Annotation of embedaddon/sudo/doc/sudoers.pod, revision 1.1.1.2
1.1.1.2 ! misho 1: Copyright (c) 1994-1996, 1998-2005, 2007-2012
1.1 misho 2: Todd C. Miller <Todd.Miller@courtesan.com>
3:
4: Permission to use, copy, modify, and distribute this software for any
5: purpose with or without fee is hereby granted, provided that the above
6: copyright notice and this permission notice appear in all copies.
7:
8: THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
9: WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
10: MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
11: ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
12: WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
13: ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
14: OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
15: ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
16:
17: Sponsored in part by the Defense Advanced Research Projects
18: Agency (DARPA) and Air Force Research Laboratory, Air Force
19: Materiel Command, USAF, under agreement number F39502-99-1-0512.
20:
21: =pod
22:
23: =head1 NAME
24:
25: sudoers - default sudo security policy module
26:
27: =head1 DESCRIPTION
28:
29: The I<sudoers> policy module determines a user's B<sudo> privileges.
30: It is the default B<sudo> policy plugin. The policy is driven by
31: the F<@sysconfdir@/sudoers> file or, optionally in LDAP. The policy
32: format is described in detail in the L<"SUDOERS FILE FORMAT">
33: section. For information on storing I<sudoers> policy information
34: in LDAP, please see L<sudoers.ldap(5)>.
35:
36: =head2 Authentication and Logging
37:
38: The I<sudoers> security policy requires that most users authenticate
39: themselves before they can use B<sudo>. A password is not required
40: if the invoking user is root, if the target user is the same as the
41: invoking user, or if the policy has disabled authentication for the
42: user or command. Unlike L<su(1)>, when I<sudoers> requires
43: authentication, it validates the invoking user's credentials, not
44: the target user's (or root's) credentials. This can be changed via
45: the I<rootpw>, I<targetpw> and I<runaspw> flags, described later.
46:
47: If a user who is not listed in the policy tries to run a command
48: via B<sudo>, mail is sent to the proper authorities. The address
49: used for such mail is configurable via the I<mailto> Defaults entry
50: (described later) and defaults to C<@mailto@>.
51:
52: Note that mail will not be sent if an unauthorized user tries to
53: run B<sudo> with the B<-l> or B<-v> option. This allows users to
54: determine for themselves whether or not they are allowed to use
55: B<sudo>.
56:
57: If B<sudo> is run by root and the C<SUDO_USER> environment variable
58: is set, the I<sudoers> policy will use this value to determine who
59: the actual user is. This can be used by a user to log commands
60: through sudo even when a root shell has been invoked. It also
61: allows the B<-e> option to remain useful even when invoked via a
62: sudo-run script or program. Note, however, that the I<sudoers>
63: lookup is still done for root, not the user specified by C<SUDO_USER>.
64:
65: I<sudoers> uses time stamp files for credential caching. Once a
66: user has been authenticated, a time stamp is updated and the user
67: may then use sudo without a password for a short period of time
68: (C<@timeout@> minutes unless overridden by the I<timeout> option.
69: By default, I<sudoers> uses a tty-based time stamp which means that
70: there is a separate time stamp for each of a user's login sessions.
71: The I<tty_tickets> option can be disabled to force the use of a
72: single time stamp for all of a user's sessions.
73:
74: I<sudoers> can log both successful and unsuccessful attempts (as well
75: as errors) to syslog(3), a log file, or both. By default, I<sudoers>
76: will log via syslog(3) but this is changeable via the I<syslog>
77: and I<logfile> Defaults settings.
78:
79: I<sudoers> also supports logging a command's input and output
80: streams. I/O logging is not on by default but can be enabled using
81: the I<log_input> and I<log_output> Defaults flags as well as the
82: C<LOG_INPUT> and C<LOG_OUTPUT> command tags.
83:
84: =head2 Command Environment
85:
86: Since environment variables can influence program behavior, I<sudoers>
87: provides a means to restrict which variables from the user's
88: environment are inherited by the command to be run. There are two
89: distinct ways I<sudoers> can deal with environment variables.
90:
91: By default, the I<env_reset> option is enabled. This causes commands
1.1.1.2 ! misho 92: to be executed with a new, minimal environment. On AIX (and Linux
! 93: systems without PAM), the environment is initialized with the
! 94: contents of the F</etc/environment> file. On BSD systems, if the
! 95: I<use_loginclass> option is enabled, the environment is initialized
! 96: based on the I<path> and I<setenv> settings in F</etc/login.conf>.
! 97: The new environment contains the C<TERM>, C<PATH>, C<HOME>, C<MAIL>,
! 98: C<SHELL>, C<LOGNAME>, C<USER>, C<USERNAME> and C<SUDO_*> variables
! 99: in addition to variables from the invoking process permitted by the
1.1 misho 100: I<env_check> and I<env_keep> options. This is effectively a whitelist
101: for environment variables.
102:
103: If, however, the I<env_reset> option is disabled, any variables not
104: explicitly denied by the I<env_check> and I<env_delete> options are
105: inherited from the invoking process. In this case, I<env_check>
106: and I<env_delete> behave like a blacklist. Since it is not possible
107: to blacklist all potentially dangerous environment variables, use
108: of the default I<env_reset> behavior is encouraged.
109:
110: In all cases, environment variables with a value beginning with
111: C<()> are removed as they could be interpreted as B<bash> functions.
112: The list of environment variables that B<sudo> allows or denies is
113: contained in the output of C<sudo -V> when run as root.
114:
115: Note that the dynamic linker on most operating systems will remove
116: variables that can control dynamic linking from the environment of
117: setuid executables, including B<sudo>. Depending on the operating
118: system this may include C<_RLD*>, C<DYLD_*>, C<LD_*>, C<LDR_*>,
119: C<LIBPATH>, C<SHLIB_PATH>, and others. These type of variables are
120: removed from the environment before B<sudo> even begins execution
121: and, as such, it is not possible for B<sudo> to preserve them.
122:
123: As a special case, if B<sudo>'s B<-i> option (initial login) is
124: specified, I<sudoers> will initialize the environment regardless
125: of the value of I<env_reset>. The I<DISPLAY>, I<PATH> and I<TERM>
126: variables remain unchanged; I<HOME>, I<MAIL>, I<SHELL>, I<USER>,
1.1.1.2 ! misho 127: and I<LOGNAME> are set based on the target user. On AIX (and Linux
! 128: systems without PAM), the contents of F</etc/environment> are also
! 129: included. On BSD systems, if the I<use_loginclass> option is
! 130: enabled, the I<path> and I<setenv> variables in F</etc/login.conf>
! 131: are also applied. All other environment variables are removed.
! 132:
! 133: Finally, if the I<env_file> option is defined, any variables present
! 134: in that file will be set to their specified values as long as they
! 135: would not conflict with an existing environment variable.
1.1 misho 136:
137: =head1 SUDOERS FILE FORMAT
138:
139: The I<sudoers> file is composed of two types of entries: aliases
140: (basically variables) and user specifications (which specify who
141: may run what).
142:
143: When multiple entries match for a user, they are applied in order.
144: Where there are multiple matches, the last match is used (which is
145: not necessarily the most specific match).
146:
147: The I<sudoers> grammar will be described below in Extended Backus-Naur
148: Form (EBNF). Don't despair if you don't know what EBNF is; it is
149: fairly simple, and the definitions below are annotated.
150:
151: =head2 Quick guide to EBNF
152:
153: EBNF is a concise and exact way of describing the grammar of a language.
154: Each EBNF definition is made up of I<production rules>. E.g.,
155:
156: symbol ::= definition | alternate1 | alternate2 ...
157:
158: Each I<production rule> references others and thus makes up a
159: grammar for the language. EBNF also contains the following
160: operators, which many readers will recognize from regular
161: expressions. Do not, however, confuse them with "wildcard"
162: characters, which have different meanings.
163:
164: =over 4
165:
166: =item C<?>
167:
168: Means that the preceding symbol (or group of symbols) is optional.
169: That is, it may appear once or not at all.
170:
171: =item C<*>
172:
173: Means that the preceding symbol (or group of symbols) may appear
174: zero or more times.
175:
176: =item C<+>
177:
178: Means that the preceding symbol (or group of symbols) may appear
179: one or more times.
180:
181: =back
182:
183: Parentheses may be used to group symbols together. For clarity,
184: we will use single quotes ('') to designate what is a verbatim character
185: string (as opposed to a symbol name).
186:
187: =head2 Aliases
188:
189: There are four kinds of aliases: C<User_Alias>, C<Runas_Alias>,
190: C<Host_Alias> and C<Cmnd_Alias>.
191:
192: Alias ::= 'User_Alias' User_Alias (':' User_Alias)* |
193: 'Runas_Alias' Runas_Alias (':' Runas_Alias)* |
194: 'Host_Alias' Host_Alias (':' Host_Alias)* |
195: 'Cmnd_Alias' Cmnd_Alias (':' Cmnd_Alias)*
196:
197: User_Alias ::= NAME '=' User_List
198:
199: Runas_Alias ::= NAME '=' Runas_List
200:
201: Host_Alias ::= NAME '=' Host_List
202:
203: Cmnd_Alias ::= NAME '=' Cmnd_List
204:
205: NAME ::= [A-Z]([A-Z][0-9]_)*
206:
207: Each I<alias> definition is of the form
208:
209: Alias_Type NAME = item1, item2, ...
210:
211: where I<Alias_Type> is one of C<User_Alias>, C<Runas_Alias>, C<Host_Alias>,
212: or C<Cmnd_Alias>. A C<NAME> is a string of uppercase letters, numbers,
213: and underscore characters ('_'). A C<NAME> B<must> start with an
214: uppercase letter. It is possible to put several alias definitions
215: of the same type on a single line, joined by a colon (':'). E.g.,
216:
217: Alias_Type NAME = item1, item2, item3 : NAME = item4, item5
218:
219: The definitions of what constitutes a valid I<alias> member follow.
220:
221: User_List ::= User |
222: User ',' User_List
223:
224: User ::= '!'* user name |
225: '!'* #uid |
226: '!'* %group |
227: '!'* %#gid |
228: '!'* +netgroup |
229: '!'* %:nonunix_group |
230: '!'* %:#nonunix_gid |
231: '!'* User_Alias
232:
233: A C<User_List> is made up of one or more user names, user ids
234: (prefixed with '#'), system group names and ids (prefixed with '%'
235: and '%#' respectively), netgroups (prefixed with '+'), non-Unix
236: group names and IDs (prefixed with '%:' and '%:#' respectively) and
237: C<User_Alias>es. Each list item may be prefixed with zero or more
238: '!' operators. An odd number of '!' operators negate the value of
239: the item; an even number just cancel each other out.
240:
241: A C<user name>, C<uid>, C<group>, C<gid>, C<netgroup>, C<nonunix_group>
242: or C<nonunix_gid> may be enclosed in double quotes to avoid the
243: need for escaping special characters. Alternately, special characters
244: may be specified in escaped hex mode, e.g. \x20 for space. When
245: using double quotes, any prefix characters must be included inside
246: the quotes.
