« back to all changes in this revision
Viewing changes to doc/sudoers.cat
- browse files at revision 60
- compare with another revision
- download diff
- download tarball
- view history from revision 60
- Committer: Package Import Robot
- Author(s): Stéphane Graber
- Date: 2012-11-16 09:31:32 UTC
- mfrom: (1.4.13)
- Revision ID: package-import@ubuntu.com-20121116093132-ptext55adlzbrq6y
Tags: 1.8.6p3-0ubuntu1
* New upstream release (1.8.6p3).
* Add patch to fix building with sssd when ldap is disabled.
* Drop sudo.manpages and sudo-ldap.manpages as the upstream build system
now does the right thing here.
* Build the main sudo package with support for sssd, this doesn't add any
additional build time or runtime dependency. sudo will dynamically load
the sssd library if 'sss' is listed for the 'sudoers' nss service.
* Add patch to fix building with sssd when ldap is disabled.
* Drop sudo.manpages and sudo-ldap.manpages as the upstream build system
now does the right thing here.
* Build the main sudo package with support for sssd, this doesn't add any
additional build time or runtime dependency. sudo will dynamically load
the sssd library if 'sss' is listed for the 'sudoers' nss service.
- files added:
- .pc/fix_sssd_build.patch
- .pc/fix_sssd_build.patch/plugins
- .pc/fix_sssd_build.patch/plugins/sudoers
- plugins/sudoers/regress/check_symbols
- files removed:
- debian/sudo-ldap.manpages
- files modified:
- .pc/actually-use-buildflags.diff/common/Makefile.in
added
removed
doc/sudoers.cat
1
SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
2
3
1
SUDOERS(4) Programmer's Manual SUDOERS(4)
4
2
5
3
NNAAMMEE
6
sudoers - default sudo security policy module
4
ssuuddooeerrss - default sudo security policy module
7
5
8
6
DDEESSCCRRIIPPTTIIOONN
9
The _s_u_d_o_e_r_s policy module determines a user's ssuuddoo privileges. It is
10
the default ssuuddoo policy plugin. The policy is driven by the
11
_/_e_t_c_/_s_u_d_o_e_r_s file or, optionally in LDAP. The policy format is
12
described in detail in the "SUDOERS FILE FORMAT" section. For
13
information on storing _s_u_d_o_e_r_s policy information in LDAP, please see
14
_s_u_d_o_e_r_s_._l_d_a_p(4).
15
16
AAuutthheennttiiccaattiioonn aanndd LLooggggiinngg
17
The _s_u_d_o_e_r_s security policy requires that most users authenticate
18
themselves before they can use ssuuddoo. A password is not required if the
19
invoking user is root, if the target user is the same as the invoking
20
user, or if the policy has disabled authentication for the user or
21
command. Unlike _s_u(1), when _s_u_d_o_e_r_s requires authentication, it
22
validates the invoking user's credentials, not the target user's (or
23
root's) credentials. This can be changed via the _r_o_o_t_p_w, _t_a_r_g_e_t_p_w and
24
_r_u_n_a_s_p_w flags, described later.
25
26
If a user who is not listed in the policy tries to run a command via
27
ssuuddoo, mail is sent to the proper authorities. The address used for
28
such mail is configurable via the _m_a_i_l_t_o Defaults entry (described
29
later) and defaults to root.
30
31
Note that mail will not be sent if an unauthorized user tries to run
32
ssuuddoo with the --ll or --vv option. This allows users to determine for
33
themselves whether or not they are allowed to use ssuuddoo.
34
35
If ssuuddoo is run by root and the SUDO_USER environment variable is set,
36
the _s_u_d_o_e_r_s policy will use this value to determine who the actual user
37
is. This can be used by a user to log commands through sudo even when
38
a root shell has been invoked. It also allows the --ee option to remain
39
useful even when invoked via a sudo-run script or program. Note,
40
however, that the _s_u_d_o_e_r_s lookup is still done for root, not the user
41
specified by SUDO_USER.
42
43
_s_u_d_o_e_r_s uses time stamp files for credential caching. Once a user has
44
been authenticated, a time stamp is updated and the user may then use
45
sudo without a password for a short period of time (5 minutes unless
46
overridden by the _t_i_m_e_o_u_t option. By default, _s_u_d_o_e_r_s uses a tty-based
47
time stamp which means that there is a separate time stamp for each of
48
a user's login sessions. The _t_t_y___t_i_c_k_e_t_s option can be disabled to
49
force the use of a single time stamp for all of a user's sessions.
50
51
_s_u_d_o_e_r_s can log both successful and unsuccessful attempts (as well as
52
errors) to _s_y_s_l_o_g(3), a log file, or both. By default, _s_u_d_o_e_r_s will
53
log via _s_y_s_l_o_g(3) but this is changeable via the _s_y_s_l_o_g and _l_o_g_f_i_l_e
54
Defaults settings.
55
56
_s_u_d_o_e_r_s also supports logging a command's input and output streams.
57
I/O logging is not on by default but can be enabled using the _l_o_g___i_n_p_u_t
58
and _l_o_g___o_u_t_p_u_t Defaults flags as well as the LOG_INPUT and LOG_OUTPUT
59
command tags.
60
61
CCoommmmaanndd EEnnvviirroonnmmeenntt
62
Since environment variables can influence program behavior, _s_u_d_o_e_r_s
63
provides a means to restrict which variables from the user's
64
environment are inherited by the command to be run. There are two
65
distinct ways _s_u_d_o_e_r_s can deal with environment variables.
66
67
By default, the _e_n_v___r_e_s_e_t option is enabled. This causes commands to
68
be executed with a new, minimal environment. On AIX (and Linux systems
69
without PAM), the environment is initialized with the contents of the
70
_/_e_t_c_/_e_n_v_i_r_o_n_m_e_n_t file. On BSD systems, if the _u_s_e___l_o_g_i_n_c_l_a_s_s option is
71
enabled, the environment is initialized based on the _p_a_t_h and _s_e_t_e_n_v
72
settings in _/_e_t_c_/_l_o_g_i_n_._c_o_n_f. The new environment contains the TERM,
73
PATH, HOME, MAIL, SHELL, LOGNAME, USER, USERNAME and SUDO_* variables
74
in addition to variables from the invoking process permitted by the
75
_e_n_v___c_h_e_c_k and _e_n_v___k_e_e_p options. This is effectively a whitelist for
76
environment variables.
77
78
If, however, the _e_n_v___r_e_s_e_t option is disabled, any variables not
79
explicitly denied by the _e_n_v___c_h_e_c_k and _e_n_v___d_e_l_e_t_e options are inherited
80
from the invoking process. In this case, _e_n_v___c_h_e_c_k and _e_n_v___d_e_l_e_t_e
81
behave like a blacklist. Since it is not possible to blacklist all
82
potentially dangerous environment variables, use of the default
83
_e_n_v___r_e_s_e_t behavior is encouraged.
84
85
In all cases, environment variables with a value beginning with () are
86
removed as they could be interpreted as bbaasshh functions. The list of
87
environment variables that ssuuddoo allows or denies is contained in the
88
output of sudo -V when run as root.
89
90
Note that the dynamic linker on most operating systems will remove
91
variables that can control dynamic linking from the environment of
92
setuid executables, including ssuuddoo. Depending on the operating system
93
this may include _RLD*, DYLD_*, LD_*, LDR_*, LIBPATH, SHLIB_PATH, and
94
others. These type of variables are removed from the environment
95
before ssuuddoo even begins execution and, as such, it is not possible for
96
ssuuddoo to preserve them.
97
98
As a special case, if ssuuddoo's --ii option (initial login) is specified,
99
_s_u_d_o_e_r_s will initialize the environment regardless of the value of
100
_e_n_v___r_e_s_e_t. The _D_I_S_P_L_A_Y, _P_A_T_H and _T_E_R_M variables remain unchanged;
101
_H_O_M_E, _M_A_I_L, _S_H_E_L_L, _U_S_E_R, and _L_O_G_N_A_M_E are set based on the target user.
102
On AIX (and Linux systems without PAM), the contents of
103
_/_e_t_c_/_e_n_v_i_r_o_n_m_e_n_t are also included. On BSD systems, if the
104
_u_s_e___l_o_g_i_n_c_l_a_s_s option is enabled, the _p_a_t_h and _s_e_t_e_n_v variables in
105
_/_e_t_c_/_l_o_g_i_n_._c_o_n_f are also applied. All other environment variables are
106
removed.
107
108
Finally, if the _e_n_v___f_i_l_e option is defined, any variables present in
109
that file will be set to their specified values as long as they would
110
not conflict with an existing environment variable.
7
The _s_u_d_o_e_r_s policy module determines a user's ssuuddoo privileges. It is the
8
default ssuuddoo policy plugin. The policy is driven by the _/_e_t_c_/_s_u_d_o_e_r_s
9
file or, optionally in LDAP. The policy format is described in detail in
10
the _S_U_D_O_E_R_S _F_I_L_E _F_O_R_M_A_T section. For information on storing _s_u_d_o_e_r_s
11
policy information in LDAP, please see sudoers.ldap(4).
12
13
AAuutthheennttiiccaattiioonn aanndd llooggggiinngg
14
The _s_u_d_o_e_r_s security policy requires that most users authenticate
15
themselves before they can use ssuuddoo. A password is not required if the
16
invoking user is root, if the target user is the same as the invoking
17
user, or if the policy has disabled authentication for the user or
18
command. Unlike su(1), when _s_u_d_o_e_r_s requires authentication, it
19
validates the invoking user's credentials, not the target user's (or
20
root's) credentials. This can be changed via the _r_o_o_t_p_w, _t_a_r_g_e_t_p_w and
21
_r_u_n_a_s_p_w flags, described later.
22
23
If a user who is not listed in the policy tries to run a command via
24
ssuuddoo, mail is sent to the proper authorities. The address used for such
25
mail is configurable via the _m_a_i_l_t_o Defaults entry (described later) and
26
defaults to root.
27
28
Note that mail will not be sent if an unauthorized user tries to run ssuuddoo
29
with the --ll or --vv option. This allows users to determine for themselves
30
whether or not they are allowed to use ssuuddoo.
31
32
If ssuuddoo is run by root and the SUDO_USER environment variable is set, the
33
_s_u_d_o_e_r_s policy will use this value to determine who the actual user is.
34
This can be used by a user to log commands through sudo even when a root
35
shell has been invoked. It also allows the --ee option to remain useful
36
even when invoked via a sudo-run script or program. Note, however, that
37
the _s_u_d_o_e_r_s lookup is still done for root, not the user specified by
38
SUDO_USER.
39
40
_s_u_d_o_e_r_s uses time stamp files for credential caching. Once a user has
41
been authenticated, the time stamp is updated and the user may then use
42
sudo without a password for a short period of time (5 minutes unless
43
overridden by the _t_i_m_e_o_u_t option). By default, _s_u_d_o_e_r_s uses a tty-based
44
time stamp which means that there is a separate time stamp for each of a
45
user's login sessions. The _t_t_y___t_i_c_k_e_t_s option can be disabled to force
46
the use of a single time stamp for all of a user's sessions.
47
48
_s_u_d_o_e_r_s can log both successful and unsuccessful attempts (as well as
49
errors) to syslog(3), a log file, or both. By default, _s_u_d_o_e_r_s will log
50
via syslog(3) but this is changeable via the _s_y_s_l_o_g and _l_o_g_f_i_l_e Defaults
51
settings.
52
53
_s_u_d_o_e_r_s also supports logging a command's input and output streams. I/O
54
logging is not on by default but can be enabled using the _l_o_g___i_n_p_u_t and
55
_l_o_g___o_u_t_p_u_t Defaults flags as well as the LOG_INPUT and LOG_OUTPUT command
56
tags.
57
58
CCoommmmaanndd eennvviirroonnmmeenntt
59
Since environment variables can influence program behavior, _s_u_d_o_e_r_s
60
provides a means to restrict which variables from the user's environment
61
are inherited by the command to be run. There are two distinct ways
62
_s_u_d_o_e_r_s can deal with environment variables.
63
64
By default, the _e_n_v___r_e_s_e_t option is enabled. This causes commands to be
65
executed with a new, minimal environment. On AIX (and Linux systems
66
without PAM), the environment is initialized with the contents of the
67
_/_e_t_c_/_e_n_v_i_r_o_n_m_e_n_t file. On BSD systems, if the _u_s_e___l_o_g_i_n_c_l_a_s_s option is
68
enabled, the environment is initialized based on the _p_a_t_h and _s_e_t_e_n_v
69
settings in _/_e_t_c_/_l_o_g_i_n_._c_o_n_f. The new environment contains the TERM,
70
PATH, HOME, MAIL, SHELL, LOGNAME, USER, USERNAME and SUDO_* variables in
71
addition to variables from the invoking process permitted by the
72
_e_n_v___c_h_e_c_k and _e_n_v___k_e_e_p options. This is effectively a whitelist for
73
environment variables.
74
75
If, however, the _e_n_v___r_e_s_e_t option is disabled, any variables not
76
explicitly denied by the _e_n_v___c_h_e_c_k and _e_n_v___d_e_l_e_t_e options are inherited
77
from the invoking process. In this case, _e_n_v___c_h_e_c_k and _e_n_v___d_e_l_e_t_e behave
78
like a blacklist. Since it is not possible to blacklist all potentially
79
dangerous environment variables, use of the default _e_n_v___r_e_s_e_t behavior is
80
encouraged.
81
82
In all cases, environment variables with a value beginning with () are
83
removed as they could be interpreted as bbaasshh functions. The list of
84
environment variables that ssuuddoo allows or denies is contained in the
85
output of ``sudo -V'' when run as root.
86
87
Note that the dynamic linker on most operating systems will remove
88
variables that can control dynamic linking from the environment of setuid
89
executables, including ssuuddoo. Depending on the operating system this may
90
include _RLD*, DYLD_*, LD_*, LDR_*, LIBPATH, SHLIB_PATH, and others.
91
These type of variables are removed from the environment before ssuuddoo even
92
begins execution and, as such, it is not possible for ssuuddoo to preserve
93
them.
94
95
As a special case, if ssuuddoo's --ii option (initial login) is specified,
96
_s_u_d_o_e_r_s will initialize the environment regardless of the value of
97
_e_n_v___r_e_s_e_t. The DISPLAY, PATH and TERM variables remain unchanged; HOME,
98
MAIL, SHELL, USER, and LOGNAME are set based on the target user. On AIX
99
(and Linux systems without PAM), the contents of _/_e_t_c_/_e_n_v_i_r_o_n_m_e_n_t are
100
also included. On BSD systems, if the _u_s_e___l_o_g_i_n_c_l_a_s_s option is enabled,
101
the _p_a_t_h and _s_e_t_e_n_v variables in _/_e_t_c_/_l_o_g_i_n_._c_o_n_f are also applied. All
102
other environment variables are removed.
103
104
Finally, if the _e_n_v___f_i_l_e option is defined, any variables present in that
105
file will be set to their specified values as long as they would not
106
conflict with an existing environment variable.
111
107
112
108
SSUUDDOOEERRSS FFIILLEE FFOORRMMAATT
113
The _s_u_d_o_e_r_s file is composed of two types of entries: aliases
114
(basically variables) and user specifications (which specify who may
115
run what).
116
117
When multiple entries match for a user, they are applied in order.
118
Where there are multiple matches, the last match is used (which is not
119
necessarily the most specific match).
120
121
The _s_u_d_o_e_r_s grammar will be described below in Extended Backus-Naur
122
Form (EBNF). Don't despair if you don't know what EBNF is; it is
123
fairly simple, and the definitions below are annotated.
109
The _s_u_d_o_e_r_s file is composed of two types of entries: aliases (basically
110
variables) and user specifications (which specify who may run what).
111
112
When multiple entries match for a user, they are applied in order. Where
113
there are multiple matches, the last match is used (which is not
114
necessarily the most specific match).
115
116
The _s_u_d_o_e_r_s grammar will be described below in Extended Backus-Naur Form
117
(EBNF). Don't despair if you are unfamiliar with EBNF; it is fairly
118
simple, and the definitions below are annotated.
124
119
125
120
QQuuiicckk gguuiiddee ttoo EEBBNNFF
126
EBNF is a concise and exact way of describing the grammar of a
127
language. Each EBNF definition is made up of _p_r_o_d_u_c_t_i_o_n _r_u_l_e_s. E.g.,
128
129
symbol ::= definition | alternate1 | alternate2 ...
130
131
Each _p_r_o_d_u_c_t_i_o_n _r_u_l_e references others and thus makes up a grammar for
132
the language. EBNF also contains the following operators, which many
133
readers will recognize from regular expressions. Do not, however,
134
confuse them with "wildcard" characters, which have different meanings.
135
136
? Means that the preceding symbol (or group of symbols) is optional.
121
EBNF is a concise and exact way of describing the grammar of a language.
122
Each EBNF definition is made up of _p_r_o_d_u_c_t_i_o_n _r_u_l_e_s. E.g.,
123
124
symbol ::= definition | alternate1 | alternate2 ...
125
126
Each _p_r_o_d_u_c_t_i_o_n _r_u_l_e references others and thus makes up a grammar for
127
the language. EBNF also contains the following operators, which many
128
readers will recognize from regular expressions. Do not, however,
129
confuse them with ``wildcard'' characters, which have different meanings.
130
131
? Means that the preceding symbol (or group of symbols) is optional.
137
132
That is, it may appear once or not at all.
138
133
139
* Means that the preceding symbol (or group of symbols) may appear
134
* Means that the preceding symbol (or group of symbols) may appear
140
135
zero or more times.
141
136
142
+ Means that the preceding symbol (or group of symbols) may appear
137
+ Means that the preceding symbol (or group of symbols) may appear
143
138
one or more times.
144
139
145
Parentheses may be used to group symbols together. For clarity, we
146
will use single quotes ('') to designate what is a verbatim character
147
string (as opposed to a symbol name).
140
Parentheses may be used to group symbols together. For clarity, we will
141
use single quotes ('') to designate what is a verbatim character string
142
(as opposed to a symbol name).
148
143
149
144
AAlliiaasseess
150
There are four kinds of aliases: User_Alias, Runas_Alias, Host_Alias
151
and Cmnd_Alias.
152
153
Alias ::= 'User_Alias' User_Alias (':' User_Alias)* |
154
'Runas_Alias' Runas_Alias (':' Runas_Alias)* |
155
'Host_Alias' Host_Alias (':' Host_Alias)* |
156
'Cmnd_Alias' Cmnd_Alias (':' Cmnd_Alias)*
157
158
User_Alias ::= NAME '=' User_List
159
160
Runas_Alias ::= NAME '=' Runas_List
161
162
Host_Alias ::= NAME '=' Host_List
163
164
Cmnd_Alias ::= NAME '=' Cmnd_List
165
166
NAME ::= [A-Z]([A-Z][0-9]_)*
167
168
Each _a_l_i_a_s definition is of the form
169
170
Alias_Type NAME = item1, item2, ...
171
172
where _A_l_i_a_s___T_y_p_e is one of User_Alias, Runas_Alias, Host_Alias, or
173
Cmnd_Alias. A NAME is a string of uppercase letters, numbers, and
174
underscore characters ('_'). A NAME mmuusstt start with an uppercase
175
letter. It is possible to put several alias definitions of the same
176
type on a single line, joined by a colon (':'). E.g.,
177
178
Alias_Type NAME = item1, item2, item3 : NAME = item4, item5
179
180
The definitions of what constitutes a valid _a_l_i_a_s member follow.
181
182
User_List ::= User |
183
User ',' User_List
184
185
User ::= '!'* user name |
186
'!'* #uid |
187
'!'* %group |
188
'!'* %#gid |
189
'!'* +netgroup |
190
'!'* %:nonunix_group |
191
'!'* %:#nonunix_gid |
192
'!'* User_Alias
193
194
A User_List is made up of one or more user names, user ids (prefixed
195
with '#'), system group names and ids (prefixed with '%' and '%#'
196
respectively), netgroups (prefixed with '+'), non-Unix group names and
197
IDs (prefixed with '%:' and '%:#' respectively) and User_Aliases. Each
198
list item may be prefixed with zero or more '!' operators. An odd
199
number of '!' operators negate the value of the item; an even number
200
just cancel each other out.
201
202
A user name, uid, group, gid, netgroup, nonunix_group or nonunix_gid
203
may be enclosed in double quotes to avoid the need for escaping special
204
characters. Alternately, special characters may be specified in
205
escaped hex mode, e.g. \x20 for space. When using double quotes, any
206
prefix characters must be included inside the quotes.
207
208
The actual nonunix_group and nonunix_gid syntax depends on the
209
underlying group provider plugin (see the _g_r_o_u_p___p_l_u_g_i_n description
210
below). For instance, the QAS AD plugin supports the following
211
formats:
212
213
o Group in the same domain: "Group Name"
214
215
o Group in any domain: "Group Name@FULLY.QUALIFIED.DOMAIN"
216
217
o Group SID: "S-1-2-34-5678901234-5678901234-5678901234-567"
218
219
Note that quotes around group names are optional. Unquoted strings
220
must use a backslash (\) to escape spaces and special characters. See
221
"Other special characters and reserved words" for a list of characters
222
that need to be escaped.
