1: SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
2:
3:
4:
5: N�NA�AM�ME�E
6: sudoers - default sudo security policy module
7:
8: D�DE�ES�SC�CR�RI�IP�PT�TI�IO�ON�N
9: The _�s_�u_�d_�o_�e_�r_�s policy module determines a user's s�su�ud�do�o privileges. It is
10: the default s�su�ud�do�o policy plugin. The policy is driven by the
11: _�/_�e_�t_�c_�/_�s_�u_�d_�o_�e_�r_�s file or, optionally in LDAP. The policy format is
12: described in detail in the "SUDOERS FILE FORMAT" section. For
13: information on storing _�s_�u_�d_�o_�e_�r_�s policy information in LDAP, please see
14: _�s_�u_�d_�o_�e_�r_�s_�._�l_�d_�a_�p(4).
15:
16: A�Au�ut�th�he�en�nt�ti�ic�ca�at�ti�io�on�n a�an�nd�d L�Lo�og�gg�gi�in�ng�g
17: The _�s_�u_�d_�o_�e_�r_�s security policy requires that most users authenticate
18: themselves before they can use s�su�ud�do�o. A password is not required if the
19: invoking user is root, if the target user is the same as the invoking
20: user, or if the policy has disabled authentication for the user or
21: command. Unlike _�s_�u(1), when _�s_�u_�d_�o_�e_�r_�s requires authentication, it
22: validates the invoking user's credentials, not the target user's (or
23: root's) credentials. This can be changed via the _�r_�o_�o_�t_�p_�w, _�t_�a_�r_�g_�e_�t_�p_�w and
24: _�r_�u_�n_�a_�s_�p_�w flags, described later.
25:
26: If a user who is not listed in the policy tries to run a command via
27: s�su�ud�do�o, mail is sent to the proper authorities. The address used for
28: such mail is configurable via the _�m_�a_�i_�l_�t_�o Defaults entry (described
29: later) and defaults to root.
30:
31: Note that mail will not be sent if an unauthorized user tries to run
32: s�su�ud�do�o with the -�-l�l or -�-v�v option. This allows users to determine for
33: themselves whether or not they are allowed to use s�su�ud�do�o.
34:
35: If s�su�ud�do�o is run by root and the SUDO_USER environment variable is set,
36: the _�s_�u_�d_�o_�e_�r_�s policy will use this value to determine who the actual user
37: is. This can be used by a user to log commands through sudo even when
38: a root shell has been invoked. It also allows the -�-e�e option to remain
39: useful even when invoked via a sudo-run script or program. Note,
40: however, that the _�s_�u_�d_�o_�e_�r_�s lookup is still done for root, not the user
41: specified by SUDO_USER.
42:
43: _�s_�u_�d_�o_�e_�r_�s uses time stamp files for credential caching. Once a user has
44: been authenticated, a time stamp is updated and the user may then use
45: sudo without a password for a short period of time (5 minutes unless
46: overridden by the _�t_�i_�m_�e_�o_�u_�t option. By default, _�s_�u_�d_�o_�e_�r_�s uses a tty-based
47: time stamp which means that there is a separate time stamp for each of
48: a user's login sessions. The _�t_�t_�y_�__�t_�i_�c_�k_�e_�t_�s option can be disabled to
49: force the use of a single time stamp for all of a user's sessions.
50:
51: _�s_�u_�d_�o_�e_�r_�s can log both successful and unsuccessful attempts (as well as
52: errors) to _�s_�y_�s_�l_�o_�g(3), a log file, or both. By default, _�s_�u_�d_�o_�e_�r_�s will
53: log via _�s_�y_�s_�l_�o_�g(3) but this is changeable via the _�s_�y_�s_�l_�o_�g and _�l_�o_�g_�f_�i_�l_�e
54: Defaults settings.
55:
56: _�s_�u_�d_�o_�e_�r_�s also supports logging a command's input and output streams.
57: I/O logging is not on by default but can be enabled using the _�l_�o_�g_�__�i_�n_�p_�u_�t
58: and _�l_�o_�g_�__�o_�u_�t_�p_�u_�t Defaults flags as well as the LOG_INPUT and LOG_OUTPUT
59: command tags.
60:
61: C�Co�om�mm�ma�an�nd�d E�En�nv�vi�ir�ro�on�nm�me�en�nt�t
62: Since environment variables can influence program behavior, _�s_�u_�d_�o_�e_�r_�s
63: provides a means to restrict which variables from the user's
64: environment are inherited by the command to be run. There are two
65: distinct ways _�s_�u_�d_�o_�e_�r_�s can deal with environment variables.
66:
67: By default, the _�e_�n_�v_�__�r_�e_�s_�e_�t option is enabled. This causes commands to
68: be executed with a minimal environment containing TERM, PATH, HOME,
69: MAIL, SHELL, LOGNAME, USER and USERNAME in addition to variables from
70: the invoking process permitted by the _�e_�n_�v_�__�c_�h_�e_�c_�k and _�e_�n_�v_�__�k_�e_�e_�p options.
71: This is effectively a whitelist for environment variables.
72:
73: If, however, the _�e_�n_�v_�__�r_�e_�s_�e_�t option is disabled, any variables not
74: explicitly denied by the _�e_�n_�v_�__�c_�h_�e_�c_�k and _�e_�n_�v_�__�d_�e_�l_�e_�t_�e options are inherited
75: from the invoking process. In this case, _�e_�n_�v_�__�c_�h_�e_�c_�k and _�e_�n_�v_�__�d_�e_�l_�e_�t_�e
76: behave like a blacklist. Since it is not possible to blacklist all
77: potentially dangerous environment variables, use of the default
78: _�e_�n_�v_�__�r_�e_�s_�e_�t behavior is encouraged.
79:
80: In all cases, environment variables with a value beginning with () are
81: removed as they could be interpreted as b�ba�as�sh�h functions. The list of
82: environment variables that s�su�ud�do�o allows or denies is contained in the
83: output of sudo -V when run as root.
84:
85: Note that the dynamic linker on most operating systems will remove
86: variables that can control dynamic linking from the environment of
87: setuid executables, including s�su�ud�do�o. Depending on the operating system
88: this may include _RLD*, DYLD_*, LD_*, LDR_*, LIBPATH, SHLIB_PATH, and
89: others. These type of variables are removed from the environment
90: before s�su�ud�do�o even begins execution and, as such, it is not possible for
91: s�su�ud�do�o to preserve them.
92:
93: As a special case, if s�su�ud�do�o's -�-i�i option (initial login) is specified,
94: _�s_�u_�d_�o_�e_�r_�s will initialize the environment regardless of the value of
95: _�e_�n_�v_�__�r_�e_�s_�e_�t. The _�D_�I_�S_�P_�L_�A_�Y, _�P_�A_�T_�H and _�T_�E_�R_�M variables remain unchanged;
96: _�H_�O_�M_�E, _�M_�A_�I_�L, _�S_�H_�E_�L_�L, _�U_�S_�E_�R, and _�L_�O_�G_�N_�A_�M_�E are set based on the target user.
97: On Linux and AIX systems the contents of _�/_�e_�t_�c_�/_�e_�n_�v_�i_�r_�o_�n_�m_�e_�n_�t are also
98: included. All other environment variables are removed.
99:
100: S�SU�UD�DO�OE�ER�RS�S F�FI�IL�LE�E F�FO�OR�RM�MA�AT�T
101: The _�s_�u_�d_�o_�e_�r_�s file is composed of two types of entries: aliases
102: (basically variables) and user specifications (which specify who may
103: run what).
104:
105: When multiple entries match for a user, they are applied in order.
106: Where there are multiple matches, the last match is used (which is not
107: necessarily the most specific match).
108:
109: The _�s_�u_�d_�o_�e_�r_�s grammar will be described below in Extended Backus-Naur
110: Form (EBNF). Don't despair if you don't know what EBNF is; it is
111: fairly simple, and the definitions below are annotated.
112:
113: Q�Qu�ui�ic�ck�k g�gu�ui�id�de�e t�to�o E�EB�BN�NF�F
114: EBNF is a concise and exact way of describing the grammar of a
115: language. Each EBNF definition is made up of _�p_�r_�o_�d_�u_�c_�t_�i_�o_�n _�r_�u_�l_�e_�s. E.g.,
116:
117: symbol ::= definition | alternate1 | alternate2 ...
118:
119: Each _�p_�r_�o_�d_�u_�c_�t_�i_�o_�n _�r_�u_�l_�e references others and thus makes up a grammar for
120: the language. EBNF also contains the following operators, which many
121: readers will recognize from regular expressions. Do not, however,
122: confuse them with "wildcard" characters, which have different meanings.
123:
124: ? Means that the preceding symbol (or group of symbols) is optional.
125: That is, it may appear once or not at all.
126:
127: * Means that the preceding symbol (or group of symbols) may appear
128: zero or more times.
129:
130: + Means that the preceding symbol (or group of symbols) may appear
131: one or more times.
132:
133: Parentheses may be used to group symbols together. For clarity, we
134: will use single quotes ('') to designate what is a verbatim character
135: string (as opposed to a symbol name).
136:
137: A�Al�li�ia�as�se�es�s
138: There are four kinds of aliases: User_Alias, Runas_Alias, Host_Alias
139: and Cmnd_Alias.
140:
141: Alias ::= 'User_Alias' User_Alias (':' User_Alias)* |
142: 'Runas_Alias' Runas_Alias (':' Runas_Alias)* |
143: 'Host_Alias' Host_Alias (':' Host_Alias)* |
144: 'Cmnd_Alias' Cmnd_Alias (':' Cmnd_Alias)*
145:
146: User_Alias ::= NAME '=' User_List
147:
148: Runas_Alias ::= NAME '=' Runas_List
149:
150: Host_Alias ::= NAME '=' Host_List
151:
152: Cmnd_Alias ::= NAME '=' Cmnd_List
153:
154: NAME ::= [A-Z]([A-Z][0-9]_)*
155:
156: Each _�a_�l_�i_�a_�s definition is of the form
157:
158: Alias_Type NAME = item1, item2, ...
159:
160: where _�A_�l_�i_�a_�s_�__�T_�y_�p_�e is one of User_Alias, Runas_Alias, Host_Alias, or
161: Cmnd_Alias. A NAME is a string of uppercase letters, numbers, and
162: underscore characters ('_'). A NAME m�mu�us�st�t start with an uppercase
163: letter. It is possible to put several alias definitions of the same
164: type on a single line, joined by a colon (':'). E.g.,
165:
166: Alias_Type NAME = item1, item2, item3 : NAME = item4, item5
167:
168: The definitions of what constitutes a valid _�a_�l_�i_�a_�s member follow.
169:
170: User_List ::= User |
171: User ',' User_List
172:
173: User ::= '!'* user name |
174: '!'* #uid |
175: '!'* %group |
176: '!'* %#gid |
177: '!'* +netgroup |
178: '!'* %:nonunix_group |
179: '!'* %:#nonunix_gid |
180: '!'* User_Alias
181:
182: A User_List is made up of one or more user names, user ids (prefixed
183: with '#'), system group names and ids (prefixed with '%' and '%#'
184: respectively), netgroups (prefixed with '+'), non-Unix group names and
185: IDs (prefixed with '%:' and '%:#' respectively) and User_Aliases. Each
186: list item may be prefixed with zero or more '!' operators. An odd
187: number of '!' operators negate the value of the item; an even number
188: just cancel each other out.
189:
190: A user name, uid, group, gid, netgroup, nonunix_group or nonunix_gid
191: may be enclosed in double quotes to avoid the need for escaping special
192: characters. Alternately, special characters may be specified in
193: escaped hex mode, e.g. \x20 for space. When using double quotes, any
194: prefix characters must be included inside the quotes.