247:
248: The actual C<nonunix_group> and C<nonunix_gid> syntax depends on
249: the underlying group provider plugin (see the I<group_plugin>
250: description below). For instance, the QAS AD plugin supports the
251: following formats:
252:
253: =over 4
254:
255: =item *
256:
257: Group in the same domain: "Group Name"
258:
259: =item *
260:
261: Group in any domain: "Group Name@FULLY.QUALIFIED.DOMAIN"
262:
263: =item *
264:
265: Group SID: "S-1-2-34-5678901234-5678901234-5678901234-567"
266:
267: =back
268:
269: Note that quotes around group names are optional. Unquoted strings
270: must use a backslash (\) to escape spaces and special characters.
271: See L<"Other special characters and reserved words"> for a list of
272: characters that need to be escaped.
273:
274: Runas_List ::= Runas_Member |
275: Runas_Member ',' Runas_List
276:
277: Runas_Member ::= '!'* user name |
278: '!'* #uid |
279: '!'* %group |
280: '!'* %#gid |
281: '!'* %:nonunix_group |
282: '!'* %:#nonunix_gid |
283: '!'* +netgroup |
284: '!'* Runas_Alias
285:
286: A C<Runas_List> is similar to a C<User_List> except that instead
287: of C<User_Alias>es it can contain C<Runas_Alias>es. Note that
288: user names and groups are matched as strings. In other words, two
289: users (groups) with the same uid (gid) are considered to be distinct.
290: If you wish to match all user names with the same uid (e.g.E<nbsp>root
291: and toor), you can use a uid instead (#0 in the example given).
292:
293: Host_List ::= Host |
294: Host ',' Host_List
295:
296: Host ::= '!'* host name |
297: '!'* ip_addr |
298: '!'* network(/netmask)? |
299: '!'* +netgroup |
300: '!'* Host_Alias
301:
302: A C<Host_List> is made up of one or more host names, IP addresses,
303: network numbers, netgroups (prefixed with '+') and other aliases.
304: Again, the value of an item may be negated with the '!' operator.
305: If you do not specify a netmask along with the network number,
306: B<sudo> will query each of the local host's network interfaces and,
307: if the network number corresponds to one of the hosts's network
308: interfaces, the corresponding netmask will be used. The netmask
309: may be specified either in standard IP address notation
310: (e.g.E<nbsp>255.255.255.0 or ffff:ffff:ffff:ffff::),
311: or CIDR notation (number of bits, e.g.E<nbsp>24 or 64). A host name may
312: include shell-style wildcards (see the L<Wildcards> section below),
313: but unless the C<host name> command on your machine returns the fully
314: qualified host name, you'll need to use the I<fqdn> option for
315: wildcards to be useful. Note B<sudo> only inspects actual network
316: interfaces; this means that IP address 127.0.0.1 (localhost) will
317: never match. Also, the host name "localhost" will only match if
318: that is the actual host name, which is usually only the case for
319: non-networked systems.
320:
321: Cmnd_List ::= Cmnd |
322: Cmnd ',' Cmnd_List
323:
324: commandname ::= file name |
325: file name args |
326: file name '""'
327:
328: Cmnd ::= '!'* commandname |
329: '!'* directory |
330: '!'* "sudoedit" |
331: '!'* Cmnd_Alias
332:
333: A C<Cmnd_List> is a list of one or more commandnames, directories, and other
334: aliases. A commandname is a fully qualified file name which may include
335: shell-style wildcards (see the L<Wildcards> section below). A simple
336: file name allows the user to run the command with any arguments he/she
337: wishes. However, you may also specify command line arguments (including
338: wildcards). Alternately, you can specify C<""> to indicate that the command
339: may only be run B<without> command line arguments. A directory is a
340: fully qualified path name ending in a '/'. When you specify a directory
341: in a C<Cmnd_List>, the user will be able to run any file within that directory
342: (but not in any subdirectories therein).
343:
344: If a C<Cmnd> has associated command line arguments, then the arguments
345: in the C<Cmnd> must match exactly those given by the user on the command line
346: (or match the wildcards if there are any). Note that the following
347: characters must be escaped with a '\' if they are used in command
348: arguments: ',', ':', '=', '\'. The special command C<"sudoedit">
349: is used to permit a user to run B<sudo> with the B<-e> option (or
350: as B<sudoedit>). It may take command line arguments just as
351: a normal command does.
352:
353: =head2 Defaults
354:
355: Certain configuration options may be changed from their default
356: values at runtime via one or more C<Default_Entry> lines. These
357: may affect all users on any host, all users on a specific host, a
358: specific user, a specific command, or commands being run as a specific user.
359: Note that per-command entries may not include command line arguments.
360: If you need to specify arguments, define a C<Cmnd_Alias> and reference
361: that instead.
362:
363: Default_Type ::= 'Defaults' |
364: 'Defaults' '@' Host_List |
365: 'Defaults' ':' User_List |
366: 'Defaults' '!' Cmnd_List |
367: 'Defaults' '>' Runas_List
368:
369: Default_Entry ::= Default_Type Parameter_List
370:
371: Parameter_List ::= Parameter |
372: Parameter ',' Parameter_List
373:
374: Parameter ::= Parameter '=' Value |
375: Parameter '+=' Value |
376: Parameter '-=' Value |
377: '!'* Parameter
378:
379: Parameters may be B<flags>, B<integer> values, B<strings>, or B<lists>.
380: Flags are implicitly boolean and can be turned off via the '!'
381: operator. Some integer, string and list parameters may also be
382: used in a boolean context to disable them. Values may be enclosed
383: in double quotes (C<">) when they contain multiple words. Special
384: characters may be escaped with a backslash (C<\>).
385:
386: Lists have two additional assignment operators, C<+=> and C<-=>.
387: These operators are used to add to and delete from a list respectively.
388: It is not an error to use the C<-=> operator to remove an element
389: that does not exist in a list.
390:
391: Defaults entries are parsed in the following order: generic, host
392: and user Defaults first, then runas Defaults and finally command
393: defaults.
394:
395: See L<"SUDOERS OPTIONS"> for a list of supported Defaults parameters.
396:
397: =head2 User Specification
398:
399: User_Spec ::= User_List Host_List '=' Cmnd_Spec_List \
400: (':' Host_List '=' Cmnd_Spec_List)*
401:
402: Cmnd_Spec_List ::= Cmnd_Spec |
403: Cmnd_Spec ',' Cmnd_Spec_List
404:
405: Cmnd_Spec ::= Runas_Spec? SELinux_Spec? Tag_Spec* Cmnd
406:
407: Runas_Spec ::= '(' Runas_List? (':' Runas_List)? ')'
408:
409: SELinux_Spec ::= ('ROLE=role' | 'TYPE=type')
410:
411: Tag_Spec ::= ('NOPASSWD:' | 'PASSWD:' | 'NOEXEC:' | 'EXEC:' |
412: 'SETENV:' | 'NOSETENV:' | 'LOG_INPUT:' | 'NOLOG_INPUT:' |
413: 'LOG_OUTPUT:' | 'NOLOG_OUTPUT:')
414:
415: A B<user specification> determines which commands a user may run
416: (and as what user) on specified hosts. By default, commands are
417: run as B<root>, but this can be changed on a per-command basis.
418:
419: The basic structure of a user specification is `who where = (as_whom)
420: what'. Let's break that down into its constituent parts:
421:
422: =head2 Runas_Spec
423:
424: A C<Runas_Spec> determines the user and/or the group that a command
425: may be run as. A fully-specified C<Runas_Spec> consists of two
426: C<Runas_List>s (as defined above) separated by a colon (':') and
427: enclosed in a set of parentheses. The first C<Runas_List> indicates
428: which users the command may be run as via B<sudo>'s B<-u> option.
429: The second defines a list of groups that can be specified via
430: B<sudo>'s B<-g> option. If both C<Runas_List>s are specified, the
431: command may be run with any combination of users and groups listed
432: in their respective C<Runas_List>s. If only the first is specified,
433: the command may be run as any user in the list but no B<-g> option
434: may be specified. If the first C<Runas_List> is empty but the
435: second is specified, the command may be run as the invoking user
436: with the group set to any listed in the C<Runas_List>. If no
437: C<Runas_Spec> is specified the command may be run as B<root> and
438: no group may be specified.
439:
440: A C<Runas_Spec> sets the default for the commands that follow it.
441: What this means is that for the entry:
442:
443: dgb boulder = (operator) /bin/ls, /bin/kill, /usr/bin/lprm
444:
445: The user B<dgb> may run F</bin/ls>, F</bin/kill>, and
446: F</usr/bin/lprm> -- but only as B<operator>. E.g.,
447:
448: $ sudo -u operator /bin/ls
449:
450: It is also possible to override a C<Runas_Spec> later on in an
451: entry. If we modify the entry like so:
452:
453: dgb boulder = (operator) /bin/ls, (root) /bin/kill, /usr/bin/lprm
454:
455: Then user B<dgb> is now allowed to run F</bin/ls> as B<operator>,
456: but F</bin/kill> and F</usr/bin/lprm> as B<root>.
457:
458: We can extend this to allow B<dgb> to run C</bin/ls> with either
459: the user or group set to B<operator>:
460:
461: dgb boulder = (operator : operator) /bin/ls, (root) /bin/kill, \
462: /usr/bin/lprm
463:
464: Note that while the group portion of the C<Runas_Spec> permits the
465: user to run as command with that group, it does not force the user
466: to do so. If no group is specified on the command line, the command
467: will run with the group listed in the target user's password database
468: entry. The following would all be permitted by the sudoers entry above:
469:
470: $ sudo -u operator /bin/ls
471: $ sudo -u operator -g operator /bin/ls
472: $ sudo -g operator /bin/ls
473:
474: In the following example, user B<tcm> may run commands that access
475: a modem device file with the dialer group.
476:
477: tcm boulder = (:dialer) /usr/bin/tip, /usr/bin/cu, \
478: /usr/local/bin/minicom
479:
480: Note that in this example only the group will be set, the command
481: still runs as user B<tcm>. E.g.
482:
483: $ sudo -g dialer /usr/bin/cu
484:
485: Multiple users and groups may be present in a C<Runas_Spec>, in
486: which case the user may select any combination of users and groups
487: via the B<-u> and B<-g> options. In this example:
488:
489: alan ALL = (root, bin : operator, system) ALL
490:
491: user B<alan> may run any command as either user root or bin,
492: optionally setting the group to operator or system.
493:
494: =head2 SELinux_Spec
495:
496: On systems with SELinux support, I<sudoers> entries may optionally have
497: an SELinux role and/or type associated with a command. If a role or
498: type is specified with the command it will override any default values
499: specified in I<sudoers>. A role or type specified on the command line,
500: however, will supercede the values in I<sudoers>.
501:
502: =head2 Tag_Spec
503:
504: A command may have zero or more tags associated with it. There are
505: eight possible tag values, C<NOPASSWD>, C<PASSWD>, C<NOEXEC>,
506: C<EXEC>, C<SETENV>, C<NOSETENV>, C<LOG_INPUT>, C<NOLOG_INPUT>,
507: C<LOG_OUTPUT> and C<NOLOG_OUTPUT>. Once a tag is set on a C<Cmnd>,
508: subsequent C<Cmnd>s in the C<Cmnd_Spec_List>, inherit the tag unless
509: it is overridden by the opposite tag (i.e.: C<PASSWD> overrides
510: C<NOPASSWD> and C<NOEXEC> overrides C<EXEC>).
