Annotation of embedaddon/sudo/doc/sudoers.pod, revision 1.1
1.1 ! misho 1: Copyright (c) 1994-1996, 1998-2005, 2007-2011
! 2: Todd C. Miller <Todd.Miller@courtesan.com>
! 3:
! 4: Permission to use, copy, modify, and distribute this software for any
! 5: purpose with or without fee is hereby granted, provided that the above
! 6: copyright notice and this permission notice appear in all copies.
! 7:
! 8: THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
! 9: WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
! 10: MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
! 11: ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
! 12: WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
! 13: ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
! 14: OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
! 15: ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
! 16:
! 17: Sponsored in part by the Defense Advanced Research Projects
! 18: Agency (DARPA) and Air Force Research Laboratory, Air Force
! 19: Materiel Command, USAF, under agreement number F39502-99-1-0512.
! 20:
! 21: =pod
! 22:
! 23: =head1 NAME
! 24:
! 25: sudoers - default sudo security policy module
! 26:
! 27: =head1 DESCRIPTION
! 28:
! 29: The I<sudoers> policy module determines a user's B<sudo> privileges.
! 30: It is the default B<sudo> policy plugin. The policy is driven by
! 31: the F<@sysconfdir@/sudoers> file or, optionally in LDAP. The policy
! 32: format is described in detail in the L<"SUDOERS FILE FORMAT">
! 33: section. For information on storing I<sudoers> policy information
! 34: in LDAP, please see L<sudoers.ldap(5)>.
! 35:
! 36: =head2 Authentication and Logging
! 37:
! 38: The I<sudoers> security policy requires that most users authenticate
! 39: themselves before they can use B<sudo>. A password is not required
! 40: if the invoking user is root, if the target user is the same as the
! 41: invoking user, or if the policy has disabled authentication for the
! 42: user or command. Unlike L<su(1)>, when I<sudoers> requires
! 43: authentication, it validates the invoking user's credentials, not
! 44: the target user's (or root's) credentials. This can be changed via
! 45: the I<rootpw>, I<targetpw> and I<runaspw> flags, described later.
! 46:
! 47: If a user who is not listed in the policy tries to run a command
! 48: via B<sudo>, mail is sent to the proper authorities. The address
! 49: used for such mail is configurable via the I<mailto> Defaults entry
! 50: (described later) and defaults to C<@mailto@>.
! 51:
! 52: Note that mail will not be sent if an unauthorized user tries to
! 53: run B<sudo> with the B<-l> or B<-v> option. This allows users to
! 54: determine for themselves whether or not they are allowed to use
! 55: B<sudo>.
! 56:
! 57: If B<sudo> is run by root and the C<SUDO_USER> environment variable
! 58: is set, the I<sudoers> policy will use this value to determine who
! 59: the actual user is. This can be used by a user to log commands
! 60: through sudo even when a root shell has been invoked. It also
! 61: allows the B<-e> option to remain useful even when invoked via a
! 62: sudo-run script or program. Note, however, that the I<sudoers>
! 63: lookup is still done for root, not the user specified by C<SUDO_USER>.
! 64:
! 65: I<sudoers> uses time stamp files for credential caching. Once a
! 66: user has been authenticated, a time stamp is updated and the user
! 67: may then use sudo without a password for a short period of time
! 68: (C<@timeout@> minutes unless overridden by the I<timeout> option.
! 69: By default, I<sudoers> uses a tty-based time stamp which means that
! 70: there is a separate time stamp for each of a user's login sessions.
! 71: The I<tty_tickets> option can be disabled to force the use of a
! 72: single time stamp for all of a user's sessions.
! 73:
! 74: I<sudoers> can log both successful and unsuccessful attempts (as well
! 75: as errors) to syslog(3), a log file, or both. By default, I<sudoers>
! 76: will log via syslog(3) but this is changeable via the I<syslog>
! 77: and I<logfile> Defaults settings.
! 78:
! 79: I<sudoers> also supports logging a command's input and output
! 80: streams. I/O logging is not on by default but can be enabled using
! 81: the I<log_input> and I<log_output> Defaults flags as well as the
! 82: C<LOG_INPUT> and C<LOG_OUTPUT> command tags.
! 83:
! 84: =head2 Command Environment
! 85:
! 86: Since environment variables can influence program behavior, I<sudoers>
! 87: provides a means to restrict which variables from the user's
! 88: environment are inherited by the command to be run. There are two
! 89: distinct ways I<sudoers> can deal with environment variables.
! 90:
! 91: By default, the I<env_reset> option is enabled. This causes commands
! 92: to be executed with a minimal environment containing C<TERM>,
! 93: C<PATH>, C<HOME>, C<MAIL>, C<SHELL>, C<LOGNAME>, C<USER> and C<USERNAME> in
! 94: addition to variables from the invoking process permitted by the
! 95: I<env_check> and I<env_keep> options. This is effectively a whitelist
! 96: for environment variables.
! 97:
! 98: If, however, the I<env_reset> option is disabled, any variables not
! 99: explicitly denied by the I<env_check> and I<env_delete> options are
! 100: inherited from the invoking process. In this case, I<env_check>
! 101: and I<env_delete> behave like a blacklist. Since it is not possible
! 102: to blacklist all potentially dangerous environment variables, use
! 103: of the default I<env_reset> behavior is encouraged.
! 104:
! 105: In all cases, environment variables with a value beginning with
! 106: C<()> are removed as they could be interpreted as B<bash> functions.
! 107: The list of environment variables that B<sudo> allows or denies is
! 108: contained in the output of C<sudo -V> when run as root.
! 109:
! 110: Note that the dynamic linker on most operating systems will remove
! 111: variables that can control dynamic linking from the environment of
! 112: setuid executables, including B<sudo>. Depending on the operating
! 113: system this may include C<_RLD*>, C<DYLD_*>, C<LD_*>, C<LDR_*>,
! 114: C<LIBPATH>, C<SHLIB_PATH>, and others. These type of variables are
! 115: removed from the environment before B<sudo> even begins execution
! 116: and, as such, it is not possible for B<sudo> to preserve them.
! 117:
! 118: As a special case, if B<sudo>'s B<-i> option (initial login) is
! 119: specified, I<sudoers> will initialize the environment regardless
! 120: of the value of I<env_reset>. The I<DISPLAY>, I<PATH> and I<TERM>
! 121: variables remain unchanged; I<HOME>, I<MAIL>, I<SHELL>, I<USER>,
! 122: and I<LOGNAME> are set based on the target user. On Linux and AIX
! 123: systems the contents of F</etc/environment> are also included. All
! 124: other environment variables are removed.
! 125:
! 126: =head1 SUDOERS FILE FORMAT
! 127:
! 128: The I<sudoers> file is composed of two types of entries: aliases
! 129: (basically variables) and user specifications (which specify who
! 130: may run what).
! 131:
! 132: When multiple entries match for a user, they are applied in order.
! 133: Where there are multiple matches, the last match is used (which is
! 134: not necessarily the most specific match).
! 135:
! 136: The I<sudoers> grammar will be described below in Extended Backus-Naur
! 137: Form (EBNF). Don't despair if you don't know what EBNF is; it is
! 138: fairly simple, and the definitions below are annotated.
! 139:
! 140: =head2 Quick guide to EBNF
! 141:
! 142: EBNF is a concise and exact way of describing the grammar of a language.
! 143: Each EBNF definition is made up of I<production rules>. E.g.,
! 144:
! 145: symbol ::= definition | alternate1 | alternate2 ...
! 146:
! 147: Each I<production rule> references others and thus makes up a
! 148: grammar for the language. EBNF also contains the following
! 149: operators, which many readers will recognize from regular
! 150: expressions. Do not, however, confuse them with "wildcard"
! 151: characters, which have different meanings.
! 152:
! 153: =over 4
! 154:
! 155: =item C<?>
! 156:
! 157: Means that the preceding symbol (or group of symbols) is optional.
! 158: That is, it may appear once or not at all.
! 159:
! 160: =item C<*>
! 161:
! 162: Means that the preceding symbol (or group of symbols) may appear
! 163: zero or more times.
! 164:
! 165: =item C<+>
! 166:
! 167: Means that the preceding symbol (or group of symbols) may appear
! 168: one or more times.
! 169:
! 170: =back
! 171:
! 172: Parentheses may be used to group symbols together. For clarity,
! 173: we will use single quotes ('') to designate what is a verbatim character
! 174: string (as opposed to a symbol name).
! 175:
! 176: =head2 Aliases
! 177:
! 178: There are four kinds of aliases: C<User_Alias>, C<Runas_Alias>,
! 179: C<Host_Alias> and C<Cmnd_Alias>.
! 180:
! 181: Alias ::= 'User_Alias' User_Alias (':' User_Alias)* |
! 182: 'Runas_Alias' Runas_Alias (':' Runas_Alias)* |
! 183: 'Host_Alias' Host_Alias (':' Host_Alias)* |
! 184: 'Cmnd_Alias' Cmnd_Alias (':' Cmnd_Alias)*
! 185:
! 186: User_Alias ::= NAME '=' User_List
! 187:
! 188: Runas_Alias ::= NAME '=' Runas_List
! 189:
! 190: Host_Alias ::= NAME '=' Host_List
! 191:
! 192: Cmnd_Alias ::= NAME '=' Cmnd_List
! 193:
! 194: NAME ::= [A-Z]([A-Z][0-9]_)*
! 195:
! 196: Each I<alias> definition is of the form
! 197:
! 198: Alias_Type NAME = item1, item2, ...
! 199:
! 200: where I<Alias_Type> is one of C<User_Alias>, C<Runas_Alias>, C<Host_Alias>,
! 201: or C<Cmnd_Alias>. A C<NAME> is a string of uppercase letters, numbers,
! 202: and underscore characters ('_'). A C<NAME> B<must> start with an
! 203: uppercase letter. It is possible to put several alias definitions
! 204: of the same type on a single line, joined by a colon (':'). E.g.,
! 205:
! 206: Alias_Type NAME = item1, item2, item3 : NAME = item4, item5
! 207:
! 208: The definitions of what constitutes a valid I<alias> member follow.
! 209:
! 210: User_List ::= User |
! 211: User ',' User_List
! 212:
! 213: User ::= '!'* user name |
! 214: '!'* #uid |
! 215: '!'* %group |
! 216: '!'* %#gid |
! 217: '!'* +netgroup |
! 218: '!'* %:nonunix_group |
! 219: '!'* %:#nonunix_gid |
! 220: '!'* User_Alias
! 221:
! 222: A C<User_List> is made up of one or more user names, user ids
! 223: (prefixed with '#'), system group names and ids (prefixed with '%'
! 224: and '%#' respectively), netgroups (prefixed with '+'), non-Unix
! 225: group names and IDs (prefixed with '%:' and '%:#' respectively) and
! 226: C<User_Alias>es. Each list item may be prefixed with zero or more
! 227: '!' operators. An odd number of '!' operators negate the value of
! 228: the item; an even number just cancel each other out.
! 229:
! 230: A C<user name>, C<uid>, C<group>, C<gid>, C<netgroup>, C<nonunix_group>
! 231: or C<nonunix_gid> may be enclosed in double quotes to avoid the
! 232: need for escaping special characters. Alternately, special characters
! 233: may be specified in escaped hex mode, e.g. \x20 for space. When
! 234: using double quotes, any prefix characters must be included inside
! 235: the quotes.
