Annotation of embedaddon/sudo/doc/sudoers.man.in, revision 1.1
1.1 ! misho 1: .\" Copyright (c) 1994-1996, 1998-2005, 2007-2011
! 2: .\" Todd C. Miller <Todd.Miller@courtesan.com>
! 3: .\"
! 4: .\" Permission to use, copy, modify, and distribute this software for any
! 5: .\" purpose with or without fee is hereby granted, provided that the above
! 6: .\" copyright notice and this permission notice appear in all copies.
! 7: .\"
! 8: .\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
! 9: .\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
! 10: .\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
! 11: .\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
! 12: .\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
! 13: .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
! 14: .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
! 15: .\" ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
! 16: .\"
! 17: .\" Sponsored in part by the Defense Advanced Research Projects
! 18: .\" Agency (DARPA) and Air Force Research Laboratory, Air Force
! 19: .\" Materiel Command, USAF, under agreement number F39502-99-1-0512.
! 20: .\"
! 21: .nr SL @SEMAN@
! 22: .nr BA @BAMAN@
! 23: .nr LC @LCMAN@
! 24: .\"
! 25: .\" Automatically generated by Pod::Man 2.23 (Pod::Simple 3.14)
! 26: .\"
! 27: .\" Standard preamble:
! 28: .\" ========================================================================
! 29: .de Sp \" Vertical space (when we can't use .PP)
! 30: .if t .sp .5v
! 31: .if n .sp
! 32: ..
! 33: .de Vb \" Begin verbatim text
! 34: .ft CW
! 35: .nf
! 36: .ne \\$1
! 37: ..
! 38: .de Ve \" End verbatim text
! 39: .ft R
! 40: .fi
! 41: ..
! 42: .\" Set up some character translations and predefined strings. \*(-- will
! 43: .\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
! 44: .\" double quote, and \*(R" will give a right double quote. \*(C+ will
! 45: .\" give a nicer C++. Capital omega is used to do unbreakable dashes and
! 46: .\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
! 47: .\" nothing in troff, for use with C<>.
! 48: .tr \(*W-
! 49: .ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
! 50: .ie n \{\
! 51: . ds -- \(*W-
! 52: . ds PI pi
! 53: . if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
! 54: . if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
! 55: . ds L" ""
! 56: . ds R" ""
! 57: . ds C`
! 58: . ds C'
! 59: 'br\}
! 60: .el\{\
! 61: . ds -- \|\(em\|
! 62: . ds PI \(*p
! 63: . ds L" ``
! 64: . ds R" ''
! 65: 'br\}
! 66: .\"
! 67: .\" Escape single quotes in literal strings from groff's Unicode transform.
! 68: .ie \n(.g .ds Aq \(aq
! 69: .el .ds Aq '
! 70: .\"
! 71: .\" If the F register is turned on, we'll generate index entries on stderr for
! 72: .\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
! 73: .\" entries marked with X<> in POD. Of course, you'll have to process the
! 74: .\" output yourself in some meaningful fashion.
! 75: .ie \nF \{\
! 76: . de IX
! 77: . tm Index:\\$1\t\\n%\t"\\$2"
! 78: ..
! 79: . nr % 0
! 80: . rr F
! 81: .\}
! 82: .el \{\
! 83: . de IX
! 84: ..
! 85: .\}
! 86: .\"
! 87: .\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
! 88: .\" Fear. Run. Save yourself. No user-serviceable parts.
! 89: . \" fudge factors for nroff and troff
! 90: .if n \{\
! 91: . ds #H 0
! 92: . ds #V .8m
! 93: . ds #F .3m
! 94: . ds #[ \f1
! 95: . ds #] \fP
! 96: .\}
! 97: .if t \{\
! 98: . ds #H ((1u-(\\\\n(.fu%2u))*.13m)
! 99: . ds #V .6m
! 100: . ds #F 0
! 101: . ds #[ \&
! 102: . ds #] \&
! 103: .\}
! 104: . \" simple accents for nroff and troff
! 105: .if n \{\
! 106: . ds ' \&
! 107: . ds ` \&
! 108: . ds ^ \&
! 109: . ds , \&
! 110: . ds ~ ~
! 111: . ds /
! 112: .\}
! 113: .if t \{\
! 114: . ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
! 115: . ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
! 116: . ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
! 117: . ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
! 118: . ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
! 119: . ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
! 120: .\}
! 121: . \" troff and (daisy-wheel) nroff accents
! 122: .ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
! 123: .ds 8 \h'\*(#H'\(*b\h'-\*(#H'
! 124: .ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
! 125: .ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
! 126: .ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
! 127: .ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
! 128: .ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
! 129: .ds ae a\h'-(\w'a'u*4/10)'e
! 130: .ds Ae A\h'-(\w'A'u*4/10)'E
! 131: . \" corrections for vroff
! 132: .if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
! 133: .if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
! 134: . \" for low resolution devices (crt and lpr)
! 135: .if \n(.H>23 .if \n(.V>19 \
! 136: \{\
! 137: . ds : e
! 138: . ds 8 ss
! 139: . ds o a
! 140: . ds d- d\h'-1'\(ga
! 141: . ds D- D\h'-1'\(hy
! 142: . ds th \o'bp'
! 143: . ds Th \o'LP'
! 144: . ds ae ae
! 145: . ds Ae AE
! 146: .\}
! 147: .rm #[ #] #H #V #F C
! 148: .\" ========================================================================
! 149: .\"
! 150: .IX Title "SUDOERS @mansectform@"
! 151: .TH SUDOERS @mansectform@ "September 16, 2011" "1.8.3" "MAINTENANCE COMMANDS"
! 152: .\" For nroff, turn off justification. Always turn off hyphenation; it makes
! 153: .\" way too many mistakes in technical documents.
! 154: .if n .ad l
! 155: .nh
! 156: .SH "NAME"
! 157: sudoers \- default sudo security policy module
! 158: .SH "DESCRIPTION"
! 159: .IX Header "DESCRIPTION"
! 160: The \fIsudoers\fR policy module determines a user's \fBsudo\fR privileges.
! 161: It is the default \fBsudo\fR policy plugin. The policy is driven by
! 162: the \fI@sysconfdir@/sudoers\fR file or, optionally in \s-1LDAP\s0. The policy
! 163: format is described in detail in the \*(L"\s-1SUDOERS\s0 \s-1FILE\s0 \s-1FORMAT\s0\*(R"
! 164: section. For information on storing \fIsudoers\fR policy information
! 165: in \s-1LDAP\s0, please see \fIsudoers.ldap\fR\|(@mansectform@).
! 166: .SS "Authentication and Logging"
! 167: .IX Subsection "Authentication and Logging"
! 168: The \fIsudoers\fR security policy requires that most users authenticate
! 169: themselves before they can use \fBsudo\fR. A password is not required
! 170: if the invoking user is root, if the target user is the same as the
! 171: invoking user, or if the policy has disabled authentication for the
! 172: user or command. Unlike \fIsu\fR\|(1), when \fIsudoers\fR requires
! 173: authentication, it validates the invoking user's credentials, not
! 174: the target user's (or root's) credentials. This can be changed via
! 175: the \fIrootpw\fR, \fItargetpw\fR and \fIrunaspw\fR flags, described later.
! 176: .PP
! 177: If a user who is not listed in the policy tries to run a command
! 178: via \fBsudo\fR, mail is sent to the proper authorities. The address
! 179: used for such mail is configurable via the \fImailto\fR Defaults entry
! 180: (described later) and defaults to \f(CW\*(C`@mailto@\*(C'\fR.
! 181: .PP
! 182: Note that mail will not be sent if an unauthorized user tries to
! 183: run \fBsudo\fR with the \fB\-l\fR or \fB\-v\fR option. This allows users to
! 184: determine for themselves whether or not they are allowed to use
! 185: \&\fBsudo\fR.
! 186: .PP
! 187: If \fBsudo\fR is run by root and the \f(CW\*(C`SUDO_USER\*(C'\fR environment variable
! 188: is set, the \fIsudoers\fR policy will use this value to determine who
! 189: the actual user is. This can be used by a user to log commands
! 190: through sudo even when a root shell has been invoked. It also
! 191: allows the \fB\-e\fR option to remain useful even when invoked via a
! 192: sudo-run script or program. Note, however, that the \fIsudoers\fR
! 193: lookup is still done for root, not the user specified by \f(CW\*(C`SUDO_USER\*(C'\fR.
! 194: .PP
! 195: \&\fIsudoers\fR uses time stamp files for credential caching. Once a
! 196: user has been authenticated, a time stamp is updated and the user
! 197: may then use sudo without a password for a short period of time
! 198: (\f(CW\*(C`@timeout@\*(C'\fR minutes unless overridden by the \fItimeout\fR option.
! 199: By default, \fIsudoers\fR uses a tty-based time stamp which means that
! 200: there is a separate time stamp for each of a user's login sessions.
! 201: The \fItty_tickets\fR option can be disabled to force the use of a
! 202: single time stamp for all of a user's sessions.
! 203: .PP
! 204: \&\fIsudoers\fR can log both successful and unsuccessful attempts (as well
! 205: as errors) to \fIsyslog\fR\|(3), a log file, or both. By default, \fIsudoers\fR
! 206: will log via \fIsyslog\fR\|(3) but this is changeable via the \fIsyslog\fR
! 207: and \fIlogfile\fR Defaults settings.
! 208: .PP
! 209: \&\fIsudoers\fR also supports logging a command's input and output
! 210: streams. I/O logging is not on by default but can be enabled using
! 211: the \fIlog_input\fR and \fIlog_output\fR Defaults flags as well as the
! 212: \&\f(CW\*(C`LOG_INPUT\*(C'\fR and \f(CW\*(C`LOG_OUTPUT\*(C'\fR command tags.
! 213: .SS "Command Environment"
! 214: .IX Subsection "Command Environment"
! 215: Since environment variables can influence program behavior, \fIsudoers\fR
! 216: provides a means to restrict which variables from the user's
! 217: environment are inherited by the command to be run. There are two
! 218: distinct ways \fIsudoers\fR can deal with environment variables.
! 219: .PP
! 220: By default, the \fIenv_reset\fR option is enabled. This causes commands
! 221: to be executed with a minimal environment containing \f(CW\*(C`TERM\*(C'\fR,
! 222: \&\f(CW\*(C`PATH\*(C'\fR, \f(CW\*(C`HOME\*(C'\fR, \f(CW\*(C`MAIL\*(C'\fR, \f(CW\*(C`SHELL\*(C'\fR, \f(CW\*(C`LOGNAME\*(C'\fR, \f(CW\*(C`USER\*(C'\fR and \f(CW\*(C`USERNAME\*(C'\fR in
! 223: addition to variables from the invoking process permitted by the
! 224: \&\fIenv_check\fR and \fIenv_keep\fR options. This is effectively a whitelist
! 225: for environment variables.
! 226: .PP
! 227: If, however, the \fIenv_reset\fR option is disabled, any variables not
! 228: explicitly denied by the \fIenv_check\fR and \fIenv_delete\fR options are
! 229: inherited from the invoking process. In this case, \fIenv_check\fR
! 230: and \fIenv_delete\fR behave like a blacklist. Since it is not possible
! 231: to blacklist all potentially dangerous environment variables, use
! 232: of the default \fIenv_reset\fR behavior is encouraged.
! 233: .PP
! 234: In all cases, environment variables with a value beginning with
! 235: \&\f(CW\*(C`()\*(C'\fR are removed as they could be interpreted as \fBbash\fR functions.
! 236: The list of environment variables that \fBsudo\fR allows or denies is
! 237: contained in the output of \f(CW\*(C`sudo \-V\*(C'\fR when run as root.
! 238: .PP
! 239: Note that the dynamic linker on most operating systems will remove
! 240: variables that can control dynamic linking from the environment of
! 241: setuid executables, including \fBsudo\fR. Depending on the operating
! 242: system this may include \f(CW\*(C`_RLD*\*(C'\fR, \f(CW\*(C`DYLD_*\*(C'\fR, \f(CW\*(C`LD_*\*(C'\fR, \f(CW\*(C`LDR_*\*(C'\fR,
! 243: \&\f(CW\*(C`LIBPATH\*(C'\fR, \f(CW\*(C`SHLIB_PATH\*(C'\fR, and others. These type of variables are
! 244: removed from the environment before \fBsudo\fR even begins execution
! 245: and, as such, it is not possible for \fBsudo\fR to preserve them.
! 246: .PP
! 247: As a special case, if \fBsudo\fR's \fB\-i\fR option (initial login) is
! 248: specified, \fIsudoers\fR will initialize the environment regardless
! 249: of the value of \fIenv_reset\fR. The \fI\s-1DISPLAY\s0\fR, \fI\s-1PATH\s0\fR and \fI\s-1TERM\s0\fR
! 250: variables remain unchanged; \fI\s-1HOME\s0\fR, \fI\s-1MAIL\s0\fR, \fI\s-1SHELL\s0\fR, \fI\s-1USER\s0\fR,
! 251: and \fI\s-1LOGNAME\s0\fR are set based on the target user. On Linux and \s-1AIX\s0
! 252: systems the contents of \fI/etc/environment\fR are also included. All
! 253: other environment variables are removed.
! 254: .SH "SUDOERS FILE FORMAT"
! 255: .IX Header "SUDOERS FILE FORMAT"
! 256: The \fIsudoers\fR file is composed of two types of entries: aliases
! 257: (basically variables) and user specifications (which specify who
! 258: may run what).
! 259: .PP
! 260: When multiple entries match for a user, they are applied in order.
! 261: Where there are multiple matches, the last match is used (which is
! 262: not necessarily the most specific match).
! 263: .PP
! 264: The \fIsudoers\fR grammar will be described below in Extended Backus-Naur
! 265: Form (\s-1EBNF\s0). Don't despair if you don't know what \s-1EBNF\s0 is; it is
! 266: fairly simple, and the definitions below are annotated.
! 267: .SS "Quick guide to \s-1EBNF\s0"
! 268: .IX Subsection "Quick guide to EBNF"
! 269: \&\s-1EBNF\s0 is a concise and exact way of describing the grammar of a language.
! 270: Each \s-1EBNF\s0 definition is made up of \fIproduction rules\fR. E.g.,
! 271: .PP
! 272: .Vb 1
! 273: \& symbol ::= definition | alternate1 | alternate2 ...
! 274: .Ve
! 275: .PP
! 276: Each \fIproduction rule\fR references others and thus makes up a
! 277: grammar for the language. \s-1EBNF\s0 also contains the following
! 278: operators, which many readers will recognize from regular
! 279: expressions. Do not, however, confuse them with \*(L"wildcard\*(R"
! 280: characters, which have different meanings.
! 281: .ie n .IP "\*(C`?\*(C'" 4
! 282: .el .IP "\f(CW\*(C`?\*(C'\fR" 4
! 283: .IX Item "?"
! 284: Means that the preceding symbol (or group of symbols) is optional.
! 285: That is, it may appear once or not at all.
! 286: .ie n .IP "\*(C`*\*(C'" 4
! 287: .el .IP "\f(CW\*(C`*\*(C'\fR" 4
! 288: .IX Item "*"
! 289: Means that the preceding symbol (or group of symbols) may appear
! 290: zero or more times.
! 291: .ie n .IP "\*(C`+\*(C'" 4
! 292: .el .IP "\f(CW\*(C`+\*(C'\fR" 4
! 293: .IX Item "+"
! 294: Means that the preceding symbol (or group of symbols) may appear
! 295: one or more times.
! 296: .PP
! 297: Parentheses may be used to group symbols together. For clarity,
! 298: we will use single quotes ('') to designate what is a verbatim character
! 299: string (as opposed to a symbol name).
! 300: .SS "Aliases"
! 301: .IX Subsection "Aliases"
! 302: There are four kinds of aliases: \f(CW\*(C`User_Alias\*(C'\fR, \f(CW\*(C`Runas_Alias\*(C'\fR,
! 303: \&\f(CW\*(C`Host_Alias\*(C'\fR and \f(CW\*(C`Cmnd_Alias\*(C'\fR.
