Annotation of embedaddon/sudo/doc/sudoers.mdoc.in, revision 1.1.1.3
1.1 misho 1: .\"
1.1.1.2 misho 2: .\" Copyright (c) 1994-1996, 1998-2005, 2007-2013
3: .\" Todd C. Miller <Todd.Miller@courtesan.com>
1.1 misho 4: .\"
5: .\" Permission to use, copy, modify, and distribute this software for any
6: .\" purpose with or without fee is hereby granted, provided that the above
7: .\" copyright notice and this permission notice appear in all copies.
8: .\"
9: .\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
10: .\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
11: .\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
12: .\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
13: .\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
14: .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
15: .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
16: .\" ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
17: .\"
18: .\" Sponsored in part by the Defense Advanced Research Projects
19: .\" Agency (DARPA) and Air Force Research Laboratory, Air Force
20: .\" Materiel Command, USAF, under agreement number F39502-99-1-0512.
21: .\"
1.1.1.3 ! misho 22: .Dd August 31, 2013
1.1 misho 23: .Dt SUDOERS @mansectform@
24: .Os Sudo @PACKAGE_VERSION@
25: .Sh NAME
26: .Nm sudoers
1.1.1.2 misho 27: .Nd default sudo security policy plugin
1.1 misho 28: .Sh DESCRIPTION
29: The
30: .Em sudoers
1.1.1.2 misho 31: policy plugin determines a user's
1.1 misho 32: .Nm sudo
33: privileges.
34: It is the default
35: .Nm sudo
36: policy plugin.
37: The policy is driven by
38: the
39: .Pa @sysconfdir@/sudoers
40: file or, optionally, in LDAP.
41: The policy format is described in detail in the
42: .Sx SUDOERS FILE FORMAT
43: section.
44: For information on storing
45: .Em sudoers
46: policy information
47: in LDAP, please see
48: .Xr sudoers.ldap @mansectform@ .
1.1.1.2 misho 49: .Ss Configuring sudo.conf for sudoers
50: .Nm sudo
51: consults the
52: .Xr sudo.conf @mansectform@
53: file to determine which policy and I/O logging plugins to load.
54: If no
55: .Xr sudo.conf @mansectform@
56: file is present, or if it contains no
57: .Li Plugin
58: lines,
59: .Nm sudoers
60: will be used for policy decisions and I/O logging.
61: To explicitly configure
62: .Xr sudo.conf @mansectform@
63: to use the
64: .Nm sudoers
65: plugin, the following configuration can be used.
66: .Bd -literal -offset indent
67: Plugin sudoers_policy sudoers.so
68: Plugin sudoers_io sudoers.so
69: .Ed
70: .Pp
71: Starting with
72: .Nm sudo
73: 1.8.5, it is possible to specify optional arguments to the
74: .Nm sudoers
75: plugin in the
76: .Xr sudo.conf @mansectform@
77: file.
78: These arguments, if present, should be listed after the path to the plugin
79: (i.e.\& after
80: .Pa sudoers.so ) .
81: Multiple arguments may be specified, separated by white space.
82: For example:
83: .Bd -literal -offset indent
84: Plugin sudoers_policy sudoers.so sudoers_mode=0400
85: .Ed
86: .Pp
87: The following plugin arguments are supported:
88: .Bl -tag -width 8n
89: .It ldap_conf=pathname
90: The
91: .Em ldap_conf
92: argument can be used to override the default path to the
93: .Pa ldap.conf
94: file.
95: .It ldap_secret=pathname
96: The
97: .Em ldap_secret
98: argument can be used to override the default path to the
99: .Pa ldap.secret
100: file.
101: .It sudoers_file=pathname
102: The
103: .Em sudoers_file
104: argument can be used to override the default path to the
105: .Em sudoers
106: file.
107: .It sudoers_uid=uid
108: The
109: .Em sudoers_uid
110: argument can be used to override the default owner of the sudoers file.
111: It should be specified as a numeric user ID.
112: .It sudoers_gid=gid
113: The
114: .Em sudoers_gid
115: argument can be used to override the default group of the sudoers file.
116: It must be specified as a numeric group ID (not a group name).
117: .It sudoers_mode=mode
118: The
119: .Em sudoers_mode
120: argument can be used to override the default file mode for the sudoers file.
121: It should be specified as an octal value.
122: .El
123: .Pp
124: For more information on configuring
125: .Xr sudo.conf @mansectform@ ,
126: please refer to its manual.
1.1 misho 127: .Ss Authentication and logging
128: The
129: .Em sudoers
130: security policy requires that most users authenticate
131: themselves before they can use
132: .Nm sudo .
133: A password is not required
134: if the invoking user is root, if the target user is the same as the
135: invoking user, or if the policy has disabled authentication for the
136: user or command.
137: Unlike
138: .Xr su 1 ,
139: when
140: .Em sudoers
141: requires
142: authentication, it validates the invoking user's credentials, not
143: the target user's (or root's) credentials.
144: This can be changed via
145: the
146: .Em rootpw ,
147: .Em targetpw
148: and
149: .Em runaspw
150: flags, described later.
151: .Pp
152: If a user who is not listed in the policy tries to run a command
153: via
154: .Nm sudo ,
155: mail is sent to the proper authorities.
156: The address
157: used for such mail is configurable via the
158: .Em mailto
159: Defaults entry
160: (described later) and defaults to
161: .Li @mailto@ .
162: .Pp
163: Note that mail will not be sent if an unauthorized user tries to
164: run
165: .Nm sudo
166: with the
167: .Fl l
168: or
169: .Fl v
170: option.
171: This allows users to
172: determine for themselves whether or not they are allowed to use
173: .Nm sudo .
174: .Pp
175: If
176: .Nm sudo
177: is run by root and the
178: .Ev SUDO_USER
179: environment variable
180: is set, the
181: .Em sudoers
182: policy will use this value to determine who
183: the actual user is.
184: This can be used by a user to log commands
185: through sudo even when a root shell has been invoked.
186: It also
187: allows the
188: .Fl e
189: option to remain useful even when invoked via a
190: sudo-run script or program.
191: Note, however, that the
192: .Em sudoers
193: lookup is still done for root, not the user specified by
194: .Ev SUDO_USER .
195: .Pp
196: .Em sudoers
197: uses time stamp files for credential caching.
198: Once a
199: user has been authenticated, the time stamp is updated and the user
200: may then use sudo without a password for a short period of time
201: .Po
202: .Li @timeout@
203: minutes unless overridden by the
204: .Em timeout
205: option
206: .Pc .
207: By default,
208: .Em sudoers
209: uses a tty-based time stamp which means that
210: there is a separate time stamp for each of a user's login sessions.
211: The
212: .Em tty_tickets
213: option can be disabled to force the use of a
214: single time stamp for all of a user's sessions.
215: .Pp
216: .Em sudoers
217: can log both successful and unsuccessful attempts (as well
218: as errors) to
219: .Xr syslog 3 ,
220: a log file, or both.
221: By default,
222: .Em sudoers
223: will log via
224: .Xr syslog 3
225: but this is changeable via the
226: .Em syslog
227: and
228: .Em logfile
229: Defaults settings.
230: .Pp
231: .Em sudoers
232: also supports logging a command's input and output
233: streams.
234: I/O logging is not on by default but can be enabled using
235: the
236: .Em log_input
237: and
238: .Em log_output
239: Defaults flags as well as the
240: .Li LOG_INPUT
241: and
242: .Li LOG_OUTPUT
243: command tags.
244: .Ss Command environment
245: Since environment variables can influence program behavior,
246: .Em sudoers
247: provides a means to restrict which variables from the user's
248: environment are inherited by the command to be run.
249: There are two
250: distinct ways
251: .Em sudoers
252: can deal with environment variables.
253: .Pp
254: By default, the
255: .Em env_reset
256: option is enabled.
257: This causes commands
258: to be executed with a new, minimal environment.
259: On AIX (and Linux
260: systems without PAM), the environment is initialized with the
261: contents of the
262: .Pa /etc/environment
263: file.
264: On BSD systems, if the
265: .Em use_loginclass
266: option is enabled, the environment is initialized
267: based on the
268: .Em path
269: and
270: .Em setenv
271: settings in
272: .Pa /etc/login.conf .
273: The new environment contains the
274: .Ev TERM ,
275: .Ev PATH ,
276: .Ev HOME ,
277: .Ev MAIL ,
278: .Ev SHELL ,
279: .Ev LOGNAME ,
280: .Ev USER ,
281: .Ev USERNAME
282: and
283: .Ev SUDO_*
284: variables
285: in addition to variables from the invoking process permitted by the
286: .Em env_check
287: and
288: .Em env_keep
289: options.
290: This is effectively a whitelist
291: for environment variables.
292: .Pp
293: If, however, the
294: .Em env_reset
295: option is disabled, any variables not
296: explicitly denied by the
297: .Em env_check
298: and
299: .Em env_delete
300: options are
301: inherited from the invoking process.
302: In this case,
303: .Em env_check
304: and
305: .Em env_delete
306: behave like a blacklist.
307: Since it is not possible
308: to blacklist all potentially dangerous environment variables, use
309: of the default
310: .Em env_reset
311: behavior is encouraged.
312: .Pp
313: In all cases, environment variables with a value beginning with
314: .Li ()
315: are removed as they could be interpreted as
316: .Sy bash
317: functions.
318: The list of environment variables that
319: .Nm sudo
320: allows or denies is
321: contained in the output of
322: .Dq Li sudo -V
323: when run as root.
324: .Pp
325: Note that the dynamic linker on most operating systems will remove
326: variables that can control dynamic linking from the environment of
327: setuid executables, including
328: .Nm sudo .
329: Depending on the operating
330: system this may include
331: .Ev _RLD* ,
332: .Ev DYLD_* ,
333: .Ev LD_* ,
334: .Ev LDR_* ,
335: .Ev LIBPATH ,
336: .Ev SHLIB_PATH ,
337: and others.
338: These types of variables are
339: removed from the environment before
340: .Nm sudo
341: even begins execution
342: and, as such, it is not possible for
343: .Nm sudo
344: to preserve them.
345: .Pp
346: As a special case, if
347: .Nm sudo Ns No 's
348: .Fl i
349: option (initial login) is
350: specified,
351: .Em sudoers
352: will initialize the environment regardless
353: of the value of
354: .Em env_reset .
355: The
356: .Ev DISPLAY ,
357: .Ev PATH
358: and
359: .Ev TERM
360: variables remain unchanged;
361: .Ev HOME ,
362: .Ev MAIL ,
363: .Ev SHELL ,
364: .Ev USER ,
365: and
366: .Ev LOGNAME
367: are set based on the target user.
368: On AIX (and Linux
369: systems without PAM), the contents of
370: .Pa /etc/environment
371: are also
372: included.
373: On BSD systems, if the
374: .Em use_loginclass
375: option is
376: enabled, the
377: .Em path
378: and
379: .Em setenv
380: variables in
381: .Pa /etc/login.conf
382: are also applied.
383: All other environment variables are removed.
384: .Pp
385: Finally, if the
386: .Em env_file
387: option is defined, any variables present
388: in that file will be set to their specified values as long as they
389: would not conflict with an existing environment variable.
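.Pp
The whitelist and blacklist behaviour described in this section can be modelled in a few lines.
The following Python is an added example written for this page; it is not part of sudo.
The base variable list and the "()" rule come from the text above; the test used for
env_check (a value is safe when it contains neither % nor /) is sudo's documented rule from
the SUDOERS OPTIONS section rather than from this passage, and the sample environment and
the POLICY lists are constructed for the example.

```python
import fnmatch

# Variables sudoers always places in the new environment when env_reset is
# on (from the "Command environment" section); SUDO_* covers SUDO_USER etc.
ENV_RESET_BASE = ("TERM", "PATH", "HOME", "MAIL", "SHELL", "LOGNAME",
                  "USER", "USERNAME", "SUDO_*")

# Constructed invoking-process environment; not captured from a real host.
SAMPLE_ENV = {
    "PATH": "/usr/bin:/bin",
    "HOME": "/home/alice",
    "USER": "alice",
    "TERM": "xterm",
    "SUDO_USER": "alice",          # matches SUDO_*
    "EDITOR": "vim",               # survives env_reset only via env_keep
    "COLORTERM": "truecolor",      # env_check: passes (no % or /)
    "LANG": "en_US.UTF-8",         # env_check: passes
    "PROMPT": "%n@%m",             # env_check: fails, contains %
    "PAGER": "/usr/bin/less",      # not listed anywhere
    "CDPATH": ".:/tmp",            # removed by env_delete in blacklist mode
    "SHELLFUNC": "() { :; }",      # looks like an exported bash function
}


def _listed(name, patterns):
    """True if name matches any pattern (sudoers allows globs like SUDO_*)."""
    return any(fnmatch.fnmatchcase(name, p) for p in patterns)


def _safe_value(value):
    # sudo's env_check rule (documented under SUDOERS OPTIONS, not in this
    # section): a value is safe when it contains no % or / character.
    # TZ has a stricter special-case check that is not modelled here.
    return "%" not in value and "/" not in value


def filter_env(env, env_reset=True, env_keep=(), env_check=(), env_delete=()):
    """Return the environment the command would receive.

    env_reset on: whitelist mode, only the base set, env_keep matches and
    env_check matches with safe values survive.
    env_reset off: blacklist mode, everything survives except env_delete
    matches and env_check matches with unsafe values.
    """
    out = {}
    for name, value in env.items():
        # In all cases a value beginning with "()" is dropped, because the
        # shell could interpret it as a function definition.
        if value.startswith("()"):
            continue
        if env_reset:
            keep = (_listed(name, ENV_RESET_BASE) or _listed(name, env_keep)
                    or (_listed(name, env_check) and _safe_value(value)))
        else:
            keep = not (_listed(name, env_delete)
                        or (_listed(name, env_check) and not _safe_value(value)))
        if keep:
            out[name] = value
    return out


# Constructed policy standing in for the env_keep/env_check/env_delete
# Defaults lists; the real lists are printed by "sudo -V" when run as root.
POLICY = {"env_keep": ("EDITOR",),
          "env_check": ("LANG", "LC_*", "COLORTERM", "PROMPT"),
          "env_delete": ("CDPATH", "IFS")}


def whitelist_mode():
    """Environment produced with env_reset enabled (the default)."""
    return filter_env(SAMPLE_ENV, env_reset=True, **POLICY)


def blacklist_mode():
    """Environment produced with env_reset disabled."""
    return filter_env(SAMPLE_ENV, env_reset=False, **POLICY)


if __name__ == "__main__":
    for mode in (whitelist_mode, blacklist_mode):
        print(mode.__name__, sorted(mode()))
```

Running it shows why the section recommends the default: in blacklist mode PAGER (and any other variable nobody thought to list) reaches the command, while in whitelist mode only the named variables do, and the "()" value is dropped in both modes.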
390: .Sh SUDOERS FILE FORMAT
391: The
392: .Em sudoers
393: file is composed of two types of entries: aliases
394: (basically variables) and user specifications (which specify who
395: may run what).
396: .Pp
397: When multiple entries match for a user, they are applied in order.
398: Where there are multiple matches, the last match is used (which is
399: not necessarily the most specific match).
400: .Pp
401: The
402: .Em sudoers
403: grammar will be described below in Extended Backus-Naur
404: Form (EBNF).
405: Don't despair if you are unfamiliar with EBNF; it is fairly simple,
406: and the definitions below are annotated.
407: .Ss Quick guide to EBNF
408: EBNF is a concise and exact way of describing the grammar of a language.
409: Each EBNF definition is made up of
410: .Em production rules .
411: E.g.,
412: .Pp
413: .Li symbol ::= definition | alternate1 | alternate2 ...
414: .Pp
415: Each
416: .Em production rule
417: references others and thus makes up a
418: grammar for the language.
419: EBNF also contains the following
420: operators, which many readers will recognize from regular
421: expressions.
422: Do not, however, confuse them with
423: .Dq wildcard
424: characters, which have different meanings.
425: .Bl -tag -width 4n
426: .It Li \&?
427: Means that the preceding symbol (or group of symbols) is optional.
428: That is, it may appear once or not at all.
429: .It Li *
430: Means that the preceding symbol (or group of symbols) may appear
431: zero or more times.
432: .It Li +
433: Means that the preceding symbol (or group of symbols) may appear
434: one or more times.
435: .El
436: .Pp
437: Parentheses may be used to group symbols together.
438: For clarity,
439: we will use single quotes
440: .Pq ''
441: to designate what is a verbatim character string (as opposed to a symbol name).
442: .Ss Aliases
443: There are four kinds of aliases:
444: .Li User_Alias ,
445: .Li Runas_Alias ,
446: .Li Host_Alias
447: and
448: .Li Cmnd_Alias .
449: .Bd -literal
450: Alias ::= 'User_Alias' User_Alias (':' User_Alias)* |
451: 'Runas_Alias' Runas_Alias (':' Runas_Alias)* |
452: 'Host_Alias' Host_Alias (':' Host_Alias)* |
453: 'Cmnd_Alias' Cmnd_Alias (':' Cmnd_Alias)*
454:
455: User_Alias ::= NAME '=' User_List
456:
457: Runas_Alias ::= NAME '=' Runas_List
458:
459: Host_Alias ::= NAME '=' Host_List
460:
461: Cmnd_Alias ::= NAME '=' Cmnd_List
462:
463: NAME ::= [A-Z]([A-Z0-9_])*
464: .Ed
465: .Pp
466: Each
467: .Em alias
468: definition is of the form
469: .Bd -literal
470: Alias_Type NAME = item1, item2, ...
471: .Ed
472: .Pp
473: where
474: .Em Alias_Type
475: is one of
476: .Li User_Alias ,
477: .Li Runas_Alias ,
478: .Li Host_Alias ,
479: or
480: .Li Cmnd_Alias .
481: A
482: .Li NAME
483: is a string of uppercase letters, numbers,
484: and underscore characters
485: .Pq Ql _ .
486: A
487: .Li NAME
488: .Sy must
489: start with an
490: uppercase letter.
491: It is possible to put several alias definitions
492: of the same type on a single line, joined by a colon
493: .Pq Ql :\& .
494: E.g.,
495: .Bd -literal
496: Alias_Type NAME = item1, item2, item3 : NAME = item4, item5
497: .Ed
498: .Pp
499: The definitions of what constitutes a valid
500: .Em alias
501: member follow.
502: .Bd -literal
503: User_List ::= User |
504: User ',' User_List
505:
506: User ::= '!'* user name |
507: '!'* #uid |
508: '!'* %group |
509: '!'* %#gid |
510: '!'* +netgroup |
511: '!'* %:nonunix_group |
512: '!'* %:#nonunix_gid |
513: '!'* User_Alias
514: .Ed
515: .Pp
516: A
517: .Li User_List
1.1.1.2 misho 518: is made up of one or more user names, user IDs
1.1 misho 519: (prefixed with
520: .Ql # ) ,
1.1.1.2 misho 521: system group names and IDs (prefixed with
1.1 misho 522: .Ql %
523: and
524: .Ql %#
525: respectively), netgroups (prefixed with
526: .Ql + ) ,
527: non-Unix group names and IDs (prefixed with
528: .Ql %:
529: and
530: .Ql %:#
531: respectively) and
532: .Li User_Alias Ns No es.
533: Each list item may be prefixed with zero or more
534: .Ql \&!
535: operators.
536: An odd number of
537: .Ql \&!
538: operators negate the value of
539: the item; an even number just cancel each other out.
540: .Pp
541: A
542: .Li user name ,
543: .Li uid ,
544: .Li group ,
545: .Li gid ,
546: .Li netgroup ,
547: .Li nonunix_group
548: or
549: .Li nonunix_gid
550: may be enclosed in double quotes to avoid the
551: need for escaping special characters.
552: Alternately, special characters
553: may be specified in escaped hex mode, e.g.\& \ex20 for space.
554: When
555: using double quotes, any prefix characters must be included inside
556: the quotes.
557: .Pp
558: The actual
559: .Li nonunix_group
560: and
561: .Li nonunix_gid
562: syntax depends on
1.1.1.2 misho 563: the underlying group provider plugin.
1.1 misho 564: For instance, the QAS AD plugin supports the following formats:
565: .Bl -bullet -width 4n
566: .It
567: Group in the same domain: "%:Group Name"
568: .It
569: Group in any domain: "%:Group Name@FULLY.QUALIFIED.DOMAIN"
570: .It
571: Group SID: "%:S-1-2-34-5678901234-5678901234-5678901234-567"
572: .El
573: .Pp
1.1.1.2 misho 574: See
575: .Sx "GROUP PROVIDER PLUGINS"
576: for more information.
577: .Pp
1.1 misho 578: Note that quotes around group names are optional.
579: Unquoted strings must use a backslash
580: .Pq Ql \e
581: to escape spaces and special characters.
582: See
583: .Sx Other special characters and reserved words
584: for a list of
585: characters that need to be escaped.
586: .Bd -literal
587: Runas_List ::= Runas_Member |
588: Runas_Member ',' Runas_List
589:
590: Runas_Member ::= '!'* user name |
591: '!'* #uid |
592: '!'* %group |
593: '!'* %#gid |
594: '!'* %:nonunix_group |
595: '!'* %:#nonunix_gid |
596: '!'* +netgroup |
597: '!'* Runas_Alias
598: .Ed
599: .Pp
600: A
601: .Li Runas_List
602: is similar to a
603: .Li User_List
604: except that instead
605: of
606: .Li User_Alias Ns No es
607: it can contain
608: .Li Runas_Alias Ns No es .
609: Note that
610: user names and groups are matched as strings.
611: In other words, two
612: users (groups) with the same uid (gid) are considered to be distinct.
613: If you wish to match all user names with the same uid (e.g.\&
614: root and toor), you can use a uid instead (#0 in the example given).
615: .Bd -literal
616: Host_List ::= Host |
617: Host ',' Host_List
618:
619: Host ::= '!'* host name |
620: '!'* ip_addr |
621: '!'* network(/netmask)? |
622: '!'* +netgroup |
623: '!'* Host_Alias
624: .Ed
625: .Pp
626: A
627: .Li Host_List
628: is made up of one or more host names, IP addresses,
629: network numbers, netgroups (prefixed with
630: .Ql + )
631: and other aliases.
632: Again, the value of an item may be negated with the
633: .Ql \&!
634: operator.
635: If you do not specify a netmask along with the network number,
636: .Nm sudo
637: will query each of the local host's network interfaces and,
638: if the network number corresponds to one of the host's network
639: interfaces, the corresponding netmask will be used.
640: The netmask
641: may be specified either in standard IP address notation
642: (e.g.\& 255.255.255.0 or ffff:ffff:ffff:ffff::),
643: or CIDR notation (number of bits, e.g.\& 24 or 64).
644: A host name may include shell-style wildcards (see the
645: .Sx Wildcards
646: section below),
647: but unless the
648: .Li hostname
649: command on your machine returns the fully
650: qualified host name, you'll need to use the
651: .Em fqdn
652: option for wildcards to be useful.
653: Note that
654: .Nm sudo
655: only inspects actual network interfaces; this means that IP address
656: 127.0.0.1 (localhost) will never match.
657: Also, the host name
658: .Dq localhost
659: will only match if that is the actual host name, which is usually
660: only the case for non-networked systems.
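.Pp
The Host_List matching rules above (netmask in address or CIDR form, the interface
netmask used when none is given, negation with \&!, and the fact that only real
interfaces are inspected) are illustrated by the following Python, an added example
for this page and not code from sudo.
The INTERFACES list and HOSTNAME are constructed stand-ins for what sudo would learn
from the local host; host names are matched with fnmatch as an approximation of the
shell-style wildcards described in the Wildcards section.

```python
import fnmatch
import ipaddress

# Constructed stand-in for what sudo learns by querying the local host's
# network interfaces: (address, prefix length). Loopback is absent on
# purpose: sudo only inspects real interfaces, so 127.0.0.1 never matches.
INTERFACES = [("192.168.1.42", 24), ("10.8.0.5", 16), ("2001:db8:1:2::42", 64)]
HOSTNAME = "boulder.example.com"  # constructed fully qualified host name


def _prefix_from_mask(mask_text, version):
    """Convert a netmask written as an address (255.255.255.0,
    ffff:ffff:ffff:ffff::) into a prefix length for either family.

    Masks whose set bits are not contiguous are rejected.
    """
    mask = ipaddress.ip_address(mask_text)
    if mask.version != version:
        raise ValueError("netmask %s does not match the address family" % mask_text)
    value, bits = int(mask), mask.max_prefixlen
    ones = bin(value).count("1")
    if value != ((1 << bits) - (1 << (bits - ones))):
        raise ValueError("non-contiguous netmask %s" % mask_text)
    return ones


def parse_network(text, interfaces=INTERFACES):
    """Parse a 'network(/netmask)?' Host item into an ip_network.

    The netmask may be a bit count (24, 64) or an address-style mask.
    Without a netmask, the mask of the interface on that network is used,
    as the Host_List section describes.
    """
    net_text, sep, mask_text = text.partition("/")
    network = ipaddress.ip_address(net_text)
    if sep:
        if mask_text.isdigit():
            plen = int(mask_text)
        else:
            plen = _prefix_from_mask(mask_text, network.version)
        return ipaddress.ip_network("%s/%d" % (network, plen), strict=False)
    for addr, plen in interfaces:
        candidate = ipaddress.ip_network("%s/%d" % (addr, plen), strict=False)
        if candidate.network_address == network:
            return candidate
    # No interface on that network: treat the item as a single host address.
    return ipaddress.ip_network("%s/%d" % (network, network.max_prefixlen))


def host_matches(item, hostname=HOSTNAME, interfaces=INTERFACES):
    """Does one Host_List item match this host?  Leading '!' operators negate."""
    bangs = len(item) - len(item.lstrip("!"))
    body = item[bangs:].strip()
    try:
        ipaddress.ip_address(body.partition("/")[0])
        is_address = True
    except ValueError:
        is_address = False
    if is_address:
        network = parse_network(body, interfaces)  # raises on a bad netmask
        matched = any(ipaddress.ip_address(a) in network for a, _ in interfaces)
    else:
        # A host name, possibly with wildcards; needs the fqdn option to be
        # useful unless the hostname command already returns the full name.
        matched = fnmatch.fnmatchcase(hostname, body)
    # An odd number of '!' operators negates the result; pairs cancel out.
    return matched if bangs % 2 == 0 else not matched


if __name__ == "__main__":
    for item in ("192.168.1.0", "192.168.1.0/255.255.255.0", "!10.8.0.0/16",
                 "127.0.0.1", "2001:db8:1:2::/ffff:ffff:ffff:ffff::", "*.example.com"):
        print("%-40s %s" % (item, host_matches(item)))
```

The helper deliberately raises on a netmask with non-contiguous bits instead of guessing, since a silently mis-parsed Host_List item can turn a rule meant for one subnet into one that matches many hosts or none.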
661: .Bd -literal
1.1.1.2 misho 662: digest ::= [A-Fa-f0-9]+ |
663: [A-Za-z0-9\+/=]+
664:
665: Digest_Spec ::= "sha224" ':' digest |
666: "sha256" ':' digest |
667: "sha384" ':' digest |
668: "sha512" ':' digest
669:
1.1 misho 670: Cmnd_List ::= Cmnd |
671: Cmnd ',' Cmnd_List
672:
673: command name ::= file name |
674: file name args |
675: file name '""'
676:
1.1.1.2 misho 677: Cmnd ::= Digest_Spec? '!'* command name |
1.1 misho 678: '!'* directory |
679: '!'* "sudoedit" |
680: '!'* Cmnd_Alias
681: .Ed
682: .Pp
683: A
684: .Li Cmnd_List
685: is a list of one or more command names, directories, and other aliases.
686: A command name is a fully qualified file name which may include
687: shell-style wildcards (see the
688: .Sx Wildcards
689: section below).
690: A simple file name allows the user to run the command with any
691: arguments he/she wishes.
692: However, you may also specify command line arguments (including
693: wildcards).
694: Alternately, you can specify
695: .Li \&""
696: to indicate that the command
697: may only be run
698: .Sy without
699: command line arguments.
700: A directory is a
701: fully qualified path name ending in a
702: .Ql / .
703: When you specify a directory in a
704: .Li Cmnd_List ,
705: the user will be able to run any file within that directory
706: (but not in any sub-directories therein).
707: .Pp
708: If a
709: .Li Cmnd
710: has associated command line arguments, then the arguments
711: in the
712: .Li Cmnd
713: must match exactly those given by the user on the command line
714: (or match the wildcards if there are any).
715: Note that the following characters must be escaped with a
716: .Ql \e
717: if they are used in command arguments:
718: .Ql ,\& ,
719: .Ql :\& ,
720: .Ql =\& ,
721: .Ql \e .
1.1.1.2 misho 722: The built-in command
1.1 misho 723: .Dq Li sudoedit
724: is used to permit a user to run
725: .Nm sudo
726: with the
727: .Fl e
728: option (or as
729: .Nm sudoedit ) .
730: It may take command line arguments just as a normal command does.
1.1.1.2 misho 731: Note that
732: .Dq Li sudoedit
733: is a command built into
734: .Nm sudo
735: itself and must be specified in
736: .Em sudoers
737: without a leading path.
738: .Pp
739: If a
740: .Li command name
741: is prefixed with a
742: .Li Digest_Spec ,
743: the command will only match successfully if it can be verified
744: using the specified SHA-2 digest.
745: This may be useful in situations where the user invoking
746: .Nm sudo
747: has write access to the command or its parent directory.
748: The following digest formats are supported: sha224, sha256, sha384 and sha512.
749: The string may be specified in either hex or base64 format
750: (base64 is more compact).
751: There are several utilities capable of generating SHA-2 digests in hex
752: format such as openssl, shasum, sha224sum, sha256sum, sha384sum, sha512sum.
753: .Pp
754: For example, using openssl:
755: .Bd -literal
756: $ openssl dgst -sha224 /bin/ls
757: SHA224(/bin/ls)= 118187da8364d490b4a7debbf483004e8f3e053ec954309de2c41a25
758: .Ed
759: .Pp
760: It is also possible to use openssl to generate base64 output:
761: .Bd -literal
762: $ openssl dgst -binary -sha224 /bin/ls | openssl base64
763: EYGH2oNk1JC0p9679IMATo8+BT7JVDCd4sQaJQ==
764: .Ed
765: .Pp
766: Command digests are only supported by version 1.8.7 or higher.
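.Pp
The following Python shows how a Digest_Spec is produced and checked in both the hex and
base64 forms described above.
It is an added example for this page, not code from sudo; SAMPLE_BINARY is a constructed
stand-in for the bytes of a command such as
.Pa /bin/ls ,
and the length check on the decoded digest is an extra sanity test a practitioner would
want, since a mistyped digest in sudoers never produces an error, it simply never matches.

```python
import base64
import binascii
import hashlib
import hmac
import re

# Digest length in bytes for each algorithm Digest_Spec allows.
DIGEST_BYTES = {"sha224": 28, "sha256": 32, "sha384": 48, "sha512": 64}

# digest ::= [A-Fa-f0-9]+ | [A-Za-z0-9+/=]+   (the grammar from this section)
HEX_RE = re.compile(r"^[A-Fa-f0-9]+$")
B64_RE = re.compile(r"^[A-Za-z0-9+/=]+$")


def parse_digest_spec(spec):
    """Return (algorithm, raw_digest) for an "algo:digest" string.

    Besides checking the grammar, this rejects a digest whose decoded
    length does not fit the algorithm: such a typo would otherwise sit in
    sudoers silently and the command would simply never match.
    """
    algo, sep, digest = spec.partition(":")
    if not sep or algo not in DIGEST_BYTES:
        raise ValueError("unsupported digest type in %r" % spec)
    want = DIGEST_BYTES[algo]
    if HEX_RE.match(digest) and len(digest) == 2 * want:
        raw = bytes.fromhex(digest)
    elif B64_RE.match(digest):
        try:
            raw = base64.b64decode(digest, validate=True)
        except binascii.Error as exc:
            raise ValueError("bad base64 digest in %r: %s" % (spec, exc))
    else:
        raise ValueError("digest in %r is neither hex nor base64" % spec)
    if len(raw) != want:
        raise ValueError("%s digest must be %d bytes, got %d" % (algo, want, len(raw)))
    return algo, raw


def digest_spec_for(data, algo, encoding="hex"):
    """Build the Digest_Spec for a command's bytes (what openssl dgst prints)."""
    raw = hashlib.new(algo, data).digest()
    if encoding == "hex":
        return "%s:%s" % (algo, raw.hex())
    if encoding == "base64":
        return "%s:%s" % (algo, base64.b64encode(raw).decode("ascii"))
    raise ValueError("encoding must be hex or base64")


def command_matches(spec, data):
    """True when the executable's bytes verify against the Digest_Spec."""
    algo, expected = parse_digest_spec(spec)
    actual = hashlib.new(algo, data).digest()
    return hmac.compare_digest(actual, expected)


# Constructed stand-in for the contents of a command binary such as /bin/ls.
SAMPLE_BINARY = b"abc"

if __name__ == "__main__":
    for enc in ("hex", "base64"):
        spec = digest_spec_for(SAMPLE_BINARY, "sha224", enc)
        print(spec, command_matches(spec, SAMPLE_BINARY))
```

To pin a real command, replace SAMPLE_BINARY with the file's bytes (the same bytes the openssl invocations above hash) and paste the resulting string in front of the command name in the Cmnd_List.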
1.1 misho 767: .Ss Defaults
768: Certain configuration options may be changed from their default
769: values at run-time via one or more
770: .Li Default_Entry
771: lines.
772: These may affect all users on any host, all users on a specific host, a
773: specific user, a specific command, or commands being run as a specific user.
774: Note that per-command entries may not include command line arguments.
775: If you need to specify arguments, define a
776: .Li Cmnd_Alias
777: and reference
778: that instead.
779: .Bd -literal
780: Default_Type ::= 'Defaults' |
781: 'Defaults' '@' Host_List |
782: 'Defaults' ':' User_List |
783: 'Defaults' '!' Cmnd_List |
784: 'Defaults' '>' Runas_List
785:
786: Default_Entry ::= Default_Type Parameter_List
787:
788: Parameter_List ::= Parameter |
789: Parameter ',' Parameter_List
790:
791: Parameter ::= Parameter '=' Value |
792: Parameter '+=' Value |
793: Parameter '-=' Value |
794: '!'* Parameter
795: .Ed
796: .Pp
797: Parameters may be
798: .Sy flags ,
799: .Sy integer
800: values,
801: .Sy strings ,
802: or
803: .Sy lists .
804: Flags are implicitly boolean and can be turned off via the
805: .Ql \&!
806: operator.
807: Some integer, string and list parameters may also be
808: used in a boolean context to disable them.
809: Values may be enclosed
810: in double quotes
811: .Pq \&""
812: when they contain multiple words.
813: Special characters may be escaped with a backslash
814: .Pq Ql \e .
815: .Pp
816: Lists have two additional assignment operators,
817: .Li +=
818: and
819: .Li -= .
820: These operators are used to add to and delete from a list respectively.
821: It is not an error to use the
822: .Li -=
823: operator to remove an element
824: that does not exist in a list.
825: .Pp
826: Defaults entries are parsed in the following order: generic, host
827: and user Defaults first, then runas Defaults and finally command
828: defaults.
829: .Pp
830: See
831: .Sx SUDOERS OPTIONS
832: for a list of supported Defaults parameters.
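.Pp
The grammar and rules in this subsection (the five Default_Type forms, the four
parameter kinds, the
.Li +=
and
.Li -=
list operators, negation in a boolean context, and the parse order) are worked through
in the following Python, an added example for this page rather than code from sudo.
PARAM_KINDS is a small constructed subset of the real option table, and SAMPLE_DEFAULTS
is a constructed set of Defaults lines; backslash handling and quoting are simplified.

```python
import re

# Parse order from the Defaults section: generic, host and user Defaults
# first, then runas Defaults, and finally command Defaults.
TYPE_ORDER = {"": 0, "@": 0, ":": 0, ">": 1, "!": 2}

# Constructed subset of the parameter table (see SUDOERS OPTIONS for the
# full list); the kinds are the four the section names.
PARAM_KINDS = {
    "env_reset": "flag", "passwd_tries": "integer", "timestamp_timeout": "integer",
    "mailto": "string", "env_keep": "list", "env_check": "list",
}

ENTRY_RE = re.compile(r"^Defaults(?:([@:!>])(\S+))?\s+(.+)$")
PARAM_RE = re.compile(r"^(!*)\s*([A-Za-z_]+)\s*(\+=|-=|=)?\s*(.*)$")


def _split_params(text):
    """Split a Parameter_List on commas outside double quotes."""
    items, cur, quoted = [], [], False
    for ch in text:
        if ch == '"':
            quoted = not quoted
        if ch == "," and not quoted:
            items.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
    items.append("".join(cur))
    return [i.strip() for i in items if i.strip()]


def _unquote(value):
    if len(value) >= 2 and value[0] == value[-1] == '"':
        value = value[1:-1]
    return re.sub(r"\\(.)", r"\1", value)  # backslash escapes, simplified


def _apply_param(state, text):
    """Apply one Parameter to the settings dict in place."""
    m = PARAM_RE.match(text)
    if not m:
        raise ValueError("bad parameter %r" % text)
    bangs, name, op, value = m.groups()
    kind = PARAM_KINDS.get(name)
    if kind is None:
        raise ValueError("unknown parameter %r" % name)
    negated = len(bangs) % 2 == 1  # each '!' toggles, so pairs cancel out
    if op is None:
        if kind == "flag":
            state[name] = not negated
        elif negated:
            # A non-flag parameter used in a boolean context is disabled.
            state[name] = [] if kind == "list" else None
        else:
            raise ValueError("%s needs a value" % name)
        return
    if negated or value == "":
        raise ValueError("bad assignment %r" % text)
    value = _unquote(value)
    if kind == "list":
        words = value.split()
        current = list(state.get(name, []))
        if op == "=":
            current = words
        elif op == "+=":
            current += [w for w in words if w not in current]
        else:  # '-=': removing an element that is not present is not an error
            current = [w for w in current if w not in words]
        state[name] = current
    elif op != "=":
        raise ValueError("%s does not support %s" % (name, op))
    elif kind == "integer":
        state[name] = int(value)
    elif kind == "string":
        state[name] = value
    else:
        raise ValueError("flag %s takes no value" % name)


def apply_defaults(lines, user, host, cmnd, runas):
    """Evaluate Default_Entry lines for one request and return the settings."""
    parsed = []
    for line in lines:
        m = ENTRY_RE.match(line.strip())
        if not m:
            raise ValueError("unsupported Defaults line %r" % line)
        typ, scope, params = m.groups()
        parsed.append((typ or "", scope or "", params))
    parsed.sort(key=lambda p: TYPE_ORDER[p[0]])  # stable: file order per class
    request = {"@": host, ":": user, "!": cmnd, ">": runas}
    state = {}
    for typ, scope, params in parsed:
        if typ and request[typ] not in [s.strip() for s in scope.split(",")]:
            continue
        for param in _split_params(params):
            _apply_param(state, param)
    return state


# Constructed sudoers Defaults lines (not from a real installation).
SAMPLE_DEFAULTS = [
    'Defaults!/usr/bin/vi env_keep -= "EDITOR"',
    'Defaults env_reset, passwd_tries=3, env_keep = "EDITOR PAGER"',
    'Defaults>root env_keep += "TZ"',
    'Defaults:alice !env_reset, mailto="secops@example.com"',
    'Defaults@boulder env_keep -= "NOTSET"',
]

if __name__ == "__main__":
    print(apply_defaults(SAMPLE_DEFAULTS, "alice", "boulder", "/usr/bin/vi", "root"))
```

The sample shows the ordering rule at work: the command Defaults line appears first in the file but is applied last, so EDITOR is removed from env_keep after the runas line has added TZ.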
833: .Ss User specification
834: .Bd -literal
835: User_Spec ::= User_List Host_List '=' Cmnd_Spec_List \e
836: (':' Host_List '=' Cmnd_Spec_List)*
837:
838: Cmnd_Spec_List ::= Cmnd_Spec |
839: Cmnd_Spec ',' Cmnd_Spec_List
840:
841: Cmnd_Spec ::= Runas_Spec? SELinux_Spec? Solaris_Priv_Spec? Tag_Spec* Cmnd
842:
843: Runas_Spec ::= '(' Runas_List? (':' Runas_List)? ')'
844:
845: SELinux_Spec ::= ('ROLE=role' | 'TYPE=type')
846:
847: Solaris_Priv_Spec ::= ('PRIVS=privset' | 'LIMITPRIVS=privset')
848:
849: Tag_Spec ::= ('NOPASSWD:' | 'PASSWD:' | 'NOEXEC:' | 'EXEC:' |
850: 'SETENV:' | 'NOSETENV:' | 'LOG_INPUT:' | 'NOLOG_INPUT:' |
851: 'LOG_OUTPUT:' | 'NOLOG_OUTPUT:')
852: .Ed
853: .Pp
854: A
855: .Sy user specification
856: determines which commands a user may run
857: (and as what user) on specified hosts.
858: By default, commands are
859: run as
860: .Sy root ,
861: but this can be changed on a per-command basis.
862: .Pp
863: The basic structure of a user specification is
864: .Dq who where = (as_whom) what .
865: Let's break that down into its constituent parts:
866: .Ss Runas_Spec
867: A
868: .Li Runas_Spec
869: determines the user and/or the group that a command
870: may be run as.
871: A fully-specified
872: .Li Runas_Spec
873: consists of two
874: .Li Runas_List Ns No s
875: (as defined above) separated by a colon
876: .Pq Ql :\&
877: and enclosed in a set of parentheses.
878: The first
879: .Li Runas_List
880: indicates
881: which users the command may be run as via
882: .Nm sudo Ns No 's
883: .Fl u
884: option.
885: The second defines a list of groups that can be specified via
886: .Nm sudo Ns No 's
887: .Fl g
888: option.
889: If both
890: .Li Runas_List Ns No s
891: are specified, the command may be run with any combination of users
892: and groups listed in their respective
893: .Li Runas_List Ns No s.
894: If only the first is specified, the command may be run as any user
895: in the list but no
896: .Fl g
897: option
898: may be specified.
899: If the first
900: .Li Runas_List
901: is empty but the
902: second is specified, the command may be run as the invoking user
903: with the group set to any listed in the
904: .Li Runas_List .
905: If both
906: .Li Runas_List Ns No s
907: are empty, the command may only be run as the invoking user.
908: If no
909: .Li Runas_Spec
910: is specified the command may be run as
911: .Sy root
912: and
913: no group may be specified.
914: .Pp
915: A
916: .Li Runas_Spec
917: sets the default for the commands that follow it.
918: What this means is that for the entry:
919: .Bd -literal
920: dgb boulder = (operator) /bin/ls, /bin/kill, /usr/bin/lprm
921: .Ed
922: .Pp
923: The user
924: .Sy dgb
925: may run
926: .Pa /bin/ls ,
927: .Pa /bin/kill ,
928: and
929: .Pa /usr/bin/lprm Ns No \(em Ns but
930: only as
931: .Sy operator .
932: E.g.,
933: .Bd -literal
934: $ sudo -u operator /bin/ls
935: .Ed
936: .Pp
937: It is also possible to override a
938: .Li Runas_Spec
939: later on in an entry.
940: If we modify the entry like so:
941: .Bd -literal
942: dgb boulder = (operator) /bin/ls, (root) /bin/kill, /usr/bin/lprm
943: .Ed
944: .Pp
945: Then user
946: .Sy dgb
947: is now allowed to run
948: .Pa /bin/ls
949: as
950: .Sy operator ,
951: but
952: .Pa /bin/kill
953: and
954: .Pa /usr/bin/lprm
955: as
956: .Sy root .
957: .Pp
958: We can extend this to allow
959: .Sy dgb
960: to run
961: .Li /bin/ls
962: with either
963: the user or group set to
964: .Sy operator :
965: .Bd -literal
966: dgb boulder = (operator : operator) /bin/ls, (root) /bin/kill,\e
967: /usr/bin/lprm
968: .Ed
969: .Pp
970: Note that while the group portion of the
971: .Li Runas_Spec
972: permits the
973: user to run the command with that group, it does not force the user
974: to do so.
975: If no group is specified on the command line, the command
976: will run with the group listed in the target user's password database
977: entry.
978: The following would all be permitted by the sudoers entry above:
979: .Bd -literal
980: $ sudo -u operator /bin/ls
981: $ sudo -u operator -g operator /bin/ls
982: $ sudo -g operator /bin/ls
983: .Ed
984: .Pp
985: In the following example, user
986: .Sy tcm
987: may run commands that access
988: a modem device file with the dialer group.
989: .Bd -literal
990: tcm boulder = (:dialer) /usr/bin/tip, /usr/bin/cu,\e
991: /usr/local/bin/minicom
992: .Ed
993: .Pp
994: Note that in this example only the group will be set, the command
995: still runs as user
996: .Sy tcm .
997: E.g.\&
998: .Bd -literal
999: $ sudo -g dialer /usr/bin/cu
1000: .Ed
1001: .Pp
1002: Multiple users and groups may be present in a
1003: .Li Runas_Spec ,
1004: in which case the user may select any combination of users and groups via the
1005: .Fl u
1006: and
1007: .Fl g
1008: options.
1009: In this example:
1010: .Bd -literal
1011: alan ALL = (root, bin : operator, system) ALL
1012: .Ed
1013: .Pp
1014: user
1015: .Sy alan
1016: may run any command as either user root or bin,
1017: optionally setting the group to operator or system.
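.Pp
The Runas_Spec rules above, including the way a Runas_Spec sets the default for the
commands that follow it, and the tag inheritance described under Tag_Spec below, are
worked through in the following Python.
It is an added example for this page, not code from sudo, and handles only the
simplified form used in the examples here: one user name, one host name, no aliases,
groups, netgroups, SELinux or Solaris parts, and no escaped commas in command arguments.
The requests in its main block reuse the entries from the text above.

```python
import re

# Opposite tag pairs from the Tag_Spec section: setting one clears the other.
TAG_OPPOSITES = {
    "NOPASSWD": "PASSWD", "PASSWD": "NOPASSWD",
    "NOEXEC": "EXEC", "EXEC": "NOEXEC",
    "SETENV": "NOSETENV", "NOSETENV": "SETENV",
    "LOG_INPUT": "NOLOG_INPUT", "NOLOG_INPUT": "LOG_INPUT",
    "LOG_OUTPUT": "NOLOG_OUTPUT", "NOLOG_OUTPUT": "LOG_OUTPUT",
}

# User_Spec ::= User_List Host_List '=' Cmnd_Spec_List, restricted to a
# single user name and host name (no aliases or ':' continuations).
SPEC_RE = re.compile(r"^(\S+)\s+(\S+)\s*=\s*(.+)$")
# Cmnd_Spec ::= Runas_Spec? Tag_Spec* Cmnd (SELinux and Solaris parts omitted)
CMND_RE = re.compile(r"^(?:\(([^)]*)\)\s*)?((?:[A-Z_]+:\s*)*)(\S.*)$")


def _split_cmnd_specs(text):
    """Split on commas that are not inside a parenthesised Runas_Spec."""
    items, depth, cur = [], 0, []
    for ch in text:
        depth += {"(": 1, ")": -1}.get(ch, 0)
        if ch == "," and depth == 0:
            items.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
    items.append("".join(cur))
    return [i.strip() for i in items if i.strip()]


def _names(text):
    return [n.strip() for n in text.split(",") if n.strip()]


def parse_user_spec(line):
    """Expand one User_Spec line into per-command entries.

    A Runas_Spec or tag sets the default for the commands that follow it,
    so each entry records the Runas_Spec and tags in force at that point.
    """
    m = SPEC_RE.match(line.strip())
    if not m:
        raise ValueError("unsupported User_Spec: %r" % line)
    user, host, cmnd_specs = m.groups()
    # No Runas_Spec means "as root, and no group may be specified".
    runas_users, runas_groups, tags = ["root"], [], set()
    entries = []
    for item in _split_cmnd_specs(cmnd_specs):
        cm = CMND_RE.match(item)
        if not cm:
            raise ValueError("unsupported Cmnd_Spec: %r" % item)
        runas, tag_text, cmnd = cm.groups()
        if runas is not None:
            users_part, _, groups_part = runas.partition(":")
            runas_users, runas_groups = _names(users_part), _names(groups_part)
        for tag in re.findall(r"[A-Z_]+(?=:)", tag_text):
            if tag not in TAG_OPPOSITES:
                raise ValueError("unknown tag %r" % tag)
            tags.discard(TAG_OPPOSITES[tag])
            tags.add(tag)
        entries.append({"user": user, "host": host, "cmnd": cmnd.strip(),
                        "runas_users": list(runas_users),
                        "runas_groups": list(runas_groups), "tags": set(tags)})
    return entries


def check(entries, invoking_user, host, cmnd, runas_user=None, runas_group=None):
    """Evaluate "sudo [-u runas_user] [-g runas_group] cmnd" on host.

    Returns (allowed, effective_user, effective_group, password_required).
    When several entries match, the last one wins.
    """
    verdict = (False, None, None, True)
    for e in entries:
        if e["user"] != invoking_user or e["host"] not in ("ALL", host):
            continue
        if e["cmnd"] not in ("ALL", cmnd):
            continue
        users, groups = e["runas_users"], e["runas_groups"]
        if runas_user is not None:
            if runas_user not in users and "ALL" not in users:
                continue  # -u target is not in the first Runas_List
            eff_user = runas_user
        elif runas_group is not None or not users:
            eff_user = invoking_user  # -g only, or an empty first Runas_List
        elif "root" in users or "ALL" in users:
            eff_user = "root"  # no -u given: the default target is root
        else:
            continue
        if runas_group is not None and runas_group not in groups and "ALL" not in groups:
            continue  # -g group is not in the second Runas_List
        verdict = (True, eff_user, runas_group, "NOPASSWD" not in e["tags"])
    return verdict


if __name__ == "__main__":
    dgb = parse_user_spec("dgb boulder = (operator : operator) /bin/ls, (root) /bin/kill, /usr/bin/lprm")
    print(check(dgb, "dgb", "boulder", "/bin/ls", runas_group="operator"))
    print(check(dgb, "dgb", "boulder", "/usr/bin/lprm"))
```

The verdict for /usr/bin/lprm shows the inheritance rule: no Runas_Spec precedes it directly, so it takes the (root) set on /bin/kill rather than the (operator : operator) at the start of the line.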
1018: .Ss SELinux_Spec
1019: On systems with SELinux support,
1020: .Em sudoers
1021: entries may optionally have an SELinux role and/or type associated
1022: with a command.
1023: If a role or
1024: type is specified with the command it will override any default values
1025: specified in
1026: .Em sudoers .
1027: A role or type specified on the command line,
1028: however, will supersede the values in
1029: .Em sudoers .
1030: .Ss Solaris_Priv_Spec
1031: On Solaris systems,
1032: .Em sudoers
1033: entries may optionally specify Solaris privilege set and/or limit
1034: privilege set associated with a command.
1035: If privileges or limit privileges are specified with the command
1036: it will override any default values specified in
1037: .Em sudoers .
1038: .Pp
1039: A privilege set is a comma-separated list of privilege names.
1040: The
1041: .Xr ppriv 1
1042: command can be used to list all privileges known to the system.
1043: For example:
1044: .Bd -literal
1045: $ ppriv -l
1046: .Ed
1047: .Pp
1048: In addition, there are several
1049: .Dq special
1050: privilege strings:
1051: .Bl -tag -width 8n
1052: .It none
1053: the empty set
1054: .It all
1055: the set of all privileges
1056: .It zone
1057: the set of all privileges available in the current zone
1058: .It basic
1059: the default set of privileges normal users are granted at login time
1060: .El
1061: .Pp
1062: Privileges can be excluded from a set by prefixing the privilege
1063: name with either an
1064: .Ql \&!
1065: or
1066: .Ql \-
1067: character.
1068: .Ss Tag_Spec
1069: A command may have zero or more tags associated with it.
1070: There are
1071: ten possible tag values:
1072: .Li NOPASSWD ,
1073: .Li PASSWD ,
1074: .Li NOEXEC ,
1075: .Li EXEC ,
1076: .Li SETENV ,
1077: .Li NOSETENV ,
1078: .Li LOG_INPUT ,
1079: .Li NOLOG_INPUT ,
1080: .Li LOG_OUTPUT
1081: and
1082: .Li NOLOG_OUTPUT .
1083: Once a tag is set on a
1084: .Li Cmnd ,
1085: subsequent
1086: .Li Cmnd Ns No s
1087: in the
1088: .Li Cmnd_Spec_List ,
1089: inherit the tag unless it is overridden by the opposite tag (in other words,
1090: .Li PASSWD
1091: overrides
1092: .Li NOPASSWD
1093: and
1094: .Li NOEXEC
1095: overrides
1096: .Li EXEC ) .
1.1.1.2 misho 1097: .Bl -hang -width 0n
1098: .It Em NOPASSWD No and Em PASSWD
1099: .sp
1.1 misho 1100: By default,
1101: .Nm sudo
1102: requires that a user authenticate him or herself
1103: before running a command.
1104: This behavior can be modified via the
1105: .Li NOPASSWD
1106: tag.
1107: Like a
1108: .Li Runas_Spec ,
1109: the
1110: .Li NOPASSWD
1111: tag sets
1112: a default for the commands that follow it in the
1113: .Li Cmnd_Spec_List .
1114: Conversely, the
1115: .Li PASSWD
1116: tag can be used to reverse this.
1117: For example:
1118: .Bd -literal
1119: ray rushmore = NOPASSWD: /bin/kill, /bin/ls, /usr/bin/lprm
1120: .Ed
1121: .Pp
1122: would allow the user
1123: .Sy ray
1124: to run
1125: .Pa /bin/kill ,
1126: .Pa /bin/ls ,
1127: and
1128: .Pa /usr/bin/lprm
1129: as
1130: .Sy root
1131: on the machine rushmore without authenticating himself.
1132: If we only want
1133: .Sy ray
1134: to be able to
1135: run
1136: .Pa /bin/kill
1137: without a password the entry would be:
1138: .Bd -literal
1139: ray rushmore = NOPASSWD: /bin/kill, PASSWD: /bin/ls, /usr/bin/lprm
1140: .Ed
1141: .Pp
1142: Note, however, that the
1143: .Li PASSWD
1144: tag has no effect on users who are in the group specified by the
1145: .Em exempt_group
1146: option.
1147: .Pp
1148: By default, if the
1149: .Li NOPASSWD
1150: tag is applied to any of the entries for a user on the current host,
1151: he or she will be able to run
1152: .Dq Li sudo -l
1153: without a password.
1154: Additionally, a user may only run
1155: .Dq Li sudo -v
1156: without a password if the
1157: .Li NOPASSWD
1158: tag is present for all of a user's entries that pertain to the current host.
1159: This behavior may be overridden via the
1160: .Em verifypw
1161: and
1162: .Em listpw
1163: options.
1.1.1.2 misho 1164: .It Em NOEXEC No and Em EXEC
1165: .sp
1.1 misho 1166: If
1167: .Nm sudo
1168: has been compiled with
1169: .Em noexec
1170: support and the underlying operating system supports it, the
1171: .Li NOEXEC
1172: tag can be used to prevent a dynamically-linked executable from
1173: running further commands itself.
1174: .Pp
1175: In the following example, user
1176: .Sy aaron
1177: may run
1178: .Pa /usr/bin/more
1179: and
1180: .Pa /usr/bin/vi
1181: but shell escapes will be disabled.
1182: .Bd -literal
1183: aaron shanty = NOEXEC: /usr/bin/more, /usr/bin/vi
1184: .Ed
1185: .Pp
1186: See the
1187: .Sx Preventing shell escapes
1188: section below for more details on how
1189: .Li NOEXEC
1190: works and whether or not it will work on your system.
1.1.1.2 misho 1191: .It Em SETENV No and Em NOSETENV
1192: .sp
1.1 misho 1193: These tags override the value of the
1194: .Em setenv
1195: option on a per-command basis.
1196: Note that if
1197: .Li SETENV
1198: has been set for a command, the user may disable the
1199: .Em env_reset
1200: option from the command line via the
1201: .Fl E
1202: option.
1203: Additionally, environment variables set on the command
1204: line are not subject to the restrictions imposed by
1205: .Em env_check ,
1206: .Em env_delete ,
1207: or
1208: .Em env_keep .
1209: As such, only trusted users should be allowed to set variables in this manner.
1210: If the command matched is
1211: .Sy ALL ,
1212: the
1213: .Li SETENV
1214: tag is implied for that command; this default may be overridden by use of the
1215: .Li NOSETENV
1216: tag.
1.1.1.2 misho 1217: .It Em LOG_INPUT No and Em NOLOG_INPUT
1218: .sp
1.1 misho 1219: These tags override the value of the
1220: .Em log_input
1221: option on a per-command basis.
1222: For more information, see the description of
1223: .Em log_input
1224: in the
1225: .Sx SUDOERS OPTIONS
1226: section below.
1.1.1.2 misho 1227: .It Em LOG_OUTPUT No and Em NOLOG_OUTPUT
1228: .sp
1.1 misho 1229: These tags override the value of the
1230: .Em log_output
1231: option on a per-command basis.
1232: For more information, see the description of
1233: .Em log_output
1234: in the
1235: .Sx SUDOERS OPTIONS
1236: section below.
1.1.1.2 misho 1237: .El
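.Pp
The tag inheritance rule above is easy to get wrong when reading a long
Cmnd_Spec_List, so the following C program, added here as an illustration
and not part of the sudoers manual or of sudo's own parser, walks such a
list and reports which tags are in force for each command. It understands
only the ten tag keywords, commas and the built-in ALL; Runas_Spec
prefixes and the "!" operator are not handled, and the tags_t field names
and the tag_of() helper are this example's own.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Tag state for one command.  -1 means the tag was never set, so the
 * Defaults value (e.g. the authenticate or noexec flag) applies. */
typedef struct {
    int passwd;     /* 0 = NOPASSWD, 1 = PASSWD */
    int noexec;     /* 1 = NOEXEC,   0 = EXEC */
    int setenv;     /* 1 = SETENV,   0 = NOSETENV */
    int log_input;  /* 1 = LOG_INPUT,  0 = NOLOG_INPUT */
    int log_output; /* 1 = LOG_OUTPUT, 0 = NOLOG_OUTPUT */
} tags_t;

typedef struct {
    char cmd[128];
    tags_t tags;
} cmnd_spec_t;

/* Apply one of the ten tag keywords; returns 0 if word is not a tag. */
static int apply_tag(tags_t *t, const char *word)
{
    if (strcmp(word, "NOPASSWD") == 0)          t->passwd = 0;
    else if (strcmp(word, "PASSWD") == 0)       t->passwd = 1;
    else if (strcmp(word, "NOEXEC") == 0)       t->noexec = 1;
    else if (strcmp(word, "EXEC") == 0)         t->noexec = 0;
    else if (strcmp(word, "SETENV") == 0)       t->setenv = 1;
    else if (strcmp(word, "NOSETENV") == 0)     t->setenv = 0;
    else if (strcmp(word, "LOG_INPUT") == 0)    t->log_input = 1;
    else if (strcmp(word, "NOLOG_INPUT") == 0)  t->log_input = 0;
    else if (strcmp(word, "LOG_OUTPUT") == 0)   t->log_output = 1;
    else if (strcmp(word, "NOLOG_OUTPUT") == 0) t->log_output = 0;
    else return 0;
    return 1;
}

/* Parse "NOPASSWD: /bin/kill, PASSWD: /bin/ls, /usr/bin/lprm" into out[].
 * A tag stays in force for every following command until the opposite
 * tag replaces it.  Returns the number of commands, or -1 on error. */
int parse_cmnd_spec_list(const char *list, cmnd_spec_t *out, int max)
{
    tags_t cur = { -1, -1, -1, -1, -1 };
    const char *p = list;
    int n = 0;

    while (n < max) {
        while (*p == ' ' || *p == '\t' || *p == ',')
            p++;                             /* separators and white space */
        if (*p == '\0')
            break;
        for (;;) {                           /* zero or more "TAG:" prefixes */
            char word[16];
            size_t len = 0;
            while (len < sizeof word - 1 &&
                   (isupper((unsigned char)p[len]) || p[len] == '_')) {
                word[len] = p[len];
                len++;
            }
            word[len] = '\0';
            if (len == 0 || p[len] != ':' || !apply_tag(&cur, word))
                break;                       /* not a tag: the command starts here */
            p += len + 1;
            while (*p == ' ' || *p == '\t')
                p++;
        }
        {
            size_t len = strcspn(p, ",");    /* command text up to the next comma */
            size_t cl = len;
            while (cl > 0 && (p[cl - 1] == ' ' || p[cl - 1] == '\t'))
                cl--;                        /* trim trailing white space */
            if (cl == 0 || cl >= sizeof out[n].cmd)
                return -1;
            memcpy(out[n].cmd, p, cl);
            out[n].cmd[cl] = '\0';
            out[n].tags = cur;
            /* ALL implies SETENV unless NOSETENV was given explicitly. */
            if (cur.setenv == -1 && strcmp(out[n].cmd, "ALL") == 0)
                out[n].tags.setenv = 1;
            n++;
            p += len;
        }
    }
    return n;
}

/* The named tag of command i in list, or -2 if unparsable/out of range. */
int tag_of(const char *list, int i, const char *which)
{
    cmnd_spec_t specs[16];
    int n = parse_cmnd_spec_list(list, specs, 16);
    if (n < 0 || i < 0 || i >= n) return -2;
    if (strcmp(which, "passwd") == 0)     return specs[i].tags.passwd;
    if (strcmp(which, "noexec") == 0)     return specs[i].tags.noexec;
    if (strcmp(which, "setenv") == 0)     return specs[i].tags.setenv;
    if (strcmp(which, "log_input") == 0)  return specs[i].tags.log_input;
    if (strcmp(which, "log_output") == 0) return specs[i].tags.log_output;
    return -2;
}

int main(void)
{
    const char *list = "NOPASSWD: /bin/kill, PASSWD: /bin/ls, /usr/bin/lprm";
    cmnd_spec_t specs[16];
    int n = parse_cmnd_spec_list(list, specs, 16);
    for (int i = 0; i < n; i++)             /* lprm inherits PASSWD from ls */
        printf("%-16s passwd=%2d noexec=%2d setenv=%2d\n", specs[i].cmd,
               specs[i].tags.passwd, specs[i].tags.noexec, specs[i].tags.setenv);
    return 0;
}
```

Running it on the second NOPASSWD example from the text shows /usr/bin/lprm
carrying the PASSWD tag set for /bin/ls, which is exactly the inheritance the
text describes; with the first example all three commands end up NOPASSWD.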
1.1 misho 1238: .Ss Wildcards
1239: .Nm sudo
1240: allows shell-style
1241: .Em wildcards
1242: (aka meta or glob characters)
1243: to be used in host names, path names and command line arguments in the
1244: .Em sudoers
1245: file.
1246: Wildcard matching is done via the
1247: .Xr glob 3
1248: and
1249: .Xr fnmatch 3
1.1.1.2 misho 1250: functions as specified by
1251: .St -p1003.1 .
1.1 misho 1252: Note that these are
1253: .Em not
1254: regular expressions.
1255: .Bl -tag -width 8n
1256: .It Li *
1257: Matches any set of zero or more characters.
1258: .It Li \&?
1259: Matches any single character.
1260: .It Li [...]
1261: Matches any character in the specified range.
1262: .It Li [!...]
1263: Matches any character
1264: .Sy not
1265: in the specified range.
1266: .It Li \ex
1267: For any character
1268: .Sq x ,
1269: evaluates to
1270: .Sq x .
1271: This is used to escape special characters such as:
1272: .Ql * ,
1273: .Ql \&? ,
1274: .Ql [\& ,
1275: and
1276: .Ql ]\& .
1277: .El
1278: .Pp
1.1.1.2 misho 1279: Character classes may also be used if your system's
1.1 misho 1280: .Xr glob 3
1281: and
1282: .Xr fnmatch 3
1283: functions support them.
1284: However, because the
1285: .Ql :\&
1286: character has special meaning in
1287: .Em sudoers ,
1288: it must be
1289: escaped.
1290: For example:
1291: .Bd -literal -offset 4n
1292: /bin/ls [[\e:alpha\e:]]*
1293: .Ed
1294: .Pp
1295: Would match any file name beginning with a letter.
1296: .Pp
1297: Note that a forward slash
1298: .Pq Ql /
1299: will
1300: .Sy not
1301: be matched by
1302: wildcards used in the path name.
1303: This is to make a path like:
1304: .Bd -literal -offset 4n
1305: /usr/bin/*
1306: .Ed
1307: .Pp
1308: match
1309: .Pa /usr/bin/who
1310: but not
1311: .Pa /usr/bin/X11/xterm .
1312: .Pp
1313: When matching the command line arguments, however, a slash
1314: .Sy does
1315: get matched by wildcards since command line arguments may contain
1316: arbitrary strings and not just path names.
1317: .Pp
1318: Wildcards in command line arguments should be used with care.
1319: Because command line arguments are matched as a single, concatenated
1320: string, a wildcard such as
1321: .Ql \&?
1322: or
1323: .Ql *
1324: can match multiple words.
1325: For example, while a sudoers entry like:
1326: .Bd -literal -offset 4n
1327: %operator ALL = /bin/cat /var/log/messages*
1328: .Ed
1329: .Pp
1330: will allow a command like:
1331: .Bd -literal -offset 4n
1332: $ sudo cat /var/log/messages.1
1333: .Ed
1334: .Pp
1335: It will also allow:
1336: .Bd -literal -offset 4n
1337: $ sudo cat /var/log/messages /etc/shadow
1338: .Ed
1339: .Pp
1340: which is probably not what was intended.
1341: .Ss Exceptions to wildcard rules
1342: The following exceptions apply to the above rules:
1343: .Bl -tag -width 8n
1344: .It Li \&""
1345: If the empty string
1346: .Li \&""
1347: is the only command line argument in the
1348: .Em sudoers
1349: entry it means that command is not allowed to be run with
1350: .Sy any
1351: arguments.
1352: .It sudoedit
1353: Command line arguments to the
1354: .Em sudoedit
1355: built-in command should always be path names, so a forward slash
1356: .Pq Ql /
1357: will not be matched by a wildcard.
1358: .El
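.Pp
The difference between path-name matching (a wildcard never matches a
slash) and argument matching (the arguments are one concatenated string, so
a wildcard can span words) is what makes the /var/log/messages* entry above
over-match. The following C program, an added example rather than sudo's
own matching code, uses the fnmatch(3) function named in the text to show
both rules, the "" no-arguments exception, and a character class; the
rule_allows() helper and its arg_pattern conventions are this example's
own, and joining the arguments with single spaces is an assumption. Note
that in C the character class is written [[:alpha:]]; the backslashes before
the colons are only needed inside the sudoers file.

```c
#include <fnmatch.h>
#include <stdio.h>

/* Path names: FNM_PATHNAME makes '*', '?' and [...] stop at a '/',
 * which is the behaviour the manual describes for command paths. */
int path_matches(const char *pattern, const char *path)
{
    return fnmatch(pattern, path, FNM_PATHNAME) == 0;
}

/* Arguments: matched as one string (assumed here to be the arguments
 * joined by single spaces) and without FNM_PATHNAME, so a wildcard
 * spans both '/' and word boundaries. */
int args_match(const char *pattern, const char *joined_args)
{
    return fnmatch(pattern, joined_args, 0) == 0;
}

/* Decide whether one sudoers Cmnd entry allows a command line.
 *   arg_pattern == NULL  the entry lists no arguments: any are allowed
 *   arg_pattern == ""    the entry's only argument is "": none allowed
 *   otherwise            fnmatch() over the whole joined argument string
 * args is the user's joined argument string, NULL or "" for none. */
int rule_allows(const char *cmd_pattern, const char *arg_pattern,
                const char *cmd, const char *args)
{
    int no_args = (args == NULL || args[0] == '\0');
    if (!path_matches(cmd_pattern, cmd))
        return 0;
    if (arg_pattern == NULL)
        return 1;
    if (arg_pattern[0] == '\0')
        return no_args;
    return !no_args && args_match(arg_pattern, args);
}

int main(void)
{
    /* Constructed sample entries and command lines (not from a real sudoers). */
    static const struct {
        const char *cmd_pat, *arg_pat, *cmd, *args;
    } cases[] = {
        { "/usr/bin/*", NULL, "/usr/bin/who", NULL },
        { "/usr/bin/*", NULL, "/usr/bin/X11/xterm", NULL },
        { "/bin/cat", "/var/log/messages*", "/bin/cat", "/var/log/messages.1" },
        { "/bin/cat", "/var/log/messages*", "/bin/cat", "/var/log/messages /etc/shadow" },
        { "/bin/cat", "/var/log/messages.[0-9]", "/bin/cat", "/var/log/messages /etc/shadow" },
        { "/bin/ls", "[[:alpha:]]*", "/bin/ls", "README" },
        { "/bin/ls", "[[:alpha:]]*", "/bin/ls", "/etc" },
        { "/bin/ls", "", "/bin/ls", "-la" },
    };
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++)
        printf("%-12s %-24s | %s %s -> %s\n", cases[i].cmd_pat,
               cases[i].arg_pat ? cases[i].arg_pat : "(any)", cases[i].cmd,
               cases[i].args ? cases[i].args : "",
               rule_allows(cases[i].cmd_pat, cases[i].arg_pat,
                           cases[i].cmd, cases[i].args) ? "allowed" : "denied");
    return 0;
}
```

The fifth case shows the usual remedy for the over-match: a pattern such as
/var/log/messages.[0-9] contains no '*' that could swallow a second word, so
"cat /var/log/messages /etc/shadow" is refused while "cat /var/log/messages.1"
still matches.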
1359: .Ss Including other files from within sudoers
1360: It is possible to include other
1361: .Em sudoers
1362: files from within the
1363: .Em sudoers
1364: file currently being parsed using the
1365: .Li #include
1366: and
1367: .Li #includedir
1368: directives.
1369: .Pp
1370: This can be used, for example, to keep a site-wide
1371: .Em sudoers
1372: file in addition to a local, per-machine file.
1373: For the sake of this example the site-wide
1374: .Em sudoers
1375: will be
1376: .Pa /etc/sudoers
1377: and the per-machine one will be
1378: .Pa /etc/sudoers.local .
1379: To include
1380: .Pa /etc/sudoers.local
1381: from within
1382: .Pa /etc/sudoers
1383: we would use the
1384: following line in
1385: .Pa /etc/sudoers :
1386: .Bd -literal -offset 4n
1387: #include /etc/sudoers.local
1388: .Ed
1389: .Pp
1390: When
1391: .Nm sudo
1392: reaches this line it will suspend processing of the current file
1393: .Pq Pa /etc/sudoers
1394: and switch to
1395: .Pa /etc/sudoers.local .
1396: Upon reaching the end of
1397: .Pa /etc/sudoers.local ,
1398: the rest of
1399: .Pa /etc/sudoers
1400: will be processed.
1401: Files that are included may themselves include other files.
1402: A hard limit of 128 nested include files is enforced to prevent include
1403: file loops.
1404: .Pp
1405: If the path to the include file is not fully-qualified (does not
1406: begin with a
1407: .Ql / ) ,
1408: it must be located in the same directory as the sudoers file it was
1409: included from.
1410: For example, if
1411: .Pa /etc/sudoers
1412: contains the line:
1413: .Bd -literal -offset 4n
1414: .Li #include sudoers.local
1415: .Ed
1416: .Pp
1417: the file that will be included is
1418: .Pa /etc/sudoers.local .
1419: .Pp
1420: The file name may also include the
1421: .Li %h
1422: escape, signifying the short form of the host name.
1423: In other words, if the machine's host name is
1424: .Dq xerxes ,
1425: then
1426: .Bd -literal -offset 4n
1427: #include /etc/sudoers.%h
1428: .Ed
1429: .Pp
1430: will cause
1431: .Nm sudo
1432: to include the file
1433: .Pa /etc/sudoers.xerxes .
1434: .Pp
1435: The
1436: .Li #includedir
1437: directive can be used to create a
1438: .Pa sudo.d
1439: directory that the system package manager can drop
1440: .Em sudoers
1441: rules
1442: into as part of package installation.
1443: For example, given:
1444: .Bd -literal -offset 4n
1445: #includedir /etc/sudoers.d
1446: .Ed
1447: .Pp
1448: .Nm sudo
1449: will read each file in
1450: .Pa /etc/sudoers.d ,
1451: skipping file names that end in
1452: .Ql ~
1453: or contain a
1454: .Ql .\&
1455: character to avoid causing problems with package manager or editor
1456: temporary/backup files.
1457: Files are parsed in sorted lexical order.
1458: That is,
1459: .Pa /etc/sudoers.d/01_first
1460: will be parsed before
1461: .Pa /etc/sudoers.d/10_second .
1462: Be aware that because the sorting is lexical, not numeric,
1463: .Pa /etc/sudoers.d/1_whoops
1464: would be loaded
1465: .Sy after
1466: .Pa /etc/sudoers.d/10_second .
1467: Using a consistent number of leading zeroes in the file names can be used
1468: to avoid such problems.
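.Pp
Because the parse order of a #includedir directory decides which Defaults
and rules win, it is worth checking it before relying on it. The following
C program is an added example (not sudo's own directory-reading code) that
applies the two skip rules stated above and sorts the remaining names with
strcmp(3), which gives the byte-wise lexical order the text describes. The
sample_dir listing is constructed for the example, and includedir_skips(),
includedir_order(), sample_nth() and sample_count() are names of this
example only.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Return 1 if #includedir would skip this file name: names ending in '~'
 * or containing a '.' are treated as editor or package-manager leftovers. */
int includedir_skips(const char *name)
{
    size_t len = strlen(name);
    if (len == 0 || name[len - 1] == '~')
        return 1;
    return strchr(name, '.') != NULL;
}

static int by_strcmp(const void *a, const void *b)
{
    return strcmp(*(const char *const *)a, *(const char *const *)b);
}

/* Copy the names that are not skipped into out[] in the order they would
 * be parsed (lexical, byte-wise, so "10_second" sorts before "1_whoops").
 * Returns the number of names copied. */
int includedir_order(const char *const *names, int n, const char **out)
{
    int kept = 0;
    for (int i = 0; i < n; i++)
        if (!includedir_skips(names[i]))
            out[kept++] = names[i];
    qsort(out, (size_t)kept, sizeof out[0], by_strcmp);
    return kept;
}

/* Constructed sample listing of /etc/sudoers.d, not from a real system. */
static const char *const sample_dir[] = {
    "10_second", "1_whoops", "01_first", "README.txt", "05_ops~", "zz_local",
};
#define SAMPLE_N ((int)(sizeof sample_dir / sizeof sample_dir[0]))

/* Number of sample files that would actually be parsed. */
int sample_count(void)
{
    const char *ordered[SAMPLE_N];
    return includedir_order(sample_dir, SAMPLE_N, ordered);
}

/* The i-th sample file in parse order, or NULL when i is out of range. */
const char *sample_nth(int i)
{
    static const char *ordered[SAMPLE_N];
    int kept = includedir_order(sample_dir, SAMPLE_N, ordered);
    return (i >= 0 && i < kept) ? ordered[i] : NULL;
}

int main(void)
{
    int kept = sample_count();
    for (int i = 0; i < kept; i++)          /* 01_first, 10_second, 1_whoops, zz_local */
        printf("%d: %s\n", i + 1, sample_nth(i));
    return 0;
}
```

The output shows README.txt and 05_ops~ being ignored entirely, and
1_whoops landing after 10_second, the pitfall the text warns about; padding
every prefix to the same width (01_whoops) is the fix.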
1469: .Pp
1470: Note that unlike files included via
1471: .Li #include ,
1472: .Nm visudo
1473: will not edit the files in a
1474: .Li #includedir
1475: directory unless one of them contains a syntax error.
1476: It is still possible to run
1477: .Nm visudo
1478: with the
1479: .Fl f
1480: flag to edit the files directly.
1481: .Ss Other special characters and reserved words
1482: The pound sign
1483: .Pq Ql #
1484: is used to indicate a comment (unless it is part of a #include
1485: directive or unless it occurs in the context of a user name and is
1486: followed by one or more digits, in which case it is treated as a
1487: uid).
1488: Both the comment character and any text after it, up to the end of
1489: the line, are ignored.
1490: .Pp
1491: The reserved word
1492: .Sy ALL
1493: is a built-in
1494: .Em alias
1495: that always causes a match to succeed.
1496: It can be used wherever one might otherwise use a
1497: .Li Cmnd_Alias ,
1498: .Li User_Alias ,
1499: .Li Runas_Alias ,
1500: or
1501: .Li Host_Alias .
1502: You should not try to define your own
1503: .Em alias
1504: called
1505: .Sy ALL
1506: as the built-in alias will be used in preference to your own.
1507: Please note that using
1508: .Sy ALL
1509: can be dangerous since in a command context, it allows the user to run
1510: .Sy any
1511: command on the system.
1512: .Pp
1513: An exclamation point
1514: .Pq Ql \&!
1515: can be used as a logical
1516: .Em not
1.1.1.2 misho 1517: operator in a list or
1.1 misho 1518: .Em alias
1.1.1.2 misho 1519: as well as in front of a
1.1 misho 1520: .Li Cmnd .
1521: This allows one to exclude certain values.
1.1.1.2 misho 1522: For the
1523: .Ql \&!
1524: operator to be effective, there must be something for it to exclude.
1525: For example, to match all users except for root one would use:
1526: .Bd -literal -offset 4n
1527: ALL,!root
1528: .Ed
1529: .Pp
1530: If the
1531: .Sy ALL ,
1532: is omitted, as in:
1533: .Bd -literal -offset 4n
1534: !root
1535: .Ed
1536: .Pp
1537: it would explicitly deny root but not match any other users.
1538: This is different from a true
1539: .Dq negation
1540: operator.
1541: .Pp
1.1 misho 1542: Note, however, that using a
1543: .Ql \&!
1544: in conjunction with the built-in
1545: .Sy ALL
1546: alias to allow a user to run
1547: .Dq all but a few
1548: commands rarely works as intended (see
1549: .Sx SECURITY NOTES
1550: below).
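.Pp
The point that "!root" on its own excludes root without admitting anyone
else is easiest to see by evaluating a few lists. The C program below is an
added example, not sudo's own list matching: it evaluates a comma-separated
User_List for a given user name, understanding only ALL, plain user names
and the "!" prefix (groups, netgroups and aliases are out of scope). It
assumes that members are examined last-to-first so a later "!name" takes
precedence over an earlier ALL; the ALLOW, DENY and UNSPEC constants and
user_list_matches() are this example's own names.

```c
#include <stdio.h>
#include <string.h>

#define ALLOW   1
#define DENY    0
#define UNSPEC -1   /* no member matched: callers must treat this as not allowed */

/* Match one list member against a user name: built-in ALL or an exact name. */
static int member_matches(const char *member, const char *user)
{
    return strcmp(member, "ALL") == 0 || strcmp(member, user) == 0;
}

/* Evaluate a User_List such as "ALL,!root" for user.  Members are examined
 * last-to-first (an assumption of this example); the first member that
 * matches yields ALLOW, or DENY if it carried an odd number of '!'
 * prefixes.  If nothing matches the result is UNSPEC. */
int user_list_matches(const char *list, const char *user)
{
    const char *members[32];
    char buf[256];
    int n = 0;

    if (strlen(list) >= sizeof buf)
        return UNSPEC;
    strcpy(buf, list);
    for (char *tok = strtok(buf, ", \t"); tok != NULL && n < 32;
         tok = strtok(NULL, ", \t"))
        members[n++] = tok;

    for (int i = n - 1; i >= 0; i--) {
        const char *m = members[i];
        int negated = 0;
        while (*m == '!') {             /* "!!name" negates twice */
            negated = !negated;
            m++;
        }
        if (member_matches(m, user))
            return negated ? DENY : ALLOW;
    }
    return UNSPEC;
}

int main(void)
{
    /* Constructed lists and user names for the example. */
    const char *lists[] = { "ALL,!root", "!root" };
    const char *users[] = { "alice", "root" };
    for (size_t l = 0; l < 2; l++)
        for (size_t u = 0; u < 2; u++) {
            int r = user_list_matches(lists[l], users[u]);
            printf("%-10s %-6s -> %s\n", lists[l], users[u],
                   r == ALLOW ? "allow" : r == DENY ? "deny" : "unspecified");
        }
    return 0;
}
```

For "ALL,!root" alice is allowed and root is denied; for "!root" root is
still denied but alice gets no match at all, which is why a bare "!root" is
not a usable "everyone except root" rule.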
1551: .Pp
1552: Long lines can be continued with a backslash
1553: .Pq Ql \e
1554: as the last character on the line.
1555: .Pp
1556: White space between elements in a list as well as special syntactic
1557: characters in a
1558: .Em User Specification
1559: .Po
1560: .Ql =\& ,
1561: .Ql :\& ,
1562: .Ql (\& ,
1563: .Ql )\&
1564: .Pc
1565: is optional.
1566: .Pp
1567: The following characters must be escaped with a backslash
1568: .Pq Ql \e
1569: when used as part of a word (e.g.\& a user name or host name):
1570: .Ql \&! ,
1571: .Ql =\& ,
1572: .Ql :\& ,
1573: .Ql ,\& ,
1574: .Ql (\& ,
1575: .Ql )\& ,
1576: .Ql \e .
1577: .Sh SUDOERS OPTIONS
1578: .Nm sudo Ns No 's
1579: behavior can be modified by
1580: .Li Default_Entry
1581: lines, as explained earlier.
1582: All supported Defaults parameters, grouped by type, are listed below.
1583: .Pp
1584: .Sy Boolean Flags :
1585: .Bl -tag -width 16n
1586: .It always_set_home
1587: If enabled,
1588: .Nm sudo
1589: will set the
1590: .Ev HOME
1591: environment variable to the home directory of the target user
1592: (which is root unless the
1593: .Fl u
1594: option is used).
1595: This effectively means that the
1596: .Fl H
1597: option is always implied.
1598: Note that
1599: .Ev HOME
1.1.1.3 ! misho 1600: is already set when the
1.1 misho 1601: .Em env_reset
1602: option is enabled, so
1603: .Em always_set_home
1604: is only effective for configurations where either
1605: .Em env_reset
1606: is disabled or
1607: .Ev HOME
1608: is present in the
1609: .Em env_keep
1610: list.
1611: This flag is
1612: .Em off
1613: by default.
1614: .It authenticate
1615: If set, users must authenticate themselves via a password (or other
1616: means of authentication) before they may run commands.
1617: This default may be overridden via the
1618: .Li PASSWD
1619: and
1620: .Li NOPASSWD
1621: tags.
1622: This flag is
1623: .Em on
1624: by default.
1625: .It closefrom_override
1626: If set, the user may use
1627: .Nm sudo Ns No 's
1628: .Fl C
1629: option which overrides the default starting point at which
1630: .Nm sudo
1631: begins closing open file descriptors.
1632: This flag is
1633: .Em off
1634: by default.
1635: .It compress_io
1636: If set, and
1637: .Nm sudo
1638: is configured to log a command's input or output,
1639: the I/O logs will be compressed using
1640: .Sy zlib .
1641: This flag is
1642: .Em on
1643: by default when
1644: .Nm sudo
1645: is compiled with
1646: .Sy zlib
1647: support.
1.1.1.2 misho 1648: .It exec_background
1649: By default,
1650: .Nm sudo
1651: runs a command as the foreground process as long as
1652: .Nm sudo
1653: itself is running in the foreground.
1654: When the
1655: .Em exec_background
1656: flag is enabled and the command is being run in a pty (due to I/O logging
1657: or the
1658: .Em use_pty
1659: flag), the command will be run as a background process.
1660: Attempts to read from the controlling terminal (or to change terminal
1661: settings) will result in the command being suspended with the
1662: .Dv SIGTTIN
1663: signal (or
1664: .Dv SIGTTOU
1665: in the case of terminal settings).
1666: If this happens when
1667: .Nm sudo
1668: is a foreground process, the command will be granted the controlling terminal
1669: and resumed in the foreground with no user intervention required.
1670: The advantage of initially running the command in the background is that
1671: .Nm sudo
1672: need not read from the terminal unless the command explicitly requests it.
1673: Otherwise, any terminal input must be passed to the command, whether it
1674: has required it or not (the kernel buffers terminals so it is not possible
1675: to tell whether the command really wants the input).
1676: This is different from historic
1677: .Em sudo
1678: behavior or when the command is not being run in a pty.
1679: .Pp
1680: For this to work seamlessly, the operating system must support the
1681: automatic restarting of system calls.
1682: Unfortunately, not all operating systems do this by default,
1683: and even those that do may have bugs.
1684: For example, Mac OS X fails to restart the
1685: .Fn tcgetattr
1686: and
1687: .Fn tcsetattr
1688: system calls (this is a bug in Mac OS X).
1689: Furthermore, because this behavior depends on the command stopping with the
1690: .Dv SIGTTIN
1691: or
1692: .Dv SIGTTOU
1693: signals, programs that catch these signals and suspend themselves
1694: with a different signal (usually
1695: .Dv SIGTSTP )
1696: will not be automatically foregrounded.
1697: Some versions of the Linux
1698: .Xr su 1
1699: command behave this way.
1700: .Pp
1701: This setting is only supported by version 1.8.7 or higher.
1702: It has no effect unless I/O logging is enabled or the
1703: .Em use_pty
1704: flag is enabled.
1.1 misho 1705: .It env_editor
1706: If set,
1707: .Nm visudo
1708: will use the value of the
1709: .Ev EDITOR
1710: or
1711: .Ev VISUAL
1712: environment variables before falling back on the default editor list.
1713: Note that this may create a security hole as it allows the user to
1714: run any arbitrary command as root without logging.
1715: A safer alternative is to place a colon-separated list of editors
1716: in the
1717: .Li editor
1718: variable.
1719: .Nm visudo
1720: will then only use the
1721: .Ev EDITOR
1722: or
1723: .Ev VISUAL
1724: if they match a value specified in
1725: .Li editor .
1726: This flag is
1727: .Em @env_editor@
1728: by
1729: default.
1730: .It env_reset
1731: If set,
1732: .Nm sudo
1733: will run the command in a minimal environment containing the
1734: .Ev TERM ,
1735: .Ev PATH ,
1736: .Ev HOME ,
1737: .Ev MAIL ,
1738: .Ev SHELL ,
1739: .Ev LOGNAME ,
1740: .Ev USER ,
1741: .Ev USERNAME
1742: and
1743: .Ev SUDO_*
1744: variables.
1745: Any
1746: variables in the caller's environment that match the
1747: .Li env_keep
1748: and
1749: .Li env_check
1750: lists are then added, followed by any variables present in the file
1751: specified by the
1752: .Em env_file
1753: option (if any).
1754: The default contents of the
1755: .Li env_keep
1756: and
1757: .Li env_check
1758: lists are displayed when
1759: .Nm sudo
1760: is run by root with the
1761: .Fl V
1762: option.
1763: If the
1764: .Em secure_path
1765: option is set, its value will be used for the
1766: .Ev PATH
1767: environment variable.
1768: This flag is
1769: .Em @env_reset@
1770: by default.
1771: .It fast_glob
1772: Normally,
1773: .Nm sudo
1774: uses the
1775: .Xr glob 3
1776: function to do shell-style globbing when matching path names.
1777: However, since it accesses the file system,
1778: .Xr glob 3
1779: can take a long time to complete for some patterns, especially
1780: when the pattern references a network file system that is mounted
1781: on demand (auto mounted).
1782: The
1783: .Em fast_glob
1784: option causes
1785: .Nm sudo
1786: to use the
1787: .Xr fnmatch 3
1788: function, which does not access the file system to do its matching.
1789: The disadvantage of
1790: .Em fast_glob
1791: is that it is unable to match relative path names such as
1792: .Pa ./ls
1793: or
1794: .Pa ../bin/ls .
1795: This has security implications when path names that include globbing
1796: characters are used with the negation operator,
1797: .Ql !\& ,
1798: as such rules can be trivially bypassed.
1799: As such, this option should not be used when
1800: .Em sudoers
1801: contains rules that contain negated path names which include globbing
1802: characters.
1803: This flag is
1804: .Em off
1805: by default.
1806: .It fqdn
1807: Set this flag if you want to put fully qualified host names in the
1808: .Em sudoers
1809: file when the local host name (as returned by the
1810: .Li hostname
1811: command) does not contain the domain name.
1812: In other words, instead of myhost you would use myhost.mydomain.edu.
1813: You may still use the short form if you wish (and even mix the two).
1814: This option is only effective when the
1815: .Dq canonical
1816: host name, as returned by the
1817: .Fn getaddrinfo
1818: or
1819: .Fn gethostbyname
1820: function, is a fully-qualified domain name.
1821: This is usually the case when the system is configured to use DNS
1822: for host name resolution.
1823: .Pp
1824: If the system is configured to use the
1825: .Pa /etc/hosts
1826: file in preference to DNS, the
1827: .Dq canonical
1828: host name may not be fully-qualified.
1829: The order in which sources are queried for host name resolution
1830: is usually specified in the
1831: .Pa @nsswitch_conf@ ,
1832: .Pa @netsvc_conf@ ,
1833: .Pa /etc/host.conf ,
1834: or, in some cases,
1835: .Pa /etc/resolv.conf
1836: file.
1837: In the
1838: .Pa /etc/hosts
1839: file, the first host name of the entry is considered to be the
1840: .Dq canonical
1841: name; subsequent names are aliases that are not used by
1842: .Nm sudoers .
1843: For example, the following hosts file line for the machine
1844: .Dq xyzzy
1845: has the fully-qualified domain name as the
1846: .Dq canonical
1847: host name, and the short version as an alias.
1848: .sp
1849: .Dl 192.168.1.1 xyzzy.sudo.ws xyzzy
1850: .sp
1851: If the machine's hosts file entry is not formatted properly, the
1852: .Em fqdn
1853: option will not be effective if it is queried before DNS.
1854: .Pp
1855: Beware that when using DNS for host name resolution, turning on
1856: .Em fqdn
1857: requires
1858: .Nm sudoers
1859: to make DNS lookups which renders
1860: .Nm sudo
1861: unusable if DNS stops working (for example if the machine is disconnected
1862: from the network).
1863: Also note that just like with the hosts file, you must use the
1864: .Dq canonical
1865: name as DNS knows it.
1866: That is, you may not use a host alias
1867: .Po
1868: .Li CNAME
1869: entry
1870: .Pc
1871: due to performance issues and the fact that there is no way to get all
1872: aliases from DNS.
1873: .Pp
1874: This flag is
1875: .Em @fqdn@
1876: by default.
1877: .It ignore_dot
1878: If set,
1879: .Nm sudo
1880: will ignore "." or "" (both denoting current directory) in the
1881: .Ev PATH
1882: environment variable; the
1883: .Ev PATH
1884: itself is not modified.
1885: This flag is
1886: .Em @ignore_dot@
1887: by default.
1888: .It ignore_local_sudoers
1889: If set via LDAP, parsing of
1890: .Pa @sysconfdir@/sudoers
1891: will be skipped.
1892: This is intended for enterprises that wish to prevent the usage of local
1893: sudoers files so that only LDAP is used.
1894: This thwarts the efforts of rogue operators who would attempt to add roles to
1895: .Pa @sysconfdir@/sudoers .
1896: When this option is present,
1897: .Pa @sysconfdir@/sudoers
1898: does not even need to exist.
1899: Since this option tells
1900: .Nm sudo
1901: how to behave when no specific LDAP entries have been matched, this
1902: sudoOption is only meaningful for the
1903: .Li cn=defaults
1904: section.
1905: This flag is
1906: .Em off
1907: by default.
1908: .It insults
1909: If set,
1910: .Nm sudo
1911: will insult users when they enter an incorrect password.
1912: This flag is
1913: .Em @insults@
1914: by default.
1915: .It log_host
1916: If set, the host name will be logged in the (non-syslog)
1917: .Nm sudo
1918: log file.
1919: This flag is
1920: .Em off
1921: by default.
1922: .It log_input
1923: If set,
1924: .Nm sudo
1925: will run the command in a
1926: .Em pseudo tty
1927: and log all user input.
1928: If the standard input is not connected to the user's tty, due to
1929: I/O redirection or because the command is part of a pipeline, that
1930: input is also captured and stored in a separate log file.
1931: .Pp
1932: Input is logged to the directory specified by the
1933: .Em iolog_dir
1934: option
1935: .Po
1936: .Pa @iolog_dir@
1937: by default
1938: .Pc
1939: using a unique session ID that is included in the normal
1940: .Nm sudo
1941: log line, prefixed with
1942: .Dq Li TSID= .
1943: The
1944: .Em iolog_file
1945: option may be used to control the format of the session ID.
1946: .Pp
1947: Note that user input may contain sensitive information such as
1948: passwords (even if they are not echoed to the screen), which will
1949: be stored in the log file unencrypted.
1950: In most cases, logging the command output via
1951: .Em log_output
1952: is all that is required.
1953: .It log_output
1954: If set,
1955: .Nm sudo
1956: will run the command in a
1957: .Em pseudo tty
1958: and log all output that is sent to the screen, similar to the
1959: .Xr script 1
1960: command.
1961: If the standard output or standard error is not connected to the
1962: user's tty, due to I/O redirection or because the command is part
1963: of a pipeline, that output is also captured and stored in separate
1964: log files.
1965: .Pp
1966: Output is logged to the directory specified by the
1967: .Em iolog_dir
1968: option
1969: .Po
1970: .Pa @iolog_dir@
1971: by default
1972: .Pc
1973: using a unique session ID that is included in the normal
1974: .Nm sudo
1975: log line, prefixed with
1976: .Dq Li TSID= .
1977: The
1978: .Em iolog_file
1979: option may be used to control the format of the session ID.
1980: .Pp
1981: Output logs may be viewed with the
1982: .Xr sudoreplay @mansectsu@
1983: utility, which can also be used to list or search the available logs.
1984: .It log_year
1985: If set, the four-digit year will be logged in the (non-syslog)
1986: .Nm sudo
1987: log file.
1988: This flag is
1989: .Em off
1990: by default.
1991: .It long_otp_prompt
1992: When validating with a One Time Password (OTP) scheme such as
1993: .Sy S/Key
1994: or
1995: .Sy OPIE ,
1996: a two-line prompt is used to make it easier
1997: to cut and paste the challenge to a local window.
1998: It's not as pretty as the default but some people find it more convenient.
1999: This flag is
2000: .Em @long_otp_prompt@
2001: by default.
2002: .It mail_always
2003: Send mail to the
2004: .Em mailto
2005: user every time a user runs
2006: .Nm sudo .
2007: This flag is
2008: .Em off
2009: by default.
2010: .It mail_badpass
2011: Send mail to the
2012: .Em mailto
2013: user if the user running
2014: .Nm sudo
2015: does not enter the correct password.
2016: If the command the user is attempting to run is not permitted by
2017: .Em sudoers
2018: and one of the
2019: .Em mail_always ,
2020: .Em mail_no_host ,
2021: .Em mail_no_perms
2022: or
2023: .Em mail_no_user
2024: flags is set, this flag will have no effect.
2025: This flag is
2026: .Em off
2027: by default.
2028: .It mail_no_host
2029: If set, mail will be sent to the
2030: .Em mailto
2031: user if the invoking user exists in the
2032: .Em sudoers
2033: file, but is not allowed to run commands on the current host.
2034: This flag is
2035: .Em @mail_no_host@
2036: by default.
2037: .It mail_no_perms
2038: If set, mail will be sent to the
2039: .Em mailto
2040: user if the invoking user is allowed to use
2041: .Nm sudo
2042: but the command they are trying is not listed in their
2043: .Em sudoers
2044: file entry or is explicitly denied.
2045: This flag is
2046: .Em @mail_no_perms@
2047: by default.
2048: .It mail_no_user
2049: If set, mail will be sent to the
2050: .Em mailto
2051: user if the invoking user is not in the
2052: .Em sudoers
2053: file.
2054: This flag is
2055: .Em @mail_no_user@
2056: by default.
2057: .It noexec
2058: If set, all commands run via
2059: .Nm sudo
2060: will behave as if the
2061: .Li NOEXEC
2062: tag has been set, unless overridden by a
2063: .Li EXEC
2064: tag.
2065: See the description of
2066: .Em NOEXEC and EXEC
2067: below as well as the
2068: .Sx Preventing shell escapes
2069: section at the end of this manual.
2070: This flag is
2071: .Em off
2072: by default.
1.1.1.2 misho 2073: .It pam_session
2074: On systems that use PAM for authentication,
1.1 misho 2075: .Nm sudo
1.1.1.2 misho 2076: will create a new PAM session for the command to be run in.
2077: Disabling
2078: .Em pam_session
2079: may be needed on older PAM implementations or on operating systems where
2080: opening a PAM session changes the utmp or wtmp files.
2081: If PAM session support is disabled, resource limits may not be updated
2082: for the command being run.
1.1.1.3 ! misho 2083: If
! 2084: .Em pam_session ,
! 2085: .Em pam_setcred ,
! 2086: and
! 2087: .Em use_pty
! 2088: are disabled and I/O logging has not been configured,
! 2089: .Nm sudo
! 2090: will execute the command directly instead of running it as a child
! 2091: process.
1.1 misho 2092: This flag is
1.1.1.2 misho 2093: .Em @pam_session@
1.1 misho 2094: by default.
1.1.1.2 misho 2095: .Pp
2096: This setting is only supported by version 1.8.7 or higher.
1.1.1.3 ! misho 2097: .It pam_setcred
! 2098: On systems that use PAM for authentication,
! 2099: .Nm sudo
! 2100: will attempt to establish credentials for the target user by default,
! 2101: if supported by the underlying authentication system.
! 2102: One example of a credential is a Kerberos ticket.
! 2103: If
! 2104: .Em pam_session ,
! 2105: .Em pam_setcred ,
! 2106: and
! 2107: .Em use_pty
! 2108: are disabled and I/O logging has not been configured,
! 2109: .Nm sudo
! 2110: will execute the command directly instead of running it as a child
! 2111: process.
! 2112: This flag is
! 2113: .Em on
! 2114: by default.
! 2115: .Pp
! 2116: This setting is only supported by version 1.8.8 or higher.
1.1 misho 2117: .It passprompt_override
2118: The password prompt specified by
2119: .Em passprompt
2120: will normally only be used if the password prompt provided by systems
2121: such as PAM matches the string
2122: .Dq Password: .
2123: If
2124: .Em passprompt_override
2125: is set,
2126: .Em passprompt
2127: will always be used.
2128: This flag is
2129: .Em off
2130: by default.
1.1.1.2 misho 2131: .It path_info
2132: Normally,
2133: .Nm sudo
2134: will tell the user when a command could not be
2135: found in their
2136: .Ev PATH
2137: environment variable.
2138: Some sites may wish to disable this as it could be used to gather
2139: information on the location of executables that the normal user does
2140: not have access to.
2141: The disadvantage is that if the executable is simply not in the user's
2142: .Ev PATH ,
2143: .Nm sudo
2144: will tell the user that they are not allowed to run it, which can be confusing.
2145: This flag is
2146: .Em @path_info@
2147: by default.
1.1 misho 2148: .It preserve_groups
2149: By default,
2150: .Nm sudo
2151: will initialize the group vector to the list of groups the target user is in.
2152: When
2153: .Em preserve_groups
2154: is set, the user's existing group vector is left unaltered.
2155: The real and effective group IDs, however, are still set to match the
2156: target user.
2157: This flag is
2158: .Em off
2159: by default.
2160: .It pwfeedback
2161: By default,
2162: .Nm sudo
2163: reads the password like most other Unix programs,
2164: by turning off echo until the user hits the return (or enter) key.
2165: Some users become confused by this as it appears to them that
2166: .Nm sudo
2167: has hung at this point.
2168: When
2169: .Em pwfeedback
2170: is set,
2171: .Nm sudo
2172: will provide visual feedback when the user presses a key.
2173: Note that this does have a security impact as an onlooker may be able to
2174: determine the length of the password being entered.
2175: This flag is
2176: .Em off
2177: by default.
2178: .It requiretty
2179: If set,
2180: .Nm sudo
2181: will only run when the user is logged in to a real tty.
2182: When this flag is set,
2183: .Nm sudo
2184: can only be run from a login session and not via other means such as
2185: .Xr cron @mansectsu@
2186: or cgi-bin scripts.
2187: This flag is
2188: .Em off
2189: by default.
2190: .It root_sudo
2191: If set, root is allowed to run
2192: .Nm sudo
2193: too.
2194: Disabling this prevents users from
2195: .Dq chaining
2196: .Nm sudo
2197: commands to get a root shell by doing something like
2198: .Dq Li sudo sudo /bin/sh .
2199: Note, however, that turning off
2200: .Em root_sudo
2201: will also prevent root from running
2202: .Nm sudoedit .
2203: Disabling
2204: .Em root_sudo
2205: provides no real additional security; it exists purely for historical reasons.
2206: This flag is
2207: .Em @root_sudo@
2208: by default.
2209: .It rootpw
2210: If set,
2211: .Nm sudo
2212: will prompt for the root password instead of the password of the invoking user.
2213: This flag is
2214: .Em off
2215: by default.
2216: .It runaspw
2217: If set,
2218: .Nm sudo
2219: will prompt for the password of the user defined by the
2220: .Em runas_default
2221: option (defaults to
2222: .Li @runas_default@ )
2223: instead of the password of the invoking user.
2224: This flag is
2225: .Em off
2226: by default.
2227: .It set_home
2228: If enabled and
2229: .Nm sudo
2230: is invoked with the
2231: .Fl s
2232: option the
2233: .Ev HOME
2234: environment variable will be set to the home directory of the target
2235: user (which is root unless the
2236: .Fl u
2237: option is used).
2238: This effectively makes the
2239: .Fl s
2240: option imply
2241: .Fl H .
2242: Note that
2243: .Ev HOME
1.1.1.3 ! misho 2244: is already set when the
1.1 misho 2245: .Em env_reset
2246: option is enabled, so
2247: .Em set_home
2248: is only effective for configurations where either
2249: .Em env_reset
2250: is disabled
2251: or
2252: .Ev HOME
2253: is present in the
2254: .Em env_keep
2255: list.
2256: This flag is
2257: .Em off
2258: by default.
2259: .It set_logname
2260: Normally,
2261: .Nm sudo
2262: will set the
2263: .Ev LOGNAME ,
2264: .Ev USER
2265: and
2266: .Ev USERNAME
2267: environment variables to the name of the target user (usually root unless the
2268: .Fl u
2269: option is given).
2270: However, since some programs (including the RCS revision control system) use
2271: .Ev LOGNAME
2272: to determine the real identity of the user, it may be desirable to
2273: change this behavior.
2274: This can be done by negating the set_logname option.
2275: Note that if the
2276: .Em env_reset
2277: option has not been disabled, entries in the
2278: .Em env_keep
2279: list will override the value of
2280: .Em set_logname .
2281: This flag is
2282: .Em on
2283: by default.
2284: .It set_utmp
2285: When enabled,
2286: .Nm sudo
2287: will create an entry in the utmp (or utmpx) file when a pseudo-tty
2288: is allocated.
2289: A pseudo-tty is allocated by
2290: .Nm sudo
2291: when the
2292: .Em log_input ,
2293: .Em log_output
2294: or
2295: .Em use_pty
2296: flags are enabled.
2297: By default, the new entry will be a copy of the user's existing utmp
2298: entry (if any), with the tty, time, type and pid fields updated.
2299: This flag is
2300: .Em on
2301: by default.
2302: .It setenv
2303: Allow the user to disable the
2304: .Em env_reset
2305: option from the command line via the
2306: .Fl E
2307: option.
2308: Additionally, environment variables set via the command line are
2309: not subject to the restrictions imposed by
2310: .Em env_check ,
2311: .Em env_delete ,
2312: or
2313: .Em env_keep .
2314: As such, only trusted users should be allowed to set variables in this manner.
2315: This flag is
2316: .Em off
2317: by default.
2318: .It shell_noargs
2319: If set and
2320: .Nm sudo
2321: is invoked with no arguments it acts as if the
2322: .Fl s
2323: option had been given.
2324: That is, it runs a shell as root (the shell is determined by the
2325: .Ev SHELL
2326: environment variable if it is set, falling back on the shell listed
2327: in the invoking user's /etc/passwd entry if not).
2328: This flag is
2329: .Em off
2330: by default.
2331: .It stay_setuid
2332: Normally, when
2333: .Nm sudo
2334: executes a command the real and effective UIDs are set to the target
2335: user (root by default).
2336: This option changes that behavior such that the real UID is left
2337: as the invoking user's UID.
2338: In other words, this makes
2339: .Nm sudo
2340: act as a setuid wrapper.
2341: This can be useful on systems that disable some potentially
2342: dangerous functionality when a program is run setuid.
2343: This option is only effective on systems that support either the
2344: .Xr setreuid 2
2345: or
2346: .Xr setresuid 2
2347: system call.
2348: This flag is
2349: .Em off
2350: by default.
2351: .It targetpw
2352: If set,
2353: .Nm sudo
2354: will prompt for the password of the user specified
2355: by the
2356: .Fl u
2357: option (defaults to
2358: .Li root )
2359: instead of the password of the invoking user.
2360: In addition, the time stamp file name will include the target user's name.
2361: Note that this flag precludes the use of a uid not listed in the passwd
2362: database as an argument to the
2363: .Fl u
2364: option.
2365: This flag is
2366: .Em off
2367: by default.
2368: .It tty_tickets
2369: If set, users must authenticate on a per-tty basis.
2370: With this flag enabled,
2371: .Nm sudo
2372: will use a file named for the tty the user is
2373: logged in on in the user's time stamp directory.
2374: If disabled, the time stamp of the directory is used instead.
2375: This flag is
2376: .Em @tty_tickets@
2377: by default.
2378: .It umask_override
2379: If set,
2380: .Nm sudo
2381: will set the umask as specified by
2382: .Em sudoers
2383: without modification.
2384: This makes it possible to specify a more permissive umask in
2385: .Em sudoers
2386: than the user's own umask and matches historical behavior.
2387: If
2388: .Em umask_override
2389: is not set,
2390: .Nm sudo
2391: will set the umask to be the union of the user's umask and what is specified in
2392: .Em sudoers .
2393: This flag is
2394: .Em @umask_override@
2395: by default.
2396: .It use_loginclass
2397: If set,
2398: .Nm sudo
2399: will apply the defaults specified for the target user's login class
2400: if one exists.
2401: Only available if
2402: .Nm sudo
2403: is configured with the
2404: .Li --with-logincap
2405: option.
2406: This flag is
2407: .Em off
2408: by default.
2409: .It use_pty
2410: If set,
2411: .Nm sudo
2412: will run the command in a pseudo-pty even if no I/O logging is being done.
2413: A malicious program run under
2414: .Nm sudo
2415: could conceivably fork a background process that retains access to the user's
2416: terminal device after the main program has finished executing.
2417: Use of this option will make that impossible.
2418: This flag is
2419: .Em off
2420: by default.
2421: .It utmp_runas
2422: If set,
2423: .Nm sudo
2424: will store the name of the runas user when updating the utmp (or utmpx) file.
2425: By default,
2426: .Nm sudo
2427: stores the name of the invoking user.
2428: This flag is
2429: .Em off
2430: by default.
2431: .It visiblepw
2432: By default,
2433: .Nm sudo
2434: will refuse to run if the user must enter a password but it is not
2435: possible to disable echo on the terminal.
2436: If the
2437: .Em visiblepw
2438: flag is set,
2439: .Nm sudo
2440: will prompt for a password even when it would be visible on the screen.
2441: This makes it possible to run things like
2442: .Dq Li ssh somehost sudo ls
2443: since by default,
2444: .Xr ssh 1
2445: does
2446: not allocate a tty when running a command.
2447: This flag is
2448: .Em off
2449: by default.
2450: .El
2451: .Pp
2452: .Sy Integers :
2453: .Bl -tag -width 16n
2454: .It closefrom
2455: Before it executes a command,
2456: .Nm sudo
2457: will close all open file descriptors other than standard input,
2458: standard output and standard error (i.e., file descriptors 0-2).
2459: The
2460: .Em closefrom
2461: option can be used to specify a different file descriptor at which
2462: to start closing.
2463: The default is
2464: .Li 3 .
2465: .It passwd_tries
2466: The number of tries a user gets to enter his/her password before
2467: .Nm sudo
2468: logs the failure and exits.
2469: The default is
2470: .Li @passwd_tries@ .
2471: .El
2472: .Pp
2473: .Sy Integers that can be used in a boolean context :
2474: .Bl -tag -width 16n
2475: .It loglinelen
2476: Number of characters per line for the file log.
2477: This value is used to decide when to wrap lines for nicer log files.
2478: This has no effect on the syslog log file, only the file log.
2479: The default is
2480: .Li @loglen@
2481: (use 0 or negate the option to disable word wrap).
2482: .It passwd_timeout
2483: Number of minutes before the
2484: .Nm sudo
2485: password prompt times out, or
2486: .Li 0
2487: for no timeout.
2488: The timeout may include a fractional component
2489: if minute granularity is insufficient, for example
2490: .Li 2.5 .
2491: The
2492: default is
2493: .Li @password_timeout@ .
2494: .It timestamp_timeout
2495: Number of minutes that can elapse before
2496: .Nm sudo
2497: will ask for a password again.
2498: The timeout may include a fractional component if
2499: minute granularity is insufficient, for example
2500: .Li 2.5 .
2501: The default is
2502: .Li @timeout@ .
2503: Set this to
2504: .Li 0
2505: to always prompt for a password.
2506: If set to a value less than
2507: .Li 0
2508: the user's time stamp will never expire.
2509: This can be used to allow users to create or delete their own time stamps via
2510: .Dq Li sudo -v
2511: and
2512: .Dq Li sudo -k
2513: respectively.
2514: .It umask
2515: Umask to use when running the command.
2516: Negate this option or set it to 0777 to preserve the user's umask.
2517: The actual umask that is used will be the union of the user's umask
2518: and the value of the
2519: .Em umask
2520: option, which defaults to
2521: .Li @sudo_umask@ .
2522: This guarantees
2523: that
2524: .Nm sudo
2525: never lowers the umask when running a command.
2526: Note: on systems that use PAM, the default PAM configuration may specify
2527: its own umask which will override the value set in
2528: .Em sudoers .
2529: .El
2530: .Pp
2531: .Sy Strings :
2532: .Bl -tag -width 16n
2533: .It badpass_message
2534: Message that is displayed if a user enters an incorrect password.
2535: The default is
2536: .Li @badpass_message@
2537: unless insults are enabled.
2538: .It editor
2539: A colon
2540: .Pq Ql :\&
2541: separated list of editors allowed to be used with
2542: .Nm visudo .
2543: .Nm visudo
2544: will choose the editor that matches the user's
2545: .Ev EDITOR
2546: environment variable if possible, or the first editor in the
2547: list that exists and is executable.
2548: The default is
2549: .Pa @editor@ .
2550: .It iolog_dir
2551: The top-level directory to use when constructing the path name for
2552: the input/output log directory.
2553: Only used if the
2554: .Em log_input
2555: or
2556: .Em log_output
2557: options are enabled or when the
2558: .Li LOG_INPUT
2559: or
2560: .Li LOG_OUTPUT
2561: tags are present for a command.
2562: The session sequence number, if any, is stored in the directory.
2563: The default is
2564: .Pa @iolog_dir@ .
2565: .Pp
2566: The following percent
2567: .Pq Ql %
2568: escape sequences are supported:
2569: .Bl -tag -width 4n
2570: .It Li %{seq}
2571: expanded to a monotonically increasing base-36 sequence number, such as 0100A5,
2572: where every two digits are used to form a new directory, e.g.\&
2573: .Pa 01/00/A5
2574: .It Li %{user}
2575: expanded to the invoking user's login name
2576: .It Li %{group}
2577: expanded to the name of the invoking user's real group ID
2578: .It Li %{runas_user}
2579: expanded to the login name of the user the command will
2580: be run as (e.g.\& root)
2581: .It Li %{runas_group}
2582: expanded to the group name of the user the command will
2583: be run as (e.g.\& wheel)
2584: .It Li %{hostname}
2585: expanded to the local host name without the domain name
2586: .It Li %{command}
2587: expanded to the base name of the command being run
2588: .El
2589: .Pp
2590: In addition, any escape sequences supported by the system's
2591: .Xr strftime 3
2592: function will be expanded.
2593: .Pp
2594: To include a literal
2595: .Ql %
2596: character, the string
2597: .Ql %%
2598: should be used.
2599: .It iolog_file
2600: The path name, relative to
2601: .Em iolog_dir ,
2602: in which to store input/output logs when the
2603: .Em log_input
2604: or
2605: .Em log_output
2606: options are enabled or when the
2607: .Li LOG_INPUT
2608: or
2609: .Li LOG_OUTPUT
2610: tags are present for a command.
2611: Note that
2612: .Em iolog_file
2613: may contain directory components.
2614: The default is
2615: .Dq Li %{seq} .
2616: .Pp
2617: See the
2618: .Em iolog_dir
2619: option above for a list of supported percent
2620: .Pq Ql %
2621: escape sequences.
2622: .Pp
2623: In addition to the escape sequences, path names that end in six or
2624: more
2625: .Li X Ns No s
2626: will have the
2627: .Li X Ns No s
2628: replaced with a unique combination of digits and letters, similar to the
2629: .Xr mktemp 3
2630: function.
1.1.1.2 misho 2631: .Pp
2632: If the path created by concatenating
2633: .Em iolog_dir
2634: and
2635: .Em iolog_file
2636: already exists, the existing I/O log file will be truncated and
2637: overwritten unless
2638: .Em iolog_file
2639: ends in six or
2640: more
2641: .Li X Ns No s .
1.1 misho 2642: .It limitprivs
2643: The default Solaris limit privileges to use when constructing a new
2644: privilege set for a command.
2645: This bounds all privileges of the executing process.
2646: The default limit privileges may be overridden on a per-command basis in
2647: .Em sudoers .
2648: This option is only available if
2649: .Nm
2650: is built on Solaris 10 or higher.
2651: .It mailsub
2652: Subject of the mail sent to the
2653: .Em mailto
2654: user.
2655: The escape
2656: .Li %h
2657: will expand to the host name of the machine.
2658: Default is
2659: .Dq Li @mailsub@ .
1.1.1.2 misho 2660: .It maxseq
2661: The maximum sequence number that will be substituted for the
2662: .Dq Li %{seq}
2663: escape in the I/O log file (see the
2664: .Em iolog_dir
2665: description above for more information).
2666: While the value substituted for
2667: .Dq Li %{seq}
2668: is in base 36,
2669: .Em maxseq
2670: itself should be expressed in decimal.
2671: Values larger than 2176782336 (36 to the sixth power, one past the
2672: largest six-digit base 36 sequence number
2673: .Dq ZZZZZZ )
2674: will be silently truncated to 2176782336.
2675: The default value is 2176782336.
2676: .Pp
2677: Once the local sequence number reaches the value of
2678: .Em maxseq ,
2679: it will
2680: .Dq roll over
2681: to zero, after which
2682: .Nm sudoers
2683: will truncate and re-use any existing I/O log pathnames.
2684: .Pp
2685: This setting is only supported by version 1.8.7 or higher.
1.1 misho 2686: .It noexec_file
1.1.1.2 misho 2687: As of
2688: .Nm sudo
2689: version 1.8.1 this option is no longer supported.
1.1 misho 2690: The path to the noexec file should now be set in the
1.1.1.2 misho 2691: .Xr sudo.conf @mansectform@
1.1 misho 2692: file.
1.1.1.3 ! misho 2693: .It pam_login_service
! 2694: On systems that use PAM for authentication, this is the service
! 2695: name used when the
! 2696: .Fl i
! 2697: option is specified.
! 2698: The default value is
! 2699: .Dq Li @pam_login_service@ .
! 2700: See the description of
! 2701: .Em pam_service
! 2702: for more information.
! 2703: .Pp
! 2704: This setting is only supported by version 1.8.8 or higher.
! 2705: .It pam_service
! 2706: On systems that use PAM for authentication, the service name
! 2707: specifies the PAM policy to apply.
! 2708: This usually corresponds to an entry in the
! 2709: .Pa pam.conf
! 2710: file or a file in the
! 2711: .Pa /etc/pam.d
! 2712: directory.
! 2713: The default value is
! 2714: .Dq Li sudo .
! 2715: .Pp
! 2716: This setting is only supported by version 1.8.8 or higher.
1.1 misho 2717: .It passprompt
2718: The default prompt to use when asking for a password; can be overridden via the
2719: .Fl p
2720: option or the
2721: .Ev SUDO_PROMPT
2722: environment variable.
2723: The following percent
2724: .Pq Ql %
2725: escape sequences are supported:
2726: .Bl -tag -width 4n
2727: .It Li %H
2728: expanded to the local host name including the domain name
2729: (only if the machine's host name is fully qualified or the
2730: .Em fqdn
2731: option is set)
2732: .It Li %h
2733: expanded to the local host name without the domain name
2734: .It Li %p
2735: expanded to the user whose password is being asked for (respects the
2736: .Em rootpw ,
2737: .Em targetpw
2738: and
2739: .Em runaspw
2740: flags in
2741: .Em sudoers )
2742: .It Li \&%U
2743: expanded to the login name of the user the command will
2744: be run as (defaults to root)
2745: .It Li %u
2746: expanded to the invoking user's login name
2747: .It Li %%
2748: two consecutive
2749: .Li %
2750: characters are collapsed into a single
2751: .Li %
2752: character
2753: .El
2754: .Pp
2755: The default value is
2756: .Dq Li @passprompt@ .
2757: .It privs
2758: The default Solaris privileges to use when constructing a new
2759: privilege set for a command.
2760: This is passed to the executing process via the inherited privilege set,
2761: but is bounded by the limit privileges.
2762: If the
2763: .Em privs
2764: option is specified but the
2765: .Em limitprivs
2766: option is not, the limit privileges of the executing process is set to
2767: .Em privs .
2768: The default privileges may be overridden on a per-command basis in
2769: .Em sudoers .
2770: This option is only available if
2771: .Nm
2772: is built on Solaris 10 or higher.
2773: .It role
2774: The default SELinux role to use when constructing a new security
2775: context to run the command.
2776: The default role may be overridden on a per-command basis in
2777: .Em sudoers
2778: or via command line options.
2779: This option is only available when
2780: .Nm sudo
2781: is built with SELinux support.
2782: .It runas_default
2783: The default user to run commands as if the
2784: .Fl u
2785: option is not specified on the command line.
2786: This defaults to
2787: .Li @runas_default@ .
2788: .It syslog_badpri
2789: Syslog priority to use when a user authenticates unsuccessfully.
2790: Defaults to
2791: .Li @badpri@ .
2792: .Pp
2793: The following syslog priorities are supported:
2794: .Sy alert ,
2795: .Sy crit ,
2796: .Sy debug ,
2797: .Sy emerg ,
2798: .Sy err ,
2799: .Sy info ,
2800: .Sy notice ,
2801: and
2802: .Sy warning .
2803: .It syslog_goodpri
2804: Syslog priority to use when a user authenticates successfully.
2805: Defaults to
2806: .Li @goodpri@ .
2807: .Pp
2808: See
1.1.1.3 ! misho 2809: .Em syslog_badpri
1.1 misho 2810: for the list of supported syslog priorities.
2811: .It sudoers_locale
2812: Locale to use when parsing the sudoers file, logging commands, and
2813: sending email.
2814: Note that changing the locale may affect how sudoers is interpreted.
2815: Defaults to
2816: .Dq Li C .
2817: .It timestampdir
2818: The directory in which
2819: .Nm sudo
2820: stores its time stamp files.
2821: The default is
2822: .Pa @timedir@ .
2823: .It timestampowner
2824: The owner of the time stamp directory and the time stamps stored therein.
2825: The default is
2826: .Li root .
2827: .It type
2828: The default SELinux type to use when constructing a new security
2829: context to run the command.
2830: The default type may be overridden on a per-command basis in
2831: .Em sudoers
2832: or via command line options.
2833: This option is only available when
2834: .Nm sudo
2835: is built with SELinux support.
2836: .El
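.Pp
The following Python script is an added example and is not part of the
.Nm sudoers
source.
It reproduces, from the descriptions of
.Em iolog_dir ,
.Em iolog_file
and
.Em maxseq
above, how a session sequence number becomes the base 36
.Dq Li %{seq}
directory path, how the local sequence number rolls over once it reaches
.Em maxseq
(following the wording of this page rather than the sudo source), and how the
percent escapes, the
.Xr strftime 3
conversions and a trailing run of
.Li X Ns No s
are expanded.
The host name, user names, date and sequence value are constructed for the example.

```python
import os
import re
import secrets
import string
import time

BASE36 = "0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ"
SEQ_CEILING = 36 ** 6        # 2176782336: the value sudoers clamps maxseq to

# Constructed values for the example, not taken from any real system
EXAMPLE_TIME = time.strptime("2013-08-31 10:15:22", "%Y-%m-%d %H:%M:%S")
EXAMPLE_SEQ = int("0100A5", 36)


def seq_to_base36(seq):
    """Render a sequence number as the zero-padded six-digit base 36 string used for %{seq}."""
    digits = []
    for _ in range(6):
        seq, r = divmod(seq, 36)
        digits.append(BASE36[r])
    return "".join(reversed(digits))


def seq_dirs(seq):
    """Split the base 36 string into two-digit directory components: 0100A5 -> 01/00/A5."""
    s = seq_to_base36(seq)
    return "/".join(s[i:i + 2] for i in range(0, 6, 2))


def next_seq(current, maxseq=SEQ_CEILING):
    """Advance the local sequence number, rolling over to zero once it reaches maxseq.
    A maxseq larger than 36^6 is silently clamped, as the man page describes."""
    maxseq = min(maxseq, SEQ_CEILING)
    nxt = current + 1
    return 0 if nxt >= maxseq else nxt


ESCAPE_RE = re.compile(r"%\{(\w+)\}|%%|%([A-Za-z])")


def expand_escapes(template, subs, now):
    """Single pass over the template so nothing is expanded twice: %{name} comes from
    subs, %% becomes a literal %, and any other %X is handed to strftime(3)."""
    def repl(m):
        if m.group(1) is not None:
            return subs.get(m.group(1), m.group(0))   # unknown names are left as-is
        if m.group(0) == "%%":
            return "%"
        return time.strftime("%" + m.group(2), now)
    return ESCAPE_RE.sub(repl, template)


def iolog_path(iolog_dir, iolog_file, seq, now, user, group,
               runas_user, runas_group, hostname, command):
    """Build the full I/O log path from iolog_dir and iolog_file for one session."""
    subs = {
        "seq": seq_dirs(seq),
        "user": user,
        "group": group,
        "runas_user": runas_user,
        "runas_group": runas_group,
        "hostname": hostname.split(".", 1)[0],     # local host name without the domain
        "command": os.path.basename(command),      # base name of the command
    }
    path = os.path.join(expand_escapes(iolog_dir, subs, now),
                        expand_escapes(iolog_file, subs, now))
    # Six or more trailing Xs become a unique suffix, as mktemp(3) would produce;
    # without such a suffix an existing log at this path is truncated and overwritten.
    m = re.search(r"X{6,}$", path)
    if m:
        alphabet = string.ascii_letters + string.digits
        unique = "".join(secrets.choice(alphabet) for _ in range(len(m.group(0))))
        path = path[:m.start()] + unique
    return path


if __name__ == "__main__":
    print(iolog_path("/var/log/sudo-io/%{hostname}/%{user}/%Y%m%d", "%{seq}",
                     EXAMPLE_SEQ, EXAMPLE_TIME, "alice", "staff", "root", "wheel",
                     "host1.example.com", "/usr/bin/vim"))
    print("after ZZZZZZ:", seq_to_base36(next_seq(SEQ_CEILING - 1)))
```

Run it directly to print the path for the constructed session.
The point worth keeping in mind from the rollover function is that a small
.Em maxseq ,
or a long-lived host with the default, eventually re-uses path names, so an
.Em iolog_file
without a unique
.Li XXXXXX
suffix will have old session logs overwritten.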
2837: .Pp
2838: .Sy Strings that can be used in a boolean context :
2839: .Bl -tag -width 12n
2840: .It env_file
2841: The
2842: .Em env_file
2843: option specifies the fully qualified path to a file containing variables
2844: to be set in the environment of the program being run.
2845: Entries in this file should either be of the form
2846: .Dq Li VARIABLE=value
2847: or
2848: .Dq Li export VARIABLE=value .
2849: The value may optionally be surrounded by single or double quotes.
2850: Variables in this file are subject to other
2851: .Nm sudo
2852: environment settings such as
2853: .Em env_keep
2854: and
2855: .Em env_check .
2856: .It exempt_group
2857: Users in this group are exempt from password and PATH requirements.
2858: The group name specified should not include a
2859: .Li %
2860: prefix.
2861: This is not set by default.
2862: .It group_plugin
2863: A string containing a
2864: .Em sudoers
2865: group plugin with optional arguments.
2866: The string should consist of the plugin
2867: path, either fully-qualified or relative to the
1.1.1.2 misho 2868: .Pa @PLUGINDIR@
1.1 misho 2869: directory, followed by any configuration arguments the plugin requires.
2870: These arguments (if any) will be passed to the plugin's initialization function.
2871: If arguments are present, the string must be enclosed in double quotes
2872: .Pq \&"" .
2873: .Pp
2874: For more information see
1.1.1.2 misho 2875: .Sx "GROUP PROVIDER PLUGINS" .
1.1 misho 2876: .It lecture
2877: This option controls when a short lecture will be printed along with
2878: the password prompt.
2879: It has the following possible values:
2880: .Bl -tag -width 6n
2881: .It always
2882: Always lecture the user.
2883: .It never
2884: Never lecture the user.
2885: .It once
2886: Only lecture the user the first time they run
2887: .Nm sudo .
2888: .El
2889: .Pp
2890: If no value is specified, a value of
2891: .Em once
2892: is implied.
2893: Negating the option results in a value of
2894: .Em never
2895: being used.
2896: The default value is
2897: .Em @lecture@ .
2898: .It lecture_file
2899: Path to a file containing an alternate
2900: .Nm sudo
2901: lecture that will be used in place of the standard lecture if the named
2902: file exists.
2903: By default,
2904: .Nm sudo
2905: uses a built-in lecture.
2906: .It listpw
2907: This option controls when a password will be required when a user runs
2908: .Nm sudo
2909: with the
2910: .Fl l
2911: option.
2912: It has the following possible values:
2913: .Bl -tag -width 8n
2914: .It all
2915: All the user's
2916: .Em sudoers
2917: entries for the current host must have
2918: the
2919: .Li NOPASSWD
2920: flag set to avoid entering a password.
2921: .It always
2922: The user must always enter a password to use the
2923: .Fl l
2924: option.
2925: .It any
2926: At least one of the user's
2927: .Em sudoers
2928: entries for the current host
2929: must have the
2930: .Li NOPASSWD
2931: flag set to avoid entering a password.
2932: .It never
2933: The user need never enter a password to use the
2934: .Fl l
2935: option.
2936: .El
2937: .Pp
2938: If no value is specified, a value of
2939: .Em any
2940: is implied.
2941: Negating the option results in a value of
2942: .Em never
2943: being used.
2944: The default value is
2945: .Em any .
2946: .It logfile
2947: Path to the
2948: .Nm sudo
2949: log file (not the syslog log file).
2950: Setting a path turns on logging to a file;
2951: negating this option turns it off.
2952: By default,
2953: .Nm sudo
2954: logs via syslog.
2955: .It mailerflags
2956: Flags to use when invoking the mailer. Defaults to
2957: .Fl t .
2958: .It mailerpath
2959: Path to mail program used to send warning mail.
2960: Defaults to the path to sendmail found at configure time.
2961: .It mailfrom
2962: Address to use for the
2963: .Dq from
2964: address when sending warning and error mail.
2965: The address should be enclosed in double quotes
2966: .Pq \&""
2967: to protect against
2968: .Nm sudo
2969: interpreting the
2970: .Li @
2971: sign.
2972: Defaults to the name of the user running
2973: .Nm sudo .
2974: .It mailto
2975: Address to send warning and error mail to.
2976: The address should be enclosed in double quotes
2977: .Pq \&""
2978: to protect against
2979: .Nm sudo
2980: interpreting the
2981: .Li @
2982: sign.
2983: Defaults to
2984: .Li @mailto@ .
2985: .It secure_path
2986: Path used for every command run from
2987: .Nm sudo .
2988: If you don't trust the
2989: people running
2990: .Nm sudo
2991: to have a sane
2992: .Ev PATH
2993: environment variable you may want to use this.
2994: Another use is if you want to have the
2995: .Dq root path
2996: be separate from the
2997: .Dq user path .
2998: Users in the group specified by the
2999: .Em exempt_group
3000: option are not affected by
3001: .Em secure_path .
3002: This option is @secure_path@ by default.
3003: .It syslog
3004: Syslog facility if syslog is being used for logging (negate to
3005: disable syslog logging).
3006: Defaults to
3007: .Li @logfac@ .
3008: .Pp
3009: The following syslog facilities are supported:
3010: .Sy authpriv
3011: (if your
3012: OS supports it),
3013: .Sy auth ,
3014: .Sy daemon ,
3015: .Sy user ,
3016: .Sy local0 ,
3017: .Sy local1 ,
3018: .Sy local2 ,
3019: .Sy local3 ,
3020: .Sy local4 ,
3021: .Sy local5 ,
3022: .Sy local6 ,
3023: and
3024: .Sy local7 .
3025: .It verifypw
3026: This option controls when a password will be required when a user runs
3027: .Nm sudo
3028: with the
3029: .Fl v
3030: option.
3031: It has the following possible values:
3032: .Bl -tag -width 6n
3033: .It all
3034: All the user's
3035: .Em sudoers
3036: entries for the current host must have the
3037: .Li NOPASSWD
3038: flag set to avoid entering a password.
3039: .It always
3040: The user must always enter a password to use the
3041: .Fl v
3042: option.
3043: .It any
3044: At least one of the user's
3045: .Em sudoers
3046: entries for the current host must have the
3047: .Li NOPASSWD
3048: flag set to avoid entering a password.
3049: .It never
3050: The user need never enter a password to use the
3051: .Fl v
3052: option.
3053: .El
3054: .Pp
3055: If no value is specified, a value of
3056: .Em all
3057: is implied.
3058: Negating the option results in a value of
3059: .Em never
3060: being used.
3061: The default value is
3062: .Em all .
3063: .El
3064: .Pp
3065: .Sy Lists that can be used in a boolean context :
3066: .Bl -tag -width 16n
3067: .It env_check
3068: Environment variables to be removed from the user's environment if
3069: the variable's value contains
3070: .Ql %
3071: or
3072: .Ql /
3073: characters.
3074: This can be used to guard against printf-style format vulnerabilities
3075: in poorly-written programs.
3076: The argument may be a double-quoted, space-separated list or a
3077: single value without double-quotes.
3078: The list can be replaced, added to, deleted from, or disabled by using
3079: the
3080: .Li = ,
3081: .Li += ,
3082: .Li -= ,
3083: and
3084: .Li \&!
3085: operators respectively.
3086: Regardless of whether the
3087: .Li env_reset
3088: option is enabled or disabled, variables specified by
3089: .Li env_check
3090: will be preserved in the environment if they pass the aforementioned check.
3091: The default list of environment variables to check is displayed when
3092: .Nm sudo
3093: is run by root with
3094: the
3095: .Fl V
3096: option.
3097: .It env_delete
3098: Environment variables to be removed from the user's environment when the
3099: .Em env_reset
3100: option is not in effect.
3101: The argument may be a double-quoted, space-separated list or a
3102: single value without double-quotes.
3103: The list can be replaced, added to, deleted from, or disabled by using the
3104: .Li = ,
3105: .Li += ,
3106: .Li -= ,
3107: and
3108: .Li \&!
3109: operators respectively.
3110: The default list of environment variables to remove is displayed when
3111: .Nm sudo
3112: is run by root with the
3113: .Fl V
3114: option.
3115: Note that many operating systems will remove potentially dangerous
3116: variables from the environment of any setuid process (such as
3117: .Nm sudo ) .
3118: .It env_keep
3119: Environment variables to be preserved in the user's environment when the
3120: .Em env_reset
3121: option is in effect.
3122: This allows fine-grained control over the environment
3123: .Nm sudo Ns No -spawned
3124: processes will receive.
3125: The argument may be a double-quoted, space-separated list or a
3126: single value without double-quotes.
3127: The list can be replaced, added to, deleted from, or disabled by using the
3128: .Li = ,
3129: .Li += ,
3130: .Li -= ,
3131: and
3132: .Li \&!
3133: operators respectively.
3134: The default list of variables to keep
3135: is displayed when
3136: .Nm sudo
3137: is run by root with the
3138: .Fl V
3139: option.
3140: .El
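.Pp
The list operators and the check described above, as an added Python example that
is not part of the
.Nm sudoers
source: it applies a few constructed
.Em env_keep ,
.Em env_check
and
.Em env_delete
lines (exercising
.Li = ,
.Li += ,
.Li -=
and
.Li \&! )
and then filters a constructed environment both with and without
.Em env_reset .
It assumes that list entries may end in a
.Ql *
wildcard, as the
.Li LC_*
entry of a typical default
.Em env_check
list does, and it leaves out the variables
.Nm sudo
sets itself, such as
.Ev HOME
and
.Ev SUDO_USER .

```python
import re
from fnmatch import fnmatchcase

# One "Defaults env_keep|env_check|env_delete" line with its list operator.
_DEFAULTS_RE = re.compile(
    r"^\s*Defaults\s+(?P<neg>!?)(?P<name>env_keep|env_check|env_delete)"
    r"\s*(?:(?P<op>\+=|-=|=)\s*(?P<value>.*))?$"
)


def apply_defaults_line(lists, line):
    """Apply one Defaults line to the dict of lists: = replaces, += adds, -= removes
    and a leading ! disables (empties) the list. Returns a new dict."""
    m = _DEFAULTS_RE.match(line)
    if not m:
        raise ValueError("not an environment list Defaults line: %r" % line)
    lists = dict(lists)
    name, op = m.group("name"), m.group("op")
    if m.group("neg"):
        lists[name] = []
        return lists
    if op is None:
        raise ValueError("missing =, += or -= in: %r" % line)
    value = m.group("value").strip()
    if len(value) >= 2 and value[0] == value[-1] == '"':
        value = value[1:-1]              # double-quoted, space-separated list
    items = value.split()
    current = lists[name]
    if op == "=":
        lists[name] = items
    elif op == "+=":
        lists[name] = current + [i for i in items if i not in current]
    else:                                # "-="
        lists[name] = [i for i in current if i not in items]
    return lists


def parse_env_defaults(text):
    """Fold a block of Defaults lines into the three lists, skipping blanks and comments."""
    lists = {"env_keep": [], "env_check": [], "env_delete": []}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            lists = apply_defaults_line(lists, line)
    return lists


def _listed(name, patterns):
    # Assumption: entries may carry a trailing * wildcard (e.g. LC_*)
    return any(fnmatchcase(name, p) for p in patterns)


def passes_env_check(value):
    """An env_check variable survives only if its value contains neither % nor /."""
    return "%" not in value and "/" not in value


def build_environment(user_env, lists, env_reset=True):
    """Filter the invoking user's environment as the env_* lists describe.
    With env_reset only env_keep entries and env_check entries that pass survive;
    without it, env_delete entries and failing env_check entries are removed.
    Variables sudo sets on its own (HOME, SUDO_USER, ...) are out of scope here."""
    result = {}
    for name, value in user_env.items():
        checked = _listed(name, lists["env_check"])
        if checked and not passes_env_check(value):
            continue                     # dropped regardless of env_reset
        if env_reset:
            if checked or _listed(name, lists["env_keep"]):
                result[name] = value
        elif not _listed(name, lists["env_delete"]):
            result[name] = value
    return result


# Constructed sample policy and environment for the example (not sudo's defaults).
SAMPLE_DEFAULTS = """\
Defaults env_keep = "TERM EDITOR DISPLAY"
Defaults env_keep -= "DISPLAY"
Defaults env_check = "LANG LC_* TZ"
Defaults env_delete = "IFS LD_*"
"""
SAMPLE_ENV = {
    "PATH": "/usr/local/bin:/usr/bin",
    "HOME": "/home/alice",
    "TERM": "xterm",
    "EDITOR": "/usr/bin/vim",           # env_keep entries are not value-checked
    "DISPLAY": ":0",
    "LANG": "en_US.UTF-8",
    "LC_ALL": "C",
    "TZ": "/etc/localtime",             # contains '/', so it fails env_check
    "LD_PRELOAD": "/tmp/evil.so",
    "IFS": " ",
}

if __name__ == "__main__":
    lists = parse_env_defaults(SAMPLE_DEFAULTS)
    print("env_reset on: ", sorted(build_environment(SAMPLE_ENV, lists, True)))
    print("env_reset off:", sorted(build_environment(SAMPLE_ENV, lists, False)))
```

The two printed sets show why
.Em env_reset
is the safer default: with it disabled, everything not explicitly named in
.Em env_delete
(here
.Ev PATH
and
.Ev HOME
among others) reaches the command unchanged, whereas with it enabled the policy
has to name every variable that survives.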
1.1.1.2 misho 3141: .Sh GROUP PROVIDER PLUGINS
3142: The
3143: .Nm sudoers
3144: plugin supports its own plugin interface to allow non-Unix
3145: group lookups which can query a group source other
3146: than the standard Unix group database.
3147: This can be used to implement support for the
3148: .Li nonunix_group
3149: syntax described earlier.
3150: .Pp
3151: Group provider plugins are specified via the
3152: .Em group_plugin
3153: Defaults setting.
3154: The argument to
3155: .Em group_plugin
3156: should consist of the plugin path, either fully-qualified or relative to the
3157: .Pa @PLUGINDIR@
3158: directory, followed by any configuration options the plugin requires.
3159: These options (if specified) will be passed to the plugin's initialization
3160: function.
3161: If options are present, the string must be enclosed in double quotes
3162: .Pq \&"" .
3163: .Pp
3164: The following group provider plugins are installed by default:
3165: .Bl -tag -width 8n
3166: .It group_file
3167: The
3168: .Em group_file
3169: plugin supports an alternate group file that uses the same syntax as the
3170: .Pa /etc/group
3171: file.
3172: The path to the group file should be specified as an option
3173: to the plugin.
3174: For example, if the group file to be used is
3175: .Pa /etc/sudo-group :
3176: .Bd -literal
3177: Defaults group_plugin="group_file.so /etc/sudo-group"
3178: .Ed
3179: .It system_group
3180: The
3181: .Em system_group
3182: plugin supports group lookups via the standard C library functions
3183: .Fn getgrnam
3184: and
3185: .Fn getgrgid .
3186: This plugin can be used in instances where the user belongs to
3187: groups not present in the user's supplemental group vector.
3188: This plugin takes no options:
3189: .Bd -literal
3190: Defaults group_plugin=system_group.so
3191: .Ed
3192: .El
3193: .Pp
3194: The group provider plugin API is described in detail in
3195: .Xr sudo_plugin @mansectsu@ .
1.1 misho 3196: .Sh LOG FORMAT
3197: .Nm sudoers
3198: can log events using either
3199: .Xr syslog 3
3200: or a simple log file.
3201: In each case the log format is almost identical.
3202: .Ss Accepted command log entries
3203: Commands that sudo runs are logged using the following format (split
3204: into multiple lines for readability):
3205: .Bd -literal -offset 4n
3206: date hostname progname: username : TTY=ttyname ; PWD=cwd ; \e
3207: USER=runasuser ; GROUP=runasgroup ; TSID=logid ; \e
3208: ENV=env_vars COMMAND=command
3209: .Ed
3210: .Pp
3211: Where the fields are as follows:
3212: .Bl -tag -width 12n
3213: .It date
3214: The date the command was run.
3215: Typically, this is in the format
3216: .Dq MMM, DD, HH:MM:SS .
3217: If logging via
3218: .Xr syslog 3 ,
3219: the actual date format is controlled by the syslog daemon.
3220: If logging to a file and the
3221: .Em log_year
3222: option is enabled,
3223: the date will also include the year.
3224: .It hostname
3225: The name of the host
3226: .Nm sudo
3227: was run on.
3228: This field is only present when logging via
3229: .Xr syslog 3 .
3230: .It progname
3231: The name of the program, usually
3232: .Em sudo
3233: or
3234: .Em sudoedit .
3235: This field is only present when logging via
3236: .Xr syslog 3 .
3237: .It username
3238: The login name of the user who ran
3239: .Nm sudo .
3240: .It ttyname
3241: The short name of the terminal (e.g.\&
3242: .Dq console ,
3243: .Dq tty01 ,
3244: or
3245: .Dq pts/0 )
3246: .Nm sudo
3247: was run on, or
3248: .Dq unknown
3249: if there was no terminal present.
3250: .It cwd
3251: The current working directory that
3252: .Nm sudo
3253: was run in.
3254: .It runasuser
3255: The user the command was run as.
3256: .It runasgroup
3257: The group the command was run as if one was specified on the command line.
3258: .It logid
3259: An I/O log identifier that can be used to replay the command's output.
3260: This is only present when the
3261: .Em log_input
3262: or
3263: .Em log_output
3264: option is enabled.
3265: .It env_vars
3266: A list of environment variables specified on the command line,
3267: if any were given.
3268: .It command
3269: The actual command that was executed.
3270: .El
3271: .Pp
3272: Messages are logged using the locale specified by
3273: .Em sudoers_locale ,
3274: which defaults to the
3275: .Dq Li C
3276: locale.
3277: .Ss Denied command log entries
3278: If the user is not allowed to run the command, the reason for the denial
3279: will follow the user name.
3280: Possible reasons include:
3281: .Bl -tag -width 4
3282: .It user NOT in sudoers
3283: The user is not listed in the
3284: .Em sudoers
3285: file.
3286: .It user NOT authorized on host
3287: The user is listed in the
3288: .Em sudoers
3289: file but is not allowed to run commands on the host.
3290: .It command not allowed
3291: The user is listed in the
3292: .Em sudoers
3293: file for the host but they are not allowed to run the specified command.
3294: .It 3 incorrect password attempts
3295: The user failed to enter their password after 3 tries.
3296: The actual number of tries will vary based on the number of
3297: failed attempts and the value of the
3298: .Em passwd_tries
3299: option.
3300: .It a password is required
3301: .Nm sudo Ns No 's
3302: .Fl n
3303: option was specified but a password was required.
3304: .It sorry, you are not allowed to set the following environment variables
3305: The user specified environment variables on the command line that
3306: were not allowed by
3307: .Em sudoers .
3308: .El
3309: .Ss Error log entries
3310: If an error occurs,
3311: .Nm sudoers
3312: will log a message and, in most cases, send a message to the
3313: administrator via email.
3314: Possible errors include:
3315: .Bl -tag -width 4
3316: .It parse error in @sysconfdir@/sudoers near line N
3317: .Nm sudoers
3318: encountered an error when parsing the specified file.
3319: In some cases, the actual error may be one line above or below the
3320: line number listed, depending on the type of error.
3321: .It problem with defaults entries
3322: The
3323: .Em sudoers
3324: file contains one or more unknown Defaults settings.
3325: This does not prevent
3326: .Nm sudo
3327: from running, but the
3328: .Em sudoers
3329: file should be checked using
3330: .Nm visudo .
3331: .It timestamp owner (username): \&No such user
3332: The time stamp directory owner, as specified by the
3333: .Em timestampowner
3334: setting, could not be found in the password database.
3335: .It unable to open/read @sysconfdir@/sudoers
3336: The
3337: .Em sudoers
3338: file could not be opened for reading.
3339: This can happen when the
3340: .Em sudoers
3341: file is located on a remote file system that maps user ID 0 to
3342: a different value.
3343: Normally,
3344: .Nm sudoers
3345: tries to open
3346: .Em sudoers
3347: using group permissions to avoid this problem.
1.1.1.2 misho 3348: Consider either changing the ownership of
1.1 misho 3349: .Pa @sysconfdir@/sudoers
1.1.1.2 misho 3350: or adding an argument like
1.1 misho 3351: .Dq sudoers_uid=N
3352: (where
3353: .Sq N
3354: is the user ID that owns the
3355: .Em sudoers
1.1.1.2 misho 3356: file) to the end of the
1.1 misho 3357: .Nm sudoers
1.1.1.2 misho 3358: .Li Plugin
3359: line in the
3360: .Xr sudo.conf @mansectform@
1.1 misho 3361: file.
3362: .It unable to stat @sysconfdir@/sudoers
3363: The
3364: .Pa @sysconfdir@/sudoers
3365: file is missing.
3366: .It @sysconfdir@/sudoers is not a regular file
3367: The
3368: .Pa @sysconfdir@/sudoers
3369: file exists but is not a regular file or symbolic link.
3370: .It @sysconfdir@/sudoers is owned by uid N, should be 0
3371: The
3372: .Em sudoers
3373: file has the wrong owner.
3374: If you wish to change the
3375: .Em sudoers
3376: file owner, please add
3377: .Dq sudoers_uid=N
3378: (where
3379: .Sq N
3380: is the user ID that owns the
3381: .Em sudoers
3382: file) to the
3383: .Nm sudoers
1.1.1.2 misho 3384: .Li Plugin
3385: line in the
3386: .Xr sudo.conf @mansectform@
1.1 misho 3387: file.
3388: .It @sysconfdir@/sudoers is world writable
3389: The permissions on the
3390: .Em sudoers
3391: file allow all users to write to it.
3392: The
3393: .Em sudoers
3394: file must not be world-writable; the default file mode
3395: is 0440 (readable by owner and group, writable by none).
3396: The default mode may be changed via the
3397: .Dq sudoers_mode
3398: option to the
3399: .Nm sudoers
1.1.1.2 misho 3400: .Li Plugin
3401: line in the
3402: .Xr sudo.conf @mansectform@
1.1 misho 3403: file.
3404: .It @sysconfdir@/sudoers is owned by gid N, should be 1
3405: The
3406: .Em sudoers
3407: file has the wrong group ownership.
3408: If you wish to change the
3409: .Em sudoers
3410: file group ownership, please add
3411: .Dq sudoers_gid=N
3412: (where
3413: .Sq N
3414: is the group ID that owns the
3415: .Em sudoers
3416: file) to the
3417: .Nm sudoers
1.1.1.2 misho 3418: .Li Plugin
3419: line in the
3420: .Xr sudo.conf @mansectform@
1.1 misho 3421: file.
3422: .It unable to open @timedir@/username/ttyname
3423: .Em sudoers
3424: was unable to read or create the user's time stamp file.
3425: .It unable to write to @timedir@/username/ttyname
3426: .Em sudoers
3427: was unable to write to the user's time stamp file.
3428: .It unable to mkdir to @timedir@/username
3429: .Em sudoers
3430: was unable to create the user's time stamp directory.
3431: .El
3432: .Ss Notes on logging via syslog
3433: By default,
3434: .Em sudoers
3435: logs messages via
3436: .Xr syslog 3 .
3437: The
3438: .Em date ,
3439: .Em hostname ,
3440: and
3441: .Em progname
3442: fields are added by the syslog daemon, not
3443: .Em sudoers
3444: itself.
3445: As such, they may vary in format on different systems.
3446: .Pp
3447: On most systems,
3448: .Xr syslog 3
3449: has a relatively small log buffer.
3450: To prevent the command line arguments from being truncated,
3451: .Nm sudoers
3452: will split up log messages that are larger than 960 characters
3453: (not including the date, hostname, and the string
3454: .Dq sudo ) .
3455: When a message is split, additional parts will include the string
3456: .Dq Pq command continued
3457: after the user name and before the continued command line arguments.
3458: .Ss Notes on logging to a file
3459: If the
3460: .Em logfile
3461: option is set,
3462: .Em sudoers
3463: will log to a local file, such as
3464: .Pa /var/log/sudo .
3465: When logging to a file,
3466: .Em sudoers
3467: uses a format similar to
3468: .Xr syslog 3 ,
3469: with a few important differences:
3470: .Bl -enum
3471: .It
3472: The
3473: .Em progname
3474: and
3475: .Em hostname
3476: fields are not present.
3477: .It
3478: If the
3479: .Em log_year
3480: option is enabled,
3481: the date will also include the year.
3482: .It
3483: Lines that are longer than
3484: .Em loglinelen
3485: characters (80 by default) are word-wrapped and continued on the
3486: next line with a four character indent.
3487: This makes entries easier to read for a human being, but makes it
3488: more difficult to use
3489: .Xr grep 1
3490: on the log files.
3491: If the
3492: .Em loglinelen
3493: option is set to 0 (or negated with a
3494: .Ql \&! ) ,
3495: word wrap will be disabled.
3496: .El
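.Pp
The field layout, the denial reason that precedes the TTY= field, the
.Dq (command continued)
split applied to long syslog messages and the four-space continuation
indent of a word-wrapped log file are all described above; the parser
below is an added example, not code from the sudo project, that turns
both log styles into one record type.
It assumes the classic BSD syslog prefix (month, day, time, host, program
name with an optional [pid]); the sample lines are constructed for the
example and do not come from a real system.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Classic BSD syslog prefix (assumed layout; the daemon controls the real
# date format, and adds the hostname and progname itself).
SYSLOG_PREFIX = re.compile(
    r"^(?P<date>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?P<hostname>\S+) (?P<progname>[^\s\[:]+)(?:\[\d+\])?:\s+"
)
# Local log file prefix: no hostname/progname, optional year from log_year.
FILE_PREFIX = re.compile(
    r"^(?P<date>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d(?: \d{4})?) :\s+"
)
CONTINUED = "(command continued) "   # marker on split syslog messages
KEYED = re.compile(r"^[A-Z]+=")      # TTY=, PWD=, USER=, ... fields


@dataclass
class SudoLogEntry:
    date: str
    username: str
    fields: Dict[str, str]          # TTY, PWD, USER, GROUP, TSID, ENV, COMMAND
    reason: Optional[str] = None    # denial reason; None for an accepted command
    hostname: Optional[str] = None  # syslog only
    progname: Optional[str] = None  # syslog only

    @property
    def accepted(self) -> bool:
        return self.reason is None


def _unwrap(lines: List[str]) -> List[str]:
    """Undo loglinelen word-wrapping: continuation lines carry a 4-space indent."""
    out: List[str] = []
    for line in lines:
        line = line.rstrip()
        if not line:
            continue
        if line.startswith("    ") and out:
            out[-1] += " " + line.strip()
        else:
            out.append(line)
    return out


def _split_fields(segments: List[str]) -> Dict[str, str]:
    fields: Dict[str, str] = {}
    for seg in segments:
        # ENV=... is followed by a plain space, not " ; ", before COMMAND=
        if seg.startswith("ENV=") and " COMMAND=" in seg:
            env, _, cmd = seg.partition(" COMMAND=")
            fields["ENV"] = env[len("ENV="):]
            fields["COMMAND"] = cmd
            continue
        key, _, value = seg.partition("=")
        fields[key] = value
    return fields


def parse_sudo_log(text: str) -> List[SudoLogEntry]:
    entries: List[SudoLogEntry] = []
    for line in _unwrap(text.splitlines()):
        m = SYSLOG_PREFIX.match(line) or FILE_PREFIX.match(line)
        if not m:
            continue                      # not a sudoers log line
        username, sep, rest = line[m.end():].partition(" : ")
        if not sep:
            continue
        username = username.strip()
        if rest.startswith(CONTINUED):
            # Later part of a message split at 960 characters: glue the rest of
            # the arguments onto the previous entry (assumes the split fell on a space).
            if entries and entries[-1].username == username:
                entries[-1].fields["COMMAND"] += " " + rest[len(CONTINUED):]
            continue
        segments = rest.split(" ; ")
        reason = None
        if segments and not KEYED.match(segments[0]):
            reason = segments.pop(0)      # denial reason precedes TTY=
        groups = m.groupdict()
        entries.append(SudoLogEntry(
            date=groups["date"], username=username, reason=reason,
            fields=_split_fields(segments),
            hostname=groups.get("hostname"), progname=groups.get("progname")))
    return entries


# Constructed sample input (not from a real host): syslog style, then file style.
SAMPLE_SYSLOG = """\
Aug 31 09:15:02 mail sudo:     jill : TTY=pts/0 ; PWD=/home/jill ; USER=root ; COMMAND=/usr/bin/less /var/log/maillog
Aug 31 09:16:40 mail sudo:      bob : command not allowed ; TTY=pts/1 ; PWD=/home/bob ; USER=root ; COMMAND=/usr/bin/su -
Aug 31 09:17:11 mail sudo:  millert : TTY=pts/2 ; PWD=/usr/src ; USER=root ; GROUP=wheel ; TSID=0A1B2C ; ENV=DISPLAY=:0 HOME=/home/millert COMMAND=/usr/bin/make install
Aug 31 09:17:11 mail sudo:  millert : (command continued) CC=clang
"""
SAMPLE_FILE = """\
Aug 31 09:20:33 2013 :     jack : TTY=pts/0 ; PWD=/home/jack ; USER=root ;
    COMMAND=/usr/sbin/shutdown -h now
Aug 31 09:21:05 2013 :     pete : 3 incorrect password attempts ; TTY=pts/3 ;
    PWD=/home/pete ; USER=root ; COMMAND=/usr/bin/passwd jack
"""
```

Denied entries are the ones to alert on: filter on
.Li entry.accepted
being false and the
.Li reason
string tells you which of the denial cases listed above applied.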
3497: .Sh FILES
3498: .Bl -tag -width 24n
3499: .It Pa @sysconfdir@/sudo.conf
3500: Sudo front end configuration
3501: .It Pa @sysconfdir@/sudoers
3502: List of who can run what
3503: .It Pa /etc/group
3504: Local groups file
3505: .It Pa /etc/netgroup
3506: List of network groups
3507: .It Pa @iolog_dir@
3508: I/O log files
3509: .It Pa @timedir@
3510: Directory containing time stamps for the
3511: .Em sudoers
3512: security policy
3513: .It Pa /etc/environment
3514: Initial environment for
3515: .Fl i
3516: mode on AIX and Linux systems
3517: .El
3518: .Sh EXAMPLES
3519: Below are example
3520: .Em sudoers
3521: entries.
3522: Admittedly, some of these are a bit contrived.
3523: First, we allow a few environment variables to pass and then define our
3524: .Em aliases :
3525: .Bd -literal
3526: # Run X applications through sudo; HOME is used to find the
3527: # .Xauthority file. Note that other programs use HOME to find
3528: # configuration files and this may lead to privilege escalation!
3529: Defaults env_keep += "DISPLAY HOME"
3530:
3531: # User alias specification
3532: User_Alias FULLTIMERS = millert, mikef, dowdy
3533: User_Alias PARTTIMERS = bostley, jwfox, crawl
3534: User_Alias WEBMASTERS = will, wendy, wim
3535:
3536: # Runas alias specification
3537: Runas_Alias OP = root, operator
3538: Runas_Alias DB = oracle, sybase
3539: Runas_Alias ADMINGRP = adm, oper
3540:
3541: # Host alias specification
3542: Host_Alias SPARC = bigtime, eclipse, moet, anchor :\e
3543: SGI = grolsch, dandelion, black :\e
3544: ALPHA = widget, thalamus, foobar :\e
3545: HPPA = boa, nag, python
3546: Host_Alias CUNETS = 128.138.0.0/255.255.0.0
3547: Host_Alias CSNETS = 128.138.243.0, 128.138.204.0/24, 128.138.242.0
3548: Host_Alias SERVERS = master, mail, www, ns
3549: Host_Alias CDROM = orion, perseus, hercules
3550:
3551: # Cmnd alias specification
3552: Cmnd_Alias DUMPS = /usr/bin/mt, /usr/sbin/dump, /usr/sbin/rdump,\e
1.1.1.2 misho 3553: /usr/sbin/restore, /usr/sbin/rrestore,\e
3554: sha224:0GomF8mNN3wlDt1HD9XldjJ3SNgpFdbjO1+NsQ== \e
3555: /home/operator/bin/start_backups
1.1 misho 3556: Cmnd_Alias KILL = /usr/bin/kill
3557: Cmnd_Alias PRINTING = /usr/sbin/lpc, /usr/bin/lprm
3558: Cmnd_Alias SHUTDOWN = /usr/sbin/shutdown
3559: Cmnd_Alias HALT = /usr/sbin/halt
3560: Cmnd_Alias REBOOT = /usr/sbin/reboot
3561: Cmnd_Alias SHELLS = /usr/bin/sh, /usr/bin/csh, /usr/bin/ksh,\e
3562: /usr/local/bin/tcsh, /usr/bin/rsh,\e
3563: /usr/local/bin/zsh
3564: Cmnd_Alias SU = /usr/bin/su
3565: Cmnd_Alias PAGERS = /usr/bin/more, /usr/bin/pg, /usr/bin/less
3566: .Ed
3567: .Pp
3568: Here we override some of the compiled in default values.
3569: We want
3570: .Nm sudo
3571: to log via
3572: .Xr syslog 3
3573: using the
3574: .Em auth
3575: facility in all cases.
3576: We don't want to subject the full time staff to the
3577: .Nm sudo
3578: lecture, user
3579: .Sy millert
3580: need not give a password, and we don't want to reset the
3581: .Ev LOGNAME ,
3582: .Ev USER
3583: or
3584: .Ev USERNAME
3585: environment variables when running commands as root.
3586: Additionally, on the machines in the
3587: .Em SERVERS
3588: .Li Host_Alias ,
3589: we keep an additional local log file and make sure we log the year
3590: in each log line since the log entries will be kept around for several years.
3591: Lastly, we disable shell escapes for the commands in the PAGERS
3592: .Li Cmnd_Alias
3593: .Po
3594: .Pa /usr/bin/more ,
3595: .Pa /usr/bin/pg
3596: and
3597: .Pa /usr/bin/less
3598: .Pc .
1.1.1.3 ! misho 3599: Note that this will not effectively constrain users with
! 3600: .Nm sudo
! 3601: .Sy ALL
! 3602: privileges.
1.1 misho 3603: .Bd -literal
3604: # Override built-in defaults
3605: Defaults syslog=auth
3606: Defaults>root !set_logname
3607: Defaults:FULLTIMERS !lecture
3608: Defaults:millert !authenticate
3609: Defaults@SERVERS log_year, logfile=/var/log/sudo.log
3610: Defaults!PAGERS noexec
3611: .Ed
3612: .Pp
3613: The
3614: .Em User specification
3615: is the part that actually determines who may run what.
3616: .Bd -literal
3617: root ALL = (ALL) ALL
3618: %wheel ALL = (ALL) ALL
3619: .Ed
3620: .Pp
3621: We let
3622: .Sy root
3623: and any user in group
3624: .Sy wheel
3625: run any command on any host as any user.
3626: .Bd -literal
3627: FULLTIMERS ALL = NOPASSWD: ALL
3628: .Ed
3629: .Pp
3630: Full time sysadmins
3631: .Po
3632: .Sy millert ,
3633: .Sy mikef ,
3634: and
3635: .Sy dowdy
3636: .Pc
3637: may run any command on any host without authenticating themselves.
3638: .Bd -literal
3639: PARTTIMERS ALL = ALL
3640: .Ed
3641: .Pp
3642: Part time sysadmins
3643: .Po Sy bostley ,
3644: .Sy jwfox ,
3645: and
3646: .Sy crawl Pc
3647: may run any command on any host but they must authenticate themselves
3648: first (since the entry lacks the
3649: .Li NOPASSWD
3650: tag).
3651: .Bd -literal
3652: jack CSNETS = ALL
3653: .Ed
3654: .Pp
3655: The user
3656: .Sy jack
3657: may run any command on the machines in the
3658: .Em CSNETS
3659: alias (the networks
3660: .Li 128.138.243.0 ,
3661: .Li 128.138.204.0 ,
3662: and
3663: .Li 128.138.242.0 ) .
3664: Of those networks, only
3665: .Li 128.138.204.0
3666: has an explicit netmask (in CIDR notation) indicating it is a class C network.
3667: For the other networks in
3668: .Em CSNETS ,
3669: the local machine's netmask will be used during matching.
3670: .Bd -literal
3671: lisa CUNETS = ALL
3672: .Ed
3673: .Pp
3674: The user
3675: .Sy lisa
3676: may run any command on any host in the
3677: .Em CUNETS
3678: alias (the class B network
3679: .Li 128.138.0.0 ) .
3680: .Bd -literal
3681: operator ALL = DUMPS, KILL, SHUTDOWN, HALT, REBOOT, PRINTING,\e
3682: sudoedit /etc/printcap, /usr/oper/bin/
3683: .Ed
3684: .Pp
3685: The
3686: .Sy operator
3687: user may run commands limited to simple maintenance.
3688: Here, those are commands related to backups, killing processes, the
3689: printing system, shutting down the system, and any commands in the
3690: directory
3691: .Pa /usr/oper/bin/ .
1.1.1.2 misho 3692: Note that one command in the
3693: .Li DUMPS
3694: Cmnd_Alias includes a sha224 digest,
3695: .Pa /home/operator/bin/start_backups .
3696: This is because the directory containing the script is writable by the
3697: operator user.
3698: If the script is modified (resulting in a digest mismatch) it will no longer
3699: be possible to run it via
3700: .Nm sudo .
1.1 misho 3701: .Bd -literal
3702: joe ALL = /usr/bin/su operator
3703: .Ed
3704: .Pp
3705: The user
3706: .Sy joe
3707: may only
3708: .Xr su 1
3709: to operator.
3710: .Bd -literal
3711: pete HPPA = /usr/bin/passwd [A-Za-z]*, !/usr/bin/passwd root
3712:
3713: %opers ALL = (: ADMINGRP) /usr/sbin/
3714: .Ed
3715: .Pp
3716: Users in the
3717: .Sy opers
3718: group may run commands in
3719: .Pa /usr/sbin/
3720: as themselves
3721: with any group in the
3722: .Em ADMINGRP
3723: .Li Runas_Alias
3724: (the
3725: .Sy adm
3726: and
3727: .Sy oper
3728: groups).
3729: .Pp
3730: The user
3731: .Sy pete
3732: is allowed to change anyone's password except for
3733: root on the
3734: .Em HPPA
3735: machines.
3736: Note that this assumes
3737: .Xr passwd 1
3738: does not take multiple user names on the command line.
3739: .Bd -literal
3740: bob SPARC = (OP) ALL : SGI = (OP) ALL
3741: .Ed
3742: .Pp
3743: The user
3744: .Sy bob
3745: may run anything on the
3746: .Em SPARC
3747: and
3748: .Em SGI
3749: machines as any user listed in the
3750: .Em OP
3751: .Li Runas_Alias
3752: .Po
3753: .Sy root
3754: and
3755: .Sy operator
3756: .Pc .
3757: .Bd -literal
3758: jim +biglab = ALL
3759: .Ed
3760: .Pp
3761: The user
3762: .Sy jim
3763: may run any command on machines in the
3764: .Em biglab
3765: netgroup.
3766: .Nm sudo
3767: knows that
3768: .Dq biglab
3769: is a netgroup due to the
3770: .Ql +
3771: prefix.
3772: .Bd -literal
3773: +secretaries ALL = PRINTING, /usr/bin/adduser, /usr/bin/rmuser
3774: .Ed
3775: .Pp
3776: Users in the
3777: .Sy secretaries
3778: netgroup need to help manage the printers as well as add and remove users,
3779: so they are allowed to run those commands on all machines.
3780: .Bd -literal
3781: fred ALL = (DB) NOPASSWD: ALL
3782: .Ed
3783: .Pp
3784: The user
3785: .Sy fred
3786: can run commands as any user in the
3787: .Em DB
3788: .Li Runas_Alias
3789: .Po
3790: .Sy oracle
3791: or
3792: .Sy sybase
3793: .Pc
3794: without giving a password.
3795: .Bd -literal
3796: john ALPHA = /usr/bin/su [!-]*, !/usr/bin/su *root*
3797: .Ed
3798: .Pp
3799: On the
3800: .Em ALPHA
3801: machines, user
3802: .Sy john
3803: may su to anyone except root but he is not allowed to specify any options
3804: to the
3805: .Xr su 1
3806: command.
3807: .Bd -literal
3808: jen ALL, !SERVERS = ALL
3809: .Ed
3810: .Pp
3811: The user
3812: .Sy jen
3813: may run any command on any machine except for those in the
3814: .Em SERVERS
3815: .Li Host_Alias
3816: (master, mail, www and ns).
3817: .Bd -literal
3818: jill SERVERS = /usr/bin/, !SU, !SHELLS
3819: .Ed
3820: .Pp
3821: For any machine in the
3822: .Em SERVERS
3823: .Li Host_Alias ,
3824: .Sy jill
3825: may run
3826: any commands in the directory
3827: .Pa /usr/bin/
3828: except for those commands
3829: belonging to the
3830: .Em SU
3831: and
3832: .Em SHELLS
3833: .Li Cmnd_Aliases .
1.1.1.3 ! misho 3834: While not specifically mentioned in the rule, the commands in the
! 3835: .Em PAGERS
! 3836: .Li Cmnd_Alias
! 3837: all reside in
! 3838: .Pa /usr/bin
! 3839: and have the
! 3840: .Em noexec
! 3841: option set.
1.1 misho 3842: .Bd -literal
3843: steve CSNETS = (operator) /usr/local/op_commands/
3844: .Ed
3845: .Pp
3846: The user
3847: .Sy steve
3848: may run any command in the directory /usr/local/op_commands/
3849: but only as user operator.
3850: .Bd -literal
3851: matt valkyrie = KILL
3852: .Ed
3853: .Pp
3854: On his personal workstation, valkyrie,
3855: .Sy matt
3856: needs to be able to kill hung processes.
3857: .Bd -literal
3858: WEBMASTERS www = (www) ALL, (root) /usr/bin/su www
3859: .Ed
3860: .Pp
3861: On the host www, any user in the
3862: .Em WEBMASTERS
3863: .Li User_Alias
3864: (will, wendy, and wim), may run any command as user www (which owns the
3865: web pages) or simply
3866: .Xr su 1
3867: to www.
3868: .Bd -literal
3869: ALL CDROM = NOPASSWD: /sbin/umount /CDROM,\e
3870: /sbin/mount -o nosuid\,nodev /dev/cd0a /CDROM
3871: .Ed
3872: .Pp
3873: Any user may mount or unmount a CD-ROM on the machines in the CDROM
3874: .Li Host_Alias
3875: (orion, perseus, hercules) without entering a password.
3876: This is a bit tedious for users to type, so it is a prime candidate
3877: for encapsulating in a shell script.
3878: .Sh SECURITY NOTES
3879: .Ss Limitations of the So !\& Sc operator
3880: It is generally not effective to
3881: .Dq subtract
3882: commands from
3883: .Sy ALL
3884: using the
3885: .Ql !\&
3886: operator.
3887: A user can trivially circumvent this by copying the desired command
3888: to a different name and then executing that.
3889: For example:
3890: .Bd -literal
3891: bill ALL = ALL, !SU, !SHELLS
3892: .Ed
3893: .Pp
3894: Doesn't really prevent
3895: .Sy bill
3896: from running the commands listed in
3897: .Em SU
3898: or
3899: .Em SHELLS
3900: since he can simply copy those commands to a different name, or use
3901: a shell escape from an editor or other program.
3902: Therefore, this kind of restriction should be considered
3903: advisory at best (and reinforced by policy).
3904: .Pp
3905: In general, if a user has sudo
3906: .Sy ALL
3907: there is nothing to prevent them from creating their own program that gives
3908: them a root shell (or making their own copy of a shell) regardless of any
3909: .Ql !\&
3910: elements in the user specification.
3911: .Ss Security implications of Em fast_glob
3912: If the
3913: .Em fast_glob
3914: option is in use, it is not possible to reliably negate commands where the
3915: path name includes globbing (aka wildcard) characters.
3916: This is because the C library's
3917: .Xr fnmatch 3
3918: function cannot resolve relative paths.
3919: While this is typically only an inconvenience for rules that grant privileges,
3920: it can result in a security issue for rules that subtract or revoke privileges.
3921: .Pp
3922: For example, given the following
3923: .Em sudoers
3924: entry:
3925: .Bd -literal
3926: john ALL = /usr/bin/passwd [a-zA-Z0-9]*, /usr/bin/chsh [a-zA-Z0-9]*,\e
3927: /usr/bin/chfn [a-zA-Z0-9]*, !/usr/bin/* root
3928: .Ed
3929: .Pp
3930: User
3931: .Sy john
3932: can still run
3933: .Li /usr/bin/passwd root
3934: if
3935: .Em fast_glob
3936: is enabled by changing to
3937: .Pa /usr/bin
3938: and running
3939: .Li ./passwd root
3940: instead.
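.Pp
The two weaknesses above (subtracting from
.Sy ALL
with the
.Ql !\&
operator, and negated rules containing wildcards while
.Em fast_glob
is set) are both visible from the policy text alone, so they can be
caught at review time.
The following audit script is an added example, not part of sudo or
.Nm visudo ;
it reads a sudoers file, joins backslash-continued lines, and reports
rules of either shape.
It understands only the syntax used in this manual's examples
(aliases are not expanded, so a negated alias is reported by name), and
the sample policy it runs on is constructed from the rules shown above.

```python
import re
from typing import List, Tuple

GLOB_CHARS = "*?["
TAGS = re.compile(r"^(?:[A-Z]+:\s*)+")     # NOPASSWD:, NOEXEC:, ...
RUNAS = re.compile(r"^\([^)]*\)\s*")       # (user : group) runas list
ALIAS_LINE = re.compile(r"^[A-Za-z]+_Alias\b")
FAST_GLOB_ON = re.compile(r"(?<!!)\bfast_glob\b")   # not negated with !


def _logical_lines(text: str) -> List[str]:
    """Join backslash-continued lines, drop comments/blank lines, squeeze spaces."""
    out, buf = [], ""
    for raw in text.splitlines():
        if raw.lstrip().startswith("#"):
            continue
        if raw.rstrip().endswith("\\"):
            buf += raw.rstrip()[:-1] + " "
            continue
        buf += raw
        if buf.strip():
            out.append(" ".join(buf.split()))
        buf = ""
    return out


def _commands(rhs: str) -> List[str]:
    """Command names on the right of '='; a rule may hold several 'HOST = ...' parts."""
    cmds: List[str] = []
    for part in rhs.split(" : "):
        if "=" in part:
            part = part.split("=", 1)[1]
        for item in part.split(","):
            item = TAGS.sub("", RUNAS.sub("", item.strip()))
            if item:
                cmds.append(item)
    return cmds


def lint_sudoers(text: str) -> List[Tuple[str, str]]:
    """Return (finding-kind, rule) pairs for rules the SECURITY NOTES call unreliable."""
    lines = _logical_lines(text)
    fast_glob = any(l.startswith("Defaults") and FAST_GLOB_ON.search(l) for l in lines)
    findings: List[Tuple[str, str]] = []
    for line in lines:
        if line.startswith("Defaults") or ALIAS_LINE.match(line) or "=" not in line:
            continue
        cmds = _commands(line.split("=", 1)[1])
        negated = [c[1:].strip() for c in cmds if c.startswith("!")]
        if not negated:
            continue
        if "ALL" in cmds:
            # "ALL, !X" is advisory at best: the user can copy X under another name.
            findings.append(("advisory-only", line))
        if fast_glob and any(ch in c for c in negated for ch in GLOB_CHARS):
            # fnmatch(3) cannot resolve relative paths, so the negation can be missed.
            findings.append(("fast_glob-wildcard", line))
    return findings


# Constructed sample policy assembled from the rules shown in this manual.
SAMPLE_SUDOERS = """\
Defaults fast_glob
Cmnd_Alias SU = /usr/bin/su
Cmnd_Alias SHELLS = /usr/bin/sh, /usr/bin/csh, /usr/bin/ksh
bill ALL = ALL, !SU, !SHELLS
jill SERVERS = /usr/bin/, !SU, !SHELLS
jen ALL, !SERVERS = ALL
john ALL = /usr/bin/passwd [a-zA-Z0-9]*, /usr/bin/chsh [a-zA-Z0-9]*,\\
    /usr/bin/chfn [a-zA-Z0-9]*, !/usr/bin/* root
pete HPPA = /usr/bin/passwd [A-Za-z]*, !/usr/bin/passwd root
"""

if __name__ == "__main__":
    for kind, rule in lint_sudoers(SAMPLE_SUDOERS):
        print("%-20s %s" % (kind, rule))
```

Note that
.Sy jen Ns No 's
rule is not reported: its
.Ql !
is on the host list, which is matched by the front end, not subtracted
from a command set.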
3941: .Ss Preventing shell escapes
3942: Once
3943: .Nm sudo
3944: executes a program, that program is free to do whatever
3945: it pleases, including run other programs.
3946: This can be a security issue since it is not uncommon for a program to
3947: allow shell escapes, which lets a user bypass
3948: .Nm sudo Ns No 's
3949: access control and logging.
3950: Common programs that permit shell escapes include shells (obviously),
3951: editors, paginators, mail and terminal programs.
3952: .Pp
3953: There are two basic approaches to this problem:
3954: .Bl -tag -width 8n
3955: .It restrict
3956: Avoid giving users access to commands that allow the user to run
3957: arbitrary commands.
3958: Many editors have a restricted mode where shell
3959: escapes are disabled, though
3960: .Nm sudoedit
3961: is a better solution to
3962: running editors via
3963: .Nm sudo .
3964: Due to the large number of programs that
3965: offer shell escapes, restricting users to the set of programs that
3966: do not is often unworkable.
3967: .It noexec
3968: Many systems that support shared libraries have the ability to
3969: override default library functions by pointing an environment
3970: variable (usually
3971: .Ev LD_PRELOAD )
3972: to an alternate shared library.
3973: On such systems,
3974: .Nm sudo Ns No 's
3975: .Em noexec
3976: functionality can be used to prevent a program run by
3977: .Nm sudo
3978: from executing any other programs.
3979: Note, however, that this applies only to native dynamically-linked
3980: executables.
3981: Statically-linked executables and foreign executables
3982: running under binary emulation are not affected.
3983: .Pp
3984: The
3985: .Em noexec
3986: feature is known to work on SunOS, Solaris, *BSD,
3987: Linux, IRIX, Tru64 UNIX, MacOS X, HP-UX 11.x and AIX 5.3 and above.
3988: It should be supported on most operating systems that support the
3989: .Ev LD_PRELOAD
3990: environment variable.
3991: Check your operating system's manual pages for the dynamic linker
3992: (usually ld.so, ld.so.1, dyld, dld.sl, rld, or loader) to see if
3993: .Ev LD_PRELOAD
3994: is supported.
3995: .Pp
3996: On Solaris 10 and higher,
3997: .Em noexec
3998: uses Solaris privileges instead of the
3999: .Ev LD_PRELOAD
4000: environment variable.
4001: .Pp
4002: To enable
4003: .Em noexec
4004: for a command, use the
4005: .Li NOEXEC
4006: tag as documented
4007: in the User Specification section above.
4008: Here is that example again:
4009: .Bd -literal
4010: aaron shanty = NOEXEC: /usr/bin/more, /usr/bin/vi
4011: .Ed
4012: .Pp
4013: This allows user
4014: .Sy aaron
4015: to run
4016: .Pa /usr/bin/more
4017: and
4018: .Pa /usr/bin/vi
4019: with
4020: .Em noexec
4021: enabled.
4022: This will prevent those two commands from
4023: executing other commands (such as a shell).
4024: If you are unsure whether or not your system is capable of supporting
4025: .Em noexec
4026: you can always just try it out and check whether shell escapes work when
4027: .Em noexec
4028: is enabled.
4029: .El
4030: .Pp
4031: Note that restricting shell escapes is not a panacea.
4032: Programs running as root are still capable of many potentially hazardous
4033: operations (such as changing or overwriting files) that could lead
4034: to unintended privilege escalation.
4035: In the specific case of an editor, a safer approach is to give the
4036: user permission to run
4037: .Nm sudoedit .
4038: .Ss Time stamp file checks
4039: .Em sudoers
4040: will check the ownership of its time stamp directory
4041: .Po
4042: .Pa @timedir@
4043: by default
4044: .Pc
4045: and ignore the directory's contents if it is not owned by root or
4046: if it is writable by a user other than root.
4047: On systems that allow non-root users to give away files via
4048: .Xr chown 2 ,
4049: if the time stamp directory is located in a world-writable
4050: directory (e.g.\&,
4051: .Pa /tmp ) ,
4052: it is possible for a user to create the time stamp directory before
4053: .Nm sudo
4054: is run.
4055: However, because
4056: .Em sudoers
4057: checks the ownership and mode of the directory and its
4058: contents, the only damage that can be done is to
4059: .Dq hide
4060: files by putting them in the time stamp dir.
4061: This is unlikely to happen since once the time stamp dir is owned by root
4062: and inaccessible by any other user, the user placing files there would be
4063: unable to get them back out.
4064: .Pp
4065: .Em sudoers
4066: will not honor time stamps set far in the future.
4067: Time stamps with a date greater than current_time + 2 *
4068: .Li TIMEOUT
4069: will be ignored and sudo will log and complain.
4070: This is done to keep a user from creating his/her own time stamp with a
4071: bogus date on systems that allow users to give away files if the time
4072: stamp directory is located in a world-writable directory.
4073: .Pp
4074: On systems where the boot time is available,
4075: .Em sudoers
4076: will ignore time stamps that date from before the machine booted.
4077: .Pp
4078: Since time stamp files live in the file system, they can outlive a
4079: user's login session.
4080: As a result, a user may be able to login, run a command with
4081: .Nm sudo
4082: after authenticating, logout, login again, and run
4083: .Nm sudo
4084: without authenticating so long as the time stamp file's modification
4085: time is within
4086: .Li @timeout@
4087: minutes (or whatever the timeout is set to in
4088: .Em sudoers ) .
4089: When the
4090: .Em tty_tickets
4091: option is enabled, the time stamp has per-tty granularity but still
4092: may outlive the user's session.
4093: On Linux systems where the devpts filesystem is used, Solaris systems
4094: with the devices filesystem, as well as other systems that utilize a
4095: devfs filesystem that monotonically increases the inode number of devices
4096: as they are created (such as Mac OS X),
4097: .Em sudoers
4098: is able to determine when a tty-based time stamp file is stale and will
4099: ignore it.
4100: Administrators should not rely on this feature as it is not universally
4101: available.
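.Pp
The checks described in this subsection (directory owned by root and not
writable by others, time stamps further than 2 * TIMEOUT in the future
ignored, time stamps from before boot ignored, and otherwise the usual
timeout comparison) combine into one decision.
The model below is an added example and is not the
.Em sudoers
implementation; it evaluates those rules over a small record of the
facts involved, and
.Li state_from_paths
shows how the same facts would be gathered from a real directory
(boot time via /proc/uptime, an assumption that holds on Linux only).
The
.Dq writable by a user other than root
test is approximated as group- or world-writable.

```python
import os
import stat
import time
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass
class TimestampState:
    """The facts the checks look at (constructed directly or via state_from_paths)."""
    dir_uid: int                        # owner of the time stamp directory
    dir_mode: int                       # its permission bits, e.g. 0o700
    file_mtime: float                   # mtime of the user's time stamp file (epoch seconds)
    now: float
    timeout: float                      # seconds; the sudoers option is given in minutes
    boot_time: Optional[float] = None   # None where the system does not expose it


def timestamp_decision(s: TimestampState) -> Tuple[bool, str]:
    """True when the time stamp would let the user skip authentication."""
    if s.dir_uid != 0:
        return False, "directory not owned by root: contents ignored"
    if s.dir_mode & (stat.S_IWGRP | stat.S_IWOTH):
        return False, "directory writable by others: contents ignored"
    if s.file_mtime > s.now + 2 * s.timeout:
        return False, "time stamp more than 2*TIMEOUT in the future: ignored and logged"
    if s.boot_time is not None and s.file_mtime < s.boot_time:
        return False, "time stamp predates boot: ignored"
    if s.now - s.file_mtime > s.timeout:
        return False, "time stamp expired: authentication required"
    return True, "time stamp valid: authentication skipped"


def state_from_paths(ts_dir: str, ts_file: str, timeout_minutes: int) -> TimestampState:
    """Gather the same facts from a real directory and file."""
    d, f = os.stat(ts_dir), os.stat(ts_file)
    now = time.time()
    boot = None
    try:
        with open("/proc/uptime") as fh:          # Linux-specific assumption
            boot = now - float(fh.read().split()[0])
    except OSError:
        pass
    return TimestampState(d.st_uid, stat.S_IMODE(d.st_mode), f.st_mtime,
                          now, timeout_minutes * 60, boot)
```

A time stamp slightly in the future (within 2 * TIMEOUT) is still honored
by this model, matching the text, which only rejects stamps set far ahead.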
1.1.1.2 misho 4102: .Sh DEBUGGING
4103: Versions 1.8.4 and higher of the
4104: .Nm sudoers
4105: plugin support a flexible debugging framework that can help track
4106: down what the plugin is doing internally if there is a problem.
4107: This can be configured in the
4108: .Xr sudo.conf @mansectform@
4109: file.
4110: .Pp
4111: The
4112: .Nm sudoers
4113: plugin uses the same debug flag format as the
4114: .Nm sudo
4115: front-end:
4116: .Em subsystem Ns No @ Ns Em priority .
4117: .Pp
4118: The priorities used by
4119: .Nm sudoers ,
4120: in order of decreasing severity,
4121: are:
4122: .Em crit , err , warn , notice , diag , info , trace
4123: and
4124: .Em debug .
4125: Each priority, when specified, also includes all priorities higher
4126: than it.
4127: For example, a priority of
4128: .Em notice
4129: would include debug messages logged at
4130: .Em notice
4131: and higher.
4132: .Pp
4133: The following subsystems are used by the
4134: .Nm sudoers
4135: plugin:
4136: .Bl -tag -width 8n
4137: .It Em alias
4138: .Li User_Alias ,
4139: .Li Runas_Alias ,
4140: .Li Host_Alias
4141: and
4142: .Li Cmnd_Alias
4143: processing
4144: .It Em all
4145: matches every subsystem
4146: .It Em audit
4147: BSM and Linux audit code
4148: .It Em auth
4149: user authentication
4150: .It Em defaults
4151: .Em sudoers
4152: .Em Defaults
4153: settings
4154: .It Em env
4155: environment handling
4156: .It Em ldap
4157: LDAP-based sudoers
4158: .It Em logging
4159: logging support
4160: .It Em match
4161: matching of users, groups, hosts and netgroups in
4162: .Em sudoers
4163: .It Em netif
4164: network interface handling
4165: .It Em nss
4166: network service switch handling in
4167: .Em sudoers
4168: .It Em parser
4169: .Em sudoers
4170: file parsing
4171: .It Em perms
4172: permission setting
4173: .It Em plugin
4174: The equivalent of
4175: .Em main
4176: for the plugin.
4177: .It Em pty
4178: pseudo-tty related code
4179: .It Em rbtree
4180: red-black tree internals
4181: .It Em util
4182: utility functions
4183: .El
4184: For example:
4185: .Bd -literal
4186: Debug sudo /var/log/sudo_debug match@info,nss@info
4187: .Ed
4188: .Pp
4189: For more information, see the
4190: .Xr sudo.conf @mansectform@
4191: manual.
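.Pp
The rule that a priority includes every priority above it, together with
the
.Em all
subsystem, decides which debug messages reach the file.
The helper below is an added example rather than sudo's own code: it
parses a
.Li Debug
line of the form shown above and answers whether a message from a given
subsystem at a given priority would be logged.
It assumes that when a subsystem is named more than once, or both
individually and through
.Em all ,
the more verbose setting applies.

```python
from typing import Dict, Tuple

# Highest severity first, in the order given in the DEBUGGING section.
PRIORITIES = ["crit", "err", "warn", "notice", "diag", "info", "trace", "debug"]
SUBSYSTEMS = {"alias", "all", "audit", "auth", "defaults", "env", "ldap",
              "logging", "match", "netif", "nss", "parser", "perms", "plugin",
              "pty", "rbtree", "util"}


def parse_debug_flags(flags: str) -> Dict[str, int]:
    """'match@info,nss@info' -> {subsystem: index into PRIORITIES}."""
    levels: Dict[str, int] = {}
    for flag in flags.split(","):
        subsystem, sep, priority = flag.strip().partition("@")
        if not sep or subsystem not in SUBSYSTEMS or priority not in PRIORITIES:
            raise ValueError("bad debug flag: %r" % flag)
        # Assumption: a repeated subsystem keeps its most verbose setting.
        levels[subsystem] = max(levels.get(subsystem, -1), PRIORITIES.index(priority))
    return levels


def would_log(flags: str, subsystem: str, priority: str) -> bool:
    """Would a message tagged subsystem@priority reach the debug file?"""
    levels = parse_debug_flags(flags)
    threshold = max(levels.get(subsystem, -1), levels.get("all", -1))
    return PRIORITIES.index(priority) <= threshold


def parse_debug_line(line: str) -> Tuple[str, str, str]:
    """Split a sudo.conf 'Debug program logfile flags' line and validate the flags."""
    keyword, program, logfile, flags = line.split()
    if keyword != "Debug":
        raise ValueError("not a Debug line")
    parse_debug_flags(flags)
    return program, logfile, flags
```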
1.1 misho 4192: .Sh SEE ALSO
4193: .Xr ssh 1 ,
4194: .Xr su 1 ,
4195: .Xr fnmatch 3 ,
4196: .Xr glob 3 ,
4197: .Xr mktemp 3 ,
4198: .Xr strftime 3 ,
1.1.1.2 misho 4199: .Xr sudo.conf @mansectform@ ,
1.1 misho 4200: .Xr sudoers.ldap @mansectform@ ,
4201: .Xr sudo_plugin @mansectsu@ ,
4202: .Xr sudo @mansectsu@ ,
4203: .Xr visudo @mansectsu@
4204: .Sh CAVEATS
4205: The
4206: .Em sudoers
4207: file should
4208: .Sy always
4209: be edited by the
4210: .Nm visudo
4211: command which locks the file and does grammatical checking.
4212: It is
4213: imperative that
4214: .Em sudoers
4215: be free of syntax errors since
4216: .Nm sudo
4217: will not run with a syntactically incorrect
4218: .Em sudoers
4219: file.
4220: .Pp
4221: When using netgroups of machines (as opposed to users), if you
4222: store fully qualified host names in the netgroup (as is usually the
4223: case), you either need to have the machine's host name be fully qualified
4224: as returned by the
4225: .Li hostname
4226: command or use the
4227: .Em fqdn
4228: option in
4229: .Em sudoers .
4230: .Sh BUGS
4231: If you feel you have found a bug in
4232: .Nm sudo ,
4233: please submit a bug report at http://www.sudo.ws/sudo/bugs/
4234: .Sh SUPPORT
4235: Limited free support is available via the sudo-users mailing list,
4236: see http://www.sudo.ws/mailman/listinfo/sudo-users to subscribe or
4237: search the archives.
4238: .Sh DISCLAIMER
4239: .Nm sudo
4240: is provided
4241: .Dq AS IS
4242: and any express or implied warranties, including, but not limited
4243: to, the implied warranties of merchantability and fitness for a
4244: particular purpose are disclaimed.
4245: See the LICENSE file distributed with
4246: .Nm sudo
4247: or http://www.sudo.ws/sudo/license.html for complete details.