.\" Copyright (c) 1994-1996, 1998-2005, 2007-2010
.\" Todd C. Miller <Todd.Miller@courtesan.com>
.\" Permission to use, copy, modify, and distribute this software for any
.\" purpose with or without fee is hereby granted, provided that the above
.\" copyright notice and this permission notice appear in all copies.
.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
.\" ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
.\" Sponsored in part by the Defense Advanced Research Projects
.\" Agency (DARPA) and Air Force Research Laboratory, Air Force
.\" Materiel Command, USAF, under agreement number F39502-99-1-0512.
.\" Automatically generated by Pod::Man 2.23 (Pod::Simple 3.14)
.\" Standard preamble:
.\" ========================================================================
.de Sp \" Vertical space (when we can't use .PP)
.de Vb \" Begin verbatim text
.de Ve \" End verbatim text
.\" Set up some character translations and predefined strings. \*(-- will
.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
.\" double quote, and \*(R" will give a right double quote. \*(C+ will
.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
.\" nothing in troff, for use with C<>.
.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
.\" Escape single quotes in literal strings from groff's Unicode transform.
.\" If the F register is turned on, we'll generate index entries on stderr for
.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
.\" entries marked with X<> in POD. Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
. tm Index:\\$1\t\\n%\t"\\$2"
.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear. Run. Save yourself. No user-serviceable parts.
. \" fudge factors for nroff and troff
. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
. \" simple accents for nroff and troff
. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
. \" troff and (daisy-wheel) nroff accents
.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
.ds ae a\h'-(\w'a'u*4/10)'e
.ds Ae A\h'-(\w'A'u*4/10)'E
. \" corrections for vroff
.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
. \" for low resolution devices (crt and lpr)
.if \n(.H>23 .if \n(.V>19 \
.\" ========================================================================
.IX Title "SUDOERS @mansectform@"
.TH SUDOERS @mansectform@ "January 12, 2011" "1.7.4" "MAINTENANCE COMMANDS"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
sudoers \- list of which users may execute what
.IX Header "DESCRIPTION"
The \fIsudoers\fR file is composed of two types of entries: aliases
(basically variables) and user specifications (which specify who
When multiple entries match for a user, they are applied in order.
Where there are multiple matches, the last match is used (which is
not necessarily the most specific match).
The \fIsudoers\fR grammar will be described below in Extended Backus-Naur
Form (\s-1EBNF\s0). Don't despair if you don't know what \s-1EBNF\s0 is; it is
fairly simple, and the definitions below are annotated.
.SS "Quick guide to \s-1EBNF\s0"
.IX Subsection "Quick guide to EBNF"
\&\s-1EBNF\s0 is a concise and exact way of describing the grammar of a language.
Each \s-1EBNF\s0 definition is made up of \fIproduction rules\fR. E.g.,
\& symbol ::= definition | alternate1 | alternate2 ...
Each \fIproduction rule\fR references others and thus makes up a
grammar for the language. \s-1EBNF\s0 also contains the following
operators, which many readers will recognize from regular
expressions. Do not, however, confuse them with \*(L"wildcard\*(R"
characters, which have different meanings.
.ie n .IP "\*(C`?\*(C'" 4
.el .IP "\f(CW\*(C`?\*(C'\fR" 4
Means that the preceding symbol (or group of symbols) is optional.
That is, it may appear once or not at all.
.ie n .IP "\*(C`*\*(C'" 4
.el .IP "\f(CW\*(C`*\*(C'\fR" 4
Means that the preceding symbol (or group of symbols) may appear
.ie n .IP "\*(C`+\*(C'" 4
.el .IP "\f(CW\*(C`+\*(C'\fR" 4
Means that the preceding symbol (or group of symbols) may appear
Parentheses may be used to group symbols together. For clarity,
we will use single quotes ('') to designate what is a verbatim character
string (as opposed to a symbol name).
.IX Subsection "Aliases"
There are four kinds of aliases: \f(CW\*(C`User_Alias\*(C'\fR, \f(CW\*(C`Runas_Alias\*(C'\fR,
\&\f(CW\*(C`Host_Alias\*(C'\fR and \f(CW\*(C`Cmnd_Alias\*(C'\fR.
\& Alias ::= \*(AqUser_Alias\*(Aq User_Alias (\*(Aq:\*(Aq User_Alias)* |
\& \*(AqRunas_Alias\*(Aq Runas_Alias (\*(Aq:\*(Aq Runas_Alias)* |
\& \*(AqHost_Alias\*(Aq Host_Alias (\*(Aq:\*(Aq Host_Alias)* |
\& \*(AqCmnd_Alias\*(Aq Cmnd_Alias (\*(Aq:\*(Aq Cmnd_Alias)*
\& User_Alias ::= NAME \*(Aq=\*(Aq User_List
\& Runas_Alias ::= NAME \*(Aq=\*(Aq Runas_List
\& Host_Alias ::= NAME \*(Aq=\*(Aq Host_List
\& Cmnd_Alias ::= NAME \*(Aq=\*(Aq Cmnd_List
\& NAME ::= [A\-Z]([A\-Z][0\-9]_)*
Each \fIalias\fR definition is of the form
\& Alias_Type NAME = item1, item2, ...
where \fIAlias_Type\fR is one of \f(CW\*(C`User_Alias\*(C'\fR, \f(CW\*(C`Runas_Alias\*(C'\fR, \f(CW\*(C`Host_Alias\*(C'\fR,
or \f(CW\*(C`Cmnd_Alias\*(C'\fR. A \f(CW\*(C`NAME\*(C'\fR is a string of uppercase letters, numbers,
and underscore characters ('_'). A \f(CW\*(C`NAME\*(C'\fR \fBmust\fR start with an
uppercase letter. It is possible to put several alias definitions
of the same type on a single line, joined by a colon (':'). E.g.,
\& Alias_Type NAME = item1, item2, item3 : NAME = item4, item5
The definitions of what constitutes a valid \fIalias\fR member follow.
\& User_List ::= User |
\& User \*(Aq,\*(Aq User_List
\& User ::= \*(Aq!\*(Aq* user name |
\& \*(Aq!\*(Aq* \*(Aq#\*(Aquid |
\& \*(Aq!\*(Aq* \*(Aq%\*(Aqgroup |
\& \*(Aq!\*(Aq* \*(Aq+\*(Aqnetgroup |
\& \*(Aq!\*(Aq* \*(Aq%:\*(Aqnonunix_group |
\& \*(Aq!\*(Aq* User_Alias
A \f(CW\*(C`User_List\*(C'\fR is made up of one or more user names, uids (prefixed
with '#'), system groups (prefixed with '%'), netgroups (prefixed
with '+') and \f(CW\*(C`User_Alias\*(C'\fRes. Each list item may be prefixed with
zero or more '!' operators. An odd number of '!' operators negate
the value of the item; an even number just cancel each other out.
A \f(CW\*(C`user name\*(C'\fR, \f(CW\*(C`group\*(C'\fR, \f(CW\*(C`netgroup\*(C'\fR or \f(CW\*(C`nonunix_group\*(C'\fR may
be enclosed in double quotes to avoid the need for escaping special
characters. Alternately, special characters may be specified in
escaped hex mode, e.g. \ex20 for space.
The \f(CW\*(C`nonunix_group\*(C'\fR syntax depends on the underlying implementation.
For instance, the \s-1QAS\s0 \s-1AD\s0 backend supports the following formats:
Group in the same domain: \*(L"Group Name\*(R"
Group in any domain: \*(L"Group Name@FULLY.QUALIFIED.DOMAIN\*(R"
Group \s-1SID:\s0 \*(L"S\-1\-2\-34\-5678901234\-5678901234\-5678901234\-567\*(R"
Note that quotes around group names are optional. Unquoted strings must
use a backslash (\e) to escape spaces and the '@' symbol.
\& Runas_List ::= Runas_Member |
\& Runas_Member \*(Aq,\*(Aq Runas_List
\& Runas_Member ::= \*(Aq!\*(Aq* user name |
\& \*(Aq!\*(Aq* \*(Aq#\*(Aquid |
\& \*(Aq!\*(Aq* \*(Aq%\*(Aqgroup |
\& \*(Aq!\*(Aq* +netgroup |
\& \*(Aq!\*(Aq* Runas_Alias
A \f(CW\*(C`Runas_List\*(C'\fR is similar to a \f(CW\*(C`User_List\*(C'\fR except that instead
of \f(CW\*(C`User_Alias\*(C'\fRes it can contain \f(CW\*(C`Runas_Alias\*(C'\fRes. Note that
user names and groups are matched as strings. In other words, two
users (groups) with the same uid (gid) are considered to be distinct.
If you wish to match all user names with the same uid (e.g.\ root
and toor), you can use a uid instead (#0 in the example given).
\& Host_List ::= Host |
\& Host \*(Aq,\*(Aq Host_List
\& Host ::= \*(Aq!\*(Aq* host name |
\& \*(Aq!\*(Aq* ip_addr |
\& \*(Aq!\*(Aq* network(/netmask)? |
\& \*(Aq!\*(Aq* \*(Aq+\*(Aqnetgroup |
\& \*(Aq!\*(Aq* Host_Alias
A \f(CW\*(C`Host_List\*(C'\fR is made up of one or more host names, \s-1IP\s0 addresses,
network numbers, netgroups (prefixed with '+') and other aliases.
Again, the value of an item may be negated with the '!' operator.
If you do not specify a netmask along with the network number,
\&\fBsudo\fR will query each of the local host's network interfaces and,
if the network number corresponds to one of the host's network
interfaces, the corresponding netmask will be used. The netmask
may be specified either in standard \s-1IP\s0 address notation
(e.g.\ 255.255.255.0 or ffff:ffff:ffff:ffff::),
or \s-1CIDR\s0 notation (number of bits, e.g.\ 24 or 64). A host name may
include shell-style wildcards (see the Wildcards section below),
but unless the \f(CW\*(C`host name\*(C'\fR command on your machine returns the fully
qualified host name, you'll need to use the \fIfqdn\fR option for
wildcards to be useful. Note \fBsudo\fR only inspects actual network
interfaces; this means that \s-1IP\s0 address 127.0.0.1 (localhost) will
never match. Also, the host name \*(L"localhost\*(R" will only match if
that is the actual host name, which is usually only the case for
non-networked systems.