511:
512: =head3 NOPASSWD and PASSWD
513:
514: By default, B<sudo> requires that a user authenticate him or herself
515: before running a command. This behavior can be modified via the
516: C<NOPASSWD> tag. Like a C<Runas_Spec>, the C<NOPASSWD> tag sets
517: a default for the commands that follow it in the C<Cmnd_Spec_List>.
518: Conversely, the C<PASSWD> tag can be used to reverse things.
519: For example:
520:
521: ray rushmore = NOPASSWD: /bin/kill, /bin/ls, /usr/bin/lprm
522:
523: would allow the user B<ray> to run F</bin/kill>, F</bin/ls>, and
524: F</usr/bin/lprm> as B<root> on the machine rushmore without
525: authenticating himself. If we only want B<ray> to be able to
526: run F</bin/kill> without a password the entry would be:
527:
528: ray rushmore = NOPASSWD: /bin/kill, PASSWD: /bin/ls, /usr/bin/lprm
529:
530: Note, however, that the C<PASSWD> tag has no effect on users who are
531: in the group specified by the I<exempt_group> option.
532:
533: By default, if the C<NOPASSWD> tag is applied to any of the entries
534: for a user on the current host, he or she will be able to run
535: C<sudo -l> without a password. Additionally, a user may only run
536: C<sudo -v> without a password if the C<NOPASSWD> tag is present
537: for all a user's entries that pertain to the current host.
538: This behavior may be overridden via the verifypw and listpw options.
539:
540: =head3 NOEXEC and EXEC
541:
542: If B<sudo> has been compiled with I<noexec> support and the underlying
543: operating system supports it, the C<NOEXEC> tag can be used to prevent
544: a dynamically-linked executable from running further commands itself.
545:
546: In the following example, user B<aaron> may run F</usr/bin/more>
547: and F</usr/bin/vi> but shell escapes will be disabled.
548:
549: aaron shanty = NOEXEC: /usr/bin/more, /usr/bin/vi
550:
1.1.1.2 ! misho 551: See the L<Preventing Shell Escapes> section below for more details
1.1 misho 552: on how C<NOEXEC> works and whether or not it will work on your system.
553:
554: =head3 SETENV and NOSETENV
555:
556: These tags override the value of the I<setenv> option on a per-command
557: basis. Note that if C<SETENV> has been set for a command, the user
558: may disable the I<env_reset> option from the command line via the
559: B<-E> option. Additionally, environment variables set on the command
560: line are not subject to the restrictions imposed by I<env_check>,
561: I<env_delete>, or I<env_keep>. As such, only trusted users should
562: be allowed to set variables in this manner. If the command matched
563: is B<ALL>, the C<SETENV> tag is implied for that command; this
564: default may be overridden by use of the C<NOSETENV> tag.
565:
566: =head3 LOG_INPUT and NOLOG_INPUT
567:
568: These tags override the value of the I<log_input> option on a
569: per-command basis. For more information, see the description of
570: I<log_input> in the L<"SUDOERS OPTIONS"> section below.
571:
572: =head3 LOG_OUTPUT and NOLOG_OUTPUT
573:
574: These tags override the value of the I<log_output> option on a
575: per-command basis. For more information, see the description of
576: I<log_output> in the L<"SUDOERS OPTIONS"> section below.
577:
578: =head2 Wildcards
579:
580: B<sudo> allows shell-style I<wildcards> (aka meta or glob characters)
581: to be used in host names, path names and command line arguments in
582: the I<sudoers> file. Wildcard matching is done via the B<POSIX>
583: L<glob(3)> and L<fnmatch(3)> routines. Note that these are I<not>
584: regular expressions.
585:
586: =over 8
587:
588: =item C<*>
589:
590: Matches any set of zero or more characters.
591:
592: =item C<?>
593:
594: Matches any single character.
595:
596: =item C<[...]>
597:
598: Matches any character in the specified range.
599:
600: =item C<[!...]>
601:
602: Matches any character B<not> in the specified range.
603:
604: =item C<\x>
605:
606: For any character "x", evaluates to "x". This is used to
607: escape special characters such as: "*", "?", "[", and "}".
608:
609: =back
610:
611: POSIX character classes may also be used if your system's L<glob(3)>
612: and L<fnmatch(3)> functions support them. However, because the
613: C<':'> character has special meaning in I<sudoers>, it must be
614: escaped. For example:
615:
616: /bin/ls [[\:alpha\:]]*
617:
618: Would match any file name beginning with a letter.
619:
620: Note that a forward slash ('/') will B<not> be matched by
621: wildcards used in the path name. When matching the command
622: line arguments, however, a slash B<does> get matched by
623: wildcards. This is to make a path like:
624:
625: /usr/bin/*
626:
627: match F</usr/bin/who> but not F</usr/bin/X11/xterm>.
628:
629: =head2 Exceptions to wildcard rules
630:
631: The following exceptions apply to the above rules:
632:
633: =over 8
634:
635: =item C<"">
636:
637: If the empty string C<""> is the only command line argument in the
638: I<sudoers> entry it means that command is not allowed to be run
639: with B<any> arguments.
640:
641: =back
642:
643: =head2 Including other files from within sudoers
644:
645: It is possible to include other I<sudoers> files from within the
646: I<sudoers> file currently being parsed using the C<#include> and
647: C<#includedir> directives.
648:
649: This can be used, for example, to keep a site-wide I<sudoers> file
650: in addition to a local, per-machine file. For the sake of this
651: example the site-wide I<sudoers> will be F</etc/sudoers> and the
652: per-machine one will be F</etc/sudoers.local>. To include
653: F</etc/sudoers.local> from within F</etc/sudoers> we would use the
654: following line in F</etc/sudoers>:
655:
656: =over 4
657:
658: C<#include /etc/sudoers.local>
659:
660: =back
661:
662: When B<sudo> reaches this line it will suspend processing of the
663: current file (F</etc/sudoers>) and switch to F</etc/sudoers.local>.
664: Upon reaching the end of F</etc/sudoers.local>, the rest of
665: F</etc/sudoers> will be processed. Files that are included may
666: themselves include other files. A hard limit of 128 nested include
667: files is enforced to prevent include file loops.
668:
1.1.1.2 ! misho 669: If the path to the include file is not fully-qualified (does not
! 670: begin with a F</>), it must be located in the same directory as the
! 671: sudoers file it was included from. For example, if F</etc/sudoers>
! 672: contains the line:
! 673:
! 674: =over 4
! 675:
! 676: C<#include sudoers.local>
! 677:
! 678: =back
! 679:
! 680: the file that will be included is F</etc/sudoers.local>.
! 681:
! 682: The file name may also include the C<%h> escape, signifying the short form
1.1 misho 683: of the host name. I.e., if the machine's host name is "xerxes", then
684:
685: C<#include /etc/sudoers.%h>
686:
687: will cause B<sudo> to include the file F</etc/sudoers.xerxes>.
688:
689: The C<#includedir> directive can be used to create a F<sudo.d>
690: directory that the system package manager can drop I<sudoers> rules
691: into as part of package installation. For example, given:
692:
693: C<#includedir /etc/sudoers.d>
694:
695: B<sudo> will read each file in F</etc/sudoers.d>, skipping file
696: names that end in C<~> or contain a C<.> character to avoid causing
697: problems with package manager or editor temporary/backup files.
698: Files are parsed in sorted lexical order. That is,
699: F</etc/sudoers.d/01_first> will be parsed before
700: F</etc/sudoers.d/10_second>. Be aware that because the sorting is
701: lexical, not numeric, F</etc/sudoers.d/1_whoops> would be loaded
702: B<after> F</etc/sudoers.d/10_second>. Using a consistent number
703: of leading zeroes in the file names can be used to avoid such
704: problems.
705:
706: Note that unlike files included via C<#include>, B<visudo> will not
707: edit the files in a C<#includedir> directory unless one of them
708: contains a syntax error. It is still possible to run B<visudo>
709: with the C<-f> flag to edit the files directly.
710:
711: =head2 Other special characters and reserved words
712:
713: The pound sign ('#') is used to indicate a comment (unless it is
714: part of a #include directive or unless it occurs in the context of
715: a user name and is followed by one or more digits, in which case
716: it is treated as a uid). Both the comment character and any text
717: after it, up to the end of the line, are ignored.
718:
719: The reserved word B<ALL> is a built-in I<alias> that always causes
720: a match to succeed. It can be used wherever one might otherwise
721: use a C<Cmnd_Alias>, C<User_Alias>, C<Runas_Alias>, or C<Host_Alias>.
722: You should not try to define your own I<alias> called B<ALL> as the
723: built-in alias will be used in preference to your own. Please note
724: that using B<ALL> can be dangerous since in a command context, it
725: allows the user to run B<any> command on the system.
726:
727: An exclamation point ('!') can be used as a logical I<not> operator
728: both in an I<alias> and in front of a C<Cmnd>. This allows one to
729: exclude certain values. Note, however, that using a C<!> in
730: conjunction with the built-in C<ALL> alias to allow a user to
731: run "all but a few" commands rarely works as intended (see SECURITY
732: NOTES below).
733:
734: Long lines can be continued with a backslash ('\') as the last
735: character on the line.
736:
737: Whitespace between elements in a list as well as special syntactic
738: characters in a I<User Specification> ('=', ':', '(', ')') is optional.
739:
740: The following characters must be escaped with a backslash ('\') when
741: used as part of a word (e.g.E<nbsp>a user name or host name):
742: '!', '=', ':', ',', '(', ')', '\'.
743:
744: =head1 SUDOERS OPTIONS
745:
746: B<sudo>'s behavior can be modified by C<Default_Entry> lines, as
747: explained earlier. A list of all supported Defaults parameters,
748: grouped by type, are listed below.
749:
750: B<Boolean Flags>:
751:
752: =over 16
753:
754: =item always_set_home
755:
756: If enabled, B<sudo> will set the C<HOME> environment variable to the
757: home directory of the target user (which is root unless the B<-u>
758: option is used). This effectively means that the B<-H> option is
759: always implied. Note that C<HOME> is already set when the the
760: I<env_reset> option is enabled, so I<always_set_home> is only
761: effective for configurations where either I<env_reset> is disabled
762: or C<HOME> is present in the I<env_keep> list.
763: This flag is I<off> by default.
764:
765: =item authenticate
766:
767: If set, users must authenticate themselves via a password (or other
768: means of authentication) before they may run commands. This default
769: may be overridden via the C<PASSWD> and C<NOPASSWD> tags.
770: This flag is I<on> by default.
771:
772: =item closefrom_override
773:
774: If set, the user may use B<sudo>'s B<-C> option which
775: overrides the default starting point at which B<sudo> begins
776: closing open file descriptors. This flag is I<off> by default.
777:
778: =item compress_io
779:
780: If set, and B<sudo> is configured to log a command's input or output,
781: the I/O logs will be compressed using B<zlib>. This flag is I<on>
782: by default when B<sudo> is compiled with B<zlib> support.
783:
784: =item env_editor
785:
786: If set, B<visudo> will use the value of the EDITOR or VISUAL
787: environment variables before falling back on the default editor list.
