1: SUDOERS(4) Programmer's Manual SUDOERS(4)
2:
3: N�NA�AM�ME�E
4: s�su�ud�do�oe�er�rs�s - default sudo security policy module
5:
6: D�DE�ES�SC�CR�RI�IP�PT�TI�IO�ON�N
7: The _�s_�u_�d_�o_�e_�r_�s policy module determines a user's s�su�ud�do�o privileges. It is the
8: default s�su�ud�do�o policy plugin. The policy is driven by the _�/_�e_�t_�c_�/_�s_�u_�d_�o_�e_�r_�s
9: file or, optionally in LDAP. The policy format is described in detail in
10: the _�S_�U_�D_�O_�E_�R_�S _�F_�I_�L_�E _�F_�O_�R_�M_�A_�T section. For information on storing _�s_�u_�d_�o_�e_�r_�s
11: policy information in LDAP, please see sudoers.ldap(4).
12:
13: A�Au�ut�th�he�en�nt�ti�ic�ca�at�ti�io�on�n a�an�nd�d l�lo�og�gg�gi�in�ng�g
14: The _�s_�u_�d_�o_�e_�r_�s security policy requires that most users authenticate
15: themselves before they can use s�su�ud�do�o. A password is not required if the
16: invoking user is root, if the target user is the same as the invoking
17: user, or if the policy has disabled authentication for the user or
18: command. Unlike su(1), when _�s_�u_�d_�o_�e_�r_�s requires authentication, it
19: validates the invoking user's credentials, not the target user's (or
20: root's) credentials. This can be changed via the _�r_�o_�o_�t_�p_�w, _�t_�a_�r_�g_�e_�t_�p_�w and
21: _�r_�u_�n_�a_�s_�p_�w flags, described later.
22:
23: If a user who is not listed in the policy tries to run a command via
24: s�su�ud�do�o, mail is sent to the proper authorities. The address used for such
25: mail is configurable via the _�m_�a_�i_�l_�t_�o Defaults entry (described later) and
26: defaults to root.
27:
28: Note that mail will not be sent if an unauthorized user tries to run s�su�ud�do�o
29: with the -�-l�l or -�-v�v option. This allows users to determine for themselves
30: whether or not they are allowed to use s�su�ud�do�o.
31:
32: If s�su�ud�do�o is run by root and the SUDO_USER environment variable is set, the
33: _�s_�u_�d_�o_�e_�r_�s policy will use this value to determine who the actual user is.
34: This can be used by a user to log commands through sudo even when a root
35: shell has been invoked. It also allows the -�-e�e option to remain useful
36: even when invoked via a sudo-run script or program. Note, however, that
37: the _�s_�u_�d_�o_�e_�r_�s lookup is still done for root, not the user specified by
38: SUDO_USER.
39:
40: _�s_�u_�d_�o_�e_�r_�s uses time stamp files for credential caching. Once a user has
41: been authenticated, the time stamp is updated and the user may then use
42: sudo without a password for a short period of time (5 minutes unless
43: overridden by the _�t_�i_�m_�e_�o_�u_�t option). By default, _�s_�u_�d_�o_�e_�r_�s uses a tty-based
44: time stamp which means that there is a separate time stamp for each of a
45: user's login sessions. The _�t_�t_�y_�__�t_�i_�c_�k_�e_�t_�s option can be disabled to force
46: the use of a single time stamp for all of a user's sessions.
47:
48: _�s_�u_�d_�o_�e_�r_�s can log both successful and unsuccessful attempts (as well as
49: errors) to syslog(3), a log file, or both. By default, _�s_�u_�d_�o_�e_�r_�s will log
50: via syslog(3) but this is changeable via the _�s_�y_�s_�l_�o_�g and _�l_�o_�g_�f_�i_�l_�e Defaults
51: settings.
52:
53: _�s_�u_�d_�o_�e_�r_�s also supports logging a command's input and output streams. I/O
54: logging is not on by default but can be enabled using the _�l_�o_�g_�__�i_�n_�p_�u_�t and
55: _�l_�o_�g_�__�o_�u_�t_�p_�u_�t Defaults flags as well as the LOG_INPUT and LOG_OUTPUT command
56: tags.
57:
58: C�Co�om�mm�ma�an�nd�d e�en�nv�vi�ir�ro�on�nm�me�en�nt�t
59: Since environment variables can influence program behavior, _�s_�u_�d_�o_�e_�r_�s
60: provides a means to restrict which variables from the user's environment
61: are inherited by the command to be run. There are two distinct ways
62: _�s_�u_�d_�o_�e_�r_�s can deal with environment variables.
63:
64: By default, the _�e_�n_�v_�__�r_�e_�s_�e_�t option is enabled. This causes commands to be
65: executed with a new, minimal environment. On AIX (and Linux systems
66: without PAM), the environment is initialized with the contents of the
67: _�/_�e_�t_�c_�/_�e_�n_�v_�i_�r_�o_�n_�m_�e_�n_�t file. On BSD systems, if the _�u_�s_�e_�__�l_�o_�g_�i_�n_�c_�l_�a_�s_�s option is
68: enabled, the environment is initialized based on the _�p_�a_�t_�h and _�s_�e_�t_�e_�n_�v
69: settings in _�/_�e_�t_�c_�/_�l_�o_�g_�i_�n_�._�c_�o_�n_�f. The new environment contains the TERM,
70: PATH, HOME, MAIL, SHELL, LOGNAME, USER, USERNAME and SUDO_* variables in
71: addition to variables from the invoking process permitted by the
72: _�e_�n_�v_�__�c_�h_�e_�c_�k and _�e_�n_�v_�__�k_�e_�e_�p options. This is effectively a whitelist for
73: environment variables.
74:
75: If, however, the _�e_�n_�v_�__�r_�e_�s_�e_�t option is disabled, any variables not
76: explicitly denied by the _�e_�n_�v_�__�c_�h_�e_�c_�k and _�e_�n_�v_�__�d_�e_�l_�e_�t_�e options are inherited
77: from the invoking process. In this case, _�e_�n_�v_�__�c_�h_�e_�c_�k and _�e_�n_�v_�__�d_�e_�l_�e_�t_�e behave
78: like a blacklist. Since it is not possible to blacklist all potentially
79: dangerous environment variables, use of the default _�e_�n_�v_�__�r_�e_�s_�e_�t behavior is
80: encouraged.
81:
82: In all cases, environment variables with a value beginning with () are
83: removed as they could be interpreted as b�ba�as�sh�h functions. The list of
84: environment variables that s�su�ud�do�o allows or denies is contained in the
85: output of ``sudo -V'' when run as root.
86:
87: Note that the dynamic linker on most operating systems will remove
88: variables that can control dynamic linking from the environment of setuid
89: executables, including s�su�ud�do�o. Depending on the operating system this may
90: include _RLD*, DYLD_*, LD_*, LDR_*, LIBPATH, SHLIB_PATH, and others.
91: These type of variables are removed from the environment before s�su�ud�do�o even
92: begins execution and, as such, it is not possible for s�su�ud�do�o to preserve
93: them.
94:
95: As a special case, if s�su�ud�do�o's -�-i�i option (initial login) is specified,
96: _�s_�u_�d_�o_�e_�r_�s will initialize the environment regardless of the value of
97: _�e_�n_�v_�__�r_�e_�s_�e_�t. The DISPLAY, PATH and TERM variables remain unchanged; HOME,
98: MAIL, SHELL, USER, and LOGNAME are set based on the target user. On AIX
99: (and Linux systems without PAM), the contents of _�/_�e_�t_�c_�/_�e_�n_�v_�i_�r_�o_�n_�m_�e_�n_�t are
100: also included. On BSD systems, if the _�u_�s_�e_�__�l_�o_�g_�i_�n_�c_�l_�a_�s_�s option is enabled,
101: the _�p_�a_�t_�h and _�s_�e_�t_�e_�n_�v variables in _�/_�e_�t_�c_�/_�l_�o_�g_�i_�n_�._�c_�o_�n_�f are also applied. All
102: other environment variables are removed.
103:
104: Finally, if the _�e_�n_�v_�__�f_�i_�l_�e option is defined, any variables present in that
105: file will be set to their specified values as long as they would not
106: conflict with an existing environment variable.
107:
108: S�SU�UD�DO�OE�ER�RS�S F�FI�IL�LE�E F�FO�OR�RM�MA�AT�T
109: The _�s_�u_�d_�o_�e_�r_�s file is composed of two types of entries: aliases (basically
110: variables) and user specifications (which specify who may run what).
111:
112: When multiple entries match for a user, they are applied in order. Where
113: there are multiple matches, the last match is used (which is not
114: necessarily the most specific match).
115:
116: The _�s_�u_�d_�o_�e_�r_�s grammar will be described below in Extended Backus-Naur Form
117: (EBNF). Don't despair if you are unfamiliar with EBNF; it is fairly
118: simple, and the definitions below are annotated.
119:
120: Q�Qu�ui�ic�ck�k g�gu�ui�id�de�e t�to�o E�EB�BN�NF�F
121: EBNF is a concise and exact way of describing the grammar of a language.
122: Each EBNF definition is made up of _�p_�r_�o_�d_�u_�c_�t_�i_�o_�n _�r_�u_�l_�e_�s. E.g.,
123:
124: symbol ::= definition | alternate1 | alternate2 ...
125:
126: Each _�p_�r_�o_�d_�u_�c_�t_�i_�o_�n _�r_�u_�l_�e references others and thus makes up a grammar for
127: the language. EBNF also contains the following operators, which many
128: readers will recognize from regular expressions. Do not, however,
129: confuse them with ``wildcard'' characters, which have different meanings.
130:
131: ? Means that the preceding symbol (or group of symbols) is optional.
132: That is, it may appear once or not at all.
133:
134: * Means that the preceding symbol (or group of symbols) may appear
135: zero or more times.
136:
137: + Means that the preceding symbol (or group of symbols) may appear
138: one or more times.
139:
140: Parentheses may be used to group symbols together. For clarity, we will
141: use single quotes ('') to designate what is a verbatim character string
142: (as opposed to a symbol name).
143:
144: A�Al�li�ia�as�se�es�s
145: There are four kinds of aliases: User_Alias, Runas_Alias, Host_Alias and
146: Cmnd_Alias.
147:
148: Alias ::= 'User_Alias' User_Alias (':' User_Alias)* |
149: 'Runas_Alias' Runas_Alias (':' Runas_Alias)* |
150: 'Host_Alias' Host_Alias (':' Host_Alias)* |
151: 'Cmnd_Alias' Cmnd_Alias (':' Cmnd_Alias)*
152:
153: User_Alias ::= NAME '=' User_List
154:
155: Runas_Alias ::= NAME '=' Runas_List
156:
157: Host_Alias ::= NAME '=' Host_List
158:
159: Cmnd_Alias ::= NAME '=' Cmnd_List
160:
161: NAME ::= [A-Z]([A-Z][0-9]_)*
162:
163: Each _�a_�l_�i_�a_�s definition is of the form
164:
165: Alias_Type NAME = item1, item2, ...
166:
167: where _�A_�l_�i_�a_�s_�__�T_�y_�p_�e is one of User_Alias, Runas_Alias, Host_Alias, or
168: Cmnd_Alias. A NAME is a string of uppercase letters, numbers, and
169: underscore characters (`_'). A NAME m�mu�us�st�t start with an uppercase letter.
170: It is possible to put several alias definitions of the same type on a
171: single line, joined by a colon (`:'). E.g.,
172:
173: Alias_Type NAME = item1, item2, item3 : NAME = item4, item5
174:
175: The definitions of what constitutes a valid _�a_�l_�i_�a_�s member follow.
176:
177: User_List ::= User |
178: User ',' User_List
179:
180: User ::= '!'* user name |
181: '!'* #uid |
182: '!'* %group |
183: '!'* %#gid |
184: '!'* +netgroup |
185: '!'* %:nonunix_group |
186: '!'* %:#nonunix_gid |
187: '!'* User_Alias
188:
189: A User_List is made up of one or more user names, user ids (prefixed with
190: `#'), system group names and ids (prefixed with `%' and `%#'
191: respectively), netgroups (prefixed with `+'), non-Unix group names and
192: IDs (prefixed with `%:' and `%:#' respectively) and User_Aliases. Each
193: list item may be prefixed with zero or more `!' operators. An odd number
194: of `!' operators negate the value of the item; an even number just cancel
195: each other out.
196:
197: A user name, uid, group, gid, netgroup, nonunix_group or nonunix_gid may
198: be enclosed in double quotes to avoid the need for escaping special
199: characters. Alternately, special characters may be specified in escaped
200: hex mode, e.g. \x20 for space. When using double quotes, any prefix
201: characters must be included inside the quotes.
202:
203: The actual nonunix_group and nonunix_gid syntax depends on the underlying
204: group provider plugin (see the _�g_�r_�o_�u_�p_�__�p_�l_�u_�g_�i_�n description below). For
205: instance, the QAS AD plugin supports the following formats:
206:
207: o�o Group in the same domain: "%:Group Name"
208:
209: o�o Group in any domain: "%:Group Name@FULLY.QUALIFIED.DOMAIN"
210:
211: o�o Group SID: "%:S-1-2-34-5678901234-5678901234-5678901234-567"
212:
213: Note that quotes around group names are optional. Unquoted strings must
214: use a backslash (`\') to escape spaces and special characters. See _�O_�t_�h_�e_�r
215: _�s_�p_�e_�c_�i_�a_�l _�c_�h_�a_�r_�a_�c_�t_�e_�r_�s _�a_�n_�d _�r_�e_�s_�e_�r_�v_�e_�d _�w_�o_�r_�d_�s for a list of characters that need
216: to be escaped.
217:
218: Runas_List ::= Runas_Member |
219: Runas_Member ',' Runas_List
220:
221: Runas_Member ::= '!'* user name |
222: '!'* #uid |
223: '!'* %group |
224: '!'* %#gid |
225: '!'* %:nonunix_group |
226: '!'* %:#nonunix_gid |
227: '!'* +netgroup |
228: '!'* Runas_Alias
229:
230: A Runas_List is similar to a User_List except that instead of
231: User_Aliases it can contain Runas_Aliases. Note that user names and
232: groups are matched as strings. In other words, two users (groups) with
233: the same uid (gid) are considered to be distinct. If you wish to match
234: all user names with the same uid (e.g. root and toor), you can use a uid
235: instead (#0 in the example given).