\& Cmnd_List ::= Cmnd |
\& Cmnd \*(Aq,\*(Aq Cmnd_List
\& commandname ::= file name |
\& file name \*(Aq""\*(Aq
\& Cmnd ::= \*(Aq!\*(Aq* commandname |
\& \*(Aq!\*(Aq* directory |
\& \*(Aq!\*(Aq* "sudoedit" |
\& \*(Aq!\*(Aq* Cmnd_Alias
A \f(CW\*(C`Cmnd_List\*(C'\fR is a list of one or more commandnames, directories, and other
aliases. A commandname is a fully qualified file name which may include
shell-style wildcards (see the Wildcards section below). A simple
file name allows the user to run the command with any arguments he/she
wishes. However, you may also specify command line arguments (including
wildcards). Alternately, you can specify \f(CW""\fR to indicate that the command
may only be run \fBwithout\fR command line arguments. A directory is a
fully qualified path name ending in a '/'. When you specify a directory
in a \f(CW\*(C`Cmnd_List\*(C'\fR, the user will be able to run any file within that directory
(but not in any subdirectories therein).
If a \f(CW\*(C`Cmnd\*(C'\fR has associated command line arguments, then the arguments
in the \f(CW\*(C`Cmnd\*(C'\fR must match exactly those given by the user on the command line
(or match the wildcards if there are any). Note that the following
characters must be escaped with a '\e' if they are used in command
arguments: ',', ':', '=', '\e'. The special command \f(CW"sudoedit"\fR
is used to permit a user to run \fBsudo\fR with the \fB\-e\fR option (or
as \fBsudoedit\fR). It may take command line arguments just as
a normal command does.
.IX Subsection "Defaults"
Certain configuration options may be changed from their default
values at runtime via one or more \f(CW\*(C`Default_Entry\*(C'\fR lines. These
may affect all users on any host, all users on a specific host, a
specific user, a specific command, or commands being run as a specific user.
Note that per-command entries may not include command line arguments.
If you need to specify arguments, define a \f(CW\*(C`Cmnd_Alias\*(C'\fR and reference
\& Default_Type ::= \*(AqDefaults\*(Aq |
\& \*(AqDefaults\*(Aq \*(Aq@\*(Aq Host_List |
\& \*(AqDefaults\*(Aq \*(Aq:\*(Aq User_List |
\& \*(AqDefaults\*(Aq \*(Aq!\*(Aq Cmnd_List |
\& \*(AqDefaults\*(Aq \*(Aq>\*(Aq Runas_List
\& Default_Entry ::= Default_Type Parameter_List
\& Parameter_List ::= Parameter |
\& Parameter \*(Aq,\*(Aq Parameter_List
\& Parameter ::= Parameter \*(Aq=\*(Aq Value |
\& Parameter \*(Aq+=\*(Aq Value |
\& Parameter \*(Aq\-=\*(Aq Value |
\& \*(Aq!\*(Aq* Parameter
Parameters may be \fBflags\fR, \fBinteger\fR values, \fBstrings\fR, or \fBlists\fR.
Flags are implicitly boolean and can be turned off via the '!'
operator. Some integer, string and list parameters may also be
used in a boolean context to disable them. Values may be enclosed
in double quotes (\f(CW\*(C`"\*(C'\fR) when they contain multiple words. Special
characters may be escaped with a backslash (\f(CW\*(C`\e\*(C'\fR).
Lists have two additional assignment operators, \f(CW\*(C`+=\*(C'\fR and \f(CW\*(C`\-=\*(C'\fR.
These operators are used to add to and delete from a list respectively.
It is not an error to use the \f(CW\*(C`\-=\*(C'\fR operator to remove an element
that does not exist in a list.
Defaults entries are parsed in the following order: generic, host
and user Defaults first, then runas Defaults and finally command
See \*(L"\s-1SUDOERS\s0 \s-1OPTIONS\s0\*(R" for a list of supported Defaults parameters.
.SS "User Specification"
.IX Subsection "User Specification"
\& User_Spec ::= User_List Host_List \*(Aq=\*(Aq Cmnd_Spec_List \e
\& (\*(Aq:\*(Aq Host_List \*(Aq=\*(Aq Cmnd_Spec_List)*
\& Cmnd_Spec_List ::= Cmnd_Spec |
\& Cmnd_Spec \*(Aq,\*(Aq Cmnd_Spec_List
.ie \n(SL \& Cmnd_Spec ::= Runas_Spec? SELinux_Spec? Tag_Spec* Cmnd
.el \& Cmnd_Spec ::= Runas_Spec? Tag_Spec* Cmnd
\& Runas_Spec ::= \*(Aq(\*(Aq Runas_List? (\*(Aq:\*(Aq Runas_List)? \*(Aq)\*(Aq
\& SELinux_Spec ::= (\*(AqROLE=role\*(Aq | \*(AqTYPE=type\*(Aq)
\& Tag_Spec ::= (\*(AqNOPASSWD:\*(Aq | \*(AqPASSWD:\*(Aq | \*(AqNOEXEC:\*(Aq | \*(AqEXEC:\*(Aq |
\& \*(AqSETENV:\*(Aq | \*(AqNOSETENV:\*(Aq | \*(AqLOG_INPUT:\*(Aq | \*(AqNOLOG_INPUT:\*(Aq |
\& \*(AqLOG_OUTPUT:\*(Aq | \*(AqNOLOG_OUTPUT:\*(Aq)
A \fBuser specification\fR determines which commands a user may run
(and as what user) on specified hosts. By default, commands are
run as \fBroot\fR, but this can be changed on a per-command basis.
The basic structure of a user specification is `who = where (as_whom)
what'. Let's break that down into its constituent parts:
.IX Subsection "Runas_Spec"
A \f(CW\*(C`Runas_Spec\*(C'\fR determines the user and/or the group that a command
may be run as. A fully-specified \f(CW\*(C`Runas_Spec\*(C'\fR consists of two
\&\f(CW\*(C`Runas_List\*(C'\fRs (as defined above) separated by a colon (':') and
enclosed in a set of parentheses. The first \f(CW\*(C`Runas_List\*(C'\fR indicates
which users the command may be run as via \fBsudo\fR's \fB\-u\fR option.
The second defines a list of groups that can be specified via
\&\fBsudo\fR's \fB\-g\fR option. If both \f(CW\*(C`Runas_List\*(C'\fRs are specified, the
command may be run with any combination of users and groups listed
in their respective \f(CW\*(C`Runas_List\*(C'\fRs. If only the first is specified,
the command may be run as any user in the list but no \fB\-g\fR option
may be specified. If the first \f(CW\*(C`Runas_List\*(C'\fR is empty but the
second is specified, the command may be run as the invoking user
with the group set to any listed in the \f(CW\*(C`Runas_List\*(C'\fR. If no
\&\f(CW\*(C`Runas_Spec\*(C'\fR is specified the command may be run as \fBroot\fR and
no group may be specified.
A \f(CW\*(C`Runas_Spec\*(C'\fR sets the default for the commands that follow it.
What this means is that for the entry:
\& dgb boulder = (operator) /bin/ls, /bin/kill, /usr/bin/lprm
The user \fBdgb\fR may run \fI/bin/ls\fR, \fI/bin/kill\fR, and
\&\fI/usr/bin/lprm\fR \*(-- but only as \fBoperator\fR. E.g.,
\& $ sudo \-u operator /bin/ls.
It is also possible to override a \f(CW\*(C`Runas_Spec\*(C'\fR later on in an
entry. If we modify the entry like so:
\& dgb boulder = (operator) /bin/ls, (root) /bin/kill, /usr/bin/lprm
Then user \fBdgb\fR is now allowed to run \fI/bin/ls\fR as \fBoperator\fR,
but \fI/bin/kill\fR and \fI/usr/bin/lprm\fR as \fBroot\fR.
We can extend this to allow \fBdgb\fR to run \f(CW\*(C`/bin/ls\*(C'\fR with either
the user or group set to \fBoperator\fR:
\& dgb boulder = (operator : operator) /bin/ls, (root) /bin/kill, \e
In the following example, user \fBtcm\fR may run commands that access
a modem device file with the dialer group. Note that in this example
only the group will be set, the command still runs as user \fBtcm\fR.
\& tcm boulder = (:dialer) /usr/bin/tip, /usr/bin/cu, \e
\& /usr/local/bin/minicom
.IX Subsection "SELinux_Spec"
On systems with SELinux support, \fIsudoers\fR entries may optionally have
an SELinux role and/or type associated with a command. If a role or
type is specified with the command it will override any default values
specified in \fIsudoers\fR. A role or type specified on the command line,
however, will supersede the values in \fIsudoers\fR.
.IX Subsection "Tag_Spec"
A command may have zero or more tags associated with it. There are
eight possible tag values, \f(CW\*(C`NOPASSWD\*(C'\fR, \f(CW\*(C`PASSWD\*(C'\fR, \f(CW\*(C`NOEXEC\*(C'\fR,
\&\f(CW\*(C`EXEC\*(C'\fR, \f(CW\*(C`SETENV\*(C'\fR, \f(CW\*(C`NOSETENV\*(C'\fR, \f(CW\*(C`LOG_INPUT\*(C'\fR, \f(CW\*(C`NOLOG_INPUT\*(C'\fR,
\&\f(CW\*(C`LOG_OUTPUT\*(C'\fR and \f(CW\*(C`NOLOG_OUTPUT\*(C'\fR. Once a tag is set on a \f(CW\*(C`Cmnd\*(C'\fR,
subsequent \f(CW\*(C`Cmnd\*(C'\fRs in the \f(CW\*(C`Cmnd_Spec_List\*(C'\fR inherit the tag unless
it is overridden by the opposite tag (i.e.: \f(CW\*(C`PASSWD\*(C'\fR overrides
\&\f(CW\*(C`NOPASSWD\*(C'\fR and \f(CW\*(C`NOEXEC\*(C'\fR overrides \f(CW\*(C`EXEC\*(C'\fR).
\fI\s-1NOPASSWD\s0 and \s-1PASSWD\s0\fR
.IX Subsection "NOPASSWD and PASSWD"
By default, \fBsudo\fR requires that a user authenticate him or herself
before running a command. This behavior can be modified via the
\&\f(CW\*(C`NOPASSWD\*(C'\fR tag. Like a \f(CW\*(C`Runas_Spec\*(C'\fR, the \f(CW\*(C`NOPASSWD\*(C'\fR tag sets
a default for the commands that follow it in the \f(CW\*(C`Cmnd_Spec_List\*(C'\fR.
Conversely, the \f(CW\*(C`PASSWD\*(C'\fR tag can be used to reverse things.
\& ray rushmore = NOPASSWD: /bin/kill, /bin/ls, /usr/bin/lprm
would allow the user \fBray\fR to run \fI/bin/kill\fR, \fI/bin/ls\fR, and
\&\fI/usr/bin/lprm\fR as \fBroot\fR on the machine rushmore without
authenticating himself. If we only want \fBray\fR to be able to
run \fI/bin/kill\fR without a password the entry would be:
\& ray rushmore = NOPASSWD: /bin/kill, PASSWD: /bin/ls, /usr/bin/lprm
Note, however, that the \f(CW\*(C`PASSWD\*(C'\fR tag has no effect on users who are
in the group specified by the \fIexempt_group\fR option.
