Annotation of embedaddon/sudo/doc/sudoers.man.in, revision 1.1.1.2
1.1.1.2 ! misho 1: .\" Copyright (c) 1994-1996, 1998-2005, 2007-2012
1.1 misho 2: .\" Todd C. Miller <Todd.Miller@courtesan.com>
3: .\"
4: .\" Permission to use, copy, modify, and distribute this software for any
5: .\" purpose with or without fee is hereby granted, provided that the above
6: .\" copyright notice and this permission notice appear in all copies.
7: .\"
8: .\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
9: .\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
10: .\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
11: .\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
12: .\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
13: .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
14: .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
15: .\" ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
16: .\"
17: .\" Sponsored in part by the Defense Advanced Research Projects
18: .\" Agency (DARPA) and Air Force Research Laboratory, Air Force
19: .\" Materiel Command, USAF, under agreement number F39502-99-1-0512.
20: .\"
21: .nr SL @SEMAN@
22: .nr BA @BAMAN@
23: .nr LC @LCMAN@
24: .\"
25: .\" Automatically generated by Pod::Man 2.23 (Pod::Simple 3.14)
26: .\"
27: .\" Standard preamble:
28: .\" ========================================================================
29: .de Sp \" Vertical space (when we can't use .PP)
30: .if t .sp .5v
31: .if n .sp
32: ..
33: .de Vb \" Begin verbatim text
34: .ft CW
35: .nf
36: .ne \\$1
37: ..
38: .de Ve \" End verbatim text
39: .ft R
40: .fi
41: ..
42: .\" Set up some character translations and predefined strings. \*(-- will
43: .\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
44: .\" double quote, and \*(R" will give a right double quote. \*(C+ will
45: .\" give a nicer C++. Capital omega is used to do unbreakable dashes and
46: .\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
47: .\" nothing in troff, for use with C<>.
48: .tr \(*W-
49: .ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
50: .ie n \{\
51: . ds -- \(*W-
52: . ds PI pi
53: . if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
54: . if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
55: . ds L" ""
56: . ds R" ""
57: . ds C`
58: . ds C'
59: 'br\}
60: .el\{\
61: . ds -- \|\(em\|
62: . ds PI \(*p
63: . ds L" ``
64: . ds R" ''
65: 'br\}
66: .\"
67: .\" Escape single quotes in literal strings from groff's Unicode transform.
68: .ie \n(.g .ds Aq \(aq
69: .el .ds Aq '
70: .\"
71: .\" If the F register is turned on, we'll generate index entries on stderr for
72: .\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
73: .\" entries marked with X<> in POD. Of course, you'll have to process the
74: .\" output yourself in some meaningful fashion.
75: .ie \nF \{\
76: . de IX
77: . tm Index:\\$1\t\\n%\t"\\$2"
78: ..
79: . nr % 0
80: . rr F
81: .\}
82: .el \{\
83: . de IX
84: ..
85: .\}
86: .\"
87: .\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
88: .\" Fear. Run. Save yourself. No user-serviceable parts.
89: . \" fudge factors for nroff and troff
90: .if n \{\
91: . ds #H 0
92: . ds #V .8m
93: . ds #F .3m
94: . ds #[ \f1
95: . ds #] \fP
96: .\}
97: .if t \{\
98: . ds #H ((1u-(\\\\n(.fu%2u))*.13m)
99: . ds #V .6m
100: . ds #F 0
101: . ds #[ \&
102: . ds #] \&
103: .\}
104: . \" simple accents for nroff and troff
105: .if n \{\
106: . ds ' \&
107: . ds ` \&
108: . ds ^ \&
109: . ds , \&
110: . ds ~ ~
111: . ds /
112: .\}
113: .if t \{\
114: . ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
115: . ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
116: . ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
117: . ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
118: . ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
119: . ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
120: .\}
121: . \" troff and (daisy-wheel) nroff accents
122: .ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
123: .ds 8 \h'\*(#H'\(*b\h'-\*(#H'
124: .ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
125: .ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
126: .ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
127: .ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
128: .ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
129: .ds ae a\h'-(\w'a'u*4/10)'e
130: .ds Ae A\h'-(\w'A'u*4/10)'E
131: . \" corrections for vroff
132: .if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
133: .if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
134: . \" for low resolution devices (crt and lpr)
135: .if \n(.H>23 .if \n(.V>19 \
136: \{\
137: . ds : e
138: . ds 8 ss
139: . ds o a
140: . ds d- d\h'-1'\(ga
141: . ds D- D\h'-1'\(hy
142: . ds th \o'bp'
143: . ds Th \o'LP'
144: . ds ae ae
145: . ds Ae AE
146: .\}
147: .rm #[ #] #H #V #F C
148: .\" ========================================================================
149: .\"
150: .IX Title "SUDOERS @mansectform@"
1.1.1.2 ! misho 151: .TH SUDOERS @mansectform@ "March 28, 2012" "1.8.5" "MAINTENANCE COMMANDS"
1.1 misho 152: .\" For nroff, turn off justification. Always turn off hyphenation; it makes
153: .\" way too many mistakes in technical documents.
154: .if n .ad l
155: .nh
156: .SH "NAME"
157: sudoers \- default sudo security policy module
158: .SH "DESCRIPTION"
159: .IX Header "DESCRIPTION"
160: The \fIsudoers\fR policy module determines a user's \fBsudo\fR privileges.
161: It is the default \fBsudo\fR policy plugin. The policy is driven by
162: the \fI@sysconfdir@/sudoers\fR file or, optionally in \s-1LDAP\s0. The policy
163: format is described in detail in the \*(L"\s-1SUDOERS\s0 \s-1FILE\s0 \s-1FORMAT\s0\*(R"
164: section. For information on storing \fIsudoers\fR policy information
165: in \s-1LDAP\s0, please see \fIsudoers.ldap\fR\|(@mansectform@).
166: .SS "Authentication and Logging"
167: .IX Subsection "Authentication and Logging"
168: The \fIsudoers\fR security policy requires that most users authenticate
169: themselves before they can use \fBsudo\fR. A password is not required
170: if the invoking user is root, if the target user is the same as the
171: invoking user, or if the policy has disabled authentication for the
172: user or command. Unlike \fIsu\fR\|(1), when \fIsudoers\fR requires
173: authentication, it validates the invoking user's credentials, not
174: the target user's (or root's) credentials. This can be changed via
175: the \fIrootpw\fR, \fItargetpw\fR and \fIrunaspw\fR flags, described later.
176: .PP
177: If a user who is not listed in the policy tries to run a command
178: via \fBsudo\fR, mail is sent to the proper authorities. The address
179: used for such mail is configurable via the \fImailto\fR Defaults entry
180: (described later) and defaults to \f(CW\*(C`@mailto@\*(C'\fR.
181: .PP
182: Note that mail will not be sent if an unauthorized user tries to
183: run \fBsudo\fR with the \fB\-l\fR or \fB\-v\fR option. This allows users to
184: determine for themselves whether or not they are allowed to use
185: \&\fBsudo\fR.
186: .PP
187: If \fBsudo\fR is run by root and the \f(CW\*(C`SUDO_USER\*(C'\fR environment variable
188: is set, the \fIsudoers\fR policy will use this value to determine who
189: the actual user is. This can be used by a user to log commands
190: through sudo even when a root shell has been invoked. It also
191: allows the \fB\-e\fR option to remain useful even when invoked via a
192: sudo-run script or program. Note, however, that the \fIsudoers\fR
193: lookup is still done for root, not the user specified by \f(CW\*(C`SUDO_USER\*(C'\fR.
194: .PP
195: \&\fIsudoers\fR uses time stamp files for credential caching. Once a
196: user has been authenticated, a time stamp is updated and the user
197: may then use sudo without a password for a short period of time
198: (\f(CW\*(C`@timeout@\*(C'\fR minutes unless overridden by the \fItimeout\fR option.
199: By default, \fIsudoers\fR uses a tty-based time stamp which means that
200: there is a separate time stamp for each of a user's login sessions.
201: The \fItty_tickets\fR option can be disabled to force the use of a
202: single time stamp for all of a user's sessions.
203: .PP
204: \&\fIsudoers\fR can log both successful and unsuccessful attempts (as well
205: as errors) to \fIsyslog\fR\|(3), a log file, or both. By default, \fIsudoers\fR
206: will log via \fIsyslog\fR\|(3) but this is changeable via the \fIsyslog\fR
207: and \fIlogfile\fR Defaults settings.
208: .PP
209: \&\fIsudoers\fR also supports logging a command's input and output
210: streams. I/O logging is not on by default but can be enabled using
211: the \fIlog_input\fR and \fIlog_output\fR Defaults flags as well as the
212: \&\f(CW\*(C`LOG_INPUT\*(C'\fR and \f(CW\*(C`LOG_OUTPUT\*(C'\fR command tags.
213: .SS "Command Environment"
214: .IX Subsection "Command Environment"
215: Since environment variables can influence program behavior, \fIsudoers\fR
216: provides a means to restrict which variables from the user's
217: environment are inherited by the command to be run. There are two
218: distinct ways \fIsudoers\fR can deal with environment variables.
219: .PP
220: By default, the \fIenv_reset\fR option is enabled. This causes commands
1.1.1.2 ! misho 221: to be executed with a new, minimal environment. On \s-1AIX\s0 (and Linux
! 222: systems without \s-1PAM\s0), the environment is initialized with the
! 223: contents of the \fI/etc/environment\fR file. On \s-1BSD\s0 systems, if the
! 224: \&\fIuse_loginclass\fR option is enabled, the environment is initialized
! 225: based on the \fIpath\fR and \fIsetenv\fR settings in \fI/etc/login.conf\fR.
! 226: The new environment contains the \f(CW\*(C`TERM\*(C'\fR, \f(CW\*(C`PATH\*(C'\fR, \f(CW\*(C`HOME\*(C'\fR, \f(CW\*(C`MAIL\*(C'\fR,
! 227: \&\f(CW\*(C`SHELL\*(C'\fR, \f(CW\*(C`LOGNAME\*(C'\fR, \f(CW\*(C`USER\*(C'\fR, \f(CW\*(C`USERNAME\*(C'\fR and \f(CW\*(C`SUDO_*\*(C'\fR variables
! 228: in addition to variables from the invoking process permitted by the
1.1 misho 229: \&\fIenv_check\fR and \fIenv_keep\fR options. This is effectively a whitelist
230: for environment variables.
231: .PP
232: If, however, the \fIenv_reset\fR option is disabled, any variables not
233: explicitly denied by the \fIenv_check\fR and \fIenv_delete\fR options are
234: inherited from the invoking process. In this case, \fIenv_check\fR
235: and \fIenv_delete\fR behave like a blacklist. Since it is not possible
236: to blacklist all potentially dangerous environment variables, use
237: of the default \fIenv_reset\fR behavior is encouraged.
238: .PP
239: In all cases, environment variables with a value beginning with
240: \&\f(CW\*(C`()\*(C'\fR are removed as they could be interpreted as \fBbash\fR functions.
241: The list of environment variables that \fBsudo\fR allows or denies is
242: contained in the output of \f(CW\*(C`sudo \-V\*(C'\fR when run as root.
243: .PP
244: Note that the dynamic linker on most operating systems will remove
245: variables that can control dynamic linking from the environment of
246: setuid executables, including \fBsudo\fR. Depending on the operating
247: system this may include \f(CW\*(C`_RLD*\*(C'\fR, \f(CW\*(C`DYLD_*\*(C'\fR, \f(CW\*(C`LD_*\*(C'\fR, \f(CW\*(C`LDR_*\*(C'\fR,
248: \&\f(CW\*(C`LIBPATH\*(C'\fR, \f(CW\*(C`SHLIB_PATH\*(C'\fR, and others. These type of variables are
249: removed from the environment before \fBsudo\fR even begins execution
250: and, as such, it is not possible for \fBsudo\fR to preserve them.
251: .PP
252: As a special case, if \fBsudo\fR's \fB\-i\fR option (initial login) is
253: specified, \fIsudoers\fR will initialize the environment regardless
254: of the value of \fIenv_reset\fR. The \fI\s-1DISPLAY\s0\fR, \fI\s-1PATH\s0\fR and \fI\s-1TERM\s0\fR
255: variables remain unchanged; \fI\s-1HOME\s0\fR, \fI\s-1MAIL\s0\fR, \fI\s-1SHELL\s0\fR, \fI\s-1USER\s0\fR,
1.1.1.2 ! misho 256: and \fI\s-1LOGNAME\s0\fR are set based on the target user. On \s-1AIX\s0 (and Linux
! 257: systems without \s-1PAM\s0), the contents of \fI/etc/environment\fR are also
! 258: included. On \s-1BSD\s0 systems, if the \fIuse_loginclass\fR option is
! 259: enabled, the \fIpath\fR and \fIsetenv\fR variables in \fI/etc/login.conf\fR
! 260: are also applied. All other environment variables are removed.
! 261: .PP
! 262: Finally, if the \fIenv_file\fR option is defined, any variables present
! 263: in that file will be set to their specified values as long as they
! 264: would not conflict with an existing environment variable.
1.1 misho 265: .SH "SUDOERS FILE FORMAT"
266: .IX Header "SUDOERS FILE FORMAT"
267: The \fIsudoers\fR file is composed of two types of entries: aliases
268: (basically variables) and user specifications (which specify who
269: may run what).
270: .PP
271: When multiple entries match for a user, they are applied in order.
272: Where there are multiple matches, the last match is used (which is
273: not necessarily the most specific match).
274: .PP
275: The \fIsudoers\fR grammar will be described below in Extended Backus-Naur
276: Form (\s-1EBNF\s0). Don't despair if you don't know what \s-1EBNF\s0 is; it is
277: fairly simple, and the definitions below are annotated.
278: .SS "Quick guide to \s-1EBNF\s0"
279: .IX Subsection "Quick guide to EBNF"
280: \&\s-1EBNF\s0 is a concise and exact way of describing the grammar of a language.
281: Each \s-1EBNF\s0 definition is made up of \fIproduction rules\fR. E.g.,
282: .PP
283: .Vb 1
284: \& symbol ::= definition | alternate1 | alternate2 ...
285: .Ve
286: .PP
287: Each \fIproduction rule\fR references others and thus makes up a
288: grammar for the language. \s-1EBNF\s0 also contains the following
289: operators, which many readers will recognize from regular
290: expressions. Do not, however, confuse them with \*(L"wildcard\*(R"
291: characters, which have different meanings.
292: .ie n .IP "\*(C`?\*(C'" 4
293: .el .IP "\f(CW\*(C`?\*(C'\fR" 4
294: .IX Item "?"
295: Means that the preceding symbol (or group of symbols) is optional.
296: That is, it may appear once or not at all.
297: .ie n .IP "\*(C`*\*(C'" 4
298: .el .IP "\f(CW\*(C`*\*(C'\fR" 4
299: .IX Item "*"
300: Means that the preceding symbol (or group of symbols) may appear
301: zero or more times.
302: .ie n .IP "\*(C`+\*(C'" 4
303: .el .IP "\f(CW\*(C`+\*(C'\fR" 4
304: .IX Item "+"
305: Means that the preceding symbol (or group of symbols) may appear
306: one or more times.
307: .PP
308: Parentheses may be used to group symbols together. For clarity,
309: we will use single quotes ('') to designate what is a verbatim character
310: string (as opposed to a symbol name).
311: .SS "Aliases"
312: .IX Subsection "Aliases"
313: There are four kinds of aliases: \f(CW\*(C`User_Alias\*(C'\fR, \f(CW\*(C`Runas_Alias\*(C'\fR,
314: \&\f(CW\*(C`Host_Alias\*(C'\fR and \f(CW\*(C`Cmnd_Alias\*(C'\fR.