195:
196: The actual nonunix_group and nonunix_gid syntax depends on the
197: underlying group provider plugin (see the _�g_�r_�o_�u_�p_�__�p_�l_�u_�g_�i_�n description
198: below). For instance, the QAS AD plugin supports the following
199: formats:
200:
201: +�o Group in the same domain: "Group Name"
202:
203: +�o Group in any domain: "Group Name@FULLY.QUALIFIED.DOMAIN"
204:
205: +�o Group SID: "S-1-2-34-5678901234-5678901234-5678901234-567"
206:
207: Note that quotes around group names are optional. Unquoted strings
208: must use a backslash (\) to escape spaces and special characters. See
209: "Other special characters and reserved words" for a list of characters
210: that need to be escaped.
211:
212: Runas_List ::= Runas_Member |
213: Runas_Member ',' Runas_List
214:
215: Runas_Member ::= '!'* user name |
216: '!'* #uid |
217: '!'* %group |
218: '!'* %#gid |
219: '!'* %:nonunix_group |
220: '!'* %:#nonunix_gid |
221: '!'* +netgroup |
222: '!'* Runas_Alias
223:
224: A Runas_List is similar to a User_List except that instead of
225: User_Aliases it can contain Runas_Aliases. Note that user names and
226: groups are matched as strings. In other words, two users (groups) with
227: the same uid (gid) are considered to be distinct. If you wish to match
228: all user names with the same uid (e.g. root and toor), you can use a
229: uid instead (#0 in the example given).
230:
231: Host_List ::= Host |
232: Host ',' Host_List
233:
234: Host ::= '!'* host name |
235: '!'* ip_addr |
236: '!'* network(/netmask)? |
237: '!'* +netgroup |
238: '!'* Host_Alias
239:
240: A Host_List is made up of one or more host names, IP addresses, network
241: numbers, netgroups (prefixed with '+') and other aliases. Again, the
242: value of an item may be negated with the '!' operator. If you do not
243: specify a netmask along with the network number, s�su�ud�do�o will query each
244: of the local host's network interfaces and, if the network number
245: corresponds to one of the hosts's network interfaces, the corresponding
246: netmask will be used. The netmask may be specified either in standard
247: IP address notation (e.g. 255.255.255.0 or ffff:ffff:ffff:ffff::), or
248: CIDR notation (number of bits, e.g. 24 or 64). A host name may include
249: shell-style wildcards (see the Wildcards section below), but unless the
250: host name command on your machine returns the fully qualified host
251: name, you'll need to use the _�f_�q_�d_�n option for wildcards to be useful.
252: Note s�su�ud�do�o only inspects actual network interfaces; this means that IP
253: address 127.0.0.1 (localhost) will never match. Also, the host name
254: "localhost" will only match if that is the actual host name, which is
255: usually only the case for non-networked systems.
256:
257: Cmnd_List ::= Cmnd |
258: Cmnd ',' Cmnd_List
259:
260: commandname ::= file name |
261: file name args |
262: file name '""'
263:
264: Cmnd ::= '!'* commandname |
265: '!'* directory |
266: '!'* "sudoedit" |
267: '!'* Cmnd_Alias
268:
269: A Cmnd_List is a list of one or more commandnames, directories, and
270: other aliases. A commandname is a fully qualified file name which may
271: include shell-style wildcards (see the Wildcards section below). A
272: simple file name allows the user to run the command with any arguments
273: he/she wishes. However, you may also specify command line arguments
274: (including wildcards). Alternately, you can specify "" to indicate
275: that the command may only be run w�wi�it�th�ho�ou�ut�t command line arguments. A
276: directory is a fully qualified path name ending in a '/'. When you
277: specify a directory in a Cmnd_List, the user will be able to run any
278: file within that directory (but not in any subdirectories therein).
279:
280: If a Cmnd has associated command line arguments, then the arguments in
281: the Cmnd must match exactly those given by the user on the command line
282: (or match the wildcards if there are any). Note that the following
283: characters must be escaped with a '\' if they are used in command
284: arguments: ',', ':', '=', '\'. The special command "sudoedit" is used
285: to permit a user to run s�su�ud�do�o with the -�-e�e option (or as s�su�ud�do�oe�ed�di�it�t). It
286: may take command line arguments just as a normal command does.
287:
288: D�De�ef�fa�au�ul�lt�ts�s
289: Certain configuration options may be changed from their default values
290: at runtime via one or more Default_Entry lines. These may affect all
291: users on any host, all users on a specific host, a specific user, a
292: specific command, or commands being run as a specific user. Note that
293: per-command entries may not include command line arguments. If you
294: need to specify arguments, define a Cmnd_Alias and reference that
295: instead.
296:
297: Default_Type ::= 'Defaults' |
298: 'Defaults' '@' Host_List |
299: 'Defaults' ':' User_List |
300: 'Defaults' '!' Cmnd_List |
301: 'Defaults' '>' Runas_List
302:
303: Default_Entry ::= Default_Type Parameter_List
304:
305: Parameter_List ::= Parameter |
306: Parameter ',' Parameter_List
307:
308: Parameter ::= Parameter '=' Value |
309: Parameter '+=' Value |
310: Parameter '-=' Value |
311: '!'* Parameter
312:
313: Parameters may be f�fl�la�ag�gs�s, i�in�nt�te�eg�ge�er�r values, s�st�tr�ri�in�ng�gs�s, or l�li�is�st�ts�s. Flags are
314: implicitly boolean and can be turned off via the '!' operator. Some
315: integer, string and list parameters may also be used in a boolean
316: context to disable them. Values may be enclosed in double quotes (")
317: when they contain multiple words. Special characters may be escaped
318: with a backslash (\).
319:
320: Lists have two additional assignment operators, += and -=. These
321: operators are used to add to and delete from a list respectively. It
322: is not an error to use the -= operator to remove an element that does
323: not exist in a list.
324:
325: Defaults entries are parsed in the following order: generic, host and
326: user Defaults first, then runas Defaults and finally command defaults.
327:
328: See "SUDOERS OPTIONS" for a list of supported Defaults parameters.
329:
330: U�Us�se�er�r S�Sp�pe�ec�ci�if�fi�ic�ca�at�ti�io�on�n
331: User_Spec ::= User_List Host_List '=' Cmnd_Spec_List \
332: (':' Host_List '=' Cmnd_Spec_List)*
333:
334: Cmnd_Spec_List ::= Cmnd_Spec |
335: Cmnd_Spec ',' Cmnd_Spec_List
336:
337: Cmnd_Spec ::= Runas_Spec? SELinux_Spec? Tag_Spec* Cmnd
338:
339: Runas_Spec ::= '(' Runas_List? (':' Runas_List)? ')'
340:
341: SELinux_Spec ::= ('ROLE=role' | 'TYPE=type')
342:
343: Tag_Spec ::= ('NOPASSWD:' | 'PASSWD:' | 'NOEXEC:' | 'EXEC:' |
344: 'SETENV:' | 'NOSETENV:' | 'LOG_INPUT:' | 'NOLOG_INPUT:' |
345: 'LOG_OUTPUT:' | 'NOLOG_OUTPUT:')
346:
347: A u�us�se�er�r s�sp�pe�ec�ci�if�fi�ic�ca�at�ti�io�on�n determines which commands a user may run (and as
348: what user) on specified hosts. By default, commands are run as r�ro�oo�ot�t,
349: but this can be changed on a per-command basis.
350:
351: The basic structure of a user specification is `who where = (as_whom)
352: what'. Let's break that down into its constituent parts:
353:
354: R�Ru�un�na�as�s_�_S�Sp�pe�ec�c
355: A Runas_Spec determines the user and/or the group that a command may be
356: run as. A fully-specified Runas_Spec consists of two Runas_Lists (as
357: defined above) separated by a colon (':') and enclosed in a set of
358: parentheses. The first Runas_List indicates which users the command
359: may be run as via s�su�ud�do�o's -�-u�u option. The second defines a list of
360: groups that can be specified via s�su�ud�do�o's -�-g�g option. If both Runas_Lists
361: are specified, the command may be run with any combination of users and
362: groups listed in their respective Runas_Lists. If only the first is
363: specified, the command may be run as any user in the list but no -�-g�g
364: option may be specified. If the first Runas_List is empty but the
365: second is specified, the command may be run as the invoking user with
366: the group set to any listed in the Runas_List. If no Runas_Spec is
367: specified the command may be run as r�ro�oo�ot�t and no group may be specified.
368:
369: A Runas_Spec sets the default for the commands that follow it. What
370: this means is that for the entry:
371:
372: dgb boulder = (operator) /bin/ls, /bin/kill, /usr/bin/lprm
373:
374: The user d�dg�gb�b may run _�/_�b_�i_�n_�/_�l_�s, _�/_�b_�i_�n_�/_�k_�i_�l_�l, and _�/_�u_�s_�r_�/_�b_�i_�n_�/_�l_�p_�r_�m -- but only
375: as o�op�pe�er�ra�at�to�or�r. E.g.,
376:
377: $ sudo -u operator /bin/ls
378:
379: It is also possible to override a Runas_Spec later on in an entry. If
380: we modify the entry like so:
381:
382: dgb boulder = (operator) /bin/ls, (root) /bin/kill, /usr/bin/lprm
383:
384: Then user d�dg�gb�b is now allowed to run _�/_�b_�i_�n_�/_�l_�s as o�op�pe�er�ra�at�to�or�r, but _�/_�b_�i_�n_�/_�k_�i_�l_�l
385: and _�/_�u_�s_�r_�/_�b_�i_�n_�/_�l_�p_�r_�m as r�ro�oo�ot�t.
386:
387: We can extend this to allow d�dg�gb�b to run /bin/ls with either the user or
388: group set to o�op�pe�er�ra�at�to�or�r:
389:
390: dgb boulder = (operator : operator) /bin/ls, (root) /bin/kill, \
391: /usr/bin/lprm
392:
393: Note that while the group portion of the Runas_Spec permits the user to
394: run as command with that group, it does not force the user to do so.
395: If no group is specified on the command line, the command will run with
396: the group listed in the target user's password database entry. The
397: following would all be permitted by the sudoers entry above:
398:
399: $ sudo -u operator /bin/ls
400: $ sudo -u operator -g operator /bin/ls
401: $ sudo -g operator /bin/ls
402:
403: In the following example, user t�tc�cm�m may run commands that access a modem
404: device file with the dialer group.
405:
406: tcm boulder = (:dialer) /usr/bin/tip, /usr/bin/cu, \
407: /usr/local/bin/minicom
408:
409: Note that in this example only the group will be set, the command still
410: runs as user t�tc�cm�m. E.g.
411:
412: $ sudo -g dialer /usr/bin/cu
413:
414: Multiple users and groups may be present in a Runas_Spec, in which case
415: the user may select any combination of users and groups via the -�-u�u and
416: -�-g�g options. In this example:
417:
418: alan ALL = (root, bin : operator, system) ALL
419:
420: user a�al�la�an�n may run any command as either user root or bin, optionally
421: setting the group to operator or system.
422:
423: S�SE�EL�Li�in�nu�ux�x_�_S�Sp�pe�ec�c
424: On systems with SELinux support, _�s_�u_�d_�o_�e_�r_�s entries may optionally have an
425: SELinux role and/or type associated with a command. If a role or type
426: is specified with the command it will override any default values
427: specified in _�s_�u_�d_�o_�e_�r_�s. A role or type specified on the command line,
428: however, will supercede the values in _�s_�u_�d_�o_�e_�r_�s.
429:
430: T�Ta�ag�g_�_S�Sp�pe�ec�c
431: A command may have zero or more tags associated with it. There are
432: eight possible tag values, NOPASSWD, PASSWD, NOEXEC, EXEC, SETENV,
433: NOSETENV, LOG_INPUT, NOLOG_INPUT, LOG_OUTPUT and NOLOG_OUTPUT. Once a
434: tag is set on a Cmnd, subsequent Cmnds in the Cmnd_Spec_List, inherit
435: the tag unless it is overridden by the opposite tag (i.e.: PASSWD
436: overrides NOPASSWD and NOEXEC overrides EXEC).
