Annotation of embedaddon/sudo/doc/sudoers.mdoc.in, revision 1.1.1.2
1.1 misho 1: .\"
1.1.1.2 ! misho 2: .\" Copyright (c) 1994-1996, 1998-2005, 2007-2013
! 3: .\" Todd C. Miller <Todd.Miller@courtesan.com>
1.1 misho 4: .\"
5: .\" Permission to use, copy, modify, and distribute this software for any
6: .\" purpose with or without fee is hereby granted, provided that the above
7: .\" copyright notice and this permission notice appear in all copies.
8: .\"
9: .\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
10: .\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
11: .\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
12: .\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
13: .\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
14: .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
15: .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
16: .\" ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
17: .\"
18: .\" Sponsored in part by the Defense Advanced Research Projects
19: .\" Agency (DARPA) and Air Force Research Laboratory, Air Force
20: .\" Materiel Command, USAF, under agreement number F39502-99-1-0512.
21: .\"
1.1.1.2 ! misho 22: .Dd April 30, 2013
1.1 misho 23: .Dt SUDOERS @mansectform@
24: .Os Sudo @PACKAGE_VERSION@
25: .Sh NAME
26: .Nm sudoers
1.1.1.2 ! misho 27: .Nd default sudo security policy plugin
1.1 misho 28: .Sh DESCRIPTION
29: The
30: .Em sudoers
1.1.1.2 ! misho 31: policy plugin determines a user's
1.1 misho 32: .Nm sudo
33: privileges.
34: It is the default
35: .Nm sudo
36: policy plugin.
37: The policy is driven by
38: the
39: .Pa @sysconfdir@/sudoers
40: file or, optionally in LDAP.
41: The policy format is described in detail in the
42: .Sx SUDOERS FILE FORMAT
43: section.
44: For information on storing
45: .Em sudoers
46: policy information
47: in LDAP, please see
48: .Xr sudoers.ldap @mansectform@ .
1.1.1.2 ! misho 49: .Ss Configuring sudo.conf for sudoers
! 50: .Nm sudo
! 51: consults the
! 52: .Xr sudo.conf @mansectform@
! 53: file to determine which policy and and I/O logging plugins to load.
! 54: If no
! 55: .Xr sudo.conf @mansectform@
! 56: file is present, or if it contains no
! 57: .Li Plugin
! 58: lines,
! 59: .Nm sudoers
! 60: will be used for policy decisions and I/O logging.
! 61: To explicitly configure
! 62: .Xr sudo.conf @mansectform@
! 63: to use the
! 64: .Nm sudoers
! 65: plugin, the following configuration can be used.
! 66: .Bd -literal -offset indent
! 67: Plugin sudoers_policy sudoers.so
! 68: Plugin sudoers_io sudoers.so
! 69: .Ed
! 70: .Pp
! 71: Starting with
! 72: .Nm sudo
! 73: 1.8.5, it is possible to specify optional arguments to the
! 74: .Nm sudoers
! 75: plugin in the
! 76: .Xr sudo.conf @mansectform@
! 77: file.
! 78: These arguments, if present, should be listed after the path to the plugin
! 79: (i.e.\& after
! 80: .Pa sudoers.so ) .
! 81: Multiple arguments may be specified, separated by white space.
! 82: For example:
! 83: .Bd -literal -offset indent
! 84: Plugin sudoers_policy sudoers.so sudoers_mode=0400
! 85: .Ed
! 86: .Pp
! 87: The following plugin arguments are supported:
! 88: .Bl -tag -width 8n
! 89: .It ldap_conf=pathname
! 90: The
! 91: .Em ldap_conf
! 92: argument can be used to override the default path to the
! 93: .Pa ldap.conf
! 94: file.
! 95: .It ldap_secret=pathname
! 96: The
! 97: .Em ldap_secret
! 98: argument can be used to override the default path to the
! 99: .Pa ldap.secret
! 100: file.
! 101: .It sudoers_file=pathname
! 102: The
! 103: .Em sudoers_file
! 104: argument can be used to override the default path to the
! 105: .Em sudoers
! 106: file.
! 107: .It sudoers_uid=uid
! 108: The
! 109: .Em sudoers_uid
! 110: argument can be used to override the default owner of the sudoers file.
! 111: It should be specified as a numeric user ID.
! 112: .It sudoers_gid=gid
! 113: The
! 114: .Em sudoers_gid
! 115: argument can be used to override the default group of the sudoers file.
! 116: It must be specified as a numeric group ID (not a group name).
! 117: .It sudoers_mode=mode
! 118: The
! 119: .Em sudoers_mode
! 120: argument can be used to override the default file mode for the sudoers file.
! 121: It should be specified as an octal value.
! 122: .El
! 123: .Pp
! 124: For more information on configuring
! 125: .Xr sudo.conf @mansectform@ ,
! 126: please refer to its manual.
1.1 misho 127: .Ss Authentication and logging
128: The
129: .Em sudoers
130: security policy requires that most users authenticate
131: themselves before they can use
132: .Nm sudo .
133: A password is not required
134: if the invoking user is root, if the target user is the same as the
135: invoking user, or if the policy has disabled authentication for the
136: user or command.
137: Unlike
138: .Xr su 1 ,
139: when
140: .Em sudoers
141: requires
142: authentication, it validates the invoking user's credentials, not
143: the target user's (or root's) credentials.
144: This can be changed via
145: the
146: .Em rootpw ,
147: .Em targetpw
148: and
149: .Em runaspw
150: flags, described later.
151: .Pp
152: If a user who is not listed in the policy tries to run a command
153: via
154: .Nm sudo ,
155: mail is sent to the proper authorities.
156: The address
157: used for such mail is configurable via the
158: .Em mailto
159: Defaults entry
160: (described later) and defaults to
161: .Li @mailto@ .
162: .Pp
163: Note that mail will not be sent if an unauthorized user tries to
164: run
165: .Nm sudo
166: with the
167: .Fl l
168: or
169: .Fl v
170: option.
171: This allows users to
172: determine for themselves whether or not they are allowed to use
173: .Nm sudo .
174: .Pp
175: If
176: .Nm sudo
177: is run by root and the
178: .Ev SUDO_USER
179: environment variable
180: is set, the
181: .Em sudoers
182: policy will use this value to determine who
183: the actual user is.
184: This can be used by a user to log commands
185: through sudo even when a root shell has been invoked.
186: It also
187: allows the
188: .Fl e
189: option to remain useful even when invoked via a
190: sudo-run script or program.
191: Note, however, that the
192: .Em sudoers
193: lookup is still done for root, not the user specified by
194: .Ev SUDO_USER .
195: .Pp
196: .Em sudoers
197: uses time stamp files for credential caching.
198: Once a
199: user has been authenticated, the time stamp is updated and the user
200: may then use sudo without a password for a short period of time
201: .Po
202: .Li @timeout@
203: minutes unless overridden by the
204: .Em timeout
205: option
206: .Pc .
207: By default,
208: .Em sudoers
209: uses a tty-based time stamp which means that
210: there is a separate time stamp for each of a user's login sessions.
211: The
212: .Em tty_tickets
213: option can be disabled to force the use of a
214: single time stamp for all of a user's sessions.
215: .Pp
216: .Em sudoers
217: can log both successful and unsuccessful attempts (as well
218: as errors) to
219: .Xr syslog 3 ,
220: a log file, or both.
221: By default,
222: .Em sudoers
223: will log via
224: .Xr syslog 3
225: but this is changeable via the
226: .Em syslog
227: and
228: .Em logfile
229: Defaults settings.
230: .Pp
231: .Em sudoers
232: also supports logging a command's input and output
233: streams.
234: I/O logging is not on by default but can be enabled using
235: the
236: .Em log_input
237: and
238: .Em log_output
239: Defaults flags as well as the
240: .Li LOG_INPUT
241: and
242: .Li LOG_OUTPUT
243: command tags.
244: .Ss Command environment
245: Since environment variables can influence program behavior,
246: .Em sudoers
247: provides a means to restrict which variables from the user's
248: environment are inherited by the command to be run.
249: There are two
250: distinct ways
251: .Em sudoers
252: can deal with environment variables.
253: .Pp
254: By default, the
255: .Em env_reset
256: option is enabled.
257: This causes commands
258: to be executed with a new, minimal environment.
259: On AIX (and Linux
260: systems without PAM), the environment is initialized with the
261: contents of the
262: .Pa /etc/environment
263: file.
264: On BSD systems, if the
265: .Em use_loginclass
266: option is enabled, the environment is initialized
267: based on the
268: .Em path
269: and
270: .Em setenv
271: settings in
272: .Pa /etc/login.conf .
273: The new environment contains the
274: .Ev TERM ,
275: .Ev PATH ,
276: .Ev HOME ,
277: .Ev MAIL ,
278: .Ev SHELL ,
279: .Ev LOGNAME ,
280: .Ev USER ,
281: .Ev USERNAME
282: and
283: .Ev SUDO_*
284: variables
285: in addition to variables from the invoking process permitted by the
286: .Em env_check
287: and
288: .Em env_keep
289: options.
290: This is effectively a whitelist
291: for environment variables.
292: .Pp
293: If, however, the
294: .Em env_reset
295: option is disabled, any variables not
296: explicitly denied by the
297: .Em env_check
298: and
299: .Em env_delete
300: options are
301: inherited from the invoking process.
302: In this case,
303: .Em env_check
304: and
305: .Em env_delete
306: behave like a blacklist.
307: Since it is not possible
308: to blacklist all potentially dangerous environment variables, use
309: of the default
310: .Em env_reset
311: behavior is encouraged.
312: .Pp
313: In all cases, environment variables with a value beginning with
314: .Li ()
315: are removed as they could be interpreted as
316: .Sy bash
317: functions.
318: The list of environment variables that
319: .Nm sudo
320: allows or denies is
321: contained in the output of
322: .Dq Li sudo -V
323: when run as root.
324: .Pp
325: Note that the dynamic linker on most operating systems will remove
326: variables that can control dynamic linking from the environment of
327: setuid executables, including
328: .Nm sudo .
329: Depending on the operating
330: system this may include
331: .Ev _RLD* ,
332: .Ev DYLD_* ,
333: .Ev LD_* ,
334: .Ev LDR_* ,
335: .Ev LIBPATH ,
336: .Ev SHLIB_PATH ,
337: and others.
338: These type of variables are
339: removed from the environment before
340: .Nm sudo
341: even begins execution
342: and, as such, it is not possible for
343: .Nm sudo
344: to preserve them.
345: .Pp
346: As a special case, if
347: .Nm sudo Ns No 's
348: .Fl i
349: option (initial login) is
350: specified,
351: .Em sudoers
352: will initialize the environment regardless
353: of the value of
354: .Em env_reset .
355: The
356: .Ev DISPLAY ,
357: .Ev PATH
358: and
359: .Ev TERM
360: variables remain unchanged;
361: .Ev HOME ,
362: .Ev MAIL ,
363: .Ev SHELL ,
364: .Ev USER ,
365: and
366: .Ev LOGNAME
367: are set based on the target user.
368: On AIX (and Linux
369: systems without PAM), the contents of
370: .Pa /etc/environment
371: are also
372: included.
373: On BSD systems, if the
374: .Em use_loginclass
375: option is
376: enabled, the
377: .Em path
378: and
379: .Em setenv
380: variables in
381: .Pa /etc/login.conf
382: are also applied.
383: All other environment variables are removed.
384: .Pp
385: Finally, if the
386: .Em env_file
387: option is defined, any variables present
388: in that file will be set to their specified values as long as they
389: would not conflict with an existing environment variable.
390: .Sh SUDOERS FILE FORMAT
391: The
392: .Em sudoers
393: file is composed of two types of entries: aliases
394: (basically variables) and user specifications (which specify who
395: may run what).
396: .Pp
397: When multiple entries match for a user, they are applied in order.
398: Where there are multiple matches, the last match is used (which is
399: not necessarily the most specific match).
400: .Pp
401: The
402: .Em sudoers
403: grammar will be described below in Extended Backus-Naur
404: Form (EBNF).
405: Don't despair if you are unfamiliar with EBNF; it is fairly simple,
406: and the definitions below are annotated.
407: .Ss Quick guide to EBNF
408: EBNF is a concise and exact way of describing the grammar of a language.
409: Each EBNF definition is made up of
410: .Em production rules .
411: E.g.,
412: .Pp
413: .Li symbol ::= definition | alternate1 | alternate2 ...
414: .Pp
415: Each
416: .Em production rule
417: references others and thus makes up a
418: grammar for the language.
419: EBNF also contains the following
420: operators, which many readers will recognize from regular
421: expressions.
422: Do not, however, confuse them with
423: .Dq wildcard
424: characters, which have different meanings.
425: .Bl -tag -width 4n
426: .It Li \&?
427: Means that the preceding symbol (or group of symbols) is optional.
428: That is, it may appear once or not at all.
429: .It Li *
430: Means that the preceding symbol (or group of symbols) may appear
431: zero or more times.
432: .It Li +
433: Means that the preceding symbol (or group of symbols) may appear
434: one or more times.
435: .El
436: .Pp
437: Parentheses may be used to group symbols together.
438: For clarity,
439: we will use single quotes
440: .Pq ''
441: to designate what is a verbatim character string (as opposed to a symbol name).
442: .Ss Aliases
443: There are four kinds of aliases:
444: .Li User_Alias ,
445: .Li Runas_Alias ,
446: .Li Host_Alias
447: and
448: .Li Cmnd_Alias .
449: .Bd -literal
450: Alias ::= 'User_Alias' User_Alias (':' User_Alias)* |
451: 'Runas_Alias' Runas_Alias (':' Runas_Alias)* |
452: 'Host_Alias' Host_Alias (':' Host_Alias)* |
453: 'Cmnd_Alias' Cmnd_Alias (':' Cmnd_Alias)*
454:
455: User_Alias ::= NAME '=' User_List
456:
457: Runas_Alias ::= NAME '=' Runas_List
458:
459: Host_Alias ::= NAME '=' Host_List
460:
461: Cmnd_Alias ::= NAME '=' Cmnd_List
462:
463: NAME ::= [A-Z]([A-Z][0-9]_)*
464: .Ed
465: .Pp
466: Each
467: .Em alias
468: definition is of the form
469: .Bd -literal
470: Alias_Type NAME = item1, item2, ...
471: .Ed
472: .Pp
473: where
474: .Em Alias_Type
475: is one of
476: .Li User_Alias ,
477: .Li Runas_Alias ,
478: .Li Host_Alias ,
479: or
480: .Li Cmnd_Alias .
481: A
482: .Li NAME
483: is a string of uppercase letters, numbers,
484: and underscore characters
485: .Pq Ql _ .
486: A
487: .Li NAME
488: .Sy must
489: start with an
490: uppercase letter.
491: It is possible to put several alias definitions
492: of the same type on a single line, joined by a colon
493: .Pq Ql :\& .
494: E.g.,
495: .Bd -literal
496: Alias_Type NAME = item1, item2, item3 : NAME = item4, item5
497: .Ed
498: .Pp
499: The definitions of what constitutes a valid
500: .Em alias
501: member follow.
502: .Bd -literal
503: User_List ::= User |
504: User ',' User_List
505:
506: User ::= '!'* user name |
507: '!'* #uid |
508: '!'* %group |
509: '!'* %#gid |
510: '!'* +netgroup |
511: '!'* %:nonunix_group |
512: '!'* %:#nonunix_gid |
513: '!'* User_Alias
514: .Ed
515: .Pp
516: A
517: .Li User_List
1.1.1.2 ! misho 518: is made up of one or more user names, user IDs
1.1 misho 519: (prefixed with
520: .Ql # ) ,
1.1.1.2 ! misho 521: system group names and IDs (prefixed with
1.1 misho 522: .Ql %
523: and
524: .Ql %#
525: respectively), netgroups (prefixed with
526: .Ql + ) ,
527: non-Unix group names and IDs (prefixed with
528: .Ql %:
529: and
530: .Ql %:#
531: respectively) and
532: .Li User_Alias Ns No es.
533: Each list item may be prefixed with zero or more
534: .Ql \&!
535: operators.
536: An odd number of
537: .Ql \&!
538: operators negate the value of
539: the item; an even number just cancel each other out.
540: .Pp
541: A
542: .Li user name ,
543: .Li uid ,
544: .Li group ,
545: .Li gid ,
546: .Li netgroup ,
547: .Li nonunix_group
548: or
549: .Li nonunix_gid
550: may be enclosed in double quotes to avoid the
551: need for escaping special characters.
552: Alternately, special characters
553: may be specified in escaped hex mode, e.g.\& \ex20 for space.
554: When
555: using double quotes, any prefix characters must be included inside
556: the quotes.
557: .Pp
558: The actual
559: .Li nonunix_group
560: and
561: .Li nonunix_gid
562: syntax depends on
1.1.1.2 ! misho 563: the underlying group provider plugin.
