1: .\"
2: .\" Copyright (c) 1994-1996, 1998-2005, 2007-2012
3: .\" Todd C. Miller <Todd.Miller@courtesan.com>
4: .\"
5: .\" Permission to use, copy, modify, and distribute this software for any
6: .\" purpose with or without fee is hereby granted, provided that the above
7: .\" copyright notice and this permission notice appear in all copies.
8: .\"
9: .\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
10: .\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
11: .\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
12: .\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
13: .\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
14: .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
15: .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
16: .\" ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
17: .\"
18: .\" Sponsored in part by the Defense Advanced Research Projects
19: .\" Agency (DARPA) and Air Force Research Laboratory, Air Force
20: .\" Materiel Command, USAF, under agreement number F39502-99-1-0512.
21: .\"
22: .Dd July 16, 2012
23: .Dt SUDOERS @mansectform@
24: .Os Sudo @PACKAGE_VERSION@
25: .Sh NAME
26: .Nm sudoers
27: .Nd default sudo security policy module
28: .Sh DESCRIPTION
29: The
30: .Em sudoers
31: policy module determines a user's
32: .Nm sudo
33: privileges.
34: It is the default
35: .Nm sudo
36: policy plugin.
37: The policy is driven by
38: the
39: .Pa @sysconfdir@/sudoers
40: file or, optionally in LDAP.
41: The policy format is described in detail in the
42: .Sx SUDOERS FILE FORMAT
43: section.
44: For information on storing
45: .Em sudoers
46: policy information
47: in LDAP, please see
48: .Xr sudoers.ldap @mansectform@ .
49: .Ss Authentication and logging
50: The
51: .Em sudoers
52: security policy requires that most users authenticate
53: themselves before they can use
54: .Nm sudo .
55: A password is not required
56: if the invoking user is root, if the target user is the same as the
57: invoking user, or if the policy has disabled authentication for the
58: user or command.
59: Unlike
60: .Xr su 1 ,
61: when
62: .Em sudoers
63: requires
64: authentication, it validates the invoking user's credentials, not
65: the target user's (or root's) credentials.
66: This can be changed via
67: the
68: .Em rootpw ,
69: .Em targetpw
70: and
71: .Em runaspw
72: flags, described later.
73: .Pp
74: If a user who is not listed in the policy tries to run a command
75: via
76: .Nm sudo ,
77: mail is sent to the proper authorities.
78: The address
79: used for such mail is configurable via the
80: .Em mailto
81: Defaults entry
82: (described later) and defaults to
83: .Li @mailto@ .
84: .Pp
85: Note that mail will not be sent if an unauthorized user tries to
86: run
87: .Nm sudo
88: with the
89: .Fl l
90: or
91: .Fl v
92: option.
93: This allows users to
94: determine for themselves whether or not they are allowed to use
95: .Nm sudo .
96: .Pp
97: If
98: .Nm sudo
99: is run by root and the
100: .Ev SUDO_USER
101: environment variable
102: is set, the
103: .Em sudoers
104: policy will use this value to determine who
105: the actual user is.
106: This can be used by a user to log commands
107: through sudo even when a root shell has been invoked.
108: It also
109: allows the
110: .Fl e
111: option to remain useful even when invoked via a
112: sudo-run script or program.
113: Note, however, that the
114: .Em sudoers
115: lookup is still done for root, not the user specified by
116: .Ev SUDO_USER .
117: .Pp
118: .Em sudoers
119: uses time stamp files for credential caching.
120: Once a
121: user has been authenticated, the time stamp is updated and the user
122: may then use sudo without a password for a short period of time
123: .Po
124: .Li @timeout@
125: minutes unless overridden by the
126: .Em timeout
127: option
128: .Pc .
129: By default,
130: .Em sudoers
131: uses a tty-based time stamp which means that
132: there is a separate time stamp for each of a user's login sessions.
133: The
134: .Em tty_tickets
135: option can be disabled to force the use of a
136: single time stamp for all of a user's sessions.
137: .Pp
138: .Em sudoers
139: can log both successful and unsuccessful attempts (as well
140: as errors) to
141: .Xr syslog 3 ,
142: a log file, or both.
143: By default,
144: .Em sudoers
145: will log via
146: .Xr syslog 3
147: but this is changeable via the
148: .Em syslog
149: and
150: .Em logfile
151: Defaults settings.
152: .Pp
153: .Em sudoers
154: also supports logging a command's input and output
155: streams.
156: I/O logging is not on by default but can be enabled using
157: the
158: .Em log_input
159: and
160: .Em log_output
161: Defaults flags as well as the
162: .Li LOG_INPUT
163: and
164: .Li LOG_OUTPUT
165: command tags.
166: .Ss Command environment
167: Since environment variables can influence program behavior,
168: .Em sudoers
169: provides a means to restrict which variables from the user's
170: environment are inherited by the command to be run.
171: There are two
172: distinct ways
173: .Em sudoers
174: can deal with environment variables.
175: .Pp
176: By default, the
177: .Em env_reset
178: option is enabled.
179: This causes commands
180: to be executed with a new, minimal environment.
181: On AIX (and Linux
182: systems without PAM), the environment is initialized with the
183: contents of the
184: .Pa /etc/environment
185: file.
186: On BSD systems, if the
187: .Em use_loginclass
188: option is enabled, the environment is initialized
189: based on the
190: .Em path
191: and
192: .Em setenv
193: settings in
194: .Pa /etc/login.conf .
195: The new environment contains the
196: .Ev TERM ,
197: .Ev PATH ,
198: .Ev HOME ,
199: .Ev MAIL ,
200: .Ev SHELL ,
201: .Ev LOGNAME ,
202: .Ev USER ,
203: .Ev USERNAME
204: and
205: .Ev SUDO_*
206: variables
207: in addition to variables from the invoking process permitted by the
208: .Em env_check
209: and
210: .Em env_keep
211: options.
212: This is effectively a whitelist
213: for environment variables.
214: .Pp
215: If, however, the
216: .Em env_reset
217: option is disabled, any variables not
218: explicitly denied by the
219: .Em env_check
220: and
221: .Em env_delete
222: options are
223: inherited from the invoking process.
224: In this case,
225: .Em env_check
226: and
227: .Em env_delete
228: behave like a blacklist.
229: Since it is not possible
230: to blacklist all potentially dangerous environment variables, use
231: of the default
232: .Em env_reset
233: behavior is encouraged.
234: .Pp
235: In all cases, environment variables with a value beginning with
236: .Li ()
237: are removed as they could be interpreted as
238: .Sy bash
239: functions.
240: The list of environment variables that
241: .Nm sudo
242: allows or denies is
243: contained in the output of
244: .Dq Li sudo -V
245: when run as root.
246: .Pp
247: Note that the dynamic linker on most operating systems will remove
248: variables that can control dynamic linking from the environment of
249: setuid executables, including
250: .Nm sudo .
251: Depending on the operating
252: system this may include
253: .Ev _RLD* ,
254: .Ev DYLD_* ,
255: .Ev LD_* ,
256: .Ev LDR_* ,
257: .Ev LIBPATH ,
258: .Ev SHLIB_PATH ,
259: and others.
260: These type of variables are
261: removed from the environment before
262: .Nm sudo
263: even begins execution
264: and, as such, it is not possible for
265: .Nm sudo
266: to preserve them.
267: .Pp
268: As a special case, if
269: .Nm sudo Ns No 's
270: .Fl i
271: option (initial login) is
272: specified,
273: .Em sudoers
274: will initialize the environment regardless
275: of the value of
276: .Em env_reset .
277: The
278: .Ev DISPLAY ,
279: .Ev PATH
280: and
281: .Ev TERM
282: variables remain unchanged;
283: .Ev HOME ,
284: .Ev MAIL ,
285: .Ev SHELL ,
286: .Ev USER ,
287: and
288: .Ev LOGNAME
289: are set based on the target user.
290: On AIX (and Linux
291: systems without PAM), the contents of
292: .Pa /etc/environment
293: are also
294: included.
295: On BSD systems, if the
296: .Em use_loginclass
297: option is
298: enabled, the
299: .Em path
300: and
301: .Em setenv
302: variables in
303: .Pa /etc/login.conf
304: are also applied.
305: All other environment variables are removed.
306: .Pp
307: Finally, if the
308: .Em env_file
309: option is defined, any variables present
310: in that file will be set to their specified values as long as they
311: would not conflict with an existing environment variable.
312: .Sh SUDOERS FILE FORMAT
313: The
314: .Em sudoers
315: file is composed of two types of entries: aliases
316: (basically variables) and user specifications (which specify who
317: may run what).
318: .Pp
319: When multiple entries match for a user, they are applied in order.
320: Where there are multiple matches, the last match is used (which is
321: not necessarily the most specific match).
322: .Pp
323: The
324: .Em sudoers
325: grammar will be described below in Extended Backus-Naur
326: Form (EBNF).
327: Don't despair if you are unfamiliar with EBNF; it is fairly simple,
328: and the definitions below are annotated.
329: .Ss Quick guide to EBNF
330: EBNF is a concise and exact way of describing the grammar of a language.
331: Each EBNF definition is made up of
332: .Em production rules .
333: E.g.,
334: .Pp
335: .Li symbol ::= definition | alternate1 | alternate2 ...
336: .Pp
337: Each
338: .Em production rule
339: references others and thus makes up a
340: grammar for the language.
341: EBNF also contains the following
342: operators, which many readers will recognize from regular
343: expressions.
344: Do not, however, confuse them with
345: .Dq wildcard
346: characters, which have different meanings.
347: .Bl -tag -width 4n
348: .It Li \&?
349: Means that the preceding symbol (or group of symbols) is optional.
350: That is, it may appear once or not at all.
351: .It Li *
352: Means that the preceding symbol (or group of symbols) may appear
353: zero or more times.
354: .It Li +
355: Means that the preceding symbol (or group of symbols) may appear
356: one or more times.
357: .El
358: .Pp
359: Parentheses may be used to group symbols together.
360: For clarity,
361: we will use single quotes
362: .Pq ''
363: to designate what is a verbatim character string (as opposed to a symbol name).
364: .Ss Aliases
365: There are four kinds of aliases:
366: .Li User_Alias ,
367: .Li Runas_Alias ,
368: .Li Host_Alias
369: and
370: .Li Cmnd_Alias .
371: .Bd -literal
372: Alias ::= 'User_Alias' User_Alias (':' User_Alias)* |
373: 'Runas_Alias' Runas_Alias (':' Runas_Alias)* |
374: 'Host_Alias' Host_Alias (':' Host_Alias)* |
375: 'Cmnd_Alias' Cmnd_Alias (':' Cmnd_Alias)*
376:
377: User_Alias ::= NAME '=' User_List
378:
379: Runas_Alias ::= NAME '=' Runas_List
380:
381: Host_Alias ::= NAME '=' Host_List
382:
383: Cmnd_Alias ::= NAME '=' Cmnd_List
384:
385: NAME ::= [A-Z]([A-Z][0-9]_)*
386: .Ed
387: .Pp
388: Each
389: .Em alias
390: definition is of the form
391: .Bd -literal
392: Alias_Type NAME = item1, item2, ...
393: .Ed
394: .Pp
395: where
396: .Em Alias_Type
397: is one of
398: .Li User_Alias ,
399: .Li Runas_Alias ,
400: .Li Host_Alias ,
401: or
402: .Li Cmnd_Alias .
403: A
404: .Li NAME
405: is a string of uppercase letters, numbers,
406: and underscore characters
407: .Pq Ql _ .
408: A
409: .Li NAME
410: .Sy must
411: start with an
412: uppercase letter.
413: It is possible to put several alias definitions
414: of the same type on a single line, joined by a colon
415: .Pq Ql :\& .
416: E.g.,
417: .Bd -literal
418: Alias_Type NAME = item1, item2, item3 : NAME = item4, item5
419: .Ed
420: .Pp
421: The definitions of what constitutes a valid
422: .Em alias
423: member follow.
424: .Bd -literal
425: User_List ::= User |
426: User ',' User_List
427:
428: User ::= '!'* user name |
429: '!'* #uid |
430: '!'* %group |
431: '!'* %#gid |
432: '!'* +netgroup |
433: '!'* %:nonunix_group |
434: '!'* %:#nonunix_gid |
435: '!'* User_Alias
436: .Ed
437: .Pp
438: A
439: .Li User_List
440: is made up of one or more user names, user ids
441: (prefixed with
442: .Ql # ) ,
443: system group names and ids (prefixed with
444: .Ql %
445: and
446: .Ql %#
447: respectively), netgroups (prefixed with
448: .Ql + ) ,
449: non-Unix group names and IDs (prefixed with
450: .Ql %:
451: and
452: .Ql %:#
453: respectively) and
454: .Li User_Alias Ns No es.
455: Each list item may be prefixed with zero or more
456: .Ql \&!
457: operators.
458: An odd number of
459: .Ql \&!
460: operators negate the value of
461: the item; an even number just cancel each other out.
462: .Pp
463: A
464: .Li user name ,
465: .Li uid ,
466: .Li group ,
467: .Li gid ,
468: .Li netgroup ,
469: .Li nonunix_group
470: or
471: .Li nonunix_gid
472: may be enclosed in double quotes to avoid the
473: need for escaping special characters.
474: Alternately, special characters
475: may be specified in escaped hex mode, e.g.\& \ex20 for space.
476: When
477: using double quotes, any prefix characters must be included inside
478: the quotes.
479: .Pp
480: The actual
481: .Li nonunix_group
482: and
483: .Li nonunix_gid
484: syntax depends on
485: the underlying group provider plugin (see the
486: .Em group_plugin
487: description below).
488: For instance, the QAS AD plugin supports the following formats:
489: .Bl -bullet -width 4n
490: .It
491: Group in the same domain: "%:Group Name"
492: .It
493: Group in any domain: "%:Group Name@FULLY.QUALIFIED.DOMAIN"
494: .It
495: Group SID: "%:S-1-2-34-5678901234-5678901234-5678901234-567"
496: .El
497: .Pp
498: Note that quotes around group names are optional.
499: Unquoted strings must use a backslash
500: .Pq Ql \e
501: to escape spaces and special characters.
502: See
503: .Sx Other special characters and reserved words
504: for a list of
505: characters that need to be escaped.
506: .Bd -literal
507: Runas_List ::= Runas_Member |
508: Runas_Member ',' Runas_List
509:
510: Runas_Member ::= '!'* user name |
511: '!'* #uid |
512: '!'* %group |
513: '!'* %#gid |
514: '!'* %:nonunix_group |
515: '!'* %:#nonunix_gid |
516: '!'* +netgroup |
517: '!'* Runas_Alias
518: .Ed
519: .Pp
520: A
521: .Li Runas_List
522: is similar to a
523: .Li User_List
524: except that instead
525: of
526: .Li User_Alias Ns No es
527: it can contain
528: .Li Runas_Alias Ns No es .
529: Note that
530: user names and groups are matched as strings.
531: In other words, two
532: users (groups) with the same uid (gid) are considered to be distinct.
533: If you wish to match all user names with the same uid (e.g.\&
534: root and toor), you can use a uid instead (#0 in the example given).