437:
438: _�N_�O_�P_�A_�S_�S_�W_�D _�a_�n_�d _�P_�A_�S_�S_�W_�D
439:
440: By default, s�su�ud�do�o requires that a user authenticate him or herself
441: before running a command. This behavior can be modified via the
442: NOPASSWD tag. Like a Runas_Spec, the NOPASSWD tag sets a default for
443: the commands that follow it in the Cmnd_Spec_List. Conversely, the
444: PASSWD tag can be used to reverse things. For example:
445:
446: ray rushmore = NOPASSWD: /bin/kill, /bin/ls, /usr/bin/lprm
447:
448: would allow the user r�ra�ay�y to run _�/_�b_�i_�n_�/_�k_�i_�l_�l, _�/_�b_�i_�n_�/_�l_�s, and _�/_�u_�s_�r_�/_�b_�i_�n_�/_�l_�p_�r_�m
449: as r�ro�oo�ot�t on the machine rushmore without authenticating himself. If we
450: only want r�ra�ay�y to be able to run _�/_�b_�i_�n_�/_�k_�i_�l_�l without a password the entry
451: would be:
452:
453: ray rushmore = NOPASSWD: /bin/kill, PASSWD: /bin/ls, /usr/bin/lprm
454:
455: Note, however, that the PASSWD tag has no effect on users who are in
456: the group specified by the _�e_�x_�e_�m_�p_�t_�__�g_�r_�o_�u_�p option.
457:
458: By default, if the NOPASSWD tag is applied to any of the entries for a
459: user on the current host, he or she will be able to run sudo -l without
460: a password. Additionally, a user may only run sudo -v without a
461: password if the NOPASSWD tag is present for all a user's entries that
462: pertain to the current host. This behavior may be overridden via the
463: verifypw and listpw options.
464:
465: _�N_�O_�E_�X_�E_�C _�a_�n_�d _�E_�X_�E_�C
466:
467: If s�su�ud�do�o has been compiled with _�n_�o_�e_�x_�e_�c support and the underlying
468: operating system supports it, the NOEXEC tag can be used to prevent a
469: dynamically-linked executable from running further commands itself.
470:
471: In the following example, user a�aa�ar�ro�on�n may run _�/_�u_�s_�r_�/_�b_�i_�n_�/_�m_�o_�r_�e and
472: _�/_�u_�s_�r_�/_�b_�i_�n_�/_�v_�i but shell escapes will be disabled.
473:
474: aaron shanty = NOEXEC: /usr/bin/more, /usr/bin/vi
475:
476: See the "PREVENTING SHELL ESCAPES" section below for more details on
477: how NOEXEC works and whether or not it will work on your system.
478:
479: _�S_�E_�T_�E_�N_�V _�a_�n_�d _�N_�O_�S_�E_�T_�E_�N_�V
480:
481: These tags override the value of the _�s_�e_�t_�e_�n_�v option on a per-command
482: basis. Note that if SETENV has been set for a command, the user may
483: disable the _�e_�n_�v_�__�r_�e_�s_�e_�t option from the command line via the -�-E�E option.
484: Additionally, environment variables set on the command line are not
485: subject to the restrictions imposed by _�e_�n_�v_�__�c_�h_�e_�c_�k, _�e_�n_�v_�__�d_�e_�l_�e_�t_�e, or
486: _�e_�n_�v_�__�k_�e_�e_�p. As such, only trusted users should be allowed to set
487: variables in this manner. If the command matched is A�AL�LL�L, the SETENV
488: tag is implied for that command; this default may be overridden by use
489: of the NOSETENV tag.
490:
491: _�L_�O_�G_�__�I_�N_�P_�U_�T _�a_�n_�d _�N_�O_�L_�O_�G_�__�I_�N_�P_�U_�T
492:
493: These tags override the value of the _�l_�o_�g_�__�i_�n_�p_�u_�t option on a per-command
494: basis. For more information, see the description of _�l_�o_�g_�__�i_�n_�p_�u_�t in the
495: "SUDOERS OPTIONS" section below.
496:
497: _�L_�O_�G_�__�O_�U_�T_�P_�U_�T _�a_�n_�d _�N_�O_�L_�O_�G_�__�O_�U_�T_�P_�U_�T
498:
499: These tags override the value of the _�l_�o_�g_�__�o_�u_�t_�p_�u_�t option on a per-command
500: basis. For more information, see the description of _�l_�o_�g_�__�o_�u_�t_�p_�u_�t in the
501: "SUDOERS OPTIONS" section below.
502:
503: W�Wi�il�ld�dc�ca�ar�rd�ds�s
504: s�su�ud�do�o allows shell-style _�w_�i_�l_�d_�c_�a_�r_�d_�s (aka meta or glob characters) to be
505: used in host names, path names and command line arguments in the
506: _�s_�u_�d_�o_�e_�r_�s file. Wildcard matching is done via the P�PO�OS�SI�IX�X _�g_�l_�o_�b(3) and
507: _�f_�n_�m_�a_�t_�c_�h(3) routines. Note that these are _�n_�o_�t regular expressions.
508:
509: * Matches any set of zero or more characters.
510:
511: ? Matches any single character.
512:
513: [...] Matches any character in the specified range.
514:
515: [!...] Matches any character n�no�ot�t in the specified range.
516:
517: \x For any character "x", evaluates to "x". This is used to
518: escape special characters such as: "*", "?", "[", and "}".
519:
520: POSIX character classes may also be used if your system's _�g_�l_�o_�b(3) and
521: _�f_�n_�m_�a_�t_�c_�h(3) functions support them. However, because the ':' character
522: has special meaning in _�s_�u_�d_�o_�e_�r_�s, it must be escaped. For example:
523:
524: /bin/ls [[\:alpha\:]]*
525:
526: Would match any file name beginning with a letter.
527:
528: Note that a forward slash ('/') will n�no�ot�t be matched by wildcards used
529: in the path name. When matching the command line arguments, however, a
530: slash d�do�oe�es�s get matched by wildcards. This is to make a path like:
531:
532: /usr/bin/*
533:
534: match _�/_�u_�s_�r_�/_�b_�i_�n_�/_�w_�h_�o but not _�/_�u_�s_�r_�/_�b_�i_�n_�/_�X_�1_�1_�/_�x_�t_�e_�r_�m.
535:
536: E�Ex�xc�ce�ep�pt�ti�io�on�ns�s t�to�o w�wi�il�ld�dc�ca�ar�rd�d r�ru�ul�le�es�s
537: The following exceptions apply to the above rules:
538:
539: "" If the empty string "" is the only command line argument in the
540: _�s_�u_�d_�o_�e_�r_�s entry it means that command is not allowed to be run
541: with a�an�ny�y arguments.
542:
543: I�In�nc�cl�lu�ud�di�in�ng�g o�ot�th�he�er�r f�fi�il�le�es�s f�fr�ro�om�m w�wi�it�th�hi�in�n s�su�ud�do�oe�er�rs�s
544: It is possible to include other _�s_�u_�d_�o_�e_�r_�s files from within the _�s_�u_�d_�o_�e_�r_�s
545: file currently being parsed using the #include and #includedir
546: directives.
547:
548: This can be used, for example, to keep a site-wide _�s_�u_�d_�o_�e_�r_�s file in
549: addition to a local, per-machine file. For the sake of this example
550: the site-wide _�s_�u_�d_�o_�e_�r_�s will be _�/_�e_�t_�c_�/_�s_�u_�d_�o_�e_�r_�s and the per-machine one will
551: be _�/_�e_�t_�c_�/_�s_�u_�d_�o_�e_�r_�s_�._�l_�o_�c_�a_�l. To include _�/_�e_�t_�c_�/_�s_�u_�d_�o_�e_�r_�s_�._�l_�o_�c_�a_�l from within
552: _�/_�e_�t_�c_�/_�s_�u_�d_�o_�e_�r_�s we would use the following line in _�/_�e_�t_�c_�/_�s_�u_�d_�o_�e_�r_�s:
553:
554: #include /etc/sudoers.local
555:
556: When s�su�ud�do�o reaches this line it will suspend processing of the current
557: file (_�/_�e_�t_�c_�/_�s_�u_�d_�o_�e_�r_�s) and switch to _�/_�e_�t_�c_�/_�s_�u_�d_�o_�e_�r_�s_�._�l_�o_�c_�a_�l. Upon reaching
558: the end of _�/_�e_�t_�c_�/_�s_�u_�d_�o_�e_�r_�s_�._�l_�o_�c_�a_�l, the rest of _�/_�e_�t_�c_�/_�s_�u_�d_�o_�e_�r_�s will be
559: processed. Files that are included may themselves include other files.
560: A hard limit of 128 nested include files is enforced to prevent include
561: file loops.
562:
563: The file name may include the %h escape, signifying the short form of
564: the host name. I.e., if the machine's host name is "xerxes", then
565:
566: #include /etc/sudoers.%h
567:
568: will cause s�su�ud�do�o to include the file _�/_�e_�t_�c_�/_�s_�u_�d_�o_�e_�r_�s_�._�x_�e_�r_�x_�e_�s.
569:
570: The #includedir directive can be used to create a _�s_�u_�d_�o_�._�d directory that
571: the system package manager can drop _�s_�u_�d_�o_�e_�r_�s rules into as part of
572: package installation. For example, given:
573:
574: #includedir /etc/sudoers.d
575:
576: s�su�ud�do�o will read each file in _�/_�e_�t_�c_�/_�s_�u_�d_�o_�e_�r_�s_�._�d, skipping file names that
577: end in ~ or contain a . character to avoid causing problems with
578: package manager or editor temporary/backup files. Files are parsed in
579: sorted lexical order. That is, _�/_�e_�t_�c_�/_�s_�u_�d_�o_�e_�r_�s_�._�d_�/_�0_�1_�__�f_�i_�r_�s_�t will be parsed
580: before _�/_�e_�t_�c_�/_�s_�u_�d_�o_�e_�r_�s_�._�d_�/_�1_�0_�__�s_�e_�c_�o_�n_�d. Be aware that because the sorting is
581: lexical, not numeric, _�/_�e_�t_�c_�/_�s_�u_�d_�o_�e_�r_�s_�._�d_�/_�1_�__�w_�h_�o_�o_�p_�s would be loaded a�af�ft�te�er�r
582: _�/_�e_�t_�c_�/_�s_�u_�d_�o_�e_�r_�s_�._�d_�/_�1_�0_�__�s_�e_�c_�o_�n_�d. Using a consistent number of leading zeroes
583: in the file names can be used to avoid such problems.
584:
585: Note that unlike files included via #include, v�vi�is�su�ud�do�o will not edit the
586: files in a #includedir directory unless one of them contains a syntax
587: error. It is still possible to run v�vi�is�su�ud�do�o with the -f flag to edit the
588: files directly.
589:
590: O�Ot�th�he�er�r s�sp�pe�ec�ci�ia�al�l c�ch�ha�ar�ra�ac�ct�te�er�rs�s a�an�nd�d r�re�es�se�er�rv�ve�ed�d w�wo�or�rd�ds�s
591: The pound sign ('#') is used to indicate a comment (unless it is part
592: of a #include directive or unless it occurs in the context of a user
593: name and is followed by one or more digits, in which case it is treated
594: as a uid). Both the comment character and any text after it, up to the
595: end of the line, are ignored.
596:
597: The reserved word A�AL�LL�L is a built-in _�a_�l_�i_�a_�s that always causes a match to
598: succeed. It can be used wherever one might otherwise use a Cmnd_Alias,
599: User_Alias, Runas_Alias, or Host_Alias. You should not try to define
600: your own _�a_�l_�i_�a_�s called A�AL�LL�L as the built-in alias will be used in
601: preference to your own. Please note that using A�AL�LL�L can be dangerous
602: since in a command context, it allows the user to run a�an�ny�y command on
603: the system.
604:
605: An exclamation point ('!') can be used as a logical _�n_�o_�t operator both
606: in an _�a_�l_�i_�a_�s and in front of a Cmnd. This allows one to exclude certain
607: values. Note, however, that using a ! in conjunction with the built-in
608: ALL alias to allow a user to run "all but a few" commands rarely works
609: as intended (see SECURITY NOTES below).