1.1 misho 564: For instance, the QAS AD plugin supports the following formats:
565: .Bl -bullet -width 4n
566: .It
567: Group in the same domain: "%:Group Name"
568: .It
569: Group in any domain: "%:Group Name@FULLY.QUALIFIED.DOMAIN"
570: .It
571: Group SID: "%:S-1-2-34-5678901234-5678901234-5678901234-567"
572: .El
573: .Pp
1.1.1.2 ! misho 574: See
! 575: .Sx "GROUP PROVIDER PLUGINS"
! 576: for more information.
! 577: .Pp
1.1 misho 578: Note that quotes around group names are optional.
579: Unquoted strings must use a backslash
580: .Pq Ql \e
581: to escape spaces and special characters.
582: See
583: .Sx Other special characters and reserved words
584: for a list of
585: characters that need to be escaped.
586: .Bd -literal
587: Runas_List ::= Runas_Member |
588: Runas_Member ',' Runas_List
589:
590: Runas_Member ::= '!'* user name |
591: '!'* #uid |
592: '!'* %group |
593: '!'* %#gid |
594: '!'* %:nonunix_group |
595: '!'* %:#nonunix_gid |
596: '!'* +netgroup |
597: '!'* Runas_Alias
598: .Ed
599: .Pp
600: A
601: .Li Runas_List
602: is similar to a
603: .Li User_List
604: except that instead
605: of
606: .Li User_Alias Ns No es
607: it can contain
608: .Li Runas_Alias Ns No es .
609: Note that
610: user names and groups are matched as strings.
611: In other words, two
612: users (groups) with the same uid (gid) are considered to be distinct.
613: If you wish to match all user names with the same uid (e.g.\&
614: root and toor), you can use a uid instead (#0 in the example given).
615: .Bd -literal
616: Host_List ::= Host |
617: Host ',' Host_List
618:
619: Host ::= '!'* host name |
620: '!'* ip_addr |
621: '!'* network(/netmask)? |
622: '!'* +netgroup |
623: '!'* Host_Alias
624: .Ed
625: .Pp
626: A
627: .Li Host_List
628: is made up of one or more host names, IP addresses,
629: network numbers, netgroups (prefixed with
630: .Ql + )
631: and other aliases.
632: Again, the value of an item may be negated with the
633: .Ql \&!
634: operator.
635: If you do not specify a netmask along with the network number,
636: .Nm sudo
637: will query each of the local host's network interfaces and,
638: if the network number corresponds to one of the hosts's network
639: interfaces, the corresponding netmask will be used.
640: The netmask
641: may be specified either in standard IP address notation
642: (e.g.\& 255.255.255.0 or ffff:ffff:ffff:ffff::),
643: or CIDR notation (number of bits, e.g.\& 24 or 64).
644: A host name may include shell-style wildcards (see the
645: .Sx Wildcards
646: section below),
647: but unless the
648: .Li host name
649: command on your machine returns the fully
650: qualified host name, you'll need to use the
651: .Em fqdn
652: option for wildcards to be useful.
653: Note that
654: .Nm sudo
655: only inspects actual network interfaces; this means that IP address
656: 127.0.0.1 (localhost) will never match.
657: Also, the host name
658: .Dq localhost
659: will only match if that is the actual host name, which is usually
660: only the case for non-networked systems.
661: .Bd -literal
1.1.1.2 ! misho 662: digest ::= [A-Fa-f0-9]+ |
! 663: [[A-Za-z0-9\+/=]+
! 664:
! 665: Digest_Spec ::= "sha224" ':' digest |
! 666: "sha256" ':' digest |
! 667: "sha384" ':' digest |
! 668: "sha512" ':' digest
! 669:
1.1 misho 670: Cmnd_List ::= Cmnd |
671: Cmnd ',' Cmnd_List
672:
673: command name ::= file name |
674: file name args |
675: file name '""'
676:
1.1.1.2 ! misho 677: Cmnd ::= Digest_Spec? '!'* command name |
1.1 misho 678: '!'* directory |
679: '!'* "sudoedit" |
680: '!'* Cmnd_Alias
681: .Ed
682: .Pp
683: A
684: .Li Cmnd_List
685: is a list of one or more command names, directories, and other aliases.
686: A command name is a fully qualified file name which may include
687: shell-style wildcards (see the
688: .Sx Wildcards
689: section below).
690: A simple file name allows the user to run the command with any
691: arguments he/she wishes.
692: However, you may also specify command line arguments (including
693: wildcards).
694: Alternately, you can specify
695: .Li \&""
696: to indicate that the command
697: may only be run
698: .Sy without
699: command line arguments.
700: A directory is a
701: fully qualified path name ending in a
702: .Ql / .
703: When you specify a directory in a
704: .Li Cmnd_List ,
705: the user will be able to run any file within that directory
706: (but not in any sub-directories therein).
707: .Pp
708: If a
709: .Li Cmnd
710: has associated command line arguments, then the arguments
711: in the
712: .Li Cmnd
713: must match exactly those given by the user on the command line
714: (or match the wildcards if there are any).
715: Note that the following characters must be escaped with a
716: .Ql \e
717: if they are used in command arguments:
718: .Ql ,\& ,
719: .Ql :\& ,
720: .Ql =\& ,
721: .Ql \e .
1.1.1.2 ! misho 722: The built-in command
1.1 misho 723: .Dq Li sudoedit
724: is used to permit a user to run
725: .Nm sudo
726: with the
727: .Fl e
728: option (or as
729: .Nm sudoedit ) .
730: It may take command line arguments just as a normal command does.
1.1.1.2 ! misho 731: Note that
! 732: .Dq Li sudoedit
! 733: is a command built into
! 734: .Nm sudo
! 735: itself and must be specified in
! 736: .Em sudoers
! 737: without a leading path.
! 738: .Pp
! 739: If a
! 740: .Li command name
! 741: is prefixed with a
! 742: .Li Digest_Spec ,
! 743: the command will only match successfully if it can be verified
! 744: using the specified SHA-2 digest.
! 745: This may be useful in situations where the user invoking
! 746: .Nm sudo
! 747: has write access to the command or its parent directory.
! 748: The following digest formats are supported: sha224, sha256, sha384 and sha512.
! 749: The string may be specified in either hex or base64 format
! 750: (base64 is more compact).
! 751: There are several utilities capable of generating SHA-2 digests in hex
! 752: format such as openssl, shasum, sha224sum, sha256sum, sha384sum, sha512sum.
! 753: .Pp
! 754: For example, using openssl:
! 755: .Bd -literal
! 756: $ openssl dgst -sha224 /bin/ls
! 757: SHA224(/bin/ls)= 118187da8364d490b4a7debbf483004e8f3e053ec954309de2c41a25
! 758: .Ed
! 759: .Pp
! 760: It is also possible to use openssl to generate base64 output:
! 761: .Bd -literal
! 762: $ openssl dgst -binary -sha224 /bin/ls | openssl base64
! 763: EYGH2oNk1JC0p9679IMATo8+BT7JVDCd4sQaJQ==
! 764: .Ed
! 765: .Pp
! 766: Command digests are only supported by version 1.8.7 or higher.
1.1 misho 767: .Ss Defaults
768: Certain configuration options may be changed from their default
769: values at run-time via one or more
770: .Li Default_Entry
771: lines.
772: These may affect all users on any host, all users on a specific host, a
773: specific user, a specific command, or commands being run as a specific user.
774: Note that per-command entries may not include command line arguments.
775: If you need to specify arguments, define a
776: .Li Cmnd_Alias
777: and reference
778: that instead.
779: .Bd -literal
780: Default_Type ::= 'Defaults' |
781: 'Defaults' '@' Host_List |
782: 'Defaults' ':' User_List |
783: 'Defaults' '!' Cmnd_List |
784: 'Defaults' '>' Runas_List
785:
786: Default_Entry ::= Default_Type Parameter_List
787:
788: Parameter_List ::= Parameter |
789: Parameter ',' Parameter_List
790:
791: Parameter ::= Parameter '=' Value |
792: Parameter '+=' Value |
793: Parameter '-=' Value |
794: '!'* Parameter
795: .Ed
796: .Pp
797: Parameters may be
798: .Sy flags ,
799: .Sy integer
800: values,
801: .Sy strings ,
802: or
803: .Sy lists .
804: Flags are implicitly boolean and can be turned off via the
805: .Ql \&!
806: operator.
807: Some integer, string and list parameters may also be
808: used in a boolean context to disable them.
809: Values may be enclosed
810: in double quotes
811: .Pq \&""
812: when they contain multiple words.
813: Special characters may be escaped with a backslash
814: .Pq Ql \e .
815: .Pp
816: Lists have two additional assignment operators,
817: .Li +=
818: and
819: .Li -= .
820: These operators are used to add to and delete from a list respectively.
821: It is not an error to use the
822: .Li -=
823: operator to remove an element
824: that does not exist in a list.
825: .Pp
826: Defaults entries are parsed in the following order: generic, host
827: and user Defaults first, then runas Defaults and finally command
828: defaults.
829: .Pp
830: See
831: .Sx SUDOERS OPTIONS
832: for a list of supported Defaults parameters.
833: .Ss User specification
834: .Bd -literal
835: User_Spec ::= User_List Host_List '=' Cmnd_Spec_List \e
836: (':' Host_List '=' Cmnd_Spec_List)*
837:
838: Cmnd_Spec_List ::= Cmnd_Spec |
839: Cmnd_Spec ',' Cmnd_Spec_List
840:
841: Cmnd_Spec ::= Runas_Spec? SELinux_Spec? Solaris_Priv_Spec? Tag_Spec* Cmnd
842:
843: Runas_Spec ::= '(' Runas_List? (':' Runas_List)? ')'
844:
845: SELinux_Spec ::= ('ROLE=role' | 'TYPE=type')
846:
847: Solaris_Priv_Spec ::= ('PRIVS=privset' | 'LIMITPRIVS=privset')
848:
849: Tag_Spec ::= ('NOPASSWD:' | 'PASSWD:' | 'NOEXEC:' | 'EXEC:' |
850: 'SETENV:' | 'NOSETENV:' | 'LOG_INPUT:' | 'NOLOG_INPUT:' |
851: 'LOG_OUTPUT:' | 'NOLOG_OUTPUT:')
852: .Ed
853: .Pp
854: A
855: .Sy user specification
856: determines which commands a user may run
857: (and as what user) on specified hosts.
858: By default, commands are
859: run as
860: .Sy root ,
861: but this can be changed on a per-command basis.
862: .Pp
863: The basic structure of a user specification is
864: .Dq who where = (as_whom) what .
865: Let's break that down into its constituent parts:
866: .Ss Runas_Spec
867: A
868: .Li Runas_Spec
869: determines the user and/or the group that a command
870: may be run as.
871: A fully-specified
872: .Li Runas_Spec
873: consists of two
874: .Li Runas_List Ns No s
875: (as defined above) separated by a colon
876: .Pq Ql :\&
877: and enclosed in a set of parentheses.
878: The first
879: .Li Runas_List
880: indicates
881: which users the command may be run as via
882: .Nm sudo Ns No 's
883: .Fl u
884: option.
885: The second defines a list of groups that can be specified via
886: .Nm sudo Ns No 's
887: .Fl g
888: option.
889: If both
890: .Li Runas_List Ns No s
891: are specified, the command may be run with any combination of users
892: and groups listed in their respective
893: .Li Runas_List Ns No s.
894: If only the first is specified, the command may be run as any user
895: in the list but no
896: .Fl g
897: option
898: may be specified.
899: If the first
900: .Li Runas_List
901: is empty but the
902: second is specified, the command may be run as the invoking user
903: with the group set to any listed in the
904: .Li Runas_List .
905: If both
906: .Li Runas_List Ns No s
907: are empty, the command may only be run as the invoking user.
908: If no
909: .Li Runas_Spec
910: is specified the command may be run as
911: .Sy root
912: and
913: no group may be specified.
914: .Pp
915: A
916: .Li Runas_Spec
917: sets the default for the commands that follow it.
918: What this means is that for the entry:
919: .Bd -literal
920: dgb boulder = (operator) /bin/ls, /bin/kill, /usr/bin/lprm
921: .Ed
922: .Pp
923: The user
924: .Sy dgb
925: may run
926: .Pa /bin/ls ,
927: .Pa /bin/kill ,
928: and
929: .Pa /usr/bin/lprm Ns No \(em Ns but
930: only as
931: .Sy operator .
932: E.g.,
933: .Bd -literal
934: $ sudo -u operator /bin/ls
935: .Ed
936: .Pp
937: It is also possible to override a
938: .Li Runas_Spec
939: later on in an entry.
940: If we modify the entry like so:
941: .Bd -literal
942: dgb boulder = (operator) /bin/ls, (root) /bin/kill, /usr/bin/lprm
943: .Ed
944: .Pp
945: Then user
946: .Sy dgb
947: is now allowed to run
948: .Pa /bin/ls
949: as
950: .Sy operator ,
951: but
952: .Pa /bin/kill
953: and
954: .Pa /usr/bin/lprm
955: as
956: .Sy root .
957: .Pp
958: We can extend this to allow
959: .Sy dgb
960: to run
961: .Li /bin/ls
962: with either
963: the user or group set to
964: .Sy operator :
965: .Bd -literal
966: dgb boulder = (operator : operator) /bin/ls, (root) /bin/kill,\e
967: /usr/bin/lprm
968: .Ed
969: .Pp
970: Note that while the group portion of the
971: .Li Runas_Spec
972: permits the
973: user to run as command with that group, it does not force the user
974: to do so.
975: If no group is specified on the command line, the command
976: will run with the group listed in the target user's password database
977: entry.
978: The following would all be permitted by the sudoers entry above:
979: .Bd -literal
980: $ sudo -u operator /bin/ls
981: $ sudo -u operator -g operator /bin/ls
982: $ sudo -g operator /bin/ls
983: .Ed
984: .Pp
985: In the following example, user
986: .Sy tcm
987: may run commands that access
988: a modem device file with the dialer group.
989: .Bd -literal
990: tcm boulder = (:dialer) /usr/bin/tip, /usr/bin/cu,\e
991: /usr/local/bin/minicom
992: .Ed
993: .Pp
994: Note that in this example only the group will be set, the command
995: still runs as user
996: .Sy tcm .
997: E.g.\&
998: .Bd -literal
999: $ sudo -g dialer /usr/bin/cu
1000: .Ed
1001: .Pp
1002: Multiple users and groups may be present in a
1003: .Li Runas_Spec ,
1004: in which case the user may select any combination of users and groups via the
1005: .Fl u
1006: and
1007: .Fl g
1008: options.
1009: In this example:
1010: .Bd -literal
1011: alan ALL = (root, bin : operator, system) ALL
1012: .Ed
1013: .Pp
1014: user
1015: .Sy alan
1016: may run any command as either user root or bin,
1017: optionally setting the group to operator or system.
1018: .Ss SELinux_Spec
1019: On systems with SELinux support,
1020: .Em sudoers
1021: entries may optionally have an SELinux role and/or type associated
1022: with a command.
1023: If a role or
1024: type is specified with the command it will override any default values
1025: specified in
1026: .Em sudoers .
1027: A role or type specified on the command line,
1028: however, will supersede the values in
1029: .Em sudoers .
1030: .Ss Solaris_Priv_Spec
1031: On Solaris systems,
1032: .Em sudoers
1033: entries may optionally specify Solaris privilege set and/or limit
1034: privilege set associated with a command.
1035: If privileges or limit privileges are specified with the command
1036: it will override any default values specified in
1037: .Em sudoers .
1038: .Pp
1039: A privilege set is a comma-separated list of privilege names.
1040: The
1041: .Xr ppriv 1
1042: command can be used to list all privileges known to the system.
1043: For example:
1044: .Bd -literal
1045: $ ppriv -l
1046: .Ed
1047: .Pp
1048: In addition, there are several
1049: .Dq special
1050: privilege strings:
1051: .Bl -tag -width 8n
1052: .It none
1053: the empty set
1054: .It all
1055: the set of all privileges
1056: .It zone
1057: the set of all privileges available in the current zone
1058: .It basic
1059: the default set of privileges normal users are granted at login time
1060: .El
1061: .Pp
1062: Privileges can be excluded from a set by prefixing the privilege
1063: name with either an
1064: .Ql \&!
1065: or
1066: .Ql \-
1067: character.
1068: .Ss Tag_Spec
1069: A command may have zero or more tags associated with it.
1070: There are
1071: ten possible tag values:
1072: .Li NOPASSWD ,
1073: .Li PASSWD ,
1074: .Li NOEXEC ,
1075: .Li EXEC ,
1076: .Li SETENV ,
1077: .Li NOSETENV ,
1078: .Li LOG_INPUT ,
1079: .Li NOLOG_INPUT ,
1080: .Li LOG_OUTPUT
1081: and
1082: .Li NOLOG_OUTPUT .