! 304: .PP
! 305: .Vb 4
! 306: \& Alias ::= \*(AqUser_Alias\*(Aq User_Alias (\*(Aq:\*(Aq User_Alias)* |
! 307: \& \*(AqRunas_Alias\*(Aq Runas_Alias (\*(Aq:\*(Aq Runas_Alias)* |
! 308: \& \*(AqHost_Alias\*(Aq Host_Alias (\*(Aq:\*(Aq Host_Alias)* |
! 309: \& \*(AqCmnd_Alias\*(Aq Cmnd_Alias (\*(Aq:\*(Aq Cmnd_Alias)*
! 310: \&
! 311: \& User_Alias ::= NAME \*(Aq=\*(Aq User_List
! 312: \&
! 313: \& Runas_Alias ::= NAME \*(Aq=\*(Aq Runas_List
! 314: \&
! 315: \& Host_Alias ::= NAME \*(Aq=\*(Aq Host_List
! 316: \&
! 317: \& Cmnd_Alias ::= NAME \*(Aq=\*(Aq Cmnd_List
! 318: \&
! 319: \& NAME ::= [A\-Z]([A\-Z][0\-9]_)*
! 320: .Ve
! 321: .PP
! 322: Each \fIalias\fR definition is of the form
! 323: .PP
! 324: .Vb 1
! 325: \& Alias_Type NAME = item1, item2, ...
! 326: .Ve
! 327: .PP
! 328: where \fIAlias_Type\fR is one of \f(CW\*(C`User_Alias\*(C'\fR, \f(CW\*(C`Runas_Alias\*(C'\fR, \f(CW\*(C`Host_Alias\*(C'\fR,
! 329: or \f(CW\*(C`Cmnd_Alias\*(C'\fR. A \f(CW\*(C`NAME\*(C'\fR is a string of uppercase letters, numbers,
! 330: and underscore characters ('_'). A \f(CW\*(C`NAME\*(C'\fR \fBmust\fR start with an
! 331: uppercase letter. It is possible to put several alias definitions
! 332: of the same type on a single line, joined by a colon (':'). E.g.,
! 333: .PP
! 334: .Vb 1
! 335: \& Alias_Type NAME = item1, item2, item3 : NAME = item4, item5
! 336: .Ve
! 337: .PP
! 338: The definitions of what constitutes a valid \fIalias\fR member follow.
! 339: .PP
! 340: .Vb 2
! 341: \& User_List ::= User |
! 342: \& User \*(Aq,\*(Aq User_List
! 343: \&
! 344: \& User ::= \*(Aq!\*(Aq* user name |
! 345: \& \*(Aq!\*(Aq* #uid |
! 346: \& \*(Aq!\*(Aq* %group |
! 347: \& \*(Aq!\*(Aq* %#gid |
! 348: \& \*(Aq!\*(Aq* +netgroup |
! 349: \& \*(Aq!\*(Aq* %:nonunix_group |
! 350: \& \*(Aq!\*(Aq* %:#nonunix_gid |
! 351: \& \*(Aq!\*(Aq* User_Alias
! 352: .Ve
! 353: .PP
! 354: A \f(CW\*(C`User_List\*(C'\fR is made up of one or more user names, user ids
! 355: (prefixed with '#'), system group names and ids (prefixed with '%'
! 356: and '%#' respectively), netgroups (prefixed with '+'), non-Unix
! 357: group names and IDs (prefixed with '%:' and '%:#' respectively) and
! 358: \&\f(CW\*(C`User_Alias\*(C'\fRes. Each list item may be prefixed with zero or more
! 359: \&'!' operators. An odd number of '!' operators negate the value of
! 360: the item; an even number just cancel each other out.
! 361: .PP
! 362: A \f(CW\*(C`user name\*(C'\fR, \f(CW\*(C`uid\*(C'\fR, \f(CW\*(C`group\*(C'\fR, \f(CW\*(C`gid\*(C'\fR, \f(CW\*(C`netgroup\*(C'\fR, \f(CW\*(C`nonunix_group\*(C'\fR
! 363: or \f(CW\*(C`nonunix_gid\*(C'\fR may be enclosed in double quotes to avoid the
! 364: need for escaping special characters. Alternately, special characters
! 365: may be specified in escaped hex mode, e.g. \ex20 for space. When
! 366: using double quotes, any prefix characters must be included inside
! 367: the quotes.
! 368: .PP
! 369: The actual \f(CW\*(C`nonunix_group\*(C'\fR and \f(CW\*(C`nonunix_gid\*(C'\fR syntax depends on
! 370: the underlying group provider plugin (see the \fIgroup_plugin\fR
! 371: description below). For instance, the \s-1QAS\s0 \s-1AD\s0 plugin supports the
! 372: following formats:
! 373: .IP "\(bu" 4
! 374: Group in the same domain: \*(L"Group Name\*(R"
! 375: .IP "\(bu" 4
! 376: Group in any domain: \*(L"Group Name@FULLY.QUALIFIED.DOMAIN\*(R"
! 377: .IP "\(bu" 4
! 378: Group \s-1SID:\s0 \*(L"S\-1\-2\-34\-5678901234\-5678901234\-5678901234\-567\*(R"
! 379: .PP
! 380: Note that quotes around group names are optional. Unquoted strings
! 381: must use a backslash (\e) to escape spaces and special characters.
! 382: See \*(L"Other special characters and reserved words\*(R" for a list of
! 383: characters that need to be escaped.
! 384: .PP
! 385: .Vb 2
! 386: \& Runas_List ::= Runas_Member |
! 387: \& Runas_Member \*(Aq,\*(Aq Runas_List
! 388: \&
! 389: \& Runas_Member ::= \*(Aq!\*(Aq* user name |
! 390: \& \*(Aq!\*(Aq* #uid |
! 391: \& \*(Aq!\*(Aq* %group |
! 392: \& \*(Aq!\*(Aq* %#gid |
! 393: \& \*(Aq!\*(Aq* %:nonunix_group |
! 394: \& \*(Aq!\*(Aq* %:#nonunix_gid |
! 395: \& \*(Aq!\*(Aq* +netgroup |
! 396: \& \*(Aq!\*(Aq* Runas_Alias
! 397: .Ve
! 398: .PP
! 399: A \f(CW\*(C`Runas_List\*(C'\fR is similar to a \f(CW\*(C`User_List\*(C'\fR except that instead
! 400: of \f(CW\*(C`User_Alias\*(C'\fRes it can contain \f(CW\*(C`Runas_Alias\*(C'\fRes. Note that
! 401: user names and groups are matched as strings. In other words, two
! 402: users (groups) with the same uid (gid) are considered to be distinct.
! 403: If you wish to match all user names with the same uid (e.g.\ root
! 404: and toor), you can use a uid instead (#0 in the example given).
! 405: .PP
! 406: .Vb 2
! 407: \& Host_List ::= Host |
! 408: \& Host \*(Aq,\*(Aq Host_List
! 409: \&
! 410: \& Host ::= \*(Aq!\*(Aq* host name |
! 411: \& \*(Aq!\*(Aq* ip_addr |
! 412: \& \*(Aq!\*(Aq* network(/netmask)? |
! 413: \& \*(Aq!\*(Aq* +netgroup |
! 414: \& \*(Aq!\*(Aq* Host_Alias
! 415: .Ve
! 416: .PP
! 417: A \f(CW\*(C`Host_List\*(C'\fR is made up of one or more host names, \s-1IP\s0 addresses,
! 418: network numbers, netgroups (prefixed with '+') and other aliases.
! 419: Again, the value of an item may be negated with the '!' operator.
! 420: If you do not specify a netmask along with the network number,
! 421: \&\fBsudo\fR will query each of the local host's network interfaces and,
! 422: if the network number corresponds to one of the hosts's network
! 423: interfaces, the corresponding netmask will be used. The netmask
! 424: may be specified either in standard \s-1IP\s0 address notation
! 425: (e.g.\ 255.255.255.0 or ffff:ffff:ffff:ffff::),
! 426: or \s-1CIDR\s0 notation (number of bits, e.g.\ 24 or 64). A host name may
! 427: include shell-style wildcards (see the Wildcards section below),
! 428: but unless the \f(CW\*(C`host name\*(C'\fR command on your machine returns the fully
! 429: qualified host name, you'll need to use the \fIfqdn\fR option for
! 430: wildcards to be useful. Note \fBsudo\fR only inspects actual network
! 431: interfaces; this means that \s-1IP\s0 address 127.0.0.1 (localhost) will
! 432: never match. Also, the host name \*(L"localhost\*(R" will only match if
! 433: that is the actual host name, which is usually only the case for
! 434: non-networked systems.
! 435: .PP
! 436: .Vb 2
! 437: \& Cmnd_List ::= Cmnd |
! 438: \& Cmnd \*(Aq,\*(Aq Cmnd_List
! 439: \&
! 440: \& commandname ::= file name |
! 441: \& file name args |
! 442: \& file name \*(Aq""\*(Aq
! 443: \&
! 444: \& Cmnd ::= \*(Aq!\*(Aq* commandname |
! 445: \& \*(Aq!\*(Aq* directory |
! 446: \& \*(Aq!\*(Aq* "sudoedit" |
! 447: \& \*(Aq!\*(Aq* Cmnd_Alias
! 448: .Ve
! 449: .PP
! 450: A \f(CW\*(C`Cmnd_List\*(C'\fR is a list of one or more commandnames, directories, and other
! 451: aliases. A commandname is a fully qualified file name which may include
! 452: shell-style wildcards (see the Wildcards section below). A simple
! 453: file name allows the user to run the command with any arguments he/she
! 454: wishes. However, you may also specify command line arguments (including
! 455: wildcards). Alternately, you can specify \f(CW""\fR to indicate that the command
! 456: may only be run \fBwithout\fR command line arguments. A directory is a
! 457: fully qualified path name ending in a '/'. When you specify a directory
! 458: in a \f(CW\*(C`Cmnd_List\*(C'\fR, the user will be able to run any file within that directory
! 459: (but not in any subdirectories therein).
! 460: .PP
! 461: If a \f(CW\*(C`Cmnd\*(C'\fR has associated command line arguments, then the arguments
! 462: in the \f(CW\*(C`Cmnd\*(C'\fR must match exactly those given by the user on the command line
! 463: (or match the wildcards if there are any). Note that the following
! 464: characters must be escaped with a '\e' if they are used in command
! 465: arguments: ',', ':', '=', '\e'. The special command \f(CW"sudoedit"\fR
! 466: is used to permit a user to run \fBsudo\fR with the \fB\-e\fR option (or
! 467: as \fBsudoedit\fR). It may take command line arguments just as
! 468: a normal command does.
! 469: .SS "Defaults"
! 470: .IX Subsection "Defaults"
! 471: Certain configuration options may be changed from their default
! 472: values at runtime via one or more \f(CW\*(C`Default_Entry\*(C'\fR lines. These
! 473: may affect all users on any host, all users on a specific host, a
! 474: specific user, a specific command, or commands being run as a specific user.
! 475: Note that per-command entries may not include command line arguments.
! 476: If you need to specify arguments, define a \f(CW\*(C`Cmnd_Alias\*(C'\fR and reference
! 477: that instead.
! 478: .PP
! 479: .Vb 5
! 480: \& Default_Type ::= \*(AqDefaults\*(Aq |
! 481: \& \*(AqDefaults\*(Aq \*(Aq@\*(Aq Host_List |
! 482: \& \*(AqDefaults\*(Aq \*(Aq:\*(Aq User_List |
! 483: \& \*(AqDefaults\*(Aq \*(Aq!\*(Aq Cmnd_List |
! 484: \& \*(AqDefaults\*(Aq \*(Aq>\*(Aq Runas_List
! 485: \&
! 486: \& Default_Entry ::= Default_Type Parameter_List
! 487: \&
! 488: \& Parameter_List ::= Parameter |
! 489: \& Parameter \*(Aq,\*(Aq Parameter_List
! 490: \&
! 491: \& Parameter ::= Parameter \*(Aq=\*(Aq Value |
! 492: \& Parameter \*(Aq+=\*(Aq Value |
! 493: \& Parameter \*(Aq\-=\*(Aq Value |
! 494: \& \*(Aq!\*(Aq* Parameter
! 495: .Ve
! 496: .PP
! 497: Parameters may be \fBflags\fR, \fBinteger\fR values, \fBstrings\fR, or \fBlists\fR.
! 498: Flags are implicitly boolean and can be turned off via the '!'
! 499: operator. Some integer, string and list parameters may also be
! 500: used in a boolean context to disable them. Values may be enclosed
! 501: in double quotes (\f(CW\*(C`"\*(C'\fR) when they contain multiple words. Special
! 502: characters may be escaped with a backslash (\f(CW\*(C`\e\*(C'\fR).
! 503: .PP
! 504: Lists have two additional assignment operators, \f(CW\*(C`+=\*(C'\fR and \f(CW\*(C`\-=\*(C'\fR.
! 505: These operators are used to add to and delete from a list respectively.
! 506: It is not an error to use the \f(CW\*(C`\-=\*(C'\fR operator to remove an element
! 507: that does not exist in a list.
! 508: .PP
! 509: Defaults entries are parsed in the following order: generic, host
! 510: and user Defaults first, then runas Defaults and finally command
! 511: defaults.
! 512: .PP
! 513: See \*(L"\s-1SUDOERS\s0 \s-1OPTIONS\s0\*(R" for a list of supported Defaults parameters.
! 514: .SS "User Specification"
! 515: .IX Subsection "User Specification"
! 516: .Vb 2
! 517: \& User_Spec ::= User_List Host_List \*(Aq=\*(Aq Cmnd_Spec_List \e
! 518: \& (\*(Aq:\*(Aq Host_List \*(Aq=\*(Aq Cmnd_Spec_List)*
! 519: \&
! 520: \& Cmnd_Spec_List ::= Cmnd_Spec |
! 521: \& Cmnd_Spec \*(Aq,\*(Aq Cmnd_Spec_List
! 522: \&
! 523: .ie \n(SL \& Cmnd_Spec ::= Runas_Spec? SELinux_Spec? Tag_Spec* Cmnd
! 524: .el \& Cmnd_Spec ::= Runas_Spec? Tag_Spec* Cmnd
! 525: \&
! 526: \& Runas_Spec ::= \*(Aq(\*(Aq Runas_List? (\*(Aq:\*(Aq Runas_List)? \*(Aq)\*(Aq
! 527: \&
! 528: .if \n(SL \{\
! 529: \& SELinux_Spec ::= (\*(AqROLE=role\*(Aq | \*(AqTYPE=type\*(Aq)
! 530: \&
! 531: \}
! 532: \& Tag_Spec ::= (\*(AqNOPASSWD:\*(Aq | \*(AqPASSWD:\*(Aq | \*(AqNOEXEC:\*(Aq | \*(AqEXEC:\*(Aq |
! 533: \& \*(AqSETENV:\*(Aq | \*(AqNOSETENV:\*(Aq | \*(AqLOG_INPUT:\*(Aq | \*(AqNOLOG_INPUT:\*(Aq |
! 534: \& \*(AqLOG_OUTPUT:\*(Aq | \*(AqNOLOG_OUTPUT:\*(Aq)
! 535: .Ve
! 536: .PP
! 537: A \fBuser specification\fR determines which commands a user may run
! 538: (and as what user) on specified hosts. By default, commands are
! 539: run as \fBroot\fR, but this can be changed on a per-command basis.