! 236:
! 237: The actual C<nonunix_group> and C<nonunix_gid> syntax depends on
! 238: the underlying group provider plugin (see the I<group_plugin>
! 239: description below). For instance, the QAS AD plugin supports the
! 240: following formats:
! 241:
! 242: =over 4
! 243:
! 244: =item *
! 245:
! 246: Group in the same domain: "Group Name"
! 247:
! 248: =item *
! 249:
! 250: Group in any domain: "Group Name@FULLY.QUALIFIED.DOMAIN"
! 251:
! 252: =item *
! 253:
! 254: Group SID: "S-1-2-34-5678901234-5678901234-5678901234-567"
! 255:
! 256: =back
! 257:
! 258: Note that quotes around group names are optional. Unquoted strings
! 259: must use a backslash (\) to escape spaces and special characters.
! 260: See L<"Other special characters and reserved words"> for a list of
! 261: characters that need to be escaped.
! 262:
! 263: Runas_List ::= Runas_Member |
! 264: Runas_Member ',' Runas_List
! 265:
! 266: Runas_Member ::= '!'* user name |
! 267: '!'* #uid |
! 268: '!'* %group |
! 269: '!'* %#gid |
! 270: '!'* %:nonunix_group |
! 271: '!'* %:#nonunix_gid |
! 272: '!'* +netgroup |
! 273: '!'* Runas_Alias
! 274:
! 275: A C<Runas_List> is similar to a C<User_List> except that instead
! 276: of C<User_Alias>es it can contain C<Runas_Alias>es. Note that
! 277: user names and groups are matched as strings. In other words, two
! 278: users (groups) with the same uid (gid) are considered to be distinct.
! 279: If you wish to match all user names with the same uid (e.g.E<nbsp>root
! 280: and toor), you can use a uid instead (#0 in the example given).
! 281:
! 282: Host_List ::= Host |
! 283: Host ',' Host_List
! 284:
! 285: Host ::= '!'* host name |
! 286: '!'* ip_addr |
! 287: '!'* network(/netmask)? |
! 288: '!'* +netgroup |
! 289: '!'* Host_Alias
! 290:
! 291: A C<Host_List> is made up of one or more host names, IP addresses,
! 292: network numbers, netgroups (prefixed with '+') and other aliases.
! 293: Again, the value of an item may be negated with the '!' operator.
! 294: If you do not specify a netmask along with the network number,
! 295: B<sudo> will query each of the local host's network interfaces and,
! 296: if the network number corresponds to one of the hosts's network
! 297: interfaces, the corresponding netmask will be used. The netmask
! 298: may be specified either in standard IP address notation
! 299: (e.g.E<nbsp>255.255.255.0 or ffff:ffff:ffff:ffff::),
! 300: or CIDR notation (number of bits, e.g.E<nbsp>24 or 64). A host name may
! 301: include shell-style wildcards (see the L<Wildcards> section below),
! 302: but unless the C<host name> command on your machine returns the fully
! 303: qualified host name, you'll need to use the I<fqdn> option for
! 304: wildcards to be useful. Note B<sudo> only inspects actual network
! 305: interfaces; this means that IP address 127.0.0.1 (localhost) will
! 306: never match. Also, the host name "localhost" will only match if
! 307: that is the actual host name, which is usually only the case for
! 308: non-networked systems.
! 309:
! 310: Cmnd_List ::= Cmnd |
! 311: Cmnd ',' Cmnd_List
! 312:
! 313: commandname ::= file name |
! 314: file name args |
! 315: file name '""'
! 316:
! 317: Cmnd ::= '!'* commandname |
! 318: '!'* directory |
! 319: '!'* "sudoedit" |
! 320: '!'* Cmnd_Alias
! 321:
! 322: A C<Cmnd_List> is a list of one or more commandnames, directories, and other
! 323: aliases. A commandname is a fully qualified file name which may include
! 324: shell-style wildcards (see the L<Wildcards> section below). A simple
! 325: file name allows the user to run the command with any arguments he/she
! 326: wishes. However, you may also specify command line arguments (including
! 327: wildcards). Alternately, you can specify C<""> to indicate that the command
! 328: may only be run B<without> command line arguments. A directory is a
! 329: fully qualified path name ending in a '/'. When you specify a directory
! 330: in a C<Cmnd_List>, the user will be able to run any file within that directory
! 331: (but not in any subdirectories therein).
! 332:
! 333: If a C<Cmnd> has associated command line arguments, then the arguments
! 334: in the C<Cmnd> must match exactly those given by the user on the command line
! 335: (or match the wildcards if there are any). Note that the following
! 336: characters must be escaped with a '\' if they are used in command
! 337: arguments: ',', ':', '=', '\'. The special command C<"sudoedit">
! 338: is used to permit a user to run B<sudo> with the B<-e> option (or
! 339: as B<sudoedit>). It may take command line arguments just as
! 340: a normal command does.
! 341:
! 342: =head2 Defaults
! 343:
! 344: Certain configuration options may be changed from their default
! 345: values at runtime via one or more C<Default_Entry> lines. These
! 346: may affect all users on any host, all users on a specific host, a
! 347: specific user, a specific command, or commands being run as a specific user.
! 348: Note that per-command entries may not include command line arguments.
! 349: If you need to specify arguments, define a C<Cmnd_Alias> and reference
! 350: that instead.
! 351:
! 352: Default_Type ::= 'Defaults' |
! 353: 'Defaults' '@' Host_List |
! 354: 'Defaults' ':' User_List |
! 355: 'Defaults' '!' Cmnd_List |
! 356: 'Defaults' '>' Runas_List
! 357:
! 358: Default_Entry ::= Default_Type Parameter_List
! 359:
! 360: Parameter_List ::= Parameter |
! 361: Parameter ',' Parameter_List
! 362:
! 363: Parameter ::= Parameter '=' Value |
! 364: Parameter '+=' Value |
! 365: Parameter '-=' Value |
! 366: '!'* Parameter
! 367:
! 368: Parameters may be B<flags>, B<integer> values, B<strings>, or B<lists>.
! 369: Flags are implicitly boolean and can be turned off via the '!'
! 370: operator. Some integer, string and list parameters may also be
! 371: used in a boolean context to disable them. Values may be enclosed
! 372: in double quotes (C<">) when they contain multiple words. Special
! 373: characters may be escaped with a backslash (C<\>).
! 374:
! 375: Lists have two additional assignment operators, C<+=> and C<-=>.
! 376: These operators are used to add to and delete from a list respectively.
! 377: It is not an error to use the C<-=> operator to remove an element
! 378: that does not exist in a list.
! 379:
! 380: Defaults entries are parsed in the following order: generic, host
! 381: and user Defaults first, then runas Defaults and finally command
! 382: defaults.
! 383:
! 384: See L<"SUDOERS OPTIONS"> for a list of supported Defaults parameters.
! 385:
! 386: =head2 User Specification
! 387:
! 388: User_Spec ::= User_List Host_List '=' Cmnd_Spec_List \
! 389: (':' Host_List '=' Cmnd_Spec_List)*
! 390:
! 391: Cmnd_Spec_List ::= Cmnd_Spec |
! 392: Cmnd_Spec ',' Cmnd_Spec_List
! 393:
! 394: Cmnd_Spec ::= Runas_Spec? SELinux_Spec? Tag_Spec* Cmnd
! 395:
! 396: Runas_Spec ::= '(' Runas_List? (':' Runas_List)? ')'
! 397:
! 398: SELinux_Spec ::= ('ROLE=role' | 'TYPE=type')
! 399:
! 400: Tag_Spec ::= ('NOPASSWD:' | 'PASSWD:' | 'NOEXEC:' | 'EXEC:' |
! 401: 'SETENV:' | 'NOSETENV:' | 'LOG_INPUT:' | 'NOLOG_INPUT:' |
! 402: 'LOG_OUTPUT:' | 'NOLOG_OUTPUT:')
! 403:
! 404: A B<user specification> determines which commands a user may run
! 405: (and as what user) on specified hosts. By default, commands are
! 406: run as B<root>, but this can be changed on a per-command basis.
! 407:
! 408: The basic structure of a user specification is `who where = (as_whom)
! 409: what'. Let's break that down into its constituent parts:
! 410:
! 411: =head2 Runas_Spec
! 412:
! 413: A C<Runas_Spec> determines the user and/or the group that a command
! 414: may be run as. A fully-specified C<Runas_Spec> consists of two
! 415: C<Runas_List>s (as defined above) separated by a colon (':') and
! 416: enclosed in a set of parentheses. The first C<Runas_List> indicates
! 417: which users the command may be run as via B<sudo>'s B<-u> option.
! 418: The second defines a list of groups that can be specified via
! 419: B<sudo>'s B<-g> option. If both C<Runas_List>s are specified, the
! 420: command may be run with any combination of users and groups listed
! 421: in their respective C<Runas_List>s. If only the first is specified,
! 422: the command may be run as any user in the list but no B<-g> option
! 423: may be specified. If the first C<Runas_List> is empty but the
! 424: second is specified, the command may be run as the invoking user
! 425: with the group set to any listed in the C<Runas_List>. If no
! 426: C<Runas_Spec> is specified the command may be run as B<root> and
! 427: no group may be specified.
! 428:
! 429: A C<Runas_Spec> sets the default for the commands that follow it.
! 430: What this means is that for the entry:
! 431:
! 432: dgb boulder = (operator) /bin/ls, /bin/kill, /usr/bin/lprm
! 433:
! 434: The user B<dgb> may run F</bin/ls>, F</bin/kill>, and
! 435: F</usr/bin/lprm> -- but only as B<operator>. E.g.,
! 436:
! 437: $ sudo -u operator /bin/ls
! 438:
! 439: It is also possible to override a C<Runas_Spec> later on in an
! 440: entry. If we modify the entry like so:
! 441:
! 442: dgb boulder = (operator) /bin/ls, (root) /bin/kill, /usr/bin/lprm
! 443:
! 444: Then user B<dgb> is now allowed to run F</bin/ls> as B<operator>,
! 445: but F</bin/kill> and F</usr/bin/lprm> as B<root>.
! 446:
! 447: We can extend this to allow B<dgb> to run C</bin/ls> with either
! 448: the user or group set to B<operator>:
! 449:
! 450: dgb boulder = (operator : operator) /bin/ls, (root) /bin/kill, \
! 451: /usr/bin/lprm
! 452:
! 453: Note that while the group portion of the C<Runas_Spec> permits the
! 454: user to run as command with that group, it does not force the user
! 455: to do so. If no group is specified on the command line, the command
! 456: will run with the group listed in the target user's password database
! 457: entry. The following would all be permitted by the sudoers entry above:
! 458:
! 459: $ sudo -u operator /bin/ls
! 460: $ sudo -u operator -g operator /bin/ls
! 461: $ sudo -g operator /bin/ls
! 462:
! 463: In the following example, user B<tcm> may run commands that access
! 464: a modem device file with the dialer group.
! 465:
! 466: tcm boulder = (:dialer) /usr/bin/tip, /usr/bin/cu, \
! 467: /usr/local/bin/minicom
! 468:
! 469: Note that in this example only the group will be set, the command
! 470: still runs as user B<tcm>. E.g.
! 471:
! 472: $ sudo -g dialer /usr/bin/cu
! 473:
! 474: Multiple users and groups may be present in a C<Runas_Spec>, in
! 475: which case the user may select any combination of users and groups
! 476: via the B<-u> and B<-g> options. In this example:
! 477:
! 478: alan ALL = (root, bin : operator, system) ALL
! 479:
! 480: user B<alan> may run any command as either user root or bin,
! 481: optionally setting the group to operator or system.
