example if the machine is not plugged into the
723: network). Also note that you must use the host's
724: official name as DNS knows it. That is, you may not
725: use a host alias (CNAME entry) due to performance
726: issues and the fact that there is no way to get all
727: aliases from DNS. If your machine's host name (as
728: returned by the hostname command) is already fully
729: qualified you shouldn't need to set _f_q_d_n. This flag is
730: _o_f_f by default.
731:
732: ignore_dot If set, ssuuddoo will ignore '.' or '' (current dir) in the
733: PATH environment variable; the PATH itself is not
734: modified. This flag is _o_f_f by default.
735:
736: ignore_local_sudoers
737: If set via LDAP, parsing of _/_e_t_c_/_s_u_d_o_e_r_s will be
738: skipped. This is intended for Enterprises that wish to
739: prevent the usage of local sudoers files so that only
740: LDAP is used. This thwarts the efforts of rogue
741: operators who would attempt to add roles to
742: _/_e_t_c_/_s_u_d_o_e_r_s. When this option is present,
743: _/_e_t_c_/_s_u_d_o_e_r_s does not even need to exist. Since this
744: option tells ssuuddoo how to behave when no specific LDAP
745: entries have been matched, this sudoOption is only
746: meaningful for the cn=defaults section. This flag is
747: _o_f_f by default.
748:
749: insults If set, ssuuddoo will insult users when they enter an
750: incorrect password. This flag is _o_f_f by default.
751:
752: log_host If set, the host name will be logged in the (non-
753: syslog) ssuuddoo log file. This flag is _o_f_f by default.
754:
755: log_input If set, ssuuddoo will run the command in a _p_s_e_u_d_o _t_t_y and
756: log all user input. If the standard input is not
757: connected to the user's tty, due to I/O redirection or
758: because the command is part of a pipeline, that input
759: is also captured and stored in a separate log file.
760:
761: Input is logged to the directory specified by the
762: _i_o_l_o_g___d_i_r option (_/_v_a_r_/_l_o_g_/_s_u_d_o_-_i_o by default) using a
763: unique session ID that is included in the normal ssuuddoo
764: log line, prefixed with _T_S_I_D_=. The _i_o_l_o_g___f_i_l_e option
765: may be used to control the format of the session ID.
766:
767: Note that user input may contain sensitive information
768: such as passwords (even if they are not echoed to the
769: screen), which will be stored in the log file
770: unencrypted. In most cases, logging the command output
771: via _l_o_g___o_u_t_p_u_t is all that is required.
772:
773: log_output If set, ssuuddoo will run the command in a _p_s_e_u_d_o _t_t_y and
774: log all output that is sent to the screen, similar to
775: the _s_c_r_i_p_t(1) command. If the standard output or
776: standard error is not connected to the user's tty, due
777: to I/O redirection or because the command is part of a
778: pipeline, that output is also captured and stored in
779: separate log files.
780:
781: Output is logged to the directory specified by the
782: _i_o_l_o_g___d_i_r option (_/_v_a_r_/_l_o_g_/_s_u_d_o_-_i_o by default) using a
783: unique session ID that is included in the normal ssuuddoo
784: log line, prefixed with _T_S_I_D_=. The _i_o_l_o_g___f_i_l_e option
785: may be used to control the format of the session ID.
786:
787: Output logs may be viewed with the _s_u_d_o_r_e_p_l_a_y(1m)
788: utility, which can also be used to list or search the
789: available logs.
790:
791: log_year If set, the four-digit year will be logged in the (non-
792: syslog) ssuuddoo log file. This flag is _o_f_f by default.
793:
794: long_otp_prompt When validating with a One Time Password (OTP) scheme
795: such as SS//KKeeyy or OOPPIIEE, a two-line prompt is used to
796: make it easier to cut and paste the challenge to a
797: local window. It's not as pretty as the default but
798: some people find it more convenient. This flag is _o_f_f
799: by default.
800:
801: mail_always Send mail to the _m_a_i_l_t_o user every time a users runs
802: ssuuddoo. This flag is _o_f_f by default.
803:
804: mail_badpass Send mail to the _m_a_i_l_t_o user if the user running ssuuddoo
805: does not enter the correct password. This flag is _o_f_f
806: by default.
807:
808: mail_no_host If set, mail will be sent to the _m_a_i_l_t_o user if the
809: invoking user exists in the _s_u_d_o_e_r_s file, but is not
810: allowed to run commands on the current host. This flag
811: is _o_f_f by default.
812:
813: mail_no_perms If set, mail will be sent to the _m_a_i_l_t_o user if the
814: invoking user is allowed to use ssuuddoo but the command
815: they are trying is not listed in their _s_u_d_o_e_r_s file
816: entry or is explicitly denied. This flag is _o_f_f by
817: default.
818:
819: mail_no_user If set, mail will be sent to the _m_a_i_l_t_o user if the
820: invoking user is not in the _s_u_d_o_e_r_s file. This flag is
821: _o_n by default.
822:
823: noexec If set, all commands run via ssuuddoo will behave as if the
824: NOEXEC tag has been set, unless overridden by a EXEC
825: tag. See the description of _N_O_E_X_E_C _a_n_d _E_X_E_C below as
1.1.1.2 ! misho 826: well as the "Preventing Shell Escapes" section at the
1.1 misho 827: end of this manual. This flag is _o_f_f by default.
828:
829: path_info Normally, ssuuddoo will tell the user when a command could
830: not be found in their PATH environment variable. Some
831: sites may wish to disable this as it could be used to
832: gather information on the location of executables that
833: the normal user does not have access to. The
834: disadvantage is that if the executable is simply not in
835: the user's PATH, ssuuddoo will tell the user that they are
836: not allowed to run it, which can be confusing. This
837: flag is _o_n by default.
838:
839: passprompt_override
840: The password prompt specified by _p_a_s_s_p_r_o_m_p_t will
841: normally only be used if the password prompt provided
842: by systems such as PAM matches the string "Password:".
843: If _p_a_s_s_p_r_o_m_p_t___o_v_e_r_r_i_d_e is set, _p_a_s_s_p_r_o_m_p_t will always
844: be used. This flag is _o_f_f by default.
845:
846: preserve_groups By default, ssuuddoo will initialize the group vector to
847: the list of groups the target user is in. When
848: _p_r_e_s_e_r_v_e___g_r_o_u_p_s is set, the user's existing group
849: vector is left unaltered. The real and effective group
850: IDs, however, are still set to match the target user.
851: This flag is _o_f_f by default.
852:
853: pwfeedback By default, ssuuddoo reads the password like most other
854: Unix programs, by turning off echo until the user hits
855: the return (or enter) key. Some users become confused
856: by this as it appears to them that ssuuddoo has hung at
857: this point. When _p_w_f_e_e_d_b_a_c_k is set, ssuuddoo will provide
858: visual feedback when the user presses a key. Note that
859: this does have a security impact as an onlooker may be
860: able to determine the length of the password being
861: entered. This flag is _o_f_f by default.
862:
863: requiretty If set, ssuuddoo will only run when the user is logged in
864: to a real tty. When this flag is set, ssuuddoo can only be
865: run from a login session and not via other means such
866: as _c_r_o_n(1m) or cgi-bin scripts. This flag is _o_f_f by
867: default.
868:
869: root_sudo If set, root is allowed to run ssuuddoo too. Disabling
870: this prevents users from "chaining" ssuuddoo commands to
871: get a root shell by doing something like "sudo sudo
872: /bin/sh". Note, however, that turning off _r_o_o_t___s_u_d_o
873: will also prevent root from running ssuuddooeeddiitt.
874: Disabling _r_o_o_t___s_u_d_o provides no real additional
875: security; it exists purely for historical reasons.
876: This flag is _o_n by default.
877:
878: rootpw If set, ssuuddoo will prompt for the root password instead
879: of the password of the invoking user. This flag is _o_f_f
880: by default.
881:
882: runaspw If set, ssuuddoo will prompt for the password of the user
883: defined by the _r_u_n_a_s___d_e_f_a_u_l_t option (defaults to root)
884: instead of the password of the invoking user. This
885: flag is _o_f_f by default.
886:
887: set_home If enabled and ssuuddoo is invoked with the --ss option the
888: HOME environment variable will be set to the home
889: directory of the target user (which is root unless the
890: --uu option is used). This effectively makes the --ss
891: option imply --HH. Note that HOME is already set when
892: the the _e_n_v___r_e_s_e_t option is enabled, so _s_e_t___h_o_m_e is
893: only effective for configurations where either
894: _e_n_v___r_e_s_e_t is disabled or HOME is present in the
895: _e_n_v___k_e_e_p list. This flag is _o_f_f by default.
896:
897: set_logname Normally, ssuuddoo will set the LOGNAME, USER and USERNAME
898: environment variables to the name of the target user
899: (usually root unless the --uu option is given). However,
900: since some programs (including the RCS revision control
901: system) use LOGNAME to determine the real identity of
902: the user, it may be desirable to change this behavior.
903: This can be done by negating the set_logname option.
904: Note that if the _e_n_v___r_e_s_e_t option has not been
905: disabled, entries in the _e_n_v___k_e_e_p list will override
906: the value of _s_e_t___l_o_g_n_a_m_e. This flag is _o_n by default.
907:
908: set_utmp When enabled, ssuuddoo will create an entry in the utmp (or
909: utmpx) file when a pseudo-tty is allocated. A pseudo-
910: tty is allocated by ssuuddoo when the _l_o_g___i_n_p_u_t, _l_o_g___o_u_t_p_u_t
911: or _u_s_e___p_t_y flags are enabled. By default, the new
912: entry will be a copy of the user's existing utmp entry
913: (if any), with the tty, time, type and pid fields
914: updated. This flag is _o_n by default.
915:
916: setenv Allow the user to disable the _e_n_v___r_e_s_e_t option from the
917: command line via the --EE option. Additionally,
918: environment variables set via the command line are not
919: subject to the restrictions imposed by _e_n_v___c_h_e_c_k,
920: _e_n_v___d_e_l_e_t_e, or _e_n_v___k_e_e_p. As such, only trusted users
921: should be allowed to set variables in this manner.
922: This flag is _o_f_f by default.
923:
924: shell_noargs If set and ssuuddoo is invoked with no arguments it acts as
925: if the --ss option had been given. That is, it runs a
926: shell as root (the shell is determined by the SHELL
927: environment variable if it is set, falling back on the
928: shell listed in the invoking user's /etc/passwd entry
929: if not). This flag is _o_f_f by default.
930:
931: stay_setuid Normally, when ssuuddoo executes a command the real and
932: effective UIDs are set to the target user (root by
933: default). This option changes that behavior such that
934: the real UID is left as the invoking user's UID. In
935: other words, this makes ssuuddoo act as a setuid wrapper.
936: This can be useful on systems that disable some
937: potentially dangerous functionality when a program is
938: run setuid. This option is only effective on systems
939: with either the _s_e_t_r_e_u_i_d_(_) or _s_e_t_r_e_s_u_i_d_(_) function.
940: This flag is _o_f_f by default.
941:
942: targetpw If set, ssuuddoo will prompt for the password of the user
943: specified by the --uu option (defaults to root) instead
944: of the password of the invoking user. In addition, the
945: timestamp file name will include the target user's
946: name. Note that this flag precludes the use of a uid
947: not listed in the passwd database as an argument to the
948: --uu option. This flag is _o_f_f by default.
949:
950: tty_tickets If set, users must authenticate on a per-tty basis.
951: With this flag enabled, ssuuddoo will use a file named for
952: the tty the user is logged in on in the user's time
953: stamp directory. If disabled, the time stamp of the
954: directory is used instead. This flag is _o_n by default.
955:
956: umask_override If set, ssuuddoo will set the umask as specified by _s_u_d_o_e_r_s
957: without modification. This makes it possible to
958: specify a more permissive umask in _s_u_d_o_e_r_s than the
959: user's own umask and matches historical behavior. If
960: _u_m_a_s_k___o_v_e_r_r_i_d_e is not set, ssuuddoo will set the umask to
961: be the union of the user's umask and what is specified
962: in _s_u_d_o_e_r_s. This flag is _o_f_f by default.
963:
964: use_loginclass If set, ssuuddoo will apply the defaults specified for the
965: target user's login class if one exists. Only
966: available if ssuuddoo is configured with the
967: --with-logincap option. This flag is _o_f_f by default.
968:
969: use_pty If set, ssuuddoo will run the command in a pseudo-pty even
970: if no I/O logging is being gone. A malicious program
971: run under ssuuddoo could conceivably fork a background
972: process that retains to the user's terminal device
973: after the main program has finished executing. Use of
974: this option will make that impossible. This flag is
975: _o_f_f by default.
976:
977: utmp_runas If set, ssuuddoo will store the name of the runas user when
978: updating the utmp (or utmpx) file. By default, ssuuddoo
979: stores the name of the invoking user. This flag is _o_f_f
980: by default.
981:
982: visiblepw By default, ssuuddoo will refuse to run if the user must
983: enter a password but it is not possible to disable echo
984: on the terminal. If the _v_i_s_i_b_l_e_p_w flag is set, ssuuddoo
985: will prompt for a password even when it would be
986: visible on the screen. This makes it possible to run
987: things like "rsh somehost sudo ls" since _r_s_h(1) does
988: not allocate a tty. This flag is _o_f_f by default.

    Integers:

    closefrom
        Before it executes a command, sudo will close all open file
        descriptors other than standard input, standard output and
        standard error (i.e., file descriptors 0-2).  The closefrom
        option can be used to specify a different file descriptor at
        which to start closing.  The default is 3.

    passwd_tries
        The number of tries a user gets to enter his/her password before
        sudo logs the failure and exits.  The default is 3.

    Integers that can be used in a boolean context:

    loglinelen
        Number of characters per line for the file log.  This value is
        used to decide when to wrap lines for nicer log files.  This has
        no effect on the syslog log file, only the file log.  The default
        is 80 (use 0 or negate the option to disable word wrap).

    passwd_timeout
        Number of minutes before the sudo password prompt times out, or 0
        for no timeout.  The timeout may include a fractional component
        if minute granularity is insufficient, for example 2.5.  The
        default is 5.

    timestamp_timeout
        Number of minutes that can elapse before sudo will ask for a
        password again.  The timeout may include a fractional component
        if minute granularity is insufficient, for example 2.5.  The
        default is 5.  Set this to 0 to always prompt for a password.  If
        set to a value less than 0 the user's timestamp will never
        expire.  This can be used to allow users to create or delete
        their own timestamps via sudo -v and sudo -k respectively.

    umask
        Umask to use when running the command.  Negate this option or set
        it to 0777 to preserve the user's umask.  The actual umask that
        is used will be the union of the user's umask and the value of
        the umask option, which defaults to 0022.  This guarantees that
        sudo never lowers the umask when running a command.  Note that on
        systems that use PAM, the default PAM configuration may specify
        its own umask, which will override the value set in sudoers.
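    As an added example (not from the sudoers manual or the sudo project),
    the POSIX shell function below reads a sudoers fragment and reports the
    Defaults settings that the flag descriptions above mark as
    security-relevant: a negated env_reset, authenticate or mail_no_user,
    env_editor, setenv, visiblepw, pwfeedback, log_input, a negative
    timestamp_timeout, and fast_glob combined with a rule that negates a
    glob pattern.  The flag names are the documented ones; the sample input
    is constructed and is not a real sudoers file.

```shell
# Added example (not part of the sudo project): audit the Defaults flags of a
# sudoers fragment against the warnings given in the SUDOERS OPTIONS section.
# POSIX sh + awk only.  Input: sudoers text on stdin.  Output: one
# "WARN <flag>: <reason>" line per finding, then a final "findings=<n>".
audit_sudoers_defaults() {
    awk '
    function note(flag, why) { print "WARN " flag ": " why; n++ }
    {
        line = $0
        # join backslash-continued lines, then drop comments
        while (line ~ /\\$/ && (getline nxt) > 0) { sub(/\\$/, "", line); line = line " " nxt }
        sub(/#.*/, "", line)
        if (line !~ /^[ \t]*Defaults/) {
            # a user specification that negates a glob pattern, e.g. "!/bin/*sh"
            if (line ~ /![^ \t,]*[*?]/) negglob = 1
            next
        }
        # strip "Defaults" plus any :user, @host, !cmnd or >runas qualifier
        sub(/^[ \t]*Defaults[^ \t]*[ \t]+/, "", line)
        k = split(line, items, ",")
        for (i = 1; i <= k; i++) {
            item = items[i]; gsub(/^[ \t]+|[ \t]+$/, "", item)
            neg = (item ~ /^!/); sub(/^!/, "", item)
            eq = index(item, "=")
            key = eq ? substr(item, 1, eq - 1) : item
            val = eq ? substr(item, eq + 1) : ""
            gsub(/[ \t+-]+$/, "", key)          # "env_keep +=" -> env_keep
            gsub(/^[ \t"]+|[ \t"]+$/, "", val)  # unquote the value
            if (neg) {
                if (key == "env_reset")    note(key, "disabled: the command inherits the calling user environment")
                if (key == "authenticate") note(key, "disabled: commands run without any password")
                if (key == "mail_no_user") note(key, "disabled: unlisted users running sudo are not reported")
                continue
            }
            if (key == "env_editor") note(key, "visudo honours EDITOR/VISUAL; any command can run as root unlogged")
            if (key == "setenv")     note(key, "env_check/env_delete/env_keep can be bypassed from the command line")
            if (key == "visiblepw")  note(key, "the password may be echoed to the screen")
            if (key == "pwfeedback") note(key, "an onlooker can learn the password length")
            if (key == "log_input")  note(key, "typed passwords are stored unencrypted in the I/O log")
            if (key == "timestamp_timeout" && val + 0 < 0)
                note(key, "negative value: cached credentials never expire")
            if (key == "fast_glob") fastglob = 1
        }
    }
    END {
        if (fastglob && negglob)
            note("fast_glob", "set while a rule negates a glob pattern; fnmatch(3) cannot match ./ paths, so the negation is bypassable")
        print "findings=" n + 0
    }'
}

# Constructed sample for a stand-alone run (not a real sudoers file):
printf '%s\n' \
    'Defaults env_reset, env_editor, passwd_tries=3' \
    'Defaults:alice !authenticate' \
    'Defaults timestamp_timeout=-1' \
    'Defaults fast_glob' \
    'bob ALL = ALL, !/bin/*sh' | audit_sudoers_defaults
```

    Run it as `audit_sudoers_defaults < /etc/sudoers` (a sudoers file is
    normally readable by root only).  The fast_glob finding is only raised
    when a negated glob rule is actually present, mirroring the condition
    the manual gives; quoting and list operators (+=, -=) are handled so
    that a key is recognised whatever form its assignment takes.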

    Strings:

    badpass_message
        Message that is displayed if a user enters an incorrect password.
        The default is "Sorry, try again." unless insults are enabled.

    editor
        A colon (':') separated list of editors allowed to be used with
        visudo.  visudo will choose the editor that matches the user's
        EDITOR environment variable if possible, or the first editor in
        the list that exists and is executable.  The default is "vi".

    iolog_dir
        The top-level directory to use when constructing the path name
        for the input/output log directory.  Only used if the log_input
        or log_output options are enabled or when the LOG_INPUT or
        LOG_OUTPUT tags are present for a command.  The session sequence
        number, if any, is stored in the directory.  The default is
        "/var/log/sudo-io".

        The following percent ('%') escape sequences are supported:

        %{seq}
            expanded to a monotonically increasing base-36 sequence
            number, such as 0100A5, where every two digits are used to
            form a new directory, e.g. 01/00/A5

        %{user}
            expanded to the invoking user's login name

        %{group}
            expanded to the name of the invoking user's real group ID

        %{runas_user}
            expanded to the login name of the user the command will be
            run as (e.g. root)

        %{runas_group}
            expanded to the group name of the user the command will be
            run as (e.g. wheel)

        %{hostname}
            expanded to the local host name without the domain name

        %{command}
            expanded to the base name of the command being run

        In addition, any escape sequences supported by the system's
        strftime() function will be expanded.

        To include a literal '%' character, the string '%%' should be
        used.

    iolog_file
        The path name, relative to iolog_dir, in which to store
        input/output logs when the log_input or log_output options are
        enabled or when the LOG_INPUT or LOG_OUTPUT tags are present for
        a command.  Note that iolog_file may contain directory
        components.  The default is "%{seq}".

        See the iolog_dir option above for a list of supported percent
        ('%') escape sequences.

        In addition to the escape sequences, path names that end in six
        or more Xs will have the Xs replaced with a unique combination of
        digits and letters, similar to the mktemp() function.

    mailsub
        Subject of the mail sent to the mailto user.  The escape %h will
        expand to the host name of the machine.  The default is
        "*** SECURITY information for %h ***".

    noexec_file
        This option is no longer supported.  The path to the noexec file
        should now be set in the /etc/sudo.conf file.

    passprompt
        The default prompt to use when asking for a password; can be
        overridden via the -p option or the SUDO_PROMPT environment
        variable.  The following percent ('%') escape sequences are
        supported:

        %H  expanded to the local host name including the domain name
            (only if the machine's host name is fully qualified or the
            fqdn option is set)

        %h  expanded to the local host name without the domain name

        %p  expanded to the user whose password is being asked for
            (respects the rootpw, targetpw and runaspw flags in sudoers)

        %U  expanded to the login name of the user the command will be
            run as (defaults to root)

        %u  expanded to the invoking user's login name

        %%  two consecutive % characters are collapsed into a single %
            character

        The default value is "Password:".
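    The %{name} escapes of iolog_dir and iolog_file and the single-letter
    escapes of passprompt follow one small grammar, so one routine can
    expand both.  The shell function below is an added example and not
    sudo's own implementation: it takes the template as its first argument
    and the escape values as name=value pairs, collapses %% to a literal
    percent, leaves unknown escapes (such as strftime() ones) untouched,
    and renders a decimal seq counter as the base-36, two-digits-per-
    directory path the manual describes (0100A5 becomes 01/00/A5).  The
    six-digit width of the counter is this example's assumption, and the
    demo values are constructed.

```shell
# Added example (not part of the sudo project): expand the percent escapes
# accepted by iolog_dir, iolog_file and passprompt.  $1 is the template;
# the remaining arguments are name=value pairs.  A "seq" value is a decimal
# counter rendered as base-36 with a "/" every two digits (the six-digit
# width is an assumption of this example).  POSIX sh + awk only.
expand_sudo_escapes() {
    tmpl=$1; shift
    awk -v tmpl="$tmpl" '
    # decimal -> zero-padded base-36 -> "xx/xx/xx" directory form
    function seqdirs(n,    digits, s, i, r) {
        digits = "0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ"; s = ""
        while (n > 0) { s = substr(digits, n % 36 + 1, 1) s; n = int(n / 36) }
        while (length(s) < 6) s = "0" s
        r = ""
        for (i = 1; i <= length(s); i += 2) r = r (i > 1 ? "/" : "") substr(s, i, 2)
        return r
    }
    BEGIN {
        for (i = 1; i < ARGC; i++) {               # name=value arguments feed the table
            eq = index(ARGV[i], "=")
            if (eq) val[substr(ARGV[i], 1, eq - 1)] = substr(ARGV[i], eq + 1)
            ARGV[i] = ""                            # never treat an argument as an input file
        }
        if ("seq" in val) val["seq"] = seqdirs(val["seq"] + 0)
        out = ""
        while (length(tmpl) > 0) {
            c = substr(tmpl, 1, 1)
            if (c != "%") { out = out c; tmpl = substr(tmpl, 2); continue }
            c2 = substr(tmpl, 2, 1)
            if (c2 == "%") {                                        # %% -> literal %
                out = out "%"; tmpl = substr(tmpl, 3)
            } else if (c2 == "{" && (e = index(tmpl, "}")) > 0) {   # %{name}: iolog_dir / iolog_file
                name = substr(tmpl, 3, e - 3)
                out = out ((name in val) ? val[name] : substr(tmpl, 1, e))
                tmpl = substr(tmpl, e + 1)
            } else if (c2 in val) {                                 # %h %H %p %U %u: passprompt
                out = out val[c2]; tmpl = substr(tmpl, 3)
            } else {                                                # unknown escape: keep verbatim
                out = out c; tmpl = substr(tmpl, 2)
            }
        }
        print out
    }' "$@"
}

# Constructed demo values (not taken from a real system):
expand_sudo_escapes '%{hostname}/%{user}/%{seq}' hostname=db1 user=alice seq=1679981
expand_sudo_escapes '[sudo] password for %p@%h (100%% local): ' p=root h=db1
```

    With the values above the first call yields db1/alice/01/00/A5, which
    is the directory layout an I/O log for session 0100A5 would land in
    under iolog_dir.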

    role
        The default SELinux role to use when constructing a new security
        context to run the command.  The default role may be overridden
        on a per-command basis in sudoers or via command line options.
        This option is only available when sudo is built with SELinux
        support.

    runas_default
        The default user to run commands as if the -u option is not
        specified on the command line.  This defaults to root.

    syslog_badpri
        Syslog priority to use when a user authenticates unsuccessfully.
        Defaults to alert.

        The following syslog priorities are supported: alert, crit,
        debug, emerg, err, info, notice, and warning.

    syslog_goodpri
        Syslog priority to use when a user authenticates successfully.
        Defaults to notice.

        See syslog_badpri for the list of supported syslog priorities.

    sudoers_locale
        Locale to use when parsing the sudoers file, logging commands,
        and sending email.  Note that changing the locale may affect how
        sudoers is interpreted.  Defaults to "C".

    timestampdir
        The directory in which sudo stores its timestamp files.  The
        default is /var/adm/sudo.

    timestampowner
        The owner of the timestamp directory and the timestamps stored
        therein.  The default is root.

    type
        The default SELinux type to use when constructing a new security
        context to run the command.  The default type may be overridden
        on a per-command basis in sudoers or via command line options.
        This option is only available when sudo is built with SELinux
        support.

    Strings that can be used in a boolean context:

    env_file
        The env_file option specifies the fully qualified path to a file
        containing variables to be set in the environment of the program
        being run.  Entries in this file should either be of the form
        VARIABLE=value or export VARIABLE=value.  The value may
        optionally be surrounded by single or double quotes.  Variables
        in this file are subject to other sudo environment settings such
        as env_keep and env_check.

    exempt_group
        Users in this group are exempt from password and PATH
        requirements.  The group name specified should not include a %
        prefix.  This is not set by default.

    group_plugin
        A string containing a sudoers group plugin with optional
        arguments.  This can be used to implement support for the
        nonunix_group syntax described earlier.  The string should
        consist of the plugin path, either fully-qualified or relative to
        the /usr/local/libexec directory, followed by any configuration
        arguments the plugin requires.  These arguments (if any) will be
        passed to the plugin's initialization function.  If arguments are
        present, the string must be enclosed in double quotes (").

        For example, given /etc/sudo-group, a group file in Unix group
        format, the sample group plugin can be used:

            Defaults group_plugin="sample_group.so /etc/sudo-group"

        For more information see sudo_plugin(4).

    lecture
        This option controls when a short lecture will be printed along
        with the password prompt.  It has the following possible values:

        always  Always lecture the user.

        never   Never lecture the user.

        once    Only lecture the user the first time they run sudo.

        If no value is specified, a value of once is implied.  Negating
        the option results in a value of never being used.  The default
        value is once.

    lecture_file
        Path to a file containing an alternate sudo lecture that will be
        used in place of the standard lecture if the named file exists.
        By default, sudo uses a built-in lecture.

    listpw
        This option controls when a password will be required when a
        user runs sudo with the -l option.  It has the following possible
        values:

        all     All the user's sudoers entries for the current host must
                have the NOPASSWD flag set to avoid entering a password.

        always  The user must always enter a password to use the -l
                option.

        any     At least one of the user's sudoers entries for the
                current host must have the NOPASSWD flag set to avoid
                entering a password.

        never   The user need never enter a password to use the -l
                option.

        If no value is specified, a value of any is implied.  Negating
        the option results in a value of never being used.  The default
        value is any.

    logfile
        Path to the sudo log file (not the syslog log file).  Setting a
        path turns on logging to a file; negating this option turns it
        off.  By default, sudo logs via syslog.

    mailerflags
        Flags to use when invoking the mailer.  Defaults to -t.

    mailerpath
        Path to the mail program used to send warning mail.  Defaults to
        the path to sendmail found at configure time.

    mailfrom
        Address to use for the "from" address when sending warning and
        error mail.  The address should be enclosed in double quotes (")
        to protect against sudo interpreting the @ sign.  Defaults to the
        name of the user running sudo.

    mailto
        Address to send warning and error mail to.  The address should be
        enclosed in double quotes (") to protect against sudo
        interpreting the @ sign.  Defaults to root.

    secure_path
        Path used for every command run from sudo.  If you don't trust
        the people running sudo to have a sane PATH environment variable,
        you may want to use this.  Another use is if you want to have the
        "root path" be separate from the "user path."  Users in the group
        specified by the exempt_group option are not affected by
        secure_path.  This option is not set by default.

    syslog
        Syslog facility if syslog is being used for logging (negate to
        disable syslog logging).  Defaults to auth.

        The following syslog facilities are supported: authpriv (if your
        OS supports it), auth, daemon, user, local0, local1, local2,
        local3, local4, local5, local6, and local7.

    verifypw
        This option controls when a password will be required when a
        user runs sudo with the -v option.  It has the following possible
        values:

        all     All the user's sudoers entries for the current host must
                have the NOPASSWD flag set to avoid entering a password.

        always  The user must always enter a password to use the -v
                option.

        any     At least one of the user's sudoers entries for the
                current host must have the NOPASSWD flag set to avoid
                entering a password.

        never   The user need never enter a password to use the -v
                option.

        If no value is specified, a value of all is implied.  Negating
        the option results in a value of never being used.  The default
        value is all.
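    The listpw and verifypw rules above differ only in their implied
    value, and the all/any distinction is easy to get backwards when
    reviewing a policy.  The two POSIX shell functions below are an added
    example, not sudo's code: resolve_pw_mode maps a Defaults setting
    (bare flag, negated flag, or explicit value) to a mode, and
    pw_prompt_required decides whether sudo -l or sudo -v must prompt,
    given the PASSWD/NOPASSWD tags of the user's entries for the current
    host.  Treating "all" with no entries at all as "prompt" is this
    example's own choice; the demo entries are constructed.

```shell
# Added example (not part of the sudo project): the listpw / verifypw
# decision as the manual states it.  POSIX sh only.

# Map a Defaults setting to a mode.  $1 is listpw or verifypw, $2 the raw
# value: "" for the bare flag, "!" for the negated flag, otherwise one of
# all | always | any | never.
resolve_pw_mode() {
    case $2 in
        '!') echo never ;;                         # negated option -> never
        '')  if [ "$1" = verifypw ]; then echo all; else echo any; fi ;;
        *)   echo "$2" ;;
    esac
}

# Print "yes" if a password is required, "no" otherwise.  $1 is the mode;
# the remaining arguments are the tags (PASSWD or NOPASSWD) of the user's
# sudoers entries for the current host.
pw_prompt_required() {
    pw_mode=$1; shift
    total=$#; nopw=0
    for tag in "$@"; do
        if [ "$tag" = NOPASSWD ]; then nopw=$((nopw + 1)); fi
    done
    case $pw_mode in
        always) echo yes ;;
        never)  echo no ;;
        all)    # every entry must carry NOPASSWD; with no entries we prompt (example choice)
                if [ "$total" -gt 0 ] && [ "$nopw" -eq "$total" ]; then echo no; else echo yes; fi ;;
        any)    if [ "$nopw" -gt 0 ]; then echo no; else echo yes; fi ;;
        *)      echo "unknown mode: $pw_mode" >&2; return 2 ;;
    esac
}

# Constructed demo: the user has one NOPASSWD entry and one PASSWD entry.
demo_mode=$(resolve_pw_mode listpw '')
echo "sudo -l, listpw=$demo_mode: password required = $(pw_prompt_required "$demo_mode" NOPASSWD PASSWD)"
demo_mode=$(resolve_pw_mode verifypw '')
echo "sudo -v, verifypw=$demo_mode: password required = $(pw_prompt_required "$demo_mode" NOPASSWD PASSWD)"
```

    The demo shows why the defaults differ: with a mixed set of entries,
    sudo -l (listpw=any) needs no password while sudo -v (verifypw=all)
    does, so a user cannot refresh a cached credential without
    authenticating unless every one of their entries is NOPASSWD.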

    Lists that can be used in a boolean context:

    env_check
        Environment variables to be removed from the user's environment
        if the variable's value contains % or / characters.  This can be
        used to guard against printf-style format vulnerabilities in
        poorly-written programs.  The argument may be a double-quoted,
        space-separated list or a single value without double-quotes.
        The list can be replaced, added to, deleted from, or disabled by
        using the =, +=, -=, and ! operators respectively.  Regardless of
        whether the env_reset option is enabled or disabled, variables
        specified by env_check will be preserved in the environment if
        they pass the aforementioned check.  The default list of
        environment variables to check is displayed when sudo is run by
        root with the -V option.

    env_delete
        Environment variables to be removed from the user's environment
        when the env_reset option is not in effect.  The argument may be
        a double-quoted, space-separated list or a single value without
        double-quotes.  The list can be replaced, added to, deleted from,
        or disabled by using the =, +=, -=, and ! operators respectively.
        The default list of environment variables to remove is displayed
        when sudo is run by root with the -V option.  Note that many
        operating systems will remove potentially dangerous variables
        from the environment of any setuid process (such as sudo).

    env_keep
        Environment variables to be preserved in the user's environment
        when the env_reset option is in effect.  This allows fine-grained
        control over the environment sudo-spawned processes will receive.
        The argument may be a double-quoted, space-separated list or a
        single value without double-quotes.  The list can be replaced,
        added to, deleted from, or disabled by using the =, +=, -=, and !
        operators respectively.  The default list of variables to keep is
        displayed when sudo is run by root with the -V option.
1350:
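     The following is an added example, not code from sudo itself: a model of
     how the env_keep, env_check and env_delete lists and their =, +=, -= and
     ! operators decide which variables a command receives, with and without
     env_reset.  The list contents and the sample environment in the test are
     constructed; sudo's compiled-in defaults are only shown by "sudo -V".

```python
import re

# Constructed for the example; sudo's real compiled-in defaults are shown
# by "sudo -V" as root and are not reproduced here.
UNSAFE_VALUE = re.compile(r"[%/]")   # env_check rejects values with % or /
LIST_LINE = re.compile(
    r'^\s*Defaults\s+(!?)(env_keep|env_check|env_delete)'
    r'\s*(=|\+=|-=)?\s*(?:"([^"]*)"|(\S+))?\s*$')


def apply_list_op(current, op, values):
    """Apply one of the list operators =, +=, -= or ! to a set of names."""
    if op == "=":
        return set(values)
    if op == "+=":
        return current | set(values)
    if op == "-=":
        return current - set(values)
    if op == "!":
        return set()
    raise ValueError(f"unknown list operator {op!r}")


def parse_list_default(line, lists):
    """Update `lists` from a line such as: Defaults env_keep += "DISPLAY HOME"."""
    m = LIST_LINE.match(line)
    if not m:
        raise ValueError(f"not an env list Defaults line: {line!r}")
    negated, name, op, quoted, bare = m.groups()
    if negated:
        op, values = "!", []          # "Defaults !env_check" disables the list
    else:
        values = (quoted if quoted is not None else bare or "").split()
    lists[name] = apply_list_op(lists.get(name, set()), op, values)
    return lists


def filter_environment(env, env_reset, lists):
    """Return the environment a command run through sudo would receive."""
    keep = lists.get("env_keep", set())
    check = lists.get("env_check", set())
    delete = lists.get("env_delete", set())
    result = {}
    for name, value in env.items():
        if name in check:
            # Preserved whether or not env_reset is set, but only when the
            # value passes the % and / check.
            if not UNSAFE_VALUE.search(value):
                result[name] = value
        elif env_reset:
            if name in keep:              # env_reset: only env_keep survives
                result[name] = value
        elif name not in delete:          # no env_reset: env_delete is removed
            result[name] = value
    return result
```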
SUDO.CONF
     The /etc/sudo.conf file determines which plugins the sudo front end
     will load.  If no /etc/sudo.conf file is present, or it contains no
     Plugin lines, sudo will use the sudoers security policy and I/O
     logging, which corresponds to the following /etc/sudo.conf file.

         #
         # Default /etc/sudo.conf file
         #
         # Format:
         #   Plugin plugin_name plugin_path plugin_options ...
         #   Path askpass /path/to/askpass
         #   Path noexec /path/to/sudo_noexec.so
         #   Debug sudo /var/log/sudo_debug all@warn
         #   Set disable_coredump true
         #
         # The plugin_path is relative to /usr/local/libexec unless
         #   fully qualified.
         # The plugin_name corresponds to a global symbol in the plugin
         #   that contains the plugin interface structure.
         # The plugin_options are optional.
         #
         Plugin policy_plugin sudoers.so
         Plugin io_plugin sudoers.so

PLUGIN OPTIONS
     Starting with sudo 1.8.5 it is possible to pass options to the sudoers
     plugin.  Options may be listed after the path to the plugin (i.e. after
     sudoers.so); multiple options should be space-separated.  For example:

         Plugin sudoers_policy sudoers.so sudoers_file=/etc/sudoers sudoers_uid=0 sudoers_gid=0 sudoers_mode=0440

     The following plugin options are supported:

     sudoers_file=pathname
         The sudoers_file option can be used to override the default
         path to the sudoers file.

     sudoers_uid=uid
         The sudoers_uid option can be used to override the default
         owner of the sudoers file.  It should be specified as a
         numeric user ID.

     sudoers_gid=gid
         The sudoers_gid option can be used to override the default
         group of the sudoers file.  It should be specified as a
         numeric group ID.

     sudoers_mode=mode
         The sudoers_mode option can be used to override the default
         file mode for the sudoers file.  It should be specified as an
         octal value.

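     The following is an added example, not part of sudo: a parser for the
     sudo.conf directives shown above (Plugin, Path, Debug, Set) that
     resolves a relative plugin_path against the libexec directory named in
     the sample file and validates the sudoers plugin options (numeric
     sudoers_uid/sudoers_gid, octal sudoers_mode).  The libexec directory is
     taken from the sample comment; a real build may use a different one.
     The sample configuration is constructed from the lines shown above.

```python
import os

DEFAULT_PLUGIN_DIR = "/usr/local/libexec"   # from the sample file's comment

# Constructed sample built from the lines shown above.
SAMPLE_SUDO_CONF = """\
# sudo.conf with sudoers plugin options
Plugin sudoers_policy sudoers.so sudoers_file=/etc/sudoers sudoers_uid=0 sudoers_gid=0 sudoers_mode=0440
Plugin io_plugin sudoers.so
Path noexec /path/to/sudo_noexec.so
Debug sudo /var/log/sudo_debug all@warn
Set disable_coredump true
"""


def parse_plugin_options(opts):
    """Split key=value options, validating the ones the sudoers plugin knows."""
    parsed = {}
    for opt in opts:
        key, sep, value = opt.partition("=")
        if not sep:
            raise ValueError(f"plugin option {opt!r} is not key=value")
        if key in ("sudoers_uid", "sudoers_gid"):
            if not value.isdigit():               # must be a numeric ID
                raise ValueError(f"{key} must be numeric, got {value!r}")
            parsed[key] = int(value)
        elif key == "sudoers_mode":
            parsed[key] = int(value, 8)           # octal, e.g. 0440
        else:
            parsed[key] = value                   # sudoers_file and unknown keys
    return parsed


def parse_sudo_conf(text, plugin_dir=DEFAULT_PLUGIN_DIR):
    """Parse Plugin, Path, Debug and Set directives; '#' lines are comments."""
    conf = {"plugins": [], "paths": {}, "debug": [], "settings": {}}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        kind, *args = line.split()
        if kind == "Plugin" and len(args) >= 2:
            symbol, path, *opts = args
            if not os.path.isabs(path):           # relative to the libexec dir
                path = os.path.join(plugin_dir, path)
            conf["plugins"].append({"symbol": symbol, "path": path,
                                    "options": parse_plugin_options(opts)})
        elif kind == "Path" and len(args) == 2:
            conf["paths"][args[0]] = args[1]
        elif kind == "Debug" and len(args) == 3:
            conf["debug"].append({"program": args[0], "file": args[1],
                                  "flags": args[2]})
        elif kind == "Set" and len(args) == 2:
            conf["settings"][args[0]] = args[1]
        else:
            raise ValueError(f"line {lineno}: cannot parse {raw!r}")
    return conf


def sudoers_mode_is_restrictive(mode):
    """Added sanity check: no write bits for group/other, not world-readable."""
    return mode & 0o022 == 0 and mode & 0o004 == 0
```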
DEBUG FLAGS
     Versions 1.8.4 and higher of the sudoers plugin support a debugging
     framework that can help track down what the plugin is doing internally
     if there is a problem.  This can be configured in the /etc/sudo.conf
     file as described in sudo(1m).

     The sudoers plugin uses the same debug flag format as sudo itself:
     subsystem@priority.

     The priorities used by sudoers, in order of decreasing severity, are:
     crit, err, warn, notice, diag, info, trace and debug.  Each priority,
     when specified, also includes all priorities higher than it.  For
     example, a priority of notice would include debug messages logged at
     notice and higher.

     The following subsystems are used by sudoers:

     alias       User_Alias, Runas_Alias, Host_Alias and Cmnd_Alias processing

     all         matches every subsystem

     audit       BSM and Linux audit code

     auth        user authentication

     defaults    sudoers Defaults settings

     env         environment handling

     ldap        LDAP-based sudoers

     logging     logging support

     match       matching of users, groups, hosts and netgroups in sudoers

     netif       network interface handling

     nss         network service switch handling in sudoers

     parser      sudoers file parsing

     perms       permission setting

     plugin      The equivalent of main for the plugin.

     pty         pseudo-tty related code

     rbtree      red-black tree internals

     util        utility functions

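     The following is an added example, not sudo's own code: it evaluates a
     debug flag specification such as "all@warn,ldap@debug" against the
     priority order and subsystem names listed above, so an administrator
     can predict which messages a Debug line will record.  Comma separation
     between several flags is the sudo.conf convention; the flag strings in
     the test are constructed.

```python
# Priorities in decreasing severity, and the subsystems, as listed above.
PRIORITIES = ["crit", "err", "warn", "notice", "diag", "info", "trace", "debug"]
SUBSYSTEMS = {"alias", "audit", "auth", "defaults", "env", "ldap", "logging",
              "match", "netif", "nss", "parser", "perms", "plugin", "pty",
              "rbtree", "util"}


def parse_debug_flags(spec):
    """Map each subsystem to the least severe priority it will log.

    `spec` is the flags field of a Debug line, e.g. "all@warn,ldap@debug";
    comma separation between flags follows the sudo.conf convention.
    """
    levels = {}
    for flag in spec.split(","):
        subsystem, sep, priority = flag.strip().partition("@")
        if not sep or priority not in PRIORITIES:
            raise ValueError(f"malformed debug flag {flag!r}")
        if subsystem != "all" and subsystem not in SUBSYSTEMS:
            raise ValueError(f"unknown sudoers subsystem {subsystem!r}")
        idx = PRIORITIES.index(priority)
        levels[subsystem] = max(levels.get(subsystem, -1), idx)
    return levels


def would_log(levels, subsystem, priority):
    """True if a message from `subsystem` at `priority` passes the flags.

    A configured priority includes every priority more severe than it, so
    a message passes when its index is at or before the configured one.
    The special subsystem "all" applies to every subsystem.
    """
    limit = max(levels.get("all", -1), levels.get(subsystem, -1))
    return PRIORITIES.index(priority) <= limit
```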
FILES
     /etc/sudo.conf            Sudo front end configuration

     /etc/sudoers              List of who can run what

     /etc/group                Local groups file

     /etc/netgroup             List of network groups

     /var/log/sudo-io          I/O log files

     /var/adm/sudo             Directory containing time stamps for the
                               sudoers security policy

     /etc/environment          Initial environment for -i mode on AIX and
                               Linux systems

EXAMPLES
     Below are example sudoers entries.  Admittedly, some of these are a bit
     contrived.  First, we allow a few environment variables to pass and
     then define our aliases:

         # Run X applications through sudo; HOME is used to find the
         # .Xauthority file.  Note that other programs use HOME to find
         # configuration files and this may lead to privilege escalation!
         Defaults env_keep += "DISPLAY HOME"

         # User alias specification
         User_Alias     FULLTIMERS = millert, mikef, dowdy
         User_Alias     PARTTIMERS = bostley, jwfox, crawl
         User_Alias     WEBMASTERS = will, wendy, wim

         # Runas alias specification
         Runas_Alias    OP = root, operator
         Runas_Alias    DB = oracle, sybase
         Runas_Alias    ADMINGRP = adm, oper

         # Host alias specification
         Host_Alias     SPARC = bigtime, eclipse, moet, anchor :\
                        SGI = grolsch, dandelion, black :\
                        ALPHA = widget, thalamus, foobar :\
                        HPPA = boa, nag, python
         Host_Alias     CUNETS = 128.138.0.0/255.255.0.0
         Host_Alias     CSNETS = 128.138.243.0, 128.138.204.0/24, 128.138.242.0
         Host_Alias     SERVERS = master, mail, www, ns
         Host_Alias     CDROM = orion, perseus, hercules

         # Cmnd alias specification
         Cmnd_Alias     DUMPS = /usr/bin/mt, /usr/sbin/dump, /usr/sbin/rdump,\
                                /usr/sbin/restore, /usr/sbin/rrestore
         Cmnd_Alias     KILL = /usr/bin/kill
         Cmnd_Alias     PRINTING = /usr/sbin/lpc, /usr/bin/lprm
         Cmnd_Alias     SHUTDOWN = /usr/sbin/shutdown
         Cmnd_Alias     HALT = /usr/sbin/halt
         Cmnd_Alias     REBOOT = /usr/sbin/reboot
         Cmnd_Alias     SHELLS = /usr/bin/sh, /usr/bin/csh, /usr/bin/ksh, \
                                 /usr/local/bin/tcsh, /usr/bin/rsh, \
                                 /usr/local/bin/zsh
         Cmnd_Alias     SU = /usr/bin/su
         Cmnd_Alias     PAGERS = /usr/bin/more, /usr/bin/pg, /usr/bin/less

     Here we override some of the compiled-in default values.  We want sudo
     to log via syslog(3) using the auth facility in all cases.  We don't
     want to subject the full time staff to the sudo lecture, user millert
     need not give a password, and we don't want to reset the LOGNAME, USER
     or USERNAME environment variables when running commands as root.
     Additionally, on the machines in the SERVERS Host_Alias, we keep an
     additional local log file and make sure we log the year in each log
     line since the log entries will be kept around for several years.
     Lastly, we disable shell escapes for the commands in the PAGERS
     Cmnd_Alias (/usr/bin/more, /usr/bin/pg and /usr/bin/less).

         # Override built-in defaults
         Defaults               syslog=auth
         Defaults>root          !set_logname
         Defaults:FULLTIMERS    !lecture
         Defaults:millert       !authenticate
         Defaults@SERVERS       log_year, logfile=/var/log/sudo.log
         Defaults!PAGERS        noexec

     The User specification is the part that actually determines who may run
     what.

         root           ALL = (ALL) ALL
         %wheel         ALL = (ALL) ALL

     We let root and any user in group wheel run any command on any host as
     any user.

         FULLTIMERS     ALL = NOPASSWD: ALL

     Full time sysadmins (millert, mikef, and dowdy) may run any command on
     any host without authenticating themselves.

         PARTTIMERS     ALL = ALL

     Part time sysadmins (bostley, jwfox, and crawl) may run any command on
     any host but they must authenticate themselves first (since the entry
     lacks the NOPASSWD tag).

         jack           CSNETS = ALL

     The user jack may run any command on the machines in the CSNETS alias
     (the networks 128.138.243.0, 128.138.204.0, and 128.138.242.0).  Of
     those networks, only 128.138.204.0 has an explicit netmask (in CIDR
     notation) indicating it is a class C network.  For the other networks
     in CSNETS, the local machine's netmask will be used during matching.

         lisa           CUNETS = ALL

     The user lisa may run any command on any host in the CUNETS alias (the
     class B network 128.138.0.0).

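     The following is an added example, not part of sudoers: it shows how the
     three network forms used in the CSNETS and CUNETS aliases (a bare
     address, a CIDR prefix, and a dotted netmask) are matched against a
     host's IP address, and how a bare entry depends on the local machine's
     netmask, which is passed in as a parameter here because sudo reads it
     from the host's interfaces.  The addresses in the test are constructed.

```python
import ipaddress

# Host_Alias network entries from the example above.
CSNETS = ["128.138.243.0", "128.138.204.0/24", "128.138.242.0"]
CUNETS = ["128.138.0.0/255.255.0.0"]


def host_alias_networks(entries, local_netmask):
    """Convert Host_Alias network entries into ip_network objects.

    An entry may carry a CIDR prefix or a dotted netmask; a bare address
    is completed with the local machine's netmask, as sudoers does.
    """
    networks = []
    for entry in entries:
        address, sep, mask = entry.partition("/")
        if not sep:
            mask = local_netmask           # no explicit netmask on this entry
        networks.append(ipaddress.ip_network(f"{address}/{mask}", strict=False))
    return networks


def host_matches(ip, entries, local_netmask):
    """True if `ip` falls inside any network listed in the alias."""
    address = ipaddress.ip_address(ip)
    return any(address in net
               for net in host_alias_networks(entries, local_netmask))
```

     Note that with a class B local netmask the two bare CSNETS entries widen
     to the whole 128.138.0.0/16 network, so the effective rule depends on
     the machine it is evaluated on.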
         operator       ALL = DUMPS, KILL, SHUTDOWN, HALT, REBOOT, PRINTING,\
                        sudoedit /etc/printcap, /usr/oper/bin/

     The operator user may run commands limited to simple maintenance.
     Here, those are commands related to backups, killing processes, the
     printing system, shutting down the system, and any commands in the
     directory /usr/oper/bin/.

         joe            ALL = /usr/bin/su operator

     The user joe may only su(1) to operator.

         pete           HPPA = /usr/bin/passwd [A-Za-z]*, !/usr/bin/passwd root

     The user pete is allowed to change anyone's password except for root on
     the HPPA machines.  Note that this assumes passwd(1) does not take
     multiple user names on the command line.

         %opers         ALL = (: ADMINGRP) /usr/sbin/

     Users in the opers group may run commands in /usr/sbin/ as themselves
     with any group in the ADMINGRP Runas_Alias (the adm and oper groups).

         bob            SPARC = (OP) ALL : SGI = (OP) ALL

     The user bob may run anything on the SPARC and SGI machines as any user
     listed in the OP Runas_Alias (root and operator).

         jim            +biglab = ALL

     The user jim may run any command on machines in the biglab netgroup.
     sudo knows that "biglab" is a netgroup due to the '+' prefix.

         +secretaries   ALL = PRINTING, /usr/bin/adduser, /usr/bin/rmuser

     Users in the secretaries netgroup need to help manage the printers as
     well as add and remove users, so they are allowed to run those commands
     on all machines.

         fred           ALL = (DB) NOPASSWD: ALL

     The user fred can run commands as any user in the DB Runas_Alias
     (oracle or sybase) without giving a password.

         john           ALPHA = /usr/bin/su [!-]*, !/usr/bin/su *root*

     On the ALPHA machines, user john may su to anyone except root but he is
     not allowed to specify any options to the su(1) command.

         jen            ALL, !SERVERS = ALL

     The user jen may run any command on any machine except for those in the
     SERVERS Host_Alias (master, mail, www and ns).

         jill           SERVERS = /usr/bin/, !SU, !SHELLS

     For any machine in the SERVERS Host_Alias, jill may run any commands in
     the directory /usr/bin/ except for those commands belonging to the SU
     and SHELLS Cmnd_Aliases.

         steve          CSNETS = (operator) /usr/local/op_commands/

     The user steve may run any command in the directory
     /usr/local/op_commands/ but only as user operator.

         matt           valkyrie = KILL

     On his personal workstation, valkyrie, matt needs to be able to kill
     hung processes.

         WEBMASTERS     www = (www) ALL, (root) /usr/bin/su www

     On the host www, any user in the WEBMASTERS User_Alias (will, wendy,
     and wim), may run any command as user www (which owns the web pages) or
     simply su(1) to www.

         ALL            CDROM = NOPASSWD: /sbin/umount /CDROM,\
                        /sbin/mount -o nosuid\,nodev /dev/cd0a /CDROM

     Any user may mount or unmount a CD-ROM on the machines in the CDROM
     Host_Alias (orion, perseus, hercules) without entering a password.
     This is a bit tedious for users to type, so it is a prime candidate for
     encapsulating in a shell script.

SECURITY NOTES
   Limitations of the '!' operator
     It is generally not effective to "subtract" commands from ALL using the
     '!' operator.  A user can trivially circumvent this by copying the
     desired command to a different name and then executing that.  For
     example:

         bill        ALL = ALL, !SU, !SHELLS

     This doesn't really prevent bill from running the commands listed in SU
     or SHELLS since he can simply copy those commands to a different name,
     or use a shell escape from an editor or other program.  Therefore,
     these kinds of restrictions should be considered advisory at best (and
     reinforced by policy).

     In general, if a user has sudo ALL there is nothing to prevent them
     from creating their own program that gives them a root shell (or making
     their own copy of a shell) regardless of any '!' elements in the user
     specification.

   Security implications of fast_glob
     If the fast_glob option is in use, it is not possible to reliably
     negate commands where the path name includes globbing (aka wildcard)
     characters.  This is because the C library's fnmatch(3) function cannot
     resolve relative paths.  While this is typically only an inconvenience
     for rules that grant privileges, it can result in a security issue for
     rules that subtract or revoke privileges.

     For example, given the following sudoers entry:

         john   ALL = /usr/bin/passwd [a-zA-Z0-9]*, /usr/bin/chsh [a-zA-Z0-9]*,
                      /usr/bin/chfn [a-zA-Z0-9]*, !/usr/bin/* root

     User john can still run /usr/bin/passwd root if fast_glob is enabled by
     changing to /usr/bin and running ./passwd root instead.

   Preventing Shell Escapes
     Once sudo executes a program, that program is free to do whatever it
     pleases, including run other programs.  This can be a security issue
     since it is not uncommon for a program to allow shell escapes, which
     lets a user bypass sudo's access control and logging.  Common programs
     that permit shell escapes include shells (obviously), editors,
     paginators, mail and terminal programs.

     There are two basic approaches to this problem:

     restrict  Avoid giving users access to commands that allow the user to
               run arbitrary commands.  Many editors have a restricted mode
               where shell escapes are disabled, though sudoedit is a better
               solution to running editors via sudo.  Due to the large
               number of programs that offer shell escapes, restricting
               users to the set of programs that do not is often unworkable.

     noexec    Many systems that support shared libraries have the ability
               to override default library functions by pointing an
               environment variable (usually LD_PRELOAD) to an alternate
               shared library.  On such systems, sudo's noexec functionality
               can be used to prevent a program run by sudo from executing
               any other programs.  Note, however, that this applies only to
               native dynamically-linked executables.  Statically-linked
               executables and foreign executables running under binary
               emulation are not affected.

               The noexec feature is known to work on SunOS, Solaris, *BSD,
               Linux, IRIX, Tru64 UNIX, MacOS X, HP-UX 11.x and AIX 5.3 and
               above.  It should be supported on most operating systems that
               support the LD_PRELOAD environment variable.  Check your
               operating system's manual pages for the dynamic linker
               (usually ld.so, ld.so.1, dyld, dld.sl, rld, or loader) to see
               if LD_PRELOAD is supported.

               On Solaris 10 and higher, noexec uses Solaris privileges
               instead of the LD_PRELOAD environment variable.

               To enable noexec for a command, use the NOEXEC tag as
               documented in the User Specification section above.  Here is
               that example again:

                   aaron  shanty = NOEXEC: /usr/bin/more, /usr/bin/vi

               This allows user aaron to run /usr/bin/more and /usr/bin/vi
               with noexec enabled.  This will prevent those two commands
               from executing other commands (such as a shell).  If you are
               unsure whether or not your system is capable of supporting
               noexec you can always just try it out and check whether shell
               escapes work when noexec is enabled.

     Note that restricting shell escapes is not a panacea.  Programs running
     as root are still capable of many potentially hazardous operations
     (such as changing or overwriting files) that could lead to unintended
     privilege escalation.  In the specific case of an editor, a safer
     approach is to give the user permission to run sudoedit.

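     The following is an added example, not part of sudo: a small audit of
     sudoers text for the three pitfalls described in the security notes
     above, namely '!' entries subtracted from ALL (advisory only), negated
     commands containing glob characters while fast_glob is set, and
     shell-escape-capable programs granted without the NOEXEC tag.  The set
     of shell-escape programs is a constructed illustration, the parser only
     covers the subset of the grammar these checks need (Cmnd_Alias, Defaults
     and simple user specifications), and the sample policy is constructed
     from entries quoted in this section.

```python
import re

# Constructed set of programs the manual names as offering shell escapes
# (shells, su, pagers, an editor); extend it to match the local policy.
SHELL_ESCAPERS = {"/usr/bin/sh", "/usr/bin/csh", "/usr/bin/ksh", "/usr/bin/su",
                  "/usr/bin/more", "/usr/bin/pg", "/usr/bin/less", "/usr/bin/vi"}
GLOB_CHARS = re.compile(r"[*?\[]")
TAG = re.compile(r"^(NOPASSWD|PASSWD|NOEXEC|EXEC|SETENV|NOSETENV):\s*")
COMMA = re.compile(r"(?<!\\),")      # a comma escaped as \, belongs to a command

# Constructed sample made from entries quoted in this section.
SAMPLE_SUDOERS = """\
Defaults fast_glob
Cmnd_Alias SHELLS = /usr/bin/sh, /usr/bin/csh, /usr/bin/ksh
Cmnd_Alias SU = /usr/bin/su
bill  ALL = ALL, !SU, !SHELLS
john  ALL = /usr/bin/passwd [a-zA-Z0-9]*, !/usr/bin/* root
aaron shanty = NOEXEC: /usr/bin/more, /usr/bin/vi
jill  SERVERS = /usr/bin/less
"""


def expand(item, aliases):
    """Resolve a (possibly negated) Cmnd_Alias name into its commands."""
    neg, name = ("!", item[1:]) if item.startswith("!") else ("", item)
    if name not in aliases:
        return [neg + name]
    return [neg + c for sub in aliases[name] for c in expand(sub, aliases)]


def check_spec(user, spec, aliases, fast_glob):
    """Audit one '(runas) TAGS: cmd, cmd' command list for a user."""
    spec = re.sub(r"^\s*\([^)]*\)\s*", "", spec)     # drop the (runas) part
    cmds, noexec, findings = [], False, []
    for item in COMMA.split(spec):
        item = item.strip()
        while (m := TAG.match(item)):                # tags apply to what follows
            if m.group(1) in ("NOEXEC", "EXEC"):
                noexec = m.group(1) == "NOEXEC"
            item = item[m.end():]
        if item:
            cmds += [(c, noexec) for c in expand(item, aliases)]
    negated = [c for c, _ in cmds if c.startswith("!")]
    if any(c == "ALL" for c, _ in cmds) and negated:
        findings.append((user, "advisory_negation", ", ".join(negated)))
    for cmd, has_noexec in cmds:
        path = cmd.lstrip("!").split()[0]
        if cmd.startswith("!") and fast_glob and GLOB_CHARS.search(path):
            findings.append((user, "fast_glob_negation", cmd))
        elif not cmd.startswith("!") and path in SHELL_ESCAPERS and not has_noexec:
            findings.append((user, "shell_escape", cmd))
    return findings


def audit_sudoers(text):
    """Return (user, kind, detail) findings for the pitfalls described above."""
    aliases, fast_glob, findings = {}, False, []
    for line in re.sub(r"\\\n\s*", " ", text).splitlines():   # join continuations
        line = line.split("#", 1)[0].strip()
        if not line or re.match(r"(User|Runas|Host)_Alias\b", line):
            continue
        if line.startswith("Cmnd_Alias"):
            for spec in re.split(r"\s:\s", line[len("Cmnd_Alias"):]):
                name, _, cmnds = spec.partition("=")
                aliases[name.strip()] = [c.strip() for c in COMMA.split(cmnds)]
        elif line.startswith("Defaults"):
            fast_glob = fast_glob or bool(re.search(r"(?<!!)\bfast_glob\b", line))
        else:
            user, _, rhs = line.partition("=")
            parts = re.split(r"\s:\s", rhs)        # "host = ... : host = ..." form
            specs = [parts[0]] + [p.split("=", 1)[1] for p in parts[1:]]
            for spec in specs:
                findings += check_spec(user.split()[0], spec, aliases, fast_glob)
    return findings
```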
   Time stamp file checks
     sudoers will check the ownership of its time stamp directory
     (/var/adm/sudo by default) and ignore the directory's contents if it is
     not owned by root or if it is writable by a user other than root.  On
     systems that allow non-root users to give away files via chown(2), if
     the time stamp directory is located in a world-writable directory
     (e.g., /tmp), it is possible for a user to create the time stamp
     directory before sudo is run.  However, because sudoers checks the
     ownership and mode of the directory and its contents, the only damage
     that can be done is to "hide" files by putting them in the time stamp
     directory.  This is unlikely to happen since once the time stamp
     directory is owned by root and inaccessible by any other user, the user
     placing files there would be unable to get them back out.

     sudoers will not honor time stamps set far in the future.  Time stamps
     with a date greater than current_time + 2 * TIMEOUT will be ignored and
     sudo will log and complain.  This is done to keep a user from creating
     his/her own time stamp with a bogus date on systems that allow users to
     give away files if the time stamp directory is located in a world-
     writable directory.

     On systems where the boot time is available, sudoers will ignore time
     stamps that date from before the machine booted.

     Since time stamp files live in the file system, they can outlive a
     user's login session.  As a result, a user may be able to log in, run a
     command with sudo after authenticating, log out, log in again, and run
     sudo without authenticating so long as the time stamp file's
     modification time is within 5 minutes (or whatever the timeout is set
     to in sudoers).  When the tty_tickets option is enabled, the time stamp
     has per-tty granularity but still may outlive the user's session.  On
     Linux systems where the devpts filesystem is used, Solaris systems with
     the devices filesystem, as well as other systems that utilize a devfs
     filesystem that monotonically increases the inode number of devices as
     they are created (such as Mac OS X), sudoers is able to determine when
     a tty-based time stamp file is stale and will ignore it.
     Administrators should not rely on this feature as it is not universally
     available.

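     The following is an added example, not sudo's implementation: the
     acceptance rules for a time stamp described above (directory owned by
     root and writable only by root, modification time not beyond
     current_time + 2 * TIMEOUT, not before boot, and within the timeout)
     expressed as functions.  The 5 minute TIMEOUT is the default from the
     text; the clock values in the test are constructed.

```python
import os
import stat

TIMEOUT = 5 * 60        # default time stamp timeout of 5 minutes, in seconds


def timestamp_dir_is_trusted(path):
    """The directory's contents are ignored unless root owns it and nobody
    but root can write to it."""
    st = os.stat(path)
    return (stat.S_ISDIR(st.st_mode) and st.st_uid == 0
            and not (st.st_mode & (stat.S_IWGRP | stat.S_IWOTH)))


def timestamp_state(mtime, now, boot_time=None, timeout=TIMEOUT):
    """Classify a time stamp by its modification time, most severe check first."""
    if mtime > now + 2 * timeout:
        return "future"            # bogus date: ignored, and sudo logs a complaint
    if boot_time is not None and mtime < boot_time:
        return "pre-boot"          # older than the running system: ignored
    if now - mtime > timeout:
        return "expired"           # the user must authenticate again
    return "valid"


def check_timestamp(ts_dir, ts_file, now, boot_time=None, timeout=TIMEOUT):
    """Combine both checks for a time stamp file inside the directory."""
    if not timestamp_dir_is_trusted(ts_dir):
        return "untrusted-dir"
    try:
        mtime = os.stat(os.path.join(ts_dir, ts_file)).st_mtime
    except FileNotFoundError:
        return "missing"
    return timestamp_state(mtime, now, boot_time, timeout)
```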
SEE ALSO
     rsh(1), su(1), fnmatch(3), glob(3), mktemp(3), strftime(3),
     sudoers.ldap(4), sudo_plugin(1m), sudo(1m), visudo(1m)

CAVEATS
     The sudoers file should always be edited by the visudo command which
     locks the file and does grammatical checking.  It is imperative that
     sudoers be free of syntax errors since sudo will not run with a
     syntactically incorrect sudoers file.

     When using netgroups of machines (as opposed to users), if you store
     fully qualified host names in the netgroup (as is usually the case), you
     either need to have the machine's host name be fully qualified as
     returned by the hostname command or use the fqdn option in sudoers.

BUGS
     If you feel you have found a bug in sudo, please submit a bug report at
     http://www.sudo.ws/sudo/bugs/

SUPPORT
     Limited free support is available via the sudo-users mailing list, see
     http://www.sudo.ws/mailman/listinfo/sudo-users to subscribe or search
     the archives.

DISCLAIMER
     sudo is provided ``AS IS'' and any express or implied warranties,
     including, but not limited to, the implied warranties of
     merchantability and fitness for a particular purpose are disclaimed.
     See the LICENSE file distributed with sudo or
     http://www.sudo.ws/sudo/license.html for complete details.



1.8.5                            March 28, 2012                     SUDOERS(4)