223
224
Runas_List ::= Runas_Member |
225
Runas_Member ',' Runas_List
226
227
Runas_Member ::= '!'* user name |
228
'!'* #uid |
229
'!'* %group |
230
'!'* %#gid |
231
'!'* %:nonunix_group |
232
'!'* %:#nonunix_gid |
233
'!'* +netgroup |
234
'!'* Runas_Alias
235
236
A Runas_List is similar to a User_List except that instead of
237
User_Aliases it can contain Runas_Aliases. Note that user names and
238
groups are matched as strings. In other words, two users (groups) with
239
the same uid (gid) are considered to be distinct. If you wish to match
240
all user names with the same uid (e.g. root and toor), you can use a
241
uid instead (#0 in the example given).
242
243
Host_List ::= Host |
244
Host ',' Host_List
245
246
Host ::= '!'* host name |
247
'!'* ip_addr |
248
'!'* network(/netmask)? |
249
'!'* +netgroup |
250
'!'* Host_Alias
251
252
A Host_List is made up of one or more host names, IP addresses, network
253
numbers, netgroups (prefixed with '+') and other aliases. Again, the
254
value of an item may be negated with the '!' operator. If you do not
255
specify a netmask along with the network number, ssuuddoo will query each
256
of the local host's network interfaces and, if the network number
257
corresponds to one of the hosts's network interfaces, the corresponding
258
netmask will be used. The netmask may be specified either in standard
259
IP address notation (e.g. 255.255.255.0 or ffff:ffff:ffff:ffff::), or
260
CIDR notation (number of bits, e.g. 24 or 64). A host name may include
261
shell-style wildcards (see the Wildcards section below), but unless the
262
host name command on your machine returns the fully qualified host
263
name, you'll need to use the _f_q_d_n option for wildcards to be useful.
264
Note ssuuddoo only inspects actual network interfaces; this means that IP
265
address 127.0.0.1 (localhost) will never match. Also, the host name
266
"localhost" will only match if that is the actual host name, which is
267
usually only the case for non-networked systems.
268
269
Cmnd_List ::= Cmnd |
270
Cmnd ',' Cmnd_List
271
272
commandname ::= file name |
273
file name args |
274
file name '""'
275
276
Cmnd ::= '!'* commandname |
277
'!'* directory |
278
'!'* "sudoedit" |
279
'!'* Cmnd_Alias
280
281
A Cmnd_List is a list of one or more commandnames, directories, and
282
other aliases. A commandname is a fully qualified file name which may
283
include shell-style wildcards (see the Wildcards section below). A
284
simple file name allows the user to run the command with any arguments
285
he/she wishes. However, you may also specify command line arguments
286
(including wildcards). Alternately, you can specify "" to indicate
287
that the command may only be run wwiitthhoouutt command line arguments. A
288
directory is a fully qualified path name ending in a '/'. When you
289
specify a directory in a Cmnd_List, the user will be able to run any
290
file within that directory (but not in any subdirectories therein).
291
292
If a Cmnd has associated command line arguments, then the arguments in
293
the Cmnd must match exactly those given by the user on the command line
294
(or match the wildcards if there are any). Note that the following
295
characters must be escaped with a '\' if they are used in command
296
arguments: ',', ':', '=', '\'. The special command "sudoedit" is used
297
to permit a user to run ssuuddoo with the --ee option (or as ssuuddooeeddiitt). It
298
may take command line arguments just as a normal command does.
145
There are four kinds of aliases: User_Alias, Runas_Alias, Host_Alias and
146
Cmnd_Alias.
147
148
Alias ::= 'User_Alias' User_Alias (':' User_Alias)* |
149
'Runas_Alias' Runas_Alias (':' Runas_Alias)* |
150
'Host_Alias' Host_Alias (':' Host_Alias)* |
151
'Cmnd_Alias' Cmnd_Alias (':' Cmnd_Alias)*
152
153
User_Alias ::= NAME '=' User_List
154
155
Runas_Alias ::= NAME '=' Runas_List
156
157
Host_Alias ::= NAME '=' Host_List
158
159
Cmnd_Alias ::= NAME '=' Cmnd_List
160
161
NAME ::= [A-Z]([A-Z][0-9]_)*
162
163
Each _a_l_i_a_s definition is of the form
164
165
Alias_Type NAME = item1, item2, ...
166
167
where _A_l_i_a_s___T_y_p_e is one of User_Alias, Runas_Alias, Host_Alias, or
168
Cmnd_Alias. A NAME is a string of uppercase letters, numbers, and
169
underscore characters (`_'). A NAME mmuusstt start with an uppercase letter.
170
It is possible to put several alias definitions of the same type on a
171
single line, joined by a colon (`:'). E.g.,
172
173
Alias_Type NAME = item1, item2, item3 : NAME = item4, item5
174
175
The definitions of what constitutes a valid _a_l_i_a_s member follow.
176
177
User_List ::= User |
178
User ',' User_List
179
180
User ::= '!'* user name |
181
'!'* #uid |
182
'!'* %group |
183
'!'* %#gid |
184
'!'* +netgroup |
185
'!'* %:nonunix_group |
186
'!'* %:#nonunix_gid |
187
'!'* User_Alias
188
189
A User_List is made up of one or more user names, user ids (prefixed with
190
`#'), system group names and ids (prefixed with `%' and `%#'
191
respectively), netgroups (prefixed with `+'), non-Unix group names and
192
IDs (prefixed with `%:' and `%:#' respectively) and User_Aliases. Each
193
list item may be prefixed with zero or more `!' operators. An odd number
194
of `!' operators negate the value of the item; an even number just cancel
195
each other out.
196
197
A user name, uid, group, gid, netgroup, nonunix_group or nonunix_gid may
198
be enclosed in double quotes to avoid the need for escaping special
199
characters. Alternately, special characters may be specified in escaped
200
hex mode, e.g. \x20 for space. When using double quotes, any prefix
201
characters must be included inside the quotes.
202
203
The actual nonunix_group and nonunix_gid syntax depends on the underlying
204
group provider plugin (see the _g_r_o_u_p___p_l_u_g_i_n description below). For
205
instance, the QAS AD plugin supports the following formats:
206
207
oo Group in the same domain: "%:Group Name"
208
209
oo Group in any domain: "%:Group Name@FULLY.QUALIFIED.DOMAIN"
210
211
oo Group SID: "%:S-1-2-34-5678901234-5678901234-5678901234-567"
212
213
Note that quotes around group names are optional. Unquoted strings must
214
use a backslash (`\') to escape spaces and special characters. See _O_t_h_e_r
215
_s_p_e_c_i_a_l _c_h_a_r_a_c_t_e_r_s _a_n_d _r_e_s_e_r_v_e_d _w_o_r_d_s for a list of characters that need
216
to be escaped.
217
218
Runas_List ::= Runas_Member |
219
Runas_Member ',' Runas_List
220
221
Runas_Member ::= '!'* user name |
222
'!'* #uid |
223
'!'* %group |
224
'!'* %#gid |
225
'!'* %:nonunix_group |
226
'!'* %:#nonunix_gid |
227
'!'* +netgroup |
228
'!'* Runas_Alias
229
230
A Runas_List is similar to a User_List except that instead of
231
User_Aliases it can contain Runas_Aliases. Note that user names and
232
groups are matched as strings. In other words, two users (groups) with
233
the same uid (gid) are considered to be distinct. If you wish to match
234
all user names with the same uid (e.g. root and toor), you can use a uid
235
instead (#0 in the example given).
236
237
Host_List ::= Host |
238
Host ',' Host_List
239
240
Host ::= '!'* host name |
241
'!'* ip_addr |
242
'!'* network(/netmask)? |
243
'!'* +netgroup |
244
'!'* Host_Alias
245
246
A Host_List is made up of one or more host names, IP addresses, network
247
numbers, netgroups (prefixed with `+') and other aliases. Again, the
248
value of an item may be negated with the `!' operator. If you do not
249
specify a netmask along with the network number, ssuuddoo will query each of
250
the local host's network interfaces and, if the network number
251
corresponds to one of the hosts's network interfaces, the corresponding
252
netmask will be used. The netmask may be specified either in standard IP
253
address notation (e.g. 255.255.255.0 or ffff:ffff:ffff:ffff::), or CIDR
254
notation (number of bits, e.g. 24 or 64). A host name may include shell-
255
style wildcards (see the _W_i_l_d_c_a_r_d_s section below), but unless the host
256
name command on your machine returns the fully qualified host name,
257
you'll need to use the _f_q_d_n option for wildcards to be useful. Note that
258
ssuuddoo only inspects actual network interfaces; this means that IP address
259
127.0.0.1 (localhost) will never match. Also, the host name
260
``localhost'' will only match if that is the actual host name, which is
261
usually only the case for non-networked systems.
262
263
Cmnd_List ::= Cmnd |
264
Cmnd ',' Cmnd_List
265
266
command name ::= file name |
267
file name args |
268
file name '""'
269
270
Cmnd ::= '!'* command name |
271
'!'* directory |
272
'!'* "sudoedit" |
273
'!'* Cmnd_Alias
274
275
A Cmnd_List is a list of one or more command names, directories, and
276
other aliases. A command name is a fully qualified file name which may
277
include shell-style wildcards (see the _W_i_l_d_c_a_r_d_s section below). A
278
simple file name allows the user to run the command with any arguments
279
he/she wishes. However, you may also specify command line arguments
280
(including wildcards). Alternately, you can specify "" to indicate that
281
the command may only be run wwiitthhoouutt command line arguments. A directory
282
is a fully qualified path name ending in a `/'. When you specify a
283
directory in a Cmnd_List, the user will be able to run any file within
284
that directory (but not in any sub-directories therein).
285
286
If a Cmnd has associated command line arguments, then the arguments in
287
the Cmnd must match exactly those given by the user on the command line
288
(or match the wildcards if there are any). Note that the following
289
characters must be escaped with a `\' if they are used in command
290
arguments: `,', `:', `=', `\'. The special command ``sudoedit'' is used
291
to permit a user to run ssuuddoo with the --ee option (or as ssuuddooeeddiitt). It may
292
take command line arguments just as a normal command does.
299
293
300
294
DDeeffaauullttss
301
Certain configuration options may be changed from their default values
302
at runtime via one or more Default_Entry lines. These may affect all
303
users on any host, all users on a specific host, a specific user, a
304
specific command, or commands being run as a specific user. Note that
305
per-command entries may not include command line arguments. If you
306
need to specify arguments, define a Cmnd_Alias and reference that
307
instead.
308
309
Default_Type ::= 'Defaults' |
310
'Defaults' '@' Host_List |
311
'Defaults' ':' User_List |
312
'Defaults' '!' Cmnd_List |
313
'Defaults' '>' Runas_List
314
315
Default_Entry ::= Default_Type Parameter_List
316
317
Parameter_List ::= Parameter |
318
Parameter ',' Parameter_List
319
320
Parameter ::= Parameter '=' Value |
321
Parameter '+=' Value |
322
Parameter '-=' Value |
323
'!'* Parameter
324
325
Parameters may be ffllaaggss, iinntteeggeerr values, ssttrriinnggss, or lliissttss. Flags are
326
implicitly boolean and can be turned off via the '!' operator. Some
327
integer, string and list parameters may also be used in a boolean
328
context to disable them. Values may be enclosed in double quotes (")
329
when they contain multiple words. Special characters may be escaped
330
with a backslash (\).
331
332
Lists have two additional assignment operators, += and -=. These
333
operators are used to add to and delete from a list respectively. It
334
is not an error to use the -= operator to remove an element that does
335
not exist in a list.
336
337
Defaults entries are parsed in the following order: generic, host and
338
user Defaults first, then runas Defaults and finally command defaults.
339
340
See "SUDOERS OPTIONS" for a list of supported Defaults parameters.
341
342
UUsseerr SSppeecciiffiiccaattiioonn
343
User_Spec ::= User_List Host_List '=' Cmnd_Spec_List \
344
(':' Host_List '=' Cmnd_Spec_List)*
345
346
Cmnd_Spec_List ::= Cmnd_Spec |
347
Cmnd_Spec ',' Cmnd_Spec_List
348
349
Cmnd_Spec ::= Runas_Spec? SELinux_Spec? Tag_Spec* Cmnd
350
351
Runas_Spec ::= '(' Runas_List? (':' Runas_List)? ')'
352
353
SELinux_Spec ::= ('ROLE=role' | 'TYPE=type')
354
355
Tag_Spec ::= ('NOPASSWD:' | 'PASSWD:' | 'NOEXEC:' | 'EXEC:' |
356
'SETENV:' | 'NOSETENV:' | 'LOG_INPUT:' | 'NOLOG_INPUT:' |
357
'LOG_OUTPUT:' | 'NOLOG_OUTPUT:')
358
359
A uusseerr ssppeecciiffiiccaattiioonn determines which commands a user may run (and as
360
what user) on specified hosts. By default, commands are run as rroooott,
361
but this can be changed on a per-command basis.
362
363
The basic structure of a user specification is `who where = (as_whom)
364
what'. Let's break that down into its constituent parts:
295
Certain configuration options may be changed from their default values at
296
run-time via one or more Default_Entry lines. These may affect all users
297
on any host, all users on a specific host, a specific user, a specific
298
command, or commands being run as a specific user. Note that per-command
299
entries may not include command line arguments. If you need to specify
300
arguments, define a Cmnd_Alias and reference that instead.
301
302
Default_Type ::= 'Defaults' |
303
'Defaults' '@' Host_List |
304
'Defaults' ':' User_List |
305
'Defaults' '!' Cmnd_List |
306
'Defaults' '>' Runas_List
307
308
Default_Entry ::= Default_Type Parameter_List
309
310
Parameter_List ::= Parameter |
311
Parameter ',' Parameter_List
312
313
Parameter ::= Parameter '=' Value |
314
Parameter '+=' Value |
315
Parameter '-=' Value |
316
'!'* Parameter
317
318
Parameters may be ffllaaggss, iinntteeggeerr values, ssttrriinnggss, or lliissttss. Flags are
319
implicitly boolean and can be turned off via the `!' operator. Some
320
integer, string and list parameters may also be used in a boolean context
321
to disable them. Values may be enclosed in double quotes ("") when they
322
contain multiple words. Special characters may be escaped with a
323
backslash (`\').
324
325
Lists have two additional assignment operators, += and -=. These
326
operators are used to add to and delete from a list respectively. It is
327
not an error to use the -= operator to remove an element that does not
328
exist in a list.
329
330
Defaults entries are parsed in the following order: generic, host and
331
user Defaults first, then runas Defaults and finally command defaults.
332
333
See _S_U_D_O_E_R_S _O_P_T_I_O_N_S for a list of supported Defaults parameters.
334
335
UUsseerr ssppeecciiffiiccaattiioonn
336
User_Spec ::= User_List Host_List '=' Cmnd_Spec_List \
337
(':' Host_List '=' Cmnd_Spec_List)*
338
339
Cmnd_Spec_List ::= Cmnd_Spec |
340
Cmnd_Spec ',' Cmnd_Spec_List
341
342
Cmnd_Spec ::= Runas_Spec? SELinux_Spec? Solaris_Priv_Spec? Tag_Spec* Cmnd
343
344
Runas_Spec ::= '(' Runas_List? (':' Runas_List)? ')'
345
346
SELinux_Spec ::= ('ROLE=role' | 'TYPE=type')
347
348
Solaris_Priv_Spec ::= ('PRIVS=privset' | 'LIMITPRIVS=privset')
349
350
Tag_Spec ::= ('NOPASSWD:' | 'PASSWD:' | 'NOEXEC:' | 'EXEC:' |
351
'SETENV:' | 'NOSETENV:' | 'LOG_INPUT:' | 'NOLOG_INPUT:' |
352
'LOG_OUTPUT:' | 'NOLOG_OUTPUT:')
353
354
A uusseerr ssppeecciiffiiccaattiioonn determines which commands a user may run (and as
355
what user) on specified hosts. By default, commands are run as rroooott, but
356
this can be changed on a per-command basis.
357
358
The basic structure of a user specification is ``who where = (as_whom)
359
what''. Let's break that down into its constituent parts:
365
360
366
361
RRuunnaass__SSppeecc
367
A Runas_Spec determines the user and/or the group that a command may be
368
run as. A fully-specified Runas_Spec consists of two Runas_Lists (as
369
defined above) separated by a colon (':') and enclosed in a set of
370
parentheses. The first Runas_List indicates which users the command
371
may be run as via ssuuddoo's --uu option. The second defines a list of
372
groups that can be specified via ssuuddoo's --gg option. If both Runas_Lists
373
are specified, the command may be run with any combination of users and
374
groups listed in their respective Runas_Lists. If only the first is
375
specified, the command may be run as any user in the list but no --gg
376
option may be specified. If the first Runas_List is empty but the
377
second is specified, the command may be run as the invoking user with
378
the group set to any listed in the Runas_List. If no Runas_Spec is
379
specified the command may be run as rroooott and no group may be specified.
380
381
A Runas_Spec sets the default for the commands that follow it. What
382
this means is that for the entry:
383
384
dgb boulder = (operator) /bin/ls, /bin/kill, /usr/bin/lprm
385
386
The user ddggbb may run _/_b_i_n_/_l_s, _/_b_i_n_/_k_i_l_l, and _/_u_s_r_/_b_i_n_/_l_p_r_m -- but only
387
as ooppeerraattoorr. E.g.,
388
389
$ sudo -u operator /bin/ls
390
391
It is also possible to override a Runas_Spec later on in an entry. If
392
we modify the entry like so:
393
394
dgb boulder = (operator) /bin/ls, (root) /bin/kill, /usr/bin/lprm
395
396
Then user ddggbb is now allowed to run _/_b_i_n_/_l_s as ooppeerraattoorr, but _/_b_i_n_/_k_i_l_l
397
and _/_u_s_r_/_b_i_n_/_l_p_r_m as rroooott.
398
399
We can extend this to allow ddggbb to run /bin/ls with either the user or
400
group set to ooppeerraattoorr:
401
402
dgb boulder = (operator : operator) /bin/ls, (root) /bin/kill, \
403
/usr/bin/lprm
404
405
Note that while the group portion of the Runas_Spec permits the user to
406
run as command with that group, it does not force the user to do so.
407
If no group is specified on the command line, the command will run with
408
the group listed in the target user's password database entry. The
409
following would all be permitted by the sudoers entry above:
410
411
$ sudo -u operator /bin/ls
412
$ sudo -u operator -g operator /bin/ls
413
$ sudo -g operator /bin/ls
414
415
In the following example, user ttccmm may run commands that access a modem
416
device file with the dialer group.
417
418
tcm boulder = (:dialer) /usr/bin/tip, /usr/bin/cu, \
419
/usr/local/bin/minicom
420
421
Note that in this example only the group will be set, the command still
422
runs as user ttccmm. E.g.
423
424
$ sudo -g dialer /usr/bin/cu
425
426
Multiple users and groups may be present in a Runas_Spec, in which case
427
the user may select any combination of users and groups via the --uu and
428
--gg options. In this example:
429
430
alan ALL = (root, bin : operator, system) ALL
431
432
user aallaann may run any command as either user root or bin, optionally
433
setting the group to operator or system.
362
A Runas_Spec determines the user and/or the group that a command may be
363
run as. A fully-specified Runas_Spec consists of two Runas_Lists (as
364
defined above) separated by a colon (`:') and enclosed in a set of
365
parentheses. The first Runas_List indicates which users the command may
366
be run as via ssuuddoo's --uu option. The second defines a list of groups that
367
can be specified via ssuuddoo's --gg option. If both Runas_Lists are
368
specified, the command may be run with any combination of users and
369
groups listed in their respective Runas_Lists. If only the first is
370
specified, the command may be run as any user in the list but no --gg
371
option may be specified. If the first Runas_List is empty but the second
372
is specified, the command may be run as the invoking user with the group
373
set to any listed in the Runas_List. If both Runas_Lists are empty, the
374
command may only be run as the invoking user. If no Runas_Spec is
375
specified the command may be run as rroooott and no group may be specified.
376
377
A Runas_Spec sets the default for the commands that follow it. What this
378
means is that for the entry:
379
380
dgb boulder = (operator) /bin/ls, /bin/kill, /usr/bin/lprm
381
382
The user ddggbb may run _/_b_i_n_/_l_s, _/_b_i_n_/_k_i_l_l, and _/_u_s_r_/_b_i_n_/_l_p_r_m--but only as
383
ooppeerraattoorr. E.g.,
384
385
$ sudo -u operator /bin/ls
386
387
It is also possible to override a Runas_Spec later on in an entry. If we
388
modify the entry like so:
389
390
dgb boulder = (operator) /bin/ls, (root) /bin/kill, /usr/bin/lprm
391
392
Then user ddggbb is now allowed to run _/_b_i_n_/_l_s as ooppeerraattoorr, but _/_b_i_n_/_k_i_l_l
393
and _/_u_s_r_/_b_i_n_/_l_p_r_m as rroooott.
394
395
We can extend this to allow ddggbb to run /bin/ls with either the user or
396
group set to ooppeerraattoorr:
397
398
dgb boulder = (operator : operator) /bin/ls, (root) /bin/kill,\
399
/usr/bin/lprm
400
401
Note that while the group portion of the Runas_Spec permits the user to
402
run as command with that group, it does not force the user to do so. If
403
no group is specified on the command line, the command will run with the
404
group listed in the target user's password database entry. The following
405
would all be permitted by the sudoers entry above:
406
407
$ sudo -u operator /bin/ls
408
$ sudo -u operator -g operator /bin/ls
409
$ sudo -g operator /bin/ls
410
411
In the following example, user ttccmm may run commands that access a modem
412
device file with the dialer group.
