Annotation of embedaddon/sudo/doc/sudoers.cat, revision 1.1.1.6

SUDOERS(4)                    Programmer's Manual                   SUDOERS(4)

NAME
     sudoers - default sudo security policy plugin

DESCRIPTION
     The sudoers policy plugin determines a user's sudo privileges.  It is the
     default sudo policy plugin.  The policy is driven by the /etc/sudoers
     file or, optionally, in LDAP.  The policy format is described in detail
     in the SUDOERS FILE FORMAT section.  For information on storing sudoers
     policy information in LDAP, please see sudoers.ldap(4).

   Configuring sudo.conf for sudoers
     sudo consults the sudo.conf(4) file to determine which policy and I/O
     logging plugins to load.  If no sudo.conf(4) file is present, or if it
     contains no Plugin lines, sudoers will be used for policy decisions and
     I/O logging.  To explicitly configure sudo.conf(4) to use the sudoers
     plugin, the following configuration can be used.

           Plugin sudoers_policy sudoers.so
           Plugin sudoers_io sudoers.so

     Starting with sudo 1.8.5, it is possible to specify optional arguments to
     the sudoers plugin in the sudo.conf(4) file.  These arguments, if
     present, should be listed after the path to the plugin (i.e. after
     sudoers.so).  Multiple arguments may be specified, separated by white
     space.  For example:

           Plugin sudoers_policy sudoers.so sudoers_mode=0400

     The following plugin arguments are supported:

     ldap_conf=pathname
               The ldap_conf argument can be used to override the default path
               to the ldap.conf file.

     ldap_secret=pathname
               The ldap_secret argument can be used to override the default
               path to the ldap.secret file.

     sudoers_file=pathname
               The sudoers_file argument can be used to override the default
               path to the sudoers file.

     sudoers_uid=uid
               The sudoers_uid argument can be used to override the default
               owner of the sudoers file.  It should be specified as a numeric
               user ID.

     sudoers_gid=gid
               The sudoers_gid argument can be used to override the default
               group of the sudoers file.  It must be specified as a numeric
               group ID (not a group name).

     sudoers_mode=mode
               The sudoers_mode argument can be used to override the default
               file mode for the sudoers file.  It should be specified as an
               octal value.

     For more information on configuring sudo.conf(4), please refer to its
     manual.
                     62: 
   Authentication and logging
     The sudoers security policy requires that most users authenticate
     themselves before they can use sudo.  A password is not required if the
     invoking user is root, if the target user is the same as the invoking
     user, or if the policy has disabled authentication for the user or
     command.  Unlike su(1), when sudoers requires authentication, it
     validates the invoking user's credentials, not the target user's (or
     root's) credentials.  This can be changed via the rootpw, targetpw and
     runaspw flags, described later.

     If a user who is not listed in the policy tries to run a command via
     sudo, mail is sent to the proper authorities.  The address used for such
     mail is configurable via the mailto Defaults entry (described later) and
     defaults to root.

     Note that mail will not be sent if an unauthorized user tries to run sudo
     with the -l or -v option.  This allows users to determine for themselves
     whether or not they are allowed to use sudo.

     If sudo is run by root and the SUDO_USER environment variable is set, the
     sudoers policy will use this value to determine who the actual user is.
     This can be used by a user to log commands through sudo even when a root
     shell has been invoked.  It also allows the -e option to remain useful
     even when invoked via a sudo-run script or program.  Note, however, that
     the sudoers lookup is still done for root, not the user specified by
     SUDO_USER.

     sudoers uses per-user time stamp files for credential caching.  Once a
     user has been authenticated, a record is written containing the uid that
     was used to authenticate, the terminal session ID, and a time stamp
     (using a monotonic clock if one is available).  The user may then use
     sudo without a password for a short period of time (5 minutes unless
     overridden by the timeout option).  By default, sudoers uses a separate
     record for each tty, which means that a user's login sessions are
     authenticated separately.  The tty_tickets option can be disabled to
     force the use of a single time stamp for all of a user's sessions.

     sudoers can log both successful and unsuccessful attempts (as well as
     errors) to syslog(3), a log file, or both.  By default, sudoers will log
     via syslog(3) but this is changeable via the syslog and logfile Defaults
     settings.

     sudoers also supports logging a command's input and output streams.  I/O
     logging is not on by default but can be enabled using the log_input and
     log_output Defaults flags as well as the LOG_INPUT and LOG_OUTPUT command
     tags.
                    109: 
   Command environment
     Since environment variables can influence program behavior, sudoers
     provides a means to restrict which variables from the user's environment
     are inherited by the command to be run.  There are two distinct ways
     sudoers can deal with environment variables.

     By default, the env_reset option is enabled.  This causes commands to be
     executed with a new, minimal environment.  On AIX (and Linux systems
     without PAM), the environment is initialized with the contents of the
     /etc/environment file.  On BSD systems, if the use_loginclass option is
     enabled, the environment is initialized based on the path and setenv
     settings in /etc/login.conf.  The new environment contains the TERM,
     PATH, HOME, MAIL, SHELL, LOGNAME, USER, USERNAME and SUDO_* variables in
     addition to variables from the invoking process permitted by the
     env_check and env_keep options.  This is effectively a whitelist for
     environment variables.

     If, however, the env_reset option is disabled, any variables not
     explicitly denied by the env_check and env_delete options are inherited
     from the invoking process.  In this case, env_check and env_delete behave
     like a blacklist.  Since it is not possible to blacklist all potentially
     dangerous environment variables, use of the default env_reset behavior is
     encouraged.

     In all cases, environment variables with a value beginning with () are
     removed as they could be interpreted as bash functions.  The list of
     environment variables that sudo allows or denies is contained in the
     output of ``sudo -V'' when run as root.

     Note that the dynamic linker on most operating systems will remove
     variables that can control dynamic linking from the environment of setuid
     executables, including sudo.  Depending on the operating system this may
     include _RLD*, DYLD_*, LD_*, LDR_*, LIBPATH, SHLIB_PATH, and others.
     These types of variables are removed from the environment before sudo
     even begins execution and, as such, it is not possible for sudo to
     preserve them.

     As a special case, if sudo's -i option (initial login) is specified,
     sudoers will initialize the environment regardless of the value of
     env_reset.  The DISPLAY, PATH and TERM variables remain unchanged; HOME,
     MAIL, SHELL, USER, and LOGNAME are set based on the target user.  On AIX
     (and Linux systems without PAM), the contents of /etc/environment are
     also included.  On BSD systems, if the use_loginclass option is enabled,
     the path and setenv variables in /etc/login.conf are also applied.  All
     other environment variables are removed.

     Finally, if the env_file option is defined, any variables present in that
     file will be set to their specified values as long as they would not
     conflict with an existing environment variable.
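     The two modes described above, as an added illustration that is not part
     of the sudo manual or of the sudoers plugin code: a Python model of the
     whitelist (env_reset on) and blacklist (env_reset off) filtering, with the
     "()" rule applied in both.  The sample environment, the env_keep,
     env_check and env_delete lists, and the env_check test used here (a
     checked variable survives only if its value contains neither `%' nor `/')
     are assumptions of this model, not statements taken from this page.

```python
import re

# Constructed sample of an invoking user's environment (not from the page).
SAMPLE_ENV = {
    "PATH": "/usr/bin:/bin",
    "HOME": "/home/alice",
    "TERM": "xterm",
    "SUDO_USER": "alice",
    "EDITOR": "vim",
    "COLORTERM": "truecolor",
    "TZ": "Europe/Berlin",                 # contains '/', so it fails the env_check test
    "LD_PRELOAD": "/tmp/x.so",             # the dynamic linker strips this before sudo runs;
                                           # modelled here as plain input to show the blacklist gap
    "BASH_FUNC_ls%%": "() { echo hi; }",   # exported bash function: removed in every mode
}

# Variables the page lists as always present in an env_reset environment
# (modelled as passed through from the invoking environment).
BASELINE = ("TERM", "PATH", "HOME", "MAIL", "SHELL", "LOGNAME", "USER", "USERNAME")


def passes_env_check(value):
    """Assumed env_check test: keep the variable only if its value contains
    neither '%' nor '/'."""
    return "%" not in value and "/" not in value


def filter_env(env, env_reset=True, env_keep=(), env_check=(), env_delete=()):
    """Return the environment the command would receive under the two modes
    the page describes: whitelist (env_reset on) or blacklist (env_reset off)."""
    result = {}
    for name, value in env.items():
        # Applies in all cases: a value beginning with "()" is dropped.
        if value.startswith("()"):
            continue
        if env_reset:
            # Whitelist: baseline set, SUDO_*, env_keep, and env_check when clean.
            if name in BASELINE or name.startswith("SUDO_") or name in env_keep:
                result[name] = value
            elif name in env_check and passes_env_check(value):
                result[name] = value
            # anything else is simply not copied into the new environment
        else:
            # Blacklist: drop env_delete and unclean env_check variables, inherit the rest.
            if name in env_delete:
                continue
            if name in env_check and not passes_env_check(value):
                continue
            result[name] = value
    return result


if __name__ == "__main__":
    print(filter_env(SAMPLE_ENV, env_keep=("EDITOR",), env_check=("COLORTERM", "TZ")))
    print(filter_env(SAMPLE_ENV, env_reset=False))
```

     Run stand-alone, the second call shows why the page recommends the
     default: with env_reset off, LD_PRELOAD is inherited unless the
     administrator remembered to name it in env_delete, whereas the whitelist
     drops it without any list entry.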
1.1       misho     159: 
SUDOERS FILE FORMAT
     The sudoers file is composed of two types of entries: aliases (basically
     variables) and user specifications (which specify who may run what).

     When multiple entries match for a user, they are applied in order.  Where
     there are multiple matches, the last match is used (which is not
     necessarily the most specific match).

     The sudoers grammar will be described below in Extended Backus-Naur Form
     (EBNF).  Don't despair if you are unfamiliar with EBNF; it is fairly
     simple, and the definitions below are annotated.

   Quick guide to EBNF
     EBNF is a concise and exact way of describing the grammar of a language.
     Each EBNF definition is made up of production rules.  E.g.,

     symbol ::= definition | alternate1 | alternate2 ...

     Each production rule references others and thus makes up a grammar for
     the language.  EBNF also contains the following operators, which many
     readers will recognize from regular expressions.  Do not, however,
     confuse them with ``wildcard'' characters, which have different meanings.

     ?     Means that the preceding symbol (or group of symbols) is optional.
           That is, it may appear once or not at all.

     *     Means that the preceding symbol (or group of symbols) may appear
           zero or more times.

     +     Means that the preceding symbol (or group of symbols) may appear
           one or more times.

     Parentheses may be used to group symbols together.  For clarity, we will
     use single quotes ('') to designate what is a verbatim character string
     (as opposed to a symbol name).
1.1       misho     195: 
   Aliases
     There are four kinds of aliases: User_Alias, Runas_Alias, Host_Alias and
     Cmnd_Alias.

     Alias ::= 'User_Alias'  User_Alias (':' User_Alias)* |
               'Runas_Alias' Runas_Alias (':' Runas_Alias)* |
               'Host_Alias'  Host_Alias (':' Host_Alias)* |
               'Cmnd_Alias'  Cmnd_Alias (':' Cmnd_Alias)*

     User_Alias ::= NAME '=' User_List

     Runas_Alias ::= NAME '=' Runas_List

     Host_Alias ::= NAME '=' Host_List

     Cmnd_Alias ::= NAME '=' Cmnd_List

     NAME ::= [A-Z]([A-Z][0-9]_)*

     Each alias definition is of the form

     Alias_Type NAME = item1, item2, ...

     where Alias_Type is one of User_Alias, Runas_Alias, Host_Alias, or
     Cmnd_Alias.  A NAME is a string of uppercase letters, numbers, and
     underscore characters (`_').  A NAME must start with an uppercase letter.
     It is possible to put several alias definitions of the same type on a
     single line, joined by a colon (`:').  E.g.,

     Alias_Type NAME = item1, item2, item3 : NAME = item4, item5

     The definitions of what constitutes a valid alias member follow.

     User_List ::= User |
                   User ',' User_List

     User ::= '!'* user name |
              '!'* #uid |
              '!'* %group |
              '!'* %#gid |
              '!'* +netgroup |
              '!'* %:nonunix_group |
              '!'* %:#nonunix_gid |
              '!'* User_Alias

     A User_List is made up of one or more user names, user IDs (prefixed with
     `#'), system group names and IDs (prefixed with `%' and `%#'
     respectively), netgroups (prefixed with `+'), non-Unix group names and
     IDs (prefixed with `%:' and `%:#' respectively) and User_Aliases.  Each
     list item may be prefixed with zero or more `!' operators.  An odd number
     of `!' operators negates the value of the item; an even number cancels
     out.

     A user name, uid, group, gid, netgroup, nonunix_group or nonunix_gid may
     be enclosed in double quotes to avoid the need for escaping special
     characters.  Alternately, special characters may be specified in escaped
     hex mode, e.g. \x20 for space.  When using double quotes, any prefix
     characters must be included inside the quotes.

     The actual nonunix_group and nonunix_gid syntax depends on the underlying
     group provider plugin.  For instance, the QAS AD plugin supports the
     following formats:

     o     Group in the same domain: "%:Group Name"

     o     Group in any domain: "%:Group Name@FULLY.QUALIFIED.DOMAIN"

     o     Group SID: "%:S-1-2-34-5678901234-5678901234-5678901234-567"

     See GROUP PROVIDER PLUGINS for more information.

     Note that quotes around group names are optional.  Unquoted strings must
     use a backslash (`\') to escape spaces and special characters.  See Other
     special characters and reserved words for a list of characters that need
     to be escaped.
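     An added example (not from the sudo manual or the sudoers source) of how
     the User_List rules above can be applied: a small Python parser for list
     items with their `!' prefixes, and a matcher that follows the last-match
     rule stated at the start of the SUDOERS FILE FORMAT section.  The
     identities, their group memberships and the ADMINS alias are constructed;
     double quotes and \x escapes are not handled by this parser.

```python
import re

ALIAS_NAME = re.compile(r"^[A-Z][A-Z0-9_]*$")   # NAME as defined in the grammar

# Constructed identities (not from the page); groups/gids are supplementary groups.
ALICE = {"name": "alice", "uid": 1000, "groups": {"wheel", "staff"}, "gids": {10, 50}, "netgroups": set()}
BOB = {"name": "bob", "uid": 1001, "groups": {"wheel"}, "gids": {10}, "netgroups": {"ops"}}
ROOT = {"name": "root", "uid": 0, "groups": {"wheel"}, "gids": {0, 10}, "netgroups": set()}

# Constructed User_Alias definitions, keyed by NAME.
ALIASES = {"ADMINS": "alice, %wheel, !bob"}


def parse_user_list(text):
    """Split a User_List into (negated, kind, value) items."""
    items = []
    for raw in text.split(","):
        raw = raw.strip()
        if not raw:
            continue
        bangs = len(raw) - len(raw.lstrip("!"))
        body = raw[bangs:]
        negated = bangs % 2 == 1          # odd number of '!' negates, even cancels out
        if body.startswith("%:#"):
            kind, value = "nonunix_gid", body[3:]
        elif body.startswith("%:"):
            kind, value = "nonunix_group", body[2:]
        elif body.startswith("%#"):
            kind, value = "gid", int(body[2:])
        elif body.startswith("%"):
            kind, value = "group", body[1:]
        elif body.startswith("#"):
            kind, value = "uid", int(body[1:])
        elif body.startswith("+"):
            kind, value = "netgroup", body[1:]
        elif ALIAS_NAME.match(body):
            kind, value = "alias", body
        else:
            kind, value = "user", body
        items.append((negated, kind, value))
    return items


def item_matches(kind, value, ident):
    """Does one non-alias item describe this identity?"""
    if kind == "user":
        return value == ident["name"]     # names are matched as strings, not by uid
    if kind == "uid":
        return value == ident["uid"]
    if kind == "group":
        return value in ident["groups"]
    if kind == "gid":
        return value in ident["gids"]
    if kind == "netgroup":
        return value in ident["netgroups"]
    return value in ident.get("nonunix", set())


def user_list_matches(text, ident, aliases=ALIASES):
    """True/False when some item matched (the last matching item wins);
    None when nothing in the list matched at all."""
    result = None
    for negated, kind, value in parse_user_list(text):
        if kind == "alias":
            hit = user_list_matches(aliases[value], ident, aliases)
            if hit is None:
                continue
        elif item_matches(kind, value, ident):
            hit = True
        else:
            continue
        result = (not hit) if negated else hit
    return result


if __name__ == "__main__":
    for who in (ALICE, BOB, ROOT):
        print(who["name"], user_list_matches("ADMINS", who), user_list_matches("%wheel, !#1001", who))
```

     Note the difference between `%wheel, !bob' (bob matches %wheel first, then
     the negated item, so the final answer is False) and a list that simply
     omits him (the answer is None, i.e. the entry does not apply to him at
     all); a policy reviewer reading a long alias needs to keep that
     distinction in mind.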
                    271: 
     Runas_List ::= Runas_Member |
                    Runas_Member ',' Runas_List

     Runas_Member ::= '!'* user name |
                      '!'* #uid |
                      '!'* %group |
                      '!'* %#gid |
                      '!'* %:nonunix_group |
                      '!'* %:#nonunix_gid |
                      '!'* +netgroup |
                      '!'* Runas_Alias

     A Runas_List is similar to a User_List except that instead of
     User_Aliases it can contain Runas_Aliases.  Note that user names and
     groups are matched as strings.  In other words, two users (groups) with
     the same uid (gid) are considered to be distinct.  If you wish to match
     all user names with the same uid (e.g. root and toor), you can use a uid
     instead (#0 in the example given).

     Host_List ::= Host |
                   Host ',' Host_List

     Host ::= '!'* host name |
              '!'* ip_addr |
              '!'* network(/netmask)? |
              '!'* +netgroup |
              '!'* Host_Alias

     A Host_List is made up of one or more host names, IP addresses, network
     numbers, netgroups (prefixed with `+') and other aliases.  Again, the
     value of an item may be negated with the `!' operator.  If you do not
     specify a netmask along with the network number, sudo will query each of
     the local host's network interfaces and, if the network number
     corresponds to one of the host's network interfaces, the corresponding
     netmask will be used.  The netmask may be specified either in standard IP
     address notation (e.g. 255.255.255.0 or ffff:ffff:ffff:ffff::), or CIDR
     notation (number of bits, e.g. 24 or 64).  A host name may include shell-
     style wildcards (see the Wildcards section below), but unless the host
     name command on your machine returns the fully qualified host name,
     you'll need to use the fqdn option for wildcards to be useful.  Note that
     sudo only inspects actual network interfaces; this means that IP address
     127.0.0.1 (localhost) will never match.  Also, the host name
     ``localhost'' will only match if that is the actual host name, which is
     usually only the case for non-networked systems.
     digest ::= [A-Fa-f0-9]+ |
                [A-Za-z0-9+/=]+

     Digest_Spec ::= "sha224" ':' digest |
                     "sha256" ':' digest |
                     "sha384" ':' digest |
                     "sha512" ':' digest

     Cmnd_List ::= Cmnd |
                   Cmnd ',' Cmnd_List

     command name ::= file name |
                      file name args |
                      file name '""'

     Cmnd ::= Digest_Spec? '!'* command name |
              '!'* directory |
              '!'* "sudoedit" |
              '!'* Cmnd_Alias

     A Cmnd_List is a list of one or more command names, directories, and
     other aliases.  A command name is a fully qualified file name which may
     include shell-style wildcards (see the Wildcards section below).  A
     simple file name allows the user to run the command with any arguments
     he/she wishes.  However, you may also specify command line arguments
     (including wildcards).  Alternately, you can specify "" to indicate that
     the command may only be run without command line arguments.  A directory
     is a fully qualified path name ending in a `/'.  When you specify a
     directory in a Cmnd_List, the user will be able to run any file within
     that directory (but not in any sub-directories therein).

     If a Cmnd has associated command line arguments, then the arguments in
     the Cmnd must match exactly those given by the user on the command line
     (or match the wildcards if there are any).  Note that the following
     characters must be escaped with a `\' if they are used in command
     arguments: `,', `:', `=', `\'.  The built-in command ``sudoedit'' is used
     to permit a user to run sudo with the -e option (or as sudoedit).  It may
     take command line arguments just as a normal command does.  Note that
     ``sudoedit'' is a command built into sudo itself and must be specified in
     sudoers without a leading path.

     If a command name is prefixed with a Digest_Spec, the command will only
     match successfully if it can be verified using the specified SHA-2
     digest.  This may be useful in situations where the user invoking sudo
     has write access to the command or its parent directory.  The following
     digest formats are supported: sha224, sha256, sha384 and sha512.  The
     string may be specified in either hex or base64 format (base64 is more
     compact).  There are several utilities capable of generating SHA-2
     digests in hex format such as openssl, shasum, sha224sum, sha256sum,
     sha384sum, sha512sum.

     For example, using openssl:

     $ openssl dgst -sha224 /bin/ls
     SHA224(/bin/ls)= 118187da8364d490b4a7debbf483004e8f3e053ec954309de2c41a25

     It is also possible to use openssl to generate base64 output:

     $ openssl dgst -binary -sha224 /bin/ls | openssl base64
     EYGH2oNk1JC0p9679IMATo8+BT7JVDCd4sQaJQ==

     Command digests are only supported by version 1.8.7 or higher.
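     An added Python example (not sudo's own code) of the digest mechanics
     described above: it builds the Digest_Spec prefix for a command, converts
     a spec between the hex and base64 forms shown in the openssl output, and
     re-checks a file against a spec the way a policy would at match time.
     The script pinned in demo() is constructed; the function and file names
     are this example's own.

```python
import base64
import hashlib
import hmac
import os
import tempfile

# The four SHA-2 digest types the Digest_Spec grammar allows.
ALGOS = {"sha224": hashlib.sha224, "sha256": hashlib.sha256,
         "sha384": hashlib.sha384, "sha512": hashlib.sha512}


def digest_bytes(data, algo="sha224"):
    return ALGOS[algo](data).digest()


def digest_file(path, algo="sha224"):
    h = ALGOS[algo]()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.digest()


def digest_spec(path, algo="sha224", fmt="hex"):
    """Build the 'algo:digest' prefix placed before a command name."""
    raw = digest_file(path, algo)
    enc = raw.hex() if fmt == "hex" else base64.b64encode(raw).decode("ascii")
    return f"{algo}:{enc}"


def decode_digest(algo, enc):
    """Accept either encoding; hex is exactly twice the digest size, base64 is shorter."""
    size = ALGOS[algo]().digest_size
    if len(enc) == 2 * size and all(c in "0123456789abcdefABCDEF" for c in enc):
        raw = bytes.fromhex(enc)
    else:
        raw = base64.b64decode(enc, validate=True)
    if len(raw) != size:
        raise ValueError(f"{algo} digest must be {size} bytes, got {len(raw)}")
    return raw


def convert_spec(spec):
    """Convert a Digest_Spec between hex and base64 without re-reading the file."""
    algo, _, enc = spec.partition(":")
    raw = decode_digest(algo, enc)
    if len(enc) == 2 * len(raw):
        return f"{algo}:{base64.b64encode(raw).decode('ascii')}"
    return f"{algo}:{raw.hex()}"


def verify_spec(spec, path):
    """True if the file at path currently matches the digest in spec."""
    algo, _, enc = spec.partition(":")
    if algo not in ALGOS:
        raise ValueError(f"unsupported digest type: {algo}")
    return hmac.compare_digest(decode_digest(algo, enc), digest_file(path, algo))


def demo():
    """Constructed scenario: pin a script, then modify it and see the match fail."""
    path = os.path.join(tempfile.mkdtemp(), "backup.sh")
    with open(path, "wb") as f:
        f.write(b"#!/bin/sh\nexit 0\n")
    spec = digest_spec(path, "sha256", "base64")
    entry = f"{spec} {path}"          # what would follow '=' in a Cmnd_Spec
    ok_before = verify_spec(spec, path)
    with open(path, "ab") as f:
        f.write(b"# edited after the digest was pinned\n")
    return {"entry": entry, "ok_before": ok_before, "ok_after": verify_spec(spec, path)}


if __name__ == "__main__":
    print(demo())
```

     The digest protects only the file contents at exec time: a pinned entry
     has to be regenerated whenever the command is legitimately updated, and
     it says nothing about what the command does with its arguments.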
1.1       misho     379: 
   Defaults
     Certain configuration options may be changed from their default values at
     run-time via one or more Default_Entry lines.  These may affect all users
     on any host, all users on a specific host, a specific user, a specific
     command, or commands being run as a specific user.  Note that per-command
     entries may not include command line arguments.  If you need to specify
     arguments, define a Cmnd_Alias and reference that instead.

     Default_Type ::= 'Defaults' |
                      'Defaults' '@' Host_List |
                      'Defaults' ':' User_List |
                      'Defaults' '!' Cmnd_List |
                      'Defaults' '>' Runas_List

     Default_Entry ::= Default_Type Parameter_List

     Parameter_List ::= Parameter |
                        Parameter ',' Parameter_List

     Parameter ::= Parameter '=' Value |
                   Parameter '+=' Value |
                   Parameter '-=' Value |
                   '!'* Parameter

     Parameters may be flags, integer values, strings, or lists.  Flags are
     implicitly boolean and can be turned off via the `!' operator.  Some
     integer, string and list parameters may also be used in a boolean context
     to disable them.  Values may be enclosed in double quotes ("") when they
     contain multiple words.  Special characters may be escaped with a
     backslash (`\').

     Lists have two additional assignment operators, += and -=.  These
     operators are used to add to and delete from a list respectively.  It is
     not an error to use the -= operator to remove an element that does not
     exist in a list.

     Defaults entries are parsed in the following order: generic, host and
     user Defaults first, then runas Defaults and finally command defaults.

     See SUDOERS OPTIONS for a list of supported Defaults parameters.
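     An added Python model (not sudo's parser) of the Parameter grammar above:
     flags with `!', `=' assignment, and the += and -= list operators,
     including the rule that removing an absent element is not an error.  The
     names treated as lists are assumed from the env_keep, env_check and
     env_delete options named earlier on this page (real sudoers has more),
     and the Default_Type scope is only recorded, not matched against a user,
     host, command or runas target.

```python
import re

# Parameters this model treats as lists; '=' assigns the whole list, '+=' / '-=' edit it.
LIST_PARAMS = {"env_keep", "env_check", "env_delete"}

# '!'* Parameter, optionally followed by one of the three assignment operators and a Value.
PARAM_RE = re.compile(r"^(!*)([a-z0-9_]+)\s*(\+=|-=|=)?\s*(.*)$")


def split_params(text):
    """Split a Parameter_List on commas, honouring double quotes and backslash escapes."""
    parts, cur, quoted, i = [], [], False, 0
    while i < len(text):
        c = text[i]
        if c == "\\" and i + 1 < len(text):   # escaped character: keep it literally
            cur.append(text[i + 1])
            i += 2
            continue
        if c == '"':
            quoted = not quoted
        elif c == "," and not quoted:
            parts.append("".join(cur).strip())
            cur = []
            i += 1
            continue
        cur.append(c)
        i += 1
    if cur:
        parts.append("".join(cur).strip())
    return parts


def unquote(value):
    if len(value) >= 2 and value[0] == value[-1] == '"':
        return value[1:-1]
    return value


def coerce(name, value):
    """Turn the textual Value into a list, an int or a string."""
    if name in LIST_PARAMS:
        return value.split()
    if re.fullmatch(r"-?[0-9]+", value):
        return int(value)
    return value


def apply_defaults(line, state):
    """Apply one Default_Entry line to state and return its scope suffix:
    '' for generic, ':user', '@host', '!cmnd' or '>runas'."""
    fields = line.strip().split(None, 1)
    head = fields[0]
    params = fields[1] if len(fields) > 1 else ""
    if not head.startswith("Defaults"):
        raise ValueError("not a Defaults line")
    scope = head[len("Defaults"):]
    for param in split_params(params):
        m = PARAM_RE.match(param)
        if not m:
            raise ValueError(f"bad parameter: {param!r}")
        bangs, name, op, value = m.groups()
        value = unquote(value)
        if op is None:
            # a flag, or an integer/string/list parameter used in boolean context
            state[name] = len(bangs) % 2 == 0
        elif op == "=":
            state[name] = coerce(name, value)
        elif op == "+=":
            lst = state.setdefault(name, [])
            for w in value.split():
                if w not in lst:
                    lst.append(w)
        else:  # '-='
            lst = state.setdefault(name, [])
            for w in value.split():
                if w in lst:                 # removing an absent element is not an error
                    lst.remove(w)
    return scope


if __name__ == "__main__":
    st = {"env_keep": ["COLORS", "DISPLAY"]}   # constructed starting state
    for ln in ('Defaults env_keep += "EDITOR VISUAL", passwd_tries=5',
               'Defaults env_keep -= "DISPLAY NOT_THERE"',
               "Defaults !requiretty, !!env_reset",
               'Defaults:alice mailto="alice@example.com"'):
        print(apply_defaults(ln, st), st)
```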
                    420: 
   User specification
     User_Spec ::= User_List Host_List '=' Cmnd_Spec_List \
                   (':' Host_List '=' Cmnd_Spec_List)*

     Cmnd_Spec_List ::= Cmnd_Spec |
                        Cmnd_Spec ',' Cmnd_Spec_List

     Cmnd_Spec ::= Runas_Spec? SELinux_Spec? Solaris_Priv_Spec? Tag_Spec* Cmnd

     Runas_Spec ::= '(' Runas_List? (':' Runas_List)? ')'

     SELinux_Spec ::= ('ROLE=role' | 'TYPE=type')

     Solaris_Priv_Spec ::= ('PRIVS=privset' | 'LIMITPRIVS=privset')

     Tag_Spec ::= ('NOPASSWD:' | 'PASSWD:' | 'NOEXEC:' | 'EXEC:' |
                   'SETENV:' | 'NOSETENV:' | 'LOG_INPUT:' | 'NOLOG_INPUT:' |
                   'LOG_OUTPUT:' | 'NOLOG_OUTPUT:')

     A user specification determines which commands a user may run (and as
     what user) on specified hosts.  By default, commands are run as root, but
     this can be changed on a per-command basis.

     The basic structure of a user specification is ``who where = (as_whom)
     what''.  Let's break that down into its constituent parts:

   Runas_Spec
     A Runas_Spec determines the user and/or the group that a command may be
     run as.  A fully-specified Runas_Spec consists of two Runas_Lists (as
     defined above) separated by a colon (`:') and enclosed in a set of
     parentheses.  The first Runas_List indicates which users the command may
     be run as via sudo's -u option.  The second defines a list of groups that
     can be specified via sudo's -g option.  If both Runas_Lists are
     specified, the command may be run with any combination of users and
     groups listed in their respective Runas_Lists.  If only the first is
     specified, the command may be run as any user in the list but no -g
                    457:      option may be specified.  If the first Runas_List is empty but the second
                    458:      is specified, the command may be run as the invoking user with the group
                    459:      set to any listed in the Runas_List.  If both Runas_Lists are empty, the
                    460:      command may only be run as the invoking user.  If no Runas_Spec is
                    461:      specified the command may be run as rroooott and no group may be specified.
1.1       misho     462: 
1.1.1.3   misho     463:      A Runas_Spec sets the default for the commands that follow it.  What this
                    464:      means is that for the entry:
1.1       misho     465: 
1.1.1.3   misho     466:      dgb     boulder = (operator) /bin/ls, /bin/kill, /usr/bin/lprm
1.1       misho     467: 
1.1.1.3   misho     468:      The user ddggbb may run _/_b_i_n_/_l_s, _/_b_i_n_/_k_i_l_l, and _/_u_s_r_/_b_i_n_/_l_p_r_m--but only as
                    469:      ooppeerraattoorr.  E.g.,
1.1       misho     470: 
1.1.1.3   misho     471:      $ sudo -u operator /bin/ls
1.1       misho     472: 
1.1.1.3   misho     473:      It is also possible to override a Runas_Spec later on in an entry.  If we
                    474:      modify the entry like so:
1.1       misho     475: 
1.1.1.3   misho     476:      dgb     boulder = (operator) /bin/ls, (root) /bin/kill, /usr/bin/lprm
1.1       misho     477: 
1.1.1.3   misho     478:      Then user ddggbb is now allowed to run _/_b_i_n_/_l_s as ooppeerraattoorr, but _/_b_i_n_/_k_i_l_l
                    479:      and _/_u_s_r_/_b_i_n_/_l_p_r_m as rroooott.
1.1       misho     480: 
1.1.1.3   misho     481:      We can extend this to allow ddggbb to run /bin/ls with either the user or
                    482:      group set to ooppeerraattoorr:
1.1       misho     483: 
1.1.1.3   misho     484:      dgb     boulder = (operator : operator) /bin/ls, (root) /bin/kill,\
                    485:              /usr/bin/lprm
1.1       misho     486: 
1.1.1.3   misho     487:      Note that while the group portion of the Runas_Spec permits the user to
                    488:      run a command with that group, it does not force the user to do so.  If
                    489:      no group is specified on the command line, the command will run with the
                    490:      group listed in the target user's password database entry.  The following
                    491:      would all be permitted by the sudoers entry above:
1.1       misho     492: 
1.1.1.3   misho     493:      $ sudo -u operator /bin/ls
                    494:      $ sudo -u operator -g operator /bin/ls
                    495:      $ sudo -g operator /bin/ls
1.1       misho     496: 
1.1.1.3   misho     497:      In the following example, user ttccmm may run commands that access a modem
                    498:      device file with the dialer group.
1.1       misho     499: 
1.1.1.3   misho     500:      tcm     boulder = (:dialer) /usr/bin/tip, /usr/bin/cu,\
                    501:              /usr/local/bin/minicom
1.1       misho     502: 
1.1.1.3   misho     503:      Note that in this example only the group will be set, the command still
                    504:      runs as user ttccmm.  E.g.
1.1       misho     505: 
1.1.1.3   misho     506:      $ sudo -g dialer /usr/bin/cu
1.1       misho     507: 
1.1.1.3   misho     508:      Multiple users and groups may be present in a Runas_Spec, in which case
                    509:      the user may select any combination of users and groups via the --uu and --gg
                    510:      options.  In this example:
1.1       misho     511: 
1.1.1.3   misho     512:      alan    ALL = (root, bin : operator, system) ALL
1.1       misho     513: 
1.1.1.3   misho     514:      user aallaann may run any command as either user root or bin, optionally
                    515:      setting the group to operator or system.
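
The Runas_Spec cases above (both lists, users only, groups only, both empty, no spec at all) can be checked mechanically. The following is an added example, not sudo's own matching code: it parses the text inside the parentheses and decides whether a given `-u`/`-g` request passes, using the rules the page states. Two details follow from the page's own examples rather than from the grammar: when only `-g` is given the command runs as the invoking user (the `sudo -g operator /bin/ls` case), and when neither option is given sudo targets its default runas user, assumed here to be root.

```python
def parse_runas_spec(spec):
    """Parse '(users : groups)'.  Returns (users, groups) as lists, or None
    when the Cmnd carried no Runas_Spec at all."""
    if spec is None:
        return None
    body = spec.strip()
    if body.startswith("(") and body.endswith(")"):
        body = body[1:-1]
    users_part, _, groups_part = body.partition(":")
    users = [u.strip() for u in users_part.split(",") if u.strip()]
    groups = [g.strip() for g in groups_part.split(",") if g.strip()]
    return users, groups


def runas_allowed(spec, invoker, run_user=None, run_group=None, runas_default="root"):
    """Would 'sudo [-u run_user] [-g run_group] cmd' pass this Runas_Spec?

    run_user / run_group are None when the option was not given.  The rules
    are the ones the page states; runas_default (assumed: root) is the user
    sudo targets when no -u option is present.
    """
    parsed = parse_runas_spec(spec)
    users, groups = ([runas_default], []) if parsed is None else parsed

    if run_user is None and run_group is not None:
        user_ok = True          # only the group changes: the command runs as the invoker
    else:
        target = runas_default if run_user is None else run_user
        if users:
            user_ok = target in users or "ALL" in users
        else:
            user_ok = target == invoker   # empty Runas_List: the invoking user only
    group_ok = run_group is None or run_group in groups or "ALL" in groups
    return user_ok and group_ok


def demo():
    """Check the page's examples; each tuple is (Runas_Spec, invoker, -u, -g)."""
    cases = [
        ("(operator)", "dgb", "operator", None),                  # True
        ("(operator)", "dgb", "operator", "operator"),            # False: no group list
        ("(operator : operator)", "dgb", None, "operator"),       # True: runs as dgb
        ("(operator : operator)", "dgb", "operator", "operator"), # True
        ("(:dialer)", "tcm", None, "dialer"),                     # True: user stays tcm
        ("(:dialer)", "tcm", None, None),                         # False: would target root
        ("(:dialer)", "tcm", "root", "dialer"),                   # False
        ("(root, bin : operator, system)", "alan", "bin", "system"),  # True
        (None, "ray", None, None),                                # True: root, no group
        (None, "ray", "operator", None),                          # False
    ]
    return [runas_allowed(spec, who, u, g) for spec, who, u, g in cases]
```

Note the sixth case: with `(:dialer)` and no options at all, the request targets root rather than tcm, so it is refused; the user must pass `-g dialer` (or `-u tcm`) explicitly.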
1.1       misho     516: 
                    517:    SSEELLiinnuuxx__SSppeecc
1.1.1.3   misho     518:      On systems with SELinux support, _s_u_d_o_e_r_s entries may optionally have an
                    519:      SELinux role and/or type associated with a command.  If a role or type is
                    520:      specified with the command it will override any default values specified
                    521:      in _s_u_d_o_e_r_s.  A role or type specified on the command line, however, will
                    522:      supersede the values in _s_u_d_o_e_r_s.
                    523: 
                    524:    SSoollaarriiss__PPrriivv__SSppeecc
                    525:      On Solaris systems, _s_u_d_o_e_r_s entries may optionally specify Solaris
                    526:      privilege set and/or limit privilege set associated with a command.  If
                    527:      privileges or limit privileges are specified with the command it will
                    528:      override any default values specified in _s_u_d_o_e_r_s.
                    529: 
                    530:      A privilege set is a comma-separated list of privilege names.  The
                    531:      ppriv(1) command can be used to list all privileges known to the system.
                    532:      For example:
                    533: 
                    534:      $ ppriv -l
                    535: 
                    536:      In addition, there are several ``special'' privilege strings:
                    537: 
                    538:      none      the empty set
                    539: 
                    540:      all       the set of all privileges
                    541: 
                    542:      zone      the set of all privileges available in the current zone
                    543: 
                    544:      basic     the default set of privileges normal users are granted at login
                    545:                time
                    546: 
                    547:      Privileges can be excluded from a set by prefixing the privilege name
                    548:      with either an `!' or `-' character.
1.1       misho     549: 
                    550:    TTaagg__SSppeecc
1.1.1.3   misho     551:      A command may have zero or more tags associated with it.  There are ten
                    552:      possible tag values: NOPASSWD, PASSWD, NOEXEC, EXEC, SETENV, NOSETENV,
                    553:      LOG_INPUT, NOLOG_INPUT, LOG_OUTPUT and NOLOG_OUTPUT.  Once a tag is set
                    554:      on a Cmnd, subsequent Cmnds in the Cmnd_Spec_List inherit the tag unless
                    555:      it is overridden by the opposite tag (in other words, PASSWD overrides
                    556:      NOPASSWD and NOEXEC overrides EXEC).
1.1       misho     557: 
1.1.1.4   misho     558:      _N_O_P_A_S_S_W_D and _P_A_S_S_W_D
1.1       misho     559: 
1.1.1.4   misho     560:        By default, ssuuddoo requires that a user authenticate him or herself
                    561:        before running a command.  This behavior can be modified via the
                    562:        NOPASSWD tag.  Like a Runas_Spec, the NOPASSWD tag sets a default for
                    563:        the commands that follow it in the Cmnd_Spec_List.  Conversely, the
                    564:        PASSWD tag can be used to reverse things.  For example:
1.1       misho     565: 
1.1.1.4   misho     566:        ray     rushmore = NOPASSWD: /bin/kill, /bin/ls, /usr/bin/lprm
1.1       misho     567: 
1.1.1.4   misho     568:        would allow the user rraayy to run _/_b_i_n_/_k_i_l_l, _/_b_i_n_/_l_s, and _/_u_s_r_/_b_i_n_/_l_p_r_m
                    569:        as rroooott on the machine rushmore without authenticating himself.  If we
                    570:        only want rraayy to be able to run _/_b_i_n_/_k_i_l_l without a password the entry
                    571:        would be:
1.1       misho     572: 
1.1.1.4   misho     573:        ray     rushmore = NOPASSWD: /bin/kill, PASSWD: /bin/ls, /usr/bin/lprm
1.1       misho     574: 
1.1.1.4   misho     575:        Note, however, that the PASSWD tag has no effect on users who are in
                    576:        the group specified by the _e_x_e_m_p_t___g_r_o_u_p option.
1.1       misho     577: 
1.1.1.4   misho     578:        By default, if the NOPASSWD tag is applied to any of the entries for a
                    579:        user on the current host, he or she will be able to run ``sudo -l''
                    580:        without a password.  Additionally, a user may only run ``sudo -v''
                    581:        without a password if the NOPASSWD tag is present for all a user's
                    582:        entries that pertain to the current host.  This behavior may be
                    583:        overridden via the _v_e_r_i_f_y_p_w and _l_i_s_t_p_w options.
1.1       misho     584: 
1.1.1.4   misho     585:      _N_O_E_X_E_C and _E_X_E_C
1.1       misho     586: 
1.1.1.4   misho     587:        If ssuuddoo has been compiled with _n_o_e_x_e_c support and the underlying
                    588:        operating system supports it, the NOEXEC tag can be used to prevent a
                    589:        dynamically-linked executable from running further commands itself.
1.1       misho     590: 
1.1.1.4   misho     591:        In the following example, user aaaarroonn may run _/_u_s_r_/_b_i_n_/_m_o_r_e and
                    592:        _/_u_s_r_/_b_i_n_/_v_i but shell escapes will be disabled.
1.1       misho     593: 
1.1.1.4   misho     594:        aaron   shanty = NOEXEC: /usr/bin/more, /usr/bin/vi
1.1       misho     595: 
1.1.1.4   misho     596:        See the _P_r_e_v_e_n_t_i_n_g _s_h_e_l_l _e_s_c_a_p_e_s section below for more details on how
                    597:        NOEXEC works and whether or not it will work on your system.
1.1       misho     598: 
1.1.1.4   misho     599:      _S_E_T_E_N_V and _N_O_S_E_T_E_N_V
1.1       misho     600: 
1.1.1.4   misho     601:        These tags override the value of the _s_e_t_e_n_v option on a per-command
                    602:        basis.  Note that if SETENV has been set for a command, the user may
                    603:        disable the _e_n_v___r_e_s_e_t option from the command line via the --EE option.
                    604:        Additionally, environment variables set on the command line are not
                    605:        subject to the restrictions imposed by _e_n_v___c_h_e_c_k, _e_n_v___d_e_l_e_t_e, or
                    606:        _e_n_v___k_e_e_p.  As such, only trusted users should be allowed to set
                    607:        variables in this manner.  If the command matched is AALLLL, the SETENV
                    608:        tag is implied for that command; this default may be overridden by use
                    609:        of the NOSETENV tag.
1.1       misho     610: 
1.1.1.4   misho     611:      _L_O_G___I_N_P_U_T and _N_O_L_O_G___I_N_P_U_T
1.1       misho     612: 
1.1.1.4   misho     613:        These tags override the value of the _l_o_g___i_n_p_u_t option on a per-command
                    614:        basis.  For more information, see the description of _l_o_g___i_n_p_u_t in the
                    615:        _S_U_D_O_E_R_S _O_P_T_I_O_N_S section below.
1.1       misho     616: 
1.1.1.4   misho     617:      _L_O_G___O_U_T_P_U_T and _N_O_L_O_G___O_U_T_P_U_T
1.1       misho     618: 
1.1.1.4   misho     619:        These tags override the value of the _l_o_g___o_u_t_p_u_t option on a per-command
                    620:        basis.  For more information, see the description of _l_o_g___o_u_t_p_u_t in the
                    621:        _S_U_D_O_E_R_S _O_P_T_I_O_N_S section below.
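
Because both a Runas_Spec and each tag carry over to the commands that follow them in a Cmnd_Spec_List, it is easy to misread a long line. The following added example (not sudo's parser) walks a Cmnd_Spec_List and reports the effective Runas_Spec and tags for every command, including the rule that a matched ALL implies SETENV unless NOSETENV is in force. Tag groups never mentioned on the line are left out of the result, meaning the corresponding Defaults option applies; the password tag is seeded from the authenticate option.

```python
import re

TAG_PAIRS = [("NOPASSWD", "PASSWD"), ("NOEXEC", "EXEC"), ("SETENV", "NOSETENV"),
             ("LOG_INPUT", "NOLOG_INPUT"), ("LOG_OUTPUT", "NOLOG_OUTPUT")]
TAG_GROUP = {tag: i for i, pair in enumerate(TAG_PAIRS) for tag in pair}
TAG_RE = re.compile(r"^(%s):\s*" % "|".join(TAG_GROUP))
RUNAS_RE = re.compile(r"^\(([^)]*)\)\s*")


def split_cmnd_specs(text):
    """Split a Cmnd_Spec_List on commas that are not inside a Runas_Spec."""
    items, depth, cur = [], 0, []
    for ch in text:
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
        if ch == "," and depth == 0:
            items.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
    items.append("".join(cur))
    return [i.strip() for i in items if i.strip()]


def expand_cmnd_spec_list(text, authenticate=True):
    """Resolve inherited Runas_Specs and tags for every Cmnd in the list.

    Returns one dict per command: runas (text inside the parentheses, None
    when no Runas_Spec applies, i.e. root), tags (sorted) and cmnd.
    """
    runas = None
    state = {TAG_GROUP["PASSWD"]: "PASSWD" if authenticate else "NOPASSWD"}
    out = []
    for item in split_cmnd_specs(text):
        m = RUNAS_RE.match(item)
        if m:
            runas = m.group(1).strip()    # a Runas_Spec carries over to later Cmnds
            item = item[m.end():]
        while True:
            m = TAG_RE.match(item)
            if not m:
                break
            state[TAG_GROUP[m.group(1)]] = m.group(1)   # the opposite tag overrides
            item = item[m.end():]
        tags = dict(state)
        if item == "ALL" and TAG_GROUP["SETENV"] not in tags:
            tags[TAG_GROUP["SETENV"]] = "SETENV"        # ALL implies SETENV unless NOSETENV
        out.append({"runas": runas, "tags": sorted(tags.values()), "cmnd": item})
    return out


def demo():
    """The page's entries for ray, dgb, aaron and alan, with a NOSETENV variant."""
    return {
        "ray": expand_cmnd_spec_list("NOPASSWD: /bin/kill, PASSWD: /bin/ls, /usr/bin/lprm"),
        "dgb": expand_cmnd_spec_list("(operator : operator) /bin/ls, (root) /bin/kill, /usr/bin/lprm"),
        "aaron": expand_cmnd_spec_list("NOEXEC: /usr/bin/more, /usr/bin/vi"),
        "alan": expand_cmnd_spec_list("(root, bin : operator, system) ALL"),
        "alan_nosetenv": expand_cmnd_spec_list("(root, bin : operator, system) NOSETENV: ALL"),
    }
```

In the `ray` entry only `/bin/kill` is password-free; in the `dgb` entry `/usr/bin/lprm` inherits `(root)` from the preceding command, and `alan`'s ALL picks up the implied SETENV unless NOSETENV is written out.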
1.1       misho     622: 
                    623:    WWiillddccaarrddss
1.1.1.3   misho     624:      ssuuddoo allows shell-style _w_i_l_d_c_a_r_d_s (aka meta or glob characters) to be
                    625:      used in host names, path names and command line arguments in the _s_u_d_o_e_r_s
1.1.1.4   misho     626:      file.  Wildcard matching is done via the glob(3) and fnmatch(3) functions
                    627:      as specified by IEEE Std 1003.1 (``POSIX.1'').  Note that these are _n_o_t
                    628:      regular expressions.
1.1.1.3   misho     629: 
                    630:      *         Matches any set of zero or more characters.
                    631: 
                    632:      ?         Matches any single character.
                    633: 
                    634:      [...]     Matches any character in the specified range.
                    635: 
                    636:      [!...]    Matches any character nnoott in the specified range.
1.1       misho     637: 
1.1.1.3   misho     638:      \x        For any character `x', evaluates to `x'.  This is used to
                    639:                escape special characters such as: `*', `?', `[', and `]'.
1.1       misho     640: 
1.1.1.4   misho     641:      Character classes may also be used if your system's glob(3) and
1.1.1.3   misho     642:      fnmatch(3) functions support them.  However, because the `:' character
                    643:      has special meaning in _s_u_d_o_e_r_s, it must be escaped.  For example:
1.1       misho     644: 
1.1.1.3   misho     645:          /bin/ls [[\:alpha\:]]*
1.1       misho     646: 
1.1.1.3   misho     647:      Would match any file name beginning with a letter.
1.1       misho     648: 
1.1.1.3   misho     649:      Note that a forward slash (`/') will nnoott be matched by wildcards used in
                    650:      the path name.  This is to make a path like:
1.1       misho     651: 
1.1.1.3   misho     652:          /usr/bin/*
1.1       misho     653: 
1.1.1.3   misho     654:      match _/_u_s_r_/_b_i_n_/_w_h_o but not _/_u_s_r_/_b_i_n_/_X_1_1_/_x_t_e_r_m.
1.1       misho     655: 
1.1.1.3   misho     656:      When matching the command line arguments, however, a slash ddooeess get
                    657:      matched by wildcards since command line arguments may contain arbitrary
                    658:      strings and not just path names.
1.1       misho     659: 
1.1.1.3   misho     660:      Wildcards in command line arguments should be used with care.  Because
                    661:      command line arguments are matched as a single, concatenated string, a
                    662:      wildcard such as `?' or `*' can match multiple words.  For example, while
                    663:      a sudoers entry like:
1.1       misho     664: 
1.1.1.3   misho     665:          %operator ALL = /bin/cat /var/log/messages*
1.1       misho     666: 
1.1.1.3   misho     667:      will allow command like:
                    668: 
                    669:          $ sudo cat /var/log/messages.1
                    670: 
                    671:      It will also allow:
                    672: 
                    673:          $ sudo cat /var/log/messages /etc/shadow
                    674: 
                    675:      which is probably not what was intended.
1.1       misho     676: 
                    677:    EExxcceeppttiioonnss ttoo wwiillddccaarrdd rruulleess
1.1.1.3   misho     678:      The following exceptions apply to the above rules:
1.1       misho     679: 
1.1.1.3   misho     680:      ""        If the empty string "" is the only command line argument in the
1.1       misho     681:                _s_u_d_o_e_r_s entry it means that command is not allowed to be run
                    682:                with aannyy arguments.
                    683: 
1.1.1.3   misho     684:      sudoedit  Command line arguments to the _s_u_d_o_e_d_i_t built-in command should
                    685:                always be path names, so a forward slash (`/') will not be
                    686:                matched by a wildcard.
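
The three matching rules above (no `/` through path wildcards, `/` allowed through argument wildcards, arguments compared as one concatenated string) plus the `""` and sudoedit exceptions are what make the `messages*` entry over-broad. The following added example (not sudo's matcher) reproduces those rules with Python's fnmatch, using component-wise matching to stand in for fnmatch(3)'s FNM_PATHNAME flag, and shows a tighter pattern for the same rotated-log use case; the command lines it checks are constructed.

```python
import fnmatch


def path_matches(pattern, path):
    """Match a command path the way sudoers does: wildcards never match '/'.

    Emulates fnmatch(3) with FNM_PATHNAME by matching one path component at a time.
    """
    pparts, parts = pattern.split("/"), path.split("/")
    return len(pparts) == len(parts) and all(
        fnmatch.fnmatchcase(part, pat) for pat, part in zip(pparts, parts))


def args_match(pattern_args, args, pathname=False):
    """Match command line arguments as one concatenated string.

    pattern_args is the argument text from the sudoers Cmnd (None when the
    Cmnd had none); args is the list the user typed.  With pathname=True the
    sudoedit exception applies and '/' is not matched by wildcards.
    """
    if pattern_args is None:
        return True                      # no arguments in sudoers: any arguments allowed
    if pattern_args == '""':
        return len(args) == 0            # the "" exception: no arguments at all
    joined = " ".join(args)
    if pathname:
        return path_matches(pattern_args, joined)
    return fnmatch.fnmatchcase(joined, pattern_args)


def command_matches(rule, argv):
    """Does argv (argv[0] is the resolved command path) satisfy the sudoers Cmnd `rule`?"""
    if rule.strip() == "ALL":
        return True
    rule_cmd, _, rule_args = rule.strip().partition(" ")
    rule_args = rule_args.strip() or None
    if rule_cmd == "sudoedit":
        return argv[0] == "sudoedit" and args_match(rule_args, argv[1:], pathname=True)
    return path_matches(rule_cmd, argv[0]) and args_match(rule_args, argv[1:])


def demo():
    """Outcomes for constructed invocations against the page's rules."""
    log_rule = "/bin/cat /var/log/messages*"
    tight_rule = "/bin/cat /var/log/messages.[0-9]"
    return {
        "rotated": command_matches(log_rule, ["/bin/cat", "/var/log/messages.1"]),        # True
        "shadow": command_matches(log_rule, ["/bin/cat", "/var/log/messages", "/etc/shadow"]),  # True: too broad
        "tight_shadow": command_matches(tight_rule, ["/bin/cat", "/var/log/messages.1", "/etc/shadow"]),  # False
        "any_args": command_matches("/bin/cat", ["/bin/cat", "/etc/shadow"]),              # True: no args means any
        "no_args": command_matches('/bin/ls ""', ["/bin/ls", "-la"]),                      # False
        "subdir": command_matches("/usr/bin/*", ["/usr/bin/X11/xterm"]),                   # False
        "who": command_matches("/usr/bin/*", ["/usr/bin/who"]),                            # True
        "edit_ok": command_matches("sudoedit /etc/*", ["sudoedit", "/etc/motd"]),          # True
        "edit_traverse": command_matches("sudoedit /etc/*", ["sudoedit", "/etc/../etc/shadow"]),  # False
    }
```

The `tight_shadow` case shows why a pattern that ends in a bracket expression rather than `*` cannot absorb a second argument, and `any_args` is the other common surprise: a Cmnd with no arguments at all permits every argument, which is different from the explicit `""`.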
                    687: 
1.1       misho     688:    IInncclluuddiinngg ootthheerr ffiilleess ffrroomm wwiitthhiinn ssuuddooeerrss
1.1.1.3   misho     689:      It is possible to include other _s_u_d_o_e_r_s files from within the _s_u_d_o_e_r_s
                    690:      file currently being parsed using the #include and #includedir
                    691:      directives.
                    692: 
                    693:      This can be used, for example, to keep a site-wide _s_u_d_o_e_r_s file in
                    694:      addition to a local, per-machine file.  For the sake of this example the
                    695:      site-wide _s_u_d_o_e_r_s will be _/_e_t_c_/_s_u_d_o_e_r_s and the per-machine one will be
                    696:      _/_e_t_c_/_s_u_d_o_e_r_s_._l_o_c_a_l.  To include _/_e_t_c_/_s_u_d_o_e_r_s_._l_o_c_a_l from within
                    697:      _/_e_t_c_/_s_u_d_o_e_r_s we would use the following line in _/_e_t_c_/_s_u_d_o_e_r_s:
                    698: 
                    699:          #include /etc/sudoers.local
                    700: 
                    701:      When ssuuddoo reaches this line it will suspend processing of the current
                    702:      file (_/_e_t_c_/_s_u_d_o_e_r_s) and switch to _/_e_t_c_/_s_u_d_o_e_r_s_._l_o_c_a_l.  Upon reaching the
                    703:      end of _/_e_t_c_/_s_u_d_o_e_r_s_._l_o_c_a_l, the rest of _/_e_t_c_/_s_u_d_o_e_r_s will be processed.
                    704:      Files that are included may themselves include other files.  A hard limit
                    705:      of 128 nested include files is enforced to prevent include file loops.
                    706: 
                    707:      If the path to the include file is not fully-qualified (does not begin
                    708:      with a `/'), it must be located in the same directory as the sudoers file
                    709:      it was included from.  For example, if _/_e_t_c_/_s_u_d_o_e_r_s contains the line:
                    710: 
                    711:          #include sudoers.local
                    712: 
                    713:      the file that will be included is _/_e_t_c_/_s_u_d_o_e_r_s_._l_o_c_a_l.
                    714: 
                    715:      The file name may also include the %h escape, signifying the short form
                    716:      of the host name.  In other words, if the machine's host name is
                    717:      ``xerxes'', then
                    718: 
                    719:          #include /etc/sudoers.%h
                    720: 
                    721:      will cause ssuuddoo to include the file _/_e_t_c_/_s_u_d_o_e_r_s_._x_e_r_x_e_s.
                    722: 
                    723:      The #includedir directive can be used to create a _s_u_d_o_e_r_s_._d directory that
                    724:      the system package manager can drop _s_u_d_o_e_r_s rules into as part of package
                    725:      installation.  For example, given:
                    726: 
                    727:          #includedir /etc/sudoers.d
                    728: 
                    729:      ssuuddoo will read each file in _/_e_t_c_/_s_u_d_o_e_r_s_._d, skipping file names that end
                    730:      in `~' or contain a `.' character to avoid causing problems with package
                    731:      manager or editor temporary/backup files.  Files are parsed in sorted
                    732:      lexical order.  That is, _/_e_t_c_/_s_u_d_o_e_r_s_._d_/_0_1___f_i_r_s_t will be parsed before
                    733:      _/_e_t_c_/_s_u_d_o_e_r_s_._d_/_1_0___s_e_c_o_n_d.  Be aware that because the sorting is lexical,
                    734:      not numeric, _/_e_t_c_/_s_u_d_o_e_r_s_._d_/_1___w_h_o_o_p_s would be loaded aafftteerr
                    735:      _/_e_t_c_/_s_u_d_o_e_r_s_._d_/_1_0___s_e_c_o_n_d.  Using a consistent number of leading zeroes in
                    736:      the file names can be used to avoid such problems.
                    737: 
                    738:      Note that unlike files included via #include, vviissuuddoo will not edit the
                    739:      files in a #includedir directory unless one of them contains a syntax
                    740:      error.  It is still possible to run vviissuuddoo with the --ff flag to edit the
                    741:      files directly.
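
The include rules above (relative paths resolved against the including file's directory, `%h` expansion, the 128-level nesting limit, and for #includedir the skip rules and lexical ordering) are worth checking against a concrete layout before trusting a packaged sudoers.d. The following added example (not sudo's parser) walks a constructed in-memory file tree and yields the lines in the order sudo would parse them; the host name and all file contents are made up for the example.

```python
import os

MAX_NESTING = 128   # the hard limit the page states for nested include files


def resolve_include(operand, including_file, hostname):
    """Turn a #include operand into the path sudo would open.

    %h expands to the short host name; a path without a leading '/' is taken
    relative to the directory of the file that contains the directive.
    """
    path = operand.strip().replace("%h", hostname.split(".")[0])
    if not path.startswith("/"):
        path = os.path.join(os.path.dirname(including_file), path)
    return path


def includedir_files(names):
    """Files sudo reads from an #includedir directory, in the order it reads them.

    Names ending in '~' or containing '.' are skipped; the rest are sorted
    lexically (so '10_second' sorts before '1_whoops', as the page warns).
    """
    return sorted(n for n in names if not n.endswith("~") and "." not in n)


def expand(files, path, hostname="xerxes", depth=0):
    """Yield the lines sudo would parse starting at `path`, following includes.

    `files` is a constructed stand-in for the filesystem: a file path maps to
    its lines, a directory path maps to its directory listing.
    """
    if depth >= MAX_NESTING:
        raise RuntimeError("include nesting limit reached at %s" % path)
    for line in files[path]:
        if line.startswith("#includedir"):      # test before the shorter "#include"
            directory = resolve_include(line[len("#includedir"):], path, hostname)
            for name in includedir_files(files[directory]):
                yield from expand(files, os.path.join(directory, name), hostname, depth + 1)
        elif line.startswith("#include"):
            target = resolve_include(line[len("#include"):], path, hostname)
            yield from expand(files, target, hostname, depth + 1)
        else:
            yield line


SAMPLE_TREE = {   # constructed example, not a real host's configuration
    "/etc/sudoers": ["Defaults env_reset",
                     "#include sudoers.local",         # relative: same directory
                     "#include /etc/sudoers.%h",       # host-specific file
                     "#includedir /etc/sudoers.d",
                     "root ALL = (ALL) ALL"],
    "/etc/sudoers.local": ["dgb boulder = (operator) /bin/ls"],
    "/etc/sudoers.xerxes": ["tcm boulder = (:dialer) /usr/bin/cu"],
    "/etc/sudoers.d": ["1_whoops", "10_second", "README.txt", "50_pkg~"],
    "/etc/sudoers.d/1_whoops": ["ray rushmore = NOPASSWD: /bin/kill"],
    "/etc/sudoers.d/10_second": ["alan ALL = (root, bin : operator, system) ALL"],
    "/etc/sudoers.d/README.txt": ["skipped: contains a dot"],
    "/etc/sudoers.d/50_pkg~": ["skipped: editor backup"],
}


def demo():
    """Parse order for the sample tree on a host whose short name is xerxes."""
    return list(expand(SAMPLE_TREE, "/etc/sudoers"))
```

Running `demo()` shows the rest of `/etc/sudoers` (the root entry) only after every included file, and `10_second` ahead of `1_whoops`; a self-including pair of files stops with a RuntimeError once the nesting limit is reached instead of looping.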
1.1       misho     742: 
                    743:    OOtthheerr ssppeecciiaall cchhaarraacctteerrss aanndd rreesseerrvveedd wwoorrddss
1.1.1.3   misho     744:      The pound sign (`#') is used to indicate a comment (unless it is part of
                    745:      a #include directive or unless it occurs in the context of a user name
                    746:      and is followed by one or more digits, in which case it is treated as a
                    747:      uid).  Both the comment character and any text after it, up to the end of
                    748:      the line, are ignored.
                    749: 
                    750:      The reserved word AALLLL is a built-in _a_l_i_a_s that always causes a match to
                    751:      succeed.  It can be used wherever one might otherwise use a Cmnd_Alias,
                    752:      User_Alias, Runas_Alias, or Host_Alias.  You should not try to define
                    753:      your own _a_l_i_a_s called AALLLL as the built-in alias will be used in
                    754:      preference to your own.  Please note that using AALLLL can be dangerous
                    755:      since in a command context, it allows the user to run aannyy command on the
                    756:      system.
                    757: 
1.1.1.4   misho     758:      An exclamation point (`!') can be used as a logical _n_o_t operator in a
                    759:      list or _a_l_i_a_s as well as in front of a Cmnd.  This allows one to exclude
                    760:      certain values.  For the `!' operator to be effective, there must be
                    761:      something for it to exclude.  For example, to match all users except for
                    762:      root one would use:
                    763: 
                    764:          ALL,!root
                    765: 
                    766:      If the AALLLL, is omitted, as in:
                    767: 
                    768:          !root
                    769: 
                    770:      it would explicitly deny root but not match any other users.  This is
                    771:      different from a true ``negation'' operator.
                    772: 
                    773:      Note, however, that using a `!' in conjunction with the built-in AALLLL
                    774:      alias to allow a user to run ``all but a few'' commands rarely works as
                    775:      intended (see _S_E_C_U_R_I_T_Y _N_O_T_E_S below).
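
The difference between `ALL,!root` (match everyone, then exclude root) and a bare `!root` (exclude root, match nobody) is the distinction between an explicit deny and no match at all. The following added example (not sudo's list matcher) evaluates a list of User_List items to one of three outcomes so the two cases are visibly different. It assumes that when several items match, the last one decides, and that each `!` toggles; the group table is constructed for the example and netgroup/uid forms are omitted.

```python
# Constructed group table for the membership test below (not from a real host)
GROUPS = {"operator": {"dgb", "tcm"}, "wheel": {"alice"}}


def split_list(text):
    """'ALL,!root' or 'ALL, !root' -> ['ALL', '!root'] (white space is optional)."""
    return [item.strip() for item in text.split(",") if item.strip()]


def user_item_matches(name, user):
    """One non-negated User_List item: a user name or a %group
    (the #uid and +netgroup forms are left out here)."""
    if name.startswith("%"):
        return user in GROUPS.get(name[1:], set())
    return name == user


def list_matches(items, candidate, item_matches=user_item_matches):
    """Evaluate a sudoers list for `candidate`.

    Returns True (matched), False (explicitly excluded by a '!' item) or None
    (nothing matched at all).  Assumption: the last matching item decides.
    """
    result = None
    for item in items:
        name = item.lstrip("!")
        negated = (len(item) - len(name)) % 2 == 1   # '!!x' is the same as 'x'
        if name == "ALL" or item_matches(name, candidate):
            result = not negated
    return result


def demo():
    """The page's two lists plus a group-based one, evaluated for several users."""
    return {
        "ALL,!root/alice": list_matches(split_list("ALL,!root"), "alice"),        # True
        "ALL,!root/root": list_matches(split_list("ALL,!root"), "root"),          # False
        "!root/alice": list_matches(split_list("!root"), "alice"),                # None
        "!root/root": list_matches(split_list("!root"), "root"),                  # False
        "%operator,!tcm/dgb": list_matches(split_list("%operator, !tcm"), "dgb"), # True
        "%operator,!tcm/tcm": list_matches(split_list("%operator, !tcm"), "tcm"), # False
    }
```

A None result is the important one: an entry whose User_List is just `!root` never grants anything to anyone, which is what the text means by "would explicitly deny root but not match any other users".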
1.1.1.3   misho     776: 
                    777:      Long lines can be continued with a backslash (`\') as the last character
                    778:      on the line.
                    779: 
                    780:      White space between elements in a list as well as special syntactic
                    781:      characters in a _U_s_e_r _S_p_e_c_i_f_i_c_a_t_i_o_n (`=', `:', `(', `)') is optional.
                    782: 
                    783:      The following characters must be escaped with a backslash (`\') when used
                    784:      as part of a word (e.g. a user name or host name): `!', `=', `:', `,',
                    785:      `(', `)', `\'.
1.1       misho     786: 
                    787: SSUUDDOOEERRSS OOPPTTIIOONNSS
1.1.1.3   misho     788:      ssuuddoo's behavior can be modified by Default_Entry lines, as explained
                    789:      earlier.  A list of all supported Defaults parameters, grouped by type,
                    790:      are listed below.
1.1       misho     791: 
1.1.1.3   misho     792:      BBoooolleeaann FFllaaggss:
1.1       misho     793: 
1.1.1.3   misho     794:      always_set_home   If enabled, ssuuddoo will set the HOME environment variable
1.1       misho     795:                        to the home directory of the target user (which is root
                    796:                        unless the --uu option is used).  This effectively means
                    797:                        that the --HH option is always implied.  Note that HOME
1.1.1.5   misho     798:                        is already set when the _e_n_v___r_e_s_e_t option is enabled, so
                    799:                        _a_l_w_a_y_s___s_e_t___h_o_m_e is only effective for configurations
                    800:                        where either _e_n_v___r_e_s_e_t is disabled or HOME is present
                    801:                        in the _e_n_v___k_e_e_p list.  This flag is _o_f_f by default.
1.1       misho     802: 
1.1.1.3   misho     803:      authenticate      If set, users must authenticate themselves via a
1.1       misho     804:                        password (or other means of authentication) before they
                    805:                        may run commands.  This default may be overridden via
                    806:                        the PASSWD and NOPASSWD tags.  This flag is _o_n by
                    807:                        default.
                    808: 
1.1.1.3   misho     809:      closefrom_override
1.1       misho     810:                        If set, the user may use ssuuddoo's --CC option which
                    811:                        overrides the default starting point at which ssuuddoo
                    812:                        begins closing open file descriptors.  This flag is _o_f_f
                    813:                        by default.
                    814: 
1.1.1.3   misho     815:      compress_io       If set, and ssuuddoo is configured to log a command's input
1.1       misho     816:                        or output, the I/O logs will be compressed using zzlliibb.
                    817:                        This flag is _o_n by default when ssuuddoo is compiled with
                    818:                        zzlliibb support.
                    819: 
1.1.1.6 ! misho     820:      use_netgroups     If set, netgroups (prefixed with `+'), may be used in
        !           821:                        place of a user or host.  For LDAP-based sudoers,
        !           822:                        netgroup support requires an expensive substring match
        !           823:                        on the server.  If netgroups are not needed, this
        !           824:                        option can be disabled to reduce the load on the LDAP
        !           825:                        server.  This flag is _o_n by default.
        !           826: 
1.1.1.4   misho     827:      exec_background   By default, ssuuddoo runs a command as the foreground
                    828:                        process as long as ssuuddoo itself is running in the
                    829:                        foreground.  When the _e_x_e_c___b_a_c_k_g_r_o_u_n_d flag is enabled
                    830:                        and the command is being run in a pty (due to I/O
                    831:                        logging or the _u_s_e___p_t_y flag), the command will be run
                    832:                        as a background process.  Attempts to read from the
                    833:                        controlling terminal (or to change terminal settings)
                    834:                        will result in the command being suspended with the
                    835:                        SIGTTIN signal (or SIGTTOU in the case of terminal
                    836:                        settings).  If this happens when ssuuddoo is a foreground
                       process, the command will be granted the controlling
                       terminal and resumed in the foreground with no user
                       intervention required.  The advantage of initially
                       running the command in the background is that sudo need
                       not read from the terminal unless the command
                       explicitly requests it.  Otherwise, any terminal input
                       must be passed to the command, whether it has required
                       it or not (the kernel buffers terminals so it is not
                       possible to tell whether the command really wants the
                       input).  This is different from historic sudo behavior
                       or when the command is not being run in a pty.

                       For this to work seamlessly, the operating system must
                       support the automatic restarting of system calls.
                       Unfortunately, not all operating systems do this by
                       default, and even those that do may have bugs.  For
                       example, Mac OS X fails to restart the tcgetattr() and
                       tcsetattr() system calls (this is a bug in Mac OS X).
                       Furthermore, because this behavior depends on the
                       command stopping with the SIGTTIN or SIGTTOU signals,
                       programs that catch these signals and suspend
                       themselves with a different signal (usually SIGSTOP)
                       will not be automatically foregrounded.  Some versions
                       of the Linux su(1) command behave this way.

                       This setting is only supported by version 1.8.7 or
                       higher.  It has no effect unless I/O logging is enabled
                       or the use_pty flag is enabled.

     env_editor        If set, visudo will use the value of the EDITOR or
                       VISUAL environment variables before falling back on the
                       default editor list.  Note that this may create a
                       security hole as it allows the user to run any
                       arbitrary command as root without logging.  A safer
                       alternative is to place a colon-separated list of
                       editors in the editor variable.  visudo will then only
                       use the EDITOR or VISUAL if they match a value
                       specified in editor.  This flag is off by default.

     env_reset         If set, sudo will run the command in a minimal
                       environment containing the TERM, PATH, HOME, MAIL,
                       SHELL, LOGNAME, USER, USERNAME and SUDO_* variables.
                       Any variables in the caller's environment that match
                       the env_keep and env_check lists are then added,
                       followed by any variables present in the file specified
                       by the env_file option (if any).  The default contents
                       of the env_keep and env_check lists are displayed when
                       sudo is run by root with the -V option.  If the
                       secure_path option is set, its value will be used for
                       the PATH environment variable.  This flag is on by
                       default.
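     The environment construction that env_reset performs, modelled in
     Python as an added example (this is not sudo's own code).  The base
     variables are copied from the caller here, whereas sudo itself fills
     HOME, SHELL, LOGNAME, USER and MAIL from the target user's passwd
     entry.  The wildcard matching of env_keep entries, the rule that an
     env_check variable is dropped when its value contains ``%'' or ``/'',
     and the replacement of caller-supplied SUDO_* variables are taken from
     the wider sudoers manual rather than this section; the sample
     environment and the keep/check lists are constructed.

```python
"""Model of how sudo builds the command environment when env_reset is on.

Added example, not sudo's own code.  Assumptions (not stated in the env_reset
entry above):
  * env_keep and env_check entries may use shell-style wildcards such as LC_*;
  * an env_check variable is kept only if its value contains neither '%' nor '/';
  * SUDO_* variables are always set by sudo itself, so caller-supplied
    SUDO_* values are dropped rather than passed through;
  * the base variables are copied from the caller here, whereas sudo fills
    several of them (HOME, SHELL, LOGNAME, USER, MAIL) from the target user's
    passwd entry.
"""
import fnmatch

# Variables the manual lists as always present in the minimal environment.
BASE_VARS = frozenset(("TERM", "PATH", "HOME", "MAIL", "SHELL",
                       "LOGNAME", "USER", "USERNAME"))


def _matches_any(name, patterns):
    """True if NAME matches one of PATTERNS (fnmatch-style, case-sensitive)."""
    return any(fnmatch.fnmatchcase(name, pat) for pat in patterns)


def reset_environment(caller_env, env_keep=(), env_check=(), env_file_vars=None,
                      secure_path=None, sudo_vars=None):
    """Return the environment a command would see under env_reset.

    caller_env    -- the invoking user's environment (dict)
    env_keep      -- names/patterns preserved unconditionally
    env_check     -- names/patterns preserved only when the value is 'safe'
    env_file_vars -- variables read from the file named by env_file (dict)
    secure_path   -- value of the secure_path option, if set
    sudo_vars     -- SUDO_* variables sudo sets itself (dict)
    """
    new_env = {}
    for name, value in caller_env.items():
        if name.startswith("SUDO_"):
            continue                      # never trust caller-supplied SUDO_* values
        if name in BASE_VARS or _matches_any(name, env_keep):
            new_env[name] = value
        elif _matches_any(name, env_check) and "%" not in value and "/" not in value:
            new_env[name] = value
    # env_file variables are added after the keep/check lists; this model does
    # not let them override values already kept (assumption).
    for name, value in (env_file_vars or {}).items():
        new_env.setdefault(name, value)
    for name, value in (sudo_vars or {}).items():
        new_env[name] = value
    if secure_path is not None:
        new_env["PATH"] = secure_path     # secure_path replaces the caller's PATH
    return new_env


# Constructed sample: a caller environment carrying values that must not
# survive into a root command.
SAMPLE_CALLER_ENV = {
    "TERM": "xterm-256color",
    "PATH": "/home/alice/bin:/usr/local/bin:/usr/bin",
    "HOME": "/home/alice",
    "SHELL": "/bin/bash",
    "LANG": "en_US.UTF-8",
    "LC_ALL": "C",
    "TZ": "../../tmp/evil-zoneinfo",   # slash in an env_check variable: dropped
    "LD_PRELOAD": "/tmp/hook.so",      # not in any list: dropped
    "EDITOR": "/tmp/not-an-editor",    # not in any list: dropped
    "SUDO_USER": "root",               # spoofed SUDO_* value: dropped
}
SAMPLE_ENV_KEEP = ("COLORS", "DISPLAY", "HOSTNAME", "LS_COLORS", "LANG", "LC_*")
SAMPLE_ENV_CHECK = ("TZ", "COLORTERM")


def sample_result():
    """Run the model over the constructed sample with a secure_path set."""
    return reset_environment(
        SAMPLE_CALLER_ENV, SAMPLE_ENV_KEEP, SAMPLE_ENV_CHECK,
        env_file_vars={"EDITOR": "/usr/bin/vi"},
        secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin",
        sudo_vars={"SUDO_USER": "alice", "SUDO_UID": "1000", "SUDO_COMMAND": "/bin/ls"},
    )


if __name__ == "__main__":
    for key, val in sorted(sample_result().items()):
        print("%s=%s" % (key, val))
```

     Running it shows LD_PRELOAD, the caller's EDITOR and the spoofed
     SUDO_USER gone, TZ dropped because its value contains a slash, and PATH
     replaced by the secure_path value; compare the real lists with
     ``sudo -V'' run as root.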

     fast_glob         Normally, sudo uses the glob(3) function to do shell-
                       style globbing when matching path names.  However,
                       since it accesses the file system, glob(3) can take a
                       long time to complete for some patterns, especially
                       when the pattern references a network file system that
                       is mounted on demand (auto mounted).  The fast_glob
                       option causes sudo to use the fnmatch(3) function,
                       which does not access the file system to do its
                       matching.  The disadvantage of fast_glob is that it is
                       unable to match relative path names such as ./ls or
                       ../bin/ls.  This has security implications when path
                       names that include globbing characters are used with
                       the negation operator, `!', as such rules can be
                       trivially bypassed.  As such, this option should not be
                       used when sudoers contains rules that contain negated
                       path names which include globbing characters.  This
                       flag is off by default.
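     A small policy linter for the two risks described under env_editor and
     fast_glob above, added here as an example; it is not part of sudo or of
     this manual.  It parses only the simple one-line sudoers syntax used in
     its constructed sample (no line continuations, no nested alias
     expansion) and reports env_editor without an editor list, and fast_glob
     combined with a negated command that contains globbing characters.

```python
"""Lint a sudoers policy for the two risks this page calls out: env_editor
enabled without an editor list, and fast_glob combined with negated command
rules that use globbing characters.

Added example, not part of sudo or of the sudoers manual.  It understands
only the simple one-line syntax in the constructed sample below (no line
continuations, no nested alias expansion); use visudo -c for syntax checks.
"""
import re

GLOB_CHARS = frozenset("*?[")
_DEFAULTS_RE = re.compile(r"^Defaults(?:[:@>!]\S+)?\s+(.*)$")
_RUNAS_RE = re.compile(r"^\([^)]*\)\s*")            # "(root) " runas list
_TAG_RE = re.compile(r"^(?:[A-Z_]+:\s*)+")           # "NOPASSWD: NOEXEC: " tags


def _strip_comment(line):
    return line.split("#", 1)[0].strip()


def parse_defaults(text):
    """Return {option: value}; boolean flags map to True (set) or False (!set)."""
    opts = {}
    for line in text.splitlines():
        m = _DEFAULTS_RE.match(_strip_comment(line))
        if not m:
            continue
        for item in m.group(1).split(","):
            item = item.strip()
            if not item:
                continue
            if "=" in item:                          # name=value, name+=value, name-=value
                name, value = item.split("=", 1)
                opts[name.strip().rstrip("+-").strip()] = value.strip().strip('"')
            elif item.startswith("!"):
                opts[item[1:].strip()] = False
            else:
                opts[item] = True
    return opts


def negated_glob_commands(text):
    """Commands of the form !<path containing * ? or [> from user specs and Cmnd_Aliases."""
    found = []
    for line in text.splitlines():
        line = _strip_comment(line)
        if not line or "=" not in line or line.startswith("Defaults"):
            continue
        if line.startswith(("User_Alias", "Host_Alias", "Runas_Alias")):
            continue                                 # these aliases hold no commands
        for cmnd in line.split("=", 1)[1].split(","):
            cmnd = _TAG_RE.sub("", _RUNAS_RE.sub("", cmnd.strip()))
            if cmnd.startswith("!") and GLOB_CHARS & set(cmnd):
                found.append(cmnd)
    return found


def lint(text):
    """Return [(severity, message), ...] for the risks described on this page."""
    opts = parse_defaults(text)
    findings = []
    if opts.get("env_editor"):
        if opts.get("editor"):
            findings.append(("info", "env_editor is on but EDITOR/VISUAL are "
                             "restricted to editor=" + opts["editor"]))
        else:
            findings.append(("high", "env_editor is on with no editor list: any "
                             "EDITOR/VISUAL value is run as root by visudo"))
    if opts.get("fast_glob"):
        for cmnd in negated_glob_commands(text):
            findings.append(("high", "fast_glob is on and rule %s is negated with "
                             "globbing characters; fnmatch(3) cannot match relative "
                             "paths, so the negation does not hold" % cmnd))
    return findings


# Constructed sample policy (not a real site's sudoers).
SAMPLE_SUDOERS = """\
Defaults env_reset, fast_glob
Defaults env_editor
Defaults:alice timestamp_timeout=5
Cmnd_Alias PKG = /usr/bin/apt-get, /usr/bin/dpkg
alice ALL = (ALL) NOPASSWD: /usr/bin/*, !/usr/bin/passwd*
bob   ALL = PKG, !/usr/bin/apt-get *remove*
"""

# The same policy with fast_glob dropped and an explicit editor list.
HARDENED_SUDOERS = SAMPLE_SUDOERS.replace(
    "Defaults env_reset, fast_glob", "Defaults env_reset").replace(
    "Defaults env_editor", 'Defaults env_editor, editor="/usr/bin/vi:/usr/bin/vim"')


if __name__ == "__main__":
    for label, policy in (("sample", SAMPLE_SUDOERS), ("hardened", HARDENED_SUDOERS)):
        print(label)
        for severity, message in lint(policy):
            print("  [%s] %s" % (severity, message))
```

     The sample policy produces three high findings; the hardened variant,
     with fast_glob removed and editor set to a colon-separated list,
     produces only the informational note that env_editor is constrained.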

     fqdn              Set this flag if you want to put fully qualified host
                       names in the sudoers file when the local host name (as
                       returned by the hostname command) does not contain the
                       domain name.  In other words, instead of myhost you
                       would use myhost.mydomain.edu.  You may still use the
                       short form if you wish (and even mix the two).  This
                       option is only effective when the ``canonical'' host
                       name, as returned by the getaddrinfo() or
                       gethostbyname() function, is a fully-qualified domain
                       name.  This is usually the case when the system is
                       configured to use DNS for host name resolution.

                       If the system is configured to use the /etc/hosts file
                       in preference to DNS, the ``canonical'' host name may
                       not be fully-qualified.  The order that sources are
                       queried for host name resolution is usually specified
                       in the /etc/nsswitch.conf, /etc/netsvc.conf,
                       /etc/host.conf, or, in some cases, /etc/resolv.conf
                       file.  In the /etc/hosts file, the first host name of
                       the entry is considered to be the ``canonical'' name;
                       subsequent names are aliases that are not used by
                       sudoers.  For example, the following hosts file line
                       for the machine ``xyzzy'' has the fully-qualified
                       domain name as the ``canonical'' host name, and the
                       short version as an alias.

                             192.168.1.1    xyzzy.sudo.ws xyzzy

                       If the machine's hosts file entry is not formatted
                       properly, the fqdn option will not be effective if it
                       is queried before DNS.

                       Beware that when using DNS for host name resolution,
                       turning on fqdn requires sudoers to make DNS lookups
                       which renders sudo unusable if DNS stops working (for
                       example if the machine is disconnected from the
                       network).  Also note that just like with the hosts
                       file, you must use the ``canonical'' name as DNS knows
                       it.  That is, you may not use a host alias (CNAME
                       entry) due to performance issues and the fact that
                       there is no way to get all aliases from DNS.

                       This flag is off by default.
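     The hosts-file rule stated above (first name on the line is canonical,
     later names are aliases) as a check an administrator can run before
     turning on fqdn.  This is an added example, not sudo's own code; it
     does not call the resolver, so it says nothing about what DNS returns.
     The manual's own xyzzy line is used as the good case and the second
     hosts file is constructed as the badly formatted counter-example.

```python
"""Check whether hosts-file entries give sudoers a fully-qualified
``canonical'' host name when fqdn is enabled.

Added example, not sudo's own code.  It models only the rule the manual
states (the first name on a hosts line is the canonical name, later names
are aliases) and does not call the resolver.
"""


def parse_hosts(text):
    """Return [(address, canonical, [aliases...]), ...] from hosts-file text."""
    entries = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()      # strip comments and blanks
        fields = line.split()
        if len(fields) < 2:
            continue
        entries.append((fields[0], fields[1], fields[2:]))
    return entries


def canonical_name(text, name):
    """Canonical host name sudoers would see for NAME, or None if not listed."""
    for _addr, canon, aliases in parse_hosts(text):
        if name == canon or name in aliases:
            return canon
    return None


def fqdn_usable(text, name):
    """True if the hosts file gives NAME a fully-qualified canonical name."""
    canon = canonical_name(text, name)
    return canon is not None and "." in canon


def unqualified_entries(text):
    """Non-loopback entries whose canonical name has no domain part."""
    return [(addr, canon) for addr, canon, _ in parse_hosts(text)
            if "." not in canon and not addr.startswith("127.") and addr != "::1"]


# Line from the manual: FQDN first, short name as an alias (fqdn works).
GOOD_HOSTS = "192.168.1.1    xyzzy.sudo.ws xyzzy\n"

# Constructed counter-example: short name first, so the canonical name is
# unqualified and a sudoers entry for xyzzy.sudo.ws would not match.
BAD_HOSTS = """\
127.0.0.1      localhost
192.168.1.1    xyzzy xyzzy.sudo.ws
192.168.1.2    db01.sudo.ws db01
"""


if __name__ == "__main__":
    for label, text in (("good", GOOD_HOSTS), ("bad", BAD_HOSTS)):
        print(label, canonical_name(text, "xyzzy"), fqdn_usable(text, "xyzzy"),
              unqualified_entries(text))
```

     unqualified_entries() is the list to fix before enabling fqdn on a host
     that consults /etc/hosts ahead of DNS.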

     ignore_dot        If set, sudo will ignore "." or "" (both denoting
                       current directory) in the PATH environment variable;
                       the PATH itself is not modified.  This flag is off by
                       default.

     ignore_local_sudoers
                       If set via LDAP, parsing of /etc/sudoers will be
                       skipped.  This is intended for Enterprises that wish to
                       prevent the usage of local sudoers files so that only
                       LDAP is used.  This thwarts the efforts of rogue
                       operators who would attempt to add roles to
                       /etc/sudoers.  When this option is present,
                       /etc/sudoers does not even need to exist.  Since this
                       option tells sudo how to behave when no specific LDAP
                       entries have been matched, this sudoOption is only
                       meaningful for the cn=defaults section.  This flag is
                       off by default.

     insults           If set, sudo will insult users when they enter an
                       incorrect password.  This flag is off by default.

     log_host          If set, the host name will be logged in the (non-
                       syslog) sudo log file.  This flag is off by default.

     log_input         If set, sudo will run the command in a pseudo tty and
                       log all user input.  If the standard input is not
                       connected to the user's tty, due to I/O redirection or
                       because the command is part of a pipeline, that input
                       is also captured and stored in a separate log file.

                       Input is logged to the directory specified by the
                       iolog_dir option (/var/log/sudo-io by default) using a
                       unique session ID that is included in the normal sudo
                       log line, prefixed with ``TSID=''.  The iolog_file
                       option may be used to control the format of the session
                       ID.

                       Note that user input may contain sensitive information
                       such as passwords (even if they are not echoed to the
                       screen), which will be stored in the log file
                       unencrypted.  In most cases, logging the command output
                       via log_output is all that is required.

     log_output        If set, sudo will run the command in a pseudo tty and
                       log all output that is sent to the screen, similar to
                       the script(1) command.  If the standard output or
                       standard error is not connected to the user's tty, due
                       to I/O redirection or because the command is part of a
                       pipeline, that output is also captured and stored in
                       separate log files.

                       Output is logged to the directory specified by the
                       iolog_dir option (/var/log/sudo-io by default) using a
                       unique session ID that is included in the normal sudo
                       log line, prefixed with ``TSID=''.  The iolog_file
                       option may be used to control the format of the session
                       ID.

                       Output logs may be viewed with the sudoreplay(1m)
                       utility, which can also be used to list or search the
                       available logs.
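     The ``TSID='' field that log_input and log_output add to the normal
     sudo log line, extracted from sample log lines and mapped to the
     session directory under iolog_dir.  This is an added example, not
     sudo's own code.  It assumes the syslog-style line format sudo
     produces and the default iolog_file layout, under which the
     six-character session ID is split into three two-character path
     components (000001 becomes <iolog_dir>/00/00/01); the log lines are
     constructed.

```python
"""Pull the I/O-log session ID (TSID) out of sudo log lines and map each one
to its session directory under iolog_dir, so an analyst can go from a log
entry to the sudoreplay session.

Added example, not sudo's own code.  Assumptions not stated on this page:
the lines are in sudo's syslog-style format, and iolog_file has its default
value, under which the six-character session ID becomes three two-character
path components (000001 -> <iolog_dir>/00/00/01).
"""
import re

_LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) sudo:\s+"
    r"(?P<user>\S+) : (?P<rest>.*)$")
_TSID_RE = re.compile(r"^[0-9A-Z]{6}$")            # base-36 sequence number


def parse_sudo_log_line(line):
    """Return a dict of the fields in one sudo log line, or None if it is not one."""
    m = _LINE_RE.match(line)
    if not m:
        return None
    rec = {"timestamp": m.group("ts"), "host": m.group("host"), "user": m.group("user")}
    for part in m.group("rest").split(" ; "):
        if "=" in part:
            key, value = part.split("=", 1)
            rec[key] = value
        else:
            rec.setdefault("message", part)        # e.g. "command not allowed"
    return rec


def iolog_path(tsid, iolog_dir="/var/log/sudo-io"):
    """Directory holding the session log for TSID (default iolog_file layout)."""
    if not _TSID_RE.match(tsid):
        raise ValueError("unexpected session ID: %r" % tsid)
    return "%s/%s/%s/%s" % (iolog_dir, tsid[0:2], tsid[2:4], tsid[4:6])


def sessions_with_iologs(log_text, iolog_dir="/var/log/sudo-io"):
    """[(user, command, session directory), ...] for lines that carry a TSID."""
    sessions = []
    for line in log_text.splitlines():
        rec = parse_sudo_log_line(line)
        if rec and "TSID" in rec:
            sessions.append((rec["user"], rec["COMMAND"], iolog_path(rec["TSID"], iolog_dir)))
    return sessions


# Constructed sample log lines; only commands run with log_input/log_output
# in effect carry a TSID.
SAMPLE_LOG = """\
Jun  3 10:12:01 web01 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; TSID=000001 ; COMMAND=/bin/bash
Jun  3 10:15:44 web01 sudo:      bob : TTY=pts/1 ; PWD=/home/bob ; USER=root ; COMMAND=/usr/bin/apt-get update
Jun  3 10:20:09 web01 sudo:    alice : TTY=pts/0 ; PWD=/tmp ; USER=root ; TSID=00000B ; COMMAND=/usr/bin/vi /etc/ssh/sshd_config
Jun  3 10:21:00 web01 sudo:  mallory : command not allowed ; TTY=pts/2 ; PWD=/home/mallory ; USER=root ; COMMAND=/bin/bash
"""

if __name__ == "__main__":
    for user, command, path in sessions_with_iologs(SAMPLE_LOG):
        print("%-8s %-40s %s" % (user, command, path))
```

     The session ID is validated before it is turned into a path so that a
     log line with a malformed field cannot steer the lookup outside
     iolog_dir.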

     log_year          If set, the four-digit year will be logged in the (non-
                       syslog) sudo log file.  This flag is off by default.

     long_otp_prompt   When validating with a One Time Password (OTP) scheme
                       such as S/Key or OPIE, a two-line prompt is used to
                       make it easier to cut and paste the challenge to a
                       local window.  It's not as pretty as the default but
                       some people find it more convenient.  This flag is off
                       by default.

     mail_always       Send mail to the mailto user every time a user runs
                       sudo.  This flag is off by default.

     mail_badpass      Send mail to the mailto user if the user running sudo
                       does not enter the correct password.  If the command
                       the user is attempting to run is not permitted by
                       sudoers and one of the mail_always, mail_no_host,
                       mail_no_perms or mail_no_user flags is set, this flag
                       will have no effect.  This flag is off by default.

     mail_no_host      If set, mail will be sent to the mailto user if the
                       invoking user exists in the sudoers file, but is not
                       allowed to run commands on the current host.  This flag
                       is off by default.

     mail_no_perms     If set, mail will be sent to the mailto user if the
                       invoking user is allowed to use sudo but the command
                       they are trying is not listed in their sudoers file
                       entry or is explicitly denied.  This flag is off by
                       default.

     mail_no_user      If set, mail will be sent to the mailto user if the
                       invoking user is not in the sudoers file.  This flag is
                       on by default.

     noexec            If set, all commands run via sudo will behave as if the
                       NOEXEC tag has been set, unless overridden by an EXEC
                       tag.  See the description of NOEXEC and EXEC below as
                       well as the Preventing shell escapes section at the end
                       of this manual.  This flag is off by default.

     pam_session       On systems that use PAM for authentication, sudo will
                       create a new PAM session for the command to be run in.
                       Disabling pam_session may be needed on older PAM
                       implementations or on operating systems where opening a
                       PAM session changes the utmp or wtmp files.  If PAM
                       session support is disabled, resource limits may not be
                       updated for the command being run.  If pam_session,
                       pam_setcred, and use_pty are disabled and I/O logging
                       has not been configured, sudo will execute the command
                       directly instead of running it as a child process.
                       This flag is on by default.

                       This setting is only supported by version 1.8.7 or
                       higher.

     pam_setcred       On systems that use PAM for authentication, sudo will
                       attempt to establish credentials for the target user by
                       default, if supported by the underlying authentication
                       system.  One example of a credential is a Kerberos
                       ticket.  If pam_session, pam_setcred, and use_pty are
                       disabled and I/O logging has not been configured, sudo
                       will execute the command directly instead of running it
                       as a child process.  This flag is on by default.

                       This setting is only supported by version 1.8.8 or
                       higher.

     passprompt_override
                       The password prompt specified by passprompt will
                       normally only be used if the password prompt provided
                       by systems such as PAM matches the string
                       ``Password:''.  If passprompt_override is set,
                       passprompt will always be used.  This flag is off by
                       default.

     path_info         Normally, sudo will tell the user when a command could
                       not be found in their PATH environment variable.  Some
                       sites may wish to disable this as it could be used to
                       gather information on the location of executables that
                       the normal user does not have access to.  The
                       disadvantage is that if the executable is simply not in
                       the user's PATH, sudo will tell the user that they are
                       not allowed to run it, which can be confusing.  This
                       flag is on by default.

     preserve_groups   By default, sudo will initialize the group vector to
                       the list of groups the target user is in.  When
                       preserve_groups is set, the user's existing group
                       vector is left unaltered.  The real and effective group
                       IDs, however, are still set to match the target user.
                       This flag is off by default.

     pwfeedback        By default, sudo reads the password like most other
                       Unix programs, by turning off echo until the user hits
                       the return (or enter) key.  Some users become confused
                       by this as it appears to them that sudo has hung at
                       this point.  When pwfeedback is set, sudo will provide
                       visual feedback when the user presses a key.  Note that
                       this does have a security impact as an onlooker may be
                       able to determine the length of the password being
                       entered.  This flag is off by default.

     requiretty        If set, sudo will only run when the user is logged in
                       to a real tty.  When this flag is set, sudo can only be
                       run from a login session and not via other means such
                       as cron(1m) or cgi-bin scripts.  This flag is off by
                       default.

     root_sudo         If set, root is allowed to run sudo too.  Disabling
                       this prevents users from ``chaining'' sudo commands to
                       get a root shell by doing something like ``sudo sudo
                       /bin/sh''.  Note, however, that turning off root_sudo
                       will also prevent root from running sudoedit.
                       Disabling root_sudo provides no real additional
                       security; it exists purely for historical reasons.
                       This flag is on by default.

     rootpw            If set, sudo will prompt for the root password instead
                       of the password of the invoking user when running a
                       command or editing a file.  This flag is off by
                       default.

     runaspw           If set, sudo will prompt for the password of the user
                       defined by the runas_default option (defaults to root)
                       instead of the password of the invoking user when
                       running a command or editing a file.  This flag is off
                       by default.

     set_home          If enabled and sudo is invoked with the -s option the
                       HOME environment variable will be set to the home
                       directory of the target user (which is root unless the
                       -u option is used).  This effectively makes the -s
                       option imply -H.  Note that HOME is already set when
                       the env_reset option is enabled, so set_home is only
                       effective for configurations where either env_reset is
                       disabled or HOME is present in the env_keep list.  This
                       flag is off by default.

     set_logname       Normally, sudo will set the LOGNAME, USER and USERNAME
                       environment variables to the name of the target user
                       (usually root unless the -u option is given).  However,
                       since some programs (including the RCS revision control
                       system) use LOGNAME to determine the real identity of
                       the user, it may be desirable to change this behavior.
                       This can be done by negating the set_logname option.
                       Note that if the env_reset option has not been
                       disabled, entries in the env_keep list will override
                       the value of set_logname.  This flag is on by default.

     set_utmp          When enabled, sudo will create an entry in the utmp (or
                       utmpx) file when a pseudo-tty is allocated.  A pseudo-
                       tty is allocated by sudo when the log_input, log_output
                       or use_pty flags are enabled.  By default, the new
                       entry will be a copy of the user's existing utmp entry
                       (if any), with the tty, time, type and pid fields
                       updated.  This flag is on by default.

1.1.1.3   misho    1171:      setenv            Allow the user to disable the _e_n_v___r_e_s_e_t option from the
1.1       misho    1172:                        command line via the --EE option.  Additionally,
                   1173:                        environment variables set via the command line are not
                   1174:                        subject to the restrictions imposed by _e_n_v___c_h_e_c_k,
                   1175:                        _e_n_v___d_e_l_e_t_e, or _e_n_v___k_e_e_p.  As such, only trusted users
                   1176:                        should be allowed to set variables in this manner.
                   1177:                        This flag is _o_f_f by default.
                   1178: 
1.1.1.3   misho    1179:      shell_noargs      If set and ssuuddoo is invoked with no arguments it acts as
1.1       misho    1180:                        if the --ss option had been given.  That is, it runs a
                   1181:                        shell as root (the shell is determined by the SHELL
                   1182:                        environment variable if it is set, falling back on the
                   1183:                        shell listed in the invoking user's /etc/passwd entry
                   1184:                        if not).  This flag is _o_f_f by default.
                   1185: 
1.1.1.3   misho    1186:      stay_setuid       Normally, when ssuuddoo executes a command the real and
1.1       misho    1187:                        effective UIDs are set to the target user (root by
                   1188:                        default).  This option changes that behavior such that
                   1189:                        the real UID is left as the invoking user's UID.  In
                   1190:                        other words, this makes ssuuddoo act as a setuid wrapper.
                   1191:                        This can be useful on systems that disable some
                   1192:                        potentially dangerous functionality when a program is
                   1193:                        run setuid.  This option is only effective on systems
1.1.1.3   misho    1194:                        that support either the setreuid(2) or setresuid(2)
                   1195:                        system call.  This flag is _o_f_f by default.
1.1       misho    1196: 
1.1.1.3   misho    1197:      targetpw          If set, ssuuddoo will prompt for the password of the user
1.1       misho    1198:                        specified by the --uu option (defaults to root) instead
1.1.1.6 ! misho    1199:                        of the password of the invoking user when running a
        !          1200:                        command or editing a file.  Note that this flag
        !          1201:                        precludes the use of a uid not listed in the passwd
        !          1202:                        database as an argument to the --uu option.  This flag is
        !          1203:                        _o_f_f by default.
1.1       misho    1204: 
1.1.1.3   misho    1205:      tty_tickets       If set, users must authenticate on a per-tty basis.
1.1.1.6 ! misho    1206:                        With this flag enabled, ssuuddoo will use a separate record
        !          1207:                        in the time stamp file for each tty.  If disabled, a
        !          1208:                        single record is used for all login sessions.  This
        !          1209:                        flag is _o_n by default.
1.1       misho    1210: 
1.1.1.3   misho    1211:      umask_override    If set, ssuuddoo will set the umask as specified by _s_u_d_o_e_r_s
1.1       misho    1212:                        without modification.  This makes it possible to
                   1213:                        specify a more permissive umask in _s_u_d_o_e_r_s than the
                   1214:                        user's own umask and matches historical behavior.  If
                   1215:                        _u_m_a_s_k___o_v_e_r_r_i_d_e is not set, ssuuddoo will set the umask to
                   1216:                        be the union of the user's umask and what is specified
                   1217:                        in _s_u_d_o_e_r_s.  This flag is _o_f_f by default.
                   1218: 
1.1.1.3   misho    1219:      use_loginclass    If set, ssuuddoo will apply the defaults specified for the
1.1       misho    1220:                        target user's login class if one exists.  Only
                   1221:                        available if ssuuddoo is configured with the
                   1222:                        --with-logincap option.  This flag is _o_f_f by default.
                   1223: 
1.1.1.3   misho    1224:      use_pty           If set, ssuuddoo will run the command in a pseudo-pty even
1.1       misho    1225:                        if no I/O logging is being done.  A malicious program
                   1226:                        run under ssuuddoo could conceivably fork a background
                   1227:                        process that retains access to the user's terminal
                   1228:                        device after the main program has finished executing.
                   1229:                        Use of this option will make that impossible.  This
                   1230:                        flag is _o_f_f by default.
                   1231: 
1.1.1.3   misho    1232:      utmp_runas        If set, ssuuddoo will store the name of the runas user when
1.1       misho    1233:                        updating the utmp (or utmpx) file.  By default, ssuuddoo
                   1234:                        stores the name of the invoking user.  This flag is _o_f_f
                   1235:                        by default.
                   1236: 
1.1.1.3   misho    1237:      visiblepw         By default, ssuuddoo will refuse to run if the user must
1.1       misho    1238:                        enter a password but it is not possible to disable echo
                   1239:                        on the terminal.  If the _v_i_s_i_b_l_e_p_w flag is set, ssuuddoo
                   1240:                        will prompt for a password even when it would be
                   1241:                        visible on the screen.  This makes it possible to run
1.1.1.3   misho    1242:                        things like ``ssh somehost sudo ls'' since by default,
                   1243:                        ssh(1) does not allocate a tty when running a command.
                   1244:                        This flag is _o_f_f by default.
1.1       misho    1245: 
1.1.1.3   misho    1246:      IInntteeggeerrss:
1.1       misho    1247: 
1.1.1.3   misho    1248:      closefrom         Before it executes a command, ssuuddoo will close all open
1.1       misho    1249:                        file descriptors other than standard input, standard
                   1250:                        output and standard error (i.e., file descriptors 0-2).
                   1251:                        The _c_l_o_s_e_f_r_o_m option can be used to specify a different
                   1252:                        file descriptor at which to start closing.  The default
                   1253:                        is 3.
                   1254: 
1.1.1.3   misho    1255:      passwd_tries      The number of tries a user gets to enter his/her
1.1       misho    1256:                        password before ssuuddoo logs the failure and exits.  The
                   1257:                        default is 3.
                   1258: 
1.1.1.3   misho    1259:      IInntteeggeerrss tthhaatt ccaann bbee uusseedd iinn aa bboooolleeaann ccoonntteexxtt:
1.1       misho    1260: 
1.1.1.3   misho    1261:      loglinelen        Number of characters per line for the file log.  This
1.1       misho    1262:                        value is used to decide when to wrap lines for nicer
                   1263:                        log files.  This has no effect on the syslog log file,
                   1264:                        only the file log.  The default is 80 (use 0 or negate
                   1265:                        the option to disable word wrap).
                   1266: 
1.1.1.3   misho    1267:      passwd_timeout    Number of minutes before the ssuuddoo password prompt times
1.1       misho    1268:                        out, or 0 for no timeout.  The timeout may include a
                   1269:                        fractional component if minute granularity is
                   1270:                        insufficient, for example 2.5.  The default is 5.
                   1271: 
1.1.1.3   misho    1272:      timestamp_timeout
1.1       misho    1273:                        Number of minutes that can elapse before ssuuddoo will ask
                   1274:                        for a password again.  The timeout may include a
                   1275:                        fractional component if minute granularity is
                   1276:                        insufficient, for example 2.5.  The default is 5.  Set
                   1277:                        this to 0 to always prompt for a password.  If set to a
1.1.1.3   misho    1278:                        value less than 0 the user's time stamp will never
1.1       misho    1279:                        expire.  This can be used to allow users to create or
1.1.1.3   misho    1280:                        delete their own time stamps via ``sudo -v'' and ``sudo
                   1281:                        -k'' respectively.
1.1       misho    1282: 
1.1.1.3   misho    1283:      umask             Umask to use when running the command.  Negate this
1.1       misho    1284:                        option or set it to 0777 to preserve the user's umask.
                   1285:                        The actual umask that is used will be the union of the
                   1286:                        user's umask and the value of the _u_m_a_s_k option, which
                   1287:                        defaults to 0022.  This guarantees that ssuuddoo never
1.1.1.3   misho    1288:                        lowers the umask when running a command.  Note: on
1.1       misho    1289:                        systems that use PAM, the default PAM configuration may
                   1290:                        specify its own umask which will override the value set
                   1291:                        in _s_u_d_o_e_r_s.
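
The umask rule above (and the _u_m_a_s_k___o_v_e_r_r_i_d_e flag described earlier) in working form, as an added example that is not sudo's own code: effective_umask() combines the invoking user's umask with the ssuuddoo umask value, and created_mode() shows what permission bits a new file ends up with under each policy.  The PAM note above is not modelled here.

```python
# Added example (not sudo's code): how sudoers combines the invoking user's
# umask with the ``umask'' Defaults value, with and without umask_override.
from typing import Optional


def effective_umask(user_umask: int, sudoers_umask: Optional[int] = 0o022,
                    umask_override: bool = False) -> int:
    """Return the umask the command will run with.

    sudoers_umask=None models a negated option (Defaults !umask); both that
    and the value 0777 preserve the user's umask unchanged.
    """
    if sudoers_umask is None or sudoers_umask == 0o777:
        return user_umask
    if umask_override:
        # Take the sudoers value verbatim, even when it is more permissive
        # than the user's own umask (the historical behaviour).
        return sudoers_umask
    # Default: the union of both masks.  A bit cleared by either mask stays
    # cleared, so sudo never lowers the umask when running a command.
    return user_umask | sudoers_umask


def created_mode(requested: int, umask: int) -> int:
    """Permission bits a file created with `requested` actually receives."""
    return requested & ~umask


if __name__ == "__main__":
    # Constructed cases: (user umask, sudoers umask, umask_override)
    for user_mask, sudoers_mask, override in [
        (0o027, 0o022, False),   # user is stricter: union keeps 0027
        (0o002, 0o022, False),   # user is looser: union tightens to 0022
        (0o077, 0o022, True),    # override: sudoers value wins, 0022
        (0o027, None, False),    # negated option: user's 0027 preserved
    ]:
        eff = effective_umask(user_mask, sudoers_mask, override)
        print("user %04o sudoers %s override=%-5s -> umask %04o, new file %04o"
              % (user_mask, "none" if sudoers_mask is None else "%04o" % sudoers_mask,
                 override, eff, created_mode(0o666, eff)))
```

Reading the output: with the default policy a user whose shell umask is 027 keeps it, while a user with 002 is tightened to 022; only umask_override lets ssuuddoo hand out a more permissive mask than the user already had.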
                   1292: 
1.1.1.3   misho    1293:      SSttrriinnggss:
1.1       misho    1294: 
1.1.1.3   misho    1295:      badpass_message   Message that is displayed if a user enters an incorrect
1.1       misho    1296:                        password.  The default is ``Sorry, try again.''
                   1297:                        unless insults are enabled.
                   1298: 
1.1.1.3   misho    1299:      editor            A colon (`:') separated list of editors allowed to be
1.1       misho    1300:                        used with vviissuuddoo.  vviissuuddoo will choose the editor that
                   1301:                        matches the user's EDITOR environment variable if
                   1302:                        possible, or the first editor in the list that exists
1.1.1.3   misho    1303:                        and is executable.  The default is _v_i.
1.1       misho    1304: 
1.1.1.3   misho    1305:      iolog_dir         The top-level directory to use when constructing the
1.1       misho    1306:                        path name for the input/output log directory.  Only
                   1307:                        used if the _l_o_g___i_n_p_u_t or _l_o_g___o_u_t_p_u_t options are enabled
                   1308:                        or when the LOG_INPUT or LOG_OUTPUT tags are present
                   1309:                        for a command.  The session sequence number, if any, is
                   1310:                        stored in the directory.  The default is
1.1.1.3   misho    1311:                        _/_v_a_r_/_l_o_g_/_s_u_d_o_-_i_o.
1.1       misho    1312: 
                   1313:                        The following percent (`%') escape sequences are
                   1314:                        supported:
                   1315: 
                   1316:                        %{seq}
1.1.1.3   misho    1317:                              expanded to a monotonically increasing base-36
                   1318:                              sequence number, such as 0100A5, where every two
                   1319:                              digits are used to form a new directory, e.g.
                   1320:                              _0_1_/_0_0_/_A_5
1.1       misho    1321: 
                   1322:                        %{user}
1.1.1.3   misho    1323:                              expanded to the invoking user's login name
1.1       misho    1324: 
                   1325:                        %{group}
1.1.1.3   misho    1326:                              expanded to the name of the invoking user's real
                   1327:                              group ID
1.1       misho    1328: 
                   1329:                        %{runas_user}
1.1.1.3   misho    1330:                              expanded to the login name of the user the
                   1331:                              command will be run as (e.g. root)
1.1       misho    1332: 
                   1333:                        %{runas_group}
1.1.1.3   misho    1334:                              expanded to the group name of the user the
                   1335:                              command will be run as (e.g. wheel)
1.1       misho    1336: 
                   1337:                        %{hostname}
1.1.1.3   misho    1338:                              expanded to the local host name without the
                   1339:                              domain name
1.1       misho    1340: 
                   1341:                        %{command}
1.1.1.3   misho    1342:                              expanded to the base name of the command being
                   1343:                              run
1.1       misho    1344: 
                   1345:                        In addition, any escape sequences supported by the
1.1.1.3   misho    1346:                        system's strftime(3) function will be expanded.
1.1       misho    1347: 
                   1348:                        To include a literal `%' character, the string `%%'
                   1349:                        should be used.
                   1350: 
1.1.1.3   misho    1351:      iolog_file        The path name, relative to _i_o_l_o_g___d_i_r, in which to store
1.1       misho    1352:                        input/output logs when the _l_o_g___i_n_p_u_t or _l_o_g___o_u_t_p_u_t
                   1353:                        options are enabled or when the LOG_INPUT or LOG_OUTPUT
                   1354:                        tags are present for a command.  Note that _i_o_l_o_g___f_i_l_e
                   1355:                        may contain directory components.  The default is
1.1.1.3   misho    1356:                        ``%{seq}''.
1.1       misho    1357: 
                   1358:                        See the _i_o_l_o_g___d_i_r option above for a list of supported
                   1359:                        percent (`%') escape sequences.
                   1360: 
                   1361:                        In addition to the escape sequences, path names that
                   1362:                        end in six or more Xs will have the Xs replaced with a
                   1363:                        unique combination of digits and letters, similar to
1.1.1.3   misho    1364:                        the mktemp(3) function.
1.1       misho    1365: 
1.1.1.4   misho    1366:                        If the path created by concatenating _i_o_l_o_g___d_i_r and
                   1367:                        _i_o_l_o_g___f_i_l_e already exists, the existing I/O log file
                   1368:                        will be truncated and overwritten unless _i_o_l_o_g___f_i_l_e
                   1369:                        ends in six or more Xs.
                   1370: 
1.1.1.6 ! misho    1371:      lecture_status_dir
        !          1372:                        The directory in which ssuuddoo stores per-user lecture
        !          1373:                        status files.  Once a user has received the lecture, a
        !          1374:                        zero-length file is created in this directory so that
        !          1375:                        ssuuddoo will not lecture the user again.  This directory
        !          1376:                        should _n_o_t be cleared when the system reboots.  The
        !          1377:                        default is _/_v_a_r_/_a_d_m_/_s_u_d_o_/_l_e_c_t_u_r_e_d.
        !          1378: 
1.1.1.3   misho    1379:      limitprivs        The default Solaris limit privileges to use when
                   1380:                        constructing a new privilege set for a command.  This
                   1381:                        bounds all privileges of the executing process.  The
                   1382:                        default limit privileges may be overridden on a per-
                   1383:                        command basis in _s_u_d_o_e_r_s.  This option is only
                   1384:                        available if ssuuddooeerrss is built on Solaris 10 or higher.
                   1385: 
                   1386:      mailsub           Subject of the mail sent to the _m_a_i_l_t_o user.  The
                   1387:                        escape %h will expand to the host name of the machine.
                   1388:                        Default is ``*** SECURITY information for %h ***''.
1.1       misho    1389: 
1.1.1.4   misho    1390:      maxseq            The maximum sequence number that will be substituted
                   1391:                        for the ``%{seq}'' escape in the I/O log file (see the
                   1392:                        _i_o_l_o_g___d_i_r description above for more information).
                   1393:                        While the value substituted for ``%{seq}'' is in base
                   1394:                        36, _m_a_x_s_e_q itself should be expressed in decimal.
                   1395:                        Values larger than 2176782336 (which corresponds to the
                   1396:                        base 36 sequence number ``ZZZZZZ'') will be silently
                   1397:                        truncated to 2176782336.  The default value is
                   1398:                        2176782336.
                   1399: 
                   1400:                        Once the local sequence number reaches the value of
                   1401:                        _m_a_x_s_e_q, it will ``roll over'' to zero, after which
                   1402:                        ssuuddooeerrss will truncate and re-use any existing I/O log
1.1.1.6 ! misho    1403:                        path names.
1.1.1.4   misho    1404: 
                   1405:                        This setting is only supported by version 1.8.7 or
                   1406:                        higher.
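
The ``%{seq}'' mechanics from the _i_o_l_o_g___d_i_r description and the _m_a_x_s_e_q ceiling and roll-over described above, carried through in code.  This is an added example, not sudoers' own implementation; the counter value, the directory name and the helper names are the example's own.

```python
# Added example, not sudoers' own implementation: how the I/O log session
# counter becomes the ``%{seq}'' value and the two-digit directory path shown
# under iolog_dir, and how ``maxseq'' bounds and rolls it over.

BASE36 = "0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ"
MAXSEQ_DEFAULT = 2176782336     # documented default (and ceiling) for maxseq
SEQ_DIGITS = 6                  # %{seq} is rendered as six base-36 digits


def seq_to_base36(n: int) -> str:
    """Render n as a zero-padded, upper-case, six-digit base-36 string."""
    if n < 0:
        raise ValueError("sequence number must be non-negative")
    digits = []
    while n:
        n, rem = divmod(n, 36)
        digits.append(BASE36[rem])
    return "".join(reversed(digits)).rjust(SEQ_DIGITS, "0")


def seq_to_path(n: int) -> str:
    """Every two base-36 digits form one directory level: 0100A5 -> 01/00/A5."""
    s = seq_to_base36(n)
    return "/".join(s[i:i + 2] for i in range(0, len(s), 2))


def iolog_path(n: int, iolog_dir: str = "/var/log/sudo-io") -> str:
    """Full path for the documented defaults: iolog_dir plus ``%{seq}''."""
    return "%s/%s" % (iolog_dir.rstrip("/"), seq_to_path(n))


def clamp_maxseq(configured: int) -> int:
    """A maxseq above the ceiling is silently truncated to the ceiling."""
    return min(configured, MAXSEQ_DEFAULT)


def next_seq(current: int, maxseq: int = MAXSEQ_DEFAULT) -> int:
    """Advance the counter.  On reaching maxseq it rolls over to zero, after
    which sudoers truncates and re-uses the existing I/O log paths."""
    following = current + 1
    return 0 if following >= clamp_maxseq(maxseq) else following


if __name__ == "__main__":
    # Constructed counter value: 0100A5 in base 36 is 1679981 in decimal.
    n = int("0100A5", 36)
    print(seq_to_base36(n), "->", iolog_path(n))
    print("last value before roll-over:", seq_to_base36(MAXSEQ_DEFAULT - 1),
          "next:", next_seq(MAXSEQ_DEFAULT - 1))
```

A small maxseq (say a few hundred) makes the roll-over easy to observe and is also where the truncate-and-reuse behaviour bites: retention of I/O logs then depends on copying them elsewhere before the counter wraps.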
                   1407: 
                   1408:      noexec_file       As of ssuuddoo version 1.8.1 this option is no longer
                   1409:                        supported.  The path to the noexec file should now be
                   1410:                        set in the sudo.conf(4) file.
1.1       misho    1411: 
1.1.1.5   misho    1412:      pam_login_service
                   1413:                        On systems that use PAM for authentication, this is the
                   1414:                        service name used when the --ii option is specified.  The
                   1415:                        default value is ``sudo''.  See the description of
                   1416:                        _p_a_m___s_e_r_v_i_c_e for more information.
                   1417: 
                   1418:                        This setting is only supported by version 1.8.8 or
                   1419:                        higher.
                   1420: 
                   1421:      pam_service       On systems that use PAM for authentication, the service
                   1422:                        name specifies the PAM policy to apply.  This usually
                   1423:                        corresponds to an entry in the _p_a_m_._c_o_n_f file or a file
                   1424:                        in the _/_e_t_c_/_p_a_m_._d directory.  The default value is
                   1425:                        ``sudo''.
                   1426: 
                   1427:                        This setting is only supported by version 1.8.8 or
                   1428:                        higher.
                   1429: 
1.1.1.3   misho    1430:      passprompt        The default prompt to use when asking for a password;
1.1       misho    1431:                        can be overridden via the --pp option or the SUDO_PROMPT
                   1432:                        environment variable.  The following percent (`%')
                   1433:                        escape sequences are supported:
                   1434: 
1.1.1.3   misho    1435:                        %H    expanded to the local host name including the
                   1436:                              domain name (only if the machine's host name is
                   1437:                              fully qualified or the _f_q_d_n option is set)
                   1438: 
                   1439:                        %h    expanded to the local host name without the
                   1440:                              domain name
                   1441: 
                   1442:                        %p    expanded to the user whose password is being
                   1443:                              asked for (respects the _r_o_o_t_p_w, _t_a_r_g_e_t_p_w and
                   1444:                              _r_u_n_a_s_p_w flags in _s_u_d_o_e_r_s)
                   1445: 
                   1446:                        %U    expanded to the login name of the user the
                   1447:                              command will be run as (defaults to root)
                   1448: 
                   1449:                        %u    expanded to the invoking user's login name
                   1450: 
                   1451:                        %%    two consecutive % characters are collapsed into a
                   1452:                              single % character
                   1453: 
                   1454:                        The default value is ``Password:''.
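
The two escape syntaxes this manual describes, expanded by one piece of added example code (not sudo's own): the ``%{name}'' escapes plus strftime(3) conversions used by _i_o_l_o_g___d_i_r and _i_o_l_o_g___f_i_l_e, and the single-letter ``%X'' escapes used by _p_a_s_s_p_r_o_m_p_t, including the _r_o_o_t_p_w, _t_a_r_g_e_t_p_w and _r_u_n_a_s_p_w effect on %p.  The SESSION values are constructed for the example; sudo derives them from the real invocation.

```python
# Added example, not sudo's code: one small expander for the two escape
# syntaxes described in this manual.  iolog_dir/iolog_file use ``%{name}''
# plus strftime(3) conversions; passprompt uses single-letter ``%X'' escapes.
import re
import time
from typing import Dict, Optional

# Constructed session context.  Keys mirror the manual's escape names.
SESSION: Dict[str, str] = {
    "user": "alice",              # invoking user (%u, %{user})
    "group": "staff",             # invoking user's real group (%{group})
    "runas_user": "root",         # target of -u (%U, %{runas_user})
    "runas_group": "wheel",       # %{runas_group}
    "hostname": "db01",           # short host name (%h, %{hostname})
    "fqdn": "db01.example.test",  # used by %H when the name is qualified
    "command": "ls",              # %{command}
    "seq": "0100A5",              # six-digit base-36 session counter (%{seq})
}

_IOLOG_ESCAPE = re.compile(r"%(%|\{([a-z_]+)\})")


def expand_iolog_path(template: str, ctx: Dict[str, str],
                      now: Optional[float] = None) -> str:
    """Expand %{...} escapes, then hand anything left over to strftime(3).

    ``%%'' survives as a literal percent.  A value containing ``%'' is
    escaped so it cannot be re-interpreted as a strftime conversion.
    """
    def repl(m):
        if m.group(1) == "%":
            return "%%"
        key = m.group(2)
        if key not in ctx:
            raise KeyError("unknown iolog escape %%{%s}" % key)
        return ctx[key].replace("%", "%%")

    expanded = _IOLOG_ESCAPE.sub(repl, template)
    # Epoch 0 (UTC) when no time is given, so the example is deterministic.
    return time.strftime(expanded, time.gmtime(0.0 if now is None else now))


def auth_user(ctx: Dict[str, str], rootpw: bool = False,
              targetpw: bool = False, runaspw: bool = False) -> str:
    """Whose password ``%p'' names: root's for rootpw, the -u user's for
    targetpw, the runas_default user's for runaspw, else the invoking user's."""
    if rootpw:
        return "root"
    if targetpw:
        return ctx["runas_user"]
    if runaspw:
        return ctx.get("runas_default", "root")
    return ctx["user"]


def expand_passprompt(template: str, ctx: Dict[str, str], **pw_flags) -> str:
    """Expand the passprompt escapes; an unknown %X sequence is left as-is."""
    escapes = {
        "H": ctx.get("fqdn") or ctx["hostname"],
        "h": ctx["hostname"],
        "p": auth_user(ctx, **pw_flags),
        "U": ctx["runas_user"],
        "u": ctx["user"],
        "%": "%",
    }
    out, i = [], 0
    while i < len(template):
        nxt = template[i + 1] if i + 1 < len(template) else ""
        if template[i] == "%" and nxt in escapes:
            out.append(escapes[nxt])
            i += 2
        else:
            out.append(template[i])
            i += 1
    return "".join(out)


if __name__ == "__main__":
    print(expand_iolog_path("/var/log/sudo-io/%{user}/%Y%m%d/%{seq}", SESSION))
    print(expand_passprompt("[sudo] password for %p@%h: ", SESSION, targetpw=True))
```

Note the ordering in expand_iolog_path(): the ``%{name}'' values are substituted first and then the whole string goes through strftime(3), which is why the example escapes any ``%'' inside a substituted value rather than letting a login name steer the time formatting.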
                   1455: 
                   1456:      privs             The default Solaris privileges to use when constructing
                   1457:                        a new privilege set for a command.  This is passed to
                   1458:                        the executing process via the inherited privilege set,
                   1459:                        but is bounded by the limit privileges.  If the _p_r_i_v_s
                   1460:                        option is specified but the _l_i_m_i_t_p_r_i_v_s option is not,
                   1461:                        the limit privileges of the executing process are set to
                   1462:                        _p_r_i_v_s.  The default privileges may be overridden on a
                   1463:                        per-command basis in _s_u_d_o_e_r_s.  This option is only
                   1464:                        available if ssuuddooeerrss is built on Solaris 10 or higher.
1.1       misho    1465: 
1.1.1.3   misho    1466:      role              The default SELinux role to use when constructing a new
1.1       misho    1467:                        security context to run the command.  The default role
                   1468:                        may be overridden on a per-command basis in _s_u_d_o_e_r_s or
                   1469:                        via command line options.  This option is only
1.1.1.3   misho    1470:                        available when ssuuddoo is built with SELinux support.
1.1       misho    1471: 
1.1.1.3   misho    1472:      runas_default     The default user to run commands as if the --uu option is
1.1       misho    1473:                        not specified on the command line.  This defaults to
                   1474:                        root.
                   1475: 
1.1.1.3   misho    1476:      syslog_badpri     Syslog priority to use when a user authenticates
1.1       misho    1477:                        unsuccessfully.  Defaults to alert.
                   1478: 
                   1479:                        The following syslog priorities are supported: aalleerrtt,
                   1480:                        ccrriitt, ddeebbuugg, eemmeerrgg, eerrrr, iinnffoo, nnoottiiccee, and wwaarrnniinngg.
                   1481: 
1.1.1.3   misho    1482:      syslog_goodpri    Syslog priority to use when a user authenticates
1.1       misho    1483:                        successfully.  Defaults to notice.
                   1484: 
1.1.1.3   misho    1485:                        See _s_y_s_l_o_g___b_a_d_p_r_i for the list of supported syslog
1.1       misho    1486:                        priorities.
                   1487: 
1.1.1.3   misho    1488:      sudoers_locale    Locale to use when parsing the sudoers file, logging
1.1       misho    1489:                        commands, and sending email.  Note that changing the
                   1490:                        locale may affect how sudoers is interpreted.  Defaults
1.1.1.3   misho    1491:                        to ``C''.
1.1       misho    1492: 
1.1.1.3   misho    1493:      timestampdir      The directory in which ssuuddoo stores its time stamp
1.1.1.6 ! misho    1494:                        files.  This directory should be cleared when the
        !          1495:                        system reboots.  The default is _/_v_a_r_/_r_u_n_/_s_u_d_o_/_t_s.
1.1       misho    1496: 
1.1.1.6 ! misho    1497:      timestampowner    The owner of the lecture status directory, time stamp
        !          1498:                        directory and all files stored therein.  The default is
        !          1499:                        root.
1.1       misho    1500: 
1.1.1.3   misho    1501:      type              The default SELinux type to use when constructing a new
1.1       misho    1502:                        security context to run the command.  The default type
                   1503:                        may be overridden on a per-command basis in _s_u_d_o_e_r_s or
                   1504:                        via command line options.  This option is only
1.1.1.3   misho    1505:                        available when ssuuddoo is built with SELinux support.
1.1       misho    1506: 
1.1.1.3   misho    1507:      SSttrriinnggss tthhaatt ccaann bbee uusseedd iinn aa bboooolleeaann ccoonntteexxtt:
1.1       misho    1508: 
1.1.1.3   misho    1509:      env_file      The _e_n_v___f_i_l_e option specifies the fully qualified path to a
1.1.1.2   misho    1510:                    file containing variables to be set in the environment of
1.1       misho    1511:                    the program being run.  Entries in this file should either
1.1.1.3   misho    1512:                    be of the form ``VARIABLE=value'' or ``export
                   1513:                    VARIABLE=value''.  The value may optionally be surrounded
                   1514:                    by single or double quotes.  Variables in this file are
                   1515:                    subject to other ssuuddoo environment settings such as _e_n_v___k_e_e_p
                   1516:                    and _e_n_v___c_h_e_c_k.
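
A reader for the _e_n_v___f_i_l_e format just described, followed by the _e_n_v___c_h_e_c_k rule from the Lists section (drop listed variables whose value contains ``%'' or ``/'').  This is an added example, not sudoers' own parser: skipping blank and ``#'' lines is the example's choice, and the sample file content is constructed.

```python
# Added example, not sudoers' own parser: reads a file in the env_file format
# (``VARIABLE=value'' or ``export VARIABLE=value'', value optionally in single
# or double quotes) and then applies the env_check rule, dropping listed
# variables whose value contains ``%'' or ``/''.
import re
from typing import Dict, Iterable

_ENV_LINE = re.compile(r"^(?:export\s+)?([A-Za-z_][A-Za-z0-9_]*)\s*=\s*(.*)$")

# Constructed sample env_file.
SAMPLE_ENV_FILE = """\
# constructed sample env_file (comment lines are skipped by this example)
EDITOR=/usr/bin/vi
export LANG="en_US.UTF-8"
PS1='\\u@\\h:\\w\\$ '
TERM=xterm-256color
"""


def parse_env_file(text: str) -> Dict[str, str]:
    """Parse env_file content into a name -> value mapping."""
    env: Dict[str, str] = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = _ENV_LINE.match(line)
        if not m:
            raise ValueError("line %d: expected VARIABLE=value, got %r"
                             % (lineno, raw))
        name, value = m.group(1), m.group(2)
        # Strip one matching pair of surrounding single or double quotes.
        if len(value) >= 2 and value[0] == value[-1] and value[0] in "'\"":
            value = value[1:-1]
        env[name] = value
    return env


def apply_env_check(env: Dict[str, str],
                    env_check: Iterable[str]) -> Dict[str, str]:
    """Remove env_check variables whose value contains '%' or '/', the
    printf-style format and path characters the manual calls out."""
    watched = set(env_check)
    return {name: value for name, value in env.items()
            if not (name in watched and ("%" in value or "/" in value))}


if __name__ == "__main__":
    parsed = parse_env_file(SAMPLE_ENV_FILE)
    print("parsed:", parsed)
    # EDITOR is listed and contains '/', so env_check drops it.
    print("after env_check:", apply_env_check(parsed, ["EDITOR", "PS1", "LANG"]))
```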
1.1       misho    1517: 
1.1.1.3   misho    1518:      exempt_group  Users in this group are exempt from password and PATH
1.1       misho    1519:                    requirements.  The group name specified should not include
                   1520:                    a % prefix.  This is not set by default.
                   1521: 
1.1.1.3   misho    1522:      group_plugin  A string containing a _s_u_d_o_e_r_s group plugin with optional
1.1.1.4   misho    1523:                    arguments.  The string should consist of the plugin path,
                   1524:                    either fully-qualified or relative to the
                   1525:                    _/_u_s_r_/_l_o_c_a_l_/_l_i_b_e_x_e_c_/_s_u_d_o directory, followed by any
                   1526:                    configuration arguments the plugin requires.  These
1.1       misho    1527:                    arguments (if any) will be passed to the plugin's
                   1528:                    initialization function.  If arguments are present, the
1.1.1.3   misho    1529:                    string must be enclosed in double quotes ("").
1.1       misho    1530: 
1.1.1.4   misho    1531:                    For more information see GROUP PROVIDER PLUGINS.
1.1       misho    1532: 
1.1.1.3   misho    1533:      lecture       This option controls when a short lecture will be printed
1.1       misho    1534:                    along with the password prompt.  It has the following
                   1535:                    possible values:
                   1536: 
                   1537:                    always  Always lecture the user.
                   1538: 
                   1539:                    never   Never lecture the user.
                   1540: 
                   1541:                    once    Only lecture the user the first time they run ssuuddoo.
                   1542: 
                   1543:                    If no value is specified, a value of _o_n_c_e is implied.
                   1544:                    Negating the option results in a value of _n_e_v_e_r being used.
                   1545:                    The default value is _o_n_c_e.
                   1546: 
1.1.1.3   misho    1547:      lecture_file  Path to a file containing an alternate ssuuddoo lecture that
1.1       misho    1548:                    will be used in place of the standard lecture if the named
                   1549:                    file exists.  By default, ssuuddoo uses a built-in lecture.
                   1550: 
1.1.1.3   misho    1551:      listpw        This option controls when a password will be required when
1.1       misho    1552:                    a user runs ssuuddoo with the --ll option.  It has the following
                   1553:                    possible values:
                   1554: 
1.1.1.3   misho    1555:                    all       All the user's _s_u_d_o_e_r_s entries for the current
                   1556:                              host must have the NOPASSWD flag set to avoid
                   1557:                              entering a password.
                   1558: 
                   1559:                    always    The user must always enter a password to use the
                   1560:                              --ll option.
                   1561: 
                   1562:                    any       At least one of the user's _s_u_d_o_e_r_s entries for
                   1563:                              the current host must have the NOPASSWD flag set
                   1564:                              to avoid entering a password.
1.1       misho    1565: 
1.1.1.3   misho    1566:                    never     The user need never enter a password to use the
                   1567:                              --ll option.
1.1       misho    1568: 
                   1569:                    If no value is specified, a value of _a_n_y is implied.
                   1570:                    Negating the option results in a value of _n_e_v_e_r being used.
                   1571:                    The default value is _a_n_y.
                   1572: 
1.1.1.3   misho    1573:      logfile       Path to the ssuuddoo log file (not the syslog log file).
1.1       misho    1574:                    Setting a path turns on logging to a file; negating this
                   1575:                    option turns it off.  By default, ssuuddoo logs via syslog.
                   1576: 
1.1.1.3   misho    1577:      mailerflags   Flags to use when invoking the mailer.  Defaults to --tt.
1.1       misho    1578: 
1.1.1.3   misho    1579:      mailerpath    Path to mail program used to send warning mail.  Defaults
1.1       misho    1580:                    to the path to sendmail found at configure time.
                   1581: 
1.1.1.3   misho    1582:      mailfrom      Address to use for the ``from'' address when sending
                   1583:                    warning and error mail.  The address should be enclosed in
                   1584:                    double quotes ("") to protect against ssuuddoo interpreting the
                   1585:                    @ sign.  Defaults to the name of the user running ssuuddoo.
1.1       misho    1586: 
1.1.1.3   misho    1587:      mailto        Address to send warning and error mail to.  The address
                   1588:                    should be enclosed in double quotes ("") to protect against
1.1       misho    1589:                    ssuuddoo interpreting the @ sign.  Defaults to root.
                   1590: 
1.1.1.3   misho    1591:      secure_path   Path used for every command run from ssuuddoo.  If you don't
1.1       misho    1592:                    trust the people running ssuuddoo to have a sane PATH
                   1593:                    environment variable, you may want to use this.  Another
1.1.1.3   misho    1594:                    use is if you want to have the ``root path'' be separate
                   1595:                    from the ``user path''.  Users in the group specified by the
1.1       misho    1596:                    _e_x_e_m_p_t___g_r_o_u_p option are not affected by _s_e_c_u_r_e___p_a_t_h.  This
                   1597:                    option is not set by default.
                   1598: 
1.1.1.3   misho    1599:      syslog        Syslog facility if syslog is being used for logging (negate
1.1       misho    1600:                    to disable syslog logging).  Defaults to auth.
                   1601: 
                   1602:                    The following syslog facilities are supported: aauutthhpprriivv (if
                   1603:                    your OS supports it), aauutthh, ddaaeemmoonn, uusseerr, llooccaall00, llooccaall11,
                   1604:                    llooccaall22, llooccaall33, llooccaall44, llooccaall55, llooccaall66, and llooccaall77.
                   1605: 
1.1.1.3   misho    1606:      verifypw      This option controls when a password will be required when
1.1       misho    1607:                    a user runs ssuuddoo with the --vv option.  It has the following
                   1608:                    possible values:
                   1609: 
                   1610:                    all     All the user's _s_u_d_o_e_r_s entries for the current host
                   1611:                            must have the NOPASSWD flag set to avoid entering a
                   1612:                            password.
                   1613: 
                   1614:                    always  The user must always enter a password to use the --vv
                   1615:                            option.
                   1616: 
                   1617:                    any     At least one of the user's _s_u_d_o_e_r_s entries for the
                   1618:                            current host must have the NOPASSWD flag set to
                   1619:                            avoid entering a password.
                   1620: 
                   1621:                    never   The user need never enter a password to use the --vv
                   1622:                            option.
                   1623: 
                   1624:                    If no value is specified, a value of _a_l_l is implied.
                   1625:                    Negating the option results in a value of _n_e_v_e_r being used.
                   1626:                    The default value is _a_l_l.
                   1627: 
1.1.1.3   misho    1628:      LLiissttss tthhaatt ccaann bbee uusseedd iinn aa bboooolleeaann ccoonntteexxtt:
1.1       misho    1629: 
1.1.1.3   misho    1630:      env_check         Environment variables to be removed from the user's
                   1631:                        environment if the variable's value contains `%' or `/'
1.1       misho    1632:                        characters.  This can be used to guard against printf-
                   1633:                        style format vulnerabilities in poorly-written
                   1634:                        programs.  The argument may be a double-quoted, space-
                   1635:                        separated list or a single value without double-quotes.
                   1636:                        The list can be replaced, added to, deleted from, or
                   1637:                        disabled by using the =, +=, -=, and ! operators
                   1638:                        respectively.  Regardless of whether the env_reset
                   1639:                        option is enabled or disabled, variables specified by
                   1640:                        env_check will be preserved in the environment if they
                   1641:                        pass the aforementioned check.  The default list of
                   1642:                        environment variables to check is displayed when ssuuddoo
1.1.1.3   misho    1643:                        is run by root with the --VV option.
1.1       misho    1644: 
1.1.1.3   misho    1645:      env_delete        Environment variables to be removed from the user's
1.1       misho    1646:                        environment when the _e_n_v___r_e_s_e_t option is not in effect.
                   1647:                        The argument may be a double-quoted, space-separated
                   1648:                        list or a single value without double-quotes.  The list
                   1649:                        can be replaced, added to, deleted from, or disabled by
                   1650:                        using the =, +=, -=, and ! operators respectively.  The
                   1651:                        default list of environment variables to remove is
1.1.1.3   misho    1652:                        displayed when ssuuddoo is run by root with the --VV option.
1.1       misho    1653:                        Note that many operating systems will remove
                   1654:                        potentially dangerous variables from the environment of
                   1655:                        any setuid process (such as ssuuddoo).
                   1656: 
1.1.1.3   misho    1657:      env_keep          Environment variables to be preserved in the user's
1.1       misho    1658:                        environment when the _e_n_v___r_e_s_e_t option is in effect.
                   1659:                        This allows fine-grained control over the environment
                   1660:                        ssuuddoo-spawned processes will receive.  The argument may
                   1661:                        be a double-quoted, space-separated list or a single
                   1662:                        value without double-quotes.  The list can be replaced,
                   1663:                        added to, deleted from, or disabled by using the =, +=,
                   1664:                        -=, and ! operators respectively.  The default list of
                   1665:                        variables to keep is displayed when ssuuddoo is run by root
1.1.1.3   misho    1666:                        with the --VV option.
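
     The interplay of env_reset, env_keep, env_check and env_delete described
     above, as an added Python model (not sudo's own code).  The three lists
     and the caller environment are constructed for the example; the real
     defaults are whatever "sudo -V" prints on a given system.

```python
# Constructed lists standing in for the compiled-in defaults.
ENV_KEEP = {"DISPLAY", "HOME", "LANG", "PATH"}
ENV_CHECK = {"COLORTERM", "LS_COLORS", "TERMCAP"}
ENV_DELETE = {"IFS", "LD_PRELOAD", "LD_LIBRARY_PATH"}


def passes_env_check(value):
    """env_check rule: a value containing '%' or '/' is rejected."""
    return "%" not in value and "/" not in value


def filter_environment(env, env_reset, env_keep=ENV_KEEP,
                       env_check=ENV_CHECK, env_delete=ENV_DELETE):
    """Return the environment the command would receive.

    env_reset on:  only env_keep variables survive, plus env_check
                   variables whose values pass the check.
    env_reset off: everything survives except env_delete variables and
                   env_check variables whose values fail the check.
    """
    kept = {}
    for name, value in env.items():
        if name in env_check:
            # Checked whether or not env_reset is on; kept only if clean.
            if passes_env_check(value):
                kept[name] = value
        elif env_reset:
            if name in env_keep:
                kept[name] = value
        elif name not in env_delete:
            kept[name] = value
    return kept


def dropped(env, env_reset):
    """Names the policy strips, sorted, so an admin can review the effect."""
    return sorted(set(env) - set(filter_environment(env, env_reset)))


# Constructed caller environment: TERMCAP carries a '/', so env_check
# rejects it; LD_PRELOAD is on the delete list; EDITOR is on no list.
SAMPLE_ENV = {
    "HOME": "/home/alice",
    "PATH": "/usr/bin:/bin",
    "LANG": "C",
    "LS_COLORS": "di=01;34",
    "TERMCAP": "/etc/termcap",
    "LD_PRELOAD": "/tmp/x.so",
    "EDITOR": "vi",
}

if __name__ == "__main__":
    for reset in (True, False):
        print("env_reset", reset, "drops", dropped(SAMPLE_ENV, reset))
```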

GROUP PROVIDER PLUGINS
     The sudoers plugin supports its own plugin interface to allow non-Unix
     group lookups which can query a group source other than the standard Unix
     group database.  This can be used to implement support for the
     nonunix_group syntax described earlier.

     Group provider plugins are specified via the group_plugin Defaults
     setting.  The argument to group_plugin should consist of the plugin path,
     either fully-qualified or relative to the /usr/local/libexec/sudo
     directory, followed by any configuration options the plugin requires.
     These options (if specified) will be passed to the plugin's
     initialization function.  If options are present, the string must be
     enclosed in double quotes ("").

     The following group provider plugins are installed by default:

     group_file
               The group_file plugin supports an alternate group file that
               uses the same syntax as the /etc/group file.  The path to the
               group file should be specified as an option to the plugin.  For
               example, if the group file to be used is /etc/sudo-group:

               Defaults group_plugin="group_file.so /etc/sudo-group"

     system_group
               The system_group plugin supports group lookups via the standard
               C library functions getgrnam() and getgrgid().  This plugin can
               be used in instances where the user belongs to groups not
               present in the user's supplemental group vector.  This plugin
               takes no options:

               Defaults group_plugin=system_group.so

     The group provider plugin API is described in detail in sudo_plugin(1m).

LOG FORMAT
     sudoers can log events using either syslog(3) or a simple log file.  In
     each case the log format is almost identical.

   Accepted command log entries
     Commands that sudo runs are logged using the following format (split into
     multiple lines for readability):

         date hostname progname: username : TTY=ttyname ; PWD=cwd ; \
             USER=runasuser ; GROUP=runasgroup ; TSID=logid ; \
             ENV=env_vars COMMAND=command

     Where the fields are as follows:

     date          The date the command was run.  Typically, this is in the
                   format ``MMM, DD, HH:MM:SS''.  If logging via syslog(3),
                   the actual date format is controlled by the syslog daemon.
                   If logging to a file and the log_year option is enabled,
                   the date will also include the year.

     hostname      The name of the host sudo was run on.  This field is only
                   present when logging via syslog(3).

     progname      The name of the program, usually sudo or sudoedit.  This
                   field is only present when logging via syslog(3).

     username      The login name of the user who ran sudo.

     ttyname       The short name of the terminal (e.g. ``console'',
                   ``tty01'', or ``pts/0'') sudo was run on, or ``unknown'' if
                   there was no terminal present.

     cwd           The current working directory that sudo was run in.

     runasuser     The user the command was run as.

     runasgroup    The group the command was run as, if one was specified on
                   the command line.

     logid         An I/O log identifier that can be used to replay the
                   command's output.  This is only present when the log_input
                   or log_output option is enabled.

     env_vars      A list of environment variables specified on the command
                   line, if any.

     command       The actual command that was executed.

     Messages are logged using the locale specified by sudoers_locale, which
     defaults to the ``C'' locale.

   Denied command log entries
     If the user is not allowed to run the command, the reason for the denial
     will follow the user name.  Possible reasons include:

     user NOT in sudoers
        The user is not listed in the sudoers file.

     user NOT authorized on host
        The user is listed in the sudoers file but is not allowed to run
        commands on the host.

     command not allowed
        The user is listed in the sudoers file for the host but they are not
        allowed to run the specified command.

     3 incorrect password attempts
        The user failed to enter their password after 3 tries.  The actual
        number of tries will vary based on the number of failed attempts and
        the value of the passwd_tries option.

     a password is required
        sudo's -n option was specified but a password was required.

     sorry, you are not allowed to set the following environment variables
        The user specified environment variables on the command line that were
        not allowed by sudoers.

   Error log entries
     If an error occurs, sudoers will log a message and, in most cases, send a
     message to the administrator via email.  Possible errors include:

     parse error in /etc/sudoers near line N
        sudoers encountered an error when parsing the specified file.  In some
        cases, the actual error may be one line above or below the line number
        listed, depending on the type of error.

     problem with defaults entries
        The sudoers file contains one or more unknown Defaults settings.  This
        does not prevent sudo from running, but the sudoers file should be
        checked using visudo.

     timestamp owner (username): No such user
        The time stamp directory owner, as specified by the timestampowner
        setting, could not be found in the password database.

     unable to open/read /etc/sudoers
        The sudoers file could not be opened for reading.  This can happen
        when the sudoers file is located on a remote file system that maps
        user ID 0 to a different value.  Normally, sudoers tries to open
        sudoers using group permissions to avoid this problem.  Consider
        either changing the ownership of /etc/sudoers or adding an argument
        like ``sudoers_uid=N'' (where `N' is the user ID that owns the sudoers
        file) to the end of the sudoers Plugin line in the sudo.conf(4) file.

     unable to stat /etc/sudoers
        The /etc/sudoers file is missing.

     /etc/sudoers is not a regular file
        The /etc/sudoers file exists but is not a regular file or symbolic
        link.

     /etc/sudoers is owned by uid N, should be 0
        The sudoers file has the wrong owner.  If you wish to change the
        sudoers file owner, please add ``sudoers_uid=N'' (where `N' is the
        user ID that owns the sudoers file) to the sudoers Plugin line in the
        sudo.conf(4) file.

     /etc/sudoers is world writable
        The permissions on the sudoers file allow all users to write to it.
        The sudoers file must not be world-writable; the default file mode is
        0440 (readable by owner and group, writable by none).  The default
        mode may be changed via the ``sudoers_mode'' option to the sudoers
        Plugin line in the sudo.conf(4) file.

     /etc/sudoers is owned by gid N, should be 1
        The sudoers file has the wrong group ownership.  If you wish to change
        the sudoers file group ownership, please add ``sudoers_gid=N'' (where
        `N' is the group ID that owns the sudoers file) to the sudoers Plugin
        line in the sudo.conf(4) file.

     unable to open /var/run/sudo/ts/username
        sudoers was unable to read or create the user's time stamp file.  This
        can happen when timestampowner is set to a user other than root and
        the mode on /var/run/sudo is not searchable by group or other.  The
        default mode for /var/run/sudo is 0711.

     unable to write to /var/run/sudo/ts/username
        sudoers was unable to write to the user's time stamp file.

     /var/run/sudo/ts is owned by uid X, should be Y
        The time stamp directory is owned by a user other than timestampowner.
        This can occur when the value of timestampowner has been changed.
        sudoers will ignore the time stamp directory until the owner is
        corrected.

     /var/run/sudo/ts is group writable
        The time stamp directory is group-writable; it should be writable only
        by timestampowner.  The default mode for the time stamp directory is
        0700.  sudoers will ignore the time stamp directory until the mode is
        corrected.
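
     The ownership and mode conditions behind the sudoers file and time stamp
     directory errors above, as an added Python check (not part of sudo) that
     reports the same messages for a given path.  The expected uid and gid
     default to the 0 and 1 named above but are parameters, and a throwaway
     tree with a weak and a corrected copy of each object is built so the
     check can be run offline.

```python
import os
import stat
import tempfile


def audit_sudoers_file(path, expected_uid=0, expected_gid=1):
    """Problems with a sudoers file, worded like the error log entries."""
    try:
        st = os.stat(path)  # follows a symbolic link, which is permitted
    except FileNotFoundError:
        return [f"unable to stat {path}"]
    if not stat.S_ISREG(st.st_mode):
        return [f"{path} is not a regular file"]
    problems = []
    if st.st_uid != expected_uid:
        problems.append(f"{path} is owned by uid {st.st_uid}, "
                        f"should be {expected_uid}")
    if st.st_gid != expected_gid:
        problems.append(f"{path} is owned by gid {st.st_gid}, "
                        f"should be {expected_gid}")
    if st.st_mode & stat.S_IWOTH:
        problems.append(f"{path} is world writable")
    return problems


def audit_timestamp_dir(path, owner_uid):
    """Problems with the time stamp directory (default mode 0700), where
    owner_uid is the uid of the configured timestampowner."""
    try:
        st = os.stat(path)
    except FileNotFoundError:
        return [f"unable to stat {path}"]
    problems = []
    if st.st_uid != owner_uid:
        problems.append(f"{path} is owned by uid {st.st_uid}, "
                        f"should be {owner_uid}")
    if st.st_mode & stat.S_IWGRP:
        problems.append(f"{path} is group writable")
    return problems


def current_ids():
    """uid/gid of the caller, the owner of anything make_demo_tree creates."""
    return os.getuid(), os.getgid()


def make_demo_tree():
    """Constructed tree: a 0666 and a 0440 sudoers copy, a 0770 and a 0700
    time stamp directory, plus one missing path.  Returns name -> path."""
    base = tempfile.mkdtemp(prefix="sudoers-audit-")
    paths = {}
    for name, mode in (("sudoers.weak", 0o666), ("sudoers.ok", 0o440)):
        p = os.path.join(base, name)
        with open(p, "w") as f:
            f.write("root ALL = (ALL) ALL\n")
        os.chmod(p, mode)
        paths[name] = p
    for name, mode in (("ts.weak", 0o770), ("ts.ok", 0o700)):
        p = os.path.join(base, name)
        os.mkdir(p)
        os.chmod(p, mode)
        paths[name] = p
    paths["missing"] = os.path.join(base, "does-not-exist")
    return paths


if __name__ == "__main__":
    uid, gid = current_ids()
    for name, path in make_demo_tree().items():
        if name.startswith("ts"):
            print(name, audit_timestamp_dir(path, uid))
        else:
            print(name, audit_sudoers_file(path, uid, gid))
```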

   Notes on logging via syslog
     By default, sudoers logs messages via syslog(3).  The date, hostname, and
     progname fields are added by the syslog daemon, not sudoers itself.  As
     such, they may vary in format on different systems.

     On most systems, syslog(3) has a relatively small log buffer.  To prevent
     the command line arguments from being truncated, sudoers will split up
     log messages that are larger than 960 characters (not including the date,
     hostname, and the string ``sudo'').  When a message is split, additional
     parts will include the string ``(command continued)'' after the user name
     and before the continued command line arguments.

   Notes on logging to a file
     If the logfile option is set, sudoers will log to a local file, such as
     /var/log/sudo.  When logging to a file, sudoers uses a format similar to
     syslog(3), with a few important differences:

     1.   The progname and hostname fields are not present.

     2.   If the log_year option is enabled, the date will also include the
          year.

     3.   Lines that are longer than loglinelen characters (80 by default) are
          word-wrapped and continued on the next line with a four character
          indent.  This makes entries easier to read for a human being, but
          makes it more difficult to use grep(1) on the log files.  If the
          loglinelen option is set to 0 (or negated with a `!'), word wrap
          will be disabled.

FILES
     /etc/sudo.conf            Sudo front end configuration

     /etc/sudoers              List of who can run what

     /etc/group                Local groups file

     /etc/netgroup             List of network groups

     /var/log/sudo-io          I/O log files

     /var/run/sudo/ts          Directory containing time stamps for the
                               sudoers security policy

     /var/adm/sudo/lectured    Directory containing lecture status files for
                               the sudoers security policy

     /etc/environment          Initial environment for -i mode on AIX and
                               Linux systems

EXAMPLES
     Below are example sudoers entries.  Admittedly, some of these are a bit
     contrived.  First, we allow a few environment variables to pass and then
     define our aliases:

     # Run X applications through sudo; HOME is used to find the
     # .Xauthority file.  Note that other programs use HOME to find
     # configuration files and this may lead to privilege escalation!
     Defaults env_keep += "DISPLAY HOME"

     # User alias specification
     User_Alias      FULLTIMERS = millert, mikef, dowdy
     User_Alias      PARTTIMERS = bostley, jwfox, crawl
     User_Alias      WEBMASTERS = will, wendy, wim

     # Runas alias specification
     Runas_Alias     OP = root, operator
     Runas_Alias     DB = oracle, sybase
     Runas_Alias     ADMINGRP = adm, oper

     # Host alias specification
     Host_Alias      SPARC = bigtime, eclipse, moet, anchor :\
                     SGI = grolsch, dandelion, black :\
                     ALPHA = widget, thalamus, foobar :\
                     HPPA = boa, nag, python
     Host_Alias      CUNETS = 128.138.0.0/255.255.0.0
     Host_Alias      CSNETS = 128.138.243.0, 128.138.204.0/24, 128.138.242.0
     Host_Alias      SERVERS = master, mail, www, ns
     Host_Alias      CDROM = orion, perseus, hercules

     # Cmnd alias specification
     Cmnd_Alias      DUMPS = /usr/bin/mt, /usr/sbin/dump, /usr/sbin/rdump,\
                             /usr/sbin/restore, /usr/sbin/rrestore,\
                             sha224:0GomF8mNN3wlDt1HD9XldjJ3SNgpFdbjO1+NsQ== \
                             /home/operator/bin/start_backups
     Cmnd_Alias      KILL = /usr/bin/kill
     Cmnd_Alias      PRINTING = /usr/sbin/lpc, /usr/bin/lprm
     Cmnd_Alias      SHUTDOWN = /usr/sbin/shutdown
     Cmnd_Alias      HALT = /usr/sbin/halt
     Cmnd_Alias      REBOOT = /usr/sbin/reboot
     Cmnd_Alias      SHELLS = /usr/bin/sh, /usr/bin/csh, /usr/bin/ksh,\
                              /usr/local/bin/tcsh, /usr/bin/rsh,\
                              /usr/local/bin/zsh
     Cmnd_Alias      SU = /usr/bin/su
     Cmnd_Alias      PAGERS = /usr/bin/more, /usr/bin/pg, /usr/bin/less

     Here we override some of the compiled-in default values.  We want sudo to
     log via syslog(3) using the auth facility in all cases.  We don't want to
     subject the full time staff to the sudo lecture, user millert need not
     give a password, and we don't want to reset the LOGNAME, USER or USERNAME
     environment variables when running commands as root.  Additionally, on
     the machines in the SERVERS Host_Alias, we keep an additional local log
     file and make sure we log the year in each log line since the log entries
     will be kept around for several years.  Lastly, we disable shell escapes
     for the commands in the PAGERS Cmnd_Alias (/usr/bin/more, /usr/bin/pg and
     /usr/bin/less).  Note that this will not effectively constrain users with
     sudo ALL privileges.

     # Override built-in defaults
     Defaults                syslog=auth
     Defaults>root           !set_logname
     Defaults:FULLTIMERS     !lecture
     Defaults:millert        !authenticate
     Defaults@SERVERS        log_year, logfile=/var/log/sudo.log
     Defaults!PAGERS         noexec

     The User specification is the part that actually determines who may run
     what.

     root            ALL = (ALL) ALL
     %wheel          ALL = (ALL) ALL

     We let root and any user in group wheel run any command on any host as
     any user.

     FULLTIMERS      ALL = NOPASSWD: ALL

     Full time sysadmins (millert, mikef, and dowdy) may run any command on
     any host without authenticating themselves.

     PARTTIMERS      ALL = ALL

     Part time sysadmins (bostley, jwfox, and crawl) may run any command on
     any host but they must authenticate themselves first (since the entry
     lacks the NOPASSWD tag).

     jack            CSNETS = ALL

     The user jack may run any command on the machines in the CSNETS alias
     (the networks 128.138.243.0, 128.138.204.0, and 128.138.242.0).  Of those
     networks, only 128.138.204.0 has an explicit netmask (in CIDR notation)
     indicating it is a class C network.  For the other networks in CSNETS,
     the local machine's netmask will be used during matching.

     lisa            CUNETS = ALL

     The user lisa may run any command on any host in the CUNETS alias (the
     class B network 128.138.0.0).

     operator        ALL = DUMPS, KILL, SHUTDOWN, HALT, REBOOT, PRINTING,\
                     sudoedit /etc/printcap, /usr/oper/bin/

     The operator user may run commands limited to simple maintenance.  Here,
     those are commands related to backups, killing processes, the printing
     system, shutting down the system, and any commands in the directory
     /usr/oper/bin/.  Note that one command in the DUMPS Cmnd_Alias includes a
     sha224 digest, /home/operator/bin/start_backups.  This is because the
     directory containing the script is writable by the operator user.  If the
     script is modified (resulting in a digest mismatch) it will no longer be
     possible to run it via sudo.
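
     How the sha224 digest in the DUMPS Cmnd_Alias above is produced, and how
     the digest-mismatch check behaves once the script changes, as an added
     Python example (not sudo's own code).  sudoers also accepts the digest in
     hex; this emits the base64 form shown above.  The script contents in the
     sample are constructed.

```python
import base64
import hashlib
import hmac


def command_digest(data, algorithm="sha224"):
    """'algorithm:base64digest' for a command file's contents, the token
    form used in the Cmnd_Alias above."""
    digest = hashlib.new(algorithm, data).digest()
    return algorithm + ":" + base64.b64encode(digest).decode("ascii")


def cmnd_alias_entry(path, data, algorithm="sha224"):
    """The 'digest path' pair to place in a Cmnd_Alias or user spec."""
    return command_digest(data, algorithm) + " " + path


def digest_matches(data, recorded):
    """True while the file contents still match the recorded digest, which
    is the condition under which sudoers will still run the command."""
    algorithm = recorded.split(":", 1)[0]
    return hmac.compare_digest(command_digest(data, algorithm), recorded)


# Constructed contents of an operator-writable backup script.
SCRIPT = b"#!/bin/sh\n/usr/sbin/dump 0uf /dev/nst0 /\n"

if __name__ == "__main__":
    entry = cmnd_alias_entry("/home/operator/bin/start_backups", SCRIPT)
    print("Cmnd_Alias DUMPS = ...,", entry)
    print("unmodified script runs:", digest_matches(SCRIPT, entry.split()[0]))
    print("modified script runs:  ",
          digest_matches(SCRIPT + b"echo tampered\n", entry.split()[0]))
```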

     joe             ALL = /usr/bin/su operator

     The user joe may only su(1) to operator.

     pete            HPPA = /usr/bin/passwd [A-Za-z]*, !/usr/bin/passwd root

     The user pete is allowed to change anyone's password except for root on
     the HPPA machines.  Note that this assumes passwd(1) does not take
     multiple user names on the command line.

     %opers          ALL = (: ADMINGRP) /usr/sbin/

     Users in the opers group may run commands in /usr/sbin/ as themselves
     with any group in the ADMINGRP Runas_Alias (the adm and oper groups).

     bob             SPARC = (OP) ALL : SGI = (OP) ALL

     The user bob may run anything on the SPARC and SGI machines as any user
     listed in the OP Runas_Alias (root and operator).

     jim             +biglab = ALL

     The user jim may run any command on machines in the biglab netgroup.
     sudo knows that ``biglab'' is a netgroup due to the `+' prefix.

     +secretaries    ALL = PRINTING, /usr/bin/adduser, /usr/bin/rmuser

     Users in the secretaries netgroup need to help manage the printers as
     well as add and remove users, so they are allowed to run those commands
     on all machines.

     fred            ALL = (DB) NOPASSWD: ALL

     The user fred can run commands as any user in the DB Runas_Alias (oracle
     or sybase) without giving a password.

     john            ALPHA = /usr/bin/su [!-]*, !/usr/bin/su *root*

     On the ALPHA machines, user john may su to anyone except root but he is
     not allowed to specify any options to the su(1) command.

     jen             ALL, !SERVERS = ALL

     The user jen may run any command on any machine except for those in the
     SERVERS Host_Alias (master, mail, www and ns).

     jill            SERVERS = /usr/bin/, !SU, !SHELLS

     For any machine in the SERVERS Host_Alias, jill may run any commands in
     the directory /usr/bin/ except for those commands belonging to the SU and
     SHELLS Cmnd_Aliases.  While not specifically mentioned in the rule, the
     commands in the PAGERS Cmnd_Alias all reside in /usr/bin and have the
     noexec option set.

1.1.1.3   misho    2069:      steve           CSNETS = (operator) /usr/local/op_commands/
1.1       misho    2070: 
1.1.1.3   misho    2071:      The user sstteevvee may run any command in the directory
                   2072:      /usr/local/op_commands/ but only as user operator.
1.1       misho    2073: 
1.1.1.3   misho    2074:      matt            valkyrie = KILL
1.1       misho    2075: 
1.1.1.3   misho    2076:      On his personal workstation, valkyrie, mmaatttt needs to be able to kill hung
                   2077:      processes.
1.1       misho    2078: 
1.1.1.3   misho    2079:      WEBMASTERS      www = (www) ALL, (root) /usr/bin/su www
1.1       misho    2080: 
1.1.1.3   misho    2081:      On the host www, any user in the _W_E_B_M_A_S_T_E_R_S User_Alias (will, wendy, and
                   2082:      wim), may run any command as user www (which owns the web pages) or
                   2083:      simply su(1) to www.
1.1       misho    2084: 
1.1.1.3   misho    2085:      ALL             CDROM = NOPASSWD: /sbin/umount /CDROM,\
                   2086:                      /sbin/mount -o nosuid,nodev /dev/cd0a /CDROM
1.1       misho    2087: 
1.1.1.3   misho    2088:      Any user may mount or unmount a CD-ROM on the machines in the CDROM
                   2089:      Host_Alias (orion, perseus, hercules) without entering a password.  This
                   2090:      is a bit tedious for users to type, so it is a prime candidate for
                   2091:      encapsulating in a shell script.
1.1       misho    2092: 
                   2093: SSEECCUURRIITTYY NNOOTTEESS
1.1.1.3   misho    2094:    LLiimmiittaattiioonnss ooff tthhee ``!!'' ooppeerraattoorr
                   2095:      It is generally not effective to ``subtract'' commands from AALLLL using the
                   2096:      `!' operator.  A user can trivially circumvent this by copying the
                   2097:      desired command to a different name and then executing that.  For
                   2098:      example:
                   2099: 
                   2100:      bill    ALL = ALL, !SU, !SHELLS
                   2101: 
                   2102:      Doesn't really prevent bbiillll from running the commands listed in _S_U or
                   2103:      _S_H_E_L_L_S since he can simply copy those commands to a different name, or
                   2104:      use a shell escape from an editor or other program.  Therefore, these
                   2105:      kind of restrictions should be considered advisory at best (and
                   2106:      reinforced by policy).
                   2107: 
                   2108:      In general, if a user has sudo AALLLL there is nothing to prevent them from
                   2109:      creating their own program that gives them a root shell (or making their
                   2110:      own copy of a shell) regardless of any `!' elements in the user
                   2111:      specification.
1.1.1.2   misho    2112: 
                   2113:    SSeeccuurriittyy iimmpplliiccaattiioonnss ooff _f_a_s_t___g_l_o_b
1.1.1.3   misho    2114:      If the _f_a_s_t___g_l_o_b option is in use, it is not possible to reliably negate
                   2115:      commands where the path name includes globbing (aka wildcard) characters.
                   2116:      This is because the C library's fnmatch(3) function cannot resolve
                   2117:      relative paths.  While this is typically only an inconvenience for rules
                   2118:      that grant privileges, it can result in a security issue for rules that
                   2119:      subtract or revoke privileges.
                   2120: 
                   2121:      For example, given the following _s_u_d_o_e_r_s entry:
                   2122: 
                   2123:      john    ALL = /usr/bin/passwd [a-zA-Z0-9]*, /usr/bin/chsh [a-zA-Z0-9]*,\
                   2124:                    /usr/bin/chfn [a-zA-Z0-9]*, !/usr/bin/* root
                   2125: 
                   2126:      User jjoohhnn can still run /usr/bin/passwd root if _f_a_s_t___g_l_o_b is enabled by
                   2127:      changing to _/_u_s_r_/_b_i_n and running ./passwd root instead.
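     Both weaknesses described in the two subsections above (subtracting from
     ALL with `!', and negating a globbed path under fast_glob) can be flagged
     before a policy is installed.  The following is an added example written
     for this page, not code from sudo or visudo: a small Python lint that
     parses user specifications of the shape shown in this manual and reports
     (a) negated entries in a command list that also grants ALL and (b)
     negated entries whose path contains glob characters when a Defaults line
     enables fast_glob.  The element-splitting heuristic (comma followed by
     whitespace), the recognised tag names and the constructed sample policy
     are my own assumptions; aliases such as SU are not resolved.

```python
"""Lint sudoers user specifications for the two weaknesses described in
SECURITY NOTES.  Example code for this page, not part of sudo or visudo."""
import re

GLOB_CHARS = set("*?[")

# Tags that may precede a command in a Cmnd_Spec (assumed list).
TAGS = {"NOPASSWD", "PASSWD", "NOEXEC", "EXEC", "SETENV", "NOSETENV",
        "LOG_INPUT", "NOLOG_INPUT", "LOG_OUTPUT", "NOLOG_OUTPUT"}

# Constructed sample policy (not a real configuration).
SAMPLE_SUDOERS = """\
# constructed sample, not a real policy
Defaults  fast_glob
bill    ALL = ALL, !SU, !SHELLS
john    ALL = /usr/bin/passwd [a-zA-Z0-9]*, /usr/bin/chsh [a-zA-Z0-9]*,\\
              /usr/bin/chfn [a-zA-Z0-9]*, !/usr/bin/* root
pete    HPPA = /usr/bin/passwd [A-Za-z]*, !/usr/bin/passwd root
aaron   shanty = NOEXEC: /usr/bin/more, /usr/bin/vi
"""


def split_cmnd_list(rhs):
    """Split the right-hand side of a user spec into Cmnd_Spec strings.
    Assumption: elements are separated by a comma followed by whitespace, as
    in the manual's examples, so a comma inside an argument such as
    'nosuid,nodev' is left intact."""
    return [c.strip() for c in re.split(r",\s+", rhs) if c.strip()]


def parse_cmnd_spec(spec):
    """Return (negated, command) for one Cmnd_Spec, skipping a leading
    (runas) list and any TAG: prefixes.  Repeated '!' toggle negation."""
    spec = re.sub(r"^\([^)]*\)\s*", "", spec)
    tag = re.match(r"^([A-Z_]+):\s*(.*)$", spec)
    while tag and tag.group(1) in TAGS:
        spec = tag.group(2)
        tag = re.match(r"^([A-Z_]+):\s*(.*)$", spec)
    words = spec.split()
    if not words:
        return False, ""
    cmd = words[0]
    negated = False
    while cmd.startswith("!"):
        negated = not negated
        cmd = cmd[1:]
    return negated, cmd


def lint_user_spec(line, fast_glob=False):
    """Return a list of findings for one user specification line."""
    findings = []
    if "=" not in line:
        return findings
    lhs, rhs = line.split("=", 1)
    user = (lhs.split() or ["?"])[0]
    specs = [parse_cmnd_spec(s) for s in split_cmnd_list(rhs)]
    grants_all = any(not neg and cmd == "ALL" for neg, cmd in specs)
    for negated, cmd in specs:
        if not negated:
            continue
        if grants_all:
            findings.append(
                f"{user}: '!{cmd}' subtracts from ALL; advisory only, since "
                "the user can copy the command or use a shell escape")
        if fast_glob and GLOB_CHARS & set(cmd):
            findings.append(
                f"{user}: '!{cmd}' has glob characters in its path; with "
                "fast_glob a relative path such as ./cmd is not matched")
    return findings


def lint_sudoers(text):
    """Lint every user specification in sudoers-style text, joining
    backslash-continued lines.  fast_glob is taken from a Defaults line
    ('Defaults !fast_glob' does not enable it)."""
    logical, pending = [], ""
    for raw in text.splitlines():
        line = raw.rstrip()
        if line.endswith("\\"):
            pending += line[:-1] + " "
            continue
        logical.append(pending + line)
        pending = ""
    fast_glob = any(re.match(r"^Defaults\b[^#]*(?<!!)\bfast_glob\b", l)
                    for l in logical)
    findings = []
    for line in logical:
        s = line.strip()
        if not s or s.startswith("#") or re.match(r"^(Defaults|\w+_Alias)\b", s):
            continue
        findings.extend(lint_user_spec(s, fast_glob))
    return findings


if __name__ == "__main__":
    for finding in lint_sudoers(SAMPLE_SUDOERS):
        print(finding)
```

     Run against the constructed sample it reports three findings: two for
     bill's `!SU' and `!SHELLS', and one for john's `!/usr/bin/* root'; pete's
     rule is silent because the wildcard is in an argument, not the path, and
     aaron's NOEXEC rule has no negation at all.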

   Preventing shell escapes
     Once sudo executes a program, that program is free to do whatever it
     pleases, including running other programs.  This can be a security issue
     since it is not uncommon for a program to allow shell escapes, which lets
     a user bypass sudo's access control and logging.  Common programs that
     permit shell escapes include shells (obviously), editors, paginators,
     mail and terminal programs.

     There are two basic approaches to this problem:

     restrict  Avoid giving users access to commands that allow the user to
               run arbitrary commands.  Many editors have a restricted mode
               where shell escapes are disabled, though sudoedit is a better
               solution to running editors via sudo.  Due to the large number
               of programs that offer shell escapes, restricting users to the
               set of programs that do not is often unworkable.

     noexec    Many systems that support shared libraries have the ability to
               override default library functions by pointing an environment
               variable (usually LD_PRELOAD) to an alternate shared library.
               On such systems, sudo's noexec functionality can be used to
               prevent a program run by sudo from executing any other
               programs.  Note, however, that this applies only to native
               dynamically-linked executables.  Statically-linked executables
               and foreign executables running under binary emulation are not
               affected.

               The noexec feature is known to work on SunOS, Solaris, *BSD,
               Linux, IRIX, Tru64 UNIX, MacOS X, HP-UX 11.x and AIX 5.3 and
               above.  It should be supported on most operating systems that
               support the LD_PRELOAD environment variable.  Check your
               operating system's manual pages for the dynamic linker (usually
               ld.so, ld.so.1, dyld, dld.sl, rld, or loader) to see if
               LD_PRELOAD is supported.

               On Solaris 10 and higher, noexec uses Solaris privileges
               instead of the LD_PRELOAD environment variable.

               To enable noexec for a command, use the NOEXEC tag as
               documented in the User Specification section above.  Here is
               that example again:

               aaron   shanty = NOEXEC: /usr/bin/more, /usr/bin/vi

               This allows user aaron to run /usr/bin/more and /usr/bin/vi
               with noexec enabled.  This will prevent those two commands from
               executing other commands (such as a shell).  If you are unsure
               whether or not your system is capable of supporting noexec you
               can always just try it out and check whether shell escapes work
               when noexec is enabled.

     Note that restricting shell escapes is not a panacea.  Programs running
     as root are still capable of many potentially hazardous operations (such
     as changing or overwriting files) that could lead to unintended privilege
     escalation.  In the specific case of an editor, a safer approach is to
     give the user permission to run sudoedit (see below).

   Secure editing
     The sudoers plugin includes sudoedit support which allows users to
     securely edit files with the editor of their choice.  As sudoedit is a
     built-in command, it must be specified in sudoers without a leading path.
     However, it may take command line arguments just as a normal command
     does.  For example, to allow user operator to edit the ``message of the
     day'' file:

           operator        sudoedit /etc/motd

     The operator user then runs sudoedit as follows:

           $ sudoedit /etc/motd

     The editor will run as the operator user, not root, on a temporary copy
     of /etc/motd.  After the file has been edited, /etc/motd will be updated
     with the contents of the temporary copy.

   Time stamp file checks
     sudoers will check the ownership of its time stamp directory
     (/var/run/sudo/ts by default) and ignore the directory's contents if it
     is not owned by root or if it is writable by a user other than root.
     Older versions of sudo stored time stamp files in /tmp; this is no longer
     recommended as it may be possible for a user to create the time stamp
     themselves on systems that allow unprivileged users to change the
     ownership of files they create.

     While the time stamp directory should be cleared at reboot time, not all
     systems contain a /var/run directory.  To avoid potential problems,
     sudoers will ignore time stamp files that date from before the machine
     booted on systems where the boot time is available.

     Some systems with graphical desktop environments allow unprivileged users
     to change the system clock.  Since sudoers relies on the system clock for
     time stamp validation, it may be possible on such systems for a user to
     run sudo for longer than timestamp_timeout by setting the clock back.  To
     combat this, sudoers uses a monotonic clock (which never moves backwards)
     for its time stamps if the system supports it.

     sudoers will not honor time stamps set far in the future.  Time stamps
     with a date greater than current_time + 2 * TIMEOUT will be ignored and
     sudoers will log and complain.

     Since time stamp files live in the file system, they can outlive a user's
     login session.  As a result, a user may be able to log in, run a command
     with sudo after authenticating, log out, log in again, and run sudo
     without authenticating so long as the record's time stamp is within 5
     minutes (or whatever value the timeout is set to in sudoers).  When the
     tty_tickets option is enabled, the time stamp record includes the device
     number of the terminal the user authenticated with.  This provides
     per-tty granularity but time stamp records still may outlive the user's
     session.  The time stamp record also includes the session ID of the
     process that last authenticated.  This prevents processes in different
     terminal sessions from using the same time stamp record.  It also helps
     reduce the chance that a user will be able to run sudo without entering a
     password when logging out and back in again on the same terminal.
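     To make the checks in this subsection concrete, the following is an added
     Python model of them (example code written for this page, not sudo's own
     implementation).  The record fields, the state names, the constructed
     times and the choice to treat any group- or other-writable directory as
     untrusted are my own assumptions; the thresholds follow the text: a
     root-owned directory that only root can write, records from before boot
     or later than current_time + 2 * TIMEOUT ignored, and matching on the
     terminal's device number (with tty_tickets) and the session ID.

```python
"""Model of the sudoers time stamp checks described above.  Example code for
this page, not sudo's own implementation."""
import stat
from dataclasses import dataclass

DEFAULT_TIMEOUT = 5 * 60  # default timestamp_timeout, in seconds


def timestamp_dir_trusted(owner_uid, mode):
    """Directory check: contents are ignored unless the directory is owned by
    root and not writable by group or others (assumption: any group/other
    write bit counts as 'writable by a user other than root')."""
    if owner_uid != 0:
        return False
    return not (mode & (stat.S_IWGRP | stat.S_IWOTH))


@dataclass
class TimeStampRecord:
    auth_time: float   # when the user last authenticated, in clock seconds
    tty_dev: int       # device number of the terminal used (tty_tickets)
    session_id: int    # session ID of the process that last authenticated


def timestamp_state(rec, now, boot_time, tty_dev, session_id,
                    timeout=DEFAULT_TIMEOUT, tty_tickets=True):
    """Classify a record against the current request.

    All times are seconds on one clock; sudoers prefers a monotonic clock
    here so that setting the wall clock back cannot stretch a record's life.
    Returns 'stale' (before boot), 'future' (beyond now + 2*timeout, which
    sudoers also logs), 'mismatch' (other tty or session), 'expired' or
    'valid'."""
    if boot_time is not None and rec.auth_time < boot_time:
        return "stale"
    if rec.auth_time > now + 2 * timeout:
        return "future"
    if rec.session_id != session_id:
        return "mismatch"
    if tty_tickets and rec.tty_dev != tty_dev:
        return "mismatch"
    if now - rec.auth_time > timeout:
        return "expired"
    return "valid"


def can_skip_password(dir_owner_uid, dir_mode, rec, now, boot_time,
                      tty_dev, session_id, timeout=DEFAULT_TIMEOUT,
                      tty_tickets=True):
    """The password prompt may be skipped only if the directory is trusted
    and the record is valid for this tty and session."""
    if not timestamp_dir_trusted(dir_owner_uid, dir_mode):
        return False
    return timestamp_state(rec, now, boot_time, tty_dev, session_id,
                           timeout, tty_tickets) == "valid"


if __name__ == "__main__":
    # Constructed scenario: authenticated 100 s ago on tty 5 in session 42.
    rec = TimeStampRecord(auth_time=1000.0, tty_dev=5, session_id=42)
    print(can_skip_password(0, 0o700, rec, now=1100.0, boot_time=500.0,
                            tty_dev=5, session_id=42))   # True
    print(can_skip_password(0, 0o770, rec, now=1100.0, boot_time=500.0,
                            tty_dev=5, session_id=42))   # False: dir writable
    print(timestamp_state(rec, now=1100.0, boot_time=2000.0,
                          tty_dev=5, session_id=42))     # stale: before boot
```

     The order of the checks matters for diagnostics only; any result other
     than 'valid' means the user is prompted again, and the 'future' case is
     the one the text says sudoers also logs and complains about.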

DEBUGGING
     Versions 1.8.4 and higher of the sudoers plugin support a flexible
     debugging framework that can help track down what the plugin is doing
     internally if there is a problem.  This can be configured in the
     sudo.conf(4) file.

     The sudoers plugin uses the same debug flag format as the sudo front-end:
     subsystem@priority.

     The priorities used by sudoers, in order of decreasing severity, are:
     crit, err, warn, notice, diag, info, trace and debug.  Each priority,
     when specified, also includes all priorities higher than it.  For
     example, a priority of notice would include debug messages logged at
     notice and higher.

     The following subsystems are used by the sudoers plugin:

     alias     User_Alias, Runas_Alias, Host_Alias and Cmnd_Alias processing

     all       matches every subsystem

     audit     BSM and Linux audit code

     auth      user authentication

     defaults  sudoers Defaults settings

     env       environment handling

     ldap      LDAP-based sudoers

     logging   logging support

     match     matching of users, groups, hosts and netgroups in sudoers

     netif     network interface handling

     nss       network service switch handling in sudoers

     parser    sudoers file parsing

     perms     permission setting

     plugin    the equivalent of main for the plugin

     pty       pseudo-tty related code

     rbtree    red-black tree internals

     sssd      SSSD-based sudoers

     util      utility functions

     For example:

     Debug sudo /var/log/sudo_debug match@info,nss@info

     For more information, see the sudo.conf(4) manual.
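     As an added example (written for this page, not sudo's own code), the
     following Python parser reads a Debug line in the format described above
     and answers whether a message from a given subsystem at a given priority
     would reach the log.  The priority order and the subsystem names are
     taken from this section; the tie-break when both an all@ entry and a
     subsystem entry are present (the more permissive one wins) is my own
     assumption.

```python
"""Parser for the sudo.conf Debug line format described above.  Example code
for this page, not sudo's own implementation."""

# Priorities in order of decreasing severity, as listed in the manual.
PRIORITIES = ["crit", "err", "warn", "notice", "diag", "info", "trace", "debug"]

# Subsystems listed in the manual; "all" is handled separately.
SUBSYSTEMS = {"alias", "audit", "auth", "defaults", "env", "ldap", "logging",
              "match", "netif", "nss", "parser", "perms", "plugin", "pty",
              "rbtree", "sssd", "util"}


def parse_debug_line(line):
    """Parse 'Debug <program> <logfile> <subsystem@priority>[,...]' into
    (program, logfile, filters), where filters maps subsystem to priority.
    Unknown subsystems or priorities raise ValueError."""
    parts = line.split(None, 3)
    if len(parts) != 4 or parts[0] != "Debug":
        raise ValueError(f"not a Debug line: {line!r}")
    program, logfile, flags = parts[1], parts[2], parts[3]
    filters = {}
    for flag in flags.split(","):
        subsystem, sep, priority = flag.strip().partition("@")
        if not sep or priority not in PRIORITIES:
            raise ValueError(f"bad debug flag: {flag!r}")
        if subsystem != "all" and subsystem not in SUBSYSTEMS:
            raise ValueError(f"unknown subsystem: {subsystem!r}")
        filters[subsystem] = priority
    return program, logfile, filters


def would_log(filters, subsystem, priority):
    """True if a message from `subsystem` at `priority` passes the filters.
    A configured priority admits itself and every more severe priority
    (lower index in PRIORITIES).  Assumption: if both 'all' and the
    subsystem itself are configured, the more permissive entry wins."""
    candidates = [filters[k] for k in (subsystem, "all") if k in filters]
    msg_rank = PRIORITIES.index(priority)
    return any(msg_rank <= PRIORITIES.index(c) for c in candidates)


if __name__ == "__main__":
    # The manual's own example line.
    _, logfile, filters = parse_debug_line(
        "Debug sudo /var/log/sudo_debug match@info,nss@info")
    print(logfile, filters)
    print(would_log(filters, "match", "warn"))    # True: warn is above info
    print(would_log(filters, "match", "trace"))   # False: trace is below info
    print(would_log(filters, "ldap", "crit"))     # False: ldap not configured
```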

SEE ALSO
     ssh(1), su(1), fnmatch(3), glob(3), mktemp(3), strftime(3), sudo.conf(4),
     sudoers.ldap(4), sudo_plugin(1m), sudo(1m), visudo(1m)

CAVEATS
     The sudoers file should always be edited by the visudo command which
     locks the file and does grammatical checking.  It is imperative that
     sudoers be free of syntax errors since sudo will not run with a
     syntactically incorrect sudoers file.

     When using netgroups of machines (as opposed to users), if you store
     fully qualified host names in the netgroup (as is usually the case), you
     either need to have the machine's host name be fully qualified as
     returned by the hostname command or use the fqdn option in sudoers.

BUGS
     If you feel you have found a bug in sudo, please submit a bug report at
     http://www.sudo.ws/sudo/bugs/

SUPPORT
     Limited free support is available via the sudo-users mailing list, see
     http://www.sudo.ws/mailman/listinfo/sudo-users to subscribe or search the
     archives.

DISCLAIMER
     sudo is provided ``AS IS'' and any express or implied warranties,
     including, but not limited to, the implied warranties of merchantability
     and fitness for a particular purpose are disclaimed.  See the LICENSE
     file distributed with sudo or http://www.sudo.ws/sudo/license.html for
     complete details.

Sudo 1.8.10                    February 15, 2014                   Sudo 1.8.10
