Annotation of embedaddon/sudo/doc/sudoers.man.in, revision 1.1.1.1
1.1 misho 1: .\" Copyright (c) 1994-1996, 1998-2005, 2007-2011
2: .\" Todd C. Miller <Todd.Miller@courtesan.com>
3: .\"
4: .\" Permission to use, copy, modify, and distribute this software for any
5: .\" purpose with or without fee is hereby granted, provided that the above
6: .\" copyright notice and this permission notice appear in all copies.
7: .\"
8: .\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
9: .\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
10: .\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
11: .\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
12: .\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
13: .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
14: .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
15: .\" ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
16: .\"
17: .\" Sponsored in part by the Defense Advanced Research Projects
18: .\" Agency (DARPA) and Air Force Research Laboratory, Air Force
19: .\" Materiel Command, USAF, under agreement number F39502-99-1-0512.
20: .\"
21: .nr SL @SEMAN@
22: .nr BA @BAMAN@
23: .nr LC @LCMAN@
24: .\"
25: .\" Automatically generated by Pod::Man 2.23 (Pod::Simple 3.14)
26: .\"
27: .\" Standard preamble:
28: .\" ========================================================================
29: .de Sp \" Vertical space (when we can't use .PP)
30: .if t .sp .5v
31: .if n .sp
32: ..
33: .de Vb \" Begin verbatim text
34: .ft CW
35: .nf
36: .ne \\$1
37: ..
38: .de Ve \" End verbatim text
39: .ft R
40: .fi
41: ..
42: .\" Set up some character translations and predefined strings. \*(-- will
43: .\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
44: .\" double quote, and \*(R" will give a right double quote. \*(C+ will
45: .\" give a nicer C++. Capital omega is used to do unbreakable dashes and
46: .\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
47: .\" nothing in troff, for use with C<>.
48: .tr \(*W-
49: .ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
50: .ie n \{\
51: . ds -- \(*W-
52: . ds PI pi
53: . if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
54: . if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
55: . ds L" ""
56: . ds R" ""
57: . ds C`
58: . ds C'
59: 'br\}
60: .el\{\
61: . ds -- \|\(em\|
62: . ds PI \(*p
63: . ds L" ``
64: . ds R" ''
65: 'br\}
66: .\"
67: .\" Escape single quotes in literal strings from groff's Unicode transform.
68: .ie \n(.g .ds Aq \(aq
69: .el .ds Aq '
70: .\"
71: .\" If the F register is turned on, we'll generate index entries on stderr for
72: .\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
73: .\" entries marked with X<> in POD. Of course, you'll have to process the
74: .\" output yourself in some meaningful fashion.
75: .ie \nF \{\
76: . de IX
77: . tm Index:\\$1\t\\n%\t"\\$2"
78: ..
79: . nr % 0
80: . rr F
81: .\}
82: .el \{\
83: . de IX
84: ..
85: .\}
86: .\"
87: .\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
88: .\" Fear. Run. Save yourself. No user-serviceable parts.
89: . \" fudge factors for nroff and troff
90: .if n \{\
91: . ds #H 0
92: . ds #V .8m
93: . ds #F .3m
94: . ds #[ \f1
95: . ds #] \fP
96: .\}
97: .if t \{\
98: . ds #H ((1u-(\\\\n(.fu%2u))*.13m)
99: . ds #V .6m
100: . ds #F 0
101: . ds #[ \&
102: . ds #] \&
103: .\}
104: . \" simple accents for nroff and troff
105: .if n \{\
106: . ds ' \&
107: . ds ` \&
108: . ds ^ \&
109: . ds , \&
110: . ds ~ ~
111: . ds /
112: .\}
113: .if t \{\
114: . ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
115: . ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
116: . ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
117: . ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
118: . ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
119: . ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
120: .\}
121: . \" troff and (daisy-wheel) nroff accents
122: .ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
123: .ds 8 \h'\*(#H'\(*b\h'-\*(#H'
124: .ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
125: .ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
126: .ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
127: .ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
128: .ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
129: .ds ae a\h'-(\w'a'u*4/10)'e
130: .ds Ae A\h'-(\w'A'u*4/10)'E
131: . \" corrections for vroff
132: .if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
133: .if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
134: . \" for low resolution devices (crt and lpr)
135: .if \n(.H>23 .if \n(.V>19 \
136: \{\
137: . ds : e
138: . ds 8 ss
139: . ds o a
140: . ds d- d\h'-1'\(ga
141: . ds D- D\h'-1'\(hy
142: . ds th \o'bp'
143: . ds Th \o'LP'
144: . ds ae ae
145: . ds Ae AE
146: .\}
147: .rm #[ #] #H #V #F C
148: .\" ========================================================================
149: .\"
150: .IX Title "SUDOERS @mansectform@"
151: .TH SUDOERS @mansectform@ "September 16, 2011" "1.8.3" "MAINTENANCE COMMANDS"
152: .\" For nroff, turn off justification. Always turn off hyphenation; it makes
153: .\" way too many mistakes in technical documents.
154: .if n .ad l
155: .nh
156: .SH "NAME"
157: sudoers \- default sudo security policy module
158: .SH "DESCRIPTION"
159: .IX Header "DESCRIPTION"
160: The \fIsudoers\fR policy module determines a user's \fBsudo\fR privileges.
161: It is the default \fBsudo\fR policy plugin. The policy is driven by
162: the \fI@sysconfdir@/sudoers\fR file or, optionally in \s-1LDAP\s0. The policy
163: format is described in detail in the \*(L"\s-1SUDOERS\s0 \s-1FILE\s0 \s-1FORMAT\s0\*(R"
164: section. For information on storing \fIsudoers\fR policy information
165: in \s-1LDAP\s0, please see \fIsudoers.ldap\fR\|(@mansectform@).
166: .SS "Authentication and Logging"
167: .IX Subsection "Authentication and Logging"
168: The \fIsudoers\fR security policy requires that most users authenticate
169: themselves before they can use \fBsudo\fR. A password is not required
170: if the invoking user is root, if the target user is the same as the
171: invoking user, or if the policy has disabled authentication for the
172: user or command. Unlike \fIsu\fR\|(1), when \fIsudoers\fR requires
173: authentication, it validates the invoking user's credentials, not
174: the target user's (or root's) credentials. This can be changed via
175: the \fIrootpw\fR, \fItargetpw\fR and \fIrunaspw\fR flags, described later.
176: .PP
177: If a user who is not listed in the policy tries to run a command
178: via \fBsudo\fR, mail is sent to the proper authorities. The address
179: used for such mail is configurable via the \fImailto\fR Defaults entry
180: (described later) and defaults to \f(CW\*(C`@mailto@\*(C'\fR.
181: .PP
182: Note that mail will not be sent if an unauthorized user tries to
183: run \fBsudo\fR with the \fB\-l\fR or \fB\-v\fR option. This allows users to
184: determine for themselves whether or not they are allowed to use
185: \&\fBsudo\fR.
186: .PP
187: If \fBsudo\fR is run by root and the \f(CW\*(C`SUDO_USER\*(C'\fR environment variable
188: is set, the \fIsudoers\fR policy will use this value to determine who
189: the actual user is. This can be used by a user to log commands
190: through sudo even when a root shell has been invoked. It also
191: allows the \fB\-e\fR option to remain useful even when invoked via a
192: sudo-run script or program. Note, however, that the \fIsudoers\fR
193: lookup is still done for root, not the user specified by \f(CW\*(C`SUDO_USER\*(C'\fR.
194: .PP
195: \&\fIsudoers\fR uses time stamp files for credential caching. Once a
196: user has been authenticated, a time stamp is updated and the user
197: may then use sudo without a password for a short period of time
198: (\f(CW\*(C`@timeout@\*(C'\fR minutes unless overridden by the \fItimeout\fR option.
199: By default, \fIsudoers\fR uses a tty-based time stamp which means that
200: there is a separate time stamp for each of a user's login sessions.
201: The \fItty_tickets\fR option can be disabled to force the use of a
202: single time stamp for all of a user's sessions.
203: .PP
204: \&\fIsudoers\fR can log both successful and unsuccessful attempts (as well
205: as errors) to \fIsyslog\fR\|(3), a log file, or both. By default, \fIsudoers\fR
206: will log via \fIsyslog\fR\|(3) but this is changeable via the \fIsyslog\fR
207: and \fIlogfile\fR Defaults settings.
208: .PP
209: \&\fIsudoers\fR also supports logging a command's input and output
210: streams. I/O logging is not on by default but can be enabled using
211: the \fIlog_input\fR and \fIlog_output\fR Defaults flags as well as the
212: \&\f(CW\*(C`LOG_INPUT\*(C'\fR and \f(CW\*(C`LOG_OUTPUT\*(C'\fR command tags.
213: .SS "Command Environment"
214: .IX Subsection "Command Environment"
215: Since environment variables can influence program behavior, \fIsudoers\fR
216: provides a means to restrict which variables from the user's
217: environment are inherited by the command to be run. There are two
218: distinct ways \fIsudoers\fR can deal with environment variables.
219: .PP
220: By default, the \fIenv_reset\fR option is enabled. This causes commands
221: to be executed with a minimal environment containing \f(CW\*(C`TERM\*(C'\fR,
222: \&\f(CW\*(C`PATH\*(C'\fR, \f(CW\*(C`HOME\*(C'\fR, \f(CW\*(C`MAIL\*(C'\fR, \f(CW\*(C`SHELL\*(C'\fR, \f(CW\*(C`LOGNAME\*(C'\fR, \f(CW\*(C`USER\*(C'\fR and \f(CW\*(C`USERNAME\*(C'\fR in
223: addition to variables from the invoking process permitted by the
224: \&\fIenv_check\fR and \fIenv_keep\fR options. This is effectively a whitelist
225: for environment variables.
226: .PP
227: If, however, the \fIenv_reset\fR option is disabled, any variables not
228: explicitly denied by the \fIenv_check\fR and \fIenv_delete\fR options are
229: inherited from the invoking process. In this case, \fIenv_check\fR
230: and \fIenv_delete\fR behave like a blacklist. Since it is not possible
231: to blacklist all potentially dangerous environment variables, use
232: of the default \fIenv_reset\fR behavior is encouraged.
233: .PP
234: In all cases, environment variables with a value beginning with
235: \&\f(CW\*(C`()\*(C'\fR are removed as they could be interpreted as \fBbash\fR functions.
236: The list of environment variables that \fBsudo\fR allows or denies is
237: contained in the output of \f(CW\*(C`sudo \-V\*(C'\fR when run as root.
238: .PP
239: Note that the dynamic linker on most operating systems will remove
240: variables that can control dynamic linking from the environment of
241: setuid executables, including \fBsudo\fR. Depending on the operating
242: system this may include \f(CW\*(C`_RLD*\*(C'\fR, \f(CW\*(C`DYLD_*\*(C'\fR, \f(CW\*(C`LD_*\*(C'\fR, \f(CW\*(C`LDR_*\*(C'\fR,
243: \&\f(CW\*(C`LIBPATH\*(C'\fR, \f(CW\*(C`SHLIB_PATH\*(C'\fR, and others. These type of variables are
244: removed from the environment before \fBsudo\fR even begins execution
245: and, as such, it is not possible for \fBsudo\fR to preserve them.
246: .PP
247: As a special case, if \fBsudo\fR's \fB\-i\fR option (initial login) is
248: specified, \fIsudoers\fR will initialize the environment regardless
249: of the value of \fIenv_reset\fR. The \fI\s-1DISPLAY\s0\fR, \fI\s-1PATH\s0\fR and \fI\s-1TERM\s0\fR
250: variables remain unchanged; \fI\s-1HOME\s0\fR, \fI\s-1MAIL\s0\fR, \fI\s-1SHELL\s0\fR, \fI\s-1USER\s0\fR,
251: and \fI\s-1LOGNAME\s0\fR are set based on the target user. On Linux and \s-1AIX\s0
252: systems the contents of \fI/etc/environment\fR are also included. All
253: other environment variables are removed.
254: .SH "SUDOERS FILE FORMAT"
255: .IX Header "SUDOERS FILE FORMAT"
256: The \fIsudoers\fR file is composed of two types of entries: aliases
257: (basically variables) and user specifications (which specify who
258: may run what).
259: .PP
260: When multiple entries match for a user, they are applied in order.
261: Where there are multiple matches, the last match is used (which is
262: not necessarily the most specific match).
263: .PP
264: The \fIsudoers\fR grammar will be described below in Extended Backus-Naur
265: Form (\s-1EBNF\s0). Don't despair if you don't know what \s-1EBNF\s0 is; it is
266: fairly simple, and the definitions below are annotated.
267: .SS "Quick guide to \s-1EBNF\s0"
268: .IX Subsection "Quick guide to EBNF"
269: \&\s-1EBNF\s0 is a concise and exact way of describing the grammar of a language.
270: Each \s-1EBNF\s0 definition is made up of \fIproduction rules\fR. E.g.,
271: .PP
272: .Vb 1
273: \& symbol ::= definition | alternate1 | alternate2 ...
274: .Ve
275: .PP
276: Each \fIproduction rule\fR references others and thus makes up a
277: grammar for the language. \s-1EBNF\s0 also contains the following
278: operators, which many readers will recognize from regular
279: expressions. Do not, however, confuse them with \*(L"wildcard\*(R"
280: characters, which have different meanings.
281: .ie n .IP "\*(C`?\*(C'" 4
282: .el .IP "\f(CW\*(C`?\*(C'\fR" 4
283: .IX Item "?"
284: Means that the preceding symbol (or group of symbols) is optional.
285: That is, it may appear once or not at all.
286: .ie n .IP "\*(C`*\*(C'" 4
287: .el .IP "\f(CW\*(C`*\*(C'\fR" 4
288: .IX Item "*"
289: Means that the preceding symbol (or group of symbols) may appear
290: zero or more times.
291: .ie n .IP "\*(C`+\*(C'" 4
292: .el .IP "\f(CW\*(C`+\*(C'\fR" 4
293: .IX Item "+"
294: Means that the preceding symbol (or group of symbols) may appear
295: one or more times.
296: .PP
297: Parentheses may be used to group symbols together. For clarity,
298: we will use single quotes ('') to designate what is a verbatim character
299: string (as opposed to a symbol name).
300: .SS "Aliases"
301: .IX Subsection "Aliases"
302: There are four kinds of aliases: \f(CW\*(C`User_Alias\*(C'\fR, \f(CW\*(C`Runas_Alias\*(C'\fR,
303: \&\f(CW\*(C`Host_Alias\*(C'\fR and \f(CW\*(C`Cmnd_Alias\*(C'\fR.
