« back to all changes in this revision
Viewing changes to doc/sudoers.man.in
- browse files at revision 60
- compare with another revision
- download diff
- download tarball
- view history from revision 60
- Committer: Package Import Robot
- Author(s): Stéphane Graber
- Date: 2012-11-16 09:31:32 UTC
- mfrom: (1.4.13)
- Revision ID: package-import@ubuntu.com-20121116093132-ptext55adlzbrq6y
Tags: 1.8.6p3-0ubuntu1
* New upstream release (1.8.6p3).
* Add patch to fix building with sssd when ldap is disabled.
* Drop sudo.manpages and sudo-ldap.manpages as the upstream build system
now does the right thing here.
* Build the main sudo package with support for sssd, this doesn't add any
additional build time or runtime dependency. sudo will dynamically load
the sssd library if 'sss' is listed for the 'sudoers' nss service.
* Add patch to fix building with sssd when ldap is disabled.
* Drop sudo.manpages and sudo-ldap.manpages as the upstream build system
now does the right thing here.
* Build the main sudo package with support for sssd, this doesn't add any
additional build time or runtime dependency. sudo will dynamically load
the sssd library if 'sss' is listed for the 'sudoers' nss service.
- files added:
- .pc/fix_sssd_build.patch
- .pc/fix_sssd_build.patch/plugins
- .pc/fix_sssd_build.patch/plugins/sudoers
- plugins/sudoers/regress/check_symbols
- files removed:
- debian/sudo-ldap.manpages
- files modified:
- .pc/actually-use-buildflags.diff/common/Makefile.in
added
removed
doc/sudoers.man.in
1
.\" DO NOT EDIT THIS FILE, IT IS NOT THE MASTER!
2
.\" IT IS GENERATED AUTOMATICALLY FROM sudoers.mdoc.in
3
.\"
1
4
.\" Copyright (c) 1994-1996, 1998-2005, 2007-2012
2
.\" Todd C. Miller <Todd.Miller@courtesan.com>
3
.\"
5
.\" Todd C. Miller <Todd.Miller@courtesan.com>
6
.\"
4
7
.\" Permission to use, copy, modify, and distribute this software for any
5
8
.\" purpose with or without fee is hereby granted, provided that the above
6
9
.\" copyright notice and this permission notice appear in all copies.
7
.\"
10
.\"
8
11
.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
9
12
.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
10
13
.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
13
16
.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
14
17
.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
15
18
.\" ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
16
.\"
19
.\"
17
20
.\" Sponsored in part by the Defense Advanced Research Projects
18
21
.\" Agency (DARPA) and Air Force Research Laboratory, Air Force
19
22
.\" Materiel Command, USAF, under agreement number F39502-99-1-0512.
20
.\"
21
.nr SL @SEMAN@
22
.nr BA @BAMAN@
23
.nr LC @LCMAN@
24
.\"
25
.\" Automatically generated by Pod::Man 2.23 (Pod::Simple 3.14)
26
.\"
27
.\" Standard preamble:
28
.\" ========================================================================
29
.de Sp \" Vertical space (when we can't use .PP)
30
.if t .sp .5v
31
.if n .sp
32
..
33
.de Vb \" Begin verbatim text
34
.ft CW
35
.nf
36
.ne \\$1
37
..
38
.de Ve \" End verbatim text
39
.ft R
40
.fi
41
..
42
.\" Set up some character translations and predefined strings. \*(-- will
43
.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
44
.\" double quote, and \*(R" will give a right double quote. \*(C+ will
45
.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
46
.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
47
.\" nothing in troff, for use with C<>.
48
.tr \(*W-
49
.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
50
.ie n \{\
51
. ds -- \(*W-
52
. ds PI pi
53
. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
54
. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
55
. ds L" ""
56
. ds R" ""
57
. ds C`
58
. ds C'
59
'br\}
60
.el\{\
61
. ds -- \|\(em\|
62
. ds PI \(*p
63
. ds L" ``
64
. ds R" ''
65
'br\}
66
.\"
67
.\" Escape single quotes in literal strings from groff's Unicode transform.
68
.ie \n(.g .ds Aq \(aq
69
.el .ds Aq '
70
.\"
71
.\" If the F register is turned on, we'll generate index entries on stderr for
72
.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
73
.\" entries marked with X<> in POD. Of course, you'll have to process the
74
.\" output yourself in some meaningful fashion.
75
.ie \nF \{\
76
. de IX
77
. tm Index:\\$1\t\\n%\t"\\$2"
78
..
79
. nr % 0
80
. rr F
81
.\}
82
.el \{\
83
. de IX
84
..
85
.\}
86
.\"
87
.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
88
.\" Fear. Run. Save yourself. No user-serviceable parts.
89
. \" fudge factors for nroff and troff
90
.if n \{\
91
. ds #H 0
92
. ds #V .8m
93
. ds #F .3m
94
. ds #[ \f1
95
. ds #] \fP
96
.\}
97
.if t \{\
98
. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
99
. ds #V .6m
100
. ds #F 0
101
. ds #[ \&
102
. ds #] \&
103
.\}
104
. \" simple accents for nroff and troff
105
.if n \{\
106
. ds ' \&
107
. ds ` \&
108
. ds ^ \&
109
. ds , \&
110
. ds ~ ~
111
. ds /
112
.\}
113
.if t \{\
114
. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
115
. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
116
. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
117
. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
118
. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
119
. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
120
.\}
121
. \" troff and (daisy-wheel) nroff accents
122
.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
123
.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
124
.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
125
.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
126
.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
127
.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
128
.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
129
.ds ae a\h'-(\w'a'u*4/10)'e
130
.ds Ae A\h'-(\w'A'u*4/10)'E
131
. \" corrections for vroff
132
.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
133
.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
134
. \" for low resolution devices (crt and lpr)
135
.if \n(.H>23 .if \n(.V>19 \
136
\{\
137
. ds : e
138
. ds 8 ss
139
. ds o a
140
. ds d- d\h'-1'\(ga
141
. ds D- D\h'-1'\(hy
142
. ds th \o'bp'
143
. ds Th \o'LP'
144
. ds ae ae
145
. ds Ae AE
146
.\}
147
.rm #[ #] #H #V #F C
148
.\" ========================================================================
149
.\"
150
.IX Title "SUDOERS @mansectform@"
151
.TH SUDOERS @mansectform@ "March 28, 2012" "1.8.5" "MAINTENANCE COMMANDS"
152
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
153
.\" way too many mistakes in technical documents.
23
.\"
24
.TH "SUDOERS" "@mansectsu@" "July 16, 2012" "Sudo @PACKAGE_VERSION@" "Programmer's Manual"
25
.nh
154
26
.if n .ad l
155
.nh
156
27
.SH "NAME"
157
sudoers \- default sudo security policy module
28
\fBsudoers\fR
29
\- default sudo security policy module
158
30
.SH "DESCRIPTION"
159
.IX Header "DESCRIPTION"
160
The \fIsudoers\fR policy module determines a user's \fBsudo\fR privileges.
161
It is the default \fBsudo\fR policy plugin. The policy is driven by
162
the \fI@sysconfdir@/sudoers\fR file or, optionally in \s-1LDAP\s0. The policy
163
format is described in detail in the \*(L"\s-1SUDOERS\s0 \s-1FILE\s0 \s-1FORMAT\s0\*(R"
164
section. For information on storing \fIsudoers\fR policy information
165
in \s-1LDAP\s0, please see \fIsudoers.ldap\fR\|(@mansectform@).
166
.SS "Authentication and Logging"
167
.IX Subsection "Authentication and Logging"
168
The \fIsudoers\fR security policy requires that most users authenticate
169
themselves before they can use \fBsudo\fR. A password is not required
31
The
32
\fIsudoers\fR
33
policy module determines a user's
34
\fBsudo\fR
35
privileges.
36
It is the default
37
\fBsudo\fR
38
policy plugin.
39
The policy is driven by
40
the
41
\fI@sysconfdir@/sudoers\fR
42
file or, optionally in LDAP.
43
The policy format is described in detail in the
44
\fISUDOERS FILE FORMAT\fR
45
section.
46
For information on storing
47
\fIsudoers\fR
48
policy information
49
in LDAP, please see
50
sudoers.ldap(@mansectform@).
51
.SS "Authentication and logging"
52
The
53
\fIsudoers\fR
54
security policy requires that most users authenticate
55
themselves before they can use
56
\fBsudo\fR.
57
A password is not required
170
58
if the invoking user is root, if the target user is the same as the
171
59
invoking user, or if the policy has disabled authentication for the
172
user or command. Unlike \fIsu\fR\|(1), when \fIsudoers\fR requires
60
user or command.
61
Unlike
62
su(1),
63
when
64
\fIsudoers\fR
65
requires
173
66
authentication, it validates the invoking user's credentials, not
174
the target user's (or root's) credentials. This can be changed via
175
the \fIrootpw\fR, \fItargetpw\fR and \fIrunaspw\fR flags, described later.
67
the target user's (or root's) credentials.
68
This can be changed via
69
the
70
\fIrootpw\fR,
71
\fItargetpw\fR
72
and
73
\fIrunaspw\fR
74
flags, described later.
176
75
.PP
177
76
If a user who is not listed in the policy tries to run a command
178
via \fBsudo\fR, mail is sent to the proper authorities. The address
179
used for such mail is configurable via the \fImailto\fR Defaults entry
180
(described later) and defaults to \f(CW\*(C`@mailto@\*(C'\fR.
77
via
78
\fBsudo\fR,
79
mail is sent to the proper authorities.
80
The address
81
used for such mail is configurable via the
82
\fImailto\fR
83
Defaults entry
84
(described later) and defaults to
85
\fR@mailto@\fR.
181
86
.PP
182
87
Note that mail will not be sent if an unauthorized user tries to
183
run \fBsudo\fR with the \fB\-l\fR or \fB\-v\fR option. This allows users to
88
run
89
\fBsudo\fR
90
with the
91
\fB\-l\fR
92
or
93
\fB\-v\fR
94
option.
95
This allows users to
184
96
determine for themselves whether or not they are allowed to use
185
\&\fBsudo\fR.
186
.PP
187
If \fBsudo\fR is run by root and the \f(CW\*(C`SUDO_USER\*(C'\fR environment variable
188
is set, the \fIsudoers\fR policy will use this value to determine who
189
the actual user is. This can be used by a user to log commands
190
through sudo even when a root shell has been invoked. It also
191
allows the \fB\-e\fR option to remain useful even when invoked via a
192
sudo-run script or program. Note, however, that the \fIsudoers\fR
193
lookup is still done for root, not the user specified by \f(CW\*(C`SUDO_USER\*(C'\fR.
194
.PP
195
\&\fIsudoers\fR uses time stamp files for credential caching. Once a
196
user has been authenticated, a time stamp is updated and the user
97
\fBsudo\fR.
98
.PP
99
If
100
\fBsudo\fR
101
is run by root and the
102
\fRSUDO_USER\fR
103
environment variable
104
is set, the
105
\fIsudoers\fR
106
policy will use this value to determine who
107
the actual user is.
108
This can be used by a user to log commands
109
through sudo even when a root shell has been invoked.
110
It also
111
allows the
112
\fB\-e\fR
113
option to remain useful even when invoked via a
114
sudo-run script or program.
115
Note, however, that the
116
\fIsudoers\fR
117
lookup is still done for root, not the user specified by
118
\fRSUDO_USER\fR.
119
.PP
120
\fIsudoers\fR
121
uses time stamp files for credential caching.
122
Once a
123
user has been authenticated, the time stamp is updated and the user
197
124
may then use sudo without a password for a short period of time
198
(\f(CW\*(C`@timeout@\*(C'\fR minutes unless overridden by the \fItimeout\fR option.
199
By default, \fIsudoers\fR uses a tty-based time stamp which means that
125
(\fR@timeout@\fR
126
minutes unless overridden by the
127
\fItimeout\fR
128
option)
129
\&.
130
By default,
131
\fIsudoers\fR
132
uses a tty-based time stamp which means that
200
133
there is a separate time stamp for each of a user's login sessions.
201
The \fItty_tickets\fR option can be disabled to force the use of a
134
The
135
\fItty_tickets\fR
136
option can be disabled to force the use of a
202
137
single time stamp for all of a user's sessions.
203
138
.PP
204
\&\fIsudoers\fR can log both successful and unsuccessful attempts (as well
205
as errors) to \fIsyslog\fR\|(3), a log file, or both. By default, \fIsudoers\fR
206
will log via \fIsyslog\fR\|(3) but this is changeable via the \fIsyslog\fR
207
and \fIlogfile\fR Defaults settings.
139
\fIsudoers\fR
140
can log both successful and unsuccessful attempts (as well
141
as errors) to
142
syslog(3),
143
a log file, or both.
144
By default,
145
\fIsudoers\fR
146
will log via
147
syslog(3)
148
but this is changeable via the
149
\fIsyslog\fR
150
and
151
\fIlogfile\fR
152
Defaults settings.
208
153
.PP
209
\&\fIsudoers\fR also supports logging a command's input and output
210
streams. I/O logging is not on by default but can be enabled using
211
the \fIlog_input\fR and \fIlog_output\fR Defaults flags as well as the
212
\&\f(CW\*(C`LOG_INPUT\*(C'\fR and \f(CW\*(C`LOG_OUTPUT\*(C'\fR command tags.
213
.SS "Command Environment"
214
.IX Subsection "Command Environment"
215
Since environment variables can influence program behavior, \fIsudoers\fR
154
\fIsudoers\fR
155
also supports logging a command's input and output
156
streams.
157
I/O logging is not on by default but can be enabled using
158
the
159
\fIlog_input\fR
160
and
161
\fIlog_output\fR
162
Defaults flags as well as the
163
\fRLOG_INPUT\fR
164
and
165
\fRLOG_OUTPUT\fR
166
command tags.
167
.SS "Command environment"
168
Since environment variables can influence program behavior,
169
\fIsudoers\fR
216
170
provides a means to restrict which variables from the user's
217
environment are inherited by the command to be run. There are two
218
distinct ways \fIsudoers\fR can deal with environment variables.
171
environment are inherited by the command to be run.
172
There are two
173
distinct ways
174
\fIsudoers\fR
175
can deal with environment variables.
219
176
.PP
220
By default, the \fIenv_reset\fR option is enabled. This causes commands
221
to be executed with a new, minimal environment. On \s-1AIX\s0 (and Linux
222
systems without \s-1PAM\s0), the environment is initialized with the
223
contents of the \fI/etc/environment\fR file. On \s-1BSD\s0 systems, if the
224
\&\fIuse_loginclass\fR option is enabled, the environment is initialized
225
based on the \fIpath\fR and \fIsetenv\fR settings in \fI/etc/login.conf\fR.
226
The new environment contains the \f(CW\*(C`TERM\*(C'\fR, \f(CW\*(C`PATH\*(C'\fR, \f(CW\*(C`HOME\*(C'\fR, \f(CW\*(C`MAIL\*(C'\fR,
227
\&\f(CW\*(C`SHELL\*(C'\fR, \f(CW\*(C`LOGNAME\*(C'\fR, \f(CW\*(C`USER\*(C'\fR, \f(CW\*(C`USERNAME\*(C'\fR and \f(CW\*(C`SUDO_*\*(C'\fR variables
177
By default, the
178
\fIenv_reset\fR
179
option is enabled.
180
This causes commands
181
to be executed with a new, minimal environment.
182
On AIX (and Linux
183
systems without PAM), the environment is initialized with the
184
contents of the
185
\fI/etc/environment\fR
186
file.
187
On BSD systems, if the
188
\fIuse_loginclass\fR
189
option is enabled, the environment is initialized
190
based on the
191
\fIpath\fR
192
and
193
\fIsetenv\fR
194
settings in
195
\fI/etc/login.conf\fR.