315: .PP
316: .Vb 4
317: \& Alias ::= \*(AqUser_Alias\*(Aq User_Alias (\*(Aq:\*(Aq User_Alias)* |
318: \& \*(AqRunas_Alias\*(Aq Runas_Alias (\*(Aq:\*(Aq Runas_Alias)* |
319: \& \*(AqHost_Alias\*(Aq Host_Alias (\*(Aq:\*(Aq Host_Alias)* |
320: \& \*(AqCmnd_Alias\*(Aq Cmnd_Alias (\*(Aq:\*(Aq Cmnd_Alias)*
321: \&
322: \& User_Alias ::= NAME \*(Aq=\*(Aq User_List
323: \&
324: \& Runas_Alias ::= NAME \*(Aq=\*(Aq Runas_List
325: \&
326: \& Host_Alias ::= NAME \*(Aq=\*(Aq Host_List
327: \&
328: \& Cmnd_Alias ::= NAME \*(Aq=\*(Aq Cmnd_List
329: \&
330: \& NAME ::= [A\-Z]([A\-Z][0\-9]_)*
331: .Ve
332: .PP
333: Each \fIalias\fR definition is of the form
334: .PP
335: .Vb 1
336: \& Alias_Type NAME = item1, item2, ...
337: .Ve
338: .PP
339: where \fIAlias_Type\fR is one of \f(CW\*(C`User_Alias\*(C'\fR, \f(CW\*(C`Runas_Alias\*(C'\fR, \f(CW\*(C`Host_Alias\*(C'\fR,
340: or \f(CW\*(C`Cmnd_Alias\*(C'\fR. A \f(CW\*(C`NAME\*(C'\fR is a string of uppercase letters, numbers,
341: and underscore characters ('_'). A \f(CW\*(C`NAME\*(C'\fR \fBmust\fR start with an
342: uppercase letter. It is possible to put several alias definitions
343: of the same type on a single line, joined by a colon (':'). E.g.,
344: .PP
345: .Vb 1
346: \& Alias_Type NAME = item1, item2, item3 : NAME = item4, item5
347: .Ve
348: .PP
349: The definitions of what constitutes a valid \fIalias\fR member follow.
350: .PP
351: .Vb 2
352: \& User_List ::= User |
353: \& User \*(Aq,\*(Aq User_List
354: \&
355: \& User ::= \*(Aq!\*(Aq* user name |
356: \& \*(Aq!\*(Aq* #uid |
357: \& \*(Aq!\*(Aq* %group |
358: \& \*(Aq!\*(Aq* %#gid |
359: \& \*(Aq!\*(Aq* +netgroup |
360: \& \*(Aq!\*(Aq* %:nonunix_group |
361: \& \*(Aq!\*(Aq* %:#nonunix_gid |
362: \& \*(Aq!\*(Aq* User_Alias
363: .Ve
364: .PP
365: A \f(CW\*(C`User_List\*(C'\fR is made up of one or more user names, user ids
366: (prefixed with '#'), system group names and ids (prefixed with '%'
367: and '%#' respectively), netgroups (prefixed with '+'), non-Unix
368: group names and IDs (prefixed with '%:' and '%:#' respectively) and
369: \&\f(CW\*(C`User_Alias\*(C'\fRes. Each list item may be prefixed with zero or more
370: \&'!' operators. An odd number of '!' operators negate the value of
371: the item; an even number just cancel each other out.
372: .PP
373: A \f(CW\*(C`user name\*(C'\fR, \f(CW\*(C`uid\*(C'\fR, \f(CW\*(C`group\*(C'\fR, \f(CW\*(C`gid\*(C'\fR, \f(CW\*(C`netgroup\*(C'\fR, \f(CW\*(C`nonunix_group\*(C'\fR
374: or \f(CW\*(C`nonunix_gid\*(C'\fR may be enclosed in double quotes to avoid the
375: need for escaping special characters. Alternately, special characters
376: may be specified in escaped hex mode, e.g. \ex20 for space. When
377: using double quotes, any prefix characters must be included inside
378: the quotes.
379: .PP
380: The actual \f(CW\*(C`nonunix_group\*(C'\fR and \f(CW\*(C`nonunix_gid\*(C'\fR syntax depends on
381: the underlying group provider plugin (see the \fIgroup_plugin\fR
382: description below). For instance, the \s-1QAS\s0 \s-1AD\s0 plugin supports the
383: following formats:
384: .IP "\(bu" 4
385: Group in the same domain: \*(L"Group Name\*(R"
386: .IP "\(bu" 4
387: Group in any domain: \*(L"Group Name@FULLY.QUALIFIED.DOMAIN\*(R"
388: .IP "\(bu" 4
389: Group \s-1SID:\s0 \*(L"S\-1\-2\-34\-5678901234\-5678901234\-5678901234\-567\*(R"
390: .PP
391: Note that quotes around group names are optional. Unquoted strings
392: must use a backslash (\e) to escape spaces and special characters.
393: See \*(L"Other special characters and reserved words\*(R" for a list of
394: characters that need to be escaped.
395: .PP
396: .Vb 2
397: \& Runas_List ::= Runas_Member |
398: \& Runas_Member \*(Aq,\*(Aq Runas_List
399: \&
400: \& Runas_Member ::= \*(Aq!\*(Aq* user name |
401: \& \*(Aq!\*(Aq* #uid |
402: \& \*(Aq!\*(Aq* %group |
403: \& \*(Aq!\*(Aq* %#gid |
404: \& \*(Aq!\*(Aq* %:nonunix_group |
405: \& \*(Aq!\*(Aq* %:#nonunix_gid |
406: \& \*(Aq!\*(Aq* +netgroup |
407: \& \*(Aq!\*(Aq* Runas_Alias
408: .Ve
409: .PP
410: A \f(CW\*(C`Runas_List\*(C'\fR is similar to a \f(CW\*(C`User_List\*(C'\fR except that instead
411: of \f(CW\*(C`User_Alias\*(C'\fRes it can contain \f(CW\*(C`Runas_Alias\*(C'\fRes. Note that
412: user names and groups are matched as strings. In other words, two
413: users (groups) with the same uid (gid) are considered to be distinct.
414: If you wish to match all user names with the same uid (e.g.\ root
415: and toor), you can use a uid instead (#0 in the example given).
416: .PP
417: .Vb 2
418: \& Host_List ::= Host |
419: \& Host \*(Aq,\*(Aq Host_List
420: \&
421: \& Host ::= \*(Aq!\*(Aq* host name |
422: \& \*(Aq!\*(Aq* ip_addr |
423: \& \*(Aq!\*(Aq* network(/netmask)? |
424: \& \*(Aq!\*(Aq* +netgroup |
425: \& \*(Aq!\*(Aq* Host_Alias
426: .Ve
427: .PP
428: A \f(CW\*(C`Host_List\*(C'\fR is made up of one or more host names, \s-1IP\s0 addresses,
429: network numbers, netgroups (prefixed with '+') and other aliases.
430: Again, the value of an item may be negated with the '!' operator.
431: If you do not specify a netmask along with the network number,
432: \&\fBsudo\fR will query each of the local host's network interfaces and,
433: if the network number corresponds to one of the hosts's network
434: interfaces, the corresponding netmask will be used. The netmask
435: may be specified either in standard \s-1IP\s0 address notation
436: (e.g.\ 255.255.255.0 or ffff:ffff:ffff:ffff::),
437: or \s-1CIDR\s0 notation (number of bits, e.g.\ 24 or 64). A host name may
438: include shell-style wildcards (see the Wildcards section below),
439: but unless the \f(CW\*(C`host name\*(C'\fR command on your machine returns the fully
440: qualified host name, you'll need to use the \fIfqdn\fR option for
441: wildcards to be useful. Note \fBsudo\fR only inspects actual network
442: interfaces; this means that \s-1IP\s0 address 127.0.0.1 (localhost) will
443: never match. Also, the host name \*(L"localhost\*(R" will only match if
444: that is the actual host name, which is usually only the case for
445: non-networked systems.
446: .PP
447: .Vb 2
448: \& Cmnd_List ::= Cmnd |
449: \& Cmnd \*(Aq,\*(Aq Cmnd_List
450: \&
451: \& commandname ::= file name |
452: \& file name args |
453: \& file name \*(Aq""\*(Aq
454: \&
455: \& Cmnd ::= \*(Aq!\*(Aq* commandname |
456: \& \*(Aq!\*(Aq* directory |
457: \& \*(Aq!\*(Aq* "sudoedit" |
458: \& \*(Aq!\*(Aq* Cmnd_Alias
459: .Ve
460: .PP
461: A \f(CW\*(C`Cmnd_List\*(C'\fR is a list of one or more commandnames, directories, and other
462: aliases. A commandname is a fully qualified file name which may include
463: shell-style wildcards (see the Wildcards section below). A simple
464: file name allows the user to run the command with any arguments he/she
465: wishes. However, you may also specify command line arguments (including
466: wildcards). Alternately, you can specify \f(CW""\fR to indicate that the command
467: may only be run \fBwithout\fR command line arguments. A directory is a
468: fully qualified path name ending in a '/'. When you specify a directory
469: in a \f(CW\*(C`Cmnd_List\*(C'\fR, the user will be able to run any file within that directory
470: (but not in any subdirectories therein).
471: .PP
472: If a \f(CW\*(C`Cmnd\*(C'\fR has associated command line arguments, then the arguments
473: in the \f(CW\*(C`Cmnd\*(C'\fR must match exactly those given by the user on the command line
474: (or match the wildcards if there are any). Note that the following
475: characters must be escaped with a '\e' if they are used in command
476: arguments: ',', ':', '=', '\e'. The special command \f(CW"sudoedit"\fR
477: is used to permit a user to run \fBsudo\fR with the \fB\-e\fR option (or
478: as \fBsudoedit\fR). It may take command line arguments just as
479: a normal command does.
480: .SS "Defaults"
481: .IX Subsection "Defaults"
482: Certain configuration options may be changed from their default
483: values at runtime via one or more \f(CW\*(C`Default_Entry\*(C'\fR lines. These
484: may affect all users on any host, all users on a specific host, a
485: specific user, a specific command, or commands being run as a specific user.
486: Note that per-command entries may not include command line arguments.
487: If you need to specify arguments, define a \f(CW\*(C`Cmnd_Alias\*(C'\fR and reference
488: that instead.
489: .PP
490: .Vb 5
491: \& Default_Type ::= \*(AqDefaults\*(Aq |
492: \& \*(AqDefaults\*(Aq \*(Aq@\*(Aq Host_List |
493: \& \*(AqDefaults\*(Aq \*(Aq:\*(Aq User_List |
494: \& \*(AqDefaults\*(Aq \*(Aq!\*(Aq Cmnd_List |
495: \& \*(AqDefaults\*(Aq \*(Aq>\*(Aq Runas_List
496: \&
497: \& Default_Entry ::= Default_Type Parameter_List
498: \&
499: \& Parameter_List ::= Parameter |
500: \& Parameter \*(Aq,\*(Aq Parameter_List
501: \&
502: \& Parameter ::= Parameter \*(Aq=\*(Aq Value |
503: \& Parameter \*(Aq+=\*(Aq Value |
504: \& Parameter \*(Aq\-=\*(Aq Value |
505: \& \*(Aq!\*(Aq* Parameter
506: .Ve
507: .PP
508: Parameters may be \fBflags\fR, \fBinteger\fR values, \fBstrings\fR, or \fBlists\fR.
509: Flags are implicitly boolean and can be turned off via the '!'
510: operator. Some integer, string and list parameters may also be
511: used in a boolean context to disable them. Values may be enclosed
512: in double quotes (\f(CW\*(C`"\*(C'\fR) when they contain multiple words. Special
513: characters may be escaped with a backslash (\f(CW\*(C`\e\*(C'\fR).
514: .PP
515: Lists have two additional assignment operators, \f(CW\*(C`+=\*(C'\fR and \f(CW\*(C`\-=\*(C'\fR.
516: These operators are used to add to and delete from a list respectively.
517: It is not an error to use the \f(CW\*(C`\-=\*(C'\fR operator to remove an element
518: that does not exist in a list.
519: .PP
520: Defaults entries are parsed in the following order: generic, host
521: and user Defaults first, then runas Defaults and finally command
522: defaults.
523: .PP
524: See \*(L"\s-1SUDOERS\s0 \s-1OPTIONS\s0\*(R" for a list of supported Defaults parameters.
525: .SS "User Specification"
526: .IX Subsection "User Specification"
527: .Vb 2
528: \& User_Spec ::= User_List Host_List \*(Aq=\*(Aq Cmnd_Spec_List \e
529: \& (\*(Aq:\*(Aq Host_List \*(Aq=\*(Aq Cmnd_Spec_List)*
530: \&
531: \& Cmnd_Spec_List ::= Cmnd_Spec |
532: \& Cmnd_Spec \*(Aq,\*(Aq Cmnd_Spec_List
533: \&
534: .ie \n(SL \& Cmnd_Spec ::= Runas_Spec? SELinux_Spec? Tag_Spec* Cmnd
535: .el \& Cmnd_Spec ::= Runas_Spec? Tag_Spec* Cmnd
536: \&
537: \& Runas_Spec ::= \*(Aq(\*(Aq Runas_List? (\*(Aq:\*(Aq Runas_List)? \*(Aq)\*(Aq
538: \&
539: .if \n(SL \{\
540: \& SELinux_Spec ::= (\*(AqROLE=role\*(Aq | \*(AqTYPE=type\*(Aq)
541: \&
542: \}
543: \& Tag_Spec ::= (\*(AqNOPASSWD:\*(Aq | \*(AqPASSWD:\*(Aq | \*(AqNOEXEC:\*(Aq | \*(AqEXEC:\*(Aq |
544: \& \*(AqSETENV:\*(Aq | \*(AqNOSETENV:\*(Aq | \*(AqLOG_INPUT:\*(Aq | \*(AqNOLOG_INPUT:\*(Aq |
545: \& \*(AqLOG_OUTPUT:\*(Aq | \*(AqNOLOG_OUTPUT:\*(Aq)
546: .Ve
547: .PP
548: A \fBuser specification\fR determines which commands a user may run
549: (and as what user) on specified hosts. By default, commands are
550: run as \fBroot\fR, but this can be changed on a per-command basis.
551: .PP
552: The basic structure of a user specification is `who where = (as_whom)
553: what'. Let's break that down into its constituent parts:
554: .SS "Runas_Spec"
555: .IX Subsection "Runas_Spec"
556: A \f(CW\*(C`Runas_Spec\*(C'\fR determines the user and/or the group that a command
557: may be run as. A fully-specified \f(CW\*(C`Runas_Spec\*(C'\fR consists of two
558: \&\f(CW\*(C`Runas_List\*(C'\fRs (as defined above) separated by a colon (':') and
559: enclosed in a set of parentheses. The first \f(CW\*(C`Runas_List\*(C'\fR indicates
560: which users the command may be run as via \fBsudo\fR's \fB\-u\fR option.
561: The second defines a list of groups that can be specified via
562: \&\fBsudo\fR's \fB\-g\fR option. If both \f(CW\*(C`Runas_List\*(C'\fRs are specified, the
563: command may be run with any combination of users and groups listed
564: in their respective \f(CW\*(C`Runas_List\*(C'\fRs. If only the first is specified,
565: the command may be run as any user in the list but no \fB\-g\fR option
566: may be specified. If the first \f(CW\*(C`Runas_List\*(C'\fR is empty but the
567: second is specified, the command may be run as the invoking user
568: with the group set to any listed in the \f(CW\*(C`Runas_List\*(C'\fR. If no
569: \&\f(CW\*(C`Runas_Spec\*(C'\fR is specified the command may be run as \fBroot\fR and
570: no group may be specified.
571: .PP
572: A \f(CW\*(C`Runas_Spec\*(C'\fR sets the default for the commands that follow it.