788: Note that this may create a security hole as it allows the user to
789: run any arbitrary command as root without logging. A safer alternative
790: is to place a colon-separated list of editors in the C<editor>
791: variable. B<visudo> will then only use the EDITOR or VISUAL if
792: they match a value specified in C<editor>. This flag is I<@env_editor@> by
793: default.
794:
795: =item env_reset
796:
1.1.1.2 ! misho 797: If set, B<sudo> will run the command in a minimal environment
! 798: containing the C<TERM>, C<PATH>, C<HOME>, C<MAIL>, C<SHELL>,
! 799: C<LOGNAME>, C<USER>, C<USERNAME> and C<SUDO_*> variables. Any
1.1 misho 800: variables in the caller's environment that match the C<env_keep>
1.1.1.2 ! misho 801: and C<env_check> lists are then added, followed by any variables
! 802: present in the file specified by the I<env_file> option (if any).
! 803: The default contents of the C<env_keep> and C<env_check> lists are
! 804: displayed when B<sudo> is run by root with the I<-V> option. If
! 805: the I<secure_path> option is set, its value will be used for the
! 806: C<PATH> environment variable. This flag is I<@env_reset@> by
! 807: default.
1.1 misho 808:
809: =item fast_glob
810:
811: Normally, B<sudo> uses the L<glob(3)> function to do shell-style
812: globbing when matching path names. However, since it accesses the
813: file system, L<glob(3)> can take a long time to complete for some
814: patterns, especially when the pattern references a network file
815: system that is mounted on demand (automounted). The I<fast_glob>
816: option causes B<sudo> to use the L<fnmatch(3)> function, which does
817: not access the file system to do its matching. The disadvantage
818: of I<fast_glob> is that it is unable to match relative path names
819: such as F<./ls> or F<../bin/ls>. This has security implications
820: when path names that include globbing characters are used with the
821: negation operator, C<'!'>, as such rules can be trivially bypassed.
822: As such, this option should not be used when I<sudoers> contains rules
823: that contain negated path names which include globbing characters.
824: This flag is I<off> by default.
825:
826: =item fqdn
827:
828: Set this flag if you want to put fully qualified host names in the
829: I<sudoers> file. I.e., instead of myhost you would use myhost.mydomain.edu.
830: You may still use the short form if you wish (and even mix the two).
831: Beware that turning on I<fqdn> requires B<sudo> to make DNS lookups
832: which may make B<sudo> unusable if DNS stops working (for example
833: if the machine is not plugged into the network). Also note that
834: you must use the host's official name as DNS knows it. That is,
835: you may not use a host alias (C<CNAME> entry) due to performance
836: issues and the fact that there is no way to get all aliases from
837: DNS. If your machine's host name (as returned by the C<hostname>
838: command) is already fully qualified you shouldn't need to set
839: I<fqdn>. This flag is I<@fqdn@> by default.
840:
841: =item ignore_dot
842:
843: If set, B<sudo> will ignore '.' or '' (current dir) in the C<PATH>
844: environment variable; the C<PATH> itself is not modified. This
845: flag is I<@ignore_dot@> by default.
846:
847: =item ignore_local_sudoers
848:
849: If set via LDAP, parsing of F<@sysconfdir@/sudoers> will be skipped.
850: This is intended for Enterprises that wish to prevent the usage of local
851: sudoers files so that only LDAP is used. This thwarts the efforts of
852: rogue operators who would attempt to add roles to F<@sysconfdir@/sudoers>.
853: When this option is present, F<@sysconfdir@/sudoers> does not even need to
854: exist. Since this option tells B<sudo> how to behave when no specific LDAP
855: entries have been matched, this sudoOption is only meaningful for the
856: C<cn=defaults> section. This flag is I<off> by default.
857:
858: =item insults
859:
860: If set, B<sudo> will insult users when they enter an incorrect
861: password. This flag is I<@insults@> by default.
862:
863: =item log_host
864:
865: If set, the host name will be logged in the (non-syslog) B<sudo> log file.
866: This flag is I<off> by default.
867:
868: =item log_input
869:
870: If set, B<sudo> will run the command in a I<pseudo tty> and log all
871: user input.
872: If the standard input is not connected to the user's tty, due to
873: I/O redirection or because the command is part of a pipeline, that
874: input is also captured and stored in a separate log file.
875:
876: Input is logged to the directory specified by the I<iolog_dir>
877: option (F<@iolog_dir@> by default) using a unique session ID that
878: is included in the normal B<sudo> log line, prefixed with I<TSID=>.
879: The I<iolog_file> option may be used to control the format of the
880: session ID.
881:
882: Note that user input may contain sensitive information such as
883: passwords (even if they are not echoed to the screen), which will
884: be stored in the log file unencrypted. In most cases, logging the
885: command output via I<log_output> is all that is required.
886:
887: =item log_output
888:
889: If set, B<sudo> will run the command in a I<pseudo tty> and log all
890: output that is sent to the screen, similar to the script(1) command.
891: If the standard output or standard error is not connected to the
892: user's tty, due to I/O redirection or because the command is part
893: of a pipeline, that output is also captured and stored in separate
894: log files.
895:
896: Output is logged to the directory specified by the I<iolog_dir>
897: option (F<@iolog_dir@> by default) using a unique session ID that
898: is included in the normal B<sudo> log line, prefixed with I<TSID=>.
899: The I<iolog_file> option may be used to control the format of the
900: session ID.
901:
902: Output logs may be viewed with the L<sudoreplay(8)> utility, which
903: can also be used to list or search the available logs.
904:
905: =item log_year
906:
907: If set, the four-digit year will be logged in the (non-syslog) B<sudo> log file.
908: This flag is I<off> by default.
909:
910: =item long_otp_prompt
911:
912: When validating with a One Time Password (OTP) scheme such as
913: B<S/Key> or B<OPIE>, a two-line prompt is used to make it easier
914: to cut and paste the challenge to a local window. It's not as
915: pretty as the default but some people find it more convenient. This
916: flag is I<@long_otp_prompt@> by default.
917:
918: =item mail_always
919:
920: Send mail to the I<mailto> user every time a users runs B<sudo>.
921: This flag is I<off> by default.
922:
923: =item mail_badpass
924:
925: Send mail to the I<mailto> user if the user running B<sudo> does not
926: enter the correct password. This flag is I<off> by default.
927:
928: =item mail_no_host
929:
930: If set, mail will be sent to the I<mailto> user if the invoking
931: user exists in the I<sudoers> file, but is not allowed to run
932: commands on the current host. This flag is I<@mail_no_host@> by default.
933:
934: =item mail_no_perms
935:
936: If set, mail will be sent to the I<mailto> user if the invoking
937: user is allowed to use B<sudo> but the command they are trying is not
938: listed in their I<sudoers> file entry or is explicitly denied.
939: This flag is I<@mail_no_perms@> by default.
940:
941: =item mail_no_user
942:
943: If set, mail will be sent to the I<mailto> user if the invoking
944: user is not in the I<sudoers> file. This flag is I<@mail_no_user@>
945: by default.
946:
947: =item noexec
948:
949: If set, all commands run via B<sudo> will behave as if the C<NOEXEC>
950: tag has been set, unless overridden by a C<EXEC> tag. See the
1.1.1.2 ! misho 951: description of I<NOEXEC and EXEC> below as well as the L<Preventing Shell
! 952: Escapes> section at the end of this manual. This flag is I<off> by default.
1.1 misho 953:
954: =item path_info
955:
956: Normally, B<sudo> will tell the user when a command could not be
957: found in their C<PATH> environment variable. Some sites may wish
958: to disable this as it could be used to gather information on the
959: location of executables that the normal user does not have access
960: to. The disadvantage is that if the executable is simply not in
961: the user's C<PATH>, B<sudo> will tell the user that they are not
962: allowed to run it, which can be confusing. This flag is I<@path_info@>
963: by default.
964:
965: =item passprompt_override
966:
967: The password prompt specified by I<passprompt> will normally only
968: be used if the password prompt provided by systems such as PAM matches
969: the string "Password:". If I<passprompt_override> is set, I<passprompt>
970: will always be used. This flag is I<off> by default.
971:
972: =item preserve_groups
973:
974: By default, B<sudo> will initialize the group vector to the list of
975: groups the target user is in. When I<preserve_groups> is set, the
976: user's existing group vector is left unaltered. The real and
977: effective group IDs, however, are still set to match the target
978: user. This flag is I<off> by default.
979:
980: =item pwfeedback
981:
982: By default, B<sudo> reads the password like most other Unix programs,
983: by turning off echo until the user hits the return (or enter) key.
984: Some users become confused by this as it appears to them that B<sudo>
985: has hung at this point. When I<pwfeedback> is set, B<sudo> will
986: provide visual feedback when the user presses a key. Note that
987: this does have a security impact as an onlooker may be able to
988: determine the length of the password being entered.
989: This flag is I<off> by default.
990:
991: =item requiretty
992:
993: If set, B<sudo> will only run when the user is logged in to a real
994: tty. When this flag is set, B<sudo> can only be run from a login
995: session and not via other means such as L<cron(8)> or cgi-bin scripts.
996: This flag is I<off> by default.
997:
998: =item root_sudo
999:
1000: If set, root is allowed to run B<sudo> too. Disabling this prevents users
1001: from "chaining" B<sudo> commands to get a root shell by doing something
1002: like C<"sudo sudo /bin/sh">. Note, however, that turning off I<root_sudo>
1003: will also prevent root from running B<sudoedit>.
1004: Disabling I<root_sudo> provides no real additional security; it
1005: exists purely for historical reasons.
1006: This flag is I<@root_sudo@> by default.
1007:
1008: =item rootpw
1009:
1010: If set, B<sudo> will prompt for the root password instead of the password
1011: of the invoking user. This flag is I<off> by default.
1012:
1013: =item runaspw
1014:
1015: If set, B<sudo> will prompt for the password of the user defined by the
1016: I<runas_default> option (defaults to C<@runas_default@>) instead of the
1017: password of the invoking user. This flag is I<off> by default.
1018:
1019: =item set_home
1020:
1021: If enabled and B<sudo> is invoked with the B<-s> option the C<HOME>
1022: environment variable will be set to the home directory of the target
1023: user (which is root unless the B<-u> option is used). This effectively
1024: makes the B<-s> option imply B<-H>. Note that C<HOME> is already
1025: set when the the I<env_reset> option is enabled, so I<set_home> is
1026: only effective for configurations where either I<env_reset> is disabled
1027: or C<HOME> is present in the I<env_keep> list.
1028: This flag is I<off> by default.
1029:
1030: =item set_logname
1031:
1032: Normally, B<sudo> will set the C<LOGNAME>, C<USER> and C<USERNAME>
1033: environment variables to the name of the target user (usually root
1034: unless the B<-u> option is given). However, since some programs
1035: (including the RCS revision control system) use C<LOGNAME> to
1036: determine the real identity of the user, it may be desirable to
1037: change this behavior. This can be done by negating the set_logname
1038: option. Note that if the I<env_reset> option has not been disabled,
1039: entries in the I<env_keep> list will override the value of
1040: I<set_logname>. This flag is I<on> by default.