304: .PP
305: .Vb 4
306: \& Alias ::= \*(AqUser_Alias\*(Aq User_Alias (\*(Aq:\*(Aq User_Alias)* |
307: \& \*(AqRunas_Alias\*(Aq Runas_Alias (\*(Aq:\*(Aq Runas_Alias)* |
308: \& \*(AqHost_Alias\*(Aq Host_Alias (\*(Aq:\*(Aq Host_Alias)* |
309: \& \*(AqCmnd_Alias\*(Aq Cmnd_Alias (\*(Aq:\*(Aq Cmnd_Alias)*
310: \&
311: \& User_Alias ::= NAME \*(Aq=\*(Aq User_List
312: \&
313: \& Runas_Alias ::= NAME \*(Aq=\*(Aq Runas_List
314: \&
315: \& Host_Alias ::= NAME \*(Aq=\*(Aq Host_List
316: \&
317: \& Cmnd_Alias ::= NAME \*(Aq=\*(Aq Cmnd_List
318: \&
319: \& NAME ::= [A\-Z]([A\-Z][0\-9]_)*
320: .Ve
321: .PP
322: Each \fIalias\fR definition is of the form
323: .PP
324: .Vb 1
325: \& Alias_Type NAME = item1, item2, ...
326: .Ve
327: .PP
328: where \fIAlias_Type\fR is one of \f(CW\*(C`User_Alias\*(C'\fR, \f(CW\*(C`Runas_Alias\*(C'\fR, \f(CW\*(C`Host_Alias\*(C'\fR,
329: or \f(CW\*(C`Cmnd_Alias\*(C'\fR. A \f(CW\*(C`NAME\*(C'\fR is a string of uppercase letters, numbers,
330: and underscore characters ('_'). A \f(CW\*(C`NAME\*(C'\fR \fBmust\fR start with an
331: uppercase letter. It is possible to put several alias definitions
332: of the same type on a single line, joined by a colon (':'). E.g.,
333: .PP
334: .Vb 1
335: \& Alias_Type NAME = item1, item2, item3 : NAME = item4, item5
336: .Ve
337: .PP
338: The definitions of what constitutes a valid \fIalias\fR member follow.
339: .PP
340: .Vb 2
341: \& User_List ::= User |
342: \& User \*(Aq,\*(Aq User_List
343: \&
344: \& User ::= \*(Aq!\*(Aq* user name |
345: \& \*(Aq!\*(Aq* #uid |
346: \& \*(Aq!\*(Aq* %group |
347: \& \*(Aq!\*(Aq* %#gid |
348: \& \*(Aq!\*(Aq* +netgroup |
349: \& \*(Aq!\*(Aq* %:nonunix_group |
350: \& \*(Aq!\*(Aq* %:#nonunix_gid |
351: \& \*(Aq!\*(Aq* User_Alias
352: .Ve
353: .PP
354: A \f(CW\*(C`User_List\*(C'\fR is made up of one or more user names, user ids
355: (prefixed with '#'), system group names and ids (prefixed with '%'
356: and '%#' respectively), netgroups (prefixed with '+'), non-Unix
357: group names and IDs (prefixed with '%:' and '%:#' respectively) and
358: \&\f(CW\*(C`User_Alias\*(C'\fRes. Each list item may be prefixed with zero or more
359: \&'!' operators. An odd number of '!' operators negate the value of
360: the item; an even number just cancel each other out.
361: .PP
362: A \f(CW\*(C`user name\*(C'\fR, \f(CW\*(C`uid\*(C'\fR, \f(CW\*(C`group\*(C'\fR, \f(CW\*(C`gid\*(C'\fR, \f(CW\*(C`netgroup\*(C'\fR, \f(CW\*(C`nonunix_group\*(C'\fR
363: or \f(CW\*(C`nonunix_gid\*(C'\fR may be enclosed in double quotes to avoid the
364: need for escaping special characters. Alternately, special characters
365: may be specified in escaped hex mode, e.g. \ex20 for space. When
366: using double quotes, any prefix characters must be included inside
367: the quotes.
368: .PP
369: The actual \f(CW\*(C`nonunix_group\*(C'\fR and \f(CW\*(C`nonunix_gid\*(C'\fR syntax depends on
370: the underlying group provider plugin (see the \fIgroup_plugin\fR
371: description below). For instance, the \s-1QAS\s0 \s-1AD\s0 plugin supports the
372: following formats:
373: .IP "\(bu" 4
374: Group in the same domain: \*(L"Group Name\*(R"
375: .IP "\(bu" 4
376: Group in any domain: \*(L"Group Name@FULLY.QUALIFIED.DOMAIN\*(R"
377: .IP "\(bu" 4
378: Group \s-1SID:\s0 \*(L"S\-1\-2\-34\-5678901234\-5678901234\-5678901234\-567\*(R"
379: .PP
380: Note that quotes around group names are optional. Unquoted strings
381: must use a backslash (\e) to escape spaces and special characters.
382: See \*(L"Other special characters and reserved words\*(R" for a list of
383: characters that need to be escaped.
384: .PP
385: .Vb 2
386: \& Runas_List ::= Runas_Member |
387: \& Runas_Member \*(Aq,\*(Aq Runas_List
388: \&
389: \& Runas_Member ::= \*(Aq!\*(Aq* user name |
390: \& \*(Aq!\*(Aq* #uid |
391: \& \*(Aq!\*(Aq* %group |
392: \& \*(Aq!\*(Aq* %#gid |
393: \& \*(Aq!\*(Aq* %:nonunix_group |
394: \& \*(Aq!\*(Aq* %:#nonunix_gid |
395: \& \*(Aq!\*(Aq* +netgroup |
396: \& \*(Aq!\*(Aq* Runas_Alias
397: .Ve
398: .PP
399: A \f(CW\*(C`Runas_List\*(C'\fR is similar to a \f(CW\*(C`User_List\*(C'\fR except that instead
400: of \f(CW\*(C`User_Alias\*(C'\fRes it can contain \f(CW\*(C`Runas_Alias\*(C'\fRes. Note that
401: user names and groups are matched as strings. In other words, two
402: users (groups) with the same uid (gid) are considered to be distinct.
403: If you wish to match all user names with the same uid (e.g.\ root
404: and toor), you can use a uid instead (#0 in the example given).
405: .PP
406: .Vb 2
407: \& Host_List ::= Host |
408: \& Host \*(Aq,\*(Aq Host_List
409: \&
410: \& Host ::= \*(Aq!\*(Aq* host name |
411: \& \*(Aq!\*(Aq* ip_addr |
412: \& \*(Aq!\*(Aq* network(/netmask)? |
413: \& \*(Aq!\*(Aq* +netgroup |
414: \& \*(Aq!\*(Aq* Host_Alias
415: .Ve
416: .PP
417: A \f(CW\*(C`Host_List\*(C'\fR is made up of one or more host names, \s-1IP\s0 addresses,
418: network numbers, netgroups (prefixed with '+') and other aliases.
419: Again, the value of an item may be negated with the '!' operator.
420: If you do not specify a netmask along with the network number,
421: \&\fBsudo\fR will query each of the local host's network interfaces and,
422: if the network number corresponds to one of the hosts's network
423: interfaces, the corresponding netmask will be used. The netmask
424: may be specified either in standard \s-1IP\s0 address notation
425: (e.g.\ 255.255.255.0 or ffff:ffff:ffff:ffff::),
426: or \s-1CIDR\s0 notation (number of bits, e.g.\ 24 or 64). A host name may
427: include shell-style wildcards (see the Wildcards section below),
428: but unless the \f(CW\*(C`host name\*(C'\fR command on your machine returns the fully
429: qualified host name, you'll need to use the \fIfqdn\fR option for
430: wildcards to be useful. Note \fBsudo\fR only inspects actual network
431: interfaces; this means that \s-1IP\s0 address 127.0.0.1 (localhost) will
432: never match. Also, the host name \*(L"localhost\*(R" will only match if
433: that is the actual host name, which is usually only the case for
434: non-networked systems.
435: .PP
436: .Vb 2
437: \& Cmnd_List ::= Cmnd |
438: \& Cmnd \*(Aq,\*(Aq Cmnd_List
439: \&
440: \& commandname ::= file name |
441: \& file name args |
442: \& file name \*(Aq""\*(Aq
443: \&
444: \& Cmnd ::= \*(Aq!\*(Aq* commandname |
445: \& \*(Aq!\*(Aq* directory |
446: \& \*(Aq!\*(Aq* "sudoedit" |
447: \& \*(Aq!\*(Aq* Cmnd_Alias
448: .Ve
449: .PP
450: A \f(CW\*(C`Cmnd_List\*(C'\fR is a list of one or more commandnames, directories, and other
451: aliases. A commandname is a fully qualified file name which may include
452: shell-style wildcards (see the Wildcards section below). A simple
453: file name allows the user to run the command with any arguments he/she
454: wishes. However, you may also specify command line arguments (including
455: wildcards). Alternately, you can specify \f(CW""\fR to indicate that the command
456: may only be run \fBwithout\fR command line arguments. A directory is a
457: fully qualified path name ending in a '/'. When you specify a directory
458: in a \f(CW\*(C`Cmnd_List\*(C'\fR, the user will be able to run any file within that directory
459: (but not in any subdirectories therein).
460: .PP
461: If a \f(CW\*(C`Cmnd\*(C'\fR has associated command line arguments, then the arguments
462: in the \f(CW\*(C`Cmnd\*(C'\fR must match exactly those given by the user on the command line
463: (or match the wildcards if there are any). Note that the following
464: characters must be escaped with a '\e' if they are used in command
465: arguments: ',', ':', '=', '\e'. The special command \f(CW"sudoedit"\fR
466: is used to permit a user to run \fBsudo\fR with the \fB\-e\fR option (or
467: as \fBsudoedit\fR). It may take command line arguments just as
468: a normal command does.
469: .SS "Defaults"
470: .IX Subsection "Defaults"
471: Certain configuration options may be changed from their default
472: values at runtime via one or more \f(CW\*(C`Default_Entry\*(C'\fR lines. These
473: may affect all users on any host, all users on a specific host, a
474: specific user, a specific command, or commands being run as a specific user.
475: Note that per-command entries may not include command line arguments.
476: If you need to specify arguments, define a \f(CW\*(C`Cmnd_Alias\*(C'\fR and reference
477: that instead.
478: .PP
479: .Vb 5
480: \& Default_Type ::= \*(AqDefaults\*(Aq |
481: \& \*(AqDefaults\*(Aq \*(Aq@\*(Aq Host_List |
482: \& \*(AqDefaults\*(Aq \*(Aq:\*(Aq User_List |
483: \& \*(AqDefaults\*(Aq \*(Aq!\*(Aq Cmnd_List |
484: \& \*(AqDefaults\*(Aq \*(Aq>\*(Aq Runas_List
485: \&
486: \& Default_Entry ::= Default_Type Parameter_List
487: \&
488: \& Parameter_List ::= Parameter |
489: \& Parameter \*(Aq,\*(Aq Parameter_List
490: \&
491: \& Parameter ::= Parameter \*(Aq=\*(Aq Value |
492: \& Parameter \*(Aq+=\*(Aq Value |
493: \& Parameter \*(Aq\-=\*(Aq Value |
494: \& \*(Aq!\*(Aq* Parameter
495: .Ve
496: .PP
497: Parameters may be \fBflags\fR, \fBinteger\fR values, \fBstrings\fR, or \fBlists\fR.
498: Flags are implicitly boolean and can be turned off via the '!'
499: operator. Some integer, string and list parameters may also be
500: used in a boolean context to disable them. Values may be enclosed
501: in double quotes (\f(CW\*(C`"\*(C'\fR) when they contain multiple words. Special
502: characters may be escaped with a backslash (\f(CW\*(C`\e\*(C'\fR).
503: .PP
504: Lists have two additional assignment operators, \f(CW\*(C`+=\*(C'\fR and \f(CW\*(C`\-=\*(C'\fR.
505: These operators are used to add to and delete from a list respectively.
506: It is not an error to use the \f(CW\*(C`\-=\*(C'\fR operator to remove an element
507: that does not exist in a list.
508: .PP
509: Defaults entries are parsed in the following order: generic, host
510: and user Defaults first, then runas Defaults and finally command
511: defaults.
512: .PP
513: See \*(L"\s-1SUDOERS\s0 \s-1OPTIONS\s0\*(R" for a list of supported Defaults parameters.
514: .SS "User Specification"
515: .IX Subsection "User Specification"
516: .Vb 2
517: \& User_Spec ::= User_List Host_List \*(Aq=\*(Aq Cmnd_Spec_List \e
518: \& (\*(Aq:\*(Aq Host_List \*(Aq=\*(Aq Cmnd_Spec_List)*
519: \&
520: \& Cmnd_Spec_List ::= Cmnd_Spec |
521: \& Cmnd_Spec \*(Aq,\*(Aq Cmnd_Spec_List
522: \&
523: .ie \n(SL \& Cmnd_Spec ::= Runas_Spec? SELinux_Spec? Tag_Spec* Cmnd
524: .el \& Cmnd_Spec ::= Runas_Spec? Tag_Spec* Cmnd
525: \&
526: \& Runas_Spec ::= \*(Aq(\*(Aq Runas_List? (\*(Aq:\*(Aq Runas_List)? \*(Aq)\*(Aq
527: \&
528: .if \n(SL \{\
529: \& SELinux_Spec ::= (\*(AqROLE=role\*(Aq | \*(AqTYPE=type\*(Aq)
530: \&
531: \}
532: \& Tag_Spec ::= (\*(AqNOPASSWD:\*(Aq | \*(AqPASSWD:\*(Aq | \*(AqNOEXEC:\*(Aq | \*(AqEXEC:\*(Aq |
533: \& \*(AqSETENV:\*(Aq | \*(AqNOSETENV:\*(Aq | \*(AqLOG_INPUT:\*(Aq | \*(AqNOLOG_INPUT:\*(Aq |
534: \& \*(AqLOG_OUTPUT:\*(Aq | \*(AqNOLOG_OUTPUT:\*(Aq)
535: .Ve
536: .PP
537: A \fBuser specification\fR determines which commands a user may run
538: (and as what user) on specified hosts. By default, commands are
539: run as \fBroot\fR, but this can be changed on a per-command basis.
540: .PP
541: The basic structure of a user specification is `who where = (as_whom)
542: what'. Let's break that down into its constituent parts:
543: .SS "Runas_Spec"
544: .IX Subsection "Runas_Spec"
545: A \f(CW\*(C`Runas_Spec\*(C'\fR determines the user and/or the group that a command
546: may be run as. A fully-specified \f(CW\*(C`Runas_Spec\*(C'\fR consists of two
547: \&\f(CW\*(C`Runas_List\*(C'\fRs (as defined above) separated by a colon (':') and
548: enclosed in a set of parentheses. The first \f(CW\*(C`Runas_List\*(C'\fR indicates
549: which users the command may be run as via \fBsudo\fR's \fB\-u\fR option.