! 540: .PP
! 541: The basic structure of a user specification is `who where = (as_whom)
! 542: what'. Let's break that down into its constituent parts:
! 543: .SS "Runas_Spec"
! 544: .IX Subsection "Runas_Spec"
! 545: A \f(CW\*(C`Runas_Spec\*(C'\fR determines the user and/or the group that a command
! 546: may be run as. A fully-specified \f(CW\*(C`Runas_Spec\*(C'\fR consists of two
! 547: \&\f(CW\*(C`Runas_List\*(C'\fRs (as defined above) separated by a colon (':') and
! 548: enclosed in a set of parentheses. The first \f(CW\*(C`Runas_List\*(C'\fR indicates
! 549: which users the command may be run as via \fBsudo\fR's \fB\-u\fR option.
! 550: The second defines a list of groups that can be specified via
! 551: \&\fBsudo\fR's \fB\-g\fR option. If both \f(CW\*(C`Runas_List\*(C'\fRs are specified, the
! 552: command may be run with any combination of users and groups listed
! 553: in their respective \f(CW\*(C`Runas_List\*(C'\fRs. If only the first is specified,
! 554: the command may be run as any user in the list but no \fB\-g\fR option
! 555: may be specified. If the first \f(CW\*(C`Runas_List\*(C'\fR is empty but the
! 556: second is specified, the command may be run as the invoking user
! 557: with the group set to any listed in the \f(CW\*(C`Runas_List\*(C'\fR. If no
! 558: \&\f(CW\*(C`Runas_Spec\*(C'\fR is specified the command may be run as \fBroot\fR and
! 559: no group may be specified.
! 560: .PP
! 561: A \f(CW\*(C`Runas_Spec\*(C'\fR sets the default for the commands that follow it.
! 562: What this means is that for the entry:
! 563: .PP
! 564: .Vb 1
! 565: \& dgb boulder = (operator) /bin/ls, /bin/kill, /usr/bin/lprm
! 566: .Ve
! 567: .PP
! 568: The user \fBdgb\fR may run \fI/bin/ls\fR, \fI/bin/kill\fR, and
! 569: \&\fI/usr/bin/lprm\fR \*(-- but only as \fBoperator\fR. E.g.,
! 570: .PP
! 571: .Vb 1
! 572: \& $ sudo \-u operator /bin/ls
! 573: .Ve
! 574: .PP
! 575: It is also possible to override a \f(CW\*(C`Runas_Spec\*(C'\fR later on in an
! 576: entry. If we modify the entry like so:
! 577: .PP
! 578: .Vb 1
! 579: \& dgb boulder = (operator) /bin/ls, (root) /bin/kill, /usr/bin/lprm
! 580: .Ve
! 581: .PP
! 582: Then user \fBdgb\fR is now allowed to run \fI/bin/ls\fR as \fBoperator\fR,
! 583: but \fI/bin/kill\fR and \fI/usr/bin/lprm\fR as \fBroot\fR.
! 584: .PP
! 585: We can extend this to allow \fBdgb\fR to run \f(CW\*(C`/bin/ls\*(C'\fR with either
! 586: the user or group set to \fBoperator\fR:
! 587: .PP
! 588: .Vb 2
! 589: \& dgb boulder = (operator : operator) /bin/ls, (root) /bin/kill, \e
! 590: \& /usr/bin/lprm
! 591: .Ve
! 592: .PP
! 593: Note that while the group portion of the \f(CW\*(C`Runas_Spec\*(C'\fR permits the
! 594: user to run as command with that group, it does not force the user
! 595: to do so. If no group is specified on the command line, the command
! 596: will run with the group listed in the target user's password database
! 597: entry. The following would all be permitted by the sudoers entry above:
! 598: .PP
! 599: .Vb 3
! 600: \& $ sudo \-u operator /bin/ls
! 601: \& $ sudo \-u operator \-g operator /bin/ls
! 602: \& $ sudo \-g operator /bin/ls
! 603: .Ve
! 604: .PP
! 605: In the following example, user \fBtcm\fR may run commands that access
! 606: a modem device file with the dialer group.
! 607: .PP
! 608: .Vb 2
! 609: \& tcm boulder = (:dialer) /usr/bin/tip, /usr/bin/cu, \e
! 610: \& /usr/local/bin/minicom
! 611: .Ve
! 612: .PP
! 613: Note that in this example only the group will be set, the command
! 614: still runs as user \fBtcm\fR. E.g.
! 615: .PP
! 616: .Vb 1
! 617: \& $ sudo \-g dialer /usr/bin/cu
! 618: .Ve
! 619: .PP
! 620: Multiple users and groups may be present in a \f(CW\*(C`Runas_Spec\*(C'\fR, in
! 621: which case the user may select any combination of users and groups
! 622: via the \fB\-u\fR and \fB\-g\fR options. In this example:
! 623: .PP
! 624: .Vb 1
! 625: \& alan ALL = (root, bin : operator, system) ALL
! 626: .Ve
! 627: .PP
! 628: user \fBalan\fR may run any command as either user root or bin,
! 629: optionally setting the group to operator or system.
! 630: .if \n(SL \{\
! 631: .SS "SELinux_Spec"
! 632: .IX Subsection "SELinux_Spec"
! 633: On systems with SELinux support, \fIsudoers\fR entries may optionally have
! 634: an SELinux role and/or type associated with a command. If a role or
! 635: type is specified with the command it will override any default values
! 636: specified in \fIsudoers\fR. A role or type specified on the command line,
! 637: however, will supercede the values in \fIsudoers\fR.
! 638: \}
! 639: .SS "Tag_Spec"
! 640: .IX Subsection "Tag_Spec"
! 641: A command may have zero or more tags associated with it. There are
! 642: eight possible tag values, \f(CW\*(C`NOPASSWD\*(C'\fR, \f(CW\*(C`PASSWD\*(C'\fR, \f(CW\*(C`NOEXEC\*(C'\fR,
! 643: \&\f(CW\*(C`EXEC\*(C'\fR, \f(CW\*(C`SETENV\*(C'\fR, \f(CW\*(C`NOSETENV\*(C'\fR, \f(CW\*(C`LOG_INPUT\*(C'\fR, \f(CW\*(C`NOLOG_INPUT\*(C'\fR,
! 644: \&\f(CW\*(C`LOG_OUTPUT\*(C'\fR and \f(CW\*(C`NOLOG_OUTPUT\*(C'\fR. Once a tag is set on a \f(CW\*(C`Cmnd\*(C'\fR,
! 645: subsequent \f(CW\*(C`Cmnd\*(C'\fRs in the \f(CW\*(C`Cmnd_Spec_List\*(C'\fR, inherit the tag unless
! 646: it is overridden by the opposite tag (i.e.: \f(CW\*(C`PASSWD\*(C'\fR overrides
! 647: \&\f(CW\*(C`NOPASSWD\*(C'\fR and \f(CW\*(C`NOEXEC\*(C'\fR overrides \f(CW\*(C`EXEC\*(C'\fR).
! 648: .PP
! 649: \fI\s-1NOPASSWD\s0 and \s-1PASSWD\s0\fR
! 650: .IX Subsection "NOPASSWD and PASSWD"
! 651: .PP
! 652: By default, \fBsudo\fR requires that a user authenticate him or herself
! 653: before running a command. This behavior can be modified via the
! 654: \&\f(CW\*(C`NOPASSWD\*(C'\fR tag. Like a \f(CW\*(C`Runas_Spec\*(C'\fR, the \f(CW\*(C`NOPASSWD\*(C'\fR tag sets
! 655: a default for the commands that follow it in the \f(CW\*(C`Cmnd_Spec_List\*(C'\fR.
! 656: Conversely, the \f(CW\*(C`PASSWD\*(C'\fR tag can be used to reverse things.
! 657: For example:
! 658: .PP
! 659: .Vb 1
! 660: \& ray rushmore = NOPASSWD: /bin/kill, /bin/ls, /usr/bin/lprm
! 661: .Ve
! 662: .PP
! 663: would allow the user \fBray\fR to run \fI/bin/kill\fR, \fI/bin/ls\fR, and
! 664: \&\fI/usr/bin/lprm\fR as \fBroot\fR on the machine rushmore without
! 665: authenticating himself. If we only want \fBray\fR to be able to
! 666: run \fI/bin/kill\fR without a password the entry would be:
! 667: .PP
! 668: .Vb 1
! 669: \& ray rushmore = NOPASSWD: /bin/kill, PASSWD: /bin/ls, /usr/bin/lprm
! 670: .Ve
! 671: .PP
! 672: Note, however, that the \f(CW\*(C`PASSWD\*(C'\fR tag has no effect on users who are
! 673: in the group specified by the \fIexempt_group\fR option.
! 674: .PP
! 675: By default, if the \f(CW\*(C`NOPASSWD\*(C'\fR tag is applied to any of the entries
! 676: for a user on the current host, he or she will be able to run
! 677: \&\f(CW\*(C`sudo \-l\*(C'\fR without a password. Additionally, a user may only run
! 678: \&\f(CW\*(C`sudo \-v\*(C'\fR without a password if the \f(CW\*(C`NOPASSWD\*(C'\fR tag is present
! 679: for all a user's entries that pertain to the current host.
! 680: This behavior may be overridden via the verifypw and listpw options.
! 681: .PP
! 682: \fI\s-1NOEXEC\s0 and \s-1EXEC\s0\fR
! 683: .IX Subsection "NOEXEC and EXEC"
! 684: .PP
! 685: If \fBsudo\fR has been compiled with \fInoexec\fR support and the underlying
! 686: operating system supports it, the \f(CW\*(C`NOEXEC\*(C'\fR tag can be used to prevent
! 687: a dynamically-linked executable from running further commands itself.
! 688: .PP
! 689: In the following example, user \fBaaron\fR may run \fI/usr/bin/more\fR
! 690: and \fI/usr/bin/vi\fR but shell escapes will be disabled.
! 691: .PP
! 692: .Vb 1
! 693: \& aaron shanty = NOEXEC: /usr/bin/more, /usr/bin/vi
! 694: .Ve
! 695: .PP
! 696: See the \*(L"\s-1PREVENTING\s0 \s-1SHELL\s0 \s-1ESCAPES\s0\*(R" section below for more details
! 697: on how \f(CW\*(C`NOEXEC\*(C'\fR works and whether or not it will work on your system.
! 698: .PP
! 699: \fI\s-1SETENV\s0 and \s-1NOSETENV\s0\fR
! 700: .IX Subsection "SETENV and NOSETENV"
! 701: .PP
! 702: These tags override the value of the \fIsetenv\fR option on a per-command
! 703: basis. Note that if \f(CW\*(C`SETENV\*(C'\fR has been set for a command, the user
! 704: may disable the \fIenv_reset\fR option from the command line via the
! 705: \&\fB\-E\fR option. Additionally, environment variables set on the command
! 706: line are not subject to the restrictions imposed by \fIenv_check\fR,
! 707: \&\fIenv_delete\fR, or \fIenv_keep\fR. As such, only trusted users should
! 708: be allowed to set variables in this manner. If the command matched
! 709: is \fB\s-1ALL\s0\fR, the \f(CW\*(C`SETENV\*(C'\fR tag is implied for that command; this
! 710: default may be overridden by use of the \f(CW\*(C`NOSETENV\*(C'\fR tag.
! 711: .PP
! 712: \fI\s-1LOG_INPUT\s0 and \s-1NOLOG_INPUT\s0\fR
! 713: .IX Subsection "LOG_INPUT and NOLOG_INPUT"
! 714: .PP
! 715: These tags override the value of the \fIlog_input\fR option on a
! 716: per-command basis. For more information, see the description of
! 717: \&\fIlog_input\fR in the \*(L"\s-1SUDOERS\s0 \s-1OPTIONS\s0\*(R" section below.
! 718: .PP
! 719: \fI\s-1LOG_OUTPUT\s0 and \s-1NOLOG_OUTPUT\s0\fR
! 720: .IX Subsection "LOG_OUTPUT and NOLOG_OUTPUT"
! 721: .PP
! 722: These tags override the value of the \fIlog_output\fR option on a
! 723: per-command basis. For more information, see the description of
! 724: \&\fIlog_output\fR in the \*(L"\s-1SUDOERS\s0 \s-1OPTIONS\s0\*(R" section below.
! 725: .SS "Wildcards"
! 726: .IX Subsection "Wildcards"
! 727: \&\fBsudo\fR allows shell-style \fIwildcards\fR (aka meta or glob characters)
! 728: to be used in host names, path names and command line arguments in
! 729: the \fIsudoers\fR file. Wildcard matching is done via the \fB\s-1POSIX\s0\fR
! 730: \&\fIglob\fR\|(3) and \fIfnmatch\fR\|(3) routines. Note that these are \fInot\fR
! 731: regular expressions.
! 732: .ie n .IP "\*(C`*\*(C'" 8
! 733: .el .IP "\f(CW\*(C`*\*(C'\fR" 8
! 734: .IX Item "*"
! 735: Matches any set of zero or more characters.
! 736: .ie n .IP "\*(C`?\*(C'" 8
! 737: .el .IP "\f(CW\*(C`?\*(C'\fR" 8
! 738: .IX Item "?"
! 739: Matches any single character.
! 740: .ie n .IP "\*(C`[...]\*(C'" 8
! 741: .el .IP "\f(CW\*(C`[...]\*(C'\fR" 8
! 742: .IX Item "[...]"
! 743: Matches any character in the specified range.
! 744: .ie n .IP "\*(C`[!...]\*(C'" 8
! 745: .el .IP "\f(CW\*(C`[!...]\*(C'\fR" 8
! 746: .IX Item "[!...]"
! 747: Matches any character \fBnot\fR in the specified range.
! 748: .ie n .IP "\*(C`\ex\*(C'" 8
! 749: .el .IP "\f(CW\*(C`\ex\*(C'\fR" 8
! 750: .IX Item "x"
! 751: For any character \*(L"x\*(R", evaluates to \*(L"x\*(R". This is used to
! 752: escape special characters such as: \*(L"*\*(R", \*(L"?\*(R", \*(L"[\*(R", and \*(L"}\*(R".
! 753: .PP
! 754: \&\s-1POSIX\s0 character classes may also be used if your system's \fIglob\fR\|(3)
! 755: and \fIfnmatch\fR\|(3) functions support them. However, because the
! 756: \&\f(CW\*(Aq:\*(Aq\fR character has special meaning in \fIsudoers\fR, it must be
! 757: escaped. For example:
! 758: .PP
! 759: .Vb 1
! 760: \& /bin/ls [[\e:alpha\e:]]*
! 761: .Ve
! 762: .PP
! 763: Would match any file name beginning with a letter.
! 764: .PP
! 765: Note that a forward slash ('/') will \fBnot\fR be matched by
! 766: wildcards used in the path name. When matching the command
! 767: line arguments, however, a slash \fBdoes\fR get matched by
! 768: wildcards. This is to make a path like:
! 769: .PP
! 770: .Vb 1
! 771: \& /usr/bin/*
! 772: .Ve
! 773: .PP
! 774: match \fI/usr/bin/who\fR but not \fI/usr/bin/X11/xterm\fR.
! 775: .SS "Exceptions to wildcard rules"
! 776: .IX Subsection "Exceptions to wildcard rules"
! 777: The following exceptions apply to the above rules:
! 778: .ie n .IP """""" 8
! 779: .el .IP "\f(CW``''\fR" 8
! 780: .IX Item """"""
! 781: If the empty string \f(CW""\fR is the only command line argument in the
! 782: \&\fIsudoers\fR entry it means that command is not allowed to be run
! 783: with \fBany\fR arguments.
! 784: .SS "Including other files from within sudoers"
! 785: .IX Subsection "Including other files from within sudoers"
! 786: It is possible to include other \fIsudoers\fR files from within the
! 787: \&\fIsudoers\fR file currently being parsed using the \f(CW\*(C`#include\*(C'\fR and
! 788: \&\f(CW\*(C`#includedir\*(C'\fR directives.