! 482:
! 483: =head2 SELinux_Spec
! 484:
! 485: On systems with SELinux support, I<sudoers> entries may optionally have
! 486: an SELinux role and/or type associated with a command. If a role or
! 487: type is specified with the command it will override any default values
! 488: specified in I<sudoers>. A role or type specified on the command line,
! 489: however, will supercede the values in I<sudoers>.
! 490:
! 491: =head2 Tag_Spec
! 492:
! 493: A command may have zero or more tags associated with it. There are
! 494: eight possible tag values, C<NOPASSWD>, C<PASSWD>, C<NOEXEC>,
! 495: C<EXEC>, C<SETENV>, C<NOSETENV>, C<LOG_INPUT>, C<NOLOG_INPUT>,
! 496: C<LOG_OUTPUT> and C<NOLOG_OUTPUT>. Once a tag is set on a C<Cmnd>,
! 497: subsequent C<Cmnd>s in the C<Cmnd_Spec_List>, inherit the tag unless
! 498: it is overridden by the opposite tag (i.e.: C<PASSWD> overrides
! 499: C<NOPASSWD> and C<NOEXEC> overrides C<EXEC>).
! 500:
! 501: =head3 NOPASSWD and PASSWD
! 502:
! 503: By default, B<sudo> requires that a user authenticate him or herself
! 504: before running a command. This behavior can be modified via the
! 505: C<NOPASSWD> tag. Like a C<Runas_Spec>, the C<NOPASSWD> tag sets
! 506: a default for the commands that follow it in the C<Cmnd_Spec_List>.
! 507: Conversely, the C<PASSWD> tag can be used to reverse things.
! 508: For example:
! 509:
! 510: ray rushmore = NOPASSWD: /bin/kill, /bin/ls, /usr/bin/lprm
! 511:
! 512: would allow the user B<ray> to run F</bin/kill>, F</bin/ls>, and
! 513: F</usr/bin/lprm> as B<root> on the machine rushmore without
! 514: authenticating himself. If we only want B<ray> to be able to
! 515: run F</bin/kill> without a password the entry would be:
! 516:
! 517: ray rushmore = NOPASSWD: /bin/kill, PASSWD: /bin/ls, /usr/bin/lprm
! 518:
! 519: Note, however, that the C<PASSWD> tag has no effect on users who are
! 520: in the group specified by the I<exempt_group> option.
! 521:
! 522: By default, if the C<NOPASSWD> tag is applied to any of the entries
! 523: for a user on the current host, he or she will be able to run
! 524: C<sudo -l> without a password. Additionally, a user may only run
! 525: C<sudo -v> without a password if the C<NOPASSWD> tag is present
! 526: for all a user's entries that pertain to the current host.
! 527: This behavior may be overridden via the verifypw and listpw options.
! 528:
! 529: =head3 NOEXEC and EXEC
! 530:
! 531: If B<sudo> has been compiled with I<noexec> support and the underlying
! 532: operating system supports it, the C<NOEXEC> tag can be used to prevent
! 533: a dynamically-linked executable from running further commands itself.
! 534:
! 535: In the following example, user B<aaron> may run F</usr/bin/more>
! 536: and F</usr/bin/vi> but shell escapes will be disabled.
! 537:
! 538: aaron shanty = NOEXEC: /usr/bin/more, /usr/bin/vi
! 539:
! 540: See the L<PREVENTING SHELL ESCAPES> section below for more details
! 541: on how C<NOEXEC> works and whether or not it will work on your system.
! 542:
! 543: =head3 SETENV and NOSETENV
! 544:
! 545: These tags override the value of the I<setenv> option on a per-command
! 546: basis. Note that if C<SETENV> has been set for a command, the user
! 547: may disable the I<env_reset> option from the command line via the
! 548: B<-E> option. Additionally, environment variables set on the command
! 549: line are not subject to the restrictions imposed by I<env_check>,
! 550: I<env_delete>, or I<env_keep>. As such, only trusted users should
! 551: be allowed to set variables in this manner. If the command matched
! 552: is B<ALL>, the C<SETENV> tag is implied for that command; this
! 553: default may be overridden by use of the C<NOSETENV> tag.
! 554:
! 555: =head3 LOG_INPUT and NOLOG_INPUT
! 556:
! 557: These tags override the value of the I<log_input> option on a
! 558: per-command basis. For more information, see the description of
! 559: I<log_input> in the L<"SUDOERS OPTIONS"> section below.
! 560:
! 561: =head3 LOG_OUTPUT and NOLOG_OUTPUT
! 562:
! 563: These tags override the value of the I<log_output> option on a
! 564: per-command basis. For more information, see the description of
! 565: I<log_output> in the L<"SUDOERS OPTIONS"> section below.
! 566:
! 567: =head2 Wildcards
! 568:
! 569: B<sudo> allows shell-style I<wildcards> (aka meta or glob characters)
! 570: to be used in host names, path names and command line arguments in
! 571: the I<sudoers> file. Wildcard matching is done via the B<POSIX>
! 572: L<glob(3)> and L<fnmatch(3)> routines. Note that these are I<not>
! 573: regular expressions.
! 574:
! 575: =over 8
! 576:
! 577: =item C<*>
! 578:
! 579: Matches any set of zero or more characters.
! 580:
! 581: =item C<?>
! 582:
! 583: Matches any single character.
! 584:
! 585: =item C<[...]>
! 586:
! 587: Matches any character in the specified range.
! 588:
! 589: =item C<[!...]>
! 590:
! 591: Matches any character B<not> in the specified range.
! 592:
! 593: =item C<\x>
! 594:
! 595: For any character "x", evaluates to "x". This is used to
! 596: escape special characters such as: "*", "?", "[", and "}".
! 597:
! 598: =back
! 599:
! 600: POSIX character classes may also be used if your system's L<glob(3)>
! 601: and L<fnmatch(3)> functions support them. However, because the
! 602: C<':'> character has special meaning in I<sudoers>, it must be
! 603: escaped. For example:
! 604:
! 605: /bin/ls [[\:alpha\:]]*
! 606:
! 607: Would match any file name beginning with a letter.
! 608:
! 609: Note that a forward slash ('/') will B<not> be matched by
! 610: wildcards used in the path name. When matching the command
! 611: line arguments, however, a slash B<does> get matched by
! 612: wildcards. This is to make a path like:
! 613:
! 614: /usr/bin/*
! 615:
! 616: match F</usr/bin/who> but not F</usr/bin/X11/xterm>.
! 617:
! 618: =head2 Exceptions to wildcard rules
! 619:
! 620: The following exceptions apply to the above rules:
! 621:
! 622: =over 8
! 623:
! 624: =item C<"">
! 625:
! 626: If the empty string C<""> is the only command line argument in the
! 627: I<sudoers> entry it means that command is not allowed to be run
! 628: with B<any> arguments.
! 629:
! 630: =back
! 631:
! 632: =head2 Including other files from within sudoers
! 633:
! 634: It is possible to include other I<sudoers> files from within the
! 635: I<sudoers> file currently being parsed using the C<#include> and
! 636: C<#includedir> directives.
! 637:
! 638: This can be used, for example, to keep a site-wide I<sudoers> file
! 639: in addition to a local, per-machine file. For the sake of this
! 640: example the site-wide I<sudoers> will be F</etc/sudoers> and the
! 641: per-machine one will be F</etc/sudoers.local>. To include
! 642: F</etc/sudoers.local> from within F</etc/sudoers> we would use the
! 643: following line in F</etc/sudoers>:
! 644:
! 645: =over 4
! 646:
! 647: C<#include /etc/sudoers.local>
! 648:
! 649: =back
! 650:
! 651: When B<sudo> reaches this line it will suspend processing of the
! 652: current file (F</etc/sudoers>) and switch to F</etc/sudoers.local>.
! 653: Upon reaching the end of F</etc/sudoers.local>, the rest of
! 654: F</etc/sudoers> will be processed. Files that are included may
! 655: themselves include other files. A hard limit of 128 nested include
! 656: files is enforced to prevent include file loops.
! 657:
! 658: The file name may include the C<%h> escape, signifying the short form
! 659: of the host name. I.e., if the machine's host name is "xerxes", then
! 660:
! 661: C<#include /etc/sudoers.%h>
! 662:
! 663: will cause B<sudo> to include the file F</etc/sudoers.xerxes>.
! 664:
! 665: The C<#includedir> directive can be used to create a F<sudo.d>
! 666: directory that the system package manager can drop I<sudoers> rules
! 667: into as part of package installation. For example, given:
! 668:
! 669: C<#includedir /etc/sudoers.d>
! 670:
! 671: B<sudo> will read each file in F</etc/sudoers.d>, skipping file
! 672: names that end in C<~> or contain a C<.> character to avoid causing
! 673: problems with package manager or editor temporary/backup files.
! 674: Files are parsed in sorted lexical order. That is,
! 675: F</etc/sudoers.d/01_first> will be parsed before
! 676: F</etc/sudoers.d/10_second>. Be aware that because the sorting is
! 677: lexical, not numeric, F</etc/sudoers.d/1_whoops> would be loaded
! 678: B<after> F</etc/sudoers.d/10_second>. Using a consistent number
! 679: of leading zeroes in the file names can be used to avoid such
! 680: problems.
! 681:
! 682: Note that unlike files included via C<#include>, B<visudo> will not
! 683: edit the files in a C<#includedir> directory unless one of them
! 684: contains a syntax error. It is still possible to run B<visudo>
! 685: with the C<-f> flag to edit the files directly.
! 686:
! 687: =head2 Other special characters and reserved words
! 688:
! 689: The pound sign ('#') is used to indicate a comment (unless it is
! 690: part of a #include directive or unless it occurs in the context of
! 691: a user name and is followed by one or more digits, in which case
! 692: it is treated as a uid). Both the comment character and any text
! 693: after it, up to the end of the line, are ignored.
! 694:
! 695: The reserved word B<ALL> is a built-in I<alias> that always causes
! 696: a match to succeed. It can be used wherever one might otherwise
! 697: use a C<Cmnd_Alias>, C<User_Alias>, C<Runas_Alias>, or C<Host_Alias>.
! 698: You should not try to define your own I<alias> called B<ALL> as the
! 699: built-in alias will be used in preference to your own. Please note
! 700: that using B<ALL> can be dangerous since in a command context, it
! 701: allows the user to run B<any> command on the system.
! 702:
! 703: An exclamation point ('!') can be used as a logical I<not> operator
! 704: both in an I<alias> and in front of a C<Cmnd>. This allows one to
! 705: exclude certain values. Note, however, that using a C<!> in
! 706: conjunction with the built-in C<ALL> alias to allow a user to
! 707: run "all but a few" commands rarely works as intended (see SECURITY
! 708: NOTES below).
! 709:
! 710: Long lines can be continued with a backslash ('\') as the last
! 711: character on the line.
! 712:
! 713: Whitespace between elements in a list as well as special syntactic
! 714: characters in a I<User Specification> ('=', ':', '(', ')') is optional.
! 715:
! 716: The following characters must be escaped with a backslash ('\') when
! 717: used as part of a word (e.g.E<nbsp>a user name or host name):
! 718: '!', '=', ':', ',', '(', ')', '\'.