1083: Once a tag is set on a
1084: .Li Cmnd ,
1085: subsequent
1086: .Li Cmnd Ns No s
1087: in the
1088: .Li Cmnd_Spec_List ,
1089: inherit the tag unless it is overridden by the opposite tag (in other words,
1090: .Li PASSWD
1091: overrides
1092: .Li NOPASSWD
1093: and
1094: .Li NOEXEC
1095: overrides
1096: .Li EXEC ) .
1.1.1.2 ! misho 1097: .Bl -hang -width 0n
! 1098: .It Em NOPASSWD No and Em PASSWD
! 1099: .sp
1.1 misho 1100: By default,
1101: .Nm sudo
1102: requires that a user authenticate him or herself
1103: before running a command.
1104: This behavior can be modified via the
1105: .Li NOPASSWD
1106: tag.
1107: Like a
1108: .Li Runas_Spec ,
1109: the
1110: .Li NOPASSWD
1111: tag sets
1112: a default for the commands that follow it in the
1113: .Li Cmnd_Spec_List .
1114: Conversely, the
1115: .Li PASSWD
1116: tag can be used to reverse things.
1117: For example:
1118: .Bd -literal
1119: ray rushmore = NOPASSWD: /bin/kill, /bin/ls, /usr/bin/lprm
1120: .Ed
1121: .Pp
1122: would allow the user
1123: .Sy ray
1124: to run
1125: .Pa /bin/kill ,
1126: .Pa /bin/ls ,
1127: and
1128: .Pa /usr/bin/lprm
1129: as
1130: .Sy root
1131: on the machine rushmore without authenticating himself.
1132: If we only want
1133: .Sy ray
1134: to be able to
1135: run
1136: .Pa /bin/kill
1137: without a password the entry would be:
1138: .Bd -literal
1139: ray rushmore = NOPASSWD: /bin/kill, PASSWD: /bin/ls, /usr/bin/lprm
1140: .Ed
1141: .Pp
1142: Note, however, that the
1143: .Li PASSWD
1144: tag has no effect on users who are in the group specified by the
1145: .Em exempt_group
1146: option.
1147: .Pp
1148: By default, if the
1149: .Li NOPASSWD
1150: tag is applied to any of the entries for a user on the current host,
1151: he or she will be able to run
1152: .Dq Li sudo -l
1153: without a password.
1154: Additionally, a user may only run
1155: .Dq Li sudo -v
1156: without a password if the
1157: .Li NOPASSWD
1158: tag is present for all a user's entries that pertain to the current host.
1159: This behavior may be overridden via the
1160: .Em verifypw
1161: and
1162: .Em listpw
1163: options.
1.1.1.2 ! misho 1164: .It Em NOEXEC No and Em EXEC
! 1165: .sp
1.1 misho 1166: If
1167: .Nm sudo
1168: has been compiled with
1169: .Em noexec
1170: support and the underlying operating system supports it, the
1171: .Li NOEXEC
1172: tag can be used to prevent a dynamically-linked executable from
1173: running further commands itself.
1174: .Pp
1175: In the following example, user
1176: .Sy aaron
1177: may run
1178: .Pa /usr/bin/more
1179: and
1180: .Pa /usr/bin/vi
1181: but shell escapes will be disabled.
1182: .Bd -literal
1183: aaron shanty = NOEXEC: /usr/bin/more, /usr/bin/vi
1184: .Ed
1185: .Pp
1186: See the
1187: .Sx Preventing shell escapes
1188: section below for more details on how
1189: .Li NOEXEC
1190: works and whether or not it will work on your system.
1.1.1.2 ! misho 1191: .It Em SETENV No and Em NOSETENV
! 1192: .sp
1.1 misho 1193: These tags override the value of the
1194: .Em setenv
1195: option on a per-command basis.
1196: Note that if
1197: .Li SETENV
1198: has been set for a command, the user may disable the
1199: .Em env_reset
1200: option from the command line via the
1201: .Fl E
1202: option.
1203: Additionally, environment variables set on the command
1204: line are not subject to the restrictions imposed by
1205: .Em env_check ,
1206: .Em env_delete ,
1207: or
1208: .Em env_keep .
1209: As such, only trusted users should be allowed to set variables in this manner.
1210: If the command matched is
1211: .Sy ALL ,
1212: the
1213: .Li SETENV
1214: tag is implied for that command; this default may be overridden by use of the
1215: .Li NOSETENV
1216: tag.
1.1.1.2 ! misho 1217: .It Em LOG_INPUT No and Em NOLOG_INPUT
! 1218: .sp
1.1 misho 1219: These tags override the value of the
1220: .Em log_input
1221: option on a per-command basis.
1222: For more information, see the description of
1223: .Em log_input
1224: in the
1225: .Sx SUDOERS OPTIONS
1226: section below.
1.1.1.2 ! misho 1227: .It Em LOG_OUTPUT No and Em NOLOG_OUTPUT
! 1228: .sp
1.1 misho 1229: These tags override the value of the
1230: .Em log_output
1231: option on a per-command basis.
1232: For more information, see the description of
1233: .Em log_output
1234: in the
1235: .Sx SUDOERS OPTIONS
1236: section below.
1.1.1.2 ! misho 1237: .El
1.1 misho 1238: .Ss Wildcards
1239: .Nm sudo
1240: allows shell-style
1241: .Em wildcards
1242: (aka meta or glob characters)
1243: to be used in host names, path names and command line arguments in the
1244: .Em sudoers
1245: file.
1246: Wildcard matching is done via the
1247: .Xr glob 3
1248: and
1249: .Xr fnmatch 3
1.1.1.2 ! misho 1250: functions as specified by
! 1251: .St -p1003.1 .
1.1 misho 1252: Note that these are
1253: .Em not
1254: regular expressions.
1255: .Bl -tag -width 8n
1256: .It Li *
1257: Matches any set of zero or more characters.
1258: .It Li \&?
1259: Matches any single character.
1260: .It Li [...]
1261: Matches any character in the specified range.
1262: .It Li [!...]
1263: Matches any character
1264: .Sy not
1265: in the specified range.
1266: .It Li \ex
1267: For any character
1268: .Sq x ,
1269: evaluates to
1270: .Sq x .
1271: This is used to escape special characters such as:
1272: .Ql * ,
1273: .Ql \&? ,
1274: .Ql [\& ,
1275: and
1276: .Ql ]\& .
1277: .El
1278: .Pp
1.1.1.2 ! misho 1279: Character classes may also be used if your system's
1.1 misho 1280: .Xr glob 3
1281: and
1282: .Xr fnmatch 3
1283: functions support them.
1284: However, because the
1285: .Ql :\&
1286: character has special meaning in
1287: .Em sudoers ,
1288: it must be
1289: escaped.
1290: For example:
1291: .Bd -literal -offset 4n
1292: /bin/ls [[\:alpha\:]]*
1293: .Ed
1294: .Pp
1295: Would match any file name beginning with a letter.
1296: .Pp
1297: Note that a forward slash
1298: .Pq Ql /
1299: will
1300: .Sy not
1301: be matched by
1302: wildcards used in the path name.
1303: This is to make a path like:
1304: .Bd -literal -offset 4n
1305: /usr/bin/*
1306: .Ed
1307: .Pp
1308: match
1309: .Pa /usr/bin/who
1310: but not
1311: .Pa /usr/bin/X11/xterm .
1312: .Pp
1313: When matching the command line arguments, however, a slash
1314: .Sy does
1315: get matched by wildcards since command line arguments may contain
1316: arbitrary strings and not just path names.
1317: .Pp
1318: Wildcards in command line arguments should be used with care.
1319: Because command line arguments are matched as a single, concatenated
1320: string, a wildcard such as
1321: .Ql \&?
1322: or
1323: .Ql *
1324: can match multiple words.
1325: For example, while a sudoers entry like:
1326: .Bd -literal -offset 4n
1327: %operator ALL = /bin/cat /var/log/messages*
1328: .Ed
1329: .Pp
1330: will allow command like:
1331: .Bd -literal -offset 4n
1332: $ sudo cat /var/log/messages.1
1333: .Ed
1334: .Pp
1335: It will also allow:
1336: .Bd -literal -offset 4n
1337: $ sudo cat /var/log/messages /etc/shadow
1338: .Ed
1339: .Pp
1340: which is probably not what was intended.
1341: .Ss Exceptions to wildcard rules
1342: The following exceptions apply to the above rules:
1343: .Bl -tag -width 8n
1344: .It Li \&""
1345: If the empty string
1346: .Li \&""
1347: is the only command line argument in the
1348: .Em sudoers
1349: entry it means that command is not allowed to be run with
1350: .Sy any
1351: arguments.
1352: .It sudoedit
1353: Command line arguments to the
1354: .Em sudoedit
1355: built-in command should always be path names, so a forward slash
1356: .Pq Ql /
1357: will not be matched by a wildcard.
1358: .El
1359: .Ss Including other files from within sudoers
1360: It is possible to include other
1361: .Em sudoers
1362: files from within the
1363: .Em sudoers
1364: file currently being parsed using the
1365: .Li #include
1366: and
1367: .Li #includedir
1368: directives.
1369: .Pp
1370: This can be used, for example, to keep a site-wide
1371: .Em sudoers
1372: file in addition to a local, per-machine file.
1373: For the sake of this example the site-wide
1374: .Em sudoers
1375: will be
1376: .Pa /etc/sudoers
1377: and the per-machine one will be
1378: .Pa /etc/sudoers.local .
1379: To include
1380: .Pa /etc/sudoers.local
1381: from within
1382: .Pa /etc/sudoers
1383: we would use the
1384: following line in
1385: .Pa /etc/sudoers :
1386: .Bd -literal -offset 4n
1387: #include /etc/sudoers.local
1388: .Ed
1389: .Pp
1390: When
1391: .Nm sudo
1392: reaches this line it will suspend processing of the current file
1393: .Pq Pa /etc/sudoers
1394: and switch to
1395: .Pa /etc/sudoers.local .
1396: Upon reaching the end of
1397: .Pa /etc/sudoers.local ,
1398: the rest of
1399: .Pa /etc/sudoers
1400: will be processed.
1401: Files that are included may themselves include other files.
1402: A hard limit of 128 nested include files is enforced to prevent include
1403: file loops.
1404: .Pp
1405: If the path to the include file is not fully-qualified (does not
1406: begin with a
1407: .Ql / ,
1408: it must be located in the same directory as the sudoers file it was
1409: included from.
1410: For example, if
1411: .Pa /etc/sudoers
1412: contains the line:
1413: .Bd -literal -offset 4n
1414: .Li #include sudoers.local
1415: .Ed
1416: .Pp
1417: the file that will be included is
1418: .Pa /etc/sudoers.local .
1419: .Pp
1420: The file name may also include the
1421: .Li %h
1422: escape, signifying the short form of the host name.
1423: In other words, if the machine's host name is
1424: .Dq xerxes ,
1425: then
1426: .Bd -literal -offset 4n
1427: #include /etc/sudoers.%h
1428: .Ed
1429: .Pp
1430: will cause
1431: .Nm sudo
1432: to include the file
1433: .Pa /etc/sudoers.xerxes .
1434: .Pp
1435: The
1436: .Li #includedir
1437: directive can be used to create a
1438: .Pa sudo.d
1439: directory that the system package manager can drop
1440: .Em sudoers
1441: rules
1442: into as part of package installation.
1443: For example, given:
1444: .Bd -literal -offset 4n
1445: #includedir /etc/sudoers.d
1446: .Ed
1447: .Pp
1448: .Nm sudo
1449: will read each file in
1450: .Pa /etc/sudoers.d ,
1451: skipping file names that end in
1452: .Ql ~
1453: or contain a
1454: .Ql .\&
1455: character to avoid causing problems with package manager or editor
1456: temporary/backup files.
1457: Files are parsed in sorted lexical order.
1458: That is,
1459: .Pa /etc/sudoers.d/01_first
1460: will be parsed before
1461: .Pa /etc/sudoers.d/10_second .
1462: Be aware that because the sorting is lexical, not numeric,
1463: .Pa /etc/sudoers.d/1_whoops
1464: would be loaded
1465: .Sy after
1466: .Pa /etc/sudoers.d/10_second .
1467: Using a consistent number of leading zeroes in the file names can be used
1468: to avoid such problems.
1469: .Pp
1470: Note that unlike files included via
1471: .Li #include ,
1472: .Nm visudo
1473: will not edit the files in a
1474: .Li #includedir
1475: directory unless one of them contains a syntax error.
1476: It is still possible to run
1477: .Nm visudo
1478: with the
1479: .Fl f
1480: flag to edit the files directly.
1481: .Ss Other special characters and reserved words
1482: The pound sign
1483: .Pq Ql #
1484: is used to indicate a comment (unless it is part of a #include
1485: directive or unless it occurs in the context of a user name and is
1486: followed by one or more digits, in which case it is treated as a
1487: uid).
1488: Both the comment character and any text after it, up to the end of
1489: the line, are ignored.
1490: .Pp
1491: The reserved word
1492: .Sy ALL
1493: is a built-in
1494: .Em alias
1495: that always causes a match to succeed.
1496: It can be used wherever one might otherwise use a
1497: .Li Cmnd_Alias ,
1498: .Li User_Alias ,
1499: .Li Runas_Alias ,
1500: or
1501: .Li Host_Alias .
1502: You should not try to define your own
1503: .Em alias
1504: called
1505: .Sy ALL
1506: as the built-in alias will be used in preference to your own.
1507: Please note that using
1508: .Sy ALL
1509: can be dangerous since in a command context, it allows the user to run
1510: .Sy any
1511: command on the system.
1512: .Pp
1513: An exclamation point
1514: .Pq Ql \&!
1515: can be used as a logical
1516: .Em not
1.1.1.2 ! misho 1517: operator in a list or
1.1 misho 1518: .Em alias
1.1.1.2 ! misho 1519: as well as in front of a
1.1 misho 1520: .Li Cmnd .
1521: This allows one to exclude certain values.
1.1.1.2 ! misho 1522: For the
! 1523: .Ql \&!
! 1524: operator to be effective, there must be something for it to exclude.
! 1525: For example, to match all users except for root one would use:
! 1526: .Bd -literal -offset 4n
! 1527: ALL,!root
! 1528: .Ed
! 1529: .Pp
! 1530: If the
! 1531: .Sy ALL ,
! 1532: is omitted, as in:
! 1533: .Bd -literal -offset 4n
! 1534: !root
! 1535: .Ed
! 1536: .Pp
! 1537: it would explicitly deny root but not match any other users.
! 1538: This is different from a true
! 1539: .Dq negation
! 1540: operator.
! 1541: .Pp
1.1 misho 1542: Note, however, that using a
1543: .Ql \&!
1544: in conjunction with the built-in
1545: .Sy ALL
1546: alias to allow a user to run
1547: .Dq all but a few
1548: commands rarely works as intended (see
1549: .Sx SECURITY NOTES
1550: below).
1551: .Pp
1552: Long lines can be continued with a backslash
1553: .Pq Ql \e
1554: as the last character on the line.
1555: .Pp
1556: White space between elements in a list as well as special syntactic
1557: characters in a
1558: .Em User Specification
1559: .Po
1560: .Ql =\& ,
1561: .Ql :\& ,
1562: .Ql (\& ,
1563: .Ql )\&
1564: .Pc
1565: is optional.
1566: .Pp
1567: The following characters must be escaped with a backslash
1568: .Pq Ql \e
1569: when used as part of a word (e.g.\& a user name or host name):
1570: .Ql \&! ,
1571: .Ql =\& ,
1572: .Ql :\& ,
1573: .Ql ,\& ,
1574: .Ql (\& ,
1575: .Ql )\& ,
1576: .Ql \e .
1577: .Sh SUDOERS OPTIONS
1578: .Nm sudo Ns No 's
1579: behavior can be modified by
1580: .Li Default_Entry
1581: lines, as explained earlier.
1582: A list of all supported Defaults parameters, grouped by type, are listed below.
1583: .Pp
1584: .Sy Boolean Flags :
1585: .Bl -tag -width 16n
1586: .It always_set_home
1587: If enabled,
1588: .Nm sudo
1589: will set the
1590: .Ev HOME
1591: environment variable to the home directory of the target user
1592: (which is root unless the
1593: .Fl u
1594: option is used).
1595: This effectively means that the
1596: .Fl H
1597: option is always implied.
1598: Note that
1599: .Ev HOME
1600: is already set when the the
1601: .Em env_reset
1602: option is enabled, so
1603: .Em always_set_home
1604: is only effective for configurations where either
1605: .Em env_reset
1606: is disabled or
1607: .Ev HOME
1608: is present in the
1609: .Em env_keep
1610: list.
1611: This flag is
1612: .Em off
1613: by default.