550: The second defines a list of groups that can be specified via
551: \&\fBsudo\fR's \fB\-g\fR option. If both \f(CW\*(C`Runas_List\*(C'\fRs are specified, the
552: command may be run with any combination of users and groups listed
553: in their respective \f(CW\*(C`Runas_List\*(C'\fRs. If only the first is specified,
554: the command may be run as any user in the list but no \fB\-g\fR option
555: may be specified. If the first \f(CW\*(C`Runas_List\*(C'\fR is empty but the
556: second is specified, the command may be run as the invoking user
557: with the group set to any listed in the \f(CW\*(C`Runas_List\*(C'\fR. If no
558: \&\f(CW\*(C`Runas_Spec\*(C'\fR is specified the command may be run as \fBroot\fR and
559: no group may be specified.
560: .PP
561: A \f(CW\*(C`Runas_Spec\*(C'\fR sets the default for the commands that follow it.
562: What this means is that for the entry:
563: .PP
564: .Vb 1
565: \& dgb boulder = (operator) /bin/ls, /bin/kill, /usr/bin/lprm
566: .Ve
567: .PP
568: The user \fBdgb\fR may run \fI/bin/ls\fR, \fI/bin/kill\fR, and
569: \&\fI/usr/bin/lprm\fR \*(-- but only as \fBoperator\fR. E.g.,
570: .PP
571: .Vb 1
572: \& $ sudo \-u operator /bin/ls
573: .Ve
574: .PP
575: It is also possible to override a \f(CW\*(C`Runas_Spec\*(C'\fR later on in an
576: entry. If we modify the entry like so:
577: .PP
578: .Vb 1
579: \& dgb boulder = (operator) /bin/ls, (root) /bin/kill, /usr/bin/lprm
580: .Ve
581: .PP
582: Then user \fBdgb\fR is now allowed to run \fI/bin/ls\fR as \fBoperator\fR,
583: but \fI/bin/kill\fR and \fI/usr/bin/lprm\fR as \fBroot\fR.
584: .PP
585: We can extend this to allow \fBdgb\fR to run \f(CW\*(C`/bin/ls\*(C'\fR with either
586: the user or group set to \fBoperator\fR:
587: .PP
588: .Vb 2
589: \& dgb boulder = (operator : operator) /bin/ls, (root) /bin/kill, \e
590: \& /usr/bin/lprm
591: .Ve
592: .PP
593: Note that while the group portion of the \f(CW\*(C`Runas_Spec\*(C'\fR permits the
594: user to run as command with that group, it does not force the user
595: to do so. If no group is specified on the command line, the command
596: will run with the group listed in the target user's password database
597: entry. The following would all be permitted by the sudoers entry above:
598: .PP
599: .Vb 3
600: \& $ sudo \-u operator /bin/ls
601: \& $ sudo \-u operator \-g operator /bin/ls
602: \& $ sudo \-g operator /bin/ls
603: .Ve
604: .PP
605: In the following example, user \fBtcm\fR may run commands that access
606: a modem device file with the dialer group.
607: .PP
608: .Vb 2
609: \& tcm boulder = (:dialer) /usr/bin/tip, /usr/bin/cu, \e
610: \& /usr/local/bin/minicom
611: .Ve
612: .PP
613: Note that in this example only the group will be set, the command
614: still runs as user \fBtcm\fR. E.g.
615: .PP
616: .Vb 1
617: \& $ sudo \-g dialer /usr/bin/cu
618: .Ve
619: .PP
620: Multiple users and groups may be present in a \f(CW\*(C`Runas_Spec\*(C'\fR, in
621: which case the user may select any combination of users and groups
622: via the \fB\-u\fR and \fB\-g\fR options. In this example:
623: .PP
624: .Vb 1
625: \& alan ALL = (root, bin : operator, system) ALL
626: .Ve
627: .PP
628: user \fBalan\fR may run any command as either user root or bin,
629: optionally setting the group to operator or system.
630: .if \n(SL \{\
631: .SS "SELinux_Spec"
632: .IX Subsection "SELinux_Spec"
633: On systems with SELinux support, \fIsudoers\fR entries may optionally have
634: an SELinux role and/or type associated with a command. If a role or
635: type is specified with the command it will override any default values
636: specified in \fIsudoers\fR. A role or type specified on the command line,
637: however, will supercede the values in \fIsudoers\fR.
638: \}
639: .SS "Tag_Spec"
640: .IX Subsection "Tag_Spec"
641: A command may have zero or more tags associated with it. There are
642: eight possible tag values, \f(CW\*(C`NOPASSWD\*(C'\fR, \f(CW\*(C`PASSWD\*(C'\fR, \f(CW\*(C`NOEXEC\*(C'\fR,
643: \&\f(CW\*(C`EXEC\*(C'\fR, \f(CW\*(C`SETENV\*(C'\fR, \f(CW\*(C`NOSETENV\*(C'\fR, \f(CW\*(C`LOG_INPUT\*(C'\fR, \f(CW\*(C`NOLOG_INPUT\*(C'\fR,
644: \&\f(CW\*(C`LOG_OUTPUT\*(C'\fR and \f(CW\*(C`NOLOG_OUTPUT\*(C'\fR. Once a tag is set on a \f(CW\*(C`Cmnd\*(C'\fR,
645: subsequent \f(CW\*(C`Cmnd\*(C'\fRs in the \f(CW\*(C`Cmnd_Spec_List\*(C'\fR, inherit the tag unless
646: it is overridden by the opposite tag (i.e.: \f(CW\*(C`PASSWD\*(C'\fR overrides
647: \&\f(CW\*(C`NOPASSWD\*(C'\fR and \f(CW\*(C`NOEXEC\*(C'\fR overrides \f(CW\*(C`EXEC\*(C'\fR).
648: .PP
649: \fI\s-1NOPASSWD\s0 and \s-1PASSWD\s0\fR
650: .IX Subsection "NOPASSWD and PASSWD"
651: .PP
652: By default, \fBsudo\fR requires that a user authenticate him or herself
653: before running a command. This behavior can be modified via the
654: \&\f(CW\*(C`NOPASSWD\*(C'\fR tag. Like a \f(CW\*(C`Runas_Spec\*(C'\fR, the \f(CW\*(C`NOPASSWD\*(C'\fR tag sets
655: a default for the commands that follow it in the \f(CW\*(C`Cmnd_Spec_List\*(C'\fR.
656: Conversely, the \f(CW\*(C`PASSWD\*(C'\fR tag can be used to reverse things.
657: For example:
658: .PP
659: .Vb 1
660: \& ray rushmore = NOPASSWD: /bin/kill, /bin/ls, /usr/bin/lprm
661: .Ve
662: .PP
663: would allow the user \fBray\fR to run \fI/bin/kill\fR, \fI/bin/ls\fR, and
664: \&\fI/usr/bin/lprm\fR as \fBroot\fR on the machine rushmore without
665: authenticating himself. If we only want \fBray\fR to be able to
666: run \fI/bin/kill\fR without a password the entry would be:
667: .PP
668: .Vb 1
669: \& ray rushmore = NOPASSWD: /bin/kill, PASSWD: /bin/ls, /usr/bin/lprm
670: .Ve
671: .PP
672: Note, however, that the \f(CW\*(C`PASSWD\*(C'\fR tag has no effect on users who are
673: in the group specified by the \fIexempt_group\fR option.
674: .PP
675: By default, if the \f(CW\*(C`NOPASSWD\*(C'\fR tag is applied to any of the entries
676: for a user on the current host, he or she will be able to run
677: \&\f(CW\*(C`sudo \-l\*(C'\fR without a password. Additionally, a user may only run
678: \&\f(CW\*(C`sudo \-v\*(C'\fR without a password if the \f(CW\*(C`NOPASSWD\*(C'\fR tag is present
679: for all a user's entries that pertain to the current host.
680: This behavior may be overridden via the verifypw and listpw options.
681: .PP
682: \fI\s-1NOEXEC\s0 and \s-1EXEC\s0\fR
683: .IX Subsection "NOEXEC and EXEC"
684: .PP
685: If \fBsudo\fR has been compiled with \fInoexec\fR support and the underlying
686: operating system supports it, the \f(CW\*(C`NOEXEC\*(C'\fR tag can be used to prevent
687: a dynamically-linked executable from running further commands itself.
688: .PP
689: In the following example, user \fBaaron\fR may run \fI/usr/bin/more\fR
690: and \fI/usr/bin/vi\fR but shell escapes will be disabled.
691: .PP
692: .Vb 1
693: \& aaron shanty = NOEXEC: /usr/bin/more, /usr/bin/vi
694: .Ve
695: .PP
696: See the \*(L"\s-1PREVENTING\s0 \s-1SHELL\s0 \s-1ESCAPES\s0\*(R" section below for more details
697: on how \f(CW\*(C`NOEXEC\*(C'\fR works and whether or not it will work on your system.
698: .PP
699: \fI\s-1SETENV\s0 and \s-1NOSETENV\s0\fR
700: .IX Subsection "SETENV and NOSETENV"
701: .PP
702: These tags override the value of the \fIsetenv\fR option on a per-command
703: basis. Note that if \f(CW\*(C`SETENV\*(C'\fR has been set for a command, the user
704: may disable the \fIenv_reset\fR option from the command line via the
705: \&\fB\-E\fR option. Additionally, environment variables set on the command
706: line are not subject to the restrictions imposed by \fIenv_check\fR,
707: \&\fIenv_delete\fR, or \fIenv_keep\fR. As such, only trusted users should
708: be allowed to set variables in this manner. If the command matched
709: is \fB\s-1ALL\s0\fR, the \f(CW\*(C`SETENV\*(C'\fR tag is implied for that command; this
710: default may be overridden by use of the \f(CW\*(C`NOSETENV\*(C'\fR tag.
711: .PP
712: \fI\s-1LOG_INPUT\s0 and \s-1NOLOG_INPUT\s0\fR
713: .IX Subsection "LOG_INPUT and NOLOG_INPUT"
714: .PP
715: These tags override the value of the \fIlog_input\fR option on a
716: per-command basis. For more information, see the description of
717: \&\fIlog_input\fR in the \*(L"\s-1SUDOERS\s0 \s-1OPTIONS\s0\*(R" section below.
718: .PP
719: \fI\s-1LOG_OUTPUT\s0 and \s-1NOLOG_OUTPUT\s0\fR
720: .IX Subsection "LOG_OUTPUT and NOLOG_OUTPUT"
721: .PP
722: These tags override the value of the \fIlog_output\fR option on a
723: per-command basis. For more information, see the description of
724: \&\fIlog_output\fR in the \*(L"\s-1SUDOERS\s0 \s-1OPTIONS\s0\*(R" section below.
725: .SS "Wildcards"
726: .IX Subsection "Wildcards"
727: \&\fBsudo\fR allows shell-style \fIwildcards\fR (aka meta or glob characters)
728: to be used in host names, path names and command line arguments in
729: the \fIsudoers\fR file. Wildcard matching is done via the \fB\s-1POSIX\s0\fR
730: \&\fIglob\fR\|(3) and \fIfnmatch\fR\|(3) routines. Note that these are \fInot\fR
731: regular expressions.
732: .ie n .IP "\*(C`*\*(C'" 8
733: .el .IP "\f(CW\*(C`*\*(C'\fR" 8
734: .IX Item "*"
735: Matches any set of zero or more characters.
736: .ie n .IP "\*(C`?\*(C'" 8
737: .el .IP "\f(CW\*(C`?\*(C'\fR" 8
738: .IX Item "?"
739: Matches any single character.
740: .ie n .IP "\*(C`[...]\*(C'" 8
741: .el .IP "\f(CW\*(C`[...]\*(C'\fR" 8
742: .IX Item "[...]"
743: Matches any character in the specified range.
744: .ie n .IP "\*(C`[!...]\*(C'" 8
745: .el .IP "\f(CW\*(C`[!...]\*(C'\fR" 8
746: .IX Item "[!...]"
747: Matches any character \fBnot\fR in the specified range.
748: .ie n .IP "\*(C`\ex\*(C'" 8
749: .el .IP "\f(CW\*(C`\ex\*(C'\fR" 8
750: .IX Item "x"
751: For any character \*(L"x\*(R", evaluates to \*(L"x\*(R". This is used to
752: escape special characters such as: \*(L"*\*(R", \*(L"?\*(R", \*(L"[\*(R", and \*(L"}\*(R".
753: .PP
754: \&\s-1POSIX\s0 character classes may also be used if your system's \fIglob\fR\|(3)
755: and \fIfnmatch\fR\|(3) functions support them. However, because the
756: \&\f(CW\*(Aq:\*(Aq\fR character has special meaning in \fIsudoers\fR, it must be
757: escaped. For example:
758: .PP
759: .Vb 1
760: \& /bin/ls [[\e:alpha\e:]]*
761: .Ve
762: .PP
763: Would match any file name beginning with a letter.
764: .PP
765: Note that a forward slash ('/') will \fBnot\fR be matched by
766: wildcards used in the path name. When matching the command
767: line arguments, however, a slash \fBdoes\fR get matched by
768: wildcards. This is to make a path like:
769: .PP
770: .Vb 1
771: \& /usr/bin/*
772: .Ve
773: .PP
774: match \fI/usr/bin/who\fR but not \fI/usr/bin/X11/xterm\fR.
775: .SS "Exceptions to wildcard rules"
776: .IX Subsection "Exceptions to wildcard rules"
777: The following exceptions apply to the above rules:
778: .ie n .IP """""" 8
779: .el .IP "\f(CW``''\fR" 8
780: .IX Item """"""
781: If the empty string \f(CW""\fR is the only command line argument in the
782: \&\fIsudoers\fR entry it means that command is not allowed to be run
783: with \fBany\fR arguments.
784: .SS "Including other files from within sudoers"
785: .IX Subsection "Including other files from within sudoers"
786: It is possible to include other \fIsudoers\fR files from within the
787: \&\fIsudoers\fR file currently being parsed using the \f(CW\*(C`#include\*(C'\fR and
788: \&\f(CW\*(C`#includedir\*(C'\fR directives.