610:
611: Long lines can be continued with a backslash ('\') as the last
612: character on the line.
613:
614: Whitespace between elements in a list as well as special syntactic
615: characters in a _�U_�s_�e_�r _�S_�p_�e_�c_�i_�f_�i_�c_�a_�t_�i_�o_�n ('=', ':', '(', ')') is optional.
616:
617: The following characters must be escaped with a backslash ('\') when
618: used as part of a word (e.g. a user name or host name): '!', '=', ':',
619: ',', '(', ')', '\'.
620:
621: S�SU�UD�DO�OE�ER�RS�S O�OP�PT�TI�IO�ON�NS�S
622: s�su�ud�do�o's behavior can be modified by Default_Entry lines, as explained
623: earlier. A list of all supported Defaults parameters, grouped by type,
624: are listed below.
625:
626: B�Bo�oo�ol�le�ea�an�n F�Fl�la�ag�gs�s:
627:
628: always_set_home If enabled, s�su�ud�do�o will set the HOME environment variable
629: to the home directory of the target user (which is root
630: unless the -�-u�u option is used). This effectively means
631: that the -�-H�H option is always implied. Note that HOME
632: is already set when the the _�e_�n_�v_�__�r_�e_�s_�e_�t option is
633: enabled, so _�a_�l_�w_�a_�y_�s_�__�s_�e_�t_�__�h_�o_�m_�e is only effective for
634: configurations where either _�e_�n_�v_�__�r_�e_�s_�e_�t is disabled or
635: HOME is present in the _�e_�n_�v_�__�k_�e_�e_�p list. This flag is _�o_�f_�f
636: by default.
637:
638: authenticate If set, users must authenticate themselves via a
639: password (or other means of authentication) before they
640: may run commands. This default may be overridden via
641: the PASSWD and NOPASSWD tags. This flag is _�o_�n by
642: default.
643:
644: closefrom_override
645: If set, the user may use s�su�ud�do�o's -�-C�C option which
646: overrides the default starting point at which s�su�ud�do�o
647: begins closing open file descriptors. This flag is _�o_�f_�f
648: by default.
649:
650: compress_io If set, and s�su�ud�do�o is configured to log a command's input
651: or output, the I/O logs will be compressed using z�zl�li�ib�b.
652: This flag is _�o_�n by default when s�su�ud�do�o is compiled with
653: z�zl�li�ib�b support.
654:
655: env_editor If set, v�vi�is�su�ud�do�o will use the value of the EDITOR or
656: VISUAL environment variables before falling back on the
657: default editor list. Note that this may create a
658: security hole as it allows the user to run any
659: arbitrary command as root without logging. A safer
660: alternative is to place a colon-separated list of
661: editors in the editor variable. v�vi�is�su�ud�do�o will then only
662: use the EDITOR or VISUAL if they match a value
663: specified in editor. This flag is _�o_�f_�f by default.
664:
665: env_reset If set, s�su�ud�do�o will reset the environment to only contain
666: the LOGNAME, MAIL, SHELL, USER, USERNAME and the SUDO_*
667: variables. Any variables in the caller's environment
668: that match the env_keep and env_check lists are then
669: added. The default contents of the env_keep and
670: env_check lists are displayed when s�su�ud�do�o is run by root
671: with the _�-_�V option. If the _�s_�e_�c_�u_�r_�e_�__�p_�a_�t_�h option is set,
672: its value will be used for the PATH environment
673: variable. This flag is _�o_�n by default.
674:
675: fast_glob Normally, s�su�ud�do�o uses the _�g_�l_�o_�b(3) function to do shell-
676: style globbing when matching path names. However,
677: since it accesses the file system, _�g_�l_�o_�b(3) can take a
678: long time to complete for some patterns, especially
679: when the pattern references a network file system that
680: is mounted on demand (automounted). The _�f_�a_�s_�t_�__�g_�l_�o_�b
681: option causes s�su�ud�do�o to use the _�f_�n_�m_�a_�t_�c_�h(3) function,
682: which does not access the file system to do its
683: matching. The disadvantage of _�f_�a_�s_�t_�__�g_�l_�o_�b is that it is
684: unable to match relative path names such as _�._�/_�l_�s or
685: _�._�._�/_�b_�i_�n_�/_�l_�s. This has security implications when path
686: names that include globbing characters are used with
687: the negation operator, '!', as such rules can be
688: trivially bypassed. As such, this option should not be
689: used when _�s_�u_�d_�o_�e_�r_�s contains rules that contain negated
690: path names which include globbing characters. This
691: flag is _�o_�f_�f by default.
692:
693: fqdn Set this flag if you want to put fully qualified host
694: names in the _�s_�u_�d_�o_�e_�r_�s file. I.e., instead of myhost you
695: would use myhost.mydomain.edu. You may still use the
696: short form if you wish (and even mix the two). Beware
697: that turning on _�f_�q_�d_�n requires s�su�ud�do�o to make DNS lookups
698: which may make s�su�ud�do�o unusable if DNS stops working (for
699: example if the machine is not plugged into the
700: network). Also note that you must use the host's
701: official name as DNS knows it. That is, you may not
702: use a host alias (CNAME entry) due to performance
703: issues and the fact that there is no way to get all
704: aliases from DNS. If your machine's host name (as
705: returned by the hostname command) is already fully
706: qualified you shouldn't need to set _�f_�q_�d_�n. This flag is
707: _�o_�f_�f by default.
708:
709: ignore_dot If set, s�su�ud�do�o will ignore '.' or '' (current dir) in the
710: PATH environment variable; the PATH itself is not
711: modified. This flag is _�o_�f_�f by default.
712:
713: ignore_local_sudoers
714: If set via LDAP, parsing of _�/_�e_�t_�c_�/_�s_�u_�d_�o_�e_�r_�s will be
715: skipped. This is intended for Enterprises that wish to
716: prevent the usage of local sudoers files so that only
717: LDAP is used. This thwarts the efforts of rogue
718: operators who would attempt to add roles to
719: _�/_�e_�t_�c_�/_�s_�u_�d_�o_�e_�r_�s. When this option is present,
720: _�/_�e_�t_�c_�/_�s_�u_�d_�o_�e_�r_�s does not even need to exist. Since this
721: option tells s�su�ud�do�o how to behave when no specific LDAP
722: entries have been matched, this sudoOption is only
723: meaningful for the cn=defaults section. This flag is
724: _�o_�f_�f by default.
725:
726: insults If set, s�su�ud�do�o will insult users when they enter an
727: incorrect password. This flag is _�o_�f_�f by default.
728:
729: log_host If set, the host name will be logged in the (non-
730: syslog) s�su�ud�do�o log file. This flag is _�o_�f_�f by default.
731:
732: log_input If set, s�su�ud�do�o will run the command in a _�p_�s_�e_�u_�d_�o _�t_�t_�y and
733: log all user input. If the standard input is not
734: connected to the user's tty, due to I/O redirection or
735: because the command is part of a pipeline, that input
736: is also captured and stored in a separate log file.
737:
738: Input is logged to the directory specified by the
739: _�i_�o_�l_�o_�g_�__�d_�i_�r option (_�/_�v_�a_�r_�/_�l_�o_�g_�/_�s_�u_�d_�o_�-_�i_�o by default) using a
740: unique session ID that is included in the normal s�su�ud�do�o
741: log line, prefixed with _�T_�S_�I_�D_�=. The _�i_�o_�l_�o_�g_�__�f_�i_�l_�e option
742: may be used to control the format of the session ID.
743:
744: Note that user input may contain sensitive information
745: such as passwords (even if they are not echoed to the
746: screen), which will be stored in the log file
747: unencrypted. In most cases, logging the command output
748: via _�l_�o_�g_�__�o_�u_�t_�p_�u_�t is all that is required.
749:
750: log_output If set, s�su�ud�do�o will run the command in a _�p_�s_�e_�u_�d_�o _�t_�t_�y and
751: log all output that is sent to the screen, similar to
752: the _�s_�c_�r_�i_�p_�t(1) command. If the standard output or
753: standard error is not connected to the user's tty, due
754: to I/O redirection or because the command is part of a
755: pipeline, that output is also captured and stored in
756: separate log files.
757:
758: Output is logged to the directory specified by the
759: _�i_�o_�l_�o_�g_�__�d_�i_�r option (_�/_�v_�a_�r_�/_�l_�o_�g_�/_�s_�u_�d_�o_�-_�i_�o by default) using a
760: unique session ID that is included in the normal s�su�ud�do�o
761: log line, prefixed with _�T_�S_�I_�D_�=. The _�i_�o_�l_�o_�g_�__�f_�i_�l_�e option
762: may be used to control the format of the session ID.
763:
764: Output logs may be viewed with the _�s_�u_�d_�o_�r_�e_�p_�l_�a_�y(1m)
765: utility, which can also be used to list or search the
766: available logs.
767:
768: log_year If set, the four-digit year will be logged in the (non-
769: syslog) s�su�ud�do�o log file. This flag is _�o_�f_�f by default.
770:
771: long_otp_prompt When validating with a One Time Password (OTP) scheme
772: such as S�S/�/K�Ke�ey�y or O�OP�PI�IE�E, a two-line prompt is used to
773: make it easier to cut and paste the challenge to a
774: local window. It's not as pretty as the default but
775: some people find it more convenient. This flag is _�o_�f_�f
776: by default.
777:
778: mail_always Send mail to the _�m_�a_�i_�l_�t_�o user every time a users runs
779: s�su�ud�do�o. This flag is _�o_�f_�f by default.
780:
781: mail_badpass Send mail to the _�m_�a_�i_�l_�t_�o user if the user running s�su�ud�do�o
782: does not enter the correct password. This flag is _�o_�f_�f
783: by default.
784:
785: mail_no_host If set, mail will be sent to the _�m_�a_�i_�l_�t_�o user if the
786: invoking user exists in the _�s_�u_�d_�o_�e_�r_�s file, but is not
787: allowed to run commands on the current host. This flag
788: is _�o_�f_�f by default.
789:
790: mail_no_perms If set, mail will be sent to the _�m_�a_�i_�l_�t_�o user if the
791: invoking user is allowed to use s�su�ud�do�o but the command
792: they are trying is not listed in their _�s_�u_�d_�o_�e_�r_�s file
793: entry or is explicitly denied. This flag is _�o_�f_�f by
794: default.
795:
796: mail_no_user If set, mail will be sent to the _�m_�a_�i_�l_�t_�o user if the
797: invoking user is not in the _�s_�u_�d_�o_�e_�r_�s file. This flag is
798: _�o_�n by default.
799:
800: noexec If set, all commands run via s�su�ud�do�o will behave as if the
801: NOEXEC tag has been set, unless overridden by a EXEC
802: tag. See the description of _�N_�O_�E_�X_�E_�C _�a_�n_�d _�E_�X_�E_�C below as
803: well as the "PREVENTING SHELL ESCAPES" section at the
804: end of this manual. This flag is _�o_�f_�f by default.
805:
806: path_info Normally, s�su�ud�do�o will tell the user when a command could
807: not be found in their PATH environment variable. Some
808: sites may wish to disable this as it could be used to
809: gather information on the location of executables that
810: the normal user does not have access to. The
811: disadvantage is that if the executable is simply not in
812: the user's PATH, s�su�ud�do�o will tell the user that they are
813: not allowed to run it, which can be confusing. This
814: flag is _�o_�n by default.
815:
816: passprompt_override
817: The password prompt specified by _�p_�a_�s_�s_�p_�r_�o_�m_�p_�t will
818: normally only be used if the password prompt provided
819: by systems such as PAM matches the string "Password:".
820: If _�p_�a_�s_�s_�p_�r_�o_�m_�p_�t_�__�o_�v_�e_�r_�r_�i_�d_�e is set, _�p_�a_�s_�s_�p_�r_�o_�m_�p_�t will always
821: be used. This flag is _�o_�f_�f by default.