1041:
1042: =item set_utmp
1043:
1044: When enabled, B<sudo> will create an entry in the utmp (or utmpx)
1045: file when a pseudo-tty is allocated. A pseudo-tty is allocated by
1046: B<sudo> when the I<log_input>, I<log_output> or I<use_pty> flags
1047: are enabled. By default, the new entry will be a copy of the user's
1048: existing utmp entry (if any), with the tty, time, type and pid
1049: fields updated. This flag is I<on> by default.
1050:
1051: =item setenv
1052:
1053: Allow the user to disable the I<env_reset> option from the command
1054: line via the B<-E> option. Additionally, environment variables set
1055: via the command line are not subject to the restrictions imposed
1056: by I<env_check>, I<env_delete>, or I<env_keep>. As such, only
1057: trusted users should be allowed to set variables in this manner.
1058: This flag is I<off> by default.
1059:
1060: =item shell_noargs
1061:
1062: If set and B<sudo> is invoked with no arguments it acts as if the
1063: B<-s> option had been given. That is, it runs a shell as root (the
1064: shell is determined by the C<SHELL> environment variable if it is
1065: set, falling back on the shell listed in the invoking user's
1066: /etc/passwd entry if not). This flag is I<off> by default.
1067:
1068: =item stay_setuid
1069:
1070: Normally, when B<sudo> executes a command the real and effective
1071: UIDs are set to the target user (root by default). This option
1072: changes that behavior such that the real UID is left as the invoking
1073: user's UID. In other words, this makes B<sudo> act as a setuid
1074: wrapper. This can be useful on systems that disable some potentially
1075: dangerous functionality when a program is run setuid. This option
1076: is only effective on systems with either the setreuid() or setresuid()
1077: function. This flag is I<off> by default.
1078:
1079: =item targetpw
1080:
1081: If set, B<sudo> will prompt for the password of the user specified
1082: by the B<-u> option (defaults to C<root>) instead of the password
1083: of the invoking user. In addition, the timestamp file name will
1084: include the target user's name. Note that this flag precludes the
1085: use of a uid not listed in the passwd database as an argument to
1086: the B<-u> option. This flag is I<off> by default.
1087:
1088: =item tty_tickets
1089:
1090: If set, users must authenticate on a per-tty basis. With this flag
1091: enabled, B<sudo> will use a file named for the tty the user is
1092: logged in on in the user's time stamp directory. If disabled, the
1093: time stamp of the directory is used instead. This flag is
1094: I<@tty_tickets@> by default.
1095:
1096: =item umask_override
1097:
1098: If set, B<sudo> will set the umask as specified by I<sudoers> without
1099: modification. This makes it possible to specify a more permissive
1100: umask in I<sudoers> than the user's own umask and matches historical
1101: behavior. If I<umask_override> is not set, B<sudo> will set the
1102: umask to be the union of the user's umask and what is specified in
1103: I<sudoers>. This flag is I<@umask_override@> by default.
1104:
1105: =item use_loginclass
1106:
1107: If set, B<sudo> will apply the defaults specified for the target user's
1108: login class if one exists. Only available if B<sudo> is configured with
1109: the --with-logincap option. This flag is I<off> by default.
1110:
1111: =item use_pty
1112:
1113: If set, B<sudo> will run the command in a pseudo-pty even if no I/O
1114: logging is being gone. A malicious program run under B<sudo> could
1115: conceivably fork a background process that retains to the user's
1116: terminal device after the main program has finished executing. Use
1117: of this option will make that impossible. This flag is I<off> by default.
1118:
1119: =item utmp_runas
1120:
1121: If set, B<sudo> will store the name of the runas user when updating
1122: the utmp (or utmpx) file. By default, B<sudo> stores the name of
1123: the invoking user. This flag is I<off> by default.
1124:
1125: =item visiblepw
1126:
1127: By default, B<sudo> will refuse to run if the user must enter a
1128: password but it is not possible to disable echo on the terminal.
1129: If the I<visiblepw> flag is set, B<sudo> will prompt for a password
1130: even when it would be visible on the screen. This makes it possible
1131: to run things like C<"rsh somehost sudo ls"> since L<rsh(1)> does
1132: not allocate a tty. This flag is I<off> by default.
1133:
1134: =back
1135:
1136: B<Integers>:
1137:
1138: =over 16
1139:
1140: =item closefrom
1141:
1142: Before it executes a command, B<sudo> will close all open file
1143: descriptors other than standard input, standard output and standard
1144: error (ie: file descriptors 0-2). The I<closefrom> option can be used
1145: to specify a different file descriptor at which to start closing.
1146: The default is C<3>.
1147:
1148: =item passwd_tries
1149:
1150: The number of tries a user gets to enter his/her password before
1151: B<sudo> logs the failure and exits. The default is C<@passwd_tries@>.
1152:
1153: =back
1154:
1155: B<Integers that can be used in a boolean context>:
1156:
1157: =over 16
1158:
1159: =item loglinelen
1160:
1161: Number of characters per line for the file log. This value is used
1162: to decide when to wrap lines for nicer log files. This has no
1163: effect on the syslog log file, only the file log. The default is
1164: C<@loglen@> (use 0 or negate the option to disable word wrap).
1165:
1166: =item passwd_timeout
1167:
1168: Number of minutes before the B<sudo> password prompt times out, or
1169: C<0> for no timeout. The timeout may include a fractional component
1170: if minute granularity is insufficient, for example C<2.5>. The
1171: default is C<@password_timeout@>.
1172:
1173: =item timestamp_timeout
1174:
1175: Number of minutes that can elapse before B<sudo> will ask for a
1176: passwd again. The timeout may include a fractional component if
1177: minute granularity is insufficient, for example C<2.5>. The default
1178: is C<@timeout@>. Set this to C<0> to always prompt for a password.
1179: If set to a value less than C<0> the user's timestamp will never
1180: expire. This can be used to allow users to create or delete their
1181: own timestamps via C<sudo -v> and C<sudo -k> respectively.
1182:
1183: =item umask
1184:
1185: Umask to use when running the command. Negate this option or set
1186: it to 0777 to preserve the user's umask. The actual umask that is
1187: used will be the union of the user's umask and the value of the
1188: I<umask> option, which defaults to C<@sudo_umask@>. This guarantees
1189: that B<sudo> never lowers the umask when running a command. Note
1190: on systems that use PAM, the default PAM configuration may specify
1191: its own umask which will override the value set in I<sudoers>.
1192:
1193: =back
1194:
1195: B<Strings>:
1196:
1197: =over 16
1198:
1199: =item badpass_message
1200:
1201: Message that is displayed if a user enters an incorrect password.
1202: The default is C<@badpass_message@> unless insults are enabled.
1203:
1204: =item editor
1205:
1206: A colon (':') separated list of editors allowed to be used with
1207: B<visudo>. B<visudo> will choose the editor that matches the user's
1208: EDITOR environment variable if possible, or the first editor in the
1209: list that exists and is executable. The default is C<"@editor@">.
1210:
1211: =item iolog_dir
1212:
1213: The top-level directory to use when constructing the path name for
1214: the input/output log directory. Only used if the I<log_input> or
1215: I<log_output> options are enabled or when the C<LOG_INPUT> or
1216: C<LOG_OUTPUT> tags are present for a command. The session sequence
1217: number, if any, is stored in the directory.
1218: The default is C<"@iolog_dir@">.
1219:
1220: The following percent (`C<%>') escape sequences are supported:
1221:
1222: =over 4
1223:
1224: =item C<%{seq}>
1225:
1226: expanded to a monotonically increasing base-36 sequence number, such as 0100A5,
1227: where every two digits are used to form a new directory, e.g. F<01/00/A5>
1228:
1229: =item C<%{user}>
1230:
1231: expanded to the invoking user's login name
1232:
1233: =item C<%{group}>
1234:
1235: expanded to the name of the invoking user's real group ID
1236:
1237: =item C<%{runas_user}>
1238:
1239: expanded to the login name of the user the command will
1240: be run as (e.g. root)
1241:
1242: =item C<%{runas_group}>
1243:
1244: expanded to the group name of the user the command will
1245: be run as (e.g. wheel)
1246:
1247: =item C<%{hostname}>
1248:
1249: expanded to the local host name without the domain name
1250:
1251: =item C<%{command}>
1252:
1253: expanded to the base name of the command being run
1254:
1255: =back
1256:
1257: In addition, any escape sequences supported by the system's strftime()
1258: function will be expanded.
1259:
1260: To include a literal `C<%>' character, the string `C<%%>' should
1261: be used.
1262:
1263: =item iolog_file
1264:
1265: The path name, relative to I<iolog_dir>, in which to store input/output
1266: logs when the I<log_input> or I<log_output> options are enabled or
1267: when the C<LOG_INPUT> or C<LOG_OUTPUT> tags are present for a command.
1268: Note that I<iolog_file> may contain directory components.
1269: The default is C<"%{seq}">.
1270:
1271: See the I<iolog_dir> option above for a list of supported percent
1272: (`C<%>') escape sequences.
1273:
1274: In addition to the escape sequences, path names that end in six or
1275: more C<X>s will have the C<X>s replaced with a unique combination
1276: of digits and letters, similar to the mktemp() function.
1277:
1278: =item mailsub
1279:
1280: Subject of the mail sent to the I<mailto> user. The escape C<%h>
1281: will expand to the host name of the machine.
1282: Default is C<@mailsub@>.
1283:
1284: =item noexec_file
1285:
1.1.1.2 ! misho 1286: This option is no longer supported. The path to the noexec file
! 1287: should now be set in the F<@sysconfdir@/sudo.conf> file.
1.1 misho 1288:
1289: =item passprompt
1290:
1291: The default prompt to use when asking for a password; can be overridden
1292: via the B<-p> option or the C<SUDO_PROMPT> environment variable.
1293: The following percent (`C<%>') escape sequences are supported:
1294:
1295: =over 4
1296:
1297: =item C<%H>
1298:
1299: expanded to the local host name including the domain name
1300: (only if the machine's host name is fully qualified or the I<fqdn>
1301: option is set)
1302:
1303: =item C<%h>
1304:
1305: expanded to the local host name without the domain name
1306:
1307: =item C<%p>
1308:
1309: expanded to the user whose password is being asked for (respects the
1310: I<rootpw>, I<targetpw> and I<runaspw> flags in I<sudoers>)
1311:
1312: =item C<%U>
1313:
1314: expanded to the login name of the user the command will
1315: be run as (defaults to root)
1316:
1317: =item C<%u>
1318:
1319: expanded to the invoking user's login name
1320:
1321: =item C<%%>
1322:
1323: two consecutive C<%> characters are collapsed into a single C<%> character
1324:
1325: =back
1326:
1327: The default value is C<@passprompt@>.
1328:
1329: =item role
1330:
1331: The default SELinux role to use when constructing a new security
1332: context to run the command. The default role may be overridden on
1333: a per-command basis in I<sudoers> or via command line options.
1334: This option is only available whe B<sudo> is built with SELinux support.
1335:
1336: =item runas_default
1337:
1338: The default user to run commands as if the B<-u> option is not specified
1339: on the command line. This defaults to C<@runas_default@>.
1340:
1341: =item syslog_badpri
1342:
1343: Syslog priority to use when user authenticates unsuccessfully.