196
The new environment contains the
197
\fRTERM\fR,
198
\fRPATH\fR,
199
\fRHOME\fR,
200
\fRMAIL\fR,
201
\fRSHELL\fR,
202
\fRLOGNAME\fR,
203
\fRUSER\fR,
204
\fRUSERNAME\fR
205
and
206
\fRSUDO_*\fR
207
variables
228
208
in addition to variables from the invoking process permitted by the
229
\&\fIenv_check\fR and \fIenv_keep\fR options. This is effectively a whitelist
209
\fIenv_check\fR
210
and
211
\fIenv_keep\fR
212
options.
213
This is effectively a whitelist
230
214
for environment variables.
231
215
.PP
232
If, however, the \fIenv_reset\fR option is disabled, any variables not
233
explicitly denied by the \fIenv_check\fR and \fIenv_delete\fR options are
234
inherited from the invoking process. In this case, \fIenv_check\fR
235
and \fIenv_delete\fR behave like a blacklist. Since it is not possible
216
If, however, the
217
\fIenv_reset\fR
218
option is disabled, any variables not
219
explicitly denied by the
220
\fIenv_check\fR
221
and
222
\fIenv_delete\fR
223
options are
224
inherited from the invoking process.
225
In this case,
226
\fIenv_check\fR
227
and
228
\fIenv_delete\fR
229
behave like a blacklist.
230
Since it is not possible
236
231
to blacklist all potentially dangerous environment variables, use
237
of the default \fIenv_reset\fR behavior is encouraged.
232
of the default
233
\fIenv_reset\fR
234
behavior is encouraged.
238
235
.PP
239
236
In all cases, environment variables with a value beginning with
240
\&\f(CW\*(C`()\*(C'\fR are removed as they could be interpreted as \fBbash\fR functions.
241
The list of environment variables that \fBsudo\fR allows or denies is
242
contained in the output of \f(CW\*(C`sudo \-V\*(C'\fR when run as root.
237
\fR()\fR
238
are removed as they could be interpreted as
239
\fBbash\fR
240
functions.
241
The list of environment variables that
242
\fBsudo\fR
243
allows or denies is
244
contained in the output of
245
``\fRsudo -V\fR''
246
when run as root.
243
247
.PP
244
248
Note that the dynamic linker on most operating systems will remove
245
249
variables that can control dynamic linking from the environment of
246
setuid executables, including \fBsudo\fR. Depending on the operating
247
system this may include \f(CW\*(C`_RLD*\*(C'\fR, \f(CW\*(C`DYLD_*\*(C'\fR, \f(CW\*(C`LD_*\*(C'\fR, \f(CW\*(C`LDR_*\*(C'\fR,
248
\&\f(CW\*(C`LIBPATH\*(C'\fR, \f(CW\*(C`SHLIB_PATH\*(C'\fR, and others. These type of variables are
249
removed from the environment before \fBsudo\fR even begins execution
250
and, as such, it is not possible for \fBsudo\fR to preserve them.
251
.PP
252
As a special case, if \fBsudo\fR's \fB\-i\fR option (initial login) is
253
specified, \fIsudoers\fR will initialize the environment regardless
254
of the value of \fIenv_reset\fR. The \fI\s-1DISPLAY\s0\fR, \fI\s-1PATH\s0\fR and \fI\s-1TERM\s0\fR
255
variables remain unchanged; \fI\s-1HOME\s0\fR, \fI\s-1MAIL\s0\fR, \fI\s-1SHELL\s0\fR, \fI\s-1USER\s0\fR,
256
and \fI\s-1LOGNAME\s0\fR are set based on the target user. On \s-1AIX\s0 (and Linux
257
systems without \s-1PAM\s0), the contents of \fI/etc/environment\fR are also
258
included. On \s-1BSD\s0 systems, if the \fIuse_loginclass\fR option is
259
enabled, the \fIpath\fR and \fIsetenv\fR variables in \fI/etc/login.conf\fR
260
are also applied. All other environment variables are removed.
261
.PP
262
Finally, if the \fIenv_file\fR option is defined, any variables present
250
setuid executables, including
251
\fBsudo\fR.
252
Depending on the operating
253
system this may include
254
\fR_RLD*\fR,
255
\fRDYLD_*\fR,
256
\fRLD_*\fR,
257
\fRLDR_*\fR,
258
\fRLIBPATH\fR,
259
\fRSHLIB_PATH\fR,
260
and others.
261
These type of variables are
262
removed from the environment before
263
\fBsudo\fR
264
even begins execution
265
and, as such, it is not possible for
266
\fBsudo\fR
267
to preserve them.
268
.PP
269
As a special case, if
270
\fBsudo\fR's
271
\fB\-i\fR
272
option (initial login) is
273
specified,
274
\fIsudoers\fR
275
will initialize the environment regardless
276
of the value of
277
\fIenv_reset\fR.
278
The
279
\fRDISPLAY\fR,
280
\fRPATH\fR
281
and
282
\fRTERM\fR
283
variables remain unchanged;
284
\fRHOME\fR,
285
\fRMAIL\fR,
286
\fRSHELL\fR,
287
\fRUSER\fR,
288
and
289
\fRLOGNAME\fR
290
are set based on the target user.
291
On AIX (and Linux
292
systems without PAM), the contents of
293
\fI/etc/environment\fR
294
are also
295
included.
296
On BSD systems, if the
297
\fIuse_loginclass\fR
298
option is
299
enabled, the
300
\fIpath\fR
301
and
302
\fIsetenv\fR
303
variables in
304
\fI/etc/login.conf\fR
305
are also applied.
306
All other environment variables are removed.
307
.PP
308
Finally, if the
309
\fIenv_file\fR
310
option is defined, any variables present
263
311
in that file will be set to their specified values as long as they
264
312
would not conflict with an existing environment variable.
265
313
.SH "SUDOERS FILE FORMAT"
266
.IX Header "SUDOERS FILE FORMAT"
267
The \fIsudoers\fR file is composed of two types of entries: aliases
314
The
315
\fIsudoers\fR
316
file is composed of two types of entries: aliases
268
317
(basically variables) and user specifications (which specify who
269
318
may run what).
270
319
.PP
272
321
Where there are multiple matches, the last match is used (which is
273
322
not necessarily the most specific match).
274
323
.PP
275
The \fIsudoers\fR grammar will be described below in Extended Backus-Naur
276
Form (\s-1EBNF\s0). Don't despair if you don't know what \s-1EBNF\s0 is; it is
277
fairly simple, and the definitions below are annotated.
278
.SS "Quick guide to \s-1EBNF\s0"
279
.IX Subsection "Quick guide to EBNF"
280
\&\s-1EBNF\s0 is a concise and exact way of describing the grammar of a language.
281
Each \s-1EBNF\s0 definition is made up of \fIproduction rules\fR. E.g.,
282
.PP
283
.Vb 1
284
\& symbol ::= definition | alternate1 | alternate2 ...
285
.Ve
286
.PP
287
Each \fIproduction rule\fR references others and thus makes up a
288
grammar for the language. \s-1EBNF\s0 also contains the following
324
The
325
\fIsudoers\fR
326
grammar will be described below in Extended Backus-Naur
327
Form (EBNF).
328
Don't despair if you are unfamiliar with EBNF; it is fairly simple,
329
and the definitions below are annotated.
330
.SS "Quick guide to EBNF"
331
EBNF is a concise and exact way of describing the grammar of a language.
332
Each EBNF definition is made up of
333
\fIproduction rules\fR.
334
E.g.,
335
.PP
336
\fRsymbol ::= definition\fR | \fRalternate1\fR | \fRalternate2 ...\fR
337
.PP
338
Each
339
\fIproduction rule\fR
340
references others and thus makes up a
341
grammar for the language.
342
EBNF also contains the following
289
343
operators, which many readers will recognize from regular
290
expressions. Do not, however, confuse them with \*(L"wildcard\*(R"
344
expressions.
345
Do not, however, confuse them with
346
``wildcard''
291
347
characters, which have different meanings.
292
.ie n .IP "\*(C`?\*(C'" 4
293
.el .IP "\f(CW\*(C`?\*(C'\fR" 4
294
.IX Item "?"
348
.TP 6n
349
\fR\&?\fR
295
350
Means that the preceding symbol (or group of symbols) is optional.
296
351
That is, it may appear once or not at all.
297
.ie n .IP "\*(C`*\*(C'" 4
298
.el .IP "\f(CW\*(C`*\*(C'\fR" 4
299
.IX Item "*"
352
.TP 6n
353
\fR*\fR
300
354
Means that the preceding symbol (or group of symbols) may appear
301
355
zero or more times.
302
.ie n .IP "\*(C`+\*(C'" 4
303
.el .IP "\f(CW\*(C`+\*(C'\fR" 4
304
.IX Item "+"
356
.TP 6n
357
\fR+\fR
305
358
Means that the preceding symbol (or group of symbols) may appear
306
359
one or more times.
307
360
.PP
308
Parentheses may be used to group symbols together. For clarity,
309
we will use single quotes ('') to designate what is a verbatim character
310
string (as opposed to a symbol name).
361
Parentheses may be used to group symbols together.
362
For clarity,
363
we will use single quotes
364
('')
365
to designate what is a verbatim character string (as opposed to a symbol name).
311
366
.SS "Aliases"
312
.IX Subsection "Aliases"
313
There are four kinds of aliases: \f(CW\*(C`User_Alias\*(C'\fR, \f(CW\*(C`Runas_Alias\*(C'\fR,
314
\&\f(CW\*(C`Host_Alias\*(C'\fR and \f(CW\*(C`Cmnd_Alias\*(C'\fR.
315
.PP
316
.Vb 4
317
\& Alias ::= \*(AqUser_Alias\*(Aq User_Alias (\*(Aq:\*(Aq User_Alias)* |
318
\& \*(AqRunas_Alias\*(Aq Runas_Alias (\*(Aq:\*(Aq Runas_Alias)* |
319
\& \*(AqHost_Alias\*(Aq Host_Alias (\*(Aq:\*(Aq Host_Alias)* |
320
\& \*(AqCmnd_Alias\*(Aq Cmnd_Alias (\*(Aq:\*(Aq Cmnd_Alias)*
321
\&
322
\& User_Alias ::= NAME \*(Aq=\*(Aq User_List
323
\&
324
\& Runas_Alias ::= NAME \*(Aq=\*(Aq Runas_List
325
\&
326
\& Host_Alias ::= NAME \*(Aq=\*(Aq Host_List
327
\&
328
\& Cmnd_Alias ::= NAME \*(Aq=\*(Aq Cmnd_List
329
\&
330
\& NAME ::= [A\-Z]([A\-Z][0\-9]_)*
331
.Ve
332
.PP
333
Each \fIalias\fR definition is of the form
334
.PP
335
.Vb 1
336
\& Alias_Type NAME = item1, item2, ...
337
.Ve
338
.PP
339
where \fIAlias_Type\fR is one of \f(CW\*(C`User_Alias\*(C'\fR, \f(CW\*(C`Runas_Alias\*(C'\fR, \f(CW\*(C`Host_Alias\*(C'\fR,
340
or \f(CW\*(C`Cmnd_Alias\*(C'\fR. A \f(CW\*(C`NAME\*(C'\fR is a string of uppercase letters, numbers,
341
and underscore characters ('_'). A \f(CW\*(C`NAME\*(C'\fR \fBmust\fR start with an
342
uppercase letter. It is possible to put several alias definitions
343
of the same type on a single line, joined by a colon (':'). E.g.,
344
.PP
345
.Vb 1
346
\& Alias_Type NAME = item1, item2, item3 : NAME = item4, item5
347
.Ve
348
.PP
349
The definitions of what constitutes a valid \fIalias\fR member follow.
350
.PP
351
.Vb 2
352
\& User_List ::= User |
353
\& User \*(Aq,\*(Aq User_List
354
\&
355
\& User ::= \*(Aq!\*(Aq* user name |
356
\& \*(Aq!\*(Aq* #uid |
357
\& \*(Aq!\*(Aq* %group |
358
\& \*(Aq!\*(Aq* %#gid |
359
\& \*(Aq!\*(Aq* +netgroup |
360
\& \*(Aq!\*(Aq* %:nonunix_group |
361
\& \*(Aq!\*(Aq* %:#nonunix_gid |
362
\& \*(Aq!\*(Aq* User_Alias
363
.Ve
364
.PP
365
A \f(CW\*(C`User_List\*(C'\fR is made up of one or more user names, user ids
366
(prefixed with '#'), system group names and ids (prefixed with '%'
367
and '%#' respectively), netgroups (prefixed with '+'), non-Unix
368
group names and IDs (prefixed with '%:' and '%:#' respectively) and
369
\&\f(CW\*(C`User_Alias\*(C'\fRes. Each list item may be prefixed with zero or more
370
\&'!' operators. An odd number of '!' operators negate the value of
367
There are four kinds of aliases:
368
\fRUser_Alias\fR,
369
\fRRunas_Alias\fR,
370
\fRHost_Alias\fR
371
and
372
\fRCmnd_Alias\fR.
373
.nf
374
.sp
375
.RS 0n
376
Alias ::= 'User_Alias' User_Alias (':' User_Alias)* |
377
'Runas_Alias' Runas_Alias (':' Runas_Alias)* |
378
'Host_Alias' Host_Alias (':' Host_Alias)* |
379
'Cmnd_Alias' Cmnd_Alias (':' Cmnd_Alias)*
380
381
User_Alias ::= NAME '=' User_List
382
383
Runas_Alias ::= NAME '=' Runas_List
384
385
Host_Alias ::= NAME '=' Host_List
386
387
Cmnd_Alias ::= NAME '=' Cmnd_List
388
389
NAME ::= [A-Z]([A-Z][0-9]_)*
390
.RE
391
.fi
392
.PP
393
Each
394
\fIalias\fR
395
definition is of the form
396
.nf
397
.sp
398
.RS 0n
399
Alias_Type NAME = item1, item2, ...
400
.RE
401
.fi
402
.PP
403
where
404
\fIAlias_Type\fR
405
is one of
406
\fRUser_Alias\fR,
407
\fRRunas_Alias\fR,
408
\fRHost_Alias\fR,
409
or
410
\fRCmnd_Alias\fR.
411
A
412
\fRNAME\fR
413
is a string of uppercase letters, numbers,
414
and underscore characters
415
(`_').
416
A
417
\fRNAME\fR
418
\fBmust\fR
419
start with an
420
uppercase letter.
421
It is possible to put several alias definitions
422
of the same type on a single line, joined by a colon
423
(`:\&').
424
E.g.,
425
.nf
426
.sp
427
.RS 0n
428
Alias_Type NAME = item1, item2, item3 : NAME = item4, item5
429
.RE
430
.fi
431
.PP
432
The definitions of what constitutes a valid
433
\fIalias\fR
434
member follow.
435
.nf
436
.sp
437
.RS 0n
438
User_List ::= User |
439
User ',' User_List
440
441
User ::= '!'* user name |
442
'!'* #uid |
443
'!'* %group |
444
'!'* %#gid |
445
'!'* +netgroup |
446
'!'* %:nonunix_group |
447
'!'* %:#nonunix_gid |
448
'!'* User_Alias
449
.RE
450
.fi
451
.PP
452
A
453
\fRUser_List\fR
454
is made up of one or more user names, user ids
455
(prefixed with
456
`#'),
457
system group names and ids (prefixed with
458
`%'
459
and
460
`%#'
461
respectively), netgroups (prefixed with
462
`+'),
463
non-Unix group names and IDs (prefixed with
464
`%:'
465
and
466
`%:#'
467
respectively) and
468
\fRUser_Alias\fRes.
469
Each list item may be prefixed with zero or more
470
`\&!'
471
operators.
472
An odd number of
473
`\&!'
474
operators negate the value of
371
475
the item; an even number just cancel each other out.
