Annotation of embedaddon/sudo/doc/sudoers.cat, revision 1.1.1.3
SUDOERS(4)                   Programmer's Manual                    SUDOERS(4)

NAME
     sudoers - default sudo security policy module

DESCRIPTION
     The sudoers policy module determines a user's sudo privileges. It is the
     default sudo policy plugin. The policy is driven by the /etc/sudoers
     file or, optionally, in LDAP. The policy format is described in detail in
     the SUDOERS FILE FORMAT section. For information on storing sudoers
     policy information in LDAP, please see sudoers.ldap(4).

   Authentication and logging
     The sudoers security policy requires that most users authenticate
     themselves before they can use sudo. A password is not required if the
     invoking user is root, if the target user is the same as the invoking
     user, or if the policy has disabled authentication for the user or
     command. Unlike su(1), when sudoers requires authentication, it
     validates the invoking user's credentials, not the target user's (or
     root's) credentials. This can be changed via the rootpw, targetpw and
     runaspw flags, described later.

     If a user who is not listed in the policy tries to run a command via
     sudo, mail is sent to the proper authorities. The address used for such
     mail is configurable via the mailto Defaults entry (described later) and
     defaults to root.

     Note that mail will not be sent if an unauthorized user tries to run sudo
     with the -l or -v option. This allows users to determine for themselves
     whether or not they are allowed to use sudo.

     If sudo is run by root and the SUDO_USER environment variable is set, the
     sudoers policy will use this value to determine who the actual user is.
     This can be used by a user to log commands through sudo even when a root
     shell has been invoked. It also allows the -e option to remain useful
     even when invoked via a sudo-run script or program. Note, however, that
     the sudoers lookup is still done for root, not the user specified by
     SUDO_USER.

     sudoers uses time stamp files for credential caching. Once a user has
     been authenticated, the time stamp is updated and the user may then use
     sudo without a password for a short period of time (5 minutes unless
     overridden by the timeout option). By default, sudoers uses a tty-based
     time stamp, which means that there is a separate time stamp for each of a
     user's login sessions. The tty_tickets option can be disabled to force
     the use of a single time stamp for all of a user's sessions.

     sudoers can log both successful and unsuccessful attempts (as well as
     errors) to syslog(3), a log file, or both. By default, sudoers will log
     via syslog(3), but this is changeable via the syslog and logfile Defaults
     settings.

     sudoers also supports logging a command's input and output streams. I/O
     logging is not on by default but can be enabled using the log_input and
     log_output Defaults flags as well as the LOG_INPUT and LOG_OUTPUT command
     tags.

   Command environment
     Since environment variables can influence program behavior, sudoers
     provides a means to restrict which variables from the user's environment
     are inherited by the command to be run. There are two distinct ways
     sudoers can deal with environment variables.

     By default, the env_reset option is enabled. This causes commands to be
     executed with a new, minimal environment. On AIX (and Linux systems
     without PAM), the environment is initialized with the contents of the
     /etc/environment file. On BSD systems, if the use_loginclass option is
     enabled, the environment is initialized based on the path and setenv
     settings in /etc/login.conf. The new environment contains the TERM,
     PATH, HOME, MAIL, SHELL, LOGNAME, USER, USERNAME and SUDO_* variables in
     addition to variables from the invoking process permitted by the
     env_check and env_keep options. This is effectively a whitelist for
     environment variables.

     If, however, the env_reset option is disabled, any variables not
     explicitly denied by the env_check and env_delete options are inherited
     from the invoking process. In this case, env_check and env_delete behave
     like a blacklist. Since it is not possible to blacklist all potentially
     dangerous environment variables, use of the default env_reset behavior is
     encouraged.

     In all cases, environment variables with a value beginning with () are
     removed as they could be interpreted as bash functions. The list of
     environment variables that sudo allows or denies is contained in the
     output of ``sudo -V'' when run as root.

     Note that the dynamic linker on most operating systems will remove
     variables that can control dynamic linking from the environment of setuid
     executables, including sudo. Depending on the operating system this may
     include _RLD*, DYLD_*, LD_*, LDR_*, LIBPATH, SHLIB_PATH, and others.
     These types of variables are removed from the environment before sudo even
     begins execution and, as such, it is not possible for sudo to preserve
     them.

     As a special case, if sudo's -i option (initial login) is specified,
     sudoers will initialize the environment regardless of the value of
     env_reset. The DISPLAY, PATH and TERM variables remain unchanged; HOME,
     MAIL, SHELL, USER, and LOGNAME are set based on the target user. On AIX
     (and Linux systems without PAM), the contents of /etc/environment are
     also included. On BSD systems, if the use_loginclass option is enabled,
     the path and setenv variables in /etc/login.conf are also applied. All
     other environment variables are removed.

     Finally, if the env_file option is defined, any variables present in that
     file will be set to their specified values as long as they would not
     conflict with an existing environment variable.
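     The following Python is an added illustration written for this page, not
     sudo's own code. It models the two modes just described on one
     constructed environment: env_reset with its whitelist (the minimal set,
     SUDO_*, env_keep and a clean env_check value) and env_reset disabled with
     its blacklist (env_delete and env_check only). The env_check semantic it
     applies, keeping a checked variable only when its value contains neither
     `%' nor `/', is the documented meaning of that option; the policy lists,
     variable names and values below are constructed for the demonstration,
     and name patterns support only a trailing `*'.

```python
# Added example (not sudo's own code): a model of sudoers environment handling.
# The env_check rule (value must contain neither '%' nor '/') is the documented
# one; the lists and values below are constructed for the demonstration.

ALWAYS_KEPT = {"TERM", "PATH", "HOME", "MAIL", "SHELL", "LOGNAME", "USER", "USERNAME"}


def _name_matches(name, patterns):
    """True if name matches one of the patterns, e.g. ["LANG", "LC_*"]."""
    for pat in patterns:
        if pat.endswith("*") and name.startswith(pat[:-1]):
            return True
        if name == pat:
            return True
    return False


def _passes_check(value):
    """env_check rule: the variable is kept only if its value has no '%' or '/'."""
    return "%" not in value and "/" not in value


def filter_environment(env, env_reset=True, env_keep=(), env_check=(), env_delete=()):
    """Return the environment the command would receive under the given policy."""
    result = {}
    for name, value in env.items():
        if value.startswith("()"):
            # In all cases a value starting with "()" is dropped: a shell could
            # import it as a bash function.
            continue
        if env_reset:
            # Whitelist: the minimal set, SUDO_*, env_keep, and env_check if clean.
            keep = (name in ALWAYS_KEPT or name.startswith("SUDO_")
                    or _name_matches(name, env_keep)
                    or (_name_matches(name, env_check) and _passes_check(value)))
        else:
            # Blacklist: everything is inherited unless env_delete names it or
            # env_check names it and the value is unclean.
            keep = not (_name_matches(name, env_delete)
                        or (_name_matches(name, env_check) and not _passes_check(value)))
        if keep:
            result[name] = value
    return result


# Constructed invoking environment (not captured from a real system).
SAMPLE_ENV = {
    "PATH": "/usr/bin:/bin",
    "HOME": "/home/alice",
    "USER": "alice",
    "SUDO_USER": "alice",
    "LANG": "en_US.UTF-8",
    "TZ": "../../tmp/zoneinfo",             # a checked variable with a '/' in it
    "PERL5LIB": "/tmp/untrusted",           # a variable the blacklist names
    "UNLISTED_LIB_PATH": "/opt/untrusted",  # on no list at all
    "BASH_FUNC_ls%%": "() { echo hi; }",    # an exported bash function
}

# Constructed policy lists for the demonstration.
POLICY = {"env_keep": ["LANG", "LC_*"], "env_check": ["TZ"], "env_delete": ["PERL5LIB"]}


def whitelist_result():
    """Environment under the default env_reset behaviour."""
    return filter_environment(SAMPLE_ENV, env_reset=True,
                              env_keep=POLICY["env_keep"], env_check=POLICY["env_check"])


def blacklist_result():
    """Environment with env_reset disabled: only listed variables are removed."""
    return filter_environment(SAMPLE_ENV, env_reset=False,
                              env_check=POLICY["env_check"], env_delete=POLICY["env_delete"])


if __name__ == "__main__":
    print("env_reset on :", sorted(whitelist_result()))
    print("env_reset off:", sorted(blacklist_result()))
```

     Comparing the two results shows the point the text makes: the unlisted
     library-path variable survives only in blacklist mode, because a blacklist
     can only remove what someone thought to name.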

SUDOERS FILE FORMAT
     The sudoers file is composed of two types of entries: aliases (basically
     variables) and user specifications (which specify who may run what).

     When multiple entries match for a user, they are applied in order. Where
     there are multiple matches, the last match is used (which is not
     necessarily the most specific match).

     The sudoers grammar will be described below in Extended Backus-Naur Form
     (EBNF). Don't despair if you are unfamiliar with EBNF; it is fairly
     simple, and the definitions below are annotated.

   Quick guide to EBNF
     EBNF is a concise and exact way of describing the grammar of a language.
     Each EBNF definition is made up of production rules. E.g.,

           symbol ::= definition | alternate1 | alternate2 ...

     Each production rule references others and thus makes up a grammar for
     the language. EBNF also contains the following operators, which many
     readers will recognize from regular expressions. Do not, however,
     confuse them with ``wildcard'' characters, which have different meanings.

     ?     Means that the preceding symbol (or group of symbols) is optional.
           That is, it may appear once or not at all.

     *     Means that the preceding symbol (or group of symbols) may appear
           zero or more times.

     +     Means that the preceding symbol (or group of symbols) may appear
           one or more times.

     Parentheses may be used to group symbols together. For clarity, we will
     use single quotes ('') to designate what is a verbatim character string
     (as opposed to a symbol name).

   Aliases
     There are four kinds of aliases: User_Alias, Runas_Alias, Host_Alias and
     Cmnd_Alias.

           Alias ::= 'User_Alias'  User_Alias (':' User_Alias)* |
                     'Runas_Alias' Runas_Alias (':' Runas_Alias)* |
                     'Host_Alias'  Host_Alias (':' Host_Alias)* |
                     'Cmnd_Alias'  Cmnd_Alias (':' Cmnd_Alias)*

           User_Alias ::= NAME '=' User_List

           Runas_Alias ::= NAME '=' Runas_List

           Host_Alias ::= NAME '=' Host_List

           Cmnd_Alias ::= NAME '=' Cmnd_List

           NAME ::= [A-Z]([A-Z][0-9]_)*

     Each alias definition is of the form

           Alias_Type NAME = item1, item2, ...

     where Alias_Type is one of User_Alias, Runas_Alias, Host_Alias, or
     Cmnd_Alias. A NAME is a string of uppercase letters, numbers, and
     underscore characters (`_'). A NAME must start with an uppercase letter.
     It is possible to put several alias definitions of the same type on a
     single line, joined by a colon (`:'). E.g.,

           Alias_Type NAME = item1, item2, item3 : NAME = item4, item5

     The definitions of what constitutes a valid alias member follow.

           User_List ::= User |
                         User ',' User_List

           User ::= '!'* user name |
                    '!'* #uid |
                    '!'* %group |
                    '!'* %#gid |
                    '!'* +netgroup |
                    '!'* %:nonunix_group |
                    '!'* %:#nonunix_gid |
                    '!'* User_Alias

     A User_List is made up of one or more user names, user ids (prefixed with
     `#'), system group names and ids (prefixed with `%' and `%#'
     respectively), netgroups (prefixed with `+'), non-Unix group names and
     IDs (prefixed with `%:' and `%:#' respectively) and User_Aliases. Each
     list item may be prefixed with zero or more `!' operators. An odd number
     of `!' operators negates the value of the item; an even number of `!'
     operators cancel each other out.

     A user name, uid, group, gid, netgroup, nonunix_group or nonunix_gid may
     be enclosed in double quotes to avoid the need for escaping special
     characters. Alternately, special characters may be specified in escaped
     hex mode, e.g. \x20 for space. When using double quotes, any prefix
     characters must be included inside the quotes.

     The actual nonunix_group and nonunix_gid syntax depends on the underlying
     group provider plugin (see the group_plugin description below). For
     instance, the QAS AD plugin supports the following formats:

     o   Group in the same domain: "%:Group Name"

     o   Group in any domain: "%:Group Name@FULLY.QUALIFIED.DOMAIN"

     o   Group SID: "%:S-1-2-34-5678901234-5678901234-5678901234-567"

     Note that quotes around group names are optional. Unquoted strings must
     use a backslash (`\') to escape spaces and special characters. See Other
     special characters and reserved words for a list of characters that need
     to be escaped.
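     As an added example (written for this page, not sudo's own parser), the
     Python below parses a User_List according to the rules above: it counts
     the `!' prefixes (an odd count negates the item), takes double-quoted
     items literally with the prefix inside the quotes, resolves backslash
     and \xHH hex escapes in unquoted items, and classifies each member by
     its prefix, treating an all-uppercase NAME as a User_Alias reference.
     The sample list is constructed for the demonstration.

```python
import re

# Added example (not sudo's own code): a parser for the User_List grammar.
# The sample list at the bottom is constructed for the demonstration.

ALIAS_NAME = re.compile(r"[A-Z][A-Z0-9_]*$")     # NAME ::= [A-Z]([A-Z][0-9]_)*

# Longest prefixes first so "%:#" is not mistaken for "%".
PREFIXES = [("%:#", "nonunix_gid"), ("%:", "nonunix_group"), ("%#", "gid"),
            ("%", "group"), ("#", "uid"), ("+", "netgroup")]


def _split_items(text):
    """Split a list on commas that are neither escaped nor inside double quotes."""
    items, cur, quoted, i = [], [], False, 0
    while i < len(text):
        c = text[i]
        if c == "\\" and i + 1 < len(text):       # keep escapes intact for now
            cur.append(text[i:i + 2])
            i += 2
            continue
        if c == '"':
            quoted = not quoted
        elif c == "," and not quoted:
            items.append("".join(cur))
            cur = []
            i += 1
            continue
        cur.append(c)
        i += 1
    items.append("".join(cur))
    return [item.strip() for item in items if item.strip()]


def _unescape(text):
    """Resolve \\xHH hex escapes and backslash-escaped characters."""
    out, i = [], 0
    while i < len(text):
        if text[i] == "\\" and i + 1 < len(text):
            hexpart = text[i + 2:i + 4]
            if text[i + 1] == "x" and re.fullmatch(r"[0-9A-Fa-f]{2}", hexpart):
                out.append(chr(int(hexpart, 16)))
                i += 4
            else:
                out.append(text[i + 1])
                i += 2
            continue
        out.append(text[i])
        i += 1
    return "".join(out)


def parse_user_list(text):
    """Return one dict per member: {"negated": bool, "kind": str, "value": str}."""
    members = []
    for item in _split_items(text):
        bangs = 0
        while item.startswith("!"):
            bangs += 1
            item = item[1:].lstrip()
        if len(item) >= 2 and item[0] == '"' and item[-1] == '"':
            body = item[1:-1]                      # quoted: taken literally
        else:
            body = _unescape(item)
        kind, value = "user", body
        for prefix, prefix_kind in PREFIXES:
            if body.startswith(prefix):
                kind, value = prefix_kind, body[len(prefix):]
                break
        if kind == "user" and ALIAS_NAME.match(body):
            kind = "User_Alias"                    # uppercase NAME: an alias reference
        members.append({"negated": bangs % 2 == 1, "kind": kind, "value": value})
    return members


# Constructed sample covering each member form and the escaping rules.
SAMPLE = 'alice, !!#0, !%wheel, "%:Domain Admins", Domain\\x20Users, +ops, ADMINS'


def demo():
    return parse_user_list(SAMPLE)


if __name__ == "__main__":
    for m in demo():
        print("!" if m["negated"] else " ", m["kind"].ljust(14), m["value"])
```

     Note that `!!#0' comes out not negated (two operators cancel) while
     `!%wheel' does, and that the quoted "%:Domain Admins" keeps its prefix
     because the prefix sits inside the quotes.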

           Runas_List ::= Runas_Member |
                          Runas_Member ',' Runas_List

           Runas_Member ::= '!'* user name |
                            '!'* #uid |
                            '!'* %group |
                            '!'* %#gid |
                            '!'* %:nonunix_group |
                            '!'* %:#nonunix_gid |
                            '!'* +netgroup |
                            '!'* Runas_Alias

     A Runas_List is similar to a User_List except that instead of
     User_Aliases it can contain Runas_Aliases. Note that user names and
     groups are matched as strings. In other words, two users (groups) with
     the same uid (gid) are considered to be distinct. If you wish to match
     all user names with the same uid (e.g. root and toor), you can use a uid
     instead (#0 in the example given).

           Host_List ::= Host |
                         Host ',' Host_List

           Host ::= '!'* host name |
                    '!'* ip_addr |
                    '!'* network(/netmask)? |
                    '!'* +netgroup |
                    '!'* Host_Alias

     A Host_List is made up of one or more host names, IP addresses, network
     numbers, netgroups (prefixed with `+') and other aliases. Again, the
     value of an item may be negated with the `!' operator. If you do not
     specify a netmask along with the network number, sudo will query each of
     the local host's network interfaces and, if the network number
     corresponds to one of the host's network interfaces, the corresponding
     netmask will be used. The netmask may be specified either in standard IP
     address notation (e.g. 255.255.255.0 or ffff:ffff:ffff:ffff::), or CIDR
     notation (number of bits, e.g. 24 or 64). A host name may include
     shell-style wildcards (see the Wildcards section below), but unless the
     hostname command on your machine returns the fully qualified host name,
     you'll need to use the fqdn option for wildcards to be useful. Note that
     sudo only inspects actual network interfaces; this means that IP address
     127.0.0.1 (localhost) will never match. Also, the host name
     ``localhost'' will only match if that is the actual host name, which is
     usually only the case for non-networked systems.

           Cmnd_List ::= Cmnd |
                         Cmnd ',' Cmnd_List

           command name ::= file name |
                            file name args |
                            file name '""'

           Cmnd ::= '!'* command name |
                    '!'* directory |
                    '!'* "sudoedit" |
                    '!'* Cmnd_Alias

     A Cmnd_List is a list of one or more command names, directories, and
     other aliases. A command name is a fully qualified file name which may
     include shell-style wildcards (see the Wildcards section below). A
     simple file name allows the user to run the command with any arguments
     he/she wishes. However, you may also specify command line arguments
     (including wildcards). Alternately, you can specify "" to indicate that
     the command may only be run without command line arguments. A directory
     is a fully qualified path name ending in a `/'. When you specify a
     directory in a Cmnd_List, the user will be able to run any file within
     that directory (but not in any sub-directories therein).

     If a Cmnd has associated command line arguments, then the arguments in
     the Cmnd must match exactly those given by the user on the command line
     (or match the wildcards if there are any). Note that the following
     characters must be escaped with a `\' if they are used in command
     arguments: `,', `:', `=', `\'. The special command ``sudoedit'' is used
     to permit a user to run sudo with the -e option (or as sudoedit). It may
     take command line arguments just as a normal command does.

   Defaults
     Certain configuration options may be changed from their default values at
     run-time via one or more Default_Entry lines. These may affect all users
     on any host, all users on a specific host, a specific user, a specific
     command, or commands being run as a specific user. Note that per-command
     entries may not include command line arguments. If you need to specify
     arguments, define a Cmnd_Alias and reference that instead.

           Default_Type ::= 'Defaults' |
                            'Defaults' '@' Host_List |
                            'Defaults' ':' User_List |
                            'Defaults' '!' Cmnd_List |
                            'Defaults' '>' Runas_List

           Default_Entry ::= Default_Type Parameter_List

           Parameter_List ::= Parameter |
                              Parameter ',' Parameter_List

           Parameter ::= Parameter '=' Value |
                         Parameter '+=' Value |
                         Parameter '-=' Value |
                         '!'* Parameter

     Parameters may be flags, integer values, strings, or lists. Flags are
     implicitly boolean and can be turned off via the `!' operator. Some
     integer, string and list parameters may also be used in a boolean context
     to disable them. Values may be enclosed in double quotes ("") when they
     contain multiple words. Special characters may be escaped with a
     backslash (`\').

     Lists have two additional assignment operators, += and -=. These
     operators are used to add to and delete from a list respectively. It is
     not an error to use the -= operator to remove an element that does not
     exist in a list.

     Defaults entries are parsed in the following order: generic, host and
     user Defaults first, then runas Defaults and finally command defaults.

     See SUDOERS OPTIONS for a list of supported Defaults parameters.

   User specification
           User_Spec ::= User_List Host_List '=' Cmnd_Spec_List \
                         (':' Host_List '=' Cmnd_Spec_List)*

           Cmnd_Spec_List ::= Cmnd_Spec |
                              Cmnd_Spec ',' Cmnd_Spec_List

           Cmnd_Spec ::= Runas_Spec? SELinux_Spec? Solaris_Priv_Spec? Tag_Spec* Cmnd

           Runas_Spec ::= '(' Runas_List? (':' Runas_List)? ')'

           SELinux_Spec ::= ('ROLE=role' | 'TYPE=type')

           Solaris_Priv_Spec ::= ('PRIVS=privset' | 'LIMITPRIVS=privset')

           Tag_Spec ::= ('NOPASSWD:' | 'PASSWD:' | 'NOEXEC:' | 'EXEC:' |
                         'SETENV:' | 'NOSETENV:' | 'LOG_INPUT:' | 'NOLOG_INPUT:' |
                         'LOG_OUTPUT:' | 'NOLOG_OUTPUT:')

     A user specification determines which commands a user may run (and as
     what user) on specified hosts. By default, commands are run as root, but
     this can be changed on a per-command basis.

     The basic structure of a user specification is ``who where = (as_whom)
     what''. Let's break that down into its constituent parts:

   Runas_Spec
     A Runas_Spec determines the user and/or the group that a command may be
     run as. A fully-specified Runas_Spec consists of two Runas_Lists (as
     defined above) separated by a colon (`:') and enclosed in a set of
     parentheses. The first Runas_List indicates which users the command may
     be run as via sudo's -u option. The second defines a list of groups that
     can be specified via sudo's -g option. If both Runas_Lists are
     specified, the command may be run with any combination of users and
     groups listed in their respective Runas_Lists. If only the first is
     specified, the command may be run as any user in the list but no -g
     option may be specified. If the first Runas_List is empty but the second
     is specified, the command may be run as the invoking user with the group
     set to any listed in the Runas_List. If both Runas_Lists are empty, the
     command may only be run as the invoking user. If no Runas_Spec is
     specified the command may be run as root and no group may be specified.

     A Runas_Spec sets the default for the commands that follow it. What this
     means is that for the entry:

           dgb boulder = (operator) /bin/ls, /bin/kill, /usr/bin/lprm

     The user dgb may run /bin/ls, /bin/kill, and /usr/bin/lprm--but only as
     operator. E.g.,

           $ sudo -u operator /bin/ls

     It is also possible to override a Runas_Spec later on in an entry. If we
     modify the entry like so:

           dgb boulder = (operator) /bin/ls, (root) /bin/kill, /usr/bin/lprm

     Then user dgb is now allowed to run /bin/ls as operator, but /bin/kill
     and /usr/bin/lprm as root.

     We can extend this to allow dgb to run /bin/ls with either the user or
     group set to operator:

           dgb boulder = (operator : operator) /bin/ls, (root) /bin/kill,\
                 /usr/bin/lprm

     Note that while the group portion of the Runas_Spec permits the user to
     run the command with that group, it does not force the user to do so. If
     no group is specified on the command line, the command will run with the
     group listed in the target user's password database entry. The following
     would all be permitted by the sudoers entry above:

           $ sudo -u operator /bin/ls
           $ sudo -u operator -g operator /bin/ls
           $ sudo -g operator /bin/ls

     In the following example, user tcm may run commands that access a modem
     device file with the dialer group.

           tcm boulder = (:dialer) /usr/bin/tip, /usr/bin/cu,\
                 /usr/local/bin/minicom

     Note that in this example only the group will be set, the command still
     runs as user tcm. E.g.

           $ sudo -g dialer /usr/bin/cu

     Multiple users and groups may be present in a Runas_Spec, in which case
     the user may select any combination of users and groups via the -u and -g
     options. In this example:

           alan ALL = (root, bin : operator, system) ALL

     user alan may run any command as either user root or bin, optionally
     setting the group to operator or system.

   SELinux_Spec
     On systems with SELinux support, sudoers entries may optionally have an
     SELinux role and/or type associated with a command. If a role or type is
     specified with the command it will override any default values specified
     in sudoers. A role or type specified on the command line, however, will
     supersede the values in sudoers.

   Solaris_Priv_Spec
     On Solaris systems, sudoers entries may optionally specify a Solaris
     privilege set and/or limit privilege set associated with a command. If
     privileges or limit privileges are specified with the command it will
     override any default values specified in sudoers.

     A privilege set is a comma-separated list of privilege names. The
     ppriv(1) command can be used to list all privileges known to the system.
     For example:

           $ ppriv -l

     In addition, there are several ``special'' privilege strings:

     none      the empty set

     all       the set of all privileges

     zone      the set of all privileges available in the current zone

     basic     the default set of privileges normal users are granted at login
               time

     Privileges can be excluded from a set by prefixing the privilege name
     with either an `!' or `-' character.

   Tag_Spec
     A command may have zero or more tags associated with it. There are ten
     possible tag values: NOPASSWD, PASSWD, NOEXEC, EXEC, SETENV, NOSETENV,
     LOG_INPUT, NOLOG_INPUT, LOG_OUTPUT and NOLOG_OUTPUT. Once a tag is set
     on a Cmnd, subsequent Cmnds in the Cmnd_Spec_List inherit the tag unless
     it is overridden by the opposite tag (in other words, PASSWD overrides
     NOPASSWD and NOEXEC overrides EXEC).

     NOPASSWD and PASSWD

     By default, sudo requires that a user authenticate him or herself before
     running a command. This behavior can be modified via the NOPASSWD tag.
     Like a Runas_Spec, the NOPASSWD tag sets a default for the commands that
     follow it in the Cmnd_Spec_List. Conversely, the PASSWD tag can be used
     to reverse things. For example:

           ray rushmore = NOPASSWD: /bin/kill, /bin/ls, /usr/bin/lprm

     would allow the user ray to run /bin/kill, /bin/ls, and /usr/bin/lprm as
     root on the machine rushmore without authenticating himself. If we only
     want ray to be able to run /bin/kill without a password the entry would
     be:

           ray rushmore = NOPASSWD: /bin/kill, PASSWD: /bin/ls, /usr/bin/lprm

     Note, however, that the PASSWD tag has no effect on users who are in the
     group specified by the exempt_group option.

     By default, if the NOPASSWD tag is applied to any of the entries for a
     user on the current host, he or she will be able to run ``sudo -l''
     without a password. Additionally, a user may only run ``sudo -v''
     without a password if the NOPASSWD tag is present for all of a user's
     entries that pertain to the current host. This behavior may be
     overridden via the verifypw and listpw options.
! 497: overridden via the _v_e_r_i_f_y_p_w and _l_i_s_t_p_w options.
1.1 misho 498:
1.1.1.3 ! misho 499: _N_O_E_X_E_C _a_n_d _E_X_E_C
1.1 misho 500:
1.1.1.3 ! misho 501: If ssuuddoo has been compiled with _n_o_e_x_e_c support and the underlying
! 502: operating system supports it, the NOEXEC tag can be used to prevent a
! 503: dynamically-linked executable from running further commands itself.
1.1 misho 504:
1.1.1.3 ! misho 505: In the following example, user aaaarroonn may run _/_u_s_r_/_b_i_n_/_m_o_r_e and
! 506: _/_u_s_r_/_b_i_n_/_v_i but shell escapes will be disabled.
1.1 misho 507:
1.1.1.3 ! misho 508: aaron shanty = NOEXEC: /usr/bin/more, /usr/bin/vi
1.1 misho 509:
1.1.1.3 ! misho 510: See the _P_r_e_v_e_n_t_i_n_g _s_h_e_l_l _e_s_c_a_p_e_s section below for more details on how
! 511: NOEXEC works and whether or not it will work on your system.
1.1 misho 512:
1.1.1.3 ! misho 513: _S_E_T_E_N_V _a_n_d _N_O_S_E_T_E_N_V
1.1 misho 514:
1.1.1.3 ! misho 515: These tags override the value of the _s_e_t_e_n_v option on a per-command
! 516: basis. Note that if SETENV has been set for a command, the user may
! 517: disable the _e_n_v___r_e_s_e_t option from the command line via the --EE option.
! 518: Additionally, environment variables set on the command line are not
! 519: subject to the restrictions imposed by _e_n_v___c_h_e_c_k, _e_n_v___d_e_l_e_t_e, or
! 520: _e_n_v___k_e_e_p. As such, only trusted users should be allowed to set variables
! 521: in this manner. If the command matched is AALLLL, the SETENV tag is implied
! 522: for that command; this default may be overridden by use of the NOSETENV
! 523: tag.
1.1 misho 524:
1.1.1.3 ! misho 525: _L_O_G___I_N_P_U_T _a_n_d _N_O_L_O_G___I_N_P_U_T
1.1 misho 526:
1.1.1.3 ! misho 527: These tags override the value of the _l_o_g___i_n_p_u_t option on a per-command
! 528: basis. For more information, see the description of _l_o_g___i_n_p_u_t in the
! 529: _S_U_D_O_E_R_S _O_P_T_I_O_N_S section below.
1.1 misho 530:
1.1.1.3 ! misho 531: _L_O_G___O_U_T_P_U_T _a_n_d _N_O_L_O_G___O_U_T_P_U_T
1.1 misho 532:
1.1.1.3 ! misho 533: These tags override the value of the _l_o_g___o_u_t_p_u_t option on a per-command
! 534: basis. For more information, see the description of _l_o_g___o_u_t_p_u_t in the
! 535: _S_U_D_O_E_R_S _O_P_T_I_O_N_S section below.
1.1 misho 536:
537: WWiillddccaarrddss
1.1.1.3 ! misho 538: ssuuddoo allows shell-style _w_i_l_d_c_a_r_d_s (aka meta or glob characters) to be
! 539: used in host names, path names and command line arguments in the _s_u_d_o_e_r_s
! 540: file. Wildcard matching is done via the PPOOSSIIXX glob(3) and fnmatch(3)
! 541: routines. Note that these are _n_o_t regular expressions.
! 542:
! 543: * Matches any set of zero or more characters.
! 544:
! 545: ? Matches any single character.
! 546:
! 547: [...] Matches any character in the specified range.
! 548:
! 549: [!...] Matches any character nnoott in the specified range.
1.1 misho 550:
1.1.1.3 ! misho 551: \x For any character `x', evaluates to `x'. This is used to
! 552: escape special characters such as: `*', `?', `[', and `]'.
1.1 misho 553:
1.1.1.3 ! misho 554: POSIX character classes may also be used if your system's glob(3) and
! 555: fnmatch(3) functions support them. However, because the `:' character
! 556: has special meaning in _s_u_d_o_e_r_s, it must be escaped. For example:
1.1 misho 557:
1.1.1.3 ! misho 558: /bin/ls [[:alpha:]]*
1.1 misho 559:
1.1.1.3 ! misho 560: Would match any file name beginning with a letter.
1.1 misho 561:
1.1.1.3 ! misho 562: Note that a forward slash (`/') will nnoott be matched by wildcards used in
! 563: the path name. This is to make a path like:
1.1 misho 564:
1.1.1.3 ! misho 565: /usr/bin/*
1.1 misho 566:
1.1.1.3 ! misho 567: match _/_u_s_r_/_b_i_n_/_w_h_o but not _/_u_s_r_/_b_i_n_/_X_1_1_/_x_t_e_r_m.
1.1 misho 568:
1.1.1.3 ! misho 569: When matching the command line arguments, however, a slash ddooeess get
! 570: matched by wildcards since command line arguments may contain arbitrary
! 571: strings and not just path names.
1.1 misho 572:
1.1.1.3 ! misho 573: Wildcards in command line arguments should be used with care. Because
! 574: command line arguments are matched as a single, concatenated string, a
! 575: wildcard such as `?' or `*' can match multiple words. For example, while
! 576: a sudoers entry like:
1.1 misho 577:
1.1.1.3 ! misho 578: %operator ALL = /bin/cat /var/log/messages*
1.1 misho 579:
1.1.1.3 ! misho 580: will allow command like:
! 581:
! 582: $ sudo cat /var/log/messages.1
! 583:
! 584: It will also allow:
! 585:
! 586: $ sudo cat /var/log/messages /etc/shadow
! 587:
! 588: which is probably not what was intended.
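     The two matching rules above (a slash is never matched by a wildcard in
     the path name but is matched in the arguments, which are compared as one
     concatenated string) can be checked offline. The Python below is an added
     example, not sudo's matcher: it translates a sudoers glob into a regular
     expression itself, because Python's fnmatch module has no FNM_PATHNAME
     mode and the re module has no POSIX bracket classes, and then applies it
     to the manual's own rules. It assumes the sudoers parser has already
     split the rule into a path and an argument string, removes only the
     backslashes required before `,', `:' and `=', and maps a few POSIX
     classes to equivalent ranges.

```python
import re

# Added example (not sudo's own code): a glob matcher reproducing the two
# wildcard rules from the manual.  In path names '*', '?' and [...] never
# match '/' (fnmatch(3) with FNM_PATHNAME); in command line arguments they do.
# POSIX classes are mapped to equivalent ranges because re lacks them.

POSIX_CLASSES = {"alpha": "a-zA-Z", "digit": "0-9", "alnum": "a-zA-Z0-9",
                 "upper": "A-Z", "lower": "a-z"}


def _bracket(pattern, i, slash_ok):
    """Translate the bracket expression at pattern[i]; return (regex, next_i)."""
    j = i + 1
    negate = False
    if j < len(pattern) and pattern[j] == "!":
        negate, j = True, j + 1
    parts = []
    while j < len(pattern) and pattern[j] != "]":
        if pattern.startswith("[:", j):
            end = pattern.find(":]", j + 2)
            name = pattern[j + 2:end] if end != -1 else None
            if name in POSIX_CLASSES:
                parts.append(POSIX_CLASSES[name])
                j = end + 2
                continue
        ch = pattern[j]
        parts.append("\\" + ch if ch in "\\]^[" else ch)
        j += 1
    if j >= len(pattern):          # unterminated '[' is taken literally
        return re.escape("["), i + 1
    body = "".join(parts)
    if negate:
        # a negated set still must not match '/' inside a path name
        return "[^" + body + ("" if slash_ok else "/") + "]", j + 1
    return "[" + body + "]", j + 1


def glob_to_regex(pattern, slash_ok):
    """Anchored regex for a sudoers glob; slash_ok selects the argument rules."""
    any_char = "." if slash_ok else "[^/]"
    out, i = [], 0
    while i < len(pattern):
        c = pattern[i]
        if c == "*":
            out.append(any_char + "*")
        elif c == "?":
            out.append(any_char)
        elif c == "[":
            piece, i = _bracket(pattern, i, slash_ok)
            out.append(piece)
            continue
        elif c == "\\" and i + 1 < len(pattern):   # \x matches the literal x
            out.append(re.escape(pattern[i + 1]))
            i += 1
        else:
            out.append(re.escape(c))
        i += 1
    return "^" + "".join(out) + "$"


def unescape_sudoers(text):
    """Strip the backslashes the sudoers parser requires before ',', ':' and '='."""
    return re.sub(r"\\([,:=])", r"\1", text)


def command_matches(rule, path, args):
    """Match a user's command (resolved path plus argument list) against one Cmnd."""
    rule = unescape_sudoers(rule)
    rule_path, _, rule_args = rule.partition(" ")
    if not re.match(glob_to_regex(rule_path, slash_ok=False), path):
        return False
    if rule_args == "":
        return True                    # a bare file name permits any arguments
    if rule_args == '""':
        return args == []              # "" permits the command only without arguments
    # Arguments are compared as ONE space-joined string, so a single '*' can
    # swallow several words, including extra file names.
    return re.match(glob_to_regex(rule_args, slash_ok=True), " ".join(args)) is not None


if __name__ == "__main__":
    for rule, path, args in [("/usr/bin/*", "/usr/bin/who", []),
                             ("/usr/bin/*", "/usr/bin/X11/xterm", []),
                             ("/bin/cat /var/log/messages*", "/bin/cat", ["/var/log/messages.1"]),
                             ("/bin/cat /var/log/messages*", "/bin/cat",
                              ["/var/log/messages", "/etc/shadow"])]:
        print(rule.ljust(30), path, args, "->", command_matches(rule, path, args))
```

     The last two cases reproduce the /var/log/messages* pitfall: the
     argument vector is joined before matching, so a trailing `*' also accepts
     a second file name. The "" form is the rule the manual gives for commands
     that must not take arguments at all.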
1.1 misho 589:
590: EExxcceeppttiioonnss ttoo wwiillddccaarrdd rruulleess
1.1.1.3 ! misho 591: The following exceptions apply to the above rules:
1.1 misho 592:
1.1.1.3 ! misho 593: "" If the empty string "" is the only command line argument in the
1.1 misho 594: _s_u_d_o_e_r_s entry it means that command is not allowed to be run
595: with aannyy arguments.
596:
1.1.1.3 ! misho 597: sudoedit Command line arguments to the _s_u_d_o_e_d_i_t built-in command should
! 598: always be path names, so a forward slash (`/') will not be
! 599: matched by a wildcard.
! 600:
   Including other files from within sudoers
     It is possible to include other sudoers files from within the sudoers
     file currently being parsed using the #include and #includedir
     directives.

     This can be used, for example, to keep a site-wide sudoers file in
     addition to a local, per-machine file. For the sake of this example the
     site-wide sudoers will be /etc/sudoers and the per-machine one will be
     /etc/sudoers.local. To include /etc/sudoers.local from within
     /etc/sudoers we would use the following line in /etc/sudoers:

           #include /etc/sudoers.local

     When sudo reaches this line it will suspend processing of the current
     file (/etc/sudoers) and switch to /etc/sudoers.local. Upon reaching the
     end of /etc/sudoers.local, the rest of /etc/sudoers will be processed.
     Files that are included may themselves include other files. A hard limit
     of 128 nested include files is enforced to prevent include file loops.

     If the path to the include file is not fully-qualified (does not begin
     with a `/'), it must be located in the same directory as the sudoers
     file it was included from. For example, if /etc/sudoers contains the
     line:

           #include sudoers.local

     the file that will be included is /etc/sudoers.local.

     The file name may also include the %h escape, signifying the short form
     of the host name. In other words, if the machine's host name is
     ``xerxes'', then

           #include /etc/sudoers.%h

     will cause sudo to include the file /etc/sudoers.xerxes.

     The #includedir directive can be used to create a sudo.d directory that
     the system package manager can drop sudoers rules into as part of package
     installation. For example, given:

           #includedir /etc/sudoers.d

     sudo will read each file in /etc/sudoers.d, skipping file names that end
     in `~' or contain a `.' character to avoid causing problems with package
     manager or editor temporary/backup files. Files are parsed in sorted
     lexical order. That is, /etc/sudoers.d/01_first will be parsed before
     /etc/sudoers.d/10_second. Be aware that because the sorting is lexical,
     not numeric, /etc/sudoers.d/1_whoops would be loaded after
     /etc/sudoers.d/10_second. Using a consistent number of leading zeroes in
     the file names avoids such problems.

     Note that unlike files included via #include, visudo will not edit the
     files in a #includedir directory unless one of them contains a syntax
     error. It is still possible to run visudo with the -f flag to edit the
     files directly.

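     An added Python model of the include handling described in this section
     (it is not sudo's own parser): %h expansion, #include paths resolved
     relative to the including file, the #includedir name filtering and lexical
     ordering, and the 128-level nesting limit. It runs over a constructed
     in-memory set of files rather than the real /etc/sudoers.

```python
import posixpath

MAX_INCLUDE_DEPTH = 128      # hard nesting limit stated in the manual


class IncludeDepthExceeded(Exception):
    """Raised when includes nest deeper than MAX_INCLUDE_DEPTH (a loop)."""


def resolve_include(target: str, including_file: str, hostname: str) -> str:
    """Turn the operand of a #include directive into an absolute path.

    %h expands to the short form of the host name; a path that does not
    begin with `/' is taken relative to the directory of the including file.
    """
    target = target.replace("%h", hostname.split(".")[0])
    if not target.startswith("/"):
        target = posixpath.join(posixpath.dirname(including_file), target)
    return target


def includedir_order(names) -> list:
    """Select and order the entries sudo would read from a #includedir:
    names ending in `~' or containing a `.' are skipped, the rest are
    sorted lexically (so 1_whoops sorts after 10_second)."""
    keep = [n for n in names if not n.endswith("~") and "." not in n]
    return sorted(keep)


def load_sudoers(files: dict, dirs: dict, path: str, hostname: str,
                 depth: int = 0) -> list:
    """Return the policy lines of `path' with its includes expanded in
    the order sudo would process them.

    files: absolute path -> file contents (stand-in for the file system)
    dirs:  directory path -> list of entry names in that directory
    """
    if depth > MAX_INCLUDE_DEPTH:
        raise IncludeDepthExceeded(path)
    lines = []
    for raw in files[path].splitlines():
        line = raw.strip()
        if line.startswith("#include "):
            target = resolve_include(line[len("#include "):].strip(),
                                     path, hostname)
            lines.extend(load_sudoers(files, dirs, target, hostname, depth + 1))
        elif line.startswith("#includedir "):
            directory = line[len("#includedir "):].strip()
            for name in includedir_order(dirs.get(directory, [])):
                lines.extend(load_sudoers(files, dirs,
                                          posixpath.join(directory, name),
                                          hostname, depth + 1))
        elif line and not line.startswith("#"):
            lines.append(line)       # ordinary policy line; comments dropped
    return lines


# Constructed sample "file system" for the demonstration (not real policy).
SAMPLE_FILES = {
    "/etc/sudoers": ("Defaults env_reset\n"
                     "#include sudoers.local\n"
                     "#include /etc/sudoers.%h\n"
                     "#includedir /etc/sudoers.d\n"),
    "/etc/sudoers.local": "%wheel ALL=(ALL) ALL\n",
    "/etc/sudoers.xerxes": "alice ALL=(root) /usr/bin/systemctl\n",
    "/etc/sudoers.d/01_first": "bob ALL=(root) /bin/ls\n",
    "/etc/sudoers.d/10_second": "carol ALL=(root) /bin/cat\n",
    "/etc/sudoers.d/1_whoops": "dave ALL=(root) /bin/df\n",
    "/etc/sudoers.d/pkg.rpmsave": "NEVER READ\n",   # contains a `.'
    "/etc/sudoers.d/editor~": "NEVER READ\n",       # ends in `~'
    "/etc/loop": "#include /etc/loop\n",            # include loop
}
SAMPLE_DIRS = {
    "/etc/sudoers.d": ["10_second", "pkg.rpmsave", "1_whoops",
                       "editor~", "01_first"],
}

if __name__ == "__main__":
    for line in load_sudoers(SAMPLE_FILES, SAMPLE_DIRS, "/etc/sudoers",
                             "xerxes.example.org"):
        print(line)
```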
   Other special characters and reserved words
     The pound sign (`#') is used to indicate a comment (unless it is part of
     a #include directive or unless it occurs in the context of a user name
     and is followed by one or more digits, in which case it is treated as a
     uid). Both the comment character and any text after it, up to the end of
     the line, are ignored.

     The reserved word ALL is a built-in alias that always causes a match to
     succeed. It can be used wherever one might otherwise use a Cmnd_Alias,
     User_Alias, Runas_Alias, or Host_Alias. You should not try to define
     your own alias called ALL as the built-in alias will be used in
     preference to your own. Please note that using ALL can be dangerous
     since in a command context, it allows the user to run any command on the
     system.

     An exclamation point (`!') can be used as a logical not operator both in
     an alias and in front of a Cmnd. This allows one to exclude certain
     values. Note, however, that using a `!' in conjunction with the built-in
     ALL alias to allow a user to run ``all but a few'' commands rarely works
     as intended (see SECURITY NOTES below).

     Long lines can be continued with a backslash (`\') as the last character
     on the line.

     White space between elements in a list as well as special syntactic
     characters in a User Specification (`=', `:', `(', `)') is optional.

     The following characters must be escaped with a backslash (`\') when used
     as part of a word (e.g. a user name or host name): `!', `=', `:', `,',
     `(', `)', `\'.

SUDOERS OPTIONS
     sudo's behavior can be modified by Default_Entry lines, as explained
     earlier. All supported Defaults parameters, grouped by type, are listed
     below.

     Boolean Flags:

     always_set_home  If enabled, sudo will set the HOME environment variable
                      to the home directory of the target user (which is root
                      unless the -u option is used). This effectively means
                      that the -H option is always implied. Note that HOME
                      is already set when the env_reset option is enabled,
                      so always_set_home is only effective for
                      configurations where either env_reset is disabled or
                      HOME is present in the env_keep list. This flag is off
                      by default.

     authenticate     If set, users must authenticate themselves via a
                      password (or other means of authentication) before they
                      may run commands. This default may be overridden via
                      the PASSWD and NOPASSWD tags. This flag is on by
                      default.

     closefrom_override
                      If set, the user may use sudo's -C option which
                      overrides the default starting point at which sudo
                      begins closing open file descriptors. This flag is off
                      by default.

     compress_io      If set, and sudo is configured to log a command's input
                      or output, the I/O logs will be compressed using zlib.
                      This flag is on by default when sudo is compiled with
                      zlib support.

     env_editor       If set, visudo will use the value of the EDITOR or
                      VISUAL environment variables before falling back on the
                      default editor list. Note that this may create a
                      security hole as it allows the user to run any
                      arbitrary command as root without logging. A safer
                      alternative is to place a colon-separated list of
                      editors in the editor variable. visudo will then only
                      use the EDITOR or VISUAL if they match a value
                      specified in editor. This flag is off by default.

     env_reset        If set, sudo will run the command in a minimal
                      environment containing the TERM, PATH, HOME, MAIL,
                      SHELL, LOGNAME, USER, USERNAME and SUDO_* variables.
                      Any variables in the caller's environment that match
                      the env_keep and env_check lists are then added,
                      followed by any variables present in the file specified
                      by the env_file option (if any). The default contents
                      of the env_keep and env_check lists are displayed when
                      sudo is run by root with the -V option. If the
                      secure_path option is set, its value will be used for
                      the PATH environment variable. This flag is on by
                      default.

     fast_glob        Normally, sudo uses the glob(3) function to do shell-
                      style globbing when matching path names. However,
                      since it accesses the file system, glob(3) can take a
                      long time to complete for some patterns, especially
                      when the pattern references a network file system that
                      is mounted on demand (auto mounted). The fast_glob
                      option causes sudo to use the fnmatch(3) function,
                      which does not access the file system to do its
                      matching. The disadvantage of fast_glob is that it is
                      unable to match relative path names such as ./ls or
                      ../bin/ls. This has security implications when path
                      names that include globbing characters are used with
                      the negation operator, `!', as such rules can be
                      trivially bypassed. As such, this option should not be
                      used when sudoers contains rules that contain negated
                      path names which include globbing characters. This
                      flag is off by default.

     fqdn             Set this flag if you want to put fully qualified host
                      names in the sudoers file when the local host name (as
                      returned by the hostname command) does not contain the
                      domain name. In other words, instead of myhost you
                      would use myhost.mydomain.edu. You may still use the
                      short form if you wish (and even mix the two). This
                      option is only effective when the ``canonical'' host
                      name, as returned by the getaddrinfo() or
                      gethostbyname() function, is a fully-qualified domain
                      name. This is usually the case when the system is
                      configured to use DNS for host name resolution.

                      If the system is configured to use the /etc/hosts file
                      in preference to DNS, the ``canonical'' host name may
                      not be fully-qualified. The order in which sources are
                      queried for host name resolution is usually specified
                      in the /etc/nsswitch.conf, /etc/netsvc.conf,
                      /etc/host.conf, or, in some cases, /etc/resolv.conf
                      file. In the /etc/hosts file, the first host name of
                      the entry is considered to be the ``canonical'' name;
                      subsequent names are aliases that are not used by
                      sudoers. For example, the following hosts file line
                      for the machine ``xyzzy'' has the fully-qualified
                      domain name as the ``canonical'' host name, and the
                      short version as an alias.

                            192.168.1.1 xyzzy.sudo.ws xyzzy

                      If the machine's hosts file entry is not formatted
                      properly, the fqdn option will not be effective if it
                      is queried before DNS.

                      Beware that when using DNS for host name resolution,
                      turning on fqdn requires sudoers to make DNS lookups
                      which renders sudo unusable if DNS stops working (for
                      example if the machine is disconnected from the
                      network). Also note that just like with the hosts
                      file, you must use the ``canonical'' name as DNS knows
                      it. That is, you may not use a host alias (CNAME
                      entry) due to performance issues and the fact that
                      there is no way to get all aliases from DNS.

                      This flag is off by default.

     ignore_dot       If set, sudo will ignore "." or "" (both denoting
                      current directory) in the PATH environment variable;
                      the PATH itself is not modified. This flag is off by
                      default.

     ignore_local_sudoers
                      If set via LDAP, parsing of /etc/sudoers will be
                      skipped. This is intended for enterprises that wish to
                      prevent the usage of local sudoers files so that only
                      LDAP is used. This thwarts the efforts of rogue
                      operators who would attempt to add roles to
                      /etc/sudoers. When this option is present,
                      /etc/sudoers does not even need to exist. Since this
                      option tells sudo how to behave when no specific LDAP
                      entries have been matched, this sudoOption is only
                      meaningful for the cn=defaults section. This flag is
                      off by default.

     insults          If set, sudo will insult users when they enter an
                      incorrect password. This flag is off by default.

     log_host         If set, the host name will be logged in the (non-
                      syslog) sudo log file. This flag is off by default.

     log_input        If set, sudo will run the command in a pseudo tty and
                      log all user input. If the standard input is not
                      connected to the user's tty, due to I/O redirection or
                      because the command is part of a pipeline, that input
                      is also captured and stored in a separate log file.

                      Input is logged to the directory specified by the
                      iolog_dir option (/var/log/sudo-io by default) using a
                      unique session ID that is included in the normal sudo
                      log line, prefixed with ``TSID=''. The iolog_file
                      option may be used to control the format of the session
                      ID.

                      Note that user input may contain sensitive information
                      such as passwords (even if they are not echoed to the
                      screen), which will be stored in the log file
                      unencrypted. In most cases, logging the command output
                      via log_output is all that is required.

     log_output       If set, sudo will run the command in a pseudo tty and
                      log all output that is sent to the screen, similar to
                      the script(1) command. If the standard output or
                      standard error is not connected to the user's tty, due
                      to I/O redirection or because the command is part of a
                      pipeline, that output is also captured and stored in
                      separate log files.

                      Output is logged to the directory specified by the
                      iolog_dir option (/var/log/sudo-io by default) using a
                      unique session ID that is included in the normal sudo
                      log line, prefixed with ``TSID=''. The iolog_file
                      option may be used to control the format of the session
                      ID.

                      Output logs may be viewed with the sudoreplay(1m)
                      utility, which can also be used to list or search the
                      available logs.

     log_year         If set, the four-digit year will be logged in the (non-
                      syslog) sudo log file. This flag is off by default.

     long_otp_prompt  When validating with a One Time Password (OTP) scheme
                      such as S/Key or OPIE, a two-line prompt is used to
                      make it easier to cut and paste the challenge to a
                      local window. It's not as pretty as the default but
                      some people find it more convenient. This flag is off
                      by default.

     mail_always      Send mail to the mailto user every time a user runs
                      sudo. This flag is off by default.

     mail_badpass     Send mail to the mailto user if the user running sudo
                      does not enter the correct password. If the command
                      the user is attempting to run is not permitted by
                      sudoers and one of the mail_always, mail_no_host,
                      mail_no_perms or mail_no_user flags is set, this flag
                      will have no effect. This flag is off by default.

     mail_no_host     If set, mail will be sent to the mailto user if the
                      invoking user exists in the sudoers file, but is not
                      allowed to run commands on the current host. This flag
                      is off by default.

     mail_no_perms    If set, mail will be sent to the mailto user if the
                      invoking user is allowed to use sudo but the command
                      they are trying is not listed in their sudoers file
                      entry or is explicitly denied. This flag is off by
                      default.

     mail_no_user     If set, mail will be sent to the mailto user if the
                      invoking user is not in the sudoers file. This flag is
                      on by default.

     noexec           If set, all commands run via sudo will behave as if the
                      NOEXEC tag has been set, unless overridden by an EXEC
                      tag. See the description of NOEXEC and EXEC below as
                      well as the Preventing shell escapes section at the end
                      of this manual. This flag is off by default.

     path_info        Normally, sudo will tell the user when a command could
                      not be found in their PATH environment variable. Some
                      sites may wish to disable this as it could be used to
                      gather information on the location of executables that
                      the normal user does not have access to. The
                      disadvantage is that if the executable is simply not in
                      the user's PATH, sudo will tell the user that they are
                      not allowed to run it, which can be confusing. This
                      flag is on by default.

     passprompt_override
                      The password prompt specified by passprompt will
                      normally only be used if the password prompt provided
                      by systems such as PAM matches the string
                      ``Password:''. If passprompt_override is set,
                      passprompt will always be used. This flag is off by
                      default.

     preserve_groups  By default, sudo will initialize the group vector to
                      the list of groups the target user is in. When
                      preserve_groups is set, the user's existing group
                      vector is left unaltered. The real and effective group
                      IDs, however, are still set to match the target user.
                      This flag is off by default.

     pwfeedback       By default, sudo reads the password like most other
                      Unix programs, by turning off echo until the user hits
                      the return (or enter) key. Some users become confused
                      by this as it appears to them that sudo has hung at
                      this point. When pwfeedback is set, sudo will provide
                      visual feedback when the user presses a key. Note that
                      this does have a security impact as an onlooker may be
                      able to determine the length of the password being
                      entered. This flag is off by default.

     requiretty       If set, sudo will only run when the user is logged in
                      to a real tty. When this flag is set, sudo can only be
                      run from a login session and not via other means such
                      as cron(1m) or cgi-bin scripts. This flag is off by
                      default.

     root_sudo        If set, root is allowed to run sudo too. Disabling
                      this prevents users from ``chaining'' sudo commands to
                      get a root shell by doing something like ``sudo sudo
                      /bin/sh''. Note, however, that turning off root_sudo
                      will also prevent root from running sudoedit.
                      Disabling root_sudo provides no real additional
                      security; it exists purely for historical reasons.
                      This flag is on by default.

     rootpw           If set, sudo will prompt for the root password instead
                      of the password of the invoking user. This flag is off
                      by default.

     runaspw          If set, sudo will prompt for the password of the user
                      defined by the runas_default option (defaults to root)
                      instead of the password of the invoking user. This
                      flag is off by default.

     set_home         If enabled and sudo is invoked with the -s option the
                      HOME environment variable will be set to the home
                      directory of the target user (which is root unless the
                      -u option is used). This effectively makes the -s
                      option imply -H. Note that HOME is already set when
                      the env_reset option is enabled, so set_home is only
                      effective for configurations where either env_reset is
                      disabled or HOME is present in the env_keep list. This
                      flag is off by default.

     set_logname      Normally, sudo will set the LOGNAME, USER and USERNAME
                      environment variables to the name of the target user
                      (usually root unless the -u option is given). However,
                      since some programs (including the RCS revision control
                      system) use LOGNAME to determine the real identity of
                      the user, it may be desirable to change this behavior.
                      This can be done by negating the set_logname option.
                      Note that if the env_reset option has not been
                      disabled, entries in the env_keep list will override
                      the value of set_logname. This flag is on by default.

     set_utmp         When enabled, sudo will create an entry in the utmp (or
                      utmpx) file when a pseudo-tty is allocated. A pseudo-
                      tty is allocated by sudo when the log_input, log_output
                      or use_pty flags are enabled. By default, the new
                      entry will be a copy of the user's existing utmp entry
                      (if any), with the tty, time, type and pid fields
                      updated. This flag is on by default.

     setenv           Allow the user to disable the env_reset option from the
                      command line via the -E option. Additionally,
                      environment variables set via the command line are not
                      subject to the restrictions imposed by env_check,
                      env_delete, or env_keep. As such, only trusted users
                      should be allowed to set variables in this manner.
                      This flag is off by default.

     shell_noargs     If set and sudo is invoked with no arguments it acts as
                      if the -s option had been given. That is, it runs a
                      shell as root (the shell is determined by the SHELL
                      environment variable if it is set, falling back on the
                      shell listed in the invoking user's /etc/passwd entry
                      if not). This flag is off by default.

     stay_setuid      Normally, when sudo executes a command the real and
                      effective UIDs are set to the target user (root by
                      default). This option changes that behavior such that
                      the real UID is left as the invoking user's UID. In
                      other words, this makes sudo act as a setuid wrapper.
                      This can be useful on systems that disable some
                      potentially dangerous functionality when a program is
                      run setuid. This option is only effective on systems
                      that support either the setreuid(2) or setresuid(2)
                      system call. This flag is off by default.

     targetpw         If set, sudo will prompt for the password of the user
                      specified by the -u option (defaults to root) instead
                      of the password of the invoking user. In addition, the
                      time stamp file name will include the target user's
                      name. Note that this flag precludes the use of a uid
                      not listed in the passwd database as an argument to the
                      -u option. This flag is off by default.

     tty_tickets      If set, users must authenticate on a per-tty basis.
                      With this flag enabled, sudo will use a file named for
                      the tty the user is logged in on in the user's time
                      stamp directory. If disabled, the time stamp of the
                      directory is used instead. This flag is on by default.

     umask_override   If set, sudo will set the umask as specified by sudoers
                      without modification. This makes it possible to
                      specify a more permissive umask in sudoers than the
                      user's own umask and matches historical behavior. If
                      umask_override is not set, sudo will set the umask to
                      be the union of the user's umask and what is specified
                      in sudoers. This flag is off by default.

     use_loginclass   If set, sudo will apply the defaults specified for the
                      target user's login class if one exists. Only
                      available if sudo is configured with the
                      --with-logincap option. This flag is off by default.

     use_pty          If set, sudo will run the command in a pseudo-tty even
                      if no I/O logging is being done. A malicious program
                      run under sudo could conceivably fork a background
                      process that retains access to the user's terminal
                      device after the main program has finished executing.
                      Use of this option will make that impossible. This
                      flag is off by default.

     utmp_runas       If set, sudo will store the name of the runas user when
                      updating the utmp (or utmpx) file. By default, sudo
                      stores the name of the invoking user. This flag is off
                      by default.

     visiblepw        By default, sudo will refuse to run if the user must
                      enter a password but it is not possible to disable echo
                      on the terminal. If the visiblepw flag is set, sudo
                      will prompt for a password even when it would be
                      visible on the screen. This makes it possible to run
                      things like ``ssh somehost sudo ls'' since by default,
                      ssh(1) does not allocate a tty when running a command.
                      This flag is off by default.

     Integers:

     closefrom        Before it executes a command, sudo will close all open
                      file descriptors other than standard input, standard
                      output and standard error (i.e., file descriptors 0-2).
                      The closefrom option can be used to specify a different
                      file descriptor at which to start closing. The default
                      is 3.

     passwd_tries     The number of tries a user gets to enter his/her
                      password before sudo logs the failure and exits. The
                      default is 3.

     Integers that can be used in a boolean context:

     loglinelen       Number of characters per line for the file log. This
                      value is used to decide when to wrap lines for nicer
                      log files. This has no effect on the syslog log file,
                      only the file log. The default is 80 (use 0 or negate
                      the option to disable word wrap).

     passwd_timeout   Number of minutes before the sudo password prompt times
                      out, or 0 for no timeout. The timeout may include a
                      fractional component if minute granularity is
                      insufficient, for example 2.5. The default is 5.

     timestamp_timeout
                      Number of minutes that can elapse before sudo will ask
                      for a password again. The timeout may include a
                      fractional component if minute granularity is
                      insufficient, for example 2.5. The default is 5. Set
                      this to 0 to always prompt for a password. If set to a
                      value less than 0 the user's time stamp will never
                      expire. This can be used to allow users to create or
                      delete their own time stamps via ``sudo -v'' and ``sudo
                      -k'' respectively.

     umask            Umask to use when running the command. Negate this
                      option or set it to 0777 to preserve the user's umask.
                      The actual umask that is used will be the union of the
                      user's umask and the value of the umask option, which
                      defaults to 0022. This guarantees that sudo never
                      lowers the umask when running a command. Note: on
                      systems that use PAM, the default PAM configuration may
                      specify its own umask which will override the value set
                      in sudoers.

     Strings:

     badpass_message  Message that is displayed if a user enters an incorrect
                      password. The default is ``Sorry, try again.'' unless
                      insults are enabled.

     editor           A colon (`:') separated list of editors allowed to be
                      used with visudo. visudo will choose the editor that
                      matches the user's EDITOR environment variable if
                      possible, or the first editor in the list that exists
                      and is executable. The default is vi.

     iolog_dir        The top-level directory to use when constructing the
                      path name for the input/output log directory. Only
                      used if the log_input or log_output options are enabled
                      or when the LOG_INPUT or LOG_OUTPUT tags are present
                      for a command. The session sequence number, if any, is
                      stored in the directory. The default is
                      /var/log/sudo-io.

                      The following percent (`%') escape sequences are
                      supported:

                      %{seq}
                            expanded to a monotonically increasing base-36
                            sequence number, such as 0100A5, where every two
                            digits are used to form a new directory, e.g.
                            01/00/A5

                      %{user}
                            expanded to the invoking user's login name

                      %{group}
                            expanded to the name of the invoking user's real
                            group ID

                      %{runas_user}
                            expanded to the login name of the user the
                            command will be run as (e.g. root)

                      %{runas_group}
                            expanded to the group name of the user the
                            command will be run as (e.g. wheel)

                      %{hostname}
                            expanded to the local host name without the
                            domain name

                      %{command}
                            expanded to the base name of the command being
                            run

                      In addition, any escape sequences supported by the
                      system's strftime(3) function will be expanded.

                      To include a literal `%' character, the string `%%'
                      should be used.

     iolog_file       The path name, relative to iolog_dir, in which to store
                      input/output logs when the log_input or log_output
                      options are enabled or when the LOG_INPUT or LOG_OUTPUT
                      tags are present for a command. Note that iolog_file
                      may contain directory components. The default is
                      ``%{seq}''.

                      See the iolog_dir option above for a list of supported
                      percent (`%') escape sequences.

                      In addition to the escape sequences, path names that
                      end in six or more Xs will have the Xs replaced with a
                      unique combination of digits and letters, similar to
                      the mktemp(3) function.

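     An added Python example (not sudo's code) that expands the iolog_dir and
     iolog_file escapes described above: the base-36 %{seq} split into
     two-digit directories, the %{...} session escapes, strftime(3) escapes,
     `%%', and the trailing XXXXXX replacement. The session context and time
     stamp are constructed values.

```python
import datetime
import posixpath
import re
import secrets
import string

BASE36 = string.digits + string.ascii_uppercase


def seq_to_dirs(seq: int) -> str:
    """Render a session sequence number as six base-36 digits, two per
    directory level: 1679981 -> '01/00/A5' (the manual's 0100A5 example)."""
    digits = ""
    n = seq
    for _ in range(6):
        digits = BASE36[n % 36] + digits
        n //= 36
    return "/".join(digits[i:i + 2] for i in range(0, 6, 2))


def expand_iolog(template: str, ctx: dict, seq: int,
                 now: datetime.datetime) -> str:
    """Expand the percent escapes accepted by iolog_dir and iolog_file.

    ctx maps the %{...} names (user, group, runas_user, runas_group,
    hostname, command) to their values; any other %X pair is handed to
    strftime, and %% yields a literal percent sign.
    """
    out = []
    i = 0
    while i < len(template):
        if template[i] != "%":
            out.append(template[i])
            i += 1
        elif template.startswith("%%", i):
            out.append("%")
            i += 2
        elif template.startswith("%{", i):
            end = template.index("}", i)      # ValueError on a malformed escape
            key = template[i + 2:end]
            out.append(seq_to_dirs(seq) if key == "seq" else ctx[key])
            i = end + 1
        else:
            out.append(now.strftime(template[i:i + 2]))
            i += 2
    return "".join(out)


def fill_xs(path: str) -> str:
    """Replace a trailing run of six or more X characters with random digits
    and letters, the mktemp(3)-like behaviour described for iolog_file."""
    m = re.search(r"X{6,}$", path)
    if m is None:
        return path
    alphabet = string.ascii_letters + string.digits
    suffix = "".join(secrets.choice(alphabet) for _ in range(len(m.group())))
    return path[:m.start()] + suffix


def iolog_path(iolog_dir: str, iolog_file: str, ctx: dict, seq: int,
               now: datetime.datetime) -> str:
    """Full path of the I/O log for one session: iolog_file is relative to
    iolog_dir and may itself contain directory components."""
    directory = expand_iolog(iolog_dir, ctx, seq, now)
    relative = expand_iolog(iolog_file, ctx, seq, now)
    return fill_xs(posixpath.join(directory, relative))


# Constructed session context for the demonstration (not real log data).
SAMPLE_CTX = {
    "user": "alice", "group": "staff",
    "runas_user": "root", "runas_group": "wheel",
    "hostname": "xerxes", "command": "ls",
}
SAMPLE_TIME = datetime.datetime(2013, 1, 2, 3, 4, 5)

if __name__ == "__main__":
    # Default configuration: iolog_dir /var/log/sudo-io, iolog_file %{seq}.
    print(iolog_path("/var/log/sudo-io", "%{seq}", SAMPLE_CTX, 1679981,
                     SAMPLE_TIME))
    # A per-user, per-day layout with a random suffix.
    print(iolog_path("/var/log/sudo-io/%{user}", "%Y%m%d/%{command}-XXXXXX",
                     SAMPLE_CTX, 1679981, SAMPLE_TIME))
```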
     limitprivs       The default Solaris limit privileges to use when
                      constructing a new privilege set for a command. This
                      bounds all privileges of the executing process. The
                      default limit privileges may be overridden on a per-
                      command basis in sudoers. This option is only
                      available if sudoers is built on Solaris 10 or higher.

     mailsub          Subject of the mail sent to the mailto user. The
                      escape %h will expand to the host name of the machine.
                      Default is ``*** SECURITY information for %h ***''.

     noexec_file      This option is no longer supported. The path to the
                      noexec file should now be set in the /etc/sudo.conf
                      file.

     passprompt       The default prompt to use when asking for a password;
                      can be overridden via the -p option or the SUDO_PROMPT
                      environment variable. The following percent (`%')
                      escape sequences are supported:

                      %H  expanded to the local host name including the
                          domain name (only if the machine's host name is
                          fully qualified or the fqdn option is set)

                      %h  expanded to the local host name without the
                          domain name

                      %p  expanded to the user whose password is being
                          asked for (respects the rootpw, targetpw and
                          runaspw flags in sudoers)

                      %U  expanded to the login name of the user the
                          command will be run as (defaults to root)

                      %u  expanded to the invoking user's login name

                      %%  two consecutive % characters are collapsed into a
                          single % character

                      The default value is ``Password:''.

     privs            The default Solaris privileges to use when constructing
                      a new privilege set for a command. This is passed to
                      the executing process via the inherited privilege set,
                      but is bounded by the limit privileges. If the privs
                      option is specified but the limitprivs option is not,
                      the limit privileges of the executing process are set
                      to privs. The default privileges may be overridden on a
                      per-command basis in sudoers. This option is only
                      available if sudoers is built on Solaris 10 or higher.

     role             The default SELinux role to use when constructing a new
                      security context to run the command. The default role
                      may be overridden on a per-command basis in sudoers or
                      via command line options. This option is only
                      available when sudo is built with SELinux support.

1.1.1.3 ! misho 1249: runas_default The default user to run commands as if the --uu option is
1.1 misho 1250: not specified on the command line. This defaults to
1251: root.
1252:
1.1.1.3 ! misho 1253: syslog_badpri Syslog priority to use when user authenticates
1.1 misho 1254: unsuccessfully. Defaults to alert.
1255:
1256: The following syslog priorities are supported: aalleerrtt,
1257: ccrriitt, ddeebbuugg, eemmeerrgg, eerrrr, iinnffoo, nnoottiiccee, and wwaarrnniinngg.
1258:
1.1.1.3 ! misho 1259: syslog_goodpri Syslog priority to use when user authenticates
1.1 misho 1260: successfully. Defaults to notice.
1261:
1.1.1.3 ! misho 1262: See _s_y_s_l_o_g___b_a_d_p_r_i for the list of supported syslog
1.1 misho 1263: priorities.
1264:
1.1.1.3 ! misho 1265: sudoers_locale Locale to use when parsing the sudoers file, logging
1.1 misho 1266: commands, and sending email. Note that changing the
1267: locale may affect how sudoers is interpreted. Defaults
1.1.1.3 ! misho 1268: to ``C''.
1.1 misho 1269:
1.1.1.3 ! misho 1270: timestampdir The directory in which ssuuddoo stores its time stamp
! 1271: files. The default is _/_v_a_r_/_a_d_m_/_s_u_d_o.
1.1 misho 1272:
1.1.1.3 ! misho 1273: timestampowner The owner of the time stamp directory and the time
! 1274: stamps stored therein. The default is root.
1.1 misho 1275:
1.1.1.3 ! misho 1276: type The default SELinux type to use when constructing a new
1.1 misho 1277: security context to run the command. The default type
1278: may be overridden on a per-command basis in _s_u_d_o_e_r_s or
1279: via command line options. This option is only
1.1.1.3 ! misho 1280: available when ssuuddoo is built with SELinux support.
1.1 misho 1281:
1.1.1.3 ! misho 1282: SSttrriinnggss tthhaatt ccaann bbee uusseedd iinn aa bboooolleeaann ccoonntteexxtt:
1.1 misho 1283:
1.1.1.3 ! misho 1284: env_file The _e_n_v___f_i_l_e option specifies the fully qualified path to a
1.1.1.2 misho 1285: file containing variables to be set in the environment of
1.1 misho 1286: the program being run. Entries in this file should either
1.1.1.3 ! misho 1287: be of the form ``VARIABLE=value'' or ``export
! 1288: VARIABLE=value''. The value may optionally be surrounded
! 1289: by single or double quotes. Variables in this file are
! 1290: subject to other ssuuddoo environment settings such as _e_n_v___k_e_e_p
! 1291: and _e_n_v___c_h_e_c_k.
1.1 misho 1292:
1.1.1.3 ! misho 1293: exempt_group Users in this group are exempt from password and PATH
1.1 misho 1294: requirements. The group name specified should not include
1295: a % prefix. This is not set by default.
1296:
1.1.1.3 ! misho 1297: group_plugin A string containing a _s_u_d_o_e_r_s group plugin with optional
1.1 misho 1298: arguments. This can be used to implement support for the
1299: nonunix_group syntax described earlier. The string should
1300: consist of the plugin path, either fully-qualified or
1301: relative to the _/_u_s_r_/_l_o_c_a_l_/_l_i_b_e_x_e_c directory, followed by
1302: any configuration arguments the plugin requires. These
1303: arguments (if any) will be passed to the plugin's
1304: initialization function. If arguments are present, the
1.1.1.3 ! misho 1305: string must be enclosed in double quotes ("").
1.1 misho 1306:
1307: For example, given _/_e_t_c_/_s_u_d_o_-_g_r_o_u_p, a group file in Unix
1308: group format, the sample group plugin can be used:
1309:
1.1.1.3 ! misho 1310: Defaults group_plugin="sample_group.so /etc/sudo-group"
1.1 misho 1311:
1.1.1.3 ! misho 1312: For more information see sudo_plugin(4).
1.1 misho 1313:
1.1.1.3 ! misho 1314: lecture This option controls when a short lecture will be printed
1.1 misho 1315: along with the password prompt. It has the following
1316: possible values:
1317:
1318: always Always lecture the user.
1319:
1320: never Never lecture the user.
1321:
1322: once Only lecture the user the first time they run ssuuddoo.
1323:
1324: If no value is specified, a value of _o_n_c_e is implied.
1325: Negating the option results in a value of _n_e_v_e_r being used.
1326: The default value is _o_n_c_e.
1327:
1.1.1.3 ! misho 1328: lecture_file Path to a file containing an alternate ssuuddoo lecture that
1.1 misho 1329: will be used in place of the standard lecture if the named
1330: file exists. By default, ssuuddoo uses a built-in lecture.
1331:
1.1.1.3 ! misho 1332: listpw This option controls when a password will be required when
1.1 misho 1333: a user runs ssuuddoo with the --ll option. It has the following
1334: possible values:
1335:
1.1.1.3 ! misho 1336: all All the user's _s_u_d_o_e_r_s entries for the current
! 1337: host must have the NOPASSWD flag set to avoid
! 1338: entering a password.
! 1339:
! 1340: always The user must always enter a password to use the
! 1341: --ll option.
! 1342:
! 1343: any At least one of the user's _s_u_d_o_e_r_s entries for
! 1344: the current host must have the NOPASSWD flag set
! 1345: to avoid entering a password.
1.1 misho 1346:
1.1.1.3 ! misho 1347: never The user need never enter a password to use the
! 1348: --ll option.
1.1 misho 1349:
1350: If no value is specified, a value of _a_n_y is implied.
1351: Negating the option results in a value of _n_e_v_e_r being used.
1352: The default value is _a_n_y.
1353:
1.1.1.3 ! misho 1354: logfile Path to the ssuuddoo log file (not the syslog log file).
1.1 misho 1355: Setting a path turns on logging to a file; negating this
1356: option turns it off. By default, ssuuddoo logs via syslog.
1357:
1.1.1.3 ! misho 1358: mailerflags Flags to use when invoking mailer. Defaults to --tt.
1.1 misho 1359:
1.1.1.3 ! misho 1360: mailerpath Path to mail program used to send warning mail. Defaults
1.1 misho 1361: to the path to sendmail found at configure time.
1362:
1.1.1.3 ! misho 1363: mailfrom Address to use for the ``from'' address when sending
! 1364: warning and error mail. The address should be enclosed in
! 1365: double quotes ("") to protect against ssuuddoo interpreting the
! 1366: @ sign. Defaults to the name of the user running ssuuddoo.
1.1 misho 1367:
1.1.1.3 ! misho 1368: mailto Address to send warning and error mail to. The address
! 1369: should be enclosed in double quotes ("") to protect against
1.1 misho 1370: ssuuddoo interpreting the @ sign. Defaults to root.
1371:
1.1.1.3 ! misho 1372: secure_path Path used for every command run from ssuuddoo. If you don't
1.1 misho 1373: trust the people running ssuuddoo to have a sane PATH
1374: environment variable you may want to use this. Another use
1.1.1.3 ! misho 1375: is if you want to have the ``root path'' be separate from
! 1376: the ``user path''. Users in the group specified by the
1.1 misho 1377: _e_x_e_m_p_t___g_r_o_u_p option are not affected by _s_e_c_u_r_e___p_a_t_h. This
1378: option is not set by default.
1379:
1.1.1.3 ! misho 1380: syslog Syslog facility if syslog is being used for logging (negate
1.1 misho 1381: to disable syslog logging). Defaults to auth.
1382:
1383: The following syslog facilities are supported: aauutthhpprriivv (if
1384: your OS supports it), aauutthh, ddaaeemmoonn, uusseerr, llooccaall00, llooccaall11,
1385: llooccaall22, llooccaall33, llooccaall44, llooccaall55, llooccaall66, and llooccaall77.
1386:
1.1.1.3 ! misho 1387: verifypw This option controls when a password will be required when
1.1 misho 1388: a user runs ssuuddoo with the --vv option. It has the following
1389: possible values:
1390:
1391: all All the user's _s_u_d_o_e_r_s entries for the current host
1392: must have the NOPASSWD flag set to avoid entering a
1393: password.
1394:
1395: always The user must always enter a password to use the --vv
1396: option.
1397:
1398: any At least one of the user's _s_u_d_o_e_r_s entries for the
1399: current host must have the NOPASSWD flag set to
1400: avoid entering a password.
1401:
1402: never The user need never enter a password to use the --vv
1403: option.
1404:
1405: If no value is specified, a value of _a_l_l is implied.
1406: Negating the option results in a value of _n_e_v_e_r being used.
1407: The default value is _a_l_l.
1408:
1.1.1.3 ! misho 1409: LLiissttss tthhaatt ccaann bbee uusseedd iinn aa bboooolleeaann ccoonntteexxtt:
1.1 misho 1410:
1.1.1.3 ! misho 1411: env_check Environment variables to be removed from the user's
! 1412: environment if the variable's value contains `%' or `/'
1.1 misho 1413: characters. This can be used to guard against printf-
1414: style format vulnerabilities in poorly-written
1415: programs. The argument may be a double-quoted, space-
1416: separated list or a single value without double-quotes.
1417: The list can be replaced, added to, deleted from, or
1418: disabled by using the =, +=, -=, and ! operators
1419: respectively. Regardless of whether the env_reset
1420: option is enabled or disabled, variables specified by
1421: env_check will be preserved in the environment if they
1422: pass the aforementioned check. The default list of
1423: environment variables to check is displayed when ssuuddoo
1.1.1.3 ! misho 1424: is run by root with the --VV option.
1.1 misho 1425:
1.1.1.3 ! misho 1426: env_delete Environment variables to be removed from the user's
1.1 misho 1427: environment when the _e_n_v___r_e_s_e_t option is not in effect.
1428: The argument may be a double-quoted, space-separated
1429: list or a single value without double-quotes. The list
1430: can be replaced, added to, deleted from, or disabled by
1431: using the =, +=, -=, and ! operators respectively. The
1432: default list of environment variables to remove is
1.1.1.3 ! misho 1433: displayed when ssuuddoo is run by root with the --VV option.
1.1 misho 1434: Note that many operating systems will remove
1435: potentially dangerous variables from the environment of
1436: any setuid process (such as ssuuddoo).
1437:
1.1.1.3 ! misho 1438: env_keep Environment variables to be preserved in the user's
1.1 misho 1439: environment when the _e_n_v___r_e_s_e_t option is in effect.
1440: This allows fine-grained control over the environment
1441: ssuuddoo-spawned processes will receive. The argument may
1442: be a double-quoted, space-separated list or a single
1443: value without double-quotes. The list can be replaced,
1444: added to, deleted from, or disabled by using the =, +=,
1445: -=, and ! operators respectively. The default list of
1446: variables to keep is displayed when ssuuddoo is run by root
1.1.1.3 ! misho 1447: with the --VV option.
! 1448:
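     The following is an added example, not code from the sudo project,
     that models the three environment lists above: it applies the =, +=,
     -= and ! operators of plain Defaults lines and then filters a sample
     environment with env_reset on and off.  It assumes the lists start
     out empty, covers no wildcard patterns or per-user/host Defaults, and
     the sample Defaults lines and environment are constructed.

```python
import re
from typing import Dict, Iterable, Set

ENV_LISTS = ("env_keep", "env_check", "env_delete")

# Defaults env_keep += "DISPLAY HOME"  /  Defaults !env_check  /  Defaults env_keep -= TERM
DEFAULTS_RE = re.compile(
    r'^\s*Defaults\s+(?P<neg>!?)(?P<name>env_keep|env_check|env_delete)'
    r'(?:\s*(?P<op>\+=|-=|=)\s*(?P<val>.+?))?\s*$'
)

# Constructed sample Defaults lines (the env_keep line is the one from this
# page's EXAMPLES section).
SAMPLE_DEFAULTS = [
    'Defaults env_check = "COLORTERM LANG"',
    'Defaults env_delete = "IFS LD_PRELOAD"',
    'Defaults env_keep += "DISPLAY HOME"',
    "Defaults env_keep += TERM",
]

# Constructed sample user environment.
SAMPLE_ENV = {
    "HOME": "/home/millert",
    "DISPLAY": ":0",
    "LANG": "en_US.UTF-8",
    "COLORTERM": "%n%n",               # contains '%': fails the env_check test
    "IFS": " ",
    "LD_PRELOAD": "/usr/lib/libfoo.so",
    "TERM": "xterm",
    "EDITOR": "vi",
}


def _split_value(raw: str) -> Set[str]:
    """A list value is either double-quoted and space separated, or one bare word."""
    raw = raw.strip()
    if len(raw) >= 2 and raw[0] == '"' and raw[-1] == '"':
        raw = raw[1:-1]
    return set(raw.split())


def parse_env_defaults(lines: Iterable[str]) -> Dict[str, Set[str]]:
    """Apply the =, +=, -= and ! operators of each Defaults line in order.

    Lists start empty (assumption); sudo's own built-in defaults are not modelled.
    """
    lists: Dict[str, Set[str]] = {name: set() for name in ENV_LISTS}
    for line in lines:
        m = DEFAULTS_RE.match(line)
        if not m:
            continue                      # not one of the three env lists
        name, neg, op = m.group("name"), m.group("neg"), m.group("op")
        if neg:
            lists[name] = set()           # "!" disables (empties) the list
        elif op == "=":
            lists[name] = _split_value(m.group("val"))
        elif op == "+=":
            lists[name] |= _split_value(m.group("val"))
        elif op == "-=":
            lists[name] -= _split_value(m.group("val"))
        else:
            raise ValueError(f"a list needs an operator: {line!r}")
    return lists


def passes_env_check(value: str) -> bool:
    """env_check drops a variable whose value contains '%' or '/'."""
    return "%" not in value and "/" not in value


def build_command_env(env: Dict[str, str], lists: Dict[str, Set[str]],
                      env_reset: bool) -> Dict[str, str]:
    """Return the environment the command would receive.

    env_check applies in both modes and decides for its variables alone.
    With env_reset, only env_keep variables survive; without it, only
    env_delete variables are removed.
    """
    out: Dict[str, str] = {}
    for name, value in env.items():
        if name in lists["env_check"]:
            if passes_env_check(value):
                out[name] = value
        elif env_reset:
            if name in lists["env_keep"]:
                out[name] = value
        elif name not in lists["env_delete"]:
            out[name] = value
    return out


if __name__ == "__main__":
    env_lists = parse_env_defaults(SAMPLE_DEFAULTS)
    for reset in (True, False):
        kept = build_command_env(SAMPLE_ENV, env_lists, env_reset=reset)
        print(f"env_reset={reset}: keeps {sorted(kept)}")
```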
LOG FORMAT
     sudoers can log events using either syslog(3) or a simple log file.  In
     each case the log format is almost identical.

   Accepted command log entries
     Commands that sudo runs are logged using the following format (split into
     multiple lines for readability):

         date hostname progname: username : TTY=ttyname ; PWD=cwd ; \
             USER=runasuser ; GROUP=runasgroup ; TSID=logid ; \
             ENV=env_vars COMMAND=command

     Where the fields are as follows:

     date        The date the command was run.  Typically, this is in the
                 format ``MMM, DD, HH:MM:SS''.  If logging via syslog(3),
                 the actual date format is controlled by the syslog daemon.
                 If logging to a file and the log_year option is enabled,
                 the date will also include the year.

     hostname    The name of the host sudo was run on.  This field is only
                 present when logging via syslog(3).

     progname    The name of the program, usually sudo or sudoedit.  This
                 field is only present when logging via syslog(3).

     username    The login name of the user who ran sudo.

     ttyname     The short name of the terminal (e.g. ``console'',
                 ``tty01'', or ``pts/0'') sudo was run on, or ``unknown'' if
                 there was no terminal present.

     cwd         The current working directory that sudo was run in.

     runasuser   The user the command was run as.

     runasgroup  The group the command was run as if one was specified on
                 the command line.

     logid       An I/O log identifier that can be used to replay the
                 command's output.  This is only present when the log_input
                 or log_output option is enabled.

     env_vars    A list of environment variables specified on the command
                 line, if specified.

     command     The actual command that was executed.

     Messages are logged using the locale specified by sudoers_locale, which
     defaults to the ``C'' locale.

   Denied command log entries
     If the user is not allowed to run the command, the reason for the denial
     will follow the user name.  Possible reasons include:

     user NOT in sudoers
         The user is not listed in the sudoers file.

     user NOT authorized on host
         The user is listed in the sudoers file but is not allowed to run
         commands on the host.

     command not allowed
         The user is listed in the sudoers file for the host but they are not
         allowed to run the specified command.

     3 incorrect password attempts
         The user failed to enter their password after 3 tries.  The actual
         number of tries will vary based on the number of failed attempts and
         the value of the passwd_tries option.

     a password is required
         sudo's -n option was specified but a password was required.

     sorry, you are not allowed to set the following environment variables
         The user specified environment variables on the command line that
         were not allowed by sudoers.

   Error log entries
     If an error occurs, sudoers will log a message and, in most cases, send a
     message to the administrator via email.  Possible errors include:

     parse error in /etc/sudoers near line N
         sudoers encountered an error when parsing the specified file.  In
         some cases, the actual error may be one line above or below the line
         number listed, depending on the type of error.

     problem with defaults entries
         The sudoers file contains one or more unknown Defaults settings.
         This does not prevent sudo from running, but the sudoers file should
         be checked using visudo.

     timestamp owner (username): No such user
         The time stamp directory owner, as specified by the timestampowner
         setting, could not be found in the password database.

     unable to open/read /etc/sudoers
         The sudoers file could not be opened for reading.  This can happen
         when the sudoers file is located on a remote file system that maps
         user ID 0 to a different value.  Normally, sudoers tries to open
         sudoers using group permissions to avoid this problem.  Consider
         changing the ownership of /etc/sudoers by adding an option like
         ``sudoers_uid=N'' (where `N' is the user ID that owns the sudoers
         file) to the sudoers plugin line in the /etc/sudo.conf file.

     unable to stat /etc/sudoers
         The /etc/sudoers file is missing.

     /etc/sudoers is not a regular file
         The /etc/sudoers file exists but is not a regular file or symbolic
         link.

     /etc/sudoers is owned by uid N, should be 0
         The sudoers file has the wrong owner.  If you wish to change the
         sudoers file owner, please add ``sudoers_uid=N'' (where `N' is the
         user ID that owns the sudoers file) to the sudoers plugin line in the
         /etc/sudo.conf file.

     /etc/sudoers is world writable
         The permissions on the sudoers file allow all users to write to it.
         The sudoers file must not be world-writable; the default file mode is
         0440 (readable by owner and group, writable by none).  The default
         mode may be changed via the ``sudoers_mode'' option to the sudoers
         plugin line in the /etc/sudo.conf file.

     /etc/sudoers is owned by gid N, should be 1
         The sudoers file has the wrong group ownership.  If you wish to
         change the sudoers file group ownership, please add ``sudoers_gid=N''
         (where `N' is the group ID that owns the sudoers file) to the sudoers
         plugin line in the /etc/sudo.conf file.

     unable to open /var/adm/sudo/username/ttyname
         sudoers was unable to read or create the user's time stamp file.

     unable to write to /var/adm/sudo/username/ttyname
         sudoers was unable to write to the user's time stamp file.

     unable to mkdir to /var/adm/sudo/username
         sudoers was unable to create the user's time stamp directory.

   Notes on logging via syslog
     By default, sudoers logs messages via syslog(3).  The date, hostname, and
     progname fields are added by the syslog daemon, not sudoers itself.  As
     such, they may vary in format on different systems.

     On most systems, syslog(3) has a relatively small log buffer.  To prevent
     the command line arguments from being truncated, sudoers will split up
     log messages that are larger than 960 characters (not including the date,
     hostname, and the string ``sudo'').  When a message is split, additional
     parts will include the string ``(command continued)'' after the user name
     and before the continued command line arguments.

   Notes on logging to a file
     If the logfile option is set, sudoers will log to a local file, such as
     /var/log/sudo.  When logging to a file, sudoers uses a format similar to
     syslog(3), with a few important differences:

     1.  The progname and hostname fields are not present.

     2.  If the log_year option is enabled, the date will also include the
         year.

     3.  Lines that are longer than loglinelen characters (80 by default) are
         word-wrapped and continued on the next line with a four character
         indent.  This makes entries easier to read for a human being, but
         makes it more difficult to use grep(1) on the log files.  If the
         loglinelen option is set to 0 (or negated with a `!'), word wrap
         will be disabled.

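     The following is an added example, not code from the sudo project,
     that parses the accepted, denied and split log entries described in
     this section in both the syslog(3) form and the logfile form, and
     counts denials per user.  The sample lines are constructed; rejoining a
     ``(command continued)'' part with a single space is an assumption.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, Iterable, List, Optional

# syslog form: "date hostname progname: user : body"; logfile form: "date : user : body"
SYSLOG_RE = re.compile(
    r"^(?P<date>.+?) (?P<host>\S+) (?P<prog>[^\s:]+): (?P<user>\S+) : (?P<body>.*)$")
FILE_RE = re.compile(r"^(?P<date>.+?) : (?P<user>\S+) : (?P<body>.*)$")
FIELD_RE = re.compile(r"^[A-Z]+=")          # TTY=, PWD=, USER=, ...
CONTINUED = "(command continued) "

# Constructed sample lines, not real logs.
SAMPLE_LINES = [
    # syslog form: date, hostname, progname, then the fields
    "Apr 15 12:34:56 host1 sudo: millert : TTY=pts/0 ; PWD=/home/millert ; "
    "USER=root ; COMMAND=/usr/bin/ls -l /root",
    # logfile form with log_year, an I/O log id and command-line ENV vars
    "Apr 15 12:35:10 2013 : dowdy : TTY=console ; PWD=/ ; USER=oracle ; "
    "GROUP=dba ; TSID=000001 ; ENV=LANG=C COMMAND=/usr/bin/id",
    # a message sudoers split because it exceeded the syslog buffer
    "Apr 15 12:36:00 host1 sudo: bob : TTY=pts/2 ; PWD=/tmp ; USER=root ; "
    "COMMAND=/usr/bin/find / -name core",
    "Apr 15 12:36:00 host1 sudo: bob : (command continued) -delete",
    # a denied command: the reason follows the user name
    "Apr 15 12:37:00 host1 sudo: jwfox : command not allowed ; TTY=pts/1 ; "
    "PWD=/home/jwfox ; USER=root ; COMMAND=/usr/bin/su",
]


@dataclass
class SudoLogEntry:
    date: str
    user: str
    hostname: Optional[str] = None      # syslog form only
    progname: Optional[str] = None      # syslog form only
    reason: Optional[str] = None        # set for denied commands
    continued: Optional[str] = None     # set for "(command continued)" parts
    fields: Dict[str, str] = field(default_factory=dict)

    @property
    def accepted(self) -> bool:
        return self.reason is None and self.continued is None


def parse_line(line: str) -> SudoLogEntry:
    """Split one log line into its header and its " ; " separated fields."""
    line = line.rstrip("\n")
    m = SYSLOG_RE.match(line)
    if m:
        entry = SudoLogEntry(m["date"], m["user"], m["host"], m["prog"])
    else:
        m = FILE_RE.match(line)
        if not m:
            raise ValueError(f"not a sudoers log line: {line!r}")
        entry = SudoLogEntry(m["date"], m["user"])
    body = m["body"]
    if body.startswith(CONTINUED):
        entry.continued = body[len(CONTINUED):]
        return entry
    segments = body.split(" ; ")
    if not FIELD_RE.match(segments[0]):     # a denial reason, e.g. "user NOT in sudoers"
        entry.reason = segments.pop(0)
    for seg in segments:
        if seg.startswith("ENV=") and " COMMAND=" in seg:
            # ENV=... and COMMAND=... share the last segment, separated by a space
            env, _, cmd = seg[len("ENV="):].partition(" COMMAND=")
            entry.fields["ENV"], entry.fields["COMMAND"] = env, cmd
        else:
            key, _, value = seg.partition("=")
            entry.fields[key] = value
    return entry


def parse_log(lines: Iterable[str]) -> List[SudoLogEntry]:
    """Parse all lines; a continued part is appended to the preceding entry
    of the same user (joined with one space, an assumption)."""
    entries: List[SudoLogEntry] = []
    for line in lines:
        entry = parse_line(line)
        if entry.continued is not None and entries and entries[-1].user == entry.user:
            entries[-1].fields["COMMAND"] += " " + entry.continued
        else:
            entries.append(entry)
    return entries


def denials_by_user(entries: Iterable[SudoLogEntry]) -> Dict[str, int]:
    """Count denied commands per user, the figure an administrator would watch."""
    counts: Dict[str, int] = {}
    for e in entries:
        if e.reason is not None:
            counts[e.user] = counts.get(e.user, 0) + 1
    return counts


if __name__ == "__main__":
    for e in parse_log(SAMPLE_LINES):
        status = "ACCEPT" if e.accepted else f"DENY ({e.reason})"
        print(f"{e.date:22} {e.user:8} {status}: {e.fields.get('COMMAND')}")
```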
SUDO.CONF
     The /etc/sudo.conf file determines which plugins the sudo front end will
     load.  If no /etc/sudo.conf file is present, or it contains no Plugin
     lines, sudo will use the sudoers security policy and I/O logging, which
     corresponds to the following /etc/sudo.conf file.

         #
         # Default /etc/sudo.conf file
         #
         # Format:
         #   Plugin plugin_name plugin_path plugin_options ...
         #   Path askpass /path/to/askpass
         #   Path noexec /path/to/sudo_noexec.so
         #   Debug sudo /var/log/sudo_debug all@warn
         #   Set disable_coredump true
         #
         # The plugin_path is relative to /usr/local/libexec unless
         #   fully qualified.
         # The plugin_name corresponds to a global symbol in the plugin
         #   that contains the plugin interface structure.
         # The plugin_options are optional.
         #
         Plugin policy_plugin sudoers.so
         Plugin io_plugin sudoers.so

   Plugin options
     Starting with sudo 1.8.5, it is possible to pass options to the sudoers
     plugin.  Options may be listed after the path to the plugin (i.e. after
     sudoers.so); multiple options should be space-separated.  For example:

         Plugin sudoers_policy sudoers.so sudoers_file=/etc/sudoers sudoers_uid=0 sudoers_gid=0 sudoers_mode=0440

     The following plugin options are supported:

     sudoers_file=pathname
             The sudoers_file option can be used to override the default
             path to the sudoers file.

     sudoers_uid=uid
             The sudoers_uid option can be used to override the default
             owner of the sudoers file.  It should be specified as a numeric
             user ID.

     sudoers_gid=gid
             The sudoers_gid option can be used to override the default
             group of the sudoers file.  It should be specified as a numeric
             group ID.

     sudoers_mode=mode
             The sudoers_mode option can be used to override the default
             file mode for the sudoers file.  It should be specified as an
             octal value.

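     The following is an added example, not code from the sudo project,
     that reads the sudoers_* options from the Plugin lines of a sudo.conf
     and checks the owner, group and mode of the sudoers file against them,
     reporting the ownership and world-writable conditions listed under
     Error log entries.  The sample sudo.conf is constructed, and the
     fallback values are those of the example Plugin line above (a build
     may use others).

```python
import os
import stat
from typing import Dict, List

# Constructed sample, not a real sudo.conf.
SAMPLE_SUDO_CONF = """\
# constructed sample sudo.conf
Plugin sudoers_policy sudoers.so sudoers_file=/etc/sudoers sudoers_uid=0 sudoers_gid=0 sudoers_mode=0440
Plugin sudoers_io sudoers.so
"""

# Values used when a Plugin line does not set an option (assumption: taken
# from the example Plugin line on this page; a build may differ).
FALLBACK = {"sudoers_file": "/etc/sudoers", "sudoers_uid": 0,
            "sudoers_gid": 0, "sudoers_mode": 0o440}


def parse_plugin_options(conf_text: str) -> Dict[str, object]:
    """Collect sudoers_* options from every Plugin line that loads sudoers.so."""
    opts: Dict[str, object] = dict(FALLBACK)
    for line in conf_text.splitlines():
        words = line.split()
        if len(words) < 3 or words[0] != "Plugin":
            continue                          # comments, blank lines, Path/Debug/Set
        if os.path.basename(words[2]) != "sudoers.so":
            continue                          # some other plugin
        for opt in words[3:]:                 # options follow the plugin path
            key, _, value = opt.partition("=")
            if key == "sudoers_file":
                opts[key] = value
            elif key in ("sudoers_uid", "sudoers_gid"):
                opts[key] = int(value)        # numeric ids only
            elif key == "sudoers_mode":
                opts[key] = int(value, 8)     # octal, e.g. 0440
    return opts


def check_sudoers_perms(path: str, uid: int, gid: int, st_mode: int,
                        opts: Dict[str, object]) -> List[str]:
    """Return the problems sudoers would report for a file with these attributes."""
    problems: List[str] = []
    if not stat.S_ISREG(st_mode):
        return [f"{path} is not a regular file"]
    if uid != opts["sudoers_uid"]:
        problems.append(f"{path} is owned by uid {uid}, should be {opts['sudoers_uid']}")
    if gid != opts["sudoers_gid"]:
        problems.append(f"{path} is owned by gid {gid}, should be {opts['sudoers_gid']}")
    perm = stat.S_IMODE(st_mode)
    if perm & stat.S_IWOTH:
        problems.append(f"{path} is world writable")
    elif perm != opts["sudoers_mode"]:
        # The page lists only the world-writable message; any other mismatch
        # with sudoers_mode is reported here as well (assumption).
        problems.append(f"{path} has mode {perm:04o}, should be {opts['sudoers_mode']:04o}")
    return problems


def audit_sudoers_file(opts: Dict[str, object]) -> List[str]:
    """stat(2) the configured sudoers file (following symlinks) and check it."""
    path = str(opts["sudoers_file"])
    try:
        st = os.stat(path)
    except FileNotFoundError:
        return [f"unable to stat {path}"]
    return check_sudoers_perms(path, st.st_uid, st.st_gid, st.st_mode, opts)


if __name__ == "__main__":
    options = parse_plugin_options(SAMPLE_SUDO_CONF)
    for problem in audit_sudoers_file(options) or ["sudoers file looks fine"]:
        print(problem)
```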
1.1.1.3 ! misho 1671: DDeebbuugg ffllaaggss
! 1672: Versions 1.8.4 and higher of the _s_u_d_o_e_r_s plugin supports a debugging
! 1673: framework that can help track down what the plugin is doing internally if
! 1674: there is a problem. This can be configured in the _/_e_t_c_/_s_u_d_o_._c_o_n_f file as
! 1675: described in sudo(1m).
1.1.1.2 misho 1676:
1.1.1.3 ! misho 1677: The _s_u_d_o_e_r_s plugin uses the same debug flag format as the ssuuddoo front-end:
! 1678: _s_u_b_s_y_s_t_e_m@_p_r_i_o_r_i_t_y.
1.1.1.2 misho 1679:
1.1.1.3 ! misho 1680: The priorities used by _s_u_d_o_e_r_s, in order of decreasing severity, are:
! 1681: _c_r_i_t, _e_r_r, _w_a_r_n, _n_o_t_i_c_e, _d_i_a_g, _i_n_f_o, _t_r_a_c_e and _d_e_b_u_g. Each priority,
! 1682: when specified, also includes all priorities higher than it. For
! 1683: example, a priority of _n_o_t_i_c_e would include debug messages logged at
! 1684: _n_o_t_i_c_e and higher.
1.1.1.2 misho 1685:
1.1.1.3 ! misho 1686: The following subsystems are used by _s_u_d_o_e_r_s:
1.1.1.2 misho 1687:
1.1.1.3 ! misho 1688: _a_l_i_a_s User_Alias, Runas_Alias, Host_Alias and Cmnd_Alias processing
1.1.1.2 misho 1689:
1.1.1.3 ! misho 1690: _a_l_l matches every subsystem
1.1.1.2 misho 1691:
1.1.1.3 ! misho 1692: _a_u_d_i_t BSM and Linux audit code
1.1.1.2 misho 1693:
1.1.1.3 ! misho 1694: _a_u_t_h user authentication
1.1.1.2 misho 1695:
1.1.1.3 ! misho 1696: _d_e_f_a_u_l_t_s _s_u_d_o_e_r_s _D_e_f_a_u_l_t_s settings
1.1.1.2 misho 1697:
1.1.1.3 ! misho 1698: _e_n_v environment handling
1.1.1.2 misho 1699:
1.1.1.3 ! misho 1700: _l_d_a_p LDAP-based sudoers
1.1.1.2 misho 1701:
1.1.1.3 ! misho 1702: _l_o_g_g_i_n_g logging support
1.1.1.2 misho 1703:
1.1.1.3 ! misho 1704: _m_a_t_c_h matching of users, groups, hosts and netgroups in _s_u_d_o_e_r_s
1.1.1.2 misho 1705:
1.1.1.3 ! misho 1706: _n_e_t_i_f network interface handling
1.1.1.2 misho 1707:
1.1.1.3 ! misho 1708: _n_s_s network service switch handling in _s_u_d_o_e_r_s
1.1.1.2 misho 1709:
1.1.1.3 ! misho 1710: _p_a_r_s_e_r _s_u_d_o_e_r_s file parsing
1.1.1.2 misho 1711:
1.1.1.3 ! misho 1712: _p_e_r_m_s permission setting
1.1.1.2 misho 1713:
1.1.1.3 ! misho 1714: _p_l_u_g_i_n The equivalent of _m_a_i_n for the plugin.
1.1.1.2 misho 1715:
1.1.1.3 ! misho 1716: _p_t_y pseudo-tty related code
1.1.1.2 misho 1717:
1.1.1.3 ! misho 1718: _r_b_t_r_e_e redblack tree internals
1.1.1.2 misho 1719:
1.1.1.3 ! misho 1720: _u_t_i_l utility functions
1.1.1.2 misho 1721:
1.1 misho 1722: FFIILLEESS
1.1.1.3 ! misho 1723: _/_e_t_c_/_s_u_d_o_._c_o_n_f Sudo front end configuration
1.1.1.2 misho 1724:
1.1.1.3 ! misho 1725: _/_e_t_c_/_s_u_d_o_e_r_s List of who can run what
1.1 misho 1726:
1.1.1.3 ! misho 1727: _/_e_t_c_/_g_r_o_u_p Local groups file
1.1 misho 1728:
1.1.1.3 ! misho 1729: _/_e_t_c_/_n_e_t_g_r_o_u_p List of network groups
1.1 misho 1730:
1.1.1.3 ! misho 1731: _/_v_a_r_/_l_o_g_/_s_u_d_o_-_i_o I/O log files
1.1 misho 1732:
1.1.1.3 ! misho 1733: _/_v_a_r_/_a_d_m_/_s_u_d_o Directory containing time stamps for the
1.1 misho 1734: _s_u_d_o_e_r_s security policy
1735:
1.1.1.3 ! misho 1736: _/_e_t_c_/_e_n_v_i_r_o_n_m_e_n_t Initial environment for --ii mode on AIX and
1.1.1.2 misho 1737: Linux systems
1.1 misho 1738:
1739: EEXXAAMMPPLLEESS
1.1.1.3 ! misho 1740: Below are example _s_u_d_o_e_r_s entries. Admittedly, some of these are a bit
! 1741: contrived. First, we allow a few environment variables to pass and then
! 1742: define our _a_l_i_a_s_e_s:
1.1 misho 1743:
1.1.1.3 ! misho 1744: # Run X applications through sudo; HOME is used to find the
! 1745: # .Xauthority file. Note that other programs use HOME to find
! 1746: # configuration files and this may lead to privilege escalation!
! 1747: Defaults env_keep += "DISPLAY HOME"
1.1 misho 1748:
1.1.1.3 ! misho 1749: # User alias specification
! 1750: User_Alias FULLTIMERS = millert, mikef, dowdy
! 1751: User_Alias PARTTIMERS = bostley, jwfox, crawl
! 1752: User_Alias WEBMASTERS = will, wendy, wim
1.1 misho 1753:
1.1.1.3 ! misho 1754: # Runas alias specification
! 1755: Runas_Alias OP = root, operator
! 1756: Runas_Alias DB = oracle, sybase
! 1757: Runas_Alias ADMINGRP = adm, oper
1.1 misho 1758:
1.1.1.3 ! misho 1759: # Host alias specification
! 1760: Host_Alias SPARC = bigtime, eclipse, moet, anchor :\
! 1761: SGI = grolsch, dandelion, black :\
! 1762: ALPHA = widget, thalamus, foobar :\
! 1763: HPPA = boa, nag, python
! 1764: Host_Alias CUNETS = 128.138.0.0/255.255.0.0
! 1765: Host_Alias CSNETS = 128.138.243.0, 128.138.204.0/24, 128.138.242.0
! 1766: Host_Alias SERVERS = master, mail, www, ns
! 1767: Host_Alias CDROM = orion, perseus, hercules
1.1 misho 1768:
1.1.1.3 ! misho 1769: # Cmnd alias specification
! 1770: Cmnd_Alias DUMPS = /usr/bin/mt, /usr/sbin/dump, /usr/sbin/rdump,\
! 1771: /usr/sbin/restore, /usr/sbin/rrestore
! 1772: Cmnd_Alias KILL = /usr/bin/kill
! 1773: Cmnd_Alias PRINTING = /usr/sbin/lpc, /usr/bin/lprm
! 1774: Cmnd_Alias SHUTDOWN = /usr/sbin/shutdown
! 1775: Cmnd_Alias HALT = /usr/sbin/halt
! 1776: Cmnd_Alias REBOOT = /usr/sbin/reboot
! 1777: Cmnd_Alias SHELLS = /usr/bin/sh, /usr/bin/csh, /usr/bin/ksh,\
! 1778: /usr/local/bin/tcsh, /usr/bin/rsh,\
! 1779: /usr/local/bin/zsh
! 1780: Cmnd_Alias SU = /usr/bin/su
! 1781: Cmnd_Alias PAGERS = /usr/bin/more, /usr/bin/pg, /usr/bin/less
1.1 misho 1782:
1.1.1.3 ! misho 1783: Here we override some of the compiled in default values. We want ssuuddoo to
! 1784: log via syslog(3) using the _a_u_t_h facility in all cases. We don't want to
! 1785: subject the full time staff to the ssuuddoo lecture, user mmiilllleerrtt need not
! 1786: give a password, and we don't want to reset the LOGNAME, USER or USERNAME
! 1787: environment variables when running commands as root. Additionally, on
! 1788: the machines in the _S_E_R_V_E_R_S Host_Alias, we keep an additional local log
! 1789: file and make sure we log the year in each log line since the log entries
! 1790: will be kept around for several years. Lastly, we disable shell escapes
! 1791: for the commands in the PAGERS Cmnd_Alias (_/_u_s_r_/_b_i_n_/_m_o_r_e, _/_u_s_r_/_b_i_n_/_p_g and
! 1792: _/_u_s_r_/_b_i_n_/_l_e_s_s).
1.1 misho 1793:
1.1.1.3 ! misho 1794: # Override built-in defaults
! 1795: Defaults syslog=auth
! 1796: Defaults>root !set_logname
! 1797: Defaults:FULLTIMERS !lecture
! 1798: Defaults:millert !authenticate
! 1799: Defaults@SERVERS log_year, logfile=/var/log/sudo.log
! 1800: Defaults!PAGERS noexec
1.1 misho 1801:
1.1.1.3 ! misho 1802: The _U_s_e_r _s_p_e_c_i_f_i_c_a_t_i_o_n is the part that actually determines who may run
! 1803: what.
1.1 misho 1804:
1.1.1.3 ! misho 1805: root ALL = (ALL) ALL
! 1806: %wheel ALL = (ALL) ALL
1.1 misho 1807:
1.1.1.3 ! misho 1808: We let rroooott and any user in group wwhheeeell run any command on any host as
! 1809: any user.
1.1 misho 1810:
1.1.1.3 ! misho 1811: FULLTIMERS ALL = NOPASSWD: ALL
1.1 misho 1812:
1.1.1.3 ! misho 1813: Full time sysadmins (mmiilllleerrtt, mmiikkeeff, and ddoowwddyy) may run any command on
! 1814: any host without authenticating themselves.
1.1 misho 1815:
1.1.1.3 ! misho 1816: PARTTIMERS ALL = ALL
1.1 misho 1817:
1.1.1.3 ! misho 1818: Part time sysadmins bboossttlleeyy, jjwwffooxx, and ccrraawwll) may run any command on any
! 1819: host but they must authenticate themselves first (since the entry lacks
! 1820: the NOPASSWD tag).

         jack       CSNETS = ALL

     The user jack may run any command on the machines in the CSNETS alias
     (the networks 128.138.243.0, 128.138.204.0, and 128.138.242.0). Of those
     networks, only 128.138.204.0 has an explicit netmask (in CIDR notation)
     indicating it is a class C network. For the other networks in CSNETS,
     the local machine's netmask will be used during matching.

         lisa       CUNETS = ALL

     The user lisa may run any command on any host in the CUNETS alias (the
     class B network 128.138.0.0).

         operator   ALL = DUMPS, KILL, SHUTDOWN, HALT, REBOOT, PRINTING,\
                    sudoedit /etc/printcap, /usr/oper/bin/

     The operator user may run commands limited to simple maintenance. Here,
     those are commands related to backups, killing processes, the printing
     system, shutting down the system, and any commands in the directory
     /usr/oper/bin/.

         joe        ALL = /usr/bin/su operator

     The user joe may only su(1) to operator.

         pete       HPPA = /usr/bin/passwd [A-Za-z]*, !/usr/bin/passwd root

     The user pete is allowed to change anyone's password except for root on
     the HPPA machines. Note that this assumes passwd(1) does not take
     multiple user names on the command line.

         %opers     ALL = (: ADMINGRP) /usr/sbin/

     Users in the opers group may run commands in /usr/sbin/ as themselves
     with any group in the ADMINGRP Runas_Alias (the adm and oper groups).

         bob        SPARC = (OP) ALL : SGI = (OP) ALL

     The user bob may run anything on the SPARC and SGI machines as any user
     listed in the OP Runas_Alias (root and operator).

         jim        +biglab = ALL

     The user jim may run any command on machines in the biglab netgroup.
     sudo knows that ``biglab'' is a netgroup due to the `+' prefix.

         +secretaries ALL = PRINTING, /usr/bin/adduser, /usr/bin/rmuser

     Users in the secretaries netgroup need to help manage the printers as
     well as add and remove users, so they are allowed to run those commands
     on all machines.

         fred       ALL = (DB) NOPASSWD: ALL

     The user fred can run commands as any user in the DB Runas_Alias (oracle
     or sybase) without giving a password.

         john       ALPHA = /usr/bin/su [!-]*, !/usr/bin/su *root*

     On the ALPHA machines, user john may su to anyone except root but he is
     not allowed to specify any options to the su(1) command.

         jen        ALL, !SERVERS = ALL

     The user jen may run any command on any machine except for those in the
     SERVERS Host_Alias (master, mail, www and ns).

         jill       SERVERS = /usr/bin/, !SU, !SHELLS

     For any machine in the SERVERS Host_Alias, jill may run any commands in
     the directory /usr/bin/ except for those commands belonging to the SU and
     SHELLS Cmnd_Aliases.

         steve      CSNETS = (operator) /usr/local/op_commands/

     The user steve may run any command in the directory
     /usr/local/op_commands/ but only as user operator.

         matt       valkyrie = KILL

     On his personal workstation, valkyrie, matt needs to be able to kill hung
     processes.

         WEBMASTERS www = (www) ALL, (root) /usr/bin/su www

     On the host www, any user in the WEBMASTERS User_Alias (will, wendy, and
     wim) may run any command as user www (which owns the web pages) or
     simply su(1) to www.

         ALL        CDROM = NOPASSWD: /sbin/umount /CDROM,\
                    /sbin/mount -o nosuid,nodev /dev/cd0a /CDROM

     Any user may mount or unmount a CD-ROM on the machines in the CDROM
     Host_Alias (orion, perseus, hercules) without entering a password. This
     is a bit tedious for users to type, so it is a prime candidate for
     encapsulating in a shell script.

SECURITY NOTES
   Limitations of the `!' operator
     It is generally not effective to ``subtract'' commands from ALL using the
     `!' operator. A user can trivially circumvent this by copying the
     desired command to a different name and then executing that. For
     example:

         bill       ALL = ALL, !SU, !SHELLS

     doesn't really prevent bill from running the commands listed in SU or
     SHELLS since he can simply copy those commands to a different name, or
     use a shell escape from an editor or other program. Therefore, this
     kind of restriction should be considered advisory at best (and
     reinforced by policy).

     In general, if a user has sudo ALL there is nothing to prevent them from
     creating their own program that gives them a root shell (or making their
     own copy of a shell) regardless of any `!' elements in the user
     specification.

   Security implications of fast_glob
     If the fast_glob option is in use, it is not possible to reliably negate
     commands where the path name includes globbing (aka wildcard) characters.
     This is because the C library's fnmatch(3) function cannot resolve
     relative paths. While this is typically only an inconvenience for rules
     that grant privileges, it can result in a security issue for rules that
     subtract or revoke privileges.

     For example, given the following sudoers entry:

         john       ALL = /usr/bin/passwd [a-zA-Z0-9]*, /usr/bin/chsh [a-zA-Z0-9]*,\
                    /usr/bin/chfn [a-zA-Z0-9]*, !/usr/bin/* root

     User john can still run /usr/bin/passwd root if fast_glob is enabled by
     changing to /usr/bin and running ./passwd root instead.
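
     As an added policy-review example (not part of the sudo distribution),
     the following Python script scans a constructed sudoers fragment for the
     two negation patterns described in this and the preceding subsection: a
     `!' entry that merely subtracts from ALL (advisory at best) and a negated
     wildcard command while fast_glob is set. The tag list and the
     comma-plus-space command separator are simplifying assumptions.

```python
import re
# Constructed sample (not from the sudo distribution); bill and john are the SECURITY NOTES rules.
SAMPLE_SUDOERS = """\
Defaults    fast_glob
bill  ALL = ALL, !SU, !SHELLS
john  ALL = /usr/bin/passwd [a-zA-Z0-9]*, /usr/bin/chsh [a-zA-Z0-9]*,\\
      /usr/bin/chfn [a-zA-Z0-9]*, !/usr/bin/* root
jill  SERVERS = /usr/bin/, !SU, !SHELLS
ALL   CDROM = NOPASSWD: /sbin/umount /CDROM,\\
      /sbin/mount -o nosuid,nodev /dev/cd0a /CDROM
"""
# Assumed sudoers 1.8 tag set; tags are removed before commands are split.
TAG_RE = re.compile(r"\b(?:NO)?(?:PASSWD|EXEC|SETENV|LOG_INPUT|LOG_OUTPUT):\s*")

def logical_lines(text):
    """Join backslash continuations, drop comments, normalise whitespace."""
    out, buf = [], ""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        buf += line
        if buf.strip():
            out.append(" ".join(buf.split()))
        buf = ""
    return out

def audit_negations(text):
    """Return (user, code): 'advisory' if '!' merely subtracts from ALL,
    'fast_glob' if a negated command has wildcards while fast_glob is set."""
    lines = logical_lines(text)
    fast_glob = any(l.startswith("Defaults") and re.search(r"(?<!!)\bfast_glob\b", l) for l in lines)
    findings = []
    for line in lines:
        if line.startswith("Defaults") or re.match(r"\w+_Alias\b", line) or "=" not in line:
            continue
        user = line.split()[0]
        # Strip Runas "(...)" and tags, then split on comma+space (simplification: "nosuid,nodev" stays whole).
        cmds = TAG_RE.sub("", re.sub(r"\([^)]*\)", "", line.split("=", 1)[1]))
        cmds = [c.strip() for c in re.split(r",\s+", cmds) if c.strip()]
        negated = [c for c in cmds if c.startswith("!")]
        if "ALL" in cmds and negated:
            findings.append((user, "advisory"))
        if fast_glob and any(ch in c for c in negated for ch in "*?["):
            findings.append((user, "fast_glob"))
    return findings

if __name__ == "__main__":
    print(audit_negations(SAMPLE_SUDOERS))  # [('bill', 'advisory'), ('john', 'fast_glob')]
```

     jill's directory-based rule and the CDROM rule produce no finding: they
     negate nothing from ALL and use no wildcards.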

   Preventing shell escapes
     Once sudo executes a program, that program is free to do whatever it
     pleases, including run other programs. This can be a security issue
     since it is not uncommon for a program to allow shell escapes, which lets
     a user bypass sudo's access control and logging. Common programs that
     permit shell escapes include shells (obviously), editors, paginators,
     mail and terminal programs.

     There are two basic approaches to this problem:

     restrict  Avoid giving users access to commands that allow the user to
               run arbitrary commands. Many editors have a restricted mode
               where shell escapes are disabled, though sudoedit is a better
               solution to running editors via sudo. Due to the large number
               of programs that offer shell escapes, restricting users to the
               set of programs that do not is often unworkable.

     noexec    Many systems that support shared libraries have the ability to
               override default library functions by pointing an environment
               variable (usually LD_PRELOAD) to an alternate shared library.
               On such systems, sudo's noexec functionality can be used to
               prevent a program run by sudo from executing any other
               programs. Note, however, that this applies only to native
               dynamically-linked executables. Statically-linked executables
               and foreign executables running under binary emulation are not
               affected.

               The noexec feature is known to work on SunOS, Solaris, *BSD,
               Linux, IRIX, Tru64 UNIX, MacOS X, HP-UX 11.x and AIX 5.3 and
               above. It should be supported on most operating systems that
               support the LD_PRELOAD environment variable. Check your
               operating system's manual pages for the dynamic linker (usually
               ld.so, ld.so.1, dyld, dld.sl, rld, or loader) to see if
               LD_PRELOAD is supported.

               On Solaris 10 and higher, noexec uses Solaris privileges
               instead of the LD_PRELOAD environment variable.

               To enable noexec for a command, use the NOEXEC tag as
               documented in the User Specification section above. Here is
               that example again:

                   aaron      shanty = NOEXEC: /usr/bin/more, /usr/bin/vi

               This allows user aaron to run /usr/bin/more and /usr/bin/vi
               with noexec enabled. This will prevent those two commands from
               executing other commands (such as a shell). If you are unsure
               whether or not your system is capable of supporting noexec you
               can always just try it out and check whether shell escapes work
               when noexec is enabled.

     Note that restricting shell escapes is not a panacea. Programs running
     as root are still capable of many potentially hazardous operations (such
     as changing or overwriting files) that could lead to unintended privilege
     escalation. In the specific case of an editor, a safer approach is to
     give the user permission to run sudoedit.

   Time stamp file checks
     sudoers will check the ownership of its time stamp directory
     (/var/adm/sudo by default) and ignore the directory's contents if it is
     not owned by root or if it is writable by a user other than root. On
     systems that allow non-root users to give away files via chown(2), if the
     time stamp directory is located in a world-writable directory (e.g.,
     /tmp), it is possible for a user to create the time stamp directory
     before sudo is run. However, because sudoers checks the ownership and
     mode of the directory and its contents, the only damage that can be done
     is to ``hide'' files by putting them in the time stamp dir. This is
     unlikely to happen since once the time stamp dir is owned by root and
     inaccessible by any other user, the user placing files there would be
     unable to get them back out.

     sudoers will not honor time stamps set far in the future. Time stamps
     with a date greater than current_time + 2 * TIMEOUT will be ignored and
     sudo will log and complain. This is done to keep a user from creating
     his/her own time stamp with a bogus date on systems that allow users to
     give away files if the time stamp directory is located in a
     world-writable directory.

     On systems where the boot time is available, sudoers will ignore time
     stamps that date from before the machine booted.

     Since time stamp files live in the file system, they can outlive a user's
     login session. As a result, a user may be able to log in, run a command
     with sudo after authenticating, log out, log in again, and run sudo
     without authenticating so long as the time stamp file's modification
     time is within 5 minutes (or whatever the timeout is set to in sudoers).
     When the tty_tickets option is enabled, the time stamp has per-tty
     granularity but still may outlive the user's session. On Linux systems
     where the devpts filesystem is used, Solaris systems with the devices
     filesystem, as well as other systems that utilize a devfs filesystem
     that monotonically increases the inode number of devices as they are
     created (such as Mac OS X), sudoers is able to determine when a tty-based
     time stamp file is stale and will ignore it. Administrators should not
     rely on this feature as it is not universally available.
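
     The checks described in this subsection, as an added Python model that
     is not sudo's own code: the directory ownership and mode test, the
     far-future and pre-boot staleness rules, and the timeout comparison.
     DirStat is a constructed stand-in for an os.stat() result and the epoch
     values in the demo are made up.

```python
import stat
from collections import namedtuple

# Constructed stand-in for an os.stat() result (only the fields the checks use).
DirStat = namedtuple("DirStat", "st_uid st_mode")

def timestamp_dir_trusted(st):
    """The directory check from the manual: contents are ignored unless the
    directory is owned by root and writable by nobody other than root."""
    if st.st_uid != 0:
        return False
    return not (st.st_mode & (stat.S_IWGRP | stat.S_IWOTH))

def timestamp_status(mtime, now, timeout, boot_time=None):
    """Classify a stamp's mtime as the SECURITY NOTES describe: 'future'
    (beyond now + 2*timeout, logged and ignored), 'pre-boot' (older than the
    current boot, when boot time is known), 'expired' or 'valid'. Seconds."""
    if mtime > now + 2 * timeout:
        return "future"
    if boot_time is not None and mtime < boot_time:
        return "pre-boot"
    if now - mtime > timeout:
        return "expired"
    return "valid"

def may_skip_auth(dir_st, mtime, now, timeout, boot_time=None):
    """Authentication is skipped only when directory and stamp both pass."""
    return (timestamp_dir_trusted(dir_st)
            and timestamp_status(mtime, now, timeout, boot_time) == "valid")

if __name__ == "__main__":
    now, timeout, boot = 1_700_000_000, 300, 1_699_990_000   # 5 minute timeout
    good_dir = DirStat(st_uid=0, st_mode=stat.S_IFDIR | 0o700)
    tmp_like = DirStat(st_uid=0, st_mode=stat.S_IFDIR | 0o1777)  # world-writable
    print(timestamp_status(now - 60, now, timeout, boot))        # valid
    print(timestamp_status(now + 601, now, timeout, boot))       # future
    print(timestamp_status(boot - 1, now, timeout, boot))        # pre-boot
    print(may_skip_auth(good_dir, now - 60, now, timeout, boot))  # True
    print(may_skip_auth(tmp_like, now - 60, now, timeout, boot))  # False
```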

SEE ALSO
     ssh(1), su(1), fnmatch(3), glob(3), mktemp(3), strftime(3),
     sudoers.ldap(4), sudo_plugin(1m), sudo(1m), visudo(1m)

CAVEATS
     The sudoers file should always be edited by the visudo command which
     locks the file and does grammatical checking. It is imperative that
     sudoers be free of syntax errors since sudo will not run with a
     syntactically incorrect sudoers file.

     When using netgroups of machines (as opposed to users), if you store
     fully qualified host names in the netgroup (as is usually the case), you
     either need to have the machine's host name be fully qualified as
     returned by the hostname command or use the fqdn option in sudoers.

BUGS
     If you feel you have found a bug in sudo, please submit a bug report at
     http://www.sudo.ws/sudo/bugs/

SUPPORT
     Limited free support is available via the sudo-users mailing list, see
     http://www.sudo.ws/mailman/listinfo/sudo-users to subscribe or search the
     archives.

DISCLAIMER
     sudo is provided ``AS IS'' and any express or implied warranties,
     including, but not limited to, the implied warranties of merchantability
     and fitness for a particular purpose are disclaimed. See the LICENSE
     file distributed with sudo or http://www.sudo.ws/sudo/license.html for
     complete details.

Sudo 1.8.6                       July 16, 2012                       Sudo 1.8.6