822:
823: preserve_groups By default, s�su�ud�do�o will initialize the group vector to
824: the list of groups the target user is in. When
825: _�p_�r_�e_�s_�e_�r_�v_�e_�__�g_�r_�o_�u_�p_�s is set, the user's existing group
826: vector is left unaltered. The real and effective group
827: IDs, however, are still set to match the target user.
828: This flag is _�o_�f_�f by default.
829:
830: pwfeedback By default, s�su�ud�do�o reads the password like most other
831: Unix programs, by turning off echo until the user hits
832: the return (or enter) key. Some users become confused
833: by this as it appears to them that s�su�ud�do�o has hung at
834: this point. When _�p_�w_�f_�e_�e_�d_�b_�a_�c_�k is set, s�su�ud�do�o will provide
835: visual feedback when the user presses a key. Note that
836: this does have a security impact as an onlooker may be
837: able to determine the length of the password being
838: entered. This flag is _�o_�f_�f by default.
839:
840: requiretty If set, s�su�ud�do�o will only run when the user is logged in
841: to a real tty. When this flag is set, s�su�ud�do�o can only be
842: run from a login session and not via other means such
843: as _�c_�r_�o_�n(1m) or cgi-bin scripts. This flag is _�o_�f_�f by
844: default.
845:
846: root_sudo If set, root is allowed to run s�su�ud�do�o too. Disabling
847: this prevents users from "chaining" s�su�ud�do�o commands to
848: get a root shell by doing something like "sudo sudo
849: /bin/sh". Note, however, that turning off _�r_�o_�o_�t_�__�s_�u_�d_�o
850: will also prevent root from running s�su�ud�do�oe�ed�di�it�t.
851: Disabling _�r_�o_�o_�t_�__�s_�u_�d_�o provides no real additional
852: security; it exists purely for historical reasons.
853: This flag is _�o_�n by default.
854:
855: rootpw If set, s�su�ud�do�o will prompt for the root password instead
856: of the password of the invoking user. This flag is _�o_�f_�f
857: by default.
858:
859: runaspw If set, s�su�ud�do�o will prompt for the password of the user
860: defined by the _�r_�u_�n_�a_�s_�__�d_�e_�f_�a_�u_�l_�t option (defaults to root)
861: instead of the password of the invoking user. This
862: flag is _�o_�f_�f by default.
863:
864: set_home If enabled and s�su�ud�do�o is invoked with the -�-s�s option the
865: HOME environment variable will be set to the home
866: directory of the target user (which is root unless the
867: -�-u�u option is used). This effectively makes the -�-s�s
868: option imply -�-H�H. Note that HOME is already set when
869: the the _�e_�n_�v_�__�r_�e_�s_�e_�t option is enabled, so _�s_�e_�t_�__�h_�o_�m_�e is
870: only effective for configurations where either
871: _�e_�n_�v_�__�r_�e_�s_�e_�t is disabled or HOME is present in the
872: _�e_�n_�v_�__�k_�e_�e_�p list. This flag is _�o_�f_�f by default.
873:
874: set_logname Normally, s�su�ud�do�o will set the LOGNAME, USER and USERNAME
875: environment variables to the name of the target user
876: (usually root unless the -�-u�u option is given). However,
877: since some programs (including the RCS revision control
878: system) use LOGNAME to determine the real identity of
879: the user, it may be desirable to change this behavior.
880: This can be done by negating the set_logname option.
881: Note that if the _�e_�n_�v_�__�r_�e_�s_�e_�t option has not been
882: disabled, entries in the _�e_�n_�v_�__�k_�e_�e_�p list will override
883: the value of _�s_�e_�t_�__�l_�o_�g_�n_�a_�m_�e. This flag is _�o_�n by default.
884:
885: set_utmp When enabled, s�su�ud�do�o will create an entry in the utmp (or
886: utmpx) file when a pseudo-tty is allocated. A pseudo-
887: tty is allocated by s�su�ud�do�o when the _�l_�o_�g_�__�i_�n_�p_�u_�t, _�l_�o_�g_�__�o_�u_�t_�p_�u_�t
888: or _�u_�s_�e_�__�p_�t_�y flags are enabled. By default, the new
889: entry will be a copy of the user's existing utmp entry
890: (if any), with the tty, time, type and pid fields
891: updated. This flag is _�o_�n by default.
892:
893: setenv Allow the user to disable the _�e_�n_�v_�__�r_�e_�s_�e_�t option from the
894: command line via the -�-E�E option. Additionally,
895: environment variables set via the command line are not
896: subject to the restrictions imposed by _�e_�n_�v_�__�c_�h_�e_�c_�k,
897: _�e_�n_�v_�__�d_�e_�l_�e_�t_�e, or _�e_�n_�v_�__�k_�e_�e_�p. As such, only trusted users
898: should be allowed to set variables in this manner.
899: This flag is _�o_�f_�f by default.
900:
901: shell_noargs If set and s�su�ud�do�o is invoked with no arguments it acts as
902: if the -�-s�s option had been given. That is, it runs a
903: shell as root (the shell is determined by the SHELL
904: environment variable if it is set, falling back on the
905: shell listed in the invoking user's /etc/passwd entry
906: if not). This flag is _�o_�f_�f by default.
907:
908: stay_setuid Normally, when s�su�ud�do�o executes a command the real and
909: effective UIDs are set to the target user (root by
910: default). This option changes that behavior such that
911: the real UID is left as the invoking user's UID. In
912: other words, this makes s�su�ud�do�o act as a setuid wrapper.
913: This can be useful on systems that disable some
914: potentially dangerous functionality when a program is
915: run setuid. This option is only effective on systems
916: with either the _�s_�e_�t_�r_�e_�u_�i_�d_�(_�) or _�s_�e_�t_�r_�e_�s_�u_�i_�d_�(_�) function.
917: This flag is _�o_�f_�f by default.
918:
919: targetpw If set, s�su�ud�do�o will prompt for the password of the user
920: specified by the -�-u�u option (defaults to root) instead
921: of the password of the invoking user. In addition, the
922: timestamp file name will include the target user's
923: name. Note that this flag precludes the use of a uid
924: not listed in the passwd database as an argument to the
925: -�-u�u option. This flag is _�o_�f_�f by default.
926:
927: tty_tickets If set, users must authenticate on a per-tty basis.
928: With this flag enabled, s�su�ud�do�o will use a file named for
929: the tty the user is logged in on in the user's time
930: stamp directory. If disabled, the time stamp of the
931: directory is used instead. This flag is _�o_�n by default.
932:
933: umask_override If set, s�su�ud�do�o will set the umask as specified by _�s_�u_�d_�o_�e_�r_�s
934: without modification. This makes it possible to
935: specify a more permissive umask in _�s_�u_�d_�o_�e_�r_�s than the
936: user's own umask and matches historical behavior. If
937: _�u_�m_�a_�s_�k_�__�o_�v_�e_�r_�r_�i_�d_�e is not set, s�su�ud�do�o will set the umask to
938: be the union of the user's umask and what is specified
939: in _�s_�u_�d_�o_�e_�r_�s. This flag is _�o_�f_�f by default.
940:
941: use_loginclass If set, s�su�ud�do�o will apply the defaults specified for the
942: target user's login class if one exists. Only
943: available if s�su�ud�do�o is configured with the
944: --with-logincap option. This flag is _�o_�f_�f by default.
945:
946: use_pty If set, s�su�ud�do�o will run the command in a pseudo-pty even
947: if no I/O logging is being gone. A malicious program
948: run under s�su�ud�do�o could conceivably fork a background
949: process that retains to the user's terminal device
950: after the main program has finished executing. Use of
951: this option will make that impossible. This flag is
952: _�o_�f_�f by default.
953:
954: utmp_runas If set, s�su�ud�do�o will store the name of the runas user when
955: updating the utmp (or utmpx) file. By default, s�su�ud�do�o
956: stores the name of the invoking user. This flag is _�o_�f_�f
957: by default.
958:
959: visiblepw By default, s�su�ud�do�o will refuse to run if the user must
960: enter a password but it is not possible to disable echo
961: on the terminal. If the _�v_�i_�s_�i_�b_�l_�e_�p_�w flag is set, s�su�ud�do�o
962: will prompt for a password even when it would be
963: visible on the screen. This makes it possible to run
964: things like "rsh somehost sudo ls" since _�r_�s_�h(1) does
965: not allocate a tty. This flag is _�o_�f_�f by default.
966:
967: I�In�nt�te�eg�ge�er�rs�s:
968:
969: closefrom Before it executes a command, s�su�ud�do�o will close all open
970: file descriptors other than standard input, standard
971: output and standard error (ie: file descriptors 0-2).
972: The _�c_�l_�o_�s_�e_�f_�r_�o_�m option can be used to specify a different
973: file descriptor at which to start closing. The default
974: is 3.
975:
976: passwd_tries The number of tries a user gets to enter his/her
977: password before s�su�ud�do�o logs the failure and exits. The
978: default is 3.
979:
980: I�In�nt�te�eg�ge�er�rs�s t�th�ha�at�t c�ca�an�n b�be�e u�us�se�ed�d i�in�n a�a b�bo�oo�ol�le�ea�an�n c�co�on�nt�te�ex�xt�t:
981:
982: loglinelen Number of characters per line for the file log. This
983: value is used to decide when to wrap lines for nicer
984: log files. This has no effect on the syslog log file,
985: only the file log. The default is 80 (use 0 or negate
986: the option to disable word wrap).
987:
988: passwd_timeout Number of minutes before the s�su�ud�do�o password prompt times
989: out, or 0 for no timeout. The timeout may include a
990: fractional component if minute granularity is
991: insufficient, for example 2.5. The default is 5.
992:
993: timestamp_timeout
994: Number of minutes that can elapse before s�su�ud�do�o will ask
995: for a passwd again. The timeout may include a
996: fractional component if minute granularity is
997: insufficient, for example 2.5. The default is 5. Set
998: this to 0 to always prompt for a password. If set to a
999: value less than 0 the user's timestamp will never
1000: expire. This can be used to allow users to create or
1001: delete their own timestamps via sudo -v and sudo -k
1002: respectively.
1003:
1004: umask Umask to use when running the command. Negate this
1005: option or set it to 0777 to preserve the user's umask.
1006: The actual umask that is used will be the union of the
1007: user's umask and the value of the _�u_�m_�a_�s_�k option, which
1008: defaults to 0022. This guarantees that s�su�ud�do�o never
1009: lowers the umask when running a command. Note on
1010: systems that use PAM, the default PAM configuration may
1011: specify its own umask which will override the value set
1012: in _�s_�u_�d_�o_�e_�r_�s.
1013:
1014: S�St�tr�ri�in�ng�gs�s:
1015:
1016: badpass_message Message that is displayed if a user enters an incorrect
1017: password. The default is Sorry, try again. unless
1018: insults are enabled.
1019:
1020: editor A colon (':') separated list of editors allowed to be
1021: used with v�vi�is�su�ud�do�o. v�vi�is�su�ud�do�o will choose the editor that
1022: matches the user's EDITOR environment variable if
1023: possible, or the first editor in the list that exists
1024: and is executable. The default is "vi".
1025:
1026: iolog_dir The top-level directory to use when constructing the
1027: path name for the input/output log directory. Only
1028: used if the _�l_�o_�g_�__�i_�n_�p_�u_�t or _�l_�o_�g_�__�o_�u_�t_�p_�u_�t options are enabled
1029: or when the LOG_INPUT or LOG_OUTPUT tags are present
1030: for a command. The session sequence number, if any, is
1031: stored in the directory. The default is
1032: "/var/log/sudo-io".
1033:
1034: The following percent (`%') escape sequences are
1035: supported:
1036:
1037: %{seq}
1038: expanded to a monotonically increasing base-36
1039: sequence number, such as 0100A5, where every two
1040: digits are used to form a new directory, e.g.