1344: Defaults to C<@badpri@>.
1345:
1346: The following syslog priorities are supported: B<alert>, B<crit>,
1347: B<debug>, B<emerg>, B<err>, B<info>, B<notice>, and B<warning>.
1348:
1349: =item syslog_goodpri
1350:
1351: Syslog priority to use when user authenticates successfully.
1352: Defaults to C<@goodpri@>.
1353:
1354: See L<syslog_badpri> for the list of supported syslog priorities.
1355:
1356: =item sudoers_locale
1357:
1358: Locale to use when parsing the sudoers file, logging commands, and
1359: sending email. Note that changing the locale may affect how sudoers
1360: is interpreted. Defaults to C<"C">.
1361:
1362: =item timestampdir
1363:
1364: The directory in which B<sudo> stores its timestamp files.
1365: The default is F<@timedir@>.
1366:
1367: =item timestampowner
1368:
1369: The owner of the timestamp directory and the timestamps stored therein.
1370: The default is C<root>.
1371:
1372: =item type
1373:
1374: The default SELinux type to use when constructing a new security
1375: context to run the command. The default type may be overridden on
1376: a per-command basis in I<sudoers> or via command line options.
1377: This option is only available whe B<sudo> is built with SELinux support.
1378:
1379: =back
1380:
1381: B<Strings that can be used in a boolean context>:
1382:
1383: =over 12
1384:
1385: =item env_file
1386:
1.1.1.2 ! misho 1387: The I<env_file> option specifies the fully qualified path to a
1.1 misho 1388: file containing variables to be set in the environment of the program
1389: being run. Entries in this file should either be of the form
1390: C<VARIABLE=value> or C<export VARIABLE=value>. The value may
1391: optionally be surrounded by single or double quotes. Variables in
1392: this file are subject to other B<sudo> environment settings such
1393: as I<env_keep> and I<env_check>.
1394:
1395: =item exempt_group
1396:
1397: Users in this group are exempt from password and PATH requirements.
1398: The group name specified should not include a C<%> prefix.
1399: This is not set by default.
1400:
1401: =item group_plugin
1402:
1403: A string containing a I<sudoers> group plugin with optional arguments.
1404: This can be used to implement support for the C<nonunix_group>
1405: syntax described earlier. The string should consist of the plugin
1406: path, either fully-qualified or relative to the F<@prefix@/libexec>
1407: directory, followed by any configuration arguments the plugin
1408: requires. These arguments (if any) will be passed to the plugin's
1409: initialization function. If arguments are present, the string must
1410: be enclosed in double quotes (C<">).
1411:
1412: For example, given F</etc/sudo-group>, a group file in Unix group
1413: format, the sample group plugin can be used:
1414:
1415: Defaults group_plugin="sample_group.so /etc/sudo-group"
1416:
1417: For more information see L<sudo_plugin(5)>.
1418:
1419: =item lecture
1420:
1421: This option controls when a short lecture will be printed along with
1422: the password prompt. It has the following possible values:
1423:
1424: =over 8
1425:
1426: =item always
1427:
1428: Always lecture the user.
1429:
1430: =item never
1431:
1432: Never lecture the user.
1433:
1434: =item once
1435:
1436: Only lecture the user the first time they run B<sudo>.
1437:
1438: =back
1439:
1440: If no value is specified, a value of I<once> is implied.
1441: Negating the option results in a value of I<never> being used.
1442: The default value is I<@lecture@>.
1443:
1444: =item lecture_file
1445:
1446: Path to a file containing an alternate B<sudo> lecture that will
1447: be used in place of the standard lecture if the named file exists.
1448: By default, B<sudo> uses a built-in lecture.
1449:
1450: =item listpw
1451:
1452: This option controls when a password will be required when a
1453: user runs B<sudo> with the B<-l> option. It has the following possible values:
1454:
1455: =over 8
1456:
1457: =item all
1458:
1459: All the user's I<sudoers> entries for the current host must have
1460: the C<NOPASSWD> flag set to avoid entering a password.
1461:
1462: =item always
1463:
1464: The user must always enter a password to use the B<-l> option.
1465:
1466: =item any
1467:
1468: At least one of the user's I<sudoers> entries for the current host
1469: must have the C<NOPASSWD> flag set to avoid entering a password.
1470:
1471: =item never
1472:
1473: The user need never enter a password to use the B<-l> option.
1474:
1475: =back
1476:
1477: If no value is specified, a value of I<any> is implied.
1478: Negating the option results in a value of I<never> being used.
1479: The default value is I<any>.
1480:
1481: =item logfile
1482:
1483: Path to the B<sudo> log file (not the syslog log file). Setting a path
1484: turns on logging to a file; negating this option turns it off.
1485: By default, B<sudo> logs via syslog.
1486:
1487: =item mailerflags
1488:
1489: Flags to use when invoking mailer. Defaults to B<-t>.
1490:
1491: =item mailerpath
1492:
1493: Path to mail program used to send warning mail.
1494: Defaults to the path to sendmail found at configure time.
1495:
1496: =item mailfrom
1497:
1498: Address to use for the "from" address when sending warning and error
1499: mail. The address should be enclosed in double quotes (C<">) to
1500: protect against B<sudo> interpreting the C<@> sign. Defaults to
1501: the name of the user running B<sudo>.
1502:
1503: =item mailto
1504:
1505: Address to send warning and error mail to. The address should
1506: be enclosed in double quotes (C<">) to protect against B<sudo>
1507: interpreting the C<@> sign. Defaults to C<@mailto@>.
1508:
1509: =item secure_path
1510:
1511: Path used for every command run from B<sudo>. If you don't trust the
1512: people running B<sudo> to have a sane C<PATH> environment variable you may
1513: want to use this. Another use is if you want to have the "root path"
1514: be separate from the "user path." Users in the group specified by the
1515: I<exempt_group> option are not affected by I<secure_path>.
1516: This option is @secure_path@ by default.
1517:
1518: =item syslog
1519:
1520: Syslog facility if syslog is being used for logging (negate to
1521: disable syslog logging). Defaults to C<@logfac@>.
1522:
1523: The following syslog facilities are supported: B<authpriv> (if your
1524: OS supports it), B<auth>, B<daemon>, B<user>, B<local0>, B<local1>,
1525: B<local2>, B<local3>, B<local4>, B<local5>, B<local6>, and B<local7>.
1526:
1527: =item verifypw
1528:
1529: This option controls when a password will be required when a user runs
1530: B<sudo> with the B<-v> option. It has the following possible values:
1531:
1532: =over 8
1533:
1534: =item all
1535:
1536: All the user's I<sudoers> entries for the current host must have
1537: the C<NOPASSWD> flag set to avoid entering a password.
1538:
1539: =item always
1540:
1541: The user must always enter a password to use the B<-v> option.
1542:
1543: =item any
1544:
1545: At least one of the user's I<sudoers> entries for the current host
1546: must have the C<NOPASSWD> flag set to avoid entering a password.
1547:
1548: =item never
1549:
1550: The user need never enter a password to use the B<-v> option.
1551:
1552: =back
1553:
1554: If no value is specified, a value of I<all> is implied.
1555: Negating the option results in a value of I<never> being used.
1556: The default value is I<all>.
1557:
1558: =back
1559:
1560: B<Lists that can be used in a boolean context>:
1561:
1562: =over 16
1563:
1564: =item env_check
1565:
1566: Environment variables to be removed from the user's environment if
1567: the variable's value contains C<%> or C</> characters. This can
1568: be used to guard against printf-style format vulnerabilities in
1569: poorly-written programs. The argument may be a double-quoted,
1570: space-separated list or a single value without double-quotes. The
1571: list can be replaced, added to, deleted from, or disabled by using
1572: the C<=>, C<+=>, C<-=>, and C<!> operators respectively. Regardless
1573: of whether the C<env_reset> option is enabled or disabled, variables
1574: specified by C<env_check> will be preserved in the environment if
1575: they pass the aforementioned check. The default list of environment
1576: variables to check is displayed when B<sudo> is run by root with
1577: the I<-V> option.
1578:
1579: =item env_delete
1580:
1581: Environment variables to be removed from the user's environment
1582: when the I<env_reset> option is not in effect. The argument may
1583: be a double-quoted, space-separated list or a single value without
1584: double-quotes. The list can be replaced, added to, deleted from,
1585: or disabled by using the C<=>, C<+=>, C<-=>, and C<!> operators
1586: respectively. The default list of environment variables to remove
1587: is displayed when B<sudo> is run by root with the I<-V> option.
1588: Note that many operating systems will remove potentially dangerous
1589: variables from the environment of any setuid process (such as
1590: B<sudo>).
1591:
1592: =item env_keep
1593:
1594: Environment variables to be preserved in the user's environment
1595: when the I<env_reset> option is in effect. This allows fine-grained
1596: control over the environment B<sudo>-spawned processes will receive.
1597: The argument may be a double-quoted, space-separated list or a
1598: single value without double-quotes. The list can be replaced, added
1599: to, deleted from, or disabled by using the C<=>, C<+=>, C<-=>, and
1600: C<!> operators respectively. The default list of variables to keep
1601: is displayed when B<sudo> is run by root with the I<-V> option.
1602:
1603: =back
1604:
1.1.1.2 ! misho 1605: =head1 SUDO.CONF
! 1606:
! 1607: The F<@sysconfdir@/sudo.conf> file determines which plugins the
! 1608: B<sudo> front end will load. If no F<@sysconfdir@/sudo.conf> file
! 1609: is present, or it contains no C<Plugin> lines, B<sudo> will use the
! 1610: I<sudoers> security policy and I/O logging, which corresponds to
! 1611: the following F<@sysconfdir@/sudo.conf> file.
! 1612:
! 1613: #
! 1614: # Default @sysconfdir@/sudo.conf file
! 1615: #
! 1616: # Format:
! 1617: # Plugin plugin_name plugin_path plugin_options ...
! 1618: # Path askpass /path/to/askpass
! 1619: # Path noexec /path/to/sudo_noexec.so
! 1620: # Debug sudo /var/log/sudo_debug all@warn
! 1621: # Set disable_coredump true
! 1622: #
! 1623: # The plugin_path is relative to @prefix@/libexec unless
! 1624: # fully qualified.
! 1625: # The plugin_name corresponds to a global symbol in the plugin
! 1626: # that contains the plugin interface structure.
! 1627: # The plugin_options are optional.
! 1628: #
! 1629: Plugin policy_plugin sudoers.so
! 1630: Plugin io_plugin sudoers.so
! 1631:
! 1632: =head2 PLUGIN OPTIONS
! 1633:
! 1634: Starting with B<sudo> 1.8.5 it is possible to pass options to the
! 1635: I<sudoers> plugin. Options may be listed after the path to the
! 1636: plugin (i.e. after F<sudoers.so>); multiple options should be
! 1637: space-separated. For example:
! 1638:
! 1639: Plugin sudoers_policy sudoers.so sudoers_file=/etc/sudoers sudoers_uid=0 sudoers_gid=0 sudoers_mode=0440
! 1640:
! 1641: The following plugin options are supported:
! 1642:
! 1643: =over 10
! 1644:
! 1645: =item sudoers_file=pathname
! 1646:
! 1647: The I<sudoers_file> option can be used to override the default path
! 1648: to the I<sudoers> file.