! 789: .PP
! 790: This can be used, for example, to keep a site-wide \fIsudoers\fR file
! 791: in addition to a local, per-machine file. For the sake of this
! 792: example the site-wide \fIsudoers\fR will be \fI/etc/sudoers\fR and the
! 793: per-machine one will be \fI/etc/sudoers.local\fR. To include
! 794: \&\fI/etc/sudoers.local\fR from within \fI/etc/sudoers\fR we would use the
! 795: following line in \fI/etc/sudoers\fR:
! 796: .Sp
! 797: .RS 4
! 798: \&\f(CW\*(C`#include /etc/sudoers.local\*(C'\fR
! 799: .RE
! 800: .PP
! 801: When \fBsudo\fR reaches this line it will suspend processing of the
! 802: current file (\fI/etc/sudoers\fR) and switch to \fI/etc/sudoers.local\fR.
! 803: Upon reaching the end of \fI/etc/sudoers.local\fR, the rest of
! 804: \&\fI/etc/sudoers\fR will be processed. Files that are included may
! 805: themselves include other files. A hard limit of 128 nested include
! 806: files is enforced to prevent include file loops.
! 807: .PP
! 808: The file name may include the \f(CW%h\fR escape, signifying the short form
! 809: of the host name. I.e., if the machine's host name is \*(L"xerxes\*(R", then
! 810: .PP
! 811: \&\f(CW\*(C`#include /etc/sudoers.%h\*(C'\fR
! 812: .PP
! 813: will cause \fBsudo\fR to include the file \fI/etc/sudoers.xerxes\fR.
! 814: .PP
! 815: The \f(CW\*(C`#includedir\*(C'\fR directive can be used to create a \fIsudo.d\fR
! 816: directory that the system package manager can drop \fIsudoers\fR rules
! 817: into as part of package installation. For example, given:
! 818: .PP
! 819: \&\f(CW\*(C`#includedir /etc/sudoers.d\*(C'\fR
! 820: .PP
! 821: \&\fBsudo\fR will read each file in \fI/etc/sudoers.d\fR, skipping file
! 822: names that end in \f(CW\*(C`~\*(C'\fR or contain a \f(CW\*(C`.\*(C'\fR character to avoid causing
! 823: problems with package manager or editor temporary/backup files.
! 824: Files are parsed in sorted lexical order. That is,
! 825: \&\fI/etc/sudoers.d/01_first\fR will be parsed before
! 826: \&\fI/etc/sudoers.d/10_second\fR. Be aware that because the sorting is
! 827: lexical, not numeric, \fI/etc/sudoers.d/1_whoops\fR would be loaded
! 828: \&\fBafter\fR \fI/etc/sudoers.d/10_second\fR. Using a consistent number
! 829: of leading zeroes in the file names can be used to avoid such
! 830: problems.
! 831: .PP
! 832: Note that unlike files included via \f(CW\*(C`#include\*(C'\fR, \fBvisudo\fR will not
! 833: edit the files in a \f(CW\*(C`#includedir\*(C'\fR directory unless one of them
! 834: contains a syntax error. It is still possible to run \fBvisudo\fR
! 835: with the \f(CW\*(C`\-f\*(C'\fR flag to edit the files directly.
! 836: .SS "Other special characters and reserved words"
! 837: .IX Subsection "Other special characters and reserved words"
! 838: The pound sign ('#') is used to indicate a comment (unless it is
! 839: part of a #include directive or unless it occurs in the context of
! 840: a user name and is followed by one or more digits, in which case
! 841: it is treated as a uid). Both the comment character and any text
! 842: after it, up to the end of the line, are ignored.
! 843: .PP
! 844: The reserved word \fB\s-1ALL\s0\fR is a built-in \fIalias\fR that always causes
! 845: a match to succeed. It can be used wherever one might otherwise
! 846: use a \f(CW\*(C`Cmnd_Alias\*(C'\fR, \f(CW\*(C`User_Alias\*(C'\fR, \f(CW\*(C`Runas_Alias\*(C'\fR, or \f(CW\*(C`Host_Alias\*(C'\fR.
! 847: You should not try to define your own \fIalias\fR called \fB\s-1ALL\s0\fR as the
! 848: built-in alias will be used in preference to your own. Please note
! 849: that using \fB\s-1ALL\s0\fR can be dangerous since in a command context, it
! 850: allows the user to run \fBany\fR command on the system.
! 851: .PP
! 852: An exclamation point ('!') can be used as a logical \fInot\fR operator
! 853: both in an \fIalias\fR and in front of a \f(CW\*(C`Cmnd\*(C'\fR. This allows one to
! 854: exclude certain values. Note, however, that using a \f(CW\*(C`!\*(C'\fR in
! 855: conjunction with the built-in \f(CW\*(C`ALL\*(C'\fR alias to allow a user to
! 856: run \*(L"all but a few\*(R" commands rarely works as intended (see \s-1SECURITY\s0
! 857: \&\s-1NOTES\s0 below).
! 858: .PP
! 859: Long lines can be continued with a backslash ('\e') as the last
! 860: character on the line.
! 861: .PP
! 862: Whitespace between elements in a list as well as special syntactic
! 863: characters in a \fIUser Specification\fR ('=', ':', '(', ')') is optional.
! 864: .PP
! 865: The following characters must be escaped with a backslash ('\e') when
! 866: used as part of a word (e.g.\ a user name or host name):
! 867: \&'!', '=', ':', ',', '(', ')', '\e'.
! 868: .SH "SUDOERS OPTIONS"
! 869: .IX Header "SUDOERS OPTIONS"
! 870: \&\fBsudo\fR's behavior can be modified by \f(CW\*(C`Default_Entry\*(C'\fR lines, as
! 871: explained earlier. A list of all supported Defaults parameters,
! 872: grouped by type, are listed below.
! 873: .PP
! 874: \&\fBBoolean Flags\fR:
! 875: .IP "always_set_home" 16
! 876: .IX Item "always_set_home"
! 877: If enabled, \fBsudo\fR will set the \f(CW\*(C`HOME\*(C'\fR environment variable to the
! 878: home directory of the target user (which is root unless the \fB\-u\fR
! 879: option is used). This effectively means that the \fB\-H\fR option is
! 880: always implied. Note that \f(CW\*(C`HOME\*(C'\fR is already set when the the
! 881: \&\fIenv_reset\fR option is enabled, so \fIalways_set_home\fR is only
! 882: effective for configurations where either \fIenv_reset\fR is disabled
! 883: or \f(CW\*(C`HOME\*(C'\fR is present in the \fIenv_keep\fR list.
! 884: This flag is \fIoff\fR by default.
! 885: .IP "authenticate" 16
! 886: .IX Item "authenticate"
! 887: If set, users must authenticate themselves via a password (or other
! 888: means of authentication) before they may run commands. This default
! 889: may be overridden via the \f(CW\*(C`PASSWD\*(C'\fR and \f(CW\*(C`NOPASSWD\*(C'\fR tags.
! 890: This flag is \fIon\fR by default.
! 891: .IP "closefrom_override" 16
! 892: .IX Item "closefrom_override"
! 893: If set, the user may use \fBsudo\fR's \fB\-C\fR option which
! 894: overrides the default starting point at which \fBsudo\fR begins
! 895: closing open file descriptors. This flag is \fIoff\fR by default.
! 896: .IP "compress_io" 16
! 897: .IX Item "compress_io"
! 898: If set, and \fBsudo\fR is configured to log a command's input or output,
! 899: the I/O logs will be compressed using \fBzlib\fR. This flag is \fIon\fR
! 900: by default when \fBsudo\fR is compiled with \fBzlib\fR support.
! 901: .IP "env_editor" 16
! 902: .IX Item "env_editor"
! 903: If set, \fBvisudo\fR will use the value of the \s-1EDITOR\s0 or \s-1VISUAL\s0
! 904: environment variables before falling back on the default editor list.
! 905: Note that this may create a security hole as it allows the user to
! 906: run any arbitrary command as root without logging. A safer alternative
! 907: is to place a colon-separated list of editors in the \f(CW\*(C`editor\*(C'\fR
! 908: variable. \fBvisudo\fR will then only use the \s-1EDITOR\s0 or \s-1VISUAL\s0 if
! 909: they match a value specified in \f(CW\*(C`editor\*(C'\fR. This flag is \fI@env_editor@\fR by
! 910: default.
! 911: .IP "env_reset" 16
! 912: .IX Item "env_reset"
! 913: If set, \fBsudo\fR will reset the environment to only contain the
! 914: \&\s-1LOGNAME\s0, \s-1MAIL\s0, \s-1SHELL\s0, \s-1USER\s0, \s-1USERNAME\s0 and the \f(CW\*(C`SUDO_*\*(C'\fR variables. Any
! 915: variables in the caller's environment that match the \f(CW\*(C`env_keep\*(C'\fR
! 916: and \f(CW\*(C`env_check\*(C'\fR lists are then added. The default contents of the
! 917: \&\f(CW\*(C`env_keep\*(C'\fR and \f(CW\*(C`env_check\*(C'\fR lists are displayed when \fBsudo\fR is
! 918: run by root with the \fI\-V\fR option. If the \fIsecure_path\fR option
! 919: is set, its value will be used for the \f(CW\*(C`PATH\*(C'\fR environment variable.
! 920: This flag is \fI@env_reset@\fR by default.
! 921: .IP "fast_glob" 16
! 922: .IX Item "fast_glob"
! 923: Normally, \fBsudo\fR uses the \fIglob\fR\|(3) function to do shell-style
! 924: globbing when matching path names. However, since it accesses the
! 925: file system, \fIglob\fR\|(3) can take a long time to complete for some
! 926: patterns, especially when the pattern references a network file
! 927: system that is mounted on demand (automounted). The \fIfast_glob\fR
! 928: option causes \fBsudo\fR to use the \fIfnmatch\fR\|(3) function, which does
! 929: not access the file system to do its matching. The disadvantage
! 930: of \fIfast_glob\fR is that it is unable to match relative path names
! 931: such as \fI./ls\fR or \fI../bin/ls\fR. This has security implications
! 932: when path names that include globbing characters are used with the
! 933: negation operator, \f(CW\*(Aq!\*(Aq\fR, as such rules can be trivially bypassed.
! 934: As such, this option should not be used when \fIsudoers\fR contains rules
! 935: that contain negated path names which include globbing characters.
! 936: This flag is \fIoff\fR by default.
! 937: .IP "fqdn" 16
! 938: .IX Item "fqdn"
! 939: Set this flag if you want to put fully qualified host names in the
! 940: \&\fIsudoers\fR file. I.e., instead of myhost you would use myhost.mydomain.edu.
! 941: You may still use the short form if you wish (and even mix the two).
! 942: Beware that turning on \fIfqdn\fR requires \fBsudo\fR to make \s-1DNS\s0 lookups
! 943: which may make \fBsudo\fR unusable if \s-1DNS\s0 stops working (for example
! 944: if the machine is not plugged into the network). Also note that
! 945: you must use the host's official name as \s-1DNS\s0 knows it. That is,
! 946: you may not use a host alias (\f(CW\*(C`CNAME\*(C'\fR entry) due to performance
! 947: issues and the fact that there is no way to get all aliases from
! 948: \&\s-1DNS\s0. If your machine's host name (as returned by the \f(CW\*(C`hostname\*(C'\fR
! 949: command) is already fully qualified you shouldn't need to set
! 950: \&\fIfqdn\fR. This flag is \fI@fqdn@\fR by default.
! 951: .IP "ignore_dot" 16
! 952: .IX Item "ignore_dot"
! 953: If set, \fBsudo\fR will ignore '.' or '' (current dir) in the \f(CW\*(C`PATH\*(C'\fR
! 954: environment variable; the \f(CW\*(C`PATH\*(C'\fR itself is not modified. This
! 955: flag is \fI@ignore_dot@\fR by default.
! 956: .IP "ignore_local_sudoers" 16
! 957: .IX Item "ignore_local_sudoers"
! 958: If set via \s-1LDAP\s0, parsing of \fI@sysconfdir@/sudoers\fR will be skipped.
! 959: This is intended for Enterprises that wish to prevent the usage of local
! 960: sudoers files so that only \s-1LDAP\s0 is used. This thwarts the efforts of
! 961: rogue operators who would attempt to add roles to \fI@sysconfdir@/sudoers\fR.
! 962: When this option is present, \fI@sysconfdir@/sudoers\fR does not even need to
! 963: exist. Since this option tells \fBsudo\fR how to behave when no specific \s-1LDAP\s0
! 964: entries have been matched, this sudoOption is only meaningful for the
! 965: \&\f(CW\*(C`cn=defaults\*(C'\fR section. This flag is \fIoff\fR by default.
! 966: .IP "insults" 16
! 967: .IX Item "insults"
! 968: If set, \fBsudo\fR will insult users when they enter an incorrect
! 969: password. This flag is \fI@insults@\fR by default.
! 970: .IP "log_host" 16
! 971: .IX Item "log_host"
! 972: If set, the host name will be logged in the (non-syslog) \fBsudo\fR log file.
! 973: This flag is \fIoff\fR by default.
! 974: .IP "log_input" 16
! 975: .IX Item "log_input"
! 976: If set, \fBsudo\fR will run the command in a \fIpseudo tty\fR and log all
! 977: user input.
! 978: If the standard input is not connected to the user's tty, due to
! 979: I/O redirection or because the command is part of a pipeline, that
! 980: input is also captured and stored in a separate log file.
! 981: .Sp
! 982: Input is logged to the directory specified by the \fIiolog_dir\fR
! 983: option (\fI@iolog_dir@\fR by default) using a unique session \s-1ID\s0 that
! 984: is included in the normal \fBsudo\fR log line, prefixed with \fITSID=\fR.
! 985: The \fIiolog_file\fR option may be used to control the format of the
! 986: session \s-1ID\s0.
! 987: .Sp
! 988: Note that user input may contain sensitive information such as
! 989: passwords (even if they are not echoed to the screen), which will
! 990: be stored in the log file unencrypted. In most cases, logging the
! 991: command output via \fIlog_output\fR is all that is required.
! 992: .IP "log_output" 16
! 993: .IX Item "log_output"
! 994: If set, \fBsudo\fR will run the command in a \fIpseudo tty\fR and log all
! 995: output that is sent to the screen, similar to the \fIscript\fR\|(1) command.
! 996: If the standard output or standard error is not connected to the
! 997: user's tty, due to I/O redirection or because the command is part
! 998: of a pipeline, that output is also captured and stored in separate
! 999: log files.
! 1000: .Sp
! 1001: Output is logged to the directory specified by the \fIiolog_dir\fR
! 1002: option (\fI@iolog_dir@\fR by default) using a unique session \s-1ID\s0 that
! 1003: is included in the normal \fBsudo\fR log line, prefixed with \fITSID=\fR.
! 1004: The \fIiolog_file\fR option may be used to control the format of the
! 1005: session \s-1ID\s0.
! 1006: .Sp
! 1007: Output logs may be viewed with the \fIsudoreplay\fR\|(@mansectsu@) utility, which
! 1008: can also be used to list or search the available logs.
! 1009: .IP "log_year" 16
! 1010: .IX Item "log_year"
! 1011: If set, the four-digit year will be logged in the (non-syslog) \fBsudo\fR log file.
! 1012: This flag is \fIoff\fR by default.
! 1013: .IP "long_otp_prompt" 16
! 1014: .IX Item "long_otp_prompt"
! 1015: When validating with a One Time Password (\s-1OTP\s0) scheme such as
! 1016: \&\fBS/Key\fR or \fB\s-1OPIE\s0\fR, a two-line prompt is used to make it easier
! 1017: to cut and paste the challenge to a local window. It's not as
! 1018: pretty as the default but some people find it more convenient. This
! 1019: flag is \fI@long_otp_prompt@\fR by default.
! 1020: .IP "mail_always" 16
! 1021: .IX Item "mail_always"
! 1022: Send mail to the \fImailto\fR user every time a users runs \fBsudo\fR.
! 1023: This flag is \fIoff\fR by default.