1614: .It authenticate
1615: If set, users must authenticate themselves via a password (or other
1616: means of authentication) before they may run commands.
1617: This default may be overridden via the
1618: .Li PASSWD
1619: and
1620: .Li NOPASSWD
1621: tags.
1622: This flag is
1623: .Em on
1624: by default.
1625: .It closefrom_override
1626: If set, the user may use
1627: .Nm sudo Ns No 's
1628: .Fl C
1629: option which overrides the default starting point at which
1630: .Nm sudo
1631: begins closing open file descriptors.
1632: This flag is
1633: .Em off
1634: by default.
1635: .It compress_io
1636: If set, and
1637: .Nm sudo
1638: is configured to log a command's input or output,
1639: the I/O logs will be compressed using
1640: .Sy zlib .
1641: This flag is
1642: .Em on
1643: by default when
1644: .Nm sudo
1645: is compiled with
1646: .Sy zlib
1647: support.
1.1.1.2 ! misho 1648: .It exec_background
! 1649: By default,
! 1650: .Nm sudo
! 1651: runs a command as the foreground process as long as
! 1652: .Nm sudo
! 1653: itself is running in the foreground.
! 1654: When the
! 1655: .Em exec_background
! 1656: flag is enabled and the command is being run in a pty (due to I/O logging
! 1657: or the
! 1658: .Em use_pty
! 1659: flag), the command will be run as a background process.
! 1660: Attempts to read from the controlling terminal (or to change terminal
! 1661: settings) will result in the command being suspended with the
! 1662: .Dv SIGTTIN
! 1663: signal (or
! 1664: .Dv SIGTTOU
! 1665: in the case of terminal settings).
! 1666: If this happens when
! 1667: .Nm sudo
! 1668: is a foreground process, the command will be granted the controlling terminal
! 1669: and resumed in the foreground with no user intervention required.
! 1670: The advantage of initially running the command in the background is that
! 1671: .Nm sudo
! 1672: need not read from the terminal unless the command explicitly requests it.
! 1673: Otherwise, any terminal input must be passed to the command, whether it
! 1674: has required it or not (the kernel buffers terminals so it is not possible
! 1675: to tell whether the command really wants the input).
! 1676: This is different from historic
! 1677: .Em sudo
! 1678: behavior or when the command is not being run in a pty.
! 1679: .Pp
! 1680: For this to work seamlessly, the operating system must support the
! 1681: automatic restarting of system calls.
! 1682: Unfortunately, not all operating systems do this by default,
! 1683: and even those that do may have bugs.
! 1684: For example, Mac OS X fails to restart the
! 1685: .Fn tcgetattr
! 1686: and
! 1687: .Fn tcsetattr
! 1688: system calls (this is a bug in Mac OS X).
! 1689: Furthermore, because this behavior depends on the command stopping with the
! 1690: .Dv SIGTTIN
! 1691: or
! 1692: .Dv SIGTTOU
! 1693: signals, programs that catch these signals and suspend themselves
! 1694: with a different signal (usually
! 1695: .Dv SIGTOP )
! 1696: will not be automatically foregrounded.
! 1697: Some versions of the linux
! 1698: .Xr su 1
! 1699: command behave this way.
! 1700: .Pp
! 1701: This setting is only supported by version 1.8.7 or higher.
! 1702: It has no effect unless I/O logging is enabled or the
! 1703: .Em use_pty
! 1704: flag is enabled.
1.1 misho 1705: .It env_editor
1706: If set,
1707: .Nm visudo
1708: will use the value of the
1709: .Ev EDITOR
1710: or
1711: .Ev VISUAL
1712: environment variables before falling back on the default editor list.
1713: Note that this may create a security hole as it allows the user to
1714: run any arbitrary command as root without logging.
1715: A safer alternative is to place a colon-separated list of editors
1716: in the
1717: .Li editor
1718: variable.
1719: .Nm visudo
1720: will then only use the
1721: .Ev EDITOR
1722: or
1723: .Ev VISUAL
1724: if they match a value specified in
1725: .Li editor .
1726: This flag is
1727: .Em @env_editor@
1728: by
1729: default.
1730: .It env_reset
1731: If set,
1732: .Nm sudo
1733: will run the command in a minimal environment containing the
1734: .Ev TERM ,
1735: .Ev PATH ,
1736: .Ev HOME ,
1737: .Ev MAIL ,
1738: .Ev SHELL ,
1739: .Ev LOGNAME ,
1740: .Ev USER ,
1741: .Ev USERNAME
1742: and
1743: .Ev SUDO_*
1744: variables.
1745: Any
1746: variables in the caller's environment that match the
1747: .Li env_keep
1748: and
1749: .Li env_check
1750: lists are then added, followed by any variables present in the file
1751: specified by the
1752: .Em env_file
1753: option (if any).
1754: The default contents of the
1755: .Li env_keep
1756: and
1757: .Li env_check
1758: lists are displayed when
1759: .Nm sudo
1760: is run by root with the
1761: .Fl V
1762: option.
1763: If the
1764: .Em secure_path
1765: option is set, its value will be used for the
1766: .Ev PATH
1767: environment variable.
1768: This flag is
1769: .Em @env_reset@
1770: by default.
1771: .It fast_glob
1772: Normally,
1773: .Nm sudo
1774: uses the
1775: .Xr glob 3
1776: function to do shell-style globbing when matching path names.
1777: However, since it accesses the file system,
1778: .Xr glob 3
1779: can take a long time to complete for some patterns, especially
1780: when the pattern references a network file system that is mounted
1781: on demand (auto mounted).
1782: The
1783: .Em fast_glob
1784: option causes
1785: .Nm sudo
1786: to use the
1787: .Xr fnmatch 3
1788: function, which does not access the file system to do its matching.
1789: The disadvantage of
1790: .Em fast_glob
1791: is that it is unable to match relative path names such as
1792: .Pa ./ls
1793: or
1794: .Pa ../bin/ls .
1795: This has security implications when path names that include globbing
1796: characters are used with the negation operator,
1797: .Ql !\& ,
1798: as such rules can be trivially bypassed.
1799: As such, this option should not be used when
1800: .Em sudoers
1801: contains rules that contain negated path names which include globbing
1802: characters.
1803: This flag is
1804: .Em off
1805: by default.
1806: .It fqdn
1807: Set this flag if you want to put fully qualified host names in the
1808: .Em sudoers
1809: file when the local host name (as returned by the
1810: .Li hostname
1811: command) does not contain the domain name.
1812: In other words, instead of myhost you would use myhost.mydomain.edu.
1813: You may still use the short form if you wish (and even mix the two).
1814: This option is only effective when the
1815: .Dq canonical
1816: host name, as returned by the
1817: .Fn getaddrinfo
1818: or
1819: .Fn gethostbyname
1820: function, is a fully-qualified domain name.
1821: This is usually the case when the system is configured to use DNS
1822: for host name resolution.
1823: .Pp
1824: If the system is configured to use the
1825: .Pa /etc/hosts
1826: file in preference to DNS, the
1827: .Dq canonical
1828: host name may not be fully-qualified.
1829: The order that sources are queried for hosts name resolution
1830: is usually specified in the
1831: .Pa @nsswitch_conf@ ,
1832: .Pa @netsvc_conf@ ,
1833: .Pa /etc/host.conf ,
1834: or, in some cases,
1835: .Pa /etc/resolv.conf
1836: file.
1837: In the
1838: .Pa /etc/hosts
1839: file, the first host name of the entry is considered to be the
1840: .Dq canonical
1841: name; subsequent names are aliases that are not used by
1842: .Nm sudoers .
1843: For example, the following hosts file line for the machine
1844: .Dq xyzzy
1845: has the fully-qualified domain name as the
1846: .Dq canonical
1847: host name, and the short version as an alias.
1848: .sp
1849: .Dl 192.168.1.1 xyzzy.sudo.ws xyzzy
1850: .sp
1851: If the machine's hosts file entry is not formatted properly, the
1852: .Em fqdn
1853: option will not be effective if it is queried before DNS.
1854: .Pp
1855: Beware that when using DNS for host name resolution, turning on
1856: .Em fqdn
1857: requires
1858: .Nm sudoers
1859: to make DNS lookups which renders
1860: .Nm sudo
1861: unusable if DNS stops working (for example if the machine is disconnected
1862: from the network).
1863: Also note that just like with the hosts file, you must use the
1864: .Dq canonical
1865: name as DNS knows it.
1866: That is, you may not use a host alias
1867: .Po
1868: .Li CNAME
1869: entry
1870: .Pc
1871: due to performance issues and the fact that there is no way to get all
1872: aliases from DNS.
1873: .Pp
1874: This flag is
1875: .Em @fqdn@
1876: by default.
1877: .It ignore_dot
1878: If set,
1879: .Nm sudo
1880: will ignore "." or "" (both denoting current directory) in the
1881: .Ev PATH
1882: environment variable; the
1883: .Ev PATH
1884: itself is not modified.
1885: This flag is
1886: .Em @ignore_dot@
1887: by default.
1888: .It ignore_local_sudoers
1889: If set via LDAP, parsing of
1890: .Pa @sysconfdir@/sudoers
1891: will be skipped.
1892: This is intended for Enterprises that wish to prevent the usage of local
1893: sudoers files so that only LDAP is used.
1894: This thwarts the efforts of rogue operators who would attempt to add roles to
1895: .Pa @sysconfdir@/sudoers .
1896: When this option is present,
1897: .Pa @sysconfdir@/sudoers
1898: does not even need to exist.
1899: Since this option tells
1900: .Nm sudo
1901: how to behave when no specific LDAP entries have been matched, this
1902: sudoOption is only meaningful for the
1903: .Li cn=defaults
1904: section.
1905: This flag is
1906: .Em off
1907: by default.
1908: .It insults
1909: If set,
1910: .Nm sudo
1911: will insult users when they enter an incorrect password.
1912: This flag is
1913: .Em @insults@
1914: by default.
1915: .It log_host
1916: If set, the host name will be logged in the (non-syslog)
1917: .Nm sudo
1918: log file.
1919: This flag is
1920: .Em off
1921: by default.
1922: .It log_input
1923: If set,
1924: .Nm sudo
1925: will run the command in a
1926: .Em pseudo tty
1927: and log all user input.
1928: If the standard input is not connected to the user's tty, due to
1929: I/O redirection or because the command is part of a pipeline, that
1930: input is also captured and stored in a separate log file.
1931: .Pp
1932: Input is logged to the directory specified by the
1933: .Em iolog_dir
1934: option
1935: .Po
1936: .Pa @iolog_dir@
1937: by default
1938: .Pc
1939: using a unique session ID that is included in the normal
1940: .Nm sudo
1941: log line, prefixed with
1942: .Dq Li TSID= .
1943: The
1944: .Em iolog_file
1945: option may be used to control the format of the session ID.
1946: .Pp
1947: Note that user input may contain sensitive information such as
1948: passwords (even if they are not echoed to the screen), which will
1949: be stored in the log file unencrypted.
1950: In most cases, logging the command output via
1951: .Em log_output
1952: is all that is required.
1953: .It log_output
1954: If set,
1955: .Nm sudo
1956: will run the command in a
1957: .Em pseudo tty
1958: and log all output that is sent to the screen, similar to the
1959: .Xr script 1
1960: command.
1961: If the standard output or standard error is not connected to the
1962: user's tty, due to I/O redirection or because the command is part
1963: of a pipeline, that output is also captured and stored in separate
1964: log files.
1965: .Pp
1966: Output is logged to the directory specified by the
1967: .Em iolog_dir
1968: option
1969: .Po
1970: .Pa @iolog_dir@
1971: by default
1972: .Pc
1973: using a unique session ID that is included in the normal
1974: .Nm sudo
1975: log line, prefixed with
1976: .Dq Li TSID= .
1977: The
1978: .Em iolog_file
1979: option may be used to control the format of the session ID.
1980: .Pp
1981: Output logs may be viewed with the
1982: .Xr sudoreplay @mansectsu@
1983: utility, which can also be used to list or search the available logs.
1984: .It log_year
1985: If set, the four-digit year will be logged in the (non-syslog)
1986: .Nm sudo
1987: log file.
1988: This flag is
1989: .Em off
1990: by default.
1991: .It long_otp_prompt
1992: When validating with a One Time Password (OTP) scheme such as
1993: .Sy S/Key
1994: or
1995: .Sy OPIE ,
1996: a two-line prompt is used to make it easier
1997: to cut and paste the challenge to a local window.
1998: It's not as pretty as the default but some people find it more convenient.
1999: This flag is
2000: .Em @long_otp_prompt@
2001: by default.
2002: .It mail_always
2003: Send mail to the
2004: .Em mailto
2005: user every time a users runs
2006: .Nm sudo .
2007: This flag is
2008: .Em off
2009: by default.
2010: .It mail_badpass
2011: Send mail to the
2012: .Em mailto
2013: user if the user running
2014: .Nm sudo
2015: does not enter the correct password.
2016: If the command the user is attempting to run is not permitted by
2017: .Em sudoers
2018: and one of the
2019: .Em mail_always ,
2020: .Em mail_no_host ,
2021: .Em mail_no_perms
2022: or
2023: .Em mail_no_user
2024: flags are set, this flag will have no effect.
2025: This flag is
2026: .Em off
2027: by default.
2028: .It mail_no_host
2029: If set, mail will be sent to the
2030: .Em mailto
2031: user if the invoking user exists in the
2032: .Em sudoers
2033: file, but is not allowed to run commands on the current host.
2034: This flag is
2035: .Em @mail_no_host@
2036: by default.
2037: .It mail_no_perms
2038: If set, mail will be sent to the
2039: .Em mailto
2040: user if the invoking user is allowed to use
2041: .Nm sudo
2042: but the command they are trying is not listed in their
2043: .Em sudoers
2044: file entry or is explicitly denied.
2045: This flag is
2046: .Em @mail_no_perms@
2047: by default.
2048: .It mail_no_user
2049: If set, mail will be sent to the
2050: .Em mailto
2051: user if the invoking user is not in the
2052: .Em sudoers
2053: file.
2054: This flag is
2055: .Em @mail_no_user@
2056: by default.
2057: .It noexec
2058: If set, all commands run via
2059: .Nm sudo
2060: will behave as if the
2061: .Li NOEXEC
2062: tag has been set, unless overridden by a
2063: .Li EXEC
2064: tag.
2065: See the description of
2066: .Em NOEXEC and EXEC
2067: below as well as the
2068: .Sx Preventing shell escapes
2069: section at the end of this manual.
2070: This flag is
2071: .Em off
2072: by default.
1.1.1.2 ! misho 2073: .It pam_session
! 2074: On systems that use PAM for authentication,
1.1 misho 2075: .Nm sudo
1.1.1.2 ! misho 2076: will create a new PAM session for the command to be run in.
! 2077: Disabling
! 2078: .Em pam_session
! 2079: may be needed on older PAM implementations or on operating systems where
! 2080: opening a PAM session changes the utmp or wtmp files.
! 2081: If PAM session support is disabled, resource limits may not be updated
! 2082: for the command being run.
1.1 misho 2083: This flag is
1.1.1.2 ! misho 2084: .Em @pam_session@
1.1 misho 2085: by default.
1.1.1.2 ! misho 2086: .Pp
! 2087: This setting is only supported by version 1.8.7 or higher.
1.1 misho 2088: .It passprompt_override
2089: The password prompt specified by
2090: .Em passprompt
2091: will normally only be used if the password prompt provided by systems
2092: such as PAM matches the string
2093: .Dq Password: .
2094: If
2095: .Em passprompt_override
2096: is set,
2097: .Em passprompt
2098: will always be used.
2099: This flag is
2100: .Em off
2101: by default.
1.1.1.2 ! misho 2102: .It path_info
! 2103: Normally,
! 2104: .Nm sudo
! 2105: will tell the user when a command could not be
! 2106: found in their
! 2107: .Ev PATH
! 2108: environment variable.
! 2109: Some sites may wish to disable this as it could be used to gather
! 2110: information on the location of executables that the normal user does
! 2111: not have access to.
! 2112: The disadvantage is that if the executable is simply not in the user's
! 2113: .Ev PATH ,
! 2114: .Nm sudo
! 2115: will tell the user that they are not allowed to run it, which can be confusing.
! 2116: This flag is
! 2117: .Em @path_info@
! 2118: by default.
1.1 misho 2119: .It preserve_groups
2120: By default,
2121: .Nm sudo
2122: will initialize the group vector to the list of groups the target user is in.
2123: When
2124: .Em preserve_groups
2125: is set, the user's existing group vector is left unaltered.
2126: The real and effective group IDs, however, are still set to match the
2127: target user.
2128: This flag is
2129: .Em off
2130: by default.
2131: .It pwfeedback
2132: By default,
2133: .Nm sudo
2134: reads the password like most other Unix programs,
2135: by turning off echo until the user hits the return (or enter) key.
