Annotation of embedaddon/sudo/doc/sudoers.man.in, revision 1.1.1.4
1.1.1.3 misho 1: .\" DO NOT EDIT THIS FILE, IT IS NOT THE MASTER!
2: .\" IT IS GENERATED AUTOMATICALLY FROM sudoers.mdoc.in
3: .\"
1.1.1.4 ! misho 4: .\" Copyright (c) 1994-1996, 1998-2005, 2007-2013
! 5: .\" Todd C. Miller <Todd.Miller@courtesan.com>
1.1.1.3 misho 6: .\"
1.1 misho 7: .\" Permission to use, copy, modify, and distribute this software for any
8: .\" purpose with or without fee is hereby granted, provided that the above
9: .\" copyright notice and this permission notice appear in all copies.
1.1.1.3 misho 10: .\"
1.1 misho 11: .\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
12: .\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
13: .\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
14: .\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
15: .\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
16: .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
17: .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
18: .\" ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
1.1.1.3 misho 19: .\"
1.1 misho 20: .\" Sponsored in part by the Defense Advanced Research Projects
21: .\" Agency (DARPA) and Air Force Research Laboratory, Air Force
22: .\" Materiel Command, USAF, under agreement number F39502-99-1-0512.
23: .\"
1.1.1.4 ! misho 24: .TH "SUDOERS" "@mansectsu@" "April 30, 2013" "Sudo @PACKAGE_VERSION@" "Programmer's Manual"
1.1 misho 25: .nh
1.1.1.3 misho 26: .if n .ad l
1.1 misho 27: .SH "NAME"
1.1.1.3 misho 28: \fBsudoers\fR
1.1.1.4 ! misho 29: \- default sudo security policy plugin
1.1 misho 30: .SH "DESCRIPTION"
1.1.1.3 misho 31: The
32: \fIsudoers\fR
1.1.1.4 ! misho 33: policy plugin determines a user's
1.1.1.3 misho 34: \fBsudo\fR
35: privileges.
36: It is the default
37: \fBsudo\fR
38: policy plugin.
39: The policy is driven by
40: the
41: \fI@sysconfdir@/sudoers\fR
42: file or, optionally, in LDAP.
43: The policy format is described in detail in the
44: \fISUDOERS FILE FORMAT\fR
45: section.
46: For information on storing
47: \fIsudoers\fR
48: policy information
49: in LDAP, please see
50: sudoers.ldap(@mansectform@).
1.1.1.4 ! misho 51: .SS "Configuring sudo.conf for sudoers"
! 52: \fBsudo\fR
! 53: consults the
! 54: sudo.conf(@mansectform@)
! 55: file to determine which policy and I/O logging plugins to load.
! 56: If no
! 57: sudo.conf(@mansectform@)
! 58: file is present, or if it contains no
! 59: \fRPlugin\fR
! 60: lines,
! 61: \fBsudoers\fR
! 62: will be used for policy decisions and I/O logging.
! 63: To explicitly configure
! 64: sudo.conf(@mansectform@)
! 65: to use the
! 66: \fBsudoers\fR
! 67: plugin, the following configuration can be used.
! 68: .nf
! 69: .sp
! 70: .RS 6n
! 71: Plugin sudoers_policy sudoers.so
! 72: Plugin sudoers_io sudoers.so
! 73: .RE
! 74: .fi
! 75: .PP
! 76: Starting with
! 77: \fBsudo\fR
! 78: 1.8.5, it is possible to specify optional arguments to the
! 79: \fBsudoers\fR
! 80: plugin in the
! 81: sudo.conf(@mansectform@)
! 82: file.
! 83: These arguments, if present, should be listed after the path to the plugin
! 84: (i.e.\& after
! 85: \fIsudoers.so\fR).
! 86: Multiple arguments may be specified, separated by white space.
! 87: For example:
! 88: .nf
! 89: .sp
! 90: .RS 6n
! 91: Plugin sudoers_policy sudoers.so sudoers_mode=0400
! 92: .RE
! 93: .fi
! 94: .PP
! 95: The following plugin arguments are supported:
! 96: .TP 10n
! 97: ldap_conf=pathname
! 98: The
! 99: \fIldap_conf\fR
! 100: argument can be used to override the default path to the
! 101: \fIldap.conf\fR
! 102: file.
! 103: .TP 10n
! 104: ldap_secret=pathname
! 105: The
! 106: \fIldap_secret\fR
! 107: argument can be used to override the default path to the
! 108: \fIldap.secret\fR
! 109: file.
! 110: .TP 10n
! 111: sudoers_file=pathname
! 112: The
! 113: \fIsudoers_file\fR
! 114: argument can be used to override the default path to the
! 115: \fIsudoers\fR
! 116: file.
! 117: .TP 10n
! 118: sudoers_uid=uid
! 119: The
! 120: \fIsudoers_uid\fR
! 121: argument can be used to override the default owner of the sudoers file.
! 122: It should be specified as a numeric user ID.
! 123: .TP 10n
! 124: sudoers_gid=gid
! 125: The
! 126: \fIsudoers_gid\fR
! 127: argument can be used to override the default group of the sudoers file.
! 128: It must be specified as a numeric group ID (not a group name).
! 129: .TP 10n
! 130: sudoers_mode=mode
! 131: The
! 132: \fIsudoers_mode\fR
! 133: argument can be used to override the default file mode for the sudoers file.
! 134: It should be specified as an octal value.
! 135: .PP
! 136: For more information on configuring
! 137: sudo.conf(@mansectform@),
! 138: please refer to its manual.
1.1.1.3 misho 139: .SS "Authentication and logging"
140: The
141: \fIsudoers\fR
142: security policy requires that most users authenticate
143: themselves before they can use
144: \fBsudo\fR.
145: A password is not required
1.1 misho 146: if the invoking user is root, if the target user is the same as the
147: invoking user, or if the policy has disabled authentication for the
1.1.1.3 misho 148: user or command.
149: Unlike
150: su(1),
151: when
152: \fIsudoers\fR
153: requires
1.1 misho 154: authentication, it validates the invoking user's credentials, not
1.1.1.3 misho 155: the target user's (or root's) credentials.
156: This can be changed via
157: the
158: \fIrootpw\fR,
159: \fItargetpw\fR
160: and
161: \fIrunaspw\fR
162: flags, described later.
1.1 misho 163: .PP
164: If a user who is not listed in the policy tries to run a command
1.1.1.3 misho 165: via
166: \fBsudo\fR,
167: mail is sent to the proper authorities.
168: The address
169: used for such mail is configurable via the
170: \fImailto\fR
171: Defaults entry
172: (described later) and defaults to
173: \fR@mailto@\fR.
1.1 misho 174: .PP
175: Note that mail will not be sent if an unauthorized user tries to
1.1.1.3 misho 176: run
177: \fBsudo\fR
178: with the
179: \fB\-l\fR
180: or
181: \fB\-v\fR
182: option.
183: This allows users to
1.1 misho 184: determine for themselves whether or not they are allowed to use
1.1.1.3 misho 185: \fBsudo\fR.
1.1 misho 186: .PP
1.1.1.3 misho 187: If
188: \fBsudo\fR
189: is run by root and the
190: \fRSUDO_USER\fR
191: environment variable
192: is set, the
193: \fIsudoers\fR
194: policy will use this value to determine who
195: the actual user is.
196: This can be used by a user to log commands
197: through sudo even when a root shell has been invoked.
198: It also
199: allows the
200: \fB\-e\fR
201: option to remain useful even when invoked via a
202: sudo-run script or program.
203: Note, however, that the
204: \fIsudoers\fR
205: lookup is still done for root, not the user specified by
206: \fRSUDO_USER\fR.
207: .PP
208: \fIsudoers\fR
209: uses time stamp files for credential caching.
210: Once a
211: user has been authenticated, the time stamp is updated and the user
1.1 misho 212: may then use sudo without a password for a short period of time
1.1.1.3 misho 213: (\fR@timeout@\fR
214: minutes unless overridden by the
215: \fItimeout\fR
216: option)
217: \&.
218: By default,
219: \fIsudoers\fR
220: uses a tty-based time stamp which means that
1.1 misho 221: there is a separate time stamp for each of a user's login sessions.
1.1.1.3 misho 222: The
223: \fItty_tickets\fR
224: option can be disabled to force the use of a
1.1 misho 225: single time stamp for all of a user's sessions.
226: .PP
1.1.1.3 misho 227: \fIsudoers\fR
228: can log both successful and unsuccessful attempts (as well
229: as errors) to
230: syslog(3),
231: a log file, or both.
232: By default,
233: \fIsudoers\fR
234: will log via
235: syslog(3)
236: but this is changeable via the
237: \fIsyslog\fR
238: and
239: \fIlogfile\fR
240: Defaults settings.
241: .PP
242: \fIsudoers\fR
243: also supports logging a command's input and output
244: streams.
245: I/O logging is not on by default but can be enabled using
246: the
247: \fIlog_input\fR
248: and
249: \fIlog_output\fR
250: Defaults flags as well as the
251: \fRLOG_INPUT\fR
252: and
253: \fRLOG_OUTPUT\fR
254: command tags.
255: .SS "Command environment"
256: Since environment variables can influence program behavior,
257: \fIsudoers\fR
1.1 misho 258: provides a means to restrict which variables from the user's
1.1.1.3 misho 259: environment are inherited by the command to be run.
260: There are two
261: distinct ways
262: \fIsudoers\fR
263: can deal with environment variables.
264: .PP
265: By default, the
266: \fIenv_reset\fR
267: option is enabled.
268: This causes commands
269: to be executed with a new, minimal environment.
270: On AIX (and Linux
271: systems without PAM), the environment is initialized with the
272: contents of the
273: \fI/etc/environment\fR
274: file.
275: On BSD systems, if the
276: \fIuse_loginclass\fR
277: option is enabled, the environment is initialized
278: based on the
279: \fIpath\fR
280: and
281: \fIsetenv\fR
282: settings in
283: \fI/etc/login.conf\fR.
284: The new environment contains the
285: \fRTERM\fR,
286: \fRPATH\fR,
287: \fRHOME\fR,
288: \fRMAIL\fR,
289: \fRSHELL\fR,
290: \fRLOGNAME\fR,
291: \fRUSER\fR,
292: \fRUSERNAME\fR
293: and
294: \fRSUDO_*\fR
295: variables
1.1.1.2 misho 296: in addition to variables from the invoking process permitted by the
1.1.1.3 misho 297: \fIenv_check\fR
298: and
299: \fIenv_keep\fR
300: options.
301: This is effectively a whitelist
1.1 misho 302: for environment variables.
303: .PP
1.1.1.3 misho 304: If, however, the
305: \fIenv_reset\fR
306: option is disabled, any variables not
307: explicitly denied by the
308: \fIenv_check\fR
309: and
310: \fIenv_delete\fR
311: options are
312: inherited from the invoking process.
313: In this case,
314: \fIenv_check\fR
315: and
316: \fIenv_delete\fR
317: behave like a blacklist.
318: Since it is not possible
1.1 misho 319: to blacklist all potentially dangerous environment variables, use
1.1.1.3 misho 320: of the default
321: \fIenv_reset\fR
322: behavior is encouraged.
1.1 misho 323: .PP
324: In all cases, environment variables with a value beginning with
1.1.1.3 misho 325: \fR()\fR
326: are removed as they could be interpreted as
327: \fBbash\fR
328: functions.
329: The list of environment variables that
330: \fBsudo\fR
331: allows or denies is
332: contained in the output of
333: ``\fRsudo -V\fR''
334: when run as root.
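The whitelist (env_reset on), blacklist (env_reset off) and "()" rules described above, collected into one function as an added example; this is not sudo's own code. It assumes env_check's test is "drop the variable if its value contains % or /" (the rule sudo applies), and for simplicity copies the base variables from the invoking environment, whereas real sudo sets several of them (HOME, SHELL, LOGNAME, ...) from the target user's password entry.

```python
import fnmatch

# Variables the manual lists as always present after env_reset; SUDO_* is a glob.
ALWAYS_KEPT = ("TERM", "PATH", "HOME", "MAIL", "SHELL",
               "LOGNAME", "USER", "USERNAME", "SUDO_*")


def _matches(name, patterns):
    """True if the variable name matches any pattern ('*' is a glob, as in SUDO_*)."""
    return any(fnmatch.fnmatchcase(name, p) for p in patterns)


def _passes_check(value):
    """The env_check test: a value containing '%' or '/' fails and the variable is dropped."""
    return "%" not in value and "/" not in value


def build_command_env(invoking_env, env_reset=True, env_keep=(), env_check=(), env_delete=()):
    """Return the environment a command would receive under the given sudoers settings.

    env_keep, env_check and env_delete are sequences of variable names or globs.
    Simplification: base variables are copied from the invoking environment; real
    sudo derives HOME, SHELL, LOGNAME etc. from the target user's password entry.
    """
    # In all cases a value beginning with "()" is removed: bash could import it
    # as a function definition.
    env = {k: v for k, v in invoking_env.items() if not v.startswith("()")}
    result = {}
    if env_reset:
        # Whitelist: only the base set, env_keep, and env_check variables whose
        # value passes the check are carried over.
        for name, value in env.items():
            if _matches(name, ALWAYS_KEPT) or _matches(name, env_keep):
                result[name] = value
            elif _matches(name, env_check) and _passes_check(value):
                result[name] = value
    else:
        # Blacklist: everything is inherited except env_delete variables and
        # env_check variables whose value fails the check.
        for name, value in env.items():
            if _matches(name, env_delete):
                continue
            if _matches(name, env_check) and not _passes_check(value):
                continue
            result[name] = value
    return result


# Constructed sample environment of an invoking user (not captured from a real host).
SAMPLE_ENV = {
    "PATH": "/usr/bin:/bin",
    "TERM": "xterm",
    "HOME": "/home/alice",
    "SUDO_EDITOR": "vi",
    "EDITOR": "vi",
    "LANG": "en_US.UTF-8",
    "TZ": "../../etc/localtime",       # contains '/', so it fails env_check
    "LD_LIBRARY_PATH": "/opt/lib",     # dynamic-linker variable
    "BASH_FUNC_ls%%": "() { :; }",     # exported bash function, always dropped
    "COLORTERM": "truecolor",
}

if __name__ == "__main__":
    print(build_command_env(SAMPLE_ENV, env_keep=("EDITOR",), env_check=("LANG", "TZ")))
    print(build_command_env(SAMPLE_ENV, env_reset=False, env_delete=("LD_*",), env_check=("TZ",)))
```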
1.1 misho 335: .PP
336: Note that the dynamic linker on most operating systems will remove
337: variables that can control dynamic linking from the environment of
1.1.1.3 misho 338: setuid executables, including
339: \fBsudo\fR.
340: Depending on the operating
341: system this may include
342: \fR_RLD*\fR,
343: \fRDYLD_*\fR,
344: \fRLD_*\fR,
345: \fRLDR_*\fR,
346: \fRLIBPATH\fR,
347: \fRSHLIB_PATH\fR,
348: and others.
349: These types of variables are
350: removed from the environment before
351: \fBsudo\fR
352: even begins execution
353: and, as such, it is not possible for
354: \fBsudo\fR
355: to preserve them.
356: .PP
357: As a special case, if
358: \fBsudo\fR's
359: \fB\-i\fR
360: option (initial login) is
361: specified,
362: \fIsudoers\fR
363: will initialize the environment regardless
364: of the value of
365: \fIenv_reset\fR.
366: The
367: \fRDISPLAY\fR,
368: \fRPATH\fR
369: and
370: \fRTERM\fR
371: variables remain unchanged;
372: \fRHOME\fR,
373: \fRMAIL\fR,
374: \fRSHELL\fR,
375: \fRUSER\fR,
376: and
377: \fRLOGNAME\fR
378: are set based on the target user.
379: On AIX (and Linux
380: systems without PAM), the contents of
381: \fI/etc/environment\fR
382: are also
383: included.
384: On BSD systems, if the
385: \fIuse_loginclass\fR
386: option is
387: enabled, the
388: \fIpath\fR
389: and
390: \fIsetenv\fR
391: variables in
392: \fI/etc/login.conf\fR
393: are also applied.
394: All other environment variables are removed.
395: .PP
396: Finally, if the
397: \fIenv_file\fR
398: option is defined, any variables present
1.1.1.2 misho 399: in that file will be set to their specified values as long as they
400: would not conflict with an existing environment variable.
1.1 misho 401: .SH "SUDOERS FILE FORMAT"
1.1.1.3 misho 402: The
403: \fIsudoers\fR
404: file is composed of two types of entries: aliases
1.1 misho 405: (basically variables) and user specifications (which specify who
406: may run what).
407: .PP
408: When multiple entries match for a user, they are applied in order.
409: Where there are multiple matches, the last match is used (which is
410: not necessarily the most specific match).
411: .PP
1.1.1.3 misho 412: The
413: \fIsudoers\fR
414: grammar will be described below in Extended Backus-Naur
415: Form (EBNF).
416: Don't despair if you are unfamiliar with EBNF; it is fairly simple,
417: and the definitions below are annotated.
418: .SS "Quick guide to EBNF"
419: EBNF is a concise and exact way of describing the grammar of a language.
420: Each EBNF definition is made up of
421: \fIproduction rules\fR.
422: E.g.,
423: .PP
424: \fRsymbol ::= definition\fR | \fRalternate1\fR | \fRalternate2 ...\fR
425: .PP
426: Each
427: \fIproduction rule\fR
428: references others and thus makes up a
429: grammar for the language.
430: EBNF also contains the following
1.1 misho 431: operators, which many readers will recognize from regular
1.1.1.3 misho 432: expressions.
433: Do not, however, confuse them with
434: ``wildcard''
1.1 misho 435: characters, which have different meanings.
1.1.1.3 misho 436: .TP 6n
437: \fR\&?\fR
1.1 misho 438: Means that the preceding symbol (or group of symbols) is optional.
439: That is, it may appear once or not at all.
1.1.1.3 misho 440: .TP 6n
441: \fR*\fR
1.1 misho 442: Means that the preceding symbol (or group of symbols) may appear
443: zero or more times.
1.1.1.3 misho 444: .TP 6n
445: \fR+\fR
1.1 misho 446: Means that the preceding symbol (or group of symbols) may appear
447: one or more times.
448: .PP
1.1.1.3 misho 449: Parentheses may be used to group symbols together.
450: For clarity,
451: we will use single quotes
452: ('')
453: to designate what is a verbatim character string (as opposed to a symbol name).
1.1 misho 454: .SS "Aliases"
1.1.1.3 misho 455: There are four kinds of aliases:
456: \fRUser_Alias\fR,
457: \fRRunas_Alias\fR,
458: \fRHost_Alias\fR
459: and
460: \fRCmnd_Alias\fR.
461: .nf
462: .sp
463: .RS 0n
464: Alias ::= 'User_Alias' User_Alias (':' User_Alias)* |
465: 'Runas_Alias' Runas_Alias (':' Runas_Alias)* |
466: 'Host_Alias' Host_Alias (':' Host_Alias)* |
467: 'Cmnd_Alias' Cmnd_Alias (':' Cmnd_Alias)*
468:
469: User_Alias ::= NAME '=' User_List
470:
471: Runas_Alias ::= NAME '=' Runas_List
472:
473: Host_Alias ::= NAME '=' Host_List
474:
475: Cmnd_Alias ::= NAME '=' Cmnd_List
476:
477: NAME ::= [A-Z]([A-Z][0-9]_)*
478: .RE
479: .fi
480: .PP
481: Each
482: \fIalias\fR
483: definition is of the form
484: .nf
485: .sp
486: .RS 0n
487: Alias_Type NAME = item1, item2, ...
488: .RE
489: .fi
490: .PP
491: where
492: \fIAlias_Type\fR
493: is one of
494: \fRUser_Alias\fR,
495: \fRRunas_Alias\fR,
496: \fRHost_Alias\fR,
497: or
498: \fRCmnd_Alias\fR.
499: A
500: \fRNAME\fR
501: is a string of uppercase letters, numbers,
502: and underscore characters
503: (`_').
504: A
505: \fRNAME\fR
506: \fBmust\fR
507: start with an
508: uppercase letter.
509: It is possible to put several alias definitions
510: of the same type on a single line, joined by a colon
511: (`:\&').
512: E.g.,
513: .nf
514: .sp
515: .RS 0n
516: Alias_Type NAME = item1, item2, item3 : NAME = item4, item5
517: .RE
518: .fi
519: .PP
520: The definitions of what constitutes a valid
521: \fIalias\fR
522: member follow.
523: .nf
524: .sp
525: .RS 0n
526: User_List ::= User |
527: User ',' User_List
528:
529: User ::= '!'* user name |
530: '!'* #uid |
531: '!'* %group |
532: '!'* %#gid |
533: '!'* +netgroup |
534: '!'* %:nonunix_group |
535: '!'* %:#nonunix_gid |
536: '!'* User_Alias
537: .RE
538: .fi
539: .PP
540: A
541: \fRUser_List\fR
1.1.1.4 ! misho 542: is made up of one or more user names, user IDs
1.1.1.3 misho 543: (prefixed with
544: `#'),
1.1.1.4 ! misho 545: system group names and IDs (prefixed with
1.1.1.3 misho 546: `%'
547: and
548: `%#'
549: respectively), netgroups (prefixed with
550: `+'),
551: non-Unix group names and IDs (prefixed with
552: `%:'
553: and
554: `%:#'
555: respectively) and
556: \fRUser_Alias\fRes.
557: Each list item may be prefixed with zero or more
558: `\&!'
559: operators.
560: An odd number of
561: `\&!'
562: operators negate the value of
1.1 misho 563: the item; an even number just cancel each other out.
564: .PP
1.1.1.3 misho 565: A
566: \fRuser name\fR,
567: \fRuid\fR,
568: \fRgroup\fR,
569: \fRgid\fR,
570: \fRnetgroup\fR,
571: \fRnonunix_group\fR
572: or
573: \fRnonunix_gid\fR
574: may be enclosed in double quotes to avoid the
575: need for escaping special characters.
576: Alternately, special characters
577: may be specified in escaped hex mode, e.g.\& \ex20 for space.
578: When
1.1 misho 579: using double quotes, any prefix characters must be included inside
580: the quotes.
581: .PP
1.1.1.3 misho 582: The actual
583: \fRnonunix_group\fR
584: and
585: \fRnonunix_gid\fR
586: syntax depends on
1.1.1.4 ! misho 587: the underlying group provider plugin.
1.1.1.3 misho 588: For instance, the QAS AD plugin supports the following formats:
589: .TP 6n
590: \fBo\fR
591: Group in the same domain: "%:Group Name"
592: .TP 6n
593: \fBo\fR
594: Group in any domain: "%:Group Name@FULLY.QUALIFIED.DOMAIN"
595: .TP 6n
596: \fBo\fR
597: Group SID: "%:S-1-2-34-5678901234-5678901234-5678901234-567"
598: .PP
1.1.1.4 ! misho 599: See
! 600: \fIGROUP PROVIDER PLUGINS\fR
! 601: for more information.
! 602: .PP
1.1.1.3 misho 603: Note that quotes around group names are optional.
604: Unquoted strings must use a backslash
605: (`\e')
606: to escape spaces and special characters.
607: See
608: \fIOther special characters and reserved words\fR
609: for a list of
1.1 misho 610: characters that need to be escaped.
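An added example (not part of the sudo sources) that implements the User_List grammar from the preceding paragraphs: the NAME rule for aliases, the prefix forms (#uid, %group, %#gid, +netgroup, %:nonunix_group, %:#nonunix_gid), odd/even "!" negation, double-quoted items with the prefix inside the quotes, and \xHH hex escapes. The kind labels returned (e.g. "uid", "nonunix_group") are this example's own.

```python
import re

NAME_RE = re.compile(r"^[A-Z][A-Z0-9_]*$")        # NAME: uppercase start, then [A-Z0-9_]
HEX_ESCAPE_RE = re.compile(r"\\x([0-9A-Fa-f]{2})")  # \x20 style escapes

# Prefixes from the User production, longest first so "%:#" wins over "%:" and "%".
PREFIXES = (("%:#", "nonunix_gid"), ("%:", "nonunix_group"), ("%#", "gid"),
            ("%", "group"), ("#", "uid"), ("+", "netgroup"))


def is_alias_name(token):
    """True if token is a valid alias NAME (must start with an uppercase letter)."""
    return NAME_RE.match(token) is not None


def _unescape(text):
    """Expand \\xHH hex escapes, then backslash-escaped characters such as '\\ '."""
    text = HEX_ESCAPE_RE.sub(lambda m: chr(int(m.group(1), 16)), text)
    return re.sub(r"\\(.)", r"\1", text)


def split_list(text):
    """Split a comma-separated list, ignoring commas inside double quotes or after a backslash."""
    items, buf, quoted = [], "", False
    i = 0
    while i < len(text):
        c = text[i]
        if c == "\\" and i + 1 < len(text):   # keep escape pairs intact for _unescape
            buf += text[i:i + 2]
            i += 2
            continue
        if c == '"':
            quoted = not quoted
        elif c == "," and not quoted:
            items.append(buf.strip())
            buf = ""
            i += 1
            continue
        buf += c
        i += 1
    if buf.strip():
        items.append(buf.strip())
    return items


def parse_user_member(token):
    """Classify one User_List item as (negated, kind, value).

    An odd number of leading '!' negates the item; an even number cancels out.
    When the item is double-quoted, any prefix must sit inside the quotes.
    """
    bangs = len(token) - len(token.lstrip("!"))
    body = token[bangs:]
    negated = bangs % 2 == 1
    if len(body) >= 2 and body[0] == '"' and body[-1] == '"':
        body = body[1:-1]
    for prefix, kind in PREFIXES:
        if body.startswith(prefix):
            return negated, kind, _unescape(body[len(prefix):])
    if is_alias_name(body):
        return negated, "User_Alias", body
    return negated, "user name", _unescape(body)


def parse_user_list(text):
    """Parse a whole User_List into a list of (negated, kind, value) tuples."""
    return [parse_user_member(item) for item in split_list(text)]


if __name__ == "__main__":
    # Constructed sample list, not taken from a real sudoers file.
    for member in parse_user_list('alice, !#0, %wheel, !!%#10, +admins, "%:Domain Admins"'):
        print(member)
```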
1.1.1.3 misho 611: .nf
612: .sp
613: .RS 0n
614: Runas_List ::= Runas_Member |
615: Runas_Member ',' Runas_List
616:
617: Runas_Member ::= '!'* user name |
618: '!'* #uid |
619: '!'* %group |
620: '!'* %#gid |
621: '!'* %:nonunix_group |
622: '!'* %:#nonunix_gid |
623: '!'* +netgroup |
624: '!'* Runas_Alias
625: .RE
626: .fi
1.1 misho 627: .PP
1.1.1.3 misho 628: A
629: \fRRunas_List\fR
630: is similar to a
631: \fRUser_List\fR
632: except that instead
633: of
634: \fRUser_Alias\fRes
635: it can contain
636: \fRRunas_Alias\fRes.
637: Note that
638: user names and groups are matched as strings.
639: In other words, two
1.1 misho 640: users (groups) with the same uid (gid) are considered to be distinct.
1.1.1.3 misho 641: If you wish to match all user names with the same uid (e.g.\&
642: root and toor), you can use a uid instead (#0 in the example given).
643: .nf
644: .sp
645: .RS 0n
646: Host_List ::= Host |
647: Host ',' Host_List
648:
649: Host ::= '!'* host name |
650: '!'* ip_addr |
651: '!'* network(/netmask)? |
652: '!'* +netgroup |
653: '!'* Host_Alias
654: .RE
655: .fi
1.1 misho 656: .PP
1.1.1.3 misho 657: A
658: \fRHost_List\fR
659: is made up of one or more host names, IP addresses,
660: network numbers, netgroups (prefixed with
661: `+')
662: and other aliases.
663: Again, the value of an item may be negated with the
664: `\&!'
665: operator.
1.1 misho 666: If you do not specify a netmask along with the network number,
1.1.1.3 misho 667: \fBsudo\fR
668: will query each of the local host's network interfaces and,
1.1 misho 669: if the network number corresponds to one of the host's network
1.1.1.3 misho 670: interfaces, the corresponding netmask will be used.
671: The netmask
672: may be specified either in standard IP address notation
673: (e.g.\& 255.255.255.0 or ffff:ffff:ffff:ffff::),
674: or CIDR notation (number of bits, e.g.\& 24 or 64).
675: A host name may include shell-style wildcards (see the
676: \fIWildcards\fR
677: section below),
678: but unless the
679: \fRhostname\fR
680: command on your machine returns the fully
681: qualified host name, you'll need to use the
682: \fIfqdn\fR
683: option for wildcards to be useful.
684: Note that
685: \fBsudo\fR
686: only inspects actual network interfaces; this means that IP address
687: 127.0.0.1 (localhost) will never match.
688: Also, the host name
689: ``localhost''
690: will only match if that is the actual host name, which is usually
691: only the case for non-networked systems.
692: .nf
693: .sp
694: .RS 0n
1.1.1.4 ! misho 695: digest ::= [A-Fa-f0-9]+ |
! 696: [A-Za-z0-9\+/=]+
! 697:
! 698: Digest_Spec ::= "sha224" ':' digest |
! 699: "sha256" ':' digest |
! 700: "sha384" ':' digest |
! 701: "sha512" ':' digest
! 702:
1.1.1.3 misho 703: Cmnd_List ::= Cmnd |
704: Cmnd ',' Cmnd_List
705:
706: command name ::= file name |
707: file name args |
708: file name '""'
709:
1.1.1.4 ! misho 710: Cmnd ::= Digest_Spec? '!'* command name |
1.1.1.3 misho 711: '!'* directory |
712: '!'* "sudoedit" |
713: '!'* Cmnd_Alias
714: .RE
715: .fi
716: .PP
717: A
718: \fRCmnd_List\fR
719: is a list of one or more command names, directories, and other aliases.
720: A command name is a fully qualified file name which may include
721: shell-style wildcards (see the
722: \fIWildcards\fR
723: section below).
724: A simple file name allows the user to run the command with any
725: arguments he/she wishes.
726: However, you may also specify command line arguments (including
727: wildcards).
728: Alternately, you can specify
729: \fR\&""\fR
730: to indicate that the command
731: may only be run
732: \fBwithout\fR
733: command line arguments.
734: A directory is a
735: fully qualified path name ending in a
736: `/'.
737: When you specify a directory in a
738: \fRCmnd_List\fR,
739: the user will be able to run any file within that directory
740: (but not in any sub-directories therein).
741: .PP
742: If a
743: \fRCmnd\fR
744: has associated command line arguments, then the arguments
745: in the
746: \fRCmnd\fR
747: must match exactly those given by the user on the command line
748: (or match the wildcards if there are any).
749: Note that the following characters must be escaped with a
750: `\e'
751: if they are used in command arguments:
752: `,\&',
753: `:\&',
754: `=\&',
755: `\e'.
1.1.1.4 ! misho 756: The built-in command
1.1.1.3 misho 757: ``\fRsudoedit\fR''
758: is used to permit a user to run
759: \fBsudo\fR
760: with the
761: \fB\-e\fR
762: option (or as
763: \fBsudoedit\fR).
764: It may take command line arguments just as a normal command does.
1.1.1.4 ! misho 765: Note that
! 766: ``\fRsudoedit\fR''
! 767: is a command built into
! 768: \fBsudo\fR
! 769: itself and must be specified in
! 770: \fIsudoers\fR
! 771: without a leading path.
! 772: .PP
! 773: If a
! 774: \fRcommand name\fR
! 775: is prefixed with a
! 776: \fRDigest_Spec\fR,
! 777: the command will only match successfully if it can be verified
! 778: using the specified SHA-2 digest.
! 779: This may be useful in situations where the user invoking
! 780: \fBsudo\fR
! 781: has write access to the command or its parent directory.
! 782: The following digest formats are supported: sha224, sha256, sha384 and sha512.
! 783: The string may be specified in either hex or base64 format
! 784: (base64 is more compact).
! 785: There are several utilities capable of generating SHA-2 digests in hex
! 786: format such as openssl, shasum, sha224sum, sha256sum, sha384sum, sha512sum.
! 787: .PP
! 788: For example, using openssl:
! 789: .nf
! 790: .sp
! 791: .RS 0n
! 792: $ openssl dgst -sha224 /bin/ls
! 793: SHA224(/bin/ls)= 118187da8364d490b4a7debbf483004e8f3e053ec954309de2c41a25
! 794: .RE
! 795: .fi
! 796: .PP
! 797: It is also possible to use openssl to generate base64 output:
! 798: .nf
! 799: .sp
! 800: .RS 0n
! 801: $ openssl dgst -binary -sha224 /bin/ls | openssl base64
! 802: EYGH2oNk1JC0p9679IMATo8+BT7JVDCd4sQaJQ==
! 803: .RE
! 804: .fi
! 805: .PP
! 806: Command digests are only supported by version 1.8.7 or higher.
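An added example (not sudo's own matching code) that parses a Digest_Spec in either hex or base64 form, verifies a file against it the way a digest-prefixed command name is matched, and produces the spec string an administrator would write. The demo() helper is constructed for this example; it also checks that the two openssl outputs shown above encode the same digest.

```python
import base64
import hashlib
import hmac
import os
import re
import tempfile

# digest ::= [A-Fa-f0-9]+ | [A-Za-z0-9+/=]+   (hex or base64)
HEX_RE = re.compile(r"^[A-Fa-f0-9]+$")
B64_RE = re.compile(r"^[A-Za-z0-9+/=]+$")
DIGEST_BYTES = {"sha224": 28, "sha256": 32, "sha384": 48, "sha512": 64}


def parse_digest_spec(spec):
    """Parse 'sha256:<digest>' into (algorithm, raw digest bytes).

    A hex string of exactly the digest length is taken as hex (hex is a subset
    of the base64 alphabet); anything else in the base64 alphabet is decoded
    as base64. Raises ValueError for unsupported algorithms or bad digests.
    """
    algo, sep, digest = spec.partition(":")
    if not sep or algo not in DIGEST_BYTES:
        raise ValueError("unsupported Digest_Spec: %r" % spec)
    if HEX_RE.match(digest) and len(digest) == DIGEST_BYTES[algo] * 2:
        raw = bytes.fromhex(digest)
    elif B64_RE.match(digest):
        raw = base64.b64decode(digest, validate=True)
    else:
        raise ValueError("malformed digest: %r" % digest)
    if len(raw) != DIGEST_BYTES[algo]:
        raise ValueError("digest length does not match %s" % algo)
    return algo, raw


def file_digest(path, algo):
    """SHA-2 digest of a file's contents, read in chunks."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.digest()


def make_digest_spec(path, algo="sha256", encoding="hex"):
    """Build the Digest_Spec string to place in front of a command name in sudoers."""
    raw = file_digest(path, algo)
    digest = raw.hex() if encoding == "hex" else base64.b64encode(raw).decode("ascii")
    return "%s:%s" % (algo, digest)


def command_matches(spec, path):
    """True only if the file at path verifies against the Digest_Spec (constant-time compare)."""
    algo, expected = parse_digest_spec(spec)
    return hmac.compare_digest(file_digest(path, algo), expected)


def demo():
    """Write a constructed 'command' to a temp file, build specs for it, then modify the file."""
    fd, path = tempfile.mkstemp()
    try:
        with os.fdopen(fd, "wb") as f:
            f.write(b"#!/bin/sh\necho hello\n")
        hex_spec = make_digest_spec(path, "sha224", "hex")
        b64_spec = make_digest_spec(path, "sha224", "base64")
        before = (command_matches(hex_spec, path), command_matches(b64_spec, path))
        with open(path, "ab") as f:   # the file the rule pointed at has changed
            f.write(b"echo extra\n")
        after = command_matches(hex_spec, path)
    finally:
        os.unlink(path)
    return before + (after,)


if __name__ == "__main__":
    print(demo())
```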
1.1 misho 807: .SS "Defaults"
808: Certain configuration options may be changed from their default
1.1.1.3 misho 809: values at run-time via one or more
810: \fRDefault_Entry\fR
811: lines.
812: These may affect all users on any host, all users on a specific host, a
1.1 misho 813: specific user, a specific command, or commands being run as a specific user.
814: Note that per-command entries may not include command line arguments.
1.1.1.3 misho 815: If you need to specify arguments, define a
816: \fRCmnd_Alias\fR
817: and reference
1.1 misho 818: that instead.
1.1.1.3 misho 819: .nf
820: .sp
821: .RS 0n
822: Default_Type ::= 'Defaults' |
823: 'Defaults' '@' Host_List |
824: 'Defaults' ':' User_List |
825: 'Defaults' '!' Cmnd_List |
826: 'Defaults' '>' Runas_List
827:
828: Default_Entry ::= Default_Type Parameter_List
829:
830: Parameter_List ::= Parameter |
831: Parameter ',' Parameter_List
832:
833: Parameter ::= Parameter '=' Value |
834: Parameter '+=' Value |
835: Parameter '-=' Value |
836: '!'* Parameter
837: .RE
838: .fi
1.1 misho 839: .PP
1.1.1.3 misho 840: Parameters may be
841: \fBflags\fR,
842: \fBinteger\fR
843: values,
844: \fBstrings\fR,
845: or
846: \fBlists\fR.
847: Flags are implicitly boolean and can be turned off via the
848: `\&!'
849: operator.
850: Some integer, string and list parameters may also be
851: used in a boolean context to disable them.
852: Values may be enclosed
853: in double quotes
854: (\&"")
855: when they contain multiple words.
856: Special characters may be escaped with a backslash
857: (`\e').
858: .PP
859: Lists have two additional assignment operators,
860: \fR+=\fR
861: and
862: \fR-=\fR.
1.1 misho 863: These operators are used to add to and delete from a list respectively.
1.1.1.3 misho 864: It is not an error to use the
865: \fR-=\fR
866: operator to remove an element
1.1 misho 867: that does not exist in a list.
868: .PP
869: Defaults entries are parsed in the following order: generic, host
870: and user Defaults first, then runas Defaults and finally command
871: defaults.
872: .PP
1.1.1.3 misho 873: See
874: \fISUDOERS OPTIONS\fR
875: for a list of supported Defaults parameters.
876: .SS "User specification"
877: .nf
878: .RS 0n
879: User_Spec ::= User_List Host_List '=' Cmnd_Spec_List \e
880: (':' Host_List '=' Cmnd_Spec_List)*
881:
882: Cmnd_Spec_List ::= Cmnd_Spec |
883: Cmnd_Spec ',' Cmnd_Spec_List
884:
885: Cmnd_Spec ::= Runas_Spec? SELinux_Spec? Solaris_Priv_Spec? Tag_Spec* Cmnd
886:
887: Runas_Spec ::= '(' Runas_List? (':' Runas_List)? ')'
888:
889: SELinux_Spec ::= ('ROLE=role' | 'TYPE=type')
890:
891: Solaris_Priv_Spec ::= ('PRIVS=privset' | 'LIMITPRIVS=privset')
892:
893: Tag_Spec ::= ('NOPASSWD:' | 'PASSWD:' | 'NOEXEC:' | 'EXEC:' |
894: 'SETENV:' | 'NOSETENV:' | 'LOG_INPUT:' | 'NOLOG_INPUT:' |
895: 'LOG_OUTPUT:' | 'NOLOG_OUTPUT:')
896: .RE
897: .fi
1.1 misho 898: .PP
1.1.1.3 misho 899: A
900: \fBuser specification\fR
901: determines which commands a user may run
902: (and as what user) on specified hosts.
903: By default, commands are
904: run as
905: \fBroot\fR,
906: but this can be changed on a per-command basis.
907: .PP
908: The basic structure of a user specification is
909: ``who where = (as_whom) what''.
910: Let's break that down into its constituent parts:
1.1 misho 911: .SS "Runas_Spec"
1.1.1.3 misho 912: A
913: \fRRunas_Spec\fR
914: determines the user and/or the group that a command
915: may be run as.
916: A fully-specified
917: \fRRunas_Spec\fR
918: consists of two
919: \fRRunas_List\fRs
920: (as defined above) separated by a colon
921: (`:\&')
922: and enclosed in a set of parentheses.
923: The first
924: \fRRunas_List\fR
925: indicates
926: which users the command may be run as via
927: \fBsudo\fR's
928: \fB\-u\fR
929: option.
1.1 misho 930: The second defines a list of groups that can be specified via
1.1.1.3 misho 931: \fBsudo\fR's
932: \fB\-g\fR
933: option.
934: If both
935: \fRRunas_List\fRs
936: are specified, the command may be run with any combination of users
937: and groups listed in their respective
938: \fRRunas_List\fRs.
939: If only the first is specified, the command may be run as any user
940: in the list but no
941: \fB\-g\fR
942: option
943: may be specified.
944: If the first
945: \fRRunas_List\fR
946: is empty but the
1.1 misho 947: second is specified, the command may be run as the invoking user
1.1.1.3 misho 948: with the group set to any listed in the
949: \fRRunas_List\fR.
950: If both
951: \fRRunas_List\fRs
952: are empty, the command may only be run as the invoking user.
953: If no
954: \fRRunas_Spec\fR
955: is specified the command may be run as
956: \fBroot\fR
957: and
1.1 misho 958: no group may be specified.
959: .PP
1.1.1.3 misho 960: A
961: \fRRunas_Spec\fR
962: sets the default for the commands that follow it.
1.1 misho 963: What this means is that for the entry:
1.1.1.3 misho 964: .nf
965: .sp
966: .RS 0n
967: dgb boulder = (operator) /bin/ls, /bin/kill, /usr/bin/lprm
968: .RE
969: .fi
1.1 misho 970: .PP
1.1.1.3 misho 971: The user
972: \fBdgb\fR
973: may run
974: \fI/bin/ls\fR,
975: \fI/bin/kill\fR,
976: and
977: \fI/usr/bin/lprm\fR\(embut
978: only as
979: \fBoperator\fR.
980: E.g.,
981: .nf
982: .sp
983: .RS 0n
984: $ sudo -u operator /bin/ls
985: .RE
986: .fi
1.1 misho 987: .PP
1.1.1.3 misho 988: It is also possible to override a
989: \fRRunas_Spec\fR
990: later on in an entry.
991: If we modify the entry like so:
992: .nf
993: .sp
994: .RS 0n
995: dgb boulder = (operator) /bin/ls, (root) /bin/kill, /usr/bin/lprm
996: .RE
997: .fi
1.1 misho 998: .PP
1.1.1.3 misho 999: Then user
1000: \fBdgb\fR
1001: is now allowed to run
1002: \fI/bin/ls\fR
1003: as
1004: \fBoperator\fR,
1005: but
1006: \fI/bin/kill\fR
1007: and
1008: \fI/usr/bin/lprm\fR
1009: as
1010: \fBroot\fR.
1011: .PP
1012: We can extend this to allow
1013: \fBdgb\fR
1014: to run
1015: \fR/bin/ls\fR
1016: with either
1017: the user or group set to
1018: \fBoperator\fR:
1019: .nf
1020: .sp
1021: .RS 0n
1022: dgb boulder = (operator : operator) /bin/ls, (root) /bin/kill,\e
1023: /usr/bin/lprm
1024: .RE
1025: .fi
1.1 misho 1026: .PP
1.1.1.3 misho 1027: Note that while the group portion of the
1028: \fRRunas_Spec\fR
1029: permits the
1.1 misho 1030: user to run a command with that group, it does not force the user
1.1.1.3 misho 1031: to do so.
1032: If no group is specified on the command line, the command
1.1 misho 1033: will run with the group listed in the target user's password database
1.1.1.3 misho 1034: entry.
1035: The following would all be permitted by the sudoers entry above:
1036: .nf
1037: .sp
1038: .RS 0n
1039: $ sudo -u operator /bin/ls
1040: $ sudo -u operator -g operator /bin/ls
1041: $ sudo -g operator /bin/ls
1042: .RE
1043: .fi
1.1 misho 1044: .PP
1.1.1.3 misho 1045: In the following example, user
1046: \fBtcm\fR
1047: may run commands that access
1.1 misho 1048: a modem device file with the dialer group.
1.1.1.3 misho 1049: .nf
1050: .sp
1051: .RS 0n
1052: tcm boulder = (:dialer) /usr/bin/tip, /usr/bin/cu,\e
1053: /usr/local/bin/minicom
1054: .RE
1055: .fi
1.1 misho 1056: .PP
1057: Note that in this example only the group will be set, the command
1.1.1.3 misho 1058: still runs as user
1059: \fBtcm\fR.
1060: E.g.\&
1061: .nf
1062: .sp
1063: .RS 0n
1064: $ sudo -g dialer /usr/bin/cu
1065: .RE
1066: .fi
1.1 misho 1067: .PP
1.1.1.3 misho 1068: Multiple users and groups may be present in a
1069: \fRRunas_Spec\fR,
1070: in which case the user may select any combination of users and groups via the
1071: \fB\-u\fR
1072: and
1073: \fB\-g\fR
1074: options.
1075: In this example:
1076: .nf
1077: .sp
1078: .RS 0n
1079: alan ALL = (root, bin : operator, system) ALL
1080: .RE
1081: .fi
1.1 misho 1082: .PP
1.1.1.3 misho 1083: user
1084: \fBalan\fR
1085: may run any command as either user root or bin,
1.1 misho 1086: optionally setting the group to operator or system.
1087: .SS "SELinux_Spec"
1.1.1.3 misho 1088: On systems with SELinux support,
1089: \fIsudoers\fR
1090: entries may optionally have an SELinux role and/or type associated
1091: with a command.
1092: If a role or
1.1 misho 1093: type is specified with the command it will override any default values
1.1.1.3 misho 1094: specified in
1095: \fIsudoers\fR.
1096: A role or type specified on the command line,
1097: however, will supersede the values in
1098: \fIsudoers\fR.
1099: .SS "Solaris_Priv_Spec"
1100: On Solaris systems,
1101: \fIsudoers\fR
1102: entries may optionally specify Solaris privilege set and/or limit
1103: privilege set associated with a command.
1104: If privileges or limit privileges are specified with the command
1105: it will override any default values specified in
1106: \fIsudoers\fR.
1107: .PP
1108: A privilege set is a comma-separated list of privilege names.
1109: The
1110: ppriv(1)
1111: command can be used to list all privileges known to the system.
1112: For example:
1113: .nf
1114: .sp
1115: .RS 0n
1116: $ ppriv -l
1117: .RE
1118: .fi
1119: .PP
1120: In addition, there are several
1121: ``special''
1122: privilege strings:
1123: .TP 10n
1124: none
1125: the empty set
1126: .TP 10n
1127: all
1128: the set of all privileges
1129: .TP 10n
1130: zone
1131: the set of all privileges available in the current zone
1132: .TP 10n
1133: basic
1134: the default set of privileges normal users are granted at login time
1135: .PP
1136: Privileges can be excluded from a set by prefixing the privilege
1137: name with either an
1138: `\&!'
1139: or
1140: `\-'
1141: character.
1.1 misho 1142: .SS "Tag_Spec"
1.1.1.3 misho 1143: A command may have zero or more tags associated with it.
1144: There are
1145: ten possible tag values:
1146: \fRNOPASSWD\fR,
1147: \fRPASSWD\fR,
1148: \fRNOEXEC\fR,
1149: \fREXEC\fR,
1150: \fRSETENV\fR,
1151: \fRNOSETENV\fR,
1152: \fRLOG_INPUT\fR,
1153: \fRNOLOG_INPUT\fR,
1154: \fRLOG_OUTPUT\fR
1155: and
1156: \fRNOLOG_OUTPUT\fR.
1157: Once a tag is set on a
1158: \fRCmnd\fR,
1159: subsequent
1160: \fRCmnd\fRs
1161: in the
1162: \fRCmnd_Spec_List\fR,
1163: inherit the tag unless it is overridden by the opposite tag (in other words,
1164: \fRPASSWD\fR
1165: overrides
1166: \fRNOPASSWD\fR
1167: and
1168: \fRNOEXEC\fR
1169: overrides
1170: \fREXEC\fR).
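The carry-forward rule above (and the Runas_Spec inheritance shown earlier), worked through in code.
This is an added example, not sudo's own parser: it models one user specification line at a time, assumes root as the run-as user when no Runas_Spec is present, and also applies the implied SETENV for ALL described under SETENV and NOSETENV.

```python
"""Model of how tags and a Runas_Spec carry forward in a sudoers Cmnd_Spec_List.

Added example, not sudo's parser: it handles just enough of the grammar (one
user, one host, a comma-separated command list with optional Runas_Spec and
tags) to show which tags and run-as target each command ends up with.
"""

# Every tag and the tag that cancels it for the commands that follow.
OPPOSITE = {
    "NOPASSWD": "PASSWD", "PASSWD": "NOPASSWD",
    "NOEXEC": "EXEC", "EXEC": "NOEXEC",
    "SETENV": "NOSETENV", "NOSETENV": "SETENV",
    "LOG_INPUT": "NOLOG_INPUT", "NOLOG_INPUT": "LOG_INPUT",
    "LOG_OUTPUT": "NOLOG_OUTPUT", "NOLOG_OUTPUT": "LOG_OUTPUT",
}


def split_cmnd_specs(text):
    """Split a Cmnd_Spec_List on commas, ignoring commas that are escaped
    with a backslash or that sit inside a (user : group) Runas_Spec."""
    items, cur, depth, i = [], [], 0, 0
    while i < len(text):
        c = text[i]
        if c == "\\" and i + 1 < len(text):
            cur.append(text[i + 1])          # '\,' is a literal comma in a word
            i += 2
            continue
        depth += (c == "(") - (c == ")")
        if c == "," and depth == 0:
            items.append("".join(cur))
            cur = []
        else:
            cur.append(c)
        i += 1
    items.append("".join(cur))
    return [item.strip() for item in items]


def parse_cmnd_spec_list(text):
    """Return {command: (runas, frozenset(tags))} with inherited values resolved."""
    runas = "root"              # assumed default when no Runas_Spec is given
    tags = set()
    result = {}
    for item in split_cmnd_specs(text):
        if item.startswith("("):                  # a new Runas_Spec replaces the old one
            close = item.index(")")
            runas = " ".join(item[1:close].split())
            item = item[close + 1:].strip()
        while True:                               # any number of TAG: prefixes
            head, sep, rest = item.partition(":")
            tag = head.strip()
            if not sep or tag not in OPPOSITE:
                break
            tags.discard(OPPOSITE[tag])           # the opposite tag cancels it
            tags.add(tag)
            item = rest.strip()
        cmnd_tags = set(tags)
        # A command of ALL implies SETENV unless NOSETENV was given explicitly.
        if item == "ALL" and "NOSETENV" not in cmnd_tags:
            cmnd_tags.add("SETENV")
        result[item] = (runas, frozenset(cmnd_tags))
    return result


def parse_user_spec(line):
    """Parse 'User Host = Cmnd_Spec_List' into (user, host, {command: (runas, tags)})."""
    lhs, _, rhs = line.partition("=")
    user, host = lhs.split()
    return user, host, parse_cmnd_spec_list(rhs)


def tags_for(line, cmnd):
    """Tags in effect for cmnd in the given user specification (None if absent)."""
    entry = parse_user_spec(line)[2].get(cmnd)
    return entry[1] if entry else None


def runas_for(line, cmnd):
    """Run-as target in effect for cmnd in the given user specification."""
    entry = parse_user_spec(line)[2].get(cmnd)
    return entry[0] if entry else None


if __name__ == "__main__":
    for line in (
        "ray rushmore = NOPASSWD: /bin/kill, PASSWD: /bin/ls, /usr/bin/lprm",
        "dgb boulder = (operator : operator) /bin/ls, (root) /bin/kill, /usr/bin/lprm",
        "alan ALL = (root, bin : operator, system) ALL",
    ):
        user, host, cmnds = parse_user_spec(line)
        for cmnd, (runas, tags) in cmnds.items():
            print(f"{user}@{host}: {cmnd:16} runas=({runas}) tags={sorted(tags) or '-'}")
```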
1.1.1.4 ! misho 1171: .TP 2n
! 1172: \fINOPASSWD\fR and \fIPASSWD\fR
! 1173: .sp
1.1.1.3 misho 1174: By default,
1175: \fBsudo\fR
1176: requires that a user authenticate himself or herself
1177: before running a command.
1178: This behavior can be modified via the
1179: \fRNOPASSWD\fR
1180: tag.
1181: Like a
1182: \fRRunas_Spec\fR,
1183: the
1184: \fRNOPASSWD\fR
1185: tag sets
1186: a default for the commands that follow it in the
1187: \fRCmnd_Spec_List\fR.
1188: Conversely, the
1189: \fRPASSWD\fR
1190: tag can be used to reverse things.
1.1 misho 1191: For example:
1.1.1.4 ! misho 1192: .RS
1.1.1.3 misho 1193: .nf
1194: .sp
1195: .RS 0n
1196: ray rushmore = NOPASSWD: /bin/kill, /bin/ls, /usr/bin/lprm
1197: .RE
1198: .fi
1.1.1.4 ! misho 1199: .sp
1.1.1.3 misho 1200: would allow the user
1201: \fBray\fR
1202: to run
1203: \fI/bin/kill\fR,
1204: \fI/bin/ls\fR,
1205: and
1206: \fI/usr/bin/lprm\fR
1207: as
1208: \fBroot\fR
1209: on the machine rushmore without authenticating himself.
1210: If we only want
1211: \fBray\fR
1212: to be able to
1213: run
1214: \fI/bin/kill\fR
1215: without a password, the entry would be:
1216: .nf
1217: .sp
1218: .RS 0n
1219: ray rushmore = NOPASSWD: /bin/kill, PASSWD: /bin/ls, /usr/bin/lprm
1220: .RE
1221: .fi
1.1.1.4 ! misho 1222: .sp
1.1.1.3 misho 1223: Note, however, that the
1224: \fRPASSWD\fR
1225: tag has no effect on users who are in the group specified by the
1226: \fIexempt_group\fR
1227: option.
1.1.1.4 ! misho 1228: .sp
1.1.1.3 misho 1229: By default, if the
1230: \fRNOPASSWD\fR
1231: tag is applied to any of the entries for a user on the current host,
1232: he or she will be able to run
1233: ``\fRsudo -l\fR''
1234: without a password.
1235: Additionally, a user may only run
1236: ``\fRsudo -v\fR''
1237: without a password if the
1238: \fRNOPASSWD\fR
1239: tag is present for all of a user's entries that pertain to the current host.
1240: This behavior may be overridden via the
1241: \fIverifypw\fR
1242: and
1243: \fIlistpw\fR
1244: options.
1245: .PP
1.1.1.4 ! misho 1246: .RE
! 1247: .PD 0
! 1248: .TP 2n
! 1249: \fINOEXEC\fR and \fIEXEC\fR
! 1250: .sp
1.1.1.3 misho 1251: If
1252: \fBsudo\fR
1253: has been compiled with
1254: \fInoexec\fR
1255: support and the underlying operating system supports it, the
1256: \fRNOEXEC\fR
1257: tag can be used to prevent a dynamically-linked executable from
1258: running further commands itself.
1.1.1.4 ! misho 1259: .sp
1.1.1.3 misho 1260: In the following example, user
1261: \fBaaron\fR
1262: may run
1263: \fI/usr/bin/more\fR
1264: and
1265: \fI/usr/bin/vi\fR
1266: but shell escapes will be disabled.
1.1.1.4 ! misho 1267: .RS
1.1.1.3 misho 1268: .nf
1269: .sp
1270: .RS 0n
1271: aaron shanty = NOEXEC: /usr/bin/more, /usr/bin/vi
1272: .RE
1273: .fi
1.1.1.4 ! misho 1274: .sp
1.1.1.3 misho 1275: See the
1276: \fIPreventing shell escapes\fR
1277: section below for more details on how
1278: \fRNOEXEC\fR
1279: works and whether or not it will work on your system.
1.1.1.4 ! misho 1280: .PD
1.1.1.3 misho 1281: .PP
1.1.1.4 ! misho 1282: .RE
! 1283: .PD 0
! 1284: .TP 2n
! 1285: \fISETENV\fR and \fINOSETENV\fR
! 1286: .sp
1.1.1.3 misho 1287: These tags override the value of the
1288: \fIsetenv\fR
1289: option on a per-command basis.
1290: Note that if
1291: \fRSETENV\fR
1292: has been set for a command, the user may disable the
1293: \fIenv_reset\fR
1294: option from the command line via the
1295: \fB\-E\fR
1296: option.
1297: Additionally, environment variables set on the command
1298: line are not subject to the restrictions imposed by
1299: \fIenv_check\fR,
1300: \fIenv_delete\fR,
1301: or
1302: \fIenv_keep\fR.
1303: As such, only trusted users should be allowed to set variables in this manner.
1304: If the command matched is
1305: \fBALL\fR,
1306: the
1307: \fRSETENV\fR
1308: tag is implied for that command; this default may be overridden by use of the
1309: \fRNOSETENV\fR
1310: tag.
1.1.1.4 ! misho 1311: .PD
! 1312: .TP 2n
! 1313: \fILOG_INPUT\fR and \fINOLOG_INPUT\fR
! 1314: .sp
1.1.1.3 misho 1315: These tags override the value of the
1316: \fIlog_input\fR
1317: option on a per-command basis.
1318: For more information, see the description of
1319: \fIlog_input\fR
1320: in the
1321: \fISUDOERS OPTIONS\fR
1322: section below.
1.1.1.4 ! misho 1323: .TP 2n
! 1324: \fILOG_OUTPUT\fR and \fINOLOG_OUTPUT\fR
! 1325: .sp
1.1.1.3 misho 1326: These tags override the value of the
1327: \fIlog_output\fR
1328: option on a per-command basis.
1329: For more information, see the description of
1330: \fIlog_output\fR
1331: in the
1332: \fISUDOERS OPTIONS\fR
1333: section below.
1.1 misho 1334: .SS "Wildcards"
1.1.1.3 misho 1335: \fBsudo\fR
1336: allows shell-style
1337: \fIwildcards\fR
1338: (aka meta or glob characters)
1339: to be used in host names, path names and command line arguments in the
1340: \fIsudoers\fR
1341: file.
1342: Wildcard matching is done via the
1343: glob(3)
1344: and
1345: fnmatch(3)
1.1.1.4 ! misho 1346: functions as specified by
! 1347: IEEE Std 1003.1 (\(lqPOSIX.1\(rq).
1.1.1.3 misho 1348: Note that these are
1349: \fInot\fR
1.1 misho 1350: regular expressions.
1.1.1.3 misho 1351: .TP 10n
1352: \fR*\fR
1.1 misho 1353: Matches any set of zero or more characters.
1.1.1.3 misho 1354: .TP 10n
1355: \fR\&?\fR
1.1 misho 1356: Matches any single character.
1.1.1.3 misho 1357: .TP 10n
1358: \fR[...]\fR
1.1 misho 1359: Matches any character in the specified range.
1.1.1.3 misho 1360: .TP 10n
1361: \fR[!...]\fR
1362: Matches any character
1363: \fBnot\fR
1364: in the specified range.
1365: .TP 10n
1366: \fR\ex\fR
1367: For any character
1368: `x',
1369: evaluates to
1370: `x'.
1371: This is used to escape special characters such as:
1372: `*',
1373: `\&?',
1374: `[\&',
1375: and
1376: `]\&'.
1377: .PP
1.1.1.4 ! misho 1378: Character classes may also be used if your system's
1.1.1.3 misho 1379: glob(3)
1380: and
1381: fnmatch(3)
1382: functions support them.
1383: However, because the
1384: `:\&'
1385: character has special meaning in
1386: \fIsudoers\fR,
1387: it must be
1388: escaped.
1389: For example:
1390: .nf
1391: .sp
1392: .RS 4n
1393: /bin/ls [[\e:alpha\e:]]*
1394: .RE
1395: .fi
1.1 misho 1396: .PP
1397: Would match any file name beginning with a letter.
1398: .PP
1.1.1.3 misho 1399: Note that a forward slash
1400: (`/')
1401: will
1402: \fBnot\fR
1403: be matched by
1404: wildcards used in the path name.
1405: This is to make a path like:
1406: .nf
1407: .sp
1408: .RS 4n
1409: /usr/bin/*
1410: .RE
1411: .fi
1412: .PP
1413: match
1414: \fI/usr/bin/who\fR
1415: but not
1416: \fI/usr/bin/X11/xterm\fR.
1417: .PP
1418: When matching the command line arguments, however, a slash
1419: \fBdoes\fR
1420: get matched by wildcards since command line arguments may contain
1421: arbitrary strings and not just path names.
1422: .PP
1423: Wildcards in command line arguments should be used with care.
1424: Because command line arguments are matched as a single, concatenated
1425: string, a wildcard such as
1426: `\&?'
1427: or
1428: `*'
1429: can match multiple words.
1430: For example, while a sudoers entry like:
1431: .nf
1432: .sp
1433: .RS 4n
1434: %operator ALL = /bin/cat /var/log/messages*
1435: .RE
1436: .fi
1437: .PP
1438: will allow a command like:
1439: .nf
1440: .sp
1441: .RS 4n
1442: $ sudo cat /var/log/messages.1
1443: .RE
1444: .fi
1445: .PP
1446: It will also allow:
1447: .nf
1448: .sp
1449: .RS 4n
1450: $ sudo cat /var/log/messages /etc/shadow
1451: .RE
1452: .fi
1.1 misho 1453: .PP
1.1.1.3 misho 1454: which is probably not what was intended.
1.1 misho 1455: .SS "Exceptions to wildcard rules"
1456: The following exceptions apply to the above rules:
1.1.1.3 misho 1457: .TP 10n
1458: \fR\&""\fR
1459: If the empty string
1460: \fR\&""\fR
1461: is the only command line argument in the
1462: \fIsudoers\fR
1463: entry it means that command is not allowed to be run with
1464: \fBany\fR
1465: arguments.
1466: .TP 10n
1467: sudoedit
1468: Command line arguments to the
1469: \fIsudoedit\fR
1470: built-in command should always be path names, so a forward slash
1471: (`/')
1472: will not be matched by a wildcard.
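The matching rules of the Wildcards section and the exceptions just listed, worked through in code.
This is an added example, not sudo's implementation: a small fnmatch(3)-style matcher that applies those rules (no '/' through a wildcard in a path name, arguments matched as one space-joined string in which '/' is matched, "" meaning no arguments allowed, sudoedit arguments treated as path names).
It assumes the sudoers lexer has already removed the backslash from an escaped colon, so the character-class pattern it sees is [[:alpha:]]*.

```python
"""fnmatch(3)-style matcher that follows the sudoers wildcard rules (added
example, not sudo's code).  pathname=True gives FNM_PATHNAME semantics: '*',
'?' and '[...]' never match a '/'.  sudoers uses that for path names (and for
sudoedit arguments); other arguments are matched as one string where '/' matches.
"""

# POSIX character classes understood inside a bracket expression.
POSIX_CLASSES = {"alpha": str.isalpha, "digit": str.isdigit, "alnum": str.isalnum,
                 "upper": str.isupper, "lower": str.islower, "space": str.isspace}


def _match_bracket(p, i, ch):
    """Match ch against the bracket expression starting at p[i] == '['.
    Returns (matched, index after the closing ']'), or (False, -1) if unterminated."""
    i += 1
    negate = i < len(p) and p[i] == "!"
    if negate:
        i += 1
    found, first = False, True
    while i < len(p) and (p[i] != "]" or first):   # a leading ']' is literal
        first = False
        if p.startswith("[:", i):                   # e.g. [:alpha:]
            end = p.find(":]", i + 2)
            if end == -1:
                return False, -1
            test = POSIX_CLASSES.get(p[i + 2:end])
            found |= bool(test and test(ch))
            i = end + 2
            continue
        lo = p[i]
        if lo == "\\" and i + 1 < len(p):           # escaped member character
            i += 1
            lo = p[i]
        hi = lo
        if i + 2 < len(p) and p[i + 1] == "-" and p[i + 2] != "]":
            hi = p[i + 2]                           # a range such as a-z
            i += 2
        found |= lo <= ch <= hi
        i += 1
    if i >= len(p):
        return False, -1
    return found != negate, i + 1


def _match(p, i, s, j, pathname):
    """Match pattern p[i:] against string s[j:]."""
    while i < len(p):
        c = p[i]
        if c == "*":
            while i < len(p) and p[i] == "*":       # '**' behaves like '*'
                i += 1
            for k in range(j, len(s) + 1):          # let '*' absorb s[j:k]
                if _match(p, i, s, k, pathname):
                    return True
                if pathname and k < len(s) and s[k] == "/":
                    return False                    # '*' may not absorb a '/'
            return False
        if j >= len(s):
            return False                            # pattern left, string exhausted
        if c == "[":
            ok, nxt = _match_bracket(p, i, s[j])
            if nxt != -1:
                if not ok or (pathname and s[j] == "/"):
                    return False
                i, j = nxt, j + 1
                continue
            # an unterminated '[' falls through and is matched literally
        elif c == "?":
            if pathname and s[j] == "/":
                return False
            i, j = i + 1, j + 1
            continue
        elif c == "\\" and i + 1 < len(p):
            i, c = i + 1, p[i + 1]                  # '\x' matches a literal x
        if c != s[j]:
            return False
        i, j = i + 1, j + 1
    return j == len(s)


def glob_match(pattern, string, pathname):
    return _match(pattern, 0, string, 0, pathname)


def cmnd_matches(entry_path, entry_args, cmnd, args, sudoedit=False):
    """Does the sudoers command 'entry_path entry_args' permit cmnd run with args?
    entry_args is None when the entry lists no arguments (any are allowed) and the
    two-character string '""' when no arguments at all are allowed.  args is the
    user's argument list joined with single spaces, as sudoers matches it."""
    if not glob_match(entry_path, cmnd, pathname=True):
        return False
    if entry_args is None:
        return True
    if entry_args == '""':
        return args == ""
    return glob_match(entry_args, args, pathname=sudoedit)


if __name__ == "__main__":
    # The over-broad match from the text: '*' spans the space between words,
    # so the entry for /var/log/messages* also admits a second, unrelated file.
    print(cmnd_matches("/bin/cat", "/var/log/messages*", "/bin/cat",
                       "/var/log/messages /etc/shadow"))   # True
```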
1.1 misho 1473: .SS "Including other files from within sudoers"
1.1.1.3 misho 1474: It is possible to include other
1475: \fIsudoers\fR
1476: files from within the
1477: \fIsudoers\fR
1478: file currently being parsed using the
1479: \fR#include\fR
1480: and
1481: \fR#includedir\fR
1482: directives.
1483: .PP
1484: This can be used, for example, to keep a site-wide
1485: \fIsudoers\fR
1486: file in addition to a local, per-machine file.
1487: For the sake of this example the site-wide
1488: \fIsudoers\fR
1489: will be
1490: \fI/etc/sudoers\fR
1491: and the per-machine one will be
1492: \fI/etc/sudoers.local\fR.
1493: To include
1494: \fI/etc/sudoers.local\fR
1495: from within
1496: \fI/etc/sudoers\fR
1497: we would use the
1498: following line in
1499: \fI/etc/sudoers\fR:
1500: .nf
1501: .sp
1502: .RS 4n
1503: #include /etc/sudoers.local
1504: .RE
1505: .fi
1506: .PP
1507: When
1508: \fBsudo\fR
1509: reaches this line it will suspend processing of the current file
1510: (\fI/etc/sudoers\fR)
1511: and switch to
1512: \fI/etc/sudoers.local\fR.
1513: Upon reaching the end of
1514: \fI/etc/sudoers.local\fR,
1515: the rest of
1516: \fI/etc/sudoers\fR
1517: will be processed.
1518: Files that are included may themselves include other files.
1519: A hard limit of 128 nested include files is enforced to prevent include
1520: file loops.
1.1 misho 1521: .PP
1.1.1.2 misho 1522: If the path to the include file is not fully-qualified (does not
1.1.1.3 misho 1523: begin with a
1524: `/'),
1525: it must be located in the same directory as the sudoers file it was
1526: included from.
1527: For example, if
1528: \fI/etc/sudoers\fR
1.1.1.2 misho 1529: contains the line:
1.1.1.3 misho 1530: .nf
1531: .sp
1532: .RS 4n
1533: \fR#include sudoers.local\fR
1.1.1.2 misho 1534: .RE
1.1.1.3 misho 1535: .fi
1.1.1.2 misho 1536: .PP
1.1.1.3 misho 1537: the file that will be included is
1538: \fI/etc/sudoers.local\fR.
1.1 misho 1539: .PP
1.1.1.3 misho 1540: The file name may also include the
1541: \fR%h\fR
1542: escape, signifying the short form of the host name.
1543: In other words, if the machine's host name is
1544: ``xerxes'',
1545: then
1546: .nf
1547: .sp
1548: .RS 4n
1549: #include /etc/sudoers.%h
1550: .RE
1551: .fi
1.1 misho 1552: .PP
1.1.1.3 misho 1553: will cause
1554: \fBsudo\fR
1555: to include the file
1556: \fI/etc/sudoers.xerxes\fR.
1557: .PP
1558: The
1559: \fR#includedir\fR
1560: directive can be used to create a
1561: \fIsudo.d\fR
1562: directory that the system package manager can drop
1563: \fIsudoers\fR
1564: rules
1565: into as part of package installation.
1566: For example, given:
1567: .nf
1568: .sp
1569: .RS 4n
1570: #includedir /etc/sudoers.d
1571: .RE
1572: .fi
1.1 misho 1573: .PP
1.1.1.3 misho 1574: \fBsudo\fR
1575: will read each file in
1576: \fI/etc/sudoers.d\fR,
1577: skipping file names that end in
1578: `~'
1579: or contain a
1580: `.\&'
1581: character to avoid causing problems with package manager or editor
1582: temporary/backup files.
1583: Files are parsed in sorted lexical order.
1584: That is,
1585: \fI/etc/sudoers.d/01_first\fR
1586: will be parsed before
1587: \fI/etc/sudoers.d/10_second\fR.
1588: Be aware that because the sorting is lexical, not numeric,
1589: \fI/etc/sudoers.d/1_whoops\fR
1590: would be loaded
1591: \fBafter\fR
1592: \fI/etc/sudoers.d/10_second\fR.
1593: Using a consistent number of leading zeroes in the file names
1594: avoids such problems.
1595: .PP
1596: Note that unlike files included via
1597: \fR#include\fR,
1598: \fBvisudo\fR
1599: will not edit the files in a
1600: \fR#includedir\fR
1601: directory unless one of them contains a syntax error.
1602: It is still possible to run
1603: \fBvisudo\fR
1604: with the
1605: \fB\-f\fR
1606: flag to edit the files directly.
1.1 misho 1607: .SS "Other special characters and reserved words"
1.1.1.3 misho 1608: The pound sign
1609: (`#')
1610: is used to indicate a comment (unless it is part of a #include
1611: directive or unless it occurs in the context of a user name and is
1612: followed by one or more digits, in which case it is treated as a
1613: uid).
1614: Both the comment character and any text after it, up to the end of
1615: the line, are ignored.
1616: .PP
1617: The reserved word
1618: \fBALL\fR
1619: is a built-in
1620: \fIalias\fR
1621: that always causes a match to succeed.
1622: It can be used wherever one might otherwise use a
1623: \fRCmnd_Alias\fR,
1624: \fRUser_Alias\fR,
1625: \fRRunas_Alias\fR,
1626: or
1627: \fRHost_Alias\fR.
1628: You should not try to define your own
1629: \fIalias\fR
1630: called
1631: \fBALL\fR
1632: as the built-in alias will be used in preference to your own.
1633: Please note that using
1634: \fBALL\fR
1635: can be dangerous since in a command context, it allows the user to run
1636: \fBany\fR
1637: command on the system.
1638: .PP
1639: An exclamation point
1640: (`\&!')
1641: can be used as a logical
1642: \fInot\fR
1.1.1.4 ! misho 1643: operator in a list or
1.1.1.3 misho 1644: \fIalias\fR
1.1.1.4 ! misho 1645: as well as in front of a
1.1.1.3 misho 1646: \fRCmnd\fR.
1647: This allows one to exclude certain values.
1.1.1.4 ! misho 1648: For the
! 1649: `\&!'
! 1650: operator to be effective, there must be something for it to exclude.
! 1651: For example, to match all users except for root one would use:
! 1652: .nf
! 1653: .sp
! 1654: .RS 4n
! 1655: ALL,!root
! 1656: .RE
! 1657: .fi
! 1658: .PP
! 1659: If the
! 1660: \fBALL\fR,
! 1661: is omitted, as in:
! 1662: .nf
! 1663: .sp
! 1664: .RS 4n
! 1665: !root
! 1666: .RE
! 1667: .fi
! 1668: .PP
! 1669: it would explicitly deny root but not match any other users.
! 1670: This is different from a true
! 1671: ``negation''
! 1672: operator.
! 1673: .PP
1.1.1.3 misho 1674: Note, however, that using a
1675: `\&!'
1676: in conjunction with the built-in
1677: \fBALL\fR
1678: alias to allow a user to run
1679: ``all but a few''
1680: commands rarely works as intended (see
1681: \fISECURITY NOTES\fR
1682: below).
1683: .PP
1684: Long lines can be continued with a backslash
1685: (`\e')
1686: as the last character on the line.
1687: .PP
1688: White space between elements in a list as well as special syntactic
1689: characters in a
1690: \fIUser Specification\fR
1691: (`=\&',
1692: `:\&',
1693: `(\&',
1694: `)\&')
1695: is optional.
1696: .PP
1697: The following characters must be escaped with a backslash
1698: (`\e')
1699: when used as part of a word (e.g.\& a user name or host name):
1700: `\&!',
1701: `=\&',
1702: `:\&',
1703: `,\&',
1704: `(\&',
1705: `)\&',
1706: `\e'.
1.1 misho 1707: .SH "SUDOERS OPTIONS"
1.1.1.3 misho 1708: \fBsudo\fR's
1709: behavior can be modified by
1710: \fRDefault_Entry\fR
1711: lines, as explained earlier.
1712: A list of all supported Defaults parameters, grouped by type, is given below.
1713: .PP
1714: \fBBoolean Flags\fR:
1715: .TP 18n
1716: always_set_home
1717: If enabled,
1718: \fBsudo\fR
1719: will set the
1720: \fRHOME\fR
1721: environment variable to the home directory of the target user
1722: (which is root unless the
1723: \fB\-u\fR
1724: option is used).
1725: This effectively means that the
1726: \fB\-H\fR
1727: option is always implied.
1728: Note that
1729: \fRHOME\fR
1730: is already set when the
1731: \fIenv_reset\fR
1732: option is enabled, so
1733: \fIalways_set_home\fR
1734: is only effective for configurations where either
1735: \fIenv_reset\fR
1736: is disabled or
1737: \fRHOME\fR
1738: is present in the
1739: \fIenv_keep\fR
1740: list.
1741: This flag is
1742: \fIoff\fR
1743: by default.
1744: .TP 18n
1745: authenticate
1.1 misho 1746: If set, users must authenticate themselves via a password (or other
1.1.1.3 misho 1747: means of authentication) before they may run commands.
1748: This default may be overridden via the
1749: \fRPASSWD\fR
1750: and
1751: \fRNOPASSWD\fR
1752: tags.
1753: This flag is
1754: \fIon\fR
1755: by default.
1756: .TP 18n
1757: closefrom_override
1758: If set, the user may use
1759: \fBsudo\fR's
1760: \fB\-C\fR
1761: option which overrides the default starting point at which
1762: \fBsudo\fR
1763: begins closing open file descriptors.
1764: This flag is
1765: \fIoff\fR
1766: by default.
1767: .TP 18n
1768: compress_io
1769: If set, and
1770: \fBsudo\fR
1771: is configured to log a command's input or output,
1772: the I/O logs will be compressed using
1773: \fBzlib\fR.
1774: This flag is
1775: \fIon\fR
1776: by default when
1777: \fBsudo\fR
1778: is compiled with
1779: \fBzlib\fR
1780: support.
1781: .TP 18n
1.1.1.4 ! misho 1782: exec_background
! 1783: By default,
! 1784: \fBsudo\fR
! 1785: runs a command as the foreground process as long as
! 1786: \fBsudo\fR
! 1787: itself is running in the foreground.
! 1788: When the
! 1789: \fIexec_background\fR
! 1790: flag is enabled and the command is being run in a pty (due to I/O logging
! 1791: or the
! 1792: \fIuse_pty\fR
! 1793: flag), the command will be run as a background process.
! 1794: Attempts to read from the controlling terminal (or to change terminal
! 1795: settings) will result in the command being suspended with the
! 1796: \fRSIGTTIN\fR
! 1797: signal (or
! 1798: \fRSIGTTOU\fR
! 1799: in the case of terminal settings).
! 1800: If this happens when
! 1801: \fBsudo\fR
! 1802: is a foreground process, the command will be granted the controlling terminal
! 1803: and resumed in the foreground with no user intervention required.
! 1804: The advantage of initially running the command in the background is that
! 1805: \fBsudo\fR
! 1806: need not read from the terminal unless the command explicitly requests it.
! 1807: Otherwise, any terminal input must be passed to the command, whether it
! 1808: has required it or not (the kernel buffers terminals so it is not possible
! 1809: to tell whether the command really wants the input).
! 1810: This is different from historic
! 1811: \fIsudo\fR
! 1812: behavior or when the command is not being run in a pty.
! 1813: .sp
! 1814: For this to work seamlessly, the operating system must support the
! 1815: automatic restarting of system calls.
! 1816: Unfortunately, not all operating systems do this by default,
! 1817: and even those that do may have bugs.
! 1818: For example, Mac OS X fails to restart the
! 1819: \fBtcgetattr\fR()
! 1820: and
! 1821: \fBtcsetattr\fR()
! 1822: system calls (this is a bug in Mac OS X).
! 1823: Furthermore, because this behavior depends on the command stopping with the
! 1824: \fRSIGTTIN\fR
! 1825: or
! 1826: \fRSIGTTOU\fR
! 1827: signals, programs that catch these signals and suspend themselves
! 1828: with a different signal (usually
! 1829: \fRSIGSTOP\fR)
! 1830: will not be automatically foregrounded.
! 1831: Some versions of the Linux
! 1832: su(1)
! 1833: command behave this way.
! 1834: .sp
! 1835: This setting is only supported by version 1.8.7 or higher.
! 1836: It has no effect unless I/O logging is enabled or the
! 1837: \fIuse_pty\fR
! 1838: flag is enabled.
! 1839: .TP 18n
1.1.1.3 misho 1840: env_editor
1841: If set,
1842: \fBvisudo\fR
1843: will use the value of the
1844: \fREDITOR\fR
1845: or
1846: \fRVISUAL\fR
1.1 misho 1847: environment variables before falling back on the default editor list.
1848: Note that this may create a security hole as it allows the user to
1.1.1.3 misho 1849: run any arbitrary command as root without logging.
1850: A safer alternative is to place a colon-separated list of editors
1851: in the
1852: \fReditor\fR
1853: variable.
1854: \fBvisudo\fR
1855: will then only use the
1856: \fREDITOR\fR
1857: or
1858: \fRVISUAL\fR
1859: if they match a value specified in
1860: \fReditor\fR.
1861: This flag is
1862: \fI@env_editor@\fR
1863: by
1.1.1.2 misho 1864: default.
1.1.1.3 misho 1865: .TP 18n
1866: env_reset
1867: If set,
1868: \fBsudo\fR
1869: will run the command in a minimal environment containing the
1870: \fRTERM\fR,
1871: \fRPATH\fR,
1872: \fRHOME\fR,
1873: \fRMAIL\fR,
1874: \fRSHELL\fR,
1875: \fRLOGNAME\fR,
1876: \fRUSER\fR,
1877: \fRUSERNAME\fR
1878: and
1879: \fRSUDO_*\fR
1880: variables.
1881: Any
1882: variables in the caller's environment that match the
1883: \fRenv_keep\fR
1884: and
1885: \fRenv_check\fR
1886: lists are then added, followed by any variables present in the file
1887: specified by the
1888: \fIenv_file\fR
1889: option (if any).
1890: The default contents of the
1891: \fRenv_keep\fR
1892: and
1893: \fRenv_check\fR
1894: lists are displayed when
1895: \fBsudo\fR
1896: is run by root with the
1897: \fB\-V\fR
1898: option.
1899: If the
1900: \fIsecure_path\fR
1901: option is set, its value will be used for the
1902: \fRPATH\fR
1903: environment variable.
1904: This flag is
1905: \fI@env_reset@\fR
1906: by default.
1907: .TP 18n
1908: fast_glob
1909: Normally,
1910: \fBsudo\fR
1911: uses the
1912: glob(3)
1913: function to do shell-style globbing when matching path names.
1914: However, since it accesses the file system,
1915: glob(3)
1916: can take a long time to complete for some patterns, especially
1917: when the pattern references a network file system that is mounted
1918: on demand (auto mounted).
1919: The
1920: \fIfast_glob\fR
1921: option causes
1922: \fBsudo\fR
1923: to use the
1924: fnmatch(3)
1925: function, which does not access the file system to do its matching.
1926: The disadvantage of
1927: \fIfast_glob\fR
1928: is that it is unable to match relative path names such as
1929: \fI./ls\fR
1930: or
1931: \fI../bin/ls\fR.
1932: This has security implications when path names that include globbing
1933: characters are used with the negation operator,
1934: `!\&',
1935: as such rules can be trivially bypassed.
1936: For this reason, this option should not be used when
1937: \fIsudoers\fR
1938: contains rules that contain negated path names which include globbing
1939: characters.
1940: This flag is
1941: \fIoff\fR
1942: by default.
1943: .TP 18n
1944: fqdn
1.1 misho 1945: Set this flag if you want to put fully qualified host names in the
1.1.1.3 misho 1946: \fIsudoers\fR
1947: file when the local host name (as returned by the
1948: \fRhostname\fR
1949: command) does not contain the domain name.
1950: In other words, instead of myhost you would use myhost.mydomain.edu.
1.1 misho 1951: You may still use the short form if you wish (and even mix the two).
1.1.1.3 misho 1952: This option is only effective when the
1953: ``canonical''
1954: host name, as returned by the
1955: \fBgetaddrinfo\fR()
1956: or
1957: \fBgethostbyname\fR()
1958: function, is a fully-qualified domain name.
1959: This is usually the case when the system is configured to use DNS
1960: for host name resolution.
1961: .sp
1962: If the system is configured to use the
1963: \fI/etc/hosts\fR
1964: file in preference to DNS, the
1965: ``canonical''
1966: host name may not be fully-qualified.
1967: The order that sources are queried for host name resolution
1968: is usually specified in the
1969: \fI@nsswitch_conf@\fR,
1970: \fI@netsvc_conf@\fR,
1971: \fI/etc/host.conf\fR,
1972: or, in some cases,
1973: \fI/etc/resolv.conf\fR
1974: file.
1975: In the
1976: \fI/etc/hosts\fR
1977: file, the first host name of the entry is considered to be the
1978: ``canonical''
1979: name; subsequent names are aliases that are not used by
1980: \fBsudoers\fR.
1981: For example, the following hosts file line for the machine
1982: ``xyzzy''
1983: has the fully-qualified domain name as the
1984: ``canonical''
1985: host name, and the short version as an alias.
1986: .sp
1987: .RS 6n
1988: 192.168.1.1 xyzzy.sudo.ws xyzzy
1989: .RE
1990: .sp
1991: If the machine's hosts file entry is not formatted properly, the
1992: \fIfqdn\fR
1993: option will not be effective if it is queried before DNS.
1994: .sp
1995: Beware that when using DNS for host name resolution, turning on
1996: \fIfqdn\fR
1997: requires
1998: \fBsudoers\fR
1999: to make DNS lookups which renders
2000: \fBsudo\fR
2001: unusable if DNS stops working (for example if the machine is disconnected
2002: from the network).
2003: Also note that just like with the hosts file, you must use the
2004: ``canonical''
2005: name as DNS knows it.
2006: That is, you may not use a host alias
2007: (\fRCNAME\fR
2008: entry)
2009: due to performance issues and the fact that there is no way to get all
2010: aliases from DNS.
2011: .sp
2012: This flag is
2013: \fI@fqdn@\fR
2014: by default.
2015: .TP 18n
2016: ignore_dot
2017: If set,
2018: \fBsudo\fR
2019: will ignore "." or "" (both denoting current directory) in the
2020: \fRPATH\fR
2021: environment variable; the
2022: \fRPATH\fR
2023: itself is not modified.
2024: This flag is
2025: \fI@ignore_dot@\fR
2026: by default.
2027: .TP 18n
2028: ignore_local_sudoers
2029: If set via LDAP, parsing of
2030: \fI@sysconfdir@/sudoers\fR
2031: will be skipped.
1.1 misho 2032: This is intended for enterprises that wish to prevent the usage of local
1.1.1.3 misho 2033: sudoers files so that only LDAP is used.
2034: This thwarts the efforts of rogue operators who would attempt to add roles to
2035: \fI@sysconfdir@/sudoers\fR.
2036: When this option is present,
2037: \fI@sysconfdir@/sudoers\fR
2038: does not even need to exist.
2039: Since this option tells
2040: \fBsudo\fR
2041: how to behave when no specific LDAP entries have been matched, this
2042: sudoOption is only meaningful for the
2043: \fRcn=defaults\fR
2044: section.
2045: This flag is
2046: \fIoff\fR
2047: by default.
2048: .TP 18n
2049: insults
2050: If set,
2051: \fBsudo\fR
2052: will insult users when they enter an incorrect password.
2053: This flag is
2054: \fI@insults@\fR
2055: by default.
2056: .TP 18n
2057: log_host
2058: If set, the host name will be logged in the (non-syslog)
2059: \fBsudo\fR
2060: log file.
2061: This flag is
2062: \fIoff\fR
2063: by default.
2064: .TP 18n
2065: log_input
2066: If set,
2067: \fBsudo\fR
2068: will run the command in a
2069: \fIpseudo tty\fR
2070: and log all user input.
1.1 misho 2071: If the standard input is not connected to the user's tty, due to
2072: I/O redirection or because the command is part of a pipeline, that
2073: input is also captured and stored in a separate log file.
1.1.1.3 misho 2074: .sp
2075: Input is logged to the directory specified by the
2076: \fIiolog_dir\fR
2077: option
2078: (\fI@iolog_dir@\fR
2079: by default)
2080: using a unique session ID that is included in the normal
2081: \fBsudo\fR
2082: log line, prefixed with
2083: ``\fRTSID=\fR''.
2084: The
2085: \fIiolog_file\fR
2086: option may be used to control the format of the session ID.
2087: .sp
1.1 misho 2088: Note that user input may contain sensitive information such as
2089: passwords (even if they are not echoed to the screen), which will
1.1.1.3 misho 2090: be stored in the log file unencrypted.
2091: In most cases, logging the command output via
2092: \fIlog_output\fR
2093: is all that is required.
2094: .TP 18n
2095: log_output
2096: If set,
2097: \fBsudo\fR
2098: will run the command in a
2099: \fIpseudo tty\fR
2100: and log all output that is sent to the screen, similar to the
2101: script(1)
2102: command.
1.1 misho 2103: If the standard output or standard error is not connected to the
2104: user's tty, due to I/O redirection or because the command is part
2105: of a pipeline, that output is also captured and stored in separate
2106: log files.
1.1.1.3 misho 2107: .sp
2108: Output is logged to the directory specified by the
2109: \fIiolog_dir\fR
2110: option
2111: (\fI@iolog_dir@\fR
2112: by default)
2113: using a unique session ID that is included in the normal
2114: \fBsudo\fR
2115: log line, prefixed with
2116: ``\fRTSID=\fR''.
2117: The
2118: \fIiolog_file\fR
2119: option may be used to control the format of the session ID.
2120: .sp
2121: Output logs may be viewed with the
2122: sudoreplay(@mansectsu@)
2123: utility, which can also be used to list or search the available logs.
2124: .TP 18n
2125: log_year
2126: If set, the four-digit year will be logged in the (non-syslog)
2127: \fBsudo\fR
2128: log file.
2129: This flag is
2130: \fIoff\fR
2131: by default.
2132: .TP 18n
2133: long_otp_prompt
2134: When validating with a One Time Password (OTP) scheme such as
2135: \fBS/Key\fR
2136: or
2137: \fBOPIE\fR,
2138: a two-line prompt is used to make it easier
2139: to cut and paste the challenge to a local window.
2140: It's not as pretty as the default but some people find it more convenient.
2141: This flag is
2142: \fI@long_otp_prompt@\fR
2143: by default.
2144: .TP 18n
2145: mail_always
2146: Send mail to the
2147: \fImailto\fR
2148: user every time a user runs
2149: \fBsudo\fR.
2150: This flag is
2151: \fIoff\fR
2152: by default.
2153: .TP 18n
2154: mail_badpass
2155: Send mail to the
2156: \fImailto\fR
2157: user if the user running
2158: \fBsudo\fR
2159: does not enter the correct password.
2160: If the command the user is attempting to run is not permitted by
2161: \fIsudoers\fR
2162: and one of the
2163: \fImail_always\fR,
2164: \fImail_no_host\fR,
2165: \fImail_no_perms\fR
2166: or
2167: \fImail_no_user\fR
2168: flags is set, this flag will have no effect.
2169: This flag is
2170: \fIoff\fR
2171: by default.
2172: .TP 18n
2173: mail_no_host
2174: If set, mail will be sent to the
2175: \fImailto\fR
2176: user if the invoking user exists in the
2177: \fIsudoers\fR
2178: file, but is not allowed to run commands on the current host.
2179: This flag is
2180: \fI@mail_no_host@\fR
2181: by default.
2182: .TP 18n
2183: mail_no_perms
2184: If set, mail will be sent to the
2185: \fImailto\fR
2186: user if the invoking user is allowed to use
2187: \fBsudo\fR
2188: but the command they are trying is not listed in their
2189: \fIsudoers\fR
2190: file entry or is explicitly denied.
2191: This flag is
2192: \fI@mail_no_perms@\fR
2193: by default.
2194: .TP 18n
2195: mail_no_user
2196: If set, mail will be sent to the
2197: \fImailto\fR
2198: user if the invoking user is not in the
2199: \fIsudoers\fR
2200: file.
2201: This flag is
2202: \fI@mail_no_user@\fR
2203: by default.
2204: .TP 18n
2205: noexec
2206: If set, all commands run via
2207: \fBsudo\fR
2208: will behave as if the
2209: \fRNOEXEC\fR
2210: tag has been set, unless overridden by a
2211: \fREXEC\fR
2212: tag.
2213: See the description of
2214: \fINOEXEC and EXEC\fR
2215: below as well as the
2216: \fIPreventing shell escapes\fR
2217: section at the end of this manual.
2218: This flag is
2219: \fIoff\fR
2220: by default.
2221: .TP 18n
1.1.1.4 ! misho 2222: pam_session
! 2223: On systems that use PAM for authentication,
1.1.1.3 misho 2224: \fBsudo\fR
1.1.1.4 ! misho 2225: will create a new PAM session for the command to be run in.
! 2226: Disabling
! 2227: \fIpam_session\fR
! 2228: may be needed on older PAM implementations or on operating systems where
! 2229: opening a PAM session changes the utmp or wtmp files.
! 2230: If PAM session support is disabled, resource limits may not be updated
! 2231: for the command being run.
1.1.1.3 misho 2232: This flag is
1.1.1.4 ! misho 2233: \fI@pam_session@\fR
1.1.1.3 misho 2234: by default.
1.1.1.4 ! misho 2235: .sp
! 2236: This setting is only supported by version 1.8.7 or higher.
1.1.1.3 misho 2237: .TP 18n
2238: passprompt_override
2239: The password prompt specified by
2240: \fIpassprompt\fR
2241: will normally only be used if the password prompt provided by systems
2242: such as PAM matches the string
2243: ``Password:''.
2244: If
2245: \fIpassprompt_override\fR
2246: is set,
2247: \fIpassprompt\fR
2248: will always be used.
2249: This flag is
2250: \fIoff\fR
2251: by default.
2252: .TP 18n
1.1.1.4 ! misho 2253: path_info
! 2254: Normally,
! 2255: \fBsudo\fR
! 2256: will tell the user when a command could not be
! 2257: found in their
! 2258: \fRPATH\fR
! 2259: environment variable.
! 2260: Some sites may wish to disable this as it could be used to gather
! 2261: information on the location of executables that the normal user does
! 2262: not have access to.
! 2263: The disadvantage is that if the executable is simply not in the user's
! 2264: \fRPATH\fR,
! 2265: \fBsudo\fR
! 2266: will tell the user that they are not allowed to run it, which can be confusing.
! 2267: This flag is
! 2268: \fI@path_info@\fR
! 2269: by default.
! 2270: .TP 18n
1.1.1.3 misho 2271: preserve_groups
2272: By default,
2273: \fBsudo\fR
2274: will initialize the group vector to the list of groups the target user is in.
2275: When
2276: \fIpreserve_groups\fR
2277: is set, the user's existing group vector is left unaltered.
2278: The real and effective group IDs, however, are still set to match the
2279: target user.
2280: This flag is
2281: \fIoff\fR
2282: by default.
2283: .TP 18n
2284: pwfeedback
2285: By default,
2286: \fBsudo\fR
2287: reads the password like most other Unix programs,
1.1 misho 2288: by turning off echo until the user hits the return (or enter) key.
1.1.1.3 misho 2289: Some users become confused by this as it appears to them that
2290: \fBsudo\fR
2291: has hung at this point.
2292: When
2293: \fIpwfeedback\fR
2294: is set,
2295: \fBsudo\fR
2296: will provide visual feedback when the user presses a key.
2297: Note that this does have a security impact as an onlooker may be able to
1.1 misho 2298: determine the length of the password being entered.
1.1.1.3 misho 2299: This flag is
2300: \fIoff\fR
2301: by default.
2302: .TP 18n
2303: requiretty
2304: If set,
2305: \fBsudo\fR
2306: will only run when the user is logged in to a real tty.
2307: When this flag is set,
2308: \fBsudo\fR
2309: can only be run from a login session and not via other means such as
2310: cron(@mansectsu@)
2311: or cgi-bin scripts.
2312: This flag is
2313: \fIoff\fR
2314: by default.
2315: .TP 18n
2316: root_sudo
2317: If set, root is allowed to run
2318: \fBsudo\fR
2319: too.
2320: Disabling this prevents users from
2321: ``chaining''
2322: \fBsudo\fR
2323: commands to get a root shell by doing something like
2324: ``\fRsudo sudo /bin/sh\fR''.
2325: Note, however, that turning off
2326: \fIroot_sudo\fR
2327: will also prevent root from running
2328: \fBsudoedit\fR.
2329: Disabling
2330: \fIroot_sudo\fR
2331: provides no real additional security; it exists purely for historical reasons.
2332: This flag is
2333: \fI@root_sudo@\fR
2334: by default.
2335: .TP 18n
2336: rootpw
2337: If set,
2338: \fBsudo\fR
2339: will prompt for the root password instead of the password of the invoking user.
2340: This flag is
2341: \fIoff\fR
2342: by default.
2343: .TP 18n
2344: runaspw
2345: If set,
2346: \fBsudo\fR
2347: will prompt for the password of the user defined by the
2348: \fIrunas_default\fR
2349: option (defaults to
2350: \fR@runas_default@\fR)
2351: instead of the password of the invoking user.
2352: This flag is
2353: \fIoff\fR
2354: by default.
2355: .TP 18n
2356: set_home
2357: If enabled and
2358: \fBsudo\fR
2359: is invoked with the
2360: \fB\-s\fR
2361: option the
2362: \fRHOME\fR
1.1 misho 2363: environment variable will be set to the home directory of the target
1.1.1.3 misho 2364: user (which is root unless the
2365: \fB\-u\fR
2366: option is used).
2367: This effectively makes the
2368: \fB\-s\fR
2369: option imply
2370: \fB\-H\fR.
2371: Note that
2372: \fRHOME\fR
2373: is already set when the
2374: \fIenv_reset\fR
2375: option is enabled, so
2376: \fIset_home\fR
2377: is only effective for configurations where either
2378: \fIenv_reset\fR
2379: is disabled
2380: or
2381: \fRHOME\fR
2382: is present in the
2383: \fIenv_keep\fR
2384: list.
2385: This flag is
2386: \fIoff\fR
2387: by default.
2388: .TP 18n
2389: set_logname
2390: Normally,
2391: \fBsudo\fR
2392: will set the
2393: \fRLOGNAME\fR,
2394: \fRUSER\fR
2395: and
2396: \fRUSERNAME\fR
2397: environment variables to the name of the target user (usually root unless the
2398: \fB\-u\fR
2399: option is given).
2400: However, since some programs (including the RCS revision control system) use
2401: \fRLOGNAME\fR
2402: to determine the real identity of the user, it may be desirable to
2403: change this behavior.
2404: This can be done by negating the set_logname option.
2405: Note that if the
2406: \fIenv_reset\fR
2407: option has not been disabled, entries in the
2408: \fIenv_keep\fR
2409: list will override the value of
2410: \fIset_logname\fR.
2411: This flag is
2412: \fIon\fR
2413: by default.
2414: .TP 18n
2415: set_utmp
2416: When enabled,
2417: \fBsudo\fR
2418: will create an entry in the utmp (or utmpx) file when a pseudo-tty
2419: is allocated.
2420: A pseudo-tty is allocated by
2421: \fBsudo\fR
2422: when the
2423: \fIlog_input\fR,
2424: \fIlog_output\fR
2425: or
2426: \fIuse_pty\fR
2427: flags are enabled.
2428: By default, the new entry will be a copy of the user's existing utmp
2429: entry (if any), with the tty, time, type and pid fields updated.
2430: This flag is
2431: \fIon\fR
2432: by default.
2433: .TP 18n
2434: setenv
2435: Allow the user to disable the
2436: \fIenv_reset\fR
2437: option from the command line via the
2438: \fB\-E\fR
2439: option.
2440: Additionally, environment variables set via the command line are
2441: not subject to the restrictions imposed by
2442: \fIenv_check\fR,
2443: \fIenv_delete\fR,
2444: or
2445: \fIenv_keep\fR.
2446: As such, only trusted users should be allowed to set variables in this manner.
2447: This flag is
2448: \fIoff\fR
2449: by default.
2450: .TP 18n
2451: shell_noargs
2452: If set and
2453: \fBsudo\fR
2454: is invoked with no arguments it acts as if the
2455: \fB\-s\fR
2456: option had been given.
2457: That is, it runs a shell as root (the shell is determined by the
2458: \fRSHELL\fR
2459: environment variable if it is set, falling back on the shell listed
2460: in the invoking user's /etc/passwd entry if not).
2461: This flag is
2462: \fIoff\fR
2463: by default.
2464: .TP 18n
2465: stay_setuid
2466: Normally, when
2467: \fBsudo\fR
2468: executes a command the real and effective UIDs are set to the target
2469: user (root by default).
2470: This option changes that behavior such that the real UID is left
2471: as the invoking user's UID.
2472: In other words, this makes
2473: \fBsudo\fR
2474: act as a setuid wrapper.
2475: This can be useful on systems that disable some potentially
2476: dangerous functionality when a program is run setuid.
2477: This option is only effective on systems that support either the
2478: setreuid(2)
2479: or
2480: setresuid(2)
2481: system call.
2482: This flag is
2483: \fIoff\fR
2484: by default.
2485: .TP 18n
2486: targetpw
2487: If set,
2488: \fBsudo\fR
2489: will prompt for the password of the user specified
2490: by the
2491: \fB\-u\fR
2492: option (defaults to
2493: \fRroot\fR)
2494: instead of the password of the invoking user.
2495: In addition, the time stamp file name will include the target user's name.
2496: Note that this flag precludes the use of a uid not listed in the passwd
2497: database as an argument to the
2498: \fB\-u\fR
2499: option.
2500: This flag is
2501: \fIoff\fR
2502: by default.
2503: .TP 18n
2504: tty_tickets
2505: If set, users must authenticate on a per-tty basis.
2506: With this flag enabled,
2507: \fBsudo\fR
2508: will use a file named for the tty the user is
2509: logged in on in the user's time stamp directory.
2510: If disabled, the time stamp of the directory is used instead.
2511: This flag is
2512: \fI@tty_tickets@\fR
2513: by default.
2514: .TP 18n
2515: umask_override
2516: If set,
2517: \fBsudo\fR
2518: will set the umask as specified by
2519: \fIsudoers\fR
2520: without modification.
2521: This makes it possible to specify a more permissive umask in
2522: \fIsudoers\fR
2523: than the user's own umask and matches historical behavior.
2524: If
2525: \fIumask_override\fR
2526: is not set,
2527: \fBsudo\fR
2528: will set the umask to be the union of the user's umask and what is specified in
2529: \fIsudoers\fR.
2530: This flag is
2531: \fI@umask_override@\fR
2532: by default.
2533: .TP 18n
2534: use_loginclass
2535: If set,
2536: \fBsudo\fR
2537: will apply the defaults specified for the target user's login class
2538: if one exists.
2539: Only available if
2540: \fBsudo\fR
2541: is configured with the
2542: \fR--with-logincap\fR
2543: option.
2544: This flag is
2545: \fIoff\fR
2546: by default.
2547: .TP 18n
2548: use_pty
2549: If set,
2550: \fBsudo\fR
2551: will run the command in a pseudo-tty even if no I/O logging is being done.
2552: A malicious program run under
2553: \fBsudo\fR
2554: could conceivably fork a background process that retains access to the user's
2555: terminal device after the main program has finished executing.
2556: Use of this option will make that impossible.
2557: This flag is
2558: \fIoff\fR
2559: by default.
2560: .TP 18n
2561: utmp_runas
2562: If set,
2563: \fBsudo\fR
2564: will store the name of the runas user when updating the utmp (or utmpx) file.
2565: By default,
2566: \fBsudo\fR
2567: stores the name of the invoking user.
2568: This flag is
2569: \fIoff\fR
2570: by default.
2571: .TP 18n
2572: visiblepw
2573: By default,
2574: \fBsudo\fR
2575: will refuse to run if the user must enter a password but it is not
2576: possible to disable echo on the terminal.
2577: If the
2578: \fIvisiblepw\fR
2579: flag is set,
2580: \fBsudo\fR
2581: will prompt for a password even when it would be visible on the screen.
2582: This makes it possible to run things like
2583: ``\fRssh somehost sudo ls\fR''
2584: since by default,
2585: ssh(1)
2586: does
2587: not allocate a tty when running a command.
2588: This flag is
2589: \fIoff\fR
2590: by default.
1.1 misho 2591: .PP
1.1.1.3 misho 2592: \fBIntegers\fR:
2593: .TP 18n
2594: closefrom
2595: Before it executes a command,
2596: \fBsudo\fR
2597: will close all open file descriptors other than standard input,
2598: standard output and standard error (i.e., file descriptors 0-2).
2599: The
2600: \fIclosefrom\fR
2601: option can be used to specify a different file descriptor at which
2602: to start closing.
2603: The default is
2604: \fR3\fR.
2605: .TP 18n
2606: passwd_tries
2607: The number of tries a user gets to enter his/her password before
2608: \fBsudo\fR
2609: logs the failure and exits.
2610: The default is
2611: \fR@passwd_tries@\fR.
2612: .PP
2613: \fBIntegers that can be used in a boolean context\fR:
2614: .TP 18n
2615: loglinelen
2616: Number of characters per line for the file log.
2617: This value is used to decide when to wrap lines for nicer log files.
2618: This has no effect on the syslog log file, only the file log.
2619: The default is
2620: \fR@loglen@\fR
2621: (use 0 or negate the option to disable word wrap).
2622: .TP 18n
2623: passwd_timeout
2624: Number of minutes before the
2625: \fBsudo\fR
2626: password prompt times out, or
2627: \fR0\fR
2628: for no timeout.
2629: The timeout may include a fractional component
2630: if minute granularity is insufficient, for example
2631: \fR2.5\fR.
2632: The
2633: default is
2634: \fR@password_timeout@\fR.
2635: .TP 18n
2636: timestamp_timeout
2637: .br
2638: Number of minutes that can elapse before
2639: \fBsudo\fR
2640: will ask for a password again.
2641: The timeout may include a fractional component if
2642: minute granularity is insufficient, for example
2643: \fR2.5\fR.
2644: The default is
2645: \fR@timeout@\fR.
2646: Set this to
2647: \fR0\fR
2648: to always prompt for a password.
2649: If set to a value less than
2650: \fR0\fR
2651: the user's time stamp will never expire.
2652: This can be used to allow users to create or delete their own time stamps via
2653: ``\fRsudo -v\fR''
2654: and
2655: ``\fRsudo -k\fR''
2656: respectively.
2657: .TP 18n
2658: umask
2659: Umask to use when running the command.
2660: Negate this option or set it to 0777 to preserve the user's umask.
2661: The actual umask that is used will be the union of the user's umask
2662: and the value of the
2663: \fIumask\fR
2664: option, which defaults to
2665: \fR@sudo_umask@\fR.
2666: This guarantees
2667: that
2668: \fBsudo\fR
2669: never lowers the umask when running a command.
2670: Note: on systems that use PAM, the default PAM configuration may specify
2671: its own umask which will override the value set in
2672: \fIsudoers\fR.
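The interaction of the umask and umask_override settings with the invoking user's umask, modelled as an added Python example (not sudo's own code). The umask values and the 0o666 creation request used below are constructed for illustration.

```python
"""Added model of how the sudoers umask option combines with the user's umask.
Illustration only, not sudo's own code; sample values are constructed."""

# The manual: negate the option or set it to 0777 to preserve the user's umask.
PRESERVE_USER_UMASK = 0o777


def effective_umask(user_umask, sudoers_umask, umask_override=False, negated=False):
    """Return the umask the command runs with.

    - option negated, or set to 0777: the user's umask is kept unchanged
    - umask_override set: the sudoers value is applied without modification
    - otherwise: the union (bitwise OR) of both, so bits can only be added
    Assumption: the 0777 check is applied before umask_override is consulted.
    """
    if negated or sudoers_umask == PRESERVE_USER_UMASK:
        return user_umask
    if umask_override:
        return sudoers_umask
    return user_umask | sudoers_umask


def created_mode(requested, umask):
    """Permission bits a file created with mode `requested` (e.g. 0o666) ends up
    with under `umask`, as the kernel computes them."""
    return requested & ~umask & 0o777


def never_lowers(user_umask, sudoers_umask):
    """Property the manual states for the non-override case: every bit of the
    user's umask survives, i.e. sudo never makes the umask more permissive."""
    eff = effective_umask(user_umask, sudoers_umask)
    return eff & user_umask == user_umask


if __name__ == "__main__":
    # Constructed scenario: a strict user (0o077) meets a sudoers umask of 0o022.
    for override in (False, True):
        eff = effective_umask(0o077, 0o022, umask_override=override)
        print("umask_override=%-5s effective=%04o file mode=%04o"
              % (override, eff, created_mode(0o666, eff)))
```

With umask_override the strict user's umask is replaced by the more permissive sudoers value; without it the union keeps the stricter bits.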
2673: .PP
2674: \fBStrings\fR:
2675: .TP 18n
2676: badpass_message
1.1 misho 2677: Message that is displayed if a user enters an incorrect password.
1.1.1.3 misho 2678: The default is
2679: \fR@badpass_message@\fR
2680: unless insults are enabled.
2681: .TP 18n
2682: editor
2683: A colon
2684: (`:\&')
2685: separated list of editors allowed to be used with
2686: \fBvisudo\fR.
2687: \fBvisudo\fR
2688: will choose the editor that matches the user's
2689: \fREDITOR\fR
2690: environment variable if possible, or the first editor in the
2691: list that exists and is executable.
2692: The default is
2693: \fI@editor@\fR.
2694: .TP 18n
2695: iolog_dir
1.1 misho 2696: The top-level directory to use when constructing the path name for
1.1.1.3 misho 2697: the input/output log directory.
2698: Only used if the
2699: \fIlog_input\fR
2700: or
2701: \fIlog_output\fR
2702: options are enabled or when the
2703: \fRLOG_INPUT\fR
2704: or
2705: \fRLOG_OUTPUT\fR
2706: tags are present for a command.
2707: The session sequence number, if any, is stored in the directory.
2708: The default is
2709: \fI@iolog_dir@\fR.
2710: .sp
2711: The following percent
2712: (`%')
2713: escape sequences are supported:
2714: .RS
2715: .TP 6n
2716: \fR%{seq}\fR
2717: expanded to a monotonically increasing base-36 sequence number, such as 0100A5,
2718: where every two digits are used to form a new directory, e.g.\&
2719: \fI01/00/A5\fR
2720: .TP 6n
2721: \fR%{user}\fR
1.1 misho 2722: expanded to the invoking user's login name
1.1.1.3 misho 2723: .TP 6n
2724: \fR%{group}\fR
2725: expanded to the name of the invoking user's real group ID
2726: .TP 6n
2727: \fR%{runas_user}\fR
1.1 misho 2728: expanded to the login name of the user the command will
1.1.1.3 misho 2729: be run as (e.g.\& root)
2730: .TP 6n
2731: \fR%{runas_group}\fR
1.1 misho 2732: expanded to the group name of the user the command will
1.1.1.3 misho 2733: be run as (e.g.\& wheel)
2734: .TP 6n
2735: \fR%{hostname}\fR
1.1 misho 2736: expanded to the local host name without the domain name
1.1.1.3 misho 2737: .TP 6n
2738: \fR%{command}\fR
1.1 misho 2739: expanded to the base name of the command being run
1.1.1.3 misho 2740: .PP
2741: In addition, any escape sequences supported by the system's
2742: strftime(3)
1.1 misho 2743: function will be expanded.
1.1.1.3 misho 2744: .sp
2745: To include a literal
2746: `%'
2747: character, the string
2748: `%%'
2749: should be used.
2750: .PP
2751: .RE
2752: .PD 0
2753: .TP 18n
2754: iolog_file
2755: The path name, relative to
2756: \fIiolog_dir\fR,
2757: in which to store input/output logs when the
2758: \fIlog_input\fR
2759: or
2760: \fIlog_output\fR
2761: options are enabled or when the
2762: \fRLOG_INPUT\fR
2763: or
2764: \fRLOG_OUTPUT\fR
2765: tags are present for a command.
2766: Note that
2767: \fIiolog_file\fR
2768: may contain directory components.
2769: The default is
2770: ``\fR%{seq}\fR''.
2771: .sp
2772: See the
2773: \fIiolog_dir\fR
2774: option above for a list of supported percent
2775: (`%')
2776: escape sequences.
2777: .sp
1.1 misho 2778: In addition to the escape sequences, path names that end in six or
1.1.1.3 misho 2779: more
2780: \fRX\fRs
2781: will have the
2782: \fRX\fRs
2783: replaced with a unique combination of digits and letters, similar to the
2784: mktemp(3)
2785: function.
1.1.1.4 ! misho 2786: .sp
! 2787: If the path created by concatenating
! 2788: \fIiolog_dir\fR
! 2789: and
! 2790: \fIiolog_file\fR
! 2791: already exists, the existing I/O log file will be truncated and
! 2792: overwritten unless
! 2793: \fIiolog_file\fR
! 2794: ends in six or
! 2795: more
! 2796: \fRX\fRs.
1.1.1.3 misho 2797: .PD
2798: .TP 18n
2799: limitprivs
2800: The default Solaris limit privileges to use when constructing a new
2801: privilege set for a command.
2802: This bounds all privileges of the executing process.
2803: The default limit privileges may be overridden on a per-command basis in
2804: \fIsudoers\fR.
2805: This option is only available if
2806: \fBsudoers\fR
2807: is built on Solaris 10 or higher.
2808: .TP 18n
2809: mailsub
2810: Subject of the mail sent to the
2811: \fImailto\fR
2812: user.
2813: The escape
2814: \fR%h\fR
1.1 misho 2815: will expand to the host name of the machine.
1.1.1.3 misho 2816: Default is
2817: ``\fR@mailsub@\fR''.
2818: .TP 18n
1.1.1.4 ! misho 2819: maxseq
! 2820: The maximum sequence number that will be substituted for the
! 2821: ``\fR%{seq}\fR''
! 2822: escape in the I/O log file (see the
! 2823: \fIiolog_dir\fR
! 2824: description above for more information).
! 2825: While the value substituted for
! 2826: ``\fR%{seq}\fR''
! 2827: is in base 36,
! 2828: \fImaxseq\fR
! 2829: itself should be expressed in decimal.
! 2830: Values larger than 2176782336 (which corresponds to the
! 2831: base 36 sequence number
! 2832: ``ZZZZZZ'')
! 2833: will be silently truncated to 2176782336.
! 2834: The default value is 2176782336.
! 2835: .sp
! 2836: Once the local sequence number reaches the value of
! 2837: \fImaxseq\fR,
! 2838: it will
! 2839: ``roll over''
! 2840: to zero, after which
! 2841: \fBsudoers\fR
! 2842: will truncate and re-use any existing I/O log pathnames.
! 2843: .sp
! 2844: This setting is only supported by version 1.8.7 or higher.
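The iolog_dir and iolog_file escape expansion, the two-digit directory split of %{seq}, the trailing-X uniqueness rule and the maxseq rollover described above, modelled as an added Python example that is not sudo's own code. The function names, the sample session context, the log directory and the fixed timestamp are all constructed for illustration.

```python
"""Added model of how sudoers builds I/O log path names from iolog_dir,
iolog_file, the %{seq} sequence number and maxseq.  Illustration only, not
sudo's own code; every sample value below is constructed."""
import random
import re
import string
import time

BASE36 = "0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ"
# Decimal ceiling the manual gives for maxseq; larger values are clamped to it.
MAXSEQ_LIMIT = 2176782336
# Constructed session context and a fixed time (2013-04-30) for reproducible output.
SAMPLE_CTX = {"user": "alice", "group": "staff", "runas_user": "root",
              "runas_group": "wheel", "hostname": "web01", "command": "ls"}
SAMPLE_NOW = time.struct_time((2013, 4, 30, 12, 0, 0, 1, 120, -1))


def seq_to_base36(seq, width=6):
    """Encode a sequence number as zero-padded upper-case base 36 (0100A5 style)."""
    if seq < 0:
        raise ValueError("sequence number must be non-negative")
    digits = ""
    while True:
        seq, rem = divmod(seq, 36)
        digits = BASE36[rem] + digits
        if seq == 0:
            return digits.rjust(width, "0")


def next_seq(current, maxseq=MAXSEQ_LIMIT):
    """Advance the local sequence number: an oversized maxseq is silently
    clamped and the counter rolls over to zero once it reaches maxseq."""
    maxseq = min(maxseq, MAXSEQ_LIMIT)
    nxt = current + 1
    return 0 if nxt >= maxseq else nxt


def expand_escapes(template, ctx, seq, now=None):
    """Expand %{name} escapes and %%; any other % sequence goes to strftime(3)."""
    out, i = [], 0
    while i < len(template):
        if template[i] != "%":
            out.append(template[i])
            i += 1
        elif template.startswith("%%", i):          # literal percent sign
            out.append("%")
            i += 2
        elif template.startswith("%{", i):          # sudoers escape, e.g. %{user}
            end = template.index("}", i)
            name = template[i + 2:end]
            if name == "seq":
                enc = seq_to_base36(seq)
                # every two base-36 digits form a directory: 0100A5 -> 01/00/A5
                out.append("/".join(enc[j:j + 2] for j in range(0, len(enc), 2)))
            elif name in ctx:
                out.append(ctx[name])
            else:
                raise KeyError("unknown escape %%{%s}" % name)
            i = end + 1
        else:                                       # strftime(3) conversion, e.g. %Y
            if i + 1 >= len(template):
                raise ValueError("dangling '%' at end of template")
            conv = template[i:i + 2]
            out.append(time.strftime(conv) if now is None else time.strftime(conv, now))
            i += 2
    return "".join(out)


def iolog_path(iolog_dir, iolog_file, ctx, seq, now=None):
    """Concatenate the expanded iolog_dir and iolog_file into one path."""
    head = expand_escapes(iolog_dir, ctx, seq, now).rstrip("/")
    tail = expand_escapes(iolog_file, ctx, seq, now).lstrip("/")
    return head + "/" + tail


def fill_xs(path, seed=None):
    """Replace a trailing run of six or more X's with random letters and digits,
    similar to mktemp(3).  A seed is accepted only to make tests reproducible."""
    m = re.search(r"X{6,}$", path)
    if m is None:
        return path
    rng = random.SystemRandom() if seed is None else random.Random(seed)
    alphabet = string.ascii_letters + string.digits
    suffix = "".join(rng.choice(alphabet) for _ in range(m.end() - m.start()))
    return path[:m.start()] + suffix


def overwrites_existing(iolog_file, path, existing_paths):
    """An existing log at `path` is truncated and overwritten unless iolog_file
    ends in six or more X's, which give every new session a unique name."""
    return path in existing_paths and re.search(r"X{6,}$", iolog_file) is None


if __name__ == "__main__":
    seq = next_seq(1679980)                         # 1679981 == base-36 0100A5
    print(iolog_path("/var/log/sudo-io", "%{seq}", SAMPLE_CTX, seq))
    print(fill_xs(iolog_path("/var/log/sudo-io/%{user}", "%Y%m%d/%{command}-XXXXXX",
                             SAMPLE_CTX, seq, SAMPLE_NOW)))
```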
! 2845: .TP 18n
1.1.1.3 misho 2846: noexec_file
1.1.1.4 ! misho 2847: As of
! 2848: \fBsudo\fR
! 2849: version 1.8.1 this option is no longer supported.
1.1.1.3 misho 2850: The path to the noexec file should now be set in the
1.1.1.4 ! misho 2851: sudo.conf(@mansectform@)
1.1.1.3 misho 2852: file.
2853: .TP 18n
2854: passprompt
2855: The default prompt to use when asking for a password; can be overridden via the
2856: \fB\-p\fR
2857: option or the
2858: \fRSUDO_PROMPT\fR
2859: environment variable.
2860: The following percent
2861: (`%')
2862: escape sequences are supported:
2863: .RS
2864: .TP 6n
2865: \fR%H\fR
1.1 misho 2866: expanded to the local host name including the domain name
1.1.1.3 misho 2867: (only if the machine's host name is fully qualified or the
2868: \fIfqdn\fR
1.1 misho 2869: option is set)
1.1.1.3 misho 2870: .TP 6n
2871: \fR%h\fR
1.1 misho 2872: expanded to the local host name without the domain name
1.1.1.3 misho 2873: .TP 6n
2874: \fR%p\fR
2875: expanded to the user whose password is being asked for (respects the
2876: \fIrootpw\fR,
2877: \fItargetpw\fR
2878: and
2879: \fIrunaspw\fR
2880: flags in
2881: \fIsudoers\fR)
2882: .TP 6n
2883: \fR\&%U\fR
1.1 misho 2884: expanded to the login name of the user the command will
2885: be run as (defaults to root)
1.1.1.3 misho 2886: .TP 6n
2887: \fR%u\fR
1.1 misho 2888: expanded to the invoking user's login name
1.1.1.3 misho 2889: .TP 6n
2890: \fR%%\fR
2891: two consecutive
2892: \fR%\fR
2893: characters are collapsed into a single
2894: \fR%\fR
2895: character
2896: .PP
2897: The default value is
2898: ``\fR@passprompt@\fR''.
2899: .PP
2900: .RE
2901: .PD 0
2902: .TP 18n
2903: privs
2904: The default Solaris privileges to use when constructing a new
2905: privilege set for a command.
2906: This is passed to the executing process via the inherited privilege set,
2907: but is bounded by the limit privileges.
2908: If the
2909: \fIprivs\fR
2910: option is specified but the
2911: \fIlimitprivs\fR
2912: option is not, the limit privileges of the executing process are set to
2913: \fIprivs\fR.
2914: The default privileges may be overridden on a per-command basis in
2915: \fIsudoers\fR.
2916: This option is only available if
2917: \fBsudoers\fR
2918: is built on Solaris 10 or higher.
2919: .PD
2920: .TP 18n
2921: role
1.1 misho 2922: The default SELinux role to use when constructing a new security
1.1.1.3 misho 2923: context to run the command.
2924: The default role may be overridden on a per-command basis in
2925: \fIsudoers\fR
2926: or via command line options.
2927: This option is only available when
2928: \fBsudo\fR
2929: is built with SELinux support.
2930: .TP 18n
2931: runas_default
2932: The default user to run commands as if the
2933: \fB\-u\fR
2934: option is not specified on the command line.
2935: This defaults to
2936: \fR@runas_default@\fR.
2937: .TP 18n
2938: syslog_badpri
1.1 misho 2939: Syslog priority to use when user authenticates unsuccessfully.
1.1.1.3 misho 2940: Defaults to
2941: \fR@badpri@\fR.
2942: .sp
2943: The following syslog priorities are supported:
2944: \fBalert\fR,
2945: \fBcrit\fR,
2946: \fBdebug\fR,
2947: \fBemerg\fR,
2948: \fBerr\fR,
2949: \fBinfo\fR,
2950: \fBnotice\fR,
2951: and
2952: \fBwarning\fR.
2953: .TP 18n
2954: syslog_goodpri
1.1 misho 2955: Syslog priority to use when user authenticates successfully.
1.1.1.3 misho 2956: Defaults to
2957: \fR@goodpri@\fR.
2958: .sp
2959: See
2960: \fIsyslog_badpri\fR
2961: for the list of supported syslog priorities.
2962: .TP 18n
2963: sudoers_locale
1.1 misho 2964: Locale to use when parsing the sudoers file, logging commands, and
1.1.1.3 misho 2965: sending email.
2966: Note that changing the locale may affect how sudoers is interpreted.
2967: Defaults to
2968: ``\fRC\fR''.
2969: .TP 18n
2970: timestampdir
2971: The directory in which
2972: \fBsudo\fR
2973: stores its time stamp files.
2974: The default is
2975: \fI@timedir@\fR.
2976: .TP 18n
2977: timestampowner
2978: The owner of the time stamp directory and the time stamps stored therein.
2979: The default is
2980: \fRroot\fR.
2981: .TP 18n
2982: type
1.1 misho 2983: The default SELinux type to use when constructing a new security
1.1.1.3 misho 2984: context to run the command.
2985: The default type may be overridden on a per-command basis in
2986: \fIsudoers\fR
2987: or via command line options.
2988: This option is only available when
2989: \fBsudo\fR
2990: is built with SELinux support.
2991: .PP
2992: \fBStrings that can be used in a boolean context\fR:
2993: .TP 14n
2994: env_file
2995: The
2996: \fIenv_file\fR
2997: option specifies the fully qualified path to a file containing variables
2998: to be set in the environment of the program being run.
2999: Entries in this file should either be of the form
3000: ``\fRVARIABLE=value\fR''
3001: or
3002: ``\fRexport VARIABLE=value\fR''.
3003: The value may optionally be surrounded by single or double quotes.
3004: Variables in this file are subject to other
3005: \fBsudo\fR
3006: environment settings such as
3007: \fIenv_keep\fR
3008: and
3009: \fIenv_check\fR.
3010: .TP 14n
3011: exempt_group
3012: Users in this group are exempt from password and PATH requirements.
3013: The group name specified should not include a
3014: \fR%\fR
3015: prefix.
1.1 misho 3016: This is not set by default.
1.1.1.3 misho 3017: .TP 14n
3018: group_plugin
3019: A string containing a
3020: \fIsudoers\fR
3021: group plugin with optional arguments.
3022: The string should consist of the plugin
3023: path, either fully-qualified or relative to the
1.1.1.4 ! misho 3024: \fI@PLUGINDIR@\fR
1.1.1.3 misho 3025: directory, followed by any configuration arguments the plugin requires.
3026: These arguments (if any) will be passed to the plugin's initialization function.
3027: If arguments are present, the string must be enclosed in double quotes
3028: (\&"").
3029: .sp
3030: For more information see
1.1.1.4 ! misho 3031: GROUP PROVIDER PLUGINS.
1.1.1.3 misho 3032: .TP 14n
3033: lecture
1.1 misho 3034: This option controls when a short lecture will be printed along with
1.1.1.3 misho 3035: the password prompt.
3036: It has the following possible values:
3037: .RS
3038: .TP 8n
3039: always
1.1 misho 3040: Always lecture the user.
1.1.1.3 misho 3041: .TP 8n
3042: never
1.1 misho 3043: Never lecture the user.
1.1.1.3 misho 3044: .TP 8n
3045: once
3046: Only lecture the user the first time they run
3047: \fBsudo\fR.
3048: .PP
3049: If no value is specified, a value of
3050: \fIonce\fR
3051: is implied.
3052: Negating the option results in a value of
3053: \fInever\fR
3054: being used.
3055: The default value is
3056: \fI@lecture@\fR.
3057: .PP
3058: .RE
3059: .PD 0
3060: .TP 14n
3061: lecture_file
3062: Path to a file containing an alternate
3063: \fBsudo\fR
3064: lecture that will be used in place of the standard lecture if the named
3065: file exists.
3066: By default,
3067: \fBsudo\fR
3068: uses a built-in lecture.
3069: .PD
3070: .TP 14n
3071: listpw
3072: This option controls when a password will be required when a user runs
3073: \fBsudo\fR
3074: with the
3075: \fB\-l\fR
3076: option.
3077: It has the following possible values:
3078: .RS
3079: .TP 10n
3080: all
3081: All the user's
3082: \fIsudoers\fR
3083: entries for the current host must have
3084: the
3085: \fRNOPASSWD\fR
3086: flag set to avoid entering a password.
3087: .TP 10n
3088: always
3089: The user must always enter a password to use the
3090: \fB\-l\fR
3091: option.
3092: .TP 10n
3093: any
3094: At least one of the user's
3095: \fIsudoers\fR
3096: entries for the current host
3097: must have the
3098: \fRNOPASSWD\fR
3099: flag set to avoid entering a password.
3100: .TP 10n
3101: never
3102: The user need never enter a password to use the
3103: \fB\-l\fR
3104: option.
3105: .PP
3106: If no value is specified, a value of
3107: \fIany\fR
3108: is implied.
3109: Negating the option results in a value of
3110: \fInever\fR
3111: being used.
3112: The default value is
3113: \fIany\fR.
3114: .PP
3115: .RE
3116: .PD 0
3117: .TP 14n
3118: logfile
3119: Path to the
3120: \fBsudo\fR
3121: log file (not the syslog log file).
3122: Setting a path turns on logging to a file;
3123: negating this option turns it off.
3124: By default,
3125: \fBsudo\fR
3126: logs via syslog.
3127: .PD
3128: .TP 14n
3129: mailerflags
3130: Flags to use when invoking the mailer. Defaults to
3131: \fB\-t\fR.
3132: .TP 14n
3133: mailerpath
1.1 misho 3134: Path to mail program used to send warning mail.
3135: Defaults to the path to sendmail found at configure time.
1.1.1.3 misho 3136: .TP 14n
3137: mailfrom
3138: Address to use for the
3139: ``from''
3140: address when sending warning and error mail.
3141: The address should be enclosed in double quotes
3142: (\&"")
3143: to protect against
3144: \fBsudo\fR
3145: interpreting the
3146: \fR@\fR
3147: sign.
3148: Defaults to the name of the user running
3149: \fBsudo\fR.
3150: .TP 14n
3151: mailto
3152: Address to send warning and error mail to.
3153: The address should be enclosed in double quotes
3154: (\&"")
3155: to protect against
3156: \fBsudo\fR
3157: interpreting the
3158: \fR@\fR
3159: sign.
3160: Defaults to
3161: \fR@mailto@\fR.
3162: .TP 14n
3163: secure_path
3164: Path used for every command run from
3165: \fBsudo\fR.
3166: If you don't trust the
3167: people running
3168: \fBsudo\fR
3169: to have a sane
3170: \fRPATH\fR
3171: environment variable, you may want to use this.
3172: Another use is if you want to have the
3173: ``root path''
3174: be separate from the
3175: ``user path''.
3176: Users in the group specified by the
3177: \fIexempt_group\fR
3178: option are not affected by
3179: \fIsecure_path\fR.
1.1 misho 3180: This option is @secure_path@ by default.
1.1.1.3 misho 3181: .TP 14n
3182: syslog
1.1 misho 3183: Syslog facility if syslog is being used for logging (negate to
1.1.1.3 misho 3184: disable syslog logging).
3185: Defaults to
3186: \fR@logfac@\fR.
3187: .sp
3188: The following syslog facilities are supported:
3189: \fBauthpriv\fR
3190: (if your
3191: OS supports it),
3192: \fBauth\fR,
3193: \fBdaemon\fR,
3194: \fBuser\fR,
3195: \fBlocal0\fR,
3196: \fBlocal1\fR,
3197: \fBlocal2\fR,
3198: \fBlocal3\fR,
3199: \fBlocal4\fR,
3200: \fBlocal5\fR,
3201: \fBlocal6\fR,
3202: and
3203: \fBlocal7\fR.
3204: .TP 14n
3205: verifypw
1.1 misho 3206: This option controls when a password will be required when a user runs
1.1.1.3 misho 3207: \fBsudo\fR
3208: with the
3209: \fB\-v\fR
3210: option.
3211: It has the following possible values:
3212: .RS
3213: .TP 8n
3214: all
3215: All the user's
3216: \fIsudoers\fR
3217: entries for the current host must have the
3218: \fRNOPASSWD\fR
3219: flag set to avoid entering a password.
3220: .TP 8n
3221: always
3222: The user must always enter a password to use the
3223: \fB\-v\fR
3224: option.
3225: .TP 8n
3226: any
3227: At least one of the user's
3228: \fIsudoers\fR
3229: entries for the current host must have the
3230: \fRNOPASSWD\fR
3231: flag set to avoid entering a password.
3232: .TP 8n
3233: never
3234: The user need never enter a password to use the
3235: \fB\-v\fR
3236: option.
3237: .PP
3238: If no value is specified, a value of
3239: \fIall\fR
3240: is implied.
3241: Negating the option results in a value of
3242: \fInever\fR
3243: being used.
3244: The default value is
3245: \fIall\fR.
3246: .RE
3247: .PP
3248: \fBLists that can be used in a boolean context\fR:
3249: .TP 18n
3250: env_check
1.1 misho 3251: Environment variables to be removed from the user's environment if
1.1.1.3 misho 3252: the variable's value contains
3253: `%'
3254: or
3255: `/'
3256: characters.
3257: This can be used to guard against printf-style format vulnerabilities
3258: in poorly-written programs.
3259: The argument may be a double-quoted, space-separated list or a
3260: single value without double-quotes.
3261: The list can be replaced, added to, deleted from, or disabled by using
3262: the
3263: \fR=\fR,
3264: \fR+=\fR,
3265: \fR-=\fR,
3266: and
3267: \fR\&!\fR
3268: operators respectively.
3269: Regardless of whether the
3270: \fRenv_reset\fR
3271: option is enabled or disabled, variables specified by
3272: \fRenv_check\fR
3273: will be preserved in the environment if they pass the aforementioned check.
3274: The default list of environment variables to check is displayed when
3275: \fBsudo\fR
3276: is run by root with
3277: the
3278: \fB\-V\fR
3279: option.
3280: .TP 18n
3281: env_delete
3282: Environment variables to be removed from the user's environment when the
3283: \fIenv_reset\fR
3284: option is not in effect.
3285: The argument may be a double-quoted, space-separated list or a
3286: single value without double-quotes.
3287: The list can be replaced, added to, deleted from, or disabled by using the
3288: \fR=\fR,
3289: \fR+=\fR,
3290: \fR-=\fR,
3291: and
3292: \fR\&!\fR
3293: operators respectively.
3294: The default list of environment variables to remove is displayed when
3295: \fBsudo\fR
3296: is run by root with the
3297: \fB\-V\fR
3298: option.
1.1 misho 3299: Note that many operating systems will remove potentially dangerous
3300: variables from the environment of any setuid process (such as
1.1.1.3 misho 3301: \fBsudo\fR).
3302: .TP 18n
3303: env_keep
3304: Environment variables to be preserved in the user's environment when the
3305: \fIenv_reset\fR
3306: option is in effect.
3307: This allows fine-grained control over the environment
3308: \fBsudo\fR-spawned
3309: processes will receive.
1.1 misho 3310: The argument may be a double-quoted, space-separated list or a
1.1.1.3 misho 3311: single value without double-quotes.
3312: The list can be replaced, added to, deleted from, or disabled by using the
3313: \fR=\fR,
3314: \fR+=\fR,
3315: \fR-=\fR,
3316: and
3317: \fR\&!\fR
3318: operators respectively.
3319: The default list of variables to keep
3320: is displayed when
3321: \fBsudo\fR
3322: is run by root with the
3323: \fB\-V\fR
3324: option.
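.PP
The interaction of \fIenv_reset\fR, \fIenv_keep\fR, \fIenv_check\fR and \fIenv_delete\fR described above, as an added Python model. This is not sudo's own code (the real logic is C inside the \fBsudoers\fR plugin and applies further rules not covered in this section); it implements only the four rules stated here. The variable lists and the sample environment are constructed for the illustration.

```python
"""Model of how the sudoers plugin filters a caller's environment.

Added illustration, not sudo's own code (the real logic is C inside the
sudoers plugin and applies further rules not covered in this section).
Only env_reset, env_keep, env_check and env_delete as described above are
modelled; the variable lists and the sample environment are constructed.
"""
from typing import Dict, Iterable


def passes_env_check(value: str) -> bool:
    """The env_check rule: a value containing '%' or '/' is rejected.

    '%' catches printf-style format strings; '/' catches path injection
    (for example a TZ value pointing at an attacker-controlled zone file).
    """
    return "%" not in value and "/" not in value


def filter_environment(
    env: Dict[str, str],
    *,
    env_reset: bool,
    env_keep: Iterable[str] = (),
    env_check: Iterable[str] = (),
    env_delete: Iterable[str] = (),
) -> Dict[str, str]:
    """Return the environment a sudo-spawned command would receive.

    env_reset enabled:  start empty; copy env_keep variables unconditionally
                        and env_check variables only if they pass the check.
    env_reset disabled: start from everything; drop env_delete variables and
                        any env_check variable that fails the check.
    """
    keep, check, delete = set(env_keep), set(env_check), set(env_delete)
    result: Dict[str, str] = {}
    for name, value in env.items():
        if env_reset:
            wanted = name in keep or (name in check and passes_env_check(value))
        else:
            wanted = name not in delete and not (name in check and not passes_env_check(value))
        if wanted:
            result[name] = value
    return result


# Constructed caller environment: TZ carries a format string, TERM is clean.
SAMPLE_ENV = {
    "HOME": "/home/alice",
    "DISPLAY": ":0",
    "LANG": "en_US.UTF-8",
    "TERM": "xterm-256color",
    "TZ": "%s%s%s%s",
    "LD_PRELOAD": "/tmp/evil.so",
    "EDITOR": "vi",
}
# Constructed lists standing in for the Defaults an administrator would set.
ENV_KEEP = ("DISPLAY", "HOME", "LANG")
ENV_CHECK = ("TERM", "TZ")
ENV_DELETE = ("LD_PRELOAD",)


def demo():
    """Filter SAMPLE_ENV both with and without env_reset."""
    common = dict(env_keep=ENV_KEEP, env_check=ENV_CHECK, env_delete=ENV_DELETE)
    return (
        filter_environment(SAMPLE_ENV, env_reset=True, **common),
        filter_environment(SAMPLE_ENV, env_reset=False, **common),
    )


if __name__ == "__main__":
    reset_on, reset_off = demo()
    print("env_reset enabled: ", sorted(reset_on))
    print("env_reset disabled:", sorted(reset_off))
```

Running the script shows the point of the check: TZ is dropped in both modes because its value contains a `%', TERM survives in both because it passes, and EDITOR (listed nowhere) survives only when \fIenv_reset\fR is disabled.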
1.1.1.4 ! misho 3325: .SH "GROUP PROVIDER PLUGINS"
! 3326: The
! 3327: \fBsudoers\fR
! 3328: plugin supports its own plugin interface to allow non-Unix
! 3329: group lookups which can query a group source other
! 3330: than the standard Unix group database.
! 3331: This can be used to implement support for the
! 3332: \fRnonunix_group\fR
! 3333: syntax described earlier.
! 3334: .PP
! 3335: Group provider plugins are specified via the
! 3336: \fIgroup_plugin\fR
! 3337: Defaults setting.
! 3338: The argument to
! 3339: \fIgroup_plugin\fR
! 3340: should consist of the plugin path, either fully-qualified or relative to the
! 3341: \fI@PLUGINDIR@\fR
! 3342: directory, followed by any configuration options the plugin requires.
! 3343: These options (if specified) will be passed to the plugin's initialization
! 3344: function.
! 3345: If options are present, the string must be enclosed in double quotes
! 3346: (\&"").
! 3347: .PP
! 3348: The following group provider plugins are installed by default:
! 3349: .TP 10n
! 3350: group_file
! 3351: The
! 3352: \fIgroup_file\fR
! 3353: plugin supports an alternate group file that uses the same syntax as the
! 3354: \fI/etc/group\fR
! 3355: file.
! 3356: The path to the group file should be specified as an option
! 3357: to the plugin.
! 3358: For example, if the group file to be used is
! 3359: \fI/etc/sudo-group\fR:
! 3360: .RS
! 3361: .nf
! 3362: .sp
! 3363: .RS 0n
! 3364: Defaults group_plugin="group_file.so /etc/sudo-group"
! 3365: .RE
! 3366: .fi
! 3367: .PP
! 3368: .RE
! 3369: .PD 0
! 3370: .TP 10n
! 3371: system_group
! 3372: The
! 3373: \fIsystem_group\fR
! 3374: plugin supports group lookups via the standard C library functions
! 3375: \fBgetgrnam\fR()
! 3376: and
! 3377: \fBgetgrgid\fR().
! 3378: This plugin can be used in instances where the user belongs to
! 3379: groups not present in the user's supplemental group vector.
! 3380: This plugin takes no options:
! 3381: .RS
! 3382: .nf
! 3383: .sp
! 3384: .RS 0n
! 3385: Defaults group_plugin=system_group.so
! 3386: .RE
! 3387: .fi
! 3388: .RE
! 3389: .PD
! 3390: .PP
! 3391: The group provider plugin API is described in detail in
! 3392: sudo_plugin(@mansectsu@).
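.PP
The lookup that the \fIgroup_file\fR plugin performs against a file in \fI/etc/group\fR syntax, as an added Python example that is not sudo's plugin code. The file contents below are constructed, as is the \fI/etc/sudo-group\fR path named in the comment; the parser answers the membership question a \fR%:group\fR entry in \fIsudoers\fR puts to the group plugin.

```python
"""Resolve '%:group' membership from an alternate group file.

Added example of the lookup the group_file plugin performs against a file in
/etc/group syntax; this is not sudo's plugin code.  The file contents are
constructed, as is the path named in the comment.
"""
from typing import Dict, Set

# Constructed contents of a file that would be configured with
#   Defaults group_plugin="group_file.so /etc/sudo-group"
SAMPLE_GROUP_FILE = """\
# name:password:gid:member,member,...
dbadmins:x:5001:fred,alice
webmasters:x:5002:will,wendy,wim
emptygroup:x:5003:

this line has the wrong number of fields
"""


def parse_group_file(text: str) -> Dict[str, Set[str]]:
    """Parse /etc/group-style text into {group name: set of member names}.

    Blank lines and '#' comments are skipped.  A line without exactly four
    colon-separated fields is ignored rather than guessed at, so a damaged
    file can only fail to grant membership, never grant it by accident.
    The first definition of a group name wins, as getgrnam() would.
    """
    groups: Dict[str, Set[str]] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 4:
            continue
        name, _password, _gid, members = fields
        if name not in groups:
            groups[name] = {m.strip() for m in members.split(",") if m.strip()}
    return groups


def user_in_group(groups: Dict[str, Set[str]], user: str, group: str) -> bool:
    """The question a '%:group' entry in sudoers puts to the group plugin."""
    return user in groups.get(group, set())


if __name__ == "__main__":
    table = parse_group_file(SAMPLE_GROUP_FILE)
    for user, group in (("fred", "dbadmins"), ("fred", "webmasters"), ("will", "webmasters")):
        print("%s in %%:%s -> %s" % (user, group, user_in_group(table, user, group)))
```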
1.1.1.3 misho 3393: .SH "LOG FORMAT"
3394: \fBsudoers\fR
3395: can log events using either
3396: syslog(3)
3397: or a simple log file.
3398: In each case the log format is almost identical.
3399: .SS "Accepted command log entries"
3400: Commands that sudo runs are logged using the following format (split
3401: into multiple lines for readability):
3402: .nf
3403: .sp
3404: .RS 4n
3405: date hostname progname: username : TTY=ttyname ; PWD=cwd ; \e
3406: USER=runasuser ; GROUP=runasgroup ; TSID=logid ; \e
3407: ENV=env_vars COMMAND=command
3408: .RE
3409: .fi
3410: .PP
3411: Where the fields are as follows:
3412: .TP 14n
3413: date
3414: The date the command was run.
3415: Typically, this is in the format
3416: ``MMM DD HH:MM:SS''.
3417: If logging via
3418: syslog(3),
3419: the actual date format is controlled by the syslog daemon.
3420: If logging to a file and the
3421: \fIlog_year\fR
3422: option is enabled,
3423: the date will also include the year.
3424: .TP 14n
3425: hostname
3426: The name of the host
3427: \fBsudo\fR
3428: was run on.
3429: This field is only present when logging via
3430: syslog(3).
3431: .TP 14n
3432: progname
3433: The name of the program, usually
3434: \fIsudo\fR
3435: or
3436: \fIsudoedit\fR.
3437: This field is only present when logging via
3438: syslog(3).
3439: .TP 14n
3440: username
3441: The login name of the user who ran
3442: \fBsudo\fR.
3443: .TP 14n
3444: ttyname
3445: The short name of the terminal (e.g.\&
3446: ``console'',
3447: ``tty01'',
3448: or
3449: ``pts/0'')
3450: \fBsudo\fR
3451: was run on, or
3452: ``unknown''
3453: if there was no terminal present.
3454: .TP 14n
3455: cwd
3456: The current working directory that
3457: \fBsudo\fR
3458: was run in.
3459: .TP 14n
3460: runasuser
3461: The user the command was run as.
3462: .TP 14n
3463: runasgroup
3464: The group the command was run as if one was specified on the command line.
3465: .TP 14n
3466: logid
3467: An I/O log identifier that can be used to replay the command's output.
3468: This is only present when the
3469: \fIlog_input\fR
3470: or
3471: \fIlog_output\fR
3472: option is enabled.
3473: .TP 14n
3474: env_vars
3475: A list of environment variables specified on the command line,
3476: if specified.
3477: .TP 14n
3478: command
3479: The actual command that was executed.
3480: .PP
3481: Messages are logged using the locale specified by
3482: \fIsudoers_locale\fR,
3483: which defaults to the
3484: ``\fRC\fR''
3485: locale.
3486: .SS "Denied command log entries"
3487: If the user is not allowed to run the command, the reason for the denial
3488: will follow the user name.
3489: Possible reasons include:
3490: .TP 3n
3491: user NOT in sudoers
3492: The user is not listed in the
3493: \fIsudoers\fR
3494: file.
3495: .TP 3n
3496: user NOT authorized on host
3497: The user is listed in the
3498: \fIsudoers\fR
3499: file but is not allowed to run commands on the host.
3500: .TP 3n
3501: command not allowed
3502: The user is listed in the
3503: \fIsudoers\fR
3504: file for the host but they are not allowed to run the specified command.
3505: .TP 3n
3506: 3 incorrect password attempts
3507: The user failed to enter their password after 3 tries.
3508: The actual number of tries will vary based on the number of
3509: failed attempts and the value of the
3510: \fIpasswd_tries\fR
3511: option.
3512: .TP 3n
3513: a password is required
3514: \fBsudo\fR's
3515: \fB\-n\fR
3516: option was specified but a password was required.
3517: .TP 3n
3518: sorry, you are not allowed to set the following environment variables
3519: The user specified environment variables on the command line that
3520: were not allowed by
3521: \fIsudoers\fR.
3522: .SS "Error log entries"
3523: If an error occurs,
3524: \fBsudoers\fR
3525: will log a message and, in most cases, send a message to the
3526: administrator via email.
3527: Possible errors include:
3528: .TP 3n
3529: parse error in @sysconfdir@/sudoers near line N
3530: \fBsudoers\fR
3531: encountered an error when parsing the specified file.
3532: In some cases, the actual error may be one line above or below the
3533: line number listed, depending on the type of error.
3534: .TP 3n
3535: problem with defaults entries
3536: The
3537: \fIsudoers\fR
3538: file contains one or more unknown Defaults settings.
3539: This does not prevent
3540: \fBsudo\fR
3541: from running, but the
3542: \fIsudoers\fR
3543: file should be checked using
3544: \fBvisudo\fR.
3545: .TP 3n
3546: timestamp owner (username): \&No such user
3547: The time stamp directory owner, as specified by the
3548: \fItimestampowner\fR
3549: setting, could not be found in the password database.
3550: .TP 3n
3551: unable to open/read @sysconfdir@/sudoers
3552: The
3553: \fIsudoers\fR
3554: file could not be opened for reading.
3555: This can happen when the
3556: \fIsudoers\fR
3557: file is located on a remote file system that maps user ID 0 to
3558: a different value.
3559: Normally,
3560: \fBsudoers\fR
3561: tries to open
3562: \fIsudoers\fR
3563: using group permissions to avoid this problem.
1.1.1.4 ! misho 3564: Consider either changing the ownership of
1.1.1.3 misho 3565: \fI@sysconfdir@/sudoers\fR
1.1.1.4 ! misho 3566: or adding an argument like
1.1.1.3 misho 3567: ``sudoers_uid=N''
3568: (where
3569: `N'
3570: is the user ID that owns the
3571: \fIsudoers\fR
1.1.1.4 ! misho 3572: file) to the end of the
1.1.1.3 misho 3573: \fBsudoers\fR
1.1.1.4 ! misho 3574: \fRPlugin\fR
! 3575: line in the
! 3576: sudo.conf(@mansectform@)
1.1.1.3 misho 3577: file.
3578: .TP 3n
3579: unable to stat @sysconfdir@/sudoers
3580: The
3581: \fI@sysconfdir@/sudoers\fR
3582: file is missing.
3583: .TP 3n
3584: @sysconfdir@/sudoers is not a regular file
3585: The
3586: \fI@sysconfdir@/sudoers\fR
3587: file exists but is not a regular file or symbolic link.
3588: .TP 3n
3589: @sysconfdir@/sudoers is owned by uid N, should be 0
3590: The
3591: \fIsudoers\fR
3592: file has the wrong owner.
3593: If you wish to change the
3594: \fIsudoers\fR
3595: file owner, please add
3596: ``sudoers_uid=N''
3597: (where
3598: `N'
3599: is the user ID that owns the
3600: \fIsudoers\fR
3601: file) to the
3602: \fBsudoers\fR
1.1.1.4 ! misho 3603: \fRPlugin\fR
! 3604: line in the
! 3605: sudo.conf(@mansectform@)
1.1.1.3 misho 3606: file.
3607: .TP 3n
3608: @sysconfdir@/sudoers is world writable
3609: The permissions on the
3610: \fIsudoers\fR
3611: file allow all users to write to it.
3612: The
3613: \fIsudoers\fR
3614: file must not be world-writable; the default file mode
3615: is 0440 (readable by owner and group, writable by none).
3616: The default mode may be changed via the
3617: ``sudoers_mode''
3618: option to the
3619: \fBsudoers\fR
1.1.1.4 ! misho 3620: \fRPlugin\fR
! 3621: line in the
! 3622: sudo.conf(@mansectform@)
1.1.1.3 misho 3623: file.
3624: .TP 3n
3625: @sysconfdir@/sudoers is owned by gid N, should be 1
3626: The
3627: \fIsudoers\fR
3628: file has the wrong group ownership.
3629: If you wish to change the
3630: \fIsudoers\fR
3631: file group ownership, please add
3632: ``sudoers_gid=N''
3633: (where
3634: `N'
3635: is the group ID that owns the
3636: \fIsudoers\fR
3637: file) to the
3638: \fBsudoers\fR
1.1.1.4 ! misho 3639: \fRPlugin\fR
! 3640: line in the
! 3641: sudo.conf(@mansectform@)
1.1.1.3 misho 3642: file.
3643: .TP 3n
3644: unable to open @timedir@/username/ttyname
3645: \fIsudoers\fR
3646: was unable to read or create the user's time stamp file.
3647: .TP 3n
3648: unable to write to @timedir@/username/ttyname
3649: \fIsudoers\fR
3650: was unable to write to the user's time stamp file.
3651: .TP 3n
3652: unable to mkdir to @timedir@/username
3653: \fIsudoers\fR
3654: was unable to create the user's time stamp directory.
3655: .SS "Notes on logging via syslog"
3656: By default,
3657: \fIsudoers\fR
3658: logs messages via
3659: syslog(3).
3660: The
3661: \fIdate\fR,
3662: \fIhostname\fR,
3663: and
3664: \fIprogname\fR
3665: fields are added by the syslog daemon, not
3666: \fIsudoers\fR
3667: itself.
3668: As such, they may vary in format on different systems.
3669: .PP
3670: On most systems,
3671: syslog(3)
3672: has a relatively small log buffer.
3673: To prevent the command line arguments from being truncated,
3674: \fBsudoers\fR
3675: will split up log messages that are larger than 960 characters
3676: (not including the date, hostname, and the string
3677: ``sudo'').
3678: When a message is split, additional parts will include the string
3679: ``(command continued)''
3680: after the user name and before the continued command line arguments.
3681: .SS "Notes on logging to a file"
3682: If the
3683: \fIlogfile\fR
3684: option is set,
3685: \fIsudoers\fR
3686: will log to a local file, such as
3687: \fI/var/log/sudo\fR.
3688: When logging to a file,
3689: \fIsudoers\fR
3690: uses a format similar to
3691: syslog(3),
3692: with a few important differences:
3693: .TP 5n
3694: 1.
3695: The
3696: \fIprogname\fR
3697: and
3698: \fIhostname\fR
3699: fields are not present.
3700: .TP 5n
3701: 2.
3702: If the
3703: \fIlog_year\fR
3704: option is enabled,
3705: the date will also include the year.
3706: .TP 5n
3707: 3.
3708: Lines that are longer than
3709: \fIloglinelen\fR
3710: characters (80 by default) are word-wrapped and continued on the
3711: next line with a four character indent.
3712: This makes entries easier to read for a human being, but makes it
3713: more difficult to use
3714: grep(1)
3715: on the log files.
3716: If the
3717: \fIloglinelen\fR
3718: option is set to 0 (or negated with a
3719: `\&!'),
3720: word wrap will be disabled.
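.PP
A parser for the log formats described in this section, as an added Python example that is not part of sudo. It handles accepted entries, denied entries (the reason follows the user name), syslog messages that were split with ``(command continued)'', and file logs word-wrapped with a four character indent. Every sample log line is constructed. One assumption is made about the \fIlog_year\fR format: the year is taken to follow the time, as in ``Apr 30 09:15:02 2013''.

```python
"""Parser for the sudoers log formats described in LOG FORMAT.

Added example, not sudo's code.  It covers accepted entries, denied entries
(reason after the user name), syslog messages split with
"(command continued)", and file logs word-wrapped with a four-space indent.
Every sample line below is constructed.  Assumption: with log_year the year
follows the time, as in "Apr 30 09:15:02 2013".
"""
import re
from typing import Dict, List

SYSLOG_LINE = re.compile(
    r"^(?P<date>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) (?P<hostname>\S+) "
    r"(?P<progname>[A-Za-z]+)(?:\[\d+\])?: (?P<rest>.*)$"
)
FILE_LINE = re.compile(
    r"^(?P<date>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d(?: \d{4})?) : (?P<rest>.*)$"
)
FIELD_NAMES = {"TTY": "ttyname", "PWD": "cwd", "USER": "runasuser",
               "GROUP": "runasgroup", "TSID": "logid"}
CONTINUED = "(command continued) "


def _is_field(part: str) -> bool:
    key = part.split("=", 1)[0]
    return "=" in part and (key in FIELD_NAMES or key in ("ENV", "COMMAND"))


def parse_body(rest: str) -> Dict[str, str]:
    """Parse 'username : [reason ; ]TTY=... ; ... [ENV=...] COMMAND=...'."""
    username, sep, tail = rest.strip().partition(" : ")   # sudo pads the user name
    if not sep:
        raise ValueError("no user name field: %r" % rest)
    entry = {"username": username}
    if tail.startswith(CONTINUED):
        entry["continued"] = tail[len(CONTINUED):]
        return entry
    parts = tail.split(" ; ")
    if not _is_field(parts[0]):
        entry["reason"] = parts.pop(0)          # denial: reason follows the user name
    for idx, part in enumerate(parts):
        if part.startswith(("ENV=", "COMMAND=")):
            # ENV and COMMAND are separated by a space, not " ; ", and the
            # command line itself may contain " ; ", so rejoin the remainder.
            final = " ; ".join(parts[idx:])
            env, _, command = final.partition("COMMAND=")
            if env.startswith("ENV="):
                entry["env_vars"] = env[len("ENV="):].rstrip()
            entry["command"] = command
            break
        key, _, value = part.partition("=")
        entry[FIELD_NAMES.get(key, key.lower())] = value
    return entry


def parse_syslog(lines: List[str]) -> List[Dict[str, str]]:
    """Parse syslog lines, reattaching '(command continued)' fragments."""
    entries: List[Dict[str, str]] = []
    for line in lines:
        m = SYSLOG_LINE.match(line)
        if not m:
            continue
        try:
            entry = parse_body(m.group("rest"))
        except ValueError:
            continue                              # e.g. a PAM message, not a sudoers entry
        if "continued" in entry:
            # sudo splits at a space, so one space restores the command line.
            for prev in reversed(entries):
                if prev["username"] == entry["username"] and "command" in prev:
                    prev["command"] += " " + entry["continued"]
                    break
            continue
        entry.update(date=m.group("date"), hostname=m.group("hostname"),
                     progname=m.group("progname"))
        entries.append(entry)
    return entries


def parse_file_log(text: str) -> List[Dict[str, str]]:
    """Undo loglinelen word-wrapping (four-space indent), then parse each line."""
    joined: List[str] = []
    for raw in text.splitlines():
        if raw.startswith("    ") and joined:
            joined[-1] += " " + raw.strip()
        else:
            joined.append(raw)
    entries: List[Dict[str, str]] = []
    for line in joined:
        m = FILE_LINE.match(line)
        if m:
            entry = parse_body(m.group("rest"))
            entry["date"] = m.group("date")
            entries.append(entry)
    return entries


# Constructed sample input.
SYSLOG_SAMPLE = [
    "Apr 30 09:15:02 host1 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/id",
    "Apr 30 09:16:40 host1 sudo:      bob : TTY=pts/1 ; PWD=/tmp ; USER=oracle ; GROUP=dba ; TSID=000001 ; ENV=ORACLE_SID=PROD COMMAND=/usr/bin/sqlplus / as sysdba",
    "Apr 30 09:17:11 host1 sudo:  mallory : command not allowed ; TTY=pts/2 ; PWD=/home/mallory ; USER=root ; COMMAND=/bin/bash",
    "Apr 30 09:18:00 host1 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/find / -name",
    "Apr 30 09:18:00 host1 sudo:    alice : (command continued) core -delete",
    "Apr 30 09:19:00 host1 sudo:    carol : TTY=pts/3 ; PWD=/ ; USER=root ; COMMAND=/bin/sh -c echo hi ; rm -rf /tmp/x",
]
FILE_LOG_SAMPLE = """\
Apr 30 09:15:02 2013 : alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ;
    COMMAND=/usr/bin/id
Apr 30 09:17:11 2013 : mallory : command not allowed ; TTY=pts/2 ;
    PWD=/home/mallory ; USER=root ; COMMAND=/bin/bash
"""

if __name__ == "__main__":
    for e in parse_syslog(SYSLOG_SAMPLE) + parse_file_log(FILE_LOG_SAMPLE):
        print(e.get("reason", "accepted"), "|", e["username"], "|", e.get("command"))
```

The two details worth noticing are the ones a naive split on `` ; '' gets wrong: the ENV and COMMAND fields share one `` ; ''-delimited part, and a command line that itself contains `` ; '' (as with \fBsh -c\fR) must be rejoined rather than truncated.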
1.1 misho 3721: .SH "FILES"
1.1.1.3 misho 3722: .TP 26n
3723: \fI@sysconfdir@/sudo.conf\fR
1.1.1.2 misho 3724: Sudo front end configuration
1.1.1.3 misho 3725: .TP 26n
3726: \fI@sysconfdir@/sudoers\fR
1.1 misho 3727: List of who can run what
1.1.1.3 misho 3728: .TP 26n
3729: \fI/etc/group\fR
1.1 misho 3730: Local groups file
1.1.1.3 misho 3731: .TP 26n
3732: \fI/etc/netgroup\fR
1.1 misho 3733: List of network groups
1.1.1.3 misho 3734: .TP 26n
3735: \fI@iolog_dir@\fR
1.1 misho 3736: I/O log files
1.1.1.3 misho 3737: .TP 26n
3738: \fI@timedir@\fR
3739: Directory containing time stamps for the
3740: \fIsudoers\fR
3741: security policy
3742: .TP 26n
3743: \fI/etc/environment\fR
3744: Initial environment for
3745: \fB\-i\fR
3746: mode on AIX and Linux systems
1.1 misho 3747: .SH "EXAMPLES"
1.1.1.3 misho 3748: Below are example
3749: \fIsudoers\fR
3750: entries.
3751: Admittedly, some of these are a bit contrived.
3752: First, we allow a few environment variables to pass and then define our
3753: \fIaliases\fR:
3754: .nf
3755: .sp
3756: .RS 0n
3757: # Run X applications through sudo; HOME is used to find the
3758: # .Xauthority file. Note that other programs use HOME to find
3759: # configuration files and this may lead to privilege escalation!
3760: Defaults env_keep += "DISPLAY HOME"
3761:
3762: # User alias specification
3763: User_Alias FULLTIMERS = millert, mikef, dowdy
3764: User_Alias PARTTIMERS = bostley, jwfox, crawl
3765: User_Alias WEBMASTERS = will, wendy, wim
3766:
3767: # Runas alias specification
3768: Runas_Alias OP = root, operator
3769: Runas_Alias DB = oracle, sybase
3770: Runas_Alias ADMINGRP = adm, oper
3771:
3772: # Host alias specification
3773: Host_Alias SPARC = bigtime, eclipse, moet, anchor :\e
3774: SGI = grolsch, dandelion, black :\e
3775: ALPHA = widget, thalamus, foobar :\e
3776: HPPA = boa, nag, python
3777: Host_Alias CUNETS = 128.138.0.0/255.255.0.0
3778: Host_Alias CSNETS = 128.138.243.0, 128.138.204.0/24, 128.138.242.0
3779: Host_Alias SERVERS = master, mail, www, ns
3780: Host_Alias CDROM = orion, perseus, hercules
3781:
3782: # Cmnd alias specification
3783: Cmnd_Alias DUMPS = /usr/bin/mt, /usr/sbin/dump, /usr/sbin/rdump,\e
1.1.1.4 ! misho 3784: /usr/sbin/restore, /usr/sbin/rrestore,\e
! 3785: sha224:0GomF8mNN3wlDt1HD9XldjJ3SNgpFdbjO1+NsQ== \e
! 3786: /home/operator/bin/start_backups
1.1.1.3 misho 3787: Cmnd_Alias KILL = /usr/bin/kill
3788: Cmnd_Alias PRINTING = /usr/sbin/lpc, /usr/bin/lprm
3789: Cmnd_Alias SHUTDOWN = /usr/sbin/shutdown
3790: Cmnd_Alias HALT = /usr/sbin/halt
3791: Cmnd_Alias REBOOT = /usr/sbin/reboot
3792: Cmnd_Alias SHELLS = /usr/bin/sh, /usr/bin/csh, /usr/bin/ksh,\e
3793: /usr/local/bin/tcsh, /usr/bin/rsh,\e
3794: /usr/local/bin/zsh
3795: Cmnd_Alias SU = /usr/bin/su
3796: Cmnd_Alias PAGERS = /usr/bin/more, /usr/bin/pg, /usr/bin/less
3797: .RE
3798: .fi
1.1 misho 3799: .PP
1.1.1.3 misho 3800: Here we override some of the compiled in default values.
3801: We want
3802: \fBsudo\fR
3803: to log via
3804: syslog(3)
3805: using the
3806: \fIauth\fR
3807: facility in all cases.
3808: We don't want to subject the full time staff to the
3809: \fBsudo\fR
3810: lecture, user
3811: \fBmillert\fR
3812: need not give a password, and we don't want to reset the
3813: \fRLOGNAME\fR,
3814: \fRUSER\fR
3815: or
3816: \fRUSERNAME\fR
3817: environment variables when running commands as root.
3818: Additionally, on the machines in the
3819: \fISERVERS\fR
3820: \fRHost_Alias\fR,
3821: we keep an additional local log file and make sure we log the year
3822: in each log line since the log entries will be kept around for several years.
3823: Lastly, we disable shell escapes for the commands in the PAGERS
3824: \fRCmnd_Alias\fR
3825: (\fI/usr/bin/more\fR,
3826: \fI/usr/bin/pg\fR
3827: and
3828: \fI/usr/bin/less\fR).
3830: .nf
3831: .sp
3832: .RS 0n
3833: # Override built-in defaults
3834: Defaults syslog=auth
3835: Defaults>root !set_logname
3836: Defaults:FULLTIMERS !lecture
3837: Defaults:millert !authenticate
3838: Defaults@SERVERS log_year, logfile=/var/log/sudo.log
3839: Defaults!PAGERS noexec
3840: .RE
3841: .fi
1.1 misho 3842: .PP
1.1.1.3 misho 3843: The
3844: \fIUser specification\fR
3845: is the part that actually determines who may run what.
3846: .nf
3847: .sp
3848: .RS 0n
3849: root ALL = (ALL) ALL
3850: %wheel ALL = (ALL) ALL
3851: .RE
3852: .fi
1.1 misho 3853: .PP
1.1.1.3 misho 3854: We let
3855: \fBroot\fR
3856: and any user in group
3857: \fBwheel\fR
3858: run any command on any host as any user.
3859: .nf
3860: .sp
3861: .RS 0n
3862: FULLTIMERS ALL = NOPASSWD: ALL
3863: .RE
3864: .fi
1.1 misho 3865: .PP
1.1.1.3 misho 3866: Full time sysadmins
3867: (\fBmillert\fR,
3868: \fBmikef\fR,
3869: and
3870: \fBdowdy\fR)
3871: may run any command on any host without authenticating themselves.
3872: .nf
3873: .sp
3874: .RS 0n
3875: PARTTIMERS ALL = ALL
3876: .RE
3877: .fi
1.1 misho 3878: .PP
1.1.1.3 misho 3879: Part time sysadmins
3880: (\fBbostley\fR,
3881: \fBjwfox\fR,
3882: and
3883: \fBcrawl\fR)
3884: may run any command on any host but they must authenticate themselves
3885: first (since the entry lacks the
3886: \fRNOPASSWD\fR
3887: tag).
3888: .nf
3889: .sp
3890: .RS 0n
3891: jack CSNETS = ALL
3892: .RE
3893: .fi
1.1 misho 3894: .PP
1.1.1.3 misho 3895: The user
3896: \fBjack\fR
3897: may run any command on the machines in the
3898: \fICSNETS\fR
3899: alias (the networks
3900: \fR128.138.243.0\fR,
3901: \fR128.138.204.0\fR,
3902: and
3903: \fR128.138.242.0\fR).
3904: Of those networks, only
3905: \fR128.138.204.0\fR
3906: has an explicit netmask (in CIDR notation) indicating it is a class C network.
3907: For the other networks in
3908: \fICSNETS\fR,
3909: the local machine's netmask will be used during matching.
3910: .nf
3911: .sp
3912: .RS 0n
3913: lisa CUNETS = ALL
3914: .RE
3915: .fi
1.1 misho 3916: .PP
1.1.1.3 misho 3917: The user
3918: \fBlisa\fR
3919: may run any command on any host in the
3920: \fICUNETS\fR
3921: alias (the class B network
3922: \fR128.138.0.0\fR).
3923: .nf
3924: .sp
3925: .RS 0n
3926: operator ALL = DUMPS, KILL, SHUTDOWN, HALT, REBOOT, PRINTING,\e
3927: sudoedit /etc/printcap, /usr/oper/bin/
3928: .RE
3929: .fi
1.1 misho 3930: .PP
1.1.1.3 misho 3931: The
3932: \fBoperator\fR
3933: user may run commands limited to simple maintenance.
3934: Here, those are commands related to backups, killing processes, the
3935: printing system, shutting down the system, and any commands in the
3936: directory
3937: \fI/usr/oper/bin/\fR.
1.1.1.4 ! misho 3938: Note that one command in the
! 3939: \fRDUMPS\fR
! 3940: Cmnd_Alias includes a sha224 digest,
! 3941: \fI/home/operator/bin/start_backups\fR.
! 3942: This is because the directory containing the script is writable by the
! 3943: operator user, who could otherwise replace the script with arbitrary code and run it as root.
! 3944: If the script is modified (resulting in a digest mismatch) it will no longer
! 3945: be possible to run it via
! 3946: \fBsudo\fR.
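.PP
How to produce and check a digest of the form used in the \fRDUMPS\fR \fRCmnd_Alias\fR above, as an added Python example that is not sudo's code. The base64 form matches the ``sha224:...'' syntax shown; \fIsudoers\fR also accepts the digest in hex, and the sha256, sha384 and sha512 algorithms, so both encodings and all four algorithms are handled. The script contents are constructed in a temporary directory that stands in for \fI/home/operator/bin\fR.

```python
"""Build and verify the 'sha224:<base64>' digest used in the DUMPS Cmnd_Alias.

Added example, not sudo's code.  sudoers accepts the digest either base64
encoded (as in the alias above) or as hex, and also sha256, sha384 and
sha512; both encodings and all four algorithms are handled here.  The
script contents and paths are constructed in a temporary directory.
"""
import base64
import hashlib
import hmac
import os
import tempfile

SUPPORTED = ("sha224", "sha256", "sha384", "sha512")


def _digest(data: bytes, algorithm: str) -> bytes:
    if algorithm not in SUPPORTED:
        raise ValueError("unsupported digest algorithm %r" % algorithm)
    return hashlib.new(algorithm, data).digest()


def digest_spec_bytes(data: bytes, algorithm: str = "sha224") -> str:
    """Return the 'algorithm:base64' string to paste into a Cmnd_Alias."""
    return "%s:%s" % (algorithm, base64.b64encode(_digest(data, algorithm)).decode("ascii"))


def digest_spec(path: str, algorithm: str = "sha224") -> str:
    with open(path, "rb") as fh:
        return digest_spec_bytes(fh.read(), algorithm)


def digest_matches_bytes(spec: str, data: bytes) -> bool:
    """Check 'algorithm:digest' (hex or base64) against data; False if malformed."""
    algorithm, sep, expected = spec.partition(":")
    if not sep:
        raise ValueError("digest spec must look like 'sha224:...'")
    actual = _digest(data, algorithm)
    try:
        if len(expected) == 2 * len(actual):
            wanted = bytes.fromhex(expected)            # hex encoding
        else:
            wanted = base64.b64decode(expected, validate=True)
    except ValueError:                                  # binascii.Error is a ValueError
        return False
    return hmac.compare_digest(wanted, actual)


def digest_matches(spec: str, path: str) -> bool:
    with open(path, "rb") as fh:
        return digest_matches_bytes(spec, fh.read())


def demo():
    """Pin a constructed backup script, then tamper with it as operator could."""
    with tempfile.TemporaryDirectory() as tmp:
        # Stands in for /home/operator/bin/start_backups.
        script = os.path.join(tmp, "start_backups")
        with open(script, "w") as fh:
            fh.write("#!/bin/sh\n/usr/sbin/dump -0u /dev/sda1\n")
        spec = digest_spec(script)                      # value for the Cmnd_Alias
        before = digest_matches(spec, script)
        with open(script, "a") as fh:
            fh.write("/bin/sh -i\n")                    # a shell appended by the attacker
        after = digest_matches(spec, script)
    return spec, before, after


if __name__ == "__main__":
    spec, before, after = demo()
    print("Cmnd_Alias entry    :", spec, "/home/operator/bin/start_backups")
    print("matches before edit :", before, " after edit:", after)
```

The digest pins the contents, not the path: after operator appends a line, the same \fRCmnd_Alias\fR entry no longer matches and \fBsudo\fR refuses the command, which is exactly the property the text relies on for a script in a directory the user can write to.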
1.1.1.3 misho 3947: .nf
3948: .sp
3949: .RS 0n
3950: joe ALL = /usr/bin/su operator
3951: .RE
3952: .fi
1.1 misho 3953: .PP
1.1.1.3 misho 3954: The user
3955: \fBjoe\fR
3956: may only
3957: su(1)
3958: to operator.
3959: .nf
3960: .sp
3961: .RS 0n
3962: pete HPPA = /usr/bin/passwd [A-Za-z]*, !/usr/bin/passwd root
3963:
3964: %opers ALL = (: ADMINGRP) /usr/sbin/
3965: .RE
3966: .fi
1.1 misho 3967: .PP
1.1.1.3 misho 3968: Users in the
3969: \fBopers\fR
3970: group may run commands in
3971: \fI/usr/sbin/\fR
3972: as themselves
3973: with any group in the
3974: \fIADMINGRP\fR
3975: \fRRunas_Alias\fR
3976: (the
3977: \fBadm\fR
3978: and
3979: \fBoper\fR
3980: groups).
1.1 misho 3981: .PP
1.1.1.3 misho 3982: The user
3983: \fBpete\fR
3984: is allowed to change anyone's password except for
3985: root on the
3986: \fIHPPA\fR
3987: machines.
3988: Note that this assumes
3989: passwd(1)
3990: does not take multiple user names on the command line.
3991: .nf
3992: .sp
3993: .RS 0n
3994: bob SPARC = (OP) ALL : SGI = (OP) ALL
3995: .RE
3996: .fi
1.1 misho 3997: .PP
1.1.1.3 misho 3998: The user
3999: \fBbob\fR
4000: may run anything on the
4001: \fISPARC\fR
4002: and
4003: \fISGI\fR
4004: machines as any user listed in the
4005: \fIOP\fR
4006: \fRRunas_Alias\fR
4007: (\fBroot\fR
4008: and
4009: \fBoperator\fR.)
4010: .nf
4011: .sp
4012: .RS 0n
4013: jim +biglab = ALL
4014: .RE
4015: .fi
1.1 misho 4016: .PP
1.1.1.3 misho 4017: The user
4018: \fBjim\fR
4019: may run any command on machines in the
4020: \fIbiglab\fR
4021: netgroup.
4022: \fBsudo\fR
4023: knows that
4024: ``biglab''
4025: is a netgroup due to the
4026: `+'
4027: prefix.
4028: .nf
4029: .sp
4030: .RS 0n
4031: +secretaries ALL = PRINTING, /usr/bin/adduser, /usr/bin/rmuser
4032: .RE
4033: .fi
1.1 misho 4034: .PP
1.1.1.3 misho 4035: Users in the
4036: \fBsecretaries\fR
4037: netgroup need to help manage the printers as well as add and remove users,
4038: so they are allowed to run those commands on all machines.
4039: .nf
4040: .sp
4041: .RS 0n
4042: fred ALL = (DB) NOPASSWD: ALL
4043: .RE
4044: .fi
1.1 misho 4045: .PP
1.1.1.3 misho 4046: The user
4047: \fBfred\fR
4048: can run commands as any user in the
4049: \fIDB\fR
4050: \fRRunas_Alias\fR
4051: (\fBoracle\fR
4052: or
4053: \fBsybase\fR)
4054: without giving a password.
4055: .nf
4056: .sp
4057: .RS 0n
4058: john ALPHA = /usr/bin/su [!-]*, !/usr/bin/su *root*
4059: .RE
4060: .fi
1.1 misho 4061: .PP
1.1.1.3 misho 4062: On the
4063: \fIALPHA\fR
4064: machines, user
4065: \fBjohn\fR
4066: may su to anyone except root but he is not allowed to specify any options
4067: to the
4068: su(1)
4069: command.
4070: .nf
4071: .sp
4072: .RS 0n
4073: jen ALL, !SERVERS = ALL
4074: .RE
4075: .fi
1.1 misho 4076: .PP
1.1.1.3 misho 4077: The user
4078: \fBjen\fR
4079: may run any command on any machine except for those in the
4080: \fISERVERS\fR
4081: \fRHost_Alias\fR
4082: (master, mail, www and ns).
4083: .nf
4084: .sp
4085: .RS 0n
4086: jill SERVERS = /usr/bin/, !SU, !SHELLS
4087: .RE
4088: .fi
1.1 misho 4089: .PP
1.1.1.3 misho 4090: For any machine in the
4091: \fISERVERS\fR
4092: \fRHost_Alias\fR,
4093: \fBjill\fR
4094: may run
4095: any commands in the directory
4096: \fI/usr/bin/\fR
4097: except for those commands
4098: belonging to the
4099: \fISU\fR
4100: and
4101: \fISHELLS\fR
4102: \fRCmnd_Aliases\fR.
4103: .nf
4104: .sp
4105: .RS 0n
4106: steve CSNETS = (operator) /usr/local/op_commands/
4107: .RE
4108: .fi
1.1 misho 4109: .PP
1.1.1.3 misho 4110: The user
4111: \fBsteve\fR
4112: may run any command in the directory \fI/usr/local/op_commands/\fR
1.1 misho 4113: but only as user operator.
1.1.1.3 misho 4114: .nf
4115: .sp
4116: .RS 0n
4117: matt valkyrie = KILL
4118: .RE
4119: .fi
1.1 misho 4120: .PP
1.1.1.3 misho 4121: On his personal workstation, valkyrie,
4122: \fBmatt\fR
4123: needs to be able to kill hung processes.
4124: .nf
4125: .sp
4126: .RS 0n
4127: WEBMASTERS www = (www) ALL, (root) /usr/bin/su www
4128: .RE
4129: .fi
1.1 misho 4130: .PP
1.1.1.3 misho 4131: On the host www, any user in the
4132: \fIWEBMASTERS\fR
4133: \fRUser_Alias\fR
4134: (will, wendy, and wim), may run any command as user www (which owns the
4135: web pages) or simply
4136: su(1)
4137: to www.
4138: .nf
4139: .sp
4140: .RS 0n
4141: ALL CDROM = NOPASSWD: /sbin/umount /CDROM,\e
4142: /sbin/mount -o nosuid\,nodev /dev/cd0a /CDROM
4143: .RE
4144: .fi
4145: .PP
4146: Any user may mount or unmount a CD-ROM on the machines in the CDROM
4147: \fRHost_Alias\fR
4148: (orion, perseus, hercules) without entering a password.
1.1 misho 4149: This is a bit tedious for users to type, so it is a prime candidate
4150: for encapsulating in a shell script.
4151: .SH "SECURITY NOTES"
1.1.1.3 misho 4152: .SS "Limitations of the `!\&' operator"
4153: It is generally not effective to
4154: ``subtract''
4155: commands from
4156: \fBALL\fR
4157: using the
4158: `!\&'
4159: operator.
4160: A user can trivially circumvent this by copying the desired command
4161: to a different name and then executing that.
4162: For example:
4163: .nf
4164: .sp
4165: .RS 0n
4166: bill ALL = ALL, !SU, !SHELLS
4167: .RE
4168: .fi
1.1 misho 4169: .PP
1.1.1.3 misho 4170: Doesn't really prevent
4171: \fBbill\fR
4172: from running the commands listed in
4173: \fISU\fR
4174: or
4175: \fISHELLS\fR
4176: since he can simply copy those commands to a different name, or use
4177: a shell escape from an editor or other program.
4178: Therefore, these kind of restrictions should be considered
4179: advisory at best (and reinforced by policy).
1.1 misho 4180: .PP
1.1.1.3 misho 4181: In general, if a user has sudo
4182: \fBALL\fR
4183: there is nothing to prevent them from creating their own program that gives
4184: them a root shell (or making their own copy of a shell) regardless of any
4185: `!\&'
4186: elements in the user specification.
4187: .SS "Security implications of \fIfast_glob\fR"
4188: If the
4189: \fIfast_glob\fR
4190: option is in use, it is not possible to reliably negate commands where the
4191: path name includes globbing (aka wildcard) characters.
4192: This is because the C library's
4193: fnmatch(3)
4194: function cannot resolve relative paths.
4195: While this is typically only an inconvenience for rules that grant privileges,
4196: it can result in a security issue for rules that subtract or revoke privileges.
4197: .PP
4198: For example, given the following
4199: \fIsudoers\fR
4200: entry:
4201: .nf
4202: .sp
4203: .RS 0n
4204: john ALL = /usr/bin/passwd [a-zA-Z0-9]*, /usr/bin/chsh [a-zA-Z0-9]*,\e
4205: /usr/bin/chfn [a-zA-Z0-9]*, !/usr/bin/* root
4206: .RE
4207: .fi
1.1 misho 4208: .PP
1.1.1.3 misho 4209: User
4210: \fBjohn\fR
4211: can still run
4212: \fR/usr/bin/passwd root\fR
4213: if
4214: \fIfast_glob\fR
4215: is enabled by changing to
4216: \fI/usr/bin\fR
4217: and running
4218: \fR./passwd root\fR
4219: instead.
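.PP
The bypass described above, as an added Python model that is not sudo's matching code: a simplified, last-match-wins evaluation of the \fBjohn\fR entry with and without \fIfast_glob\fR. A temporary directory stands in for \fI/usr/bin\fR so the example runs unprivileged, the rule paths are rewritten to point at it, and path identity is compared with realpath() where \fBsudoers\fR compares the files' stat() identity.

```python
"""Why a '!' rule containing wildcards fails under fast_glob.

Added model, not sudo's matching code: a simplified, last-match-wins
evaluation of the john entry above.  A temporary directory stands in for
/usr/bin so the example runs unprivileged, and the rule paths are rewritten
to point at it.  Path comparison uses realpath() where sudo compares the
stat() identity of the two files.
"""
import fnmatch
import glob
import os
import tempfile
from typing import Dict, List, Optional, Tuple

GLOB_CHARS = set("*?[")


def _split(spec: str) -> Tuple[str, str]:
    cmd, _, args = spec.partition(" ")
    return cmd, args


def command_matches(rule: str, typed: str, cwd: str, fast_glob: bool) -> bool:
    """Does one command spec (without its leading '!') match what the user typed?"""
    rule_cmd, rule_args = _split(rule)
    typed_cmd, typed_args = _split(typed)
    # Arguments: none in the rule means any arguments; "" means no arguments;
    # anything else is a pattern matched against the typed arguments.
    if rule_args == '""':
        if typed_args:
            return False
    elif rule_args and not fnmatch.fnmatchcase(typed_args, rule_args):
        return False
    resolved = os.path.realpath(os.path.join(cwd, typed_cmd))
    if not any(c in GLOB_CHARS for c in rule_cmd):
        # Plain path: sudo resolves the typed command and compares the files.
        return resolved == os.path.realpath(rule_cmd)
    if fast_glob:
        # fast_glob: the pattern is fnmatch(3)ed against the typed string,
        # which is never resolved, so "./passwd" can never match "/usr/bin/*".
        return fnmatch.fnmatchcase(typed_cmd, rule_cmd)
    # Default: expand the pattern with glob(3) and compare resolved paths.
    return any(os.path.realpath(p) == resolved for p in glob.glob(rule_cmd))


def evaluate(rules: List[str], typed: str, cwd: str, fast_glob: bool) -> Optional[bool]:
    """Last matching rule wins; None means nothing matched (also a denial)."""
    verdict: Optional[bool] = None
    for rule in rules:
        negated = rule.startswith("!")
        if command_matches(rule.lstrip("!"), typed, cwd, fast_glob):
            verdict = not negated
    return verdict


def demo() -> Dict[Tuple[str, bool], Optional[bool]]:
    """Evaluate the john entry against three invocations, with and without fast_glob."""
    results: Dict[Tuple[str, bool], Optional[bool]] = {}
    with tempfile.TemporaryDirectory() as root:
        usr_bin = os.path.join(root, "usr", "bin")      # stands in for /usr/bin
        os.makedirs(usr_bin)
        for name in ("passwd", "chsh", "chfn"):
            open(os.path.join(usr_bin, name), "w").close()
        rules = [
            usr_bin + "/passwd [a-zA-Z0-9]*",
            usr_bin + "/chsh [a-zA-Z0-9]*",
            usr_bin + "/chfn [a-zA-Z0-9]*",
            "!" + usr_bin + "/* root",
        ]
        for fast in (False, True):
            results[("passwd alice", fast)] = evaluate(rules, usr_bin + "/passwd alice", "/", fast)
            results[("passwd root", fast)] = evaluate(rules, usr_bin + "/passwd root", "/", fast)
            results[("./passwd root", fast)] = evaluate(rules, "./passwd root", usr_bin, fast)
    return results


if __name__ == "__main__":
    for (typed, fast), allowed in sorted(demo().items()):
        print("fast_glob=%-5s %-16s -> %s" % (fast, typed, "allowed" if allowed else "denied"))
```

With \fIfast_glob\fR disabled both spellings of the command are denied, because the wildcard is expanded on disk and compared against the resolved file. With it enabled, the positive rule still matches ``./passwd'' (it has no wildcard, so the path is resolved), but the negated wildcard rule is matched against the literal string ``./passwd'' and never fires, so the command is allowed.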
4220: .SS "Preventing shell escapes"
4221: Once
4222: \fBsudo\fR
4223: executes a program, that program is free to do whatever
4224: it pleases, including run other programs.
4225: This can be a security issue since it is not uncommon for a program to
4226: allow shell escapes, which lets a user bypass
4227: \fBsudo\fR's
4228: access control and logging.
1.1 misho 4229: Common programs that permit shell escapes include shells (obviously),
4230: editors, paginators, mail and terminal programs.
4231: .PP
4232: There are two basic approaches to this problem:
1.1.1.3 misho 4233: .TP 10n
4234: restrict
1.1 misho 4235: Avoid giving users access to commands that allow the user to run
1.1.1.3 misho 4236: arbitrary commands.
4237: Many editors have a restricted mode where shell
4238: escapes are disabled, though
4239: \fBsudoedit\fR
4240: is a better solution to
4241: running editors via
4242: \fBsudo\fR.
4243: Due to the large number of programs that
1.1 misho 4244: offer shell escapes, restricting users to the set of programs that
4245: do not is often unworkable.
1.1.1.3 misho 4246: .TP 10n
4247: noexec
1.1 misho 4248: Many systems that support shared libraries have the ability to
4249: override default library functions by pointing an environment
1.1.1.3 misho 4250: variable (usually
4251: \fRLD_PRELOAD\fR)
4252: to an alternate shared library.
4253: On such systems,
4254: \fBsudo\fR's
4255: \fInoexec\fR
4256: functionality can be used to prevent a program run by
4257: \fBsudo\fR
4258: from executing any other programs.
1.1 misho 4259: Note, however, that this applies only to native dynamically-linked
1.1.1.3 misho 4260: executables.
4261: Statically-linked executables and foreign executables
1.1 misho 4262: running under binary emulation are not affected.
1.1.1.3 misho 4263: .sp
4264: The
4265: \fInoexec\fR
4266: feature is known to work on SunOS, Solaris, *BSD,
4267: Linux, IRIX, Tru64 UNIX, MacOS X, HP-UX 11.x and AIX 5.3 and above.
1.1 misho 4268: It should be supported on most operating systems that support the
1.1.1.3 misho 4269: \fRLD_PRELOAD\fR
4270: environment variable.
4271: Check your operating system's manual pages for the dynamic linker
4272: (usually ld.so, ld.so.1, dyld, dld.sl, rld, or loader) to see if
4273: \fRLD_PRELOAD\fR
4274: is supported.
4275: .sp
4276: On Solaris 10 and higher,
4277: \fInoexec\fR
4278: uses Solaris privileges instead of the
4279: \fRLD_PRELOAD\fR
4280: environment variable.
4281: .sp
4282: To enable
4283: \fInoexec\fR
4284: for a command, use the
4285: \fRNOEXEC\fR
4286: tag as documented
4287: in the User Specification section above.
4288: Here is that example again:
4289: .RS
4290: .nf
4291: .sp
4292: .RS 0n
4293: aaron shanty = NOEXEC: /usr/bin/more, /usr/bin/vi
4294: .RE
4295: .fi
4296: .sp
4297: This allows user
4298: \fBaaron\fR
4299: to run
4300: \fI/usr/bin/more\fR
and
\fI/usr/bin/vi\fR
with
\fInoexec\fR
enabled.
This will prevent those two commands from
executing other commands (such as a shell).
If you are unsure whether or not your system is capable of supporting
\fInoexec\fR
you can always just try it out and check whether shell escapes work when
\fInoexec\fR
is enabled.
.RE
.PP
Note that restricting shell escapes is not a panacea.
Programs running as root are still capable of many potentially hazardous
operations (such as changing or overwriting files) that could lead
to unintended privilege escalation.
In the specific case of an editor, a safer approach is to give the
user permission to run
\fBsudoedit\fR.
.SS "Time stamp file checks"
\fIsudoers\fR
will check the ownership of its time stamp directory
(\fI@timedir@\fR
by default)
and ignore the directory's contents if it is not owned by root or
if it is writable by a user other than root.
On systems that allow non-root users to give away files via
chown(2),
if the time stamp directory is located in a world-writable
directory (e.g.\&,
\fI/tmp\fR),
it is possible for a user to create the time stamp directory before
\fBsudo\fR
is run.
However, because
\fIsudoers\fR
checks the ownership and mode of the directory and its
contents, the only damage that can be done is to
``hide''
files by putting them in the time stamp dir.
This is unlikely to happen since once the time stamp dir is owned by root
and inaccessible by any other user, the user placing files there would be
unable to get them back out.
.PP
\fIsudoers\fR
will not honor time stamps set far in the future.
Time stamps with a date greater than current_time + 2 *
\fRTIMEOUT\fR
will be ignored and sudo will log and complain.
This is done to keep a user from creating his/her own time stamp with a
bogus date on systems that allow users to give away files if the time
stamp directory is located in a world-writable directory.
.PP
On systems where the boot time is available,
\fIsudoers\fR
will ignore time stamps that date from before the machine booted.
.PP
Since time stamp files live in the file system, they can outlive a
user's login session.
As a result, a user may be able to log in, run a command with
\fBsudo\fR
after authenticating, log out, log in again, and run
\fBsudo\fR
without authenticating so long as the time stamp file's modification
time is within
\fR@timeout@\fR
minutes (or whatever the timeout is set to in
\fIsudoers\fR).
When the
\fItty_tickets\fR
option is enabled, the time stamp has per-tty granularity but still
may outlive the user's session.
On Linux systems where the devpts filesystem is used, Solaris systems
with the devices filesystem, as well as other systems that utilize a
devfs filesystem that monotonically increases the inode number of devices
as they are created (such as Mac OS X),
\fIsudoers\fR
is able to determine when a tty-based time stamp file is stale and will
ignore it.
Administrators should not rely on this feature as it is not universally
available.
.SH "DEBUGGING"
Versions 1.8.4 and higher of the
\fBsudoers\fR
plugin support a flexible debugging framework that can help track
down what the plugin is doing internally if there is a problem.
This can be configured in the
sudo.conf(@mansectform@)
file.
.PP
The
\fBsudoers\fR
plugin uses the same debug flag format as the
\fBsudo\fR
front-end:
\fIsubsystem\fR@\fIpriority\fR.
.PP
The priorities used by
\fBsudoers\fR,
in order of decreasing severity,
are:
\fIcrit\fR, \fIerr\fR, \fIwarn\fR, \fInotice\fR, \fIdiag\fR, \fIinfo\fR, \fItrace\fR
and
\fIdebug\fR.
Each priority, when specified, also includes all priorities higher
than it.
For example, a priority of
\fInotice\fR
would include debug messages logged at
\fInotice\fR
and higher.
.PP
The following subsystems are used by the
\fBsudoers\fR
plugin:
.TP 10n
\fIalias\fR
\fRUser_Alias\fR,
\fRRunas_Alias\fR,
\fRHost_Alias\fR
and
\fRCmnd_Alias\fR
processing
.TP 10n
\fIall\fR
matches every subsystem
.TP 10n
\fIaudit\fR
BSM and Linux audit code
.TP 10n
\fIauth\fR
user authentication
.TP 10n
\fIdefaults\fR
\fIsudoers\fR
\fIDefaults\fR
settings
.TP 10n
\fIenv\fR
environment handling
.TP 10n
\fIldap\fR
LDAP-based sudoers
.TP 10n
\fIlogging\fR
logging support
.TP 10n
\fImatch\fR
matching of users, groups, hosts and netgroups in
\fIsudoers\fR
.TP 10n
\fInetif\fR
network interface handling
.TP 10n
\fInss\fR
network service switch handling in
\fIsudoers\fR
.TP 10n
\fIparser\fR
\fIsudoers\fR
file parsing
.TP 10n
\fIperms\fR
permission setting
.TP 10n
\fIplugin\fR
The equivalent of
\fImain\fR
for the plugin.
.TP 10n
\fIpty\fR
pseudo-tty related code
.TP 10n
\fIrbtree\fR
red-black tree internals
.TP 10n
\fIutil\fR
utility functions
.PD 0
.PP
.PD
For example:
.nf
.sp
.RS 0n
Debug sudo /var/log/sudo_debug match@info,nss@info
.RE
.fi
.PP
For more information, see the
sudo.conf(@mansectform@)
manual.
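.PP
As an added example, not code from the sudo project, the Python below parses a sudo.conf Debug line of the form shown above into its subsystem@priority flags and answers whether a message from a given subsystem at a given priority would be captured, applying the rule that a configured priority also includes every priority more severe than it.
The function names are assumptions of this example, as is the treatment of the all subsystem: here it is merged with a per-subsystem entry by taking whichever of the two is more verbose.

```python
# Priorities used by the sudoers plugin, from most to least severe
# (the order given in the DEBUGGING section).
PRIORITIES = ["crit", "err", "warn", "notice", "diag", "info", "trace", "debug"]


def parse_debug_flags(flags):
    """Parse "subsystem@priority,subsystem@priority,..." into a dict."""
    result = {}
    for item in flags.split(","):
        item = item.strip()
        if not item:
            continue
        if "@" not in item:
            raise ValueError("missing '@' in debug flag: %r" % item)
        subsystem, priority = item.rsplit("@", 1)
        if priority not in PRIORITIES:
            raise ValueError("unknown priority: %r" % priority)
        result[subsystem] = priority
    return result


def parse_debug_line(line):
    """Parse one sudo.conf line: Debug <program> <logfile> <flags>."""
    fields = line.split()
    if len(fields) != 4 or fields[0] != "Debug":
        raise ValueError("not a Debug line: %r" % line)
    return {
        "program": fields[1],
        "logfile": fields[2],
        "flags": parse_debug_flags(fields[3]),
    }


def would_log(flags, subsystem, priority):
    """True if a message from subsystem at priority is captured by flags.

    A configured priority includes all priorities more severe than it.
    The "all" subsystem matches every subsystem; merging it with a
    per-subsystem entry by taking the more verbose of the two is an
    assumption of this example.
    """
    configured = flags.get(subsystem)
    if "all" in flags:
        everything = flags["all"]
        if configured is None or PRIORITIES.index(everything) > PRIORITIES.index(configured):
            configured = everything
    if configured is None:
        return False
    return PRIORITIES.index(priority) <= PRIORITIES.index(configured)


if __name__ == "__main__":
    # The example line from this manual page.
    cfg = parse_debug_line("Debug sudo /var/log/sudo_debug match@info,nss@info")
    print(cfg)
    for sub, pri in [("match", "warn"), ("match", "trace"), ("auth", "crit")]:
        print(sub, pri, "->", would_log(cfg["flags"], sub, pri))
```

With the manual's example line, match@info captures match messages at info and every more severe priority (crit through info) but not trace or debug, and a subsystem that is not listed, such as auth, produces no debug output at all.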
.SH "SEE ALSO"
ssh(1),
su(1),
fnmatch(3),
glob(3),
mktemp(3),
strftime(3),
sudo.conf(@mansectform@),
sudoers.ldap(@mansectform@),
sudo_plugin(@mansectsu@),
sudo(@mansectsu@),
visudo(@mansectsu@)
.SH "CAVEATS"
The
\fIsudoers\fR
file should
\fBalways\fR
be edited by the
\fBvisudo\fR
command, which locks the file and does grammatical checking.
It is
imperative that
\fIsudoers\fR
be free of syntax errors since
\fBsudo\fR
will not run with a syntactically incorrect
\fIsudoers\fR
file.
.PP
When using netgroups of machines (as opposed to users), if you
store fully qualified host names in the netgroup (as is usually the
case), you either need to have the machine's host name be fully qualified
as returned by the
\fRhostname\fR
command or use the
\fIfqdn\fR
option in
\fIsudoers\fR.
.SH "BUGS"
If you feel you have found a bug in
\fBsudo\fR,
please submit a bug report at http://www.sudo.ws/sudo/bugs/
.SH "SUPPORT"
Limited free support is available via the sudo-users mailing list,
see http://www.sudo.ws/mailman/listinfo/sudo-users to subscribe or
search the archives.
.SH "DISCLAIMER"
\fBsudo\fR
is provided
``AS IS''
and any express or implied warranties, including, but not limited
to, the implied warranties of merchantability and fitness for a
particular purpose are disclaimed.
See the LICENSE file distributed with
\fBsudo\fR
or http://www.sudo.ws/sudo/license.html for complete details.