413
414
tcm boulder = (:dialer) /usr/bin/tip, /usr/bin/cu,\
415
/usr/local/bin/minicom
416
417
Note that in this example only the group will be set, the command still
418
runs as user ttccmm. E.g.
419
420
$ sudo -g dialer /usr/bin/cu
421
422
Multiple users and groups may be present in a Runas_Spec, in which case
423
the user may select any combination of users and groups via the --uu and --gg
424
options. In this example:
425
426
alan ALL = (root, bin : operator, system) ALL
427
428
user aallaann may run any command as either user root or bin, optionally
429
setting the group to operator or system.
434
430
435
431
SSEELLiinnuuxx__SSppeecc
436
On systems with SELinux support, _s_u_d_o_e_r_s entries may optionally have an
437
SELinux role and/or type associated with a command. If a role or type
438
is specified with the command it will override any default values
439
specified in _s_u_d_o_e_r_s. A role or type specified on the command line,
440
however, will supercede the values in _s_u_d_o_e_r_s.
432
On systems with SELinux support, _s_u_d_o_e_r_s entries may optionally have an
433
SELinux role and/or type associated with a command. If a role or type is
434
specified with the command it will override any default values specified
435
in _s_u_d_o_e_r_s. A role or type specified on the command line, however, will
436
supersede the values in _s_u_d_o_e_r_s.
437
438
SSoollaarriiss__PPrriivv__SSppeecc
439
On Solaris systems, _s_u_d_o_e_r_s entries may optionally specify Solaris
440
privilege set and/or limit privilege set associated with a command. If
441
privileges or limit privileges are specified with the command it will
442
override any default values specified in _s_u_d_o_e_r_s.
443
444
A privilege set is a comma-separated list of privilege names. The
445
ppriv(1) command can be used to list all privileges known to the system.
446
For example:
447
448
$ ppriv -l
449
450
In addition, there are several ``special'' privilege strings:
451
452
none the empty set
453
454
all the set of all privileges
455
456
zone the set of all privileges available in the current zone
457
458
basic the default set of privileges normal users are granted at login
459
time
460
461
Privileges can be excluded from a set by prefixing the privilege name
462
with either an `!' or `-' character.
441
463
442
464
TTaagg__SSppeecc
443
A command may have zero or more tags associated with it. There are
444
eight possible tag values, NOPASSWD, PASSWD, NOEXEC, EXEC, SETENV,
445
NOSETENV, LOG_INPUT, NOLOG_INPUT, LOG_OUTPUT and NOLOG_OUTPUT. Once a
446
tag is set on a Cmnd, subsequent Cmnds in the Cmnd_Spec_List, inherit
447
the tag unless it is overridden by the opposite tag (i.e.: PASSWD
448
overrides NOPASSWD and NOEXEC overrides EXEC).
449
450
_N_O_P_A_S_S_W_D _a_n_d _P_A_S_S_W_D
451
452
By default, ssuuddoo requires that a user authenticate him or herself
453
before running a command. This behavior can be modified via the
454
NOPASSWD tag. Like a Runas_Spec, the NOPASSWD tag sets a default for
455
the commands that follow it in the Cmnd_Spec_List. Conversely, the
456
PASSWD tag can be used to reverse things. For example:
457
458
ray rushmore = NOPASSWD: /bin/kill, /bin/ls, /usr/bin/lprm
459
460
would allow the user rraayy to run _/_b_i_n_/_k_i_l_l, _/_b_i_n_/_l_s, and _/_u_s_r_/_b_i_n_/_l_p_r_m
461
as rroooott on the machine rushmore without authenticating himself. If we
462
only want rraayy to be able to run _/_b_i_n_/_k_i_l_l without a password the entry
463
would be:
464
465
ray rushmore = NOPASSWD: /bin/kill, PASSWD: /bin/ls, /usr/bin/lprm
466
467
Note, however, that the PASSWD tag has no effect on users who are in
468
the group specified by the _e_x_e_m_p_t___g_r_o_u_p option.
469
470
By default, if the NOPASSWD tag is applied to any of the entries for a
471
user on the current host, he or she will be able to run sudo -l without
472
a password. Additionally, a user may only run sudo -v without a
473
password if the NOPASSWD tag is present for all a user's entries that
474
pertain to the current host. This behavior may be overridden via the
475
verifypw and listpw options.
476
477
_N_O_E_X_E_C _a_n_d _E_X_E_C
478
479
If ssuuddoo has been compiled with _n_o_e_x_e_c support and the underlying
480
operating system supports it, the NOEXEC tag can be used to prevent a
481
dynamically-linked executable from running further commands itself.
482
483
In the following example, user aaaarroonn may run _/_u_s_r_/_b_i_n_/_m_o_r_e and
484
_/_u_s_r_/_b_i_n_/_v_i but shell escapes will be disabled.
485
486
aaron shanty = NOEXEC: /usr/bin/more, /usr/bin/vi
487
488
See the "Preventing Shell Escapes" section below for more details on
489
how NOEXEC works and whether or not it will work on your system.
490
491
_S_E_T_E_N_V _a_n_d _N_O_S_E_T_E_N_V
492
493
These tags override the value of the _s_e_t_e_n_v option on a per-command
494
basis. Note that if SETENV has been set for a command, the user may
495
disable the _e_n_v___r_e_s_e_t option from the command line via the --EE option.
496
Additionally, environment variables set on the command line are not
497
subject to the restrictions imposed by _e_n_v___c_h_e_c_k, _e_n_v___d_e_l_e_t_e, or
498
_e_n_v___k_e_e_p. As such, only trusted users should be allowed to set
499
variables in this manner. If the command matched is AALLLL, the SETENV
500
tag is implied for that command; this default may be overridden by use
501
of the NOSETENV tag.
502
503
_L_O_G___I_N_P_U_T _a_n_d _N_O_L_O_G___I_N_P_U_T
504
505
These tags override the value of the _l_o_g___i_n_p_u_t option on a per-command
506
basis. For more information, see the description of _l_o_g___i_n_p_u_t in the
507
"SUDOERS OPTIONS" section below.
508
509
_L_O_G___O_U_T_P_U_T _a_n_d _N_O_L_O_G___O_U_T_P_U_T
510
511
These tags override the value of the _l_o_g___o_u_t_p_u_t option on a per-command
512
basis. For more information, see the description of _l_o_g___o_u_t_p_u_t in the
513
"SUDOERS OPTIONS" section below.
465
A command may have zero or more tags associated with it. There are ten
466
possible tag values: NOPASSWD, PASSWD, NOEXEC, EXEC, SETENV, NOSETENV,
467
LOG_INPUT, NOLOG_INPUT, LOG_OUTPUT and NOLOG_OUTPUT. Once a tag is set
468
on a Cmnd, subsequent Cmnds in the Cmnd_Spec_List, inherit the tag unless
469
it is overridden by the opposite tag (in other words, PASSWD overrides
470
NOPASSWD and NOEXEC overrides EXEC).
471
472
_N_O_P_A_S_S_W_D _a_n_d _P_A_S_S_W_D
473
474
By default, ssuuddoo requires that a user authenticate him or herself before
475
running a command. This behavior can be modified via the NOPASSWD tag.
476
Like a Runas_Spec, the NOPASSWD tag sets a default for the commands that
477
follow it in the Cmnd_Spec_List. Conversely, the PASSWD tag can be used
478
to reverse things. For example:
479
480
ray rushmore = NOPASSWD: /bin/kill, /bin/ls, /usr/bin/lprm
481
482
would allow the user rraayy to run _/_b_i_n_/_k_i_l_l, _/_b_i_n_/_l_s, and _/_u_s_r_/_b_i_n_/_l_p_r_m as
483
rroooott on the machine rushmore without authenticating himself. If we only
484
want rraayy to be able to run _/_b_i_n_/_k_i_l_l without a password the entry would
485
be:
486
487
ray rushmore = NOPASSWD: /bin/kill, PASSWD: /bin/ls, /usr/bin/lprm
488
489
Note, however, that the PASSWD tag has no effect on users who are in the
490
group specified by the _e_x_e_m_p_t___g_r_o_u_p option.
491
492
By default, if the NOPASSWD tag is applied to any of the entries for a
493
user on the current host, he or she will be able to run ``sudo -l''
494
without a password. Additionally, a user may only run ``sudo -v''
495
without a password if the NOPASSWD tag is present for all a user's
496
entries that pertain to the current host. This behavior may be
497
overridden via the _v_e_r_i_f_y_p_w and _l_i_s_t_p_w options.
498
499
_N_O_E_X_E_C _a_n_d _E_X_E_C
500
501
If ssuuddoo has been compiled with _n_o_e_x_e_c support and the underlying
502
operating system supports it, the NOEXEC tag can be used to prevent a
503
dynamically-linked executable from running further commands itself.
504
505
In the following example, user aaaarroonn may run _/_u_s_r_/_b_i_n_/_m_o_r_e and
506
_/_u_s_r_/_b_i_n_/_v_i but shell escapes will be disabled.
507
508
aaron shanty = NOEXEC: /usr/bin/more, /usr/bin/vi
509
510
See the _P_r_e_v_e_n_t_i_n_g _s_h_e_l_l _e_s_c_a_p_e_s section below for more details on how
511
NOEXEC works and whether or not it will work on your system.
512
513
_S_E_T_E_N_V _a_n_d _N_O_S_E_T_E_N_V
514
515
These tags override the value of the _s_e_t_e_n_v option on a per-command
516
basis. Note that if SETENV has been set for a command, the user may
517
disable the _e_n_v___r_e_s_e_t option from the command line via the --EE option.
518
Additionally, environment variables set on the command line are not
519
subject to the restrictions imposed by _e_n_v___c_h_e_c_k, _e_n_v___d_e_l_e_t_e, or
520
_e_n_v___k_e_e_p. As such, only trusted users should be allowed to set variables
521
in this manner. If the command matched is AALLLL, the SETENV tag is implied
522
for that command; this default may be overridden by use of the NOSETENV
523
tag.
524
525
_L_O_G___I_N_P_U_T _a_n_d _N_O_L_O_G___I_N_P_U_T
526
527
These tags override the value of the _l_o_g___i_n_p_u_t option on a per-command
528
basis. For more information, see the description of _l_o_g___i_n_p_u_t in the
529
_S_U_D_O_E_R_S _O_P_T_I_O_N_S section below.
530
531
_L_O_G___O_U_T_P_U_T _a_n_d _N_O_L_O_G___O_U_T_P_U_T
532
533
These tags override the value of the _l_o_g___o_u_t_p_u_t option on a per-command
534
basis. For more information, see the description of _l_o_g___o_u_t_p_u_t in the
535
_S_U_D_O_E_R_S _O_P_T_I_O_N_S section below.
514
536
515
537
WWiillddccaarrddss
516
ssuuddoo allows shell-style _w_i_l_d_c_a_r_d_s (aka meta or glob characters) to be
517
used in host names, path names and command line arguments in the
518
_s_u_d_o_e_r_s file. Wildcard matching is done via the PPOOSSIIXX _g_l_o_b(3) and
519
_f_n_m_a_t_c_h(3) routines. Note that these are _n_o_t regular expressions.
520
521
* Matches any set of zero or more characters.
522
523
? Matches any single character.
524
525
[...] Matches any character in the specified range.
526
527
[!...] Matches any character nnoott in the specified range.
528
529
\x For any character "x", evaluates to "x". This is used to
530
escape special characters such as: "*", "?", "[", and "}".
531
532
POSIX character classes may also be used if your system's _g_l_o_b(3) and
533
_f_n_m_a_t_c_h(3) functions support them. However, because the ':' character
534
has special meaning in _s_u_d_o_e_r_s, it must be escaped. For example:
535
536
/bin/ls [[\:alpha\:]]*
537
538
Would match any file name beginning with a letter.
539
540
Note that a forward slash ('/') will nnoott be matched by wildcards used
541
in the path name. When matching the command line arguments, however, a
542
slash ddooeess get matched by wildcards. This is to make a path like:
543
544
/usr/bin/*
545
546
match _/_u_s_r_/_b_i_n_/_w_h_o but not _/_u_s_r_/_b_i_n_/_X_1_1_/_x_t_e_r_m.
538
ssuuddoo allows shell-style _w_i_l_d_c_a_r_d_s (aka meta or glob characters) to be
539
used in host names, path names and command line arguments in the _s_u_d_o_e_r_s
540
file. Wildcard matching is done via the PPOOSSIIXX glob(3) and fnmatch(3)
541
routines. Note that these are _n_o_t regular expressions.
542
543
* Matches any set of zero or more characters.
544
545
? Matches any single character.
546
547
[...] Matches any character in the specified range.
548
549
[!...] Matches any character nnoott in the specified range.
550
551
\x For any character `x', evaluates to `x'. This is used to
552
escape special characters such as: `*', `?', `[', and `]'.
553
554
POSIX character classes may also be used if your system's glob(3) and
555
fnmatch(3) functions support them. However, because the `:' character
556
has special meaning in _s_u_d_o_e_r_s, it must be escaped. For example:
557
558
/bin/ls [[:alpha:]]*
559
560
Would match any file name beginning with a letter.
561
562
Note that a forward slash (`/') will nnoott be matched by wildcards used in
563
the path name. This is to make a path like:
564
565
/usr/bin/*
566
567
match _/_u_s_r_/_b_i_n_/_w_h_o but not _/_u_s_r_/_b_i_n_/_X_1_1_/_x_t_e_r_m.
568
569
When matching the command line arguments, however, a slash ddooeess get
570
matched by wildcards since command line arguments may contain arbitrary
571
strings and not just path names.
572
573
Wildcards in command line arguments should be used with care. Because
574
command line arguments are matched as a single, concatenated string, a
575
wildcard such as `?' or `*' can match multiple words. For example, while
576
a sudoers entry like:
577
578
%operator ALL = /bin/cat /var/log/messages*
579
580
will allow command like:
581
582
$ sudo cat /var/log/messages.1
583
584
It will also allow:
585
586
$ sudo cat /var/log/messages /etc/shadow
587
588
which is probably not what was intended.
547
589
548
590
EExxcceeppttiioonnss ttoo wwiillddccaarrdd rruulleess
549
The following exceptions apply to the above rules:
591
The following exceptions apply to the above rules:
550
592
551
"" If the empty string "" is the only command line argument in the
593
"" If the empty string "" is the only command line argument in the
552
594
_s_u_d_o_e_r_s entry it means that command is not allowed to be run
553
595
with aannyy arguments.
554
596
597
sudoedit Command line arguments to the _s_u_d_o_e_d_i_t built-in command should
598
always be path names, so a forward slash (`/') will not be
599
matched by a wildcard.
600
555
601
IInncclluuddiinngg ootthheerr ffiilleess ffrroomm wwiitthhiinn ssuuddooeerrss
556
It is possible to include other _s_u_d_o_e_r_s files from within the _s_u_d_o_e_r_s
557
file currently being parsed using the #include and #includedir
558
directives.
559
560
This can be used, for example, to keep a site-wide _s_u_d_o_e_r_s file in
561
addition to a local, per-machine file. For the sake of this example
562
the site-wide _s_u_d_o_e_r_s will be _/_e_t_c_/_s_u_d_o_e_r_s and the per-machine one will
563
be _/_e_t_c_/_s_u_d_o_e_r_s_._l_o_c_a_l. To include _/_e_t_c_/_s_u_d_o_e_r_s_._l_o_c_a_l from within
564
_/_e_t_c_/_s_u_d_o_e_r_s we would use the following line in _/_e_t_c_/_s_u_d_o_e_r_s:
565
566
#include /etc/sudoers.local
567
568
When ssuuddoo reaches this line it will suspend processing of the current
569
file (_/_e_t_c_/_s_u_d_o_e_r_s) and switch to _/_e_t_c_/_s_u_d_o_e_r_s_._l_o_c_a_l. Upon reaching
570
the end of _/_e_t_c_/_s_u_d_o_e_r_s_._l_o_c_a_l, the rest of _/_e_t_c_/_s_u_d_o_e_r_s will be
571
processed. Files that are included may themselves include other files.
572
A hard limit of 128 nested include files is enforced to prevent include
573
file loops.
574
575
If the path to the include file is not fully-qualified (does not begin
576
with a _/), it must be located in the same directory as the sudoers file
577
it was included from. For example, if _/_e_t_c_/_s_u_d_o_e_r_s contains the line:
578
579
#include sudoers.local
580
581
the file that will be included is _/_e_t_c_/_s_u_d_o_e_r_s_._l_o_c_a_l.
582
583
The file name may also include the %h escape, signifying the short form
584
of the host name. I.e., if the machine's host name is "xerxes", then
585
586
#include /etc/sudoers.%h
587
588
will cause ssuuddoo to include the file _/_e_t_c_/_s_u_d_o_e_r_s_._x_e_r_x_e_s.
589
590
The #includedir directive can be used to create a _s_u_d_o_._d directory that
591
the system package manager can drop _s_u_d_o_e_r_s rules into as part of
592
package installation. For example, given:
593
594
#includedir /etc/sudoers.d
595
596
ssuuddoo will read each file in _/_e_t_c_/_s_u_d_o_e_r_s_._d, skipping file names that
597
end in ~ or contain a . character to avoid causing problems with
598
package manager or editor temporary/backup files. Files are parsed in
599
sorted lexical order. That is, _/_e_t_c_/_s_u_d_o_e_r_s_._d_/_0_1___f_i_r_s_t will be parsed
600
before _/_e_t_c_/_s_u_d_o_e_r_s_._d_/_1_0___s_e_c_o_n_d. Be aware that because the sorting is
601
lexical, not numeric, _/_e_t_c_/_s_u_d_o_e_r_s_._d_/_1___w_h_o_o_p_s would be loaded aafftteerr
602
_/_e_t_c_/_s_u_d_o_e_r_s_._d_/_1_0___s_e_c_o_n_d. Using a consistent number of leading zeroes
603
in the file names can be used to avoid such problems.
604
605
Note that unlike files included via #include, vviissuuddoo will not edit the
606
files in a #includedir directory unless one of them contains a syntax
607
error. It is still possible to run vviissuuddoo with the -f flag to edit the
608
files directly.
602
It is possible to include other _s_u_d_o_e_r_s files from within the _s_u_d_o_e_r_s
603
file currently being parsed using the #include and #includedir
604
directives.
605
606
This can be used, for example, to keep a site-wide _s_u_d_o_e_r_s file in
607
addition to a local, per-machine file. For the sake of this example the
608
site-wide _s_u_d_o_e_r_s will be _/_e_t_c_/_s_u_d_o_e_r_s and the per-machine one will be
609
_/_e_t_c_/_s_u_d_o_e_r_s_._l_o_c_a_l. To include _/_e_t_c_/_s_u_d_o_e_r_s_._l_o_c_a_l from within
610
_/_e_t_c_/_s_u_d_o_e_r_s we would use the following line in _/_e_t_c_/_s_u_d_o_e_r_s:
611
612
#include /etc/sudoers.local
613
614
When ssuuddoo reaches this line it will suspend processing of the current
615
file (_/_e_t_c_/_s_u_d_o_e_r_s) and switch to _/_e_t_c_/_s_u_d_o_e_r_s_._l_o_c_a_l. Upon reaching the
616
end of _/_e_t_c_/_s_u_d_o_e_r_s_._l_o_c_a_l, the rest of _/_e_t_c_/_s_u_d_o_e_r_s will be processed.
617
Files that are included may themselves include other files. A hard limit
618
of 128 nested include files is enforced to prevent include file loops.
619
620
If the path to the include file is not fully-qualified (does not begin
621
with a `/', it must be located in the same directory as the sudoers file
622
it was included from. For example, if _/_e_t_c_/_s_u_d_o_e_r_s contains the line:
623
624
#include sudoers.local
625
626
the file that will be included is _/_e_t_c_/_s_u_d_o_e_r_s_._l_o_c_a_l.
627
628
The file name may also include the %h escape, signifying the short form
629
of the host name. In other words, if the machine's host name is
630
``xerxes'', then
631
632
#include /etc/sudoers.%h
633
634
will cause ssuuddoo to include the file _/_e_t_c_/_s_u_d_o_e_r_s_._x_e_r_x_e_s.
635
636
The #includedir directive can be used to create a _s_u_d_o_._d directory that
637
the system package manager can drop _s_u_d_o_e_r_s rules into as part of package
638
installation. For example, given:
639
640
#includedir /etc/sudoers.d
641
642
ssuuddoo will read each file in _/_e_t_c_/_s_u_d_o_e_r_s_._d, skipping file names that end
643
in `~' or contain a `.' character to avoid causing problems with package
644
manager or editor temporary/backup files. Files are parsed in sorted
645
lexical order. That is, _/_e_t_c_/_s_u_d_o_e_r_s_._d_/_0_1___f_i_r_s_t will be parsed before
646
_/_e_t_c_/_s_u_d_o_e_r_s_._d_/_1_0___s_e_c_o_n_d. Be aware that because the sorting is lexical,
647
not numeric, _/_e_t_c_/_s_u_d_o_e_r_s_._d_/_1___w_h_o_o_p_s would be loaded aafftteerr
648
_/_e_t_c_/_s_u_d_o_e_r_s_._d_/_1_0___s_e_c_o_n_d. Using a consistent number of leading zeroes in
649
the file names can be used to avoid such problems.