2136: Some users become confused by this as it appears to them that
2137: .Nm sudo
2138: has hung at this point.
2139: When
2140: .Em pwfeedback
2141: is set,
2142: .Nm sudo
2143: will provide visual feedback when the user presses a key.
2144: Note that this does have a security impact as an onlooker may be able to
2145: determine the length of the password being entered.
2146: This flag is
2147: .Em off
2148: by default.
2149: .It requiretty
2150: If set,
2151: .Nm sudo
2152: will only run when the user is logged in to a real tty.
2153: When this flag is set,
2154: .Nm sudo
2155: can only be run from a login session and not via other means such as
2156: .Xr cron @mansectsu@
2157: or cgi-bin scripts.
2158: This flag is
2159: .Em off
2160: by default.
2161: .It root_sudo
2162: If set, root is allowed to run
2163: .Nm sudo
2164: too.
2165: Disabling this prevents users from
2166: .Dq chaining
2167: .Nm sudo
2168: commands to get a root shell by doing something like
2169: .Dq Li sudo sudo /bin/sh .
2170: Note, however, that turning off
2171: .Em root_sudo
2172: will also prevent root from running
2173: .Nm sudoedit .
2174: Disabling
2175: .Em root_sudo
2176: provides no real additional security; it exists purely for historical reasons.
2177: This flag is
2178: .Em @root_sudo@
2179: by default.
2180: .It rootpw
2181: If set,
2182: .Nm sudo
2183: will prompt for the root password instead of the password of the invoking user.
2184: This flag is
2185: .Em off
2186: by default.
2187: .It runaspw
2188: If set,
2189: .Nm sudo
2190: will prompt for the password of the user defined by the
2191: .Em runas_default
2192: option (defaults to
2193: .Li @runas_default@ )
2194: instead of the password of the invoking user.
2195: This flag is
2196: .Em off
2197: by default.
2198: .It set_home
2199: If enabled and
2200: .Nm sudo
2201: is invoked with the
2202: .Fl s
2203: option the
2204: .Ev HOME
2205: environment variable will be set to the home directory of the target
2206: user (which is root unless the
2207: .Fl u
2208: option is used).
2209: This effectively makes the
2210: .Fl s
2211: option imply
2212: .Fl H .
2213: Note that
2214: .Ev HOME
2215: is already set when the the
2216: .Em env_reset
2217: option is enabled, so
2218: .Em set_home
2219: is only effective for configurations where either
2220: .Em env_reset
2221: is disabled
2222: or
2223: .Ev HOME
2224: is present in the
2225: .Em env_keep
2226: list.
2227: This flag is
2228: .Em off
2229: by default.
2230: .It set_logname
2231: Normally,
2232: .Nm sudo
2233: will set the
2234: .Ev LOGNAME ,
2235: .Ev USER
2236: and
2237: .Ev USERNAME
2238: environment variables to the name of the target user (usually root unless the
2239: .Fl u
2240: option is given).
2241: However, since some programs (including the RCS revision control system) use
2242: .Ev LOGNAME
2243: to determine the real identity of the user, it may be desirable to
2244: change this behavior.
2245: This can be done by negating the set_logname option.
2246: Note that if the
2247: .Em env_reset
2248: option has not been disabled, entries in the
2249: .Em env_keep
2250: list will override the value of
2251: .Em set_logname .
2252: This flag is
2253: .Em on
2254: by default.
2255: .It set_utmp
2256: When enabled,
2257: .Nm sudo
2258: will create an entry in the utmp (or utmpx) file when a pseudo-tty
2259: is allocated.
2260: A pseudo-tty is allocated by
2261: .Nm sudo
2262: when the
2263: .Em log_input ,
2264: .Em log_output
2265: or
2266: .Em use_pty
2267: flags are enabled.
2268: By default, the new entry will be a copy of the user's existing utmp
2269: entry (if any), with the tty, time, type and pid fields updated.
2270: This flag is
2271: .Em on
2272: by default.
2273: .It setenv
2274: Allow the user to disable the
2275: .Em env_reset
2276: option from the command line via the
2277: .Fl E
2278: option.
2279: Additionally, environment variables set via the command line are
2280: not subject to the restrictions imposed by
2281: .Em env_check ,
2282: .Em env_delete ,
2283: or
2284: .Em env_keep .
2285: As such, only trusted users should be allowed to set variables in this manner.
2286: This flag is
2287: .Em off
2288: by default.
2289: .It shell_noargs
2290: If set and
2291: .Nm sudo
2292: is invoked with no arguments it acts as if the
2293: .Fl s
2294: option had been given.
2295: That is, it runs a shell as root (the shell is determined by the
2296: .Ev SHELL
2297: environment variable if it is set, falling back on the shell listed
2298: in the invoking user's /etc/passwd entry if not).
2299: This flag is
2300: .Em off
2301: by default.
2302: .It stay_setuid
2303: Normally, when
2304: .Nm sudo
2305: executes a command the real and effective UIDs are set to the target
2306: user (root by default).
2307: This option changes that behavior such that the real UID is left
2308: as the invoking user's UID.
2309: In other words, this makes
2310: .Nm sudo
2311: act as a setuid wrapper.
2312: This can be useful on systems that disable some potentially
2313: dangerous functionality when a program is run setuid.
2314: This option is only effective on systems that support either the
2315: .Xr setreuid 2
2316: or
2317: .Xr setresuid 2
2318: system call.
2319: This flag is
2320: .Em off
2321: by default.
2322: .It targetpw
2323: If set,
2324: .Nm sudo
2325: will prompt for the password of the user specified
2326: by the
2327: .Fl u
2328: option (defaults to
2329: .Li root )
2330: instead of the password of the invoking user.
2331: In addition, the time stamp file name will include the target user's name.
2332: Note that this flag precludes the use of a uid not listed in the passwd
2333: database as an argument to the
2334: .Fl u
2335: option.
2336: This flag is
2337: .Em off
2338: by default.
2339: .It tty_tickets
2340: If set, users must authenticate on a per-tty basis.
2341: With this flag enabled,
2342: .Nm sudo
2343: will use a file named for the tty the user is
2344: logged in on in the user's time stamp directory.
2345: If disabled, the time stamp of the directory is used instead.
2346: This flag is
2347: .Em @tty_tickets@
2348: by default.
2349: .It umask_override
2350: If set,
2351: .Nm sudo
2352: will set the umask as specified by
2353: .Em sudoers
2354: without modification.
2355: This makes it possible to specify a more permissive umask in
2356: .Em sudoers
2357: than the user's own umask and matches historical behavior.
2358: If
2359: .Em umask_override
2360: is not set,
2361: .Nm sudo
2362: will set the umask to be the union of the user's umask and what is specified in
2363: .Em sudoers .
2364: This flag is
2365: .Em @umask_override@
2366: by default.
2367: .It use_loginclass
2368: If set,
2369: .Nm sudo
2370: will apply the defaults specified for the target user's login class
2371: if one exists.
2372: Only available if
2373: .Nm sudo
2374: is configured with the
2375: .Li --with-logincap
2376: option.
2377: This flag is
2378: .Em off
2379: by default.
2380: .It use_pty
2381: If set,
2382: .Nm sudo
2383: will run the command in a pseudo-pty even if no I/O logging is being gone.
2384: A malicious program run under
2385: .Nm sudo
2386: could conceivably fork a background process that retains to the user's
2387: terminal device after the main program has finished executing.
2388: Use of this option will make that impossible.
2389: This flag is
2390: .Em off
2391: by default.
2392: .It utmp_runas
2393: If set,
2394: .Nm sudo
2395: will store the name of the runas user when updating the utmp (or utmpx) file.
2396: By default,
2397: .Nm sudo
2398: stores the name of the invoking user.
2399: This flag is
2400: .Em off
2401: by default.
2402: .It visiblepw
2403: By default,
2404: .Nm sudo
2405: will refuse to run if the user must enter a password but it is not
2406: possible to disable echo on the terminal.
2407: If the
2408: .Em visiblepw
2409: flag is set,
2410: .Nm sudo
2411: will prompt for a password even when it would be visible on the screen.
2412: This makes it possible to run things like
2413: .Dq Li ssh somehost sudo ls
2414: since by default,
2415: .Xr ssh 1
2416: does
2417: not allocate a tty when running a command.
2418: This flag is
2419: .Em off
2420: by default.
2421: .El
2422: .Pp
2423: .Sy Integers :
2424: .Bl -tag -width 16n
2425: .It closefrom
2426: Before it executes a command,
2427: .Nm sudo
2428: will close all open file descriptors other than standard input,
2429: standard output and standard error (ie: file descriptors 0-2).
2430: The
2431: .Em closefrom
2432: option can be used to specify a different file descriptor at which
2433: to start closing.
2434: The default is
2435: .Li 3 .
2436: .It passwd_tries
2437: The number of tries a user gets to enter his/her password before
2438: .Nm sudo
2439: logs the failure and exits.
2440: The default is
2441: .Li @passwd_tries@ .
2442: .El
2443: .Pp
2444: .Sy Integers that can be used in a boolean context :
2445: .Bl -tag -width 16n
2446: .It loglinelen
2447: Number of characters per line for the file log.
2448: This value is used to decide when to wrap lines for nicer log files.
2449: This has no effect on the syslog log file, only the file log.
2450: The default is
2451: .Li @loglen@
2452: (use 0 or negate the option to disable word wrap).
2453: .It passwd_timeout
2454: Number of minutes before the
2455: .Nm sudo
2456: password prompt times out, or
2457: .Li 0
2458: for no timeout.
2459: The timeout may include a fractional component
2460: if minute granularity is insufficient, for example
2461: .Li 2.5 .
2462: The
2463: default is
2464: .Li @password_timeout@ .
2465: .It timestamp_timeout
2466: Number of minutes that can elapse before
2467: .Nm sudo
2468: will ask for a passwd again.
2469: The timeout may include a fractional component if
2470: minute granularity is insufficient, for example
2471: .Li 2.5 .
2472: The default is
2473: .Li @timeout@ .
2474: Set this to
2475: .Li 0
2476: to always prompt for a password.
2477: If set to a value less than
2478: .Li 0
2479: the user's time stamp will never expire.
2480: This can be used to allow users to create or delete their own time stamps via
2481: .Dq Li sudo -v
2482: and
2483: .Dq Li sudo -k
2484: respectively.
2485: .It umask
2486: Umask to use when running the command.
2487: Negate this option or set it to 0777 to preserve the user's umask.
2488: The actual umask that is used will be the union of the user's umask
2489: and the value of the
2490: .Em umask
2491: option, which defaults to
2492: .Li @sudo_umask@ .
2493: This guarantees
2494: that
2495: .Nm sudo
2496: never lowers the umask when running a command.
2497: Note: on systems that use PAM, the default PAM configuration may specify
2498: its own umask which will override the value set in
2499: .Em sudoers .
2500: .El
2501: .Pp
2502: .Sy Strings :
2503: .Bl -tag -width 16n
2504: .It badpass_message
2505: Message that is displayed if a user enters an incorrect password.
2506: The default is
2507: .Li @badpass_message@
2508: unless insults are enabled.
2509: .It editor
2510: A colon
2511: .Pq Ql :\&
2512: separated list of editors allowed to be used with
2513: .Nm visudo .
2514: .Nm visudo
2515: will choose the editor that matches the user's
2516: .Ev EDITOR
2517: environment variable if possible, or the first editor in the
2518: list that exists and is executable.
2519: The default is
2520: .Pa @editor@ .
2521: .It iolog_dir
2522: The top-level directory to use when constructing the path name for
2523: the input/output log directory.
2524: Only used if the
2525: .Em log_input
2526: or
2527: .Em log_output
2528: options are enabled or when the
2529: .Li LOG_INPUT
2530: or
2531: .Li LOG_OUTPUT
2532: tags are present for a command.
2533: The session sequence number, if any, is stored in the directory.
2534: The default is
2535: .Pa @iolog_dir@ .
2536: .Pp
2537: The following percent
2538: .Pq Ql %
2539: escape sequences are supported:
2540: .Bl -tag -width 4n
2541: .It Li %{seq}
2542: expanded to a monotonically increasing base-36 sequence number, such as 0100A5,
2543: where every two digits are used to form a new directory, e.g.\&
2544: .Pa 01/00/A5
2545: .It Li %{user}
2546: expanded to the invoking user's login name
2547: .It Li %{group}
2548: expanded to the name of the invoking user's real group ID
2549: .It Li %{runas_user}
2550: expanded to the login name of the user the command will
2551: be run as (e.g.\& root)
2552: .It Li %{runas_group}
2553: expanded to the group name of the user the command will
2554: be run as (e.g.\& wheel)
2555: .It Li %{hostname}
2556: expanded to the local host name without the domain name
2557: .It Li %{command}
2558: expanded to the base name of the command being run
2559: .El
2560: .Pp
2561: In addition, any escape sequences supported by the system's
2562: .Xr strftime 3
2563: function will be expanded.
2564: .Pp
2565: To include a literal
2566: .Ql %
2567: character, the string
2568: .Ql %%
2569: should be used.
2570: .It iolog_file
2571: The path name, relative to
2572: .Em iolog_dir ,
2573: in which to store input/output logs when the
2574: .Em log_input
2575: or
2576: .Em log_output
2577: options are enabled or when the
2578: .Li LOG_INPUT
2579: or
2580: .Li LOG_OUTPUT
2581: tags are present for a command.
2582: Note that
2583: .Em iolog_file
2584: may contain directory components.
2585: The default is
2586: .Dq Li %{seq} .
2587: .Pp
2588: See the
2589: .Em iolog_dir
2590: option above for a list of supported percent
2591: .Pq Ql %
2592: escape sequences.
2593: .Pp
2594: In addition to the escape sequences, path names that end in six or
2595: more
2596: .Li X Ns No s
2597: will have the
2598: .Li X Ns No s
2599: replaced with a unique combination of digits and letters, similar to the
2600: .Xr mktemp 3
2601: function.
1.1.1.2 ! misho 2602: .Pp
! 2603: If the path created by concatenating
! 2604: .Em iolog_dir
! 2605: and
! 2606: .Em iolog_file
! 2607: already exists, the existing I/O log file will be truncated and
! 2608: overwritten unless
! 2609: .Em iolog_file
! 2610: ends in six or
! 2611: more
! 2612: .Li X Ns No s .
1.1 misho 2613: .It limitprivs
2614: The default Solaris limit privileges to use when constructing a new
2615: privilege set for a command.
2616: This bounds all privileges of the executing process.
2617: The default limit privileges may be overridden on a per-command basis in
2618: .Em sudoers .
2619: This option is only available if
2620: .Nm
2621: is built on Solaris 10 or higher.
2622: .It mailsub
2623: Subject of the mail sent to the
2624: .Em mailto
2625: user.
2626: The escape
2627: .Li %h
2628: will expand to the host name of the machine.
2629: Default is
2630: .Dq Li @mailsub@ .
1.1.1.2 ! misho 2631: .It maxseq
! 2632: The maximum sequence number that will be substituted for the
! 2633: .Dq Li %{seq}
! 2634: escape in the I/O log file (see the
! 2635: .Em iolog_dir
! 2636: description above for more information).
! 2637: While the value substituted for
! 2638: .Dq Li %{seq}
! 2639: is in base 36,
! 2640: .Em maxseq
! 2641: itself should be expressed in decimal.
! 2642: Values larger than 2176782336 (which corresponds to the
! 2643: base 36 sequence number
! 2644: .Dq ZZZZZZ )
! 2645: will be silently truncated to 2176782336.
! 2646: The default value is 2176782336.
! 2647: .Pp
! 2648: Once the local sequence number reaches the value of
! 2649: .Em maxseq ,
! 2650: it will
! 2651: .Dq roll over
! 2652: to zero, after which
! 2653: .Nm sudoers
! 2654: will truncate and re-use any existing I/O log pathnames.
! 2655: .Pp
! 2656: This setting is only supported by version 1.8.7 or higher.
1.1 misho 2657: .It noexec_file
1.1.1.2 ! misho 2658: As of
! 2659: .Nm sudo
! 2660: version 1.8.1 this option is no longer supported.
1.1 misho 2661: The path to the noexec file should now be set in the
1.1.1.2 ! misho 2662: .Xr sudo.conf @mansectform@
1.1 misho 2663: file.
2664: .It passprompt
2665: The default prompt to use when asking for a password; can be overridden via the
2666: .Fl p
2667: option or the
2668: .Ev SUDO_PROMPT
2669: environment variable.