! 1024: .IP "mail_badpass" 16
! 1025: .IX Item "mail_badpass"
! 1026: Send mail to the \fImailto\fR user if the user running \fBsudo\fR does not
! 1027: enter the correct password. This flag is \fIoff\fR by default.
! 1028: .IP "mail_no_host" 16
! 1029: .IX Item "mail_no_host"
! 1030: If set, mail will be sent to the \fImailto\fR user if the invoking
! 1031: user exists in the \fIsudoers\fR file, but is not allowed to run
! 1032: commands on the current host. This flag is \fI@mail_no_host@\fR by default.
! 1033: .IP "mail_no_perms" 16
! 1034: .IX Item "mail_no_perms"
! 1035: If set, mail will be sent to the \fImailto\fR user if the invoking
! 1036: user is allowed to use \fBsudo\fR but the command they are trying is not
! 1037: listed in their \fIsudoers\fR file entry or is explicitly denied.
! 1038: This flag is \fI@mail_no_perms@\fR by default.
! 1039: .IP "mail_no_user" 16
! 1040: .IX Item "mail_no_user"
! 1041: If set, mail will be sent to the \fImailto\fR user if the invoking
! 1042: user is not in the \fIsudoers\fR file. This flag is \fI@mail_no_user@\fR
! 1043: by default.
! 1044: .IP "noexec" 16
! 1045: .IX Item "noexec"
! 1046: If set, all commands run via \fBsudo\fR will behave as if the \f(CW\*(C`NOEXEC\*(C'\fR
! 1047: tag has been set, unless overridden by a \f(CW\*(C`EXEC\*(C'\fR tag. See the
! 1048: description of \fI\s-1NOEXEC\s0 and \s-1EXEC\s0\fR below as well as the \*(L"\s-1PREVENTING\s0 \s-1SHELL\s0
! 1049: \&\s-1ESCAPES\s0\*(R" section at the end of this manual. This flag is \fIoff\fR by default.
! 1050: .IP "path_info" 16
! 1051: .IX Item "path_info"
! 1052: Normally, \fBsudo\fR will tell the user when a command could not be
! 1053: found in their \f(CW\*(C`PATH\*(C'\fR environment variable. Some sites may wish
! 1054: to disable this as it could be used to gather information on the
! 1055: location of executables that the normal user does not have access
! 1056: to. The disadvantage is that if the executable is simply not in
! 1057: the user's \f(CW\*(C`PATH\*(C'\fR, \fBsudo\fR will tell the user that they are not
! 1058: allowed to run it, which can be confusing. This flag is \fI@path_info@\fR
! 1059: by default.
! 1060: .IP "passprompt_override" 16
! 1061: .IX Item "passprompt_override"
! 1062: The password prompt specified by \fIpassprompt\fR will normally only
! 1063: be used if the password prompt provided by systems such as \s-1PAM\s0 matches
! 1064: the string \*(L"Password:\*(R". If \fIpassprompt_override\fR is set, \fIpassprompt\fR
! 1065: will always be used. This flag is \fIoff\fR by default.
! 1066: .IP "preserve_groups" 16
! 1067: .IX Item "preserve_groups"
! 1068: By default, \fBsudo\fR will initialize the group vector to the list of
! 1069: groups the target user is in. When \fIpreserve_groups\fR is set, the
! 1070: user's existing group vector is left unaltered. The real and
! 1071: effective group IDs, however, are still set to match the target
! 1072: user. This flag is \fIoff\fR by default.
! 1073: .IP "pwfeedback" 16
! 1074: .IX Item "pwfeedback"
! 1075: By default, \fBsudo\fR reads the password like most other Unix programs,
! 1076: by turning off echo until the user hits the return (or enter) key.
! 1077: Some users become confused by this as it appears to them that \fBsudo\fR
! 1078: has hung at this point. When \fIpwfeedback\fR is set, \fBsudo\fR will
! 1079: provide visual feedback when the user presses a key. Note that
! 1080: this does have a security impact as an onlooker may be able to
! 1081: determine the length of the password being entered.
! 1082: This flag is \fIoff\fR by default.
! 1083: .IP "requiretty" 16
! 1084: .IX Item "requiretty"
! 1085: If set, \fBsudo\fR will only run when the user is logged in to a real
! 1086: tty. When this flag is set, \fBsudo\fR can only be run from a login
! 1087: session and not via other means such as \fIcron\fR\|(@mansectsu@) or cgi-bin scripts.
! 1088: This flag is \fIoff\fR by default.
! 1089: .IP "root_sudo" 16
! 1090: .IX Item "root_sudo"
! 1091: If set, root is allowed to run \fBsudo\fR too. Disabling this prevents users
! 1092: from \*(L"chaining\*(R" \fBsudo\fR commands to get a root shell by doing something
! 1093: like \f(CW"sudo sudo /bin/sh"\fR. Note, however, that turning off \fIroot_sudo\fR
! 1094: will also prevent root from running \fBsudoedit\fR.
! 1095: Disabling \fIroot_sudo\fR provides no real additional security; it
! 1096: exists purely for historical reasons.
! 1097: This flag is \fI@root_sudo@\fR by default.
! 1098: .IP "rootpw" 16
! 1099: .IX Item "rootpw"
! 1100: If set, \fBsudo\fR will prompt for the root password instead of the password
! 1101: of the invoking user. This flag is \fIoff\fR by default.
! 1102: .IP "runaspw" 16
! 1103: .IX Item "runaspw"
! 1104: If set, \fBsudo\fR will prompt for the password of the user defined by the
! 1105: \&\fIrunas_default\fR option (defaults to \f(CW\*(C`@runas_default@\*(C'\fR) instead of the
! 1106: password of the invoking user. This flag is \fIoff\fR by default.
! 1107: .IP "set_home" 16
! 1108: .IX Item "set_home"
! 1109: If enabled and \fBsudo\fR is invoked with the \fB\-s\fR option the \f(CW\*(C`HOME\*(C'\fR
! 1110: environment variable will be set to the home directory of the target
! 1111: user (which is root unless the \fB\-u\fR option is used). This effectively
! 1112: makes the \fB\-s\fR option imply \fB\-H\fR. Note that \f(CW\*(C`HOME\*(C'\fR is already
! 1113: set when the the \fIenv_reset\fR option is enabled, so \fIset_home\fR is
! 1114: only effective for configurations where either \fIenv_reset\fR is disabled
! 1115: or \f(CW\*(C`HOME\*(C'\fR is present in the \fIenv_keep\fR list.
! 1116: This flag is \fIoff\fR by default.
! 1117: .IP "set_logname" 16
! 1118: .IX Item "set_logname"
! 1119: Normally, \fBsudo\fR will set the \f(CW\*(C`LOGNAME\*(C'\fR, \f(CW\*(C`USER\*(C'\fR and \f(CW\*(C`USERNAME\*(C'\fR
! 1120: environment variables to the name of the target user (usually root
! 1121: unless the \fB\-u\fR option is given). However, since some programs
! 1122: (including the \s-1RCS\s0 revision control system) use \f(CW\*(C`LOGNAME\*(C'\fR to
! 1123: determine the real identity of the user, it may be desirable to
! 1124: change this behavior. This can be done by negating the set_logname
! 1125: option. Note that if the \fIenv_reset\fR option has not been disabled,
! 1126: entries in the \fIenv_keep\fR list will override the value of
! 1127: \&\fIset_logname\fR. This flag is \fIon\fR by default.
! 1128: .IP "set_utmp" 16
! 1129: .IX Item "set_utmp"
! 1130: When enabled, \fBsudo\fR will create an entry in the utmp (or utmpx)
! 1131: file when a pseudo-tty is allocated. A pseudo-tty is allocated by
! 1132: \&\fBsudo\fR when the \fIlog_input\fR, \fIlog_output\fR or \fIuse_pty\fR flags
! 1133: are enabled. By default, the new entry will be a copy of the user's
! 1134: existing utmp entry (if any), with the tty, time, type and pid
! 1135: fields updated. This flag is \fIon\fR by default.
! 1136: .IP "setenv" 16
! 1137: .IX Item "setenv"
! 1138: Allow the user to disable the \fIenv_reset\fR option from the command
! 1139: line via the \fB\-E\fR option. Additionally, environment variables set
! 1140: via the command line are not subject to the restrictions imposed
! 1141: by \fIenv_check\fR, \fIenv_delete\fR, or \fIenv_keep\fR. As such, only
! 1142: trusted users should be allowed to set variables in this manner.
! 1143: This flag is \fIoff\fR by default.
! 1144: .IP "shell_noargs" 16
! 1145: .IX Item "shell_noargs"
! 1146: If set and \fBsudo\fR is invoked with no arguments it acts as if the
! 1147: \&\fB\-s\fR option had been given. That is, it runs a shell as root (the
! 1148: shell is determined by the \f(CW\*(C`SHELL\*(C'\fR environment variable if it is
! 1149: set, falling back on the shell listed in the invoking user's
! 1150: /etc/passwd entry if not). This flag is \fIoff\fR by default.
! 1151: .IP "stay_setuid" 16
! 1152: .IX Item "stay_setuid"
! 1153: Normally, when \fBsudo\fR executes a command the real and effective
! 1154: UIDs are set to the target user (root by default). This option
! 1155: changes that behavior such that the real \s-1UID\s0 is left as the invoking
! 1156: user's \s-1UID\s0. In other words, this makes \fBsudo\fR act as a setuid
! 1157: wrapper. This can be useful on systems that disable some potentially
! 1158: dangerous functionality when a program is run setuid. This option
! 1159: is only effective on systems with either the \fIsetreuid()\fR or \fIsetresuid()\fR
! 1160: function. This flag is \fIoff\fR by default.
! 1161: .IP "targetpw" 16
! 1162: .IX Item "targetpw"
! 1163: If set, \fBsudo\fR will prompt for the password of the user specified
! 1164: by the \fB\-u\fR option (defaults to \f(CW\*(C`root\*(C'\fR) instead of the password
! 1165: of the invoking user. In addition, the timestamp file name will
! 1166: include the target user's name. Note that this flag precludes the
! 1167: use of a uid not listed in the passwd database as an argument to
! 1168: the \fB\-u\fR option. This flag is \fIoff\fR by default.
! 1169: .IP "tty_tickets" 16
! 1170: .IX Item "tty_tickets"
! 1171: If set, users must authenticate on a per-tty basis. With this flag
! 1172: enabled, \fBsudo\fR will use a file named for the tty the user is
! 1173: logged in on in the user's time stamp directory. If disabled, the
! 1174: time stamp of the directory is used instead. This flag is
! 1175: \&\fI@tty_tickets@\fR by default.
! 1176: .IP "umask_override" 16
! 1177: .IX Item "umask_override"
! 1178: If set, \fBsudo\fR will set the umask as specified by \fIsudoers\fR without
! 1179: modification. This makes it possible to specify a more permissive
! 1180: umask in \fIsudoers\fR than the user's own umask and matches historical
! 1181: behavior. If \fIumask_override\fR is not set, \fBsudo\fR will set the
! 1182: umask to be the union of the user's umask and what is specified in
! 1183: \&\fIsudoers\fR. This flag is \fI@umask_override@\fR by default.
! 1184: .if \n(LC \{\
! 1185: .IP "use_loginclass" 16
! 1186: .IX Item "use_loginclass"
! 1187: If set, \fBsudo\fR will apply the defaults specified for the target user's
! 1188: login class if one exists. Only available if \fBsudo\fR is configured with
! 1189: the \-\-with\-logincap option. This flag is \fIoff\fR by default.
! 1190: \}
! 1191: .IP "use_pty" 16
! 1192: .IX Item "use_pty"
! 1193: If set, \fBsudo\fR will run the command in a pseudo-pty even if no I/O
! 1194: logging is being gone. A malicious program run under \fBsudo\fR could
! 1195: conceivably fork a background process that retains to the user's
! 1196: terminal device after the main program has finished executing. Use
! 1197: of this option will make that impossible. This flag is \fIoff\fR by default.
! 1198: .IP "utmp_runas" 16
! 1199: .IX Item "utmp_runas"
! 1200: If set, \fBsudo\fR will store the name of the runas user when updating
! 1201: the utmp (or utmpx) file. By default, \fBsudo\fR stores the name of
! 1202: the invoking user. This flag is \fIoff\fR by default.
! 1203: .IP "visiblepw" 16
! 1204: .IX Item "visiblepw"
! 1205: By default, \fBsudo\fR will refuse to run if the user must enter a
! 1206: password but it is not possible to disable echo on the terminal.
! 1207: If the \fIvisiblepw\fR flag is set, \fBsudo\fR will prompt for a password
! 1208: even when it would be visible on the screen. This makes it possible
! 1209: to run things like \f(CW"rsh somehost sudo ls"\fR since \fIrsh\fR\|(1) does
! 1210: not allocate a tty. This flag is \fIoff\fR by default.
! 1211: .PP
! 1212: \&\fBIntegers\fR:
! 1213: .IP "closefrom" 16
! 1214: .IX Item "closefrom"
! 1215: Before it executes a command, \fBsudo\fR will close all open file
! 1216: descriptors other than standard input, standard output and standard
! 1217: error (ie: file descriptors 0\-2). The \fIclosefrom\fR option can be used
! 1218: to specify a different file descriptor at which to start closing.
! 1219: The default is \f(CW3\fR.
! 1220: .IP "passwd_tries" 16
! 1221: .IX Item "passwd_tries"
! 1222: The number of tries a user gets to enter his/her password before
! 1223: \&\fBsudo\fR logs the failure and exits. The default is \f(CW\*(C`@passwd_tries@\*(C'\fR.
! 1224: .PP
! 1225: \&\fBIntegers that can be used in a boolean context\fR:
! 1226: .IP "loglinelen" 16
! 1227: .IX Item "loglinelen"
! 1228: Number of characters per line for the file log. This value is used
! 1229: to decide when to wrap lines for nicer log files. This has no
! 1230: effect on the syslog log file, only the file log. The default is
! 1231: \&\f(CW\*(C`@loglen@\*(C'\fR (use 0 or negate the option to disable word wrap).
! 1232: .IP "passwd_timeout" 16
! 1233: .IX Item "passwd_timeout"
! 1234: Number of minutes before the \fBsudo\fR password prompt times out, or
! 1235: \&\f(CW0\fR for no timeout. The timeout may include a fractional component
! 1236: if minute granularity is insufficient, for example \f(CW2.5\fR. The
! 1237: default is \f(CW\*(C`@password_timeout@\*(C'\fR.
! 1238: .IP "timestamp_timeout" 16
! 1239: .IX Item "timestamp_timeout"
! 1240: Number of minutes that can elapse before \fBsudo\fR will ask for a
! 1241: passwd again. The timeout may include a fractional component if
! 1242: minute granularity is insufficient, for example \f(CW2.5\fR. The default
! 1243: is \f(CW\*(C`@timeout@\*(C'\fR. Set this to \f(CW0\fR to always prompt for a password.
! 1244: If set to a value less than \f(CW0\fR the user's timestamp will never
! 1245: expire. This can be used to allow users to create or delete their
! 1246: own timestamps via \f(CW\*(C`sudo \-v\*(C'\fR and \f(CW\*(C`sudo \-k\*(C'\fR respectively.
! 1247: .IP "umask" 16
! 1248: .IX Item "umask"
! 1249: Umask to use when running the command. Negate this option or set
! 1250: it to 0777 to preserve the user's umask. The actual umask that is
! 1251: used will be the union of the user's umask and the value of the
! 1252: \&\fIumask\fR option, which defaults to \f(CW\*(C`@sudo_umask@\*(C'\fR. This guarantees
! 1253: that \fBsudo\fR never lowers the umask when running a command. Note
! 1254: on systems that use \s-1PAM\s0, the default \s-1PAM\s0 configuration may specify
! 1255: its own umask which will override the value set in \fIsudoers\fR.