! 719:
! 720: =head1 SUDOERS OPTIONS
! 721:
! 722: B<sudo>'s behavior can be modified by C<Default_Entry> lines, as
! 723: explained earlier. A list of all supported Defaults parameters,
! 724: grouped by type, are listed below.
! 725:
! 726: B<Boolean Flags>:
! 727:
! 728: =over 16
! 729:
! 730: =item always_set_home
! 731:
! 732: If enabled, B<sudo> will set the C<HOME> environment variable to the
! 733: home directory of the target user (which is root unless the B<-u>
! 734: option is used). This effectively means that the B<-H> option is
! 735: always implied. Note that C<HOME> is already set when the the
! 736: I<env_reset> option is enabled, so I<always_set_home> is only
! 737: effective for configurations where either I<env_reset> is disabled
! 738: or C<HOME> is present in the I<env_keep> list.
! 739: This flag is I<off> by default.
! 740:
! 741: =item authenticate
! 742:
! 743: If set, users must authenticate themselves via a password (or other
! 744: means of authentication) before they may run commands. This default
! 745: may be overridden via the C<PASSWD> and C<NOPASSWD> tags.
! 746: This flag is I<on> by default.
! 747:
! 748: =item closefrom_override
! 749:
! 750: If set, the user may use B<sudo>'s B<-C> option which
! 751: overrides the default starting point at which B<sudo> begins
! 752: closing open file descriptors. This flag is I<off> by default.
! 753:
! 754: =item compress_io
! 755:
! 756: If set, and B<sudo> is configured to log a command's input or output,
! 757: the I/O logs will be compressed using B<zlib>. This flag is I<on>
! 758: by default when B<sudo> is compiled with B<zlib> support.
! 759:
! 760: =item env_editor
! 761:
! 762: If set, B<visudo> will use the value of the EDITOR or VISUAL
! 763: environment variables before falling back on the default editor list.
! 764: Note that this may create a security hole as it allows the user to
! 765: run any arbitrary command as root without logging. A safer alternative
! 766: is to place a colon-separated list of editors in the C<editor>
! 767: variable. B<visudo> will then only use the EDITOR or VISUAL if
! 768: they match a value specified in C<editor>. This flag is I<@env_editor@> by
! 769: default.
! 770:
! 771: =item env_reset
! 772:
! 773: If set, B<sudo> will reset the environment to only contain the
! 774: LOGNAME, MAIL, SHELL, USER, USERNAME and the C<SUDO_*> variables. Any
! 775: variables in the caller's environment that match the C<env_keep>
! 776: and C<env_check> lists are then added. The default contents of the
! 777: C<env_keep> and C<env_check> lists are displayed when B<sudo> is
! 778: run by root with the I<-V> option. If the I<secure_path> option
! 779: is set, its value will be used for the C<PATH> environment variable.
! 780: This flag is I<@env_reset@> by default.
! 781:
! 782: =item fast_glob
! 783:
! 784: Normally, B<sudo> uses the L<glob(3)> function to do shell-style
! 785: globbing when matching path names. However, since it accesses the
! 786: file system, L<glob(3)> can take a long time to complete for some
! 787: patterns, especially when the pattern references a network file
! 788: system that is mounted on demand (automounted). The I<fast_glob>
! 789: option causes B<sudo> to use the L<fnmatch(3)> function, which does
! 790: not access the file system to do its matching. The disadvantage
! 791: of I<fast_glob> is that it is unable to match relative path names
! 792: such as F<./ls> or F<../bin/ls>. This has security implications
! 793: when path names that include globbing characters are used with the
! 794: negation operator, C<'!'>, as such rules can be trivially bypassed.
! 795: As such, this option should not be used when I<sudoers> contains rules
! 796: that contain negated path names which include globbing characters.
! 797: This flag is I<off> by default.
! 798:
! 799: =item fqdn
! 800:
! 801: Set this flag if you want to put fully qualified host names in the
! 802: I<sudoers> file. I.e., instead of myhost you would use myhost.mydomain.edu.
! 803: You may still use the short form if you wish (and even mix the two).
! 804: Beware that turning on I<fqdn> requires B<sudo> to make DNS lookups
! 805: which may make B<sudo> unusable if DNS stops working (for example
! 806: if the machine is not plugged into the network). Also note that
! 807: you must use the host's official name as DNS knows it. That is,
! 808: you may not use a host alias (C<CNAME> entry) due to performance
! 809: issues and the fact that there is no way to get all aliases from
! 810: DNS. If your machine's host name (as returned by the C<hostname>
! 811: command) is already fully qualified you shouldn't need to set
! 812: I<fqdn>. This flag is I<@fqdn@> by default.
! 813:
! 814: =item ignore_dot
! 815:
! 816: If set, B<sudo> will ignore '.' or '' (current dir) in the C<PATH>
! 817: environment variable; the C<PATH> itself is not modified. This
! 818: flag is I<@ignore_dot@> by default.
! 819:
! 820: =item ignore_local_sudoers
! 821:
! 822: If set via LDAP, parsing of F<@sysconfdir@/sudoers> will be skipped.
! 823: This is intended for Enterprises that wish to prevent the usage of local
! 824: sudoers files so that only LDAP is used. This thwarts the efforts of
! 825: rogue operators who would attempt to add roles to F<@sysconfdir@/sudoers>.
! 826: When this option is present, F<@sysconfdir@/sudoers> does not even need to
! 827: exist. Since this option tells B<sudo> how to behave when no specific LDAP
! 828: entries have been matched, this sudoOption is only meaningful for the
! 829: C<cn=defaults> section. This flag is I<off> by default.
! 830:
! 831: =item insults
! 832:
! 833: If set, B<sudo> will insult users when they enter an incorrect
! 834: password. This flag is I<@insults@> by default.
! 835:
! 836: =item log_host
! 837:
! 838: If set, the host name will be logged in the (non-syslog) B<sudo> log file.
! 839: This flag is I<off> by default.
! 840:
! 841: =item log_input
! 842:
! 843: If set, B<sudo> will run the command in a I<pseudo tty> and log all
! 844: user input.
! 845: If the standard input is not connected to the user's tty, due to
! 846: I/O redirection or because the command is part of a pipeline, that
! 847: input is also captured and stored in a separate log file.
! 848:
! 849: Input is logged to the directory specified by the I<iolog_dir>
! 850: option (F<@iolog_dir@> by default) using a unique session ID that
! 851: is included in the normal B<sudo> log line, prefixed with I<TSID=>.
! 852: The I<iolog_file> option may be used to control the format of the
! 853: session ID.
! 854:
! 855: Note that user input may contain sensitive information such as
! 856: passwords (even if they are not echoed to the screen), which will
! 857: be stored in the log file unencrypted. In most cases, logging the
! 858: command output via I<log_output> is all that is required.
! 859:
! 860: =item log_output
! 861:
! 862: If set, B<sudo> will run the command in a I<pseudo tty> and log all
! 863: output that is sent to the screen, similar to the script(1) command.
! 864: If the standard output or standard error is not connected to the
! 865: user's tty, due to I/O redirection or because the command is part
! 866: of a pipeline, that output is also captured and stored in separate
! 867: log files.
! 868:
! 869: Output is logged to the directory specified by the I<iolog_dir>
! 870: option (F<@iolog_dir@> by default) using a unique session ID that
! 871: is included in the normal B<sudo> log line, prefixed with I<TSID=>.
! 872: The I<iolog_file> option may be used to control the format of the
! 873: session ID.
! 874:
! 875: Output logs may be viewed with the L<sudoreplay(8)> utility, which
! 876: can also be used to list or search the available logs.
! 877:
! 878: =item log_year
! 879:
! 880: If set, the four-digit year will be logged in the (non-syslog) B<sudo> log file.
! 881: This flag is I<off> by default.
! 882:
! 883: =item long_otp_prompt
! 884:
! 885: When validating with a One Time Password (OTP) scheme such as
! 886: B<S/Key> or B<OPIE>, a two-line prompt is used to make it easier
! 887: to cut and paste the challenge to a local window. It's not as
! 888: pretty as the default but some people find it more convenient. This
! 889: flag is I<@long_otp_prompt@> by default.
! 890:
! 891: =item mail_always
! 892:
! 893: Send mail to the I<mailto> user every time a users runs B<sudo>.
! 894: This flag is I<off> by default.
! 895:
! 896: =item mail_badpass
! 897:
! 898: Send mail to the I<mailto> user if the user running B<sudo> does not
! 899: enter the correct password. This flag is I<off> by default.
! 900:
! 901: =item mail_no_host
! 902:
! 903: If set, mail will be sent to the I<mailto> user if the invoking
! 904: user exists in the I<sudoers> file, but is not allowed to run
! 905: commands on the current host. This flag is I<@mail_no_host@> by default.
! 906:
! 907: =item mail_no_perms
! 908:
! 909: If set, mail will be sent to the I<mailto> user if the invoking
! 910: user is allowed to use B<sudo> but the command they are trying is not
! 911: listed in their I<sudoers> file entry or is explicitly denied.
! 912: This flag is I<@mail_no_perms@> by default.
! 913:
! 914: =item mail_no_user
! 915:
! 916: If set, mail will be sent to the I<mailto> user if the invoking
! 917: user is not in the I<sudoers> file. This flag is I<@mail_no_user@>
! 918: by default.
! 919:
! 920: =item noexec
! 921:
! 922: If set, all commands run via B<sudo> will behave as if the C<NOEXEC>
! 923: tag has been set, unless overridden by a C<EXEC> tag. See the
! 924: description of I<NOEXEC and EXEC> below as well as the L<PREVENTING SHELL
! 925: ESCAPES> section at the end of this manual. This flag is I<off> by default.
! 926:
! 927: =item path_info
! 928:
! 929: Normally, B<sudo> will tell the user when a command could not be
! 930: found in their C<PATH> environment variable. Some sites may wish
! 931: to disable this as it could be used to gather information on the
! 932: location of executables that the normal user does not have access
! 933: to. The disadvantage is that if the executable is simply not in
! 934: the user's C<PATH>, B<sudo> will tell the user that they are not
! 935: allowed to run it, which can be confusing. This flag is I<@path_info@>
! 936: by default.
! 937:
! 938: =item passprompt_override
! 939:
! 940: The password prompt specified by I<passprompt> will normally only
! 941: be used if the password prompt provided by systems such as PAM matches
! 942: the string "Password:". If I<passprompt_override> is set, I<passprompt>
! 943: will always be used. This flag is I<off> by default.
! 944:
! 945: =item preserve_groups
! 946:
! 947: By default, B<sudo> will initialize the group vector to the list of
! 948: groups the target user is in. When I<preserve_groups> is set, the
! 949: user's existing group vector is left unaltered. The real and
! 950: effective group IDs, however, are still set to match the target
! 951: user. This flag is I<off> by default.
! 952:
! 953: =item pwfeedback
! 954:
! 955: By default, B<sudo> reads the password like most other Unix programs,
! 956: by turning off echo until the user hits the return (or enter) key.
! 957: Some users become confused by this as it appears to them that B<sudo>
! 958: has hung at this point. When I<pwfeedback> is set, B<sudo> will
! 959: provide visual feedback when the user presses a key. Note that
! 960: this does have a security impact as an onlooker may be able to
! 961: determine the length of the password being entered.
! 962: This flag is I<off> by default.
! 963:
! 964: =item requiretty
! 965:
! 966: If set, B<sudo> will only run when the user is logged in to a real
! 967: tty. When this flag is set, B<sudo> can only be run from a login
! 968: session and not via other means such as L<cron(8)> or cgi-bin scripts.