573: What this means is that for the entry:
574: .PP
575: .Vb 1
576: \& dgb boulder = (operator) /bin/ls, /bin/kill, /usr/bin/lprm
577: .Ve
578: .PP
579: The user \fBdgb\fR may run \fI/bin/ls\fR, \fI/bin/kill\fR, and
580: \&\fI/usr/bin/lprm\fR \*(-- but only as \fBoperator\fR. E.g.,
581: .PP
582: .Vb 1
583: \& $ sudo \-u operator /bin/ls
584: .Ve
585: .PP
586: It is also possible to override a \f(CW\*(C`Runas_Spec\*(C'\fR later on in an
587: entry. If we modify the entry like so:
588: .PP
589: .Vb 1
590: \& dgb boulder = (operator) /bin/ls, (root) /bin/kill, /usr/bin/lprm
591: .Ve
592: .PP
593: Then user \fBdgb\fR is now allowed to run \fI/bin/ls\fR as \fBoperator\fR,
594: but \fI/bin/kill\fR and \fI/usr/bin/lprm\fR as \fBroot\fR.
595: .PP
596: We can extend this to allow \fBdgb\fR to run \f(CW\*(C`/bin/ls\*(C'\fR with either
597: the user or group set to \fBoperator\fR:
598: .PP
599: .Vb 2
600: \& dgb boulder = (operator : operator) /bin/ls, (root) /bin/kill, \e
601: \& /usr/bin/lprm
602: .Ve
603: .PP
604: Note that while the group portion of the \f(CW\*(C`Runas_Spec\*(C'\fR permits the
605: user to run as command with that group, it does not force the user
606: to do so. If no group is specified on the command line, the command
607: will run with the group listed in the target user's password database
608: entry. The following would all be permitted by the sudoers entry above:
609: .PP
610: .Vb 3
611: \& $ sudo \-u operator /bin/ls
612: \& $ sudo \-u operator \-g operator /bin/ls
613: \& $ sudo \-g operator /bin/ls
614: .Ve
615: .PP
616: In the following example, user \fBtcm\fR may run commands that access
617: a modem device file with the dialer group.
618: .PP
619: .Vb 2
620: \& tcm boulder = (:dialer) /usr/bin/tip, /usr/bin/cu, \e
621: \& /usr/local/bin/minicom
622: .Ve
623: .PP
624: Note that in this example only the group will be set, the command
625: still runs as user \fBtcm\fR. E.g.
626: .PP
627: .Vb 1
628: \& $ sudo \-g dialer /usr/bin/cu
629: .Ve
630: .PP
631: Multiple users and groups may be present in a \f(CW\*(C`Runas_Spec\*(C'\fR, in
632: which case the user may select any combination of users and groups
633: via the \fB\-u\fR and \fB\-g\fR options. In this example:
634: .PP
635: .Vb 1
636: \& alan ALL = (root, bin : operator, system) ALL
637: .Ve
638: .PP
639: user \fBalan\fR may run any command as either user root or bin,
640: optionally setting the group to operator or system.
641: .if \n(SL \{\
642: .SS "SELinux_Spec"
643: .IX Subsection "SELinux_Spec"
644: On systems with SELinux support, \fIsudoers\fR entries may optionally have
645: an SELinux role and/or type associated with a command. If a role or
646: type is specified with the command it will override any default values
647: specified in \fIsudoers\fR. A role or type specified on the command line,
648: however, will supercede the values in \fIsudoers\fR.
649: \}
650: .SS "Tag_Spec"
651: .IX Subsection "Tag_Spec"
652: A command may have zero or more tags associated with it. There are
653: eight possible tag values, \f(CW\*(C`NOPASSWD\*(C'\fR, \f(CW\*(C`PASSWD\*(C'\fR, \f(CW\*(C`NOEXEC\*(C'\fR,
654: \&\f(CW\*(C`EXEC\*(C'\fR, \f(CW\*(C`SETENV\*(C'\fR, \f(CW\*(C`NOSETENV\*(C'\fR, \f(CW\*(C`LOG_INPUT\*(C'\fR, \f(CW\*(C`NOLOG_INPUT\*(C'\fR,
655: \&\f(CW\*(C`LOG_OUTPUT\*(C'\fR and \f(CW\*(C`NOLOG_OUTPUT\*(C'\fR. Once a tag is set on a \f(CW\*(C`Cmnd\*(C'\fR,
656: subsequent \f(CW\*(C`Cmnd\*(C'\fRs in the \f(CW\*(C`Cmnd_Spec_List\*(C'\fR, inherit the tag unless
657: it is overridden by the opposite tag (i.e.: \f(CW\*(C`PASSWD\*(C'\fR overrides
658: \&\f(CW\*(C`NOPASSWD\*(C'\fR and \f(CW\*(C`NOEXEC\*(C'\fR overrides \f(CW\*(C`EXEC\*(C'\fR).
659: .PP
660: \fI\s-1NOPASSWD\s0 and \s-1PASSWD\s0\fR
661: .IX Subsection "NOPASSWD and PASSWD"
662: .PP
663: By default, \fBsudo\fR requires that a user authenticate him or herself
664: before running a command. This behavior can be modified via the
665: \&\f(CW\*(C`NOPASSWD\*(C'\fR tag. Like a \f(CW\*(C`Runas_Spec\*(C'\fR, the \f(CW\*(C`NOPASSWD\*(C'\fR tag sets
666: a default for the commands that follow it in the \f(CW\*(C`Cmnd_Spec_List\*(C'\fR.
667: Conversely, the \f(CW\*(C`PASSWD\*(C'\fR tag can be used to reverse things.
668: For example:
669: .PP
670: .Vb 1
671: \& ray rushmore = NOPASSWD: /bin/kill, /bin/ls, /usr/bin/lprm
672: .Ve
673: .PP
674: would allow the user \fBray\fR to run \fI/bin/kill\fR, \fI/bin/ls\fR, and
675: \&\fI/usr/bin/lprm\fR as \fBroot\fR on the machine rushmore without
676: authenticating himself. If we only want \fBray\fR to be able to
677: run \fI/bin/kill\fR without a password the entry would be:
678: .PP
679: .Vb 1
680: \& ray rushmore = NOPASSWD: /bin/kill, PASSWD: /bin/ls, /usr/bin/lprm
681: .Ve
682: .PP
683: Note, however, that the \f(CW\*(C`PASSWD\*(C'\fR tag has no effect on users who are
684: in the group specified by the \fIexempt_group\fR option.
685: .PP
686: By default, if the \f(CW\*(C`NOPASSWD\*(C'\fR tag is applied to any of the entries
687: for a user on the current host, he or she will be able to run
688: \&\f(CW\*(C`sudo \-l\*(C'\fR without a password. Additionally, a user may only run
689: \&\f(CW\*(C`sudo \-v\*(C'\fR without a password if the \f(CW\*(C`NOPASSWD\*(C'\fR tag is present
690: for all a user's entries that pertain to the current host.
691: This behavior may be overridden via the verifypw and listpw options.
692: .PP
693: \fI\s-1NOEXEC\s0 and \s-1EXEC\s0\fR
694: .IX Subsection "NOEXEC and EXEC"
695: .PP
696: If \fBsudo\fR has been compiled with \fInoexec\fR support and the underlying
697: operating system supports it, the \f(CW\*(C`NOEXEC\*(C'\fR tag can be used to prevent
698: a dynamically-linked executable from running further commands itself.
699: .PP
700: In the following example, user \fBaaron\fR may run \fI/usr/bin/more\fR
701: and \fI/usr/bin/vi\fR but shell escapes will be disabled.
702: .PP
703: .Vb 1
704: \& aaron shanty = NOEXEC: /usr/bin/more, /usr/bin/vi
705: .Ve
706: .PP
1.1.1.2 ! misho 707: See the \*(L"Preventing Shell Escapes\*(R" section below for more details
1.1 misho 708: on how \f(CW\*(C`NOEXEC\*(C'\fR works and whether or not it will work on your system.
709: .PP
710: \fI\s-1SETENV\s0 and \s-1NOSETENV\s0\fR
711: .IX Subsection "SETENV and NOSETENV"
712: .PP
713: These tags override the value of the \fIsetenv\fR option on a per-command
714: basis. Note that if \f(CW\*(C`SETENV\*(C'\fR has been set for a command, the user
715: may disable the \fIenv_reset\fR option from the command line via the
716: \&\fB\-E\fR option. Additionally, environment variables set on the command
717: line are not subject to the restrictions imposed by \fIenv_check\fR,
718: \&\fIenv_delete\fR, or \fIenv_keep\fR. As such, only trusted users should
719: be allowed to set variables in this manner. If the command matched
720: is \fB\s-1ALL\s0\fR, the \f(CW\*(C`SETENV\*(C'\fR tag is implied for that command; this
721: default may be overridden by use of the \f(CW\*(C`NOSETENV\*(C'\fR tag.
722: .PP
723: \fI\s-1LOG_INPUT\s0 and \s-1NOLOG_INPUT\s0\fR
724: .IX Subsection "LOG_INPUT and NOLOG_INPUT"
725: .PP
726: These tags override the value of the \fIlog_input\fR option on a
727: per-command basis. For more information, see the description of
728: \&\fIlog_input\fR in the \*(L"\s-1SUDOERS\s0 \s-1OPTIONS\s0\*(R" section below.
729: .PP
730: \fI\s-1LOG_OUTPUT\s0 and \s-1NOLOG_OUTPUT\s0\fR
731: .IX Subsection "LOG_OUTPUT and NOLOG_OUTPUT"
732: .PP
733: These tags override the value of the \fIlog_output\fR option on a
734: per-command basis. For more information, see the description of
735: \&\fIlog_output\fR in the \*(L"\s-1SUDOERS\s0 \s-1OPTIONS\s0\*(R" section below.
736: .SS "Wildcards"
737: .IX Subsection "Wildcards"
738: \&\fBsudo\fR allows shell-style \fIwildcards\fR (aka meta or glob characters)
739: to be used in host names, path names and command line arguments in
740: the \fIsudoers\fR file. Wildcard matching is done via the \fB\s-1POSIX\s0\fR
741: \&\fIglob\fR\|(3) and \fIfnmatch\fR\|(3) routines. Note that these are \fInot\fR
742: regular expressions.
743: .ie n .IP "\*(C`*\*(C'" 8
744: .el .IP "\f(CW\*(C`*\*(C'\fR" 8
745: .IX Item "*"
746: Matches any set of zero or more characters.
747: .ie n .IP "\*(C`?\*(C'" 8
748: .el .IP "\f(CW\*(C`?\*(C'\fR" 8
749: .IX Item "?"
750: Matches any single character.
751: .ie n .IP "\*(C`[...]\*(C'" 8
752: .el .IP "\f(CW\*(C`[...]\*(C'\fR" 8
753: .IX Item "[...]"
754: Matches any character in the specified range.
755: .ie n .IP "\*(C`[!...]\*(C'" 8
756: .el .IP "\f(CW\*(C`[!...]\*(C'\fR" 8
757: .IX Item "[!...]"
758: Matches any character \fBnot\fR in the specified range.
759: .ie n .IP "\*(C`\ex\*(C'" 8
760: .el .IP "\f(CW\*(C`\ex\*(C'\fR" 8
761: .IX Item "x"
762: For any character \*(L"x\*(R", evaluates to \*(L"x\*(R". This is used to
763: escape special characters such as: \*(L"*\*(R", \*(L"?\*(R", \*(L"[\*(R", and \*(L"}\*(R".
764: .PP
765: \&\s-1POSIX\s0 character classes may also be used if your system's \fIglob\fR\|(3)
766: and \fIfnmatch\fR\|(3) functions support them. However, because the
767: \&\f(CW\*(Aq:\*(Aq\fR character has special meaning in \fIsudoers\fR, it must be
768: escaped. For example:
769: .PP
770: .Vb 1
771: \& /bin/ls [[\e:alpha\e:]]*
772: .Ve
773: .PP
774: Would match any file name beginning with a letter.
775: .PP
776: Note that a forward slash ('/') will \fBnot\fR be matched by
777: wildcards used in the path name. When matching the command
778: line arguments, however, a slash \fBdoes\fR get matched by
779: wildcards. This is to make a path like:
780: .PP
781: .Vb 1
782: \& /usr/bin/*
783: .Ve
784: .PP
785: match \fI/usr/bin/who\fR but not \fI/usr/bin/X11/xterm\fR.
786: .SS "Exceptions to wildcard rules"
787: .IX Subsection "Exceptions to wildcard rules"
788: The following exceptions apply to the above rules:
789: .ie n .IP """""" 8
790: .el .IP "\f(CW``''\fR" 8
791: .IX Item """"""
792: If the empty string \f(CW""\fR is the only command line argument in the
793: \&\fIsudoers\fR entry it means that command is not allowed to be run
794: with \fBany\fR arguments.
795: .SS "Including other files from within sudoers"
796: .IX Subsection "Including other files from within sudoers"
797: It is possible to include other \fIsudoers\fR files from within the
798: \&\fIsudoers\fR file currently being parsed using the \f(CW\*(C`#include\*(C'\fR and
799: \&\f(CW\*(C`#includedir\*(C'\fR directives.
800: .PP
801: This can be used, for example, to keep a site-wide \fIsudoers\fR file
802: in addition to a local, per-machine file. For the sake of this
803: example the site-wide \fIsudoers\fR will be \fI/etc/sudoers\fR and the
804: per-machine one will be \fI/etc/sudoers.local\fR. To include
805: \&\fI/etc/sudoers.local\fR from within \fI/etc/sudoers\fR we would use the
806: following line in \fI/etc/sudoers\fR:
807: .Sp
808: .RS 4
809: \&\f(CW\*(C`#include /etc/sudoers.local\*(C'\fR
810: .RE
811: .PP
812: When \fBsudo\fR reaches this line it will suspend processing of the
813: current file (\fI/etc/sudoers\fR) and switch to \fI/etc/sudoers.local\fR.
814: Upon reaching the end of \fI/etc/sudoers.local\fR, the rest of
815: \&\fI/etc/sudoers\fR will be processed. Files that are included may
816: themselves include other files. A hard limit of 128 nested include
817: files is enforced to prevent include file loops.
818: .PP
1.1.1.2 ! misho 819: If the path to the include file is not fully-qualified (does not
! 820: begin with a \fI/\fR), it must be located in the same directory as the
! 821: sudoers file it was included from. For example, if \fI/etc/sudoers\fR
! 822: contains the line:
! 823: .Sp
! 824: .RS 4
! 825: \&\f(CW\*(C`#include sudoers.local\*(C'\fR
! 826: .RE
! 827: .PP
! 828: the file that will be included is \fI/etc/sudoers.local\fR.
! 829: .PP
! 830: The file name may also include the \f(CW%h\fR escape, signifying the short form
1.1 misho 831: of the host name. I.e., if the machine's host name is \*(L"xerxes\*(R", then
832: .PP
833: \&\f(CW\*(C`#include /etc/sudoers.%h\*(C'\fR
834: .PP
835: will cause \fBsudo\fR to include the file \fI/etc/sudoers.xerxes\fR.
836: .PP
837: The \f(CW\*(C`#includedir\*(C'\fR directive can be used to create a \fIsudo.d\fR
838: directory that the system package manager can drop \fIsudoers\fR rules
839: into as part of package installation. For example, given:
840: .PP
841: \&\f(CW\*(C`#includedir /etc/sudoers.d\*(C'\fR
842: .PP
843: \&\fBsudo\fR will read each file in \fI/etc/sudoers.d\fR, skipping file
844: names that end in \f(CW\*(C`~\*(C'\fR or contain a \f(CW\*(C`.\*(C'\fR character to avoid causing
845: problems with package manager or editor temporary/backup files.
846: Files are parsed in sorted lexical order. That is,
847: \&\fI/etc/sudoers.d/01_first\fR will be parsed before
848: \&\fI/etc/sudoers.d/10_second\fR. Be aware that because the sorting is
849: lexical, not numeric, \fI/etc/sudoers.d/1_whoops\fR would be loaded
850: \&\fBafter\fR \fI/etc/sudoers.d/10_second\fR. Using a consistent number
851: of leading zeroes in the file names can be used to avoid such
852: problems.