236:
237: Host_List ::= Host |
238: Host ',' Host_List
239:
240: Host ::= '!'* host name |
241: '!'* ip_addr |
242: '!'* network(/netmask)? |
243: '!'* +netgroup |
244: '!'* Host_Alias
245:
246: A Host_List is made up of one or more host names, IP addresses, network
247: numbers, netgroups (prefixed with `+') and other aliases. Again, the
248: value of an item may be negated with the `!' operator. If you do not
249: specify a netmask along with the network number, s�su�ud�do�o will query each of
250: the local host's network interfaces and, if the network number
251: corresponds to one of the hosts's network interfaces, the corresponding
252: netmask will be used. The netmask may be specified either in standard IP
253: address notation (e.g. 255.255.255.0 or ffff:ffff:ffff:ffff::), or CIDR
254: notation (number of bits, e.g. 24 or 64). A host name may include shell-
255: style wildcards (see the _�W_�i_�l_�d_�c_�a_�r_�d_�s section below), but unless the host
256: name command on your machine returns the fully qualified host name,
257: you'll need to use the _�f_�q_�d_�n option for wildcards to be useful. Note that
258: s�su�ud�do�o only inspects actual network interfaces; this means that IP address
259: 127.0.0.1 (localhost) will never match. Also, the host name
260: ``localhost'' will only match if that is the actual host name, which is
261: usually only the case for non-networked systems.
262:
263: Cmnd_List ::= Cmnd |
264: Cmnd ',' Cmnd_List
265:
266: command name ::= file name |
267: file name args |
268: file name '""'
269:
270: Cmnd ::= '!'* command name |
271: '!'* directory |
272: '!'* "sudoedit" |
273: '!'* Cmnd_Alias
274:
275: A Cmnd_List is a list of one or more command names, directories, and
276: other aliases. A command name is a fully qualified file name which may
277: include shell-style wildcards (see the _�W_�i_�l_�d_�c_�a_�r_�d_�s section below). A
278: simple file name allows the user to run the command with any arguments
279: he/she wishes. However, you may also specify command line arguments
280: (including wildcards). Alternately, you can specify "" to indicate that
281: the command may only be run w�wi�it�th�ho�ou�ut�t command line arguments. A directory
282: is a fully qualified path name ending in a `/'. When you specify a
283: directory in a Cmnd_List, the user will be able to run any file within
284: that directory (but not in any sub-directories therein).
285:
286: If a Cmnd has associated command line arguments, then the arguments in
287: the Cmnd must match exactly those given by the user on the command line
288: (or match the wildcards if there are any). Note that the following
289: characters must be escaped with a `\' if they are used in command
290: arguments: `,', `:', `=', `\'. The special command ``sudoedit'' is used
291: to permit a user to run s�su�ud�do�o with the -�-e�e option (or as s�su�ud�do�oe�ed�di�it�t). It may
292: take command line arguments just as a normal command does.
293:
294: D�De�ef�fa�au�ul�lt�ts�s
295: Certain configuration options may be changed from their default values at
296: run-time via one or more Default_Entry lines. These may affect all users
297: on any host, all users on a specific host, a specific user, a specific
298: command, or commands being run as a specific user. Note that per-command
299: entries may not include command line arguments. If you need to specify
300: arguments, define a Cmnd_Alias and reference that instead.
301:
302: Default_Type ::= 'Defaults' |
303: 'Defaults' '@' Host_List |
304: 'Defaults' ':' User_List |
305: 'Defaults' '!' Cmnd_List |
306: 'Defaults' '>' Runas_List
307:
308: Default_Entry ::= Default_Type Parameter_List
309:
310: Parameter_List ::= Parameter |
311: Parameter ',' Parameter_List
312:
313: Parameter ::= Parameter '=' Value |
314: Parameter '+=' Value |
315: Parameter '-=' Value |
316: '!'* Parameter
317:
318: Parameters may be f�fl�la�ag�gs�s, i�in�nt�te�eg�ge�er�r values, s�st�tr�ri�in�ng�gs�s, or l�li�is�st�ts�s. Flags are
319: implicitly boolean and can be turned off via the `!' operator. Some
320: integer, string and list parameters may also be used in a boolean context
321: to disable them. Values may be enclosed in double quotes ("") when they
322: contain multiple words. Special characters may be escaped with a
323: backslash (`\').
324:
325: Lists have two additional assignment operators, += and -=. These
326: operators are used to add to and delete from a list respectively. It is
327: not an error to use the -= operator to remove an element that does not
328: exist in a list.
329:
330: Defaults entries are parsed in the following order: generic, host and
331: user Defaults first, then runas Defaults and finally command defaults.
332:
333: See _�S_�U_�D_�O_�E_�R_�S _�O_�P_�T_�I_�O_�N_�S for a list of supported Defaults parameters.
334:
335: U�Us�se�er�r s�sp�pe�ec�ci�if�fi�ic�ca�at�ti�io�on�n
336: User_Spec ::= User_List Host_List '=' Cmnd_Spec_List \
337: (':' Host_List '=' Cmnd_Spec_List)*
338:
339: Cmnd_Spec_List ::= Cmnd_Spec |
340: Cmnd_Spec ',' Cmnd_Spec_List
341:
342: Cmnd_Spec ::= Runas_Spec? SELinux_Spec? Solaris_Priv_Spec? Tag_Spec* Cmnd
343:
344: Runas_Spec ::= '(' Runas_List? (':' Runas_List)? ')'
345:
346: SELinux_Spec ::= ('ROLE=role' | 'TYPE=type')
347:
348: Solaris_Priv_Spec ::= ('PRIVS=privset' | 'LIMITPRIVS=privset')
349:
350: Tag_Spec ::= ('NOPASSWD:' | 'PASSWD:' | 'NOEXEC:' | 'EXEC:' |
351: 'SETENV:' | 'NOSETENV:' | 'LOG_INPUT:' | 'NOLOG_INPUT:' |
352: 'LOG_OUTPUT:' | 'NOLOG_OUTPUT:')
353:
354: A u�us�se�er�r s�sp�pe�ec�ci�if�fi�ic�ca�at�ti�io�on�n determines which commands a user may run (and as
355: what user) on specified hosts. By default, commands are run as r�ro�oo�ot�t, but
356: this can be changed on a per-command basis.
357:
358: The basic structure of a user specification is ``who where = (as_whom)
359: what''. Let's break that down into its constituent parts:
360:
361: R�Ru�un�na�as�s_�_S�Sp�pe�ec�c
362: A Runas_Spec determines the user and/or the group that a command may be
363: run as. A fully-specified Runas_Spec consists of two Runas_Lists (as
364: defined above) separated by a colon (`:') and enclosed in a set of
365: parentheses. The first Runas_List indicates which users the command may
366: be run as via s�su�ud�do�o's -�-u�u option. The second defines a list of groups that
367: can be specified via s�su�ud�do�o's -�-g�g option. If both Runas_Lists are
368: specified, the command may be run with any combination of users and
369: groups listed in their respective Runas_Lists. If only the first is
370: specified, the command may be run as any user in the list but no -�-g�g
371: option may be specified. If the first Runas_List is empty but the second
372: is specified, the command may be run as the invoking user with the group
373: set to any listed in the Runas_List. If both Runas_Lists are empty, the
374: command may only be run as the invoking user. If no Runas_Spec is
375: specified the command may be run as r�ro�oo�ot�t and no group may be specified.
376:
377: A Runas_Spec sets the default for the commands that follow it. What this
378: means is that for the entry:
379:
380: dgb boulder = (operator) /bin/ls, /bin/kill, /usr/bin/lprm
381:
382: The user d�dg�gb�b may run _�/_�b_�i_�n_�/_�l_�s, _�/_�b_�i_�n_�/_�k_�i_�l_�l, and _�/_�u_�s_�r_�/_�b_�i_�n_�/_�l_�p_�r_�m--but only as
383: o�op�pe�er�ra�at�to�or�r. E.g.,
384:
385: $ sudo -u operator /bin/ls
386:
387: It is also possible to override a Runas_Spec later on in an entry. If we
388: modify the entry like so:
389:
390: dgb boulder = (operator) /bin/ls, (root) /bin/kill, /usr/bin/lprm
391:
392: Then user d�dg�gb�b is now allowed to run _�/_�b_�i_�n_�/_�l_�s as o�op�pe�er�ra�at�to�or�r, but _�/_�b_�i_�n_�/_�k_�i_�l_�l
393: and _�/_�u_�s_�r_�/_�b_�i_�n_�/_�l_�p_�r_�m as r�ro�oo�ot�t.
394:
395: We can extend this to allow d�dg�gb�b to run /bin/ls with either the user or
396: group set to o�op�pe�er�ra�at�to�or�r:
397:
398: dgb boulder = (operator : operator) /bin/ls, (root) /bin/kill,\
399: /usr/bin/lprm
400:
401: Note that while the group portion of the Runas_Spec permits the user to
402: run as command with that group, it does not force the user to do so. If
403: no group is specified on the command line, the command will run with the
404: group listed in the target user's password database entry. The following
405: would all be permitted by the sudoers entry above:
406:
407: $ sudo -u operator /bin/ls
408: $ sudo -u operator -g operator /bin/ls
409: $ sudo -g operator /bin/ls
410:
411: In the following example, user t�tc�cm�m may run commands that access a modem
412: device file with the dialer group.
413:
414: tcm boulder = (:dialer) /usr/bin/tip, /usr/bin/cu,\
415: /usr/local/bin/minicom
416:
417: Note that in this example only the group will be set, the command still
418: runs as user t�tc�cm�m. E.g.
419:
420: $ sudo -g dialer /usr/bin/cu
421:
422: Multiple users and groups may be present in a Runas_Spec, in which case
423: the user may select any combination of users and groups via the -�-u�u and -�-g�g
424: options. In this example:
425:
426: alan ALL = (root, bin : operator, system) ALL
427:
428: user a�al�la�an�n may run any command as either user root or bin, optionally
429: setting the group to operator or system.
430:
431: S�SE�EL�Li�in�nu�ux�x_�_S�Sp�pe�ec�c
432: On systems with SELinux support, _�s_�u_�d_�o_�e_�r_�s entries may optionally have an
433: SELinux role and/or type associated with a command. If a role or type is
434: specified with the command it will override any default values specified
435: in _�s_�u_�d_�o_�e_�r_�s. A role or type specified on the command line, however, will
436: supersede the values in _�s_�u_�d_�o_�e_�r_�s.
437:
438: S�So�ol�la�ar�ri�is�s_�_P�Pr�ri�iv�v_�_S�Sp�pe�ec�c
439: On Solaris systems, _�s_�u_�d_�o_�e_�r_�s entries may optionally specify Solaris
440: privilege set and/or limit privilege set associated with a command. If
441: privileges or limit privileges are specified with the command it will
442: override any default values specified in _�s_�u_�d_�o_�e_�r_�s.
443:
444: A privilege set is a comma-separated list of privilege names. The
445: ppriv(1) command can be used to list all privileges known to the system.
446: For example:
447:
448: $ ppriv -l
449:
450: In addition, there are several ``special'' privilege strings:
451:
452: none the empty set
453:
454: all the set of all privileges
455:
456: zone the set of all privileges available in the current zone
457:
458: basic the default set of privileges normal users are granted at login
459: time
460:
461: Privileges can be excluded from a set by prefixing the privilege name
462: with either an `!' or `-' character.
463:
464: T�Ta�ag�g_�_S�Sp�pe�ec�c
465: A command may have zero or more tags associated with it. There are ten
466: possible tag values: NOPASSWD, PASSWD, NOEXEC, EXEC, SETENV, NOSETENV,
467: LOG_INPUT, NOLOG_INPUT, LOG_OUTPUT and NOLOG_OUTPUT. Once a tag is set
468: on a Cmnd, subsequent Cmnds in the Cmnd_Spec_List, inherit the tag unless
469: it is overridden by the opposite tag (in other words, PASSWD overrides
470: NOPASSWD and NOEXEC overrides EXEC).
471:
472: _�N_�O_�P_�A_�S_�S_�W_�D _�a_�n_�d _�P_�A_�S_�S_�W_�D
473:
474: By default, s�su�ud�do�o requires that a user authenticate him or herself before
475: running a command. This behavior can be modified via the NOPASSWD tag.
476: Like a Runas_Spec, the NOPASSWD tag sets a default for the commands that
477: follow it in the Cmnd_Spec_List. Conversely, the PASSWD tag can be used
478: to reverse things. For example:
479:
480: ray rushmore = NOPASSWD: /bin/kill, /bin/ls, /usr/bin/lprm
481:
482: would allow the user r�ra�ay�y to run _�/_�b_�i_�n_�/_�k_�i_�l_�l, _�/_�b_�i_�n_�/_�l_�s, and _�/_�u_�s_�r_�/_�b_�i_�n_�/_�l_�p_�r_�m as
483: r�ro�oo�ot�t on the machine rushmore without authenticating himself. If we only
484: want r�ra�ay�y to be able to run _�/_�b_�i_�n_�/_�k_�i_�l_�l without a password the entry would
485: be:
486:
487: ray rushmore = NOPASSWD: /bin/kill, PASSWD: /bin/ls, /usr/bin/lprm
488:
489: Note, however, that the PASSWD tag has no effect on users who are in the
490: group specified by the _�e_�x_�e_�m_�p_�t_�__�g_�r_�o_�u_�p option.
491:
492: By default, if the NOPASSWD tag is applied to any of the entries for a
493: user on the current host, he or she will be able to run ``sudo -l''
494: without a password. Additionally, a user may only run ``sudo -v''
495: without a password if the NOPASSWD tag is present for all a user's
496: entries that pertain to the current host. This behavior may be
497: overridden via the _�v_�e_�r_�i_�f_�y_�p_�w and _�l_�i_�s_�t_�p_�w options.
498:
499: _�N_�O_�E_�X_�E_�C _�a_�n_�d _�E_�X_�E_�C
500:
501: If s�su�ud�do�o has been compiled with _�n_�o_�e_�x_�e_�c support and the underlying
502: operating system supports it, the NOEXEC tag can be used to prevent a
503: dynamically-linked executable from running further commands itself.
504:
505: In the following example, user a�aa�ar�ro�on�n may run _�/_�u_�s_�r_�/_�b_�i_�n_�/_�m_�o_�r_�e and
506: _�/_�u_�s_�r_�/_�b_�i_�n_�/_�v_�i but shell escapes will be disabled.
507:
508: aaron shanty = NOEXEC: /usr/bin/more, /usr/bin/vi
509:
510: See the _�P_�r_�e_�v_�e_�n_�t_�i_�n_�g _�s_�h_�e_�l_�l _�e_�s_�c_�a_�p_�e_�s section below for more details on how
511: NOEXEC works and whether or not it will work on your system.
512:
513: _�S_�E_�T_�E_�N_�V _�a_�n_�d _�N_�O_�S_�E_�T_�E_�N_�V
514:
515: These tags override the value of the _�s_�e_�t_�e_�n_�v option on a per-command
516: basis. Note that if SETENV has been set for a command, the user may
517: disable the _�e_�n_�v_�__�r_�e_�s_�e_�t option from the command line via the -�-E�E option.
518: Additionally, environment variables set on the command line are not
519: subject to the restrictions imposed by _�e_�n_�v_�__�c_�h_�e_�c_�k, _�e_�n_�v_�__�d_�e_�l_�e_�t_�e, or
520: _�e_�n_�v_�__�k_�e_�e_�p. As such, only trusted users should be allowed to set variables
521: in this manner. If the command matched is A�AL�LL�L, the SETENV tag is implied
522: for that command; this default may be overridden by use of the NOSETENV
523: tag.