535: .Bd -literal
536: Host_List ::= Host |
537: Host ',' Host_List
538:
539: Host ::= '!'* host name |
540: '!'* ip_addr |
541: '!'* network(/netmask)? |
542: '!'* +netgroup |
543: '!'* Host_Alias
544: .Ed
545: .Pp
546: A
547: .Li Host_List
548: is made up of one or more host names, IP addresses,
549: network numbers, netgroups (prefixed with
550: .Ql + )
551: and other aliases.
552: Again, the value of an item may be negated with the
553: .Ql \&!
554: operator.
555: If you do not specify a netmask along with the network number,
556: .Nm sudo
557: will query each of the local host's network interfaces and,
558: if the network number corresponds to one of the hosts's network
559: interfaces, the corresponding netmask will be used.
560: The netmask
561: may be specified either in standard IP address notation
562: (e.g.\& 255.255.255.0 or ffff:ffff:ffff:ffff::),
563: or CIDR notation (number of bits, e.g.\& 24 or 64).
564: A host name may include shell-style wildcards (see the
565: .Sx Wildcards
566: section below),
567: but unless the
568: .Li host name
569: command on your machine returns the fully
570: qualified host name, you'll need to use the
571: .Em fqdn
572: option for wildcards to be useful.
573: Note that
574: .Nm sudo
575: only inspects actual network interfaces; this means that IP address
576: 127.0.0.1 (localhost) will never match.
577: Also, the host name
578: .Dq localhost
579: will only match if that is the actual host name, which is usually
580: only the case for non-networked systems.
581: .Bd -literal
582: Cmnd_List ::= Cmnd |
583: Cmnd ',' Cmnd_List
584:
585: command name ::= file name |
586: file name args |
587: file name '""'
588:
589: Cmnd ::= '!'* command name |
590: '!'* directory |
591: '!'* "sudoedit" |
592: '!'* Cmnd_Alias
593: .Ed
594: .Pp
595: A
596: .Li Cmnd_List
597: is a list of one or more command names, directories, and other aliases.
598: A command name is a fully qualified file name which may include
599: shell-style wildcards (see the
600: .Sx Wildcards
601: section below).
602: A simple file name allows the user to run the command with any
603: arguments he/she wishes.
604: However, you may also specify command line arguments (including
605: wildcards).
606: Alternately, you can specify
607: .Li \&""
608: to indicate that the command
609: may only be run
610: .Sy without
611: command line arguments.
612: A directory is a
613: fully qualified path name ending in a
614: .Ql / .
615: When you specify a directory in a
616: .Li Cmnd_List ,
617: the user will be able to run any file within that directory
618: (but not in any sub-directories therein).
619: .Pp
620: If a
621: .Li Cmnd
622: has associated command line arguments, then the arguments
623: in the
624: .Li Cmnd
625: must match exactly those given by the user on the command line
626: (or match the wildcards if there are any).
627: Note that the following characters must be escaped with a
628: .Ql \e
629: if they are used in command arguments:
630: .Ql ,\& ,
631: .Ql :\& ,
632: .Ql =\& ,
633: .Ql \e .
634: The special command
635: .Dq Li sudoedit
636: is used to permit a user to run
637: .Nm sudo
638: with the
639: .Fl e
640: option (or as
641: .Nm sudoedit ) .
642: It may take command line arguments just as a normal command does.
643: .Ss Defaults
644: Certain configuration options may be changed from their default
645: values at run-time via one or more
646: .Li Default_Entry
647: lines.
648: These may affect all users on any host, all users on a specific host, a
649: specific user, a specific command, or commands being run as a specific user.
650: Note that per-command entries may not include command line arguments.
651: If you need to specify arguments, define a
652: .Li Cmnd_Alias
653: and reference
654: that instead.
655: .Bd -literal
656: Default_Type ::= 'Defaults' |
657: 'Defaults' '@' Host_List |
658: 'Defaults' ':' User_List |
659: 'Defaults' '!' Cmnd_List |
660: 'Defaults' '>' Runas_List
661:
662: Default_Entry ::= Default_Type Parameter_List
663:
664: Parameter_List ::= Parameter |
665: Parameter ',' Parameter_List
666:
667: Parameter ::= Parameter '=' Value |
668: Parameter '+=' Value |
669: Parameter '-=' Value |
670: '!'* Parameter
671: .Ed
672: .Pp
673: Parameters may be
674: .Sy flags ,
675: .Sy integer
676: values,
677: .Sy strings ,
678: or
679: .Sy lists .
680: Flags are implicitly boolean and can be turned off via the
681: .Ql \&!
682: operator.
683: Some integer, string and list parameters may also be
684: used in a boolean context to disable them.
685: Values may be enclosed
686: in double quotes
687: .Pq \&""
688: when they contain multiple words.
689: Special characters may be escaped with a backslash
690: .Pq Ql \e .
691: .Pp
692: Lists have two additional assignment operators,
693: .Li +=
694: and
695: .Li -= .
696: These operators are used to add to and delete from a list respectively.
697: It is not an error to use the
698: .Li -=
699: operator to remove an element
700: that does not exist in a list.
701: .Pp
702: Defaults entries are parsed in the following order: generic, host
703: and user Defaults first, then runas Defaults and finally command
704: defaults.
705: .Pp
706: See
707: .Sx SUDOERS OPTIONS
708: for a list of supported Defaults parameters.
709: .Ss User specification
710: .Bd -literal
711: User_Spec ::= User_List Host_List '=' Cmnd_Spec_List \e
712: (':' Host_List '=' Cmnd_Spec_List)*
713:
714: Cmnd_Spec_List ::= Cmnd_Spec |
715: Cmnd_Spec ',' Cmnd_Spec_List
716:
717: Cmnd_Spec ::= Runas_Spec? SELinux_Spec? Solaris_Priv_Spec? Tag_Spec* Cmnd
718:
719: Runas_Spec ::= '(' Runas_List? (':' Runas_List)? ')'
720:
721: SELinux_Spec ::= ('ROLE=role' | 'TYPE=type')
722:
723: Solaris_Priv_Spec ::= ('PRIVS=privset' | 'LIMITPRIVS=privset')
724:
725: Tag_Spec ::= ('NOPASSWD:' | 'PASSWD:' | 'NOEXEC:' | 'EXEC:' |
726: 'SETENV:' | 'NOSETENV:' | 'LOG_INPUT:' | 'NOLOG_INPUT:' |
727: 'LOG_OUTPUT:' | 'NOLOG_OUTPUT:')
728: .Ed
729: .Pp
730: A
731: .Sy user specification
732: determines which commands a user may run
733: (and as what user) on specified hosts.
734: By default, commands are
735: run as
736: .Sy root ,
737: but this can be changed on a per-command basis.
738: .Pp
739: The basic structure of a user specification is
740: .Dq who where = (as_whom) what .
741: Let's break that down into its constituent parts:
742: .Ss Runas_Spec
743: A
744: .Li Runas_Spec
745: determines the user and/or the group that a command
746: may be run as.
747: A fully-specified
748: .Li Runas_Spec
749: consists of two
750: .Li Runas_List Ns No s
751: (as defined above) separated by a colon
752: .Pq Ql :\&
753: and enclosed in a set of parentheses.
754: The first
755: .Li Runas_List
756: indicates
757: which users the command may be run as via
758: .Nm sudo Ns No 's
759: .Fl u
760: option.
761: The second defines a list of groups that can be specified via
762: .Nm sudo Ns No 's
763: .Fl g
764: option.
765: If both
766: .Li Runas_List Ns No s
767: are specified, the command may be run with any combination of users
768: and groups listed in their respective
769: .Li Runas_List Ns No s.
770: If only the first is specified, the command may be run as any user
771: in the list but no
772: .Fl g
773: option
774: may be specified.
775: If the first
776: .Li Runas_List
777: is empty but the
778: second is specified, the command may be run as the invoking user
779: with the group set to any listed in the
780: .Li Runas_List .
781: If both
782: .Li Runas_List Ns No s
783: are empty, the command may only be run as the invoking user.
784: If no
785: .Li Runas_Spec
786: is specified the command may be run as
787: .Sy root
788: and
789: no group may be specified.
790: .Pp
791: A
792: .Li Runas_Spec
793: sets the default for the commands that follow it.
794: What this means is that for the entry:
795: .Bd -literal
796: dgb boulder = (operator) /bin/ls, /bin/kill, /usr/bin/lprm
797: .Ed
798: .Pp
799: The user
800: .Sy dgb
801: may run
802: .Pa /bin/ls ,
803: .Pa /bin/kill ,
804: and
805: .Pa /usr/bin/lprm Ns No \(em Ns but
806: only as
807: .Sy operator .
808: E.g.,
809: .Bd -literal
810: $ sudo -u operator /bin/ls
811: .Ed
812: .Pp
813: It is also possible to override a
814: .Li Runas_Spec
815: later on in an entry.
816: If we modify the entry like so:
817: .Bd -literal
818: dgb boulder = (operator) /bin/ls, (root) /bin/kill, /usr/bin/lprm
819: .Ed
820: .Pp
821: Then user
822: .Sy dgb
823: is now allowed to run
824: .Pa /bin/ls
825: as
826: .Sy operator ,
827: but
828: .Pa /bin/kill
829: and
830: .Pa /usr/bin/lprm
831: as
832: .Sy root .
833: .Pp
834: We can extend this to allow
835: .Sy dgb
836: to run
837: .Li /bin/ls
838: with either
839: the user or group set to
840: .Sy operator :
841: .Bd -literal
842: dgb boulder = (operator : operator) /bin/ls, (root) /bin/kill,\e
843: /usr/bin/lprm
844: .Ed
845: .Pp
846: Note that while the group portion of the
847: .Li Runas_Spec
848: permits the
849: user to run as command with that group, it does not force the user
850: to do so.
851: If no group is specified on the command line, the command
852: will run with the group listed in the target user's password database
853: entry.
854: The following would all be permitted by the sudoers entry above:
855: .Bd -literal
856: $ sudo -u operator /bin/ls
857: $ sudo -u operator -g operator /bin/ls
858: $ sudo -g operator /bin/ls
859: .Ed
860: .Pp
861: In the following example, user
862: .Sy tcm
863: may run commands that access
864: a modem device file with the dialer group.
865: .Bd -literal
866: tcm boulder = (:dialer) /usr/bin/tip, /usr/bin/cu,\e
867: /usr/local/bin/minicom
868: .Ed
869: .Pp
870: Note that in this example only the group will be set, the command
871: still runs as user
872: .Sy tcm .
873: E.g.\&
874: .Bd -literal
875: $ sudo -g dialer /usr/bin/cu
876: .Ed
877: .Pp
878: Multiple users and groups may be present in a
879: .Li Runas_Spec ,
880: in which case the user may select any combination of users and groups via the
881: .Fl u
882: and
883: .Fl g
884: options.
885: In this example:
886: .Bd -literal
887: alan ALL = (root, bin : operator, system) ALL
888: .Ed
889: .Pp
890: user
891: .Sy alan
892: may run any command as either user root or bin,
893: optionally setting the group to operator or system.
894: .Ss SELinux_Spec
895: On systems with SELinux support,
896: .Em sudoers
897: entries may optionally have an SELinux role and/or type associated
898: with a command.
899: If a role or
900: type is specified with the command it will override any default values
901: specified in
902: .Em sudoers .
903: A role or type specified on the command line,
904: however, will supersede the values in
905: .Em sudoers .
906: .Ss Solaris_Priv_Spec
907: On Solaris systems,
908: .Em sudoers
909: entries may optionally specify Solaris privilege set and/or limit
910: privilege set associated with a command.
911: If privileges or limit privileges are specified with the command
912: it will override any default values specified in
913: .Em sudoers .
914: .Pp
915: A privilege set is a comma-separated list of privilege names.
916: The
917: .Xr ppriv 1
918: command can be used to list all privileges known to the system.
919: For example:
920: .Bd -literal
921: $ ppriv -l
922: .Ed
923: .Pp
924: In addition, there are several
925: .Dq special
926: privilege strings:
927: .Bl -tag -width 8n
928: .It none
929: the empty set
930: .It all
931: the set of all privileges
932: .It zone
933: the set of all privileges available in the current zone
934: .It basic
935: the default set of privileges normal users are granted at login time
936: .El
937: .Pp
938: Privileges can be excluded from a set by prefixing the privilege
939: name with either an
940: .Ql \&!
941: or
942: .Ql \-
943: character.
944: .Ss Tag_Spec
945: A command may have zero or more tags associated with it.
946: There are
947: ten possible tag values:
948: .Li NOPASSWD ,
949: .Li PASSWD ,
950: .Li NOEXEC ,
951: .Li EXEC ,
952: .Li SETENV ,
953: .Li NOSETENV ,
954: .Li LOG_INPUT ,
955: .Li NOLOG_INPUT ,
956: .Li LOG_OUTPUT
957: and
958: .Li NOLOG_OUTPUT .
959: Once a tag is set on a
960: .Li Cmnd ,
961: subsequent
962: .Li Cmnd Ns No s
963: in the
964: .Li Cmnd_Spec_List ,
965: inherit the tag unless it is overridden by the opposite tag (in other words,
966: .Li PASSWD
967: overrides
968: .Li NOPASSWD
969: and
970: .Li NOEXEC
971: overrides
972: .Li EXEC ) .
973: .Pp
974: .Em NOPASSWD and PASSWD
975: .Pp
976: By default,
977: .Nm sudo
978: requires that a user authenticate him or herself
979: before running a command.
980: This behavior can be modified via the
981: .Li NOPASSWD
982: tag.
983: Like a
984: .Li Runas_Spec ,
985: the
986: .Li NOPASSWD
987: tag sets
988: a default for the commands that follow it in the
989: .Li Cmnd_Spec_List .
990: Conversely, the
991: .Li PASSWD
992: tag can be used to reverse things.
993: For example:
994: .Bd -literal
995: ray rushmore = NOPASSWD: /bin/kill, /bin/ls, /usr/bin/lprm
996: .Ed
997: .Pp
998: would allow the user
999: .Sy ray
1000: to run
1001: .Pa /bin/kill ,
1002: .Pa /bin/ls ,
1003: and
1004: .Pa /usr/bin/lprm
1005: as
1006: .Sy root
1007: on the machine rushmore without authenticating himself.
1008: If we only want
1009: .Sy ray
1010: to be able to
1011: run
1012: .Pa /bin/kill
1013: without a password the entry would be:
1014: .Bd -literal
1015: ray rushmore = NOPASSWD: /bin/kill, PASSWD: /bin/ls, /usr/bin/lprm
1016: .Ed
1017: .Pp
1018: Note, however, that the
1019: .Li PASSWD
1020: tag has no effect on users who are in the group specified by the
1021: .Em exempt_group
1022: option.
1023: .Pp
1024: By default, if the
1025: .Li NOPASSWD
1026: tag is applied to any of the entries for a user on the current host,
1027: he or she will be able to run
1028: .Dq Li sudo -l
1029: without a password.
1030: Additionally, a user may only run
1031: .Dq Li sudo -v
1032: without a password if the
1033: .Li NOPASSWD
1034: tag is present for all a user's entries that pertain to the current host.
1035: This behavior may be overridden via the
1036: .Em verifypw
1037: and
1038: .Em listpw
1039: options.