By default, if the \f(CW\*(C`NOPASSWD\*(C'\fR tag is applied to any of the entries
for a user on the current host, he or she will be able to run
\&\f(CW\*(C`sudo \-l\*(C'\fR without a password. Additionally, a user may only run
\&\f(CW\*(C`sudo \-v\*(C'\fR without a password if the \f(CW\*(C`NOPASSWD\*(C'\fR tag is present
for all a user's entries that pertain to the current host.
This behavior may be overridden via the verifypw and listpw options.
\fI\s-1NOEXEC\s0 and \s-1EXEC\s0\fR
.IX Subsection "NOEXEC and EXEC"
If \fBsudo\fR has been compiled with \fInoexec\fR support and the underlying
operating system supports it, the \f(CW\*(C`NOEXEC\*(C'\fR tag can be used to prevent
a dynamically-linked executable from running further commands itself.
In the following example, user \fBaaron\fR may run \fI/usr/bin/more\fR
and \fI/usr/bin/vi\fR but shell escapes will be disabled.
\& aaron shanty = NOEXEC: /usr/bin/more, /usr/bin/vi
See the \*(L"\s-1PREVENTING\s0 \s-1SHELL\s0 \s-1ESCAPES\s0\*(R" section below for more details
on how \f(CW\*(C`NOEXEC\*(C'\fR works and whether or not it will work on your system.
\fI\s-1SETENV\s0 and \s-1NOSETENV\s0\fR
.IX Subsection "SETENV and NOSETENV"
These tags override the value of the \fIsetenv\fR option on a per-command
basis. Note that if \f(CW\*(C`SETENV\*(C'\fR has been set for a command, any
environment variables set on the command line are not subject
to the restrictions imposed by \fIenv_check\fR, \fIenv_delete\fR, or
\&\fIenv_keep\fR. As such, only trusted users should be allowed to set
variables in this manner. If the command matched is \fB\s-1ALL\s0\fR, the
\&\f(CW\*(C`SETENV\*(C'\fR tag is implied for that command; this default may
be overridden by use of the \f(CW\*(C`NOSETENV\*(C'\fR tag.
\fI\s-1LOG_INPUT\s0 and \s-1NOLOG_INPUT\s0\fR
.IX Subsection "LOG_INPUT and NOLOG_INPUT"
These tags override the value of the \fIlog_input\fR option on a
per-command basis. For more information, see the description of
\&\fIlog_input\fR in the \*(L"\s-1SUDOERS\s0 \s-1OPTIONS\s0\*(R" section below.
\fI\s-1LOG_OUTPUT\s0 and \s-1NOLOG_OUTPUT\s0\fR
.IX Subsection "LOG_OUTPUT and NOLOG_OUTPUT"
These tags override the value of the \fIlog_output\fR option on a
per-command basis. For more information, see the description of
\&\fIlog_output\fR in the \*(L"\s-1SUDOERS\s0 \s-1OPTIONS\s0\*(R" section below.
.IX Subsection "Wildcards"
\&\fBsudo\fR allows shell-style \fIwildcards\fR (aka meta or glob characters)
to be used in host names, path names and command line arguments in
the \fIsudoers\fR file. Wildcard matching is done via the \fB\s-1POSIX\s0\fR
\&\fIglob\fR\|(3) and \fIfnmatch\fR\|(3) routines. Note that these are \fInot\fR
.ie n .IP "\*(C`*\*(C'" 8
.el .IP "\f(CW\*(C`*\*(C'\fR" 8
Matches any set of zero or more characters.
.ie n .IP "\*(C`?\*(C'" 8
.el .IP "\f(CW\*(C`?\*(C'\fR" 8
Matches any single character.
.ie n .IP "\*(C`[...]\*(C'" 8
.el .IP "\f(CW\*(C`[...]\*(C'\fR" 8
Matches any character in the specified range.
.ie n .IP "\*(C`[!...]\*(C'" 8
.el .IP "\f(CW\*(C`[!...]\*(C'\fR" 8
Matches any character \fBnot\fR in the specified range.
.ie n .IP "\*(C`\ex\*(C'" 8
.el .IP "\f(CW\*(C`\ex\*(C'\fR" 8
For any character \*(L"x\*(R", evaluates to \*(L"x\*(R". This is used to
escape special characters such as: \*(L"*\*(R", \*(L"?\*(R", \*(L"[\*(R", and \*(L"]\*(R".
\&\s-1POSIX\s0 character classes may also be used if your system's \fIglob\fR\|(3)
and \fIfnmatch\fR\|(3) functions support them. However, because the
\&\f(CW\*(Aq:\*(Aq\fR character has special meaning in \fIsudoers\fR, it must be
escaped. For example:
\& /bin/ls [[\e:alpha\e:]]*
Would match any file name beginning with a letter.
Note that a forward slash ('/') will \fBnot\fR be matched by
wildcards used in the path name. When matching the command
line arguments, however, a slash \fBdoes\fR get matched by
wildcards. This is to make a path like:
match \fI/usr/bin/who\fR but not \fI/usr/bin/X11/xterm\fR.
.SS "Exceptions to wildcard rules"
.IX Subsection "Exceptions to wildcard rules"
The following exceptions apply to the above rules:
.el .IP "\f(CW``''\fR" 8
If the empty string \f(CW""\fR is the only command line argument in the
\&\fIsudoers\fR entry it means that command is not allowed to be run
with \fBany\fR arguments.
.SS "Including other files from within sudoers"
.IX Subsection "Including other files from within sudoers"
It is possible to include other \fIsudoers\fR files from within the
\&\fIsudoers\fR file currently being parsed using the \f(CW\*(C`#include\*(C'\fR and
\&\f(CW\*(C`#includedir\*(C'\fR directives.
This can be used, for example, to keep a site-wide \fIsudoers\fR file
in addition to a local, per-machine file. For the sake of this
example the site-wide \fIsudoers\fR will be \fI/etc/sudoers\fR and the
per-machine one will be \fI/etc/sudoers.local\fR. To include
\&\fI/etc/sudoers.local\fR from within \fI/etc/sudoers\fR we would use the
following line in \fI/etc/sudoers\fR:
\&\f(CW\*(C`#include /etc/sudoers.local\*(C'\fR
When \fBsudo\fR reaches this line it will suspend processing of the
current file (\fI/etc/sudoers\fR) and switch to \fI/etc/sudoers.local\fR.
Upon reaching the end of \fI/etc/sudoers.local\fR, the rest of
\&\fI/etc/sudoers\fR will be processed. Files that are included may
themselves include other files. A hard limit of 128 nested include
files is enforced to prevent include file loops.
The file name may include the \f(CW%h\fR escape, signifying the short form
of the host name. I.e., if the machine's host name is \*(L"xerxes\*(R", then
\&\f(CW\*(C`#include /etc/sudoers.%h\*(C'\fR
will cause \fBsudo\fR to include the file \fI/etc/sudoers.xerxes\fR.
The \f(CW\*(C`#includedir\*(C'\fR directive can be used to create a \fIsudo.d\fR
directory that the system package manager can drop \fIsudoers\fR rules
into as part of package installation. For example, given:
\&\f(CW\*(C`#includedir /etc/sudoers.d\*(C'\fR
\&\fBsudo\fR will read each file in \fI/etc/sudoers.d\fR, skipping file
names that end in \f(CW\*(C`~\*(C'\fR or contain a \f(CW\*(C`.\*(C'\fR character to avoid causing
problems with package manager or editor temporary/backup files.
Files are parsed in sorted lexical order. That is,
\&\fI/etc/sudoers.d/01_first\fR will be parsed before
\&\fI/etc/sudoers.d/10_second\fR. Be aware that because the sorting is
lexical, not numeric, \fI/etc/sudoers.d/1_whoops\fR would be loaded
\&\fBafter\fR \fI/etc/sudoers.d/10_second\fR. Using a consistent number
of leading zeroes in the file names can be used to avoid such
Note that unlike files included via \f(CW\*(C`#include\*(C'\fR, \fBvisudo\fR will not
edit the files in a \f(CW\*(C`#includedir\*(C'\fR directory unless one of them
contains a syntax error. It is still possible to run \fBvisudo\fR
with the \f(CW\*(C`\-f\*(C'\fR flag to edit the files directly.
.SS "Other special characters and reserved words"
.IX Subsection "Other special characters and reserved words"
The pound sign ('#') is used to indicate a comment (unless it is
part of a #include directive or unless it occurs in the context of
a user name and is followed by one or more digits, in which case
it is treated as a uid). Both the comment character and any text
after it, up to the end of the line, are ignored.
The reserved word \fB\s-1ALL\s0\fR is a built-in \fIalias\fR that always causes
a match to succeed. It can be used wherever one might otherwise
use a \f(CW\*(C`Cmnd_Alias\*(C'\fR, \f(CW\*(C`User_Alias\*(C'\fR, \f(CW\*(C`Runas_Alias\*(C'\fR, or \f(CW\*(C`Host_Alias\*(C'\fR.
708
You should not try to define your own \fIalias\fR called \fB\s-1ALL\s0\fR as the
709
built-in alias will be used in preference to your own. Please note
710
that using \fB\s-1ALL\s0\fR can be dangerous since in a command context, it
711
allows the user to run \fBany\fR command on the system.
713
An exclamation point ('!') can be used as a logical \fInot\fR operator
714
both in an \fIalias\fR and in front of a \f(CW\*(C`Cmnd\*(C'\fR. This allows one to
715
exclude certain values. Note, however, that using a \f(CW\*(C`!\*(C'\fR in
716
conjunction with the built-in \f(CW\*(C`ALL\*(C'\fR alias to allow a user to
717
run \*(L"all but a few\*(R" commands rarely works as intended (see \s-1SECURITY\s0
718
\&\s-1NOTES\s0 below).
720
Long lines can be continued with a backslash ('\e') as the last
721
character on the line.
723
Whitespace between elements in a list as well as special syntactic
724
characters in a \fIUser Specification\fR ('=', ':', '(', ')') is optional.
726
The following characters must be escaped with a backslash ('\e') when
727
used as part of a word (e.g.\ a user name or host name):
728
\&'@', '!', '=', ':', ',', '(', ')', '\e'.
729
.SH "SUDOERS OPTIONS"
730
.IX Header "SUDOERS OPTIONS"
731
\&\fBsudo\fR's behavior can be modified by \f(CW\*(C`Default_Entry\*(C'\fR lines, as
732
explained earlier. A list of all supported Defaults parameters,
733
grouped by type, are listed below.