524:
525: _�L_�O_�G_�__�I_�N_�P_�U_�T _�a_�n_�d _�N_�O_�L_�O_�G_�__�I_�N_�P_�U_�T
526:
527: These tags override the value of the _�l_�o_�g_�__�i_�n_�p_�u_�t option on a per-command
528: basis. For more information, see the description of _�l_�o_�g_�__�i_�n_�p_�u_�t in the
529: _�S_�U_�D_�O_�E_�R_�S _�O_�P_�T_�I_�O_�N_�S section below.
530:
531: _�L_�O_�G_�__�O_�U_�T_�P_�U_�T _�a_�n_�d _�N_�O_�L_�O_�G_�__�O_�U_�T_�P_�U_�T
532:
533: These tags override the value of the _�l_�o_�g_�__�o_�u_�t_�p_�u_�t option on a per-command
534: basis. For more information, see the description of _�l_�o_�g_�__�o_�u_�t_�p_�u_�t in the
535: _�S_�U_�D_�O_�E_�R_�S _�O_�P_�T_�I_�O_�N_�S section below.
536:
537: W�Wi�il�ld�dc�ca�ar�rd�ds�s
538: s�su�ud�do�o allows shell-style _�w_�i_�l_�d_�c_�a_�r_�d_�s (aka meta or glob characters) to be
539: used in host names, path names and command line arguments in the _�s_�u_�d_�o_�e_�r_�s
540: file. Wildcard matching is done via the P�PO�OS�SI�IX�X glob(3) and fnmatch(3)
541: routines. Note that these are _�n_�o_�t regular expressions.
542:
543: * Matches any set of zero or more characters.
544:
545: ? Matches any single character.
546:
547: [...] Matches any character in the specified range.
548:
549: [!...] Matches any character n�no�ot�t in the specified range.
550:
551: \x For any character `x', evaluates to `x'. This is used to
552: escape special characters such as: `*', `?', `[', and `]'.
553:
554: POSIX character classes may also be used if your system's glob(3) and
555: fnmatch(3) functions support them. However, because the `:' character
556: has special meaning in _�s_�u_�d_�o_�e_�r_�s, it must be escaped. For example:
557:
558: /bin/ls [[:alpha:]]*
559:
560: Would match any file name beginning with a letter.
561:
562: Note that a forward slash (`/') will n�no�ot�t be matched by wildcards used in
563: the path name. This is to make a path like:
564:
565: /usr/bin/*
566:
567: match _�/_�u_�s_�r_�/_�b_�i_�n_�/_�w_�h_�o but not _�/_�u_�s_�r_�/_�b_�i_�n_�/_�X_�1_�1_�/_�x_�t_�e_�r_�m.
568:
569: When matching the command line arguments, however, a slash d�do�oe�es�s get
570: matched by wildcards since command line arguments may contain arbitrary
571: strings and not just path names.
572:
573: Wildcards in command line arguments should be used with care. Because
574: command line arguments are matched as a single, concatenated string, a
575: wildcard such as `?' or `*' can match multiple words. For example, while
576: a sudoers entry like:
577:
578: %operator ALL = /bin/cat /var/log/messages*
579:
580: will allow command like:
581:
582: $ sudo cat /var/log/messages.1
583:
584: It will also allow:
585:
586: $ sudo cat /var/log/messages /etc/shadow
587:
588: which is probably not what was intended.
589:
590: E�Ex�xc�ce�ep�pt�ti�io�on�ns�s t�to�o w�wi�il�ld�dc�ca�ar�rd�d r�ru�ul�le�es�s
591: The following exceptions apply to the above rules:
592:
593: "" If the empty string "" is the only command line argument in the
594: _�s_�u_�d_�o_�e_�r_�s entry it means that command is not allowed to be run
595: with a�an�ny�y arguments.
596:
597: sudoedit Command line arguments to the _�s_�u_�d_�o_�e_�d_�i_�t built-in command should
598: always be path names, so a forward slash (`/') will not be
599: matched by a wildcard.
600:
601: I�In�nc�cl�lu�ud�di�in�ng�g o�ot�th�he�er�r f�fi�il�le�es�s f�fr�ro�om�m w�wi�it�th�hi�in�n s�su�ud�do�oe�er�rs�s
602: It is possible to include other _�s_�u_�d_�o_�e_�r_�s files from within the _�s_�u_�d_�o_�e_�r_�s
603: file currently being parsed using the #include and #includedir
604: directives.
605:
606: This can be used, for example, to keep a site-wide _�s_�u_�d_�o_�e_�r_�s file in
607: addition to a local, per-machine file. For the sake of this example the
608: site-wide _�s_�u_�d_�o_�e_�r_�s will be _�/_�e_�t_�c_�/_�s_�u_�d_�o_�e_�r_�s and the per-machine one will be
609: _�/_�e_�t_�c_�/_�s_�u_�d_�o_�e_�r_�s_�._�l_�o_�c_�a_�l. To include _�/_�e_�t_�c_�/_�s_�u_�d_�o_�e_�r_�s_�._�l_�o_�c_�a_�l from within
610: _�/_�e_�t_�c_�/_�s_�u_�d_�o_�e_�r_�s we would use the following line in _�/_�e_�t_�c_�/_�s_�u_�d_�o_�e_�r_�s:
611:
612: #include /etc/sudoers.local
613:
614: When s�su�ud�do�o reaches this line it will suspend processing of the current
615: file (_�/_�e_�t_�c_�/_�s_�u_�d_�o_�e_�r_�s) and switch to _�/_�e_�t_�c_�/_�s_�u_�d_�o_�e_�r_�s_�._�l_�o_�c_�a_�l. Upon reaching the
616: end of _�/_�e_�t_�c_�/_�s_�u_�d_�o_�e_�r_�s_�._�l_�o_�c_�a_�l, the rest of _�/_�e_�t_�c_�/_�s_�u_�d_�o_�e_�r_�s will be processed.
617: Files that are included may themselves include other files. A hard limit
618: of 128 nested include files is enforced to prevent include file loops.
619:
620: If the path to the include file is not fully-qualified (does not begin
621: with a `/', it must be located in the same directory as the sudoers file
622: it was included from. For example, if _�/_�e_�t_�c_�/_�s_�u_�d_�o_�e_�r_�s contains the line:
623:
624: #include sudoers.local
625:
626: the file that will be included is _�/_�e_�t_�c_�/_�s_�u_�d_�o_�e_�r_�s_�._�l_�o_�c_�a_�l.
627:
628: The file name may also include the %h escape, signifying the short form
629: of the host name. In other words, if the machine's host name is
630: ``xerxes'', then
631:
632: #include /etc/sudoers.%h
633:
634: will cause s�su�ud�do�o to include the file _�/_�e_�t_�c_�/_�s_�u_�d_�o_�e_�r_�s_�._�x_�e_�r_�x_�e_�s.
635:
636: The #includedir directive can be used to create a _�s_�u_�d_�o_�._�d directory that
637: the system package manager can drop _�s_�u_�d_�o_�e_�r_�s rules into as part of package
638: installation. For example, given:
639:
640: #includedir /etc/sudoers.d
641:
642: s�su�ud�do�o will read each file in _�/_�e_�t_�c_�/_�s_�u_�d_�o_�e_�r_�s_�._�d, skipping file names that end
643: in `~' or contain a `.' character to avoid causing problems with package
644: manager or editor temporary/backup files. Files are parsed in sorted
645: lexical order. That is, _�/_�e_�t_�c_�/_�s_�u_�d_�o_�e_�r_�s_�._�d_�/_�0_�1_�__�f_�i_�r_�s_�t will be parsed before
646: _�/_�e_�t_�c_�/_�s_�u_�d_�o_�e_�r_�s_�._�d_�/_�1_�0_�__�s_�e_�c_�o_�n_�d. Be aware that because the sorting is lexical,
647: not numeric, _�/_�e_�t_�c_�/_�s_�u_�d_�o_�e_�r_�s_�._�d_�/_�1_�__�w_�h_�o_�o_�p_�s would be loaded a�af�ft�te�er�r
648: _�/_�e_�t_�c_�/_�s_�u_�d_�o_�e_�r_�s_�._�d_�/_�1_�0_�__�s_�e_�c_�o_�n_�d. Using a consistent number of leading zeroes in
649: the file names can be used to avoid such problems.
650:
651: Note that unlike files included via #include, v�vi�is�su�ud�do�o will not edit the
652: files in a #includedir directory unless one of them contains a syntax
653: error. It is still possible to run v�vi�is�su�ud�do�o with the -�-f�f flag to edit the
654: files directly.
655:
656: O�Ot�th�he�er�r s�sp�pe�ec�ci�ia�al�l c�ch�ha�ar�ra�ac�ct�te�er�rs�s a�an�nd�d r�re�es�se�er�rv�ve�ed�d w�wo�or�rd�ds�s
657: The pound sign (`#') is used to indicate a comment (unless it is part of
658: a #include directive or unless it occurs in the context of a user name
659: and is followed by one or more digits, in which case it is treated as a
660: uid). Both the comment character and any text after it, up to the end of
661: the line, are ignored.
662:
663: The reserved word A�AL�LL�L is a built-in _�a_�l_�i_�a_�s that always causes a match to
664: succeed. It can be used wherever one might otherwise use a Cmnd_Alias,
665: User_Alias, Runas_Alias, or Host_Alias. You should not try to define
666: your own _�a_�l_�i_�a_�s called A�AL�LL�L as the built-in alias will be used in
667: preference to your own. Please note that using A�AL�LL�L can be dangerous
668: since in a command context, it allows the user to run a�an�ny�y command on the
669: system.
670:
671: An exclamation point (`!') can be used as a logical _�n_�o_�t operator both in
672: an _�a_�l_�i_�a_�s and in front of a Cmnd. This allows one to exclude certain
673: values. Note, however, that using a `!' in conjunction with the built-in
674: A�AL�LL�L alias to allow a user to run ``all but a few'' commands rarely works
675: as intended (see _�S_�E_�C_�U_�R_�I_�T_�Y _�N_�O_�T_�E_�S below).
676:
677: Long lines can be continued with a backslash (`\') as the last character
678: on the line.
679:
680: White space between elements in a list as well as special syntactic
681: characters in a _�U_�s_�e_�r _�S_�p_�e_�c_�i_�f_�i_�c_�a_�t_�i_�o_�n (`=', `:', `(', `)') is optional.
682:
683: The following characters must be escaped with a backslash (`\') when used
684: as part of a word (e.g. a user name or host name): `!', `=', `:', `,',
685: `(', `)', `\'.
686:
687: S�SU�UD�DO�OE�ER�RS�S O�OP�PT�TI�IO�ON�NS�S
688: s�su�ud�do�o's behavior can be modified by Default_Entry lines, as explained
689: earlier. A list of all supported Defaults parameters, grouped by type,
690: are listed below.
691:
692: B�Bo�oo�ol�le�ea�an�n F�Fl�la�ag�gs�s:
693:
694: always_set_home If enabled, s�su�ud�do�o will set the HOME environment variable
695: to the home directory of the target user (which is root
696: unless the -�-u�u option is used). This effectively means
697: that the -�-H�H option is always implied. Note that HOME
698: is already set when the the _�e_�n_�v_�__�r_�e_�s_�e_�t option is
699: enabled, so _�a_�l_�w_�a_�y_�s_�__�s_�e_�t_�__�h_�o_�m_�e is only effective for
700: configurations where either _�e_�n_�v_�__�r_�e_�s_�e_�t is disabled or
701: HOME is present in the _�e_�n_�v_�__�k_�e_�e_�p list. This flag is _�o_�f_�f
702: by default.
703:
704: authenticate If set, users must authenticate themselves via a
705: password (or other means of authentication) before they
706: may run commands. This default may be overridden via
707: the PASSWD and NOPASSWD tags. This flag is _�o_�n by
708: default.
709:
710: closefrom_override
711: If set, the user may use s�su�ud�do�o's -�-C�C option which
712: overrides the default starting point at which s�su�ud�do�o
713: begins closing open file descriptors. This flag is _�o_�f_�f
714: by default.
715:
716: compress_io If set, and s�su�ud�do�o is configured to log a command's input
717: or output, the I/O logs will be compressed using z�zl�li�ib�b.
718: This flag is _�o_�n by default when s�su�ud�do�o is compiled with
719: z�zl�li�ib�b support.
720:
721: env_editor If set, v�vi�is�su�ud�do�o will use the value of the EDITOR or
722: VISUAL environment variables before falling back on the
723: default editor list. Note that this may create a
724: security hole as it allows the user to run any
725: arbitrary command as root without logging. A safer
726: alternative is to place a colon-separated list of
727: editors in the editor variable. v�vi�is�su�ud�do�o will then only
728: use the EDITOR or VISUAL if they match a value
729: specified in editor. This flag is _�o_�f_�f by default.
730:
731: env_reset If set, s�su�ud�do�o will run the command in a minimal
732: environment containing the TERM, PATH, HOME, MAIL,
733: SHELL, LOGNAME, USER, USERNAME and SUDO_* variables.
734: Any variables in the caller's environment that match
735: the env_keep and env_check lists are then added,
736: followed by any variables present in the file specified
737: by the _�e_�n_�v_�__�f_�i_�l_�e option (if any). The default contents
738: of the env_keep and env_check lists are displayed when
739: s�su�ud�do�o is run by root with the -�-V�V option. If the
740: _�s_�e_�c_�u_�r_�e_�__�p_�a_�t_�h option is set, its value will be used for
741: the PATH environment variable. This flag is _�o_�n by
742: default.
743:
744: fast_glob Normally, s�su�ud�do�o uses the glob(3) function to do shell-
745: style globbing when matching path names. However,
746: since it accesses the file system, glob(3) can take a
747: long time to complete for some patterns, especially
748: when the pattern references a network file system that
749: is mounted on demand (auto mounted). The _�f_�a_�s_�t_�__�g_�l_�o_�b
750: option causes s�su�ud�do�o to use the fnmatch(3) function,
751: which does not access the file system to do its
752: matching. The disadvantage of _�f_�a_�s_�t_�__�g_�l_�o_�b is that it is
753: unable to match relative path names such as _�._�/_�l_�s or
754: _�._�._�/_�b_�i_�n_�/_�l_�s. This has security implications when path
755: names that include globbing characters are used with
756: the negation operator, `!', as such rules can be
757: trivially bypassed. As such, this option should not be
758: used when _�s_�u_�d_�o_�e_�r_�s contains rules that contain negated
759: path names which include globbing characters. This
760: flag is _�o_�f_�f by default.