372
476
.PP
373
A \f(CW\*(C`user name\*(C'\fR, \f(CW\*(C`uid\*(C'\fR, \f(CW\*(C`group\*(C'\fR, \f(CW\*(C`gid\*(C'\fR, \f(CW\*(C`netgroup\*(C'\fR, \f(CW\*(C`nonunix_group\*(C'\fR
374
or \f(CW\*(C`nonunix_gid\*(C'\fR may be enclosed in double quotes to avoid the
375
need for escaping special characters. Alternately, special characters
376
may be specified in escaped hex mode, e.g. \ex20 for space. When
477
A
478
\fRuser name\fR,
479
\fRuid\fR,
480
\fRgroup\fR,
481
\fRgid\fR,
482
\fRnetgroup\fR,
483
\fRnonunix_group\fR
484
or
485
\fRnonunix_gid\fR
486
may be enclosed in double quotes to avoid the
487
need for escaping special characters.
488
Alternately, special characters
489
may be specified in escaped hex mode, e.g.\& \ex20 for space.
490
When
377
491
using double quotes, any prefix characters must be included inside
378
492
the quotes.
379
493
.PP
380
The actual \f(CW\*(C`nonunix_group\*(C'\fR and \f(CW\*(C`nonunix_gid\*(C'\fR syntax depends on
381
the underlying group provider plugin (see the \fIgroup_plugin\fR
382
description below). For instance, the \s-1QAS\s0 \s-1AD\s0 plugin supports the
383
following formats:
384
.IP "\(bu" 4
385
Group in the same domain: \*(L"Group Name\*(R"
386
.IP "\(bu" 4
387
Group in any domain: \*(L"Group Name@FULLY.QUALIFIED.DOMAIN\*(R"
388
.IP "\(bu" 4
389
Group \s-1SID:\s0 \*(L"S\-1\-2\-34\-5678901234\-5678901234\-5678901234\-567\*(R"
494
The actual
495
\fRnonunix_group\fR
496
and
497
\fRnonunix_gid\fR
498
syntax depends on
499
the underlying group provider plugin (see the
500
\fIgroup_plugin\fR
501
description below).
502
For instance, the QAS AD plugin supports the following formats:
503
.TP 6n
504
\fBo\fR
505
Group in the same domain: "%:Group Name"
506
.TP 6n
507
\fBo\fR
508
Group in any domain: "%:Group Name@FULLY.QUALIFIED.DOMAIN"
509
.TP 6n
510
\fBo\fR
511
Group SID: "%:S-1-2-34-5678901234-5678901234-5678901234-567"
390
512
.PP
391
Note that quotes around group names are optional. Unquoted strings
392
must use a backslash (\e) to escape spaces and special characters.
393
See \*(L"Other special characters and reserved words\*(R" for a list of
513
Note that quotes around group names are optional.
514
Unquoted strings must use a backslash
515
(`\e')
516
to escape spaces and special characters.
517
See
518
\fIOther special characters and reserved words\fR
519
for a list of
394
520
characters that need to be escaped.
395
.PP
396
.Vb 2
397
\& Runas_List ::= Runas_Member |
398
\& Runas_Member \*(Aq,\*(Aq Runas_List
399
\&
400
\& Runas_Member ::= \*(Aq!\*(Aq* user name |
401
\& \*(Aq!\*(Aq* #uid |
402
\& \*(Aq!\*(Aq* %group |
403
\& \*(Aq!\*(Aq* %#gid |
404
\& \*(Aq!\*(Aq* %:nonunix_group |
405
\& \*(Aq!\*(Aq* %:#nonunix_gid |
406
\& \*(Aq!\*(Aq* +netgroup |
407
\& \*(Aq!\*(Aq* Runas_Alias
408
.Ve
409
.PP
410
A \f(CW\*(C`Runas_List\*(C'\fR is similar to a \f(CW\*(C`User_List\*(C'\fR except that instead
411
of \f(CW\*(C`User_Alias\*(C'\fRes it can contain \f(CW\*(C`Runas_Alias\*(C'\fRes. Note that
412
user names and groups are matched as strings. In other words, two
521
.nf
522
.sp
523
.RS 0n
524
Runas_List ::= Runas_Member |
525
Runas_Member ',' Runas_List
526
527
Runas_Member ::= '!'* user name |
528
'!'* #uid |
529
'!'* %group |
530
'!'* %#gid |
531
'!'* %:nonunix_group |
532
'!'* %:#nonunix_gid |
533
'!'* +netgroup |
534
'!'* Runas_Alias
535
.RE
536
.fi
537
.PP
538
A
539
\fRRunas_List\fR
540
is similar to a
541
\fRUser_List\fR
542
except that instead
543
of
544
\fRUser_Alias\fRes
545
it can contain
546
\fRRunas_Alias\fRes.
547
Note that
548
user names and groups are matched as strings.
549
In other words, two
413
550
users (groups) with the same uid (gid) are considered to be distinct.
414
If you wish to match all user names with the same uid (e.g.\ root
415
and toor), you can use a uid instead (#0 in the example given).
416
.PP
417
.Vb 2
418
\& Host_List ::= Host |
419
\& Host \*(Aq,\*(Aq Host_List
420
\&
421
\& Host ::= \*(Aq!\*(Aq* host name |
422
\& \*(Aq!\*(Aq* ip_addr |
423
\& \*(Aq!\*(Aq* network(/netmask)? |
424
\& \*(Aq!\*(Aq* +netgroup |
425
\& \*(Aq!\*(Aq* Host_Alias
426
.Ve
427
.PP
428
A \f(CW\*(C`Host_List\*(C'\fR is made up of one or more host names, \s-1IP\s0 addresses,
429
network numbers, netgroups (prefixed with '+') and other aliases.
430
Again, the value of an item may be negated with the '!' operator.
551
If you wish to match all user names with the same uid (e.g.\&
552
root and toor), you can use a uid instead (#0 in the example given).
553
.nf
554
.sp
555
.RS 0n
556
Host_List ::= Host |
557
Host ',' Host_List
558
559
Host ::= '!'* host name |
560
'!'* ip_addr |
561
'!'* network(/netmask)? |
562
'!'* +netgroup |
563
'!'* Host_Alias
564
.RE
565
.fi
566
.PP
567
A
568
\fRHost_List\fR
569
is made up of one or more host names, IP addresses,
570
network numbers, netgroups (prefixed with
571
`+')
572
and other aliases.
573
Again, the value of an item may be negated with the
574
`\&!'
575
operator.
431
576
If you do not specify a netmask along with the network number,
432
\&\fBsudo\fR will query each of the local host's network interfaces and,
577
\fBsudo\fR
578
will query each of the local host's network interfaces and,
433
579
if the network number corresponds to one of the hosts's network
434
interfaces, the corresponding netmask will be used. The netmask
435
may be specified either in standard \s-1IP\s0 address notation
436
(e.g.\ 255.255.255.0 or ffff:ffff:ffff:ffff::),
437
or \s-1CIDR\s0 notation (number of bits, e.g.\ 24 or 64). A host name may
438
include shell-style wildcards (see the Wildcards section below),
439
but unless the \f(CW\*(C`host name\*(C'\fR command on your machine returns the fully
440
qualified host name, you'll need to use the \fIfqdn\fR option for
441
wildcards to be useful. Note \fBsudo\fR only inspects actual network
442
interfaces; this means that \s-1IP\s0 address 127.0.0.1 (localhost) will
443
never match. Also, the host name \*(L"localhost\*(R" will only match if
444
that is the actual host name, which is usually only the case for
445
non-networked systems.
446
.PP
447
.Vb 2
448
\& Cmnd_List ::= Cmnd |
449
\& Cmnd \*(Aq,\*(Aq Cmnd_List
450
\&
451
\& commandname ::= file name |
452
\& file name args |
453
\& file name \*(Aq""\*(Aq
454
\&
455
\& Cmnd ::= \*(Aq!\*(Aq* commandname |
456
\& \*(Aq!\*(Aq* directory |
457
\& \*(Aq!\*(Aq* "sudoedit" |
458
\& \*(Aq!\*(Aq* Cmnd_Alias
459
.Ve
460
.PP
461
A \f(CW\*(C`Cmnd_List\*(C'\fR is a list of one or more commandnames, directories, and other
462
aliases. A commandname is a fully qualified file name which may include
463
shell-style wildcards (see the Wildcards section below). A simple
464
file name allows the user to run the command with any arguments he/she
465
wishes. However, you may also specify command line arguments (including
466
wildcards). Alternately, you can specify \f(CW""\fR to indicate that the command
467
may only be run \fBwithout\fR command line arguments. A directory is a
468
fully qualified path name ending in a '/'. When you specify a directory
469
in a \f(CW\*(C`Cmnd_List\*(C'\fR, the user will be able to run any file within that directory
470
(but not in any subdirectories therein).
471
.PP
472
If a \f(CW\*(C`Cmnd\*(C'\fR has associated command line arguments, then the arguments
473
in the \f(CW\*(C`Cmnd\*(C'\fR must match exactly those given by the user on the command line
474
(or match the wildcards if there are any). Note that the following
475
characters must be escaped with a '\e' if they are used in command
476
arguments: ',', ':', '=', '\e'. The special command \f(CW"sudoedit"\fR
477
is used to permit a user to run \fBsudo\fR with the \fB\-e\fR option (or
478
as \fBsudoedit\fR). It may take command line arguments just as
479
a normal command does.
580
interfaces, the corresponding netmask will be used.
581
The netmask
582
may be specified either in standard IP address notation
583
(e.g.\& 255.255.255.0 or ffff:ffff:ffff:ffff::),
584
or CIDR notation (number of bits, e.g.\& 24 or 64).
585
A host name may include shell-style wildcards (see the
586
\fIWildcards\fR
587
section below),
588
but unless the
589
\fRhost name\fR
590
command on your machine returns the fully
591
qualified host name, you'll need to use the
592
\fIfqdn\fR
593
option for wildcards to be useful.
594
Note that
595
\fBsudo\fR
596
only inspects actual network interfaces; this means that IP address
597
127.0.0.1 (localhost) will never match.
598
Also, the host name
599
``localhost''
600
will only match if that is the actual host name, which is usually
601
only the case for non-networked systems.
602
.nf
603
.sp
604
.RS 0n
605
Cmnd_List ::= Cmnd |
606
Cmnd ',' Cmnd_List
607
608
command name ::= file name |
609
file name args |
610
file name '""'
611
612
Cmnd ::= '!'* command name |
613
'!'* directory |
614
'!'* "sudoedit" |
615
'!'* Cmnd_Alias
616
.RE
617
.fi
618
.PP
619
A
620
\fRCmnd_List\fR
621
is a list of one or more command names, directories, and other aliases.
622
A command name is a fully qualified file name which may include
623
shell-style wildcards (see the
624
\fIWildcards\fR
625
section below).
626
A simple file name allows the user to run the command with any
627
arguments he/she wishes.
628
However, you may also specify command line arguments (including
629
wildcards).
630
Alternately, you can specify
631
\fR\&""\fR
632
to indicate that the command
633
may only be run
634
\fBwithout\fR
635
command line arguments.
636
A directory is a
637
fully qualified path name ending in a
638
`/'.
639
When you specify a directory in a
640
\fRCmnd_List\fR,
641
the user will be able to run any file within that directory
642
(but not in any sub-directories therein).
643
.PP
644
If a
645
\fRCmnd\fR
646
has associated command line arguments, then the arguments
647
in the
648
\fRCmnd\fR
649
must match exactly those given by the user on the command line
650
(or match the wildcards if there are any).
651
Note that the following characters must be escaped with a
652
`\e'
653
if they are used in command arguments:
654
`,\&',
655
`:\&',
656
`=\&',
657
`\e'.
658
The special command
659
``\fRsudoedit\fR''
660
is used to permit a user to run
661
\fBsudo\fR
662
with the
663
\fB\-e\fR
664
option (or as
665
\fBsudoedit\fR).
666
It may take command line arguments just as a normal command does.
480
667
.SS "Defaults"
481
.IX Subsection "Defaults"
482
668
Certain configuration options may be changed from their default
483
values at runtime via one or more \f(CW\*(C`Default_Entry\*(C'\fR lines. These
484
may affect all users on any host, all users on a specific host, a
669
values at run-time via one or more
670
\fRDefault_Entry\fR
671
lines.
672
These may affect all users on any host, all users on a specific host, a
485
673
specific user, a specific command, or commands being run as a specific user.
486
674
Note that per-command entries may not include command line arguments.
487
If you need to specify arguments, define a \f(CW\*(C`Cmnd_Alias\*(C'\fR and reference
675
If you need to specify arguments, define a
676
\fRCmnd_Alias\fR
677
and reference
488
678
that instead.
489
.PP
490
.Vb 5
491
\& Default_Type ::= \*(AqDefaults\*(Aq |
492
\& \*(AqDefaults\*(Aq \*(Aq@\*(Aq Host_List |
493
\& \*(AqDefaults\*(Aq \*(Aq:\*(Aq User_List |
494
\& \*(AqDefaults\*(Aq \*(Aq!\*(Aq Cmnd_List |
495
\& \*(AqDefaults\*(Aq \*(Aq>\*(Aq Runas_List
496
\&
497
\& Default_Entry ::= Default_Type Parameter_List
498
\&
499
\& Parameter_List ::= Parameter |
500
\& Parameter \*(Aq,\*(Aq Parameter_List
501
\&
502
\& Parameter ::= Parameter \*(Aq=\*(Aq Value |
503
\& Parameter \*(Aq+=\*(Aq Value |
504
\& Parameter \*(Aq\-=\*(Aq Value |
505
\& \*(Aq!\*(Aq* Parameter
506
.Ve
507
.PP
508
Parameters may be \fBflags\fR, \fBinteger\fR values, \fBstrings\fR, or \fBlists\fR.
509
Flags are implicitly boolean and can be turned off via the '!'
510
operator. Some integer, string and list parameters may also be
511
used in a boolean context to disable them. Values may be enclosed
512
in double quotes (\f(CW\*(C`"\*(C'\fR) when they contain multiple words. Special
513
characters may be escaped with a backslash (\f(CW\*(C`\e\*(C'\fR).
514
.PP
515
Lists have two additional assignment operators, \f(CW\*(C`+=\*(C'\fR and \f(CW\*(C`\-=\*(C'\fR.
679
.nf
680
.sp
681
.RS 0n
682
Default_Type ::= 'Defaults' |
683
'Defaults' '@' Host_List |
684
'Defaults' ':' User_List |
685
'Defaults' '!' Cmnd_List |
686
'Defaults' '>' Runas_List
687
688
Default_Entry ::= Default_Type Parameter_List
689
690
Parameter_List ::= Parameter |
691
Parameter ',' Parameter_List
692
693
Parameter ::= Parameter '=' Value |
694
Parameter '+=' Value |
695
Parameter '-=' Value |
696
'!'* Parameter
697
.RE
698
.fi
699
.PP
700
Parameters may be
701
\fBflags\fR,
702
\fBinteger\fR
703
values,
704
\fBstrings\fR,
705
or
706
\fBlists\fR.
707
Flags are implicitly boolean and can be turned off via the
708
`\&!'
709
operator.
710
Some integer, string and list parameters may also be
711
used in a boolean context to disable them.
712
Values may be enclosed
713
in double quotes
714
(\&"")
715
when they contain multiple words.
716
Special characters may be escaped with a backslash
717
(`\e').
718
.PP
719
Lists have two additional assignment operators,
720
\fR+=\fR
721
and
722
\fR-=\fR.
516
723
These operators are used to add to and delete from a list respectively.
517
It is not an error to use the \f(CW\*(C`\-=\*(C'\fR operator to remove an element
724
It is not an error to use the
725
\fR-=\fR
726
operator to remove an element
518
727
that does not exist in a list.
519
728
.PP
520
729
Defaults entries are parsed in the following order: generic, host
521
730
and user Defaults first, then runas Defaults and finally command
522
731
defaults.
523
732
.PP
524
See \*(L"\s-1SUDOERS\s0 \s-1OPTIONS\s0\*(R" for a list of supported Defaults parameters.