735
\&\fBBoolean Flags\fR:
736
.IP "always_set_home" 16
737
.IX Item "always_set_home"
738
If enabled, \fBsudo\fR will set the \f(CW\*(C`HOME\*(C'\fR environment variable to the
739
home directory of the target user (which is root unless the \fB\-u\fR
740
option is used). This effectively means that the \fB\-H\fR option is
741
always implied. Note that \f(CW\*(C`HOME\*(C'\fR is already set when the
742
\&\fIenv_reset\fR option is enabled, so \fIalways_set_home\fR is only
743
effective for configurations where \fIenv_reset\fR is disabled.
744
This flag is \fIoff\fR by default.
745
.IP "authenticate" 16
746
.IX Item "authenticate"
747
If set, users must authenticate themselves via a password (or other
748
means of authentication) before they may run commands. This default
749
may be overridden via the \f(CW\*(C`PASSWD\*(C'\fR and \f(CW\*(C`NOPASSWD\*(C'\fR tags.
750
This flag is \fIon\fR by default.
751
.IP "closefrom_override" 16
752
.IX Item "closefrom_override"
753
If set, the user may use \fBsudo\fR's \fB\-C\fR option which
754
overrides the default starting point at which \fBsudo\fR begins
755
closing open file descriptors. This flag is \fIoff\fR by default.
757
.IX Item "compress_io"
758
If set, and \fBsudo\fR is configured to log a command's input or output,
759
the I/O logs will be compressed using \fBzlib\fR. This flag is \fIon\fR
760
by default when \fBsudo\fR is compiled with \fBzlib\fR support.
762
.IX Item "env_editor"
763
If set, \fBvisudo\fR will use the value of the \s-1EDITOR\s0 or \s-1VISUAL\s0
764
environment variables before falling back on the default editor list.
765
Note that this may create a security hole as it allows the user to
766
run any arbitrary command as root without logging. A safer alternative
767
is to place a colon-separated list of editors in the \f(CW\*(C`editor\*(C'\fR
768
variable. \fBvisudo\fR will then only use the \s-1EDITOR\s0 or \s-1VISUAL\s0 if
769
they match a value specified in \f(CW\*(C`editor\*(C'\fR. This flag is \fI@env_editor@\fR by
773
If set, \fBsudo\fR will reset the environment to only contain the
774
\&\s-1LOGNAME\s0, \s-1MAIL\s0, \s-1SHELL\s0, \s-1USER\s0, \s-1USERNAME\s0 and the \f(CW\*(C`SUDO_*\*(C'\fR variables. Any
775
variables in the caller's environment that match the \f(CW\*(C`env_keep\*(C'\fR
776
and \f(CW\*(C`env_check\*(C'\fR lists are then added. The default contents of the
777
\&\f(CW\*(C`env_keep\*(C'\fR and \f(CW\*(C`env_check\*(C'\fR lists are displayed when \fBsudo\fR is
778
run by root with the \fI\-V\fR option. If the \fIsecure_path\fR option
779
is set, its value will be used for the \f(CW\*(C`PATH\*(C'\fR environment variable.
780
This flag is \fIon\fR by default.
783
Normally, \fBsudo\fR uses the \fIglob\fR\|(3) function to do shell-style
784
globbing when matching path names. However, since it accesses the
785
file system, \fIglob\fR\|(3) can take a long time to complete for some
786
patterns, especially when the pattern references a network file
787
system that is mounted on demand (automounted). The \fIfast_glob\fR
788
option causes \fBsudo\fR to use the \fIfnmatch\fR\|(3) function, which does
789
not access the file system to do its matching. The disadvantage
790
of \fIfast_glob\fR is that it is unable to match relative path names
791
such as \fI./ls\fR or \fI../bin/ls\fR. This has security implications
792
when path names that include globbing characters are used with the
793
negation operator, \f(CW\*(Aq!\*(Aq\fR, as such rules can be trivially bypassed.
794
As such, this option should not be used when \fIsudoers\fR contains rules
795
that contain negated path names which include globbing characters.
796
This flag is \fIoff\fR by default.
799
Set this flag if you want to put fully qualified host names in the
800
\&\fIsudoers\fR file. I.e., instead of myhost you would use myhost.mydomain.edu.
801
You may still use the short form if you wish (and even mix the two).
802
Beware that turning on \fIfqdn\fR requires \fBsudo\fR to make \s-1DNS\s0 lookups
803
which may make \fBsudo\fR unusable if \s-1DNS\s0 stops working (for example
804
if the machine is not plugged into the network). Also note that
805
you must use the host's official name as \s-1DNS\s0 knows it. That is,
806
you may not use a host alias (\f(CW\*(C`CNAME\*(C'\fR entry) due to performance
807
issues and the fact that there is no way to get all aliases from
808
\&\s-1DNS\s0. If your machine's host name (as returned by the \f(CW\*(C`hostname\*(C'\fR
809
command) is already fully qualified you shouldn't need to set
810
\&\fIfqdn\fR. This flag is \fI@fqdn@\fR by default.
812
.IX Item "ignore_dot"
813
If set, \fBsudo\fR will ignore '.' or '' (current dir) in the \f(CW\*(C`PATH\*(C'\fR
814
environment variable; the \f(CW\*(C`PATH\*(C'\fR itself is not modified. This
815
flag is \fI@ignore_dot@\fR by default.
816
.IP "ignore_local_sudoers" 16
817
.IX Item "ignore_local_sudoers"
818
If set via \s-1LDAP\s0, parsing of \fI@sysconfdir@/sudoers\fR will be skipped.
819
This is intended for Enterprises that wish to prevent the usage of local
820
sudoers files so that only \s-1LDAP\s0 is used. This thwarts the efforts of
821
rogue operators who would attempt to add roles to \fI@sysconfdir@/sudoers\fR.
822
When this option is present, \fI@sysconfdir@/sudoers\fR does not even need to
823
exist. Since this option tells \fBsudo\fR how to behave when no specific \s-1LDAP\s0
824
entries have been matched, this sudoOption is only meaningful for the
825
\&\f(CW\*(C`cn=defaults\*(C'\fR section. This flag is \fIoff\fR by default.
828
If set, \fBsudo\fR will insult users when they enter an incorrect
829
password. This flag is \fI@insults@\fR by default.
832
If set, the host name will be logged in the (non-syslog) \fBsudo\fR log file.
833
This flag is \fIoff\fR by default.
836
If set, the four-digit year will be logged in the (non-syslog) \fBsudo\fR log file.
837
This flag is \fIoff\fR by default.
838
.IP "long_otp_prompt" 16
839
.IX Item "long_otp_prompt"
840
When validating with a One Time Password (\s-1OTP\s0) scheme such as
841
\&\fBS/Key\fR or \fB\s-1OPIE\s0\fR, a two-line prompt is used to make it easier
842
to cut and paste the challenge to a local window. It's not as
843
pretty as the default but some people find it more convenient. This
844
flag is \fI@long_otp_prompt@\fR by default.
846
.IX Item "mail_always"
847
Send mail to the \fImailto\fR user every time a user runs \fBsudo\fR.
848
This flag is \fIoff\fR by default.
849
.IP "mail_badpass" 16
850
.IX Item "mail_badpass"
851
Send mail to the \fImailto\fR user if the user running \fBsudo\fR does not
852
enter the correct password. This flag is \fIoff\fR by default.
853
.IP "mail_no_host" 16
854
.IX Item "mail_no_host"
855
If set, mail will be sent to the \fImailto\fR user if the invoking
856
user exists in the \fIsudoers\fR file, but is not allowed to run
857
commands on the current host. This flag is \fI@mail_no_host@\fR by default.
858
.IP "mail_no_perms" 16
859
.IX Item "mail_no_perms"
860
If set, mail will be sent to the \fImailto\fR user if the invoking
861
user is allowed to use \fBsudo\fR but the command they are trying is not
862
listed in their \fIsudoers\fR file entry or is explicitly denied.
863
This flag is \fI@mail_no_perms@\fR by default.
864
.IP "mail_no_user" 16
865
.IX Item "mail_no_user"
866
If set, mail will be sent to the \fImailto\fR user if the invoking
867
user is not in the \fIsudoers\fR file. This flag is \fI@mail_no_user@\fR
871
If set, all commands run via \fBsudo\fR will behave as if the \f(CW\*(C`NOEXEC\*(C'\fR
872
tag has been set, unless overridden by a \f(CW\*(C`EXEC\*(C'\fR tag. See the
873
description of \fI\s-1NOEXEC\s0 and \s-1EXEC\s0\fR below as well as the \*(L"\s-1PREVENTING\s0 \s-1SHELL\s0
874
\&\s-1ESCAPES\s0\*(R" section at the end of this manual. This flag is \fIoff\fR by default.
877
Normally, \fBsudo\fR will tell the user when a command could not be
878
found in their \f(CW\*(C`PATH\*(C'\fR environment variable. Some sites may wish
879
to disable this as it could be used to gather information on the
880
location of executables that the normal user does not have access
881
to. The disadvantage is that if the executable is simply not in
882
the user's \f(CW\*(C`PATH\*(C'\fR, \fBsudo\fR will tell the user that they are not
883
allowed to run it, which can be confusing. This flag is \fI@path_info@\fR
885
.IP "passprompt_override" 16
886
.IX Item "passprompt_override"
887
The password prompt specified by \fIpassprompt\fR will normally only
888
be used if the password prompt provided by systems such as \s-1PAM\s0 matches
889
the string \*(L"Password:\*(R". If \fIpassprompt_override\fR is set, \fIpassprompt\fR
890
will always be used. This flag is \fIoff\fR by default.
891
.IP "preserve_groups" 16
892
.IX Item "preserve_groups"
893
By default, \fBsudo\fR will initialize the group vector to the list of
894
groups the target user is in. When \fIpreserve_groups\fR is set, the
895
user's existing group vector is left unaltered. The real and
896
effective group IDs, however, are still set to match the target
897
user. This flag is \fIoff\fR by default.
899
.IX Item "pwfeedback"
900
By default, \fBsudo\fR reads the password like most other Unix programs,
901
by turning off echo until the user hits the return (or enter) key.
902
Some users become confused by this as it appears to them that \fBsudo\fR
903
has hung at this point. When \fIpwfeedback\fR is set, \fBsudo\fR will
904
provide visual feedback when the user presses a key. Note that
905
this does have a security impact as an onlooker may be able to
906
determine the length of the password being entered.
907
This flag is \fIoff\fR by default.