! 1256: .PP
! 1257: \&\fBStrings\fR:
! 1258: .IP "badpass_message" 16
! 1259: .IX Item "badpass_message"
! 1260: Message that is displayed if a user enters an incorrect password.
! 1261: The default is \f(CW\*(C`@badpass_message@\*(C'\fR unless insults are enabled.
! 1262: .IP "editor" 16
! 1263: .IX Item "editor"
! 1264: A colon (':') separated list of editors allowed to be used with
! 1265: \&\fBvisudo\fR. \fBvisudo\fR will choose the editor that matches the user's
! 1266: \&\s-1EDITOR\s0 environment variable if possible, or the first editor in the
! 1267: list that exists and is executable. The default is \f(CW"@editor@"\fR.
! 1268: .IP "iolog_dir" 16
! 1269: .IX Item "iolog_dir"
! 1270: The top-level directory to use when constructing the path name for
! 1271: the input/output log directory. Only used if the \fIlog_input\fR or
! 1272: \&\fIlog_output\fR options are enabled or when the \f(CW\*(C`LOG_INPUT\*(C'\fR or
! 1273: \&\f(CW\*(C`LOG_OUTPUT\*(C'\fR tags are present for a command. The session sequence
! 1274: number, if any, is stored in the directory.
! 1275: The default is \f(CW"@iolog_dir@"\fR.
! 1276: .Sp
! 1277: The following percent (`\f(CW\*(C`%\*(C'\fR') escape sequences are supported:
! 1278: .RS 16
! 1279: .ie n .IP "\*(C`%{seq}\*(C'" 4
! 1280: .el .IP "\f(CW\*(C`%{seq}\*(C'\fR" 4
! 1281: .IX Item "%{seq}"
! 1282: expanded to a monotonically increasing base\-36 sequence number, such as 0100A5,
! 1283: where every two digits are used to form a new directory, e.g. \fI01/00/A5\fR
! 1284: .ie n .IP "\*(C`%{user}\*(C'" 4
! 1285: .el .IP "\f(CW\*(C`%{user}\*(C'\fR" 4
! 1286: .IX Item "%{user}"
! 1287: expanded to the invoking user's login name
! 1288: .ie n .IP "\*(C`%{group}\*(C'" 4
! 1289: .el .IP "\f(CW\*(C`%{group}\*(C'\fR" 4
! 1290: .IX Item "%{group}"
! 1291: expanded to the name of the invoking user's real group \s-1ID\s0
! 1292: .ie n .IP "\*(C`%{runas_user}\*(C'" 4
! 1293: .el .IP "\f(CW\*(C`%{runas_user}\*(C'\fR" 4
! 1294: .IX Item "%{runas_user}"
! 1295: expanded to the login name of the user the command will
! 1296: be run as (e.g. root)
! 1297: .ie n .IP "\*(C`%{runas_group}\*(C'" 4
! 1298: .el .IP "\f(CW\*(C`%{runas_group}\*(C'\fR" 4
! 1299: .IX Item "%{runas_group}"
! 1300: expanded to the group name of the user the command will
! 1301: be run as (e.g. wheel)
! 1302: .ie n .IP "\*(C`%{hostname}\*(C'" 4
! 1303: .el .IP "\f(CW\*(C`%{hostname}\*(C'\fR" 4
! 1304: .IX Item "%{hostname}"
! 1305: expanded to the local host name without the domain name
! 1306: .ie n .IP "\*(C`%{command}\*(C'" 4
! 1307: .el .IP "\f(CW\*(C`%{command}\*(C'\fR" 4
! 1308: .IX Item "%{command}"
! 1309: expanded to the base name of the command being run
! 1310: .RE
! 1311: .RS 16
! 1312: .Sp
! 1313: In addition, any escape sequences supported by the system's \fIstrftime()\fR
! 1314: function will be expanded.
! 1315: .Sp
! 1316: To include a literal `\f(CW\*(C`%\*(C'\fR' character, the string `\f(CW\*(C`%%\*(C'\fR' should
! 1317: be used.
! 1318: .RE
! 1319: .IP "iolog_file" 16
! 1320: .IX Item "iolog_file"
! 1321: The path name, relative to \fIiolog_dir\fR, in which to store input/output
! 1322: logs when the \fIlog_input\fR or \fIlog_output\fR options are enabled or
! 1323: when the \f(CW\*(C`LOG_INPUT\*(C'\fR or \f(CW\*(C`LOG_OUTPUT\*(C'\fR tags are present for a command.
! 1324: Note that \fIiolog_file\fR may contain directory components.
! 1325: The default is \f(CW"%{seq}"\fR.
! 1326: .Sp
! 1327: See the \fIiolog_dir\fR option above for a list of supported percent
! 1328: (`\f(CW\*(C`%\*(C'\fR') escape sequences.
! 1329: .Sp
! 1330: In addition to the escape sequences, path names that end in six or
! 1331: more \f(CW\*(C`X\*(C'\fRs will have the \f(CW\*(C`X\*(C'\fRs replaced with a unique combination
! 1332: of digits and letters, similar to the \fImktemp()\fR function.
! 1333: .IP "mailsub" 16
! 1334: .IX Item "mailsub"
! 1335: Subject of the mail sent to the \fImailto\fR user. The escape \f(CW%h\fR
! 1336: will expand to the host name of the machine.
! 1337: Default is \f(CW\*(C`@mailsub@\*(C'\fR.
! 1338: .IP "noexec_file" 16
! 1339: .IX Item "noexec_file"
! 1340: This option is deprecated and will be removed in a future release
! 1341: of \fBsudo\fR. The path to the noexec file should now be set in the
! 1342: \&\fI@sysconfdir@/sudo.conf\fR file.
! 1343: .IP "passprompt" 16
! 1344: .IX Item "passprompt"
! 1345: The default prompt to use when asking for a password; can be overridden
! 1346: via the \fB\-p\fR option or the \f(CW\*(C`SUDO_PROMPT\*(C'\fR environment variable.
! 1347: The following percent (`\f(CW\*(C`%\*(C'\fR') escape sequences are supported:
! 1348: .RS 16
! 1349: .ie n .IP "%H" 4
! 1350: .el .IP "\f(CW%H\fR" 4
! 1351: .IX Item "%H"
! 1352: expanded to the local host name including the domain name
! 1353: (only if the machine's host name is fully qualified or the \fIfqdn\fR
! 1354: option is set)
! 1355: .ie n .IP "%h" 4
! 1356: .el .IP "\f(CW%h\fR" 4
! 1357: .IX Item "%h"
! 1358: expanded to the local host name without the domain name
! 1359: .ie n .IP "%p" 4
! 1360: .el .IP "\f(CW%p\fR" 4
! 1361: .IX Item "%p"
! 1362: expanded to the user whose password is being asked for (respects the
! 1363: \&\fIrootpw\fR, \fItargetpw\fR and \fIrunaspw\fR flags in \fIsudoers\fR)
! 1364: .ie n .IP "%U" 4
! 1365: .el .IP "\f(CW%U\fR" 4
! 1366: .IX Item "%U"
! 1367: expanded to the login name of the user the command will
! 1368: be run as (defaults to root)
! 1369: .ie n .IP "%u" 4
! 1370: .el .IP "\f(CW%u\fR" 4
! 1371: .IX Item "%u"
! 1372: expanded to the invoking user's login name
! 1373: .ie n .IP "\*(C`%%\*(C'" 4
! 1374: .el .IP "\f(CW\*(C`%%\*(C'\fR" 4
! 1375: .IX Item "%%"
! 1376: two consecutive \f(CW\*(C`%\*(C'\fR characters are collapsed into a single \f(CW\*(C`%\*(C'\fR character
! 1377: .RE
! 1378: .RS 16
! 1379: .Sp
! 1380: The default value is \f(CW\*(C`@passprompt@\*(C'\fR.
! 1381: .RE
! 1382: .if \n(SL \{\
! 1383: .IP "role" 16
! 1384: .IX Item "role"
! 1385: The default SELinux role to use when constructing a new security
! 1386: context to run the command. The default role may be overridden on
! 1387: a per-command basis in \fIsudoers\fR or via command line options.
! 1388: This option is only available whe \fBsudo\fR is built with SELinux support.
! 1389: \}
! 1390: .IP "runas_default" 16
! 1391: .IX Item "runas_default"
! 1392: The default user to run commands as if the \fB\-u\fR option is not specified
! 1393: on the command line. This defaults to \f(CW\*(C`@runas_default@\*(C'\fR.
! 1394: .IP "syslog_badpri" 16
! 1395: .IX Item "syslog_badpri"
! 1396: Syslog priority to use when user authenticates unsuccessfully.
! 1397: Defaults to \f(CW\*(C`@badpri@\*(C'\fR.
! 1398: .Sp
! 1399: The following syslog priorities are supported: \fBalert\fR, \fBcrit\fR,
! 1400: \&\fBdebug\fR, \fBemerg\fR, \fBerr\fR, \fBinfo\fR, \fBnotice\fR, and \fBwarning\fR.
! 1401: .IP "syslog_goodpri" 16
! 1402: .IX Item "syslog_goodpri"
! 1403: Syslog priority to use when user authenticates successfully.
! 1404: Defaults to \f(CW\*(C`@goodpri@\*(C'\fR.
! 1405: .Sp
! 1406: See syslog_badpri for the list of supported syslog priorities.
! 1407: .IP "sudoers_locale" 16
! 1408: .IX Item "sudoers_locale"
! 1409: Locale to use when parsing the sudoers file, logging commands, and
! 1410: sending email. Note that changing the locale may affect how sudoers
! 1411: is interpreted. Defaults to \f(CW"C"\fR.
! 1412: .IP "timestampdir" 16
! 1413: .IX Item "timestampdir"
! 1414: The directory in which \fBsudo\fR stores its timestamp files.
! 1415: The default is \fI@timedir@\fR.
! 1416: .IP "timestampowner" 16
! 1417: .IX Item "timestampowner"
! 1418: The owner of the timestamp directory and the timestamps stored therein.
! 1419: The default is \f(CW\*(C`root\*(C'\fR.
! 1420: .if \n(SL \{\
! 1421: .IP "type" 16
! 1422: .IX Item "type"
! 1423: The default SELinux type to use when constructing a new security
! 1424: context to run the command. The default type may be overridden on
! 1425: a per-command basis in \fIsudoers\fR or via command line options.
! 1426: This option is only available whe \fBsudo\fR is built with SELinux support.
! 1427: \}
! 1428: .PP
! 1429: \&\fBStrings that can be used in a boolean context\fR:
! 1430: .IP "env_file" 12
! 1431: .IX Item "env_file"
! 1432: The \fIenv_file\fR options specifies the fully qualified path to a
! 1433: file containing variables to be set in the environment of the program
! 1434: being run. Entries in this file should either be of the form
! 1435: \&\f(CW\*(C`VARIABLE=value\*(C'\fR or \f(CW\*(C`export VARIABLE=value\*(C'\fR. The value may
! 1436: optionally be surrounded by single or double quotes. Variables in
! 1437: this file are subject to other \fBsudo\fR environment settings such
! 1438: as \fIenv_keep\fR and \fIenv_check\fR.
! 1439: .IP "exempt_group" 12
! 1440: .IX Item "exempt_group"
! 1441: Users in this group are exempt from password and \s-1PATH\s0 requirements.
! 1442: The group name specified should not include a \f(CW\*(C`%\*(C'\fR prefix.
! 1443: This is not set by default.
! 1444: .IP "group_plugin" 12
! 1445: .IX Item "group_plugin"
! 1446: A string containing a \fIsudoers\fR group plugin with optional arguments.
! 1447: This can be used to implement support for the \f(CW\*(C`nonunix_group\*(C'\fR
! 1448: syntax described earlier. The string should consist of the plugin
! 1449: path, either fully-qualified or relative to the \fI@prefix@/libexec\fR
! 1450: directory, followed by any configuration arguments the plugin
! 1451: requires. These arguments (if any) will be passed to the plugin's
! 1452: initialization function. If arguments are present, the string must
! 1453: be enclosed in double quotes (\f(CW\*(C`"\*(C'\fR).
! 1454: .Sp
! 1455: For example, given \fI/etc/sudo\-group\fR, a group file in Unix group
! 1456: format, the sample group plugin can be used:
! 1457: .Sp
! 1458: .Vb 1
! 1459: \& Defaults group_plugin="sample_group.so /etc/sudo\-group"
! 1460: .Ve
! 1461: .Sp
! 1462: For more information see \fIsudo_plugin\fR\|(@mansectform@).
! 1463: .IP "lecture" 12
! 1464: .IX Item "lecture"
! 1465: This option controls when a short lecture will be printed along with
! 1466: the password prompt. It has the following possible values:
! 1467: .RS 12
! 1468: .IP "always" 8
! 1469: .IX Item "always"
! 1470: Always lecture the user.
! 1471: .IP "never" 8
! 1472: .IX Item "never"
! 1473: Never lecture the user.
! 1474: .IP "once" 8
! 1475: .IX Item "once"
! 1476: Only lecture the user the first time they run \fBsudo\fR.
! 1477: .RE
! 1478: .RS 12
! 1479: .Sp
! 1480: If no value is specified, a value of \fIonce\fR is implied.
! 1481: Negating the option results in a value of \fInever\fR being used.
! 1482: The default value is \fI@lecture@\fR.
! 1483: .RE
! 1484: .IP "lecture_file" 12
! 1485: .IX Item "lecture_file"
! 1486: Path to a file containing an alternate \fBsudo\fR lecture that will
! 1487: be used in place of the standard lecture if the named file exists.
! 1488: By default, \fBsudo\fR uses a built-in lecture.
! 1489: .IP "listpw" 12
! 1490: .IX Item "listpw"
! 1491: This option controls when a password will be required when a
! 1492: user runs \fBsudo\fR with the \fB\-l\fR option. It has the following possible values:
! 1493: .RS 12
! 1494: .IP "all" 8
! 1495: .IX Item "all"
! 1496: All the user's \fIsudoers\fR entries for the current host must have
! 1497: the \f(CW\*(C`NOPASSWD\*(C'\fR flag set to avoid entering a password.
! 1498: .IP "always" 8
! 1499: .IX Item "always"
! 1500: The user must always enter a password to use the \fB\-l\fR option.
! 1501: .IP "any" 8
! 1502: .IX Item "any"
! 1503: At least one of the user's \fIsudoers\fR entries for the current host
! 1504: must have the \f(CW\*(C`NOPASSWD\*(C'\fR flag set to avoid entering a password.
! 1505: .IP "never" 8
! 1506: .IX Item "never"
! 1507: The user need never enter a password to use the \fB\-l\fR option.
! 1508: .RE
! 1509: .RS 12
! 1510: .Sp
! 1511: If no value is specified, a value of \fIany\fR is implied.
! 1512: Negating the option results in a value of \fInever\fR being used.
! 1513: The default value is \fIany\fR.
! 1514: .RE
! 1515: .IP "logfile" 12
! 1516: .IX Item "logfile"
! 1517: Path to the \fBsudo\fR log file (not the syslog log file). Setting a path
! 1518: turns on logging to a file; negating this option turns it off.
! 1519: By default, \fBsudo\fR logs via syslog.
! 1520: .IP "mailerflags" 12
! 1521: .IX Item "mailerflags"
! 1522: Flags to use when invoking mailer. Defaults to \fB\-t\fR.
! 1523: .IP "mailerpath" 12
! 1524: .IX Item "mailerpath"
! 1525: Path to mail program used to send warning mail.
! 1526: Defaults to the path to sendmail found at configure time.
! 1527: .IP "mailfrom" 12
! 1528: .IX Item "mailfrom"
! 1529: Address to use for the \*(L"from\*(R" address when sending warning and error
! 1530: mail. The address should be enclosed in double quotes (\f(CW\*(C`"\*(C'\fR) to
! 1531: protect against \fBsudo\fR interpreting the \f(CW\*(C`@\*(C'\fR sign. Defaults to
! 1532: the name of the user running \fBsudo\fR.