525
.SS "User Specification"
526
.IX Subsection "User Specification"
527
.Vb 2
528
\& User_Spec ::= User_List Host_List \*(Aq=\*(Aq Cmnd_Spec_List \e
529
\& (\*(Aq:\*(Aq Host_List \*(Aq=\*(Aq Cmnd_Spec_List)*
530
\&
531
\& Cmnd_Spec_List ::= Cmnd_Spec |
532
\& Cmnd_Spec \*(Aq,\*(Aq Cmnd_Spec_List
533
\&
534
.ie \n(SL \& Cmnd_Spec ::= Runas_Spec? SELinux_Spec? Tag_Spec* Cmnd
535
.el \& Cmnd_Spec ::= Runas_Spec? Tag_Spec* Cmnd
536
\&
537
\& Runas_Spec ::= \*(Aq(\*(Aq Runas_List? (\*(Aq:\*(Aq Runas_List)? \*(Aq)\*(Aq
538
\&
539
.if \n(SL \{\
540
\& SELinux_Spec ::= (\*(AqROLE=role\*(Aq | \*(AqTYPE=type\*(Aq)
541
\&
542
\}
543
\& Tag_Spec ::= (\*(AqNOPASSWD:\*(Aq | \*(AqPASSWD:\*(Aq | \*(AqNOEXEC:\*(Aq | \*(AqEXEC:\*(Aq |
544
\& \*(AqSETENV:\*(Aq | \*(AqNOSETENV:\*(Aq | \*(AqLOG_INPUT:\*(Aq | \*(AqNOLOG_INPUT:\*(Aq |
545
\& \*(AqLOG_OUTPUT:\*(Aq | \*(AqNOLOG_OUTPUT:\*(Aq)
546
.Ve
547
.PP
548
A \fBuser specification\fR determines which commands a user may run
549
(and as what user) on specified hosts. By default, commands are
550
run as \fBroot\fR, but this can be changed on a per-command basis.
551
.PP
552
The basic structure of a user specification is `who where = (as_whom)
553
what'. Let's break that down into its constituent parts:
733
See
734
\fISUDOERS OPTIONS\fR
735
for a list of supported Defaults parameters.
736
.SS "User specification"
737
.nf
738
.RS 0n
739
User_Spec ::= User_List Host_List '=' Cmnd_Spec_List \e
740
(':' Host_List '=' Cmnd_Spec_List)*
741
742
Cmnd_Spec_List ::= Cmnd_Spec |
743
Cmnd_Spec ',' Cmnd_Spec_List
744
745
Cmnd_Spec ::= Runas_Spec? SELinux_Spec? Solaris_Priv_Spec? Tag_Spec* Cmnd
746
747
Runas_Spec ::= '(' Runas_List? (':' Runas_List)? ')'
748
749
SELinux_Spec ::= ('ROLE=role' | 'TYPE=type')
750
751
Solaris_Priv_Spec ::= ('PRIVS=privset' | 'LIMITPRIVS=privset')
752
753
Tag_Spec ::= ('NOPASSWD:' | 'PASSWD:' | 'NOEXEC:' | 'EXEC:' |
754
'SETENV:' | 'NOSETENV:' | 'LOG_INPUT:' | 'NOLOG_INPUT:' |
755
'LOG_OUTPUT:' | 'NOLOG_OUTPUT:')
756
.RE
757
.fi
758
.PP
759
A
760
\fBuser specification\fR
761
determines which commands a user may run
762
(and as what user) on specified hosts.
763
By default, commands are
764
run as
765
\fBroot\fR,
766
but this can be changed on a per-command basis.
767
.PP
768
The basic structure of a user specification is
769
``who where = (as_whom) what''.
770
Let's break that down into its constituent parts:
554
771
.SS "Runas_Spec"
555
.IX Subsection "Runas_Spec"
556
A \f(CW\*(C`Runas_Spec\*(C'\fR determines the user and/or the group that a command
557
may be run as. A fully-specified \f(CW\*(C`Runas_Spec\*(C'\fR consists of two
558
\&\f(CW\*(C`Runas_List\*(C'\fRs (as defined above) separated by a colon (':') and
559
enclosed in a set of parentheses. The first \f(CW\*(C`Runas_List\*(C'\fR indicates
560
which users the command may be run as via \fBsudo\fR's \fB\-u\fR option.
772
A
773
\fRRunas_Spec\fR
774
determines the user and/or the group that a command
775
may be run as.
776
A fully-specified
777
\fRRunas_Spec\fR
778
consists of two
779
\fRRunas_List\fRs
780
(as defined above) separated by a colon
781
(`:\&')
782
and enclosed in a set of parentheses.
783
The first
784
\fRRunas_List\fR
785
indicates
786
which users the command may be run as via
787
\fBsudo\fR's
788
\fB\-u\fR
789
option.
561
790
The second defines a list of groups that can be specified via
562
\&\fBsudo\fR's \fB\-g\fR option. If both \f(CW\*(C`Runas_List\*(C'\fRs are specified, the
563
command may be run with any combination of users and groups listed
564
in their respective \f(CW\*(C`Runas_List\*(C'\fRs. If only the first is specified,
565
the command may be run as any user in the list but no \fB\-g\fR option
566
may be specified. If the first \f(CW\*(C`Runas_List\*(C'\fR is empty but the
791
\fBsudo\fR's
792
\fB\-g\fR
793
option.
794
If both
795
\fRRunas_List\fRs
796
are specified, the command may be run with any combination of users
797
and groups listed in their respective
798
\fRRunas_List\fRs.
799
If only the first is specified, the command may be run as any user
800
in the list but no
801
\fB\-g\fR
802
option
803
may be specified.
804
If the first
805
\fRRunas_List\fR
806
is empty but the
567
807
second is specified, the command may be run as the invoking user
568
with the group set to any listed in the \f(CW\*(C`Runas_List\*(C'\fR. If no
569
\&\f(CW\*(C`Runas_Spec\*(C'\fR is specified the command may be run as \fBroot\fR and
808
with the group set to any listed in the
809
\fRRunas_List\fR.
810
If both
811
\fRRunas_List\fRs
812
are empty, the command may only be run as the invoking user.
813
If no
814
\fRRunas_Spec\fR
815
is specified the command may be run as
816
\fBroot\fR
817
and
570
818
no group may be specified.
571
819
.PP
572
A \f(CW\*(C`Runas_Spec\*(C'\fR sets the default for the commands that follow it.
820
A
821
\fRRunas_Spec\fR
822
sets the default for the commands that follow it.
573
823
What this means is that for the entry:
574
.PP
575
.Vb 1
576
\& dgb boulder = (operator) /bin/ls, /bin/kill, /usr/bin/lprm
577
.Ve
578
.PP
579
The user \fBdgb\fR may run \fI/bin/ls\fR, \fI/bin/kill\fR, and
580
\&\fI/usr/bin/lprm\fR \*(-- but only as \fBoperator\fR. E.g.,
581
.PP
582
.Vb 1
583
\& $ sudo \-u operator /bin/ls
584
.Ve
585
.PP
586
It is also possible to override a \f(CW\*(C`Runas_Spec\*(C'\fR later on in an
587
entry. If we modify the entry like so:
588
.PP
589
.Vb 1
590
\& dgb boulder = (operator) /bin/ls, (root) /bin/kill, /usr/bin/lprm
591
.Ve
592
.PP
593
Then user \fBdgb\fR is now allowed to run \fI/bin/ls\fR as \fBoperator\fR,
594
but \fI/bin/kill\fR and \fI/usr/bin/lprm\fR as \fBroot\fR.
595
.PP
596
We can extend this to allow \fBdgb\fR to run \f(CW\*(C`/bin/ls\*(C'\fR with either
597
the user or group set to \fBoperator\fR:
598
.PP
599
.Vb 2
600
\& dgb boulder = (operator : operator) /bin/ls, (root) /bin/kill, \e
601
\& /usr/bin/lprm
602
.Ve
603
.PP
604
Note that while the group portion of the \f(CW\*(C`Runas_Spec\*(C'\fR permits the
824
.nf
825
.sp
826
.RS 0n
827
dgb boulder = (operator) /bin/ls, /bin/kill, /usr/bin/lprm
828
.RE
829
.fi
830
.PP
831
The user
832
\fBdgb\fR
833
may run
834
\fI/bin/ls\fR,
835
\fI/bin/kill\fR,
836
and
837
\fI/usr/bin/lprm\fR\(embut
838
only as
839
\fBoperator\fR.
840
E.g.,
841
.nf
842
.sp
843
.RS 0n
844
$ sudo -u operator /bin/ls
845
.RE
846
.fi
847
.PP
848
It is also possible to override a
849
\fRRunas_Spec\fR
850
later on in an entry.
851
If we modify the entry like so:
852
.nf
853
.sp
854
.RS 0n
855
dgb boulder = (operator) /bin/ls, (root) /bin/kill, /usr/bin/lprm
856
.RE
857
.fi
858
.PP
859
Then user
860
\fBdgb\fR
861
is now allowed to run
862
\fI/bin/ls\fR
863
as
864
\fBoperator\fR,
865
but
866
\fI/bin/kill\fR
867
and
868
\fI/usr/bin/lprm\fR
869
as
870
\fBroot\fR.
871
.PP
872
We can extend this to allow
873
\fBdgb\fR
874
to run
875
\fR/bin/ls\fR
876
with either
877
the user or group set to
878
\fBoperator\fR:
879
.nf
880
.sp
881
.RS 0n
882
dgb boulder = (operator : operator) /bin/ls, (root) /bin/kill,\e
883
/usr/bin/lprm
884
.RE
885
.fi
886
.PP
887
Note that while the group portion of the
888
\fRRunas_Spec\fR
889
permits the
605
890
user to run as command with that group, it does not force the user
606
to do so. If no group is specified on the command line, the command
891
to do so.
892
If no group is specified on the command line, the command
607
893
will run with the group listed in the target user's password database
608
entry. The following would all be permitted by the sudoers entry above:
609
.PP
610
.Vb 3
611
\& $ sudo \-u operator /bin/ls
612
\& $ sudo \-u operator \-g operator /bin/ls
613
\& $ sudo \-g operator /bin/ls
614
.Ve
615
.PP
616
In the following example, user \fBtcm\fR may run commands that access
894
entry.
895
The following would all be permitted by the sudoers entry above:
896
.nf
897
.sp
898
.RS 0n
899
$ sudo -u operator /bin/ls
900
$ sudo -u operator -g operator /bin/ls
901
$ sudo -g operator /bin/ls
902
.RE
903
.fi
904
.PP
905
In the following example, user
906
\fBtcm\fR
907
may run commands that access
617
908
a modem device file with the dialer group.
618
.PP
619
.Vb 2
620
\& tcm boulder = (:dialer) /usr/bin/tip, /usr/bin/cu, \e
621
\& /usr/local/bin/minicom
622
.Ve
909
.nf
910
.sp
911
.RS 0n
912
tcm boulder = (:dialer) /usr/bin/tip, /usr/bin/cu,\e
913
/usr/local/bin/minicom
914
.RE
915
.fi
623
916
.PP
624
917
Note that in this example only the group will be set, the command
625
still runs as user \fBtcm\fR. E.g.
626
.PP
627
.Vb 1
628
\& $ sudo \-g dialer /usr/bin/cu
629
.Ve
630
.PP
631
Multiple users and groups may be present in a \f(CW\*(C`Runas_Spec\*(C'\fR, in
632
which case the user may select any combination of users and groups
633
via the \fB\-u\fR and \fB\-g\fR options. In this example:
634
.PP
635
.Vb 1
636
\& alan ALL = (root, bin : operator, system) ALL
637
.Ve
638
.PP
639
user \fBalan\fR may run any command as either user root or bin,
918
still runs as user
919
\fBtcm\fR.
920
E.g.\&
921
.nf
922
.sp
923
.RS 0n
924
$ sudo -g dialer /usr/bin/cu
925
.RE
926
.fi
927
.PP
928
Multiple users and groups may be present in a
929
\fRRunas_Spec\fR,
930
in which case the user may select any combination of users and groups via the
931
\fB\-u\fR
932
and
933
\fB\-g\fR
934
options.
935
In this example:
936
.nf
937
.sp
938
.RS 0n
939
alan ALL = (root, bin : operator, system) ALL
940
.RE
941
.fi
942
.PP
943
user
944
\fBalan\fR
945
may run any command as either user root or bin,
640
946
optionally setting the group to operator or system.
641
.if \n(SL \{\
642
947
.SS "SELinux_Spec"
643
.IX Subsection "SELinux_Spec"
644
On systems with SELinux support, \fIsudoers\fR entries may optionally have
645
an SELinux role and/or type associated with a command. If a role or
948
On systems with SELinux support,
949
\fIsudoers\fR
950
entries may optionally have an SELinux role and/or type associated
951
with a command.
952
If a role or
646
953
type is specified with the command it will override any default values
647
specified in \fIsudoers\fR. A role or type specified on the command line,
648
however, will supercede the values in \fIsudoers\fR.
649
\}
954
specified in
955
\fIsudoers\fR.
956
A role or type specified on the command line,
957
however, will supersede the values in
958
\fIsudoers\fR.
959
.SS "Solaris_Priv_Spec"
960
On Solaris systems,
961
\fIsudoers\fR
962
entries may optionally specify Solaris privilege set and/or limit
963
privilege set associated with a command.
964
If privileges or limit privileges are specified with the command
965
it will override any default values specified in
966
\fIsudoers\fR.
967
.PP
968
A privilege set is a comma-separated list of privilege names.
969
The
970
ppriv(1)
971
command can be used to list all privileges known to the system.
972
For example:
973
.nf
974
.sp
975
.RS 0n
976
$ ppriv -l
977
.RE
978
.fi
979
.PP
980
In addition, there are several
981
``special''
982
privilege strings:
983
.TP 10n
984
none
985
the empty set
986
.TP 10n
987
all
988
the set of all privileges
989
.TP 10n
990
zone
991
the set of all privileges available in the current zone
992
.TP 10n
993
basic
994
the default set of privileges normal users are granted at login time
995
.PP
996
Privileges can be excluded from a set by prefixing the privilege
997
name with either an
998
`\&!'
999
or
1000
`\-'
1001
character.
650
1002
.SS "Tag_Spec"
651
.IX Subsection "Tag_Spec"
652
A command may have zero or more tags associated with it. There are
653
eight possible tag values, \f(CW\*(C`NOPASSWD\*(C'\fR, \f(CW\*(C`PASSWD\*(C'\fR, \f(CW\*(C`NOEXEC\*(C'\fR,
654
\&\f(CW\*(C`EXEC\*(C'\fR, \f(CW\*(C`SETENV\*(C'\fR, \f(CW\*(C`NOSETENV\*(C'\fR, \f(CW\*(C`LOG_INPUT\*(C'\fR, \f(CW\*(C`NOLOG_INPUT\*(C'\fR,
655
\&\f(CW\*(C`LOG_OUTPUT\*(C'\fR and \f(CW\*(C`NOLOG_OUTPUT\*(C'\fR. Once a tag is set on a \f(CW\*(C`Cmnd\*(C'\fR,
656
subsequent \f(CW\*(C`Cmnd\*(C'\fRs in the \f(CW\*(C`Cmnd_Spec_List\*(C'\fR, inherit the tag unless
657
it is overridden by the opposite tag (i.e.: \f(CW\*(C`PASSWD\*(C'\fR overrides
658
\&\f(CW\*(C`NOPASSWD\*(C'\fR and \f(CW\*(C`NOEXEC\*(C'\fR overrides \f(CW\*(C`EXEC\*(C'\fR).
659
.PP
660
\fI\s-1NOPASSWD\s0 and \s-1PASSWD\s0\fR
661
.IX Subsection "NOPASSWD and PASSWD"
662
.PP
663
By default, \fBsudo\fR requires that a user authenticate him or herself
664
before running a command. This behavior can be modified via the
665
\&\f(CW\*(C`NOPASSWD\*(C'\fR tag. Like a \f(CW\*(C`Runas_Spec\*(C'\fR, the \f(CW\*(C`NOPASSWD\*(C'\fR tag sets
666
a default for the commands that follow it in the \f(CW\*(C`Cmnd_Spec_List\*(C'\fR.