! 1649:
! 1650: =item sudoers_uid=uid
! 1651:
! 1652: The I<sudoers_uid> option can be used to override the default owner
! 1653: of the sudoers file. It should be specified as a numeric user ID.
! 1654:
! 1655: =item sudoers_gid=gid
! 1656:
! 1657: The I<sudoers_gid> option can be used to override the default group
! 1658: of the sudoers file. It should be specified as a numeric group ID.
! 1659:
! 1660: =item sudoers_mode=mode
! 1661:
! 1662: The I<sudoers_mode> option can be used to override the default file
! 1663: mode for the sudoers file. It should be specified as an octal value.
! 1664:
! 1665: =back
! 1666:
! 1667: =head2 DEBUG FLAGS
! 1668:
! 1669: Versions 1.8.4 and higher of the I<sudoers> plugin supports a
! 1670: debugging framework that can help track down what the plugin is
! 1671: doing internally if there is a problem. This can be configured in
! 1672: the F<@sysconfdir@/sudo.conf> file as described in L<sudo(8)>.
! 1673:
! 1674: The I<sudoers> plugin uses the same debug flag format as B<sudo>
! 1675: itself: I<subsystem>@I<priority>.
! 1676:
! 1677: The priorities used by I<sudoers>, in order of decreasing severity,
! 1678: are: I<crit>, I<err>, I<warn>, I<notice>, I<diag>, I<info>, I<trace>
! 1679: and I<debug>. Each priority, when specified, also includes all
! 1680: priorities higher than it. For example, a priority of I<notice>
! 1681: would include debug messages logged at I<notice> and higher.
! 1682:
! 1683: The following subsystems are used by I<sudoers>:
! 1684:
! 1685: =over 10
! 1686:
! 1687: =item I<alias>
! 1688:
! 1689: C<User_Alias>, C<Runas_Alias>, C<Host_Alias> and C<Cmnd_Alias> processing
! 1690:
! 1691: =item I<all>
! 1692:
! 1693: matches every subsystem
! 1694:
! 1695: =item I<audit>
! 1696:
! 1697: BSM and Linux audit code
! 1698:
! 1699: =item I<auth>
! 1700:
! 1701: user authentication
! 1702:
! 1703: =item I<defaults>
! 1704:
! 1705: I<sudoers> I<Defaults> settings
! 1706:
! 1707: =item I<env>
! 1708:
! 1709: environment handling
! 1710:
! 1711: =item I<ldap>
! 1712:
! 1713: LDAP-based sudoers
! 1714:
! 1715: =item I<logging>
! 1716:
! 1717: logging support
! 1718:
! 1719: =item I<match>
! 1720:
! 1721: matching of users, groups, hosts and netgroups in I<sudoers>
! 1722:
! 1723: =item I<netif>
! 1724:
! 1725: network interface handling
! 1726:
! 1727: =item I<nss>
! 1728:
! 1729: network service switch handling in I<sudoers>
! 1730:
! 1731: =item I<parser>
! 1732:
! 1733: I<sudoers> file parsing
! 1734:
! 1735: =item I<perms>
! 1736:
! 1737: permission setting
! 1738:
! 1739: =item I<plugin>
! 1740:
! 1741: The equivalent of I<main> for the plugin.
! 1742:
! 1743: =item I<pty>
! 1744:
! 1745: pseudo-tty related code
! 1746:
! 1747: =item I<rbtree>
! 1748:
! 1749: redblack tree internals
! 1750:
! 1751: =item I<util>
! 1752:
! 1753: utility functions
! 1754:
! 1755: =back
! 1756:
1.1 misho 1757: =head1 FILES
1758:
1759: =over 24
1760:
1.1.1.2 ! misho 1761: =item F<@sysconfdir@/sudo.conf>
! 1762:
! 1763: Sudo front end configuration
! 1764:
1.1 misho 1765: =item F<@sysconfdir@/sudoers>
1766:
1767: List of who can run what
1768:
1769: =item F</etc/group>
1770:
1771: Local groups file
1772:
1773: =item F</etc/netgroup>
1774:
1775: List of network groups
1776:
1777: =item F<@iolog_dir@>
1778:
1779: I/O log files
1780:
1781: =item F<@timedir@>
1782:
1783: Directory containing time stamps for the I<sudoers> security policy
1784:
1785: =item F</etc/environment>
1786:
1.1.1.2 ! misho 1787: Initial environment for B<-i> mode on AIX and Linux systems
1.1 misho 1788:
1789: =back
1790:
1791: =head1 EXAMPLES
1792:
1793: Below are example I<sudoers> entries. Admittedly, some of
1794: these are a bit contrived. First, we allow a few environment
1795: variables to pass and then define our I<aliases>:
1796:
1797: # Run X applications through sudo; HOME is used to find the
1798: # .Xauthority file. Note that other programs use HOME to find
1799: # configuration files and this may lead to privilege escalation!
1800: Defaults env_keep += "DISPLAY HOME"
1801:
1802: # User alias specification
1803: User_Alias FULLTIMERS = millert, mikef, dowdy
1804: User_Alias PARTTIMERS = bostley, jwfox, crawl
1805: User_Alias WEBMASTERS = will, wendy, wim
1806:
1807: # Runas alias specification
1808: Runas_Alias OP = root, operator
1809: Runas_Alias DB = oracle, sybase
1810: Runas_Alias ADMINGRP = adm, oper
1811:
1812: # Host alias specification
1813: Host_Alias SPARC = bigtime, eclipse, moet, anchor :\
1814: SGI = grolsch, dandelion, black :\
1815: ALPHA = widget, thalamus, foobar :\
1816: HPPA = boa, nag, python
1817: Host_Alias CUNETS = 128.138.0.0/255.255.0.0
1818: Host_Alias CSNETS = 128.138.243.0, 128.138.204.0/24, 128.138.242.0
1819: Host_Alias SERVERS = master, mail, www, ns
1820: Host_Alias CDROM = orion, perseus, hercules
1821:
1822: # Cmnd alias specification
1823: Cmnd_Alias DUMPS = /usr/bin/mt, /usr/sbin/dump, /usr/sbin/rdump,\
1824: /usr/sbin/restore, /usr/sbin/rrestore
1825: Cmnd_Alias KILL = /usr/bin/kill
1826: Cmnd_Alias PRINTING = /usr/sbin/lpc, /usr/bin/lprm
1827: Cmnd_Alias SHUTDOWN = /usr/sbin/shutdown
1828: Cmnd_Alias HALT = /usr/sbin/halt
1829: Cmnd_Alias REBOOT = /usr/sbin/reboot
1830: Cmnd_Alias SHELLS = /usr/bin/sh, /usr/bin/csh, /usr/bin/ksh, \
1831: /usr/local/bin/tcsh, /usr/bin/rsh, \
1832: /usr/local/bin/zsh
1833: Cmnd_Alias SU = /usr/bin/su
1834: Cmnd_Alias PAGERS = /usr/bin/more, /usr/bin/pg, /usr/bin/less
1835:
1836: Here we override some of the compiled in default values. We want
1837: B<sudo> to log via L<syslog(3)> using the I<auth> facility in all
1838: cases. We don't want to subject the full time staff to the B<sudo>
1839: lecture, user B<millert> need not give a password, and we don't
1840: want to reset the C<LOGNAME>, C<USER> or C<USERNAME> environment
1841: variables when running commands as root. Additionally, on the
1842: machines in the I<SERVERS> C<Host_Alias>, we keep an additional
1843: local log file and make sure we log the year in each log line since
1844: the log entries will be kept around for several years. Lastly, we
1845: disable shell escapes for the commands in the PAGERS C<Cmnd_Alias>
1846: (F</usr/bin/more>, F</usr/bin/pg> and F</usr/bin/less>).
1847:
1848: # Override built-in defaults
1849: Defaults syslog=auth
1850: Defaults>root !set_logname
1851: Defaults:FULLTIMERS !lecture
1852: Defaults:millert !authenticate
1853: Defaults@SERVERS log_year, logfile=/var/log/sudo.log
1854: Defaults!PAGERS noexec
1855:
1856: The I<User specification> is the part that actually determines who may
1857: run what.
1858:
1859: root ALL = (ALL) ALL
1860: %wheel ALL = (ALL) ALL
1861:
1862: We let B<root> and any user in group B<wheel> run any command on any
1863: host as any user.
1864:
1865: FULLTIMERS ALL = NOPASSWD: ALL
1866:
1867: Full time sysadmins (B<millert>, B<mikef>, and B<dowdy>) may run any
1868: command on any host without authenticating themselves.
1869:
1870: PARTTIMERS ALL = ALL
1871:
1872: Part time sysadmins (B<bostley>, B<jwfox>, and B<crawl>) may run any
1873: command on any host but they must authenticate themselves first
1874: (since the entry lacks the C<NOPASSWD> tag).
1875:
1876: jack CSNETS = ALL
1877:
1878: The user B<jack> may run any command on the machines in the I<CSNETS> alias
1879: (the networks C<128.138.243.0>, C<128.138.204.0>, and C<128.138.242.0>).
1880: Of those networks, only C<128.138.204.0> has an explicit netmask (in
1881: CIDR notation) indicating it is a class C network. For the other
1882: networks in I<CSNETS>, the local machine's netmask will be used
1883: during matching.
1884:
1885: lisa CUNETS = ALL
1886:
1887: The user B<lisa> may run any command on any host in the I<CUNETS> alias
1888: (the class B network C<128.138.0.0>).
1889:
1890: operator ALL = DUMPS, KILL, SHUTDOWN, HALT, REBOOT, PRINTING,\
1891: sudoedit /etc/printcap, /usr/oper/bin/
1892:
1893: The B<operator> user may run commands limited to simple maintenance.
1894: Here, those are commands related to backups, killing processes, the
1895: printing system, shutting down the system, and any commands in the
1896: directory F</usr/oper/bin/>.
1897:
1898: joe ALL = /usr/bin/su operator
1899:
1900: The user B<joe> may only L<su(1)> to operator.
1901:
1902: pete HPPA = /usr/bin/passwd [A-Za-z]*, !/usr/bin/passwd root
1903:
1904: %opers ALL = (: ADMINGRP) /usr/sbin/
1905:
1906: Users in the B<opers> group may run commands in F</usr/sbin/> as themselves
1907: with any group in the I<ADMINGRP> C<Runas_Alias> (the B<adm> and B<oper>
1908: groups).
1909:
1910: The user B<pete> is allowed to change anyone's password except for
1911: root on the I<HPPA> machines. Note that this assumes L<passwd(1)>
1912: does not take multiple user names on the command line.
1913:
1914: bob SPARC = (OP) ALL : SGI = (OP) ALL
1915:
1916: The user B<bob> may run anything on the I<SPARC> and I<SGI> machines
1917: as any user listed in the I<OP> C<Runas_Alias> (B<root> and B<operator>).
1918:
1919: jim +biglab = ALL
1920:
1921: The user B<jim> may run any command on machines in the I<biglab> netgroup.
1922: B<sudo> knows that "biglab" is a netgroup due to the '+' prefix.