1040: .Pp
1041: .Em NOEXEC and EXEC
1042: .Pp
1043: If
1044: .Nm sudo
1045: has been compiled with
1046: .Em noexec
1047: support and the underlying operating system supports it, the
1048: .Li NOEXEC
1049: tag can be used to prevent a dynamically-linked executable from
1050: running further commands itself.
1051: .Pp
1052: In the following example, user
1053: .Sy aaron
1054: may run
1055: .Pa /usr/bin/more
1056: and
1057: .Pa /usr/bin/vi
1058: but shell escapes will be disabled.
1059: .Bd -literal
1060: aaron shanty = NOEXEC: /usr/bin/more, /usr/bin/vi
1061: .Ed
1062: .Pp
1063: See the
1064: .Sx Preventing shell escapes
1065: section below for more details on how
1066: .Li NOEXEC
1067: works and whether or not it will work on your system.
1068: .Pp
1069: .Em SETENV and NOSETENV
1070: .Pp
1071: These tags override the value of the
1072: .Em setenv
1073: option on a per-command basis.
1074: Note that if
1075: .Li SETENV
1076: has been set for a command, the user may disable the
1077: .Em env_reset
1078: option from the command line via the
1079: .Fl E
1080: option.
1081: Additionally, environment variables set on the command
1082: line are not subject to the restrictions imposed by
1083: .Em env_check ,
1084: .Em env_delete ,
1085: or
1086: .Em env_keep .
1087: As such, only trusted users should be allowed to set variables in this manner.
1088: If the command matched is
1089: .Sy ALL ,
1090: the
1091: .Li SETENV
1092: tag is implied for that command; this default may be overridden by use of the
1093: .Li NOSETENV
1094: tag.
1095: .Pp
1096: .Em LOG_INPUT and NOLOG_INPUT
1097: .Pp
1098: These tags override the value of the
1099: .Em log_input
1100: option on a per-command basis.
1101: For more information, see the description of
1102: .Em log_input
1103: in the
1104: .Sx SUDOERS OPTIONS
1105: section below.
1106: .Pp
1107: .Em LOG_OUTPUT and NOLOG_OUTPUT
1108: .Pp
1109: These tags override the value of the
1110: .Em log_output
1111: option on a per-command basis.
1112: For more information, see the description of
1113: .Em log_output
1114: in the
1115: .Sx SUDOERS OPTIONS
1116: section below.
1117: .Ss Wildcards
1118: .Nm sudo
1119: allows shell-style
1120: .Em wildcards
1121: (aka meta or glob characters)
1122: to be used in host names, path names and command line arguments in the
1123: .Em sudoers
1124: file.
1125: Wildcard matching is done via the
1126: .Sy POSIX
1127: .Xr glob 3
1128: and
1129: .Xr fnmatch 3
1130: routines.
1131: Note that these are
1132: .Em not
1133: regular expressions.
1134: .Bl -tag -width 8n
1135: .It Li *
1136: Matches any set of zero or more characters.
1137: .It Li \&?
1138: Matches any single character.
1139: .It Li [...]
1140: Matches any character in the specified range.
1141: .It Li [!...]
1142: Matches any character
1143: .Sy not
1144: in the specified range.
1145: .It Li \ex
1146: For any character
1147: .Sq x ,
1148: evaluates to
1149: .Sq x .
1150: This is used to escape special characters such as:
1151: .Ql * ,
1152: .Ql \&? ,
1153: .Ql [\& ,
1154: and
1155: .Ql ]\& .
1156: .El
1157: .Pp
1158: POSIX character classes may also be used if your system's
1159: .Xr glob 3
1160: and
1161: .Xr fnmatch 3
1162: functions support them.
1163: However, because the
1164: .Ql :\&
1165: character has special meaning in
1166: .Em sudoers ,
1167: it must be
1168: escaped.
1169: For example:
1170: .Bd -literal -offset 4n
1171: /bin/ls [[\:alpha\:]]*
1172: .Ed
1173: .Pp
1174: Would match any file name beginning with a letter.
1175: .Pp
1176: Note that a forward slash
1177: .Pq Ql /
1178: will
1179: .Sy not
1180: be matched by
1181: wildcards used in the path name.
1182: This is to make a path like:
1183: .Bd -literal -offset 4n
1184: /usr/bin/*
1185: .Ed
1186: .Pp
1187: match
1188: .Pa /usr/bin/who
1189: but not
1190: .Pa /usr/bin/X11/xterm .
1191: .Pp
1192: When matching the command line arguments, however, a slash
1193: .Sy does
1194: get matched by wildcards since command line arguments may contain
1195: arbitrary strings and not just path names.
1196: .Pp
1197: Wildcards in command line arguments should be used with care.
1198: Because command line arguments are matched as a single, concatenated
1199: string, a wildcard such as
1200: .Ql \&?
1201: or
1202: .Ql *
1203: can match multiple words.
1204: For example, while a sudoers entry like:
1205: .Bd -literal -offset 4n
1206: %operator ALL = /bin/cat /var/log/messages*
1207: .Ed
1208: .Pp
1209: will allow command like:
1210: .Bd -literal -offset 4n
1211: $ sudo cat /var/log/messages.1
1212: .Ed
1213: .Pp
1214: It will also allow:
1215: .Bd -literal -offset 4n
1216: $ sudo cat /var/log/messages /etc/shadow
1217: .Ed
1218: .Pp
1219: which is probably not what was intended.
1220: .Ss Exceptions to wildcard rules
1221: The following exceptions apply to the above rules:
1222: .Bl -tag -width 8n
1223: .It Li \&""
1224: If the empty string
1225: .Li \&""
1226: is the only command line argument in the
1227: .Em sudoers
1228: entry it means that command is not allowed to be run with
1229: .Sy any
1230: arguments.
1231: .It sudoedit
1232: Command line arguments to the
1233: .Em sudoedit
1234: built-in command should always be path names, so a forward slash
1235: .Pq Ql /
1236: will not be matched by a wildcard.
1237: .El
1238: .Ss Including other files from within sudoers
1239: It is possible to include other
1240: .Em sudoers
1241: files from within the
1242: .Em sudoers
1243: file currently being parsed using the
1244: .Li #include
1245: and
1246: .Li #includedir
1247: directives.
1248: .Pp
1249: This can be used, for example, to keep a site-wide
1250: .Em sudoers
1251: file in addition to a local, per-machine file.
1252: For the sake of this example the site-wide
1253: .Em sudoers
1254: will be
1255: .Pa /etc/sudoers
1256: and the per-machine one will be
1257: .Pa /etc/sudoers.local .
1258: To include
1259: .Pa /etc/sudoers.local
1260: from within
1261: .Pa /etc/sudoers
1262: we would use the
1263: following line in
1264: .Pa /etc/sudoers :
1265: .Bd -literal -offset 4n
1266: #include /etc/sudoers.local
1267: .Ed
1268: .Pp
1269: When
1270: .Nm sudo
1271: reaches this line it will suspend processing of the current file
1272: .Pq Pa /etc/sudoers
1273: and switch to
1274: .Pa /etc/sudoers.local .
1275: Upon reaching the end of
1276: .Pa /etc/sudoers.local ,
1277: the rest of
1278: .Pa /etc/sudoers
1279: will be processed.
1280: Files that are included may themselves include other files.
1281: A hard limit of 128 nested include files is enforced to prevent include
1282: file loops.
1283: .Pp
1284: If the path to the include file is not fully-qualified (does not
1285: begin with a
1286: .Ql / ,
1287: it must be located in the same directory as the sudoers file it was
1288: included from.
1289: For example, if
1290: .Pa /etc/sudoers
1291: contains the line:
1292: .Bd -literal -offset 4n
1293: .Li #include sudoers.local
1294: .Ed
1295: .Pp
1296: the file that will be included is
1297: .Pa /etc/sudoers.local .
1298: .Pp
1299: The file name may also include the
1300: .Li %h
1301: escape, signifying the short form of the host name.
1302: In other words, if the machine's host name is
1303: .Dq xerxes ,
1304: then
1305: .Bd -literal -offset 4n
1306: #include /etc/sudoers.%h
1307: .Ed
1308: .Pp
1309: will cause
1310: .Nm sudo
1311: to include the file
1312: .Pa /etc/sudoers.xerxes .
1313: .Pp
1314: The
1315: .Li #includedir
1316: directive can be used to create a
1317: .Pa sudo.d
1318: directory that the system package manager can drop
1319: .Em sudoers
1320: rules
1321: into as part of package installation.
1322: For example, given:
1323: .Bd -literal -offset 4n
1324: #includedir /etc/sudoers.d
1325: .Ed
1326: .Pp
1327: .Nm sudo
1328: will read each file in
1329: .Pa /etc/sudoers.d ,
1330: skipping file names that end in
1331: .Ql ~
1332: or contain a
1333: .Ql .\&
1334: character to avoid causing problems with package manager or editor
1335: temporary/backup files.
1336: Files are parsed in sorted lexical order.
1337: That is,
1338: .Pa /etc/sudoers.d/01_first
1339: will be parsed before
1340: .Pa /etc/sudoers.d/10_second .
1341: Be aware that because the sorting is lexical, not numeric,
1342: .Pa /etc/sudoers.d/1_whoops
1343: would be loaded
1344: .Sy after
1345: .Pa /etc/sudoers.d/10_second .
1346: Using a consistent number of leading zeroes in the file names can be used
1347: to avoid such problems.
1348: .Pp
1349: Note that unlike files included via
1350: .Li #include ,
1351: .Nm visudo
1352: will not edit the files in a
1353: .Li #includedir
1354: directory unless one of them contains a syntax error.
1355: It is still possible to run
1356: .Nm visudo
1357: with the
1358: .Fl f
1359: flag to edit the files directly.
1360: .Ss Other special characters and reserved words
1361: The pound sign
1362: .Pq Ql #
1363: is used to indicate a comment (unless it is part of a #include
1364: directive or unless it occurs in the context of a user name and is
1365: followed by one or more digits, in which case it is treated as a
1366: uid).
1367: Both the comment character and any text after it, up to the end of
1368: the line, are ignored.
1369: .Pp
1370: The reserved word
1371: .Sy ALL
1372: is a built-in
1373: .Em alias
1374: that always causes a match to succeed.
1375: It can be used wherever one might otherwise use a
1376: .Li Cmnd_Alias ,
1377: .Li User_Alias ,
1378: .Li Runas_Alias ,
1379: or
1380: .Li Host_Alias .
1381: You should not try to define your own
1382: .Em alias
1383: called
1384: .Sy ALL
1385: as the built-in alias will be used in preference to your own.
1386: Please note that using
1387: .Sy ALL
1388: can be dangerous since in a command context, it allows the user to run
1389: .Sy any
1390: command on the system.
1391: .Pp
1392: An exclamation point
1393: .Pq Ql \&!
1394: can be used as a logical
1395: .Em not
1396: operator both in an
1397: .Em alias
1398: and in front of a
1399: .Li Cmnd .
1400: This allows one to exclude certain values.
1401: Note, however, that using a
1402: .Ql \&!
1403: in conjunction with the built-in
1404: .Sy ALL
1405: alias to allow a user to run
1406: .Dq all but a few
1407: commands rarely works as intended (see
1408: .Sx SECURITY NOTES
1409: below).
1410: .Pp
1411: Long lines can be continued with a backslash
1412: .Pq Ql \e
1413: as the last character on the line.
1414: .Pp
1415: White space between elements in a list as well as special syntactic
1416: characters in a
1417: .Em User Specification
1418: .Po
1419: .Ql =\& ,
1420: .Ql :\& ,
1421: .Ql (\& ,
1422: .Ql )\&
1423: .Pc
1424: is optional.
1425: .Pp
1426: The following characters must be escaped with a backslash
1427: .Pq Ql \e
1428: when used as part of a word (e.g.\& a user name or host name):
1429: .Ql \&! ,
1430: .Ql =\& ,
1431: .Ql :\& ,
1432: .Ql ,\& ,
1433: .Ql (\& ,
1434: .Ql )\& ,
1435: .Ql \e .
1436: .Sh SUDOERS OPTIONS
1437: .Nm sudo Ns No 's
1438: behavior can be modified by
1439: .Li Default_Entry
1440: lines, as explained earlier.
1441: A list of all supported Defaults parameters, grouped by type, are listed below.
1442: .Pp
1443: .Sy Boolean Flags :
1444: .Bl -tag -width 16n
1445: .It always_set_home
1446: If enabled,
1447: .Nm sudo
1448: will set the
1449: .Ev HOME
1450: environment variable to the home directory of the target user
1451: (which is root unless the
1452: .Fl u
1453: option is used).
1454: This effectively means that the
1455: .Fl H
1456: option is always implied.
1457: Note that
1458: .Ev HOME
1459: is already set when the the
1460: .Em env_reset
1461: option is enabled, so
1462: .Em always_set_home
1463: is only effective for configurations where either
1464: .Em env_reset
1465: is disabled or
1466: .Ev HOME
1467: is present in the
1468: .Em env_keep
1469: list.
1470: This flag is
1471: .Em off
1472: by default.
1473: .It authenticate
1474: If set, users must authenticate themselves via a password (or other
1475: means of authentication) before they may run commands.
1476: This default may be overridden via the
1477: .Li PASSWD
1478: and
1479: .Li NOPASSWD
1480: tags.
1481: This flag is
1482: .Em on
1483: by default.
1484: .It closefrom_override
1485: If set, the user may use
1486: .Nm sudo Ns No 's
1487: .Fl C
1488: option which overrides the default starting point at which
1489: .Nm sudo
1490: begins closing open file descriptors.
1491: This flag is
1492: .Em off
1493: by default.
1494: .It compress_io
1495: If set, and
1496: .Nm sudo
1497: is configured to log a command's input or output,
1498: the I/O logs will be compressed using
1499: .Sy zlib .
1500: This flag is
1501: .Em on
1502: by default when
1503: .Nm sudo
1504: is compiled with
1505: .Sy zlib
1506: support.
1507: .It env_editor
1508: If set,
1509: .Nm visudo
1510: will use the value of the
1511: .Ev EDITOR
1512: or
1513: .Ev VISUAL
1514: environment variables before falling back on the default editor list.
1515: Note that this may create a security hole as it allows the user to
1516: run any arbitrary command as root without logging.
1517: A safer alternative is to place a colon-separated list of editors
1518: in the
1519: .Li editor
1520: variable.
1521: .Nm visudo
1522: will then only use the
1523: .Ev EDITOR
1524: or
1525: .Ev VISUAL
1526: if they match a value specified in
1527: .Li editor .
1528: This flag is
1529: .Em @env_editor@
1530: by
1531: default.
1532: .It env_reset
1533: If set,
1534: .Nm sudo
1535: will run the command in a minimal environment containing the
1536: .Ev TERM ,
1537: .Ev PATH ,
1538: .Ev HOME ,
1539: .Ev MAIL ,
1540: .Ev SHELL ,
1541: .Ev LOGNAME ,
1542: .Ev USER ,
1543: .Ev USERNAME
1544: and
1545: .Ev SUDO_*
1546: variables.
1547: Any
1548: variables in the caller's environment that match the
1549: .Li env_keep
1550: and
1551: .Li env_check
1552: lists are then added, followed by any variables present in the file
1553: specified by the
1554: .Em env_file
1555: option (if any).