761:
762: fqdn Set this flag if you want to put fully qualified host
763: names in the _�s_�u_�d_�o_�e_�r_�s file when the local host name (as
764: returned by the hostname command) does not contain the
765: domain name. In other words, instead of myhost you
766: would use myhost.mydomain.edu. You may still use the
767: short form if you wish (and even mix the two). This
768: option is only effective when the ``canonical'' host
769: name, as returned by the g�ge�et�ta�ad�dd�dr�ri�in�nf�fo�o() or
770: g�ge�et�th�ho�os�st�tb�by�yn�na�am�me�e() function, is a fully-qualified domain
771: name. This is usually the case when the system is
772: configured to use DNS for host name resolution.
773:
774: If the system is configured to use the _�/_�e_�t_�c_�/_�h_�o_�s_�t_�s file
775: in preference to DNS, the ``canonical'' host name may
776: not be fully-qualified. The order that sources are
777: queried for hosts name resolution is usually specified
778: in the _�/_�e_�t_�c_�/_�n_�s_�s_�w_�i_�t_�c_�h_�._�c_�o_�n_�f, _�/_�e_�t_�c_�/_�n_�e_�t_�s_�v_�c_�._�c_�o_�n_�f,
779: _�/_�e_�t_�c_�/_�h_�o_�s_�t_�._�c_�o_�n_�f, or, in some cases, _�/_�e_�t_�c_�/_�r_�e_�s_�o_�l_�v_�._�c_�o_�n_�f
780: file. In the _�/_�e_�t_�c_�/_�h_�o_�s_�t_�s file, the first host name of
781: the entry is considered to be the ``canonical'' name;
782: subsequent names are aliases that are not used by
783: s�su�ud�do�oe�er�rs�s. For example, the following hosts file line
784: for the machine ``xyzzy'' has the fully-qualified
785: domain name as the ``canonical'' host name, and the
786: short version as an alias.
787:
788: 192.168.1.1 xyzzy.sudo.ws xyzzy
789:
790: If the machine's hosts file entry is not formatted
791: properly, the _�f_�q_�d_�n option will not be effective if it
792: is queried before DNS.
793:
794: Beware that when using DNS for host name resolution,
795: turning on _�f_�q_�d_�n requires s�su�ud�do�oe�er�rs�s to make DNS lookups
796: which renders s�su�ud�do�o unusable if DNS stops working (for
797: example if the machine is disconnected from the
798: network). Also note that just like with the hosts
799: file, you must use the ``canonical'' name as DNS knows
800: it. That is, you may not use a host alias (CNAME
801: entry) due to performance issues and the fact that
802: there is no way to get all aliases from DNS.
803:
804: This flag is _�o_�f_�f by default.
805:
806: ignore_dot If set, s�su�ud�do�o will ignore "." or "" (both denoting
807: current directory) in the PATH environment variable;
808: the PATH itself is not modified. This flag is _�o_�f_�f by
809: default.
810:
811: ignore_local_sudoers
812: If set via LDAP, parsing of _�/_�e_�t_�c_�/_�s_�u_�d_�o_�e_�r_�s will be
813: skipped. This is intended for Enterprises that wish to
814: prevent the usage of local sudoers files so that only
815: LDAP is used. This thwarts the efforts of rogue
816: operators who would attempt to add roles to
817: _�/_�e_�t_�c_�/_�s_�u_�d_�o_�e_�r_�s. When this option is present,
818: _�/_�e_�t_�c_�/_�s_�u_�d_�o_�e_�r_�s does not even need to exist. Since this
819: option tells s�su�ud�do�o how to behave when no specific LDAP
820: entries have been matched, this sudoOption is only
821: meaningful for the cn=defaults section. This flag is
822: _�o_�f_�f by default.
823:
824: insults If set, s�su�ud�do�o will insult users when they enter an
825: incorrect password. This flag is _�o_�f_�f by default.
826:
827: log_host If set, the host name will be logged in the (non-
828: syslog) s�su�ud�do�o log file. This flag is _�o_�f_�f by default.
829:
830: log_input If set, s�su�ud�do�o will run the command in a _�p_�s_�e_�u_�d_�o _�t_�t_�y and
831: log all user input. If the standard input is not
832: connected to the user's tty, due to I/O redirection or
833: because the command is part of a pipeline, that input
834: is also captured and stored in a separate log file.
835:
836: Input is logged to the directory specified by the
837: _�i_�o_�l_�o_�g_�__�d_�i_�r option (_�/_�v_�a_�r_�/_�l_�o_�g_�/_�s_�u_�d_�o_�-_�i_�o by default) using a
838: unique session ID that is included in the normal s�su�ud�do�o
839: log line, prefixed with ``TSID=''. The _�i_�o_�l_�o_�g_�__�f_�i_�l_�e
840: option may be used to control the format of the session
841: ID.
842:
843: Note that user input may contain sensitive information
844: such as passwords (even if they are not echoed to the
845: screen), which will be stored in the log file
846: unencrypted. In most cases, logging the command output
847: via _�l_�o_�g_�__�o_�u_�t_�p_�u_�t is all that is required.
848:
849: log_output If set, s�su�ud�do�o will run the command in a _�p_�s_�e_�u_�d_�o _�t_�t_�y and
850: log all output that is sent to the screen, similar to
851: the script(1) command. If the standard output or
852: standard error is not connected to the user's tty, due
853: to I/O redirection or because the command is part of a
854: pipeline, that output is also captured and stored in
855: separate log files.
856:
857: Output is logged to the directory specified by the
858: _�i_�o_�l_�o_�g_�__�d_�i_�r option (_�/_�v_�a_�r_�/_�l_�o_�g_�/_�s_�u_�d_�o_�-_�i_�o by default) using a
859: unique session ID that is included in the normal s�su�ud�do�o
860: log line, prefixed with ``TSID=''. The _�i_�o_�l_�o_�g_�__�f_�i_�l_�e
861: option may be used to control the format of the session
862: ID.
863:
864: Output logs may be viewed with the sudoreplay(1m)
865: utility, which can also be used to list or search the
866: available logs.
867:
868: log_year If set, the four-digit year will be logged in the (non-
869: syslog) s�su�ud�do�o log file. This flag is _�o_�f_�f by default.
870:
871: long_otp_prompt When validating with a One Time Password (OTP) scheme
872: such as S�S/�/K�Ke�ey�y or O�OP�PI�IE�E, a two-line prompt is used to
873: make it easier to cut and paste the challenge to a
874: local window. It's not as pretty as the default but
875: some people find it more convenient. This flag is _�o_�f_�f
876: by default.
877:
878: mail_always Send mail to the _�m_�a_�i_�l_�t_�o user every time a users runs
879: s�su�ud�do�o. This flag is _�o_�f_�f by default.
880:
881: mail_badpass Send mail to the _�m_�a_�i_�l_�t_�o user if the user running s�su�ud�do�o
882: does not enter the correct password. If the command
883: the user is attempting to run is not permitted by
884: _�s_�u_�d_�o_�e_�r_�s and one of the _�m_�a_�i_�l_�__�a_�l_�w_�a_�y_�s, _�m_�a_�i_�l_�__�n_�o_�__�h_�o_�s_�t,
885: _�m_�a_�i_�l_�__�n_�o_�__�p_�e_�r_�m_�s or _�m_�a_�i_�l_�__�n_�o_�__�u_�s_�e_�r flags are set, this flag
886: will have no effect. This flag is _�o_�f_�f by default.
887:
888: mail_no_host If set, mail will be sent to the _�m_�a_�i_�l_�t_�o user if the
889: invoking user exists in the _�s_�u_�d_�o_�e_�r_�s file, but is not
890: allowed to run commands on the current host. This flag
891: is _�o_�f_�f by default.
892:
893: mail_no_perms If set, mail will be sent to the _�m_�a_�i_�l_�t_�o user if the
894: invoking user is allowed to use s�su�ud�do�o but the command
895: they are trying is not listed in their _�s_�u_�d_�o_�e_�r_�s file
896: entry or is explicitly denied. This flag is _�o_�f_�f by
897: default.
898:
899: mail_no_user If set, mail will be sent to the _�m_�a_�i_�l_�t_�o user if the
900: invoking user is not in the _�s_�u_�d_�o_�e_�r_�s file. This flag is
901: _�o_�n by default.
902:
903: noexec If set, all commands run via s�su�ud�do�o will behave as if the
904: NOEXEC tag has been set, unless overridden by a EXEC
905: tag. See the description of _�N_�O_�E_�X_�E_�C _�a_�n_�d _�E_�X_�E_�C below as
906: well as the _�P_�r_�e_�v_�e_�n_�t_�i_�n_�g _�s_�h_�e_�l_�l _�e_�s_�c_�a_�p_�e_�s section at the end
907: of this manual. This flag is _�o_�f_�f by default.
908:
909: path_info Normally, s�su�ud�do�o will tell the user when a command could
910: not be found in their PATH environment variable. Some
911: sites may wish to disable this as it could be used to
912: gather information on the location of executables that
913: the normal user does not have access to. The
914: disadvantage is that if the executable is simply not in
915: the user's PATH, s�su�ud�do�o will tell the user that they are
916: not allowed to run it, which can be confusing. This
917: flag is _�o_�n by default.
918:
919: passprompt_override
920: The password prompt specified by _�p_�a_�s_�s_�p_�r_�o_�m_�p_�t will
921: normally only be used if the password prompt provided
922: by systems such as PAM matches the string
923: ``Password:''. If _�p_�a_�s_�s_�p_�r_�o_�m_�p_�t_�__�o_�v_�e_�r_�r_�i_�d_�e is set,
924: _�p_�a_�s_�s_�p_�r_�o_�m_�p_�t will always be used. This flag is _�o_�f_�f by
925: default.
926:
927: preserve_groups By default, s�su�ud�do�o will initialize the group vector to
928: the list of groups the target user is in. When
929: _�p_�r_�e_�s_�e_�r_�v_�e_�__�g_�r_�o_�u_�p_�s is set, the user's existing group
930: vector is left unaltered. The real and effective group
931: IDs, however, are still set to match the target user.
932: This flag is _�o_�f_�f by default.
933:
934: pwfeedback By default, s�su�ud�do�o reads the password like most other
935: Unix programs, by turning off echo until the user hits
936: the return (or enter) key. Some users become confused
937: by this as it appears to them that s�su�ud�do�o has hung at
938: this point. When _�p_�w_�f_�e_�e_�d_�b_�a_�c_�k is set, s�su�ud�do�o will provide
939: visual feedback when the user presses a key. Note that
940: this does have a security impact as an onlooker may be
941: able to determine the length of the password being
942: entered. This flag is _�o_�f_�f by default.
943:
944: requiretty If set, s�su�ud�do�o will only run when the user is logged in
945: to a real tty. When this flag is set, s�su�ud�do�o can only be
946: run from a login session and not via other means such
947: as cron(1m) or cgi-bin scripts. This flag is _�o_�f_�f by
948: default.
949:
950: root_sudo If set, root is allowed to run s�su�ud�do�o too. Disabling
951: this prevents users from ``chaining'' s�su�ud�do�o commands to
952: get a root shell by doing something like ``sudo sudo
953: /bin/sh''. Note, however, that turning off _�r_�o_�o_�t_�__�s_�u_�d_�o
954: will also prevent root from running s�su�ud�do�oe�ed�di�it�t.
955: Disabling _�r_�o_�o_�t_�__�s_�u_�d_�o provides no real additional
956: security; it exists purely for historical reasons.
957: This flag is _�o_�n by default.
958:
959: rootpw If set, s�su�ud�do�o will prompt for the root password instead
960: of the password of the invoking user. This flag is _�o_�f_�f
961: by default.
962:
963: runaspw If set, s�su�ud�do�o will prompt for the password of the user
964: defined by the _�r_�u_�n_�a_�s_�__�d_�e_�f_�a_�u_�l_�t option (defaults to root)
965: instead of the password of the invoking user. This
966: flag is _�o_�f_�f by default.
967:
968: set_home If enabled and s�su�ud�do�o is invoked with the -�-s�s option the
969: HOME environment variable will be set to the home
970: directory of the target user (which is root unless the
971: -�-u�u option is used). This effectively makes the -�-s�s
972: option imply -�-H�H. Note that HOME is already set when
973: the the _�e_�n_�v_�__�r_�e_�s_�e_�t option is enabled, so _�s_�e_�t_�__�h_�o_�m_�e is
974: only effective for configurations where either
975: _�e_�n_�v_�__�r_�e_�s_�e_�t is disabled or HOME is present in the
976: _�e_�n_�v_�__�k_�e_�e_�p list. This flag is _�o_�f_�f by default.
977:
978: set_logname Normally, s�su�ud�do�o will set the LOGNAME, USER and USERNAME
979: environment variables to the name of the target user
980: (usually root unless the -�-u�u option is given). However,
981: since some programs (including the RCS revision control
982: system) use LOGNAME to determine the real identity of
983: the user, it may be desirable to change this behavior.
984: This can be done by negating the set_logname option.
985: Note that if the _�e_�n_�v_�__�r_�e_�s_�e_�t option has not been
986: disabled, entries in the _�e_�n_�v_�__�k_�e_�e_�p list will override
987: the value of _�s_�e_�t_�__�l_�o_�g_�n_�a_�m_�e. This flag is _�o_�n by default.
988:
989: set_utmp When enabled, s�su�ud�do�o will create an entry in the utmp (or
990: utmpx) file when a pseudo-tty is allocated. A pseudo-
991: tty is allocated by s�su�ud�do�o when the _�l_�o_�g_�__�i_�n_�p_�u_�t, _�l_�o_�g_�__�o_�u_�t_�p_�u_�t
992: or _�u_�s_�e_�__�p_�t_�y flags are enabled. By default, the new
993: entry will be a copy of the user's existing utmp entry
994: (if any), with the tty, time, type and pid fields
995: updated. This flag is _�o_�n by default.
996:
997: setenv Allow the user to disable the _�e_�n_�v_�__�r_�e_�s_�e_�t option from the
998: command line via the -�-E�E option. Additionally,
999: environment variables set via the command line are not
1000: subject to the restrictions imposed by _�e_�n_�v_�__�c_�h_�e_�c_�k,
1001: _�e_�n_�v_�__�d_�e_�l_�e_�t_�e, or _�e_�n_�v_�__�k_�e_�e_�p. As such, only trusted users
1002: should be allowed to set variables in this manner.
1003: This flag is _�o_�f_�f by default.
1004:
1005: shell_noargs If set and s�su�ud�do�o is invoked with no arguments it acts as
1006: if the -�-s�s option had been given. That is, it runs a
1007: shell as root (the shell is determined by the SHELL
1008: environment variable if it is set, falling back on the
1009: shell listed in the invoking user's /etc/passwd entry
1010: if not). This flag is _�o_�f_�f by default.
1011:
1012: stay_setuid Normally, when s�su�ud�do�o executes a command the real and
1013: effective UIDs are set to the target user (root by
1014: default). This option changes that behavior such that
1015: the real UID is left as the invoking user's UID. In
1016: other words, this makes s�su�ud�do�o act as a setuid wrapper.
1017: This can be useful on systems that disable some
1018: potentially dangerous functionality when a program is
1019: run setuid. This option is only effective on systems
1020: that support either the setreuid(2) or setresuid(2)
1021: system call. This flag is _�o_�f_�f by default.