853: .PP
854: Note that unlike files included via \f(CW\*(C`#include\*(C'\fR, \fBvisudo\fR will not
855: edit the files in a \f(CW\*(C`#includedir\*(C'\fR directory unless one of them
856: contains a syntax error. It is still possible to run \fBvisudo\fR
857: with the \f(CW\*(C`\-f\*(C'\fR flag to edit the files directly.
858: .SS "Other special characters and reserved words"
859: .IX Subsection "Other special characters and reserved words"
860: The pound sign ('#') is used to indicate a comment (unless it is
861: part of a #include directive or unless it occurs in the context of
862: a user name and is followed by one or more digits, in which case
863: it is treated as a uid). Both the comment character and any text
864: after it, up to the end of the line, are ignored.
865: .PP
866: The reserved word \fB\s-1ALL\s0\fR is a built-in \fIalias\fR that always causes
867: a match to succeed. It can be used wherever one might otherwise
868: use a \f(CW\*(C`Cmnd_Alias\*(C'\fR, \f(CW\*(C`User_Alias\*(C'\fR, \f(CW\*(C`Runas_Alias\*(C'\fR, or \f(CW\*(C`Host_Alias\*(C'\fR.
869: You should not try to define your own \fIalias\fR called \fB\s-1ALL\s0\fR as the
870: built-in alias will be used in preference to your own. Please note
871: that using \fB\s-1ALL\s0\fR can be dangerous since in a command context, it
872: allows the user to run \fBany\fR command on the system.
873: .PP
874: An exclamation point ('!') can be used as a logical \fInot\fR operator
875: both in an \fIalias\fR and in front of a \f(CW\*(C`Cmnd\*(C'\fR. This allows one to
876: exclude certain values. Note, however, that using a \f(CW\*(C`!\*(C'\fR in
877: conjunction with the built-in \f(CW\*(C`ALL\*(C'\fR alias to allow a user to
878: run \*(L"all but a few\*(R" commands rarely works as intended (see \s-1SECURITY\s0
879: \&\s-1NOTES\s0 below).
880: .PP
881: Long lines can be continued with a backslash ('\e') as the last
882: character on the line.
883: .PP
884: Whitespace between elements in a list as well as special syntactic
885: characters in a \fIUser Specification\fR ('=', ':', '(', ')') is optional.
886: .PP
887: The following characters must be escaped with a backslash ('\e') when
888: used as part of a word (e.g.\ a user name or host name):
889: \&'!', '=', ':', ',', '(', ')', '\e'.
890: .SH "SUDOERS OPTIONS"
891: .IX Header "SUDOERS OPTIONS"
892: \&\fBsudo\fR's behavior can be modified by \f(CW\*(C`Default_Entry\*(C'\fR lines, as
893: explained earlier. A list of all supported Defaults parameters,
894: grouped by type, are listed below.
895: .PP
896: \&\fBBoolean Flags\fR:
897: .IP "always_set_home" 16
898: .IX Item "always_set_home"
899: If enabled, \fBsudo\fR will set the \f(CW\*(C`HOME\*(C'\fR environment variable to the
900: home directory of the target user (which is root unless the \fB\-u\fR
901: option is used). This effectively means that the \fB\-H\fR option is
902: always implied. Note that \f(CW\*(C`HOME\*(C'\fR is already set when the the
903: \&\fIenv_reset\fR option is enabled, so \fIalways_set_home\fR is only
904: effective for configurations where either \fIenv_reset\fR is disabled
905: or \f(CW\*(C`HOME\*(C'\fR is present in the \fIenv_keep\fR list.
906: This flag is \fIoff\fR by default.
907: .IP "authenticate" 16
908: .IX Item "authenticate"
909: If set, users must authenticate themselves via a password (or other
910: means of authentication) before they may run commands. This default
911: may be overridden via the \f(CW\*(C`PASSWD\*(C'\fR and \f(CW\*(C`NOPASSWD\*(C'\fR tags.
912: This flag is \fIon\fR by default.
913: .IP "closefrom_override" 16
914: .IX Item "closefrom_override"
915: If set, the user may use \fBsudo\fR's \fB\-C\fR option which
916: overrides the default starting point at which \fBsudo\fR begins
917: closing open file descriptors. This flag is \fIoff\fR by default.
918: .IP "compress_io" 16
919: .IX Item "compress_io"
920: If set, and \fBsudo\fR is configured to log a command's input or output,
921: the I/O logs will be compressed using \fBzlib\fR. This flag is \fIon\fR
922: by default when \fBsudo\fR is compiled with \fBzlib\fR support.
923: .IP "env_editor" 16
924: .IX Item "env_editor"
925: If set, \fBvisudo\fR will use the value of the \s-1EDITOR\s0 or \s-1VISUAL\s0
926: environment variables before falling back on the default editor list.
927: Note that this may create a security hole as it allows the user to
928: run any arbitrary command as root without logging. A safer alternative
929: is to place a colon-separated list of editors in the \f(CW\*(C`editor\*(C'\fR
930: variable. \fBvisudo\fR will then only use the \s-1EDITOR\s0 or \s-1VISUAL\s0 if
931: they match a value specified in \f(CW\*(C`editor\*(C'\fR. This flag is \fI@env_editor@\fR by
932: default.
933: .IP "env_reset" 16
934: .IX Item "env_reset"
1.1.1.2 ! misho 935: If set, \fBsudo\fR will run the command in a minimal environment
! 936: containing the \f(CW\*(C`TERM\*(C'\fR, \f(CW\*(C`PATH\*(C'\fR, \f(CW\*(C`HOME\*(C'\fR, \f(CW\*(C`MAIL\*(C'\fR, \f(CW\*(C`SHELL\*(C'\fR,
! 937: \&\f(CW\*(C`LOGNAME\*(C'\fR, \f(CW\*(C`USER\*(C'\fR, \f(CW\*(C`USERNAME\*(C'\fR and \f(CW\*(C`SUDO_*\*(C'\fR variables. Any
1.1 misho 938: variables in the caller's environment that match the \f(CW\*(C`env_keep\*(C'\fR
1.1.1.2 ! misho 939: and \f(CW\*(C`env_check\*(C'\fR lists are then added, followed by any variables
! 940: present in the file specified by the \fIenv_file\fR option (if any).
! 941: The default contents of the \f(CW\*(C`env_keep\*(C'\fR and \f(CW\*(C`env_check\*(C'\fR lists are
! 942: displayed when \fBsudo\fR is run by root with the \fI\-V\fR option. If
! 943: the \fIsecure_path\fR option is set, its value will be used for the
! 944: \&\f(CW\*(C`PATH\*(C'\fR environment variable. This flag is \fI@env_reset@\fR by
! 945: default.
1.1 misho 946: .IP "fast_glob" 16
947: .IX Item "fast_glob"
948: Normally, \fBsudo\fR uses the \fIglob\fR\|(3) function to do shell-style
949: globbing when matching path names. However, since it accesses the
950: file system, \fIglob\fR\|(3) can take a long time to complete for some
951: patterns, especially when the pattern references a network file
952: system that is mounted on demand (automounted). The \fIfast_glob\fR
953: option causes \fBsudo\fR to use the \fIfnmatch\fR\|(3) function, which does
954: not access the file system to do its matching. The disadvantage
955: of \fIfast_glob\fR is that it is unable to match relative path names
956: such as \fI./ls\fR or \fI../bin/ls\fR. This has security implications
957: when path names that include globbing characters are used with the
958: negation operator, \f(CW\*(Aq!\*(Aq\fR, as such rules can be trivially bypassed.
959: As such, this option should not be used when \fIsudoers\fR contains rules
960: that contain negated path names which include globbing characters.
961: This flag is \fIoff\fR by default.
962: .IP "fqdn" 16
963: .IX Item "fqdn"
964: Set this flag if you want to put fully qualified host names in the
965: \&\fIsudoers\fR file. I.e., instead of myhost you would use myhost.mydomain.edu.
966: You may still use the short form if you wish (and even mix the two).
967: Beware that turning on \fIfqdn\fR requires \fBsudo\fR to make \s-1DNS\s0 lookups
968: which may make \fBsudo\fR unusable if \s-1DNS\s0 stops working (for example
969: if the machine is not plugged into the network). Also note that
970: you must use the host's official name as \s-1DNS\s0 knows it. That is,
971: you may not use a host alias (\f(CW\*(C`CNAME\*(C'\fR entry) due to performance
972: issues and the fact that there is no way to get all aliases from
973: \&\s-1DNS\s0. If your machine's host name (as returned by the \f(CW\*(C`hostname\*(C'\fR
974: command) is already fully qualified you shouldn't need to set
975: \&\fIfqdn\fR. This flag is \fI@fqdn@\fR by default.
976: .IP "ignore_dot" 16
977: .IX Item "ignore_dot"
978: If set, \fBsudo\fR will ignore '.' or '' (current dir) in the \f(CW\*(C`PATH\*(C'\fR
979: environment variable; the \f(CW\*(C`PATH\*(C'\fR itself is not modified. This
980: flag is \fI@ignore_dot@\fR by default.
981: .IP "ignore_local_sudoers" 16
982: .IX Item "ignore_local_sudoers"
983: If set via \s-1LDAP\s0, parsing of \fI@sysconfdir@/sudoers\fR will be skipped.
984: This is intended for Enterprises that wish to prevent the usage of local
985: sudoers files so that only \s-1LDAP\s0 is used. This thwarts the efforts of
986: rogue operators who would attempt to add roles to \fI@sysconfdir@/sudoers\fR.
987: When this option is present, \fI@sysconfdir@/sudoers\fR does not even need to
988: exist. Since this option tells \fBsudo\fR how to behave when no specific \s-1LDAP\s0
989: entries have been matched, this sudoOption is only meaningful for the
990: \&\f(CW\*(C`cn=defaults\*(C'\fR section. This flag is \fIoff\fR by default.
991: .IP "insults" 16
992: .IX Item "insults"
993: If set, \fBsudo\fR will insult users when they enter an incorrect
994: password. This flag is \fI@insults@\fR by default.
995: .IP "log_host" 16
996: .IX Item "log_host"
997: If set, the host name will be logged in the (non-syslog) \fBsudo\fR log file.
998: This flag is \fIoff\fR by default.
999: .IP "log_input" 16
1000: .IX Item "log_input"
1001: If set, \fBsudo\fR will run the command in a \fIpseudo tty\fR and log all
1002: user input.
1003: If the standard input is not connected to the user's tty, due to
1004: I/O redirection or because the command is part of a pipeline, that
1005: input is also captured and stored in a separate log file.
1006: .Sp
1007: Input is logged to the directory specified by the \fIiolog_dir\fR
1008: option (\fI@iolog_dir@\fR by default) using a unique session \s-1ID\s0 that
1009: is included in the normal \fBsudo\fR log line, prefixed with \fITSID=\fR.
1010: The \fIiolog_file\fR option may be used to control the format of the
1011: session \s-1ID\s0.
1012: .Sp
1013: Note that user input may contain sensitive information such as
1014: passwords (even if they are not echoed to the screen), which will
1015: be stored in the log file unencrypted. In most cases, logging the
1016: command output via \fIlog_output\fR is all that is required.
1017: .IP "log_output" 16
1018: .IX Item "log_output"
1019: If set, \fBsudo\fR will run the command in a \fIpseudo tty\fR and log all
1020: output that is sent to the screen, similar to the \fIscript\fR\|(1) command.
1021: If the standard output or standard error is not connected to the
1022: user's tty, due to I/O redirection or because the command is part
1023: of a pipeline, that output is also captured and stored in separate
1024: log files.
1025: .Sp
1026: Output is logged to the directory specified by the \fIiolog_dir\fR
1027: option (\fI@iolog_dir@\fR by default) using a unique session \s-1ID\s0 that
1028: is included in the normal \fBsudo\fR log line, prefixed with \fITSID=\fR.
1029: The \fIiolog_file\fR option may be used to control the format of the
1030: session \s-1ID\s0.
1031: .Sp
1032: Output logs may be viewed with the \fIsudoreplay\fR\|(@mansectsu@) utility, which
1033: can also be used to list or search the available logs.
1034: .IP "log_year" 16
1035: .IX Item "log_year"
1036: If set, the four-digit year will be logged in the (non-syslog) \fBsudo\fR log file.
1037: This flag is \fIoff\fR by default.
1038: .IP "long_otp_prompt" 16
1039: .IX Item "long_otp_prompt"
1040: When validating with a One Time Password (\s-1OTP\s0) scheme such as
1041: \&\fBS/Key\fR or \fB\s-1OPIE\s0\fR, a two-line prompt is used to make it easier
1042: to cut and paste the challenge to a local window. It's not as
1043: pretty as the default but some people find it more convenient. This
1044: flag is \fI@long_otp_prompt@\fR by default.
1045: .IP "mail_always" 16
1046: .IX Item "mail_always"
1047: Send mail to the \fImailto\fR user every time a users runs \fBsudo\fR.
1048: This flag is \fIoff\fR by default.
1049: .IP "mail_badpass" 16
1050: .IX Item "mail_badpass"
1051: Send mail to the \fImailto\fR user if the user running \fBsudo\fR does not
1052: enter the correct password. This flag is \fIoff\fR by default.
1053: .IP "mail_no_host" 16
1054: .IX Item "mail_no_host"
1055: If set, mail will be sent to the \fImailto\fR user if the invoking
1056: user exists in the \fIsudoers\fR file, but is not allowed to run
1057: commands on the current host. This flag is \fI@mail_no_host@\fR by default.
1058: .IP "mail_no_perms" 16
1059: .IX Item "mail_no_perms"
1060: If set, mail will be sent to the \fImailto\fR user if the invoking
1061: user is allowed to use \fBsudo\fR but the command they are trying is not
1062: listed in their \fIsudoers\fR file entry or is explicitly denied.
1063: This flag is \fI@mail_no_perms@\fR by default.
1064: .IP "mail_no_user" 16
1065: .IX Item "mail_no_user"
1066: If set, mail will be sent to the \fImailto\fR user if the invoking
1067: user is not in the \fIsudoers\fR file. This flag is \fI@mail_no_user@\fR
1068: by default.
1069: .IP "noexec" 16
1070: .IX Item "noexec"
1071: If set, all commands run via \fBsudo\fR will behave as if the \f(CW\*(C`NOEXEC\*(C'\fR
1072: tag has been set, unless overridden by a \f(CW\*(C`EXEC\*(C'\fR tag. See the
1.1.1.2 ! misho 1073: description of \fI\s-1NOEXEC\s0 and \s-1EXEC\s0\fR below as well as the \*(L"Preventing Shell
! 1074: Escapes\*(R" section at the end of this manual. This flag is \fIoff\fR by default.
1.1 misho 1075: .IP "path_info" 16
1076: .IX Item "path_info"
1077: Normally, \fBsudo\fR will tell the user when a command could not be
1078: found in their \f(CW\*(C`PATH\*(C'\fR environment variable. Some sites may wish
1079: to disable this as it could be used to gather information on the
1080: location of executables that the normal user does not have access
1081: to. The disadvantage is that if the executable is simply not in
1082: the user's \f(CW\*(C`PATH\*(C'\fR, \fBsudo\fR will tell the user that they are not
1083: allowed to run it, which can be confusing. This flag is \fI@path_info@\fR
1084: by default.
1085: .IP "passprompt_override" 16
1086: .IX Item "passprompt_override"
1087: The password prompt specified by \fIpassprompt\fR will normally only
1088: be used if the password prompt provided by systems such as \s-1PAM\s0 matches
1089: the string \*(L"Password:\*(R". If \fIpassprompt_override\fR is set, \fIpassprompt\fR
1090: will always be used. This flag is \fIoff\fR by default.