1556: The default contents of the
1557: .Li env_keep
1558: and
1559: .Li env_check
1560: lists are displayed when
1561: .Nm sudo
1562: is run by root with the
1563: .Fl V
1564: option.
1565: If the
1566: .Em secure_path
1567: option is set, its value will be used for the
1568: .Ev PATH
1569: environment variable.
1570: This flag is
1571: .Em @env_reset@
1572: by default.
1573: .It fast_glob
1574: Normally,
1575: .Nm sudo
1576: uses the
1577: .Xr glob 3
1578: function to do shell-style globbing when matching path names.
1579: However, since it accesses the file system,
1580: .Xr glob 3
1581: can take a long time to complete for some patterns, especially
1582: when the pattern references a network file system that is mounted
1583: on demand (auto mounted).
1584: The
1585: .Em fast_glob
1586: option causes
1587: .Nm sudo
1588: to use the
1589: .Xr fnmatch 3
1590: function, which does not access the file system to do its matching.
1591: The disadvantage of
1592: .Em fast_glob
1593: is that it is unable to match relative path names such as
1594: .Pa ./ls
1595: or
1596: .Pa ../bin/ls .
1597: This has security implications when path names that include globbing
1598: characters are used with the negation operator,
1599: .Ql !\& ,
1600: as such rules can be trivially bypassed.
1601: As such, this option should not be used when
1602: .Em sudoers
1603: contains rules that contain negated path names which include globbing
1604: characters.
1605: This flag is
1606: .Em off
1607: by default.
1608: .It fqdn
1609: Set this flag if you want to put fully qualified host names in the
1610: .Em sudoers
1611: file when the local host name (as returned by the
1612: .Li hostname
1613: command) does not contain the domain name.
1614: In other words, instead of myhost you would use myhost.mydomain.edu.
1615: You may still use the short form if you wish (and even mix the two).
1616: This option is only effective when the
1617: .Dq canonical
1618: host name, as returned by the
1619: .Fn getaddrinfo
1620: or
1621: .Fn gethostbyname
1622: function, is a fully-qualified domain name.
1623: This is usually the case when the system is configured to use DNS
1624: for host name resolution.
1625: .Pp
1626: If the system is configured to use the
1627: .Pa /etc/hosts
1628: file in preference to DNS, the
1629: .Dq canonical
1630: host name may not be fully-qualified.
1631: The order that sources are queried for hosts name resolution
1632: is usually specified in the
1633: .Pa @nsswitch_conf@ ,
1634: .Pa @netsvc_conf@ ,
1635: .Pa /etc/host.conf ,
1636: or, in some cases,
1637: .Pa /etc/resolv.conf
1638: file.
1639: In the
1640: .Pa /etc/hosts
1641: file, the first host name of the entry is considered to be the
1642: .Dq canonical
1643: name; subsequent names are aliases that are not used by
1644: .Nm sudoers .
1645: For example, the following hosts file line for the machine
1646: .Dq xyzzy
1647: has the fully-qualified domain name as the
1648: .Dq canonical
1649: host name, and the short version as an alias.
1650: .sp
1651: .Dl 192.168.1.1 xyzzy.sudo.ws xyzzy
1652: .sp
1653: If the machine's hosts file entry is not formatted properly, the
1654: .Em fqdn
1655: option will not be effective if it is queried before DNS.
1656: .Pp
1657: Beware that when using DNS for host name resolution, turning on
1658: .Em fqdn
1659: requires
1660: .Nm sudoers
1661: to make DNS lookups which renders
1662: .Nm sudo
1663: unusable if DNS stops working (for example if the machine is disconnected
1664: from the network).
1665: Also note that just like with the hosts file, you must use the
1666: .Dq canonical
1667: name as DNS knows it.
1668: That is, you may not use a host alias
1669: .Po
1670: .Li CNAME
1671: entry
1672: .Pc
1673: due to performance issues and the fact that there is no way to get all
1674: aliases from DNS.
1675: .Pp
1676: This flag is
1677: .Em @fqdn@
1678: by default.
1679: .It ignore_dot
1680: If set,
1681: .Nm sudo
1682: will ignore "." or "" (both denoting current directory) in the
1683: .Ev PATH
1684: environment variable; the
1685: .Ev PATH
1686: itself is not modified.
1687: This flag is
1688: .Em @ignore_dot@
1689: by default.
1690: .It ignore_local_sudoers
1691: If set via LDAP, parsing of
1692: .Pa @sysconfdir@/sudoers
1693: will be skipped.
1694: This is intended for Enterprises that wish to prevent the usage of local
1695: sudoers files so that only LDAP is used.
1696: This thwarts the efforts of rogue operators who would attempt to add roles to
1697: .Pa @sysconfdir@/sudoers .
1698: When this option is present,
1699: .Pa @sysconfdir@/sudoers
1700: does not even need to exist.
1701: Since this option tells
1702: .Nm sudo
1703: how to behave when no specific LDAP entries have been matched, this
1704: sudoOption is only meaningful for the
1705: .Li cn=defaults
1706: section.
1707: This flag is
1708: .Em off
1709: by default.
1710: .It insults
1711: If set,
1712: .Nm sudo
1713: will insult users when they enter an incorrect password.
1714: This flag is
1715: .Em @insults@
1716: by default.
1717: .It log_host
1718: If set, the host name will be logged in the (non-syslog)
1719: .Nm sudo
1720: log file.
1721: This flag is
1722: .Em off
1723: by default.
1724: .It log_input
1725: If set,
1726: .Nm sudo
1727: will run the command in a
1728: .Em pseudo tty
1729: and log all user input.
1730: If the standard input is not connected to the user's tty, due to
1731: I/O redirection or because the command is part of a pipeline, that
1732: input is also captured and stored in a separate log file.
1733: .Pp
1734: Input is logged to the directory specified by the
1735: .Em iolog_dir
1736: option
1737: .Po
1738: .Pa @iolog_dir@
1739: by default
1740: .Pc
1741: using a unique session ID that is included in the normal
1742: .Nm sudo
1743: log line, prefixed with
1744: .Dq Li TSID= .
1745: The
1746: .Em iolog_file
1747: option may be used to control the format of the session ID.
1748: .Pp
1749: Note that user input may contain sensitive information such as
1750: passwords (even if they are not echoed to the screen), which will
1751: be stored in the log file unencrypted.
1752: In most cases, logging the command output via
1753: .Em log_output
1754: is all that is required.
1755: .It log_output
1756: If set,
1757: .Nm sudo
1758: will run the command in a
1759: .Em pseudo tty
1760: and log all output that is sent to the screen, similar to the
1761: .Xr script 1
1762: command.
1763: If the standard output or standard error is not connected to the
1764: user's tty, due to I/O redirection or because the command is part
1765: of a pipeline, that output is also captured and stored in separate
1766: log files.
1767: .Pp
1768: Output is logged to the directory specified by the
1769: .Em iolog_dir
1770: option
1771: .Po
1772: .Pa @iolog_dir@
1773: by default
1774: .Pc
1775: using a unique session ID that is included in the normal
1776: .Nm sudo
1777: log line, prefixed with
1778: .Dq Li TSID= .
1779: The
1780: .Em iolog_file
1781: option may be used to control the format of the session ID.
1782: .Pp
1783: Output logs may be viewed with the
1784: .Xr sudoreplay @mansectsu@
1785: utility, which can also be used to list or search the available logs.
1786: .It log_year
1787: If set, the four-digit year will be logged in the (non-syslog)
1788: .Nm sudo
1789: log file.
1790: This flag is
1791: .Em off
1792: by default.
1793: .It long_otp_prompt
1794: When validating with a One Time Password (OTP) scheme such as
1795: .Sy S/Key
1796: or
1797: .Sy OPIE ,
1798: a two-line prompt is used to make it easier
1799: to cut and paste the challenge to a local window.
1800: It's not as pretty as the default but some people find it more convenient.
1801: This flag is
1802: .Em @long_otp_prompt@
1803: by default.
1804: .It mail_always
1805: Send mail to the
1806: .Em mailto
1807: user every time a users runs
1808: .Nm sudo .
1809: This flag is
1810: .Em off
1811: by default.
1812: .It mail_badpass
1813: Send mail to the
1814: .Em mailto
1815: user if the user running
1816: .Nm sudo
1817: does not enter the correct password.
1818: If the command the user is attempting to run is not permitted by
1819: .Em sudoers
1820: and one of the
1821: .Em mail_always ,
1822: .Em mail_no_host ,
1823: .Em mail_no_perms
1824: or
1825: .Em mail_no_user
1826: flags are set, this flag will have no effect.
1827: This flag is
1828: .Em off
1829: by default.
1830: .It mail_no_host
1831: If set, mail will be sent to the
1832: .Em mailto
1833: user if the invoking user exists in the
1834: .Em sudoers
1835: file, but is not allowed to run commands on the current host.
1836: This flag is
1837: .Em @mail_no_host@
1838: by default.
1839: .It mail_no_perms
1840: If set, mail will be sent to the
1841: .Em mailto
1842: user if the invoking user is allowed to use
1843: .Nm sudo
1844: but the command they are trying is not listed in their
1845: .Em sudoers
1846: file entry or is explicitly denied.
1847: This flag is
1848: .Em @mail_no_perms@
1849: by default.
1850: .It mail_no_user
1851: If set, mail will be sent to the
1852: .Em mailto
1853: user if the invoking user is not in the
1854: .Em sudoers
1855: file.
1856: This flag is
1857: .Em @mail_no_user@
1858: by default.
1859: .It noexec
1860: If set, all commands run via
1861: .Nm sudo
1862: will behave as if the
1863: .Li NOEXEC
1864: tag has been set, unless overridden by a
1865: .Li EXEC
1866: tag.
1867: See the description of
1868: .Em NOEXEC and EXEC
1869: below as well as the
1870: .Sx Preventing shell escapes
1871: section at the end of this manual.
1872: This flag is
1873: .Em off
1874: by default.
1875: .It path_info
1876: Normally,
1877: .Nm sudo
1878: will tell the user when a command could not be
1879: found in their
1880: .Ev PATH
1881: environment variable.
1882: Some sites may wish to disable this as it could be used to gather
1883: information on the location of executables that the normal user does
1884: not have access to.
1885: The disadvantage is that if the executable is simply not in the user's
1886: .Ev PATH ,
1887: .Nm sudo
1888: will tell the user that they are not allowed to run it, which can be confusing.
1889: This flag is
1890: .Em @path_info@
1891: by default.
1892: .It passprompt_override
1893: The password prompt specified by
1894: .Em passprompt
1895: will normally only be used if the password prompt provided by systems
1896: such as PAM matches the string
1897: .Dq Password: .
1898: If
1899: .Em passprompt_override
1900: is set,
1901: .Em passprompt
1902: will always be used.
1903: This flag is
1904: .Em off
1905: by default.
1906: .It preserve_groups
1907: By default,
1908: .Nm sudo
1909: will initialize the group vector to the list of groups the target user is in.
1910: When
1911: .Em preserve_groups
1912: is set, the user's existing group vector is left unaltered.
1913: The real and effective group IDs, however, are still set to match the
1914: target user.
1915: This flag is
1916: .Em off
1917: by default.
1918: .It pwfeedback
1919: By default,
1920: .Nm sudo
1921: reads the password like most other Unix programs,
1922: by turning off echo until the user hits the return (or enter) key.
1923: Some users become confused by this as it appears to them that
1924: .Nm sudo
1925: has hung at this point.
1926: When
1927: .Em pwfeedback
1928: is set,
1929: .Nm sudo
1930: will provide visual feedback when the user presses a key.
1931: Note that this does have a security impact as an onlooker may be able to
1932: determine the length of the password being entered.
1933: This flag is
1934: .Em off
1935: by default.
1936: .It requiretty
1937: If set,
1938: .Nm sudo
1939: will only run when the user is logged in to a real tty.
1940: When this flag is set,
1941: .Nm sudo
1942: can only be run from a login session and not via other means such as
1943: .Xr cron @mansectsu@
1944: or cgi-bin scripts.
1945: This flag is
1946: .Em off
1947: by default.
1948: .It root_sudo
1949: If set, root is allowed to run
1950: .Nm sudo
1951: too.
1952: Disabling this prevents users from
1953: .Dq chaining
1954: .Nm sudo
1955: commands to get a root shell by doing something like
1956: .Dq Li sudo sudo /bin/sh .
1957: Note, however, that turning off
1958: .Em root_sudo
1959: will also prevent root from running
1960: .Nm sudoedit .
1961: Disabling
1962: .Em root_sudo
1963: provides no real additional security; it exists purely for historical reasons.
1964: This flag is
1965: .Em @root_sudo@
1966: by default.
1967: .It rootpw
1968: If set,
1969: .Nm sudo
1970: will prompt for the root password instead of the password of the invoking user.
1971: This flag is
1972: .Em off
1973: by default.
1974: .It runaspw
1975: If set,
1976: .Nm sudo
1977: will prompt for the password of the user defined by the
1978: .Em runas_default
1979: option (defaults to
1980: .Li @runas_default@ )
1981: instead of the password of the invoking user.
1982: This flag is
1983: .Em off
1984: by default.
1985: .It set_home
1986: If enabled and
1987: .Nm sudo
1988: is invoked with the
1989: .Fl s
1990: option the
1991: .Ev HOME
1992: environment variable will be set to the home directory of the target
1993: user (which is root unless the
1994: .Fl u
1995: option is used).
1996: This effectively makes the
1997: .Fl s
1998: option imply
1999: .Fl H .
2000: Note that
2001: .Ev HOME
2002: is already set when the the
2003: .Em env_reset
2004: option is enabled, so
2005: .Em set_home
2006: is only effective for configurations where either
2007: .Em env_reset
2008: is disabled
2009: or
2010: .Ev HOME
2011: is present in the
2012: .Em env_keep
2013: list.
2014: This flag is
2015: .Em off
2016: by default.
2017: .It set_logname
2018: Normally,
2019: .Nm sudo
2020: will set the
2021: .Ev LOGNAME ,
2022: .Ev USER
2023: and
2024: .Ev USERNAME
2025: environment variables to the name of the target user (usually root unless the
2026: .Fl u
2027: option is given).
2028: However, since some programs (including the RCS revision control system) use
2029: .Ev LOGNAME
2030: to determine the real identity of the user, it may be desirable to
2031: change this behavior.
2032: This can be done by negating the set_logname option.
2033: Note that if the
2034: .Em env_reset
2035: option has not been disabled, entries in the
2036: .Em env_keep
2037: list will override the value of
2038: .Em set_logname .
2039: This flag is
2040: .Em on
2041: by default.
2042: .It set_utmp
2043: When enabled,
2044: .Nm sudo
2045: will create an entry in the utmp (or utmpx) file when a pseudo-tty
2046: is allocated.
2047: A pseudo-tty is allocated by
2048: .Nm sudo
2049: when the
2050: .Em log_input ,
2051: .Em log_output
2052: or
2053: .Em use_pty
2054: flags are enabled.
2055: By default, the new entry will be a copy of the user's existing utmp
2056: entry (if any), with the tty, time, type and pid fields updated.