1022:
1023: targetpw If set, s�su�ud�do�o will prompt for the password of the user
1024: specified by the -�-u�u option (defaults to root) instead
1025: of the password of the invoking user. In addition, the
1026: time stamp file name will include the target user's
1027: name. Note that this flag precludes the use of a uid
1028: not listed in the passwd database as an argument to the
1029: -�-u�u option. This flag is _�o_�f_�f by default.
1030:
1031: tty_tickets If set, users must authenticate on a per-tty basis.
1032: With this flag enabled, s�su�ud�do�o will use a file named for
1033: the tty the user is logged in on in the user's time
1034: stamp directory. If disabled, the time stamp of the
1035: directory is used instead. This flag is _�o_�n by default.
1036:
1037: umask_override If set, s�su�ud�do�o will set the umask as specified by _�s_�u_�d_�o_�e_�r_�s
1038: without modification. This makes it possible to
1039: specify a more permissive umask in _�s_�u_�d_�o_�e_�r_�s than the
1040: user's own umask and matches historical behavior. If
1041: _�u_�m_�a_�s_�k_�__�o_�v_�e_�r_�r_�i_�d_�e is not set, s�su�ud�do�o will set the umask to
1042: be the union of the user's umask and what is specified
1043: in _�s_�u_�d_�o_�e_�r_�s. This flag is _�o_�f_�f by default.
1044:
1045: use_loginclass If set, s�su�ud�do�o will apply the defaults specified for the
1046: target user's login class if one exists. Only
1047: available if s�su�ud�do�o is configured with the
1048: --with-logincap option. This flag is _�o_�f_�f by default.
1049:
1050: use_pty If set, s�su�ud�do�o will run the command in a pseudo-pty even
1051: if no I/O logging is being gone. A malicious program
1052: run under s�su�ud�do�o could conceivably fork a background
1053: process that retains to the user's terminal device
1054: after the main program has finished executing. Use of
1055: this option will make that impossible. This flag is
1056: _�o_�f_�f by default.
1057:
1058: utmp_runas If set, s�su�ud�do�o will store the name of the runas user when
1059: updating the utmp (or utmpx) file. By default, s�su�ud�do�o
1060: stores the name of the invoking user. This flag is _�o_�f_�f
1061: by default.
1062:
1063: visiblepw By default, s�su�ud�do�o will refuse to run if the user must
1064: enter a password but it is not possible to disable echo
1065: on the terminal. If the _�v_�i_�s_�i_�b_�l_�e_�p_�w flag is set, s�su�ud�do�o
1066: will prompt for a password even when it would be
1067: visible on the screen. This makes it possible to run
1068: things like ``ssh somehost sudo ls'' since by default,
1069: ssh(1) does not allocate a tty when running a command.
1070: This flag is _�o_�f_�f by default.
1071:
1072: I�In�nt�te�eg�ge�er�rs�s:
1073:
1074: closefrom Before it executes a command, s�su�ud�do�o will close all open
1075: file descriptors other than standard input, standard
1076: output and standard error (ie: file descriptors 0-2).
1077: The _�c_�l_�o_�s_�e_�f_�r_�o_�m option can be used to specify a different
1078: file descriptor at which to start closing. The default
1079: is 3.
1080:
1081: passwd_tries The number of tries a user gets to enter his/her
1082: password before s�su�ud�do�o logs the failure and exits. The
1083: default is 3.
1084:
1085: I�In�nt�te�eg�ge�er�rs�s t�th�ha�at�t c�ca�an�n b�be�e u�us�se�ed�d i�in�n a�a b�bo�oo�ol�le�ea�an�n c�co�on�nt�te�ex�xt�t:
1086:
1087: loglinelen Number of characters per line for the file log. This
1088: value is used to decide when to wrap lines for nicer
1089: log files. This has no effect on the syslog log file,
1090: only the file log. The default is 80 (use 0 or negate
1091: the option to disable word wrap).
1092:
1093: passwd_timeout Number of minutes before the s�su�ud�do�o password prompt times
1094: out, or 0 for no timeout. The timeout may include a
1095: fractional component if minute granularity is
1096: insufficient, for example 2.5. The default is 5.
1097:
1098: timestamp_timeout
1099: Number of minutes that can elapse before s�su�ud�do�o will ask
1100: for a passwd again. The timeout may include a
1101: fractional component if minute granularity is
1102: insufficient, for example 2.5. The default is 5. Set
1103: this to 0 to always prompt for a password. If set to a
1104: value less than 0 the user's time stamp will never
1105: expire. This can be used to allow users to create or
1106: delete their own time stamps via ``sudo -v'' and ``sudo
1107: -k'' respectively.
1108:
1109: umask Umask to use when running the command. Negate this
1110: option or set it to 0777 to preserve the user's umask.
1111: The actual umask that is used will be the union of the
1112: user's umask and the value of the _�u_�m_�a_�s_�k option, which
1113: defaults to 0022. This guarantees that s�su�ud�do�o never
1114: lowers the umask when running a command. Note: on
1115: systems that use PAM, the default PAM configuration may
1116: specify its own umask which will override the value set
1117: in _�s_�u_�d_�o_�e_�r_�s.
1118:
1119: S�St�tr�ri�in�ng�gs�s:
1120:
1121: badpass_message Message that is displayed if a user enters an incorrect
1122: password. The default is Sorry, try again. unless
1123: insults are enabled.
1124:
1125: editor A colon (`:') separated list of editors allowed to be
1126: used with v�vi�is�su�ud�do�o. v�vi�is�su�ud�do�o will choose the editor that
1127: matches the user's EDITOR environment variable if
1128: possible, or the first editor in the list that exists
1129: and is executable. The default is _�v_�i.
1130:
1131: iolog_dir The top-level directory to use when constructing the
1132: path name for the input/output log directory. Only
1133: used if the _�l_�o_�g_�__�i_�n_�p_�u_�t or _�l_�o_�g_�__�o_�u_�t_�p_�u_�t options are enabled
1134: or when the LOG_INPUT or LOG_OUTPUT tags are present
1135: for a command. The session sequence number, if any, is
1136: stored in the directory. The default is
1137: _�/_�v_�a_�r_�/_�l_�o_�g_�/_�s_�u_�d_�o_�-_�i_�o.
1138:
1139: The following percent (`%') escape sequences are
1140: supported:
1141:
1142: %{seq}
1143: expanded to a monotonically increasing base-36
1144: sequence number, such as 0100A5, where every two
1145: digits are used to form a new directory, e.g.
1146: _�0_�1_�/_�0_�0_�/_�A_�5
1147:
1148: %{user}
1149: expanded to the invoking user's login name
1150:
1151: %{group}
1152: expanded to the name of the invoking user's real
1153: group ID
1154:
1155: %{runas_user}
1156: expanded to the login name of the user the
1157: command will be run as (e.g. root)
1158:
1159: %{runas_group}
1160: expanded to the group name of the user the
1161: command will be run as (e.g. wheel)
1162:
1163: %{hostname}
1164: expanded to the local host name without the
1165: domain name
1166:
1167: %{command}
1168: expanded to the base name of the command being
1169: run
1170:
1171: In addition, any escape sequences supported by the
1172: system's strftime(3) function will be expanded.
1173:
1174: To include a literal `%' character, the string `%%'
1175: should be used.
1176:
1177: iolog_file The path name, relative to _�i_�o_�l_�o_�g_�__�d_�i_�r, in which to store
1178: input/output logs when the _�l_�o_�g_�__�i_�n_�p_�u_�t or _�l_�o_�g_�__�o_�u_�t_�p_�u_�t
1179: options are enabled or when the LOG_INPUT or LOG_OUTPUT
1180: tags are present for a command. Note that _�i_�o_�l_�o_�g_�__�f_�i_�l_�e
1181: may contain directory components. The default is
1182: ``%{seq}''.
1183:
1184: See the _�i_�o_�l_�o_�g_�__�d_�i_�r option above for a list of supported
1185: percent (`%') escape sequences.
1186:
1187: In addition to the escape sequences, path names that
1188: end in six or more Xs will have the Xs replaced with a
1189: unique combination of digits and letters, similar to
1190: the mktemp(3) function.
1191:
1192: limitprivs The default Solaris limit privileges to use when
1193: constructing a new privilege set for a command. This
1194: bounds all privileges of the executing process. The
1195: default limit privileges may be overridden on a per-
1196: command basis in _�s_�u_�d_�o_�e_�r_�s. This option is only
1197: available if s�su�ud�do�oe�er�rs�s is built on Solaris 10 or higher.
1198:
1199: mailsub Subject of the mail sent to the _�m_�a_�i_�l_�t_�o user. The
1200: escape %h will expand to the host name of the machine.
1201: Default is ``*** SECURITY information for %h ***''.
1202:
1203: noexec_file This option is no longer supported. The path to the
1204: noexec file should now be set in the _�/_�e_�t_�c_�/_�s_�u_�d_�o_�._�c_�o_�n_�f
1205: file.
1206:
1207: passprompt The default prompt to use when asking for a password;
1208: can be overridden via the -�-p�p option or the SUDO_PROMPT
1209: environment variable. The following percent (`%')
1210: escape sequences are supported:
1211:
1212: %H expanded to the local host name including the
1213: domain name (only if the machine's host name is
1214: fully qualified or the _�f_�q_�d_�n option is set)
1215:
1216: %h expanded to the local host name without the
1217: domain name
1218:
1219: %p expanded to the user whose password is being
1220: asked for (respects the _�r_�o_�o_�t_�p_�w, _�t_�a_�r_�g_�e_�t_�p_�w and
1221: _�r_�u_�n_�a_�s_�p_�w flags in _�s_�u_�d_�o_�e_�r_�s)
1222:
1223: %U expanded to the login name of the user the
1224: command will be run as (defaults to root)
1225:
1226: %u expanded to the invoking user's login name
1227:
1228: %% two consecutive % characters are collapsed into a
1229: single % character
1230:
1231: The default value is ``Password:''.
1232:
1233: privs The default Solaris privileges to use when constructing
1234: a new privilege set for a command. This is passed to
1235: the executing process via the inherited privilege set,
1236: but is bounded by the limit privileges. If the _�p_�r_�i_�v_�s
1237: option is specified but the _�l_�i_�m_�i_�t_�p_�r_�i_�v_�s option is not,
1238: the limit privileges of the executing process is set to
1239: _�p_�r_�i_�v_�s. The default privileges may be overridden on a
1240: per-command basis in _�s_�u_�d_�o_�e_�r_�s. This option is only
1241: available if s�su�ud�do�oe�er�rs�s is built on Solaris 10 or higher.
1242:
1243: role The default SELinux role to use when constructing a new
1244: security context to run the command. The default role
1245: may be overridden on a per-command basis in _�s_�u_�d_�o_�e_�r_�s or
1246: via command line options. This option is only
1247: available when s�su�ud�do�o is built with SELinux support.
1248:
1249: runas_default The default user to run commands as if the -�-u�u option is
1250: not specified on the command line. This defaults to
1251: root.
1252:
1253: syslog_badpri Syslog priority to use when user authenticates
1254: unsuccessfully. Defaults to alert.
1255:
1256: The following syslog priorities are supported: a�al�le�er�rt�t,
1257: c�cr�ri�it�t, d�de�eb�bu�ug�g, e�em�me�er�rg�g, e�er�rr�r, i�in�nf�fo�o, n�no�ot�ti�ic�ce�e, and w�wa�ar�rn�ni�in�ng�g.
1258:
1259: syslog_goodpri Syslog priority to use when user authenticates
1260: successfully. Defaults to notice.
1261:
1262: See _�s_�y_�s_�l_�o_�g_�__�b_�a_�d_�p_�r_�i for the list of supported syslog
1263: priorities.
1264:
1265: sudoers_locale Locale to use when parsing the sudoers file, logging
1266: commands, and sending email. Note that changing the
1267: locale may affect how sudoers is interpreted. Defaults
1268: to ``C''.
1269:
1270: timestampdir The directory in which s�su�ud�do�o stores its time stamp
1271: files. The default is _�/_�v_�a_�r_�/_�a_�d_�m_�/_�s_�u_�d_�o.
1272:
1273: timestampowner The owner of the time stamp directory and the time
1274: stamps stored therein. The default is root.
1275:
1276: type The default SELinux type to use when constructing a new
1277: security context to run the command. The default type
1278: may be overridden on a per-command basis in _�s_�u_�d_�o_�e_�r_�s or
1279: via command line options. This option is only
1280: available when s�su�ud�do�o is built with SELinux support.
1281:
1282: S�St�tr�ri�in�ng�gs�s t�th�ha�at�t c�ca�an�n b�be�e u�us�se�ed�d i�in�n a�a b�bo�oo�ol�le�ea�an�n c�co�on�nt�te�ex�xt�t:
1283:
1284: env_file The _�e_�n_�v_�__�f_�i_�l_�e option specifies the fully qualified path to a
1285: file containing variables to be set in the environment of
1286: the program being run. Entries in this file should either
1287: be of the form ``VARIABLE=value'' or ``export
1288: VARIABLE=value''. The value may optionally be surrounded
1289: by single or double quotes. Variables in this file are
1290: subject to other s�su�ud�do�o environment settings such as _�e_�n_�v_�__�k_�e_�e_�p
1291: and _�e_�n_�v_�__�c_�h_�e_�c_�k.
1292:
1293: exempt_group Users in this group are exempt from password and PATH
1294: requirements. The group name specified should not include
1295: a % prefix. This is not set by default.
1296:
1297: group_plugin A string containing a _�s_�u_�d_�o_�e_�r_�s group plugin with optional
1298: arguments. This can be used to implement support for the
1299: nonunix_group syntax described earlier. The string should
1300: consist of the plugin path, either fully-qualified or
1301: relative to the _�/_�u_�s_�r_�/_�l_�o_�c_�a_�l_�/_�l_�i_�b_�e_�x_�e_�c directory, followed by
1302: any configuration arguments the plugin requires. These
1303: arguments (if any) will be passed to the plugin's
1304: initialization function. If arguments are present, the
1305: string must be enclosed in double quotes ("").
1306:
1307: For example, given _�/_�e_�t_�c_�/_�s_�u_�d_�o_�-_�g_�r_�o_�u_�p, a group file in Unix
1308: group format, the sample group plugin can be used:
1309:
1310: Defaults group_plugin="sample_group.so /etc/sudo-group"
1311:
1312: For more information see sudo_plugin(4).
1313:
1314: lecture This option controls when a short lecture will be printed
1315: along with the password prompt. It has the following
1316: possible values:
1317:
1318: always Always lecture the user.
1319:
1320: never Never lecture the user.
1321:
1322: once Only lecture the user the first time they run s�su�ud�do�o.
1323:
1324: If no value is specified, a value of _�o_�n_�c_�e is implied.
1325: Negating the option results in a value of _�n_�e_�v_�e_�r being used.
1326: The default value is _�o_�n_�c_�e.