1041: _�0_�1_�/_�0_�0_�/_�A_�5
1042:
1043: %{user}
1044: expanded to the invoking user's login name
1045:
1046: %{group}
1047: expanded to the name of the invoking user's real
1048: group ID
1049:
1050: %{runas_user}
1051: expanded to the login name of the user the command
1052: will be run as (e.g. root)
1053:
1054: %{runas_group}
1055: expanded to the group name of the user the command
1056: will be run as (e.g. wheel)
1057:
1058: %{hostname}
1059: expanded to the local host name without the domain
1060: name
1061:
1062: %{command}
1063: expanded to the base name of the command being run
1064:
1065: In addition, any escape sequences supported by the
1066: system's _�s_�t_�r_�f_�t_�i_�m_�e_�(_�) function will be expanded.
1067:
1068: To include a literal `%' character, the string `%%'
1069: should be used.
1070:
1071: iolog_file The path name, relative to _�i_�o_�l_�o_�g_�__�d_�i_�r, in which to store
1072: input/output logs when the _�l_�o_�g_�__�i_�n_�p_�u_�t or _�l_�o_�g_�__�o_�u_�t_�p_�u_�t
1073: options are enabled or when the LOG_INPUT or LOG_OUTPUT
1074: tags are present for a command. Note that _�i_�o_�l_�o_�g_�__�f_�i_�l_�e
1075: may contain directory components. The default is
1076: "%{seq}".
1077:
1078: See the _�i_�o_�l_�o_�g_�__�d_�i_�r option above for a list of supported
1079: percent (`%') escape sequences.
1080:
1081: In addition to the escape sequences, path names that
1082: end in six or more Xs will have the Xs replaced with a
1083: unique combination of digits and letters, similar to
1084: the _�m_�k_�t_�e_�m_�p_�(_�) function.
1085:
1086: mailsub Subject of the mail sent to the _�m_�a_�i_�l_�t_�o user. The escape
1087: %h will expand to the host name of the machine.
1088: Default is *** SECURITY information for %h ***.
1089:
1090: noexec_file This option is deprecated and will be removed in a
1091: future release of s�su�ud�do�o. The path to the noexec file
1092: should now be set in the _�/_�e_�t_�c_�/_�s_�u_�d_�o_�._�c_�o_�n_�f file.
1093:
1094: passprompt The default prompt to use when asking for a password;
1095: can be overridden via the -�-p�p option or the SUDO_PROMPT
1096: environment variable. The following percent (`%')
1097: escape sequences are supported:
1098:
1099: %H expanded to the local host name including the
1100: domain name (only if the machine's host name is
1101: fully qualified or the _�f_�q_�d_�n option is set)
1102:
1103: %h expanded to the local host name without the domain
1104: name
1105:
1106: %p expanded to the user whose password is being asked
1107: for (respects the _�r_�o_�o_�t_�p_�w, _�t_�a_�r_�g_�e_�t_�p_�w and _�r_�u_�n_�a_�s_�p_�w
1108: flags in _�s_�u_�d_�o_�e_�r_�s)
1109:
1110: %U expanded to the login name of the user the command
1111: will be run as (defaults to root)
1112:
1113: %u expanded to the invoking user's login name
1114:
1115: %% two consecutive % characters are collapsed into a
1116: single % character
1117:
1118: The default value is Password:.
1119:
1120: role The default SELinux role to use when constructing a new
1121: security context to run the command. The default role
1122: may be overridden on a per-command basis in _�s_�u_�d_�o_�e_�r_�s or
1123: via command line options. This option is only
1124: available whe s�su�ud�do�o is built with SELinux support.
1125:
1126: runas_default The default user to run commands as if the -�-u�u option is
1127: not specified on the command line. This defaults to
1128: root.
1129:
1130: syslog_badpri Syslog priority to use when user authenticates
1131: unsuccessfully. Defaults to alert.
1132:
1133: The following syslog priorities are supported: a�al�le�er�rt�t,
1134: c�cr�ri�it�t, d�de�eb�bu�ug�g, e�em�me�er�rg�g, e�er�rr�r, i�in�nf�fo�o, n�no�ot�ti�ic�ce�e, and w�wa�ar�rn�ni�in�ng�g.
1135:
1136: syslog_goodpri Syslog priority to use when user authenticates
1137: successfully. Defaults to notice.
1138:
1139: See syslog_badpri for the list of supported syslog
1140: priorities.
1141:
1142: sudoers_locale Locale to use when parsing the sudoers file, logging
1143: commands, and sending email. Note that changing the
1144: locale may affect how sudoers is interpreted. Defaults
1145: to "C".
1146:
1147: timestampdir The directory in which s�su�ud�do�o stores its timestamp files.
1148: The default is _�/_�v_�a_�r_�/_�a_�d_�m_�/_�s_�u_�d_�o.
1149:
1150: timestampowner The owner of the timestamp directory and the timestamps
1151: stored therein. The default is root.
1152:
1153: type The default SELinux type to use when constructing a new
1154: security context to run the command. The default type
1155: may be overridden on a per-command basis in _�s_�u_�d_�o_�e_�r_�s or
1156: via command line options. This option is only
1157: available whe s�su�ud�do�o is built with SELinux support.
1158:
1159: S�St�tr�ri�in�ng�gs�s t�th�ha�at�t c�ca�an�n b�be�e u�us�se�ed�d i�in�n a�a b�bo�oo�ol�le�ea�an�n c�co�on�nt�te�ex�xt�t:
1160:
1161: env_file The _�e_�n_�v_�__�f_�i_�l_�e options specifies the fully qualified path to
1162: a file containing variables to be set in the environment of
1163: the program being run. Entries in this file should either
1164: be of the form VARIABLE=value or export VARIABLE=value.
1165: The value may optionally be surrounded by single or double
1166: quotes. Variables in this file are subject to other s�su�ud�do�o
1167: environment settings such as _�e_�n_�v_�__�k_�e_�e_�p and _�e_�n_�v_�__�c_�h_�e_�c_�k.
1168:
1169: exempt_group
1170: Users in this group are exempt from password and PATH
1171: requirements. The group name specified should not include
1172: a % prefix. This is not set by default.
1173:
1174: group_plugin
1175: A string containing a _�s_�u_�d_�o_�e_�r_�s group plugin with optional
1176: arguments. This can be used to implement support for the
1177: nonunix_group syntax described earlier. The string should
1178: consist of the plugin path, either fully-qualified or
1179: relative to the _�/_�u_�s_�r_�/_�l_�o_�c_�a_�l_�/_�l_�i_�b_�e_�x_�e_�c directory, followed by
1180: any configuration arguments the plugin requires. These
1181: arguments (if any) will be passed to the plugin's
1182: initialization function. If arguments are present, the
1183: string must be enclosed in double quotes (").
1184:
1185: For example, given _�/_�e_�t_�c_�/_�s_�u_�d_�o_�-_�g_�r_�o_�u_�p, a group file in Unix
1186: group format, the sample group plugin can be used:
1187:
1188: Defaults group_plugin="sample_group.so /etc/sudo-group"
1189:
1190: For more information see _�s_�u_�d_�o_�__�p_�l_�u_�g_�i_�n(4).
1191:
1192: lecture This option controls when a short lecture will be printed
1193: along with the password prompt. It has the following
1194: possible values:
1195:
1196: always Always lecture the user.
1197:
1198: never Never lecture the user.
1199:
1200: once Only lecture the user the first time they run s�su�ud�do�o.
1201:
1202: If no value is specified, a value of _�o_�n_�c_�e is implied.
1203: Negating the option results in a value of _�n_�e_�v_�e_�r being used.
1204: The default value is _�o_�n_�c_�e.
1205:
1206: lecture_file
1207: Path to a file containing an alternate s�su�ud�do�o lecture that
1208: will be used in place of the standard lecture if the named
1209: file exists. By default, s�su�ud�do�o uses a built-in lecture.
1210:
1211: listpw This option controls when a password will be required when
1212: a user runs s�su�ud�do�o with the -�-l�l option. It has the following
1213: possible values:
1214:
1215: all All the user's _�s_�u_�d_�o_�e_�r_�s entries for the current host
1216: must have the NOPASSWD flag set to avoid entering a
1217: password.
1218:
1219: always The user must always enter a password to use the -�-l�l
1220: option.
1221:
1222: any At least one of the user's _�s_�u_�d_�o_�e_�r_�s entries for the
1223: current host must have the NOPASSWD flag set to
1224: avoid entering a password.
1225:
1226: never The user need never enter a password to use the -�-l�l
1227: option.
1228:
1229: If no value is specified, a value of _�a_�n_�y is implied.
1230: Negating the option results in a value of _�n_�e_�v_�e_�r being used.
1231: The default value is _�a_�n_�y.
1232:
1233: logfile Path to the s�su�ud�do�o log file (not the syslog log file).
1234: Setting a path turns on logging to a file; negating this
1235: option turns it off. By default, s�su�ud�do�o logs via syslog.
1236:
1237: mailerflags Flags to use when invoking mailer. Defaults to -�-t�t.
1238:
1239: mailerpath Path to mail program used to send warning mail. Defaults
1240: to the path to sendmail found at configure time.
1241:
1242: mailfrom Address to use for the "from" address when sending warning
1243: and error mail. The address should be enclosed in double
1244: quotes (") to protect against s�su�ud�do�o interpreting the @ sign.
1245: Defaults to the name of the user running s�su�ud�do�o.
1246:
1247: mailto Address to send warning and error mail to. The address
1248: should be enclosed in double quotes (") to protect against
1249: s�su�ud�do�o interpreting the @ sign. Defaults to root.
1250:
1251: secure_path Path used for every command run from s�su�ud�do�o. If you don't
1252: trust the people running s�su�ud�do�o to have a sane PATH
1253: environment variable you may want to use this. Another use
1254: is if you want to have the "root path" be separate from the
1255: "user path." Users in the group specified by the
1256: _�e_�x_�e_�m_�p_�t_�__�g_�r_�o_�u_�p option are not affected by _�s_�e_�c_�u_�r_�e_�__�p_�a_�t_�h. This
1257: option is not set by default.
1258:
1259: syslog Syslog facility if syslog is being used for logging (negate
1260: to disable syslog logging). Defaults to auth.
1261:
1262: The following syslog facilities are supported: a�au�ut�th�hp�pr�ri�iv�v (if
1263: your OS supports it), a�au�ut�th�h, d�da�ae�em�mo�on�n, u�us�se�er�r, l�lo�oc�ca�al�l0�0, l�lo�oc�ca�al�l1�1,
1264: l�lo�oc�ca�al�l2�2, l�lo�oc�ca�al�l3�3, l�lo�oc�ca�al�l4�4, l�lo�oc�ca�al�l5�5, l�lo�oc�ca�al�l6�6, and l�lo�oc�ca�al�l7�7.
1265:
1266: verifypw This option controls when a password will be required when
1267: a user runs s�su�ud�do�o with the -�-v�v option. It has the following
1268: possible values:
1269:
1270: all All the user's _�s_�u_�d_�o_�e_�r_�s entries for the current host
1271: must have the NOPASSWD flag set to avoid entering a
1272: password.
1273:
1274: always The user must always enter a password to use the -�-v�v
1275: option.
1276:
1277: any At least one of the user's _�s_�u_�d_�o_�e_�r_�s entries for the
1278: current host must have the NOPASSWD flag set to
1279: avoid entering a password.
1280:
1281: never The user need never enter a password to use the -�-v�v
1282: option.
1283:
1284: If no value is specified, a value of _�a_�l_�l is implied.
1285: Negating the option results in a value of _�n_�e_�v_�e_�r being used.
1286: The default value is _�a_�l_�l.
1287:
1288: L�Li�is�st�ts�s t�th�ha�at�t c�ca�an�n b�be�e u�us�se�ed�d i�in�n a�a b�bo�oo�ol�le�ea�an�n c�co�on�nt�te�ex�xt�t:
1289:
1290: env_check Environment variables to be removed from the user's
1291: environment if the variable's value contains % or /
1292: characters. This can be used to guard against printf-
1293: style format vulnerabilities in poorly-written
1294: programs. The argument may be a double-quoted, space-
1295: separated list or a single value without double-quotes.