! 1533: .IP "mailto" 12
! 1534: .IX Item "mailto"
! 1535: Address to send warning and error mail to. The address should
! 1536: be enclosed in double quotes (\f(CW\*(C`"\*(C'\fR) to protect against \fBsudo\fR
! 1537: interpreting the \f(CW\*(C`@\*(C'\fR sign. Defaults to \f(CW\*(C`@mailto@\*(C'\fR.
! 1538: .IP "secure_path" 12
! 1539: .IX Item "secure_path"
! 1540: Path used for every command run from \fBsudo\fR. If you don't trust the
! 1541: people running \fBsudo\fR to have a sane \f(CW\*(C`PATH\*(C'\fR environment variable you may
! 1542: want to use this. Another use is if you want to have the \*(L"root path\*(R"
! 1543: be separate from the \*(L"user path.\*(R" Users in the group specified by the
! 1544: \&\fIexempt_group\fR option are not affected by \fIsecure_path\fR.
! 1545: This option is @secure_path@ by default.
! 1546: .IP "syslog" 12
! 1547: .IX Item "syslog"
! 1548: Syslog facility if syslog is being used for logging (negate to
! 1549: disable syslog logging). Defaults to \f(CW\*(C`@logfac@\*(C'\fR.
! 1550: .Sp
! 1551: The following syslog facilities are supported: \fBauthpriv\fR (if your
! 1552: \&\s-1OS\s0 supports it), \fBauth\fR, \fBdaemon\fR, \fBuser\fR, \fBlocal0\fR, \fBlocal1\fR,
! 1553: \&\fBlocal2\fR, \fBlocal3\fR, \fBlocal4\fR, \fBlocal5\fR, \fBlocal6\fR, and \fBlocal7\fR.
! 1554: .IP "verifypw" 12
! 1555: .IX Item "verifypw"
! 1556: This option controls when a password will be required when a user runs
! 1557: \&\fBsudo\fR with the \fB\-v\fR option. It has the following possible values:
! 1558: .RS 12
! 1559: .IP "all" 8
! 1560: .IX Item "all"
! 1561: All the user's \fIsudoers\fR entries for the current host must have
! 1562: the \f(CW\*(C`NOPASSWD\*(C'\fR flag set to avoid entering a password.
! 1563: .IP "always" 8
! 1564: .IX Item "always"
! 1565: The user must always enter a password to use the \fB\-v\fR option.
! 1566: .IP "any" 8
! 1567: .IX Item "any"
! 1568: At least one of the user's \fIsudoers\fR entries for the current host
! 1569: must have the \f(CW\*(C`NOPASSWD\*(C'\fR flag set to avoid entering a password.
! 1570: .IP "never" 8
! 1571: .IX Item "never"
! 1572: The user need never enter a password to use the \fB\-v\fR option.
! 1573: .RE
! 1574: .RS 12
! 1575: .Sp
! 1576: If no value is specified, a value of \fIall\fR is implied.
! 1577: Negating the option results in a value of \fInever\fR being used.
! 1578: The default value is \fIall\fR.
! 1579: .RE
! 1580: .PP
! 1581: \&\fBLists that can be used in a boolean context\fR:
! 1582: .IP "env_check" 16
! 1583: .IX Item "env_check"
! 1584: Environment variables to be removed from the user's environment if
! 1585: the variable's value contains \f(CW\*(C`%\*(C'\fR or \f(CW\*(C`/\*(C'\fR characters. This can
! 1586: be used to guard against printf-style format vulnerabilities in
! 1587: poorly-written programs. The argument may be a double-quoted,
! 1588: space-separated list or a single value without double-quotes. The
! 1589: list can be replaced, added to, deleted from, or disabled by using
! 1590: the \f(CW\*(C`=\*(C'\fR, \f(CW\*(C`+=\*(C'\fR, \f(CW\*(C`\-=\*(C'\fR, and \f(CW\*(C`!\*(C'\fR operators respectively. Regardless
! 1591: of whether the \f(CW\*(C`env_reset\*(C'\fR option is enabled or disabled, variables
! 1592: specified by \f(CW\*(C`env_check\*(C'\fR will be preserved in the environment if
! 1593: they pass the aforementioned check. The default list of environment
! 1594: variables to check is displayed when \fBsudo\fR is run by root with
! 1595: the \fI\-V\fR option.
! 1596: .IP "env_delete" 16
! 1597: .IX Item "env_delete"
! 1598: Environment variables to be removed from the user's environment
! 1599: when the \fIenv_reset\fR option is not in effect. The argument may
! 1600: be a double-quoted, space-separated list or a single value without
! 1601: double-quotes. The list can be replaced, added to, deleted from,
! 1602: or disabled by using the \f(CW\*(C`=\*(C'\fR, \f(CW\*(C`+=\*(C'\fR, \f(CW\*(C`\-=\*(C'\fR, and \f(CW\*(C`!\*(C'\fR operators
! 1603: respectively. The default list of environment variables to remove
! 1604: is displayed when \fBsudo\fR is run by root with the \fI\-V\fR option.
! 1605: Note that many operating systems will remove potentially dangerous
! 1606: variables from the environment of any setuid process (such as
! 1607: \&\fBsudo\fR).
! 1608: .IP "env_keep" 16
! 1609: .IX Item "env_keep"
! 1610: Environment variables to be preserved in the user's environment
! 1611: when the \fIenv_reset\fR option is in effect. This allows fine-grained
! 1612: control over the environment \fBsudo\fR\-spawned processes will receive.
! 1613: The argument may be a double-quoted, space-separated list or a
! 1614: single value without double-quotes. The list can be replaced, added
! 1615: to, deleted from, or disabled by using the \f(CW\*(C`=\*(C'\fR, \f(CW\*(C`+=\*(C'\fR, \f(CW\*(C`\-=\*(C'\fR, and
! 1616: \&\f(CW\*(C`!\*(C'\fR operators respectively. The default list of variables to keep
! 1617: is displayed when \fBsudo\fR is run by root with the \fI\-V\fR option.
! 1618: .SH "FILES"
! 1619: .IX Header "FILES"
! 1620: .ie n .IP "\fI@sysconfdir@/sudoers\fR" 24
! 1621: .el .IP "\fI@sysconfdir@/sudoers\fR" 24
! 1622: .IX Item "@sysconfdir@/sudoers"
! 1623: List of who can run what
! 1624: .IP "\fI/etc/group\fR" 24
! 1625: .IX Item "/etc/group"
! 1626: Local groups file
! 1627: .IP "\fI/etc/netgroup\fR" 24
! 1628: .IX Item "/etc/netgroup"
! 1629: List of network groups
! 1630: .ie n .IP "\fI@iolog_dir@\fR" 24
! 1631: .el .IP "\fI@iolog_dir@\fR" 24
! 1632: .IX Item "@iolog_dir@"
! 1633: I/O log files
! 1634: .ie n .IP "\fI@timedir@\fR" 24
! 1635: .el .IP "\fI@timedir@\fR" 24
! 1636: .IX Item "@timedir@"
! 1637: Directory containing time stamps for the \fIsudoers\fR security policy
! 1638: .IP "\fI/etc/environment\fR" 24
! 1639: .IX Item "/etc/environment"
! 1640: Initial environment for \fB\-i\fR mode on Linux and \s-1AIX\s0
! 1641: .SH "EXAMPLES"
! 1642: .IX Header "EXAMPLES"
! 1643: Below are example \fIsudoers\fR entries. Admittedly, some of
! 1644: these are a bit contrived. First, we allow a few environment
! 1645: variables to pass and then define our \fIaliases\fR:
! 1646: .PP
! 1647: .Vb 4
! 1648: \& # Run X applications through sudo; HOME is used to find the
! 1649: \& # .Xauthority file. Note that other programs use HOME to find
! 1650: \& # configuration files and this may lead to privilege escalation!
! 1651: \& Defaults env_keep += "DISPLAY HOME"
! 1652: \&
! 1653: \& # User alias specification
! 1654: \& User_Alias FULLTIMERS = millert, mikef, dowdy
! 1655: \& User_Alias PARTTIMERS = bostley, jwfox, crawl
! 1656: \& User_Alias WEBMASTERS = will, wendy, wim
! 1657: \&
! 1658: \& # Runas alias specification
! 1659: \& Runas_Alias OP = root, operator
! 1660: \& Runas_Alias DB = oracle, sybase
! 1661: \& Runas_Alias ADMINGRP = adm, oper
! 1662: \&
! 1663: \& # Host alias specification
! 1664: \& Host_Alias SPARC = bigtime, eclipse, moet, anchor :\e
! 1665: \& SGI = grolsch, dandelion, black :\e
! 1666: \& ALPHA = widget, thalamus, foobar :\e
! 1667: \& HPPA = boa, nag, python
! 1668: \& Host_Alias CUNETS = 128.138.0.0/255.255.0.0
! 1669: \& Host_Alias CSNETS = 128.138.243.0, 128.138.204.0/24, 128.138.242.0
! 1670: \& Host_Alias SERVERS = master, mail, www, ns
! 1671: \& Host_Alias CDROM = orion, perseus, hercules
! 1672: \&
! 1673: \& # Cmnd alias specification
! 1674: \& Cmnd_Alias DUMPS = /usr/bin/mt, /usr/sbin/dump, /usr/sbin/rdump,\e
! 1675: \& /usr/sbin/restore, /usr/sbin/rrestore
! 1676: \& Cmnd_Alias KILL = /usr/bin/kill
! 1677: \& Cmnd_Alias PRINTING = /usr/sbin/lpc, /usr/bin/lprm
! 1678: \& Cmnd_Alias SHUTDOWN = /usr/sbin/shutdown
! 1679: \& Cmnd_Alias HALT = /usr/sbin/halt
! 1680: \& Cmnd_Alias REBOOT = /usr/sbin/reboot
! 1681: \& Cmnd_Alias SHELLS = /usr/bin/sh, /usr/bin/csh, /usr/bin/ksh, \e
! 1682: \& /usr/local/bin/tcsh, /usr/bin/rsh, \e
! 1683: \& /usr/local/bin/zsh
! 1684: \& Cmnd_Alias SU = /usr/bin/su
! 1685: \& Cmnd_Alias PAGERS = /usr/bin/more, /usr/bin/pg, /usr/bin/less
! 1686: .Ve
! 1687: .PP
! 1688: Here we override some of the compiled in default values. We want
! 1689: \&\fBsudo\fR to log via \fIsyslog\fR\|(3) using the \fIauth\fR facility in all
! 1690: cases. We don't want to subject the full time staff to the \fBsudo\fR
! 1691: lecture, user \fBmillert\fR need not give a password, and we don't
! 1692: want to reset the \f(CW\*(C`LOGNAME\*(C'\fR, \f(CW\*(C`USER\*(C'\fR or \f(CW\*(C`USERNAME\*(C'\fR environment
! 1693: variables when running commands as root. Additionally, on the
! 1694: machines in the \fI\s-1SERVERS\s0\fR \f(CW\*(C`Host_Alias\*(C'\fR, we keep an additional
! 1695: local log file and make sure we log the year in each log line since
! 1696: the log entries will be kept around for several years. Lastly, we
! 1697: disable shell escapes for the commands in the \s-1PAGERS\s0 \f(CW\*(C`Cmnd_Alias\*(C'\fR
! 1698: (\fI/usr/bin/more\fR, \fI/usr/bin/pg\fR and \fI/usr/bin/less\fR).
! 1699: .PP
! 1700: .Vb 7
! 1701: \& # Override built\-in defaults
! 1702: \& Defaults syslog=auth
! 1703: \& Defaults>root !set_logname
! 1704: \& Defaults:FULLTIMERS !lecture
! 1705: \& Defaults:millert !authenticate
! 1706: \& Defaults@SERVERS log_year, logfile=/var/log/sudo.log
! 1707: \& Defaults!PAGERS noexec
! 1708: .Ve
! 1709: .PP
! 1710: The \fIUser specification\fR is the part that actually determines who may
! 1711: run what.
! 1712: .PP
! 1713: .Vb 2
! 1714: \& root ALL = (ALL) ALL
! 1715: \& %wheel ALL = (ALL) ALL
! 1716: .Ve
! 1717: .PP
! 1718: We let \fBroot\fR and any user in group \fBwheel\fR run any command on any
! 1719: host as any user.
! 1720: .PP
! 1721: .Vb 1
! 1722: \& FULLTIMERS ALL = NOPASSWD: ALL
! 1723: .Ve
! 1724: .PP
! 1725: Full time sysadmins (\fBmillert\fR, \fBmikef\fR, and \fBdowdy\fR) may run any
! 1726: command on any host without authenticating themselves.
! 1727: .PP
! 1728: .Vb 1
! 1729: \& PARTTIMERS ALL = ALL
! 1730: .Ve
! 1731: .PP
! 1732: Part time sysadmins (\fBbostley\fR, \fBjwfox\fR, and \fBcrawl\fR) may run any
! 1733: command on any host but they must authenticate themselves first
! 1734: (since the entry lacks the \f(CW\*(C`NOPASSWD\*(C'\fR tag).
! 1735: .PP
! 1736: .Vb 1
! 1737: \& jack CSNETS = ALL
! 1738: .Ve
! 1739: .PP
! 1740: The user \fBjack\fR may run any command on the machines in the \fI\s-1CSNETS\s0\fR alias
! 1741: (the networks \f(CW128.138.243.0\fR, \f(CW128.138.204.0\fR, and \f(CW128.138.242.0\fR).
! 1742: Of those networks, only \f(CW128.138.204.0\fR has an explicit netmask (in
! 1743: \&\s-1CIDR\s0 notation) indicating it is a class C network. For the other
! 1744: networks in \fI\s-1CSNETS\s0\fR, the local machine's netmask will be used
! 1745: during matching.
! 1746: .PP
! 1747: .Vb 1
! 1748: \& lisa CUNETS = ALL
! 1749: .Ve
! 1750: .PP
! 1751: The user \fBlisa\fR may run any command on any host in the \fI\s-1CUNETS\s0\fR alias
! 1752: (the class B network \f(CW128.138.0.0\fR).
! 1753: .PP
! 1754: .Vb 2
! 1755: \& operator ALL = DUMPS, KILL, SHUTDOWN, HALT, REBOOT, PRINTING,\e
! 1756: \& sudoedit /etc/printcap, /usr/oper/bin/
! 1757: .Ve
! 1758: .PP
! 1759: The \fBoperator\fR user may run commands limited to simple maintenance.
! 1760: Here, those are commands related to backups, killing processes, the
! 1761: printing system, shutting down the system, and any commands in the
! 1762: directory \fI/usr/oper/bin/\fR.
! 1763: .PP
! 1764: .Vb 1
! 1765: \& joe ALL = /usr/bin/su operator
! 1766: .Ve
! 1767: .PP
! 1768: The user \fBjoe\fR may only \fIsu\fR\|(1) to operator.
! 1769: .PP
! 1770: .Vb 1
! 1771: \& pete HPPA = /usr/bin/passwd [A\-Za\-z]*, !/usr/bin/passwd root
! 1772: \&
! 1773: \& %opers ALL = (: ADMINGRP) /usr/sbin/
! 1774: .Ve
! 1775: .PP
! 1776: Users in the \fBopers\fR group may run commands in \fI/usr/sbin/\fR as themselves
! 1777: with any group in the \fI\s-1ADMINGRP\s0\fR \f(CW\*(C`Runas_Alias\*(C'\fR (the \fBadm\fR and \fBoper\fR
! 1778: groups).
! 1779: .PP
! 1780: The user \fBpete\fR is allowed to change anyone's password except for
! 1781: root on the \fI\s-1HPPA\s0\fR machines. Note that this assumes \fIpasswd\fR\|(1)
! 1782: does not take multiple user names on the command line.