2057: This flag is
2058: .Em on
2059: by default.
2060: .It setenv
2061: Allow the user to disable the
2062: .Em env_reset
2063: option from the command line via the
2064: .Fl E
2065: option.
2066: Additionally, environment variables set via the command line are
2067: not subject to the restrictions imposed by
2068: .Em env_check ,
2069: .Em env_delete ,
2070: or
2071: .Em env_keep .
2072: As such, only trusted users should be allowed to set variables in this manner.
2073: This flag is
2074: .Em off
2075: by default.
2076: .It shell_noargs
2077: If set and
2078: .Nm sudo
2079: is invoked with no arguments it acts as if the
2080: .Fl s
2081: option had been given.
2082: That is, it runs a shell as root (the shell is determined by the
2083: .Ev SHELL
2084: environment variable if it is set, falling back on the shell listed
2085: in the invoking user's /etc/passwd entry if not).
2086: This flag is
2087: .Em off
2088: by default.
2089: .It stay_setuid
2090: Normally, when
2091: .Nm sudo
2092: executes a command the real and effective UIDs are set to the target
2093: user (root by default).
2094: This option changes that behavior such that the real UID is left
2095: as the invoking user's UID.
2096: In other words, this makes
2097: .Nm sudo
2098: act as a setuid wrapper.
2099: This can be useful on systems that disable some potentially
2100: dangerous functionality when a program is run setuid.
2101: This option is only effective on systems that support either the
2102: .Xr setreuid 2
2103: or
2104: .Xr setresuid 2
2105: system call.
2106: This flag is
2107: .Em off
2108: by default.
2109: .It targetpw
2110: If set,
2111: .Nm sudo
2112: will prompt for the password of the user specified
2113: by the
2114: .Fl u
2115: option (defaults to
2116: .Li root )
2117: instead of the password of the invoking user.
2118: In addition, the time stamp file name will include the target user's name.
2119: Note that this flag precludes the use of a uid not listed in the passwd
2120: database as an argument to the
2121: .Fl u
2122: option.
2123: This flag is
2124: .Em off
2125: by default.
2126: .It tty_tickets
2127: If set, users must authenticate on a per-tty basis.
2128: With this flag enabled,
2129: .Nm sudo
2130: will use a file named for the tty the user is
2131: logged in on in the user's time stamp directory.
2132: If disabled, the time stamp of the directory is used instead.
2133: This flag is
2134: .Em @tty_tickets@
2135: by default.
2136: .It umask_override
2137: If set,
2138: .Nm sudo
2139: will set the umask as specified by
2140: .Em sudoers
2141: without modification.
2142: This makes it possible to specify a more permissive umask in
2143: .Em sudoers
2144: than the user's own umask and matches historical behavior.
2145: If
2146: .Em umask_override
2147: is not set,
2148: .Nm sudo
2149: will set the umask to be the union of the user's umask and what is specified in
2150: .Em sudoers .
2151: This flag is
2152: .Em @umask_override@
2153: by default.
2154: .It use_loginclass
2155: If set,
2156: .Nm sudo
2157: will apply the defaults specified for the target user's login class
2158: if one exists.
2159: Only available if
2160: .Nm sudo
2161: is configured with the
2162: .Li --with-logincap
2163: option.
2164: This flag is
2165: .Em off
2166: by default.
2167: .It use_pty
2168: If set,
2169: .Nm sudo
2170: will run the command in a pseudo-pty even if no I/O logging is being gone.
2171: A malicious program run under
2172: .Nm sudo
2173: could conceivably fork a background process that retains to the user's
2174: terminal device after the main program has finished executing.
2175: Use of this option will make that impossible.
2176: This flag is
2177: .Em off
2178: by default.
2179: .It utmp_runas
2180: If set,
2181: .Nm sudo
2182: will store the name of the runas user when updating the utmp (or utmpx) file.
2183: By default,
2184: .Nm sudo
2185: stores the name of the invoking user.
2186: This flag is
2187: .Em off
2188: by default.
2189: .It visiblepw
2190: By default,
2191: .Nm sudo
2192: will refuse to run if the user must enter a password but it is not
2193: possible to disable echo on the terminal.
2194: If the
2195: .Em visiblepw
2196: flag is set,
2197: .Nm sudo
2198: will prompt for a password even when it would be visible on the screen.
2199: This makes it possible to run things like
2200: .Dq Li ssh somehost sudo ls
2201: since by default,
2202: .Xr ssh 1
2203: does
2204: not allocate a tty when running a command.
2205: This flag is
2206: .Em off
2207: by default.
2208: .El
2209: .Pp
2210: .Sy Integers :
2211: .Bl -tag -width 16n
2212: .It closefrom
2213: Before it executes a command,
2214: .Nm sudo
2215: will close all open file descriptors other than standard input,
2216: standard output and standard error (ie: file descriptors 0-2).
2217: The
2218: .Em closefrom
2219: option can be used to specify a different file descriptor at which
2220: to start closing.
2221: The default is
2222: .Li 3 .
2223: .It passwd_tries
2224: The number of tries a user gets to enter his/her password before
2225: .Nm sudo
2226: logs the failure and exits.
2227: The default is
2228: .Li @passwd_tries@ .
2229: .El
2230: .Pp
2231: .Sy Integers that can be used in a boolean context :
2232: .Bl -tag -width 16n
2233: .It loglinelen
2234: Number of characters per line for the file log.
2235: This value is used to decide when to wrap lines for nicer log files.
2236: This has no effect on the syslog log file, only the file log.
2237: The default is
2238: .Li @loglen@
2239: (use 0 or negate the option to disable word wrap).
2240: .It passwd_timeout
2241: Number of minutes before the
2242: .Nm sudo
2243: password prompt times out, or
2244: .Li 0
2245: for no timeout.
2246: The timeout may include a fractional component
2247: if minute granularity is insufficient, for example
2248: .Li 2.5 .
2249: The
2250: default is
2251: .Li @password_timeout@ .
2252: .It timestamp_timeout
2253: Number of minutes that can elapse before
2254: .Nm sudo
2255: will ask for a passwd again.
2256: The timeout may include a fractional component if
2257: minute granularity is insufficient, for example
2258: .Li 2.5 .
2259: The default is
2260: .Li @timeout@ .
2261: Set this to
2262: .Li 0
2263: to always prompt for a password.
2264: If set to a value less than
2265: .Li 0
2266: the user's time stamp will never expire.
2267: This can be used to allow users to create or delete their own time stamps via
2268: .Dq Li sudo -v
2269: and
2270: .Dq Li sudo -k
2271: respectively.
2272: .It umask
2273: Umask to use when running the command.
2274: Negate this option or set it to 0777 to preserve the user's umask.
2275: The actual umask that is used will be the union of the user's umask
2276: and the value of the
2277: .Em umask
2278: option, which defaults to
2279: .Li @sudo_umask@ .
2280: This guarantees
2281: that
2282: .Nm sudo
2283: never lowers the umask when running a command.
2284: Note: on systems that use PAM, the default PAM configuration may specify
2285: its own umask which will override the value set in
2286: .Em sudoers .
2287: .El
2288: .Pp
2289: .Sy Strings :
2290: .Bl -tag -width 16n
2291: .It badpass_message
2292: Message that is displayed if a user enters an incorrect password.
2293: The default is
2294: .Li @badpass_message@
2295: unless insults are enabled.
2296: .It editor
2297: A colon
2298: .Pq Ql :\&
2299: separated list of editors allowed to be used with
2300: .Nm visudo .
2301: .Nm visudo
2302: will choose the editor that matches the user's
2303: .Ev EDITOR
2304: environment variable if possible, or the first editor in the
2305: list that exists and is executable.
2306: The default is
2307: .Pa @editor@ .
2308: .It iolog_dir
2309: The top-level directory to use when constructing the path name for
2310: the input/output log directory.
2311: Only used if the
2312: .Em log_input
2313: or
2314: .Em log_output
2315: options are enabled or when the
2316: .Li LOG_INPUT
2317: or
2318: .Li LOG_OUTPUT
2319: tags are present for a command.
2320: The session sequence number, if any, is stored in the directory.
2321: The default is
2322: .Pa @iolog_dir@ .
2323: .Pp
2324: The following percent
2325: .Pq Ql %
2326: escape sequences are supported:
2327: .Bl -tag -width 4n
2328: .It Li %{seq}
2329: expanded to a monotonically increasing base-36 sequence number, such as 0100A5,
2330: where every two digits are used to form a new directory, e.g.\&
2331: .Pa 01/00/A5
2332: .It Li %{user}
2333: expanded to the invoking user's login name
2334: .It Li %{group}
2335: expanded to the name of the invoking user's real group ID
2336: .It Li %{runas_user}
2337: expanded to the login name of the user the command will
2338: be run as (e.g.\& root)
2339: .It Li %{runas_group}
2340: expanded to the group name of the user the command will
2341: be run as (e.g.\& wheel)
2342: .It Li %{hostname}
2343: expanded to the local host name without the domain name
2344: .It Li %{command}
2345: expanded to the base name of the command being run
2346: .El
2347: .Pp
2348: In addition, any escape sequences supported by the system's
2349: .Xr strftime 3
2350: function will be expanded.
2351: .Pp
2352: To include a literal
2353: .Ql %
2354: character, the string
2355: .Ql %%
2356: should be used.
2357: .It iolog_file
2358: The path name, relative to
2359: .Em iolog_dir ,
2360: in which to store input/output logs when the
2361: .Em log_input
2362: or
2363: .Em log_output
2364: options are enabled or when the
2365: .Li LOG_INPUT
2366: or
2367: .Li LOG_OUTPUT
2368: tags are present for a command.
2369: Note that
2370: .Em iolog_file
2371: may contain directory components.
2372: The default is
2373: .Dq Li %{seq} .
2374: .Pp
2375: See the
2376: .Em iolog_dir
2377: option above for a list of supported percent
2378: .Pq Ql %
2379: escape sequences.
2380: .Pp
2381: In addition to the escape sequences, path names that end in six or
2382: more
2383: .Li X Ns No s
2384: will have the
2385: .Li X Ns No s
2386: replaced with a unique combination of digits and letters, similar to the
2387: .Xr mktemp 3
2388: function.
2389: .It limitprivs
2390: The default Solaris limit privileges to use when constructing a new
2391: privilege set for a command.
2392: This bounds all privileges of the executing process.
2393: The default limit privileges may be overridden on a per-command basis in
2394: .Em sudoers .
2395: This option is only available if
2396: .Nm
2397: is built on Solaris 10 or higher.
2398: .It mailsub
2399: Subject of the mail sent to the
2400: .Em mailto
2401: user.
2402: The escape
2403: .Li %h
2404: will expand to the host name of the machine.
2405: Default is
2406: .Dq Li @mailsub@ .
2407: .It noexec_file
2408: This option is no longer supported.
2409: The path to the noexec file should now be set in the
2410: .Pa @sysconfdir@/sudo.conf
2411: file.
2412: .It passprompt
2413: The default prompt to use when asking for a password; can be overridden via the
2414: .Fl p
2415: option or the
2416: .Ev SUDO_PROMPT
2417: environment variable.
2418: The following percent
2419: .Pq Ql %
2420: escape sequences are supported:
2421: .Bl -tag -width 4n
2422: .It Li %H
2423: expanded to the local host name including the domain name
2424: (only if the machine's host name is fully qualified or the
2425: .Em fqdn
2426: option is set)
2427: .It Li %h
2428: expanded to the local host name without the domain name
2429: .It Li %p
2430: expanded to the user whose password is being asked for (respects the
2431: .Em rootpw ,
2432: .Em targetpw
2433: and
2434: .Em runaspw
2435: flags in
2436: .Em sudoers )
2437: .It Li \&%U
2438: expanded to the login name of the user the command will
2439: be run as (defaults to root)
2440: .It Li %u
2441: expanded to the invoking user's login name
2442: .It Li %%
2443: two consecutive
2444: .Li %
2445: characters are collapsed into a single
2446: .Li %
2447: character
2448: .El
2449: .Pp
2450: The default value is
2451: .Dq Li @passprompt@ .
2452: .It privs
2453: The default Solaris privileges to use when constructing a new
2454: privilege set for a command.
2455: This is passed to the executing process via the inherited privilege set,
2456: but is bounded by the limit privileges.
2457: If the
2458: .Em privs
2459: option is specified but the
2460: .Em limitprivs
2461: option is not, the limit privileges of the executing process is set to
2462: .Em privs .
2463: The default privileges may be overridden on a per-command basis in
2464: .Em sudoers .
2465: This option is only available if
2466: .Nm
2467: is built on Solaris 10 or higher.
2468: .It role
2469: The default SELinux role to use when constructing a new security
2470: context to run the command.
2471: The default role may be overridden on a per-command basis in
2472: .Em sudoers
2473: or via command line options.
2474: This option is only available when
2475: .Nm sudo
2476: is built with SELinux support.
2477: .It runas_default
2478: The default user to run commands as if the
2479: .Fl u
2480: option is not specified on the command line.
2481: This defaults to
2482: .Li @runas_default@ .
2483: .It syslog_badpri
2484: Syslog priority to use when user authenticates unsuccessfully.
2485: Defaults to
2486: .Li @badpri@ .
2487: .Pp
2488: The following syslog priorities are supported:
2489: .Sy alert ,
2490: .Sy crit ,
2491: .Sy debug ,
2492: .Sy emerg ,
2493: .Sy err ,
2494: .Sy info ,
2495: .Sy notice ,
2496: and
2497: .Sy warning .
2498: .It syslog_goodpri
2499: Syslog priority to use when user authenticates successfully.
2500: Defaults to
2501: .Li @goodpri@ .
2502: .Pp
2503: See
2504: .Sx syslog_badpri
2505: for the list of supported syslog priorities.
2506: .It sudoers_locale
2507: Locale to use when parsing the sudoers file, logging commands, and
2508: sending email.
2509: Note that changing the locale may affect how sudoers is interpreted.
2510: Defaults to
2511: .Dq Li C .
2512: .It timestampdir
2513: The directory in which
2514: .Nm sudo
2515: stores its time stamp files.
2516: The default is
2517: .Pa @timedir@ .
2518: .It timestampowner
2519: The owner of the time stamp directory and the time stamps stored therein.
2520: The default is
2521: .Li root .
2522: .It type
2523: The default SELinux type to use when constructing a new security
2524: context to run the command.
2525: The default type may be overridden on a per-command basis in
2526: .Em sudoers
2527: or via command line options.
2528: This option is only available when
2529: .Nm sudo
2530: is built with SELinux support.
2531: .El
2532: .Pp
2533: .Sy Strings that can be used in a boolean context :
2534: .Bl -tag -width 12n
2535: .It env_file
2536: The
2537: .Em env_file
2538: option specifies the fully qualified path to a file containing variables
2539: to be set in the environment of the program being run.
2540: Entries in this file should either be of the form
2541: .Dq Li VARIABLE=value
2542: or
2543: .Dq Li export VARIABLE=value .
2544: The value may optionally be surrounded by single or double quotes.
2545: Variables in this file are subject to other
2546: .Nm sudo
2547: environment settings such as
2548: .Em env_keep
2549: and
2550: .Em env_check .
2551: .It exempt_group
2552: Users in this group are exempt from password and PATH requirements.