789: .PP
790: This can be used, for example, to keep a site-wide \fIsudoers\fR file
791: in addition to a local, per-machine file. For the sake of this
792: example the site-wide \fIsudoers\fR will be \fI/etc/sudoers\fR and the
793: per-machine one will be \fI/etc/sudoers.local\fR. To include
794: \&\fI/etc/sudoers.local\fR from within \fI/etc/sudoers\fR we would use the
795: following line in \fI/etc/sudoers\fR:
796: .Sp
797: .RS 4
798: \&\f(CW\*(C`#include /etc/sudoers.local\*(C'\fR
799: .RE
800: .PP
801: When \fBsudo\fR reaches this line it will suspend processing of the
802: current file (\fI/etc/sudoers\fR) and switch to \fI/etc/sudoers.local\fR.
803: Upon reaching the end of \fI/etc/sudoers.local\fR, the rest of
804: \&\fI/etc/sudoers\fR will be processed. Files that are included may
805: themselves include other files. A hard limit of 128 nested include
806: files is enforced to prevent include file loops.
807: .PP
808: The file name may include the \f(CW%h\fR escape, signifying the short form
809: of the host name. I.e., if the machine's host name is \*(L"xerxes\*(R", then
810: .PP
811: \&\f(CW\*(C`#include /etc/sudoers.%h\*(C'\fR
812: .PP
813: will cause \fBsudo\fR to include the file \fI/etc/sudoers.xerxes\fR.
814: .PP
815: The \f(CW\*(C`#includedir\*(C'\fR directive can be used to create a \fIsudo.d\fR
816: directory that the system package manager can drop \fIsudoers\fR rules
817: into as part of package installation. For example, given:
818: .PP
819: \&\f(CW\*(C`#includedir /etc/sudoers.d\*(C'\fR
820: .PP
821: \&\fBsudo\fR will read each file in \fI/etc/sudoers.d\fR, skipping file
822: names that end in \f(CW\*(C`~\*(C'\fR or contain a \f(CW\*(C`.\*(C'\fR character to avoid causing
823: problems with package manager or editor temporary/backup files.
824: Files are parsed in sorted lexical order. That is,
825: \&\fI/etc/sudoers.d/01_first\fR will be parsed before
826: \&\fI/etc/sudoers.d/10_second\fR. Be aware that because the sorting is
827: lexical, not numeric, \fI/etc/sudoers.d/1_whoops\fR would be loaded
828: \&\fBafter\fR \fI/etc/sudoers.d/10_second\fR. Using a consistent number
829: of leading zeroes in the file names can be used to avoid such
830: problems.
831: .PP
832: Note that unlike files included via \f(CW\*(C`#include\*(C'\fR, \fBvisudo\fR will not
833: edit the files in a \f(CW\*(C`#includedir\*(C'\fR directory unless one of them
834: contains a syntax error. It is still possible to run \fBvisudo\fR
835: with the \f(CW\*(C`\-f\*(C'\fR flag to edit the files directly.
836: .SS "Other special characters and reserved words"
837: .IX Subsection "Other special characters and reserved words"
838: The pound sign ('#') is used to indicate a comment (unless it is
839: part of a #include directive or unless it occurs in the context of
840: a user name and is followed by one or more digits, in which case
841: it is treated as a uid). Both the comment character and any text
842: after it, up to the end of the line, are ignored.
843: .PP
844: The reserved word \fB\s-1ALL\s0\fR is a built-in \fIalias\fR that always causes
845: a match to succeed. It can be used wherever one might otherwise
846: use a \f(CW\*(C`Cmnd_Alias\*(C'\fR, \f(CW\*(C`User_Alias\*(C'\fR, \f(CW\*(C`Runas_Alias\*(C'\fR, or \f(CW\*(C`Host_Alias\*(C'\fR.
847: You should not try to define your own \fIalias\fR called \fB\s-1ALL\s0\fR as the
848: built-in alias will be used in preference to your own. Please note
849: that using \fB\s-1ALL\s0\fR can be dangerous since in a command context, it
850: allows the user to run \fBany\fR command on the system.
851: .PP
852: An exclamation point ('!') can be used as a logical \fInot\fR operator
853: both in an \fIalias\fR and in front of a \f(CW\*(C`Cmnd\*(C'\fR. This allows one to
854: exclude certain values. Note, however, that using a \f(CW\*(C`!\*(C'\fR in
855: conjunction with the built-in \f(CW\*(C`ALL\*(C'\fR alias to allow a user to
856: run \*(L"all but a few\*(R" commands rarely works as intended (see \s-1SECURITY\s0
857: \&\s-1NOTES\s0 below).
858: .PP
859: Long lines can be continued with a backslash ('\e') as the last
860: character on the line.
861: .PP
862: Whitespace between elements in a list as well as special syntactic
863: characters in a \fIUser Specification\fR ('=', ':', '(', ')') is optional.
864: .PP
865: The following characters must be escaped with a backslash ('\e') when
866: used as part of a word (e.g.\ a user name or host name):
867: \&'!', '=', ':', ',', '(', ')', '\e'.
868: .SH "SUDOERS OPTIONS"
869: .IX Header "SUDOERS OPTIONS"
870: \&\fBsudo\fR's behavior can be modified by \f(CW\*(C`Default_Entry\*(C'\fR lines, as
871: explained earlier. A list of all supported Defaults parameters,
872: grouped by type, are listed below.
873: .PP
874: \&\fBBoolean Flags\fR:
875: .IP "always_set_home" 16
876: .IX Item "always_set_home"
877: If enabled, \fBsudo\fR will set the \f(CW\*(C`HOME\*(C'\fR environment variable to the
878: home directory of the target user (which is root unless the \fB\-u\fR
879: option is used). This effectively means that the \fB\-H\fR option is
880: always implied. Note that \f(CW\*(C`HOME\*(C'\fR is already set when the the
881: \&\fIenv_reset\fR option is enabled, so \fIalways_set_home\fR is only
882: effective for configurations where either \fIenv_reset\fR is disabled
883: or \f(CW\*(C`HOME\*(C'\fR is present in the \fIenv_keep\fR list.
884: This flag is \fIoff\fR by default.
885: .IP "authenticate" 16
886: .IX Item "authenticate"
887: If set, users must authenticate themselves via a password (or other
888: means of authentication) before they may run commands. This default
889: may be overridden via the \f(CW\*(C`PASSWD\*(C'\fR and \f(CW\*(C`NOPASSWD\*(C'\fR tags.
890: This flag is \fIon\fR by default.
891: .IP "closefrom_override" 16
892: .IX Item "closefrom_override"
893: If set, the user may use \fBsudo\fR's \fB\-C\fR option which
894: overrides the default starting point at which \fBsudo\fR begins
895: closing open file descriptors. This flag is \fIoff\fR by default.
896: .IP "compress_io" 16
897: .IX Item "compress_io"
898: If set, and \fBsudo\fR is configured to log a command's input or output,
899: the I/O logs will be compressed using \fBzlib\fR. This flag is \fIon\fR
900: by default when \fBsudo\fR is compiled with \fBzlib\fR support.
901: .IP "env_editor" 16
902: .IX Item "env_editor"
903: If set, \fBvisudo\fR will use the value of the \s-1EDITOR\s0 or \s-1VISUAL\s0
904: environment variables before falling back on the default editor list.
905: Note that this may create a security hole as it allows the user to
906: run any arbitrary command as root without logging. A safer alternative
907: is to place a colon-separated list of editors in the \f(CW\*(C`editor\*(C'\fR
908: variable. \fBvisudo\fR will then only use the \s-1EDITOR\s0 or \s-1VISUAL\s0 if
909: they match a value specified in \f(CW\*(C`editor\*(C'\fR. This flag is \fI@env_editor@\fR by
910: default.
911: .IP "env_reset" 16
912: .IX Item "env_reset"
913: If set, \fBsudo\fR will reset the environment to only contain the
914: \&\s-1LOGNAME\s0, \s-1MAIL\s0, \s-1SHELL\s0, \s-1USER\s0, \s-1USERNAME\s0 and the \f(CW\*(C`SUDO_*\*(C'\fR variables. Any
915: variables in the caller's environment that match the \f(CW\*(C`env_keep\*(C'\fR
916: and \f(CW\*(C`env_check\*(C'\fR lists are then added. The default contents of the
917: \&\f(CW\*(C`env_keep\*(C'\fR and \f(CW\*(C`env_check\*(C'\fR lists are displayed when \fBsudo\fR is
918: run by root with the \fI\-V\fR option. If the \fIsecure_path\fR option
919: is set, its value will be used for the \f(CW\*(C`PATH\*(C'\fR environment variable.
920: This flag is \fI@env_reset@\fR by default.
921: .IP "fast_glob" 16
922: .IX Item "fast_glob"
923: Normally, \fBsudo\fR uses the \fIglob\fR\|(3) function to do shell-style
924: globbing when matching path names. However, since it accesses the
925: file system, \fIglob\fR\|(3) can take a long time to complete for some
926: patterns, especially when the pattern references a network file
927: system that is mounted on demand (automounted). The \fIfast_glob\fR
928: option causes \fBsudo\fR to use the \fIfnmatch\fR\|(3) function, which does
929: not access the file system to do its matching. The disadvantage
930: of \fIfast_glob\fR is that it is unable to match relative path names
931: such as \fI./ls\fR or \fI../bin/ls\fR. This has security implications
932: when path names that include globbing characters are used with the
933: negation operator, \f(CW\*(Aq!\*(Aq\fR, as such rules can be trivially bypassed.
934: As such, this option should not be used when \fIsudoers\fR contains rules
935: that contain negated path names which include globbing characters.
936: This flag is \fIoff\fR by default.
937: .IP "fqdn" 16
938: .IX Item "fqdn"
939: Set this flag if you want to put fully qualified host names in the
940: \&\fIsudoers\fR file. I.e., instead of myhost you would use myhost.mydomain.edu.
941: You may still use the short form if you wish (and even mix the two).
942: Beware that turning on \fIfqdn\fR requires \fBsudo\fR to make \s-1DNS\s0 lookups
943: which may make \fBsudo\fR unusable if \s-1DNS\s0 stops working (for example
944: if the machine is not plugged into the network). Also note that
945: you must use the host's official name as \s-1DNS\s0 knows it. That is,
946: you may not use a host alias (\f(CW\*(C`CNAME\*(C'\fR entry) due to performance
947: issues and the fact that there is no way to get all aliases from
948: \&\s-1DNS\s0. If your machine's host name (as returned by the \f(CW\*(C`hostname\*(C'\fR
949: command) is already fully qualified you shouldn't need to set
950: \&\fIfqdn\fR. This flag is \fI@fqdn@\fR by default.
951: .IP "ignore_dot" 16
952: .IX Item "ignore_dot"
953: If set, \fBsudo\fR will ignore '.' or '' (current dir) in the \f(CW\*(C`PATH\*(C'\fR
954: environment variable; the \f(CW\*(C`PATH\*(C'\fR itself is not modified. This
955: flag is \fI@ignore_dot@\fR by default.
956: .IP "ignore_local_sudoers" 16
957: .IX Item "ignore_local_sudoers"
958: If set via \s-1LDAP\s0, parsing of \fI@sysconfdir@/sudoers\fR will be skipped.
959: This is intended for Enterprises that wish to prevent the usage of local
960: sudoers files so that only \s-1LDAP\s0 is used. This thwarts the efforts of
961: rogue operators who would attempt to add roles to \fI@sysconfdir@/sudoers\fR.
962: When this option is present, \fI@sysconfdir@/sudoers\fR does not even need to
963: exist. Since this option tells \fBsudo\fR how to behave when no specific \s-1LDAP\s0
964: entries have been matched, this sudoOption is only meaningful for the
965: \&\f(CW\*(C`cn=defaults\*(C'\fR section. This flag is \fIoff\fR by default.
966: .IP "insults" 16
967: .IX Item "insults"
968: If set, \fBsudo\fR will insult users when they enter an incorrect
969: password. This flag is \fI@insults@\fR by default.
970: .IP "log_host" 16
971: .IX Item "log_host"
972: If set, the host name will be logged in the (non-syslog) \fBsudo\fR log file.
973: This flag is \fIoff\fR by default.
974: .IP "log_input" 16
975: .IX Item "log_input"
976: If set, \fBsudo\fR will run the command in a \fIpseudo tty\fR and log all
977: user input.
978: If the standard input is not connected to the user's tty, due to
979: I/O redirection or because the command is part of a pipeline, that
980: input is also captured and stored in a separate log file.
981: .Sp
982: Input is logged to the directory specified by the \fIiolog_dir\fR
983: option (\fI@iolog_dir@\fR by default) using a unique session \s-1ID\s0 that
984: is included in the normal \fBsudo\fR log line, prefixed with \fITSID=\fR.
985: The \fIiolog_file\fR option may be used to control the format of the
986: session \s-1ID\s0.
987: .Sp
988: Note that user input may contain sensitive information such as
989: passwords (even if they are not echoed to the screen), which will
990: be stored in the log file unencrypted. In most cases, logging the
991: command output via \fIlog_output\fR is all that is required.
992: .IP "log_output" 16
993: .IX Item "log_output"
994: If set, \fBsudo\fR will run the command in a \fIpseudo tty\fR and log all
995: output that is sent to the screen, similar to the \fIscript\fR\|(1) command.
996: If the standard output or standard error is not connected to the
997: user's tty, due to I/O redirection or because the command is part
998: of a pipeline, that output is also captured and stored in separate
999: log files.
1000: .Sp
1001: Output is logged to the directory specified by the \fIiolog_dir\fR
1002: option (\fI@iolog_dir@\fR by default) using a unique session \s-1ID\s0 that
1003: is included in the normal \fBsudo\fR log line, prefixed with \fITSID=\fR.
1004: The \fIiolog_file\fR option may be used to control the format of the
1005: session \s-1ID\s0.
1006: .Sp
1007: Output logs may be viewed with the \fIsudoreplay\fR\|(@mansectsu@) utility, which
1008: can also be used to list or search the available logs.
1009: .IP "log_year" 16
1010: .IX Item "log_year"
1011: If set, the four-digit year will be logged in the (non-syslog) \fBsudo\fR log file.
1012: This flag is \fIoff\fR by default.
1013: .IP "long_otp_prompt" 16
1014: .IX Item "long_otp_prompt"
1015: When validating with a One Time Password (\s-1OTP\s0) scheme such as
1016: \&\fBS/Key\fR or \fB\s-1OPIE\s0\fR, a two-line prompt is used to make it easier
1017: to cut and paste the challenge to a local window. It's not as
1018: pretty as the default but some people find it more convenient. This
1019: flag is \fI@long_otp_prompt@\fR by default.
1020: .IP "mail_always" 16
1021: .IX Item "mail_always"
1022: Send mail to the \fImailto\fR user every time a users runs \fBsudo\fR.
1023: This flag is \fIoff\fR by default.
