Annotation of embedaddon/sudo/doc/sudoers.mdoc.in, revision 1.1

1.1     ! misho       1: .\"
        !             2: .\" Copyright (c) 1994-1996, 1998-2005, 2007-2012
        !             3: .\" Todd C. Miller <Todd.Miller@courtesan.com>
        !             4: .\"
        !             5: .\" Permission to use, copy, modify, and distribute this software for any
        !             6: .\" purpose with or without fee is hereby granted, provided that the above
        !             7: .\" copyright notice and this permission notice appear in all copies.
        !             8: .\"
        !             9: .\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
        !            10: .\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
        !            11: .\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
        !            12: .\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
        !            13: .\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
        !            14: .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
        !            15: .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
        !            16: .\" ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
        !            17: .\"
        !            18: .\" Sponsored in part by the Defense Advanced Research Projects
        !            19: .\" Agency (DARPA) and Air Force Research Laboratory, Air Force
        !            20: .\" Materiel Command, USAF, under agreement number F39502-99-1-0512.
        !            21: .\"
        !            22: .Dd July 16, 2012
        !            23: .Dt SUDOERS @mansectform@
        !            24: .Os Sudo @PACKAGE_VERSION@
        !            25: .Sh NAME
        !            26: .Nm sudoers
        !            27: .Nd default sudo security policy module
        !            28: .Sh DESCRIPTION
        !            29: The
        !            30: .Em sudoers
        !            31: policy module determines a user's
        !            32: .Nm sudo
        !            33: privileges.
        !            34: It is the default
        !            35: .Nm sudo
        !            36: policy plugin.
        !            37: The policy is driven by
        !            38: the
        !            39: .Pa @sysconfdir@/sudoers
        !            40: file or, optionally, in LDAP.
        !            41: The policy format is described in detail in the
        !            42: .Sx SUDOERS FILE FORMAT
        !            43: section.
        !            44: For information on storing
        !            45: .Em sudoers
        !            46: policy information
        !            47: in LDAP, please see
        !            48: .Xr sudoers.ldap @mansectform@ .
        !            49: .Ss Authentication and logging
        !            50: The
        !            51: .Em sudoers
        !            52: security policy requires that most users authenticate
        !            53: themselves before they can use
        !            54: .Nm sudo .
        !            55: A password is not required
        !            56: if the invoking user is root, if the target user is the same as the
        !            57: invoking user, or if the policy has disabled authentication for the
        !            58: user or command.
        !            59: Unlike
        !            60: .Xr su 1 ,
        !            61: when
        !            62: .Em sudoers
        !            63: requires
        !            64: authentication, it validates the invoking user's credentials, not
        !            65: the target user's (or root's) credentials.
        !            66: This can be changed via
        !            67: the
        !            68: .Em rootpw ,
        !            69: .Em targetpw
        !            70: and
        !            71: .Em runaspw
        !            72: flags, described later.
        !            73: .Pp
        !            74: If a user who is not listed in the policy tries to run a command
        !            75: via
        !            76: .Nm sudo ,
        !            77: mail is sent to the proper authorities.
        !            78: The address
        !            79: used for such mail is configurable via the
        !            80: .Em mailto
        !            81: Defaults entry
        !            82: (described later) and defaults to
        !            83: .Li @mailto@ .
        !            84: .Pp
        !            85: Note that mail will not be sent if an unauthorized user tries to
        !            86: run
        !            87: .Nm sudo
        !            88: with the
        !            89: .Fl l
        !            90: or
        !            91: .Fl v
        !            92: option.
        !            93: This allows users to
        !            94: determine for themselves whether or not they are allowed to use
        !            95: .Nm sudo .
        !            96: .Pp
        !            97: If
        !            98: .Nm sudo
        !            99: is run by root and the
        !           100: .Ev SUDO_USER
        !           101: environment variable
        !           102: is set, the
        !           103: .Em sudoers
        !           104: policy will use this value to determine who
        !           105: the actual user is.
        !           106: This can be used by a user to log commands
        !           107: through sudo even when a root shell has been invoked.
        !           108: It also
        !           109: allows the
        !           110: .Fl e
        !           111: option to remain useful even when invoked via a
        !           112: sudo-run script or program.
        !           113: Note, however, that the
        !           114: .Em sudoers
        !           115: lookup is still done for root, not the user specified by
        !           116: .Ev SUDO_USER .
        !           117: .Pp
        !           118: .Em sudoers
        !           119: uses time stamp files for credential caching.
        !           120: Once a
        !           121: user has been authenticated, the time stamp is updated and the user
        !           122: may then use sudo without a password for a short period of time
        !           123: .Po
        !           124: .Li @timeout@
        !           125: minutes unless overridden by the
        !           126: .Em timeout
        !           127: option
        !           128: .Pc .
        !           129: By default,
        !           130: .Em sudoers
        !           131: uses a tty-based time stamp which means that
        !           132: there is a separate time stamp for each of a user's login sessions.
        !           133: The
        !           134: .Em tty_tickets
        !           135: option can be disabled to force the use of a
        !           136: single time stamp for all of a user's sessions.
        !           137: .Pp
        !           138: .Em sudoers
        !           139: can log both successful and unsuccessful attempts (as well
        !           140: as errors) to
        !           141: .Xr syslog 3 ,
        !           142: a log file, or both.
        !           143: By default,
        !           144: .Em sudoers
        !           145: will log via
        !           146: .Xr syslog 3
        !           147: but this is changeable via the
        !           148: .Em syslog
        !           149: and
        !           150: .Em logfile
        !           151: Defaults settings.
        !           152: .Pp
        !           153: .Em sudoers
        !           154: also supports logging a command's input and output
        !           155: streams.
        !           156: I/O logging is not on by default but can be enabled using
        !           157: the
        !           158: .Em log_input
        !           159: and
        !           160: .Em log_output
        !           161: Defaults flags as well as the
        !           162: .Li LOG_INPUT
        !           163: and
        !           164: .Li LOG_OUTPUT
        !           165: command tags.
        !           166: .Ss Command environment
        !           167: Since environment variables can influence program behavior,
        !           168: .Em sudoers
        !           169: provides a means to restrict which variables from the user's
        !           170: environment are inherited by the command to be run.
        !           171: There are two
        !           172: distinct ways
        !           173: .Em sudoers
        !           174: can deal with environment variables.
        !           175: .Pp
        !           176: By default, the
        !           177: .Em env_reset
        !           178: option is enabled.
        !           179: This causes commands
        !           180: to be executed with a new, minimal environment.
        !           181: On AIX (and Linux
        !           182: systems without PAM), the environment is initialized with the
        !           183: contents of the
        !           184: .Pa /etc/environment
        !           185: file.
        !           186: On BSD systems, if the
        !           187: .Em use_loginclass
        !           188: option is enabled, the environment is initialized
        !           189: based on the
        !           190: .Em path
        !           191: and
        !           192: .Em setenv
        !           193: settings in
        !           194: .Pa /etc/login.conf .
        !           195: The new environment contains the
        !           196: .Ev TERM ,
        !           197: .Ev PATH ,
        !           198: .Ev HOME ,
        !           199: .Ev MAIL ,
        !           200: .Ev SHELL ,
        !           201: .Ev LOGNAME ,
        !           202: .Ev USER ,
        !           203: .Ev USERNAME
        !           204: and
        !           205: .Ev SUDO_*
        !           206: variables
        !           207: in addition to variables from the invoking process permitted by the
        !           208: .Em env_check
        !           209: and
        !           210: .Em env_keep
        !           211: options.
        !           212: This is effectively a whitelist
        !           213: for environment variables.
        !           214: .Pp
        !           215: If, however, the
        !           216: .Em env_reset
        !           217: option is disabled, any variables not
        !           218: explicitly denied by the
        !           219: .Em env_check
        !           220: and
        !           221: .Em env_delete
        !           222: options are
        !           223: inherited from the invoking process.
        !           224: In this case,
        !           225: .Em env_check
        !           226: and
        !           227: .Em env_delete
        !           228: behave like a blacklist.
        !           229: Since it is not possible
        !           230: to blacklist all potentially dangerous environment variables, use
        !           231: of the default
        !           232: .Em env_reset
        !           233: behavior is encouraged.
        !           234: .Pp
        !           235: In all cases, environment variables with a value beginning with
        !           236: .Li ()
        !           237: are removed as they could be interpreted as
        !           238: .Sy bash
        !           239: functions.
        !           240: The list of environment variables that
        !           241: .Nm sudo
        !           242: allows or denies is
        !           243: contained in the output of
        !           244: .Dq Li sudo -V
        !           245: when run as root.
        !           246: .Pp
        !           247: Note that the dynamic linker on most operating systems will remove
        !           248: variables that can control dynamic linking from the environment of
        !           249: setuid executables, including
        !           250: .Nm sudo .
        !           251: Depending on the operating
        !           252: system this may include
        !           253: .Ev _RLD* ,
        !           254: .Ev DYLD_* ,
        !           255: .Ev LD_* ,
        !           256: .Ev LDR_* ,
        !           257: .Ev LIBPATH ,
        !           258: .Ev SHLIB_PATH ,
        !           259: and others.
        !           260: Variables of this type are
        !           261: removed from the environment before
        !           262: .Nm sudo
        !           263: even begins execution
        !           264: and, as such, it is not possible for
        !           265: .Nm sudo
        !           266: to preserve them.
        !           267: .Pp
        !           268: As a special case, if
        !           269: .Nm sudo Ns No 's
        !           270: .Fl i
        !           271: option (initial login) is
        !           272: specified,
        !           273: .Em sudoers
        !           274: will initialize the environment regardless
        !           275: of the value of
        !           276: .Em env_reset .
        !           277: The
        !           278: .Ev DISPLAY ,
        !           279: .Ev PATH
        !           280: and
        !           281: .Ev TERM
        !           282: variables remain unchanged;
        !           283: .Ev HOME ,
        !           284: .Ev MAIL ,
        !           285: .Ev SHELL ,
        !           286: .Ev USER ,
        !           287: and
        !           288: .Ev LOGNAME
        !           289: are set based on the target user.
        !           290: On AIX (and Linux
        !           291: systems without PAM), the contents of
        !           292: .Pa /etc/environment
        !           293: are also
        !           294: included.
        !           295: On BSD systems, if the
        !           296: .Em use_loginclass
        !           297: option is
        !           298: enabled, the
        !           299: .Em path
        !           300: and
        !           301: .Em setenv
        !           302: variables in
        !           303: .Pa /etc/login.conf
        !           304: are also applied.
        !           305: All other environment variables are removed.
        !           306: .Pp
        !           307: Finally, if the
        !           308: .Em env_file
        !           309: option is defined, any variables present
        !           310: in that file will be set to their specified values as long as they
        !           311: would not conflict with an existing environment variable.
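The two modes described above (a whitelist while env_reset is on, a blacklist when it is off) and the rule that drops values beginning with "()", modelled in Python. This is an added example, not sudo's own code: build_env, the constructed invoking environment and the ENV_KEEP, ENV_CHECK and ENV_DELETE lists are assumptions made for the illustration (the real lists are the ones "sudo -V" prints). The env_check test, keep a variable only if its value contains no "%" or "/", is taken from the sudoers manual's env_check description rather than from this section, and the extra rules for TZ are not modelled. target_env stands in for whatever sudoers derives from the target user for the mandatory variables; how each of those is computed is outside this example.

```python
import fnmatch

# Constructed policy lists for this example; real values come from Defaults
# entries and are listed by "sudo -V". Patterns use sudoers' shell-style wildcards.
ENV_KEEP = ("LANG", "LC_*")                      # kept unconditionally
ENV_CHECK = ("COLORTERM", "LANGUAGE")            # kept only if the value is "safe"
ENV_DELETE = ("LD_*", "IFS", "ENV", "BASH_ENV")  # blacklist used when env_reset is off


def looks_like_bash_function(value):
    """Applies in every mode: a value starting with "()" could be imported as a bash function."""
    return value.startswith("()")


def named_in(name, patterns):
    return any(fnmatch.fnmatchcase(name, p) for p in patterns)


def env_check_safe(value):
    """env_check rule from the sudoers manual: the value must contain no '%' or '/'.
    (TZ has additional rules that this example does not model.)"""
    return "%" not in value and "/" not in value


def build_env(invoking_env, target_env, env_reset=True,
              env_keep=ENV_KEEP, env_check=ENV_CHECK, env_delete=ENV_DELETE):
    """Return the environment the command would start with.

    target_env holds the values sudoers derives from the target user for
    TERM, PATH, HOME, MAIL, SHELL, LOGNAME, USER, USERNAME and SUDO_*;
    the caller supplies them here.
    """
    inherited = {k: v for k, v in invoking_env.items() if not looks_like_bash_function(v)}
    if env_reset:
        # Whitelist: the mandatory set, plus only what env_keep/env_check admit.
        env = dict(target_env)
        for name, value in inherited.items():
            if named_in(name, env_keep) or (named_in(name, env_check) and env_check_safe(value)):
                env[name] = value
        return env
    # Blacklist: everything is inherited unless env_delete names it, or
    # env_check names it and the value is unsafe.
    return {name: value for name, value in inherited.items()
            if not named_in(name, env_delete)
            and not (named_in(name, env_check) and not env_check_safe(value))}


# Constructed invoking environment for the demonstration.
INVOKING_ENV = {
    "PATH": "/home/alice/bin:/usr/bin",
    "LANG": "en_US.UTF-8",
    "COLORTERM": "truecolor",      # env_check, safe value
    "LANGUAGE": "en/US",           # env_check, unsafe: contains '/'
    "LD_PRELOAD": "/tmp/evil.so",  # the loader normally strips this before sudo even runs
    "PYTHONPATH": "/tmp/lib",      # dangerous, but not on the blacklist
    "ls": "() { /tmp/x; }",        # bash-function-looking value
}
# Constructed stand-in for the values sudoers derives from the target user (root here).
TARGET_ENV = {
    "TERM": "xterm", "PATH": "/usr/bin:/bin", "HOME": "/root", "MAIL": "/var/mail/root",
    "SHELL": "/bin/sh", "LOGNAME": "root", "USER": "root", "USERNAME": "root",
    "SUDO_USER": "alice", "SUDO_COMMAND": "/bin/ls",
}


def compare_modes(invoking_env=INVOKING_ENV, target_env=TARGET_ENV):
    """Return (whitelist_env, blacklist_env) built from the same invoking environment."""
    return (build_env(invoking_env, target_env, env_reset=True),
            build_env(invoking_env, target_env, env_reset=False))


if __name__ == "__main__":
    white, black = compare_modes()
    print("env_reset on :", sorted(white))
    print("env_reset off:", sorted(black))
    print("survived the blacklist only:", sorted(set(black) - set(white)))
```

PYTHONPATH is the point of the comparison: the blacklist removes only what it names, so anything the administrator did not think of reaches the command, while the whitelist never admits it.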
        !           312: .Sh SUDOERS FILE FORMAT
        !           313: The
        !           314: .Em sudoers
        !           315: file is composed of two types of entries: aliases
        !           316: (basically variables) and user specifications (which specify who
        !           317: may run what).
        !           318: .Pp
        !           319: When multiple entries match for a user, they are applied in order.
        !           320: Where there are multiple matches, the last match is used (which is
        !           321: not necessarily the most specific match).
        !           322: .Pp
        !           323: The
        !           324: .Em sudoers
        !           325: grammar will be described below in Extended Backus-Naur
        !           326: Form (EBNF).
        !           327: Don't despair if you are unfamiliar with EBNF; it is fairly simple,
        !           328: and the definitions below are annotated.
        !           329: .Ss Quick guide to EBNF
        !           330: EBNF is a concise and exact way of describing the grammar of a language.
        !           331: Each EBNF definition is made up of
        !           332: .Em production rules .
        !           333: E.g.,
        !           334: .Pp
        !           335: .Li  symbol ::= definition | alternate1 | alternate2 ...
        !           336: .Pp
        !           337: Each
        !           338: .Em production rule
        !           339: references others and thus makes up a
        !           340: grammar for the language.
        !           341: EBNF also contains the following
        !           342: operators, which many readers will recognize from regular
        !           343: expressions.
        !           344: Do not, however, confuse them with
        !           345: .Dq wildcard
        !           346: characters, which have different meanings.
        !           347: .Bl -tag -width 4n
        !           348: .It Li \&?
        !           349: Means that the preceding symbol (or group of symbols) is optional.
        !           350: That is, it may appear once or not at all.
        !           351: .It Li *
        !           352: Means that the preceding symbol (or group of symbols) may appear
        !           353: zero or more times.
        !           354: .It Li +
        !           355: Means that the preceding symbol (or group of symbols) may appear
        !           356: one or more times.
        !           357: .El
        !           358: .Pp
        !           359: Parentheses may be used to group symbols together.
        !           360: For clarity,
        !           361: we will use single quotes
        !           362: .Pq ''
        !           363: to designate what is a verbatim character string (as opposed to a symbol name).
        !           364: .Ss Aliases
        !           365: There are four kinds of aliases:
        !           366: .Li User_Alias ,
        !           367: .Li Runas_Alias ,
        !           368: .Li Host_Alias
        !           369: and
        !           370: .Li Cmnd_Alias .
        !           371: .Bd -literal
        !           372: Alias ::= 'User_Alias'  User_Alias (':' User_Alias)* |
        !           373:           'Runas_Alias' Runas_Alias (':' Runas_Alias)* |
        !           374:           'Host_Alias'  Host_Alias (':' Host_Alias)* |
        !           375:           'Cmnd_Alias'  Cmnd_Alias (':' Cmnd_Alias)*
        !           376: 
        !           377: User_Alias ::= NAME '=' User_List
        !           378: 
        !           379: Runas_Alias ::= NAME '=' Runas_List
        !           380: 
        !           381: Host_Alias ::= NAME '=' Host_List
        !           382: 
        !           383: Cmnd_Alias ::= NAME '=' Cmnd_List
        !           384: 
        !           385: NAME ::= [A-Z]([A-Z]|[0-9]|'_')*
        !           386: .Ed
        !           387: .Pp
        !           388: Each
        !           389: .Em alias
        !           390: definition is of the form
        !           391: .Bd -literal
        !           392: Alias_Type NAME = item1, item2, ...
        !           393: .Ed
        !           394: .Pp
        !           395: where
        !           396: .Em Alias_Type
        !           397: is one of
        !           398: .Li User_Alias ,
        !           399: .Li Runas_Alias ,
        !           400: .Li Host_Alias ,
        !           401: or
        !           402: .Li Cmnd_Alias .
        !           403: A
        !           404: .Li NAME
        !           405: is a string of uppercase letters, numbers,
        !           406: and underscore characters
        !           407: .Pq Ql _ .
        !           408: A
        !           409: .Li NAME
        !           410: .Sy must
        !           411: start with an
        !           412: uppercase letter.
        !           413: It is possible to put several alias definitions
        !           414: of the same type on a single line, joined by a colon
        !           415: .Pq Ql :\& .
        !           416: E.g.,
        !           417: .Bd -literal
        !           418: Alias_Type NAME = item1, item2, item3 : NAME = item4, item5
        !           419: .Ed
        !           420: .Pp
        !           421: The definitions of what constitutes a valid
        !           422: .Em alias
        !           423: member follow.
        !           424: .Bd -literal
        !           425: User_List ::= User |
        !           426:               User ',' User_List
        !           427: 
        !           428: User ::= '!'* user name |
        !           429:          '!'* #uid |
        !           430:          '!'* %group |
        !           431:          '!'* %#gid |
        !           432:          '!'* +netgroup |
        !           433:          '!'* %:nonunix_group |
        !           434:          '!'* %:#nonunix_gid |
        !           435:          '!'* User_Alias
        !           436: .Ed
        !           437: .Pp
        !           438: A
        !           439: .Li User_List
        !           440: is made up of one or more user names, user ids
        !           441: (prefixed with
        !           442: .Ql # ) ,
        !           443: system group names and ids (prefixed with
        !           444: .Ql %
        !           445: and
        !           446: .Ql %#
        !           447: respectively), netgroups (prefixed with
        !           448: .Ql + ) ,
        !           449: non-Unix group names and IDs (prefixed with
        !           450: .Ql %:
        !           451: and
        !           452: .Ql %:#
        !           453: respectively) and
        !           454: .Li User_Alias Ns No es.
        !           455: Each list item may be prefixed with zero or more
        !           456: .Ql \&!
        !           457: operators.
        !           458: An odd number of
        !           459: .Ql \&!
        !           460: operators negate the value of
        !           461: the item; an even number just cancel each other out.
        !           462: .Pp
        !           463: A
        !           464: .Li user name ,
        !           465: .Li uid ,
        !           466: .Li group ,
        !           467: .Li gid ,
        !           468: .Li netgroup ,
        !           469: .Li nonunix_group
        !           470: or
        !           471: .Li nonunix_gid
        !           472: may be enclosed in double quotes to avoid the
        !           473: need for escaping special characters.
        !           474: Alternately, special characters
        !           475: may be specified in escaped hex mode, e.g.\& \ex20 for space.
        !           476: When
        !           477: using double quotes, any prefix characters must be included inside
        !           478: the quotes.
        !           479: .Pp
        !           480: The actual
        !           481: .Li nonunix_group
        !           482: and
        !           483: .Li nonunix_gid
        !           484: syntax depends on
        !           485: the underlying group provider plugin (see the
        !           486: .Em group_plugin
        !           487: description below).
        !           488: For instance, the QAS AD plugin supports the following formats:
        !           489: .Bl -bullet -width 4n
        !           490: .It
        !           491: Group in the same domain: "%:Group Name"
        !           492: .It
        !           493: Group in any domain: "%:Group Name@FULLY.QUALIFIED.DOMAIN"
        !           494: .It
        !           495: Group SID: "%:S-1-2-34-5678901234-5678901234-5678901234-567"
        !           496: .El
        !           497: .Pp
        !           498: Note that quotes around group names are optional.
        !           499: Unquoted strings must use a backslash
        !           500: .Pq Ql \e
        !           501: to escape spaces and special characters.
        !           502: See
        !           503: .Sx Other special characters and reserved words
        !           504: for a list of
        !           505: characters that need to be escaped.
        !           506: .Bd -literal
        !           507: Runas_List ::= Runas_Member |
        !           508:                Runas_Member ',' Runas_List
        !           509: 
        !           510: Runas_Member ::= '!'* user name |
        !           511:                  '!'* #uid |
        !           512:                  '!'* %group |
        !           513:                  '!'* %#gid |
        !           514:                  '!'* %:nonunix_group |
        !           515:                  '!'* %:#nonunix_gid |
        !           516:                  '!'* +netgroup |
        !           517:                  '!'* Runas_Alias
        !           518: .Ed
        !           519: .Pp
        !           520: A
        !           521: .Li Runas_List
        !           522: is similar to a
        !           523: .Li User_List
        !           524: except that instead
        !           525: of
        !           526: .Li User_Alias Ns No es
        !           527: it can contain
        !           528: .Li Runas_Alias Ns No es .
        !           529: Note that
        !           530: user names and groups are matched as strings.
        !           531: In other words, two
        !           532: users (groups) with the same uid (gid) are considered to be distinct.
        !           533: If you wish to match all user names with the same uid (e.g.\&
        !           534: root and toor), you can use a uid instead (#0 in the example given).
        !           535: .Bd -literal
        !           536: Host_List ::= Host |
        !           537:               Host ',' Host_List
        !           538: 
        !           539: Host ::= '!'* host name |
        !           540:          '!'* ip_addr |
        !           541:          '!'* network(/netmask)? |
        !           542:          '!'* +netgroup |
        !           543:          '!'* Host_Alias
        !           544: .Ed
        !           545: .Pp
        !           546: A
        !           547: .Li Host_List
        !           548: is made up of one or more host names, IP addresses,
        !           549: network numbers, netgroups (prefixed with
        !           550: .Ql + )
        !           551: and other aliases.
        !           552: Again, the value of an item may be negated with the
        !           553: .Ql \&!
        !           554: operator.
        !           555: If you do not specify a netmask along with the network number,
        !           556: .Nm sudo
        !           557: will query each of the local host's network interfaces and,
        !           558: if the network number corresponds to one of the host's network
        !           559: interfaces, the corresponding netmask will be used.
        !           560: The netmask
        !           561: may be specified either in standard IP address notation
        !           562: (e.g.\& 255.255.255.0 or ffff:ffff:ffff:ffff::),
        !           563: or CIDR notation (number of bits, e.g.\& 24 or 64).
        !           564: A host name may include shell-style wildcards (see the
        !           565: .Sx Wildcards
        !           566: section below),
        !           567: but unless the
        !           568: .Li hostname
        !           569: command on your machine returns the fully
        !           570: qualified host name, you'll need to use the
        !           571: .Em fqdn
        !           572: option for wildcards to be useful.
        !           573: Note that
        !           574: .Nm sudo
        !           575: only inspects actual network interfaces; this means that IP address
        !           576: 127.0.0.1 (localhost) will never match.
        !           577: Also, the host name
        !           578: .Dq localhost
        !           579: will only match if that is the actual host name, which is usually
        !           580: only the case for non-networked systems.
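The network and host name matching rules of the paragraph above, modelled with Python's ipaddress and fnmatch modules. This is an added example and not sudo's code: LOCAL_INTERFACES and LOCAL_HOSTNAME are constructed stand-ins for what sudo reads from the running host, and loopback is deliberately left out of the interface table, which is why 127.0.0.1 never matches. Netgroups and the "!" prefix are not handled here.

```python
import fnmatch
import ipaddress


def prefix_length(mask, version):
    """Accept a netmask as CIDR bits ('24', '64') or in address notation
    ('255.255.255.0', 'ffff:ffff:ffff:ffff::') and return the prefix length."""
    if mask.isdigit():
        return int(mask)
    bits = 32 if version == 4 else 128
    m = int(ipaddress.ip_address(mask))
    ones = bin(m).count("1")
    # The set bits must be contiguous from the top (e.g. 0xFFFFFF00).
    if m != ((1 << bits) - 1) ^ ((1 << (bits - ones)) - 1):
        raise ValueError(f"non-contiguous netmask: {mask}")
    return ones


def parse_interface(spec):
    """'address/netmask' -> IPv4Interface or IPv6Interface (ipaddress itself
    does not accept IPv6 netmasks in address notation, hence prefix_length)."""
    addr, mask = spec.split("/", 1)
    ip = ipaddress.ip_address(addr)
    return ipaddress.ip_interface(f"{ip}/{prefix_length(mask, ip.version)}")


# Constructed stand-in for the interface table sudo reads from the running host.
# Loopback is deliberately absent: sudo only inspects real interfaces.
LOCAL_INTERFACES = [parse_interface(s) for s in (
    "192.168.10.7/255.255.255.0",
    "10.0.0.5/16",
    "fd00:1::7/ffff:ffff:ffff:ffff::",
)]
LOCAL_HOSTNAME = "build1.corp.example"   # constructed; as reported with fqdn in effect


def host_matches(item, interfaces=LOCAL_INTERFACES, hostname=LOCAL_HOSTNAME):
    """Match one Host_List item (no '!' prefix, no +netgroup) against this host."""
    if "/" in item:
        # network/netmask: match if any interface address lies inside the network.
        net_str, mask = item.split("/", 1)
        net_addr = ipaddress.ip_address(net_str)
        net = ipaddress.ip_network(
            f"{net_addr}/{prefix_length(mask, net_addr.version)}", strict=False)
        return any(ifc.version == net.version and ifc.ip in net for ifc in interfaces)
    try:
        addr = ipaddress.ip_address(item)
    except ValueError:
        # A host name, possibly with shell-style wildcards. Wildcards are only
        # useful when the local name is fully qualified (see the fqdn option).
        return fnmatch.fnmatch(hostname.lower(), item.lower())
    # Bare address or network number: an exact interface address, or the
    # network number of an interface computed with that interface's own netmask.
    for ifc in interfaces:
        if ifc.version == addr.version and addr in (ifc.ip, ifc.network.network_address):
            return True
    return False
```

With these interfaces, "192.168.10.0" matches because the first interface's own /24 netmask turns it into that interface's network number, "192.168.11.0" does not, and "127.0.0.1" is rejected because no real interface carries it.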
        !           581: .Bd -literal
        !           582: Cmnd_List ::= Cmnd |
        !           583:               Cmnd ',' Cmnd_List
        !           584: 
        !           585: command name ::= file name |
        !           586:                  file name args |
        !           587:                  file name '""'
        !           588: 
        !           589: Cmnd ::= '!'* command name |
        !           590:          '!'* directory |
        !           591:          '!'* "sudoedit" |
        !           592:          '!'* Cmnd_Alias
        !           593: .Ed
        !           594: .Pp
        !           595: A
        !           596: .Li Cmnd_List
        !           597: is a list of one or more command names, directories, and other aliases.
        !           598: A command name is a fully qualified file name which may include
        !           599: shell-style wildcards (see the
        !           600: .Sx Wildcards
        !           601: section below).
        !           602: A simple file name allows the user to run the command with any
        !           603: arguments he/she wishes.
        !           604: However, you may also specify command line arguments (including
        !           605: wildcards).
        !           606: Alternately, you can specify
        !           607: .Li \&""
        !           608: to indicate that the command
        !           609: may only be run
        !           610: .Sy without
        !           611: command line arguments.
        !           612: A directory is a
        !           613: fully qualified path name ending in a
        !           614: .Ql / .
        !           615: When you specify a directory in a
        !           616: .Li Cmnd_List ,
        !           617: the user will be able to run any file within that directory
        !           618: (but not in any sub-directories therein).
        !           619: .Pp
        !           620: If a
        !           621: .Li Cmnd
        !           622: has associated command line arguments, then the arguments
        !           623: in the
        !           624: .Li Cmnd
        !           625: must match exactly those given by the user on the command line
        !           626: (or match the wildcards if there are any).
        !           627: Note that the following characters must be escaped with a
        !           628: .Ql \e
        !           629: if they are used in command arguments:
        !           630: .Ql ,\& ,
        !           631: .Ql :\& ,
        !           632: .Ql =\& ,
        !           633: .Ql \e .
        !           634: The special command
        !           635: .Dq Li sudoedit
        !           636: is used to permit a user to run
        !           637: .Nm sudo
        !           638: with the
        !           639: .Fl e
        !           640: option (or as
        !           641: .Nm sudoedit ) .
        !           642: It may take command line arguments just as a normal command does.
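A model of Cmnd_List evaluation as an added example, not sudo's code: it covers the "!" negation rule (odd count negates, even count cancels, the same rule stated for User_List items earlier), file names with per-component wildcards, directories that match files but not sub-directories, the '""' form that forbids arguments, exact argument matching, and the "last match wins" rule from the start of this section. The argument words are joined into one string before matching, which is sudoers' documented behaviour for wildcards in arguments; the CMND_LIST below is constructed for the illustration and the user command is given as an already resolved path.

```python
import fnmatch
import os
import shlex


def split_negation(item):
    """Strip leading '!' operators from a list item. An odd number negates it,
    an even number cancels out. The same rule applies to User_List, Runas_List
    and Host_List items."""
    bangs = len(item) - len(item.lstrip("!"))
    return bangs % 2 == 1, item[bangs:].lstrip()


def parse_cmnd(spec):
    """Split a command name into (path, args). args is None when any arguments
    are allowed, "" for the '""' form (no arguments allowed), otherwise the
    argument words joined by single spaces. shlex resolves the backslash
    escapes sudoers requires for ',', ':', '=' and '\\'."""
    words = shlex.split(spec)
    if len(words) == 1:
        return words[0], None
    if words[1:] == [""]:
        return words[0], ""
    return words[0], " ".join(words[1:])


def path_matches(pattern, path):
    """Match the fully qualified file name. A pattern ending in '/' is a
    directory and matches files directly inside it, not in sub-directories.
    Wildcards are applied per path component, so they never cross a '/'."""
    if pattern.endswith("/"):
        return os.path.dirname(path) + "/" == pattern
    pat_parts, path_parts = pattern.split("/"), path.split("/")
    return (len(pat_parts) == len(path_parts)
            and all(fnmatch.fnmatchcase(c, p) for p, c in zip(pat_parts, path_parts)))


def args_match(pattern_args, user_args):
    """Arguments must match exactly, or match the wildcards if there are any.
    The words are joined into one string before matching, so a '*' in the
    pattern can span several user arguments."""
    if pattern_args is None:
        return True
    joined = " ".join(user_args)
    if any(ch in pattern_args for ch in "*?["):
        return fnmatch.fnmatchcase(joined, pattern_args)
    return joined == pattern_args


def cmnd_matches(item, path, user_args):
    pat_path, pat_args = parse_cmnd(item)
    return path_matches(pat_path, path) and args_match(pat_args, user_args)


def evaluate(cmnd_list, path, user_args=()):
    """Apply a Cmnd_List: every item is tested in order and the last match
    decides. Returns True (allowed), False (denied by a negated item) or
    None (no item matched)."""
    decision = None
    for item in cmnd_list:
        negated, bare = split_negation(item)
        if cmnd_matches(bare, path, user_args):
            decision = not negated
    return decision


# Constructed Cmnd_List for the demonstration (not from any real sudoers file).
CMND_LIST = [
    "/usr/bin/apt-get update",
    "/usr/bin/apt-get install *",
    "/usr/local/sbin/",              # any file directly inside this directory
    "/usr/bin/passwd *",
    "!/usr/bin/passwd root",         # later entry wins: root's password stays off-limits
    "/bin/cat /var/log/*",
    '!!/usr/bin/true ""',            # double negation cancels; allowed only with no arguments
]
```

Two results are worth running by hand: "passwd root" is denied only because the negated entry comes after the permissive one, and "cat /var/log/syslog /etc/shadow" is allowed because the joined argument string "/var/log/syslog /etc/shadow" still matches "/var/log/*".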
        !           643: .Ss Defaults
        !           644: Certain configuration options may be changed from their default
        !           645: values at run-time via one or more
        !           646: .Li Default_Entry
        !           647: lines.
        !           648: These may affect all users on any host, all users on a specific host, a
        !           649: specific user, a specific command, or commands being run as a specific user.
        !           650: Note that per-command entries may not include command line arguments.
        !           651: If you need to specify arguments, define a
        !           652: .Li Cmnd_Alias
        !           653: and reference
        !           654: that instead.
        !           655: .Bd -literal
        !           656: Default_Type ::= 'Defaults' |
        !           657:                  'Defaults' '@' Host_List |
        !           658:                  'Defaults' ':' User_List |
        !           659:                  'Defaults' '!' Cmnd_List |
        !           660:                  'Defaults' '>' Runas_List
        !           661: 
        !           662: Default_Entry ::= Default_Type Parameter_List
        !           663: 
        !           664: Parameter_List ::= Parameter |
        !           665:                    Parameter ',' Parameter_List
        !           666: 
        !           667: Parameter ::= Parameter '=' Value |
        !           668:               Parameter '+=' Value |
        !           669:               Parameter '-=' Value |
        !           670:               '!'* Parameter
        !           671: .Ed
        !           672: .Pp
        !           673: Parameters may be
        !           674: .Sy flags ,
        !           675: .Sy integer
        !           676: values,
        !           677: .Sy strings ,
        !           678: or
        !           679: .Sy lists .
        !           680: Flags are implicitly boolean and can be turned off via the
        !           681: .Ql \&!
        !           682: operator.
        !           683: Some integer, string and list parameters may also be
        !           684: used in a boolean context to disable them.
        !           685: Values may be enclosed
        !           686: in double quotes
        !           687: .Pq \&""
        !           688: when they contain multiple words.
        !           689: Special characters may be escaped with a backslash
        !           690: .Pq Ql \e .
        !           691: .Pp
        !           692: Lists have two additional assignment operators,
        !           693: .Li +=
        !           694: and
        !           695: .Li -= .
        !           696: These operators are used to add to and delete from a list respectively.
        !           697: It is not an error to use the
        !           698: .Li -=
        !           699: operator to remove an element
        !           700: that does not exist in a list.
        !           701: .Pp
        !           702: Defaults entries are parsed in the following order: generic, host
        !           703: and user Defaults first, then runas Defaults and finally command
        !           704: defaults.
        !           705: .Pp
        !           706: See
        !           707: .Sx SUDOERS OPTIONS
        !           708: for a list of supported Defaults parameters.
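.Pp
As an added illustration of the Default_Entry grammar above (example code,
not part of sudo or of this manual), the following Python applies a
Parameter_List to a settings table, implementing assignment, the list
operators += and -=, and the ! negation exactly as described; the
parameter type table it uses is constructed for the example and names only
a handful of real sudoers parameters.

```python
"""Apply a sudoers Defaults Parameter_List to a settings table.

Added example, not sudo's own parser.  It implements the operators of the
Default_Entry grammar: '=' assignment, '+=' and '-=' on lists (removing an
element that is not present is not an error) and '!' negation, where an
even number of '!' re-enables a flag.  Quoted values may contain spaces;
backslash escapes inside values are not handled here.
"""
import re
from typing import Dict, List, Union

Value = Union[bool, int, str, List[str]]

# Constructed type table for the parameters used below; the full list of
# parameters and their types is in the SUDOERS OPTIONS section.
TYPES = {"requiretty": bool, "env_reset": bool, "passwd_tries": int,
         "env_keep": list, "lecture": str, "secure_path": str}

# One Parameter: '!'* name [op value]; value is "quoted" or a bare word.
PARAM_RE = re.compile(
    r'\s*(?P<bangs>!*)\s*(?P<name>[A-Za-z_]+)'
    r'(?:\s*(?P<op>\+=|-=|=)\s*(?P<value>"[^"]*"|[^,\s]+))?\s*(?:,|$)')


def apply_parameter_list(text: str, settings: Dict[str, Value]) -> Dict[str, Value]:
    """Return a copy of settings with each Parameter in text applied in order."""
    settings = dict(settings)
    pos = 0
    while pos < len(text):
        m = PARAM_RE.match(text, pos)
        if m is None:
            raise ValueError(f"cannot parse Defaults near {text[pos:]!r}")
        pos = m.end()
        name, op = m["name"], m["op"]
        if name not in TYPES:
            raise ValueError(f"unknown parameter {name!r}")
        kind = TYPES[name]
        if op is None:
            # '!'* Parameter: flags toggle; other types may only be disabled
            # (used "in a boolean context"), which this example stores as False.
            disabled = len(m["bangs"]) % 2 == 1
            if kind is bool:
                settings[name] = not disabled
            elif disabled:
                settings[name] = False       # e.g. '!lecture'
            else:
                raise ValueError(f"{name} needs a value")
            continue
        if m["bangs"]:
            raise ValueError("'!' cannot be combined with an assignment")
        value = m["value"]
        if value.startswith('"'):
            value = value[1:-1]
        if kind is list:
            items = value.split()
            current = list(settings.get(name) or [])   # False/None -> empty list
            if op == "=":
                current = items
            elif op == "+=":
                current += [i for i in items if i not in current]
            else:                 # '-=': a missing element is silently ignored
                current = [i for i in current if i not in items]
            settings[name] = current
        elif op != "=":
            raise ValueError(f"{op} is only valid for list parameters")
        elif kind is int:
            settings[name] = int(value)
        elif kind is str:
            settings[name] = value
        else:
            raise ValueError(f"flag {name} takes no value")
    return settings


if __name__ == "__main__":
    # Constructed starting values, then one Defaults line applied to them.
    base = {"requiretty": True, "env_reset": True, "passwd_tries": 3,
            "env_keep": ["HOME"], "lecture": "once"}
    print(apply_parameter_list('!requiretty, env_keep += "LANG LC_ALL", passwd_tries = 5', base))
```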
        !           709: .Ss User specification
        !           710: .Bd -literal
        !           711: User_Spec ::= User_List Host_List '=' Cmnd_Spec_List \e
        !           712:               (':' Host_List '=' Cmnd_Spec_List)*
        !           713: 
        !           714: Cmnd_Spec_List ::= Cmnd_Spec |
        !           715:                    Cmnd_Spec ',' Cmnd_Spec_List
        !           716: 
        !           717: Cmnd_Spec ::= Runas_Spec? SELinux_Spec? Solaris_Priv_Spec? Tag_Spec* Cmnd
        !           718: 
        !           719: Runas_Spec ::= '(' Runas_List? (':' Runas_List)? ')'
        !           720: 
        !           721: SELinux_Spec ::= ('ROLE=role' | 'TYPE=type')
        !           722: 
        !           723: Solaris_Priv_Spec ::= ('PRIVS=privset' | 'LIMITPRIVS=privset')
        !           724: 
        !           725: Tag_Spec ::= ('NOPASSWD:' | 'PASSWD:' | 'NOEXEC:' | 'EXEC:' |
        !           726:               'SETENV:' | 'NOSETENV:' | 'LOG_INPUT:' | 'NOLOG_INPUT:' |
        !           727:               'LOG_OUTPUT:' | 'NOLOG_OUTPUT:')
        !           728: .Ed
        !           729: .Pp
        !           730: A
        !           731: .Sy user specification
        !           732: determines which commands a user may run
        !           733: (and as what user) on specified hosts.
        !           734: By default, commands are
        !           735: run as
        !           736: .Sy root ,
        !           737: but this can be changed on a per-command basis.
        !           738: .Pp
        !           739: The basic structure of a user specification is
        !           740: .Dq who where = (as_whom) what .
        !           741: Let's break that down into its constituent parts:
        !           742: .Ss Runas_Spec
        !           743: A
        !           744: .Li Runas_Spec
        !           745: determines the user and/or the group that a command
        !           746: may be run as.
        !           747: A fully-specified
        !           748: .Li Runas_Spec
        !           749: consists of two
        !           750: .Li Runas_List Ns No s
        !           751: (as defined above) separated by a colon
        !           752: .Pq Ql :\&
        !           753: and enclosed in a set of parentheses.
        !           754: The first
        !           755: .Li Runas_List
        !           756: indicates
        !           757: which users the command may be run as via
        !           758: .Nm sudo Ns No 's
        !           759: .Fl u
        !           760: option.
        !           761: The second defines a list of groups that can be specified via
        !           762: .Nm sudo Ns No 's
        !           763: .Fl g
        !           764: option.
        !           765: If both
        !           766: .Li Runas_List Ns No s
        !           767: are specified, the command may be run with any combination of users
        !           768: and groups listed in their respective
        !           769: .Li Runas_List Ns No s.
        !           770: If only the first is specified, the command may be run as any user
        !           771: in the list but no
        !           772: .Fl g
        !           773: option
        !           774: may be specified.
        !           775: If the first
        !           776: .Li Runas_List
        !           777: is empty but the
        !           778: second is specified, the command may be run as the invoking user
        !           779: with the group set to any listed in the
        !           780: .Li Runas_List .
        !           781: If both
        !           782: .Li Runas_List Ns No s
        !           783: are empty, the command may only be run as the invoking user.
        !           784: If no
        !           785: .Li Runas_Spec
        !           786: is specified the command may be run as
        !           787: .Sy root
        !           788: and
        !           789: no group may be specified.
        !           790: .Pp
        !           791: A
        !           792: .Li Runas_Spec
        !           793: sets the default for the commands that follow it.
        !           794: What this means is that for the entry:
        !           795: .Bd -literal
        !           796: dgb    boulder = (operator) /bin/ls, /bin/kill, /usr/bin/lprm
        !           797: .Ed
        !           798: .Pp
        !           799: The user
        !           800: .Sy dgb
        !           801: may run
        !           802: .Pa /bin/ls ,
        !           803: .Pa /bin/kill ,
        !           804: and
        !           805: .Pa /usr/bin/lprm Ns No \(em Ns but
        !           806: only as
        !           807: .Sy operator .
        !           808: E.g.,
        !           809: .Bd -literal
        !           810: $ sudo -u operator /bin/ls
        !           811: .Ed
        !           812: .Pp
        !           813: It is also possible to override a
        !           814: .Li Runas_Spec
        !           815: later on in an entry.
        !           816: If we modify the entry like so:
        !           817: .Bd -literal
        !           818: dgb    boulder = (operator) /bin/ls, (root) /bin/kill, /usr/bin/lprm
        !           819: .Ed
        !           820: .Pp
        !           821: Then user
        !           822: .Sy dgb
        !           823: is now allowed to run
        !           824: .Pa /bin/ls
        !           825: as
        !           826: .Sy operator ,
        !           827: but
        !           828: .Pa /bin/kill
        !           829: and
        !           830: .Pa /usr/bin/lprm
        !           831: as
        !           832: .Sy root .
        !           833: .Pp
        !           834: We can extend this to allow
        !           835: .Sy dgb
        !           836: to run
        !           837: .Li /bin/ls
        !           838: with either
        !           839: the user or group set to
        !           840: .Sy operator :
        !           841: .Bd -literal
        !           842: dgb    boulder = (operator : operator) /bin/ls, (root) /bin/kill,\e
        !           843:        /usr/bin/lprm
        !           844: .Ed
        !           845: .Pp
        !           846: Note that while the group portion of the
        !           847: .Li Runas_Spec
        !           848: permits the
        !           849: user to run the command with that group, it does not force the user
        !           850: to do so.
        !           851: If no group is specified on the command line, the command
        !           852: will run with the group listed in the target user's password database
        !           853: entry.
        !           854: The following would all be permitted by the sudoers entry above:
        !           855: .Bd -literal
        !           856: $ sudo -u operator /bin/ls
        !           857: $ sudo -u operator -g operator /bin/ls
        !           858: $ sudo -g operator /bin/ls
        !           859: .Ed
        !           860: .Pp
        !           861: In the following example, user
        !           862: .Sy tcm
        !           863: may run commands that access
        !           864: a modem device file with the dialer group.
        !           865: .Bd -literal
        !           866: tcm    boulder = (:dialer) /usr/bin/tip, /usr/bin/cu,\e
        !           867:        /usr/local/bin/minicom
        !           868: .Ed
        !           869: .Pp
        !           870: Note that in this example only the group will be set, the command
        !           871: still runs as user
        !           872: .Sy tcm .
        !           873: E.g.\&
        !           874: .Bd -literal
        !           875: $ sudo -g dialer /usr/bin/cu
        !           876: .Ed
        !           877: .Pp
        !           878: Multiple users and groups may be present in a
        !           879: .Li Runas_Spec ,
        !           880: in which case the user may select any combination of users and groups via the
        !           881: .Fl u
        !           882: and
        !           883: .Fl g
        !           884: options.
        !           885: In this example:
        !           886: .Bd -literal
        !           887: alan   ALL = (root, bin : operator, system) ALL
        !           888: .Ed
        !           889: .Pp
        !           890: user
        !           891: .Sy alan
        !           892: may run any command as either user root or bin,
        !           893: optionally setting the group to operator or system.
        !           894: .Ss SELinux_Spec
        !           895: On systems with SELinux support,
        !           896: .Em sudoers
        !           897: entries may optionally have an SELinux role and/or type associated
        !           898: with a command.
        !           899: If a role or
        !           900: type is specified with the command it will override any default values
        !           901: specified in
        !           902: .Em sudoers .
        !           903: A role or type specified on the command line,
        !           904: however, will supersede the values in
        !           905: .Em sudoers .
        !           906: .Ss Solaris_Priv_Spec
        !           907: On Solaris systems,
        !           908: .Em sudoers
        !           909: entries may optionally specify Solaris privilege set and/or limit
        !           910: privilege set associated with a command.
        !           911: If privileges or limit privileges are specified with the command
        !           912: it will override any default values specified in
        !           913: .Em sudoers .
        !           914: .Pp
        !           915: A privilege set is a comma-separated list of privilege names.
        !           916: The
        !           917: .Xr ppriv 1
        !           918: command can be used to list all privileges known to the system.
        !           919: For example:
        !           920: .Bd -literal
        !           921: $ ppriv -l
        !           922: .Ed
        !           923: .Pp
        !           924: In addition, there are several
        !           925: .Dq special
        !           926: privilege strings:
        !           927: .Bl -tag -width 8n
        !           928: .It none
        !           929: the empty set
        !           930: .It all
        !           931: the set of all privileges
        !           932: .It zone
        !           933: the set of all privileges available in the current zone
        !           934: .It basic
        !           935: the default set of privileges normal users are granted at login time
        !           936: .El
        !           937: .Pp
        !           938: Privileges can be excluded from a set by prefixing the privilege
        !           939: name with either an
        !           940: .Ql \&!
        !           941: or
        !           942: .Ql \-
        !           943: character.
        !           944: .Ss Tag_Spec
        !           945: A command may have zero or more tags associated with it.
        !           946: There are
        !           947: ten possible tag values:
        !           948: .Li NOPASSWD ,
        !           949: .Li PASSWD ,
        !           950: .Li NOEXEC ,
        !           951: .Li EXEC ,
        !           952: .Li SETENV ,
        !           953: .Li NOSETENV ,
        !           954: .Li LOG_INPUT ,
        !           955: .Li NOLOG_INPUT ,
        !           956: .Li LOG_OUTPUT
        !           957: and
        !           958: .Li NOLOG_OUTPUT .
        !           959: Once a tag is set on a
        !           960: .Li Cmnd ,
        !           961: subsequent
        !           962: .Li Cmnd Ns No s
        !           963: in the
        !           964: .Li Cmnd_Spec_List ,
        !           965: inherit the tag unless it is overridden by the opposite tag (in other words,
        !           966: .Li PASSWD
        !           967: overrides
        !           968: .Li NOPASSWD
        !           969: and
        !           970: .Li NOEXEC
        !           971: overrides
        !           972: .Li EXEC ) .
        !           973: .Pp
        !           974: .Em NOPASSWD and PASSWD
        !           975: .Pp
        !           976: By default,
        !           977: .Nm sudo
        !           978: requires that a user authenticate him or herself
        !           979: before running a command.
        !           980: This behavior can be modified via the
        !           981: .Li NOPASSWD
        !           982: tag.
        !           983: Like a
        !           984: .Li Runas_Spec ,
        !           985: the
        !           986: .Li NOPASSWD
        !           987: tag sets
        !           988: a default for the commands that follow it in the
        !           989: .Li Cmnd_Spec_List .
        !           990: Conversely, the
        !           991: .Li PASSWD
        !           992: tag can be used to reverse things.
        !           993: For example:
        !           994: .Bd -literal
        !           995: ray    rushmore = NOPASSWD: /bin/kill, /bin/ls, /usr/bin/lprm
        !           996: .Ed
        !           997: .Pp
        !           998: would allow the user
        !           999: .Sy ray
        !          1000: to run
        !          1001: .Pa /bin/kill ,
        !          1002: .Pa /bin/ls ,
        !          1003: and
        !          1004: .Pa /usr/bin/lprm
        !          1005: as
        !          1006: .Sy root
        !          1007: on the machine rushmore without authenticating himself.
        !          1008: If we only want
        !          1009: .Sy ray
        !          1010: to be able to
        !          1011: run
        !          1012: .Pa /bin/kill
        !          1013: without a password the entry would be:
        !          1014: .Bd -literal
        !          1015: ray    rushmore = NOPASSWD: /bin/kill, PASSWD: /bin/ls, /usr/bin/lprm
        !          1016: .Ed
        !          1017: .Pp
        !          1018: Note, however, that the
        !          1019: .Li PASSWD
        !          1020: tag has no effect on users who are in the group specified by the
        !          1021: .Em exempt_group
        !          1022: option.
        !          1023: .Pp
        !          1024: By default, if the
        !          1025: .Li NOPASSWD
        !          1026: tag is applied to any of the entries for a user on the current host,
        !          1027: he or she will be able to run
        !          1028: .Dq Li sudo -l
        !          1029: without a password.
        !          1030: Additionally, a user may only run
        !          1031: .Dq Li sudo -v
        !          1032: without a password if the
        !          1033: .Li NOPASSWD
        !          1034: tag is present for all of a user's entries that pertain to the current host.
        !          1035: This behavior may be overridden via the
        !          1036: .Em verifypw
        !          1037: and
        !          1038: .Em listpw
        !          1039: options.
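.Pp
The following added example (Python, not sudo's own parser) walks a
Cmnd_Spec_List and reports the effective Runas_Spec and tags for each
Cmnd, implementing the inheritance rules described under Runas_Spec
above and for NOPASSWD and PASSWD in this section; SELinux_Spec and
Solaris_Priv_Spec are not handled, and the sample entries are the ones
from the text.

```python
"""Effective Runas_Spec and Tag_Spec for every Cmnd in a Cmnd_Spec_List.

Added example, not sudo's own parser.  It implements the inheritance rules
described in the manual: a Runas_Spec or tag sets the default for the
commands that follow it in the same Cmnd_Spec_List, and a tag is only
cleared by its opposite.  SELinux_Spec and Solaris_Priv_Spec are ignored.
"""
import re
from typing import List, Tuple

TAG_PAIRS = (("NOPASSWD", "PASSWD"), ("NOEXEC", "EXEC"),
             ("SETENV", "NOSETENV"), ("LOG_INPUT", "NOLOG_INPUT"),
             ("LOG_OUTPUT", "NOLOG_OUTPUT"))
# Map every tag to the opposite tag that overrides it.
OPPOSITE = {a: b for pair in TAG_PAIRS for a, b in (pair, pair[::-1])}

RUNAS_RE = re.compile(r"\(([^)]*)\)\s*")
TAG_RE = re.compile(r"([A-Z_]+):\s*")


def split_cmnd_specs(text: str) -> List[str]:
    """Split a Cmnd_Spec_List on commas, ignoring commas inside a
    parenthesised Runas_Spec and commas escaped as '\\,' in arguments."""
    specs, buf, depth, i = [], [], 0, 0
    while i < len(text):
        ch = text[i]
        if ch == "\\" and i + 1 < len(text):   # keep the escape pair as-is
            buf.append(text[i:i + 2])
            i += 2
            continue
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
        if ch == "," and depth == 0:
            specs.append("".join(buf).strip())
            buf = []
        else:
            buf.append(ch)
        i += 1
    specs.append("".join(buf).strip())
    return [s for s in specs if s]


def _split_list(s: str) -> List[str]:
    return [x.strip() for x in s.split(",") if x.strip()]


def parse_runas(spec: str) -> Tuple[List[str], List[str]]:
    """'(users : groups)' -> (users, groups).  An empty first list means the
    invoking user; an empty second list means no -g may be given."""
    users, _, groups = spec.strip()[1:-1].partition(":")
    return _split_list(users), _split_list(groups)


def effective_specs(cmnd_spec_list: str):
    """Return [(cmnd, runas_users, runas_groups, tags), ...] in order.
    With no Runas_Spec at all a command runs as root and no group may be
    specified, which is the starting state here."""
    users, groups, tags = ["root"], [], set()
    result = []
    for spec in split_cmnd_specs(cmnd_spec_list):
        m = RUNAS_RE.match(spec)
        if m:
            users, groups = parse_runas(m.group(0))
            spec = spec[m.end():]
        while True:
            m = TAG_RE.match(spec)
            if not m:
                break
            tag = m.group(1)
            if tag not in OPPOSITE:
                raise ValueError(f"unknown tag {tag!r}")
            tags.discard(OPPOSITE[tag])   # the opposite tag overrides
            tags.add(tag)
            spec = spec[m.end():]
        result.append((spec, list(users), list(groups), sorted(tags)))
    return result


if __name__ == "__main__":
    for entry in ("(operator) /bin/ls, (root) /bin/kill, /usr/bin/lprm",
                  "NOPASSWD: /bin/kill, PASSWD: /bin/ls, /usr/bin/lprm"):
        for cmnd, u, g, t in effective_specs(entry):
            print(f"{cmnd:16} runas={u} groups={g} tags={t}")
```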
        !          1040: .Pp
        !          1041: .Em NOEXEC and EXEC
        !          1042: .Pp
        !          1043: If
        !          1044: .Nm sudo
        !          1045: has been compiled with
        !          1046: .Em noexec
        !          1047: support and the underlying operating system supports it, the
        !          1048: .Li NOEXEC
        !          1049: tag can be used to prevent a dynamically-linked executable from
        !          1050: running further commands itself.
        !          1051: .Pp
        !          1052: In the following example, user
        !          1053: .Sy aaron
        !          1054: may run
        !          1055: .Pa /usr/bin/more
        !          1056: and
        !          1057: .Pa /usr/bin/vi
        !          1058: but shell escapes will be disabled.
        !          1059: .Bd -literal
        !          1060: aaron  shanty = NOEXEC: /usr/bin/more, /usr/bin/vi
        !          1061: .Ed
        !          1062: .Pp
        !          1063: See the
        !          1064: .Sx Preventing shell escapes
        !          1065: section below for more details on how
        !          1066: .Li NOEXEC
        !          1067: works and whether or not it will work on your system.
        !          1068: .Pp
        !          1069: .Em SETENV and NOSETENV
        !          1070: .Pp
        !          1071: These tags override the value of the
        !          1072: .Em setenv
        !          1073: option on a per-command basis.
        !          1074: Note that if
        !          1075: .Li SETENV
        !          1076: has been set for a command, the user may disable the
        !          1077: .Em env_reset
        !          1078: option from the command line via the
        !          1079: .Fl E
        !          1080: option.
        !          1081: Additionally, environment variables set on the command
        !          1082: line are not subject to the restrictions imposed by
        !          1083: .Em env_check ,
        !          1084: .Em env_delete ,
        !          1085: or
        !          1086: .Em env_keep .
        !          1087: As such, only trusted users should be allowed to set variables in this manner.
        !          1088: If the command matched is
        !          1089: .Sy ALL ,
        !          1090: the
        !          1091: .Li SETENV
        !          1092: tag is implied for that command; this default may be overridden by use of the
        !          1093: .Li NOSETENV
        !          1094: tag.
        !          1095: .Pp
        !          1096: .Em LOG_INPUT and NOLOG_INPUT
        !          1097: .Pp
        !          1098: These tags override the value of the
        !          1099: .Em log_input
        !          1100: option on a per-command basis.
        !          1101: For more information, see the description of
        !          1102: .Em log_input
        !          1103: in the
        !          1104: .Sx SUDOERS OPTIONS
        !          1105: section below.
        !          1106: .Pp
        !          1107: .Em LOG_OUTPUT and NOLOG_OUTPUT
        !          1108: .Pp
        !          1109: These tags override the value of the
        !          1110: .Em log_output
        !          1111: option on a per-command basis.
        !          1112: For more information, see the description of
        !          1113: .Em log_output
        !          1114: in the
        !          1115: .Sx SUDOERS OPTIONS
        !          1116: section below.
        !          1117: .Ss Wildcards
        !          1118: .Nm sudo
        !          1119: allows shell-style
        !          1120: .Em wildcards
        !          1121: (aka meta or glob characters)
        !          1122: to be used in host names, path names and command line arguments in the
        !          1123: .Em sudoers
        !          1124: file.
        !          1125: Wildcard matching is done via the
        !          1126: .Sy POSIX
        !          1127: .Xr glob 3
        !          1128: and
        !          1129: .Xr fnmatch 3
        !          1130: routines.
        !          1131: Note that these are
        !          1132: .Em not
        !          1133: regular expressions.
        !          1134: .Bl -tag -width 8n
        !          1135: .It Li *
        !          1136: Matches any set of zero or more characters.
        !          1137: .It Li \&?
        !          1138: Matches any single character.
        !          1139: .It Li [...]
        !          1140: Matches any character in the specified range.
        !          1141: .It Li [!...]
        !          1142: Matches any character
        !          1143: .Sy not
        !          1144: in the specified range.
        !          1145: .It Li \ex
        !          1146: For any character
        !          1147: .Sq x ,
        !          1148: evaluates to
        !          1149: .Sq x .
        !          1150: This is used to escape special characters such as:
        !          1151: .Ql * ,
        !          1152: .Ql \&? ,
        !          1153: .Ql [\& ,
        !          1154: and
        !          1155: .Ql ]\& .
        !          1156: .El
        !          1157: .Pp
        !          1158: POSIX character classes may also be used if your system's
        !          1159: .Xr glob 3
        !          1160: and
        !          1161: .Xr fnmatch 3
        !          1162: functions support them.
        !          1163: However, because the
        !          1164: .Ql :\&
        !          1165: character has special meaning in
        !          1166: .Em sudoers ,
        !          1167: it must be
        !          1168: escaped.
        !          1169: For example:
        !          1170: .Bd -literal -offset 4n
        !          1171: /bin/ls [[\e:alpha\e:]]*
        !          1172: .Ed
        !          1173: .Pp
        !          1174: Would match any file name beginning with a letter.
        !          1175: .Pp
        !          1176: Note that a forward slash
        !          1177: .Pq Ql /
        !          1178: will
        !          1179: .Sy not
        !          1180: be matched by
        !          1181: wildcards used in the path name.
        !          1182: This is to make a path like:
        !          1183: .Bd -literal -offset 4n
        !          1184: /usr/bin/*
        !          1185: .Ed
        !          1186: .Pp
        !          1187: match
        !          1188: .Pa /usr/bin/who
        !          1189: but not
        !          1190: .Pa /usr/bin/X11/xterm .
        !          1191: .Pp
        !          1192: When matching the command line arguments, however, a slash
        !          1193: .Sy does
        !          1194: get matched by wildcards since command line arguments may contain
        !          1195: arbitrary strings and not just path names.
        !          1196: .Pp
        !          1197: Wildcards in command line arguments should be used with care.
        !          1198: Because command line arguments are matched as a single, concatenated
        !          1199: string, a wildcard such as
        !          1200: .Ql \&?
        !          1201: or
        !          1202: .Ql *
        !          1203: can match multiple words.
        !          1204: For example, while a sudoers entry like:
        !          1205: .Bd -literal -offset 4n
        !          1206: %operator ALL = /bin/cat /var/log/messages*
        !          1207: .Ed
        !          1208: .Pp
        !          1209: will allow a command like:
        !          1210: .Bd -literal -offset 4n
        !          1211: $ sudo cat /var/log/messages.1
        !          1212: .Ed
        !          1213: .Pp
        !          1214: It will also allow:
        !          1215: .Bd -literal -offset 4n
        !          1216: $ sudo cat /var/log/messages /etc/shadow
        !          1217: .Ed
        !          1218: .Pp
        !          1219: which is probably not what was intended.
        !          1220: .Ss Exceptions to wildcard rules
        !          1221: The following exceptions apply to the above rules:
        !          1222: .Bl -tag -width 8n
        !          1223: .It Li \&""
        !          1224: If the empty string
        !          1225: .Li \&""
        !          1226: is the only command line argument in the
        !          1227: .Em sudoers
        !          1228: entry it means that command is not allowed to be run with
        !          1229: .Sy any
        !          1230: arguments.
        !          1231: .It sudoedit
        !          1232: Command line arguments to the
        !          1233: .Em sudoedit
        !          1234: built-in command should always be path names, so a forward slash
        !          1235: .Pq Ql /
        !          1236: will not be matched by a wildcard.
        !          1237: .El
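.Pp
The following added Python example (not sudo's matcher) reproduces the
matching described in the Wildcards section and the empty-string exception
above: path components are matched with fnmatch so a wildcard cannot cross
a slash, while arguments are compared as one space-joined string in which
wildcards do match a slash.
It uses the /var/log/messages* rule from the text to show the extra file
name being accepted, beside a narrower pattern that rejects it.
Character classes, escaped characters and the sudoedit exception are not
modelled.

```python
"""Command and argument matching with sudoers wildcards.

Added example, not sudo's own matcher.  Path names are matched component
by component so '*' and '?' cannot cross a '/' (an approximation of
fnmatch(3) with FNM_PATHNAME); command line arguments are compared as one
space-joined string in which a wildcard does match '/' and may span
several words.  The '""' exception (no arguments allowed) is handled;
character classes, escaped characters and sudoedit are not.
"""
from fnmatch import fnmatchcase
from typing import List, Optional


def path_matches(pattern: str, path: str) -> bool:
    """True if every path component matches its pattern component, so
    '/usr/bin/*' matches /usr/bin/who but not /usr/bin/X11/xterm."""
    pat_parts, path_parts = pattern.split("/"), path.split("/")
    if len(pat_parts) != len(path_parts):
        return False
    return all(fnmatchcase(part, pat) for pat, part in zip(pat_parts, path_parts))


def args_match(rule_args: Optional[str], user_argv: List[str]) -> bool:
    """rule_args is the argument text of the sudoers Cmnd: None when the
    Cmnd lists no arguments (any user arguments are then allowed) or '""'
    when the command may not be given any arguments at all."""
    joined = " ".join(user_argv)
    if rule_args is None:
        return True
    if rule_args == '""':
        return joined == ""
    return fnmatchcase(joined, rule_args)


def cmnd_matches(rule: str, user_cmd: str, user_argv: List[str]) -> bool:
    """rule is a sudoers Cmnd such as '/bin/cat /var/log/messages*';
    user_cmd is the fully qualified command sudo resolved."""
    rule_cmd, sep, rule_args = rule.partition(" ")
    return path_matches(rule_cmd, user_cmd) and args_match(rule_args if sep else None, user_argv)


if __name__ == "__main__":
    # Constructed invocations for the rule from the text and a narrower one.
    loose = "/bin/cat /var/log/messages*"
    tight = "/bin/cat /var/log/messages.[0-9]"
    for argv in (["/var/log/messages.1"], ["/var/log/messages", "/etc/shadow"]):
        print(argv, "loose:", cmnd_matches(loose, "/bin/cat", argv),
              "tight:", cmnd_matches(tight, "/bin/cat", argv))
```

The narrower pattern also stops matching a bare /var/log/messages, so a rule author who needs that must list it separately.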
        !          1238: .Ss Including other files from within sudoers
        !          1239: It is possible to include other
        !          1240: .Em sudoers
        !          1241: files from within the
        !          1242: .Em sudoers
        !          1243: file currently being parsed using the
        !          1244: .Li #include
        !          1245: and
        !          1246: .Li #includedir
        !          1247: directives.
        !          1248: .Pp
        !          1249: This can be used, for example, to keep a site-wide
        !          1250: .Em sudoers
        !          1251: file in addition to a local, per-machine file.
        !          1252: For the sake of this example the site-wide
        !          1253: .Em sudoers
        !          1254: will be
        !          1255: .Pa /etc/sudoers
        !          1256: and the per-machine one will be
        !          1257: .Pa /etc/sudoers.local .
        !          1258: To include
        !          1259: .Pa /etc/sudoers.local
        !          1260: from within
        !          1261: .Pa /etc/sudoers
        !          1262: we would use the
        !          1263: following line in
        !          1264: .Pa /etc/sudoers :
        !          1265: .Bd -literal -offset 4n
        !          1266: #include /etc/sudoers.local
        !          1267: .Ed
        !          1268: .Pp
        !          1269: When
        !          1270: .Nm sudo
        !          1271: reaches this line it will suspend processing of the current file
        !          1272: .Pq Pa /etc/sudoers
        !          1273: and switch to
        !          1274: .Pa /etc/sudoers.local .
        !          1275: Upon reaching the end of
        !          1276: .Pa /etc/sudoers.local ,
        !          1277: the rest of
        !          1278: .Pa /etc/sudoers
        !          1279: will be processed.
        !          1280: Files that are included may themselves include other files.
        !          1281: A hard limit of 128 nested include files is enforced to prevent include
        !          1282: file loops.
        !          1283: .Pp
        !          1284: If the path to the include file is not fully-qualified (does not
        !          1285: begin with a
        !          1286: .Ql / ) ,
        !          1287: it must be located in the same directory as the sudoers file it was
        !          1288: included from.
        !          1289: For example, if
        !          1290: .Pa /etc/sudoers
        !          1291: contains the line:
        !          1292: .Bd -literal -offset 4n
        !          1293: #include sudoers.local
        !          1294: .Ed
        !          1295: .Pp
        !          1296: the file that will be included is
        !          1297: .Pa /etc/sudoers.local .
        !          1298: .Pp
        !          1299: The file name may also include the
        !          1300: .Li %h
        !          1301: escape, signifying the short form of the host name.
        !          1302: In other words, if the machine's host name is
        !          1303: .Dq xerxes ,
        !          1304: then
        !          1305: .Bd -literal -offset 4n
        !          1306: #include /etc/sudoers.%h
        !          1307: .Ed
        !          1308: .Pp
        !          1309: will cause
        !          1310: .Nm sudo
        !          1311: to include the file
        !          1312: .Pa /etc/sudoers.xerxes .
        !          1313: .Pp
        !          1314: The
        !          1315: .Li #includedir
        !          1316: directive can be used to create a
        !          1317: .Pa sudoers.d
        !          1318: directory that the system package manager can drop
        !          1319: .Em sudoers
        !          1320: rules
        !          1321: into as part of package installation.
        !          1322: For example, given:
        !          1323: .Bd -literal -offset 4n
        !          1324: #includedir /etc/sudoers.d
        !          1325: .Ed
        !          1326: .Pp
        !          1327: .Nm sudo
        !          1328: will read each file in
        !          1329: .Pa /etc/sudoers.d ,
        !          1330: skipping file names that end in
        !          1331: .Ql ~
        !          1332: or contain a
        !          1333: .Ql .\&
        !          1334: character to avoid causing problems with package manager or editor
        !          1335: temporary/backup files.
        !          1336: Files are parsed in sorted lexical order.
        !          1337: That is,
        !          1338: .Pa /etc/sudoers.d/01_first
        !          1339: will be parsed before
        !          1340: .Pa /etc/sudoers.d/10_second .
        !          1341: Be aware that because the sorting is lexical, not numeric,
        !          1342: .Pa /etc/sudoers.d/1_whoops
        !          1343: would be loaded
        !          1344: .Sy after
        !          1345: .Pa /etc/sudoers.d/10_second .
        !          1346: Using a consistent number of leading zeroes in the file names
        !          1347: avoids such problems.
        !          1348: .Pp
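The selection and ordering rules just described, as an added example that is not part of the sudoers source: it models which names in an includedir are parsed and in what order, flags numeric prefixes whose lexical order disagrees with their numeric order (the 1_whoops case), and shows the leading-zero fix. The directory listing is constructed.

```python
import re

def includedir_order(names):
    """Return the order in which sudo parses the given #includedir file names:
    names ending in '~' or containing '.' are skipped, the rest are sorted
    in lexical (byte-wise) order, as sudoers(5) describes."""
    kept = [n for n in names if not n.endswith("~") and "." not in n]
    return sorted(kept)

_NUM_PREFIX = re.compile(r"^(\d+)")

def numeric_prefix_misorder(names):
    """Return (earlier, later) pairs where a file is parsed after another file
    whose numeric prefix is larger; e.g. 10_second is parsed before 1_whoops
    because the sort is lexical, not numeric."""
    order = includedir_order(names)
    problems = []
    for i, earlier in enumerate(order):
        m_earlier = _NUM_PREFIX.match(earlier)
        if not m_earlier:
            continue
        for later in order[i + 1:]:
            m_later = _NUM_PREFIX.match(later)
            if m_later and int(m_later.group(1)) < int(m_earlier.group(1)):
                problems.append((earlier, later))
    return problems

def pad_prefix(name, width):
    """Rewrite a numeric prefix with a consistent number of leading zeroes,
    which is the fix the manual recommends."""
    m = _NUM_PREFIX.match(name)
    if not m:
        return name
    return m.group(1).zfill(width) + name[m.end():]

# Constructed directory listing, not taken from a real system.
SAMPLE_DIR = ["10_second", "1_whoops", "01_first", "README.txt",
              "01_first~", ".swp_lock", "20_third"]

if __name__ == "__main__":
    print("parse order:", includedir_order(SAMPLE_DIR))
    for earlier, later in numeric_prefix_misorder(SAMPLE_DIR):
        print(f"warning: {later} is parsed after {earlier}")
    print("padded:", includedir_order([pad_prefix(n, 2) for n in SAMPLE_DIR]))
```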
        !          1349: Note that unlike files included via
        !          1350: .Li #include ,
        !          1351: .Nm visudo
        !          1352: will not edit the files in a
        !          1353: .Li #includedir
        !          1354: directory unless one of them contains a syntax error.
        !          1355: It is still possible to run
        !          1356: .Nm visudo
        !          1357: with the
        !          1358: .Fl f
        !          1359: flag to edit the files directly.
        !          1360: .Ss Other special characters and reserved words
        !          1361: The pound sign
        !          1362: .Pq Ql #
        !          1363: is used to indicate a comment (unless it is part of a #include
        !          1364: directive or unless it occurs in the context of a user name and is
        !          1365: followed by one or more digits, in which case it is treated as a
        !          1366: uid).
        !          1367: Both the comment character and any text after it, up to the end of
        !          1368: the line, are ignored.
        !          1369: .Pp
        !          1370: The reserved word
        !          1371: .Sy ALL
        !          1372: is a built-in
        !          1373: .Em alias
        !          1374: that always causes a match to succeed.
        !          1375: It can be used wherever one might otherwise use a
        !          1376: .Li Cmnd_Alias ,
        !          1377: .Li User_Alias ,
        !          1378: .Li Runas_Alias ,
        !          1379: or
        !          1380: .Li Host_Alias .
        !          1381: You should not try to define your own
        !          1382: .Em alias
        !          1383: called
        !          1384: .Sy ALL
        !          1385: as the built-in alias will be used in preference to your own.
        !          1386: Please note that using
        !          1387: .Sy ALL
        !          1388: can be dangerous since in a command context, it allows the user to run
        !          1389: .Sy any
        !          1390: command on the system.
        !          1391: .Pp
        !          1392: An exclamation point
        !          1393: .Pq Ql \&!
        !          1394: can be used as a logical
        !          1395: .Em not
        !          1396: operator both in an
        !          1397: .Em alias
        !          1398: and in front of a
        !          1399: .Li Cmnd .
        !          1400: This allows one to exclude certain values.
        !          1401: Note, however, that using a
        !          1402: .Ql \&!
        !          1403: in conjunction with the built-in
        !          1404: .Sy ALL
        !          1405: alias to allow a user to run
        !          1406: .Dq all but a few
        !          1407: commands rarely works as intended (see
        !          1408: .Sx SECURITY NOTES
        !          1409: below).
        !          1410: .Pp
        !          1411: Long lines can be continued with a backslash
        !          1412: .Pq Ql \e
        !          1413: as the last character on the line.
        !          1414: .Pp
        !          1415: White space between elements in a list as well as special syntactic
        !          1416: characters in a
        !          1417: .Em User Specification
        !          1418: .Po
        !          1419: .Ql =\& ,
        !          1420: .Ql :\& ,
        !          1421: .Ql (\& ,
        !          1422: .Ql )\&
        !          1423: .Pc
        !          1424: is optional.
        !          1425: .Pp
        !          1426: The following characters must be escaped with a backslash
        !          1427: .Pq Ql \e
        !          1428: when used as part of a word (e.g.\& a user name or host name):
        !          1429: .Ql \&! ,
        !          1430: .Ql =\& ,
        !          1431: .Ql :\& ,
        !          1432: .Ql ,\& ,
        !          1433: .Ql (\& ,
        !          1434: .Ql )\& ,
        !          1435: .Ql \e .
        !          1436: .Sh SUDOERS OPTIONS
        !          1437: .Nm sudo Ns No 's
        !          1438: behavior can be modified by
        !          1439: .Li Default_Entry
        !          1440: lines, as explained earlier.
        !          1441: A list of all supported Defaults parameters, grouped by type, is given below.
        !          1442: .Pp
        !          1443: .Sy Boolean Flags :
        !          1444: .Bl -tag -width 16n
        !          1445: .It always_set_home
        !          1446: If enabled,
        !          1447: .Nm sudo
        !          1448: will set the
        !          1449: .Ev HOME
        !          1450: environment variable to the home directory of the target user
        !          1451: (which is root unless the
        !          1452: .Fl u
        !          1453: option is used).
        !          1454: This effectively means that the
        !          1455: .Fl H
        !          1456: option is always implied.
        !          1457: Note that
        !          1458: .Ev HOME
        !          1459: is already set when the
        !          1460: .Em env_reset
        !          1461: option is enabled, so
        !          1462: .Em always_set_home
        !          1463: is only effective for configurations where either
        !          1464: .Em env_reset
        !          1465: is disabled or
        !          1466: .Ev HOME
        !          1467: is present in the
        !          1468: .Em env_keep
        !          1469: list.
        !          1470: This flag is
        !          1471: .Em off
        !          1472: by default.
        !          1473: .It authenticate
        !          1474: If set, users must authenticate themselves via a password (or other
        !          1475: means of authentication) before they may run commands.
        !          1476: This default may be overridden via the
        !          1477: .Li PASSWD
        !          1478: and
        !          1479: .Li NOPASSWD
        !          1480: tags.
        !          1481: This flag is
        !          1482: .Em on
        !          1483: by default.
        !          1484: .It closefrom_override
        !          1485: If set, the user may use
        !          1486: .Nm sudo Ns No 's
        !          1487: .Fl C
        !          1488: option which overrides the default starting point at which
        !          1489: .Nm sudo
        !          1490: begins closing open file descriptors.
        !          1491: This flag is
        !          1492: .Em off
        !          1493: by default.
        !          1494: .It compress_io
        !          1495: If set, and
        !          1496: .Nm sudo
        !          1497: is configured to log a command's input or output,
        !          1498: the I/O logs will be compressed using
        !          1499: .Sy zlib .
        !          1500: This flag is
        !          1501: .Em on
        !          1502: by default when
        !          1503: .Nm sudo
        !          1504: is compiled with
        !          1505: .Sy zlib
        !          1506: support.
        !          1507: .It env_editor
        !          1508: If set,
        !          1509: .Nm visudo
        !          1510: will use the value of the
        !          1511: .Ev EDITOR
        !          1512: or
        !          1513: .Ev VISUAL
        !          1514: environment variables before falling back on the default editor list.
        !          1515: Note that this may create a security hole as it allows the user to
        !          1516: run any arbitrary command as root without logging.
        !          1517: A safer alternative is to place a colon-separated list of editors
        !          1518: in the
        !          1519: .Li editor
        !          1520: variable.
        !          1521: .Nm visudo
        !          1522: will then only use the
        !          1523: .Ev EDITOR
        !          1524: or
        !          1525: .Ev VISUAL
        !          1526: if they match a value specified in
        !          1527: .Li editor .
        !          1528: This flag is
        !          1529: .Em @env_editor@
        !          1530: by
        !          1531: default.
        !          1532: .It env_reset
        !          1533: If set,
        !          1534: .Nm sudo
        !          1535: will run the command in a minimal environment containing the
        !          1536: .Ev TERM ,
        !          1537: .Ev PATH ,
        !          1538: .Ev HOME ,
        !          1539: .Ev MAIL ,
        !          1540: .Ev SHELL ,
        !          1541: .Ev LOGNAME ,
        !          1542: .Ev USER ,
        !          1543: .Ev USERNAME
        !          1544: and
        !          1545: .Ev SUDO_*
        !          1546: variables.
        !          1547: Any
        !          1548: variables in the caller's environment that match the
        !          1549: .Li env_keep
        !          1550: and
        !          1551: .Li env_check
        !          1552: lists are then added, followed by any variables present in the file
        !          1553: specified by the
        !          1554: .Em env_file
        !          1555: option (if any).
        !          1556: The default contents of the
        !          1557: .Li env_keep
        !          1558: and
        !          1559: .Li env_check
        !          1560: lists are displayed when
        !          1561: .Nm sudo
        !          1562: is run by root with the
        !          1563: .Fl V
        !          1564: option.
        !          1565: If the
        !          1566: .Em secure_path
        !          1567: option is set, its value will be used for the
        !          1568: .Ev PATH
        !          1569: environment variable.
        !          1570: This flag is
        !          1571: .Em @env_reset@
        !          1572: by default.
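The environment construction described for env_reset, as an added model in Python that is not part of sudo: the minimal environment first, then caller variables admitted by env_keep or env_check, then env_file, then secure_path replacing PATH. It assumes that env_check only passes a value containing neither % nor / (as env_check is defined elsewhere in this manual), that a trailing * in env_keep/env_check matches by prefix, that env_file does not override variables already set, and a /var/mail spool path; the caller environment is constructed.

```python
def _matches(name, patterns):
    """An env_keep/env_check entry matches a variable name exactly or, when it
    ends in '*', by prefix (assumption: the only wildcard form modelled)."""
    for pat in patterns:
        if pat.endswith("*"):
            if name.startswith(pat[:-1]):
                return True
        elif name == pat:
            return True
    return False

def value_is_safe(value):
    """env_check rule: a value is passed through only if it has no '%' or '/'."""
    return "%" not in value and "/" not in value

def rebuild_env(caller_env, target, env_keep=(), env_check=(),
                env_file=None, secure_path=None):
    """Model of the environment sudo builds when env_reset is on.
    `target` is a dict with the target user's name, home and shell;
    `env_file` is a dict standing in for the KEY=value lines of an env_file."""
    env = {}
    # Step 1: the minimal environment. TERM and PATH carry over from the
    # caller; the remaining variables describe the target user, and the
    # SUDO_* variables are set by sudo itself rather than copied.
    for name in ("TERM", "PATH"):
        if name in caller_env:
            env[name] = caller_env[name]
    env.update({
        "HOME": target["home"],
        "SHELL": target["shell"],
        "LOGNAME": target["name"],
        "USER": target["name"],
        "USERNAME": target["name"],
        "MAIL": "/var/mail/" + target["name"],   # assumed spool location
        "SUDO_USER": caller_env.get("USER", ""),
    })
    # Step 2: env_keep matches are added as-is (this is how HOME in env_keep
    # overrides the target's HOME); env_check matches only if the value is safe.
    for name, value in caller_env.items():
        if name.startswith("SUDO_"):
            continue
        if _matches(name, env_keep):
            env[name] = value
        elif _matches(name, env_check) and value_is_safe(value):
            env[name] = value
    # Step 3: env_file fills in variables that are still unset (assumption:
    # it does not override what is already present).
    for name, value in (env_file or {}).items():
        env.setdefault(name, value)
    # Step 4: secure_path, when set, replaces PATH.
    if secure_path:
        env["PATH"] = secure_path
    return env

# Constructed caller environment; not captured from a real session.
CALLER_ENV = {
    "USER": "alice", "HOME": "/home/alice", "SHELL": "/bin/zsh",
    "PATH": "/home/alice/bin:/usr/bin:/bin", "TERM": "xterm-256color",
    "TZ": "UTC", "LANG": "en_US.UTF-8",
    "LC_TIME": "en_US.UTF-8", "LC_MESSAGES": "../locale/en",
    "SSH_AUTH_SOCK": "/tmp/ssh-agent.sock",
}
TARGET_ROOT = {"name": "root", "home": "/root", "shell": "/bin/bash"}

if __name__ == "__main__":
    env = rebuild_env(CALLER_ENV, TARGET_ROOT, env_keep=("TZ", "LANG"),
                      env_check=("LC_*",),
                      secure_path="/usr/sbin:/usr/bin:/sbin:/bin")
    for key in sorted(env):
        print(f"{key}={env[key]}")
```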
        !          1573: .It fast_glob
        !          1574: Normally,
        !          1575: .Nm sudo
        !          1576: uses the
        !          1577: .Xr glob 3
        !          1578: function to do shell-style globbing when matching path names.
        !          1579: However, since it accesses the file system,
        !          1580: .Xr glob 3
        !          1581: can take a long time to complete for some patterns, especially
        !          1582: when the pattern references a network file system that is mounted
        !          1583: on demand (auto mounted).
        !          1584: The
        !          1585: .Em fast_glob
        !          1586: option causes
        !          1587: .Nm sudo
        !          1588: to use the
        !          1589: .Xr fnmatch 3
        !          1590: function, which does not access the file system to do its matching.
        !          1591: The disadvantage of
        !          1592: .Em fast_glob
        !          1593: is that it is unable to match relative path names such as
        !          1594: .Pa ./ls
        !          1595: or
        !          1596: .Pa ../bin/ls .
        !          1597: This has security implications when path names that include globbing
        !          1598: characters are used with the negation operator,
        !          1599: .Ql !\& ,
        !          1600: as such rules can be trivially bypassed.
        !          1601: As such, this option should not be used when
        !          1602: .Em sudoers
        !          1603: contains rules that contain negated path names which include globbing
        !          1604: characters.
        !          1605: This flag is
        !          1606: .Em off
        !          1607: by default.
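A lint for the combination the manual warns against, added here as example code rather than anything shipped with sudo: it reports negated command entries containing globbing characters only when a Defaults line has turned fast_glob on. The parser is deliberately minimal (no backslash continuation, qualified Defaults lines are not distinguished from global ones) and the sudoers text is constructed.

```python
import re

GLOB_CHARS = "*?["
_COMMENT = re.compile(r"#(?!\d).*$")       # '#' starts a comment unless it begins a uid like #1000
_QUALIFIER = re.compile(r"^[@:>!]\S*")     # Defaults@host, Defaults:user, Defaults>runas, Defaults!cmd
_RUNAS = re.compile(r"^\([^)]*\)\s*")      # (user:group) run-as specification
_TAGS = re.compile(r"^(?:[A-Z_]+:\s*)+")   # NOPASSWD:, NOEXEC:, SETENV: ... tags

def _strip_comment(line):
    return _COMMENT.sub("", line).strip()

def fast_glob_enabled(lines):
    """True when the last Defaults entry that mentions fast_glob turns it on."""
    enabled = False
    for raw in lines:
        line = _strip_comment(raw)
        if not line.startswith("Defaults"):
            continue
        body = _QUALIFIER.sub("", line[len("Defaults"):]).strip()
        for opt in body.split(","):
            opt = opt.strip()
            if opt == "fast_glob":
                enabled = True
            elif opt == "!fast_glob":
                enabled = False
    return enabled

def negated_glob_commands(lines):
    """Return (line_number, command) for every negated command containing
    globbing characters, in Cmnd_Alias definitions and user specifications."""
    found = []
    for no, raw in enumerate(lines, 1):
        line = _strip_comment(raw)
        if not line or line.startswith("Defaults") or "=" not in line:
            continue
        for item in line.split("=", 1)[1].split(","):
            item = _TAGS.sub("", _RUNAS.sub("", item.strip()))
            if item.startswith("!") and any(c in item for c in GLOB_CHARS):
                found.append((no, item))
    return found

def check_fast_glob(lines):
    """Negated glob rules are only reported when fast_glob is in effect,
    because that is when fnmatch(3) matching lets relative paths slip past them."""
    if not fast_glob_enabled(lines):
        return []
    return negated_glob_commands(lines)

# Constructed sample policy, not a real sudoers file.
SAMPLE_SUDOERS = """\
# constructed sample, not a real policy
Defaults env_reset, fast_glob
Cmnd_Alias PKG = /usr/bin/apt-get *, !/usr/bin/apt-get *purge*
alice   ALL = (root) NOPASSWD: /usr/bin/systemctl, !/usr/bin/systemctl * sshd*
bob     ALL = ALL, !/usr/bin/passwd root
""".splitlines()

if __name__ == "__main__":
    for no, cmd in check_fast_glob(SAMPLE_SUDOERS):
        print(f"line {no}: negated glob '{cmd}' is unreliable with fast_glob enabled")
```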
        !          1608: .It fqdn
        !          1609: Set this flag if you want to put fully qualified host names in the
        !          1610: .Em sudoers
        !          1611: file when the local host name (as returned by the
        !          1612: .Li hostname
        !          1613: command) does not contain the domain name.
        !          1614: In other words, instead of myhost you would use myhost.mydomain.edu.
        !          1615: You may still use the short form if you wish (and even mix the two).
        !          1616: This option is only effective when the
        !          1617: .Dq canonical
        !          1618: host name, as returned by the
        !          1619: .Fn getaddrinfo
        !          1620: or
        !          1621: .Fn gethostbyname
        !          1622: function, is a fully-qualified domain name.
        !          1623: This is usually the case when the system is configured to use DNS
        !          1624: for host name resolution.
        !          1625: .Pp
        !          1626: If the system is configured to use the
        !          1627: .Pa /etc/hosts
        !          1628: file in preference to DNS, the
        !          1629: .Dq canonical
        !          1630: host name may not be fully-qualified.
        !          1631: The order in which sources are queried for host name resolution
        !          1632: is usually specified in the
        !          1633: .Pa @nsswitch_conf@ ,
        !          1634: .Pa @netsvc_conf@ ,
        !          1635: .Pa /etc/host.conf ,
        !          1636: or, in some cases,
        !          1637: .Pa /etc/resolv.conf
        !          1638: file.
        !          1639: In the
        !          1640: .Pa /etc/hosts
        !          1641: file, the first host name of the entry is considered to be the
        !          1642: .Dq canonical
        !          1643: name; subsequent names are aliases that are not used by
        !          1644: .Nm sudoers .
        !          1645: For example, the following hosts file line for the machine
        !          1646: .Dq xyzzy
        !          1647: has the fully-qualified domain name as the
        !          1648: .Dq canonical
        !          1649: host name, and the short version as an alias.
        !          1650: .sp
        !          1651: .Dl 192.168.1.1        xyzzy.sudo.ws xyzzy
        !          1652: .sp
        !          1653: If the machine's hosts file entry is not formatted properly, the
        !          1654: .Em fqdn
        !          1655: option will not be effective if it is queried before DNS.
        !          1656: .Pp
        !          1657: Beware that when using DNS for host name resolution, turning on
        !          1658: .Em fqdn
        !          1659: requires
        !          1660: .Nm sudoers
        !          1661: to make DNS lookups which renders
        !          1662: .Nm sudo
        !          1663: unusable if DNS stops working (for example if the machine is disconnected
        !          1664: from the network).
        !          1665: Also note that just like with the hosts file, you must use the
        !          1666: .Dq canonical
        !          1667: name as DNS knows it.
        !          1668: That is, you may not use a host alias
        !          1669: .Po
        !          1670: .Li CNAME
        !          1671: entry
        !          1672: .Pc
        !          1673: due to performance issues and the fact that there is no way to get all
        !          1674: aliases from DNS.
        !          1675: .Pp
        !          1676: This flag is
        !          1677: .Em @fqdn@
        !          1678: by default.
        !          1679: .It ignore_dot
        !          1680: If set,
        !          1681: .Nm sudo
        !          1682: will ignore "." or "" (both denoting current directory) in the
        !          1683: .Ev PATH
        !          1684: environment variable; the
        !          1685: .Ev PATH
        !          1686: itself is not modified.
        !          1687: This flag is
        !          1688: .Em @ignore_dot@
        !          1689: by default.
        !          1690: .It ignore_local_sudoers
        !          1691: If set via LDAP, parsing of
        !          1692: .Pa @sysconfdir@/sudoers
        !          1693: will be skipped.
        !          1694: This is intended for enterprises that wish to prevent the usage of local
        !          1695: sudoers files so that only LDAP is used.
        !          1696: This thwarts the efforts of rogue operators who would attempt to add roles to
        !          1697: .Pa @sysconfdir@/sudoers .
        !          1698: When this option is present,
        !          1699: .Pa @sysconfdir@/sudoers
        !          1700: does not even need to exist.
        !          1701: Since this option tells
        !          1702: .Nm sudo
        !          1703: how to behave when no specific LDAP entries have been matched, this
        !          1704: sudoOption is only meaningful for the
        !          1705: .Li cn=defaults
        !          1706: section.
        !          1707: This flag is
        !          1708: .Em off
        !          1709: by default.
        !          1710: .It insults
        !          1711: If set,
        !          1712: .Nm sudo
        !          1713: will insult users when they enter an incorrect password.
        !          1714: This flag is
        !          1715: .Em @insults@
        !          1716: by default.
        !          1717: .It log_host
        !          1718: If set, the host name will be logged in the (non-syslog)
        !          1719: .Nm sudo
        !          1720: log file.
        !          1721: This flag is
        !          1722: .Em off
        !          1723: by default.
        !          1724: .It log_input
        !          1725: If set,
        !          1726: .Nm sudo
        !          1727: will run the command in a
        !          1728: .Em pseudo tty
        !          1729: and log all user input.
        !          1730: If the standard input is not connected to the user's tty, due to
        !          1731: I/O redirection or because the command is part of a pipeline, that
        !          1732: input is also captured and stored in a separate log file.
        !          1733: .Pp
        !          1734: Input is logged to the directory specified by the
        !          1735: .Em iolog_dir
        !          1736: option
        !          1737: .Po
        !          1738: .Pa @iolog_dir@
        !          1739: by default
        !          1740: .Pc
        !          1741: using a unique session ID that is included in the normal
        !          1742: .Nm sudo
        !          1743: log line, prefixed with
        !          1744: .Dq Li TSID= .
        !          1745: The
        !          1746: .Em iolog_file
        !          1747: option may be used to control the format of the session ID.
        !          1748: .Pp
        !          1749: Note that user input may contain sensitive information such as
        !          1750: passwords (even if they are not echoed to the screen), which will
        !          1751: be stored in the log file unencrypted.
        !          1752: In most cases, logging the command output via
        !          1753: .Em log_output
        !          1754: is all that is required.
        !          1755: .It log_output
        !          1756: If set,
        !          1757: .Nm sudo
        !          1758: will run the command in a
        !          1759: .Em pseudo tty
        !          1760: and log all output that is sent to the screen, similar to the
        !          1761: .Xr script 1
        !          1762: command.
        !          1763: If the standard output or standard error is not connected to the
        !          1764: user's tty, due to I/O redirection or because the command is part
        !          1765: of a pipeline, that output is also captured and stored in separate
        !          1766: log files.
        !          1767: .Pp
        !          1768: Output is logged to the directory specified by the
        !          1769: .Em iolog_dir
        !          1770: option
        !          1771: .Po
        !          1772: .Pa @iolog_dir@
        !          1773: by default
        !          1774: .Pc
        !          1775: using a unique session ID that is included in the normal
        !          1776: .Nm sudo
        !          1777: log line, prefixed with
        !          1778: .Dq Li TSID= .
        !          1779: The
        !          1780: .Em iolog_file
        !          1781: option may be used to control the format of the session ID.
        !          1782: .Pp
        !          1783: Output logs may be viewed with the
        !          1784: .Xr sudoreplay @mansectsu@
        !          1785: utility, which can also be used to list or search the available logs.
        !          1786: .It log_year
        !          1787: If set, the four-digit year will be logged in the (non-syslog)
        !          1788: .Nm sudo
        !          1789: log file.
        !          1790: This flag is
        !          1791: .Em off
        !          1792: by default.
        !          1793: .It long_otp_prompt
        !          1794: When validating with a One Time Password (OTP) scheme such as
        !          1795: .Sy S/Key
        !          1796: or
        !          1797: .Sy OPIE ,
        !          1798: a two-line prompt is used to make it easier
        !          1799: to cut and paste the challenge to a local window.
        !          1800: It's not as pretty as the default but some people find it more convenient.
        !          1801: This flag is
        !          1802: .Em @long_otp_prompt@
        !          1803: by default.
        !          1804: .It mail_always
        !          1805: Send mail to the
        !          1806: .Em mailto
        !          1807: user every time a user runs
        !          1808: .Nm sudo .
        !          1809: This flag is
        !          1810: .Em off
        !          1811: by default.
        !          1812: .It mail_badpass
        !          1813: Send mail to the
        !          1814: .Em mailto
        !          1815: user if the user running
        !          1816: .Nm sudo
        !          1817: does not enter the correct password.
        !          1818: If the command the user is attempting to run is not permitted by
        !          1819: .Em sudoers
        !          1820: and one of the
        !          1821: .Em mail_always ,
        !          1822: .Em mail_no_host ,
        !          1823: .Em mail_no_perms
        !          1824: or
        !          1825: .Em mail_no_user
        !          1826: flags are set, this flag will have no effect.
        !          1827: This flag is
        !          1828: .Em off
        !          1829: by default.
        !          1830: .It mail_no_host
        !          1831: If set, mail will be sent to the
        !          1832: .Em mailto
        !          1833: user if the invoking user exists in the
        !          1834: .Em sudoers
        !          1835: file, but is not allowed to run commands on the current host.
        !          1836: This flag is
        !          1837: .Em @mail_no_host@
        !          1838: by default.
        !          1839: .It mail_no_perms
        !          1840: If set, mail will be sent to the
        !          1841: .Em mailto
        !          1842: user if the invoking user is allowed to use
        !          1843: .Nm sudo
        !          1844: but the command they are trying is not listed in their
        !          1845: .Em sudoers
        !          1846: file entry or is explicitly denied.
        !          1847: This flag is
        !          1848: .Em @mail_no_perms@
        !          1849: by default.
        !          1850: .It mail_no_user
        !          1851: If set, mail will be sent to the
        !          1852: .Em mailto
        !          1853: user if the invoking user is not in the
        !          1854: .Em sudoers
        !          1855: file.
        !          1856: This flag is
        !          1857: .Em @mail_no_user@
        !          1858: by default.
        !          1859: .It noexec
        !          1860: If set, all commands run via
        !          1861: .Nm sudo
        !          1862: will behave as if the
        !          1863: .Li NOEXEC
        !          1864: tag has been set, unless overridden by a
        !          1865: .Li EXEC
        !          1866: tag.
        !          1867: See the description of
        !          1868: .Em NOEXEC and EXEC
        !          1869: below as well as the
        !          1870: .Sx Preventing shell escapes
        !          1871: section at the end of this manual.
        !          1872: This flag is
        !          1873: .Em off
        !          1874: by default.
        !          1875: .It path_info
        !          1876: Normally,
        !          1877: .Nm sudo
        !          1878: will tell the user when a command could not be
        !          1879: found in their
        !          1880: .Ev PATH
        !          1881: environment variable.
        !          1882: Some sites may wish to disable this as it could be used to gather
        !          1883: information on the location of executables that the normal user does
        !          1884: not have access to.
        !          1885: The disadvantage is that if the executable is simply not in the user's
        !          1886: .Ev PATH ,
        !          1887: .Nm sudo
        !          1888: will tell the user that they are not allowed to run it, which can be confusing.
        !          1889: This flag is
        !          1890: .Em @path_info@
        !          1891: by default.
        !          1892: .It passprompt_override
        !          1893: The password prompt specified by
        !          1894: .Em passprompt
        !          1895: will normally only be used if the password prompt provided by systems
        !          1896: such as PAM matches the string
        !          1897: .Dq Password: .
        !          1898: If
        !          1899: .Em passprompt_override
        !          1900: is set,
        !          1901: .Em passprompt
        !          1902: will always be used.
        !          1903: This flag is
        !          1904: .Em off
        !          1905: by default.
        !          1906: .It preserve_groups
        !          1907: By default,
        !          1908: .Nm sudo
        !          1909: will initialize the group vector to the list of groups the target user is in.
        !          1910: When
        !          1911: .Em preserve_groups
        !          1912: is set, the user's existing group vector is left unaltered.
        !          1913: The real and effective group IDs, however, are still set to match the
        !          1914: target user.
        !          1915: This flag is
        !          1916: .Em off
        !          1917: by default.
        !          1918: .It pwfeedback
        !          1919: By default,
        !          1920: .Nm sudo
        !          1921: reads the password like most other Unix programs,
        !          1922: by turning off echo until the user hits the return (or enter) key.
        !          1923: Some users become confused by this as it appears to them that
        !          1924: .Nm sudo
        !          1925: has hung at this point.
        !          1926: When
        !          1927: .Em pwfeedback
        !          1928: is set,
        !          1929: .Nm sudo
        !          1930: will provide visual feedback when the user presses a key.
        !          1931: Note that this does have a security impact as an onlooker may be able to
        !          1932: determine the length of the password being entered.
        !          1933: This flag is
        !          1934: .Em off
        !          1935: by default.
        !          1936: .It requiretty
        !          1937: If set,
        !          1938: .Nm sudo
        !          1939: will only run when the user is logged in to a real tty.
        !          1940: When this flag is set,
        !          1941: .Nm sudo
        !          1942: can only be run from a login session and not via other means such as
        !          1943: .Xr cron @mansectsu@
        !          1944: or cgi-bin scripts.
        !          1945: This flag is
        !          1946: .Em off
        !          1947: by default.
        !          1948: .It root_sudo
        !          1949: If set, root is allowed to run
        !          1950: .Nm sudo
        !          1951: too.
        !          1952: Disabling this prevents users from
        !          1953: .Dq chaining
        !          1954: .Nm sudo
        !          1955: commands to get a root shell by doing something like
        !          1956: .Dq Li sudo sudo /bin/sh .
        !          1957: Note, however, that turning off
        !          1958: .Em root_sudo
        !          1959: will also prevent root from running
        !          1960: .Nm sudoedit .
        !          1961: Disabling
        !          1962: .Em root_sudo
        !          1963: provides no real additional security; it exists purely for historical reasons.
        !          1964: This flag is
        !          1965: .Em @root_sudo@
        !          1966: by default.
        !          1967: .It rootpw
        !          1968: If set,
        !          1969: .Nm sudo
        !          1970: will prompt for the root password instead of the password of the invoking user.
        !          1971: This flag is
        !          1972: .Em off
        !          1973: by default.
        !          1974: .It runaspw
        !          1975: If set,
        !          1976: .Nm sudo
        !          1977: will prompt for the password of the user defined by the
        !          1978: .Em runas_default
        !          1979: option (defaults to
        !          1980: .Li @runas_default@ )
        !          1981: instead of the password of the invoking user.
        !          1982: This flag is
        !          1983: .Em off
        !          1984: by default.
        !          1985: .It set_home
        !          1986: If enabled and
        !          1987: .Nm sudo
        !          1988: is invoked with the
        !          1989: .Fl s
        !          1990: option the
        !          1991: .Ev HOME
        !          1992: environment variable will be set to the home directory of the target
        !          1993: user (which is root unless the
        !          1994: .Fl u
        !          1995: option is used).
        !          1996: This effectively makes the
        !          1997: .Fl s
        !          1998: option imply
        !          1999: .Fl H .
        !          2000: Note that
        !          2001: .Ev HOME
        !          2002: is already set when the
        !          2003: .Em env_reset
        !          2004: option is enabled, so
        !          2005: .Em set_home
        !          2006: is only effective for configurations where either
        !          2007: .Em env_reset
        !          2008: is disabled
        !          2009: or
        !          2010: .Ev HOME
        !          2011: is present in the
        !          2012: .Em env_keep
        !          2013: list.
        !          2014: This flag is
        !          2015: .Em off
        !          2016: by default.
        !          2017: .It set_logname
        !          2018: Normally,
        !          2019: .Nm sudo
        !          2020: will set the
        !          2021: .Ev LOGNAME ,
        !          2022: .Ev USER
        !          2023: and
        !          2024: .Ev USERNAME
        !          2025: environment variables to the name of the target user (usually root unless the
        !          2026: .Fl u
        !          2027: option is given).
        !          2028: However, since some programs (including the RCS revision control system) use
        !          2029: .Ev LOGNAME
        !          2030: to determine the real identity of the user, it may be desirable to
        !          2031: change this behavior.
        !          2032: This can be done by negating the set_logname option.
        !          2033: Note that if the
        !          2034: .Em env_reset
        !          2035: option has not been disabled, entries in the
        !          2036: .Em env_keep
        !          2037: list will override the value of
        !          2038: .Em set_logname .
        !          2039: This flag is
        !          2040: .Em on
        !          2041: by default.
        !          2042: .It set_utmp
        !          2043: When enabled,
        !          2044: .Nm sudo
        !          2045: will create an entry in the utmp (or utmpx) file when a pseudo-tty
        !          2046: is allocated.
        !          2047: A pseudo-tty is allocated by
        !          2048: .Nm sudo
        !          2049: when the
        !          2050: .Em log_input ,
        !          2051: .Em log_output
        !          2052: or
        !          2053: .Em use_pty
        !          2054: flags are enabled.
        !          2055: By default, the new entry will be a copy of the user's existing utmp
        !          2056: entry (if any), with the tty, time, type and pid fields updated.
        !          2057: This flag is
        !          2058: .Em on
        !          2059: by default.
        !          2060: .It setenv
        !          2061: Allow the user to disable the
        !          2062: .Em env_reset
        !          2063: option from the command line via the
        !          2064: .Fl E
        !          2065: option.
        !          2066: Additionally, environment variables set via the command line are
        !          2067: not subject to the restrictions imposed by
        !          2068: .Em env_check ,
        !          2069: .Em env_delete ,
        !          2070: or
        !          2071: .Em env_keep .
        !          2072: As such, only trusted users should be allowed to set variables in this manner.
        !          2073: This flag is
        !          2074: .Em off
        !          2075: by default.
        !          2076: .It shell_noargs
        !          2077: If set and
        !          2078: .Nm sudo
        !          2079: is invoked with no arguments, it acts as if the
        !          2080: .Fl s
        !          2081: option had been given.
        !          2082: That is, it runs a shell as root (the shell is determined by the
        !          2083: .Ev SHELL
        !          2084: environment variable if it is set, falling back on the shell listed
        !          2085: in the invoking user's /etc/passwd entry if not).
        !          2086: This flag is
        !          2087: .Em off
        !          2088: by default.
        !          2089: .It stay_setuid
        !          2090: Normally, when
        !          2091: .Nm sudo
        !          2092: executes a command the real and effective UIDs are set to the target
        !          2093: user (root by default).
        !          2094: This option changes that behavior such that the real UID is left
        !          2095: as the invoking user's UID.
        !          2096: In other words, this makes
        !          2097: .Nm sudo
        !          2098: act as a setuid wrapper.
        !          2099: This can be useful on systems that disable some potentially
        !          2100: dangerous functionality when a program is run setuid.
        !          2101: This option is only effective on systems that support either the
        !          2102: .Xr setreuid 2
        !          2103: or
        !          2104: .Xr setresuid 2
        !          2105: system call.
        !          2106: This flag is
        !          2107: .Em off
        !          2108: by default.
        !          2109: .It targetpw
        !          2110: If set,
        !          2111: .Nm sudo
        !          2112: will prompt for the password of the user specified
        !          2113: by the
        !          2114: .Fl u
        !          2115: option (defaults to
        !          2116: .Li root )
        !          2117: instead of the password of the invoking user.
        !          2118: In addition, the time stamp file name will include the target user's name.
        !          2119: Note that this flag precludes the use of a uid not listed in the passwd
        !          2120: database as an argument to the
        !          2121: .Fl u
        !          2122: option.
        !          2123: This flag is
        !          2124: .Em off
        !          2125: by default.
        !          2126: .It tty_tickets
        !          2127: If set, users must authenticate on a per-tty basis.
        !          2128: With this flag enabled,
        !          2129: .Nm sudo
        !          2130: will use a file named for the tty the user is
        !          2131: logged in on in the user's time stamp directory.
        !          2132: If disabled, the time stamp of the directory is used instead.
        !          2133: This flag is
        !          2134: .Em @tty_tickets@
        !          2135: by default.
        !          2136: .It umask_override
        !          2137: If set,
        !          2138: .Nm sudo
        !          2139: will set the umask as specified by
        !          2140: .Em sudoers
        !          2141: without modification.
        !          2142: This makes it possible to specify a more permissive umask in
        !          2143: .Em sudoers
        !          2144: than the user's own umask and matches historical behavior.
        !          2145: If
        !          2146: .Em umask_override
        !          2147: is not set,
        !          2148: .Nm sudo
        !          2149: will set the umask to be the union of the user's umask and what is specified in
        !          2150: .Em sudoers .
        !          2151: This flag is
        !          2152: .Em @umask_override@
        !          2153: by default.
        !          2154: .It use_loginclass
        !          2155: If set,
        !          2156: .Nm sudo
        !          2157: will apply the defaults specified for the target user's login class
        !          2158: if one exists.
        !          2159: Only available if
        !          2160: .Nm sudo
        !          2161: is configured with the
        !          2162: .Li --with-logincap
        !          2163: option.
        !          2164: This flag is
        !          2165: .Em off
        !          2166: by default.
        !          2167: .It use_pty
        !          2168: If set,
        !          2169: .Nm sudo
        !          2170: will run the command in a pseudo-pty even if no I/O logging is being done.
        !          2171: A malicious program run under
        !          2172: .Nm sudo
        !          2173: could conceivably fork a background process that retains access to the user's
        !          2174: terminal device after the main program has finished executing.
        !          2175: Use of this option will make that impossible.
        !          2176: This flag is
        !          2177: .Em off
        !          2178: by default.
        !          2179: .It utmp_runas
        !          2180: If set,
        !          2181: .Nm sudo
        !          2182: will store the name of the runas user when updating the utmp (or utmpx) file.
        !          2183: By default,
        !          2184: .Nm sudo
        !          2185: stores the name of the invoking user.
        !          2186: This flag is
        !          2187: .Em off
        !          2188: by default.
        !          2189: .It visiblepw
        !          2190: By default,
        !          2191: .Nm sudo
        !          2192: will refuse to run if the user must enter a password but it is not
        !          2193: possible to disable echo on the terminal.
        !          2194: If the
        !          2195: .Em visiblepw
        !          2196: flag is set,
        !          2197: .Nm sudo
        !          2198: will prompt for a password even when it would be visible on the screen.
        !          2199: This makes it possible to run things like
        !          2200: .Dq Li ssh somehost sudo ls
        !          2201: since by default,
        !          2202: .Xr ssh 1
        !          2203: does
        !          2204: not allocate a tty when running a command.
        !          2205: This flag is
        !          2206: .Em off
        !          2207: by default.
        !          2208: .El
        !          2209: .Pp
        !          2210: .Sy Integers :
        !          2211: .Bl -tag -width 16n
        !          2212: .It closefrom
        !          2213: Before it executes a command,
        !          2214: .Nm sudo
        !          2215: will close all open file descriptors other than standard input,
        !          2216: standard output and standard error (i.e.\& file descriptors 0-2).
        !          2217: The
        !          2218: .Em closefrom
        !          2219: option can be used to specify a different file descriptor at which
        !          2220: to start closing.
        !          2221: The default is
        !          2222: .Li 3 .
        !          2223: .It passwd_tries
        !          2224: The number of tries a user gets to enter his/her password before
        !          2225: .Nm sudo
        !          2226: logs the failure and exits.
        !          2227: The default is
        !          2228: .Li @passwd_tries@ .
        !          2229: .El
        !          2230: .Pp
        !          2231: .Sy Integers that can be used in a boolean context :
        !          2232: .Bl -tag -width 16n
        !          2233: .It loglinelen
        !          2234: Number of characters per line for the file log.
        !          2235: This value is used to decide when to wrap lines for nicer log files.
        !          2236: This has no effect on the syslog log file, only the file log.
        !          2237: The default is
        !          2238: .Li @loglen@
        !          2239: (use 0 or negate the option to disable word wrap).
        !          2240: .It passwd_timeout
        !          2241: Number of minutes before the
        !          2242: .Nm sudo
        !          2243: password prompt times out, or
        !          2244: .Li 0
        !          2245: for no timeout.
        !          2246: The timeout may include a fractional component
        !          2247: if minute granularity is insufficient, for example
        !          2248: .Li 2.5 .
        !          2249: The
        !          2250: default is
        !          2251: .Li @password_timeout@ .
        !          2252: .It timestamp_timeout
        !          2253: Number of minutes that can elapse before
        !          2254: .Nm sudo
        !          2255: will ask for a password again.
        !          2256: The timeout may include a fractional component if
        !          2257: minute granularity is insufficient, for example
        !          2258: .Li 2.5 .
        !          2259: The default is
        !          2260: .Li @timeout@ .
        !          2261: Set this to
        !          2262: .Li 0
        !          2263: to always prompt for a password.
        !          2264: If set to a value less than
        !          2265: .Li 0
        !          2266: the user's time stamp will never expire.
        !          2267: This can be used to allow users to create or delete their own time stamps via
        !          2268: .Dq Li sudo -v
        !          2269: and
        !          2270: .Dq Li sudo -k
        !          2271: respectively.
        !          2272: .It umask
        !          2273: Umask to use when running the command.
        !          2274: Negate this option or set it to 0777 to preserve the user's umask.
        !          2275: The actual umask that is used will be the union of the user's umask
        !          2276: and the value of the
        !          2277: .Em umask
        !          2278: option, which defaults to
        !          2279: .Li @sudo_umask@ .
        !          2280: This guarantees
        !          2281: that
        !          2282: .Nm sudo
        !          2283: never lowers the umask when running a command.
        !          2284: Note: on systems that use PAM, the default PAM configuration may specify
        !          2285: its own umask which will override the value set in
        !          2286: .Em sudoers .
        !          2287: .El
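The interaction between the umask integer option above and the umask_override flag from the Flags list is easy to get wrong, so here is a small model of the rules as this manual states them. It is an added example, not code from sudo; the 022 and 077 sample umasks below are constructed, not sudo's compiled-in default, and a negated umask option is represented by passing None.

```python
# Added example (not sudo's own code): a model of how the sudoers "umask"
# and "umask_override" settings combine with the invoking user's umask.


def effective_umask(user_umask, sudoers_umask, umask_override=False):
    """Return the umask sudo applies to the command.

    sudoers_umask is None when the umask option has been negated.
    """
    # A negated option or a value of 0777 preserves the user's own umask.
    if sudoers_umask is None or sudoers_umask == 0o777:
        return user_umask
    # umask_override: the sudoers value is used as-is, even when it is more
    # permissive than the user's umask (the historical behaviour).
    if umask_override:
        return sudoers_umask
    # Default: the union of both umasks, so sudo never lowers the umask.
    return user_umask | sudoers_umask


def create_mode(requested_mode, umask):
    """Permission bits a file created with the given mode ends up with."""
    return requested_mode & ~umask & 0o777


def widens_permissions(user_umask, sudoers_umask, umask_override=False):
    """True if the configuration yields a more permissive umask than the
    invoking user already has; only umask_override makes this possible."""
    eff = effective_umask(user_umask, sudoers_umask, umask_override)
    return (user_umask & ~eff) != 0


if __name__ == "__main__":
    # Constructed sample: a user with a restrictive 077 umask and a sudoers
    # umask of 022.
    for override in (False, True):
        eff = effective_umask(0o077, 0o022, override)
        print(f"umask_override={override}: effective umask {eff:04o}, "
              f"new file mode {create_mode(0o666, eff):04o}")
```

Run as a script it shows that with umask_override disabled the user's 077 survives (files come out 0600), while enabling it lets the sudoers 022 take over (files come out 0644), which is the widening the override flag exists to permit. Note that on PAM systems the PAM configuration may impose its own umask on top of this.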
        !          2288: .Pp
        !          2289: .Sy Strings :
        !          2290: .Bl -tag -width 16n
        !          2291: .It badpass_message
        !          2292: Message that is displayed if a user enters an incorrect password.
        !          2293: The default is
        !          2294: .Li @badpass_message@
        !          2295: unless insults are enabled.
        !          2296: .It editor
        !          2297: A colon
        !          2298: .Pq Ql :\&
        !          2299: separated list of editors allowed to be used with
        !          2300: .Nm visudo .
        !          2301: .Nm visudo
        !          2302: will choose the editor that matches the user's
        !          2303: .Ev EDITOR
        !          2304: environment variable if possible, or the first editor in the
        !          2305: list that exists and is executable.
        !          2306: The default is
        !          2307: .Pa @editor@ .
        !          2308: .It iolog_dir
        !          2309: The top-level directory to use when constructing the path name for
        !          2310: the input/output log directory.
        !          2311: Only used if the
        !          2312: .Em log_input
        !          2313: or
        !          2314: .Em log_output
        !          2315: options are enabled or when the
        !          2316: .Li LOG_INPUT
        !          2317: or
        !          2318: .Li LOG_OUTPUT
        !          2319: tags are present for a command.
        !          2320: The session sequence number, if any, is stored in the directory.
        !          2321: The default is
        !          2322: .Pa @iolog_dir@ .
        !          2323: .Pp
        !          2324: The following percent
        !          2325: .Pq Ql %
        !          2326: escape sequences are supported:
        !          2327: .Bl -tag -width 4n
        !          2328: .It Li %{seq}
        !          2329: expanded to a monotonically increasing base-36 sequence number, such as 0100A5,
        !          2330: where every two digits are used to form a new directory, e.g.\&
        !          2331: .Pa 01/00/A5
        !          2332: .It Li %{user}
        !          2333: expanded to the invoking user's login name
        !          2334: .It Li %{group}
        !          2335: expanded to the name of the invoking user's real group ID
        !          2336: .It Li %{runas_user}
        !          2337: expanded to the login name of the user the command will
        !          2338: be run as (e.g.\& root)
        !          2339: .It Li %{runas_group}
        !          2340: expanded to the group name of the user the command will
        !          2341: be run as (e.g.\& wheel)
        !          2342: .It Li %{hostname}
        !          2343: expanded to the local host name without the domain name
        !          2344: .It Li %{command}
        !          2345: expanded to the base name of the command being run
        !          2346: .El
        !          2347: .Pp
        !          2348: In addition, any escape sequences supported by the system's
        !          2349: .Xr strftime 3
        !          2350: function will be expanded.
        !          2351: .Pp
        !          2352: To include a literal
        !          2353: .Ql %
        !          2354: character, the string
        !          2355: .Ql %%
        !          2356: should be used.
        !          2357: .It iolog_file
        !          2358: The path name, relative to
        !          2359: .Em iolog_dir ,
        !          2360: in which to store input/output logs when the
        !          2361: .Em log_input
        !          2362: or
        !          2363: .Em log_output
        !          2364: options are enabled or when the
        !          2365: .Li LOG_INPUT
        !          2366: or
        !          2367: .Li LOG_OUTPUT
        !          2368: tags are present for a command.
        !          2369: Note that
        !          2370: .Em iolog_file
        !          2371: may contain directory components.
        !          2372: The default is
        !          2373: .Dq Li %{seq} .
        !          2374: .Pp
        !          2375: See the
        !          2376: .Em iolog_dir
        !          2377: option above for a list of supported percent
        !          2378: .Pq Ql %
        !          2379: escape sequences.
        !          2380: .Pp
        !          2381: In addition to the escape sequences, path names that end in six or
        !          2382: more
        !          2383: .Li X Ns No s
        !          2384: will have the
        !          2385: .Li X Ns No s
        !          2386: replaced with a unique combination of digits and letters, similar to the
        !          2387: .Xr mktemp 3
        !          2388: function.
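To make the iolog_dir and iolog_file rules above concrete, the following added example (not sudo's own code) assembles an I/O log path from a template: it encodes the session sequence number as base 36, splits it into two-digit directories, expands the %{...} escapes, delegates the remaining strftime(3) escapes and %% to Python's time.strftime, and finally fills a trailing run of six or more X's the way mktemp(3) would. The directory, user, host and sequence values are constructed samples. One caveat of this implementation: an expanded value that itself contains a % character would be re-interpreted by the strftime pass, so the %{...} values are assumed to be plain names.

```python
import random
import re
import string
import time

# Added example (not sudo's own code): builds an I/O log path the way the
# iolog_dir / iolog_file escape rules describe. All sample values are constructed.

BASE36 = string.digits + string.ascii_uppercase


def seq_to_base36(seq, width=6):
    """Encode a non-negative sequence number as zero-padded upper-case base 36."""
    if seq < 0:
        raise ValueError("sequence number must be non-negative")
    digits = []
    while seq:
        seq, rem = divmod(seq, 36)
        digits.append(BASE36[rem])
    return ("".join(reversed(digits)) or "0").rjust(width, "0")


def seq_to_dirs(seq_text):
    """Turn 0100A5 into 01/00/A5: every two digits become a directory."""
    return "/".join(seq_text[i:i + 2] for i in range(0, len(seq_text), 2))


def expand_iolog(template, values, now=None):
    """Expand %{name} escapes, then hand %% and strftime(3) escapes to time.strftime."""
    def repl(match):
        name = match.group(1)
        if name not in values:
            raise KeyError(f"unsupported escape %{{{name}}}")
        return values[name]

    expanded = re.sub(r"%\{(\w+)\}", repl, template)
    return time.strftime(expanded, now or time.localtime())


def fill_xs(path, rng):
    """Replace a trailing run of six or more X's with letters and digits, like mktemp(3)."""
    match = re.search(r"X{6,}$", path)
    if match is None:
        return path
    alphabet = string.ascii_letters + string.digits
    suffix = "".join(rng.choice(alphabet) for _ in range(len(match.group(0))))
    return path[:match.start()] + suffix


def iolog_path(iolog_dir, iolog_file, seq, user, group, runas_user, runas_group,
               hostname, command, now=None, rng=None):
    """Full path of the I/O log directory for one session."""
    values = {
        "seq": seq_to_dirs(seq_to_base36(seq)),
        "user": user,
        "group": group,
        "runas_user": runas_user,
        "runas_group": runas_group,
        "hostname": hostname.split(".", 1)[0],   # without the domain name
        "command": command.rsplit("/", 1)[-1],   # base name of the command
    }
    template = iolog_dir.rstrip("/") + "/" + iolog_file
    path = expand_iolog(template, values, now)
    return fill_xs(path, rng or random.SystemRandom())


if __name__ == "__main__":
    # Constructed sample session: sequence number 0100A5 (1679981 decimal).
    print(iolog_path("/var/log/sudo-io", "%{seq}", 1679981, "alice", "staff",
                     "root", "wheel", "host1.example.com", "/bin/ls"))
    print(iolog_path("/var/log/sudo-io", "%{user}/%Y%m%d/%{command}.XXXXXX",
                     1679981, "alice", "staff", "root", "wheel",
                     "host1.example.com", "/bin/ls"))
```

With the default iolog_file of %{seq} the first call yields /var/log/sudo-io/01/00/A5; the second shows a per-user, per-day layout with a mktemp-style suffix, which is useful when several log collectors need to tell sessions apart without relying on the sequence number alone.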
        !          2389: .It limitprivs
        !          2390: The default Solaris limit privileges to use when constructing a new
        !          2391: privilege set for a command.
        !          2392: This bounds all privileges of the executing process.
        !          2393: The default limit privileges may be overridden on a per-command basis in
        !          2394: .Em sudoers .
        !          2395: This option is only available if
        !          2396: .Nm
        !          2397: is built on Solaris 10 or higher.
        !          2398: .It mailsub
        !          2399: Subject of the mail sent to the
        !          2400: .Em mailto
        !          2401: user.
        !          2402: The escape
        !          2403: .Li %h
        !          2404: will expand to the host name of the machine.
        !          2405: Default is
        !          2406: .Dq Li @mailsub@ .
        !          2407: .It noexec_file
        !          2408: This option is no longer supported.
        !          2409: The path to the noexec file should now be set in the
        !          2410: .Pa @sysconfdir@/sudo.conf
        !          2411: file.
        !          2412: .It passprompt
        !          2413: The default prompt to use when asking for a password; can be overridden via the
        !          2414: .Fl p
        !          2415: option or the
        !          2416: .Ev SUDO_PROMPT
        !          2417: environment variable.
        !          2418: The following percent
        !          2419: .Pq Ql %
        !          2420: escape sequences are supported:
        !          2421: .Bl -tag -width 4n
        !          2422: .It Li %H
        !          2423: expanded to the local host name including the domain name
        !          2424: (only if the machine's host name is fully qualified or the
        !          2425: .Em fqdn
        !          2426: option is set)
        !          2427: .It Li %h
        !          2428: expanded to the local host name without the domain name
        !          2429: .It Li %p
        !          2430: expanded to the user whose password is being asked for (respects the
        !          2431: .Em rootpw ,
        !          2432: .Em targetpw
        !          2433: and
        !          2434: .Em runaspw
        !          2435: flags in
        !          2436: .Em sudoers )
        !          2437: .It Li \&%U
        !          2438: expanded to the login name of the user the command will
        !          2439: be run as (defaults to root)
        !          2440: .It Li %u
        !          2441: expanded to the invoking user's login name
        !          2442: .It Li %%
        !          2443: two consecutive
        !          2444: .Li %
        !          2445: characters are collapsed into a single
        !          2446: .Li %
        !          2447: character
        !          2448: .El
        !          2449: .Pp
        !          2450: The default value is
        !          2451: .Dq Li @passprompt@ .
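The %p escape is the one with security weight, since it reports which account's password is actually being requested once rootpw, runaspw and targetpw are taken into account. The following added example (not sudo's own code) models that choice together with the other passprompt escapes. The precedence used when more than one of the three flags is set is an assumption of this example (rootpw first, then runaspw, then targetpw); the manual does not state it. The hostname argument is taken to be whatever name sudo has for the machine, fully qualified when the fqdn option is in effect.

```python
import re

# Added example (not sudo's own code): models the passprompt escapes and the
# %p rule that decides whose password is being asked for.


def password_user(invoking_user, runas_user, runas_default="root",
                  rootpw=False, runaspw=False, targetpw=False):
    """Account whose password sudo asks for, as shown by %p.

    Precedence between the flags is an assumption of this example.
    """
    if rootpw:
        return "root"
    if runaspw:
        return runas_default
    if targetpw:
        return runas_user
    return invoking_user


def expand_passprompt(template, *, hostname, invoking_user, runas_user, auth_user):
    """Expand %H %h %p %U %u and %%; unknown escapes are left untouched."""
    short_host = hostname.split(".", 1)[0]
    # %H includes the domain only when sudo actually has a qualified name.
    escapes = {
        "H": hostname,
        "h": short_host,
        "p": auth_user,
        "U": runas_user,
        "u": invoking_user,
        "%": "%",
    }

    def repl(match):
        return escapes.get(match.group(1), match.group(0))

    return re.sub(r"%(.)", repl, template)


def prompt_for(template, invoking_user, runas_user, hostname, runas_default="root",
               rootpw=False, runaspw=False, targetpw=False):
    """Compute %p from the sudoers flags, then expand the prompt."""
    auth = password_user(invoking_user, runas_user, runas_default,
                         rootpw, runaspw, targetpw)
    return expand_passprompt(template, hostname=hostname,
                             invoking_user=invoking_user,
                             runas_user=runas_user, auth_user=auth)


if __name__ == "__main__":
    # Constructed sample: alice runs a command as postgres on host1.example.com.
    for flags in ({}, {"targetpw": True}, {"rootpw": True}):
        print(flags, prompt_for("[sudo] password for %p@%h: ", "alice",
                                "postgres", "host1.example.com", **flags))
```

Running it shows the same prompt asking for alice's, postgres's and root's password in turn, which is exactly the ambiguity a custom passprompt without %p would hide from the user.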
        !          2452: .It privs
        !          2453: The default Solaris privileges to use when constructing a new
        !          2454: privilege set for a command.
        !          2455: This is passed to the executing process via the inherited privilege set,
        !          2456: but is bounded by the limit privileges.
        !          2457: If the
        !          2458: .Em privs
        !          2459: option is specified but the
        !          2460: .Em limitprivs
        !          2461: option is not, the limit privileges of the executing process are set to
        !          2462: .Em privs .
        !          2463: The default privileges may be overridden on a per-command basis in
        !          2464: .Em sudoers .
        !          2465: This option is only available if
        !          2466: .Nm
        !          2467: is built on Solaris 10 or higher.
        !          2468: .It role
        !          2469: The default SELinux role to use when constructing a new security
        !          2470: context to run the command.
        !          2471: The default role may be overridden on a per-command basis in
        !          2472: .Em sudoers
        !          2473: or via command line options.
        !          2474: This option is only available when
        !          2475: .Nm sudo
        !          2476: is built with SELinux support.
        !          2477: .It runas_default
        !          2478: The default user to run commands as if the
        !          2479: .Fl u
        !          2480: option is not specified on the command line.
        !          2481: This defaults to
        !          2482: .Li @runas_default@ .
        !          2483: .It syslog_badpri
        !          2484: Syslog priority to use when a user authenticates unsuccessfully.
        !          2485: Defaults to
        !          2486: .Li @badpri@ .
        !          2487: .Pp
        !          2488: The following syslog priorities are supported:
        !          2489: .Sy alert ,
        !          2490: .Sy crit ,
        !          2491: .Sy debug ,
        !          2492: .Sy emerg ,
        !          2493: .Sy err ,
        !          2494: .Sy info ,
        !          2495: .Sy notice ,
        !          2496: and
        !          2497: .Sy warning .
        !          2498: .It syslog_goodpri
        !          2499: Syslog priority to use when a user authenticates successfully.
        !          2500: Defaults to
        !          2501: .Li @goodpri@ .
        !          2502: .Pp
        !          2503: See
        !          2504: .Sx syslog_badpri
        !          2505: for the list of supported syslog priorities.
        !          2506: .It sudoers_locale
        !          2507: Locale to use when parsing the sudoers file, logging commands, and
        !          2508: sending email.
        !          2509: Note that changing the locale may affect how sudoers is interpreted.
        !          2510: Defaults to
        !          2511: .Dq Li C .
        !          2512: .It timestampdir
        !          2513: The directory in which
        !          2514: .Nm sudo
        !          2515: stores its time stamp files.
        !          2516: The default is
        !          2517: .Pa @timedir@ .
        !          2518: .It timestampowner
        !          2519: The owner of the time stamp directory and the time stamps stored therein.
        !          2520: The default is
        !          2521: .Li root .
        !          2522: .It type
        !          2523: The default SELinux type to use when constructing a new security
        !          2524: context to run the command.
        !          2525: The default type may be overridden on a per-command basis in
        !          2526: .Em sudoers
        !          2527: or via command line options.
        !          2528: This option is only available when
        !          2529: .Nm sudo
        !          2530: is built with SELinux support.
        !          2531: .El
        !          2532: .Pp
        !          2533: .Sy Strings that can be used in a boolean context :
        !          2534: .Bl -tag -width 12n
        !          2535: .It env_file
        !          2536: The
        !          2537: .Em env_file
        !          2538: option specifies the fully qualified path to a file containing variables
        !          2539: to be set in the environment of the program being run.
        !          2540: Entries in this file should either be of the form
        !          2541: .Dq Li VARIABLE=value
        !          2542: or
        !          2543: .Dq Li export VARIABLE=value .
        !          2544: The value may optionally be surrounded by single or double quotes.
        !          2545: Variables in this file are subject to other
        !          2546: .Nm sudo
        !          2547: environment settings such as
        !          2548: .Em env_keep
        !          2549: and
        !          2550: .Em env_check .
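An env_file is only as safe as the filtering applied to it afterwards, so this added example (not sudo's own code) reads the VARIABLE=value / export VARIABLE=value format described above and then applies the env_keep, env_check and env_delete rules from this manual to the result. Two details are choices of this example rather than statements of the manual: lines beginning with # are skipped as comments, and a line that is not an assignment raises an error instead of being ignored. env_check is modelled with its documented test (the value may contain neither % nor /) on exact variable names only. The file contents in the test are constructed.

```python
import re

# Added example (not sudo's own code): a reader for the env_file format plus
# the env_keep / env_check / env_delete filtering such variables are subject to.

_ENV_LINE = re.compile(r"^(?:export\s+)?([A-Za-z_][A-Za-z0-9_]*)=(.*)$")


def parse_env_file(text):
    """Return {VARIABLE: value} for VARIABLE=value or export VARIABLE=value lines."""
    env = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):      # comment handling: example's choice
            continue
        match = _ENV_LINE.match(line)
        if match is None:                          # strictness: example's choice
            raise ValueError(f"env_file line {lineno}: expected VARIABLE=value")
        name, value = match.group(1), match.group(2).strip()
        # The value may optionally be surrounded by single or double quotes.
        if len(value) >= 2 and value[0] == value[-1] and value[0] in "\"'":
            value = value[1:-1]
        env[name] = value
    return env


def env_check_ok(value):
    """env_check rule: the value must contain neither '%' nor '/'."""
    return "%" not in value and "/" not in value


def filter_env(env, env_keep=(), env_check=(), env_delete=(), env_reset=True):
    """Apply the sudoers environment rules to variables read from env_file.

    With env_reset on, a variable survives only if listed in env_keep, or
    listed in env_check with a value that passes env_check_ok.  With
    env_reset off, everything survives except env_delete entries and
    env_check entries whose value fails env_check_ok.
    """
    kept = {}
    for name, value in env.items():
        if env_reset:
            allowed = name in env_keep or (name in env_check and env_check_ok(value))
        else:
            allowed = name not in env_delete and not (
                name in env_check and not env_check_ok(value))
        if allowed:
            kept[name] = value
    return kept


if __name__ == "__main__":
    sample = 'FOO=bar\nexport EDITOR="/usr/bin/vi"\n# comment\nTZ=\'Europe/Paris\'\nCOLOR=blue\n'
    parsed = parse_env_file(sample)
    print(parsed)
    print(filter_env(parsed, env_keep={"TZ"}, env_check={"EDITOR", "COLOR"}))
```

In the sample, EDITOR is dropped under env_check because its value contains a slash, while TZ survives only because it is in env_keep; listing a variable in env_file is therefore not enough on its own to get it into the command's environment.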
        !          2551: .It exempt_group
        !          2552: Users in this group are exempt from password and PATH requirements.
        !          2553: The group name specified should not include a
        !          2554: .Li %
        !          2555: prefix.
        !          2556: This is not set by default.
        !          2557: .It group_plugin
        !          2558: A string containing a
        !          2559: .Em sudoers
        !          2560: group plugin with optional arguments.
        !          2561: This can be used to implement support for the
        !          2562: .Li nonunix_group
        !          2563: syntax described earlier.
        !          2564: The string should consist of the plugin
        !          2565: path, either fully-qualified or relative to the
        !          2566: .Pa @prefix@/libexec
        !          2567: directory, followed by any configuration arguments the plugin requires.
        !          2568: These arguments (if any) will be passed to the plugin's initialization function.
        !          2569: If arguments are present, the string must be enclosed in double quotes
        !          2570: .Pq \&"" .
        !          2571: .Pp
        !          2572: For example, given
        !          2573: .Pa /etc/sudo-group ,
        !          2574: a group file in Unix group format, the sample group plugin can be used:
        !          2575: .Bd -literal
        !          2576: Defaults group_plugin="sample_group.so /etc/sudo-group"
        !          2577: .Ed
        !          2578: .Pp
        !          2579: For more information see
        !          2580: .Xr sudo_plugin @mansectform@ .
        !          2581: .It lecture
        !          2582: This option controls when a short lecture will be printed along with
        !          2583: the password prompt.
        !          2584: It has the following possible values:
        !          2585: .Bl -tag -width 6n
        !          2586: .It always
        !          2587: Always lecture the user.
        !          2588: .It never
        !          2589: Never lecture the user.
        !          2590: .It once
        !          2591: Only lecture the user the first time they run
        !          2592: .Nm sudo .
        !          2593: .El
        !          2594: .Pp
        !          2595: If no value is specified, a value of
        !          2596: .Em once
        !          2597: is implied.
        !          2598: Negating the option results in a value of
        !          2599: .Em never
        !          2600: being used.
        !          2601: The default value is
        !          2602: .Em @lecture@ .
        !          2603: .It lecture_file
        !          2604: Path to a file containing an alternate
        !          2605: .Nm sudo
        !          2606: lecture that will be used in place of the standard lecture if the named
        !          2607: file exists.
        !          2608: By default,
        !          2609: .Nm sudo
        !          2610: uses a built-in lecture.
        !          2611: .It listpw
        !          2612: This option controls when a password will be required when a user runs
        !          2613: .Nm sudo
        !          2614: with the
        !          2615: .Fl l
        !          2616: option.
        !          2617: It has the following possible values:
        !          2618: .Bl -tag -width 8n
        !          2619: .It all
        !          2620: All the user's
        !          2621: .Em sudoers
        !          2622: entries for the current host must have
        !          2623: the
        !          2624: .Li NOPASSWD
        !          2625: flag set to avoid entering a password.
        !          2626: .It always
        !          2627: The user must always enter a password to use the
        !          2628: .Fl l
        !          2629: option.
        !          2630: .It any
        !          2631: At least one of the user's
        !          2632: .Em sudoers
        !          2633: entries for the current host
        !          2634: must have the
        !          2635: .Li NOPASSWD
        !          2636: flag set to avoid entering a password.
        !          2637: .It never
        !          2638: The user need never enter a password to use the
        !          2639: .Fl l
        !          2640: option.
        !          2641: .El
        !          2642: .Pp
        !          2643: If no value is specified, a value of
        !          2644: .Em any
        !          2645: is implied.
        !          2646: Negating the option results in a value of
        !          2647: .Em never
        !          2648: being used.
        !          2649: The default value is
        !          2650: .Em any .
        !          2651: .It logfile
        !          2652: Path to the
        !          2653: .Nm sudo
        !          2654: log file (not the syslog log file).
        !          2655: Setting a path turns on logging to a file;
        !          2656: negating this option turns it off.
        !          2657: By default,
        !          2658: .Nm sudo
        !          2659: logs via syslog.
        !          2660: .It mailerflags
        !          2661: Flags to use when invoking the mailer. Defaults to
        !          2662: .Fl t .
        !          2663: .It mailerpath
        !          2664: Path to mail program used to send warning mail.
        !          2665: Defaults to the path to sendmail found at configure time.
        !          2666: .It mailfrom
        !          2667: Address to use for the
        !          2668: .Dq from
        !          2669: address when sending warning and error mail.
        !          2670: The address should be enclosed in double quotes
        !          2671: .Pq \&""
        !          2672: to protect against
        !          2673: .Nm sudo
        !          2674: interpreting the
        !          2675: .Li @
        !          2676: sign.
        !          2677: Defaults to the name of the user running
        !          2678: .Nm sudo .
        !          2679: .It mailto
        !          2680: Address to send warning and error mail to.
        !          2681: The address should be enclosed in double quotes
        !          2682: .Pq \&""
        !          2683: to protect against
        !          2684: .Nm sudo
        !          2685: interpreting the
        !          2686: .Li @
        !          2687: sign.
        !          2688: Defaults to
        !          2689: .Li @mailto@ .
        !          2690: .It secure_path
        !          2691: Path used for every command run from
        !          2692: .Nm sudo .
        !          2693: If you don't trust the
        !          2694: people running
        !          2695: .Nm sudo
        !          2696: to have a sane
        !          2697: .Ev PATH
        !          2698: environment variable, you may want to use this.
        !          2699: Another use is if you want to have the
        !          2700: .Dq root path
        !          2701: be separate from the
        !          2702: .Dq user path .
        !          2703: Users in the group specified by the
        !          2704: .Em exempt_group
        !          2705: option are not affected by
        !          2706: .Em secure_path .
        !          2707: This option is @secure_path@ by default.
        !          2708: .It syslog
        !          2709: Syslog facility if syslog is being used for logging (negate to
        !          2710: disable syslog logging).
        !          2711: Defaults to
        !          2712: .Li @logfac@ .
        !          2713: .Pp
        !          2714: The following syslog facilities are supported:
        !          2715: .Sy authpriv
        !          2716: (if your
        !          2717: OS supports it),
        !          2718: .Sy auth ,
        !          2719: .Sy daemon ,
        !          2720: .Sy user ,
        !          2721: .Sy local0 ,
        !          2722: .Sy local1 ,
        !          2723: .Sy local2 ,
        !          2724: .Sy local3 ,
        !          2725: .Sy local4 ,
        !          2726: .Sy local5 ,
        !          2727: .Sy local6 ,
        !          2728: and
        !          2729: .Sy local7 .
        !          2730: .It verifypw
        !          2731: This option controls when a password will be required when a user runs
        !          2732: .Nm sudo
        !          2733: with the
        !          2734: .Fl v
        !          2735: option.
        !          2736: It has the following possible values:
        !          2737: .Bl -tag -width 6n
        !          2738: .It all
        !          2739: All the user's
        !          2740: .Em sudoers
        !          2741: entries for the current host must have the
        !          2742: .Li NOPASSWD
        !          2743: flag set to avoid entering a password.
        !          2744: .It always
        !          2745: The user must always enter a password to use the
        !          2746: .Fl v
        !          2747: option.
        !          2748: .It any
        !          2749: At least one of the user's
        !          2750: .Em sudoers
        !          2751: entries for the current host must have the
        !          2752: .Li NOPASSWD
        !          2753: flag set to avoid entering a password.
        !          2754: .It never
        !          2755: The user need never enter a password to use the
        !          2756: .Fl v
        !          2757: option.
        !          2758: .El
        !          2759: .Pp
        !          2760: If no value is specified, a value of
        !          2761: .Em all
        !          2762: is implied.
        !          2763: Negating the option results in a value of
        !          2764: .Em never
        !          2765: being used.
        !          2766: The default value is
        !          2767: .Em all .
        !          2768: .El
        !          2769: .Pp
        !          2770: .Sy Lists that can be used in a boolean context :
        !          2771: .Bl -tag -width 16n
        !          2772: .It env_check
        !          2773: Environment variables to be removed from the user's environment if
        !          2774: the variable's value contains
        !          2775: .Ql %
        !          2776: or
        !          2777: .Ql /
        !          2778: characters.
        !          2779: This can be used to guard against printf-style format vulnerabilities
        !          2780: in poorly-written programs.
        !          2781: The argument may be a double-quoted, space-separated list or a
        !          2782: single value without double-quotes.
        !          2783: The list can be replaced, added to, deleted from, or disabled by using
        !          2784: the
        !          2785: .Li = ,
        !          2786: .Li += ,
        !          2787: .Li -= ,
        !          2788: and
        !          2789: .Li \&!
        !          2790: operators respectively.
        !          2791: Regardless of whether the
        !          2792: .Li env_reset
        !          2793: option is enabled or disabled, variables specified by
        !          2794: .Li env_check
        !          2795: will be preserved in the environment if they pass the aforementioned check.
        !          2796: The default list of environment variables to check is displayed when
        !          2797: .Nm sudo
        !          2798: is run by root with
        !          2799: the
        !          2800: .Fl V
        !          2801: option.
        !          2802: .It env_delete
        !          2803: Environment variables to be removed from the user's environment when the
        !          2804: .Em env_reset
        !          2805: option is not in effect.
        !          2806: The argument may be a double-quoted, space-separated list or a
        !          2807: single value without double-quotes.
        !          2808: The list can be replaced, added to, deleted from, or disabled by using the
        !          2809: .Li = ,
        !          2810: .Li += ,
        !          2811: .Li -= ,
        !          2812: and
        !          2813: .Li \&!
        !          2814: operators respectively.
        !          2815: The default list of environment variables to remove is displayed when
        !          2816: .Nm sudo
        !          2817: is run by root with the
        !          2818: .Fl V
        !          2819: option.
        !          2820: Note that many operating systems will remove potentially dangerous
        !          2821: variables from the environment of any setuid process (such as
        !          2822: .Nm sudo ) .
        !          2823: .It env_keep
        !          2824: Environment variables to be preserved in the user's environment when the
        !          2825: .Em env_reset
        !          2826: option is in effect.
        !          2827: This allows fine-grained control over the environment
        !          2828: .Nm sudo Ns No -spawned
        !          2829: processes will receive.
        !          2830: The argument may be a double-quoted, space-separated list or a
        !          2831: single value without double-quotes.
        !          2832: The list can be replaced, added to, deleted from, or disabled by using the
        !          2833: .Li = ,
        !          2834: .Li += ,
        !          2835: .Li -= ,
        !          2836: and
        !          2837: .Li \&!
        !          2838: operators respectively.
        !          2839: The default list of variables to keep
        !          2840: is displayed when
        !          2841: .Nm sudo
        !          2842: is run by root with the
        !          2843: .Fl V
        !          2844: option.
        !          2845: .El
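As an added illustration (not code from sudo itself), the following Python models how env_reset, env_keep, env_check and env_delete, together with the =, +=, -= and ! operators described above, shape the environment a command receives; the Defaults lines and the sample environment are constructed, and the precedence between the lists is an assumption stated in the comments.

```python
import re
from typing import Dict, List, Set

# Defaults line for the four environment options discussed above, e.g.
#   Defaults env_keep += "DISPLAY HOME"
#   Defaults !env_reset
DEFAULTS_RE = re.compile(
    r'^\s*Defaults\s+(?P<neg>!)?(?P<name>env_reset|env_keep|env_check|env_delete)'
    r'(?:\s*(?P<op>\+=|-=|=)\s*(?P<value>"[^"]*"|\S+))?\s*$'
)


class EnvPolicy:
    """Holds env_reset plus the three lists and applies Defaults lines to them."""

    def __init__(self) -> None:
        # Assumption for this model: env_reset starts enabled, as in stock sudoers.
        self.env_reset = True
        self.lists: Dict[str, Set[str]] = {
            "env_keep": set(), "env_check": set(), "env_delete": set()}

    def apply(self, line: str) -> None:
        m = DEFAULTS_RE.match(line)
        if m is None:
            raise ValueError("unsupported Defaults line: %r" % line)
        neg, name, op, value = m.group("neg", "name", "op", "value")
        if name == "env_reset":
            if op is not None:
                raise ValueError("env_reset is a boolean flag")
            self.env_reset = neg is None
            return
        if neg is not None:            # "!" disables the list entirely
            self.lists[name].clear()
            return
        if op is None:
            raise ValueError("%s needs =, += or -= and a value" % name)
        items = set(value.strip('"').split())   # quoted list or single value
        if op == "=":                  # replace the list
            self.lists[name] = items
        elif op == "+=":               # add to the list
            self.lists[name] |= items
        else:                          # "-=": delete from the list
            self.lists[name] -= items


def unsafe_value(value: str) -> bool:
    """env_check rejects values containing '%' or '/' (printf-format guard)."""
    return "%" in value or "/" in value


def filter_env(env: Dict[str, str], policy: EnvPolicy) -> Dict[str, str]:
    """Return the variables a command would receive under the policy.

    Assumed precedence: env_delete is applied first when env_reset is off,
    and env_check is consulted before env_keep when env_reset is on.  The
    variables sudo adds on its own (SUDO_USER and friends) are not modelled.
    """
    keep, check, delete = (policy.lists[k] for k in
                           ("env_keep", "env_check", "env_delete"))
    result: Dict[str, str] = {}
    for name, value in env.items():
        if not policy.env_reset and name in delete:
            survives = False           # removed from the full environment
        elif name in check:
            survives = not unsafe_value(value)   # kept only if it passes, either mode
        elif policy.env_reset:
            survives = name in keep    # start empty; only env_keep comes through
        else:
            survives = True            # start full; nothing else is dropped
        if survives:
            result[name] = value
    return result


def build_policy(lines: List[str]) -> EnvPolicy:
    policy = EnvPolicy()
    for line in lines:
        policy.apply(line)
    return policy


# Constructed sample: the page's own env_keep line plus two assumed lists.
SAMPLE_DEFAULTS = [
    'Defaults env_keep += "DISPLAY HOME"',
    'Defaults env_check = "COLORTERM LANG"',
    'Defaults env_delete = LD_PRELOAD',
]
SAMPLE_ENV = {
    "DISPLAY": ":0",
    "HOME": "/home/millert",           # contains "/" but is only in env_keep
    "LANG": "en_US.UTF-8",
    "COLORTERM": "%n%n",               # fails the env_check test
    "LD_PRELOAD": "/opt/lib/hook.so",  # deleted, or simply never kept
    "PS1": "$ ",
}

if __name__ == "__main__":
    policy = build_policy(SAMPLE_DEFAULTS)
    print("env_reset :", sorted(filter_env(SAMPLE_ENV, policy)))
    policy.apply("Defaults !env_reset")
    print("!env_reset:", sorted(filter_env(SAMPLE_ENV, policy)))
```

Moving HOME from env_keep into env_check drops it, because its value contains a slash; that is why the page's example keeps HOME rather than checks it.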
        !          2846: .Sh LOG FORMAT
        !          2847: .Nm sudoers
        !          2848: can log events using either
        !          2849: .Xr syslog 3
        !          2850: or a simple log file.
        !          2851: In each case the log format is almost identical.
        !          2852: .Ss Accepted command log entries
        !          2853: Commands that sudo runs are logged using the following format (split
        !          2854: into multiple lines for readability):
        !          2855: .Bd -literal -offset 4n
        !          2856: date hostname progname: username : TTY=ttyname ; PWD=cwd ; \e
        !          2857:     USER=runasuser ; GROUP=runasgroup ; TSID=logid ; \e
        !          2858:     ENV=env_vars COMMAND=command
        !          2859: .Ed
        !          2860: .Pp
        !          2861: Where the fields are as follows:
        !          2862: .Bl -tag -width 12n
        !          2863: .It date
        !          2864: The date the command was run.
        !          2865: Typically, this is in the format
        !          2866: .Dq MMM, DD, HH:MM:SS .
        !          2867: If logging via
        !          2868: .Xr syslog 3 ,
        !          2869: the actual date format is controlled by the syslog daemon.
        !          2870: If logging to a file and the
        !          2871: .Em log_year
        !          2872: option is enabled,
        !          2873: the date will also include the year.
        !          2874: .It hostname
        !          2875: The name of the host
        !          2876: .Nm sudo
        !          2877: was run on.
        !          2878: This field is only present when logging via
        !          2879: .Xr syslog 3 .
        !          2880: .It progname
        !          2881: The name of the program, usually
        !          2882: .Em sudo
        !          2883: or
        !          2884: .Em sudoedit .
        !          2885: This field is only present when logging via
        !          2886: .Xr syslog 3 .
        !          2887: .It username
        !          2888: The login name of the user who ran
        !          2889: .Nm sudo .
        !          2890: .It ttyname
        !          2891: The short name of the terminal (e.g.\&
        !          2892: .Dq console ,
        !          2893: .Dq tty01 ,
        !          2894: or
        !          2895: .Dq pts/0 )
        !          2896: .Nm sudo
        !          2897: was run on, or
        !          2898: .Dq unknown
        !          2899: if there was no terminal present.
        !          2900: .It cwd
        !          2901: The current working directory that
        !          2902: .Nm sudo
        !          2903: was run in.
        !          2904: .It runasuser
        !          2905: The user the command was run as.
        !          2906: .It runasgroup
        !          2907: The group the command was run as, if one was specified on the command line.
        !          2908: .It logid
        !          2909: An I/O log identifier that can be used to replay the command's output.
        !          2910: This is only present when the
        !          2911: .Em log_input
        !          2912: or
        !          2913: .Em log_output
        !          2914: option is enabled.
        !          2915: .It env_vars
        !          2916: A list of environment variables specified on the command line,
        !          2917: if specified.
        !          2918: .It command
        !          2919: The actual command that was executed.
        !          2920: .El
        !          2921: .Pp
        !          2922: Messages are logged using the locale specified by
        !          2923: .Em sudoers_locale ,
        !          2924: which defaults to the
        !          2925: .Dq Li C
        !          2926: locale.
        !          2927: .Ss Denied command log entries
        !          2928: If the user is not allowed to run the command, the reason for the denial
        !          2929: will follow the user name.
        !          2930: Possible reasons include:
        !          2931: .Bl -tag -width 4
        !          2932: .It user NOT in sudoers
        !          2933: The user is not listed in the
        !          2934: .Em sudoers
        !          2935: file.
        !          2936: .It user NOT authorized on host
        !          2937: The user is listed in the
        !          2938: .Em sudoers
        !          2939: file but is not allowed to run commands on the host.
        !          2940: .It command not allowed
        !          2941: The user is listed in the
        !          2942: .Em sudoers
        !          2943: file for the host but they are not allowed to run the specified command.
        !          2944: .It 3 incorrect password attempts
        !          2945: The user failed to enter their password after 3 tries.
        !          2946: The actual number of tries will vary based on the number of
        !          2947: failed attempts and the value of the
        !          2948: .Em passwd_tries
        !          2949: option.
        !          2950: .It a password is required
        !          2951: .Nm sudo Ns No 's
        !          2952: .Fl n
        !          2953: option was specified but a password was required.
        !          2954: .It sorry, you are not allowed to set the following environment variables
        !          2955: The user specified environment variables on the command line that
        !          2956: were not allowed by
        !          2957: .Em sudoers .
        !          2958: .El
        !          2959: .Ss Error log entries
        !          2960: If an error occurs,
        !          2961: .Nm sudoers
        !          2962: will log a message and, in most cases, send a message to the
        !          2963: administrator via email.
        !          2964: Possible errors include:
        !          2965: .Bl -tag -width 4
        !          2966: .It parse error in @sysconfdir@/sudoers near line N
        !          2967: .Nm sudoers
        !          2968: encountered an error when parsing the specified file.
        !          2969: In some cases, the actual error may be one line above or below the
        !          2970: line number listed, depending on the type of error.
        !          2971: .It problem with defaults entries
        !          2972: The
        !          2973: .Em sudoers
        !          2974: file contains one or more unknown Defaults settings.
        !          2975: This does not prevent
        !          2976: .Nm sudo
        !          2977: from running, but the
        !          2978: .Em sudoers
        !          2979: file should be checked using
        !          2980: .Nm visudo .
        !          2981: .It timestamp owner (username): \&No such user
        !          2982: The time stamp directory owner, as specified by the
        !          2983: .Em timestampowner
        !          2984: setting, could not be found in the password database.
        !          2985: .It unable to open/read @sysconfdir@/sudoers
        !          2986: The
        !          2987: .Em sudoers
        !          2988: file could not be opened for reading.
        !          2989: This can happen when the
        !          2990: .Em sudoers
        !          2991: file is located on a remote file system that maps user ID 0 to
        !          2992: a different value.
        !          2993: Normally,
        !          2994: .Nm sudoers
        !          2995: tries to open
        !          2996: .Em sudoers
        !          2997: using group permissions to avoid this problem.
        !          2998: Consider changing the ownership of
        !          2999: .Pa @sysconfdir@/sudoers
        !          3000: by adding an option like
        !          3001: .Dq sudoers_uid=N
        !          3002: (where
        !          3003: .Sq N
        !          3004: is the user ID that owns the
        !          3005: .Em sudoers
        !          3006: file) to the
        !          3007: .Nm sudoers
        !          3008: plugin line in the
        !          3009: .Pa @sysconfdir@/sudo.conf
        !          3010: file.
        !          3011: .It unable to stat @sysconfdir@/sudoers
        !          3012: The
        !          3013: .Pa @sysconfdir@/sudoers
        !          3014: file is missing.
        !          3015: .It @sysconfdir@/sudoers is not a regular file
        !          3016: The
        !          3017: .Pa @sysconfdir@/sudoers
        !          3018: file exists but is not a regular file or symbolic link.
        !          3019: .It @sysconfdir@/sudoers is owned by uid N, should be 0
        !          3020: The
        !          3021: .Em sudoers
        !          3022: file has the wrong owner.
        !          3023: If you wish to change the
        !          3024: .Em sudoers
        !          3025: file owner, please add
        !          3026: .Dq sudoers_uid=N
        !          3027: (where
        !          3028: .Sq N
        !          3029: is the user ID that owns the
        !          3030: .Em sudoers
        !          3031: file) to the
        !          3032: .Nm sudoers
        !          3033: plugin line in the
        !          3034: .Pa @sysconfdir@/sudo.conf
        !          3035: file.
        !          3036: .It @sysconfdir@/sudoers is world writable
        !          3037: The permissions on the
        !          3038: .Em sudoers
        !          3039: file allow all users to write to it.
        !          3040: The
        !          3041: .Em sudoers
        !          3042: file must not be world-writable; the default file mode
        !          3043: is 0440 (readable by owner and group, writable by none).
        !          3044: The default mode may be changed via the
        !          3045: .Dq sudoers_mode
        !          3046: option to the
        !          3047: .Nm sudoers
        !          3048: plugin line in the
        !          3049: .Pa @sysconfdir@/sudo.conf
        !          3050: file.
        !          3051: .It @sysconfdir@/sudoers is owned by gid N, should be 1
        !          3052: The
        !          3053: .Em sudoers
        !          3054: file has the wrong group ownership.
        !          3055: If you wish to change the
        !          3056: .Em sudoers
        !          3057: file group ownership, please add
        !          3058: .Dq sudoers_gid=N
        !          3059: (where
        !          3060: .Sq N
        !          3061: is the group ID that owns the
        !          3062: .Em sudoers
        !          3063: file) to the
        !          3064: .Nm sudoers
        !          3065: plugin line in the
        !          3066: .Pa @sysconfdir@/sudo.conf
        !          3067: file.
        !          3068: .It unable to open @timedir@/username/ttyname
        !          3069: .Em sudoers
        !          3070: was unable to read or create the user's time stamp file.
        !          3071: .It unable to write to @timedir@/username/ttyname
        !          3072: .Em sudoers
        !          3073: was unable to write to the user's time stamp file.
        !          3074: .It unable to mkdir to @timedir@/username
        !          3075: .Em sudoers
        !          3076: was unable to create the user's time stamp directory.
        !          3077: .El
        !          3078: .Ss Notes on logging via syslog
        !          3079: By default,
        !          3080: .Em sudoers
        !          3081: logs messages via
        !          3082: .Xr syslog 3 .
        !          3083: The
        !          3084: .Em date ,
        !          3085: .Em hostname ,
        !          3086: and
        !          3087: .Em progname
        !          3088: fields are added by the syslog daemon, not
        !          3089: .Em sudoers
        !          3090: itself.
        !          3091: As such, they may vary in format on different systems.
        !          3092: .Pp
        !          3093: On most systems,
        !          3094: .Xr syslog 3
        !          3095: has a relatively small log buffer.
        !          3096: To prevent the command line arguments from being truncated,
        !          3097: .Nm sudoers
        !          3098: will split up log messages that are larger than 960 characters
        !          3099: (not including the date, hostname, and the string
        !          3100: .Dq sudo ) .
        !          3101: When a message is split, additional parts will include the string
        !          3102: .Dq Pq command continued
        !          3103: after the user name and before the continued command line arguments.
        !          3104: .Ss Notes on logging to a file
        !          3105: If the
        !          3106: .Em logfile
        !          3107: option is set,
        !          3108: .Em sudoers
        !          3109: will log to a local file, such as
        !          3110: .Pa /var/log/sudo .
        !          3111: When logging to a file,
        !          3112: .Em sudoers
        !          3113: uses a format similar to
        !          3114: .Xr syslog 3 ,
        !          3115: with a few important differences:
        !          3116: .Bl -enum
        !          3117: .It
        !          3118: The
        !          3119: .Em progname
        !          3120: and
        !          3121: .Em hostname
        !          3122: fields are not present.
        !          3123: .It
        !          3124: If the
        !          3125: .Em log_year
        !          3126: option is enabled,
        !          3127: the date will also include the year.
        !          3128: .It
        !          3129: Lines that are longer than
        !          3130: .Em loglinelen
        !          3131: characters (80 by default) are word-wrapped and continued on the
        !          3132: next line with a four-character indent.
        !          3133: This makes entries easier to read for a human being, but makes it
        !          3134: more difficult to use
        !          3135: .Xr grep 1
        !          3136: on the log files.
        !          3137: If the
        !          3138: .Em loglinelen
        !          3139: option is set to 0 (or negated with a
        !          3140: .Ql \&! ) ,
        !          3141: word wrap will be disabled.
        !          3142: .El
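The following parser is an added example, not part of sudo, covering the accepted and denied command log entries documented above together with the two ways sudoers splits long entries (four-space continuation lines in a log file, "(command continued)" messages via syslog); the sample lines are constructed to the documented layout, and the regular expressions assume the usual "MMM DD HH:MM:SS" date.

```python
import re
from typing import Dict, List, Optional, Tuple

Entry = Dict[str, Optional[str]]

# Log-file form: "date : username : fields"; the year appears only with log_year.
FILE_RE = re.compile(
    r"^(?P<date>[A-Z][a-z]{2} {1,2}\d{1,2} \d\d:\d\d:\d\d(?: \d{4})?) : (?P<rest>.*)$")
# Syslog form: the syslog daemon prepends date, hostname and progname; the
# optional "[pid]" covers daemons that also log the process ID.
SYSLOG_RE = re.compile(
    r"^(?P<date>[A-Z][a-z]{2} {1,2}\d{1,2} \d\d:\d\d:\d\d) (?P<hostname>\S+) "
    r"(?P<progname>sudo|sudoedit)(?:\[\d+\])?:\s*(?P<rest>.*)$")
CONTINUED = "(command continued) "
FIELD_KEYS = ("TTY", "PWD", "USER", "GROUP", "TSID", "ENV", "COMMAND")


def _split_rest(rest: str) -> Tuple[Optional[str], str]:
    """Split "username : body" at the first " : "; syslog pads the user name."""
    user, sep, body = rest.partition(" : ")
    return (user.strip(), body) if sep else (None, rest)


def join_entries(lines: List[str]) -> List[str]:
    """Glue back entries that sudoers split: log-file lines longer than
    loglinelen are word-wrapped onto four-space-indented lines, and syslog
    messages over 960 characters continue in a message whose body starts
    with "(command continued)".  Either piece is rejoined with one space."""
    out: List[str] = []
    for raw in lines:
        line = raw.rstrip("\n")
        if line.startswith("    ") and out:            # log-file word wrap
            out[-1] += " " + line.lstrip()
            continue
        m = SYSLOG_RE.match(line)
        if m and out:
            user, body = _split_rest(m.group("rest"))
            prev = SYSLOG_RE.match(out[-1])
            if (body.startswith(CONTINUED) and prev
                    and _split_rest(prev.group("rest"))[0] == user):
                out[-1] += " " + body[len(CONTINUED):]   # syslog split
                continue
        out.append(line)
    return out


def parse_entry(line: str) -> Optional[Entry]:
    """Parse one rejoined entry; returns None for lines that are not sudo logs."""
    entry: Entry = {"hostname": None, "progname": None, "reason": None}
    entry.update(dict.fromkeys(FIELD_KEYS))
    m = FILE_RE.match(line)
    if m:
        entry.update(format="file", date=m.group("date"))
    else:
        m = SYSLOG_RE.match(line)
        if not m:
            return None
        entry.update(format="syslog", date=m.group("date"),
                     hostname=m.group("hostname"), progname=m.group("progname"))
    user, body = _split_rest(m.group("rest"))
    if user is None:
        return None
    entry["username"] = user
    for piece in body.split(" ; "):
        if piece.startswith("ENV=") and " COMMAND=" in piece:
            # ENV and COMMAND share the last field, separated by a space only;
            # splitting at the first " COMMAND=" is ambiguous if an
            # environment value itself contains that token.
            env, _, cmd = piece.partition(" COMMAND=")
            entry["ENV"], entry["COMMAND"] = env[len("ENV="):], cmd
            continue
        key, eq, value = piece.partition("=")
        if eq and key in FIELD_KEYS:
            entry[key] = value
        else:
            # Not KEY=value: the denial reason that follows the user name in
            # denied command log entries ("command not allowed", ...).
            entry["reason"] = piece
    return entry


def parse_log(lines: List[str]) -> List[Entry]:
    return [e for e in map(parse_entry, join_entries(lines)) if e is not None]


# Constructed sample lines laid out as the page documents (not real logs).
SAMPLE_SYSLOG = [
    "Jul 16 12:00:01 bigtime sudo:  millert : TTY=pts/0 ; PWD=/home/millert ; "
    "USER=root ; COMMAND=/usr/bin/id",
    "Jul 16 12:00:02 bigtime sudo:   dowdy : command not allowed ; TTY=pts/1 ; "
    "PWD=/home/dowdy ; USER=root ; COMMAND=/usr/bin/vi /etc/sudoers",
    "Jul 16 12:00:03 bigtime sudo:   mikef : TTY=pts/2 ; PWD=/tmp ; USER=oracle ; "
    "GROUP=dba ; TSID=000001 ; ENV=ORACLE_SID=test COMMAND=/usr/bin/sqlplus -s",
    "Jul 16 12:00:03 bigtime sudo:   mikef : (command continued) @setup.sql",
]
SAMPLE_FILE = [
    "Jul 16 12:00:04 2012 : millert : TTY=pts/0 ; PWD=/home/millert ; USER=root ;",
    "    COMMAND=/usr/bin/id",
]

if __name__ == "__main__":
    for e in parse_log(SAMPLE_SYSLOG + SAMPLE_FILE):
        tag = "DENIED: " + e["reason"] if e["reason"] else "ok"
        print(e["username"], "->", e["USER"], e["COMMAND"], tag)
```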
        !          3143: .Sh SUDO.CONF
        !          3144: The
        !          3145: .Pa @sysconfdir@/sudo.conf
        !          3146: file determines which plugins the
        !          3147: .Nm sudo
        !          3148: front end will load.
        !          3149: If no
        !          3150: .Pa @sysconfdir@/sudo.conf
        !          3151: file
        !          3152: is present, or it contains no
        !          3153: .Li Plugin
        !          3154: lines,
        !          3155: .Nm sudo
        !          3156: will use the
        !          3157: .Em sudoers
        !          3158: security policy and I/O logging, which corresponds to the following
        !          3159: .Pa @sysconfdir@/sudo.conf
        !          3160: file.
        !          3161: .Bd -literal
        !          3162: #
        !          3163: # Default @sysconfdir@/sudo.conf file
        !          3164: #
        !          3165: # Format:
        !          3166: #   Plugin plugin_name plugin_path plugin_options ...
        !          3167: #   Path askpass /path/to/askpass
        !          3168: #   Path noexec /path/to/sudo_noexec.so
        !          3169: #   Debug sudo /var/log/sudo_debug all@warn
        !          3170: #   Set disable_coredump true
        !          3171: #
        !          3172: # The plugin_path is relative to @prefix@/libexec unless
        !          3173: #   fully qualified.
        !          3174: # The plugin_name corresponds to a global symbol in the plugin
        !          3175: #   that contains the plugin interface structure.
        !          3176: # The plugin_options are optional.
        !          3177: #
        !          3178: Plugin policy_plugin sudoers.so
        !          3179: Plugin io_plugin sudoers.so
        !          3180: .Ed
        !          3181: .Ss Plugin options
        !          3182: Starting with
        !          3183: .Nm sudo
        !          3184: 1.8.5, it is possible to pass options to the
        !          3185: .Em sudoers
        !          3186: plugin.
        !          3187: Options may be listed after the path to the plugin (i.e.\& after
        !          3188: .Pa sudoers.so ) ;
        !          3189: multiple options should be space-separated.
        !          3190: For example:
        !          3191: .Bd -literal
        !          3192: Plugin sudoers_policy sudoers.so sudoers_file=/etc/sudoers sudoers_uid=0 sudoers_gid=0 sudoers_mode=0440
        !          3193: .Ed
        !          3194: .Pp
        !          3195: The following plugin options are supported:
        !          3196: .Bl -tag -width 8n
        !          3197: .It sudoers_file=pathname
        !          3198: The
        !          3199: .Em sudoers_file
        !          3200: option can be used to override the default path
        !          3201: to the
        !          3202: .Em sudoers
        !          3203: file.
        !          3204: .It sudoers_uid=uid
        !          3205: The
        !          3206: .Em sudoers_uid
        !          3207: option can be used to override the default owner of the sudoers file.
        !          3208: It should be specified as a numeric user ID.
        !          3209: .It sudoers_gid=gid
        !          3210: The
        !          3211: .Em sudoers_gid
        !          3212: option can be used to override the default group of the sudoers file.
        !          3213: It should be specified as a numeric group ID.
        !          3214: .It sudoers_mode=mode
        !          3215: The
        !          3216: .Em sudoers_mode
        !          3217: option can be used to override the default file mode for the sudoers file.
        !          3218: It should be specified as an octal value.
        !          3219: .El
        !          3220: .Ss Debug flags
        !          3221: Versions 1.8.4 and higher of the
        !          3222: .Em sudoers
        !          3223: plugin support a debugging framework that can help track down what the
        !          3224: plugin is doing internally if there is a problem.
        !          3225: This can be configured in the
        !          3226: .Pa @sysconfdir@/sudo.conf
        !          3227: file as described in
        !          3228: .Xr sudo @mansectsu@ .
        !          3229: .Pp
        !          3230: The
        !          3231: .Em sudoers
        !          3232: plugin uses the same debug flag format as the
        !          3233: .Nm sudo
        !          3234: front-end:
        !          3235: .Em subsystem Ns No @ Ns Em priority .
        !          3236: .Pp
        !          3237: The priorities used by
        !          3238: .Em sudoers ,
        !          3239: in order of decreasing severity,
        !          3240: are:
        !          3241: .Em crit ,
        !          3242: .Em err ,
        !          3243: .Em warn ,
        !          3244: .Em notice ,
        !          3245: .Em diag ,
        !          3246: .Em info ,
        !          3247: .Em trace
        !          3248: and
        !          3249: .Em debug .
        !          3250: Each priority, when specified, also includes all priorities higher than it.
        !          3251: For example, a priority of
        !          3252: .Em notice
        !          3253: would include debug messages logged at
        !          3254: .Em notice
        !          3255: and higher.
        !          3256: .Pp
        !          3257: The following subsystems are used by
        !          3258: .Em sudoers :
        !          3259: .Bl -tag -width 8n
        !          3260: .It Em alias
        !          3261: .Li User_Alias ,
        !          3262: .Li Runas_Alias ,
        !          3263: .Li Host_Alias
        !          3264: and
        !          3265: .Li Cmnd_Alias
        !          3266: processing
        !          3267: .It Em all
        !          3268: matches every subsystem
        !          3269: .It Em audit
        !          3270: BSM and Linux audit code
        !          3271: .It Em auth
        !          3272: user authentication
        !          3273: .It Em defaults
        !          3274: .Em sudoers
        !          3275: .Em Defaults
        !          3276: settings
        !          3277: .It Em env
        !          3278: environment handling
        !          3279: .It Em ldap
        !          3280: LDAP-based sudoers
        !          3281: .It Em logging
        !          3282: logging support
        !          3283: .It Em match
        !          3284: matching of users, groups, hosts and netgroups in
        !          3285: .Em sudoers
        !          3286: .It Em netif
        !          3287: network interface handling
        !          3288: .It Em nss
        !          3289: network service switch handling in
        !          3290: .Em sudoers
        !          3291: .It Em parser
        !          3292: .Em sudoers
        !          3293: file parsing
        !          3294: .It Em perms
        !          3295: permission setting
        !          3296: .It Em plugin
        !          3297: The equivalent of
        !          3298: .Em main
        !          3299: for the plugin.
        !          3300: .It Em pty
        !          3301: pseudo-tty related code
        !          3302: .It Em rbtree
        !          3303: red-black tree internals
        !          3304: .It Em util
        !          3305: utility functions
        !          3306: .El
        !          3307: .Sh FILES
        !          3308: .Bl -tag -width 24n
        !          3309: .It Pa @sysconfdir@/sudo.conf
        !          3310: Sudo front end configuration
        !          3311: .It Pa @sysconfdir@/sudoers
        !          3312: List of who can run what
        !          3313: .It Pa /etc/group
        !          3314: Local groups file
        !          3315: .It Pa /etc/netgroup
        !          3316: List of network groups
        !          3317: .It Pa @iolog_dir@
        !          3318: I/O log files
        !          3319: .It Pa @timedir@
        !          3320: Directory containing time stamps for the
        !          3321: .Em sudoers
        !          3322: security policy
        !          3323: .It Pa /etc/environment
        !          3324: Initial environment for
        !          3325: .Fl i
        !          3326: mode on AIX and Linux systems
        !          3327: .El
        !          3328: .Sh EXAMPLES
        !          3329: Below are example
        !          3330: .Em sudoers
        !          3331: entries.
        !          3332: Admittedly, some of these are a bit contrived.
        !          3333: First, we allow a few environment variables to pass and then define our
        !          3334: .Em aliases :
        !          3335: .Bd -literal
        !          3336: # Run X applications through sudo; HOME is used to find the
        !          3337: # .Xauthority file.  Note that other programs use HOME to find
        !          3338: # configuration files and this may lead to privilege escalation!
        !          3339: Defaults env_keep += "DISPLAY HOME"
        !          3340: 
        !          3341: # User alias specification
        !          3342: User_Alias     FULLTIMERS = millert, mikef, dowdy
        !          3343: User_Alias     PARTTIMERS = bostley, jwfox, crawl
        !          3344: User_Alias     WEBMASTERS = will, wendy, wim
        !          3345: 
        !          3346: # Runas alias specification
        !          3347: Runas_Alias    OP = root, operator
        !          3348: Runas_Alias    DB = oracle, sybase
        !          3349: Runas_Alias    ADMINGRP = adm, oper
        !          3350: 
        !          3351: # Host alias specification
        !          3352: Host_Alias     SPARC = bigtime, eclipse, moet, anchor :\e
        !          3353:                SGI = grolsch, dandelion, black :\e
        !          3354:                ALPHA = widget, thalamus, foobar :\e
        !          3355:                HPPA = boa, nag, python
        !          3356: Host_Alias     CUNETS = 128.138.0.0/255.255.0.0
        !          3357: Host_Alias     CSNETS = 128.138.243.0, 128.138.204.0/24, 128.138.242.0
        !          3358: Host_Alias     SERVERS = master, mail, www, ns
        !          3359: Host_Alias     CDROM = orion, perseus, hercules
        !          3360: 
        !          3361: # Cmnd alias specification
        !          3362: Cmnd_Alias     DUMPS = /usr/bin/mt, /usr/sbin/dump, /usr/sbin/rdump,\e
        !          3363:                        /usr/sbin/restore, /usr/sbin/rrestore
        !          3364: Cmnd_Alias     KILL = /usr/bin/kill
        !          3365: Cmnd_Alias     PRINTING = /usr/sbin/lpc, /usr/bin/lprm
        !          3366: Cmnd_Alias     SHUTDOWN = /usr/sbin/shutdown
        !          3367: Cmnd_Alias     HALT = /usr/sbin/halt
        !          3368: Cmnd_Alias     REBOOT = /usr/sbin/reboot
        !          3369: Cmnd_Alias     SHELLS = /usr/bin/sh, /usr/bin/csh, /usr/bin/ksh,\e
        !          3370:                         /usr/local/bin/tcsh, /usr/bin/rsh,\e
        !          3371:                         /usr/local/bin/zsh
        !          3372: Cmnd_Alias     SU = /usr/bin/su
        !          3373: Cmnd_Alias     PAGERS = /usr/bin/more, /usr/bin/pg, /usr/bin/less
        !          3374: .Ed
        !          3375: .Pp
        !          3376: Here we override some of the compiled-in default values.
        !          3377: We want
        !          3378: .Nm sudo
        !          3379: to log via
        !          3380: .Xr syslog 3
        !          3381: using the
        !          3382: .Em auth
        !          3383: facility in all cases.
        !          3384: We don't want to subject the full time staff to the
        !          3385: .Nm sudo
        !          3386: lecture, user
        !          3387: .Sy millert
        !          3388: need not give a password, and we don't want to reset the
        !          3389: .Ev LOGNAME ,
        !          3390: .Ev USER
        !          3391: or
        !          3392: .Ev USERNAME
        !          3393: environment variables when running commands as root.
        !          3394: Additionally, on the machines in the
        !          3395: .Em SERVERS
        !          3396: .Li Host_Alias ,
        !          3397: we keep an additional local log file and make sure we log the year
        !          3398: in each log line since the log entries will be kept around for several years.
        !          3399: Lastly, we disable shell escapes for the commands in the PAGERS
        !          3400: .Li Cmnd_Alias
        !          3401: .Po
        !          3402: .Pa /usr/bin/more ,
        !          3403: .Pa /usr/bin/pg
        !          3404: and
        !          3405: .Pa /usr/bin/less
        !          3406: .Pc .
        !          3407: .Bd -literal
        !          3408: # Override built-in defaults
        !          3409: Defaults               syslog=auth
        !          3410: Defaults>root          !set_logname
        !          3411: Defaults:FULLTIMERS    !lecture
        !          3412: Defaults:millert       !authenticate
        !          3413: Defaults@SERVERS       log_year, logfile=/var/log/sudo.log
        !          3414: Defaults!PAGERS                noexec
        !          3415: .Ed
        !          3416: .Pp
        !          3417: The
        !          3418: .Em User specification
        !          3419: is the part that actually determines who may run what.
        !          3420: .Bd -literal
        !          3421: root           ALL = (ALL) ALL
        !          3422: %wheel         ALL = (ALL) ALL
        !          3423: .Ed
        !          3424: .Pp
        !          3425: We let
        !          3426: .Sy root
        !          3427: and any user in group
        !          3428: .Sy wheel
        !          3429: run any command on any host as any user.
        !          3430: .Bd -literal
        !          3431: FULLTIMERS     ALL = NOPASSWD: ALL
        !          3432: .Ed
        !          3433: .Pp
        !          3434: Full time sysadmins
        !          3435: .Po
        !          3436: .Sy millert ,
        !          3437: .Sy mikef ,
        !          3438: and
        !          3439: .Sy dowdy
        !          3440: .Pc
        !          3441: may run any command on any host without authenticating themselves.
        !          3442: .Bd -literal
        !          3443: PARTTIMERS     ALL = ALL
        !          3444: .Ed
        !          3445: .Pp
        !          3446: Part time sysadmins
        !          3447: .Po
        !          3448: .Sy bostley ,
        !          3449: .Sy jwfox ,
        !          3450: and
        !          3451: .Sy crawl
        !          3452: .Pc
        !          3453: may run any command on any host but they must authenticate themselves
        !          3454: first (since the entry lacks the
        !          3455: .Li NOPASSWD
        !          3456: tag).
        !          3455: .Bd -literal
        !          3456: jack           CSNETS = ALL
        !          3457: .Ed
        !          3458: .Pp
        !          3459: The user
        !          3460: .Sy jack
        !          3461: may run any command on the machines in the
        !          3462: .Em CSNETS
        !          3463: alias (the networks
        !          3464: .Li 128.138.243.0 ,
        !          3465: .Li 128.138.204.0 ,
        !          3466: and
        !          3467: .Li 128.138.242.0 ) .
        !          3468: Of those networks, only
        !          3469: .Li 128.138.204.0
        !          3470: has an explicit netmask (in CIDR notation) indicating it is a class C network.
        !          3471: For the other networks in
        !          3472: .Em CSNETS ,
        !          3473: the local machine's netmask will be used during matching.
        !          3474: .Bd -literal
        !          3475: lisa           CUNETS = ALL
        !          3476: .Ed
        !          3477: .Pp
        !          3478: The user
        !          3479: .Sy lisa
        !          3480: may run any command on any host in the
        !          3481: .Em CUNETS
        !          3482: alias (the class B network
        !          3483: .Li 128.138.0.0 ) .
        !          3484: .Bd -literal
        !          3485: operator       ALL = DUMPS, KILL, SHUTDOWN, HALT, REBOOT, PRINTING,\e
        !          3486:                sudoedit /etc/printcap, /usr/oper/bin/
        !          3487: .Ed
        !          3488: .Pp
        !          3489: The
        !          3490: .Sy operator
        !          3491: user may run commands limited to simple maintenance.
        !          3492: Here, those are commands related to backups, killing processes, the
        !          3493: printing system, shutting down the system, and any commands in the
        !          3494: directory
        !          3495: .Pa /usr/oper/bin/ .
        !          3496: .Bd -literal
        !          3497: joe            ALL = /usr/bin/su operator
        !          3498: .Ed
        !          3499: .Pp
        !          3500: The user
        !          3501: .Sy joe
        !          3502: may only
        !          3503: .Xr su 1
        !          3504: to operator.
        !          3505: .Bd -literal
        !          3506: pete           HPPA = /usr/bin/passwd [A-Za-z]*, !/usr/bin/passwd root
        !          3507: 
        !          3508: %opers         ALL = (: ADMINGRP) /usr/sbin/
        !          3509: .Ed
        !          3510: .Pp
        !          3511: Users in the
        !          3512: .Sy opers
        !          3513: group may run commands in
        !          3514: .Pa /usr/sbin/
        !          3515: as themselves
        !          3516: with any group in the
        !          3517: .Em ADMINGRP
        !          3518: .Li Runas_Alias
        !          3519: (the
        !          3520: .Sy adm
        !          3521: and
        !          3522: .Sy oper
        !          3523: groups).
        !          3524: .Pp
        !          3525: The user
        !          3526: .Sy pete
        !          3527: is allowed to change anyone's password except for
        !          3528: root on the
        !          3529: .Em HPPA
        !          3530: machines.
        !          3531: Note that this assumes
        !          3532: .Xr passwd 1
        !          3533: does not take multiple user names on the command line.
        !          3534: .Bd -literal
        !          3535: bob            SPARC = (OP) ALL : SGI = (OP) ALL
        !          3536: .Ed
        !          3537: .Pp
        !          3538: The user
        !          3539: .Sy bob
        !          3540: may run anything on the
        !          3541: .Em SPARC
        !          3542: and
        !          3543: .Em SGI
        !          3544: machines as any user listed in the
        !          3545: .Em OP
        !          3546: .Li Runas_Alias
        !          3547: .Po
        !          3548: .Sy root
        !          3549: and
        !          3550: .Sy operator .
        !          3551: .Pc
        !          3552: .Bd -literal
        !          3553: jim            +biglab = ALL
        !          3554: .Ed
        !          3555: .Pp
        !          3556: The user
        !          3557: .Sy jim
        !          3558: may run any command on machines in the
        !          3559: .Em biglab
        !          3560: netgroup.
        !          3561: .Nm sudo
        !          3562: knows that
        !          3563: .Dq biglab
        !          3564: is a netgroup due to the
        !          3565: .Ql +
        !          3566: prefix.
        !          3567: .Bd -literal
        !          3568: +secretaries   ALL = PRINTING, /usr/bin/adduser, /usr/bin/rmuser
        !          3569: .Ed
        !          3570: .Pp
        !          3571: Users in the
        !          3572: .Sy secretaries
        !          3573: netgroup need to help manage the printers as well as add and remove users,
        !          3574: so they are allowed to run those commands on all machines.
        !          3575: .Bd -literal
        !          3576: fred           ALL = (DB) NOPASSWD: ALL
        !          3577: .Ed
        !          3578: .Pp
        !          3579: The user
        !          3580: .Sy fred
        !          3581: can run commands as any user in the
        !          3582: .Em DB
        !          3583: .Li Runas_Alias
        !          3584: .Po
        !          3585: .Sy oracle
        !          3586: or
        !          3587: .Sy sybase
        !          3588: .Pc
        !          3589: without giving a password.
        !          3590: .Bd -literal
        !          3591: john           ALPHA = /usr/bin/su [!-]*, !/usr/bin/su *root*
        !          3592: .Ed
        !          3593: .Pp
        !          3594: On the
        !          3595: .Em ALPHA
        !          3596: machines, user
        !          3597: .Sy john
        !          3598: may su to anyone except root but he is not allowed to specify any options
        !          3599: to the
        !          3600: .Xr su 1
        !          3601: command.
        !          3602: .Bd -literal
        !          3603: jen            ALL, !SERVERS = ALL
        !          3604: .Ed
        !          3605: .Pp
        !          3606: The user
        !          3607: .Sy jen
        !          3608: may run any command on any machine except for those in the
        !          3609: .Em SERVERS
        !          3610: .Li Host_Alias
        !          3611: (master, mail, www and ns).
        !          3612: .Bd -literal
        !          3613: jill           SERVERS = /usr/bin/, !SU, !SHELLS
        !          3614: .Ed
        !          3615: .Pp
        !          3616: For any machine in the
        !          3617: .Em SERVERS
        !          3618: .Li Host_Alias ,
        !          3619: .Sy jill
        !          3620: may run
        !          3621: any commands in the directory
        !          3622: .Pa /usr/bin/
        !          3623: except for those commands
        !          3624: belonging to the
        !          3625: .Em SU
        !          3626: and
        !          3627: .Em SHELLS
        !          3628: .Li Cmnd_Aliases .
        !          3629: .Bd -literal
        !          3630: steve          CSNETS = (operator) /usr/local/op_commands/
        !          3631: .Ed
        !          3632: .Pp
        !          3633: The user
        !          3634: .Sy steve
        !          3635: may run any command in the directory
        !          3636: .Pa /usr/local/op_commands/
        !          3637: but only as user operator.
        !          3637: .Bd -literal
        !          3638: matt           valkyrie = KILL
        !          3639: .Ed
        !          3640: .Pp
        !          3641: On his personal workstation, valkyrie,
        !          3642: .Sy matt
        !          3643: needs to be able to kill hung processes.
        !          3644: .Bd -literal
        !          3645: WEBMASTERS     www = (www) ALL, (root) /usr/bin/su www
        !          3646: .Ed
        !          3647: .Pp
        !          3648: On the host www, any user in the
        !          3649: .Em WEBMASTERS
        !          3650: .Li User_Alias
        !          3651: (will, wendy, and wim), may run any command as user www (which owns the
        !          3652: web pages) or simply
        !          3653: .Xr su 1
        !          3654: to www.
        !          3655: .Bd -literal
        !          3656: ALL            CDROM = NOPASSWD: /sbin/umount /CDROM,\e
        !          3657:                /sbin/mount -o nosuid\e,nodev /dev/cd0a /CDROM
        !          3658: .Ed
        !          3659: .Pp
        !          3660: Any user may mount or unmount a CD-ROM on the machines in the CDROM
        !          3661: .Li Host_Alias
        !          3662: (orion, perseus, hercules) without entering a password.
        !          3663: This is a bit tedious for users to type, so it is a prime candidate
        !          3664: for encapsulating in a shell script.
        !          3665: .Sh SECURITY NOTES
        !          3666: .Ss Limitations of the So !\& Sc operator
        !          3667: It is generally not effective to
        !          3668: .Dq subtract
        !          3669: commands from
        !          3670: .Sy ALL
        !          3671: using the
        !          3672: .Ql !\&
        !          3673: operator.
        !          3674: A user can trivially circumvent this by copying the desired command
        !          3675: to a different name and then executing that.
        !          3676: For example:
        !          3677: .Bd -literal
        !          3678: bill   ALL = ALL, !SU, !SHELLS
        !          3679: .Ed
        !          3680: .Pp
        !          3681: Doesn't really prevent
        !          3682: .Sy bill
        !          3683: from running the commands listed in
        !          3684: .Em SU
        !          3685: or
        !          3686: .Em SHELLS
        !          3687: since he can simply copy those commands to a different name, or use
        !          3688: a shell escape from an editor or other program.
        !          3689: Therefore, this kind of restriction should be considered
        !          3690: advisory at best (and reinforced by policy).
        !          3691: .Pp
        !          3692: In general, if a user has sudo
        !          3693: .Sy ALL
        !          3694: there is nothing to prevent them from creating their own program that gives
        !          3695: them a root shell (or making their own copy of a shell) regardless of any
        !          3696: .Ql !\&
        !          3697: elements in the user specification.
        !          3698: .Ss Security implications of Em fast_glob
        !          3699: If the
        !          3700: .Em fast_glob
        !          3701: option is in use, it is not possible to reliably negate commands where the
        !          3702: path name includes globbing (aka wildcard) characters.
        !          3703: This is because the C library's
        !          3704: .Xr fnmatch 3
        !          3705: function cannot resolve relative paths.
        !          3706: While this is typically only an inconvenience for rules that grant privileges,
        !          3707: it can result in a security issue for rules that subtract or revoke privileges.
        !          3708: .Pp
        !          3709: For example, given the following
        !          3710: .Em sudoers
        !          3711: entry:
        !          3712: .Bd -literal
        !          3713: john   ALL = /usr/bin/passwd [a-zA-Z0-9]*, /usr/bin/chsh [a-zA-Z0-9]*,\e
        !          3714:               /usr/bin/chfn [a-zA-Z0-9]*, !/usr/bin/* root
        !          3715: .Ed
        !          3716: .Pp
        !          3717: User
        !          3718: .Sy john
        !          3719: can still run
        !          3720: .Li /usr/bin/passwd root
        !          3721: if
        !          3722: .Em fast_glob
        !          3723: is enabled by changing to
        !          3724: .Pa /usr/bin
        !          3725: and running
        !          3726: .Li ./passwd root
        !          3727: instead.
        !          3728: .Ss Preventing shell escapes
        !          3729: Once
        !          3730: .Nm sudo
        !          3731: executes a program, that program is free to do whatever
        !          3732: it pleases, including run other programs.
        !          3733: This can be a security issue since it is not uncommon for a program to
        !          3734: allow shell escapes, which lets a user bypass
        !          3735: .Nm sudo Ns No 's
        !          3736: access control and logging.
        !          3737: Common programs that permit shell escapes include shells (obviously),
        !          3738: editors, paginators, mail and terminal programs.
        !          3739: .Pp
        !          3740: There are two basic approaches to this problem:
        !          3741: .Bl -tag -width 8n
        !          3742: .It restrict
        !          3743: Avoid giving users access to commands that allow the user to run
        !          3744: arbitrary commands.
        !          3745: Many editors have a restricted mode where shell
        !          3746: escapes are disabled, though
        !          3747: .Nm sudoedit
        !          3748: is a better solution to
        !          3749: running editors via
        !          3750: .Nm sudo .
        !          3751: Due to the large number of programs that
        !          3752: offer shell escapes, restricting users to the set of programs that
        !          3753: do not is often unworkable.
        !          3754: .It noexec
        !          3755: Many systems that support shared libraries have the ability to
        !          3756: override default library functions by pointing an environment
        !          3757: variable (usually
        !          3758: .Ev LD_PRELOAD )
        !          3759: to an alternate shared library.
        !          3760: On such systems,
        !          3761: .Nm sudo Ns No 's
        !          3762: .Em noexec
        !          3763: functionality can be used to prevent a program run by
        !          3764: .Nm sudo
        !          3765: from executing any other programs.
        !          3766: Note, however, that this applies only to native dynamically-linked
        !          3767: executables.
        !          3768: Statically-linked executables and foreign executables
        !          3769: running under binary emulation are not affected.
        !          3770: .Pp
        !          3771: The
        !          3772: .Em noexec
        !          3773: feature is known to work on SunOS, Solaris, *BSD,
        !          3774: Linux, IRIX, Tru64 UNIX, MacOS X, HP-UX 11.x and AIX 5.3 and above.
        !          3775: It should be supported on most operating systems that support the
        !          3776: .Ev LD_PRELOAD
        !          3777: environment variable.
        !          3778: Check your operating system's manual pages for the dynamic linker
        !          3779: (usually ld.so, ld.so.1, dyld, dld.sl, rld, or loader) to see if
        !          3780: .Ev LD_PRELOAD
        !          3781: is supported.
        !          3782: .Pp
        !          3783: On Solaris 10 and higher,
        !          3784: .Em noexec
        !          3785: uses Solaris privileges instead of the
        !          3786: .Ev LD_PRELOAD
        !          3787: environment variable.
        !          3788: .Pp
        !          3789: To enable
        !          3790: .Em noexec
        !          3791: for a command, use the
        !          3792: .Li NOEXEC
        !          3793: tag as documented
        !          3794: in the User Specification section above.
        !          3795: Here is that example again:
        !          3796: .Bd -literal
        !          3797: aaron  shanty = NOEXEC: /usr/bin/more, /usr/bin/vi
        !          3798: .Ed
        !          3799: .Pp
        !          3800: This allows user
        !          3801: .Sy aaron
        !          3802: to run
        !          3803: .Pa /usr/bin/more
        !          3804: and
        !          3805: .Pa /usr/bin/vi
        !          3806: with
        !          3807: .Em noexec
        !          3808: enabled.
        !          3809: This will prevent those two commands from
        !          3810: executing other commands (such as a shell).
        !          3811: If you are unsure whether or not your system is capable of supporting
        !          3812: .Em noexec
        !          3813: you can always just try it out and check whether shell escapes work when
        !          3814: .Em noexec
        !          3815: is enabled.
        !          3816: .El
        !          3817: .Pp
        !          3818: Note that restricting shell escapes is not a panacea.
        !          3819: Programs running as root are still capable of many potentially hazardous
        !          3820: operations (such as changing or overwriting files) that could lead
        !          3821: to unintended privilege escalation.
        !          3822: In the specific case of an editor, a safer approach is to give the
        !          3823: user permission to run
        !          3824: .Nm sudoedit .
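        !          3825: .Pp
The following audit script is an added example; it is not part of
.Nm sudo
or of this manual, and its names
.Po
.Li audit ,
.Li SHELL_ESCAPE_CMDS
.Pc
are chosen for the example.
It parses a constructed
.Em sudoers
sample (the entries for
.Sy bill ,
.Sy john
and
.Sy aaron
discussed in this section, plus one more) and reports the three patterns
described above: commands subtracted from
.Sy ALL
with the
.Ql !\&
operator, negated wildcard paths while
.Em fast_glob
is set, and shell-escape-prone commands granted without the
.Li NOEXEC
tag.

```python
"""Audit a sudoers file for the rule patterns discussed in SECURITY NOTES.

Added example, not part of sudo or its documentation.  It understands only
the subset of the sudoers grammar needed here (comments, backslash line
continuation, Defaults lines, alias definitions, user specifications) and
does not expand aliases, so a shell hidden behind a Cmnd_Alias or a
Defaults line bound to an alias (Defaults!PAGERS noexec) is not resolved.
"""
import os
import re

# Commands the page names as offering shell escapes (shells, editors,
# paginators, su).  Constructed list; extend it for your site.
SHELL_ESCAPE_CMDS = {"sh", "csh", "ksh", "tcsh", "zsh", "bash",
                     "vi", "vim", "more", "less", "pg", "su"}
ALIAS_KEYWORDS = ("User_Alias", "Runas_Alias", "Host_Alias", "Cmnd_Alias")
TAG_RE = re.compile(r"^(NOPASSWD|PASSWD|NOEXEC|EXEC|SETENV|NOSETENV|"
                    r"LOG_INPUT|NOLOG_INPUT|LOG_OUTPUT|NOLOG_OUTPUT):\s*")
RUNAS_RE = re.compile(r"^\([^)]*\)\s*")          # "(OP)" or "(: ADMINGRP)"
SPEC_RE = re.compile(r"^([^=]+?)\s*=\s*(.*)$")    # "Host_List = Cmnd_Spec_List"


def logical_lines(text):
    """Join backslash-continued lines; drop blank lines and '#' comments
    (#include directives start with '#' and are therefore not followed)."""
    lines, buf = [], ""
    for raw in text.splitlines():
        line = raw.rstrip()
        if line.endswith("\\"):
            buf += line[:-1]
            continue
        buf += line
        stripped, buf = buf.strip(), ""
        if stripped and not stripped.startswith("#"):
            lines.append(stripped)
    return lines


def split_cmnds(cmnd_list):
    """Split a command list on commas that are not backslash-escaped."""
    return [c.strip() for c in re.split(r"(?<!\\),", cmnd_list) if c.strip()]


def parse_cmnds(cmnd_list):
    """Yield (negated, path, tags) per command.  A tag stays in effect for
    the commands that follow it, as in sudoers; EXEC cancels NOEXEC, etc."""
    tags = set()
    for item in split_cmnds(cmnd_list):
        item = RUNAS_RE.sub("", item)
        m = TAG_RE.match(item)
        while m:
            tag = m.group(1)
            tags.discard(tag[2:] if tag.startswith("NO") else "NO" + tag)
            tags.add(tag)
            item = item[m.end():]
            m = TAG_RE.match(item)
        negated = item.startswith("!")
        words = item.lstrip("!").split()
        if words:
            yield negated, words[0], set(tags)


def audit(text):
    """Return sorted (user, finding) pairs for the given sudoers text."""
    findings, global_defaults, specs = set(), set(), []
    for line in logical_lines(text):
        parts = line.split(None, 1)
        first, rest = parts[0], parts[1] if len(parts) > 1 else ""
        if first == "Defaults":            # unconditional Defaults only
            global_defaults.update(o.strip() for o in rest.split(","))
            continue
        if first.startswith("Defaults") or first in ALIAS_KEYWORDS:
            continue
        # A user spec may carry several "Host_List = Cmnd_Spec_List" parts
        # separated by " : ".
        for section in re.split(r"\s+:\s+", rest):
            m = SPEC_RE.match(section.strip())
            if m:
                specs.append((first, list(parse_cmnds(m.group(2)))))
    fast_glob = "fast_glob" in global_defaults
    noexec_everywhere = "noexec" in global_defaults
    for user, cmnds in specs:
        grants_all = any(not neg and path == "ALL" for neg, path, _ in cmnds)
        for negated, path, tags in cmnds:
            if negated and grants_all:
                findings.add((user, "negation subtracted from ALL is advisory only"))
            if negated and fast_glob and set(path) & set("*?[]"):
                findings.add((user, "negated wildcard path unreliable with fast_glob"))
            if (not negated and os.path.basename(path) in SHELL_ESCAPE_CMDS
                    and "NOEXEC" not in tags and not noexec_everywhere):
                findings.add((user, f"{path} allows shell escapes without NOEXEC"))
    return sorted(findings)


# Constructed sample built from the entries this section discusses.
SAMPLE = """\
Defaults        fast_glob
Cmnd_Alias      SHELLS = /usr/bin/sh, /usr/bin/csh, /usr/bin/ksh
bill   ALL = ALL, !/usr/bin/su, !SHELLS
john   ALL = /usr/bin/passwd [a-zA-Z0-9]*, /usr/bin/chsh [a-zA-Z0-9]*,\\
              /usr/bin/chfn [a-zA-Z0-9]*, !/usr/bin/* root
aaron  shanty = NOEXEC: /usr/bin/more, /usr/bin/vi
carol  ALL = NOPASSWD: /usr/bin/less, EXEC: /usr/bin/vi
"""

if __name__ == "__main__":
    for user, finding in audit(SAMPLE):
        print(f"{user}: {finding}")
```

On the sample, the script reports
.Sy bill
(negations subtracted from
.Sy ALL ) ,
.Sy john
(a negated wildcard path with
.Em fast_glob
on) and
.Sy carol
(a paginator and an editor without
.Li NOEXEC ) ,
while
.Sy aaron
is clean.
To examine a live file, pass the contents of
.Pa @sysconfdir@/sudoers
to
.Li audit ;
because aliases are not expanded, treat the output as a starting point for
review, and continue to use
.Nm visudo
for syntax checking.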
        !          3825: .Ss Time stamp file checks
        !          3826: .Em sudoers
        !          3827: will check the ownership of its time stamp directory
        !          3828: .Po
        !          3829: .Pa @timedir@
        !          3830: by default
        !          3831: .Pc
        !          3832: and ignore the directory's contents if it is not owned by root or
        !          3833: if it is writable by a user other than root.
        !          3834: On systems that allow non-root users to give away files via
        !          3835: .Xr chown 2 ,
        !          3836: if the time stamp directory is located in a world-writable
        !          3837: directory (e.g.\&,
        !          3838: .Pa /tmp ) ,
        !          3839: it is possible for a user to create the time stamp directory before
        !          3840: .Nm sudo
        !          3841: is run.
        !          3842: However, because
        !          3843: .Em sudoers
        !          3844: checks the ownership and mode of the directory and its
        !          3845: contents, the only damage that can be done is to
        !          3846: .Dq hide
        !          3847: files by putting them in the time stamp dir.
        !          3848: This is unlikely to happen since once the time stamp dir is owned by root
        !          3849: and inaccessible by any other user, the user placing files there would be
        !          3850: unable to get them back out.
        !          3851: .Pp
        !          3852: .Em sudoers
        !          3853: will not honor time stamps set far in the future.
        !          3854: Time stamps with a date greater than current_time + 2 *
        !          3855: .Li TIMEOUT
        !          3856: will be ignored and sudo will log and complain.
        !          3857: This is done to keep a user from creating his/her own time stamp with a
        !          3858: bogus date on systems that allow users to give away files if the time
        !          3859: stamp directory is located in a world-writable directory.
        !          3860: .Pp
        !          3861: On systems where the boot time is available,
        !          3862: .Em sudoers
        !          3863: will ignore time stamps that date from before the machine booted.
        !          3864: .Pp
        !          3865: Since time stamp files live in the file system, they can outlive a
        !          3866: user's login session.
        !          3867: As a result, a user may be able to log in, run a command with
        !          3868: .Nm sudo
        !          3869: after authenticating, log out, log in again, and run
        !          3870: .Nm sudo
        !          3871: without authenticating so long as the time stamp file's modification
        !          3872: time is within
        !          3873: .Li @timeout@
        !          3874: minutes (or whatever the timeout is set to in
        !          3875: .Em sudoers ) .
        !          3876: When the
        !          3877: .Em tty_tickets
        !          3878: option is enabled, the time stamp has per-tty granularity but still
        !          3879: may outlive the user's session.
        !          3880: On Linux systems where the devpts filesystem is used, Solaris systems
        !          3881: with the devices filesystem, as well as other systems that utilize a
        !          3882: devfs filesystem that monotonically increases the inode number of devices
        !          3883: as they are created (such as Mac OS X),
        !          3884: .Em sudoers
        !          3885: is able to determine when a tty-based time stamp file is stale and will
        !          3886: ignore it.
        !          3887: Administrators should not rely on this feature as it is not universally
        !          3888: available.
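        !          3888: .Pp
The checks above can be exercised as a small model.
The following is an added example, not
.Nm sudo Ns No 's
own implementation, and the names
.Li TimeStamp ,
.Li timestamp_is_valid
and
.Li timestamp_from_fs
are chosen for it.
It applies the directory ownership and mode check, the future-date bound of
current_time + 2 *
.Li TIMEOUT ,
the boot time check and the timeout itself to constructed values, in that
order, and returns the reason a stamp is rejected.

```python
"""Model of the time stamp checks described under "Time stamp file checks".

Added example, not sudo's own code: it reproduces the stated rules on plain
values so their order and interaction can be exercised without a sudo
installation.  TimeStamp, timestamp_is_valid and timestamp_from_fs are
names chosen for this example.
"""
import os
import stat
import time
from dataclasses import dataclass
from typing import Optional

ROOT_UID = 0


@dataclass
class TimeStamp:
    dir_uid: int                       # owner of the time stamp directory
    dir_mode: int                      # its permission bits, e.g. 0o700
    mtime: float                       # mtime of the user's time stamp file
    now: float                         # current time, seconds since the epoch
    boot_time: Optional[float] = None  # None when the boot time is unavailable


def timestamp_is_valid(ts, timeout_minutes):
    """Return (valid, reason).  The stamp is honoured only if every check
    the page describes passes, in the order listed."""
    # 1. The directory must be owned by root and writable by nobody else;
    #    otherwise everything in it is ignored.
    if ts.dir_uid != ROOT_UID:
        return False, "time stamp directory not owned by root"
    if ts.dir_mode & (stat.S_IWGRP | stat.S_IWOTH):
        return False, "time stamp directory writable by non-root"
    timeout = timeout_minutes * 60
    # 2. A stamp dated later than now + 2 * TIMEOUT is treated as bogus.
    if ts.mtime > ts.now + 2 * timeout:
        return False, "time stamp too far in the future"
    # 3. A stamp written before the machine booted is stale.
    if ts.boot_time is not None and ts.mtime < ts.boot_time:
        return False, "time stamp predates boot"
    # 4. Otherwise the stamp is good for TIMEOUT minutes after its mtime,
    #    whether or not the login session that created it still exists.
    if ts.now - ts.mtime > timeout:
        return False, "time stamp expired"
    return True, "ok"


def timestamp_from_fs(dir_path, file_path, boot_time=None):
    """Build a TimeStamp from a real directory and stamp file, for checking
    a live time stamp directory (the @timedir@ path listed under FILES)."""
    d, f = os.stat(dir_path), os.stat(file_path)
    return TimeStamp(d.st_uid, stat.S_IMODE(d.st_mode), f.st_mtime,
                     time.time(), boot_time)


if __name__ == "__main__":
    # Constructed values; 5 minutes is the timeout assumed for the example.
    now = time.time()
    for label, ts in [
        ("fresh", TimeStamp(0, 0o700, now - 60, now, boot_time=now - 3600)),
        ("world-writable dir", TimeStamp(0, 0o777, now - 60, now)),
        ("future-dated", TimeStamp(0, 0o700, now + 3600, now)),
        ("pre-boot", TimeStamp(0, 0o700, now - 60, now, boot_time=now - 30)),
        ("expired", TimeStamp(0, 0o700, now - 900, now)),
    ]:
        print(f"{label}: {timestamp_is_valid(ts, 5)}")
```

The ordering matters: a world-writable directory rejects every stamp in it
before any date is examined, and a stamp that is too far in the future is
refused even when the boot time is unknown.
.Li timestamp_from_fs
builds the same record from a real directory so an administrator can check
what state a live
.Pa @timedir@
is in; the boot time must still be supplied, since obtaining it is system
specific.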
        !          3889: .Sh SEE ALSO
        !          3890: .Xr ssh 1 ,
        !          3891: .Xr su 1 ,
        !          3892: .Xr fnmatch 3 ,
        !          3893: .Xr glob 3 ,
        !          3894: .Xr mktemp 3 ,
        !          3895: .Xr strftime 3 ,
        !          3896: .Xr sudoers.ldap @mansectform@ ,
        !          3897: .Xr sudo_plugin @mansectsu@ ,
        !          3898: .Xr sudo @mansectsu@ ,
        !          3899: .Xr visudo @mansectsu@
        !          3900: .Sh CAVEATS
        !          3901: The
        !          3902: .Em sudoers
        !          3903: file should
        !          3904: .Sy always
        !          3905: be edited by the
        !          3906: .Nm visudo
        !          3907: command which locks the file and does grammatical checking.
        !          3908: It is
        !          3909: imperative that
        !          3910: .Em sudoers
        !          3911: be free of syntax errors since
        !          3912: .Nm sudo
        !          3913: will not run with a syntactically incorrect
        !          3914: .Em sudoers
        !          3915: file.
        !          3916: .Pp
        !          3917: When using netgroups of machines (as opposed to users), if you
        !          3918: store fully qualified host names in the netgroup (as is usually the
        !          3919: case), you either need to have the machine's host name be fully qualified
        !          3920: as returned by the
        !          3921: .Li hostname
        !          3922: command or use the
        !          3923: .Em fqdn
        !          3924: option in
        !          3925: .Em sudoers .
        !          3926: .Sh BUGS
        !          3927: If you feel you have found a bug in
        !          3928: .Nm sudo ,
        !          3929: please submit a bug report at http://www.sudo.ws/sudo/bugs/
        !          3930: .Sh SUPPORT
        !          3931: Limited free support is available via the sudo-users mailing list,
        !          3932: see http://www.sudo.ws/mailman/listinfo/sudo-users to subscribe or
        !          3933: search the archives.
        !          3934: .Sh DISCLAIMER
        !          3935: .Nm sudo
        !          3936: is provided
        !          3937: .Dq AS IS
        !          3938: and any express or implied warranties, including, but not limited
        !          3939: to, the implied warranties of merchantability and fitness for a
        !          3940: particular purpose are disclaimed.
        !          3941: See the LICENSE file distributed with
        !          3942: .Nm sudo
        !          3943: or http://www.sudo.ws/sudo/license.html for complete details.