650
651
Note that unlike files included via #include, vviissuuddoo will not edit the
652
files in a #includedir directory unless one of them contains a syntax
653
error. It is still possible to run vviissuuddoo with the --ff flag to edit the
654
files directly.
609
655
610
656
OOtthheerr ssppeecciiaall cchhaarraacctteerrss aanndd rreesseerrvveedd wwoorrddss
611
The pound sign ('#') is used to indicate a comment (unless it is part
612
of a #include directive or unless it occurs in the context of a user
613
name and is followed by one or more digits, in which case it is treated
614
as a uid). Both the comment character and any text after it, up to the
615
end of the line, are ignored.
616
617
The reserved word AALLLL is a built-in _a_l_i_a_s that always causes a match to
618
succeed. It can be used wherever one might otherwise use a Cmnd_Alias,
619
User_Alias, Runas_Alias, or Host_Alias. You should not try to define
620
your own _a_l_i_a_s called AALLLL as the built-in alias will be used in
621
preference to your own. Please note that using AALLLL can be dangerous
622
since in a command context, it allows the user to run aannyy command on
623
the system.
624
625
An exclamation point ('!') can be used as a logical _n_o_t operator both
626
in an _a_l_i_a_s and in front of a Cmnd. This allows one to exclude certain
627
values. Note, however, that using a ! in conjunction with the built-in
628
ALL alias to allow a user to run "all but a few" commands rarely works
629
as intended (see SECURITY NOTES below).
630
631
Long lines can be continued with a backslash ('\') as the last
632
character on the line.
633
634
Whitespace between elements in a list as well as special syntactic
635
characters in a _U_s_e_r _S_p_e_c_i_f_i_c_a_t_i_o_n ('=', ':', '(', ')') is optional.
636
637
The following characters must be escaped with a backslash ('\') when
638
used as part of a word (e.g. a user name or host name): '!', '=', ':',
639
',', '(', ')', '\'.
657
The pound sign (`#') is used to indicate a comment (unless it is part of
658
a #include directive or unless it occurs in the context of a user name
659
and is followed by one or more digits, in which case it is treated as a
660
uid). Both the comment character and any text after it, up to the end of
661
the line, are ignored.
662
663
The reserved word AALLLL is a built-in _a_l_i_a_s that always causes a match to
664
succeed. It can be used wherever one might otherwise use a Cmnd_Alias,
665
User_Alias, Runas_Alias, or Host_Alias. You should not try to define
666
your own _a_l_i_a_s called AALLLL as the built-in alias will be used in
667
preference to your own. Please note that using AALLLL can be dangerous
668
since in a command context, it allows the user to run aannyy command on the
669
system.
670
671
An exclamation point (`!') can be used as a logical _n_o_t operator both in
672
an _a_l_i_a_s and in front of a Cmnd. This allows one to exclude certain
673
values. Note, however, that using a `!' in conjunction with the built-in
674
AALLLL alias to allow a user to run ``all but a few'' commands rarely works
675
as intended (see _S_E_C_U_R_I_T_Y _N_O_T_E_S below).
676
677
Long lines can be continued with a backslash (`\') as the last character
678
on the line.
679
680
White space between elements in a list as well as special syntactic
681
characters in a _U_s_e_r _S_p_e_c_i_f_i_c_a_t_i_o_n (`=', `:', `(', `)') is optional.
682
683
The following characters must be escaped with a backslash (`\') when used
684
as part of a word (e.g. a user name or host name): `!', `=', `:', `,',
685
`(', `)', `\'.
640
686
641
687
SSUUDDOOEERRSS OOPPTTIIOONNSS
642
ssuuddoo's behavior can be modified by Default_Entry lines, as explained
643
earlier. A list of all supported Defaults parameters, grouped by type,
644
are listed below.
645
646
BBoooolleeaann FFllaaggss:
647
648
always_set_home If enabled, ssuuddoo will set the HOME environment variable
688
ssuuddoo's behavior can be modified by Default_Entry lines, as explained
689
earlier. A list of all supported Defaults parameters, grouped by type,
690
are listed below.
691
692
BBoooolleeaann FFllaaggss:
693
694
always_set_home If enabled, ssuuddoo will set the HOME environment variable
649
695
to the home directory of the target user (which is root
650
696
unless the --uu option is used). This effectively means
651
697
that the --HH option is always implied. Note that HOME
655
701
HOME is present in the _e_n_v___k_e_e_p list. This flag is _o_f_f
656
702
by default.
657
703
658
authenticate If set, users must authenticate themselves via a
704
authenticate If set, users must authenticate themselves via a
659
705
password (or other means of authentication) before they
660
706
may run commands. This default may be overridden via
661
707
the PASSWD and NOPASSWD tags. This flag is _o_n by
662
708
default.
663
709
664
closefrom_override
710
closefrom_override
665
711
If set, the user may use ssuuddoo's --CC option which
666
712
overrides the default starting point at which ssuuddoo
667
713
begins closing open file descriptors. This flag is _o_f_f
668
714
by default.
669
715
670
compress_io If set, and ssuuddoo is configured to log a command's input
716
compress_io If set, and ssuuddoo is configured to log a command's input
671
717
or output, the I/O logs will be compressed using zzlliibb.
672
718
This flag is _o_n by default when ssuuddoo is compiled with
673
719
zzlliibb support.
674
720
675
env_editor If set, vviissuuddoo will use the value of the EDITOR or
721
env_editor If set, vviissuuddoo will use the value of the EDITOR or
676
722
VISUAL environment variables before falling back on the
677
723
default editor list. Note that this may create a
678
724
security hole as it allows the user to run any
682
728
use the EDITOR or VISUAL if they match a value
683
729
specified in editor. This flag is _o_f_f by default.
684
730
685
env_reset If set, ssuuddoo will run the command in a minimal
731
env_reset If set, ssuuddoo will run the command in a minimal
686
732
environment containing the TERM, PATH, HOME, MAIL,
687
733
SHELL, LOGNAME, USER, USERNAME and SUDO_* variables.
688
734
Any variables in the caller's environment that match
690
736
followed by any variables present in the file specified
691
737
by the _e_n_v___f_i_l_e option (if any). The default contents
692
738
of the env_keep and env_check lists are displayed when
693
ssuuddoo is run by root with the _-_V option. If the
739
ssuuddoo is run by root with the --VV option. If the
694
740
_s_e_c_u_r_e___p_a_t_h option is set, its value will be used for
695
741
the PATH environment variable. This flag is _o_n by
696
742
default.
697
743
698
fast_glob Normally, ssuuddoo uses the _g_l_o_b(3) function to do shell-
744
fast_glob Normally, ssuuddoo uses the glob(3) function to do shell-
699
745
style globbing when matching path names. However,
700
since it accesses the file system, _g_l_o_b(3) can take a
746
since it accesses the file system, glob(3) can take a
701
747
long time to complete for some patterns, especially
702
748
when the pattern references a network file system that
703
is mounted on demand (automounted). The _f_a_s_t___g_l_o_b
704
option causes ssuuddoo to use the _f_n_m_a_t_c_h(3) function,
749
is mounted on demand (auto mounted). The _f_a_s_t___g_l_o_b
750
option causes ssuuddoo to use the fnmatch(3) function,
705
751
which does not access the file system to do its
706
752
matching. The disadvantage of _f_a_s_t___g_l_o_b is that it is
707
753
unable to match relative path names such as _._/_l_s or
708
754
_._._/_b_i_n_/_l_s. This has security implications when path
709
755
names that include globbing characters are used with
710
the negation operator, '!', as such rules can be
756
the negation operator, `!', as such rules can be
711
757
trivially bypassed. As such, this option should not be
712
758
used when _s_u_d_o_e_r_s contains rules that contain negated
713
759
path names which include globbing characters. This
714
760
flag is _o_f_f by default.
715
761
716
fqdn Set this flag if you want to put fully qualified host
717
names in the _s_u_d_o_e_r_s file. I.e., instead of myhost you
762
fqdn Set this flag if you want to put fully qualified host
763
names in the _s_u_d_o_e_r_s file when the local host name (as
764
returned by the hostname command) does not contain the
765
domain name. In other words, instead of myhost you
718
766
would use myhost.mydomain.edu. You may still use the
719
short form if you wish (and even mix the two). Beware
720
that turning on _f_q_d_n requires ssuuddoo to make DNS lookups
721
which may make ssuuddoo unusable if DNS stops working (for
722
example if the machine is not plugged into the
723
network). Also note that you must use the host's
724
official name as DNS knows it. That is, you may not
725
use a host alias (CNAME entry) due to performance
726
issues and the fact that there is no way to get all
727
aliases from DNS. If your machine's host name (as
728
returned by the hostname command) is already fully
729
qualified you shouldn't need to set _f_q_d_n. This flag is
730
_o_f_f by default.
731
732
ignore_dot If set, ssuuddoo will ignore '.' or '' (current dir) in the
733
PATH environment variable; the PATH itself is not
734
modified. This flag is _o_f_f by default.
735
736
ignore_local_sudoers
767
short form if you wish (and even mix the two). This
768
option is only effective when the ``canonical'' host
769
name, as returned by the ggeettaaddddrriinnffoo() or
770
ggeetthhoossttbbyynnaammee() function, is a fully-qualified domain
771
name. This is usually the case when the system is
772
configured to use DNS for host name resolution.
773
774
If the system is configured to use the _/_e_t_c_/_h_o_s_t_s file
775
in preference to DNS, the ``canonical'' host name may
776
not be fully-qualified. The order that sources are
777
queried for hosts name resolution is usually specified
778
in the _/_e_t_c_/_n_s_s_w_i_t_c_h_._c_o_n_f, _/_e_t_c_/_n_e_t_s_v_c_._c_o_n_f,
779
_/_e_t_c_/_h_o_s_t_._c_o_n_f, or, in some cases, _/_e_t_c_/_r_e_s_o_l_v_._c_o_n_f
780
file. In the _/_e_t_c_/_h_o_s_t_s file, the first host name of
781
the entry is considered to be the ``canonical'' name;
782
subsequent names are aliases that are not used by
783
ssuuddooeerrss. For example, the following hosts file line
784
for the machine ``xyzzy'' has the fully-qualified
785
domain name as the ``canonical'' host name, and the
786
short version as an alias.
787
788
192.168.1.1 xyzzy.sudo.ws xyzzy
789
790
If the machine's hosts file entry is not formatted
791
properly, the _f_q_d_n option will not be effective if it
792
is queried before DNS.
793
794
Beware that when using DNS for host name resolution,
795
turning on _f_q_d_n requires ssuuddooeerrss to make DNS lookups
796
which renders ssuuddoo unusable if DNS stops working (for
797
example if the machine is disconnected from the
798
network). Also note that just like with the hosts
799
file, you must use the ``canonical'' name as DNS knows
800
it. That is, you may not use a host alias (CNAME
801
entry) due to performance issues and the fact that
802
there is no way to get all aliases from DNS.
803
804
This flag is _o_f_f by default.
805
806
ignore_dot If set, ssuuddoo will ignore "." or "" (both denoting
807
current directory) in the PATH environment variable;
808
the PATH itself is not modified. This flag is _o_f_f by
809
default.
810
811
ignore_local_sudoers
737
812
If set via LDAP, parsing of _/_e_t_c_/_s_u_d_o_e_r_s will be
738
813
skipped. This is intended for Enterprises that wish to
739
814
prevent the usage of local sudoers files so that only
740
815
LDAP is used. This thwarts the efforts of rogue
741
816
operators who would attempt to add roles to
742
817
_/_e_t_c_/_s_u_d_o_e_r_s. When this option is present,
743
_/_e_t_c_/_s_u_d_o_e_r_s does not even need to exist. Since this
818
_/_e_t_c_/_s_u_d_o_e_r_s does not even need to exist. Since this
744
819
option tells ssuuddoo how to behave when no specific LDAP
745
820
entries have been matched, this sudoOption is only
746
821
meaningful for the cn=defaults section. This flag is
747
822
_o_f_f by default.
748
823
749
insults If set, ssuuddoo will insult users when they enter an
824
insults If set, ssuuddoo will insult users when they enter an
750
825
incorrect password. This flag is _o_f_f by default.
751
826
752
log_host If set, the host name will be logged in the (non-
827
log_host If set, the host name will be logged in the (non-
753
828
syslog) ssuuddoo log file. This flag is _o_f_f by default.
754
829
755
log_input If set, ssuuddoo will run the command in a _p_s_e_u_d_o _t_t_y and
830
log_input If set, ssuuddoo will run the command in a _p_s_e_u_d_o _t_t_y and
756
831
log all user input. If the standard input is not
757
832
connected to the user's tty, due to I/O redirection or
758
833
because the command is part of a pipeline, that input
761
836
Input is logged to the directory specified by the
762
837
_i_o_l_o_g___d_i_r option (_/_v_a_r_/_l_o_g_/_s_u_d_o_-_i_o by default) using a
763
838
unique session ID that is included in the normal ssuuddoo
764
log line, prefixed with _T_S_I_D_=. The _i_o_l_o_g___f_i_l_e option
765
may be used to control the format of the session ID.
839
log line, prefixed with ``TSID=''. The _i_o_l_o_g___f_i_l_e
840
option may be used to control the format of the session
841
ID.
766
842
767
843
Note that user input may contain sensitive information
768
844
such as passwords (even if they are not echoed to the
770
846
unencrypted. In most cases, logging the command output
771
847
via _l_o_g___o_u_t_p_u_t is all that is required.
772
848
773
log_output If set, ssuuddoo will run the command in a _p_s_e_u_d_o _t_t_y and
849
log_output If set, ssuuddoo will run the command in a _p_s_e_u_d_o _t_t_y and
774
850
log all output that is sent to the screen, similar to
775
the _s_c_r_i_p_t(1) command. If the standard output or
851
the script(1) command. If the standard output or
776
852
standard error is not connected to the user's tty, due
777
853
to I/O redirection or because the command is part of a
778
854
pipeline, that output is also captured and stored in
781
857
Output is logged to the directory specified by the
782
858
_i_o_l_o_g___d_i_r option (_/_v_a_r_/_l_o_g_/_s_u_d_o_-_i_o by default) using a
783
859
unique session ID that is included in the normal ssuuddoo
784
log line, prefixed with _T_S_I_D_=. The _i_o_l_o_g___f_i_l_e option
785
may be used to control the format of the session ID.
860
log line, prefixed with ``TSID=''. The _i_o_l_o_g___f_i_l_e
861
option may be used to control the format of the session
862
ID.
786
863
787
Output logs may be viewed with the _s_u_d_o_r_e_p_l_a_y(1m)
864
Output logs may be viewed with the sudoreplay(1m)
788
865
utility, which can also be used to list or search the
789
866
available logs.
790
867
791
log_year If set, the four-digit year will be logged in the (non-
868
log_year If set, the four-digit year will be logged in the (non-
792
869
syslog) ssuuddoo log file. This flag is _o_f_f by default.
793
870
794
long_otp_prompt When validating with a One Time Password (OTP) scheme
871
long_otp_prompt When validating with a One Time Password (OTP) scheme
795
872
such as SS//KKeeyy or OOPPIIEE, a two-line prompt is used to
796
873
make it easier to cut and paste the challenge to a
797
874
local window. It's not as pretty as the default but
798
875
some people find it more convenient. This flag is _o_f_f
799
876
by default.
800
877
801
mail_always Send mail to the _m_a_i_l_t_o user every time a users runs
878
mail_always Send mail to the _m_a_i_l_t_o user every time a users runs
802
879
ssuuddoo. This flag is _o_f_f by default.
803
880
804
mail_badpass Send mail to the _m_a_i_l_t_o user if the user running ssuuddoo
805
does not enter the correct password. This flag is _o_f_f
806
by default.
881
mail_badpass Send mail to the _m_a_i_l_t_o user if the user running ssuuddoo
882
does not enter the correct password. If the command
883
the user is attempting to run is not permitted by
884
_s_u_d_o_e_r_s and one of the _m_a_i_l___a_l_w_a_y_s, _m_a_i_l___n_o___h_o_s_t,
885
_m_a_i_l___n_o___p_e_r_m_s or _m_a_i_l___n_o___u_s_e_r flags are set, this flag
886
will have no effect. This flag is _o_f_f by default.
807
887
808
mail_no_host If set, mail will be sent to the _m_a_i_l_t_o user if the
888
mail_no_host If set, mail will be sent to the _m_a_i_l_t_o user if the
809
889
invoking user exists in the _s_u_d_o_e_r_s file, but is not
810
890
allowed to run commands on the current host. This flag
811
891
is _o_f_f by default.
812
892
813
mail_no_perms If set, mail will be sent to the _m_a_i_l_t_o user if the
893
mail_no_perms If set, mail will be sent to the _m_a_i_l_t_o user if the
814
894
invoking user is allowed to use ssuuddoo but the command
815
895
they are trying is not listed in their _s_u_d_o_e_r_s file
816
896
entry or is explicitly denied. This flag is _o_f_f by
817
897
default.
818
898
819
mail_no_user If set, mail will be sent to the _m_a_i_l_t_o user if the
899
mail_no_user If set, mail will be sent to the _m_a_i_l_t_o user if the
820
900
invoking user is not in the _s_u_d_o_e_r_s file. This flag is
821
901
_o_n by default.
822
902
823
noexec If set, all commands run via ssuuddoo will behave as if the
903
noexec If set, all commands run via ssuuddoo will behave as if the
824
904
NOEXEC tag has been set, unless overridden by a EXEC
825
905
tag. See the description of _N_O_E_X_E_C _a_n_d _E_X_E_C below as
826
well as the "Preventing Shell Escapes" section at the
827
end of this manual. This flag is _o_f_f by default.
906
well as the _P_r_e_v_e_n_t_i_n_g _s_h_e_l_l _e_s_c_a_p_e_s section at the end
907
of this manual. This flag is _o_f_f by default.
828
908
829
path_info Normally, ssuuddoo will tell the user when a command could
909
path_info Normally, ssuuddoo will tell the user when a command could
830
910
not be found in their PATH environment variable. Some
831
911
sites may wish to disable this as it could be used to
832
912
gather information on the location of executables that
836
916
not allowed to run it, which can be confusing. This
837
917
flag is _o_n by default.
838
918
839
passprompt_override
919
passprompt_override
840
920
The password prompt specified by _p_a_s_s_p_r_o_m_p_t will
841
921
normally only be used if the password prompt provided
842
by systems such as PAM matches the string "Password:".
843
If _p_a_s_s_p_r_o_m_p_t___o_v_e_r_r_i_d_e is set, _p_a_s_s_p_r_o_m_p_t will always
844
be used. This flag is _o_f_f by default.
922
by systems such as PAM matches the string
923
``Password:''. If _p_a_s_s_p_r_o_m_p_t___o_v_e_r_r_i_d_e is set,
924
_p_a_s_s_p_r_o_m_p_t will always be used. This flag is _o_f_f by
925
default.
845
926
846
preserve_groups By default, ssuuddoo will initialize the group vector to
927
preserve_groups By default, ssuuddoo will initialize the group vector to
847
928
the list of groups the target user is in. When
848
929
_p_r_e_s_e_r_v_e___g_r_o_u_p_s is set, the user's existing group
849
930
vector is left unaltered. The real and effective group
850
931
IDs, however, are still set to match the target user.
851
932
This flag is _o_f_f by default.
852
933
853
pwfeedback By default, ssuuddoo reads the password like most other
934
pwfeedback By default, ssuuddoo reads the password like most other
854
935
Unix programs, by turning off echo until the user hits
855
936
the return (or enter) key. Some users become confused
856
937
by this as it appears to them that ssuuddoo has hung at
860
941
able to determine the length of the password being
861
942
entered. This flag is _o_f_f by default.
862
943
863
requiretty If set, ssuuddoo will only run when the user is logged in
944
requiretty If set, ssuuddoo will only run when the user is logged in
864
945
to a real tty. When this flag is set, ssuuddoo can only be
865
946
run from a login session and not via other means such
866
as _c_r_o_n(1m) or cgi-bin scripts. This flag is _o_f_f by
947
as cron(1m) or cgi-bin scripts. This flag is _o_f_f by
867
948
default.
868
949
869
root_sudo If set, root is allowed to run ssuuddoo too. Disabling
870
this prevents users from "chaining" ssuuddoo commands to
871
get a root shell by doing something like "sudo sudo
872
/bin/sh". Note, however, that turning off _r_o_o_t___s_u_d_o
950
root_sudo If set, root is allowed to run ssuuddoo too. Disabling
951
this prevents users from ``chaining'' ssuuddoo commands to
952
get a root shell by doing something like ``sudo sudo
953
/bin/sh''. Note, however, that turning off _r_o_o_t___s_u_d_o
873
954
will also prevent root from running ssuuddooeeddiitt.
874
955
Disabling _r_o_o_t___s_u_d_o provides no real additional
875
956
security; it exists purely for historical reasons.
876
957
This flag is _o_n by default.
877
958
878
rootpw If set, ssuuddoo will prompt for the root password instead
959
rootpw If set, ssuuddoo will prompt for the root password instead
879
960
of the password of the invoking user. This flag is _o_f_f
880
961
by default.