! 969: This flag is I<off> by default.
! 970:
! 971: =item root_sudo
! 972:
! 973: If set, root is allowed to run B<sudo> too. Disabling this prevents users
! 974: from "chaining" B<sudo> commands to get a root shell by doing something
! 975: like C<"sudo sudo /bin/sh">. Note, however, that turning off I<root_sudo>
! 976: will also prevent root from running B<sudoedit>.
! 977: Disabling I<root_sudo> provides no real additional security; it
! 978: exists purely for historical reasons.
! 979: This flag is I<@root_sudo@> by default.
! 980:
! 981: =item rootpw
! 982:
! 983: If set, B<sudo> will prompt for the root password instead of the password
! 984: of the invoking user. This flag is I<off> by default.
! 985:
! 986: =item runaspw
! 987:
! 988: If set, B<sudo> will prompt for the password of the user defined by the
! 989: I<runas_default> option (defaults to C<@runas_default@>) instead of the
! 990: password of the invoking user. This flag is I<off> by default.
! 991:
! 992: =item set_home
! 993:
! 994: If enabled and B<sudo> is invoked with the B<-s> option the C<HOME>
! 995: environment variable will be set to the home directory of the target
! 996: user (which is root unless the B<-u> option is used). This effectively
! 997: makes the B<-s> option imply B<-H>. Note that C<HOME> is already
! 998: set when the the I<env_reset> option is enabled, so I<set_home> is
! 999: only effective for configurations where either I<env_reset> is disabled
! 1000: or C<HOME> is present in the I<env_keep> list.
! 1001: This flag is I<off> by default.
! 1002:
! 1003: =item set_logname
! 1004:
! 1005: Normally, B<sudo> will set the C<LOGNAME>, C<USER> and C<USERNAME>
! 1006: environment variables to the name of the target user (usually root
! 1007: unless the B<-u> option is given). However, since some programs
! 1008: (including the RCS revision control system) use C<LOGNAME> to
! 1009: determine the real identity of the user, it may be desirable to
! 1010: change this behavior. This can be done by negating the set_logname
! 1011: option. Note that if the I<env_reset> option has not been disabled,
! 1012: entries in the I<env_keep> list will override the value of
! 1013: I<set_logname>. This flag is I<on> by default.
! 1014:
! 1015: =item set_utmp
! 1016:
! 1017: When enabled, B<sudo> will create an entry in the utmp (or utmpx)
! 1018: file when a pseudo-tty is allocated. A pseudo-tty is allocated by
! 1019: B<sudo> when the I<log_input>, I<log_output> or I<use_pty> flags
! 1020: are enabled. By default, the new entry will be a copy of the user's
! 1021: existing utmp entry (if any), with the tty, time, type and pid
! 1022: fields updated. This flag is I<on> by default.
! 1023:
! 1024: =item setenv
! 1025:
! 1026: Allow the user to disable the I<env_reset> option from the command
! 1027: line via the B<-E> option. Additionally, environment variables set
! 1028: via the command line are not subject to the restrictions imposed
! 1029: by I<env_check>, I<env_delete>, or I<env_keep>. As such, only
! 1030: trusted users should be allowed to set variables in this manner.
! 1031: This flag is I<off> by default.
! 1032:
! 1033: =item shell_noargs
! 1034:
! 1035: If set and B<sudo> is invoked with no arguments it acts as if the
! 1036: B<-s> option had been given. That is, it runs a shell as root (the
! 1037: shell is determined by the C<SHELL> environment variable if it is
! 1038: set, falling back on the shell listed in the invoking user's
! 1039: /etc/passwd entry if not). This flag is I<off> by default.
! 1040:
! 1041: =item stay_setuid
! 1042:
! 1043: Normally, when B<sudo> executes a command the real and effective
! 1044: UIDs are set to the target user (root by default). This option
! 1045: changes that behavior such that the real UID is left as the invoking
! 1046: user's UID. In other words, this makes B<sudo> act as a setuid
! 1047: wrapper. This can be useful on systems that disable some potentially
! 1048: dangerous functionality when a program is run setuid. This option
! 1049: is only effective on systems with either the setreuid() or setresuid()
! 1050: function. This flag is I<off> by default.
! 1051:
! 1052: =item targetpw
! 1053:
! 1054: If set, B<sudo> will prompt for the password of the user specified
! 1055: by the B<-u> option (defaults to C<root>) instead of the password
! 1056: of the invoking user. In addition, the timestamp file name will
! 1057: include the target user's name. Note that this flag precludes the
! 1058: use of a uid not listed in the passwd database as an argument to
! 1059: the B<-u> option. This flag is I<off> by default.
! 1060:
! 1061: =item tty_tickets
! 1062:
! 1063: If set, users must authenticate on a per-tty basis. With this flag
! 1064: enabled, B<sudo> will use a file named for the tty the user is
! 1065: logged in on in the user's time stamp directory. If disabled, the
! 1066: time stamp of the directory is used instead. This flag is
! 1067: I<@tty_tickets@> by default.
! 1068:
! 1069: =item umask_override
! 1070:
! 1071: If set, B<sudo> will set the umask as specified by I<sudoers> without
! 1072: modification. This makes it possible to specify a more permissive
! 1073: umask in I<sudoers> than the user's own umask and matches historical
! 1074: behavior. If I<umask_override> is not set, B<sudo> will set the
! 1075: umask to be the union of the user's umask and what is specified in
! 1076: I<sudoers>. This flag is I<@umask_override@> by default.
! 1077:
! 1078: =item use_loginclass
! 1079:
! 1080: If set, B<sudo> will apply the defaults specified for the target user's
! 1081: login class if one exists. Only available if B<sudo> is configured with
! 1082: the --with-logincap option. This flag is I<off> by default.
! 1083:
! 1084: =item use_pty
! 1085:
! 1086: If set, B<sudo> will run the command in a pseudo-pty even if no I/O
! 1087: logging is being gone. A malicious program run under B<sudo> could
! 1088: conceivably fork a background process that retains to the user's
! 1089: terminal device after the main program has finished executing. Use
! 1090: of this option will make that impossible. This flag is I<off> by default.
! 1091:
! 1092: =item utmp_runas
! 1093:
! 1094: If set, B<sudo> will store the name of the runas user when updating
! 1095: the utmp (or utmpx) file. By default, B<sudo> stores the name of
! 1096: the invoking user. This flag is I<off> by default.
! 1097:
! 1098: =item visiblepw
! 1099:
! 1100: By default, B<sudo> will refuse to run if the user must enter a
! 1101: password but it is not possible to disable echo on the terminal.
! 1102: If the I<visiblepw> flag is set, B<sudo> will prompt for a password
! 1103: even when it would be visible on the screen. This makes it possible
! 1104: to run things like C<"rsh somehost sudo ls"> since L<rsh(1)> does
! 1105: not allocate a tty. This flag is I<off> by default.
! 1106:
! 1107: =back
! 1108:
! 1109: B<Integers>:
! 1110:
! 1111: =over 16
! 1112:
! 1113: =item closefrom
! 1114:
! 1115: Before it executes a command, B<sudo> will close all open file
! 1116: descriptors other than standard input, standard output and standard
! 1117: error (ie: file descriptors 0-2). The I<closefrom> option can be used
! 1118: to specify a different file descriptor at which to start closing.
! 1119: The default is C<3>.
! 1120:
! 1121: =item passwd_tries
! 1122:
! 1123: The number of tries a user gets to enter his/her password before
! 1124: B<sudo> logs the failure and exits. The default is C<@passwd_tries@>.
! 1125:
! 1126: =back
! 1127:
! 1128: B<Integers that can be used in a boolean context>:
! 1129:
! 1130: =over 16
! 1131:
! 1132: =item loglinelen
! 1133:
! 1134: Number of characters per line for the file log. This value is used
! 1135: to decide when to wrap lines for nicer log files. This has no
! 1136: effect on the syslog log file, only the file log. The default is
! 1137: C<@loglen@> (use 0 or negate the option to disable word wrap).
! 1138:
! 1139: =item passwd_timeout
! 1140:
! 1141: Number of minutes before the B<sudo> password prompt times out, or
! 1142: C<0> for no timeout. The timeout may include a fractional component
! 1143: if minute granularity is insufficient, for example C<2.5>. The
! 1144: default is C<@password_timeout@>.
! 1145:
! 1146: =item timestamp_timeout
! 1147:
! 1148: Number of minutes that can elapse before B<sudo> will ask for a
! 1149: passwd again. The timeout may include a fractional component if
! 1150: minute granularity is insufficient, for example C<2.5>. The default
! 1151: is C<@timeout@>. Set this to C<0> to always prompt for a password.
! 1152: If set to a value less than C<0> the user's timestamp will never
! 1153: expire. This can be used to allow users to create or delete their
! 1154: own timestamps via C<sudo -v> and C<sudo -k> respectively.
! 1155:
! 1156: =item umask
! 1157:
! 1158: Umask to use when running the command. Negate this option or set
! 1159: it to 0777 to preserve the user's umask. The actual umask that is
! 1160: used will be the union of the user's umask and the value of the
! 1161: I<umask> option, which defaults to C<@sudo_umask@>. This guarantees
! 1162: that B<sudo> never lowers the umask when running a command. Note
! 1163: on systems that use PAM, the default PAM configuration may specify
! 1164: its own umask which will override the value set in I<sudoers>.
! 1165:
! 1166: =back
! 1167:
! 1168: B<Strings>:
! 1169:
! 1170: =over 16
! 1171:
! 1172: =item badpass_message
! 1173:
! 1174: Message that is displayed if a user enters an incorrect password.
! 1175: The default is C<@badpass_message@> unless insults are enabled.
! 1176:
! 1177: =item editor
! 1178:
! 1179: A colon (':') separated list of editors allowed to be used with
! 1180: B<visudo>. B<visudo> will choose the editor that matches the user's
! 1181: EDITOR environment variable if possible, or the first editor in the
! 1182: list that exists and is executable. The default is C<"@editor@">.
! 1183:
! 1184: =item iolog_dir
! 1185:
! 1186: The top-level directory to use when constructing the path name for
! 1187: the input/output log directory. Only used if the I<log_input> or
! 1188: I<log_output> options are enabled or when the C<LOG_INPUT> or
! 1189: C<LOG_OUTPUT> tags are present for a command. The session sequence
! 1190: number, if any, is stored in the directory.
! 1191: The default is C<"@iolog_dir@">.
! 1192:
! 1193: The following percent (`C<%>') escape sequences are supported:
! 1194:
! 1195: =over 4
! 1196:
! 1197: =item C<%{seq}>
! 1198:
! 1199: expanded to a monotonically increasing base-36 sequence number, such as 0100A5,
! 1200: where every two digits are used to form a new directory, e.g. F<01/00/A5>
! 1201:
! 1202: =item C<%{user}>
! 1203:
! 1204: expanded to the invoking user's login name
! 1205:
! 1206: =item C<%{group}>
! 1207:
! 1208: expanded to the name of the invoking user's real group ID
! 1209:
! 1210: =item C<%{runas_user}>
! 1211:
! 1212: expanded to the login name of the user the command will
! 1213: be run as (e.g. root)
! 1214:
! 1215: =item C<%{runas_group}>
! 1216:
! 1217: expanded to the group name of the user the command will
! 1218: be run as (e.g. wheel)
! 1219:
! 1220: =item C<%{hostname}>
! 1221:
! 1222: expanded to the local host name without the domain name
! 1223:
! 1224: =item C<%{command}>
! 1225:
! 1226: expanded to the base name of the command being run
! 1227:
! 1228: =back
! 1229:
! 1230: In addition, any escape sequences supported by the system's strftime()
! 1231: function will be expanded.