2670: The following percent
2671: .Pq Ql %
2672: escape sequences are supported:
2673: .Bl -tag -width 4n
2674: .It Li %H
2675: expanded to the local host name including the domain name
2676: (only if the machine's host name is fully qualified or the
2677: .Em fqdn
2678: option is set)
2679: .It Li %h
2680: expanded to the local host name without the domain name
2681: .It Li %p
2682: expanded to the user whose password is being asked for (respects the
2683: .Em rootpw ,
2684: .Em targetpw
2685: and
2686: .Em runaspw
2687: flags in
2688: .Em sudoers )
2689: .It Li \&%U
2690: expanded to the login name of the user the command will
2691: be run as (defaults to root)
2692: .It Li %u
2693: expanded to the invoking user's login name
2694: .It Li %%
2695: two consecutive
2696: .Li %
2697: characters are collapsed into a single
2698: .Li %
2699: character
2700: .El
2701: .Pp
2702: The default value is
2703: .Dq Li @passprompt@ .
2704: .It privs
2705: The default Solaris privileges to use when constructing a new
2706: privilege set for a command.
2707: This is passed to the executing process via the inherited privilege set,
2708: but is bounded by the limit privileges.
2709: If the
2710: .Em privs
2711: option is specified but the
2712: .Em limitprivs
2713: option is not, the limit privileges of the executing process is set to
2714: .Em privs .
2715: The default privileges may be overridden on a per-command basis in
2716: .Em sudoers .
2717: This option is only available if
2718: .Nm
2719: is built on Solaris 10 or higher.
2720: .It role
2721: The default SELinux role to use when constructing a new security
2722: context to run the command.
2723: The default role may be overridden on a per-command basis in
2724: .Em sudoers
2725: or via command line options.
2726: This option is only available when
2727: .Nm sudo
2728: is built with SELinux support.
2729: .It runas_default
2730: The default user to run commands as if the
2731: .Fl u
2732: option is not specified on the command line.
2733: This defaults to
2734: .Li @runas_default@ .
2735: .It syslog_badpri
2736: Syslog priority to use when user authenticates unsuccessfully.
2737: Defaults to
2738: .Li @badpri@ .
2739: .Pp
2740: The following syslog priorities are supported:
2741: .Sy alert ,
2742: .Sy crit ,
2743: .Sy debug ,
2744: .Sy emerg ,
2745: .Sy err ,
2746: .Sy info ,
2747: .Sy notice ,
2748: and
2749: .Sy warning .
2750: .It syslog_goodpri
2751: Syslog priority to use when user authenticates successfully.
2752: Defaults to
2753: .Li @goodpri@ .
2754: .Pp
2755: See
2756: .Sx syslog_badpri
2757: for the list of supported syslog priorities.
2758: .It sudoers_locale
2759: Locale to use when parsing the sudoers file, logging commands, and
2760: sending email.
2761: Note that changing the locale may affect how sudoers is interpreted.
2762: Defaults to
2763: .Dq Li C .
2764: .It timestampdir
2765: The directory in which
2766: .Nm sudo
2767: stores its time stamp files.
2768: The default is
2769: .Pa @timedir@ .
2770: .It timestampowner
2771: The owner of the time stamp directory and the time stamps stored therein.
2772: The default is
2773: .Li root .
2774: .It type
2775: The default SELinux type to use when constructing a new security
2776: context to run the command.
2777: The default type may be overridden on a per-command basis in
2778: .Em sudoers
2779: or via command line options.
2780: This option is only available when
2781: .Nm sudo
2782: is built with SELinux support.
2783: .El
2784: .Pp
2785: .Sy Strings that can be used in a boolean context :
2786: .Bl -tag -width 12n
2787: .It env_file
2788: The
2789: .Em env_file
2790: option specifies the fully qualified path to a file containing variables
2791: to be set in the environment of the program being run.
2792: Entries in this file should either be of the form
2793: .Dq Li VARIABLE=value
2794: or
2795: .Dq Li export VARIABLE=value .
2796: The value may optionally be surrounded by single or double quotes.
2797: Variables in this file are subject to other
2798: .Nm sudo
2799: environment settings such as
2800: .Em env_keep
2801: and
2802: .Em env_check .
2803: .It exempt_group
2804: Users in this group are exempt from password and PATH requirements.
2805: The group name specified should not include a
2806: .Li %
2807: prefix.
2808: This is not set by default.
2809: .It group_plugin
2810: A string containing a
2811: .Em sudoers
2812: group plugin with optional arguments.
2813: The string should consist of the plugin
2814: path, either fully-qualified or relative to the
1.1.1.2 ! misho 2815: .Pa @PLUGINDIR@
1.1 misho 2816: directory, followed by any configuration arguments the plugin requires.
2817: These arguments (if any) will be passed to the plugin's initialization function.
2818: If arguments are present, the string must be enclosed in double quotes
2819: .Pq \&"" .
2820: .Pp
2821: For more information see
1.1.1.2 ! misho 2822: .Xr "GROUP PROVIDER PLUGINS" .
1.1 misho 2823: .It lecture
2824: This option controls when a short lecture will be printed along with
2825: the password prompt.
2826: It has the following possible values:
2827: .Bl -tag -width 6n
2828: .It always
2829: Always lecture the user.
2830: .It never
2831: Never lecture the user.
2832: .It once
2833: Only lecture the user the first time they run
2834: .Nm sudo .
2835: .El
2836: .Pp
2837: If no value is specified, a value of
2838: .Em once
2839: is implied.
2840: Negating the option results in a value of
2841: .Em never
2842: being used.
2843: The default value is
2844: .Em @lecture@ .
2845: .It lecture_file
2846: Path to a file containing an alternate
2847: .Nm sudo
2848: lecture that will be used in place of the standard lecture if the named
2849: file exists.
2850: By default,
2851: .Nm sudo
2852: uses a built-in lecture.
2853: .It listpw
2854: This option controls when a password will be required when a user runs
2855: .Nm sudo
2856: with the
2857: .Fl l
2858: option.
2859: It has the following possible values:
2860: .Bl -tag -width 8n
2861: .It all
2862: All the user's
2863: .Em sudoers
2864: entries for the current host must have
2865: the
2866: .Li NOPASSWD
2867: flag set to avoid entering a password.
2868: .It always
2869: The user must always enter a password to use the
2870: .Fl l
2871: option.
2872: .It any
2873: At least one of the user's
2874: .Em sudoers
2875: entries for the current host
2876: must have the
2877: .Li NOPASSWD
2878: flag set to avoid entering a password.
2879: .It never
2880: The user need never enter a password to use the
2881: .Fl l
2882: option.
2883: .El
2884: .Pp
2885: If no value is specified, a value of
2886: .Em any
2887: is implied.
2888: Negating the option results in a value of
2889: .Em never
2890: being used.
2891: The default value is
2892: .Em any .
2893: .It logfile
2894: Path to the
2895: .Nm sudo
2896: log file (not the syslog log file).
2897: Setting a path turns on logging to a file;
2898: negating this option turns it off.
2899: By default,
2900: .Nm sudo
2901: logs via syslog.
2902: .It mailerflags
2903: Flags to use when invoking mailer. Defaults to
2904: .Fl t .
2905: .It mailerpath
2906: Path to mail program used to send warning mail.
2907: Defaults to the path to sendmail found at configure time.
2908: .It mailfrom
2909: Address to use for the
2910: .Dq from
2911: address when sending warning and error mail.
2912: The address should be enclosed in double quotes
2913: .Pq \&""
2914: to protect against
2915: .Nm sudo
2916: interpreting the
2917: .Li @
2918: sign.
2919: Defaults to the name of the user running
2920: .Nm sudo .
2921: .It mailto
2922: Address to send warning and error mail to.
2923: The address should be enclosed in double quotes
2924: .Pq \&""
2925: to protect against
2926: .Nm sudo
2927: interpreting the
2928: .Li @
2929: sign.
2930: Defaults to
2931: .Li @mailto@ .
2932: .It secure_path
2933: Path used for every command run from
2934: .Nm sudo .
2935: If you don't trust the
2936: people running
2937: .Nm sudo
2938: to have a sane
2939: .Ev PATH
2940: environment variable you may want to use this.
2941: Another use is if you want to have the
2942: .Dq root path
2943: be separate from the
2944: .Dq user path .
2945: Users in the group specified by the
2946: .Em exempt_group
2947: option are not affected by
2948: .Em secure_path .
2949: This option is @secure_path@ by default.
2950: .It syslog
2951: Syslog facility if syslog is being used for logging (negate to
2952: disable syslog logging).
2953: Defaults to
2954: .Li @logfac@ .
2955: .Pp
2956: The following syslog facilities are supported:
2957: .Sy authpriv
2958: (if your
2959: OS supports it),
2960: .Sy auth ,
2961: .Sy daemon ,
2962: .Sy user ,
2963: .Sy local0 ,
2964: .Sy local1 ,
2965: .Sy local2 ,
2966: .Sy local3 ,
2967: .Sy local4 ,
2968: .Sy local5 ,
2969: .Sy local6 ,
2970: and
2971: .Sy local7 .
2972: .It verifypw
2973: This option controls when a password will be required when a user runs
2974: .Nm sudo
2975: with the
2976: .Fl v
2977: option.
2978: It has the following possible values:
2979: .Bl -tag -width 6n
2980: .It all
2981: All the user's
2982: .Em sudoers
2983: entries for the current host must have the
2984: .Li NOPASSWD
2985: flag set to avoid entering a password.
2986: .It always
2987: The user must always enter a password to use the
2988: .Fl v
2989: option.
2990: .It any
2991: At least one of the user's
2992: .Em sudoers
2993: entries for the current host must have the
2994: .Li NOPASSWD
2995: flag set to avoid entering a password.
2996: .It never
2997: The user need never enter a password to use the
2998: .Fl v
2999: option.
3000: .El
3001: .Pp
3002: If no value is specified, a value of
3003: .Em all
3004: is implied.
3005: Negating the option results in a value of
3006: .Em never
3007: being used.
3008: The default value is
3009: .Em all .
3010: .El
3011: .Pp
3012: .Sy Lists that can be used in a boolean context :
3013: .Bl -tag -width 16n
3014: .It env_check
3015: Environment variables to be removed from the user's environment if
3016: the variable's value contains
3017: .Ql %
3018: or
3019: .Ql /
3020: characters.
3021: This can be used to guard against printf-style format vulnerabilities
3022: in poorly-written programs.
3023: The argument may be a double-quoted, space-separated list or a
3024: single value without double-quotes.
3025: The list can be replaced, added to, deleted from, or disabled by using
3026: the
3027: .Li = ,
3028: .Li += ,
3029: .Li -= ,
3030: and
3031: .Li \&!
3032: operators respectively.
3033: Regardless of whether the
3034: .Li env_reset
3035: option is enabled or disabled, variables specified by
3036: .Li env_check
3037: will be preserved in the environment if they pass the aforementioned check.
3038: The default list of environment variables to check is displayed when
3039: .Nm sudo
3040: is run by root with
3041: the
3042: .Fl V
3043: option.
3044: .It env_delete
3045: Environment variables to be removed from the user's environment when the
3046: .Em env_reset
3047: option is not in effect.
3048: The argument may be a double-quoted, space-separated list or a
3049: single value without double-quotes.
3050: The list can be replaced, added to, deleted from, or disabled by using the
3051: .Li = ,
3052: .Li += ,
3053: .Li -= ,
3054: and
3055: .Li \&!
3056: operators respectively.
3057: The default list of environment variables to remove is displayed when
3058: .Nm sudo
3059: is run by root with the
3060: .Fl V
3061: option.
3062: Note that many operating systems will remove potentially dangerous
3063: variables from the environment of any setuid process (such as
3064: .Nm sudo ) .
3065: .It env_keep
3066: Environment variables to be preserved in the user's environment when the
3067: .Em env_reset
3068: option is in effect.
3069: This allows fine-grained control over the environment
3070: .Nm sudo Ns No -spawned
3071: processes will receive.
3072: The argument may be a double-quoted, space-separated list or a
3073: single value without double-quotes.
3074: The list can be replaced, added to, deleted from, or disabled by using the
3075: .Li = ,
3076: .Li += ,
3077: .Li -= ,
3078: and
3079: .Li \&!
3080: operators respectively.
3081: The default list of variables to keep
3082: is displayed when
3083: .Nm sudo
3084: is run by root with the
3085: .Fl V
3086: option.
3087: .El
1.1.1.2 ! misho 3088: .Sh GROUP PROVIDER PLUGINS
! 3089: The
! 3090: .Nm sudoers
! 3091: plugin supports its own plugin interface to allow non-Unix
! 3092: group lookups which can query a group source other
! 3093: than the standard Unix group database.
! 3094: This can be used to implement support for the
! 3095: .Li nonunix_group
! 3096: syntax described earlier.
! 3097: .Pp
! 3098: Group provider plugins are specified via the
! 3099: .Em group_plugin
! 3100: Defaults setting.
! 3101: The argument to
! 3102: .Em group_plugin
! 3103: should consist of the plugin path, either fully-qualified or relative to the
! 3104: .Pa @PLUGINDIR@
! 3105: directory, followed by any configuration options the plugin requires.
! 3106: These options (if specified) will be passed to the plugin's initialization
! 3107: function.
! 3108: If options are present, the string must be enclosed in double quotes
! 3109: .Pq \&"" .
! 3110: .Pp
! 3111: The following group provider plugins are installed by default:
! 3112: .Bl -tag -width 8n
! 3113: .It group_file
! 3114: The
! 3115: .Em group_file
! 3116: plugin supports an alternate group file that uses the same syntax as the
! 3117: .Pa /etc/group
! 3118: file.
! 3119: The path to the group file should be specified as an option
! 3120: to the plugin.
! 3121: For example, if the group file to be used is
! 3122: .Pa /etc/sudo-group :
! 3123: .Bd -literal
! 3124: Defaults group_plugin="group_file.so /etc/sudo-group"
! 3125: .Ed
! 3126: .It system_group
! 3127: The
! 3128: .Em system_group
! 3129: plugin supports group lookups via the standard C library functions
! 3130: .Fn getgrnam
! 3131: and
! 3132: .Fn getgrid .
! 3133: This plugin can be used in instances where the user belongs to
! 3134: groups not present in the user's supplemental group vector.
! 3135: This plugin takes no options:
! 3136: .Bd -literal
! 3137: Defaults group_plugin=system_group.so
! 3138: .Ed
! 3139: .El
! 3140: .Pp
! 3141: The group provider plugin API is described in detail in
! 3142: .Xr sudo_plugin @mansectsu@ .
1.1 misho 3143: .Sh LOG FORMAT
3144: .Nm sudoers
3145: can log events using either
3146: .Xr syslog 3
3147: or a simple log file.
3148: In each case the log format is almost identical.
3149: .Ss Accepted command log entries
3150: Commands that sudo runs are logged using the following format (split
3151: into multiple lines for readability):
3152: .Bd -literal -offset 4n
3153: date hostname progname: username : TTY=ttyname ; PWD=cwd ; \e
3154: USER=runasuser ; GROUP=runasgroup ; TSID=logid ; \e
3155: ENV=env_vars COMMAND=command
3156: .Ed
3157: .Pp
3158: Where the fields are as follows:
3159: .Bl -tag -width 12n
3160: .It date
3161: The date the command was run.
3162: Typically, this is in the format
3163: .Dq MMM, DD, HH:MM:SS .
3164: If logging via
3165: .Xr syslog 3 ,
3166: the actual date format is controlled by the syslog daemon.
3167: If logging to a file and the
3168: .Em log_year
3169: option is enabled,
3170: the date will also include the year.
3171: .It hostname
3172: The name of the host
3173: .Nm sudo
3174: was run on.
3175: This field is only present when logging via
3176: .Xr syslog 3 .
3177: .It progname
3178: The name of the program, usually
3179: .Em sudo
3180: or
3181: .Em sudoedit .
3182: This field is only present when logging via
3183: .Xr syslog 3 .
3184: .It username
3185: The login name of the user who ran
3186: .Nm sudo .
3187: .It ttyname
3188: The short name of the terminal (e.g.\&
3189: .Dq console ,
3190: .Dq tty01 ,
3191: or
3192: .Dq pts/0 )
3193: .Nm sudo
3194: was run on, or
3195: .Dq unknown
3196: if there was no terminal present.
3197: .It cwd
3198: The current working directory that
3199: .Nm sudo
3200: was run in.
3201: .It runasuser
3202: The user the command was run as.
3203: .It runasgroup
3204: The group the command was run as if one was specified on the command line.
3205: .It logid
3206: An I/O log identifier that can be used to replay the command's output.
3207: This is only present when the
3208: .Em log_input
3209: or
3210: .Em log_output
3211: option is enabled.
3212: .It env_vars
3213: A list of environment variables specified on the command line,
3214: if specified.
3215: .It command
3216: The actual command that was executed.
3217: .El
3218: .Pp
3219: Messages are logged using the locale specified by
3220: .Em sudoers_locale ,
3221: which defaults to the
3222: .Dq Li C
3223: locale.
3224: .Ss Denied command log entries
3225: If the user is not allowed to run the command, the reason for the denial
3226: will follow the user name.