1091: .IP "preserve_groups" 16
1092: .IX Item "preserve_groups"
1093: By default, \fBsudo\fR will initialize the group vector to the list of
1094: groups the target user is in. When \fIpreserve_groups\fR is set, the
1095: user's existing group vector is left unaltered. The real and
1096: effective group IDs, however, are still set to match the target
1097: user. This flag is \fIoff\fR by default.
1098: .IP "pwfeedback" 16
1099: .IX Item "pwfeedback"
1100: By default, \fBsudo\fR reads the password like most other Unix programs,
1101: by turning off echo until the user hits the return (or enter) key.
1102: Some users become confused by this as it appears to them that \fBsudo\fR
1103: has hung at this point. When \fIpwfeedback\fR is set, \fBsudo\fR will
1104: provide visual feedback when the user presses a key. Note that
1105: this does have a security impact as an onlooker may be able to
1106: determine the length of the password being entered.
1107: This flag is \fIoff\fR by default.
1108: .IP "requiretty" 16
1109: .IX Item "requiretty"
1110: If set, \fBsudo\fR will only run when the user is logged in to a real
1111: tty. When this flag is set, \fBsudo\fR can only be run from a login
1112: session and not via other means such as \fIcron\fR\|(@mansectsu@) or cgi-bin scripts.
1113: This flag is \fIoff\fR by default.
1114: .IP "root_sudo" 16
1115: .IX Item "root_sudo"
1116: If set, root is allowed to run \fBsudo\fR too. Disabling this prevents users
1117: from \*(L"chaining\*(R" \fBsudo\fR commands to get a root shell by doing something
1118: like \f(CW"sudo sudo /bin/sh"\fR. Note, however, that turning off \fIroot_sudo\fR
1119: will also prevent root from running \fBsudoedit\fR.
1120: Disabling \fIroot_sudo\fR provides no real additional security; it
1121: exists purely for historical reasons.
1122: This flag is \fI@root_sudo@\fR by default.
1123: .IP "rootpw" 16
1124: .IX Item "rootpw"
1125: If set, \fBsudo\fR will prompt for the root password instead of the password
1126: of the invoking user. This flag is \fIoff\fR by default.
1127: .IP "runaspw" 16
1128: .IX Item "runaspw"
1129: If set, \fBsudo\fR will prompt for the password of the user defined by the
1130: \&\fIrunas_default\fR option (defaults to \f(CW\*(C`@runas_default@\*(C'\fR) instead of the
1131: password of the invoking user. This flag is \fIoff\fR by default.
1132: .IP "set_home" 16
1133: .IX Item "set_home"
1134: If enabled and \fBsudo\fR is invoked with the \fB\-s\fR option the \f(CW\*(C`HOME\*(C'\fR
1135: environment variable will be set to the home directory of the target
1136: user (which is root unless the \fB\-u\fR option is used). This effectively
1137: makes the \fB\-s\fR option imply \fB\-H\fR. Note that \f(CW\*(C`HOME\*(C'\fR is already
1138: set when the the \fIenv_reset\fR option is enabled, so \fIset_home\fR is
1139: only effective for configurations where either \fIenv_reset\fR is disabled
1140: or \f(CW\*(C`HOME\*(C'\fR is present in the \fIenv_keep\fR list.
1141: This flag is \fIoff\fR by default.
1142: .IP "set_logname" 16
1143: .IX Item "set_logname"
1144: Normally, \fBsudo\fR will set the \f(CW\*(C`LOGNAME\*(C'\fR, \f(CW\*(C`USER\*(C'\fR and \f(CW\*(C`USERNAME\*(C'\fR
1145: environment variables to the name of the target user (usually root
1146: unless the \fB\-u\fR option is given). However, since some programs
1147: (including the \s-1RCS\s0 revision control system) use \f(CW\*(C`LOGNAME\*(C'\fR to
1148: determine the real identity of the user, it may be desirable to
1149: change this behavior. This can be done by negating the set_logname
1150: option. Note that if the \fIenv_reset\fR option has not been disabled,
1151: entries in the \fIenv_keep\fR list will override the value of
1152: \&\fIset_logname\fR. This flag is \fIon\fR by default.
1153: .IP "set_utmp" 16
1154: .IX Item "set_utmp"
1155: When enabled, \fBsudo\fR will create an entry in the utmp (or utmpx)
1156: file when a pseudo-tty is allocated. A pseudo-tty is allocated by
1157: \&\fBsudo\fR when the \fIlog_input\fR, \fIlog_output\fR or \fIuse_pty\fR flags
1158: are enabled. By default, the new entry will be a copy of the user's
1159: existing utmp entry (if any), with the tty, time, type and pid
1160: fields updated. This flag is \fIon\fR by default.
1161: .IP "setenv" 16
1162: .IX Item "setenv"
1163: Allow the user to disable the \fIenv_reset\fR option from the command
1164: line via the \fB\-E\fR option. Additionally, environment variables set
1165: via the command line are not subject to the restrictions imposed
1166: by \fIenv_check\fR, \fIenv_delete\fR, or \fIenv_keep\fR. As such, only
1167: trusted users should be allowed to set variables in this manner.
1168: This flag is \fIoff\fR by default.
1169: .IP "shell_noargs" 16
1170: .IX Item "shell_noargs"
1171: If set and \fBsudo\fR is invoked with no arguments it acts as if the
1172: \&\fB\-s\fR option had been given. That is, it runs a shell as root (the
1173: shell is determined by the \f(CW\*(C`SHELL\*(C'\fR environment variable if it is
1174: set, falling back on the shell listed in the invoking user's
1175: /etc/passwd entry if not). This flag is \fIoff\fR by default.
1176: .IP "stay_setuid" 16
1177: .IX Item "stay_setuid"
1178: Normally, when \fBsudo\fR executes a command the real and effective
1179: UIDs are set to the target user (root by default). This option
1180: changes that behavior such that the real \s-1UID\s0 is left as the invoking
1181: user's \s-1UID\s0. In other words, this makes \fBsudo\fR act as a setuid
1182: wrapper. This can be useful on systems that disable some potentially
1183: dangerous functionality when a program is run setuid. This option
1184: is only effective on systems with either the \fIsetreuid()\fR or \fIsetresuid()\fR
1185: function. This flag is \fIoff\fR by default.
1186: .IP "targetpw" 16
1187: .IX Item "targetpw"
1188: If set, \fBsudo\fR will prompt for the password of the user specified
1189: by the \fB\-u\fR option (defaults to \f(CW\*(C`root\*(C'\fR) instead of the password
1190: of the invoking user. In addition, the timestamp file name will
1191: include the target user's name. Note that this flag precludes the
1192: use of a uid not listed in the passwd database as an argument to
1193: the \fB\-u\fR option. This flag is \fIoff\fR by default.
1194: .IP "tty_tickets" 16
1195: .IX Item "tty_tickets"
1196: If set, users must authenticate on a per-tty basis. With this flag
1197: enabled, \fBsudo\fR will use a file named for the tty the user is
1198: logged in on in the user's time stamp directory. If disabled, the
1199: time stamp of the directory is used instead. This flag is
1200: \&\fI@tty_tickets@\fR by default.
1201: .IP "umask_override" 16
1202: .IX Item "umask_override"
1203: If set, \fBsudo\fR will set the umask as specified by \fIsudoers\fR without
1204: modification. This makes it possible to specify a more permissive
1205: umask in \fIsudoers\fR than the user's own umask and matches historical
1206: behavior. If \fIumask_override\fR is not set, \fBsudo\fR will set the
1207: umask to be the union of the user's umask and what is specified in
1208: \&\fIsudoers\fR. This flag is \fI@umask_override@\fR by default.
1209: .if \n(LC \{\
1210: .IP "use_loginclass" 16
1211: .IX Item "use_loginclass"
1212: If set, \fBsudo\fR will apply the defaults specified for the target user's
1213: login class if one exists. Only available if \fBsudo\fR is configured with
1214: the \-\-with\-logincap option. This flag is \fIoff\fR by default.
1215: \}
1216: .IP "use_pty" 16
1217: .IX Item "use_pty"
1218: If set, \fBsudo\fR will run the command in a pseudo-pty even if no I/O
1219: logging is being gone. A malicious program run under \fBsudo\fR could
1220: conceivably fork a background process that retains to the user's
1221: terminal device after the main program has finished executing. Use
1222: of this option will make that impossible. This flag is \fIoff\fR by default.
1223: .IP "utmp_runas" 16
1224: .IX Item "utmp_runas"
1225: If set, \fBsudo\fR will store the name of the runas user when updating
1226: the utmp (or utmpx) file. By default, \fBsudo\fR stores the name of
1227: the invoking user. This flag is \fIoff\fR by default.
1228: .IP "visiblepw" 16
1229: .IX Item "visiblepw"
1230: By default, \fBsudo\fR will refuse to run if the user must enter a
1231: password but it is not possible to disable echo on the terminal.
1232: If the \fIvisiblepw\fR flag is set, \fBsudo\fR will prompt for a password
1233: even when it would be visible on the screen. This makes it possible
1234: to run things like \f(CW"rsh somehost sudo ls"\fR since \fIrsh\fR\|(1) does
1235: not allocate a tty. This flag is \fIoff\fR by default.
1236: .PP
1237: \&\fBIntegers\fR:
1238: .IP "closefrom" 16
1239: .IX Item "closefrom"
1240: Before it executes a command, \fBsudo\fR will close all open file
1241: descriptors other than standard input, standard output and standard
1242: error (ie: file descriptors 0\-2). The \fIclosefrom\fR option can be used
1243: to specify a different file descriptor at which to start closing.
1244: The default is \f(CW3\fR.
1245: .IP "passwd_tries" 16
1246: .IX Item "passwd_tries"
1247: The number of tries a user gets to enter his/her password before
1248: \&\fBsudo\fR logs the failure and exits. The default is \f(CW\*(C`@passwd_tries@\*(C'\fR.
1249: .PP
1250: \&\fBIntegers that can be used in a boolean context\fR:
1251: .IP "loglinelen" 16
1252: .IX Item "loglinelen"
1253: Number of characters per line for the file log. This value is used
1254: to decide when to wrap lines for nicer log files. This has no
1255: effect on the syslog log file, only the file log. The default is
1256: \&\f(CW\*(C`@loglen@\*(C'\fR (use 0 or negate the option to disable word wrap).
1257: .IP "passwd_timeout" 16
1258: .IX Item "passwd_timeout"
1259: Number of minutes before the \fBsudo\fR password prompt times out, or
1260: \&\f(CW0\fR for no timeout. The timeout may include a fractional component
1261: if minute granularity is insufficient, for example \f(CW2.5\fR. The
1262: default is \f(CW\*(C`@password_timeout@\*(C'\fR.
1263: .IP "timestamp_timeout" 16
1264: .IX Item "timestamp_timeout"
1265: Number of minutes that can elapse before \fBsudo\fR will ask for a
1266: passwd again. The timeout may include a fractional component if
1267: minute granularity is insufficient, for example \f(CW2.5\fR. The default
1268: is \f(CW\*(C`@timeout@\*(C'\fR. Set this to \f(CW0\fR to always prompt for a password.
1269: If set to a value less than \f(CW0\fR the user's timestamp will never
1270: expire. This can be used to allow users to create or delete their
1271: own timestamps via \f(CW\*(C`sudo \-v\*(C'\fR and \f(CW\*(C`sudo \-k\*(C'\fR respectively.
1272: .IP "umask" 16
1273: .IX Item "umask"
1274: Umask to use when running the command. Negate this option or set
1275: it to 0777 to preserve the user's umask. The actual umask that is
1276: used will be the union of the user's umask and the value of the
1277: \&\fIumask\fR option, which defaults to \f(CW\*(C`@sudo_umask@\*(C'\fR. This guarantees
1278: that \fBsudo\fR never lowers the umask when running a command. Note
1279: on systems that use \s-1PAM\s0, the default \s-1PAM\s0 configuration may specify
1280: its own umask which will override the value set in \fIsudoers\fR.
1281: .PP
1282: \&\fBStrings\fR:
1283: .IP "badpass_message" 16
1284: .IX Item "badpass_message"
1285: Message that is displayed if a user enters an incorrect password.
1286: The default is \f(CW\*(C`@badpass_message@\*(C'\fR unless insults are enabled.
1287: .IP "editor" 16
1288: .IX Item "editor"
1289: A colon (':') separated list of editors allowed to be used with
1290: \&\fBvisudo\fR. \fBvisudo\fR will choose the editor that matches the user's
1291: \&\s-1EDITOR\s0 environment variable if possible, or the first editor in the
1292: list that exists and is executable. The default is \f(CW"@editor@"\fR.
1293: .IP "iolog_dir" 16
1294: .IX Item "iolog_dir"
1295: The top-level directory to use when constructing the path name for
1296: the input/output log directory. Only used if the \fIlog_input\fR or
1297: \&\fIlog_output\fR options are enabled or when the \f(CW\*(C`LOG_INPUT\*(C'\fR or
1298: \&\f(CW\*(C`LOG_OUTPUT\*(C'\fR tags are present for a command. The session sequence
1299: number, if any, is stored in the directory.
1300: The default is \f(CW"@iolog_dir@"\fR.
1301: .Sp
1302: The following percent (`\f(CW\*(C`%\*(C'\fR') escape sequences are supported:
1303: .RS 16
1304: .ie n .IP "\*(C`%{seq}\*(C'" 4
1305: .el .IP "\f(CW\*(C`%{seq}\*(C'\fR" 4
1306: .IX Item "%{seq}"
1307: expanded to a monotonically increasing base\-36 sequence number, such as 0100A5,
1308: where every two digits are used to form a new directory, e.g. \fI01/00/A5\fR
1309: .ie n .IP "\*(C`%{user}\*(C'" 4
1310: .el .IP "\f(CW\*(C`%{user}\*(C'\fR" 4
1311: .IX Item "%{user}"
1312: expanded to the invoking user's login name
1313: .ie n .IP "\*(C`%{group}\*(C'" 4
1314: .el .IP "\f(CW\*(C`%{group}\*(C'\fR" 4
1315: .IX Item "%{group}"
1316: expanded to the name of the invoking user's real group \s-1ID\s0
1317: .ie n .IP "\*(C`%{runas_user}\*(C'" 4
1318: .el .IP "\f(CW\*(C`%{runas_user}\*(C'\fR" 4
1319: .IX Item "%{runas_user}"
1320: expanded to the login name of the user the command will
1321: be run as (e.g. root)
1322: .ie n .IP "\*(C`%{runas_group}\*(C'" 4
1323: .el .IP "\f(CW\*(C`%{runas_group}\*(C'\fR" 4
1324: .IX Item "%{runas_group}"
1325: expanded to the group name of the user the command will
1326: be run as (e.g. wheel)
1327: .ie n .IP "\*(C`%{hostname}\*(C'" 4
1328: .el .IP "\f(CW\*(C`%{hostname}\*(C'\fR" 4
1329: .IX Item "%{hostname}"
1330: expanded to the local host name without the domain name
1331: .ie n .IP "\*(C`%{command}\*(C'" 4
1332: .el .IP "\f(CW\*(C`%{command}\*(C'\fR" 4
1333: .IX Item "%{command}"
1334: expanded to the base name of the command being run
1335: .RE
1336: .RS 16
1337: .Sp
1338: In addition, any escape sequences supported by the system's \fIstrftime()\fR
1339: function will be expanded.
1340: .Sp
1341: To include a literal `\f(CW\*(C`%\*(C'\fR' character, the string `\f(CW\*(C`%%\*(C'\fR' should
1342: be used.
1343: .RE
1344: .IP "iolog_file" 16
1345: .IX Item "iolog_file"
1346: The path name, relative to \fIiolog_dir\fR, in which to store input/output
1347: logs when the \fIlog_input\fR or \fIlog_output\fR options are enabled or
1348: when the \f(CW\*(C`LOG_INPUT\*(C'\fR or \f(CW\*(C`LOG_OUTPUT\*(C'\fR tags are present for a command.