! 1783: .PP
! 1784: .Vb 1
! 1785: \& bob SPARC = (OP) ALL : SGI = (OP) ALL
! 1786: .Ve
! 1787: .PP
! 1788: The user \fBbob\fR may run anything on the \fI\s-1SPARC\s0\fR and \fI\s-1SGI\s0\fR machines
! 1789: as any user listed in the \fI\s-1OP\s0\fR \f(CW\*(C`Runas_Alias\*(C'\fR (\fBroot\fR and \fBoperator\fR).
! 1790: .PP
! 1791: .Vb 1
! 1792: \& jim +biglab = ALL
! 1793: .Ve
! 1794: .PP
! 1795: The user \fBjim\fR may run any command on machines in the \fIbiglab\fR netgroup.
! 1796: \&\fBsudo\fR knows that \*(L"biglab\*(R" is a netgroup due to the '+' prefix.
! 1797: .PP
! 1798: .Vb 1
! 1799: \& +secretaries ALL = PRINTING, /usr/bin/adduser, /usr/bin/rmuser
! 1800: .Ve
! 1801: .PP
! 1802: Users in the \fBsecretaries\fR netgroup need to help manage the printers
! 1803: as well as add and remove users, so they are allowed to run those
! 1804: commands on all machines.
! 1805: .PP
! 1806: .Vb 1
! 1807: \& fred ALL = (DB) NOPASSWD: ALL
! 1808: .Ve
! 1809: .PP
! 1810: The user \fBfred\fR can run commands as any user in the \fI\s-1DB\s0\fR \f(CW\*(C`Runas_Alias\*(C'\fR
! 1811: (\fBoracle\fR or \fBsybase\fR) without giving a password.
! 1812: .PP
! 1813: .Vb 1
! 1814: \& john ALPHA = /usr/bin/su [!\-]*, !/usr/bin/su *root*
! 1815: .Ve
! 1816: .PP
! 1817: On the \fI\s-1ALPHA\s0\fR machines, user \fBjohn\fR may su to anyone except root
! 1818: but he is not allowed to specify any options to the \fIsu\fR\|(1) command.
! 1819: .PP
! 1820: .Vb 1
! 1821: \& jen ALL, !SERVERS = ALL
! 1822: .Ve
! 1823: .PP
! 1824: The user \fBjen\fR may run any command on any machine except for those
! 1825: in the \fI\s-1SERVERS\s0\fR \f(CW\*(C`Host_Alias\*(C'\fR (master, mail, www and ns).
! 1826: .PP
! 1827: .Vb 1
! 1828: \& jill SERVERS = /usr/bin/, !SU, !SHELLS
! 1829: .Ve
! 1830: .PP
! 1831: For any machine in the \fI\s-1SERVERS\s0\fR \f(CW\*(C`Host_Alias\*(C'\fR, \fBjill\fR may run
! 1832: any commands in the directory \fI/usr/bin/\fR except for those commands
! 1833: belonging to the \fI\s-1SU\s0\fR and \fI\s-1SHELLS\s0\fR \f(CW\*(C`Cmnd_Aliases\*(C'\fR.
! 1834: .PP
! 1835: .Vb 1
! 1836: \& steve CSNETS = (operator) /usr/local/op_commands/
! 1837: .Ve
! 1838: .PP
! 1839: The user \fBsteve\fR may run any command in the directory /usr/local/op_commands/
! 1840: but only as user operator.
! 1841: .PP
! 1842: .Vb 1
! 1843: \& matt valkyrie = KILL
! 1844: .Ve
! 1845: .PP
! 1846: On his personal workstation, valkyrie, \fBmatt\fR needs to be able to
! 1847: kill hung processes.
! 1848: .PP
! 1849: .Vb 1
! 1850: \& WEBMASTERS www = (www) ALL, (root) /usr/bin/su www
! 1851: .Ve
! 1852: .PP
! 1853: On the host www, any user in the \fI\s-1WEBMASTERS\s0\fR \f(CW\*(C`User_Alias\*(C'\fR (will,
! 1854: wendy, and wim), may run any command as user www (which owns the
! 1855: web pages) or simply \fIsu\fR\|(1) to www.
! 1856: .PP
! 1857: .Vb 2
! 1858: \& ALL CDROM = NOPASSWD: /sbin/umount /CDROM,\e
! 1859: \& /sbin/mount \-o nosuid\e,nodev /dev/cd0a /CDROM
! 1860: .Ve
! 1861: .PP
! 1862: Any user may mount or unmount a CD-ROM on the machines in the \s-1CDROM\s0
! 1863: \&\f(CW\*(C`Host_Alias\*(C'\fR (orion, perseus, hercules) without entering a password.
! 1864: This is a bit tedious for users to type, so it is a prime candidate
! 1865: for encapsulating in a shell script.
! 1866: .SH "SECURITY NOTES"
! 1867: .IX Header "SECURITY NOTES"
! 1868: It is generally not effective to \*(L"subtract\*(R" commands from \f(CW\*(C`ALL\*(C'\fR
! 1869: using the '!' operator. A user can trivially circumvent this
! 1870: by copying the desired command to a different name and then
! 1871: executing that. For example:
! 1872: .PP
! 1873: .Vb 1
! 1874: \& bill ALL = ALL, !SU, !SHELLS
! 1875: .Ve
! 1876: .PP
! 1877: Doesn't really prevent \fBbill\fR from running the commands listed in
! 1878: \&\fI\s-1SU\s0\fR or \fI\s-1SHELLS\s0\fR since he can simply copy those commands to a
! 1879: different name, or use a shell escape from an editor or other
! 1880: program. Therefore, these kind of restrictions should be considered
! 1881: advisory at best (and reinforced by policy).
! 1882: .PP
! 1883: Furthermore, if the \fIfast_glob\fR option is in use, it is not possible
! 1884: to reliably negate commands where the path name includes globbing
! 1885: (aka wildcard) characters. This is because the C library's
! 1886: \&\fIfnmatch\fR\|(3) function cannot resolve relative paths. While this
! 1887: is typically only an inconvenience for rules that grant privileges,
! 1888: it can result in a security issue for rules that subtract or revoke
! 1889: privileges.
! 1890: .PP
! 1891: For example, given the following \fIsudoers\fR entry:
! 1892: .PP
! 1893: .Vb 2
! 1894: \& john ALL = /usr/bin/passwd [a\-zA\-Z0\-9]*, /usr/bin/chsh [a\-zA\-Z0\-9]*,
! 1895: \& /usr/bin/chfn [a\-zA\-Z0\-9]*, !/usr/bin/* root
! 1896: .Ve
! 1897: .PP
! 1898: User \fBjohn\fR can still run \f(CW\*(C`/usr/bin/passwd root\*(C'\fR if \fIfast_glob\fR is
! 1899: enabled by changing to \fI/usr/bin\fR and running \f(CW\*(C`./passwd root\*(C'\fR instead.
! 1900: .SH "PREVENTING SHELL ESCAPES"
! 1901: .IX Header "PREVENTING SHELL ESCAPES"
! 1902: Once \fBsudo\fR executes a program, that program is free to do whatever
! 1903: it pleases, including run other programs. This can be a security
! 1904: issue since it is not uncommon for a program to allow shell escapes,
! 1905: which lets a user bypass \fBsudo\fR's access control and logging.
! 1906: Common programs that permit shell escapes include shells (obviously),
! 1907: editors, paginators, mail and terminal programs.
! 1908: .PP
! 1909: There are two basic approaches to this problem:
! 1910: .IP "restrict" 10
! 1911: .IX Item "restrict"
! 1912: Avoid giving users access to commands that allow the user to run
! 1913: arbitrary commands. Many editors have a restricted mode where shell
! 1914: escapes are disabled, though \fBsudoedit\fR is a better solution to
! 1915: running editors via \fBsudo\fR. Due to the large number of programs that
! 1916: offer shell escapes, restricting users to the set of programs that
! 1917: do not is often unworkable.
! 1918: .IP "noexec" 10
! 1919: .IX Item "noexec"
! 1920: Many systems that support shared libraries have the ability to
! 1921: override default library functions by pointing an environment
! 1922: variable (usually \f(CW\*(C`LD_PRELOAD\*(C'\fR) to an alternate shared library.
! 1923: On such systems, \fBsudo\fR's \fInoexec\fR functionality can be used to
! 1924: prevent a program run by \fBsudo\fR from executing any other programs.
! 1925: Note, however, that this applies only to native dynamically-linked
! 1926: executables. Statically-linked executables and foreign executables
! 1927: running under binary emulation are not affected.
! 1928: .Sp
! 1929: The \fInoexec\fR feature is known to work on SunOS, Solaris, *BSD,
! 1930: Linux, \s-1IRIX\s0, Tru64 \s-1UNIX\s0, MacOS X, HP-UX 11.x and \s-1AIX\s0 5.3 and above.
! 1931: It should be supported on most operating systems that support the
! 1932: \&\f(CW\*(C`LD_PRELOAD\*(C'\fR environment variable. Check your operating system's
! 1933: manual pages for the dynamic linker (usually ld.so, ld.so.1, dyld,
! 1934: dld.sl, rld, or loader) to see if \f(CW\*(C`LD_PRELOAD\*(C'\fR is supported.
! 1935: .Sp
! 1936: On Solaris 10 and higher, \fInoexec\fR uses Solaris privileges instead
! 1937: of the \f(CW\*(C`LD_PRELOAD\*(C'\fR environment variable.
! 1938: .Sp
! 1939: To enable \fInoexec\fR for a command, use the \f(CW\*(C`NOEXEC\*(C'\fR tag as documented
! 1940: in the User Specification section above. Here is that example again:
! 1941: .Sp
! 1942: .Vb 1
! 1943: \& aaron shanty = NOEXEC: /usr/bin/more, /usr/bin/vi
! 1944: .Ve
! 1945: .Sp
! 1946: This allows user \fBaaron\fR to run \fI/usr/bin/more\fR and \fI/usr/bin/vi\fR
! 1947: with \fInoexec\fR enabled. This will prevent those two commands from
! 1948: executing other commands (such as a shell). If you are unsure
! 1949: whether or not your system is capable of supporting \fInoexec\fR you
! 1950: can always just try it out and check whether shell escapes work
! 1951: when \fInoexec\fR is enabled.
! 1952: .PP
! 1953: Note that restricting shell escapes is not a panacea. Programs
! 1954: running as root are still capable of many potentially hazardous
! 1955: operations (such as changing or overwriting files) that could lead
! 1956: to unintended privilege escalation. In the specific case of an
! 1957: editor, a safer approach is to give the user permission to run
! 1958: \&\fBsudoedit\fR.
! 1959: .SH "SECURITY NOTES"
! 1960: .IX Header "SECURITY NOTES"
! 1961: \&\fIsudoers\fR will check the ownership of its time stamp directory
! 1962: (\fI@timedir@\fR by default) and ignore the directory's contents if
! 1963: it is not owned by root or if it is writable by a user other than
! 1964: root. On systems that allow non-root users to give away files via
! 1965: \&\fIchown\fR\|(2), if the time stamp directory is located in a world-writable
! 1966: directory (e.g., \fI/tmp\fR), it is possible for a user to create the
! 1967: time stamp directory before \fBsudo\fR is run. However, because
! 1968: \&\fIsudoers\fR checks the ownership and mode of the directory and its
! 1969: contents, the only damage that can be done is to \*(L"hide\*(R" files by
! 1970: putting them in the time stamp dir. This is unlikely to happen
! 1971: since once the time stamp dir is owned by root and inaccessible by
! 1972: any other user, the user placing files there would be unable to get
! 1973: them back out.
! 1974: .PP
! 1975: \&\fIsudoers\fR will not honor time stamps set far in the future. Time
! 1976: stamps with a date greater than current_time + 2 * \f(CW\*(C`TIMEOUT\*(C'\fR will
! 1977: be ignored and sudo will log and complain. This is done to keep a
! 1978: user from creating his/her own time stamp with a bogus date on
! 1979: systems that allow users to give away files if the time stamp directory
! 1980: is located in a world-writable directory.
! 1981: .PP
! 1982: On systems where the boot time is available, \fIsudoers\fR will ignore
! 1983: time stamps that date from before the machine booted.
! 1984: .PP
! 1985: Since time stamp files live in the file system, they can outlive a
! 1986: user's login session. As a result, a user may be able to login,
! 1987: run a command with \fBsudo\fR after authenticating, logout, login
! 1988: again, and run \fBsudo\fR without authenticating so long as the time
! 1989: stamp file's modification time is within \f(CW\*(C`@timeout@\*(C'\fR minutes (or
! 1990: whatever the timeout is set to in \fIsudoers\fR). When the \fItty_tickets\fR
! 1991: option is enabled, the time stamp has per-tty granularity but still
! 1992: may outlive the user's session. On Linux systems where the devpts
! 1993: filesystem is used, Solaris systems with the devices filesystem,
! 1994: as well as other systems that utilize a devfs filesystem that
! 1995: monotonically increase the inode number of devices as they are
! 1996: created (such as Mac \s-1OS\s0 X), \fIsudoers\fR is able to determine when a
! 1997: tty-based time stamp file is stale and will ignore it. Administrators
! 1998: should not rely on this feature as it is not universally available.
! 1999: .PP
! 2000: If users have sudo \f(CW\*(C`ALL\*(C'\fR there is nothing to prevent them from
! 2001: creating their own program that gives them a root shell (or making
! 2002: their own copy of a shell) regardless of any '!' elements in the
! 2003: user specification.
! 2004: .SH "SEE ALSO"
! 2005: .IX Header "SEE ALSO"
! 2006: \&\fIrsh\fR\|(1), \fIsu\fR\|(1), \fIfnmatch\fR\|(3), \fIglob\fR\|(3), \fImktemp\fR\|(3), \fIstrftime\fR\|(3),
! 2007: \&\fIsudoers.ldap\fR\|(@mansectform@), \fIsudo_plugin\fR\|(@mansectsu@), \fIsudo\fR\|(@mansectsu@), \fIvisudo\fR\|(@mansectsu@)
! 2008: .SH "CAVEATS"
! 2009: .IX Header "CAVEATS"
! 2010: The \fIsudoers\fR file should \fBalways\fR be edited by the \fBvisudo\fR
! 2011: command which locks the file and does grammatical checking. It is
! 2012: imperative that \fIsudoers\fR be free of syntax errors since \fBsudo\fR
! 2013: will not run with a syntactically incorrect \fIsudoers\fR file.
! 2014: .PP
! 2015: When using netgroups of machines (as opposed to users), if you
! 2016: store fully qualified host name in the netgroup (as is usually the
! 2017: case), you either need to have the machine's host name be fully qualified
! 2018: as returned by the \f(CW\*(C`hostname\*(C'\fR command or use the \fIfqdn\fR option in
! 2019: \&\fIsudoers\fR.
! 2020: .SH "BUGS"
! 2021: .IX Header "BUGS"
! 2022: If you feel you have found a bug in \fBsudo\fR, please submit a bug report
! 2023: at http://www.sudo.ws/sudo/bugs/
! 2024: .SH "SUPPORT"
! 2025: .IX Header "SUPPORT"
! 2026: Limited free support is available via the sudo-users mailing list,
! 2027: see http://www.sudo.ws/mailman/listinfo/sudo\-users to subscribe or
! 2028: search the archives.
! 2029: .SH "DISCLAIMER"
! 2030: .IX Header "DISCLAIMER"
! 2031: \&\fBsudo\fR is provided ``\s-1AS\s0 \s-1IS\s0'' and any express or implied warranties,
! 2032: including, but not limited to, the implied warranties of merchantability
! 2033: and fitness for a particular purpose are disclaimed. See the \s-1LICENSE\s0
! 2034: file distributed with \fBsudo\fR or http://www.sudo.ws/sudo/license.html
! 2035: for complete details.
FreeBSD-CVSweb <freebsd-cvsweb@FreeBSD.org>