3227: Possible reasons include:
3228: .Bl -tag -width 4
3229: .It user NOT in sudoers
3230: The user is not listed in the
3231: .Em sudoers
3232: file.
3233: .It user NOT authorized on host
3234: The user is listed in the
3235: .Em sudoers
3236: file but is not allowed to run commands on the host.
3237: .It command not allowed
3238: The user is listed in the
3239: .Em sudoers
3240: file for the host but they are not allowed to run the specified command.
3241: .It 3 incorrect password attempts
3242: The user failed to enter their password after 3 tries.
3243: The actual number of tries will vary based on the number of
3244: failed attempts and the value of the
3245: .Em passwd_tries
3246: option.
3247: .It a password is required
3248: .Nm sudo Ns No 's
3249: .Fl n
3250: option was specified but a password was required.
3251: .It sorry, you are not allowed to set the following environment variables
3252: The user specified environment variables on the command line that
3253: were not allowed by
3254: .Em sudoers .
3255: .El
3256: .Ss Error log entries
3257: If an error occurs,
3258: .Nm sudoers
3259: will log a message and, in most cases, send a message to the
3260: administrator via email.
3261: Possible errors include:
3262: .Bl -tag -width 4
3263: .It parse error in @sysconfdir@/sudoers near line N
3264: .Nm sudoers
3265: encountered an error when parsing the specified file.
3266: In some cases, the actual error may be one line above or below the
3267: line number listed, depending on the type of error.
3268: .It problem with defaults entries
3269: The
3270: .Em sudoers
3271: file contains one or more unknown Defaults settings.
3272: This does not prevent
3273: .Nm sudo
3274: from running, but the
3275: .Em sudoers
3276: file should be checked using
3277: .Nm visudo .
3278: .It timestamp owner (username): \&No such user
3279: The time stamp directory owner, as specified by the
3280: .Em timestampowner
3281: setting, could not be found in the password database.
3282: .It unable to open/read @sysconfdir@/sudoers
3283: The
3284: .Em sudoers
3285: file could not be opened for reading.
3286: This can happen when the
3287: .Em sudoers
3288: file is located on a remote file system that maps user ID 0 to
3289: a different value.
3290: Normally,
3291: .Nm sudoers
3292: tries to open
3293: .Em sudoers
3294: using group permissions to avoid this problem.
1.1.1.2 ! misho 3295: Consider either changing the ownership of
1.1 misho 3296: .Pa @sysconfdir@/sudoers
1.1.1.2 ! misho 3297: or adding an argument like
1.1 misho 3298: .Dq sudoers_uid=N
3299: (where
3300: .Sq N
3301: is the user ID that owns the
3302: .Em sudoers
1.1.1.2 ! misho 3303: file) to the end of the
1.1 misho 3304: .Nm sudoers
1.1.1.2 ! misho 3305: .Li Plugin
! 3306: line in the
! 3307: .Xr sudo.conf @mansectform@
1.1 misho 3308: file.
3309: .It unable to stat @sysconfdir@/sudoers
3310: The
3311: .Pa @sysconfdir@/sudoers
3312: file is missing.
3313: .It @sysconfdir@/sudoers is not a regular file
3314: The
3315: .Pa @sysconfdir@/sudoers
3316: file exists but is not a regular file or symbolic link.
3317: .It @sysconfdir@/sudoers is owned by uid N, should be 0
3318: The
3319: .Em sudoers
3320: file has the wrong owner.
3321: If you wish to change the
3322: .Em sudoers
3323: file owner, please add
3324: .Dq sudoers_uid=N
3325: (where
3326: .Sq N
3327: is the user ID that owns the
3328: .Em sudoers
3329: file) to the
3330: .Nm sudoers
1.1.1.2 ! misho 3331: .Li Plugin
! 3332: line in the
! 3333: .Xr sudo.conf @mansectform@
1.1 misho 3334: file.
3335: .It @sysconfdir@/sudoers is world writable
3336: The permissions on the
3337: .Em sudoers
3338: file allow all users to write to it.
3339: The
3340: .Em sudoers
3341: file must not be world-writable, the default file mode
3342: is 0440 (readable by owner and group, writable by none).
3343: The default mode may be changed via the
3344: .Dq sudoers_mode
3345: option to the
3346: .Nm sudoers
1.1.1.2 ! misho 3347: .Li Plugin
! 3348: line in the
! 3349: .Xr sudo.conf @mansectform@
1.1 misho 3350: file.
3351: .It @sysconfdir@/sudoers is owned by gid N, should be 1
3352: The
3353: .Em sudoers
3354: file has the wrong group ownership.
3355: If you wish to change the
3356: .Em sudoers
3357: file group ownership, please add
3358: .Dq sudoers_gid=N
3359: (where
3360: .Sq N
3361: is the group ID that owns the
3362: .Em sudoers
3363: file) to the
3364: .Nm sudoers
1.1.1.2 ! misho 3365: .Li Plugin
! 3366: line in the
! 3367: .Xr sudo.conf @mansectform@
1.1 misho 3368: file.
3369: .It unable to open @timedir@/username/ttyname
3370: .Em sudoers
3371: was unable to read or create the user's time stamp file.
3372: .It unable to write to @timedir@/username/ttyname
3373: .Em sudoers
3374: was unable to write to the user's time stamp file.
3375: .It unable to mkdir to @timedir@/username
3376: .Em sudoers
3377: was unable to create the user's time stamp directory.
3378: .El
3379: .Ss Notes on logging via syslog
3380: By default,
3381: .Em sudoers
3382: logs messages via
3383: .Xr syslog 3 .
3384: The
3385: .Em date ,
3386: .Em hostname ,
3387: and
3388: .Em progname
3389: fields are added by the syslog daemon, not
3390: .Em sudoers
3391: itself.
3392: As such, they may vary in format on different systems.
3393: .Pp
3394: On most systems,
3395: .Xr syslog 3
3396: has a relatively small log buffer.
3397: To prevent the command line arguments from being truncated,
3398: .Nm sudoers
3399: will split up log messages that are larger than 960 characters
3400: (not including the date, hostname, and the string
3401: .Dq sudo ) .
3402: When a message is split, additional parts will include the string
3403: .Dq Pq command continued
3404: after the user name and before the continued command line arguments.
3405: .Ss Notes on logging to a file
3406: If the
3407: .Em logfile
3408: option is set,
3409: .Em sudoers
3410: will log to a local file, such as
3411: .Pa /var/log/sudo .
3412: When logging to a file,
3413: .Em sudoers
3414: uses a format similar to
3415: .Xr syslog 3 ,
3416: with a few important differences:
3417: .Bl -enum
3418: .It
3419: The
3420: .Em progname
3421: and
3422: .Em hostname
3423: fields are not present.
3424: .It
3425: If the
3426: .Em log_year
3427: option is enabled,
3428: the date will also include the year.
3429: .It
3430: Lines that are longer than
3431: .Em loglinelen
3432: characters (80 by default) are word-wrapped and continued on the
3433: next line with a four character indent.
3434: This makes entries easier to read for a human being, but makes it
3435: more difficult to use
3436: .Xr grep 1
3437: on the log files.
3438: If the
3439: .Em loglinelen
3440: option is set to 0 (or negated with a
3441: .Ql \&! ) ,
3442: word wrap will be disabled.
3443: .El
3444: .Sh FILES
3445: .Bl -tag -width 24n
3446: .It Pa @sysconfdir@/sudo.conf
3447: Sudo front end configuration
3448: .It Pa @sysconfdir@/sudoers
3449: List of who can run what
3450: .It Pa /etc/group
3451: Local groups file
3452: .It Pa /etc/netgroup
3453: List of network groups
3454: .It Pa @iolog_dir@
3455: I/O log files
3456: .It Pa @timedir@
3457: Directory containing time stamps for the
3458: .Em sudoers
3459: security policy
3460: .It Pa /etc/environment
3461: Initial environment for
3462: .Fl i
3463: mode on AIX and Linux systems
3464: .El
3465: .Sh EXAMPLES
3466: Below are example
3467: .Em sudoers
3468: entries.
3469: Admittedly, some of these are a bit contrived.
3470: First, we allow a few environment variables to pass and then define our
3471: .Em aliases :
3472: .Bd -literal
3473: # Run X applications through sudo; HOME is used to find the
3474: # .Xauthority file. Note that other programs use HOME to find
3475: # configuration files and this may lead to privilege escalation!
3476: Defaults env_keep += "DISPLAY HOME"
3477:
3478: # User alias specification
3479: User_Alias FULLTIMERS = millert, mikef, dowdy
3480: User_Alias PARTTIMERS = bostley, jwfox, crawl
3481: User_Alias WEBMASTERS = will, wendy, wim
3482:
3483: # Runas alias specification
3484: Runas_Alias OP = root, operator
3485: Runas_Alias DB = oracle, sybase
3486: Runas_Alias ADMINGRP = adm, oper
3487:
3488: # Host alias specification
3489: Host_Alias SPARC = bigtime, eclipse, moet, anchor :\e
3490: SGI = grolsch, dandelion, black :\e
3491: ALPHA = widget, thalamus, foobar :\e
3492: HPPA = boa, nag, python
3493: Host_Alias CUNETS = 128.138.0.0/255.255.0.0
3494: Host_Alias CSNETS = 128.138.243.0, 128.138.204.0/24, 128.138.242.0
3495: Host_Alias SERVERS = master, mail, www, ns
3496: Host_Alias CDROM = orion, perseus, hercules
3497:
3498: # Cmnd alias specification
3499: Cmnd_Alias DUMPS = /usr/bin/mt, /usr/sbin/dump, /usr/sbin/rdump,\e
1.1.1.2 ! misho 3500: /usr/sbin/restore, /usr/sbin/rrestore,\e
! 3501: sha224:0GomF8mNN3wlDt1HD9XldjJ3SNgpFdbjO1+NsQ== \e
! 3502: /home/operator/bin/start_backups
1.1 misho 3503: Cmnd_Alias KILL = /usr/bin/kill
3504: Cmnd_Alias PRINTING = /usr/sbin/lpc, /usr/bin/lprm
3505: Cmnd_Alias SHUTDOWN = /usr/sbin/shutdown
3506: Cmnd_Alias HALT = /usr/sbin/halt
3507: Cmnd_Alias REBOOT = /usr/sbin/reboot
3508: Cmnd_Alias SHELLS = /usr/bin/sh, /usr/bin/csh, /usr/bin/ksh,\e
3509: /usr/local/bin/tcsh, /usr/bin/rsh,\e
3510: /usr/local/bin/zsh
3511: Cmnd_Alias SU = /usr/bin/su
3512: Cmnd_Alias PAGERS = /usr/bin/more, /usr/bin/pg, /usr/bin/less
3513: .Ed
3514: .Pp
3515: Here we override some of the compiled in default values.
3516: We want
3517: .Nm sudo
3518: to log via
3519: .Xr syslog 3
3520: using the
3521: .Em auth
3522: facility in all cases.
3523: We don't want to subject the full time staff to the
3524: .Nm sudo
3525: lecture, user
3526: .Sy millert
3527: need not give a password, and we don't want to reset the
3528: .Ev LOGNAME ,
3529: .Ev USER
3530: or
3531: .Ev USERNAME
3532: environment variables when running commands as root.
3533: Additionally, on the machines in the
3534: .Em SERVERS
3535: .Li Host_Alias ,
3536: we keep an additional local log file and make sure we log the year
3537: in each log line since the log entries will be kept around for several years.
3538: Lastly, we disable shell escapes for the commands in the PAGERS
3539: .Li Cmnd_Alias
3540: .Po
3541: .Pa /usr/bin/more ,
3542: .Pa /usr/bin/pg
3543: and
3544: .Pa /usr/bin/less
3545: .Pc .
3546: .Bd -literal
3547: # Override built-in defaults
3548: Defaults syslog=auth
3549: Defaults>root !set_logname
3550: Defaults:FULLTIMERS !lecture
3551: Defaults:millert !authenticate
3552: Defaults@SERVERS log_year, logfile=/var/log/sudo.log
3553: Defaults!PAGERS noexec
3554: .Ed
3555: .Pp
3556: The
3557: .Em User specification
3558: is the part that actually determines who may run what.
3559: .Bd -literal
3560: root ALL = (ALL) ALL
3561: %wheel ALL = (ALL) ALL
3562: .Ed
3563: .Pp
3564: We let
3565: .Sy root
3566: and any user in group
3567: .Sy wheel
3568: run any command on any host as any user.
3569: .Bd -literal
3570: FULLTIMERS ALL = NOPASSWD: ALL
3571: .Ed
3572: .Pp
3573: Full time sysadmins
3574: .Po
3575: .Sy millert ,
3576: .Sy mikef ,
3577: and
3578: .Sy dowdy
3579: .Pc
3580: may run any command on any host without authenticating themselves.
3581: .Bd -literal
3582: PARTTIMERS ALL = ALL
3583: .Ed
3584: .Pp
3585: Part time sysadmins
3586: .Sy bostley ,
3587: .Sy jwfox ,
3588: and
3589: .Sy crawl )
3590: may run any command on any host but they must authenticate themselves
3591: first (since the entry lacks the
3592: .Li NOPASSWD
3593: tag).
3594: .Bd -literal
3595: jack CSNETS = ALL
3596: .Ed
3597: .Pp
3598: The user
3599: .Sy jack
3600: may run any command on the machines in the
3601: .Em CSNETS
3602: alias (the networks
3603: .Li 128.138.243.0 ,
3604: .Li 128.138.204.0 ,
3605: and
3606: .Li 128.138.242.0 ) .
3607: Of those networks, only
3608: .Li 128.138.204.0
3609: has an explicit netmask (in CIDR notation) indicating it is a class C network.
3610: For the other networks in
3611: .Em CSNETS ,
3612: the local machine's netmask will be used during matching.
3613: .Bd -literal
3614: lisa CUNETS = ALL
3615: .Ed
3616: .Pp
3617: The user
3618: .Sy lisa
3619: may run any command on any host in the
3620: .Em CUNETS
3621: alias (the class B network
3622: .Li 128.138.0.0 ) .
3623: .Bd -literal
3624: operator ALL = DUMPS, KILL, SHUTDOWN, HALT, REBOOT, PRINTING,\e
3625: sudoedit /etc/printcap, /usr/oper/bin/
3626: .Ed
3627: .Pp
3628: The
3629: .Sy operator
3630: user may run commands limited to simple maintenance.
3631: Here, those are commands related to backups, killing processes, the
3632: printing system, shutting down the system, and any commands in the
3633: directory
3634: .Pa /usr/oper/bin/ .
1.1.1.2 ! misho 3635: Note that one command in the
! 3636: .Li DUMPS
! 3637: Cmnd_Alias includes a sha224 digest,
! 3638: .Pa /home/operator/bin/start_backups .
! 3639: This is because the directory containing the script is writable by the
! 3640: operator user.
! 3641: If the script is modified (resulting in a digest mismatch) it will no longer
! 3642: be possible to run it via
! 3643: .Nm sudo .
1.1 misho 3644: .Bd -literal
3645: joe ALL = /usr/bin/su operator
3646: .Ed
3647: .Pp
3648: The user
3649: .Sy joe
3650: may only
3651: .Xr su 1
3652: to operator.
3653: .Bd -literal
3654: pete HPPA = /usr/bin/passwd [A-Za-z]*, !/usr/bin/passwd root
3655:
3656: %opers ALL = (: ADMINGRP) /usr/sbin/
3657: .Ed
3658: .Pp
3659: Users in the
3660: .Sy opers
3661: group may run commands in
3662: .Pa /usr/sbin/
3663: as themselves
3664: with any group in the
3665: .Em ADMINGRP
3666: .Li Runas_Alias
3667: (the
3668: .Sy adm
3669: and
3670: .Sy oper
3671: groups).
3672: .Pp
3673: The user
3674: .Sy pete
3675: is allowed to change anyone's password except for
3676: root on the
3677: .Em HPPA
3678: machines.
3679: Note that this assumes
3680: .Xr passwd 1
3681: does not take multiple user names on the command line.
3682: .Bd -literal
3683: bob SPARC = (OP) ALL : SGI = (OP) ALL
3684: .Ed
3685: .Pp
3686: The user
3687: .Sy bob
3688: may run anything on the
3689: .Em SPARC
3690: and
3691: .Em SGI
3692: machines as any user listed in the
3693: .Em OP
3694: .Li Runas_Alias
3695: .Po
3696: .Sy root
3697: and
3698: .Sy operator .
3699: .Pc
3700: .Bd -literal
3701: jim +biglab = ALL
3702: .Ed
3703: .Pp
3704: The user
3705: .Sy jim
3706: may run any command on machines in the
3707: .Em biglab
3708: netgroup.
3709: .Nm sudo
3710: knows that
3711: .Dq biglab
3712: is a netgroup due to the
3713: .Ql +
3714: prefix.