881
962
882
runaspw If set, ssuuddoo will prompt for the password of the user
963
runaspw If set, ssuuddoo will prompt for the password of the user
883
964
defined by the _r_u_n_a_s___d_e_f_a_u_l_t option (defaults to root)
884
965
instead of the password of the invoking user. This
885
966
flag is _o_f_f by default.
886
967
887
set_home If enabled and ssuuddoo is invoked with the --ss option the
968
set_home If enabled and ssuuddoo is invoked with the --ss option the
888
969
HOME environment variable will be set to the home
889
970
directory of the target user (which is root unless the
890
971
--uu option is used). This effectively makes the --ss
894
975
_e_n_v___r_e_s_e_t is disabled or HOME is present in the
895
976
_e_n_v___k_e_e_p list. This flag is _o_f_f by default.
896
977
897
set_logname Normally, ssuuddoo will set the LOGNAME, USER and USERNAME
978
set_logname Normally, ssuuddoo will set the LOGNAME, USER and USERNAME
898
979
environment variables to the name of the target user
899
980
(usually root unless the --uu option is given). However,
900
981
since some programs (including the RCS revision control
905
986
disabled, entries in the _e_n_v___k_e_e_p list will override
906
987
the value of _s_e_t___l_o_g_n_a_m_e. This flag is _o_n by default.
907
988
908
set_utmp When enabled, ssuuddoo will create an entry in the utmp (or
989
set_utmp When enabled, ssuuddoo will create an entry in the utmp (or
909
990
utmpx) file when a pseudo-tty is allocated. A pseudo-
910
991
tty is allocated by ssuuddoo when the _l_o_g___i_n_p_u_t, _l_o_g___o_u_t_p_u_t
911
992
or _u_s_e___p_t_y flags are enabled. By default, the new
913
994
(if any), with the tty, time, type and pid fields
914
995
updated. This flag is _o_n by default.
915
996
916
setenv Allow the user to disable the _e_n_v___r_e_s_e_t option from the
997
setenv Allow the user to disable the _e_n_v___r_e_s_e_t option from the
917
998
command line via the --EE option. Additionally,
918
999
environment variables set via the command line are not
919
1000
subject to the restrictions imposed by _e_n_v___c_h_e_c_k,
921
1002
should be allowed to set variables in this manner.
922
1003
This flag is _o_f_f by default.
923
1004
924
shell_noargs If set and ssuuddoo is invoked with no arguments it acts as
1005
shell_noargs If set and ssuuddoo is invoked with no arguments it acts as
925
1006
if the --ss option had been given. That is, it runs a
926
1007
shell as root (the shell is determined by the SHELL
927
1008
environment variable if it is set, falling back on the
928
1009
shell listed in the invoking user's /etc/passwd entry
929
1010
if not). This flag is _o_f_f by default.
930
1011
931
stay_setuid Normally, when ssuuddoo executes a command the real and
1012
stay_setuid Normally, when ssuuddoo executes a command the real and
932
1013
effective UIDs are set to the target user (root by
933
1014
default). This option changes that behavior such that
934
1015
the real UID is left as the invoking user's UID. In
936
1017
This can be useful on systems that disable some
937
1018
potentially dangerous functionality when a program is
938
1019
run setuid. This option is only effective on systems
939
with either the _s_e_t_r_e_u_i_d_(_) or _s_e_t_r_e_s_u_i_d_(_) function.
940
This flag is _o_f_f by default.
1020
that support either the setreuid(2) or setresuid(2)
1021
system call. This flag is _o_f_f by default.
941
1022
942
targetpw If set, ssuuddoo will prompt for the password of the user
1023
targetpw If set, ssuuddoo will prompt for the password of the user
943
1024
specified by the --uu option (defaults to root) instead
944
1025
of the password of the invoking user. In addition, the
945
timestamp file name will include the target user's
1026
time stamp file name will include the target user's
946
1027
name. Note that this flag precludes the use of a uid
947
1028
not listed in the passwd database as an argument to the
948
1029
--uu option. This flag is _o_f_f by default.
949
1030
950
tty_tickets If set, users must authenticate on a per-tty basis.
1031
tty_tickets If set, users must authenticate on a per-tty basis.
951
1032
With this flag enabled, ssuuddoo will use a file named for
952
1033
the tty the user is logged in on in the user's time
953
1034
stamp directory. If disabled, the time stamp of the
954
1035
directory is used instead. This flag is _o_n by default.
955
1036
956
umask_override If set, ssuuddoo will set the umask as specified by _s_u_d_o_e_r_s
1037
umask_override If set, ssuuddoo will set the umask as specified by _s_u_d_o_e_r_s
957
1038
without modification. This makes it possible to
958
1039
specify a more permissive umask in _s_u_d_o_e_r_s than the
959
1040
user's own umask and matches historical behavior. If
961
1042
be the union of the user's umask and what is specified
962
1043
in _s_u_d_o_e_r_s. This flag is _o_f_f by default.
963
1044
964
use_loginclass If set, ssuuddoo will apply the defaults specified for the
1045
use_loginclass If set, ssuuddoo will apply the defaults specified for the
965
1046
target user's login class if one exists. Only
966
1047
available if ssuuddoo is configured with the
967
1048
--with-logincap option. This flag is _o_f_f by default.
968
1049
969
use_pty If set, ssuuddoo will run the command in a pseudo-pty even
1050
use_pty If set, ssuuddoo will run the command in a pseudo-pty even
970
1051
if no I/O logging is being gone. A malicious program
971
1052
run under ssuuddoo could conceivably fork a background
972
1053
process that retains to the user's terminal device
974
1055
this option will make that impossible. This flag is
975
1056
_o_f_f by default.
976
1057
977
utmp_runas If set, ssuuddoo will store the name of the runas user when
1058
utmp_runas If set, ssuuddoo will store the name of the runas user when
978
1059
updating the utmp (or utmpx) file. By default, ssuuddoo
979
1060
stores the name of the invoking user. This flag is _o_f_f
980
1061
by default.
981
1062
982
visiblepw By default, ssuuddoo will refuse to run if the user must
1063
visiblepw By default, ssuuddoo will refuse to run if the user must
983
1064
enter a password but it is not possible to disable echo
984
1065
on the terminal. If the _v_i_s_i_b_l_e_p_w flag is set, ssuuddoo
985
1066
will prompt for a password even when it would be
986
1067
visible on the screen. This makes it possible to run
987
things like "rsh somehost sudo ls" since _r_s_h(1) does
988
not allocate a tty. This flag is _o_f_f by default.
989
990
IInntteeggeerrss:
991
992
closefrom Before it executes a command, ssuuddoo will close all open
1068
things like ``ssh somehost sudo ls'' since by default,
1069
ssh(1) does not allocate a tty when running a command.
1070
This flag is _o_f_f by default.
1071
1072
IInntteeggeerrss:
1073
1074
closefrom Before it executes a command, ssuuddoo will close all open
993
1075
file descriptors other than standard input, standard
994
1076
output and standard error (ie: file descriptors 0-2).
995
1077
The _c_l_o_s_e_f_r_o_m option can be used to specify a different
996
1078
file descriptor at which to start closing. The default
997
1079
is 3.
998
1080
999
passwd_tries The number of tries a user gets to enter his/her
1081
passwd_tries The number of tries a user gets to enter his/her
1000
1082
password before ssuuddoo logs the failure and exits. The
1001
1083
default is 3.
1002
1084
1003
IInntteeggeerrss tthhaatt ccaann bbee uusseedd iinn aa bboooolleeaann ccoonntteexxtt:
1085
IInntteeggeerrss tthhaatt ccaann bbee uusseedd iinn aa bboooolleeaann ccoonntteexxtt:
1004
1086
1005
loglinelen Number of characters per line for the file log. This
1087
loglinelen Number of characters per line for the file log. This
1006
1088
value is used to decide when to wrap lines for nicer
1007
1089
log files. This has no effect on the syslog log file,
1008
1090
only the file log. The default is 80 (use 0 or negate
1009
1091
the option to disable word wrap).
1010
1092
1011
passwd_timeout Number of minutes before the ssuuddoo password prompt times
1093
passwd_timeout Number of minutes before the ssuuddoo password prompt times
1012
1094
out, or 0 for no timeout. The timeout may include a
1013
1095
fractional component if minute granularity is
1014
1096
insufficient, for example 2.5. The default is 5.
1015
1097
1016
timestamp_timeout
1098
timestamp_timeout
1017
1099
Number of minutes that can elapse before ssuuddoo will ask
1018
1100
for a passwd again. The timeout may include a
1019
1101
fractional component if minute granularity is
1020
1102
insufficient, for example 2.5. The default is 5. Set
1021
1103
this to 0 to always prompt for a password. If set to a
1022
value less than 0 the user's timestamp will never
1104
value less than 0 the user's time stamp will never
1023
1105
expire. This can be used to allow users to create or
1024
delete their own timestamps via sudo -v and sudo -k
1025
respectively.
1106
delete their own time stamps via ``sudo -v'' and ``sudo
1107
-k'' respectively.
1026
1108
1027
umask Umask to use when running the command. Negate this
1109
umask Umask to use when running the command. Negate this
1028
1110
option or set it to 0777 to preserve the user's umask.
1029
1111
The actual umask that is used will be the union of the
1030
1112
user's umask and the value of the _u_m_a_s_k option, which
1031
1113
defaults to 0022. This guarantees that ssuuddoo never
1032
lowers the umask when running a command. Note on
1114
lowers the umask when running a command. Note: on
1033
1115
systems that use PAM, the default PAM configuration may
1034
1116
specify its own umask which will override the value set
1035
1117
in _s_u_d_o_e_r_s.
1036
1118
1037
SSttrriinnggss:
1119
SSttrriinnggss:
1038
1120
1039
badpass_message Message that is displayed if a user enters an incorrect
1121
badpass_message Message that is displayed if a user enters an incorrect
1040
1122
password. The default is Sorry, try again. unless
1041
1123
insults are enabled.
1042
1124
1043
editor A colon (':') separated list of editors allowed to be
1125
editor A colon (`:') separated list of editors allowed to be
1044
1126
used with vviissuuddoo. vviissuuddoo will choose the editor that
1045
1127
matches the user's EDITOR environment variable if
1046
1128
possible, or the first editor in the list that exists
1047
and is executable. The default is "vi".
1129
and is executable. The default is _v_i.
1048
1130
1049
iolog_dir The top-level directory to use when constructing the
1131
iolog_dir The top-level directory to use when constructing the
1050
1132
path name for the input/output log directory. Only
1051
1133
used if the _l_o_g___i_n_p_u_t or _l_o_g___o_u_t_p_u_t options are enabled
1052
1134
or when the LOG_INPUT or LOG_OUTPUT tags are present
1053
1135
for a command. The session sequence number, if any, is
1054
1136
stored in the directory. The default is
1055
"/var/log/sudo-io".
1137
_/_v_a_r_/_l_o_g_/_s_u_d_o_-_i_o.
1056
1138
1057
1139
The following percent (`%') escape sequences are
1058
1140
supported:
1059
1141
1060
1142
%{seq}
1061
expanded to a monotonically increasing base-36
1062
sequence number, such as 0100A5, where every two
1063
digits are used to form a new directory, e.g.
1064
_0_1_/_0_0_/_A_5
1143
expanded to a monotonically increasing base-36
1144
sequence number, such as 0100A5, where every two
1145
digits are used to form a new directory, e.g.
1146
_0_1_/_0_0_/_A_5
1065
1147
1066
1148
%{user}
1067
expanded to the invoking user's login name
1149
expanded to the invoking user's login name
1068
1150
1069
1151
%{group}
1070
expanded to the name of the invoking user's real
1071
group ID
1152
expanded to the name of the invoking user's real
1153
group ID
1072
1154
1073
1155
%{runas_user}
1074
expanded to the login name of the user the command
1075
will be run as (e.g. root)
1156
expanded to the login name of the user the
1157
command will be run as (e.g. root)
1076
1158
1077
1159
%{runas_group}
1078
expanded to the group name of the user the command
1079
will be run as (e.g. wheel)
1160
expanded to the group name of the user the
1161
command will be run as (e.g. wheel)
1080
1162
1081
1163
%{hostname}
1082
expanded to the local host name without the domain
1083
name
1164
expanded to the local host name without the
1165
domain name
1084
1166
1085
1167
%{command}
1086
expanded to the base name of the command being run
1168
expanded to the base name of the command being
1169
run
1087
1170
1088
1171
In addition, any escape sequences supported by the
1089
system's _s_t_r_f_t_i_m_e_(_) function will be expanded.
1172
system's strftime(3) function will be expanded.
1090
1173
1091
1174
To include a literal `%' character, the string `%%'
1092
1175
should be used.
1093
1176
1094
iolog_file The path name, relative to _i_o_l_o_g___d_i_r, in which to store
1177
iolog_file The path name, relative to _i_o_l_o_g___d_i_r, in which to store
1095
1178
input/output logs when the _l_o_g___i_n_p_u_t or _l_o_g___o_u_t_p_u_t
1096
1179
options are enabled or when the LOG_INPUT or LOG_OUTPUT
1097
1180
tags are present for a command. Note that _i_o_l_o_g___f_i_l_e
1098
1181
may contain directory components. The default is
1099
"%{seq}".
1182
``%{seq}''.
1100
1183
1101
1184
See the _i_o_l_o_g___d_i_r option above for a list of supported
1102
1185
percent (`%') escape sequences.
1104
1187
In addition to the escape sequences, path names that
1105
1188
end in six or more Xs will have the Xs replaced with a
1106
1189
unique combination of digits and letters, similar to
1107
the _m_k_t_e_m_p_(_) function.
1108
1109
mailsub Subject of the mail sent to the _m_a_i_l_t_o user. The escape
1110
%h will expand to the host name of the machine.
1111
Default is *** SECURITY information for %h ***.
1112
1113
noexec_file This option is no longer supported. The path to the
1190
the mktemp(3) function.
1191
1192
limitprivs The default Solaris limit privileges to use when
1193
constructing a new privilege set for a command. This
1194
bounds all privileges of the executing process. The
1195
default limit privileges may be overridden on a per-
1196
command basis in _s_u_d_o_e_r_s. This option is only
1197
available if ssuuddooeerrss is built on Solaris 10 or higher.
1198
1199
mailsub Subject of the mail sent to the _m_a_i_l_t_o user. The
1200
escape %h will expand to the host name of the machine.
1201
Default is ``*** SECURITY information for %h ***''.
1202
1203
noexec_file This option is no longer supported. The path to the
1114
1204
noexec file should now be set in the _/_e_t_c_/_s_u_d_o_._c_o_n_f
1115
1205
file.
1116
1206
1117
passprompt The default prompt to use when asking for a password;
1207
passprompt The default prompt to use when asking for a password;
1118
1208
can be overridden via the --pp option or the SUDO_PROMPT
1119
1209
environment variable. The following percent (`%')
1120
1210
escape sequences are supported:
1121
1211
1122
%H expanded to the local host name including the
1123
domain name (only if the machine's host name is
1124
fully qualified or the _f_q_d_n option is set)
1125
1126
%h expanded to the local host name without the domain
1127
name
1128
1129
%p expanded to the user whose password is being asked
1130
for (respects the _r_o_o_t_p_w, _t_a_r_g_e_t_p_w and _r_u_n_a_s_p_w
1131
flags in _s_u_d_o_e_r_s)
1132
1133
%U expanded to the login name of the user the command
1134
will be run as (defaults to root)
1135
1136
%u expanded to the invoking user's login name
1137
1138
%% two consecutive % characters are collapsed into a
1139
single % character
1140
1141
The default value is Password:.
1142
1143
role The default SELinux role to use when constructing a new
1212
%H expanded to the local host name including the
1213
domain name (only if the machine's host name is
1214
fully qualified or the _f_q_d_n option is set)
1215
1216
%h expanded to the local host name without the
1217
domain name
1218
1219
%p expanded to the user whose password is being
1220
asked for (respects the _r_o_o_t_p_w, _t_a_r_g_e_t_p_w and
1221
_r_u_n_a_s_p_w flags in _s_u_d_o_e_r_s)
1222
1223
%U expanded to the login name of the user the
1224
command will be run as (defaults to root)
1225
1226
%u expanded to the invoking user's login name
1227
1228
%% two consecutive % characters are collapsed into a
1229
single % character
1230
1231
The default value is ``Password:''.
1232
1233
privs The default Solaris privileges to use when constructing
1234
a new privilege set for a command. This is passed to
1235
the executing process via the inherited privilege set,
1236
but is bounded by the limit privileges. If the _p_r_i_v_s
1237
option is specified but the _l_i_m_i_t_p_r_i_v_s option is not,
1238
the limit privileges of the executing process is set to
1239
_p_r_i_v_s. The default privileges may be overridden on a
1240
per-command basis in _s_u_d_o_e_r_s. This option is only
1241
available if ssuuddooeerrss is built on Solaris 10 or higher.
1242
1243
role The default SELinux role to use when constructing a new
1144
1244
security context to run the command. The default role
1145
1245
may be overridden on a per-command basis in _s_u_d_o_e_r_s or
1146
1246
via command line options. This option is only
1147
available whe ssuuddoo is built with SELinux support.
1247
available when ssuuddoo is built with SELinux support.
1148
1248
1149
runas_default The default user to run commands as if the --uu option is
1249
runas_default The default user to run commands as if the --uu option is
1150
1250
not specified on the command line. This defaults to
1151
1251
root.
1152
1252
1153
syslog_badpri Syslog priority to use when user authenticates
1253
syslog_badpri Syslog priority to use when user authenticates
1154
1254
unsuccessfully. Defaults to alert.
1155
1255
1156
1256
The following syslog priorities are supported: aalleerrtt,
1157
1257
ccrriitt, ddeebbuugg, eemmeerrgg, eerrrr, iinnffoo, nnoottiiccee, and wwaarrnniinngg.
1158
1258
1159
syslog_goodpri Syslog priority to use when user authenticates
1259
syslog_goodpri Syslog priority to use when user authenticates
1160
1260
successfully. Defaults to notice.
1161
1261
1162
See syslog_badpri for the list of supported syslog
1262
See _s_y_s_l_o_g___b_a_d_p_r_i for the list of supported syslog
1163
1263
priorities.
1164
1264
1165
sudoers_locale Locale to use when parsing the sudoers file, logging
1265
sudoers_locale Locale to use when parsing the sudoers file, logging
1166
1266
commands, and sending email. Note that changing the
1167
1267
locale may affect how sudoers is interpreted. Defaults
1168
to "C".
1169
1170
timestampdir The directory in which ssuuddoo stores its timestamp files.
1171
The default is _/_v_a_r_/_a_d_m_/_s_u_d_o.
1172
1173
timestampowner The owner of the timestamp directory and the timestamps
1174
stored therein. The default is root.
1175
1176
type The default SELinux type to use when constructing a new
1268
to ``C''.
1269
1270
timestampdir The directory in which ssuuddoo stores its time stamp
1271
files. The default is _/_v_a_r_/_a_d_m_/_s_u_d_o.
1272
1273
timestampowner The owner of the time stamp directory and the time
1274
stamps stored therein. The default is root.
1275
1276
type The default SELinux type to use when constructing a new
1177
1277
security context to run the command. The default type
1178
1278
may be overridden on a per-command basis in _s_u_d_o_e_r_s or
1179
1279
via command line options. This option is only
1180
available whe ssuuddoo is built with SELinux support.
1181
1182
SSttrriinnggss tthhaatt ccaann bbee uusseedd iinn aa bboooolleeaann ccoonntteexxtt:
1183
1184
env_file The _e_n_v___f_i_l_e option specifies the fully qualified path to a
1280
available when ssuuddoo is built with SELinux support.
1281
1282
SSttrriinnggss tthhaatt ccaann bbee uusseedd iinn aa bboooolleeaann ccoonntteexxtt:
1283
1284
env_file The _e_n_v___f_i_l_e option specifies the fully qualified path to a
1185
1285
file containing variables to be set in the environment of
1186
1286
the program being run. Entries in this file should either
1187
be of the form VARIABLE=value or export VARIABLE=value.
1188
The value may optionally be surrounded by single or double
1189
quotes. Variables in this file are subject to other ssuuddoo
1190
environment settings such as _e_n_v___k_e_e_p and _e_n_v___c_h_e_c_k.
1287
be of the form ``VARIABLE=value'' or ``export
1288
VARIABLE=value''. The value may optionally be surrounded
1289
by single or double quotes. Variables in this file are
1290
subject to other ssuuddoo environment settings such as _e_n_v___k_e_e_p
1291
and _e_n_v___c_h_e_c_k.
1191
1292
1192
exempt_group
1193
Users in this group are exempt from password and PATH
1293
exempt_group Users in this group are exempt from password and PATH
1194
1294
requirements. The group name specified should not include
1195
1295
a % prefix. This is not set by default.
1196
1296
1197
group_plugin
1198
A string containing a _s_u_d_o_e_r_s group plugin with optional
1297
group_plugin A string containing a _s_u_d_o_e_r_s group plugin with optional
1199
1298
arguments. This can be used to implement support for the
1200
1299
nonunix_group syntax described earlier. The string should
1201
1300
consist of the plugin path, either fully-qualified or
1203
1302
any configuration arguments the plugin requires. These
1204
1303
arguments (if any) will be passed to the plugin's
1205
1304
initialization function. If arguments are present, the
1206
string must be enclosed in double quotes (").