1349: Note that \fIiolog_file\fR may contain directory components.
1350: The default is \f(CW"%{seq}"\fR.
1351: .Sp
1352: See the \fIiolog_dir\fR option above for a list of supported percent
1353: (`\f(CW\*(C`%\*(C'\fR') escape sequences.
1354: .Sp
1355: In addition to the escape sequences, path names that end in six or
1356: more \f(CW\*(C`X\*(C'\fRs will have the \f(CW\*(C`X\*(C'\fRs replaced with a unique combination
1357: of digits and letters, similar to the \fImktemp()\fR function.
1358: .IP "mailsub" 16
1359: .IX Item "mailsub"
1360: Subject of the mail sent to the \fImailto\fR user. The escape \f(CW%h\fR
1361: will expand to the host name of the machine.
1362: Default is \f(CW\*(C`@mailsub@\*(C'\fR.
1363: .IP "noexec_file" 16
1364: .IX Item "noexec_file"
1.1.1.2 ! misho 1365: This option is no longer supported. The path to the noexec file
! 1366: should now be set in the \fI@sysconfdir@/sudo.conf\fR file.
1.1 misho 1367: .IP "passprompt" 16
1368: .IX Item "passprompt"
1369: The default prompt to use when asking for a password; can be overridden
1370: via the \fB\-p\fR option or the \f(CW\*(C`SUDO_PROMPT\*(C'\fR environment variable.
1371: The following percent (`\f(CW\*(C`%\*(C'\fR') escape sequences are supported:
1372: .RS 16
1373: .ie n .IP "%H" 4
1374: .el .IP "\f(CW%H\fR" 4
1375: .IX Item "%H"
1376: expanded to the local host name including the domain name
1377: (only if the machine's host name is fully qualified or the \fIfqdn\fR
1378: option is set)
1379: .ie n .IP "%h" 4
1380: .el .IP "\f(CW%h\fR" 4
1381: .IX Item "%h"
1382: expanded to the local host name without the domain name
1383: .ie n .IP "%p" 4
1384: .el .IP "\f(CW%p\fR" 4
1385: .IX Item "%p"
1386: expanded to the user whose password is being asked for (respects the
1387: \&\fIrootpw\fR, \fItargetpw\fR and \fIrunaspw\fR flags in \fIsudoers\fR)
1388: .ie n .IP "%U" 4
1389: .el .IP "\f(CW%U\fR" 4
1390: .IX Item "%U"
1391: expanded to the login name of the user the command will
1392: be run as (defaults to root)
1393: .ie n .IP "%u" 4
1394: .el .IP "\f(CW%u\fR" 4
1395: .IX Item "%u"
1396: expanded to the invoking user's login name
1397: .ie n .IP "\*(C`%%\*(C'" 4
1398: .el .IP "\f(CW\*(C`%%\*(C'\fR" 4
1399: .IX Item "%%"
1400: two consecutive \f(CW\*(C`%\*(C'\fR characters are collapsed into a single \f(CW\*(C`%\*(C'\fR character
1401: .RE
1402: .RS 16
1403: .Sp
1404: The default value is \f(CW\*(C`@passprompt@\*(C'\fR.
1405: .RE
1406: .if \n(SL \{\
1407: .IP "role" 16
1408: .IX Item "role"
1409: The default SELinux role to use when constructing a new security
1410: context to run the command. The default role may be overridden on
1411: a per-command basis in \fIsudoers\fR or via command line options.
1412: This option is only available whe \fBsudo\fR is built with SELinux support.
1413: \}
1414: .IP "runas_default" 16
1415: .IX Item "runas_default"
1416: The default user to run commands as if the \fB\-u\fR option is not specified
1417: on the command line. This defaults to \f(CW\*(C`@runas_default@\*(C'\fR.
1418: .IP "syslog_badpri" 16
1419: .IX Item "syslog_badpri"
1420: Syslog priority to use when user authenticates unsuccessfully.
1421: Defaults to \f(CW\*(C`@badpri@\*(C'\fR.
1422: .Sp
1423: The following syslog priorities are supported: \fBalert\fR, \fBcrit\fR,
1424: \&\fBdebug\fR, \fBemerg\fR, \fBerr\fR, \fBinfo\fR, \fBnotice\fR, and \fBwarning\fR.
1425: .IP "syslog_goodpri" 16
1426: .IX Item "syslog_goodpri"
1427: Syslog priority to use when user authenticates successfully.
1428: Defaults to \f(CW\*(C`@goodpri@\*(C'\fR.
1429: .Sp
1430: See syslog_badpri for the list of supported syslog priorities.
1431: .IP "sudoers_locale" 16
1432: .IX Item "sudoers_locale"
1433: Locale to use when parsing the sudoers file, logging commands, and
1434: sending email. Note that changing the locale may affect how sudoers
1435: is interpreted. Defaults to \f(CW"C"\fR.
1436: .IP "timestampdir" 16
1437: .IX Item "timestampdir"
1438: The directory in which \fBsudo\fR stores its timestamp files.
1439: The default is \fI@timedir@\fR.
1440: .IP "timestampowner" 16
1441: .IX Item "timestampowner"
1442: The owner of the timestamp directory and the timestamps stored therein.
1443: The default is \f(CW\*(C`root\*(C'\fR.
1444: .if \n(SL \{\
1445: .IP "type" 16
1446: .IX Item "type"
1447: The default SELinux type to use when constructing a new security
1448: context to run the command. The default type may be overridden on
1449: a per-command basis in \fIsudoers\fR or via command line options.
1450: This option is only available whe \fBsudo\fR is built with SELinux support.
1451: \}
1452: .PP
1453: \&\fBStrings that can be used in a boolean context\fR:
1454: .IP "env_file" 12
1455: .IX Item "env_file"
1.1.1.2 ! misho 1456: The \fIenv_file\fR option specifies the fully qualified path to a
1.1 misho 1457: file containing variables to be set in the environment of the program
1458: being run. Entries in this file should either be of the form
1459: \&\f(CW\*(C`VARIABLE=value\*(C'\fR or \f(CW\*(C`export VARIABLE=value\*(C'\fR. The value may
1460: optionally be surrounded by single or double quotes. Variables in
1461: this file are subject to other \fBsudo\fR environment settings such
1462: as \fIenv_keep\fR and \fIenv_check\fR.
1463: .IP "exempt_group" 12
1464: .IX Item "exempt_group"
1465: Users in this group are exempt from password and \s-1PATH\s0 requirements.
1466: The group name specified should not include a \f(CW\*(C`%\*(C'\fR prefix.
1467: This is not set by default.
1468: .IP "group_plugin" 12
1469: .IX Item "group_plugin"
1470: A string containing a \fIsudoers\fR group plugin with optional arguments.
1471: This can be used to implement support for the \f(CW\*(C`nonunix_group\*(C'\fR
1472: syntax described earlier. The string should consist of the plugin
1473: path, either fully-qualified or relative to the \fI@prefix@/libexec\fR
1474: directory, followed by any configuration arguments the plugin
1475: requires. These arguments (if any) will be passed to the plugin's
1476: initialization function. If arguments are present, the string must
1477: be enclosed in double quotes (\f(CW\*(C`"\*(C'\fR).
1478: .Sp
1479: For example, given \fI/etc/sudo\-group\fR, a group file in Unix group
1480: format, the sample group plugin can be used:
1481: .Sp
1482: .Vb 1
1483: \& Defaults group_plugin="sample_group.so /etc/sudo\-group"
1484: .Ve
1485: .Sp
1486: For more information see \fIsudo_plugin\fR\|(@mansectform@).
1487: .IP "lecture" 12
1488: .IX Item "lecture"
1489: This option controls when a short lecture will be printed along with
1490: the password prompt. It has the following possible values:
1491: .RS 12
1492: .IP "always" 8
1493: .IX Item "always"
1494: Always lecture the user.
1495: .IP "never" 8
1496: .IX Item "never"
1497: Never lecture the user.
1498: .IP "once" 8
1499: .IX Item "once"
1500: Only lecture the user the first time they run \fBsudo\fR.
1501: .RE
1502: .RS 12
1503: .Sp
1504: If no value is specified, a value of \fIonce\fR is implied.
1505: Negating the option results in a value of \fInever\fR being used.
1506: The default value is \fI@lecture@\fR.
1507: .RE
1508: .IP "lecture_file" 12
1509: .IX Item "lecture_file"
1510: Path to a file containing an alternate \fBsudo\fR lecture that will
1511: be used in place of the standard lecture if the named file exists.
1512: By default, \fBsudo\fR uses a built-in lecture.
1513: .IP "listpw" 12
1514: .IX Item "listpw"
1515: This option controls when a password will be required when a
1516: user runs \fBsudo\fR with the \fB\-l\fR option. It has the following possible values:
1517: .RS 12
1518: .IP "all" 8
1519: .IX Item "all"
1520: All the user's \fIsudoers\fR entries for the current host must have
1521: the \f(CW\*(C`NOPASSWD\*(C'\fR flag set to avoid entering a password.
1522: .IP "always" 8
1523: .IX Item "always"
1524: The user must always enter a password to use the \fB\-l\fR option.
1525: .IP "any" 8
1526: .IX Item "any"
1527: At least one of the user's \fIsudoers\fR entries for the current host
1528: must have the \f(CW\*(C`NOPASSWD\*(C'\fR flag set to avoid entering a password.
1529: .IP "never" 8
1530: .IX Item "never"
1531: The user need never enter a password to use the \fB\-l\fR option.
1532: .RE
1533: .RS 12
1534: .Sp
1535: If no value is specified, a value of \fIany\fR is implied.
1536: Negating the option results in a value of \fInever\fR being used.
1537: The default value is \fIany\fR.
1538: .RE
1539: .IP "logfile" 12
1540: .IX Item "logfile"
1541: Path to the \fBsudo\fR log file (not the syslog log file). Setting a path
1542: turns on logging to a file; negating this option turns it off.
1543: By default, \fBsudo\fR logs via syslog.
1544: .IP "mailerflags" 12
1545: .IX Item "mailerflags"
1546: Flags to use when invoking mailer. Defaults to \fB\-t\fR.
1547: .IP "mailerpath" 12
1548: .IX Item "mailerpath"
1549: Path to mail program used to send warning mail.
1550: Defaults to the path to sendmail found at configure time.
1551: .IP "mailfrom" 12
1552: .IX Item "mailfrom"
1553: Address to use for the \*(L"from\*(R" address when sending warning and error
1554: mail. The address should be enclosed in double quotes (\f(CW\*(C`"\*(C'\fR) to
1555: protect against \fBsudo\fR interpreting the \f(CW\*(C`@\*(C'\fR sign. Defaults to
1556: the name of the user running \fBsudo\fR.
1557: .IP "mailto" 12
1558: .IX Item "mailto"
1559: Address to send warning and error mail to. The address should
1560: be enclosed in double quotes (\f(CW\*(C`"\*(C'\fR) to protect against \fBsudo\fR
1561: interpreting the \f(CW\*(C`@\*(C'\fR sign. Defaults to \f(CW\*(C`@mailto@\*(C'\fR.
1562: .IP "secure_path" 12
1563: .IX Item "secure_path"
1564: Path used for every command run from \fBsudo\fR. If you don't trust the
1565: people running \fBsudo\fR to have a sane \f(CW\*(C`PATH\*(C'\fR environment variable you may
1566: want to use this. Another use is if you want to have the \*(L"root path\*(R"
1567: be separate from the \*(L"user path.\*(R" Users in the group specified by the
1568: \&\fIexempt_group\fR option are not affected by \fIsecure_path\fR.
1569: This option is @secure_path@ by default.
1570: .IP "syslog" 12
1571: .IX Item "syslog"
1572: Syslog facility if syslog is being used for logging (negate to
1573: disable syslog logging). Defaults to \f(CW\*(C`@logfac@\*(C'\fR.
1574: .Sp
1575: The following syslog facilities are supported: \fBauthpriv\fR (if your
1576: \&\s-1OS\s0 supports it), \fBauth\fR, \fBdaemon\fR, \fBuser\fR, \fBlocal0\fR, \fBlocal1\fR,
1577: \&\fBlocal2\fR, \fBlocal3\fR, \fBlocal4\fR, \fBlocal5\fR, \fBlocal6\fR, and \fBlocal7\fR.
1578: .IP "verifypw" 12
1579: .IX Item "verifypw"
1580: This option controls when a password will be required when a user runs
1581: \&\fBsudo\fR with the \fB\-v\fR option. It has the following possible values:
1582: .RS 12
1583: .IP "all" 8
1584: .IX Item "all"
1585: All the user's \fIsudoers\fR entries for the current host must have
1586: the \f(CW\*(C`NOPASSWD\*(C'\fR flag set to avoid entering a password.
1587: .IP "always" 8
1588: .IX Item "always"
1589: The user must always enter a password to use the \fB\-v\fR option.
1590: .IP "any" 8
1591: .IX Item "any"
1592: At least one of the user's \fIsudoers\fR entries for the current host
1593: must have the \f(CW\*(C`NOPASSWD\*(C'\fR flag set to avoid entering a password.
1594: .IP "never" 8
1595: .IX Item "never"
1596: The user need never enter a password to use the \fB\-v\fR option.
1597: .RE
1598: .RS 12
1599: .Sp
1600: If no value is specified, a value of \fIall\fR is implied.
1601: Negating the option results in a value of \fInever\fR being used.
1602: The default value is \fIall\fR.
1603: .RE
1604: .PP
1605: \&\fBLists that can be used in a boolean context\fR:
1606: .IP "env_check" 16
1607: .IX Item "env_check"
1608: Environment variables to be removed from the user's environment if
1609: the variable's value contains \f(CW\*(C`%\*(C'\fR or \f(CW\*(C`/\*(C'\fR characters. This can
1610: be used to guard against printf-style format vulnerabilities in
1611: poorly-written programs. The argument may be a double-quoted,
1612: space-separated list or a single value without double-quotes. The
1613: list can be replaced, added to, deleted from, or disabled by using
1614: the \f(CW\*(C`=\*(C'\fR, \f(CW\*(C`+=\*(C'\fR, \f(CW\*(C`\-=\*(C'\fR, and \f(CW\*(C`!\*(C'\fR operators respectively. Regardless
1615: of whether the \f(CW\*(C`env_reset\*(C'\fR option is enabled or disabled, variables
1616: specified by \f(CW\*(C`env_check\*(C'\fR will be preserved in the environment if
1617: they pass the aforementioned check. The default list of environment
1618: variables to check is displayed when \fBsudo\fR is run by root with
1619: the \fI\-V\fR option.
1620: .IP "env_delete" 16
1621: .IX Item "env_delete"
1622: Environment variables to be removed from the user's environment
1623: when the \fIenv_reset\fR option is not in effect. The argument may
1624: be a double-quoted, space-separated list or a single value without
1625: double-quotes. The list can be replaced, added to, deleted from,
1626: or disabled by using the \f(CW\*(C`=\*(C'\fR, \f(CW\*(C`+=\*(C'\fR, \f(CW\*(C`\-=\*(C'\fR, and \f(CW\*(C`!\*(C'\fR operators
1627: respectively. The default list of environment variables to remove
1628: is displayed when \fBsudo\fR is run by root with the \fI\-V\fR option.
1629: Note that many operating systems will remove potentially dangerous
1630: variables from the environment of any setuid process (such as
1631: \&\fBsudo\fR).
1632: .IP "env_keep" 16
1633: .IX Item "env_keep"
1634: Environment variables to be preserved in the user's environment
1635: when the \fIenv_reset\fR option is in effect. This allows fine-grained
1636: control over the environment \fBsudo\fR\-spawned processes will receive.
1637: The argument may be a double-quoted, space-separated list or a
1638: single value without double-quotes. The list can be replaced, added
1639: to, deleted from, or disabled by using the \f(CW\*(C`=\*(C'\fR, \f(CW\*(C`+=\*(C'\fR, \f(CW\*(C`\-=\*(C'\fR, and
1640: \&\f(CW\*(C`!\*(C'\fR operators respectively. The default list of variables to keep
1641: is displayed when \fBsudo\fR is run by root with the \fI\-V\fR option.