3715: .Bd -literal
3716: +secretaries ALL = PRINTING, /usr/bin/adduser, /usr/bin/rmuser
3717: .Ed
3718: .Pp
3719: Users in the
3720: .Sy secretaries
3721: netgroup need to help manage the printers as well as add and remove users,
3722: so they are allowed to run those commands on all machines.
3723: .Bd -literal
3724: fred ALL = (DB) NOPASSWD: ALL
3725: .Ed
3726: .Pp
3727: The user
3728: .Sy fred
3729: can run commands as any user in the
3730: .Em DB
3731: .Li Runas_Alias
3732: .Po
3733: .Sy oracle
3734: or
3735: .Sy sybase
3736: .Pc
3737: without giving a password.
3738: .Bd -literal
3739: john ALPHA = /usr/bin/su [!-]*, !/usr/bin/su *root*
3740: .Ed
3741: .Pp
3742: On the
3743: .Em ALPHA
3744: machines, user
3745: .Sy john
3746: may su to anyone except root but he is not allowed to specify any options
3747: to the
3748: .Xr su 1
3749: command.
3750: .Bd -literal
3751: jen ALL, !SERVERS = ALL
3752: .Ed
3753: .Pp
3754: The user
3755: .Sy jen
3756: may run any command on any machine except for those in the
3757: .Em SERVERS
3758: .Li Host_Alias
3759: (master, mail, www and ns).
3760: .Bd -literal
3761: jill SERVERS = /usr/bin/, !SU, !SHELLS
3762: .Ed
3763: .Pp
3764: For any machine in the
3765: .Em SERVERS
3766: .Li Host_Alias ,
3767: .Sy jill
3768: may run
3769: any commands in the directory
3770: .Pa /usr/bin/
3771: except for those commands
3772: belonging to the
3773: .Em SU
3774: and
3775: .Em SHELLS
3776: .Li Cmnd_Aliases .
3777: .Bd -literal
3778: steve CSNETS = (operator) /usr/local/op_commands/
3779: .Ed
3780: .Pp
3781: The user
3782: .Sy steve
3783: may run any command in the directory /usr/local/op_commands/
3784: but only as user operator.
3785: .Bd -literal
3786: matt valkyrie = KILL
3787: .Ed
3788: .Pp
3789: On his personal workstation, valkyrie,
3790: .Sy matt
3791: needs to be able to kill hung processes.
3792: .Bd -literal
3793: WEBMASTERS www = (www) ALL, (root) /usr/bin/su www
3794: .Ed
3795: .Pp
3796: On the host www, any user in the
3797: .Em WEBMASTERS
3798: .Li User_Alias
3799: (will, wendy, and wim), may run any command as user www (which owns the
3800: web pages) or simply
3801: .Xr su 1
3802: to www.
3803: .Bd -literal
3804: ALL CDROM = NOPASSWD: /sbin/umount /CDROM,\e
3805: /sbin/mount -o nosuid\,nodev /dev/cd0a /CDROM
3806: .Ed
3807: .Pp
3808: Any user may mount or unmount a CD-ROM on the machines in the CDROM
3809: .Li Host_Alias
3810: (orion, perseus, hercules) without entering a password.
3811: This is a bit tedious for users to type, so it is a prime candidate
3812: for encapsulating in a shell script.
3813: .Sh SECURITY NOTES
3814: .Ss Limitations of the So !\& Sc operator
3815: It is generally not effective to
3816: .Dq subtract
3817: commands from
3818: .Sy ALL
3819: using the
3820: .Ql !\&
3821: operator.
3822: A user can trivially circumvent this by copying the desired command
3823: to a different name and then executing that.
3824: For example:
3825: .Bd -literal
3826: bill ALL = ALL, !SU, !SHELLS
3827: .Ed
3828: .Pp
3829: Doesn't really prevent
3830: .Sy bill
3831: from running the commands listed in
3832: .Em SU
3833: or
3834: .Em SHELLS
3835: since he can simply copy those commands to a different name, or use
3836: a shell escape from an editor or other program.
3837: Therefore, these kind of restrictions should be considered
3838: advisory at best (and reinforced by policy).
3839: .Pp
3840: In general, if a user has sudo
3841: .Sy ALL
3842: there is nothing to prevent them from creating their own program that gives
3843: them a root shell (or making their own copy of a shell) regardless of any
3844: .Ql !\&
3845: elements in the user specification.
3846: .Ss Security implications of Em fast_glob
3847: If the
3848: .Em fast_glob
3849: option is in use, it is not possible to reliably negate commands where the
3850: path name includes globbing (aka wildcard) characters.
3851: This is because the C library's
3852: .Xr fnmatch 3
3853: function cannot resolve relative paths.
3854: While this is typically only an inconvenience for rules that grant privileges,
3855: it can result in a security issue for rules that subtract or revoke privileges.
3856: .Pp
3857: For example, given the following
3858: .Em sudoers
3859: entry:
3860: .Bd -literal
3861: john ALL = /usr/bin/passwd [a-zA-Z0-9]*, /usr/bin/chsh [a-zA-Z0-9]*,\e
3862: /usr/bin/chfn [a-zA-Z0-9]*, !/usr/bin/* root
3863: .Ed
3864: .Pp
3865: User
3866: .Sy john
3867: can still run
3868: .Li /usr/bin/passwd root
3869: if
3870: .Em fast_glob
3871: is enabled by changing to
3872: .Pa /usr/bin
3873: and running
3874: .Li ./passwd root
3875: instead.
3876: .Ss Preventing shell escapes
3877: Once
3878: .Nm sudo
3879: executes a program, that program is free to do whatever
3880: it pleases, including run other programs.
3881: This can be a security issue since it is not uncommon for a program to
3882: allow shell escapes, which lets a user bypass
3883: .Nm sudo Ns No 's
3884: access control and logging.
3885: Common programs that permit shell escapes include shells (obviously),
3886: editors, paginators, mail and terminal programs.
3887: .Pp
3888: There are two basic approaches to this problem:
3889: .Bl -tag -width 8n
3890: .It restrict
3891: Avoid giving users access to commands that allow the user to run
3892: arbitrary commands.
3893: Many editors have a restricted mode where shell
3894: escapes are disabled, though
3895: .Nm sudoedit
3896: is a better solution to
3897: running editors via
3898: .Nm sudo .
3899: Due to the large number of programs that
3900: offer shell escapes, restricting users to the set of programs that
3901: do not is often unworkable.
3902: .It noexec
3903: Many systems that support shared libraries have the ability to
3904: override default library functions by pointing an environment
3905: variable (usually
3906: .Ev LD_PRELOAD )
3907: to an alternate shared library.
3908: On such systems,
3909: .Nm sudo Ns No 's
3910: .Em noexec
3911: functionality can be used to prevent a program run by
3912: .Nm sudo
3913: from executing any other programs.
3914: Note, however, that this applies only to native dynamically-linked
3915: executables.
3916: Statically-linked executables and foreign executables
3917: running under binary emulation are not affected.
3918: .Pp
3919: The
3920: .Em noexec
3921: feature is known to work on SunOS, Solaris, *BSD,
3922: Linux, IRIX, Tru64 UNIX, MacOS X, HP-UX 11.x and AIX 5.3 and above.
3923: It should be supported on most operating systems that support the
3924: .Ev LD_PRELOAD
3925: environment variable.
3926: Check your operating system's manual pages for the dynamic linker
3927: (usually ld.so, ld.so.1, dyld, dld.sl, rld, or loader) to see if
3928: .Ev LD_PRELOAD
3929: is supported.
3930: .Pp
3931: On Solaris 10 and higher,
3932: .Em noexec
3933: uses Solaris privileges instead of the
3934: .Ev LD_PRELOAD
3935: environment variable.
3936: .Pp
3937: To enable
3938: .Em noexec
3939: for a command, use the
3940: .Li NOEXEC
3941: tag as documented
3942: in the User Specification section above.
3943: Here is that example again:
3944: .Bd -literal
3945: aaron shanty = NOEXEC: /usr/bin/more, /usr/bin/vi
3946: .Ed
3947: .Pp
3948: This allows user
3949: .Sy aaron
3950: to run
3951: .Pa /usr/bin/more
3952: and
3953: .Pa /usr/bin/vi
3954: with
3955: .Em noexec
3956: enabled.
3957: This will prevent those two commands from
3958: executing other commands (such as a shell).
3959: If you are unsure whether or not your system is capable of supporting
3960: .Em noexec
3961: you can always just try it out and check whether shell escapes work when
3962: .Em noexec
3963: is enabled.
3964: .El
3965: .Pp
3966: Note that restricting shell escapes is not a panacea.
3967: Programs running as root are still capable of many potentially hazardous
3968: operations (such as changing or overwriting files) that could lead
3969: to unintended privilege escalation.
3970: In the specific case of an editor, a safer approach is to give the
3971: user permission to run
3972: .Nm sudoedit .
3973: .Ss Time stamp file checks
3974: .Em sudoers
3975: will check the ownership of its time stamp directory
3976: .Po
3977: .Pa @timedir@
3978: by default
3979: .Pc
3980: and ignore the directory's contents if it is not owned by root or
3981: if it is writable by a user other than root.
3982: On systems that allow non-root users to give away files via
3983: .Xr chown 2 ,
3984: if the time stamp directory is located in a world-writable
3985: directory (e.g.\&,
3986: .Pa /tmp ) ,
3987: it is possible for a user to create the time stamp directory before
3988: .Nm sudo
3989: is run.
3990: However, because
3991: .Em sudoers
3992: checks the ownership and mode of the directory and its
3993: contents, the only damage that can be done is to
3994: .Dq hide
3995: files by putting them in the time stamp dir.
3996: This is unlikely to happen since once the time stamp dir is owned by root
3997: and inaccessible by any other user, the user placing files there would be
3998: unable to get them back out.
3999: .Pp
4000: .Em sudoers
4001: will not honor time stamps set far in the future.
4002: Time stamps with a date greater than current_time + 2 *
4003: .Li TIMEOUT
4004: will be ignored and sudo will log and complain.
4005: This is done to keep a user from creating his/her own time stamp with a
4006: bogus date on systems that allow users to give away files if the time
4007: stamp directory is located in a world-writable directory.
4008: .Pp
4009: On systems where the boot time is available,
4010: .Em sudoers
4011: will ignore time stamps that date from before the machine booted.
4012: .Pp
4013: Since time stamp files live in the file system, they can outlive a
4014: user's login session.
4015: As a result, a user may be able to login, run a command with
4016: .Nm sudo
4017: after authenticating, logout, login again, and run
4018: .Nm sudo
4019: without authenticating so long as the time stamp file's modification
4020: time is within
4021: .Li @timeout@
4022: minutes (or whatever the timeout is set to in
4023: .Em sudoers ) .
4024: When the
4025: .Em tty_tickets
4026: option is enabled, the time stamp has per-tty granularity but still
4027: may outlive the user's session.
4028: On Linux systems where the devpts filesystem is used, Solaris systems
4029: with the devices filesystem, as well as other systems that utilize a
4030: devfs filesystem that monotonically increase the inode number of devices
4031: as they are created (such as Mac OS X),
4032: .Em sudoers
4033: is able to determine when a tty-based time stamp file is stale and will
4034: ignore it.
4035: Administrators should not rely on this feature as it is not universally
4036: available.
1.1.1.2 ! misho 4037: .Sh DEBUGGING
! 4038: Versions 1.8.4 and higher of the
! 4039: .Nm sudoers
! 4040: plugin support a flexible debugging framework that can help track
! 4041: down what the plugin is doing internally if there is a problem.
! 4042: This can be configured in the
! 4043: .Xr sudo.conf @mansectform@
! 4044: file.
! 4045: .Pp
! 4046: The
! 4047: .Nm sudoers
! 4048: plugin uses the same debug flag format as the
! 4049: .Nm sudo
! 4050: front-end:
! 4051: .Em subsystem Ns No @ Ns Em priority .
! 4052: .Pp
! 4053: The priorities used by
! 4054: .Nm sudoers ,
! 4055: in order of decreasing severity,
! 4056: are:
! 4057: .Em crit , err , warn , notice , diag , info , trace
! 4058: and
! 4059: .Em debug .
! 4060: Each priority, when specified, also includes all priorities higher
! 4061: than it.
! 4062: For example, a priority of
! 4063: .Em notice
! 4064: would include debug messages logged at
! 4065: .Em notice
! 4066: and higher.
! 4067: .Pp
! 4068: The following subsystems are used by the
! 4069: .Nm sudoers
! 4070: plugin:
! 4071: .Bl -tag -width 8n
! 4072: .It Em alias
! 4073: .Li User_Alias ,
! 4074: .Li Runas_Alias ,
! 4075: .Li Host_Alias
! 4076: and
! 4077: .Li Cmnd_Alias
! 4078: processing
! 4079: .It Em all
! 4080: matches every subsystem
! 4081: .It Em audit
! 4082: BSM and Linux audit code
! 4083: .It Em auth
! 4084: user authentication
! 4085: .It Em defaults
! 4086: .Em sudoers
! 4087: .Em Defaults
! 4088: settings
! 4089: .It Em env
! 4090: environment handling
! 4091: .It Em ldap
! 4092: LDAP-based sudoers
! 4093: .It Em logging
! 4094: logging support
! 4095: .It Em match
! 4096: matching of users, groups, hosts and netgroups in
! 4097: .Em sudoers
! 4098: .It Em netif
! 4099: network interface handling
! 4100: .It Em nss
! 4101: network service switch handling in
! 4102: .Em sudoers
! 4103: .It Em parser
! 4104: .Em sudoers
! 4105: file parsing
! 4106: .It Em perms
! 4107: permission setting
! 4108: .It Em plugin
! 4109: The equivalent of
! 4110: .Em main
! 4111: for the plugin.
! 4112: .It Em pty
! 4113: pseudo-tty related code
! 4114: .It Em rbtree
! 4115: redblack tree internals
! 4116: .It Em util
! 4117: utility functions
! 4118: .El
! 4119: For example:
! 4120: .Bd -literal
! 4121: Debug sudo /var/log/sudo_debug match@info,nss@info
! 4122: .Ed
! 4123: .Pp
! 4124: For more information, see the
! 4125: .Xr sudo.conf @mansectform@
! 4126: manual.
1.1 misho 4127: .Sh SEE ALSO
4128: .Xr ssh 1 ,
4129: .Xr su 1 ,
4130: .Xr fnmatch 3 ,
4131: .Xr glob 3 ,
4132: .Xr mktemp 3 ,
4133: .Xr strftime 3 ,
1.1.1.2 ! misho 4134: .Xr sudo.conf @mansectform@ ,
1.1 misho 4135: .Xr sudoers.ldap @mansectform@ ,
4136: .Xr sudo_plugin @mansectsu@ ,
4137: .Xr sudo @mansectsu@ ,
4138: .Xr visudo @mansectsu@
4139: .Sh CAVEATS
4140: The
4141: .Em sudoers
4142: file should
4143: .Sy always
4144: be edited by the
4145: .Nm visudo
4146: command which locks the file and does grammatical checking.
4147: It is
4148: imperative that
4149: .Em sudoers
4150: be free of syntax errors since
4151: .Nm sudo
4152: will not run with a syntactically incorrect
4153: .Em sudoers
4154: file.
4155: .Pp
4156: When using netgroups of machines (as opposed to users), if you
4157: store fully qualified host name in the netgroup (as is usually the
4158: case), you either need to have the machine's host name be fully qualified
4159: as returned by the
4160: .Li hostname
4161: command or use the
4162: .Em fqdn
4163: option in
4164: .Em sudoers .
4165: .Sh BUGS
4166: If you feel you have found a bug in
4167: .Nm sudo ,
4168: please submit a bug report at http://www.sudo.ws/sudo/bugs/
4169: .Sh SUPPORT
4170: Limited free support is available via the sudo-users mailing list,
4171: see http://www.sudo.ws/mailman/listinfo/sudo-users to subscribe or
4172: search the archives.
4173: .Sh DISCLAIMER
4174: .Nm sudo
4175: is provided
4176: .Dq AS IS
4177: and any express or implied warranties, including, but not limited
4178: to, the implied warranties of merchantability and fitness for a
4179: particular purpose are disclaimed.
4180: See the LICENSE file distributed with
4181: .Nm sudo
4182: or http://www.sudo.ws/sudo/license.html for complete details.
FreeBSD-CVSweb <freebsd-cvsweb@FreeBSD.org>
![[BACK]](/icons/cvsweb/back.gif){kind=icon}
Return to sudoers.mdoc.in CVS log ![[TXT]](/icons/cvsweb/text.gif){kind=icon}
![[DIR]](/icons/cvsweb/dir.gif){kind=icon}
Up to [ELWIX - Embedded LightWeight unIX -] / embedaddon / sudo / doc