1305
string must be enclosed in double quotes ("").
1207
1306
1208
1307
For example, given _/_e_t_c_/_s_u_d_o_-_g_r_o_u_p, a group file in Unix
1209
1308
group format, the sample group plugin can be used:
1210
1309
1211
Defaults group_plugin="sample_group.so /etc/sudo-group"
1212
1213
For more information see _s_u_d_o___p_l_u_g_i_n(4).
1214
1215
lecture This option controls when a short lecture will be printed
1310
Defaults group_plugin="sample_group.so /etc/sudo-group"
1311
1312
For more information see sudo_plugin(4).
1313
1314
lecture This option controls when a short lecture will be printed
1216
1315
along with the password prompt. It has the following
1217
1316
possible values:
1218
1317
1226
1325
Negating the option results in a value of _n_e_v_e_r being used.
1227
1326
The default value is _o_n_c_e.
1228
1327
1229
lecture_file
1230
Path to a file containing an alternate ssuuddoo lecture that
1328
lecture_file Path to a file containing an alternate ssuuddoo lecture that
1231
1329
will be used in place of the standard lecture if the named
1232
1330
file exists. By default, ssuuddoo uses a built-in lecture.
1233
1331
1234
listpw This option controls when a password will be required when
1332
listpw This option controls when a password will be required when
1235
1333
a user runs ssuuddoo with the --ll option. It has the following
1236
1334
possible values:
1237
1335
1238
all All the user's _s_u_d_o_e_r_s entries for the current host
1239
must have the NOPASSWD flag set to avoid entering a
1240
password.
1241
1242
always The user must always enter a password to use the --ll
1243
option.
1244
1245
any At least one of the user's _s_u_d_o_e_r_s entries for the
1246
current host must have the NOPASSWD flag set to
1247
avoid entering a password.
1248
1249
never The user need never enter a password to use the --ll
1250
option.
1336
all All the user's _s_u_d_o_e_r_s entries for the current
1337
host must have the NOPASSWD flag set to avoid
1338
entering a password.
1339
1340
always The user must always enter a password to use the
1341
--ll option.
1342
1343
any At least one of the user's _s_u_d_o_e_r_s entries for
1344
the current host must have the NOPASSWD flag set
1345
to avoid entering a password.
1346
1347
never The user need never enter a password to use the
1348
--ll option.
1251
1349
1252
1350
If no value is specified, a value of _a_n_y is implied.
1253
1351
Negating the option results in a value of _n_e_v_e_r being used.
1254
1352
The default value is _a_n_y.
1255
1353
1256
logfile Path to the ssuuddoo log file (not the syslog log file).
1354
logfile Path to the ssuuddoo log file (not the syslog log file).
1257
1355
Setting a path turns on logging to a file; negating this
1258
1356
option turns it off. By default, ssuuddoo logs via syslog.
1259
1357
1260
mailerflags Flags to use when invoking mailer. Defaults to --tt.
1358
mailerflags Flags to use when invoking mailer. Defaults to --tt.
1261
1359
1262
mailerpath Path to mail program used to send warning mail. Defaults
1360
mailerpath Path to mail program used to send warning mail. Defaults
1263
1361
to the path to sendmail found at configure time.
1264
1362
1265
mailfrom Address to use for the "from" address when sending warning
1266
and error mail. The address should be enclosed in double
1267
quotes (") to protect against ssuuddoo interpreting the @ sign.
1268
Defaults to the name of the user running ssuuddoo.
1363
mailfrom Address to use for the ``from'' address when sending
1364
warning and error mail. The address should be enclosed in
1365
double quotes ("") to protect against ssuuddoo interpreting the
1366
@ sign. Defaults to the name of the user running ssuuddoo.
1269
1367
1270
mailto Address to send warning and error mail to. The address
1271
should be enclosed in double quotes (") to protect against
1368
mailto Address to send warning and error mail to. The address
1369
should be enclosed in double quotes ("") to protect against
1272
1370
ssuuddoo interpreting the @ sign. Defaults to root.
1273
1371
1274
secure_path Path used for every command run from ssuuddoo. If you don't
1372
secure_path Path used for every command run from ssuuddoo. If you don't
1275
1373
trust the people running ssuuddoo to have a sane PATH
1276
1374
environment variable you may want to use this. Another use
1277
is if you want to have the "root path" be separate from the
1278
"user path." Users in the group specified by the
1375
is if you want to have the ``root path'' be separate from
1376
the ``user path''. Users in the group specified by the
1279
1377
_e_x_e_m_p_t___g_r_o_u_p option are not affected by _s_e_c_u_r_e___p_a_t_h. This
1280
1378
option is not set by default.
1281
1379
1282
syslog Syslog facility if syslog is being used for logging (negate
1380
syslog Syslog facility if syslog is being used for logging (negate
1283
1381
to disable syslog logging). Defaults to auth.
1284
1382
1285
1383
The following syslog facilities are supported: aauutthhpprriivv (if
1286
1384
your OS supports it), aauutthh, ddaaeemmoonn, uusseerr, llooccaall00, llooccaall11,
1287
1385
llooccaall22, llooccaall33, llooccaall44, llooccaall55, llooccaall66, and llooccaall77.
1288
1386
1289
verifypw This option controls when a password will be required when
1387
verifypw This option controls when a password will be required when
1290
1388
a user runs ssuuddoo with the --vv option. It has the following
1291
1389
possible values:
1292
1390
1308
1406
Negating the option results in a value of _n_e_v_e_r being used.
1309
1407
The default value is _a_l_l.
1310
1408
1311
LLiissttss tthhaatt ccaann bbee uusseedd iinn aa bboooolleeaann ccoonntteexxtt:
1409
LLiissttss tthhaatt ccaann bbee uusseedd iinn aa bboooolleeaann ccoonntteexxtt:
1312
1410
1313
env_check Environment variables to be removed from the user's
1314
environment if the variable's value contains % or /
1411
env_check Environment variables to be removed from the user's
1412
environment if the variable's value contains `%' or `/'
1315
1413
characters. This can be used to guard against printf-
1316
1414
style format vulnerabilities in poorly-written
1317
1415
programs. The argument may be a double-quoted, space-
1323
1421
env_check will be preserved in the environment if they
1324
1422
pass the aforementioned check. The default list of
1325
1423
environment variables to check is displayed when ssuuddoo
1326
is run by root with the _-_V option.
1424
is run by root with the --VV option.
1327
1425
1328
env_delete Environment variables to be removed from the user's
1426
env_delete Environment variables to be removed from the user's
1329
1427
environment when the _e_n_v___r_e_s_e_t option is not in effect.
1330
1428
The argument may be a double-quoted, space-separated
1331
1429
list or a single value without double-quotes. The list
1332
1430
can be replaced, added to, deleted from, or disabled by
1333
1431
using the =, +=, -=, and ! operators respectively. The
1334
1432
default list of environment variables to remove is
1335
displayed when ssuuddoo is run by root with the _-_V option.
1433
displayed when ssuuddoo is run by root with the --VV option.
1336
1434
Note that many operating systems will remove
1337
1435
potentially dangerous variables from the environment of
1338
1436
any setuid process (such as ssuuddoo).
1339
1437
1340
env_keep Environment variables to be preserved in the user's
1438
env_keep Environment variables to be preserved in the user's
1341
1439
environment when the _e_n_v___r_e_s_e_t option is in effect.
1342
1440
This allows fine-grained control over the environment
1343
1441
ssuuddoo-spawned processes will receive. The argument may
1346
1444
added to, deleted from, or disabled by using the =, +=,
1347
1445
-=, and ! operators respectively. The default list of
1348
1446
variables to keep is displayed when ssuuddoo is run by root
1349
with the _-_V option.
1447
with the --VV option.
1448
1449
LLOOGG FFOORRMMAATT
1450
ssuuddooeerrss can log events using either syslog(3) or a simple log file. In
1451
each case the log format is almost identical.
1452
1453
AAcccceepptteedd ccoommmmaanndd lloogg eennttrriieess
1454
Commands that sudo runs are logged using the following format (split into
1455
multiple lines for readability):
1456
1457
date hostname progname: username : TTY=ttyname ; PWD=cwd ; \
1458
USER=runasuser ; GROUP=runasgroup ; TSID=logid ; \
1459
ENV=env_vars COMMAND=command
1460
1461
Where the fields are as follows:
1462
1463
date The date the command was run. Typically, this is in the
1464
format ``MMM, DD, HH:MM:SS''. If logging via syslog(3),
1465
the actual date format is controlled by the syslog daemon.
1466
If logging to a file and the _l_o_g___y_e_a_r option is enabled,
1467
the date will also include the year.
1468
1469
hostname The name of the host ssuuddoo was run on. This field is only
1470
present when logging via syslog(3).
1471
1472
progname The name of the program, usually _s_u_d_o or _s_u_d_o_e_d_i_t. This
1473
field is only present when logging via syslog(3).
1474
1475
username The login name of the user who ran ssuuddoo.
1476
1477
ttyname The short name of the terminal (e.g. ``console'',
1478
``tty01'', or ``pts/0'') ssuuddoo was run on, or ``unknown'' if
1479
there was no terminal present.
1480
1481
cwd The current working directory that ssuuddoo was run in.
1482
1483
runasuser The user the command was run as.
1484
1485
runasgroup The group the command was run as if one was specified on
1486
the command line.
1487
1488
logid An I/O log identifier that can be used to replay the
1489
command's output. This is only present when the _l_o_g___i_n_p_u_t
1490
or _l_o_g___o_u_t_p_u_t option is enabled.
1491
1492
env_vars A list of environment variables specified on the command
1493
line, if specified.
1494
1495
command The actual command that was executed.
1496
1497
Messages are logged using the locale specified by _s_u_d_o_e_r_s___l_o_c_a_l_e, which
1498
defaults to the ``C'' locale.
1499
1500
DDeenniieedd ccoommmmaanndd lloogg eennttrriieess
1501
If the user is not allowed to run the command, the reason for the denial
1502
will follow the user name. Possible reasons include:
1503
1504
user NOT in sudoers
1505
The user is not listed in the _s_u_d_o_e_r_s file.
1506
1507
user NOT authorized on host
1508
The user is listed in the _s_u_d_o_e_r_s file but is not allowed to run
1509
commands on the host.
1510
1511
command not allowed
1512
The user is listed in the _s_u_d_o_e_r_s file for the host but they are not
1513
allowed to run the specified command.
1514
1515
3 incorrect password attempts
1516
The user failed to enter their password after 3 tries. The actual
1517
number of tries will vary based on the number of failed attempts and
1518
the value of the _p_a_s_s_w_d___t_r_i_e_s option.
1519
1520
a password is required
1521
ssuuddoo's --nn option was specified but a password was required.
1522
1523
sorry, you are not allowed to set the following environment variables
1524
The user specified environment variables on the command line that were
1525
not allowed by _s_u_d_o_e_r_s.
1526
1527
EErrrroorr lloogg eennttrriieess
1528
If an error occurs, ssuuddooeerrss will log a message and, in most cases, send a
1529
message to the administrator via email. Possible errors include:
1530
1531
parse error in /etc/sudoers near line N
1532
ssuuddooeerrss encountered an error when parsing the specified file. In some
1533
cases, the actual error may be one line above or below the line number
1534
listed, depending on the type of error.
1535
1536
problem with defaults entries
1537
The _s_u_d_o_e_r_s file contains one or more unknown Defaults settings. This
1538
does not prevent ssuuddoo from running, but the _s_u_d_o_e_r_s file should be
1539
checked using vviissuuddoo.
1540
1541
timestamp owner (username): No such user
1542
The time stamp directory owner, as specified by the _t_i_m_e_s_t_a_m_p_o_w_n_e_r
1543
setting, could not be found in the password database.
1544
1545
unable to open/read /etc/sudoers
1546
The _s_u_d_o_e_r_s file could not be opened for reading. This can happen
1547
when the _s_u_d_o_e_r_s file is located on a remote file system that maps
1548
user ID 0 to a different value. Normally, ssuuddooeerrss tries to open
1549
_s_u_d_o_e_r_s using group permissions to avoid this problem. Consider
1550
changing the ownership of _/_e_t_c_/_s_u_d_o_e_r_s by adding an option like
1551
``sudoers_uid=N'' (where `N' is the user ID that owns the _s_u_d_o_e_r_s
1552
file) to the ssuuddooeerrss plugin line in the _/_e_t_c_/_s_u_d_o_._c_o_n_f file.
1553
1554
unable to stat /etc/sudoers
1555
The _/_e_t_c_/_s_u_d_o_e_r_s file is missing.
1556
1557
/etc/sudoers is not a regular file
1558
The _/_e_t_c_/_s_u_d_o_e_r_s file exists but is not a regular file or symbolic
1559
link.
1560
1561
/etc/sudoers is owned by uid N, should be 0
1562
The _s_u_d_o_e_r_s file has the wrong owner. If you wish to change the
1563
_s_u_d_o_e_r_s file owner, please add ``sudoers_uid=N'' (where `N' is the
1564
user ID that owns the _s_u_d_o_e_r_s file) to the ssuuddooeerrss plugin line in the
1565
_/_e_t_c_/_s_u_d_o_._c_o_n_f file.
1566
1567
/etc/sudoers is world writable
1568
The permissions on the _s_u_d_o_e_r_s file allow all users to write to it.
1569
The _s_u_d_o_e_r_s file must not be world-writable, the default file mode is
1570
0440 (readable by owner and group, writable by none). The default
1571
mode may be changed via the ``sudoers_mode'' option to the ssuuddooeerrss
1572
plugin line in the _/_e_t_c_/_s_u_d_o_._c_o_n_f file.
1573
1574
/etc/sudoers is owned by gid N, should be 1
1575
The _s_u_d_o_e_r_s file has the wrong group ownership. If you wish to change
1576
the _s_u_d_o_e_r_s file group ownership, please add ``sudoers_gid=N'' (where
1577
`N' is the group ID that owns the _s_u_d_o_e_r_s file) to the ssuuddooeerrss plugin
1578
line in the _/_e_t_c_/_s_u_d_o_._c_o_n_f file.
1579
1580
unable to open /var/adm/sudo/username/ttyname
1581
_s_u_d_o_e_r_s was unable to read or create the user's time stamp file.
1582
1583
unable to write to /var/adm/sudo/username/ttyname
1584
_s_u_d_o_e_r_s was unable to write to the user's time stamp file.
1585
1586
unable to mkdir to /var/adm/sudo/username
1587
_s_u_d_o_e_r_s was unable to create the user's time stamp directory.
1588
1589
NNootteess oonn llooggggiinngg vviiaa ssyysslloogg
1590
By default, _s_u_d_o_e_r_s logs messages via syslog(3). The _d_a_t_e, _h_o_s_t_n_a_m_e, and
1591
_p_r_o_g_n_a_m_e fields are added by the syslog daemon, not _s_u_d_o_e_r_s itself. As
1592
such, they may vary in format on different systems.
1593
1594
On most systems, syslog(3) has a relatively small log buffer. To prevent
1595
the command line arguments from being truncated, ssuuddooeerrss will split up
1596
log messages that are larger than 960 characters (not including the date,
1597
hostname, and the string ``sudo''). When a message is split, additional
1598
parts will include the string ``(command continued)'' after the user name
1599
and before the continued command line arguments.
1600
1601
NNootteess oonn llooggggiinngg ttoo aa ffiillee
1602
If the _l_o_g_f_i_l_e option is set, _s_u_d_o_e_r_s will log to a local file, such as
1603
_/_v_a_r_/_l_o_g_/_s_u_d_o. When logging to a file, _s_u_d_o_e_r_s uses a format similar to
1604
syslog(3), with a few important differences:
1605
1606
1. The _p_r_o_g_n_a_m_e and _h_o_s_t_n_a_m_e fields are not present.
1607
1608
2. If the _l_o_g___y_e_a_r option is enabled, the date will also include the
1609
year.
1610
1611
3. Lines that are longer than _l_o_g_l_i_n_e_l_e_n characters (80 by default) are
1612
word-wrapped and continued on the next line with a four character
1613
indent. This makes entries easier to read for a human being, but
1614
makes it more difficult to use grep(1) on the log files. If the
1615
_l_o_g_l_i_n_e_l_e_n option is set to 0 (or negated with a `!'), word wrap
1616
will be disabled.
1350
1617
1351
1618
SSUUDDOO..CCOONNFF
1352
The _/_e_t_c_/_s_u_d_o_._c_o_n_f file determines which plugins the ssuuddoo front end
1353
will load. If no _/_e_t_c_/_s_u_d_o_._c_o_n_f file is present, or it contains no
1354
Plugin lines, ssuuddoo will use the _s_u_d_o_e_r_s security policy and I/O
1355
logging, which corresponds to the following _/_e_t_c_/_s_u_d_o_._c_o_n_f file.
1356
1357
#
1358
# Default /etc/sudo.conf file
1359
#
1360
# Format:
1361
# Plugin plugin_name plugin_path plugin_options ...
1362
# Path askpass /path/to/askpass
1363
# Path noexec /path/to/sudo_noexec.so
1364
# Debug sudo /var/log/sudo_debug all@warn
1365
# Set disable_coredump true
1366
#
1367
# The plugin_path is relative to /usr/local/libexec unless
1368
# fully qualified.
1369
# The plugin_name corresponds to a global symbol in the plugin
1370
# that contains the plugin interface structure.
1371
# The plugin_options are optional.
1372
#
1373
Plugin policy_plugin sudoers.so
1374
Plugin io_plugin sudoers.so
1375
1376
PPLLUUGGIINN OOPPTTIIOONNSS
1377
Starting with ssuuddoo 1.8.5 it is possible to pass options to the _s_u_d_o_e_r_s
1378
plugin. Options may be listed after the path to the plugin (i.e. after
1379
_s_u_d_o_e_r_s_._s_o); multiple options should be space-separated. For example:
1380
1381
Plugin sudoers_policy sudoers.so sudoers_file=/etc/sudoers sudoers_uid=0 sudoers_gid=0 sudoers_mode=0440
1382
1383
The following plugin options are supported:
1384
1385
sudoers_file=pathname
1386
The _s_u_d_o_e_r_s___f_i_l_e option can be used to override the default
1387
path to the _s_u_d_o_e_r_s file.
1388
1389
sudoers_uid=uid
1390
The _s_u_d_o_e_r_s___u_i_d option can be used to override the default
1391
owner of the sudoers file. It should be specified as a
1392
numeric user ID.
1393
1394
sudoers_gid=gid
1395
The _s_u_d_o_e_r_s___g_i_d option can be used to override the default
1396
group of the sudoers file. It should be specified as a
1397
numeric group ID.
1398
1399
sudoers_mode=mode
1400
The _s_u_d_o_e_r_s___m_o_d_e option can be used to override the default
1401
file mode for the sudoers file. It should be specified as an
1402
octal value.
1403
1404
DDEEBBUUGG FFLLAAGGSS
1405
Versions 1.8.4 and higher of the _s_u_d_o_e_r_s plugin supports a debugging
1406
framework that can help track down what the plugin is doing internally
1407
if there is a problem. This can be configured in the _/_e_t_c_/_s_u_d_o_._c_o_n_f
1408
file as described in _s_u_d_o(1m).
1409
1410
The _s_u_d_o_e_r_s plugin uses the same debug flag format as ssuuddoo itself:
1411
_s_u_b_s_y_s_t_e_m@_p_r_i_o_r_i_t_y.
1412
1413
The priorities used by _s_u_d_o_e_r_s, in order of decreasing severity, are:
1414
_c_r_i_t, _e_r_r, _w_a_r_n, _n_o_t_i_c_e, _d_i_a_g, _i_n_f_o, _t_r_a_c_e and _d_e_b_u_g. Each priority,
1415
when specified, also includes all priorities higher than it. For
1416
example, a priority of _n_o_t_i_c_e would include debug messages logged at
1417
_n_o_t_i_c_e and higher.
1418
1419
The following subsystems are used by _s_u_d_o_e_r_s:
1420
1421
_a_l_i_a_s User_Alias, Runas_Alias, Host_Alias and Cmnd_Alias processing
1422
1423
_a_l_l matches every subsystem
1424
1425
_a_u_d_i_t BSM and Linux audit code
1426
1427
_a_u_t_h user authentication
1428
1429
_d_e_f_a_u_l_t_s _s_u_d_o_e_r_s _D_e_f_a_u_l_t_s settings
1430
1431
_e_n_v environment handling
1432
1433
_l_d_a_p LDAP-based sudoers
1434
1435
_l_o_g_g_i_n_g logging support
1436
1437
_m_a_t_c_h matching of users, groups, hosts and netgroups in _s_u_d_o_e_r_s
1438
1439
_n_e_t_i_f network interface handling
1440
1441
_n_s_s network service switch handling in _s_u_d_o_e_r_s
1442
1443
_p_a_r_s_e_r _s_u_d_o_e_r_s file parsing
1444
1445
_p_e_r_m_s permission setting
1446
1447
_p_l_u_g_i_n The equivalent of _m_a_i_n for the plugin.