1327:
1328: lecture_file Path to a file containing an alternate s�su�ud�do�o lecture that
1329: will be used in place of the standard lecture if the named
1330: file exists. By default, s�su�ud�do�o uses a built-in lecture.
1331:
1332: listpw This option controls when a password will be required when
1333: a user runs s�su�ud�do�o with the -�-l�l option. It has the following
1334: possible values:
1335:
1336: all All the user's _�s_�u_�d_�o_�e_�r_�s entries for the current
1337: host must have the NOPASSWD flag set to avoid
1338: entering a password.
1339:
1340: always The user must always enter a password to use the
1341: -�-l�l option.
1342:
1343: any At least one of the user's _�s_�u_�d_�o_�e_�r_�s entries for
1344: the current host must have the NOPASSWD flag set
1345: to avoid entering a password.
1346:
1347: never The user need never enter a password to use the
1348: -�-l�l option.
1349:
1350: If no value is specified, a value of _�a_�n_�y is implied.
1351: Negating the option results in a value of _�n_�e_�v_�e_�r being used.
1352: The default value is _�a_�n_�y.
1353:
1354: logfile Path to the s�su�ud�do�o log file (not the syslog log file).
1355: Setting a path turns on logging to a file; negating this
1356: option turns it off. By default, s�su�ud�do�o logs via syslog.
1357:
1358: mailerflags Flags to use when invoking mailer. Defaults to -�-t�t.
1359:
1360: mailerpath Path to mail program used to send warning mail. Defaults
1361: to the path to sendmail found at configure time.
1362:
1363: mailfrom Address to use for the ``from'' address when sending
1364: warning and error mail. The address should be enclosed in
1365: double quotes ("") to protect against s�su�ud�do�o interpreting the
1366: @ sign. Defaults to the name of the user running s�su�ud�do�o.
1367:
1368: mailto Address to send warning and error mail to. The address
1369: should be enclosed in double quotes ("") to protect against
1370: s�su�ud�do�o interpreting the @ sign. Defaults to root.
1371:
1372: secure_path Path used for every command run from s�su�ud�do�o. If you don't
1373: trust the people running s�su�ud�do�o to have a sane PATH
1374: environment variable you may want to use this. Another use
1375: is if you want to have the ``root path'' be separate from
1376: the ``user path''. Users in the group specified by the
1377: _�e_�x_�e_�m_�p_�t_�__�g_�r_�o_�u_�p option are not affected by _�s_�e_�c_�u_�r_�e_�__�p_�a_�t_�h. This
1378: option is not set by default.
1379:
1380: syslog Syslog facility if syslog is being used for logging (negate
1381: to disable syslog logging). Defaults to auth.
1382:
1383: The following syslog facilities are supported: a�au�ut�th�hp�pr�ri�iv�v (if
1384: your OS supports it), a�au�ut�th�h, d�da�ae�em�mo�on�n, u�us�se�er�r, l�lo�oc�ca�al�l0�0, l�lo�oc�ca�al�l1�1,
1385: l�lo�oc�ca�al�l2�2, l�lo�oc�ca�al�l3�3, l�lo�oc�ca�al�l4�4, l�lo�oc�ca�al�l5�5, l�lo�oc�ca�al�l6�6, and l�lo�oc�ca�al�l7�7.
1386:
1387: verifypw This option controls when a password will be required when
1388: a user runs s�su�ud�do�o with the -�-v�v option. It has the following
1389: possible values:
1390:
1391: all All the user's _�s_�u_�d_�o_�e_�r_�s entries for the current host
1392: must have the NOPASSWD flag set to avoid entering a
1393: password.
1394:
1395: always The user must always enter a password to use the -�-v�v
1396: option.
1397:
1398: any At least one of the user's _�s_�u_�d_�o_�e_�r_�s entries for the
1399: current host must have the NOPASSWD flag set to
1400: avoid entering a password.
1401:
1402: never The user need never enter a password to use the -�-v�v
1403: option.
1404:
1405: If no value is specified, a value of _�a_�l_�l is implied.
1406: Negating the option results in a value of _�n_�e_�v_�e_�r being used.
1407: The default value is _�a_�l_�l.
1408:
1409: L�Li�is�st�ts�s t�th�ha�at�t c�ca�an�n b�be�e u�us�se�ed�d i�in�n a�a b�bo�oo�ol�le�ea�an�n c�co�on�nt�te�ex�xt�t:
1410:
1411: env_check Environment variables to be removed from the user's
1412: environment if the variable's value contains `%' or `/'
1413: characters. This can be used to guard against printf-
1414: style format vulnerabilities in poorly-written
1415: programs. The argument may be a double-quoted, space-
1416: separated list or a single value without double-quotes.
1417: The list can be replaced, added to, deleted from, or
1418: disabled by using the =, +=, -=, and ! operators
1419: respectively. Regardless of whether the env_reset
1420: option is enabled or disabled, variables specified by
1421: env_check will be preserved in the environment if they
1422: pass the aforementioned check. The default list of
1423: environment variables to check is displayed when s�su�ud�do�o
1424: is run by root with the -�-V�V option.
1425:
1426: env_delete Environment variables to be removed from the user's
1427: environment when the _�e_�n_�v_�__�r_�e_�s_�e_�t option is not in effect.
1428: The argument may be a double-quoted, space-separated
1429: list or a single value without double-quotes. The list
1430: can be replaced, added to, deleted from, or disabled by
1431: using the =, +=, -=, and ! operators respectively. The
1432: default list of environment variables to remove is
1433: displayed when s�su�ud�do�o is run by root with the -�-V�V option.
1434: Note that many operating systems will remove
1435: potentially dangerous variables from the environment of
1436: any setuid process (such as s�su�ud�do�o).
1437:
1438: env_keep Environment variables to be preserved in the user's
1439: environment when the _�e_�n_�v_�__�r_�e_�s_�e_�t option is in effect.
1440: This allows fine-grained control over the environment
1441: s�su�ud�do�o-spawned processes will receive. The argument may
1442: be a double-quoted, space-separated list or a single
1443: value without double-quotes. The list can be replaced,
1444: added to, deleted from, or disabled by using the =, +=,
1445: -=, and ! operators respectively. The default list of
1446: variables to keep is displayed when s�su�ud�do�o is run by root
1447: with the -�-V�V option.
1448:
1449: L�LO�OG�G F�FO�OR�RM�MA�AT�T
1450: s�su�ud�do�oe�er�rs�s can log events using either syslog(3) or a simple log file. In
1451: each case the log format is almost identical.
1452:
1453: A�Ac�cc�ce�ep�pt�te�ed�d c�co�om�mm�ma�an�nd�d l�lo�og�g e�en�nt�tr�ri�ie�es�s
1454: Commands that sudo runs are logged using the following format (split into
1455: multiple lines for readability):
1456:
1457: date hostname progname: username : TTY=ttyname ; PWD=cwd ; \
1458: USER=runasuser ; GROUP=runasgroup ; TSID=logid ; \
1459: ENV=env_vars COMMAND=command
1460:
1461: Where the fields are as follows:
1462:
1463: date The date the command was run. Typically, this is in the
1464: format ``MMM, DD, HH:MM:SS''. If logging via syslog(3),
1465: the actual date format is controlled by the syslog daemon.
1466: If logging to a file and the _�l_�o_�g_�__�y_�e_�a_�r option is enabled,
1467: the date will also include the year.
1468:
1469: hostname The name of the host s�su�ud�do�o was run on. This field is only
1470: present when logging via syslog(3).
1471:
1472: progname The name of the program, usually _�s_�u_�d_�o or _�s_�u_�d_�o_�e_�d_�i_�t. This
1473: field is only present when logging via syslog(3).
1474:
1475: username The login name of the user who ran s�su�ud�do�o.
1476:
1477: ttyname The short name of the terminal (e.g. ``console'',
1478: ``tty01'', or ``pts/0'') s�su�ud�do�o was run on, or ``unknown'' if
1479: there was no terminal present.
1480:
1481: cwd The current working directory that s�su�ud�do�o was run in.
1482:
1483: runasuser The user the command was run as.
1484:
1485: runasgroup The group the command was run as if one was specified on
1486: the command line.
1487:
1488: logid An I/O log identifier that can be used to replay the
1489: command's output. This is only present when the _�l_�o_�g_�__�i_�n_�p_�u_�t
1490: or _�l_�o_�g_�__�o_�u_�t_�p_�u_�t option is enabled.
1491:
1492: env_vars A list of environment variables specified on the command
1493: line, if specified.
1494:
1495: command The actual command that was executed.
1496:
1497: Messages are logged using the locale specified by _�s_�u_�d_�o_�e_�r_�s_�__�l_�o_�c_�a_�l_�e, which
1498: defaults to the ``C'' locale.
1499:
1500: D�De�en�ni�ie�ed�d c�co�om�mm�ma�an�nd�d l�lo�og�g e�en�nt�tr�ri�ie�es�s
1501: If the user is not allowed to run the command, the reason for the denial
1502: will follow the user name. Possible reasons include:
1503:
1504: user NOT in sudoers
1505: The user is not listed in the _�s_�u_�d_�o_�e_�r_�s file.
1506:
1507: user NOT authorized on host
1508: The user is listed in the _�s_�u_�d_�o_�e_�r_�s file but is not allowed to run
1509: commands on the host.
1510:
1511: command not allowed
1512: The user is listed in the _�s_�u_�d_�o_�e_�r_�s file for the host but they are not
1513: allowed to run the specified command.
1514:
1515: 3 incorrect password attempts
1516: The user failed to enter their password after 3 tries. The actual
1517: number of tries will vary based on the number of failed attempts and
1518: the value of the _�p_�a_�s_�s_�w_�d_�__�t_�r_�i_�e_�s option.
1519:
1520: a password is required
1521: s�su�ud�do�o's -�-n�n option was specified but a password was required.
1522:
1523: sorry, you are not allowed to set the following environment variables
1524: The user specified environment variables on the command line that were
1525: not allowed by _�s_�u_�d_�o_�e_�r_�s.
1526:
1527: E�Er�rr�ro�or�r l�lo�og�g e�en�nt�tr�ri�ie�es�s
1528: If an error occurs, s�su�ud�do�oe�er�rs�s will log a message and, in most cases, send a
1529: message to the administrator via email. Possible errors include:
1530:
1531: parse error in /etc/sudoers near line N
1532: s�su�ud�do�oe�er�rs�s encountered an error when parsing the specified file. In some
1533: cases, the actual error may be one line above or below the line number
1534: listed, depending on the type of error.
1535:
1536: problem with defaults entries
1537: The _�s_�u_�d_�o_�e_�r_�s file contains one or more unknown Defaults settings. This
1538: does not prevent s�su�ud�do�o from running, but the _�s_�u_�d_�o_�e_�r_�s file should be
1539: checked using v�vi�is�su�ud�do�o.
1540:
1541: timestamp owner (username): No such user
1542: The time stamp directory owner, as specified by the _�t_�i_�m_�e_�s_�t_�a_�m_�p_�o_�w_�n_�e_�r
1543: setting, could not be found in the password database.
1544:
1545: unable to open/read /etc/sudoers
1546: The _�s_�u_�d_�o_�e_�r_�s file could not be opened for reading. This can happen
1547: when the _�s_�u_�d_�o_�e_�r_�s file is located on a remote file system that maps
1548: user ID 0 to a different value. Normally, s�su�ud�do�oe�er�rs�s tries to open
1549: _�s_�u_�d_�o_�e_�r_�s using group permissions to avoid this problem. Consider
1550: changing the ownership of _�/_�e_�t_�c_�/_�s_�u_�d_�o_�e_�r_�s by adding an option like
1551: ``sudoers_uid=N'' (where `N' is the user ID that owns the _�s_�u_�d_�o_�e_�r_�s
1552: file) to the s�su�ud�do�oe�er�rs�s plugin line in the _�/_�e_�t_�c_�/_�s_�u_�d_�o_�._�c_�o_�n_�f file.
1553:
1554: unable to stat /etc/sudoers
1555: The _�/_�e_�t_�c_�/_�s_�u_�d_�o_�e_�r_�s file is missing.
1556:
1557: /etc/sudoers is not a regular file
1558: The _�/_�e_�t_�c_�/_�s_�u_�d_�o_�e_�r_�s file exists but is not a regular file or symbolic
1559: link.
1560:
1561: /etc/sudoers is owned by uid N, should be 0
1562: The _�s_�u_�d_�o_�e_�r_�s file has the wrong owner. If you wish to change the
1563: _�s_�u_�d_�o_�e_�r_�s file owner, please add ``sudoers_uid=N'' (where `N' is the
1564: user ID that owns the _�s_�u_�d_�o_�e_�r_�s file) to the s�su�ud�do�oe�er�rs�s plugin line in the
1565: _�/_�e_�t_�c_�/_�s_�u_�d_�o_�._�c_�o_�n_�f file.
1566:
1567: /etc/sudoers is world writable
1568: The permissions on the _�s_�u_�d_�o_�e_�r_�s file allow all users to write to it.
1569: The _�s_�u_�d_�o_�e_�r_�s file must not be world-writable, the default file mode is
1570: 0440 (readable by owner and group, writable by none). The default
1571: mode may be changed via the ``sudoers_mode'' option to the s�su�ud�do�oe�er�rs�s
1572: plugin line in the _�/_�e_�t_�c_�/_�s_�u_�d_�o_�._�c_�o_�n_�f file.
1573:
1574: /etc/sudoers is owned by gid N, should be 1
1575: The _�s_�u_�d_�o_�e_�r_�s file has the wrong group ownership. If you wish to change
1576: the _�s_�u_�d_�o_�e_�r_�s file group ownership, please add ``sudoers_gid=N'' (where
1577: `N' is the group ID that owns the _�s_�u_�d_�o_�e_�r_�s file) to the s�su�ud�do�oe�er�rs�s plugin
1578: line in the _�/_�e_�t_�c_�/_�s_�u_�d_�o_�._�c_�o_�n_�f file.
1579:
1580: unable to open /var/adm/sudo/username/ttyname
1581: _�s_�u_�d_�o_�e_�r_�s was unable to read or create the user's time stamp file.
1582:
1583: unable to write to /var/adm/sudo/username/ttyname
1584: _�s_�u_�d_�o_�e_�r_�s was unable to write to the user's time stamp file.
1585:
1586: unable to mkdir to /var/adm/sudo/username
1587: _�s_�u_�d_�o_�e_�r_�s was unable to create the user's time stamp directory.
1588:
1589: N�No�ot�te�es�s o�on�n l�lo�og�gg�gi�in�ng�g v�vi�ia�a s�sy�ys�sl�lo�og�g
1590: By default, _�s_�u_�d_�o_�e_�r_�s logs messages via syslog(3). The _�d_�a_�t_�e, _�h_�o_�s_�t_�n_�a_�m_�e, and
1591: _�p_�r_�o_�g_�n_�a_�m_�e fields are added by the syslog daemon, not _�s_�u_�d_�o_�e_�r_�s itself. As
1592: such, they may vary in format on different systems.
