File:  [ELWIX - Embedded LightWeight unIX -] / embedaddon / sudo / doc / sudoers.man.in
Revision 1.1.1.5 (vendor branch)
Mon Oct 14 07:56:34 2013 UTC by misho
Branches: sudo, MAIN
CVS tags: v1_8_8p0, v1_8_8, HEAD
v 1.8.8

    1: .\" DO NOT EDIT THIS FILE, IT IS NOT THE MASTER!
    2: .\" IT IS GENERATED AUTOMATICALLY FROM sudoers.mdoc.in
    3: .\"
    4: .\" Copyright (c) 1994-1996, 1998-2005, 2007-2013
    5: .\"	Todd C. Miller <Todd.Miller@courtesan.com>
    6: .\"
    7: .\" Permission to use, copy, modify, and distribute this software for any
    8: .\" purpose with or without fee is hereby granted, provided that the above
    9: .\" copyright notice and this permission notice appear in all copies.
   10: .\"
   11: .\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
   12: .\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
   13: .\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
   14: .\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
   15: .\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
   16: .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
   17: .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
   18: .\" ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
   19: .\"
   20: .\" Sponsored in part by the Defense Advanced Research Projects
   21: .\" Agency (DARPA) and Air Force Research Laboratory, Air Force
   22: .\" Materiel Command, USAF, under agreement number F39502-99-1-0512.
   23: .\"
   24: .TH "SUDOERS" "@mansectsu@" "August 31, 2013" "Sudo @PACKAGE_VERSION@" "Programmer's Manual"
   25: .nh
   26: .if n .ad l
   27: .SH "NAME"
   28: \fBsudoers\fR
   29: \- default sudo security policy plugin
   30: .SH "DESCRIPTION"
   31: The
   32: \fIsudoers\fR
   33: policy plugin determines a user's
   34: \fBsudo\fR
   35: privileges.
   36: It is the default
   37: \fBsudo\fR
   38: policy plugin.
   39: The policy is driven by
   40: the
   41: \fI@sysconfdir@/sudoers\fR
    42: file or, optionally, in LDAP.
   43: The policy format is described in detail in the
   44: \fISUDOERS FILE FORMAT\fR
   45: section.
   46: For information on storing
   47: \fIsudoers\fR
   48: policy information
   49: in LDAP, please see
   50: sudoers.ldap(@mansectform@).
   51: .SS "Configuring sudo.conf for sudoers"
   52: \fBsudo\fR
   53: consults the
   54: sudo.conf(@mansectform@)
    55: file to determine which policy and I/O logging plugins to load.
   56: If no
   57: sudo.conf(@mansectform@)
   58: file is present, or if it contains no
   59: \fRPlugin\fR
   60: lines,
   61: \fBsudoers\fR
   62: will be used for policy decisions and I/O logging.
   63: To explicitly configure
   64: sudo.conf(@mansectform@)
   65: to use the
   66: \fBsudoers\fR
   67: plugin, the following configuration can be used.
   68: .nf
   69: .sp
   70: .RS 6n
   71: Plugin sudoers_policy sudoers.so
   72: Plugin sudoers_io sudoers.so
   73: .RE
   74: .fi
   75: .PP
   76: Starting with
   77: \fBsudo\fR
   78: 1.8.5, it is possible to specify optional arguments to the
   79: \fBsudoers\fR
   80: plugin in the
   81: sudo.conf(@mansectform@)
   82: file.
   83: These arguments, if present, should be listed after the path to the plugin
   84: (i.e.\& after
   85: \fIsudoers.so\fR).
   86: Multiple arguments may be specified, separated by white space.
   87: For example:
   88: .nf
   89: .sp
   90: .RS 6n
   91: Plugin sudoers_policy sudoers.so sudoers_mode=0400
   92: .RE
   93: .fi
   94: .PP
   95: The following plugin arguments are supported:
   96: .TP 10n
   97: ldap_conf=pathname
   98: The
   99: \fIldap_conf\fR
  100: argument can be used to override the default path to the
  101: \fIldap.conf\fR
  102: file.
  103: .TP 10n
  104: ldap_secret=pathname
  105: The
  106: \fIldap_secret\fR
  107: argument can be used to override the default path to the
  108: \fIldap.secret\fR
  109: file.
  110: .TP 10n
  111: sudoers_file=pathname
  112: The
  113: \fIsudoers_file\fR
  114: argument can be used to override the default path to the
  115: \fIsudoers\fR
  116: file.
  117: .TP 10n
  118: sudoers_uid=uid
  119: The
  120: \fIsudoers_uid\fR
  121: argument can be used to override the default owner of the sudoers file.
  122: It should be specified as a numeric user ID.
  123: .TP 10n
  124: sudoers_gid=gid
  125: The
  126: \fIsudoers_gid\fR
  127: argument can be used to override the default group of the sudoers file.
  128: It must be specified as a numeric group ID (not a group name).
  129: .TP 10n
  130: sudoers_mode=mode
  131: The
  132: \fIsudoers_mode\fR
  133: argument can be used to override the default file mode for the sudoers file.
  134: It should be specified as an octal value.
  135: .PP
  136: For more information on configuring
  137: sudo.conf(@mansectform@),
  138: please refer to its manual.
  139: .SS "Authentication and logging"
  140: The
  141: \fIsudoers\fR
  142: security policy requires that most users authenticate
  143: themselves before they can use
  144: \fBsudo\fR.
  145: A password is not required
  146: if the invoking user is root, if the target user is the same as the
  147: invoking user, or if the policy has disabled authentication for the
  148: user or command.
  149: Unlike
  150: su(1),
  151: when
  152: \fIsudoers\fR
  153: requires
  154: authentication, it validates the invoking user's credentials, not
  155: the target user's (or root's) credentials.
  156: This can be changed via
  157: the
  158: \fIrootpw\fR,
  159: \fItargetpw\fR
  160: and
  161: \fIrunaspw\fR
  162: flags, described later.
  163: .PP
  164: If a user who is not listed in the policy tries to run a command
  165: via
  166: \fBsudo\fR,
  167: mail is sent to the proper authorities.
  168: The address
  169: used for such mail is configurable via the
  170: \fImailto\fR
  171: Defaults entry
  172: (described later) and defaults to
  173: \fR@mailto@\fR.
  174: .PP
  175: Note that mail will not be sent if an unauthorized user tries to
  176: run
  177: \fBsudo\fR
  178: with the
  179: \fB\-l\fR
  180: or
  181: \fB\-v\fR
  182: option.
  183: This allows users to
  184: determine for themselves whether or not they are allowed to use
  185: \fBsudo\fR.
  186: .PP
  187: If
  188: \fBsudo\fR
  189: is run by root and the
  190: \fRSUDO_USER\fR
  191: environment variable
  192: is set, the
  193: \fIsudoers\fR
  194: policy will use this value to determine who
  195: the actual user is.
  196: This can be used by a user to log commands
  197: through sudo even when a root shell has been invoked.
  198: It also
  199: allows the
  200: \fB\-e\fR
  201: option to remain useful even when invoked via a
  202: sudo-run script or program.
  203: Note, however, that the
  204: \fIsudoers\fR
  205: lookup is still done for root, not the user specified by
  206: \fRSUDO_USER\fR.
  207: .PP
  208: \fIsudoers\fR
  209: uses time stamp files for credential caching.
  210: Once a
  211: user has been authenticated, the time stamp is updated and the user
  212: may then use sudo without a password for a short period of time
  213: (\fR@timeout@\fR
  214: minutes unless overridden by the
  215: \fItimeout\fR
   216: option).
   217: .\"
  218: By default,
  219: \fIsudoers\fR
  220: uses a tty-based time stamp which means that
  221: there is a separate time stamp for each of a user's login sessions.
  222: The
  223: \fItty_tickets\fR
  224: option can be disabled to force the use of a
  225: single time stamp for all of a user's sessions.
  226: .PP
  227: \fIsudoers\fR
  228: can log both successful and unsuccessful attempts (as well
  229: as errors) to
  230: syslog(3),
  231: a log file, or both.
  232: By default,
  233: \fIsudoers\fR
  234: will log via
  235: syslog(3)
  236: but this is changeable via the
  237: \fIsyslog\fR
  238: and
  239: \fIlogfile\fR
  240: Defaults settings.
  241: .PP
  242: \fIsudoers\fR
  243: also supports logging a command's input and output
  244: streams.
  245: I/O logging is not on by default but can be enabled using
  246: the
  247: \fIlog_input\fR
  248: and
  249: \fIlog_output\fR
  250: Defaults flags as well as the
  251: \fRLOG_INPUT\fR
  252: and
  253: \fRLOG_OUTPUT\fR
  254: command tags.
  255: .SS "Command environment"
  256: Since environment variables can influence program behavior,
  257: \fIsudoers\fR
  258: provides a means to restrict which variables from the user's
  259: environment are inherited by the command to be run.
  260: There are two
  261: distinct ways
  262: \fIsudoers\fR
  263: can deal with environment variables.
  264: .PP
  265: By default, the
  266: \fIenv_reset\fR
  267: option is enabled.
  268: This causes commands
  269: to be executed with a new, minimal environment.
  270: On AIX (and Linux
  271: systems without PAM), the environment is initialized with the
  272: contents of the
  273: \fI/etc/environment\fR
  274: file.
  275: On BSD systems, if the
  276: \fIuse_loginclass\fR
  277: option is enabled, the environment is initialized
  278: based on the
  279: \fIpath\fR
  280: and
  281: \fIsetenv\fR
  282: settings in
  283: \fI/etc/login.conf\fR.
  284: The new environment contains the
  285: \fRTERM\fR,
  286: \fRPATH\fR,
  287: \fRHOME\fR,
  288: \fRMAIL\fR,
  289: \fRSHELL\fR,
  290: \fRLOGNAME\fR,
  291: \fRUSER\fR,
  292: \fRUSERNAME\fR
  293: and
  294: \fRSUDO_*\fR
  295: variables
  296: in addition to variables from the invoking process permitted by the
  297: \fIenv_check\fR
  298: and
  299: \fIenv_keep\fR
  300: options.
  301: This is effectively a whitelist
  302: for environment variables.
  303: .PP
  304: If, however, the
  305: \fIenv_reset\fR
  306: option is disabled, any variables not
  307: explicitly denied by the
  308: \fIenv_check\fR
  309: and
  310: \fIenv_delete\fR
  311: options are
  312: inherited from the invoking process.
  313: In this case,
  314: \fIenv_check\fR
  315: and
  316: \fIenv_delete\fR
  317: behave like a blacklist.
  318: Since it is not possible
  319: to blacklist all potentially dangerous environment variables, use
  320: of the default
  321: \fIenv_reset\fR
  322: behavior is encouraged.
  323: .PP
  324: In all cases, environment variables with a value beginning with
  325: \fR()\fR
  326: are removed as they could be interpreted as
  327: \fBbash\fR
  328: functions.
  329: The list of environment variables that
  330: \fBsudo\fR
  331: allows or denies is
  332: contained in the output of
  333: ``\fRsudo -V\fR''
  334: when run as root.
  335: .PP
  336: Note that the dynamic linker on most operating systems will remove
  337: variables that can control dynamic linking from the environment of
  338: setuid executables, including
  339: \fBsudo\fR.
  340: Depending on the operating
  341: system this may include
  342: \fR_RLD*\fR,
  343: \fRDYLD_*\fR,
  344: \fRLD_*\fR,
  345: \fRLDR_*\fR,
  346: \fRLIBPATH\fR,
  347: \fRSHLIB_PATH\fR,
  348: and others.
   349: These types of variables are
  350: removed from the environment before
  351: \fBsudo\fR
  352: even begins execution
  353: and, as such, it is not possible for
  354: \fBsudo\fR
  355: to preserve them.
  356: .PP
  357: As a special case, if
  358: \fBsudo\fR's
  359: \fB\-i\fR
  360: option (initial login) is
  361: specified,
  362: \fIsudoers\fR
  363: will initialize the environment regardless
  364: of the value of
  365: \fIenv_reset\fR.
  366: The
  367: \fRDISPLAY\fR,
  368: \fRPATH\fR
  369: and
  370: \fRTERM\fR
  371: variables remain unchanged;
  372: \fRHOME\fR,
  373: \fRMAIL\fR,
  374: \fRSHELL\fR,
  375: \fRUSER\fR,
  376: and
  377: \fRLOGNAME\fR
  378: are set based on the target user.
  379: On AIX (and Linux
  380: systems without PAM), the contents of
  381: \fI/etc/environment\fR
  382: are also
  383: included.
  384: On BSD systems, if the
  385: \fIuse_loginclass\fR
  386: option is
  387: enabled, the
  388: \fIpath\fR
  389: and
  390: \fIsetenv\fR
  391: variables in
  392: \fI/etc/login.conf\fR
  393: are also applied.
  394: All other environment variables are removed.
  395: .PP
  396: Finally, if the
  397: \fIenv_file\fR
  398: option is defined, any variables present
  399: in that file will be set to their specified values as long as they
  400: would not conflict with an existing environment variable.
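The whitelist and blacklist behaviour described above, as an added simulation that is not part of sudo or this manual. It assumes env_keep/env_check/env_delete entries may use shell-style wildcards and that env_check only keeps a variable whose value contains neither `%` nor `/` (the rule given for env_check under SUDOERS OPTIONS, not reproduced in this excerpt); the sample environment is constructed.

```python
import fnmatch

# Variables that the reset environment always contains, per the text above.
# Sudo itself supplies SUDO_* variables; here they are simply passed through.
ALWAYS_KEPT = ("TERM", "PATH", "HOME", "MAIL", "SHELL", "LOGNAME", "USER", "USERNAME")


def _listed(name, patterns):
    """True if name matches any pattern (env_keep/env_check entries may use wildcards)."""
    return any(fnmatch.fnmatchcase(name, p) for p in patterns)


def _fails_env_check(name, value, env_check):
    # env_check keeps a variable only if its value contains neither '%' nor '/'
    # (assumed here; this is the env_check rule from SUDOERS OPTIONS).
    return _listed(name, env_check) and ("%" in value or "/" in value)


def build_command_env(invoking_env, env_reset=True, env_keep=(), env_check=(),
                      env_delete=(), env_file=None):
    """Return the environment the command receives under the rules described above.

    env_reset=True  -> whitelist: only the always-kept names, SUDO_*, env_keep
                       matches and env_check matches that pass the check survive.
    env_reset=False -> blacklist: everything survives except env_delete matches
                       and env_check matches that fail the check.
    Values beginning with "()" are dropped in both modes.  env_file entries are
    added last and never override a variable that is already present.
    """
    result = {}
    for name, value in invoking_env.items():
        if value.startswith("()"):
            continue  # could be interpreted as a bash function definition
        if env_reset:
            keep = (name in ALWAYS_KEPT
                    or name.startswith("SUDO_")
                    or _listed(name, env_keep)
                    or (_listed(name, env_check)
                        and not _fails_env_check(name, value, env_check)))
        else:
            keep = not (_listed(name, env_delete)
                        or _fails_env_check(name, value, env_check))
        if keep:
            result[name] = value
    for name, value in (env_file or {}).items():
        result.setdefault(name, value)
    return result


# Constructed sample environment for the invoking user (not from the page).
SAMPLE_ENV = {
    "PATH": "/usr/bin:/bin",
    "HOME": "/home/alice",
    "TERM": "xterm",
    "LANG": "en_US.UTF-8",
    "EDITOR": "/usr/bin/vi",        # fails env_check: value contains '/'
    "PS1": "() { :; }; echo hi",    # value begins with "()": always removed
    "SUDO_USER": "alice",
}


def whitelist_example():
    """env_reset on: LANG kept via env_keep, EDITOR dropped by env_check."""
    return build_command_env(SAMPLE_ENV, env_reset=True,
                             env_keep=("LANG", "LC_*"), env_check=("EDITOR",))


def blacklist_example():
    """env_reset off: everything inherited except env_delete and failed env_check."""
    return build_command_env(SAMPLE_ENV, env_reset=False,
                             env_delete=("LANG",), env_check=("EDITOR",),
                             env_file={"HOME": "/root", "LC_ALL": "C"})


if __name__ == "__main__":
    print(sorted(whitelist_example()))
    print(sorted(blacklist_example()))
```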
  401: .SH "SUDOERS FILE FORMAT"
  402: The
  403: \fIsudoers\fR
  404: file is composed of two types of entries: aliases
  405: (basically variables) and user specifications (which specify who
  406: may run what).
  407: .PP
  408: When multiple entries match for a user, they are applied in order.
  409: Where there are multiple matches, the last match is used (which is
  410: not necessarily the most specific match).
  411: .PP
  412: The
  413: \fIsudoers\fR
  414: grammar will be described below in Extended Backus-Naur
  415: Form (EBNF).
  416: Don't despair if you are unfamiliar with EBNF; it is fairly simple,
  417: and the definitions below are annotated.
  418: .SS "Quick guide to EBNF"
  419: EBNF is a concise and exact way of describing the grammar of a language.
  420: Each EBNF definition is made up of
  421: \fIproduction rules\fR.
  422: E.g.,
  423: .PP
  424: \fRsymbol ::= definition\fR | \fRalternate1\fR | \fRalternate2 ...\fR
  425: .PP
  426: Each
  427: \fIproduction rule\fR
  428: references others and thus makes up a
  429: grammar for the language.
  430: EBNF also contains the following
  431: operators, which many readers will recognize from regular
  432: expressions.
  433: Do not, however, confuse them with
  434: ``wildcard''
  435: characters, which have different meanings.
  436: .TP 6n
  437: \fR\&?\fR
  438: Means that the preceding symbol (or group of symbols) is optional.
  439: That is, it may appear once or not at all.
  440: .TP 6n
  441: \fR*\fR
  442: Means that the preceding symbol (or group of symbols) may appear
  443: zero or more times.
  444: .TP 6n
  445: \fR+\fR
  446: Means that the preceding symbol (or group of symbols) may appear
  447: one or more times.
  448: .PP
  449: Parentheses may be used to group symbols together.
  450: For clarity,
  451: we will use single quotes
  452: ('')
  453: to designate what is a verbatim character string (as opposed to a symbol name).
  454: .SS "Aliases"
  455: There are four kinds of aliases:
  456: \fRUser_Alias\fR,
  457: \fRRunas_Alias\fR,
  458: \fRHost_Alias\fR
  459: and
  460: \fRCmnd_Alias\fR.
  461: .nf
  462: .sp
  463: .RS 0n
  464: Alias ::= 'User_Alias'  User_Alias (':' User_Alias)* |
  465:           'Runas_Alias' Runas_Alias (':' Runas_Alias)* |
  466:           'Host_Alias'  Host_Alias (':' Host_Alias)* |
  467:           'Cmnd_Alias'  Cmnd_Alias (':' Cmnd_Alias)*
  468: 
  469: User_Alias ::= NAME '=' User_List
  470: 
  471: Runas_Alias ::= NAME '=' Runas_List
  472: 
  473: Host_Alias ::= NAME '=' Host_List
  474: 
  475: Cmnd_Alias ::= NAME '=' Cmnd_List
  476: 
  477: NAME ::= [A-Z]([A-Z][0-9]_)*
  478: .RE
  479: .fi
  480: .PP
  481: Each
  482: \fIalias\fR
  483: definition is of the form
  484: .nf
  485: .sp
  486: .RS 0n
  487: Alias_Type NAME = item1, item2, ...
  488: .RE
  489: .fi
  490: .PP
  491: where
  492: \fIAlias_Type\fR
  493: is one of
  494: \fRUser_Alias\fR,
  495: \fRRunas_Alias\fR,
  496: \fRHost_Alias\fR,
  497: or
  498: \fRCmnd_Alias\fR.
  499: A
  500: \fRNAME\fR
  501: is a string of uppercase letters, numbers,
  502: and underscore characters
  503: (`_').
  504: A
  505: \fRNAME\fR
  506: \fBmust\fR
  507: start with an
  508: uppercase letter.
  509: It is possible to put several alias definitions
  510: of the same type on a single line, joined by a colon
  511: (`:\&').
  512: E.g.,
  513: .nf
  514: .sp
  515: .RS 0n
  516: Alias_Type NAME = item1, item2, item3 : NAME = item4, item5
  517: .RE
  518: .fi
  519: .PP
  520: The definitions of what constitutes a valid
  521: \fIalias\fR
  522: member follow.
  523: .nf
  524: .sp
  525: .RS 0n
  526: User_List ::= User |
  527:               User ',' User_List
  528: 
  529: User ::= '!'* user name |
  530:          '!'* #uid |
  531:          '!'* %group |
  532:          '!'* %#gid |
  533:          '!'* +netgroup |
  534:          '!'* %:nonunix_group |
  535:          '!'* %:#nonunix_gid |
  536:          '!'* User_Alias
  537: .RE
  538: .fi
  539: .PP
  540: A
  541: \fRUser_List\fR
  542: is made up of one or more user names, user IDs
  543: (prefixed with
  544: `#'),
  545: system group names and IDs (prefixed with
  546: `%'
  547: and
  548: `%#'
  549: respectively), netgroups (prefixed with
  550: `+'),
  551: non-Unix group names and IDs (prefixed with
  552: `%:'
  553: and
  554: `%:#'
  555: respectively) and
  556: \fRUser_Alias\fRes.
  557: Each list item may be prefixed with zero or more
  558: `\&!'
  559: operators.
  560: An odd number of
  561: `\&!'
  562: operators negate the value of
  563: the item; an even number just cancel each other out.
  564: .PP
  565: A
  566: \fRuser name\fR,
  567: \fRuid\fR,
  568: \fRgroup\fR,
  569: \fRgid\fR,
  570: \fRnetgroup\fR,
  571: \fRnonunix_group\fR
  572: or
  573: \fRnonunix_gid\fR
  574: may be enclosed in double quotes to avoid the
  575: need for escaping special characters.
  576: Alternately, special characters
  577: may be specified in escaped hex mode, e.g.\& \ex20 for space.
  578: When
  579: using double quotes, any prefix characters must be included inside
  580: the quotes.
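A parser for the User grammar above (prefixes, `!` counting, double quotes and `\xHH` escapes), written here as an added example and not code from the sudo project. It treats `!` as sitting outside any quotes, recognises an all-uppercase name as a User_Alias reference, and uses a constructed sample list with a placeholder domain.

```python
import re

# Alias names: uppercase letters, digits and '_', starting with an uppercase letter.
ALIAS_NAME_RE = re.compile(r"^[A-Z][A-Z0-9_]*$")
# "\xHH" hex escapes (e.g. \x20 for space) or a backslash-escaped single character.
ESCAPE_RE = re.compile(r"\\x([0-9A-Fa-f]{2})|\\(.)")

# Prefixes from the User grammar, longest first so "%:#" is tried before "%:" and "%".
PREFIXES = (
    ("%:#", "nonunix_gid"),
    ("%:", "nonunix_group"),
    ("%#", "gid"),
    ("%", "group"),
    ("#", "uid"),
    ("+", "netgroup"),
)


def _unescape(text):
    def repl(m):
        if m.group(1) is not None:
            return chr(int(m.group(1), 16))
        return m.group(2)
    return ESCAPE_RE.sub(repl, text)


def parse_user_item(item):
    """Parse one User entry into {'kind', 'value', 'negated'}.

    Leading '!' operators are counted: an odd number negates the item, an even
    number cancels out.  A double-quoted item must carry its prefix inside the
    quotes; an unquoted item may use backslash or \\xHH escapes instead.
    """
    item = item.strip()
    body = item.lstrip("!")
    negated = (len(item) - len(body)) % 2 == 1
    if body.startswith('"'):
        if len(body) < 2 or not body.endswith('"'):
            raise ValueError(f"unterminated quote in {item!r}")
        body = body[1:-1]
    kind = "user"
    for prefix, prefix_kind in PREFIXES:
        if body.startswith(prefix):
            kind, body = prefix_kind, body[len(prefix):]
            break
    value = _unescape(body)
    if not value:
        raise ValueError(f"empty item in {item!r}")
    if kind in ("uid", "gid") and not value.isdigit():
        raise ValueError(f"{kind} must be numeric: {item!r}")
    if kind == "user" and ALIAS_NAME_RE.match(value):
        kind = "User_Alias"   # an all-uppercase name refers to an alias
    return {"kind": kind, "value": value, "negated": negated}


def parse_user_list(text):
    """Split a User_List on commas outside double quotes, then parse each item."""
    items, current, quoted, i = [], [], False, 0
    while i < len(text):
        ch = text[i]
        if ch == "\\" and i + 1 < len(text):   # keep escapes intact for parse_user_item
            current.append(text[i:i + 2])
            i += 2
            continue
        if ch == '"':
            quoted = not quoted
        if ch == "," and not quoted:
            items.append("".join(current))
            current = []
        else:
            current.append(ch)
        i += 1
    items.append("".join(current))
    return [parse_user_item(s) for s in items if s.strip()]


if __name__ == "__main__":
    # Constructed sample list; EXAMPLE.COM is a placeholder domain.
    sample = r'alice, !!#0, !%#1000, "%:Domain Admins@EXAMPLE.COM", %:Web\x20Ops, +ops, ADMINS'
    for entry in parse_user_list(sample):
        print(entry)
```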
  581: .PP
  582: The actual
  583: \fRnonunix_group\fR
  584: and
  585: \fRnonunix_gid\fR
  586: syntax depends on
  587: the underlying group provider plugin.
  588: For instance, the QAS AD plugin supports the following formats:
  589: .TP 6n
  590: \fBo\fR
  591: Group in the same domain: "%:Group Name"
  592: .TP 6n
  593: \fBo\fR
  594: Group in any domain: "%:Group Name@FULLY.QUALIFIED.DOMAIN"
  595: .TP 6n
  596: \fBo\fR
  597: Group SID: "%:S-1-2-34-5678901234-5678901234-5678901234-567"
  598: .PP
  599: See
  600: \fIGROUP PROVIDER PLUGINS\fR
  601: for more information.
  602: .PP
  603: Note that quotes around group names are optional.
  604: Unquoted strings must use a backslash
  605: (`\e')
  606: to escape spaces and special characters.
  607: See
  608: \fIOther special characters and reserved words\fR
  609: for a list of
  610: characters that need to be escaped.
  611: .nf
  612: .sp
  613: .RS 0n
  614: Runas_List ::= Runas_Member |
  615:                Runas_Member ',' Runas_List
  616: 
  617: Runas_Member ::= '!'* user name |
  618:                  '!'* #uid |
  619:                  '!'* %group |
  620:                  '!'* %#gid |
  621:                  '!'* %:nonunix_group |
  622:                  '!'* %:#nonunix_gid |
  623:                  '!'* +netgroup |
  624:                  '!'* Runas_Alias
  625: .RE
  626: .fi
  627: .PP
  628: A
  629: \fRRunas_List\fR
  630: is similar to a
  631: \fRUser_List\fR
  632: except that instead
  633: of
  634: \fRUser_Alias\fRes
  635: it can contain
  636: \fRRunas_Alias\fRes.
  637: Note that
  638: user names and groups are matched as strings.
  639: In other words, two
  640: users (groups) with the same uid (gid) are considered to be distinct.
  641: If you wish to match all user names with the same uid (e.g.\&
  642: root and toor), you can use a uid instead (#0 in the example given).
  643: .nf
  644: .sp
  645: .RS 0n
  646: Host_List ::= Host |
  647:               Host ',' Host_List
  648: 
  649: Host ::= '!'* host name |
  650:          '!'* ip_addr |
  651:          '!'* network(/netmask)? |
  652:          '!'* +netgroup |
  653:          '!'* Host_Alias
  654: .RE
  655: .fi
  656: .PP
  657: A
  658: \fRHost_List\fR
  659: is made up of one or more host names, IP addresses,
  660: network numbers, netgroups (prefixed with
  661: `+')
  662: and other aliases.
  663: Again, the value of an item may be negated with the
  664: `\&!'
  665: operator.
  666: If you do not specify a netmask along with the network number,
  667: \fBsudo\fR
  668: will query each of the local host's network interfaces and,
   669: if the network number corresponds to one of the host's network
  670: interfaces, the corresponding netmask will be used.
  671: The netmask
  672: may be specified either in standard IP address notation
  673: (e.g.\& 255.255.255.0 or ffff:ffff:ffff:ffff::),
  674: or CIDR notation (number of bits, e.g.\& 24 or 64).
  675: A host name may include shell-style wildcards (see the
  676: \fIWildcards\fR
  677: section below),
  678: but unless the
  679: \fRhost name\fR
  680: command on your machine returns the fully
  681: qualified host name, you'll need to use the
  682: \fIfqdn\fR
  683: option for wildcards to be useful.
  684: Note that
  685: \fBsudo\fR
  686: only inspects actual network interfaces; this means that IP address
  687: 127.0.0.1 (localhost) will never match.
  688: Also, the host name
  689: ``localhost''
  690: will only match if that is the actual host name, which is usually
  691: only the case for non-networked systems.
  692: .nf
  693: .sp
  694: .RS 0n
  695: digest ::= [A-Fa-f0-9]+ |
   696: 	   [A-Za-z0-9\+/=]+
  697: 
  698: Digest_Spec ::= "sha224" ':' digest |
  699: 		"sha256" ':' digest |
  700: 		"sha384" ':' digest |
  701: 		"sha512" ':' digest
  702: 
  703: Cmnd_List ::= Cmnd |
  704:               Cmnd ',' Cmnd_List
  705: 
  706: command name ::= file name |
  707:                  file name args |
  708:                  file name '""'
  709: 
  710: Cmnd ::= Digest_Spec? '!'* command name |
  711:          '!'* directory |
  712:          '!'* "sudoedit" |
  713:          '!'* Cmnd_Alias
  714: .RE
  715: .fi
  716: .PP
  717: A
  718: \fRCmnd_List\fR
  719: is a list of one or more command names, directories, and other aliases.
  720: A command name is a fully qualified file name which may include
  721: shell-style wildcards (see the
  722: \fIWildcards\fR
  723: section below).
  724: A simple file name allows the user to run the command with any
  725: arguments he/she wishes.
  726: However, you may also specify command line arguments (including
  727: wildcards).
  728: Alternately, you can specify
  729: \fR\&""\fR
  730: to indicate that the command
  731: may only be run
  732: \fBwithout\fR
  733: command line arguments.
  734: A directory is a
  735: fully qualified path name ending in a
  736: `/'.
  737: When you specify a directory in a
  738: \fRCmnd_List\fR,
  739: the user will be able to run any file within that directory
  740: (but not in any sub-directories therein).
  741: .PP
  742: If a
  743: \fRCmnd\fR
  744: has associated command line arguments, then the arguments
  745: in the
  746: \fRCmnd\fR
  747: must match exactly those given by the user on the command line
  748: (or match the wildcards if there are any).
  749: Note that the following characters must be escaped with a
  750: `\e'
  751: if they are used in command arguments:
  752: `,\&',
  753: `:\&',
  754: `=\&',
  755: `\e'.
  756: The built-in command
  757: ``\fRsudoedit\fR''
  758: is used to permit a user to run
  759: \fBsudo\fR
  760: with the
  761: \fB\-e\fR
  762: option (or as
  763: \fBsudoedit\fR).
  764: It may take command line arguments just as a normal command does.
  765: Note that
  766: ``\fRsudoedit\fR''
  767: is a command built into
  768: \fBsudo\fR
  769: itself and must be specified in
  770: \fIsudoers\fR
  771: without a leading path.
  772: .PP
  773: If a
  774: \fRcommand name\fR
  775: is prefixed with a
  776: \fRDigest_Spec\fR,
  777: the command will only match successfully if it can be verified
  778: using the specified SHA-2 digest.
  779: This may be useful in situations where the user invoking
  780: \fBsudo\fR
  781: has write access to the command or its parent directory.
  782: The following digest formats are supported: sha224, sha256, sha384 and sha512.
  783: The string may be specified in either hex or base64 format
  784: (base64 is more compact).
  785: There are several utilities capable of generating SHA-2 digests in hex
  786: format such as openssl, shasum, sha224sum, sha256sum, sha384sum, sha512sum.
  787: .PP
  788: For example, using openssl:
  789: .nf
  790: .sp
  791: .RS 0n
  792: $ openssl dgst -sha224 /bin/ls
  793: SHA224(/bin/ls)= 118187da8364d490b4a7debbf483004e8f3e053ec954309de2c41a25
  794: .RE
  795: .fi
  796: .PP
  797: It is also possible to use openssl to generate base64 output:
  798: .nf
  799: .sp
  800: .RS 0n
  801: $ openssl dgst -binary -sha224 /bin/ls | openssl base64
  802: EYGH2oNk1JC0p9679IMATo8+BT7JVDCd4sQaJQ==
  803: .RE
  804: .fi
  805: .PP
  806: Command digests are only supported by version 1.8.7 or higher.
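Parsing and checking a Digest_Spec against a command's contents, as an added example that is not code from sudo. It accepts the hex or base64 forms the grammar allows (hex is recognised by its exact length, so a base64 string made only of hex characters is not misread), rejects truncated digests, and produces the same spec strings as the two openssl pipelines above; the inputs are constructed.

```python
import base64
import binascii
import hashlib
import hmac
import re

# The four SHA-2 digest types a Digest_Spec may name.
DIGEST_TYPES = {
    "sha224": hashlib.sha224,
    "sha256": hashlib.sha256,
    "sha384": hashlib.sha384,
    "sha512": hashlib.sha512,
}
HEX_RE = re.compile(r"^[A-Fa-f0-9]+$")
BASE64_RE = re.compile(r"^[A-Za-z0-9+/=]+$")


def _encode(raw, encoding):
    if encoding == "hex":
        return raw.hex()
    if encoding == "base64":
        return base64.b64encode(raw).decode("ascii")
    raise ValueError(f"unknown encoding {encoding!r}")


def parse_digest_spec(spec):
    """Split 'sha256:<digest>' into (digest type, raw digest bytes).

    Hex is recognised by its exact length (two characters per digest byte);
    anything else in the base64 alphabet is decoded as base64.  The decoded
    length must match the digest type, so a truncated digest is rejected.
    """
    digest_type, sep, digest = spec.partition(":")
    if not sep or digest_type not in DIGEST_TYPES:
        raise ValueError(f"unsupported Digest_Spec: {spec!r}")
    expected_len = DIGEST_TYPES[digest_type]().digest_size
    if HEX_RE.match(digest) and len(digest) == 2 * expected_len:
        raw = binascii.unhexlify(digest)
    elif BASE64_RE.match(digest):
        raw = base64.b64decode(digest, validate=True)   # binascii.Error is a ValueError
    else:
        raise ValueError(f"digest is neither hex nor base64: {digest!r}")
    if len(raw) != expected_len:
        raise ValueError(f"{digest_type} digest must be {expected_len} bytes, got {len(raw)}")
    return digest_type, raw


def spec_is_valid(spec):
    """True if spec is well formed (right digest type, alphabet and length)."""
    try:
        parse_digest_spec(spec)
        return True
    except ValueError:
        return False


def digest_spec_for(digest_type, command_bytes, encoding="hex"):
    """Build the Digest_Spec for a command's contents, like the openssl examples above."""
    raw = DIGEST_TYPES[digest_type](command_bytes).digest()
    return f"{digest_type}:{_encode(raw, encoding)}"


def digest_file(path, digest_type="sha224", encoding="hex"):
    """Digest_Spec for an on-disk binary, hashed in chunks so large files are fine."""
    h = DIGEST_TYPES[digest_type]()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return f"{digest_type}:{_encode(h.digest(), encoding)}"


def command_matches(spec, command_bytes):
    """True only when the command's contents hash to the digest named in spec."""
    digest_type, expected = parse_digest_spec(spec)
    actual = DIGEST_TYPES[digest_type](command_bytes).digest()
    return hmac.compare_digest(actual, expected)


if __name__ == "__main__":
    # Constructed stand-in for a command's bytes.
    binary = b"#!/bin/sh\necho hello\n"
    for enc in ("hex", "base64"):
        spec = digest_spec_for("sha224", binary, enc)
        print(spec, command_matches(spec, binary))
```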
  807: .SS "Defaults"
  808: Certain configuration options may be changed from their default
  809: values at run-time via one or more
  810: \fRDefault_Entry\fR
  811: lines.
  812: These may affect all users on any host, all users on a specific host, a
  813: specific user, a specific command, or commands being run as a specific user.
  814: Note that per-command entries may not include command line arguments.
  815: If you need to specify arguments, define a
  816: \fRCmnd_Alias\fR
  817: and reference
  818: that instead.
  819: .nf
  820: .sp
  821: .RS 0n
  822: Default_Type ::= 'Defaults' |
  823:                  'Defaults' '@' Host_List |
  824:                  'Defaults' ':' User_List |
  825:                  'Defaults' '!' Cmnd_List |
  826:                  'Defaults' '>' Runas_List
  827: 
  828: Default_Entry ::= Default_Type Parameter_List
  829: 
  830: Parameter_List ::= Parameter |
  831:                    Parameter ',' Parameter_List
  832: 
  833: Parameter ::= Parameter '=' Value |
  834:               Parameter '+=' Value |
  835:               Parameter '-=' Value |
  836:               '!'* Parameter
  837: .RE
  838: .fi
  839: .PP
  840: Parameters may be
  841: \fBflags\fR,
  842: \fBinteger\fR
  843: values,
  844: \fBstrings\fR,
  845: or
  846: \fBlists\fR.
  847: Flags are implicitly boolean and can be turned off via the
  848: `\&!'
  849: operator.
  850: Some integer, string and list parameters may also be
  851: used in a boolean context to disable them.
  852: Values may be enclosed
  853: in double quotes
  854: (\&"")
  855: when they contain multiple words.
  856: Special characters may be escaped with a backslash
  857: (`\e').
  858: .PP
  859: Lists have two additional assignment operators,
  860: \fR+=\fR
  861: and
  862: \fR-=\fR.
  863: These operators are used to add to and delete from a list respectively.
  864: It is not an error to use the
  865: \fR-=\fR
  866: operator to remove an element
  867: that does not exist in a list.
  868: .PP
  869: Defaults entries are parsed in the following order: generic, host
  870: and user Defaults first, then runas Defaults and finally command
  871: defaults.
  872: .PP
  873: See
  874: \fISUDOERS OPTIONS\fR
  875: for a list of supported Defaults parameters.
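The Default_Entry grammar and the `=`, `+=`, `-=` and `!` semantics above, worked through as an added example (not code from sudo): Defaults lines are parsed, grouped by scope and applied in the stated order (generic, host, user, runas, command). It assumes that env_keep, env_check and env_delete are list parameters whose quoted values hold space-separated words, that timestamp_timeout is an integer option (both are real sudoers options described under SUDOERS OPTIONS), and that scope targets match as plain strings; the sample lines are constructed.

```python
import re

# Defaults scopes in the order the text gives: generic, host, user, runas, command.
SCOPE_ORDER = {"": 0, "@": 1, ":": 2, ">": 3, "!": 4}
# Parameters treated as lists (real list-valued sudoers options; assumed for this example).
LIST_PARAMS = {"env_keep", "env_check", "env_delete"}

HEADER_RE = re.compile(r"^Defaults([@:!>])?(\S*)\s+(.*)$")
PARAM_RE = re.compile(
    r'\s*(!*)([A-Za-z_][A-Za-z0-9_]*)'                    # '!' operators, then the name
    r'\s*(?:(\+=|-=|=)\s*("(?:[^"\\]|\\.)*"|[^,\s]+))?'   # optional operator and value
    r'\s*(?:,|$)'                                         # next parameter or end of line
)


def parse_parameters(text):
    """Parse a Parameter_List into (negated, name, operator, value) tuples."""
    params, pos = [], 0
    while pos < len(text):
        m = PARAM_RE.match(text, pos)
        if not m:
            raise ValueError(f"cannot parse Defaults parameters at {text[pos:]!r}")
        bangs, name, op, value = m.groups()
        if value is not None and value.startswith('"'):
            value = re.sub(r"\\(.)", r"\1", value[1:-1])   # strip quotes, resolve backslashes
        params.append((len(bangs) % 2 == 1, name, op, value))
        pos = m.end()
    return params


def apply_parameter(settings, negated, name, op, value):
    if op is None:
        # Bare flag: an odd number of '!' turns it off (and disables a non-flag parameter).
        settings[name] = not negated
        return
    if name not in LIST_PARAMS:
        if op != "=":
            raise ValueError(f"{op} is only valid for list parameters, not {name}")
        settings[name] = int(value) if value.isdigit() else value
        return
    words = value.split()
    current = list(settings.get(name) or [])
    if op == "=":
        current = words
    elif op == "+=":
        current.extend(w for w in words if w not in current)
    else:  # '-=': removing an element that is not present is not an error
        current = [w for w in current if w not in words]
    settings[name] = current


def apply_defaults(lines, host, user, runas="root", command=None):
    """Apply Defaults lines for one (host, user, runas, command) and return the settings.

    Entries are grouped by scope and applied generic -> host -> user -> runas ->
    command, keeping file order within each group.  Scope targets are matched as
    plain strings (aliases, negation and wildcards are out of scope here).
    """
    actual = {"": None, "@": host, ":": user, ">": runas, "!": command}
    entries = []
    for order, line in enumerate(lines):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = HEADER_RE.match(line)
        if not m:
            raise ValueError(f"not a Defaults line: {line!r}")
        scope, targets, rest = m.group(1) or "", m.group(2), m.group(3)
        entries.append((SCOPE_ORDER[scope], order, scope, targets.split(","),
                        parse_parameters(rest)))
    settings = {}
    for _, _, scope, targets, params in sorted(entries, key=lambda e: e[:2]):
        if scope and actual[scope] not in targets:
            continue
        for param in params:
            apply_parameter(settings, *param)
    return settings


# Constructed sample Defaults lines (not from the page).
SAMPLE_DEFAULTS = [
    "Defaults env_reset, timestamp_timeout=5",
    'Defaults env_keep += "LANG LC_ALL"',
    "Defaults:alice !env_reset",
    'Defaults@boulder env_keep -= "LC_ALL NOT_THERE"',
    'Defaults>root env_keep += "TZ"',
]


def example_for_alice_on_boulder():
    return apply_defaults(SAMPLE_DEFAULTS, host="boulder", user="alice")


def example_for_bob_elsewhere():
    return apply_defaults(SAMPLE_DEFAULTS, host="other", user="bob")


if __name__ == "__main__":
    print(example_for_alice_on_boulder())
    print(example_for_bob_elsewhere())
```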
  876: .SS "User specification"
  877: .nf
  878: .RS 0n
  879: User_Spec ::= User_List Host_List '=' Cmnd_Spec_List \e
  880:               (':' Host_List '=' Cmnd_Spec_List)*
  881: 
  882: Cmnd_Spec_List ::= Cmnd_Spec |
  883:                    Cmnd_Spec ',' Cmnd_Spec_List
  884: 
  885: Cmnd_Spec ::= Runas_Spec? SELinux_Spec? Solaris_Priv_Spec? Tag_Spec* Cmnd
  886: 
  887: Runas_Spec ::= '(' Runas_List? (':' Runas_List)? ')'
  888: 
  889: SELinux_Spec ::= ('ROLE=role' | 'TYPE=type')
  890: 
  891: Solaris_Priv_Spec ::= ('PRIVS=privset' | 'LIMITPRIVS=privset')
  892: 
  893: Tag_Spec ::= ('NOPASSWD:' | 'PASSWD:' | 'NOEXEC:' | 'EXEC:' |
  894:               'SETENV:' | 'NOSETENV:' | 'LOG_INPUT:' | 'NOLOG_INPUT:' |
  895:               'LOG_OUTPUT:' | 'NOLOG_OUTPUT:')
  896: .RE
  897: .fi
  898: .PP
  899: A
  900: \fBuser specification\fR
  901: determines which commands a user may run
  902: (and as what user) on specified hosts.
  903: By default, commands are
  904: run as
  905: \fBroot\fR,
  906: but this can be changed on a per-command basis.
  907: .PP
  908: The basic structure of a user specification is
  909: ``who where = (as_whom) what''.
  910: Let's break that down into its constituent parts:
  911: .SS "Runas_Spec"
  912: A
  913: \fRRunas_Spec\fR
  914: determines the user and/or the group that a command
  915: may be run as.
  916: A fully-specified
  917: \fRRunas_Spec\fR
  918: consists of two
  919: \fRRunas_List\fRs
  920: (as defined above) separated by a colon
  921: (`:\&')
  922: and enclosed in a set of parentheses.
  923: The first
  924: \fRRunas_List\fR
  925: indicates
  926: which users the command may be run as via
  927: \fBsudo\fR's
  928: \fB\-u\fR
  929: option.
  930: The second defines a list of groups that can be specified via
  931: \fBsudo\fR's
  932: \fB\-g\fR
  933: option.
  934: If both
  935: \fRRunas_List\fRs
  936: are specified, the command may be run with any combination of users
  937: and groups listed in their respective
  938: \fRRunas_List\fRs.
  939: If only the first is specified, the command may be run as any user
  940: in the list but no
  941: \fB\-g\fR
  942: option
  943: may be specified.
  944: If the first
  945: \fRRunas_List\fR
  946: is empty but the
  947: second is specified, the command may be run as the invoking user
  948: with the group set to any listed in the
  949: \fRRunas_List\fR.
  950: If both
  951: \fRRunas_List\fRs
  952: are empty, the command may only be run as the invoking user.
  953: If no
  954: \fRRunas_Spec\fR
  955: is specified the command may be run as
  956: \fBroot\fR
  957: and
  958: no group may be specified.
  959: .PP
  960: A
  961: \fRRunas_Spec\fR
  962: sets the default for the commands that follow it.
  963: What this means is that for the entry:
  964: .nf
  965: .sp
  966: .RS 0n
  967: dgb	boulder = (operator) /bin/ls, /bin/kill, /usr/bin/lprm
  968: .RE
  969: .fi
  970: .PP
  971: The user
  972: \fBdgb\fR
  973: may run
  974: \fI/bin/ls\fR,
  975: \fI/bin/kill\fR,
  976: and
  977: \fI/usr/bin/lprm\fR\(embut
  978: only as
  979: \fBoperator\fR.
  980: E.g.,
  981: .nf
  982: .sp
  983: .RS 0n
  984: $ sudo -u operator /bin/ls
  985: .RE
  986: .fi
  987: .PP
  988: It is also possible to override a
  989: \fRRunas_Spec\fR
  990: later on in an entry.
  991: If we modify the entry like so:
  992: .nf
  993: .sp
  994: .RS 0n
  995: dgb	boulder = (operator) /bin/ls, (root) /bin/kill, /usr/bin/lprm
  996: .RE
  997: .fi
  998: .PP
  999: Then user
 1000: \fBdgb\fR
 1001: is now allowed to run
 1002: \fI/bin/ls\fR
 1003: as
 1004: \fBoperator\fR,
 1005: but
 1006: \fI/bin/kill\fR
 1007: and
 1008: \fI/usr/bin/lprm\fR
 1009: as
 1010: \fBroot\fR.
 1011: .PP
 1012: We can extend this to allow
 1013: \fBdgb\fR
 1014: to run
 1015: \fR/bin/ls\fR
 1016: with either
 1017: the user or group set to
 1018: \fBoperator\fR:
 1019: .nf
 1020: .sp
 1021: .RS 0n
 1022: dgb	boulder = (operator : operator) /bin/ls, (root) /bin/kill,\e
 1023: 	/usr/bin/lprm
 1024: .RE
 1025: .fi
 1026: .PP
 1027: Note that while the group portion of the
 1028: \fRRunas_Spec\fR
 1029: permits the
  1030: user to run a command with that group, it does not force the user
 1031: to do so.
 1032: If no group is specified on the command line, the command
 1033: will run with the group listed in the target user's password database
 1034: entry.
 1035: The following would all be permitted by the sudoers entry above:
 1036: .nf
 1037: .sp
 1038: .RS 0n
 1039: $ sudo -u operator /bin/ls
 1040: $ sudo -u operator -g operator /bin/ls
 1041: $ sudo -g operator /bin/ls
 1042: .RE
 1043: .fi
 1044: .PP
 1045: In the following example, user
 1046: \fBtcm\fR
 1047: may run commands that access
 1048: a modem device file with the dialer group.
 1049: .nf
 1050: .sp
 1051: .RS 0n
 1052: tcm	boulder = (:dialer) /usr/bin/tip, /usr/bin/cu,\e
 1053: 	/usr/local/bin/minicom
 1054: .RE
 1055: .fi
 1056: .PP
1057: Note that in this example only the group will be set; the command
 1058: still runs as user
 1059: \fBtcm\fR.
 1060: E.g.\&
 1061: .nf
 1062: .sp
 1063: .RS 0n
 1064: $ sudo -g dialer /usr/bin/cu
 1065: .RE
 1066: .fi
 1067: .PP
 1068: Multiple users and groups may be present in a
 1069: \fRRunas_Spec\fR,
 1070: in which case the user may select any combination of users and groups via the
 1071: \fB\-u\fR
 1072: and
 1073: \fB\-g\fR
 1074: options.
 1075: In this example:
 1076: .nf
 1077: .sp
 1078: .RS 0n
 1079: alan	ALL = (root, bin : operator, system) ALL
 1080: .RE
 1081: .fi
 1082: .PP
 1083: user
 1084: \fBalan\fR
 1085: may run any command as either user root or bin,
 1086: optionally setting the group to operator or system.
 1087: .SS "SELinux_Spec"
 1088: On systems with SELinux support,
 1089: \fIsudoers\fR
 1090: entries may optionally have an SELinux role and/or type associated
 1091: with a command.
 1092: If a role or
 1093: type is specified with the command it will override any default values
 1094: specified in
 1095: \fIsudoers\fR.
 1096: A role or type specified on the command line,
 1097: however, will supersede the values in
 1098: \fIsudoers\fR.
 1099: .SS "Solaris_Priv_Spec"
 1100: On Solaris systems,
 1101: \fIsudoers\fR
 1102: entries may optionally specify Solaris privilege set and/or limit
 1103: privilege set associated with a command.
 1104: If privileges or limit privileges are specified with the command
 1105: it will override any default values specified in
 1106: \fIsudoers\fR.
 1107: .PP
 1108: A privilege set is a comma-separated list of privilege names.
 1109: The
 1110: ppriv(1)
 1111: command can be used to list all privileges known to the system.
 1112: For example:
 1113: .nf
 1114: .sp
 1115: .RS 0n
 1116: $ ppriv -l
 1117: .RE
 1118: .fi
 1119: .PP
 1120: In addition, there are several
 1121: ``special''
 1122: privilege strings:
 1123: .TP 10n
 1124: none
 1125: the empty set
 1126: .TP 10n
 1127: all
 1128: the set of all privileges
 1129: .TP 10n
 1130: zone
 1131: the set of all privileges available in the current zone
 1132: .TP 10n
 1133: basic
 1134: the default set of privileges normal users are granted at login time
 1135: .PP
 1136: Privileges can be excluded from a set by prefixing the privilege
 1137: name with either an
 1138: `\&!'
 1139: or
 1140: `\-'
 1141: character.
 1142: .SS "Tag_Spec"
 1143: A command may have zero or more tags associated with it.
 1144: There are
 1145: ten possible tag values:
 1146: \fRNOPASSWD\fR,
 1147: \fRPASSWD\fR,
 1148: \fRNOEXEC\fR,
 1149: \fREXEC\fR,
 1150: \fRSETENV\fR,
 1151: \fRNOSETENV\fR,
 1152: \fRLOG_INPUT\fR,
 1153: \fRNOLOG_INPUT\fR,
 1154: \fRLOG_OUTPUT\fR
 1155: and
 1156: \fRNOLOG_OUTPUT\fR.
 1157: Once a tag is set on a
 1158: \fRCmnd\fR,
 1159: subsequent
 1160: \fRCmnd\fRs
 1161: in the
1162: \fRCmnd_Spec_List\fR
 1163: inherit the tag unless it is overridden by the opposite tag (in other words,
 1164: \fRPASSWD\fR
 1165: overrides
 1166: \fRNOPASSWD\fR
 1167: and
 1168: \fRNOEXEC\fR
 1169: overrides
 1170: \fREXEC\fR).
 1171: .TP 2n
 1172: \fINOPASSWD\fR and \fIPASSWD\fR
 1173: .sp
 1174: By default,
 1175: \fBsudo\fR
 1176: requires that a user authenticate him or herself
 1177: before running a command.
 1178: This behavior can be modified via the
 1179: \fRNOPASSWD\fR
 1180: tag.
 1181: Like a
 1182: \fRRunas_Spec\fR,
 1183: the
 1184: \fRNOPASSWD\fR
 1185: tag sets
 1186: a default for the commands that follow it in the
 1187: \fRCmnd_Spec_List\fR.
 1188: Conversely, the
 1189: \fRPASSWD\fR
 1190: tag can be used to reverse things.
 1191: For example:
 1192: .RS
 1193: .nf
 1194: .sp
 1195: .RS 0n
 1196: ray	rushmore = NOPASSWD: /bin/kill, /bin/ls, /usr/bin/lprm
 1197: .RE
 1198: .fi
 1199: .sp
 1200: would allow the user
 1201: \fBray\fR
 1202: to run
 1203: \fI/bin/kill\fR,
 1204: \fI/bin/ls\fR,
 1205: and
 1206: \fI/usr/bin/lprm\fR
 1207: as
 1208: \fBroot\fR
 1209: on the machine rushmore without authenticating himself.
 1210: If we only want
 1211: \fBray\fR
 1212: to be able to
 1213: run
 1214: \fI/bin/kill\fR
 1215: without a password the entry would be:
 1216: .nf
 1217: .sp
 1218: .RS 0n
 1219: ray	rushmore = NOPASSWD: /bin/kill, PASSWD: /bin/ls, /usr/bin/lprm
 1220: .RE
 1221: .fi
 1222: .sp
 1223: Note, however, that the
 1224: \fRPASSWD\fR
 1225: tag has no effect on users who are in the group specified by the
 1226: \fIexempt_group\fR
 1227: option.
 1228: .sp
 1229: By default, if the
 1230: \fRNOPASSWD\fR
 1231: tag is applied to any of the entries for a user on the current host,
 1232: he or she will be able to run
 1233: ``\fRsudo -l\fR''
 1234: without a password.
 1235: Additionally, a user may only run
 1236: ``\fRsudo -v\fR''
 1237: without a password if the
 1238: \fRNOPASSWD\fR
 1239: tag is present for all a user's entries that pertain to the current host.
 1240: This behavior may be overridden via the
 1241: \fIverifypw\fR
 1242: and
 1243: \fIlistpw\fR
 1244: options.
 1245: .PP
 1246: .RE
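.PP
As an added illustration (not part of this manual or of sudo's own parser), the following Python models how a Runas_Spec and the tags set on one Cmnd carry over to the Cmnds that follow it in a Cmnd_Spec_List, using the entries from the examples above. It assumes the runas_default option is left at root, and its permitted() function is a simplified model of sudo's matching, not sudo's code.

```python
import re

# Tag name -> (family, value).  A tag overrides the opposite tag of its family.
TAGS = {
    "NOPASSWD": ("passwd", False), "PASSWD": ("passwd", True),
    "NOEXEC": ("exec", False), "EXEC": ("exec", True),
    "SETENV": ("setenv", True), "NOSETENV": ("setenv", False),
    "LOG_INPUT": ("log_input", True), "NOLOG_INPUT": ("log_input", False),
    "LOG_OUTPUT": ("log_output", True), "NOLOG_OUTPUT": ("log_output", False),
}
RUNAS_DEFAULT = "root"  # sudoers' runas_default option, assumed left at its default


def _split_specs(text):
    """Split a Cmnd_Spec_List on the commas that are outside a (...) Runas_Spec."""
    items, depth, cur = [], 0, ""
    for ch in text:
        depth += (ch == "(") - (ch == ")")
        if ch == "," and depth == 0:
            items.append(cur.strip())
            cur = ""
        else:
            cur += ch
    return items + [cur.strip()]


def parse_user_spec(line):
    """Expand one 'user host = Cmnd_Spec_List' line into per-command entries.

    A Runas_Spec and the tags set on one Cmnd carry over to the Cmnds that
    follow it until a new Runas_Spec replaces it or the opposite tag is given.
    """
    lhs, rhs = line.split("=", 1)
    user, host = lhs.split()
    runas_users, runas_groups, tags = [RUNAS_DEFAULT], [], {}
    entries = []
    for item in _split_specs(rhs):
        m = re.match(r"\(([^)]*)\)\s*(.*)", item)
        if m:  # a new Runas_Spec replaces the previous one entirely
            u, _, g = m.group(1).partition(":")
            users = [x.strip() for x in u.split(",") if x.strip()]
            runas_groups = [x.strip() for x in g.split(",") if x.strip()]
            # "(:group)" sets only the group; the command then runs as the invoking user
            runas_users = users if users else [user]
            item = m.group(2)
        while (m := re.match(r"([A-Z_]+):\s*(.*)", item)) and m.group(1) in TAGS:
            family, value = TAGS[m.group(1)]
            tags[family] = value
            item = m.group(2)
        eff = dict(tags)
        if item == "ALL":
            eff.setdefault("setenv", True)  # SETENV is implied for ALL unless NOSETENV is set
        entries.append({"user": user, "host": host, "cmnd": item,
                        "runas_users": runas_users, "runas_groups": runas_groups,
                        "tags": eff})
    return entries


def permitted(entries, cmnd, target_user=None, target_group=None):
    """Model 'sudo [-u target_user] [-g target_group] cmnd' against the entries.

    Returns the last matching entry (sudo uses the last match) or None.
    With neither option the target user is runas_default; with only -g the
    command runs as the invoking user and only the group list is checked.
    """
    match = None
    for e in entries:
        if e["cmnd"] not in ("ALL", cmnd):
            continue
        if target_user is None and target_group is not None:
            user_ok = True
        else:
            want = RUNAS_DEFAULT if target_user is None else target_user
            user_ok = "ALL" in e["runas_users"] or want in e["runas_users"]
        group_ok = (target_group is None or "ALL" in e["runas_groups"]
                    or target_group in e["runas_groups"])
        if user_ok and group_ok:
            match = e
    return match


# Entries taken from the examples in this section of the manual.
SAMPLE = {
    "dgb": "dgb\tboulder = (operator : operator) /bin/ls, (root) /bin/kill, /usr/bin/lprm",
    "ray": "ray\trushmore = NOPASSWD: /bin/kill, PASSWD: /bin/ls, /usr/bin/lprm",
    "tcm": "tcm\tboulder = (:dialer) /usr/bin/tip, /usr/bin/cu, /usr/local/bin/minicom",
    "alan": "alan\tALL = (root, bin : operator, system) ALL",
}

if __name__ == "__main__":
    for line in SAMPLE.values():
        for e in parse_user_spec(line):
            print(f'{e["user"]:5} {e["cmnd"]:22} runas={e["runas_users"]} '
                  f'groups={e["runas_groups"]} tags={e["tags"]}')
```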
 1247: .PD 0
 1248: .TP 2n
 1249: \fINOEXEC\fR and \fIEXEC\fR
 1250: .sp
 1251: If
 1252: \fBsudo\fR
 1253: has been compiled with
 1254: \fInoexec\fR
 1255: support and the underlying operating system supports it, the
 1256: \fRNOEXEC\fR
 1257: tag can be used to prevent a dynamically-linked executable from
 1258: running further commands itself.
 1259: .sp
 1260: In the following example, user
 1261: \fBaaron\fR
 1262: may run
 1263: \fI/usr/bin/more\fR
 1264: and
 1265: \fI/usr/bin/vi\fR
 1266: but shell escapes will be disabled.
 1267: .RS
 1268: .nf
 1269: .sp
 1270: .RS 0n
 1271: aaron	shanty = NOEXEC: /usr/bin/more, /usr/bin/vi
 1272: .RE
 1273: .fi
 1274: .sp
 1275: See the
 1276: \fIPreventing shell escapes\fR
 1277: section below for more details on how
 1278: \fRNOEXEC\fR
 1279: works and whether or not it will work on your system.
 1280: .PD
 1281: .PP
 1282: .RE
 1283: .PD 0
 1284: .TP 2n
 1285: \fISETENV\fR and \fINOSETENV\fR
 1286: .sp
 1287: These tags override the value of the
 1288: \fIsetenv\fR
 1289: option on a per-command basis.
 1290: Note that if
 1291: \fRSETENV\fR
 1292: has been set for a command, the user may disable the
 1293: \fIenv_reset\fR
 1294: option from the command line via the
 1295: \fB\-E\fR
 1296: option.
 1297: Additionally, environment variables set on the command
 1298: line are not subject to the restrictions imposed by
 1299: \fIenv_check\fR,
 1300: \fIenv_delete\fR,
 1301: or
 1302: \fIenv_keep\fR.
 1303: As such, only trusted users should be allowed to set variables in this manner.
 1304: If the command matched is
 1305: \fBALL\fR,
 1306: the
 1307: \fRSETENV\fR
 1308: tag is implied for that command; this default may be overridden by use of the
 1309: \fRNOSETENV\fR
 1310: tag.
 1311: .PD
 1312: .TP 2n
 1313: \fILOG_INPUT\fR and \fINOLOG_INPUT\fR
 1314: .sp
 1315: These tags override the value of the
 1316: \fIlog_input\fR
 1317: option on a per-command basis.
 1318: For more information, see the description of
 1319: \fIlog_input\fR
 1320: in the
 1321: \fISUDOERS OPTIONS\fR
 1322: section below.
 1323: .TP 2n
 1324: \fILOG_OUTPUT\fR and \fINOLOG_OUTPUT\fR
 1325: .sp
 1326: These tags override the value of the
 1327: \fIlog_output\fR
 1328: option on a per-command basis.
 1329: For more information, see the description of
 1330: \fIlog_output\fR
 1331: in the
 1332: \fISUDOERS OPTIONS\fR
 1333: section below.
 1334: .SS "Wildcards"
 1335: \fBsudo\fR
 1336: allows shell-style
 1337: \fIwildcards\fR
 1338: (aka meta or glob characters)
 1339: to be used in host names, path names and command line arguments in the
 1340: \fIsudoers\fR
 1341: file.
 1342: Wildcard matching is done via the
 1343: glob(3)
 1344: and
 1345: fnmatch(3)
 1346: functions as specified by
 1347: IEEE Std 1003.1 (\(lqPOSIX.1\(rq).
 1348: Note that these are
 1349: \fInot\fR
 1350: regular expressions.
 1351: .TP 10n
 1352: \fR*\fR
 1353: Matches any set of zero or more characters.
 1354: .TP 10n
 1355: \fR\&?\fR
 1356: Matches any single character.
 1357: .TP 10n
 1358: \fR[...]\fR
 1359: Matches any character in the specified range.
 1360: .TP 10n
 1361: \fR[!...]\fR
 1362: Matches any character
 1363: \fBnot\fR
 1364: in the specified range.
 1365: .TP 10n
 1366: \fR\ex\fR
 1367: For any character
 1368: `x',
 1369: evaluates to
 1370: `x'.
 1371: This is used to escape special characters such as:
 1372: `*',
 1373: `\&?',
 1374: `[\&',
 1375: and
 1376: `]\&'.
 1377: .PP
 1378: Character classes may also be used if your system's
 1379: glob(3)
 1380: and
 1381: fnmatch(3)
 1382: functions support them.
 1383: However, because the
 1384: `:\&'
 1385: character has special meaning in
 1386: \fIsudoers\fR,
 1387: it must be
 1388: escaped.
 1389: For example:
 1390: .nf
 1391: .sp
 1392: .RS 4n
1393: /bin/ls [[\e:alpha\e:]]*
 1394: .RE
 1395: .fi
 1396: .PP
 1397: Would match any file name beginning with a letter.
 1398: .PP
 1399: Note that a forward slash
 1400: (`/')
 1401: will
 1402: \fBnot\fR
 1403: be matched by
 1404: wildcards used in the path name.
 1405: This is to make a path like:
 1406: .nf
 1407: .sp
 1408: .RS 4n
 1409: /usr/bin/*
 1410: .RE
 1411: .fi
 1412: .PP
 1413: match
 1414: \fI/usr/bin/who\fR
 1415: but not
 1416: \fI/usr/bin/X11/xterm\fR.
 1417: .PP
 1418: When matching the command line arguments, however, a slash
 1419: \fBdoes\fR
 1420: get matched by wildcards since command line arguments may contain
 1421: arbitrary strings and not just path names.
 1422: .PP
 1423: Wildcards in command line arguments should be used with care.
 1424: Because command line arguments are matched as a single, concatenated
 1425: string, a wildcard such as
 1426: `\&?'
 1427: or
 1428: `*'
 1429: can match multiple words.
 1430: For example, while a sudoers entry like:
 1431: .nf
 1432: .sp
 1433: .RS 4n
 1434: %operator ALL = /bin/cat /var/log/messages*
 1435: .RE
 1436: .fi
 1437: .PP
1438: will allow a command like:
 1439: .nf
 1440: .sp
 1441: .RS 4n
 1442: $ sudo cat /var/log/messages.1
 1443: .RE
 1444: .fi
 1445: .PP
 1446: It will also allow:
 1447: .nf
 1448: .sp
 1449: .RS 4n
 1450: $ sudo cat /var/log/messages /etc/shadow
 1451: .RE
 1452: .fi
 1453: .PP
 1454: which is probably not what was intended.
 1455: .SS "Exceptions to wildcard rules"
 1456: The following exceptions apply to the above rules:
 1457: .TP 10n
 1458: \fR\&""\fR
 1459: If the empty string
 1460: \fR\&""\fR
 1461: is the only command line argument in the
 1462: \fIsudoers\fR
 1463: entry it means that command is not allowed to be run with
 1464: \fBany\fR
 1465: arguments.
 1466: .TP 10n
 1467: sudoedit
 1468: Command line arguments to the
 1469: \fIsudoedit\fR
 1470: built-in command should always be path names, so a forward slash
 1471: (`/')
 1472: will not be matched by a wildcard.
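.PP
The following Python is an added example, not code from sudo: it reproduces the wildcard rules above with a small fnmatch(3)-style matcher. Path names are matched with FNM_PATHNAME semantics, command line arguments are matched as one concatenated string (so the /var/log/messages* rule also accepts the /etc/shadow case), and the "" and sudoedit exceptions are honoured. It assumes a fast_glob-style matcher that never consults the file system and supports only the alpha, digit and alnum character classes.

```python
import re

# POSIX character classes accepted inside [...]; Python's re has no [:alpha:].
POSIX_CLASSES = {"alpha": "a-zA-Z", "digit": "0-9", "alnum": "a-zA-Z0-9"}


def glob_to_regex(pat, pathname):
    """Translate a sudoers wildcard pattern into an anchored Python regex.

    pathname=True mirrors fnmatch(3) with FNM_PATHNAME as sudo uses it for
    path names: '*', '?' and '[...]' then never match a '/'.  Outside a
    bracket expression a backslash makes the next character literal.
    """
    one = "[^/]" if pathname else "."
    pat = pat.replace("\\:", ":")  # sudoers requires ':' to be escaped in a word
    out, i, n = [], 0, len(pat)
    while i < n:
        c = pat[i]
        if c == "\\" and i + 1 < n:  # \x matches a literal x
            out.append(re.escape(pat[i + 1]))
            i += 2
            continue
        if c == "*":
            out.append(one + "*")
        elif c == "?":
            out.append(one)
        elif c == "[":
            j = i + 1 + (pat[i + 1:i + 2] == "!")
            while j < n and pat[j] != "]":  # find the closing ']' past any [:class:]
                k = pat.find(":]", j + 2) if pat.startswith("[:", j) else -1
                j = k + 2 if k != -1 else j + 1
            if j >= n:  # no closing ']': the '[' is an ordinary character
                out.append(r"\[")
            else:
                body = pat[i + 1:j]
                neg = body.startswith("!")
                body = body[1:] if neg else body
                body = re.sub(r"\[:(\w+):\]", lambda m: POSIX_CLASSES[m.group(1)], body)
                body = body.replace("\\", r"\\").replace("]", r"\]").replace("^", r"\^")
                if neg and pathname:
                    body += "/"  # a negated set must not match '/' either
                out.append("[" + ("^" if neg else "") + body + "]")
                i = j
        else:
            out.append(re.escape(c))
        i += 1
    return "^" + "".join(out) + "$"


def cmnd_matches(rule, path, args):
    """Does 'sudo <path> <args>' match one sudoers Cmnd ('path [args]')?

    The path is matched with FNM_PATHNAME.  Arguments are joined into one
    space-separated string and matched as a whole, with wildcards free to
    match '/', except for sudoedit, whose arguments are path names.  A rule
    whose only argument is "" permits the command with no arguments at all,
    and a rule that lists no arguments permits any arguments.
    """
    parts = rule.strip().split(None, 1)
    rule_path, rule_args = parts[0], (parts[1].strip() if len(parts) > 1 else "")
    if not re.match(glob_to_regex(rule_path, True), path):
        return False
    if rule_args == "":
        return True
    if rule_args == '""':
        return len(args) == 0
    pathname = rule_path == "sudoedit"
    return re.match(glob_to_regex(rule_args, pathname), " ".join(args)) is not None


# Constructed demonstration using the %operator rule shown above.
if __name__ == "__main__":
    rule = "/bin/cat /var/log/messages*"
    for args in (["/var/log/messages.1"], ["/var/log/messages", "/etc/shadow"]):
        print(rule, "->", "sudo cat " + " ".join(args), cmnd_matches(rule, "/bin/cat", args))
```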
 1473: .SS "Including other files from within sudoers"
 1474: It is possible to include other
 1475: \fIsudoers\fR
 1476: files from within the
 1477: \fIsudoers\fR
 1478: file currently being parsed using the
 1479: \fR#include\fR
 1480: and
 1481: \fR#includedir\fR
 1482: directives.
 1483: .PP
 1484: This can be used, for example, to keep a site-wide
 1485: \fIsudoers\fR
 1486: file in addition to a local, per-machine file.
 1487: For the sake of this example the site-wide
 1488: \fIsudoers\fR
 1489: will be
 1490: \fI/etc/sudoers\fR
 1491: and the per-machine one will be
 1492: \fI/etc/sudoers.local\fR.
 1493: To include
 1494: \fI/etc/sudoers.local\fR
 1495: from within
 1496: \fI/etc/sudoers\fR
 1497: we would use the
 1498: following line in
 1499: \fI/etc/sudoers\fR:
 1500: .nf
 1501: .sp
 1502: .RS 4n
 1503: #include /etc/sudoers.local
 1504: .RE
 1505: .fi
 1506: .PP
 1507: When
 1508: \fBsudo\fR
 1509: reaches this line it will suspend processing of the current file
 1510: (\fI/etc/sudoers\fR)
 1511: and switch to
 1512: \fI/etc/sudoers.local\fR.
 1513: Upon reaching the end of
 1514: \fI/etc/sudoers.local\fR,
 1515: the rest of
 1516: \fI/etc/sudoers\fR
 1517: will be processed.
 1518: Files that are included may themselves include other files.
 1519: A hard limit of 128 nested include files is enforced to prevent include
 1520: file loops.
 1521: .PP
1522: If the path to the include file is not fully-qualified (does not
1523: begin with a
1524: `/'),
 1525: it must be located in the same directory as the sudoers file it was
 1526: included from.
 1527: For example, if
 1528: \fI/etc/sudoers\fR
 1529: contains the line:
 1530: .nf
 1531: .sp
 1532: .RS 4n
 1533: \fR#include sudoers.local\fR
 1534: .RE
 1535: .fi
 1536: .PP
 1537: the file that will be included is
 1538: \fI/etc/sudoers.local\fR.
 1539: .PP
 1540: The file name may also include the
 1541: \fR%h\fR
 1542: escape, signifying the short form of the host name.
 1543: In other words, if the machine's host name is
 1544: ``xerxes'',
 1545: then
 1546: .nf
 1547: .sp
 1548: .RS 4n
 1549: #include /etc/sudoers.%h
 1550: .RE
 1551: .fi
 1552: .PP
 1553: will cause
 1554: \fBsudo\fR
 1555: to include the file
 1556: \fI/etc/sudoers.xerxes\fR.
 1557: .PP
 1558: The
 1559: \fR#includedir\fR
 1560: directive can be used to create a
 1561: \fIsudo.d\fR
 1562: directory that the system package manager can drop
 1563: \fIsudoers\fR
 1564: rules
 1565: into as part of package installation.
 1566: For example, given:
 1567: .nf
 1568: .sp
 1569: .RS 4n
 1570: #includedir /etc/sudoers.d
 1571: .RE
 1572: .fi
 1573: .PP
 1574: \fBsudo\fR
 1575: will read each file in
 1576: \fI/etc/sudoers.d\fR,
 1577: skipping file names that end in
 1578: `~'
 1579: or contain a
 1580: `.\&'
 1581: character to avoid causing problems with package manager or editor
 1582: temporary/backup files.
 1583: Files are parsed in sorted lexical order.
 1584: That is,
 1585: \fI/etc/sudoers.d/01_first\fR
 1586: will be parsed before
 1587: \fI/etc/sudoers.d/10_second\fR.
 1588: Be aware that because the sorting is lexical, not numeric,
 1589: \fI/etc/sudoers.d/1_whoops\fR
 1590: would be loaded
 1591: \fBafter\fR
 1592: \fI/etc/sudoers.d/10_second\fR.
1593: Using a consistent number of leading zeroes in the file names
1594: avoids such problems.
 1595: .PP
 1596: Note that unlike files included via
 1597: \fR#include\fR,
 1598: \fBvisudo\fR
 1599: will not edit the files in a
 1600: \fR#includedir\fR
 1601: directory unless one of them contains a syntax error.
 1602: It is still possible to run
 1603: \fBvisudo\fR
 1604: with the
 1605: \fB\-f\fR
 1606: flag to edit the files directly.
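.PP
The following Python is an added example rather than sudo's own implementation. It resolves #include and #includedir directives against a constructed in-memory file system: a relative name is taken from the including file's directory, %h is replaced by the short host name, #includedir entries are filtered and sorted as described above, and the 128-file nesting limit stops an include loop. The FS dictionary and the host name xerxes.sudo.ws are assumed inputs.

```python
import posixpath

INCLUDE_LIMIT = 128  # sudo's hard limit on nested include files


def includedir_order(names):
    """Names from an #includedir directory in the order sudo reads them.

    Editor and package-manager leftovers (names ending in '~' or containing
    a '.') are skipped; the rest are sorted lexically, not numerically.
    """
    return sorted(n for n in names if not n.endswith("~") and "." not in n)


def expand_sudoers(path, fs, hostname, depth=0):
    """Return the lines sudo would parse, following #include and #includedir.

    fs is a dict mapping file paths to their text and directory paths to a
    list of entry names: a constructed stand-in for the real file system.
    """
    if depth > INCLUDE_LIMIT:
        raise RuntimeError(f"{path}: include nesting limit exceeded (include loop?)")
    short_host = hostname.split(".", 1)[0]  # %h is the short form of the host name
    out = []
    for line in fs[path].splitlines():
        parts = line.split(None, 1)
        directive = parts[0] if parts else ""
        if directive not in ("#include", "#includedir") or len(parts) < 2:
            out.append(line)
            continue
        target = parts[1].strip().replace("%h", short_host)
        if not target.startswith("/"):
            # a relative name is looked up in the directory of the including file
            target = posixpath.join(posixpath.dirname(path), target)
        if directive == "#include":
            out.extend(expand_sudoers(target, fs, hostname, depth + 1))
        else:
            for name in includedir_order(fs[target]):
                out.extend(expand_sudoers(posixpath.join(target, name), fs, hostname, depth + 1))
    return out


# Constructed file system; the rules inside are the examples from this manual.
FS = {
    "/etc/sudoers": ("Defaults env_reset\n"
                     "#include sudoers.local\n"
                     "#include /etc/sudoers.%h\n"
                     "#includedir /etc/sudoers.d\n"
                     "root ALL=(ALL) ALL\n"),
    "/etc/sudoers.local": "%wheel ALL=(ALL) ALL\n",
    "/etc/sudoers.xerxes": "alan ALL = (root, bin : operator, system) ALL\n",
    "/etc/sudoers.d": ["10_second", "01_first", "1_whoops", "README.txt", "01_first~"],
    "/etc/sudoers.d/01_first": "dgb boulder = (operator) /bin/ls\n",
    "/etc/sudoers.d/10_second": "ray rushmore = NOPASSWD: /bin/kill\n",
    "/etc/sudoers.d/1_whoops": "tcm boulder = (:dialer) /usr/bin/cu\n",
}

if __name__ == "__main__":
    for line in expand_sudoers("/etc/sudoers", FS, "xerxes.sudo.ws"):
        print(line)
```

Note that 1_whoops is read after 10_second, exactly the ordering pitfall the text warns about.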
 1607: .SS "Other special characters and reserved words"
 1608: The pound sign
 1609: (`#')
 1610: is used to indicate a comment (unless it is part of a #include
 1611: directive or unless it occurs in the context of a user name and is
 1612: followed by one or more digits, in which case it is treated as a
 1613: uid).
 1614: Both the comment character and any text after it, up to the end of
 1615: the line, are ignored.
 1616: .PP
 1617: The reserved word
 1618: \fBALL\fR
 1619: is a built-in
 1620: \fIalias\fR
 1621: that always causes a match to succeed.
 1622: It can be used wherever one might otherwise use a
 1623: \fRCmnd_Alias\fR,
 1624: \fRUser_Alias\fR,
 1625: \fRRunas_Alias\fR,
 1626: or
 1627: \fRHost_Alias\fR.
 1628: You should not try to define your own
 1629: \fIalias\fR
 1630: called
 1631: \fBALL\fR
 1632: as the built-in alias will be used in preference to your own.
 1633: Please note that using
 1634: \fBALL\fR
 1635: can be dangerous since in a command context, it allows the user to run
 1636: \fBany\fR
 1637: command on the system.
 1638: .PP
 1639: An exclamation point
 1640: (`\&!')
 1641: can be used as a logical
 1642: \fInot\fR
 1643: operator in a list or
 1644: \fIalias\fR
 1645: as well as in front of a
 1646: \fRCmnd\fR.
 1647: This allows one to exclude certain values.
 1648: For the
 1649: `\&!'
 1650: operator to be effective, there must be something for it to exclude.
 1651: For example, to match all users except for root one would use:
 1652: .nf
 1653: .sp
 1654: .RS 4n
 1655: ALL,!root
 1656: .RE
 1657: .fi
 1658: .PP
 1659: If the
 1660: \fBALL\fR,
 1661: is omitted, as in:
 1662: .nf
 1663: .sp
 1664: .RS 4n
 1665: !root
 1666: .RE
 1667: .fi
 1668: .PP
 1669: it would explicitly deny root but not match any other users.
 1670: This is different from a true
 1671: ``negation''
 1672: operator.
 1673: .PP
 1674: Note, however, that using a
 1675: `\&!'
 1676: in conjunction with the built-in
 1677: \fBALL\fR
 1678: alias to allow a user to run
 1679: ``all but a few''
 1680: commands rarely works as intended (see
 1681: \fISECURITY NOTES\fR
 1682: below).
 1683: .PP
 1684: Long lines can be continued with a backslash
 1685: (`\e')
 1686: as the last character on the line.
 1687: .PP
 1688: White space between elements in a list as well as special syntactic
 1689: characters in a
 1690: \fIUser Specification\fR
 1691: (`=\&',
 1692: `:\&',
 1693: `(\&',
 1694: `)\&')
 1695: is optional.
 1696: .PP
 1697: The following characters must be escaped with a backslash
 1698: (`\e')
 1699: when used as part of a word (e.g.\& a user name or host name):
 1700: `\&!',
 1701: `=\&',
 1702: `:\&',
 1703: `,\&',
 1704: `(\&',
 1705: `)\&',
 1706: `\e'.
 1707: .SH "SUDOERS OPTIONS"
 1708: \fBsudo\fR's
 1709: behavior can be modified by
 1710: \fRDefault_Entry\fR
 1711: lines, as explained earlier.
1712: A list of all supported Defaults parameters, grouped by type, is given below.
 1713: .PP
 1714: \fBBoolean Flags\fR:
 1715: .TP 18n
 1716: always_set_home
 1717: If enabled,
 1718: \fBsudo\fR
 1719: will set the
 1720: \fRHOME\fR
 1721: environment variable to the home directory of the target user
 1722: (which is root unless the
 1723: \fB\-u\fR
 1724: option is used).
 1725: This effectively means that the
 1726: \fB\-H\fR
 1727: option is always implied.
 1728: Note that
 1729: \fRHOME\fR
 1730: is already set when the
 1731: \fIenv_reset\fR
 1732: option is enabled, so
 1733: \fIalways_set_home\fR
 1734: is only effective for configurations where either
 1735: \fIenv_reset\fR
 1736: is disabled or
 1737: \fRHOME\fR
 1738: is present in the
 1739: \fIenv_keep\fR
 1740: list.
 1741: This flag is
 1742: \fIoff\fR
 1743: by default.
 1744: .TP 18n
 1745: authenticate
 1746: If set, users must authenticate themselves via a password (or other
 1747: means of authentication) before they may run commands.
 1748: This default may be overridden via the
 1749: \fRPASSWD\fR
 1750: and
 1751: \fRNOPASSWD\fR
 1752: tags.
 1753: This flag is
 1754: \fIon\fR
 1755: by default.
 1756: .TP 18n
 1757: closefrom_override
 1758: If set, the user may use
 1759: \fBsudo\fR's
 1760: \fB\-C\fR
 1761: option which overrides the default starting point at which
 1762: \fBsudo\fR
 1763: begins closing open file descriptors.
 1764: This flag is
 1765: \fIoff\fR
 1766: by default.
 1767: .TP 18n
 1768: compress_io
 1769: If set, and
 1770: \fBsudo\fR
 1771: is configured to log a command's input or output,
 1772: the I/O logs will be compressed using
 1773: \fBzlib\fR.
 1774: This flag is
 1775: \fIon\fR
 1776: by default when
 1777: \fBsudo\fR
 1778: is compiled with
 1779: \fBzlib\fR
 1780: support.
 1781: .TP 18n
 1782: exec_background
 1783: By default,
 1784: \fBsudo\fR
 1785: runs a command as the foreground process as long as
 1786: \fBsudo\fR
 1787: itself is running in the foreground.
 1788: When the
 1789: \fIexec_background\fR
 1790: flag is enabled and the command is being run in a pty (due to I/O logging
 1791: or the
 1792: \fIuse_pty\fR
 1793: flag), the command will be run as a background process.
 1794: Attempts to read from the controlling terminal (or to change terminal
 1795: settings) will result in the command being suspended with the
 1796: \fRSIGTTIN\fR
 1797: signal (or
 1798: \fRSIGTTOU\fR
 1799: in the case of terminal settings).
 1800: If this happens when
 1801: \fBsudo\fR
 1802: is a foreground process, the command will be granted the controlling terminal
 1803: and resumed in the foreground with no user intervention required.
 1804: The advantage of initially running the command in the background is that
 1805: \fBsudo\fR
 1806: need not read from the terminal unless the command explicitly requests it.
 1807: Otherwise, any terminal input must be passed to the command, whether it
 1808: has required it or not (the kernel buffers terminals so it is not possible
 1809: to tell whether the command really wants the input).
 1810: This is different from historic
 1811: \fIsudo\fR
 1812: behavior or when the command is not being run in a pty.
 1813: .sp
 1814: For this to work seamlessly, the operating system must support the
 1815: automatic restarting of system calls.
 1816: Unfortunately, not all operating systems do this by default,
 1817: and even those that do may have bugs.
 1818: For example, Mac OS X fails to restart the
 1819: \fBtcgetattr\fR()
 1820: and
 1821: \fBtcsetattr\fR()
 1822: system calls (this is a bug in Mac OS X).
 1823: Furthermore, because this behavior depends on the command stopping with the
 1824: \fRSIGTTIN\fR
 1825: or
 1826: \fRSIGTTOU\fR
 1827: signals, programs that catch these signals and suspend themselves
 1828: with a different signal (usually
1829: \fRSIGSTOP\fR)
1830: will not be automatically foregrounded.
1831: Some versions of the Linux
 1832: su(1)
 1833: command behave this way.
 1834: .sp
 1835: This setting is only supported by version 1.8.7 or higher.
 1836: It has no effect unless I/O logging is enabled or the
 1837: \fIuse_pty\fR
 1838: flag is enabled.
 1839: .TP 18n
 1840: env_editor
 1841: If set,
 1842: \fBvisudo\fR
 1843: will use the value of the
 1844: \fREDITOR\fR
 1845: or
 1846: \fRVISUAL\fR
 1847: environment variables before falling back on the default editor list.
 1848: Note that this may create a security hole as it allows the user to
 1849: run any arbitrary command as root without logging.
 1850: A safer alternative is to place a colon-separated list of editors
 1851: in the
 1852: \fReditor\fR
 1853: variable.
 1854: \fBvisudo\fR
 1855: will then only use the
 1856: \fREDITOR\fR
 1857: or
 1858: \fRVISUAL\fR
 1859: if they match a value specified in
 1860: \fReditor\fR.
 1861: This flag is
 1862: \fI@env_editor@\fR
 1863: by
 1864: default.
 1865: .TP 18n
 1866: env_reset
 1867: If set,
 1868: \fBsudo\fR
 1869: will run the command in a minimal environment containing the
 1870: \fRTERM\fR,
 1871: \fRPATH\fR,
 1872: \fRHOME\fR,
 1873: \fRMAIL\fR,
 1874: \fRSHELL\fR,
 1875: \fRLOGNAME\fR,
 1876: \fRUSER\fR,
 1877: \fRUSERNAME\fR
 1878: and
 1879: \fRSUDO_*\fR
 1880: variables.
 1881: Any
 1882: variables in the caller's environment that match the
 1883: \fRenv_keep\fR
 1884: and
 1885: \fRenv_check\fR
 1886: lists are then added, followed by any variables present in the file
 1887: specified by the
 1888: \fIenv_file\fR
 1889: option (if any).
 1890: The default contents of the
 1891: \fRenv_keep\fR
 1892: and
 1893: \fRenv_check\fR
 1894: lists are displayed when
 1895: \fBsudo\fR
 1896: is run by root with the
 1897: \fB\-V\fR
 1898: option.
 1899: If the
 1900: \fIsecure_path\fR
 1901: option is set, its value will be used for the
 1902: \fRPATH\fR
 1903: environment variable.
 1904: This flag is
 1905: \fI@env_reset@\fR
 1906: by default.
 1907: .TP 18n
 1908: fast_glob
 1909: Normally,
 1910: \fBsudo\fR
 1911: uses the
 1912: glob(3)
 1913: function to do shell-style globbing when matching path names.
 1914: However, since it accesses the file system,
 1915: glob(3)
 1916: can take a long time to complete for some patterns, especially
 1917: when the pattern references a network file system that is mounted
 1918: on demand (auto mounted).
 1919: The
 1920: \fIfast_glob\fR
 1921: option causes
 1922: \fBsudo\fR
 1923: to use the
 1924: fnmatch(3)
 1925: function, which does not access the file system to do its matching.
 1926: The disadvantage of
 1927: \fIfast_glob\fR
 1928: is that it is unable to match relative path names such as
 1929: \fI./ls\fR
 1930: or
 1931: \fI../bin/ls\fR.
 1932: This has security implications when path names that include globbing
 1933: characters are used with the negation operator,
 1934: `!\&',
 1935: as such rules can be trivially bypassed.
 1936: As such, this option should not be used when
 1937: \fIsudoers\fR
 1938: contains rules that contain negated path names which include globbing
 1939: characters.
 1940: This flag is
 1941: \fIoff\fR
 1942: by default.
 1943: .TP 18n
 1944: fqdn
 1945: Set this flag if you want to put fully qualified host names in the
 1946: \fIsudoers\fR
 1947: file when the local host name (as returned by the
 1948: \fRhostname\fR
 1949: command) does not contain the domain name.
 1950: In other words, instead of myhost you would use myhost.mydomain.edu.
 1951: You may still use the short form if you wish (and even mix the two).
 1952: This option is only effective when the
 1953: ``canonical''
 1954: host name, as returned by the
 1955: \fBgetaddrinfo\fR()
 1956: or
 1957: \fBgethostbyname\fR()
 1958: function, is a fully-qualified domain name.
 1959: This is usually the case when the system is configured to use DNS
 1960: for host name resolution.
 1961: .sp
 1962: If the system is configured to use the
 1963: \fI/etc/hosts\fR
 1964: file in preference to DNS, the
 1965: ``canonical''
 1966: host name may not be fully-qualified.
1967: The order that sources are queried for host name resolution
 1968: is usually specified in the
 1969: \fI@nsswitch_conf@\fR,
 1970: \fI@netsvc_conf@\fR,
 1971: \fI/etc/host.conf\fR,
 1972: or, in some cases,
 1973: \fI/etc/resolv.conf\fR
 1974: file.
 1975: In the
 1976: \fI/etc/hosts\fR
 1977: file, the first host name of the entry is considered to be the
 1978: ``canonical''
 1979: name; subsequent names are aliases that are not used by
 1980: \fBsudoers\fR.
 1981: For example, the following hosts file line for the machine
 1982: ``xyzzy''
 1983: has the fully-qualified domain name as the
 1984: ``canonical''
 1985: host name, and the short version as an alias.
 1986: .sp
 1987: .RS 6n
 1988: 192.168.1.1	xyzzy.sudo.ws xyzzy
 1989: .RE
 1990: .sp
 1991: If the machine's hosts file entry is not formatted properly, the
 1992: \fIfqdn\fR
 1993: option will not be effective if it is queried before DNS.
 1994: .sp
 1995: Beware that when using DNS for host name resolution, turning on
 1996: \fIfqdn\fR
 1997: requires
 1998: \fBsudoers\fR
 1999: to make DNS lookups which renders
 2000: \fBsudo\fR
 2001: unusable if DNS stops working (for example if the machine is disconnected
 2002: from the network).
 2003: Also note that just like with the hosts file, you must use the
 2004: ``canonical''
 2005: name as DNS knows it.
 2006: That is, you may not use a host alias
 2007: (\fRCNAME\fR
 2008: entry)
 2009: due to performance issues and the fact that there is no way to get all
 2010: aliases from DNS.
 2011: .sp
 2012: This flag is
 2013: \fI@fqdn@\fR
 2014: by default.
 2015: .TP 18n
 2016: ignore_dot
 2017: If set,
 2018: \fBsudo\fR
 2019: will ignore "." or "" (both denoting current directory) in the
 2020: \fRPATH\fR
 2021: environment variable; the
 2022: \fRPATH\fR
 2023: itself is not modified.
 2024: This flag is
 2025: \fI@ignore_dot@\fR
 2026: by default.
 2027: .TP 18n
 2028: ignore_local_sudoers
 2029: If set via LDAP, parsing of
 2030: \fI@sysconfdir@/sudoers\fR
 2031: will be skipped.
2032: This is intended for enterprises that wish to prevent the usage of local
 2033: sudoers files so that only LDAP is used.
 2034: This thwarts the efforts of rogue operators who would attempt to add roles to
 2035: \fI@sysconfdir@/sudoers\fR.
 2036: When this option is present,
 2037: \fI@sysconfdir@/sudoers\fR
 2038: does not even need to exist.
 2039: Since this option tells
 2040: \fBsudo\fR
 2041: how to behave when no specific LDAP entries have been matched, this
 2042: sudoOption is only meaningful for the
 2043: \fRcn=defaults\fR
 2044: section.
 2045: This flag is
 2046: \fIoff\fR
 2047: by default.
 2048: .TP 18n
 2049: insults
 2050: If set,
 2051: \fBsudo\fR
 2052: will insult users when they enter an incorrect password.
 2053: This flag is
 2054: \fI@insults@\fR
 2055: by default.
 2056: .TP 18n
 2057: log_host
 2058: If set, the host name will be logged in the (non-syslog)
 2059: \fBsudo\fR
 2060: log file.
 2061: This flag is
 2062: \fIoff\fR
 2063: by default.
 2064: .TP 18n
 2065: log_input
 2066: If set,
 2067: \fBsudo\fR
 2068: will run the command in a
 2069: \fIpseudo tty\fR
 2070: and log all user input.
 2071: If the standard input is not connected to the user's tty, due to
 2072: I/O redirection or because the command is part of a pipeline, that
 2073: input is also captured and stored in a separate log file.
 2074: .sp
 2075: Input is logged to the directory specified by the
 2076: \fIiolog_dir\fR
 2077: option
 2078: (\fI@iolog_dir@\fR
 2079: by default)
 2080: using a unique session ID that is included in the normal
 2081: \fBsudo\fR
 2082: log line, prefixed with
 2083: ``\fRTSID=\fR''.
 2084: The
 2085: \fIiolog_file\fR
 2086: option may be used to control the format of the session ID.
 2087: .sp
 2088: Note that user input may contain sensitive information such as
 2089: passwords (even if they are not echoed to the screen), which will
 2090: be stored in the log file unencrypted.
 2091: In most cases, logging the command output via
 2092: \fIlog_output\fR
 2093: is all that is required.
 2094: .TP 18n
 2095: log_output
 2096: If set,
 2097: \fBsudo\fR
 2098: will run the command in a
 2099: \fIpseudo tty\fR
 2100: and log all output that is sent to the screen, similar to the
 2101: script(1)
 2102: command.
 2103: If the standard output or standard error is not connected to the
 2104: user's tty, due to I/O redirection or because the command is part
 2105: of a pipeline, that output is also captured and stored in separate
 2106: log files.
 2107: .sp
 2108: Output is logged to the directory specified by the
 2109: \fIiolog_dir\fR
 2110: option
 2111: (\fI@iolog_dir@\fR
 2112: by default)
 2113: using a unique session ID that is included in the normal
 2114: \fBsudo\fR
 2115: log line, prefixed with
 2116: ``\fRTSID=\fR''.
 2117: The
 2118: \fIiolog_file\fR
 2119: option may be used to control the format of the session ID.
 2120: .sp
 2121: Output logs may be viewed with the
 2122: sudoreplay(@mansectsu@)
 2123: utility, which can also be used to list or search the available logs.
 2124: .TP 18n
 2125: log_year
 2126: If set, the four-digit year will be logged in the (non-syslog)
 2127: \fBsudo\fR
 2128: log file.
 2129: This flag is
 2130: \fIoff\fR
 2131: by default.
 2132: .TP 18n
 2133: long_otp_prompt
 2134: When validating with a One Time Password (OTP) scheme such as
 2135: \fBS/Key\fR
 2136: or
 2137: \fBOPIE\fR,
 2138: a two-line prompt is used to make it easier
 2139: to cut and paste the challenge to a local window.
 2140: It's not as pretty as the default but some people find it more convenient.
 2141: This flag is
 2142: \fI@long_otp_prompt@\fR
 2143: by default.
 2144: .TP 18n
 2145: mail_always
 2146: Send mail to the
 2147: \fImailto\fR
2148: user every time a user runs
 2149: \fBsudo\fR.
 2150: This flag is
 2151: \fIoff\fR
 2152: by default.
 2153: .TP 18n
 2154: mail_badpass
 2155: Send mail to the
 2156: \fImailto\fR
 2157: user if the user running
 2158: \fBsudo\fR
 2159: does not enter the correct password.
 2160: If the command the user is attempting to run is not permitted by
 2161: \fIsudoers\fR
 2162: and one of the
 2163: \fImail_always\fR,
 2164: \fImail_no_host\fR,
 2165: \fImail_no_perms\fR
 2166: or
 2167: \fImail_no_user\fR
 2168: flags are set, this flag will have no effect.
 2169: This flag is
 2170: \fIoff\fR
 2171: by default.
 2172: .TP 18n
 2173: mail_no_host
 2174: If set, mail will be sent to the
 2175: \fImailto\fR
 2176: user if the invoking user exists in the
 2177: \fIsudoers\fR
 2178: file, but is not allowed to run commands on the current host.
 2179: This flag is
 2180: \fI@mail_no_host@\fR
 2181: by default.
 2182: .TP 18n
 2183: mail_no_perms
 2184: If set, mail will be sent to the
 2185: \fImailto\fR
 2186: user if the invoking user is allowed to use
 2187: \fBsudo\fR
 2188: but the command they are trying is not listed in their
 2189: \fIsudoers\fR
 2190: file entry or is explicitly denied.
 2191: This flag is
 2192: \fI@mail_no_perms@\fR
 2193: by default.
 2194: .TP 18n
 2195: mail_no_user
 2196: If set, mail will be sent to the
 2197: \fImailto\fR
 2198: user if the invoking user is not in the
 2199: \fIsudoers\fR
 2200: file.
 2201: This flag is
 2202: \fI@mail_no_user@\fR
 2203: by default.
 2204: .TP 18n
 2205: noexec
 2206: If set, all commands run via
 2207: \fBsudo\fR
 2208: will behave as if the
 2209: \fRNOEXEC\fR
 2210: tag has been set, unless overridden by a
 2211: \fREXEC\fR
 2212: tag.
 2213: See the description of
 2214: \fINOEXEC and EXEC\fR
 2215: below as well as the
 2216: \fIPreventing shell escapes\fR
 2217: section at the end of this manual.
 2218: This flag is
 2219: \fIoff\fR
 2220: by default.
 2221: .TP 18n
 2222: pam_session
 2223: On systems that use PAM for authentication,
 2224: \fBsudo\fR
 2225: will create a new PAM session for the command to be run in.
 2226: Disabling
 2227: \fIpam_session\fR
 2228: may be needed on older PAM implementations or on operating systems where
 2229: opening a PAM session changes the utmp or wtmp files.
 2230: If PAM session support is disabled, resource limits may not be updated
 2231: for the command being run.
 2232: If
 2233: \fIpam_session\fR,
 2234: \fIpam_setcred\fR,
 2235: and
 2236: \fIuse_pty\fR
 2237: are disabled and I/O logging has not been configured,
 2238: \fBsudo\fR
 2239: will execute the command directly instead of running it as a child
 2240: process.
 2241: This flag is
 2242: \fI@pam_session@\fR
 2243: by default.
 2244: .sp
 2245: This setting is only supported by version 1.8.7 or higher.
 2246: .TP 18n
 2247: pam_setcred
 2248: On systems that use PAM for authentication,
 2249: \fBsudo\fR
 2250: will attempt to establish credentials for the target user by default,
 2251: if supported by the underlying authentication system.
 2252: One example of a credential is a Kerberos ticket.
 2253: If
 2254: \fIpam_session\fR,
 2255: \fIpam_setcred\fR,
 2256: and
 2257: \fIuse_pty\fR
 2258: are disabled and I/O logging has not been configured,
 2259: \fBsudo\fR
 2260: will execute the command directly instead of running it as a child
 2261: process.
 2262: This flag is
 2263: \fIon\fR
 2264: by default.
 2265: .sp
 2266: This setting is only supported by version 1.8.8 or higher.
 2267: .TP 18n
 2268: passprompt_override
 2269: The password prompt specified by
 2270: \fIpassprompt\fR
 2271: will normally only be used if the password prompt provided by systems
 2272: such as PAM matches the string
 2273: ``Password:''.
 2274: If
 2275: \fIpassprompt_override\fR
 2276: is set,
 2277: \fIpassprompt\fR
 2278: will always be used.
 2279: This flag is
 2280: \fIoff\fR
 2281: by default.
 2282: .TP 18n
 2283: path_info
 2284: Normally,
 2285: \fBsudo\fR
 2286: will tell the user when a command could not be
 2287: found in their
 2288: \fRPATH\fR
 2289: environment variable.
 2290: Some sites may wish to disable this as it could be used to gather
 2291: information on the location of executables that the normal user does
 2292: not have access to.
 2293: The disadvantage is that if the executable is simply not in the user's
 2294: \fRPATH\fR,
 2295: \fBsudo\fR
 2296: will tell the user that they are not allowed to run it, which can be confusing.
 2297: This flag is
 2298: \fI@path_info@\fR
 2299: by default.
 2300: .TP 18n
 2301: preserve_groups
 2302: By default,
 2303: \fBsudo\fR
 2304: will initialize the group vector to the list of groups the target user is in.
 2305: When
 2306: \fIpreserve_groups\fR
 2307: is set, the user's existing group vector is left unaltered.
 2308: The real and effective group IDs, however, are still set to match the
 2309: target user.
 2310: This flag is
 2311: \fIoff\fR
 2312: by default.
 2313: .TP 18n
 2314: pwfeedback
 2315: By default,
 2316: \fBsudo\fR
 2317: reads the password like most other Unix programs,
 2318: by turning off echo until the user hits the return (or enter) key.
 2319: Some users become confused by this as it appears to them that
 2320: \fBsudo\fR
 2321: has hung at this point.
 2322: When
 2323: \fIpwfeedback\fR
 2324: is set,
 2325: \fBsudo\fR
 2326: will provide visual feedback when the user presses a key.
 2327: Note that this does have a security impact as an onlooker may be able to
 2328: determine the length of the password being entered.
 2329: This flag is
 2330: \fIoff\fR
 2331: by default.
 2332: .TP 18n
 2333: requiretty
 2334: If set,
 2335: \fBsudo\fR
 2336: will only run when the user is logged in to a real tty.
 2337: When this flag is set,
 2338: \fBsudo\fR
 2339: can only be run from a login session and not via other means such as
 2340: cron(@mansectsu@)
 2341: or cgi-bin scripts.
 2342: This flag is
 2343: \fIoff\fR
 2344: by default.
 2345: .TP 18n
 2346: root_sudo
 2347: If set, root is allowed to run
 2348: \fBsudo\fR
 2349: too.
 2350: Disabling this prevents users from
 2351: ``chaining''
 2352: \fBsudo\fR
 2353: commands to get a root shell by doing something like
 2354: ``\fRsudo sudo /bin/sh\fR''.
 2355: Note, however, that turning off
 2356: \fIroot_sudo\fR
 2357: will also prevent root from running
 2358: \fBsudoedit\fR.
 2359: Disabling
 2360: \fIroot_sudo\fR
 2361: provides no real additional security; it exists purely for historical reasons.
 2362: This flag is
 2363: \fI@root_sudo@\fR
 2364: by default.
 2365: .TP 18n
 2366: rootpw
 2367: If set,
 2368: \fBsudo\fR
 2369: will prompt for the root password instead of the password of the invoking user.
 2370: This flag is
 2371: \fIoff\fR
 2372: by default.
 2373: .TP 18n
 2374: runaspw
 2375: If set,
 2376: \fBsudo\fR
 2377: will prompt for the password of the user defined by the
 2378: \fIrunas_default\fR
 2379: option (defaults to
 2380: \fR@runas_default@\fR)
 2381: instead of the password of the invoking user.
 2382: This flag is
 2383: \fIoff\fR
 2384: by default.
 2385: .TP 18n
 2386: set_home
 2387: If enabled and
 2388: \fBsudo\fR
 2389: is invoked with the
 2390: \fB\-s\fR
 2391: option the
 2392: \fRHOME\fR
 2393: environment variable will be set to the home directory of the target
 2394: user (which is root unless the
 2395: \fB\-u\fR
 2396: option is used).
 2397: This effectively makes the
 2398: \fB\-s\fR
 2399: option imply
 2400: \fB\-H\fR.
 2401: Note that
 2402: \fRHOME\fR
 2403: is already set when the
 2404: \fIenv_reset\fR
 2405: option is enabled, so
 2406: \fIset_home\fR
 2407: is only effective for configurations where either
 2408: \fIenv_reset\fR
 2409: is disabled
 2410: or
 2411: \fRHOME\fR
 2412: is present in the
 2413: \fIenv_keep\fR
 2414: list.
 2415: This flag is
 2416: \fIoff\fR
 2417: by default.
 2418: .TP 18n
 2419: set_logname
 2420: Normally,
 2421: \fBsudo\fR
 2422: will set the
 2423: \fRLOGNAME\fR,
 2424: \fRUSER\fR
 2425: and
 2426: \fRUSERNAME\fR
 2427: environment variables to the name of the target user (usually root unless the
 2428: \fB\-u\fR
 2429: option is given).
 2430: However, since some programs (including the RCS revision control system) use
 2431: \fRLOGNAME\fR
 2432: to determine the real identity of the user, it may be desirable to
 2433: change this behavior.
 2434: This can be done by negating the set_logname option.
 2435: Note that if the
 2436: \fIenv_reset\fR
 2437: option has not been disabled, entries in the
 2438: \fIenv_keep\fR
 2439: list will override the value of
 2440: \fIset_logname\fR.
 2441: This flag is
 2442: \fIon\fR
 2443: by default.
 2444: .TP 18n
 2445: set_utmp
 2446: When enabled,
 2447: \fBsudo\fR
 2448: will create an entry in the utmp (or utmpx) file when a pseudo-tty
 2449: is allocated.
 2450: A pseudo-tty is allocated by
 2451: \fBsudo\fR
 2452: when the
 2453: \fIlog_input\fR,
 2454: \fIlog_output\fR
 2455: or
 2456: \fIuse_pty\fR
 2457: flags are enabled.
 2458: By default, the new entry will be a copy of the user's existing utmp
 2459: entry (if any), with the tty, time, type and pid fields updated.
 2460: This flag is
 2461: \fIon\fR
 2462: by default.
 2463: .TP 18n
 2464: setenv
 2465: Allow the user to disable the
 2466: \fIenv_reset\fR
 2467: option from the command line via the
 2468: \fB\-E\fR
 2469: option.
 2470: Additionally, environment variables set via the command line are
 2471: not subject to the restrictions imposed by
 2472: \fIenv_check\fR,
 2473: \fIenv_delete\fR,
 2474: or
 2475: \fIenv_keep\fR.
 2476: As such, only trusted users should be allowed to set variables in this manner.
 2477: This flag is
 2478: \fIoff\fR
 2479: by default.
 2480: .TP 18n
 2481: shell_noargs
 2482: If set and
 2483: \fBsudo\fR
 2484: is invoked with no arguments it acts as if the
 2485: \fB\-s\fR
 2486: option had been given.
 2487: That is, it runs a shell as root (the shell is determined by the
 2488: \fRSHELL\fR
 2489: environment variable if it is set, falling back on the shell listed
 2490: in the invoking user's /etc/passwd entry if not).
 2491: This flag is
 2492: \fIoff\fR
 2493: by default.
 2494: .TP 18n
 2495: stay_setuid
 2496: Normally, when
 2497: \fBsudo\fR
 2498: executes a command the real and effective UIDs are set to the target
 2499: user (root by default).
 2500: This option changes that behavior such that the real UID is left
 2501: as the invoking user's UID.
 2502: In other words, this makes
 2503: \fBsudo\fR
 2504: act as a setuid wrapper.
 2505: This can be useful on systems that disable some potentially
 2506: dangerous functionality when a program is run setuid.
 2507: This option is only effective on systems that support either the
 2508: setreuid(2)
 2509: or
 2510: setresuid(2)
 2511: system call.
 2512: This flag is
 2513: \fIoff\fR
 2514: by default.
 2515: .TP 18n
 2516: targetpw
 2517: If set,
 2518: \fBsudo\fR
 2519: will prompt for the password of the user specified
 2520: by the
 2521: \fB\-u\fR
 2522: option (defaults to
 2523: \fRroot\fR)
 2524: instead of the password of the invoking user.
 2525: In addition, the time stamp file name will include the target user's name.
 2526: Note that this flag precludes the use of a uid not listed in the passwd
 2527: database as an argument to the
 2528: \fB\-u\fR
 2529: option.
 2530: This flag is
 2531: \fIoff\fR
 2532: by default.
 2533: .TP 18n
 2534: tty_tickets
 2535: If set, users must authenticate on a per-tty basis.
 2536: With this flag enabled,
 2537: \fBsudo\fR
 2538: will use a file named for the tty the user is
 2539: logged in on in the user's time stamp directory.
 2540: If disabled, the time stamp of the directory is used instead.
 2541: This flag is
 2542: \fI@tty_tickets@\fR
 2543: by default.
 2544: .TP 18n
 2545: umask_override
 2546: If set,
 2547: \fBsudo\fR
 2548: will set the umask as specified by
 2549: \fIsudoers\fR
 2550: without modification.
 2551: This makes it possible to specify a more permissive umask in
 2552: \fIsudoers\fR
 2553: than the user's own umask and matches historical behavior.
 2554: If
 2555: \fIumask_override\fR
 2556: is not set,
 2557: \fBsudo\fR
 2558: will set the umask to be the union of the user's umask and what is specified in
 2559: \fIsudoers\fR.
 2560: This flag is
 2561: \fI@umask_override@\fR
 2562: by default.
 2563: .TP 18n
 2564: use_loginclass
 2565: If set,
 2566: \fBsudo\fR
 2567: will apply the defaults specified for the target user's login class
 2568: if one exists.
 2569: Only available if
 2570: \fBsudo\fR
 2571: is configured with the
 2572: \fR--with-logincap\fR
 2573: option.
 2574: This flag is
 2575: \fIoff\fR
 2576: by default.
 2577: .TP 18n
 2578: use_pty
 2579: If set,
 2580: \fBsudo\fR
 2581: will run the command in a pseudo-tty even if no I/O logging is being done.
 2582: A malicious program run under
 2583: \fBsudo\fR
 2584: could conceivably fork a background process that retains access to the user's
 2585: terminal device after the main program has finished executing.
 2586: Use of this option will make that impossible.
 2587: This flag is
 2588: \fIoff\fR
 2589: by default.
 2590: .TP 18n
 2591: utmp_runas
 2592: If set,
 2593: \fBsudo\fR
 2594: will store the name of the runas user when updating the utmp (or utmpx) file.
 2595: By default,
 2596: \fBsudo\fR
 2597: stores the name of the invoking user.
 2598: This flag is
 2599: \fIoff\fR
 2600: by default.
 2601: .TP 18n
 2602: visiblepw
 2603: By default,
 2604: \fBsudo\fR
 2605: will refuse to run if the user must enter a password but it is not
 2606: possible to disable echo on the terminal.
 2607: If the
 2608: \fIvisiblepw\fR
 2609: flag is set,
 2610: \fBsudo\fR
 2611: will prompt for a password even when it would be visible on the screen.
 2612: This makes it possible to run things like
 2613: ``\fRssh somehost sudo ls\fR''
 2614: since by default,
 2615: ssh(1)
 2616: does
 2617: not allocate a tty when running a command.
 2618: This flag is
 2619: \fIoff\fR
 2620: by default.
 2621: .PP
 2622: \fBIntegers\fR:
 2623: .TP 18n
 2624: closefrom
 2625: Before it executes a command,
 2626: \fBsudo\fR
 2627: will close all open file descriptors other than standard input,
 2628: standard output and standard error (i.e., file descriptors 0-2).
 2629: The
 2630: \fIclosefrom\fR
 2631: option can be used to specify a different file descriptor at which
 2632: to start closing.
 2633: The default is
 2634: \fR3\fR.
 2635: .TP 18n
 2636: passwd_tries
 2637: The number of tries a user gets to enter his/her password before
 2638: \fBsudo\fR
 2639: logs the failure and exits.
 2640: The default is
 2641: \fR@passwd_tries@\fR.
 2642: .PP
 2643: \fBIntegers that can be used in a boolean context\fR:
 2644: .TP 18n
 2645: loglinelen
 2646: Number of characters per line for the file log.
 2647: This value is used to decide when to wrap lines for nicer log files.
 2648: This has no effect on the syslog log file, only the file log.
 2649: The default is
 2650: \fR@loglen@\fR
 2651: (use 0 or negate the option to disable word wrap).
 2652: .TP 18n
 2653: passwd_timeout
 2654: Number of minutes before the
 2655: \fBsudo\fR
 2656: password prompt times out, or
 2657: \fR0\fR
 2658: for no timeout.
 2659: The timeout may include a fractional component
 2660: if minute granularity is insufficient, for example
 2661: \fR2.5\fR.
 2662: The
 2663: default is
 2664: \fR@password_timeout@\fR.
 2665: .TP 18n
 2666: timestamp_timeout
 2667: .br
 2668: Number of minutes that can elapse before
 2669: \fBsudo\fR
 2670: will ask for a password again.
 2671: The timeout may include a fractional component if
 2672: minute granularity is insufficient, for example
 2673: \fR2.5\fR.
 2674: The default is
 2675: \fR@timeout@\fR.
 2676: Set this to
 2677: \fR0\fR
 2678: to always prompt for a password.
 2679: If set to a value less than
 2680: \fR0\fR
 2681: the user's time stamp will never expire.
 2682: This can be used to allow users to create or delete their own time stamps via
 2683: ``\fRsudo -v\fR''
 2684: and
 2685: ``\fRsudo -k\fR''
 2686: respectively.
 2687: .TP 18n
 2688: umask
 2689: Umask to use when running the command.
 2690: Negate this option or set it to 0777 to preserve the user's umask.
 2691: The actual umask that is used will be the union of the user's umask
 2692: and the value of the
 2693: \fIumask\fR
 2694: option, which defaults to
 2695: \fR@sudo_umask@\fR.
 2696: This guarantees
 2697: that
 2698: \fBsudo\fR
 2699: never lowers the umask when running a command.
 2700: Note: on systems that use PAM, the default PAM configuration may specify
 2701: its own umask which will override the value set in
 2702: \fIsudoers\fR.
 2703: .PP
 2704: \fBStrings\fR:
 2705: .TP 18n
 2706: badpass_message
 2707: Message that is displayed if a user enters an incorrect password.
 2708: The default is
 2709: \fR@badpass_message@\fR
 2710: unless insults are enabled.
 2711: .TP 18n
 2712: editor
 2713: A colon
 2714: (`:\&')
 2715: separated list of editors allowed to be used with
 2716: \fBvisudo\fR.
 2717: \fBvisudo\fR
 2718: will choose the editor that matches the user's
 2719: \fREDITOR\fR
 2720: environment variable if possible, or the first editor in the
 2721: list that exists and is executable.
 2722: The default is
 2723: \fI@editor@\fR.
 2724: .TP 18n
 2725: iolog_dir
 2726: The top-level directory to use when constructing the path name for
 2727: the input/output log directory.
 2728: Only used if the
 2729: \fIlog_input\fR
 2730: or
 2731: \fIlog_output\fR
 2732: options are enabled or when the
 2733: \fRLOG_INPUT\fR
 2734: or
 2735: \fRLOG_OUTPUT\fR
 2736: tags are present for a command.
 2737: The session sequence number, if any, is stored in the directory.
 2738: The default is
 2739: \fI@iolog_dir@\fR.
 2740: .sp
 2741: The following percent
 2742: (`%')
 2743: escape sequences are supported:
 2744: .RS
 2745: .TP 6n
 2746: \fR%{seq}\fR
 2747: expanded to a monotonically increasing base-36 sequence number, such as 0100A5,
 2748: where every two digits are used to form a new directory, e.g.\&
 2749: \fI01/00/A5\fR
 2750: .TP 6n
 2751: \fR%{user}\fR
 2752: expanded to the invoking user's login name
 2753: .TP 6n
 2754: \fR%{group}\fR
 2755: expanded to the name of the invoking user's real group ID
 2756: .TP 6n
 2757: \fR%{runas_user}\fR
 2758: expanded to the login name of the user the command will
 2759: be run as (e.g.\& root)
 2760: .TP 6n
 2761: \fR%{runas_group}\fR
 2762: expanded to the group name of the user the command will
 2763: be run as (e.g.\& wheel)
 2764: .TP 6n
 2765: \fR%{hostname}\fR
 2766: expanded to the local host name without the domain name
 2767: .TP 6n
 2768: \fR%{command}\fR
 2769: expanded to the base name of the command being run
 2770: .PP
 2771: In addition, any escape sequences supported by the system's
 2772: strftime(3)
 2773: function will be expanded.
 2774: .sp
 2775: To include a literal
 2776: `%'
 2777: character, the string
 2778: `%%'
 2779: should be used.
 2780: .PP
 2781: .RE
 2782: .PD 0
 2783: .TP 18n
 2784: iolog_file
 2785: The path name, relative to
 2786: \fIiolog_dir\fR,
 2787: in which to store input/output logs when the
 2788: \fIlog_input\fR
 2789: or
 2790: \fIlog_output\fR
 2791: options are enabled or when the
 2792: \fRLOG_INPUT\fR
 2793: or
 2794: \fRLOG_OUTPUT\fR
 2795: tags are present for a command.
 2796: Note that
 2797: \fIiolog_file\fR
 2798: may contain directory components.
 2799: The default is
 2800: ``\fR%{seq}\fR''.
 2801: .sp
 2802: See the
 2803: \fIiolog_dir\fR
 2804: option above for a list of supported percent
 2805: (`%')
 2806: escape sequences.
 2807: .sp
 2808: In addition to the escape sequences, path names that end in six or
 2809: more
 2810: \fRX\fRs
 2811: will have the
 2812: \fRX\fRs
 2813: replaced with a unique combination of digits and letters, similar to the
 2814: mktemp(3)
 2815: function.
 2816: .sp
 2817: If the path created by concatenating
 2818: \fIiolog_dir\fR
 2819: and
 2820: \fIiolog_file\fR
 2821: already exists, the existing I/O log file will be truncated and
 2822: overwritten unless
 2823: \fIiolog_file\fR
 2824: ends in six or
 2825: more
 2826: \fRX\fRs.
 2827: .PD
 2828: .TP 18n
 2829: limitprivs
 2830: The default Solaris limit privileges to use when constructing a new
 2831: privilege set for a command.
 2832: This bounds all privileges of the executing process.
 2833: The default limit privileges may be overridden on a per-command basis in
 2834: \fIsudoers\fR.
 2835: This option is only available if
 2836: \fBsudoers\fR
 2837: is built on Solaris 10 or higher.
 2838: .TP 18n
 2839: mailsub
 2840: Subject of the mail sent to the
 2841: \fImailto\fR
 2842: user.
 2843: The escape
 2844: \fR%h\fR
 2845: will expand to the host name of the machine.
 2846: Default is
 2847: ``\fR@mailsub@\fR''.
 2848: .TP 18n
 2849: maxseq
 2850: The maximum sequence number that will be substituted for the
 2851: ``\fR%{seq}\fR''
 2852: escape in the I/O log file (see the
 2853: \fIiolog_dir\fR
 2854: description above for more information).
 2855: While the value substituted for
 2856: ``\fR%{seq}\fR''
 2857: is in base 36,
 2858: \fImaxseq\fR
 2859: itself should be expressed in decimal.
 2860: Values larger than 2176782336 (which corresponds to the
 2861: base 36 sequence number
 2862: ``ZZZZZZ'')
 2863: will be silently truncated to 2176782336.
 2864: The default value is 2176782336.
 2865: .sp
 2866: Once the local sequence number reaches the value of
 2867: \fImaxseq\fR,
 2868: it will
 2869: ``roll over''
 2870: to zero, after which
 2871: \fBsudoers\fR
 2872: will truncate and re-use any existing I/O log pathnames.
 2873: .sp
 2874: This setting is only supported by version 1.8.7 or higher.
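The way iolog_dir, iolog_file and maxseq described above combine into an I/O log path, as an added example that is not sudo's own code. The roll-over boundary, the alphabet used for the XXXXXX suffix and the use of UTC when expanding strftime(3) escapes are assumptions made to match the text:

```python
# Added example, not sudo's implementation: builds an I/O log path from the
# sudoers iolog_dir, iolog_file and maxseq settings as the manual describes.
# Assumptions: the counter rolls over to zero when it reaches maxseq, the
# XXXXXX suffix alphabet is [0-9A-Za-z], and times are expanded in UTC.
import random
import time

BASE36 = "0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ"
ALNUM = BASE36 + "abcdefghijklmnopqrstuvwxyz"
MAXSEQ_CAP = 2176782336   # the manual's upper bound for maxseq (base-36 ZZZZZZ)


def seq_to_base36(seq):
    """Render the decimal sequence counter as six base-36 digits,
    e.g. 1679981 -> '0100A5'."""
    digits = ""
    while seq:
        seq, rem = divmod(seq, 36)
        digits = BASE36[rem] + digits
    return digits.rjust(6, "0")


def seq_to_subdirs(seq36):
    """Split a %{seq} value two digits at a time: 0100A5 -> 01/00/A5."""
    return "/".join(seq36[i:i + 2] for i in range(0, len(seq36), 2))


def next_seq(current, maxseq=MAXSEQ_CAP):
    """Advance the local sequence counter, honouring maxseq: values above the
    cap are silently truncated, and the counter rolls over to zero."""
    cap = min(maxseq, MAXSEQ_CAP)
    nxt = current + 1
    return 0 if nxt >= cap else nxt


def expand_iolog(template, values, epoch):
    """Expand %{name} escapes from `values`, strftime(3) escapes against the
    time `epoch` (seconds, rendered in UTC) and %% to a literal percent."""
    when = time.gmtime(epoch)
    out = []
    i = 0
    while i < len(template):
        if template[i] != "%" or i + 1 == len(template):
            out.append(template[i])          # ordinary text or a trailing %
            i += 1
        elif template[i + 1] == "%":
            out.append("%")
            i += 2
        elif template[i + 1] == "{":
            end = template.index("}", i)     # ValueError if unterminated
            name = template[i + 2:end]
            if name not in values:
                raise ValueError("unsupported escape %{" + name + "}")
            out.append(values[name])
            i = end + 1
        else:
            out.append(time.strftime(template[i:i + 2], when))
            i += 2
    return "".join(out)


def session_values(seq, user, group, runas_user, runas_group, hostname, command):
    """The values the seven iolog escapes expand to for one session."""
    return {
        "seq": seq_to_subdirs(seq_to_base36(seq)),
        "user": user, "group": group,
        "runas_user": runas_user, "runas_group": runas_group,
        "hostname": hostname, "command": command,
    }


def iolog_path(iolog_dir, iolog_file, values, epoch, existing=(), rng=None):
    """Return (path, overwrites). A trailing run of six or more X's is replaced
    with a unique mktemp(3)-style suffix; any other path that already exists
    would be truncated and overwritten, which `overwrites` reports."""
    rel = expand_iolog(iolog_file, values, epoch)
    stem = rel.rstrip("X")
    n_x = len(rel) - len(stem)
    unique = n_x >= 6
    if unique:
        rng = rng or random.Random()
        rel = stem + "".join(rng.choice(ALNUM) for _ in range(n_x))
    path = iolog_dir.rstrip("/") + "/" + rel
    return path, (not unique and path in set(existing))


if __name__ == "__main__":
    # Constructed sample session, not a real sudo log.
    vals = session_values(1679981, "alice", "staff", "root", "wheel", "db1", "ls")
    print(iolog_path("/var/log/sudo-io", "%{seq}", vals, 1380000000))
    print(iolog_path("/var/log/sudo-io", "%{user}/%Y%m%d/%{command}.XXXXXX",
                     vals, 1380000000))
```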
 2875: .TP 18n
 2876: noexec_file
 2877: As of
 2878: \fBsudo\fR
 2879: version 1.8.1 this option is no longer supported.
 2880: The path to the noexec file should now be set in the
 2881: sudo.conf(@mansectform@)
 2882: file.
 2883: .TP 18n
 2884: pam_login_service
 2885: .br
 2886: On systems that use PAM for authentication, this is the service
 2887: name used when the
 2888: \fB\-i\fR
 2889: option is specified.
 2890: The default value is
 2891: ``\fR@pam_login_service@\fR''.
 2892: See the description of
 2893: \fIpam_service\fR
 2894: for more information.
 2895: .sp
 2896: This setting is only supported by version 1.8.8 or higher.
 2897: .TP 18n
 2898: pam_service
 2899: On systems that use PAM for authentication, the service name
 2900: specifies the PAM policy to apply.
 2901: This usually corresponds to an entry in the
 2902: \fIpam.conf\fR
 2903: file or a file in the
 2904: \fI/etc/pam.d\fR
 2905: directory.
 2906: The default value is
 2907: ``\fRsudo\fR''.
 2908: .sp
 2909: This setting is only supported by version 1.8.8 or higher.
 2910: .TP 18n
 2911: passprompt
 2912: The default prompt to use when asking for a password; can be overridden via the
 2913: \fB\-p\fR
 2914: option or the
 2915: \fRSUDO_PROMPT\fR
 2916: environment variable.
 2917: The following percent
 2918: (`%')
 2919: escape sequences are supported:
 2920: .RS
 2921: .TP 6n
 2922: \fR%H\fR
 2923: expanded to the local host name including the domain name
 2924: (only if the machine's host name is fully qualified or the
 2925: \fIfqdn\fR
 2926: option is set)
 2927: .TP 6n
 2928: \fR%h\fR
 2929: expanded to the local host name without the domain name
 2930: .TP 6n
 2931: \fR%p\fR
 2932: expanded to the user whose password is being asked for (respects the
 2933: \fIrootpw\fR,
 2934: \fItargetpw\fR
 2935: and
 2936: \fIrunaspw\fR
 2937: flags in
 2938: \fIsudoers\fR)
 2939: .TP 6n
 2940: \fR\&%U\fR
 2941: expanded to the login name of the user the command will
 2942: be run as (defaults to root)
 2943: .TP 6n
 2944: \fR%u\fR
 2945: expanded to the invoking user's login name
 2946: .TP 6n
 2947: \fR%%\fR
 2948: two consecutive
 2949: \fR%\fR
 2950: characters are collapsed into a single
 2951: \fR%\fR
 2952: character
 2953: .PP
 2954: The default value is
 2955: ``\fR@passprompt@\fR''.
 2956: .PP
 2957: .RE
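The passprompt escapes above, together with the rootpw, targetpw and runaspw flags that decide what %p names, as an added example that is not sudo's own code. The precedence between those flags when more than one is set, the pass-through of unrecognised escapes and the handling of an unqualified host name under fqdn are assumptions:

```python
# Added example, not sudo's implementation: expands the passprompt escapes and
# resolves %p according to the rootpw, runaspw and targetpw flags.
# Assumptions: rootpw takes precedence over runaspw, which takes precedence
# over targetpw; unrecognised escapes are passed through unchanged; with fqdn
# set but an unqualified host name, no DNS lookup is attempted.


def password_user(invoking_user, runas_user, runas_default="root",
                  rootpw=False, targetpw=False, runaspw=False):
    """Whose password is being asked for (what %p expands to)."""
    if rootpw:
        return "root"
    if runaspw:
        return runas_default
    if targetpw:
        return runas_user
    return invoking_user


def expand_passprompt(prompt, invoking_user, runas_user, hostname,
                      fqdn=False, runas_default="root", **flags):
    """Expand %H, %h, %p, %U, %u and %% in `prompt`. `hostname` is the
    machine's host name as configured; %H keeps the domain part only when the
    name is fully qualified or the fqdn option is set."""
    short = hostname.split(".")[0]
    full = hostname if ("." in hostname or fqdn) else short
    table = {
        "H": full,
        "h": short,
        "p": password_user(invoking_user, runas_user, runas_default, **flags),
        "U": runas_user,
        "u": invoking_user,
        "%": "%",
    }
    out = []
    i = 0
    while i < len(prompt):
        if prompt[i] == "%" and i + 1 < len(prompt) and prompt[i + 1] in table:
            out.append(table[prompt[i + 1]])
            i += 2
        else:
            out.append(prompt[i])   # plain text or an unrecognised escape
            i += 1
    return "".join(out)


if __name__ == "__main__":
    # Constructed sample values, not taken from a real system.
    for flags in ({}, {"targetpw": True}, {"rootpw": True}):
        print(expand_passprompt("[%h] %u needs %p's password to run as %U: ",
                                "alice", "www", "db1.example.com", **flags))
```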
 2958: .PD 0
 2959: .TP 18n
 2960: privs
 2961: The default Solaris privileges to use when constructing a new
 2962: privilege set for a command.
 2963: This is passed to the executing process via the inherited privilege set,
 2964: but is bounded by the limit privileges.
 2965: If the
 2966: \fIprivs\fR
 2967: option is specified but the
 2968: \fIlimitprivs\fR
 2969: option is not, the limit privileges of the executing process are set to
 2970: \fIprivs\fR.
 2971: The default privileges may be overridden on a per-command basis in
 2972: \fIsudoers\fR.
 2973: This option is only available if
 2974: \fBsudoers\fR
 2975: is built on Solaris 10 or higher.
 2976: .PD
 2977: .TP 18n
 2978: role
 2979: The default SELinux role to use when constructing a new security
 2980: context to run the command.
 2981: The default role may be overridden on a per-command basis in
 2982: \fIsudoers\fR
 2983: or via command line options.
 2984: This option is only available when
 2985: \fBsudo\fR
 2986: is built with SELinux support.
 2987: .TP 18n
 2988: runas_default
 2989: The default user to run commands as if the
 2990: \fB\-u\fR
 2991: option is not specified on the command line.
 2992: This defaults to
 2993: \fR@runas_default@\fR.
 2994: .TP 18n
 2995: syslog_badpri
 2996: Syslog priority to use when a user authenticates unsuccessfully.
 2997: Defaults to
 2998: \fR@badpri@\fR.
 2999: .sp
 3000: The following syslog priorities are supported:
 3001: \fBalert\fR,
 3002: \fBcrit\fR,
 3003: \fBdebug\fR,
 3004: \fBemerg\fR,
 3005: \fBerr\fR,
 3006: \fBinfo\fR,
 3007: \fBnotice\fR,
 3008: and
 3009: \fBwarning\fR.
 3010: .TP 18n
 3011: syslog_goodpri
 3012: Syslog priority to use when a user authenticates successfully.
 3013: Defaults to
 3014: \fR@goodpri@\fR.
 3015: .sp
 3016: See
 3017: \fIsyslog_badpri\fR
 3018: for the list of supported syslog priorities.
 3019: .TP 18n
 3020: sudoers_locale
 3021: Locale to use when parsing the sudoers file, logging commands, and
 3022: sending email.
 3023: Note that changing the locale may affect how sudoers is interpreted.
 3024: Defaults to
 3025: ``\fRC\fR''.
 3026: .TP 18n
 3027: timestampdir
 3028: The directory in which
 3029: \fBsudo\fR
 3030: stores its time stamp files.
 3031: The default is
 3032: \fI@timedir@\fR.
 3033: .TP 18n
 3034: timestampowner
 3035: The owner of the time stamp directory and the time stamps stored therein.
 3036: The default is
 3037: \fRroot\fR.
 3038: .TP 18n
 3039: type
 3040: The default SELinux type to use when constructing a new security
 3041: context to run the command.
 3042: The default type may be overridden on a per-command basis in
 3043: \fIsudoers\fR
 3044: or via command line options.
 3045: This option is only available when
 3046: \fBsudo\fR
 3047: is built with SELinux support.
 3048: .PP
 3049: \fBStrings that can be used in a boolean context\fR:
 3050: .TP 14n
 3051: env_file
 3052: The
 3053: \fIenv_file\fR
 3054: option specifies the fully qualified path to a file containing variables
 3055: to be set in the environment of the program being run.
 3056: Entries in this file should either be of the form
 3057: ``\fRVARIABLE=value\fR''
 3058: or
 3059: ``\fRexport VARIABLE=value\fR''.
 3060: The value may optionally be surrounded by single or double quotes.
 3061: Variables in this file are subject to other
 3062: \fBsudo\fR
 3063: environment settings such as
 3064: \fIenv_keep\fR
 3065: and
 3066: \fIenv_check\fR.
 3067: .TP 14n
 3068: exempt_group
 3069: Users in this group are exempt from password and PATH requirements.
 3070: The group name specified should not include a
 3071: \fR%\fR
 3072: prefix.
 3073: This is not set by default.
 3074: .TP 14n
 3075: group_plugin
 3076: A string containing a
 3077: \fIsudoers\fR
 3078: group plugin with optional arguments.
 3079: The string should consist of the plugin
 3080: path, either fully-qualified or relative to the
 3081: \fI@PLUGINDIR@\fR
 3082: directory, followed by any configuration arguments the plugin requires.
 3083: These arguments (if any) will be passed to the plugin's initialization function.
 3084: If arguments are present, the string must be enclosed in double quotes
 3085: (\&"").
 3086: .sp
 3087: For more information see
 3088: GROUP PROVIDER PLUGINS.
 3089: .TP 14n
 3090: lecture
 3091: This option controls when a short lecture will be printed along with
 3092: the password prompt.
 3093: It has the following possible values:
 3094: .RS
 3095: .TP 8n
 3096: always
 3097: Always lecture the user.
 3098: .TP 8n
 3099: never
 3100: Never lecture the user.
 3101: .TP 8n
 3102: once
 3103: Only lecture the user the first time they run
 3104: \fBsudo\fR.
 3105: .PP
 3106: If no value is specified, a value of
 3107: \fIonce\fR
 3108: is implied.
 3109: Negating the option results in a value of
 3110: \fInever\fR
 3111: being used.
 3112: The default value is
 3113: \fI@lecture@\fR.
 3114: .PP
 3115: .RE
 3116: .PD 0
 3117: .TP 14n
 3118: lecture_file
 3119: Path to a file containing an alternate
 3120: \fBsudo\fR
 3121: lecture that will be used in place of the standard lecture if the named
 3122: file exists.
 3123: By default,
 3124: \fBsudo\fR
 3125: uses a built-in lecture.
 3126: .PD
 3127: .TP 14n
 3128: listpw
 3129: This option controls when a password will be required when a user runs
 3130: \fBsudo\fR
 3131: with the
 3132: \fB\-l\fR
 3133: option.
 3134: It has the following possible values:
 3135: .RS
 3136: .TP 10n
 3137: all
 3138: All the user's
 3139: \fIsudoers\fR
 3140: entries for the current host must have
 3141: the
 3142: \fRNOPASSWD\fR
 3143: flag set to avoid entering a password.
 3144: .TP 10n
 3145: always
 3146: The user must always enter a password to use the
 3147: \fB\-l\fR
 3148: option.
 3149: .TP 10n
 3150: any
 3151: At least one of the user's
 3152: \fIsudoers\fR
 3153: entries for the current host
 3154: must have the
 3155: \fRNOPASSWD\fR
 3156: flag set to avoid entering a password.
 3157: .TP 10n
 3158: never
 3159: The user need never enter a password to use the
 3160: \fB\-l\fR
 3161: option.
 3162: .PP
 3163: If no value is specified, a value of
 3164: \fIany\fR
 3165: is implied.
 3166: Negating the option results in a value of
 3167: \fInever\fR
 3168: being used.
 3169: The default value is
 3170: \fIany\fR.
 3171: .PP
 3172: .RE
 3173: .PD 0
 3174: .TP 14n
 3175: logfile
 3176: Path to the
 3177: \fBsudo\fR
 3178: log file (not the syslog log file).
 3179: Setting a path turns on logging to a file;
 3180: negating this option turns it off.
 3181: By default,
 3182: \fBsudo\fR
 3183: logs via syslog.
 3184: .PD
 3185: .TP 14n
 3186: mailerflags
 3187: Flags to use when invoking the mailer. Defaults to
 3188: \fB\-t\fR.
 3189: .TP 14n
 3190: mailerpath
 3191: Path to mail program used to send warning mail.
 3192: Defaults to the path to sendmail found at configure time.
 3193: .TP 14n
 3194: mailfrom
 3195: Address to use for the
 3196: ``from''
 3197: address when sending warning and error mail.
 3198: The address should be enclosed in double quotes
 3199: (\&"")
 3200: to protect against
 3201: \fBsudo\fR
 3202: interpreting the
 3203: \fR@\fR
 3204: sign.
 3205: Defaults to the name of the user running
 3206: \fBsudo\fR.
 3207: .TP 14n
 3208: mailto
 3209: Address to send warning and error mail to.
 3210: The address should be enclosed in double quotes
 3211: (\&"")
 3212: to protect against
 3213: \fBsudo\fR
 3214: interpreting the
 3215: \fR@\fR
 3216: sign.
 3217: Defaults to
 3218: \fR@mailto@\fR.
 3219: .TP 14n
 3220: secure_path
 3221: Path used for every command run from
 3222: \fBsudo\fR.
 3223: If you don't trust the
 3224: people running
 3225: \fBsudo\fR
 3226: to have a sane
 3227: \fRPATH\fR
 3228: environment variable you may want to use this.
 3229: Another use is if you want to have the
 3230: ``root path''
 3231: be separate from the
 3232: ``user path''.
 3233: Users in the group specified by the
 3234: \fIexempt_group\fR
 3235: option are not affected by
 3236: \fIsecure_path\fR.
 3237: This option is @secure_path@ by default.
 3238: .TP 14n
 3239: syslog
 3240: Syslog facility if syslog is being used for logging (negate to
 3241: disable syslog logging).
 3242: Defaults to
 3243: \fR@logfac@\fR.
 3244: .sp
 3245: The following syslog facilities are supported:
 3246: \fBauthpriv\fR
 3247: (if your
 3248: OS supports it),
 3249: \fBauth\fR,
 3250: \fBdaemon\fR,
 3251: \fBuser\fR,
 3252: \fBlocal0\fR,
 3253: \fBlocal1\fR,
 3254: \fBlocal2\fR,
 3255: \fBlocal3\fR,
 3256: \fBlocal4\fR,
 3257: \fBlocal5\fR,
 3258: \fBlocal6\fR,
 3259: and
 3260: \fBlocal7\fR.
 3261: .TP 14n
 3262: verifypw
 3263: This option controls when a password will be required when a user runs
 3264: \fBsudo\fR
 3265: with the
 3266: \fB\-v\fR
 3267: option.
 3268: It has the following possible values:
 3269: .RS
 3270: .TP 8n
 3271: all
 3272: All the user's
 3273: \fIsudoers\fR
 3274: entries for the current host must have the
 3275: \fRNOPASSWD\fR
 3276: flag set to avoid entering a password.
 3277: .TP 8n
 3278: always
 3279: The user must always enter a password to use the
 3280: \fB\-v\fR
 3281: option.
 3282: .TP 8n
 3283: any
 3284: At least one of the user's
 3285: \fIsudoers\fR
 3286: entries for the current host must have the
 3287: \fRNOPASSWD\fR
 3288: flag set to avoid entering a password.
 3289: .TP 8n
 3290: never
 3291: The user need never enter a password to use the
 3292: \fB\-v\fR
 3293: option.
 3294: .PP
 3295: If no value is specified, a value of
 3296: \fIall\fR
 3297: is implied.
 3298: Negating the option results in a value of
 3299: \fInever\fR
 3300: being used.
 3301: The default value is
 3302: \fIall\fR.
 3303: .RE
 3304: .PP
 3305: \fBLists that can be used in a boolean context\fR:
 3306: .TP 18n
 3307: env_check
 3308: Environment variables to be removed from the user's environment if
 3309: the variable's value contains
 3310: `%'
 3311: or
 3312: `/'
 3313: characters.
 3314: This can be used to guard against printf-style format vulnerabilities
 3315: in poorly-written programs.
 3316: The argument may be a double-quoted, space-separated list or a
 3317: single value without double-quotes.
 3318: The list can be replaced, added to, deleted from, or disabled by using
 3319: the
 3320: \fR=\fR,
 3321: \fR+=\fR,
 3322: \fR-=\fR,
 3323: and
 3324: \fR\&!\fR
 3325: operators respectively.
 3326: Regardless of whether the
 3327: \fRenv_reset\fR
 3328: option is enabled or disabled, variables specified by
 3329: \fRenv_check\fR
 3330: will be preserved in the environment if they pass the aforementioned check.
 3331: The default list of environment variables to check is displayed when
 3332: \fBsudo\fR
 3333: is run by root with
 3334: the
 3335: \fB\-V\fR
 3336: option.
 3337: .TP 18n
 3338: env_delete
 3339: Environment variables to be removed from the user's environment when the
 3340: \fIenv_reset\fR
 3341: option is not in effect.
 3342: The argument may be a double-quoted, space-separated list or a
 3343: single value without double-quotes.
 3344: The list can be replaced, added to, deleted from, or disabled by using the
 3345: \fR=\fR,
 3346: \fR+=\fR,
 3347: \fR-=\fR,
 3348: and
 3349: \fR\&!\fR
 3350: operators respectively.
 3351: The default list of environment variables to remove is displayed when
 3352: \fBsudo\fR
 3353: is run by root with the
 3354: \fB\-V\fR
 3355: option.
 3356: Note that many operating systems will remove potentially dangerous
 3357: variables from the environment of any setuid process (such as
 3358: \fBsudo\fR).
 3359: .TP 18n
 3360: env_keep
 3361: Environment variables to be preserved in the user's environment when the
 3362: \fIenv_reset\fR
 3363: option is in effect.
 3364: This allows fine-grained control over the environment
 3365: \fBsudo\fR-spawned
 3366: processes will receive.
 3367: The argument may be a double-quoted, space-separated list or a
 3368: single value without double-quotes.
 3369: The list can be replaced, added to, deleted from, or disabled by using the
 3370: \fR=\fR,
 3371: \fR+=\fR,
 3372: \fR-=\fR,
 3373: and
 3374: \fR\&!\fR
 3375: operators respectively.
 3376: The default list of variables to keep
 3377: is displayed when
 3378: \fBsudo\fR
 3379: is run by root with the
 3380: \fB\-V\fR
 3381: option.
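.PP
The three lists interact in a way that is easy to misread, so here is a
small model of the rules stated above.
This is an added example, not code from
\fBsudo\fR
itself: it re-implements only the list semantics described in this
section (including the trailing
`*'
wildcard form used by the default lists, e.g.
``LC_*'').
Real
\fIsudoers\fR
also seeds HOME, PATH, SHELL, LOGNAME, USER and the SUDO_* variables and
accepts ``VAR=value'' list entries; neither is modelled.
The sample environment and list contents are constructed for the example.

```python
"""Model of how env_reset, env_keep, env_check and env_delete interact.

Added example, not sudo's own code: it implements only the list rules
documented in sudoers(5) for these options.  Defaults that real sudoers
seeds into a reset environment (HOME, PATH, SHELL, SUDO_*, ...) and the
"VAR=value" list-entry form are deliberately left out.
"""


def in_list(name, patterns):
    """True if the variable name matches a list entry; an entry ending in
    '*' matches any name with that prefix (the form used by "LC_*")."""
    for pat in patterns:
        if pat.endswith("*"):
            if name.startswith(pat[:-1]):
                return True
        elif name == pat:
            return True
    return False


def passes_env_check(value):
    """env_check test: the value may contain neither '%' nor '/'."""
    return "%" not in value and "/" not in value


def build_environment(env, env_reset, env_keep=(), env_check=(), env_delete=()):
    """Return the environment the command would receive.

    env_reset on:  start empty; keep env_check variables whose values pass
                   the check, plus env_keep variables.
    env_reset off: start with everything; drop env_delete variables, then
                   drop env_check variables whose values fail the check.
    An env_check variable is therefore preserved in both modes, but only
    when its value is clean.
    """
    result = {}
    for name, value in env.items():
        if env_reset:
            if in_list(name, env_check):
                keep = passes_env_check(value)
            else:
                keep = in_list(name, env_keep)
        else:
            if in_list(name, env_delete):
                keep = False
            elif in_list(name, env_check):
                keep = passes_env_check(value)
            else:
                keep = True
        if keep:
            result[name] = value
    return result


# Constructed sample environment chosen to exercise every branch:
# LC_ALL carries a '%', LANGUAGE a '/', LD_PRELOAD is on the delete list,
# EDITOR is on no list at all.
SAMPLE_ENV = {
    "TERM": "xterm-256color",
    "LANG": "C.UTF-8",
    "LC_ALL": "%s%n",
    "LANGUAGE": "../../../tmp/evil",
    "TZ": "UTC",
    "DISPLAY": ":0",
    "HOME": "/home/alice",
    "EDITOR": "vim",
    "LD_PRELOAD": "/tmp/evil.so",
}
SAMPLE_KEEP = ["DISPLAY", "HOME"]                                  # env_keep
SAMPLE_CHECK = ["COLORTERM", "LANG", "LANGUAGE", "LC_*", "LINGUAS", "TERM", "TZ"]
SAMPLE_DELETE = ["IFS", "CDPATH", "LD_*", "PERLLIB", "PERL5LIB"]   # env_delete

if __name__ == "__main__":
    for reset in (True, False):
        print("env_reset" if reset else "!env_reset",
              build_environment(SAMPLE_ENV, reset, SAMPLE_KEEP,
                                SAMPLE_CHECK, SAMPLE_DELETE))
```
.PP
Running it shows that LC_ALL and LANGUAGE are dropped in both modes
because of their values, while EDITOR survives only when
\fIenv_reset\fR
is off and LD_PRELOAD survives in neither.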
 3382: .SH "GROUP PROVIDER PLUGINS"
 3383: The
 3384: \fBsudoers\fR
 3385: plugin supports its own plugin interface to allow non-Unix
 3386: group lookups which can query a group source other
 3387: than the standard Unix group database.
 3388: This can be used to implement support for the
 3389: \fRnonunix_group\fR
 3390: syntax described earlier.
 3391: .PP
 3392: Group provider plugins are specified via the
 3393: \fIgroup_plugin\fR
 3394: Defaults setting.
 3395: The argument to
 3396: \fIgroup_plugin\fR
 3397: should consist of the plugin path, either fully-qualified or relative to the
 3398: \fI@PLUGINDIR@\fR
 3399: directory, followed by any configuration options the plugin requires.
 3400: These options (if specified) will be passed to the plugin's initialization
 3401: function.
 3402: If options are present, the string must be enclosed in double quotes
 3403: (\&"").
 3404: .PP
 3405: The following group provider plugins are installed by default:
 3406: .TP 10n
 3407: group_file
 3408: The
 3409: \fIgroup_file\fR
 3410: plugin supports an alternate group file that uses the same syntax as the
 3411: \fI/etc/group\fR
 3412: file.
 3413: The path to the group file should be specified as an option
 3414: to the plugin.
 3415: For example, if the group file to be used is
 3416: \fI/etc/sudo-group\fR:
 3417: .RS
 3418: .nf
 3419: .sp
 3420: .RS 0n
 3421: Defaults group_plugin="group_file.so /etc/sudo-group"
 3422: .RE
 3423: .fi
 3424: .PP
 3425: .RE
 3426: .PD 0
 3427: .TP 10n
 3428: system_group
 3429: The
 3430: \fIsystem_group\fR
 3431: plugin supports group lookups via the standard C library functions
 3432: \fBgetgrnam\fR()
 3433: and
 3434: \fBgetgrgid\fR().
 3435: This plugin can be used in instances where the user belongs to
 3436: groups not present in the user's supplemental group vector.
 3437: This plugin takes no options:
 3438: .RS
 3439: .nf
 3440: .sp
 3441: .RS 0n
 3442: Defaults group_plugin=system_group.so
 3443: .RE
 3444: .fi
 3445: .RE
 3446: .PD
 3447: .PP
 3448: The group provider plugin API is described in detail in
 3449: sudo_plugin(@mansectsu@).
 3450: .SH "LOG FORMAT"
 3451: \fBsudoers\fR
 3452: can log events using either
 3453: syslog(3)
 3454: or a simple log file.
 3455: In each case the log format is almost identical.
 3456: .SS "Accepted command log entries"
 3457: Commands that sudo runs are logged using the following format (split
 3458: into multiple lines for readability):
 3459: .nf
 3460: .sp
 3461: .RS 4n
 3462: date hostname progname: username : TTY=ttyname ; PWD=cwd ; \e
 3463:     USER=runasuser ; GROUP=runasgroup ; TSID=logid ; \e
 3464:     ENV=env_vars COMMAND=command
 3465: .RE
 3466: .fi
 3467: .PP
 3468: Where the fields are as follows:
 3469: .TP 14n
 3470: date
 3471: The date the command was run.
 3472: Typically, this is in the format
 3473: ``MMM DD HH:MM:SS''.
 3474: If logging via
 3475: syslog(3),
 3476: the actual date format is controlled by the syslog daemon.
 3477: If logging to a file and the
 3478: \fIlog_year\fR
 3479: option is enabled,
 3480: the date will also include the year.
 3481: .TP 14n
 3482: hostname
 3483: The name of the host
 3484: \fBsudo\fR
 3485: was run on.
 3486: This field is only present when logging via
 3487: syslog(3).
 3488: .TP 14n
 3489: progname
 3490: The name of the program, usually
 3491: \fIsudo\fR
 3492: or
 3493: \fIsudoedit\fR.
 3494: This field is only present when logging via
 3495: syslog(3).
 3496: .TP 14n
 3497: username
 3498: The login name of the user who ran
 3499: \fBsudo\fR.
 3500: .TP 14n
 3501: ttyname
 3502: The short name of the terminal (e.g.\&
 3503: ``console'',
 3504: ``tty01'',
 3505: or
 3506: ``pts/0'')
 3507: \fBsudo\fR
 3508: was run on, or
 3509: ``unknown''
 3510: if there was no terminal present.
 3511: .TP 14n
 3512: cwd
 3513: The current working directory that
 3514: \fBsudo\fR
 3515: was run in.
 3516: .TP 14n
 3517: runasuser
 3518: The user the command was run as.
 3519: .TP 14n
 3520: runasgroup
 3521: The group the command was run as, if one was specified on the command line.
 3522: .TP 14n
 3523: logid
 3524: An I/O log identifier that can be used to replay the command's output.
 3525: This is only present when the
 3526: \fIlog_input\fR
 3527: or
 3528: \fIlog_output\fR
 3529: option is enabled.
 3530: .TP 14n
 3531: env_vars
 3532: A list of environment variables specified on the command line,
 3533: if specified.
 3534: .TP 14n
 3535: command
 3536: The actual command that was executed.
 3537: .PP
 3538: Messages are logged using the locale specified by
 3539: \fIsudoers_locale\fR,
 3540: which defaults to the
 3541: ``\fRC\fR''
 3542: locale.
 3543: .SS "Denied command log entries"
 3544: If the user is not allowed to run the command, the reason for the denial
 3545: will follow the user name.
 3546: Possible reasons include:
 3547: .TP 3n
 3548: user NOT in sudoers
 3549: The user is not listed in the
 3550: \fIsudoers\fR
 3551: file.
 3552: .TP 3n
 3553: user NOT authorized on host
 3554: The user is listed in the
 3555: \fIsudoers\fR
 3556: file but is not allowed to run commands on the host.
 3557: .TP 3n
 3558: command not allowed
 3559: The user is listed in the
 3560: \fIsudoers\fR
 3561: file for the host but they are not allowed to run the specified command.
 3562: .TP 3n
 3563: 3 incorrect password attempts
 3564: The user failed to enter their password after 3 tries.
 3565: The actual number of tries will vary based on the number of
 3566: failed attempts and the value of the
 3567: \fIpasswd_tries\fR
 3568: option.
 3569: .TP 3n
 3570: a password is required
 3571: \fBsudo\fR's
 3572: \fB\-n\fR
 3573: option was specified but a password was required.
 3574: .TP 3n
 3575: sorry, you are not allowed to set the following environment variables
 3576: The user specified environment variables on the command line that
 3577: were not allowed by
 3578: \fIsudoers\fR.
 3579: .SS "Error log entries"
 3580: If an error occurs,
 3581: \fBsudoers\fR
 3582: will log a message and, in most cases, send a message to the
 3583: administrator via email.
 3584: Possible errors include:
 3585: .TP 3n
 3586: parse error in @sysconfdir@/sudoers near line N
 3587: \fBsudoers\fR
 3588: encountered an error when parsing the specified file.
 3589: In some cases, the actual error may be one line above or below the
 3590: line number listed, depending on the type of error.
 3591: .TP 3n
 3592: problem with defaults entries
 3593: The
 3594: \fIsudoers\fR
 3595: file contains one or more unknown Defaults settings.
 3596: This does not prevent
 3597: \fBsudo\fR
 3598: from running, but the
 3599: \fIsudoers\fR
 3600: file should be checked using
 3601: \fBvisudo\fR.
 3602: .TP 3n
 3603: timestamp owner (username): \&No such user
 3604: The time stamp directory owner, as specified by the
 3605: \fItimestampowner\fR
 3606: setting, could not be found in the password database.
 3607: .TP 3n
 3608: unable to open/read @sysconfdir@/sudoers
 3609: The
 3610: \fIsudoers\fR
 3611: file could not be opened for reading.
 3612: This can happen when the
 3613: \fIsudoers\fR
 3614: file is located on a remote file system that maps user ID 0 to
 3615: a different value.
 3616: Normally,
 3617: \fBsudoers\fR
 3618: tries to open
 3619: \fIsudoers\fR
 3620: using group permissions to avoid this problem.
 3621: Consider either changing the ownership of
 3622: \fI@sysconfdir@/sudoers\fR
 3623: or adding an argument like
 3624: ``sudoers_uid=N''
 3625: (where
 3626: `N'
 3627: is the user ID that owns the
 3628: \fIsudoers\fR
 3629: file) to the end of the
 3630: \fBsudoers\fR
 3631: \fRPlugin\fR
 3632: line in the
 3633: sudo.conf(@mansectform@)
 3634: file.
 3635: .TP 3n
 3636: unable to stat @sysconfdir@/sudoers
 3637: The
 3638: \fI@sysconfdir@/sudoers\fR
 3639: file is missing.
 3640: .TP 3n
 3641: @sysconfdir@/sudoers is not a regular file
 3642: The
 3643: \fI@sysconfdir@/sudoers\fR
 3644: file exists but is not a regular file or symbolic link.
 3645: .TP 3n
 3646: @sysconfdir@/sudoers is owned by uid N, should be 0
 3647: The
 3648: \fIsudoers\fR
 3649: file has the wrong owner.
 3650: If you wish to change the
 3651: \fIsudoers\fR
 3652: file owner, please add
 3653: ``sudoers_uid=N''
 3654: (where
 3655: `N'
 3656: is the user ID that owns the
 3657: \fIsudoers\fR
 3658: file) to the
 3659: \fBsudoers\fR
 3660: \fRPlugin\fR
 3661: line in the
 3662: sudo.conf(@mansectform@)
 3663: file.
 3664: .TP 3n
 3665: @sysconfdir@/sudoers is world writable
 3666: The permissions on the
 3667: \fIsudoers\fR
 3668: file allow all users to write to it.
 3669: The
 3670: \fIsudoers\fR
 3671: file must not be world-writable; the default file mode
 3672: is 0440 (readable by owner and group, writable by none).
 3673: The default mode may be changed via the
 3674: ``sudoers_mode''
 3675: option to the
 3676: \fBsudoers\fR
 3677: \fRPlugin\fR
 3678: line in the
 3679: sudo.conf(@mansectform@)
 3680: file.
 3681: .TP 3n
 3682: @sysconfdir@/sudoers is owned by gid N, should be 1
 3683: The
 3684: \fIsudoers\fR
 3685: file has the wrong group ownership.
 3686: If you wish to change the
 3687: \fIsudoers\fR
 3688: file group ownership, please add
 3689: ``sudoers_gid=N''
 3690: (where
 3691: `N'
 3692: is the group ID that owns the
 3693: \fIsudoers\fR
 3694: file) to the
 3695: \fBsudoers\fR
 3696: \fRPlugin\fR
 3697: line in the
 3698: sudo.conf(@mansectform@)
 3699: file.
 3700: .TP 3n
 3701: unable to open @timedir@/username/ttyname
 3702: \fIsudoers\fR
 3703: was unable to read or create the user's time stamp file.
 3704: .TP 3n
 3705: unable to write to @timedir@/username/ttyname
 3706: \fIsudoers\fR
 3707: was unable to write to the user's time stamp file.
 3708: .TP 3n
 3709: unable to mkdir to @timedir@/username
 3710: \fIsudoers\fR
 3711: was unable to create the user's time stamp directory.
 3712: .SS "Notes on logging via syslog"
 3713: By default,
 3714: \fIsudoers\fR
 3715: logs messages via
 3716: syslog(3).
 3717: The
 3718: \fIdate\fR,
 3719: \fIhostname\fR,
 3720: and
 3721: \fIprogname\fR
 3722: fields are added by the syslog daemon, not
 3723: \fIsudoers\fR
 3724: itself.
 3725: As such, they may vary in format on different systems.
 3726: .PP
 3727: On most systems,
 3728: syslog(3)
 3729: has a relatively small log buffer.
 3730: To prevent the command line arguments from being truncated,
 3731: \fBsudoers\fR
 3732: will split up log messages that are larger than 960 characters
 3733: (not including the date, hostname, and the string
 3734: ``sudo'').
 3735: When a message is split, additional parts will include the string
 3736: ``(command continued)''
 3737: after the user name and before the continued command line arguments.
 3738: .SS "Notes on logging to a file"
 3739: If the
 3740: \fIlogfile\fR
 3741: option is set,
 3742: \fIsudoers\fR
 3743: will log to a local file, such as
 3744: \fI/var/log/sudo\fR.
 3745: When logging to a file,
 3746: \fIsudoers\fR
 3747: uses a format similar to
 3748: syslog(3),
 3749: with a few important differences:
 3750: .TP 5n
 3751: 1.
 3752: The
 3753: \fIprogname\fR
 3754: and
 3755: \fIhostname\fR
 3756: fields are not present.
 3757: .TP 5n
 3758: 2.
 3759: If the
 3760: \fIlog_year\fR
 3761: option is enabled,
 3762: the date will also include the year.
 3763: .TP 5n
 3764: 3.
 3765: Lines that are longer than
 3766: \fIloglinelen\fR
 3767: characters (80 by default) are word-wrapped and continued on the
 3768: next line with a four character indent.
 3769: This makes entries easier to read for a human being, but makes it
 3770: more difficult to use
 3771: grep(1)
 3772: on the log files.
 3773: If the
 3774: \fIloglinelen\fR
 3775: option is set to 0 (or negated with a
 3776: `\&!'),
 3777: word wrap will be disabled.
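.PP
The field layout above, the denial reasons, the syslog
``(command continued)''
splitting and the
\fIloglinelen\fR
word-wrap all matter when these logs are fed to a detection pipeline.
The following parser is an added example, not part of
\fBsudo\fR;
it handles both layouts, folds continued and wrapped lines back together,
and separates accepted from denied entries.
The sample log lines are constructed for this example (host
``bigtime'',
users alice, mallory and bob), not taken from a real system, and the
tolerance for a
``[pid]''
suffix on the program name is an assumption about some syslog daemons,
not something this manual describes.

```python
"""Parser for sudoers log entries in both the syslog and the logfile layout.

Added example, not part of sudo.  It follows the documented layout:
"username : [reason ;] TTY=.. ; PWD=.. ; USER=.. [; GROUP=..] [; TSID=..] ;
[ENV=.. ]COMMAND=..", preceded by the syslog daemon's date/hostname/progname
or by the logfile's "date [year] : ".  The sample lines at the bottom are
constructed for this example.
"""
import re

# syslog layout.  sudoers prints the user name with %8s, hence the run of
# spaces before short names; the optional "[pid]" is an assumption about
# what some syslog daemons add, not part of the sudoers format.
SYSLOG_RE = re.compile(
    r"^(?P<date>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) "
    r"(?P<hostname>\S+) (?P<progname>sudo(?:edit)?)(?:\[\d+\])?: +(?P<rest>.*)$")
# logfile layout: "date [year] : username : message" (year only with log_year).
FILE_RE = re.compile(
    r"^(?P<date>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d(?: \d{4})?) : (?P<rest>.*)$")
REST_RE = re.compile(r"^(?P<username>\S+) : (?P<body>.*)$")
# COMMAND is always last; it follows " ; " or, after ENV=..., a bare space.
CMD_RE = re.compile(r"^(?P<fields>.*?)(?: ; | )COMMAND=(?P<command>.*)$")
CONTINUED = "(command continued) "


def join_wrapped(lines):
    """Undo loglinelen word-wrap: a line starting with four spaces continues
    the previous line (logfile layout only; syslog lines never start so)."""
    out = []
    for line in lines:
        line = line.rstrip("\n")
        if line.startswith("    ") and out:
            out[-1] += " " + line.strip()
        else:
            out.append(line)
    return out


def parse_body(body):
    """Turn 'reason ; KEY=val ; ... ; ENV=.. COMMAND=..' into a dict.
    A denied entry carries its reason (which has no '=') before TTY=."""
    entry = {"reason": None, "COMMAND": None}
    m = CMD_RE.match(body)
    if m:
        entry["COMMAND"] = m.group("command")
        body = m.group("fields")
    for i, tok in enumerate(body.split(" ; ")):
        if i == 0 and "=" not in tok:
            entry["reason"] = tok
        elif "=" in tok:
            key, value = tok.split("=", 1)
            entry[key] = value
    return entry


def parse_log(text):
    """Parse log text of either layout into a list of dicts.  A syslog
    '(command continued)' fragment is appended to the COMMAND of the most
    recent entry for the same user, restoring the split argument list."""
    entries = []
    for line in join_wrapped(text.splitlines()):
        m = SYSLOG_RE.match(line) or FILE_RE.match(line)
        r = REST_RE.match(m.group("rest")) if m else None
        if not r:
            continue                       # not a sudoers accept/deny line
        username, body = r.group("username"), r.group("body")
        if body.startswith(CONTINUED):
            for e in reversed(entries):
                if e["username"] == username and e["COMMAND"] is not None:
                    e["COMMAND"] += " " + body[len(CONTINUED):]
                    break
            continue
        entry = parse_body(body)
        entry.update(date=m.group("date"), username=username,
                     hostname=m.groupdict().get("hostname"))
        entries.append(entry)
    return entries


def denied(entries):
    """Entries carrying one of the denial reasons listed above."""
    return [e for e in entries if e["reason"]]


# Constructed sample: four syslog lines, the last of them split the way
# sudoers splits over-long messages, then one logfile line written with
# log_year and wrapped at loglinelen.
SAMPLE = """\
Oct 14 07:56:34 bigtime sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/id
Oct 14 07:57:01 bigtime sudo:  mallory : command not allowed ; TTY=pts/1 ; PWD=/home/mallory ; USER=root ; COMMAND=/bin/sh
Oct 14 07:57:40 bigtime sudo:      bob : 3 incorrect password attempts ; TTY=pts/2 ; PWD=/home/bob ; USER=root ; COMMAND=/bin/sh
Oct 14 07:58:12 bigtime sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; ENV=LANG=C COMMAND=/usr/bin/kill -TERM 1234 5678
Oct 14 07:58:12 bigtime sudo:    alice : (command continued) 9012
Oct 14 07:59:03 2013 : alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; GROUP=oper ; TSID=000001 ;
    COMMAND=/usr/sbin/restore -rf /dev/nrst0
"""

if __name__ == "__main__":
    for e in parse_log(SAMPLE):
        print(e["username"], e["reason"] or "accepted", e["COMMAND"])
```
.PP
Note that the parser splits the body on the literal
`` ; ''
separator and cuts the command off at the first
``COMMAND=''
field, so a command whose own arguments contain
`` ; ''
still parses correctly; the one ambiguity left is an ENV value that
itself contains the text
``COMMAND=''.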
 3778: .SH "FILES"
 3779: .TP 26n
 3780: \fI@sysconfdir@/sudo.conf\fR
 3781: Sudo front end configuration
 3782: .TP 26n
 3783: \fI@sysconfdir@/sudoers\fR
 3784: List of who can run what
 3785: .TP 26n
 3786: \fI/etc/group\fR
 3787: Local groups file
 3788: .TP 26n
 3789: \fI/etc/netgroup\fR
 3790: List of network groups
 3791: .TP 26n
 3792: \fI@iolog_dir@\fR
 3793: I/O log files
 3794: .TP 26n
 3795: \fI@timedir@\fR
 3796: Directory containing time stamps for the
 3797: \fIsudoers\fR
 3798: security policy
 3799: .TP 26n
 3800: \fI/etc/environment\fR
 3801: Initial environment for
 3802: \fB\-i\fR
 3803: mode on AIX and Linux systems
 3804: .SH "EXAMPLES"
 3805: Below are example
 3806: \fIsudoers\fR
 3807: entries.
 3808: Admittedly, some of these are a bit contrived.
 3809: First, we allow a few environment variables to pass and then define our
 3810: \fIaliases\fR:
 3811: .nf
 3812: .sp
 3813: .RS 0n
 3814: # Run X applications through sudo; HOME is used to find the
 3815: # .Xauthority file.  Note that other programs use HOME to find
 3816: # configuration files and this may lead to privilege escalation!
 3817: Defaults env_keep += "DISPLAY HOME"
 3818: 
 3819: # User alias specification
 3820: User_Alias	FULLTIMERS = millert, mikef, dowdy
 3821: User_Alias	PARTTIMERS = bostley, jwfox, crawl
 3822: User_Alias	WEBMASTERS = will, wendy, wim
 3823: 
 3824: # Runas alias specification
 3825: Runas_Alias	OP = root, operator
 3826: Runas_Alias	DB = oracle, sybase
 3827: Runas_Alias	ADMINGRP = adm, oper
 3828: 
 3829: # Host alias specification
 3830: Host_Alias	SPARC = bigtime, eclipse, moet, anchor :\e
 3831: 		SGI = grolsch, dandelion, black :\e
 3832: 		ALPHA = widget, thalamus, foobar :\e
 3833: 		HPPA = boa, nag, python
 3834: Host_Alias	CUNETS = 128.138.0.0/255.255.0.0
 3835: Host_Alias	CSNETS = 128.138.243.0, 128.138.204.0/24, 128.138.242.0
 3836: Host_Alias	SERVERS = master, mail, www, ns
 3837: Host_Alias	CDROM = orion, perseus, hercules
 3838: 
 3839: # Cmnd alias specification
 3840: Cmnd_Alias	DUMPS = /usr/bin/mt, /usr/sbin/dump, /usr/sbin/rdump,\e
 3841: 			/usr/sbin/restore, /usr/sbin/rrestore,\e
 3842: 			sha224:0GomF8mNN3wlDt1HD9XldjJ3SNgpFdbjO1+NsQ== \e
 3843: 			/home/operator/bin/start_backups
 3844: Cmnd_Alias	KILL = /usr/bin/kill
 3845: Cmnd_Alias	PRINTING = /usr/sbin/lpc, /usr/bin/lprm
 3846: Cmnd_Alias	SHUTDOWN = /usr/sbin/shutdown
 3847: Cmnd_Alias	HALT = /usr/sbin/halt
 3848: Cmnd_Alias	REBOOT = /usr/sbin/reboot
 3849: Cmnd_Alias	SHELLS = /usr/bin/sh, /usr/bin/csh, /usr/bin/ksh,\e
 3850: 			 /usr/local/bin/tcsh, /usr/bin/rsh,\e
 3851: 			 /usr/local/bin/zsh
 3852: Cmnd_Alias	SU = /usr/bin/su
 3853: Cmnd_Alias	PAGERS = /usr/bin/more, /usr/bin/pg, /usr/bin/less
 3854: .RE
 3855: .fi
 3856: .PP
 3857: Here we override some of the compiled in default values.
 3858: We want
 3859: \fBsudo\fR
 3860: to log via
 3861: syslog(3)
 3862: using the
 3863: \fIauth\fR
 3864: facility in all cases.
 3865: We don't want to subject the full time staff to the
 3866: \fBsudo\fR
 3867: lecture, user
 3868: \fBmillert\fR
 3869: need not give a password, and we don't want to reset the
 3870: \fRLOGNAME\fR,
 3871: \fRUSER\fR
 3872: or
 3873: \fRUSERNAME\fR
 3874: environment variables when running commands as root.
 3875: Additionally, on the machines in the
 3876: \fISERVERS\fR
 3877: \fRHost_Alias\fR,
 3878: we keep an additional local log file and make sure we log the year
 3879: in each log line since the log entries will be kept around for several years.
 3880: Lastly, we disable shell escapes for the commands in the PAGERS
 3881: \fRCmnd_Alias\fR
 3882: (\fI/usr/bin/more\fR,
 3883: \fI/usr/bin/pg\fR
 3884: and
 3885: \fI/usr/bin/less\fR).
 3887: Note that this will not effectively constrain users with
 3888: \fBsudo\fR
 3889: \fBALL\fR
 3890: privileges.
 3891: .nf
 3892: .sp
 3893: .RS 0n
 3894: # Override built-in defaults
 3895: Defaults		syslog=auth
 3896: Defaults>root		!set_logname
 3897: Defaults:FULLTIMERS	!lecture
 3898: Defaults:millert	!authenticate
 3899: Defaults@SERVERS	log_year, logfile=/var/log/sudo.log
 3900: Defaults!PAGERS		noexec
 3901: .RE
 3902: .fi
 3903: .PP
 3904: The
 3905: \fIUser specification\fR
 3906: is the part that actually determines who may run what.
 3907: .nf
 3908: .sp
 3909: .RS 0n
 3910: root		ALL = (ALL) ALL
 3911: %wheel		ALL = (ALL) ALL
 3912: .RE
 3913: .fi
 3914: .PP
 3915: We let
 3916: \fBroot\fR
 3917: and any user in group
 3918: \fBwheel\fR
 3919: run any command on any host as any user.
 3920: .nf
 3921: .sp
 3922: .RS 0n
 3923: FULLTIMERS	ALL = NOPASSWD: ALL
 3924: .RE
 3925: .fi
 3926: .PP
 3927: Full time sysadmins
 3928: (\fBmillert\fR,
 3929: \fBmikef\fR,
 3930: and
 3931: \fBdowdy\fR)
 3932: may run any command on any host without authenticating themselves.
 3933: .nf
 3934: .sp
 3935: .RS 0n
 3936: PARTTIMERS	ALL = ALL
 3937: .RE
 3938: .fi
 3939: .PP
 3940: Part time sysadmins
 3941: (\fBbostley\fR,
 3942: \fBjwfox\fR,
 3943: and
 3944: \fBcrawl\fR)
 3945: may run any command on any host but they must authenticate themselves
 3946: first (since the entry lacks the
 3947: \fRNOPASSWD\fR
 3948: tag).
 3949: .nf
 3950: .sp
 3951: .RS 0n
 3952: jack		CSNETS = ALL
 3953: .RE
 3954: .fi
 3955: .PP
 3956: The user
 3957: \fBjack\fR
 3958: may run any command on the machines in the
 3959: \fICSNETS\fR
 3960: alias (the networks
 3961: \fR128.138.243.0\fR,
 3962: \fR128.138.204.0\fR,
 3963: and
 3964: \fR128.138.242.0\fR).
 3965: Of those networks, only
 3966: \fR128.138.204.0\fR
 3967: has an explicit netmask (in CIDR notation) indicating it is a class C network.
 3968: For the other networks in
 3969: \fICSNETS\fR,
 3970: the local machine's netmask will be used during matching.
 3971: .nf
 3972: .sp
 3973: .RS 0n
 3974: lisa		CUNETS = ALL
 3975: .RE
 3976: .fi
 3977: .PP
 3978: The user
 3979: \fBlisa\fR
 3980: may run any command on any host in the
 3981: \fICUNETS\fR
 3982: alias (the class B network
 3983: \fR128.138.0.0\fR).
 3984: .nf
 3985: .sp
 3986: .RS 0n
 3987: operator	ALL = DUMPS, KILL, SHUTDOWN, HALT, REBOOT, PRINTING,\e
 3988: 		sudoedit /etc/printcap, /usr/oper/bin/
 3989: .RE
 3990: .fi
 3991: .PP
 3992: The
 3993: \fBoperator\fR
 3994: user may run commands limited to simple maintenance.
 3995: Here, those are commands related to backups, killing processes, the
 3996: printing system, shutting down the system, and any commands in the
 3997: directory
 3998: \fI/usr/oper/bin/\fR.
 3999: Note that one command in the
 4000: \fRDUMPS\fR
 4001: Cmnd_Alias includes a sha224 digest,
 4002: \fI/home/operator/bin/start_backups\fR.
 4003: This is because the directory containing the script is writable by the
 4004: operator user.
 4005: If the script is modified (resulting in a digest mismatch) it will no longer
 4006: be possible to run it via
 4007: \fBsudo\fR.
 4008: .nf
 4009: .sp
 4010: .RS 0n
 4011: joe		ALL = /usr/bin/su operator
 4012: .RE
 4013: .fi
 4014: .PP
 4015: The user
 4016: \fBjoe\fR
 4017: may only
 4018: su(1)
 4019: to operator.
 4020: .nf
 4021: .sp
 4022: .RS 0n
 4023: pete		HPPA = /usr/bin/passwd [A-Za-z]*, !/usr/bin/passwd root
 4024: 
 4025: %opers		ALL = (: ADMINGRP) /usr/sbin/
 4026: .RE
 4027: .fi
 4028: .PP
 4029: Users in the
 4030: \fBopers\fR
 4031: group may run commands in
 4032: \fI/usr/sbin/\fR
 4033: as themselves
 4034: with any group in the
 4035: \fIADMINGRP\fR
 4036: \fRRunas_Alias\fR
 4037: (the
 4038: \fBadm\fR
 4039: and
 4040: \fBoper\fR
 4041: groups).
 4042: .PP
 4043: The user
 4044: \fBpete\fR
 4045: is allowed to change anyone's password except for
 4046: root on the
 4047: \fIHPPA\fR
 4048: machines.
 4049: Note that this assumes
 4050: passwd(1)
 4051: does not take multiple user names on the command line.
 4052: .nf
 4053: .sp
 4054: .RS 0n
 4055: bob		SPARC = (OP) ALL : SGI = (OP) ALL
 4056: .RE
 4057: .fi
 4058: .PP
 4059: The user
 4060: \fBbob\fR
 4061: may run anything on the
 4062: \fISPARC\fR
 4063: and
 4064: \fISGI\fR
 4065: machines as any user listed in the
 4066: \fIOP\fR
 4067: \fRRunas_Alias\fR
 4068: (\fBroot\fR
 4069: and
 4070: \fBoperator\fR.)
 4071: .nf
 4072: .sp
 4073: .RS 0n
 4074: jim		+biglab = ALL
 4075: .RE
 4076: .fi
 4077: .PP
 4078: The user
 4079: \fBjim\fR
 4080: may run any command on machines in the
 4081: \fIbiglab\fR
 4082: netgroup.
 4083: \fBsudo\fR
 4084: knows that
 4085: ``biglab''
 4086: is a netgroup due to the
 4087: `+'
 4088: prefix.
 4089: .nf
 4090: .sp
 4091: .RS 0n
 4092: +secretaries	ALL = PRINTING, /usr/bin/adduser, /usr/bin/rmuser
 4093: .RE
 4094: .fi
 4095: .PP
 4096: Users in the
 4097: \fBsecretaries\fR
 4098: netgroup need to help manage the printers as well as add and remove users,
 4099: so they are allowed to run those commands on all machines.
 4100: .nf
 4101: .sp
 4102: .RS 0n
 4103: fred		ALL = (DB) NOPASSWD: ALL
 4104: .RE
 4105: .fi
 4106: .PP
 4107: The user
 4108: \fBfred\fR
 4109: can run commands as any user in the
 4110: \fIDB\fR
 4111: \fRRunas_Alias\fR
 4112: (\fBoracle\fR
 4113: or
 4114: \fBsybase\fR)
 4115: without giving a password.
 4116: .nf
 4117: .sp
 4118: .RS 0n
 4119: john		ALPHA = /usr/bin/su [!-]*, !/usr/bin/su *root*
 4120: .RE
 4121: .fi
 4122: .PP
 4123: On the
 4124: \fIALPHA\fR
 4125: machines, user
 4126: \fBjohn\fR
 4127: may su to anyone except root but he is not allowed to specify any options
 4128: to the
 4129: su(1)
 4130: command.
 4131: .nf
 4132: .sp
 4133: .RS 0n
 4134: jen		ALL, !SERVERS = ALL
 4135: .RE
 4136: .fi
 4137: .PP
 4138: The user
 4139: \fBjen\fR
 4140: may run any command on any machine except for those in the
 4141: \fISERVERS\fR
 4142: \fRHost_Alias\fR
 4143: (master, mail, www and ns).
 4144: .nf
 4145: .sp
 4146: .RS 0n
 4147: jill		SERVERS = /usr/bin/, !SU, !SHELLS
 4148: .RE
 4149: .fi
 4150: .PP
 4151: For any machine in the
 4152: \fISERVERS\fR
 4153: \fRHost_Alias\fR,
 4154: \fBjill\fR
 4155: may run
 4156: any commands in the directory
 4157: \fI/usr/bin/\fR
 4158: except for those commands
 4159: belonging to the
 4160: \fISU\fR
 4161: and
 4162: \fISHELLS\fR
 4163: \fRCmnd_Aliases\fR.
 4164: While not specifically mentioned in the rule, the commands in the
 4165: \fIPAGERS\fR
 4166: \fRCmnd_Alias\fR
 4167: all reside in
 4168: \fI/usr/bin\fR
 4169: and have the
 4170: \fInoexec\fR
 4171: option set.
 4172: .nf
 4173: .sp
 4174: .RS 0n
 4175: steve		CSNETS = (operator) /usr/local/op_commands/
 4176: .RE
 4177: .fi
 4178: .PP
 4179: The user
 4180: \fBsteve\fR
 4181: may run any command in the directory \fI/usr/local/op_commands/\fR
 4182: but only as user operator.
 4183: .nf
 4184: .sp
 4185: .RS 0n
 4186: matt		valkyrie = KILL
 4187: .RE
 4188: .fi
 4189: .PP
 4190: On his personal workstation, valkyrie,
 4191: \fBmatt\fR
 4192: needs to be able to kill hung processes.
 4193: .nf
 4194: .sp
 4195: .RS 0n
 4196: WEBMASTERS	www = (www) ALL, (root) /usr/bin/su www
 4197: .RE
 4198: .fi
 4199: .PP
 4200: On the host www, any user in the
 4201: \fIWEBMASTERS\fR
 4202: \fRUser_Alias\fR
 4203: (will, wendy, and wim), may run any command as user www (which owns the
 4204: web pages) or simply
 4205: su(1)
 4206: to www.
 4207: .nf
 4208: .sp
 4209: .RS 0n
 4210: ALL		CDROM = NOPASSWD: /sbin/umount /CDROM,\e
 4211: 		/sbin/mount -o nosuid\e,nodev /dev/cd0a /CDROM
 4212: .RE
 4213: .fi
 4214: .PP
 4215: Any user may mount or unmount a CD-ROM on the machines in the CDROM
 4216: \fRHost_Alias\fR
 4217: (orion, perseus, hercules) without entering a password.
 4218: This is a bit tedious for users to type, so it is a prime candidate
 4219: for encapsulating in a shell script.
 4220: .SH "SECURITY NOTES"
 4221: .SS "Limitations of the `!\&' operator"
 4222: It is generally not effective to
 4223: ``subtract''
 4224: commands from
 4225: \fBALL\fR
 4226: using the
 4227: `!\&'
 4228: operator.
 4229: A user can trivially circumvent this by copying the desired command
 4230: to a different name and then executing that.
 4231: For example:
 4232: .nf
 4233: .sp
 4234: .RS 0n
 4235: bill	ALL = ALL, !SU, !SHELLS
 4236: .RE
 4237: .fi
 4238: .PP
 4239: Doesn't really prevent
 4240: \fBbill\fR
 4241: from running the commands listed in
 4242: \fISU\fR
 4243: or
 4244: \fISHELLS\fR
 4245: since he can simply copy those commands to a different name, or use
 4246: a shell escape from an editor or other program.
 4247: Therefore, these kind of restrictions should be considered
 4248: advisory at best (and reinforced by policy).
 4249: .PP
 4250: In general, if a user has sudo
 4251: \fBALL\fR
 4252: there is nothing to prevent them from creating their own program that gives
 4253: them a root shell (or making their own copy of a shell) regardless of any
 4254: `!\&'
 4255: elements in the user specification.
 4256: .SS "Security implications of \fIfast_glob\fR"
 4257: If the
 4258: \fIfast_glob\fR
 4259: option is in use, it is not possible to reliably negate commands where the
 4260: path name includes globbing (aka wildcard) characters.
 4261: This is because the C library's
 4262: fnmatch(3)
 4263: function cannot resolve relative paths.
 4264: While this is typically only an inconvenience for rules that grant privileges,
 4265: it can result in a security issue for rules that subtract or revoke privileges.
 4266: .PP
 4267: For example, given the following
 4268: \fIsudoers\fR
 4269: entry:
 4270: .nf
 4271: .sp
 4272: .RS 0n
 4273: john	ALL = /usr/bin/passwd [a-zA-Z0-9]*, /usr/bin/chsh [a-zA-Z0-9]*,\e
 4274:               /usr/bin/chfn [a-zA-Z0-9]*, !/usr/bin/* root
 4275: .RE
 4276: .fi
 4277: .PP
 4278: User
 4279: \fBjohn\fR
 4280: can still run
 4281: \fR/usr/bin/passwd root\fR
 4282: if
 4283: \fIfast_glob\fR
 4284: is enabled by changing to
 4285: \fI/usr/bin\fR
 4286: and running
 4287: \fR./passwd root\fR
 4288: instead.
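.PP
Both pitfalls in this section, the
`!\&'
subtraction that a copied binary sidesteps and the negated wildcard that
\fIfast_glob\fR
fails to match against a relative path, come from the same place: which
comparison a rule uses.
The following model is an added example, not
\fBsudo\fR's
own code.
It re-implements just enough of the matching rules to reproduce the two
cases: a rule whose path holds no wildcard is compared against the file
the user's command actually resolves to (real
\fIsudoers\fR
compares device and inode; os.path.samefile does the same here); a
wildcard rule is compared with
fnmatch(3)
against the command string as typed when
\fIfast_glob\fR
is on, or expanded with
glob(3)
and compared by file when it is off;
\fBALL\fR
matches anything; the last matching entry decides.
Runas, tags, digests and host matching are not modelled, and a scratch
``bin''
directory stands in for
\fI/usr/bin\fR.

```python
"""Toy model of sudoers command matching: negated entries under ALL, and
negated wildcard entries under fast_glob.

Added example, not sudo's own code.  Only the matching of the command
path and its arguments is modelled; Runas, tags, digests and hosts are
not.  A temporary "bin" directory stands in for /usr/bin so the example
runs anywhere without privileges.
"""
import fnmatch
import glob
import os
import shutil
import tempfile

GLOB_CHARS = set("*?[")


def args_match(rule_args, user_args):
    """None (rule lists no args) matches anything, "" matches only an empty
    argument list, anything else is an fnmatch pattern over the
    space-joined arguments."""
    if rule_args is None:
        return True
    if rule_args == "":
        return user_args == ""
    return fnmatch.fnmatchcase(user_args, rule_args)


def command_matches(rule_cmnd, user_cmnd, cwd, fast_glob):
    if rule_cmnd == "ALL":
        return True
    user_path = os.path.join(cwd, user_cmnd)    # "./passwd" resolves from cwd
    if not os.path.exists(user_path):
        return False
    if not GLOB_CHARS & set(rule_cmnd):
        # no wildcard: compare the files themselves (device/inode in sudoers)
        return os.path.exists(rule_cmnd) and os.path.samefile(user_path, rule_cmnd)
    if fast_glob:
        # fnmatch(3) is a pure string comparison: "./passwd" never matches
        # "/usr/bin/*" no matter which file it names
        return fnmatch.fnmatchcase(user_cmnd, rule_cmnd)
    # glob(3): expand the pattern to real files, then compare by file
    return any(os.path.samefile(user_path, p) for p in glob.glob(rule_cmnd))


def allowed(rules, user_cmnd, user_args, cwd, fast_glob=False):
    """rules: list of (negated, cmnd, args) in sudoers order.  As in
    sudoers the last matching entry wins; a matching negated entry denies."""
    result = False
    for negated, cmnd, args in rules:
        if command_matches(cmnd, user_cmnd, cwd, fast_glob) and args_match(args, user_args):
            result = not negated
    return result


def _scratch_bin(top, *names):
    """Create top/bin with empty files standing in for the named commands."""
    bindir = os.path.join(top, "bin")
    os.mkdir(bindir)
    for name in names:
        open(os.path.join(bindir, name), "w").close()
    return bindir


def demo_fast_glob():
    """john's entry from the text.  Returns (absolute path with fast_glob,
    ./passwd with fast_glob, ./passwd with glob(3)); only the middle case
    slips past the negated entry."""
    with tempfile.TemporaryDirectory() as top:
        bindir = _scratch_bin(top, "passwd", "chsh", "chfn")
        rules = [(False, bindir + "/passwd", "[a-zA-Z0-9]*"),
                 (False, bindir + "/chsh", "[a-zA-Z0-9]*"),
                 (False, bindir + "/chfn", "[a-zA-Z0-9]*"),
                 (True, bindir + "/*", "root")]
        return (allowed(rules, bindir + "/passwd", "root", bindir, fast_glob=True),
                allowed(rules, "./passwd", "root", bindir, fast_glob=True),
                allowed(rules, "./passwd", "root", bindir, fast_glob=False))


def demo_copy_bypass():
    """bill's entry: ALL with the shell negated.  Returns (run the shell
    itself, run a private copy of it); the copy is a different file, so
    only ALL matches it and the negation is moot."""
    with tempfile.TemporaryDirectory() as top:
        bindir = _scratch_bin(top, "sh")
        sh = os.path.join(bindir, "sh")
        mysh = os.path.join(top, "mysh")
        shutil.copy(sh, mysh)
        rules = [(False, "ALL", None), (True, sh, None)]
        return (allowed(rules, sh, "", top), allowed(rules, mysh, "", top))


if __name__ == "__main__":
    print("fast_glob (abs, ./passwd, glob):", demo_fast_glob())
    print("copied shell (original, copy):", demo_copy_bypass())
```
.PP
demo_fast_glob() returns (False, True, False): the absolute path is
denied either way and the relative path is denied with
glob(3),
but is allowed under
\fIfast_glob\fR.
demo_copy_bypass() returns (False, True).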
 4289: .SS "Preventing shell escapes"
 4290: Once
 4291: \fBsudo\fR
 4292: executes a program, that program is free to do whatever
 4293: it pleases, including run other programs.
 4294: This can be a security issue since it is not uncommon for a program to
 4295: allow shell escapes, which lets a user bypass
 4296: \fBsudo\fR's
 4297: access control and logging.
 4298: Common programs that permit shell escapes include shells (obviously),
 4299: editors, paginators, mail and terminal programs.
 4300: .PP
 4301: There are two basic approaches to this problem:
 4302: .TP 10n
 4303: restrict
Avoid giving users access to commands that allow the user to run
arbitrary commands.
Many editors have a restricted mode where shell
escapes are disabled, though
\fBsudoedit\fR
is a better solution to
running editors via
\fBsudo\fR.
Due to the large number of programs that
offer shell escapes, restricting users to the set of programs that
do not is often unworkable.
.TP 10n
noexec
Many systems that support shared libraries have the ability to
override default library functions by pointing an environment
variable (usually
\fRLD_PRELOAD\fR)
to an alternate shared library.
On such systems,
\fBsudo\fR's
\fInoexec\fR
functionality can be used to prevent a program run by
\fBsudo\fR
from executing any other programs.
Note, however, that this applies only to native dynamically-linked
executables.
Statically-linked executables and foreign executables
running under binary emulation are not affected.
.sp
The
\fInoexec\fR
feature is known to work on SunOS, Solaris, *BSD,
Linux, IRIX, Tru64 UNIX, MacOS X, HP-UX 11.x and AIX 5.3 and above.
It should be supported on most operating systems that support the
\fRLD_PRELOAD\fR
environment variable.
Check your operating system's manual pages for the dynamic linker
(usually ld.so, ld.so.1, dyld, dld.sl, rld, or loader) to see if
\fRLD_PRELOAD\fR
is supported.
.sp
On Solaris 10 and higher,
\fInoexec\fR
uses Solaris privileges instead of the
\fRLD_PRELOAD\fR
environment variable.
.sp
To enable
\fInoexec\fR
for a command, use the
\fRNOEXEC\fR
tag as documented
in the User Specification section above.
Here is that example again:
.RS
.nf
.sp
.RS 0n
aaron	shanty = NOEXEC: /usr/bin/more, /usr/bin/vi
.RE
.fi
.sp
This allows user
\fBaaron\fR
to run
\fI/usr/bin/more\fR
and
\fI/usr/bin/vi\fR
with
\fInoexec\fR
enabled.
This will prevent those two commands from
executing other commands (such as a shell).
If you are unsure whether or not your system is capable of supporting
\fInoexec\fR,
you can always just try it out and check whether shell escapes work when
\fInoexec\fR
is enabled.
.RE
.PP
Note that restricting shell escapes is not a panacea.
Programs running as root are still capable of many potentially hazardous
operations (such as changing or overwriting files) that could lead
to unintended privilege escalation.
In the specific case of an editor, a safer approach is to give the
user permission to run
\fBsudoedit\fR.
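.PP
The libc interposition that
\fInoexec\fR
relies on, as an added example that is not sudo's own sudo_noexec library:
each exec-family entry point is replaced by a stub that fails with EACCES,
so a shell escape in a dynamically linked editor simply gets
"permission denied".
The names noexec_refuse and noexec_refused_count are illustrative; built as
a shared library and named in LD_PRELOAD the stubs would apply to any
dynamically linked program, while here they are linked straight into the
test program and called directly, and a statically linked program, as the
text notes, never reaches them.

```c
/* Added example, not sudo's own sudo_noexec library: the libc interposition
 * that noexec relies on. Each exec-family entry point becomes a stub that
 * never executes anything and fails with EACCES, which is what a shell
 * escape inside an editor then sees. Built as a shared library and named in
 * LD_PRELOAD it would apply to any dynamically linked program; here the stubs
 * are linked straight into the test program and called directly. */
#include <errno.h>
#include <stdlib.h>
#include <unistd.h>

/* Number of refused attempts, so the effect can be checked without output. */
static unsigned long noexec_refused;

unsigned long noexec_refused_count(void) { return noexec_refused; }

/* Shared refusal path: record the attempt and report "permission denied". */
static int noexec_refuse(void)
{
    noexec_refused++;
    errno = EACCES;
    return -1;
}

/* Overriding execve alone is not enough: libc's execl/execv/system reach the
 * kernel through internal aliases that bypass an interposed symbol, so every
 * public entry point is stubbed (sudo's library covers more, e.g. popen(3)). */
int execve(const char *path, char *const argv[], char *const envp[])
{ (void)path; (void)argv; (void)envp; return noexec_refuse(); }

int execv(const char *path, char *const argv[])
{ (void)path; (void)argv; return noexec_refuse(); }

int execvp(const char *file, char *const argv[])
{ (void)file; (void)argv; return noexec_refuse(); }

/* Variadic forms: the argument list is irrelevant because nothing runs. */
int execl(const char *path, const char *arg, ...)
{ (void)path; (void)arg; return noexec_refuse(); }

int execlp(const char *file, const char *arg, ...)
{ (void)file; (void)arg; return noexec_refuse(); }

/* system(3) spawns a shell, so it is refused as well. */
int system(const char *command)
{ (void)command; return noexec_refuse(); }
```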
.SS "Time stamp file checks"
\fIsudoers\fR
will check the ownership of its time stamp directory
(\fI@timedir@\fR
by default)
and ignore the directory's contents if it is not owned by root or
if it is writable by a user other than root.
On systems that allow non-root users to give away files via
chown(2),
if the time stamp directory is located in a world-writable
directory (e.g.\&,
\fI/tmp\fR),
it is possible for a user to create the time stamp directory before
\fBsudo\fR
is run.
However, because
\fIsudoers\fR
checks the ownership and mode of the directory and its
contents, the only damage that can be done is to
``hide''
files by putting them in the time stamp dir.
This is unlikely to happen since once the time stamp dir is owned by root
and inaccessible by any other user, the user placing files there would be
unable to get them back out.
.PP
\fIsudoers\fR
will not honor time stamps set far in the future.
Time stamps with a date greater than current_time + 2 *
\fRTIMEOUT\fR
will be ignored and sudo will log and complain.
This is done to keep a user from creating his/her own time stamp with a
bogus date on systems that allow users to give away files if the time
stamp directory is located in a world-writable directory.
.PP
On systems where the boot time is available,
\fIsudoers\fR
will ignore time stamps that date from before the machine booted.
.PP
Since time stamp files live in the file system, they can outlive a
user's login session.
As a result, a user may be able to log in, run a command with
\fBsudo\fR
after authenticating, log out, log in again, and run
\fBsudo\fR
without authenticating so long as the time stamp file's modification
time is within
\fR@timeout@\fR
minutes (or whatever the timeout is set to in
\fIsudoers\fR).
When the
\fItty_tickets\fR
option is enabled, the time stamp has per-tty granularity but still
may outlive the user's session.
On Linux systems where the devpts filesystem is used, Solaris systems
with the devices filesystem, as well as other systems that utilize a
devfs filesystem that monotonically increases the inode number of devices
as they are created (such as Mac OS X),
\fIsudoers\fR
is able to determine when a tty-based time stamp file is stale and will
ignore it.
Administrators should not rely on this feature as it is not universally
available.
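.PP
The checks described above, as an added example in C that is not sudoers'
own code: ts_dir_trusted mirrors the ownership and mode check on the time
stamp directory, and ts_check applies the far-future, pre-boot and timeout
rules to a single stamp.
The owner uid is a parameter only so that the demo directory can be created
unprivileged; sudoers itself requires root ownership, and the timeout and
time values used in the demo are constructed.

```c
/* Added example, not sudoers' own code: the time stamp sanity checks the
 * manual describes. ts_dir_trusted() mirrors the ownership and mode check on
 * the time stamp directory; ts_check() classifies one stamp. The owner is a
 * parameter only so the demo can run unprivileged; sudoers insists on uid 0. */
#define _XOPEN_SOURCE 700
#include <stdlib.h>
#include <sys/stat.h>
#include <time.h>
#include <unistd.h>

/* 1 if dir is a directory owned by `owner` that nobody else can write to. */
int ts_dir_trusted(const char *dir, uid_t owner)
{
    struct stat sb;
    if (stat(dir, &sb) != 0 || !S_ISDIR(sb.st_mode))
        return 0;
    /* wrong owner, or writable by group/other: the contents are ignored */
    return sb.st_uid == owner && (sb.st_mode & (S_IWGRP | S_IWOTH)) == 0;
}

enum ts_status { TS_VALID, TS_EXPIRED, TS_FUTURE, TS_PREBOOT };

/* Classify a stamp with modification time `mtime`. `timeout` is the sudoers
 * timeout in seconds and `boot_time` is 0 when the boot time is unknown. */
enum ts_status ts_check(time_t mtime, time_t now, time_t timeout, time_t boot_time)
{
    if (mtime > now + 2 * timeout)          /* far in the future: bogus */
        return TS_FUTURE;
    if (boot_time > 0 && mtime < boot_time) /* predates this boot */
        return TS_PREBOOT;
    if (now - mtime > timeout)              /* ordinary expiry */
        return TS_EXPIRED;
    return TS_VALID;
}

/* Demo on a constructed private directory under /tmp: trusted while 0700 and
 * owned by us, rejected once group-writable or attributed to another owner.
 * Returns 1 when every step behaves as the manual describes. */
int ts_dir_demo(void)
{
    char dir[] = "/tmp/ts_demo.XXXXXX";       /* mkdtemp creates it 0700 */
    if (mkdtemp(dir) == NULL)
        return 0;
    int ok = ts_dir_trusted(dir, getuid()) == 1;
    ok = ok && chmod(dir, 0770) == 0 && ts_dir_trusted(dir, getuid()) == 0;
    ok = ok && chmod(dir, 0700) == 0 && ts_dir_trusted(dir, getuid() + 1) == 0;
    rmdir(dir);
    return ok;
}
```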
.SH "DEBUGGING"
Versions 1.8.4 and higher of the
\fBsudoers\fR
plugin support a flexible debugging framework that can help track
down what the plugin is doing internally if there is a problem.
This can be configured in the
sudo.conf(@mansectform@)
file.
.PP
The
\fBsudoers\fR
plugin uses the same debug flag format as the
\fBsudo\fR
front-end:
\fIsubsystem\fR@\fIpriority\fR.
.PP
The priorities used by
\fBsudoers\fR,
in order of decreasing severity,
are:
\fIcrit\fR, \fIerr\fR, \fIwarn\fR, \fInotice\fR, \fIdiag\fR, \fIinfo\fR, \fItrace\fR
and
\fIdebug\fR.
Each priority, when specified, also includes all priorities higher
than it.
For example, a priority of
\fInotice\fR
would include debug messages logged at
\fInotice\fR
and higher.
.PP
The following subsystems are used by the
\fBsudoers\fR
plugin:
.TP 10n
\fIalias\fR
\fRUser_Alias\fR,
\fRRunas_Alias\fR,
\fRHost_Alias\fR
and
\fRCmnd_Alias\fR
processing
.TP 10n
\fIall\fR
matches every subsystem
.TP 10n
\fIaudit\fR
BSM and Linux audit code
.TP 10n
\fIauth\fR
user authentication
.TP 10n
\fIdefaults\fR
\fIsudoers\fR
\fIDefaults\fR
settings
.TP 10n
\fIenv\fR
environment handling
.TP 10n
\fIldap\fR
LDAP-based sudoers
.TP 10n
\fIlogging\fR
logging support
.TP 10n
\fImatch\fR
matching of users, groups, hosts and netgroups in
\fIsudoers\fR
.TP 10n
\fInetif\fR
network interface handling
.TP 10n
\fInss\fR
network service switch handling in
\fIsudoers\fR
.TP 10n
\fIparser\fR
\fIsudoers\fR
file parsing
.TP 10n
\fIperms\fR
permission setting
.TP 10n
\fIplugin\fR
The equivalent of
\fImain\fR
for the plugin.
.TP 10n
\fIpty\fR
pseudo-tty related code
.TP 10n
\fIrbtree\fR
redblack tree internals
.TP 10n
\fIutil\fR
utility functions
.PD 0
.PP
.PD
For example:
.nf
.sp
.RS 0n
Debug sudo /var/log/sudo_debug match@info,nss@info
.RE
.fi
.PP
For more information, see the
sudo.conf(@mansectform@)
manual.
.SH "SEE ALSO"
ssh(1),
su(1),
fnmatch(3),
glob(3),
mktemp(3),
strftime(3),
sudo.conf(@mansectform@),
sudoers.ldap(@mansectform@),
sudo_plugin(@mansectsu@),
sudo(@mansectsu@),
visudo(@mansectsu@)
.SH "CAVEATS"
The
\fIsudoers\fR
file should
\fBalways\fR
be edited by the
\fBvisudo\fR
command which locks the file and does grammatical checking.
It is
imperative that
\fIsudoers\fR
be free of syntax errors since
\fBsudo\fR
will not run with a syntactically incorrect
\fIsudoers\fR
file.
.PP
When using netgroups of machines (as opposed to users), if you
store fully qualified host names in the netgroup (as is usually the
case), you need either to have the machine's host name be fully qualified,
as returned by the
\fRhostname\fR
command, or to use the
\fIfqdn\fR
option in
\fIsudoers\fR.
.SH "BUGS"
If you feel you have found a bug in
\fBsudo\fR,
please submit a bug report at http://www.sudo.ws/sudo/bugs/
.SH "SUPPORT"
Limited free support is available via the sudo-users mailing list,
see http://www.sudo.ws/mailman/listinfo/sudo-users to subscribe or
search the archives.
.SH "DISCLAIMER"
\fBsudo\fR
is provided
``AS IS''
and any express or implied warranties, including, but not limited
to, the implied warranties of merchantability and fitness for a
particular purpose are disclaimed.
See the LICENSE file distributed with
\fBsudo\fR
or http://www.sudo.ws/sudo/license.html for complete details.