667
Conversely, the \f(CW\*(C`PASSWD\*(C'\fR tag can be used to reverse things.
1003
A command may have zero or more tags associated with it.
1004
There are
1005
ten possible tag values:
1006
\fRNOPASSWD\fR,
1007
\fRPASSWD\fR,
1008
\fRNOEXEC\fR,
1009
\fREXEC\fR,
1010
\fRSETENV\fR,
1011
\fRNOSETENV\fR,
1012
\fRLOG_INPUT\fR,
1013
\fRNOLOG_INPUT\fR,
1014
\fRLOG_OUTPUT\fR
1015
and
1016
\fRNOLOG_OUTPUT\fR.
1017
Once a tag is set on a
1018
\fRCmnd\fR,
1019
subsequent
1020
\fRCmnd\fRs
1021
in the
1022
\fRCmnd_Spec_List\fR,
1023
inherit the tag unless it is overridden by the opposite tag (in other words,
1024
\fRPASSWD\fR
1025
overrides
1026
\fRNOPASSWD\fR
1027
and
1028
\fRNOEXEC\fR
1029
overrides
1030
\fREXEC\fR).
1031
.PP
1032
\fINOPASSWD and PASSWD\fR
1033
.PP
1034
By default,
1035
\fBsudo\fR
1036
requires that a user authenticate him or herself
1037
before running a command.
1038
This behavior can be modified via the
1039
\fRNOPASSWD\fR
1040
tag.
1041
Like a
1042
\fRRunas_Spec\fR,
1043
the
1044
\fRNOPASSWD\fR
1045
tag sets
1046
a default for the commands that follow it in the
1047
\fRCmnd_Spec_List\fR.
1048
Conversely, the
1049
\fRPASSWD\fR
1050
tag can be used to reverse things.
668
1051
For example:
669
.PP
670
.Vb 1
671
\& ray rushmore = NOPASSWD: /bin/kill, /bin/ls, /usr/bin/lprm
672
.Ve
673
.PP
674
would allow the user \fBray\fR to run \fI/bin/kill\fR, \fI/bin/ls\fR, and
675
\&\fI/usr/bin/lprm\fR as \fBroot\fR on the machine rushmore without
676
authenticating himself. If we only want \fBray\fR to be able to
677
run \fI/bin/kill\fR without a password the entry would be:
678
.PP
679
.Vb 1
680
\& ray rushmore = NOPASSWD: /bin/kill, PASSWD: /bin/ls, /usr/bin/lprm
681
.Ve
682
.PP
683
Note, however, that the \f(CW\*(C`PASSWD\*(C'\fR tag has no effect on users who are
684
in the group specified by the \fIexempt_group\fR option.
685
.PP
686
By default, if the \f(CW\*(C`NOPASSWD\*(C'\fR tag is applied to any of the entries
687
for a user on the current host, he or she will be able to run
688
\&\f(CW\*(C`sudo \-l\*(C'\fR without a password. Additionally, a user may only run
689
\&\f(CW\*(C`sudo \-v\*(C'\fR without a password if the \f(CW\*(C`NOPASSWD\*(C'\fR tag is present
690
for all a user's entries that pertain to the current host.
691
This behavior may be overridden via the verifypw and listpw options.
692
.PP
693
\fI\s-1NOEXEC\s0 and \s-1EXEC\s0\fR
694
.IX Subsection "NOEXEC and EXEC"
695
.PP
696
If \fBsudo\fR has been compiled with \fInoexec\fR support and the underlying
697
operating system supports it, the \f(CW\*(C`NOEXEC\*(C'\fR tag can be used to prevent
698
a dynamically-linked executable from running further commands itself.
699
.PP
700
In the following example, user \fBaaron\fR may run \fI/usr/bin/more\fR
701
and \fI/usr/bin/vi\fR but shell escapes will be disabled.
702
.PP
703
.Vb 1
704
\& aaron shanty = NOEXEC: /usr/bin/more, /usr/bin/vi
705
.Ve
706
.PP
707
See the \*(L"Preventing Shell Escapes\*(R" section below for more details
708
on how \f(CW\*(C`NOEXEC\*(C'\fR works and whether or not it will work on your system.
709
.PP
710
\fI\s-1SETENV\s0 and \s-1NOSETENV\s0\fR
711
.IX Subsection "SETENV and NOSETENV"
712
.PP
713
These tags override the value of the \fIsetenv\fR option on a per-command
714
basis. Note that if \f(CW\*(C`SETENV\*(C'\fR has been set for a command, the user
715
may disable the \fIenv_reset\fR option from the command line via the
716
\&\fB\-E\fR option. Additionally, environment variables set on the command
717
line are not subject to the restrictions imposed by \fIenv_check\fR,
718
\&\fIenv_delete\fR, or \fIenv_keep\fR. As such, only trusted users should
719
be allowed to set variables in this manner. If the command matched
720
is \fB\s-1ALL\s0\fR, the \f(CW\*(C`SETENV\*(C'\fR tag is implied for that command; this
721
default may be overridden by use of the \f(CW\*(C`NOSETENV\*(C'\fR tag.
722
.PP
723
\fI\s-1LOG_INPUT\s0 and \s-1NOLOG_INPUT\s0\fR
724
.IX Subsection "LOG_INPUT and NOLOG_INPUT"
725
.PP
726
These tags override the value of the \fIlog_input\fR option on a
727
per-command basis. For more information, see the description of
728
\&\fIlog_input\fR in the \*(L"\s-1SUDOERS\s0 \s-1OPTIONS\s0\*(R" section below.
729
.PP
730
\fI\s-1LOG_OUTPUT\s0 and \s-1NOLOG_OUTPUT\s0\fR
731
.IX Subsection "LOG_OUTPUT and NOLOG_OUTPUT"
732
.PP
733
These tags override the value of the \fIlog_output\fR option on a
734
per-command basis. For more information, see the description of
735
\&\fIlog_output\fR in the \*(L"\s-1SUDOERS\s0 \s-1OPTIONS\s0\*(R" section below.
1052
.nf
1053
.sp
1054
.RS 0n
1055
ray rushmore = NOPASSWD: /bin/kill, /bin/ls, /usr/bin/lprm
1056
.RE
1057
.fi
1058
.PP
1059
would allow the user
1060
\fBray\fR
1061
to run
1062
\fI/bin/kill\fR,
1063
\fI/bin/ls\fR,
1064
and
1065
\fI/usr/bin/lprm\fR
1066
as
1067
\fBroot\fR
1068
on the machine rushmore without authenticating himself.
1069
If we only want
1070
\fBray\fR
1071
to be able to
1072
run
1073
\fI/bin/kill\fR
1074
without a password the entry would be:
1075
.nf
1076
.sp
1077
.RS 0n
1078
ray rushmore = NOPASSWD: /bin/kill, PASSWD: /bin/ls, /usr/bin/lprm
1079
.RE
1080
.fi
1081
.PP
1082
Note, however, that the
1083
\fRPASSWD\fR
1084
tag has no effect on users who are in the group specified by the
1085
\fIexempt_group\fR
1086
option.
1087
.PP
1088
By default, if the
1089
\fRNOPASSWD\fR
1090
tag is applied to any of the entries for a user on the current host,
1091
he or she will be able to run
1092
``\fRsudo -l\fR''
1093
without a password.
1094
Additionally, a user may only run
1095
``\fRsudo -v\fR''
1096
without a password if the
1097
\fRNOPASSWD\fR
1098
tag is present for all a user's entries that pertain to the current host.
1099
This behavior may be overridden via the
1100
\fIverifypw\fR
1101
and
1102
\fIlistpw\fR
1103
options.
1104
.PP
1105
\fINOEXEC and EXEC\fR
1106
.PP
1107
If
1108
\fBsudo\fR
1109
has been compiled with
1110
\fInoexec\fR
1111
support and the underlying operating system supports it, the
1112
\fRNOEXEC\fR
1113
tag can be used to prevent a dynamically-linked executable from
1114
running further commands itself.
1115
.PP
1116
In the following example, user
1117
\fBaaron\fR
1118
may run
1119
\fI/usr/bin/more\fR
1120
and
1121
\fI/usr/bin/vi\fR
1122
but shell escapes will be disabled.
1123
.nf
1124
.sp
1125
.RS 0n
1126
aaron shanty = NOEXEC: /usr/bin/more, /usr/bin/vi
1127
.RE
1128
.fi
1129
.PP
1130
See the
1131
\fIPreventing shell escapes\fR
1132
section below for more details on how
1133
\fRNOEXEC\fR
1134
works and whether or not it will work on your system.
1135
.PP
1136
\fISETENV and NOSETENV\fR
1137
.PP
1138
These tags override the value of the
1139
\fIsetenv\fR
1140
option on a per-command basis.
1141
Note that if
1142
\fRSETENV\fR
1143
has been set for a command, the user may disable the
1144
\fIenv_reset\fR
1145
option from the command line via the
1146
\fB\-E\fR
1147
option.
1148
Additionally, environment variables set on the command
1149
line are not subject to the restrictions imposed by
1150
\fIenv_check\fR,
1151
\fIenv_delete\fR,
1152
or
1153
\fIenv_keep\fR.
1154
As such, only trusted users should be allowed to set variables in this manner.
1155
If the command matched is
1156
\fBALL\fR,
1157
the
1158
\fRSETENV\fR
1159
tag is implied for that command; this default may be overridden by use of the
1160
\fRNOSETENV\fR
1161
tag.
1162
.PP
1163
\fILOG_INPUT and NOLOG_INPUT\fR
1164
.PP
1165
These tags override the value of the
1166
\fIlog_input\fR
1167
option on a per-command basis.
1168
For more information, see the description of
1169
\fIlog_input\fR
1170
in the
1171
\fISUDOERS OPTIONS\fR
1172
section below.
1173
.PP
1174
\fILOG_OUTPUT and NOLOG_OUTPUT\fR
1175
.PP
1176
These tags override the value of the
1177
\fIlog_output\fR
1178
option on a per-command basis.
1179
For more information, see the description of
1180
\fIlog_output\fR
1181
in the
1182
\fISUDOERS OPTIONS\fR
1183
section below.
736
1184
.SS "Wildcards"
737
.IX Subsection "Wildcards"
738
\&\fBsudo\fR allows shell-style \fIwildcards\fR (aka meta or glob characters)
739
to be used in host names, path names and command line arguments in
740
the \fIsudoers\fR file. Wildcard matching is done via the \fB\s-1POSIX\s0\fR
741
\&\fIglob\fR\|(3) and \fIfnmatch\fR\|(3) routines. Note that these are \fInot\fR
1185
\fBsudo\fR
1186
allows shell-style
1187
\fIwildcards\fR
1188
(aka meta or glob characters)
1189
to be used in host names, path names and command line arguments in the
1190
\fIsudoers\fR
1191
file.
1192
Wildcard matching is done via the
1193
\fBPOSIX\fR
1194
glob(3)
1195
and
1196
fnmatch(3)
1197
routines.
1198
Note that these are
1199
\fInot\fR
742
1200
regular expressions.
743
.ie n .IP "\*(C`*\*(C'" 8
744
.el .IP "\f(CW\*(C`*\*(C'\fR" 8
745
.IX Item "*"
1201
.TP 10n
1202
\fR*\fR
746
1203
Matches any set of zero or more characters.
747
.ie n .IP "\*(C`?\*(C'" 8
748
.el .IP "\f(CW\*(C`?\*(C'\fR" 8
749
.IX Item "?"
1204
.TP 10n
1205
\fR\&?\fR
750
1206
Matches any single character.
751
.ie n .IP "\*(C`[...]\*(C'" 8
752
.el .IP "\f(CW\*(C`[...]\*(C'\fR" 8
753
.IX Item "[...]"
1207
.TP 10n
1208
\fR[...]\fR
754
1209
Matches any character in the specified range.
755
.ie n .IP "\*(C`[!...]\*(C'" 8
756
.el .IP "\f(CW\*(C`[!...]\*(C'\fR" 8
757
.IX Item "[!...]"
758
Matches any character \fBnot\fR in the specified range.
759
.ie n .IP "\*(C`\ex\*(C'" 8
760
.el .IP "\f(CW\*(C`\ex\*(C'\fR" 8
761
.IX Item "x"
762
For any character \*(L"x\*(R", evaluates to \*(L"x\*(R". This is used to
763
escape special characters such as: \*(L"*\*(R", \*(L"?\*(R", \*(L"[\*(R", and \*(L"}\*(R".
764
.PP
765
\&\s-1POSIX\s0 character classes may also be used if your system's \fIglob\fR\|(3)
766
and \fIfnmatch\fR\|(3) functions support them. However, because the
767
\&\f(CW\*(Aq:\*(Aq\fR character has special meaning in \fIsudoers\fR, it must be
768
escaped. For example:
769
.PP
770
.Vb 1
771
\& /bin/ls [[\e:alpha\e:]]*
772
.Ve
1210
.TP 10n
1211
\fR[!...]\fR
1212
Matches any character
1213
\fBnot\fR
1214
in the specified range.
1215
.TP 10n
1216
\fR\ex\fR
1217
For any character
1218
`x',
1219
evaluates to
1220
`x'.
1221
This is used to escape special characters such as:
1222
`*',
1223
`\&?',
1224
`[\&',
1225
and
1226
`]\&'.
1227
.PP
1228
POSIX character classes may also be used if your system's
1229
glob(3)
1230
and
1231
fnmatch(3)
1232
functions support them.
1233
However, because the
1234
`:\&'
1235
character has special meaning in
1236
\fIsudoers\fR,
1237
it must be
1238
escaped.
1239
For example:
1240
.nf
1241
.sp
1242
.RS 4n
1243
/bin/ls [[\:alpha\:]]*
1244
.RE
1245
.fi
773
1246
.PP
774
1247
Would match any file name beginning with a letter.
775
1248
.PP
776
Note that a forward slash ('/') will \fBnot\fR be matched by
777
wildcards used in the path name. When matching the command
778
line arguments, however, a slash \fBdoes\fR get matched by
779
wildcards. This is to make a path like:
780
.PP
781
.Vb 1
782
\& /usr/bin/*
783
.Ve
784
.PP
785
match \fI/usr/bin/who\fR but not \fI/usr/bin/X11/xterm\fR.
1249
Note that a forward slash
1250
(`/')
1251
will
1252
\fBnot\fR
1253
be matched by
1254
wildcards used in the path name.
1255
This is to make a path like:
1256
.nf
1257
.sp
1258
.RS 4n
1259
/usr/bin/*
1260
.RE
1261
.fi
1262
.PP
1263
match
1264
\fI/usr/bin/who\fR
1265
but not
1266
\fI/usr/bin/X11/xterm\fR.
1267
.PP
1268
When matching the command line arguments, however, a slash
1269
\fBdoes\fR
1270
get matched by wildcards since command line arguments may contain
1271
arbitrary strings and not just path names.
1272
.PP
1273
Wildcards in command line arguments should be used with care.
1274
Because command line arguments are matched as a single, concatenated
1275
string, a wildcard such as
1276
`\&?'
1277
or
1278
`*'
1279
can match multiple words.
1280
For example, while a sudoers entry like:
1281
.nf
1282
.sp
1283
.RS 4n
1284
%operator ALL = /bin/cat /var/log/messages*
1285
.RE
1286
.fi
1287
.PP
1288
will allow command like:
1289
.nf
1290
.sp
1291
.RS 4n
1292
$ sudo cat /var/log/messages.1
1293
.RE
1294
.fi
1295
.PP
1296
It will also allow:
1297
.nf
1298
.sp
1299
.RS 4n
1300
$ sudo cat /var/log/messages /etc/shadow
1301
.RE
1302
.fi
1303
.PP
1304
which is probably not what was intended.