1024: .IP "mail_badpass" 16
1025: .IX Item "mail_badpass"
1026: Send mail to the \fImailto\fR user if the user running \fBsudo\fR does not
1027: enter the correct password. This flag is \fIoff\fR by default.
1028: .IP "mail_no_host" 16
1029: .IX Item "mail_no_host"
1030: If set, mail will be sent to the \fImailto\fR user if the invoking
1031: user exists in the \fIsudoers\fR file, but is not allowed to run
1032: commands on the current host. This flag is \fI@mail_no_host@\fR by default.
1033: .IP "mail_no_perms" 16
1034: .IX Item "mail_no_perms"
1035: If set, mail will be sent to the \fImailto\fR user if the invoking
1036: user is allowed to use \fBsudo\fR but the command they are trying is not
1037: listed in their \fIsudoers\fR file entry or is explicitly denied.
1038: This flag is \fI@mail_no_perms@\fR by default.
1039: .IP "mail_no_user" 16
1040: .IX Item "mail_no_user"
1041: If set, mail will be sent to the \fImailto\fR user if the invoking
1042: user is not in the \fIsudoers\fR file. This flag is \fI@mail_no_user@\fR
1043: by default.
1044: .IP "noexec" 16
1045: .IX Item "noexec"
1046: If set, all commands run via \fBsudo\fR will behave as if the \f(CW\*(C`NOEXEC\*(C'\fR
1047: tag has been set, unless overridden by a \f(CW\*(C`EXEC\*(C'\fR tag. See the
1048: description of \fI\s-1NOEXEC\s0 and \s-1EXEC\s0\fR below as well as the \*(L"\s-1PREVENTING\s0 \s-1SHELL\s0
1049: \&\s-1ESCAPES\s0\*(R" section at the end of this manual. This flag is \fIoff\fR by default.
1050: .IP "path_info" 16
1051: .IX Item "path_info"
1052: Normally, \fBsudo\fR will tell the user when a command could not be
1053: found in their \f(CW\*(C`PATH\*(C'\fR environment variable. Some sites may wish
1054: to disable this as it could be used to gather information on the
1055: location of executables that the normal user does not have access
1056: to. The disadvantage is that if the executable is simply not in
1057: the user's \f(CW\*(C`PATH\*(C'\fR, \fBsudo\fR will tell the user that they are not
1058: allowed to run it, which can be confusing. This flag is \fI@path_info@\fR
1059: by default.
1060: .IP "passprompt_override" 16
1061: .IX Item "passprompt_override"
1062: The password prompt specified by \fIpassprompt\fR will normally only
1063: be used if the password prompt provided by systems such as \s-1PAM\s0 matches
1064: the string \*(L"Password:\*(R". If \fIpassprompt_override\fR is set, \fIpassprompt\fR
1065: will always be used. This flag is \fIoff\fR by default.
1066: .IP "preserve_groups" 16
1067: .IX Item "preserve_groups"
1068: By default, \fBsudo\fR will initialize the group vector to the list of
1069: groups the target user is in. When \fIpreserve_groups\fR is set, the
1070: user's existing group vector is left unaltered. The real and
1071: effective group IDs, however, are still set to match the target
1072: user. This flag is \fIoff\fR by default.
1073: .IP "pwfeedback" 16
1074: .IX Item "pwfeedback"
1075: By default, \fBsudo\fR reads the password like most other Unix programs,
1076: by turning off echo until the user hits the return (or enter) key.
1077: Some users become confused by this as it appears to them that \fBsudo\fR
1078: has hung at this point. When \fIpwfeedback\fR is set, \fBsudo\fR will
1079: provide visual feedback when the user presses a key. Note that
1080: this does have a security impact as an onlooker may be able to
1081: determine the length of the password being entered.
1082: This flag is \fIoff\fR by default.
1083: .IP "requiretty" 16
1084: .IX Item "requiretty"
1085: If set, \fBsudo\fR will only run when the user is logged in to a real
1086: tty. When this flag is set, \fBsudo\fR can only be run from a login
1087: session and not via other means such as \fIcron\fR\|(@mansectsu@) or cgi-bin scripts.
1088: This flag is \fIoff\fR by default.
1089: .IP "root_sudo" 16
1090: .IX Item "root_sudo"
1091: If set, root is allowed to run \fBsudo\fR too. Disabling this prevents users
1092: from \*(L"chaining\*(R" \fBsudo\fR commands to get a root shell by doing something
1093: like \f(CW"sudo sudo /bin/sh"\fR. Note, however, that turning off \fIroot_sudo\fR
1094: will also prevent root from running \fBsudoedit\fR.
1095: Disabling \fIroot_sudo\fR provides no real additional security; it
1096: exists purely for historical reasons.
1097: This flag is \fI@root_sudo@\fR by default.
1098: .IP "rootpw" 16
1099: .IX Item "rootpw"
1100: If set, \fBsudo\fR will prompt for the root password instead of the password
1101: of the invoking user. This flag is \fIoff\fR by default.
1102: .IP "runaspw" 16
1103: .IX Item "runaspw"
1104: If set, \fBsudo\fR will prompt for the password of the user defined by the
1105: \&\fIrunas_default\fR option (defaults to \f(CW\*(C`@runas_default@\*(C'\fR) instead of the
1106: password of the invoking user. This flag is \fIoff\fR by default.
1107: .IP "set_home" 16
1108: .IX Item "set_home"
1109: If enabled and \fBsudo\fR is invoked with the \fB\-s\fR option the \f(CW\*(C`HOME\*(C'\fR
1110: environment variable will be set to the home directory of the target
1111: user (which is root unless the \fB\-u\fR option is used). This effectively
1112: makes the \fB\-s\fR option imply \fB\-H\fR. Note that \f(CW\*(C`HOME\*(C'\fR is already
1113: set when the the \fIenv_reset\fR option is enabled, so \fIset_home\fR is
1114: only effective for configurations where either \fIenv_reset\fR is disabled
1115: or \f(CW\*(C`HOME\*(C'\fR is present in the \fIenv_keep\fR list.
1116: This flag is \fIoff\fR by default.
1117: .IP "set_logname" 16
1118: .IX Item "set_logname"
1119: Normally, \fBsudo\fR will set the \f(CW\*(C`LOGNAME\*(C'\fR, \f(CW\*(C`USER\*(C'\fR and \f(CW\*(C`USERNAME\*(C'\fR
1120: environment variables to the name of the target user (usually root
1121: unless the \fB\-u\fR option is given). However, since some programs
1122: (including the \s-1RCS\s0 revision control system) use \f(CW\*(C`LOGNAME\*(C'\fR to
1123: determine the real identity of the user, it may be desirable to
1124: change this behavior. This can be done by negating the set_logname
1125: option. Note that if the \fIenv_reset\fR option has not been disabled,
1126: entries in the \fIenv_keep\fR list will override the value of
1127: \&\fIset_logname\fR. This flag is \fIon\fR by default.
1128: .IP "set_utmp" 16
1129: .IX Item "set_utmp"
1130: When enabled, \fBsudo\fR will create an entry in the utmp (or utmpx)
1131: file when a pseudo-tty is allocated. A pseudo-tty is allocated by
1132: \&\fBsudo\fR when the \fIlog_input\fR, \fIlog_output\fR or \fIuse_pty\fR flags
1133: are enabled. By default, the new entry will be a copy of the user's
1134: existing utmp entry (if any), with the tty, time, type and pid
1135: fields updated. This flag is \fIon\fR by default.
1136: .IP "setenv" 16
1137: .IX Item "setenv"
1138: Allow the user to disable the \fIenv_reset\fR option from the command
1139: line via the \fB\-E\fR option. Additionally, environment variables set
1140: via the command line are not subject to the restrictions imposed
1141: by \fIenv_check\fR, \fIenv_delete\fR, or \fIenv_keep\fR. As such, only
1142: trusted users should be allowed to set variables in this manner.
1143: This flag is \fIoff\fR by default.
1144: .IP "shell_noargs" 16
1145: .IX Item "shell_noargs"
1146: If set and \fBsudo\fR is invoked with no arguments it acts as if the
1147: \&\fB\-s\fR option had been given. That is, it runs a shell as root (the
1148: shell is determined by the \f(CW\*(C`SHELL\*(C'\fR environment variable if it is
1149: set, falling back on the shell listed in the invoking user's
1150: /etc/passwd entry if not). This flag is \fIoff\fR by default.
1151: .IP "stay_setuid" 16
1152: .IX Item "stay_setuid"
1153: Normally, when \fBsudo\fR executes a command the real and effective
1154: UIDs are set to the target user (root by default). This option
1155: changes that behavior such that the real \s-1UID\s0 is left as the invoking
1156: user's \s-1UID\s0. In other words, this makes \fBsudo\fR act as a setuid
1157: wrapper. This can be useful on systems that disable some potentially
1158: dangerous functionality when a program is run setuid. This option
1159: is only effective on systems with either the \fIsetreuid()\fR or \fIsetresuid()\fR
1160: function. This flag is \fIoff\fR by default.
1161: .IP "targetpw" 16
1162: .IX Item "targetpw"
1163: If set, \fBsudo\fR will prompt for the password of the user specified
1164: by the \fB\-u\fR option (defaults to \f(CW\*(C`root\*(C'\fR) instead of the password
1165: of the invoking user. In addition, the timestamp file name will
1166: include the target user's name. Note that this flag precludes the
1167: use of a uid not listed in the passwd database as an argument to
1168: the \fB\-u\fR option. This flag is \fIoff\fR by default.
1169: .IP "tty_tickets" 16
1170: .IX Item "tty_tickets"
1171: If set, users must authenticate on a per-tty basis. With this flag
1172: enabled, \fBsudo\fR will use a file named for the tty the user is
1173: logged in on in the user's time stamp directory. If disabled, the
1174: time stamp of the directory is used instead. This flag is
1175: \&\fI@tty_tickets@\fR by default.
1176: .IP "umask_override" 16
1177: .IX Item "umask_override"
1178: If set, \fBsudo\fR will set the umask as specified by \fIsudoers\fR without
1179: modification. This makes it possible to specify a more permissive
1180: umask in \fIsudoers\fR than the user's own umask and matches historical
1181: behavior. If \fIumask_override\fR is not set, \fBsudo\fR will set the
1182: umask to be the union of the user's umask and what is specified in
1183: \&\fIsudoers\fR. This flag is \fI@umask_override@\fR by default.
1184: .if \n(LC \{\
1185: .IP "use_loginclass" 16
1186: .IX Item "use_loginclass"
1187: If set, \fBsudo\fR will apply the defaults specified for the target user's
1188: login class if one exists. Only available if \fBsudo\fR is configured with
1189: the \-\-with\-logincap option. This flag is \fIoff\fR by default.
1190: \}
1191: .IP "use_pty" 16
1192: .IX Item "use_pty"
1193: If set, \fBsudo\fR will run the command in a pseudo-pty even if no I/O
1194: logging is being gone. A malicious program run under \fBsudo\fR could
1195: conceivably fork a background process that retains to the user's
1196: terminal device after the main program has finished executing. Use
1197: of this option will make that impossible. This flag is \fIoff\fR by default.
1198: .IP "utmp_runas" 16
1199: .IX Item "utmp_runas"
1200: If set, \fBsudo\fR will store the name of the runas user when updating
1201: the utmp (or utmpx) file. By default, \fBsudo\fR stores the name of
1202: the invoking user. This flag is \fIoff\fR by default.
1203: .IP "visiblepw" 16
1204: .IX Item "visiblepw"
1205: By default, \fBsudo\fR will refuse to run if the user must enter a
1206: password but it is not possible to disable echo on the terminal.
1207: If the \fIvisiblepw\fR flag is set, \fBsudo\fR will prompt for a password
1208: even when it would be visible on the screen. This makes it possible
1209: to run things like \f(CW"rsh somehost sudo ls"\fR since \fIrsh\fR\|(1) does
1210: not allocate a tty. This flag is \fIoff\fR by default.
1211: .PP
1212: \&\fBIntegers\fR:
1213: .IP "closefrom" 16
1214: .IX Item "closefrom"
1215: Before it executes a command, \fBsudo\fR will close all open file
1216: descriptors other than standard input, standard output and standard
1217: error (ie: file descriptors 0\-2). The \fIclosefrom\fR option can be used
1218: to specify a different file descriptor at which to start closing.
1219: The default is \f(CW3\fR.
1220: .IP "passwd_tries" 16
1221: .IX Item "passwd_tries"
1222: The number of tries a user gets to enter his/her password before
1223: \&\fBsudo\fR logs the failure and exits. The default is \f(CW\*(C`@passwd_tries@\*(C'\fR.
1224: .PP
1225: \&\fBIntegers that can be used in a boolean context\fR:
1226: .IP "loglinelen" 16
1227: .IX Item "loglinelen"
1228: Number of characters per line for the file log. This value is used
1229: to decide when to wrap lines for nicer log files. This has no
1230: effect on the syslog log file, only the file log. The default is
1231: \&\f(CW\*(C`@loglen@\*(C'\fR (use 0 or negate the option to disable word wrap).
1232: .IP "passwd_timeout" 16
1233: .IX Item "passwd_timeout"
1234: Number of minutes before the \fBsudo\fR password prompt times out, or
1235: \&\f(CW0\fR for no timeout. The timeout may include a fractional component
1236: if minute granularity is insufficient, for example \f(CW2.5\fR. The
1237: default is \f(CW\*(C`@password_timeout@\*(C'\fR.
1238: .IP "timestamp_timeout" 16
1239: .IX Item "timestamp_timeout"
1240: Number of minutes that can elapse before \fBsudo\fR will ask for a
1241: passwd again. The timeout may include a fractional component if
1242: minute granularity is insufficient, for example \f(CW2.5\fR. The default
1243: is \f(CW\*(C`@timeout@\*(C'\fR. Set this to \f(CW0\fR to always prompt for a password.
1244: If set to a value less than \f(CW0\fR the user's timestamp will never
1245: expire. This can be used to allow users to create or delete their
1246: own timestamps via \f(CW\*(C`sudo \-v\*(C'\fR and \f(CW\*(C`sudo \-k\*(C'\fR respectively.
1247: .IP "umask" 16
1248: .IX Item "umask"
1249: Umask to use when running the command. Negate this option or set
1250: it to 0777 to preserve the user's umask. The actual umask that is
1251: used will be the union of the user's umask and the value of the
1252: \&\fIumask\fR option, which defaults to \f(CW\*(C`@sudo_umask@\*(C'\fR. This guarantees
1253: that \fBsudo\fR never lowers the umask when running a command. Note
1254: on systems that use \s-1PAM\s0, the default \s-1PAM\s0 configuration may specify
1255: its own umask which will override the value set in \fIsudoers\fR.