2553: The group name specified should not include a
2554: .Li %
2555: prefix.
2556: This is not set by default.
2557: .It group_plugin
2558: A string containing a
2559: .Em sudoers
2560: group plugin with optional arguments.
2561: This can be used to implement support for the
2562: .Li nonunix_group
2563: syntax described earlier.
2564: The string should consist of the plugin
2565: path, either fully-qualified or relative to the
2566: .Pa @prefix@/libexec
2567: directory, followed by any configuration arguments the plugin requires.
2568: These arguments (if any) will be passed to the plugin's initialization function.
2569: If arguments are present, the string must be enclosed in double quotes
2570: .Pq \&"" .
2571: .Pp
2572: For example, given
2573: .Pa /etc/sudo-group ,
2574: a group file in Unix group format, the sample group plugin can be used:
2575: .Bd -literal
2576: Defaults group_plugin="sample_group.so /etc/sudo-group"
2577: .Ed
2578: .Pp
2579: For more information see
2580: .Xr sudo_plugin @mansectform@ .
2581: .It lecture
2582: This option controls when a short lecture will be printed along with
2583: the password prompt.
2584: It has the following possible values:
2585: .Bl -tag -width 6n
2586: .It always
2587: Always lecture the user.
2588: .It never
2589: Never lecture the user.
2590: .It once
2591: Only lecture the user the first time they run
2592: .Nm sudo .
2593: .El
2594: .Pp
2595: If no value is specified, a value of
2596: .Em once
2597: is implied.
2598: Negating the option results in a value of
2599: .Em never
2600: being used.
2601: The default value is
2602: .Em @lecture@ .
2603: .It lecture_file
2604: Path to a file containing an alternate
2605: .Nm sudo
2606: lecture that will be used in place of the standard lecture if the named
2607: file exists.
2608: By default,
2609: .Nm sudo
2610: uses a built-in lecture.
2611: .It listpw
2612: This option controls when a password will be required when a user runs
2613: .Nm sudo
2614: with the
2615: .Fl l
2616: option.
2617: It has the following possible values:
2618: .Bl -tag -width 8n
2619: .It all
2620: All the user's
2621: .Em sudoers
2622: entries for the current host must have
2623: the
2624: .Li NOPASSWD
2625: flag set to avoid entering a password.
2626: .It always
2627: The user must always enter a password to use the
2628: .Fl l
2629: option.
2630: .It any
2631: At least one of the user's
2632: .Em sudoers
2633: entries for the current host
2634: must have the
2635: .Li NOPASSWD
2636: flag set to avoid entering a password.
2637: .It never
2638: The user need never enter a password to use the
2639: .Fl l
2640: option.
2641: .El
2642: .Pp
2643: If no value is specified, a value of
2644: .Em any
2645: is implied.
2646: Negating the option results in a value of
2647: .Em never
2648: being used.
2649: The default value is
2650: .Em any .
2651: .It logfile
2652: Path to the
2653: .Nm sudo
2654: log file (not the syslog log file).
2655: Setting a path turns on logging to a file;
2656: negating this option turns it off.
2657: By default,
2658: .Nm sudo
2659: logs via syslog.
2660: .It mailerflags
2661: Flags to use when invoking mailer. Defaults to
2662: .Fl t .
2663: .It mailerpath
2664: Path to mail program used to send warning mail.
2665: Defaults to the path to sendmail found at configure time.
2666: .It mailfrom
2667: Address to use for the
2668: .Dq from
2669: address when sending warning and error mail.
2670: The address should be enclosed in double quotes
2671: .Pq \&""
2672: to protect against
2673: .Nm sudo
2674: interpreting the
2675: .Li @
2676: sign.
2677: Defaults to the name of the user running
2678: .Nm sudo .
2679: .It mailto
2680: Address to send warning and error mail to.
2681: The address should be enclosed in double quotes
2682: .Pq \&""
2683: to protect against
2684: .Nm sudo
2685: interpreting the
2686: .Li @
2687: sign.
2688: Defaults to
2689: .Li @mailto@ .
2690: .It secure_path
2691: Path used for every command run from
2692: .Nm sudo .
2693: If you don't trust the
2694: people running
2695: .Nm sudo
2696: to have a sane
2697: .Ev PATH
2698: environment variable you may want to use this.
2699: Another use is if you want to have the
2700: .Dq root path
2701: be separate from the
2702: .Dq user path .
2703: Users in the group specified by the
2704: .Em exempt_group
2705: option are not affected by
2706: .Em secure_path .
2707: This option is @secure_path@ by default.
2708: .It syslog
2709: Syslog facility if syslog is being used for logging (negate to
2710: disable syslog logging).
2711: Defaults to
2712: .Li @logfac@ .
2713: .Pp
2714: The following syslog facilities are supported:
2715: .Sy authpriv
2716: (if your
2717: OS supports it),
2718: .Sy auth ,
2719: .Sy daemon ,
2720: .Sy user ,
2721: .Sy local0 ,
2722: .Sy local1 ,
2723: .Sy local2 ,
2724: .Sy local3 ,
2725: .Sy local4 ,
2726: .Sy local5 ,
2727: .Sy local6 ,
2728: and
2729: .Sy local7 .
2730: .It verifypw
2731: This option controls when a password will be required when a user runs
2732: .Nm sudo
2733: with the
2734: .Fl v
2735: option.
2736: It has the following possible values:
2737: .Bl -tag -width 6n
2738: .It all
2739: All the user's
2740: .Em sudoers
2741: entries for the current host must have the
2742: .Li NOPASSWD
2743: flag set to avoid entering a password.
2744: .It always
2745: The user must always enter a password to use the
2746: .Fl v
2747: option.
2748: .It any
2749: At least one of the user's
2750: .Em sudoers
2751: entries for the current host must have the
2752: .Li NOPASSWD
2753: flag set to avoid entering a password.
2754: .It never
2755: The user need never enter a password to use the
2756: .Fl v
2757: option.
2758: .El
2759: .Pp
2760: If no value is specified, a value of
2761: .Em all
2762: is implied.
2763: Negating the option results in a value of
2764: .Em never
2765: being used.
2766: The default value is
2767: .Em all .
2768: .El
2769: .Pp
2770: .Sy Lists that can be used in a boolean context :
2771: .Bl -tag -width 16n
2772: .It env_check
2773: Environment variables to be removed from the user's environment if
2774: the variable's value contains
2775: .Ql %
2776: or
2777: .Ql /
2778: characters.
2779: This can be used to guard against printf-style format vulnerabilities
2780: in poorly-written programs.
2781: The argument may be a double-quoted, space-separated list or a
2782: single value without double-quotes.
2783: The list can be replaced, added to, deleted from, or disabled by using
2784: the
2785: .Li = ,
2786: .Li += ,
2787: .Li -= ,
2788: and
2789: .Li \&!
2790: operators respectively.
2791: Regardless of whether the
2792: .Li env_reset
2793: option is enabled or disabled, variables specified by
2794: .Li env_check
2795: will be preserved in the environment if they pass the aforementioned check.
2796: The default list of environment variables to check is displayed when
2797: .Nm sudo
2798: is run by root with
2799: the
2800: .Fl V
2801: option.
2802: .It env_delete
2803: Environment variables to be removed from the user's environment when the
2804: .Em env_reset
2805: option is not in effect.
2806: The argument may be a double-quoted, space-separated list or a
2807: single value without double-quotes.
2808: The list can be replaced, added to, deleted from, or disabled by using the
2809: .Li = ,
2810: .Li += ,
2811: .Li -= ,
2812: and
2813: .Li \&!
2814: operators respectively.
2815: The default list of environment variables to remove is displayed when
2816: .Nm sudo
2817: is run by root with the
2818: .Fl V
2819: option.
2820: Note that many operating systems will remove potentially dangerous
2821: variables from the environment of any setuid process (such as
2822: .Nm sudo ) .
2823: .It env_keep
2824: Environment variables to be preserved in the user's environment when the
2825: .Em env_reset
2826: option is in effect.
2827: This allows fine-grained control over the environment
2828: .Nm sudo Ns No -spawned
2829: processes will receive.
2830: The argument may be a double-quoted, space-separated list or a
2831: single value without double-quotes.
2832: The list can be replaced, added to, deleted from, or disabled by using the
2833: .Li = ,
2834: .Li += ,
2835: .Li -= ,
2836: and
2837: .Li \&!
2838: operators respectively.
2839: The default list of variables to keep
2840: is displayed when
2841: .Nm sudo
2842: is run by root with the
2843: .Fl V
2844: option.
2845: .El
2846: .Sh LOG FORMAT
2847: .Nm sudoers
2848: can log events using either
2849: .Xr syslog 3
2850: or a simple log file.
2851: In each case the log format is almost identical.
2852: .Ss Accepted command log entries
2853: Commands that sudo runs are logged using the following format (split
2854: into multiple lines for readability):
2855: .Bd -literal -offset 4n
2856: date hostname progname: username : TTY=ttyname ; PWD=cwd ; \e
2857: USER=runasuser ; GROUP=runasgroup ; TSID=logid ; \e
2858: ENV=env_vars COMMAND=command
2859: .Ed
2860: .Pp
2861: Where the fields are as follows:
2862: .Bl -tag -width 12n
2863: .It date
2864: The date the command was run.
2865: Typically, this is in the format
2866: .Dq MMM, DD, HH:MM:SS .
2867: If logging via
2868: .Xr syslog 3 ,
2869: the actual date format is controlled by the syslog daemon.
2870: If logging to a file and the
2871: .Em log_year
2872: option is enabled,
2873: the date will also include the year.
2874: .It hostname
2875: The name of the host
2876: .Nm sudo
2877: was run on.
2878: This field is only present when logging via
2879: .Xr syslog 3 .
2880: .It progname
2881: The name of the program, usually
2882: .Em sudo
2883: or
2884: .Em sudoedit .
2885: This field is only present when logging via
2886: .Xr syslog 3 .
2887: .It username
2888: The login name of the user who ran
2889: .Nm sudo .
2890: .It ttyname
2891: The short name of the terminal (e.g.\&
2892: .Dq console ,
2893: .Dq tty01 ,
2894: or
2895: .Dq pts/0 )
2896: .Nm sudo
2897: was run on, or
2898: .Dq unknown
2899: if there was no terminal present.
2900: .It cwd
2901: The current working directory that
2902: .Nm sudo
2903: was run in.
2904: .It runasuser
2905: The user the command was run as.
2906: .It runasgroup
2907: The group the command was run as if one was specified on the command line.
2908: .It logid
2909: An I/O log identifier that can be used to replay the command's output.
2910: This is only present when the
2911: .Em log_input
2912: or
2913: .Em log_output
2914: option is enabled.
2915: .It env_vars
2916: A list of environment variables specified on the command line,
2917: if specified.
2918: .It command
2919: The actual command that was executed.
2920: .El
2921: .Pp
2922: Messages are logged using the locale specified by
2923: .Em sudoers_locale ,
2924: which defaults to the
2925: .Dq Li C
2926: locale.
2927: .Ss Denied command log entries
2928: If the user is not allowed to run the command, the reason for the denial
2929: will follow the user name.
2930: Possible reasons include:
2931: .Bl -tag -width 4
2932: .It user NOT in sudoers
2933: The user is not listed in the
2934: .Em sudoers
2935: file.
2936: .It user NOT authorized on host
2937: The user is listed in the
2938: .Em sudoers
2939: file but is not allowed to run commands on the host.
2940: .It command not allowed
2941: The user is listed in the
2942: .Em sudoers
2943: file for the host but they are not allowed to run the specified command.
2944: .It 3 incorrect password attempts
2945: The user failed to enter their password after 3 tries.
2946: The actual number of tries will vary based on the number of
2947: failed attempts and the value of the
2948: .Em passwd_tries
2949: option.
2950: .It a password is required
2951: .Nm sudo Ns No 's
2952: .Fl n
2953: option was specified but a password was required.
2954: .It sorry, you are not allowed to set the following environment variables
2955: The user specified environment variables on the command line that
2956: were not allowed by
2957: .Em sudoers .
2958: .El
2959: .Ss Error log entries
2960: If an error occurs,
2961: .Nm sudoers
2962: will log a message and, in most cases, send a message to the
2963: administrator via email.
2964: Possible errors include:
2965: .Bl -tag -width 4
2966: .It parse error in @sysconfdir@/sudoers near line N
2967: .Nm sudoers
2968: encountered an error when parsing the specified file.
2969: In some cases, the actual error may be one line above or below the
2970: line number listed, depending on the type of error.
2971: .It problem with defaults entries
2972: The
2973: .Em sudoers
2974: file contains one or more unknown Defaults settings.
2975: This does not prevent
2976: .Nm sudo
2977: from running, but the
2978: .Em sudoers
2979: file should be checked using
2980: .Nm visudo .
2981: .It timestamp owner (username): \&No such user
2982: The time stamp directory owner, as specified by the
2983: .Em timestampowner
2984: setting, could not be found in the password database.
2985: .It unable to open/read @sysconfdir@/sudoers
2986: The
2987: .Em sudoers
2988: file could not be opened for reading.
2989: This can happen when the
2990: .Em sudoers
2991: file is located on a remote file system that maps user ID 0 to
2992: a different value.
2993: Normally,
2994: .Nm sudoers
2995: tries to open
2996: .Em sudoers
2997: using group permissions to avoid this problem.
2998: Consider changing the ownership of
2999: .Pa @sysconfdir@/sudoers
3000: by adding an option like
3001: .Dq sudoers_uid=N
3002: (where
3003: .Sq N
3004: is the user ID that owns the
3005: .Em sudoers
3006: file) to the
3007: .Nm sudoers
3008: plugin line in the
3009: .Pa @sysconfdir@/sudo.conf
3010: file.
3011: .It unable to stat @sysconfdir@/sudoers
3012: The
3013: .Pa @sysconfdir@/sudoers
3014: file is missing.
3015: .It @sysconfdir@/sudoers is not a regular file
3016: The
3017: .Pa @sysconfdir@/sudoers
3018: file exists but is not a regular file or symbolic link.
3019: .It @sysconfdir@/sudoers is owned by uid N, should be 0
3020: The
3021: .Em sudoers
3022: file has the wrong owner.
3023: If you wish to change the
3024: .Em sudoers
3025: file owner, please add
3026: .Dq sudoers_uid=N
3027: (where
3028: .Sq N
3029: is the user ID that owns the
3030: .Em sudoers
3031: file) to the
3032: .Nm sudoers
3033: plugin line in the
3034: .Pa @sysconfdir@/sudo.conf
3035: file.
3036: .It @sysconfdir@/sudoers is world writable
3037: The permissions on the
3038: .Em sudoers
3039: file allow all users to write to it.
3040: The
3041: .Em sudoers
3042: file must not be world-writable, the default file mode
3043: is 0440 (readable by owner and group, writable by none).
3044: The default mode may be changed via the
3045: .Dq sudoers_mode
3046: option to the
3047: .Nm sudoers
3048: plugin line in the
3049: .Pa @sysconfdir@/sudo.conf
3050: file.
3051: .It @sysconfdir@/sudoers is owned by gid N, should be 1
3052: The
3053: .Em sudoers
3054: file has the wrong group ownership.