786
1305
.SS "Exceptions to wildcard rules"
787
.IX Subsection "Exceptions to wildcard rules"
788
1306
The following exceptions apply to the above rules:
789
.ie n .IP """""" 8
790
.el .IP "\f(CW``''\fR" 8
791
.IX Item """"""
792
If the empty string \f(CW""\fR is the only command line argument in the
793
\&\fIsudoers\fR entry it means that command is not allowed to be run
794
with \fBany\fR arguments.
1307
.TP 10n
1308
\fR\&""\fR
1309
If the empty string
1310
\fR\&""\fR
1311
is the only command line argument in the
1312
\fIsudoers\fR
1313
entry it means that command is not allowed to be run with
1314
\fBany\fR
1315
arguments.
1316
.TP 10n
1317
sudoedit
1318
Command line arguments to the
1319
\fIsudoedit\fR
1320
built-in command should always be path names, so a forward slash
1321
(`/')
1322
will not be matched by a wildcard.
795
1323
.SS "Including other files from within sudoers"
796
.IX Subsection "Including other files from within sudoers"
797
It is possible to include other \fIsudoers\fR files from within the
798
\&\fIsudoers\fR file currently being parsed using the \f(CW\*(C`#include\*(C'\fR and
799
\&\f(CW\*(C`#includedir\*(C'\fR directives.
1324
It is possible to include other
1325
\fIsudoers\fR
1326
files from within the
1327
\fIsudoers\fR
1328
file currently being parsed using the
1329
\fR#include\fR
1330
and
1331
\fR#includedir\fR
1332
directives.
800
1333
.PP
801
This can be used, for example, to keep a site-wide \fIsudoers\fR file
802
in addition to a local, per-machine file. For the sake of this
803
example the site-wide \fIsudoers\fR will be \fI/etc/sudoers\fR and the
804
per-machine one will be \fI/etc/sudoers.local\fR. To include
805
\&\fI/etc/sudoers.local\fR from within \fI/etc/sudoers\fR we would use the
806
following line in \fI/etc/sudoers\fR:
807
.Sp
808
.RS 4
809
\&\f(CW\*(C`#include /etc/sudoers.local\*(C'\fR
1334
This can be used, for example, to keep a site-wide
1335
\fIsudoers\fR
1336
file in addition to a local, per-machine file.
1337
For the sake of this example the site-wide
1338
\fIsudoers\fR
1339
will be
1340
\fI/etc/sudoers\fR
1341
and the per-machine one will be
1342
\fI/etc/sudoers.local\fR.
1343
To include
1344
\fI/etc/sudoers.local\fR
1345
from within
1346
\fI/etc/sudoers\fR
1347
we would use the
1348
following line in
1349
\fI/etc/sudoers\fR:
1350
.nf
1351
.sp
1352
.RS 4n
1353
#include /etc/sudoers.local
810
1354
.RE
1355
.fi
811
1356
.PP
812
When \fBsudo\fR reaches this line it will suspend processing of the
813
current file (\fI/etc/sudoers\fR) and switch to \fI/etc/sudoers.local\fR.
814
Upon reaching the end of \fI/etc/sudoers.local\fR, the rest of
815
\&\fI/etc/sudoers\fR will be processed. Files that are included may
816
themselves include other files. A hard limit of 128 nested include
817
files is enforced to prevent include file loops.
1357
When
1358
\fBsudo\fR
1359
reaches this line it will suspend processing of the current file
1360
(\fI/etc/sudoers\fR)
1361
and switch to
1362
\fI/etc/sudoers.local\fR.
1363
Upon reaching the end of
1364
\fI/etc/sudoers.local\fR,
1365
the rest of
1366
\fI/etc/sudoers\fR
1367
will be processed.
1368
Files that are included may themselves include other files.
1369
A hard limit of 128 nested include files is enforced to prevent include
1370
file loops.
818
1371
.PP
819
1372
If the path to the include file is not fully-qualified (does not
820
begin with a \fI/\fR), it must be located in the same directory as the
821
sudoers file it was included from. For example, if \fI/etc/sudoers\fR
1373
begin with a
1374
`/',
1375
it must be located in the same directory as the sudoers file it was
1376
included from.
1377
For example, if
1378
\fI/etc/sudoers\fR
822
1379
contains the line:
823
.Sp
824
.RS 4
825
\&\f(CW\*(C`#include sudoers.local\*(C'\fR
826
.RE
827
.PP
828
the file that will be included is \fI/etc/sudoers.local\fR.
829
.PP
830
The file name may also include the \f(CW%h\fR escape, signifying the short form
831
of the host name. I.e., if the machine's host name is \*(L"xerxes\*(R", then
832
.PP
833
\&\f(CW\*(C`#include /etc/sudoers.%h\*(C'\fR
834
.PP
835
will cause \fBsudo\fR to include the file \fI/etc/sudoers.xerxes\fR.
836
.PP
837
The \f(CW\*(C`#includedir\*(C'\fR directive can be used to create a \fIsudo.d\fR
838
directory that the system package manager can drop \fIsudoers\fR rules
839
into as part of package installation. For example, given:
840
.PP
841
\&\f(CW\*(C`#includedir /etc/sudoers.d\*(C'\fR
842
.PP
843
\&\fBsudo\fR will read each file in \fI/etc/sudoers.d\fR, skipping file
844
names that end in \f(CW\*(C`~\*(C'\fR or contain a \f(CW\*(C`.\*(C'\fR character to avoid causing
845
problems with package manager or editor temporary/backup files.
846
Files are parsed in sorted lexical order. That is,
847
\&\fI/etc/sudoers.d/01_first\fR will be parsed before
848
\&\fI/etc/sudoers.d/10_second\fR. Be aware that because the sorting is
849
lexical, not numeric, \fI/etc/sudoers.d/1_whoops\fR would be loaded
850
\&\fBafter\fR \fI/etc/sudoers.d/10_second\fR. Using a consistent number
851
of leading zeroes in the file names can be used to avoid such
852
problems.
853
.PP
854
Note that unlike files included via \f(CW\*(C`#include\*(C'\fR, \fBvisudo\fR will not
855
edit the files in a \f(CW\*(C`#includedir\*(C'\fR directory unless one of them
856
contains a syntax error. It is still possible to run \fBvisudo\fR
857
with the \f(CW\*(C`\-f\*(C'\fR flag to edit the files directly.
1380
.nf
1381
.sp
1382
.RS 4n
1383
\fR#include sudoers.local\fR
1384
.RE
1385
.fi
1386
.PP
1387
the file that will be included is
1388
\fI/etc/sudoers.local\fR.
1389
.PP
1390
The file name may also include the
1391
\fR%h\fR
1392
escape, signifying the short form of the host name.
1393
In other words, if the machine's host name is
1394
``xerxes'',
1395
then
1396
.nf
1397
.sp
1398
.RS 4n
1399
#include /etc/sudoers.%h
1400
.RE
1401
.fi
1402
.PP
1403
will cause
1404
\fBsudo\fR
1405
to include the file
1406
\fI/etc/sudoers.xerxes\fR.
1407
.PP
1408
The
1409
\fR#includedir\fR
1410
directive can be used to create a
1411
\fIsudo.d\fR
1412
directory that the system package manager can drop
1413
\fIsudoers\fR
1414
rules
1415
into as part of package installation.
1416
For example, given:
1417
.nf
1418
.sp
1419
.RS 4n
1420
#includedir /etc/sudoers.d
1421
.RE
1422
.fi
1423
.PP
1424
\fBsudo\fR
1425
will read each file in
1426
\fI/etc/sudoers.d\fR,
1427
skipping file names that end in
1428
`~'
1429
or contain a
1430
`.\&'
1431
character to avoid causing problems with package manager or editor
1432
temporary/backup files.
1433
Files are parsed in sorted lexical order.
1434
That is,
1435
\fI/etc/sudoers.d/01_first\fR
1436
will be parsed before
1437
\fI/etc/sudoers.d/10_second\fR.
1438
Be aware that because the sorting is lexical, not numeric,
1439
\fI/etc/sudoers.d/1_whoops\fR
1440
would be loaded
1441
\fBafter\fR
1442
\fI/etc/sudoers.d/10_second\fR.
1443
Using a consistent number of leading zeroes in the file names can be used
1444
to avoid such problems.
1445
.PP
1446
Note that unlike files included via
1447
\fR#include\fR,
1448
\fBvisudo\fR
1449
will not edit the files in a
1450
\fR#includedir\fR
1451
directory unless one of them contains a syntax error.
1452
It is still possible to run
1453
\fBvisudo\fR
1454
with the
1455
\fB\-f\fR
1456
flag to edit the files directly.
858
1457
.SS "Other special characters and reserved words"
859
.IX Subsection "Other special characters and reserved words"
860
The pound sign ('#') is used to indicate a comment (unless it is
861
part of a #include directive or unless it occurs in the context of
862
a user name and is followed by one or more digits, in which case
863
it is treated as a uid). Both the comment character and any text
864
after it, up to the end of the line, are ignored.
865
.PP
866
The reserved word \fB\s-1ALL\s0\fR is a built-in \fIalias\fR that always causes
867
a match to succeed. It can be used wherever one might otherwise
868
use a \f(CW\*(C`Cmnd_Alias\*(C'\fR, \f(CW\*(C`User_Alias\*(C'\fR, \f(CW\*(C`Runas_Alias\*(C'\fR, or \f(CW\*(C`Host_Alias\*(C'\fR.
869
You should not try to define your own \fIalias\fR called \fB\s-1ALL\s0\fR as the
870
built-in alias will be used in preference to your own. Please note
871
that using \fB\s-1ALL\s0\fR can be dangerous since in a command context, it
872
allows the user to run \fBany\fR command on the system.
873
.PP
874
An exclamation point ('!') can be used as a logical \fInot\fR operator
875
both in an \fIalias\fR and in front of a \f(CW\*(C`Cmnd\*(C'\fR. This allows one to
876
exclude certain values. Note, however, that using a \f(CW\*(C`!\*(C'\fR in
877
conjunction with the built-in \f(CW\*(C`ALL\*(C'\fR alias to allow a user to
878
run \*(L"all but a few\*(R" commands rarely works as intended (see \s-1SECURITY\s0
879
\&\s-1NOTES\s0 below).
880
.PP
881
Long lines can be continued with a backslash ('\e') as the last
882
character on the line.
883
.PP
884
Whitespace between elements in a list as well as special syntactic
885
characters in a \fIUser Specification\fR ('=', ':', '(', ')') is optional.
886
.PP
887
The following characters must be escaped with a backslash ('\e') when
888
used as part of a word (e.g.\ a user name or host name):
889
\&'!', '=', ':', ',', '(', ')', '\e'.
1458
The pound sign
1459
(`#')
1460
is used to indicate a comment (unless it is part of a #include
1461
directive or unless it occurs in the context of a user name and is
1462
followed by one or more digits, in which case it is treated as a
1463
uid).
1464
Both the comment character and any text after it, up to the end of
1465
the line, are ignored.
1466
.PP
1467
The reserved word
1468
\fBALL\fR
1469
is a built-in
1470
\fIalias\fR
1471
that always causes a match to succeed.
1472
It can be used wherever one might otherwise use a
1473
\fRCmnd_Alias\fR,
1474
\fRUser_Alias\fR,
1475
\fRRunas_Alias\fR,
1476
or
1477
\fRHost_Alias\fR.
1478
You should not try to define your own
1479
\fIalias\fR
1480
called
1481
\fBALL\fR
1482
as the built-in alias will be used in preference to your own.
1483
Please note that using
1484
\fBALL\fR
1485
can be dangerous since in a command context, it allows the user to run
1486
\fBany\fR
1487
command on the system.
1488
.PP
1489
An exclamation point
1490
(`\&!')
1491
can be used as a logical
1492
\fInot\fR
1493
operator both in an
1494
\fIalias\fR
1495
and in front of a
1496
\fRCmnd\fR.
1497
This allows one to exclude certain values.
1498
Note, however, that using a
1499
`\&!'
1500
in conjunction with the built-in
1501
\fBALL\fR
1502
alias to allow a user to run
1503
``all but a few''
1504
commands rarely works as intended (see
1505
\fISECURITY NOTES\fR
1506
below).
1507
.PP
1508
Long lines can be continued with a backslash
1509
(`\e')
1510
as the last character on the line.
1511
.PP
1512
White space between elements in a list as well as special syntactic
1513
characters in a
1514
\fIUser Specification\fR
1515
(`=\&',
1516
`:\&',
1517
`(\&',
1518
`)\&')
1519
is optional.
1520
.PP
1521
The following characters must be escaped with a backslash
1522
(`\e')
1523
when used as part of a word (e.g.\& a user name or host name):
1524
`\&!',
1525
`=\&',
1526
`:\&',
1527
`,\&',
1528
`(\&',
1529
`)\&',
1530
`\e'.
890
1531
.SH "SUDOERS OPTIONS"
891
.IX Header "SUDOERS OPTIONS"
892
\&\fBsudo\fR's behavior can be modified by \f(CW\*(C`Default_Entry\*(C'\fR lines, as
893
explained earlier. A list of all supported Defaults parameters,
894
grouped by type, are listed below.
1532
\fBsudo\fR's
1533
behavior can be modified by
1534
\fRDefault_Entry\fR
1535
lines, as explained earlier.
1536
A list of all supported Defaults parameters, grouped by type, are listed below.
895
1537
.PP
896
\&\fBBoolean Flags\fR:
897
.IP "always_set_home" 16
898
.IX Item "always_set_home"
899
If enabled, \fBsudo\fR will set the \f(CW\*(C`HOME\*(C'\fR environment variable to the
900
home directory of the target user (which is root unless the \fB\-u\fR
901
option is used). This effectively means that the \fB\-H\fR option is
902
always implied. Note that \f(CW\*(C`HOME\*(C'\fR is already set when the the
903
\&\fIenv_reset\fR option is enabled, so \fIalways_set_home\fR is only
904
effective for configurations where either \fIenv_reset\fR is disabled
905
or \f(CW\*(C`HOME\*(C'\fR is present in the \fIenv_keep\fR list.
906
This flag is \fIoff\fR by default.
907
.IP "authenticate" 16
908
.IX Item "authenticate"
1538
\fBBoolean Flags\fR:
1539
.TP 18n
1540
always_set_home
1541
If enabled,
1542
\fBsudo\fR
1543
will set the
1544
\fRHOME\fR
1545
environment variable to the home directory of the target user
1546
(which is root unless the
1547
\fB\-u\fR
1548
option is used).
1549
This effectively means that the
1550
\fB\-H\fR
1551
option is always implied.
1552
Note that
1553
\fRHOME\fR
1554
is already set when the the
1555
\fIenv_reset\fR
1556
option is enabled, so
1557
\fIalways_set_home\fR
1558
is only effective for configurations where either
1559
\fIenv_reset\fR
1560
is disabled or
1561
\fRHOME\fR
1562
is present in the
1563
\fIenv_keep\fR
1564
list.
1565
This flag is
1566
\fIoff\fR
1567
by default.
1568
.TP 18n
1569
authenticate
909
1570
If set, users must authenticate themselves via a password (or other
910
means of authentication) before they may run commands. This default
911
may be overridden via the \f(CW\*(C`PASSWD\*(C'\fR and \f(CW\*(C`NOPASSWD\*(C'\fR tags.
912
This flag is \fIon\fR by default.
913
.IP "closefrom_override" 16
914
.IX Item "closefrom_override"
915
If set, the user may use \fBsudo\fR's \fB\-C\fR option which
916
overrides the default starting point at which \fBsudo\fR begins
917
closing open file descriptors. This flag is \fIoff\fR by default.
918
.IP "compress_io" 16
919
.IX Item "compress_io"
920
If set, and \fBsudo\fR is configured to log a command's input or output,
921
the I/O logs will be compressed using \fBzlib\fR. This flag is \fIon\fR
922
by default when \fBsudo\fR is compiled with \fBzlib\fR support.
