Annotation of embedaddon/sudo/doc/sudoers.man.in, revision 1.1.1.3
1.1.1.3 ! misho 1: .\" DO NOT EDIT THIS FILE, IT IS NOT THE MASTER!
! 2: .\" IT IS GENERATED AUTOMATICALLY FROM sudoers.mdoc.in
! 3: .\"
1.1.1.2 misho 4: .\" Copyright (c) 1994-1996, 1998-2005, 2007-2012
1.1.1.3 ! misho 5: .\" Todd C. Miller <Todd.Miller@courtesan.com>
! 6: .\"
1.1 misho 7: .\" Permission to use, copy, modify, and distribute this software for any
8: .\" purpose with or without fee is hereby granted, provided that the above
9: .\" copyright notice and this permission notice appear in all copies.
1.1.1.3 ! misho 10: .\"
1.1 misho 11: .\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
12: .\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
13: .\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
14: .\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
15: .\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
16: .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
17: .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
18: .\" ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
1.1.1.3 ! misho 19: .\"
1.1 misho 20: .\" Sponsored in part by the Defense Advanced Research Projects
21: .\" Agency (DARPA) and Air Force Research Laboratory, Air Force
22: .\" Materiel Command, USAF, under agreement number F39502-99-1-0512.
23: .\"
1.1.1.3 ! misho 24: .TH "SUDOERS" "@mansectsu@" "July 16, 2012" "Sudo @PACKAGE_VERSION@" "Programmer's Manual"
1.1 misho 25: .nh
1.1.1.3 ! misho 26: .if n .ad l
1.1 misho 27: .SH "NAME"
1.1.1.3 ! misho 28: \fBsudoers\fR
! 29: \- default sudo security policy module
1.1 misho 30: .SH "DESCRIPTION"
1.1.1.3 ! misho 31: The
! 32: \fIsudoers\fR
! 33: policy module determines a user's
! 34: \fBsudo\fR
! 35: privileges.
! 36: It is the default
! 37: \fBsudo\fR
! 38: policy plugin.
! 39: The policy is driven by
! 40: the
! 41: \fI@sysconfdir@/sudoers\fR
! 42: file or, optionally, in LDAP.
! 43: The policy format is described in detail in the
! 44: \fISUDOERS FILE FORMAT\fR
! 45: section.
! 46: For information on storing
! 47: \fIsudoers\fR
! 48: policy information
! 49: in LDAP, please see
! 50: sudoers.ldap(@mansectform@).
! 51: .SS "Authentication and logging"
! 52: The
! 53: \fIsudoers\fR
! 54: security policy requires that most users authenticate
! 55: themselves before they can use
! 56: \fBsudo\fR.
! 57: A password is not required
1.1 misho 58: if the invoking user is root, if the target user is the same as the
59: invoking user, or if the policy has disabled authentication for the
1.1.1.3 ! misho 60: user or command.
! 61: Unlike
! 62: su(1),
! 63: when
! 64: \fIsudoers\fR
! 65: requires
1.1 misho 66: authentication, it validates the invoking user's credentials, not
1.1.1.3 ! misho 67: the target user's (or root's) credentials.
! 68: This can be changed via
! 69: the
! 70: \fIrootpw\fR,
! 71: \fItargetpw\fR
! 72: and
! 73: \fIrunaspw\fR
! 74: flags, described later.
1.1 misho 75: .PP
76: If a user who is not listed in the policy tries to run a command
1.1.1.3 ! misho 77: via
! 78: \fBsudo\fR,
! 79: mail is sent to the proper authorities.
! 80: The address
! 81: used for such mail is configurable via the
! 82: \fImailto\fR
! 83: Defaults entry
! 84: (described later) and defaults to
! 85: \fR@mailto@\fR.
1.1 misho 86: .PP
87: Note that mail will not be sent if an unauthorized user tries to
1.1.1.3 ! misho 88: run
! 89: \fBsudo\fR
! 90: with the
! 91: \fB\-l\fR
! 92: or
! 93: \fB\-v\fR
! 94: option.
! 95: This allows users to
1.1 misho 96: determine for themselves whether or not they are allowed to use
1.1.1.3 ! misho 97: \fBsudo\fR.
1.1 misho 98: .PP
1.1.1.3 ! misho 99: If
! 100: \fBsudo\fR
! 101: is run by root and the
! 102: \fRSUDO_USER\fR
! 103: environment variable
! 104: is set, the
! 105: \fIsudoers\fR
! 106: policy will use this value to determine who
! 107: the actual user is.
! 108: This can be used by a user to log commands
! 109: through sudo even when a root shell has been invoked.
! 110: It also
! 111: allows the
! 112: \fB\-e\fR
! 113: option to remain useful even when invoked via a
! 114: sudo-run script or program.
! 115: Note, however, that the
! 116: \fIsudoers\fR
! 117: lookup is still done for root, not the user specified by
! 118: \fRSUDO_USER\fR.
! 119: .PP
! 120: \fIsudoers\fR
! 121: uses time stamp files for credential caching.
! 122: Once a
! 123: user has been authenticated, the time stamp is updated and the user
1.1 misho 124: may then use sudo without a password for a short period of time
1.1.1.3 ! misho 125: (\fR@timeout@\fR
! 126: minutes unless overridden by the
! 127: \fItimeout\fR
! 128: option).
! 130: By default,
! 131: \fIsudoers\fR
! 132: uses a tty-based time stamp which means that
1.1 misho 133: there is a separate time stamp for each of a user's login sessions.
1.1.1.3 ! misho 134: The
! 135: \fItty_tickets\fR
! 136: option can be disabled to force the use of a
1.1 misho 137: single time stamp for all of a user's sessions.
138: .PP
1.1.1.3 ! misho 139: \fIsudoers\fR
! 140: can log both successful and unsuccessful attempts (as well
! 141: as errors) to
! 142: syslog(3),
! 143: a log file, or both.
! 144: By default,
! 145: \fIsudoers\fR
! 146: will log via
! 147: syslog(3)
! 148: but this is changeable via the
! 149: \fIsyslog\fR
! 150: and
! 151: \fIlogfile\fR
! 152: Defaults settings.
! 153: .PP
! 154: \fIsudoers\fR
! 155: also supports logging a command's input and output
! 156: streams.
! 157: I/O logging is not on by default but can be enabled using
! 158: the
! 159: \fIlog_input\fR
! 160: and
! 161: \fIlog_output\fR
! 162: Defaults flags as well as the
! 163: \fRLOG_INPUT\fR
! 164: and
! 165: \fRLOG_OUTPUT\fR
! 166: command tags.
! 167: .SS "Command environment"
! 168: Since environment variables can influence program behavior,
! 169: \fIsudoers\fR
1.1 misho 170: provides a means to restrict which variables from the user's
1.1.1.3 ! misho 171: environment are inherited by the command to be run.
! 172: There are two
! 173: distinct ways
! 174: \fIsudoers\fR
! 175: can deal with environment variables.
! 176: .PP
! 177: By default, the
! 178: \fIenv_reset\fR
! 179: option is enabled.
! 180: This causes commands
! 181: to be executed with a new, minimal environment.
! 182: On AIX (and Linux
! 183: systems without PAM), the environment is initialized with the
! 184: contents of the
! 185: \fI/etc/environment\fR
! 186: file.
! 187: On BSD systems, if the
! 188: \fIuse_loginclass\fR
! 189: option is enabled, the environment is initialized
! 190: based on the
! 191: \fIpath\fR
! 192: and
! 193: \fIsetenv\fR
! 194: settings in
! 195: \fI/etc/login.conf\fR.
! 196: The new environment contains the
! 197: \fRTERM\fR,
! 198: \fRPATH\fR,
! 199: \fRHOME\fR,
! 200: \fRMAIL\fR,
! 201: \fRSHELL\fR,
! 202: \fRLOGNAME\fR,
! 203: \fRUSER\fR,
! 204: \fRUSERNAME\fR
! 205: and
! 206: \fRSUDO_*\fR
! 207: variables
1.1.1.2 misho 208: in addition to variables from the invoking process permitted by the
1.1.1.3 ! misho 209: \fIenv_check\fR
! 210: and
! 211: \fIenv_keep\fR
! 212: options.
! 213: This is effectively a whitelist
1.1 misho 214: for environment variables.
215: .PP
1.1.1.3 ! misho 216: If, however, the
! 217: \fIenv_reset\fR
! 218: option is disabled, any variables not
! 219: explicitly denied by the
! 220: \fIenv_check\fR
! 221: and
! 222: \fIenv_delete\fR
! 223: options are
! 224: inherited from the invoking process.
! 225: In this case,
! 226: \fIenv_check\fR
! 227: and
! 228: \fIenv_delete\fR
! 229: behave like a blacklist.
! 230: Since it is not possible
1.1 misho 231: to blacklist all potentially dangerous environment variables, use
1.1.1.3 ! misho 232: of the default
! 233: \fIenv_reset\fR
! 234: behavior is encouraged.
1.1 misho 235: .PP
236: In all cases, environment variables with a value beginning with
1.1.1.3 ! misho 237: \fR()\fR
! 238: are removed as they could be interpreted as
! 239: \fBbash\fR
! 240: functions.
! 241: The list of environment variables that
! 242: \fBsudo\fR
! 243: allows or denies is
! 244: contained in the output of
! 245: ``\fRsudo -V\fR''
! 246: when run as root.
1.1 misho 247: .PP
248: Note that the dynamic linker on most operating systems will remove
249: variables that can control dynamic linking from the environment of
1.1.1.3 ! misho 250: setuid executables, including
! 251: \fBsudo\fR.
! 252: Depending on the operating
! 253: system this may include
! 254: \fR_RLD*\fR,
! 255: \fRDYLD_*\fR,
! 256: \fRLD_*\fR,
! 257: \fRLDR_*\fR,
! 258: \fRLIBPATH\fR,
! 259: \fRSHLIB_PATH\fR,
! 260: and others.
! 261: These types of variables are
! 262: removed from the environment before
! 263: \fBsudo\fR
! 264: even begins execution
! 265: and, as such, it is not possible for
! 266: \fBsudo\fR
! 267: to preserve them.
! 268: .PP
! 269: As a special case, if
! 270: \fBsudo\fR's
! 271: \fB\-i\fR
! 272: option (initial login) is
! 273: specified,
! 274: \fIsudoers\fR
! 275: will initialize the environment regardless
! 276: of the value of
! 277: \fIenv_reset\fR.
! 278: The
! 279: \fRDISPLAY\fR,
! 280: \fRPATH\fR
! 281: and
! 282: \fRTERM\fR
! 283: variables remain unchanged;
! 284: \fRHOME\fR,
! 285: \fRMAIL\fR,
! 286: \fRSHELL\fR,
! 287: \fRUSER\fR,
! 288: and
! 289: \fRLOGNAME\fR
! 290: are set based on the target user.
! 291: On AIX (and Linux
! 292: systems without PAM), the contents of
! 293: \fI/etc/environment\fR
! 294: are also
! 295: included.
! 296: On BSD systems, if the
! 297: \fIuse_loginclass\fR
! 298: option is
! 299: enabled, the
! 300: \fIpath\fR
! 301: and
! 302: \fIsetenv\fR
! 303: variables in
! 304: \fI/etc/login.conf\fR
! 305: are also applied.
! 306: All other environment variables are removed.
! 307: .PP
! 308: Finally, if the
! 309: \fIenv_file\fR
! 310: option is defined, any variables present
1.1.1.2 misho 311: in that file will be set to their specified values as long as they
312: would not conflict with an existing environment variable.
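Added illustration of the environment handling described above, written for this page rather than taken from sudo: a Python model that applies the `env_reset` base set, `env_keep`, `env_check`, `env_delete` and the `()` rule to a constructed environment. One rule is assumed from the SUDOERS OPTIONS section of this manual, which is not reproduced on this page: a variable listed in `env_check` survives only if its value contains neither `%` nor `/`. The model only decides which variables survive; it does not model the value rewriting (HOME, PATH and so on for the target user) that sudo performs in addition.

```python
"""Model of how the sudoers policy decides which environment variables a
command inherits (added illustration, not sudo's own code)."""
import fnmatch

# Variables the new environment always carries when env_reset is enabled.
RESET_BASE = ("TERM", "PATH", "HOME", "MAIL", "SHELL", "LOGNAME", "USER", "USERNAME")


def _listed(name, patterns):
    """True if name appears in an env_keep/env_check/env_delete list; a trailing
    '*' wildcard such as LC_* is allowed."""
    return any(fnmatch.fnmatchcase(name, pattern) for pattern in patterns)


def _check_passes(value):
    """env_check rule (assumption taken from SUDOERS OPTIONS): the value must
    contain neither '%' nor '/'."""
    return "%" not in value and "/" not in value


def filter_environment(env, env_reset=True, env_keep=(), env_check=(), env_delete=()):
    """Return the subset of env that the command would inherit."""
    kept = {}
    for name, value in env.items():
        # In all cases a value beginning with "()" is removed, since bash would
        # import it as a function definition.
        if value.startswith("()"):
            continue
        if env_reset:
            # Whitelist: the base set, SUDO_*, env_keep, and env_check
            # variables whose value passes the check.
            keep = (name in RESET_BASE or name.startswith("SUDO_")
                    or _listed(name, env_keep)
                    or (_listed(name, env_check) and _check_passes(value)))
        else:
            # Blacklist: everything survives unless env_delete names it or it
            # is an env_check variable with a suspicious value.
            keep = not (_listed(name, env_delete)
                        or (_listed(name, env_check) and not _check_passes(value)))
        if keep:
            kept[name] = value
    return kept


# Constructed environment of an invoking user (not captured from a real host).
SAMPLE_ENV = {
    "PATH": "/usr/bin:/bin",
    "HOME": "/home/alice",
    "TERM": "xterm",
    "LANG": "en_US.UTF-8",
    "LC_ALL": "C",
    "EDITOR": "/usr/bin/vim",          # env_check: contains '/', so dropped
    "PYTHONPATH": "/home/alice/lib",   # dangerous, but no blacklist names it
    "PS4": "() { id; }",               # looks like an exported bash function
    "SUDO_USER": "alice",
}

# A typical policy: keep locale, sanity-check the editor, delete IFS.
POLICY = {"env_keep": ("LANG", "LC_*"), "env_check": ("EDITOR",), "env_delete": ("IFS",)}

if __name__ == "__main__":
    for mode in (True, False):
        print("env_reset" if mode else "!env_reset",
              sorted(filter_environment(SAMPLE_ENV, env_reset=mode, **POLICY)))
```

Running it shows the point the text makes: with `env_reset` the command sees only PATH, HOME, TERM, LANG, LC_ALL and SUDO_USER, whereas with `env_reset` disabled PYTHONPATH sails through because nobody thought to blacklist it.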
1.1 misho 313: .SH "SUDOERS FILE FORMAT"
1.1.1.3 ! misho 314: The
! 315: \fIsudoers\fR
! 316: file is composed of two types of entries: aliases
1.1 misho 317: (basically variables) and user specifications (which specify who
318: may run what).
319: .PP
320: When multiple entries match for a user, they are applied in order.
321: Where there are multiple matches, the last match is used (which is
322: not necessarily the most specific match).
323: .PP
1.1.1.3 ! misho 324: The
! 325: \fIsudoers\fR
! 326: grammar will be described below in Extended Backus-Naur
! 327: Form (EBNF).
! 328: Don't despair if you are unfamiliar with EBNF; it is fairly simple,
! 329: and the definitions below are annotated.
! 330: .SS "Quick guide to EBNF"
! 331: EBNF is a concise and exact way of describing the grammar of a language.
! 332: Each EBNF definition is made up of
! 333: \fIproduction rules\fR.
! 334: E.g.,
! 335: .PP
! 336: \fRsymbol ::= definition\fR | \fRalternate1\fR | \fRalternate2 ...\fR
! 337: .PP
! 338: Each
! 339: \fIproduction rule\fR
! 340: references others and thus makes up a
! 341: grammar for the language.
! 342: EBNF also contains the following
1.1 misho 343: operators, which many readers will recognize from regular
1.1.1.3 ! misho 344: expressions.
! 345: Do not, however, confuse them with
! 346: ``wildcard''
1.1 misho 347: characters, which have different meanings.
1.1.1.3 ! misho 348: .TP 6n
! 349: \fR\&?\fR
1.1 misho 350: Means that the preceding symbol (or group of symbols) is optional.
351: That is, it may appear once or not at all.
1.1.1.3 ! misho 352: .TP 6n
! 353: \fR*\fR
1.1 misho 354: Means that the preceding symbol (or group of symbols) may appear
355: zero or more times.
1.1.1.3 ! misho 356: .TP 6n
! 357: \fR+\fR
1.1 misho 358: Means that the preceding symbol (or group of symbols) may appear
359: one or more times.
360: .PP
1.1.1.3 ! misho 361: Parentheses may be used to group symbols together.
! 362: For clarity,
! 363: we will use single quotes
! 364: ('')
! 365: to designate what is a verbatim character string (as opposed to a symbol name).
1.1 misho 366: .SS "Aliases"
1.1.1.3 ! misho 367: There are four kinds of aliases:
! 368: \fRUser_Alias\fR,
! 369: \fRRunas_Alias\fR,
! 370: \fRHost_Alias\fR
! 371: and
! 372: \fRCmnd_Alias\fR.
! 373: .nf
! 374: .sp
! 375: .RS 0n
! 376: Alias ::= 'User_Alias' User_Alias (':' User_Alias)* |
! 377: 'Runas_Alias' Runas_Alias (':' Runas_Alias)* |
! 378: 'Host_Alias' Host_Alias (':' Host_Alias)* |
! 379: 'Cmnd_Alias' Cmnd_Alias (':' Cmnd_Alias)*
! 380:
! 381: User_Alias ::= NAME '=' User_List
! 382:
! 383: Runas_Alias ::= NAME '=' Runas_List
! 384:
! 385: Host_Alias ::= NAME '=' Host_List
! 386:
! 387: Cmnd_Alias ::= NAME '=' Cmnd_List
! 388:
! 389: NAME ::= [A-Z]([A-Z0-9_])*
! 390: .RE
! 391: .fi
! 392: .PP
! 393: Each
! 394: \fIalias\fR
! 395: definition is of the form
! 396: .nf
! 397: .sp
! 398: .RS 0n
! 399: Alias_Type NAME = item1, item2, ...
! 400: .RE
! 401: .fi
! 402: .PP
! 403: where
! 404: \fIAlias_Type\fR
! 405: is one of
! 406: \fRUser_Alias\fR,
! 407: \fRRunas_Alias\fR,
! 408: \fRHost_Alias\fR,
! 409: or
! 410: \fRCmnd_Alias\fR.
! 411: A
! 412: \fRNAME\fR
! 413: is a string of uppercase letters, numbers,
! 414: and underscore characters
! 415: (`_').
! 416: A
! 417: \fRNAME\fR
! 418: \fBmust\fR
! 419: start with an
! 420: uppercase letter.
! 421: It is possible to put several alias definitions
! 422: of the same type on a single line, joined by a colon
! 423: (`:\&').
! 424: E.g.,
! 425: .nf
! 426: .sp
! 427: .RS 0n
! 428: Alias_Type NAME = item1, item2, item3 : NAME = item4, item5
! 429: .RE
! 430: .fi
! 431: .PP
! 432: The definitions of what constitutes a valid
! 433: \fIalias\fR
! 434: member follow.
! 435: .nf
! 436: .sp
! 437: .RS 0n
! 438: User_List ::= User |
! 439: User ',' User_List
! 440:
! 441: User ::= '!'* user name |
! 442: '!'* #uid |
! 443: '!'* %group |
! 444: '!'* %#gid |
! 445: '!'* +netgroup |
! 446: '!'* %:nonunix_group |
! 447: '!'* %:#nonunix_gid |
! 448: '!'* User_Alias
! 449: .RE
! 450: .fi
! 451: .PP
! 452: A
! 453: \fRUser_List\fR
! 454: is made up of one or more user names, user ids
! 455: (prefixed with
! 456: `#'),
! 457: system group names and ids (prefixed with
! 458: `%'
! 459: and
! 460: `%#'
! 461: respectively), netgroups (prefixed with
! 462: `+'),
! 463: non-Unix group names and IDs (prefixed with
! 464: `%:'
! 465: and
! 466: `%:#'
! 467: respectively) and
! 468: \fRUser_Alias\fRes.
! 469: Each list item may be prefixed with zero or more
! 470: `\&!'
! 471: operators.
! 472: An odd number of
! 473: `\&!'
! 474: operators negate the value of
1.1 misho 475: the item; an even number just cancel each other out.
476: .PP
1.1.1.3 ! misho 477: A
! 478: \fRuser name\fR,
! 479: \fRuid\fR,
! 480: \fRgroup\fR,
! 481: \fRgid\fR,
! 482: \fRnetgroup\fR,
! 483: \fRnonunix_group\fR
! 484: or
! 485: \fRnonunix_gid\fR
! 486: may be enclosed in double quotes to avoid the
! 487: need for escaping special characters.
! 488: Alternately, special characters
! 489: may be specified in escaped hex mode, e.g.\& \ex20 for space.
! 490: When
1.1 misho 491: using double quotes, any prefix characters must be included inside
492: the quotes.
493: .PP
1.1.1.3 ! misho 494: The actual
! 495: \fRnonunix_group\fR
! 496: and
! 497: \fRnonunix_gid\fR
! 498: syntax depends on
! 499: the underlying group provider plugin (see the
! 500: \fIgroup_plugin\fR
! 501: description below).
! 502: For instance, the QAS AD plugin supports the following formats:
! 503: .TP 6n
! 504: \fBo\fR
! 505: Group in the same domain: "%:Group Name"
! 506: .TP 6n
! 507: \fBo\fR
! 508: Group in any domain: "%:Group Name@FULLY.QUALIFIED.DOMAIN"
! 509: .TP 6n
! 510: \fBo\fR
! 511: Group SID: "%:S-1-2-34-5678901234-5678901234-5678901234-567"
! 512: .PP
! 513: Note that quotes around group names are optional.
! 514: Unquoted strings must use a backslash
! 515: (`\e')
! 516: to escape spaces and special characters.
! 517: See
! 518: \fIOther special characters and reserved words\fR
! 519: for a list of
1.1 misho 520: characters that need to be escaped.
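An added checker for alias definitions as specified above (example code written for this page, not visudo's implementation): it enforces the NAME rule, splits several colon-joined definitions of one type on a line, reports duplicate, undefined and cyclic aliases, and flattens nested references the way a policy evaluator would need them. The sample definitions are constructed; quoting, backslash escapes and group-provider syntax are not handled.

```python
"""Checker and expander for sudoers alias definitions (added example, not
visudo's code)."""
import re

ALIAS_TYPES = ("User_Alias", "Runas_Alias", "Host_Alias", "Cmnd_Alias")
NAME = re.compile(r"^[A-Z][A-Z0-9_]*$")      # NAME ::= [A-Z]([A-Z0-9_])*
# Several definitions of one type may share a line, joined by ':'; only a
# colon followed by "NAME =" separates them, so a %:group member is left alone.
JOINER = re.compile(r"\s*:\s*(?=[A-Z][A-Z0-9_]*\s*=)")


def parse_alias_line(line, table):
    """Record the definitions of one 'Alias_Type NAME = items (: NAME = items)*'
    line in table[alias_type][NAME]; duplicates and bad NAMEs are rejected."""
    alias_type, _, rest = line.strip().partition(" ")
    if alias_type not in ALIAS_TYPES:
        raise ValueError("not an alias line: %r" % line)
    per_type = table.setdefault(alias_type, {})
    for definition in JOINER.split(rest):
        name, eq, items = definition.partition("=")
        name = name.strip()
        if not eq or not NAME.match(name):
            raise ValueError("bad alias NAME %r: uppercase start, [A-Z0-9_] only" % name)
        if name in per_type:
            raise ValueError("%s %s is defined twice" % (alias_type, name))
        per_type[name] = [item.strip() for item in items.split(",") if item.strip()]
    return table


def expand(table, alias_type, name, seen=()):
    """Flatten an alias to its non-alias members, raising on undefined or
    cyclic references. '!' operators on an alias reference are pushed down
    to every member; an odd total still negates, an even total cancels."""
    if name in seen:
        raise ValueError("%s cycle: %s" % (alias_type, " -> ".join(seen + (name,))))
    members = table.get(alias_type, {}).get(name)
    if members is None:
        raise ValueError("undefined %s %s" % (alias_type, name))
    flat = []
    for item in members:
        bare = item.lstrip("!")
        bangs = "!" * (len(item) - len(bare))
        # Anything shaped like a NAME is an alias reference, except the
        # reserved word ALL.
        if bare != "ALL" and NAME.match(bare):
            flat.extend(bangs + m for m in expand(table, alias_type, bare, seen + (name,)))
        else:
            flat.append(item)
    return flat


def check_aliases(text):
    """Load every alias line, then try to expand every alias; return the table
    and the list of problems a visudo-style check would report."""
    table, problems = {}, []
    for line in text.splitlines():
        if line.strip() and not line.lstrip().startswith("#"):
            try:
                parse_alias_line(line, table)
            except ValueError as err:
                problems.append(str(err))
    for alias_type, names in table.items():
        for name in names:
            try:
                expand(table, alias_type, name)
            except ValueError as err:
                problems.append(str(err))
    return table, problems


# Constructed sample, not taken from any real sudoers file; the last three
# lines are deliberately broken.
SAMPLE = """
User_Alias ADMINS = alice, bob : OPS = carol, ADMINS
Cmnd_Alias SHELLS = /bin/sh, /bin/bash
Cmnd_Alias SAFE = ALL, !SHELLS
Host_Alias LOOP_A = LOOP_B
Host_Alias LOOP_B = LOOP_A
User_Alias admins = dave
Cmnd_Alias BROKEN = NOSUCH
"""
```

`check_aliases(SAMPLE)` returns the parsed table together with four problems: the two-element cycle (reported once per alias involved), the lowercase NAME and the undefined `NOSUCH`; `expand(table, "Cmnd_Alias", "SAFE")` yields `['ALL', '!/bin/sh', '!/bin/bash']`, which is how the negated alias reads once flattened.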
1.1.1.3 ! misho 521: .nf
! 522: .sp
! 523: .RS 0n
! 524: Runas_List ::= Runas_Member |
! 525: Runas_Member ',' Runas_List
! 526:
! 527: Runas_Member ::= '!'* user name |
! 528: '!'* #uid |
! 529: '!'* %group |
! 530: '!'* %#gid |
! 531: '!'* %:nonunix_group |
! 532: '!'* %:#nonunix_gid |
! 533: '!'* +netgroup |
! 534: '!'* Runas_Alias
! 535: .RE
! 536: .fi
1.1 misho 537: .PP
1.1.1.3 ! misho 538: A
! 539: \fRRunas_List\fR
! 540: is similar to a
! 541: \fRUser_List\fR
! 542: except that instead
! 543: of
! 544: \fRUser_Alias\fRes
! 545: it can contain
! 546: \fRRunas_Alias\fRes.
! 547: Note that
! 548: user names and groups are matched as strings.
! 549: In other words, two
1.1 misho 550: users (groups) with the same uid (gid) are considered to be distinct.
1.1.1.3 ! misho 551: If you wish to match all user names with the same uid (e.g.\&
! 552: root and toor), you can use a uid instead (#0 in the example given).
! 553: .nf
! 554: .sp
! 555: .RS 0n
! 556: Host_List ::= Host |
! 557: Host ',' Host_List
! 558:
! 559: Host ::= '!'* host name |
! 560: '!'* ip_addr |
! 561: '!'* network(/netmask)? |
! 562: '!'* +netgroup |
! 563: '!'* Host_Alias
! 564: .RE
! 565: .fi
1.1 misho 566: .PP
1.1.1.3 ! misho 567: A
! 568: \fRHost_List\fR
! 569: is made up of one or more host names, IP addresses,
! 570: network numbers, netgroups (prefixed with
! 571: `+')
! 572: and other aliases.
! 573: Again, the value of an item may be negated with the
! 574: `\&!'
! 575: operator.
1.1 misho 576: If you do not specify a netmask along with the network number,
1.1.1.3 ! misho 577: \fBsudo\fR
! 578: will query each of the local host's network interfaces and,
1.1 misho 579: if the network number corresponds to one of the host's network
1.1.1.3 ! misho 580: interfaces, the corresponding netmask will be used.
! 581: The netmask
! 582: may be specified either in standard IP address notation
! 583: (e.g.\& 255.255.255.0 or ffff:ffff:ffff:ffff::),
! 584: or CIDR notation (number of bits, e.g.\& 24 or 64).
! 585: A host name may include shell-style wildcards (see the
! 586: \fIWildcards\fR
! 587: section below),
! 588: but unless the
! 589: hostname(1)
! 590: command on your machine returns the fully
! 591: qualified host name, you'll need to use the
! 592: \fIfqdn\fR
! 593: option for wildcards to be useful.
! 594: Note that
! 595: \fBsudo\fR
! 596: only inspects actual network interfaces; this means that IP address
! 597: 127.0.0.1 (localhost) will never match.
! 598: Also, the host name
! 599: ``localhost''
! 600: will only match if that is the actual host name, which is usually
! 601: only the case for non-networked systems.
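The Host_List rules above as an added Python model (example written for this page, not sudo's code). The interface table is a constructed stand-in for the addresses and netmasks sudo reads from the running system; no loopback interface is listed, which is exactly why 127.0.0.1 cannot match. The fqdn behaviour is reduced to "compare the short name unless fqdn is set".

```python
"""Host_List matching as described in the sudoers manual (added example,
not sudo's code)."""
import fnmatch
import ipaddress

# Constructed: address and netmask of each real interface on the host.
INTERFACES = [
    ipaddress.ip_interface("192.168.10.42/24"),
    ipaddress.ip_interface("2001:db8:1:2::42/64"),
]


def _network(item):
    """Parse network/netmask; the mask may be a CIDR bit count or written out
    (255.255.255.0 or ffff:ffff:ffff:ffff::, assumed contiguous)."""
    number, mask = item.split("/", 1)
    if ":" in mask:   # ipaddress only takes IPv6 masks as a bit count
        mask = str(bin(int(ipaddress.ip_address(mask))).count("1"))
    return ipaddress.ip_network("%s/%s" % (number, mask), strict=False)


def host_item_matches(item, hostname, interfaces=INTERFACES, fqdn=False):
    """Evaluate one Host item (without its leading '!' operators)."""
    if item == "ALL":
        return True
    if "/" in item:                        # network with an explicit netmask
        net = _network(item)
        return any(i.ip.version == net.version and i.ip in net for i in interfaces)
    try:
        addr = ipaddress.ip_address(item)
    except ValueError:
        # A host name, possibly with wildcards; without the fqdn option only
        # the short name is compared, so *.example.com cannot match.
        name = hostname if fqdn else hostname.split(".")[0]
        return fnmatch.fnmatchcase(name, item)
    for i in interfaces:
        if i.ip.version != addr.version:
            continue
        # Exact interface address, or a bare network number for which the
        # interface's own netmask is borrowed. Only real interfaces are
        # consulted, so 127.0.0.1 never matches.
        if i.ip == addr or i.network.network_address == addr:
            return True
    return False


def host_list_matches(host_list, hostname, interfaces=INTERFACES, fqdn=False):
    """Evaluate a Host_List; like sudo, walk it from the end so that the last
    matching item decides, with an odd number of '!' negating it."""
    for item in reversed([x.strip() for x in host_list.split(",") if x.strip()]):
        bare = item.lstrip("!")
        if host_item_matches(bare, hostname, interfaces, fqdn):
            return (len(item) - len(bare)) % 2 == 0
    return False
```

With the constructed interfaces, `192.168.10.0` matches (the /24 is borrowed from the interface), `192.168.10.7` does not (it is neither the interface address nor a network number), `127.0.0.1` does not, and `*.example.com` matches `box3.example.com` only when `fqdn=True`.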
! 602: .nf
! 603: .sp
! 604: .RS 0n
! 605: Cmnd_List ::= Cmnd |
! 606: Cmnd ',' Cmnd_List
! 607:
! 608: command name ::= file name |
! 609: file name args |
! 610: file name '""'
! 611:
! 612: Cmnd ::= '!'* command name |
! 613: '!'* directory |
! 614: '!'* "sudoedit" |
! 615: '!'* Cmnd_Alias
! 616: .RE
! 617: .fi
! 618: .PP
! 619: A
! 620: \fRCmnd_List\fR
! 621: is a list of one or more command names, directories, and other aliases.
! 622: A command name is a fully qualified file name which may include
! 623: shell-style wildcards (see the
! 624: \fIWildcards\fR
! 625: section below).
! 626: A simple file name allows the user to run the command with any
! 627: arguments he/she wishes.
! 628: However, you may also specify command line arguments (including
! 629: wildcards).
! 630: Alternately, you can specify
! 631: \fR\&""\fR
! 632: to indicate that the command
! 633: may only be run
! 634: \fBwithout\fR
! 635: command line arguments.
! 636: A directory is a
! 637: fully qualified path name ending in a
! 638: `/'.
! 639: When you specify a directory in a
! 640: \fRCmnd_List\fR,
! 641: the user will be able to run any file within that directory
! 642: (but not in any sub-directories therein).
! 643: .PP
! 644: If a
! 645: \fRCmnd\fR
! 646: has associated command line arguments, then the arguments
! 647: in the
! 648: \fRCmnd\fR
! 649: must match exactly those given by the user on the command line
! 650: (or match the wildcards if there are any).
! 651: Note that the following characters must be escaped with a
! 652: `\e'
! 653: if they are used in command arguments:
! 654: `,\&',
! 655: `:\&',
! 656: `=\&',
! 657: `\e'.
! 658: The special command
! 659: ``\fRsudoedit\fR''
! 660: is used to permit a user to run
! 661: \fBsudo\fR
! 662: with the
! 663: \fB\-e\fR
! 664: option (or as
! 665: \fBsudoedit\fR).
! 666: It may take command line arguments just as a normal command does.
1.1 misho 667: .SS "Defaults"
668: Certain configuration options may be changed from their default
1.1.1.3 ! misho 669: values at run-time via one or more
! 670: \fRDefault_Entry\fR
! 671: lines.
! 672: These may affect all users on any host, all users on a specific host, a
1.1 misho 673: specific user, a specific command, or commands being run as a specific user.
674: Note that per-command entries may not include command line arguments.
1.1.1.3 ! misho 675: If you need to specify arguments, define a
! 676: \fRCmnd_Alias\fR
! 677: and reference
1.1 misho 678: that instead.
1.1.1.3 ! misho 679: .nf
! 680: .sp
! 681: .RS 0n
! 682: Default_Type ::= 'Defaults' |
! 683: 'Defaults' '@' Host_List |
! 684: 'Defaults' ':' User_List |
! 685: 'Defaults' '!' Cmnd_List |
! 686: 'Defaults' '>' Runas_List
! 687:
! 688: Default_Entry ::= Default_Type Parameter_List
! 689:
! 690: Parameter_List ::= Parameter |
! 691: Parameter ',' Parameter_List
! 692:
! 693: Parameter ::= Parameter '=' Value |
! 694: Parameter '+=' Value |
! 695: Parameter '-=' Value |
! 696: '!'* Parameter
! 697: .RE
! 698: .fi
1.1 misho 699: .PP
1.1.1.3 ! misho 700: Parameters may be
! 701: \fBflags\fR,
! 702: \fBinteger\fR
! 703: values,
! 704: \fBstrings\fR,
! 705: or
! 706: \fBlists\fR.
! 707: Flags are implicitly boolean and can be turned off via the
! 708: `\&!'
! 709: operator.
! 710: Some integer, string and list parameters may also be
! 711: used in a boolean context to disable them.
! 712: Values may be enclosed
! 713: in double quotes
! 714: (\&"")
! 715: when they contain multiple words.
! 716: Special characters may be escaped with a backslash
! 717: (`\e').
! 718: .PP
! 719: Lists have two additional assignment operators,
! 720: \fR+=\fR
! 721: and
! 722: \fR-=\fR.
1.1 misho 723: These operators are used to add to and delete from a list respectively.
1.1.1.3 ! misho 724: It is not an error to use the
! 725: \fR-=\fR
! 726: operator to remove an element
1.1 misho 727: that does not exist in a list.
728: .PP
729: Defaults entries are parsed in the following order: generic, host
730: and user Defaults first, then runas Defaults and finally command
731: defaults.
732: .PP
1.1.1.3 ! misho 733: See
! 734: \fISUDOERS OPTIONS\fR
! 735: for a list of supported Defaults parameters.
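An added model of Default_Entry handling (example written for this page, not sudo's implementation). It parses the five Default_Type forms and the `=`, `+=`, `-=` and `!` operators, and applies the matching entries in the order stated above: generic, host and user Defaults in file order, then runas Defaults, then per-command Defaults. Aliases in selector lists are not expanded, selector lists must not contain spaces, and the set of list-valued parameters is an assumption limited to `env_keep`, `env_check` and `env_delete` (the full list is in SUDOERS OPTIONS). The sample entries are constructed.

```python
"""Model of Default_Entry parsing and application (added example, not sudo's
implementation)."""
import re

# Default_Type prefix -> the query field its selector list is matched against
SELECTORS = {"@": "host", ":": "user", ">": "runas", "!": "cmnd"}
# Application order from the text: generic, host and user Defaults (in file
# order), then runas Defaults, and finally per-command Defaults.
PHASES = (("", "@", ":"), (">",), ("!",))
LIST_PARAMS = {"env_keep", "env_check", "env_delete"}   # assumed list-valued

ENTRY = re.compile(r"^Defaults(?:([@:>!])(\S+))?\s+(.*)$")
# Parameter ::= '!'* name | name ('=' | '+=' | '-=') value, value bare or "quoted"
PARAM = re.compile(r'(!*)([a-z0-9_]+)(?:\s*(\+=|-=|=)\s*(?:"([^"]*)"|([^,\s]+)))?')


def parse_defaults(text):
    """Return one (kind, selector_items, [(negated, name, op, value)]) per entry."""
    entries = []
    for line in text.splitlines():
        m = ENTRY.match(line.strip())
        if m:                                          # other lines are ignored
            kind, selector, params = m.group(1) or "", m.group(2) or "", m.group(3)
            parsed = [(len(bangs) % 2 == 1, name, op or None, quoted or bare)
                      for bangs, name, op, quoted, bare in PARAM.findall(params)]
            entries.append((kind, [x for x in selector.split(",") if x], parsed))
    return entries


def _selected(items, value):
    """The selector list is walked from its end; the last matching item decides."""
    for item in reversed(items):
        bare = item.lstrip("!")
        if bare == "ALL" or bare == value:
            return (len(item) - len(bare)) % 2 == 0
    return False


def _apply(settings, negated, name, op, value):
    if op is None:                                     # a flag; '!' turns it off
        settings[name] = not negated
    elif name in LIST_PARAMS:
        current, words = list(settings.get(name, [])), value.split()
        if op == "=":
            current = words
        elif op == "+=":
            current += [w for w in words if w not in current]
        else:                                          # '-=': absent words are fine
            current = [w for w in current if w not in words]
        settings[name] = current
    else:                                              # integer or string value
        settings[name] = value


def effective_defaults(entries, user, host, runas, cmnd, base=None):
    """Apply the entries that match the query, phase by phase, on top of base."""
    query = {"host": host, "user": user, "runas": runas, "cmnd": cmnd}
    settings = dict(base or {})
    for phase in PHASES:
        for kind, items, params in entries:
            if kind in phase and (kind == "" or _selected(items, query[SELECTORS[kind]])):
                for negated, name, op, value in params:
                    _apply(settings, negated, name, op, value)
    return settings


# Constructed sample policy, not from a real host. The per-command entry is
# listed first on purpose: it is still applied last, so EDITOR, which the
# per-user entry adds, ends up removed when the command is /usr/bin/sh.
SAMPLE = """
Defaults!/usr/bin/sh noexec, env_keep -= "EDITOR NOTTHERE"
Defaults env_reset, env_keep = "LANG LC_*", passprompt="[sudo] password: "
Defaults:alice !env_reset, env_keep += "EDITOR"
Defaults@buildbox env_keep -= "LC_*", log_year
Defaults>root timestamp_timeout=0
"""
```

For alice on buildbox running `/usr/bin/sh` as root the result is `env_reset` off, `env_keep` reduced to `['LANG']`, `log_year` and `noexec` on and `timestamp_timeout` of `0`; removing `NOTTHERE`, which was never in the list, is silently accepted, as the text says.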
! 736: .SS "User specification"
! 737: .nf
! 738: .RS 0n
! 739: User_Spec ::= User_List Host_List '=' Cmnd_Spec_List \e
! 740: (':' Host_List '=' Cmnd_Spec_List)*
! 741:
! 742: Cmnd_Spec_List ::= Cmnd_Spec |
! 743: Cmnd_Spec ',' Cmnd_Spec_List
! 744:
! 745: Cmnd_Spec ::= Runas_Spec? SELinux_Spec? Solaris_Priv_Spec? Tag_Spec* Cmnd
! 746:
! 747: Runas_Spec ::= '(' Runas_List? (':' Runas_List)? ')'
! 748:
! 749: SELinux_Spec ::= ('ROLE=role' | 'TYPE=type')
! 750:
! 751: Solaris_Priv_Spec ::= ('PRIVS=privset' | 'LIMITPRIVS=privset')
! 752:
! 753: Tag_Spec ::= ('NOPASSWD:' | 'PASSWD:' | 'NOEXEC:' | 'EXEC:' |
! 754: 'SETENV:' | 'NOSETENV:' | 'LOG_INPUT:' | 'NOLOG_INPUT:' |
! 755: 'LOG_OUTPUT:' | 'NOLOG_OUTPUT:')
! 756: .RE
! 757: .fi
1.1 misho 758: .PP
1.1.1.3 ! misho 759: A
! 760: \fBuser specification\fR
! 761: determines which commands a user may run
! 762: (and as what user) on specified hosts.
! 763: By default, commands are
! 764: run as
! 765: \fBroot\fR,
! 766: but this can be changed on a per-command basis.
! 767: .PP
! 768: The basic structure of a user specification is
! 769: ``who where = (as_whom) what''.
! 770: Let's break that down into its constituent parts:
1.1 misho 771: .SS "Runas_Spec"
1.1.1.3 ! misho 772: A
! 773: \fRRunas_Spec\fR
! 774: determines the user and/or the group that a command
! 775: may be run as.
! 776: A fully-specified
! 777: \fRRunas_Spec\fR
! 778: consists of two
! 779: \fRRunas_List\fRs
! 780: (as defined above) separated by a colon
! 781: (`:\&')
! 782: and enclosed in a set of parentheses.
! 783: The first
! 784: \fRRunas_List\fR
! 785: indicates
! 786: which users the command may be run as via
! 787: \fBsudo\fR's
! 788: \fB\-u\fR
! 789: option.
1.1 misho 790: The second defines a list of groups that can be specified via
1.1.1.3 ! misho 791: \fBsudo\fR's
! 792: \fB\-g\fR
! 793: option.
! 794: If both
! 795: \fRRunas_List\fRs
! 796: are specified, the command may be run with any combination of users
! 797: and groups listed in their respective
! 798: \fRRunas_List\fRs.
! 799: If only the first is specified, the command may be run as any user
! 800: in the list but no
! 801: \fB\-g\fR
! 802: option
! 803: may be specified.
! 804: If the first
! 805: \fRRunas_List\fR
! 806: is empty but the
1.1 misho 807: second is specified, the command may be run as the invoking user
1.1.1.3 ! misho 808: with the group set to any listed in the
! 809: \fRRunas_List\fR.
! 810: If both
! 811: \fRRunas_List\fRs
! 812: are empty, the command may only be run as the invoking user.
! 813: If no
! 814: \fRRunas_Spec\fR
! 815: is specified the command may be run as
! 816: \fBroot\fR
! 817: and
1.1 misho 818: no group may be specified.
819: .PP
1.1.1.3 ! misho 820: A
! 821: \fRRunas_Spec\fR
! 822: sets the default for the commands that follow it.
1.1 misho 823: What this means is that for the entry:
1.1.1.3 ! misho 824: .nf
! 825: .sp
! 826: .RS 0n
! 827: dgb boulder = (operator) /bin/ls, /bin/kill, /usr/bin/lprm
! 828: .RE
! 829: .fi
1.1 misho 830: .PP
1.1.1.3 ! misho 831: The user
! 832: \fBdgb\fR
! 833: may run
! 834: \fI/bin/ls\fR,
! 835: \fI/bin/kill\fR,
! 836: and
! 837: \fI/usr/bin/lprm\fR\(embut
! 838: only as
! 839: \fBoperator\fR.
! 840: E.g.,
! 841: .nf
! 842: .sp
! 843: .RS 0n
! 844: $ sudo -u operator /bin/ls
! 845: .RE
! 846: .fi
1.1 misho 847: .PP
1.1.1.3 ! misho 848: It is also possible to override a
! 849: \fRRunas_Spec\fR
! 850: later on in an entry.
! 851: If we modify the entry like so:
! 852: .nf
! 853: .sp
! 854: .RS 0n
! 855: dgb boulder = (operator) /bin/ls, (root) /bin/kill, /usr/bin/lprm
! 856: .RE
! 857: .fi
1.1 misho 858: .PP
1.1.1.3 ! misho 859: Then user
! 860: \fBdgb\fR
! 861: is now allowed to run
! 862: \fI/bin/ls\fR
! 863: as
! 864: \fBoperator\fR,
! 865: but
! 866: \fI/bin/kill\fR
! 867: and
! 868: \fI/usr/bin/lprm\fR
! 869: as
! 870: \fBroot\fR.
! 871: .PP
! 872: We can extend this to allow
! 873: \fBdgb\fR
! 874: to run
! 875: \fR/bin/ls\fR
! 876: with either
! 877: the user or group set to
! 878: \fBoperator\fR:
! 879: .nf
! 880: .sp
! 881: .RS 0n
! 882: dgb boulder = (operator : operator) /bin/ls, (root) /bin/kill,\e
! 883: /usr/bin/lprm
! 884: .RE
! 885: .fi
1.1 misho 886: .PP
1.1.1.3 ! misho 887: Note that while the group portion of the
! 888: \fRRunas_Spec\fR
! 889: permits the
1.1 misho 890: user to run a command with that group, it does not force the user
1.1.1.3 ! misho 891: to do so.
! 892: If no group is specified on the command line, the command
1.1 misho 893: will run with the group listed in the target user's password database
1.1.1.3 ! misho 894: entry.
! 895: The following would all be permitted by the sudoers entry above:
! 896: .nf
! 897: .sp
! 898: .RS 0n
! 899: $ sudo -u operator /bin/ls
! 900: $ sudo -u operator -g operator /bin/ls
! 901: $ sudo -g operator /bin/ls
! 902: .RE
! 903: .fi
1.1 misho 904: .PP
1.1.1.3 ! misho 905: In the following example, user
! 906: \fBtcm\fR
! 907: may run commands that access
1.1 misho 908: a modem device file with the dialer group.
1.1.1.3 ! misho 909: .nf
! 910: .sp
! 911: .RS 0n
! 912: tcm boulder = (:dialer) /usr/bin/tip, /usr/bin/cu,\e
! 913: /usr/local/bin/minicom
! 914: .RE
! 915: .fi
1.1 misho 916: .PP
917: Note that in this example only the group will be set, the command
1.1.1.3 ! misho 918: still runs as user
! 919: \fBtcm\fR.
! 920: E.g.\&
! 921: .nf
! 922: .sp
! 923: .RS 0n
! 924: $ sudo -g dialer /usr/bin/cu
! 925: .RE
! 926: .fi
1.1 misho 927: .PP
1.1.1.3 ! misho 928: Multiple users and groups may be present in a
! 929: \fRRunas_Spec\fR,
! 930: in which case the user may select any combination of users and groups via the
! 931: \fB\-u\fR
! 932: and
! 933: \fB\-g\fR
! 934: options.
! 935: In this example:
! 936: .nf
! 937: .sp
! 938: .RS 0n
! 939: alan ALL = (root, bin : operator, system) ALL
! 940: .RE
! 941: .fi
1.1 misho 942: .PP
1.1.1.3 ! misho 943: user
! 944: \fBalan\fR
! 945: may run any command as either user root or bin,
1.1 misho 946: optionally setting the group to operator or system.
947: .SS "SELinux_Spec"
1.1.1.3 ! misho 948: On systems with SELinux support,
! 949: \fIsudoers\fR
! 950: entries may optionally have an SELinux role and/or type associated
! 951: with a command.
! 952: If a role or
1.1 misho 953: type is specified with the command it will override any default values
1.1.1.3 ! misho 954: specified in
! 955: \fIsudoers\fR.
! 956: A role or type specified on the command line,
! 957: however, will supersede the values in
! 958: \fIsudoers\fR.
! 959: .SS "Solaris_Priv_Spec"
! 960: On Solaris systems,
! 961: \fIsudoers\fR
! 962: entries may optionally specify Solaris privilege set and/or limit
! 963: privilege set associated with a command.
! 964: If privileges or limit privileges are specified with the command
! 965: it will override any default values specified in
! 966: \fIsudoers\fR.
! 967: .PP
! 968: A privilege set is a comma-separated list of privilege names.
! 969: The
! 970: ppriv(1)
! 971: command can be used to list all privileges known to the system.
! 972: For example:
! 973: .nf
! 974: .sp
! 975: .RS 0n
! 976: $ ppriv -l
! 977: .RE
! 978: .fi
! 979: .PP
! 980: In addition, there are several
! 981: ``special''
! 982: privilege strings:
! 983: .TP 10n
! 984: none
! 985: the empty set
! 986: .TP 10n
! 987: all
! 988: the set of all privileges
! 989: .TP 10n
! 990: zone
! 991: the set of all privileges available in the current zone
! 992: .TP 10n
! 993: basic
! 994: the default set of privileges normal users are granted at login time
! 995: .PP
! 996: Privileges can be excluded from a set by prefixing the privilege
! 997: name with either an
! 998: `\&!'
! 999: or
! 1000: `\-'
! 1001: character.
1.1 misho 1002: .SS "Tag_Spec"
1.1.1.3 ! misho 1003: A command may have zero or more tags associated with it.
! 1004: There are
! 1005: ten possible tag values:
! 1006: \fRNOPASSWD\fR,
! 1007: \fRPASSWD\fR,
! 1008: \fRNOEXEC\fR,
! 1009: \fREXEC\fR,
! 1010: \fRSETENV\fR,
! 1011: \fRNOSETENV\fR,
! 1012: \fRLOG_INPUT\fR,
! 1013: \fRNOLOG_INPUT\fR,
! 1014: \fRLOG_OUTPUT\fR
! 1015: and
! 1016: \fRNOLOG_OUTPUT\fR.
! 1017: Once a tag is set on a
! 1018: \fRCmnd\fR,
! 1019: subsequent
! 1020: \fRCmnd\fRs
! 1021: in the
! 1022: \fRCmnd_Spec_List\fR
! 1023: inherit the tag unless it is overridden by the opposite tag (in other words,
! 1024: \fRPASSWD\fR
! 1025: overrides
! 1026: \fRNOPASSWD\fR
! 1027: and
! 1028: \fRNOEXEC\fR
! 1029: overrides
! 1030: \fREXEC\fR).
! 1031: .PP
! 1032: \fINOPASSWD and PASSWD\fR
! 1033: .PP
! 1034: By default,
! 1035: \fBsudo\fR
! 1036: requires that a user authenticate him or herself
! 1037: before running a command.
! 1038: This behavior can be modified via the
! 1039: \fRNOPASSWD\fR
! 1040: tag.
! 1041: Like a
! 1042: \fRRunas_Spec\fR,
! 1043: the
! 1044: \fRNOPASSWD\fR
! 1045: tag sets
! 1046: a default for the commands that follow it in the
! 1047: \fRCmnd_Spec_List\fR.
! 1048: Conversely, the
! 1049: \fRPASSWD\fR
! 1050: tag can be used to reverse things.
1.1 misho 1051: For example:
1.1.1.3 ! misho 1052: .nf
! 1053: .sp
! 1054: .RS 0n
! 1055: ray rushmore = NOPASSWD: /bin/kill, /bin/ls, /usr/bin/lprm
! 1056: .RE
! 1057: .fi
1.1 misho 1058: .PP
1.1.1.3 ! misho 1059: would allow the user
! 1060: \fBray\fR
! 1061: to run
! 1062: \fI/bin/kill\fR,
! 1063: \fI/bin/ls\fR,
! 1064: and
! 1065: \fI/usr/bin/lprm\fR
! 1066: as
! 1067: \fBroot\fR
! 1068: on the machine rushmore without authenticating himself.
! 1069: If we only want
! 1070: \fBray\fR
! 1071: to be able to
! 1072: run
! 1073: \fI/bin/kill\fR
! 1074: without a password the entry would be:
! 1075: .nf
! 1076: .sp
! 1077: .RS 0n
! 1078: ray rushmore = NOPASSWD: /bin/kill, PASSWD: /bin/ls, /usr/bin/lprm
! 1079: .RE
! 1080: .fi
! 1081: .PP
! 1082: Note, however, that the
! 1083: \fRPASSWD\fR
! 1084: tag has no effect on users who are in the group specified by the
! 1085: \fIexempt_group\fR
! 1086: option.
! 1087: .PP
! 1088: By default, if the
! 1089: \fRNOPASSWD\fR
! 1090: tag is applied to any of the entries for a user on the current host,
! 1091: he or she will be able to run
! 1092: ``\fRsudo -l\fR''
! 1093: without a password.
! 1094: Additionally, a user may only run
! 1095: ``\fRsudo -v\fR''
! 1096: without a password if the
! 1097: \fRNOPASSWD\fR
! 1098: tag is present for all of a user's entries that pertain to the current host.
! 1099: This behavior may be overridden via the
! 1100: \fIverifypw\fR
! 1101: and
! 1102: \fIlistpw\fR
! 1103: options.
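As an added illustration of how tags carry over within a \fRCmnd_Spec_List\fR (example code written for this page, not part of sudo), the following Python toy parser applies the inheritance and override rules described above to the two entries for ray and reports which commands still require a password. It assumes one user specification per line, no \fRRunas_Spec\fR and no `=' inside command arguments; the names OPPOSITE, effective_tags and needs_password are the example's own.

```python
import re

# Each tag and the opposite tag that cancels it (see Tag_Spec above).
OPPOSITE = {
    "NOPASSWD": "PASSWD", "PASSWD": "NOPASSWD",
    "NOEXEC": "EXEC", "EXEC": "NOEXEC",
    "SETENV": "NOSETENV", "NOSETENV": "SETENV",
    "LOG_INPUT": "NOLOG_INPUT", "NOLOG_INPUT": "LOG_INPUT",
    "LOG_OUTPUT": "NOLOG_OUTPUT", "NOLOG_OUTPUT": "LOG_OUTPUT",
}
TAG_PREFIX = re.compile(r"([A-Z_]+):\s*")


def effective_tags(entry):
    """Map each command of a one-line user specification to the set of
    tags in force for it.  A tag set on one Cmnd carries over to the Cmnds
    that follow until the opposite tag cancels it.  Toy parser (assumption):
    one User_Spec per line, no Runas_Spec, no '=' inside arguments."""
    _, _, cmnd_spec_list = entry.partition("=")
    active, result = set(), {}
    for item in cmnd_spec_list.split(","):
        item = item.strip()
        while True:                        # tags may stack: "NOPASSWD: NOEXEC: cmd"
            m = TAG_PREFIX.match(item)
            if not m or m.group(1) not in OPPOSITE:
                break
            tag = m.group(1)
            active.discard(OPPOSITE[tag])  # PASSWD overrides NOPASSWD, and so on
            active.add(tag)
            item = item[m.end():]
        result[item] = frozenset(active)
    return result


def needs_password(entry, command):
    """True unless NOPASSWD is in force for `command` in `entry`."""
    return "NOPASSWD" not in effective_tags(entry)[command]


if __name__ == "__main__":
    for entry in ("ray rushmore = NOPASSWD: /bin/kill, /bin/ls, /usr/bin/lprm",
                  "ray rushmore = NOPASSWD: /bin/kill, PASSWD: /bin/ls, /usr/bin/lprm"):
        for cmnd, tags in effective_tags(entry).items():
            print("%-16s %-20s password required: %s"
                  % (cmnd, sorted(tags), needs_password(entry, cmnd)))
```

For the first entry all three commands come out password-free; for the second only \fI/bin/kill\fR does, because the \fRPASSWD\fR tag on \fI/bin/ls\fR is inherited by \fI/usr/bin/lprm\fR.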
! 1104: .PP
! 1105: \fINOEXEC and EXEC\fR
! 1106: .PP
! 1107: If
! 1108: \fBsudo\fR
! 1109: has been compiled with
! 1110: \fInoexec\fR
! 1111: support and the underlying operating system supports it, the
! 1112: \fRNOEXEC\fR
! 1113: tag can be used to prevent a dynamically-linked executable from
! 1114: running further commands itself.
! 1115: .PP
! 1116: In the following example, user
! 1117: \fBaaron\fR
! 1118: may run
! 1119: \fI/usr/bin/more\fR
! 1120: and
! 1121: \fI/usr/bin/vi\fR
! 1122: but shell escapes will be disabled.
! 1123: .nf
! 1124: .sp
! 1125: .RS 0n
! 1126: aaron shanty = NOEXEC: /usr/bin/more, /usr/bin/vi
! 1127: .RE
! 1128: .fi
! 1129: .PP
! 1130: See the
! 1131: \fIPreventing shell escapes\fR
! 1132: section below for more details on how
! 1133: \fRNOEXEC\fR
! 1134: works and whether or not it will work on your system.
! 1135: .PP
! 1136: \fISETENV and NOSETENV\fR
! 1137: .PP
! 1138: These tags override the value of the
! 1139: \fIsetenv\fR
! 1140: option on a per-command basis.
! 1141: Note that if
! 1142: \fRSETENV\fR
! 1143: has been set for a command, the user may disable the
! 1144: \fIenv_reset\fR
! 1145: option from the command line via the
! 1146: \fB\-E\fR
! 1147: option.
! 1148: Additionally, environment variables set on the command
! 1149: line are not subject to the restrictions imposed by
! 1150: \fIenv_check\fR,
! 1151: \fIenv_delete\fR,
! 1152: or
! 1153: \fIenv_keep\fR.
! 1154: As such, only trusted users should be allowed to set variables in this manner.
! 1155: If the command matched is
! 1156: \fBALL\fR,
! 1157: the
! 1158: \fRSETENV\fR
! 1159: tag is implied for that command; this default may be overridden by use of the
! 1160: \fRNOSETENV\fR
! 1161: tag.
! 1162: .PP
! 1163: \fILOG_INPUT and NOLOG_INPUT\fR
! 1164: .PP
! 1165: These tags override the value of the
! 1166: \fIlog_input\fR
! 1167: option on a per-command basis.
! 1168: For more information, see the description of
! 1169: \fIlog_input\fR
! 1170: in the
! 1171: \fISUDOERS OPTIONS\fR
! 1172: section below.
! 1173: .PP
! 1174: \fILOG_OUTPUT and NOLOG_OUTPUT\fR
! 1175: .PP
! 1176: These tags override the value of the
! 1177: \fIlog_output\fR
! 1178: option on a per-command basis.
! 1179: For more information, see the description of
! 1180: \fIlog_output\fR
! 1181: in the
! 1182: \fISUDOERS OPTIONS\fR
! 1183: section below.
1.1 misho 1184: .SS "Wildcards"
1.1.1.3 ! misho 1185: \fBsudo\fR
! 1186: allows shell-style
! 1187: \fIwildcards\fR
! 1188: (aka meta or glob characters)
! 1189: to be used in host names, path names and command line arguments in the
! 1190: \fIsudoers\fR
! 1191: file.
! 1192: Wildcard matching is done via the
! 1193: \fBPOSIX\fR
! 1194: glob(3)
! 1195: and
! 1196: fnmatch(3)
! 1197: routines.
! 1198: Note that these are
! 1199: \fInot\fR
1.1 misho 1200: regular expressions.
1.1.1.3 ! misho 1201: .TP 10n
! 1202: \fR*\fR
1.1 misho 1203: Matches any set of zero or more characters.
1.1.1.3 ! misho 1204: .TP 10n
! 1205: \fR\&?\fR
1.1 misho 1206: Matches any single character.
1.1.1.3 ! misho 1207: .TP 10n
! 1208: \fR[...]\fR
1.1 misho 1209: Matches any character in the specified range.
1.1.1.3 ! misho 1210: .TP 10n
! 1211: \fR[!...]\fR
! 1212: Matches any character
! 1213: \fBnot\fR
! 1214: in the specified range.
! 1215: .TP 10n
! 1216: \fR\ex\fR
! 1217: For any character
! 1218: `x',
! 1219: evaluates to
! 1220: `x'.
! 1221: This is used to escape special characters such as:
! 1222: `*',
! 1223: `\&?',
! 1224: `[\&',
! 1225: and
! 1226: `]\&'.
! 1227: .PP
! 1228: POSIX character classes may also be used if your system's
! 1229: glob(3)
! 1230: and
! 1231: fnmatch(3)
! 1232: functions support them.
! 1233: However, because the
! 1234: `:\&'
! 1235: character has special meaning in
! 1236: \fIsudoers\fR,
! 1237: it must be
! 1238: escaped.
! 1239: For example:
! 1240: .nf
! 1241: .sp
! 1242: .RS 4n
! 1243: /bin/ls [[\e:alpha\e:]]*
! 1244: .RE
! 1245: .fi
1.1 misho 1246: .PP
1247: Would match any file name beginning with a letter.
1248: .PP
1.1.1.3 ! misho 1249: Note that a forward slash
! 1250: (`/')
! 1251: will
! 1252: \fBnot\fR
! 1253: be matched by
! 1254: wildcards used in the path name.
! 1255: This is to make a path like:
! 1256: .nf
! 1257: .sp
! 1258: .RS 4n
! 1259: /usr/bin/*
! 1260: .RE
! 1261: .fi
! 1262: .PP
! 1263: match
! 1264: \fI/usr/bin/who\fR
! 1265: but not
! 1266: \fI/usr/bin/X11/xterm\fR.
! 1267: .PP
! 1268: When matching the command line arguments, however, a slash
! 1269: \fBdoes\fR
! 1270: get matched by wildcards since command line arguments may contain
! 1271: arbitrary strings and not just path names.
! 1272: .PP
! 1273: Wildcards in command line arguments should be used with care.
! 1274: Because command line arguments are matched as a single, concatenated
! 1275: string, a wildcard such as
! 1276: `\&?'
! 1277: or
! 1278: `*'
! 1279: can match multiple words.
! 1280: For example, while a sudoers entry like:
! 1281: .nf
! 1282: .sp
! 1283: .RS 4n
! 1284: %operator ALL = /bin/cat /var/log/messages*
! 1285: .RE
! 1286: .fi
! 1287: .PP
! 1288: will allow a command like:
! 1289: .nf
! 1290: .sp
! 1291: .RS 4n
! 1292: $ sudo cat /var/log/messages.1
! 1293: .RE
! 1294: .fi
! 1295: .PP
! 1296: It will also allow:
! 1297: .nf
! 1298: .sp
! 1299: .RS 4n
! 1300: $ sudo cat /var/log/messages /etc/shadow
! 1301: .RE
! 1302: .fi
1.1 misho 1303: .PP
1.1.1.3 ! misho 1304: which is probably not what was intended.
1.1 misho 1305: .SS "Exceptions to wildcard rules"
1306: The following exceptions apply to the above rules:
1.1.1.3 ! misho 1307: .TP 10n
! 1308: \fR\&""\fR
! 1309: If the empty string
! 1310: \fR\&""\fR
! 1311: is the only command line argument in the
! 1312: \fIsudoers\fR
! 1313: entry, it means that the command is not allowed to be run with
! 1314: \fBany\fR
! 1315: arguments.
! 1316: .TP 10n
! 1317: sudoedit
! 1318: Command line arguments to the
! 1319: \fIsudoedit\fR
! 1320: built-in command should always be path names, so a forward slash
! 1321: (`/')
! 1322: will not be matched by a wildcard.
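To make the difference between path name and argument matching concrete, here is an added Python model of sudoers wildcard matching (example code for this page, not sudo's own matcher, which defers to the system's glob(3) and fnmatch(3)). It implements the rules of the Wildcards and Exceptions to wildcard rules sections: `*' and `?' stop at `/' in path names but not in arguments, arguments are matched as one concatenated string, an empty-string argument pattern forbids all arguments, and POSIX character classes with the escaped colon are accepted. The ASCII class table and the names glob_to_regex, path_matches, args_match and command_matches are the example's own assumptions; real sudo also resolves the command path and handles non-wildcard entries separately, which this model leaves out.

```python
import re

# ASCII approximations of the POSIX classes (assumption: the real
# glob(3)/fnmatch(3) may be locale-aware).
POSIX_CLASSES = {
    "alpha": "a-zA-Z", "digit": "0-9", "alnum": "a-zA-Z0-9",
    "upper": "A-Z", "lower": "a-z", "space": r" \t\n\r\f\v",
}
# "[:alpha:]" or, as it must be written in sudoers, "[\:alpha\:]".
CLASS_RE = re.compile(r"\[\\?:([a-z]+)\\?:\]")


def glob_to_regex(pattern, slash_is_special):
    """Translate a sudoers glob into a regular expression.

    With slash_is_special (path names) '*' and '?' never match '/';
    without it (command line arguments) they match any character,
    including the space that separates arguments."""
    any_char = "[^/]" if slash_is_special else "."
    out, i, n = [], 0, len(pattern)
    while i < n:
        c = pattern[i]
        if c == "\\" and i + 1 < n:                 # \x evaluates to x
            out.append(re.escape(pattern[i + 1]))
            i += 2
        elif c == "*":
            out.append(any_char + "*")
            i += 1
        elif c == "?":
            out.append(any_char)
            i += 1
        elif c == "[":
            j, negate = i + 1, False
            if j < n and pattern[j] == "!":        # [!...] negates the set
                negate, j = True, j + 1
            parts, first = [], True
            while j < n and (pattern[j] != "]" or first):
                first = False
                m = CLASS_RE.match(pattern, j)
                if m and m.group(1) in POSIX_CLASSES:
                    parts.append(POSIX_CLASSES[m.group(1)])
                    j = m.end()
                elif pattern[j] == "\\" and j + 1 < n:
                    parts.append(re.escape(pattern[j + 1]))
                    j += 2
                elif pattern[j] == "-" and parts and j + 1 < n and pattern[j + 1] != "]":
                    parts.append("-")               # range operator, e.g. a-z
                    j += 1
                else:
                    parts.append(re.escape(pattern[j]))
                    j += 1
            if j >= n:                              # no closing ']': literal '['
                out.append(re.escape("["))
                i += 1
                continue
            out.append("[" + ("^" if negate else "") + "".join(parts) + "]")
            i = j + 1
        else:
            out.append(re.escape(c))
            i += 1
    return "".join(out)


def path_matches(pattern, path):
    """Match a command path: wildcards do not cross '/' boundaries."""
    return re.fullmatch(glob_to_regex(pattern, True), path) is not None


def args_match(arg_pattern, args):
    """Match arguments the way sudoers does: the user's arguments are joined
    into one string and matched against the whole argument pattern, so a
    single '*' can swallow several words."""
    if arg_pattern == '""':                         # empty string: no arguments allowed
        return len(args) == 0
    return re.fullmatch(glob_to_regex(arg_pattern, False), " ".join(args)) is not None


def command_matches(sudoers_cmnd, argv):
    """argv[0] is the command path, argv[1:] its arguments."""
    path_pattern, _, arg_pattern = sudoers_cmnd.strip().partition(" ")
    if not path_matches(path_pattern, argv[0]):
        return False
    if not arg_pattern.strip():                     # no args in sudoers: any args allowed
        return True
    return args_match(arg_pattern.strip(), argv[1:])
```

Running command_matches("/bin/cat /var/log/messages*", ...) against both argument lists from the text shows why the entry for %operator is too loose: "/var/log/messages /etc/shadow" is one string beginning with /var/log/messages, so the trailing `*' accepts it.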
1.1 misho 1323: .SS "Including other files from within sudoers"
1.1.1.3 ! misho 1324: It is possible to include other
! 1325: \fIsudoers\fR
! 1326: files from within the
! 1327: \fIsudoers\fR
! 1328: file currently being parsed using the
! 1329: \fR#include\fR
! 1330: and
! 1331: \fR#includedir\fR
! 1332: directives.
! 1333: .PP
! 1334: This can be used, for example, to keep a site-wide
! 1335: \fIsudoers\fR
! 1336: file in addition to a local, per-machine file.
! 1337: For the sake of this example the site-wide
! 1338: \fIsudoers\fR
! 1339: will be
! 1340: \fI/etc/sudoers\fR
! 1341: and the per-machine one will be
! 1342: \fI/etc/sudoers.local\fR.
! 1343: To include
! 1344: \fI/etc/sudoers.local\fR
! 1345: from within
! 1346: \fI/etc/sudoers\fR
! 1347: we would use the
! 1348: following line in
! 1349: \fI/etc/sudoers\fR:
! 1350: .nf
! 1351: .sp
! 1352: .RS 4n
! 1353: #include /etc/sudoers.local
! 1354: .RE
! 1355: .fi
! 1356: .PP
! 1357: When
! 1358: \fBsudo\fR
! 1359: reaches this line it will suspend processing of the current file
! 1360: (\fI/etc/sudoers\fR)
! 1361: and switch to
! 1362: \fI/etc/sudoers.local\fR.
! 1363: Upon reaching the end of
! 1364: \fI/etc/sudoers.local\fR,
! 1365: the rest of
! 1366: \fI/etc/sudoers\fR
! 1367: will be processed.
! 1368: Files that are included may themselves include other files.
! 1369: A hard limit of 128 nested include files is enforced to prevent include
! 1370: file loops.
1.1 misho 1371: .PP
1.1.1.2 misho 1372: If the path to the include file is not fully-qualified (does not
1.1.1.3 ! misho 1373: begin with a
! 1374: `/'),
! 1375: it must be located in the same directory as the sudoers file it was
! 1376: included from.
! 1377: For example, if
! 1378: \fI/etc/sudoers\fR
1.1.1.2 misho 1379: contains the line:
1.1.1.3 ! misho 1380: .nf
! 1381: .sp
! 1382: .RS 4n
! 1383: \fR#include sudoers.local\fR
1.1.1.2 misho 1384: .RE
1.1.1.3 ! misho 1385: .fi
1.1.1.2 misho 1386: .PP
1.1.1.3 ! misho 1387: the file that will be included is
! 1388: \fI/etc/sudoers.local\fR.
1.1 misho 1389: .PP
1.1.1.3 ! misho 1390: The file name may also include the
! 1391: \fR%h\fR
! 1392: escape, signifying the short form of the host name.
! 1393: In other words, if the machine's host name is
! 1394: ``xerxes'',
! 1395: then
! 1396: .nf
! 1397: .sp
! 1398: .RS 4n
! 1399: #include /etc/sudoers.%h
! 1400: .RE
! 1401: .fi
1.1 misho 1402: .PP
1.1.1.3 ! misho 1403: will cause
! 1404: \fBsudo\fR
! 1405: to include the file
! 1406: \fI/etc/sudoers.xerxes\fR.
! 1407: .PP
! 1408: The
! 1409: \fR#includedir\fR
! 1410: directive can be used to create a
! 1411: \fIsudo.d\fR
! 1412: directory that the system package manager can drop
! 1413: \fIsudoers\fR
! 1414: rules
! 1415: into as part of package installation.
! 1416: For example, given:
! 1417: .nf
! 1418: .sp
! 1419: .RS 4n
! 1420: #includedir /etc/sudoers.d
! 1421: .RE
! 1422: .fi
1.1 misho 1423: .PP
1.1.1.3 ! misho 1424: \fBsudo\fR
! 1425: will read each file in
! 1426: \fI/etc/sudoers.d\fR,
! 1427: skipping file names that end in
! 1428: `~'
! 1429: or contain a
! 1430: `.\&'
! 1431: character to avoid causing problems with package manager or editor
! 1432: temporary/backup files.
! 1433: Files are parsed in sorted lexical order.
! 1434: That is,
! 1435: \fI/etc/sudoers.d/01_first\fR
! 1436: will be parsed before
! 1437: \fI/etc/sudoers.d/10_second\fR.
! 1438: Be aware that because the sorting is lexical, not numeric,
! 1439: \fI/etc/sudoers.d/1_whoops\fR
! 1440: would be loaded
! 1441: \fBafter\fR
! 1442: \fI/etc/sudoers.d/10_second\fR.
! 1443: Using a consistent number of leading zeroes in the file names avoids
! 1444: such problems.
! 1445: .PP
! 1446: Note that unlike files included via
! 1447: \fR#include\fR,
! 1448: \fBvisudo\fR
! 1449: will not edit the files in a
! 1450: \fR#includedir\fR
! 1451: directory unless one of them contains a syntax error.
! 1452: It is still possible to run
! 1453: \fBvisudo\fR
! 1454: with the
! 1455: \fB\-f\fR
! 1456: flag to edit the files directly.
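The lexical-order pitfall and the skip rule are easy to check before deploying a drop-in file. The following Python helper is an added example (not part of sudo or visudo) that reproduces the \fR#includedir\fR selection rules from this section on a constructed set of file names and flags numeric prefixes of inconsistent width; the names includedir_order, includedir_files and inconsistent_prefixes are the example's own.

```python
import os
import re
import tempfile


def includedir_order(names):
    """Split the entries of an #includedir directory into the names sudo
    will read (in the order it reads them) and the names it skips.
    Skipped: names ending in '~' or containing a '.'.  The rest are
    sorted as plain strings, i.e. lexically, not numerically."""
    read, skipped = [], []
    for name in names:
        if name.endswith("~") or "." in name:
            skipped.append(name)
        else:
            read.append(name)
    return sorted(read), sorted(skipped)


def includedir_files(directory):
    """Apply includedir_order to the regular files of a real directory."""
    names = [n for n in os.listdir(directory)
             if os.path.isfile(os.path.join(directory, n))]
    return includedir_order(names)


NUMERIC_PREFIX = re.compile(r"^(\d+)_")


def inconsistent_prefixes(read_order):
    """Names whose numeric prefix is narrower than the widest one present,
    i.e. files that sort somewhere other than their number suggests
    (1_whoops is read after 10_second)."""
    widths = {}
    for name in read_order:
        m = NUMERIC_PREFIX.match(name)
        if m:
            widths[name] = len(m.group(1))
    if not widths:
        return []
    widest = max(widths.values())
    return [n for n, w in widths.items() if w < widest]


def demo():
    # Constructed sample drop-in names, written to a throwaway directory.
    sample = ["10_second", "01_first", "1_whoops",
              "admins.bak", "admins~", "README.txt"]
    with tempfile.TemporaryDirectory() as d:
        for name in sample:
            with open(os.path.join(d, name), "w") as f:
                f.write("# constructed sample file\n")
        read, skipped = includedir_files(d)
    return read, skipped, inconsistent_prefixes(read)


if __name__ == "__main__":
    read, skipped, warn = demo()
    print("read order:", read)
    print("skipped:   ", skipped)
    print("suspect:   ", warn)
```

On the sample names the read order is 01_first, 10_second, 1_whoops; the three names with a dot or trailing tilde are never read, and 1_whoops is reported because its one-digit prefix does not sort where its number suggests.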
1.1 misho 1457: .SS "Other special characters and reserved words"
1.1.1.3 ! misho 1458: The pound sign
! 1459: (`#')
! 1460: is used to indicate a comment (unless it is part of a #include
! 1461: directive or unless it occurs in the context of a user name and is
! 1462: followed by one or more digits, in which case it is treated as a
! 1463: uid).
! 1464: Both the comment character and any text after it, up to the end of
! 1465: the line, are ignored.
! 1466: .PP
! 1467: The reserved word
! 1468: \fBALL\fR
! 1469: is a built-in
! 1470: \fIalias\fR
! 1471: that always causes a match to succeed.
! 1472: It can be used wherever one might otherwise use a
! 1473: \fRCmnd_Alias\fR,
! 1474: \fRUser_Alias\fR,
! 1475: \fRRunas_Alias\fR,
! 1476: or
! 1477: \fRHost_Alias\fR.
! 1478: You should not try to define your own
! 1479: \fIalias\fR
! 1480: called
! 1481: \fBALL\fR
! 1482: as the built-in alias will be used in preference to your own.
! 1483: Please note that using
! 1484: \fBALL\fR
! 1485: can be dangerous since in a command context, it allows the user to run
! 1486: \fBany\fR
! 1487: command on the system.
! 1488: .PP
! 1489: An exclamation point
! 1490: (`\&!')
! 1491: can be used as a logical
! 1492: \fInot\fR
! 1493: operator both in an
! 1494: \fIalias\fR
! 1495: and in front of a
! 1496: \fRCmnd\fR.
! 1497: This allows one to exclude certain values.
! 1498: Note, however, that using a
! 1499: `\&!'
! 1500: in conjunction with the built-in
! 1501: \fBALL\fR
! 1502: alias to allow a user to run
! 1503: ``all but a few''
! 1504: commands rarely works as intended (see
! 1505: \fISECURITY NOTES\fR
! 1506: below).
! 1507: .PP
! 1508: Long lines can be continued with a backslash
! 1509: (`\e')
! 1510: as the last character on the line.
! 1511: .PP
! 1512: White space between elements in a list as well as special syntactic
! 1513: characters in a
! 1514: \fIUser Specification\fR
! 1515: (`=\&',
! 1516: `:\&',
! 1517: `(\&',
! 1518: `)\&')
! 1519: is optional.
! 1520: .PP
! 1521: The following characters must be escaped with a backslash
! 1522: (`\e')
! 1523: when used as part of a word (e.g.\& a user name or host name):
! 1524: `\&!',
! 1525: `=\&',
! 1526: `:\&',
! 1527: `,\&',
! 1528: `(\&',
! 1529: `)\&',
! 1530: `\e'.
1.1 misho 1531: .SH "SUDOERS OPTIONS"
1.1.1.3 ! misho 1532: \fBsudo\fR's
! 1533: behavior can be modified by
! 1534: \fRDefault_Entry\fR
! 1535: lines, as explained earlier.
! 1536: A list of all supported Defaults parameters, grouped by type, is given below.
! 1537: .PP
! 1538: \fBBoolean Flags\fR:
! 1539: .TP 18n
! 1540: always_set_home
! 1541: If enabled,
! 1542: \fBsudo\fR
! 1543: will set the
! 1544: \fRHOME\fR
! 1545: environment variable to the home directory of the target user
! 1546: (which is root unless the
! 1547: \fB\-u\fR
! 1548: option is used).
! 1549: This effectively means that the
! 1550: \fB\-H\fR
! 1551: option is always implied.
! 1552: Note that
! 1553: \fRHOME\fR
! 1554: is already set when the
! 1555: \fIenv_reset\fR
! 1556: option is enabled, so
! 1557: \fIalways_set_home\fR
! 1558: is only effective for configurations where either
! 1559: \fIenv_reset\fR
! 1560: is disabled or
! 1561: \fRHOME\fR
! 1562: is present in the
! 1563: \fIenv_keep\fR
! 1564: list.
! 1565: This flag is
! 1566: \fIoff\fR
! 1567: by default.
! 1568: .TP 18n
! 1569: authenticate
1.1 misho 1570: If set, users must authenticate themselves via a password (or other
1.1.1.3 ! misho 1571: means of authentication) before they may run commands.
! 1572: This default may be overridden via the
! 1573: \fRPASSWD\fR
! 1574: and
! 1575: \fRNOPASSWD\fR
! 1576: tags.
! 1577: This flag is
! 1578: \fIon\fR
! 1579: by default.
! 1580: .TP 18n
! 1581: closefrom_override
! 1582: If set, the user may use
! 1583: \fBsudo\fR's
! 1584: \fB\-C\fR
! 1585: option which overrides the default starting point at which
! 1586: \fBsudo\fR
! 1587: begins closing open file descriptors.
! 1588: This flag is
! 1589: \fIoff\fR
! 1590: by default.
! 1591: .TP 18n
! 1592: compress_io
! 1593: If set, and
! 1594: \fBsudo\fR
! 1595: is configured to log a command's input or output,
! 1596: the I/O logs will be compressed using
! 1597: \fBzlib\fR.
! 1598: This flag is
! 1599: \fIon\fR
! 1600: by default when
! 1601: \fBsudo\fR
! 1602: is compiled with
! 1603: \fBzlib\fR
! 1604: support.
! 1605: .TP 18n
! 1606: env_editor
! 1607: If set,
! 1608: \fBvisudo\fR
! 1609: will use the value of the
! 1610: \fREDITOR\fR
! 1611: or
! 1612: \fRVISUAL\fR
1.1 misho 1613: environment variables before falling back on the default editor list.
1614: Note that this may create a security hole as it allows the user to
1.1.1.3 ! misho 1615: run any arbitrary command as root without logging.
! 1616: A safer alternative is to place a colon-separated list of editors
! 1617: in the
! 1618: \fReditor\fR
! 1619: variable.
! 1620: \fBvisudo\fR
! 1621: will then only use the
! 1622: \fREDITOR\fR
! 1623: or
! 1624: \fRVISUAL\fR
! 1625: if they match a value specified in
! 1626: \fReditor\fR.
! 1627: This flag is
! 1628: \fI@env_editor@\fR
! 1629: by
1.1.1.2 misho 1630: default.
1.1.1.3 ! misho 1631: .TP 18n
! 1632: env_reset
! 1633: If set,
! 1634: \fBsudo\fR
! 1635: will run the command in a minimal environment containing the
! 1636: \fRTERM\fR,
! 1637: \fRPATH\fR,
! 1638: \fRHOME\fR,
! 1639: \fRMAIL\fR,
! 1640: \fRSHELL\fR,
! 1641: \fRLOGNAME\fR,
! 1642: \fRUSER\fR,
! 1643: \fRUSERNAME\fR
! 1644: and
! 1645: \fRSUDO_*\fR
! 1646: variables.
! 1647: Any
! 1648: variables in the caller's environment that match the
! 1649: \fRenv_keep\fR
! 1650: and
! 1651: \fRenv_check\fR
! 1652: lists are then added, followed by any variables present in the file
! 1653: specified by the
! 1654: \fIenv_file\fR
! 1655: option (if any).
! 1656: The default contents of the
! 1657: \fRenv_keep\fR
! 1658: and
! 1659: \fRenv_check\fR
! 1660: lists are displayed when
! 1661: \fBsudo\fR
! 1662: is run by root with the
! 1663: \fB\-V\fR
! 1664: option.
! 1665: If the
! 1666: \fIsecure_path\fR
! 1667: option is set, its value will be used for the
! 1668: \fRPATH\fR
! 1669: environment variable.
! 1670: This flag is
! 1671: \fI@env_reset@\fR
! 1672: by default.
! 1673: .TP 18n
! 1674: fast_glob
! 1675: Normally,
! 1676: \fBsudo\fR
! 1677: uses the
! 1678: glob(3)
! 1679: function to do shell-style globbing when matching path names.
! 1680: However, since it accesses the file system,
! 1681: glob(3)
! 1682: can take a long time to complete for some patterns, especially
! 1683: when the pattern references a network file system that is mounted
! 1684: on demand (auto mounted).
! 1685: The
! 1686: \fIfast_glob\fR
! 1687: option causes
! 1688: \fBsudo\fR
! 1689: to use the
! 1690: fnmatch(3)
! 1691: function, which does not access the file system to do its matching.
! 1692: The disadvantage of
! 1693: \fIfast_glob\fR
! 1694: is that it is unable to match relative path names such as
! 1695: \fI./ls\fR
! 1696: or
! 1697: \fI../bin/ls\fR.
! 1698: This has security implications when path names that include globbing
! 1699: characters are used with the negation operator,
! 1700: `!\&',
! 1701: as such rules can be trivially bypassed.
! 1702: As such, this option should not be used when
! 1703: \fIsudoers\fR
! 1704: contains rules that contain negated path names which include globbing
! 1705: characters.
! 1706: This flag is
! 1707: \fIoff\fR
! 1708: by default.
! 1709: .TP 18n
! 1710: fqdn
1.1 misho 1711: Set this flag if you want to put fully qualified host names in the
1.1.1.3 ! misho 1712: \fIsudoers\fR
! 1713: file when the local host name (as returned by the
! 1714: \fRhostname\fR
! 1715: command) does not contain the domain name.
! 1716: In other words, instead of myhost you would use myhost.mydomain.edu.
1.1 misho 1717: You may still use the short form if you wish (and even mix the two).
1.1.1.3 ! misho 1718: This option is only effective when the
! 1719: ``canonical''
! 1720: host name, as returned by the
! 1721: \fBgetaddrinfo\fR()
! 1722: or
! 1723: \fBgethostbyname\fR()
! 1724: function, is a fully-qualified domain name.
! 1725: This is usually the case when the system is configured to use DNS
! 1726: for host name resolution.
! 1727: .sp
! 1728: If the system is configured to use the
! 1729: \fI/etc/hosts\fR
! 1730: file in preference to DNS, the
! 1731: ``canonical''
! 1732: host name may not be fully-qualified.
! 1733: The order in which sources are queried for host name resolution
! 1734: is usually specified in the
! 1735: \fI@nsswitch_conf@\fR,
! 1736: \fI@netsvc_conf@\fR,
! 1737: \fI/etc/host.conf\fR,
! 1738: or, in some cases,
! 1739: \fI/etc/resolv.conf\fR
! 1740: file.
! 1741: In the
! 1742: \fI/etc/hosts\fR
! 1743: file, the first host name of the entry is considered to be the
! 1744: ``canonical''
! 1745: name; subsequent names are aliases that are not used by
! 1746: \fBsudoers\fR.
! 1747: For example, the following hosts file line for the machine
! 1748: ``xyzzy''
! 1749: has the fully-qualified domain name as the
! 1750: ``canonical''
! 1751: host name, and the short version as an alias.
! 1752: .sp
! 1753: .RS 6n
! 1754: 192.168.1.1 xyzzy.sudo.ws xyzzy
! 1755: .RE
! 1756: .sp
! 1757: If the machine's hosts file entry is not formatted properly, the
! 1758: \fIfqdn\fR
! 1759: option will not be effective if it is queried before DNS.
! 1760: .sp
! 1761: Beware that when using DNS for host name resolution, turning on
! 1762: \fIfqdn\fR
! 1763: requires
! 1764: \fBsudoers\fR
! 1765: to make DNS lookups which renders
! 1766: \fBsudo\fR
! 1767: unusable if DNS stops working (for example if the machine is disconnected
! 1768: from the network).
! 1769: Also note that just like with the hosts file, you must use the
! 1770: ``canonical''
! 1771: name as DNS knows it.
! 1772: That is, you may not use a host alias
! 1773: (\fRCNAME\fR
! 1774: entry)
! 1775: due to performance issues and the fact that there is no way to get all
! 1776: aliases from DNS.
! 1777: .sp
! 1778: This flag is
! 1779: \fI@fqdn@\fR
! 1780: by default.
! 1781: .TP 18n
! 1782: ignore_dot
! 1783: If set,
! 1784: \fBsudo\fR
! 1785: will ignore "." or "" (both denoting the current directory) in the
! 1786: \fRPATH\fR
! 1787: environment variable; the
! 1788: \fRPATH\fR
! 1789: itself is not modified.
! 1790: This flag is
! 1791: \fI@ignore_dot@\fR
! 1792: by default.
! 1793: .TP 18n
! 1794: ignore_local_sudoers
! 1795: If set via LDAP, parsing of
! 1796: \fI@sysconfdir@/sudoers\fR
! 1797: will be skipped.
1.1 misho 1798: This is intended for enterprises that wish to prevent the usage of local
1.1.1.3 ! misho 1799: sudoers files so that only LDAP is used.
! 1800: This thwarts the efforts of rogue operators who would attempt to add roles to
! 1801: \fI@sysconfdir@/sudoers\fR.
! 1802: When this option is present,
! 1803: \fI@sysconfdir@/sudoers\fR
! 1804: does not even need to exist.
! 1805: Since this option tells
! 1806: \fBsudo\fR
! 1807: how to behave when no specific LDAP entries have been matched, this
! 1808: sudoOption is only meaningful for the
! 1809: \fRcn=defaults\fR
! 1810: section.
! 1811: This flag is
! 1812: \fIoff\fR
! 1813: by default.
! 1814: .TP 18n
! 1815: insults
! 1816: If set,
! 1817: \fBsudo\fR
! 1818: will insult users when they enter an incorrect password.
! 1819: This flag is
! 1820: \fI@insults@\fR
! 1821: by default.
! 1822: .TP 18n
! 1823: log_host
! 1824: If set, the host name will be logged in the (non-syslog)
! 1825: \fBsudo\fR
! 1826: log file.
! 1827: This flag is
! 1828: \fIoff\fR
! 1829: by default.
! 1830: .TP 18n
! 1831: log_input
! 1832: If set,
! 1833: \fBsudo\fR
! 1834: will run the command in a
! 1835: \fIpseudo tty\fR
! 1836: and log all user input.
1.1 misho 1837: If the standard input is not connected to the user's tty, due to
1838: I/O redirection or because the command is part of a pipeline, that
1839: input is also captured and stored in a separate log file.
1.1.1.3 ! misho 1840: .sp
! 1841: Input is logged to the directory specified by the
! 1842: \fIiolog_dir\fR
! 1843: option
! 1844: (\fI@iolog_dir@\fR
! 1845: by default)
! 1846: using a unique session ID that is included in the normal
! 1847: \fBsudo\fR
! 1848: log line, prefixed with
! 1849: ``\fRTSID=\fR''.
! 1850: The
! 1851: \fIiolog_file\fR
! 1852: option may be used to control the format of the session ID.
! 1853: .sp
1.1 misho 1854: Note that user input may contain sensitive information such as
1855: passwords (even if they are not echoed to the screen), which will
1.1.1.3 ! misho 1856: be stored in the log file unencrypted.
! 1857: In most cases, logging the command output via
! 1858: \fIlog_output\fR
! 1859: is all that is required.
! 1860: .TP 18n
! 1861: log_output
! 1862: If set,
! 1863: \fBsudo\fR
! 1864: will run the command in a
! 1865: \fIpseudo tty\fR
! 1866: and log all output that is sent to the screen, similar to the
! 1867: script(1)
! 1868: command.
1.1 misho 1869: If the standard output or standard error is not connected to the
1870: user's tty, due to I/O redirection or because the command is part
1871: of a pipeline, that output is also captured and stored in separate
1872: log files.
1.1.1.3 ! misho 1873: .sp
! 1874: Output is logged to the directory specified by the
! 1875: \fIiolog_dir\fR
! 1876: option
! 1877: (\fI@iolog_dir@\fR
! 1878: by default)
! 1879: using a unique session ID that is included in the normal
! 1880: \fBsudo\fR
! 1881: log line, prefixed with
! 1882: ``\fRTSID=\fR''.
! 1883: The
! 1884: \fIiolog_file\fR
! 1885: option may be used to control the format of the session ID.
! 1886: .sp
! 1887: Output logs may be viewed with the
! 1888: sudoreplay(@mansectsu@)
! 1889: utility, which can also be used to list or search the available logs.
! 1890: .TP 18n
! 1891: log_year
! 1892: If set, the four-digit year will be logged in the (non-syslog)
! 1893: \fBsudo\fR
! 1894: log file.
! 1895: This flag is
! 1896: \fIoff\fR
! 1897: by default.
! 1898: .TP 18n
! 1899: long_otp_prompt
! 1900: When validating with a One Time Password (OTP) scheme such as
! 1901: \fBS/Key\fR
! 1902: or
! 1903: \fBOPIE\fR,
! 1904: a two-line prompt is used to make it easier
! 1905: to cut and paste the challenge to a local window.
! 1906: It's not as pretty as the default but some people find it more convenient.
! 1907: This flag is
! 1908: \fI@long_otp_prompt@\fR
! 1909: by default.
! 1910: .TP 18n
! 1911: mail_always
! 1912: Send mail to the
! 1913: \fImailto\fR
! 1914: user every time a user runs
! 1915: \fBsudo\fR.
! 1916: This flag is
! 1917: \fIoff\fR
! 1918: by default.
! 1919: .TP 18n
! 1920: mail_badpass
! 1921: Send mail to the
! 1922: \fImailto\fR
! 1923: user if the user running
! 1924: \fBsudo\fR
! 1925: does not enter the correct password.
! 1926: If the command the user is attempting to run is not permitted by
! 1927: \fIsudoers\fR
! 1928: and one of the
! 1929: \fImail_always\fR,
! 1930: \fImail_no_host\fR,
! 1931: \fImail_no_perms\fR
! 1932: or
! 1933: \fImail_no_user\fR
! 1934: flags are set, this flag will have no effect.
! 1935: This flag is
! 1936: \fIoff\fR
! 1937: by default.
! 1938: .TP 18n
! 1939: mail_no_host
! 1940: If set, mail will be sent to the
! 1941: \fImailto\fR
! 1942: user if the invoking user exists in the
! 1943: \fIsudoers\fR
! 1944: file, but is not allowed to run commands on the current host.
! 1945: This flag is
! 1946: \fI@mail_no_host@\fR
! 1947: by default.
! 1948: .TP 18n
! 1949: mail_no_perms
! 1950: If set, mail will be sent to the
! 1951: \fImailto\fR
! 1952: user if the invoking user is allowed to use
! 1953: \fBsudo\fR
! 1954: but the command they are trying is not listed in their
! 1955: \fIsudoers\fR
! 1956: file entry or is explicitly denied.
! 1957: This flag is
! 1958: \fI@mail_no_perms@\fR
! 1959: by default.
! 1960: .TP 18n
! 1961: mail_no_user
! 1962: If set, mail will be sent to the
! 1963: \fImailto\fR
! 1964: user if the invoking user is not in the
! 1965: \fIsudoers\fR
! 1966: file.
! 1967: This flag is
! 1968: \fI@mail_no_user@\fR
! 1969: by default.
! 1970: .TP 18n
! 1971: noexec
! 1972: If set, all commands run via
! 1973: \fBsudo\fR
! 1974: will behave as if the
! 1975: \fRNOEXEC\fR
! 1976: tag has been set, unless overridden by a
! 1977: \fREXEC\fR
! 1978: tag.
! 1979: See the description of
! 1980: \fINOEXEC and EXEC\fR
! 1981: above as well as the
! 1982: \fIPreventing shell escapes\fR
! 1983: section at the end of this manual.
! 1984: This flag is
! 1985: \fIoff\fR
! 1986: by default.
! 1987: .TP 18n
! 1988: path_info
! 1989: Normally,
! 1990: \fBsudo\fR
! 1991: will tell the user when a command could not be
! 1992: found in their
! 1993: \fRPATH\fR
! 1994: environment variable.
! 1995: Some sites may wish to disable this as it could be used to gather
! 1996: information on the location of executables that the normal user does
! 1997: not have access to.
! 1998: The disadvantage is that if the executable is simply not in the user's
! 1999: \fRPATH\fR,
! 2000: \fBsudo\fR
! 2001: will tell the user that they are not allowed to run it, which can be confusing.
! 2002: This flag is
! 2003: \fI@path_info@\fR
! 2004: by default.
! 2005: .TP 18n
! 2006: passprompt_override
! 2007: The password prompt specified by
! 2008: \fIpassprompt\fR
! 2009: will normally only be used if the password prompt provided by systems
! 2010: such as PAM matches the string
! 2011: ``Password:''.
! 2012: If
! 2013: \fIpassprompt_override\fR
! 2014: is set,
! 2015: \fIpassprompt\fR
! 2016: will always be used.
! 2017: This flag is
! 2018: \fIoff\fR
! 2019: by default.
! 2020: .TP 18n
! 2021: preserve_groups
! 2022: By default,
! 2023: \fBsudo\fR
! 2024: will initialize the group vector to the list of groups the target user is in.
! 2025: When
! 2026: \fIpreserve_groups\fR
! 2027: is set, the user's existing group vector is left unaltered.
! 2028: The real and effective group IDs, however, are still set to match the
! 2029: target user.
! 2030: This flag is
! 2031: \fIoff\fR
! 2032: by default.
! 2033: .TP 18n
! 2034: pwfeedback
! 2035: By default,
! 2036: \fBsudo\fR
! 2037: reads the password like most other Unix programs,
1.1 misho 2038: by turning off echo until the user hits the return (or enter) key.
1.1.1.3 ! misho 2039: Some users become confused by this as it appears to them that
! 2040: \fBsudo\fR
! 2041: has hung at this point.
! 2042: When
! 2043: \fIpwfeedback\fR
! 2044: is set,
! 2045: \fBsudo\fR
! 2046: will provide visual feedback when the user presses a key.
! 2047: Note that this does have a security impact as an onlooker may be able to
1.1 misho 2048: determine the length of the password being entered.
1.1.1.3 ! misho 2049: This flag is
! 2050: \fIoff\fR
! 2051: by default.
! 2052: .TP 18n
! 2053: requiretty
! 2054: If set,
! 2055: \fBsudo\fR
! 2056: will only run when the user is logged in to a real tty.
! 2057: When this flag is set,
! 2058: \fBsudo\fR
! 2059: can only be run from a login session and not via other means such as
! 2060: cron(@mansectsu@)
! 2061: or cgi-bin scripts.
! 2062: This flag is
! 2063: \fIoff\fR
! 2064: by default.
! 2065: .TP 18n
! 2066: root_sudo
! 2067: If set, root is allowed to run
! 2068: \fBsudo\fR
! 2069: too.
! 2070: Disabling this prevents users from
! 2071: ``chaining''
! 2072: \fBsudo\fR
! 2073: commands to get a root shell by doing something like
! 2074: ``\fRsudo sudo /bin/sh\fR''.
! 2075: Note, however, that turning off
! 2076: \fIroot_sudo\fR
! 2077: will also prevent root from running
! 2078: \fBsudoedit\fR.
! 2079: Disabling
! 2080: \fIroot_sudo\fR
! 2081: provides no real additional security; it exists purely for historical reasons.
! 2082: This flag is
! 2083: \fI@root_sudo@\fR
! 2084: by default.
! 2085: .TP 18n
! 2086: rootpw
! 2087: If set,
! 2088: \fBsudo\fR
! 2089: will prompt for the root password instead of the password of the invoking user.
! 2090: This flag is
! 2091: \fIoff\fR
! 2092: by default.
! 2093: .TP 18n
! 2094: runaspw
! 2095: If set,
! 2096: \fBsudo\fR
! 2097: will prompt for the password of the user defined by the
! 2098: \fIrunas_default\fR
! 2099: option (defaults to
! 2100: \fR@runas_default@\fR)
! 2101: instead of the password of the invoking user.
! 2102: This flag is
! 2103: \fIoff\fR
! 2104: by default.
! 2105: .TP 18n
! 2106: set_home
! 2107: If enabled and
! 2108: \fBsudo\fR
! 2109: is invoked with the
! 2110: \fB\-s\fR
! 2111: option the
! 2112: \fRHOME\fR
1.1 misho 2113: environment variable will be set to the home directory of the target
1.1.1.3 ! misho 2114: user (which is root unless the
! 2115: \fB\-u\fR
! 2116: option is used).
! 2117: This effectively makes the
! 2118: \fB\-s\fR
! 2119: option imply
! 2120: \fB\-H\fR.
! 2121: Note that
! 2122: \fRHOME\fR
! 2123: is already set when the
! 2124: \fIenv_reset\fR
! 2125: option is enabled, so
! 2126: \fIset_home\fR
! 2127: is only effective for configurations where either
! 2128: \fIenv_reset\fR
! 2129: is disabled
! 2130: or
! 2131: \fRHOME\fR
! 2132: is present in the
! 2133: \fIenv_keep\fR
! 2134: list.
! 2135: This flag is
! 2136: \fIoff\fR
! 2137: by default.
! 2138: .TP 18n
! 2139: set_logname
! 2140: Normally,
! 2141: \fBsudo\fR
! 2142: will set the
! 2143: \fRLOGNAME\fR,
! 2144: \fRUSER\fR
! 2145: and
! 2146: \fRUSERNAME\fR
! 2147: environment variables to the name of the target user (usually root unless the
! 2148: \fB\-u\fR
! 2149: option is given).
! 2150: However, since some programs (including the RCS revision control system) use
! 2151: \fRLOGNAME\fR
! 2152: to determine the real identity of the user, it may be desirable to
! 2153: change this behavior.
! 2154: This can be done by negating the set_logname option.
! 2155: Note that if the
! 2156: \fIenv_reset\fR
! 2157: option has not been disabled, entries in the
! 2158: \fIenv_keep\fR
! 2159: list will override the value of
! 2160: \fIset_logname\fR.
! 2161: This flag is
! 2162: \fIon\fR
! 2163: by default.
! 2164: .TP 18n
! 2165: set_utmp
! 2166: When enabled,
! 2167: \fBsudo\fR
! 2168: will create an entry in the utmp (or utmpx) file when a pseudo-tty
! 2169: is allocated.
! 2170: A pseudo-tty is allocated by
! 2171: \fBsudo\fR
! 2172: when the
! 2173: \fIlog_input\fR,
! 2174: \fIlog_output\fR
! 2175: or
! 2176: \fIuse_pty\fR
! 2177: flags are enabled.
! 2178: By default, the new entry will be a copy of the user's existing utmp
! 2179: entry (if any), with the tty, time, type and pid fields updated.
! 2180: This flag is
! 2181: \fIon\fR
! 2182: by default.
! 2183: .TP 18n
! 2184: setenv
! 2185: Allow the user to disable the
! 2186: \fIenv_reset\fR
! 2187: option from the command line via the
! 2188: \fB\-E\fR
! 2189: option.
! 2190: Additionally, environment variables set via the command line are
! 2191: not subject to the restrictions imposed by
! 2192: \fIenv_check\fR,
! 2193: \fIenv_delete\fR,
! 2194: or
! 2195: \fIenv_keep\fR.
! 2196: As such, only trusted users should be allowed to set variables in this manner.
! 2197: This flag is
! 2198: \fIoff\fR
! 2199: by default.
! 2200: .TP 18n
! 2201: shell_noargs
! 2202: If set and
! 2203: \fBsudo\fR
! 2204: is invoked with no arguments it acts as if the
! 2205: \fB\-s\fR
! 2206: option had been given.
! 2207: That is, it runs a shell as root (the shell is determined by the
! 2208: \fRSHELL\fR
! 2209: environment variable if it is set, falling back on the shell listed
! 2210: in the invoking user's /etc/passwd entry if not).
! 2211: This flag is
! 2212: \fIoff\fR
! 2213: by default.
! 2214: .TP 18n
! 2215: stay_setuid
! 2216: Normally, when
! 2217: \fBsudo\fR
! 2218: executes a command the real and effective UIDs are set to the target
! 2219: user (root by default).
! 2220: This option changes that behavior such that the real UID is left
! 2221: as the invoking user's UID.
! 2222: In other words, this makes
! 2223: \fBsudo\fR
! 2224: act as a setuid wrapper.
! 2225: This can be useful on systems that disable some potentially
! 2226: dangerous functionality when a program is run setuid.
! 2227: This option is only effective on systems that support either the
! 2228: setreuid(2)
! 2229: or
! 2230: setresuid(2)
! 2231: system call.
! 2232: This flag is
! 2233: \fIoff\fR
! 2234: by default.
! 2235: .TP 18n
! 2236: targetpw
! 2237: If set,
! 2238: \fBsudo\fR
! 2239: will prompt for the password of the user specified
! 2240: by the
! 2241: \fB\-u\fR
! 2242: option (defaults to
! 2243: \fRroot\fR)
! 2244: instead of the password of the invoking user.
! 2245: In addition, the time stamp file name will include the target user's name.
! 2246: Note that this flag precludes the use of a uid not listed in the passwd
! 2247: database as an argument to the
! 2248: \fB\-u\fR
! 2249: option.
! 2250: This flag is
! 2251: \fIoff\fR
! 2252: by default.
! 2253: .TP 18n
! 2254: tty_tickets
! 2255: If set, users must authenticate on a per-tty basis.
! 2256: With this flag enabled,
! 2257: \fBsudo\fR
! 2258: will use a file named for the tty the user is
! 2259: logged in on in the user's time stamp directory.
! 2260: If disabled, the time stamp of the directory is used instead.
! 2261: This flag is
! 2262: \fI@tty_tickets@\fR
! 2263: by default.
! 2264: .TP 18n
! 2265: umask_override
! 2266: If set,
! 2267: \fBsudo\fR
! 2268: will set the umask as specified by
! 2269: \fIsudoers\fR
! 2270: without modification.
! 2271: This makes it possible to specify a more permissive umask in
! 2272: \fIsudoers\fR
! 2273: than the user's own umask and matches historical behavior.
! 2274: If
! 2275: \fIumask_override\fR
! 2276: is not set,
! 2277: \fBsudo\fR
! 2278: will set the umask to be the union of the user's umask and what is specified in
! 2279: \fIsudoers\fR.
! 2280: This flag is
! 2281: \fI@umask_override@\fR
! 2282: by default.
! 2283: .TP 18n
! 2284: use_loginclass
! 2285: If set,
! 2286: \fBsudo\fR
! 2287: will apply the defaults specified for the target user's login class
! 2288: if one exists.
! 2289: Only available if
! 2290: \fBsudo\fR
! 2291: is configured with the
! 2292: \fR--with-logincap\fR
! 2293: option.
! 2294: This flag is
! 2295: \fIoff\fR
! 2296: by default.
! 2297: .TP 18n
! 2298: use_pty
! 2299: If set,
! 2300: \fBsudo\fR
! 2301: will run the command in a pseudo-tty even if no I/O logging is being done.
! 2302: A malicious program run under
! 2303: \fBsudo\fR
! 2304: could conceivably fork a background process that retains access to the user's
! 2305: terminal device after the main program has finished executing.
! 2306: Use of this option will make that impossible.
! 2307: This flag is
! 2308: \fIoff\fR
! 2309: by default.
! 2310: .TP 18n
! 2311: utmp_runas
! 2312: If set,
! 2313: \fBsudo\fR
! 2314: will store the name of the runas user when updating the utmp (or utmpx) file.
! 2315: By default,
! 2316: \fBsudo\fR
! 2317: stores the name of the invoking user.
! 2318: This flag is
! 2319: \fIoff\fR
! 2320: by default.
! 2321: .TP 18n
! 2322: visiblepw
! 2323: By default,
! 2324: \fBsudo\fR
! 2325: will refuse to run if the user must enter a password but it is not
! 2326: possible to disable echo on the terminal.
! 2327: If the
! 2328: \fIvisiblepw\fR
! 2329: flag is set,
! 2330: \fBsudo\fR
! 2331: will prompt for a password even when it would be visible on the screen.
! 2332: This makes it possible to run things like
! 2333: ``\fRssh somehost sudo ls\fR''
! 2334: since by default,
! 2335: ssh(1)
! 2336: does
! 2337: not allocate a tty when running a command.
! 2338: This flag is
! 2339: \fIoff\fR
! 2340: by default.
1.1 misho 2341: .PP
1.1.1.3 ! misho 2342: \fBIntegers\fR:
! 2343: .TP 18n
! 2344: closefrom
! 2345: Before it executes a command,
! 2346: \fBsudo\fR
! 2347: will close all open file descriptors other than standard input,
! 2348: standard output and standard error (i.e., file descriptors 0-2).
! 2349: The
! 2350: \fIclosefrom\fR
! 2351: option can be used to specify a different file descriptor at which
! 2352: to start closing.
! 2353: The default is
! 2354: \fR3\fR.
! 2355: .TP 18n
! 2356: passwd_tries
! 2357: The number of tries a user gets to enter his/her password before
! 2358: \fBsudo\fR
! 2359: logs the failure and exits.
! 2360: The default is
! 2361: \fR@passwd_tries@\fR.
! 2362: .PP
! 2363: \fBIntegers that can be used in a boolean context\fR:
! 2364: .TP 18n
! 2365: loglinelen
! 2366: Number of characters per line for the file log.
! 2367: This value is used to decide when to wrap lines for nicer log files.
! 2368: This has no effect on the syslog log file, only the file log.
! 2369: The default is
! 2370: \fR@loglen@\fR
! 2371: (use 0 or negate the option to disable word wrap).
! 2372: .TP 18n
! 2373: passwd_timeout
! 2374: Number of minutes before the
! 2375: \fBsudo\fR
! 2376: password prompt times out, or
! 2377: \fR0\fR
! 2378: for no timeout.
! 2379: The timeout may include a fractional component
! 2380: if minute granularity is insufficient, for example
! 2381: \fR2.5\fR.
! 2382: The
! 2383: default is
! 2384: \fR@password_timeout@\fR.
! 2385: .TP 18n
! 2386: timestamp_timeout
! 2387: .br
! 2388: Number of minutes that can elapse before
! 2389: \fBsudo\fR
! 2390: will ask for a password again.
! 2391: The timeout may include a fractional component if
! 2392: minute granularity is insufficient, for example
! 2393: \fR2.5\fR.
! 2394: The default is
! 2395: \fR@timeout@\fR.
! 2396: Set this to
! 2397: \fR0\fR
! 2398: to always prompt for a password.
! 2399: If set to a value less than
! 2400: \fR0\fR
! 2401: the user's time stamp will never expire.
! 2402: This can be used to allow users to create or delete their own time stamps via
! 2403: ``\fRsudo -v\fR''
! 2404: and
! 2405: ``\fRsudo -k\fR''
! 2406: respectively.
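The tty_tickets and timestamp_timeout rules above, worked through in Python as an added example that is not part of this manual or of sudo's own source. ticket_path() picks the per-tty stamp file or the per-user directory and ticket_valid() applies the 0 / negative / fractional-minute rules. The file naming details (stripping /dev/, turning the remaining slash into an underscore, appending ':' and the target user when targetpw is set) are assumptions made for illustration, not sudo's actual on-disk layout.

```python
# Added example (not sudo's code): where a sudoers time stamp ticket lives
# and whether it is still fresh.  File naming below is an assumption.
import os
from typing import Optional


def ticket_path(timestampdir: str, user: str, tty: Optional[str],
                tty_tickets: bool = True, targetpw: bool = False,
                runas_user: str = "root") -> str:
    """Return the stamp consulted for this invocation.

    With tty_tickets the stamp is a file named for the tty inside the
    user's directory, so a ticket earned on pts/0 does not authorise
    pts/1.  Without it the user's directory itself is the stamp.
    """
    user_dir = os.path.join(timestampdir, user)
    if not tty_tickets or not tty:
        # No terminal (cron, ssh without -t): nothing to name the file after,
        # so fall back to the per-user directory (assumption).
        return user_dir
    name = tty[len("/dev/"):] if tty.startswith("/dev/") else tty
    name = name.replace("/", "_")          # assumption: pts/0 -> pts_0
    if targetpw:
        name = f"{name}:{runas_user}"      # assumption: include target user
    return os.path.join(user_dir, name)


def ticket_valid(stamp_mtime: Optional[float], now: float,
                 timeout_minutes: float) -> bool:
    """Apply timestamp_timeout: 0 always prompts, a negative value never
    expires an existing stamp, anything else is an age limit in (possibly
    fractional) minutes.  A missing stamp always means 'prompt'."""
    if timeout_minutes == 0 or stamp_mtime is None:
        return False
    if timeout_minutes < 0:
        return True
    age = now - stamp_mtime
    if age < 0:
        # Stamp dated in the future (clock rolled back or tampering):
        # treat as expired rather than trusting it (assumption).
        return False
    return age <= timeout_minutes * 60.0


def needs_password(timestampdir: str, user: str, tty: Optional[str],
                   timeout_minutes: float, now: float,
                   stamp_mtimes: dict, **naming) -> bool:
    """Combine the two: look the stamp up in a constructed mtime table
    (stands in for stat(2)) and decide whether to prompt."""
    path = ticket_path(timestampdir, user, tty, **naming)
    return not ticket_valid(stamp_mtimes.get(path), now, timeout_minutes)
```

With tty_tickets off, a stamp refreshed from one terminal covers every other session of the same user until it ages out; with a negative timeout it covers them until the user runs sudo -k. That is the trade-off the two options above are making.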
! 2407: .TP 18n
! 2408: umask
! 2409: Umask to use when running the command.
! 2410: Negate this option or set it to 0777 to preserve the user's umask.
! 2411: The actual umask that is used will be the union of the user's umask
! 2412: and the value of the
! 2413: \fIumask\fR
! 2414: option, which defaults to
! 2415: \fR@sudo_umask@\fR.
! 2416: This guarantees
! 2417: that
! 2418: \fBsudo\fR
! 2419: never lowers the umask when running a command.
! 2420: Note: on systems that use PAM, the default PAM configuration may specify
! 2421: its own umask which will override the value set in
! 2422: \fIsudoers\fR.
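The umask_override flag and the umask option above, combined into one Python function as an added example (not part of the manual or of sudo's code). It treats a negated option as None, 0777 as the 'leave the user's umask alone' sentinel the text describes, and uses world_readable_risk() to show why enabling the override is a security decision: a sudoers umask looser than the user's own lets files created by the privileged command come out readable by everyone. The 0022 default stands in for @sudo_umask@ and is an assumption.

```python
# Added example (not sudo's code): the effective umask sudoers applies.
from typing import Optional

SUDOERS_DEFAULT_UMASK = 0o022   # stands in for @sudo_umask@; assumption


def effective_umask(user_umask: int, sudoers_umask: Optional[int],
                    umask_override: bool = False) -> int:
    """sudoers_umask is None when the option is negated ('!umask');
    0777 means 'preserve the user's umask' exactly as the manual says."""
    if sudoers_umask is None or sudoers_umask == 0o777:
        return user_umask
    if umask_override:
        # Trust sudoers even when it is more permissive than the user.
        return sudoers_umask
    # Union: every bit cleared by either side stays cleared, so the
    # command never gets a looser umask than the user already had.
    return user_umask | sudoers_umask


def resulting_mode(requested_mode: int, umask: int) -> int:
    """What a creat(2)/open(O_CREAT) with requested_mode yields under umask."""
    return requested_mode & ~umask & 0o777


def world_readable_risk(user_umask: int, sudoers_umask: Optional[int],
                        umask_override: bool) -> bool:
    """True when a file created with mode 0666 by the sudo-run command
    would be readable by 'other' although the user's own umask would
    have prevented that: the case umask_override makes possible."""
    mask = effective_umask(user_umask, sudoers_umask, umask_override)
    under_sudo = resulting_mode(0o666, mask) & 0o004
    under_user = resulting_mode(0o666, user_umask) & 0o004
    return under_sudo != 0 and under_user == 0
```

The PAM caveat in the text is outside what this models: on PAM systems the session modules may set a umask after sudoers has computed its value.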
! 2423: .PP
! 2424: \fBStrings\fR:
! 2425: .TP 18n
! 2426: badpass_message
1.1 misho 2427: Message that is displayed if a user enters an incorrect password.
1.1.1.3 ! misho 2428: The default is
! 2429: \fR@badpass_message@\fR
! 2430: unless insults are enabled.
! 2431: .TP 18n
! 2432: editor
! 2433: A colon
! 2434: (`:\&')
! 2435: separated list of editors allowed to be used with
! 2436: \fBvisudo\fR.
! 2437: \fBvisudo\fR
! 2438: will choose the editor that matches the user's
! 2439: \fREDITOR\fR
! 2440: environment variable if possible, or the first editor in the
! 2441: list that exists and is executable.
! 2442: The default is
! 2443: \fI@editor@\fR.
! 2444: .TP 18n
! 2445: iolog_dir
1.1 misho 2446: The top-level directory to use when constructing the path name for
1.1.1.3 ! misho 2447: the input/output log directory.
! 2448: Only used if the
! 2449: \fIlog_input\fR
! 2450: or
! 2451: \fIlog_output\fR
! 2452: options are enabled or when the
! 2453: \fRLOG_INPUT\fR
! 2454: or
! 2455: \fRLOG_OUTPUT\fR
! 2456: tags are present for a command.
! 2457: The session sequence number, if any, is stored in the directory.
! 2458: The default is
! 2459: \fI@iolog_dir@\fR.
! 2460: .sp
! 2461: The following percent
! 2462: (`%')
! 2463: escape sequences are supported:
! 2464: .RS
! 2465: .TP 6n
! 2466: \fR%{seq}\fR
! 2467: expanded to a monotonically increasing base-36 sequence number, such as 0100A5,
! 2468: where every two digits are used to form a new directory, e.g.\&
! 2469: \fI01/00/A5\fR
! 2470: .TP 6n
! 2471: \fR%{user}\fR
1.1 misho 2472: expanded to the invoking user's login name
1.1.1.3 ! misho 2473: .TP 6n
! 2474: \fR%{group}\fR
! 2475: expanded to the name of the invoking user's real group ID
! 2476: .TP 6n
! 2477: \fR%{runas_user}\fR
1.1 misho 2478: expanded to the login name of the user the command will
1.1.1.3 ! misho 2479: be run as (e.g.\& root)
! 2480: .TP 6n
! 2481: \fR%{runas_group}\fR
1.1 misho 2482: expanded to the group name of the user the command will
1.1.1.3 ! misho 2483: be run as (e.g.\& wheel)
! 2484: .TP 6n
! 2485: \fR%{hostname}\fR
1.1 misho 2486: expanded to the local host name without the domain name
1.1.1.3 ! misho 2487: .TP 6n
! 2488: \fR%{command}\fR
1.1 misho 2489: expanded to the base name of the command being run
1.1.1.3 ! misho 2490: .PP
! 2491: In addition, any escape sequences supported by the system's
! 2492: strftime(3)
1.1 misho 2493: function will be expanded.
1.1.1.3 ! misho 2494: .sp
! 2495: To include a literal
! 2496: `%'
! 2497: character, the string
! 2498: `%%'
! 2499: should be used.
! 2500: .PP
! 2501: .RE
! 2502: .PD 0
! 2503: .TP 18n
! 2504: iolog_file
! 2505: The path name, relative to
! 2506: \fIiolog_dir\fR,
! 2507: in which to store input/output logs when the
! 2508: \fIlog_input\fR
! 2509: or
! 2510: \fIlog_output\fR
! 2511: options are enabled or when the
! 2512: \fRLOG_INPUT\fR
! 2513: or
! 2514: \fRLOG_OUTPUT\fR
! 2515: tags are present for a command.
! 2516: Note that
! 2517: \fIiolog_file\fR
! 2518: may contain directory components.
! 2519: The default is
! 2520: ``\fR%{seq}\fR''.
! 2521: .sp
! 2522: See the
! 2523: \fIiolog_dir\fR
! 2524: option above for a list of supported percent
! 2525: (`%')
! 2526: escape sequences.
! 2527: .sp
1.1 misho 2528: In addition to the escape sequences, path names that end in six or
1.1.1.3 ! misho 2529: more
! 2530: \fRX\fRs
! 2531: will have the
! 2532: \fRX\fRs
! 2533: replaced with a unique combination of digits and letters, similar to the
! 2534: mktemp(3)
! 2535: function.
! 2536: .PD
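An added Python rendering of the iolog_dir and iolog_file expansion rules above; it is illustrative code, not sudo's own implementation. It covers the %{...} escapes, %% for a literal percent, the fall-through of other %-sequences to strftime(3), the two-digit directory split of the base-36 sequence number, and the trailing-X mktemp(3)-style suffix. Sequence numbers are padded to six base-36 digits as in the manual's 0100A5; the page does not say what happens beyond six digits, so padding to an even width there is this example's assumption.

```python
# Added example (not sudo's code): expand iolog_dir/iolog_file templates.
import os
import secrets
import string
import time
from typing import Optional

_BASE36 = string.digits + string.ascii_uppercase


def seq_to_path(seq: int) -> str:
    """Base-36, zero-padded to at least six digits, split two digits per
    directory: 0100A5 -> '01/00/A5'."""
    if seq < 0:
        raise ValueError("sequence number must be non-negative")
    digits = ""
    n = seq
    while n:
        n, r = divmod(n, 36)
        digits = _BASE36[r] + digits
    width = max(6, len(digits) + len(digits) % 2)   # even width; assumption past 6
    digits = digits.rjust(width, "0")
    return "/".join(digits[i:i + 2] for i in range(0, width, 2))


def expand_iolog(template: str, *, seq: int, user: str, group: str,
                 runas_user: str, runas_group: str, hostname: str,
                 command: str, now: Optional[float] = None) -> str:
    """Apply the sudoers escapes, then strftime(3) for anything else."""
    subst = {
        "%{seq}": seq_to_path(seq),
        "%{user}": user,
        "%{group}": group,
        "%{runas_user}": runas_user,
        "%{runas_group}": runas_group,
        "%{hostname}": hostname.split(".", 1)[0],   # without domain
        "%{command}": os.path.basename(command),
    }
    when = time.localtime(now)
    out = []
    i = 0
    while i < len(template):
        if template.startswith("%%", i):
            out.append("%")
            i += 2
            continue
        if template[i] == "%":
            for key, val in subst.items():
                if template.startswith(key, i):
                    out.append(val)
                    i += len(key)
                    break
            else:
                if i + 1 < len(template):
                    # Not a sudoers escape: hand the pair to strftime(3).
                    out.append(time.strftime(template[i:i + 2], when))
                    i += 2
                else:
                    out.append("%")
                    i += 1
            continue
        out.append(template[i])
        i += 1
    path = "".join(out)
    # Six or more trailing X's become a unique mktemp(3)-style suffix.
    stem = path.rstrip("X")
    n_x = len(path) - len(stem)
    if n_x >= 6:
        path = stem + "".join(secrets.choice(_BASE36) for _ in range(n_x))
    return path
```

Because %{user}, %{command} and the strftime escapes all feed into a path, a template that places user-controlled text (the command base name in particular) under a directory an unprivileged user can inspect is where to look when reviewing an iolog layout.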
! 2537: .TP 18n
! 2538: limitprivs
! 2539: The default Solaris limit privileges to use when constructing a new
! 2540: privilege set for a command.
! 2541: This bounds all privileges of the executing process.
! 2542: The default limit privileges may be overridden on a per-command basis in
! 2543: \fIsudoers\fR.
! 2544: This option is only available if
! 2545: \fBsudoers\fR
! 2546: is built on Solaris 10 or higher.
! 2547: .TP 18n
! 2548: mailsub
! 2549: Subject of the mail sent to the
! 2550: \fImailto\fR
! 2551: user.
! 2552: The escape
! 2553: \fR%h\fR
1.1 misho 2554: will expand to the host name of the machine.
1.1.1.3 ! misho 2555: Default is
! 2556: ``\fR@mailsub@\fR''.
! 2557: .TP 18n
! 2558: noexec_file
! 2559: This option is no longer supported.
! 2560: The path to the noexec file should now be set in the
! 2561: \fI@sysconfdir@/sudo.conf\fR
! 2562: file.
! 2563: .TP 18n
! 2564: passprompt
! 2565: The default prompt to use when asking for a password; can be overridden via the
! 2566: \fB\-p\fR
! 2567: option or the
! 2568: \fRSUDO_PROMPT\fR
! 2569: environment variable.
! 2570: The following percent
! 2571: (`%')
! 2572: escape sequences are supported:
! 2573: .RS
! 2574: .TP 6n
! 2575: \fR%H\fR
1.1 misho 2576: expanded to the local host name including the domain name
1.1.1.3 ! misho 2577: (only if the machine's host name is fully qualified or the
! 2578: \fIfqdn\fR
1.1 misho 2579: option is set)
1.1.1.3 ! misho 2580: .TP 6n
! 2581: \fR%h\fR
1.1 misho 2582: expanded to the local host name without the domain name
1.1.1.3 ! misho 2583: .TP 6n
! 2584: \fR%p\fR
! 2585: expanded to the user whose password is being asked for (respects the
! 2586: \fIrootpw\fR,
! 2587: \fItargetpw\fR
! 2588: and
! 2589: \fIrunaspw\fR
! 2590: flags in
! 2591: \fIsudoers\fR)
! 2592: .TP 6n
! 2593: \fR\&%U\fR
1.1 misho 2594: expanded to the login name of the user the command will
2595: be run as (defaults to root)
1.1.1.3 ! misho 2596: .TP 6n
! 2597: \fR%u\fR
1.1 misho 2598: expanded to the invoking user's login name
1.1.1.3 ! misho 2599: .TP 6n
! 2600: \fR%%\fR
! 2601: two consecutive
! 2602: \fR%\fR
! 2603: characters are collapsed into a single
! 2604: \fR%\fR
! 2605: character
! 2606: .PP
! 2607: The default value is
! 2608: ``\fR@passprompt@\fR''.
! 2609: .PP
! 2610: .RE
! 2611: .PD 0
! 2612: .TP 18n
! 2613: privs
! 2614: The default Solaris privileges to use when constructing a new
! 2615: privilege set for a command.
! 2616: This is passed to the executing process via the inherited privilege set,
! 2617: but is bounded by the limit privileges.
! 2618: If the
! 2619: \fIprivs\fR
! 2620: option is specified but the
! 2621: \fIlimitprivs\fR
! 2622: option is not, the limit privileges of the executing process are set to
! 2623: \fIprivs\fR.
! 2624: The default privileges may be overridden on a per-command basis in
! 2625: \fIsudoers\fR.
! 2626: This option is only available if
! 2627: \fBsudoers\fR
! 2628: is built on Solaris 10 or higher.
! 2629: .PD
! 2630: .TP 18n
! 2631: role
1.1 misho 2632: The default SELinux role to use when constructing a new security
1.1.1.3 ! misho 2633: context to run the command.
! 2634: The default role may be overridden on a per-command basis in
! 2635: \fIsudoers\fR
! 2636: or via command line options.
! 2637: This option is only available when
! 2638: \fBsudo\fR
! 2639: is built with SELinux support.
! 2640: .TP 18n
! 2641: runas_default
! 2642: The default user to run commands as if the
! 2643: \fB\-u\fR
! 2644: option is not specified on the command line.
! 2645: This defaults to
! 2646: \fR@runas_default@\fR.
! 2647: .TP 18n
! 2648: syslog_badpri
1.1 misho 2649: Syslog priority to use when user authenticates unsuccessfully.
1.1.1.3 ! misho 2650: Defaults to
! 2651: \fR@badpri@\fR.
! 2652: .sp
! 2653: The following syslog priorities are supported:
! 2654: \fBalert\fR,
! 2655: \fBcrit\fR,
! 2656: \fBdebug\fR,
! 2657: \fBemerg\fR,
! 2658: \fBerr\fR,
! 2659: \fBinfo\fR,
! 2660: \fBnotice\fR,
! 2661: and
! 2662: \fBwarning\fR.
! 2663: .TP 18n
! 2664: syslog_goodpri
1.1 misho 2665: Syslog priority to use when user authenticates successfully.
1.1.1.3 ! misho 2666: Defaults to
! 2667: \fR@goodpri@\fR.
! 2668: .sp
! 2669: See
! 2670: \fIsyslog_badpri\fR
! 2671: for the list of supported syslog priorities.
! 2672: .TP 18n
! 2673: sudoers_locale
1.1 misho 2674: Locale to use when parsing the sudoers file, logging commands, and
1.1.1.3 ! misho 2675: sending email.
! 2676: Note that changing the locale may affect how sudoers is interpreted.
! 2677: Defaults to
! 2678: ``\fRC\fR''.
! 2679: .TP 18n
! 2680: timestampdir
! 2681: The directory in which
! 2682: \fBsudo\fR
! 2683: stores its time stamp files.
! 2684: The default is
! 2685: \fI@timedir@\fR.
! 2686: .TP 18n
! 2687: timestampowner
! 2688: The owner of the time stamp directory and the time stamps stored therein.
! 2689: The default is
! 2690: \fRroot\fR.
! 2691: .TP 18n
! 2692: type
1.1 misho 2693: The default SELinux type to use when constructing a new security
1.1.1.3 ! misho 2694: context to run the command.
! 2695: The default type may be overridden on a per-command basis in
! 2696: \fIsudoers\fR
! 2697: or via command line options.
! 2698: This option is only available when
! 2699: \fBsudo\fR
! 2700: is built with SELinux support.
! 2701: .PP
! 2702: \fBStrings that can be used in a boolean context\fR:
! 2703: .TP 14n
! 2704: env_file
! 2705: The
! 2706: \fIenv_file\fR
! 2707: option specifies the fully qualified path to a file containing variables
! 2708: to be set in the environment of the program being run.
! 2709: Entries in this file should either be of the form
! 2710: ``\fRVARIABLE=value\fR''
! 2711: or
! 2712: ``\fRexport VARIABLE=value\fR''.
! 2713: The value may optionally be surrounded by single or double quotes.
! 2714: Variables in this file are subject to other
! 2715: \fBsudo\fR
! 2716: environment settings such as
! 2717: \fIenv_keep\fR
! 2718: and
! 2719: \fIenv_check\fR.
! 2720: .TP 14n
! 2721: exempt_group
! 2722: Users in this group are exempt from password and PATH requirements.
! 2723: The group name specified should not include a
! 2724: \fR%\fR
! 2725: prefix.
1.1 misho 2726: This is not set by default.
1.1.1.3 ! misho 2727: .TP 14n
! 2728: group_plugin
! 2729: A string containing a
! 2730: \fIsudoers\fR
! 2731: group plugin with optional arguments.
! 2732: This can be used to implement support for the
! 2733: \fRnonunix_group\fR
! 2734: syntax described earlier.
! 2735: The string should consist of the plugin
! 2736: path, either fully-qualified or relative to the
! 2737: \fI@prefix@/libexec\fR
! 2738: directory, followed by any configuration arguments the plugin requires.
! 2739: These arguments (if any) will be passed to the plugin's initialization function.
! 2740: If arguments are present, the string must be enclosed in double quotes
! 2741: (\&"").
! 2742: .sp
! 2743: For example, given
! 2744: \fI/etc/sudo-group\fR,
! 2745: a group file in Unix group format, the sample group plugin can be used:
! 2746: .RS
! 2747: .nf
! 2748: .sp
! 2749: .RS 0n
! 2750: Defaults group_plugin="sample_group.so /etc/sudo-group"
! 2751: .RE
! 2752: .fi
! 2753: .sp
! 2754: For more information see
! 2755: sudo_plugin(@mansectform@).
! 2756: .PP
! 2757: .RE
! 2758: .PD 0
! 2759: .TP 14n
! 2760: lecture
1.1 misho 2761: This option controls when a short lecture will be printed along with
1.1.1.3 ! misho 2762: the password prompt.
! 2763: It has the following possible values:
! 2764: .RS
! 2765: .PD
! 2766: .TP 8n
! 2767: always
1.1 misho 2768: Always lecture the user.
1.1.1.3 ! misho 2769: .TP 8n
! 2770: never
1.1 misho 2771: Never lecture the user.
1.1.1.3 ! misho 2772: .TP 8n
! 2773: once
! 2774: Only lecture the user the first time they run
! 2775: \fBsudo\fR.
! 2776: .PP
! 2777: If no value is specified, a value of
! 2778: \fIonce\fR
! 2779: is implied.
! 2780: Negating the option results in a value of
! 2781: \fInever\fR
! 2782: being used.
! 2783: The default value is
! 2784: \fI@lecture@\fR.
! 2785: .PP
! 2786: .RE
! 2787: .PD 0
! 2788: .TP 14n
! 2789: lecture_file
! 2790: Path to a file containing an alternate
! 2791: \fBsudo\fR
! 2792: lecture that will be used in place of the standard lecture if the named
! 2793: file exists.
! 2794: By default,
! 2795: \fBsudo\fR
! 2796: uses a built-in lecture.
! 2797: .PD
! 2798: .TP 14n
! 2799: listpw
! 2800: This option controls when a password will be required when a user runs
! 2801: \fBsudo\fR
! 2802: with the
! 2803: \fB\-l\fR
! 2804: option.
! 2805: It has the following possible values:
! 2806: .RS
! 2807: .TP 10n
! 2808: all
! 2809: All the user's
! 2810: \fIsudoers\fR
! 2811: entries for the current host must have
! 2812: the
! 2813: \fRNOPASSWD\fR
! 2814: flag set to avoid entering a password.
! 2815: .TP 10n
! 2816: always
! 2817: The user must always enter a password to use the
! 2818: \fB\-l\fR
! 2819: option.
! 2820: .TP 10n
! 2821: any
! 2822: At least one of the user's
! 2823: \fIsudoers\fR
! 2824: entries for the current host
! 2825: must have the
! 2826: \fRNOPASSWD\fR
! 2827: flag set to avoid entering a password.
! 2828: .TP 10n
! 2829: never
! 2830: The user need never enter a password to use the
! 2831: \fB\-l\fR
! 2832: option.
! 2833: .PP
! 2834: If no value is specified, a value of
! 2835: \fIany\fR
! 2836: is implied.
! 2837: Negating the option results in a value of
! 2838: \fInever\fR
! 2839: being used.
! 2840: The default value is
! 2841: \fIany\fR.
! 2842: .PP
! 2843: .RE
! 2844: .PD 0
! 2845: .TP 14n
! 2846: logfile
! 2847: Path to the
! 2848: \fBsudo\fR
! 2849: log file (not the syslog log file).
! 2850: Setting a path turns on logging to a file;
! 2851: negating this option turns it off.
! 2852: By default,
! 2853: \fBsudo\fR
! 2854: logs via syslog.
! 2855: .PD
! 2856: .TP 14n
! 2857: mailerflags
! 2858: Flags to use when invoking the mailer. Defaults to
! 2859: \fB\-t\fR.
! 2860: .TP 14n
! 2861: mailerpath
1.1 misho 2862: Path to mail program used to send warning mail.
2863: Defaults to the path to sendmail found at configure time.
1.1.1.3 ! misho 2864: .TP 14n
! 2865: mailfrom
! 2866: Address to use for the
! 2867: ``from''
! 2868: address when sending warning and error mail.
! 2869: The address should be enclosed in double quotes
! 2870: (\&"")
! 2871: to protect against
! 2872: \fBsudo\fR
! 2873: interpreting the
! 2874: \fR@\fR
! 2875: sign.
! 2876: Defaults to the name of the user running
! 2877: \fBsudo\fR.
! 2878: .TP 14n
! 2879: mailto
! 2880: Address to send warning and error mail to.
! 2881: The address should be enclosed in double quotes
! 2882: (\&"")
! 2883: to protect against
! 2884: \fBsudo\fR
! 2885: interpreting the
! 2886: \fR@\fR
! 2887: sign.
! 2888: Defaults to
! 2889: \fR@mailto@\fR.
! 2890: .TP 14n
! 2891: secure_path
! 2892: Path used for every command run from
! 2893: \fBsudo\fR.
! 2894: If you don't trust the
! 2895: people running
! 2896: \fBsudo\fR
! 2897: to have a sane
! 2898: \fRPATH\fR
! 2899: environment variable you may want to use this.
! 2900: Another use is if you want to have the
! 2901: ``root path''
! 2902: be separate from the
! 2903: ``user path''.
! 2904: Users in the group specified by the
! 2905: \fIexempt_group\fR
! 2906: option are not affected by
! 2907: \fIsecure_path\fR.
1.1 misho 2908: This option is @secure_path@ by default.
1.1.1.3 ! misho 2909: .TP 14n
! 2910: syslog
1.1 misho 2911: Syslog facility if syslog is being used for logging (negate to
1.1.1.3 ! misho 2912: disable syslog logging).
! 2913: Defaults to
! 2914: \fR@logfac@\fR.
! 2915: .sp
! 2916: The following syslog facilities are supported:
! 2917: \fBauthpriv\fR
! 2918: (if your
! 2919: OS supports it),
! 2920: \fBauth\fR,
! 2921: \fBdaemon\fR,
! 2922: \fBuser\fR,
! 2923: \fBlocal0\fR,
! 2924: \fBlocal1\fR,
! 2925: \fBlocal2\fR,
! 2926: \fBlocal3\fR,
! 2927: \fBlocal4\fR,
! 2928: \fBlocal5\fR,
! 2929: \fBlocal6\fR,
! 2930: and
! 2931: \fBlocal7\fR.
! 2932: .TP 14n
! 2933: verifypw
1.1 misho 2934: This option controls when a password will be required when a user runs
1.1.1.3 ! misho 2935: \fBsudo\fR
! 2936: with the
! 2937: \fB\-v\fR
! 2938: option.
! 2939: It has the following possible values:
! 2940: .RS
! 2941: .TP 8n
! 2942: all
! 2943: All the user's
! 2944: \fIsudoers\fR
! 2945: entries for the current host must have the
! 2946: \fRNOPASSWD\fR
! 2947: flag set to avoid entering a password.
! 2948: .TP 8n
! 2949: always
! 2950: The user must always enter a password to use the
! 2951: \fB\-v\fR
! 2952: option.
! 2953: .TP 8n
! 2954: any
! 2955: At least one of the user's
! 2956: \fIsudoers\fR
! 2957: entries for the current host must have the
! 2958: \fRNOPASSWD\fR
! 2959: flag set to avoid entering a password.
! 2960: .TP 8n
! 2961: never
! 2962: The user need never enter a password to use the
! 2963: \fB\-v\fR
! 2964: option.
! 2965: .PP
! 2966: If no value is specified, a value of
! 2967: \fIall\fR
! 2968: is implied.
! 2969: Negating the option results in a value of
! 2970: \fInever\fR
! 2971: being used.
! 2972: The default value is
! 2973: \fIall\fR.
! 2974: .RE
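The listpw and verifypw decision, as an added Python example (not part of the manual or of sudo's source). parse_pw_option() implements the bare, negated and explicit forms of the Defaults setting with the two different implied values the text gives, and password_required() applies all/any/always/never to the NOPASSWD flags of the user's entries for the host. What happens when the user has no matching entries at all is not stated above; requiring a password in that case is this example's assumption.

```python
# Added example (not sudo's code): listpw / verifypw semantics.
from typing import Iterable

IMPLIED = {"listpw": "any", "verifypw": "all"}   # bare option, per the manual
VALUES = ("all", "always", "any", "never")


def parse_pw_option(defaults_token: str) -> tuple:
    """Parse one Defaults token: 'listpw', '!verifypw', 'verifypw=any'."""
    token = defaults_token.strip()
    negated = token.startswith("!")
    if negated:
        token = token[1:].strip()
    name, eq, value = token.partition("=")
    if name not in IMPLIED:
        raise ValueError(f"not a listpw/verifypw option: {defaults_token!r}")
    if negated:
        if eq:
            raise ValueError("a negated option takes no value")
        return name, "never"
    if not eq:
        return name, IMPLIED[name]
    value = value.strip().strip('"')
    if value not in VALUES:
        raise ValueError(f"bad value {value!r} for {name}")
    return name, value


def password_required(mode: str, entries_nopasswd: Iterable[bool]) -> bool:
    """entries_nopasswd: for each sudoers entry matching this user on
    this host, whether it carries the NOPASSWD tag."""
    flags = list(entries_nopasswd)
    if mode == "never":
        return False
    if mode == "always":
        return True
    if not flags:
        return True   # assumption: no matching entries, still ask
    if mode == "all":
        return not all(flags)
    if mode == "any":
        return not any(flags)
    raise ValueError(f"unknown mode {mode!r}")


def sudo_v_needs_password(defaults_token: str,
                          entries_nopasswd: Iterable[bool]) -> bool:
    """Evaluate a verifypw Defaults token against the user's entries."""
    name, mode = parse_pw_option(defaults_token)
    if name != "verifypw":
        raise ValueError("expected a verifypw token")
    return password_required(mode, entries_nopasswd)
```

Note the asymmetry the manual spells out: a bare Defaults listpw means any, a bare Defaults verifypw means all, so a single NOPASSWD entry is enough to list privileges without a password but not enough to pass sudo -v.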
! 2975: .PP
! 2976: \fBLists that can be used in a boolean context\fR:
! 2977: .TP 18n
! 2978: env_check
1.1 misho 2979: Environment variables to be removed from the user's environment if
1.1.1.3 ! misho 2980: the variable's value contains
! 2981: `%'
! 2982: or
! 2983: `/'
! 2984: characters.
! 2985: This can be used to guard against printf-style format vulnerabilities
! 2986: in poorly-written programs.
! 2987: The argument may be a double-quoted, space-separated list or a
! 2988: single value without double-quotes.
! 2989: The list can be replaced, added to, deleted from, or disabled by using
! 2990: the
! 2991: \fR=\fR,
! 2992: \fR+=\fR,
! 2993: \fR-=\fR,
! 2994: and
! 2995: \fR\&!\fR
! 2996: operators respectively.
! 2997: Regardless of whether the
! 2998: \fRenv_reset\fR
! 2999: option is enabled or disabled, variables specified by
! 3000: \fRenv_check\fR
! 3001: will be preserved in the environment if they pass the aforementioned check.
! 3002: The default list of environment variables to check is displayed when
! 3003: \fBsudo\fR
! 3004: is run by root with
! 3005: the
! 3006: \fB\-V\fR
! 3007: option.
! 3008: .TP 18n
! 3009: env_delete
! 3010: Environment variables to be removed from the user's environment when the
! 3011: \fIenv_reset\fR
! 3012: option is not in effect.
! 3013: The argument may be a double-quoted, space-separated list or a
! 3014: single value without double-quotes.
! 3015: The list can be replaced, added to, deleted from, or disabled by using the
! 3016: \fR=\fR,
! 3017: \fR+=\fR,
! 3018: \fR-=\fR,
! 3019: and
! 3020: \fR\&!\fR
! 3021: operators respectively.
! 3022: The default list of environment variables to remove is displayed when
! 3023: \fBsudo\fR
! 3024: is run by root with the
! 3025: \fB\-V\fR
! 3026: option.
1.1 misho 3027: Note that many operating systems will remove potentially dangerous
3028: variables from the environment of any setuid process (such as
1.1.1.3 ! misho 3029: \fBsudo\fR).
! 3030: .TP 18n
! 3031: env_keep
! 3032: Environment variables to be preserved in the user's environment when the
! 3033: \fIenv_reset\fR
! 3034: option is in effect.
! 3035: This allows fine-grained control over the environment
! 3036: \fBsudo\fR-spawned
! 3037: processes will receive.
1.1 misho 3038: The argument may be a double-quoted, space-separated list or a
1.1.1.3 ! misho 3039: single value without double-quotes.
! 3040: The list can be replaced, added to, deleted from, or disabled by using the
! 3041: \fR=\fR,
! 3042: \fR+=\fR,
! 3043: \fR-=\fR,
! 3044: and
! 3045: \fR\&!\fR
! 3046: operators respectively.
! 3047: The default list of variables to keep
! 3048: is displayed when
! 3049: \fBsudo\fR
! 3050: is run by root with the
! 3051: \fB\-V\fR
! 3052: option.
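The env_check, env_delete and env_keep rules above as an added Python example (not part of this manual or of sudo's code), run over a constructed environment. Names are matched exactly; the minimal environment sudo always supplies and any wildcard matching are left out, so this models only the three lists as the text describes them.

```python
# Added example (not sudo's code): apply env_keep / env_check / env_delete.
from typing import Dict, Iterable, List

_UNSAFE = ("%", "/")   # env_check rejects values containing either


def passes_env_check(value: str) -> bool:
    return not any(ch in value for ch in _UNSAFE)


def filter_environment(env: Dict[str, str], *, env_reset: bool = True,
                       env_keep: Iterable[str] = (),
                       env_check: Iterable[str] = (),
                       env_delete: Iterable[str] = ()) -> Dict[str, str]:
    keep, check, delete = set(env_keep), set(env_check), set(env_delete)
    out: Dict[str, str] = {}
    for name, value in env.items():
        if env_reset:
            # Start empty; only env_keep names and clean env_check names survive.
            if name in keep or (name in check and passes_env_check(value)):
                out[name] = value
        else:
            # Start full; drop env_delete names and dirty env_check names.
            if name in delete:
                continue
            if name in check and not passes_env_check(value):
                continue
            out[name] = value
    return out


# Constructed sample environment (not a real capture), with two values
# that a sane policy should strip.
SAMPLE_ENV = {
    "PATH": "/usr/local/bin:/usr/bin",
    "TERM": "xterm",
    "HOME": "/home/alice",
    "TZ": "UTC",
    "COLORTERM": "%s%s%n",          # printf-style payload: fails env_check
    "LD_PRELOAD": "/tmp/evil.so",   # never wanted across a privilege boundary
}


def removed_names(env: Dict[str, str], **policy) -> List[str]:
    """Which variables the policy strips: what a reviewer wants to see."""
    kept = filter_environment(env, **policy)
    return sorted(set(env) - set(kept))
```

The second mode is the one to be careful with: with env_reset disabled, anything not explicitly named in env_delete or caught by env_check reaches the privileged command unchanged.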
! 3053: .SH "LOG FORMAT"
! 3054: \fBsudoers\fR
! 3055: can log events using either
! 3056: syslog(3)
! 3057: or a simple log file.
! 3058: In each case the log format is almost identical.
! 3059: .SS "Accepted command log entries"
! 3060: Commands that sudo runs are logged using the following format (split
! 3061: into multiple lines for readability):
! 3062: .nf
! 3063: .sp
! 3064: .RS 4n
! 3065: date hostname progname: username : TTY=ttyname ; PWD=cwd ; \e
! 3066: USER=runasuser ; GROUP=runasgroup ; TSID=logid ; \e
! 3067: ENV=env_vars COMMAND=command
! 3068: .RE
! 3069: .fi
! 3070: .PP
! 3071: Where the fields are as follows:
! 3072: .TP 14n
! 3073: date
! 3074: The date the command was run.
! 3075: Typically, this is in the format
! 3076: ``MMM, DD, HH:MM:SS''.
! 3077: If logging via
! 3078: syslog(3),
! 3079: the actual date format is controlled by the syslog daemon.
! 3080: If logging to a file and the
! 3081: \fIlog_year\fR
! 3082: option is enabled,
! 3083: the date will also include the year.
! 3084: .TP 14n
! 3085: hostname
! 3086: The name of the host
! 3087: \fBsudo\fR
! 3088: was run on.
! 3089: This field is only present when logging via
! 3090: syslog(3).
! 3091: .TP 14n
! 3092: progname
! 3093: The name of the program, usually
! 3094: \fIsudo\fR
! 3095: or
! 3096: \fIsudoedit\fR.
! 3097: This field is only present when logging via
! 3098: syslog(3).
! 3099: .TP 14n
! 3100: username
! 3101: The login name of the user who ran
! 3102: \fBsudo\fR.
! 3103: .TP 14n
! 3104: ttyname
! 3105: The short name of the terminal (e.g.\&
! 3106: ``console'',
! 3107: ``tty01'',
! 3108: or
! 3109: ``pts/0'')
! 3110: \fBsudo\fR
! 3111: was run on, or
! 3112: ``unknown''
! 3113: if there was no terminal present.
! 3114: .TP 14n
! 3115: cwd
! 3116: The current working directory that
! 3117: \fBsudo\fR
! 3118: was run in.
! 3119: .TP 14n
! 3120: runasuser
! 3121: The user the command was run as.
! 3122: .TP 14n
! 3123: runasgroup
! 3124: The group the command was run as if one was specified on the command line.
! 3125: .TP 14n
! 3126: logid
! 3127: An I/O log identifier that can be used to replay the command's output.
! 3128: This is only present when the
! 3129: \fIlog_input\fR
! 3130: or
! 3131: \fIlog_output\fR
! 3132: option is enabled.
! 3133: .TP 14n
! 3134: env_vars
! 3135: A list of environment variables specified on the command line,
! 3136: if specified.
! 3137: .TP 14n
! 3138: command
! 3139: The actual command that was executed.
! 3140: .PP
! 3141: Messages are logged using the locale specified by
! 3142: \fIsudoers_locale\fR,
! 3143: which defaults to the
! 3144: ``\fRC\fR''
! 3145: locale.
! 3146: .SS "Denied command log entries"
! 3147: If the user is not allowed to run the command, the reason for the denial
! 3148: will follow the user name.
! 3149: Possible reasons include:
! 3150: .TP 3n
! 3151: user NOT in sudoers
! 3152: The user is not listed in the
! 3153: \fIsudoers\fR
! 3154: file.
! 3155: .TP 3n
! 3156: user NOT authorized on host
! 3157: The user is listed in the
! 3158: \fIsudoers\fR
! 3159: file but is not allowed to run commands on the host.
! 3160: .TP 3n
! 3161: command not allowed
! 3162: The user is listed in the
! 3163: \fIsudoers\fR
! 3164: file for the host but they are not allowed to run the specified command.
! 3165: .TP 3n
! 3166: 3 incorrect password attempts
! 3167: The user failed to enter their password after 3 tries.
! 3168: The actual number of tries will vary based on the number of
! 3169: failed attempts and the value of the
! 3170: \fIpasswd_tries\fR
! 3171: option.
! 3172: .TP 3n
! 3173: a password is required
! 3174: \fBsudo\fR's
! 3175: \fB\-n\fR
! 3176: option was specified but a password was required.
! 3177: .TP 3n
! 3178: sorry, you are not allowed to set the following environment variables
! 3179: The user specified environment variables on the command line that
! 3180: were not allowed by
! 3181: \fIsudoers\fR.
! 3182: .SS "Error log entries"
! 3183: If an error occurs,
! 3184: \fBsudoers\fR
! 3185: will log a message and, in most cases, send a message to the
! 3186: administrator via email.
! 3187: Possible errors include:
! 3188: .TP 3n
! 3189: parse error in @sysconfdir@/sudoers near line N
! 3190: \fBsudoers\fR
! 3191: encountered an error when parsing the specified file.
! 3192: In some cases, the actual error may be one line above or below the
! 3193: line number listed, depending on the type of error.
! 3194: .TP 3n
! 3195: problem with defaults entries
! 3196: The
! 3197: \fIsudoers\fR
! 3198: file contains one or more unknown Defaults settings.
! 3199: This does not prevent
! 3200: \fBsudo\fR
! 3201: from running, but the
! 3202: \fIsudoers\fR
! 3203: file should be checked using
! 3204: \fBvisudo\fR.
! 3205: .TP 3n
! 3206: timestamp owner (username): \&No such user
! 3207: The time stamp directory owner, as specified by the
! 3208: \fItimestampowner\fR
! 3209: setting, could not be found in the password database.
! 3210: .TP 3n
! 3211: unable to open/read @sysconfdir@/sudoers
! 3212: The
! 3213: \fIsudoers\fR
! 3214: file could not be opened for reading.
! 3215: This can happen when the
! 3216: \fIsudoers\fR
! 3217: file is located on a remote file system that maps user ID 0 to
! 3218: a different value.
! 3219: Normally,
! 3220: \fBsudoers\fR
! 3221: tries to open
! 3222: \fIsudoers\fR
! 3223: using group permissions to avoid this problem.
! 3224: Consider changing the ownership of
! 3225: \fI@sysconfdir@/sudoers\fR
! 3226: by adding an option like
! 3227: ``sudoers_uid=N''
! 3228: (where
! 3229: `N'
! 3230: is the user ID that owns the
! 3231: \fIsudoers\fR
! 3232: file) to the
! 3233: \fBsudoers\fR
! 3234: plugin line in the
! 3235: \fI@sysconfdir@/sudo.conf\fR
! 3236: file.
! 3237: .TP 3n
! 3238: unable to stat @sysconfdir@/sudoers
! 3239: The
! 3240: \fI@sysconfdir@/sudoers\fR
! 3241: file is missing.
! 3242: .TP 3n
! 3243: @sysconfdir@/sudoers is not a regular file
! 3244: The
! 3245: \fI@sysconfdir@/sudoers\fR
! 3246: file exists but is not a regular file or symbolic link.
! 3247: .TP 3n
! 3248: @sysconfdir@/sudoers is owned by uid N, should be 0
! 3249: The
! 3250: \fIsudoers\fR
! 3251: file has the wrong owner.
! 3252: If you wish to change the
! 3253: \fIsudoers\fR
! 3254: file owner, please add
! 3255: ``sudoers_uid=N''
! 3256: (where
! 3257: `N'
! 3258: is the user ID that owns the
! 3259: \fIsudoers\fR
! 3260: file) to the
! 3261: \fBsudoers\fR
! 3262: plugin line in the
! 3263: \fI@sysconfdir@/sudo.conf\fR
! 3264: file.
! 3265: .TP 3n
! 3266: @sysconfdir@/sudoers is world writable
! 3267: The permissions on the
! 3268: \fIsudoers\fR
! 3269: file allow all users to write to it.
! 3270: The
! 3271: \fIsudoers\fR
! 3272: file must not be world-writable; the default file mode
! 3273: is 0440 (readable by owner and group, writable by none).
! 3274: The default mode may be changed via the
! 3275: ``sudoers_mode''
! 3276: option to the
! 3277: \fBsudoers\fR
! 3278: plugin line in the
! 3279: \fI@sysconfdir@/sudo.conf\fR
! 3280: file.
! 3281: .TP 3n
! 3282: @sysconfdir@/sudoers is owned by gid N, should be 1
! 3283: The
! 3284: \fIsudoers\fR
! 3285: file has the wrong group ownership.
! 3286: If you wish to change the
! 3287: \fIsudoers\fR
! 3288: file group ownership, please add
! 3289: ``sudoers_gid=N''
! 3290: (where
! 3291: `N'
! 3292: is the group ID that owns the
! 3293: \fIsudoers\fR
! 3294: file) to the
! 3295: \fBsudoers\fR
! 3296: plugin line in the
! 3297: \fI@sysconfdir@/sudo.conf\fR
! 3298: file.
! 3299: .TP 3n
! 3300: unable to open @timedir@/username/ttyname
! 3301: \fIsudoers\fR
! 3302: was unable to read or create the user's time stamp file.
! 3303: .TP 3n
! 3304: unable to write to @timedir@/username/ttyname
! 3305: \fIsudoers\fR
! 3306: was unable to write to the user's time stamp file.
! 3307: .TP 3n
! 3308: unable to mkdir to @timedir@/username
! 3309: \fIsudoers\fR
! 3310: was unable to create the user's time stamp directory.
! 3311: .SS "Notes on logging via syslog"
! 3312: By default,
! 3313: \fIsudoers\fR
! 3314: logs messages via
! 3315: syslog(3).
! 3316: The
! 3317: \fIdate\fR,
! 3318: \fIhostname\fR,
! 3319: and
! 3320: \fIprogname\fR
! 3321: fields are added by the syslog daemon, not
! 3322: \fIsudoers\fR
! 3323: itself.
! 3324: As such, they may vary in format on different systems.
! 3325: .PP
! 3326: On most systems,
! 3327: syslog(3)
! 3328: has a relatively small log buffer.
! 3329: To prevent the command line arguments from being truncated,
! 3330: \fBsudoers\fR
! 3331: will split up log messages that are larger than 960 characters
! 3332: (not including the date, hostname, and the string
! 3333: ``sudo'').
! 3334: When a message is split, additional parts will include the string
! 3335: ``(command continued)''
! 3336: after the user name and before the continued command line arguments.
! 3337: .SS "Notes on logging to a file"
! 3338: If the
! 3339: \fIlogfile\fR
! 3340: option is set,
! 3341: \fIsudoers\fR
! 3342: will log to a local file, such as
! 3343: \fI/var/log/sudo\fR.
! 3344: When logging to a file,
! 3345: \fIsudoers\fR
! 3346: uses a format similar to
! 3347: syslog(3),
! 3348: with a few important differences:
! 3349: .TP 5n
! 3350: 1.
! 3351: The
! 3352: \fIprogname\fR
! 3353: and
! 3354: \fIhostname\fR
! 3355: fields are not present.
! 3356: .TP 5n
! 3357: 2.
! 3358: If the
! 3359: \fIlog_year\fR
! 3360: option is enabled,
! 3361: the date will also include the year.
! 3362: .TP 5n
! 3363: 3.
! 3364: Lines that are longer than
! 3365: \fIloglinelen\fR
! 3366: characters (80 by default) are word-wrapped and continued on the
! 3367: next line with a four character indent.
! 3368: This makes entries easier to read for a human being, but makes it
! 3369: more difficult to use
! 3370: grep(1)
! 3371: on the log files.
! 3372: If the
! 3373: \fIloglinelen\fR
! 3374: option is set to 0 (or negated with a
! 3375: `\&!'),
! 3376: word wrap will be disabled.
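The following Python parses entries in both formats described above, rejoining split syslog messages and word-wrapped logfile lines; it is an added example, not code from the sudo project or this manual. The key names TTY, PWD, USER, GROUP, TSID, ENV and COMMAND are the ones sudo writes for the ttyname, cwd, runasuser, runasgroup, logid, env_vars and command fields, and the log lines are constructed.

```python
"""Parse sudoers log entries in syslog and logfile format (added example,
not code from the sudo project). The key names TTY, PWD, USER, GROUP,
TSID, ENV and COMMAND are the ones sudo writes for the ttyname, cwd,
runasuser, runasgroup, logid, env_vars and command fields; sample lines
are constructed.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed syslog lines: date, hostname and progname were added by the
# syslog daemon; the third entry was split by sudoers and continued.
SYSLOG_SAMPLE = """\
Jul 16 10:53:44 anchor sudo:  millert : TTY=pts/0 ; PWD=/home/millert ; USER=root ; COMMAND=/usr/bin/ls /etc
Jul 16 10:54:02 anchor sudo:     jack : command not allowed ; TTY=pts/1 ; PWD=/home/jack ; USER=root ; COMMAND=/usr/bin/su
Jul 16 10:55:10 anchor sudo:     lisa : TTY=pts/2 ; PWD=/tmp ; USER=root ; GROUP=wheel ; TSID=000001 ; ENV=TZ=UTC ; COMMAND=/usr/bin/tar cf /backup/home.tar /home/lisa
Jul 16 10:55:10 anchor sudo:     lisa : (command continued) /home/jack /home/millert
Jul 16 10:56:30 anchor sudo:    bogus : user NOT in sudoers ; TTY=pts/3 ; PWD=/home/bogus ; USER=root ; COMMAND=/bin/sh
"""

# Constructed logfile lines: no hostname/progname, log_year enabled, and
# lines longer than loglinelen wrapped with a four-character indent.
LOGFILE_SAMPLE = """\
Jul 16 10:57:01 2012 : millert : TTY=pts/0 ; PWD=/home/millert ; USER=root ;
    COMMAND=/usr/sbin/dump 0uf /dev/nrst0 /dev/sd0a
Jul 16 10:58:15 2012 : pete : 3 incorrect password attempts ; TTY=pts/4 ;
    PWD=/home/pete ; USER=root ; COMMAND=/usr/bin/passwd root
"""

SYSLOG_RE = re.compile(
    r"^(?P<date>[A-Z][a-z]{2} {1,2}\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<prog>sudo|sudoedit)(?:\[\d+\])?: *(?P<body>.*)$")
LOGFILE_RE = re.compile(
    r"^(?P<date>[A-Z][a-z]{2} {1,2}\d{1,2} \d\d:\d\d:\d\d(?: \d{4})?) : (?P<body>.*)$")
BODY_RE = re.compile(r"^\s*(?P<user>\S+) : (?P<msg>.*)$")
CONTINUED = "(command continued) "


@dataclass
class SudoEntry:
    date: str
    username: str
    hostname: Optional[str] = None      # syslog only
    progname: Optional[str] = None      # syslog only
    reason: Optional[str] = None        # denial reason; None when allowed
    fields: Dict[str, str] = field(default_factory=dict)

    @property
    def command(self) -> str:
        return self.fields.get("COMMAND", "")


def _unwrap(lines: List[str]) -> List[str]:
    """Rejoin logfile word-wrap continuations (four-space indent)."""
    out: List[str] = []
    for line in lines:
        if line.startswith("    ") and out:
            out[-1] += " " + line.strip()
        else:
            out.append(line.rstrip())
    return out


def _parse_fields(entry: SudoEntry, msg: str) -> None:
    """Split 'k=v ; k=v' tokens; text before the first TTY= is a denial."""
    parts = msg.split(" ; ")
    if not parts[0].startswith("TTY="):
        entry.reason = parts.pop(0)
    for part in parts:
        key, sep, value = part.partition("=")
        if sep:
            entry.fields[key] = value


def parse_sudo_log(text: str) -> List[SudoEntry]:
    entries: List[SudoEntry] = []
    for line in _unwrap(text.splitlines()):
        m = SYSLOG_RE.match(line) or LOGFILE_RE.match(line)
        b = BODY_RE.match(m.group("body")) if m else None
        if not b:
            continue                    # not a sudoers entry
        user, msg = b.group("user"), b.group("msg")
        if msg.startswith(CONTINUED):
            # Syslog split: glue the remaining arguments onto the most
            # recent entry logged for the same user.
            for prev in reversed(entries):
                if prev.username == user:
                    prev.fields["COMMAND"] = prev.command + " " + msg[len(CONTINUED):]
                    break
            continue
        gd = m.groupdict()
        entry = SudoEntry(date=gd["date"], username=user,
                          hostname=gd.get("host"), progname=gd.get("prog"))
        _parse_fields(entry, msg)
        entries.append(entry)
    return entries


def denied(entries: List[SudoEntry]) -> List[SudoEntry]:
    """The denied command log entries, i.e. those carrying a reason."""
    return [e for e in entries if e.reason is not None]
```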
1.1.1.2 misho 3377: .SH "SUDO.CONF"
1.1.1.3 ! misho 3378: The
! 3379: \fI@sysconfdir@/sudo.conf\fR
! 3380: file determines which plugins the
! 3381: \fBsudo\fR
! 3382: front end will load.
! 3383: If no
! 3384: \fI@sysconfdir@/sudo.conf\fR
! 3385: file
! 3386: is present, or it contains no
! 3387: \fRPlugin\fR
! 3388: lines,
! 3389: \fBsudo\fR
! 3390: will use the
! 3391: \fIsudoers\fR
! 3392: security policy and I/O logging, which corresponds to the following
! 3393: \fI@sysconfdir@/sudo.conf\fR
! 3394: file.
! 3395: .nf
! 3396: .sp
! 3397: .RS 0n
! 3398: #
! 3399: # Default @sysconfdir@/sudo.conf file
! 3400: #
! 3401: # Format:
! 3402: # Plugin plugin_name plugin_path plugin_options ...
! 3403: # Path askpass /path/to/askpass
! 3404: # Path noexec /path/to/sudo_noexec.so
! 3405: # Debug sudo /var/log/sudo_debug all@warn
! 3406: # Set disable_coredump true
! 3407: #
! 3408: # The plugin_path is relative to @prefix@/libexec unless
! 3409: # fully qualified.
! 3410: # The plugin_name corresponds to a global symbol in the plugin
! 3411: # that contains the plugin interface structure.
! 3412: # The plugin_options are optional.
! 3413: #
! 3414: Plugin sudoers_policy sudoers.so
! 3415: Plugin sudoers_io sudoers.so
! 3416: .RE
! 3417: .fi
! 3418: .SS "Plugin options"
! 3419: Starting with
! 3420: \fBsudo\fR
! 3421: 1.8.5, it is possible to pass options to the
! 3422: \fIsudoers\fR
! 3423: plugin.
! 3424: Options may be listed after the path to the plugin (i.e.\& after
! 3425: \fIsudoers.so\fR);
! 3426: multiple options should be space-separated.
! 3427: For example:
! 3428: .nf
! 3429: .sp
! 3430: .RS 0n
! 3431: Plugin sudoers_policy sudoers.so sudoers_file=/etc/sudoers sudoers_uid=0 sudoers_gid=0 sudoers_mode=0440
! 3432: .RE
! 3433: .fi
1.1.1.2 misho 3434: .PP
3435: The following plugin options are supported:
1.1.1.3 ! misho 3436: .TP 10n
! 3437: sudoers_file=pathname
! 3438: The
! 3439: \fIsudoers_file\fR
! 3440: option can be used to override the default path
! 3441: to the
! 3442: \fIsudoers\fR
! 3443: file.
! 3444: .TP 10n
! 3445: sudoers_uid=uid
! 3446: The
! 3447: \fIsudoers_uid\fR
! 3448: option can be used to override the default owner of the sudoers file.
! 3449: It should be specified as a numeric user ID.
! 3450: .TP 10n
! 3451: sudoers_gid=gid
! 3452: The
! 3453: \fIsudoers_gid\fR
! 3454: option can be used to override the default group of the sudoers file.
! 3455: It should be specified as a numeric group ID.
! 3456: .TP 10n
! 3457: sudoers_mode=mode
! 3458: The
! 3459: \fIsudoers_mode\fR
! 3460: option can be used to override the default file mode for the sudoers file.
! 3461: It should be specified as an octal value.
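The following Python, an added example rather than sudo's own code, performs the sudoers file checks behind the error entries listed earlier before sudo is ever run, taking sudoers_uid, sudoers_gid and sudoers_mode from a constructed sudo.conf Plugin line; comparing the whole file mode against sudoers_mode is a stricter check of this example than the listed messages.

```python
"""Check the sudoers file against the ownership and mode rules sudoers
enforces, using the sudoers_uid, sudoers_gid and sudoers_mode options
from the Plugin line of sudo.conf.

Added example, not code from the sudo project. The messages follow the
"owned by uid", "world writable", "owned by gid", "not a regular file"
and "unable to stat" error entries; the whole-mode comparison against
sudoers_mode is an extra check. The sudo.conf text is constructed.
"""
import os
import stat
from typing import Dict, List, Optional

# Documented defaults: owner uid 0, group gid 1, mode 0440.
DEFAULT_OPTS: Dict[str, int] = {"sudoers_uid": 0, "sudoers_gid": 1,
                                "sudoers_mode": 0o440}

SAMPLE_SUDO_CONF = """\
# Constructed sudo.conf: the sudoers file is kept in group 0 here.
Plugin sudoers_policy sudoers.so sudoers_uid=0 sudoers_gid=0 sudoers_mode=0440
Plugin sudoers_io sudoers.so
"""


def parse_plugin_options(sudo_conf: str) -> Dict[str, int]:
    """Read the space-separated options after the policy plugin path."""
    opts = dict(DEFAULT_OPTS)
    for line in sudo_conf.splitlines():
        words = line.split()
        if len(words) < 3 or words[0] != "Plugin" or words[1] != "sudoers_policy":
            continue
        for option in words[3:]:
            key, sep, value = option.partition("=")
            if not sep:
                continue
            if key == "sudoers_mode":
                opts[key] = int(value, 8)       # octal, as documented
            elif key in ("sudoers_uid", "sudoers_gid"):
                opts[key] = int(value)          # numeric IDs only
    return opts


def sudoers_file_problems(st: Optional[os.stat_result], path: str,
                          opts: Dict[str, int] = DEFAULT_OPTS) -> List[str]:
    """Return the messages sudoers would log for this file; [] if it is fine.

    st is the result of os.stat(path) (symlinks followed), or None when
    the file could not be stat'ed.
    """
    if st is None:
        return ["unable to stat %s" % path]
    problems: List[str] = []
    if not stat.S_ISREG(st.st_mode):
        problems.append("%s is not a regular file" % path)
    if st.st_uid != opts["sudoers_uid"]:
        problems.append("%s is owned by uid %d, should be %d"
                        % (path, st.st_uid, opts["sudoers_uid"]))
    if st.st_mode & stat.S_IWOTH:
        problems.append("%s is world writable" % path)
    if st.st_gid != opts["sudoers_gid"]:
        problems.append("%s is owned by gid %d, should be %d"
                        % (path, st.st_gid, opts["sudoers_gid"]))
    if stat.S_IMODE(st.st_mode) != opts["sudoers_mode"]:
        problems.append("%s is mode %04o, should be %04o"
                        % (path, stat.S_IMODE(st.st_mode), opts["sudoers_mode"]))
    return problems


def fake_stat(mode: int, uid: int, gid: int) -> os.stat_result:
    """Build a stat_result for offline checks (other fields zeroed)."""
    return os.stat_result((mode, 0, 0, 1, uid, gid, 0, 0, 0, 0))


def check_sudoers_file(path: str, sudo_conf_text: str = "") -> List[str]:
    """Stat a real file and check it against the sudo.conf options."""
    opts = parse_plugin_options(sudo_conf_text)
    try:
        st: Optional[os.stat_result] = os.stat(path)
    except OSError:
        st = None
    return sudoers_file_problems(st, path, opts)
```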
! 3462: .SS "Debug flags"
! 3463: Versions 1.8.4 and higher of the
! 3464: \fIsudoers\fR
! 3465: plugin support a debugging framework that can help track down what the
! 3466: plugin is doing internally if there is a problem.
! 3467: This can be configured in the
! 3468: \fI@sysconfdir@/sudo.conf\fR
! 3469: file as described in
! 3470: sudo(@mansectsu@).
! 3471: .PP
! 3472: The
! 3473: \fIsudoers\fR
! 3474: plugin uses the same debug flag format as the
! 3475: \fBsudo\fR
! 3476: front-end:
! 3477: \fIsubsystem\fR@\fIpriority\fR.
! 3478: .PP
! 3479: The priorities used by
! 3480: \fIsudoers\fR,
! 3481: in order of decreasing severity,
! 3482: are:
! 3483: \fIcrit\fR,
! 3484: \fIerr\fR,
! 3485: \fIwarn\fR,
! 3486: \fInotice\fR,
! 3487: \fIdiag\fR,
! 3488: \fIinfo\fR,
! 3489: \fItrace\fR
! 3490: and
! 3491: \fIdebug\fR.
! 3492: Each priority, when specified, also includes all priorities higher than it.
! 3493: For example, a priority of
! 3494: \fInotice\fR
! 3495: would include debug messages logged at
! 3496: \fInotice\fR
! 3497: and higher.
! 3498: .PP
! 3499: The following subsystems are used by
! 3500: \fIsudoers\fR:
! 3501: .TP 10n
! 3502: \fIalias\fR
! 3503: \fRUser_Alias\fR,
! 3504: \fRRunas_Alias\fR,
! 3505: \fRHost_Alias\fR
! 3506: and
! 3507: \fRCmnd_Alias\fR
! 3508: processing
! 3509: .TP 10n
! 3510: \fIall\fR
1.1.1.2 misho 3511: matches every subsystem
1.1.1.3 ! misho 3512: .TP 10n
! 3513: \fIaudit\fR
! 3514: BSM and Linux audit code
! 3515: .TP 10n
! 3516: \fIauth\fR
1.1.1.2 misho 3517: user authentication
1.1.1.3 ! misho 3518: .TP 10n
! 3519: \fIdefaults\fR
! 3520: \fIsudoers\fR
! 3521: \fIDefaults\fR
! 3522: settings
! 3523: .TP 10n
! 3524: \fIenv\fR
1.1.1.2 misho 3525: environment handling
1.1.1.3 ! misho 3526: .TP 10n
! 3527: \fIldap\fR
1.1.1.2 misho 3528: LDAP-based sudoers
1.1.1.3 ! misho 3529: .TP 10n
! 3530: \fIlogging\fR
1.1.1.2 misho 3531: logging support
1.1.1.3 ! misho 3532: .TP 10n
! 3533: \fImatch\fR
! 3534: matching of users, groups, hosts and netgroups in
! 3535: \fIsudoers\fR
! 3536: .TP 10n
! 3537: \fInetif\fR
1.1.1.2 misho 3538: network interface handling
1.1.1.3 ! misho 3539: .TP 10n
! 3540: \fInss\fR
! 3541: network service switch handling in
! 3542: \fIsudoers\fR
! 3543: .TP 10n
! 3544: \fIparser\fR
! 3545: \fIsudoers\fR
! 3546: file parsing
! 3547: .TP 10n
! 3548: \fIperms\fR
1.1.1.2 misho 3549: permission setting
1.1.1.3 ! misho 3550: .TP 10n
! 3551: \fIplugin\fR
! 3552: The equivalent of
! 3553: \fImain\fR
! 3554: for the plugin.
! 3555: .TP 10n
! 3556: \fIpty\fR
1.1.1.2 misho 3557: pseudo-tty related code
1.1.1.3 ! misho 3558: .TP 10n
! 3559: \fIrbtree\fR
1.1.1.2 misho 3560: red-black tree internals
1.1.1.3 ! misho 3561: .TP 10n
! 3562: \fIutil\fR
1.1.1.2 misho 3563: utility functions
1.1 misho 3564: .SH "FILES"
1.1.1.3 ! misho 3565: .TP 26n
! 3566: \fI@sysconfdir@/sudo.conf\fR
1.1.1.2 misho 3567: Sudo front end configuration
1.1.1.3 ! misho 3568: .TP 26n
! 3569: \fI@sysconfdir@/sudoers\fR
1.1 misho 3570: List of who can run what
1.1.1.3 ! misho 3571: .TP 26n
! 3572: \fI/etc/group\fR
1.1 misho 3573: Local groups file
1.1.1.3 ! misho 3574: .TP 26n
! 3575: \fI/etc/netgroup\fR
1.1 misho 3576: List of network groups
1.1.1.3 ! misho 3577: .TP 26n
! 3578: \fI@iolog_dir@\fR
1.1 misho 3579: I/O log files
1.1.1.3 ! misho 3580: .TP 26n
! 3581: \fI@timedir@\fR
! 3582: Directory containing time stamps for the
! 3583: \fIsudoers\fR
! 3584: security policy
! 3585: .TP 26n
! 3586: \fI/etc/environment\fR
! 3587: Initial environment for
! 3588: \fB\-i\fR
! 3589: mode on AIX and Linux systems
1.1 misho 3590: .SH "EXAMPLES"
1.1.1.3 ! misho 3591: Below are example
! 3592: \fIsudoers\fR
! 3593: entries.
! 3594: Admittedly, some of these are a bit contrived.
! 3595: First, we allow a few environment variables to pass and then define our
! 3596: \fIaliases\fR:
! 3597: .nf
! 3598: .sp
! 3599: .RS 0n
! 3600: # Run X applications through sudo; HOME is used to find the
! 3601: # .Xauthority file. Note that other programs use HOME to find
! 3602: # configuration files and this may lead to privilege escalation!
! 3603: Defaults env_keep += "DISPLAY HOME"
! 3604:
! 3605: # User alias specification
! 3606: User_Alias FULLTIMERS = millert, mikef, dowdy
! 3607: User_Alias PARTTIMERS = bostley, jwfox, crawl
! 3608: User_Alias WEBMASTERS = will, wendy, wim
! 3609:
! 3610: # Runas alias specification
! 3611: Runas_Alias OP = root, operator
! 3612: Runas_Alias DB = oracle, sybase
! 3613: Runas_Alias ADMINGRP = adm, oper
! 3614:
! 3615: # Host alias specification
! 3616: Host_Alias SPARC = bigtime, eclipse, moet, anchor :\e
! 3617: SGI = grolsch, dandelion, black :\e
! 3618: ALPHA = widget, thalamus, foobar :\e
! 3619: HPPA = boa, nag, python
! 3620: Host_Alias CUNETS = 128.138.0.0/255.255.0.0
! 3621: Host_Alias CSNETS = 128.138.243.0, 128.138.204.0/24, 128.138.242.0
! 3622: Host_Alias SERVERS = master, mail, www, ns
! 3623: Host_Alias CDROM = orion, perseus, hercules
! 3624:
! 3625: # Cmnd alias specification
! 3626: Cmnd_Alias DUMPS = /usr/bin/mt, /usr/sbin/dump, /usr/sbin/rdump,\e
! 3627: /usr/sbin/restore, /usr/sbin/rrestore
! 3628: Cmnd_Alias KILL = /usr/bin/kill
! 3629: Cmnd_Alias PRINTING = /usr/sbin/lpc, /usr/bin/lprm
! 3630: Cmnd_Alias SHUTDOWN = /usr/sbin/shutdown
! 3631: Cmnd_Alias HALT = /usr/sbin/halt
! 3632: Cmnd_Alias REBOOT = /usr/sbin/reboot
! 3633: Cmnd_Alias SHELLS = /usr/bin/sh, /usr/bin/csh, /usr/bin/ksh,\e
! 3634: /usr/local/bin/tcsh, /usr/bin/rsh,\e
! 3635: /usr/local/bin/zsh
! 3636: Cmnd_Alias SU = /usr/bin/su
! 3637: Cmnd_Alias PAGERS = /usr/bin/more, /usr/bin/pg, /usr/bin/less
! 3638: .RE
! 3639: .fi
1.1 misho 3640: .PP
1.1.1.3 ! misho 3641: Here we override some of the compiled in default values.
! 3642: We want
! 3643: \fBsudo\fR
! 3644: to log via
! 3645: syslog(3)
! 3646: using the
! 3647: \fIauth\fR
! 3648: facility in all cases.
! 3649: We don't want to subject the full time staff to the
! 3650: \fBsudo\fR
! 3651: lecture, user
! 3652: \fBmillert\fR
! 3653: need not give a password, and we don't want to reset the
! 3654: \fRLOGNAME\fR,
! 3655: \fRUSER\fR
! 3656: or
! 3657: \fRUSERNAME\fR
! 3658: environment variables when running commands as root.
! 3659: Additionally, on the machines in the
! 3660: \fISERVERS\fR
! 3661: \fRHost_Alias\fR,
! 3662: we keep an additional local log file and make sure we log the year
! 3663: in each log line since the log entries will be kept around for several years.
! 3664: Lastly, we disable shell escapes for the commands in the PAGERS
! 3665: \fRCmnd_Alias\fR
! 3666: (\fI/usr/bin/more\fR,
! 3667: \fI/usr/bin/pg\fR
! 3668: and
! 3669: \fI/usr/bin/less\fR).
! 3671: .nf
! 3672: .sp
! 3673: .RS 0n
! 3674: # Override built-in defaults
! 3675: Defaults syslog=auth
! 3676: Defaults>root !set_logname
! 3677: Defaults:FULLTIMERS !lecture
! 3678: Defaults:millert !authenticate
! 3679: Defaults@SERVERS log_year, logfile=/var/log/sudo.log
! 3680: Defaults!PAGERS noexec
! 3681: .RE
! 3682: .fi
1.1 misho 3683: .PP
1.1.1.3 ! misho 3684: The
! 3685: \fIUser specification\fR
! 3686: is the part that actually determines who may run what.
! 3687: .nf
! 3688: .sp
! 3689: .RS 0n
! 3690: root ALL = (ALL) ALL
! 3691: %wheel ALL = (ALL) ALL
! 3692: .RE
! 3693: .fi
1.1 misho 3694: .PP
1.1.1.3 ! misho 3695: We let
! 3696: \fBroot\fR
! 3697: and any user in group
! 3698: \fBwheel\fR
! 3699: run any command on any host as any user.
! 3700: .nf
! 3701: .sp
! 3702: .RS 0n
! 3703: FULLTIMERS ALL = NOPASSWD: ALL
! 3704: .RE
! 3705: .fi
1.1 misho 3706: .PP
1.1.1.3 ! misho 3707: Full time sysadmins
! 3708: (\fBmillert\fR,
! 3709: \fBmikef\fR,
! 3710: and
! 3711: \fBdowdy\fR)
! 3712: may run any command on any host without authenticating themselves.
! 3713: .nf
! 3714: .sp
! 3715: .RS 0n
! 3716: PARTTIMERS ALL = ALL
! 3717: .RE
! 3718: .fi
1.1 misho 3719: .PP
1.1.1.3 ! misho 3720: Part time sysadmins
! 3721: (\fBbostley\fR,
! 3722: \fBjwfox\fR,
! 3723: and
! 3724: \fBcrawl\fR)
! 3725: may run any command on any host but they must authenticate themselves
! 3726: first (since the entry lacks the
! 3727: \fRNOPASSWD\fR
! 3728: tag).
! 3729: .nf
! 3730: .sp
! 3731: .RS 0n
! 3732: jack CSNETS = ALL
! 3733: .RE
! 3734: .fi
1.1 misho 3735: .PP
1.1.1.3 ! misho 3736: The user
! 3737: \fBjack\fR
! 3738: may run any command on the machines in the
! 3739: \fICSNETS\fR
! 3740: alias (the networks
! 3741: \fR128.138.243.0\fR,
! 3742: \fR128.138.204.0\fR,
! 3743: and
! 3744: \fR128.138.242.0\fR).
! 3745: Of those networks, only
! 3746: \fR128.138.204.0\fR
! 3747: has an explicit netmask (in CIDR notation) indicating it is a class C network.
! 3748: For the other networks in
! 3749: \fICSNETS\fR,
! 3750: the local machine's netmask will be used during matching.
! 3751: .nf
! 3752: .sp
! 3753: .RS 0n
! 3754: lisa CUNETS = ALL
! 3755: .RE
! 3756: .fi
1.1 misho 3757: .PP
1.1.1.3 ! misho 3758: The user
! 3759: \fBlisa\fR
! 3760: may run any command on any host in the
! 3761: \fICUNETS\fR
! 3762: alias (the class B network
! 3763: \fR128.138.0.0\fR).
! 3764: .nf
! 3765: .sp
! 3766: .RS 0n
! 3767: operator ALL = DUMPS, KILL, SHUTDOWN, HALT, REBOOT, PRINTING,\e
! 3768: sudoedit /etc/printcap, /usr/oper/bin/
! 3769: .RE
! 3770: .fi
1.1 misho 3771: .PP
1.1.1.3 ! misho 3772: The
! 3773: \fBoperator\fR
! 3774: user may run commands limited to simple maintenance.
! 3775: Here, those are commands related to backups, killing processes, the
! 3776: printing system, shutting down the system, and any commands in the
! 3777: directory
! 3778: \fI/usr/oper/bin/\fR.
! 3779: .nf
! 3780: .sp
! 3781: .RS 0n
! 3782: joe ALL = /usr/bin/su operator
! 3783: .RE
! 3784: .fi
1.1 misho 3785: .PP
1.1.1.3 ! misho 3786: The user
! 3787: \fBjoe\fR
! 3788: may only
! 3789: su(1)
! 3790: to operator.
! 3791: .nf
! 3792: .sp
! 3793: .RS 0n
! 3794: pete HPPA = /usr/bin/passwd [A-Za-z]*, !/usr/bin/passwd root
! 3795:
! 3796: %opers ALL = (: ADMINGRP) /usr/sbin/
! 3797: .RE
! 3798: .fi
1.1 misho 3799: .PP
1.1.1.3 ! misho 3800: Users in the
! 3801: \fBopers\fR
! 3802: group may run commands in
! 3803: \fI/usr/sbin/\fR
! 3804: as themselves
! 3805: with any group in the
! 3806: \fIADMINGRP\fR
! 3807: \fRRunas_Alias\fR
! 3808: (the
! 3809: \fBadm\fR
! 3810: and
! 3811: \fBoper\fR
! 3812: groups).
1.1 misho 3813: .PP
1.1.1.3 ! misho 3814: The user
! 3815: \fBpete\fR
! 3816: is allowed to change anyone's password except for
! 3817: root on the
! 3818: \fIHPPA\fR
! 3819: machines.
! 3820: Note that this assumes
! 3821: passwd(1)
! 3822: does not take multiple user names on the command line.
! 3823: .nf
! 3824: .sp
! 3825: .RS 0n
! 3826: bob SPARC = (OP) ALL : SGI = (OP) ALL
! 3827: .RE
! 3828: .fi
1.1 misho 3829: .PP
1.1.1.3 ! misho 3830: The user
! 3831: \fBbob\fR
! 3832: may run anything on the
! 3833: \fISPARC\fR
! 3834: and
! 3835: \fISGI\fR
! 3836: machines as any user listed in the
! 3837: \fIOP\fR
! 3838: \fRRunas_Alias\fR
! 3839: (\fBroot\fR
! 3840: and
! 3841: \fBoperator\fR).
! 3842: .nf
! 3843: .sp
! 3844: .RS 0n
! 3845: jim +biglab = ALL
! 3846: .RE
! 3847: .fi
1.1 misho 3848: .PP
1.1.1.3 ! misho 3849: The user
! 3850: \fBjim\fR
! 3851: may run any command on machines in the
! 3852: \fIbiglab\fR
! 3853: netgroup.
! 3854: \fBsudo\fR
! 3855: knows that
! 3856: ``biglab''
! 3857: is a netgroup due to the
! 3858: `+'
! 3859: prefix.
! 3860: .nf
! 3861: .sp
! 3862: .RS 0n
! 3863: +secretaries ALL = PRINTING, /usr/bin/adduser, /usr/bin/rmuser
! 3864: .RE
! 3865: .fi
1.1 misho 3866: .PP
1.1.1.3 ! misho 3867: Users in the
! 3868: \fBsecretaries\fR
! 3869: netgroup need to help manage the printers as well as add and remove users,
! 3870: so they are allowed to run those commands on all machines.
! 3871: .nf
! 3872: .sp
! 3873: .RS 0n
! 3874: fred ALL = (DB) NOPASSWD: ALL
! 3875: .RE
! 3876: .fi
1.1 misho 3877: .PP
1.1.1.3 ! misho 3878: The user
! 3879: \fBfred\fR
! 3880: can run commands as any user in the
! 3881: \fIDB\fR
! 3882: \fRRunas_Alias\fR
! 3883: (\fBoracle\fR
! 3884: or
! 3885: \fBsybase\fR)
! 3886: without giving a password.
! 3887: .nf
! 3888: .sp
! 3889: .RS 0n
! 3890: john ALPHA = /usr/bin/su [!-]*, !/usr/bin/su *root*
! 3891: .RE
! 3892: .fi
1.1 misho 3893: .PP
1.1.1.3 ! misho 3894: On the
! 3895: \fIALPHA\fR
! 3896: machines, user
! 3897: \fBjohn\fR
! 3898: may su to anyone except root but he is not allowed to specify any options
! 3899: to the
! 3900: su(1)
! 3901: command.
! 3902: .nf
! 3903: .sp
! 3904: .RS 0n
! 3905: jen ALL, !SERVERS = ALL
! 3906: .RE
! 3907: .fi
1.1 misho 3908: .PP
1.1.1.3 ! misho 3909: The user
! 3910: \fBjen\fR
! 3911: may run any command on any machine except for those in the
! 3912: \fISERVERS\fR
! 3913: \fRHost_Alias\fR
! 3914: (master, mail, www and ns).
! 3915: .nf
! 3916: .sp
! 3917: .RS 0n
! 3918: jill SERVERS = /usr/bin/, !SU, !SHELLS
! 3919: .RE
! 3920: .fi
1.1 misho 3921: .PP
1.1.1.3 ! misho 3922: For any machine in the
! 3923: \fISERVERS\fR
! 3924: \fRHost_Alias\fR,
! 3925: \fBjill\fR
! 3926: may run
! 3927: any commands in the directory
! 3928: \fI/usr/bin/\fR
! 3929: except for those commands
! 3930: belonging to the
! 3931: \fISU\fR
! 3932: and
! 3933: \fISHELLS\fR
! 3934: \fRCmnd_Aliases\fR.
! 3935: .nf
! 3936: .sp
! 3937: .RS 0n
! 3938: steve CSNETS = (operator) /usr/local/op_commands/
! 3939: .RE
! 3940: .fi
1.1 misho 3941: .PP
1.1.1.3 ! misho 3942: The user
! 3943: \fBsteve\fR
! 3944: may run any command in the directory /usr/local/op_commands/
1.1 misho 3945: but only as user operator.
1.1.1.3 ! misho 3946: .nf
! 3947: .sp
! 3948: .RS 0n
! 3949: matt valkyrie = KILL
! 3950: .RE
! 3951: .fi
1.1 misho 3952: .PP
1.1.1.3 ! misho 3953: On his personal workstation, valkyrie,
! 3954: \fBmatt\fR
! 3955: needs to be able to kill hung processes.
! 3956: .nf
! 3957: .sp
! 3958: .RS 0n
! 3959: WEBMASTERS www = (www) ALL, (root) /usr/bin/su www
! 3960: .RE
! 3961: .fi
1.1 misho 3962: .PP
1.1.1.3 ! misho 3963: On the host www, any user in the
! 3964: \fIWEBMASTERS\fR
! 3965: \fRUser_Alias\fR
! 3966: (will, wendy, and wim), may run any command as user www (which owns the
! 3967: web pages) or simply
! 3968: su(1)
! 3969: to www.
! 3970: .nf
! 3971: .sp
! 3972: .RS 0n
! 3973: ALL CDROM = NOPASSWD: /sbin/umount /CDROM,\e
! 3974: /sbin/mount -o nosuid\e,nodev /dev/cd0a /CDROM
! 3975: .RE
! 3976: .fi
! 3977: .PP
! 3978: Any user may mount or unmount a CD-ROM on the machines in the CDROM
! 3979: \fRHost_Alias\fR
! 3980: (orion, perseus, hercules) without entering a password.
1.1 misho 3981: This is a bit tedious for users to type, so it is a prime candidate
3982: for encapsulating in a shell script.
3983: .SH "SECURITY NOTES"
1.1.1.3 ! misho 3984: .SS "Limitations of the `!\&' operator"
! 3985: It is generally not effective to
! 3986: ``subtract''
! 3987: commands from
! 3988: \fBALL\fR
! 3989: using the
! 3990: `!\&'
! 3991: operator.
! 3992: A user can trivially circumvent this by copying the desired command
! 3993: to a different name and then executing that.
! 3994: For example:
! 3995: .nf
! 3996: .sp
! 3997: .RS 0n
! 3998: bill ALL = ALL, !SU, !SHELLS
! 3999: .RE
! 4000: .fi
1.1 misho 4001: .PP
1.1.1.3 ! misho 4002: Doesn't really prevent
! 4003: \fBbill\fR
! 4004: from running the commands listed in
! 4005: \fISU\fR
! 4006: or
! 4007: \fISHELLS\fR
! 4008: since he can simply copy those commands to a different name, or use
! 4009: a shell escape from an editor or other program.
! 4010: Therefore, these kinds of restrictions should be considered
! 4011: advisory at best (and reinforced by policy).
1.1 misho 4012: .PP
1.1.1.3 ! misho 4013: In general, if a user has sudo
! 4014: \fBALL\fR
! 4015: there is nothing to prevent them from creating their own program that gives
! 4016: them a root shell (or making their own copy of a shell) regardless of any
! 4017: `!\&'
! 4018: elements in the user specification.
! 4019: .SS "Security implications of \fIfast_glob\fR"
! 4020: If the
! 4021: \fIfast_glob\fR
! 4022: option is in use, it is not possible to reliably negate commands where the
! 4023: path name includes globbing (aka wildcard) characters.
! 4024: This is because the C library's
! 4025: fnmatch(3)
! 4026: function cannot resolve relative paths.
! 4027: While this is typically only an inconvenience for rules that grant privileges,
! 4028: it can result in a security issue for rules that subtract or revoke privileges.
! 4029: .PP
! 4030: For example, given the following
! 4031: \fIsudoers\fR
! 4032: entry:
! 4033: .nf
! 4034: .sp
! 4035: .RS 0n
! 4036: john ALL = /usr/bin/passwd [a-zA-Z0-9]*, /usr/bin/chsh [a-zA-Z0-9]*,\e
! 4037: /usr/bin/chfn [a-zA-Z0-9]*, !/usr/bin/* root
! 4038: .RE
! 4039: .fi
1.1 misho 4040: .PP
1.1.1.3 ! misho 4041: User
! 4042: \fBjohn\fR
! 4043: can still run
! 4044: \fR/usr/bin/passwd root\fR
! 4045: if
! 4046: \fIfast_glob\fR
! 4047: is enabled by changing to
! 4048: \fI/usr/bin\fR
! 4049: and running
! 4050: \fR./passwd root\fR
! 4051: instead.
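A lint for the two weaknesses just described, added here as an example and not part of sudo: it flags user specifications that subtract commands from ALL with `!' and negated commands whose path contains glob characters, on a sample constructed from this manual's examples (one host specification per entry; Runas lists and tags are stripped, Cmnd_Alias references are resolved).

```python
"""Lint sudoers user specifications for the two patterns described above:
commands subtracted from ALL with `!' (advisory at best) and negated
commands whose path contains glob characters (unreliable with fast_glob).

Added example, not code from the sudo project. One host specification
per user spec; Cmnd_Alias references are resolved, Runas lists and tags
stripped, Defaults lines and other aliases ignored. Sample is constructed.
"""
import re
from typing import Dict, List, Tuple

GLOB_CHARS = set("*?[")
# Leading "(runas)" lists and TAG: prefixes do not affect the lint.
PREFIX_RE = re.compile(r"^(?:\([^)]*\)\s*|[A-Z]+:\s*)+")

SAMPLE_SUDOERS = """\
Cmnd_Alias SHELLS = /usr/bin/sh, /usr/bin/csh, /usr/bin/ksh,\\
    /usr/local/bin/tcsh, /usr/bin/rsh,\\
    /usr/local/bin/zsh
Cmnd_Alias SU = /usr/bin/su
bill ALL = ALL, !SU, !SHELLS
jill SERVERS = /usr/bin/, !SU, !SHELLS
john ALL = /usr/bin/passwd [a-zA-Z0-9]*, /usr/bin/chsh [a-zA-Z0-9]*,\\
    /usr/bin/chfn [a-zA-Z0-9]*, !/usr/bin/* root
pete HPPA = /usr/bin/passwd [A-Za-z]*, !/usr/bin/passwd root
"""


def logical_lines(text: str) -> List[str]:
    """Drop comments and blank lines, join backslash continuations."""
    out, buf = [], ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        out.append(buf + line)
        buf = ""
    return out


def split_cmnds(cmnd_list: str) -> List[str]:
    """Split on commas, honouring the backslash-comma escape."""
    parts = cmnd_list.replace("\\,", "\x00").split(",")
    return [p.strip().replace("\x00", "\\,") for p in parts if p.strip()]


def parse_sudoers(text: str):
    """Return (Cmnd_Alias table, [(user, hosts, [cmnd, ...]), ...])."""
    aliases: Dict[str, List[str]] = {}
    specs: List[Tuple[str, str, List[str]]] = []
    for line in logical_lines(text):
        words = line.split()
        if words[0].startswith("Defaults") or (
                words[0].endswith("_Alias") and words[0] != "Cmnd_Alias"):
            continue
        lhs, sep, rhs = line.partition("=")
        if not sep:
            continue
        if words[0] == "Cmnd_Alias":
            aliases[words[1]] = split_cmnds(rhs)
        else:
            left = lhs.split(None, 1)
            hosts = left[1].strip() if len(left) > 1 else ""
            specs.append((left[0], hosts,
                          [PREFIX_RE.sub("", c) for c in split_cmnds(rhs)]))
    return aliases, specs


def expand(cmnd: str, aliases: Dict[str, List[str]],
           depth: int = 0) -> List[Tuple[bool, str]]:
    """Resolve aliases to (negated, command) pairs; an odd '!' count negates."""
    name = cmnd.lstrip("!").strip()
    negated = (len(cmnd) - len(cmnd.lstrip("!"))) % 2 == 1
    if name in aliases and depth < 16:        # depth guard against alias loops
        return [(negated ^ sub_neg, c) for sub in aliases[name]
                for sub_neg, c in expand(sub, aliases, depth + 1)]
    return [(negated, name)]


def lint(text: str) -> List[str]:
    aliases, specs = parse_sudoers(text)
    findings: List[str] = []
    for user, hosts, cmnds in specs:
        expanded = [e for c in cmnds for e in expand(c, aliases)]
        grants_all = any(not neg and c == "ALL" for neg, c in expanded)
        negated = [c for neg, c in expanded if neg]
        if grants_all and negated:
            findings.append("%s@%s: '!' exclusions %s are advisory only when "
                            "ALL is granted" % (user, hosts, ", ".join(negated)))
        for c in negated:
            words = c.split()
            if words and GLOB_CHARS & set(words[0]):
                findings.append("%s@%s: negated glob path %r cannot be relied "
                                "on if fast_glob is set" % (user, hosts, words[0]))
    return findings
```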
! 4052: .SS "Preventing shell escapes"
! 4053: Once
! 4054: \fBsudo\fR
! 4055: executes a program, that program is free to do whatever
! 4056: it pleases, including run other programs.
! 4057: This can be a security issue since it is not uncommon for a program to
! 4058: allow shell escapes, which lets a user bypass
! 4059: \fBsudo\fR's
! 4060: access control and logging.
1.1 misho 4061: Common programs that permit shell escapes include shells (obviously),
4062: editors, paginators, mail and terminal programs.
4063: .PP
4064: There are two basic approaches to this problem:
1.1.1.3 ! misho 4065: .TP 10n
! 4066: restrict
1.1 misho 4067: Avoid giving users access to commands that allow the user to run
1.1.1.3 ! misho 4068: arbitrary commands.
! 4069: Many editors have a restricted mode where shell
! 4070: escapes are disabled, though
! 4071: \fBsudoedit\fR
! 4072: is a better solution to
! 4073: running editors via
! 4074: \fBsudo\fR.
! 4075: Due to the large number of programs that
1.1 misho 4076: offer shell escapes, restricting users to the set of programs that
4077: do not is often unworkable.
1.1.1.3 ! misho 4078: .TP 10n
! 4079: noexec
1.1 misho 4080: Many systems that support shared libraries have the ability to
4081: override default library functions by pointing an environment
1.1.1.3 ! misho 4082: variable (usually
! 4083: \fRLD_PRELOAD\fR)
! 4084: to an alternate shared library.
! 4085: On such systems,
! 4086: \fBsudo\fR's
! 4087: \fInoexec\fR
! 4088: functionality can be used to prevent a program run by
! 4089: \fBsudo\fR
! 4090: from executing any other programs.
1.1 misho 4091: Note, however, that this applies only to native dynamically-linked
1.1.1.3 ! misho 4092: executables.
! 4093: Statically-linked executables and foreign executables
1.1 misho 4094: running under binary emulation are not affected.
1.1.1.3 ! misho 4095: .sp
! 4096: The
! 4097: \fInoexec\fR
! 4098: feature is known to work on SunOS, Solaris, *BSD,
! 4099: Linux, IRIX, Tru64 UNIX, MacOS X, HP-UX 11.x and AIX 5.3 and above.
1.1 misho 4100: It should be supported on most operating systems that support the
1.1.1.3 ! misho 4101: \fRLD_PRELOAD\fR
! 4102: environment variable.
! 4103: Check your operating system's manual pages for the dynamic linker
! 4104: (usually ld.so, ld.so.1, dyld, dld.sl, rld, or loader) to see if
! 4105: \fRLD_PRELOAD\fR
! 4106: is supported.
! 4107: .sp
! 4108: On Solaris 10 and higher,
! 4109: \fInoexec\fR
! 4110: uses Solaris privileges instead of the
! 4111: \fRLD_PRELOAD\fR
! 4112: environment variable.
! 4113: .sp
! 4114: To enable
! 4115: \fInoexec\fR
! 4116: for a command, use the
! 4117: \fRNOEXEC\fR
! 4118: tag as documented
! 4119: in the User Specification section above.
! 4120: Here is that example again:
! 4121: .RS
! 4122: .nf
! 4123: .sp
! 4124: .RS 0n
! 4125: aaron shanty = NOEXEC: /usr/bin/more, /usr/bin/vi
! 4126: .RE
! 4127: .fi
! 4128: .sp
! 4129: This allows user
! 4130: \fBaaron\fR
! 4131: to run
! 4132: \fI/usr/bin/more\fR
! 4133: and
! 4134: \fI/usr/bin/vi\fR
! 4135: with
! 4136: \fInoexec\fR
! 4137: enabled.
! 4138: This will prevent those two commands from
! 4139: executing other commands (such as a shell).
! 4140: If you are unsure whether or not your system is capable of supporting
! 4141: \fInoexec\fR
! 4142: you can always just try it out and check whether shell escapes work when
! 4143: \fInoexec\fR
! 4144: is enabled.
! 4145: .RE
1.1 misho 4146: .PP
1.1.1.3 ! misho 4147: Note that restricting shell escapes is not a panacea.
! 4148: Programs running as root are still capable of many potentially hazardous
1.1 misho 4149: operations (such as changing or overwriting files) that could lead
1.1.1.3 ! misho 4150: to unintended privilege escalation.
! 4151: In the specific case of an editor, a safer approach is to give the
! 4152: user permission to run
! 4153: \fBsudoedit\fR.
.SS "Time stamp file checks"
\fIsudoers\fR
will check the ownership of its time stamp directory
(\fI@timedir@\fR
by default)
and ignore the directory's contents if it is not owned by root or
if it is writable by a user other than root.
On systems that allow non-root users to give away files via
chown(2),
if the time stamp directory is located in a world-writable
directory (e.g.\&,
\fI/tmp\fR),
it is possible for a user to create the time stamp directory before
\fBsudo\fR
is run.
However, because
\fIsudoers\fR
checks the ownership and mode of the directory and its
contents, the only damage that can be done is to
``hide''
files by putting them in the time stamp dir.
This is unlikely to happen since, once the time stamp dir is owned by root
and inaccessible by any other user, the user placing files there would be
unable to get them back out.
.PP
\fIsudoers\fR
will not honor time stamps set far in the future.
Time stamps with a date greater than current_time + 2 *
\fRTIMEOUT\fR
will be ignored and sudo will log and complain.
This is done to keep a user from creating his/her own time stamp with a
bogus date on systems that allow users to give away files if the time
stamp directory is located in a world-writable directory.
.PP
On systems where the boot time is available,
\fIsudoers\fR
will ignore time stamps that date from before the machine booted.
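The three checks described in the preceding paragraphs (directory ownership and mode, stamps too far in the future, stamps from before boot), re-implemented as an added example in Python that an administrator can run against a time stamp directory. This is not code from the sudo project; it assumes that "writable by a user other than root" means the group- or world-write bit is set, that a stamp is valid while its modification time plus the timeout is still ahead of the current time, and it uses a five-minute timeout unless told otherwise.

```python
"""Added example (not part of sudo or its manual): a model of the sudoers
time stamp sanity checks, usable to audit a time stamp directory.

Assumptions: group- or world-write bits count as "writable by a user other
than root"; a stamp is valid while mtime + timeout is later than now; the
default timeout is 5 minutes; boot time on Linux comes from /proc/stat.
"""
import os
import stat
import sys
import time
from typing import Dict, Optional

TIMEOUT_MINUTES = 5  # assumed default; the real value is the sudoers timeout


def timestamp_dir_trusted(st_uid: int, st_mode: int) -> bool:
    """Directory check: contents are ignored unless the directory is owned
    by root and not writable by anyone other than root."""
    if st_uid != 0:
        return False
    # Assumption: group- or world-writable counts as writable by others.
    if st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        return False
    return True


def classify_stamp(mtime: float, now: float,
                   timeout_minutes: int = TIMEOUT_MINUTES,
                   boot_time: Optional[float] = None) -> str:
    """Say why a time stamp would or would not be honoured.

    "future"   mtime is later than now + 2 * TIMEOUT (ignored and logged)
    "pre-boot" mtime predates the machine's boot time, where known
    "expired"  older than TIMEOUT minutes
    "valid"    within TIMEOUT minutes of now
    """
    timeout = timeout_minutes * 60
    if mtime > now + 2 * timeout:
        return "future"
    if boot_time is not None and mtime < boot_time:
        return "pre-boot"
    if mtime + timeout <= now:
        return "expired"
    return "valid"


def linux_boot_time() -> Optional[float]:
    """Boot time from the btime line of /proc/stat (Linux only, else None)."""
    try:
        with open("/proc/stat") as fh:
            for line in fh:
                if line.startswith("btime "):
                    return float(line.split()[1])
    except OSError:
        pass
    return None


def audit_timestamp_dir(path: str, timeout_minutes: int = TIMEOUT_MINUTES,
                        now: Optional[float] = None,
                        boot_time: Optional[float] = None) -> Dict[str, str]:
    """Classify every entry of a time stamp directory.

    Returns {entry_name: verdict}; the key "." reports whether the directory
    itself passes the ownership and mode check ("trusted"/"untrusted").
    """
    now = time.time() if now is None else now
    st = os.lstat(path)
    result = {".": "trusted" if timestamp_dir_trusted(st.st_uid, st.st_mode)
              else "untrusted"}
    for name in sorted(os.listdir(path)):
        est = os.lstat(os.path.join(path, name))
        result[name] = classify_stamp(est.st_mtime, now, timeout_minutes,
                                      boot_time)
    return result


if __name__ == "__main__":
    if len(sys.argv) != 2:
        sys.exit("usage: audit_ts.py <time-stamp-directory>")
    for entry, verdict in audit_timestamp_dir(sys.argv[1],
                                              boot_time=linux_boot_time()).items():
        print(f"{entry}\t{verdict}")
```

Run it with the time stamp directory as its only argument; an "untrusted" verdict for "." means sudoers would ignore every stamp inside regardless of age, which is the same decision the directory check in the text makes.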
.PP
Since time stamp files live in the file system, they can outlive a
user's login session.
As a result, a user may be able to log in, run a command with
\fBsudo\fR
after authenticating, log out, log in again, and run
\fBsudo\fR
without authenticating so long as the time stamp file's modification
time is within
\fR@timeout@\fR
minutes (or whatever the timeout is set to in
\fIsudoers\fR).
When the
\fItty_tickets\fR
option is enabled, the time stamp has per-tty granularity but still
may outlive the user's session.
On Linux systems where the devpts filesystem is used, Solaris systems
with the devices filesystem, as well as other systems that utilize a
devfs filesystem that monotonically increases the inode number of devices
as they are created (such as Mac OS X),
\fIsudoers\fR
is able to determine when a tty-based time stamp file is stale and will
ignore it.
Administrators should not rely on this feature as it is not universally
available.
.SH "SEE ALSO"
ssh(1),
su(1),
fnmatch(3),
glob(3),
mktemp(3),
strftime(3),
sudoers.ldap(@mansectform@),
sudo_plugin(@mansectsu@),
sudo(@mansectsu@),
visudo(@mansectsu@)
.SH "CAVEATS"
The
\fIsudoers\fR
file should
\fBalways\fR
be edited by the
\fBvisudo\fR
command, which locks the file and does grammatical checking.
It is
imperative that
\fIsudoers\fR
be free of syntax errors since
\fBsudo\fR
will not run with a syntactically incorrect
\fIsudoers\fR
file.
.PP
When using netgroups of machines (as opposed to users), if you
store fully qualified host names in the netgroup (as is usually the
case), you either need to have the machine's host name be fully qualified
as returned by the
\fRhostname\fR
command or use the
\fIfqdn\fR
option in
\fIsudoers\fR.
.SH "BUGS"
If you feel you have found a bug in
\fBsudo\fR,
please submit a bug report at http://www.sudo.ws/sudo/bugs/.
.SH "SUPPORT"
Limited free support is available via the sudo-users mailing list,
see http://www.sudo.ws/mailman/listinfo/sudo-users to subscribe or
search the archives.
.SH "DISCLAIMER"
\fBsudo\fR
is provided
``AS IS''
and any express or implied warranties, including, but not limited
to, the implied warranties of merchantability and fitness for a
particular purpose are disclaimed.
See the LICENSE file distributed with
\fBsudo\fR
or http://www.sudo.ws/sudo/license.html for complete details.