1256: .PP
1257: \&\fBStrings\fR:
1258: .IP "badpass_message" 16
1259: .IX Item "badpass_message"
1260: Message that is displayed if a user enters an incorrect password.
1261: The default is \f(CW\*(C`@badpass_message@\*(C'\fR unless insults are enabled.
1262: .IP "editor" 16
1263: .IX Item "editor"
1264: A colon (':') separated list of editors allowed to be used with
1265: \&\fBvisudo\fR. \fBvisudo\fR will choose the editor that matches the user's
1266: \&\s-1EDITOR\s0 environment variable if possible, or the first editor in the
1267: list that exists and is executable. The default is \f(CW"@editor@"\fR.
1268: .IP "iolog_dir" 16
1269: .IX Item "iolog_dir"
1270: The top-level directory to use when constructing the path name for
1271: the input/output log directory. Only used if the \fIlog_input\fR or
1272: \&\fIlog_output\fR options are enabled or when the \f(CW\*(C`LOG_INPUT\*(C'\fR or
1273: \&\f(CW\*(C`LOG_OUTPUT\*(C'\fR tags are present for a command. The session sequence
1274: number, if any, is stored in the directory.
1275: The default is \f(CW"@iolog_dir@"\fR.
1276: .Sp
1277: The following percent (`\f(CW\*(C`%\*(C'\fR') escape sequences are supported:
1278: .RS 16
1279: .ie n .IP "\*(C`%{seq}\*(C'" 4
1280: .el .IP "\f(CW\*(C`%{seq}\*(C'\fR" 4
1281: .IX Item "%{seq}"
1282: expanded to a monotonically increasing base\-36 sequence number, such as 0100A5,
1283: where every two digits are used to form a new directory, e.g. \fI01/00/A5\fR
1284: .ie n .IP "\*(C`%{user}\*(C'" 4
1285: .el .IP "\f(CW\*(C`%{user}\*(C'\fR" 4
1286: .IX Item "%{user}"
1287: expanded to the invoking user's login name
1288: .ie n .IP "\*(C`%{group}\*(C'" 4
1289: .el .IP "\f(CW\*(C`%{group}\*(C'\fR" 4
1290: .IX Item "%{group}"
1291: expanded to the name of the invoking user's real group \s-1ID\s0
1292: .ie n .IP "\*(C`%{runas_user}\*(C'" 4
1293: .el .IP "\f(CW\*(C`%{runas_user}\*(C'\fR" 4
1294: .IX Item "%{runas_user}"
1295: expanded to the login name of the user the command will
1296: be run as (e.g. root)
1297: .ie n .IP "\*(C`%{runas_group}\*(C'" 4
1298: .el .IP "\f(CW\*(C`%{runas_group}\*(C'\fR" 4
1299: .IX Item "%{runas_group}"
1300: expanded to the group name of the user the command will
1301: be run as (e.g. wheel)
1302: .ie n .IP "\*(C`%{hostname}\*(C'" 4
1303: .el .IP "\f(CW\*(C`%{hostname}\*(C'\fR" 4
1304: .IX Item "%{hostname}"
1305: expanded to the local host name without the domain name
1306: .ie n .IP "\*(C`%{command}\*(C'" 4
1307: .el .IP "\f(CW\*(C`%{command}\*(C'\fR" 4
1308: .IX Item "%{command}"
1309: expanded to the base name of the command being run
1310: .RE
1311: .RS 16
1312: .Sp
1313: In addition, any escape sequences supported by the system's \fIstrftime()\fR
1314: function will be expanded.
1315: .Sp
1316: To include a literal `\f(CW\*(C`%\*(C'\fR' character, the string `\f(CW\*(C`%%\*(C'\fR' should
1317: be used.
1318: .RE
1319: .IP "iolog_file" 16
1320: .IX Item "iolog_file"
1321: The path name, relative to \fIiolog_dir\fR, in which to store input/output
1322: logs when the \fIlog_input\fR or \fIlog_output\fR options are enabled or
1323: when the \f(CW\*(C`LOG_INPUT\*(C'\fR or \f(CW\*(C`LOG_OUTPUT\*(C'\fR tags are present for a command.
1324: Note that \fIiolog_file\fR may contain directory components.
1325: The default is \f(CW"%{seq}"\fR.
1326: .Sp
1327: See the \fIiolog_dir\fR option above for a list of supported percent
1328: (`\f(CW\*(C`%\*(C'\fR') escape sequences.
1329: .Sp
1330: In addition to the escape sequences, path names that end in six or
1331: more \f(CW\*(C`X\*(C'\fRs will have the \f(CW\*(C`X\*(C'\fRs replaced with a unique combination
1332: of digits and letters, similar to the \fImktemp()\fR function.
1333: .IP "mailsub" 16
1334: .IX Item "mailsub"
1335: Subject of the mail sent to the \fImailto\fR user. The escape \f(CW%h\fR
1336: will expand to the host name of the machine.
1337: Default is \f(CW\*(C`@mailsub@\*(C'\fR.
1338: .IP "noexec_file" 16
1339: .IX Item "noexec_file"
1340: This option is deprecated and will be removed in a future release
1341: of \fBsudo\fR. The path to the noexec file should now be set in the
1342: \&\fI@sysconfdir@/sudo.conf\fR file.
1343: .IP "passprompt" 16
1344: .IX Item "passprompt"
1345: The default prompt to use when asking for a password; can be overridden
1346: via the \fB\-p\fR option or the \f(CW\*(C`SUDO_PROMPT\*(C'\fR environment variable.
1347: The following percent (`\f(CW\*(C`%\*(C'\fR') escape sequences are supported:
1348: .RS 16
1349: .ie n .IP "%H" 4
1350: .el .IP "\f(CW%H\fR" 4
1351: .IX Item "%H"
1352: expanded to the local host name including the domain name
1353: (only if the machine's host name is fully qualified or the \fIfqdn\fR
1354: option is set)
1355: .ie n .IP "%h" 4
1356: .el .IP "\f(CW%h\fR" 4
1357: .IX Item "%h"
1358: expanded to the local host name without the domain name
1359: .ie n .IP "%p" 4
1360: .el .IP "\f(CW%p\fR" 4
1361: .IX Item "%p"
1362: expanded to the user whose password is being asked for (respects the
1363: \&\fIrootpw\fR, \fItargetpw\fR and \fIrunaspw\fR flags in \fIsudoers\fR)
1364: .ie n .IP "%U" 4
1365: .el .IP "\f(CW%U\fR" 4
1366: .IX Item "%U"
1367: expanded to the login name of the user the command will
1368: be run as (defaults to root)
1369: .ie n .IP "%u" 4
1370: .el .IP "\f(CW%u\fR" 4
1371: .IX Item "%u"
1372: expanded to the invoking user's login name
1373: .ie n .IP "\*(C`%%\*(C'" 4
1374: .el .IP "\f(CW\*(C`%%\*(C'\fR" 4
1375: .IX Item "%%"
1376: two consecutive \f(CW\*(C`%\*(C'\fR characters are collapsed into a single \f(CW\*(C`%\*(C'\fR character
1377: .RE
1378: .RS 16
1379: .Sp
1380: The default value is \f(CW\*(C`@passprompt@\*(C'\fR.
1381: .RE
1382: .if \n(SL \{\
1383: .IP "role" 16
1384: .IX Item "role"
1385: The default SELinux role to use when constructing a new security
1386: context to run the command. The default role may be overridden on
1387: a per-command basis in \fIsudoers\fR or via command line options.
1388: This option is only available whe \fBsudo\fR is built with SELinux support.
1389: \}
1390: .IP "runas_default" 16
1391: .IX Item "runas_default"
1392: The default user to run commands as if the \fB\-u\fR option is not specified
1393: on the command line. This defaults to \f(CW\*(C`@runas_default@\*(C'\fR.
1394: .IP "syslog_badpri" 16
1395: .IX Item "syslog_badpri"
1396: Syslog priority to use when user authenticates unsuccessfully.
1397: Defaults to \f(CW\*(C`@badpri@\*(C'\fR.
1398: .Sp
1399: The following syslog priorities are supported: \fBalert\fR, \fBcrit\fR,
1400: \&\fBdebug\fR, \fBemerg\fR, \fBerr\fR, \fBinfo\fR, \fBnotice\fR, and \fBwarning\fR.
1401: .IP "syslog_goodpri" 16
1402: .IX Item "syslog_goodpri"
1403: Syslog priority to use when user authenticates successfully.
1404: Defaults to \f(CW\*(C`@goodpri@\*(C'\fR.
1405: .Sp
1406: See syslog_badpri for the list of supported syslog priorities.
1407: .IP "sudoers_locale" 16
1408: .IX Item "sudoers_locale"
1409: Locale to use when parsing the sudoers file, logging commands, and
1410: sending email. Note that changing the locale may affect how sudoers
1411: is interpreted. Defaults to \f(CW"C"\fR.
1412: .IP "timestampdir" 16
1413: .IX Item "timestampdir"
1414: The directory in which \fBsudo\fR stores its timestamp files.
1415: The default is \fI@timedir@\fR.
1416: .IP "timestampowner" 16
1417: .IX Item "timestampowner"
1418: The owner of the timestamp directory and the timestamps stored therein.
1419: The default is \f(CW\*(C`root\*(C'\fR.
1420: .if \n(SL \{\
1421: .IP "type" 16
1422: .IX Item "type"
1423: The default SELinux type to use when constructing a new security
1424: context to run the command. The default type may be overridden on
1425: a per-command basis in \fIsudoers\fR or via command line options.
1426: This option is only available whe \fBsudo\fR is built with SELinux support.
1427: \}
1428: .PP
1429: \&\fBStrings that can be used in a boolean context\fR:
1430: .IP "env_file" 12
1431: .IX Item "env_file"
1432: The \fIenv_file\fR options specifies the fully qualified path to a
1433: file containing variables to be set in the environment of the program
1434: being run. Entries in this file should either be of the form
1435: \&\f(CW\*(C`VARIABLE=value\*(C'\fR or \f(CW\*(C`export VARIABLE=value\*(C'\fR. The value may
1436: optionally be surrounded by single or double quotes. Variables in
1437: this file are subject to other \fBsudo\fR environment settings such
1438: as \fIenv_keep\fR and \fIenv_check\fR.
1439: .IP "exempt_group" 12
1440: .IX Item "exempt_group"
1441: Users in this group are exempt from password and \s-1PATH\s0 requirements.
1442: The group name specified should not include a \f(CW\*(C`%\*(C'\fR prefix.
1443: This is not set by default.
1444: .IP "group_plugin" 12
1445: .IX Item "group_plugin"
1446: A string containing a \fIsudoers\fR group plugin with optional arguments.
1447: This can be used to implement support for the \f(CW\*(C`nonunix_group\*(C'\fR
1448: syntax described earlier. The string should consist of the plugin
1449: path, either fully-qualified or relative to the \fI@prefix@/libexec\fR
1450: directory, followed by any configuration arguments the plugin
1451: requires. These arguments (if any) will be passed to the plugin's
1452: initialization function. If arguments are present, the string must
1453: be enclosed in double quotes (\f(CW\*(C`"\*(C'\fR).
1454: .Sp
1455: For example, given \fI/etc/sudo\-group\fR, a group file in Unix group
1456: format, the sample group plugin can be used:
1457: .Sp
1458: .Vb 1
1459: \& Defaults group_plugin="sample_group.so /etc/sudo\-group"
1460: .Ve
1461: .Sp
1462: For more information see \fIsudo_plugin\fR\|(@mansectform@).
1463: .IP "lecture" 12
1464: .IX Item "lecture"
1465: This option controls when a short lecture will be printed along with
1466: the password prompt. It has the following possible values:
1467: .RS 12
1468: .IP "always" 8
1469: .IX Item "always"
1470: Always lecture the user.
1471: .IP "never" 8
1472: .IX Item "never"
1473: Never lecture the user.
1474: .IP "once" 8
1475: .IX Item "once"
1476: Only lecture the user the first time they run \fBsudo\fR.
1477: .RE
1478: .RS 12
1479: .Sp
1480: If no value is specified, a value of \fIonce\fR is implied.
1481: Negating the option results in a value of \fInever\fR being used.
1482: The default value is \fI@lecture@\fR.
1483: .RE
1484: .IP "lecture_file" 12
1485: .IX Item "lecture_file"
1486: Path to a file containing an alternate \fBsudo\fR lecture that will
1487: be used in place of the standard lecture if the named file exists.
1488: By default, \fBsudo\fR uses a built-in lecture.
1489: .IP "listpw" 12
1490: .IX Item "listpw"
1491: This option controls when a password will be required when a
1492: user runs \fBsudo\fR with the \fB\-l\fR option. It has the following possible values:
1493: .RS 12
1494: .IP "all" 8
1495: .IX Item "all"
1496: All the user's \fIsudoers\fR entries for the current host must have
1497: the \f(CW\*(C`NOPASSWD\*(C'\fR flag set to avoid entering a password.
1498: .IP "always" 8
1499: .IX Item "always"
1500: The user must always enter a password to use the \fB\-l\fR option.
1501: .IP "any" 8
1502: .IX Item "any"
1503: At least one of the user's \fIsudoers\fR entries for the current host
1504: must have the \f(CW\*(C`NOPASSWD\*(C'\fR flag set to avoid entering a password.
1505: .IP "never" 8
1506: .IX Item "never"
1507: The user need never enter a password to use the \fB\-l\fR option.
1508: .RE
1509: .RS 12
1510: .Sp
1511: If no value is specified, a value of \fIany\fR is implied.
1512: Negating the option results in a value of \fInever\fR being used.
1513: The default value is \fIany\fR.
1514: .RE
1515: .IP "logfile" 12
1516: .IX Item "logfile"
1517: Path to the \fBsudo\fR log file (not the syslog log file). Setting a path
1518: turns on logging to a file; negating this option turns it off.
1519: By default, \fBsudo\fR logs via syslog.
1520: .IP "mailerflags" 12
1521: .IX Item "mailerflags"
1522: Flags to use when invoking mailer. Defaults to \fB\-t\fR.
1523: .IP "mailerpath" 12
1524: .IX Item "mailerpath"
1525: Path to mail program used to send warning mail.
1526: Defaults to the path to sendmail found at configure time.
1527: .IP "mailfrom" 12
1528: .IX Item "mailfrom"
1529: Address to use for the \*(L"from\*(R" address when sending warning and error
1530: mail. The address should be enclosed in double quotes (\f(CW\*(C`"\*(C'\fR) to
1531: protect against \fBsudo\fR interpreting the \f(CW\*(C`@\*(C'\fR sign. Defaults to
1532: the name of the user running \fBsudo\fR.