1593:
1594: On most systems, syslog(3) has a relatively small log buffer. To prevent
1595: the command line arguments from being truncated, s�su�ud�do�oe�er�rs�s will split up
1596: log messages that are larger than 960 characters (not including the date,
1597: hostname, and the string ``sudo''). When a message is split, additional
1598: parts will include the string ``(command continued)'' after the user name
1599: and before the continued command line arguments.
1600:
1601: N�No�ot�te�es�s o�on�n l�lo�og�gg�gi�in�ng�g t�to�o a�a f�fi�il�le�e
1602: If the _�l_�o_�g_�f_�i_�l_�e option is set, _�s_�u_�d_�o_�e_�r_�s will log to a local file, such as
1603: _�/_�v_�a_�r_�/_�l_�o_�g_�/_�s_�u_�d_�o. When logging to a file, _�s_�u_�d_�o_�e_�r_�s uses a format similar to
1604: syslog(3), with a few important differences:
1605:
1606: 1. The _�p_�r_�o_�g_�n_�a_�m_�e and _�h_�o_�s_�t_�n_�a_�m_�e fields are not present.
1607:
1608: 2. If the _�l_�o_�g_�__�y_�e_�a_�r option is enabled, the date will also include the
1609: year.
1610:
1611: 3. Lines that are longer than _�l_�o_�g_�l_�i_�n_�e_�l_�e_�n characters (80 by default) are
1612: word-wrapped and continued on the next line with a four character
1613: indent. This makes entries easier to read for a human being, but
1614: makes it more difficult to use grep(1) on the log files. If the
1615: _�l_�o_�g_�l_�i_�n_�e_�l_�e_�n option is set to 0 (or negated with a `!'), word wrap
1616: will be disabled.
1617:
1618: S�SU�UD�DO�O.�.C�CO�ON�NF�F
1619: The _�/_�e_�t_�c_�/_�s_�u_�d_�o_�._�c_�o_�n_�f file determines which plugins the s�su�ud�do�o front end will
1620: load. If no _�/_�e_�t_�c_�/_�s_�u_�d_�o_�._�c_�o_�n_�f file is present, or it contains no Plugin
1621: lines, s�su�ud�do�o will use the _�s_�u_�d_�o_�e_�r_�s security policy and I/O logging, which
1622: corresponds to the following _�/_�e_�t_�c_�/_�s_�u_�d_�o_�._�c_�o_�n_�f file.
1623:
1624: #
1625: # Default /etc/sudo.conf file
1626: #
1627: # Format:
1628: # Plugin plugin_name plugin_path plugin_options ...
1629: # Path askpass /path/to/askpass
1630: # Path noexec /path/to/sudo_noexec.so
1631: # Debug sudo /var/log/sudo_debug all@warn
1632: # Set disable_coredump true
1633: #
1634: # The plugin_path is relative to /usr/local/libexec unless
1635: # fully qualified.
1636: # The plugin_name corresponds to a global symbol in the plugin
1637: # that contains the plugin interface structure.
1638: # The plugin_options are optional.
1639: #
1640: Plugin policy_plugin sudoers.so
1641: Plugin io_plugin sudoers.so
1642:
1643: P�Pl�lu�ug�gi�in�n o�op�pt�ti�io�on�ns�s
1644: Starting with s�su�ud�do�o 1.8.5, it is possible to pass options to the _�s_�u_�d_�o_�e_�r_�s
1645: plugin. Options may be listed after the path to the plugin (i.e. after
1646: _�s_�u_�d_�o_�e_�r_�s_�._�s_�o); multiple options should be space-separated. For example:
1647:
1648: Plugin sudoers_policy sudoers.so sudoers_file=/etc/sudoers sudoers_uid=0 sudoers_gid=0 sudoers_mode=0440
1649:
1650: The following plugin options are supported:
1651:
1652: sudoers_file=pathname
1653: The _�s_�u_�d_�o_�e_�r_�s_�__�f_�i_�l_�e option can be used to override the default
1654: path to the _�s_�u_�d_�o_�e_�r_�s file.
1655:
1656: sudoers_uid=uid
1657: The _�s_�u_�d_�o_�e_�r_�s_�__�u_�i_�d option can be used to override the default
1658: owner of the sudoers file. It should be specified as a numeric
1659: user ID.
1660:
1661: sudoers_gid=gid
1662: The _�s_�u_�d_�o_�e_�r_�s_�__�g_�i_�d option can be used to override the default
1663: group of the sudoers file. It should be specified as a numeric
1664: group ID.
1665:
1666: sudoers_mode=mode
1667: The _�s_�u_�d_�o_�e_�r_�s_�__�m_�o_�d_�e option can be used to override the default
1668: file mode for the sudoers file. It should be specified as an
1669: octal value.
1670:
1671: D�De�eb�bu�ug�g f�fl�la�ag�gs�s
1672: Versions 1.8.4 and higher of the _�s_�u_�d_�o_�e_�r_�s plugin supports a debugging
1673: framework that can help track down what the plugin is doing internally if
1674: there is a problem. This can be configured in the _�/_�e_�t_�c_�/_�s_�u_�d_�o_�._�c_�o_�n_�f file as
1675: described in sudo(1m).
1676:
1677: The _�s_�u_�d_�o_�e_�r_�s plugin uses the same debug flag format as the s�su�ud�do�o front-end:
1678: _�s_�u_�b_�s_�y_�s_�t_�e_�m@_�p_�r_�i_�o_�r_�i_�t_�y.
1679:
1680: The priorities used by _�s_�u_�d_�o_�e_�r_�s, in order of decreasing severity, are:
1681: _�c_�r_�i_�t, _�e_�r_�r, _�w_�a_�r_�n, _�n_�o_�t_�i_�c_�e, _�d_�i_�a_�g, _�i_�n_�f_�o, _�t_�r_�a_�c_�e and _�d_�e_�b_�u_�g. Each priority,
1682: when specified, also includes all priorities higher than it. For
1683: example, a priority of _�n_�o_�t_�i_�c_�e would include debug messages logged at
1684: _�n_�o_�t_�i_�c_�e and higher.
1685:
1686: The following subsystems are used by _�s_�u_�d_�o_�e_�r_�s:
1687:
1688: _�a_�l_�i_�a_�s User_Alias, Runas_Alias, Host_Alias and Cmnd_Alias processing
1689:
1690: _�a_�l_�l matches every subsystem
1691:
1692: _�a_�u_�d_�i_�t BSM and Linux audit code
1693:
1694: _�a_�u_�t_�h user authentication
1695:
1696: _�d_�e_�f_�a_�u_�l_�t_�s _�s_�u_�d_�o_�e_�r_�s _�D_�e_�f_�a_�u_�l_�t_�s settings
1697:
1698: _�e_�n_�v environment handling
1699:
1700: _�l_�d_�a_�p LDAP-based sudoers
1701:
1702: _�l_�o_�g_�g_�i_�n_�g logging support
1703:
1704: _�m_�a_�t_�c_�h matching of users, groups, hosts and netgroups in _�s_�u_�d_�o_�e_�r_�s
1705:
1706: _�n_�e_�t_�i_�f network interface handling
1707:
1708: _�n_�s_�s network service switch handling in _�s_�u_�d_�o_�e_�r_�s
1709:
1710: _�p_�a_�r_�s_�e_�r _�s_�u_�d_�o_�e_�r_�s file parsing
1711:
1712: _�p_�e_�r_�m_�s permission setting
1713:
1714: _�p_�l_�u_�g_�i_�n The equivalent of _�m_�a_�i_�n for the plugin.
1715:
1716: _�p_�t_�y pseudo-tty related code
1717:
1718: _�r_�b_�t_�r_�e_�e redblack tree internals
1719:
1720: _�u_�t_�i_�l utility functions
1721:
1722: F�FI�IL�LE�ES�S
1723: _�/_�e_�t_�c_�/_�s_�u_�d_�o_�._�c_�o_�n_�f Sudo front end configuration
1724:
1725: _�/_�e_�t_�c_�/_�s_�u_�d_�o_�e_�r_�s List of who can run what
1726:
1727: _�/_�e_�t_�c_�/_�g_�r_�o_�u_�p Local groups file
1728:
1729: _�/_�e_�t_�c_�/_�n_�e_�t_�g_�r_�o_�u_�p List of network groups
1730:
1731: _�/_�v_�a_�r_�/_�l_�o_�g_�/_�s_�u_�d_�o_�-_�i_�o I/O log files
1732:
1733: _�/_�v_�a_�r_�/_�a_�d_�m_�/_�s_�u_�d_�o Directory containing time stamps for the
1734: _�s_�u_�d_�o_�e_�r_�s security policy
1735:
1736: _�/_�e_�t_�c_�/_�e_�n_�v_�i_�r_�o_�n_�m_�e_�n_�t Initial environment for -�-i�i mode on AIX and
1737: Linux systems
1738:
1739: E�EX�XA�AM�MP�PL�LE�ES�S
1740: Below are example _�s_�u_�d_�o_�e_�r_�s entries. Admittedly, some of these are a bit
1741: contrived. First, we allow a few environment variables to pass and then
1742: define our _�a_�l_�i_�a_�s_�e_�s:
1743:
1744: # Run X applications through sudo; HOME is used to find the
1745: # .Xauthority file. Note that other programs use HOME to find
1746: # configuration files and this may lead to privilege escalation!
1747: Defaults env_keep += "DISPLAY HOME"
1748:
1749: # User alias specification
1750: User_Alias FULLTIMERS = millert, mikef, dowdy
1751: User_Alias PARTTIMERS = bostley, jwfox, crawl
1752: User_Alias WEBMASTERS = will, wendy, wim
1753:
1754: # Runas alias specification
1755: Runas_Alias OP = root, operator
1756: Runas_Alias DB = oracle, sybase
1757: Runas_Alias ADMINGRP = adm, oper
1758:
1759: # Host alias specification
1760: Host_Alias SPARC = bigtime, eclipse, moet, anchor :\
1761: SGI = grolsch, dandelion, black :\
1762: ALPHA = widget, thalamus, foobar :\
1763: HPPA = boa, nag, python
1764: Host_Alias CUNETS = 128.138.0.0/255.255.0.0
1765: Host_Alias CSNETS = 128.138.243.0, 128.138.204.0/24, 128.138.242.0
1766: Host_Alias SERVERS = master, mail, www, ns
1767: Host_Alias CDROM = orion, perseus, hercules
1768:
1769: # Cmnd alias specification
1770: Cmnd_Alias DUMPS = /usr/bin/mt, /usr/sbin/dump, /usr/sbin/rdump,\
1771: /usr/sbin/restore, /usr/sbin/rrestore
1772: Cmnd_Alias KILL = /usr/bin/kill
1773: Cmnd_Alias PRINTING = /usr/sbin/lpc, /usr/bin/lprm
1774: Cmnd_Alias SHUTDOWN = /usr/sbin/shutdown
1775: Cmnd_Alias HALT = /usr/sbin/halt
1776: Cmnd_Alias REBOOT = /usr/sbin/reboot
1777: Cmnd_Alias SHELLS = /usr/bin/sh, /usr/bin/csh, /usr/bin/ksh,\
1778: /usr/local/bin/tcsh, /usr/bin/rsh,\
1779: /usr/local/bin/zsh
1780: Cmnd_Alias SU = /usr/bin/su
1781: Cmnd_Alias PAGERS = /usr/bin/more, /usr/bin/pg, /usr/bin/less
1782:
1783: Here we override some of the compiled in default values. We want s�su�ud�do�o to
1784: log via syslog(3) using the _�a_�u_�t_�h facility in all cases. We don't want to
1785: subject the full time staff to the s�su�ud�do�o lecture, user m�mi�il�ll�le�er�rt�t need not
1786: give a password, and we don't want to reset the LOGNAME, USER or USERNAME
1787: environment variables when running commands as root. Additionally, on
1788: the machines in the _�S_�E_�R_�V_�E_�R_�S Host_Alias, we keep an additional local log
1789: file and make sure we log the year in each log line since the log entries
1790: will be kept around for several years. Lastly, we disable shell escapes
1791: for the commands in the PAGERS Cmnd_Alias (_�/_�u_�s_�r_�/_�b_�i_�n_�/_�m_�o_�r_�e, _�/_�u_�s_�r_�/_�b_�i_�n_�/_�p_�g and
1792: _�/_�u_�s_�r_�/_�b_�i_�n_�/_�l_�e_�s_�s).
1793:
1794: # Override built-in defaults
1795: Defaults syslog=auth
1796: Defaults>root !set_logname
1797: Defaults:FULLTIMERS !lecture
1798: Defaults:millert !authenticate
1799: Defaults@SERVERS log_year, logfile=/var/log/sudo.log
1800: Defaults!PAGERS noexec
1801:
1802: The _�U_�s_�e_�r _�s_�p_�e_�c_�i_�f_�i_�c_�a_�t_�i_�o_�n is the part that actually determines who may run
1803: what.
1804:
1805: root ALL = (ALL) ALL
1806: %wheel ALL = (ALL) ALL
1807:
1808: We let r�ro�oo�ot�t and any user in group w�wh�he�ee�el�l run any command on any host as
1809: any user.
1810:
1811: FULLTIMERS ALL = NOPASSWD: ALL
1812:
1813: Full time sysadmins (m�mi�il�ll�le�er�rt�t, m�mi�ik�ke�ef�f, and d�do�ow�wd�dy�y) may run any command on
1814: any host without authenticating themselves.
1815:
1816: PARTTIMERS ALL = ALL
1817:
1818: Part time sysadmins b�bo�os�st�tl�le�ey�y, j�jw�wf�fo�ox�x, and c�cr�ra�aw�wl�l) may run any command on any
1819: host but they must authenticate themselves first (since the entry lacks
1820: the NOPASSWD tag).
1821:
1822: jack CSNETS = ALL
1823:
1824: The user j�ja�ac�ck�k may run any command on the machines in the _�C_�S_�N_�E_�T_�S alias
1825: (the networks 128.138.243.0, 128.138.204.0, and 128.138.242.0). Of those
1826: networks, only 128.138.204.0 has an explicit netmask (in CIDR notation)
1827: indicating it is a class C network. For the other networks in _�C_�S_�N_�E_�T_�S,
1828: the local machine's netmask will be used during matching.
1829:
1830: lisa CUNETS = ALL
1831:
1832: The user l�li�is�sa�a may run any command on any host in the _�C_�U_�N_�E_�T_�S alias (the
1833: class B network 128.138.0.0).
1834:
1835: operator ALL = DUMPS, KILL, SHUTDOWN, HALT, REBOOT, PRINTING,\
1836: sudoedit /etc/printcap, /usr/oper/bin/
1837:
1838: The o�op�pe�er�ra�at�to�or�r user may run commands limited to simple maintenance. Here,
1839: those are commands related to backups, killing processes, the printing
1840: system, shutting down the system, and any commands in the directory
1841: _�/_�u_�s_�r_�/_�o_�p_�e_�r_�/_�b_�i_�n_�/.