1296: The list can be replaced, added to, deleted from, or
1297: disabled by using the =, +=, -=, and ! operators
1298: respectively. Regardless of whether the env_reset
1299: option is enabled or disabled, variables specified by
1300: env_check will be preserved in the environment if they
1301: pass the aforementioned check. The default list of
1302: environment variables to check is displayed when s�su�ud�do�o
1303: is run by root with the _�-_�V option.
1304:
1305: env_delete Environment variables to be removed from the user's
1306: environment when the _�e_�n_�v_�__�r_�e_�s_�e_�t option is not in effect.
1307: The argument may be a double-quoted, space-separated
1308: list or a single value without double-quotes. The list
1309: can be replaced, added to, deleted from, or disabled by
1310: using the =, +=, -=, and ! operators respectively. The
1311: default list of environment variables to remove is
1312: displayed when s�su�ud�do�o is run by root with the _�-_�V option.
1313: Note that many operating systems will remove
1314: potentially dangerous variables from the environment of
1315: any setuid process (such as s�su�ud�do�o).
1316:
1317: env_keep Environment variables to be preserved in the user's
1318: environment when the _�e_�n_�v_�__�r_�e_�s_�e_�t option is in effect.
1319: This allows fine-grained control over the environment
1320: s�su�ud�do�o-spawned processes will receive. The argument may
1321: be a double-quoted, space-separated list or a single
1322: value without double-quotes. The list can be replaced,
1323: added to, deleted from, or disabled by using the =, +=,
1324: -=, and ! operators respectively. The default list of
1325: variables to keep is displayed when s�su�ud�do�o is run by root
1326: with the _�-_�V option.
1327:
1328: F�FI�IL�LE�ES�S
1329: _�/_�e_�t_�c_�/_�s_�u_�d_�o_�e_�r_�s List of who can run what
1330:
1331: _�/_�e_�t_�c_�/_�g_�r_�o_�u_�p Local groups file
1332:
1333: _�/_�e_�t_�c_�/_�n_�e_�t_�g_�r_�o_�u_�p List of network groups
1334:
1335: _�/_�v_�a_�r_�/_�l_�o_�g_�/_�s_�u_�d_�o_�-_�i_�o I/O log files
1336:
1337: _�/_�v_�a_�r_�/_�a_�d_�m_�/_�s_�u_�d_�o Directory containing time stamps for the
1338: _�s_�u_�d_�o_�e_�r_�s security policy
1339:
1340: _�/_�e_�t_�c_�/_�e_�n_�v_�i_�r_�o_�n_�m_�e_�n_�t Initial environment for -�-i�i mode on Linux and
1341: AIX
1342:
1343: E�EX�XA�AM�MP�PL�LE�ES�S
1344: Below are example _�s_�u_�d_�o_�e_�r_�s entries. Admittedly, some of these are a bit
1345: contrived. First, we allow a few environment variables to pass and
1346: then define our _�a_�l_�i_�a_�s_�e_�s:
1347:
1348: # Run X applications through sudo; HOME is used to find the
1349: # .Xauthority file. Note that other programs use HOME to find
1350: # configuration files and this may lead to privilege escalation!
1351: Defaults env_keep += "DISPLAY HOME"
1352:
1353: # User alias specification
1354: User_Alias FULLTIMERS = millert, mikef, dowdy
1355: User_Alias PARTTIMERS = bostley, jwfox, crawl
1356: User_Alias WEBMASTERS = will, wendy, wim
1357:
1358: # Runas alias specification
1359: Runas_Alias OP = root, operator
1360: Runas_Alias DB = oracle, sybase
1361: Runas_Alias ADMINGRP = adm, oper
1362:
1363: # Host alias specification
1364: Host_Alias SPARC = bigtime, eclipse, moet, anchor :\
1365: SGI = grolsch, dandelion, black :\
1366: ALPHA = widget, thalamus, foobar :\
1367: HPPA = boa, nag, python
1368: Host_Alias CUNETS = 128.138.0.0/255.255.0.0
1369: Host_Alias CSNETS = 128.138.243.0, 128.138.204.0/24, 128.138.242.0
1370: Host_Alias SERVERS = master, mail, www, ns
1371: Host_Alias CDROM = orion, perseus, hercules
1372:
1373: # Cmnd alias specification
1374: Cmnd_Alias DUMPS = /usr/bin/mt, /usr/sbin/dump, /usr/sbin/rdump,\
1375: /usr/sbin/restore, /usr/sbin/rrestore
1376: Cmnd_Alias KILL = /usr/bin/kill
1377: Cmnd_Alias PRINTING = /usr/sbin/lpc, /usr/bin/lprm
1378: Cmnd_Alias SHUTDOWN = /usr/sbin/shutdown
1379: Cmnd_Alias HALT = /usr/sbin/halt
1380: Cmnd_Alias REBOOT = /usr/sbin/reboot
1381: Cmnd_Alias SHELLS = /usr/bin/sh, /usr/bin/csh, /usr/bin/ksh, \
1382: /usr/local/bin/tcsh, /usr/bin/rsh, \
1383: /usr/local/bin/zsh
1384: Cmnd_Alias SU = /usr/bin/su
1385: Cmnd_Alias PAGERS = /usr/bin/more, /usr/bin/pg, /usr/bin/less
1386:
1387: Here we override some of the compiled in default values. We want s�su�ud�do�o
1388: to log via _�s_�y_�s_�l_�o_�g(3) using the _�a_�u_�t_�h facility in all cases. We don't
1389: want to subject the full time staff to the s�su�ud�do�o lecture, user m�mi�il�ll�le�er�rt�t
1390: need not give a password, and we don't want to reset the LOGNAME, USER
1391: or USERNAME environment variables when running commands as root.
1392: Additionally, on the machines in the _�S_�E_�R_�V_�E_�R_�S Host_Alias, we keep an
1393: additional local log file and make sure we log the year in each log
1394: line since the log entries will be kept around for several years.
1395: Lastly, we disable shell escapes for the commands in the PAGERS
1396: Cmnd_Alias (_�/_�u_�s_�r_�/_�b_�i_�n_�/_�m_�o_�r_�e, _�/_�u_�s_�r_�/_�b_�i_�n_�/_�p_�g and _�/_�u_�s_�r_�/_�b_�i_�n_�/_�l_�e_�s_�s).
1397:
1398: # Override built-in defaults
1399: Defaults syslog=auth
1400: Defaults>root !set_logname
1401: Defaults:FULLTIMERS !lecture
1402: Defaults:millert !authenticate
1403: Defaults@SERVERS log_year, logfile=/var/log/sudo.log
1404: Defaults!PAGERS noexec
1405:
1406: The _�U_�s_�e_�r _�s_�p_�e_�c_�i_�f_�i_�c_�a_�t_�i_�o_�n is the part that actually determines who may run
1407: what.
1408:
1409: root ALL = (ALL) ALL
1410: %wheel ALL = (ALL) ALL
1411:
1412: We let r�ro�oo�ot�t and any user in group w�wh�he�ee�el�l run any command on any host as
1413: any user.
1414:
1415: FULLTIMERS ALL = NOPASSWD: ALL
1416:
1417: Full time sysadmins (m�mi�il�ll�le�er�rt�t, m�mi�ik�ke�ef�f, and d�do�ow�wd�dy�y) may run any command on
1418: any host without authenticating themselves.
1419:
1420: PARTTIMERS ALL = ALL
1421:
1422: Part time sysadmins (b�bo�os�st�tl�le�ey�y, j�jw�wf�fo�ox�x, and c�cr�ra�aw�wl�l) may run any command on
1423: any host but they must authenticate themselves first (since the entry
1424: lacks the NOPASSWD tag).
1425:
1426: jack CSNETS = ALL
1427:
1428: The user j�ja�ac�ck�k may run any command on the machines in the _�C_�S_�N_�E_�T_�S alias
1429: (the networks 128.138.243.0, 128.138.204.0, and 128.138.242.0). Of
1430: those networks, only 128.138.204.0 has an explicit netmask (in CIDR
1431: notation) indicating it is a class C network. For the other networks
1432: in _�C_�S_�N_�E_�T_�S, the local machine's netmask will be used during matching.
1433:
1434: lisa CUNETS = ALL
1435:
1436: The user l�li�is�sa�a may run any command on any host in the _�C_�U_�N_�E_�T_�S alias (the
1437: class B network 128.138.0.0).
1438:
1439: operator ALL = DUMPS, KILL, SHUTDOWN, HALT, REBOOT, PRINTING,\
1440: sudoedit /etc/printcap, /usr/oper/bin/
1441:
1442: The o�op�pe�er�ra�at�to�or�r user may run commands limited to simple maintenance.
1443: Here, those are commands related to backups, killing processes, the
1444: printing system, shutting down the system, and any commands in the
1445: directory _�/_�u_�s_�r_�/_�o_�p_�e_�r_�/_�b_�i_�n_�/.
1446:
1447: joe ALL = /usr/bin/su operator
1448:
1449: The user j�jo�oe�e may only _�s_�u(1) to operator.
1450:
1451: pete HPPA = /usr/bin/passwd [A-Za-z]*, !/usr/bin/passwd root
1452:
1453: %opers ALL = (: ADMINGRP) /usr/sbin/
1454:
1455: Users in the o�op�pe�er�rs�s group may run commands in _�/_�u_�s_�r_�/_�s_�b_�i_�n_�/ as themselves
1456: with any group in the _�A_�D_�M_�I_�N_�G_�R_�P Runas_Alias (the a�ad�dm�m and o�op�pe�er�r groups).
1457:
1458: The user p�pe�et�te�e is allowed to change anyone's password except for root on
1459: the _�H_�P_�P_�A machines. Note that this assumes _�p_�a_�s_�s_�w_�d(1) does not take
1460: multiple user names on the command line.
1461:
1462: bob SPARC = (OP) ALL : SGI = (OP) ALL
1463:
1464: The user b�bo�ob�b may run anything on the _�S_�P_�A_�R_�C and _�S_�G_�I machines as any user
1465: listed in the _�O_�P Runas_Alias (r�ro�oo�ot�t and o�op�pe�er�ra�at�to�or�r).
1466:
1467: jim +biglab = ALL
1468:
1469: The user j�ji�im�m may run any command on machines in the _�b_�i_�g_�l_�a_�b netgroup.
1470: s�su�ud�do�o knows that "biglab" is a netgroup due to the '+' prefix.
1471:
1472: +secretaries ALL = PRINTING, /usr/bin/adduser, /usr/bin/rmuser
1473:
1474: Users in the s�se�ec�cr�re�et�ta�ar�ri�ie�es�s netgroup need to help manage the printers as
1475: well as add and remove users, so they are allowed to run those commands
1476: on all machines.
1477:
1478: fred ALL = (DB) NOPASSWD: ALL
1479:
1480: The user f�fr�re�ed�d can run commands as any user in the _�D_�B Runas_Alias
1481: (o�or�ra�ac�cl�le�e or s�sy�yb�ba�as�se�e) without giving a password.
1482:
1483: john ALPHA = /usr/bin/su [!-]*, !/usr/bin/su *root*
1484:
1485: On the _�A_�L_�P_�H_�A machines, user j�jo�oh�hn�n may su to anyone except root but he is
1486: not allowed to specify any options to the _�s_�u(1) command.
1487:
1488: jen ALL, !SERVERS = ALL
1489:
1490: The user j�je�en�n may run any command on any machine except for those in the
1491: _�S_�E_�R_�V_�E_�R_�S Host_Alias (master, mail, www and ns).
1492:
1493: jill SERVERS = /usr/bin/, !SU, !SHELLS
1494:
1495: For any machine in the _�S_�E_�R_�V_�E_�R_�S Host_Alias, j�ji�il�ll�l may run any commands in
1496: the directory _�/_�u_�s_�r_�/_�b_�i_�n_�/ except for those commands belonging to the _�S_�U
1497: and _�S_�H_�E_�L_�L_�S Cmnd_Aliases.