909
.IX Item "requiretty"
910
If set, \fBsudo\fR will only run when the user is logged in to a real
911
tty. When this flag is set, \fBsudo\fR can only be run from a login
912
session and not via other means such as \fIcron\fR\|(@mansectsu@) or cgi-bin scripts.
913
This flag is \fIoff\fR by default.
916
If set, root is allowed to run \fBsudo\fR too. Disabling this prevents users
917
from \*(L"chaining\*(R" \fBsudo\fR commands to get a root shell by doing something
918
like \f(CW"sudo sudo /bin/sh"\fR. Note, however, that turning off \fIroot_sudo\fR
919
will also prevent root from running \fBsudoedit\fR.
920
Disabling \fIroot_sudo\fR provides no real additional security; it
921
exists purely for historical reasons.
922
This flag is \fI@root_sudo@\fR by default.
925
If set, \fBsudo\fR will prompt for the root password instead of the password
926
of the invoking user. This flag is \fIoff\fR by default.
929
If set, \fBsudo\fR will prompt for the password of the user defined by the
930
\&\fIrunas_default\fR option (defaults to \f(CW\*(C`@runas_default@\*(C'\fR) instead of the
931
password of the invoking user. This flag is \fIoff\fR by default.
934
If enabled and \fBsudo\fR is invoked with the \fB\-s\fR option the \f(CW\*(C`HOME\*(C'\fR
935
environment variable will be set to the home directory of the target
936
user (which is root unless the \fB\-u\fR option is used). This effectively
937
makes the \fB\-s\fR option imply \fB\-H\fR. Note that \f(CW\*(C`HOME\*(C'\fR is already
938
set when the \fIenv_reset\fR option is enabled, so \fIset_home\fR is
939
only effective for configurations where \fIenv_reset\fR is disabled.
940
This flag is \fIoff\fR by default.
942
.IX Item "set_logname"
943
Normally, \fBsudo\fR will set the \f(CW\*(C`LOGNAME\*(C'\fR, \f(CW\*(C`USER\*(C'\fR and \f(CW\*(C`USERNAME\*(C'\fR
944
environment variables to the name of the target user (usually root
945
unless the \fB\-u\fR option is given). However, since some programs
946
(including the \s-1RCS\s0 revision control system) use \f(CW\*(C`LOGNAME\*(C'\fR to
947
determine the real identity of the user, it may be desirable to
948
change this behavior. This can be done by negating the set_logname
949
option. Note that if the \fIenv_reset\fR option has not been disabled,
950
entries in the \fIenv_keep\fR list will override the value of
951
\&\fIset_logname\fR. This flag is \fIon\fR by default.
954
Allow the user to disable the \fIenv_reset\fR option from the command
955
line. Additionally, environment variables set via the command line
956
are not subject to the restrictions imposed by \fIenv_check\fR,
957
\&\fIenv_delete\fR, or \fIenv_keep\fR. As such, only trusted users should
958
be allowed to set variables in this manner. This flag is \fIoff\fR
960
.IP "shell_noargs" 16
961
.IX Item "shell_noargs"
962
If set and \fBsudo\fR is invoked with no arguments it acts as if the
963
\&\fB\-s\fR option had been given. That is, it runs a shell as root (the
964
shell is determined by the \f(CW\*(C`SHELL\*(C'\fR environment variable if it is
965
set, falling back on the shell listed in the invoking user's
966
/etc/passwd entry if not). This flag is \fIoff\fR by default.
968
.IX Item "stay_setuid"
969
Normally, when \fBsudo\fR executes a command the real and effective
970
UIDs are set to the target user (root by default). This option
971
changes that behavior such that the real \s-1UID\s0 is left as the invoking
972
user's \s-1UID\s0. In other words, this makes \fBsudo\fR act as a setuid
973
wrapper. This can be useful on systems that disable some potentially
974
dangerous functionality when a program is run setuid. This option
975
is only effective on systems with either the \fIsetreuid()\fR or \fIsetresuid()\fR
976
function. This flag is \fIoff\fR by default.
979
If set, \fBsudo\fR will prompt for the password of the user specified
980
by the \fB\-u\fR option (defaults to \f(CW\*(C`root\*(C'\fR) instead of the password
981
of the invoking user. In addition, the timestamp file name will
982
include the target user's name. Note that this flag precludes the
983
use of a uid not listed in the passwd database as an argument to
984
the \fB\-u\fR option. This flag is \fIoff\fR by default.
987
If set, \fBsudo\fR will run the command in a \fIpseudo tty\fR and log all
989
If the standard input is not connected to the user's tty, due to
990
I/O redirection or because the command is part of a pipeline, that
991
input is also captured and stored in a separate log file.
993
Input is logged to the \fI/var/log/sudo\-io\fR directory using a unique
994
session \s-1ID\s0 that is included in the normal \fBsudo\fR log line, prefixed
997
.IX Item "log_output"
998
If set, \fBsudo\fR will run the command in a \fIpseudo tty\fR and log all
999
output that is sent to the screen, similar to the \fIscript\fR\|(1) command.
1000
If the standard output or standard error is not connected to the
1001
user's tty, due to I/O redirection or because the command is part
1002
of a pipeline, that output is also captured and stored in separate
1005
Output is logged to the
1006
\&\fI/var/log/sudo\-io\fR directory using a unique session \s-1ID\s0 that is
1007
included in the normal \fBsudo\fR log line, prefixed with \fITSID=\fR.
1009
Output logs may be viewed with the \fIsudoreplay\fR\|(@mansectsu@) utility, which
1010
can also be used to list or search the available logs.
1011
.IP "tty_tickets" 16
1012
.IX Item "tty_tickets"
1013
If set, users must authenticate on a per-tty basis. With this flag
1014
enabled, \fBsudo\fR will use a file named for the tty the user is
1015
logged in on in the user's time stamp directory. If disabled, the
1016
time stamp of the directory is used instead. This flag is
1017
\&\fI@tty_tickets@\fR by default.
1018
.IP "umask_override" 16
1019
.IX Item "umask_override"
1020
If set, \fBsudo\fR will set the umask as specified by \fIsudoers\fR without
1021
modification. This makes it possible to specify a more permissive
1022
umask in \fIsudoers\fR than the user's own umask and matches historical
1023
behavior. If \fIumask_override\fR is not set, \fBsudo\fR will set the
1024
umask to be the union of the user's umask and what is specified in
1025
\&\fIsudoers\fR. This flag is \fIoff\fR by default.
1027
.IP "use_loginclass" 16
1028
.IX Item "use_loginclass"
1029
If set, \fBsudo\fR will apply the defaults specified for the target user's
1030
login class if one exists. Only available if \fBsudo\fR is configured with
1031
the \-\-with\-logincap option. This flag is \fIoff\fR by default.
1035
If set, \fBsudo\fR will run the command in a pseudo-pty even if no I/O
1036
logging is being done. A malicious program run under \fBsudo\fR could
1037
conceivably fork a background process that retains access to the user's
1038
terminal device after the main program has finished executing. Use
1039
of this option will make that impossible.
1041
.IX Item "visiblepw"
1042
By default, \fBsudo\fR will refuse to run if the user must enter a
1043
password but it is not possible to disable echo on the terminal.
1044
If the \fIvisiblepw\fR flag is set, \fBsudo\fR will prompt for a password
1045
even when it would be visible on the screen. This makes it possible
1046
to run things like \f(CW"rsh somehost sudo ls"\fR since \fIrsh\fR\|(1) does
1047
not allocate a tty. This flag is \fIoff\fR by default.
1051
.IX Item "closefrom"
1052
Before it executes a command, \fBsudo\fR will close all open file
1053
descriptors other than standard input, standard output and standard
1054
error (i.e. file descriptors 0\-2). The \fIclosefrom\fR option can be used
1055
to specify a different file descriptor at which to start closing.
1056
The default is \f(CW3\fR.
1057
.IP "passwd_tries" 16
1058
.IX Item "passwd_tries"
1059
The number of tries a user gets to enter his/her password before
1060
\&\fBsudo\fR logs the failure and exits. The default is \f(CW\*(C`@passwd_tries@\*(C'\fR.
1062
\&\fBIntegers that can be used in a boolean context\fR:
1064
.IX Item "loglinelen"
1065
Number of characters per line for the file log. This value is used
1066
to decide when to wrap lines for nicer log files. This has no
1067
effect on the syslog log file, only the file log. The default is
1068
\&\f(CW\*(C`@loglen@\*(C'\fR (use 0 or negate the option to disable word wrap).
1069
.IP "passwd_timeout" 16
1070
.IX Item "passwd_timeout"
1071
Number of minutes before the \fBsudo\fR password prompt times out, or
1072
\&\f(CW0\fR for no timeout. The timeout may include a fractional component
1073
if minute granularity is insufficient, for example \f(CW2.5\fR. The
1074
default is \f(CW\*(C`@password_timeout@\*(C'\fR.
1075
.IP "timestamp_timeout" 16
1076
.IX Item "timestamp_timeout"
1077
Number of minutes that can elapse before \fBsudo\fR will ask for a
1078
password again. The timeout may include a fractional component if
1079
minute granularity is insufficient, for example \f(CW2.5\fR. The default
1080
is \f(CW\*(C`@timeout@\*(C'\fR. Set this to \f(CW0\fR to always prompt for a password.
1081
If set to a value less than \f(CW0\fR the user's timestamp will never
1082
expire. This can be used to allow users to create or delete their
1083
own timestamps via \f(CW\*(C`sudo \-v\*(C'\fR and \f(CW\*(C`sudo \-k\*(C'\fR respectively.
1086
Umask to use when running the command. Negate this option or set
1087
it to 0777 to preserve the user's umask. The actual umask that is
1088
used will be the union of the user's umask and the value of the
1089
\&\fIumask\fR option, which defaults to \f(CW\*(C`@sudo_umask@\*(C'\fR. This guarantees
1090
that \fBsudo\fR never lowers the umask when running a command. Note
1091
on systems that use \s-1PAM\s0, the default \s-1PAM\s0 configuration may specify
1092
its own umask which will override the value set in \fIsudoers\fR.
1095
.IP "badpass_message" 16
1096
.IX Item "badpass_message"
1097
Message that is displayed if a user enters an incorrect password.
1098
The default is \f(CW\*(C`@badpass_message@\*(C'\fR unless insults are enabled.
1101
A colon (':') separated list of editors allowed to be used with
1102
\&\fBvisudo\fR. \fBvisudo\fR will choose the editor that matches the user's
1103
\&\s-1EDITOR\s0 environment variable if possible, or the first editor in the
1104
list that exists and is executable. The default is \f(CW"@editor@"\fR.
1107
Subject of the mail sent to the \fImailto\fR user. The escape \f(CW%h\fR
1108
will expand to the host name of the machine.