1.1.1.2 ! misho 1642: .SH "SUDO.CONF"
! 1643: .IX Header "SUDO.CONF"
! 1644: The \fI@sysconfdir@/sudo.conf\fR file determines which plugins the
! 1645: \&\fBsudo\fR front end will load. If no \fI@sysconfdir@/sudo.conf\fR file
! 1646: is present, or it contains no \f(CW\*(C`Plugin\*(C'\fR lines, \fBsudo\fR will use the
! 1647: \&\fIsudoers\fR security policy and I/O logging, which corresponds to
! 1648: the following \fI@sysconfdir@/sudo.conf\fR file.
! 1649: .PP
! 1650: .Vb 10
! 1651: \& #
! 1652: \& # Default @sysconfdir@/sudo.conf file
! 1653: \& #
! 1654: \& # Format:
! 1655: \& # Plugin plugin_name plugin_path plugin_options ...
! 1656: \& # Path askpass /path/to/askpass
! 1657: \& # Path noexec /path/to/sudo_noexec.so
! 1658: \& # Debug sudo /var/log/sudo_debug all@warn
! 1659: \& # Set disable_coredump true
! 1660: \& #
! 1661: \& # The plugin_path is relative to @prefix@/libexec unless
! 1662: \& # fully qualified.
! 1663: \& # The plugin_name corresponds to a global symbol in the plugin
! 1664: \& # that contains the plugin interface structure.
! 1665: \& # The plugin_options are optional.
! 1666: \& #
! 1667: \& Plugin policy_plugin sudoers.so
! 1668: \& Plugin io_plugin sudoers.so
! 1669: .Ve
! 1670: .SS "\s-1PLUGIN\s0 \s-1OPTIONS\s0"
! 1671: .IX Subsection "PLUGIN OPTIONS"
! 1672: Starting with \fBsudo\fR 1.8.5 it is possible to pass options to the
! 1673: \&\fIsudoers\fR plugin. Options may be listed after the path to the
! 1674: plugin (i.e. after \fIsudoers.so\fR); multiple options should be
! 1675: space-separated. For example:
! 1676: .PP
! 1677: .Vb 1
! 1678: \& Plugin sudoers_policy sudoers.so sudoers_file=/etc/sudoers sudoers_uid=0 sudoers_gid=0 sudoers_mode=0440
! 1679: .Ve
! 1680: .PP
! 1681: The following plugin options are supported:
! 1682: .IP "sudoers_file=pathname" 10
! 1683: .IX Item "sudoers_file=pathname"
! 1684: The \fIsudoers_file\fR option can be used to override the default path
! 1685: to the \fIsudoers\fR file.
! 1686: .IP "sudoers_uid=uid" 10
! 1687: .IX Item "sudoers_uid=uid"
! 1688: The \fIsudoers_uid\fR option can be used to override the default owner
! 1689: of the sudoers file. It should be specified as a numeric user \s-1ID\s0.
! 1690: .IP "sudoers_gid=gid" 10
! 1691: .IX Item "sudoers_gid=gid"
! 1692: The \fIsudoers_gid\fR option can be used to override the default group
! 1693: of the sudoers file. It should be specified as a numeric group \s-1ID\s0.
! 1694: .IP "sudoers_mode=mode" 10
! 1695: .IX Item "sudoers_mode=mode"
! 1696: The \fIsudoers_mode\fR option can be used to override the default file
! 1697: mode for the sudoers file. It should be specified as an octal value.
! 1698: .SS "\s-1DEBUG\s0 \s-1FLAGS\s0"
! 1699: .IX Subsection "DEBUG FLAGS"
! 1700: Versions 1.8.4 and higher of the \fIsudoers\fR plugin supports a
! 1701: debugging framework that can help track down what the plugin is
! 1702: doing internally if there is a problem. This can be configured in
! 1703: the \fI@sysconfdir@/sudo.conf\fR file as described in \fIsudo\fR\|(@mansectsu@).
! 1704: .PP
! 1705: The \fIsudoers\fR plugin uses the same debug flag format as \fBsudo\fR
! 1706: itself: \fIsubsystem\fR@\fIpriority\fR.
! 1707: .PP
! 1708: The priorities used by \fIsudoers\fR, in order of decreasing severity,
! 1709: are: \fIcrit\fR, \fIerr\fR, \fIwarn\fR, \fInotice\fR, \fIdiag\fR, \fIinfo\fR, \fItrace\fR
! 1710: and \fIdebug\fR. Each priority, when specified, also includes all
! 1711: priorities higher than it. For example, a priority of \fInotice\fR
! 1712: would include debug messages logged at \fInotice\fR and higher.
! 1713: .PP
! 1714: The following subsystems are used by \fIsudoers\fR:
! 1715: .IP "\fIalias\fR" 10
! 1716: .IX Item "alias"
! 1717: \&\f(CW\*(C`User_Alias\*(C'\fR, \f(CW\*(C`Runas_Alias\*(C'\fR, \f(CW\*(C`Host_Alias\*(C'\fR and \f(CW\*(C`Cmnd_Alias\*(C'\fR processing
! 1718: .IP "\fIall\fR" 10
! 1719: .IX Item "all"
! 1720: matches every subsystem
! 1721: .IP "\fIaudit\fR" 10
! 1722: .IX Item "audit"
! 1723: \&\s-1BSM\s0 and Linux audit code
! 1724: .IP "\fIauth\fR" 10
! 1725: .IX Item "auth"
! 1726: user authentication
! 1727: .IP "\fIdefaults\fR" 10
! 1728: .IX Item "defaults"
! 1729: \&\fIsudoers\fR \fIDefaults\fR settings
! 1730: .IP "\fIenv\fR" 10
! 1731: .IX Item "env"
! 1732: environment handling
! 1733: .IP "\fIldap\fR" 10
! 1734: .IX Item "ldap"
! 1735: LDAP-based sudoers
! 1736: .IP "\fIlogging\fR" 10
! 1737: .IX Item "logging"
! 1738: logging support
! 1739: .IP "\fImatch\fR" 10
! 1740: .IX Item "match"
! 1741: matching of users, groups, hosts and netgroups in \fIsudoers\fR
! 1742: .IP "\fInetif\fR" 10
! 1743: .IX Item "netif"
! 1744: network interface handling
! 1745: .IP "\fInss\fR" 10
! 1746: .IX Item "nss"
! 1747: network service switch handling in \fIsudoers\fR
! 1748: .IP "\fIparser\fR" 10
! 1749: .IX Item "parser"
! 1750: \&\fIsudoers\fR file parsing
! 1751: .IP "\fIperms\fR" 10
! 1752: .IX Item "perms"
! 1753: permission setting
! 1754: .IP "\fIplugin\fR" 10
! 1755: .IX Item "plugin"
! 1756: The equivalent of \fImain\fR for the plugin.
! 1757: .IP "\fIpty\fR" 10
! 1758: .IX Item "pty"
! 1759: pseudo-tty related code
! 1760: .IP "\fIrbtree\fR" 10
! 1761: .IX Item "rbtree"
! 1762: redblack tree internals
! 1763: .IP "\fIutil\fR" 10
! 1764: .IX Item "util"
! 1765: utility functions
1.1 misho 1766: .SH "FILES"
1767: .IX Header "FILES"
1.1.1.2 ! misho 1768: .ie n .IP "\fI@sysconfdir@/sudo.conf\fR" 24
! 1769: .el .IP "\fI@sysconfdir@/sudo.conf\fR" 24
! 1770: .IX Item "@sysconfdir@/sudo.conf"
! 1771: Sudo front end configuration
1.1 misho 1772: .ie n .IP "\fI@sysconfdir@/sudoers\fR" 24
1773: .el .IP "\fI@sysconfdir@/sudoers\fR" 24
1774: .IX Item "@sysconfdir@/sudoers"
1775: List of who can run what
1776: .IP "\fI/etc/group\fR" 24
1777: .IX Item "/etc/group"
1778: Local groups file
1779: .IP "\fI/etc/netgroup\fR" 24
1780: .IX Item "/etc/netgroup"
1781: List of network groups
1782: .ie n .IP "\fI@iolog_dir@\fR" 24
1783: .el .IP "\fI@iolog_dir@\fR" 24
1784: .IX Item "@iolog_dir@"
1785: I/O log files
1786: .ie n .IP "\fI@timedir@\fR" 24
1787: .el .IP "\fI@timedir@\fR" 24
1788: .IX Item "@timedir@"
1789: Directory containing time stamps for the \fIsudoers\fR security policy
1790: .IP "\fI/etc/environment\fR" 24
1791: .IX Item "/etc/environment"
1.1.1.2 ! misho 1792: Initial environment for \fB\-i\fR mode on \s-1AIX\s0 and Linux systems
1.1 misho 1793: .SH "EXAMPLES"
1794: .IX Header "EXAMPLES"
1795: Below are example \fIsudoers\fR entries. Admittedly, some of
1796: these are a bit contrived. First, we allow a few environment
1797: variables to pass and then define our \fIaliases\fR:
1798: .PP
1799: .Vb 4
1800: \& # Run X applications through sudo; HOME is used to find the
1801: \& # .Xauthority file. Note that other programs use HOME to find
1802: \& # configuration files and this may lead to privilege escalation!
1803: \& Defaults env_keep += "DISPLAY HOME"
1804: \&
1805: \& # User alias specification
1806: \& User_Alias FULLTIMERS = millert, mikef, dowdy
1807: \& User_Alias PARTTIMERS = bostley, jwfox, crawl
1808: \& User_Alias WEBMASTERS = will, wendy, wim
1809: \&
1810: \& # Runas alias specification
1811: \& Runas_Alias OP = root, operator
1812: \& Runas_Alias DB = oracle, sybase
1813: \& Runas_Alias ADMINGRP = adm, oper
1814: \&
1815: \& # Host alias specification
1816: \& Host_Alias SPARC = bigtime, eclipse, moet, anchor :\e
1817: \& SGI = grolsch, dandelion, black :\e
1818: \& ALPHA = widget, thalamus, foobar :\e
1819: \& HPPA = boa, nag, python
1820: \& Host_Alias CUNETS = 128.138.0.0/255.255.0.0
1821: \& Host_Alias CSNETS = 128.138.243.0, 128.138.204.0/24, 128.138.242.0
1822: \& Host_Alias SERVERS = master, mail, www, ns
1823: \& Host_Alias CDROM = orion, perseus, hercules
1824: \&
1825: \& # Cmnd alias specification
1826: \& Cmnd_Alias DUMPS = /usr/bin/mt, /usr/sbin/dump, /usr/sbin/rdump,\e
1827: \& /usr/sbin/restore, /usr/sbin/rrestore
1828: \& Cmnd_Alias KILL = /usr/bin/kill
1829: \& Cmnd_Alias PRINTING = /usr/sbin/lpc, /usr/bin/lprm
1830: \& Cmnd_Alias SHUTDOWN = /usr/sbin/shutdown
1831: \& Cmnd_Alias HALT = /usr/sbin/halt
1832: \& Cmnd_Alias REBOOT = /usr/sbin/reboot
1833: \& Cmnd_Alias SHELLS = /usr/bin/sh, /usr/bin/csh, /usr/bin/ksh, \e
1834: \& /usr/local/bin/tcsh, /usr/bin/rsh, \e
1835: \& /usr/local/bin/zsh
1836: \& Cmnd_Alias SU = /usr/bin/su
1837: \& Cmnd_Alias PAGERS = /usr/bin/more, /usr/bin/pg, /usr/bin/less
1838: .Ve
1839: .PP
1840: Here we override some of the compiled in default values. We want
1841: \&\fBsudo\fR to log via \fIsyslog\fR\|(3) using the \fIauth\fR facility in all
1842: cases. We don't want to subject the full time staff to the \fBsudo\fR
1843: lecture, user \fBmillert\fR need not give a password, and we don't
1844: want to reset the \f(CW\*(C`LOGNAME\*(C'\fR, \f(CW\*(C`USER\*(C'\fR or \f(CW\*(C`USERNAME\*(C'\fR environment
1845: variables when running commands as root. Additionally, on the
1846: machines in the \fI\s-1SERVERS\s0\fR \f(CW\*(C`Host_Alias\*(C'\fR, we keep an additional
1847: local log file and make sure we log the year in each log line since
1848: the log entries will be kept around for several years. Lastly, we
1849: disable shell escapes for the commands in the \s-1PAGERS\s0 \f(CW\*(C`Cmnd_Alias\*(C'\fR
1850: (\fI/usr/bin/more\fR, \fI/usr/bin/pg\fR and \fI/usr/bin/less\fR).
1851: .PP
1852: .Vb 7
1853: \& # Override built\-in defaults
1854: \& Defaults syslog=auth
1855: \& Defaults>root !set_logname
1856: \& Defaults:FULLTIMERS !lecture
1857: \& Defaults:millert !authenticate
1858: \& Defaults@SERVERS log_year, logfile=/var/log/sudo.log
1859: \& Defaults!PAGERS noexec
1860: .Ve
1861: .PP
1862: The \fIUser specification\fR is the part that actually determines who may
1863: run what.
1864: .PP
1865: .Vb 2
1866: \& root ALL = (ALL) ALL
1867: \& %wheel ALL = (ALL) ALL
1868: .Ve
1869: .PP
1870: We let \fBroot\fR and any user in group \fBwheel\fR run any command on any
1871: host as any user.
1872: .PP
1873: .Vb 1
1874: \& FULLTIMERS ALL = NOPASSWD: ALL
1875: .Ve
1876: .PP
1877: Full time sysadmins (\fBmillert\fR, \fBmikef\fR, and \fBdowdy\fR) may run any
1878: command on any host without authenticating themselves.
1879: .PP
1880: .Vb 1
1881: \& PARTTIMERS ALL = ALL
1882: .Ve
1883: .PP
1884: Part time sysadmins (\fBbostley\fR, \fBjwfox\fR, and \fBcrawl\fR) may run any
1885: command on any host but they must authenticate themselves first
1886: (since the entry lacks the \f(CW\*(C`NOPASSWD\*(C'\fR tag).
1887: .PP
1888: .Vb 1
1889: \& jack CSNETS = ALL
1890: .Ve
1891: .PP
1892: The user \fBjack\fR may run any command on the machines in the \fI\s-1CSNETS\s0\fR alias
1893: (the networks \f(CW128.138.243.0\fR, \f(CW128.138.204.0\fR, and \f(CW128.138.242.0\fR).
1894: Of those networks, only \f(CW128.138.204.0\fR has an explicit netmask (in
1895: \&\s-1CIDR\s0 notation) indicating it is a class C network. For the other
1896: networks in \fI\s-1CSNETS\s0\fR, the local machine's netmask will be used
1897: during matching.
1898: .PP
1899: .Vb 1
1900: \& lisa CUNETS = ALL
1901: .Ve
1902: .PP
1903: The user \fBlisa\fR may run any command on any host in the \fI\s-1CUNETS\s0\fR alias
1904: (the class B network \f(CW128.138.0.0\fR).
1905: .PP
1906: .Vb 2
1907: \& operator ALL = DUMPS, KILL, SHUTDOWN, HALT, REBOOT, PRINTING,\e
1908: \& sudoedit /etc/printcap, /usr/oper/bin/
1909: .Ve
1910: .PP
1911: The \fBoperator\fR user may run commands limited to simple maintenance.
1912: Here, those are commands related to backups, killing processes, the
1913: printing system, shutting down the system, and any commands in the
1914: directory \fI/usr/oper/bin/\fR.
1915: .PP
1916: .Vb 1
1917: \& joe ALL = /usr/bin/su operator
1918: .Ve
1919: .PP
1920: The user \fBjoe\fR may only \fIsu\fR\|(1) to operator.
