respectively. It is not an error to use the -= operator to remove an element that does not exist in a list.
1.6.8p12 June, 20 2005 4

SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)

long_otp_prompt  When validating with a One Time Password scheme (S/Key or OPIE), a two-line prompt is used to make it easier to cut and paste the challenge to a local window. It's not as pretty as the default but some people find it more convenient. This flag is off by default.
ignore_dot  If set, sudo will ignore '.' or '' (current dir) in the PATH environment variable; the PATH itself is not modified. This flag is off by default. Currently, while it is possible to set ignore_dot in sudoers, its value is not used. This option should be considered read-only (it will be fixed in a future version of

mail_always  Send mail to the mailto user every time a user runs sudo. This flag is off by default.

mail_badpass  Send mail to the mailto user if the user running sudo does not enter the correct password. This flag is off by default.

mail_no_user  If set, mail will be sent to the mailto user if the invoking user is not in the sudoers file. This flag is on by default.

mail_no_host  If set, mail will be sent to the mailto user if the invoking user exists in the sudoers file, but is not allowed to run commands on the current host. This flag is off by default.

mail_no_perms  If set, mail will be sent to the mailto user if the invoking user is allowed to use sudo but the command they are trying is not listed in their sudoers file entry or is explicitly denied. This flag is off by default.

tty_tickets  If set, users must authenticate on a per-tty basis. Normally, sudo uses a directory in the ticket dir with the same name as the user running it. With this flag enabled, sudo will use a file named for the tty the user is logged in on in that directory. This flag is off by default.

authenticate  If set, users must authenticate themselves via a password (or other means of authentication) before they may run commands. This default may be overridden via the PASSWD and NOPASSWD tags. This flag is on by default.
340
root_sudo If set, root is allowed to run ssuuddoo too. Dis�
341
abling this prevents users from "chaining"
342
ssuuddoo commands to get a root shell by doing
343
something like "sudo sudo /bin/sh". Note,
344
however, that turning off _r_o_o_t___s_u_d_o will also
345
prevent root and from running ssuuddooeeddiitt. Dis�
346
abling _r_o_o_t___s_u_d_o provides no real additional
347
security; it exists purely for historical rea�
348
sons. This flag is _o_n by default.
350
log_host If set, the hostname will be logged in the
351
(non-syslog) ssuuddoo log file. This flag is _o_f_f
354
log_year If set, the four-digit year will be logged in
355
the (non-syslog) ssuuddoo log file. This flag is
359
If set and ssuuddoo is invoked with no arguments
360
it acts as if the --ss flag had been given.
361
That is, it runs a shell as root (the shell is
362
determined by the SHELL environment variable
363
if it is set, falling back on the shell listed
364
in the invoking user's /etc/passwd entry if
365
not). This flag is _o_f_f by default.
367
set_home If set and ssuuddoo is invoked with the --ss flag
368
the HOME environment variable will be set to
369
the home directory of the target user (which
370
is root unless the --uu option is used). This
371
effectively makes the --ss flag imply --HH. This
372
flag is _o_f_f by default.
375
If set, ssuuddoo will set the HOME environment
376
variable to the home directory of the target
377
user (which is root unless the --uu option is
378
used). This effectively means that the --HH
379
flag is always implied. This flag is _o_f_f by
382
path_info Normally, ssuuddoo will tell the user when a com�
383
mand could not be found in their PATH environ�
384
ment variable. Some sites may wish to disable
385
this as it could be used to gather information
386
on the location of executables that the normal
387
user does not have access to. The disadvan�
388
tage is that if the executable is simply not
389
in the user's PATH, ssuuddoo will tell the user
390
that they are not allowed to run it, which can
394
1.6.8p12 June, 20 2005 6
400
SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
403
be confusing. This flag is _o_f_f by default.
preserve_groups  By default sudo will initialize the group vector to the list of groups the target user is in. When preserve_groups is set, the user's existing group vector is left unaltered. The real and effective group IDs, however, are still set to match the target user. This flag is off by default.

fqdn  Set this flag if you want to put fully qualified hostnames in the sudoers file. I.e., instead of myhost you would use myhost.mydomain.edu. You may still use the short form if you wish (and even mix the two). Beware that turning on fqdn requires sudo to make DNS lookups which may make sudo unusable if DNS stops working (for example if the machine is not plugged into the network). Also note that you must use the host's official name as DNS knows it. That is, you may not use a host alias (CNAME entry) due to performance issues and the fact that there is no way to get all aliases from DNS. If your machine's hostname (as returned by the hostname command) is already fully qualified you shouldn't need to set fqdn. This flag is off by default.

insults  If set, sudo will insult users when they enter an incorrect password. This flag is off by default.

requiretty  If set, sudo will only run when the user is logged in to a real tty. This will disallow things like "rsh somehost sudo ls" since rsh(1) does not allocate a tty. Because it is not possible to turn off echo when there is no tty present, some sites may wish to set this flag to prevent a user from entering a visible password. This flag is off by default.

env_editor  If set, visudo will use the value of the EDITOR or VISUAL environment variables before falling back on the default editor list. Note that this may create a security hole as it allows the user to run any arbitrary command as root without logging. A safer alternative is to place a colon-separated list of editors in the editor variable. visudo will then only use the EDITOR or VISUAL if they match a value specified in editor. This flag is off by default.
rootpw  If set, sudo will prompt for the root password instead of the password of the invoking user. This flag is off by default.

runaspw  If set, sudo will prompt for the password of the user defined by the runas_default option (defaults to root) instead of the password of the invoking user. This flag is off by default.

targetpw  If set, sudo will prompt for the password of the user specified by the -u flag (defaults to root) instead of the password of the invoking user. Note that this precludes the use of a uid not listed in the passwd database as an argument to the -u flag. This flag is off by default.

set_logname  Normally, sudo will set the LOGNAME and USER environment variables to the name of the target user (usually root unless the -u flag is given). However, since some programs (including the RCS revision control system) use LOGNAME to determine the real identity of the user, it may be desirable to change this behavior. This can be done by negating the set_logname option.

stay_setuid  Normally, when sudo executes a command the real and effective UIDs are set to the target user (root by default). This option changes that behavior such that the real UID is left as the invoking user's UID. In other words, this makes sudo act as a setuid wrapper. This can be useful on systems that disable some potentially dangerous functionality when a program is run setuid. Note, however, that this means that sudo will run with the real uid of the invoking user which may allow that user to kill sudo before it can log a failure, depending on how your OS defines the interaction between signals and setuid processes.

env_reset  If set, sudo will reset the environment to only contain the following variables: HOME, LOGNAME, PATH, SHELL, TERM, and USER (in addition to the SUDO_* variables). Of these, only TERM is copied unaltered from the old environment. The other variables are set to default values (possibly modified by the value of the set_logname option). If sudo was compiled with the SECURE_PATH option, its value will be used for the PATH environment variable. Other variables may be preserved with the env_keep option.
use_loginclass  If set, sudo will apply the defaults specified for the target user's login class if one exists. Only available if sudo is configured with the --with-logincap option. This flag is off by default.

noexec  If set, all commands run via sudo will behave as if the NOEXEC tag has been set, unless overridden by an EXEC tag. See the description of NOEXEC and EXEC below as well as the "PREVENTING SHELL ESCAPES" section at the end of this manual. This flag is off by default.

ignore_local_sudoers  If set via LDAP, parsing of @sysconfdir@/sudoers will be skipped. This is intended for Enterprises that wish to prevent the usage of local sudoers files so that only LDAP is used. This thwarts the efforts of rogue operators who would attempt to add roles to @sysconfdir@/sudoers. When this option is present, @sysconfdir@/sudoers does not even need to exist. Since this option tells sudo how to behave when no specific LDAP entries have been matched, this sudoOption is only meaningful for the cn=defaults section. This flag is off by default.

passwd_tries  The number of tries a user gets to enter his/her password before sudo logs the failure and exits. The default is 3.

Integers that can be used in a boolean context:

loglinelen  Number of characters per line for the file log. This value is used to decide when to wrap lines for nicer log files. This has no effect on the syslog log file, only the file log. The default is 80 (use 0 or negate the option to disable word wrap).

timestamp_timeout  Number of minutes that can elapse before sudo will ask for a passwd again. The default is 5. Set this to 0 to always prompt for a password. If set to a value less than 0 the user's timestamp will never expire. This can be used to allow users to create or delete their own timestamps via sudo -v and sudo -k respectively.
passwd_timeout  Number of minutes before the sudo password prompt times out. The default is 5, set this to 0 for no password timeout.

umask  Umask to use when running the command. Negate this option or set it to 0777 to preserve the user's umask. The default is 0022.

mailsub  Subject of the mail sent to the mailto user. The escape %h will expand to the hostname of the machine. Default is *** SECURITY information for %h ***.

badpass_message  Message that is displayed if a user enters an incorrect password. The default is Sorry, try again. unless insults are enabled.

timestampdir  The directory in which sudo stores its timestamp files. The default is /var/run/sudo.

timestampowner  The owner of the timestamp directory and the timestamps stored therein. The default is

passprompt  The default prompt to use when asking for a password; can be overridden via the -p option or the SUDO_PROMPT environment variable. The following percent (`%') escapes are supported:

    %u   expanded to the invoking user's login
    %U   expanded to the login name of the user the command will be run as (defaults
    %h   expanded to the local hostname without
    %H   expanded to the local hostname including the domain name (only if the machine's hostname is fully qualified or the fqdn option is set)
    %%   two consecutive % characters are collapsed into a single % character

The default value is Password:.
runas_default  The default user to run commands as if the -u flag is not specified on the command line. This defaults to root. Note that if runas_default is set it must occur before any Runas_Alias specifications.

syslog_goodpri  Syslog priority to use when user authenticates successfully. Defaults to notice.

syslog_badpri  Syslog priority to use when user authenticates unsuccessfully. Defaults to alert.

editor  A colon (':') separated list of editors allowed to be used with visudo. visudo will choose the editor that matches the user's USER environment variable if possible, or the first editor in the list that exists and is executable. The default is the path to vi on your system.

noexec_file  Path to a shared library containing dummy versions of the execv(), execve() and fexecve() library functions that just return an error. This is used to implement the noexec functionality on systems that support LD_PRELOAD or its equivalent. Defaults to /usr/local/libexec/sudo_noexec.so.

Strings that can be used in a boolean context:

lecture  This option controls when a short lecture will be printed along with the password prompt. It has the following possible values:

    never    Never lecture the user.
    once     Only lecture the user the first time
    always   Always lecture the user.

If no value is specified, a value of once is implied. Negating the option results in a value of never being used. The default value
lecture_file  Path to a file containing an alternate sudo lecture that will be used in place of the standard lecture if the named file exists.

logfile  Path to the sudo log file (not the syslog log file). Setting a path turns on logging to a file; negating this option turns it off.

syslog  Syslog facility if syslog is being used for logging (negate to disable syslog logging).

mailerpath  Path to mail program used to send warning mail. Defaults to the path to sendmail found

mailerflags  Flags to use when invoking mailer. Defaults to

mailto  Address to send warning and error mail to. The address should be enclosed in double quotes (") to protect against sudo interpreting the @ sign. Defaults to root.

exempt_group  Users in this group are exempt from password and PATH requirements. This is not set by default.

verifypw  This option controls when a password will be required when a user runs sudo with the -v flag. It has the following possible values:

    all      All the user's sudoers entries for the current host must have the NOPASSWD flag set to avoid entering a password.
    any      At least one of the user's sudoers entries for the current host must have the NOPASSWD flag set to avoid entering a password.
    never    The user need never enter a password to use the -v flag.
    always   The user must always enter a password to use the -v flag.

If no value is specified, a value of all is implied. Negating the option results in a value of never being used. The default value
listpw  This option controls when a password will be required when a user runs sudo with the -l flag. It has the following possible values:

    all      All the user's sudoers entries for the current host must have the NOPASSWD flag set to avoid entering a password.
    any      At least one of the user's sudoers entries for the current host must have the NOPASSWD flag set to avoid entering a password.
    never    The user need never enter a password to use the -l flag.
    always   The user must always enter a password to use the -l flag.

If no value is specified, a value of any is implied. Negating the option results in a value of never being used. The default value
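As an added example (not sudo's own code, nor part of this manual), the following Python resolves the verifypw and listpw settings from Defaults lines and applies the all/any/never/always rules above to the NOPASSWD tags on a user's entries for the current host. The Defaults lines and entry tags are constructed samples, and it assumes that the implied value is also the default when no Defaults line mentions the option.

```python
"""Model of the sudoers verifypw / listpw password policy (added illustration)."""

VALID_VALUES = ("all", "any", "never", "always")

# Value implied when the option is given with no value (from the man page).
IMPLIED_VALUE = {"verifypw": "all", "listpw": "any"}


def resolve_setting(option, defaults_lines):
    """Walk Defaults lines in order and return the effective value.

    Assumption (not stated on the page): with no Defaults line at all the
    implied value applies. 'Defaults !option' negates the option to 'never',
    a bare 'Defaults option' selects the implied value.
    """
    if option not in IMPLIED_VALUE:
        raise ValueError(f"unsupported option {option!r}")
    value = IMPLIED_VALUE[option]
    for line in defaults_lines:
        body = line.strip()
        if not body.startswith("Defaults"):
            continue  # only Defaults lines matter here
        body = body[len("Defaults"):].strip()
        if body == "!" + option:
            value = "never"
        elif body == option:
            value = IMPLIED_VALUE[option]
        elif body.startswith(option) and "=" in body:
            name, rhs = body.split("=", 1)
            if name.strip() != option:
                continue  # some other option that merely shares the prefix
            rhs = rhs.strip()
            if rhs not in VALID_VALUES:
                raise ValueError(f"bad {option} value {rhs!r}")
            value = rhs
    return value


def password_required(mode, nopasswd_flags):
    """Decide whether sudo -v (verifypw) or sudo -l (listpw) must prompt.

    nopasswd_flags holds one bool per sudoers entry matching the user on the
    current host, True when that entry carries the NOPASSWD tag.
    """
    if mode == "never":
        return False
    if mode == "always":
        return True
    if not nopasswd_flags:
        # Assumption: a user with no entries for this host is still prompted.
        return True
    if mode == "all":
        return not all(nopasswd_flags)  # every entry must be NOPASSWD to skip
    if mode == "any":
        return not any(nopasswd_flags)  # one NOPASSWD entry is enough to skip
    raise ValueError(f"unknown mode {mode!r}")


# Constructed sample: one NOPASSWD entry and one PASSWD entry for this host,
# and a sudoers that relaxes verifypw but disables listpw prompting entirely.
SAMPLE_FLAGS = [True, False]
SAMPLE_DEFAULTS = ["Defaults verifypw = any", "Defaults !listpw"]

if __name__ == "__main__":
    for opt in ("verifypw", "listpw"):
        mode = resolve_setting(opt, SAMPLE_DEFAULTS)
        needed = password_required(mode, SAMPLE_FLAGS)
        print(opt, mode, "prompt" if needed else "no prompt")
```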
Lists that can be used in a boolean context:

env_check  Environment variables to be removed from the user's environment if the variable's value contains % or / characters. This can be used to guard against printf-style format vulnerabilities in poorly-written programs. The argument may be a double-quoted, space-separated list or a single value without double-quotes. The list can be replaced, added to, deleted from, or disabled by using the =, +=, -=, and ! operators respectively. The default list of environment variables to check is printed when sudo is run by root with the -V option.

env_delete  Environment variables to be removed from the user's environment. The argument may be a double-quoted, space-separated list or a single value without double-quotes. The list can be replaced, added to, deleted from, or disabled by using the =, +=, -=, and ! operators respectively. The default list of environment variables to remove is printed when sudo is run by root with the -V option. Note that many operating systems will remove potentially dangerous variables from the environment of any setuid process (such as sudo).

env_keep  Environment variables to be preserved in the user's environment when the env_reset option is in effect. This allows fine-grained control over the environment sudo-spawned processes will receive. The argument may be a double-quoted, space-separated list or a single value without double-quotes. The list can be replaced, added to, deleted from, or disabled by using the =, +=, -=, and ! operators respectively. This list has no default members.
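As an added illustration (not code from sudo or from this manual), the following Python applies the =, +=, -= and ! list operators to env_check, env_delete and env_keep and then filters a caller's environment the way the 1.6.9p6 env_reset text later on this page describes (base variables plus SUDO_*, then env_keep and passing env_check members). The Defaults lines and the environment are constructed samples; the real default list contents shown by sudo -V are assumed empty, and the resetting of HOME and PATH to default values is not modelled.

```python
"""Model of sudoers environment list handling (added illustration, not sudo code)."""

# Kept unconditionally under env_reset (plus every SUDO_* variable).
ENV_RESET_BASE = ("LOGNAME", "SHELL", "USER", "USERNAME")


def apply_list_op(current, op, values):
    """Apply one sudoers list operator to a list of variable names.

    '=' replaces the list, '+=' adds to it, '-=' deletes from it (removing a
    name that is not present is not an error) and '!' disables it.
    """
    if op == "=":
        return list(values)
    if op == "+=":
        return current + [v for v in values if v not in current]
    if op == "-=":
        return [v for v in current if v not in values]
    if op == "!":
        return []
    raise ValueError(f"unknown list operator {op!r}")


def parse_defaults_line(line):
    """Parse 'Defaults env_keep += "A B"' or 'Defaults !env_keep' into
    (list_name, operator, values); the value may be a double-quoted
    space-separated list or a single unquoted name."""
    body = line.strip()
    if not body.startswith("Defaults"):
        raise ValueError(f"not a Defaults line: {line!r}")
    body = body[len("Defaults"):].strip()
    if body.startswith("!"):
        return body[1:].strip(), "!", []
    for op in ("+=", "-=", "="):  # two-character operators first
        if op in body:
            name, rhs = body.split(op, 1)
            rhs = rhs.strip()
            if len(rhs) >= 2 and rhs.startswith('"') and rhs.endswith('"'):
                rhs = rhs[1:-1]
            return name.strip(), op, rhs.split()
    raise ValueError(f"no list operator in {line!r}")


def build_lists(defaults_lines):
    """Fold Defaults lines, in order, into the three environment lists."""
    lists = {"env_keep": [], "env_check": [], "env_delete": []}
    for line in defaults_lines:
        name, op, values = parse_defaults_line(line)
        lists[name] = apply_list_op(lists[name], op, values)
    return lists


def passes_env_check(value):
    """env_check drops a variable whose value contains '%' or '/'."""
    return "%" not in value and "/" not in value


def filter_environment(env, lists, env_reset=True):
    """Return the environment the command would receive.

    With env_reset only the base variables, SUDO_*, env_keep members and
    env_check members that pass the check survive. Without env_reset the
    caller's environment is kept minus env_delete members and env_check
    members whose value fails the check.
    """
    if env_reset:
        kept = {}
        for name, value in env.items():
            if name in ENV_RESET_BASE or name.startswith("SUDO_"):
                kept[name] = value
            elif name in lists["env_keep"]:
                kept[name] = value
            elif name in lists["env_check"] and passes_env_check(value):
                kept[name] = value
        return kept
    kept = dict(env)
    for name in list(kept):
        if name in lists["env_delete"]:
            del kept[name]
        elif name in lists["env_check"] and not passes_env_check(kept[name]):
            del kept[name]
    return kept


# Constructed sample configuration and caller environment.
SAMPLE_DEFAULTS = [
    'Defaults env_keep = "TZ DISPLAY"',
    'Defaults env_keep += LANG',
    'Defaults env_keep -= "DISPLAY NOT_THERE"',  # NOT_THERE is absent: no error
    'Defaults env_check = "COLORTERM LC_TIME"',
    'Defaults env_delete = LD_PRELOAD',
]
SAMPLE_ENV = {
    "USER": "alice", "LOGNAME": "alice", "SHELL": "/bin/sh", "SUDO_PROMPT": "pw:",
    "TZ": "UTC", "DISPLAY": ":0", "LANG": "C", "COLORTERM": "truecolor",
    "LC_TIME": "%n%n/../x", "LD_PRELOAD": "/tmp/x.so", "EDITOR": "vi",
}
```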
When logging via syslog(3), sudo accepts the following values for the syslog facility (the value of the syslog parameter): authpriv (if your OS supports it), auth, daemon, user, local0, local1, local2, local3, local4, local5, local6, and local7. The following syslog priorities are supported: alert, crit, debug, emerg, err, info, notice,
See "SUDOERS OPTIONS" for a list of supported Defaults

1.6.9p6 October 9, 2007 4

User Specification

('\') when used as part of a word (e.g. a username or hostname): '@', '!', '=', ':', ',', '(', ')', '\'.

SUDOERS OPTIONS

sudo's behavior can be modified by Default_Entry lines, as explained earlier. A list of all supported Defaults parameters, grouped by type, is given below.
always_set_home  If set, sudo will set the HOME environment variable to the home directory of the target user (which is root unless the -u option is used). This effectively means that the -H flag is always implied. This flag is off by default.

authenticate  If set, users must authenticate themselves via a password (or other means of authentication) before they may run commands. This default may be overridden via the PASSWD and NOPASSWD tags. This flag is on by default.

env_editor  If set, visudo will use the value of the EDITOR or VISUAL environment variables before falling back on the default editor list. Note that this may create a security hole as it allows the user to run any arbitrary command as root without logging. A safer alternative is to place a colon-separated list of editors in the editor variable. visudo will then only use the EDITOR or VISUAL if they match a value specified in editor. This flag is off by default.

env_reset  If set, sudo will reset the environment to only contain the LOGNAME, SHELL, USER, USERNAME and the SUDO_* variables. Any variables in the caller's environment that match the env_keep and env_check lists are then added. The default contents of the env_keep and env_check lists are displayed when sudo is run by root with the -V option. If sudo was compiled with the SECURE_PATH option, its value will be used for the PATH environment variable. This flag is on by default.
fqdn  Set this flag if you want to put fully qualified hostnames in the sudoers file. I.e., instead of myhost you would use myhost.mydomain.edu. You may still use the short form if you wish (and even mix the two). Beware that turning on fqdn requires sudo to make DNS lookups which may make sudo unusable if DNS stops working (for example if the machine is not plugged into the network). Also note that you must use the host's official name as DNS knows it. That is, you may not use a host alias (CNAME entry) due to performance issues and the fact that there is no way to get all aliases from DNS. If your machine's hostname (as returned by the hostname command) is already fully qualified you shouldn't need to set fqdn. This flag is off by default.

ignore_dot  If set, sudo will ignore '.' or '' (current dir) in the PATH environment variable; the PATH itself is not modified. This flag is off by default. Currently, while it is possible to set ignore_dot in sudoers, its value is not used. This option should be considered read-only (it will be fixed in a future version of

ignore_local_sudoers  If set via LDAP, parsing of @sysconfdir@/sudoers will be skipped. This is intended for Enterprises that wish to prevent the usage of local sudoers files so that only LDAP is used. This thwarts the efforts of rogue operators who would attempt to add roles to @sysconfdir@/sudoers. When this option is present, @sysconfdir@/sudoers does not even need to exist. Since this option tells sudo how to behave when no specific LDAP entries have been matched, this sudoOption is only meaningful for the cn=defaults section. This flag is off by default.
insults  If set, sudo will insult users when they enter an incorrect password. This flag is off by default.

log_host  If set, the hostname will be logged in the (non-syslog) sudo log file. This flag is off by default.

log_year  If set, the four-digit year will be logged in the (non-syslog) sudo log file. This flag is off by default.

long_otp_prompt  When validating with a One Time Password (OTP) scheme such as S/Key or OPIE, a two-line prompt is used to make it easier to cut and paste the challenge to a local window. It's not as pretty as the default but some people find it more convenient. This flag is off by default.

mail_always  Send mail to the mailto user every time a user runs sudo. This flag is off by default.

mail_badpass  Send mail to the mailto user if the user running sudo does not enter the correct password. This flag is off by default.

mail_no_host  If set, mail will be sent to the mailto user if the invoking user exists in the sudoers file, but is not allowed to run commands on the current host. This flag is off by default.

mail_no_perms  If set, mail will be sent to the mailto user if the invoking user is allowed to use sudo but the command they are trying is not listed in their sudoers file entry or is explicitly denied. This flag is off by default.

mail_no_user  If set, mail will be sent to the mailto user if the invoking user is not in the sudoers file. This flag is on by default.

noexec  If set, all commands run via sudo will behave as if the NOEXEC tag has been set, unless overridden by an EXEC tag. See the description of NOEXEC and EXEC below as well as the "PREVENTING SHELL ESCAPES" section at the end of this manual. This flag is off by default.
path_info  Normally, sudo will tell the user when a command could not be found in their PATH environment variable. Some sites may wish to disable this as it could be used to gather information on the location of executables that the normal user does not have access to. The disadvantage is that if the executable is simply not in the user's PATH, sudo will tell the user that they are not allowed to run it, which can be confusing. This flag is on by default.

preserve_groups  By default sudo will initialize the group vector to the list of groups the target user is in. When preserve_groups is set, the user's existing group vector is left unaltered. The real and effective group IDs, however, are still set to match the target user. This flag is off by default.

requiretty  If set, sudo will only run when the user is logged in to a real tty. This will disallow things like "rsh somehost sudo ls" since rsh(1) does not allocate a tty. Because it is not possible to turn off echo when there is no tty present, some sites may wish to set this flag to prevent a user from entering a visible password. This flag is off by default.

root_sudo  If set, root is allowed to run sudo too. Disabling this prevents users from "chaining" sudo commands to get a root shell by doing something like "sudo sudo /bin/sh". Note, however, that turning off root_sudo will also prevent root from running sudoedit. Disabling root_sudo provides no real additional security; it exists purely for historical reasons. This flag is on by default.

rootpw  If set, sudo will prompt for the root password instead of the password of the invoking user. This flag is off by default.

runaspw  If set, sudo will prompt for the password of the user defined by the runas_default option (defaults to root) instead of the password of the invoking user. This flag is off by default.
set_home  If set and sudo is invoked with the -s flag the HOME environment variable will be set to the home directory of the target user (which is root unless the -u option is used). This effectively makes the -s flag imply -H. This flag is off by default.

set_logname  Normally, sudo will set the LOGNAME, USER and USERNAME environment variables to the name of the target user (usually root unless the -u flag is given). However, since some programs (including the RCS revision control system) use LOGNAME to determine the real identity of the user, it may be desirable to change this behavior. This can be done by negating the set_logname option. Note that if the env_reset option has not been disabled, entries in the env_keep list will override the value of set_logname. This flag is

setenv  Allow the user to disable the env_reset option from the command line. Additionally, environment variables set via the command line are not subject to the restrictions imposed by env_check, env_delete, or env_keep. As such, only trusted users should be allowed to set variables in this manner. This flag is

shell_noargs  If set and sudo is invoked with no arguments it acts as if the -s flag had been given. That is, it runs a shell as root (the shell is determined by the SHELL environment variable if it is set, falling back on the shell listed in the invoking user's /etc/passwd entry if not). This flag is off by default.

stay_setuid  Normally, when sudo executes a command the real and effective UIDs are set to the target user (root by default). This option changes that behavior such that the real UID is left as the invoking user's UID. In other words, this makes sudo act as a setuid wrapper. This can be useful on systems that disable some potentially dangerous functionality when a program is run setuid. This option is only effective on systems with either the setreuid() or setresuid() function. This flag is off by default.
targetpw  If set, sudo will prompt for the password of the user specified by the -u flag (defaults to root) instead of the password of the invoking user. Note that this precludes the use of a uid not listed in the passwd database as an argument to the -u flag. This flag is off by default.

tty_tickets  If set, users must authenticate on a per-tty basis. Normally, sudo uses a directory in the ticket dir with the same name as the user running it. With this flag enabled, sudo will use a file named for the tty the user is logged in on in that directory. This flag is off by default.

use_loginclass  If set, sudo will apply the defaults specified for the target user's login class if one exists. Only available if sudo is configured with the --with-logincap option. This flag is off by default.

passwd_tries  The number of tries a user gets to enter his/her password before sudo logs the failure and exits. The default is 3.

Integers that can be used in a boolean context:

loglinelen  Number of characters per line for the file log. This value is used to decide when to wrap lines for nicer log files. This has no effect on the syslog log file, only the file log. The default is 80 (use 0 or negate the option to disable word wrap).

passwd_timeout  Number of minutes before the sudo password prompt times out. The default is 5; set this to 0 for no password timeout.

timestamp_timeout  Number of minutes that can elapse before sudo will ask for a passwd again. The default is 5. Set this to 0 to always prompt for a password. If set to a value less than 0 the user's timestamp will never expire. This can be used to allow users to create or delete their own timestamps via sudo -v and sudo -k respectively.

umask  Umask to use when running the command. Negate this option or set it to 0777 to preserve the user's umask. The default is 0022.
872
badpass_message Message that is displayed if a user enters
873
an incorrect password. The default is
874
Sorry, try again. unless insults are
877
editor A colon (':') separated list of editors
878
allowed to be used with vviissuuddoo. vviissuuddoo
879
will choose the editor that matches the
880
user's EDITOR environment variable if pos�
881
sible, or the first editor in the list
882
that exists and is executable. The
883
default is the path to vi on your system.
885
mailsub Subject of the mail sent to the _m_a_i_l_t_o
886
user. The escape %h will expand to the
887
hostname of the machine. Default is ***
888
SECURITY information for %h ***.
890
noexec_file Path to a shared library containing dummy
891
versions of the _e_x_e_c_v_(_), _e_x_e_c_v_e_(_) and _f_e_x_�
892
_e_c_v_e_(_) library functions that just return
893
an error. This is used to implement the
894
_n_o_e_x_e_c functionality on systems that sup�
895
port LD_PRELOAD or its equivalent.
897
_/_u_s_r_/_l_o_c_a_l_/_l_i_b_e_x_e_c_/_s_u_d_o___n_o_e_x_e_c_._s_o.
899
passprompt The default prompt to use when asking for
900
a password; can be overridden via the --pp
901
option or the SUDO_PROMPT environment
902
variable. The following percent (`%')
903
escapes are supported:
905
%H expanded to the local hostname includ�
906
ing the domain name (on if the
907
machine's hostname is fully qualified
908
or the _f_q_d_n option is set)
910
%h expanded to the local hostname without
913
%U expanded to the login name of the user
914
the command will be run as (defaults
917
%u expanded to the invoking user's login
                    %%  two consecutive % characters are collapsed into a
                        single % character

                    The default value is Password:.

    runas_default   The default user to run commands as if the -u flag is
                    not specified on the command line. This defaults to
                    root. Note that if runas_default is set it must occur
                    before any Runas_Alias specifications.

    syslog_badpri   Syslog priority to use when user authenticates
                    unsuccessfully. Defaults to alert.

    syslog_goodpri  Syslog priority to use when user authenticates
                    successfully. Defaults to notice.

    timestampdir    The directory in which sudo stores its timestamp files.
                    The default is /var/run/sudo.

    timestampowner  The owner of the timestamp directory and the timestamps
                    stored therein. The
    Strings that can be used in a boolean context:

                    Users in this group are exempt from password and PATH
                    requirements. This is not set by

    lecture         This option controls when a short lecture will be
                    printed along with the password prompt. It has the
                    following possible values:

                    always  Always lecture the user.

                    never   Never lecture the user.

                    once    Only lecture the user the first time

                    If no value is specified, a value of once is implied.
                    Negating the option results in a value of never being
                    used. The default value

                    Path to a file containing an alternate sudo lecture
                    that will be used in place of the standard lecture if
                    the named file exists. By default, sudo uses a built-in
                    lecture.
    listpw          This option controls when a password will be required
                    when a user runs sudo with the -l flag. It has the
                    following possible values:

                    all     All the user's sudoers entries for the current
                            host must have the NOPASSWD flag set to avoid
                            entering a password.

                    always  The user must always enter a password to use
                            the -l flag.

                    any     At least one of the user's sudoers entries for
                            the current host must have the NOPASSWD flag
                            set to avoid enter-

                    never   The user need never enter a password to use
                            the -l flag.

                    If no value is specified, a value of any is implied.
                    Negating the option results in a value of never being
                    used. The default value

    logfile         Path to the sudo log file (not the syslog log file).
                    Setting a path turns on logging to a file; negating
                    this option turns it off. By default, sudo logs via
                    syslog.

    mailerflags     Flags to use when invoking mailer. Defaults to

    mailerpath      Path to mail program used to send warning mail.
                    Defaults to the path to sendmail found

    mailto          Address to send warning and error mail to. The address
                    should be enclosed in double quotes (") to protect
                    against sudo interpreting the @ sign. Defaults to root.

    syslog          Syslog facility if syslog is being used for logging
                    (negate to disable syslog logging).

    verifypw        This option controls when a password will be required
                    when a user runs sudo with the -v flag. It has the
                    following possible values:

                    all     All the user's sudoers entries for the current
                            host must have the NOPASSWD flag set to avoid
                            entering a password.

                    always  The user must always enter a password
                            to use the -v flag.

                    any     At least one of the user's sudoers entries for
                            the current host must have the NOPASSWD flag
                            set to avoid enter-

                    never   The user need never enter a password to use
                            the -v flag.

                    If no value is specified, a value of all is implied.
                    Negating the option results in a value of never being
                    used. The default value
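    The difference between the listpw and verifypw values above (all
    versus any, and the implied value when the option is given bare or
    negated) is easiest to see in code. The following is an added model
    written for this page, not sudo's own logic; resolve_setting and
    password_required are hypothetical names, an entry is assumed to be a
    (host, nopasswd) pair with "ALL" matching every host, and the user is
    assumed to have at least one entry for the host.

```python
# Added model of the listpw / verifypw rules in sudoers(4); not sudo's own code.
# An entry is modelled as (host, nopasswd); "ALL" matches every host.
IMPLIED = {"listpw": "any", "verifypw": "all"}   # value when none is given

def resolve_setting(option, spec):
    """Map a Defaults token ('listpw', '!verifypw', 'listpw=all') to a mode."""
    if spec == option:                 # bare option: implied value
        return IMPLIED[option]
    if spec == "!" + option:           # negated option: never
        return "never"
    name, _, value = spec.partition("=")
    if name != option or value not in ("all", "always", "any", "never"):
        raise ValueError("bad setting: " + spec)
    return value

def password_required(mode, entries, host):
    """True if a password is needed for -l (listpw) or -v (verifypw).
    Assumes the user has at least one entry matching the host."""
    on_host = [nopasswd for h, nopasswd in entries if h in (host, "ALL")]
    if mode == "always":
        return True
    if mode == "never":
        return False
    if mode == "all":                  # every entry must carry NOPASSWD
        return not all(on_host)
    return not any(on_host)            # "any": one NOPASSWD entry suffices
```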
    Lists that can be used in a boolean context:

    env_check       Environment variables to be removed from the user's
                    environment if the variable's value contains % or /
                    characters. This can be used to guard against
                    printf-style format vulnerabilities in poorly-written
                    programs. The argument may be a double-quoted,
                    space-separated list or a single value without
                    double-quotes. The list can be replaced, added to,
                    deleted from, or disabled by using the =, +=, -=, and !
                    operators respectively. Regardless of whether the
                    env_reset option is enabled or disabled, variables
                    specified by env_check will be preserved in the
                    environment if they pass the aforementioned check. The
                    default list of environment variables to check is
                    displayed when sudo is run by root with the -V option.

    env_delete      Environment variables to be removed from the user's
                    environment. The argument may be a double-quoted,
                    space-separated list or a single value without
                    double-quotes. The list can be replaced, added to,
                    deleted from, or disabled by using the =, +=, -=, and !
                    operators respectively. The default list of
                    environment variables to remove is displayed when sudo
                    is run by root with the -V option. Note that many
                    operating systems will remove potentially dangerous
                    variables from the environment of any setuid process
                    (such as sudo).

    env_keep        Environment variables to be preserved in the user's
                    environment when the env_reset option is in effect.
                    This allows fine-grained control over the environment
                    sudo-spawned processes will receive. The argument may
                    be a double-quoted, space-separated list or a single
                    value without double-quotes. The list can be replaced,
                    added to, deleted from, or disabled by using the =, +=,
                    -=, and ! operators respectively. The default list of
                    variables to keep is displayed when sudo is run by root
                    with the -V option.
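    The three lists above share the =, +=, -= and ! operators, and the
    env_check rule (drop the variable if its value contains % or /,
    otherwise keep it even under env_reset) interacts with env_keep and
    env_delete. The following added example, written for this page rather
    than taken from sudo, parses a constructed Defaults fragment and applies
    a simplified model of those rules to a sample environment;
    parse_defaults and filter_env are hypothetical names.

```python
import re
# Constructed sudoers Defaults fragment (sample input, not a real file)
DEFAULTS = """
Defaults env_reset
Defaults env_check = "TZ TERM"
Defaults env_keep = "HOME LANG"
Defaults env_keep += EDITOR
Defaults env_keep -= "LANG MISSING"
Defaults env_delete = "LD_PRELOAD IFS"
"""
LIST_RE = re.compile(
    r'^Defaults\s+(!?)(env_check|env_delete|env_keep)\s*(?:(=|\+=|-=)\s*(.+))?$')

def parse_defaults(text):
    """Return (env_reset, lists) after applying =, +=, -= and ! in file order."""
    lists = {"env_check": set(), "env_delete": set(), "env_keep": set()}
    env_reset = False
    for line in (l.strip() for l in text.splitlines() if l.strip()):
        if line in ("Defaults env_reset", "Defaults !env_reset"):
            env_reset = not line.startswith("Defaults !")
            continue
        m = LIST_RE.match(line)
        if not m or (not m.group(1) and not m.group(3)):
            raise ValueError("unsupported line: " + line)
        neg, name, op, value = m.groups()
        if neg:                                  # "!" disables the list
            lists[name] = set()
            continue
        items = set(value.strip('"').split())    # quoted list or bare word
        if op == "=":
            lists[name] = items
        elif op == "+=":
            lists[name] |= items
        else:                                    # "-=": missing items are ignored
            lists[name] -= items
    return env_reset, lists

def filter_env(env, env_reset, lists):
    """Simplified model of the env_check / env_delete / env_keep rules."""
    kept = {}
    for name, value in env.items():
        if name in lists["env_delete"]:
            continue
        if name in lists["env_check"]:           # kept only if the value is clean
            if "%" not in value and "/" not in value:
                kept[name] = value
        elif not env_reset or name in lists["env_keep"]:
            kept[name] = value
    return kept
```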
    When logging via syslog(3), sudo accepts the following values for the
    syslog facility (the value of the syslog parameter): authpriv (if your
    OS supports it), auth, daemon, user, local0, local1, local2, local3,
    local4, local5, local6, and local7. The following syslog priorities
    are supported: alert, crit, debug, emerg, err, info, notice,

    /etc/sudoers    List of who can run what
    /etc/group      Local groups file
    /etc/netgroup   List of network groups

EXAMPLES
    Since the sudoers file is parsed in a single pass, order