1448
1449
_p_t_y pseudo-tty related code
1450
1451
_r_b_t_r_e_e redblack tree internals
1452
1453
_u_t_i_l utility functions
1619
The _/_e_t_c_/_s_u_d_o_._c_o_n_f file determines which plugins the ssuuddoo front end will
1620
load. If no _/_e_t_c_/_s_u_d_o_._c_o_n_f file is present, or it contains no Plugin
1621
lines, ssuuddoo will use the _s_u_d_o_e_r_s security policy and I/O logging, which
1622
corresponds to the following _/_e_t_c_/_s_u_d_o_._c_o_n_f file.
1623
1624
#
1625
# Default /etc/sudo.conf file
1626
#
1627
# Format:
1628
# Plugin plugin_name plugin_path plugin_options ...
1629
# Path askpass /path/to/askpass
1630
# Path noexec /path/to/sudo_noexec.so
1631
# Debug sudo /var/log/sudo_debug all@warn
1632
# Set disable_coredump true
1633
#
1634
# The plugin_path is relative to /usr/local/libexec unless
1635
# fully qualified.
1636
# The plugin_name corresponds to a global symbol in the plugin
1637
# that contains the plugin interface structure.
1638
# The plugin_options are optional.
1639
#
1640
Plugin policy_plugin sudoers.so
1641
Plugin io_plugin sudoers.so
1642
1643
PPlluuggiinn ooppttiioonnss
1644
Starting with ssuuddoo 1.8.5, it is possible to pass options to the _s_u_d_o_e_r_s
1645
plugin. Options may be listed after the path to the plugin (i.e. after
1646
_s_u_d_o_e_r_s_._s_o); multiple options should be space-separated. For example:
1647
1648
Plugin sudoers_policy sudoers.so sudoers_file=/etc/sudoers sudoers_uid=0 sudoers_gid=0 sudoers_mode=0440
1649
1650
The following plugin options are supported:
1651
1652
sudoers_file=pathname
1653
The _s_u_d_o_e_r_s___f_i_l_e option can be used to override the default
1654
path to the _s_u_d_o_e_r_s file.
1655
1656
sudoers_uid=uid
1657
The _s_u_d_o_e_r_s___u_i_d option can be used to override the default
1658
owner of the sudoers file. It should be specified as a numeric
1659
user ID.
1660
1661
sudoers_gid=gid
1662
The _s_u_d_o_e_r_s___g_i_d option can be used to override the default
1663
group of the sudoers file. It should be specified as a numeric
1664
group ID.
1665
1666
sudoers_mode=mode
1667
The _s_u_d_o_e_r_s___m_o_d_e option can be used to override the default
1668
file mode for the sudoers file. It should be specified as an
1669
octal value.
1670
1671
DDeebbuugg ffllaaggss
1672
Versions 1.8.4 and higher of the _s_u_d_o_e_r_s plugin supports a debugging
1673
framework that can help track down what the plugin is doing internally if
1674
there is a problem. This can be configured in the _/_e_t_c_/_s_u_d_o_._c_o_n_f file as
1675
described in sudo(1m).
1676
1677
The _s_u_d_o_e_r_s plugin uses the same debug flag format as the ssuuddoo front-end:
1678
_s_u_b_s_y_s_t_e_m@_p_r_i_o_r_i_t_y.
1679
1680
The priorities used by _s_u_d_o_e_r_s, in order of decreasing severity, are:
1681
_c_r_i_t, _e_r_r, _w_a_r_n, _n_o_t_i_c_e, _d_i_a_g, _i_n_f_o, _t_r_a_c_e and _d_e_b_u_g. Each priority,
1682
when specified, also includes all priorities higher than it. For
1683
example, a priority of _n_o_t_i_c_e would include debug messages logged at
1684
_n_o_t_i_c_e and higher.
1685
1686
The following subsystems are used by _s_u_d_o_e_r_s:
1687
1688
_a_l_i_a_s User_Alias, Runas_Alias, Host_Alias and Cmnd_Alias processing
1689
1690
_a_l_l matches every subsystem
1691
1692
_a_u_d_i_t BSM and Linux audit code
1693
1694
_a_u_t_h user authentication
1695
1696
_d_e_f_a_u_l_t_s _s_u_d_o_e_r_s _D_e_f_a_u_l_t_s settings
1697
1698
_e_n_v environment handling
1699
1700
_l_d_a_p LDAP-based sudoers
1701
1702
_l_o_g_g_i_n_g logging support
1703
1704
_m_a_t_c_h matching of users, groups, hosts and netgroups in _s_u_d_o_e_r_s
1705
1706
_n_e_t_i_f network interface handling
1707
1708
_n_s_s network service switch handling in _s_u_d_o_e_r_s
1709
1710
_p_a_r_s_e_r _s_u_d_o_e_r_s file parsing
1711
1712
_p_e_r_m_s permission setting
1713
1714
_p_l_u_g_i_n The equivalent of _m_a_i_n for the plugin.
1715
1716
_p_t_y pseudo-tty related code
1717
1718
_r_b_t_r_e_e redblack tree internals
1719
1720
_u_t_i_l utility functions
1454
1721
1455
1722
FFIILLEESS
1456
_/_e_t_c_/_s_u_d_o_._c_o_n_f Sudo front end configuration
1457
1458
_/_e_t_c_/_s_u_d_o_e_r_s List of who can run what
1459
1460
_/_e_t_c_/_g_r_o_u_p Local groups file
1461
1462
_/_e_t_c_/_n_e_t_g_r_o_u_p List of network groups
1463
1464
_/_v_a_r_/_l_o_g_/_s_u_d_o_-_i_o I/O log files
1465
1466
_/_v_a_r_/_a_d_m_/_s_u_d_o Directory containing time stamps for the
1723
_/_e_t_c_/_s_u_d_o_._c_o_n_f Sudo front end configuration
1724
1725
_/_e_t_c_/_s_u_d_o_e_r_s List of who can run what
1726
1727
_/_e_t_c_/_g_r_o_u_p Local groups file
1728
1729
_/_e_t_c_/_n_e_t_g_r_o_u_p List of network groups
1730
1731
_/_v_a_r_/_l_o_g_/_s_u_d_o_-_i_o I/O log files
1732
1733
_/_v_a_r_/_a_d_m_/_s_u_d_o Directory containing time stamps for the
1467
1734
_s_u_d_o_e_r_s security policy
1468
1735
1469
_/_e_t_c_/_e_n_v_i_r_o_n_m_e_n_t Initial environment for --ii mode on AIX and
1736
_/_e_t_c_/_e_n_v_i_r_o_n_m_e_n_t Initial environment for --ii mode on AIX and
1470
1737
Linux systems
1471
1738
1472
1739
EEXXAAMMPPLLEESS
1473
Below are example _s_u_d_o_e_r_s entries. Admittedly, some of these are a bit
1474
contrived. First, we allow a few environment variables to pass and
1475
then define our _a_l_i_a_s_e_s:
1476
1477
# Run X applications through sudo; HOME is used to find the
1478
# .Xauthority file. Note that other programs use HOME to find
1479
# configuration files and this may lead to privilege escalation!
1480
Defaults env_keep += "DISPLAY HOME"
1481
1482
# User alias specification
1483
User_Alias FULLTIMERS = millert, mikef, dowdy
1484
User_Alias PARTTIMERS = bostley, jwfox, crawl
1485
User_Alias WEBMASTERS = will, wendy, wim
1486
1487
# Runas alias specification
1488
Runas_Alias OP = root, operator
1489
Runas_Alias DB = oracle, sybase
1490
Runas_Alias ADMINGRP = adm, oper
1491
1492
# Host alias specification
1493
Host_Alias SPARC = bigtime, eclipse, moet, anchor :\
1494
SGI = grolsch, dandelion, black :\
1495
ALPHA = widget, thalamus, foobar :\
1496
HPPA = boa, nag, python
1497
Host_Alias CUNETS = 128.138.0.0/255.255.0.0
1498
Host_Alias CSNETS = 128.138.243.0, 128.138.204.0/24, 128.138.242.0
1499
Host_Alias SERVERS = master, mail, www, ns
1500
Host_Alias CDROM = orion, perseus, hercules
1501
1502
# Cmnd alias specification
1503
Cmnd_Alias DUMPS = /usr/bin/mt, /usr/sbin/dump, /usr/sbin/rdump,\
1504
/usr/sbin/restore, /usr/sbin/rrestore
1505
Cmnd_Alias KILL = /usr/bin/kill
1506
Cmnd_Alias PRINTING = /usr/sbin/lpc, /usr/bin/lprm
1507
Cmnd_Alias SHUTDOWN = /usr/sbin/shutdown
1508
Cmnd_Alias HALT = /usr/sbin/halt
1509
Cmnd_Alias REBOOT = /usr/sbin/reboot
1510
Cmnd_Alias SHELLS = /usr/bin/sh, /usr/bin/csh, /usr/bin/ksh, \
1511
/usr/local/bin/tcsh, /usr/bin/rsh, \
1512
/usr/local/bin/zsh
1513
Cmnd_Alias SU = /usr/bin/su
1514
Cmnd_Alias PAGERS = /usr/bin/more, /usr/bin/pg, /usr/bin/less
1515
1516
Here we override some of the compiled in default values. We want ssuuddoo
1517
to log via _s_y_s_l_o_g(3) using the _a_u_t_h facility in all cases. We don't
1518
want to subject the full time staff to the ssuuddoo lecture, user mmiilllleerrtt
1519
need not give a password, and we don't want to reset the LOGNAME, USER
1520
or USERNAME environment variables when running commands as root.
1521
Additionally, on the machines in the _S_E_R_V_E_R_S Host_Alias, we keep an
1522
additional local log file and make sure we log the year in each log
1523
line since the log entries will be kept around for several years.
1524
Lastly, we disable shell escapes for the commands in the PAGERS
1525
Cmnd_Alias (_/_u_s_r_/_b_i_n_/_m_o_r_e, _/_u_s_r_/_b_i_n_/_p_g and _/_u_s_r_/_b_i_n_/_l_e_s_s).
1526
1527
# Override built-in defaults
1528
Defaults syslog=auth
1529
Defaults>root !set_logname
1530
Defaults:FULLTIMERS !lecture
1531
Defaults:millert !authenticate
1532
Defaults@SERVERS log_year, logfile=/var/log/sudo.log
1533
Defaults!PAGERS noexec
1534
1535
The _U_s_e_r _s_p_e_c_i_f_i_c_a_t_i_o_n is the part that actually determines who may run
1536
what.
1537
1538
root ALL = (ALL) ALL
1539
%wheel ALL = (ALL) ALL
1540
1541
We let rroooott and any user in group wwhheeeell run any command on any host as
1542
any user.
1543
1544
FULLTIMERS ALL = NOPASSWD: ALL
1545
1546
Full time sysadmins (mmiilllleerrtt, mmiikkeeff, and ddoowwddyy) may run any command on
1547
any host without authenticating themselves.
1548
1549
PARTTIMERS ALL = ALL
1550
1551
Part time sysadmins (bboossttlleeyy, jjwwffooxx, and ccrraawwll) may run any command on
1552
any host but they must authenticate themselves first (since the entry
1553
lacks the NOPASSWD tag).
1554
1555
jack CSNETS = ALL
1556
1557
The user jjaacckk may run any command on the machines in the _C_S_N_E_T_S alias
1558
(the networks 128.138.243.0, 128.138.204.0, and 128.138.242.0). Of
1559
those networks, only 128.138.204.0 has an explicit netmask (in CIDR
1560
notation) indicating it is a class C network. For the other networks
1561
in _C_S_N_E_T_S, the local machine's netmask will be used during matching.
1562
1563
lisa CUNETS = ALL
1564
1565
The user lliissaa may run any command on any host in the _C_U_N_E_T_S alias (the
1566
class B network 128.138.0.0).
1567
1568
operator ALL = DUMPS, KILL, SHUTDOWN, HALT, REBOOT, PRINTING,\
1569
sudoedit /etc/printcap, /usr/oper/bin/
1570
1571
The ooppeerraattoorr user may run commands limited to simple maintenance.
1572
Here, those are commands related to backups, killing processes, the
1573
printing system, shutting down the system, and any commands in the
1574
directory _/_u_s_r_/_o_p_e_r_/_b_i_n_/.
1575
1576
joe ALL = /usr/bin/su operator
1577
1578
The user jjooee may only _s_u(1) to operator.
1579
1580
pete HPPA = /usr/bin/passwd [A-Za-z]*, !/usr/bin/passwd root
1581
1582
%opers ALL = (: ADMINGRP) /usr/sbin/
1583
1584
Users in the ooppeerrss group may run commands in _/_u_s_r_/_s_b_i_n_/ as themselves
1585
with any group in the _A_D_M_I_N_G_R_P Runas_Alias (the aaddmm and ooppeerr groups).
1586
1587
The user ppeettee is allowed to change anyone's password except for root on
1588
the _H_P_P_A machines. Note that this assumes _p_a_s_s_w_d(1) does not take
1589
multiple user names on the command line.
1590
1591
bob SPARC = (OP) ALL : SGI = (OP) ALL
1592
1593
The user bboobb may run anything on the _S_P_A_R_C and _S_G_I machines as any user
1594
listed in the _O_P Runas_Alias (rroooott and ooppeerraattoorr).
1595
1596
jim +biglab = ALL
1597
1598
The user jjiimm may run any command on machines in the _b_i_g_l_a_b netgroup.
1599
ssuuddoo knows that "biglab" is a netgroup due to the '+' prefix.
1600
1601
+secretaries ALL = PRINTING, /usr/bin/adduser, /usr/bin/rmuser
1602
1603
Users in the sseeccrreettaarriieess netgroup need to help manage the printers as
1604
well as add and remove users, so they are allowed to run those commands
1605
on all machines.
1606
1607
fred ALL = (DB) NOPASSWD: ALL
1608
1609
The user ffrreedd can run commands as any user in the _D_B Runas_Alias
1610
(oorraaccllee or ssyybbaassee) without giving a password.
1611
1612
john ALPHA = /usr/bin/su [!-]*, !/usr/bin/su *root*
1613
1614
On the _A_L_P_H_A machines, user jjoohhnn may su to anyone except root but he is
1615
not allowed to specify any options to the _s_u(1) command.
1616
1617
jen ALL, !SERVERS = ALL
1618
1619
The user jjeenn may run any command on any machine except for those in the
1620
_S_E_R_V_E_R_S Host_Alias (master, mail, www and ns).
1621
1622
jill SERVERS = /usr/bin/, !SU, !SHELLS
1623
1624
For any machine in the _S_E_R_V_E_R_S Host_Alias, jjiillll may run any commands in
1625
the directory _/_u_s_r_/_b_i_n_/ except for those commands belonging to the _S_U
1626
and _S_H_E_L_L_S Cmnd_Aliases.
1627
1628
steve CSNETS = (operator) /usr/local/op_commands/
1629
1630
The user sstteevvee may run any command in the directory
1631
/usr/local/op_commands/ but only as user operator.
1632
1633
matt valkyrie = KILL
1634
1635
On his personal workstation, valkyrie, mmaatttt needs to be able to kill
1636
hung processes.
1637
1638
WEBMASTERS www = (www) ALL, (root) /usr/bin/su www
1639
1640
On the host www, any user in the _W_E_B_M_A_S_T_E_R_S User_Alias (will, wendy,
1641
and wim), may run any command as user www (which owns the web pages) or
1642
simply _s_u(1) to www.
1643
1644
ALL CDROM = NOPASSWD: /sbin/umount /CDROM,\
1645
/sbin/mount -o nosuid\,nodev /dev/cd0a /CDROM
1646
1647
Any user may mount or unmount a CD-ROM on the machines in the CDROM
1648
Host_Alias (orion, perseus, hercules) without entering a password.
1649
This is a bit tedious for users to type, so it is a prime candidate for
1650
encapsulating in a shell script.
1740
Below are example _s_u_d_o_e_r_s entries. Admittedly, some of these are a bit
1741
contrived. First, we allow a few environment variables to pass and then
1742
define our _a_l_i_a_s_e_s:
1743
1744
# Run X applications through sudo; HOME is used to find the
1745
# .Xauthority file. Note that other programs use HOME to find
1746
# configuration files and this may lead to privilege escalation!
1747
Defaults env_keep += "DISPLAY HOME"
1748
1749
# User alias specification
1750
User_Alias FULLTIMERS = millert, mikef, dowdy
1751
User_Alias PARTTIMERS = bostley, jwfox, crawl
1752
User_Alias WEBMASTERS = will, wendy, wim
1753
1754
# Runas alias specification
1755
Runas_Alias OP = root, operator
1756
Runas_Alias DB = oracle, sybase
1757
Runas_Alias ADMINGRP = adm, oper
1758
1759
# Host alias specification
1760
Host_Alias SPARC = bigtime, eclipse, moet, anchor :\
1761
SGI = grolsch, dandelion, black :\
1762
ALPHA = widget, thalamus, foobar :\
1763
HPPA = boa, nag, python
1764
Host_Alias CUNETS = 128.138.0.0/255.255.0.0
1765
Host_Alias CSNETS = 128.138.243.0, 128.138.204.0/24, 128.138.242.0
1766
Host_Alias SERVERS = master, mail, www, ns
1767
Host_Alias CDROM = orion, perseus, hercules
1768
1769
# Cmnd alias specification
1770
Cmnd_Alias DUMPS = /usr/bin/mt, /usr/sbin/dump, /usr/sbin/rdump,\
1771
/usr/sbin/restore, /usr/sbin/rrestore
1772
Cmnd_Alias KILL = /usr/bin/kill
1773
Cmnd_Alias PRINTING = /usr/sbin/lpc, /usr/bin/lprm
1774
Cmnd_Alias SHUTDOWN = /usr/sbin/shutdown
1775
Cmnd_Alias HALT = /usr/sbin/halt
1776
Cmnd_Alias REBOOT = /usr/sbin/reboot
1777
Cmnd_Alias SHELLS = /usr/bin/sh, /usr/bin/csh, /usr/bin/ksh,\
1778
/usr/local/bin/tcsh, /usr/bin/rsh,\
1779
/usr/local/bin/zsh
1780
Cmnd_Alias SU = /usr/bin/su
1781
Cmnd_Alias PAGERS = /usr/bin/more, /usr/bin/pg, /usr/bin/less
1782
1783
Here we override some of the compiled in default values. We want ssuuddoo to
1784
log via syslog(3) using the _a_u_t_h facility in all cases. We don't want to
1785
subject the full time staff to the ssuuddoo lecture, user mmiilllleerrtt need not
1786
give a password, and we don't want to reset the LOGNAME, USER or USERNAME
1787
environment variables when running commands as root. Additionally, on
1788
the machines in the _S_E_R_V_E_R_S Host_Alias, we keep an additional local log
1789
file and make sure we log the year in each log line since the log entries
1790
will be kept around for several years. Lastly, we disable shell escapes
1791
for the commands in the PAGERS Cmnd_Alias (_/_u_s_r_/_b_i_n_/_m_o_r_e, _/_u_s_r_/_b_i_n_/_p_g and
1792
_/_u_s_r_/_b_i_n_/_l_e_s_s).
1793
1794
# Override built-in defaults
1795
Defaults syslog=auth
1796
Defaults>root !set_logname
1797
Defaults:FULLTIMERS !lecture
1798
Defaults:millert !authenticate
1799
Defaults@SERVERS log_year, logfile=/var/log/sudo.log
1800
Defaults!PAGERS noexec
1801
1802
The _U_s_e_r _s_p_e_c_i_f_i_c_a_t_i_o_n is the part that actually determines who may run
1803
what.
1804
1805
root ALL = (ALL) ALL
1806
%wheel ALL = (ALL) ALL
1807
1808
We let rroooott and any user in group wwhheeeell run any command on any host as
1809
any user.
1810
1811
FULLTIMERS ALL = NOPASSWD: ALL
1812
1813
Full time sysadmins (mmiilllleerrtt, mmiikkeeff, and ddoowwddyy) may run any command on
1814
any host without authenticating themselves.
1815
1816
PARTTIMERS ALL = ALL
1817
1818
Part time sysadmins bboossttlleeyy, jjwwffooxx, and ccrraawwll) may run any command on any
1819
host but they must authenticate themselves first (since the entry lacks
1820
the NOPASSWD tag).
1821
1822
jack CSNETS = ALL
1823
1824
The user jjaacckk may run any command on the machines in the _C_S_N_E_T_S alias
1825
(the networks 128.138.243.0, 128.138.204.0, and 128.138.242.0). Of those
1826
networks, only 128.138.204.0 has an explicit netmask (in CIDR notation)
1827
indicating it is a class C network. For the other networks in _C_S_N_E_T_S,
1828
the local machine's netmask will be used during matching.
1829
1830
lisa CUNETS = ALL
1831
1832
The user lliissaa may run any command on any host in the _C_U_N_E_T_S alias (the
1833
class B network 128.138.0.0).
1834
1835
operator ALL = DUMPS, KILL, SHUTDOWN, HALT, REBOOT, PRINTING,\
1836
sudoedit /etc/printcap, /usr/oper/bin/
1837
1838
The ooppeerraattoorr user may run commands limited to simple maintenance. Here,
1839
those are commands related to backups, killing processes, the printing
1840
system, shutting down the system, and any commands in the directory
1841
_/_u_s_r_/_o_p_e_r_/_b_i_n_/.
1842
1843
joe ALL = /usr/bin/su operator
1844
1845
The user jjooee may only su(1) to operator.