1842:
1843: joe ALL = /usr/bin/su operator
1844:
1845: The user j�jo�oe�e may only su(1) to operator.
1846:
1847: pete HPPA = /usr/bin/passwd [A-Za-z]*, !/usr/bin/passwd root
1848:
1849: %opers ALL = (: ADMINGRP) /usr/sbin/
1850:
1851: Users in the o�op�pe�er�rs�s group may run commands in _�/_�u_�s_�r_�/_�s_�b_�i_�n_�/ as themselves
1852: with any group in the _�A_�D_�M_�I_�N_�G_�R_�P Runas_Alias (the a�ad�dm�m and o�op�pe�er�r groups).
1853:
1854: The user p�pe�et�te�e is allowed to change anyone's password except for root on
1855: the _�H_�P_�P_�A machines. Note that this assumes passwd(1) does not take
1856: multiple user names on the command line.
1857:
1858: bob SPARC = (OP) ALL : SGI = (OP) ALL
1859:
1860: The user b�bo�ob�b may run anything on the _�S_�P_�A_�R_�C and _�S_�G_�I machines as any user
1861: listed in the _�O_�P Runas_Alias (r�ro�oo�ot�t and o�op�pe�er�ra�at�to�or�r.)
1862:
1863: jim +biglab = ALL
1864:
1865: The user j�ji�im�m may run any command on machines in the _�b_�i_�g_�l_�a_�b netgroup.
1866: s�su�ud�do�o knows that ``biglab'' is a netgroup due to the `+' prefix.
1867:
1868: +secretaries ALL = PRINTING, /usr/bin/adduser, /usr/bin/rmuser
1869:
1870: Users in the s�se�ec�cr�re�et�ta�ar�ri�ie�es�s netgroup need to help manage the printers as
1871: well as add and remove users, so they are allowed to run those commands
1872: on all machines.
1873:
1874: fred ALL = (DB) NOPASSWD: ALL
1875:
1876: The user f�fr�re�ed�d can run commands as any user in the _�D_�B Runas_Alias (o�or�ra�ac�cl�le�e
1877: or s�sy�yb�ba�as�se�e) without giving a password.
1878:
1879: john ALPHA = /usr/bin/su [!-]*, !/usr/bin/su *root*
1880:
1881: On the _�A_�L_�P_�H_�A machines, user j�jo�oh�hn�n may su to anyone except root but he is
1882: not allowed to specify any options to the su(1) command.
1883:
1884: jen ALL, !SERVERS = ALL
1885:
1886: The user j�je�en�n may run any command on any machine except for those in the
1887: _�S_�E_�R_�V_�E_�R_�S Host_Alias (master, mail, www and ns).
1888:
1889: jill SERVERS = /usr/bin/, !SU, !SHELLS
1890:
1891: For any machine in the _�S_�E_�R_�V_�E_�R_�S Host_Alias, j�ji�il�ll�l may run any commands in
1892: the directory _�/_�u_�s_�r_�/_�b_�i_�n_�/ except for those commands belonging to the _�S_�U and
1893: _�S_�H_�E_�L_�L_�S Cmnd_Aliases.
1894:
1895: steve CSNETS = (operator) /usr/local/op_commands/
1896:
1897: The user s�st�te�ev�ve�e may run any command in the directory
1898: /usr/local/op_commands/ but only as user operator.
1899:
1900: matt valkyrie = KILL
1901:
1902: On his personal workstation, valkyrie, m�ma�at�tt�t needs to be able to kill hung
1903: processes.
1904:
1905: WEBMASTERS www = (www) ALL, (root) /usr/bin/su www
1906:
1907: On the host www, any user in the _�W_�E_�B_�M_�A_�S_�T_�E_�R_�S User_Alias (will, wendy, and
1908: wim), may run any command as user www (which owns the web pages) or
1909: simply su(1) to www.
1910:
1911: ALL CDROM = NOPASSWD: /sbin/umount /CDROM,\
1912: /sbin/mount -o nosuid,nodev /dev/cd0a /CDROM
1913:
1914: Any user may mount or unmount a CD-ROM on the machines in the CDROM
1915: Host_Alias (orion, perseus, hercules) without entering a password. This
1916: is a bit tedious for users to type, so it is a prime candidate for
1917: encapsulating in a shell script.
1918:
1919: S�SE�EC�CU�UR�RI�IT�TY�Y N�NO�OT�TE�ES�S
1920: L�Li�im�mi�it�ta�at�ti�io�on�ns�s o�of�f t�th�he�e `�`!�!'�' o�op�pe�er�ra�at�to�or�r
1921: It is generally not effective to ``subtract'' commands from A�AL�LL�L using the
1922: `!' operator. A user can trivially circumvent this by copying the
1923: desired command to a different name and then executing that. For
1924: example:
1925:
1926: bill ALL = ALL, !SU, !SHELLS
1927:
1928: Doesn't really prevent b�bi�il�ll�l from running the commands listed in _�S_�U or
1929: _�S_�H_�E_�L_�L_�S since he can simply copy those commands to a different name, or
1930: use a shell escape from an editor or other program. Therefore, these
1931: kind of restrictions should be considered advisory at best (and
1932: reinforced by policy).
1933:
1934: In general, if a user has sudo A�AL�LL�L there is nothing to prevent them from
1935: creating their own program that gives them a root shell (or making their
1936: own copy of a shell) regardless of any `!' elements in the user
1937: specification.
1938:
1939: S�Se�ec�cu�ur�ri�it�ty�y i�im�mp�pl�li�ic�ca�at�ti�io�on�ns�s o�of�f _�f_�a_�s_�t_�__�g_�l_�o_�b
1940: If the _�f_�a_�s_�t_�__�g_�l_�o_�b option is in use, it is not possible to reliably negate
1941: commands where the path name includes globbing (aka wildcard) characters.
1942: This is because the C library's fnmatch(3) function cannot resolve
1943: relative paths. While this is typically only an inconvenience for rules
1944: that grant privileges, it can result in a security issue for rules that
1945: subtract or revoke privileges.
1946:
1947: For example, given the following _�s_�u_�d_�o_�e_�r_�s entry:
1948:
1949: john ALL = /usr/bin/passwd [a-zA-Z0-9]*, /usr/bin/chsh [a-zA-Z0-9]*,\
1950: /usr/bin/chfn [a-zA-Z0-9]*, !/usr/bin/* root
1951:
1952: User j�jo�oh�hn�n can still run /usr/bin/passwd root if _�f_�a_�s_�t_�__�g_�l_�o_�b is enabled by
1953: changing to _�/_�u_�s_�r_�/_�b_�i_�n and running ./passwd root instead.
1954:
1955: P�Pr�re�ev�ve�en�nt�ti�in�ng�g s�sh�he�el�ll�l e�es�sc�ca�ap�pe�es�s
1956: Once s�su�ud�do�o executes a program, that program is free to do whatever it
1957: pleases, including run other programs. This can be a security issue
1958: since it is not uncommon for a program to allow shell escapes, which lets
1959: a user bypass s�su�ud�do�o's access control and logging. Common programs that
1960: permit shell escapes include shells (obviously), editors, paginators,
1961: mail and terminal programs.
1962:
1963: There are two basic approaches to this problem:
1964:
1965: restrict Avoid giving users access to commands that allow the user to
1966: run arbitrary commands. Many editors have a restricted mode
1967: where shell escapes are disabled, though s�su�ud�do�oe�ed�di�it�t is a better
1968: solution to running editors via s�su�ud�do�o. Due to the large number
1969: of programs that offer shell escapes, restricting users to the
1970: set of programs that do not is often unworkable.
1971:
1972: noexec Many systems that support shared libraries have the ability to
1973: override default library functions by pointing an environment
1974: variable (usually LD_PRELOAD) to an alternate shared library.
1975: On such systems, s�su�ud�do�o's _�n_�o_�e_�x_�e_�c functionality can be used to
1976: prevent a program run by s�su�ud�do�o from executing any other
1977: programs. Note, however, that this applies only to native
1978: dynamically-linked executables. Statically-linked executables
1979: and foreign executables running under binary emulation are not
1980: affected.
1981:
1982: The _�n_�o_�e_�x_�e_�c feature is known to work on SunOS, Solaris, *BSD,
1983: Linux, IRIX, Tru64 UNIX, MacOS X, HP-UX 11.x and AIX 5.3 and
1984: above. It should be supported on most operating systems that
1985: support the LD_PRELOAD environment variable. Check your
1986: operating system's manual pages for the dynamic linker (usually
1987: ld.so, ld.so.1, dyld, dld.sl, rld, or loader) to see if
1988: LD_PRELOAD is supported.
1989:
1990: On Solaris 10 and higher, _�n_�o_�e_�x_�e_�c uses Solaris privileges
1991: instead of the LD_PRELOAD environment variable.
1992:
1993: To enable _�n_�o_�e_�x_�e_�c for a command, use the NOEXEC tag as
1994: documented in the User Specification section above. Here is
1995: that example again:
1996:
1997: aaron shanty = NOEXEC: /usr/bin/more, /usr/bin/vi
1998:
1999: This allows user a�aa�ar�ro�on�n to run _�/_�u_�s_�r_�/_�b_�i_�n_�/_�m_�o_�r_�e and _�/_�u_�s_�r_�/_�b_�i_�n_�/_�v_�i
2000: with _�n_�o_�e_�x_�e_�c enabled. This will prevent those two commands from
2001: executing other commands (such as a shell). If you are unsure
2002: whether or not your system is capable of supporting _�n_�o_�e_�x_�e_�c you
2003: can always just try it out and check whether shell escapes work
2004: when _�n_�o_�e_�x_�e_�c is enabled.
2005:
2006: Note that restricting shell escapes is not a panacea. Programs running
2007: as root are still capable of many potentially hazardous operations (such
2008: as changing or overwriting files) that could lead to unintended privilege
2009: escalation. In the specific case of an editor, a safer approach is to
2010: give the user permission to run s�su�ud�do�oe�ed�di�it�t.
2011:
2012: T�Ti�im�me�e s�st�ta�am�mp�p f�fi�il�le�e c�ch�he�ec�ck�ks�s
2013: _�s_�u_�d_�o_�e_�r_�s will check the ownership of its time stamp directory
2014: (_�/_�v_�a_�r_�/_�a_�d_�m_�/_�s_�u_�d_�o by default) and ignore the directory's contents if it is
2015: not owned by root or if it is writable by a user other than root. On
2016: systems that allow non-root users to give away files via chown(2), if the
2017: time stamp directory is located in a world-writable directory (e.g.,
2018: _�/_�t_�m_�p), it is possible for a user to create the time stamp directory
2019: before s�su�ud�do�o is run. However, because _�s_�u_�d_�o_�e_�r_�s checks the ownership and
2020: mode of the directory and its contents, the only damage that can be done
2021: is to ``hide'' files by putting them in the time stamp dir. This is
2022: unlikely to happen since once the time stamp dir is owned by root and
2023: inaccessible by any other user, the user placing files there would be
2024: unable to get them back out.
2025:
2026: _�s_�u_�d_�o_�e_�r_�s will not honor time stamps set far in the future. Time stamps
2027: with a date greater than current_time + 2 * TIMEOUT will be ignored and
2028: sudo will log and complain. This is done to keep a user from creating
2029: his/her own time stamp with a bogus date on systems that allow users to
2030: give away files if the time stamp directory is located in a world-
2031: writable directory.
2032:
2033: On systems where the boot time is available, _�s_�u_�d_�o_�e_�r_�s will ignore time
2034: stamps that date from before the machine booted.
2035:
2036: Since time stamp files live in the file system, they can outlive a user's
2037: login session. As a result, a user may be able to login, run a command
2038: with s�su�ud�do�o after authenticating, logout, login again, and run s�su�ud�do�o without
2039: authenticating so long as the time stamp file's modification time is
2040: within 5 minutes (or whatever the timeout is set to in _�s_�u_�d_�o_�e_�r_�s). When
2041: the _�t_�t_�y_�__�t_�i_�c_�k_�e_�t_�s option is enabled, the time stamp has per-tty granularity
2042: but still may outlive the user's session. On Linux systems where the
2043: devpts filesystem is used, Solaris systems with the devices filesystem,
2044: as well as other systems that utilize a devfs filesystem that
2045: monotonically increase the inode number of devices as they are created
2046: (such as Mac OS X), _�s_�u_�d_�o_�e_�r_�s is able to determine when a tty-based time
2047: stamp file is stale and will ignore it. Administrators should not rely
2048: on this feature as it is not universally available.
2049:
2050: S�SE�EE�E A�AL�LS�SO�O
2051: ssh(1), su(1), fnmatch(3), glob(3), mktemp(3), strftime(3),
2052: sudoers.ldap(4), sudo_plugin(1m), sudo(1m), visudo(1m)
2053:
2054: C�CA�AV�VE�EA�AT�TS�S
2055: The _�s_�u_�d_�o_�e_�r_�s file should a�al�lw�wa�ay�ys�s be edited by the v�vi�is�su�ud�do�o command which
2056: locks the file and does grammatical checking. It is imperative that
2057: _�s_�u_�d_�o_�e_�r_�s be free of syntax errors since s�su�ud�do�o will not run with a
2058: syntactically incorrect _�s_�u_�d_�o_�e_�r_�s file.
2059:
2060: When using netgroups of machines (as opposed to users), if you store
2061: fully qualified host name in the netgroup (as is usually the case), you
2062: either need to have the machine's host name be fully qualified as
2063: returned by the hostname command or use the _�f_�q_�d_�n option in _�s_�u_�d_�o_�e_�r_�s.
2064:
2065: B�BU�UG�GS�S
2066: If you feel you have found a bug in s�su�ud�do�o, please submit a bug report at
2067: http://www.sudo.ws/sudo/bugs/
2068:
2069: S�SU�UP�PP�PO�OR�RT�T
2070: Limited free support is available via the sudo-users mailing list, see
2071: http://www.sudo.ws/mailman/listinfo/sudo-users to subscribe or search the
2072: archives.
2073:
2074: D�DI�IS�SC�CL�LA�AI�IM�ME�ER�R
2075: s�su�ud�do�o is provided ``AS IS'' and any express or implied warranties,
2076: including, but not limited to, the implied warranties of merchantability
2077: and fitness for a particular purpose are disclaimed. See the LICENSE
2078: file distributed with s�su�ud�do�o or http://www.sudo.ws/sudo/license.html for
2079: complete details.
2080:
2081: Sudo 1.8.6 July 16, 2012 Sudo 1.8.6
FreeBSD-CVSweb <freebsd-cvsweb@FreeBSD.org>
![[BACK]](/icons/cvsweb/back.gif){kind=icon}
Return to sudoers.cat CVS log ![[TXT]](/icons/cvsweb/text.gif){kind=icon}
![[DIR]](/icons/cvsweb/dir.gif){kind=icon}
Up to [ELWIX - Embedded LightWeight unIX -] / embedaddon / sudo / doc