! 1232:
! 1233: To include a literal `C<%>' character, the string `C<%%>' should
! 1234: be used.
! 1235:
! 1236: =item iolog_file
! 1237:
! 1238: The path name, relative to I<iolog_dir>, in which to store input/output
! 1239: logs when the I<log_input> or I<log_output> options are enabled or
! 1240: when the C<LOG_INPUT> or C<LOG_OUTPUT> tags are present for a command.
! 1241: Note that I<iolog_file> may contain directory components.
! 1242: The default is C<"%{seq}">.
! 1243:
! 1244: See the I<iolog_dir> option above for a list of supported percent
! 1245: (`C<%>') escape sequences.
! 1246:
! 1247: In addition to the escape sequences, path names that end in six or
! 1248: more C<X>s will have the C<X>s replaced with a unique combination
! 1249: of digits and letters, similar to the mktemp() function.
! 1250:
! 1251: =item mailsub
! 1252:
! 1253: Subject of the mail sent to the I<mailto> user. The escape C<%h>
! 1254: will expand to the host name of the machine.
! 1255: Default is C<@mailsub@>.
! 1256:
! 1257: =item noexec_file
! 1258:
! 1259: This option is deprecated and will be removed in a future release
! 1260: of B<sudo>. The path to the noexec file should now be set in the
! 1261: F<@sysconfdir@/sudo.conf> file.
! 1262:
! 1263: =item passprompt
! 1264:
! 1265: The default prompt to use when asking for a password; can be overridden
! 1266: via the B<-p> option or the C<SUDO_PROMPT> environment variable.
! 1267: The following percent (`C<%>') escape sequences are supported:
! 1268:
! 1269: =over 4
! 1270:
! 1271: =item C<%H>
! 1272:
! 1273: expanded to the local host name including the domain name
! 1274: (only if the machine's host name is fully qualified or the I<fqdn>
! 1275: option is set)
! 1276:
! 1277: =item C<%h>
! 1278:
! 1279: expanded to the local host name without the domain name
! 1280:
! 1281: =item C<%p>
! 1282:
! 1283: expanded to the user whose password is being asked for (respects the
! 1284: I<rootpw>, I<targetpw> and I<runaspw> flags in I<sudoers>)
! 1285:
! 1286: =item C<%U>
! 1287:
! 1288: expanded to the login name of the user the command will
! 1289: be run as (defaults to root)
! 1290:
! 1291: =item C<%u>
! 1292:
! 1293: expanded to the invoking user's login name
! 1294:
! 1295: =item C<%%>
! 1296:
! 1297: two consecutive C<%> characters are collapsed into a single C<%> character
! 1298:
! 1299: =back
! 1300:
! 1301: The default value is C<@passprompt@>.
! 1302:
! 1303: =item role
! 1304:
! 1305: The default SELinux role to use when constructing a new security
! 1306: context to run the command. The default role may be overridden on
! 1307: a per-command basis in I<sudoers> or via command line options.
! 1308: This option is only available whe B<sudo> is built with SELinux support.
! 1309:
! 1310: =item runas_default
! 1311:
! 1312: The default user to run commands as if the B<-u> option is not specified
! 1313: on the command line. This defaults to C<@runas_default@>.
! 1314:
! 1315: =item syslog_badpri
! 1316:
! 1317: Syslog priority to use when user authenticates unsuccessfully.
! 1318: Defaults to C<@badpri@>.
! 1319:
! 1320: The following syslog priorities are supported: B<alert>, B<crit>,
! 1321: B<debug>, B<emerg>, B<err>, B<info>, B<notice>, and B<warning>.
! 1322:
! 1323: =item syslog_goodpri
! 1324:
! 1325: Syslog priority to use when user authenticates successfully.
! 1326: Defaults to C<@goodpri@>.
! 1327:
! 1328: See L<syslog_badpri> for the list of supported syslog priorities.
! 1329:
! 1330: =item sudoers_locale
! 1331:
! 1332: Locale to use when parsing the sudoers file, logging commands, and
! 1333: sending email. Note that changing the locale may affect how sudoers
! 1334: is interpreted. Defaults to C<"C">.
! 1335:
! 1336: =item timestampdir
! 1337:
! 1338: The directory in which B<sudo> stores its timestamp files.
! 1339: The default is F<@timedir@>.
! 1340:
! 1341: =item timestampowner
! 1342:
! 1343: The owner of the timestamp directory and the timestamps stored therein.
! 1344: The default is C<root>.
! 1345:
! 1346: =item type
! 1347:
! 1348: The default SELinux type to use when constructing a new security
! 1349: context to run the command. The default type may be overridden on
! 1350: a per-command basis in I<sudoers> or via command line options.
! 1351: This option is only available whe B<sudo> is built with SELinux support.
! 1352:
! 1353: =back
! 1354:
! 1355: B<Strings that can be used in a boolean context>:
! 1356:
! 1357: =over 12
! 1358:
! 1359: =item env_file
! 1360:
! 1361: The I<env_file> options specifies the fully qualified path to a
! 1362: file containing variables to be set in the environment of the program
! 1363: being run. Entries in this file should either be of the form
! 1364: C<VARIABLE=value> or C<export VARIABLE=value>. The value may
! 1365: optionally be surrounded by single or double quotes. Variables in
! 1366: this file are subject to other B<sudo> environment settings such
! 1367: as I<env_keep> and I<env_check>.
! 1368:
! 1369: =item exempt_group
! 1370:
! 1371: Users in this group are exempt from password and PATH requirements.
! 1372: The group name specified should not include a C<%> prefix.
! 1373: This is not set by default.
! 1374:
! 1375: =item group_plugin
! 1376:
! 1377: A string containing a I<sudoers> group plugin with optional arguments.
! 1378: This can be used to implement support for the C<nonunix_group>
! 1379: syntax described earlier. The string should consist of the plugin
! 1380: path, either fully-qualified or relative to the F<@prefix@/libexec>
! 1381: directory, followed by any configuration arguments the plugin
! 1382: requires. These arguments (if any) will be passed to the plugin's
! 1383: initialization function. If arguments are present, the string must
! 1384: be enclosed in double quotes (C<">).
! 1385:
! 1386: For example, given F</etc/sudo-group>, a group file in Unix group
! 1387: format, the sample group plugin can be used:
! 1388:
! 1389: Defaults group_plugin="sample_group.so /etc/sudo-group"
! 1390:
! 1391: For more information see L<sudo_plugin(5)>.
! 1392:
! 1393: =item lecture
! 1394:
! 1395: This option controls when a short lecture will be printed along with
! 1396: the password prompt. It has the following possible values:
! 1397:
! 1398: =over 8
! 1399:
! 1400: =item always
! 1401:
! 1402: Always lecture the user.
! 1403:
! 1404: =item never
! 1405:
! 1406: Never lecture the user.
! 1407:
! 1408: =item once
! 1409:
! 1410: Only lecture the user the first time they run B<sudo>.
! 1411:
! 1412: =back
! 1413:
! 1414: If no value is specified, a value of I<once> is implied.
! 1415: Negating the option results in a value of I<never> being used.
! 1416: The default value is I<@lecture@>.
! 1417:
! 1418: =item lecture_file
! 1419:
! 1420: Path to a file containing an alternate B<sudo> lecture that will
! 1421: be used in place of the standard lecture if the named file exists.
! 1422: By default, B<sudo> uses a built-in lecture.
! 1423:
! 1424: =item listpw
! 1425:
! 1426: This option controls when a password will be required when a
! 1427: user runs B<sudo> with the B<-l> option. It has the following possible values:
! 1428:
! 1429: =over 8
! 1430:
! 1431: =item all
! 1432:
! 1433: All the user's I<sudoers> entries for the current host must have
! 1434: the C<NOPASSWD> flag set to avoid entering a password.
! 1435:
! 1436: =item always
! 1437:
! 1438: The user must always enter a password to use the B<-l> option.
! 1439:
! 1440: =item any
! 1441:
! 1442: At least one of the user's I<sudoers> entries for the current host
! 1443: must have the C<NOPASSWD> flag set to avoid entering a password.
! 1444:
! 1445: =item never
! 1446:
! 1447: The user need never enter a password to use the B<-l> option.
! 1448:
! 1449: =back
! 1450:
! 1451: If no value is specified, a value of I<any> is implied.
! 1452: Negating the option results in a value of I<never> being used.
! 1453: The default value is I<any>.
! 1454:
! 1455: =item logfile
! 1456:
! 1457: Path to the B<sudo> log file (not the syslog log file). Setting a path
! 1458: turns on logging to a file; negating this option turns it off.
! 1459: By default, B<sudo> logs via syslog.
! 1460:
! 1461: =item mailerflags
! 1462:
! 1463: Flags to use when invoking mailer. Defaults to B<-t>.
! 1464:
! 1465: =item mailerpath
! 1466:
! 1467: Path to mail program used to send warning mail.
! 1468: Defaults to the path to sendmail found at configure time.
! 1469:
! 1470: =item mailfrom
! 1471:
! 1472: Address to use for the "from" address when sending warning and error
! 1473: mail. The address should be enclosed in double quotes (C<">) to
! 1474: protect against B<sudo> interpreting the C<@> sign. Defaults to
! 1475: the name of the user running B<sudo>.
! 1476:
! 1477: =item mailto
! 1478:
! 1479: Address to send warning and error mail to. The address should
! 1480: be enclosed in double quotes (C<">) to protect against B<sudo>
! 1481: interpreting the C<@> sign. Defaults to C<@mailto@>.
! 1482:
! 1483: =item secure_path
! 1484:
! 1485: Path used for every command run from B<sudo>. If you don't trust the
! 1486: people running B<sudo> to have a sane C<PATH> environment variable you may
! 1487: want to use this. Another use is if you want to have the "root path"
! 1488: be separate from the "user path." Users in the group specified by the
! 1489: I<exempt_group> option are not affected by I<secure_path>.
! 1490: This option is @secure_path@ by default.
! 1491:
! 1492: =item syslog
! 1493:
! 1494: Syslog facility if syslog is being used for logging (negate to
! 1495: disable syslog logging). Defaults to C<@logfac@>.
! 1496:
! 1497: The following syslog facilities are supported: B<authpriv> (if your
! 1498: OS supports it), B<auth>, B<daemon>, B<user>, B<local0>, B<local1>,
! 1499: B<local2>, B<local3>, B<local4>, B<local5>, B<local6>, and B<local7>.
! 1500:
! 1501: =item verifypw
! 1502:
! 1503: This option controls when a password will be required when a user runs
! 1504: B<sudo> with the B<-v> option. It has the following possible values:
! 1505:
! 1506: =over 8
! 1507:
! 1508: =item all
! 1509:
! 1510: All the user's I<sudoers> entries for the current host must have
! 1511: the C<NOPASSWD> flag set to avoid entering a password.
! 1512:
! 1513: =item always
! 1514:
! 1515: The user must always enter a password to use the B<-v> option.
! 1516:
! 1517: =item any
! 1518:
! 1519: At least one of the user's I<sudoers> entries for the current host
! 1520: must have the C<NOPASSWD> flag set to avoid entering a password.