923
.IP "env_editor" 16
924
.IX Item "env_editor"
925
If set, \fBvisudo\fR will use the value of the \s-1EDITOR\s0 or \s-1VISUAL\s0
1571
means of authentication) before they may run commands.
1572
This default may be overridden via the
1573
\fRPASSWD\fR
1574
and
1575
\fRNOPASSWD\fR
1576
tags.
1577
This flag is
1578
\fIon\fR
1579
by default.
1580
.TP 18n
1581
closefrom_override
1582
If set, the user may use
1583
\fBsudo\fR's
1584
\fB\-C\fR
1585
option which overrides the default starting point at which
1586
\fBsudo\fR
1587
begins closing open file descriptors.
1588
This flag is
1589
\fIoff\fR
1590
by default.
1591
.TP 18n
1592
compress_io
1593
If set, and
1594
\fBsudo\fR
1595
is configured to log a command's input or output,
1596
the I/O logs will be compressed using
1597
\fBzlib\fR.
1598
This flag is
1599
\fIon\fR
1600
by default when
1601
\fBsudo\fR
1602
is compiled with
1603
\fBzlib\fR
1604
support.
1605
.TP 18n
1606
env_editor
1607
If set,
1608
\fBvisudo\fR
1609
will use the value of the
1610
\fREDITOR\fR
1611
or
1612
\fRVISUAL\fR
926
1613
environment variables before falling back on the default editor list.
927
1614
Note that this may create a security hole as it allows the user to
928
run any arbitrary command as root without logging. A safer alternative
929
is to place a colon-separated list of editors in the \f(CW\*(C`editor\*(C'\fR
930
variable. \fBvisudo\fR will then only use the \s-1EDITOR\s0 or \s-1VISUAL\s0 if
931
they match a value specified in \f(CW\*(C`editor\*(C'\fR. This flag is \fI@env_editor@\fR by
932
default.
933
.IP "env_reset" 16
934
.IX Item "env_reset"
935
If set, \fBsudo\fR will run the command in a minimal environment
936
containing the \f(CW\*(C`TERM\*(C'\fR, \f(CW\*(C`PATH\*(C'\fR, \f(CW\*(C`HOME\*(C'\fR, \f(CW\*(C`MAIL\*(C'\fR, \f(CW\*(C`SHELL\*(C'\fR,
937
\&\f(CW\*(C`LOGNAME\*(C'\fR, \f(CW\*(C`USER\*(C'\fR, \f(CW\*(C`USERNAME\*(C'\fR and \f(CW\*(C`SUDO_*\*(C'\fR variables. Any
938
variables in the caller's environment that match the \f(CW\*(C`env_keep\*(C'\fR
939
and \f(CW\*(C`env_check\*(C'\fR lists are then added, followed by any variables
940
present in the file specified by the \fIenv_file\fR option (if any).
941
The default contents of the \f(CW\*(C`env_keep\*(C'\fR and \f(CW\*(C`env_check\*(C'\fR lists are
942
displayed when \fBsudo\fR is run by root with the \fI\-V\fR option. If
943
the \fIsecure_path\fR option is set, its value will be used for the
944
\&\f(CW\*(C`PATH\*(C'\fR environment variable. This flag is \fI@env_reset@\fR by
945
default.
946
.IP "fast_glob" 16
947
.IX Item "fast_glob"
948
Normally, \fBsudo\fR uses the \fIglob\fR\|(3) function to do shell-style
949
globbing when matching path names. However, since it accesses the
950
file system, \fIglob\fR\|(3) can take a long time to complete for some
951
patterns, especially when the pattern references a network file
952
system that is mounted on demand (automounted). The \fIfast_glob\fR
953
option causes \fBsudo\fR to use the \fIfnmatch\fR\|(3) function, which does
954
not access the file system to do its matching. The disadvantage
955
of \fIfast_glob\fR is that it is unable to match relative path names
956
such as \fI./ls\fR or \fI../bin/ls\fR. This has security implications
957
when path names that include globbing characters are used with the
958
negation operator, \f(CW\*(Aq!\*(Aq\fR, as such rules can be trivially bypassed.
959
As such, this option should not be used when \fIsudoers\fR contains rules
960
that contain negated path names which include globbing characters.
961
This flag is \fIoff\fR by default.
962
.IP "fqdn" 16
963
.IX Item "fqdn"
1615
run any arbitrary command as root without logging.
1616
A safer alternative is to place a colon-separated list of editors
1617
in the
1618
\fReditor\fR
1619
variable.
1620
\fBvisudo\fR
1621
will then only use the
1622
\fREDITOR\fR
1623
or
1624
\fRVISUAL\fR
1625
if they match a value specified in
1626
\fReditor\fR.
1627
This flag is
1628
\fI@env_editor@\fR
1629
by
1630
default.
1631
.TP 18n
1632
env_reset
1633
If set,
1634
\fBsudo\fR
1635
will run the command in a minimal environment containing the
1636
\fRTERM\fR,
1637
\fRPATH\fR,
1638
\fRHOME\fR,
1639
\fRMAIL\fR,
1640
\fRSHELL\fR,
1641
\fRLOGNAME\fR,
1642
\fRUSER\fR,
1643
\fRUSERNAME\fR
1644
and
1645
\fRSUDO_*\fR
1646
variables.
1647
Any
1648
variables in the caller's environment that match the
1649
\fRenv_keep\fR
1650
and
1651
\fRenv_check\fR
1652
lists are then added, followed by any variables present in the file
1653
specified by the
1654
\fIenv_file\fR
1655
option (if any).
1656
The default contents of the
1657
\fRenv_keep\fR
1658
and
1659
\fRenv_check\fR
1660
lists are displayed when
1661
\fBsudo\fR
1662
is run by root with the
1663
\fB\-V\fR
1664
option.
1665
If the
1666
\fIsecure_path\fR
1667
option is set, its value will be used for the
1668
\fRPATH\fR
1669
environment variable.
1670
This flag is
1671
\fI@env_reset@\fR
1672
by default.
1673
.TP 18n
1674
fast_glob
1675
Normally,
1676
\fBsudo\fR
1677
uses the
1678
glob(3)
1679
function to do shell-style globbing when matching path names.
1680
However, since it accesses the file system,
1681
glob(3)
1682
can take a long time to complete for some patterns, especially
1683
when the pattern references a network file system that is mounted
1684
on demand (auto mounted).
1685
The
1686
\fIfast_glob\fR
1687
option causes
1688
\fBsudo\fR
1689
to use the
1690
fnmatch(3)
1691
function, which does not access the file system to do its matching.
1692
The disadvantage of
1693
\fIfast_glob\fR
1694
is that it is unable to match relative path names such as
1695
\fI./ls\fR
1696
or
1697
\fI../bin/ls\fR.
1698
This has security implications when path names that include globbing
1699
characters are used with the negation operator,
1700
`!\&',
1701
as such rules can be trivially bypassed.
1702
As such, this option should not be used when
1703
\fIsudoers\fR
1704
contains rules that contain negated path names which include globbing
1705
characters.
1706
This flag is
1707
\fIoff\fR
1708
by default.
1709
.TP 18n
1710
fqdn
964
1711
Set this flag if you want to put fully qualified host names in the
965
\&\fIsudoers\fR file. I.e., instead of myhost you would use myhost.mydomain.edu.
1712
\fIsudoers\fR
1713
file when the local host name (as returned by the
1714
\fRhostname\fR
1715
command) does not contain the domain name.
1716
In other words, instead of myhost you would use myhost.mydomain.edu.
966
1717
You may still use the short form if you wish (and even mix the two).
967
Beware that turning on \fIfqdn\fR requires \fBsudo\fR to make \s-1DNS\s0 lookups
968
which may make \fBsudo\fR unusable if \s-1DNS\s0 stops working (for example
969
if the machine is not plugged into the network). Also note that
970
you must use the host's official name as \s-1DNS\s0 knows it. That is,
971
you may not use a host alias (\f(CW\*(C`CNAME\*(C'\fR entry) due to performance
972
issues and the fact that there is no way to get all aliases from
973
\&\s-1DNS\s0. If your machine's host name (as returned by the \f(CW\*(C`hostname\*(C'\fR
974
command) is already fully qualified you shouldn't need to set
975
\&\fIfqdn\fR. This flag is \fI@fqdn@\fR by default.
976
.IP "ignore_dot" 16
977
.IX Item "ignore_dot"
978
If set, \fBsudo\fR will ignore '.' or '' (current dir) in the \f(CW\*(C`PATH\*(C'\fR
979
environment variable; the \f(CW\*(C`PATH\*(C'\fR itself is not modified. This
980
flag is \fI@ignore_dot@\fR by default.
981
.IP "ignore_local_sudoers" 16
982
.IX Item "ignore_local_sudoers"
983
If set via \s-1LDAP\s0, parsing of \fI@sysconfdir@/sudoers\fR will be skipped.
1718
This option is only effective when the
1719
``canonical''
1720
host name, as returned by the
1721
\fBgetaddrinfo\fR()
1722
or
1723
\fBgethostbyname\fR()
1724
function, is a fully-qualified domain name.
1725
This is usually the case when the system is configured to use DNS
1726
for host name resolution.
1727
.sp
1728
If the system is configured to use the
1729
\fI/etc/hosts\fR
1730
file in preference to DNS, the
1731
``canonical''
1732
host name may not be fully-qualified.
1733
The order that sources are queried for hosts name resolution
1734
is usually specified in the
1735
\fI@nsswitch_conf@\fR,
1736
\fI@netsvc_conf@\fR,
1737
\fI/etc/host.conf\fR,
1738
or, in some cases,
1739
\fI/etc/resolv.conf\fR
1740
file.
1741
In the
1742
\fI/etc/hosts\fR
1743
file, the first host name of the entry is considered to be the
1744
``canonical''
1745
name; subsequent names are aliases that are not used by
1746
\fBsudoers\fR.
1747
For example, the following hosts file line for the machine
1748
``xyzzy''
1749
has the fully-qualified domain name as the
1750
``canonical''
1751
host name, and the short version as an alias.
1752
.sp
1753
.RS 6n
1754
192.168.1.1 xyzzy.sudo.ws xyzzy
1755
.RE
1756
.sp
1757
If the machine's hosts file entry is not formatted properly, the
1758
\fIfqdn\fR
1759
option will not be effective if it is queried before DNS.
1760
.sp
1761
Beware that when using DNS for host name resolution, turning on
1762
\fIfqdn\fR
1763
requires
1764
\fBsudoers\fR
1765
to make DNS lookups which renders
1766
\fBsudo\fR
1767
unusable if DNS stops working (for example if the machine is disconnected
1768
from the network).
1769
Also note that just like with the hosts file, you must use the
1770
``canonical''
1771
name as DNS knows it.
1772
That is, you may not use a host alias
1773
(\fRCNAME\fR
1774
entry)
1775
due to performance issues and the fact that there is no way to get all
1776
aliases from DNS.
1777
.sp
1778
This flag is
1779
\fI@fqdn@\fR
1780
by default.
1781
.TP 18n
1782
ignore_dot
1783
If set,
1784
\fBsudo\fR
1785
will ignore "." or "" (both denoting current directory) in the
1786
\fRPATH\fR
1787
environment variable; the
1788
\fRPATH\fR
1789
itself is not modified.
1790
This flag is
1791
\fI@ignore_dot@\fR
1792
by default.
1793
.TP 18n
1794
ignore_local_sudoers
1795
If set via LDAP, parsing of
1796
\fI@sysconfdir@/sudoers\fR
1797
will be skipped.
984
1798
This is intended for Enterprises that wish to prevent the usage of local
985
sudoers files so that only \s-1LDAP\s0 is used. This thwarts the efforts of
986
rogue operators who would attempt to add roles to \fI@sysconfdir@/sudoers\fR.
987
When this option is present, \fI@sysconfdir@/sudoers\fR does not even need to
988
exist. Since this option tells \fBsudo\fR how to behave when no specific \s-1LDAP\s0
989
entries have been matched, this sudoOption is only meaningful for the
990
\&\f(CW\*(C`cn=defaults\*(C'\fR section. This flag is \fIoff\fR by default.
991
.IP "insults" 16
992
.IX Item "insults"
993
If set, \fBsudo\fR will insult users when they enter an incorrect
994
password. This flag is \fI@insults@\fR by default.
995
.IP "log_host" 16
996
.IX Item "log_host"
997
If set, the host name will be logged in the (non-syslog) \fBsudo\fR log file.
998
This flag is \fIoff\fR by default.
999
.IP "log_input" 16
1000
.IX Item "log_input"
1001
If set, \fBsudo\fR will run the command in a \fIpseudo tty\fR and log all
1002
user input.
1799
sudoers files so that only LDAP is used.
1800
This thwarts the efforts of rogue operators who would attempt to add roles to
1801
\fI@sysconfdir@/sudoers\fR.
1802
When this option is present,
1803
\fI@sysconfdir@/sudoers\fR
1804
does not even need to exist.
1805
Since this option tells
1806
\fBsudo\fR
1807
how to behave when no specific LDAP entries have been matched, this
1808
sudoOption is only meaningful for the
1809
\fRcn=defaults\fR
1810
section.
1811
This flag is
1812
\fIoff\fR
1813
by default.
1814
.TP 18n
1815
insults
1816
If set,
1817
\fBsudo\fR
1818
will insult users when they enter an incorrect password.
1819
This flag is
1820
\fI@insults@\fR
1821
by default.
1822
.TP 18n
1823
log_host
1824
If set, the host name will be logged in the (non-syslog)
1825
\fBsudo\fR
1826
log file.
1827
This flag is
1828
\fIoff\fR
1829
by default.
1830
.TP 18n
1831
log_input
1832
If set,
1833
\fBsudo\fR
1834
will run the command in a
1835
\fIpseudo tty\fR
1836
and log all user input.
1003
1837
If the standard input is not connected to the user's tty, due to
1004
1838
I/O redirection or because the command is part of a pipeline, that
1005
1839
input is also captured and stored in a separate log file.
1006
.Sp
1007
Input is logged to the directory specified by the \fIiolog_dir\fR
1008
option (\fI@iolog_dir@\fR by default) using a unique session \s-1ID\s0 that
1009
is included in the normal \fBsudo\fR log line, prefixed with \fITSID=\fR.
1010
The \fIiolog_file\fR option may be used to control the format of the
1011
session \s-1ID\s0.
1012
.Sp
1840
.sp
1841
Input is logged to the directory specified by the
1842
\fIiolog_dir\fR
1843
option
1844
(\fI@iolog_dir@\fR
1845
by default)
1846
using a unique session ID that is included in the normal
1847
\fBsudo\fR
1848
log line, prefixed with
1849
``\fRTSID=\fR''.
1850
The
1851
\fIiolog_file\fR
1852
option may be used to control the format of the session ID.
1853
.sp
1013
1854
Note that user input may contain sensitive information such as
1014
1855
passwords (even if they are not echoed to the screen), which will
1015
be stored in the log file unencrypted. In most cases, logging the
1016
command output via \fIlog_output\fR is all that is required.
1017
.IP "log_output" 16
1018
.IX Item "log_output"
1019
If set, \fBsudo\fR will run the command in a \fIpseudo tty\fR and log all
1020
output that is sent to the screen, similar to the \fIscript\fR\|(1) command.
1856
be stored in the log file unencrypted.
1857
In most cases, logging the command output via
1858
\fIlog_output\fR
1859
is all that is required.
1860
.TP 18n
1861
log_output
1862
If set,
1863
\fBsudo\fR
1864
will run the command in a
1865
\fIpseudo tty\fR
1866
and log all output that is sent to the screen, similar to the
1867
script(1)
1868
command.
1021
1869
If the standard output or standard error is not connected to the
1022
1870
user's tty, due to I/O redirection or because the command is part
1023
1871
of a pipeline, that output is also captured and stored in separate
1024
1872
log files.
