version 1.1.1.5, 2013/10/14 07:56:34
|
version 1.1.1.6, 2014/06/15 16:12:54
|
Line 1
|
Line 1
|
.\" DO NOT EDIT THIS FILE, IT IS NOT THE MASTER! |
.\" DO NOT EDIT THIS FILE, IT IS NOT THE MASTER! |
.\" IT IS GENERATED AUTOMATICALLY FROM sudoers.mdoc.in |
.\" IT IS GENERATED AUTOMATICALLY FROM sudoers.mdoc.in |
.\" |
.\" |
.\" Copyright (c) 1994-1996, 1998-2005, 2007-2013 | .\" Copyright (c) 1994-1996, 1998-2005, 2007-2014 |
.\" Todd C. Miller <Todd.Miller@courtesan.com> |
.\" Todd C. Miller <Todd.Miller@courtesan.com> |
.\" |
.\" |
.\" Permission to use, copy, modify, and distribute this software for any |
.\" Permission to use, copy, modify, and distribute this software for any |
Line 21
|
Line 21
|
.\" Agency (DARPA) and Air Force Research Laboratory, Air Force |
.\" Agency (DARPA) and Air Force Research Laboratory, Air Force |
.\" Materiel Command, USAF, under agreement number F39502-99-1-0512. |
.\" Materiel Command, USAF, under agreement number F39502-99-1-0512. |
.\" |
.\" |
.TH "SUDOERS" "@mansectsu@" "August 31, 2013" "Sudo @PACKAGE_VERSION@" "Programmer's Manual" | .TH "SUDOERS" "@mansectsu@" "February 15, 2014" "Sudo @PACKAGE_VERSION@" "Programmer's Manual" |
.nh |
.nh |
.if n .ad l |
.if n .ad l |
.SH "NAME" |
.SH "NAME" |
Line 206 lookup is still done for root, not the user specified
|
Line 206 lookup is still done for root, not the user specified
|
\fRSUDO_USER\fR. |
\fRSUDO_USER\fR. |
.PP |
.PP |
\fIsudoers\fR |
\fIsudoers\fR |
uses time stamp files for credential caching. | uses per-user time stamp files for credential caching. |
Once a | Once a user has been authenticated, a record is written |
user has been authenticated, the time stamp is updated and the user | containing the uid that was used to authenticate, the |
may then use sudo without a password for a short period of time | terminal session ID, and a time stamp |
| (using a monotonic clock if one is available). |
| The user may then use |
| \fBsudo\fR |
| without a password for a short period of time |
(\fR@timeout@\fR |
(\fR@timeout@\fR |
minutes unless overridden by the |
minutes unless overridden by the |
\fItimeout\fR |
\fItimeout\fR |
Line 217 option)
|
Line 221 option)
|
\&. |
\&. |
By default, |
By default, |
\fIsudoers\fR |
\fIsudoers\fR |
uses a tty-based time stamp which means that | uses a separate record for each tty, which means that |
there is a separate time stamp for each of a user's login sessions. | a user's login sessions are authenticated separately. |
The |
The |
\fItty_tickets\fR |
\fItty_tickets\fR |
option can be disabled to force the use of a |
option can be disabled to force the use of a |
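Review bot: the new clause "(using a monotonic clock if one is available)" names the mechanism but not what it buys the reader; since the record is what lets a user re-run sudo without a password for @timeout@ minutes, one clause saying that a monotonic clock keeps that expiry from being shifted by changes to the system's wall clock would make the security point of the change explicit, and it would also be worth saying what is used when no monotonic clock is available, because the sentence as written leaves that case open.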
Line 330 The list of environment variables that
|
Line 334 The list of environment variables that
|
\fBsudo\fR |
\fBsudo\fR |
allows or denies is |
allows or denies is |
contained in the output of |
contained in the output of |
``\fRsudo -V\fR'' | \(lq\fRsudo -V\fR\(rq |
when run as root. |
when run as root. |
.PP |
.PP |
Note that the dynamic linker on most operating systems will remove |
Note that the dynamic linker on most operating systems will remove |
Line 431 EBNF also contains the following
|
Line 435 EBNF also contains the following
|
operators, which many readers will recognize from regular |
operators, which many readers will recognize from regular |
expressions. |
expressions. |
Do not, however, confuse them with |
Do not, however, confuse them with |
``wildcard'' | \(lqwildcard\(rq |
characters, which have different meanings. |
characters, which have different meanings. |
.TP 6n |
.TP 6n |
\fR\&?\fR |
\fR\&?\fR |
Line 500 A
|
Line 504 A
|
\fRNAME\fR |
\fRNAME\fR |
is a string of uppercase letters, numbers, |
is a string of uppercase letters, numbers, |
and underscore characters |
and underscore characters |
(`_'). | (\(oq_\(cq). |
A |
A |
\fRNAME\fR |
\fRNAME\fR |
\fBmust\fR |
\fBmust\fR |
Line 508 start with an
|
Line 512 start with an
|
uppercase letter. |
uppercase letter. |
It is possible to put several alias definitions |
It is possible to put several alias definitions |
of the same type on a single line, joined by a colon |
of the same type on a single line, joined by a colon |
(`:\&'). | (\(oq:\&\(cq). |
E.g., |
E.g., |
.nf |
.nf |
.sp |
.sp |
Line 541 A
|
Line 545 A
|
\fRUser_List\fR |
\fRUser_List\fR |
is made up of one or more user names, user IDs |
is made up of one or more user names, user IDs |
(prefixed with |
(prefixed with |
`#'), | \(oq#\(cq), |
system group names and IDs (prefixed with |
system group names and IDs (prefixed with |
`%' | \(oq%\(cq |
and |
and |
`%#' | \(oq%#\(cq |
respectively), netgroups (prefixed with |
respectively), netgroups (prefixed with |
`+'), | \(oq+\(cq), |
non-Unix group names and IDs (prefixed with |
non-Unix group names and IDs (prefixed with |
`%:' | \(oq%:\(cq |
and |
and |
`%:#' | \(oq%:#\(cq |
respectively) and |
respectively) and |
\fRUser_Alias\fRes. |
\fRUser_Alias\fRes. |
Each list item may be prefixed with zero or more |
Each list item may be prefixed with zero or more |
`\&!' | \(oq\&!\(cq |
operators. |
operators. |
An odd number of |
An odd number of |
`\&!' | \(oq\&!\(cq |
operators negate the value of |
operators negate the value of |
the item; an even number just cancel each other out. |
the item; an even number just cancel each other out. |
.PP |
.PP |
Line 602 for more information.
|
Line 606 for more information.
|
.PP |
.PP |
Note that quotes around group names are optional. |
Note that quotes around group names are optional. |
Unquoted strings must use a backslash |
Unquoted strings must use a backslash |
(`\e') | (\(oq\e\(cq) |
to escape spaces and special characters. |
to escape spaces and special characters. |
See |
See |
\fIOther special characters and reserved words\fR |
\fIOther special characters and reserved words\fR |
Line 658 A
|
Line 662 A
|
\fRHost_List\fR |
\fRHost_List\fR |
is made up of one or more host names, IP addresses, |
is made up of one or more host names, IP addresses, |
network numbers, netgroups (prefixed with |
network numbers, netgroups (prefixed with |
`+') | \(oq+\(cq) |
and other aliases. |
and other aliases. |
Again, the value of an item may be negated with the |
Again, the value of an item may be negated with the |
`\&!' | \(oq\&!\(cq |
operator. |
operator. |
If you do not specify a netmask along with the network number, |
If you do not specify a netmask along with the network number, |
\fBsudo\fR |
\fBsudo\fR |
Line 686 Note that
|
Line 690 Note that
|
only inspects actual network interfaces; this means that IP address |
only inspects actual network interfaces; this means that IP address |
127.0.0.1 (localhost) will never match. |
127.0.0.1 (localhost) will never match. |
Also, the host name |
Also, the host name |
``localhost'' | \(lqlocalhost\(rq |
will only match if that is the actual host name, which is usually |
will only match if that is the actual host name, which is usually |
only the case for non-networked systems. |
only the case for non-networked systems. |
.nf |
.nf |
Line 733 may only be run
|
Line 737 may only be run
|
command line arguments. |
command line arguments. |
A directory is a |
A directory is a |
fully qualified path name ending in a |
fully qualified path name ending in a |
`/'. | \(oq/\(cq. |
When you specify a directory in a |
When you specify a directory in a |
\fRCmnd_List\fR, |
\fRCmnd_List\fR, |
the user will be able to run any file within that directory |
the user will be able to run any file within that directory |
Line 747 in the
|
Line 751 in the
|
must match exactly those given by the user on the command line |
must match exactly those given by the user on the command line |
(or match the wildcards if there are any). |
(or match the wildcards if there are any). |
Note that the following characters must be escaped with a |
Note that the following characters must be escaped with a |
`\e' | \(oq\e\(cq |
if they are used in command arguments: |
if they are used in command arguments: |
`,\&', | \(oq,\&\(cq, |
`:\&', | \(oq:\&\(cq, |
`=\&', | \(oq=\&\(cq, |
`\e'. | \(oq\e\(cq. |
The built-in command |
The built-in command |
``\fRsudoedit\fR'' | \(lq\fRsudoedit\fR\(rq |
is used to permit a user to run |
is used to permit a user to run |
\fBsudo\fR |
\fBsudo\fR |
with the |
with the |
Line 763 option (or as
|
Line 767 option (or as
|
\fBsudoedit\fR). |
\fBsudoedit\fR). |
It may take command line arguments just as a normal command does. |
It may take command line arguments just as a normal command does. |
Note that |
Note that |
``\fRsudoedit\fR'' | \(lq\fRsudoedit\fR\(rq |
is a command built into |
is a command built into |
\fBsudo\fR |
\fBsudo\fR |
itself and must be specified in |
itself and must be specified in |
Line 845 values,
|
Line 849 values,
|
or |
or |
\fBlists\fR. |
\fBlists\fR. |
Flags are implicitly boolean and can be turned off via the |
Flags are implicitly boolean and can be turned off via the |
`\&!' | \(oq\&!\(cq |
operator. |
operator. |
Some integer, string and list parameters may also be |
Some integer, string and list parameters may also be |
used in a boolean context to disable them. |
used in a boolean context to disable them. |
Line 854 in double quotes
|
Line 858 in double quotes
|
(\&"") |
(\&"") |
when they contain multiple words. |
when they contain multiple words. |
Special characters may be escaped with a backslash |
Special characters may be escaped with a backslash |
(`\e'). | (\(oq\e\(cq). |
.PP |
.PP |
Lists have two additional assignment operators, |
Lists have two additional assignment operators, |
\fR+=\fR |
\fR+=\fR |
Line 906 run as
|
Line 910 run as
|
but this can be changed on a per-command basis. |
but this can be changed on a per-command basis. |
.PP |
.PP |
The basic structure of a user specification is |
The basic structure of a user specification is |
``who where = (as_whom) what''. | \(lqwho where = (as_whom) what\(rq. |
Let's break that down into its constituent parts: |
Let's break that down into its constituent parts: |
.SS "Runas_Spec" |
.SS "Runas_Spec" |
A |
A |
Line 918 A fully-specified
|
Line 922 A fully-specified
|
consists of two |
consists of two |
\fRRunas_List\fRs |
\fRRunas_List\fRs |
(as defined above) separated by a colon |
(as defined above) separated by a colon |
(`:\&') | (\(oq:\&\(cq) |
and enclosed in a set of parentheses. |
and enclosed in a set of parentheses. |
The first |
The first |
\fRRunas_List\fR |
\fRRunas_List\fR |
Line 1118 $ ppriv -l
|
Line 1122 $ ppriv -l
|
.fi |
.fi |
.PP |
.PP |
In addition, there are several |
In addition, there are several |
``special'' | \(lqspecial\(rq |
privilege strings: |
privilege strings: |
.TP 10n |
.TP 10n |
none |
none |
Line 1135 the default set of privileges normal users are granted
|
Line 1139 the default set of privileges normal users are granted
|
.PP |
.PP |
Privileges can be excluded from a set by prefixing the privilege |
Privileges can be excluded from a set by prefixing the privilege |
name with either an |
name with either an |
`\&!' | \(oq\&!\(cq |
or |
or |
`\-' | \(oq\-\(cq |
character. |
character. |
.SS "Tag_Spec" |
.SS "Tag_Spec" |
A command may have zero or more tags associated with it. |
A command may have zero or more tags associated with it. |
Line 1189 Conversely, the
|
Line 1193 Conversely, the
|
\fRPASSWD\fR |
\fRPASSWD\fR |
tag can be used to reverse things. |
tag can be used to reverse things. |
For example: |
For example: |
.RS |
|
.nf |
.nf |
.sp |
.sp |
.RS 0n | .RS 2n |
ray rushmore = NOPASSWD: /bin/kill, /bin/ls, /usr/bin/lprm |
ray rushmore = NOPASSWD: /bin/kill, /bin/ls, /usr/bin/lprm |
.RE |
.RE |
.fi |
.fi |
|
.RS 2n |
.sp |
.sp |
would allow the user |
would allow the user |
\fBray\fR |
\fBray\fR |
Line 1215 run
|
Line 1219 run
|
without a password the entry would be: |
without a password the entry would be: |
.nf |
.nf |
.sp |
.sp |
.RS 0n | .RS 2n |
ray rushmore = NOPASSWD: /bin/kill, PASSWD: /bin/ls, /usr/bin/lprm |
ray rushmore = NOPASSWD: /bin/kill, PASSWD: /bin/ls, /usr/bin/lprm |
.RE |
.RE |
.fi |
.fi |
Line 1230 By default, if the
|
Line 1234 By default, if the
|
\fRNOPASSWD\fR |
\fRNOPASSWD\fR |
tag is applied to any of the entries for a user on the current host, |
tag is applied to any of the entries for a user on the current host, |
he or she will be able to run |
he or she will be able to run |
``\fRsudo -l\fR'' | \(lq\fRsudo -l\fR\(rq |
without a password. |
without a password. |
Additionally, a user may only run |
Additionally, a user may only run |
``\fRsudo -v\fR'' | \(lq\fRsudo -v\fR\(rq |
without a password if the |
without a password if the |
\fRNOPASSWD\fR |
\fRNOPASSWD\fR |
tag is present for all a user's entries that pertain to the current host. |
tag is present for all a user's entries that pertain to the current host. |
Line 1242 This behavior may be overridden via the
|
Line 1246 This behavior may be overridden via the
|
and |
and |
\fIlistpw\fR |
\fIlistpw\fR |
options. |
options. |
.PP |
|
.RE |
.RE |
.PD 0 |
|
.TP 2n |
.TP 2n |
\fINOEXEC\fR and \fIEXEC\fR |
\fINOEXEC\fR and \fIEXEC\fR |
.sp |
.sp |
Line 1264 may run
|
Line 1266 may run
|
and |
and |
\fI/usr/bin/vi\fR |
\fI/usr/bin/vi\fR |
but shell escapes will be disabled. |
but shell escapes will be disabled. |
.RS |
|
.nf |
.nf |
.sp |
.sp |
.RS 0n | .RS 2n |
aaron shanty = NOEXEC: /usr/bin/more, /usr/bin/vi |
aaron shanty = NOEXEC: /usr/bin/more, /usr/bin/vi |
.RE |
.RE |
.fi |
.fi |
|
.RS 2n |
.sp |
.sp |
See the |
See the |
\fIPreventing shell escapes\fR |
\fIPreventing shell escapes\fR |
section below for more details on how |
section below for more details on how |
\fRNOEXEC\fR |
\fRNOEXEC\fR |
works and whether or not it will work on your system. |
works and whether or not it will work on your system. |
.PD |
|
.PP |
|
.RE |
.RE |
.PD 0 |
|
.TP 2n |
.TP 2n |
\fISETENV\fR and \fINOSETENV\fR |
\fISETENV\fR and \fINOSETENV\fR |
.sp |
.sp |
Line 1308 the
|
Line 1307 the
|
tag is implied for that command; this default may be overridden by use of the |
tag is implied for that command; this default may be overridden by use of the |
\fRNOSETENV\fR |
\fRNOSETENV\fR |
tag. |
tag. |
.PD |
|
.TP 2n |
.TP 2n |
\fILOG_INPUT\fR and \fINOLOG_INPUT\fR |
\fILOG_INPUT\fR and \fINOLOG_INPUT\fR |
.sp |
.sp |
Line 1365 in the specified range.
|
Line 1363 in the specified range.
|
.TP 10n |
.TP 10n |
\fR\ex\fR |
\fR\ex\fR |
For any character |
For any character |
`x', | \(oqx\(cq, |
evaluates to |
evaluates to |
`x'. | \(oqx\(cq. |
This is used to escape special characters such as: |
This is used to escape special characters such as: |
`*', | \(oq*\(cq, |
`\&?', | \(oq\&?\(cq, |
`[\&', | \(oq[\&\(cq, |
and |
and |
`]\&'. | \(oq]\&\(cq. |
.PP |
.PP |
Character classes may also be used if your system's |
Character classes may also be used if your system's |
glob(3) |
glob(3) |
Line 1381 and
|
Line 1379 and
|
fnmatch(3) |
fnmatch(3) |
functions support them. |
functions support them. |
However, because the |
However, because the |
`:\&' | \(oq:\&\(cq |
character has special meaning in |
character has special meaning in |
\fIsudoers\fR, |
\fIsudoers\fR, |
it must be |
it must be |
Line 1390 For example:
|
Line 1388 For example:
|
.nf |
.nf |
.sp |
.sp |
.RS 4n |
.RS 4n |
/bin/ls [[\:alpha\:]]* | /bin/ls [[:\&alpha:\&]]* |
.RE |
.RE |
.fi |
.fi |
.PP |
.PP |
Would match any file name beginning with a letter. |
Would match any file name beginning with a letter. |
.PP |
.PP |
Note that a forward slash |
Note that a forward slash |
(`/') | (\(oq/\(cq) |
will |
will |
\fBnot\fR |
\fBnot\fR |
be matched by |
be matched by |
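Review bot: the right-hand example `/bin/ls [[:\&alpha:\&]]*` still does not show the escaping the surrounding text requires: `\&` is a zero-width non-printing character, so the line renders as `/bin/ls [[:alpha:]]*` with no backslash before either colon, although the sentence immediately before the example says the `:` character has special meaning in sudoers and must be escaped. The left-hand `[[\:alpha\:]]*` was worse (`\:` is groff's zero-width break point, so the colons themselves vanished from the rendered page), but the fix should use the literal-backslash escape this file already uses elsewhere, `\e`, i.e. `/bin/ls [[\e:alpha\e:]]*`, so the reader sees `[[\:alpha\:]]*`, the form they would actually have to write in sudoers.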
Line 1423 arbitrary strings and not just path names.
|
Line 1421 arbitrary strings and not just path names.
|
Wildcards in command line arguments should be used with care. |
Wildcards in command line arguments should be used with care. |
Because command line arguments are matched as a single, concatenated |
Because command line arguments are matched as a single, concatenated |
string, a wildcard such as |
string, a wildcard such as |
`\&?' | \(oq\&?\(cq |
or |
or |
`*' | \(oq*\(cq |
can match multiple words. |
can match multiple words. |
For example, while a sudoers entry like: |
For example, while a sudoers entry like: |
.nf |
.nf |
Line 1468 sudoedit
|
Line 1466 sudoedit
|
Command line arguments to the |
Command line arguments to the |
\fIsudoedit\fR |
\fIsudoedit\fR |
built-in command should always be path names, so a forward slash |
built-in command should always be path names, so a forward slash |
(`/') | (\(oq/\(cq) |
will not be matched by a wildcard. |
will not be matched by a wildcard. |
.SS "Including other files from within sudoers" |
.SS "Including other files from within sudoers" |
It is possible to include other |
It is possible to include other |
Line 1521 file loops.
|
Line 1519 file loops.
|
.PP |
.PP |
If the path to the include file is not fully-qualified (does not |
If the path to the include file is not fully-qualified (does not |
begin with a |
begin with a |
`/', | \(oq/\(cq, |
it must be located in the same directory as the sudoers file it was |
it must be located in the same directory as the sudoers file it was |
included from. |
included from. |
For example, if |
For example, if |
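Review bot: the parenthetical "(does not begin with a \(oq/\(cq," is never closed on either side of the diff; since the hunk already touches this line to change the quote glyphs, add the closing parenthesis there: `\(oq/\(cq),`.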
Line 1541 The file name may also include the
|
Line 1539 The file name may also include the
|
\fR%h\fR |
\fR%h\fR |
escape, signifying the short form of the host name. |
escape, signifying the short form of the host name. |
In other words, if the machine's host name is |
In other words, if the machine's host name is |
``xerxes'', | \(lqxerxes\(rq, |
then |
then |
.nf |
.nf |
.sp |
.sp |
Line 1575 For example, given:
|
Line 1573 For example, given:
|
will read each file in |
will read each file in |
\fI/etc/sudoers.d\fR, |
\fI/etc/sudoers.d\fR, |
skipping file names that end in |
skipping file names that end in |
`~' | \(oq~\(cq |
or contain a |
or contain a |
`.\&' | \(oq.\&\(cq |
character to avoid causing problems with package manager or editor |
character to avoid causing problems with package manager or editor |
temporary/backup files. |
temporary/backup files. |
Files are parsed in sorted lexical order. |
Files are parsed in sorted lexical order. |
Line 1606 with the
|
Line 1604 with the
|
flag to edit the files directly. |
flag to edit the files directly. |
.SS "Other special characters and reserved words" |
.SS "Other special characters and reserved words" |
The pound sign |
The pound sign |
(`#') | (\(oq#\(cq) |
is used to indicate a comment (unless it is part of a #include |
is used to indicate a comment (unless it is part of a #include |
directive or unless it occurs in the context of a user name and is |
directive or unless it occurs in the context of a user name and is |
followed by one or more digits, in which case it is treated as a |
followed by one or more digits, in which case it is treated as a |
Line 1637 can be dangerous since in a command context, it allows
|
Line 1635 can be dangerous since in a command context, it allows
|
command on the system. |
command on the system. |
.PP |
.PP |
An exclamation point |
An exclamation point |
(`\&!') | (\(oq\&!\(cq) |
can be used as a logical |
can be used as a logical |
\fInot\fR |
\fInot\fR |
operator in a list or |
operator in a list or |
Line 1646 as well as in front of a
|
Line 1644 as well as in front of a
|
\fRCmnd\fR. |
\fRCmnd\fR. |
This allows one to exclude certain values. |
This allows one to exclude certain values. |
For the |
For the |
`\&!' | \(oq\&!\(cq |
operator to be effective, there must be something for it to exclude. |
operator to be effective, there must be something for it to exclude. |
For example, to match all users except for root one would use: |
For example, to match all users except for root one would use: |
.nf |
.nf |
Line 1668 is omitted, as in:
|
Line 1666 is omitted, as in:
|
.PP |
.PP |
it would explicitly deny root but not match any other users. |
it would explicitly deny root but not match any other users. |
This is different from a true |
This is different from a true |
``negation'' | \(lqnegation\(rq |
operator. |
operator. |
.PP |
.PP |
Note, however, that using a |
Note, however, that using a |
`\&!' | \(oq\&!\(cq |
in conjunction with the built-in |
in conjunction with the built-in |
\fBALL\fR |
\fBALL\fR |
alias to allow a user to run |
alias to allow a user to run |
``all but a few'' | \(lqall but a few\(rq |
commands rarely works as intended (see |
commands rarely works as intended (see |
\fISECURITY NOTES\fR |
\fISECURITY NOTES\fR |
below). |
below). |
.PP |
.PP |
Long lines can be continued with a backslash |
Long lines can be continued with a backslash |
(`\e') | (\(oq\e\(cq) |
as the last character on the line. |
as the last character on the line. |
.PP |
.PP |
White space between elements in a list as well as special syntactic |
White space between elements in a list as well as special syntactic |
characters in a |
characters in a |
\fIUser Specification\fR |
\fIUser Specification\fR |
(`=\&', | (\(oq=\&\(cq, |
`:\&', | \(oq:\&\(cq, |
`(\&', | \(oq(\&\(cq, |
`)\&') | \(oq)\&\(cq) |
is optional. |
is optional. |
.PP |
.PP |
The following characters must be escaped with a backslash |
The following characters must be escaped with a backslash |
(`\e') | (\(oq\e\(cq) |
when used as part of a word (e.g.\& a user name or host name): |
when used as part of a word (e.g.\& a user name or host name): |
`\&!', | \(oq\&!\(cq, |
`=\&', | \(oq=\&\(cq, |
`:\&', | \(oq:\&\(cq, |
`,\&', | \(oq,\&\(cq, |
`(\&', | \(oq(\&\(cq, |
`)\&', | \(oq)\&\(cq, |
`\e'. | \(oq\e\(cq. |
.SH "SUDOERS OPTIONS" |
.SH "SUDOERS OPTIONS" |
\fBsudo\fR's |
\fBsudo\fR's |
behavior can be modified by |
behavior can be modified by |
Line 1779 is compiled with
|
Line 1777 is compiled with
|
\fBzlib\fR |
\fBzlib\fR |
support. |
support. |
.TP 18n |
.TP 18n |
|
use_netgroups |
|
If set, netgroups (prefixed with |
|
\(oq+\(cq), |
|
may be used in place of a user or host. |
|
For LDAP-based sudoers, netgroup support requires an expensive |
|
substring match on the server. |
|
If netgroups are not needed, this option can be disabled to reduce the |
|
load on the LDAP server. |
|
This flag is |
|
\fIon\fR |
|
by default. |
|
.TP 18n |
exec_background |
exec_background |
By default, |
By default, |
\fBsudo\fR |
\fBsudo\fR |
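Review bot: the first sentence of the new use_netgroups entry has a stray comma after the closing parenthesis ("netgroups (prefixed with \(oq+\(cq), may be used"); drop it. More substantively, the entry explains the LDAP server cost of leaving the flag on but not what happens to policy that already uses a `+netgroup` item in a User_List or Host_List when the flag is off; a sentence saying whether such items then simply never match would let an administrator judge whether disabling the option is safe for an existing sudoers file.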
Line 1860 if they match a value specified in
|
Line 1870 if they match a value specified in
|
\fReditor\fR. |
\fReditor\fR. |
This flag is |
This flag is |
\fI@env_editor@\fR |
\fI@env_editor@\fR |
by | by default. |
default. | |
.TP 18n |
.TP 18n |
env_reset |
env_reset |
If set, |
If set, |
Line 1931 or
|
Line 1940 or
|
\fI../bin/ls\fR. |
\fI../bin/ls\fR. |
This has security implications when path names that include globbing |
This has security implications when path names that include globbing |
characters are used with the negation operator, |
characters are used with the negation operator, |
`!\&', | \(oq!\&\(cq, |
as such rules can be trivially bypassed. |
as such rules can be trivially bypassed. |
As such, this option should not be used when |
As such, this option should not be used when |
\fIsudoers\fR |
\fIsudoers\fR |
Line 1950 command) does not contain the domain name.
|
Line 1959 command) does not contain the domain name.
|
In other words, instead of myhost you would use myhost.mydomain.edu. |
In other words, instead of myhost you would use myhost.mydomain.edu. |
You may still use the short form if you wish (and even mix the two). |
You may still use the short form if you wish (and even mix the two). |
This option is only effective when the |
This option is only effective when the |
``canonical'' | \(lqcanonical\(rq |
host name, as returned by the |
host name, as returned by the |
\fBgetaddrinfo\fR() |
\fBgetaddrinfo\fR() |
or |
or |
Line 1962 for host name resolution.
|
Line 1971 for host name resolution.
|
If the system is configured to use the |
If the system is configured to use the |
\fI/etc/hosts\fR |
\fI/etc/hosts\fR |
file in preference to DNS, the |
file in preference to DNS, the |
``canonical'' | \(lqcanonical\(rq |
host name may not be fully-qualified. |
host name may not be fully-qualified. |
The order that sources are queried for hosts name resolution | The order that sources are queried for host name resolution |
is usually specified in the |
is usually specified in the |
\fI@nsswitch_conf@\fR, |
\fI@nsswitch_conf@\fR, |
\fI@netsvc_conf@\fR, |
\fI@netsvc_conf@\fR, |
Line 1975 file.
|
Line 1984 file.
|
In the |
In the |
\fI/etc/hosts\fR |
\fI/etc/hosts\fR |
file, the first host name of the entry is considered to be the |
file, the first host name of the entry is considered to be the |
``canonical'' | \(lqcanonical\(rq |
name; subsequent names are aliases that are not used by |
name; subsequent names are aliases that are not used by |
\fBsudoers\fR. |
\fBsudoers\fR. |
For example, the following hosts file line for the machine |
For example, the following hosts file line for the machine |
``xyzzy'' | \(lqxyzzy\(rq |
has the fully-qualified domain name as the |
has the fully-qualified domain name as the |
``canonical'' | \(lqcanonical\(rq |
host name, and the short version as an alias. |
host name, and the short version as an alias. |
.sp |
.sp |
.RS 6n | .RS 24n |
192.168.1.1 xyzzy.sudo.ws xyzzy |
192.168.1.1 xyzzy.sudo.ws xyzzy |
.RE |
.RE |
|
.RS 18n |
.sp |
.sp |
If the machine's hosts file entry is not formatted properly, the |
If the machine's hosts file entry is not formatted properly, the |
\fIfqdn\fR |
\fIfqdn\fR |
Line 2001 to make DNS lookups which renders
|
Line 2011 to make DNS lookups which renders
|
unusable if DNS stops working (for example if the machine is disconnected |
unusable if DNS stops working (for example if the machine is disconnected |
from the network). |
from the network). |
Also note that just like with the hosts file, you must use the |
Also note that just like with the hosts file, you must use the |
``canonical'' | \(lqcanonical\(rq |
name as DNS knows it. |
name as DNS knows it. |
That is, you may not use a host alias |
That is, you may not use a host alias |
(\fRCNAME\fR |
(\fRCNAME\fR |
Line 2012 aliases from DNS.
|
Line 2022 aliases from DNS.
|
This flag is |
This flag is |
\fI@fqdn@\fR |
\fI@fqdn@\fR |
by default. |
by default. |
|
.RE |
.TP 18n |
.TP 18n |
ignore_dot |
ignore_dot |
If set, |
If set, |
Line 2080 by default)
|
Line 2091 by default)
|
using a unique session ID that is included in the normal |
using a unique session ID that is included in the normal |
\fBsudo\fR |
\fBsudo\fR |
log line, prefixed with |
log line, prefixed with |
``\fRTSID=\fR''. | \(lq\fRTSID=\fR\(rq. |
The |
The |
\fIiolog_file\fR |
\fIiolog_file\fR |
option may be used to control the format of the session ID. |
option may be used to control the format of the session ID. |
Line 2113 by default)
|
Line 2124 by default)
|
using a unique session ID that is included in the normal |
using a unique session ID that is included in the normal |
\fBsudo\fR |
\fBsudo\fR |
log line, prefixed with |
log line, prefixed with |
``\fRTSID=\fR''. | \(lq\fRTSID=\fR\(rq. |
The |
The |
\fIiolog_file\fR |
\fIiolog_file\fR |
option may be used to control the format of the session ID. |
option may be used to control the format of the session ID. |
Line 2270 The password prompt specified by
|
Line 2281 The password prompt specified by
|
\fIpassprompt\fR |
\fIpassprompt\fR |
will normally only be used if the password prompt provided by systems |
will normally only be used if the password prompt provided by systems |
such as PAM matches the string |
such as PAM matches the string |
``Password:''. | \(lqPassword:\(rq. |
If |
If |
\fIpassprompt_override\fR |
\fIpassprompt_override\fR |
is set, |
is set, |
Line 2348 If set, root is allowed to run
|
Line 2359 If set, root is allowed to run
|
\fBsudo\fR |
\fBsudo\fR |
too. |
too. |
Disabling this prevents users from |
Disabling this prevents users from |
``chaining'' | \(lqchaining\(rq |
\fBsudo\fR |
\fBsudo\fR |
commands to get a root shell by doing something like |
commands to get a root shell by doing something like |
``\fRsudo sudo /bin/sh\fR''. | \(lq\fRsudo sudo /bin/sh\fR\(rq. |
Note, however, that turning off |
Note, however, that turning off |
\fIroot_sudo\fR |
\fIroot_sudo\fR |
will also prevent root from running |
will also prevent root from running |
Line 2366 by default.
|
Line 2377 by default.
|
rootpw |
rootpw |
If set, |
If set, |
\fBsudo\fR |
\fBsudo\fR |
will prompt for the root password instead of the password of the invoking user. | will prompt for the root password instead of the password of the invoking user |
| when running a command or editing a file. |
This flag is |
This flag is |
\fIoff\fR |
\fIoff\fR |
by default. |
by default. |
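Review bot: the added qualifier "when running a command or editing a file" implies that other invocations (for example the `sudo -l` and `sudo -v` forms this page mentions elsewhere) prompt for some other password, but the entry does not say which one; a sentence stating what is asked for in those cases would complete the change. The two entries in the following hunks that receive the same qualifier need the same clarification.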
Line 2378 will prompt for the password of the user defined by th
|
Line 2390 will prompt for the password of the user defined by th
|
\fIrunas_default\fR |
\fIrunas_default\fR |
option (defaults to |
option (defaults to |
\fR@runas_default@\fR) |
\fR@runas_default@\fR) |
instead of the password of the invoking user. | instead of the password of the invoking user |
| when running a command or editing a file. |
This flag is |
This flag is |
\fIoff\fR |
\fIoff\fR |
by default. |
by default. |
Line 2521 by the
|
Line 2534 by the
|
\fB\-u\fR |
\fB\-u\fR |
option (defaults to |
option (defaults to |
\fRroot\fR) |
\fRroot\fR) |
instead of the password of the invoking user. | instead of the password of the invoking user |
In addition, the time stamp file name will include the target user's name. | when running a command or editing a file. |
Note that this flag precludes the use of a uid not listed in the passwd |
Note that this flag precludes the use of a uid not listed in the passwd |
database as an argument to the |
database as an argument to the |
\fB\-u\fR |
\fB\-u\fR |
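Review bot: the sentence "In addition, the time stamp file name will include the target user's name." is dropped without a replacement, so the entry no longer says whether a credential cached after authenticating for one `-u` target is accepted for a different target. The Line 206 hunk now describes a record that stores the uid used to authenticate; one sentence here saying how that record is matched against the `-u` target when this flag is set would close the gap the removal leaves.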
Line 2535 tty_tickets
|
Line 2548 tty_tickets
|
If set, users must authenticate on a per-tty basis. |
If set, users must authenticate on a per-tty basis. |
With this flag enabled, |
With this flag enabled, |
\fBsudo\fR |
\fBsudo\fR |
will use a file named for the tty the user is | will use a separate record in the time stamp file for each tty. |
logged in on in the user's time stamp directory. | If disabled, a single record is used for all login sessions. |
If disabled, the time stamp of the directory is used instead. | |
This flag is |
This flag is |
\fI@tty_tickets@\fR |
\fI@tty_tickets@\fR |
by default. |
by default. |
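Review bot: this entry says sudo keeps "a separate record in the time stamp file for each tty", while the Line 206 hunk says the record stores "the terminal session ID"; a tty device and a terminal session are not obviously the same key, so the two passages should use one term, or this entry should say which of the two the record is matched on when the flag is set.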
Line 2610 flag is set,
|
Line 2622 flag is set,
|
\fBsudo\fR |
\fBsudo\fR |
will prompt for a password even when it would be visible on the screen. |
will prompt for a password even when it would be visible on the screen. |
This makes it possible to run things like |
This makes it possible to run things like |
``\fRssh somehost sudo ls\fR'' | \(lq\fRssh somehost sudo ls\fR\(rq |
since by default, |
since by default, |
ssh(1) |
ssh(1) |
does |
does |
Line 2680 If set to a value less than
|
Line 2692 If set to a value less than
|
\fR0\fR |
\fR0\fR |
the user's time stamp will never expire. |
the user's time stamp will never expire. |
This can be used to allow users to create or delete their own time stamps via |
This can be used to allow users to create or delete their own time stamps via |
``\fRsudo -v\fR'' | \(lq\fRsudo -v\fR\(rq |
and |
and |
``\fRsudo -k\fR'' | \(lq\fRsudo -k\fR\(rq |
respectively. |
respectively. |
.TP 18n |
.TP 18n |
umask |
umask |
Line 2711 unless insults are enabled.
|
Line 2723 unless insults are enabled.
|
.TP 18n |
.TP 18n |
editor |
editor |
A colon |
A colon |
(`:\&') | (\(oq:\&\(cq) |
separated list of editors allowed to be used with |
separated list of editors allowed to be used with |
\fBvisudo\fR. |
\fBvisudo\fR. |
\fBvisudo\fR |
\fBvisudo\fR |
Line 2739 The default is
|
Line 2751 The default is
|
\fI@iolog_dir@\fR. |
\fI@iolog_dir@\fR. |
.sp |
.sp |
The following percent |
The following percent |
(`%') | (\(oq%\(cq) |
escape sequences are supported: |
escape sequences are supported: |
.RS | .PP |
| .RS 18n |
| .PD 0 |
.TP 6n |
.TP 6n |
\fR%{seq}\fR |
\fR%{seq}\fR |
expanded to a monotonically increasing base-36 sequence number, such as 0100A5, |
expanded to a monotonically increasing base-36 sequence number, such as 0100A5, |
where every two digits are used to form a new directory, e.g.\& |
where every two digits are used to form a new directory, e.g.\& |
\fI01/00/A5\fR |
\fI01/00/A5\fR |
|
.PD |
.TP 6n |
.TP 6n |
\fR%{user}\fR |
\fR%{user}\fR |
expanded to the invoking user's login name |
expanded to the invoking user's login name |
Line 2773 strftime(3)
|
Line 2788 strftime(3)
|
function will be expanded. |
function will be expanded. |
.sp |
.sp |
To include a literal |
To include a literal |
`%' | \(oq%\(cq |
character, the string |
character, the string |
`%%' | \(oq%%\(cq |
should be used. |
should be used. |
.PP |
|
.RE |
.RE |
.PD 0 |
|
.TP 18n |
.TP 18n |
iolog_file |
iolog_file |
The path name, relative to |
The path name, relative to |
Line 2797 Note that
|
Line 2810 Note that
|
\fIiolog_file\fR |
\fIiolog_file\fR |
may contain directory components. |
may contain directory components. |
The default is |
The default is |
``\fR%{seq}\fR''. | \(lq\fR%{seq}\fR\(rq. |
.sp |
.sp |
See the |
See the |
\fIiolog_dir\fR |
\fIiolog_dir\fR |
option above for a list of supported percent |
option above for a list of supported percent |
(`%') | (\(oq%\(cq) |
escape sequences. |
escape sequences. |
.sp |
.sp |
In addition to the escape sequences, path names that end in six or |
In addition to the escape sequences, path names that end in six or |
Line 2824 overwritten unless
|
Line 2837 overwritten unless
|
ends in six or |
ends in six or |
more |
more |
\fRX\fRs. |
\fRX\fRs. |
.PD |
|
.TP 18n |
.TP 18n |
|
lecture_status_dir |
|
The directory in which |
|
\fBsudo\fR |
|
stores per-user lecture status files. |
|
Once a user has received the lecture, a zero-length file is |
|
created in this directory so that |
|
\fBsudo\fR |
|
will not lecture the user again. |
|
This directory should |
|
\fInot\fR |
|
be cleared when the system reboots. |
|
The default is |
|
\fI@vardir@/lectured\fR. |
|
.TP 18n |
limitprivs |
limitprivs |
The default Solaris limit privileges to use when constructing a new |
The default Solaris limit privileges to use when constructing a new |
privilege set for a command. |
privilege set for a command. |
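Review bot: the new lecture_status_dir entry says nothing about who must own the directory or what mode it needs, even though the timestampowner entry later in this diff is extended to cover "the lecture status directory, time stamp directory and all files stored therein"; add a cross-reference to timestampowner here. Since this entry says the directory should not be cleared at reboot while the timestampdir entry now says the opposite for @rundir@/ts, one sentence noting that the two directories deliberately live under different parents (@vardir@ versus @rundir@) would stop administrators from relocating both to the same place.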
Line 2844 The escape
|
Line 2870 The escape
|
\fR%h\fR |
\fR%h\fR |
will expand to the host name of the machine. |
will expand to the host name of the machine. |
Default is |
Default is |
``\fR@mailsub@\fR''. | \(lq\fR@mailsub@\fR\(rq. |
.TP 18n |
.TP 18n |
maxseq |
maxseq |
The maximum sequence number that will be substituted for the |
The maximum sequence number that will be substituted for the |
``\fR%{seq}\fR'' | \(lq\fR%{seq}\fR\(rq |
escape in the I/O log file (see the |
escape in the I/O log file (see the |
\fIiolog_dir\fR |
\fIiolog_dir\fR |
description above for more information). |
description above for more information). |
While the value substituted for |
While the value substituted for |
``\fR%{seq}\fR'' | \(lq\fR%{seq}\fR\(rq |
is in base 36, |
is in base 36, |
\fImaxseq\fR |
\fImaxseq\fR |
itself should be expressed in decimal. |
itself should be expressed in decimal. |
Values larger than 2176782336 (which corresponds to the |
Values larger than 2176782336 (which corresponds to the |
base 36 sequence number |
base 36 sequence number |
``ZZZZZZ'') | \(lqZZZZZZ\(rq) |
will be silently truncated to 2176782336. |
will be silently truncated to 2176782336. |
The default value is 2176782336. |
The default value is 2176782336. |
.sp |
.sp |
Once the local sequence number reaches the value of |
Once the local sequence number reaches the value of |
\fImaxseq\fR, |
\fImaxseq\fR, |
it will |
it will |
``roll over'' | \(lqroll over\(rq |
to zero, after which |
to zero, after which |
\fBsudoers\fR |
\fBsudoers\fR |
will truncate and re-use any existing I/O log pathnames. | will truncate and re-use any existing I/O log path names. |
.sp |
.sp |
This setting is only supported by version 1.8.7 or higher. |
This setting is only supported by version 1.8.7 or higher. |
.TP 18n |
.TP 18n |
Line 2888 name used when the
|
Line 2914 name used when the
|
\fB\-i\fR |
\fB\-i\fR |
option is specified. |
option is specified. |
The default value is |
The default value is |
``\fR@pam_login_service@\fR''. | \(lq\fR@pam_login_service@\fR\(rq. |
See the description of |
See the description of |
\fIpam_service\fR |
\fIpam_service\fR |
for more information. |
for more information. |
Line 2904 file or a file in the
|
Line 2930 file or a file in the
|
\fI/etc/pam.d\fR |
\fI/etc/pam.d\fR |
directory. |
directory. |
The default value is |
The default value is |
``\fRsudo\fR''. | \(lq\fRsudo\fR\(rq. |
.sp |
.sp |
This setting is only supported by version 1.8.8 or higher. |
This setting is only supported by version 1.8.8 or higher. |
.TP 18n |
.TP 18n |
Line 2915 option or the
|
Line 2941 option or the
|
\fRSUDO_PROMPT\fR |
\fRSUDO_PROMPT\fR |
environment variable. |
environment variable. |
The following percent |
The following percent |
(`%') | (\(oq%\(cq) |
escape sequences are supported: |
escape sequences are supported: |
.RS | .PP |
| .RS 18n |
| .PD 0 |
.TP 6n |
.TP 6n |
\fR%H\fR |
\fR%H\fR |
expanded to the local host name including the domain name |
expanded to the local host name including the domain name |
(only if the machine's host name is fully qualified or the |
(only if the machine's host name is fully qualified or the |
\fIfqdn\fR |
\fIfqdn\fR |
option is set) |
option is set) |
|
.PD |
.TP 6n |
.TP 6n |
\fR%h\fR |
\fR%h\fR |
expanded to the local host name without the domain name |
expanded to the local host name without the domain name |
Line 2952 characters are collapsed into a single
|
Line 2981 characters are collapsed into a single
|
character |
character |
.PP |
.PP |
The default value is |
The default value is |
``\fR@passprompt@\fR''. | \(lq\fR@passprompt@\fR\(rq. |
.PP | |
.RE |
.RE |
.PD 0 |
|
.TP 18n |
.TP 18n |
privs |
privs |
The default Solaris privileges to use when constructing a new |
The default Solaris privileges to use when constructing a new |
Line 2973 The default privileges may be overridden on a per-comm
|
Line 3000 The default privileges may be overridden on a per-comm
|
This option is only available if |
This option is only available if |
\fBsudoers\fR |
\fBsudoers\fR |
is built on Solaris 10 or higher. |
is built on Solaris 10 or higher. |
.PD |
|
.TP 18n |
.TP 18n |
role |
role |
The default SELinux role to use when constructing a new security |
The default SELinux role to use when constructing a new security |
Line 3022 Locale to use when parsing the sudoers file, logging c
|
Line 3048 Locale to use when parsing the sudoers file, logging c
|
sending email. |
sending email. |
Note that changing the locale may affect how sudoers is interpreted. |
Note that changing the locale may affect how sudoers is interpreted. |
Defaults to |
Defaults to |
``\fRC\fR''. | \(lq\fRC\fR\(rq. |
.TP 18n |
.TP 18n |
timestampdir |
timestampdir |
The directory in which |
The directory in which |
\fBsudo\fR |
\fBsudo\fR |
stores its time stamp files. |
stores its time stamp files. |
|
This directory should be cleared when the system reboots. |
The default is |
The default is |
\fI@timedir@\fR. | \fI@rundir@/ts\fR. |
.TP 18n |
.TP 18n |
timestampowner |
timestampowner |
The owner of the time stamp directory and the time stamps stored therein. | The owner of the lecture status directory, time stamp directory and all |
| files stored therein. |
The default is |
The default is |
\fRroot\fR. |
\fRroot\fR. |
.TP 18n |
.TP 18n |
Line 3054 The
|
Line 3082 The
|
option specifies the fully qualified path to a file containing variables |
option specifies the fully qualified path to a file containing variables |
to be set in the environment of the program being run. |
to be set in the environment of the program being run. |
Entries in this file should either be of the form |
Entries in this file should either be of the form |
``\fRVARIABLE=value\fR'' | \(lq\fRVARIABLE=value\fR\(rq |
or |
or |
``\fRexport VARIABLE=value\fR''. | \(lq\fRexport VARIABLE=value\fR\(rq. |
The value may optionally be surrounded by single or double quotes. |
The value may optionally be surrounded by single or double quotes. |
Variables in this file are subject to other |
Variables in this file are subject to other |
\fBsudo\fR |
\fBsudo\fR |
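Review bot: the timestampowner entry now names the owner of two directories but does not warn that changing the value after installation leaves the existing directories owned by the old user; the new diagnostic in this diff ("@rundir@/ts is owned by uid X, should be Y") says sudoers will then ignore the time stamp directory until the owner is corrected, so a sentence here telling the administrator to chown both directories when the setting changes would save a support round trip. The timestampdir sentence "This directory should be cleared when the system reboots" could also point at the boot-time check under "Time stamp file checks", which is the stated fallback on systems without /var/run.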
Line 3091 lecture
|
Line 3119 lecture
|
This option controls when a short lecture will be printed along with |
This option controls when a short lecture will be printed along with |
the password prompt. |
the password prompt. |
It has the following possible values: |
It has the following possible values: |
.RS | .PP |
| .RS 14n |
| .PD 0 |
.TP 8n |
.TP 8n |
always |
always |
Always lecture the user. |
Always lecture the user. |
|
.PD |
.TP 8n |
.TP 8n |
never |
never |
Never lecture the user. |
Never lecture the user. |
Line 3111 Negating the option results in a value of
|
Line 3142 Negating the option results in a value of
|
being used. |
being used. |
The default value is |
The default value is |
\fI@lecture@\fR. |
\fI@lecture@\fR. |
.PP |
|
.RE |
.RE |
.PD 0 |
|
.TP 14n |
.TP 14n |
lecture_file |
lecture_file |
Path to a file containing an alternate |
Path to a file containing an alternate |
Line 3123 file exists.
|
Line 3152 file exists.
|
By default, |
By default, |
\fBsudo\fR |
\fBsudo\fR |
uses a built-in lecture. |
uses a built-in lecture. |
.PD |
|
.TP 14n |
.TP 14n |
listpw |
listpw |
This option controls when a password will be required when a user runs |
This option controls when a password will be required when a user runs |
Line 3132 with the
|
Line 3160 with the
|
\fB\-l\fR |
\fB\-l\fR |
option. |
option. |
It has the following possible values: |
It has the following possible values: |
.RS | .PP |
| .RS 14n |
| .PD 0 |
.TP 10n |
.TP 10n |
all |
all |
All the user's |
All the user's |
Line 3141 entries for the current host must have
|
Line 3171 entries for the current host must have
|
the |
the |
\fRNOPASSWD\fR |
\fRNOPASSWD\fR |
flag set to avoid entering a password. |
flag set to avoid entering a password. |
|
.PD |
.TP 10n |
.TP 10n |
always |
always |
The user must always enter a password to use the |
The user must always enter a password to use the |
Line 3168 Negating the option results in a value of
|
Line 3199 Negating the option results in a value of
|
being used. |
being used. |
The default value is |
The default value is |
\fIany\fR. |
\fIany\fR. |
.PP |
|
.RE |
.RE |
.PD 0 |
|
.TP 14n |
.TP 14n |
logfile |
logfile |
Path to the |
Path to the |
Line 3181 negating this option turns it off.
|
Line 3210 negating this option turns it off.
|
By default, |
By default, |
\fBsudo\fR |
\fBsudo\fR |
logs via syslog. |
logs via syslog. |
.PD |
|
.TP 14n |
.TP 14n |
mailerflags |
mailerflags |
Flags to use when invoking mailer. Defaults to |
Flags to use when invoking mailer. Defaults to |
Line 3193 Defaults to the path to sendmail found at configure ti
|
Line 3221 Defaults to the path to sendmail found at configure ti
|
.TP 14n |
.TP 14n |
mailfrom |
mailfrom |
Address to use for the |
Address to use for the |
``from'' | \(lqfrom\(rq |
address when sending warning and error mail. |
address when sending warning and error mail. |
The address should be enclosed in double quotes |
The address should be enclosed in double quotes |
(\&"") |
(\&"") |
Line 3227 to have a sane
|
Line 3255 to have a sane
|
\fRPATH\fR |
\fRPATH\fR |
environment variable you may want to use this. |
environment variable you may want to use this. |
Another use is if you want to have the |
Another use is if you want to have the |
``root path'' | \(lqroot path\(rq |
be separate from the |
be separate from the |
``user path''. | \(lquser path\(rq. |
Users in the group specified by the |
Users in the group specified by the |
\fIexempt_group\fR |
\fIexempt_group\fR |
option are not affected by |
option are not affected by |
Line 3266 with the
|
Line 3294 with the
|
\fB\-v\fR |
\fB\-v\fR |
option. |
option. |
It has the following possible values: |
It has the following possible values: |
.RS | .PP |
| .RS 14n |
| .PD 0 |
.TP 8n |
.TP 8n |
all |
all |
All the user's |
All the user's |
Line 3274 All the user's
|
Line 3304 All the user's
|
entries for the current host must have the |
entries for the current host must have the |
\fRNOPASSWD\fR |
\fRNOPASSWD\fR |
flag set to avoid entering a password. |
flag set to avoid entering a password. |
|
.PD |
.TP 8n |
.TP 8n |
always |
always |
The user must always enter a password to use the |
The user must always enter a password to use the |
Line 3307 The default value is
|
Line 3338 The default value is
|
env_check |
env_check |
Environment variables to be removed from the user's environment if |
Environment variables to be removed from the user's environment if |
the variable's value contains |
the variable's value contains |
`%' | \(oq%\(cq |
or |
or |
`/' | \(oq/\(cq |
characters. |
characters. |
This can be used to guard against printf-style format vulnerabilities |
This can be used to guard against printf-style format vulnerabilities |
in poorly-written programs. |
in poorly-written programs. |
Line 3414 The path to the group file should be specified as an o
|
Line 3445 The path to the group file should be specified as an o
|
to the plugin. |
to the plugin. |
For example, if the group file to be used is |
For example, if the group file to be used is |
\fI/etc/sudo-group\fR: |
\fI/etc/sudo-group\fR: |
.RS |
|
.nf |
.nf |
.sp |
.sp |
.RS 0n | .RS 10n |
Defaults group_plugin="group_file.so /etc/sudo-group" |
Defaults group_plugin="group_file.so /etc/sudo-group" |
.RE |
.RE |
.fi |
.fi |
.PP |
|
.RE |
|
.PD 0 |
|
.TP 10n |
.TP 10n |
system_group |
system_group |
The |
The |
Line 3435 and
|
Line 3462 and
|
This plugin can be used in instances where the user belongs to |
This plugin can be used in instances where the user belongs to |
groups not present in the user's supplemental group vector. |
groups not present in the user's supplemental group vector. |
This plugin takes no options: |
This plugin takes no options: |
.RS |
|
.nf |
.nf |
.sp |
.sp |
.RS 0n | .RS 10n |
Defaults group_plugin=system_group.so |
Defaults group_plugin=system_group.so |
.RE |
.RE |
.fi |
.fi |
.RE |
|
.PD |
|
.PP |
.PP |
The group provider plugin API is described in detail in |
The group provider plugin API is described in detail in |
sudo_plugin(@mansectsu@). |
sudo_plugin(@mansectsu@). |
Line 3470 Where the fields are as follows:
|
Line 3494 Where the fields are as follows:
|
date |
date |
The date the command was run. |
The date the command was run. |
Typically, this is in the format |
Typically, this is in the format |
``MMM, DD, HH:MM:SS''. | \(lqMMM, DD, HH:MM:SS\(rq. |
If logging via |
If logging via |
syslog(3), |
syslog(3), |
the actual date format is controlled by the syslog daemon. |
the actual date format is controlled by the syslog daemon. |
Line 3500 The login name of the user who ran
|
Line 3524 The login name of the user who ran
|
.TP 14n |
.TP 14n |
ttyname |
ttyname |
The short name of the terminal (e.g.\& |
The short name of the terminal (e.g.\& |
``console'', | \(lqconsole\(rq, |
``tty01'', | \(lqtty01\(rq, |
or |
or |
``pts/0'') | \(lqpts/0\(rq) |
\fBsudo\fR |
\fBsudo\fR |
was run on, or |
was run on, or |
``unknown'' | \(lqunknown\(rq |
if there was no terminal present. |
if there was no terminal present. |
.TP 14n |
.TP 14n |
cwd |
cwd |
Line 3538 The actual command that was executed.
|
Line 3562 The actual command that was executed.
|
Messages are logged using the locale specified by |
Messages are logged using the locale specified by |
\fIsudoers_locale\fR, |
\fIsudoers_locale\fR, |
which defaults to the |
which defaults to the |
``\fRC\fR'' | \(lq\fRC\fR\(rq |
locale. |
locale. |
.SS "Denied command log entries" |
.SS "Denied command log entries" |
If the user is not allowed to run the command, the reason for the denial |
If the user is not allowed to run the command, the reason for the denial |
Line 3621 using group permissions to avoid this problem.
|
Line 3645 using group permissions to avoid this problem.
|
Consider either changing the ownership of |
Consider either changing the ownership of |
\fI@sysconfdir@/sudoers\fR |
\fI@sysconfdir@/sudoers\fR |
or adding an argument like |
or adding an argument like |
``sudoers_uid=N'' | \(lqsudoers_uid=N\(rq |
(where |
(where |
`N' | \(oqN\(cq |
is the user ID that owns the |
is the user ID that owns the |
\fIsudoers\fR |
\fIsudoers\fR |
file) to the end of the |
file) to the end of the |
Line 3650 file has the wrong owner.
|
Line 3674 file has the wrong owner.
|
If you wish to change the |
If you wish to change the |
\fIsudoers\fR |
\fIsudoers\fR |
file owner, please add |
file owner, please add |
``sudoers_uid=N'' | \(lqsudoers_uid=N\(rq |
(where |
(where |
`N' | \(oqN\(cq |
is the user ID that owns the |
is the user ID that owns the |
\fIsudoers\fR |
\fIsudoers\fR |
file) to the |
file) to the |
Line 3671 The
|
Line 3695 The
|
file must not be world-writable, the default file mode |
file must not be world-writable, the default file mode |
is 0440 (readable by owner and group, writable by none). |
is 0440 (readable by owner and group, writable by none). |
The default mode may be changed via the |
The default mode may be changed via the |
``sudoers_mode'' | \(lqsudoers_mode\(rq |
option to the |
option to the |
\fBsudoers\fR |
\fBsudoers\fR |
\fRPlugin\fR |
\fRPlugin\fR |
Line 3686 file has the wrong group ownership.
|
Line 3710 file has the wrong group ownership.
|
If you wish to change the |
If you wish to change the |
\fIsudoers\fR |
\fIsudoers\fR |
file group ownership, please add |
file group ownership, please add |
``sudoers_gid=N'' | \(lqsudoers_gid=N\(rq |
(where |
(where |
`N' | \(oqN\(cq |
is the group ID that owns the |
is the group ID that owns the |
\fIsudoers\fR |
\fIsudoers\fR |
file) to the |
file) to the |
Line 3698 line in the
|
Line 3722 line in the
|
sudo.conf(@mansectform@) |
sudo.conf(@mansectform@) |
file. |
file. |
.TP 3n |
.TP 3n |
unable to open @timedir@/username/ttyname | unable to open @rundir@/ts/username |
\fIsudoers\fR |
\fIsudoers\fR |
was unable to read or create the user's time stamp file. |
was unable to read or create the user's time stamp file. |
|
This can happen when |
|
\fItimestampowner\fR |
|
is set to a user other than root and the mode on |
|
\fI@rundir@\fR |
|
is not searchable by group or other. |
|
The default mode for |
|
\fI@rundir@\fR |
|
is 0711. |
.TP 3n |
.TP 3n |
unable to write to @timedir@/username/ttyname | unable to write to @rundir@/ts/username |
\fIsudoers\fR |
\fIsudoers\fR |
was unable to write to the user's time stamp file. |
was unable to write to the user's time stamp file. |
.TP 3n |
.TP 3n |
unable to mkdir to @timedir@/username | @rundir@/ts is owned by uid X, should be Y |
| The time stamp directory is owned by a user other than |
| \fItimestampowner\fR. |
| This can occur when the value of |
| \fItimestampowner\fR |
| has been changed. |
\fIsudoers\fR |
\fIsudoers\fR |
was unable to create the user's time stamp directory. | will ignore the time stamp directory until the owner is corrected. |
| .TP 3n |
| @rundir@/ts is group writable |
| The time stamp directory is group-writable; it should be writable only by |
| \fItimestampowner\fR. |
| The default mode for the time stamp directory is 0700. |
| \fIsudoers\fR |
| will ignore the time stamp directory until the mode is corrected. |
.SS "Notes on logging via syslog" |
.SS "Notes on logging via syslog" |
By default, |
By default, |
\fIsudoers\fR |
\fIsudoers\fR |
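Review bot: the new "@rundir@/ts is group writable" entry states the requirement as "writable only by timestampowner" with a default mode of 0700, yet only describes the group-writable case; say whether a directory writable by other is rejected the same way and what message it produces, since an administrator looking at a mode such as 0707 will not find it here. Separately, the "unable to mkdir" entry is removed without a replacement; if sudoers still creates @rundir@/ts on first use, that failure (for example when @rundir@ is not writable by timestampowner) still needs a documented message.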
Line 3731 To prevent the command line arguments from being trunc
|
Line 3775 To prevent the command line arguments from being trunc
|
\fBsudoers\fR |
\fBsudoers\fR |
will split up log messages that are larger than 960 characters |
will split up log messages that are larger than 960 characters |
(not including the date, hostname, and the string |
(not including the date, hostname, and the string |
``sudo''). | \(lqsudo\(rq). |
When a message is split, additional parts will include the string |
When a message is split, additional parts will include the string |
``(command continued)'' | \(lq(command continued)\(rq |
after the user name and before the continued command line arguments. |
after the user name and before the continued command line arguments. |
.SS "Notes on logging to a file" |
.SS "Notes on logging to a file" |
If the |
If the |
Line 3773 on the log files.
|
Line 3817 on the log files.
|
If the |
If the |
\fIloglinelen\fR |
\fIloglinelen\fR |
option is set to 0 (or negated with a |
option is set to 0 (or negated with a |
`\&!'), | \(oq\&!\(cq), |
word wrap will be disabled. |
word wrap will be disabled. |
.SH "FILES" |
.SH "FILES" |
.TP 26n |
.TP 26n |
Line 3792 List of network groups
|
Line 3836 List of network groups
|
\fI@iolog_dir@\fR |
\fI@iolog_dir@\fR |
I/O log files |
I/O log files |
.TP 26n |
.TP 26n |
\fI@timedir@\fR | \fI@rundir@/ts\fR |
Directory containing time stamps for the |
Directory containing time stamps for the |
\fIsudoers\fR |
\fIsudoers\fR |
security policy |
security policy |
.TP 26n |
.TP 26n |
|
\fI@vardir@/lectured\fR |
|
Directory containing lecture status files for the |
|
\fIsudoers\fR |
|
security policy |
|
.TP 26n |
\fI/etc/environment\fR |
\fI/etc/environment\fR |
Initial environment for |
Initial environment for |
\fB\-i\fR |
\fB\-i\fR |
Line 4082 may run any command on machines in the
|
Line 4131 may run any command on machines in the
|
netgroup. |
netgroup. |
\fBsudo\fR |
\fBsudo\fR |
knows that |
knows that |
``biglab'' | \(lqbiglab\(rq |
is a netgroup due to the |
is a netgroup due to the |
`+' | \(oq+\(cq |
prefix. |
prefix. |
.nf |
.nf |
.sp |
.sp |
Line 4218 Any user may mount or unmount a CD-ROM on the machines
|
Line 4267 Any user may mount or unmount a CD-ROM on the machines
|
This is a bit tedious for users to type, so it is a prime candidate |
This is a bit tedious for users to type, so it is a prime candidate |
for encapsulating in a shell script. |
for encapsulating in a shell script. |
.SH "SECURITY NOTES" |
.SH "SECURITY NOTES" |
.SS "Limitations of the `!\&' operator" | .SS "Limitations of the \(oq!\&\(cq operator" |
It is generally not effective to |
It is generally not effective to |
``subtract'' | \(lqsubtract\(rq |
commands from |
commands from |
\fBALL\fR |
\fBALL\fR |
using the |
using the |
`!\&' | \(oq!\&\(cq |
operator. |
operator. |
A user can trivially circumvent this by copying the desired command |
A user can trivially circumvent this by copying the desired command |
to a different name and then executing that. |
to a different name and then executing that. |
Line 4251 In general, if a user has sudo
|
Line 4300 In general, if a user has sudo
|
\fBALL\fR |
\fBALL\fR |
there is nothing to prevent them from creating their own program that gives |
there is nothing to prevent them from creating their own program that gives |
them a root shell (or making their own copy of a shell) regardless of any |
them a root shell (or making their own copy of a shell) regardless of any |
`!\&' | \(oq!\&\(cq |
elements in the user specification. |
elements in the user specification. |
.SS "Security implications of \fIfast_glob\fR" |
.SS "Security implications of \fIfast_glob\fR" |
If the |
If the |
Line 4355 for a command, use the
|
Line 4404 for a command, use the
|
tag as documented |
tag as documented |
in the User Specification section above. |
in the User Specification section above. |
Here is that example again: |
Here is that example again: |
.RS |
|
.nf |
.nf |
.sp |
.sp |
.RS 0n | .RS 10n |
aaron shanty = NOEXEC: /usr/bin/more, /usr/bin/vi |
aaron shanty = NOEXEC: /usr/bin/more, /usr/bin/vi |
.RE |
.RE |
.fi |
.fi |
|
.RS 10n |
.sp |
.sp |
This allows user |
This allows user |
\fBaaron\fR |
\fBaaron\fR |
Line 4387 operations (such as changing or overwriting files) tha
|
Line 4436 operations (such as changing or overwriting files) tha
|
to unintended privilege escalation. |
to unintended privilege escalation. |
In the specific case of an editor, a safer approach is to give the |
In the specific case of an editor, a safer approach is to give the |
user permission to run |
user permission to run |
\fBsudoedit\fR. | \fBsudoedit\fR |
| (see below). |
| .SS "Secure editing" |
| The |
| \fIsudoers\fR |
| plugin includes |
| \fBsudoedit\fR |
| support which allows users to securely edit files with the editor |
| of their choice. |
| As |
| \fBsudoedit\fR |
| is a built-in command, it must be specified in |
| \fIsudoers\fR |
| without a leading path. |
| However, it may take command line arguments just as a normal command does. |
| For example, to allow user operator to edit the |
| \(lqmessage of the day\(rq |
| file: |
| .nf |
| .sp |
| .RS 6n |
| operator sudoedit /etc/motd |
| .RE |
| .fi |
| .PP |
| The operator user then runs |
| \fBsudoedit\fR |
| as follows: |
| .nf |
| .sp |
| .RS 6n |
| $ sudoedit /etc/motd |
| .RE |
| .fi |
| .PP |
| The editor will run as the operator user, not root, on a temporary copy of |
| \fI/etc/motd\fR. |
| After the file has been edited, |
| \fI/etc/motd\fR |
| will be updated with the contents of the temporary copy. |
.SS "Time stamp file checks" |
.SS "Time stamp file checks" |
\fIsudoers\fR |
\fIsudoers\fR |
will check the ownership of its time stamp directory |
will check the ownership of its time stamp directory |
(\fI@timedir@\fR | (\fI@rundir@/ts\fR |
by default) |
by default) |
and ignore the directory's contents if it is not owned by root or |
and ignore the directory's contents if it is not owned by root or |
if it is writable by a user other than root. |
if it is writable by a user other than root. |
On systems that allow non-root users to give away files via | Older versions of |
chown(2), | |
if the time stamp directory is located in a world-writable | |
directory (e.g.\&, | |
\fI/tmp\fR), | |
it is possible for a user to create the time stamp directory before | |
\fBsudo\fR |
\fBsudo\fR |
is run. | stored time stamp files in |
However, because | \fI/tmp\fR; |
| this is no longer recommended as it may be possible for a user |
| to create the time stamp themselves on systems that allow |
| unprivileged users to change the ownership of files they create. |
| .PP |
| While the time stamp directory |
| \fIshould\fR |
| be cleared at reboot time, not all systems contain a |
| \fI/var/run\fR |
| directory. |
| To avoid potential problems, |
\fIsudoers\fR |
\fIsudoers\fR |
checks the ownership and mode of the directory and its | will ignore time stamp files that date from before the machine booted |
contents, the only damage that can be done is to | on systems where the boot time is available. |
``hide'' | |
files by putting them in the time stamp dir. | |
This is unlikely to happen since once the time stamp dir is owned by root | |
and inaccessible by any other user, the user placing files there would be | |
unable to get them back out. | |
.PP |
.PP |
|
Some systems with graphical desktop environments allow unprivileged |
|
users to change the system clock. |
|
Since |
\fIsudoers\fR |
\fIsudoers\fR |
|
relies on the system clock for time stamp validation, it may be |
|
possible on such systems for a user to run |
|
\fBsudo\fR |
|
for longer than |
|
\fItimestamp_timeout\fR |
|
by setting the clock back. |
|
To combat this, |
|
\fIsudoers\fR |
|
uses a monotonic clock (which never moves backwards) for its time stamps |
|
if the system supports it. |
|
.PP |
|
\fIsudoers\fR |
will not honor time stamps set far in the future. |
will not honor time stamps set far in the future. |
Time stamps with a date greater than current_time + 2 * |
Time stamps with a date greater than current_time + 2 * |
\fRTIMEOUT\fR |
\fRTIMEOUT\fR |
will be ignored and sudo will log and complain. | will be ignored and |
This is done to keep a user from creating his/her own time stamp with a | |
bogus date on systems that allow users to give away files if the time | |
stamp directory is located in a world-writable directory. | |
.PP | |
On systems where the boot time is available, | |
\fIsudoers\fR |
\fIsudoers\fR |
will ignore time stamps that date from before the machine booted. | will log and complain. |
.PP |
.PP |
Since time stamp files live in the file system, they can outlive a |
Since time stamp files live in the file system, they can outlive a |
user's login session. |
user's login session. |
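Review bot: the sudoedit example "operator sudoedit /etc/motd" is missing the host list and "=" that every other user specification on this page uses (compare "aaron shanty = NOEXEC: /usr/bin/more, /usr/bin/vi"), so it would not parse as written; suggest "operator ALL = sudoedit /etc/motd". In the same hunk, the "Time stamp file checks" text still says the directory's contents are ignored "if it is not owned by root or if it is writable by a user other than root", which contradicts the new timestampowner entry and the "@rundir@/ts is owned by uid X, should be Y" diagnostic, both of which make timestampowner (not necessarily root) the required owner; reword to "not owned by timestampowner or writable by any other user".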
Line 4432 As a result, a user may be able to login, run a comman
|
Line 4530 As a result, a user may be able to login, run a comman
|
\fBsudo\fR |
\fBsudo\fR |
after authenticating, logout, login again, and run |
after authenticating, logout, login again, and run |
\fBsudo\fR |
\fBsudo\fR |
without authenticating so long as the time stamp file's modification | without authenticating so long as the record's time stamp is within |
time is within | |
\fR@timeout@\fR |
\fR@timeout@\fR |
minutes (or whatever the timeout is set to in | minutes (or whatever value the timeout is set to in |
\fIsudoers\fR). |
\fIsudoers\fR). |
When the |
When the |
\fItty_tickets\fR |
\fItty_tickets\fR |
option is enabled, the time stamp has per-tty granularity but still | option is enabled, the time stamp record includes the device |
| number of the terminal the user authenticated with. |
| This provides per-tty granularity but time stamp records still |
may outlive the user's session. |
may outlive the user's session. |
On Linux systems where the devpts filesystem is used, Solaris systems | The time stamp record also includes the session ID of the process |
with the devices filesystem, as well as other systems that utilize a | that last authenticated. |
devfs filesystem that monotonically increase the inode number of devices | This prevents processes in different terminal sessions from using |
as they are created (such as Mac OS X), | the same time stamp record. |
\fIsudoers\fR | It also helps reduce the chance that a user will be able to run |
is able to determine when a tty-based time stamp file is stale and will | \fBsudo\fR |
ignore it. | without entering a password when logging out and back in again |
Administrators should not rely on this feature as it is not universally | on the same terminal. |
available. | |
.SH "DEBUGGING" |
.SH "DEBUGGING" |
Versions 1.8.4 and higher of the |
Versions 1.8.4 and higher of the |
\fBsudoers\fR |
\fBsudoers\fR |
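Review bot: the new session-ID text ("The time stamp record also includes the session ID of the process that last authenticated. This prevents processes in different terminal sessions from using the same time stamp record.") reads as unconditional, but the tty_tickets entry in this diff says that when tty_tickets is disabled "a single record is used for all login sessions"; state explicitly whether the session-ID match is enforced in that mode too, and if it is, the tty_tickets entry should not describe the record as shared by all sessions. The closing sentence ("reduce the chance that a user will be able to run sudo without entering a password when logging out and back in again") also sits oddly next to the earlier unchanged sentence in this hunk that says a user "may be able to login, run a command with sudo after authenticating, logout, login again, and run sudo without authenticating"; say which of the two holds once the session ID is checked.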
Line 4545 pseudo-tty related code
|
Line 4643 pseudo-tty related code
|
\fIrbtree\fR |
\fIrbtree\fR |
redblack tree internals |
redblack tree internals |
.TP 10n |
.TP 10n |
|
\fIsssd\fR |
|
SSSD-based sudoers |
|
.TP 10n |
\fIutil\fR |
\fIutil\fR |
utility functions |
utility functions |
.PD 0 |
.PD 0 |
.PP |
.PP |
.PD |
|
For example: |
For example: |
.nf |
.nf |
.sp |
.sp |
Line 4557 For example:
|
Line 4657 For example:
|
Debug sudo /var/log/sudo_debug match@info,nss@info |
Debug sudo /var/log/sudo_debug match@info,nss@info |
.RE |
.RE |
.fi |
.fi |
|
.PD |
.PP |
.PP |
For more information, see the |
For more information, see the |
sudo.conf(@mansectform@) |
sudo.conf(@mansectform@) |
Line 4610 search the archives.
|
Line 4711 search the archives.
|
.SH "DISCLAIMER" |
.SH "DISCLAIMER" |
\fBsudo\fR |
\fBsudo\fR |
is provided |
is provided |
``AS IS'' | \(lqAS IS\(rq |
and any express or implied warranties, including, but not limited |
and any express or implied warranties, including, but not limited |
to, the implied warranties of merchantability and fitness for a |
to, the implied warranties of merchantability and fitness for a |
particular purpose are disclaimed. |
particular purpose are disclaimed. |