! 1521:
! 1522: =item never
! 1523:
! 1524: The user need never enter a password to use the B<-v> option.
! 1525:
! 1526: =back
! 1527:
! 1528: If no value is specified, a value of I<all> is implied.
! 1529: Negating the option results in a value of I<never> being used.
! 1530: The default value is I<all>.
! 1531:
! 1532: =back
! 1533:
! 1534: B<Lists that can be used in a boolean context>:
! 1535:
! 1536: =over 16
! 1537:
! 1538: =item env_check
! 1539:
! 1540: Environment variables to be removed from the user's environment if
! 1541: the variable's value contains C<%> or C</> characters. This can
! 1542: be used to guard against printf-style format vulnerabilities in
! 1543: poorly-written programs. The argument may be a double-quoted,
! 1544: space-separated list or a single value without double-quotes. The
! 1545: list can be replaced, added to, deleted from, or disabled by using
! 1546: the C<=>, C<+=>, C<-=>, and C<!> operators respectively. Regardless
! 1547: of whether the C<env_reset> option is enabled or disabled, variables
! 1548: specified by C<env_check> will be preserved in the environment if
! 1549: they pass the aforementioned check. The default list of environment
! 1550: variables to check is displayed when B<sudo> is run by root with
! 1551: the I<-V> option.
! 1552:
! 1553: =item env_delete
! 1554:
! 1555: Environment variables to be removed from the user's environment
! 1556: when the I<env_reset> option is not in effect. The argument may
! 1557: be a double-quoted, space-separated list or a single value without
! 1558: double-quotes. The list can be replaced, added to, deleted from,
! 1559: or disabled by using the C<=>, C<+=>, C<-=>, and C<!> operators
! 1560: respectively. The default list of environment variables to remove
! 1561: is displayed when B<sudo> is run by root with the I<-V> option.
! 1562: Note that many operating systems will remove potentially dangerous
! 1563: variables from the environment of any setuid process (such as
! 1564: B<sudo>).
! 1565:
! 1566: =item env_keep
! 1567:
! 1568: Environment variables to be preserved in the user's environment
! 1569: when the I<env_reset> option is in effect. This allows fine-grained
! 1570: control over the environment B<sudo>-spawned processes will receive.
! 1571: The argument may be a double-quoted, space-separated list or a
! 1572: single value without double-quotes. The list can be replaced, added
! 1573: to, deleted from, or disabled by using the C<=>, C<+=>, C<-=>, and
! 1574: C<!> operators respectively. The default list of variables to keep
! 1575: is displayed when B<sudo> is run by root with the I<-V> option.
! 1576:
! 1577: =back
! 1578:
! 1579: =head1 FILES
! 1580:
! 1581: =over 24
! 1582:
! 1583: =item F<@sysconfdir@/sudoers>
! 1584:
! 1585: List of who can run what
! 1586:
! 1587: =item F</etc/group>
! 1588:
! 1589: Local groups file
! 1590:
! 1591: =item F</etc/netgroup>
! 1592:
! 1593: List of network groups
! 1594:
! 1595: =item F<@iolog_dir@>
! 1596:
! 1597: I/O log files
! 1598:
! 1599: =item F<@timedir@>
! 1600:
! 1601: Directory containing time stamps for the I<sudoers> security policy
! 1602:
! 1603: =item F</etc/environment>
! 1604:
! 1605: Initial environment for B<-i> mode on Linux and AIX
! 1606:
! 1607: =back
! 1608:
! 1609: =head1 EXAMPLES
! 1610:
! 1611: Below are example I<sudoers> entries. Admittedly, some of
! 1612: these are a bit contrived. First, we allow a few environment
! 1613: variables to pass and then define our I<aliases>:
! 1614:
! 1615: # Run X applications through sudo; HOME is used to find the
! 1616: # .Xauthority file. Note that other programs use HOME to find
! 1617: # configuration files and this may lead to privilege escalation!
! 1618: Defaults env_keep += "DISPLAY HOME"
! 1619:
! 1620: # User alias specification
! 1621: User_Alias FULLTIMERS = millert, mikef, dowdy
! 1622: User_Alias PARTTIMERS = bostley, jwfox, crawl
! 1623: User_Alias WEBMASTERS = will, wendy, wim
! 1624:
! 1625: # Runas alias specification
! 1626: Runas_Alias OP = root, operator
! 1627: Runas_Alias DB = oracle, sybase
! 1628: Runas_Alias ADMINGRP = adm, oper
! 1629:
! 1630: # Host alias specification
! 1631: Host_Alias SPARC = bigtime, eclipse, moet, anchor :\
! 1632: SGI = grolsch, dandelion, black :\
! 1633: ALPHA = widget, thalamus, foobar :\
! 1634: HPPA = boa, nag, python
! 1635: Host_Alias CUNETS = 128.138.0.0/255.255.0.0
! 1636: Host_Alias CSNETS = 128.138.243.0, 128.138.204.0/24, 128.138.242.0
! 1637: Host_Alias SERVERS = master, mail, www, ns
! 1638: Host_Alias CDROM = orion, perseus, hercules
! 1639:
! 1640: # Cmnd alias specification
! 1641: Cmnd_Alias DUMPS = /usr/bin/mt, /usr/sbin/dump, /usr/sbin/rdump,\
! 1642: /usr/sbin/restore, /usr/sbin/rrestore
! 1643: Cmnd_Alias KILL = /usr/bin/kill
! 1644: Cmnd_Alias PRINTING = /usr/sbin/lpc, /usr/bin/lprm
! 1645: Cmnd_Alias SHUTDOWN = /usr/sbin/shutdown
! 1646: Cmnd_Alias HALT = /usr/sbin/halt
! 1647: Cmnd_Alias REBOOT = /usr/sbin/reboot
! 1648: Cmnd_Alias SHELLS = /usr/bin/sh, /usr/bin/csh, /usr/bin/ksh, \
! 1649: /usr/local/bin/tcsh, /usr/bin/rsh, \
! 1650: /usr/local/bin/zsh
! 1651: Cmnd_Alias SU = /usr/bin/su
! 1652: Cmnd_Alias PAGERS = /usr/bin/more, /usr/bin/pg, /usr/bin/less
! 1653:
! 1654: Here we override some of the compiled in default values. We want
! 1655: B<sudo> to log via L<syslog(3)> using the I<auth> facility in all
! 1656: cases. We don't want to subject the full time staff to the B<sudo>
! 1657: lecture, user B<millert> need not give a password, and we don't
! 1658: want to reset the C<LOGNAME>, C<USER> or C<USERNAME> environment
! 1659: variables when running commands as root. Additionally, on the
! 1660: machines in the I<SERVERS> C<Host_Alias>, we keep an additional
! 1661: local log file and make sure we log the year in each log line since
! 1662: the log entries will be kept around for several years. Lastly, we
! 1663: disable shell escapes for the commands in the PAGERS C<Cmnd_Alias>
! 1664: (F</usr/bin/more>, F</usr/bin/pg> and F</usr/bin/less>).
! 1665:
! 1666: # Override built-in defaults
! 1667: Defaults syslog=auth
! 1668: Defaults>root !set_logname
! 1669: Defaults:FULLTIMERS !lecture
! 1670: Defaults:millert !authenticate
! 1671: Defaults@SERVERS log_year, logfile=/var/log/sudo.log
! 1672: Defaults!PAGERS noexec
! 1673:
! 1674: The I<User specification> is the part that actually determines who may
! 1675: run what.
! 1676:
! 1677: root ALL = (ALL) ALL
! 1678: %wheel ALL = (ALL) ALL
! 1679:
! 1680: We let B<root> and any user in group B<wheel> run any command on any
! 1681: host as any user.
! 1682:
! 1683: FULLTIMERS ALL = NOPASSWD: ALL
! 1684:
! 1685: Full time sysadmins (B<millert>, B<mikef>, and B<dowdy>) may run any
! 1686: command on any host without authenticating themselves.
! 1687:
! 1688: PARTTIMERS ALL = ALL
! 1689:
! 1690: Part time sysadmins (B<bostley>, B<jwfox>, and B<crawl>) may run any
! 1691: command on any host but they must authenticate themselves first
! 1692: (since the entry lacks the C<NOPASSWD> tag).
! 1693:
! 1694: jack CSNETS = ALL
! 1695:
! 1696: The user B<jack> may run any command on the machines in the I<CSNETS> alias
! 1697: (the networks C<128.138.243.0>, C<128.138.204.0>, and C<128.138.242.0>).
! 1698: Of those networks, only C<128.138.204.0> has an explicit netmask (in
! 1699: CIDR notation) indicating it is a class C network. For the other
! 1700: networks in I<CSNETS>, the local machine's netmask will be used
! 1701: during matching.
! 1702:
! 1703: lisa CUNETS = ALL
! 1704:
! 1705: The user B<lisa> may run any command on any host in the I<CUNETS> alias
! 1706: (the class B network C<128.138.0.0>).
! 1707:
! 1708: operator ALL = DUMPS, KILL, SHUTDOWN, HALT, REBOOT, PRINTING,\
! 1709: sudoedit /etc/printcap, /usr/oper/bin/
! 1710:
! 1711: The B<operator> user may run commands limited to simple maintenance.
! 1712: Here, those are commands related to backups, killing processes, the
! 1713: printing system, shutting down the system, and any commands in the
! 1714: directory F</usr/oper/bin/>.
! 1715:
! 1716: joe ALL = /usr/bin/su operator
! 1717:
! 1718: The user B<joe> may only L<su(1)> to operator.
! 1719:
! 1720: pete HPPA = /usr/bin/passwd [A-Za-z]*, !/usr/bin/passwd root
! 1721:
! 1722: %opers ALL = (: ADMINGRP) /usr/sbin/
! 1723:
! 1724: Users in the B<opers> group may run commands in F</usr/sbin/> as themselves
! 1725: with any group in the I<ADMINGRP> C<Runas_Alias> (the B<adm> and B<oper>
! 1726: groups).
! 1727:
! 1728: The user B<pete> is allowed to change anyone's password except for
! 1729: root on the I<HPPA> machines. Note that this assumes L<passwd(1)>
! 1730: does not take multiple user names on the command line.
! 1731:
! 1732: bob SPARC = (OP) ALL : SGI = (OP) ALL
! 1733:
! 1734: The user B<bob> may run anything on the I<SPARC> and I<SGI> machines
! 1735: as any user listed in the I<OP> C<Runas_Alias> (B<root> and B<operator>).
! 1736:
! 1737: jim +biglab = ALL
! 1738:
! 1739: The user B<jim> may run any command on machines in the I<biglab> netgroup.
! 1740: B<sudo> knows that "biglab" is a netgroup due to the '+' prefix.
! 1741:
! 1742: +secretaries ALL = PRINTING, /usr/bin/adduser, /usr/bin/rmuser
! 1743:
! 1744: Users in the B<secretaries> netgroup need to help manage the printers
! 1745: as well as add and remove users, so they are allowed to run those
! 1746: commands on all machines.
! 1747:
! 1748: fred ALL = (DB) NOPASSWD: ALL
! 1749:
! 1750: The user B<fred> can run commands as any user in the I<DB> C<Runas_Alias>
! 1751: (B<oracle> or B<sybase>) without giving a password.
! 1752:
! 1753: john ALPHA = /usr/bin/su [!-]*, !/usr/bin/su *root*
! 1754:
! 1755: On the I<ALPHA> machines, user B<john> may su to anyone except root
! 1756: but he is not allowed to specify any options to the L<su(1)> command.