1109
Default is \f(CW\*(C`@mailsub@\*(C'\fR.
1110
.IP "noexec_file" 16
1111
.IX Item "noexec_file"
1112
Path to a shared library containing dummy versions of the \fIexecv()\fR,
1113
\&\fIexecve()\fR and \fIfexecve()\fR library functions that just return an error.
1114
This is used to implement the \fInoexec\fR functionality on systems that
1115
support \f(CW\*(C`LD_PRELOAD\*(C'\fR or its equivalent. Defaults to \fI@noexec_file@\fR.
1117
.IX Item "passprompt"
1118
The default prompt to use when asking for a password; can be overridden
1119
via the \fB\-p\fR option or the \f(CW\*(C`SUDO_PROMPT\*(C'\fR environment variable.
1120
The following percent (`\f(CW\*(C`%\*(C'\fR') escapes are supported:
1123
.el .IP "\f(CW%H\fR" 4
1125
expanded to the local host name including the domain name
1126
(only if the machine's host name is fully qualified or the \fIfqdn\fR
1129
.el .IP "\f(CW%h\fR" 4
1131
expanded to the local host name without the domain name
1133
.el .IP "\f(CW%p\fR" 4
1135
expanded to the user whose password is being asked for (respects the
1136
\&\fIrootpw\fR, \fItargetpw\fR and \fIrunaspw\fR flags in \fIsudoers\fR)
1138
.el .IP "\f(CW%U\fR" 4
1140
expanded to the login name of the user the command will
1141
be run as (defaults to root)
1143
.el .IP "\f(CW%u\fR" 4
1145
expanded to the invoking user's login name
1146
.ie n .IP "\*(C`%%\*(C'" 4
1147
.el .IP "\f(CW\*(C`%%\*(C'\fR" 4
1149
two consecutive \f(CW\*(C`%\*(C'\fR characters are collapsed into a single \f(CW\*(C`%\*(C'\fR character
1153
The default value is \f(CW\*(C`@passprompt@\*(C'\fR.
1158
The default SELinux role to use when constructing a new security
1159
context to run the command. The default role may be overridden on
1160
a per-command basis in \fIsudoers\fR or via command line options.
1161
This option is only available when \fBsudo\fR is built with SELinux support.
1163
.IP "runas_default" 16
1164
.IX Item "runas_default"
1165
The default user to run commands as if the \fB\-u\fR option is not specified
1166
on the command line. This defaults to \f(CW\*(C`@runas_default@\*(C'\fR.
1167
Note that if \fIrunas_default\fR is set it \fBmust\fR occur before
1168
any \f(CW\*(C`Runas_Alias\*(C'\fR specifications.
1169
.IP "syslog_badpri" 16
1170
.IX Item "syslog_badpri"
1171
Syslog priority to use when a user authenticates unsuccessfully.
1172
Defaults to \f(CW\*(C`@badpri@\*(C'\fR.
1173
.IP "syslog_goodpri" 16
1174
.IX Item "syslog_goodpri"
1175
Syslog priority to use when a user authenticates successfully.
1176
Defaults to \f(CW\*(C`@goodpri@\*(C'\fR.
1177
.IP "sudoers_locale" 16
1178
.IX Item "sudoers_locale"
1179
Locale to use when parsing the sudoers file. Note that changing
1180
the locale may affect how sudoers is interpreted.
1181
Defaults to \f(CW"C"\fR.
1182
.IP "timestampdir" 16
1183
.IX Item "timestampdir"
1184
The directory in which \fBsudo\fR stores its timestamp files.
1185
The default is \fI@timedir@\fR.
1186
.IP "timestampowner" 16
1187
.IX Item "timestampowner"
1188
The owner of the timestamp directory and the timestamps stored therein.
1189
The default is \f(CW\*(C`root\*(C'\fR.
1193
The default SELinux type to use when constructing a new security
1194
context to run the command. The default type may be overridden on
1195
a per-command basis in \fIsudoers\fR or via command line options.
1196
This option is only available when \fBsudo\fR is built with SELinux support.
1199
\&\fBStrings that can be used in a boolean context\fR:
1202
The \fIaskpass\fR option specifies the fully qualified path to a helper
1203
program used to read the user's password when no terminal is
1204
available. This may be the case when \fBsudo\fR is executed from a
1205
graphical (as opposed to text-based) application. The program
1206
specified by \fIaskpass\fR should display the argument passed to it
1207
as the prompt and write the user's password to the standard output.
1208
The value of \fIaskpass\fR may be overridden by the \f(CW\*(C`SUDO_ASKPASS\*(C'\fR
1209
environment variable.
1212
The \fIenv_file\fR option specifies the fully qualified path to a
1213
file containing variables to be set in the environment of the program
1214
being run. Entries in this file should either be of the form
1215
\&\f(CW\*(C`VARIABLE=value\*(C'\fR or \f(CW\*(C`export VARIABLE=value\*(C'\fR. The value may
1216
optionally be surrounded by single or double quotes. Variables in
1217
this file are subject to other \fBsudo\fR environment settings such
1218
as \fIenv_keep\fR and \fIenv_check\fR.
1219
.IP "exempt_group" 12
1220
.IX Item "exempt_group"
1221
Users in this group are exempt from password and \s-1PATH\s0 requirements.
1222
This is not set by default.
1225
This option controls when a short lecture will be printed along with
1226
the password prompt. It has the following possible values:
1230
Always lecture the user.
1233
Never lecture the user.
1236
Only lecture the user the first time they run \fBsudo\fR.
1240
If no value is specified, a value of \fIonce\fR is implied.
1241
Negating the option results in a value of \fInever\fR being used.
1242
The default value is \fI@lecture@\fR.
1244
.IP "lecture_file" 12
1245
.IX Item "lecture_file"
1246
Path to a file containing an alternate \fBsudo\fR lecture that will
1247
be used in place of the standard lecture if the named file exists.
1248
By default, \fBsudo\fR uses a built-in lecture.
1251
This option controls when a password will be required when a
1252
user runs \fBsudo\fR with the \fB\-l\fR option. It has the following possible values:
1256
All the user's \fIsudoers\fR entries for the current host must have
1257
the \f(CW\*(C`NOPASSWD\*(C'\fR flag set to avoid entering a password.
1260
The user must always enter a password to use the \fB\-l\fR option.
1263
At least one of the user's \fIsudoers\fR entries for the current host
1264
must have the \f(CW\*(C`NOPASSWD\*(C'\fR flag set to avoid entering a password.
1267
The user need never enter a password to use the \fB\-l\fR option.
1271
If no value is specified, a value of \fIany\fR is implied.
1272
Negating the option results in a value of \fInever\fR being used.
1273
The default value is \fIany\fR.
1277
Path to the \fBsudo\fR log file (not the syslog log file). Setting a path
1278
turns on logging to a file; negating this option turns it off.
1279
By default, \fBsudo\fR logs via syslog.
1280
.IP "mailerflags" 12
1281
.IX Item "mailerflags"
1282
Flags to use when invoking the mailer. Defaults to \fB\-t\fR.
1284
.IX Item "mailerpath"
1285
Path to the mail program used to send warning mail.
1286
Defaults to the path to sendmail found at configure time.
1289
Address to use for the \*(L"from\*(R" address when sending warning and error
1290
mail. The address should be enclosed in double quotes (\f(CW\*(C`"\*(C'\fR) to
1291
protect against \fBsudo\fR interpreting the \f(CW\*(C`@\*(C'\fR sign. Defaults to
1292
the name of the user running \fBsudo\fR.
1295
Address to send warning and error mail to. The address should
1296
be enclosed in double quotes (\f(CW\*(C`"\*(C'\fR) to protect against \fBsudo\fR
1297
interpreting the \f(CW\*(C`@\*(C'\fR sign. Defaults to \f(CW\*(C`@mailto@\*(C'\fR.
1298
.IP "secure_path" 12
1299
.IX Item "secure_path"
1300
Path used for every command run from \fBsudo\fR. If you don't trust the
1301
people running \fBsudo\fR to have a sane \f(CW\*(C`PATH\*(C'\fR environment variable you may
1302
want to use this. Another use is if you want to have the \*(L"root path\*(R"
1303
be separate from the \*(L"user path.\*(R" Users in the group specified by the
1304
\&\fIexempt_group\fR option are not affected by \fIsecure_path\fR.
1305
This option is @secure_path@ by default.
1308
Syslog facility if syslog is being used for logging (negate to
1309
disable syslog logging). Defaults to \f(CW\*(C`@logfac@\*(C'\fR.
1312
This option controls when a password will be required when a user runs
1313
\&\fBsudo\fR with the \fB\-v\fR option. It has the following possible values:
1317
All the user's \fIsudoers\fR entries for the current host must have
1318
the \f(CW\*(C`NOPASSWD\*(C'\fR flag set to avoid entering a password.
1321
The user must always enter a password to use the \fB\-v\fR option.
1324
At least one of the user's \fIsudoers\fR entries for the current host
1325
must have the \f(CW\*(C`NOPASSWD\*(C'\fR flag set to avoid entering a password.
1328
The user need never enter a password to use the \fB\-v\fR option.
1332
If no value is specified, a value of \fIall\fR is implied.
1333
Negating the option results in a value of \fInever\fR being used.
1334
The default value is \fIall\fR.
1337
\&\fBLists that can be used in a boolean context\fR:
1339
.IX Item "env_check"
1340
Environment variables to be removed from the user's environment if
1341
the variable's value contains \f(CW\*(C`%\*(C'\fR or \f(CW\*(C`/\*(C'\fR characters. This can
1342
be used to guard against printf-style format vulnerabilities in
1343
poorly-written programs. The argument may be a double-quoted,
1344
space-separated list or a single value without double-quotes. The
1345
list can be replaced, added to, deleted from, or disabled by using
1346
the \f(CW\*(C`=\*(C'\fR, \f(CW\*(C`+=\*(C'\fR, \f(CW\*(C`\-=\*(C'\fR, and \f(CW\*(C`!\*(C'\fR operators respectively. Regardless
1347
of whether the \f(CW\*(C`env_reset\*(C'\fR option is enabled or disabled, variables
1348
specified by \f(CW\*(C`env_check\*(C'\fR will be preserved in the environment if
1349
they pass the aforementioned check. The default list of environment
1350
variables to check is displayed when \fBsudo\fR is run by root with
1351
the \fI\-V\fR option.