1921: .PP
1922: .Vb 1
1923: \& pete HPPA = /usr/bin/passwd [A\-Za\-z]*, !/usr/bin/passwd root
1924: \&
1925: \& %opers ALL = (: ADMINGRP) /usr/sbin/
1926: .Ve
1927: .PP
1928: Users in the \fBopers\fR group may run commands in \fI/usr/sbin/\fR as themselves
1929: with any group in the \fI\s-1ADMINGRP\s0\fR \f(CW\*(C`Runas_Alias\*(C'\fR (the \fBadm\fR and \fBoper\fR
1930: groups).
1931: .PP
1932: The user \fBpete\fR is allowed to change anyone's password except for
1933: root on the \fI\s-1HPPA\s0\fR machines. Note that this assumes \fIpasswd\fR\|(1)
1934: does not take multiple user names on the command line.
1935: .PP
1936: .Vb 1
1937: \& bob SPARC = (OP) ALL : SGI = (OP) ALL
1938: .Ve
1939: .PP
1940: The user \fBbob\fR may run anything on the \fI\s-1SPARC\s0\fR and \fI\s-1SGI\s0\fR machines
1941: as any user listed in the \fI\s-1OP\s0\fR \f(CW\*(C`Runas_Alias\*(C'\fR (\fBroot\fR and \fBoperator\fR).
1942: .PP
1943: .Vb 1
1944: \& jim +biglab = ALL
1945: .Ve
1946: .PP
1947: The user \fBjim\fR may run any command on machines in the \fIbiglab\fR netgroup.
1948: \&\fBsudo\fR knows that \*(L"biglab\*(R" is a netgroup due to the '+' prefix.
1949: .PP
1950: .Vb 1
1951: \& +secretaries ALL = PRINTING, /usr/bin/adduser, /usr/bin/rmuser
1952: .Ve
1953: .PP
1954: Users in the \fBsecretaries\fR netgroup need to help manage the printers
1955: as well as add and remove users, so they are allowed to run those
1956: commands on all machines.
1957: .PP
1958: .Vb 1
1959: \& fred ALL = (DB) NOPASSWD: ALL
1960: .Ve
1961: .PP
1962: The user \fBfred\fR can run commands as any user in the \fI\s-1DB\s0\fR \f(CW\*(C`Runas_Alias\*(C'\fR
1963: (\fBoracle\fR or \fBsybase\fR) without giving a password.
1964: .PP
1965: .Vb 1
1966: \& john ALPHA = /usr/bin/su [!\-]*, !/usr/bin/su *root*
1967: .Ve
1968: .PP
1969: On the \fI\s-1ALPHA\s0\fR machines, user \fBjohn\fR may su to anyone except root
1970: but he is not allowed to specify any options to the \fIsu\fR\|(1) command.
1971: .PP
1972: .Vb 1
1973: \& jen ALL, !SERVERS = ALL
1974: .Ve
1975: .PP
1976: The user \fBjen\fR may run any command on any machine except for those
1977: in the \fI\s-1SERVERS\s0\fR \f(CW\*(C`Host_Alias\*(C'\fR (master, mail, www and ns).
1978: .PP
1979: .Vb 1
1980: \& jill SERVERS = /usr/bin/, !SU, !SHELLS
1981: .Ve
1982: .PP
1983: For any machine in the \fI\s-1SERVERS\s0\fR \f(CW\*(C`Host_Alias\*(C'\fR, \fBjill\fR may run
1984: any commands in the directory \fI/usr/bin/\fR except for those commands
1985: belonging to the \fI\s-1SU\s0\fR and \fI\s-1SHELLS\s0\fR \f(CW\*(C`Cmnd_Aliases\*(C'\fR.
1986: .PP
1987: .Vb 1
1988: \& steve CSNETS = (operator) /usr/local/op_commands/
1989: .Ve
1990: .PP
1991: The user \fBsteve\fR may run any command in the directory /usr/local/op_commands/
1992: but only as user operator.
1993: .PP
1994: .Vb 1
1995: \& matt valkyrie = KILL
1996: .Ve
1997: .PP
1998: On his personal workstation, valkyrie, \fBmatt\fR needs to be able to
1999: kill hung processes.
2000: .PP
2001: .Vb 1
2002: \& WEBMASTERS www = (www) ALL, (root) /usr/bin/su www
2003: .Ve
2004: .PP
2005: On the host www, any user in the \fI\s-1WEBMASTERS\s0\fR \f(CW\*(C`User_Alias\*(C'\fR (will,
2006: wendy, and wim), may run any command as user www (which owns the
2007: web pages) or simply \fIsu\fR\|(1) to www.
2008: .PP
2009: .Vb 2
2010: \& ALL CDROM = NOPASSWD: /sbin/umount /CDROM,\e
2011: \& /sbin/mount \-o nosuid\e,nodev /dev/cd0a /CDROM
2012: .Ve
2013: .PP
2014: Any user may mount or unmount a CD-ROM on the machines in the \s-1CDROM\s0
2015: \&\f(CW\*(C`Host_Alias\*(C'\fR (orion, perseus, hercules) without entering a password.
2016: This is a bit tedious for users to type, so it is a prime candidate
2017: for encapsulating in a shell script.
2018: .SH "SECURITY NOTES"
2019: .IX Header "SECURITY NOTES"
1.1.1.2 ! misho 2020: .SS "Limitations of the '!' operator"
! 2021: .IX Subsection "Limitations of the '!' operator"
1.1 misho 2022: It is generally not effective to \*(L"subtract\*(R" commands from \f(CW\*(C`ALL\*(C'\fR
2023: using the '!' operator. A user can trivially circumvent this
2024: by copying the desired command to a different name and then
2025: executing that. For example:
2026: .PP
2027: .Vb 1
2028: \& bill ALL = ALL, !SU, !SHELLS
2029: .Ve
2030: .PP
2031: Doesn't really prevent \fBbill\fR from running the commands listed in
2032: \&\fI\s-1SU\s0\fR or \fI\s-1SHELLS\s0\fR since he can simply copy those commands to a
2033: different name, or use a shell escape from an editor or other
2034: program. Therefore, these kind of restrictions should be considered
2035: advisory at best (and reinforced by policy).
2036: .PP
1.1.1.2 ! misho 2037: In general, if a user has sudo \f(CW\*(C`ALL\*(C'\fR there is nothing to prevent
! 2038: them from creating their own program that gives them a root shell
! 2039: (or making their own copy of a shell) regardless of any '!' elements
! 2040: in the user specification.
! 2041: .SS "Security implications of \fIfast_glob\fP"
! 2042: .IX Subsection "Security implications of fast_glob"
! 2043: If the \fIfast_glob\fR option is in use, it is not possible
1.1 misho 2044: to reliably negate commands where the path name includes globbing
2045: (aka wildcard) characters. This is because the C library's
2046: \&\fIfnmatch\fR\|(3) function cannot resolve relative paths. While this
2047: is typically only an inconvenience for rules that grant privileges,
2048: it can result in a security issue for rules that subtract or revoke
2049: privileges.
2050: .PP
2051: For example, given the following \fIsudoers\fR entry:
2052: .PP
2053: .Vb 2
2054: \& john ALL = /usr/bin/passwd [a\-zA\-Z0\-9]*, /usr/bin/chsh [a\-zA\-Z0\-9]*,
2055: \& /usr/bin/chfn [a\-zA\-Z0\-9]*, !/usr/bin/* root
2056: .Ve
2057: .PP
2058: User \fBjohn\fR can still run \f(CW\*(C`/usr/bin/passwd root\*(C'\fR if \fIfast_glob\fR is
2059: enabled by changing to \fI/usr/bin\fR and running \f(CW\*(C`./passwd root\*(C'\fR instead.
1.1.1.2 ! misho 2060: .SS "Preventing Shell Escapes"
! 2061: .IX Subsection "Preventing Shell Escapes"
1.1 misho 2062: Once \fBsudo\fR executes a program, that program is free to do whatever
2063: it pleases, including run other programs. This can be a security
2064: issue since it is not uncommon for a program to allow shell escapes,
2065: which lets a user bypass \fBsudo\fR's access control and logging.
2066: Common programs that permit shell escapes include shells (obviously),
2067: editors, paginators, mail and terminal programs.
2068: .PP
2069: There are two basic approaches to this problem:
2070: .IP "restrict" 10
2071: .IX Item "restrict"
2072: Avoid giving users access to commands that allow the user to run
2073: arbitrary commands. Many editors have a restricted mode where shell
2074: escapes are disabled, though \fBsudoedit\fR is a better solution to
2075: running editors via \fBsudo\fR. Due to the large number of programs that
2076: offer shell escapes, restricting users to the set of programs that
2077: do not is often unworkable.
2078: .IP "noexec" 10
2079: .IX Item "noexec"
2080: Many systems that support shared libraries have the ability to
2081: override default library functions by pointing an environment
2082: variable (usually \f(CW\*(C`LD_PRELOAD\*(C'\fR) to an alternate shared library.
2083: On such systems, \fBsudo\fR's \fInoexec\fR functionality can be used to
2084: prevent a program run by \fBsudo\fR from executing any other programs.
2085: Note, however, that this applies only to native dynamically-linked
2086: executables. Statically-linked executables and foreign executables
2087: running under binary emulation are not affected.
2088: .Sp
2089: The \fInoexec\fR feature is known to work on SunOS, Solaris, *BSD,
2090: Linux, \s-1IRIX\s0, Tru64 \s-1UNIX\s0, MacOS X, HP-UX 11.x and \s-1AIX\s0 5.3 and above.
2091: It should be supported on most operating systems that support the
2092: \&\f(CW\*(C`LD_PRELOAD\*(C'\fR environment variable. Check your operating system's
2093: manual pages for the dynamic linker (usually ld.so, ld.so.1, dyld,
2094: dld.sl, rld, or loader) to see if \f(CW\*(C`LD_PRELOAD\*(C'\fR is supported.
2095: .Sp
2096: On Solaris 10 and higher, \fInoexec\fR uses Solaris privileges instead
2097: of the \f(CW\*(C`LD_PRELOAD\*(C'\fR environment variable.
2098: .Sp
2099: To enable \fInoexec\fR for a command, use the \f(CW\*(C`NOEXEC\*(C'\fR tag as documented
2100: in the User Specification section above. Here is that example again:
2101: .Sp
2102: .Vb 1
2103: \& aaron shanty = NOEXEC: /usr/bin/more, /usr/bin/vi
2104: .Ve
2105: .Sp
2106: This allows user \fBaaron\fR to run \fI/usr/bin/more\fR and \fI/usr/bin/vi\fR
2107: with \fInoexec\fR enabled. This will prevent those two commands from
2108: executing other commands (such as a shell). If you are unsure
2109: whether or not your system is capable of supporting \fInoexec\fR you
2110: can always just try it out and check whether shell escapes work
2111: when \fInoexec\fR is enabled.
2112: .PP
2113: Note that restricting shell escapes is not a panacea. Programs
2114: running as root are still capable of many potentially hazardous
2115: operations (such as changing or overwriting files) that could lead
2116: to unintended privilege escalation. In the specific case of an
2117: editor, a safer approach is to give the user permission to run
2118: \&\fBsudoedit\fR.
1.1.1.2 ! misho 2119: .SS "Time stamp file checks"
! 2120: .IX Subsection "Time stamp file checks"
1.1 misho 2121: \&\fIsudoers\fR will check the ownership of its time stamp directory
2122: (\fI@timedir@\fR by default) and ignore the directory's contents if
2123: it is not owned by root or if it is writable by a user other than
2124: root. On systems that allow non-root users to give away files via
2125: \&\fIchown\fR\|(2), if the time stamp directory is located in a world-writable
2126: directory (e.g., \fI/tmp\fR), it is possible for a user to create the
2127: time stamp directory before \fBsudo\fR is run. However, because
2128: \&\fIsudoers\fR checks the ownership and mode of the directory and its
2129: contents, the only damage that can be done is to \*(L"hide\*(R" files by
2130: putting them in the time stamp dir. This is unlikely to happen
2131: since once the time stamp dir is owned by root and inaccessible by
2132: any other user, the user placing files there would be unable to get
2133: them back out.
2134: .PP
2135: \&\fIsudoers\fR will not honor time stamps set far in the future. Time
2136: stamps with a date greater than current_time + 2 * \f(CW\*(C`TIMEOUT\*(C'\fR will
2137: be ignored and sudo will log and complain. This is done to keep a
2138: user from creating his/her own time stamp with a bogus date on
2139: systems that allow users to give away files if the time stamp directory
2140: is located in a world-writable directory.
2141: .PP
2142: On systems where the boot time is available, \fIsudoers\fR will ignore
2143: time stamps that date from before the machine booted.
2144: .PP
2145: Since time stamp files live in the file system, they can outlive a
2146: user's login session. As a result, a user may be able to login,
2147: run a command with \fBsudo\fR after authenticating, logout, login
2148: again, and run \fBsudo\fR without authenticating so long as the time
2149: stamp file's modification time is within \f(CW\*(C`@timeout@\*(C'\fR minutes (or
2150: whatever the timeout is set to in \fIsudoers\fR). When the \fItty_tickets\fR
2151: option is enabled, the time stamp has per-tty granularity but still
2152: may outlive the user's session. On Linux systems where the devpts
2153: filesystem is used, Solaris systems with the devices filesystem,
2154: as well as other systems that utilize a devfs filesystem that
2155: monotonically increase the inode number of devices as they are
2156: created (such as Mac \s-1OS\s0 X), \fIsudoers\fR is able to determine when a
2157: tty-based time stamp file is stale and will ignore it. Administrators
2158: should not rely on this feature as it is not universally available.
2159: .SH "SEE ALSO"
2160: .IX Header "SEE ALSO"
2161: \&\fIrsh\fR\|(1), \fIsu\fR\|(1), \fIfnmatch\fR\|(3), \fIglob\fR\|(3), \fImktemp\fR\|(3), \fIstrftime\fR\|(3),
2162: \&\fIsudoers.ldap\fR\|(@mansectform@), \fIsudo_plugin\fR\|(@mansectsu@), \fIsudo\fR\|(@mansectsu@), \fIvisudo\fR\|(@mansectsu@)
2163: .SH "CAVEATS"
2164: .IX Header "CAVEATS"
2165: The \fIsudoers\fR file should \fBalways\fR be edited by the \fBvisudo\fR
2166: command which locks the file and does grammatical checking. It is
2167: imperative that \fIsudoers\fR be free of syntax errors since \fBsudo\fR
2168: will not run with a syntactically incorrect \fIsudoers\fR file.
2169: .PP
2170: When using netgroups of machines (as opposed to users), if you
2171: store fully qualified host name in the netgroup (as is usually the
2172: case), you either need to have the machine's host name be fully qualified
2173: as returned by the \f(CW\*(C`hostname\*(C'\fR command or use the \fIfqdn\fR option in
2174: \&\fIsudoers\fR.
2175: .SH "BUGS"
2176: .IX Header "BUGS"
2177: If you feel you have found a bug in \fBsudo\fR, please submit a bug report
2178: at http://www.sudo.ws/sudo/bugs/
2179: .SH "SUPPORT"
2180: .IX Header "SUPPORT"
2181: Limited free support is available via the sudo-users mailing list,
2182: see http://www.sudo.ws/mailman/listinfo/sudo\-users to subscribe or
2183: search the archives.
2184: .SH "DISCLAIMER"
2185: .IX Header "DISCLAIMER"
2186: \&\fBsudo\fR is provided ``\s-1AS\s0 \s-1IS\s0'' and any express or implied warranties,
2187: including, but not limited to, the implied warranties of merchantability
2188: and fitness for a particular purpose are disclaimed. See the \s-1LICENSE\s0
2189: file distributed with \fBsudo\fR or http://www.sudo.ws/sudo/license.html
2190: for complete details.
FreeBSD-CVSweb <freebsd-cvsweb@FreeBSD.org>