! 1757:
! 1758: jen ALL, !SERVERS = ALL
! 1759:
! 1760: The user B<jen> may run any command on any machine except for those
! 1761: in the I<SERVERS> C<Host_Alias> (master, mail, www and ns).
! 1762:
! 1763: jill SERVERS = /usr/bin/, !SU, !SHELLS
! 1764:
! 1765: For any machine in the I<SERVERS> C<Host_Alias>, B<jill> may run
! 1766: any commands in the directory F</usr/bin/> except for those commands
! 1767: belonging to the I<SU> and I<SHELLS> C<Cmnd_Aliases>.
! 1768:
! 1769: steve CSNETS = (operator) /usr/local/op_commands/
! 1770:
! 1771: The user B<steve> may run any command in the directory /usr/local/op_commands/
! 1772: but only as user operator.
! 1773:
! 1774: matt valkyrie = KILL
! 1775:
! 1776: On his personal workstation, valkyrie, B<matt> needs to be able to
! 1777: kill hung processes.
! 1778:
! 1779: WEBMASTERS www = (www) ALL, (root) /usr/bin/su www
! 1780:
! 1781: On the host www, any user in the I<WEBMASTERS> C<User_Alias> (will,
! 1782: wendy, and wim), may run any command as user www (which owns the
! 1783: web pages) or simply L<su(1)> to www.
! 1784:
! 1785: ALL CDROM = NOPASSWD: /sbin/umount /CDROM,\
! 1786: /sbin/mount -o nosuid\,nodev /dev/cd0a /CDROM
! 1787:
! 1788: Any user may mount or unmount a CD-ROM on the machines in the CDROM
! 1789: C<Host_Alias> (orion, perseus, hercules) without entering a password.
! 1790: This is a bit tedious for users to type, so it is a prime candidate
! 1791: for encapsulating in a shell script.
! 1792:
! 1793: =head1 SECURITY NOTES
! 1794:
! 1795: It is generally not effective to "subtract" commands from C<ALL>
! 1796: using the '!' operator. A user can trivially circumvent this
! 1797: by copying the desired command to a different name and then
! 1798: executing that. For example:
! 1799:
! 1800: bill ALL = ALL, !SU, !SHELLS
! 1801:
! 1802: Doesn't really prevent B<bill> from running the commands listed in
! 1803: I<SU> or I<SHELLS> since he can simply copy those commands to a
! 1804: different name, or use a shell escape from an editor or other
! 1805: program. Therefore, these kind of restrictions should be considered
! 1806: advisory at best (and reinforced by policy).
! 1807:
! 1808: Furthermore, if the I<fast_glob> option is in use, it is not possible
! 1809: to reliably negate commands where the path name includes globbing
! 1810: (aka wildcard) characters. This is because the C library's
! 1811: L<fnmatch(3)> function cannot resolve relative paths. While this
! 1812: is typically only an inconvenience for rules that grant privileges,
! 1813: it can result in a security issue for rules that subtract or revoke
! 1814: privileges.
! 1815:
! 1816: For example, given the following I<sudoers> entry:
! 1817:
! 1818: john ALL = /usr/bin/passwd [a-zA-Z0-9]*, /usr/bin/chsh [a-zA-Z0-9]*,
! 1819: /usr/bin/chfn [a-zA-Z0-9]*, !/usr/bin/* root
! 1820:
! 1821: User B<john> can still run C</usr/bin/passwd root> if I<fast_glob> is
! 1822: enabled by changing to F</usr/bin> and running C<./passwd root> instead.
! 1823:
! 1824: =head1 PREVENTING SHELL ESCAPES
! 1825:
! 1826: Once B<sudo> executes a program, that program is free to do whatever
! 1827: it pleases, including run other programs. This can be a security
! 1828: issue since it is not uncommon for a program to allow shell escapes,
! 1829: which lets a user bypass B<sudo>'s access control and logging.
! 1830: Common programs that permit shell escapes include shells (obviously),
! 1831: editors, paginators, mail and terminal programs.
! 1832:
! 1833: There are two basic approaches to this problem:
! 1834:
! 1835: =over 10
! 1836:
! 1837: =item restrict
! 1838:
! 1839: Avoid giving users access to commands that allow the user to run
! 1840: arbitrary commands. Many editors have a restricted mode where shell
! 1841: escapes are disabled, though B<sudoedit> is a better solution to
! 1842: running editors via B<sudo>. Due to the large number of programs that
! 1843: offer shell escapes, restricting users to the set of programs that
! 1844: do not is often unworkable.
! 1845:
! 1846: =item noexec
! 1847:
! 1848: Many systems that support shared libraries have the ability to
! 1849: override default library functions by pointing an environment
! 1850: variable (usually C<LD_PRELOAD>) to an alternate shared library.
! 1851: On such systems, B<sudo>'s I<noexec> functionality can be used to
! 1852: prevent a program run by B<sudo> from executing any other programs.
! 1853: Note, however, that this applies only to native dynamically-linked
! 1854: executables. Statically-linked executables and foreign executables
! 1855: running under binary emulation are not affected.
! 1856:
! 1857: The I<noexec> feature is known to work on SunOS, Solaris, *BSD,
! 1858: Linux, IRIX, Tru64 UNIX, MacOS X, HP-UX 11.x and AIX 5.3 and above.
! 1859: It should be supported on most operating systems that support the
! 1860: C<LD_PRELOAD> environment variable. Check your operating system's
! 1861: manual pages for the dynamic linker (usually ld.so, ld.so.1, dyld,
! 1862: dld.sl, rld, or loader) to see if C<LD_PRELOAD> is supported.
! 1863:
! 1864: On Solaris 10 and higher, I<noexec> uses Solaris privileges instead
! 1865: of the C<LD_PRELOAD> environment variable.
! 1866:
! 1867: To enable I<noexec> for a command, use the C<NOEXEC> tag as documented
! 1868: in the User Specification section above. Here is that example again:
! 1869:
! 1870: aaron shanty = NOEXEC: /usr/bin/more, /usr/bin/vi
! 1871:
! 1872: This allows user B<aaron> to run F</usr/bin/more> and F</usr/bin/vi>
! 1873: with I<noexec> enabled. This will prevent those two commands from
! 1874: executing other commands (such as a shell). If you are unsure
! 1875: whether or not your system is capable of supporting I<noexec> you
! 1876: can always just try it out and check whether shell escapes work
! 1877: when I<noexec> is enabled.
! 1878:
! 1879: =back
! 1880:
! 1881: Note that restricting shell escapes is not a panacea. Programs
! 1882: running as root are still capable of many potentially hazardous
! 1883: operations (such as changing or overwriting files) that could lead
! 1884: to unintended privilege escalation. In the specific case of an
! 1885: editor, a safer approach is to give the user permission to run
! 1886: B<sudoedit>.
! 1887:
! 1888: =head1 SECURITY NOTES
! 1889:
! 1890: I<sudoers> will check the ownership of its time stamp directory
! 1891: (F<@timedir@> by default) and ignore the directory's contents if
! 1892: it is not owned by root or if it is writable by a user other than
! 1893: root. On systems that allow non-root users to give away files via
! 1894: L<chown(2)>, if the time stamp directory is located in a world-writable
! 1895: directory (e.g., F</tmp>), it is possible for a user to create the
! 1896: time stamp directory before B<sudo> is run. However, because
! 1897: I<sudoers> checks the ownership and mode of the directory and its
! 1898: contents, the only damage that can be done is to "hide" files by
! 1899: putting them in the time stamp dir. This is unlikely to happen
! 1900: since once the time stamp dir is owned by root and inaccessible by
! 1901: any other user, the user placing files there would be unable to get
! 1902: them back out.
! 1903:
! 1904: I<sudoers> will not honor time stamps set far in the future. Time
! 1905: stamps with a date greater than current_time + 2 * C<TIMEOUT> will
! 1906: be ignored and sudo will log and complain. This is done to keep a
! 1907: user from creating his/her own time stamp with a bogus date on
! 1908: systems that allow users to give away files if the time stamp directory
! 1909: is located in a world-writable directory.
! 1910:
! 1911: On systems where the boot time is available, I<sudoers> will ignore
! 1912: time stamps that date from before the machine booted.
! 1913:
! 1914: Since time stamp files live in the file system, they can outlive a
! 1915: user's login session. As a result, a user may be able to login,
! 1916: run a command with B<sudo> after authenticating, logout, login
! 1917: again, and run B<sudo> without authenticating so long as the time
! 1918: stamp file's modification time is within C<@timeout@> minutes (or
! 1919: whatever the timeout is set to in I<sudoers>). When the I<tty_tickets>
! 1920: option is enabled, the time stamp has per-tty granularity but still
! 1921: may outlive the user's session. On Linux systems where the devpts
! 1922: filesystem is used, Solaris systems with the devices filesystem,
! 1923: as well as other systems that utilize a devfs filesystem that
! 1924: monotonically increase the inode number of devices as they are
! 1925: created (such as Mac OS X), I<sudoers> is able to determine when a
! 1926: tty-based time stamp file is stale and will ignore it. Administrators
! 1927: should not rely on this feature as it is not universally available.
! 1928:
! 1929: If users have sudo C<ALL> there is nothing to prevent them from
! 1930: creating their own program that gives them a root shell (or making
! 1931: their own copy of a shell) regardless of any '!' elements in the
! 1932: user specification.
! 1933:
! 1934: =head1 SEE ALSO
! 1935:
! 1936: L<rsh(1)>, L<su(1)>, L<fnmatch(3)>, L<glob(3)>, L<mktemp(3)>, L<strftime(3)>,
! 1937: L<sudoers.ldap(5)>, L<sudo_plugin(8)>, L<sudo(8)>, L<visudo(8)>
! 1938:
! 1939: =head1 CAVEATS
! 1940:
! 1941: The I<sudoers> file should B<always> be edited by the B<visudo>
! 1942: command which locks the file and does grammatical checking. It is
! 1943: imperative that I<sudoers> be free of syntax errors since B<sudo>
! 1944: will not run with a syntactically incorrect I<sudoers> file.
! 1945:
! 1946: When using netgroups of machines (as opposed to users), if you
! 1947: store fully qualified host name in the netgroup (as is usually the
! 1948: case), you either need to have the machine's host name be fully qualified
! 1949: as returned by the C<hostname> command or use the I<fqdn> option in
! 1950: I<sudoers>.
! 1951:
! 1952: =head1 BUGS
! 1953:
! 1954: If you feel you have found a bug in B<sudo>, please submit a bug report
! 1955: at http://www.sudo.ws/sudo/bugs/
! 1956:
! 1957: =head1 SUPPORT
! 1958:
! 1959: Limited free support is available via the sudo-users mailing list,
! 1960: see http://www.sudo.ws/mailman/listinfo/sudo-users to subscribe or
! 1961: search the archives.
! 1962:
! 1963: =head1 DISCLAIMER
! 1964:
! 1965: B<sudo> is provided ``AS IS'' and any express or implied warranties,
! 1966: including, but not limited to, the implied warranties of merchantability
! 1967: and fitness for a particular purpose are disclaimed. See the LICENSE
! 1968: file distributed with B<sudo> or http://www.sudo.ws/sudo/license.html
! 1969: for complete details.
FreeBSD-CVSweb <freebsd-cvsweb@FreeBSD.org>