1533: .IP "mailto" 12
1534: .IX Item "mailto"
1535: Address to send warning and error mail to. The address should
1536: be enclosed in double quotes (\f(CW\*(C`"\*(C'\fR) to protect against \fBsudo\fR
1537: interpreting the \f(CW\*(C`@\*(C'\fR sign. Defaults to \f(CW\*(C`@mailto@\*(C'\fR.
1538: .IP "secure_path" 12
1539: .IX Item "secure_path"
1540: Path used for every command run from \fBsudo\fR. If you don't trust the
1541: people running \fBsudo\fR to have a sane \f(CW\*(C`PATH\*(C'\fR environment variable you may
1542: want to use this. Another use is if you want to have the \*(L"root path\*(R"
1543: be separate from the \*(L"user path.\*(R" Users in the group specified by the
1544: \&\fIexempt_group\fR option are not affected by \fIsecure_path\fR.
1545: This option is @secure_path@ by default.
1546: .IP "syslog" 12
1547: .IX Item "syslog"
1548: Syslog facility if syslog is being used for logging (negate to
1549: disable syslog logging). Defaults to \f(CW\*(C`@logfac@\*(C'\fR.
1550: .Sp
1551: The following syslog facilities are supported: \fBauthpriv\fR (if your
1552: \&\s-1OS\s0 supports it), \fBauth\fR, \fBdaemon\fR, \fBuser\fR, \fBlocal0\fR, \fBlocal1\fR,
1553: \&\fBlocal2\fR, \fBlocal3\fR, \fBlocal4\fR, \fBlocal5\fR, \fBlocal6\fR, and \fBlocal7\fR.
1554: .IP "verifypw" 12
1555: .IX Item "verifypw"
1556: This option controls when a password will be required when a user runs
1557: \&\fBsudo\fR with the \fB\-v\fR option. It has the following possible values:
1558: .RS 12
1559: .IP "all" 8
1560: .IX Item "all"
1561: All the user's \fIsudoers\fR entries for the current host must have
1562: the \f(CW\*(C`NOPASSWD\*(C'\fR flag set to avoid entering a password.
1563: .IP "always" 8
1564: .IX Item "always"
1565: The user must always enter a password to use the \fB\-v\fR option.
1566: .IP "any" 8
1567: .IX Item "any"
1568: At least one of the user's \fIsudoers\fR entries for the current host
1569: must have the \f(CW\*(C`NOPASSWD\*(C'\fR flag set to avoid entering a password.
1570: .IP "never" 8
1571: .IX Item "never"
1572: The user need never enter a password to use the \fB\-v\fR option.
1573: .RE
1574: .RS 12
1575: .Sp
1576: If no value is specified, a value of \fIall\fR is implied.
1577: Negating the option results in a value of \fInever\fR being used.
1578: The default value is \fIall\fR.
1579: .RE
1580: .PP
1581: \&\fBLists that can be used in a boolean context\fR:
1582: .IP "env_check" 16
1583: .IX Item "env_check"
1584: Environment variables to be removed from the user's environment if
1585: the variable's value contains \f(CW\*(C`%\*(C'\fR or \f(CW\*(C`/\*(C'\fR characters. This can
1586: be used to guard against printf-style format vulnerabilities in
1587: poorly-written programs. The argument may be a double-quoted,
1588: space-separated list or a single value without double-quotes. The
1589: list can be replaced, added to, deleted from, or disabled by using
1590: the \f(CW\*(C`=\*(C'\fR, \f(CW\*(C`+=\*(C'\fR, \f(CW\*(C`\-=\*(C'\fR, and \f(CW\*(C`!\*(C'\fR operators respectively. Regardless
1591: of whether the \f(CW\*(C`env_reset\*(C'\fR option is enabled or disabled, variables
1592: specified by \f(CW\*(C`env_check\*(C'\fR will be preserved in the environment if
1593: they pass the aforementioned check. The default list of environment
1594: variables to check is displayed when \fBsudo\fR is run by root with
1595: the \fI\-V\fR option.
1596: .IP "env_delete" 16
1597: .IX Item "env_delete"
1598: Environment variables to be removed from the user's environment
1599: when the \fIenv_reset\fR option is not in effect. The argument may
1600: be a double-quoted, space-separated list or a single value without
1601: double-quotes. The list can be replaced, added to, deleted from,
1602: or disabled by using the \f(CW\*(C`=\*(C'\fR, \f(CW\*(C`+=\*(C'\fR, \f(CW\*(C`\-=\*(C'\fR, and \f(CW\*(C`!\*(C'\fR operators
1603: respectively. The default list of environment variables to remove
1604: is displayed when \fBsudo\fR is run by root with the \fI\-V\fR option.
1605: Note that many operating systems will remove potentially dangerous
1606: variables from the environment of any setuid process (such as
1607: \&\fBsudo\fR).
1608: .IP "env_keep" 16
1609: .IX Item "env_keep"
1610: Environment variables to be preserved in the user's environment
1611: when the \fIenv_reset\fR option is in effect. This allows fine-grained
1612: control over the environment \fBsudo\fR\-spawned processes will receive.
1613: The argument may be a double-quoted, space-separated list or a
1614: single value without double-quotes. The list can be replaced, added
1615: to, deleted from, or disabled by using the \f(CW\*(C`=\*(C'\fR, \f(CW\*(C`+=\*(C'\fR, \f(CW\*(C`\-=\*(C'\fR, and
1616: \&\f(CW\*(C`!\*(C'\fR operators respectively. The default list of variables to keep
1617: is displayed when \fBsudo\fR is run by root with the \fI\-V\fR option.
1618: .SH "FILES"
1619: .IX Header "FILES"
1620: .ie n .IP "\fI@sysconfdir@/sudoers\fR" 24
1621: .el .IP "\fI@sysconfdir@/sudoers\fR" 24
1622: .IX Item "@sysconfdir@/sudoers"
1623: List of who can run what
1624: .IP "\fI/etc/group\fR" 24
1625: .IX Item "/etc/group"
1626: Local groups file
1627: .IP "\fI/etc/netgroup\fR" 24
1628: .IX Item "/etc/netgroup"
1629: List of network groups
1630: .ie n .IP "\fI@iolog_dir@\fR" 24
1631: .el .IP "\fI@iolog_dir@\fR" 24
1632: .IX Item "@iolog_dir@"
1633: I/O log files
1634: .ie n .IP "\fI@timedir@\fR" 24
1635: .el .IP "\fI@timedir@\fR" 24
1636: .IX Item "@timedir@"
1637: Directory containing time stamps for the \fIsudoers\fR security policy
1638: .IP "\fI/etc/environment\fR" 24
1639: .IX Item "/etc/environment"
1640: Initial environment for \fB\-i\fR mode on Linux and \s-1AIX\s0
1641: .SH "EXAMPLES"
1642: .IX Header "EXAMPLES"
1643: Below are example \fIsudoers\fR entries. Admittedly, some of
1644: these are a bit contrived. First, we allow a few environment
1645: variables to pass and then define our \fIaliases\fR:
1646: .PP
1647: .Vb 4
1648: \& # Run X applications through sudo; HOME is used to find the
1649: \& # .Xauthority file. Note that other programs use HOME to find
1650: \& # configuration files and this may lead to privilege escalation!
1651: \& Defaults env_keep += "DISPLAY HOME"
1652: \&
1653: \& # User alias specification
1654: \& User_Alias FULLTIMERS = millert, mikef, dowdy
1655: \& User_Alias PARTTIMERS = bostley, jwfox, crawl
1656: \& User_Alias WEBMASTERS = will, wendy, wim
1657: \&
1658: \& # Runas alias specification
1659: \& Runas_Alias OP = root, operator
1660: \& Runas_Alias DB = oracle, sybase
1661: \& Runas_Alias ADMINGRP = adm, oper
1662: \&
1663: \& # Host alias specification
1664: \& Host_Alias SPARC = bigtime, eclipse, moet, anchor :\e
1665: \& SGI = grolsch, dandelion, black :\e
1666: \& ALPHA = widget, thalamus, foobar :\e
1667: \& HPPA = boa, nag, python
1668: \& Host_Alias CUNETS = 128.138.0.0/255.255.0.0
1669: \& Host_Alias CSNETS = 128.138.243.0, 128.138.204.0/24, 128.138.242.0
1670: \& Host_Alias SERVERS = master, mail, www, ns
1671: \& Host_Alias CDROM = orion, perseus, hercules
1672: \&
1673: \& # Cmnd alias specification
1674: \& Cmnd_Alias DUMPS = /usr/bin/mt, /usr/sbin/dump, /usr/sbin/rdump,\e
1675: \& /usr/sbin/restore, /usr/sbin/rrestore
1676: \& Cmnd_Alias KILL = /usr/bin/kill
1677: \& Cmnd_Alias PRINTING = /usr/sbin/lpc, /usr/bin/lprm
1678: \& Cmnd_Alias SHUTDOWN = /usr/sbin/shutdown
1679: \& Cmnd_Alias HALT = /usr/sbin/halt
1680: \& Cmnd_Alias REBOOT = /usr/sbin/reboot
1681: \& Cmnd_Alias SHELLS = /usr/bin/sh, /usr/bin/csh, /usr/bin/ksh, \e
1682: \& /usr/local/bin/tcsh, /usr/bin/rsh, \e
1683: \& /usr/local/bin/zsh
1684: \& Cmnd_Alias SU = /usr/bin/su
1685: \& Cmnd_Alias PAGERS = /usr/bin/more, /usr/bin/pg, /usr/bin/less
1686: .Ve
1687: .PP
1688: Here we override some of the compiled in default values. We want
1689: \&\fBsudo\fR to log via \fIsyslog\fR\|(3) using the \fIauth\fR facility in all
1690: cases. We don't want to subject the full time staff to the \fBsudo\fR
1691: lecture, user \fBmillert\fR need not give a password, and we don't
1692: want to reset the \f(CW\*(C`LOGNAME\*(C'\fR, \f(CW\*(C`USER\*(C'\fR or \f(CW\*(C`USERNAME\*(C'\fR environment
1693: variables when running commands as root. Additionally, on the
1694: machines in the \fI\s-1SERVERS\s0\fR \f(CW\*(C`Host_Alias\*(C'\fR, we keep an additional
1695: local log file and make sure we log the year in each log line since
1696: the log entries will be kept around for several years. Lastly, we
1697: disable shell escapes for the commands in the \s-1PAGERS\s0 \f(CW\*(C`Cmnd_Alias\*(C'\fR
1698: (\fI/usr/bin/more\fR, \fI/usr/bin/pg\fR and \fI/usr/bin/less\fR).
1699: .PP
1700: .Vb 7
1701: \& # Override built\-in defaults
1702: \& Defaults syslog=auth
1703: \& Defaults>root !set_logname
1704: \& Defaults:FULLTIMERS !lecture
1705: \& Defaults:millert !authenticate
1706: \& Defaults@SERVERS log_year, logfile=/var/log/sudo.log
1707: \& Defaults!PAGERS noexec
1708: .Ve
1709: .PP
1710: The \fIUser specification\fR is the part that actually determines who may
1711: run what.
1712: .PP
1713: .Vb 2
1714: \& root ALL = (ALL) ALL
1715: \& %wheel ALL = (ALL) ALL
1716: .Ve
1717: .PP
1718: We let \fBroot\fR and any user in group \fBwheel\fR run any command on any
1719: host as any user.
1720: .PP
1721: .Vb 1
1722: \& FULLTIMERS ALL = NOPASSWD: ALL
1723: .Ve
1724: .PP
1725: Full time sysadmins (\fBmillert\fR, \fBmikef\fR, and \fBdowdy\fR) may run any
1726: command on any host without authenticating themselves.
1727: .PP
1728: .Vb 1
1729: \& PARTTIMERS ALL = ALL
1730: .Ve
1731: .PP
1732: Part time sysadmins (\fBbostley\fR, \fBjwfox\fR, and \fBcrawl\fR) may run any
1733: command on any host but they must authenticate themselves first
1734: (since the entry lacks the \f(CW\*(C`NOPASSWD\*(C'\fR tag).
1735: .PP
1736: .Vb 1
1737: \& jack CSNETS = ALL
1738: .Ve
1739: .PP
1740: The user \fBjack\fR may run any command on the machines in the \fI\s-1CSNETS\s0\fR alias
1741: (the networks \f(CW128.138.243.0\fR, \f(CW128.138.204.0\fR, and \f(CW128.138.242.0\fR).
1742: Of those networks, only \f(CW128.138.204.0\fR has an explicit netmask (in
1743: \&\s-1CIDR\s0 notation) indicating it is a class C network. For the other
1744: networks in \fI\s-1CSNETS\s0\fR, the local machine's netmask will be used
1745: during matching.
1746: .PP
1747: .Vb 1
1748: \& lisa CUNETS = ALL
1749: .Ve
1750: .PP
1751: The user \fBlisa\fR may run any command on any host in the \fI\s-1CUNETS\s0\fR alias
1752: (the class B network \f(CW128.138.0.0\fR).
1753: .PP
1754: .Vb 2
1755: \& operator ALL = DUMPS, KILL, SHUTDOWN, HALT, REBOOT, PRINTING,\e
1756: \& sudoedit /etc/printcap, /usr/oper/bin/
1757: .Ve
1758: .PP
1759: The \fBoperator\fR user may run commands limited to simple maintenance.
1760: Here, those are commands related to backups, killing processes, the
1761: printing system, shutting down the system, and any commands in the
1762: directory \fI/usr/oper/bin/\fR.
1763: .PP
1764: .Vb 1
1765: \& joe ALL = /usr/bin/su operator
1766: .Ve
1767: .PP
1768: The user \fBjoe\fR may only \fIsu\fR\|(1) to operator.
1769: .PP
1770: .Vb 1
1771: \& pete HPPA = /usr/bin/passwd [A\-Za\-z]*, !/usr/bin/passwd root
1772: \&
1773: \& %opers ALL = (: ADMINGRP) /usr/sbin/
1774: .Ve
1775: .PP
1776: Users in the \fBopers\fR group may run commands in \fI/usr/sbin/\fR as themselves
1777: with any group in the \fI\s-1ADMINGRP\s0\fR \f(CW\*(C`Runas_Alias\*(C'\fR (the \fBadm\fR and \fBoper\fR
1778: groups).
1779: .PP
1780: The user \fBpete\fR is allowed to change anyone's password except for
1781: root on the \fI\s-1HPPA\s0\fR machines. Note that this assumes \fIpasswd\fR\|(1)
1782: does not take multiple user names on the command line.