3055: If you wish to change the
3056: .Em sudoers
3057: file group ownership, please add
3058: .Dq sudoers_gid=N
3059: (where
3060: .Sq N
3061: is the group ID that owns the
3062: .Em sudoers
3063: file) to the
3064: .Nm sudoers
3065: plugin line in the
3066: .Pa @sysconfdir@/sudo.conf
3067: file.
3068: .It unable to open @timedir@/username/ttyname
3069: .Em sudoers
3070: was unable to read or create the user's time stamp file.
3071: .It unable to write to @timedir@/username/ttyname
3072: .Em sudoers
3073: was unable to write to the user's time stamp file.
3074: .It unable to mkdir to @timedir@/username
3075: .Em sudoers
3076: was unable to create the user's time stamp directory.
3077: .El
3078: .Ss Notes on logging via syslog
3079: By default,
3080: .Em sudoers
3081: logs messages via
3082: .Xr syslog 3 .
3083: The
3084: .Em date ,
3085: .Em hostname ,
3086: and
3087: .Em progname
3088: fields are added by the syslog daemon, not
3089: .Em sudoers
3090: itself.
3091: As such, they may vary in format on different systems.
3092: .Pp
3093: On most systems,
3094: .Xr syslog 3
3095: has a relatively small log buffer.
3096: To prevent the command line arguments from being truncated,
3097: .Nm sudoers
3098: will split up log messages that are larger than 960 characters
3099: (not including the date, hostname, and the string
3100: .Dq sudo ) .
3101: When a message is split, additional parts will include the string
3102: .Dq Pq command continued
3103: after the user name and before the continued command line arguments.
3104: .Ss Notes on logging to a file
3105: If the
3106: .Em logfile
3107: option is set,
3108: .Em sudoers
3109: will log to a local file, such as
3110: .Pa /var/log/sudo .
3111: When logging to a file,
3112: .Em sudoers
3113: uses a format similar to
3114: .Xr syslog 3 ,
3115: with a few important differences:
3116: .Bl -enum
3117: .It
3118: The
3119: .Em progname
3120: and
3121: .Em hostname
3122: fields are not present.
3123: .It
3124: If the
3125: .Em log_year
3126: option is enabled,
3127: the date will also include the year.
3128: .It
3129: Lines that are longer than
3130: .Em loglinelen
3131: characters (80 by default) are word-wrapped and continued on the
3132: next line with a four character indent.
3133: This makes entries easier to read for a human being, but makes it
3134: more difficult to use
3135: .Xr grep 1
3136: on the log files.
3137: If the
3138: .Em loglinelen
3139: option is set to 0 (or negated with a
3140: .Ql \&! ) ,
3141: word wrap will be disabled.
3142: .El
3143: .Sh SUDO.CONF
3144: The
3145: .Pa @sysconfdir@/sudo.conf
3146: file determines which plugins the
3147: .Nm sudo
3148: front end will load.
3149: If no
3150: .Pa @sysconfdir@/sudo.conf
3151: file
3152: is present, or it contains no
3153: .Li Plugin
3154: lines,
3155: .Nm sudo
3156: will use the
3157: .Em sudoers
3158: security policy and I/O logging, which corresponds to the following
3159: .Pa @sysconfdir@/sudo.conf
3160: file.
3161: .Bd -literal
3162: #
3163: # Default @sysconfdir@/sudo.conf file
3164: #
3165: # Format:
3166: # Plugin plugin_name plugin_path plugin_options ...
3167: # Path askpass /path/to/askpass
3168: # Path noexec /path/to/sudo_noexec.so
3169: # Debug sudo /var/log/sudo_debug all@warn
3170: # Set disable_coredump true
3171: #
3172: # The plugin_path is relative to @prefix@/libexec unless
3173: # fully qualified.
3174: # The plugin_name corresponds to a global symbol in the plugin
3175: # that contains the plugin interface structure.
3176: # The plugin_options are optional.
3177: #
3178: Plugin policy_plugin sudoers.so
3179: Plugin io_plugin sudoers.so
3180: .Ed
3181: .Ss Plugin options
3182: Starting with
3183: .Nm sudo
3184: 1.8.5, it is possible to pass options to the
3185: .Em sudoers
3186: plugin.
3187: Options may be listed after the path to the plugin (i.e.\& after
3188: .Pa sudoers.so ) ;
3189: multiple options should be space-separated.
3190: For example:
3191: .Bd -literal
3192: Plugin sudoers_policy sudoers.so sudoers_file=/etc/sudoers sudoers_uid=0 sudoers_gid=0 sudoers_mode=0440
3193: .Ed
3194: .Pp
3195: The following plugin options are supported:
3196: .Bl -tag -width 8n
3197: .It sudoers_file=pathname
3198: The
3199: .Em sudoers_file
3200: option can be used to override the default path
3201: to the
3202: .Em sudoers
3203: file.
3204: .It sudoers_uid=uid
3205: The
3206: .Em sudoers_uid
3207: option can be used to override the default owner of the sudoers file.
3208: It should be specified as a numeric user ID.
3209: .It sudoers_gid=gid
3210: The
3211: .Em sudoers_gid
3212: option can be used to override the default group of the sudoers file.
3213: It should be specified as a numeric group ID.
3214: .It sudoers_mode=mode
3215: The
3216: .Em sudoers_mode
3217: option can be used to override the default file mode for the sudoers file.
3218: It should be specified as an octal value.
3219: .El
3220: .Ss Debug flags
3221: Versions 1.8.4 and higher of the
3222: .Em sudoers
3223: plugin supports a debugging framework that can help track down what the
3224: plugin is doing internally if there is a problem.
3225: This can be configured in the
3226: .Pa @sysconfdir@/sudo.conf
3227: file as described in
3228: .Xr sudo @mansectsu@ .
3229: .Pp
3230: The
3231: .Em sudoers
3232: plugin uses the same debug flag format as the
3233: .Nm sudo
3234: front-end:
3235: .Em subsystem Ns No @ Ns Em priority .
3236: .Pp
3237: The priorities used by
3238: .Em sudoers ,
3239: in order of decreasing severity,
3240: are:
3241: .Em crit ,
3242: .Em err ,
3243: .Em warn ,
3244: .Em notice ,
3245: .Em diag ,
3246: .Em info ,
3247: .Em trace
3248: and
3249: .Em debug .
3250: Each priority, when specified, also includes all priorities higher than it.
3251: For example, a priority of
3252: .Em notice
3253: would include debug messages logged at
3254: .Em notice
3255: and higher.
3256: .Pp
3257: The following subsystems are used by
3258: .Em sudoers :
3259: .Bl -tag -width 8n
3260: .It Em alias
3261: .Li User_Alias ,
3262: .Li Runas_Alias ,
3263: .Li Host_Alias
3264: and
3265: .Li Cmnd_Alias
3266: processing
3267: .It Em all
3268: matches every subsystem
3269: .It Em audit
3270: BSM and Linux audit code
3271: .It Em auth
3272: user authentication
3273: .It Em defaults
3274: .Em sudoers
3275: .Em Defaults
3276: settings
3277: .It Em env
3278: environment handling
3279: .It Em ldap
3280: LDAP-based sudoers
3281: .It Em logging
3282: logging support
3283: .It Em match
3284: matching of users, groups, hosts and netgroups in
3285: .Em sudoers
3286: .It Em netif
3287: network interface handling
3288: .It Em nss
3289: network service switch handling in
3290: .Em sudoers
3291: .It Em parser
3292: .Em sudoers
3293: file parsing
3294: .It Em perms
3295: permission setting
3296: .It Em plugin
3297: The equivalent of
3298: .Em main
3299: for the plugin.
3300: .It Em pty
3301: pseudo-tty related code
3302: .It Em rbtree
3303: redblack tree internals
3304: .It Em util
3305: utility functions
3306: .El
3307: .Sh FILES
3308: .Bl -tag -width 24n
3309: .It Pa @sysconfdir@/sudo.conf
3310: Sudo front end configuration
3311: .It Pa @sysconfdir@/sudoers
3312: List of who can run what
3313: .It Pa /etc/group
3314: Local groups file
3315: .It Pa /etc/netgroup
3316: List of network groups
3317: .It Pa @iolog_dir@
3318: I/O log files
3319: .It Pa @timedir@
3320: Directory containing time stamps for the
3321: .Em sudoers
3322: security policy
3323: .It Pa /etc/environment
3324: Initial environment for
3325: .Fl i
3326: mode on AIX and Linux systems
3327: .El
3328: .Sh EXAMPLES
3329: Below are example
3330: .Em sudoers
3331: entries.
3332: Admittedly, some of these are a bit contrived.
3333: First, we allow a few environment variables to pass and then define our
3334: .Em aliases :
3335: .Bd -literal
3336: # Run X applications through sudo; HOME is used to find the
3337: # .Xauthority file. Note that other programs use HOME to find
3338: # configuration files and this may lead to privilege escalation!
3339: Defaults env_keep += "DISPLAY HOME"
3340:
3341: # User alias specification
3342: User_Alias FULLTIMERS = millert, mikef, dowdy
3343: User_Alias PARTTIMERS = bostley, jwfox, crawl
3344: User_Alias WEBMASTERS = will, wendy, wim
3345:
3346: # Runas alias specification
3347: Runas_Alias OP = root, operator
3348: Runas_Alias DB = oracle, sybase
3349: Runas_Alias ADMINGRP = adm, oper
3350:
3351: # Host alias specification
3352: Host_Alias SPARC = bigtime, eclipse, moet, anchor :\e
3353: SGI = grolsch, dandelion, black :\e
3354: ALPHA = widget, thalamus, foobar :\e
3355: HPPA = boa, nag, python
3356: Host_Alias CUNETS = 128.138.0.0/255.255.0.0
3357: Host_Alias CSNETS = 128.138.243.0, 128.138.204.0/24, 128.138.242.0
3358: Host_Alias SERVERS = master, mail, www, ns
3359: Host_Alias CDROM = orion, perseus, hercules
3360:
3361: # Cmnd alias specification
3362: Cmnd_Alias DUMPS = /usr/bin/mt, /usr/sbin/dump, /usr/sbin/rdump,\e
3363: /usr/sbin/restore, /usr/sbin/rrestore
3364: Cmnd_Alias KILL = /usr/bin/kill
3365: Cmnd_Alias PRINTING = /usr/sbin/lpc, /usr/bin/lprm
3366: Cmnd_Alias SHUTDOWN = /usr/sbin/shutdown
3367: Cmnd_Alias HALT = /usr/sbin/halt
3368: Cmnd_Alias REBOOT = /usr/sbin/reboot
3369: Cmnd_Alias SHELLS = /usr/bin/sh, /usr/bin/csh, /usr/bin/ksh,\e
3370: /usr/local/bin/tcsh, /usr/bin/rsh,\e
3371: /usr/local/bin/zsh
3372: Cmnd_Alias SU = /usr/bin/su
3373: Cmnd_Alias PAGERS = /usr/bin/more, /usr/bin/pg, /usr/bin/less
3374: .Ed
3375: .Pp
3376: Here we override some of the compiled in default values.
3377: We want
3378: .Nm sudo
3379: to log via
3380: .Xr syslog 3
3381: using the
3382: .Em auth
3383: facility in all cases.
3384: We don't want to subject the full time staff to the
3385: .Nm sudo
3386: lecture, user
3387: .Sy millert
3388: need not give a password, and we don't want to reset the
3389: .Ev LOGNAME ,
3390: .Ev USER
3391: or
3392: .Ev USERNAME
3393: environment variables when running commands as root.
3394: Additionally, on the machines in the
3395: .Em SERVERS
3396: .Li Host_Alias ,
3397: we keep an additional local log file and make sure we log the year
3398: in each log line since the log entries will be kept around for several years.
3399: Lastly, we disable shell escapes for the commands in the PAGERS
3400: .Li Cmnd_Alias
3401: .Po
3402: .Pa /usr/bin/more ,
3403: .Pa /usr/bin/pg
3404: and
3405: .Pa /usr/bin/less
3406: .Pc .
3407: .Bd -literal
3408: # Override built-in defaults
3409: Defaults syslog=auth
3410: Defaults>root !set_logname
3411: Defaults:FULLTIMERS !lecture
3412: Defaults:millert !authenticate
3413: Defaults@SERVERS log_year, logfile=/var/log/sudo.log
3414: Defaults!PAGERS noexec
3415: .Ed
3416: .Pp
3417: The
3418: .Em User specification
3419: is the part that actually determines who may run what.
3420: .Bd -literal
3421: root ALL = (ALL) ALL
3422: %wheel ALL = (ALL) ALL
3423: .Ed
3424: .Pp
3425: We let
3426: .Sy root
3427: and any user in group
3428: .Sy wheel
3429: run any command on any host as any user.
3430: .Bd -literal
3431: FULLTIMERS ALL = NOPASSWD: ALL
3432: .Ed
3433: .Pp
3434: Full time sysadmins
3435: .Po
3436: .Sy millert ,
3437: .Sy mikef ,
3438: and
3439: .Sy dowdy
3440: .Pc
3441: may run any command on any host without authenticating themselves.
3442: .Bd -literal
3443: PARTTIMERS ALL = ALL
3444: .Ed
3445: .Pp
3446: Part time sysadmins
3447: .Sy bostley ,
3448: .Sy jwfox ,
3449: and
3450: .Sy crawl )
3451: may run any command on any host but they must authenticate themselves
3452: first (since the entry lacks the
3453: .Li NOPASSWD
3454: tag).
3455: .Bd -literal
3456: jack CSNETS = ALL
3457: .Ed
3458: .Pp
3459: The user
3460: .Sy jack
3461: may run any command on the machines in the
3462: .Em CSNETS
3463: alias (the networks
3464: .Li 128.138.243.0 ,
3465: .Li 128.138.204.0 ,
3466: and
3467: .Li 128.138.242.0 ) .
3468: Of those networks, only
3469: .Li 128.138.204.0
3470: has an explicit netmask (in CIDR notation) indicating it is a class C network.
3471: For the other networks in
3472: .Em CSNETS ,
3473: the local machine's netmask will be used during matching.
3474: .Bd -literal
3475: lisa CUNETS = ALL
3476: .Ed
3477: .Pp
3478: The user
3479: .Sy lisa
3480: may run any command on any host in the
3481: .Em CUNETS
3482: alias (the class B network
3483: .Li 128.138.0.0 ) .
3484: .Bd -literal
3485: operator ALL = DUMPS, KILL, SHUTDOWN, HALT, REBOOT, PRINTING,\e
3486: sudoedit /etc/printcap, /usr/oper/bin/
3487: .Ed
3488: .Pp
3489: The
3490: .Sy operator
3491: user may run commands limited to simple maintenance.
3492: Here, those are commands related to backups, killing processes, the
3493: printing system, shutting down the system, and any commands in the
3494: directory
3495: .Pa /usr/oper/bin/ .
3496: .Bd -literal
3497: joe ALL = /usr/bin/su operator
3498: .Ed
3499: .Pp
3500: The user
3501: .Sy joe
3502: may only
3503: .Xr su 1
3504: to operator.