1923:
1924: +secretaries ALL = PRINTING, /usr/bin/adduser, /usr/bin/rmuser
1925:
1926: Users in the B<secretaries> netgroup need to help manage the printers
1927: as well as add and remove users, so they are allowed to run those
1928: commands on all machines.
1929:
1930: fred ALL = (DB) NOPASSWD: ALL
1931:
1932: The user B<fred> can run commands as any user in the I<DB> C<Runas_Alias>
1933: (B<oracle> or B<sybase>) without giving a password.
1934:
1935: john ALPHA = /usr/bin/su [!-]*, !/usr/bin/su *root*
1936:
1937: On the I<ALPHA> machines, user B<john> may su to anyone except root
1938: but he is not allowed to specify any options to the L<su(1)> command.
1939:
1940: jen ALL, !SERVERS = ALL
1941:
1942: The user B<jen> may run any command on any machine except for those
1943: in the I<SERVERS> C<Host_Alias> (master, mail, www and ns).
1944:
1945: jill SERVERS = /usr/bin/, !SU, !SHELLS
1946:
1947: For any machine in the I<SERVERS> C<Host_Alias>, B<jill> may run
1948: any commands in the directory F</usr/bin/> except for those commands
1949: belonging to the I<SU> and I<SHELLS> C<Cmnd_Aliases>.
1950:
1951: steve CSNETS = (operator) /usr/local/op_commands/
1952:
1953: The user B<steve> may run any command in the directory /usr/local/op_commands/
1954: but only as user operator.
1955:
1956: matt valkyrie = KILL
1957:
1958: On his personal workstation, valkyrie, B<matt> needs to be able to
1959: kill hung processes.
1960:
1961: WEBMASTERS www = (www) ALL, (root) /usr/bin/su www
1962:
1963: On the host www, any user in the I<WEBMASTERS> C<User_Alias> (will,
1964: wendy, and wim), may run any command as user www (which owns the
1965: web pages) or simply L<su(1)> to www.
1966:
1967: ALL CDROM = NOPASSWD: /sbin/umount /CDROM,\
1968: /sbin/mount -o nosuid\,nodev /dev/cd0a /CDROM
1969:
1970: Any user may mount or unmount a CD-ROM on the machines in the CDROM
1971: C<Host_Alias> (orion, perseus, hercules) without entering a password.
1972: This is a bit tedious for users to type, so it is a prime candidate
1973: for encapsulating in a shell script.
1974:
1975: =head1 SECURITY NOTES
1976:
1.1.1.2 ! misho 1977: =head2 Limitations of the '!' operator
! 1978:
1.1 misho 1979: It is generally not effective to "subtract" commands from C<ALL>
1980: using the '!' operator. A user can trivially circumvent this
1981: by copying the desired command to a different name and then
1982: executing that. For example:
1983:
1984: bill ALL = ALL, !SU, !SHELLS
1985:
1986: Doesn't really prevent B<bill> from running the commands listed in
1987: I<SU> or I<SHELLS> since he can simply copy those commands to a
1988: different name, or use a shell escape from an editor or other
1989: program. Therefore, these kind of restrictions should be considered
1990: advisory at best (and reinforced by policy).
1991:
1.1.1.2 ! misho 1992: In general, if a user has sudo C<ALL> there is nothing to prevent
! 1993: them from creating their own program that gives them a root shell
! 1994: (or making their own copy of a shell) regardless of any '!' elements
! 1995: in the user specification.
! 1996:
! 1997: =head2 Security implications of I<fast_glob>
! 1998:
! 1999: If the I<fast_glob> option is in use, it is not possible
1.1 misho 2000: to reliably negate commands where the path name includes globbing
2001: (aka wildcard) characters. This is because the C library's
2002: L<fnmatch(3)> function cannot resolve relative paths. While this
2003: is typically only an inconvenience for rules that grant privileges,
2004: it can result in a security issue for rules that subtract or revoke
2005: privileges.
2006:
2007: For example, given the following I<sudoers> entry:
2008:
2009: john ALL = /usr/bin/passwd [a-zA-Z0-9]*, /usr/bin/chsh [a-zA-Z0-9]*,
2010: /usr/bin/chfn [a-zA-Z0-9]*, !/usr/bin/* root
2011:
2012: User B<john> can still run C</usr/bin/passwd root> if I<fast_glob> is
2013: enabled by changing to F</usr/bin> and running C<./passwd root> instead.
2014:
1.1.1.2 ! misho 2015: =head2 Preventing Shell Escapes
1.1 misho 2016:
2017: Once B<sudo> executes a program, that program is free to do whatever
2018: it pleases, including run other programs. This can be a security
2019: issue since it is not uncommon for a program to allow shell escapes,
2020: which lets a user bypass B<sudo>'s access control and logging.
2021: Common programs that permit shell escapes include shells (obviously),
2022: editors, paginators, mail and terminal programs.
2023:
2024: There are two basic approaches to this problem:
2025:
2026: =over 10
2027:
2028: =item restrict
2029:
2030: Avoid giving users access to commands that allow the user to run
2031: arbitrary commands. Many editors have a restricted mode where shell
2032: escapes are disabled, though B<sudoedit> is a better solution to
2033: running editors via B<sudo>. Due to the large number of programs that
2034: offer shell escapes, restricting users to the set of programs that
2035: do not is often unworkable.
2036:
2037: =item noexec
2038:
2039: Many systems that support shared libraries have the ability to
2040: override default library functions by pointing an environment
2041: variable (usually C<LD_PRELOAD>) to an alternate shared library.
2042: On such systems, B<sudo>'s I<noexec> functionality can be used to
2043: prevent a program run by B<sudo> from executing any other programs.
2044: Note, however, that this applies only to native dynamically-linked
2045: executables. Statically-linked executables and foreign executables
2046: running under binary emulation are not affected.
2047:
2048: The I<noexec> feature is known to work on SunOS, Solaris, *BSD,
2049: Linux, IRIX, Tru64 UNIX, MacOS X, HP-UX 11.x and AIX 5.3 and above.
2050: It should be supported on most operating systems that support the
2051: C<LD_PRELOAD> environment variable. Check your operating system's
2052: manual pages for the dynamic linker (usually ld.so, ld.so.1, dyld,
2053: dld.sl, rld, or loader) to see if C<LD_PRELOAD> is supported.
2054:
2055: On Solaris 10 and higher, I<noexec> uses Solaris privileges instead
2056: of the C<LD_PRELOAD> environment variable.
2057:
2058: To enable I<noexec> for a command, use the C<NOEXEC> tag as documented
2059: in the User Specification section above. Here is that example again:
2060:
2061: aaron shanty = NOEXEC: /usr/bin/more, /usr/bin/vi
2062:
2063: This allows user B<aaron> to run F</usr/bin/more> and F</usr/bin/vi>
2064: with I<noexec> enabled. This will prevent those two commands from
2065: executing other commands (such as a shell). If you are unsure
2066: whether or not your system is capable of supporting I<noexec> you
2067: can always just try it out and check whether shell escapes work
2068: when I<noexec> is enabled.
2069:
2070: =back
2071:
2072: Note that restricting shell escapes is not a panacea. Programs
2073: running as root are still capable of many potentially hazardous
2074: operations (such as changing or overwriting files) that could lead
2075: to unintended privilege escalation. In the specific case of an
2076: editor, a safer approach is to give the user permission to run
2077: B<sudoedit>.
2078:
1.1.1.2 ! misho 2079: =head2 Time stamp file checks
1.1 misho 2080:
2081: I<sudoers> will check the ownership of its time stamp directory
2082: (F<@timedir@> by default) and ignore the directory's contents if
2083: it is not owned by root or if it is writable by a user other than
2084: root. On systems that allow non-root users to give away files via
2085: L<chown(2)>, if the time stamp directory is located in a world-writable
2086: directory (e.g., F</tmp>), it is possible for a user to create the
2087: time stamp directory before B<sudo> is run. However, because
2088: I<sudoers> checks the ownership and mode of the directory and its
2089: contents, the only damage that can be done is to "hide" files by
2090: putting them in the time stamp dir. This is unlikely to happen
2091: since once the time stamp dir is owned by root and inaccessible by
2092: any other user, the user placing files there would be unable to get
2093: them back out.
2094:
2095: I<sudoers> will not honor time stamps set far in the future. Time
2096: stamps with a date greater than current_time + 2 * C<TIMEOUT> will
2097: be ignored and sudo will log and complain. This is done to keep a
2098: user from creating his/her own time stamp with a bogus date on
2099: systems that allow users to give away files if the time stamp directory
2100: is located in a world-writable directory.
2101:
2102: On systems where the boot time is available, I<sudoers> will ignore
2103: time stamps that date from before the machine booted.
2104:
2105: Since time stamp files live in the file system, they can outlive a
2106: user's login session. As a result, a user may be able to login,
2107: run a command with B<sudo> after authenticating, logout, login
2108: again, and run B<sudo> without authenticating so long as the time
2109: stamp file's modification time is within C<@timeout@> minutes (or
2110: whatever the timeout is set to in I<sudoers>). When the I<tty_tickets>
2111: option is enabled, the time stamp has per-tty granularity but still
2112: may outlive the user's session. On Linux systems where the devpts
2113: filesystem is used, Solaris systems with the devices filesystem,
2114: as well as other systems that utilize a devfs filesystem that
2115: monotonically increase the inode number of devices as they are
2116: created (such as Mac OS X), I<sudoers> is able to determine when a
2117: tty-based time stamp file is stale and will ignore it. Administrators
2118: should not rely on this feature as it is not universally available.
2119:
2120: =head1 SEE ALSO
2121:
2122: L<rsh(1)>, L<su(1)>, L<fnmatch(3)>, L<glob(3)>, L<mktemp(3)>, L<strftime(3)>,
2123: L<sudoers.ldap(5)>, L<sudo_plugin(8)>, L<sudo(8)>, L<visudo(8)>
2124:
2125: =head1 CAVEATS
2126:
2127: The I<sudoers> file should B<always> be edited by the B<visudo>
2128: command which locks the file and does grammatical checking. It is
2129: imperative that I<sudoers> be free of syntax errors since B<sudo>
2130: will not run with a syntactically incorrect I<sudoers> file.
2131:
2132: When using netgroups of machines (as opposed to users), if you
2133: store fully qualified host name in the netgroup (as is usually the
2134: case), you either need to have the machine's host name be fully qualified
2135: as returned by the C<hostname> command or use the I<fqdn> option in
2136: I<sudoers>.
2137:
2138: =head1 BUGS
2139:
2140: If you feel you have found a bug in B<sudo>, please submit a bug report
2141: at http://www.sudo.ws/sudo/bugs/
2142:
2143: =head1 SUPPORT
2144:
2145: Limited free support is available via the sudo-users mailing list,
2146: see http://www.sudo.ws/mailman/listinfo/sudo-users to subscribe or
2147: search the archives.
2148:
2149: =head1 DISCLAIMER
2150:
2151: B<sudo> is provided ``AS IS'' and any express or implied warranties,
2152: including, but not limited to, the implied warranties of merchantability
2153: and fitness for a particular purpose are disclaimed. See the LICENSE
2154: file distributed with B<sudo> or http://www.sudo.ws/sudo/license.html
2155: for complete details.
FreeBSD-CVSweb <freebsd-cvsweb@FreeBSD.org>