1353
.IX Item "env_delete"
1354
Environment variables to be removed from the user's environment
1355
when the \fIenv_reset\fR option is not in effect. The argument may
1356
be a double-quoted, space-separated list or a single value without
1357
double-quotes. The list can be replaced, added to, deleted from,
1358
or disabled by using the \f(CW\*(C`=\*(C'\fR, \f(CW\*(C`+=\*(C'\fR, \f(CW\*(C`\-=\*(C'\fR, and \f(CW\*(C`!\*(C'\fR operators
1359
respectively. The default list of environment variables to remove
1360
is displayed when \fBsudo\fR is run by root with the \fI\-V\fR option.
1361
Note that many operating systems will remove potentially dangerous
1362
variables from the environment of any setuid process (such as
1366
Environment variables to be preserved in the user's environment
1367
when the \fIenv_reset\fR option is in effect. This allows fine-grained
1368
control over the environment \fBsudo\fR\-spawned processes will receive.
1369
The argument may be a double-quoted, space-separated list or a
1370
single value without double-quotes. The list can be replaced, added
1371
to, deleted from, or disabled by using the \f(CW\*(C`=\*(C'\fR, \f(CW\*(C`+=\*(C'\fR, \f(CW\*(C`\-=\*(C'\fR, and
1372
\&\f(CW\*(C`!\*(C'\fR operators respectively. The default list of variables to keep
1373
is displayed when \fBsudo\fR is run by root with the \fI\-V\fR option.
1375
When logging via \fIsyslog\fR\|(3), \fBsudo\fR accepts the following values
1376
for the syslog facility (the value of the \fBsyslog\fR Parameter):
1377
\&\fBauthpriv\fR (if your \s-1OS\s0 supports it), \fBauth\fR, \fBdaemon\fR, \fBuser\fR,
1378
\&\fBlocal0\fR, \fBlocal1\fR, \fBlocal2\fR, \fBlocal3\fR, \fBlocal4\fR, \fBlocal5\fR,
1379
\&\fBlocal6\fR, and \fBlocal7\fR. The following syslog priorities are
1380
supported: \fBalert\fR, \fBcrit\fR, \fBdebug\fR, \fBemerg\fR, \fBerr\fR, \fBinfo\fR,
1381
\&\fBnotice\fR, and \fBwarning\fR.
1384
.ie n .IP "\fI@sysconfdir@/sudoers\fR" 24
1385
.el .IP "\fI@sysconfdir@/sudoers\fR" 24
1386
.IX Item "@sysconfdir@/sudoers"
1387
List of who can run what
1388
.IP "\fI/etc/group\fR" 24
1389
.IX Item "/etc/group"
1391
.IP "\fI/etc/netgroup\fR" 24
1392
.IX Item "/etc/netgroup"
1393
List of network groups
1394
.IP "\fI/var/log/sudo\-io\fR" 24
1395
.IX Item "/var/log/sudo-io"
1398
.IX Header "EXAMPLES"
1399
Below are example \fIsudoers\fR entries. Admittedly, some of
1400
these are a bit contrived. First, we allow a few environment
1401
variables to pass and then define our \fIaliases\fR:
1404
\& # Run X applications through sudo; HOME is used to find the
1405
\& # .Xauthority file. Note that other programs use HOME to find
1406
\& # configuration files and this may lead to privilege escalation!
1407
\& Defaults env_keep += "DISPLAY HOME"
1409
\& # User alias specification
1410
\& User_Alias FULLTIMERS = millert, mikef, dowdy
1411
\& User_Alias PARTTIMERS = bostley, jwfox, crawl
1412
\& User_Alias WEBMASTERS = will, wendy, wim
1414
\& # Runas alias specification
1415
\& Runas_Alias OP = root, operator
1416
\& Runas_Alias DB = oracle, sybase
1417
\& Runas_Alias ADMINGRP = adm, oper
1419
\& # Host alias specification
1420
\& Host_Alias SPARC = bigtime, eclipse, moet, anchor :\e
1421
\& SGI = grolsch, dandelion, black :\e
1422
\& ALPHA = widget, thalamus, foobar :\e
1423
\& HPPA = boa, nag, python
1424
\& Host_Alias CUNETS = 128.138.0.0/255.255.0.0
1425
\& Host_Alias CSNETS = 128.138.243.0, 128.138.204.0/24, 128.138.242.0
1426
\& Host_Alias SERVERS = master, mail, www, ns
1427
\& Host_Alias CDROM = orion, perseus, hercules
1429
\& # Cmnd alias specification
1430
\& Cmnd_Alias DUMPS = /usr/bin/mt, /usr/sbin/dump, /usr/sbin/rdump,\e
1431
\& /usr/sbin/restore, /usr/sbin/rrestore
1432
\& Cmnd_Alias KILL = /usr/bin/kill
1433
\& Cmnd_Alias PRINTING = /usr/sbin/lpc, /usr/bin/lprm
1434
\& Cmnd_Alias SHUTDOWN = /usr/sbin/shutdown
1435
\& Cmnd_Alias HALT = /usr/sbin/halt
1436
\& Cmnd_Alias REBOOT = /usr/sbin/reboot
1437
\& Cmnd_Alias SHELLS = /usr/bin/sh, /usr/bin/csh, /usr/bin/ksh, \e
1438
\& /usr/local/bin/tcsh, /usr/bin/rsh, \e
1439
\& /usr/local/bin/zsh
1440
\& Cmnd_Alias SU = /usr/bin/su
1441
\& Cmnd_Alias PAGERS = /usr/bin/more, /usr/bin/pg, /usr/bin/less
1444
Here we override some of the compiled-in default values. We want
1445
\&\fBsudo\fR to log via \fIsyslog\fR\|(3) using the \fIauth\fR facility in all
1446
cases. We don't want to subject the full time staff to the \fBsudo\fR
1447
lecture, user \fBmillert\fR need not give a password, and we don't
1448
want to reset the \f(CW\*(C`LOGNAME\*(C'\fR, \f(CW\*(C`USER\*(C'\fR or \f(CW\*(C`USERNAME\*(C'\fR environment
1449
variables when running commands as root. Additionally, on the
1450
machines in the \fI\s-1SERVERS\s0\fR \f(CW\*(C`Host_Alias\*(C'\fR, we keep an additional
1451
local log file and make sure we log the year in each log line since
1452
the log entries will be kept around for several years. Lastly, we
1453
disable shell escapes for the commands in the \s-1PAGERS\s0 \f(CW\*(C`Cmnd_Alias\*(C'\fR
1454
(\fI/usr/bin/more\fR, \fI/usr/bin/pg\fR and \fI/usr/bin/less\fR).
1457
\& # Override built\-in defaults
1458
\& Defaults syslog=auth
1459
\& Defaults>root !set_logname
1460
\& Defaults:FULLTIMERS !lecture
1461
\& Defaults:millert !authenticate
1462
\& Defaults@SERVERS log_year, logfile=/var/log/sudo.log
1463
\& Defaults!PAGERS noexec
1466
The \fIUser specification\fR is the part that actually determines who may
1470
\& root ALL = (ALL) ALL
1471
\& %wheel ALL = (ALL) ALL
1474
We let \fBroot\fR and any user in group \fBwheel\fR run any command on any
1478
\& FULLTIMERS ALL = NOPASSWD: ALL
1481
Full time sysadmins (\fBmillert\fR, \fBmikef\fR, and \fBdowdy\fR) may run any
1482
command on any host without authenticating themselves.
1485
\& PARTTIMERS ALL = ALL
1488
Part time sysadmins (\fBbostley\fR, \fBjwfox\fR, and \fBcrawl\fR) may run any
1489
command on any host but they must authenticate themselves first
1490
(since the entry lacks the \f(CW\*(C`NOPASSWD\*(C'\fR tag).
1493
\& jack CSNETS = ALL
1496
The user \fBjack\fR may run any command on the machines in the \fI\s-1CSNETS\s0\fR alias
1497
(the networks \f(CW128.138.243.0\fR, \f(CW128.138.204.0\fR, and \f(CW128.138.242.0\fR).
1498
Of those networks, only \f(CW128.138.204.0\fR has an explicit netmask (in
1499
\&\s-1CIDR\s0 notation) indicating it is a class C network. For the other
1500
networks in \fI\s-1CSNETS\s0\fR, the local machine's netmask will be used
1504
\& lisa CUNETS = ALL
1507
The user \fBlisa\fR may run any command on any host in the \fI\s-1CUNETS\s0\fR alias
1508
(the class B network \f(CW128.138.0.0\fR).
1511
\& operator ALL = DUMPS, KILL, SHUTDOWN, HALT, REBOOT, PRINTING,\e
1512
\& sudoedit /etc/printcap, /usr/oper/bin/
1515
The \fBoperator\fR user may run commands limited to simple maintenance.
1516
Here, those are commands related to backups, killing processes, the
1517
printing system, shutting down the system, and any commands in the
1518
directory \fI/usr/oper/bin/\fR.
1521
\& joe ALL = /usr/bin/su operator
1524
The user \fBjoe\fR may only \fIsu\fR\|(1) to operator.
1527
\& pete HPPA = /usr/bin/passwd [A\-Za\-z]*, !/usr/bin/passwd root
1529
\& %opers ALL = (: ADMINGRP) /usr/sbin/
1532
Users in the \fBopers\fR group may run commands in \fI/usr/sbin/\fR as themselves
1533
with any group in the \fI\s-1ADMINGRP\s0\fR \f(CW\*(C`Runas_Alias\*(C'\fR (the \fBadm\fR and \fBoper\fR
1536
The user \fBpete\fR is allowed to change anyone's password except for
root on the \fI\s-1HPPA\s0\fR machines. Note that this assumes \fIpasswd\fR\|(1)
does not take multiple user names on the command line: the arguments
are matched as a single space-separated string, so the \f(CW\*(C`*\*(C'\fR in
\&\f(CW\*(C`[A\-Za\-z]*\*(C'\fR also matches across word boundaries (for example
\&\f(CW\*(C`pete root\*(C'\fR), while the \f(CW\*(C`!\*(C'\fR entry excludes only the exact
argument \f(CW\*(C`root\*(C'\fR.
1541
\& bob SPARC = (OP) ALL : SGI = (OP) ALL
1544
The user \fBbob\fR may run anything on the \fI\s-1SPARC\s0\fR and \fI\s-1SGI\s0\fR machines
1545
as any user listed in the \fI\s-1OP\s0\fR \f(CW\*(C`Runas_Alias\*(C'\fR (\fBroot\fR and \fBoperator\fR).
1548
\& jim +biglab = ALL
1551
The user \fBjim\fR may run any command on machines in the \fIbiglab\fR netgroup.
1552
\&\fBsudo\fR knows that \*(L"biglab\*(R" is a netgroup due to the '+' prefix.
