Annotation of embedaddon/sudo/doc/sudoers.mdoc.in, revision 1.1.1.4
.\"
.\" Copyright (c) 1994-1996, 1998-2005, 2007-2014
.\" Todd C. Miller <Todd.Miller@courtesan.com>
.\"
.\" Permission to use, copy, modify, and distribute this software for any
.\" purpose with or without fee is hereby granted, provided that the above
.\" copyright notice and this permission notice appear in all copies.
.\"
.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
.\" ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
.\"
.\" Sponsored in part by the Defense Advanced Research Projects
.\" Agency (DARPA) and Air Force Research Laboratory, Air Force
.\" Materiel Command, USAF, under agreement number F39502-99-1-0512.
.\"
.Dd February 15, 2014
.Dt SUDOERS @mansectform@
.Os Sudo @PACKAGE_VERSION@
.Sh NAME
.Nm sudoers
.Nd default sudo security policy plugin
.Sh DESCRIPTION
The
.Em sudoers
policy plugin determines a user's
.Nm sudo
privileges.
It is the default
.Nm sudo
policy plugin.
The policy is driven by
the
.Pa @sysconfdir@/sudoers
file or, optionally, in LDAP.
The policy format is described in detail in the
.Sx SUDOERS FILE FORMAT
section.
For information on storing
.Em sudoers
policy information
in LDAP, please see
.Xr sudoers.ldap @mansectform@ .
.Ss Configuring sudo.conf for sudoers
.Nm sudo
consults the
.Xr sudo.conf @mansectform@
file to determine which policy and I/O logging plugins to load.
If no
.Xr sudo.conf @mansectform@
file is present, or if it contains no
.Li Plugin
lines,
.Nm sudoers
will be used for policy decisions and I/O logging.
To explicitly configure
.Xr sudo.conf @mansectform@
to use the
.Nm sudoers
plugin, the following configuration can be used.
.Bd -literal -offset indent
Plugin sudoers_policy sudoers.so
Plugin sudoers_io sudoers.so
.Ed
.Pp
Starting with
.Nm sudo
1.8.5, it is possible to specify optional arguments to the
.Nm sudoers
plugin in the
.Xr sudo.conf @mansectform@
file.
These arguments, if present, should be listed after the path to the plugin
(i.e.\& after
.Pa sudoers.so ) .
Multiple arguments may be specified, separated by white space.
For example:
.Bd -literal -offset indent
Plugin sudoers_policy sudoers.so sudoers_mode=0400
.Ed
.Pp
The following plugin arguments are supported:
.Bl -tag -width 8n
.It ldap_conf=pathname
The
.Em ldap_conf
argument can be used to override the default path to the
.Pa ldap.conf
file.
.It ldap_secret=pathname
The
.Em ldap_secret
argument can be used to override the default path to the
.Pa ldap.secret
file.
.It sudoers_file=pathname
The
.Em sudoers_file
argument can be used to override the default path to the
.Em sudoers
file.
.It sudoers_uid=uid
The
.Em sudoers_uid
argument can be used to override the default owner of the sudoers file.
It should be specified as a numeric user ID.
.It sudoers_gid=gid
The
.Em sudoers_gid
argument can be used to override the default group of the sudoers file.
It must be specified as a numeric group ID (not a group name).
.It sudoers_mode=mode
The
.Em sudoers_mode
argument can be used to override the default file mode for the sudoers file.
It should be specified as an octal value.
.El
.Pp
For more information on configuring
.Xr sudo.conf @mansectform@ ,
please refer to its manual.
.Ss Authentication and logging
The
.Em sudoers
security policy requires that most users authenticate
themselves before they can use
.Nm sudo .
A password is not required
if the invoking user is root, if the target user is the same as the
invoking user, or if the policy has disabled authentication for the
user or command.
Unlike
.Xr su 1 ,
when
.Em sudoers
requires
authentication, it validates the invoking user's credentials, not
the target user's (or root's) credentials.
This can be changed via
the
.Em rootpw ,
.Em targetpw
and
.Em runaspw
flags, described later.
.Pp
If a user who is not listed in the policy tries to run a command
via
.Nm sudo ,
mail is sent to the proper authorities.
The address
used for such mail is configurable via the
.Em mailto
Defaults entry
(described later) and defaults to
.Li @mailto@ .
.Pp
Note that mail will not be sent if an unauthorized user tries to
run
.Nm sudo
with the
.Fl l
or
.Fl v
option.
This allows users to
determine for themselves whether or not they are allowed to use
.Nm sudo .
.Pp
If
.Nm sudo
is run by root and the
.Ev SUDO_USER
environment variable
is set, the
.Em sudoers
policy will use this value to determine who
the actual user is.
This can be used by a user to log commands
through sudo even when a root shell has been invoked.
It also
allows the
.Fl e
option to remain useful even when invoked via a
sudo-run script or program.
Note, however, that the
.Em sudoers
lookup is still done for root, not the user specified by
.Ev SUDO_USER .
.Pp
.Em sudoers
uses per-user time stamp files for credential caching.
Once a user has been authenticated, a record is written
containing the uid that was used to authenticate, the
terminal session ID, and a time stamp
(using a monotonic clock if one is available).
The user may then use
.Nm sudo
without a password for a short period of time
.Po
.Li @timeout@
minutes unless overridden by the
.Em timeout
option
.Pc .
By default,
.Em sudoers
uses a separate record for each tty, which means that
a user's login sessions are authenticated separately.
The
.Em tty_tickets
option can be disabled to force the use of a
single time stamp for all of a user's sessions.
.Pp
.Em sudoers
can log both successful and unsuccessful attempts (as well
as errors) to
.Xr syslog 3 ,
a log file, or both.
By default,
.Em sudoers
will log via
.Xr syslog 3
but this is changeable via the
.Em syslog
and
.Em logfile
Defaults settings.
.Pp
.Em sudoers
also supports logging a command's input and output
streams.
I/O logging is not on by default but can be enabled using
the
.Em log_input
and
.Em log_output
Defaults flags as well as the
.Li LOG_INPUT
and
.Li LOG_OUTPUT
command tags.
.Ss Command environment
Since environment variables can influence program behavior,
.Em sudoers
provides a means to restrict which variables from the user's
environment are inherited by the command to be run.
There are two
distinct ways
.Em sudoers
can deal with environment variables.
.Pp
By default, the
.Em env_reset
option is enabled.
This causes commands
to be executed with a new, minimal environment.
On AIX (and Linux
systems without PAM), the environment is initialized with the
contents of the
.Pa /etc/environment
file.
On BSD systems, if the
.Em use_loginclass
option is enabled, the environment is initialized
based on the
.Em path
and
.Em setenv
settings in
.Pa /etc/login.conf .
The new environment contains the
.Ev TERM ,
.Ev PATH ,
.Ev HOME ,
.Ev MAIL ,
.Ev SHELL ,
.Ev LOGNAME ,
.Ev USER ,
.Ev USERNAME
and
.Ev SUDO_*
variables
in addition to variables from the invoking process permitted by the
.Em env_check
and
.Em env_keep
options.
This is effectively a whitelist
for environment variables.
.Pp
If, however, the
.Em env_reset
option is disabled, any variables not
explicitly denied by the
.Em env_check
and
.Em env_delete
options are
inherited from the invoking process.
In this case,
.Em env_check
and
.Em env_delete
behave like a blacklist.
Since it is not possible
to blacklist all potentially dangerous environment variables, use
of the default
.Em env_reset
behavior is encouraged.
.Pp
In all cases, environment variables with a value beginning with
.Li ()
are removed as they could be interpreted as
.Sy bash
functions.
The list of environment variables that
.Nm sudo
allows or denies is
contained in the output of
.Dq Li sudo -V
when run as root.
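The two modes above, worked through as an added Python example written for this page (it is not sudo's own code, which does this in C inside the policy plugin). It takes the always-kept variable list from the paragraph above and sudoers' documented env_check test, under which a checked variable survives only if its value contains no '/' or '%' character (the extra checks sudo applies to TZ are left out). The sample environment, and the use of '*' wildcards in env_keep and env_check entries, are constructed for illustration; the per-target-user resetting of HOME, SHELL and similar variables is also omitted.

```python
"""Model of sudoers environment filtering: env_reset on (allow list) versus
env_reset off (deny list), plus the unconditional removal of values that
begin with "()".  Added example for this page, not sudo's own code."""
import fnmatch

# Variables sudoers always carries into the new environment when env_reset is on.
ALWAYS_KEPT = ("TERM", "PATH", "HOME", "MAIL", "SHELL", "LOGNAME", "USER",
               "USERNAME", "SUDO_*")

# Constructed sample environment of an invoking shell (not captured from a host).
SAMPLE_ENV = {
    "PATH": "/usr/bin:/bin",
    "TERM": "xterm",
    "EDITOR": "vim",
    "LANG": "en_US.UTF-8",           # env_check candidate with a "safe" value
    "LC_ALL": "/tmp/fake-locale",    # env_check candidate with an unsafe value
    "LD_PRELOAD": "/tmp/evil.so",    # the dynamic linker drops this before sudo even runs
    "HISTFILE": "/dev/null",
    "PROMPT_COMMAND": "history -a",
    "ls": "() { /tmp/x; }",          # exported bash function: always removed
    "SUDO_EDITOR": "nano",
}


def _listed(name, patterns):
    """True if name is in the list; '*' wildcards as in list entries (assumption)."""
    return any(fnmatch.fnmatchcase(name, p) for p in patterns)


def _value_is_safe(value):
    """env_check keeps a variable only if its value has no '/' or '%' characters."""
    return "/" not in value and "%" not in value


def filter_env(env, env_reset=True, env_keep=(), env_check=(), env_delete=()):
    """Return the environment the command would receive under the given options."""
    kept = {}
    for name, value in env.items():
        # In all cases, values beginning with "()" are dropped (bash functions).
        if value.startswith("()"):
            continue
        if env_reset:
            # Allow list: always-kept names, env_keep names, env_check names with safe values.
            if _listed(name, ALWAYS_KEPT) or _listed(name, env_keep):
                kept[name] = value
            elif _listed(name, env_check) and _value_is_safe(value):
                kept[name] = value
        else:
            # Deny list: everything is inherited unless deleted, or checked and unsafe.
            if _listed(name, env_delete):
                continue
            if _listed(name, env_check) and not _value_is_safe(value):
                continue
            kept[name] = value
    return kept


def compare_modes(env=SAMPLE_ENV):
    """Apply the same lists both ways; shows what the deny list lets through."""
    keep, check, delete = ("EDITOR",), ("LANG", "LC_*"), ("LD_*", "HISTFILE")
    with_reset = filter_env(env, True, keep, check, delete)
    without_reset = filter_env(env, False, keep, check, delete)
    return sorted(with_reset), sorted(without_reset)


if __name__ == "__main__":
    allow, deny = compare_modes()
    print("env_reset on :", allow)
    print("env_reset off:", deny)
    print("only survives the deny list:", sorted(set(deny) - set(allow)))
```

With the same env_keep, env_check and env_delete lists, the deny-list mode still passes PROMPT_COMMAND through to the command because nobody thought to list it; that is the point of the recommendation to leave env_reset on.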
.Pp
Note that the dynamic linker on most operating systems will remove
variables that can control dynamic linking from the environment of
setuid executables, including
.Nm sudo .
Depending on the operating
system this may include
.Ev _RLD* ,
.Ev DYLD_* ,
.Ev LD_* ,
.Ev LDR_* ,
.Ev LIBPATH ,
.Ev SHLIB_PATH ,
and others.
These types of variables are
removed from the environment before
.Nm sudo
even begins execution
and, as such, it is not possible for
.Nm sudo
to preserve them.
.Pp
As a special case, if
.Nm sudo Ns 's
.Fl i
option (initial login) is
specified,
.Em sudoers
will initialize the environment regardless
of the value of
.Em env_reset .
The
.Ev DISPLAY ,
.Ev PATH
and
.Ev TERM
variables remain unchanged;
.Ev HOME ,
.Ev MAIL ,
.Ev SHELL ,
.Ev USER ,
and
.Ev LOGNAME
are set based on the target user.
On AIX (and Linux
systems without PAM), the contents of
.Pa /etc/environment
are also
included.
On BSD systems, if the
.Em use_loginclass
option is
enabled, the
.Em path
and
.Em setenv
variables in
.Pa /etc/login.conf
are also applied.
All other environment variables are removed.
.Pp
Finally, if the
.Em env_file
option is defined, any variables present
in that file will be set to their specified values as long as they
would not conflict with an existing environment variable.
.Sh SUDOERS FILE FORMAT
The
.Em sudoers
file is composed of two types of entries: aliases
(basically variables) and user specifications (which specify who
may run what).
.Pp
When multiple entries match for a user, they are applied in order.
Where there are multiple matches, the last match is used (which is
not necessarily the most specific match).
.Pp
The
.Em sudoers
grammar will be described below in Extended Backus-Naur
Form (EBNF).
Don't despair if you are unfamiliar with EBNF; it is fairly simple,
and the definitions below are annotated.
.Ss Quick guide to EBNF
EBNF is a concise and exact way of describing the grammar of a language.
Each EBNF definition is made up of
.Em production rules .
E.g.,
.Pp
.Li symbol ::= definition | alternate1 | alternate2 ...
.Pp
Each
.Em production rule
references others and thus makes up a
grammar for the language.
EBNF also contains the following
operators, which many readers will recognize from regular
expressions.
Do not, however, confuse them with
.Dq wildcard
characters, which have different meanings.
.Bl -tag -width 4n
.It Li \&?
Means that the preceding symbol (or group of symbols) is optional.
That is, it may appear once or not at all.
.It Li *
Means that the preceding symbol (or group of symbols) may appear
zero or more times.
.It Li +
Means that the preceding symbol (or group of symbols) may appear
one or more times.
.El
.Pp
Parentheses may be used to group symbols together.
For clarity,
we will use single quotes
.Pq ''
to designate what is a verbatim character string (as opposed to a symbol name).
.Ss Aliases
There are four kinds of aliases:
.Li User_Alias ,
.Li Runas_Alias ,
.Li Host_Alias
and
.Li Cmnd_Alias .
.Bd -literal
Alias ::= 'User_Alias' User_Alias (':' User_Alias)* |
          'Runas_Alias' Runas_Alias (':' Runas_Alias)* |
          'Host_Alias' Host_Alias (':' Host_Alias)* |
          'Cmnd_Alias' Cmnd_Alias (':' Cmnd_Alias)*

User_Alias ::= NAME '=' User_List

Runas_Alias ::= NAME '=' Runas_List

Host_Alias ::= NAME '=' Host_List

Cmnd_Alias ::= NAME '=' Cmnd_List

NAME ::= [A-Z]([A-Z][0-9]_)*
.Ed
.Pp
Each
.Em alias
definition is of the form
.Bd -literal
Alias_Type NAME = item1, item2, ...
.Ed
.Pp
where
.Em Alias_Type
is one of
.Li User_Alias ,
.Li Runas_Alias ,
.Li Host_Alias ,
or
.Li Cmnd_Alias .
A
.Li NAME
is a string of uppercase letters, numbers,
and underscore characters
.Pq Ql _ .
A
.Li NAME
.Sy must
start with an
uppercase letter.
It is possible to put several alias definitions
of the same type on a single line, joined by a colon
.Pq Ql :\& .
E.g.,
.Bd -literal
Alias_Type NAME = item1, item2, item3 : NAME = item4, item5
.Ed
.Pp
The definitions of what constitutes a valid
.Em alias
member follow.
.Bd -literal
User_List ::= User |
              User ',' User_List

User ::= '!'* user name |
         '!'* #uid |
         '!'* %group |
         '!'* %#gid |
         '!'* +netgroup |
         '!'* %:nonunix_group |
         '!'* %:#nonunix_gid |
         '!'* User_Alias
.Ed
.Pp
A
.Li User_List
is made up of one or more user names, user IDs
(prefixed with
.Ql # ) ,
system group names and IDs (prefixed with
.Ql %
and
.Ql %#
respectively), netgroups (prefixed with
.Ql + ) ,
non-Unix group names and IDs (prefixed with
.Ql %:
and
.Ql %:#
respectively) and
.Li User_Alias Ns es.
Each list item may be prefixed with zero or more
.Ql \&!
operators.
An odd number of
.Ql \&!
operators negate the value of
the item; an even number just cancel each other out.
.Pp
A
.Li user name ,
.Li uid ,
.Li group ,
.Li gid ,
.Li netgroup ,
.Li nonunix_group
or
.Li nonunix_gid
may be enclosed in double quotes to avoid the
need for escaping special characters.
Alternately, special characters
may be specified in escaped hex mode, e.g.\& \ex20 for space.
When
using double quotes, any prefix characters must be included inside
the quotes.
.Pp
The actual
.Li nonunix_group
and
.Li nonunix_gid
syntax depends on
the underlying group provider plugin.
For instance, the QAS AD plugin supports the following formats:
.Bl -bullet -width 4n
.It
Group in the same domain: "%:Group Name"
.It
Group in any domain: "%:Group Name@FULLY.QUALIFIED.DOMAIN"
.It
Group SID: "%:S-1-2-34-5678901234-5678901234-5678901234-567"
.El
.Pp
See
.Sx "GROUP PROVIDER PLUGINS"
for more information.
.Pp
Note that quotes around group names are optional.
Unquoted strings must use a backslash
.Pq Ql \e
to escape spaces and special characters.
See
.Sx Other special characters and reserved words
for a list of
characters that need to be escaped.
.Bd -literal
Runas_List ::= Runas_Member |
               Runas_Member ',' Runas_List

Runas_Member ::= '!'* user name |
                 '!'* #uid |
                 '!'* %group |
                 '!'* %#gid |
                 '!'* %:nonunix_group |
                 '!'* %:#nonunix_gid |
                 '!'* +netgroup |
                 '!'* Runas_Alias
.Ed
.Pp
A
.Li Runas_List
is similar to a
.Li User_List
except that instead
of
.Li User_Alias Ns es
it can contain
.Li Runas_Alias Ns es .
Note that
user names and groups are matched as strings.
In other words, two
users (groups) with the same uid (gid) are considered to be distinct.
If you wish to match all user names with the same uid (e.g.\&
root and toor), you can use a uid instead (#0 in the example given).
.Bd -literal
Host_List ::= Host |
              Host ',' Host_List

Host ::= '!'* host name |
         '!'* ip_addr |
         '!'* network(/netmask)? |
         '!'* +netgroup |
         '!'* Host_Alias
.Ed
.Pp
A
.Li Host_List
is made up of one or more host names, IP addresses,
network numbers, netgroups (prefixed with
.Ql + )
and other aliases.
Again, the value of an item may be negated with the
.Ql \&!
operator.
If you do not specify a netmask along with the network number,
.Nm sudo
will query each of the local host's network interfaces and,
if the network number corresponds to one of the host's network
interfaces, the corresponding netmask will be used.
The netmask
may be specified either in standard IP address notation
(e.g.\& 255.255.255.0 or ffff:ffff:ffff:ffff::),
or CIDR notation (number of bits, e.g.\& 24 or 64).
A host name may include shell-style wildcards (see the
.Sx Wildcards
section below),
but unless the
.Li host name
command on your machine returns the fully
qualified host name, you'll need to use the
.Em fqdn
option for wildcards to be useful.
Note that
.Nm sudo
only inspects actual network interfaces; this means that IP address
127.0.0.1 (localhost) will never match.
Also, the host name
.Dq localhost
will only match if that is the actual host name, which is usually
only the case for non-networked systems.
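How an ip_addr or network(/netmask)? item is matched against the local interfaces, as an added Python example (not sudo's own code). It follows the rules just given: the netmask may be written in address notation or as a CIDR bit count, a bare network number borrows the netmask of the interface it corresponds to, and only real interfaces are consulted, so 127.0.0.1 never matches. The interface table is constructed and stands in for what sudo reads from the host; host names, netgroups, aliases and '!' negation are not handled here.

```python
"""Host_List matching for ip_addr and network(/netmask)? items.
Added example for this page, not sudo's own code."""
import ipaddress

# Constructed: the non-loopback interfaces a host might report.
LOCAL_IFACES = (
    ipaddress.ip_interface("192.0.2.17/24"),
    ipaddress.ip_interface("2001:db8:1::17/64"),
)


def prefix_length(mask, bits):
    """'24' -> 24; '255.255.255.0' -> 24; 'ffff:ffff:ffff:ffff::' -> 64.
    Rejects masks whose 1-bits are not contiguous."""
    if mask.isdigit():
        n = int(mask)
        if not 0 <= n <= bits:
            raise ValueError("prefix length out of range: %s" % mask)
        return n
    m = int(ipaddress.ip_address(mask))
    ones = bin(m).count("1")
    all_ones = (1 << bits) - 1
    if m != all_ones ^ ((1 << (bits - ones)) - 1):
        raise ValueError("non-contiguous netmask: %s" % mask)
    return ones


def host_item_matches(item, ifaces=LOCAL_IFACES):
    """Does one Host_List item (ip_addr or network(/netmask)?) match this host?"""
    if "/" in item:
        net_s, mask_s = item.split("/", 1)
        net_addr = ipaddress.ip_address(net_s)
        plen = prefix_length(mask_s, net_addr.max_prefixlen)
        net = ipaddress.ip_network("%s/%d" % (net_addr, plen), strict=False)
        # An address-family mismatch is simply a non-match for `in`.
        return any(iface.ip in net for iface in ifaces)
    addr = ipaddress.ip_address(item)
    for iface in ifaces:
        if iface.version != addr.version:
            continue
        if iface.ip == addr:                        # plain ip_addr
            return True
        if addr == iface.network.network_address:   # bare network number:
            return True                             # the interface's own netmask applies
    return False


def host_list_matches(items, ifaces=LOCAL_IFACES):
    """A Host_List matches if any item does (negation not modelled here)."""
    return any(host_item_matches(i, ifaces) for i in items)


if __name__ == "__main__":
    for item in ("192.0.2.0/255.255.255.0", "192.0.2.0/24", "192.0.2.0",
                 "2001:db8:1::/ffff:ffff:ffff:ffff::", "198.51.100.0/24",
                 "127.0.0.1", "127.0.0.0/8"):
        print("%-36s %s" % (item, host_item_matches(item)))
```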
665: .Bd -literal
1.1.1.2 misho 666: digest ::= [A-Fa-f0-9]+ |
667: [[A-Za-z0-9\+/=]+
668:
669: Digest_Spec ::= "sha224" ':' digest |
670: "sha256" ':' digest |
671: "sha384" ':' digest |
672: "sha512" ':' digest
673:
1.1 misho 674: Cmnd_List ::= Cmnd |
675: Cmnd ',' Cmnd_List
676:
677: command name ::= file name |
678: file name args |
679: file name '""'
680:
1.1.1.2 misho 681: Cmnd ::= Digest_Spec? '!'* command name |
1.1 misho 682: '!'* directory |
683: '!'* "sudoedit" |
684: '!'* Cmnd_Alias
685: .Ed
686: .Pp
687: A
688: .Li Cmnd_List
689: is a list of one or more command names, directories, and other aliases.
690: A command name is a fully qualified file name which may include
691: shell-style wildcards (see the
692: .Sx Wildcards
693: section below).
694: A simple file name allows the user to run the command with any
695: arguments he/she wishes.
696: However, you may also specify command line arguments (including
697: wildcards).
698: Alternately, you can specify
699: .Li \&""
700: to indicate that the command
701: may only be run
702: .Sy without
703: command line arguments.
704: A directory is a
705: fully qualified path name ending in a
706: .Ql / .
707: When you specify a directory in a
708: .Li Cmnd_List ,
709: the user will be able to run any file within that directory
710: (but not in any sub-directories therein).
711: .Pp
712: If a
713: .Li Cmnd
714: has associated command line arguments, then the arguments
715: in the
716: .Li Cmnd
717: must match exactly those given by the user on the command line
718: (or match the wildcards if there are any).
719: Note that the following characters must be escaped with a
720: .Ql \e
721: if they are used in command arguments:
722: .Ql ,\& ,
723: .Ql :\& ,
724: .Ql =\& ,
725: .Ql \e .
1.1.1.2 misho 726: The built-in command
1.1 misho 727: .Dq Li sudoedit
728: is used to permit a user to run
729: .Nm sudo
730: with the
731: .Fl e
732: option (or as
733: .Nm sudoedit ) .
734: It may take command line arguments just as a normal command does.
1.1.1.2 misho 735: Note that
736: .Dq Li sudoedit
737: is a command built into
738: .Nm sudo
739: itself and must be specified in
740: .Em sudoers
741: without a leading path.
742: .Pp
743: If a
744: .Li command name
745: is prefixed with a
746: .Li Digest_Spec ,
747: the command will only match successfully if it can be verified
748: using the specified SHA-2 digest.
749: This may be useful in situations where the user invoking
750: .Nm sudo
751: has write access to the command or its parent directory.
752: The following digest formats are supported: sha224, sha256, sha384 and sha512.
753: The string may be specified in either hex or base64 format
754: (base64 is more compact).
755: There are several utilities capable of generating SHA-2 digests in hex
756: format such as openssl, shasum, sha224sum, sha256sum, sha384sum, sha512sum.
757: .Pp
758: For example, using openssl:
759: .Bd -literal
760: $ openssl dgst -sha224 /bin/ls
761: SHA224(/bin/ls)= 118187da8364d490b4a7debbf483004e8f3e053ec954309de2c41a25
762: .Ed
763: .Pp
764: It is also possible to use openssl to generate base64 output:
765: .Bd -literal
766: $ openssl dgst -binary -sha224 /bin/ls | openssl base64
767: EYGH2oNk1JC0p9679IMATo8+BT7JVDCd4sQaJQ==
768: .Ed
769: .Pp
770: Command digests are only supported by version 1.8.7 or higher.
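Generating and verifying a Digest_Spec, as an added Python example written for this page (sudo itself does this in C inside the plugin; this is not its code). The sample command is a constructed shell script written to a temporary file so the example runs offline; a real entry names the command's full path. One detail worth seeing: for every supported algorithm the hex form is exactly twice the digest size in characters and the base64 form is shorter, so the length alone tells the two encodings apart and no format marker is needed.

```python
"""Build and verify sudoers Digest_Spec strings (sha224/sha256/sha384/sha512,
digest in hex or base64).  Added example for this page, not sudo's own code."""
import base64
import binascii
import hashlib
import hmac
import os
import tempfile

ALGORITHMS = ("sha224", "sha256", "sha384", "sha512")
SAMPLE_SCRIPT = b"#!/bin/sh\necho hello\n"   # constructed stand-in for a command


def parse_digest_spec(spec):
    """'sha256:<hex|base64>' -> (algorithm, raw digest bytes); ValueError if malformed."""
    algo, sep, value = spec.partition(":")
    if not sep or algo not in ALGORITHMS:
        raise ValueError("unsupported Digest_Spec: %r" % spec)
    size = hashlib.new(algo).digest_size
    # Hex is exactly 2*size characters; base64 is shorter for every supported
    # size, so the length decides which decoder to use.
    if len(value) == 2 * size:
        try:
            raw = bytes.fromhex(value)
        except ValueError as e:
            raise ValueError("bad hex digest in %r" % spec) from e
    else:
        try:
            raw = base64.b64decode(value, validate=True)
        except binascii.Error as e:
            raise ValueError("bad base64 digest in %r" % spec) from e
    if len(raw) != size:
        raise ValueError("digest length does not match %s" % algo)
    return algo, raw


def file_digest(path, algo):
    """Hash the file in chunks so large binaries need not fit in memory."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.digest()


def digest_matches(spec, path):
    """True only if the file's digest equals the one in the spec."""
    algo, want = parse_digest_spec(spec)
    return hmac.compare_digest(want, file_digest(path, algo))


def make_spec(path, algo="sha256", encoding="base64"):
    """Build the Digest_Spec string an administrator would paste into sudoers."""
    raw = file_digest(path, algo)
    if encoding == "hex":
        return "%s:%s" % (algo, raw.hex())
    return "%s:%s" % (algo, base64.b64encode(raw).decode("ascii"))


def write_sample(content=SAMPLE_SCRIPT):
    """Write the constructed sample command to a temporary file; return its path."""
    fd, path = tempfile.mkstemp(prefix="sudoers-digest-")
    with os.fdopen(fd, "wb") as f:
        f.write(content)
    return path


if __name__ == "__main__":
    path = write_sample()
    spec = make_spec(path, "sha224")
    print("entry would read:  millert ALL = %s %s" % (spec, path))
    print("matches now:", digest_matches(spec, path))
    with open(path, "ab") as f:              # tamper with the "command"
        f.write(b"rm -rf /\n")
    print("after modification:", digest_matches(spec, path))
    os.unlink(path)
```

Running the block shows the spec matching the sample file and then failing once a line is appended, which is the property the text is after when the invoking user can write to the command.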
.Ss Defaults
Certain configuration options may be changed from their default
values at run-time via one or more
.Li Default_Entry
lines.
These may affect all users on any host, all users on a specific host, a
specific user, a specific command, or commands being run as a specific user.
Note that per-command entries may not include command line arguments.
If you need to specify arguments, define a
.Li Cmnd_Alias
and reference
that instead.
.Bd -literal
Default_Type ::= 'Defaults' |
                 'Defaults' '@' Host_List |
                 'Defaults' ':' User_List |
                 'Defaults' '!' Cmnd_List |
                 'Defaults' '>' Runas_List

Default_Entry ::= Default_Type Parameter_List

Parameter_List ::= Parameter |
                   Parameter ',' Parameter_List

Parameter ::= Parameter '=' Value |
              Parameter '+=' Value |
              Parameter '-=' Value |
              '!'* Parameter
.Ed
.Pp
Parameters may be
.Sy flags ,
.Sy integer
values,
.Sy strings ,
or
.Sy lists .
Flags are implicitly boolean and can be turned off via the
.Ql \&!
operator.
Some integer, string and list parameters may also be
used in a boolean context to disable them.
Values may be enclosed
in double quotes
.Pq \&""
when they contain multiple words.
Special characters may be escaped with a backslash
.Pq Ql \e .
.Pp
Lists have two additional assignment operators,
.Li +=
and
.Li -= .
These operators are used to add to and delete from a list respectively.
It is not an error to use the
.Li -=
operator to remove an element
that does not exist in a list.
.Pp
Defaults entries are parsed in the following order: generic, host
and user Defaults first, then runas Defaults and finally command
defaults.
.Pp
See
.Sx SUDOERS OPTIONS
for a list of supported Defaults parameters.
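A parser for Defaults lines that applies the operators defined above, as an added Python example for this page (not sudo's own code): '=' for flags, integers, strings and lists, '+=' and '-=' for lists (removing an element that is not present is not an error), and a leading '!' that turns a flag off or disables another parameter. The parameter-type table is a constructed subset standing in for SUDOERS OPTIONS; @host and :user scopes are matched by exact name, and !cmnd and >runas scopes are parsed but not evaluated here (sudo applies those last).

```python
"""Defaults line parser with the '=', '+=', '-=' and '!' semantics of sudoers.
Added example for this page, not sudo's own code."""
import re

# Constructed subset; the authoritative list and types are in SUDOERS OPTIONS.
PARAM_TYPES = {
    "env_reset": "flag", "mail_badpass": "flag", "requiretty": "flag",
    "passwd_tries": "int", "logfile": "str", "secure_path": "str",
    "env_keep": "list", "env_check": "list", "env_delete": "list",
}
SCOPE_KIND = {"@": "host", ":": "user", "!": "cmnd", ">": "runas"}
LINE_RE = re.compile(r"^Defaults(?:([@:!>])\s*(\S+))?\s+(.*)$")
PARAM_RE = re.compile(
    r"^(?P<neg>!*)(?P<name>[a-z_]+)\s*(?:(?P<op>\+=|-=|=)\s*(?P<val>.+))?$")


def _split_params(text):
    """Split a Parameter_List on commas that are not inside double quotes."""
    parts, cur, quoted, i = [], [], False, 0
    while i < len(text):
        ch = text[i]
        if ch == "\\" and i + 1 < len(text):     # keep the escape for _unquote
            cur.append(text[i:i + 2])
            i += 2
            continue
        if ch == '"':
            quoted = not quoted
        if ch == "," and not quoted:
            parts.append("".join(cur).strip())
            cur = []
        else:
            cur.append(ch)
        i += 1
    parts.append("".join(cur).strip())
    return [p for p in parts if p]


def _unquote(value):
    """Strip surrounding double quotes and resolve backslash escapes."""
    if len(value) >= 2 and value[0] == value[-1] == '"':
        value = value[1:-1]
    return re.sub(r"\\(.)", r"\1", value)


def parse_defaults_line(line):
    """'Defaults:ray !requiretty' -> (('user', 'ray'), [('requiretty', 1, None, None)])."""
    m = LINE_RE.match(line.strip())
    if m is None:
        raise ValueError("not a Defaults line: %r" % line)
    scope = (SCOPE_KIND[m.group(1)], m.group(2)) if m.group(1) else ("all", None)
    params = []
    for raw in _split_params(m.group(3)):
        pm = PARAM_RE.match(raw)
        if pm is None:
            raise ValueError("bad parameter: %r" % raw)
        params.append((pm.group("name"), len(pm.group("neg")),
                       pm.group("op"), pm.group("val")))
    return scope, params


def apply_defaults(lines, user=None, host=None, state=None):
    """Fold the generic, matching @host and matching :user lines into a settings dict."""
    state = dict(state) if state else {}
    for line in lines:
        (kind, target), params = parse_defaults_line(line)
        if kind in ("cmnd", "runas") or (kind == "host" and target != host) \
                or (kind == "user" and target != user):
            continue
        for name, negations, op, value in params:
            ptype = PARAM_TYPES.get(name)
            if ptype is None:
                raise ValueError("unknown parameter %r" % name)
            off = negations % 2 == 1                 # an odd number of '!' negates
            if op is None:
                if ptype == "flag":
                    state[name] = not off
                elif off:
                    state[name] = None               # "!param" disables a non-flag
                else:
                    raise ValueError("%s needs a value" % name)
            elif off:
                raise ValueError("'!' cannot be combined with %s" % op)
            elif ptype == "list":
                items = _unquote(value).split()
                current = list(state.get(name, []))
                if op == "=":
                    current = items
                elif op == "+=":
                    current += [x for x in items if x not in current]
                else:                                # '-=': absent items are ignored
                    current = [x for x in current if x not in items]
                state[name] = current
            elif op != "=":
                raise ValueError("%s is not a list" % name)
            elif ptype == "int":
                state[name] = int(_unquote(value))
            else:
                state[name] = _unquote(value)
    return state
```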
.Ss User specification
.Bd -literal
User_Spec ::= User_List Host_List '=' Cmnd_Spec_List \e
              (':' Host_List '=' Cmnd_Spec_List)*

Cmnd_Spec_List ::= Cmnd_Spec |
                   Cmnd_Spec ',' Cmnd_Spec_List

Cmnd_Spec ::= Runas_Spec? SELinux_Spec? Solaris_Priv_Spec? Tag_Spec* Cmnd

Runas_Spec ::= '(' Runas_List? (':' Runas_List)? ')'

SELinux_Spec ::= ('ROLE=role' | 'TYPE=type')

Solaris_Priv_Spec ::= ('PRIVS=privset' | 'LIMITPRIVS=privset')

Tag_Spec ::= ('NOPASSWD:' | 'PASSWD:' | 'NOEXEC:' | 'EXEC:' |
              'SETENV:' | 'NOSETENV:' | 'LOG_INPUT:' | 'NOLOG_INPUT:' |
              'LOG_OUTPUT:' | 'NOLOG_OUTPUT:')
.Ed
.Pp
A
.Sy user specification
determines which commands a user may run
(and as what user) on specified hosts.
By default, commands are
run as
.Sy root ,
but this can be changed on a per-command basis.
.Pp
The basic structure of a user specification is
.Dq who where = (as_whom) what .
Let's break that down into its constituent parts:
.Ss Runas_Spec
A
.Li Runas_Spec
determines the user and/or the group that a command
may be run as.
A fully-specified
.Li Runas_Spec
consists of two
.Li Runas_List Ns s
(as defined above) separated by a colon
.Pq Ql :\&
and enclosed in a set of parentheses.
The first
.Li Runas_List
indicates
which users the command may be run as via
.Nm sudo Ns 's
.Fl u
option.
The second defines a list of groups that can be specified via
.Nm sudo Ns 's
.Fl g
option.
If both
.Li Runas_List Ns s
are specified, the command may be run with any combination of users
and groups listed in their respective
.Li Runas_List Ns s.
If only the first is specified, the command may be run as any user
in the list but no
.Fl g
option
may be specified.
If the first
.Li Runas_List
is empty but the
second is specified, the command may be run as the invoking user
with the group set to any listed in the
.Li Runas_List .
If both
.Li Runas_List Ns s
are empty, the command may only be run as the invoking user.
If no
.Li Runas_Spec
is specified the command may be run as
.Sy root
and
no group may be specified.
.Pp
A
.Li Runas_Spec
sets the default for the commands that follow it.
What this means is that for the entry:
.Bd -literal
dgb boulder = (operator) /bin/ls, /bin/kill, /usr/bin/lprm
.Ed
.Pp
The user
.Sy dgb
may run
.Pa /bin/ls ,
.Pa /bin/kill ,
and
.Pa /usr/bin/lprm Ns \(em Ns but
only as
.Sy operator .
E.g.,
.Bd -literal
$ sudo -u operator /bin/ls
.Ed
.Pp
It is also possible to override a
.Li Runas_Spec
later on in an entry.
If we modify the entry like so:
.Bd -literal
dgb boulder = (operator) /bin/ls, (root) /bin/kill, /usr/bin/lprm
.Ed
.Pp
Then user
.Sy dgb
is now allowed to run
.Pa /bin/ls
as
.Sy operator ,
but
.Pa /bin/kill
and
.Pa /usr/bin/lprm
as
.Sy root .
.Pp
We can extend this to allow
.Sy dgb
to run
.Li /bin/ls
with either
the user or group set to
.Sy operator :
.Bd -literal
dgb boulder = (operator : operator) /bin/ls, (root) /bin/kill,\e
        /usr/bin/lprm
.Ed
.Pp
Note that while the group portion of the
.Li Runas_Spec
permits the
user to run a command with that group, it does not force the user
to do so.
If no group is specified on the command line, the command
will run with the group listed in the target user's password database
entry.
The following would all be permitted by the sudoers entry above:
.Bd -literal
$ sudo -u operator /bin/ls
$ sudo -u operator -g operator /bin/ls
$ sudo -g operator /bin/ls
.Ed
.Pp
In the following example, user
.Sy tcm
may run commands that access
a modem device file with the dialer group.
.Bd -literal
tcm boulder = (:dialer) /usr/bin/tip, /usr/bin/cu,\e
        /usr/local/bin/minicom
.Ed
.Pp
Note that in this example only the group will be set, the command
still runs as user
.Sy tcm .
E.g.\&
.Bd -literal
$ sudo -g dialer /usr/bin/cu
.Ed
.Pp
Multiple users and groups may be present in a
.Li Runas_Spec ,
in which case the user may select any combination of users and groups via the
.Fl u
and
.Fl g
options.
In this example:
.Bd -literal
alan ALL = (root, bin : operator, system) ALL
.Ed
.Pp
user
.Sy alan
may run any command as either user root or bin,
optionally setting the group to operator or system.
.Ss SELinux_Spec
On systems with SELinux support,
.Em sudoers
entries may optionally have an SELinux role and/or type associated
with a command.
If a role or
type is specified with the command it will override any default values
specified in
.Em sudoers .
A role or type specified on the command line,
however, will supersede the values in
.Em sudoers .
.Ss Solaris_Priv_Spec
On Solaris systems,
.Em sudoers
entries may optionally specify Solaris privilege set and/or limit
privilege set associated with a command.
If privileges or limit privileges are specified with the command
it will override any default values specified in
.Em sudoers .
.Pp
A privilege set is a comma-separated list of privilege names.
The
.Xr ppriv 1
command can be used to list all privileges known to the system.
For example:
.Bd -literal
$ ppriv -l
.Ed
.Pp
In addition, there are several
.Dq special
privilege strings:
.Bl -tag -width 8n
.It none
the empty set
.It all
the set of all privileges
.It zone
the set of all privileges available in the current zone
.It basic
the default set of privileges normal users are granted at login time
.El
.Pp
Privileges can be excluded from a set by prefixing the privilege
name with either an
.Ql \&!
or
.Ql \-
character.
.Ss Tag_Spec
A command may have zero or more tags associated with it.
There are
ten possible tag values:
.Li NOPASSWD ,
.Li PASSWD ,
.Li NOEXEC ,
.Li EXEC ,
.Li SETENV ,
.Li NOSETENV ,
.Li LOG_INPUT ,
.Li NOLOG_INPUT ,
.Li LOG_OUTPUT
and
.Li NOLOG_OUTPUT .
Once a tag is set on a
.Li Cmnd ,
subsequent
.Li Cmnd Ns s
in the
.Li Cmnd_Spec_List
inherit the tag unless it is overridden by the opposite tag (in other words,
.Li PASSWD
overrides
.Li NOPASSWD
and
.Li NOEXEC
overrides
.Li EXEC ) .
1.1.1.2 misho 1101: .Bl -hang -width 0n
1102: .It Em NOPASSWD No and Em PASSWD
1103: .sp
1.1 misho 1104: By default,
1105: .Nm sudo
1106: requires that a user authenticate him or herself
1107: before running a command.
1108: This behavior can be modified via the
1109: .Li NOPASSWD
1110: tag.
1111: Like a
1112: .Li Runas_Spec ,
1113: the
1114: .Li NOPASSWD
1115: tag sets
1116: a default for the commands that follow it in the
1117: .Li Cmnd_Spec_List .
1118: Conversely, the
1119: .Li PASSWD
1120: tag can be used to reverse things.
1121: For example:
1122: .Bd -literal
1123: ray rushmore = NOPASSWD: /bin/kill, /bin/ls, /usr/bin/lprm
1124: .Ed
1125: .Pp
1126: would allow the user
1127: .Sy ray
1128: to run
1129: .Pa /bin/kill ,
1130: .Pa /bin/ls ,
1131: and
1132: .Pa /usr/bin/lprm
1133: as
1134: .Sy root
1135: on the machine rushmore without authenticating himself.
1136: If we only want
1137: .Sy ray
1138: to be able to
1139: run
1140: .Pa /bin/kill
1141: without a password the entry would be:
1142: .Bd -literal
1143: ray rushmore = NOPASSWD: /bin/kill, PASSWD: /bin/ls, /usr/bin/lprm
1144: .Ed
1145: .Pp
1146: Note, however, that the
1147: .Li PASSWD
1148: tag has no effect on users who are in the group specified by the
1149: .Em exempt_group
1150: option.
1151: .Pp
1152: By default, if the
1153: .Li NOPASSWD
1154: tag is applied to any of the entries for a user on the current host,
1155: he or she will be able to run
1156: .Dq Li sudo -l
1157: without a password.
1158: Additionally, a user may only run
1159: .Dq Li sudo -v
1160: without a password if the
1161: .Li NOPASSWD
1162: tag is present for all of a user's entries that pertain to the current host.
1163: This behavior may be overridden via the
1164: .Em verifypw
1165: and
1166: .Em listpw
1167: options.
1.1.1.2 misho 1168: .It Em NOEXEC No and Em EXEC
1169: .sp
1.1 misho 1170: If
1171: .Nm sudo
1172: has been compiled with
1173: .Em noexec
1174: support and the underlying operating system supports it, the
1175: .Li NOEXEC
1176: tag can be used to prevent a dynamically-linked executable from
1177: running further commands itself.
1178: .Pp
1179: In the following example, user
1180: .Sy aaron
1181: may run
1182: .Pa /usr/bin/more
1183: and
1184: .Pa /usr/bin/vi
1185: but shell escapes will be disabled.
1186: .Bd -literal
1187: aaron shanty = NOEXEC: /usr/bin/more, /usr/bin/vi
1188: .Ed
1189: .Pp
1190: See the
1191: .Sx Preventing shell escapes
1192: section below for more details on how
1193: .Li NOEXEC
1194: works and whether or not it will work on your system.
1.1.1.2 misho 1195: .It Em SETENV No and Em NOSETENV
1196: .sp
1.1 misho 1197: These tags override the value of the
1198: .Em setenv
1199: option on a per-command basis.
1200: Note that if
1201: .Li SETENV
1202: has been set for a command, the user may disable the
1203: .Em env_reset
1204: option from the command line via the
1205: .Fl E
1206: option.
1207: Additionally, environment variables set on the command
1208: line are not subject to the restrictions imposed by
1209: .Em env_check ,
1210: .Em env_delete ,
1211: or
1212: .Em env_keep .
1213: As such, only trusted users should be allowed to set variables in this manner.
1214: If the command matched is
1215: .Sy ALL ,
1216: the
1217: .Li SETENV
1218: tag is implied for that command; this default may be overridden by use of the
1219: .Li NOSETENV
1220: tag.
1.1.1.2 misho 1221: .It Em LOG_INPUT No and Em NOLOG_INPUT
1222: .sp
1.1 misho 1223: These tags override the value of the
1224: .Em log_input
1225: option on a per-command basis.
1226: For more information, see the description of
1227: .Em log_input
1228: in the
1229: .Sx SUDOERS OPTIONS
1230: section below.
1.1.1.2 misho 1231: .It Em LOG_OUTPUT No and Em NOLOG_OUTPUT
1232: .sp
1.1 misho 1233: These tags override the value of the
1234: .Em log_output
1235: option on a per-command basis.
1236: For more information, see the description of
1237: .Em log_output
1238: in the
1239: .Sx SUDOERS OPTIONS
1240: section below.
1.1.1.2 misho 1241: .El
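The inheritance rule above (a tag stays in force for the commands that follow it in the Cmnd_Spec_List until the opposite tag appears, and ALL implies SETENV unless NOSETENV is given) is easy to get wrong when reading a long rule. The following Python model is an added illustration, not sudo's own parser: it understands only the TAG: prefixes and the comma-separated commands of one command list (no Runas_Spec, no aliases, no negation) and reports which tags apply to each command.

```python
# Added illustration of how tags propagate along a Cmnd_Spec_List.
# Not sudo's own parser: it handles only "TAG:" prefixes and the
# comma-separated commands of a single command list.

# Each tag maps to (tag group, value); a tag and its opposite share a group.
TAGS = {
    "NOPASSWD": ("passwd", False),      "PASSWD": ("passwd", True),
    "NOEXEC": ("exec", False),          "EXEC": ("exec", True),
    "SETENV": ("setenv", True),         "NOSETENV": ("setenv", False),
    "LOG_INPUT": ("log_input", True),   "NOLOG_INPUT": ("log_input", False),
    "LOG_OUTPUT": ("log_output", True), "NOLOG_OUTPUT": ("log_output", False),
}

# Starting state as the stock Defaults leave it: authenticate on, noexec
# off, no I/O logging.  None for setenv means "no tag in force", so the
# ALL-implies-SETENV rule can be applied per command.
DEFAULT_STATE = {"passwd": True, "exec": True, "setenv": None,
                 "log_input": False, "log_output": False}


def effective_tags(cmnd_spec_list, defaults=None):
    """Return {cmnd: {group: value}} with the tags in force for each Cmnd."""
    state = dict(defaults or DEFAULT_STATE)
    result = {}
    for entry in cmnd_spec_list.split(","):
        entry = entry.strip()
        # Peel off every leading "TAG:" (they may stack: NOPASSWD:NOEXEC: cmd).
        while True:
            head, sep, rest = entry.partition(":")
            if sep and head.strip() in TAGS:
                group, value = TAGS[head.strip()]
                state[group] = value      # stays in force for later commands
                entry = rest.strip()
            else:
                break
        tags = dict(state)
        if tags["setenv"] is None:
            # No SETENV/NOSETENV tag seen: ALL implies SETENV, any other
            # command falls back to the setenv option, which is off by default.
            tags["setenv"] = (entry == "ALL")
        result[entry] = tags
    return result


if __name__ == "__main__":
    rule = "NOPASSWD: /bin/kill, PASSWD: /bin/ls, /usr/bin/lprm"
    for cmnd, tags in effective_tags(rule).items():
        print(cmnd, "password required" if tags["passwd"] else "no password")
```

Run against the two example rules from the text, the first form leaves /usr/bin/lprm passwordless while the second, with the PASSWD tag placed before /bin/ls, makes it require a password again.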
1.1 misho 1242: .Ss Wildcards
1243: .Nm sudo
1244: allows shell-style
1245: .Em wildcards
1246: (aka meta or glob characters)
1247: to be used in host names, path names and command line arguments in the
1248: .Em sudoers
1249: file.
1250: Wildcard matching is done via the
1251: .Xr glob 3
1252: and
1253: .Xr fnmatch 3
1.1.1.2 misho 1254: functions as specified by
1255: .St -p1003.1 .
1.1 misho 1256: Note that these are
1257: .Em not
1258: regular expressions.
1259: .Bl -tag -width 8n
1260: .It Li *
1261: Matches any set of zero or more characters.
1262: .It Li \&?
1263: Matches any single character.
1264: .It Li [...]
1265: Matches any character in the specified range.
1266: .It Li [!...]
1267: Matches any character
1268: .Sy not
1269: in the specified range.
1270: .It Li \ex
1271: For any character
1272: .Sq x ,
1273: evaluates to
1274: .Sq x .
1275: This is used to escape special characters such as:
1276: .Ql * ,
1277: .Ql \&? ,
1278: .Ql [\& ,
1279: and
1280: .Ql ]\& .
1281: .El
1282: .Pp
1.1.1.2 misho 1283: Character classes may also be used if your system's
1.1 misho 1284: .Xr glob 3
1285: and
1286: .Xr fnmatch 3
1287: functions support them.
1288: However, because the
1289: .Ql :\&
1290: character has special meaning in
1291: .Em sudoers ,
1292: it must be
1293: escaped.
1294: For example:
1295: .Bd -literal -offset 4n
1.1.1.4 ! misho 1296: /bin/ls [[:\&alpha:\&]]*
1.1 misho 1297: .Ed
1298: .Pp
1299: Would match any file name beginning with a letter.
1300: .Pp
1301: Note that a forward slash
1302: .Pq Ql /
1303: will
1304: .Sy not
1305: be matched by
1306: wildcards used in the path name.
1307: This is to make a path like:
1308: .Bd -literal -offset 4n
1309: /usr/bin/*
1310: .Ed
1311: .Pp
1312: match
1313: .Pa /usr/bin/who
1314: but not
1315: .Pa /usr/bin/X11/xterm .
1316: .Pp
1317: When matching the command line arguments, however, a slash
1318: .Sy does
1319: get matched by wildcards since command line arguments may contain
1320: arbitrary strings and not just path names.
1321: .Pp
1322: Wildcards in command line arguments should be used with care.
1323: Because command line arguments are matched as a single, concatenated
1324: string, a wildcard such as
1325: .Ql \&?
1326: or
1327: .Ql *
1328: can match multiple words.
1329: For example, while a sudoers entry like:
1330: .Bd -literal -offset 4n
1331: %operator ALL = /bin/cat /var/log/messages*
1332: .Ed
1333: .Pp
1334: will allow a command like:
1335: .Bd -literal -offset 4n
1336: $ sudo cat /var/log/messages.1
1337: .Ed
1338: .Pp
1339: it will also allow:
1340: .Bd -literal -offset 4n
1341: $ sudo cat /var/log/messages /etc/shadow
1342: .Ed
1343: .Pp
1344: which is probably not what was intended.
1345: .Ss Exceptions to wildcard rules
1346: The following exceptions apply to the above rules:
1347: .Bl -tag -width 8n
1348: .It Li \&""
1349: If the empty string
1350: .Li \&""
1351: is the only command line argument in the
1352: .Em sudoers
1353: entry it means that command is not allowed to be run with
1354: .Sy any
1355: arguments.
1356: .It sudoedit
1357: Command line arguments to the
1358: .Em sudoedit
1359: built-in command should always be path names, so a forward slash
1360: .Pq Ql /
1361: will not be matched by a wildcard.
1362: .El
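The rules above (wildcards in a path name stop at a slash, wildcards in command line arguments do not, arguments are matched as one concatenated string, and a lone "" forbids any argument) can be checked with the following Python model. It is an added illustration, not sudo's code: sudo does this in C with glob(3) and fnmatch(3), whereas this version translates a sudoers pattern to a regular expression so the cases can be compared offline. POSIX character classes such as [[:alpha:]] are not handled.

```python
# Added illustration of sudoers wildcard matching; not sudo's own code.
import re


def glob_to_regex(pattern, path_mode):
    """Translate sudoers wildcards to an anchored regular expression.

    path_mode=True mirrors FNM_PATHNAME: '*' and '?' never match '/'.
    path_mode=False is for command line arguments, where '/' is matched.
    """
    any_char = "[^/]" if path_mode else "."
    out, i = [], 0
    while i < len(pattern):
        c = pattern[i]
        if c == "\\" and i + 1 < len(pattern):    # \x evaluates to x
            out.append(re.escape(pattern[i + 1]))
            i += 2
            continue
        if c == "*":
            out.append(any_char + "*")
        elif c == "?":
            out.append(any_char)
        elif c == "[":
            j = pattern.find("]", i + 2)           # need one char inside
            body = pattern[i + 1:j] if j != -1 else ""
            if body and body != "!":
                if body.startswith("!"):           # [!...] negates the range
                    body = "^" + body[1:]
                out.append("[" + body + "]")
                i = j
            else:
                out.append(re.escape(c))           # lone '[' is literal
        else:
            out.append(re.escape(c))
        i += 1
    return "^" + "".join(out) + "$"


def match_cmnd(rule, cmnd_path, argv):
    """Match a sudoers Cmnd (path plus optional argument pattern) against the
    fully qualified command path and the argument list the user supplied."""
    rule_path, _, rule_args = rule.strip().partition(" ")
    rule_args = rule_args.strip()
    if not re.match(glob_to_regex(rule_path, path_mode=True), cmnd_path):
        return False
    if rule_args == "":        # no arguments in the rule: any arguments allowed
        return True
    if rule_args == '""':      # the empty string: no arguments allowed at all
        return argv == []
    # Arguments are matched as a single space-joined string, so '*' and '?'
    # can swallow the boundary between two words.
    joined = " ".join(argv)
    return re.match(glob_to_regex(rule_args, path_mode=False), joined) is not None


if __name__ == "__main__":
    loose = "/bin/cat /var/log/messages*"
    tight = "/bin/cat /var/log/messages.[0-9]"
    argv = ["/var/log/messages", "/etc/shadow"]
    print("loose rule allows it:", match_cmnd(loose, "/bin/cat", argv))
    print("tight rule allows it:", match_cmnd(tight, "/bin/cat", argv))
```

The tighter rule works because a bracket expression matches exactly one character and therefore can never span the space between two arguments; '*' and '?' can.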
1363: .Ss Including other files from within sudoers
1364: It is possible to include other
1365: .Em sudoers
1366: files from within the
1367: .Em sudoers
1368: file currently being parsed using the
1369: .Li #include
1370: and
1371: .Li #includedir
1372: directives.
1373: .Pp
1374: This can be used, for example, to keep a site-wide
1375: .Em sudoers
1376: file in addition to a local, per-machine file.
1377: For the sake of this example the site-wide
1378: .Em sudoers
1379: will be
1380: .Pa /etc/sudoers
1381: and the per-machine one will be
1382: .Pa /etc/sudoers.local .
1383: To include
1384: .Pa /etc/sudoers.local
1385: from within
1386: .Pa /etc/sudoers
1387: we would use the
1388: following line in
1389: .Pa /etc/sudoers :
1390: .Bd -literal -offset 4n
1391: #include /etc/sudoers.local
1392: .Ed
1393: .Pp
1394: When
1395: .Nm sudo
1396: reaches this line it will suspend processing of the current file
1397: .Pq Pa /etc/sudoers
1398: and switch to
1399: .Pa /etc/sudoers.local .
1400: Upon reaching the end of
1401: .Pa /etc/sudoers.local ,
1402: the rest of
1403: .Pa /etc/sudoers
1404: will be processed.
1405: Files that are included may themselves include other files.
1406: A hard limit of 128 nested include files is enforced to prevent include
1407: file loops.
1408: .Pp
1409: If the path to the include file is not fully-qualified (does not
1410: begin with a
1411: .Ql / ) ,
1412: it must be located in the same directory as the sudoers file it was
1413: included from.
1414: For example, if
1415: .Pa /etc/sudoers
1416: contains the line:
1417: .Bd -literal -offset 4n
1418: .Li #include sudoers.local
1419: .Ed
1420: .Pp
1421: the file that will be included is
1422: .Pa /etc/sudoers.local .
1423: .Pp
1424: The file name may also include the
1425: .Li %h
1426: escape, signifying the short form of the host name.
1427: In other words, if the machine's host name is
1428: .Dq xerxes ,
1429: then
1430: .Bd -literal -offset 4n
1431: #include /etc/sudoers.%h
1432: .Ed
1433: .Pp
1434: will cause
1435: .Nm sudo
1436: to include the file
1437: .Pa /etc/sudoers.xerxes .
1438: .Pp
1439: The
1440: .Li #includedir
1441: directive can be used to create a
1442: .Pa sudoers.d
1443: directory that the system package manager can drop
1444: .Em sudoers
1445: rules
1446: into as part of package installation.
1447: For example, given:
1448: .Bd -literal -offset 4n
1449: #includedir /etc/sudoers.d
1450: .Ed
1451: .Pp
1452: .Nm sudo
1453: will read each file in
1454: .Pa /etc/sudoers.d ,
1455: skipping file names that end in
1456: .Ql ~
1457: or contain a
1458: .Ql .\&
1459: character to avoid causing problems with package manager or editor
1460: temporary/backup files.
1461: Files are parsed in sorted lexical order.
1462: That is,
1463: .Pa /etc/sudoers.d/01_first
1464: will be parsed before
1465: .Pa /etc/sudoers.d/10_second .
1466: Be aware that because the sorting is lexical, not numeric,
1467: .Pa /etc/sudoers.d/1_whoops
1468: would be loaded
1469: .Sy after
1470: .Pa /etc/sudoers.d/10_second .
1471: Using a consistent number of leading zeroes in the file names
1472: avoids such problems.
1473: .Pp
1474: Note that unlike files included via
1475: .Li #include ,
1476: .Nm visudo
1477: will not edit the files in a
1478: .Li #includedir
1479: directory unless one of them contains a syntax error.
1480: It is still possible to run
1481: .Nm visudo
1482: with the
1483: .Fl f
1484: flag to edit the files directly.
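The file selection and ordering rules for #includedir can be checked before a drop-in file is deployed. The following Python is an added illustration, not sudo's code: it re-implements the rules stated above (skip names ending in '~' or containing a '.', then parse in lexical order) over a constructed directory listing, and flags numeric prefixes of mixed width, which is what makes 1_whoops sort after 10_second.

```python
# Added illustration of #includedir file selection and ordering; not sudo's code.
import re


def includedir_files(names):
    """Return the names sudo would parse from a #includedir directory, in order."""
    kept = [n for n in names if not n.endswith("~") and "." not in n]
    return sorted(kept)          # plain lexical (byte-wise) order, like strcmp


def prefix_widths_consistent(names):
    """True if every numeric prefix has the same width, so that lexical order
    agrees with numeric order.  Names without a numeric prefix are ignored."""
    widths = set()
    for n in names:
        m = re.match(r"\d+", n)
        if m:
            widths.add(len(m.group(0)))
    return len(widths) <= 1


# Constructed listing of a hypothetical /etc/sudoers.d, not from a real host.
SAMPLE_LISTING = ["10_second", "README.md", "1_whoops", "50-pkg.dpkg-new",
                  "01_first", "99-local~"]

if __name__ == "__main__":
    order = includedir_files(SAMPLE_LISTING)
    print("parse order:", order)
    if not prefix_widths_consistent(order):
        print("warning: mixed prefix widths; later files override earlier ones")
```

Because a later file's Defaults and user specifications take precedence over an earlier file's, the parse order decides which rule wins, so the width check is worth running whenever a package or an administrator adds a new drop-in.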
1485: .Ss Other special characters and reserved words
1486: The pound sign
1487: .Pq Ql #
1488: is used to indicate a comment (unless it is part of a #include
1489: directive or unless it occurs in the context of a user name and is
1490: followed by one or more digits, in which case it is treated as a
1491: uid).
1492: Both the comment character and any text after it, up to the end of
1493: the line, are ignored.
1494: .Pp
1495: The reserved word
1496: .Sy ALL
1497: is a built-in
1498: .Em alias
1499: that always causes a match to succeed.
1500: It can be used wherever one might otherwise use a
1501: .Li Cmnd_Alias ,
1502: .Li User_Alias ,
1503: .Li Runas_Alias ,
1504: or
1505: .Li Host_Alias .
1506: You should not try to define your own
1507: .Em alias
1508: called
1509: .Sy ALL
1510: as the built-in alias will be used in preference to your own.
1511: Please note that using
1512: .Sy ALL
1513: can be dangerous since in a command context, it allows the user to run
1514: .Sy any
1515: command on the system.
1516: .Pp
1517: An exclamation point
1518: .Pq Ql \&!
1519: can be used as a logical
1520: .Em not
1.1.1.2 misho 1521: operator in a list or
1.1 misho 1522: .Em alias
1.1.1.2 misho 1523: as well as in front of a
1.1 misho 1524: .Li Cmnd .
1525: This allows one to exclude certain values.
1.1.1.2 misho 1526: For the
1527: .Ql \&!
1528: operator to be effective, there must be something for it to exclude.
1529: For example, to match all users except for root one would use:
1530: .Bd -literal -offset 4n
1531: ALL,!root
1532: .Ed
1533: .Pp
1534: If the
1535: .Sy ALL ,
1536: is omitted, as in:
1537: .Bd -literal -offset 4n
1538: !root
1539: .Ed
1540: .Pp
1541: it would explicitly deny root but not match any other users.
1542: This is different from a true
1543: .Dq negation
1544: operator.
1545: .Pp
1.1 misho 1546: Note, however, that using a
1547: .Ql \&!
1548: in conjunction with the built-in
1549: .Sy ALL
1550: alias to allow a user to run
1551: .Dq all but a few
1552: commands rarely works as intended (see
1553: .Sx SECURITY NOTES
1554: below).
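The difference between "ALL,!root" and "!root", and the reason an "all but a few" command list is so easy to bypass, can be seen with the following Python model. It is an added illustration, not sudo's code: it evaluates a comma-separated list with the semantics described above (a matching item allows, a matching negated item explicitly excludes, a list in which nothing matches is simply no match, and the last matching item wins) using plain string comparison, so it applies to user names and, just as well, to command paths.

```python
# Added illustration of '!' inside a sudoers list; not sudo's own code.

def match_list(items, value):
    """Evaluate a comma-separated list such as 'ALL,!root' against value.

    Returns True (matched), False (explicitly excluded) or None (no item
    matched at all).  The last item that matches wins, so '!root' placed
    after 'ALL' overrides it.
    """
    result = None
    for raw in items.split(","):
        item = raw.strip()
        bangs = len(item) - len(item.lstrip("!"))
        name = item[bangs:]
        if name == "ALL" or name == value:
            result = bangs % 2 == 0      # an odd number of '!' negates
    return result


if __name__ == "__main__":
    print("alice vs ALL,!root:", match_list("ALL,!root", "alice"))
    print("root  vs ALL,!root:", match_list("ALL,!root", "root"))
    print("alice vs !root    :", match_list("!root", "alice"))
    # "all but a few" commands: a copy of the shell is not /bin/sh
    print("/tmp/sh vs ALL,!/bin/sh:", match_list("ALL, !/bin/sh", "/tmp/sh"))
```

The last line is the point made in SECURITY NOTES: the exclusion names a path, and a user who may run ALL can copy /bin/sh to another path, or run any of the many other programs that spawn a shell, and the negated entry never matches.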
1555: .Pp
1556: Long lines can be continued with a backslash
1557: .Pq Ql \e
1558: as the last character on the line.
1559: .Pp
1560: White space between elements in a list as well as special syntactic
1561: characters in a
1562: .Em User Specification
1563: .Po
1564: .Ql =\& ,
1565: .Ql :\& ,
1566: .Ql (\& ,
1567: .Ql )\&
1568: .Pc
1569: is optional.
1570: .Pp
1571: The following characters must be escaped with a backslash
1572: .Pq Ql \e
1573: when used as part of a word (e.g.\& a user name or host name):
1574: .Ql \&! ,
1575: .Ql =\& ,
1576: .Ql :\& ,
1577: .Ql ,\& ,
1578: .Ql (\& ,
1579: .Ql )\& ,
1580: .Ql \e .
1581: .Sh SUDOERS OPTIONS
1.1.1.4 ! misho 1582: .Nm sudo Ns 's
1.1 misho 1583: behavior can be modified by
1584: .Li Default_Entry
1585: lines, as explained earlier.
1586: All supported Defaults parameters are listed below, grouped by type.
1587: .Pp
1588: .Sy Boolean Flags :
1589: .Bl -tag -width 16n
1590: .It always_set_home
1591: If enabled,
1592: .Nm sudo
1593: will set the
1594: .Ev HOME
1595: environment variable to the home directory of the target user
1596: (which is root unless the
1597: .Fl u
1598: option is used).
1599: This effectively means that the
1600: .Fl H
1601: option is always implied.
1602: Note that
1603: .Ev HOME
1.1.1.3 misho 1604: is already set when the
1.1 misho 1605: .Em env_reset
1606: option is enabled, so
1607: .Em always_set_home
1608: is only effective for configurations where either
1609: .Em env_reset
1610: is disabled or
1611: .Ev HOME
1612: is present in the
1613: .Em env_keep
1614: list.
1615: This flag is
1616: .Em off
1617: by default.
1618: .It authenticate
1619: If set, users must authenticate themselves via a password (or other
1620: means of authentication) before they may run commands.
1621: This default may be overridden via the
1622: .Li PASSWD
1623: and
1624: .Li NOPASSWD
1625: tags.
1626: This flag is
1627: .Em on
1628: by default.
1629: .It closefrom_override
1630: If set, the user may use
1.1.1.4 ! misho 1631: .Nm sudo Ns 's
1.1 misho 1632: .Fl C
1633: option which overrides the default starting point at which
1634: .Nm sudo
1635: begins closing open file descriptors.
1636: This flag is
1637: .Em off
1638: by default.
1639: .It compress_io
1640: If set, and
1641: .Nm sudo
1642: is configured to log a command's input or output,
1643: the I/O logs will be compressed using
1644: .Sy zlib .
1645: This flag is
1646: .Em on
1647: by default when
1648: .Nm sudo
1649: is compiled with
1650: .Sy zlib
1651: support.
1.1.1.4 ! misho 1652: .It use_netgroups
! 1653: If set, netgroups (prefixed with
! 1654: .Ql + ) ,
! 1655: may be used in place of a user or host.
! 1656: For LDAP-based sudoers, netgroup support requires an expensive
! 1657: substring match on the server.
! 1658: If netgroups are not needed, this option can be disabled to reduce the
! 1659: load on the LDAP server.
! 1660: This flag is
! 1661: .Em on
! 1662: by default.
1.1.1.2 misho 1663: .It exec_background
1664: By default,
1665: .Nm sudo
1666: runs a command as the foreground process as long as
1667: .Nm sudo
1668: itself is running in the foreground.
1669: When the
1670: .Em exec_background
1671: flag is enabled and the command is being run in a pty (due to I/O logging
1672: or the
1673: .Em use_pty
1674: flag), the command will be run as a background process.
1675: Attempts to read from the controlling terminal (or to change terminal
1676: settings) will result in the command being suspended with the
1677: .Dv SIGTTIN
1678: signal (or
1679: .Dv SIGTTOU
1680: in the case of terminal settings).
1681: If this happens when
1682: .Nm sudo
1683: is a foreground process, the command will be granted the controlling terminal
1684: and resumed in the foreground with no user intervention required.
1685: The advantage of initially running the command in the background is that
1686: .Nm sudo
1687: need not read from the terminal unless the command explicitly requests it.
1688: Otherwise, any terminal input must be passed to the command, whether it
1689: has required it or not (the kernel buffers terminals so it is not possible
1690: to tell whether the command really wants the input).
1691: This is different from historic
1692: .Em sudo
1693: behavior or when the command is not being run in a pty.
1694: .Pp
1695: For this to work seamlessly, the operating system must support the
1696: automatic restarting of system calls.
1697: Unfortunately, not all operating systems do this by default,
1698: and even those that do may have bugs.
1699: For example, Mac OS X fails to restart the
1700: .Fn tcgetattr
1701: and
1702: .Fn tcsetattr
1703: system calls (this is a bug in Mac OS X).
1704: Furthermore, because this behavior depends on the command stopping with the
1705: .Dv SIGTTIN
1706: or
1707: .Dv SIGTTOU
1708: signals, programs that catch these signals and suspend themselves
1709: with a different signal (usually
1710: .Dv SIGSTOP )
1711: will not be automatically foregrounded.
1712: Some versions of the Linux
1713: .Xr su 1
1714: command behave this way.
1715: .Pp
1716: This setting is only supported by version 1.8.7 or higher.
1717: It has no effect unless I/O logging is enabled or the
1718: .Em use_pty
1719: flag is enabled.
1.1 misho 1720: .It env_editor
1721: If set,
1722: .Nm visudo
1723: will use the value of the
1724: .Ev EDITOR
1725: or
1726: .Ev VISUAL
1727: environment variables before falling back on the default editor list.
1728: Note that this may create a security hole as it allows the user to
1729: run any arbitrary command as root without logging.
1730: A safer alternative is to place a colon-separated list of editors
1731: in the
1732: .Li editor
1733: variable.
1734: .Nm visudo
1735: will then only use the
1736: .Ev EDITOR
1737: or
1738: .Ev VISUAL
1739: if they match a value specified in
1740: .Li editor .
1741: This flag is
1742: .Em @env_editor@
1.1.1.4 ! misho 1743: by default.
1.1 misho 1744: .It env_reset
1745: If set,
1746: .Nm sudo
1747: will run the command in a minimal environment containing the
1748: .Ev TERM ,
1749: .Ev PATH ,
1750: .Ev HOME ,
1751: .Ev MAIL ,
1752: .Ev SHELL ,
1753: .Ev LOGNAME ,
1754: .Ev USER ,
1755: .Ev USERNAME
1756: and
1757: .Ev SUDO_*
1758: variables.
1759: Any
1760: variables in the caller's environment that match the
1761: .Li env_keep
1762: and
1763: .Li env_check
1764: lists are then added, followed by any variables present in the file
1765: specified by the
1766: .Em env_file
1767: option (if any).
1768: The default contents of the
1769: .Li env_keep
1770: and
1771: .Li env_check
1772: lists are displayed when
1773: .Nm sudo
1774: is run by root with the
1775: .Fl V
1776: option.
1777: If the
1778: .Em secure_path
1779: option is set, its value will be used for the
1780: .Ev PATH
1781: environment variable.
1782: This flag is
1783: .Em @env_reset@
1784: by default.
1785: .It fast_glob
1786: Normally,
1787: .Nm sudo
1788: uses the
1789: .Xr glob 3
1790: function to do shell-style globbing when matching path names.
1791: However, since it accesses the file system,
1792: .Xr glob 3
1793: can take a long time to complete for some patterns, especially
1794: when the pattern references a network file system that is mounted
1795: on demand (auto mounted).
1796: The
1797: .Em fast_glob
1798: option causes
1799: .Nm sudo
1800: to use the
1801: .Xr fnmatch 3
1802: function, which does not access the file system to do its matching.
1803: The disadvantage of
1804: .Em fast_glob
1805: is that it is unable to match relative path names such as
1806: .Pa ./ls
1807: or
1808: .Pa ../bin/ls .
1809: This has security implications when path names that include globbing
1810: characters are used with the negation operator,
1811: .Ql !\& ,
1812: as such rules can be trivially bypassed.
1813: As such, this option should not be used when
1814: .Em sudoers
1815: contains rules that contain negated path names which include globbing
1816: characters.
1817: This flag is
1818: .Em off
1819: by default.
1820: .It fqdn
1821: Set this flag if you want to put fully qualified host names in the
1822: .Em sudoers
1823: file when the local host name (as returned by the
1824: .Li hostname
1825: command) does not contain the domain name.
1826: In other words, instead of myhost you would use myhost.mydomain.edu.
1827: You may still use the short form if you wish (and even mix the two).
1828: This option is only effective when the
1829: .Dq canonical
1830: host name, as returned by the
1831: .Fn getaddrinfo
1832: or
1833: .Fn gethostbyname
1834: function, is a fully-qualified domain name.
1835: This is usually the case when the system is configured to use DNS
1836: for host name resolution.
1837: .Pp
1838: If the system is configured to use the
1839: .Pa /etc/hosts
1840: file in preference to DNS, the
1841: .Dq canonical
1842: host name may not be fully-qualified.
1.1.1.4 ! misho 1843: The order that sources are queried for host name resolution
1.1 misho 1844: is usually specified in the
1845: .Pa @nsswitch_conf@ ,
1846: .Pa @netsvc_conf@ ,
1847: .Pa /etc/host.conf ,
1848: or, in some cases,
1849: .Pa /etc/resolv.conf
1850: file.
1851: In the
1852: .Pa /etc/hosts
1853: file, the first host name of the entry is considered to be the
1854: .Dq canonical
1855: name; subsequent names are aliases that are not used by
1856: .Nm sudoers .
1857: For example, the following hosts file line for the machine
1858: .Dq xyzzy
1859: has the fully-qualified domain name as the
1860: .Dq canonical
1861: host name, and the short version as an alias.
1862: .sp
1863: .Dl 192.168.1.1 xyzzy.sudo.ws xyzzy
1864: .sp
1865: If the machine's hosts file entry is not formatted properly, the
1866: .Em fqdn
1867: option will not be effective if it is queried before DNS.
1868: .Pp
1869: Beware that when using DNS for host name resolution, turning on
1870: .Em fqdn
1871: requires
1872: .Nm sudoers
1873: to make DNS lookups which renders
1874: .Nm sudo
1875: unusable if DNS stops working (for example if the machine is disconnected
1876: from the network).
1877: Also note that just like with the hosts file, you must use the
1878: .Dq canonical
1879: name as DNS knows it.
1880: That is, you may not use a host alias
1881: .Po
1882: .Li CNAME
1883: entry
1884: .Pc
1885: due to performance issues and the fact that there is no way to get all
1886: aliases from DNS.
1887: .Pp
1888: This flag is
1889: .Em @fqdn@
1890: by default.
1891: .It ignore_dot
1892: If set,
1893: .Nm sudo
1894: will ignore "." or "" (both denoting current directory) in the
1895: .Ev PATH
1896: environment variable; the
1897: .Ev PATH
1898: itself is not modified.
1899: This flag is
1900: .Em @ignore_dot@
1901: by default.
1902: .It ignore_local_sudoers
1903: If set via LDAP, parsing of
1904: .Pa @sysconfdir@/sudoers
1905: will be skipped.
1906: This is intended for enterprises that wish to prevent the use of local
1907: sudoers files so that only LDAP is used.
1908: This thwarts the efforts of rogue operators who would attempt to add roles to
1909: .Pa @sysconfdir@/sudoers .
1910: When this option is present,
1911: .Pa @sysconfdir@/sudoers
1912: does not even need to exist.
1913: Since this option tells
1914: .Nm sudo
1915: how to behave when no specific LDAP entries have been matched, this
1916: sudoOption is only meaningful for the
1917: .Li cn=defaults
1918: section.
1919: This flag is
1920: .Em off
1921: by default.
1922: .It insults
1923: If set,
1924: .Nm sudo
1925: will insult users when they enter an incorrect password.
1926: This flag is
1927: .Em @insults@
1928: by default.
1929: .It log_host
1930: If set, the host name will be logged in the (non-syslog)
1931: .Nm sudo
1932: log file.
1933: This flag is
1934: .Em off
1935: by default.
1936: .It log_input
1937: If set,
1938: .Nm sudo
1939: will run the command in a
1940: .Em pseudo tty
1941: and log all user input.
1942: If the standard input is not connected to the user's tty, due to
1943: I/O redirection or because the command is part of a pipeline, that
1944: input is also captured and stored in a separate log file.
1945: .Pp
1946: Input is logged to the directory specified by the
1947: .Em iolog_dir
1948: option
1949: .Po
1950: .Pa @iolog_dir@
1951: by default
1952: .Pc
1953: using a unique session ID that is included in the normal
1954: .Nm sudo
1955: log line, prefixed with
1956: .Dq Li TSID= .
1957: The
1958: .Em iolog_file
1959: option may be used to control the format of the session ID.
1960: .Pp
1961: Note that user input may contain sensitive information such as
1962: passwords (even if they are not echoed to the screen), which will
1963: be stored in the log file unencrypted.
1964: In most cases, logging the command output via
1965: .Em log_output
1966: is all that is required.
1967: .It log_output
1968: If set,
1969: .Nm sudo
1970: will run the command in a
1971: .Em pseudo tty
1972: and log all output that is sent to the screen, similar to the
1973: .Xr script 1
1974: command.
1975: If the standard output or standard error is not connected to the
1976: user's tty, due to I/O redirection or because the command is part
1977: of a pipeline, that output is also captured and stored in separate
1978: log files.
1979: .Pp
1980: Output is logged to the directory specified by the
1981: .Em iolog_dir
1982: option
1983: .Po
1984: .Pa @iolog_dir@
1985: by default
1986: .Pc
1987: using a unique session ID that is included in the normal
1988: .Nm sudo
1989: log line, prefixed with
1990: .Dq Li TSID= .
1991: The
1992: .Em iolog_file
1993: option may be used to control the format of the session ID.
1994: .Pp
1995: Output logs may be viewed with the
1996: .Xr sudoreplay @mansectsu@
1997: utility, which can also be used to list or search the available logs.
1998: .It log_year
1999: If set, the four-digit year will be logged in the (non-syslog)
2000: .Nm sudo
2001: log file.
2002: This flag is
2003: .Em off
2004: by default.
2005: .It long_otp_prompt
2006: When validating with a One Time Password (OTP) scheme such as
2007: .Sy S/Key
2008: or
2009: .Sy OPIE ,
2010: a two-line prompt is used to make it easier
2011: to cut and paste the challenge to a local window.
2012: It's not as pretty as the default but some people find it more convenient.
2013: This flag is
2014: .Em @long_otp_prompt@
2015: by default.
2016: .It mail_always
2017: Send mail to the
2018: .Em mailto
2019: user every time a user runs
2020: .Nm sudo .
2021: This flag is
2022: .Em off
2023: by default.
2024: .It mail_badpass
2025: Send mail to the
2026: .Em mailto
2027: user if the user running
2028: .Nm sudo
2029: does not enter the correct password.
2030: If the command the user is attempting to run is not permitted by
2031: .Em sudoers
2032: and one of the
2033: .Em mail_always ,
2034: .Em mail_no_host ,
2035: .Em mail_no_perms
2036: or
2037: .Em mail_no_user
2038: flags are set, this flag will have no effect.
2039: This flag is
2040: .Em off
2041: by default.
2042: .It mail_no_host
2043: If set, mail will be sent to the
2044: .Em mailto
2045: user if the invoking user exists in the
2046: .Em sudoers
2047: file, but is not allowed to run commands on the current host.
2048: This flag is
2049: .Em @mail_no_host@
2050: by default.
2051: .It mail_no_perms
2052: If set, mail will be sent to the
2053: .Em mailto
2054: user if the invoking user is allowed to use
2055: .Nm sudo
2056: but the command they are trying is not listed in their
2057: .Em sudoers
2058: file entry or is explicitly denied.
2059: This flag is
2060: .Em @mail_no_perms@
2061: by default.
2062: .It mail_no_user
2063: If set, mail will be sent to the
2064: .Em mailto
2065: user if the invoking user is not in the
2066: .Em sudoers
2067: file.
2068: This flag is
2069: .Em @mail_no_user@
2070: by default.
2071: .It noexec
2072: If set, all commands run via
2073: .Nm sudo
2074: will behave as if the
2075: .Li NOEXEC
2076: tag has been set, unless overridden by a
2077: .Li EXEC
2078: tag.
2079: See the description of
2080: .Em NOEXEC and EXEC
2081: below as well as the
2082: .Sx Preventing shell escapes
2083: section at the end of this manual.
2084: This flag is
2085: .Em off
2086: by default.
1.1.1.2 misho 2087: .It pam_session
2088: On systems that use PAM for authentication,
1.1 misho 2089: .Nm sudo
1.1.1.2 misho 2090: will create a new PAM session for the command to be run in.
2091: Disabling
2092: .Em pam_session
2093: may be needed on older PAM implementations or on operating systems where
2094: opening a PAM session changes the utmp or wtmp files.
2095: If PAM session support is disabled, resource limits may not be updated
2096: for the command being run.
1.1.1.3 misho 2097: If
2098: .Em pam_session ,
2099: .Em pam_setcred ,
2100: and
2101: .Em use_pty
2102: are disabled and I/O logging has not been configured,
2103: .Nm sudo
2104: will execute the command directly instead of running it as a child
2105: process.
1.1 misho 2106: This flag is
1.1.1.2 misho 2107: .Em @pam_session@
1.1 misho 2108: by default.
1.1.1.2 misho 2109: .Pp
2110: This setting is only supported by version 1.8.7 or higher.
1.1.1.3 misho 2111: .It pam_setcred
2112: On systems that use PAM for authentication,
2113: .Nm sudo
2114: will attempt to establish credentials for the target user by default,
2115: if supported by the underlying authentication system.
2116: One example of a credential is a Kerberos ticket.
2117: If
2118: .Em pam_session ,
2119: .Em pam_setcred ,
2120: and
2121: .Em use_pty
2122: are disabled and I/O logging has not been configured,
2123: .Nm sudo
2124: will execute the command directly instead of running it as a child
2125: process.
2126: This flag is
2127: .Em on
2128: by default.
2129: .Pp
2130: This setting is only supported by version 1.8.8 or higher.
1.1 misho 2131: .It passprompt_override
2132: The password prompt specified by
2133: .Em passprompt
2134: will normally only be used if the password prompt provided by systems
2135: such as PAM matches the string
2136: .Dq Password: .
2137: If
2138: .Em passprompt_override
2139: is set,
2140: .Em passprompt
2141: will always be used.
2142: This flag is
2143: .Em off
2144: by default.
1.1.1.2 misho 2145: .It path_info
2146: Normally,
2147: .Nm sudo
2148: will tell the user when a command could not be
2149: found in their
2150: .Ev PATH
2151: environment variable.
2152: Some sites may wish to disable this as it could be used to gather
2153: information on the location of executables that the normal user does
2154: not have access to.
2155: The disadvantage is that if the executable is simply not in the user's
2156: .Ev PATH ,
2157: .Nm sudo
2158: will tell the user that they are not allowed to run it, which can be confusing.
2159: This flag is
2160: .Em @path_info@
2161: by default.
1.1 misho 2162: .It preserve_groups
2163: By default,
2164: .Nm sudo
2165: will initialize the group vector to the list of groups the target user is in.
2166: When
2167: .Em preserve_groups
2168: is set, the user's existing group vector is left unaltered.
2169: The real and effective group IDs, however, are still set to match the
2170: target user.
2171: This flag is
2172: .Em off
2173: by default.
2174: .It pwfeedback
2175: By default,
2176: .Nm sudo
2177: reads the password like most other Unix programs,
2178: by turning off echo until the user hits the return (or enter) key.
2179: Some users become confused by this as it appears to them that
2180: .Nm sudo
2181: has hung at this point.
2182: When
2183: .Em pwfeedback
2184: is set,
2185: .Nm sudo
2186: will provide visual feedback when the user presses a key.
2187: Note that this does have a security impact as an onlooker may be able to
2188: determine the length of the password being entered.
2189: This flag is
2190: .Em off
2191: by default.
2192: .It requiretty
2193: If set,
2194: .Nm sudo
2195: will only run when the user is logged in to a real tty.
2196: When this flag is set,
2197: .Nm sudo
2198: can only be run from a login session and not via other means such as
2199: .Xr cron @mansectsu@
2200: or cgi-bin scripts.
2201: This flag is
2202: .Em off
2203: by default.
2204: .It root_sudo
2205: If set, root is allowed to run
2206: .Nm sudo
2207: too.
2208: Disabling this prevents users from
2209: .Dq chaining
2210: .Nm sudo
2211: commands to get a root shell by doing something like
2212: .Dq Li sudo sudo /bin/sh .
2213: Note, however, that turning off
2214: .Em root_sudo
2215: will also prevent root from running
2216: .Nm sudoedit .
2217: Disabling
2218: .Em root_sudo
2219: provides no real additional security; it exists purely for historical reasons.
2220: This flag is
2221: .Em @root_sudo@
2222: by default.
2223: .It rootpw
2224: If set,
2225: .Nm sudo
1.1.1.4 ! misho 2226: will prompt for the root password instead of the password of the invoking user
! 2227: when running a command or editing a file.
1.1 misho 2228: This flag is
2229: .Em off
2230: by default.
2231: .It runaspw
2232: If set,
2233: .Nm sudo
2234: will prompt for the password of the user defined by the
2235: .Em runas_default
2236: option (defaults to
2237: .Li @runas_default@ )
1.1.1.4 ! misho 2238: instead of the password of the invoking user
! 2239: when running a command or editing a file.
1.1 misho 2240: This flag is
2241: .Em off
2242: by default.
2243: .It set_home
2244: If enabled and
2245: .Nm sudo
2246: is invoked with the
2247: .Fl s
2248: option the
2249: .Ev HOME
2250: environment variable will be set to the home directory of the target
2251: user (which is root unless the
2252: .Fl u
2253: option is used).
2254: This effectively makes the
2255: .Fl s
2256: option imply
2257: .Fl H .
2258: Note that
2259: .Ev HOME
1.1.1.3 misho 2260: is already set when the
1.1 misho 2261: .Em env_reset
2262: option is enabled, so
2263: .Em set_home
2264: is only effective for configurations where either
2265: .Em env_reset
2266: is disabled
2267: or
2268: .Ev HOME
2269: is present in the
2270: .Em env_keep
2271: list.
2272: This flag is
2273: .Em off
2274: by default.
2275: .It set_logname
2276: Normally,
2277: .Nm sudo
2278: will set the
2279: .Ev LOGNAME ,
2280: .Ev USER
2281: and
2282: .Ev USERNAME
2283: environment variables to the name of the target user (usually root unless the
2284: .Fl u
2285: option is given).
2286: However, since some programs (including the RCS revision control system) use
2287: .Ev LOGNAME
2288: to determine the real identity of the user, it may be desirable to
2289: change this behavior.
2290: This can be done by negating the set_logname option.
2291: Note that if the
2292: .Em env_reset
2293: option has not been disabled, entries in the
2294: .Em env_keep
2295: list will override the value of
2296: .Em set_logname .
2297: This flag is
2298: .Em on
2299: by default.
2300: .It set_utmp
2301: When enabled,
2302: .Nm sudo
2303: will create an entry in the utmp (or utmpx) file when a pseudo-tty
2304: is allocated.
2305: A pseudo-tty is allocated by
2306: .Nm sudo
2307: when the
2308: .Em log_input ,
2309: .Em log_output
2310: or
2311: .Em use_pty
2312: flags are enabled.
2313: By default, the new entry will be a copy of the user's existing utmp
2314: entry (if any), with the tty, time, type and pid fields updated.
2315: This flag is
2316: .Em on
2317: by default.
2318: .It setenv
2319: Allow the user to disable the
2320: .Em env_reset
2321: option from the command line via the
2322: .Fl E
2323: option.
2324: Additionally, environment variables set via the command line are
2325: not subject to the restrictions imposed by
2326: .Em env_check ,
2327: .Em env_delete ,
2328: or
2329: .Em env_keep .
2330: As such, only trusted users should be allowed to set variables in this manner.
2331: This flag is
2332: .Em off
2333: by default.
2334: .It shell_noargs
2335: If set and
2336: .Nm sudo
2337: is invoked with no arguments it acts as if the
2338: .Fl s
2339: option had been given.
2340: That is, it runs a shell as root (the shell is determined by the
2341: .Ev SHELL
2342: environment variable if it is set, falling back on the shell listed
2343: in the invoking user's /etc/passwd entry if not).
2344: This flag is
2345: .Em off
2346: by default.
2347: .It stay_setuid
2348: Normally, when
2349: .Nm sudo
2350: executes a command the real and effective UIDs are set to the target
2351: user (root by default).
2352: This option changes that behavior such that the real UID is left
2353: as the invoking user's UID.
2354: In other words, this makes
2355: .Nm sudo
2356: act as a setuid wrapper.
2357: This can be useful on systems that disable some potentially
2358: dangerous functionality when a program is run setuid.
2359: This option is only effective on systems that support either the
2360: .Xr setreuid 2
2361: or
2362: .Xr setresuid 2
2363: system call.
2364: This flag is
2365: .Em off
2366: by default.
2367: .It targetpw
2368: If set,
2369: .Nm sudo
2370: will prompt for the password of the user specified
2371: by the
2372: .Fl u
2373: option (defaults to
2374: .Li root )
1.1.1.4 ! misho 2375: instead of the password of the invoking user
! 2376: when running a command or editing a file.
1.1 misho 2377: Note that this flag precludes the use of a uid not listed in the passwd
2378: database as an argument to the
2379: .Fl u
2380: option.
2381: This flag is
2382: .Em off
2383: by default.
2384: .It tty_tickets
2385: If set, users must authenticate on a per-tty basis.
2386: With this flag enabled,
2387: .Nm sudo
1.1.1.4 ! misho 2388: will use a separate record in the time stamp file for each tty.
! 2389: If disabled, a single record is used for all login sessions.
1.1 misho 2390: This flag is
2391: .Em @tty_tickets@
2392: by default.
2393: .It umask_override
2394: If set,
2395: .Nm sudo
2396: will set the umask as specified by
2397: .Em sudoers
2398: without modification.
2399: This makes it possible to specify a more permissive umask in
2400: .Em sudoers
2401: than the user's own umask and matches historical behavior.
2402: If
2403: .Em umask_override
2404: is not set,
2405: .Nm sudo
2406: will set the umask to be the union of the user's umask and what is specified in
2407: .Em sudoers .
2408: This flag is
2409: .Em @umask_override@
2410: by default.
2411: .It use_loginclass
2412: If set,
2413: .Nm sudo
2414: will apply the defaults specified for the target user's login class
2415: if one exists.
2416: Only available if
2417: .Nm sudo
2418: is configured with the
2419: .Li --with-logincap
2420: option.
2421: This flag is
2422: .Em off
2423: by default.
2424: .It use_pty
2425: If set,
2426: .Nm sudo
2427: will run the command in a pseudo-pty even if no I/O logging is being done.
2428: A malicious program run under
2429: .Nm sudo
2430: could conceivably fork a background process that retains access to the user's
2431: terminal device after the main program has finished executing.
2432: Use of this option will make that impossible.
2433: This flag is
2434: .Em off
2435: by default.
2436: .It utmp_runas
2437: If set,
2438: .Nm sudo
2439: will store the name of the runas user when updating the utmp (or utmpx) file.
2440: By default,
2441: .Nm sudo
2442: stores the name of the invoking user.
2443: This flag is
2444: .Em off
2445: by default.
2446: .It visiblepw
2447: By default,
2448: .Nm sudo
2449: will refuse to run if the user must enter a password but it is not
2450: possible to disable echo on the terminal.
2451: If the
2452: .Em visiblepw
2453: flag is set,
2454: .Nm sudo
2455: will prompt for a password even when it would be visible on the screen.
2456: This makes it possible to run things like
2457: .Dq Li ssh somehost sudo ls
2458: since by default,
2459: .Xr ssh 1
2460: does
2461: not allocate a tty when running a command.
2462: This flag is
2463: .Em off
2464: by default.
2465: .El
2466: .Pp
2467: .Sy Integers :
2468: .Bl -tag -width 16n
2469: .It closefrom
2470: Before it executes a command,
2471: .Nm sudo
2472: will close all open file descriptors other than standard input,
2473: standard output and standard error (i.e., file descriptors 0-2).
2474: The
2475: .Em closefrom
2476: option can be used to specify a different file descriptor at which
2477: to start closing.
2478: The default is
2479: .Li 3 .
2480: .It passwd_tries
2481: The number of tries a user gets to enter his/her password before
2482: .Nm sudo
2483: logs the failure and exits.
2484: The default is
2485: .Li @passwd_tries@ .
2486: .El
2487: .Pp
2488: .Sy Integers that can be used in a boolean context :
2489: .Bl -tag -width 16n
2490: .It loglinelen
2491: Number of characters per line for the file log.
2492: This value is used to decide when to wrap lines for nicer log files.
2493: This has no effect on the syslog log file, only the file log.
2494: The default is
2495: .Li @loglen@
2496: (use 0 or negate the option to disable word wrap).
2497: .It passwd_timeout
2498: Number of minutes before the
2499: .Nm sudo
2500: password prompt times out, or
2501: .Li 0
2502: for no timeout.
2503: The timeout may include a fractional component
2504: if minute granularity is insufficient, for example
2505: .Li 2.5 .
2506: The
2507: default is
2508: .Li @password_timeout@ .
2509: .It timestamp_timeout
2510: Number of minutes that can elapse before
2511: .Nm sudo
2512: will ask for a password again.
2513: The timeout may include a fractional component if
2514: minute granularity is insufficient, for example
2515: .Li 2.5 .
2516: The default is
2517: .Li @timeout@ .
2518: Set this to
2519: .Li 0
2520: to always prompt for a password.
2521: If set to a value less than
2522: .Li 0
2523: the user's time stamp will never expire.
2524: This can be used to allow users to create or delete their own time stamps via
2525: .Dq Li sudo -v
2526: and
2527: .Dq Li sudo -k
2528: respectively.
2529: .It umask
2530: Umask to use when running the command.
2531: Negate this option or set it to 0777 to preserve the user's umask.
2532: The actual umask that is used will be the union of the user's umask
2533: and the value of the
2534: .Em umask
2535: option, which defaults to
2536: .Li @sudo_umask@ .
2537: This guarantees
2538: that
2539: .Nm sudo
2540: never lowers the umask when running a command.
2541: Note: on systems that use PAM, the default PAM configuration may specify
2542: its own umask which will override the value set in
2543: .Em sudoers .
2544: .El
2545: .Pp
2546: .Sy Strings :
2547: .Bl -tag -width 16n
2548: .It badpass_message
2549: Message that is displayed if a user enters an incorrect password.
2550: The default is
2551: .Li @badpass_message@
2552: unless insults are enabled.
2553: .It editor
2554: A colon
2555: .Pq Ql :\&
2556: separated list of editors allowed to be used with
2557: .Nm visudo .
2558: .Nm visudo
2559: will choose the editor that matches the user's
2560: .Ev EDITOR
2561: environment variable if possible, or the first editor in the
2562: list that exists and is executable.
2563: The default is
2564: .Pa @editor@ .
2565: .It iolog_dir
2566: The top-level directory to use when constructing the path name for
2567: the input/output log directory.
2568: Only used if the
2569: .Em log_input
2570: or
2571: .Em log_output
2572: options are enabled or when the
2573: .Li LOG_INPUT
2574: or
2575: .Li LOG_OUTPUT
2576: tags are present for a command.
2577: The session sequence number, if any, is stored in the directory.
2578: The default is
2579: .Pa @iolog_dir@ .
2580: .Pp
2581: The following percent
2582: .Pq Ql %
2583: escape sequences are supported:
2584: .Bl -tag -width 4n
2585: .It Li %{seq}
2586: expanded to a monotonically increasing base-36 sequence number, such as 0100A5,
2587: where every two digits are used to form a new directory, e.g.\&
2588: .Pa 01/00/A5
2589: .It Li %{user}
2590: expanded to the invoking user's login name
2591: .It Li %{group}
2592: expanded to the name of the invoking user's real group ID
2593: .It Li %{runas_user}
2594: expanded to the login name of the user the command will
2595: be run as (e.g.\& root)
2596: .It Li %{runas_group}
2597: expanded to the group name of the user the command will
2598: be run as (e.g.\& wheel)
2599: .It Li %{hostname}
2600: expanded to the local host name without the domain name
2601: .It Li %{command}
2602: expanded to the base name of the command being run
2603: .El
2604: .Pp
2605: In addition, any escape sequences supported by the system's
2606: .Xr strftime 3
2607: function will be expanded.
2608: .Pp
2609: To include a literal
2610: .Ql %
2611: character, the string
2612: .Ql %%
2613: should be used.
2614: .It iolog_file
2615: The path name, relative to
2616: .Em iolog_dir ,
2617: in which to store input/output logs when the
2618: .Em log_input
2619: or
2620: .Em log_output
2621: options are enabled or when the
2622: .Li LOG_INPUT
2623: or
2624: .Li LOG_OUTPUT
2625: tags are present for a command.
2626: Note that
2627: .Em iolog_file
2628: may contain directory components.
2629: The default is
2630: .Dq Li %{seq} .
2631: .Pp
2632: See the
2633: .Em iolog_dir
2634: option above for a list of supported percent
2635: .Pq Ql %
2636: escape sequences.
2637: .Pp
2638: In addition to the escape sequences, path names that end in six or
2639: more
1.1.1.4 ! misho 2640: .Li X Ns s
1.1 misho 2641: will have the
1.1.1.4 ! misho 2642: .Li X Ns s
1.1 misho 2643: replaced with a unique combination of digits and letters, similar to the
2644: .Xr mktemp 3
2645: function.
1.1.1.2 misho 2646: .Pp
2647: If the path created by concatenating
2648: .Em iolog_dir
2649: and
2650: .Em iolog_file
2651: already exists, the existing I/O log file will be truncated and
2652: overwritten unless
2653: .Em iolog_file
2654: ends in six or
2655: more
1.1.1.4 ! misho 2656: .Li X Ns s .
! 2657: .It lecture_status_dir
! 2658: The directory in which
! 2659: .Nm sudo
! 2660: stores per-user lecture status files.
! 2661: Once a user has received the lecture, a zero-length file is
! 2662: created in this directory so that
! 2663: .Nm sudo
! 2664: will not lecture the user again.
! 2665: This directory should
! 2666: .Em not
! 2667: be cleared when the system reboots.
! 2668: The default is
! 2669: .Pa @vardir@/lectured .
1.1 misho 2670: .It limitprivs
2671: The default Solaris limit privileges to use when constructing a new
2672: privilege set for a command.
2673: This bounds all privileges of the executing process.
2674: The default limit privileges may be overridden on a per-command basis in
2675: .Em sudoers .
2676: This option is only available if
2677: .Nm
2678: is built on Solaris 10 or higher.
2679: .It mailsub
2680: Subject of the mail sent to the
2681: .Em mailto
2682: user.
2683: The escape
2684: .Li %h
2685: will expand to the host name of the machine.
2686: Default is
2687: .Dq Li @mailsub@ .
1.1.1.2 misho 2688: .It maxseq
2689: The maximum sequence number that will be substituted for the
2690: .Dq Li %{seq}
2691: escape in the I/O log file (see the
2692: .Em iolog_dir
2693: description above for more information).
2694: While the value substituted for
2695: .Dq Li %{seq}
2696: is in base 36,
2697: .Em maxseq
2698: itself should be expressed in decimal.
2699: Values larger than 2176782336 (which corresponds to the
2700: base 36 sequence number
2701: .Dq ZZZZZZ )
2702: will be silently truncated to 2176782336.
2703: The default value is 2176782336.
2704: .Pp
2705: Once the local sequence number reaches the value of
2706: .Em maxseq ,
2707: it will
2708: .Dq roll over
2709: to zero, after which
2710: .Nm sudoers
1.1.1.4 ! misho 2711: will truncate and re-use any existing I/O log path names.
1.1.1.2 misho 2712: .Pp
2713: This setting is only supported by version 1.8.7 or higher.
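An added example, not code from sudo itself, that models the %{seq} expansion and the maxseq clamping and roll-over described above together with the other iolog_dir escapes; the template, the hostname/user values and the timestamp are constructed for illustration.

```python
import re
import time

BASE36 = "0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ"
MAXSEQ_LIMIT = 36 ** 6  # 2176782336: larger maxseq values are silently truncated to this

# Only the %{...} escapes listed in the iolog_dir description are recognised.
_ESCAPE = re.compile(r"%\{(seq|user|group|runas_user|runas_group|hostname|command)\}")


def seq_to_base36(seq: int) -> str:
    """Render a sequence number as a six-character, zero-padded base-36 string."""
    if not 0 <= seq < MAXSEQ_LIMIT:
        raise ValueError("sequence number out of range")
    digits = []
    for _ in range(6):
        seq, rem = divmod(seq, 36)
        digits.append(BASE36[rem])
    return "".join(reversed(digits))


def seq_to_dirs(seq: int) -> str:
    """Split the base-36 string two digits at a time: 0100A5 -> 01/00/A5."""
    s = seq_to_base36(seq)
    return "/".join(s[i:i + 2] for i in range(0, 6, 2))


def clamp_maxseq(maxseq: int) -> int:
    """maxseq is written in decimal; anything above 36^6 is truncated to 36^6."""
    return min(maxseq, MAXSEQ_LIMIT)


def next_seq(current: int, maxseq: int) -> int:
    """Advance the local sequence counter; it rolls over to zero on reaching maxseq."""
    nxt = current + 1
    return 0 if nxt >= clamp_maxseq(maxseq) else nxt


def expand_iolog_path(template: str, seq: int, ctx: dict, when: time.struct_time) -> str:
    """Expand %{...} escapes verbatim and pass the literal text through strftime(3).

    Routing only the literal runs through strftime keeps a '%' inside an expanded
    value (e.g. a user name) from being reinterpreted as a date escape, and lets
    strftime collapse '%%' into a single '%' as the text above requires.
    """
    parts = []
    pos = 0
    for m in _ESCAPE.finditer(template):
        parts.append(time.strftime(template[pos:m.start()], when))
        key = m.group(1)
        parts.append(seq_to_dirs(seq) if key == "seq" else ctx[key])
        pos = m.end()
    parts.append(time.strftime(template[pos:], when))
    return "".join(parts)


# Constructed sample values (hypothetical host, users and date), not real data.
SAMPLE_CTX = {
    "user": "alice",
    "group": "staff",
    "runas_user": "root",
    "runas_group": "wheel",
    "hostname": "bastion",
    "command": "ls",
}
SAMPLE_WHEN = time.gmtime(1392422400)  # 2014-02-15 00:00:00 UTC

if __name__ == "__main__":
    print(expand_iolog_path("%{hostname}/%{user}/%Y%m%d/%{seq}", 1679981,
                            SAMPLE_CTX, SAMPLE_WHEN))
    print(seq_to_base36(MAXSEQ_LIMIT - 1), next_seq(MAXSEQ_LIMIT - 1, 10 ** 12))
```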
1.1 misho 2714: .It noexec_file
1.1.1.2 misho 2715: As of
2716: .Nm sudo
2717: version 1.8.1 this option is no longer supported.
1.1 misho 2718: The path to the noexec file should now be set in the
1.1.1.2 misho 2719: .Xr sudo.conf @mansectform@
1.1 misho 2720: file.
1.1.1.3 misho 2721: .It pam_login_service
2722: On systems that use PAM for authentication, this is the service
2723: name used when the
2724: .Fl i
2725: option is specified.
2726: The default value is
2727: .Dq Li @pam_login_service@ .
2728: See the description of
2729: .Em pam_service
2730: for more information.
2731: .Pp
2732: This setting is only supported by version 1.8.8 or higher.
2733: .It pam_service
2734: On systems that use PAM for authentication, the service name
2735: specifies the PAM policy to apply.
2736: This usually corresponds to an entry in the
2737: .Pa pam.conf
2738: file or a file in the
2739: .Pa /etc/pam.d
2740: directory.
2741: The default value is
2742: .Dq Li sudo .
2743: .Pp
2744: This setting is only supported by version 1.8.8 or higher.
1.1 misho 2745: .It passprompt
2746: The default prompt to use when asking for a password; can be overridden via the
2747: .Fl p
2748: option or the
2749: .Ev SUDO_PROMPT
2750: environment variable.
2751: The following percent
2752: .Pq Ql %
2753: escape sequences are supported:
2754: .Bl -tag -width 4n
2755: .It Li %H
2756: expanded to the local host name including the domain name
2757: (only if the machine's host name is fully qualified or the
2758: .Em fqdn
2759: option is set)
2760: .It Li %h
2761: expanded to the local host name without the domain name
2762: .It Li %p
2763: expanded to the user whose password is being asked for (respects the
2764: .Em rootpw ,
2765: .Em targetpw
2766: and
2767: .Em runaspw
2768: flags in
2769: .Em sudoers )
2770: .It Li \&%U
2771: expanded to the login name of the user the command will
2772: be run as (defaults to root)
2773: .It Li %u
2774: expanded to the invoking user's login name
2775: .It Li %%
2776: two consecutive
2777: .Li %
2778: characters are collapsed into a single
2779: .Li %
2780: character
2781: .El
2782: .Pp
2783: The default value is
2784: .Dq Li @passprompt@ .
2785: .It privs
2786: The default Solaris privileges to use when constructing a new
2787: privilege set for a command.
2788: This is passed to the executing process via the inherited privilege set,
2789: but is bounded by the limit privileges.
2790: If the
2791: .Em privs
2792: option is specified but the
2793: .Em limitprivs
2794: option is not, the limit privileges of the executing process is set to
2795: .Em privs .
2796: The default privileges may be overridden on a per-command basis in
2797: .Em sudoers .
2798: This option is only available if
2799: .Nm
2800: is built on Solaris 10 or higher.
2801: .It role
2802: The default SELinux role to use when constructing a new security
2803: context to run the command.
2804: The default role may be overridden on a per-command basis in
2805: .Em sudoers
2806: or via command line options.
2807: This option is only available when
2808: .Nm sudo
2809: is built with SELinux support.
2810: .It runas_default
2811: The default user to run commands as if the
2812: .Fl u
2813: option is not specified on the command line.
2814: This defaults to
2815: .Li @runas_default@ .
2816: .It syslog_badpri
2817: Syslog priority to use when user authenticates unsuccessfully.
2818: Defaults to
2819: .Li @badpri@ .
2820: .Pp
2821: The following syslog priorities are supported:
2822: .Sy alert ,
2823: .Sy crit ,
2824: .Sy debug ,
2825: .Sy emerg ,
2826: .Sy err ,
2827: .Sy info ,
2828: .Sy notice ,
2829: and
2830: .Sy warning .
2831: .It syslog_goodpri
2832: Syslog priority to use when user authenticates successfully.
2833: Defaults to
2834: .Li @goodpri@ .
2835: .Pp
2836: See
1.1.1.3 misho 2837: .Em syslog_badpri
1.1 misho 2838: for the list of supported syslog priorities.
2839: .It sudoers_locale
2840: Locale to use when parsing the sudoers file, logging commands, and
2841: sending email.
2842: Note that changing the locale may affect how sudoers is interpreted.
2843: Defaults to
2844: .Dq Li C .
2845: .It timestampdir
2846: The directory in which
2847: .Nm sudo
2848: stores its time stamp files.
1.1.1.4 ! misho 2849: This directory should be cleared when the system reboots.
1.1 misho 2850: The default is
1.1.1.4 ! misho 2851: .Pa @rundir@/ts .
1.1 misho 2852: .It timestampowner
1.1.1.4 ! misho 2853: The owner of the lecture status directory, time stamp directory and all
! 2854: files stored therein.
1.1 misho 2855: The default is
2856: .Li root .
2857: .It type
2858: The default SELinux type to use when constructing a new security
2859: context to run the command.
2860: The default type may be overridden on a per-command basis in
2861: .Em sudoers
2862: or via command line options.
2863: This option is only available when
2864: .Nm sudo
2865: is built with SELinux support.
2866: .El
2867: .Pp
2868: .Sy Strings that can be used in a boolean context :
2869: .Bl -tag -width 12n
2870: .It env_file
2871: The
2872: .Em env_file
2873: option specifies the fully qualified path to a file containing variables
2874: to be set in the environment of the program being run.
2875: Entries in this file should either be of the form
2876: .Dq Li VARIABLE=value
2877: or
2878: .Dq Li export VARIABLE=value .
2879: The value may optionally be surrounded by single or double quotes.
2880: Variables in this file are subject to other
2881: .Nm sudo
2882: environment settings such as
2883: .Em env_keep
2884: and
2885: .Em env_check .
2886: .It exempt_group
2887: Users in this group are exempt from password and PATH requirements.
2888: The group name specified should not include a
2889: .Li %
2890: prefix.
2891: This is not set by default.
2892: .It group_plugin
2893: A string containing a
2894: .Em sudoers
2895: group plugin with optional arguments.
2896: The string should consist of the plugin
2897: path, either fully-qualified or relative to the
1.1.1.2 misho 2898: .Pa @PLUGINDIR@
1.1 misho 2899: directory, followed by any configuration arguments the plugin requires.
2900: These arguments (if any) will be passed to the plugin's initialization function.
2901: If arguments are present, the string must be enclosed in double quotes
2902: .Pq \&"" .
2903: .Pp
2904: For more information see
1.1.1.2 misho 2905: .Xr "GROUP PROVIDER PLUGINS" .
1.1 misho 2906: .It lecture
2907: This option controls when a short lecture will be printed along with
2908: the password prompt.
2909: It has the following possible values:
2910: .Bl -tag -width 6n
2911: .It always
2912: Always lecture the user.
2913: .It never
2914: Never lecture the user.
2915: .It once
2916: Only lecture the user the first time they run
2917: .Nm sudo .
2918: .El
2919: .Pp
2920: If no value is specified, a value of
2921: .Em once
2922: is implied.
2923: Negating the option results in a value of
2924: .Em never
2925: being used.
2926: The default value is
2927: .Em @lecture@ .
2928: .It lecture_file
2929: Path to a file containing an alternate
2930: .Nm sudo
2931: lecture that will be used in place of the standard lecture if the named
2932: file exists.
2933: By default,
2934: .Nm sudo
2935: uses a built-in lecture.
2936: .It listpw
2937: This option controls when a password will be required when a user runs
2938: .Nm sudo
2939: with the
2940: .Fl l
2941: option.
2942: It has the following possible values:
2943: .Bl -tag -width 8n
2944: .It all
2945: All the user's
2946: .Em sudoers
2947: entries for the current host must have
2948: the
2949: .Li NOPASSWD
2950: flag set to avoid entering a password.
2951: .It always
2952: The user must always enter a password to use the
2953: .Fl l
2954: option.
2955: .It any
2956: At least one of the user's
2957: .Em sudoers
2958: entries for the current host
2959: must have the
2960: .Li NOPASSWD
2961: flag set to avoid entering a password.
2962: .It never
2963: The user need never enter a password to use the
2964: .Fl l
2965: option.
2966: .El
2967: .Pp
2968: If no value is specified, a value of
2969: .Em any
2970: is implied.
2971: Negating the option results in a value of
2972: .Em never
2973: being used.
2974: The default value is
2975: .Em any .
2976: .It logfile
2977: Path to the
2978: .Nm sudo
2979: log file (not the syslog log file).
2980: Setting a path turns on logging to a file;
2981: negating this option turns it off.
2982: By default,
2983: .Nm sudo
2984: logs via syslog.
2985: .It mailerflags
2986: Flags to use when invoking the mailer. Defaults to
2987: .Fl t .
2988: .It mailerpath
2989: Path to mail program used to send warning mail.
2990: Defaults to the path to sendmail found at configure time.
2991: .It mailfrom
2992: Address to use for the
2993: .Dq from
2994: address when sending warning and error mail.
2995: The address should be enclosed in double quotes
2996: .Pq \&""
2997: to protect against
2998: .Nm sudo
2999: interpreting the
3000: .Li @
3001: sign.
3002: Defaults to the name of the user running
3003: .Nm sudo .
3004: .It mailto
3005: Address to send warning and error mail to.
3006: The address should be enclosed in double quotes
3007: .Pq \&""
3008: to protect against
3009: .Nm sudo
3010: interpreting the
3011: .Li @
3012: sign.
3013: Defaults to
3014: .Li @mailto@ .
3015: .It secure_path
3016: Path used for every command run from
3017: .Nm sudo .
3018: If you don't trust the
3019: people running
3020: .Nm sudo
3021: to have a sane
3022: .Ev PATH
3023: environment variable you may want to use this.
3024: Another use is if you want to have the
3025: .Dq root path
3026: be separate from the
3027: .Dq user path .
3028: Users in the group specified by the
3029: .Em exempt_group
3030: option are not affected by
3031: .Em secure_path .
3032: This option is @secure_path@ by default.
3033: .It syslog
3034: Syslog facility if syslog is being used for logging (negate to
3035: disable syslog logging).
3036: Defaults to
3037: .Li @logfac@ .
3038: .Pp
3039: The following syslog facilities are supported:
3040: .Sy authpriv
3041: (if your
3042: OS supports it),
3043: .Sy auth ,
3044: .Sy daemon ,
3045: .Sy user ,
3046: .Sy local0 ,
3047: .Sy local1 ,
3048: .Sy local2 ,
3049: .Sy local3 ,
3050: .Sy local4 ,
3051: .Sy local5 ,
3052: .Sy local6 ,
3053: and
3054: .Sy local7 .
3055: .It verifypw
3056: This option controls when a password will be required when a user runs
3057: .Nm sudo
3058: with the
3059: .Fl v
3060: option.
3061: It has the following possible values:
3062: .Bl -tag -width 6n
3063: .It all
3064: All the user's
3065: .Em sudoers
3066: entries for the current host must have the
3067: .Li NOPASSWD
3068: flag set to avoid entering a password.
3069: .It always
3070: The user must always enter a password to use the
3071: .Fl v
3072: option.
3073: .It any
3074: At least one of the user's
3075: .Em sudoers
3076: entries for the current host must have the
3077: .Li NOPASSWD
3078: flag set to avoid entering a password.
3079: .It never
3080: The user need never enter a password to use the
3081: .Fl v
3082: option.
3083: .El
3084: .Pp
3085: If no value is specified, a value of
3086: .Em all
3087: is implied.
3088: Negating the option results in a value of
3089: .Em never
3090: being used.
3091: The default value is
3092: .Em all .
3093: .El
3094: .Pp
3095: .Sy Lists that can be used in a boolean context :
3096: .Bl -tag -width 16n
3097: .It env_check
3098: Environment variables to be removed from the user's environment if
3099: the variable's value contains
3100: .Ql %
3101: or
3102: .Ql /
3103: characters.
3104: This can be used to guard against printf-style format vulnerabilities
3105: in poorly-written programs.
3106: The argument may be a double-quoted, space-separated list or a
3107: single value without double-quotes.
3108: The list can be replaced, added to, deleted from, or disabled by using
3109: the
3110: .Li = ,
3111: .Li += ,
3112: .Li -= ,
3113: and
3114: .Li \&!
3115: operators respectively.
3116: Regardless of whether the
3117: .Li env_reset
3118: option is enabled or disabled, variables specified by
3119: .Li env_check
3120: will be preserved in the environment if they pass the aforementioned check.
3121: The default list of environment variables to check is displayed when
3122: .Nm sudo
3123: is run by root with
3124: the
3125: .Fl V
3126: option.
3127: .It env_delete
3128: Environment variables to be removed from the user's environment when the
3129: .Em env_reset
3130: option is not in effect.
3131: The argument may be a double-quoted, space-separated list or a
3132: single value without double-quotes.
3133: The list can be replaced, added to, deleted from, or disabled by using the
3134: .Li = ,
3135: .Li += ,
3136: .Li -= ,
3137: and
3138: .Li \&!
3139: operators respectively.
3140: The default list of environment variables to remove is displayed when
3141: .Nm sudo
3142: is run by root with the
3143: .Fl V
3144: option.
3145: Note that many operating systems will remove potentially dangerous
3146: variables from the environment of any setuid process (such as
3147: .Nm sudo ) .
3148: .It env_keep
3149: Environment variables to be preserved in the user's environment when the
3150: .Em env_reset
3151: option is in effect.
3152: This allows fine-grained control over the environment
1.1.1.4 ! misho 3153: .Nm sudo Ns -spawned
1.1 misho 3154: processes will receive.
3155: The argument may be a double-quoted, space-separated list or a
3156: single value without double-quotes.
3157: The list can be replaced, added to, deleted from, or disabled by using the
3158: .Li = ,
3159: .Li += ,
3160: .Li -= ,
3161: and
3162: .Li \&!
3163: operators respectively.
3164: The default list of variables to keep
3165: is displayed when
3166: .Nm sudo
3167: is run by root with the
3168: .Fl V
3169: option.
3170: .El
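An added example, not sudo's own code, that applies the env_keep, env_check and env_delete rules above to a constructed environment, including the =, +=, -= and ! list operators; the Defaults lines and the environment are constructed for illustration, and the built-in default lists are stand-ins for what `sudo -V` prints on a real system.

```python
import re

# Stand-ins for the built-in lists printed by "sudo -V" (constructed, not sudo's real defaults).
DEFAULT_ENV_KEEP = ["HOME", "LANG", "TERM"]
DEFAULT_ENV_CHECK = ["COLORTERM", "LS_COLORS", "TZ"]
DEFAULT_ENV_DELETE = ["IFS", "LD_PRELOAD", "LD_LIBRARY_PATH", "PERLLIB"]

# Defaults env_reset | Defaults !env_check | Defaults env_keep += "A B" | Defaults env_keep -= A
_LIST_LINE = re.compile(
    r'^Defaults\s+(!)?(env_keep|env_check|env_delete|env_reset)\s*(?:(\+=|-=|=)\s*(.+))?$'
)


def default_policy() -> dict:
    """Fresh copy of the built-in policy: env_reset on, with the default lists."""
    return {
        "env_reset": True,
        "env_keep": list(DEFAULT_ENV_KEEP),
        "env_check": list(DEFAULT_ENV_CHECK),
        "env_delete": list(DEFAULT_ENV_DELETE),
    }


def parse_defaults(lines, policy: dict) -> dict:
    """Apply the list-related Defaults lines in order; later lines win."""
    for line in lines:
        m = _LIST_LINE.match(line.strip())
        if not m:
            continue  # not one of the options handled here
        neg, name, op, value = m.groups()
        if name == "env_reset":
            policy["env_reset"] = not neg
            continue
        if neg:  # "!env_check" etc. disables the list entirely
            policy[name] = []
            continue
        items = value.strip().strip('"').split()  # double-quoted, space-separated list
        if op == "=":
            policy[name] = items
        elif op == "+=":
            policy[name] = policy[name] + [v for v in items if v not in policy[name]]
        elif op == "-=":
            policy[name] = [v for v in policy[name] if v not in items]
    return policy


def passes_check(value: str) -> bool:
    """env_check keeps a variable only if its value contains no % or / characters."""
    return "%" not in value and "/" not in value


def filter_environment(env: dict, policy: dict) -> dict:
    """Build the environment a sudo-spawned process would receive under the policy.

    With env_reset, only env_keep variables and env_check variables that pass
    the check survive. Without env_reset, env_delete variables are removed and
    env_check variables are removed only if they fail the check.
    """
    result = {}
    for name, value in env.items():
        if policy["env_reset"]:
            keep = name in policy["env_keep"] or (
                name in policy["env_check"] and passes_check(value))
        else:
            keep = name not in policy["env_delete"] and not (
                name in policy["env_check"] and not passes_check(value))
        if keep:
            result[name] = value
    return result


# Constructed sample environment; the LD_PRELOAD and TZ values are deliberately suspect.
SAMPLE_ENV = {
    "HOME": "/home/alice",
    "TERM": "xterm",
    "EDITOR": "vi",
    "PS1": "alice$ ",
    "TZ": "Europe/Oslo",
    "LD_PRELOAD": "/tmp/hook.so",
    "FOO": "bar",
}

if __name__ == "__main__":
    pol = parse_defaults(['Defaults env_keep += "EDITOR"', 'Defaults env_check += "PS1"'],
                         default_policy())
    print(sorted(filter_environment(SAMPLE_ENV, pol)))
```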
1.1.1.2 misho 3171: .Sh GROUP PROVIDER PLUGINS
3172: The
3173: .Nm sudoers
3174: plugin supports its own plugin interface to allow non-Unix
3175: group lookups which can query a group source other
3176: than the standard Unix group database.
3177: This can be used to implement support for the
3178: .Li nonunix_group
3179: syntax described earlier.
3180: .Pp
3181: Group provider plugins are specified via the
3182: .Em group_plugin
3183: Defaults setting.
3184: The argument to
3185: .Em group_plugin
3186: should consist of the plugin path, either fully-qualified or relative to the
3187: .Pa @PLUGINDIR@
3188: directory, followed by any configuration options the plugin requires.
3189: These options (if specified) will be passed to the plugin's initialization
3190: function.
3191: If options are present, the string must be enclosed in double quotes
3192: .Pq \&"" .
3193: .Pp
3194: The following group provider plugins are installed by default:
3195: .Bl -tag -width 8n
3196: .It group_file
3197: The
3198: .Em group_file
3199: plugin supports an alternate group file that uses the same syntax as the
3200: .Pa /etc/group
3201: file.
3202: The path to the group file should be specified as an option
3203: to the plugin.
3204: For example, if the group file to be used is
3205: .Pa /etc/sudo-group :
3206: .Bd -literal
3207: Defaults group_plugin="group_file.so /etc/sudo-group"
3208: .Ed
3209: .It system_group
3210: The
3211: .Em system_group
3212: plugin supports group lookups via the standard C library functions
3213: .Fn getgrnam
3214: and
3215: .Fn getgrgid .
3216: This plugin can be used in instances where the user belongs to
3217: groups not present in the user's supplemental group vector.
3218: This plugin takes no options:
3219: .Bd -literal
3220: Defaults group_plugin=system_group.so
3221: .Ed
3222: .El
3223: .Pp
3224: The group provider plugin API is described in detail in
3225: .Xr sudo_plugin @mansectsu@ .
1.1 misho 3226: .Sh LOG FORMAT
3227: .Nm sudoers
3228: can log events using either
3229: .Xr syslog 3
3230: or a simple log file.
3231: In each case the log format is almost identical.
3232: .Ss Accepted command log entries
3233: Commands that sudo runs are logged using the following format (split
3234: into multiple lines for readability):
3235: .Bd -literal -offset 4n
3236: date hostname progname: username : TTY=ttyname ; PWD=cwd ; \e
3237: USER=runasuser ; GROUP=runasgroup ; TSID=logid ; \e
3238: ENV=env_vars COMMAND=command
3239: .Ed
3240: .Pp
3241: Where the fields are as follows:
3242: .Bl -tag -width 12n
3243: .It date
3244: The date the command was run.
3245: Typically, this is in the format
3246: .Dq MMM, DD, HH:MM:SS .
3247: If logging via
3248: .Xr syslog 3 ,
3249: the actual date format is controlled by the syslog daemon.
3250: If logging to a file and the
3251: .Em log_year
3252: option is enabled,
3253: the date will also include the year.
3254: .It hostname
3255: The name of the host
3256: .Nm sudo
3257: was run on.
3258: This field is only present when logging via
3259: .Xr syslog 3 .
3260: .It progname
3261: The name of the program, usually
3262: .Em sudo
3263: or
3264: .Em sudoedit .
3265: This field is only present when logging via
3266: .Xr syslog 3 .
3267: .It username
3268: The login name of the user who ran
3269: .Nm sudo .
3270: .It ttyname
3271: The short name of the terminal (e.g.\&
3272: .Dq console ,
3273: .Dq tty01 ,
3274: or
3275: .Dq pts/0 )
3276: .Nm sudo
3277: was run on, or
3278: .Dq unknown
3279: if there was no terminal present.
3280: .It cwd
3281: The current working directory that
3282: .Nm sudo
3283: was run in.
3284: .It runasuser
3285: The user the command was run as.
3286: .It runasgroup
3287: The group the command was run as if one was specified on the command line.
3288: .It logid
3289: An I/O log identifier that can be used to replay the command's output.
3290: This is only present when the
3291: .Em log_input
3292: or
3293: .Em log_output
3294: option is enabled.
3295: .It env_vars
3296: A list of environment variables specified on the command line,
3297: if specified.
3298: .It command
3299: The actual command that was executed.
3300: .El
3301: .Pp
3302: Messages are logged using the locale specified by
3303: .Em sudoers_locale ,
3304: which defaults to the
3305: .Dq Li C
3306: locale.
3307: .Ss Denied command log entries
3308: If the user is not allowed to run the command, the reason for the denial
3309: will follow the user name.
3310: Possible reasons include:
3311: .Bl -tag -width 4
3312: .It user NOT in sudoers
3313: The user is not listed in the
3314: .Em sudoers
3315: file.
3316: .It user NOT authorized on host
3317: The user is listed in the
3318: .Em sudoers
3319: file but is not allowed to run commands on the host.
3320: .It command not allowed
3321: The user is listed in the
3322: .Em sudoers
3323: file for the host but they are not allowed to run the specified command.
3324: .It 3 incorrect password attempts
3325: The user failed to enter their password after 3 tries.
3326: The actual number of tries will vary based on the number of
3327: failed attempts and the value of the
3328: .Em passwd_tries
3329: option.
3330: .It a password is required
1.1.1.4 ! misho 3331: .Nm sudo Ns 's
1.1 misho 3332: .Fl n
3333: option was specified but a password was required.
3334: .It sorry, you are not allowed to set the following environment variables
3335: The user specified environment variables on the command line that
3336: were not allowed by
3337: .Em sudoers .
3338: .El
3339: .Ss Error log entries
3340: If an error occurs,
3341: .Nm sudoers
3342: will log a message and, in most cases, send a message to the
3343: administrator via email.
3344: Possible errors include:
3345: .Bl -tag -width 4
3346: .It parse error in @sysconfdir@/sudoers near line N
3347: .Nm sudoers
3348: encountered an error when parsing the specified file.
3349: In some cases, the actual error may be one line above or below the
3350: line number listed, depending on the type of error.
3351: .It problem with defaults entries
3352: The
3353: .Em sudoers
3354: file contains one or more unknown Defaults settings.
3355: This does not prevent
3356: .Nm sudo
3357: from running, but the
3358: .Em sudoers
3359: file should be checked using
3360: .Nm visudo .
3361: .It timestamp owner (username): \&No such user
3362: The time stamp directory owner, as specified by the
3363: .Em timestampowner
3364: setting, could not be found in the password database.
3365: .It unable to open/read @sysconfdir@/sudoers
3366: The
3367: .Em sudoers
3368: file could not be opened for reading.
3369: This can happen when the
3370: .Em sudoers
3371: file is located on a remote file system that maps user ID 0 to
3372: a different value.
3373: Normally,
3374: .Nm sudoers
3375: tries to open
3376: .Em sudoers
3377: using group permissions to avoid this problem.
1.1.1.2 misho 3378: Consider either changing the ownership of
1.1 misho 3379: .Pa @sysconfdir@/sudoers
1.1.1.2 misho 3380: or adding an argument like
1.1 misho 3381: .Dq sudoers_uid=N
3382: (where
3383: .Sq N
3384: is the user ID that owns the
3385: .Em sudoers
1.1.1.2 misho 3386: file) to the end of the
1.1 misho 3387: .Nm sudoers
1.1.1.2 misho 3388: .Li Plugin
3389: line in the
3390: .Xr sudo.conf @mansectform@
1.1 misho 3391: file.
3392: .It unable to stat @sysconfdir@/sudoers
3393: The
3394: .Pa @sysconfdir@/sudoers
3395: file is missing.
3396: .It @sysconfdir@/sudoers is not a regular file
3397: The
3398: .Pa @sysconfdir@/sudoers
3399: file exists but is not a regular file or symbolic link.
3400: .It @sysconfdir@/sudoers is owned by uid N, should be 0
3401: The
3402: .Em sudoers
3403: file has the wrong owner.
3404: If you wish to change the
3405: .Em sudoers
3406: file owner, please add
3407: .Dq sudoers_uid=N
3408: (where
3409: .Sq N
3410: is the user ID that owns the
3411: .Em sudoers
3412: file) to the
3413: .Nm sudoers
1.1.1.2 misho 3414: .Li Plugin
3415: line in the
3416: .Xr sudo.conf @mansectform@
1.1 misho 3417: file.
3418: .It @sysconfdir@/sudoers is world writable
3419: The permissions on the
3420: .Em sudoers
3421: file allow all users to write to it.
3422: The
3423: .Em sudoers
3424: file must not be world-writable; the default file mode
3425: is 0440 (readable by owner and group, writable by none).
3426: The default mode may be changed via the
3427: .Dq sudoers_mode
3428: option to the
3429: .Nm sudoers
1.1.1.2 misho 3430: .Li Plugin
3431: line in the
3432: .Xr sudo.conf @mansectform@
1.1 misho 3433: file.
3434: .It @sysconfdir@/sudoers is owned by gid N, should be 1
3435: The
3436: .Em sudoers
3437: file has the wrong group ownership.
3438: If you wish to change the
3439: .Em sudoers
3440: file group ownership, please add
3441: .Dq sudoers_gid=N
3442: (where
3443: .Sq N
3444: is the group ID that owns the
3445: .Em sudoers
3446: file) to the
3447: .Nm sudoers
1.1.1.2 misho 3448: .Li Plugin
3449: line in the
3450: .Xr sudo.conf @mansectform@
1.1 misho 3451: file.
1.1.1.4 ! misho 3452: .It unable to open @rundir@/ts/username
1.1 misho 3453: .Em sudoers
3454: was unable to read or create the user's time stamp file.
1.1.1.4 ! misho 3455: This can happen when
! 3456: .Em timestampowner
! 3457: is set to a user other than root and the mode on
! 3458: .Pa @rundir@
! 3459: is not searchable by group or other.
! 3460: The default mode for
! 3461: .Pa @rundir@
! 3462: is 0711.
! 3463: .It unable to write to @rundir@/ts/username
1.1 misho 3464: .Em sudoers
3465: was unable to write to the user's time stamp file.
1.1.1.4 ! misho 3466: .It @rundir@/ts is owned by uid X, should be Y
! 3467: The time stamp directory is owned by a user other than
! 3468: .Em timestampowner .
! 3469: This can occur when the value of
! 3470: .Em timestampowner
! 3471: has been changed.
1.1 misho 3472: .Em sudoers
1.1.1.4 ! misho 3473: will ignore the time stamp directory until the owner is corrected.
! 3474: .It @rundir@/ts is group writable
! 3475: The time stamp directory is group-writable; it should be writable only by
! 3476: .Em timestampowner .
! 3477: The default mode for the time stamp directory is 0700.
! 3478: .Em sudoers
! 3479: will ignore the time stamp directory until the mode is corrected.
1.1 misho 3480: .El
3481: .Ss Notes on logging via syslog
3482: By default,
3483: .Em sudoers
3484: logs messages via
3485: .Xr syslog 3 .
3486: The
3487: .Em date ,
3488: .Em hostname ,
3489: and
3490: .Em progname
3491: fields are added by the syslog daemon, not
3492: .Em sudoers
3493: itself.
3494: As such, they may vary in format on different systems.
3495: .Pp
3496: On most systems,
3497: .Xr syslog 3
3498: has a relatively small log buffer.
3499: To prevent the command line arguments from being truncated,
3500: .Nm sudoers
3501: will split up log messages that are larger than 960 characters
3502: (not including the date, hostname, and the string
3503: .Dq sudo ) .
3504: When a message is split, additional parts will include the string
3505: .Dq Pq command continued
3506: after the user name and before the continued command line arguments.
3507: .Ss Notes on logging to a file
3508: If the
3509: .Em logfile
3510: option is set,
3511: .Em sudoers
3512: will log to a local file, such as
3513: .Pa /var/log/sudo .
3514: When logging to a file,
3515: .Em sudoers
3516: uses a format similar to
3517: .Xr syslog 3 ,
3518: with a few important differences:
3519: .Bl -enum
3520: .It
3521: The
3522: .Em progname
3523: and
3524: .Em hostname
3525: fields are not present.
3526: .It
3527: If the
3528: .Em log_year
3529: option is enabled,
3530: the date will also include the year.
3531: .It
3532: Lines that are longer than
3533: .Em loglinelen
3534: characters (80 by default) are word-wrapped and continued on the
3535: next line with a four character indent.
3536: This makes entries easier to read for a human being, but makes it
3537: more difficult to use
3538: .Xr grep 1
3539: on the log files.
3540: If the
3541: .Em loglinelen
3542: option is set to 0 (or negated with a
3543: .Ql \&! ) ,
3544: word wrap will be disabled.
3545: .El
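.Pp
The accepted and denied entry forms, the 960-character split with (command continued) and the loglinelen word wrap described above, handled by an added Python parser (not code from the sudo project). The lines in SAMPLE_LOG are constructed for the example, not captured from a real host.

```python
"""Parse sudoers accept/deny log entries (syslog or logfile form).
Added example, not sudo's own code; SAMPLE_LOG is constructed, not captured."""
import re
from dataclasses import dataclass, field

# Denial reasons listed in the manual.  When the text after the user name
# starts with one of these the command was denied; otherwise the TTY=...
# field list follows the user name directly and the command was accepted.
DENIAL_REASONS = (
    "user NOT in sudoers",
    "user NOT authorized on host",
    "command not allowed",
    "a password is required",
    "sorry, you are not allowed to set the following environment variables",
)
DENIAL_RE = re.compile(
    r"^(?:\d+ incorrect password attempts|"
    + "|".join(re.escape(r) for r in DENIAL_REASONS) + r")"
)
CONTINUED = "(command continued) "

# syslog: "date hostname progname[pid]: body"; logfile: "date[ year] : body".
SYSLOG_RE = re.compile(
    r"^(?P<date>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"(?P<prog>[\w.-]+)(?:\[\d+\])?: (?P<body>.*)$"
)
LOGFILE_RE = re.compile(
    r"^(?P<date>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}(?: \d{4})?) : (?P<body>.*)$"
)

SAMPLE_LOG = """\
Feb 15 10:32:01 host1 sudo: millert : TTY=pts/0 ; PWD=/home/millert ; USER=root ; COMMAND=/usr/bin/id
Feb 15 10:33:12 host1 sudo: jwfox : command not allowed ; TTY=pts/1 ; PWD=/home/jwfox ; USER=root ; COMMAND=/usr/bin/su
Feb 15 10:34:00 host1 sshd[123]: Accepted publickey for jdoe from 192.0.2.7 port 4022
Feb 15 10:34:05 host1 sudo: jdoe : 3 incorrect password attempts ; TTY=pts/2 ; PWD=/tmp ; USER=root ; COMMAND=/bin/ls
Feb 15 10:35:00 host1 sudo: millert : TTY=pts/0 ; PWD=/home/millert ; USER=root ; ENV=FOO=bar COMMAND=/usr/bin/echo aaaa
Feb 15 10:35:00 host1 sudo: millert : (command continued) bbbb
Feb 15 10:36:00 2014 : dowdy : TTY=pts/3 ; PWD=/home/dowdy ; USER=root ;
    GROUP=wheel ; COMMAND=/usr/sbin/shutdown -h now
"""

@dataclass
class SudoEntry:
    date: str
    user: str
    denied: bool
    reason: str = ""
    fields: dict = field(default_factory=dict)
    command: str = ""
    continued: bool = False

def unwrap_logfile(text):
    """Undo loglinelen word wrapping: continuation lines carry a 4-space indent."""
    lines = []
    for line in text.splitlines():
        if line.startswith("    ") and lines:
            lines[-1] += " " + line.strip()
        else:
            lines.append(line)
    return lines

def parse_body(date, body):
    """Parse 'username : [reason ;] KEY=val ; ... COMMAND=cmd' or a continuation."""
    user, sep, rest = body.partition(" : ")
    if not sep:
        raise ValueError("not a sudoers log body: %r" % body)
    if rest.startswith(CONTINUED):
        return SudoEntry(date, user, False, command=rest[len(CONTINUED):],
                         continued=True)
    reason = ""
    if DENIAL_RE.match(rest):
        reason, _, rest = rest.partition(" ; ")
    # COMMAND= is always last; ENV= (when present) precedes it separated by a
    # space, every other field by " ; ".
    head, _, command = rest.partition("COMMAND=")
    fields = {}
    for part in head.split(" ; "):
        part = part.strip()
        if part:
            key, _, value = part.partition("=")
            fields[key] = value
    return SudoEntry(date, user, bool(reason), reason, fields, command)

def parse_log(text):
    """Parse a syslog or logfile excerpt, rejoining messages sudoers split."""
    entries = []
    for line in unwrap_logfile(text):
        m = SYSLOG_RE.match(line) or LOGFILE_RE.match(line)
        if not m or " : " not in m.group("body"):
            continue  # not a sudoers entry (e.g. other syslog traffic)
        entry = parse_body(m.group("date"), m.group("body"))
        # Messages over 960 characters are split; later parts repeat the user
        # name and "(command continued)".  Assumes the break fell at a space.
        if entry.continued and entries and entries[-1].user == entry.user:
            entries[-1].command += " " + entry.command
        else:
            entries.append(entry)
    return entries
```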
3546: .Sh FILES
3547: .Bl -tag -width 24n
3548: .It Pa @sysconfdir@/sudo.conf
3549: Sudo front end configuration
3550: .It Pa @sysconfdir@/sudoers
3551: List of who can run what
3552: .It Pa /etc/group
3553: Local groups file
3554: .It Pa /etc/netgroup
3555: List of network groups
3556: .It Pa @iolog_dir@
3557: I/O log files
1.1.1.4 ! misho 3558: .It Pa @rundir@/ts
1.1 misho 3559: Directory containing time stamps for the
3560: .Em sudoers
3561: security policy
1.1.1.4 ! misho 3562: .It Pa @vardir@/lectured
! 3563: Directory containing lecture status files for the
! 3564: .Em sudoers
! 3565: security policy
1.1 misho 3566: .It Pa /etc/environment
3567: Initial environment for
3568: .Fl i
3569: mode on AIX and Linux systems
3570: .El
3571: .Sh EXAMPLES
3572: Below are example
3573: .Em sudoers
3574: entries.
3575: Admittedly, some of these are a bit contrived.
3576: First, we allow a few environment variables to pass and then define our
3577: .Em aliases :
3578: .Bd -literal
3579: # Run X applications through sudo; HOME is used to find the
3580: # .Xauthority file. Note that other programs use HOME to find
3581: # configuration files and this may lead to privilege escalation!
3582: Defaults env_keep += "DISPLAY HOME"
3583:
3584: # User alias specification
3585: User_Alias FULLTIMERS = millert, mikef, dowdy
3586: User_Alias PARTTIMERS = bostley, jwfox, crawl
3587: User_Alias WEBMASTERS = will, wendy, wim
3588:
3589: # Runas alias specification
3590: Runas_Alias OP = root, operator
3591: Runas_Alias DB = oracle, sybase
3592: Runas_Alias ADMINGRP = adm, oper
3593:
3594: # Host alias specification
3595: Host_Alias SPARC = bigtime, eclipse, moet, anchor :\e
3596: SGI = grolsch, dandelion, black :\e
3597: ALPHA = widget, thalamus, foobar :\e
3598: HPPA = boa, nag, python
3599: Host_Alias CUNETS = 128.138.0.0/255.255.0.0
3600: Host_Alias CSNETS = 128.138.243.0, 128.138.204.0/24, 128.138.242.0
3601: Host_Alias SERVERS = master, mail, www, ns
3602: Host_Alias CDROM = orion, perseus, hercules
3603:
3604: # Cmnd alias specification
3605: Cmnd_Alias DUMPS = /usr/bin/mt, /usr/sbin/dump, /usr/sbin/rdump,\e
1.1.1.2 misho 3606: /usr/sbin/restore, /usr/sbin/rrestore,\e
3607: sha224:0GomF8mNN3wlDt1HD9XldjJ3SNgpFdbjO1+NsQ== \e
3608: /home/operator/bin/start_backups
1.1 misho 3609: Cmnd_Alias KILL = /usr/bin/kill
3610: Cmnd_Alias PRINTING = /usr/sbin/lpc, /usr/bin/lprm
3611: Cmnd_Alias SHUTDOWN = /usr/sbin/shutdown
3612: Cmnd_Alias HALT = /usr/sbin/halt
3613: Cmnd_Alias REBOOT = /usr/sbin/reboot
3614: Cmnd_Alias SHELLS = /usr/bin/sh, /usr/bin/csh, /usr/bin/ksh,\e
3615: /usr/local/bin/tcsh, /usr/bin/rsh,\e
3616: /usr/local/bin/zsh
3617: Cmnd_Alias SU = /usr/bin/su
3618: Cmnd_Alias PAGERS = /usr/bin/more, /usr/bin/pg, /usr/bin/less
3619: .Ed
3620: .Pp
3621: Here we override some of the compiled in default values.
3622: We want
3623: .Nm sudo
3624: to log via
3625: .Xr syslog 3
3626: using the
3627: .Em auth
3628: facility in all cases.
3629: We don't want to subject the full time staff to the
3630: .Nm sudo
3631: lecture, user
3632: .Sy millert
3633: need not give a password, and we don't want to reset the
3634: .Ev LOGNAME ,
3635: .Ev USER
3636: or
3637: .Ev USERNAME
3638: environment variables when running commands as root.
3639: Additionally, on the machines in the
3640: .Em SERVERS
3641: .Li Host_Alias ,
3642: we keep an additional local log file and make sure we log the year
3643: in each log line since the log entries will be kept around for several years.
3644: Lastly, we disable shell escapes for the commands in the PAGERS
3645: .Li Cmnd_Alias
3646: .Po
3647: .Pa /usr/bin/more ,
3648: .Pa /usr/bin/pg
3649: and
3650: .Pa /usr/bin/less
3651: .Pc .
1.1.1.3 misho 3652: Note that this will not effectively constrain users with
3653: .Nm sudo
3654: .Sy ALL
3655: privileges.
1.1 misho 3656: .Bd -literal
3657: # Override built-in defaults
3658: Defaults syslog=auth
3659: Defaults>root !set_logname
3660: Defaults:FULLTIMERS !lecture
3661: Defaults:millert !authenticate
3662: Defaults@SERVERS log_year, logfile=/var/log/sudo.log
3663: Defaults!PAGERS noexec
3664: .Ed
3665: .Pp
3666: The
3667: .Em User specification
3668: is the part that actually determines who may run what.
3669: .Bd -literal
3670: root ALL = (ALL) ALL
3671: %wheel ALL = (ALL) ALL
3672: .Ed
3673: .Pp
3674: We let
3675: .Sy root
3676: and any user in group
3677: .Sy wheel
3678: run any command on any host as any user.
3679: .Bd -literal
3680: FULLTIMERS ALL = NOPASSWD: ALL
3681: .Ed
3682: .Pp
3683: Full time sysadmins
3684: .Po
3685: .Sy millert ,
3686: .Sy mikef ,
3687: and
3688: .Sy dowdy
3689: .Pc
3690: may run any command on any host without authenticating themselves.
3691: .Bd -literal
3692: PARTTIMERS ALL = ALL
3693: .Ed
3694: .Pp
3695: Part time sysadmins
3696: .Po Sy bostley ,
3697: .Sy jwfox ,
3698: and
3699: .Sy crawl Pc
3700: may run any command on any host but they must authenticate themselves
3701: first (since the entry lacks the
3702: .Li NOPASSWD
3703: tag).
3704: .Bd -literal
3705: jack CSNETS = ALL
3706: .Ed
3707: .Pp
3708: The user
3709: .Sy jack
3710: may run any command on the machines in the
3711: .Em CSNETS
3712: alias (the networks
3713: .Li 128.138.243.0 ,
3714: .Li 128.138.204.0 ,
3715: and
3716: .Li 128.138.242.0 ) .
3717: Of those networks, only
3718: .Li 128.138.204.0
3719: has an explicit netmask (in CIDR notation) indicating it is a class C network.
3720: For the other networks in
3721: .Em CSNETS ,
3722: the local machine's netmask will be used during matching.
3723: .Bd -literal
3724: lisa CUNETS = ALL
3725: .Ed
3726: .Pp
3727: The user
3728: .Sy lisa
3729: may run any command on any host in the
3730: .Em CUNETS
3731: alias (the class B network
3732: .Li 128.138.0.0 ) .
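.Pp
The network matching described for CSNETS and CUNETS, as an added Python model (not code from the sudo project): an entry with an explicit netmask is matched with that mask, a bare address is matched against each local interface using the interface's own netmask. The (address, netmask) pairs are constructed inputs.

```python
"""Match a local machine against Host_Alias network entries.

Added example modelled on the matching this section describes; it is not
sudo's own code.  Interface addresses are passed in as (address, netmask)
pairs so the logic can be run on constructed inputs.
"""
import ipaddress

# Host_Alias networks from the examples in this section.
CSNETS = ["128.138.243.0", "128.138.204.0/24", "128.138.242.0"]
CUNETS = ["128.138.0.0/255.255.0.0"]


def host_entry_matches(entry, interfaces):
    """True if one local interface falls inside `entry`.

    An entry written with a netmask (CIDR or dotted) is matched with that
    mask.  A bare address matches an interface exactly, or matches the
    interface's network address computed with the interface's own netmask,
    which is the "local machine's netmask" rule from the text."""
    if "/" in entry:
        net = ipaddress.ip_network(entry, strict=False)
        return any(ipaddress.ip_address(ip) in net for ip, _ in interfaces)
    addr = ipaddress.ip_address(entry)
    for ip, mask in interfaces:
        if ipaddress.ip_address(ip) == addr:
            return True
        local_net = ipaddress.ip_network("%s/%s" % (ip, mask), strict=False)
        if local_net.network_address == addr:
            return True
    return False


def host_alias_matches(entries, interfaces):
    """A Host_Alias matches when any of its entries does."""
    return any(host_entry_matches(e, interfaces) for e in entries)
```

A host on 128.138.242.9 with a class B interface netmask does not match CSNETS, because its network address is 128.138.0.0, while the explicit /24 entry matches regardless of the local netmask.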
3733: .Bd -literal
3734: operator ALL = DUMPS, KILL, SHUTDOWN, HALT, REBOOT, PRINTING,\e
3735: sudoedit /etc/printcap, /usr/oper/bin/
3736: .Ed
3737: .Pp
3738: The
3739: .Sy operator
3740: user may run commands limited to simple maintenance.
3741: Here, those are commands related to backups, killing processes, the
3742: printing system, shutting down the system, and any commands in the
3743: directory
3744: .Pa /usr/oper/bin/ .
1.1.1.2 misho 3745: Note that one command in the
3746: .Li DUMPS
3747: Cmnd_Alias includes a sha224 digest,
3748: .Pa /home/operator/bin/start_backups .
3749: This is because the directory containing the script is writable by the
3750: operator user.
3751: If the script is modified (resulting in a digest mismatch) it will no longer
3752: be possible to run it via
3753: .Nm sudo .
1.1 misho 3754: .Bd -literal
3755: joe ALL = /usr/bin/su operator
3756: .Ed
3757: .Pp
3758: The user
3759: .Sy joe
3760: may only
3761: .Xr su 1
3762: to operator.
3763: .Bd -literal
3764: pete HPPA = /usr/bin/passwd [A-Za-z]*, !/usr/bin/passwd root
3765:
3766: %opers ALL = (: ADMINGRP) /usr/sbin/
3767: .Ed
3768: .Pp
3769: Users in the
3770: .Sy opers
3771: group may run commands in
3772: .Pa /usr/sbin/
3773: as themselves
3774: with any group in the
3775: .Em ADMINGRP
3776: .Li Runas_Alias
3777: (the
3778: .Sy adm
3779: and
3780: .Sy oper
3781: groups).
3782: .Pp
3783: The user
3784: .Sy pete
3785: is allowed to change anyone's password except for
3786: root on the
3787: .Em HPPA
3788: machines.
3789: Note that this assumes
3790: .Xr passwd 1
3791: does not take multiple user names on the command line.
3792: .Bd -literal
3793: bob SPARC = (OP) ALL : SGI = (OP) ALL
3794: .Ed
3795: .Pp
3796: The user
3797: .Sy bob
3798: may run anything on the
3799: .Em SPARC
3800: and
3801: .Em SGI
3802: machines as any user listed in the
3803: .Em OP
3804: .Li Runas_Alias
3805: .Po
3806: .Sy root
3807: and
3808: .Sy operator
3809: .Pc .
3810: .Bd -literal
3811: jim +biglab = ALL
3812: .Ed
3813: .Pp
3814: The user
3815: .Sy jim
3816: may run any command on machines in the
3817: .Em biglab
3818: netgroup.
3819: .Nm sudo
3820: knows that
3821: .Dq biglab
3822: is a netgroup due to the
3823: .Ql +
3824: prefix.
3825: .Bd -literal
3826: +secretaries ALL = PRINTING, /usr/bin/adduser, /usr/bin/rmuser
3827: .Ed
3828: .Pp
3829: Users in the
3830: .Sy secretaries
3831: netgroup need to help manage the printers as well as add and remove users,
3832: so they are allowed to run those commands on all machines.
3833: .Bd -literal
3834: fred ALL = (DB) NOPASSWD: ALL
3835: .Ed
3836: .Pp
3837: The user
3838: .Sy fred
3839: can run commands as any user in the
3840: .Em DB
3841: .Li Runas_Alias
3842: .Po
3843: .Sy oracle
3844: or
3845: .Sy sybase
3846: .Pc
3847: without giving a password.
3848: .Bd -literal
3849: john ALPHA = /usr/bin/su [!-]*, !/usr/bin/su *root*
3850: .Ed
3851: .Pp
3852: On the
3853: .Em ALPHA
3854: machines, user
3855: .Sy john
3856: may su to anyone except root but he is not allowed to specify any options
3857: to the
3858: .Xr su 1
3859: command.
3860: .Bd -literal
3861: jen ALL, !SERVERS = ALL
3862: .Ed
3863: .Pp
3864: The user
3865: .Sy jen
3866: may run any command on any machine except for those in the
3867: .Em SERVERS
3868: .Li Host_Alias
3869: (master, mail, www and ns).
3870: .Bd -literal
3871: jill SERVERS = /usr/bin/, !SU, !SHELLS
3872: .Ed
3873: .Pp
3874: For any machine in the
3875: .Em SERVERS
3876: .Li Host_Alias ,
3877: .Sy jill
3878: may run
3879: any commands in the directory
3880: .Pa /usr/bin/
3881: except for those commands
3882: belonging to the
3883: .Em SU
3884: and
3885: .Em SHELLS
3886: .Li Cmnd_Aliases .
1.1.1.3 misho 3887: While not specifically mentioned in the rule, the commands in the
3888: .Em PAGERS
3889: .Li Cmnd_Alias
3890: all reside in
3891: .Pa /usr/bin
3892: and have the
3893: .Em noexec
3894: option set.
1.1 misho 3895: .Bd -literal
3896: steve CSNETS = (operator) /usr/local/op_commands/
3897: .Ed
3898: .Pp
3899: The user
3900: .Sy steve
3901: may run any command in the directory /usr/local/op_commands/
3902: but only as user operator.
3903: .Bd -literal
3904: matt valkyrie = KILL
3905: .Ed
3906: .Pp
3907: On his personal workstation, valkyrie,
3908: .Sy matt
3909: needs to be able to kill hung processes.
3910: .Bd -literal
3911: WEBMASTERS www = (www) ALL, (root) /usr/bin/su www
3912: .Ed
3913: .Pp
3914: On the host www, any user in the
3915: .Em WEBMASTERS
3916: .Li User_Alias
3917: (will, wendy, and wim) may run any command as user www (which owns the
3918: web pages) or simply
3919: .Xr su 1
3920: to www.
3921: .Bd -literal
3922: ALL CDROM = NOPASSWD: /sbin/umount /CDROM,\e
3923: /sbin/mount -o nosuid\,nodev /dev/cd0a /CDROM
3924: .Ed
3925: .Pp
3926: Any user may mount or unmount a CD-ROM on the machines in the CDROM
3927: .Li Host_Alias
3928: (orion, perseus, hercules) without entering a password.
3929: This is a bit tedious for users to type, so it is a prime candidate
3930: for encapsulating in a shell script.
3931: .Sh SECURITY NOTES
3932: .Ss Limitations of the So !\& Sc operator
3933: It is generally not effective to
3934: .Dq subtract
3935: commands from
3936: .Sy ALL
3937: using the
3938: .Ql !\&
3939: operator.
3940: A user can trivially circumvent this by copying the desired command
3941: to a different name and then executing that.
3942: For example:
3943: .Bd -literal
3944: bill ALL = ALL, !SU, !SHELLS
3945: .Ed
3946: .Pp
3947: Doesn't really prevent
3948: .Sy bill
3949: from running the commands listed in
3950: .Em SU
3951: or
3952: .Em SHELLS
3953: since he can simply copy those commands to a different name, or use
3954: a shell escape from an editor or other program.
3955: Therefore, this kind of restriction should be considered
3956: advisory at best (and reinforced by policy).
3957: .Pp
3958: In general, if a user has sudo
3959: .Sy ALL
3960: there is nothing to prevent them from creating their own program that gives
3961: them a root shell (or making their own copy of a shell) regardless of any
3962: .Ql !\&
3963: elements in the user specification.
3964: .Ss Security implications of Em fast_glob
3965: If the
3966: .Em fast_glob
3967: option is in use, it is not possible to reliably negate commands where the
3968: path name includes globbing (aka wildcard) characters.
3969: This is because the C library's
3970: .Xr fnmatch 3
3971: function cannot resolve relative paths.
3972: While this is typically only an inconvenience for rules that grant privileges,
3973: it can result in a security issue for rules that subtract or revoke privileges.
3974: .Pp
3975: For example, given the following
3976: .Em sudoers
3977: entry:
3978: .Bd -literal
3979: john ALL = /usr/bin/passwd [a-zA-Z0-9]*, /usr/bin/chsh [a-zA-Z0-9]*,\e
3980: /usr/bin/chfn [a-zA-Z0-9]*, !/usr/bin/* root
3981: .Ed
3982: .Pp
3983: User
3984: .Sy john
3985: can still run
3986: .Li /usr/bin/passwd root
3987: if
3988: .Em fast_glob
3989: is enabled by changing to
3990: .Pa /usr/bin
3991: and running
3992: .Li ./passwd root
3993: instead.
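.Pp
Why the negated entry fails under fast_glob, as an added Python model of the matching (not code from the sudo project): a command spec without wildcards is matched by the file actually run (modelled here by resolving the path against the working directory, where sudoers compares inodes), while a wildcard spec is matched with fnmatch(3) on the literal string under fast_glob or against the resolved path with the default glob(3) behaviour. The rule list is the john entry from the text.

```python
"""Model sudoers command matching with and without fast_glob.

Added example, not sudo's own code.  It reproduces the matching rules this
section describes for the john entry: commands without wildcards are compared
by the file actually run, wildcard commands are matched with fnmatch(3) on the
literal string under fast_glob, or against the resolved path otherwise.
"""
import fnmatch
import os.path

# The entry from the text; (command spec, allowed) in sudoers order.
JOHN_RULES = [
    ("/usr/bin/passwd [a-zA-Z0-9]*", True),
    ("/usr/bin/chsh [a-zA-Z0-9]*", True),
    ("/usr/bin/chfn [a-zA-Z0-9]*", True),
    ("/usr/bin/* root", False),
]


def has_meta(s):
    return any(c in s for c in "\\?*[]")


def cmnd_matches(sudoers_cmnd, user_cmnd, cwd, fast_glob):
    """Match the command part only; arguments are matched separately."""
    # sudoers identifies a wildcard-free command by the inode of the file the
    # user ran; resolving the path relative to cwd stands in for that here.
    resolved = os.path.normpath(os.path.join(cwd, user_cmnd))
    if not has_meta(sudoers_cmnd):
        return resolved == sudoers_cmnd
    # fast_glob: fnmatch(3) on the string as typed, so "./passwd" can never
    # match "/usr/bin/*".  Default: glob(3) expands the pattern to real files,
    # which the resolved path is compared against.  (Python's fnmatch lets
    # "*" cross "/", unlike FNM_PATHNAME; irrelevant for these rules.)
    target = user_cmnd if fast_glob else resolved
    return fnmatch.fnmatchcase(target, sudoers_cmnd)


def verdict(cmdline, cwd, fast_glob):
    """Last matching rule wins, as in sudoers; None when nothing matches."""
    user_cmnd, _, user_args = cmdline.partition(" ")
    result = None
    for spec, allowed in JOHN_RULES:
        sudoers_cmnd, _, sudoers_args = spec.partition(" ")
        if (cmnd_matches(sudoers_cmnd, user_cmnd, cwd, fast_glob)
                and fnmatch.fnmatchcase(user_args, sudoers_args)):
            result = allowed
    return result
```

With fast_glob disabled the negation is evaluated against the resolved path and the root case is refused from any working directory.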
3994: .Ss Preventing shell escapes
3995: Once
3996: .Nm sudo
3997: executes a program, that program is free to do whatever
3998: it pleases, including run other programs.
3999: This can be a security issue since it is not uncommon for a program to
4000: allow shell escapes, which lets a user bypass
1.1.1.4 ! misho 4001: .Nm sudo Ns 's
1.1 misho 4002: access control and logging.
4003: Common programs that permit shell escapes include shells (obviously),
4004: editors, paginators, mail and terminal programs.
4005: .Pp
4006: There are two basic approaches to this problem:
4007: .Bl -tag -width 8n
4008: .It restrict
4009: Avoid giving users access to commands that allow the user to run
4010: arbitrary commands.
4011: Many editors have a restricted mode where shell
4012: escapes are disabled, though
4013: .Nm sudoedit
4014: is a better solution to
4015: running editors via
4016: .Nm sudo .
4017: Due to the large number of programs that
4018: offer shell escapes, restricting users to the set of programs that
4019: do not is often unworkable.
4020: .It noexec
4021: Many systems that support shared libraries have the ability to
4022: override default library functions by pointing an environment
4023: variable (usually
4024: .Ev LD_PRELOAD )
4025: to an alternate shared library.
4026: On such systems,
1.1.1.4 ! misho 4027: .Nm sudo Ns 's
1.1 misho 4028: .Em noexec
4029: functionality can be used to prevent a program run by
4030: .Nm sudo
4031: from executing any other programs.
4032: Note, however, that this applies only to native dynamically-linked
4033: executables.
4034: Statically-linked executables and foreign executables
4035: running under binary emulation are not affected.
4036: .Pp
4037: The
4038: .Em noexec
4039: feature is known to work on SunOS, Solaris, *BSD,
4040: Linux, IRIX, Tru64 UNIX, MacOS X, HP-UX 11.x and AIX 5.3 and above.
4041: It should be supported on most operating systems that support the
4042: .Ev LD_PRELOAD
4043: environment variable.
4044: Check your operating system's manual pages for the dynamic linker
4045: (usually ld.so, ld.so.1, dyld, dld.sl, rld, or loader) to see if
4046: .Ev LD_PRELOAD
4047: is supported.
4048: .Pp
4049: On Solaris 10 and higher,
4050: .Em noexec
4051: uses Solaris privileges instead of the
4052: .Ev LD_PRELOAD
4053: environment variable.
4054: .Pp
4055: To enable
4056: .Em noexec
4057: for a command, use the
4058: .Li NOEXEC
4059: tag as documented
4060: in the User Specification section above.
4061: Here is that example again:
4062: .Bd -literal
4063: aaron shanty = NOEXEC: /usr/bin/more, /usr/bin/vi
4064: .Ed
4065: .Pp
4066: This allows user
4067: .Sy aaron
4068: to run
4069: .Pa /usr/bin/more
4070: and
4071: .Pa /usr/bin/vi
4072: with
4073: .Em noexec
4074: enabled.
4075: This will prevent those two commands from
4076: executing other commands (such as a shell).
4077: If you are unsure whether or not your system is capable of supporting
4078: .Em noexec
4079: you can always just try it out and check whether shell escapes work when
4080: .Em noexec
4081: is enabled.
4082: .El
4083: .Pp
4084: Note that restricting shell escapes is not a panacea.
4085: Programs running as root are still capable of many potentially hazardous
4086: operations (such as changing or overwriting files) that could lead
4087: to unintended privilege escalation.
4088: In the specific case of an editor, a safer approach is to give the
4089: user permission to run
1.1.1.4 ! misho 4090: .Nm sudoedit
! 4091: (see below).
! 4092: .Ss Secure editing
! 4093: The
! 4094: .Em sudoers
! 4095: plugin includes
! 4096: .Nm sudoedit
! 4097: support which allows users to securely edit files with the editor
! 4098: of their choice.
! 4099: As
! 4100: .Nm sudoedit
! 4101: is a built-in command, it must be specified in
! 4102: .Em sudoers
! 4103: without a leading path.
! 4104: However, it may take command line arguments just as a normal command does.
! 4105: For example, to allow user operator to edit the
! 4106: .Dq message of the day
! 4107: file:
! 4108: .Bd -literal -offset indent
! 4109: operator sudoedit /etc/motd
! 4110: .Ed
! 4111: .Pp
! 4112: The operator user then runs
! 4113: .Nm sudoedit
! 4114: as follows:
! 4115: .Bd -literal -offset indent
! 4116: $ sudoedit /etc/motd
! 4117: .Ed
! 4118: .Pp
! 4119: The editor will run as the operator user, not root, on a temporary copy of
! 4120: .Pa /etc/motd .
! 4121: After the file has been edited,
! 4122: .Pa /etc/motd
! 4123: will be updated with the contents of the temporary copy.
1.1 misho 4124: .Ss Time stamp file checks
4125: .Em sudoers
4126: will check the ownership of its time stamp directory
4127: .Po
1.1.1.4 ! misho 4128: .Pa @rundir@/ts
1.1 misho 4129: by default
4130: .Pc
4131: and ignore the directory's contents if it is not owned by root or
4132: if it is writable by a user other than root.
1.1.1.4 ! misho 4133: Older versions of
! 4134: .Nm sudo
! 4135: stored time stamp files in
! 4136: .Pa /tmp ;
! 4137: this is no longer recommended as it may be possible for a user
! 4138: to create the time stamp themselves on systems that allow
! 4139: unprivileged users to change the ownership of files they create.
! 4140: .Pp
! 4141: While the time stamp directory
! 4142: .Em should
! 4143: be cleared at reboot time, not all systems contain a
! 4144: .Pa /var/run
! 4145: directory.
! 4146: To avoid potential problems,
! 4147: .Em sudoers
! 4148: will ignore time stamp files that date from before the machine booted
! 4149: on systems where the boot time is available.
! 4150: .Pp
! 4151: Some systems with graphical desktop environments allow unprivileged
! 4152: users to change the system clock.
! 4153: Since
! 4154: .Em sudoers
! 4155: relies on the system clock for time stamp validation, it may be
! 4156: possible on such systems for a user to run
! 4157: .Nm sudo
! 4158: for longer than
! 4159: .Em timestamp_timeout
! 4160: by setting the clock back.
! 4161: To combat this,
! 4162: .Em sudoers
! 4163: uses a monotonic clock (which never moves backwards) for its time stamps
! 4164: if the system supports it.
1.1 misho 4165: .Pp
4166: .Em sudoers
4167: will not honor time stamps set far in the future.
4168: Time stamps with a date greater than current_time + 2 *
4169: .Li TIMEOUT
1.1.1.4 ! misho 4170: will be ignored and
1.1 misho 4171: .Em sudoers
1.1.1.4 ! misho 4172: will log and complain.
1.1 misho 4173: .Pp
4174: Since time stamp files live in the file system, they can outlive a
4175: user's login session.
4176: As a result, a user may be able to login, run a command with
4177: .Nm sudo
4178: after authenticating, logout, login again, and run
4179: .Nm sudo
1.1.1.4 ! misho 4180: without authenticating so long as the record's time stamp is within
1.1 misho 4181: .Li @timeout@
1.1.1.4 ! misho 4182: minutes (or whatever value the timeout is set to in
1.1 misho 4183: .Em sudoers ) .
4184: When the
4185: .Em tty_tickets
1.1.1.4 ! misho 4186: option is enabled, the time stamp record includes the device
! 4187: number of the terminal the user authenticated with.
! 4188: This provides per-tty granularity but time stamp records still
1.1 misho 4189: may outlive the user's session.
1.1.1.4 ! misho 4190: The time stamp record also includes the session ID of the process
! 4191: that last authenticated.
! 4192: This prevents processes in different terminal sessions from using
! 4193: the same time stamp record.
! 4194: It also helps reduce the chance that a user will be able to run
! 4195: .Nm sudo
! 4196: without entering a password when logging out and back in again
! 4197: on the same terminal.
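.Pp
The validation rules above (timeout, records from before boot, records too far in the future, the terminal device number under tty_tickets and the session ID), as an added Python function (not code from the sudo project). Record and context values are constructed; the status names are this example's own.

```python
"""Decide whether a cached sudoers time stamp record still authorizes a user.

Added example implementing the checks this section describes; it is not
sudo's own code.  Record and context values are constructed so the function
can be exercised without a live system; times are seconds on the monotonic
clock the text says sudoers prefers when the system provides one.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass
class TimestampRecord:
    ts: float               # when the user last authenticated
    tty_dev: Optional[int]  # terminal device number (tty_tickets), else None
    sid: int                # session ID of the process that authenticated


@dataclass
class Context:
    now: float
    boot_time: Optional[float]  # None where the boot time is unavailable
    timeout_min: float          # timestamp_timeout, in minutes
    tty_dev: Optional[int]
    sid: int
    tty_tickets: bool = True


def timestamp_status(rec, ctx):
    """Return 'valid', 'expired', 'future', 'stale_boot' or 'mismatch'."""
    timeout = ctx.timeout_min * 60
    if ctx.tty_tickets and rec.tty_dev != ctx.tty_dev:
        return "mismatch"    # record belongs to a different terminal
    if rec.sid != ctx.sid:
        return "mismatch"    # same tty, but a different login session
    if ctx.boot_time is not None and rec.ts < ctx.boot_time:
        return "stale_boot"  # left over from before the machine booted
    if rec.ts > ctx.now + 2 * timeout:
        return "future"      # too far ahead: sudoers logs and ignores it
    if ctx.now - rec.ts > timeout:
        return "expired"
    return "valid"


def password_required(rec, ctx):
    """Only a record that passes every check lets the user skip the prompt."""
    return timestamp_status(rec, ctx) != "valid"
```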
.Sh DEBUGGING
Versions 1.8.4 and higher of the
.Nm sudoers
plugin support a flexible debugging framework that can help track
down what the plugin is doing internally if there is a problem.
This can be configured in the
.Xr sudo.conf @mansectform@
file.
.Pp
The
.Nm sudoers
plugin uses the same debug flag format as the
.Nm sudo
front-end:
.Em subsystem Ns @ Ns Em priority .
.Pp
The priorities used by
.Nm sudoers ,
in order of decreasing severity,
are:
.Em crit , err , warn , notice , diag , info , trace
and
.Em debug .
Each priority, when specified, also includes all priorities of
greater severity than it.
For example, a priority of
.Em notice
would include debug messages logged at
.Em notice
and higher.
.Pp
The following subsystems are used by the
.Nm sudoers
plugin:
.Bl -tag -width 8n
.It Em alias
.Li User_Alias ,
.Li Runas_Alias ,
.Li Host_Alias
and
.Li Cmnd_Alias
processing
.It Em all
matches every subsystem
.It Em audit
BSM and Linux audit code
.It Em auth
user authentication
.It Em defaults
.Em sudoers
.Em Defaults
settings
.It Em env
environment handling
.It Em ldap
LDAP-based sudoers
.It Em logging
logging support
.It Em match
matching of users, groups, hosts and netgroups in
.Em sudoers
.It Em netif
network interface handling
.It Em nss
network service switch handling in
.Em sudoers
.It Em parser
.Em sudoers
file parsing
.It Em perms
permission setting
.It Em plugin
The equivalent of
.Em main
for the plugin.
.It Em pty
pseudo-tty related code
.It Em rbtree
red-black tree internals
.It Em sssd
SSSD-based sudoers
.It Em util
utility functions
.El
.Pp
For example:
.Bd -literal
Debug sudo /var/log/sudo_debug match@info,nss@info
.Ed
.Pp
For more information, see the
.Xr sudo.conf @mansectform@
manual.
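.Pp
The following added example, which is not part of the sudo sources,
models the flag syntax described above in Python: it splits a
.Xr sudo.conf @mansectform@
Debug line into program, log file and flag list, expands
.Em all
and the priority ordering, and answers whether a message from a given
subsystem at a given priority would be written to the log.
Its function names, the handling of a subsystem listed twice (the most
verbose setting wins) and the rejection of unknown names are assumptions
of the model, not behaviour documented on this page.

```python
"""Model of the sudoers debug flag syntax: subsystem@priority.

Added illustration, not sudo's own code.  Function names, duplicate
handling and error behaviour are assumptions of this model.
"""
import re

# Priorities in order of decreasing severity, as listed in the manual.
PRIORITIES = ("crit", "err", "warn", "notice", "diag", "info", "trace", "debug")

# Subsystems used by the sudoers plugin, as listed in the manual.
SUBSYSTEMS = frozenset((
    "alias", "audit", "auth", "defaults", "env", "ldap", "logging", "match",
    "netif", "nss", "parser", "perms", "plugin", "pty", "rbtree", "sssd", "util",
))

# A Debug line: the keyword, the program, the log file and the flag list.
DEBUG_LINE = re.compile(r"^\s*Debug\s+(\S+)\s+(\S+)\s+(\S+)\s*$")


def parse_debug_flags(spec):
    """Expand a comma-separated flag list into {subsystem: priority_index}.

    A priority includes every priority of greater severity, so storing the
    index of the least severe priority enabled is enough.  "all" applies
    to every subsystem.  If a subsystem appears more than once this model
    keeps the most verbose setting (an assumption; the manual does not say
    how sudo merges duplicates).  Unknown names raise ValueError.
    """
    enabled = {}
    for flag in spec.split(","):
        flag = flag.strip()
        if "@" not in flag:
            raise ValueError(f"malformed debug flag: {flag!r}")
        subsystem, priority = flag.split("@", 1)
        if priority not in PRIORITIES:
            raise ValueError(f"unknown priority {priority!r} in {flag!r}")
        level = PRIORITIES.index(priority)
        targets = SUBSYSTEMS if subsystem == "all" else (subsystem,)
        for name in targets:
            if name not in SUBSYSTEMS:
                raise ValueError(f"unknown subsystem {name!r} in {flag!r}")
            enabled[name] = max(enabled.get(name, -1), level)
    return enabled


def would_log(enabled, subsystem, priority):
    """True if a message from `subsystem` at `priority` passes the flags."""
    if subsystem not in enabled:
        return False
    return PRIORITIES.index(priority) <= enabled[subsystem]


def parse_debug_line(line):
    """Split a sudo.conf Debug line into (program, logfile, enabled flags)."""
    match = DEBUG_LINE.match(line)
    if not match:
        raise ValueError(f"not a Debug line: {line!r}")
    program, logfile, spec = match.groups()
    return program, logfile, parse_debug_flags(spec)


if __name__ == "__main__":
    # The manual's own example line, followed by a few probes.
    program, logfile, flags = parse_debug_line(
        "Debug sudo /var/log/sudo_debug match@info,nss@info")
    print(program, logfile)
    for subsystem, priority in (("match", "info"), ("match", "trace"),
                                ("nss", "crit"), ("auth", "crit")):
        print(f"{subsystem}@{priority}: {would_log(flags, subsystem, priority)}")
```

With the manual's example line, a
.Em match
message at
.Em info
or anything more severe is written, a
.Em match
message at
.Em trace
is not, and nothing from
.Em auth
is written because that subsystem was not named.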
.Sh SEE ALSO
.Xr ssh 1 ,
.Xr su 1 ,
.Xr fnmatch 3 ,
.Xr glob 3 ,
.Xr mktemp 3 ,
.Xr strftime 3 ,
.Xr sudo.conf @mansectform@ ,
.Xr sudoers.ldap @mansectform@ ,
.Xr sudo_plugin @mansectsu@ ,
.Xr sudo @mansectsu@ ,
.Xr visudo @mansectsu@
.Sh CAVEATS
The
.Em sudoers
file should
.Sy always
be edited by the
.Nm visudo
command, which locks the file and checks it for syntax errors.
It is
imperative that
.Em sudoers
be free of syntax errors since
.Nm sudo
will not run with a syntactically incorrect
.Em sudoers
file.
.Pp
When using netgroups of machines (as opposed to users), if you
store fully qualified host names in the netgroup (as is usually the
case), you either need to have the machine's host name be fully qualified
as returned by the
.Li hostname
command or use the
.Em fqdn
option in
.Em sudoers .
.Sh BUGS
If you feel you have found a bug in
.Nm sudo ,
please submit a bug report at http://www.sudo.ws/sudo/bugs/
.Sh SUPPORT
Limited free support is available via the sudo-users mailing list,
see http://www.sudo.ws/mailman/listinfo/sudo-users to subscribe or
search the archives.
.Sh DISCLAIMER
.Nm sudo
is provided
.Dq AS IS
and any express or implied warranties, including, but not limited
to, the implied warranties of merchantability and fitness for a
particular purpose are disclaimed.
See the LICENSE file distributed with
.Nm sudo
or http://www.sudo.ws/sudo/license.html for complete details.