1: .\" DO NOT EDIT THIS FILE, IT IS NOT THE MASTER!
2: .\" IT IS GENERATED AUTOMATICALLY FROM sudoers.mdoc.in
3: .\"
4: .\" Copyright (c) 1994-1996, 1998-2005, 2007-2014
5: .\" Todd C. Miller <Todd.Miller@courtesan.com>
6: .\"
7: .\" Permission to use, copy, modify, and distribute this software for any
8: .\" purpose with or without fee is hereby granted, provided that the above
9: .\" copyright notice and this permission notice appear in all copies.
10: .\"
11: .\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
12: .\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
13: .\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
14: .\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
15: .\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
16: .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
17: .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
18: .\" ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
19: .\"
20: .\" Sponsored in part by the Defense Advanced Research Projects
21: .\" Agency (DARPA) and Air Force Research Laboratory, Air Force
22: .\" Materiel Command, USAF, under agreement number F39502-99-1-0512.
23: .\"
24: .TH "SUDOERS" "@mansectsu@" "February 15, 2014" "Sudo @PACKAGE_VERSION@" "Programmer's Manual"
25: .nh
26: .if n .ad l
27: .SH "NAME"
28: \fBsudoers\fR
29: \- default sudo security policy plugin
30: .SH "DESCRIPTION"
31: The
32: \fIsudoers\fR
33: policy plugin determines a user's
34: \fBsudo\fR
35: privileges.
36: It is the default
37: \fBsudo\fR
38: policy plugin.
39: The policy is driven by
40: the
41: \fI@sysconfdir@/sudoers\fR
42: file or, optionally, in LDAP.
43: The policy format is described in detail in the
44: \fISUDOERS FILE FORMAT\fR
45: section.
46: For information on storing
47: \fIsudoers\fR
48: policy information
49: in LDAP, please see
50: sudoers.ldap(@mansectform@).
51: .SS "Configuring sudo.conf for sudoers"
52: \fBsudo\fR
53: consults the
54: sudo.conf(@mansectform@)
55: file to determine which policy and I/O logging plugins to load.
56: If no
57: sudo.conf(@mansectform@)
58: file is present, or if it contains no
59: \fRPlugin\fR
60: lines,
61: \fBsudoers\fR
62: will be used for policy decisions and I/O logging.
63: To explicitly configure
64: sudo.conf(@mansectform@)
65: to use the
66: \fBsudoers\fR
67: plugin, the following configuration can be used.
68: .nf
69: .sp
70: .RS 6n
71: Plugin sudoers_policy sudoers.so
72: Plugin sudoers_io sudoers.so
73: .RE
74: .fi
75: .PP
76: Starting with
77: \fBsudo\fR
78: 1.8.5, it is possible to specify optional arguments to the
79: \fBsudoers\fR
80: plugin in the
81: sudo.conf(@mansectform@)
82: file.
83: These arguments, if present, should be listed after the path to the plugin
84: (i.e.\& after
85: \fIsudoers.so\fR).
86: Multiple arguments may be specified, separated by white space.
87: For example:
88: .nf
89: .sp
90: .RS 6n
91: Plugin sudoers_policy sudoers.so sudoers_mode=0400
92: .RE
93: .fi
94: .PP
95: The following plugin arguments are supported:
96: .TP 10n
97: ldap_conf=pathname
98: The
99: \fIldap_conf\fR
100: argument can be used to override the default path to the
101: \fIldap.conf\fR
102: file.
103: .TP 10n
104: ldap_secret=pathname
105: The
106: \fIldap_secret\fR
107: argument can be used to override the default path to the
108: \fIldap.secret\fR
109: file.
110: .TP 10n
111: sudoers_file=pathname
112: The
113: \fIsudoers_file\fR
114: argument can be used to override the default path to the
115: \fIsudoers\fR
116: file.
117: .TP 10n
118: sudoers_uid=uid
119: The
120: \fIsudoers_uid\fR
121: argument can be used to override the default owner of the sudoers file.
122: It should be specified as a numeric user ID.
123: .TP 10n
124: sudoers_gid=gid
125: The
126: \fIsudoers_gid\fR
127: argument can be used to override the default group of the sudoers file.
128: It must be specified as a numeric group ID (not a group name).
129: .TP 10n
130: sudoers_mode=mode
131: The
132: \fIsudoers_mode\fR
133: argument can be used to override the default file mode for the sudoers file.
134: It should be specified as an octal value.
135: .PP
136: For more information on configuring
137: sudo.conf(@mansectform@),
138: please refer to its manual.
139: .SS "Authentication and logging"
140: The
141: \fIsudoers\fR
142: security policy requires that most users authenticate
143: themselves before they can use
144: \fBsudo\fR.
145: A password is not required
146: if the invoking user is root, if the target user is the same as the
147: invoking user, or if the policy has disabled authentication for the
148: user or command.
149: Unlike
150: su(1),
151: when
152: \fIsudoers\fR
153: requires
154: authentication, it validates the invoking user's credentials, not
155: the target user's (or root's) credentials.
156: This can be changed via
157: the
158: \fIrootpw\fR,
159: \fItargetpw\fR
160: and
161: \fIrunaspw\fR
162: flags, described later.
163: .PP
164: If a user who is not listed in the policy tries to run a command
165: via
166: \fBsudo\fR,
167: mail is sent to the proper authorities.
168: The address
169: used for such mail is configurable via the
170: \fImailto\fR
171: Defaults entry
172: (described later) and defaults to
173: \fR@mailto@\fR.
174: .PP
175: Note that mail will not be sent if an unauthorized user tries to
176: run
177: \fBsudo\fR
178: with the
179: \fB\-l\fR
180: or
181: \fB\-v\fR
182: option.
183: This allows users to
184: determine for themselves whether or not they are allowed to use
185: \fBsudo\fR.
186: .PP
187: If
188: \fBsudo\fR
189: is run by root and the
190: \fRSUDO_USER\fR
191: environment variable
192: is set, the
193: \fIsudoers\fR
194: policy will use this value to determine who
195: the actual user is.
196: This can be used by a user to log commands
197: through sudo even when a root shell has been invoked.
198: It also
199: allows the
200: \fB\-e\fR
201: option to remain useful even when invoked via a
202: sudo-run script or program.
203: Note, however, that the
204: \fIsudoers\fR
205: lookup is still done for root, not the user specified by
206: \fRSUDO_USER\fR.
207: .PP
208: \fIsudoers\fR
209: uses per-user time stamp files for credential caching.
210: Once a user has been authenticated, a record is written
211: containing the uid that was used to authenticate, the
212: terminal session ID, and a time stamp
213: (using a monotonic clock if one is available).
214: The user may then use
215: \fBsudo\fR
216: without a password for a short period of time
217: (\fR@timeout@\fR
218: minutes unless overridden by the
219: \fItimeout\fR
220: option)
221: \&.
222: By default,
223: \fIsudoers\fR
224: uses a separate record for each tty, which means that
225: a user's login sessions are authenticated separately.
226: The
227: \fItty_tickets\fR
228: option can be disabled to force the use of a
229: single time stamp for all of a user's sessions.
230: .PP
231: \fIsudoers\fR
232: can log both successful and unsuccessful attempts (as well
233: as errors) to
234: syslog(3),
235: a log file, or both.
236: By default,
237: \fIsudoers\fR
238: will log via
239: syslog(3)
240: but this is changeable via the
241: \fIsyslog\fR
242: and
243: \fIlogfile\fR
244: Defaults settings.
245: .PP
246: \fIsudoers\fR
247: also supports logging a command's input and output
248: streams.
249: I/O logging is not on by default but can be enabled using
250: the
251: \fIlog_input\fR
252: and
253: \fIlog_output\fR
254: Defaults flags as well as the
255: \fRLOG_INPUT\fR
256: and
257: \fRLOG_OUTPUT\fR
258: command tags.
259: .SS "Command environment"
260: Since environment variables can influence program behavior,
261: \fIsudoers\fR
262: provides a means to restrict which variables from the user's
263: environment are inherited by the command to be run.
264: There are two
265: distinct ways
266: \fIsudoers\fR
267: can deal with environment variables.
268: .PP
269: By default, the
270: \fIenv_reset\fR
271: option is enabled.
272: This causes commands
273: to be executed with a new, minimal environment.
274: On AIX (and Linux
275: systems without PAM), the environment is initialized with the
276: contents of the
277: \fI/etc/environment\fR
278: file.
279: On BSD systems, if the
280: \fIuse_loginclass\fR
281: option is enabled, the environment is initialized
282: based on the
283: \fIpath\fR
284: and
285: \fIsetenv\fR
286: settings in
287: \fI/etc/login.conf\fR.
288: The new environment contains the
289: \fRTERM\fR,
290: \fRPATH\fR,
291: \fRHOME\fR,
292: \fRMAIL\fR,
293: \fRSHELL\fR,
294: \fRLOGNAME\fR,
295: \fRUSER\fR,
296: \fRUSERNAME\fR
297: and
298: \fRSUDO_*\fR
299: variables
300: in addition to variables from the invoking process permitted by the
301: \fIenv_check\fR
302: and
303: \fIenv_keep\fR
304: options.
305: This is effectively a whitelist
306: for environment variables.
307: .PP
308: If, however, the
309: \fIenv_reset\fR
310: option is disabled, any variables not
311: explicitly denied by the
312: \fIenv_check\fR
313: and
314: \fIenv_delete\fR
315: options are
316: inherited from the invoking process.
317: In this case,
318: \fIenv_check\fR
319: and
320: \fIenv_delete\fR
321: behave like a blacklist.
322: Since it is not possible
323: to blacklist all potentially dangerous environment variables, use
324: of the default
325: \fIenv_reset\fR
326: behavior is encouraged.
327: .PP
328: In all cases, environment variables with a value beginning with
329: \fR()\fR
330: are removed as they could be interpreted as
331: \fBbash\fR
332: functions.
333: The list of environment variables that
334: \fBsudo\fR
335: allows or denies is
336: contained in the output of
337: \(lq\fRsudo -V\fR\(rq
338: when run as root.
339: .PP
340: Note that the dynamic linker on most operating systems will remove
341: variables that can control dynamic linking from the environment of
342: setuid executables, including
343: \fBsudo\fR.
344: Depending on the operating
345: system this may include
346: \fR_RLD*\fR,
347: \fRDYLD_*\fR,
348: \fRLD_*\fR,
349: \fRLDR_*\fR,
350: \fRLIBPATH\fR,
351: \fRSHLIB_PATH\fR,
352: and others.
353: These types of variables are
354: removed from the environment before
355: \fBsudo\fR
356: even begins execution
357: and, as such, it is not possible for
358: \fBsudo\fR
359: to preserve them.
360: .PP
361: As a special case, if
362: \fBsudo\fR's
363: \fB\-i\fR
364: option (initial login) is
365: specified,
366: \fIsudoers\fR
367: will initialize the environment regardless
368: of the value of
369: \fIenv_reset\fR.
370: The
371: \fRDISPLAY\fR,
372: \fRPATH\fR
373: and
374: \fRTERM\fR
375: variables remain unchanged;
376: \fRHOME\fR,
377: \fRMAIL\fR,
378: \fRSHELL\fR,
379: \fRUSER\fR,
380: and
381: \fRLOGNAME\fR
382: are set based on the target user.
383: On AIX (and Linux
384: systems without PAM), the contents of
385: \fI/etc/environment\fR
386: are also
387: included.
388: On BSD systems, if the
389: \fIuse_loginclass\fR
390: option is
391: enabled, the
392: \fIpath\fR
393: and
394: \fIsetenv\fR
395: variables in
396: \fI/etc/login.conf\fR
397: are also applied.
398: All other environment variables are removed.
399: .PP
400: Finally, if the
401: \fIenv_file\fR
402: option is defined, any variables present
403: in that file will be set to their specified values as long as they
404: would not conflict with an existing environment variable.
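The whitelist and blacklist behaviour described above, as an added Python model (not code from sudo or this manual): with env_reset on, only the base variables, SUDO_*, env_keep and env_check entries survive; with env_reset off, everything survives except env_delete entries and env_check entries that fail the check. Two assumptions are made: the env_check rule is modelled as "value contains neither % nor /", and the base variables are passed through as-is rather than being set by sudo itself; the function names and the sample environment are constructed for this example.

```python
# Variables sudoers always places in the new environment when env_reset is on
# (from the Command environment section). Real sudo sets several of these
# itself (HOME, PATH via secure_path, ...); here they are modelled as passed through.
BASE_VARS = ("TERM", "PATH", "HOME", "MAIL", "SHELL", "LOGNAME", "USER", "USERNAME")


def is_bash_function(value: str) -> bool:
    """In all modes sudoers removes a variable whose value begins with '()',
    because bash could import it as a function definition."""
    return value.startswith("()")


def env_check_ok(value: str) -> bool:
    """Assumption for this example: an env_check variable is admitted only when
    its value contains neither '%' nor '/' (the rule sudoers documents for
    env_check entries)."""
    return "%" not in value and "/" not in value


def filter_env(user_env, *, env_reset=True, env_keep=(), env_check=(), env_delete=()):
    """Return the environment the command would receive.

    env_reset=True  -> whitelist: BASE_VARS, SUDO_*, env_keep, and env_check
                       entries whose values pass env_check_ok().
    env_reset=False -> blacklist: everything except env_delete entries and
                       env_check entries whose values fail env_check_ok().
    Values beginning with '()' are dropped in both modes.
    """
    result = {}
    for name, value in user_env.items():
        if is_bash_function(value):
            continue
        if env_reset:
            allowed = (name in BASE_VARS
                       or name.startswith("SUDO_")
                       or name in env_keep
                       or (name in env_check and env_check_ok(value)))
        else:
            allowed = not (name in env_delete
                           or (name in env_check and not env_check_ok(value)))
        if allowed:
            result[name] = value
    return result


# Constructed sample environment of an invoking user (not captured from a real system).
SAMPLE_ENV = {
    "PATH": "/usr/bin:/bin",
    "HOME": "/home/alice",
    "TERM": "xterm",
    "LD_PRELOAD": "/tmp/x.so",   # would alter dynamic linking of the command
    "PS1": "() { :; }",          # value in bash function-export form
    "TZ": "UTC",
    "COLORTERM": "truecolor",
    "EDITOR": "/usr/bin/vim",    # contains '/', so env_check would reject it
}

if __name__ == "__main__":
    print("env_reset (default):", sorted(filter_env(SAMPLE_ENV)))
    print("env_reset + env_keep=TZ:", sorted(filter_env(SAMPLE_ENV, env_keep=("TZ",))))
    print("no env_reset, env_delete=LD_PRELOAD:",
          sorted(filter_env(SAMPLE_ENV, env_reset=False, env_delete=("LD_PRELOAD",))))
```

The last call shows why the manual discourages disabling env_reset: anything not explicitly named in env_delete (here TZ, COLORTERM, EDITOR) reaches the command.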
405: .SH "SUDOERS FILE FORMAT"
406: The
407: \fIsudoers\fR
408: file is composed of two types of entries: aliases
409: (basically variables) and user specifications (which specify who
410: may run what).
411: .PP
412: When multiple entries match for a user, they are applied in order.
413: Where there are multiple matches, the last match is used (which is
414: not necessarily the most specific match).
415: .PP
416: The
417: \fIsudoers\fR
418: grammar will be described below in Extended Backus-Naur
419: Form (EBNF).
420: Don't despair if you are unfamiliar with EBNF; it is fairly simple,
421: and the definitions below are annotated.
422: .SS "Quick guide to EBNF"
423: EBNF is a concise and exact way of describing the grammar of a language.
424: Each EBNF definition is made up of
425: \fIproduction rules\fR.
426: E.g.,
427: .PP
428: \fRsymbol ::= definition\fR | \fRalternate1\fR | \fRalternate2 ...\fR
429: .PP
430: Each
431: \fIproduction rule\fR
432: references others and thus makes up a
433: grammar for the language.
434: EBNF also contains the following
435: operators, which many readers will recognize from regular
436: expressions.
437: Do not, however, confuse them with
438: \(lqwildcard\(rq
439: characters, which have different meanings.
440: .TP 6n
441: \fR\&?\fR
442: Means that the preceding symbol (or group of symbols) is optional.
443: That is, it may appear once or not at all.
444: .TP 6n
445: \fR*\fR
446: Means that the preceding symbol (or group of symbols) may appear
447: zero or more times.
448: .TP 6n
449: \fR+\fR
450: Means that the preceding symbol (or group of symbols) may appear
451: one or more times.
452: .PP
453: Parentheses may be used to group symbols together.
454: For clarity,
455: we will use single quotes
456: ('')
457: to designate what is a verbatim character string (as opposed to a symbol name).
458: .SS "Aliases"
459: There are four kinds of aliases:
460: \fRUser_Alias\fR,
461: \fRRunas_Alias\fR,
462: \fRHost_Alias\fR
463: and
464: \fRCmnd_Alias\fR.
465: .nf
466: .sp
467: .RS 0n
468: Alias ::= 'User_Alias' User_Alias (':' User_Alias)* |
469: 'Runas_Alias' Runas_Alias (':' Runas_Alias)* |
470: 'Host_Alias' Host_Alias (':' Host_Alias)* |
471: 'Cmnd_Alias' Cmnd_Alias (':' Cmnd_Alias)*
472:
473: User_Alias ::= NAME '=' User_List
474:
475: Runas_Alias ::= NAME '=' Runas_List
476:
477: Host_Alias ::= NAME '=' Host_List
478:
479: Cmnd_Alias ::= NAME '=' Cmnd_List
480:
481: NAME ::= [A-Z]([A-Z][0-9]_)*
482: .RE
483: .fi
484: .PP
485: Each
486: \fIalias\fR
487: definition is of the form
488: .nf
489: .sp
490: .RS 0n
491: Alias_Type NAME = item1, item2, ...
492: .RE
493: .fi
494: .PP
495: where
496: \fIAlias_Type\fR
497: is one of
498: \fRUser_Alias\fR,
499: \fRRunas_Alias\fR,
500: \fRHost_Alias\fR,
501: or
502: \fRCmnd_Alias\fR.
503: A
504: \fRNAME\fR
505: is a string of uppercase letters, numbers,
506: and underscore characters
507: (\(oq_\(cq).
508: A
509: \fRNAME\fR
510: \fBmust\fR
511: start with an
512: uppercase letter.
513: It is possible to put several alias definitions
514: of the same type on a single line, joined by a colon
515: (\(oq:\&\(cq).
516: E.g.,
517: .nf
518: .sp
519: .RS 0n
520: Alias_Type NAME = item1, item2, item3 : NAME = item4, item5
521: .RE
522: .fi
523: .PP
524: The definitions of what constitutes a valid
525: \fIalias\fR
526: member follow.
527: .nf
528: .sp
529: .RS 0n
530: User_List ::= User |
531: User ',' User_List
532:
533: User ::= '!'* user name |
534: '!'* #uid |
535: '!'* %group |
536: '!'* %#gid |
537: '!'* +netgroup |
538: '!'* %:nonunix_group |
539: '!'* %:#nonunix_gid |
540: '!'* User_Alias
541: .RE
542: .fi
543: .PP
544: A
545: \fRUser_List\fR
546: is made up of one or more user names, user IDs
547: (prefixed with
548: \(oq#\(cq),
549: system group names and IDs (prefixed with
550: \(oq%\(cq
551: and
552: \(oq%#\(cq
553: respectively), netgroups (prefixed with
554: \(oq+\(cq),
555: non-Unix group names and IDs (prefixed with
556: \(oq%:\(cq
557: and
558: \(oq%:#\(cq
559: respectively) and
560: \fRUser_Alias\fRes.
561: Each list item may be prefixed with zero or more
562: \(oq\&!\(cq
563: operators.
564: An odd number of
565: \(oq\&!\(cq
566: operators negate the value of
567: the item; an even number just cancel each other out.
568: .PP
569: A
570: \fRuser name\fR,
571: \fRuid\fR,
572: \fRgroup\fR,
573: \fRgid\fR,
574: \fRnetgroup\fR,
575: \fRnonunix_group\fR
576: or
577: \fRnonunix_gid\fR
578: may be enclosed in double quotes to avoid the
579: need for escaping special characters.
580: Alternately, special characters
581: may be specified in escaped hex mode, e.g.\& \ex20 for space.
582: When
583: using double quotes, any prefix characters must be included inside
584: the quotes.
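To make the User production and the quoting rules above concrete, here is an added Python parser (example code, not part of sudo) that splits a User_List, classifies each item by its prefix, applies the odd/even rule for leading '!' operators, and resolves double quotes and \xNN hex escapes. The type names and the sample lists are constructed for this example.

```python
import re
from dataclasses import dataclass

# NAME ::= [A-Z]([A-Z][0-9]_)*  -- an alias name starts with an uppercase letter
ALIAS_NAME = re.compile(r"^[A-Z][A-Z0-9_]*$")

# Prefixes from the User production, longest first so "%:#" wins over "%:" over "%".
PREFIXES = (("%:#", "nonunix_gid"), ("%:", "nonunix_group"), ("%#", "gid"),
            ("%", "group"), ("#", "uid"), ("+", "netgroup"))


@dataclass(frozen=True)
class UserItem:
    kind: str       # user, uid, group, gid, netgroup, nonunix_group, nonunix_gid, alias
    value: str
    negated: bool   # True when an odd number of '!' operators precede the item


def split_list(text: str) -> list:
    """Split a comma-separated sudoers list, honouring double quotes and
    backslash escapes: a ',' is a separator only when unquoted and unescaped."""
    items, cur, quoted, i = [], [], False, 0
    while i < len(text):
        c = text[i]
        if c == "\\" and i + 1 < len(text):
            cur.append(text[i:i + 2])      # keep the escape for unescape()
            i += 2
            continue
        if c == '"':
            quoted = not quoted
        elif c == "," and not quoted:
            items.append("".join(cur).strip())
            cur = []
            i += 1
            continue
        cur.append(c)
        i += 1
    items.append("".join(cur).strip())
    return [it for it in items if it]


def unescape(s: str) -> str:
    """Resolve \\xNN hex escapes (e.g. \\x20 for space) and backslash-escaped
    special characters."""
    def repl(m):
        return chr(int(m.group(1), 16)) if m.group(1) else m.group(2)
    return re.sub(r"\\x([0-9A-Fa-f]{2})|\\(.)", repl, s)


def parse_user(item: str) -> UserItem:
    """Parse one User item: '!'* then an optional prefix then the name."""
    bangs = len(item) - len(item.lstrip("!"))
    negated = bangs % 2 == 1          # odd negates, even cancels out
    body = item[bangs:]
    if len(body) >= 2 and body.startswith('"') and body.endswith('"'):
        body = body[1:-1]             # prefix characters live inside the quotes
    for prefix, kind in PREFIXES:
        if body.startswith(prefix):
            return UserItem(kind, unescape(body[len(prefix):]), negated)
    kind = "alias" if ALIAS_NAME.match(body) else "user"
    return UserItem(kind, unescape(body), negated)


def parse_user_list(text: str) -> list:
    return [parse_user(it) for it in split_list(text)]


if __name__ == "__main__":
    # Constructed sample User_List covering every alternative of the production.
    for it in parse_user_list('alice, !!#0, !%wheel, +admins, "%:Domain Admins", %:#12345, ADMINS'):
        print(it)
```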
585: .PP
586: The actual
587: \fRnonunix_group\fR
588: and
589: \fRnonunix_gid\fR
590: syntax depends on
591: the underlying group provider plugin.
592: For instance, the QAS AD plugin supports the following formats:
593: .TP 6n
594: \fBo\fR
595: Group in the same domain: "%:Group Name"
596: .TP 6n
597: \fBo\fR
598: Group in any domain: "%:Group Name@FULLY.QUALIFIED.DOMAIN"
599: .TP 6n
600: \fBo\fR
601: Group SID: "%:S-1-2-34-5678901234-5678901234-5678901234-567"
602: .PP
603: See
604: \fIGROUP PROVIDER PLUGINS\fR
605: for more information.
606: .PP
607: Note that quotes around group names are optional.
608: Unquoted strings must use a backslash
609: (\(oq\e\(cq)
610: to escape spaces and special characters.
611: See
612: \fIOther special characters and reserved words\fR
613: for a list of
614: characters that need to be escaped.
615: .nf
616: .sp
617: .RS 0n
618: Runas_List ::= Runas_Member |
619: Runas_Member ',' Runas_List
620:
621: Runas_Member ::= '!'* user name |
622: '!'* #uid |
623: '!'* %group |
624: '!'* %#gid |
625: '!'* %:nonunix_group |
626: '!'* %:#nonunix_gid |
627: '!'* +netgroup |
628: '!'* Runas_Alias
629: .RE
630: .fi
631: .PP
632: A
633: \fRRunas_List\fR
634: is similar to a
635: \fRUser_List\fR
636: except that instead
637: of
638: \fRUser_Alias\fRes
639: it can contain
640: \fRRunas_Alias\fRes.
641: Note that
642: user names and groups are matched as strings.
643: In other words, two
644: users (groups) with the same uid (gid) are considered to be distinct.
645: If you wish to match all user names with the same uid (e.g.\&
646: root and toor), you can use a uid instead (#0 in the example given).
647: .nf
648: .sp
649: .RS 0n
650: Host_List ::= Host |
651: Host ',' Host_List
652:
653: Host ::= '!'* host name |
654: '!'* ip_addr |
655: '!'* network(/netmask)? |
656: '!'* +netgroup |
657: '!'* Host_Alias
658: .RE
659: .fi
660: .PP
661: A
662: \fRHost_List\fR
663: is made up of one or more host names, IP addresses,
664: network numbers, netgroups (prefixed with
665: \(oq+\(cq)
666: and other aliases.
667: Again, the value of an item may be negated with the
668: \(oq\&!\(cq
669: operator.
670: If you do not specify a netmask along with the network number,
671: \fBsudo\fR
672: will query each of the local host's network interfaces and,
673: if the network number corresponds to one of the host's network
674: interfaces, the corresponding netmask will be used.
675: The netmask
676: may be specified either in standard IP address notation
677: (e.g.\& 255.255.255.0 or ffff:ffff:ffff:ffff::),
678: or CIDR notation (number of bits, e.g.\& 24 or 64).
679: A host name may include shell-style wildcards (see the
680: \fIWildcards\fR
681: section below),
682: but unless the
683: \fRhostname\fR
684: command on your machine returns the fully
685: qualified host name, you'll need to use the
686: \fIfqdn\fR
687: option for wildcards to be useful.
688: Note that
689: \fBsudo\fR
690: only inspects actual network interfaces; this means that IP address
691: 127.0.0.1 (localhost) will never match.
692: Also, the host name
693: \(lqlocalhost\(rq
694: will only match if that is the actual host name, which is usually
695: only the case for non-networked systems.
696: .nf
697: .sp
698: .RS 0n
699: digest ::= [A-Fa-f0-9]+ |
700: [A-Za-z0-9\+/=]+
701:
702: Digest_Spec ::= "sha224" ':' digest |
703: "sha256" ':' digest |
704: "sha384" ':' digest |
705: "sha512" ':' digest
706:
707: Cmnd_List ::= Cmnd |
708: Cmnd ',' Cmnd_List
709:
710: command name ::= file name |
711: file name args |
712: file name '""'
713:
714: Cmnd ::= Digest_Spec? '!'* command name |
715: '!'* directory |
716: '!'* "sudoedit" |
717: '!'* Cmnd_Alias
718: .RE
719: .fi
720: .PP
721: A
722: \fRCmnd_List\fR
723: is a list of one or more command names, directories, and other aliases.
724: A command name is a fully qualified file name which may include
725: shell-style wildcards (see the
726: \fIWildcards\fR
727: section below).
728: A simple file name allows the user to run the command with any
729: arguments he/she wishes.
730: However, you may also specify command line arguments (including
731: wildcards).
732: Alternately, you can specify
733: \fR\&""\fR
734: to indicate that the command
735: may only be run
736: \fBwithout\fR
737: command line arguments.
738: A directory is a
739: fully qualified path name ending in a
740: \(oq/\(cq.
741: When you specify a directory in a
742: \fRCmnd_List\fR,
743: the user will be able to run any file within that directory
744: (but not in any sub-directories therein).
745: .PP
746: If a
747: \fRCmnd\fR
748: has associated command line arguments, then the arguments
749: in the
750: \fRCmnd\fR
751: must match exactly those given by the user on the command line
752: (or match the wildcards if there are any).
753: Note that the following characters must be escaped with a
754: \(oq\e\(cq
755: if they are used in command arguments:
756: \(oq,\&\(cq,
757: \(oq:\&\(cq,
758: \(oq=\&\(cq,
759: \(oq\e\(cq.
760: The built-in command
761: \(lq\fRsudoedit\fR\(rq
762: is used to permit a user to run
763: \fBsudo\fR
764: with the
765: \fB\-e\fR
766: option (or as
767: \fBsudoedit\fR).
768: It may take command line arguments just as a normal command does.
769: Note that
770: \(lq\fRsudoedit\fR\(rq
771: is a command built into
772: \fBsudo\fR
773: itself and must be specified in
774: \fIsudoers\fR
775: without a leading path.
776: .PP
777: If a
778: \fRcommand name\fR
779: is prefixed with a
780: \fRDigest_Spec\fR,
781: the command will only match successfully if it can be verified
782: using the specified SHA-2 digest.
783: This may be useful in situations where the user invoking
784: \fBsudo\fR
785: has write access to the command or its parent directory.
786: The following digest formats are supported: sha224, sha256, sha384 and sha512.
787: The string may be specified in either hex or base64 format
788: (base64 is more compact).
789: There are several utilities capable of generating SHA-2 digests in hex
790: format such as openssl, shasum, sha224sum, sha256sum, sha384sum, sha512sum.
791: .PP
792: For example, using openssl:
793: .nf
794: .sp
795: .RS 0n
796: $ openssl dgst -sha224 /bin/ls
797: SHA224(/bin/ls)= 118187da8364d490b4a7debbf483004e8f3e053ec954309de2c41a25
798: .RE
799: .fi
800: .PP
801: It is also possible to use openssl to generate base64 output:
802: .nf
803: .sp
804: .RS 0n
805: $ openssl dgst -binary -sha224 /bin/ls | openssl base64
806: EYGH2oNk1JC0p9679IMATo8+BT7JVDCd4sQaJQ==
807: .RE
808: .fi
809: .PP
810: Command digests are only supported by version 1.8.7 or higher.
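As an added example (not code from sudo or this manual), the following Python models how a Digest_Spec is parsed and checked against a command's contents: the digest is accepted in either hex or base64 form, its length must match the named SHA-2 algorithm, and the comparison is done in constant time. The helper names are hypothetical; the sample data is constructed.

```python
import base64
import hashlib
import hmac
import re

# Digest_Spec ::= ("sha224" | "sha256" | "sha384" | "sha512") ':' digest
# digest      ::= hex string | base64 string
DIGEST_ALGOS = {"sha224": 28, "sha256": 32, "sha384": 48, "sha512": 64}  # digest sizes in bytes
HEX_RE = re.compile(r"^[A-Fa-f0-9]+$")
B64_RE = re.compile(r"^[A-Za-z0-9+/=]+$")


def parse_digest_spec(spec: str):
    """Split 'algo:digest' and decode the digest from hex or base64.

    Raises ValueError for an unknown algorithm, an undecodable digest, or a
    digest whose length does not match the algorithm.
    """
    algo, sep, digest = spec.partition(":")
    if not sep or algo not in DIGEST_ALGOS:
        raise ValueError(f"unsupported Digest_Spec: {spec!r}")
    size = DIGEST_ALGOS[algo]
    # Hex is tried first; for these sizes a hex digest and a base64 digest
    # never have the same length, so the two forms cannot be confused.
    if HEX_RE.match(digest) and len(digest) == size * 2:
        raw = bytes.fromhex(digest)
    elif B64_RE.match(digest):
        raw = base64.b64decode(digest, validate=True)
    else:
        raise ValueError(f"digest is neither hex nor base64: {digest!r}")
    if len(raw) != size:
        raise ValueError(f"{algo} digest must be {size} bytes, got {len(raw)}")
    return algo, raw


def digest_matches(spec: str, data: bytes) -> bool:
    """True when data hashes to the digest named in spec."""
    algo, expected = parse_digest_spec(spec)
    actual = hashlib.new(algo, data).digest()
    return hmac.compare_digest(actual, expected)


def make_digest_spec(algo: str, data: bytes, encoding: str = "hex") -> str:
    """Build the Digest_Spec an administrator would write for data,
    in hex (as 'openssl dgst' prints) or base64 (more compact)."""
    raw = hashlib.new(algo, data).digest()
    digest = raw.hex() if encoding == "hex" else base64.b64encode(raw).decode()
    return f"{algo}:{digest}"


def verify_file(spec: str, path: str) -> bool:
    """Check a file on disk against a Digest_Spec."""
    with open(path, "rb") as f:
        return digest_matches(spec, f.read())


if __name__ == "__main__":
    import os
    import tempfile

    # Constructed sample script; any later change to it makes the spec stop matching.
    script = b"#!/bin/sh\necho hello\n"
    spec = make_digest_spec("sha224", script, "base64")
    with tempfile.NamedTemporaryFile(delete=False) as tmp:
        tmp.write(script)
    try:
        print(spec, "->", verify_file(spec, tmp.name))
    finally:
        os.unlink(tmp.name)
```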
811: .SS "Defaults"
812: Certain configuration options may be changed from their default
813: values at run-time via one or more
814: \fRDefault_Entry\fR
815: lines.
816: These may affect all users on any host, all users on a specific host, a
817: specific user, a specific command, or commands being run as a specific user.
818: Note that per-command entries may not include command line arguments.
819: If you need to specify arguments, define a
820: \fRCmnd_Alias\fR
821: and reference
822: that instead.
823: .nf
824: .sp
825: .RS 0n
826: Default_Type ::= 'Defaults' |
827: 'Defaults' '@' Host_List |
828: 'Defaults' ':' User_List |
829: 'Defaults' '!' Cmnd_List |
830: 'Defaults' '>' Runas_List
831:
832: Default_Entry ::= Default_Type Parameter_List
833:
834: Parameter_List ::= Parameter |
835: Parameter ',' Parameter_List
836:
837: Parameter ::= Parameter '=' Value |
838: Parameter '+=' Value |
839: Parameter '-=' Value |
840: '!'* Parameter
841: .RE
842: .fi
843: .PP
844: Parameters may be
845: \fBflags\fR,
846: \fBinteger\fR
847: values,
848: \fBstrings\fR,
849: or
850: \fBlists\fR.
851: Flags are implicitly boolean and can be turned off via the
852: \(oq\&!\(cq
853: operator.
854: Some integer, string and list parameters may also be
855: used in a boolean context to disable them.
856: Values may be enclosed
857: in double quotes
858: (\&"")
859: when they contain multiple words.
860: Special characters may be escaped with a backslash
861: (\(oq\e\(cq).
862: .PP
863: Lists have two additional assignment operators,
864: \fR+=\fR
865: and
866: \fR-=\fR.
867: These operators are used to add to and delete from a list respectively.
868: It is not an error to use the
869: \fR-=\fR
870: operator to remove an element
871: that does not exist in a list.
872: .PP
873: Defaults entries are parsed in the following order: generic, host
874: and user Defaults first, then runas Defaults and finally command
875: defaults.
876: .PP
877: See
878: \fISUDOERS OPTIONS\fR
879: for a list of supported Defaults parameters.
880: .SS "User specification"
881: .nf
882: .RS 0n
883: User_Spec ::= User_List Host_List '=' Cmnd_Spec_List \e
884: (':' Host_List '=' Cmnd_Spec_List)*
885:
886: Cmnd_Spec_List ::= Cmnd_Spec |
887: Cmnd_Spec ',' Cmnd_Spec_List
888:
889: Cmnd_Spec ::= Runas_Spec? SELinux_Spec? Solaris_Priv_Spec? Tag_Spec* Cmnd
890:
891: Runas_Spec ::= '(' Runas_List? (':' Runas_List)? ')'
892:
893: SELinux_Spec ::= ('ROLE=role' | 'TYPE=type')
894:
895: Solaris_Priv_Spec ::= ('PRIVS=privset' | 'LIMITPRIVS=privset')
896:
897: Tag_Spec ::= ('NOPASSWD:' | 'PASSWD:' | 'NOEXEC:' | 'EXEC:' |
898: 'SETENV:' | 'NOSETENV:' | 'LOG_INPUT:' | 'NOLOG_INPUT:' |
899: 'LOG_OUTPUT:' | 'NOLOG_OUTPUT:')
900: .RE
901: .fi
902: .PP
903: A
904: \fBuser specification\fR
905: determines which commands a user may run
906: (and as what user) on specified hosts.
907: By default, commands are
908: run as
909: \fBroot\fR,
910: but this can be changed on a per-command basis.
911: .PP
912: The basic structure of a user specification is
913: \(lqwho where = (as_whom) what\(rq.
914: Let's break that down into its constituent parts:
915: .SS "Runas_Spec"
916: A
917: \fRRunas_Spec\fR
918: determines the user and/or the group that a command
919: may be run as.
920: A fully-specified
921: \fRRunas_Spec\fR
922: consists of two
923: \fRRunas_List\fRs
924: (as defined above) separated by a colon
925: (\(oq:\&\(cq)
926: and enclosed in a set of parentheses.
927: The first
928: \fRRunas_List\fR
929: indicates
930: which users the command may be run as via
931: \fBsudo\fR's
932: \fB\-u\fR
933: option.
934: The second defines a list of groups that can be specified via
935: \fBsudo\fR's
936: \fB\-g\fR
937: option.
938: If both
939: \fRRunas_List\fRs
940: are specified, the command may be run with any combination of users
941: and groups listed in their respective
942: \fRRunas_List\fRs.
943: If only the first is specified, the command may be run as any user
944: in the list but no
945: \fB\-g\fR
946: option
947: may be specified.
948: If the first
949: \fRRunas_List\fR
950: is empty but the
951: second is specified, the command may be run as the invoking user
952: with the group set to any listed in the
953: \fRRunas_List\fR.
954: If both
955: \fRRunas_List\fRs
956: are empty, the command may only be run as the invoking user.
957: If no
958: \fRRunas_Spec\fR
959: is specified the command may be run as
960: \fBroot\fR
961: and
962: no group may be specified.
963: .PP
964: A
965: \fRRunas_Spec\fR
966: sets the default for the commands that follow it.
967: What this means is that for the entry:
968: .nf
969: .sp
970: .RS 0n
971: dgb boulder = (operator) /bin/ls, /bin/kill, /usr/bin/lprm
972: .RE
973: .fi
974: .PP
975: The user
976: \fBdgb\fR
977: may run
978: \fI/bin/ls\fR,
979: \fI/bin/kill\fR,
980: and
981: \fI/usr/bin/lprm\fR\(embut
982: only as
983: \fBoperator\fR.
984: E.g.,
985: .nf
986: .sp
987: .RS 0n
988: $ sudo -u operator /bin/ls
989: .RE
990: .fi
991: .PP
992: It is also possible to override a
993: \fRRunas_Spec\fR
994: later on in an entry.
995: If we modify the entry like so:
996: .nf
997: .sp
998: .RS 0n
999: dgb boulder = (operator) /bin/ls, (root) /bin/kill, /usr/bin/lprm
1000: .RE
1001: .fi
1002: .PP
1003: Then user
1004: \fBdgb\fR
1005: is now allowed to run
1006: \fI/bin/ls\fR
1007: as
1008: \fBoperator\fR,
1009: but
1010: \fI/bin/kill\fR
1011: and
1012: \fI/usr/bin/lprm\fR
1013: as
1014: \fBroot\fR.
1015: .PP
1016: We can extend this to allow
1017: \fBdgb\fR
1018: to run
1019: \fR/bin/ls\fR
1020: with either
1021: the user or group set to
1022: \fBoperator\fR:
1023: .nf
1024: .sp
1025: .RS 0n
1026: dgb boulder = (operator : operator) /bin/ls, (root) /bin/kill,\e
1027: /usr/bin/lprm
1028: .RE
1029: .fi
1030: .PP
1031: Note that while the group portion of the
1032: \fRRunas_Spec\fR
1033: permits the
1034: user to run the command with that group, it does not force the user
1035: to do so.
1036: If no group is specified on the command line, the command
1037: will run with the group listed in the target user's password database
1038: entry.
1039: The following would all be permitted by the sudoers entry above:
1040: .nf
1041: .sp
1042: .RS 0n
1043: $ sudo -u operator /bin/ls
1044: $ sudo -u operator -g operator /bin/ls
1045: $ sudo -g operator /bin/ls
1046: .RE
1047: .fi
1048: .PP
1049: In the following example, user
1050: \fBtcm\fR
1051: may run commands that access
1052: a modem device file with the dialer group.
1053: .nf
1054: .sp
1055: .RS 0n
1056: tcm boulder = (:dialer) /usr/bin/tip, /usr/bin/cu,\e
1057: /usr/local/bin/minicom
1058: .RE
1059: .fi
1060: .PP
1061: Note that in this example only the group will be set; the command
1062: still runs as user
1063: \fBtcm\fR.
1064: E.g.\&
1065: .nf
1066: .sp
1067: .RS 0n
1068: $ sudo -g dialer /usr/bin/cu
1069: .RE
1070: .fi
1071: .PP
1072: Multiple users and groups may be present in a
1073: \fRRunas_Spec\fR,
1074: in which case the user may select any combination of users and groups via the
1075: \fB\-u\fR
1076: and
1077: \fB\-g\fR
1078: options.
1079: In this example:
1080: .nf
1081: .sp
1082: .RS 0n
1083: alan ALL = (root, bin : operator, system) ALL
1084: .RE
1085: .fi
1086: .PP
1087: user
1088: \fBalan\fR
1089: may run any command as either user root or bin,
1090: optionally setting the group to operator or system.
1091: .SS "SELinux_Spec"
1092: On systems with SELinux support,
1093: \fIsudoers\fR
1094: entries may optionally have an SELinux role and/or type associated
1095: with a command.
1096: If a role or
1097: type is specified with the command it will override any default values
1098: specified in
1099: \fIsudoers\fR.
1100: A role or type specified on the command line,
1101: however, will supersede the values in
1102: \fIsudoers\fR.
1103: .SS "Solaris_Priv_Spec"
1104: On Solaris systems,
1105: \fIsudoers\fR
1106: entries may optionally specify a Solaris privilege set and/or limit
1107: privilege set associated with a command.
1108: If privileges or limit privileges are specified with the command,
1109: they will override any default values specified in
1110: \fIsudoers\fR.
1111: .PP
1112: A privilege set is a comma-separated list of privilege names.
1113: The
1114: ppriv(1)
1115: command can be used to list all privileges known to the system.
1116: For example:
1117: .nf
1118: .sp
1119: .RS 0n
1120: $ ppriv -l
1121: .RE
1122: .fi
1123: .PP
1124: In addition, there are several
1125: \(lqspecial\(rq
1126: privilege strings:
1127: .TP 10n
1128: none
1129: the empty set
1130: .TP 10n
1131: all
1132: the set of all privileges
1133: .TP 10n
1134: zone
1135: the set of all privileges available in the current zone
1136: .TP 10n
1137: basic
1138: the default set of privileges normal users are granted at login time
1139: .PP
1140: Privileges can be excluded from a set by prefixing the privilege
1141: name with either an
1142: \(oq\&!\(cq
1143: or
1144: \(oq\-\(cq
1145: character.
1146: .SS "Tag_Spec"
1147: A command may have zero or more tags associated with it.
1148: There are
1149: ten possible tag values:
1150: \fRNOPASSWD\fR,
1151: \fRPASSWD\fR,
1152: \fRNOEXEC\fR,
1153: \fREXEC\fR,
1154: \fRSETENV\fR,
1155: \fRNOSETENV\fR,
1156: \fRLOG_INPUT\fR,
1157: \fRNOLOG_INPUT\fR,
1158: \fRLOG_OUTPUT\fR
1159: and
1160: \fRNOLOG_OUTPUT\fR.
1161: Once a tag is set on a
1162: \fRCmnd\fR,
1163: subsequent
1164: \fRCmnd\fRs
1165: in the
1166: \fRCmnd_Spec_List\fR,
1167: inherit the tag unless it is overridden by the opposite tag (in other words,
1168: \fRPASSWD\fR
1169: overrides
1170: \fRNOPASSWD\fR
1171: and
1172: \fRNOEXEC\fR
1173: overrides
1174: \fREXEC\fR).
1175: .TP 2n
1176: \fINOPASSWD\fR and \fIPASSWD\fR
1177: .sp
1178: By default,
1179: \fBsudo\fR
1180: requires that a user authenticate him or herself
1181: before running a command.
1182: This behavior can be modified via the
1183: \fRNOPASSWD\fR
1184: tag.
1185: Like a
1186: \fRRunas_Spec\fR,
1187: the
1188: \fRNOPASSWD\fR
1189: tag sets
1190: a default for the commands that follow it in the
1191: \fRCmnd_Spec_List\fR.
1192: Conversely, the
1193: \fRPASSWD\fR
1194: tag can be used to reverse things.
1195: For example:
1196: .nf
1197: .sp
1198: .RS 2n
1199: ray rushmore = NOPASSWD: /bin/kill, /bin/ls, /usr/bin/lprm
1200: .RE
1201: .fi
1202: .RS 2n
1203: .sp
1204: would allow the user
1205: \fBray\fR
1206: to run
1207: \fI/bin/kill\fR,
1208: \fI/bin/ls\fR,
1209: and
1210: \fI/usr/bin/lprm\fR
1211: as
1212: \fBroot\fR
1213: on the machine rushmore without authenticating himself.
1214: If we only want
1215: \fBray\fR
1216: to be able to
1217: run
1218: \fI/bin/kill\fR
1219: without a password the entry would be:
1220: .nf
1221: .sp
1222: .RS 2n
1223: ray rushmore = NOPASSWD: /bin/kill, PASSWD: /bin/ls, /usr/bin/lprm
1224: .RE
1225: .fi
1226: .sp
1227: Note, however, that the
1228: \fRPASSWD\fR
1229: tag has no effect on users who are in the group specified by the
1230: \fIexempt_group\fR
1231: option.
1232: .sp
1233: By default, if the
1234: \fRNOPASSWD\fR
1235: tag is applied to any of the entries for a user on the current host,
1236: he or she will be able to run
1237: \(lq\fRsudo -l\fR\(rq
1238: without a password.
1239: Additionally, a user may only run
1240: \(lq\fRsudo -v\fR\(rq
1241: without a password if the
1242: \fRNOPASSWD\fR
1243: tag is present for all a user's entries that pertain to the current host.
1244: This behavior may be overridden via the
1245: \fIverifypw\fR
1246: and
1247: \fIlistpw\fR
1248: options.
1249: .RE
1250: .TP 2n
1251: \fINOEXEC\fR and \fIEXEC\fR
1252: .sp
1253: If
1254: \fBsudo\fR
1255: has been compiled with
1256: \fInoexec\fR
1257: support and the underlying operating system supports it, the
1258: \fRNOEXEC\fR
1259: tag can be used to prevent a dynamically-linked executable from
1260: running further commands itself.
1261: .sp
1262: In the following example, user
1263: \fBaaron\fR
1264: may run
1265: \fI/usr/bin/more\fR
1266: and
1267: \fI/usr/bin/vi\fR
1268: but shell escapes will be disabled.
1269: .nf
1270: .sp
1271: .RS 2n
1272: aaron shanty = NOEXEC: /usr/bin/more, /usr/bin/vi
1273: .RE
1274: .fi
1275: .RS 2n
1276: .sp
1277: See the
1278: \fIPreventing shell escapes\fR
1279: section below for more details on how
1280: \fRNOEXEC\fR
1281: works and whether or not it will work on your system.
1282: .RE
1283: .TP 2n
1284: \fISETENV\fR and \fINOSETENV\fR
1285: .sp
1286: These tags override the value of the
1287: \fIsetenv\fR
1288: option on a per-command basis.
1289: Note that if
1290: \fRSETENV\fR
1291: has been set for a command, the user may disable the
1292: \fIenv_reset\fR
1293: option from the command line via the
1294: \fB\-E\fR
1295: option.
1296: Additionally, environment variables set on the command
1297: line are not subject to the restrictions imposed by
1298: \fIenv_check\fR,
1299: \fIenv_delete\fR,
1300: or
1301: \fIenv_keep\fR.
1302: As such, only trusted users should be allowed to set variables in this manner.
1303: If the command matched is
1304: \fBALL\fR,
1305: the
1306: \fRSETENV\fR
1307: tag is implied for that command; this default may be overridden by use of the
1308: \fRNOSETENV\fR
1309: tag.
1310: .TP 2n
1311: \fILOG_INPUT\fR and \fINOLOG_INPUT\fR
1312: .sp
1313: These tags override the value of the
1314: \fIlog_input\fR
1315: option on a per-command basis.
1316: For more information, see the description of
1317: \fIlog_input\fR
1318: in the
1319: \fISUDOERS OPTIONS\fR
1320: section below.
1321: .TP 2n
1322: \fILOG_OUTPUT\fR and \fINOLOG_OUTPUT\fR
1323: .sp
1324: These tags override the value of the
1325: \fIlog_output\fR
1326: option on a per-command basis.
1327: For more information, see the description of
1328: \fIlog_output\fR
1329: in the
1330: \fISUDOERS OPTIONS\fR
1331: section below.
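.PP
The following Python function is an added example, not part of the sudoers
manual or of the
\fBsudo\fR
parser.
It computes the effective tags for each command in a
\fRCmnd_Spec_List\fR
according to the rules in this section: a tag carries over to the commands
that follow it until the opposite tag of the same pair appears, and
\fBALL\fR
implies
\fRSETENV\fR
unless
\fRNOSETENV\fR
is in effect.
\fRRunas_Spec\fR
handling is left out.

```python
"""Tag inheritance inside one sudoers Cmnd_Spec_List.

Added example (not sudo's own parser). Given the command portion of a
user specification, e.g. "NOPASSWD: /bin/kill, PASSWD: /bin/ls", return
the tag settings that apply to each command.
"""
import re
from typing import Dict, List, Tuple

# Each tag maps to (setting, value); the opposite tag of a pair writes
# the same setting with the other value, which is how it "overrides".
TAG_PAIRS = {
    "NOPASSWD": ("passwd", False), "PASSWD": ("passwd", True),
    "NOEXEC": ("exec", False), "EXEC": ("exec", True),
    "SETENV": ("setenv", True), "NOSETENV": ("setenv", False),
    "LOG_INPUT": ("log_input", True), "NOLOG_INPUT": ("log_input", False),
    "LOG_OUTPUT": ("log_output", True), "NOLOG_OUTPUT": ("log_output", False),
}


def parse_cmnd_spec_list(spec: str) -> List[Tuple[str, Dict[str, bool]]]:
    """Return [(command, effective_tags), ...] for a Cmnd_Spec_List.

    A setting missing from the dict is unset by any tag, so the Defaults
    option (authenticate, noexec, setenv, log_input, log_output) applies.
    Commas escaped with a backslash are part of the command arguments.
    """
    result: List[Tuple[str, Dict[str, bool]]] = []
    current: Dict[str, bool] = {}            # tags inherited so far
    for item in re.split(r"(?<!\\),", spec):
        item = item.strip()
        # Peel off leading "TAG:" prefixes; several may be chained.
        while ":" in item:
            head, _, rest = item.partition(":")
            head = head.strip().upper()
            if head not in TAG_PAIRS:
                break                        # an escaped ':' in arguments
            setting, value = TAG_PAIRS[head]
            current[setting] = value
            item = rest.strip()
        if not item:
            raise ValueError("tag without a command in %r" % spec)
        tags = dict(current)                 # snapshot for this command
        if item == "ALL" and "setenv" not in tags:
            tags["setenv"] = True            # SETENV is implied for ALL
        result.append((item, tags))
    return result


def password_required(spec: str, command: str) -> bool:
    """True unless NOPASSWD is in effect for `command` in `spec`."""
    for cmnd, tags in parse_cmnd_spec_list(spec):
        if cmnd == command:
            return tags.get("passwd", True)
    raise KeyError("%s is not in %r" % (command, spec))
```
.PP
Running the function over the two
\fBray\fR
entries from this section shows the difference between them: in the first,
every command inherits
\fRNOPASSWD\fR;
in the second, only
\fI/bin/kill\fR
does, because
\fRPASSWD\fR
resets the setting for the commands after it.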
1332: .SS "Wildcards"
1333: \fBsudo\fR
1334: allows shell-style
1335: \fIwildcards\fR
1336: (aka meta or glob characters)
1337: to be used in host names, path names and command line arguments in the
1338: \fIsudoers\fR
1339: file.
1340: Wildcard matching is done via the
1341: glob(3)
1342: and
1343: fnmatch(3)
1344: functions as specified by
1345: IEEE Std 1003.1 (\(lqPOSIX.1\(rq).
1346: Note that these are
1347: \fInot\fR
1348: regular expressions.
1349: .TP 10n
1350: \fR*\fR
1351: Matches any set of zero or more characters.
1352: .TP 10n
1353: \fR\&?\fR
1354: Matches any single character.
1355: .TP 10n
1356: \fR[...]\fR
1357: Matches any character in the specified range.
1358: .TP 10n
1359: \fR[!...]\fR
1360: Matches any character
1361: \fBnot\fR
1362: in the specified range.
1363: .TP 10n
1364: \fR\ex\fR
1365: For any character
1366: \(oqx\(cq,
1367: evaluates to
1368: \(oqx\(cq.
1369: This is used to escape special characters such as:
1370: \(oq*\(cq,
1371: \(oq\&?\(cq,
1372: \(oq[\&\(cq,
1373: and
1374: \(oq]\&\(cq.
1375: .PP
1376: Character classes may also be used if your system's
1377: glob(3)
1378: and
1379: fnmatch(3)
1380: functions support them.
1381: However, because the
1382: \(oq:\&\(cq
1383: character has special meaning in
1384: \fIsudoers\fR,
1385: it must be
1386: escaped.
1387: For example:
1388: .nf
1389: .sp
1390: .RS 4n
1391: /bin/ls [[:\&alpha:\&]]*
1392: .RE
1393: .fi
1394: .PP
1395: would match any file name beginning with a letter.
1396: .PP
1397: Note that a forward slash
1398: (\(oq/\(cq)
1399: will
1400: \fBnot\fR
1401: be matched by
1402: wildcards used in the path name.
1403: This is to make a path like:
1404: .nf
1405: .sp
1406: .RS 4n
1407: /usr/bin/*
1408: .RE
1409: .fi
1410: .PP
1411: match
1412: \fI/usr/bin/who\fR
1413: but not
1414: \fI/usr/bin/X11/xterm\fR.
1415: .PP
1416: When matching the command line arguments, however, a slash
1417: \fBdoes\fR
1418: get matched by wildcards since command line arguments may contain
1419: arbitrary strings and not just path names.
1420: .PP
1421: Wildcards in command line arguments should be used with care.
1422: Because command line arguments are matched as a single, concatenated
1423: string, a wildcard such as
1424: \(oq\&?\(cq
1425: or
1426: \(oq*\(cq
1427: can match multiple words.
1428: For example, while a sudoers entry like:
1429: .nf
1430: .sp
1431: .RS 4n
1432: %operator ALL = /bin/cat /var/log/messages*
1433: .RE
1434: .fi
1435: .PP
1436: will allow a command like:
1437: .nf
1438: .sp
1439: .RS 4n
1440: $ sudo cat /var/log/messages.1
1441: .RE
1442: .fi
1443: .PP
1444: It will also allow:
1445: .nf
1446: .sp
1447: .RS 4n
1448: $ sudo cat /var/log/messages /etc/shadow
1449: .RE
1450: .fi
1451: .PP
1452: which is probably not what was intended.
1453: .SS "Exceptions to wildcard rules"
1454: The following exceptions apply to the above rules:
1455: .TP 10n
1456: \fR\&""\fR
1457: If the empty string
1458: \fR\&""\fR
1459: is the only command line argument in the
1460: \fIsudoers\fR
1461: entry it means that command is not allowed to be run with
1462: \fBany\fR
1463: arguments.
1464: .TP 10n
1465: sudoedit
1466: Command line arguments to the
1467: \fIsudoedit\fR
1468: built-in command should always be path names, so a forward slash
1469: (\(oq/\(cq)
1470: will not be matched by a wildcard.
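.PP
The following Python model is an added example, not part of the sudoers
manual or of the
\fBsudo\fR
matcher.
It reproduces the rules from the
\fIWildcards\fR
section and its exceptions: a wildcard in a path name never matches a
\(oq/\(cq,
command line arguments are matched as one space-joined string (so a
wildcard can span several words), an entry whose only argument is
\fR\&""\fR
allows no arguments at all, and
\fIsudoedit\fR
arguments are matched like path names.
Python's fnmatch(3) wrapper has no
\fRFNM_PATHNAME\fR
flag, so the path-name translation is written out by hand and its
bracket-expression support is simplified.

```python
"""Path-name versus argument matching with sudoers-style wildcards.

Added example (not sudo's own code). Patterns are fnmatch(3)/glob(3)
style, not regular expressions.
"""
import fnmatch
import re
from typing import List, Optional


def _pathname_regex(pattern: str) -> "re.Pattern":
    """Translate a glob into a regex in which *, ? and [...] stop at '/'.

    Simplified bracket handling: "[!...]" is negation, and a backslash
    escapes the next character, as the manual describes.
    """
    out, i = [], 0
    while i < len(pattern):
        c = pattern[i]
        if c == "*":
            out.append("[^/]*")
        elif c == "?":
            out.append("[^/]")
        elif c == "[" and pattern.find("]", i + 1) != -1:
            j = pattern.find("]", i + 1)
            body = pattern[i + 1:j]
            if body.startswith("!"):
                body = "^" + body[1:]
            out.append("[" + body + "]")
            i = j
        elif c == "\\" and i + 1 < len(pattern):
            i += 1
            out.append(re.escape(pattern[i]))
        else:
            out.append(re.escape(c))
        i += 1
    return re.compile("".join(out) + r"\Z")


def path_matches(pattern: str, path: str) -> bool:
    """Match a command path: '/' is never matched by a wildcard."""
    return _pathname_regex(pattern).match(path) is not None


def args_match(rule_args: Optional[List[str]], cmd_args: List[str]) -> bool:
    """Match arguments as sudoers does.

    rule_args is None when the entry lists no arguments (any are
    allowed) and [""] for the empty-string rule (none are allowed).
    """
    if rule_args is None:
        return True
    if rule_args == [""]:
        return cmd_args == []
    # Both sides become a single string, so '*' in the rule may cover
    # more than one word of the actual command line, '/' included.
    return fnmatch.fnmatchcase(" ".join(cmd_args), " ".join(rule_args))


def sudoedit_args_match(rule_args: List[str], cmd_args: List[str]) -> bool:
    """sudoedit arguments are path names, matched one by one."""
    if len(rule_args) != len(cmd_args):
        return False
    return all(path_matches(p, a) for p, a in zip(rule_args, cmd_args))


def command_matches(rule_path: str, rule_args: Optional[List[str]],
                    cmd_path: str, cmd_args: List[str]) -> bool:
    """Does a sudoers Cmnd (path plus optional args) match a command?"""
    return path_matches(rule_path, cmd_path) and args_match(rule_args, cmd_args)
```
.PP
Running the
\fR%operator\fR
entry from this section through
\fRcommand_matches\fR
confirms what the text says: the rule accepts both the intended single
log file and a command line naming a second file, which is the check to
make before relying on a trailing wildcard in an argument.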
1471: .SS "Including other files from within sudoers"
1472: It is possible to include other
1473: \fIsudoers\fR
1474: files from within the
1475: \fIsudoers\fR
1476: file currently being parsed using the
1477: \fR#include\fR
1478: and
1479: \fR#includedir\fR
1480: directives.
1481: .PP
1482: This can be used, for example, to keep a site-wide
1483: \fIsudoers\fR
1484: file in addition to a local, per-machine file.
1485: For the sake of this example the site-wide
1486: \fIsudoers\fR
1487: will be
1488: \fI/etc/sudoers\fR
1489: and the per-machine one will be
1490: \fI/etc/sudoers.local\fR.
1491: To include
1492: \fI/etc/sudoers.local\fR
1493: from within
1494: \fI/etc/sudoers\fR
1495: we would use the
1496: following line in
1497: \fI/etc/sudoers\fR:
1498: .nf
1499: .sp
1500: .RS 4n
1501: #include /etc/sudoers.local
1502: .RE
1503: .fi
1504: .PP
1505: When
1506: \fBsudo\fR
1507: reaches this line it will suspend processing of the current file
1508: (\fI/etc/sudoers\fR)
1509: and switch to
1510: \fI/etc/sudoers.local\fR.
1511: Upon reaching the end of
1512: \fI/etc/sudoers.local\fR,
1513: the rest of
1514: \fI/etc/sudoers\fR
1515: will be processed.
1516: Files that are included may themselves include other files.
1517: A hard limit of 128 nested include files is enforced to prevent include
1518: file loops.
1519: .PP
1520: If the path to the include file is not fully-qualified (does not
1521: begin with a
1522: \(oq/\(cq),
1523: it must be located in the same directory as the sudoers file it was
1524: included from.
1525: For example, if
1526: \fI/etc/sudoers\fR
1527: contains the line:
1528: .nf
1529: .sp
1530: .RS 4n
1531: \fR#include sudoers.local\fR
1532: .RE
1533: .fi
1534: .PP
1535: the file that will be included is
1536: \fI/etc/sudoers.local\fR.
1537: .PP
1538: The file name may also include the
1539: \fR%h\fR
1540: escape, signifying the short form of the host name.
1541: In other words, if the machine's host name is
1542: \(lqxerxes\(rq,
1543: then
1544: .nf
1545: .sp
1546: .RS 4n
1547: #include /etc/sudoers.%h
1548: .RE
1549: .fi
1550: .PP
1551: will cause
1552: \fBsudo\fR
1553: to include the file
1554: \fI/etc/sudoers.xerxes\fR.
1555: .PP
1556: The
1557: \fR#includedir\fR
1558: directive can be used to create a
1559: \fIsudo.d\fR
1560: directory that the system package manager can drop
1561: \fIsudoers\fR
1562: rules
1563: into as part of package installation.
1564: For example, given:
1565: .nf
1566: .sp
1567: .RS 4n
1568: #includedir /etc/sudoers.d
1569: .RE
1570: .fi
1571: .PP
1572: \fBsudo\fR
1573: will read each file in
1574: \fI/etc/sudoers.d\fR,
1575: skipping file names that end in
1576: \(oq~\(cq
1577: or contain a
1578: \(oq.\&\(cq
1579: character to avoid causing problems with package manager or editor
1580: temporary/backup files.
1581: Files are parsed in sorted lexical order.
1582: That is,
1583: \fI/etc/sudoers.d/01_first\fR
1584: will be parsed before
1585: \fI/etc/sudoers.d/10_second\fR.
1586: Be aware that because the sorting is lexical, not numeric,
1587: \fI/etc/sudoers.d/1_whoops\fR
1588: would be loaded
1589: \fBafter\fR
1590: \fI/etc/sudoers.d/10_second\fR.
1591: Using a consistent number of leading zeroes in the file names avoids
1592: such problems.
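.PP
The following Python functions are an added example, not part of the
sudoers manual or of the
\fBsudo\fR
source.
The first applies the
\fR#includedir\fR
rules stated above (skip names ending in
\(oq~\(cq
or containing a
\(oq.\&\(cq,
then sort lexically); the second is an added check that flags the
\fI1_whoops\fR
situation, where a file with a smaller leading number is parsed later
because it has fewer digits.
The file names used are constructed for the demonstration.

```python
"""Which files an #includedir directive reads, and in what order.

Added example (not sudo's own code): models the skip rule and the
lexical sort, and flags numeric prefixes that sort out of order.
"""
import re
from typing import Iterable, List


def includedir_order(names: Iterable[str]) -> List[str]:
    """Return the file names sudo would parse, in parse order.

    Names ending in '~' (editor backups) or containing '.' (package
    manager temporaries such as foo.dpkg-new, foo.rpmsave) are skipped;
    the remainder is sorted lexically, not numerically.
    """
    kept = [n for n in names if not n.endswith("~") and "." not in n]
    return sorted(kept)


def ordering_warnings(names: Iterable[str]) -> List[str]:
    """Warn where lexical parse order disagrees with the leading numbers.

    A sequence is in numeric order exactly when every adjacent pair is,
    so checking neighbours is enough to find every inversion.
    """
    numbered = []
    for name in includedir_order(names):
        m = re.match(r"(\d+)", name)
        if m:
            numbered.append((int(m.group(1)), name))
    warnings = []
    for (a_num, a_name), (b_num, b_name) in zip(numbered, numbered[1:]):
        if a_num > b_num:
            warnings.append("%s is parsed after %s despite its smaller number"
                            % (b_name, a_name))
    return warnings


# Constructed directory listing for the demonstration.
SAMPLE_DIR = ["10_second", "1_whoops", "01_first", "README.md",
              "01_first~", "99-site.dpkg-new"]
```
.PP
Because later files can override Defaults set by earlier ones, the
parse order matters; running
\fRordering_warnings\fR
over a listing of
\fI/etc/sudoers.d\fR
is a quick way to spot a mis-numbered file before it changes the
effective policy.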
1593: .PP
1594: Note that unlike files included via
1595: \fR#include\fR,
1596: \fBvisudo\fR
1597: will not edit the files in a
1598: \fR#includedir\fR
1599: directory unless one of them contains a syntax error.
1600: It is still possible to run
1601: \fBvisudo\fR
1602: with the
1603: \fB\-f\fR
1604: flag to edit the files directly.
1605: .SS "Other special characters and reserved words"
1606: The pound sign
1607: (\(oq#\(cq)
1608: is used to indicate a comment (unless it is part of a #include
1609: directive or unless it occurs in the context of a user name and is
1610: followed by one or more digits, in which case it is treated as a
1611: uid).
1612: Both the comment character and any text after it, up to the end of
1613: the line, are ignored.
1614: .PP
1615: The reserved word
1616: \fBALL\fR
1617: is a built-in
1618: \fIalias\fR
1619: that always causes a match to succeed.
1620: It can be used wherever one might otherwise use a
1621: \fRCmnd_Alias\fR,
1622: \fRUser_Alias\fR,
1623: \fRRunas_Alias\fR,
1624: or
1625: \fRHost_Alias\fR.
1626: You should not try to define your own
1627: \fIalias\fR
1628: called
1629: \fBALL\fR
1630: as the built-in alias will be used in preference to your own.
1631: Please note that using
1632: \fBALL\fR
1633: can be dangerous since in a command context, it allows the user to run
1634: \fBany\fR
1635: command on the system.
1636: .PP
1637: An exclamation point
1638: (\(oq\&!\(cq)
1639: can be used as a logical
1640: \fInot\fR
1641: operator in a list or
1642: \fIalias\fR
1643: as well as in front of a
1644: \fRCmnd\fR.
1645: This allows one to exclude certain values.
1646: For the
1647: \(oq\&!\(cq
1648: operator to be effective, there must be something for it to exclude.
1649: For example, to match all users except for root one would use:
1650: .nf
1651: .sp
1652: .RS 4n
1653: ALL,!root
1654: .RE
1655: .fi
1656: .PP
1657: If the
1658: \fBALL\fR,
1659: is omitted, as in:
1660: .nf
1661: .sp
1662: .RS 4n
1663: !root
1664: .RE
1665: .fi
1666: .PP
1667: it would explicitly deny root but not match any other users.
1668: This is different from a true
1669: \(lqnegation\(rq
1670: operator.
1671: .PP
1672: Note, however, that using a
1673: \(oq\&!\(cq
1674: in conjunction with the built-in
1675: \fBALL\fR
1676: alias to allow a user to run
1677: \(lqall but a few\(rq
1678: commands rarely works as intended (see
1679: \fISECURITY NOTES\fR
1680: below).
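.PP
The following Python function is an added example, not part of the sudoers
manual or of the
\fBsudo\fR
matcher.
It models how a user is matched against a list that uses the constructs
described above:
\fBALL\fR
always matches, a
\(oq\&!\(cq
negates the element after it, a
\(oq#\(cq
followed by digits in a user context is a uid, and a
\(oq%\(cq
prefix names a group.
The list matches when the last element that applies to the user is not
negated, which is why
\fR!root\fR
on its own denies root but matches nobody else.

```python
"""Matching a user against a sudoers User_List with '!' and ALL.

Added example (not sudo's own code). The decision is taken by the last
list element that applies to the user; an element that applies but is
negated denies, and a list in which nothing applies does not match.
"""
from typing import Iterable


def element_applies(elem: str, user: str, uid: int, groups: Iterable[str]) -> bool:
    """Does one (un-negated) list element refer to this user?"""
    if elem == "ALL":
        return True
    if elem.startswith("#") and elem[1:].isdigit():   # "#1000" is a uid
        return int(elem[1:]) == uid
    if elem.startswith("%"):                          # "%wheel" is a group
        return elem[1:] in set(groups)
    return elem == user


def user_list_matches(spec: str, user: str, uid: int,
                      groups: Iterable[str] = ()) -> bool:
    """Return True if the comma-separated list matches (allows) `user`."""
    groups = set(groups)
    matched = False
    for raw in spec.split(","):
        elem = raw.strip()
        negated = False
        while elem.startswith("!"):       # "!!root" negates twice
            negated = not negated
            elem = elem[1:].strip()
        if element_applies(elem, user, uid, groups):
            matched = not negated         # the last applicable element wins
    return matched
```
.PP
The two lists from this section behave as the text describes:
\fRALL,!root\fR
matches every user except root, while
\fR!root\fR
alone matches no one, because there is nothing in front of the
\(oq\&!\(cq
for it to exclude from.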
1681: .PP
1682: Long lines can be continued with a backslash
1683: (\(oq\e\(cq)
1684: as the last character on the line.
1685: .PP
1686: White space between elements in a list as well as special syntactic
1687: characters in a
1688: \fIUser Specification\fR
1689: (\(oq=\&\(cq,
1690: \(oq:\&\(cq,
1691: \(oq(\&\(cq,
1692: \(oq)\&\(cq)
1693: is optional.
1694: .PP
1695: The following characters must be escaped with a backslash
1696: (\(oq\e\(cq)
1697: when used as part of a word (e.g.\& a user name or host name):
1698: \(oq\&!\(cq,
1699: \(oq=\&\(cq,
1700: \(oq:\&\(cq,
1701: \(oq,\&\(cq,
1702: \(oq(\&\(cq,
1703: \(oq)\&\(cq,
1704: \(oq\e\(cq.
1705: .SH "SUDOERS OPTIONS"
1706: \fBsudo\fR's
1707: behavior can be modified by
1708: \fRDefault_Entry\fR
1709: lines, as explained earlier.
1710: All supported Defaults parameters, grouped by type, are listed below.
1711: .PP
1712: \fBBoolean Flags\fR:
1713: .TP 18n
1714: always_set_home
1715: If enabled,
1716: \fBsudo\fR
1717: will set the
1718: \fRHOME\fR
1719: environment variable to the home directory of the target user
1720: (which is root unless the
1721: \fB\-u\fR
1722: option is used).
1723: This effectively means that the
1724: \fB\-H\fR
1725: option is always implied.
1726: Note that
1727: \fRHOME\fR
1728: is already set when the
1729: \fIenv_reset\fR
1730: option is enabled, so
1731: \fIalways_set_home\fR
1732: is only effective for configurations where either
1733: \fIenv_reset\fR
1734: is disabled or
1735: \fRHOME\fR
1736: is present in the
1737: \fIenv_keep\fR
1738: list.
1739: This flag is
1740: \fIoff\fR
1741: by default.
1742: .TP 18n
1743: authenticate
1744: If set, users must authenticate themselves via a password (or other
1745: means of authentication) before they may run commands.
1746: This default may be overridden via the
1747: \fRPASSWD\fR
1748: and
1749: \fRNOPASSWD\fR
1750: tags.
1751: This flag is
1752: \fIon\fR
1753: by default.
1754: .TP 18n
1755: closefrom_override
1756: If set, the user may use
1757: \fBsudo\fR's
1758: \fB\-C\fR
1759: option which overrides the default starting point at which
1760: \fBsudo\fR
1761: begins closing open file descriptors.
1762: This flag is
1763: \fIoff\fR
1764: by default.
1765: .TP 18n
1766: compress_io
1767: If set, and
1768: \fBsudo\fR
1769: is configured to log a command's input or output,
1770: the I/O logs will be compressed using
1771: \fBzlib\fR.
1772: This flag is
1773: \fIon\fR
1774: by default when
1775: \fBsudo\fR
1776: is compiled with
1777: \fBzlib\fR
1778: support.
1779: .TP 18n
1780: use_netgroups
1781: If set, netgroups (prefixed with
1782: \(oq+\(cq),
1783: may be used in place of a user or host.
1784: For LDAP-based sudoers, netgroup support requires an expensive
1785: substring match on the server.
1786: If netgroups are not needed, this option can be disabled to reduce the
1787: load on the LDAP server.
1788: This flag is
1789: \fIon\fR
1790: by default.
1791: .TP 18n
1792: exec_background
1793: By default,
1794: \fBsudo\fR
1795: runs a command as the foreground process as long as
1796: \fBsudo\fR
1797: itself is running in the foreground.
1798: When the
1799: \fIexec_background\fR
1800: flag is enabled and the command is being run in a pty (due to I/O logging
1801: or the
1802: \fIuse_pty\fR
1803: flag), the command will be run as a background process.
1804: Attempts to read from the controlling terminal (or to change terminal
1805: settings) will result in the command being suspended with the
1806: \fRSIGTTIN\fR
1807: signal (or
1808: \fRSIGTTOU\fR
1809: in the case of terminal settings).
1810: If this happens when
1811: \fBsudo\fR
1812: is a foreground process, the command will be granted the controlling terminal
1813: and resumed in the foreground with no user intervention required.
1814: The advantage of initially running the command in the background is that
1815: \fBsudo\fR
1816: need not read from the terminal unless the command explicitly requests it.
1817: Otherwise, any terminal input must be passed to the command, whether it
1818: has required it or not (the kernel buffers terminals so it is not possible
1819: to tell whether the command really wants the input).
1820: This is different from historic
1821: \fIsudo\fR
1822: behavior or when the command is not being run in a pty.
1823: .sp
1824: For this to work seamlessly, the operating system must support the
1825: automatic restarting of system calls.
1826: Unfortunately, not all operating systems do this by default,
1827: and even those that do may have bugs.
1828: For example, Mac OS X fails to restart the
1829: \fBtcgetattr\fR()
1830: and
1831: \fBtcsetattr\fR()
1832: system calls (this is a bug in Mac OS X).
1833: Furthermore, because this behavior depends on the command stopping with the
1834: \fRSIGTTIN\fR
1835: or
1836: \fRSIGTTOU\fR
1837: signals, programs that catch these signals and suspend themselves
1838: with a different signal (usually
1839: \fRSIGSTOP\fR)
1840: will not be automatically foregrounded.
1841: Some versions of the Linux
1842: su(1)
1843: command behave this way.
1844: .sp
1845: This setting is only supported by version 1.8.7 or higher.
1846: It has no effect unless I/O logging is enabled or the
1847: \fIuse_pty\fR
1848: flag is enabled.
1849: .TP 18n
1850: env_editor
1851: If set,
1852: \fBvisudo\fR
1853: will use the value of the
1854: \fREDITOR\fR
1855: or
1856: \fRVISUAL\fR
1857: environment variables before falling back on the default editor list.
1858: Note that this may create a security hole as it allows the user to
1859: run any arbitrary command as root without logging.
1860: A safer alternative is to place a colon-separated list of editors
1861: in the
1862: \fReditor\fR
1863: variable.
1864: \fBvisudo\fR
1865: will then only use the
1866: \fREDITOR\fR
1867: or
1868: \fRVISUAL\fR
1869: if they match a value specified in
1870: \fReditor\fR.
1871: This flag is
1872: \fI@env_editor@\fR
1873: by default.
1874: .TP 18n
1875: env_reset
1876: If set,
1877: \fBsudo\fR
1878: will run the command in a minimal environment containing the
1879: \fRTERM\fR,
1880: \fRPATH\fR,
1881: \fRHOME\fR,
1882: \fRMAIL\fR,
1883: \fRSHELL\fR,
1884: \fRLOGNAME\fR,
1885: \fRUSER\fR,
1886: \fRUSERNAME\fR
1887: and
1888: \fRSUDO_*\fR
1889: variables.
1890: Any
1891: variables in the caller's environment that match the
1892: \fRenv_keep\fR
1893: and
1894: \fRenv_check\fR
1895: lists are then added, followed by any variables present in the file
1896: specified by the
1897: \fIenv_file\fR
1898: option (if any).
1899: The default contents of the
1900: \fRenv_keep\fR
1901: and
1902: \fRenv_check\fR
1903: lists are displayed when
1904: \fBsudo\fR
1905: is run by root with the
1906: \fB\-V\fR
1907: option.
1908: If the
1909: \fIsecure_path\fR
1910: option is set, its value will be used for the
1911: \fRPATH\fR
1912: environment variable.
1913: This flag is
1914: \fI@env_reset@\fR
1915: by default.
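.PP
The following Python function is an added example, not part of the sudoers
manual or of the
\fBsudo\fR
source.
It builds the command environment in the order
\fIenv_reset\fR
describes: start from the minimal variable set, add caller variables
listed in
\fIenv_keep\fR,
add those listed in
\fIenv_check\fR
only if their value passes a safety test, append the variables from
\fIenv_file\fR,
and let
\fIsecure_path\fR
replace
\fRPATH\fR.
The safety test used for
\fIenv_check\fR
(reject a value containing
\(oq%\(cq
or
\(oq/\(cq)
is taken from that option's description, which is outside this section,
and is simplified here: the special handling of
\fRTZ\fR
is omitted.
The values sudo assigns to the minimal set, the caller's environment and
the
\fIenv_file\fR
contents are constructed for the demonstration, and the
\fRSUDO_*\fR
variables are left out because sudo sets them itself.

```python
"""Assembling the command environment as env_reset describes.

Added example (not sudo's own code). The sample environments below are
constructed for the demonstration.
"""
from typing import Dict, Iterable, Optional

# The minimal set env_reset starts from; sudo computes the values from
# the target user's account.  Constructed sample values.
TARGET_BASE_ENV = {
    "TERM": "xterm", "PATH": "/usr/bin:/bin", "HOME": "/root",
    "MAIL": "/var/mail/root", "SHELL": "/bin/sh", "LOGNAME": "root",
    "USER": "root", "USERNAME": "root",
}

# Constructed caller environment: a mix of harmless and unwanted values.
CALLER_ENV = {
    "TERM": "xterm-256color", "PATH": "/home/alice/bin:/usr/bin",
    "HOME": "/home/alice", "EDITOR": "/usr/bin/vim",
    "COLORTERM": "truecolor", "LANG": "en_US.UTF-8", "PS1": "%n@%m> ",
}


def env_check_safe(name: str, value: str) -> bool:
    """env_check keeps a variable only if its value has no '%' or '/'.

    Assumption from the env_check option description; the TZ special
    case documented there is not modelled.
    """
    return "%" not in value and "/" not in value


def build_env(caller_env: Dict[str, str], base_env: Dict[str, str],
              env_keep: Iterable[str], env_check: Iterable[str],
              env_file: Optional[Dict[str, str]] = None,
              secure_path: Optional[str] = None) -> Dict[str, str]:
    """Return the environment the command would be started with."""
    env = dict(base_env)                          # 1. minimal set
    for name in env_keep:                         # 2. env_keep, as-is
        if name in caller_env:
            env[name] = caller_env[name]
    for name in env_check:                        # 3. env_check, if safe
        if name in caller_env and env_check_safe(name, caller_env[name]):
            env[name] = caller_env[name]
    if env_file:                                  # 4. env_file contents
        env.update(env_file)
    if secure_path is not None:                   # 5. secure_path wins
        env["PATH"] = secure_path
    return env


def example_env() -> Dict[str, str]:
    """Constructed policy: keep COLORTERM, check LANG and PS1, set a PATH."""
    return build_env(CALLER_ENV, TARGET_BASE_ENV,
                     env_keep=["COLORTERM"], env_check=["LANG", "PS1"],
                     env_file={"LC_ALL": "C"},
                     secure_path="/usr/sbin:/usr/bin:/sbin:/bin")
```
.PP
In the constructed run,
\fREDITOR\fR
and the caller's
\fRHOME\fR
and
\fRPATH\fR
never reach the command,
\fRPS1\fR
is dropped because its value contains a
\(oq%\(cq,
and only
\fRCOLORTERM\fR,
\fRLANG\fR
and the
\fIenv_file\fR
variable are added to the minimal set.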
1916: .TP 18n
1917: fast_glob
1918: Normally,
1919: \fBsudo\fR
1920: uses the
1921: glob(3)
1922: function to do shell-style globbing when matching path names.
1923: However, since it accesses the file system,
1924: glob(3)
1925: can take a long time to complete for some patterns, especially
1926: when the pattern references a network file system that is mounted
1927: on demand (auto mounted).
1928: The
1929: \fIfast_glob\fR
1930: option causes
1931: \fBsudo\fR
1932: to use the
1933: fnmatch(3)
1934: function, which does not access the file system to do its matching.
1935: The disadvantage of
1936: \fIfast_glob\fR
1937: is that it is unable to match relative path names such as
1938: \fI./ls\fR
1939: or
1940: \fI../bin/ls\fR.
1941: This has security implications when path names that include globbing
1942: characters are used with the negation operator,
1943: \(oq!\&\(cq,
1944: as such rules can be trivially bypassed.
1945: As such, this option should not be used when
1946: \fIsudoers\fR
1947: contains rules that contain negated path names which include globbing
1948: characters.
1949: This flag is
1950: \fIoff\fR
1951: by default.
1952: .TP 18n
1953: fqdn
1954: Set this flag if you want to put fully qualified host names in the
1955: \fIsudoers\fR
1956: file when the local host name (as returned by the
1957: \fRhostname\fR
1958: command) does not contain the domain name.
1959: In other words, instead of myhost you would use myhost.mydomain.edu.
1960: You may still use the short form if you wish (and even mix the two).
1961: This option is only effective when the
1962: \(lqcanonical\(rq
1963: host name, as returned by the
1964: \fBgetaddrinfo\fR()
1965: or
1966: \fBgethostbyname\fR()
1967: function, is a fully-qualified domain name.
1968: This is usually the case when the system is configured to use DNS
1969: for host name resolution.
1970: .sp
1971: If the system is configured to use the
1972: \fI/etc/hosts\fR
1973: file in preference to DNS, the
1974: \(lqcanonical\(rq
1975: host name may not be fully-qualified.
1976: The order that sources are queried for host name resolution
1977: is usually specified in the
1978: \fI@nsswitch_conf@\fR,
1979: \fI@netsvc_conf@\fR,
1980: \fI/etc/host.conf\fR,
1981: or, in some cases,
1982: \fI/etc/resolv.conf\fR
1983: file.
1984: In the
1985: \fI/etc/hosts\fR
1986: file, the first host name of the entry is considered to be the
1987: \(lqcanonical\(rq
1988: name; subsequent names are aliases that are not used by
1989: \fBsudoers\fR.
1990: For example, the following hosts file line for the machine
1991: \(lqxyzzy\(rq
1992: has the fully-qualified domain name as the
1993: \(lqcanonical\(rq
1994: host name, and the short version as an alias.
1995: .sp
1996: .RS 24n
1997: 192.168.1.1 xyzzy.sudo.ws xyzzy
1998: .RE
1999: .RS 18n
2000: .sp
2001: If the machine's hosts file entry is not formatted properly, the
2002: \fIfqdn\fR
2003: option will not be effective if it is queried before DNS.
2004: .sp
2005: Beware that when using DNS for host name resolution, turning on
2006: \fIfqdn\fR
2007: requires
2008: \fBsudoers\fR
2009: to make DNS lookups which renders
2010: \fBsudo\fR
2011: unusable if DNS stops working (for example if the machine is disconnected
2012: from the network).
2013: Also note that just like with the hosts file, you must use the
2014: \(lqcanonical\(rq
2015: name as DNS knows it.
2016: That is, you may not use a host alias
2017: (\fRCNAME\fR
2018: entry)
2019: due to performance issues and the fact that there is no way to get all
2020: aliases from DNS.
2021: .sp
2022: This flag is
2023: \fI@fqdn@\fR
2024: by default.
2025: .RE
2026: .TP 18n
2027: ignore_dot
2028: If set,
2029: \fBsudo\fR
2030: will ignore "." or "" (both denoting current directory) in the
2031: \fRPATH\fR
2032: environment variable; the
2033: \fRPATH\fR
2034: itself is not modified.
2035: This flag is
2036: \fI@ignore_dot@\fR
2037: by default.
2038: .TP 18n
2039: ignore_local_sudoers
2040: If set via LDAP, parsing of
2041: \fI@sysconfdir@/sudoers\fR
2042: will be skipped.
2043: This is intended for enterprises that wish to prevent the use of local
2044: sudoers files so that only LDAP is used.
2045: This thwarts the efforts of rogue operators who would attempt to add roles to
2046: \fI@sysconfdir@/sudoers\fR.
2047: When this option is present,
2048: \fI@sysconfdir@/sudoers\fR
2049: does not even need to exist.
2050: Since this option tells
2051: \fBsudo\fR
2052: how to behave when no specific LDAP entries have been matched, this
2053: sudoOption is only meaningful for the
2054: \fRcn=defaults\fR
2055: section.
2056: This flag is
2057: \fIoff\fR
2058: by default.
2059: .TP 18n
2060: insults
2061: If set,
2062: \fBsudo\fR
2063: will insult users when they enter an incorrect password.
2064: This flag is
2065: \fI@insults@\fR
2066: by default.
2067: .TP 18n
2068: log_host
2069: If set, the host name will be logged in the (non-syslog)
2070: \fBsudo\fR
2071: log file.
2072: This flag is
2073: \fIoff\fR
2074: by default.
2075: .TP 18n
2076: log_input
2077: If set,
2078: \fBsudo\fR
2079: will run the command in a
2080: \fIpseudo tty\fR
2081: and log all user input.
2082: If the standard input is not connected to the user's tty, due to
2083: I/O redirection or because the command is part of a pipeline, that
2084: input is also captured and stored in a separate log file.
2085: .sp
2086: Input is logged to the directory specified by the
2087: \fIiolog_dir\fR
2088: option
2089: (\fI@iolog_dir@\fR
2090: by default)
2091: using a unique session ID that is included in the normal
2092: \fBsudo\fR
2093: log line, prefixed with
2094: \(lq\fRTSID=\fR\(rq.
2095: The
2096: \fIiolog_file\fR
2097: option may be used to control the format of the session ID.
2098: .sp
2099: Note that user input may contain sensitive information such as
2100: passwords (even if they are not echoed to the screen), which will
2101: be stored in the log file unencrypted.
2102: In most cases, logging the command output via
2103: \fIlog_output\fR
2104: is all that is required.
2105: .TP 18n
2106: log_output
2107: If set,
2108: \fBsudo\fR
2109: will run the command in a
2110: \fIpseudo tty\fR
2111: and log all output that is sent to the screen, similar to the
2112: script(1)
2113: command.
2114: If the standard output or standard error is not connected to the
2115: user's tty, due to I/O redirection or because the command is part
2116: of a pipeline, that output is also captured and stored in separate
2117: log files.
2118: .sp
2119: Output is logged to the directory specified by the
2120: \fIiolog_dir\fR
2121: option
2122: (\fI@iolog_dir@\fR
2123: by default)
2124: using a unique session ID that is included in the normal
2125: \fBsudo\fR
2126: log line, prefixed with
2127: \(lq\fRTSID=\fR\(rq.
2128: The
2129: \fIiolog_file\fR
2130: option may be used to control the format of the session ID.
2131: .sp
2132: Output logs may be viewed with the
2133: sudoreplay(@mansectsu@)
2134: utility, which can also be used to list or search the available logs.
2135: .TP 18n
2136: log_year
2137: If set, the four-digit year will be logged in the (non-syslog)
2138: \fBsudo\fR
2139: log file.
2140: This flag is
2141: \fIoff\fR
2142: by default.
2143: .TP 18n
2144: long_otp_prompt
2145: When validating with a One Time Password (OTP) scheme such as
2146: \fBS/Key\fR
2147: or
2148: \fBOPIE\fR,
2149: a two-line prompt is used to make it easier
2150: to cut and paste the challenge to a local window.
2151: It's not as pretty as the default but some people find it more convenient.
2152: This flag is
2153: \fI@long_otp_prompt@\fR
2154: by default.
2155: .TP 18n
2156: mail_always
2157: Send mail to the
2158: \fImailto\fR
2159: user every time a user runs
2160: \fBsudo\fR.
2161: This flag is
2162: \fIoff\fR
2163: by default.
2164: .TP 18n
2165: mail_badpass
2166: Send mail to the
2167: \fImailto\fR
2168: user if the user running
2169: \fBsudo\fR
2170: does not enter the correct password.
2171: If the command the user is attempting to run is not permitted by
2172: \fIsudoers\fR
2173: and one of the
2174: \fImail_always\fR,
2175: \fImail_no_host\fR,
2176: \fImail_no_perms\fR
2177: or
2178: \fImail_no_user\fR
2179: flags is set, this flag will have no effect.
2180: This flag is
2181: \fIoff\fR
2182: by default.
2183: .TP 18n
2184: mail_no_host
2185: If set, mail will be sent to the
2186: \fImailto\fR
2187: user if the invoking user exists in the
2188: \fIsudoers\fR
2189: file, but is not allowed to run commands on the current host.
2190: This flag is
2191: \fI@mail_no_host@\fR
2192: by default.
2193: .TP 18n
2194: mail_no_perms
2195: If set, mail will be sent to the
2196: \fImailto\fR
2197: user if the invoking user is allowed to use
2198: \fBsudo\fR
2199: but the command they are trying is not listed in their
2200: \fIsudoers\fR
2201: file entry or is explicitly denied.
2202: This flag is
2203: \fI@mail_no_perms@\fR
2204: by default.
2205: .TP 18n
2206: mail_no_user
2207: If set, mail will be sent to the
2208: \fImailto\fR
2209: user if the invoking user is not in the
2210: \fIsudoers\fR
2211: file.
2212: This flag is
2213: \fI@mail_no_user@\fR
2214: by default.
2215: .TP 18n
2216: noexec
2217: If set, all commands run via
2218: \fBsudo\fR
2219: will behave as if the
2220: \fRNOEXEC\fR
2221: tag has been set, unless overridden by a
2222: \fREXEC\fR
2223: tag.
2224: See the description of
2225: \fINOEXEC and EXEC\fR
2226: in the Tag_Spec section above as well as the
2227: \fIPreventing shell escapes\fR
2228: section at the end of this manual.
2229: This flag is
2230: \fIoff\fR
2231: by default.
2232: .TP 18n
2233: pam_session
2234: On systems that use PAM for authentication,
2235: \fBsudo\fR
2236: will create a new PAM session for the command to be run in.
2237: Disabling
2238: \fIpam_session\fR
2239: may be needed on older PAM implementations or on operating systems where
2240: opening a PAM session changes the utmp or wtmp files.
2241: If PAM session support is disabled, resource limits may not be updated
2242: for the command being run.
2243: If
2244: \fIpam_session\fR,
2245: \fIpam_setcred\fR,
2246: and
2247: \fIuse_pty\fR
2248: are disabled and I/O logging has not been configured,
2249: \fBsudo\fR
2250: will execute the command directly instead of running it as a child
2251: process.
2252: This flag is
2253: \fI@pam_session@\fR
2254: by default.
2255: .sp
2256: This setting is only supported by version 1.8.7 or higher.
2257: .TP 18n
2258: pam_setcred
2259: On systems that use PAM for authentication,
2260: \fBsudo\fR
2261: will attempt to establish credentials for the target user by default,
2262: if supported by the underlying authentication system.
2263: One example of a credential is a Kerberos ticket.
2264: If
2265: \fIpam_session\fR,
2266: \fIpam_setcred\fR,
2267: and
2268: \fIuse_pty\fR
2269: are disabled and I/O logging has not been configured,
2270: \fBsudo\fR
2271: will execute the command directly instead of running it as a child
2272: process.
2273: This flag is
2274: \fIon\fR
2275: by default.
2276: .sp
2277: This setting is only supported by version 1.8.8 or higher.
2278: .TP 18n
2279: passprompt_override
2280: The password prompt specified by
2281: \fIpassprompt\fR
2282: will normally only be used if the password prompt provided by systems
2283: such as PAM matches the string
2284: \(lqPassword:\(rq.
2285: If
2286: \fIpassprompt_override\fR
2287: is set,
2288: \fIpassprompt\fR
2289: will always be used.
2290: This flag is
2291: \fIoff\fR
2292: by default.
2293: .TP 18n
2294: path_info
2295: Normally,
2296: \fBsudo\fR
2297: will tell the user when a command could not be
2298: found in their
2299: \fRPATH\fR
2300: environment variable.
2301: Some sites may wish to disable this as it could be used to gather
2302: information on the location of executables that the normal user does
2303: not have access to.
2304: The disadvantage is that if the executable is simply not in the user's
2305: \fRPATH\fR,
2306: \fBsudo\fR
2307: will tell the user that they are not allowed to run it, which can be confusing.
2308: This flag is
2309: \fI@path_info@\fR
2310: by default.
2311: .TP 18n
2312: preserve_groups
2313: By default,
2314: \fBsudo\fR
2315: will initialize the group vector to the list of groups the target user is in.
2316: When
2317: \fIpreserve_groups\fR
2318: is set, the user's existing group vector is left unaltered.
2319: The real and effective group IDs, however, are still set to match the
2320: target user.
2321: This flag is
2322: \fIoff\fR
2323: by default.
2324: .TP 18n
2325: pwfeedback
2326: By default,
2327: \fBsudo\fR
2328: reads the password like most other Unix programs,
2329: by turning off echo until the user hits the return (or enter) key.
2330: Some users become confused by this as it appears to them that
2331: \fBsudo\fR
2332: has hung at this point.
2333: When
2334: \fIpwfeedback\fR
2335: is set,
2336: \fBsudo\fR
2337: will provide visual feedback when the user presses a key.
2338: Note that this does have a security impact as an onlooker may be able to
2339: determine the length of the password being entered.
2340: This flag is
2341: \fIoff\fR
2342: by default.
2343: .TP 18n
2344: requiretty
2345: If set,
2346: \fBsudo\fR
2347: will only run when the user is logged in to a real tty.
2348: When this flag is set,
2349: \fBsudo\fR
2350: can only be run from a login session and not via other means such as
2351: cron(@mansectsu@)
2352: or cgi-bin scripts.
2353: This flag is
2354: \fIoff\fR
2355: by default.
2356: .TP 18n
2357: root_sudo
2358: If set, root is allowed to run
2359: \fBsudo\fR
2360: too.
2361: Disabling this prevents users from
2362: \(lqchaining\(rq
2363: \fBsudo\fR
2364: commands to get a root shell by doing something like
2365: \(lq\fRsudo sudo /bin/sh\fR\(rq.
2366: Note, however, that turning off
2367: \fIroot_sudo\fR
2368: will also prevent root from running
2369: \fBsudoedit\fR.
2370: Disabling
2371: \fIroot_sudo\fR
2372: provides no real additional security; it exists purely for historical reasons.
2373: This flag is
2374: \fI@root_sudo@\fR
2375: by default.
2376: .TP 18n
2377: rootpw
2378: If set,
2379: \fBsudo\fR
2380: will prompt for the root password instead of the password of the invoking user
2381: when running a command or editing a file.
2382: This flag is
2383: \fIoff\fR
2384: by default.
2385: .TP 18n
2386: runaspw
2387: If set,
2388: \fBsudo\fR
2389: will prompt for the password of the user defined by the
2390: \fIrunas_default\fR
2391: option (defaults to
2392: \fR@runas_default@\fR)
2393: instead of the password of the invoking user
2394: when running a command or editing a file.
2395: This flag is
2396: \fIoff\fR
2397: by default.
2398: .TP 18n
2399: set_home
2400: If enabled and
2401: \fBsudo\fR
2402: is invoked with the
2403: \fB\-s\fR
2404: option the
2405: \fRHOME\fR
2406: environment variable will be set to the home directory of the target
2407: user (which is root unless the
2408: \fB\-u\fR
2409: option is used).
2410: This effectively makes the
2411: \fB\-s\fR
2412: option imply
2413: \fB\-H\fR.
2414: Note that
2415: \fRHOME\fR
2416: is already set when the
2417: \fIenv_reset\fR
2418: option is enabled, so
2419: \fIset_home\fR
2420: is only effective for configurations where either
2421: \fIenv_reset\fR
2422: is disabled
2423: or
2424: \fRHOME\fR
2425: is present in the
2426: \fIenv_keep\fR
2427: list.
2428: This flag is
2429: \fIoff\fR
2430: by default.
2431: .TP 18n
2432: set_logname
2433: Normally,
2434: \fBsudo\fR
2435: will set the
2436: \fRLOGNAME\fR,
2437: \fRUSER\fR
2438: and
2439: \fRUSERNAME\fR
2440: environment variables to the name of the target user (usually root unless the
2441: \fB\-u\fR
2442: option is given).
2443: However, since some programs (including the RCS revision control system) use
2444: \fRLOGNAME\fR
2445: to determine the real identity of the user, it may be desirable to
2446: change this behavior.
2447: This can be done by negating the set_logname option.
2448: Note that if the
2449: \fIenv_reset\fR
2450: option has not been disabled, entries in the
2451: \fIenv_keep\fR
2452: list will override the value of
2453: \fIset_logname\fR.
2454: This flag is
2455: \fIon\fR
2456: by default.
2457: .TP 18n
2458: set_utmp
2459: When enabled,
2460: \fBsudo\fR
2461: will create an entry in the utmp (or utmpx) file when a pseudo-tty
2462: is allocated.
2463: A pseudo-tty is allocated by
2464: \fBsudo\fR
2465: when the
2466: \fIlog_input\fR,
2467: \fIlog_output\fR
2468: or
2469: \fIuse_pty\fR
2470: flags are enabled.
2471: By default, the new entry will be a copy of the user's existing utmp
2472: entry (if any), with the tty, time, type and pid fields updated.
2473: This flag is
2474: \fIon\fR
2475: by default.
2476: .TP 18n
2477: setenv
2478: Allow the user to disable the
2479: \fIenv_reset\fR
2480: option from the command line via the
2481: \fB\-E\fR
2482: option.
2483: Additionally, environment variables set via the command line are
2484: not subject to the restrictions imposed by
2485: \fIenv_check\fR,
2486: \fIenv_delete\fR,
2487: or
2488: \fIenv_keep\fR.
2489: As such, only trusted users should be allowed to set variables in this manner.
2490: This flag is
2491: \fIoff\fR
2492: by default.
2493: .TP 18n
2494: shell_noargs
2495: If set and
2496: \fBsudo\fR
2497: is invoked with no arguments it acts as if the
2498: \fB\-s\fR
2499: option had been given.
2500: That is, it runs a shell as root (the shell is determined by the
2501: \fRSHELL\fR
2502: environment variable if it is set, falling back on the shell listed
2503: in the invoking user's /etc/passwd entry if not).
2504: This flag is
2505: \fIoff\fR
2506: by default.
2507: .TP 18n
2508: stay_setuid
2509: Normally, when
2510: \fBsudo\fR
2511: executes a command the real and effective UIDs are set to the target
2512: user (root by default).
2513: This option changes that behavior such that the real UID is left
2514: as the invoking user's UID.
2515: In other words, this makes
2516: \fBsudo\fR
2517: act as a setuid wrapper.
2518: This can be useful on systems that disable some potentially
2519: dangerous functionality when a program is run setuid.
2520: This option is only effective on systems that support either the
2521: setreuid(2)
2522: or
2523: setresuid(2)
2524: system call.
2525: This flag is
2526: \fIoff\fR
2527: by default.
2528: .TP 18n
2529: targetpw
2530: If set,
2531: \fBsudo\fR
2532: will prompt for the password of the user specified
2533: by the
2534: \fB\-u\fR
2535: option (defaults to
2536: \fRroot\fR)
2537: instead of the password of the invoking user
2538: when running a command or editing a file.
2539: Note that this flag precludes the use of a uid not listed in the passwd
2540: database as an argument to the
2541: \fB\-u\fR
2542: option.
2543: This flag is
2544: \fIoff\fR
2545: by default.
2546: .TP 18n
2547: tty_tickets
2548: If set, users must authenticate on a per-tty basis.
2549: With this flag enabled,
2550: \fBsudo\fR
2551: will use a separate record in the time stamp file for each tty.
2552: If disabled, a single record is used for all login sessions.
2553: This flag is
2554: \fI@tty_tickets@\fR
2555: by default.
2556: .TP 18n
2557: umask_override
2558: If set,
2559: \fBsudo\fR
2560: will set the umask as specified by
2561: \fIsudoers\fR
2562: without modification.
2563: This makes it possible to specify a more permissive umask in
2564: \fIsudoers\fR
2565: than the user's own umask and matches historical behavior.
2566: If
2567: \fIumask_override\fR
2568: is not set,
2569: \fBsudo\fR
2570: will set the umask to be the union of the user's umask and what is specified in
2571: \fIsudoers\fR.
2572: This flag is
2573: \fI@umask_override@\fR
2574: by default.
2575: .TP 18n
2576: use_loginclass
2577: If set,
2578: \fBsudo\fR
2579: will apply the defaults specified for the target user's login class
2580: if one exists.
2581: Only available if
2582: \fBsudo\fR
2583: is configured with the
2584: \fR--with-logincap\fR
2585: option.
2586: This flag is
2587: \fIoff\fR
2588: by default.
2589: .TP 18n
2590: use_pty
2591: If set,
2592: \fBsudo\fR
will run the command in a pseudo-tty even if no I/O logging is being done.
A malicious program run under
\fBsudo\fR
could conceivably fork a background process that retains access to the
user's terminal device after the main program has finished executing.
Running the command in a pseudo-tty makes that impossible.
2599: This flag is
2600: \fIoff\fR
2601: by default.
2602: .TP 18n
2603: utmp_runas
2604: If set,
2605: \fBsudo\fR
2606: will store the name of the runas user when updating the utmp (or utmpx) file.
2607: By default,
2608: \fBsudo\fR
2609: stores the name of the invoking user.
2610: This flag is
2611: \fIoff\fR
2612: by default.
2613: .TP 18n
2614: visiblepw
2615: By default,
2616: \fBsudo\fR
2617: will refuse to run if the user must enter a password but it is not
2618: possible to disable echo on the terminal.
2619: If the
2620: \fIvisiblepw\fR
2621: flag is set,
2622: \fBsudo\fR
2623: will prompt for a password even when it would be visible on the screen.
2624: This makes it possible to run things like
2625: \(lq\fRssh somehost sudo ls\fR\(rq
2626: since by default,
2627: ssh(1)
2628: does
2629: not allocate a tty when running a command.
2630: This flag is
2631: \fIoff\fR
2632: by default.
2633: .PP
2634: \fBIntegers\fR:
2635: .TP 18n
2636: closefrom
2637: Before it executes a command,
2638: \fBsudo\fR
2639: will close all open file descriptors other than standard input,
standard output and standard error (i.e., file descriptors 0-2).
2641: The
2642: \fIclosefrom\fR
2643: option can be used to specify a different file descriptor at which
2644: to start closing.
2645: The default is
2646: \fR3\fR.
2647: .TP 18n
2648: passwd_tries
2649: The number of tries a user gets to enter his/her password before
2650: \fBsudo\fR
2651: logs the failure and exits.
2652: The default is
2653: \fR@passwd_tries@\fR.
2654: .PP
2655: \fBIntegers that can be used in a boolean context\fR:
2656: .TP 18n
2657: loglinelen
2658: Number of characters per line for the file log.
2659: This value is used to decide when to wrap lines for nicer log files.
2660: This has no effect on the syslog log file, only the file log.
2661: The default is
2662: \fR@loglen@\fR
2663: (use 0 or negate the option to disable word wrap).
2664: .TP 18n
2665: passwd_timeout
2666: Number of minutes before the
2667: \fBsudo\fR
2668: password prompt times out, or
2669: \fR0\fR
2670: for no timeout.
2671: The timeout may include a fractional component
2672: if minute granularity is insufficient, for example
2673: \fR2.5\fR.
2674: The
2675: default is
2676: \fR@password_timeout@\fR.
2677: .TP 18n
2678: timestamp_timeout
2679: .br
2680: Number of minutes that can elapse before
2681: \fBsudo\fR
will ask for a password again.
2683: The timeout may include a fractional component if
2684: minute granularity is insufficient, for example
2685: \fR2.5\fR.
2686: The default is
2687: \fR@timeout@\fR.
2688: Set this to
2689: \fR0\fR
2690: to always prompt for a password.
2691: If set to a value less than
2692: \fR0\fR
2693: the user's time stamp will never expire.
2694: This can be used to allow users to create or delete their own time stamps via
2695: \(lq\fRsudo -v\fR\(rq
2696: and
2697: \(lq\fRsudo -k\fR\(rq
2698: respectively.
2699: .TP 18n
2700: umask
2701: Umask to use when running the command.
2702: Negate this option or set it to 0777 to preserve the user's umask.
2703: The actual umask that is used will be the union of the user's umask
2704: and the value of the
2705: \fIumask\fR
2706: option, which defaults to
2707: \fR@sudo_umask@\fR.
2708: This guarantees
2709: that
2710: \fBsudo\fR
2711: never lowers the umask when running a command.
2712: Note: on systems that use PAM, the default PAM configuration may specify
2713: its own umask which will override the value set in
2714: \fIsudoers\fR.
2715: .PP
2716: \fBStrings\fR:
2717: .TP 18n
2718: badpass_message
2719: Message that is displayed if a user enters an incorrect password.
2720: The default is
2721: \fR@badpass_message@\fR
2722: unless insults are enabled.
2723: .TP 18n
2724: editor
2725: A colon
2726: (\(oq:\&\(cq)
2727: separated list of editors allowed to be used with
2728: \fBvisudo\fR.
2729: \fBvisudo\fR
2730: will choose the editor that matches the user's
2731: \fREDITOR\fR
2732: environment variable if possible, or the first editor in the
2733: list that exists and is executable.
2734: The default is
2735: \fI@editor@\fR.
2736: .TP 18n
2737: iolog_dir
2738: The top-level directory to use when constructing the path name for
2739: the input/output log directory.
2740: Only used if the
2741: \fIlog_input\fR
2742: or
2743: \fIlog_output\fR
2744: options are enabled or when the
2745: \fRLOG_INPUT\fR
2746: or
2747: \fRLOG_OUTPUT\fR
2748: tags are present for a command.
2749: The session sequence number, if any, is stored in the directory.
2750: The default is
2751: \fI@iolog_dir@\fR.
2752: .sp
2753: The following percent
2754: (\(oq%\(cq)
2755: escape sequences are supported:
2756: .PP
2757: .RS 18n
2758: .PD 0
2759: .TP 6n
2760: \fR%{seq}\fR
2761: expanded to a monotonically increasing base-36 sequence number, such as 0100A5,
2762: where every two digits are used to form a new directory, e.g.\&
2763: \fI01/00/A5\fR
2764: .PD
2765: .TP 6n
2766: \fR%{user}\fR
2767: expanded to the invoking user's login name
2768: .TP 6n
2769: \fR%{group}\fR
2770: expanded to the name of the invoking user's real group ID
2771: .TP 6n
2772: \fR%{runas_user}\fR
2773: expanded to the login name of the user the command will
2774: be run as (e.g.\& root)
2775: .TP 6n
2776: \fR%{runas_group}\fR
2777: expanded to the group name of the user the command will
2778: be run as (e.g.\& wheel)
2779: .TP 6n
2780: \fR%{hostname}\fR
2781: expanded to the local host name without the domain name
2782: .TP 6n
2783: \fR%{command}\fR
2784: expanded to the base name of the command being run
2785: .PP
2786: In addition, any escape sequences supported by the system's
2787: strftime(3)
2788: function will be expanded.
2789: .sp
2790: To include a literal
2791: \(oq%\(cq
2792: character, the string
2793: \(oq%%\(cq
2794: should be used.
2795: .RE
2796: .TP 18n
2797: iolog_file
2798: The path name, relative to
2799: \fIiolog_dir\fR,
2800: in which to store input/output logs when the
2801: \fIlog_input\fR
2802: or
2803: \fIlog_output\fR
2804: options are enabled or when the
2805: \fRLOG_INPUT\fR
2806: or
2807: \fRLOG_OUTPUT\fR
2808: tags are present for a command.
2809: Note that
2810: \fIiolog_file\fR
2811: may contain directory components.
2812: The default is
2813: \(lq\fR%{seq}\fR\(rq.
2814: .sp
2815: See the
2816: \fIiolog_dir\fR
2817: option above for a list of supported percent
2818: (\(oq%\(cq)
2819: escape sequences.
2820: .sp
2821: In addition to the escape sequences, path names that end in six or
2822: more
2823: \fRX\fRs
2824: will have the
2825: \fRX\fRs
2826: replaced with a unique combination of digits and letters, similar to the
2827: mktemp(3)
2828: function.
2829: .sp
2830: If the path created by concatenating
2831: \fIiolog_dir\fR
2832: and
2833: \fIiolog_file\fR
2834: already exists, the existing I/O log file will be truncated and
2835: overwritten unless
2836: \fIiolog_file\fR
2837: ends in six or
2838: more
2839: \fRX\fRs.
2840: .TP 18n
2841: lecture_status_dir
2842: The directory in which
2843: \fBsudo\fR
2844: stores per-user lecture status files.
2845: Once a user has received the lecture, a zero-length file is
2846: created in this directory so that
2847: \fBsudo\fR
2848: will not lecture the user again.
2849: This directory should
2850: \fInot\fR
2851: be cleared when the system reboots.
2852: The default is
2853: \fI@vardir@/lectured\fR.
2854: .TP 18n
2855: limitprivs
2856: The default Solaris limit privileges to use when constructing a new
2857: privilege set for a command.
2858: This bounds all privileges of the executing process.
2859: The default limit privileges may be overridden on a per-command basis in
2860: \fIsudoers\fR.
2861: This option is only available if
2862: \fBsudoers\fR
2863: is built on Solaris 10 or higher.
2864: .TP 18n
2865: mailsub
2866: Subject of the mail sent to the
2867: \fImailto\fR
2868: user.
2869: The escape
2870: \fR%h\fR
2871: will expand to the host name of the machine.
2872: Default is
2873: \(lq\fR@mailsub@\fR\(rq.
2874: .TP 18n
2875: maxseq
2876: The maximum sequence number that will be substituted for the
2877: \(lq\fR%{seq}\fR\(rq
2878: escape in the I/O log file (see the
2879: \fIiolog_dir\fR
2880: description above for more information).
2881: While the value substituted for
2882: \(lq\fR%{seq}\fR\(rq
2883: is in base 36,
2884: \fImaxseq\fR
2885: itself should be expressed in decimal.
2886: Values larger than 2176782336 (which corresponds to the
2887: base 36 sequence number
2888: \(lqZZZZZZ\(rq)
2889: will be silently truncated to 2176782336.
2890: The default value is 2176782336.
2891: .sp
2892: Once the local sequence number reaches the value of
2893: \fImaxseq\fR,
2894: it will
2895: \(lqroll over\(rq
2896: to zero, after which
2897: \fBsudoers\fR
2898: will truncate and re-use any existing I/O log path names.
2899: .sp
2900: This setting is only supported by version 1.8.7 or higher.
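.sp
The following is an added example, not code from sudo itself, that
builds an I/O log path the way the
\fIiolog_dir\fR,
\fIiolog_file\fR
and
\fImaxseq\fR
descriptions above specify: the base-36
\fR%{seq}\fR
encoding with its two-digit directory split, the
\fImaxseq\fR
truncation and roll-over, the other percent escapes with
strftime(3)
pass-through, and the trailing-X uniqueness suffix.
The function names, the
\fI/var/log/sudo-io\fR
directory and the sample user, host and command values are this
example's own.
.sp
.nf
```python
"""Added example, not part of sudo: builds an I/O log path the way the
iolog_dir, iolog_file and maxseq descriptions specify.  Function names,
the log directory and the sample values are this example's own."""
import secrets
import string
import time

BASE36 = string.digits + string.ascii_uppercase  # sequence digits 0-9, A-Z
SESSID_MAX = 36 ** 6                             # 2176782336, one past "ZZZZZZ"
EPOCH = time.gmtime(0)                           # fixed time for reproducible strftime output


def clamp_maxseq(maxseq):
    """maxseq is written in decimal; anything above 36^6 is silently truncated."""
    return min(int(maxseq), SESSID_MAX)


def next_sessid(current, maxseq=SESSID_MAX):
    """Monotonically increasing counter that rolls over to 0 at maxseq.
    Once it rolls over, existing log paths are truncated and re-used."""
    nxt = current + 1
    return 0 if nxt >= clamp_maxseq(maxseq) else nxt


def sessid_encode(seq):
    """Six zero-padded base-36 digits, e.g. 1679981 -> '0100A5'."""
    if not 0 <= seq < SESSID_MAX:
        raise ValueError("sequence number out of range")
    digits = []
    for _ in range(6):
        seq, rem = divmod(seq, 36)
        digits.append(BASE36[rem])
    return "".join(reversed(digits))


def seq_dirs(sessid):
    """'0100A5' -> '01/00/A5': every two digits become a directory level."""
    return "/".join(sessid[i:i + 2] for i in range(0, len(sessid), 2))


def expand_escapes(template, subst, when=None):
    """Expand %{name} from subst and %% to a literal '%'.  Any other %x is
    handed to strftime(3) one conversion at a time, so a '%' produced by %%
    is never re-interpreted as a date escape."""
    when = time.localtime() if when is None else when
    out, i = [], 0
    while i < len(template):
        ch = template[i]
        if ch != "%" or i + 1 == len(template):
            out.append(ch)
            i += 1
        elif template[i + 1] == "%":
            out.append("%")
            i += 2
        elif template[i + 1] == "{":
            end = template.find("}", i + 2)
            if end < 0:
                raise ValueError("unterminated %{ escape")
            name = template[i + 2:end]
            if name not in subst:
                raise ValueError("unknown escape %%{%s}" % name)
            out.append(subst[name])
            i = end + 1
        else:
            out.append(time.strftime("%" + template[i + 1], when))
            i += 2
    return "".join(out)


def unique_suffix(path):
    """A path ending in six or more Xs gets a mktemp(3)-style random tail.
    Without one, an existing log at the same path is truncated and overwritten."""
    stem = path.rstrip("X")
    count = len(path) - len(stem)
    if count < 6:
        return path
    alphabet = string.ascii_letters + string.digits
    return stem + "".join(secrets.choice(alphabet) for _ in range(count))


def iolog_path(iolog_dir, iolog_file, seq, user, group, runas_user,
               runas_group, hostname, command, when=None):
    """Expanded iolog_dir joined with expanded iolog_file for session `seq`."""
    subst = {
        "seq": seq_dirs(sessid_encode(seq)),
        "user": user,
        "group": group,
        "runas_user": runas_user,
        "runas_group": runas_group,
        "hostname": hostname.split(".")[0],     # host name without the domain
        "command": command.rsplit("/", 1)[-1],  # base name of the command
    }
    directory = expand_escapes(iolog_dir, subst, when).rstrip("/")
    return unique_suffix(directory + "/" + expand_escapes(iolog_file, subst, when))


if __name__ == "__main__":
    # Constructed values; /var/log/sudo-io stands in for @iolog_dir@.
    print(iolog_path("/var/log/sudo-io", "%{seq}", 1679981, "alice", "staff",
                     "root", "wheel", "web1.example.com", "/bin/ls"))
    print(iolog_path("/var/log/sudo-io/%{user}/%Y%m%d", "%{command}-XXXXXX", 7,
                     "alice", "staff", "root", "wheel", "web1.example.com", "/bin/ls"))
```
.fi
.sp
The second call shows why a trailing-X name matters on a busy host: two
sessions of the same user running the same command on the same day would
otherwise resolve to one path, and the second would truncate the first
session's log.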
2901: .TP 18n
2902: noexec_file
2903: As of
2904: \fBsudo\fR
2905: version 1.8.1 this option is no longer supported.
2906: The path to the noexec file should now be set in the
2907: sudo.conf(@mansectform@)
2908: file.
2909: .TP 18n
2910: pam_login_service
2911: .br
2912: On systems that use PAM for authentication, this is the service
2913: name used when the
2914: \fB\-i\fR
2915: option is specified.
2916: The default value is
2917: \(lq\fR@pam_login_service@\fR\(rq.
2918: See the description of
2919: \fIpam_service\fR
2920: for more information.
2921: .sp
2922: This setting is only supported by version 1.8.8 or higher.
2923: .TP 18n
2924: pam_service
2925: On systems that use PAM for authentication, the service name
2926: specifies the PAM policy to apply.
2927: This usually corresponds to an entry in the
2928: \fIpam.conf\fR
2929: file or a file in the
2930: \fI/etc/pam.d\fR
2931: directory.
2932: The default value is
2933: \(lq\fRsudo\fR\(rq.
2934: .sp
2935: This setting is only supported by version 1.8.8 or higher.
2936: .TP 18n
2937: passprompt
2938: The default prompt to use when asking for a password; can be overridden via the
2939: \fB\-p\fR
2940: option or the
2941: \fRSUDO_PROMPT\fR
2942: environment variable.
2943: The following percent
2944: (\(oq%\(cq)
2945: escape sequences are supported:
2946: .PP
2947: .RS 18n
2948: .PD 0
2949: .TP 6n
2950: \fR%H\fR
2951: expanded to the local host name including the domain name
2952: (only if the machine's host name is fully qualified or the
2953: \fIfqdn\fR
2954: option is set)
2955: .PD
2956: .TP 6n
2957: \fR%h\fR
2958: expanded to the local host name without the domain name
2959: .TP 6n
2960: \fR%p\fR
2961: expanded to the user whose password is being asked for (respects the
2962: \fIrootpw\fR,
2963: \fItargetpw\fR
2964: and
2965: \fIrunaspw\fR
2966: flags in
2967: \fIsudoers\fR)
2968: .TP 6n
2969: \fR\&%U\fR
2970: expanded to the login name of the user the command will
2971: be run as (defaults to root)
2972: .TP 6n
2973: \fR%u\fR
2974: expanded to the invoking user's login name
2975: .TP 6n
2976: \fR%%\fR
2977: two consecutive
2978: \fR%\fR
2979: characters are collapsed into a single
2980: \fR%\fR
2981: character
2982: .PP
2983: The default value is
2984: \(lq\fR@passprompt@\fR\(rq.
2985: .RE
2986: .TP 18n
2987: privs
2988: The default Solaris privileges to use when constructing a new
2989: privilege set for a command.
2990: This is passed to the executing process via the inherited privilege set,
2991: but is bounded by the limit privileges.
2992: If the
2993: \fIprivs\fR
2994: option is specified but the
2995: \fIlimitprivs\fR
option is not, the limit privileges of the executing process are set to
2997: \fIprivs\fR.
2998: The default privileges may be overridden on a per-command basis in
2999: \fIsudoers\fR.
3000: This option is only available if
3001: \fBsudoers\fR
3002: is built on Solaris 10 or higher.
3003: .TP 18n
3004: role
3005: The default SELinux role to use when constructing a new security
3006: context to run the command.
3007: The default role may be overridden on a per-command basis in
3008: \fIsudoers\fR
3009: or via command line options.
3010: This option is only available when
3011: \fBsudo\fR
3012: is built with SELinux support.
3013: .TP 18n
3014: runas_default
3015: The default user to run commands as if the
3016: \fB\-u\fR
3017: option is not specified on the command line.
3018: This defaults to
3019: \fR@runas_default@\fR.
3020: .TP 18n
3021: syslog_badpri
Syslog priority to use when a user authenticates unsuccessfully.
3023: Defaults to
3024: \fR@badpri@\fR.
3025: .sp
3026: The following syslog priorities are supported:
3027: \fBalert\fR,
3028: \fBcrit\fR,
3029: \fBdebug\fR,
3030: \fBemerg\fR,
3031: \fBerr\fR,
3032: \fBinfo\fR,
3033: \fBnotice\fR,
3034: and
3035: \fBwarning\fR.
3036: .TP 18n
3037: syslog_goodpri
Syslog priority to use when a user authenticates successfully.
3039: Defaults to
3040: \fR@goodpri@\fR.
3041: .sp
3042: See
3043: \fIsyslog_badpri\fR
3044: for the list of supported syslog priorities.
3045: .TP 18n
3046: sudoers_locale
3047: Locale to use when parsing the sudoers file, logging commands, and
3048: sending email.
3049: Note that changing the locale may affect how sudoers is interpreted.
3050: Defaults to
3051: \(lq\fRC\fR\(rq.
3052: .TP 18n
3053: timestampdir
3054: The directory in which
3055: \fBsudo\fR
3056: stores its time stamp files.
3057: This directory should be cleared when the system reboots.
3058: The default is
3059: \fI@rundir@/ts\fR.
3060: .TP 18n
3061: timestampowner
3062: The owner of the lecture status directory, time stamp directory and all
3063: files stored therein.
3064: The default is
3065: \fRroot\fR.
3066: .TP 18n
3067: type
3068: The default SELinux type to use when constructing a new security
3069: context to run the command.
3070: The default type may be overridden on a per-command basis in
3071: \fIsudoers\fR
3072: or via command line options.
3073: This option is only available when
3074: \fBsudo\fR
3075: is built with SELinux support.
3076: .PP
3077: \fBStrings that can be used in a boolean context\fR:
3078: .TP 14n
3079: env_file
3080: The
3081: \fIenv_file\fR
3082: option specifies the fully qualified path to a file containing variables
3083: to be set in the environment of the program being run.
3084: Entries in this file should either be of the form
3085: \(lq\fRVARIABLE=value\fR\(rq
3086: or
3087: \(lq\fRexport VARIABLE=value\fR\(rq.
3088: The value may optionally be surrounded by single or double quotes.
3089: Variables in this file are subject to other
3090: \fBsudo\fR
3091: environment settings such as
3092: \fIenv_keep\fR
3093: and
3094: \fIenv_check\fR.
3095: .TP 14n
3096: exempt_group
3097: Users in this group are exempt from password and PATH requirements.
3098: The group name specified should not include a
3099: \fR%\fR
3100: prefix.
3101: This is not set by default.
3102: .TP 14n
3103: group_plugin
3104: A string containing a
3105: \fIsudoers\fR
3106: group plugin with optional arguments.
3107: The string should consist of the plugin
3108: path, either fully-qualified or relative to the
3109: \fI@PLUGINDIR@\fR
3110: directory, followed by any configuration arguments the plugin requires.
3111: These arguments (if any) will be passed to the plugin's initialization function.
3112: If arguments are present, the string must be enclosed in double quotes
3113: (\&"").
3114: .sp
3115: For more information see
3116: GROUP PROVIDER PLUGINS.
3117: .TP 14n
3118: lecture
3119: This option controls when a short lecture will be printed along with
3120: the password prompt.
3121: It has the following possible values:
3122: .PP
3123: .RS 14n
3124: .PD 0
3125: .TP 8n
3126: always
3127: Always lecture the user.
3128: .PD
3129: .TP 8n
3130: never
3131: Never lecture the user.
3132: .TP 8n
3133: once
3134: Only lecture the user the first time they run
3135: \fBsudo\fR.
3136: .PP
3137: If no value is specified, a value of
3138: \fIonce\fR
3139: is implied.
3140: Negating the option results in a value of
3141: \fInever\fR
3142: being used.
3143: The default value is
3144: \fI@lecture@\fR.
3145: .RE
3146: .TP 14n
3147: lecture_file
3148: Path to a file containing an alternate
3149: \fBsudo\fR
3150: lecture that will be used in place of the standard lecture if the named
3151: file exists.
3152: By default,
3153: \fBsudo\fR
3154: uses a built-in lecture.
3155: .TP 14n
3156: listpw
3157: This option controls when a password will be required when a user runs
3158: \fBsudo\fR
3159: with the
3160: \fB\-l\fR
3161: option.
3162: It has the following possible values:
3163: .PP
3164: .RS 14n
3165: .PD 0
3166: .TP 10n
3167: all
3168: All the user's
3169: \fIsudoers\fR
3170: entries for the current host must have
3171: the
3172: \fRNOPASSWD\fR
3173: flag set to avoid entering a password.
3174: .PD
3175: .TP 10n
3176: always
3177: The user must always enter a password to use the
3178: \fB\-l\fR
3179: option.
3180: .TP 10n
3181: any
3182: At least one of the user's
3183: \fIsudoers\fR
3184: entries for the current host
3185: must have the
3186: \fRNOPASSWD\fR
3187: flag set to avoid entering a password.
3188: .TP 10n
3189: never
3190: The user need never enter a password to use the
3191: \fB\-l\fR
3192: option.
3193: .PP
3194: If no value is specified, a value of
3195: \fIany\fR
3196: is implied.
3197: Negating the option results in a value of
3198: \fInever\fR
3199: being used.
3200: The default value is
3201: \fIany\fR.
3202: .RE
3203: .TP 14n
3204: logfile
3205: Path to the
3206: \fBsudo\fR
3207: log file (not the syslog log file).
3208: Setting a path turns on logging to a file;
3209: negating this option turns it off.
3210: By default,
3211: \fBsudo\fR
3212: logs via syslog.
3213: .TP 14n
3214: mailerflags
Flags to use when invoking the mailer. Defaults to
3216: \fB\-t\fR.
3217: .TP 14n
3218: mailerpath
3219: Path to mail program used to send warning mail.
3220: Defaults to the path to sendmail found at configure time.
3221: .TP 14n
3222: mailfrom
3223: Address to use for the
3224: \(lqfrom\(rq
3225: address when sending warning and error mail.
3226: The address should be enclosed in double quotes
3227: (\&"")
3228: to protect against
3229: \fBsudo\fR
3230: interpreting the
3231: \fR@\fR
3232: sign.
3233: Defaults to the name of the user running
3234: \fBsudo\fR.
3235: .TP 14n
3236: mailto
3237: Address to send warning and error mail to.
3238: The address should be enclosed in double quotes
3239: (\&"")
3240: to protect against
3241: \fBsudo\fR
3242: interpreting the
3243: \fR@\fR
3244: sign.
3245: Defaults to
3246: \fR@mailto@\fR.
3247: .TP 14n
3248: secure_path
3249: Path used for every command run from
3250: \fBsudo\fR.
3251: If you don't trust the
3252: people running
3253: \fBsudo\fR
3254: to have a sane
3255: \fRPATH\fR
3256: environment variable you may want to use this.
3257: Another use is if you want to have the
3258: \(lqroot path\(rq
3259: be separate from the
3260: \(lquser path\(rq.
3261: Users in the group specified by the
3262: \fIexempt_group\fR
3263: option are not affected by
3264: \fIsecure_path\fR.
3265: This option is @secure_path@ by default.
3266: .TP 14n
3267: syslog
3268: Syslog facility if syslog is being used for logging (negate to
3269: disable syslog logging).
3270: Defaults to
3271: \fR@logfac@\fR.
3272: .sp
3273: The following syslog facilities are supported:
3274: \fBauthpriv\fR
3275: (if your
3276: OS supports it),
3277: \fBauth\fR,
3278: \fBdaemon\fR,
3279: \fBuser\fR,
3280: \fBlocal0\fR,
3281: \fBlocal1\fR,
3282: \fBlocal2\fR,
3283: \fBlocal3\fR,
3284: \fBlocal4\fR,
3285: \fBlocal5\fR,
3286: \fBlocal6\fR,
3287: and
3288: \fBlocal7\fR.
3289: .TP 14n
3290: verifypw
3291: This option controls when a password will be required when a user runs
3292: \fBsudo\fR
3293: with the
3294: \fB\-v\fR
3295: option.
3296: It has the following possible values:
3297: .PP
3298: .RS 14n
3299: .PD 0
3300: .TP 8n
3301: all
3302: All the user's
3303: \fIsudoers\fR
3304: entries for the current host must have the
3305: \fRNOPASSWD\fR
3306: flag set to avoid entering a password.
3307: .PD
3308: .TP 8n
3309: always
3310: The user must always enter a password to use the
3311: \fB\-v\fR
3312: option.
3313: .TP 8n
3314: any
3315: At least one of the user's
3316: \fIsudoers\fR
3317: entries for the current host must have the
3318: \fRNOPASSWD\fR
3319: flag set to avoid entering a password.
3320: .TP 8n
3321: never
3322: The user need never enter a password to use the
3323: \fB\-v\fR
3324: option.
3325: .PP
3326: If no value is specified, a value of
3327: \fIall\fR
3328: is implied.
3329: Negating the option results in a value of
3330: \fInever\fR
3331: being used.
3332: The default value is
3333: \fIall\fR.
3334: .RE
3335: .PP
3336: \fBLists that can be used in a boolean context\fR:
3337: .TP 18n
3338: env_check
3339: Environment variables to be removed from the user's environment if
3340: the variable's value contains
3341: \(oq%\(cq
3342: or
3343: \(oq/\(cq
3344: characters.
3345: This can be used to guard against printf-style format vulnerabilities
3346: in poorly-written programs.
3347: The argument may be a double-quoted, space-separated list or a
3348: single value without double-quotes.
3349: The list can be replaced, added to, deleted from, or disabled by using
3350: the
3351: \fR=\fR,
3352: \fR+=\fR,
3353: \fR-=\fR,
3354: and
3355: \fR\&!\fR
3356: operators respectively.
3357: Regardless of whether the
3358: \fRenv_reset\fR
3359: option is enabled or disabled, variables specified by
3360: \fRenv_check\fR
3361: will be preserved in the environment if they pass the aforementioned check.
3362: The default list of environment variables to check is displayed when
3363: \fBsudo\fR
3364: is run by root with
3365: the
3366: \fB\-V\fR
3367: option.
3368: .TP 18n
3369: env_delete
3370: Environment variables to be removed from the user's environment when the
3371: \fIenv_reset\fR
3372: option is not in effect.
3373: The argument may be a double-quoted, space-separated list or a
3374: single value without double-quotes.
3375: The list can be replaced, added to, deleted from, or disabled by using the
3376: \fR=\fR,
3377: \fR+=\fR,
3378: \fR-=\fR,
3379: and
3380: \fR\&!\fR
3381: operators respectively.
3382: The default list of environment variables to remove is displayed when
3383: \fBsudo\fR
3384: is run by root with the
3385: \fB\-V\fR
3386: option.
3387: Note that many operating systems will remove potentially dangerous
3388: variables from the environment of any setuid process (such as
3389: \fBsudo\fR).
3390: .TP 18n
3391: env_keep
3392: Environment variables to be preserved in the user's environment when the
3393: \fIenv_reset\fR
3394: option is in effect.
3395: This allows fine-grained control over the environment
3396: \fBsudo\fR-spawned
3397: processes will receive.
3398: The argument may be a double-quoted, space-separated list or a
3399: single value without double-quotes.
3400: The list can be replaced, added to, deleted from, or disabled by using the
3401: \fR=\fR,
3402: \fR+=\fR,
3403: \fR-=\fR,
3404: and
3405: \fR\&!\fR
3406: operators respectively.
3407: The default list of variables to keep
3408: is displayed when
3409: \fBsudo\fR
3410: is run by root with the
3411: \fB\-V\fR
3412: option.
3413: .SH "GROUP PROVIDER PLUGINS"
3414: The
3415: \fBsudoers\fR
3416: plugin supports its own plugin interface to allow non-Unix
3417: group lookups which can query a group source other
3418: than the standard Unix group database.
3419: This can be used to implement support for the
3420: \fRnonunix_group\fR
3421: syntax described earlier.
3422: .PP
3423: Group provider plugins are specified via the
3424: \fIgroup_plugin\fR
3425: Defaults setting.
3426: The argument to
3427: \fIgroup_plugin\fR
3428: should consist of the plugin path, either fully-qualified or relative to the
3429: \fI@PLUGINDIR@\fR
3430: directory, followed by any configuration options the plugin requires.
3431: These options (if specified) will be passed to the plugin's initialization
3432: function.
3433: If options are present, the string must be enclosed in double quotes
3434: (\&"").
3435: .PP
3436: The following group provider plugins are installed by default:
3437: .TP 10n
3438: group_file
3439: The
3440: \fIgroup_file\fR
3441: plugin supports an alternate group file that uses the same syntax as the
3442: \fI/etc/group\fR
3443: file.
3444: The path to the group file should be specified as an option
3445: to the plugin.
3446: For example, if the group file to be used is
3447: \fI/etc/sudo-group\fR:
3448: .nf
3449: .sp
3450: .RS 10n
3451: Defaults group_plugin="group_file.so /etc/sudo-group"
3452: .RE
3453: .fi
3454: .TP 10n
3455: system_group
3456: The
3457: \fIsystem_group\fR
3458: plugin supports group lookups via the standard C library functions
3459: \fBgetgrnam\fR()
3460: and
3461: \fBgetgrgid\fR().
3462: This plugin can be used in instances where the user belongs to
3463: groups not present in the user's supplemental group vector.
3464: This plugin takes no options:
3465: .nf
3466: .sp
3467: .RS 10n
3468: Defaults group_plugin=system_group.so
3469: .RE
3470: .fi
3471: .PP
3472: The group provider plugin API is described in detail in
3473: sudo_plugin(@mansectsu@).
3474: .SH "LOG FORMAT"
3475: \fBsudoers\fR
3476: can log events using either
3477: syslog(3)
3478: or a simple log file.
3479: In each case the log format is almost identical.
3480: .SS "Accepted command log entries"
3481: Commands that sudo runs are logged using the following format (split
3482: into multiple lines for readability):
3483: .nf
3484: .sp
3485: .RS 4n
3486: date hostname progname: username : TTY=ttyname ; PWD=cwd ; \e
3487: USER=runasuser ; GROUP=runasgroup ; TSID=logid ; \e
3488: ENV=env_vars COMMAND=command
3489: .RE
3490: .fi
3491: .PP
3492: Where the fields are as follows:
3493: .TP 14n
3494: date
3495: The date the command was run.
3496: Typically, this is in the format
3497: \(lqMMM, DD, HH:MM:SS\(rq.
3498: If logging via
3499: syslog(3),
3500: the actual date format is controlled by the syslog daemon.
3501: If logging to a file and the
3502: \fIlog_year\fR
3503: option is enabled,
3504: the date will also include the year.
3505: .TP 14n
3506: hostname
3507: The name of the host
3508: \fBsudo\fR
3509: was run on.
3510: This field is only present when logging via
3511: syslog(3).
3512: .TP 14n
3513: progname
3514: The name of the program, usually
3515: \fIsudo\fR
3516: or
3517: \fIsudoedit\fR.
3518: This field is only present when logging via
3519: syslog(3).
3520: .TP 14n
3521: username
3522: The login name of the user who ran
3523: \fBsudo\fR.
3524: .TP 14n
3525: ttyname
3526: The short name of the terminal (e.g.\&
3527: \(lqconsole\(rq,
3528: \(lqtty01\(rq,
3529: or
3530: \(lqpts/0\(rq)
3531: \fBsudo\fR
3532: was run on, or
3533: \(lqunknown\(rq
3534: if there was no terminal present.
3535: .TP 14n
3536: cwd
3537: The current working directory that
3538: \fBsudo\fR
3539: was run in.
3540: .TP 14n
3541: runasuser
3542: The user the command was run as.
3543: .TP 14n
3544: runasgroup
3545: The group the command was run as if one was specified on the command line.
3546: .TP 14n
3547: logid
3548: An I/O log identifier that can be used to replay the command's output.
3549: This is only present when the
3550: \fIlog_input\fR
3551: or
3552: \fIlog_output\fR
3553: option is enabled.
3554: .TP 14n
3555: env_vars
3556: A list of environment variables specified on the command line,
3557: if specified.
3558: .TP 14n
3559: command
3560: The actual command that was executed.
3561: .PP
3562: Messages are logged using the locale specified by
3563: \fIsudoers_locale\fR,
3564: which defaults to the
3565: \(lq\fRC\fR\(rq
3566: locale.
3567: .SS "Denied command log entries"
3568: If the user is not allowed to run the command, the reason for the denial
3569: will follow the user name.
3570: Possible reasons include:
3571: .TP 3n
3572: user NOT in sudoers
3573: The user is not listed in the
3574: \fIsudoers\fR
3575: file.
3576: .TP 3n
3577: user NOT authorized on host
3578: The user is listed in the
3579: \fIsudoers\fR
3580: file but is not allowed to run commands on the host.
3581: .TP 3n
3582: command not allowed
3583: The user is listed in the
3584: \fIsudoers\fR
3585: file for the host but they are not allowed to run the specified command.
3586: .TP 3n
3587: 3 incorrect password attempts
3588: The user failed to enter their password after 3 tries.
3589: The actual number of tries will vary based on the number of
3590: failed attempts and the value of the
3591: \fIpasswd_tries\fR
3592: option.
3593: .TP 3n
3594: a password is required
3595: \fBsudo\fR's
3596: \fB\-n\fR
3597: option was specified but a password was required.
3598: .TP 3n
3599: sorry, you are not allowed to set the following environment variables
3600: The user specified environment variables on the command line that
3601: were not allowed by
3602: \fIsudoers\fR.
3603: .SS "Error log entries"
3604: If an error occurs,
3605: \fBsudoers\fR
3606: will log a message and, in most cases, send a message to the
3607: administrator via email.
3608: Possible errors include:
3609: .TP 3n
3610: parse error in @sysconfdir@/sudoers near line N
3611: \fBsudoers\fR
3612: encountered an error when parsing the specified file.
3613: In some cases, the actual error may be one line above or below the
3614: line number listed, depending on the type of error.
3615: .TP 3n
3616: problem with defaults entries
3617: The
3618: \fIsudoers\fR
3619: file contains one or more unknown Defaults settings.
3620: This does not prevent
3621: \fBsudo\fR
3622: from running, but the
3623: \fIsudoers\fR
3624: file should be checked using
3625: \fBvisudo\fR.
3626: .TP 3n
3627: timestamp owner (username): \&No such user
3628: The time stamp directory owner, as specified by the
3629: \fItimestampowner\fR
3630: setting, could not be found in the password database.
3631: .TP 3n
3632: unable to open/read @sysconfdir@/sudoers
3633: The
3634: \fIsudoers\fR
3635: file could not be opened for reading.
3636: This can happen when the
3637: \fIsudoers\fR
3638: file is located on a remote file system that maps user ID 0 to
3639: a different value.
3640: Normally,
3641: \fBsudoers\fR
3642: tries to open
3643: \fIsudoers\fR
3644: using group permissions to avoid this problem.
3645: Consider either changing the ownership of
3646: \fI@sysconfdir@/sudoers\fR
3647: or adding an argument like
3648: \(lqsudoers_uid=N\(rq
3649: (where
3650: \(oqN\(cq
3651: is the user ID that owns the
3652: \fIsudoers\fR
3653: file) to the end of the
3654: \fBsudoers\fR
3655: \fRPlugin\fR
3656: line in the
3657: sudo.conf(@mansectform@)
3658: file.
3659: .TP 3n
3660: unable to stat @sysconfdir@/sudoers
3661: The
3662: \fI@sysconfdir@/sudoers\fR
3663: file is missing.
3664: .TP 3n
3665: @sysconfdir@/sudoers is not a regular file
3666: The
3667: \fI@sysconfdir@/sudoers\fR
3668: file exists but is not a regular file or symbolic link.
3669: .TP 3n
3670: @sysconfdir@/sudoers is owned by uid N, should be 0
3671: The
3672: \fIsudoers\fR
3673: file has the wrong owner.
3674: If you wish to change the
3675: \fIsudoers\fR
3676: file owner, please add
3677: \(lqsudoers_uid=N\(rq
3678: (where
3679: \(oqN\(cq
3680: is the user ID that owns the
3681: \fIsudoers\fR
3682: file) to the
3683: \fBsudoers\fR
3684: \fRPlugin\fR
3685: line in the
3686: sudo.conf(@mansectform@)
3687: file.
3688: .TP 3n
3689: @sysconfdir@/sudoers is world writable
3690: The permissions on the
3691: \fIsudoers\fR
3692: file allow all users to write to it.
3693: The
3694: \fIsudoers\fR
3695: file must not be world-writable; the default file mode
3696: is 0440 (readable by owner and group, writable by none).
3697: The default mode may be changed via the
3698: \(lqsudoers_mode\(rq
3699: option to the
3700: \fBsudoers\fR
3701: \fRPlugin\fR
3702: line in the
3703: sudo.conf(@mansectform@)
3704: file.
3705: .TP 3n
3706: @sysconfdir@/sudoers is owned by gid N, should be 1
3707: The
3708: \fIsudoers\fR
3709: file has the wrong group ownership.
3710: If you wish to change the
3711: \fIsudoers\fR
3712: file group ownership, please add
3713: \(lqsudoers_gid=N\(rq
3714: (where
3715: \(oqN\(cq
3716: is the group ID that owns the
3717: \fIsudoers\fR
3718: file) to the
3719: \fBsudoers\fR
3720: \fRPlugin\fR
3721: line in the
3722: sudo.conf(@mansectform@)
3723: file.
3724: .TP 3n
3725: unable to open @rundir@/ts/username
3726: \fIsudoers\fR
3727: was unable to read or create the user's time stamp file.
3728: This can happen when
3729: \fItimestampowner\fR
3730: is set to a user other than root and the mode on
3731: \fI@rundir@\fR
3732: is not searchable by group or other.
3733: The default mode for
3734: \fI@rundir@\fR
3735: is 0711.
3736: .TP 3n
3737: unable to write to @rundir@/ts/username
3738: \fIsudoers\fR
3739: was unable to write to the user's time stamp file.
3740: .TP 3n
3741: @rundir@/ts is owned by uid X, should be Y
3742: The time stamp directory is owned by a user other than
3743: \fItimestampowner\fR.
3744: This can occur when the value of
3745: \fItimestampowner\fR
3746: has been changed.
3747: \fIsudoers\fR
3748: will ignore the time stamp directory until the owner is corrected.
3749: .TP 3n
3750: @rundir@/ts is group writable
3751: The time stamp directory is group-writable; it should be writable only by
3752: \fItimestampowner\fR.
3753: The default mode for the time stamp directory is 0700.
3754: \fIsudoers\fR
3755: will ignore the time stamp directory until the mode is corrected.
3756: .SS "Notes on logging via syslog"
3757: By default,
3758: \fIsudoers\fR
3759: logs messages via
3760: syslog(3).
3761: The
3762: \fIdate\fR,
3763: \fIhostname\fR,
3764: and
3765: \fIprogname\fR
3766: fields are added by the syslog daemon, not
3767: \fIsudoers\fR
3768: itself.
3769: As such, they may vary in format on different systems.
3770: .PP
3771: On most systems,
3772: syslog(3)
3773: has a relatively small log buffer.
3774: To prevent the command line arguments from being truncated,
3775: \fBsudoers\fR
3776: will split up log messages that are larger than 960 characters
3777: (not including the date, hostname, and the string
3778: \(lqsudo\(rq).
3779: When a message is split, additional parts will include the string
3780: \(lq(command continued)\(rq
3781: after the user name and before the continued command line arguments.
3782: .SS "Notes on logging to a file"
3783: If the
3784: \fIlogfile\fR
3785: option is set,
3786: \fIsudoers\fR
3787: will log to a local file, such as
3788: \fI/var/log/sudo\fR.
3789: When logging to a file,
3790: \fIsudoers\fR
3791: uses a format similar to
3792: syslog(3),
3793: with a few important differences:
3794: .TP 5n
3795: 1.
3796: The
3797: \fIprogname\fR
3798: and
3799: \fIhostname\fR
3800: fields are not present.
3801: .TP 5n
3802: 2.
3803: If the
3804: \fIlog_year\fR
3805: option is enabled,
3806: the date will also include the year.
3807: .TP 5n
3808: 3.
3809: Lines that are longer than
3810: \fIloglinelen\fR
3811: characters (80 by default) are word-wrapped and continued on the
3812: next line with a four character indent.
3813: This makes entries easier to read for a human being, but makes it
3814: more difficult to use
3815: grep(1)
3816: on the log files.
3817: If the
3818: \fIloglinelen\fR
3819: option is set to 0 (or negated with a
3820: \(oq\&!\(cq),
3821: word wrap will be disabled.
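.PP
As an added illustration (not code from the sudo distribution), the following Python parser reads entries in the file-based format described above, re-joins the continuation lines that \fIloglinelen\fR word wrap produces, and separates accepted entries from denied ones by checking whether a denial reason follows the user name.
The sample log lines are constructed; they assume the \(lqdate : username : fields\(rq layout of a \fIlogfile\fR with \fIlog_year\fR enabled, plus one line in the syslog layout.

```python
"""Parse sudoers log entries from a logfile (or copied out of syslog).

Added example, not part of the sudo distribution.  Re-joins the
four-space-indented continuation lines produced by loglinelen word
wrap, then splits each entry into the fields documented under
"Accepted command log entries" and "Denied command log entries".
Messages split by syslog ("(command continued)") are not re-joined.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, Iterator, List, Optional

# Constructed sample: a sudoers logfile with log_year enabled and the
# default loglinelen of 80 (long entries wrap with a 4-space indent),
# followed by one entry in the syslog layout "date host prog: user : ...".
SAMPLE_LOG = """\
Feb 15 10:22:01 2014 : millert : TTY=pts/0 ; PWD=/home/millert ; USER=root ;
    COMMAND=/usr/sbin/dump 0uf /dev/nst0 /
Feb 15 10:25:43 2014 : bostley : command not allowed ; TTY=pts/1 ;
    PWD=/home/bostley ; USER=root ; COMMAND=/usr/bin/su
Feb 15 10:30:12 2014 : jwfox : 3 incorrect password attempts ; TTY=pts/2 ;
    PWD=/home/jwfox ; USER=root ; COMMAND=/usr/bin/kill 1234
Feb 15 10:31:00 2014 : jen : TTY=pts/3 ; PWD=/tmp ; USER=oracle ;
    GROUP=dba ; TSID=000001 ; ENV=PATH=/usr/bin COMMAND=/usr/bin/id
Feb 15 10:40:00 anchor sudo: lisa : TTY=pts/4 ; PWD=/home/lisa ; USER=root ; COMMAND=/usr/bin/id
"""

# Logfile layout: "date : user : fields".  Syslog layout: the program
# name ends with a colon and is directly followed by the user name.
LOGFILE_RE = re.compile(r"^(?P<prefix>.+?) : (?P<user>\S+) : (?P<rest>.*)$")
SYSLOG_RE = re.compile(r"^(?P<prefix>.+?\S+:) (?P<user>\S+) : (?P<rest>.*)$")
KEY_RE = re.compile(r"^[A-Z]+=")   # a "NAME=value" field rather than a reason


@dataclass
class LogEntry:
    prefix: str                        # date, plus hostname/progname from syslog
    user: str
    reason: Optional[str]              # None when the command was accepted
    fields: Dict[str, str] = field(default_factory=dict)

    @property
    def accepted(self) -> bool:
        return self.reason is None


def unwrap(text: str) -> Iterator[str]:
    """Yield logical entries, re-joining loglinelen continuation lines."""
    current: Optional[str] = None
    for line in text.splitlines():
        if line.startswith("    ") and current is not None:
            current += " " + line.strip()      # the wrap replaced one space
        else:
            if current is not None:
                yield current
            current = line.rstrip()
    if current is not None:
        yield current


def parse_entry(line: str) -> LogEntry:
    """Split one logical entry into prefix, user, denial reason and fields."""
    m = LOGFILE_RE.match(line) or SYSLOG_RE.match(line)
    if not m:
        raise ValueError(f"unrecognised sudo log entry: {line!r}")
    segments = m.group("rest").split(" ; ")
    # The denial reason, if any, precedes the first NAME=value field.
    reason = None if KEY_RE.match(segments[0]) else segments.pop(0)
    fields: Dict[str, str] = {}
    for i, seg in enumerate(segments):
        if seg.startswith("COMMAND="):
            # COMMAND is last and may itself contain " ; ", so keep the rest.
            fields["COMMAND"] = " ; ".join(segments[i:])[len("COMMAND="):]
            break
        if seg.startswith("ENV="):
            # ENV and COMMAND are separated by a space, not by " ; ".
            env, sep, cmd = seg.partition(" COMMAND=")
            fields["ENV"] = env[len("ENV="):]
            if sep:
                fields["COMMAND"] = " ; ".join([cmd] + segments[i + 1:])
                break
            continue
        key, _, value = seg.partition("=")
        fields[key] = value
    return LogEntry(m.group("prefix"), m.group("user"), reason, fields)


def parse_log(text: str) -> List[LogEntry]:
    return [parse_entry(line) for line in unwrap(text)]


def denials(entries: List[LogEntry]) -> List[tuple]:
    """(user, reason, command) for every entry that sudoers refused."""
    return [(e.user, e.reason, e.fields.get("COMMAND", ""))
            for e in entries if not e.accepted]


if __name__ == "__main__":
    for user, reason, command in denials(parse_log(SAMPLE_LOG)):
        print(f"{user}: {reason} ({command})")
```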
3822: .SH "FILES"
3823: .TP 26n
3824: \fI@sysconfdir@/sudo.conf\fR
3825: Sudo front end configuration
3826: .TP 26n
3827: \fI@sysconfdir@/sudoers\fR
3828: List of who can run what
3829: .TP 26n
3830: \fI/etc/group\fR
3831: Local groups file
3832: .TP 26n
3833: \fI/etc/netgroup\fR
3834: List of network groups
3835: .TP 26n
3836: \fI@iolog_dir@\fR
3837: I/O log files
3838: .TP 26n
3839: \fI@rundir@/ts\fR
3840: Directory containing time stamps for the
3841: \fIsudoers\fR
3842: security policy
3843: .TP 26n
3844: \fI@vardir@/lectured\fR
3845: Directory containing lecture status files for the
3846: \fIsudoers\fR
3847: security policy
3848: .TP 26n
3849: \fI/etc/environment\fR
3850: Initial environment for
3851: \fB\-i\fR
3852: mode on AIX and Linux systems
3853: .SH "EXAMPLES"
3854: Below are example
3855: \fIsudoers\fR
3856: entries.
3857: Admittedly, some of these are a bit contrived.
3858: First, we allow a few environment variables to pass and then define our
3859: \fIaliases\fR:
3860: .nf
3861: .sp
3862: .RS 0n
3863: # Run X applications through sudo; HOME is used to find the
3864: # .Xauthority file. Note that other programs use HOME to find
3865: # configuration files and this may lead to privilege escalation!
3866: Defaults env_keep += "DISPLAY HOME"
3867:
3868: # User alias specification
3869: User_Alias FULLTIMERS = millert, mikef, dowdy
3870: User_Alias PARTTIMERS = bostley, jwfox, crawl
3871: User_Alias WEBMASTERS = will, wendy, wim
3872:
3873: # Runas alias specification
3874: Runas_Alias OP = root, operator
3875: Runas_Alias DB = oracle, sybase
3876: Runas_Alias ADMINGRP = adm, oper
3877:
3878: # Host alias specification
3879: Host_Alias SPARC = bigtime, eclipse, moet, anchor :\e
3880: SGI = grolsch, dandelion, black :\e
3881: ALPHA = widget, thalamus, foobar :\e
3882: HPPA = boa, nag, python
3883: Host_Alias CUNETS = 128.138.0.0/255.255.0.0
3884: Host_Alias CSNETS = 128.138.243.0, 128.138.204.0/24, 128.138.242.0
3885: Host_Alias SERVERS = master, mail, www, ns
3886: Host_Alias CDROM = orion, perseus, hercules
3887:
3888: # Cmnd alias specification
3889: Cmnd_Alias DUMPS = /usr/bin/mt, /usr/sbin/dump, /usr/sbin/rdump,\e
3890: /usr/sbin/restore, /usr/sbin/rrestore,\e
3891: sha224:0GomF8mNN3wlDt1HD9XldjJ3SNgpFdbjO1+NsQ== \e
3892: /home/operator/bin/start_backups
3893: Cmnd_Alias KILL = /usr/bin/kill
3894: Cmnd_Alias PRINTING = /usr/sbin/lpc, /usr/bin/lprm
3895: Cmnd_Alias SHUTDOWN = /usr/sbin/shutdown
3896: Cmnd_Alias HALT = /usr/sbin/halt
3897: Cmnd_Alias REBOOT = /usr/sbin/reboot
3898: Cmnd_Alias SHELLS = /usr/bin/sh, /usr/bin/csh, /usr/bin/ksh,\e
3899: /usr/local/bin/tcsh, /usr/bin/rsh,\e
3900: /usr/local/bin/zsh
3901: Cmnd_Alias SU = /usr/bin/su
3902: Cmnd_Alias PAGERS = /usr/bin/more, /usr/bin/pg, /usr/bin/less
3903: .RE
3904: .fi
3905: .PP
3906: Here we override some of the compiled in default values.
3907: We want
3908: \fBsudo\fR
3909: to log via
3910: syslog(3)
3911: using the
3912: \fIauth\fR
3913: facility in all cases.
3914: We don't want to subject the full time staff to the
3915: \fBsudo\fR
3916: lecture, user
3917: \fBmillert\fR
3918: need not give a password, and we don't want to reset the
3919: \fRLOGNAME\fR,
3920: \fRUSER\fR
3921: or
3922: \fRUSERNAME\fR
3923: environment variables when running commands as root.
3924: Additionally, on the machines in the
3925: \fISERVERS\fR
3926: \fRHost_Alias\fR,
3927: we keep an additional local log file and make sure we log the year
3928: in each log line since the log entries will be kept around for several years.
3929: Lastly, we disable shell escapes for the commands in the PAGERS
3930: \fRCmnd_Alias\fR
3931: (\fI/usr/bin/more\fR,
3932: \fI/usr/bin/pg\fR
3933: and
3934: \fI/usr/bin/less\fR).
3936: Note that this will not effectively constrain users with
3937: \fBsudo\fR
3938: \fBALL\fR
3939: privileges.
3940: .nf
3941: .sp
3942: .RS 0n
3943: # Override built-in defaults
3944: Defaults syslog=auth
3945: Defaults>root !set_logname
3946: Defaults:FULLTIMERS !lecture
3947: Defaults:millert !authenticate
3948: Defaults@SERVERS log_year, logfile=/var/log/sudo.log
3949: Defaults!PAGERS noexec
3950: .RE
3951: .fi
3952: .PP
3953: The
3954: \fIUser specification\fR
3955: is the part that actually determines who may run what.
3956: .nf
3957: .sp
3958: .RS 0n
3959: root ALL = (ALL) ALL
3960: %wheel ALL = (ALL) ALL
3961: .RE
3962: .fi
3963: .PP
3964: We let
3965: \fBroot\fR
3966: and any user in group
3967: \fBwheel\fR
3968: run any command on any host as any user.
3969: .nf
3970: .sp
3971: .RS 0n
3972: FULLTIMERS ALL = NOPASSWD: ALL
3973: .RE
3974: .fi
3975: .PP
3976: Full time sysadmins
3977: (\fBmillert\fR,
3978: \fBmikef\fR,
3979: and
3980: \fBdowdy\fR)
3981: may run any command on any host without authenticating themselves.
3982: .nf
3983: .sp
3984: .RS 0n
3985: PARTTIMERS ALL = ALL
3986: .RE
3987: .fi
3988: .PP
3989: Part time sysadmins
3990: (\fBbostley\fR,
3991: \fBjwfox\fR,
3992: and
3993: \fBcrawl\fR)
3994: may run any command on any host but they must authenticate themselves
3995: first (since the entry lacks the
3996: \fRNOPASSWD\fR
3997: tag).
3998: .nf
3999: .sp
4000: .RS 0n
4001: jack CSNETS = ALL
4002: .RE
4003: .fi
4004: .PP
4005: The user
4006: \fBjack\fR
4007: may run any command on the machines in the
4008: \fICSNETS\fR
4009: alias (the networks
4010: \fR128.138.243.0\fR,
4011: \fR128.138.204.0\fR,
4012: and
4013: \fR128.138.242.0\fR).
4014: Of those networks, only
4015: \fR128.138.204.0\fR
4016: has an explicit netmask (in CIDR notation) indicating it is a class C network.
4017: For the other networks in
4018: \fICSNETS\fR,
4019: the local machine's netmask will be used during matching.
4020: .nf
4021: .sp
4022: .RS 0n
4023: lisa CUNETS = ALL
4024: .RE
4025: .fi
4026: .PP
4027: The user
4028: \fBlisa\fR
4029: may run any command on any host in the
4030: \fICUNETS\fR
4031: alias (the class B network
4032: \fR128.138.0.0\fR).
4033: .nf
4034: .sp
4035: .RS 0n
4036: operator ALL = DUMPS, KILL, SHUTDOWN, HALT, REBOOT, PRINTING,\e
4037: sudoedit /etc/printcap, /usr/oper/bin/
4038: .RE
4039: .fi
4040: .PP
4041: The
4042: \fBoperator\fR
4043: user may run commands limited to simple maintenance.
4044: Here, those are commands related to backups, killing processes, the
4045: printing system, shutting down the system, and any commands in the
4046: directory
4047: \fI/usr/oper/bin/\fR.
4048: Note that one command in the
4049: \fRDUMPS\fR
4050: Cmnd_Alias includes a sha224 digest,
4051: \fI/home/operator/bin/start_backups\fR.
4052: This is because the directory containing the script is writable by the
4053: operator user.
4054: If the script is modified (resulting in a digest mismatch) it will no longer
4055: be possible to run it via
4056: \fBsudo\fR.
4057: .nf
4058: .sp
4059: .RS 0n
4060: joe ALL = /usr/bin/su operator
4061: .RE
4062: .fi
4063: .PP
4064: The user
4065: \fBjoe\fR
4066: may only
4067: su(1)
4068: to operator.
4069: .nf
4070: .sp
4071: .RS 0n
4072: pete HPPA = /usr/bin/passwd [A-Za-z]*, !/usr/bin/passwd root
4073:
4074: %opers ALL = (: ADMINGRP) /usr/sbin/
4075: .RE
4076: .fi
4077: .PP
4078: Users in the
4079: \fBopers\fR
4080: group may run commands in
4081: \fI/usr/sbin/\fR
4082: as themselves
4083: with any group in the
4084: \fIADMINGRP\fR
4085: \fRRunas_Alias\fR
4086: (the
4087: \fBadm\fR
4088: and
4089: \fBoper\fR
4090: groups).
4091: .PP
4092: The user
4093: \fBpete\fR
4094: is allowed to change anyone's password except for
4095: root on the
4096: \fIHPPA\fR
4097: machines.
4098: Note that this assumes
4099: passwd(1)
4100: does not take multiple user names on the command line.
4101: .nf
4102: .sp
4103: .RS 0n
4104: bob SPARC = (OP) ALL : SGI = (OP) ALL
4105: .RE
4106: .fi
4107: .PP
4108: The user
4109: \fBbob\fR
4110: may run anything on the
4111: \fISPARC\fR
4112: and
4113: \fISGI\fR
4114: machines as any user listed in the
4115: \fIOP\fR
4116: \fRRunas_Alias\fR
4117: (\fBroot\fR
4118: and
4119: \fBoperator\fR).
4120: .nf
4121: .sp
4122: .RS 0n
4123: jim +biglab = ALL
4124: .RE
4125: .fi
4126: .PP
4127: The user
4128: \fBjim\fR
4129: may run any command on machines in the
4130: \fIbiglab\fR
4131: netgroup.
4132: \fBsudo\fR
4133: knows that
4134: \(lqbiglab\(rq
4135: is a netgroup due to the
4136: \(oq+\(cq
4137: prefix.
4138: .nf
4139: .sp
4140: .RS 0n
4141: +secretaries ALL = PRINTING, /usr/bin/adduser, /usr/bin/rmuser
4142: .RE
4143: .fi
4144: .PP
4145: Users in the
4146: \fBsecretaries\fR
4147: netgroup need to help manage the printers as well as add and remove users,
4148: so they are allowed to run those commands on all machines.
4149: .nf
4150: .sp
4151: .RS 0n
4152: fred ALL = (DB) NOPASSWD: ALL
4153: .RE
4154: .fi
4155: .PP
4156: The user
4157: \fBfred\fR
4158: can run commands as any user in the
4159: \fIDB\fR
4160: \fRRunas_Alias\fR
4161: (\fBoracle\fR
4162: or
4163: \fBsybase\fR)
4164: without giving a password.
4165: .nf
4166: .sp
4167: .RS 0n
4168: john ALPHA = /usr/bin/su [!-]*, !/usr/bin/su *root*
4169: .RE
4170: .fi
4171: .PP
4172: On the
4173: \fIALPHA\fR
4174: machines, user
4175: \fBjohn\fR
4176: may su to anyone except root but he is not allowed to specify any options
4177: to the
4178: su(1)
4179: command.
4180: .nf
4181: .sp
4182: .RS 0n
4183: jen ALL, !SERVERS = ALL
4184: .RE
4185: .fi
4186: .PP
4187: The user
4188: \fBjen\fR
4189: may run any command on any machine except for those in the
4190: \fISERVERS\fR
4191: \fRHost_Alias\fR
4192: (master, mail, www and ns).
4193: .nf
4194: .sp
4195: .RS 0n
4196: jill SERVERS = /usr/bin/, !SU, !SHELLS
4197: .RE
4198: .fi
4199: .PP
4200: For any machine in the
4201: \fISERVERS\fR
4202: \fRHost_Alias\fR,
4203: \fBjill\fR
4204: may run
4205: any commands in the directory
4206: \fI/usr/bin/\fR
4207: except for those commands
4208: belonging to the
4209: \fISU\fR
4210: and
4211: \fISHELLS\fR
4212: \fRCmnd_Aliases\fR.
4213: While not specifically mentioned in the rule, the commands in the
4214: \fIPAGERS\fR
4215: \fRCmnd_Alias\fR
4216: all reside in
4217: \fI/usr/bin\fR
4218: and have the
4219: \fInoexec\fR
4220: option set.
4221: .nf
4222: .sp
4223: .RS 0n
4224: steve CSNETS = (operator) /usr/local/op_commands/
4225: .RE
4226: .fi
4227: .PP
4228: The user
4229: \fBsteve\fR
4230: may run any command in the directory \fI/usr/local/op_commands/\fR
4231: but only as user operator.
4232: .nf
4233: .sp
4234: .RS 0n
4235: matt valkyrie = KILL
4236: .RE
4237: .fi
4238: .PP
4239: On his personal workstation, valkyrie,
4240: \fBmatt\fR
4241: needs to be able to kill hung processes.
4242: .nf
4243: .sp
4244: .RS 0n
4245: WEBMASTERS www = (www) ALL, (root) /usr/bin/su www
4246: .RE
4247: .fi
4248: .PP
4249: On the host www, any user in the
4250: \fIWEBMASTERS\fR
4251: \fRUser_Alias\fR
4252: (will, wendy, and wim) may run any command as user www (which owns the
4253: web pages) or simply
4254: su(1)
4255: to www.
4256: .nf
4257: .sp
4258: .RS 0n
4259: ALL CDROM = NOPASSWD: /sbin/umount /CDROM,\e
4260: /sbin/mount -o nosuid\,nodev /dev/cd0a /CDROM
4261: .RE
4262: .fi
4263: .PP
4264: Any user may mount or unmount a CD-ROM on the machines in the CDROM
4265: \fRHost_Alias\fR
4266: (orion, perseus, hercules) without entering a password.
4267: This is a bit tedious for users to type, so it is a prime candidate
4268: for encapsulating in a shell script.
4269: .SH "SECURITY NOTES"
4270: .SS "Limitations of the \(oq!\&\(cq operator"
4271: It is generally not effective to
4272: \(lqsubtract\(rq
4273: commands from
4274: \fBALL\fR
4275: using the
4276: \(oq!\&\(cq
4277: operator.
4278: A user can trivially circumvent this by copying the desired command
4279: to a different name and then executing that.
4280: For example:
4281: .nf
4282: .sp
4283: .RS 0n
4284: bill ALL = ALL, !SU, !SHELLS
4285: .RE
4286: .fi
4287: .PP
4288: This does not really prevent
4289: \fBbill\fR
4290: from running the commands listed in
4291: \fISU\fR
4292: or
4293: \fISHELLS\fR
4294: since he can simply copy those commands to a different name, or use
4295: a shell escape from an editor or other program.
4296: Therefore, this kind of restriction should be considered
4297: advisory at best (and reinforced by policy).
4298: .PP
4299: In general, if a user has sudo
4300: \fBALL\fR
4301: there is nothing to prevent them from creating their own program that gives
4302: them a root shell (or making their own copy of a shell) regardless of any
4303: \(oq!\&\(cq
4304: elements in the user specification.
4305: .SS "Security implications of \fIfast_glob\fR"
4306: If the
4307: \fIfast_glob\fR
4308: option is in use, it is not possible to reliably negate commands where the
4309: path name includes globbing (aka wildcard) characters.
4310: This is because the C library's
4311: fnmatch(3)
4312: function cannot resolve relative paths.
4313: While this is typically only an inconvenience for rules that grant privileges,
4314: it can result in a security issue for rules that subtract or revoke privileges.
4315: .PP
4316: For example, given the following
4317: \fIsudoers\fR
4318: entry:
4319: .nf
4320: .sp
4321: .RS 0n
4322: john ALL = /usr/bin/passwd [a-zA-Z0-9]*, /usr/bin/chsh [a-zA-Z0-9]*,\e
4323: /usr/bin/chfn [a-zA-Z0-9]*, !/usr/bin/* root
4324: .RE
4325: .fi
4326: .PP
4327: User
4328: \fBjohn\fR
4329: can still run
4330: \fR/usr/bin/passwd root\fR
4331: if
4332: \fIfast_glob\fR
4333: is enabled by changing to
4334: \fI/usr/bin\fR
4335: and running
4336: \fR./passwd root\fR
4337: instead.
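.PP
As an added example (not part of the sudo distribution), the following Python script lints a policy for the two patterns described in the preceding two subsections: commands subtracted from \fBALL\fR with \(oq!\&\(cq, and negated commands containing wildcard characters while \fIfast_glob\fR is set.
It assumes the single host-spec rule form and does not expand aliases; the sample policy is constructed from entries in this manual.

```python
"""Lint sudoers user specifications for negations that are not enforceable.

Added example, not part of the sudo distribution.  Flags the two
patterns from SECURITY NOTES: commands subtracted from ALL with '!',
and negated commands that contain wildcard characters while fast_glob
is set.  Only the single host-spec form "user hosts = [(runas)] [TAG:]
cmds" is parsed and aliases are not expanded.
"""
import re
from typing import List, Tuple

# Constructed sample policy built from entries in this manual.
SAMPLE_SUDOERS = r"""
Defaults fast_glob
Cmnd_Alias SU = /usr/bin/su
Cmnd_Alias SHELLS = /usr/bin/sh, /usr/bin/csh, /usr/bin/ksh
bill ALL = ALL, !SU, !SHELLS
jill SERVERS = /usr/bin/, !SU, !SHELLS
john ALL = /usr/bin/passwd [a-zA-Z0-9]*, /usr/bin/chsh [a-zA-Z0-9]*,\
    /usr/bin/chfn [a-zA-Z0-9]*, !/usr/bin/* root
pete HPPA = /usr/bin/passwd [A-Za-z]*, !/usr/bin/passwd root
ALL CDROM = NOPASSWD: /sbin/umount /CDROM,\
    /sbin/mount -o nosuid\,nodev /dev/cd0a /CDROM
"""

RUNAS_RE = re.compile(r"\([^)]*\)")     # (runas_user : runas_group)
TAG_RE = re.compile(r"\b[A-Z]+:\s*")     # NOPASSWD:, NOEXEC:, ...
GLOB_CHARS = set("*?[")
SKIP_PREFIXES = ("Defaults", "User_Alias", "Runas_Alias",
                 "Host_Alias", "Cmnd_Alias")

Finding = Tuple[str, str, str]           # (user, kind, offending commands)


def logical_lines(text: str) -> List[str]:
    """Join backslash-continued lines; drop blank lines and comments."""
    lines, buf = [], ""
    for raw in text.splitlines():
        line = raw.rstrip()
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        entry, buf = (buf + line).strip(), ""
        if entry and not entry.startswith("#"):
            lines.append(entry)
    return lines


def split_list(items: str) -> List[str]:
    """Split a comma-separated sudoers list, honouring backslash-escaped commas."""
    return [s.strip() for s in re.split(r"(?<!\\),", items) if s.strip()]


def fast_glob_enabled(lines: List[str]) -> bool:
    """True when an unconditional Defaults line leaves fast_glob on (last wins)."""
    enabled = False
    for line in lines:
        if not re.match(r"Defaults\s", line):
            continue
        for param in split_list(line.split(None, 1)[1]):
            if param == "fast_glob":
                enabled = True
            elif param == "!fast_glob":
                enabled = False
    return enabled


def lint(text: str) -> List[Finding]:
    lines = logical_lines(text)
    fast_glob = fast_glob_enabled(lines)
    findings: List[Finding] = []
    for line in lines:
        if line.startswith(SKIP_PREFIXES) or "=" not in line:
            continue
        user = line.split()[0]
        cmnd_list = TAG_RE.sub("", RUNAS_RE.sub("", line.partition("=")[2]))
        entries = split_list(cmnd_list)
        negated = [e.lstrip("!").strip() for e in entries if e.startswith("!")]
        if "ALL" in entries and negated:
            # Limitations of the '!' operator: with ALL the subtraction is
            # advisory only, since the same binary can be run under another name.
            findings.append((user, "subtract-from-ALL", ", ".join(negated)))
        if fast_glob:
            for cmd in negated:
                if GLOB_CHARS & set(cmd):
                    # fnmatch(3) cannot resolve relative paths, so the negation
                    # does not match the command when invoked as "./name".
                    findings.append((user, "negated-wildcard-fast_glob", cmd))
    return findings


if __name__ == "__main__":
    for user, kind, cmds in lint(SAMPLE_SUDOERS):
        print(f"{user}: {kind}: {cmds}")
```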
4338: .SS "Preventing shell escapes"
4339: Once
4340: \fBsudo\fR
4341: executes a program, that program is free to do whatever
4342: it pleases, including run other programs.
4343: This can be a security issue since it is not uncommon for a program to
4344: allow shell escapes, which lets a user bypass
4345: \fBsudo\fR's
4346: access control and logging.
4347: Common programs that permit shell escapes include shells (obviously),
4348: editors, paginators, mail and terminal programs.
4349: .PP
4350: There are two basic approaches to this problem:
4351: .TP 10n
4352: restrict
4353: Avoid giving users access to commands that allow the user to run
4354: arbitrary commands.
4355: Many editors have a restricted mode where shell
4356: escapes are disabled, though
4357: \fBsudoedit\fR
4358: is a better solution to
4359: running editors via
4360: \fBsudo\fR.
4361: Due to the large number of programs that
4362: offer shell escapes, restricting users to the set of programs that
4363: do not is often unworkable.
4364: .TP 10n
4365: noexec
4366: Many systems that support shared libraries have the ability to
4367: override default library functions by pointing an environment
4368: variable (usually
4369: \fRLD_PRELOAD\fR)
4370: to an alternate shared library.
4371: On such systems,
4372: \fBsudo\fR's
4373: \fInoexec\fR
4374: functionality can be used to prevent a program run by
4375: \fBsudo\fR
4376: from executing any other programs.
4377: Note, however, that this applies only to native dynamically-linked
4378: executables.
4379: Statically-linked executables and foreign executables
4380: running under binary emulation are not affected.
4381: .sp
4382: The
4383: \fInoexec\fR
4384: feature is known to work on SunOS, Solaris, *BSD,
4385: Linux, IRIX, Tru64 UNIX, MacOS X, HP-UX 11.x and AIX 5.3 and above.
4386: It should be supported on most operating systems that support the
4387: \fRLD_PRELOAD\fR
4388: environment variable.
4389: Check your operating system's manual pages for the dynamic linker
4390: (usually ld.so, ld.so.1, dyld, dld.sl, rld, or loader) to see if
4391: \fRLD_PRELOAD\fR
4392: is supported.
4393: .sp
4394: On Solaris 10 and higher,
4395: \fInoexec\fR
4396: uses Solaris privileges instead of the
4397: \fRLD_PRELOAD\fR
4398: environment variable.
4399: .sp
4400: To enable
4401: \fInoexec\fR
4402: for a command, use the
4403: \fRNOEXEC\fR
4404: tag as documented
4405: in the User Specification section above.
4406: Here is that example again:
4407: .nf
4408: .sp
4409: .RS 10n
4410: aaron shanty = NOEXEC: /usr/bin/more, /usr/bin/vi
4411: .RE
4412: .fi
4413: .RS 10n
4414: .sp
4415: This allows user
4416: \fBaaron\fR
4417: to run
4418: \fI/usr/bin/more\fR
4419: and
4420: \fI/usr/bin/vi\fR
4421: with
4422: \fInoexec\fR
4423: enabled.
4424: This will prevent those two commands from
4425: executing other commands (such as a shell).
4426: If you are unsure whether or not your system is capable of supporting
4427: \fInoexec\fR
4428: you can always just try it out and check whether shell escapes work when
4429: \fInoexec\fR
4430: is enabled.
4431: .RE
4432: .PP
4433: Note that restricting shell escapes is not a panacea.
4434: Programs running as root are still capable of many potentially hazardous
4435: operations (such as changing or overwriting files) that could lead
4436: to unintended privilege escalation.
4437: In the specific case of an editor, a safer approach is to give the
4438: user permission to run
4439: \fBsudoedit\fR
4440: (see below).
4441: .SS "Secure editing"
4442: The
4443: \fIsudoers\fR
4444: plugin includes
4445: \fBsudoedit\fR
4446: support which allows users to securely edit files with the editor
4447: of their choice.
4448: As
4449: \fBsudoedit\fR
4450: is a built-in command, it must be specified in
4451: \fIsudoers\fR
4452: without a leading path.
4453: However, it may take command line arguments just as a normal command does.
4454: For example, to allow user operator to edit the
4455: \(lqmessage of the day\(rq
4456: file:
4457: .nf
4458: .sp
4459: .RS 6n
4460: operator sudoedit /etc/motd
4461: .RE
4462: .fi
4463: .PP
4464: The operator user then runs
4465: \fBsudoedit\fR
4466: as follows:
4467: .nf
4468: .sp
4469: .RS 6n
4470: $ sudoedit /etc/motd
4471: .RE
4472: .fi
4473: .PP
4474: The editor will run as the operator user, not root, on a temporary copy of
4475: \fI/etc/motd\fR.
4476: After the file has been edited,
4477: \fI/etc/motd\fR
will be updated with the contents of the temporary copy.
.SS "Time stamp file checks"
\fIsudoers\fR
will check the ownership of its time stamp directory
(\fI@rundir@/ts\fR
by default)
and ignore the directory's contents if it is not owned by root or
if it is writable by a user other than root.
Older versions of
\fBsudo\fR
stored time stamp files in
\fI/tmp\fR;
this is no longer recommended as it may be possible for a user
to create the time stamp themselves on systems that allow
unprivileged users to change the ownership of files they create.
.PP
While the time stamp directory
\fIshould\fR
be cleared at reboot time, not all systems contain a
\fI/var/run\fR
directory.
To avoid potential problems,
\fIsudoers\fR
will ignore time stamp files that date from before the machine booted
on systems where the boot time is available.
.PP
Some systems with graphical desktop environments allow unprivileged
users to change the system clock.
Since
\fIsudoers\fR
relies on the system clock for time stamp validation, it may be
possible on such systems for a user to run
\fBsudo\fR
for longer than
\fItimestamp_timeout\fR
by setting the clock back.
To combat this,
\fIsudoers\fR
uses a monotonic clock (which never moves backwards) for its time stamps
if the system supports it.
.PP
\fIsudoers\fR
will not honor time stamps set far in the future.
Time stamps with a date greater than current_time + 2 *
\fRTIMEOUT\fR
will be ignored and
\fIsudoers\fR
will log and complain.
.PP
Since time stamp files live in the file system, they can outlive a
user's login session.
As a result, a user may be able to log in, run a command with
\fBsudo\fR
after authenticating, log out, log in again, and run
\fBsudo\fR
without authenticating so long as the record's time stamp is within
\fR@timeout@\fR
minutes (or whatever value the timeout is set to in
\fIsudoers\fR).
When the
\fItty_tickets\fR
option is enabled, the time stamp record includes the device
number of the terminal the user authenticated with.
This provides per-tty granularity, but time stamp records still
may outlive the user's session.
The time stamp record also includes the session ID of the process
that last authenticated.
This prevents processes in different terminal sessions from using
the same time stamp record.
It also helps reduce the chance that a user will be able to run
\fBsudo\fR
without entering a password when logging out and back in again
on the same terminal.
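.PP
The checks described in this section, modelled as an added example that is not sudo's own code: the record fields, boot time, current time and directory owner/mode are constructed inputs, and the ordering of the checks and the tty_tickets parameter are assumptions of this model rather than a description of sudo's on-disk format.

```python
"""Model of the sudoers time stamp checks (added example, not sudo's own code).
Inputs are constructed; real sudoers reads records from @rundir@/ts and stat()s it."""
from dataclasses import dataclass
import stat


@dataclass
class TsRecord:
    ts: float      # monotonic-clock seconds recorded at the last authentication
    tty_dev: int   # device number of the terminal (consulted when tty_tickets is on)
    sid: int       # session ID of the process that last authenticated


def ts_dir_usable(owner_uid: int, mode: int) -> bool:
    """Ignore the whole directory unless root owns it and nobody else can write it."""
    return owner_uid == 0 and not (mode & (stat.S_IWGRP | stat.S_IWOTH))


def ts_valid(rec: TsRecord, now: float, timeout_min: int, boot_time,
             tty_dev: int, sid: int, tty_tickets: bool = True):
    """Return (valid, reason) for one record, applying the man page rules in order.

    `now` and `rec.ts` come from the same monotonic clock, so setting the wall
    clock back cannot stretch the timeout.  `boot_time` is None where unknown.
    """
    timeout = timeout_min * 60
    if boot_time is not None and rec.ts < boot_time:
        return False, "predates boot: ignored"
    if rec.ts > now + 2 * timeout:
        return False, "too far in the future: ignored, log and complain"
    if rec.ts + timeout < now:
        return False, "expired: re-authenticate"
    if tty_tickets and rec.tty_dev != tty_dev:
        return False, "different terminal"
    if rec.sid != sid:
        return False, "different session"
    return True, "ok"


if __name__ == "__main__":
    # constructed values: authenticated at t=1000 on tty 5 in session 42
    rec = TsRecord(ts=1000.0, tty_dev=5, sid=42)
    print(ts_valid(rec, now=1100.0, timeout_min=5, boot_time=900.0, tty_dev=5, sid=42))
    print(ts_valid(rec, now=1100.0, timeout_min=5, boot_time=900.0, tty_dev=5, sid=43))
```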
.SH "DEBUGGING"
Versions 1.8.4 and higher of the
\fBsudoers\fR
plugin support a flexible debugging framework that can help track
down what the plugin is doing internally if there is a problem.
This can be configured in the
sudo.conf(@mansectform@)
file.
.PP
The
\fBsudoers\fR
plugin uses the same debug flag format as the
\fBsudo\fR
front-end:
\fIsubsystem\fR@\fIpriority\fR.
.PP
The priorities used by
\fBsudoers\fR,
in order of decreasing severity,
are:
\fIcrit\fR, \fIerr\fR, \fIwarn\fR, \fInotice\fR, \fIdiag\fR, \fIinfo\fR, \fItrace\fR
and
\fIdebug\fR.
Each priority, when specified, also includes all priorities higher
than it.
For example, a priority of
\fInotice\fR
would include debug messages logged at
\fInotice\fR
and higher.
.PP
The following subsystems are used by the
\fBsudoers\fR
plugin:
.TP 10n
\fIalias\fR
\fRUser_Alias\fR,
\fRRunas_Alias\fR,
\fRHost_Alias\fR
and
\fRCmnd_Alias\fR
processing
.TP 10n
\fIall\fR
matches every subsystem
.TP 10n
\fIaudit\fR
BSM and Linux audit code
.TP 10n
\fIauth\fR
user authentication
.TP 10n
\fIdefaults\fR
\fIsudoers\fR
\fIDefaults\fR
settings
.TP 10n
\fIenv\fR
environment handling
.TP 10n
\fIldap\fR
LDAP-based sudoers
.TP 10n
\fIlogging\fR
logging support
.TP 10n
\fImatch\fR
matching of users, groups, hosts and netgroups in
\fIsudoers\fR
.TP 10n
\fInetif\fR
network interface handling
.TP 10n
\fInss\fR
network service switch handling in
\fIsudoers\fR
.TP 10n
\fIparser\fR
\fIsudoers\fR
file parsing
.TP 10n
\fIperms\fR
permission setting
.TP 10n
\fIplugin\fR
The equivalent of
\fImain\fR
for the plugin.
.TP 10n
\fIpty\fR
pseudo-tty related code
.TP 10n
\fIrbtree\fR
red-black tree internals
.TP 10n
\fIsssd\fR
SSSD-based sudoers
.TP 10n
\fIutil\fR
utility functions
.PD 0
.PP
For example:
.nf
.sp
.RS 0n
Debug sudo /var/log/sudo_debug match@info,nss@info
.RE
.fi
.PD
.PP
For more information, see the
sudo.conf(@mansectform@)
manual.
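.PP
The flag format and priority ordering above, modelled as an added example that is not sudo's own code: it parses the Debug line shown in this section and decides whether a message at a given subsystem and priority is enabled, with the handling of a repeated subsystem being an assumption of this model.

```python
"""Model of the sudoers debug-flag matching (added example, not sudo's own code).
Parses the `Debug <program> <logfile> <subsystem>@<priority>[,...]` form shown above."""
PRIORITIES = ["crit", "err", "warn", "notice", "diag", "info", "trace", "debug"]
SUBSYSTEMS = {"alias", "all", "audit", "auth", "defaults", "env", "ldap", "logging",
              "match", "netif", "nss", "parser", "perms", "plugin", "pty", "rbtree",
              "sssd", "util"}


def parse_debug_line(line: str):
    """Return (program, logfile, {subsystem: priority index}); raise ValueError on bad input."""
    parts = line.split()
    if len(parts) != 4 or parts[0] != "Debug":
        raise ValueError(f"unsupported Debug line: {line!r}")
    program, logfile, flags = parts[1], parts[2], {}
    for flag in parts[3].split(","):
        sub, sep, pri = flag.partition("@")
        if not sep or sub not in SUBSYSTEMS or pri not in PRIORITIES:
            raise ValueError(f"bad debug flag: {flag!r}")
        # assumption of this model: a repeated subsystem keeps the most verbose priority
        flags[sub] = max(flags.get(sub, -1), PRIORITIES.index(pri))
    return program, logfile, flags


def should_log(flags: dict, subsystem: str, priority: str) -> bool:
    """A flag enables its own priority and every more severe one (lower index);
    the `all` subsystem applies to every subsystem."""
    level = PRIORITIES.index(priority)
    return any(sub in flags and level <= flags[sub] for sub in (subsystem, "all"))


if __name__ == "__main__":
    # constructed input: the example line from this manual section
    _, _, flags = parse_debug_line("Debug sudo /var/log/sudo_debug match@info,nss@info")
    for sub, pri in [("match", "warn"), ("nss", "trace"), ("auth", "crit")]:
        print(sub, pri, should_log(flags, sub, pri))
```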
.SH "SEE ALSO"
ssh(1),
su(1),
fnmatch(3),
glob(3),
mktemp(3),
strftime(3),
sudo.conf(@mansectform@),
sudoers.ldap(@mansectform@),
sudo_plugin(@mansectsu@),
sudo(@mansectsu@),
visudo(@mansectsu@)
.SH "CAVEATS"
The
\fIsudoers\fR
file should
\fBalways\fR
be edited by the
\fBvisudo\fR
command, which locks the file and does grammatical checking.
It is
imperative that
\fIsudoers\fR
be free of syntax errors since
\fBsudo\fR
will not run with a syntactically incorrect
\fIsudoers\fR
file.
.PP
When using netgroups of machines (as opposed to users), if you
store fully qualified host names in the netgroup (as is usually the
case), you either need to have the machine's host name be fully qualified
as returned by the
\fRhostname\fR
command or use the
\fIfqdn\fR
option in
\fIsudoers\fR.
.SH "BUGS"
If you feel you have found a bug in
\fBsudo\fR,
please submit a bug report at http://www.sudo.ws/sudo/bugs/.
.SH "SUPPORT"
Limited free support is available via the sudo-users mailing list;
see http://www.sudo.ws/mailman/listinfo/sudo-users to subscribe or
search the archives.
.SH "DISCLAIMER"
\fBsudo\fR
is provided
\(lqAS IS\(rq
and any express or implied warranties, including, but not limited
to, the implied warranties of merchantability and fitness for a
particular purpose are disclaimed.
See the LICENSE file distributed with
\fBsudo\fR
or http://www.sudo.ws/sudo/license.html for complete details.