1846
1847
pete HPPA = /usr/bin/passwd [A-Za-z]*, !/usr/bin/passwd root
1848
1849
%opers ALL = (: ADMINGRP) /usr/sbin/
1850
1851
Users in the ooppeerrss group may run commands in _/_u_s_r_/_s_b_i_n_/ as themselves
1852
with any group in the _A_D_M_I_N_G_R_P Runas_Alias (the aaddmm and ooppeerr groups).
1853
1854
The user ppeettee is allowed to change anyone's password except for root on
1855
the _H_P_P_A machines. Note that this assumes passwd(1) does not take
1856
multiple user names on the command line.
1857
1858
bob SPARC = (OP) ALL : SGI = (OP) ALL
1859
1860
The user bboobb may run anything on the _S_P_A_R_C and _S_G_I machines as any user
1861
listed in the _O_P Runas_Alias (rroooott and ooppeerraattoorr.)
1862
1863
jim +biglab = ALL
1864
1865
The user jjiimm may run any command on machines in the _b_i_g_l_a_b netgroup.
1866
ssuuddoo knows that ``biglab'' is a netgroup due to the `+' prefix.
1867
1868
+secretaries ALL = PRINTING, /usr/bin/adduser, /usr/bin/rmuser
1869
1870
Users in the sseeccrreettaarriieess netgroup need to help manage the printers as
1871
well as add and remove users, so they are allowed to run those commands
1872
on all machines.
1873
1874
fred ALL = (DB) NOPASSWD: ALL
1875
1876
The user ffrreedd can run commands as any user in the _D_B Runas_Alias (oorraaccllee
1877
or ssyybbaassee) without giving a password.
1878
1879
john ALPHA = /usr/bin/su [!-]*, !/usr/bin/su *root*
1880
1881
On the _A_L_P_H_A machines, user jjoohhnn may su to anyone except root but he is
1882
not allowed to specify any options to the su(1) command.
1883
1884
jen ALL, !SERVERS = ALL
1885
1886
The user jjeenn may run any command on any machine except for those in the
1887
_S_E_R_V_E_R_S Host_Alias (master, mail, www and ns).
1888
1889
jill SERVERS = /usr/bin/, !SU, !SHELLS
1890
1891
For any machine in the _S_E_R_V_E_R_S Host_Alias, jjiillll may run any commands in
1892
the directory _/_u_s_r_/_b_i_n_/ except for those commands belonging to the _S_U and
1893
_S_H_E_L_L_S Cmnd_Aliases.
1894
1895
steve CSNETS = (operator) /usr/local/op_commands/
1896
1897
The user sstteevvee may run any command in the directory
1898
/usr/local/op_commands/ but only as user operator.
1899
1900
matt valkyrie = KILL
1901
1902
On his personal workstation, valkyrie, mmaatttt needs to be able to kill hung
1903
processes.
1904
1905
WEBMASTERS www = (www) ALL, (root) /usr/bin/su www
1906
1907
On the host www, any user in the _W_E_B_M_A_S_T_E_R_S User_Alias (will, wendy, and
1908
wim), may run any command as user www (which owns the web pages) or
1909
simply su(1) to www.
1910
1911
ALL CDROM = NOPASSWD: /sbin/umount /CDROM,\
1912
/sbin/mount -o nosuid,nodev /dev/cd0a /CDROM
1913
1914
Any user may mount or unmount a CD-ROM on the machines in the CDROM
1915
Host_Alias (orion, perseus, hercules) without entering a password. This
1916
is a bit tedious for users to type, so it is a prime candidate for
1917
encapsulating in a shell script.
1651
1918
1652
1919
SSEECCUURRIITTYY NNOOTTEESS
1653
LLiimmiittaattiioonnss ooff tthhee ''!!'' ooppeerraattoorr
1654
It is generally not effective to "subtract" commands from ALL using the
1655
'!' operator. A user can trivially circumvent this by copying the
1656
desired command to a different name and then executing that. For
1657
example:
1658
1659
bill ALL = ALL, !SU, !SHELLS
1660
1661
Doesn't really prevent bbiillll from running the commands listed in _S_U or
1662
_S_H_E_L_L_S since he can simply copy those commands to a different name, or
1663
use a shell escape from an editor or other program. Therefore, these
1664
kind of restrictions should be considered advisory at best (and
1665
reinforced by policy).
1666
1667
In general, if a user has sudo ALL there is nothing to prevent them
1668
from creating their own program that gives them a root shell (or making
1669
their own copy of a shell) regardless of any '!' elements in the user
1670
specification.
1920
LLiimmiittaattiioonnss ooff tthhee ``!!'' ooppeerraattoorr
1921
It is generally not effective to ``subtract'' commands from AALLLL using the
1922
`!' operator. A user can trivially circumvent this by copying the
1923
desired command to a different name and then executing that. For
1924
example:
1925
1926
bill ALL = ALL, !SU, !SHELLS
1927
1928
Doesn't really prevent bbiillll from running the commands listed in _S_U or
1929
_S_H_E_L_L_S since he can simply copy those commands to a different name, or
1930
use a shell escape from an editor or other program. Therefore, these
1931
kind of restrictions should be considered advisory at best (and
1932
reinforced by policy).
1933
1934
In general, if a user has sudo AALLLL there is nothing to prevent them from
1935
creating their own program that gives them a root shell (or making their
1936
own copy of a shell) regardless of any `!' elements in the user
1937
specification.
1671
1938
1672
1939
SSeeccuurriittyy iimmpplliiccaattiioonnss ooff _f_a_s_t___g_l_o_b
1673
If the _f_a_s_t___g_l_o_b option is in use, it is not possible to reliably
1674
negate commands where the path name includes globbing (aka wildcard)
1675
characters. This is because the C library's _f_n_m_a_t_c_h(3) function cannot
1676
resolve relative paths. While this is typically only an inconvenience
1677
for rules that grant privileges, it can result in a security issue for
1678
rules that subtract or revoke privileges.
1679
1680
For example, given the following _s_u_d_o_e_r_s entry:
1681
1682
john ALL = /usr/bin/passwd [a-zA-Z0-9]*, /usr/bin/chsh [a-zA-Z0-9]*,
1683
/usr/bin/chfn [a-zA-Z0-9]*, !/usr/bin/* root
1684
1685
User jjoohhnn can still run /usr/bin/passwd root if _f_a_s_t___g_l_o_b is enabled by
1686
changing to _/_u_s_r_/_b_i_n and running ./passwd root instead.
1687
1688
PPrreevveennttiinngg SShheellll EEssccaappeess
1689
Once ssuuddoo executes a program, that program is free to do whatever it
1690
pleases, including run other programs. This can be a security issue
1691
since it is not uncommon for a program to allow shell escapes, which
1692
lets a user bypass ssuuddoo's access control and logging. Common programs
1693
that permit shell escapes include shells (obviously), editors,
1694
paginators, mail and terminal programs.
1695
1696
There are two basic approaches to this problem:
1697
1698
restrict Avoid giving users access to commands that allow the user to
1699
run arbitrary commands. Many editors have a restricted mode
1700
where shell escapes are disabled, though ssuuddooeeddiitt is a better
1701
solution to running editors via ssuuddoo. Due to the large
1702
number of programs that offer shell escapes, restricting
1703
users to the set of programs that do not is often unworkable.
1704
1705
noexec Many systems that support shared libraries have the ability
1706
to override default library functions by pointing an
1707
environment variable (usually LD_PRELOAD) to an alternate
1708
shared library. On such systems, ssuuddoo's _n_o_e_x_e_c functionality
1709
can be used to prevent a program run by ssuuddoo from executing
1710
any other programs. Note, however, that this applies only to
1711
native dynamically-linked executables. Statically-linked
1712
executables and foreign executables running under binary
1713
emulation are not affected.
1714
1715
The _n_o_e_x_e_c feature is known to work on SunOS, Solaris, *BSD,
1716
Linux, IRIX, Tru64 UNIX, MacOS X, HP-UX 11.x and AIX 5.3 and
1717
above. It should be supported on most operating systems that
1718
support the LD_PRELOAD environment variable. Check your
1719
operating system's manual pages for the dynamic linker
1720
(usually ld.so, ld.so.1, dyld, dld.sl, rld, or loader) to see
1721
if LD_PRELOAD is supported.
1722
1723
On Solaris 10 and higher, _n_o_e_x_e_c uses Solaris privileges
1724
instead of the LD_PRELOAD environment variable.
1725
1726
To enable _n_o_e_x_e_c for a command, use the NOEXEC tag as
1727
documented in the User Specification section above. Here is
1728
that example again:
1729
1730
aaron shanty = NOEXEC: /usr/bin/more, /usr/bin/vi
1731
1732
This allows user aaaarroonn to run _/_u_s_r_/_b_i_n_/_m_o_r_e and _/_u_s_r_/_b_i_n_/_v_i
1733
with _n_o_e_x_e_c enabled. This will prevent those two commands
1734
from executing other commands (such as a shell). If you are
1735
unsure whether or not your system is capable of supporting
1736
_n_o_e_x_e_c you can always just try it out and check whether shell
1737
escapes work when _n_o_e_x_e_c is enabled.
1738
1739
Note that restricting shell escapes is not a panacea. Programs running
1740
as root are still capable of many potentially hazardous operations
1741
(such as changing or overwriting files) that could lead to unintended
1742
privilege escalation. In the specific case of an editor, a safer
1743
approach is to give the user permission to run ssuuddooeeddiitt.
1940
If the _f_a_s_t___g_l_o_b option is in use, it is not possible to reliably negate
1941
commands where the path name includes globbing (aka wildcard) characters.
1942
This is because the C library's fnmatch(3) function cannot resolve
1943
relative paths. While this is typically only an inconvenience for rules
1944
that grant privileges, it can result in a security issue for rules that
1945
subtract or revoke privileges.
1946
1947
For example, given the following _s_u_d_o_e_r_s entry:
1948
1949
john ALL = /usr/bin/passwd [a-zA-Z0-9]*, /usr/bin/chsh [a-zA-Z0-9]*,\
1950
/usr/bin/chfn [a-zA-Z0-9]*, !/usr/bin/* root
1951
1952
User jjoohhnn can still run /usr/bin/passwd root if _f_a_s_t___g_l_o_b is enabled by
1953
changing to _/_u_s_r_/_b_i_n and running ./passwd root instead.
1954
1955
PPrreevveennttiinngg sshheellll eessccaappeess
1956
Once ssuuddoo executes a program, that program is free to do whatever it
1957
pleases, including run other programs. This can be a security issue
1958
since it is not uncommon for a program to allow shell escapes, which lets
1959
a user bypass ssuuddoo's access control and logging. Common programs that
1960
permit shell escapes include shells (obviously), editors, paginators,
1961
mail and terminal programs.
1962
1963
There are two basic approaches to this problem:
1964
1965
restrict Avoid giving users access to commands that allow the user to
1966
run arbitrary commands. Many editors have a restricted mode
1967
where shell escapes are disabled, though ssuuddooeeddiitt is a better
1968
solution to running editors via ssuuddoo. Due to the large number
1969
of programs that offer shell escapes, restricting users to the
1970
set of programs that do not is often unworkable.
1971
1972
noexec Many systems that support shared libraries have the ability to
1973
override default library functions by pointing an environment
1974
variable (usually LD_PRELOAD) to an alternate shared library.
1975
On such systems, ssuuddoo's _n_o_e_x_e_c functionality can be used to
1976
prevent a program run by ssuuddoo from executing any other
1977
programs. Note, however, that this applies only to native
1978
dynamically-linked executables. Statically-linked executables
1979
and foreign executables running under binary emulation are not
1980
affected.
1981
1982
The _n_o_e_x_e_c feature is known to work on SunOS, Solaris, *BSD,
1983
Linux, IRIX, Tru64 UNIX, MacOS X, HP-UX 11.x and AIX 5.3 and
1984
above. It should be supported on most operating systems that
1985
support the LD_PRELOAD environment variable. Check your
1986
operating system's manual pages for the dynamic linker (usually
1987
ld.so, ld.so.1, dyld, dld.sl, rld, or loader) to see if
1988
LD_PRELOAD is supported.
1989
1990
On Solaris 10 and higher, _n_o_e_x_e_c uses Solaris privileges
1991
instead of the LD_PRELOAD environment variable.
1992
1993
To enable _n_o_e_x_e_c for a command, use the NOEXEC tag as
1994
documented in the User Specification section above. Here is
1995
that example again:
1996
1997
aaron shanty = NOEXEC: /usr/bin/more, /usr/bin/vi
1998
1999
This allows user aaaarroonn to run _/_u_s_r_/_b_i_n_/_m_o_r_e and _/_u_s_r_/_b_i_n_/_v_i
2000
with _n_o_e_x_e_c enabled. This will prevent those two commands from
2001
executing other commands (such as a shell). If you are unsure
2002
whether or not your system is capable of supporting _n_o_e_x_e_c you
2003
can always just try it out and check whether shell escapes work
2004
when _n_o_e_x_e_c is enabled.
2005
2006
Note that restricting shell escapes is not a panacea. Programs running
2007
as root are still capable of many potentially hazardous operations (such
2008
as changing or overwriting files) that could lead to unintended privilege
2009
escalation. In the specific case of an editor, a safer approach is to
2010
give the user permission to run ssuuddooeeddiitt.
1744
2011
1745
2012
TTiimmee ssttaammpp ffiillee cchheecckkss
1746
_s_u_d_o_e_r_s will check the ownership of its time stamp directory
1747
(_/_v_a_r_/_a_d_m_/_s_u_d_o by default) and ignore the directory's contents if it is
1748
not owned by root or if it is writable by a user other than root. On
1749
systems that allow non-root users to give away files via _c_h_o_w_n(2), if
1750
the time stamp directory is located in a world-writable directory
1751
(e.g., _/_t_m_p), it is possible for a user to create the time stamp
1752
directory before ssuuddoo is run. However, because _s_u_d_o_e_r_s checks the
1753
ownership and mode of the directory and its contents, the only damage
1754
that can be done is to "hide" files by putting them in the time stamp
1755
dir. This is unlikely to happen since once the time stamp dir is owned
1756
by root and inaccessible by any other user, the user placing files
1757
there would be unable to get them back out.
1758
1759
_s_u_d_o_e_r_s will not honor time stamps set far in the future. Time stamps
1760
with a date greater than current_time + 2 * TIMEOUT will be ignored and
1761
sudo will log and complain. This is done to keep a user from creating
1762
his/her own time stamp with a bogus date on systems that allow users to
1763
give away files if the time stamp directory is located in a world-
1764
writable directory.
1765
1766
On systems where the boot time is available, _s_u_d_o_e_r_s will ignore time
1767
stamps that date from before the machine booted.
1768
1769
Since time stamp files live in the file system, they can outlive a
1770
user's login session. As a result, a user may be able to login, run a
1771
command with ssuuddoo after authenticating, logout, login again, and run
1772
ssuuddoo without authenticating so long as the time stamp file's
1773
modification time is within 5 minutes (or whatever the timeout is set
1774
to in _s_u_d_o_e_r_s). When the _t_t_y___t_i_c_k_e_t_s option is enabled, the time stamp
1775
has per-tty granularity but still may outlive the user's session. On
1776
Linux systems where the devpts filesystem is used, Solaris systems with
1777
the devices filesystem, as well as other systems that utilize a devfs
1778
filesystem that monotonically increase the inode number of devices as
1779
they are created (such as Mac OS X), _s_u_d_o_e_r_s is able to determine when
1780
a tty-based time stamp file is stale and will ignore it.
1781
Administrators should not rely on this feature as it is not universally
1782
available.
2013
_s_u_d_o_e_r_s will check the ownership of its time stamp directory
2014
(_/_v_a_r_/_a_d_m_/_s_u_d_o by default) and ignore the directory's contents if it is
2015
not owned by root or if it is writable by a user other than root. On
2016
systems that allow non-root users to give away files via chown(2), if the
2017
time stamp directory is located in a world-writable directory (e.g.,
2018
_/_t_m_p), it is possible for a user to create the time stamp directory
2019
before ssuuddoo is run. However, because _s_u_d_o_e_r_s checks the ownership and
2020
mode of the directory and its contents, the only damage that can be done
2021
is to ``hide'' files by putting them in the time stamp dir. This is
2022
unlikely to happen since once the time stamp dir is owned by root and
2023
inaccessible by any other user, the user placing files there would be
2024
unable to get them back out.
2025
2026
_s_u_d_o_e_r_s will not honor time stamps set far in the future. Time stamps
2027
with a date greater than current_time + 2 * TIMEOUT will be ignored and
2028
sudo will log and complain. This is done to keep a user from creating
2029
his/her own time stamp with a bogus date on systems that allow users to
2030
give away files if the time stamp directory is located in a world-
2031
writable directory.
2032
2033
On systems where the boot time is available, _s_u_d_o_e_r_s will ignore time
2034
stamps that date from before the machine booted.
2035
2036
Since time stamp files live in the file system, they can outlive a user's
2037
login session. As a result, a user may be able to login, run a command
2038
with ssuuddoo after authenticating, logout, login again, and run ssuuddoo without
2039
authenticating so long as the time stamp file's modification time is
2040
within 5 minutes (or whatever the timeout is set to in _s_u_d_o_e_r_s). When
2041
the _t_t_y___t_i_c_k_e_t_s option is enabled, the time stamp has per-tty granularity
2042
but still may outlive the user's session. On Linux systems where the
2043
devpts filesystem is used, Solaris systems with the devices filesystem,
2044
as well as other systems that utilize a devfs filesystem that
2045
monotonically increase the inode number of devices as they are created
2046
(such as Mac OS X), _s_u_d_o_e_r_s is able to determine when a tty-based time
2047
stamp file is stale and will ignore it. Administrators should not rely
2048
on this feature as it is not universally available.
1783
2049
1784
2050
SSEEEE AALLSSOO
1785
_r_s_h(1), _s_u(1), _f_n_m_a_t_c_h(3), _g_l_o_b(3), _m_k_t_e_m_p(3), _s_t_r_f_t_i_m_e(3),
1786
_s_u_d_o_e_r_s_._l_d_a_p(4), _s_u_d_o___p_l_u_g_i_n(1m), _s_u_d_o(1m), _v_i_s_u_d_o(1m)
2051
ssh(1), su(1), fnmatch(3), glob(3), mktemp(3), strftime(3),
2052
sudoers.ldap(4), sudo_plugin(1m), sudo(1m), visudo(1m)
1787
2053
1788
2054
CCAAVVEEAATTSS
1789
The _s_u_d_o_e_r_s file should aallwwaayyss be edited by the vviissuuddoo command which
1790
locks the file and does grammatical checking. It is imperative that
1791
_s_u_d_o_e_r_s be free of syntax errors since ssuuddoo will not run with a
1792
syntactically incorrect _s_u_d_o_e_r_s file.
2055
The _s_u_d_o_e_r_s file should aallwwaayyss be edited by the vviissuuddoo command which
2056
locks the file and does grammatical checking. It is imperative that
2057
_s_u_d_o_e_r_s be free of syntax errors since ssuuddoo will not run with a
2058
syntactically incorrect _s_u_d_o_e_r_s file.
1793
2059
1794
When using netgroups of machines (as opposed to users), if you store
1795
fully qualified host name in the netgroup (as is usually the case), you
1796
either need to have the machine's host name be fully qualified as
1797
returned by the hostname command or use the _f_q_d_n option in _s_u_d_o_e_r_s.
2060
When using netgroups of machines (as opposed to users), if you store
2061
fully qualified host name in the netgroup (as is usually the case), you
2062
either need to have the machine's host name be fully qualified as
2063
returned by the hostname command or use the _f_q_d_n option in _s_u_d_o_e_r_s.
1798
2064
1799
2065
BBUUGGSS
1800
If you feel you have found a bug in ssuuddoo, please submit a bug report at
1801
http://www.sudo.ws/sudo/bugs/
2066
If you feel you have found a bug in ssuuddoo, please submit a bug report at
2067
http://www.sudo.ws/sudo/bugs/
1802
2068
1803
2069
SSUUPPPPOORRTT
1804
Limited free support is available via the sudo-users mailing list, see
1805
http://www.sudo.ws/mailman/listinfo/sudo-users to subscribe or search
1806
the archives.
2070
Limited free support is available via the sudo-users mailing list, see
2071
http://www.sudo.ws/mailman/listinfo/sudo-users to subscribe or search the
2072
archives.
1807
2073
1808
2074
DDIISSCCLLAAIIMMEERR
1809
ssuuddoo is provided ``AS IS'' and any express or implied warranties,
1810
including, but not limited to, the implied warranties of
1811
merchantability and fitness for a particular purpose are disclaimed.
1812
See the LICENSE file distributed with ssuuddoo or
1813
http://www.sudo.ws/sudo/license.html for complete details.
1814
1815
1816
1817
1.8.5 March 28, 2012 SUDOERS(4)
2075
ssuuddoo is provided ``AS IS'' and any express or implied warranties,
2076
including, but not limited to, the implied warranties of merchantability
2077
and fitness for a particular purpose are disclaimed. See the LICENSE
2078
file distributed with ssuuddoo or http://www.sudo.ws/sudo/license.html for
2079
complete details.
2080
2081
Sudo 1.8.6 July 16, 2012 Sudo 1.8.6
Loggerhead is a web-based interface for Breezy
Version: 2.0.1