Annotation of embedaddon/sudo/doc/sudoers.cat, revision 1.1.1.5
SUDOERS(4)                   Programmer's Manual                   SUDOERS(4)

NAME
     sudoers - default sudo security policy plugin

DESCRIPTION
     The sudoers policy plugin determines a user's sudo privileges.  It is the
     default sudo policy plugin.  The policy is driven by the /etc/sudoers
     file or, optionally, in LDAP.  The policy format is described in detail
     in the SUDOERS FILE FORMAT section.  For information on storing sudoers
     policy information in LDAP, please see sudoers.ldap(4).

   Configuring sudo.conf for sudoers
     sudo consults the sudo.conf(4) file to determine which policy and I/O
     logging plugins to load.  If no sudo.conf(4) file is present, or if it
     contains no Plugin lines, sudoers will be used for policy decisions and
     I/O logging.  To explicitly configure sudo.conf(4) to use the sudoers
     plugin, the following configuration can be used.

         Plugin sudoers_policy sudoers.so
         Plugin sudoers_io sudoers.so

     Starting with sudo 1.8.5, it is possible to specify optional arguments to
     the sudoers plugin in the sudo.conf(4) file.  These arguments, if
     present, should be listed after the path to the plugin (i.e. after
     sudoers.so).  Multiple arguments may be specified, separated by white
     space.  For example:

         Plugin sudoers_policy sudoers.so sudoers_mode=0400

     The following plugin arguments are supported:

     ldap_conf=pathname
           The ldap_conf argument can be used to override the default path
           to the ldap.conf file.

     ldap_secret=pathname
           The ldap_secret argument can be used to override the default
           path to the ldap.secret file.

     sudoers_file=pathname
           The sudoers_file argument can be used to override the default
           path to the sudoers file.

     sudoers_uid=uid
           The sudoers_uid argument can be used to override the default
           owner of the sudoers file.  It should be specified as a numeric
           user ID.

     sudoers_gid=gid
           The sudoers_gid argument can be used to override the default
           group of the sudoers file.  It must be specified as a numeric
           group ID (not a group name).

     sudoers_mode=mode
           The sudoers_mode argument can be used to override the default
           file mode for the sudoers file.  It should be specified as an
           octal value.

     For more information on configuring sudo.conf(4), please refer to its
     manual.

   Authentication and logging
     The sudoers security policy requires that most users authenticate
     themselves before they can use sudo.  A password is not required if the
     invoking user is root, if the target user is the same as the invoking
     user, or if the policy has disabled authentication for the user or
     command.  Unlike su(1), when sudoers requires authentication, it
     validates the invoking user's credentials, not the target user's (or
     root's) credentials.  This can be changed via the rootpw, targetpw and
     runaspw flags, described later.

     If a user who is not listed in the policy tries to run a command via
     sudo, mail is sent to the proper authorities.  The address used for such
     mail is configurable via the mailto Defaults entry (described later) and
     defaults to root.

     Note that mail will not be sent if an unauthorized user tries to run sudo
     with the -l or -v option.  This allows users to determine for themselves
     whether or not they are allowed to use sudo.

     If sudo is run by root and the SUDO_USER environment variable is set, the
     sudoers policy will use this value to determine who the actual user is.
     This can be used by a user to log commands through sudo even when a root
     shell has been invoked.  It also allows the -e option to remain useful
     even when invoked via a sudo-run script or program.  Note, however, that
     the sudoers lookup is still done for root, not the user specified by
     SUDO_USER.

     sudoers uses time stamp files for credential caching.  Once a user has
     been authenticated, the time stamp is updated and the user may then use
     sudo without a password for a short period of time (5 minutes unless
     overridden by the timeout option).  By default, sudoers uses a tty-based
     time stamp which means that there is a separate time stamp for each of a
     user's login sessions.  The tty_tickets option can be disabled to force
     the use of a single time stamp for all of a user's sessions.

     sudoers can log both successful and unsuccessful attempts (as well as
     errors) to syslog(3), a log file, or both.  By default, sudoers will log
     via syslog(3) but this is changeable via the syslog and logfile Defaults
     settings.

     sudoers also supports logging a command's input and output streams.  I/O
     logging is not on by default but can be enabled using the log_input and
     log_output Defaults flags as well as the LOG_INPUT and LOG_OUTPUT command
     tags.

   Command environment
     Since environment variables can influence program behavior, sudoers
     provides a means to restrict which variables from the user's environment
     are inherited by the command to be run.  There are two distinct ways
     sudoers can deal with environment variables.

     By default, the env_reset option is enabled.  This causes commands to be
     executed with a new, minimal environment.  On AIX (and Linux systems
     without PAM), the environment is initialized with the contents of the
     /etc/environment file.  On BSD systems, if the use_loginclass option is
     enabled, the environment is initialized based on the path and setenv
     settings in /etc/login.conf.  The new environment contains the TERM,
     PATH, HOME, MAIL, SHELL, LOGNAME, USER, USERNAME and SUDO_* variables in
     addition to variables from the invoking process permitted by the
     env_check and env_keep options.  This is effectively a whitelist for
     environment variables.

     If, however, the env_reset option is disabled, any variables not
     explicitly denied by the env_check and env_delete options are inherited
     from the invoking process.  In this case, env_check and env_delete behave
     like a blacklist.  Since it is not possible to blacklist all potentially
     dangerous environment variables, use of the default env_reset behavior is
     encouraged.

     In all cases, environment variables with a value beginning with () are
     removed as they could be interpreted as bash functions.  The list of
     environment variables that sudo allows or denies is contained in the
     output of ``sudo -V'' when run as root.

     Note that the dynamic linker on most operating systems will remove
     variables that can control dynamic linking from the environment of setuid
     executables, including sudo.  Depending on the operating system this may
     include _RLD*, DYLD_*, LD_*, LDR_*, LIBPATH, SHLIB_PATH, and others.
     These types of variables are removed from the environment before sudo
     even begins execution and, as such, it is not possible for sudo to
     preserve them.

     As a special case, if sudo's -i option (initial login) is specified,
     sudoers will initialize the environment regardless of the value of
     env_reset.  The DISPLAY, PATH and TERM variables remain unchanged; HOME,
     MAIL, SHELL, USER, and LOGNAME are set based on the target user.  On AIX
     (and Linux systems without PAM), the contents of /etc/environment are
     also included.  On BSD systems, if the use_loginclass option is enabled,
     the path and setenv variables in /etc/login.conf are also applied.  All
     other environment variables are removed.

     Finally, if the env_file option is defined, any variables present in that
     file will be set to their specified values as long as they would not
     conflict with an existing environment variable.

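     The whitelist-versus-blacklist distinction above, as an added example
     (not code from sudo or from this manual): a small Python model of the
     env_reset and !env_reset filtering.  The env_keep, env_check and
     env_delete lists and the invoking environment are constructed for the
     demonstration; on a real host the authoritative lists come from
     ``sudo -V'' run as root, and the env_check rule shown (reject a value
     containing `%' or `/') is a simplification.

```python
"""Model of how sudoers filters the command environment (added example, not
sudo's own code).  env_reset=True is the whitelist described in the man page;
env_reset=False is the blacklist.  The env_* lists are constructed stand-ins
for what `sudo -V` prints on a real host."""
import fnmatch

# Variables always present in the env_reset environment (from the man page).
ALWAYS_KEPT = ("TERM", "PATH", "HOME", "MAIL", "SHELL", "LOGNAME", "USER",
               "USERNAME", "SUDO_*")
# Constructed lists; real values come from `sudo -V` run as root.
ENV_KEEP = ("COLORS", "DISPLAY", "LANG", "XAUTHORITY")
ENV_CHECK = ("COLORTERM", "LC_*", "TZ")
ENV_DELETE = ("IFS", "CDPATH", "LD_*", "PERL5LIB", "PYTHONPATH", "BASH_ENV", "ENV")


def _in(name, patterns):
    """Shell-style name match, since the env_* lists may use wildcards (LC_*)."""
    return any(fnmatch.fnmatchcase(name, p) for p in patterns)


def _check_ok(value):
    """env_check rule (assumption, simplified): a checked variable survives
    only if its value contains neither '%' nor '/'."""
    return "%" not in value and "/" not in value


def filter_env(env, env_reset=True):
    """Return the environment the command would receive."""
    kept = {}
    for name, value in env.items():
        # In all cases a value starting with "()" is dropped: bash would
        # import it as a function definition.
        if value.startswith("()"):
            continue
        if env_reset:
            # whitelist: only the fixed set, env_keep, and env_check survivors
            ok = (_in(name, ALWAYS_KEPT) or _in(name, ENV_KEEP)
                  or (_in(name, ENV_CHECK) and _check_ok(value)))
        else:
            # blacklist: everything survives unless deleted or failing the check
            ok = not (_in(name, ENV_DELETE)
                      or (_in(name, ENV_CHECK) and not _check_ok(value)))
        if ok:
            kept[name] = value
    return kept


# Constructed invoking environment for the demonstration.
SAMPLE_ENV = {
    "PATH": "/usr/bin:/bin",
    "HOME": "/home/alice",
    "LANG": "en_US.UTF-8",
    "TZ": "UTC",
    "LC_ALL": "../../tmp/evil",          # fails env_check: contains '/'
    "LD_PRELOAD": "/tmp/evil.so",        # on env_delete (ld.so strips it anyway)
    "PYTHONPATH": "/tmp/pwn",            # on env_delete
    "PERLLIB": "/tmp/pwn",               # on no list: slips through the blacklist
    "BASH_FUNC_ls": "() { /bin/sh; }",   # exported bash function: always removed
}

if __name__ == "__main__":
    for mode in (True, False):
        label = "env_reset" if mode else "!env_reset"
        print(label, sorted(filter_env(SAMPLE_ENV, mode)))
```

     Running it shows PERLLIB, which is on neither list, surviving only when
     env_reset is disabled; that is the gap the paragraph above warns about.
     The exported bash function is dropped in both modes.
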
SUDOERS FILE FORMAT
     The sudoers file is composed of two types of entries: aliases (basically
     variables) and user specifications (which specify who may run what).

     When multiple entries match for a user, they are applied in order.  Where
     there are multiple matches, the last match is used (which is not
     necessarily the most specific match).

     The sudoers grammar will be described below in Extended Backus-Naur Form
     (EBNF).  Don't despair if you are unfamiliar with EBNF; it is fairly
     simple, and the definitions below are annotated.

   Quick guide to EBNF
     EBNF is a concise and exact way of describing the grammar of a language.
     Each EBNF definition is made up of production rules.  E.g.,

         symbol ::= definition | alternate1 | alternate2 ...

     Each production rule references others and thus makes up a grammar for
     the language.  EBNF also contains the following operators, which many
     readers will recognize from regular expressions.  Do not, however,
     confuse them with ``wildcard'' characters, which have different meanings.

     ?     Means that the preceding symbol (or group of symbols) is optional.
           That is, it may appear once or not at all.

     *     Means that the preceding symbol (or group of symbols) may appear
           zero or more times.

     +     Means that the preceding symbol (or group of symbols) may appear
           one or more times.

     Parentheses may be used to group symbols together.  For clarity, we will
     use single quotes ('') to designate what is a verbatim character string
     (as opposed to a symbol name).

   Aliases
     There are four kinds of aliases: User_Alias, Runas_Alias, Host_Alias and
     Cmnd_Alias.

         Alias ::= 'User_Alias'  User_Alias (':' User_Alias)* |
                   'Runas_Alias' Runas_Alias (':' Runas_Alias)* |
                   'Host_Alias'  Host_Alias (':' Host_Alias)* |
                   'Cmnd_Alias'  Cmnd_Alias (':' Cmnd_Alias)*

         User_Alias ::= NAME '=' User_List

         Runas_Alias ::= NAME '=' Runas_List

         Host_Alias ::= NAME '=' Host_List

         Cmnd_Alias ::= NAME '=' Cmnd_List

         NAME ::= [A-Z]([A-Z][0-9]_)*

     Each alias definition is of the form

         Alias_Type NAME = item1, item2, ...

     where Alias_Type is one of User_Alias, Runas_Alias, Host_Alias, or
     Cmnd_Alias.  A NAME is a string of uppercase letters, numbers, and
     underscore characters (`_').  A NAME must start with an uppercase letter.
     It is possible to put several alias definitions of the same type on a
     single line, joined by a colon (`:').  E.g.,

         Alias_Type NAME = item1, item2, item3 : NAME = item4, item5

     The definitions of what constitutes a valid alias member follow.

         User_List ::= User |
                       User ',' User_List

         User ::= '!'* user name |
                  '!'* #uid |
                  '!'* %group |
                  '!'* %#gid |
                  '!'* +netgroup |
                  '!'* %:nonunix_group |
                  '!'* %:#nonunix_gid |
                  '!'* User_Alias

     A User_List is made up of one or more user names, user IDs (prefixed with
     `#'), system group names and IDs (prefixed with `%' and `%#'
     respectively), netgroups (prefixed with `+'), non-Unix group names and
     IDs (prefixed with `%:' and `%:#' respectively) and User_Aliases.  Each
     list item may be prefixed with zero or more `!' operators.  An odd number
     of `!' operators negate the value of the item; an even number just cancel
     each other out.

     A user name, uid, group, gid, netgroup, nonunix_group or nonunix_gid may
     be enclosed in double quotes to avoid the need for escaping special
     characters.  Alternately, special characters may be specified in escaped
     hex mode, e.g. \x20 for space.  When using double quotes, any prefix
     characters must be included inside the quotes.

     The actual nonunix_group and nonunix_gid syntax depends on the underlying
     group provider plugin.  For instance, the QAS AD plugin supports the
     following formats:

     o   Group in the same domain: "%:Group Name"

     o   Group in any domain: "%:Group Name@FULLY.QUALIFIED.DOMAIN"

     o   Group SID: "%:S-1-2-34-5678901234-5678901234-5678901234-567"

     See GROUP PROVIDER PLUGINS for more information.

     Note that quotes around group names are optional.  Unquoted strings must
     use a backslash (`\') to escape spaces and special characters.  See Other
     special characters and reserved words for a list of characters that need
     to be escaped.

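     A parser for the User_List syntax just described, added here as an
     example rather than sudo's own code.  It applies the `!' parity rule,
     classifies items by their prefix, accepts double-quoted items with the
     prefix inside the quotes, and resolves \xHH and backslash escapes in
     unquoted items.  Alias names are recognised by the NAME grammar but not
     expanded, and the SAMPLE list is constructed.

```python
"""Parser for a sudoers User_List (added example, not sudo's own code)."""
import re

ALIAS_NAME = re.compile(r"^[A-Z][A-Z0-9_]*$")   # NAME ::= [A-Z]([A-Z][0-9]_)*
PREFIXES = (("%:#", "nonunix_gid"), ("%:", "nonunix_group"), ("%#", "gid"),
            ("%", "group"), ("#", "uid"), ("+", "netgroup"))   # longest first


def split_user_list(text):
    """Split on commas that are outside double quotes and not backslash-escaped."""
    items, cur, quoted, i = [], [], False, 0
    while i < len(text):
        c = text[i]
        if c == "\\" and i + 1 < len(text):      # keep escape pairs intact for now
            cur.append(text[i:i + 2])
            i += 2
            continue
        if c == '"':
            quoted = not quoted
        if c == "," and not quoted:
            items.append("".join(cur).strip())
            cur = []
        else:
            cur.append(c)
        i += 1
    items.append("".join(cur).strip())
    return [it for it in items if it]


def unescape(s):
    """Resolve \\xHH hex escapes (e.g. \\x20 for space) and \\c escapes to c."""
    return re.sub(r"\\x([0-9A-Fa-f]{2})|\\(.)",
                  lambda m: chr(int(m.group(1), 16)) if m.group(1) else m.group(2), s)


def parse_member(item):
    """Return (kind, name, negated) for one User item."""
    negated = False
    while item.startswith("!"):          # odd number of `!' negates, even cancels
        negated = not negated
        item = item[1:]
    if len(item) >= 2 and item[0] == item[-1] == '"':
        item = item[1:-1]                # prefix characters live inside the quotes
    item = unescape(item)
    for prefix, kind in PREFIXES:
        if item.startswith(prefix):
            return kind, item[len(prefix):], negated
    if ALIAS_NAME.match(item):
        return "User_Alias", item, negated
    return "user", item, negated


def parse_user_list(text):
    return [parse_member(item) for item in split_user_list(text)]


# Constructed sample exercising every prefix form plus quoting and escapes.
SAMPLE = ('millert, !!#0, %wheel, %#0, +admins, "%:Domain Admins@EXAMPLE.COM", '
          '%:S-1-5-21-1, ADMINS, %odd\\x20group, !"%staff"')

if __name__ == "__main__":
    for kind, name, negated in parse_user_list(SAMPLE):
        print("!" if negated else " ", kind, repr(name))
```
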
         Runas_List ::= Runas_Member |
                        Runas_Member ',' Runas_List

         Runas_Member ::= '!'* user name |
                          '!'* #uid |
                          '!'* %group |
                          '!'* %#gid |
                          '!'* %:nonunix_group |
                          '!'* %:#nonunix_gid |
                          '!'* +netgroup |
                          '!'* Runas_Alias

     A Runas_List is similar to a User_List except that instead of
     User_Aliases it can contain Runas_Aliases.  Note that user names and
     groups are matched as strings.  In other words, two users (groups) with
     the same uid (gid) are considered to be distinct.  If you wish to match
     all user names with the same uid (e.g. root and toor), you can use a uid
     instead (#0 in the example given).

         Host_List ::= Host |
                       Host ',' Host_List

         Host ::= '!'* host name |
                  '!'* ip_addr |
                  '!'* network(/netmask)? |
                  '!'* +netgroup |
                  '!'* Host_Alias

     A Host_List is made up of one or more host names, IP addresses, network
     numbers, netgroups (prefixed with `+') and other aliases.  Again, the
     value of an item may be negated with the `!' operator.  If you do not
     specify a netmask along with the network number, sudo will query each of
     the local host's network interfaces and, if the network number
     corresponds to one of the host's network interfaces, the corresponding
     netmask will be used.  The netmask may be specified either in standard IP
     address notation (e.g. 255.255.255.0 or ffff:ffff:ffff:ffff::), or CIDR
     notation (number of bits, e.g. 24 or 64).  A host name may include shell-
     style wildcards (see the Wildcards section below), but unless the
     hostname command on your machine returns the fully qualified host name,
     you'll need to use the fqdn option for wildcards to be useful.  Note that
     sudo only inspects actual network interfaces; this means that IP address
     127.0.0.1 (localhost) will never match.  Also, the host name
     ``localhost'' will only match if that is the actual host name, which is
     usually only the case for non-networked systems.

314:
1.1.1.4 misho 315: digest ::= [A-Fa-f0-9]+ |
316: [[A-Za-z0-9+/=]+
317:
318: Digest_Spec ::= "sha224" ':' digest |
319: "sha256" ':' digest |
320: "sha384" ':' digest |
321: "sha512" ':' digest
322:
1.1.1.3 misho 323: Cmnd_List ::= Cmnd |
324: Cmnd ',' Cmnd_List
325:
326: command name ::= file name |
327: file name args |
328: file name '""'
329:
1.1.1.4 misho 330: Cmnd ::= Digest_Spec? '!'* command name |
1.1.1.3 misho 331: '!'* directory |
332: '!'* "sudoedit" |
333: '!'* Cmnd_Alias
334:
335: A Cmnd_List is a list of one or more command names, directories, and
336: other aliases. A command name is a fully qualified file name which may
337: include shell-style wildcards (see the _W_i_l_d_c_a_r_d_s section below). A
338: simple file name allows the user to run the command with any arguments
339: he/she wishes. However, you may also specify command line arguments
340: (including wildcards). Alternately, you can specify "" to indicate that
341: the command may only be run wwiitthhoouutt command line arguments. A directory
342: is a fully qualified path name ending in a `/'. When you specify a
343: directory in a Cmnd_List, the user will be able to run any file within
344: that directory (but not in any sub-directories therein).
345:
346: If a Cmnd has associated command line arguments, then the arguments in
347: the Cmnd must match exactly those given by the user on the command line
348: (or match the wildcards if there are any). Note that the following
349: characters must be escaped with a `\' if they are used in command
1.1.1.4 misho 350: arguments: `,', `:', `=', `\'. The built-in command ``sudoedit'' is used
1.1.1.3 misho 351: to permit a user to run ssuuddoo with the --ee option (or as ssuuddooeeddiitt). It may
1.1.1.4 misho 352: take command line arguments just as a normal command does. Note that
353: ``sudoedit'' is a command built into ssuuddoo itself and must be specified in
354: _s_u_d_o_e_r_s without a leading path.
355:
356: If a command name is prefixed with a Digest_Spec, the command will only
357: match successfully if it can be verified using the specified SHA-2
358: digest. This may be useful in situations where the user invoking ssuuddoo
359: has write access to the command or its parent directory. The following
360: digest formats are supported: sha224, sha256, sha384 and sha512. The
361: string may be specified in either hex or base64 format (base64 is more
362: compact). There are several utilities capable of generating SHA-2
363: digests in hex format such as openssl, shasum, sha224sum, sha256sum,
364: sha384sum, sha512sum.
365:
366: For example, using openssl:
367:
368: $ openssl dgst -sha224 /bin/ls
369: SHA224(/bin/ls)= 118187da8364d490b4a7debbf483004e8f3e053ec954309de2c41a25
370:
371: It is also possible to use openssl to generate base64 output:
372:
373: $ openssl dgst -binary -sha224 /bin/ls | openssl base64
374: EYGH2oNk1JC0p9679IMATo8+BT7JVDCd4sQaJQ==
375:
376: Command digests are only supported by version 1.8.7 or higher.
1.1 misho 377:
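     A checker for the Digest_Spec form above, added as an example (not sudo's
     own code).  The hex and base64 encodings are told apart by length, which
     is the only unambiguous way since every hex string is also valid base64
     text; demo() pins a constructed temporary file standing in for /bin/ls,
     verifies both encodings, then appends to the file and shows the match
     fail.  make_spec() produces the string to paste in front of the command
     in sudoers.

```python
"""Digest_Spec parsing and verification (added example, not sudo's own code)."""
import base64
import hashlib
import hmac
import os
import re
import tempfile

SPEC_RE = re.compile(r"^(sha224|sha256|sha384|sha512):([A-Za-z0-9+/=]+)$")


def parse_digest_spec(spec):
    """Return (algorithm, raw digest bytes) or raise ValueError."""
    m = SPEC_RE.match(spec)
    if not m:
        raise ValueError(f"unsupported Digest_Spec: {spec!r}")
    algo, text = m.groups()
    size = hashlib.new(algo).digest_size
    if len(text) == 2 * size and re.fullmatch(r"[A-Fa-f0-9]+", text):
        raw = bytes.fromhex(text)                      # hex form
    else:
        raw = base64.b64decode(text, validate=True)    # base64 form (more compact)
    if len(raw) != size:
        raise ValueError(f"{algo} digest must be {size} bytes, got {len(raw)}")
    return algo, raw


def file_digest(path, algo):
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.digest()


def command_matches_digest(path, spec):
    """True only if the file's content hashes to the digest in the spec."""
    algo, expected = parse_digest_spec(spec)
    return hmac.compare_digest(file_digest(path, algo), expected)


def make_spec(path, algo="sha224", b64=False):
    """Produce the Digest_Spec text for sudoers, e.g. sha224:EYGH..."""
    raw = file_digest(path, algo)
    text = base64.b64encode(raw).decode("ascii") if b64 else raw.hex()
    return f"{algo}:{text}"


def demo():
    """Pin a constructed file, verify both encodings, then tamper and re-check."""
    with tempfile.NamedTemporaryFile(delete=False) as f:
        f.write(b"#!/bin/sh\nexec /bin/ls \"$@\"\n")
        path = f.name
    try:
        hex_spec = make_spec(path, "sha224")
        b64_spec = make_spec(path, "sha224", b64=True)
        result = {"hex": command_matches_digest(path, hex_spec),
                  "b64": command_matches_digest(path, b64_spec)}
        with open(path, "ab") as f:          # simulate the binary being replaced
            f.write(b"cp /bin/sh /tmp/rootsh && chmod 4755 /tmp/rootsh\n")
        result["after_tamper"] = command_matches_digest(path, hex_spec)
    finally:
        os.unlink(path)
    return result


if __name__ == "__main__":
    print(demo())
```
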
   Defaults
     Certain configuration options may be changed from their default values at
     run-time via one or more Default_Entry lines.  These may affect all users
     on any host, all users on a specific host, a specific user, a specific
     command, or commands being run as a specific user.  Note that per-command
     entries may not include command line arguments.  If you need to specify
     arguments, define a Cmnd_Alias and reference that instead.

         Default_Type ::= 'Defaults' |
                          'Defaults' '@' Host_List |
                          'Defaults' ':' User_List |
                          'Defaults' '!' Cmnd_List |
                          'Defaults' '>' Runas_List

         Default_Entry ::= Default_Type Parameter_List

         Parameter_List ::= Parameter |
                            Parameter ',' Parameter_List

         Parameter ::= Parameter '=' Value |
                       Parameter '+=' Value |
                       Parameter '-=' Value |
                       '!'* Parameter

     Parameters may be flags, integer values, strings, or lists.  Flags are
     implicitly boolean and can be turned off via the `!' operator.  Some
     integer, string and list parameters may also be used in a boolean context
     to disable them.  Values may be enclosed in double quotes ("") when they
     contain multiple words.  Special characters may be escaped with a
     backslash (`\').

     Lists have two additional assignment operators, += and -=.  These
     operators are used to add to and delete from a list respectively.  It is
     not an error to use the -= operator to remove an element that does not
     exist in a list.

     Defaults entries are parsed in the following order: generic, host and
     user Defaults first, then runas Defaults and finally command defaults.

     See SUDOERS OPTIONS for a list of supported Defaults parameters.

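     The Defaults grammar and operators above, as an added example (not sudo's
     own code): a parser for Defaults lines and an evaluator that applies them
     in the documented order.  PARAM_TYPES is a constructed subset of the real
     option table, scope lists are matched as plain comma-separated names (no
     aliases, netgroups or wildcards), and SAMPLE_DEFAULTS is constructed.

```python
"""Parser and evaluator for sudoers Defaults lines (added example, not sudo's
own code)."""
import re

# Constructed subset of the option table; see SUDOERS OPTIONS for the real one.
PARAM_TYPES = {
    "env_reset": "flag", "tty_tickets": "flag", "fqdn": "flag", "log_input": "flag",
    "timeout": "int", "mailto": "string", "logfile": "string",
    "env_keep": "list", "env_check": "list", "env_delete": "list",
}
SCOPES = {"@": "host", ":": "user", "!": "cmnd", ">": "runas"}
# Documented order: generic, host and user first, then runas, then command.
ORDER = {None: 0, "host": 0, "user": 0, "runas": 1, "cmnd": 2}

LINE_RE = re.compile(r"^Defaults(?:([@:!>])\s*(\S+))?\s+(.*)$")
ITEM_RE = re.compile(r'(?:"(?:[^"\\]|\\.)*"|[^,])+')     # commas inside quotes do not split
PARAM_RE = re.compile(r"^(!*)(\w+)(?:\s*(\+=|-=|=)\s*(.*))?$")


def parse_defaults_line(line):
    """Return (scope_kind, scope_list, [(negated, name, op, value), ...])."""
    m = LINE_RE.match(line.strip())
    if not m:
        raise ValueError(f"not a Defaults line: {line!r}")
    kind, scope, params = m.groups()
    entries = []
    for item in ITEM_RE.findall(params):
        pm = PARAM_RE.match(item.strip())
        if not pm:
            raise ValueError(f"bad parameter: {item!r}")
        bangs, name, op, value = pm.groups()
        if value is not None:
            if len(value) >= 2 and value[0] == value[-1] == '"':
                value = value[1:-1]                  # quoted multi-word value
            value = re.sub(r"\\(.)", r"\1", value)   # backslash escapes
        entries.append((len(bangs) % 2 == 1, name, op, value))
    return SCOPES.get(kind), scope, entries


def apply_parameter(settings, negated, name, op, value):
    kind = PARAM_TYPES.get(name)
    if kind is None:
        raise ValueError(f"unknown Defaults parameter {name!r}")
    if op is None:
        if kind == "flag":
            settings[name] = not negated          # env_reset / !env_reset
        elif negated:
            settings[name] = None                 # e.g. !logfile: disabled
        else:
            raise ValueError(f"{name} needs a value")
        return
    if negated:
        raise ValueError(f"cannot combine `!' with {op} on {name}")
    if kind == "list":
        items = value.split()                     # list values are whitespace separated
        current = list(settings.get(name) or [])
        if op == "=":
            settings[name] = items
        elif op == "+=":
            settings[name] = current + [i for i in items if i not in current]
        else:                                     # -= of a missing element is not an error
            settings[name] = [i for i in current if i not in items]
    elif op != "=":
        raise ValueError(f"{op} is only valid for lists, not {name}")
    elif kind == "int":
        settings[name] = int(value)
    else:
        settings[name] = value


def effective_defaults(lines, user, host, runas="root", command=None):
    """Settings in force for one invocation, applied in the documented order
    (sorted() is stable, so file order is kept within each rank)."""
    parsed = sorted((parse_defaults_line(l) for l in lines), key=lambda p: ORDER[p[0]])
    subject = {"host": host, "user": user, "runas": runas, "cmnd": command}
    settings = {}
    for kind, scope, entries in parsed:
        if kind is not None and subject[kind] not in scope.split(","):
            continue
        for negated, name, op, value in entries:
            apply_parameter(settings, negated, name, op, value)
    return settings


SAMPLE_DEFAULTS = [            # constructed sudoers fragment
    'Defaults env_reset, timeout=15, mailto="root@example.com"',
    'Defaults env_keep += "LANG LC_ALL", env_keep += "LANG EDITOR"',
    'Defaults env_delete -= "NOT_IN_LIST"',
    'Defaults:alice !env_reset, timeout=5',
    'Defaults@boulder logfile=/var/log/sudo.log',
    'Defaults!/usr/bin/vi log_input',
]

if __name__ == "__main__":
    print(effective_defaults(SAMPLE_DEFAULTS, "alice", "boulder", command="/usr/bin/vi"))
```
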
   User specification
         User_Spec ::= User_List Host_List '=' Cmnd_Spec_List \
                       (':' Host_List '=' Cmnd_Spec_List)*

         Cmnd_Spec_List ::= Cmnd_Spec |
                            Cmnd_Spec ',' Cmnd_Spec_List

         Cmnd_Spec ::= Runas_Spec? SELinux_Spec? Solaris_Priv_Spec? Tag_Spec* Cmnd

         Runas_Spec ::= '(' Runas_List? (':' Runas_List)? ')'

         SELinux_Spec ::= ('ROLE=role' | 'TYPE=type')

         Solaris_Priv_Spec ::= ('PRIVS=privset' | 'LIMITPRIVS=privset')

         Tag_Spec ::= ('NOPASSWD:' | 'PASSWD:' | 'NOEXEC:' | 'EXEC:' |
                       'SETENV:' | 'NOSETENV:' | 'LOG_INPUT:' | 'NOLOG_INPUT:' |
                       'LOG_OUTPUT:' | 'NOLOG_OUTPUT:')

     A user specification determines which commands a user may run (and as
     what user) on specified hosts.  By default, commands are run as root, but
     this can be changed on a per-command basis.

     The basic structure of a user specification is ``who where = (as_whom)
     what''.  Let's break that down into its constituent parts:

   Runas_Spec
     A Runas_Spec determines the user and/or the group that a command may be
     run as.  A fully-specified Runas_Spec consists of two Runas_Lists (as
     defined above) separated by a colon (`:') and enclosed in a set of
     parentheses.  The first Runas_List indicates which users the command may
     be run as via sudo's -u option.  The second defines a list of groups that
     can be specified via sudo's -g option.  If both Runas_Lists are
     specified, the command may be run with any combination of users and
     groups listed in their respective Runas_Lists.  If only the first is
     specified, the command may be run as any user in the list but no -g
     option may be specified.  If the first Runas_List is empty but the second
     is specified, the command may be run as the invoking user with the group
     set to any listed in the Runas_List.  If both Runas_Lists are empty, the
     command may only be run as the invoking user.  If no Runas_Spec is
     specified the command may be run as root and no group may be specified.

     A Runas_Spec sets the default for the commands that follow it.  What this
     means is that for the entry:

         dgb     boulder = (operator) /bin/ls, /bin/kill, /usr/bin/lprm

     The user dgb may run /bin/ls, /bin/kill, and /usr/bin/lprm, but only as
     operator.  E.g.,

         $ sudo -u operator /bin/ls

     It is also possible to override a Runas_Spec later on in an entry.  If we
     modify the entry like so:

         dgb     boulder = (operator) /bin/ls, (root) /bin/kill, /usr/bin/lprm

     Then user dgb is now allowed to run /bin/ls as operator, but /bin/kill
     and /usr/bin/lprm as root.

     We can extend this to allow dgb to run /bin/ls with either the user or
     group set to operator:

         dgb     boulder = (operator : operator) /bin/ls, (root) /bin/kill,\
                 /usr/bin/lprm

     Note that while the group portion of the Runas_Spec permits the user to
     run a command with that group, it does not force the user to do so.  If
     no group is specified on the command line, the command will run with the
     group listed in the target user's password database entry.  The following
     would all be permitted by the sudoers entry above:

         $ sudo -u operator /bin/ls
         $ sudo -u operator -g operator /bin/ls
         $ sudo -g operator /bin/ls

     In the following example, user tcm may run commands that access a modem
     device file with the dialer group.

         tcm     boulder = (:dialer) /usr/bin/tip, /usr/bin/cu,\
                 /usr/local/bin/minicom

     Note that in this example only the group will be set, the command still
     runs as user tcm.  E.g.

         $ sudo -g dialer /usr/bin/cu

     Multiple users and groups may be present in a Runas_Spec, in which case
     the user may select any combination of users and groups via the -u and -g
     options.  In this example:

         alan    ALL = (root, bin : operator, system) ALL

     user alan may run any command as either user root or bin, optionally
     setting the group to operator or system.

   SELinux_Spec
     On systems with SELinux support, sudoers entries may optionally have an
     SELinux role and/or type associated with a command.  If a role or type is
     specified with the command it will override any default values specified
     in sudoers.  A role or type specified on the command line, however, will
     supersede the values in sudoers.

   Solaris_Priv_Spec
     On Solaris systems, sudoers entries may optionally specify Solaris
     privilege set and/or limit privilege set associated with a command.  If
     privileges or limit privileges are specified with the command it will
     override any default values specified in sudoers.

     A privilege set is a comma-separated list of privilege names.  The
     ppriv(1) command can be used to list all privileges known to the system.
     For example:

         $ ppriv -l

     In addition, there are several ``special'' privilege strings:

     none        the empty set

     all         the set of all privileges

     zone        the set of all privileges available in the current zone

     basic       the default set of privileges normal users are granted at
                 login time

     Privileges can be excluded from a set by prefixing the privilege name
     with either an `!' or `-' character.

   Tag_Spec
     A command may have zero or more tags associated with it.  There are ten
     possible tag values: NOPASSWD, PASSWD, NOEXEC, EXEC, SETENV, NOSETENV,
     LOG_INPUT, NOLOG_INPUT, LOG_OUTPUT and NOLOG_OUTPUT.  Once a tag is set
     on a Cmnd, subsequent Cmnds in the Cmnd_Spec_List inherit the tag unless
     it is overridden by the opposite tag (in other words, PASSWD overrides
     NOPASSWD and NOEXEC overrides EXEC).

     NOPASSWD and PASSWD

       By default, sudo requires that a user authenticate him or herself
       before running a command.  This behavior can be modified via the
       NOPASSWD tag.  Like a Runas_Spec, the NOPASSWD tag sets a default for
       the commands that follow it in the Cmnd_Spec_List.  Conversely, the
       PASSWD tag can be used to reverse things.  For example:

           ray     rushmore = NOPASSWD: /bin/kill, /bin/ls, /usr/bin/lprm

       would allow the user ray to run /bin/kill, /bin/ls, and /usr/bin/lprm
       as root on the machine rushmore without authenticating himself.  If we
       only want ray to be able to run /bin/kill without a password the entry
       would be:

           ray     rushmore = NOPASSWD: /bin/kill, PASSWD: /bin/ls, /usr/bin/lprm

       Note, however, that the PASSWD tag has no effect on users who are in
       the group specified by the exempt_group option.

       By default, if the NOPASSWD tag is applied to any of the entries for a
       user on the current host, he or she will be able to run ``sudo -l''
       without a password.  Additionally, a user may only run ``sudo -v''
       without a password if the NOPASSWD tag is present for all a user's
       entries that pertain to the current host.  This behavior may be
       overridden via the verifypw and listpw options.

     NOEXEC and EXEC

       If sudo has been compiled with noexec support and the underlying
       operating system supports it, the NOEXEC tag can be used to prevent a
       dynamically-linked executable from running further commands itself.

       In the following example, user aaron may run /usr/bin/more and
       /usr/bin/vi but shell escapes will be disabled.

           aaron   shanty = NOEXEC: /usr/bin/more, /usr/bin/vi

       See the Preventing shell escapes section below for more details on how
       NOEXEC works and whether or not it will work on your system.

     SETENV and NOSETENV

       These tags override the value of the setenv option on a per-command
       basis.  Note that if SETENV has been set for a command, the user may
       disable the env_reset option from the command line via the -E option.
       Additionally, environment variables set on the command line are not
       subject to the restrictions imposed by env_check, env_delete, or
       env_keep.  As such, only trusted users should be allowed to set
       variables in this manner.  If the command matched is ALL, the SETENV
       tag is implied for that command; this default may be overridden by use
       of the NOSETENV tag.

     LOG_INPUT and NOLOG_INPUT

       These tags override the value of the log_input option on a per-command
       basis.  For more information, see the description of log_input in the
       SUDOERS OPTIONS section below.

     LOG_OUTPUT and NOLOG_OUTPUT

       These tags override the value of the log_output option on a per-command
       basis.  For more information, see the description of log_output in the
       SUDOERS OPTIONS section below.

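     The Runas_Spec and Tag_Spec rules above (a Runas_Spec or tag sets the
     default for the Cmnds that follow it), as one added example covering
     both (not sudo's own code).  The evaluator decides whether
     ``sudo [-u user] [-g group] command'' is permitted and whether a password
     is required.  Commands are compared as exact strings; wildcards,
     arguments, aliases, #uid forms, exempt_group and the SELinux and Solaris
     specs are left out.  The entries are the dgb, ray, tcm and alan examples
     from the text.

```python
"""Evaluator for a sudoers Cmnd_Spec_List (added example, not sudo's own
code): carries the Runas_Spec and tags forward as defaults, then answers
whether an invocation is permitted and whether it needs a password."""
import re

TAGS = {
    "NOPASSWD": ("passwd", False), "PASSWD": ("passwd", True),
    "NOEXEC": ("exec", False), "EXEC": ("exec", True),
    "SETENV": ("setenv", True), "NOSETENV": ("setenv", False),
    "LOG_INPUT": ("log_input", True), "NOLOG_INPUT": ("log_input", False),
    "LOG_OUTPUT": ("log_output", True), "NOLOG_OUTPUT": ("log_output", False),
}
# setenv starts as None (unset) so the "implied for ALL" rule can be applied.
DEFAULT_TAGS = {"passwd": True, "exec": True, "setenv": None,
                "log_input": False, "log_output": False}
RUNAS_RE = re.compile(r"^\(([^)]*)\)\s*(.*)$")
TAG_RE = re.compile(r"^(" + "|".join(TAGS) + r"):\s*")


def split_cmnd_specs(text):
    """Split on commas that are not inside a Runas_Spec's parentheses."""
    parts, cur, depth = [], [], 0
    for c in text:
        depth += (c == "(") - (c == ")")
        if c == "," and depth == 0:
            parts.append("".join(cur).strip())
            cur = []
        else:
            cur.append(c)
    parts.append("".join(cur).strip())
    return [p for p in parts if p]


def parse_cmnd_spec_list(text):
    """Return [(runas_users, runas_groups, tags, command), ...]."""
    users, groups = ["root"], []         # no Runas_Spec: run as root, no -g allowed
    tags = dict(DEFAULT_TAGS)
    entries = []
    for spec in split_cmnd_specs(text):
        m = RUNAS_RE.match(spec)
        if m:                            # a new Runas_Spec replaces the default
            ulist, _, glist = m.group(1).partition(":")
            users = [u.strip() for u in ulist.split(",") if u.strip()]
            groups = [g.strip() for g in glist.split(",") if g.strip()]
            spec = m.group(2)
        while True:                      # tags persist until the opposite tag appears
            t = TAG_RE.match(spec)
            if not t:
                break
            key, val = TAGS[t.group(1)]
            tags[key] = val
            spec = spec[t.end():]
        entry_tags = dict(tags)
        if entry_tags["setenv"] is None:
            entry_tags["setenv"] = (spec == "ALL")   # SETENV is implied for ALL
        entries.append((list(users), list(groups), entry_tags, spec))
    return entries


def check(entries, invoking_user, command, run_user=None, run_group=None):
    """Return (allowed, password_required, runs_as_user); last match wins."""
    result = (False, None, None)
    for users, groups, tags, cmnd in entries:
        if cmnd != "ALL" and cmnd != command:
            continue
        if run_group is not None and run_user is None:
            # -g without -u: the command runs as the invoking user and only
            # the group Runas_List is consulted
            target, user_ok = invoking_user, True
        else:
            target = run_user or "root"               # sudo's default target user
            allowed = users or [invoking_user]        # empty first list: invoking user only
            user_ok = "ALL" in allowed or target in allowed
        group_ok = run_group is None or "ALL" in groups or run_group in groups
        if user_ok and group_ok:
            result = (True, tags["passwd"], target)
    return result


# The Cmnd_Spec_List part of the entries shown in the text.
DGB = parse_cmnd_spec_list("(operator : operator) /bin/ls, (root) /bin/kill, /usr/bin/lprm")
RAY = parse_cmnd_spec_list("NOPASSWD: /bin/kill, PASSWD: /bin/ls, /usr/bin/lprm")
TCM = parse_cmnd_spec_list("(:dialer) /usr/bin/tip, /usr/bin/cu, /usr/local/bin/minicom")
ALAN = parse_cmnd_spec_list("(root, bin : operator, system) ALL")

if __name__ == "__main__":
    print(check(DGB, "dgb", "/bin/ls", run_group="operator"))   # (True, True, 'dgb')
    print(check(RAY, "ray", "/usr/bin/lprm"))                     # (True, True, 'root')
```
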
   Wildcards
     sudo allows shell-style wildcards (aka meta or glob characters) to be
     used in host names, path names and command line arguments in the sudoers
     file.  Wildcard matching is done via the glob(3) and fnmatch(3) functions
     as specified by IEEE Std 1003.1 (``POSIX.1'').  Note that these are not
     regular expressions.

     *        Matches any set of zero or more characters.

     ?        Matches any single character.

     [...]    Matches any character in the specified range.

     [!...]   Matches any character not in the specified range.

     \x       For any character `x', evaluates to `x'.  This is used to
              escape special characters such as: `*', `?', `[', and `]'.

     Character classes may also be used if your system's glob(3) and
     fnmatch(3) functions support them.  However, because the `:' character
     has special meaning in sudoers, it must be escaped.  For example:

           /bin/ls [[\:alpha\:]]*

     would match any file name beginning with a letter.

     Note that a forward slash (`/') will not be matched by wildcards used in
     the path name.  This is to make a path like:

           /usr/bin/*

     match /usr/bin/who but not /usr/bin/X11/xterm.

     When matching the command line arguments, however, a slash does get
     matched by wildcards since command line arguments may contain arbitrary
     strings and not just path names.

     Wildcards in command line arguments should be used with care.  Because
     command line arguments are matched as a single, concatenated string, a
     wildcard such as `?' or `*' can match multiple words.  For example, while
     a sudoers entry like:

           %operator ALL = /bin/cat /var/log/messages*

     will allow a command like:

           $ sudo cat /var/log/messages.1

     it will also allow:

           $ sudo cat /var/log/messages /etc/shadow

     which is probably not what was intended.

   Exceptions to wildcard rules
     The following exceptions apply to the above rules:

     ""        If the empty string "" is the only command line argument in the
               sudoers entry it means that command is not allowed to be run
               with any arguments.

     sudoedit  Command line arguments to the sudoedit built-in command should
               always be path names, so a forward slash (`/') will not be
               matched by a wildcard.

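     The matching rules above, including the two exceptions, as a small C
     model written for this page (it is not sudo's own matching code; the
     function names are mine).  rule_allows() applies fnmatch(3) with
     FNM_PATHNAME to the command path, matches the arguments as one
     space-joined string, and treats "" and sudoedit as described, so the
     reach of a rule such as the %operator one can be checked before it is
     deployed:

```c
#include <fnmatch.h>
#include <stdio.h>
#include <string.h>

/*
 * Model of how a sudoers Cmnd is matched against the command a user asked
 * to run.  Added example, not sudo's own source; the function names are
 * mine.  Conventions:
 *   rule_args == NULL  the rule lists no arguments, so any arguments match
 *   rule_args == ""    the rule lists "", so the command takes no arguments
 *   user_args          the user's arguments joined with single spaces
 */

/* Path names: a wildcard never matches '/', i.e. fnmatch(3) with FNM_PATHNAME. */
int path_matches(const char *pattern, const char *path)
{
    return fnmatch(pattern, path, FNM_PATHNAME) == 0;
}

/*
 * Command line arguments are matched as one concatenated string, so a '*'
 * or '?' can span words and can match '/'.  For sudoedit the arguments are
 * path names, so '/' is again excluded from what a wildcard may match.
 */
int args_match(const char *rule_args, const char *user_args, int is_sudoedit)
{
    if (rule_args == NULL)
        return 1;
    if (user_args == NULL)
        user_args = "";
    if (rule_args[0] == '\0')
        return user_args[0] == '\0';
    return fnmatch(rule_args, user_args, is_sudoedit ? FNM_PATHNAME : 0) == 0;
}

/*
 * Nonzero if the Cmnd "rule_path rule_args" permits running cmd_path with
 * user_args.  Character classes such as [[:alpha:]] are handed to fnmatch(3)
 * unescaped here; in the sudoers file itself the colons are written as \:.
 */
int rule_allows(const char *rule_path, const char *rule_args,
                const char *cmd_path, const char *user_args)
{
    int is_sudoedit = strcmp(rule_path, "sudoedit") == 0;

    if (is_sudoedit) {
        if (strcmp(cmd_path, "sudoedit") != 0)
            return 0;
    } else if (!path_matches(rule_path, cmd_path)) {
        return 0;
    }
    return args_match(rule_args, user_args, is_sudoedit);
}

int main(void)
{
    /* The %operator rule from the text: the '*' also swallows a second file name. */
    const char *requests[] = { "/var/log/messages.1", "/var/log/messages /etc/shadow" };
    int i;

    for (i = 0; i < 2; i++)
        printf("sudo cat %-30s -> %s\n", requests[i],
               rule_allows("/bin/cat", "/var/log/messages*", "/bin/cat", requests[i])
                   ? "allowed" : "denied");
    return 0;
}
```
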
   Including other files from within sudoers
     It is possible to include other sudoers files from within the sudoers
     file currently being parsed using the #include and #includedir
     directives.

     This can be used, for example, to keep a site-wide sudoers file in
     addition to a local, per-machine file.  For the sake of this example the
     site-wide sudoers will be /etc/sudoers and the per-machine one will be
     /etc/sudoers.local.  To include /etc/sudoers.local from within
     /etc/sudoers we would use the following line in /etc/sudoers:

           #include /etc/sudoers.local

     When sudo reaches this line it will suspend processing of the current
     file (/etc/sudoers) and switch to /etc/sudoers.local.  Upon reaching the
     end of /etc/sudoers.local, the rest of /etc/sudoers will be processed.
     Files that are included may themselves include other files.  A hard limit
     of 128 nested include files is enforced to prevent include file loops.

     If the path to the include file is not fully-qualified (does not begin
     with a `/'), it must be located in the same directory as the sudoers file
     it was included from.  For example, if /etc/sudoers contains the line:

           #include sudoers.local

     the file that will be included is /etc/sudoers.local.

     The file name may also include the %h escape, signifying the short form
     of the host name.  In other words, if the machine's host name is
     ``xerxes'', then

           #include /etc/sudoers.%h

     will cause sudo to include the file /etc/sudoers.xerxes.

     The #includedir directive can be used to create a sudo.d directory that
     the system package manager can drop sudoers rules into as part of package
     installation.  For example, given:

           #includedir /etc/sudoers.d

     sudo will read each file in /etc/sudoers.d, skipping file names that end
     in `~' or contain a `.' character to avoid causing problems with package
     manager or editor temporary/backup files.  Files are parsed in sorted
     lexical order.  That is, /etc/sudoers.d/01_first will be parsed before
     /etc/sudoers.d/10_second.  Be aware that because the sorting is lexical,
     not numeric, /etc/sudoers.d/1_whoops would be loaded after
     /etc/sudoers.d/10_second.  Using a consistent number of leading zeroes in
     the file names avoids such problems.

     Note that unlike files included via #include, visudo will not edit the
     files in a #includedir directory unless one of them contains a syntax
     error.  It is still possible to run visudo with the -f flag to edit the
     files directly.

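     The include behaviour described in this section, worked through in C as
     an added example (not sudo's code; the function names and the
     /etc/sudoers.d listing are constructed): resolve_include() handles
     relative names and the %h escape, and includedir_order() applies the
     skip rules and the lexical sort that places 1_whoops after 10_second:

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/*
 * How an #include file name is resolved and in which order #includedir reads
 * a directory, as described above.  Added example, not sudo's own code; the
 * function names and the constructed directory listing are mine.
 */

/* Resolve an #include path: a name not starting with '/' lives in the directory
 * of the including file, and %h expands to the short host name.  Returns out,
 * or NULL if the result would not fit. */
char *resolve_include(const char *including_file, const char *spec,
                      const char *short_host, char *out, size_t outlen)
{
    size_t used = 0;
    const char *p;

    if (spec[0] != '/') {
        const char *slash = strrchr(including_file, '/');
        used = slash ? (size_t)(slash - including_file + 1) : 0;
        if (used >= outlen)
            return NULL;
        memcpy(out, including_file, used);
    }
    for (p = spec; *p != '\0'; p++) {
        const char *piece = p;
        size_t len = 1;
        if (p[0] == '%' && p[1] == 'h') {       /* %h -> short host name */
            piece = short_host;
            len = strlen(short_host);
            p++;
        }
        if (used + len >= outlen)
            return NULL;
        memcpy(out + used, piece, len);
        used += len;
    }
    out[used] = '\0';
    return out;
}

/* Same, into a static buffer, for quick checks. */
const char *resolved(const char *including_file, const char *spec, const char *short_host)
{
    static char buf[256];
    return resolve_include(including_file, spec, short_host, buf, sizeof buf);
}

/* #includedir skips names that end in '~' or contain a '.' (editor/package backups). */
int includedir_skips(const char *name)
{
    size_t n = strlen(name);
    return n == 0 || name[n - 1] == '~' || strchr(name, '.') != NULL;
}

static int by_strcmp(const void *a, const void *b)
{
    return strcmp(*(const char *const *)a, *(const char *const *)b);
}

/* Keep what #includedir would parse and sort it as sudo does: lexically, not numerically. */
size_t includedir_order(const char **names, size_t n, const char **out)
{
    size_t kept = 0, i;
    for (i = 0; i < n; i++)
        if (!includedir_skips(names[i]))
            out[kept++] = names[i];
    qsort(out, kept, sizeof *out, by_strcmp);
    return kept;
}

/* Constructed /etc/sudoers.d listing: package drops, an editor backup and a README. */
static const char *listing[] = {
    "10_second", "1_whoops", "README.md", "01_first", "10_second~", "zz_last",
};
#define LISTING_LEN (sizeof listing / sizeof listing[0])

/* Position of name in the parse order of the constructed listing, or -1 if skipped. */
int parse_position(const char *name)
{
    const char *ordered[LISTING_LEN];
    size_t kept = includedir_order(listing, LISTING_LEN, ordered), i;
    for (i = 0; i < kept; i++)
        if (strcmp(ordered[i], name) == 0)
            return (int)i;
    return -1;
}

int main(void)
{
    const char *ordered[LISTING_LEN];
    size_t kept = includedir_order(listing, LISTING_LEN, ordered), i;
    for (i = 0; i < kept; i++)
        printf("%zu %s\n", i, ordered[i]);    /* 1_whoops is parsed after 10_second */
    printf("%s\n", resolved("/etc/sudoers", "sudoers.%h", "xerxes"));
    return 0;
}
```
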
   Other special characters and reserved words
     The pound sign (`#') is used to indicate a comment (unless it is part of
     a #include directive or unless it occurs in the context of a user name
     and is followed by one or more digits, in which case it is treated as a
     uid).  Both the comment character and any text after it, up to the end of
     the line, are ignored.

     The reserved word ALL is a built-in alias that always causes a match to
     succeed.  It can be used wherever one might otherwise use a Cmnd_Alias,
     User_Alias, Runas_Alias, or Host_Alias.  You should not try to define
     your own alias called ALL as the built-in alias will be used in
     preference to your own.  Please note that using ALL can be dangerous
     since in a command context, it allows the user to run any command on the
     system.

     An exclamation point (`!') can be used as a logical not operator in a
     list or alias as well as in front of a Cmnd.  This allows one to exclude
     certain values.  For the `!' operator to be effective, there must be
     something for it to exclude.  For example, to match all users except for
     root one would use:

           ALL,!root

     If the ALL is omitted, as in:

           !root

     it would explicitly deny root but not match any other users.  This is
     different from a true ``negation'' operator.

     Note, however, that using a `!' in conjunction with the built-in ALL
     alias to allow a user to run ``all but a few'' commands rarely works as
     intended (see SECURITY NOTES below).

     Long lines can be continued with a backslash (`\') as the last character
     on the line.

     White space between elements in a list as well as special syntactic
     characters in a User Specification (`=', `:', `(', `)') is optional.

     The following characters must be escaped with a backslash (`\') when used
     as part of a word (e.g. a user name or host name): `!', `=', `:', `,',
     `(', `)', `\'.

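     The ALL,!root and !root lists above, evaluated for two users by a small
     matcher added for this page (not sudo's code; the enum and function
     names are assumptions).  Entries are taken in order and the last entry
     that applies decides, so a bare !root excludes root but leaves every
     other user unmatched:

```c
#include <stdio.h>
#include <string.h>

/*
 * Evaluate a sudoers user list such as "ALL,!root" for one user: entries are
 * taken in order, '!' negates, and the last entry that applies decides.  A
 * bare "!root" therefore excludes root without matching anyone else.  Added
 * example, not sudo's code; enum and function names are mine.
 */
enum list_result { UNSPEC = 0, MATCH = 1, NOMATCH = -1 };

/* Does one un-negated entry apply to this user?  ALL applies to everyone. */
static int entry_applies(const char *entry, const char *user)
{
    return strcmp(entry, "ALL") == 0 || strcmp(entry, user) == 0;
}

enum list_result eval_user_list(const char *list, const char *user)
{
    enum list_result result = UNSPEC;
    char buf[256];
    char *tok;

    strncpy(buf, list, sizeof buf - 1);
    buf[sizeof buf - 1] = '\0';
    /* Entries may be separated by commas and optional white space. */
    for (tok = strtok(buf, ", \t"); tok != NULL; tok = strtok(NULL, ", \t")) {
        int negated = (tok[0] == '!');
        if (negated)
            tok++;
        if (entry_applies(tok, user))
            result = negated ? NOMATCH : MATCH;
    }
    return result;
}

static const char *describe(enum list_result r)
{
    return r == MATCH ? "matched" : r == NOMATCH ? "explicitly excluded" : "not matched";
}

int main(void)
{
    const char *lists[] = { "ALL,!root", "!root" };
    const char *users[] = { "alice", "root" };
    int i, j;

    for (i = 0; i < 2; i++)
        for (j = 0; j < 2; j++)
            printf("%-10s %-6s %s\n", lists[i], users[j],
                   describe(eval_user_list(lists[i], users[j])));
    return 0;
}
```
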
SUDOERS OPTIONS
     sudo's behavior can be modified by Default_Entry lines, as explained
     earlier.  The supported Defaults parameters, grouped by type, are listed
     below.

   Boolean Flags:

     always_set_home If enabled, sudo will set the HOME environment variable
                     to the home directory of the target user (which is root
                     unless the -u option is used).  This effectively means
                     that the -H option is always implied.  Note that HOME
                     is already set when the env_reset option is enabled, so
                     always_set_home is only effective for configurations
                     where either env_reset is disabled or HOME is present
                     in the env_keep list.  This flag is off by default.

     authenticate    If set, users must authenticate themselves via a
                     password (or other means of authentication) before they
                     may run commands.  This default may be overridden via
                     the PASSWD and NOPASSWD tags.  This flag is on by
                     default.

     closefrom_override
                     If set, the user may use sudo's -C option which
                     overrides the default starting point at which sudo
                     begins closing open file descriptors.  This flag is off
                     by default.

     compress_io     If set, and sudo is configured to log a command's input
                     or output, the I/O logs will be compressed using zlib.
                     This flag is on by default when sudo is compiled with
                     zlib support.

     exec_background By default, sudo runs a command as the foreground
                     process as long as sudo itself is running in the
                     foreground.  When the exec_background flag is enabled
                     and the command is being run in a pty (due to I/O
                     logging or the use_pty flag), the command will be run
                     as a background process.  Attempts to read from the
                     controlling terminal (or to change terminal settings)
                     will result in the command being suspended with the
                     SIGTTIN signal (or SIGTTOU in the case of terminal
                     settings).  If this happens when sudo is a foreground
                     process, the command will be granted the controlling
                     terminal and resumed in the foreground with no user
                     intervention required.  The advantage of initially
                     running the command in the background is that sudo need
                     not read from the terminal unless the command
                     explicitly requests it.  Otherwise, any terminal input
                     must be passed to the command, whether it has required
                     it or not (the kernel buffers terminals so it is not
                     possible to tell whether the command really wants the
                     input).  This is different from historic sudo behavior
                     or when the command is not being run in a pty.

                     For this to work seamlessly, the operating system must
                     support the automatic restarting of system calls.
                     Unfortunately, not all operating systems do this by
                     default, and even those that do may have bugs.  For
                     example, Mac OS X fails to restart the tcgetattr() and
                     tcsetattr() system calls (this is a bug in Mac OS X).
                     Furthermore, because this behavior depends on the
                     command stopping with the SIGTTIN or SIGTTOU signals,
                     programs that catch these signals and suspend
                     themselves with a different signal (usually SIGSTOP)
                     will not be automatically foregrounded.  Some versions
                     of the Linux su(1) command behave this way.

                     This setting is only supported by version 1.8.7 or
                     higher.  It has no effect unless I/O logging is enabled
                     or the use_pty flag is enabled.

     env_editor      If set, visudo will use the value of the EDITOR or
                     VISUAL environment variables before falling back on the
                     default editor list.  Note that this may create a
                     security hole as it allows the user to run any
                     arbitrary command as root without logging.  A safer
                     alternative is to place a colon-separated list of
                     editors in the editor variable.  visudo will then only
                     use the EDITOR or VISUAL if they match a value
                     specified in editor.  This flag is off by default.

     env_reset       If set, sudo will run the command in a minimal
                     environment containing the TERM, PATH, HOME, MAIL,
                     SHELL, LOGNAME, USER, USERNAME and SUDO_* variables.
                     Any variables in the caller's environment that match
                     the env_keep and env_check lists are then added,
                     followed by any variables present in the file specified
                     by the env_file option (if any).  The default contents
                     of the env_keep and env_check lists are displayed when
                     sudo is run by root with the -V option.  If the
                     secure_path option is set, its value will be used for
                     the PATH environment variable.  This flag is on by
                     default.

     fast_glob       Normally, sudo uses the glob(3) function to do shell-
                     style globbing when matching path names.  However,
                     since it accesses the file system, glob(3) can take a
                     long time to complete for some patterns, especially
                     when the pattern references a network file system that
                     is mounted on demand (auto mounted).  The fast_glob
                     option causes sudo to use the fnmatch(3) function,
                     which does not access the file system to do its
                     matching.  The disadvantage of fast_glob is that it is
                     unable to match relative path names such as ./ls or
                     ../bin/ls.  This has security implications when path
                     names that include globbing characters are used with
                     the negation operator, `!', as such rules can be
                     trivially bypassed.  As such, this option should not be
                     used when sudoers contains rules that contain negated
                     path names which include globbing characters.  This
                     flag is off by default.

     fqdn            Set this flag if you want to put fully qualified host
                     names in the sudoers file when the local host name (as
                     returned by the hostname command) does not contain the
                     domain name.  In other words, instead of myhost you
                     would use myhost.mydomain.edu.  You may still use the
                     short form if you wish (and even mix the two).  This
                     option is only effective when the ``canonical'' host
                     name, as returned by the getaddrinfo() or
                     gethostbyname() function, is a fully-qualified domain
                     name.  This is usually the case when the system is
                     configured to use DNS for host name resolution.

                     If the system is configured to use the /etc/hosts file
                     in preference to DNS, the ``canonical'' host name may
                     not be fully-qualified.  The order that sources are
                     queried for host name resolution is usually specified
                     in the /etc/nsswitch.conf, /etc/netsvc.conf,
                     /etc/host.conf, or, in some cases, /etc/resolv.conf
                     file.  In the /etc/hosts file, the first host name of
                     the entry is considered to be the ``canonical'' name;
                     subsequent names are aliases that are not used by
                     sudoers.  For example, the following hosts file line
                     for the machine ``xyzzy'' has the fully-qualified
                     domain name as the ``canonical'' host name, and the
                     short version as an alias.

                           192.168.1.1 xyzzy.sudo.ws xyzzy

                     If the machine's hosts file entry is not formatted
                     properly, the fqdn option will not be effective if it
                     is queried before DNS.

                     Beware that when using DNS for host name resolution,
                     turning on fqdn requires sudoers to make DNS lookups
                     which renders sudo unusable if DNS stops working (for
                     example if the machine is disconnected from the
                     network).  Also note that just like with the hosts
                     file, you must use the ``canonical'' name as DNS knows
                     it.  That is, you may not use a host alias (CNAME
                     entry) due to performance issues and the fact that
                     there is no way to get all aliases from DNS.

                     This flag is off by default.

     ignore_dot      If set, sudo will ignore "." or "" (both denoting
                     current directory) in the PATH environment variable;
                     the PATH itself is not modified.  This flag is off by
                     default.

     ignore_local_sudoers
                     If set via LDAP, parsing of /etc/sudoers will be
                     skipped.  This is intended for enterprises that wish to
                     prevent the usage of local sudoers files so that only
                     LDAP is used.  This thwarts the efforts of rogue
                     operators who would attempt to add roles to
                     /etc/sudoers.  When this option is present,
                     /etc/sudoers does not even need to exist.  Since this
                     option tells sudo how to behave when no specific LDAP
                     entries have been matched, this sudoOption is only
                     meaningful for the cn=defaults section.  This flag is
                     off by default.

     insults         If set, sudo will insult users when they enter an
                     incorrect password.  This flag is off by default.

     log_host        If set, the host name will be logged in the (non-
                     syslog) sudo log file.  This flag is off by default.

     log_input       If set, sudo will run the command in a pseudo tty and
                     log all user input.  If the standard input is not
                     connected to the user's tty, due to I/O redirection or
                     because the command is part of a pipeline, that input
                     is also captured and stored in a separate log file.

                     Input is logged to the directory specified by the
                     iolog_dir option (/var/log/sudo-io by default) using a
                     unique session ID that is included in the normal sudo
                     log line, prefixed with ``TSID=''.  The iolog_file
                     option may be used to control the format of the session
                     ID.

                     Note that user input may contain sensitive information
                     such as passwords (even if they are not echoed to the
                     screen), which will be stored in the log file
                     unencrypted.  In most cases, logging the command output
                     via log_output is all that is required.

     log_output      If set, sudo will run the command in a pseudo tty and
                     log all output that is sent to the screen, similar to
                     the script(1) command.  If the standard output or
                     standard error is not connected to the user's tty, due
                     to I/O redirection or because the command is part of a
                     pipeline, that output is also captured and stored in
                     separate log files.

                     Output is logged to the directory specified by the
                     iolog_dir option (/var/log/sudo-io by default) using a
                     unique session ID that is included in the normal sudo
                     log line, prefixed with ``TSID=''.  The iolog_file
                     option may be used to control the format of the session
                     ID.

                     Output logs may be viewed with the sudoreplay(1m)
                     utility, which can also be used to list or search the
                     available logs.

     log_year        If set, the four-digit year will be logged in the (non-
                     syslog) sudo log file.  This flag is off by default.

     long_otp_prompt When validating with a One Time Password (OTP) scheme
                     such as S/Key or OPIE, a two-line prompt is used to
                     make it easier to cut and paste the challenge to a
                     local window.  It's not as pretty as the default but
                     some people find it more convenient.  This flag is off
                     by default.

     mail_always     Send mail to the mailto user every time a user runs
                     sudo.  This flag is off by default.

     mail_badpass    Send mail to the mailto user if the user running sudo
                     does not enter the correct password.  If the command
                     the user is attempting to run is not permitted by
                     sudoers and one of the mail_always, mail_no_host,
                     mail_no_perms or mail_no_user flags is set, this flag
                     will have no effect.  This flag is off by default.

     mail_no_host    If set, mail will be sent to the mailto user if the
                     invoking user exists in the sudoers file, but is not
                     allowed to run commands on the current host.  This flag
                     is off by default.

     mail_no_perms   If set, mail will be sent to the mailto user if the
                     invoking user is allowed to use sudo but the command
                     they are trying is not listed in their sudoers file
                     entry or is explicitly denied.  This flag is off by
                     default.

     mail_no_user    If set, mail will be sent to the mailto user if the
                     invoking user is not in the sudoers file.  This flag is
                     on by default.

     noexec          If set, all commands run via sudo will behave as if the
                     NOEXEC tag has been set, unless overridden by an EXEC
                     tag.  See the description of NOEXEC and EXEC below as
                     well as the Preventing shell escapes section at the end
                     of this manual.  This flag is off by default.

     pam_session     On systems that use PAM for authentication, sudo will
                     create a new PAM session for the command to be run in.
                     Disabling pam_session may be needed on older PAM
                     implementations or on operating systems where opening a
                     PAM session changes the utmp or wtmp files.  If PAM
                     session support is disabled, resource limits may not be
                     updated for the command being run.  If pam_session,
                     pam_setcred, and use_pty are disabled and I/O logging
                     has not been configured, sudo will execute the command
                     directly instead of running it as a child process.
                     This flag is on by default.

                     This setting is only supported by version 1.8.7 or
                     higher.

     pam_setcred     On systems that use PAM for authentication, sudo will
                     attempt to establish credentials for the target user by
                     default, if supported by the underlying authentication
                     system.  One example of a credential is a Kerberos
                     ticket.  If pam_session, pam_setcred, and use_pty are
                     disabled and I/O logging has not been configured, sudo
                     will execute the command directly instead of running it
                     as a child process.  This flag is on by default.

                     This setting is only supported by version 1.8.8 or
                     higher.

     passprompt_override
                     The password prompt specified by passprompt will
                     normally only be used if the password prompt provided
                     by systems such as PAM matches the string
                     ``Password:''.  If passprompt_override is set,
                     passprompt will always be used.  This flag is off by
                     default.

     path_info       Normally, sudo will tell the user when a command could
                     not be found in their PATH environment variable.  Some
                     sites may wish to disable this as it could be used to
                     gather information on the location of executables that
                     the normal user does not have access to.  The
                     disadvantage is that if the executable is simply not in
                     the user's PATH, sudo will tell the user that they are
                     not allowed to run it, which can be confusing.  This
                     flag is on by default.

     preserve_groups By default, sudo will initialize the group vector to
                     the list of groups the target user is in.  When
                     preserve_groups is set, the user's existing group
                     vector is left unaltered.  The real and effective group
                     IDs, however, are still set to match the target user.
                     This flag is off by default.

     pwfeedback      By default, sudo reads the password like most other
                     Unix programs, by turning off echo until the user hits
                     the return (or enter) key.  Some users become confused
                     by this as it appears to them that sudo has hung at
                     this point.  When pwfeedback is set, sudo will provide
                     visual feedback when the user presses a key.  Note that
                     this does have a security impact as an onlooker may be
                     able to determine the length of the password being
                     entered.  This flag is off by default.

     requiretty      If set, sudo will only run when the user is logged in
                     to a real tty.  When this flag is set, sudo can only be
                     run from a login session and not via other means such
                     as cron(1m) or cgi-bin scripts.  This flag is off by
                     default.

     root_sudo       If set, root is allowed to run sudo too.  Disabling
                     this prevents users from ``chaining'' sudo commands to
                     get a root shell by doing something like ``sudo sudo
                     /bin/sh''.  Note, however, that turning off root_sudo
                     will also prevent root from running sudoedit.
                     Disabling root_sudo provides no real additional
                     security; it exists purely for historical reasons.
                     This flag is on by default.

     rootpw          If set, sudo will prompt for the root password instead
                     of the password of the invoking user.  This flag is off
                     by default.

     runaspw         If set, sudo will prompt for the password of the user
                     defined by the runas_default option (defaults to root)
                     instead of the password of the invoking user.  This
                     flag is off by default.

     set_home        If enabled and sudo is invoked with the -s option the
                     HOME environment variable will be set to the home
                     directory of the target user (which is root unless the
                     -u option is used).  This effectively makes the -s
                     option imply -H.  Note that HOME is already set when
                     the env_reset option is enabled, so set_home is only
                     effective for configurations where either env_reset is
                     disabled or HOME is present in the env_keep list.  This
                     flag is off by default.

     set_logname     Normally, sudo will set the LOGNAME, USER and USERNAME
                     environment variables to the name of the target user
                     (usually root unless the -u option is given).  However,
                     since some programs (including the RCS revision control
                     system) use LOGNAME to determine the real identity of
                     the user, it may be desirable to change this behavior.
                     This can be done by negating the set_logname option.
                     Note that if the env_reset option has not been
                     disabled, entries in the env_keep list will override
                     the value of set_logname.  This flag is on by default.

     set_utmp        When enabled, sudo will create an entry in the utmp (or
                     utmpx) file when a pseudo-tty is allocated.  A pseudo-
                     tty is allocated by sudo when the log_input, log_output
                     or use_pty flags are enabled.  By default, the new
                     entry will be a copy of the user's existing utmp entry
                     (if any), with the tty, time, type and pid fields
                     updated.  This flag is on by default.

     setenv          Allow the user to disable the env_reset option from the
                     command line via the -E option.  Additionally,
                     environment variables set via the command line are not
                     subject to the restrictions imposed by env_check,
                     env_delete, or env_keep.  As such, only trusted users
                     should be allowed to set variables in this manner.
                     This flag is off by default.

     shell_noargs    If set and sudo is invoked with no arguments it acts as
                     if the -s option had been given.  That is, it runs a
                     shell as root (the shell is determined by the SHELL
                     environment variable if it is set, falling back on the
                     shell listed in the invoking user's /etc/passwd entry
                     if not).  This flag is off by default.

     stay_setuid     Normally, when sudo executes a command the real and
                     effective UIDs are set to the target user (root by
                     default).  This option changes that behavior such that
                     the real UID is left as the invoking user's UID.  In
                     other words, this makes sudo act as a setuid wrapper.
                     This can be useful on systems that disable some
                     potentially dangerous functionality when a program is
                     run setuid.  This option is only effective on systems
                     that support either the setreuid(2) or setresuid(2)
                     system call.  This flag is off by default.

     targetpw        If set, sudo will prompt for the password of the user
                     specified by the -u option (defaults to root) instead
                     of the password of the invoking user.  In addition, the
                     time stamp file name will include the target user's
                     name.  Note that this flag precludes the use of a uid
                     not listed in the passwd database as an argument to the
                     -u option.  This flag is off by default.

     tty_tickets     If set, users must authenticate on a per-tty basis.
                     With this flag enabled, sudo will use a file named for
                     the tty the user is logged in on in the user's time
                     stamp directory.  If disabled, the time stamp of the
                     directory is used instead.  This flag is on by default.

     umask_override  If set, sudo will set the umask as specified by sudoers
                     without modification.  This makes it possible to
                     specify a more permissive umask in sudoers than the
                     user's own umask and matches historical behavior.  If
                     umask_override is not set, sudo will set the umask to
                     be the union of the user's umask and what is specified
                     in sudoers.  This flag is off by default.

     use_loginclass  If set, sudo will apply the defaults specified for the
                     target user's login class if one exists.  Only
                     available if sudo is configured with the
                     --with-logincap option.  This flag is off by default.

     use_pty         If set, sudo will run the command in a pseudo-pty even
                     if no I/O logging is being done.  A malicious program
                     run under sudo could conceivably fork a background
                     process that retains access to the user's terminal
                     device after the main program has finished executing.
                     Use of this option will make that impossible.  This
                     flag is off by default.

     utmp_runas      If set, sudo will store the name of the runas user when
                     updating the utmp (or utmpx) file.  By default, sudo
                     stores the name of the invoking user.  This flag is off
                     by default.

     visiblepw       By default, sudo will refuse to run if the user must
                     enter a password but it is not possible to disable echo
                     on the terminal.  If the visiblepw flag is set, sudo
                     will prompt for a password even when it would be
                     visible on the screen.  This makes it possible to run
                     things like ``ssh somehost sudo ls'' since by default,
                     ssh(1) does not allocate a tty when running a command.
                     This flag is off by default.

1.1.1.3 misho 1235: IInntteeggeerrss:
1.1 misho 1236:
1.1.1.3 misho 1237: closefrom Before it executes a command, ssuuddoo will close all open
1.1 misho 1238: file descriptors other than standard input, standard
1239: output and standard error (ie: file descriptors 0-2).
1240: The _c_l_o_s_e_f_r_o_m option can be used to specify a different
1241: file descriptor at which to start closing. The default
1242: is 3.
1243:
1.1.1.3 misho 1244: passwd_tries The number of tries a user gets to enter his/her
1.1 misho 1245: password before ssuuddoo logs the failure and exits. The
1246: default is 3.
1247:
1.1.1.3 misho 1248: IInntteeggeerrss tthhaatt ccaann bbee uusseedd iinn aa bboooolleeaann ccoonntteexxtt:
1.1 misho 1249:
1.1.1.3 misho 1250: loglinelen Number of characters per line for the file log. This
1.1 misho 1251: value is used to decide when to wrap lines for nicer
1252: log files. This has no effect on the syslog log file,
1253: only the file log. The default is 80 (use 0 or negate
1254: the option to disable word wrap).
1255:
1.1.1.3 misho 1256: passwd_timeout Number of minutes before the ssuuddoo password prompt times
1.1 misho 1257: out, or 0 for no timeout. The timeout may include a
1258: fractional component if minute granularity is
1259: insufficient, for example 2.5. The default is 5.
1260:
1.1.1.3 misho 1261: timestamp_timeout
1.1 misho 1262: Number of minutes that can elapse before ssuuddoo will ask
1263: for a passwd again. The timeout may include a
1264: fractional component if minute granularity is
1265: insufficient, for example 2.5. The default is 5. Set
1266: this to 0 to always prompt for a password. If set to a
1.1.1.3 misho 1267: value less than 0 the user's time stamp will never
1.1 misho 1268: expire. This can be used to allow users to create or
1.1.1.3 misho 1269: delete their own time stamps via ``sudo -v'' and ``sudo
1270: -k'' respectively.
1.1 misho 1271:
1.1.1.3 misho 1272: umask Umask to use when running the command. Negate this
1.1 misho 1273: option or set it to 0777 to preserve the user's umask.
1274: The actual umask that is used will be the union of the
1275: user's umask and the value of the _u_m_a_s_k option, which
1276: defaults to 0022. This guarantees that ssuuddoo never
1.1.1.3 misho 1277: lowers the umask when running a command. Note: on
1.1 misho 1278: systems that use PAM, the default PAM configuration may
1279: specify its own umask which will override the value set
1280: in _s_u_d_o_e_r_s.
1281:
1.1.1.3 misho 1282: SSttrriinnggss:
1.1 misho 1283:
1.1.1.3 misho 1284: badpass_message Message that is displayed if a user enters an incorrect
1.1 misho 1285: password. The default is Sorry, try again. unless
1286: insults are enabled.
1287:
1.1.1.3 misho 1288: editor A colon (`:') separated list of editors allowed to be
1.1 misho 1289: used with vviissuuddoo. vviissuuddoo will choose the editor that
1290: matches the user's EDITOR environment variable if
1291: possible, or the first editor in the list that exists
1.1.1.3 misho 1292: and is executable. The default is _v_i.
1.1 misho 1293:
1.1.1.3 misho 1294: iolog_dir The top-level directory to use when constructing the
1.1 misho 1295: path name for the input/output log directory. Only
1296: used if the _l_o_g___i_n_p_u_t or _l_o_g___o_u_t_p_u_t options are enabled
1297: or when the LOG_INPUT or LOG_OUTPUT tags are present
1298: for a command. The session sequence number, if any, is
1299: stored in the directory. The default is
1.1.1.3 misho 1300: _/_v_a_r_/_l_o_g_/_s_u_d_o_-_i_o.
1.1 misho 1301:
1302: The following percent (`%') escape sequences are
1303: supported:
1304:
1305: %{seq}
1.1.1.3 misho 1306: expanded to a monotonically increasing base-36
1307: sequence number, such as 0100A5, where every two
1308: digits are used to form a new directory, e.g.
1309: _0_1_/_0_0_/_A_5
1.1 misho 1310:
1311: %{user}
1.1.1.3 misho 1312: expanded to the invoking user's login name
1.1 misho 1313:
1314: %{group}
1.1.1.3 misho 1315: expanded to the name of the invoking user's real
1316: group ID
1.1 misho 1317:
1318: %{runas_user}
1.1.1.3 misho 1319: expanded to the login name of the user the
1320: command will be run as (e.g. root)
1.1 misho 1321:
1322: %{runas_group}
1.1.1.3 misho 1323: expanded to the group name of the user the
1324: command will be run as (e.g. wheel)
1.1 misho 1325:
1326: %{hostname}
1.1.1.3 misho 1327: expanded to the local host name without the
1328: domain name
1.1 misho 1329:
1330: %{command}
1.1.1.3 misho 1331: expanded to the base name of the command being
1332: run
1.1 misho 1333:
1334: In addition, any escape sequences supported by the
1.1.1.3 misho 1335: system's strftime(3) function will be expanded.
1.1 misho 1336:
1337: To include a literal `%' character, the string `%%'
1338: should be used.
1339:
1.1.1.3 misho 1340: iolog_file The path name, relative to _i_o_l_o_g___d_i_r, in which to store
1.1 misho 1341: input/output logs when the _l_o_g___i_n_p_u_t or _l_o_g___o_u_t_p_u_t
1342: options are enabled or when the LOG_INPUT or LOG_OUTPUT
1343: tags are present for a command. Note that _i_o_l_o_g___f_i_l_e
1344: may contain directory components. The default is
1.1.1.3 misho 1345: ``%{seq}''.
1.1 misho 1346:
1347: See the _i_o_l_o_g___d_i_r option above for a list of supported
1348: percent (`%') escape sequences.
1349:
1350: In addition to the escape sequences, path names that
1351: end in six or more Xs will have the Xs replaced with a
1352: unique combination of digits and letters, similar to
1.1.1.3 misho 1353: the mktemp(3) function.
1.1 misho 1354:
1.1.1.4 misho 1355: If the path created by concatenating _i_o_l_o_g___d_i_r and
1356: _i_o_l_o_g___f_i_l_e already exists, the existing I/O log file
1357: will be truncated and overwritten unless _i_o_l_o_g___f_i_l_e
1358: ends in six or more Xs.
1359:
1.1.1.3 misho 1360: limitprivs The default Solaris limit privileges to use when
1361: constructing a new privilege set for a command. This
1362: bounds all privileges of the executing process. The
1363: default limit privileges may be overridden on a per-
1364: command basis in _s_u_d_o_e_r_s. This option is only
1365: available if ssuuddooeerrss is built on Solaris 10 or higher.
1366:
1367: mailsub Subject of the mail sent to the _m_a_i_l_t_o user. The
1368: escape %h will expand to the host name of the machine.
1369: Default is ``*** SECURITY information for %h ***''.
1.1 misho 1370:
1.1.1.4 misho 1371: maxseq The maximum sequence number that will be substituted
1372: for the ``%{seq}'' escape in the I/O log file (see the
1373: _i_o_l_o_g___d_i_r description above for more information).
1374: While the value substituted for ``%{seq}'' is in base
1375: 36, _m_a_x_s_e_q itself should be expressed in decimal.
1376: Values larger than 2176782336 (which corresponds to the
1377: base 36 sequence number ``ZZZZZZ'') will be silently
1378: truncated to 2176782336. The default value is
1379: 2176782336.
1380:
1381: Once the local sequence number reaches the value of
1382: _m_a_x_s_e_q, it will ``roll over'' to zero, after which
1383: ssuuddooeerrss will truncate and re-use any existing I/O log
1384: pathnames.
1385:
1386: This setting is only supported by version 1.8.7 or
1387: higher.
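
     The %{seq} expansion and the maxseq bound described above, as an added
     Python example that is not part of the sudoers manual or the sudo
     sources.  The iolog_path helper and the template string it expands are
     constructed for illustration and handle only the %{seq} and
     %{runas_user} escapes; maxseq is modelled as the value at which the
     counter rolls over to zero, as the text describes.

```python
# Added example (not sudo's own code): how the %{seq} escape used by
# iolog_dir / iolog_file is rendered and how maxseq bounds and rolls it over.
import string

BASE36_DIGITS = string.digits + string.ascii_uppercase  # 0-9 then A-Z
SEQ_DIGITS = 6                 # %{seq} is rendered as six base-36 digits
SEQ_LIMIT = 36 ** SEQ_DIGITS   # 2176782336: larger maxseq values are truncated to this


def seq_to_base36(seq: int) -> str:
    """Render a sequence number as the six-digit base-36 string used by %{seq}."""
    if not 0 <= seq < SEQ_LIMIT:
        raise ValueError("sequence number does not fit in six base-36 digits")
    digits = []
    for _ in range(SEQ_DIGITS):
        seq, rem = divmod(seq, 36)
        digits.append(BASE36_DIGITS[rem])
    return "".join(reversed(digits))


def base36_to_seq(text: str) -> int:
    """Inverse of seq_to_base36; maps a TSID such as 0100A5 back to its number."""
    return int(text, 36)


def seq_to_path(seq: int) -> str:
    """Split the base-36 string into directories two digits at a time: 0100A5 -> 01/00/A5."""
    s = seq_to_base36(seq)
    return "/".join(s[i:i + 2] for i in range(0, SEQ_DIGITS, 2))


def effective_maxseq(maxseq: int) -> int:
    """maxseq values above SEQ_LIMIT are silently truncated, as the manual says."""
    return min(maxseq, SEQ_LIMIT)


def next_seq(current: int, maxseq: int = SEQ_LIMIT) -> int:
    """Advance the local sequence number.

    When it reaches maxseq it rolls over to zero, after which existing I/O log
    pathnames would be truncated and re-used; that is the operational reason to
    watch for a wrap on busy hosts.
    """
    nxt = current + 1
    return 0 if nxt >= effective_maxseq(maxseq) else nxt


def iolog_path(template: str, seq: int, runas_user: str = "root") -> str:
    """Expand a constructed iolog_dir/iolog_file template.

    Only %{seq} and %{runas_user} are handled here (an assumption of this
    example); the real plugin supports the full escape list given above.
    """
    return (template.replace("%{seq}", seq_to_path(seq))
                    .replace("%{runas_user}", runas_user))


if __name__ == "__main__":
    sample = base36_to_seq("0100A5")          # the manual's sample sequence number
    print(iolog_path("/var/log/sudo-io/%{runas_user}/%{seq}", sample))
```

     Running the module prints the directory for the manual's sample
     sequence number; because the functions are pure, they can also map a
     TSID taken from a log entry back to its I/O log directory.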

     noexec_file     As of sudo version 1.8.1 this option is no longer
                     supported.  The path to the noexec file should now be
                     set in the sudo.conf(4) file.

     pam_login_service
                     On systems that use PAM for authentication, this is the
                     service name used when the -i option is specified.  The
                     default value is ``sudo''.  See the description of
                     pam_service for more information.

                     This setting is only supported by version 1.8.8 or
                     higher.

     pam_service     On systems that use PAM for authentication, the service
                     name specifies the PAM policy to apply.  This usually
                     corresponds to an entry in the pam.conf file or a file
                     in the /etc/pam.d directory.  The default value is
                     ``sudo''.

                     This setting is only supported by version 1.8.8 or
                     higher.

     passprompt      The default prompt to use when asking for a password;
                     can be overridden via the -p option or the SUDO_PROMPT
                     environment variable.  The following percent (`%')
                     escape sequences are supported:

                     %H    expanded to the local host name including the
                           domain name (only if the machine's host name is
                           fully qualified or the fqdn option is set)

                     %h    expanded to the local host name without the
                           domain name

                     %p    expanded to the user whose password is being
                           asked for (respects the rootpw, targetpw and
                           runaspw flags in sudoers)

                     %U    expanded to the login name of the user the
                           command will be run as (defaults to root)

                     %u    expanded to the invoking user's login name

                     %%    two consecutive % characters are collapsed into a
                           single % character

                     The default value is ``Password:''.

     privs           The default Solaris privileges to use when constructing
                     a new privilege set for a command.  This is passed to
                     the executing process via the inherited privilege set,
                     but is bounded by the limit privileges.  If the privs
                     option is specified but the limitprivs option is not,
                     the limit privileges of the executing process are set
                     to privs.  The default privileges may be overridden on
                     a per-command basis in sudoers.  This option is only
                     available if sudoers is built on Solaris 10 or higher.

     role            The default SELinux role to use when constructing a new
                     security context to run the command.  The default role
                     may be overridden on a per-command basis in sudoers or
                     via command line options.  This option is only
                     available when sudo is built with SELinux support.

     runas_default   The default user to run commands as if the -u option is
                     not specified on the command line.  This defaults to
                     root.

     syslog_badpri   Syslog priority to use when the user authenticates
                     unsuccessfully.  Defaults to alert.

                     The following syslog priorities are supported: alert,
                     crit, debug, emerg, err, info, notice, and warning.

     syslog_goodpri  Syslog priority to use when the user authenticates
                     successfully.  Defaults to notice.

                     See syslog_badpri for the list of supported syslog
                     priorities.

     sudoers_locale  Locale to use when parsing the sudoers file, logging
                     commands, and sending email.  Note that changing the
                     locale may affect how sudoers is interpreted.  Defaults
                     to ``C''.

     timestampdir    The directory in which sudo stores its time stamp
                     files.  The default is /var/adm/sudo.

     timestampowner  The owner of the time stamp directory and the time
                     stamps stored therein.  The default is root.

     type            The default SELinux type to use when constructing a new
                     security context to run the command.  The default type
                     may be overridden on a per-command basis in sudoers or
                     via command line options.  This option is only
                     available when sudo is built with SELinux support.

   Strings that can be used in a boolean context:

     env_file        The env_file option specifies the fully qualified path to
                     a file containing variables to be set in the environment
                     of the program being run.  Entries in this file should
                     either be of the form ``VARIABLE=value'' or ``export
                     VARIABLE=value''.  The value may optionally be surrounded
                     by single or double quotes.  Variables in this file are
                     subject to other sudo environment settings such as
                     env_keep and env_check.

     exempt_group    Users in this group are exempt from password and PATH
                     requirements.  The group name specified should not
                     include a % prefix.  This is not set by default.

     group_plugin    A string containing a sudoers group plugin with optional
                     arguments.  The string should consist of the plugin path,
                     either fully-qualified or relative to the
                     /usr/local/libexec/sudo directory, followed by any
                     configuration arguments the plugin requires.  These
                     arguments (if any) will be passed to the plugin's
                     initialization function.  If arguments are present, the
                     string must be enclosed in double quotes ("").

                     For more information see GROUP PROVIDER PLUGINS.

     lecture         This option controls when a short lecture will be printed
                     along with the password prompt.  It has the following
                     possible values:

                     always  Always lecture the user.

                     never   Never lecture the user.

                     once    Only lecture the user the first time they run
                             sudo.

                     If no value is specified, a value of once is implied.
                     Negating the option results in a value of never being
                     used.  The default value is once.

     lecture_file    Path to a file containing an alternate sudo lecture that
                     will be used in place of the standard lecture if the
                     named file exists.  By default, sudo uses a built-in
                     lecture.

     listpw          This option controls when a password will be required
                     when a user runs sudo with the -l option.  It has the
                     following possible values:

                     all     All the user's sudoers entries for the current
                             host must have the NOPASSWD flag set to avoid
                             entering a password.

                     always  The user must always enter a password to use the
                             -l option.

                     any     At least one of the user's sudoers entries for
                             the current host must have the NOPASSWD flag set
                             to avoid entering a password.

                     never   The user need never enter a password to use the
                             -l option.

                     If no value is specified, a value of any is implied.
                     Negating the option results in a value of never being
                     used.  The default value is any.

     logfile         Path to the sudo log file (not the syslog log file).
                     Setting a path turns on logging to a file; negating this
                     option turns it off.  By default, sudo logs via syslog.

     mailerflags     Flags to use when invoking mailer.  Defaults to -t.

     mailerpath      Path to mail program used to send warning mail.  Defaults
                     to the path to sendmail found at configure time.

     mailfrom        Address to use for the ``from'' address when sending
                     warning and error mail.  The address should be enclosed
                     in double quotes ("") to protect against sudo
                     interpreting the @ sign.  Defaults to the name of the
                     user running sudo.

     mailto          Address to send warning and error mail to.  The address
                     should be enclosed in double quotes ("") to protect
                     against sudo interpreting the @ sign.  Defaults to root.

     secure_path     Path used for every command run from sudo.  If you don't
                     trust the people running sudo to have a sane PATH
                     environment variable you may want to use this.  Another
                     use is if you want to have the ``root path'' be separate
                     from the ``user path''.  Users in the group specified by
                     the exempt_group option are not affected by secure_path.
                     This option is not set by default.

     syslog          Syslog facility if syslog is being used for logging
                     (negate to disable syslog logging).  Defaults to auth.

                     The following syslog facilities are supported: authpriv
                     (if your OS supports it), auth, daemon, user, local0,
                     local1, local2, local3, local4, local5, local6, and
                     local7.

     verifypw        This option controls when a password will be required
                     when a user runs sudo with the -v option.  It has the
                     following possible values:

                     all     All the user's sudoers entries for the current
                             host must have the NOPASSWD flag set to avoid
                             entering a password.

                     always  The user must always enter a password to use the
                             -v option.

                     any     At least one of the user's sudoers entries for
                             the current host must have the NOPASSWD flag set
                             to avoid entering a password.

                     never   The user need never enter a password to use the
                             -v option.

                     If no value is specified, a value of all is implied.
                     Negating the option results in a value of never being
                     used.  The default value is all.

   Lists that can be used in a boolean context:

     env_check       Environment variables to be removed from the user's
                     environment if the variable's value contains `%' or `/'
                     characters.  This can be used to guard against printf-
                     style format vulnerabilities in poorly-written
                     programs.  The argument may be a double-quoted, space-
                     separated list or a single value without double-quotes.
                     The list can be replaced, added to, deleted from, or
                     disabled by using the =, +=, -=, and ! operators
                     respectively.  Regardless of whether the env_reset
                     option is enabled or disabled, variables specified by
                     env_check will be preserved in the environment if they
                     pass the aforementioned check.  The default list of
                     environment variables to check is displayed when sudo
                     is run by root with the -V option.

     env_delete      Environment variables to be removed from the user's
                     environment when the env_reset option is not in effect.
                     The argument may be a double-quoted, space-separated
                     list or a single value without double-quotes.  The list
                     can be replaced, added to, deleted from, or disabled by
                     using the =, +=, -=, and ! operators respectively.  The
                     default list of environment variables to remove is
                     displayed when sudo is run by root with the -V option.
                     Note that many operating systems will remove
                     potentially dangerous variables from the environment of
                     any setuid process (such as sudo).

     env_keep        Environment variables to be preserved in the user's
                     environment when the env_reset option is in effect.
                     This allows fine-grained control over the environment
                     sudo-spawned processes will receive.  The argument may
                     be a double-quoted, space-separated list or a single
                     value without double-quotes.  The list can be replaced,
                     added to, deleted from, or disabled by using the =, +=,
                     -=, and ! operators respectively.  The default list of
                     variables to keep is displayed when sudo is run by root
                     with the -V option.
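
     The interaction of env_reset with the env_keep, env_check and env_delete
     lists described above, as an added Python example that is not sudo's own
     code.  The sample environment, the Defaults values applied to it and the
     helper names are constructed for illustration, and the example models
     only the filtering rules given in this section, not the rest of sudo's
     environment handling.

```python
# Added example (not the sudo implementation): models how env_reset and the
# env_keep / env_check / env_delete lists decide which of the invoking user's
# environment variables reach the command.
import re
from typing import Dict, Iterable, List, Set

# The manual names `%' and `/' as the characters that fail the env_check test.
UNSAFE_CHARS = re.compile(r"[%/]")


def apply_list_op(current: Set[str], op: str, values: Iterable[str] = ()) -> Set[str]:
    """Apply one Defaults list operator: '=' replaces, '+=' adds, '-=' removes, '!' disables."""
    values = set(values)
    if op == "=":
        return values
    if op == "+=":
        return current | values
    if op == "-=":
        return current - values
    if op == "!":
        return set()
    raise ValueError(f"unknown list operator {op!r}")


def parse_list_value(text: str) -> List[str]:
    """A list argument is a double-quoted, space-separated list or a single bare value."""
    text = text.strip()
    if len(text) >= 2 and text.startswith('"') and text.endswith('"'):
        return text[1:-1].split()
    return [text]


def passes_check(value: str) -> bool:
    """An env_check variable survives only if its value contains neither '%' nor '/'."""
    return UNSAFE_CHARS.search(value) is None


def filter_environment(env: Dict[str, str], *, env_reset: bool,
                       env_keep: Set[str], env_check: Set[str],
                       env_delete: Set[str]) -> Dict[str, str]:
    """Return the environment the command would receive under these settings.

    env_check variables are kept if and only if they pass the check, whether or
    not env_reset is on.  With env_reset on, everything else is dropped unless
    it is on env_keep; with env_reset off, everything else is kept unless it is
    on env_delete.
    """
    result: Dict[str, str] = {}
    for name, value in env.items():
        if name in env_check:
            if passes_check(value):
                result[name] = value
        elif env_reset:
            if name in env_keep:
                result[name] = value
        elif name not in env_delete:
            result[name] = value
    return result


# Constructed sample environment for a stand-alone run.
SAMPLE_ENV = {
    "HOME": "/home/alice",
    "DISPLAY": ":0",
    "TERM": "xterm",
    "COLORTERM": "truecolor",
    "LC_TIME": "en_US.UTF-8",          # checked variable, passes the check
    "TZ": "Europe/../etc/localtime",    # checked variable, contains '/', so dropped
    "LD_LIBRARY_PATH": "/tmp/lib",      # on the constructed env_delete list
}


def demo(env_reset: bool) -> Dict[str, str]:
    """Apply a constructed sequence of Defaults list settings to SAMPLE_ENV."""
    keep = apply_list_op(set(), "=", parse_list_value('"COLORS DISPLAY HOSTNAME"'))
    keep = apply_list_op(keep, "+=", parse_list_value('"DISPLAY HOME"'))  # as in EXAMPLES
    check = apply_list_op(set(), "=", parse_list_value('"TZ LC_TIME"'))
    delete = apply_list_op(set(), "=", parse_list_value("LD_LIBRARY_PATH"))
    return filter_environment(SAMPLE_ENV, env_reset=env_reset, env_keep=keep,
                              env_check=check, env_delete=delete)


if __name__ == "__main__":
    print("env_reset on: ", sorted(demo(env_reset=True)))
    print("env_reset off:", sorted(demo(env_reset=False)))
```

     Comparing the two runs shows why the manual recommends keeping env_reset
     enabled: with it off, anything not explicitly on env_delete (or failing
     the env_check test) reaches the command unchanged.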

GROUP PROVIDER PLUGINS
     The sudoers plugin supports its own plugin interface to allow non-Unix
     group lookups which can query a group source other than the standard
     Unix group database.  This can be used to implement support for the
     nonunix_group syntax described earlier.

     Group provider plugins are specified via the group_plugin Defaults
     setting.  The argument to group_plugin should consist of the plugin
     path, either fully-qualified or relative to the /usr/local/libexec/sudo
     directory, followed by any configuration options the plugin requires.
     These options (if specified) will be passed to the plugin's
     initialization function.  If options are present, the string must be
     enclosed in double quotes ("").

     The following group provider plugins are installed by default:

     group_file
           The group_file plugin supports an alternate group file that uses
           the same syntax as the /etc/group file.  The path to the group
           file should be specified as an option to the plugin.  For
           example, if the group file to be used is /etc/sudo-group:

                 Defaults group_plugin="group_file.so /etc/sudo-group"

     system_group
           The system_group plugin supports group lookups via the standard C
           library functions getgrnam() and getgrgid().  This plugin can be
           used in instances where the user belongs to groups not present
           in the user's supplemental group vector.  This plugin takes no
           options:

                 Defaults group_plugin=system_group.so

     The group provider plugin API is described in detail in sudo_plugin(1m).

LOG FORMAT
     sudoers can log events using either syslog(3) or a simple log file.  In
     each case the log format is almost identical.

   Accepted command log entries
     Commands that sudo runs are logged using the following format (split
     into multiple lines for readability):

         date hostname progname: username : TTY=ttyname ; PWD=cwd ; \
             USER=runasuser ; GROUP=runasgroup ; TSID=logid ; \
             ENV=env_vars COMMAND=command

     Where the fields are as follows:

     date         The date the command was run.  Typically, this is in the
                  format ``MMM, DD, HH:MM:SS''.  If logging via syslog(3),
                  the actual date format is controlled by the syslog daemon.
                  If logging to a file and the log_year option is enabled,
                  the date will also include the year.

     hostname     The name of the host sudo was run on.  This field is only
                  present when logging via syslog(3).

     progname     The name of the program, usually sudo or sudoedit.  This
                  field is only present when logging via syslog(3).

     username     The login name of the user who ran sudo.

     ttyname      The short name of the terminal (e.g. ``console'',
                  ``tty01'', or ``pts/0'') sudo was run on, or ``unknown'' if
                  there was no terminal present.

     cwd          The current working directory that sudo was run in.

     runasuser    The user the command was run as.

     runasgroup   The group the command was run as if one was specified on
                  the command line.

     logid        An I/O log identifier that can be used to replay the
                  command's output.  This is only present when the log_input
                  or log_output option is enabled.

     env_vars     A list of environment variables specified on the command
                  line, if specified.

     command      The actual command that was executed.

     Messages are logged using the locale specified by sudoers_locale, which
     defaults to the ``C'' locale.

   Denied command log entries
     If the user is not allowed to run the command, the reason for the denial
     will follow the user name.  Possible reasons include:

     user NOT in sudoers
         The user is not listed in the sudoers file.

     user NOT authorized on host
         The user is listed in the sudoers file but is not allowed to run
         commands on the host.

     command not allowed
         The user is listed in the sudoers file for the host but they are
         not allowed to run the specified command.

     3 incorrect password attempts
         The user failed to enter their password after 3 tries.  The actual
         number of tries will vary based on the number of failed attempts
         and the value of the passwd_tries option.

     a password is required
         sudo's -n option was specified but a password was required.

     sorry, you are not allowed to set the following environment variables
         The user specified environment variables on the command line that
         were not allowed by sudoers.

   Error log entries
     If an error occurs, sudoers will log a message and, in most cases, send
     a message to the administrator via email.  Possible errors include:

     parse error in /etc/sudoers near line N
         sudoers encountered an error when parsing the specified file.  In
         some cases, the actual error may be one line above or below the
         line number listed, depending on the type of error.

     problem with defaults entries
         The sudoers file contains one or more unknown Defaults settings.
         This does not prevent sudo from running, but the sudoers file
         should be checked using visudo.

     timestamp owner (username): No such user
         The time stamp directory owner, as specified by the timestampowner
         setting, could not be found in the password database.

     unable to open/read /etc/sudoers
         The sudoers file could not be opened for reading.  This can happen
         when the sudoers file is located on a remote file system that maps
         user ID 0 to a different value.  Normally, sudoers tries to open
         sudoers using group permissions to avoid this problem.  Consider
         either changing the ownership of /etc/sudoers or adding an argument
         like ``sudoers_uid=N'' (where `N' is the user ID that owns the
         sudoers file) to the end of the sudoers Plugin line in the
         sudo.conf(4) file.

     unable to stat /etc/sudoers
         The /etc/sudoers file is missing.

     /etc/sudoers is not a regular file
         The /etc/sudoers file exists but is not a regular file or symbolic
         link.

     /etc/sudoers is owned by uid N, should be 0
         The sudoers file has the wrong owner.  If you wish to change the
         sudoers file owner, please add ``sudoers_uid=N'' (where `N' is the
         user ID that owns the sudoers file) to the sudoers Plugin line in
         the sudo.conf(4) file.

     /etc/sudoers is world writable
         The permissions on the sudoers file allow all users to write to it.
         The sudoers file must not be world-writable; the default file mode
         is 0440 (readable by owner and group, writable by none).  The
         default mode may be changed via the ``sudoers_mode'' option to the
         sudoers Plugin line in the sudo.conf(4) file.

     /etc/sudoers is owned by gid N, should be 1
         The sudoers file has the wrong group ownership.  If you wish to
         change the sudoers file group ownership, please add
         ``sudoers_gid=N'' (where `N' is the group ID that owns the sudoers
         file) to the sudoers Plugin line in the sudo.conf(4) file.

     unable to open /var/adm/sudo/username/ttyname
         sudoers was unable to read or create the user's time stamp file.

     unable to write to /var/adm/sudo/username/ttyname
         sudoers was unable to write to the user's time stamp file.

     unable to mkdir to /var/adm/sudo/username
         sudoers was unable to create the user's time stamp directory.
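
     An offline audit of the ownership and mode conditions behind the
     /etc/sudoers error messages listed above, as an added Python example that
     is not sudo's own check.  FileFacts, check_sudoers and facts_from_path are
     names introduced here; the default expected values (uid 0, gid 1, mode
     0440) are the ones the manual gives and correspond to the sudoers_uid,
     sudoers_gid and sudoers_mode arguments of the Plugin line.

```python
# Added example (not sudo's own code): reproduces the file checks whose
# failures appear as the Error log entries above, so an administrator can
# verify the sudoers file, or a copy of it, before sudo refuses to run.
import os
import stat
from typing import List, NamedTuple


class FileFacts(NamedTuple):
    """The subset of stat(2) results the checks need; constructed or taken from os.stat()."""
    exists: bool
    is_regular: bool
    uid: int
    gid: int
    mode: int          # permission bits only, e.g. 0o440


def facts_from_path(path: str) -> FileFacts:
    """Gather FileFacts for a real file, following symbolic links as sudoers does."""
    try:
        st = os.stat(path)
    except FileNotFoundError:
        return FileFacts(exists=False, is_regular=False, uid=-1, gid=-1, mode=0)
    return FileFacts(exists=True, is_regular=stat.S_ISREG(st.st_mode),
                     uid=st.st_uid, gid=st.st_gid, mode=stat.S_IMODE(st.st_mode))


def check_sudoers(facts: FileFacts, path: str = "/etc/sudoers",
                  sudoers_uid: int = 0, sudoers_gid: int = 1,
                  sudoers_mode: int = 0o440) -> List[str]:
    """Return the diagnostics sudoers would log for this file; empty if all pass.

    sudoers_mode is accepted for completeness (it is the mode the manual says the
    file is expected to have); the world-writable test below is the one the
    manual describes as fatal.
    """
    problems: List[str] = []
    if not facts.exists:
        return [f"unable to stat {path}"]
    if not facts.is_regular:
        problems.append(f"{path} is not a regular file")
    if facts.uid != sudoers_uid:
        problems.append(f"{path} is owned by uid {facts.uid}, should be {sudoers_uid}")
    if facts.mode & stat.S_IWOTH:
        problems.append(f"{path} is world writable")
    if facts.gid != sudoers_gid:
        problems.append(f"{path} is owned by gid {facts.gid}, should be {sudoers_gid}")
    return problems


if __name__ == "__main__":
    # Constructed stat results: a correct file and a mis-owned, world-writable one.
    good = FileFacts(exists=True, is_regular=True, uid=0, gid=1, mode=0o440)
    bad = FileFacts(exists=True, is_regular=True, uid=1000, gid=1, mode=0o446)
    print("good:", check_sudoers(good) or "no problems")
    print("bad: ", check_sudoers(bad))
```

     On a live system, facts_from_path("/etc/sudoers") feeds the same check,
     and the sudoers_uid and sudoers_gid parameters can be set to whatever the
     Plugin line in sudo.conf(4) specifies.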

   Notes on logging via syslog
     By default, sudoers logs messages via syslog(3).  The date, hostname,
     and progname fields are added by the syslog daemon, not sudoers itself.
     As such, they may vary in format on different systems.

     On most systems, syslog(3) has a relatively small log buffer.  To
     prevent the command line arguments from being truncated, sudoers will
     split up log messages that are larger than 960 characters (not
     including the date, hostname, and the string ``sudo'').  When a message
     is split, additional parts will include the string ``(command
     continued)'' after the user name and before the continued command line
     arguments.

   Notes on logging to a file
     If the logfile option is set, sudoers will log to a local file, such as
     /var/log/sudo.  When logging to a file, sudoers uses a format similar
     to syslog(3), with a few important differences:

     1.   The progname and hostname fields are not present.

     2.   If the log_year option is enabled, the date will also include the
          year.

     3.   Lines that are longer than loglinelen characters (80 by default)
          are word-wrapped and continued on the next line with a four
          character indent.  This makes entries easier to read for a human
          being, but makes it more difficult to use grep(1) on the log
          files.  If the loglinelen option is set to 0 (or negated with a
          `!'), word wrap will be disabled.
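
     A parser for the file log format described in the LOG FORMAT sections
     above, as an added Python example that is not part of sudo.  The sample
     log lines are constructed (log_year enabled, word wrap at the default
     loglinelen), and the parser first undoes the four-character continuation
     indent so that each entry can be searched as a whole record, which is
     the difficulty with grep(1) that point 3 describes.

```python
# Added example (not sudo's own code): parse entries from the sudoers file
# log (the logfile option), rejoining loglinelen continuation lines first.
import re
from dataclasses import dataclass, field
from typing import Dict, Iterable, Iterator, List, Optional

CONTINUATION_INDENT = "    "   # wrapped lines continue with a four-character indent

# date [year] : username : <optional denial reason ;> KEY=value ; ... COMMAND=...
ENTRY_RE = re.compile(
    r"^(?P<date>[A-Z][a-z]{2} +\d{1,2} +\d\d:\d\d:\d\d(?: \d{4})?) : "
    r"(?P<user>\S+) : (?P<rest>.*)$"
)
KNOWN_FIELDS = ("TTY", "PWD", "USER", "GROUP", "TSID", "ENV")


@dataclass
class SudoLogEntry:
    date: str
    user: str
    reason: Optional[str] = None               # denial reason, None when accepted
    fields: Dict[str, str] = field(default_factory=dict)
    command: Optional[str] = None

    @property
    def accepted(self) -> bool:
        return self.reason is None and self.command is not None


def join_wrapped_lines(lines: Iterable[str]) -> Iterator[str]:
    """Undo word wrapping: an indented line belongs to the entry before it."""
    current: Optional[str] = None
    for raw in lines:
        line = raw.rstrip("\n")
        if not line.strip():
            continue
        if line.startswith(CONTINUATION_INDENT) and current is not None:
            current += " " + line.strip()
        else:
            if current is not None:
                yield current
            current = line
    if current is not None:
        yield current


def parse_entry(line: str) -> Optional[SudoLogEntry]:
    """Parse one unwrapped entry; returns None for lines that are not sudo entries."""
    m = ENTRY_RE.match(line)
    if m is None:
        return None
    entry = SudoLogEntry(date=m["date"], user=m["user"])
    rest = m["rest"]
    # COMMAND is always last and its arguments may contain " ; ", so split it off first.
    idx = rest.find("COMMAND=")
    if idx != -1:
        entry.command = rest[idx + len("COMMAND="):].strip()
        rest = rest[:idx]
    for part in (p.strip() for p in rest.split(" ; ")):
        if not part:
            continue
        key, sep, value = part.partition("=")
        if sep and key in KNOWN_FIELDS:
            entry.fields[key] = value
        elif not sep and entry.reason is None:
            entry.reason = part        # a bare phrase after the user name is the denial reason
    return entry


def parse_log(text: str) -> List[SudoLogEntry]:
    entries: List[SudoLogEntry] = []
    for line in join_wrapped_lines(text.splitlines()):
        entry = parse_entry(line)
        if entry is not None:
            entries.append(entry)
    return entries


def denied_entries(entries: Iterable[SudoLogEntry]) -> List[SudoLogEntry]:
    """Denied or failed entries are the ones a reviewer usually wants to see first."""
    return [e for e in entries if e.reason is not None]


# Constructed sample log (log_year enabled, loglinelen wrapping in effect).
SAMPLE_LOG = """\
Jul 20 14:22:03 2013 : alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ;
    COMMAND=/usr/bin/ls /etc
Jul 20 14:23:11 2013 : bob : command not allowed ; TTY=pts/1 ; PWD=/home/bob ;
    USER=root ; COMMAND=/usr/sbin/reboot
Jul 20 14:25:40 2013 : carol : TTY=pts/2 ; PWD=/srv/backup ; USER=operator ;
    GROUP=adm ; TSID=0100A5 ; ENV=BACKUP_LEVEL=full
    COMMAND=/home/operator/bin/start_backups
Jul 20 14:26:02 2013 : dave : 3 incorrect password attempts ; TTY=pts/3 ;
    PWD=/home/dave ; USER=root ; COMMAND=/usr/bin/id
"""

if __name__ == "__main__":
    for e in denied_entries(parse_log(SAMPLE_LOG)):
        print(f"{e.date} {e.user}: {e.reason} ({e.command})")
```

     The TSID field carries the %{seq} value of the matching I/O log, so the
     parsed entries can be joined to the I/O log directory tree when a
     session needs to be replayed.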
1.1 misho 1850:
1851: FFIILLEESS
1.1.1.3 misho 1852: _/_e_t_c_/_s_u_d_o_._c_o_n_f Sudo front end configuration
1.1.1.2 misho 1853:
1.1.1.3 misho 1854: _/_e_t_c_/_s_u_d_o_e_r_s List of who can run what
1.1 misho 1855:
1.1.1.3 misho 1856: _/_e_t_c_/_g_r_o_u_p Local groups file
1.1 misho 1857:
1.1.1.3 misho 1858: _/_e_t_c_/_n_e_t_g_r_o_u_p List of network groups
1.1 misho 1859:
1.1.1.3 misho 1860: _/_v_a_r_/_l_o_g_/_s_u_d_o_-_i_o I/O log files
1.1 misho 1861:
1.1.1.3 misho 1862: _/_v_a_r_/_a_d_m_/_s_u_d_o Directory containing time stamps for the
1.1 misho 1863: _s_u_d_o_e_r_s security policy
1864:
1.1.1.3 misho 1865: _/_e_t_c_/_e_n_v_i_r_o_n_m_e_n_t Initial environment for --ii mode on AIX and
1.1.1.2 misho 1866: Linux systems
1.1 misho 1867:
EXAMPLES
     Below are example sudoers entries.  Admittedly, some of these are a bit
     contrived.  First, we allow a few environment variables to pass and then
     define our aliases:

          # Run X applications through sudo; HOME is used to find the
          # .Xauthority file.  Note that other programs use HOME to find
          # configuration files and this may lead to privilege escalation!
          Defaults env_keep += "DISPLAY HOME"

          # User alias specification
          User_Alias     FULLTIMERS = millert, mikef, dowdy
          User_Alias     PARTTIMERS = bostley, jwfox, crawl
          User_Alias     WEBMASTERS = will, wendy, wim

          # Runas alias specification
          Runas_Alias    OP = root, operator
          Runas_Alias    DB = oracle, sybase
          Runas_Alias    ADMINGRP = adm, oper

          # Host alias specification
          Host_Alias     SPARC = bigtime, eclipse, moet, anchor :\
                         SGI = grolsch, dandelion, black :\
                         ALPHA = widget, thalamus, foobar :\
                         HPPA = boa, nag, python
          Host_Alias     CUNETS = 128.138.0.0/255.255.0.0
          Host_Alias     CSNETS = 128.138.243.0, 128.138.204.0/24, 128.138.242.0
          Host_Alias     SERVERS = master, mail, www, ns
          Host_Alias     CDROM = orion, perseus, hercules

          # Cmnd alias specification
          Cmnd_Alias     DUMPS = /usr/bin/mt, /usr/sbin/dump, /usr/sbin/rdump,\
                         /usr/sbin/restore, /usr/sbin/rrestore,\
                         sha224:0GomF8mNN3wlDt1HD9XldjJ3SNgpFdbjO1+NsQ== \
                         /home/operator/bin/start_backups
          Cmnd_Alias     KILL = /usr/bin/kill
          Cmnd_Alias     PRINTING = /usr/sbin/lpc, /usr/bin/lprm
          Cmnd_Alias     SHUTDOWN = /usr/sbin/shutdown
          Cmnd_Alias     HALT = /usr/sbin/halt
          Cmnd_Alias     REBOOT = /usr/sbin/reboot
          Cmnd_Alias     SHELLS = /usr/bin/sh, /usr/bin/csh, /usr/bin/ksh,\
                         /usr/local/bin/tcsh, /usr/bin/rsh,\
                         /usr/local/bin/zsh
          Cmnd_Alias     SU = /usr/bin/su
          Cmnd_Alias     PAGERS = /usr/bin/more, /usr/bin/pg, /usr/bin/less

     Here we override some of the compiled-in default values.  We want sudo to
     log via syslog(3) using the auth facility in all cases.  We don't want to
     subject the full time staff to the sudo lecture, user millert need not
     give a password, and we don't want to reset the LOGNAME, USER or USERNAME
     environment variables when running commands as root.  Additionally, on
     the machines in the SERVERS Host_Alias, we keep an additional local log
     file and make sure we log the year in each log line since the log entries
     will be kept around for several years.  Lastly, we disable shell escapes
     for the commands in the PAGERS Cmnd_Alias (/usr/bin/more, /usr/bin/pg and
     /usr/bin/less).  Note that this will not effectively constrain users with
     sudo ALL privileges.

          # Override built-in defaults
          Defaults               syslog=auth
          Defaults>root          !set_logname
          Defaults:FULLTIMERS    !lecture
          Defaults:millert       !authenticate
          Defaults@SERVERS       log_year, logfile=/var/log/sudo.log
          Defaults!PAGERS        noexec

     The User specification is the part that actually determines who may run
     what.

          root           ALL = (ALL) ALL
          %wheel         ALL = (ALL) ALL

     We let root and any user in group wheel run any command on any host as
     any user.

          FULLTIMERS     ALL = NOPASSWD: ALL

     Full time sysadmins (millert, mikef, and dowdy) may run any command on
     any host without authenticating themselves.

          PARTTIMERS     ALL = ALL

     Part time sysadmins (bostley, jwfox, and crawl) may run any command on any
     host but they must authenticate themselves first (since the entry lacks
     the NOPASSWD tag).

          jack           CSNETS = ALL

     The user jack may run any command on the machines in the CSNETS alias
     (the networks 128.138.243.0, 128.138.204.0, and 128.138.242.0).  Of those
     networks, only 128.138.204.0 has an explicit netmask (in CIDR notation)
     indicating it is a class C network.  For the other networks in CSNETS,
     the local machine's netmask will be used during matching.

          lisa           CUNETS = ALL

     The user lisa may run any command on any host in the CUNETS alias (the
     class B network 128.138.0.0).
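     The following is an added example, not code from the sudo project, that
     reproduces the host matching described for CSNETS and CUNETS: an entry
     with an explicit netmask (CIDR or dotted) is matched as written, an entry
     without one is matched with the local machine's netmask, which is passed
     in as a parameter here (an assumption of this example).

```python
import ipaddress

# Constructed from the Host_Alias lines above.
CSNETS = ["128.138.243.0", "128.138.204.0/24", "128.138.242.0"]
CUNETS = ["128.138.0.0/255.255.0.0"]


def host_network(spec, local_netmask):
    """Turn one Host_Alias network entry into an ip_network.

    spec is "a.b.c.d", "a.b.c.d/prefix" or "a.b.c.d/w.x.y.z".  An entry
    without a mask is matched with local_netmask, which stands in for the
    netmask of the machine evaluating the policy (an assumption here).
    """
    if "/" in spec:
        addr, mask = spec.split("/", 1)
    else:
        addr, mask = spec, local_netmask
    # strict=False tolerates host bits in the address part, so that
    # "128.138.243.0" still parses when the local netmask is /16.
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)


def matching_entries(address, alias, local_netmask="255.255.255.0"):
    """Entries of alias that address falls into, for explaining a decision."""
    ip = ipaddress.ip_address(address)
    return [s for s in alias if ip in host_network(s, local_netmask)]


def host_matches(address, alias, local_netmask="255.255.255.0"):
    """True if the host with this address is covered by the alias."""
    return bool(matching_entries(address, alias, local_netmask))


if __name__ == "__main__":
    # The same address can match or not depending on the local netmask.
    for mask in ("255.255.255.0", "255.255.0.0"):
        print(mask, host_matches("128.138.1.1", CSNETS, mask))
```

     Note how 128.138.1.1 is outside CSNETS on a machine with a /24 netmask
     but inside it on a machine with a /16 netmask, so the effective reach of
     a maskless entry changes from host to host.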
1.1 misho 1966:
1.1.1.3 misho 1967: operator ALL = DUMPS, KILL, SHUTDOWN, HALT, REBOOT, PRINTING,\
1968: sudoedit /etc/printcap, /usr/oper/bin/
1.1 misho 1969:
1.1.1.3 misho 1970: The ooppeerraattoorr user may run commands limited to simple maintenance. Here,
1971: those are commands related to backups, killing processes, the printing
1972: system, shutting down the system, and any commands in the directory
1.1.1.4 misho 1973: _/_u_s_r_/_o_p_e_r_/_b_i_n_/. Note that one command in the DUMPS Cmnd_Alias includes a
1974: sha224 digest, _/_h_o_m_e_/_o_p_e_r_a_t_o_r_/_b_i_n_/_s_t_a_r_t___b_a_c_k_u_p_s. This is because the
1975: directory containing the script is writable by the operator user. If the
1976: script is modified (resulting in a digest mismatch) it will no longer be
1977: possible to run it via ssuuddoo.
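     As an added example (not sudo's own implementation), the check that the
     sha224: prefix stands for: the rule keeps matching only while the file
     still hashes to the recorded digest.  The script contents below are
     constructed for the demonstration, and both the base64 and hex digest
     forms are handled.

```python
import base64
import hashlib
import os
import tempfile

SUPPORTED = ("sha224", "sha256", "sha384", "sha512")


def parse_digest_spec(spec):
    """Split 'algo:value' into (algo, raw digest bytes); value may be hex or base64."""
    algo, sep, value = spec.partition(":")
    if not sep or algo not in SUPPORTED or not value:
        raise ValueError(f"malformed digest spec {spec!r}")
    size = hashlib.new(algo).digest_size
    if len(value) == 2 * size and all(c in "0123456789abcdefABCDEF" for c in value):
        raw = bytes.fromhex(value)
    else:
        raw = base64.b64decode(value, validate=True)
    if len(raw) != size:
        raise ValueError(f"{algo} digest must be {size} bytes, got {len(raw)}")
    return algo, raw


def digest_of_bytes(data, algo="sha224", encoding="base64"):
    """Spec string for data, e.g. 'sha224:<base64>' as pasted into sudoers."""
    raw = hashlib.new(algo, data).digest()
    value = raw.hex() if encoding == "hex" else base64.b64encode(raw).decode("ascii")
    return f"{algo}:{value}"


def digest_spec(path, algo="sha224", encoding="base64"):
    """Spec string for the current contents of the file at path."""
    with open(path, "rb") as f:
        return digest_of_bytes(f.read(), algo, encoding)


def digest_matches(path, spec):
    """True only while the file at path still hashes to the digest in spec."""
    algo, expected = parse_digest_spec(spec)
    with open(path, "rb") as f:
        actual = hashlib.new(algo, f.read()).digest()
    return actual == expected


def demo():
    """Constructed script: record its digest, then edit it and re-check."""
    with tempfile.TemporaryDirectory() as d:
        script = os.path.join(d, "start_backups")
        with open(script, "w") as f:
            f.write("#!/bin/sh\nexec /usr/sbin/dump 0uf /dev/nst0 /home\n")
        specs = [digest_spec(script), digest_spec(script, encoding="hex")]
        before = all(digest_matches(script, s) for s in specs)
        with open(script, "a") as f:
            f.write("# edited after the rule was written\n")
        after = any(digest_matches(script, s) for s in specs)
    return before, after


if __name__ == "__main__":
    print(demo())  # expected (True, False)
```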

          joe            ALL = /usr/bin/su operator

     The user joe may only su(1) to operator.

          pete           HPPA = /usr/bin/passwd [A-Za-z]*, !/usr/bin/passwd root

     The user pete is allowed to change anyone's password except for root on
     the HPPA machines.  Note that this assumes passwd(1) does not take
     multiple user names on the command line.

          %opers         ALL = (: ADMINGRP) /usr/sbin/

     Users in the opers group may run commands in /usr/sbin/ as themselves
     with any group in the ADMINGRP Runas_Alias (the adm and oper groups).

          bob            SPARC = (OP) ALL : SGI = (OP) ALL

     The user bob may run anything on the SPARC and SGI machines as any user
     listed in the OP Runas_Alias (root and operator).

          jim            +biglab = ALL

     The user jim may run any command on machines in the biglab netgroup.
     sudo knows that ``biglab'' is a netgroup due to the `+' prefix.

          +secretaries   ALL = PRINTING, /usr/bin/adduser, /usr/bin/rmuser

     Users in the secretaries netgroup need to help manage the printers as
     well as add and remove users, so they are allowed to run those commands
     on all machines.

          fred           ALL = (DB) NOPASSWD: ALL

     The user fred can run commands as any user in the DB Runas_Alias (oracle
     or sybase) without giving a password.

          john           ALPHA = /usr/bin/su [!-]*, !/usr/bin/su *root*

     On the ALPHA machines, user john may su to anyone except root but he is
     not allowed to specify any options to the su(1) command.

          jen            ALL, !SERVERS = ALL

     The user jen may run any command on any machine except for those in the
     SERVERS Host_Alias (master, mail, www and ns).

          jill           SERVERS = /usr/bin/, !SU, !SHELLS

     For any machine in the SERVERS Host_Alias, jill may run any commands in
     the directory /usr/bin/ except for those commands belonging to the SU and
     SHELLS Cmnd_Aliases.  While not specifically mentioned in the rule, the
     commands in the PAGERS Cmnd_Alias all reside in /usr/bin and have the
     noexec option set.

          steve          CSNETS = (operator) /usr/local/op_commands/

     The user steve may run any command in the directory
     /usr/local/op_commands/ but only as user operator.

          matt           valkyrie = KILL

     On his personal workstation, valkyrie, matt needs to be able to kill hung
     processes.

          WEBMASTERS     www = (www) ALL, (root) /usr/bin/su www

     On the host www, any user in the WEBMASTERS User_Alias (will, wendy, and
     wim) may run any command as user www (which owns the web pages) or
     simply su(1) to www.

          ALL            CDROM = NOPASSWD: /sbin/umount /CDROM,\
                         /sbin/mount -o nosuid,nodev /dev/cd0a /CDROM

     Any user may mount or unmount a CD-ROM on the machines in the CDROM
     Host_Alias (orion, perseus, hercules) without entering a password.  This
     is a bit tedious for users to type, so it is a prime candidate for
     encapsulating in a shell script.

SECURITY NOTES
   Limitations of the `!' operator
     It is generally not effective to ``subtract'' commands from ALL using the
     `!' operator.  A user can trivially circumvent this by copying the
     desired command to a different name and then executing that.  For
     example:

          bill           ALL = ALL, !SU, !SHELLS

     Doesn't really prevent bill from running the commands listed in SU or
     SHELLS since he can simply copy those commands to a different name, or
     use a shell escape from an editor or other program.  Therefore, these
     kinds of restrictions should be considered advisory at best (and
     reinforced by policy).

     In general, if a user has sudo ALL there is nothing to prevent them from
     creating their own program that gives them a root shell (or making their
     own copy of a shell) regardless of any `!' elements in the user
     specification.

   Security implications of fast_glob
     If the fast_glob option is in use, it is not possible to reliably negate
     commands where the path name includes globbing (aka wildcard) characters.
     This is because the C library's fnmatch(3) function cannot resolve
     relative paths.  While this is typically only an inconvenience for rules
     that grant privileges, it can result in a security issue for rules that
     subtract or revoke privileges.

     For example, given the following sudoers entry:

          john           ALL = /usr/bin/passwd [a-zA-Z0-9]*, /usr/bin/chsh [a-zA-Z0-9]*,\
                         /usr/bin/chfn [a-zA-Z0-9]*, !/usr/bin/* root

     User john can still run /usr/bin/passwd root if fast_glob is enabled by
     changing to /usr/bin and running ./passwd root instead.
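
     The following is an added example, not part of sudo or visudo, that
     checks a user specification for the two patterns both subsections above
     warn about: `!' entries that subtract from ALL, and negated entries whose
     path contains glob characters when fast_glob is enabled.  It reads only
     the simple one-line spec shape used in this manual; Cmnd_Alias names are
     reported as written, not expanded.

```python
import re

GLOB_CHARS = set("*?[")


def split_commands(spec):
    """Command entries of one 'user host = (runas) TAG: cmd, cmd' spec.

    Runas groups and TAG: prefixes are dropped; commas inside command
    arguments (as in mount -o nosuid,nodev) are not handled.
    """
    _, _, rhs = spec.partition("=")
    entries = []
    for item in rhs.split(","):
        item = re.sub(r"\([^)]*\)", "", item)       # drop (runas) groups
        item = re.sub(r"\b[A-Z]+:\s*", "", item)    # drop NOPASSWD:, NOEXEC:, ...
        item = item.strip()
        if item:
            entries.append(item)
    return entries


def lint_user_spec(line, fast_glob=False):
    """Warnings for the two patterns the SECURITY NOTES describe."""
    warnings = []
    # A line may hold several specs joined by ' : ' (bob's entry above).
    for spec in re.split(r"\s:\s", line.strip()):
        cmds = split_commands(spec)
        allowed = [c for c in cmds if not c.startswith("!")]
        denied = [c[1:].strip() for c in cmds if c.startswith("!")]
        if "ALL" in allowed and denied:
            warnings.append(
                "negating %s after ALL is advisory only; the commands remain "
                "reachable under another name or via a shell escape" % ", ".join(denied))
        if fast_glob:
            for d in denied:
                path = d.split()[0]
                if GLOB_CHARS & set(path):
                    warnings.append(
                        "'!%s' is not reliably negated with fast_glob: fnmatch(3) "
                        "does not match a relative path against %s" % (d, path))
    return warnings


if __name__ == "__main__":
    for line in ("bill ALL = ALL, !SU, !SHELLS",
                 "john ALL = /usr/bin/passwd [a-zA-Z0-9]*, !/usr/bin/* root"):
        for w in lint_user_spec(line, fast_glob=True):
            print(line, "->", w)
```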

   Preventing shell escapes
     Once sudo executes a program, that program is free to do whatever it
     pleases, including run other programs.  This can be a security issue
     since it is not uncommon for a program to allow shell escapes, which lets
     a user bypass sudo's access control and logging.  Common programs that
     permit shell escapes include shells (obviously), editors, paginators,
     mail and terminal programs.

     There are two basic approaches to this problem:

     restrict  Avoid giving users access to commands that allow the user to
               run arbitrary commands.  Many editors have a restricted mode
               where shell escapes are disabled, though sudoedit is a better
               solution to running editors via sudo.  Due to the large number
               of programs that offer shell escapes, restricting users to the
               set of programs that do not is often unworkable.

     noexec    Many systems that support shared libraries have the ability to
               override default library functions by pointing an environment
               variable (usually LD_PRELOAD) to an alternate shared library.
               On such systems, sudo's noexec functionality can be used to
               prevent a program run by sudo from executing any other
               programs.  Note, however, that this applies only to native
               dynamically-linked executables.  Statically-linked executables
               and foreign executables running under binary emulation are not
               affected.

               The noexec feature is known to work on SunOS, Solaris, *BSD,
               Linux, IRIX, Tru64 UNIX, MacOS X, HP-UX 11.x and AIX 5.3 and
               above.  It should be supported on most operating systems that
               support the LD_PRELOAD environment variable.  Check your
               operating system's manual pages for the dynamic linker (usually
               ld.so, ld.so.1, dyld, dld.sl, rld, or loader) to see if
               LD_PRELOAD is supported.

               On Solaris 10 and higher, noexec uses Solaris privileges
               instead of the LD_PRELOAD environment variable.

               To enable noexec for a command, use the NOEXEC tag as
               documented in the User Specification section above.  Here is
               that example again:

                    aaron          shanty = NOEXEC: /usr/bin/more, /usr/bin/vi

               This allows user aaron to run /usr/bin/more and /usr/bin/vi
               with noexec enabled.  This will prevent those two commands from
               executing other commands (such as a shell).  If you are unsure
               whether or not your system is capable of supporting noexec you
               can always just try it out and check whether shell escapes work
               when noexec is enabled.

     Note that restricting shell escapes is not a panacea.  Programs running
     as root are still capable of many potentially hazardous operations (such
     as changing or overwriting files) that could lead to unintended privilege
     escalation.  In the specific case of an editor, a safer approach is to
     give the user permission to run sudoedit.

   Time stamp file checks
     sudoers will check the ownership of its time stamp directory
     (/var/adm/sudo by default) and ignore the directory's contents if it is
     not owned by root or if it is writable by a user other than root.  On
     systems that allow non-root users to give away files via chown(2), if the
     time stamp directory is located in a world-writable directory (e.g.,
     /tmp), it is possible for a user to create the time stamp directory
     before sudo is run.  However, because sudoers checks the ownership and
     mode of the directory and its contents, the only damage that can be done
     is to ``hide'' files by putting them in the time stamp dir.  This is
     unlikely to happen since once the time stamp dir is owned by root and
     inaccessible by any other user, the user placing files there would be
     unable to get them back out.

     sudoers will not honor time stamps set far in the future.  Time stamps
     with a date greater than current_time + 2 * TIMEOUT will be ignored and
     sudo will log and complain.  This is done to keep a user from creating
     his/her own time stamp with a bogus date on systems that allow users to
     give away files if the time stamp directory is located in a world-
     writable directory.

     On systems where the boot time is available, sudoers will ignore time
     stamps that date from before the machine booted.

     Since time stamp files live in the file system, they can outlive a user's
     login session.  As a result, a user may be able to log in, run a command
     with sudo after authenticating, log out, log in again, and run sudo
     without authenticating so long as the time stamp file's modification time
     is within 5 minutes (or whatever the timeout is set to in sudoers).  When
     the tty_tickets option is enabled, the time stamp has per-tty granularity
     but still may outlive the user's session.  On Linux systems where the
     devpts filesystem is used, Solaris systems with the devices filesystem,
     as well as other systems that utilize a devfs filesystem that
     monotonically increases the inode number of devices as they are created
     (such as Mac OS X), sudoers is able to determine when a tty-based time
     stamp file is stale and will ignore it.  Administrators should not rely
     on this feature as it is not universally available.
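
     The rules above, written out as an added example (not sudo's own code):
     the ownership and mode test for the time stamp directory, and the three
     reasons a time stamp is rejected (too far in the future, older than the
     boot time, or older than the timeout).  The 5-minute default and the
     root_uid parameter are assumptions of this example.

```python
import os
import stat

DEFAULT_TIMEOUT = 5 * 60   # the 5-minute default mentioned above, in seconds
S_IWOTHERS = stat.S_IWGRP | stat.S_IWOTH


def dir_ok(uid, mode, root_uid=0):
    """Ownership/mode rule for the time stamp directory: it must be a
    directory owned by root and not writable by group or others."""
    return stat.S_ISDIR(mode) and uid == root_uid and not (mode & S_IWOTHERS)


def timestamp_dir_usable(path, root_uid=0):
    """Apply dir_ok to a real path; a missing directory is simply unusable."""
    try:
        st = os.stat(path)
    except FileNotFoundError:
        return False
    return dir_ok(st.st_uid, st.st_mode, root_uid)


def timestamp_valid(mtime, now, timeout=DEFAULT_TIMEOUT, boot_time=None):
    """Decide whether a time stamp last modified at mtime still counts at
    time now.  Returns (valid, reason).  The three rejections follow the
    text above: far-future stamps, stamps from before boot, expired stamps."""
    if mtime > now + 2 * timeout:
        return False, "time stamp too far in the future; ignored and logged"
    if boot_time is not None and mtime < boot_time:
        return False, "time stamp predates the last boot"
    if now - mtime > timeout:
        return False, "time stamp older than the timeout"
    return True, "time stamp within the timeout"


if __name__ == "__main__":
    # Constructed clock values: a stamp written 100 s ago, then one written
    # 1000 s in the future with a 300 s timeout (beyond now + 2 * timeout).
    print(timestamp_valid(1000, 1100))
    print(timestamp_valid(2000, 1000, timeout=300))
```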

DEBUGGING
     Versions 1.8.4 and higher of the sudoers plugin support a flexible
     debugging framework that can help track down what the plugin is doing
     internally if there is a problem.  This can be configured in the
     sudo.conf(4) file.

     The sudoers plugin uses the same debug flag format as the sudo front-end:
     subsystem@priority.

     The priorities used by sudoers, in order of decreasing severity, are:
     crit, err, warn, notice, diag, info, trace and debug.  Each priority,
     when specified, also includes all priorities higher than it.  For
     example, a priority of notice would include debug messages logged at
     notice and higher.

     The following subsystems are used by the sudoers plugin:

     alias       User_Alias, Runas_Alias, Host_Alias and Cmnd_Alias processing

     all         matches every subsystem

     audit       BSM and Linux audit code

     auth        user authentication

     defaults    sudoers Defaults settings

     env         environment handling

     ldap        LDAP-based sudoers

     logging     logging support

     match       matching of users, groups, hosts and netgroups in sudoers

     netif       network interface handling

     nss         network service switch handling in sudoers

     parser      sudoers file parsing

     perms       permission setting

     plugin      The equivalent of main for the plugin.

     pty         pseudo-tty related code

     rbtree      redblack tree internals

     util        utility functions

     For example:

          Debug sudo /var/log/sudo_debug match@info,nss@info

     For more information, see the sudo.conf(4) manual.
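
     An added example, not part of sudo, that parses a Debug line of the form
     shown above and applies the priority rule: a configured priority admits
     every message at that priority or a more severe one.  Where both all and
     a specific subsystem are configured, this example takes the more verbose
     of the two; that tie-break is an assumption, not documented behaviour.

```python
PRIORITIES = ["crit", "err", "warn", "notice", "diag", "info", "trace", "debug"]
SUBSYSTEMS = {
    "alias", "all", "audit", "auth", "defaults", "env", "ldap", "logging",
    "match", "netif", "nss", "parser", "perms", "plugin", "pty", "rbtree", "util",
}


def parse_debug_flags(flags):
    """'match@info,nss@info' -> {'match': 'info', 'nss': 'info'}."""
    levels = {}
    for item in flags.split(","):
        item = item.strip()
        if not item:
            continue
        subsystem, sep, priority = item.partition("@")
        if not sep or subsystem not in SUBSYSTEMS or priority not in PRIORITIES:
            raise ValueError(f"bad debug flag {item!r}")
        levels[subsystem] = priority
    return levels


def parse_debug_line(line):
    """Parse a sudo.conf 'Debug <program> <logfile> <flags>' line."""
    fields = line.split(None, 3)
    if len(fields) != 4 or fields[0] != "Debug":
        raise ValueError(f"not a Debug line: {line!r}")
    return {"program": fields[1], "logfile": fields[2],
            "flags": parse_debug_flags(fields[3])}


def should_log(levels, subsystem, priority):
    """Would a message from subsystem at priority reach the log file?

    A configured priority includes every priority more severe than it
    (earlier in PRIORITIES).  When both 'all' and the subsystem are set,
    the more verbose threshold wins (an assumption of this example).
    """
    candidates = [levels[k] for k in (subsystem, "all") if k in levels]
    if not candidates:
        return False
    threshold = max(PRIORITIES.index(p) for p in candidates)
    return PRIORITIES.index(priority) <= threshold


if __name__ == "__main__":
    cfg = parse_debug_line("Debug sudo /var/log/sudo_debug match@info,nss@info")
    for sub, pri in (("match", "warn"), ("match", "trace"), ("auth", "crit")):
        print(sub, pri, should_log(cfg["flags"], sub, pri))
```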

SEE ALSO
     ssh(1), su(1), fnmatch(3), glob(3), mktemp(3), strftime(3), sudo.conf(4),
     sudoers.ldap(4), sudo_plugin(1m), sudo(1m), visudo(1m)

CAVEATS
     The sudoers file should always be edited by the visudo command which
     locks the file and does grammatical checking.  It is imperative that
     sudoers be free of syntax errors since sudo will not run with a
     syntactically incorrect sudoers file.

     When using netgroups of machines (as opposed to users), if you store
     fully qualified host names in the netgroup (as is usually the case), you
     either need to have the machine's host name be fully qualified as
     returned by the hostname command or use the fqdn option in sudoers.

BUGS
     If you feel you have found a bug in sudo, please submit a bug report at
     http://www.sudo.ws/sudo/bugs/

SUPPORT
     Limited free support is available via the sudo-users mailing list, see
     http://www.sudo.ws/mailman/listinfo/sudo-users to subscribe or search the
     archives.

DISCLAIMER
     sudo is provided ``AS IS'' and any express or implied warranties,
     including, but not limited to, the implied warranties of merchantability
     and fitness for a particular purpose are disclaimed.  See the LICENSE
     file distributed with sudo or http://www.sudo.ws/sudo/license.html for
     complete details.

Sudo 1.8.8                      August 31, 2013                      Sudo 1.8.8