SUDOERS(4)                  MAINTENANCE COMMANDS                   SUDOERS(4)

NAME
     sudoers - default sudo security policy module

DESCRIPTION
     The sudoers policy module determines a user's sudo privileges.  It is
     the default sudo policy plugin.  The policy is driven by the
     /etc/sudoers file or, optionally, in LDAP.  The policy format is
     described in detail in the "SUDOERS FILE FORMAT" section.  For
     information on storing sudoers policy information in LDAP, please see
     sudoers.ldap(4).

   Authentication and Logging
     The sudoers security policy requires that most users authenticate
     themselves before they can use sudo.  A password is not required if the
     invoking user is root, if the target user is the same as the invoking
     user, or if the policy has disabled authentication for the user or
     command.  Unlike su(1), when sudoers requires authentication, it
     validates the invoking user's credentials, not the target user's (or
     root's) credentials.  This can be changed via the rootpw, targetpw and
     runaspw flags, described later.

     If a user who is not listed in the policy tries to run a command via
     sudo, mail is sent to the proper authorities.  The address used for
     such mail is configurable via the mailto Defaults entry (described
     later) and defaults to root.

     Note that mail will not be sent if an unauthorized user tries to run
     sudo with the -l or -v option.  This allows users to determine for
     themselves whether or not they are allowed to use sudo.

     If sudo is run by root and the SUDO_USER environment variable is set,
     the sudoers policy will use this value to determine who the actual user
     is.  This can be used by a user to log commands through sudo even when
     a root shell has been invoked.  It also allows the -e option to remain
     useful even when invoked via a sudo-run script or program.  Note,
     however, that the sudoers lookup is still done for root, not the user
     specified by SUDO_USER.

     sudoers uses time stamp files for credential caching.  Once a user has
     been authenticated, the time stamp is updated and the user may then use
     sudo without a password for a short period of time (5 minutes unless
     overridden by the timeout option).  By default, sudoers uses a tty-based
     time stamp, which means that there is a separate time stamp for each of
     a user's login sessions.  The tty_tickets option can be disabled to
     force the use of a single time stamp for all of a user's sessions.

     sudoers can log both successful and unsuccessful attempts (as well as
     errors) to syslog(3), a log file, or both.  By default, sudoers will
     log via syslog(3) but this is changeable via the syslog and logfile
     Defaults parameters.

     sudoers also supports logging a command's input and output streams.
     I/O logging is not on by default but can be enabled using the log_input
     and log_output Defaults flags as well as the LOG_INPUT and LOG_OUTPUT
     command tags.

   Command Environment
     Since environment variables can influence program behavior, sudoers
     provides a means to restrict which variables from the user's
     environment are inherited by the command to be run.  There are two
     distinct ways sudoers can deal with environment variables.

     By default, the env_reset option is enabled.  This causes commands to
     be executed with a new, minimal environment.  On AIX (and Linux systems
     without PAM), the environment is initialized with the contents of the
     /etc/environment file.  On BSD systems, if the use_loginclass option is
     enabled, the environment is initialized based on the path and setenv
     settings in /etc/login.conf.  The new environment contains the TERM,
     PATH, HOME, MAIL, SHELL, LOGNAME, USER, USERNAME and SUDO_* variables
     in addition to variables from the invoking process permitted by the
     env_check and env_keep options.  This is effectively a whitelist for
     environment variables.

     If, however, the env_reset option is disabled, any variables not
     explicitly denied by the env_check and env_delete options are inherited
     from the invoking process.  In this case, env_check and env_delete
     behave like a blacklist.  Since it is not possible to blacklist all
     potentially dangerous environment variables, use of the default
     env_reset behavior is encouraged.

     In all cases, environment variables with a value beginning with () are
     removed as they could be interpreted as bash functions.  The list of
     environment variables that sudo allows or denies is contained in the
     output of "sudo -V" when run as root.

     Note that the dynamic linker on most operating systems will remove
     variables that can control dynamic linking from the environment of
     setuid executables, including sudo.  Depending on the operating system
     this may include _RLD*, DYLD_*, LD_*, LDR_*, LIBPATH, SHLIB_PATH, and
     others.  These types of variables are removed from the environment
     before sudo even begins execution and, as such, it is not possible for
     sudo to preserve them.

     As a special case, if sudo's -i option (initial login) is specified,
     sudoers will initialize the environment regardless of the value of
     env_reset.  The DISPLAY, PATH and TERM variables remain unchanged;
     HOME, MAIL, SHELL, USER, and LOGNAME are set based on the target user.
     On AIX (and Linux systems without PAM), the contents of
     /etc/environment are also included.  On BSD systems, if the
     use_loginclass option is enabled, the path and setenv variables in
     /etc/login.conf are also applied.  All other environment variables are
     removed.

     Finally, if the env_file option is defined, any variables present in
     that file will be set to their specified values as long as they would
     not conflict with an existing environment variable.
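     As an added illustration (not sudo's own code), the following Python
     model applies those rules to a constructed environment so the
     difference between the env_reset whitelist and the blacklist mode can
     be seen directly.  The env_keep/env_check/env_delete lists and the
     invoking environment are constructed samples, and the rule that an
     env_check variable survives only if its value contains neither '%' nor
     '/' is an assumption taken from the env_check option description, not
     from the text above.

```python
"""Added model of sudoers' environment sanitising as described above; this is
not sudo's own code.  ENV_KEEP/ENV_CHECK/ENV_DELETE and SAMPLE_ENV are
constructed samples (a real system lists its own in `sudo -V`), and the rule
that an env_check variable survives only if its value contains neither '%'
nor '/' is an assumption taken from the env_check option description."""
import fnmatch

ALWAYS_KEPT = {"TERM", "PATH", "HOME", "MAIL", "SHELL", "LOGNAME", "USER", "USERNAME"}
ENV_KEEP = ["LANG", "LC_*", "EDITOR"]              # constructed sample lists
ENV_CHECK = ["COLORTERM", "DISPLAY", "LESSOPEN"]
ENV_DELETE = ["IFS", "CDPATH", "PERLLIB", "PYTHONPATH"]

SAMPLE_ENV = {                                     # constructed invoking environment
    "PATH": "/usr/bin:/bin",
    "HOME": "/home/alice",
    "TERM": "xterm",
    "LANG": "en_US.UTF-8",
    "LC_ALL": "C",
    "TZ": "Europe/Berlin",                         # listed nowhere in the policy
    "COLORTERM": "truecolor",
    "DISPLAY": ":0",
    "LESSOPEN": "|/usr/bin/lesspipe %s",           # fails the env_check test
    "IFS": " \t\n",
    "PYTHONPATH": "/tmp/untrusted",
    "BASH_FUNC_greet%%": "() { echo hi; }",       # exported bash function
}


def _listed(name, patterns):
    """Does a variable name match any pattern in a sudoers-style list?"""
    return any(fnmatch.fnmatchcase(name, p) for p in patterns)


def _check_passes(value):
    """Assumed env_check rule: value may contain neither '%' nor '/'."""
    return "%" not in value and "/" not in value


def sanitize_env(env, env_reset=True, env_file=None):
    """Return the environment sudoers would hand to the command."""
    out = {}
    for name, value in env.items():
        if value.startswith("()"):                 # in all cases: bash functions go
            continue
        if env_reset:                              # whitelist: fixed set + env_keep + env_check
            keep = (name in ALWAYS_KEPT or name.startswith("SUDO_")
                    or _listed(name, ENV_KEEP)
                    or (_listed(name, ENV_CHECK) and _check_passes(value)))
        else:                                      # blacklist: env_delete and failed env_check
            keep = not (_listed(name, ENV_DELETE)
                        or (_listed(name, ENV_CHECK) and not _check_passes(value)))
        if keep:
            out[name] = value
    for name, value in (env_file or {}).items():   # env_file never overrides an existing var
        out.setdefault(name, value)
    return out


def leaks_without_reset(env=SAMPLE_ENV):
    """Names that reach the command in blacklist mode but not in whitelist mode."""
    return sorted(set(sanitize_env(env, env_reset=False)) - set(sanitize_env(env)))
```

     With this sample, leaks_without_reset() reports TZ: a variable that no
     list mentions reaches the command only when env_reset is disabled,
     which is the reason the default is recommended.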
SUDOERS FILE FORMAT
     The sudoers file is composed of two types of entries: aliases
     (basically variables) and user specifications (which specify who may
     run what).

     When multiple entries match for a user, they are applied in order.
     Where there are multiple matches, the last match is used (which is not
     necessarily the most specific match).

     The sudoers grammar will be described below in Extended Backus-Naur
     Form (EBNF).  Don't despair if you don't know what EBNF is; it is
     fairly simple, and the definitions below are annotated.
   Quick guide to EBNF
     EBNF is a concise and exact way of describing the grammar of a
     language.  Each EBNF definition is made up of production rules.  E.g.,

           symbol ::= definition | alternate1 | alternate2 ...

     Each production rule references others and thus makes up a grammar for
     the language.  EBNF also contains the following operators, which many
     readers will recognize from regular expressions.  Do not, however,
     confuse them with "wildcard" characters, which have different meanings.

     ?   Means that the preceding symbol (or group of symbols) is optional.
         That is, it may appear once or not at all.

     *   Means that the preceding symbol (or group of symbols) may appear
         zero or more times.

     +   Means that the preceding symbol (or group of symbols) may appear
         one or more times.

     Parentheses may be used to group symbols together.  For clarity, we
     will use single quotes ('') to designate what is a verbatim character
     string (as opposed to a symbol name).
     There are four kinds of aliases: User_Alias, Runas_Alias, Host_Alias
     and Cmnd_Alias.

           Alias ::= 'User_Alias'  User_Alias (':' User_Alias)* |
                     'Runas_Alias' Runas_Alias (':' Runas_Alias)* |
                     'Host_Alias'  Host_Alias (':' Host_Alias)* |
                     'Cmnd_Alias'  Cmnd_Alias (':' Cmnd_Alias)*

           User_Alias ::= NAME '=' User_List

           Runas_Alias ::= NAME '=' Runas_List

           Host_Alias ::= NAME '=' Host_List

           Cmnd_Alias ::= NAME '=' Cmnd_List

           NAME ::= [A-Z]([A-Z][0-9]_)*

     Each alias definition is of the form

           Alias_Type NAME = item1, item2, ...

     where Alias_Type is one of User_Alias, Runas_Alias, Host_Alias, or
     Cmnd_Alias.  A NAME is a string of uppercase letters, numbers, and
     underscore characters ('_').  A NAME must start with an uppercase
     letter.  It is possible to put several alias definitions of the same
     type on a single line, joined by a colon (':').  E.g.,

           Alias_Type NAME = item1, item2, item3 : NAME = item4, item5

     The definitions of what constitutes a valid alias member follow.

           User ::= '!'* user name |
                    '!'* %:nonunix_group |
                    '!'* %:#nonunix_gid |

     A User_List is made up of one or more user names, user ids (prefixed
     with '#'), system group names and ids (prefixed with '%' and '%#'
     respectively), netgroups (prefixed with '+'), non-Unix group names and
     IDs (prefixed with '%:' and '%:#' respectively) and User_Aliases.  Each
     list item may be prefixed with zero or more '!' operators.  An odd
     number of '!' operators negates the value of the item; an even number
     just cancels out.

     A user name, uid, group, gid, netgroup, nonunix_group or nonunix_gid
     may be enclosed in double quotes to avoid the need for escaping special
     characters.  Alternately, special characters may be specified in
     escaped hex mode, e.g. \x20 for space.  When using double quotes, any
     prefix characters must be included inside the quotes.

     The actual nonunix_group and nonunix_gid syntax depends on the
     underlying group provider plugin (see the group_plugin description
     below).  For instance, the QAS AD plugin supports the following
     formats:

     o   Group in the same domain: "%:Group Name"

     o   Group in any domain: "%:Group Name@FULLY.QUALIFIED.DOMAIN"

     o   Group SID: "%:S-1-2-34-5678901234-5678901234-5678901234-567"

     Note that quotes around group names are optional.  Unquoted strings
     must use a backslash (\) to escape spaces and special characters.  See
     "Other special characters and reserved words" for a list of characters
     that need to be escaped.

           Runas_List ::= Runas_Member |
                          Runas_Member ',' Runas_List

           Runas_Member ::= '!'* user name |
                            '!'* %:nonunix_group |
                            '!'* %:#nonunix_gid |

     A Runas_List is similar to a User_List except that instead of
     User_Aliases it can contain Runas_Aliases.  Note that user names and
     groups are matched as strings.  In other words, two users (groups) with
     the same uid (gid) are considered to be distinct.  If you wish to match
     all user names with the same uid (e.g. root and toor), you can use a
     uid instead (#0 in the example given).

           Host ::= '!'* host name |
                    '!'* network(/netmask)? |

     A Host_List is made up of one or more host names, IP addresses, network
     numbers, netgroups (prefixed with '+') and other aliases.  Again, the
     value of an item may be negated with the '!' operator.  If you do not
     specify a netmask along with the network number, sudo will query each
     of the local host's network interfaces and, if the network number
     corresponds to one of the host's network interfaces, the corresponding
     netmask will be used.  The netmask may be specified either in standard
     IP address notation (e.g. 255.255.255.0 or ffff:ffff:ffff:ffff::), or
     CIDR notation (number of bits, e.g. 24 or 64).  A host name may include
     shell-style wildcards (see the Wildcards section below), but unless the
     hostname command on your machine returns the fully qualified host
     name, you'll need to use the fqdn option for wildcards to be useful.
     Note that sudo only inspects actual network interfaces; this means that
     IP address 127.0.0.1 (localhost) will never match.  Also, the host name
     "localhost" will only match if that is the actual host name, which is
     usually only the case for non-networked systems.

           commandname ::= file name |

           Cmnd ::= '!'* commandname |

     A Cmnd_List is a list of one or more commandnames, directories, and
     other aliases.  A commandname is a fully qualified file name which may
     include shell-style wildcards (see the Wildcards section below).  A
     simple file name allows the user to run the command with any arguments
     he/she wishes.  However, you may also specify command line arguments
     (including wildcards).  Alternately, you can specify "" to indicate
     that the command may only be run without command line arguments.  A
     directory is a fully qualified path name ending in a '/'.  When you
     specify a directory in a Cmnd_List, the user will be able to run any
     file within that directory (but not in any subdirectories therein).

     If a Cmnd has associated command line arguments, then the arguments in
     the Cmnd must match exactly those given by the user on the command line
     (or match the wildcards if there are any).  Note that the following
     characters must be escaped with a '\' if they are used in command
     arguments: ',', ':', '=', '\'.  The special command "sudoedit" is used
     to permit a user to run sudo with the -e option (or as sudoedit).  It
     may take command line arguments just as a normal command does.
     Certain configuration options may be changed from their default values
     at runtime via one or more Default_Entry lines.  These may affect all
     users on any host, all users on a specific host, a specific user, a
     specific command, or commands being run as a specific user.  Note that
     per-command entries may not include command line arguments.  If you
     need to specify arguments, define a Cmnd_Alias and reference that
     instead.

           Default_Type ::= 'Defaults' |
                            'Defaults' '@' Host_List |
                            'Defaults' ':' User_List |
                            'Defaults' '!' Cmnd_List |
                            'Defaults' '>' Runas_List

           Default_Entry ::= Default_Type Parameter_List

           Parameter_List ::= Parameter |
                              Parameter ',' Parameter_List

           Parameter ::= Parameter '=' Value |
                         Parameter '+=' Value |
                         Parameter '-=' Value |

     Parameters may be flags, integer values, strings, or lists.  Flags are
     implicitly boolean and can be turned off via the '!' operator.  Some
     integer, string and list parameters may also be used in a boolean
     context to disable them.  Values may be enclosed in double quotes (")
     when they contain multiple words.  Special characters may be escaped
     with a backslash (\).

     Lists have two additional assignment operators, += and -=.  These
     operators are used to add to and delete from a list respectively.  It
     is not an error to use the -= operator to remove an element that does
     not exist.

     Defaults entries are parsed in the following order: generic, host and
     user Defaults first, then runas Defaults and finally command Defaults.

     See "SUDOERS OPTIONS" for a list of supported Defaults parameters.

   User Specification
           User_Spec ::= User_List Host_List '=' Cmnd_Spec_List \
                         (':' Host_List '=' Cmnd_Spec_List)*

           Cmnd_Spec_List ::= Cmnd_Spec |
                              Cmnd_Spec ',' Cmnd_Spec_List

           Cmnd_Spec ::= Runas_Spec? SELinux_Spec? Solaris_Priv_Spec? Tag_Spec* Cmnd

           Runas_Spec ::= '(' Runas_List? (':' Runas_List)? ')'

           SELinux_Spec ::= ('ROLE=role' | 'TYPE=type')

           Solaris_Priv_Spec ::= ('PRIVS=privset' | 'LIMITPRIVS=privset')

           Tag_Spec ::= ('NOPASSWD:' | 'PASSWD:' | 'NOEXEC:' | 'EXEC:' |
                         'SETENV:' | 'NOSETENV:' | 'LOG_INPUT:' | 'NOLOG_INPUT:' |
                         'LOG_OUTPUT:' | 'NOLOG_OUTPUT:')

     A user specification determines which commands a user may run (and as
     what user) on specified hosts.  By default, commands are run as root,
     but this can be changed on a per-command basis.

     The basic structure of a user specification is "who where = (as_whom)
     what".  Let's break that down into its constituent parts:
366
361
RRuunnaass__SSppeecc
367
A Runas_Spec determines the user and/or the group that a command may be
368
run as. A fully-specified Runas_Spec consists of two Runas_Lists (as
369
defined above) separated by a colon (':') and enclosed in a set of
370
parentheses. The first Runas_List indicates which users the command
371
may be run as via ssuuddoo's --uu option. The second defines a list of
372
groups that can be specified via ssuuddoo's --gg option. If both Runas_Lists
373
are specified, the command may be run with any combination of users and
374
groups listed in their respective Runas_Lists. If only the first is
375
specified, the command may be run as any user in the list but no --gg
376
option may be specified. If the first Runas_List is empty but the
377
second is specified, the command may be run as the invoking user with
378
the group set to any listed in the Runas_List. If no Runas_Spec is
379
specified the command may be run as rroooott and no group may be specified.
381
A Runas_Spec sets the default for the commands that follow it. What
382
this means is that for the entry:
384
dgb boulder = (operator) /bin/ls, /bin/kill, /usr/bin/lprm
386
The user ddggbb may run _/_b_i_n_/_l_s, _/_b_i_n_/_k_i_l_l, and _/_u_s_r_/_b_i_n_/_l_p_r_m -- but only
387
as ooppeerraattoorr. E.g.,
389
$ sudo -u operator /bin/ls
391
It is also possible to override a Runas_Spec later on in an entry. If
392
we modify the entry like so:
394
dgb boulder = (operator) /bin/ls, (root) /bin/kill, /usr/bin/lprm
396
Then user ddggbb is now allowed to run _/_b_i_n_/_l_s as ooppeerraattoorr, but _/_b_i_n_/_k_i_l_l
397
and _/_u_s_r_/_b_i_n_/_l_p_r_m as rroooott.
399
We can extend this to allow ddggbb to run /bin/ls with either the user or
400
group set to ooppeerraattoorr:
402
dgb boulder = (operator : operator) /bin/ls, (root) /bin/kill, \
405
Note that while the group portion of the Runas_Spec permits the user to
406
run as command with that group, it does not force the user to do so.
407
If no group is specified on the command line, the command will run with
408
the group listed in the target user's password database entry. The
409
following would all be permitted by the sudoers entry above:
411
$ sudo -u operator /bin/ls
412
$ sudo -u operator -g operator /bin/ls
413
$ sudo -g operator /bin/ls
415
In the following example, user ttccmm may run commands that access a modem
416
device file with the dialer group.
418
tcm boulder = (:dialer) /usr/bin/tip, /usr/bin/cu, \
419
/usr/local/bin/minicom
421
Note that in this example only the group will be set, the command still
422
runs as user ttccmm. E.g.
424
$ sudo -g dialer /usr/bin/cu
426
Multiple users and groups may be present in a Runas_Spec, in which case
427
the user may select any combination of users and groups via the --uu and
428
--gg options. In this example:
430
alan ALL = (root, bin : operator, system) ALL
432
user aallaann may run any command as either user root or bin, optionally
433
setting the group to operator or system.
362
A Runas_Spec determines the user and/or the group that a command may be
363
run as. A fully-specified Runas_Spec consists of two Runas_Lists (as
364
defined above) separated by a colon (`:') and enclosed in a set of
365
parentheses. The first Runas_List indicates which users the command may
366
be run as via ssuuddoo's --uu option. The second defines a list of groups that
367
can be specified via ssuuddoo's --gg option. If both Runas_Lists are
368
specified, the command may be run with any combination of users and
369
groups listed in their respective Runas_Lists. If only the first is
370
specified, the command may be run as any user in the list but no --gg
371
option may be specified. If the first Runas_List is empty but the second
372
is specified, the command may be run as the invoking user with the group
373
set to any listed in the Runas_List. If both Runas_Lists are empty, the
374
command may only be run as the invoking user. If no Runas_Spec is
375
specified the command may be run as rroooott and no group may be specified.
377
A Runas_Spec sets the default for the commands that follow it. What this
378
means is that for the entry:
380
dgb boulder = (operator) /bin/ls, /bin/kill, /usr/bin/lprm
382
The user ddggbb may run _/_b_i_n_/_l_s, _/_b_i_n_/_k_i_l_l, and _/_u_s_r_/_b_i_n_/_l_p_r_m--but only as
383
ooppeerraattoorr. E.g.,
385
$ sudo -u operator /bin/ls
387
It is also possible to override a Runas_Spec later on in an entry. If we
388
modify the entry like so:
390
dgb boulder = (operator) /bin/ls, (root) /bin/kill, /usr/bin/lprm
392
Then user ddggbb is now allowed to run _/_b_i_n_/_l_s as ooppeerraattoorr, but _/_b_i_n_/_k_i_l_l
393
and _/_u_s_r_/_b_i_n_/_l_p_r_m as rroooott.
395
We can extend this to allow ddggbb to run /bin/ls with either the user or
396
group set to ooppeerraattoorr:
398
dgb boulder = (operator : operator) /bin/ls, (root) /bin/kill,\
401
Note that while the group portion of the Runas_Spec permits the user to
402
run as command with that group, it does not force the user to do so. If
403
no group is specified on the command line, the command will run with the
404
group listed in the target user's password database entry. The following
405
would all be permitted by the sudoers entry above:
407
$ sudo -u operator /bin/ls
408
$ sudo -u operator -g operator /bin/ls
409
$ sudo -g operator /bin/ls
411
In the following example, user ttccmm may run commands that access a modem
412
device file with the dialer group.
414
tcm boulder = (:dialer) /usr/bin/tip, /usr/bin/cu,\
415
/usr/local/bin/minicom
417
Note that in this example only the group will be set, the command still
418
runs as user ttccmm. E.g.
420
$ sudo -g dialer /usr/bin/cu
422
Multiple users and groups may be present in a Runas_Spec, in which case
423
the user may select any combination of users and groups via the --uu and --gg
424
options. In this example:
426
alan ALL = (root, bin : operator, system) ALL
428
user aallaann may run any command as either user root or bin, optionally
429
setting the group to operator or system.
SELinux_Spec

On systems with SELinux support, sudoers entries may optionally have an
SELinux role and/or type associated with a command. If a role or type is
specified with the command it will override any default values specified
in sudoers. A role or type specified on the command line, however, will
supersede the values in sudoers.
Solaris_Priv_Spec

On Solaris systems, sudoers entries may optionally specify Solaris
privilege set and/or limit privilege set associated with a command. If
privileges or limit privileges are specified with the command it will
override any default values specified in sudoers.

A privilege set is a comma-separated list of privilege names. The
ppriv(1) command can be used to list all privileges known to the system.

In addition, there are several ``special'' privilege strings:

    all      the set of all privileges

    zone     the set of all privileges available in the current zone

    basic    the default set of privileges normal users are granted at login

Privileges can be excluded from a set by prefixing the privilege name
with either an `!' or `-' character.
A command may have zero or more tags associated with it. There are ten
possible tag values: NOPASSWD, PASSWD, NOEXEC, EXEC, SETENV, NOSETENV,
LOG_INPUT, NOLOG_INPUT, LOG_OUTPUT and NOLOG_OUTPUT. Once a tag is set
on a Cmnd, subsequent Cmnds in the Cmnd_Spec_List inherit the tag unless
it is overridden by the opposite tag (in other words, PASSWD overrides
NOPASSWD and NOEXEC overrides EXEC).

NOPASSWD and PASSWD

By default, sudo requires that a user authenticate him or herself before
running a command. This behavior can be modified via the NOPASSWD tag.
Like a Runas_Spec, the NOPASSWD tag sets a default for the commands that
follow it in the Cmnd_Spec_List. Conversely, the PASSWD tag can be used
to reverse things. For example:

    ray rushmore = NOPASSWD: /bin/kill, /bin/ls, /usr/bin/lprm

would allow the user ray to run /bin/kill, /bin/ls, and /usr/bin/lprm as
root on the machine rushmore without authenticating himself. If we only
want ray to be able to run /bin/kill without a password the entry would

    ray rushmore = NOPASSWD: /bin/kill, PASSWD: /bin/ls, /usr/bin/lprm

Note, however, that the PASSWD tag has no effect on users who are in the
group specified by the exempt_group option.

By default, if the NOPASSWD tag is applied to any of the entries for a
user on the current host, he or she will be able to run ``sudo -l''
without a password. Additionally, a user may only run ``sudo -v''
without a password if the NOPASSWD tag is present for all a user's
entries that pertain to the current host. This behavior may be
overridden via the verifypw and listpw options.

NOEXEC and EXEC

If sudo has been compiled with noexec support and the underlying
operating system supports it, the NOEXEC tag can be used to prevent a
dynamically-linked executable from running further commands itself.

In the following example, user aaron may run /usr/bin/more and
/usr/bin/vi but shell escapes will be disabled.

    aaron shanty = NOEXEC: /usr/bin/more, /usr/bin/vi

See the "Preventing shell escapes" section below for more details on how
NOEXEC works and whether or not it will work on your system.

SETENV and NOSETENV

These tags override the value of the setenv option on a per-command
basis. Note that if SETENV has been set for a command, the user may
disable the env_reset option from the command line via the -E option.
Additionally, environment variables set on the command line are not
subject to the restrictions imposed by env_check, env_delete, or
env_keep. As such, only trusted users should be allowed to set variables
in this manner. If the command matched is ALL, the SETENV tag is implied
for that command; this default may be overridden by use of the NOSETENV

LOG_INPUT and NOLOG_INPUT

These tags override the value of the log_input option on a per-command
basis. For more information, see the description of log_input in the
"SUDOERS OPTIONS" section below.

LOG_OUTPUT and NOLOG_OUTPUT

These tags override the value of the log_output option on a per-command
basis. For more information, see the description of log_output in the
"SUDOERS OPTIONS" section below.
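The Python program below is an added example, not sudo's parser, that walks a Cmnd_Spec_List and reports the effective Runas_Spec and tags of every command. It applies the "sets the default for the commands that follow it" rule from the Runas_Spec section together with the tag inheritance rule above, including the SETENV implied for an ALL command. It assumes a single-word User_List and Host_List, no aliases and no SELinux or Solaris specs; the INVOKING placeholder and the sample entry (which combines the dgb and tcm examples) are constructed here.

```python
"""Expand a sudoers user specification into the effective Runas_Spec and
tags of every command, following the "sets the default for the commands
that follow it" rule for Runas_Spec and the tag inheritance rule.

Added example, not sudo's parser. Assumptions: the User_List and
Host_List are single words, aliases/SELinux/Solaris specs are absent,
and a trailing backslash continues the entry on the next line.
"""
import re

INVOKING = "<invoking user>"     # placeholder for "run as the invoking user"

# Each tag with the opposite tag that overrides it for later commands.
_OPPOSITE = {
    "NOPASSWD": "PASSWD", "PASSWD": "NOPASSWD",
    "NOEXEC": "EXEC", "EXEC": "NOEXEC",
    "SETENV": "NOSETENV", "NOSETENV": "SETENV",
    "LOG_INPUT": "NOLOG_INPUT", "NOLOG_INPUT": "LOG_INPUT",
    "LOG_OUTPUT": "NOLOG_OUTPUT", "NOLOG_OUTPUT": "LOG_OUTPUT",
}
_RUNAS = re.compile(r"^\(\s*([^:)]*?)\s*(?::\s*([^)]*?)\s*)?\)\s*")
_TAG = re.compile(r"^(%s):\s*" % "|".join(_OPPOSITE))


def _split_top_level(text):
    """Split a Cmnd_Spec_List on commas that are not inside a Runas_Spec."""
    parts, depth, cur = [], 0, []
    for ch in text:
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
        if ch == "," and depth == 0:
            parts.append("".join(cur).strip())
            cur = []
        else:
            cur.append(ch)
    parts.append("".join(cur).strip())
    return [p for p in parts if p]


def _runas(users, groups):
    """Map the two Runas_Lists to (allowed users, allowed groups)."""
    users = [u.strip() for u in users.split(",") if u.strip()]
    groups = [g.strip() for g in groups.split(",") if g.strip()] if groups is not None else []
    if not users:                   # "()" or "(:grp)": run as the invoking user
        users = [INVOKING]
    return users, groups


def expand_user_spec(entry):
    """Return (user, host, [{cmnd, runas_users, runas_groups, tags}, ...])."""
    entry = re.sub(r"\\\s*\n\s*", " ", entry)      # join continued lines
    m = re.match(r"^\s*(\S+)\s+(\S+)\s*=\s*(.*)$", entry, re.S)
    if not m:
        raise ValueError("not a user specification: %r" % entry)
    user, host, spec_list = m.groups()
    runas = (["root"], [])          # no Runas_Spec: as root, no -g allowed
    tags = set()
    commands = []
    for piece in _split_top_level(spec_list):
        r = _RUNAS.match(piece)
        if r:                       # a new Runas_Spec becomes the default from here on
            runas = _runas(r.group(1), r.group(2))
            piece = piece[r.end():]
        while True:
            t = _TAG.match(piece)
            if not t:
                break
            tags.discard(_OPPOSITE[t.group(1)])   # the opposite tag is overridden
            tags.add(t.group(1))
            piece = piece[t.end():]
        effective = set(tags)
        if piece == "ALL" and "NOSETENV" not in effective:
            effective.add("SETENV")  # implied for ALL unless NOSETENV is given
        commands.append({"cmnd": piece, "runas_users": list(runas[0]),
                         "runas_groups": list(runas[1]), "tags": sorted(effective)})
    return user, host, commands


# Constructed entry combining the man page's dgb and tcm examples.
SAMPLE = ("dgb boulder = (operator : operator) /bin/ls, (root) NOPASSWD: /bin/kill, \\\n"
          "    PASSWD: /usr/bin/lprm, (:dialer) /usr/bin/cu")

if __name__ == "__main__":
    for cmd in expand_user_spec(SAMPLE)[2]:
        print(cmd)
```

Reviewing a policy this way makes the inheritance visible: in the sample, /usr/bin/cu is still covered by the PASSWD tag set two commands earlier, and the `(root)` Runas_Spec carries over to /usr/bin/lprm even though that command sits on a continuation line.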
Wildcards

sudo allows shell-style wildcards (aka meta or glob characters) to be
used in host names, path names and command line arguments in the sudoers
file. Wildcard matching is done via the POSIX glob(3) and fnmatch(3)
routines. Note that these are not regular expressions.

    *        Matches any set of zero or more characters.

    ?        Matches any single character.

    [...]    Matches any character in the specified range.

    [!...]   Matches any character not in the specified range.

    \x       For any character `x', evaluates to `x'. This is used to
             escape special characters such as: `*', `?', `[', and `]'.

POSIX character classes may also be used if your system's glob(3) and
fnmatch(3) functions support them. However, because the `:' character
has special meaning in sudoers, it must be escaped. For example:

    /bin/ls [[\:alpha\:]]*

Would match any file name beginning with a letter.

Note that a forward slash (`/') will not be matched by wildcards used in
the path name. This is to make a path like:

match /usr/bin/who but not /usr/bin/X11/xterm.

When matching the command line arguments, however, a slash does get
matched by wildcards since command line arguments may contain arbitrary
strings and not just path names.

Wildcards in command line arguments should be used with care. Because
command line arguments are matched as a single, concatenated string, a
wildcard such as `?' or `*' can match multiple words. For example, while
a sudoers entry like:

    %operator ALL = /bin/cat /var/log/messages*

will allow a command like:

    $ sudo cat /var/log/messages.1

    $ sudo cat /var/log/messages /etc/shadow

which is probably not what was intended.
Exceptions to wildcard rules

The following exceptions apply to the above rules:

    ""        If the empty string "" is the only command line argument in the
              sudoers entry it means that command is not allowed to be run
              with any arguments.

    sudoedit  Command line arguments to the sudoedit built-in command should
              always be path names, so a forward slash (`/') will not be
              matched by a wildcard.
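As an added example, not sudo's own glob(3)/fnmatch(3) based code, the Python below implements the rules of the two sections above: the slash rule for path names, concatenated-string matching for arguments, and the "" exception. It also includes a check that flags argument patterns able to match more words than the author wrote, which is the /var/log/messages* pitfall. POSIX character classes, sudoedit and aliases are not modelled; the sample patterns are the man page's own.

```python
"""Command and argument matching with the wildcard rules from the text:
in the path name part `*' and `?' never match `/', in the command line
arguments they do (arguments are matched as one concatenated string),
and an argument pattern of "" allows no arguments at all.

Added example, not sudo's matcher. POSIX classes such as [[\:alpha\:]],
sudoedit, aliases and negation are not modelled.
"""
import re


def glob_to_regex(pattern, slash_ok):
    """Translate a glob (`*', `?', `[...]', `[!...]', `\\x') into a regex."""
    any_char = "." if slash_ok else "[^/]"
    out, i = [], 0
    while i < len(pattern):
        c = pattern[i]
        if c == "\\" and i + 1 < len(pattern):       # \x evaluates to x
            out.append(re.escape(pattern[i + 1]))
            i += 2
            continue
        if c == "*":
            out.append(any_char + "*")
        elif c == "?":
            out.append(any_char)
        elif c == "[" and pattern.find("]", i + 1) != -1:
            j = pattern.find("]", i + 1)
            body = pattern[i + 1:j]
            if body.startswith("!"):                  # [!...] negates the range
                body = "^" + body[1:]
            out.append("[" + body.replace("\\", "\\\\") + "]")
            i = j + 1
            continue
        else:
            out.append(re.escape(c))
        i += 1
    return "^" + "".join(out) + "$"


def glob_match(pattern, text, slash_ok):
    return re.match(glob_to_regex(pattern, slash_ok), text) is not None


def match_cmnd(cmnd_pattern, path, args):
    """Does a sudoers Cmnd match the executable `path' run with `args'?"""
    parts = cmnd_pattern.split(None, 1)
    path_pattern = parts[0]
    arg_pattern = parts[1].strip() if len(parts) > 1 else None
    if not glob_match(path_pattern, path, slash_ok=False):
        return False
    if arg_pattern is None:            # no arguments listed: any arguments allowed
        return True
    if arg_pattern == '""':            # "": the command may not take arguments
        return not args
    return glob_match(arg_pattern, " ".join(args), slash_ok=True)


def arg_wildcard_spans_words(cmnd_pattern):
    """True when the argument part contains an unescaped `*' or `?', i.e.
    the entry can match more words than the author wrote (the
    /var/log/messages* pitfall from the text)."""
    parts = cmnd_pattern.split(None, 1)
    if len(parts) < 2:
        return False
    return re.search(r"(?<!\\)[*?]", parts[1]) is not None


if __name__ == "__main__":
    print(match_cmnd("/usr/bin/*", "/usr/bin/who", []))                     # True
    print(match_cmnd("/usr/bin/*", "/usr/bin/X11/xterm", []))               # False
    print(match_cmnd("/bin/cat /var/log/messages*", "/bin/cat",
                     ["/var/log/messages", "/etc/shadow"]))                  # True: the pitfall
    print(arg_wildcard_spans_words("/bin/cat /var/log/messages*"))           # True
```

Running `arg_wildcard_spans_words` over every Cmnd in a policy is a cheap review step: any entry it flags deserves a look at whether the wildcard was meant to span several arguments.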
Including other files from within sudoers

It is possible to include other sudoers files from within the sudoers
file currently being parsed using the #include and #includedir

This can be used, for example, to keep a site-wide sudoers file in
addition to a local, per-machine file. For the sake of this example the
site-wide sudoers will be /etc/sudoers and the per-machine one will be
/etc/sudoers.local. To include /etc/sudoers.local from within
/etc/sudoers we would use the following line in /etc/sudoers:

    #include /etc/sudoers.local

When sudo reaches this line it will suspend processing of the current
file (/etc/sudoers) and switch to /etc/sudoers.local. Upon reaching the
end of /etc/sudoers.local, the rest of /etc/sudoers will be processed.
Files that are included may themselves include other files. A hard limit
of 128 nested include files is enforced to prevent include file loops.

If the path to the include file is not fully-qualified (does not begin
with a `/'), it must be located in the same directory as the sudoers file
it was included from. For example, if /etc/sudoers contains the line:

    #include sudoers.local

the file that will be included is /etc/sudoers.local.

The file name may also include the %h escape, signifying the short form
of the host name. In other words, if the machine's host name is
"xerxes", then

    #include /etc/sudoers.%h

will cause sudo to include the file /etc/sudoers.xerxes.

The #includedir directive can be used to create a sudo.d directory that
the system package manager can drop sudoers rules into as part of package
installation. For example, given:

    #includedir /etc/sudoers.d

sudo will read each file in /etc/sudoers.d, skipping file names that end
in `~' or contain a `.' character to avoid causing problems with package
manager or editor temporary/backup files. Files are parsed in sorted
lexical order. That is, /etc/sudoers.d/01_first will be parsed before
/etc/sudoers.d/10_second. Be aware that because the sorting is lexical,
not numeric, /etc/sudoers.d/1_whoops would be loaded after
/etc/sudoers.d/10_second. Using a consistent number of leading zeroes in
the file names can be used to avoid such problems.

Note that unlike files included via #include, visudo will not edit the
files in a #includedir directory unless one of them contains a syntax
error. It is still possible to run visudo with the -f flag to edit the
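The Python below is an added illustration, not sudo's implementation, of the include resolution rules in this section: relative paths anchored at the including file's directory, %h expansion, the #includedir name filter and lexical ordering, and the 128-level nesting limit that stops an include loop. File contents, the host name and the directory listing are constructed inputs passed in as dicts, so the program runs without reading anything under /etc.

```python
"""Resolve #include and #includedir directives the way the text describes:
relative paths are taken from the including file's directory, %h expands
to the short host name, #includedir skips names ending in `~' or
containing `.' and parses the rest in lexical order, and nesting is
capped at 128 files.

Added example, not sudo's parser. File contents and directory listings
are passed in as dicts, so nothing under /etc is read.
"""
import posixpath

MAX_INCLUDE_DEPTH = 128     # hard limit stated in the text


def includedir_order(names):
    """File names sudo would parse from a #includedir, in parse order."""
    return sorted(n for n in names if not n.endswith("~") and "." not in n)


def resolve_include(argument, including_file, hostname):
    """Expand %h and anchor a relative path at the including file's directory."""
    path = argument.replace("%h", hostname.split(".")[0])
    if not path.startswith("/"):
        path = posixpath.join(posixpath.dirname(including_file), path)
    return path


def load_order(files, start, hostname, listings=None):
    """Order in which files are parsed, starting from `start'.

    files:    path -> list of lines
    listings: directory -> list of file names (for #includedir)
    Raises RuntimeError when nesting exceeds MAX_INCLUDE_DEPTH, which is
    how an include loop (a file including itself) is stopped."""
    listings = listings or {}
    order = []

    def visit(path, depth):
        if depth > MAX_INCLUDE_DEPTH:
            raise RuntimeError("include nesting deeper than %d at %s"
                               % (MAX_INCLUDE_DEPTH, path))
        order.append(path)
        for line in files.get(path, []):
            words = line.split(None, 1)
            if len(words) != 2:
                continue
            if words[0] == "#includedir":
                directory = resolve_include(words[1].strip(), path, hostname)
                for name in includedir_order(listings.get(directory, [])):
                    visit(posixpath.join(directory, name), depth + 1)
            elif words[0] == "#include":
                visit(resolve_include(words[1].strip(), path, hostname), depth + 1)

    visit(start, 0)
    return order


# Constructed sample layout (not from the man page).
FILES = {
    "/etc/sudoers": [
        "Defaults env_reset",
        "#include sudoers.local",        # relative: same directory as /etc/sudoers
        "#include /etc/sudoers.%h",      # %h -> short host name
        "#includedir /etc/sudoers.d",
    ],
    "/etc/sudoers.local": ["# per-machine rules"],
    "/etc/sudoers.xerxes": [],
}
LISTINGS = {"/etc/sudoers.d": ["10_second", "1_whoops", "01_first", "README.txt", "01_first~"]}

if __name__ == "__main__":
    for p in load_order(FILES, "/etc/sudoers", "xerxes.example.com", LISTINGS):
        print(p)
```

The listing shows the ordering trap in action: 1_whoops is parsed after 10_second, and README.txt and the editor backup 01_first~ are never read at all, so rules placed in such files silently do nothing.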
Other special characters and reserved words

The pound sign (`#') is used to indicate a comment (unless it is part of
a #include directive or unless it occurs in the context of a user name
and is followed by one or more digits, in which case it is treated as a
uid). Both the comment character and any text after it, up to the end of
the line, are ignored.

The reserved word ALL is a built-in alias that always causes a match to
succeed. It can be used wherever one might otherwise use a Cmnd_Alias,
User_Alias, Runas_Alias, or Host_Alias. You should not try to define
your own alias called ALL as the built-in alias will be used in
preference to your own. Please note that using ALL can be dangerous
since in a command context, it allows the user to run any command on the

An exclamation point (`!') can be used as a logical not operator both in
an alias and in front of a Cmnd. This allows one to exclude certain
values. Note, however, that using a `!' in conjunction with the built-in
ALL alias to allow a user to run ``all but a few'' commands rarely works
as intended (see SECURITY NOTES below).

Long lines can be continued with a backslash (`\') as the last character
on the line.

White space between elements in a list as well as special syntactic
characters in a User Specification (`=', `:', `(', `)') is optional.

The following characters must be escaped with a backslash (`\') when used
as part of a word (e.g. a user name or host name): `!', `=', `:', `,',
SUDOERS OPTIONS

sudo's behavior can be modified by Default_Entry lines, as explained
earlier. A list of all supported Defaults parameters, grouped by type,

Boolean Flags:

    always_set_home   If enabled, sudo will set the HOME environment variable
                      to the home directory of the target user (which is root
                      unless the -u option is used). This effectively means
                      that the -H option is always implied. Note that HOME

                      added to, deleted from, or disabled by using the =, +=,
                      -=, and ! operators respectively. The default list of
                      variables to keep is displayed when sudo is run by root
                      with the -V option.
sudoers can log events using either syslog(3) or a simple log file. In
each case the log format is almost identical.

Accepted command log entries

Commands that sudo runs are logged using the following format (split into
multiple lines for readability):

    date hostname progname: username : TTY=ttyname ; PWD=cwd ; \
        USER=runasuser ; GROUP=runasgroup ; TSID=logid ; \
        ENV=env_vars COMMAND=command

Where the fields are as follows:

    date        The date the command was run. Typically, this is in the
                format ``MMM, DD, HH:MM:SS''. If logging via syslog(3),
                the actual date format is controlled by the syslog daemon.
                If logging to a file and the log_year option is enabled,
                the date will also include the year.

    hostname    The name of the host sudo was run on. This field is only
                present when logging via syslog(3).

    progname    The name of the program, usually sudo or sudoedit. This
                field is only present when logging via syslog(3).

    username    The login name of the user who ran sudo.

    ttyname     The short name of the terminal (e.g. ``console'',
                ``tty01'', or ``pts/0'') sudo was run on, or ``unknown'' if
                there was no terminal present.

    cwd         The current working directory that sudo was run in.

    runasuser   The user the command was run as.

    runasgroup  The group the command was run as if one was specified on

    logid       An I/O log identifier that can be used to replay the
                command's output. This is only present when the log_input
                or log_output option is enabled.

    env_vars    A list of environment variables specified on the command

    command     The actual command that was executed.

Messages are logged using the locale specified by sudoers_locale, which
defaults to the ``C'' locale.

Denied command log entries

If the user is not allowed to run the command, the reason for the denial
will follow the user name. Possible reasons include:

        The user is not listed in the sudoers file.

    user NOT authorized on host
        The user is listed in the sudoers file but is not allowed to run
        commands on the host.

        The user is listed in the sudoers file for the host but they are not
        allowed to run the specified command.

    3 incorrect password attempts
        The user failed to enter their password after 3 tries. The actual
        number of tries will vary based on the number of failed attempts and
        the value of the passwd_tries option.

    a password is required
        sudo's -n option was specified but a password was required.

    sorry, you are not allowed to set the following environment variables
        The user specified environment variables on the command line that were
        not allowed by sudoers.
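The Python below is an added example, not shipped with sudo, that parses syslog lines in the accepted and denied formats above into their fields and separates denied entries by the reason that follows the user name. It also picks out accepted entries that carry an ENV= field, since the SETENV discussion above says command-line environment variables bypass env_check, env_delete and env_keep and should be limited to trusted users. The log lines are constructed for the example (users and hosts are borrowed from the man page's entries); the syslog timestamp is assumed to be the default "MMM DD HH:MM:SS" form, and PWD/COMMAND values are assumed not to contain " ; ".

```python
"""Parse sudoers syslog entries into fields and separate accepted from
denied commands, using the accepted-entry layout and the denial reasons
listed above.

Added example, not part of sudo. The sample lines are constructed; the
date regex assumes the default syslog timestamp ("MMM DD HH:MM:SS"), and
PWD/COMMAND values are assumed not to contain " ; ".
"""
import re

_SYSLOG = re.compile(
    r"^(?P<date>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d)\s+(?P<hostname>\S+)\s+"
    r"(?P<progname>[\w.-]+)(?:\[\d+\])?:\s*(?P<rest>.*)$")
_FIELD = re.compile(r"^([A-Z_]+)=(.*)$", re.S)
_KEYS = {"TTY": "ttyname", "PWD": "cwd", "USER": "runasuser", "GROUP": "runasgroup",
         "TSID": "logid", "ENV": "env_vars", "COMMAND": "command"}


def parse_entry(line):
    """Return a dict of the fields in one log line, or None if it is not one."""
    m = _SYSLOG.match(line)
    if not m:
        return None
    entry = {"date": m.group("date"), "hostname": m.group("hostname"),
             "progname": m.group("progname"), "reason": None}
    username, sep, tail = m.group("rest").partition(" : ")
    if not sep:
        return None
    entry["username"] = username.strip()
    for field in tail.split(" ; "):
        f = _FIELD.match(field.strip())
        if not f:                       # free text after the user name: a denial reason
            entry["reason"] = field.strip()
            continue
        key, value = f.groups()
        if key == "ENV" and " COMMAND=" in value:   # ENV and COMMAND share one field
            env_vars, command = value.split(" COMMAND=", 1)
            entry["env_vars"], entry["command"] = env_vars, command
        else:
            entry[_KEYS.get(key, key.lower())] = value
    return entry


def parse_log(text):
    entries = (parse_entry(l) for l in text.splitlines())
    return [e for e in entries if e]


def denied(entries):
    """Entries where a denial reason followed the user name."""
    return [e for e in entries if e["reason"]]


def with_env_override(entries):
    """Accepted entries where the user set environment variables on the
    command line (only possible under SETENV / the setenv option)."""
    return [e for e in entries if not e["reason"] and e.get("env_vars")]


# Constructed sample log (users and hosts borrowed from the man page examples).
SAMPLE_LOG = """\
Mar  4 10:15:22 boulder sudo:      dgb : TTY=pts/1 ; PWD=/home/dgb ; USER=operator ; GROUP=operator ; COMMAND=/bin/ls
Mar  4 10:16:01 boulder sudo:      tcm : TTY=pts/2 ; PWD=/home/tcm ; USER=tcm ; GROUP=dialer ; TSID=000001 ; COMMAND=/usr/bin/cu
Mar  4 10:17:45 boulder sudo:     alan : TTY=pts/3 ; PWD=/home/alan ; USER=root ; ENV=PAGER=less COMMAND=/bin/sh
Mar  4 10:18:09 rushmore sudo:     ray : user NOT authorized on host ; TTY=pts/0 ; PWD=/home/ray ; USER=root ; COMMAND=/bin/kill 1
Mar  4 10:19:30 boulder sudo:     mallory : 3 incorrect password attempts ; TTY=pts/4 ; PWD=/home/mallory ; USER=root ; COMMAND=/bin/sh
Mar  4 10:20:02 boulder sudo:     eve : a password is required ; TTY=unknown ; PWD=/ ; USER=root ; COMMAND=/usr/bin/id
"""

if __name__ == "__main__":
    entries = parse_log(SAMPLE_LOG)
    for e in denied(entries):
        print("DENIED", e["hostname"], e["username"], e["reason"], e["command"])
    for e in with_env_override(entries):
        print("ENV SET", e["hostname"], e["username"], e["env_vars"], e["command"])
```

The parser keys on the " : " after the user name and on the " ; " field separators rather than on fixed column positions, so it copes with the variable padding syslog puts after the program name and with the optional GROUP, TSID and ENV fields.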
Error log entries

If an error occurs, sudoers will log a message and, in most cases, send a
message to the administrator via email. Possible errors include:

    parse error in /etc/sudoers near line N
        sudoers encountered an error when parsing the specified file. In some
        cases, the actual error may be one line above or below the line number
        listed, depending on the type of error.

    problem with defaults entries
        The sudoers file contains one or more unknown Defaults settings. This
        does not prevent sudo from running, but the sudoers file should be
        checked using visudo.

    timestamp owner (username): No such user
        The time stamp directory owner, as specified by the timestampowner
        setting, could not be found in the password database.

    unable to open/read /etc/sudoers
        The sudoers file could not be opened for reading. This can happen
        when the sudoers file is located on a remote file system that maps
        user ID 0 to a different value. Normally, sudoers tries to open
        sudoers using group permissions to avoid this problem. Consider
        changing the ownership of /etc/sudoers by adding an option like
        ``sudoers_uid=N'' (where `N' is the user ID that owns the sudoers
        file) to the sudoers plugin line in the /etc/sudo.conf file.

    unable to stat /etc/sudoers
        The /etc/sudoers file is missing.

    /etc/sudoers is not a regular file
        The /etc/sudoers file exists but is not a regular file or symbolic

    /etc/sudoers is owned by uid N, should be 0
        The sudoers file has the wrong owner. If you wish to change the
        sudoers file owner, please add ``sudoers_uid=N'' (where `N' is the
        user ID that owns the sudoers file) to the sudoers plugin line in the
        /etc/sudo.conf file.

    /etc/sudoers is world writable
        The permissions on the sudoers file allow all users to write to it.
        The sudoers file must not be world-writable; the default file mode is
        0440 (readable by owner and group, writable by none). The default
        mode may be changed via the ``sudoers_mode'' option to the sudoers
        plugin line in the /etc/sudo.conf file.

    /etc/sudoers is owned by gid N, should be 1
        The sudoers file has the wrong group ownership. If you wish to change
        the sudoers file group ownership, please add ``sudoers_gid=N'' (where
1577
`N' is the group ID that owns the _s_u_d_o_e_r_s file) to the ssuuddooeerrss plugin
1578
line in the _/_e_t_c_/_s_u_d_o_._c_o_n_f file.
1580
unable to open /var/adm/sudo/username/ttyname
1581
_s_u_d_o_e_r_s was unable to read or create the user's time stamp file.
1583
unable to write to /var/adm/sudo/username/ttyname
1584
_s_u_d_o_e_r_s was unable to write to the user's time stamp file.
1586
unable to mkdir to /var/adm/sudo/username
1587
_s_u_d_o_e_r_s was unable to create the user's time stamp directory.
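The ownership and mode errors listed above can be checked before sudoers refuses the file. The following is an added example, not code from the sudo project: check_sudoers_file reproduces those checks in Python against the default uid 0, gid 1 and mode 0440, and check_temp_copy (both names are this example's own) exercises them on a throwaway temporary file rather than /etc/sudoers.

```python
import os
import stat
import tempfile


def check_sudoers_file(path, expected_uid=0, expected_gid=1, expected_mode=0o440):
    """Return the problems sudoers would report for `path`, phrased like the
    error log entries above; an empty list means the file passes."""
    try:
        st = os.stat(path)   # follows symlinks: a symlink to a regular file is acceptable
    except FileNotFoundError:
        return [f"unable to stat {path}"]
    if not stat.S_ISREG(st.st_mode):
        return [f"{path} is not a regular file"]
    problems = []
    if st.st_uid != expected_uid:
        problems.append(f"{path} is owned by uid {st.st_uid}, should be {expected_uid}")
    if st.st_gid != expected_gid:
        problems.append(f"{path} is owned by gid {st.st_gid}, should be {expected_gid}")
    mode = stat.S_IMODE(st.st_mode)
    if mode & stat.S_IWOTH:
        problems.append(f"{path} is world writable")
    elif mode & ~expected_mode:
        # Stricter than the manual's world-writable check (an addition here): any
        # permission bit beyond the expected mode, e.g. group write, is reported too.
        problems.append(f"{path} is mode {mode:04o}, should be {expected_mode:04o}")
    return problems


def check_temp_copy(mode):
    """Exercise the check on a throwaway file with the given mode, using the file's
    own uid/gid as the expectation so that only the mode bits are under test."""
    fd, path = tempfile.mkstemp(prefix="sudoers-audit-")
    try:
        os.write(fd, b"# constructed sample, not a real policy\n")
        os.close(fd)
        os.chmod(path, mode)
        st = os.stat(path)
        return check_sudoers_file(path, st.st_uid, st.st_gid, 0o440)
    finally:
        os.unlink(path)
```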
Notes on logging via syslog
By default, sudoers logs messages via syslog(3). The date, hostname, and
progname fields are added by the syslog daemon, not sudoers itself. As
such, they may vary in format on different systems.

On most systems, syslog(3) has a relatively small log buffer. To prevent
the command line arguments from being truncated, sudoers will split up
log messages that are larger than 960 characters (not including the date,
hostname, and the string ``sudo''). When a message is split, additional
parts will include the string ``(command continued)'' after the user name
and before the continued command line arguments.
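As an added example (not part of the sudoers manual or the sudo project), the following Python parses syslog-format sudoers entries, re-attaches the ``(command continued)'' parts of split messages to the entry they belong to, and classifies the denial reasons listed above. The sample lines are constructed; the shape of the syslog prefix (date, host, ``sudo:'') is an assumption, since the daemon supplies it, and the two reasons whose message headers are missing from this excerpt are filled from sudo's own strings, as noted in the code.

```python
import re
from dataclasses import dataclass, field

# The syslog daemon supplies the date/hostname/progname prefix, so only its rough
# shape is assumed here: "<date> <host> sudo[<pid>]: <user> : <payload>".
_SYSLOG_RE = re.compile(r"^(?P<date>.*?)\s+(?P<host>\S+)\s+sudo(?:\[\d+\])?:\s+(?P<rest>.*)$")
_CONTINUED = "(command continued) "

# Denial reasons named in the manual, keyed to a short code.  "user NOT in sudoers"
# and "command not allowed" are sudo's strings for the two reasons whose message
# headers are missing from this excerpt (an assumption, not taken from the page).
DENIAL_CODES = (
    (re.compile(r"^user NOT in sudoers$"), "not_in_sudoers"),
    (re.compile(r"^user NOT authorized on host$"), "not_authorized_on_host"),
    (re.compile(r"^command not allowed$"), "command_not_allowed"),
    (re.compile(r"^\d+ incorrect password attempts$"), "password_failures"),
    (re.compile(r"^a password is required$"), "password_required"),
    (re.compile(r"^sorry, you are not allowed to set the following environment variables"),
     "env_vars_rejected"),
)

@dataclass
class SudoEntry:
    host: str
    user: str
    reason: "str | None"                        # None when the command was permitted
    fields: dict = field(default_factory=dict)  # TTY, PWD, USER, TSID (logid), COMMAND, ...

    @property
    def command(self):
        return self.fields.get("COMMAND", "")

    @property
    def denied(self):
        return self.reason is not None

def classify_denial(reason):
    for pattern, code in DENIAL_CODES:
        if pattern.match(reason):
            return code
    return "unknown"

def _parse_payload(payload):
    """Split 'reason ; TTY=.. ; PWD=.. ; USER=.. ; COMMAND=..' into (fields, reason).
    COMMAND= is taken whole because its arguments may themselves contain ' ; '."""
    head, sep, command = payload.partition("COMMAND=")
    fields, reason_parts = {}, []
    for part in head.split(" ; "):
        part = part.strip()
        if not part:
            continue
        key, eq, value = part.partition("=")
        if eq and key.isupper():
            fields[key] = value
        else:
            reason_parts.append(part)   # text before the KEY=value fields is the denial reason
    if sep:
        fields["COMMAND"] = command
    return fields, (" ; ".join(reason_parts) or None)

def parse_sudo_syslog(lines):
    entries = []
    for line in lines:
        m = _SYSLOG_RE.match(line)
        if not m:
            continue
        host, rest = m.group("host"), m.group("rest")
        user, sep, payload = rest.partition(" : ")
        if not sep:
            continue
        if payload.startswith(_CONTINUED):
            # Split message: append the remaining arguments to the most recent
            # entry for the same host and user instead of creating a new one.
            for entry in reversed(entries):
                if entry.host == host and entry.user == user:
                    entry.fields["COMMAND"] = entry.command + " " + payload[len(_CONTINUED):]
                    break
            continue
        fields, reason = _parse_payload(payload)
        entries.append(SudoEntry(host, user, reason, fields))
    return entries

def denied_entries(entries):
    return [e for e in entries if e.denied]

# Constructed sample lines (not real logs); the last command is split over two messages.
SAMPLE_LINES = """\
Jan  3 10:15:01 www sudo: millert : TTY=pts/0 ; PWD=/home/millert ; USER=root ; TSID=000001 ; COMMAND=/usr/bin/id
Jan  3 10:16:42 www sudo: crawl : 3 incorrect password attempts ; TTY=pts/1 ; PWD=/home/crawl ; USER=root ; COMMAND=/usr/bin/sh
Jan  3 10:17:03 www sudo: jen : user NOT authorized on host ; TTY=pts/2 ; PWD=/home/jen ; USER=root ; COMMAND=/usr/bin/ls
Jan  3 10:18:30 www sudo: will : a password is required ; TTY=pts/3 ; PWD=/home/will ; USER=www ; COMMAND=/usr/bin/true
Jan  3 10:19:11 www sudo: dowdy : TTY=pts/4 ; PWD=/tmp ; USER=root ; COMMAND=/usr/bin/find / -name core
Jan  3 10:19:11 www sudo: dowdy : (command continued) -exec /usr/bin/rm {} +
""".splitlines()
```

Log files written via the logfile option lack the hostname and progname fields and are word-wrapped, so they need a different prefix pattern than the one assumed here.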
Notes on logging to a file
If the logfile option is set, sudoers will log to a local file, such as
/var/log/sudo. When logging to a file, sudoers uses a format similar to
syslog(3), with a few important differences:

1. The progname and hostname fields are not present.

2. If the log_year option is enabled, the date will also include the

3. Lines that are longer than loglinelen characters (80 by default) are
   word-wrapped and continued on the next line with a four character
   indent. This makes entries easier to read for a human being, but
   makes it more difficult to use grep(1) on the log files. If the
   loglinelen option is set to 0 (or negated with a `!'), word wrap
SUDO.CONF
The /etc/sudo.conf file determines which plugins the sudo front end
will load. If no /etc/sudo.conf file is present, or it contains no
Plugin lines, sudo will use the sudoers security policy and I/O
logging, which corresponds to the following /etc/sudo.conf file.

    # Default /etc/sudo.conf file
    #   Plugin plugin_name plugin_path plugin_options ...
    #   Path askpass /path/to/askpass
    #   Path noexec /path/to/sudo_noexec.so
    #   Debug sudo /var/log/sudo_debug all@warn
    #   Set disable_coredump true
    # The plugin_path is relative to /usr/local/libexec unless
    # The plugin_name corresponds to a global symbol in the plugin
    #   that contains the plugin interface structure.
    # The plugin_options are optional.
    Plugin policy_plugin sudoers.so
    Plugin io_plugin sudoers.so

PLUGIN OPTIONS
Starting with sudo 1.8.5 it is possible to pass options to the sudoers
plugin. Options may be listed after the path to the plugin (i.e. after
sudoers.so); multiple options should be space-separated. For example:

    Plugin sudoers_policy sudoers.so sudoers_file=/etc/sudoers sudoers_uid=0 sudoers_gid=0 sudoers_mode=0440

The following plugin options are supported:

sudoers_file=pathname
    The sudoers_file option can be used to override the default
    path to the sudoers file.

    The sudoers_uid option can be used to override the default
    owner of the sudoers file. It should be specified as a

    The sudoers_gid option can be used to override the default
    group of the sudoers file. It should be specified as a

    The sudoers_mode option can be used to override the default
    file mode for the sudoers file. It should be specified as an

DEBUG FLAGS
Versions 1.8.4 and higher of the sudoers plugin support a debugging
framework that can help track down what the plugin is doing internally
if there is a problem. This can be configured in the /etc/sudo.conf
file as described in sudo(1m).

The sudoers plugin uses the same debug flag format as sudo itself:
subsystem@priority.

The priorities used by sudoers, in order of decreasing severity, are:
crit, err, warn, notice, diag, info, trace and debug. Each priority,
when specified, also includes all priorities higher than it. For
example, a priority of notice would include debug messages logged at
notice and higher.

The following subsystems are used by sudoers:

alias      User_Alias, Runas_Alias, Host_Alias and Cmnd_Alias processing
all        matches every subsystem
audit      BSM and Linux audit code
auth       user authentication
defaults   sudoers Defaults settings
env        environment handling
ldap       LDAP-based sudoers
logging    logging support
match      matching of users, groups, hosts and netgroups in sudoers
netif      network interface handling
nss        network service switch handling in sudoers
parser     sudoers file parsing
perms      permission setting
plugin     the equivalent of main for the plugin
pty        pseudo-tty related code
rbtree     red-black tree internals
util       utility functions
FILES
/etc/sudo.conf       Sudo front end configuration
/etc/sudoers         List of who can run what
/etc/group           Local groups file
/etc/netgroup        List of network groups
/var/log/sudo-io     I/O log files
/var/adm/sudo        Directory containing time stamps for the
                     sudoers security policy
/etc/environment     Initial environment for -i mode on AIX and
EXAMPLES
Below are example sudoers entries. Admittedly, some of these are a bit
contrived. First, we allow a few environment variables to pass and
then define our aliases:

    # Run X applications through sudo; HOME is used to find the
    # .Xauthority file. Note that other programs use HOME to find
    # configuration files and this may lead to privilege escalation!
    Defaults env_keep += "DISPLAY HOME"

    # User alias specification
    User_Alias FULLTIMERS = millert, mikef, dowdy
    User_Alias PARTTIMERS = bostley, jwfox, crawl
    User_Alias WEBMASTERS = will, wendy, wim

    # Runas alias specification
    Runas_Alias OP = root, operator
    Runas_Alias DB = oracle, sybase
    Runas_Alias ADMINGRP = adm, oper

    # Host alias specification
    Host_Alias SPARC = bigtime, eclipse, moet, anchor :\
               SGI = grolsch, dandelion, black :\
               ALPHA = widget, thalamus, foobar :\
               HPPA = boa, nag, python
    Host_Alias CUNETS = 128.138.0.0/255.255.0.0
    Host_Alias CSNETS = 128.138.243.0, 128.138.204.0/24, 128.138.242.0
    Host_Alias SERVERS = master, mail, www, ns
    Host_Alias CDROM = orion, perseus, hercules

    # Cmnd alias specification
    Cmnd_Alias DUMPS = /usr/bin/mt, /usr/sbin/dump, /usr/sbin/rdump,\
                       /usr/sbin/restore, /usr/sbin/rrestore
    Cmnd_Alias KILL = /usr/bin/kill
    Cmnd_Alias PRINTING = /usr/sbin/lpc, /usr/bin/lprm
    Cmnd_Alias SHUTDOWN = /usr/sbin/shutdown
    Cmnd_Alias HALT = /usr/sbin/halt
    Cmnd_Alias REBOOT = /usr/sbin/reboot
    Cmnd_Alias SHELLS = /usr/bin/sh, /usr/bin/csh, /usr/bin/ksh, \
                        /usr/local/bin/tcsh, /usr/bin/rsh
    Cmnd_Alias SU = /usr/bin/su
    Cmnd_Alias PAGERS = /usr/bin/more, /usr/bin/pg, /usr/bin/less

Here we override some of the compiled-in default values. We want sudo
to log via syslog(3) using the auth facility in all cases. We don't
want to subject the full time staff to the sudo lecture, user millert
need not give a password, and we don't want to reset the LOGNAME, USER
or USERNAME environment variables when running commands as root.
Additionally, on the machines in the SERVERS Host_Alias, we keep an
additional local log file and make sure we log the year in each log
line since the log entries will be kept around for several years.
Lastly, we disable shell escapes for the commands in the PAGERS
Cmnd_Alias (/usr/bin/more, /usr/bin/pg and /usr/bin/less).

    # Override built-in defaults
    Defaults syslog=auth
    Defaults>root !set_logname
    Defaults:FULLTIMERS !lecture
    Defaults:millert !authenticate
    Defaults@SERVERS log_year, logfile=/var/log/sudo.log
    Defaults!PAGERS noexec

The User specification is the part that actually determines who may run

    root ALL = (ALL) ALL
    %wheel ALL = (ALL) ALL

We let root and any user in group wheel run any command on any host as

    FULLTIMERS ALL = NOPASSWD: ALL

Full time sysadmins (millert, mikef, and dowdy) may run any command on
any host without authenticating themselves.

    PARTTIMERS ALL = ALL

Part time sysadmins (bostley, jwfox, and crawl) may run any command on
any host but they must authenticate themselves first (since the entry
lacks the NOPASSWD tag).

The user jack may run any command on the machines in the CSNETS alias
(the networks 128.138.243.0, 128.138.204.0, and 128.138.242.0). Of
those networks, only 128.138.204.0 has an explicit netmask (in CIDR
notation) indicating it is a class C network. For the other networks
in CSNETS, the local machine's netmask will be used during matching.

The user lisa may run any command on any host in the CUNETS alias (the
class B network 128.138.0.0).

    operator ALL = DUMPS, KILL, SHUTDOWN, HALT, REBOOT, PRINTING,\
                   sudoedit /etc/printcap, /usr/oper/bin/

The operator user may run commands limited to simple maintenance.
Here, those are commands related to backups, killing processes, the
printing system, shutting down the system, and any commands in the
directory /usr/oper/bin/.

    joe ALL = /usr/bin/su operator

The user joe may only su(1) to operator.

    pete HPPA = /usr/bin/passwd [A-Za-z]*, !/usr/bin/passwd root

    %opers ALL = (: ADMINGRP) /usr/sbin/

Users in the opers group may run commands in /usr/sbin/ as themselves
with any group in the ADMINGRP Runas_Alias (the adm and oper groups).

The user pete is allowed to change anyone's password except for root on
the HPPA machines. Note that this assumes passwd(1) does not take
multiple user names on the command line.

    bob SPARC = (OP) ALL : SGI = (OP) ALL

The user bob may run anything on the SPARC and SGI machines as any user
listed in the OP Runas_Alias (root and operator).

The user jim may run any command on machines in the biglab netgroup.
sudo knows that "biglab" is a netgroup due to the '+' prefix.

    +secretaries ALL = PRINTING, /usr/bin/adduser, /usr/bin/rmuser

Users in the secretaries netgroup need to help manage the printers as
well as add and remove users, so they are allowed to run those commands

    fred ALL = (DB) NOPASSWD: ALL

The user fred can run commands as any user in the DB Runas_Alias
(oracle or sybase) without giving a password.

    john ALPHA = /usr/bin/su [!-]*, !/usr/bin/su *root*

On the ALPHA machines, user john may su to anyone except root but he is
not allowed to specify any options to the su(1) command.

    jen ALL, !SERVERS = ALL

The user jen may run any command on any machine except for those in the
SERVERS Host_Alias (master, mail, www and ns).

    jill SERVERS = /usr/bin/, !SU, !SHELLS

For any machine in the SERVERS Host_Alias, jill may run any commands in
the directory /usr/bin/ except for those commands belonging to the SU
and SHELLS Cmnd_Aliases.

    steve CSNETS = (operator) /usr/local/op_commands/

The user steve may run any command in the directory
/usr/local/op_commands/ but only as user operator.

    matt valkyrie = KILL

On his personal workstation, valkyrie, matt needs to be able to kill

    WEBMASTERS www = (www) ALL, (root) /usr/bin/su www

On the host www, any user in the WEBMASTERS User_Alias (will, wendy,
and wim) may run any command as user www (which owns the web pages) or
simply su(1) to www.

    ALL CDROM = NOPASSWD: /sbin/umount /CDROM,\
                /sbin/mount -o nosuid\,nodev /dev/cd0a /CDROM

Any user may mount or unmount a CD-ROM on the machines in the CDROM
Host_Alias (orion, perseus, hercules) without entering a password.
This is a bit tedious for users to type, so it is a prime candidate for
encapsulating in a shell script.
SECURITY NOTES
Limitations of the '!' operator
It is generally not effective to "subtract" commands from ALL using the
'!' operator. A user can trivially circumvent this by copying the
desired command to a different name and then executing that. For

    bill ALL = ALL, !SU, !SHELLS

Doesn't really prevent bill from running the commands listed in SU or
SHELLS since he can simply copy those commands to a different name, or
use a shell escape from an editor or other program. Therefore, these
kinds of restrictions should be considered advisory at best (and
reinforced by policy).

In general, if a user has sudo ALL there is nothing to prevent them
from creating their own program that gives them a root shell (or making
their own copy of a shell) regardless of any '!' elements in the user
Security implications of fast_glob
If the fast_glob option is in use, it is not possible to reliably
negate commands where the path name includes globbing (aka wildcard)
characters. This is because the C library's fnmatch(3) function cannot
resolve relative paths. While this is typically only an inconvenience
for rules that grant privileges, it can result in a security issue for
rules that subtract or revoke privileges.

For example, given the following sudoers entry:

    john ALL = /usr/bin/passwd [a-zA-Z0-9]*, /usr/bin/chsh [a-zA-Z0-9]*,\
               /usr/bin/chfn [a-zA-Z0-9]*, !/usr/bin/* root

User john can still run /usr/bin/passwd root if fast_glob is enabled by
changing to /usr/bin and running ./passwd root instead.
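Both weaknesses described in these security notes, subtracting from ALL with the '!' operator and negated entries that contain glob characters while fast_glob is set, can be found by a static review of the policy before it is installed. The following Python is an added example, not the sudoers parser or any sudo project code: it handles only the line continuation, Defaults and user specification forms used in this manual's examples, takes a constructed policy assembled from those examples as input, and reports each rule that matches one of the two patterns.

```python
import re
from dataclasses import dataclass

GLOB_CHARS = "*?["   # characters that make sudoers match a command with fnmatch(3)/glob(3)
_TAGS = ("NOPASSWD:", "PASSWD:", "NOEXEC:", "EXEC:", "SETENV:", "NOSETENV:")


@dataclass
class Finding:
    user: str
    rule: str
    code: str   # "all_minus_negation" or "fast_glob_negation"


def logical_lines(text):
    """Join backslash-continued lines and drop comments and blank lines."""
    lines, buf = [], ""
    for raw in text.splitlines():
        line = raw.rstrip()
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        buf, stripped = "", (buf + line).strip()
        if stripped and not stripped.startswith("#"):
            lines.append(stripped)
    return lines


def split_commands(cmnd_list):
    """Split a Cmnd_List on unescaped commas (the '\\,' of the CDROM example is kept)
    and strip a leading Runas_Spec "(...)" and any tags such as NOPASSWD:."""
    out = []
    for part in re.split(r"(?<!\\),", cmnd_list):
        part = re.sub(r"^\([^)]*\)\s*", "", part.strip())
        while any(part.startswith(t) for t in _TAGS):
            part = part.split(":", 1)[1].strip()
        if part:
            out.append(part)
    return out


def fast_glob_enabled(lines):
    """True if a plain 'Defaults' line (not Defaults:user, @host, !cmnd or >runas)
    lists fast_glob; per-scope Defaults are deliberately ignored in this audit."""
    for line in lines:
        m = re.match(r"Defaults\s+(.*)", line)
        if m and "fast_glob" in [o.strip() for o in m.group(1).split(",")]:
            return True
    return False


def audit_sudoers(text):
    lines = logical_lines(text)
    glob_on = fast_glob_enabled(lines)
    findings = []
    for line in lines:
        first = line.split()[0]
        if first.startswith("Defaults") or first.endswith("_Alias"):
            continue                       # only user specifications are audited
        user, sep, rest = line.partition(" ")
        if not sep:
            continue
        # A user specification may chain several "Host_List = Cmnd_Spec" parts with ' : '.
        for section in rest.split(" : "):
            hosts, eq, cmnd_list = section.partition("=")
            if not eq:
                continue
            cmds = split_commands(cmnd_list)
            negated = [c for c in cmds if c.startswith("!")]
            if "ALL" in cmds and negated:
                findings.append(Finding(user, line, "all_minus_negation"))
            if glob_on and any(ch in c for c in negated for ch in GLOB_CHARS):
                findings.append(Finding(user, line, "fast_glob_negation"))
    return findings


# Constructed policy built from this manual's own examples (not a real /etc/sudoers).
SAMPLE_SUDOERS = """\
Defaults fast_glob
Cmnd_Alias SU = /usr/bin/su
Cmnd_Alias SHELLS = /usr/bin/sh, /usr/bin/csh, /usr/bin/ksh
bill ALL = ALL, !SU, !SHELLS
john ALL = /usr/bin/passwd [a-zA-Z0-9]*, /usr/bin/chsh [a-zA-Z0-9]*,\\
           /usr/bin/chfn [a-zA-Z0-9]*, !/usr/bin/* root
jill SERVERS = /usr/bin/, !SU, !SHELLS
pete HPPA = /usr/bin/passwd [A-Za-z]*, !/usr/bin/passwd root
ALL CDROM = NOPASSWD: /sbin/umount /CDROM,\\
            /sbin/mount -o nosuid\\,nodev /dev/cd0a /CDROM
"""
```

Aliases are not expanded, so a negated Cmnd_Alias whose members contain glob characters is not reported; resolving aliases would be the first extension to make.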
Preventing Shell Escapes
Once sudo executes a program, that program is free to do whatever it
pleases, including running other programs. This can be a security issue
since it is not uncommon for a program to allow shell escapes, which
lets a user bypass sudo's access control and logging. Common programs
that permit shell escapes include shells (obviously), editors,
paginators, mail and terminal programs.

There are two basic approaches to this problem:

restrict   Avoid giving users access to commands that allow the user to
           run arbitrary commands. Many editors have a restricted mode
           where shell escapes are disabled, though sudoedit is a better
           solution to running editors via sudo. Due to the large
           number of programs that offer shell escapes, restricting
           users to the set of programs that do not is often unworkable.

noexec     Many systems that support shared libraries have the ability
           to override default library functions by pointing an
           environment variable (usually LD_PRELOAD) to an alternate
           shared library. On such systems, sudo's noexec functionality
           can be used to prevent a program run by sudo from executing
           any other programs. Note, however, that this applies only to
           native dynamically-linked executables. Statically-linked
           executables and foreign executables running under binary
           emulation are not affected.

           The noexec feature is known to work on SunOS, Solaris, *BSD,
           Linux, IRIX, Tru64 UNIX, MacOS X, HP-UX 11.x and AIX 5.3 and
           above. It should be supported on most operating systems that
           support the LD_PRELOAD environment variable. Check your
           operating system's manual pages for the dynamic linker
           (usually ld.so, ld.so.1, dyld, dld.sl, rld, or loader) to see
           if LD_PRELOAD is supported.

           On Solaris 10 and higher, noexec uses Solaris privileges
           instead of the LD_PRELOAD environment variable.

           To enable noexec for a command, use the NOEXEC tag as
           documented in the User Specification section above. Here is

               aaron shanty = NOEXEC: /usr/bin/more, /usr/bin/vi

           This allows user aaron to run /usr/bin/more and /usr/bin/vi
           with noexec enabled. This will prevent those two commands
           from executing other commands (such as a shell). If you are
           unsure whether or not your system is capable of supporting
           noexec you can always just try it out and check whether shell
           escapes work when noexec is enabled.

Note that restricting shell escapes is not a panacea. Programs running
as root are still capable of many potentially hazardous operations
(such as changing or overwriting files) that could lead to unintended
privilege escalation. In the specific case of an editor, a safer
approach is to give the user permission to run sudoedit.
If the fast_glob option is in use, it is not possible to reliably negate
commands where the path name includes globbing (aka wildcard) characters.
This is because the C library's fnmatch(3) function cannot resolve
relative paths. While this is typically only an inconvenience for rules
that grant privileges, it can result in a security issue for rules that
subtract or revoke privileges.

For example, given the following sudoers entry:

    john ALL = /usr/bin/passwd [a-zA-Z0-9]*, /usr/bin/chsh [a-zA-Z0-9]*,\
        /usr/bin/chfn [a-zA-Z0-9]*, !/usr/bin/* root

User john can still run /usr/bin/passwd root if fast_glob is enabled by
changing to /usr/bin and running ./passwd root instead.

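To make the fast_glob failure mode concrete, here is an added model of the two matching strategies; it is not sudo's code and simplifies command matching to paths only (arguments and tags are ignored). Non-glob paths are compared by basename and inode, as sudoers does; a glob path is either matched with fnmatch against the literal string the user typed (fast_glob) or expanded with glob(3) and compared by inode (the default). The fake commands it evaluates are constructed in a temporary directory, and the names evaluate, cmnd_matches and audit_negated_globs are chosen here. The audit pass at the end flags the rule shape this paragraph warns about: a negated entry whose path contains wildcard characters.

```python
import fnmatch
import glob
import os
import tempfile

GLOB_CHARS = set("*?[]")


def has_glob(path: str) -> bool:
    return any(c in GLOB_CHARS for c in path)


def same_file(a: str, b: str) -> bool:
    """Inode comparison, the way sudoers matches a path without wildcards."""
    try:
        sa, sb = os.stat(a), os.stat(b)
    except OSError:
        return False
    return (sa.st_dev, sa.st_ino) == (sb.st_dev, sb.st_ino)


def cmnd_matches(rule_path: str, user_cmnd: str, fast_glob: bool) -> bool:
    """Simplified model of sudoers command matching (paths only, no arguments)."""
    if not has_glob(rule_path):
        return (os.path.basename(rule_path) == os.path.basename(user_cmnd)
                and same_file(rule_path, user_cmnd))
    if fast_glob:
        # fnmatch(3) on the literal string the user typed: "./passwd" can
        # never match "/usr/bin/*", so a negated rule silently fails to apply.
        return fnmatch.fnmatchcase(user_cmnd, rule_path)
    # Default: expand the pattern with glob(3) and compare by inode, so a
    # relative path still matches the file it really names.
    return any(same_file(p, user_cmnd) for p in glob.glob(rule_path))


def evaluate(rules, user_cmnd: str, fast_glob: bool) -> bool:
    """rules: sequence of (negated, path); the last matching entry decides."""
    allowed = False
    for negated, path in rules:
        if cmnd_matches(path, user_cmnd, fast_glob):
            allowed = not negated
    return allowed


def audit_negated_globs(sudoers_text: str):
    """Return negated command paths that contain wildcard characters."""
    findings = []
    for line in sudoers_text.replace("\\\n", " ").splitlines():   # join continuations
        line = line.split("#", 1)[0]                                # drop comments
        if "=" not in line:
            continue
        for spec in line.split("=", 1)[1].split(","):
            words = [w for w in spec.split() if not w.endswith(":")]  # skip NOEXEC: etc.
            if words and words[0].startswith("!") and has_glob(words[0]):
                findings.append(words[0])
    return findings


def demo():
    """Replay the manual's john/passwd scenario against constructed fake commands."""
    with tempfile.TemporaryDirectory() as top:
        bindir = os.path.join(top, "bin")
        os.mkdir(bindir)
        for name in ("passwd", "chsh", "chfn"):
            open(os.path.join(bindir, name), "w").close()        # empty stand-ins
        rules = [(False, os.path.join(bindir, "passwd")),
                 (False, os.path.join(bindir, "chsh")),
                 (False, os.path.join(bindir, "chfn")),
                 (True, os.path.join(bindir, "*"))]               # the "!/usr/bin/*" entry
        saved = os.getcwd()
        os.chdir(bindir)                                          # "cd /usr/bin"
        try:
            absolute = os.path.join(bindir, "passwd")
            return {
                "absolute/fast_glob": evaluate(rules, absolute, True),
                "relative/fast_glob": evaluate(rules, "./passwd", True),
                "absolute/default": evaluate(rules, absolute, False),
                "relative/default": evaluate(rules, "./passwd", False),
            }
        finally:
            os.chdir(saved)


# Constructed sample policy: the entry from the manual plus the option that weakens it.
SAMPLE_SUDOERS = """\
Defaults fast_glob
john ALL = /usr/bin/passwd [a-zA-Z0-9]*, /usr/bin/chsh [a-zA-Z0-9]*,\\
    /usr/bin/chfn [a-zA-Z0-9]*, !/usr/bin/* root
"""

if __name__ == "__main__":
    for case, allowed in demo().items():
        print(f"{case:20s} -> {'ALLOWED' if allowed else 'denied'}")
    print("negated glob entries:", audit_negated_globs(SAMPLE_SUDOERS))
```

Only the relative-path case under fast_glob comes back allowed; the audit helper is the check to run over a policy before enabling fast_glob, since every entry it reports is one whose negation can no longer be trusted.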
Time stamp file checks

sudoers will check the ownership of its time stamp directory
(/var/adm/sudo by default) and ignore the directory's contents if it is
not owned by root or if it is writable by a user other than root. On
systems that allow non-root users to give away files via chown(2), if
the time stamp directory is located in a world-writable directory
(e.g., /tmp), it is possible for a user to create the time stamp
directory before sudo is run. However, because sudoers checks the
ownership and mode of the directory and its contents, the only damage
that can be done is to "hide" files by putting them in the time stamp
dir. This is unlikely to happen since once the time stamp dir is owned
by root and inaccessible by any other user, the user placing files
there would be unable to get them back out.

sudoers will not honor time stamps set far in the future. Time stamps
with a date greater than current_time + 2 * TIMEOUT will be ignored and
sudo will log and complain. This is done to keep a user from creating
his/her own time stamp with a bogus date on systems that allow users to
give away files if the time stamp directory is located in a
world-writable directory.

On systems where the boot time is available, sudoers will ignore time
stamps that date from before the machine booted.

Since time stamp files live in the file system, they can outlive a
user's login session. As a result, a user may be able to login, run a
command with sudo after authenticating, logout, login again, and run
sudo without authenticating so long as the time stamp file's
modification time is within 5 minutes (or whatever the timeout is set
to in sudoers). When the tty_tickets option is enabled, the time stamp
has per-tty granularity but still may outlive the user's session. On
Linux systems where the devpts filesystem is used, Solaris systems with
the devices filesystem, as well as other systems that utilize a devfs
filesystem that monotonically increase the inode number of devices as
they are created (such as Mac OS X), sudoers is able to determine when
a tty-based time stamp file is stale and will ignore it.
Administrators should not rely on this feature as it is not universally
available.

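The checks in this section can be read as one validation routine. The following added example, written for this page and not sudo's implementation, applies them to a time stamp directory and file: trusted ownership and no group/other write bits on the directory and file, a modification time no later than current_time + 2 * TIMEOUT, not earlier than the boot time, and not older than the timeout. It exercises each rule on a directory it constructs under a temporary path; because the script is normally not run as root, the demo passes the calling user as trusted_uid, which is an assumption of the example only. The names check_timestamp and demo are chosen here.

```python
import os
import stat
import tempfile
import time

OTHER_WRITE = stat.S_IWGRP | stat.S_IWOTH


def check_timestamp(ts_dir, ts_file, now, timeout, boot_time=None, trusted_uid=0):
    """Return (valid, reason) for a time stamp file under ts_dir.

    Mirrors the rules described in the manual: the directory must be owned
    by the trusted user and not writable by anyone else, and the file's
    mtime must be neither far in the future, nor before boot, nor expired.
    """
    try:
        dst = os.stat(ts_dir)
    except OSError:
        return False, "no time stamp directory"
    if not stat.S_ISDIR(dst.st_mode):
        return False, "time stamp path is not a directory"
    if dst.st_uid != trusted_uid:
        return False, "directory not owned by trusted user"
    if dst.st_mode & OTHER_WRITE:
        return False, "directory writable by others"
    try:
        fst = os.stat(ts_file)
    except OSError:
        return False, "no time stamp file"
    if fst.st_uid != trusted_uid or fst.st_mode & OTHER_WRITE:
        return False, "time stamp file has untrusted owner or mode"
    if fst.st_mtime > now + 2 * timeout:
        return False, "time stamp is too far in the future"   # sudo logs and complains
    if boot_time is not None and fst.st_mtime < boot_time:
        return False, "time stamp predates boot"
    if fst.st_mtime < now - timeout:
        return False, "time stamp expired"
    return True, "time stamp accepted"


def demo():
    """Exercise each rule on a constructed directory; returns {case: reason}."""
    timeout = 5 * 60                  # the default 5 minute timeout
    now = time.time()
    me = os.getuid()                  # assumption: the demo is not run as root
    results = {}
    with tempfile.TemporaryDirectory() as top:
        ts_dir = os.path.join(top, "sudo")
        os.mkdir(ts_dir, 0o700)
        ts_file = os.path.join(ts_dir, "alice")   # constructed per-user time stamp
        open(ts_file, "w").close()
        os.chmod(ts_file, 0o600)
        results["fresh"] = check_timestamp(ts_dir, ts_file, now, timeout, now - 3600, me)
        os.utime(ts_file, (now, now + 3 * timeout))          # > now + 2 * TIMEOUT
        results["future"] = check_timestamp(ts_dir, ts_file, now, timeout, now - 3600, me)
        os.utime(ts_file, (now, now - 1800))
        results["pre-boot"] = check_timestamp(ts_dir, ts_file, now, timeout, now - 900, me)
        results["expired"] = check_timestamp(ts_dir, ts_file, now, timeout, now - 7200, me)
        os.utime(ts_file, (now, now))
        os.chmod(ts_dir, 0o777)                               # directory writable by others
        results["dir-writable"] = check_timestamp(ts_dir, ts_file, now, timeout, now - 3600, me)
        os.chmod(ts_dir, 0o700)
    return {case: reason for case, (_ok, reason) in results.items()}


if __name__ == "__main__":
    for case, reason in demo().items():
        print(f"{case:13s} {reason}")
```

The ordering matters: ownership and mode of the directory are checked before any file inside it is trusted, which is why a time stamp directory pre-created under /tmp buys an attacker nothing once the directory no longer passes the first two tests.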
SEE ALSO

rsh(1), su(1), fnmatch(3), glob(3), mktemp(3), strftime(3),
sudoers.ldap(4), sudo_plugin(1m), sudo(1m), visudo(1m)

The sudoers file should always be edited by the visudo command which
locks the file and does grammatical checking. It is imperative that
sudoers be free of syntax errors since sudo will not run with a
syntactically incorrect sudoers file.

When using netgroups of machines (as opposed to users), if you store
fully qualified host name in the netgroup (as is usually the case), you
either need to have the machine's host name be fully qualified as
returned by the hostname command or use the fqdn option in sudoers.

If you feel you have found a bug in sudo, please submit a bug report at
http://www.sudo.ws/sudo/bugs/

Limited free support is available via the sudo-users mailing list, see
http://www.sudo.ws/mailman/listinfo/sudo-users to subscribe or search

DISCLAIMER

sudo is provided "AS IS" and any express or implied warranties,
including, but not limited to, the implied warranties of
merchantability and fitness for a particular purpose are disclaimed.
See the LICENSE file distributed with sudo or
http://www.sudo.ws/sudo/license.html for complete details.

1.8.5 March 28, 2012 SUDOERS(4)
Sudo 1.8.6 July 16, 2012 Sudo 1.8.6