1498:
1499: steve CSNETS = (operator) /usr/local/op_commands/
1500:
1501: The user s�st�te�ev�ve�e may run any command in the directory
1502: /usr/local/op_commands/ but only as user operator.
1503:
1504: matt valkyrie = KILL
1505:
1506: On his personal workstation, valkyrie, m�ma�at�tt�t needs to be able to kill
1507: hung processes.
1508:
1509: WEBMASTERS www = (www) ALL, (root) /usr/bin/su www
1510:
1511: On the host www, any user in the _�W_�E_�B_�M_�A_�S_�T_�E_�R_�S User_Alias (will, wendy,
1512: and wim), may run any command as user www (which owns the web pages) or
1513: simply _�s_�u(1) to www.
1514:
1515: ALL CDROM = NOPASSWD: /sbin/umount /CDROM,\
1516: /sbin/mount -o nosuid\,nodev /dev/cd0a /CDROM
1517:
1518: Any user may mount or unmount a CD-ROM on the machines in the CDROM
1519: Host_Alias (orion, perseus, hercules) without entering a password.
1520: This is a bit tedious for users to type, so it is a prime candidate for
1521: encapsulating in a shell script.
1522:
1523: S�SE�EC�CU�UR�RI�IT�TY�Y N�NO�OT�TE�ES�S
1524: It is generally not effective to "subtract" commands from ALL using the
1525: '!' operator. A user can trivially circumvent this by copying the
1526: desired command to a different name and then executing that. For
1527: example:
1528:
1529: bill ALL = ALL, !SU, !SHELLS
1530:
1531: Doesn't really prevent b�bi�il�ll�l from running the commands listed in _�S_�U or
1532: _�S_�H_�E_�L_�L_�S since he can simply copy those commands to a different name, or
1533: use a shell escape from an editor or other program. Therefore, these
1534: kind of restrictions should be considered advisory at best (and
1535: reinforced by policy).
1536:
1537: Furthermore, if the _�f_�a_�s_�t_�__�g_�l_�o_�b option is in use, it is not possible to
1538: reliably negate commands where the path name includes globbing (aka
1539: wildcard) characters. This is because the C library's _�f_�n_�m_�a_�t_�c_�h(3)
1540: function cannot resolve relative paths. While this is typically only
1541: an inconvenience for rules that grant privileges, it can result in a
1542: security issue for rules that subtract or revoke privileges.
1543:
1544: For example, given the following _�s_�u_�d_�o_�e_�r_�s entry:
1545:
1546: john ALL = /usr/bin/passwd [a-zA-Z0-9]*, /usr/bin/chsh [a-zA-Z0-9]*,
1547: /usr/bin/chfn [a-zA-Z0-9]*, !/usr/bin/* root
1548:
1549: User j�jo�oh�hn�n can still run /usr/bin/passwd root if _�f_�a_�s_�t_�__�g_�l_�o_�b is enabled by
1550: changing to _�/_�u_�s_�r_�/_�b_�i_�n and running ./passwd root instead.
1551:
1552: P�PR�RE�EV�VE�EN�NT�TI�IN�NG�G S�SH�HE�EL�LL�L E�ES�SC�CA�AP�PE�ES�S
1553: Once s�su�ud�do�o executes a program, that program is free to do whatever it
1554: pleases, including run other programs. This can be a security issue
1555: since it is not uncommon for a program to allow shell escapes, which
1556: lets a user bypass s�su�ud�do�o's access control and logging. Common programs
1557: that permit shell escapes include shells (obviously), editors,
1558: paginators, mail and terminal programs.
1559:
1560: There are two basic approaches to this problem:
1561:
1562: restrict Avoid giving users access to commands that allow the user to
1563: run arbitrary commands. Many editors have a restricted mode
1564: where shell escapes are disabled, though s�su�ud�do�oe�ed�di�it�t is a better
1565: solution to running editors via s�su�ud�do�o. Due to the large
1566: number of programs that offer shell escapes, restricting
1567: users to the set of programs that do not is often unworkable.
1568:
1569: noexec Many systems that support shared libraries have the ability
1570: to override default library functions by pointing an
1571: environment variable (usually LD_PRELOAD) to an alternate
1572: shared library. On such systems, s�su�ud�do�o's _�n_�o_�e_�x_�e_�c functionality
1573: can be used to prevent a program run by s�su�ud�do�o from executing
1574: any other programs. Note, however, that this applies only to
1575: native dynamically-linked executables. Statically-linked
1576: executables and foreign executables running under binary
1577: emulation are not affected.
1578:
1579: The _�n_�o_�e_�x_�e_�c feature is known to work on SunOS, Solaris, *BSD,
1580: Linux, IRIX, Tru64 UNIX, MacOS X, HP-UX 11.x and AIX 5.3 and
1581: above. It should be supported on most operating systems that
1582: support the LD_PRELOAD environment variable. Check your
1583: operating system's manual pages for the dynamic linker
1584: (usually ld.so, ld.so.1, dyld, dld.sl, rld, or loader) to see
1585: if LD_PRELOAD is supported.
1586:
1587: On Solaris 10 and higher, _�n_�o_�e_�x_�e_�c uses Solaris privileges
1588: instead of the LD_PRELOAD environment variable.
1589:
1590: To enable _�n_�o_�e_�x_�e_�c for a command, use the NOEXEC tag as
1591: documented in the User Specification section above. Here is
1592: that example again:
1593:
1594: aaron shanty = NOEXEC: /usr/bin/more, /usr/bin/vi
1595:
1596: This allows user a�aa�ar�ro�on�n to run _�/_�u_�s_�r_�/_�b_�i_�n_�/_�m_�o_�r_�e and _�/_�u_�s_�r_�/_�b_�i_�n_�/_�v_�i
1597: with _�n_�o_�e_�x_�e_�c enabled. This will prevent those two commands
1598: from executing other commands (such as a shell). If you are
1599: unsure whether or not your system is capable of supporting
1600: _�n_�o_�e_�x_�e_�c you can always just try it out and check whether shell
1601: escapes work when _�n_�o_�e_�x_�e_�c is enabled.
1602:
1603: Note that restricting shell escapes is not a panacea. Programs running
1604: as root are still capable of many potentially hazardous operations
1605: (such as changing or overwriting files) that could lead to unintended
1606: privilege escalation. In the specific case of an editor, a safer
1607: approach is to give the user permission to run s�su�ud�do�oe�ed�di�it�t.
1608:
1609: S�SE�EC�CU�UR�RI�IT�TY�Y N�NO�OT�TE�ES�S
1610: _�s_�u_�d_�o_�e_�r_�s will check the ownership of its time stamp directory
1611: (_�/_�v_�a_�r_�/_�a_�d_�m_�/_�s_�u_�d_�o by default) and ignore the directory's contents if it is
1612: not owned by root or if it is writable by a user other than root. On
1613: systems that allow non-root users to give away files via _�c_�h_�o_�w_�n(2), if
1614: the time stamp directory is located in a world-writable directory
1615: (e.g., _�/_�t_�m_�p), it is possible for a user to create the time stamp
1616: directory before s�su�ud�do�o is run. However, because _�s_�u_�d_�o_�e_�r_�s checks the
1617: ownership and mode of the directory and its contents, the only damage
1618: that can be done is to "hide" files by putting them in the time stamp
1619: dir. This is unlikely to happen since once the time stamp dir is owned
1620: by root and inaccessible by any other user, the user placing files
1621: there would be unable to get them back out.
1622:
1623: _�s_�u_�d_�o_�e_�r_�s will not honor time stamps set far in the future. Time stamps
1624: with a date greater than current_time + 2 * TIMEOUT will be ignored and
1625: sudo will log and complain. This is done to keep a user from creating
1626: his/her own time stamp with a bogus date on systems that allow users to
1627: give away files if the time stamp directory is located in a world-
1628: writable directory.
1629:
1630: On systems where the boot time is available, _�s_�u_�d_�o_�e_�r_�s will ignore time
1631: stamps that date from before the machine booted.
1632:
1633: Since time stamp files live in the file system, they can outlive a
1634: user's login session. As a result, a user may be able to login, run a
1635: command with s�su�ud�do�o after authenticating, logout, login again, and run
1636: s�su�ud�do�o without authenticating so long as the time stamp file's
1637: modification time is within 5 minutes (or whatever the timeout is set
1638: to in _�s_�u_�d_�o_�e_�r_�s). When the _�t_�t_�y_�__�t_�i_�c_�k_�e_�t_�s option is enabled, the time stamp
1639: has per-tty granularity but still may outlive the user's session. On
1640: Linux systems where the devpts filesystem is used, Solaris systems with
1641: the devices filesystem, as well as other systems that utilize a devfs
1642: filesystem that monotonically increase the inode number of devices as
1643: they are created (such as Mac OS X), _�s_�u_�d_�o_�e_�r_�s is able to determine when
1644: a tty-based time stamp file is stale and will ignore it.
1645: Administrators should not rely on this feature as it is not universally
1646: available.
1647:
1648: If users have sudo ALL there is nothing to prevent them from creating
1649: their own program that gives them a root shell (or making their own
1650: copy of a shell) regardless of any '!' elements in the user
1651: specification.
1652:
1653: S�SE�EE�E A�AL�LS�SO�O
1654: _�r_�s_�h(1), _�s_�u(1), _�f_�n_�m_�a_�t_�c_�h(3), _�g_�l_�o_�b(3), _�m_�k_�t_�e_�m_�p(3), _�s_�t_�r_�f_�t_�i_�m_�e(3),
1655: _�s_�u_�d_�o_�e_�r_�s_�._�l_�d_�a_�p(4), _�s_�u_�d_�o_�__�p_�l_�u_�g_�i_�n(1m), _�s_�u_�d_�o(1m), _�v_�i_�s_�u_�d_�o(1m)
1656:
1657: C�CA�AV�VE�EA�AT�TS�S
1658: The _�s_�u_�d_�o_�e_�r_�s file should a�al�lw�wa�ay�ys�s be edited by the v�vi�is�su�ud�do�o command which
1659: locks the file and does grammatical checking. It is imperative that
1660: _�s_�u_�d_�o_�e_�r_�s be free of syntax errors since s�su�ud�do�o will not run with a
1661: syntactically incorrect _�s_�u_�d_�o_�e_�r_�s file.
1662:
1663: When using netgroups of machines (as opposed to users), if you store
1664: fully qualified host name in the netgroup (as is usually the case), you
1665: either need to have the machine's host name be fully qualified as
1666: returned by the hostname command or use the _�f_�q_�d_�n option in _�s_�u_�d_�o_�e_�r_�s.
1667:
1668: B�BU�UG�GS�S
1669: If you feel you have found a bug in s�su�ud�do�o, please submit a bug report at
1670: http://www.sudo.ws/sudo/bugs/
1671:
1672: S�SU�UP�PP�PO�OR�RT�T
1673: Limited free support is available via the sudo-users mailing list, see
1674: http://www.sudo.ws/mailman/listinfo/sudo-users to subscribe or search
1675: the archives.
1676:
1677: D�DI�IS�SC�CL�LA�AI�IM�ME�ER�R
1678: s�su�ud�do�o is provided ``AS IS'' and any express or implied warranties,
1679: including, but not limited to, the implied warranties of
1680: merchantability and fitness for a particular purpose are disclaimed.
1681: See the LICENSE file distributed with s�su�ud�do�o or
1682: http://www.sudo.ws/sudo/license.html for complete details.
1683:
1684:
1685:
1686: 1.8.3 September 16, 2011 SUDOERS(4)
FreeBSD-CVSweb <freebsd-cvsweb@FreeBSD.org>
![[BACK]](/icons/cvsweb/back.gif){kind=icon}
Return to sudoers.cat CVS log ![[TXT]](/icons/cvsweb/text.gif){kind=icon}
![[DIR]](/icons/cvsweb/dir.gif){kind=icon}
Up to [ELWIX - Embedded LightWeight unIX -] / embedaddon / sudo / doc