1783: .PP
1784: .Vb 1
1785: \& bob SPARC = (OP) ALL : SGI = (OP) ALL
1786: .Ve
1787: .PP
1788: The user \fBbob\fR may run anything on the \fI\s-1SPARC\s0\fR and \fI\s-1SGI\s0\fR machines
1789: as any user listed in the \fI\s-1OP\s0\fR \f(CW\*(C`Runas_Alias\*(C'\fR (\fBroot\fR and \fBoperator\fR).
1790: .PP
1791: .Vb 1
1792: \& jim +biglab = ALL
1793: .Ve
1794: .PP
1795: The user \fBjim\fR may run any command on machines in the \fIbiglab\fR netgroup.
1796: \&\fBsudo\fR knows that \*(L"biglab\*(R" is a netgroup due to the '+' prefix.
1797: .PP
1798: .Vb 1
1799: \& +secretaries ALL = PRINTING, /usr/bin/adduser, /usr/bin/rmuser
1800: .Ve
1801: .PP
1802: Users in the \fBsecretaries\fR netgroup need to help manage the printers
1803: as well as add and remove users, so they are allowed to run those
1804: commands on all machines.
1805: .PP
1806: .Vb 1
1807: \& fred ALL = (DB) NOPASSWD: ALL
1808: .Ve
1809: .PP
1810: The user \fBfred\fR can run commands as any user in the \fI\s-1DB\s0\fR \f(CW\*(C`Runas_Alias\*(C'\fR
1811: (\fBoracle\fR or \fBsybase\fR) without giving a password.
1812: .PP
1813: .Vb 1
1814: \& john ALPHA = /usr/bin/su [!\-]*, !/usr/bin/su *root*
1815: .Ve
1816: .PP
1817: On the \fI\s-1ALPHA\s0\fR machines, user \fBjohn\fR may su to anyone except root
1818: but he is not allowed to specify any options to the \fIsu\fR\|(1) command.
1819: .PP
1820: .Vb 1
1821: \& jen ALL, !SERVERS = ALL
1822: .Ve
1823: .PP
1824: The user \fBjen\fR may run any command on any machine except for those
1825: in the \fI\s-1SERVERS\s0\fR \f(CW\*(C`Host_Alias\*(C'\fR (master, mail, www and ns).
1826: .PP
1827: .Vb 1
1828: \& jill SERVERS = /usr/bin/, !SU, !SHELLS
1829: .Ve
1830: .PP
1831: For any machine in the \fI\s-1SERVERS\s0\fR \f(CW\*(C`Host_Alias\*(C'\fR, \fBjill\fR may run
1832: any commands in the directory \fI/usr/bin/\fR except for those commands
1833: belonging to the \fI\s-1SU\s0\fR and \fI\s-1SHELLS\s0\fR \f(CW\*(C`Cmnd_Aliases\*(C'\fR.
1834: .PP
1835: .Vb 1
1836: \& steve CSNETS = (operator) /usr/local/op_commands/
1837: .Ve
1838: .PP
1839: The user \fBsteve\fR may run any command in the directory /usr/local/op_commands/
1840: but only as user operator.
1841: .PP
1842: .Vb 1
1843: \& matt valkyrie = KILL
1844: .Ve
1845: .PP
1846: On his personal workstation, valkyrie, \fBmatt\fR needs to be able to
1847: kill hung processes.
1848: .PP
1849: .Vb 1
1850: \& WEBMASTERS www = (www) ALL, (root) /usr/bin/su www
1851: .Ve
1852: .PP
1853: On the host www, any user in the \fI\s-1WEBMASTERS\s0\fR \f(CW\*(C`User_Alias\*(C'\fR (will,
1854: wendy, and wim), may run any command as user www (which owns the
1855: web pages) or simply \fIsu\fR\|(1) to www.
1856: .PP
1857: .Vb 2
1858: \& ALL CDROM = NOPASSWD: /sbin/umount /CDROM,\e
1859: \& /sbin/mount \-o nosuid\e,nodev /dev/cd0a /CDROM
1860: .Ve
1861: .PP
1862: Any user may mount or unmount a CD-ROM on the machines in the \s-1CDROM\s0
1863: \&\f(CW\*(C`Host_Alias\*(C'\fR (orion, perseus, hercules) without entering a password.
1864: This is a bit tedious for users to type, so it is a prime candidate
1865: for encapsulating in a shell script.
1866: .SH "SECURITY NOTES"
1867: .IX Header "SECURITY NOTES"
1868: It is generally not effective to \*(L"subtract\*(R" commands from \f(CW\*(C`ALL\*(C'\fR
1869: using the '!' operator. A user can trivially circumvent this
1870: by copying the desired command to a different name and then
1871: executing that. For example:
1872: .PP
1873: .Vb 1
1874: \& bill ALL = ALL, !SU, !SHELLS
1875: .Ve
1876: .PP
1877: Doesn't really prevent \fBbill\fR from running the commands listed in
1878: \&\fI\s-1SU\s0\fR or \fI\s-1SHELLS\s0\fR since he can simply copy those commands to a
1879: different name, or use a shell escape from an editor or other
1880: program. Therefore, these kind of restrictions should be considered
1881: advisory at best (and reinforced by policy).
1882: .PP
1883: Furthermore, if the \fIfast_glob\fR option is in use, it is not possible
1884: to reliably negate commands where the path name includes globbing
1885: (aka wildcard) characters. This is because the C library's
1886: \&\fIfnmatch\fR\|(3) function cannot resolve relative paths. While this
1887: is typically only an inconvenience for rules that grant privileges,
1888: it can result in a security issue for rules that subtract or revoke
1889: privileges.
1890: .PP
1891: For example, given the following \fIsudoers\fR entry:
1892: .PP
1893: .Vb 2
1894: \& john ALL = /usr/bin/passwd [a\-zA\-Z0\-9]*, /usr/bin/chsh [a\-zA\-Z0\-9]*,
1895: \& /usr/bin/chfn [a\-zA\-Z0\-9]*, !/usr/bin/* root
1896: .Ve
1897: .PP
1898: User \fBjohn\fR can still run \f(CW\*(C`/usr/bin/passwd root\*(C'\fR if \fIfast_glob\fR is
1899: enabled by changing to \fI/usr/bin\fR and running \f(CW\*(C`./passwd root\*(C'\fR instead.
1900: .SH "PREVENTING SHELL ESCAPES"
1901: .IX Header "PREVENTING SHELL ESCAPES"
1902: Once \fBsudo\fR executes a program, that program is free to do whatever
1903: it pleases, including run other programs. This can be a security
1904: issue since it is not uncommon for a program to allow shell escapes,
1905: which lets a user bypass \fBsudo\fR's access control and logging.
1906: Common programs that permit shell escapes include shells (obviously),
1907: editors, paginators, mail and terminal programs.
1908: .PP
1909: There are two basic approaches to this problem:
1910: .IP "restrict" 10
1911: .IX Item "restrict"
1912: Avoid giving users access to commands that allow the user to run
1913: arbitrary commands. Many editors have a restricted mode where shell
1914: escapes are disabled, though \fBsudoedit\fR is a better solution to
1915: running editors via \fBsudo\fR. Due to the large number of programs that
1916: offer shell escapes, restricting users to the set of programs that
1917: do not is often unworkable.
1918: .IP "noexec" 10
1919: .IX Item "noexec"
1920: Many systems that support shared libraries have the ability to
1921: override default library functions by pointing an environment
1922: variable (usually \f(CW\*(C`LD_PRELOAD\*(C'\fR) to an alternate shared library.
1923: On such systems, \fBsudo\fR's \fInoexec\fR functionality can be used to
1924: prevent a program run by \fBsudo\fR from executing any other programs.
1925: Note, however, that this applies only to native dynamically-linked
1926: executables. Statically-linked executables and foreign executables
1927: running under binary emulation are not affected.
1928: .Sp
1929: The \fInoexec\fR feature is known to work on SunOS, Solaris, *BSD,
1930: Linux, \s-1IRIX\s0, Tru64 \s-1UNIX\s0, MacOS X, HP-UX 11.x and \s-1AIX\s0 5.3 and above.
1931: It should be supported on most operating systems that support the
1932: \&\f(CW\*(C`LD_PRELOAD\*(C'\fR environment variable. Check your operating system's
1933: manual pages for the dynamic linker (usually ld.so, ld.so.1, dyld,
1934: dld.sl, rld, or loader) to see if \f(CW\*(C`LD_PRELOAD\*(C'\fR is supported.
1935: .Sp
1936: On Solaris 10 and higher, \fInoexec\fR uses Solaris privileges instead
1937: of the \f(CW\*(C`LD_PRELOAD\*(C'\fR environment variable.
1938: .Sp
1939: To enable \fInoexec\fR for a command, use the \f(CW\*(C`NOEXEC\*(C'\fR tag as documented
1940: in the User Specification section above. Here is that example again:
1941: .Sp
1942: .Vb 1
1943: \& aaron shanty = NOEXEC: /usr/bin/more, /usr/bin/vi
1944: .Ve
1945: .Sp
1946: This allows user \fBaaron\fR to run \fI/usr/bin/more\fR and \fI/usr/bin/vi\fR
1947: with \fInoexec\fR enabled. This will prevent those two commands from
1948: executing other commands (such as a shell). If you are unsure
1949: whether or not your system is capable of supporting \fInoexec\fR you
1950: can always just try it out and check whether shell escapes work
1951: when \fInoexec\fR is enabled.
1952: .PP
1953: Note that restricting shell escapes is not a panacea. Programs
1954: running as root are still capable of many potentially hazardous
1955: operations (such as changing or overwriting files) that could lead
1956: to unintended privilege escalation. In the specific case of an
1957: editor, a safer approach is to give the user permission to run
1958: \&\fBsudoedit\fR.
1959: .SH "SECURITY NOTES"
1960: .IX Header "SECURITY NOTES"
1961: \&\fIsudoers\fR will check the ownership of its time stamp directory
1962: (\fI@timedir@\fR by default) and ignore the directory's contents if
1963: it is not owned by root or if it is writable by a user other than
1964: root. On systems that allow non-root users to give away files via
1965: \&\fIchown\fR\|(2), if the time stamp directory is located in a world-writable
1966: directory (e.g., \fI/tmp\fR), it is possible for a user to create the
1967: time stamp directory before \fBsudo\fR is run. However, because
1968: \&\fIsudoers\fR checks the ownership and mode of the directory and its
1969: contents, the only damage that can be done is to \*(L"hide\*(R" files by
1970: putting them in the time stamp dir. This is unlikely to happen
1971: since once the time stamp dir is owned by root and inaccessible by
1972: any other user, the user placing files there would be unable to get
1973: them back out.
1974: .PP
1975: \&\fIsudoers\fR will not honor time stamps set far in the future. Time
1976: stamps with a date greater than current_time + 2 * \f(CW\*(C`TIMEOUT\*(C'\fR will
1977: be ignored and sudo will log and complain. This is done to keep a
1978: user from creating his/her own time stamp with a bogus date on
1979: systems that allow users to give away files if the time stamp directory
1980: is located in a world-writable directory.
1981: .PP
1982: On systems where the boot time is available, \fIsudoers\fR will ignore
1983: time stamps that date from before the machine booted.
1984: .PP
1985: Since time stamp files live in the file system, they can outlive a
1986: user's login session. As a result, a user may be able to login,
1987: run a command with \fBsudo\fR after authenticating, logout, login
1988: again, and run \fBsudo\fR without authenticating so long as the time
1989: stamp file's modification time is within \f(CW\*(C`@timeout@\*(C'\fR minutes (or
1990: whatever the timeout is set to in \fIsudoers\fR). When the \fItty_tickets\fR
1991: option is enabled, the time stamp has per-tty granularity but still
1992: may outlive the user's session. On Linux systems where the devpts
1993: filesystem is used, Solaris systems with the devices filesystem,
1994: as well as other systems that utilize a devfs filesystem that
1995: monotonically increase the inode number of devices as they are
1996: created (such as Mac \s-1OS\s0 X), \fIsudoers\fR is able to determine when a
1997: tty-based time stamp file is stale and will ignore it. Administrators
1998: should not rely on this feature as it is not universally available.
1999: .PP
2000: If users have sudo \f(CW\*(C`ALL\*(C'\fR there is nothing to prevent them from
2001: creating their own program that gives them a root shell (or making
2002: their own copy of a shell) regardless of any '!' elements in the
2003: user specification.
2004: .SH "SEE ALSO"
2005: .IX Header "SEE ALSO"
2006: \&\fIrsh\fR\|(1), \fIsu\fR\|(1), \fIfnmatch\fR\|(3), \fIglob\fR\|(3), \fImktemp\fR\|(3), \fIstrftime\fR\|(3),
2007: \&\fIsudoers.ldap\fR\|(@mansectform@), \fIsudo_plugin\fR\|(@mansectsu@), \fIsudo\fR\|(@mansectsu@), \fIvisudo\fR\|(@mansectsu@)
2008: .SH "CAVEATS"
2009: .IX Header "CAVEATS"
2010: The \fIsudoers\fR file should \fBalways\fR be edited by the \fBvisudo\fR
2011: command which locks the file and does grammatical checking. It is
2012: imperative that \fIsudoers\fR be free of syntax errors since \fBsudo\fR
2013: will not run with a syntactically incorrect \fIsudoers\fR file.
2014: .PP
2015: When using netgroups of machines (as opposed to users), if you
2016: store fully qualified host name in the netgroup (as is usually the
2017: case), you either need to have the machine's host name be fully qualified
2018: as returned by the \f(CW\*(C`hostname\*(C'\fR command or use the \fIfqdn\fR option in
2019: \&\fIsudoers\fR.
2020: .SH "BUGS"
2021: .IX Header "BUGS"
2022: If you feel you have found a bug in \fBsudo\fR, please submit a bug report
2023: at http://www.sudo.ws/sudo/bugs/
2024: .SH "SUPPORT"
2025: .IX Header "SUPPORT"
2026: Limited free support is available via the sudo-users mailing list,
2027: see http://www.sudo.ws/mailman/listinfo/sudo\-users to subscribe or
2028: search the archives.
2029: .SH "DISCLAIMER"
2030: .IX Header "DISCLAIMER"
2031: \&\fBsudo\fR is provided ``\s-1AS\s0 \s-1IS\s0'' and any express or implied warranties,
2032: including, but not limited to, the implied warranties of merchantability
2033: and fitness for a particular purpose are disclaimed. See the \s-1LICENSE\s0
2034: file distributed with \fBsudo\fR or http://www.sudo.ws/sudo/license.html
2035: for complete details.
FreeBSD-CVSweb <freebsd-cvsweb@FreeBSD.org>