3505: .Bd -literal
3506: pete HPPA = /usr/bin/passwd [A-Za-z]*, !/usr/bin/passwd root
3507:
3508: %opers ALL = (: ADMINGRP) /usr/sbin/
3509: .Ed
3510: .Pp
3511: Users in the
3512: .Sy opers
3513: group may run commands in
3514: .Pa /usr/sbin/
3515: as themselves
3516: with any group in the
3517: .Em ADMINGRP
3518: .Li Runas_Alias
3519: (the
3520: .Sy adm
3521: and
3522: .Sy oper
3523: groups).
3524: .Pp
3525: The user
3526: .Sy pete
3527: is allowed to change anyone's password except for
3528: root on the
3529: .Em HPPA
3530: machines.
3531: Note that this assumes
3532: .Xr passwd 1
3533: does not take multiple user names on the command line.
3534: .Bd -literal
3535: bob SPARC = (OP) ALL : SGI = (OP) ALL
3536: .Ed
3537: .Pp
3538: The user
3539: .Sy bob
3540: may run anything on the
3541: .Em SPARC
3542: and
3543: .Em SGI
3544: machines as any user listed in the
3545: .Em OP
3546: .Li Runas_Alias
3547: .Po
3548: .Sy root
3549: and
3550: .Sy operator .
3551: .Pc
3552: .Bd -literal
3553: jim +biglab = ALL
3554: .Ed
3555: .Pp
3556: The user
3557: .Sy jim
3558: may run any command on machines in the
3559: .Em biglab
3560: netgroup.
3561: .Nm sudo
3562: knows that
3563: .Dq biglab
3564: is a netgroup due to the
3565: .Ql +
3566: prefix.
3567: .Bd -literal
3568: +secretaries ALL = PRINTING, /usr/bin/adduser, /usr/bin/rmuser
3569: .Ed
3570: .Pp
3571: Users in the
3572: .Sy secretaries
3573: netgroup need to help manage the printers as well as add and remove users,
3574: so they are allowed to run those commands on all machines.
3575: .Bd -literal
3576: fred ALL = (DB) NOPASSWD: ALL
3577: .Ed
3578: .Pp
3579: The user
3580: .Sy fred
3581: can run commands as any user in the
3582: .Em DB
3583: .Li Runas_Alias
3584: .Po
3585: .Sy oracle
3586: or
3587: .Sy sybase
3588: .Pc
3589: without giving a password.
3590: .Bd -literal
3591: john ALPHA = /usr/bin/su [!-]*, !/usr/bin/su *root*
3592: .Ed
3593: .Pp
3594: On the
3595: .Em ALPHA
3596: machines, user
3597: .Sy john
3598: may su to anyone except root but he is not allowed to specify any options
3599: to the
3600: .Xr su 1
3601: command.
3602: .Bd -literal
3603: jen ALL, !SERVERS = ALL
3604: .Ed
3605: .Pp
3606: The user
3607: .Sy jen
3608: may run any command on any machine except for those in the
3609: .Em SERVERS
3610: .Li Host_Alias
3611: (master, mail, www and ns).
3612: .Bd -literal
3613: jill SERVERS = /usr/bin/, !SU, !SHELLS
3614: .Ed
3615: .Pp
3616: For any machine in the
3617: .Em SERVERS
3618: .Li Host_Alias ,
3619: .Sy jill
3620: may run
3621: any commands in the directory
3622: .Pa /usr/bin/
3623: except for those commands
3624: belonging to the
3625: .Em SU
3626: and
3627: .Em SHELLS
3628: .Li Cmnd_Aliases .
3629: .Bd -literal
3630: steve CSNETS = (operator) /usr/local/op_commands/
3631: .Ed
3632: .Pp
3633: The user
3634: .Sy steve
3635: may run any command in the directory /usr/local/op_commands/
3636: but only as user operator.
3637: .Bd -literal
3638: matt valkyrie = KILL
3639: .Ed
3640: .Pp
3641: On his personal workstation, valkyrie,
3642: .Sy matt
3643: needs to be able to kill hung processes.
3644: .Bd -literal
3645: WEBMASTERS www = (www) ALL, (root) /usr/bin/su www
3646: .Ed
3647: .Pp
3648: On the host www, any user in the
3649: .Em WEBMASTERS
3650: .Li User_Alias
3651: (will, wendy, and wim), may run any command as user www (which owns the
3652: web pages) or simply
3653: .Xr su 1
3654: to www.
3655: .Bd -literal
3656: ALL CDROM = NOPASSWD: /sbin/umount /CDROM,\e
3657: /sbin/mount -o nosuid\,nodev /dev/cd0a /CDROM
3658: .Ed
3659: .Pp
3660: Any user may mount or unmount a CD-ROM on the machines in the CDROM
3661: .Li Host_Alias
3662: (orion, perseus, hercules) without entering a password.
3663: This is a bit tedious for users to type, so it is a prime candidate
3664: for encapsulating in a shell script.
3665: .Sh SECURITY NOTES
3666: .Ss Limitations of the So !\& Sc operator
3667: It is generally not effective to
3668: .Dq subtract
3669: commands from
3670: .Sy ALL
3671: using the
3672: .Ql !\&
3673: operator.
3674: A user can trivially circumvent this by copying the desired command
3675: to a different name and then executing that.
3676: For example:
3677: .Bd -literal
3678: bill ALL = ALL, !SU, !SHELLS
3679: .Ed
3680: .Pp
3681: Doesn't really prevent
3682: .Sy bill
3683: from running the commands listed in
3684: .Em SU
3685: or
3686: .Em SHELLS
3687: since he can simply copy those commands to a different name, or use
3688: a shell escape from an editor or other program.
3689: Therefore, these kind of restrictions should be considered
3690: advisory at best (and reinforced by policy).
3691: .Pp
3692: In general, if a user has sudo
3693: .Sy ALL
3694: there is nothing to prevent them from creating their own program that gives
3695: them a root shell (or making their own copy of a shell) regardless of any
3696: .Ql !\&
3697: elements in the user specification.
3698: .Ss Security implications of Em fast_glob
3699: If the
3700: .Em fast_glob
3701: option is in use, it is not possible to reliably negate commands where the
3702: path name includes globbing (aka wildcard) characters.
3703: This is because the C library's
3704: .Xr fnmatch 3
3705: function cannot resolve relative paths.
3706: While this is typically only an inconvenience for rules that grant privileges,
3707: it can result in a security issue for rules that subtract or revoke privileges.
3708: .Pp
3709: For example, given the following
3710: .Em sudoers
3711: entry:
3712: .Bd -literal
3713: john ALL = /usr/bin/passwd [a-zA-Z0-9]*, /usr/bin/chsh [a-zA-Z0-9]*,\e
3714: /usr/bin/chfn [a-zA-Z0-9]*, !/usr/bin/* root
3715: .Ed
3716: .Pp
3717: User
3718: .Sy john
3719: can still run
3720: .Li /usr/bin/passwd root
3721: if
3722: .Em fast_glob
3723: is enabled by changing to
3724: .Pa /usr/bin
3725: and running
3726: .Li ./passwd root
3727: instead.
3728: .Ss Preventing shell escapes
3729: Once
3730: .Nm sudo
3731: executes a program, that program is free to do whatever
3732: it pleases, including run other programs.
3733: This can be a security issue since it is not uncommon for a program to
3734: allow shell escapes, which lets a user bypass
3735: .Nm sudo Ns No 's
3736: access control and logging.
3737: Common programs that permit shell escapes include shells (obviously),
3738: editors, paginators, mail and terminal programs.
3739: .Pp
3740: There are two basic approaches to this problem:
3741: .Bl -tag -width 8n
3742: .It restrict
3743: Avoid giving users access to commands that allow the user to run
3744: arbitrary commands.
3745: Many editors have a restricted mode where shell
3746: escapes are disabled, though
3747: .Nm sudoedit
3748: is a better solution to
3749: running editors via
3750: .Nm sudo .
3751: Due to the large number of programs that
3752: offer shell escapes, restricting users to the set of programs that
3753: do not is often unworkable.
3754: .It noexec
3755: Many systems that support shared libraries have the ability to
3756: override default library functions by pointing an environment
3757: variable (usually
3758: .Ev LD_PRELOAD )
3759: to an alternate shared library.
3760: On such systems,
3761: .Nm sudo Ns No 's
3762: .Em noexec
3763: functionality can be used to prevent a program run by
3764: .Nm sudo
3765: from executing any other programs.
3766: Note, however, that this applies only to native dynamically-linked
3767: executables.
3768: Statically-linked executables and foreign executables
3769: running under binary emulation are not affected.
3770: .Pp
3771: The
3772: .Em noexec
3773: feature is known to work on SunOS, Solaris, *BSD,
3774: Linux, IRIX, Tru64 UNIX, MacOS X, HP-UX 11.x and AIX 5.3 and above.
3775: It should be supported on most operating systems that support the
3776: .Ev LD_PRELOAD
3777: environment variable.
3778: Check your operating system's manual pages for the dynamic linker
3779: (usually ld.so, ld.so.1, dyld, dld.sl, rld, or loader) to see if
3780: .Ev LD_PRELOAD
3781: is supported.
3782: .Pp
3783: On Solaris 10 and higher,
3784: .Em noexec
3785: uses Solaris privileges instead of the
3786: .Ev LD_PRELOAD
3787: environment variable.
3788: .Pp
3789: To enable
3790: .Em noexec
3791: for a command, use the
3792: .Li NOEXEC
3793: tag as documented
3794: in the User Specification section above.
3795: Here is that example again:
3796: .Bd -literal
3797: aaron shanty = NOEXEC: /usr/bin/more, /usr/bin/vi
3798: .Ed
3799: .Pp
3800: This allows user
3801: .Sy aaron
3802: to run
3803: .Pa /usr/bin/more
3804: and
3805: .Pa /usr/bin/vi
3806: with
3807: .Em noexec
3808: enabled.
3809: This will prevent those two commands from
3810: executing other commands (such as a shell).
3811: If you are unsure whether or not your system is capable of supporting
3812: .Em noexec
3813: you can always just try it out and check whether shell escapes work when
3814: .Em noexec
3815: is enabled.
3816: .El
3817: .Pp
3818: Note that restricting shell escapes is not a panacea.
3819: Programs running as root are still capable of many potentially hazardous
3820: operations (such as changing or overwriting files) that could lead
3821: to unintended privilege escalation.
3822: In the specific case of an editor, a safer approach is to give the
3823: user permission to run
3824: .Nm sudoedit .
3825: .Ss Time stamp file checks
3826: .Em sudoers
3827: will check the ownership of its time stamp directory
3828: .Po
3829: .Pa @timedir@
3830: by default
3831: .Pc
3832: and ignore the directory's contents if it is not owned by root or
3833: if it is writable by a user other than root.
3834: On systems that allow non-root users to give away files via
3835: .Xr chown 2 ,
3836: if the time stamp directory is located in a world-writable
3837: directory (e.g.\&,
3838: .Pa /tmp ) ,
3839: it is possible for a user to create the time stamp directory before
3840: .Nm sudo
3841: is run.
3842: However, because
3843: .Em sudoers
3844: checks the ownership and mode of the directory and its
3845: contents, the only damage that can be done is to
3846: .Dq hide
3847: files by putting them in the time stamp dir.
3848: This is unlikely to happen since once the time stamp dir is owned by root
3849: and inaccessible by any other user, the user placing files there would be
3850: unable to get them back out.
3851: .Pp
3852: .Em sudoers
3853: will not honor time stamps set far in the future.
3854: Time stamps with a date greater than current_time + 2 *
3855: .Li TIMEOUT
3856: will be ignored and sudo will log and complain.
3857: This is done to keep a user from creating his/her own time stamp with a
3858: bogus date on systems that allow users to give away files if the time
3859: stamp directory is located in a world-writable directory.
3860: .Pp
3861: On systems where the boot time is available,
3862: .Em sudoers
3863: will ignore time stamps that date from before the machine booted.
3864: .Pp
3865: Since time stamp files live in the file system, they can outlive a
3866: user's login session.
3867: As a result, a user may be able to login, run a command with
3868: .Nm sudo
3869: after authenticating, logout, login again, and run
3870: .Nm sudo
3871: without authenticating so long as the time stamp file's modification
3872: time is within
3873: .Li @timeout@
3874: minutes (or whatever the timeout is set to in
3875: .Em sudoers ) .
3876: When the
3877: .Em tty_tickets
3878: option is enabled, the time stamp has per-tty granularity but still
3879: may outlive the user's session.
3880: On Linux systems where the devpts filesystem is used, Solaris systems
3881: with the devices filesystem, as well as other systems that utilize a
3882: devfs filesystem that monotonically increase the inode number of devices
3883: as they are created (such as Mac OS X),
3884: .Em sudoers
3885: is able to determine when a tty-based time stamp file is stale and will
3886: ignore it.
3887: Administrators should not rely on this feature as it is not universally
3888: available.
3889: .Sh SEE ALSO
3890: .Xr ssh 1 ,
3891: .Xr su 1 ,
3892: .Xr fnmatch 3 ,
3893: .Xr glob 3 ,
3894: .Xr mktemp 3 ,
3895: .Xr strftime 3 ,
3896: .Xr sudoers.ldap @mansectform@ ,
3897: .Xr sudo_plugin @mansectsu@ ,
3898: .Xr sudo @mansectsu@ ,
3899: .Xr visudo @mansectsu@
3900: .Sh CAVEATS
3901: The
3902: .Em sudoers
3903: file should
3904: .Sy always
3905: be edited by the
3906: .Nm visudo
3907: command which locks the file and does grammatical checking.
3908: It is
3909: imperative that
3910: .Em sudoers
3911: be free of syntax errors since
3912: .Nm sudo
3913: will not run with a syntactically incorrect
3914: .Em sudoers
3915: file.
3916: .Pp
3917: When using netgroups of machines (as opposed to users), if you
3918: store fully qualified host name in the netgroup (as is usually the
3919: case), you either need to have the machine's host name be fully qualified
3920: as returned by the
3921: .Li hostname
3922: command or use the
3923: .Em fqdn
3924: option in
3925: .Em sudoers .
3926: .Sh BUGS
3927: If you feel you have found a bug in
3928: .Nm sudo ,
3929: please submit a bug report at http://www.sudo.ws/sudo/bugs/
3930: .Sh SUPPORT
3931: Limited free support is available via the sudo-users mailing list,
3932: see http://www.sudo.ws/mailman/listinfo/sudo-users to subscribe or
3933: search the archives.
3934: .Sh DISCLAIMER
3935: .Nm sudo
3936: is provided
3937: .Dq AS IS
3938: and any express or implied warranties, including, but not limited
3939: to, the implied warranties of merchantability and fitness for a
3940: particular purpose are disclaimed.
3941: See the LICENSE file distributed with
3942: .Nm sudo
3943: or http://www.sudo.ws/sudo/license.html for complete details.
FreeBSD-CVSweb <freebsd-cvsweb@FreeBSD.org>
![[BACK]](/icons/cvsweb/back.gif){kind=icon}
Return to sudoers.mdoc.in CVS log ![[TXT]](/icons/cvsweb/text.gif){kind=icon}
![[DIR]](/icons/cvsweb/dir.gif){kind=icon}
Up to [ELWIX - Embedded LightWeight unIX -] / embedaddon / sudo / doc