1555
\& +secretaries ALL = PRINTING, /usr/bin/adduser, /usr/bin/rmuser
1558
Users in the \fBsecretaries\fR netgroup need to help manage the printers
1559
as well as add and remove users, so they are allowed to run those
1560
commands on all machines.
1563
\& fred ALL = (DB) NOPASSWD: ALL
1566
The user \fBfred\fR can run commands as any user in the \fI\s-1DB\s0\fR \f(CW\*(C`Runas_Alias\*(C'\fR
1567
(\fBoracle\fR or \fBsybase\fR) without giving a password.
1570
\& john ALPHA = /usr/bin/su [!\-]*, !/usr/bin/su *root*
1573
On the \fI\s-1ALPHA\s0\fR machines, user \fBjohn\fR may su to anyone except root.
The pattern \f(CW\*(C`[!\-]*\*(C'\fR rejects only a leading \f(CW\*(C`\-\*(C'\fR, so it keeps him
from passing an option as the first argument to \fIsu\fR\|(1); because
\&\f(CW\*(C`*\*(C'\fR also matches whitespace, an option placed after the user name
(for example \f(CW\*(C`su bob \-c cmd\*(C'\fR) is not rejected by that pattern, and
\&\f(CW\*(C`!/usr/bin/su *root*\*(C'\fR excludes any argument list containing the
string \f(CW\*(C`root\*(C'\fR.
1577
\& jen ALL, !SERVERS = ALL
1580
The user \fBjen\fR may run any command on any machine except for those
1581
in the \fI\s-1SERVERS\s0\fR \f(CW\*(C`Host_Alias\*(C'\fR (master, mail, www and ns).
1584
\& jill SERVERS = /usr/bin/, !SU, !SHELLS
1587
For any machine in the \fI\s-1SERVERS\s0\fR \f(CW\*(C`Host_Alias\*(C'\fR, \fBjill\fR may run
any commands in the directory \fI/usr/bin/\fR except for those commands
belonging to the \fI\s-1SU\s0\fR and \fI\s-1SHELLS\s0\fR \f(CW\*(C`Cmnd_Aliases\*(C'\fR. As explained
under \s-1SECURITY NOTES\s0, such exclusions are advisory at best: other
commands in \fI/usr/bin/\fR can be used to copy a shell to a different
name or to start one through a shell escape.
1592
\& steve CSNETS = (operator) /usr/local/op_commands/
1595
The user \fBsteve\fR may run any command in the directory /usr/local/op_commands/
1596
but only as user operator.
1599
\& matt valkyrie = KILL
1602
On his personal workstation, valkyrie, \fBmatt\fR needs to be able to
1603
kill hung processes.
1606
\& WEBMASTERS www = (www) ALL, (root) /usr/bin/su www
1609
On the host www, any user in the \fI\s-1WEBMASTERS\s0\fR \f(CW\*(C`User_Alias\*(C'\fR (will,
1610
wendy, and wim), may run any command as user www (which owns the
1611
web pages) or simply \fIsu\fR\|(1) to www.
1614
\& ALL CDROM = NOPASSWD: /sbin/umount /CDROM,\e
1615
\& /sbin/mount \-o nosuid\e,nodev /dev/cd0a /CDROM
1618
Any user may mount or unmount a CD-ROM on the machines in the \s-1CDROM\s0
\&\f(CW\*(C`Host_Alias\*(C'\fR (orion, perseus, hercules) without entering a password.
The \f(CW\*(C`nosuid\*(C'\fR and \f(CW\*(C`nodev\*(C'\fR mount options keep set-user-ID
programs and device nodes on the user-supplied medium from being
honored, and the comma between them is escaped with a backslash so
that \fIsudoers\fR does not treat it as a command separator.
This is a bit tedious for users to type, so it is a prime candidate
for encapsulating in a shell script.
1622
.SH "SECURITY NOTES"
1623
.IX Header "SECURITY NOTES"
1624
It is generally not effective to \*(L"subtract\*(R" commands from \f(CW\*(C`ALL\*(C'\fR
1625
using the '!' operator. A user can trivially circumvent this
1626
by copying the desired command to a different name and then
1627
executing that. For example:
1630
\& bill ALL = ALL, !SU, !SHELLS
1633
Doesn't really prevent \fBbill\fR from running the commands listed in
1634
\&\fI\s-1SU\s0\fR or \fI\s-1SHELLS\s0\fR since he can simply copy those commands to a
1635
different name, or use a shell escape from an editor or other
1636
program. Therefore, this kind of restriction should be considered
advisory at best (and reinforced by policy).
1639
Furthermore, if the \fIfast_glob\fR option is in use, it is not possible
1640
to reliably negate commands where the path name includes globbing
1641
(aka wildcard) characters. This is because the C library's
1642
\&\fIfnmatch\fR\|(3) function cannot resolve relative paths. While this
1643
is typically only an inconvenience for rules that grant privileges,
1644
it can result in a security issue for rules that subtract or revoke
1647
For example, given the following \fIsudoers\fR entry:
1650
\& john ALL = /usr/bin/passwd [a\-zA\-Z0\-9]*, /usr/bin/chsh [a\-zA\-Z0\-9]*,
1651
\& /usr/bin/chfn [a\-zA\-Z0\-9]*, !/usr/bin/* root
1654
User \fBjohn\fR can still run \f(CW\*(C`/usr/bin/passwd root\*(C'\fR if \fIfast_glob\fR is
1655
enabled by changing to \fI/usr/bin\fR and running \f(CW\*(C`./passwd root\*(C'\fR instead.
1656
.SH "PREVENTING SHELL ESCAPES"
1657
.IX Header "PREVENTING SHELL ESCAPES"
1658
Once \fBsudo\fR executes a program, that program is free to do whatever
1659
it pleases, including run other programs. This can be a security
1660
issue since it is not uncommon for a program to allow shell escapes,
1661
which lets a user bypass \fBsudo\fR's access control and logging.
1662
Common programs that permit shell escapes include shells (obviously),
1663
editors, paginators, mail and terminal programs.
1665
There are two basic approaches to this problem:
1668
Avoid giving users access to commands that allow the user to run
1669
arbitrary commands. Many editors have a restricted mode where shell
1670
escapes are disabled, though \fBsudoedit\fR is a better solution to
1671
running editors via \fBsudo\fR. Due to the large number of programs that
1672
offer shell escapes, restricting users to the set of programs that
1673
do not is often unworkable.
1676
Many systems that support shared libraries have the ability to
1677
override default library functions by pointing an environment
1678
variable (usually \f(CW\*(C`LD_PRELOAD\*(C'\fR) to an alternate shared library.
1679
On such systems, \fBsudo\fR's \fInoexec\fR functionality can be used to
1680
prevent a program run by \fBsudo\fR from executing any other programs.
1681
Note, however, that this applies only to native dynamically-linked
executables that reach the exec family of functions through the
shared standard library. Statically-linked executables, programs that
issue the exec system call directly, and foreign executables
running under binary emulation are not affected.
1685
To tell whether or not \fBsudo\fR supports \fInoexec\fR, you can run
1686
the following as root:
1689
\& sudo \-V | grep "dummy exec"
1692
If the resulting output contains a line that begins with:
1695
\& File containing dummy exec functions:
1698
then \fBsudo\fR may be able to replace the exec family of functions
1699
in the standard library with its own that simply return an error.
1700
Unfortunately, there is no foolproof way to know whether or not
1701
\&\fInoexec\fR will work at compile-time. \fInoexec\fR should work on
1702
SunOS, Solaris, *BSD, Linux, \s-1IRIX\s0, Tru64 \s-1UNIX\s0, MacOS X, and HP-UX
1703
11.x. It is known \fBnot\fR to work on \s-1AIX\s0 and UnixWare. \fInoexec\fR
1704
is expected to work on most operating systems that support the
1705
\&\f(CW\*(C`LD_PRELOAD\*(C'\fR environment variable. Check your operating system's
1706
manual pages for the dynamic linker (usually ld.so, ld.so.1, dyld,
1707
dld.sl, rld, or loader) to see if \f(CW\*(C`LD_PRELOAD\*(C'\fR is supported.
1709
To enable \fInoexec\fR for a command, use the \f(CW\*(C`NOEXEC\*(C'\fR tag as documented
1710
in the User Specification section above. Here is that example again:
1713
\& aaron shanty = NOEXEC: /usr/bin/more, /usr/bin/vi
1716
This allows user \fBaaron\fR to run \fI/usr/bin/more\fR and \fI/usr/bin/vi\fR
1717
with \fInoexec\fR enabled. This will prevent those two commands from
1718
executing other commands (such as a shell). If you are unsure
whether or not your system is capable of supporting \fInoexec\fR you
can always just try it out and see if it works; do so from an
unprivileged account and confirm that a shell escape from the
command really fails before relying on \fInoexec\fR for that command.
1722
Note that restricting shell escapes is not a panacea. Programs
1723
running as root are still capable of many potentially hazardous
1724
operations (such as changing or overwriting files) that could lead
1725
to unintended privilege escalation. In the specific case of an
1726
editor, a safer approach is to give the user permission to run
1729
.IX Header "SEE ALSO"
1730
\&\fIrsh\fR\|(1), \fIsu\fR\|(1), \fIfnmatch\fR\|(3), \fIglob\fR\|(3), \fIsudo\fR\|(@mansectsu@), \fIvisudo\fR\|(8)
1732
.IX Header "CAVEATS"
1733
The \fIsudoers\fR file should \fBalways\fR be edited by the \fBvisudo\fR
1734
command, which locks the file and checks its syntax. It is
1735
imperative that \fIsudoers\fR be free of syntax errors since \fBsudo\fR
1736
will not run with a syntactically incorrect \fIsudoers\fR file.
1738
When using netgroups of machines (as opposed to users), if you
1739
store fully qualified host names in the netgroup (as is usually the
1740
case), you either need to have the machine's host name be fully qualified
1741
as returned by the \f(CW\*(C`hostname\*(C'\fR command or use the \fIfqdn\fR option in
1745
If you feel you have found a bug in \fBsudo\fR, please submit a bug report
1746
at http://www.sudo.ws/sudo/bugs/
1748
.IX Header "SUPPORT"
1749
Limited free support is available via the sudo-users mailing list,
1750
see http://www.sudo.ws/mailman/listinfo/sudo\-users to subscribe or
1751
search the archives.
1753
.IX Header "DISCLAIMER"
1754
\&\fBsudo\fR is provided ``\s-1AS\s0 \s-1IS\s0'' and any express or implied warranties,
1755
including, but not limited to, the implied warranties of merchantability
1756
and fitness for a particular purpose are disclaimed. See the \s-1LICENSE\s0
1757
file distributed with \fBsudo\fR or http://www.sudo.ws/sudo/license.html
1758
for complete details.