1025
.Sp
1026
Output is logged to the directory specified by the \fIiolog_dir\fR
1027
option (\fI@iolog_dir@\fR by default) using a unique session \s-1ID\s0 that
1028
is included in the normal \fBsudo\fR log line, prefixed with \fITSID=\fR.
1029
The \fIiolog_file\fR option may be used to control the format of the
1030
session \s-1ID\s0.
1031
.Sp
1032
Output logs may be viewed with the \fIsudoreplay\fR\|(@mansectsu@) utility, which
1033
can also be used to list or search the available logs.
1034
.IP "log_year" 16
1035
.IX Item "log_year"
1036
If set, the four-digit year will be logged in the (non-syslog) \fBsudo\fR log file.
1037
This flag is \fIoff\fR by default.
1038
.IP "long_otp_prompt" 16
1039
.IX Item "long_otp_prompt"
1040
When validating with a One Time Password (\s-1OTP\s0) scheme such as
1041
\&\fBS/Key\fR or \fB\s-1OPIE\s0\fR, a two-line prompt is used to make it easier
1042
to cut and paste the challenge to a local window. It's not as
1043
pretty as the default but some people find it more convenient. This
1044
flag is \fI@long_otp_prompt@\fR by default.
1045
.IP "mail_always" 16
1046
.IX Item "mail_always"
1047
Send mail to the \fImailto\fR user every time a users runs \fBsudo\fR.
1048
This flag is \fIoff\fR by default.
1049
.IP "mail_badpass" 16
1050
.IX Item "mail_badpass"
1051
Send mail to the \fImailto\fR user if the user running \fBsudo\fR does not
1052
enter the correct password. This flag is \fIoff\fR by default.
1053
.IP "mail_no_host" 16
1054
.IX Item "mail_no_host"
1055
If set, mail will be sent to the \fImailto\fR user if the invoking
1056
user exists in the \fIsudoers\fR file, but is not allowed to run
1057
commands on the current host. This flag is \fI@mail_no_host@\fR by default.
1058
.IP "mail_no_perms" 16
1059
.IX Item "mail_no_perms"
1060
If set, mail will be sent to the \fImailto\fR user if the invoking
1061
user is allowed to use \fBsudo\fR but the command they are trying is not
1062
listed in their \fIsudoers\fR file entry or is explicitly denied.
1063
This flag is \fI@mail_no_perms@\fR by default.
1064
.IP "mail_no_user" 16
1065
.IX Item "mail_no_user"
1066
If set, mail will be sent to the \fImailto\fR user if the invoking
1067
user is not in the \fIsudoers\fR file. This flag is \fI@mail_no_user@\fR
1068
by default.
1069
.IP "noexec" 16
1070
.IX Item "noexec"
1071
If set, all commands run via \fBsudo\fR will behave as if the \f(CW\*(C`NOEXEC\*(C'\fR
1072
tag has been set, unless overridden by a \f(CW\*(C`EXEC\*(C'\fR tag. See the
1073
description of \fI\s-1NOEXEC\s0 and \s-1EXEC\s0\fR below as well as the \*(L"Preventing Shell
1074
Escapes\*(R" section at the end of this manual. This flag is \fIoff\fR by default.
1075
.IP "path_info" 16
1076
.IX Item "path_info"
1077
Normally, \fBsudo\fR will tell the user when a command could not be
1078
found in their \f(CW\*(C`PATH\*(C'\fR environment variable. Some sites may wish
1079
to disable this as it could be used to gather information on the
1080
location of executables that the normal user does not have access
1081
to. The disadvantage is that if the executable is simply not in
1082
the user's \f(CW\*(C`PATH\*(C'\fR, \fBsudo\fR will tell the user that they are not
1083
allowed to run it, which can be confusing. This flag is \fI@path_info@\fR
1084
by default.
1085
.IP "passprompt_override" 16
1086
.IX Item "passprompt_override"
1087
The password prompt specified by \fIpassprompt\fR will normally only
1088
be used if the password prompt provided by systems such as \s-1PAM\s0 matches
1089
the string \*(L"Password:\*(R". If \fIpassprompt_override\fR is set, \fIpassprompt\fR
1090
will always be used. This flag is \fIoff\fR by default.
1091
.IP "preserve_groups" 16
1092
.IX Item "preserve_groups"
1093
By default, \fBsudo\fR will initialize the group vector to the list of
1094
groups the target user is in. When \fIpreserve_groups\fR is set, the
1095
user's existing group vector is left unaltered. The real and
1096
effective group IDs, however, are still set to match the target
1097
user. This flag is \fIoff\fR by default.
1098
.IP "pwfeedback" 16
1099
.IX Item "pwfeedback"
1100
By default, \fBsudo\fR reads the password like most other Unix programs,
1873
.sp
1874
Output is logged to the directory specified by the
1875
\fIiolog_dir\fR
1876
option
1877
(\fI@iolog_dir@\fR
1878
by default)
1879
using a unique session ID that is included in the normal
1880
\fBsudo\fR
1881
log line, prefixed with
1882
``\fRTSID=\fR''.
1883
The
1884
\fIiolog_file\fR
1885
option may be used to control the format of the session ID.
1886
.sp
1887
Output logs may be viewed with the
1888
sudoreplay(@mansectsu@)
1889
utility, which can also be used to list or search the available logs.
1890
.TP 18n
1891
log_year
1892
If set, the four-digit year will be logged in the (non-syslog)
1893
\fBsudo\fR
1894
log file.
1895
This flag is
1896
\fIoff\fR
1897
by default.
1898
.TP 18n
1899
long_otp_prompt
1900
When validating with a One Time Password (OTP) scheme such as
1901
\fBS/Key\fR
1902
or
1903
\fBOPIE\fR,
1904
a two-line prompt is used to make it easier
1905
to cut and paste the challenge to a local window.
1906
It's not as pretty as the default but some people find it more convenient.
1907
This flag is
1908
\fI@long_otp_prompt@\fR
1909
by default.
1910
.TP 18n
1911
mail_always
1912
Send mail to the
1913
\fImailto\fR
1914
user every time a users runs
1915
\fBsudo\fR.
1916
This flag is
1917
\fIoff\fR
1918
by default.
1919
.TP 18n
1920
mail_badpass
1921
Send mail to the
1922
\fImailto\fR
1923
user if the user running
1924
\fBsudo\fR
1925
does not enter the correct password.
1926
If the command the user is attempting to run is not permitted by
1927
\fIsudoers\fR
1928
and one of the
1929
\fImail_always\fR,
1930
\fImail_no_host\fR,
1931
\fImail_no_perms\fR
1932
or
1933
\fImail_no_user\fR
1934
flags are set, this flag will have no effect.
1935
This flag is
1936
\fIoff\fR
1937
by default.
1938
.TP 18n
1939
mail_no_host
1940
If set, mail will be sent to the
1941
\fImailto\fR
1942
user if the invoking user exists in the
1943
\fIsudoers\fR
1944
file, but is not allowed to run commands on the current host.
1945
This flag is
1946
\fI@mail_no_host@\fR
1947
by default.
1948
.TP 18n
1949
mail_no_perms
1950
If set, mail will be sent to the
1951
\fImailto\fR
1952
user if the invoking user is allowed to use
1953
\fBsudo\fR
1954
but the command they are trying is not listed in their
1955
\fIsudoers\fR
1956
file entry or is explicitly denied.
1957
This flag is
1958
\fI@mail_no_perms@\fR
1959
by default.
1960
.TP 18n
1961
mail_no_user
1962
If set, mail will be sent to the
1963
\fImailto\fR
1964
user if the invoking user is not in the
1965
\fIsudoers\fR
1966
file.
1967
This flag is
1968
\fI@mail_no_user@\fR
1969
by default.
1970
.TP 18n
1971
noexec
1972
If set, all commands run via
1973
\fBsudo\fR
1974
will behave as if the
1975
\fRNOEXEC\fR
1976
tag has been set, unless overridden by a
1977
\fREXEC\fR
1978
tag.
1979
See the description of
1980
\fINOEXEC and EXEC\fR
1981
below as well as the
1982
\fIPreventing shell escapes\fR
1983
section at the end of this manual.
1984
This flag is
1985
\fIoff\fR
1986
by default.
1987
.TP 18n
1988
path_info
1989
Normally,
1990
\fBsudo\fR
1991
will tell the user when a command could not be
1992
found in their
1993
\fRPATH\fR
1994
environment variable.
1995
Some sites may wish to disable this as it could be used to gather
1996
information on the location of executables that the normal user does
1997
not have access to.
1998
The disadvantage is that if the executable is simply not in the user's
1999
\fRPATH\fR,
2000
\fBsudo\fR
2001
will tell the user that they are not allowed to run it, which can be confusing.
2002
This flag is
2003
\fI@path_info@\fR
2004
by default.
2005
.TP 18n
2006
passprompt_override
2007
The password prompt specified by
2008
\fIpassprompt\fR
2009
will normally only be used if the password prompt provided by systems
2010
such as PAM matches the string
2011
``Password:''.
2012
If
2013
\fIpassprompt_override\fR
2014
is set,
2015
\fIpassprompt\fR
2016
will always be used.
2017
This flag is
2018
\fIoff\fR
2019
by default.
2020
.TP 18n
2021
preserve_groups
2022
By default,
2023
\fBsudo\fR
2024
will initialize the group vector to the list of groups the target user is in.
2025
When
2026
\fIpreserve_groups\fR
2027
is set, the user's existing group vector is left unaltered.
2028
The real and effective group IDs, however, are still set to match the
2029
target user.
2030
This flag is
2031
\fIoff\fR
2032
by default.
2033
.TP 18n
2034
pwfeedback
2035
By default,
2036
\fBsudo\fR
2037
reads the password like most other Unix programs,
1101
2038
by turning off echo until the user hits the return (or enter) key.
1102
Some users become confused by this as it appears to them that \fBsudo\fR
1103
has hung at this point. When \fIpwfeedback\fR is set, \fBsudo\fR will
1104
provide visual feedback when the user presses a key. Note that
1105
this does have a security impact as an onlooker may be able to
2039
Some users become confused by this as it appears to them that
2040
\fBsudo\fR
2041
has hung at this point.
2042
When
2043
\fIpwfeedback\fR
2044
is set,
2045
\fBsudo\fR
2046
will provide visual feedback when the user presses a key.
2047
Note that this does have a security impact as an onlooker may be able to
1106
2048
determine the length of the password being entered.
1107
This flag is \fIoff\fR by default.
1108
.IP "requiretty" 16
1109
.IX Item "requiretty"
1110
If set, \fBsudo\fR will only run when the user is logged in to a real
1111
tty. When this flag is set, \fBsudo\fR can only be run from a login
1112
session and not via other means such as \fIcron\fR\|(@mansectsu@) or cgi-bin scripts.
1113
This flag is \fIoff\fR by default.
1114
.IP "root_sudo" 16
1115
.IX Item "root_sudo"
1116
If set, root is allowed to run \fBsudo\fR too. Disabling this prevents users
1117
from \*(L"chaining\*(R" \fBsudo\fR commands to get a root shell by doing something
1118
like \f(CW"sudo sudo /bin/sh"\fR. Note, however, that turning off \fIroot_sudo\fR
1119
will also prevent root from running \fBsudoedit\fR.
1120
Disabling \fIroot_sudo\fR provides no real additional security; it
1121
exists purely for historical reasons.
1122
This flag is \fI@root_sudo@\fR by default.
1123
.IP "rootpw" 16
1124
.IX Item "rootpw"
1125
If set, \fBsudo\fR will prompt for the root password instead of the password
1126
of the invoking user. This flag is \fIoff\fR by default.
1127
.IP "runaspw" 16
1128
.IX Item "runaspw"
1129
If set, \fBsudo\fR will prompt for the password of the user defined by the
1130
\&\fIrunas_default\fR option (defaults to \f(CW\*(C`@runas_default@\*(C'\fR) instead of the
1131
password of the invoking user. This flag is \fIoff\fR by default.
1132
.IP "set_home" 16
1133
.IX Item "set_home"
1134
If enabled and \fBsudo\fR is invoked with the \fB\-s\fR option the \f(CW\*(C`HOME\*(C'\fR
2049
This flag is
2050
\fIoff\fR
2051
by default.
2052
.TP 18n
2053
requiretty
2054
If set,
2055
\fBsudo\fR
2056
will only run when the user is logged in to a real tty.
2057
When this flag is set,
2058
\fBsudo\fR
2059
can only be run from a login session and not via other means such as
2060
cron(@mansectsu@)
2061
or cgi-bin scripts.
2062
This flag is
2063
\fIoff\fR
2064
by default.
2065
.TP 18n
2066
root_sudo
2067
If set, root is allowed to run
2068
\fBsudo\fR
2069
too.
2070
Disabling this prevents users from
2071
``chaining''
2072
\fBsudo\fR
2073
commands to get a root shell by doing something like
2074
``\fRsudo sudo /bin/sh\fR''.
2075
Note, however, that turning off
2076
\fIroot_sudo\fR
2077
will also prevent root from running
2078
\fBsudoedit\fR.
2079
Disabling
2080
\fIroot_sudo\fR
2081
provides no real additional security; it exists purely for historical reasons.
2082
This flag is
2083
\fI@root_sudo@\fR
2084
by default.
2085
.TP 18n
2086
rootpw
2087
If set,
2088
\fBsudo\fR
2089
will prompt for the root password instead of the password of the invoking user.
2090
This flag is
2091
\fIoff\fR
2092
by default.
2093
.TP 18n
2094
runaspw
2095
If set,
2096
\fBsudo\fR
2097
will prompt for the password of the user defined by the
2098
\fIrunas_default\fR
2099
option (defaults to
2100
\fR@runas_default@\fR)
2101
instead of the password of the invoking user.
2102
This flag is
2103
\fIoff\fR
2104
by default.
2105
.TP 18n
2106
set_home
2107
If enabled and
2108
\fBsudo\fR
2109
is invoked with the
2110
\fB\-s\fR
2111
option the
2112
\fRHOME\fR
1135
2113
environment variable will be set to the home directory of the target
1136
user (which is root unless the \fB\-u\fR option is used). This effectively
1137
makes the \fB\-s\fR option imply \fB\-H\fR. Note that \f(CW\*(C`HOME\*(C'\fR is already
1138
set when the the \fIenv_reset\fR option is enabled, so \fIset_home\fR is
1139
only effective for configurations where either \fIenv_reset\fR is disabled
1140
or \f(CW\*(C`HOME\*(C'\fR is present in the \fIenv_keep\fR list.
1141
This flag is \fIoff\fR by default.
1142
.IP "set_logname" 16
1143
.IX Item "set_logname"
1144
Normally, \fBsudo\fR will set the \f(CW\*(C`LOGNAME\*(C'\fR, \f(CW\*(C`USER\*(C'\fR and \f(CW\*(C`USERNAME\*(C'\fR
1145
environment variables to the name of the target user (usually root
1146
unless the \fB\-u\fR option is given). However, since some programs
1147
(including the \s-1RCS\s0 revision control system) use \f(CW\*(C`LOGNAME\*(C'\fR to
1148
determine the real identity of the user, it may be desirable to
1149
change this behavior. This can be done by negating the set_logname
1150
option. Note that if the \fIenv_reset\fR option has not been disabled,
1151
entries in the \fIenv_keep\fR list will override the value of
1152
\&\fIset_logname\fR. This flag is \fIon\fR by default.
1153
.IP "set_utmp" 16
1154
.IX Item "set_utmp"
1155
When enabled, \fBsudo\fR will create an entry in the utmp (or utmpx)
1156
file when a pseudo-tty is allocated. A pseudo-tty is allocated by
1157
\&\fBsudo\fR when the \fIlog_input\fR, \fIlog_output\fR or \fIuse_pty\fR flags
1158
are enabled. By default, the new entry will be a copy of the user's
1159
existing utmp entry (if any), with the tty, time, type and pid
1160
fields updated. This flag is \fIon\fR by default.
1161
.IP "setenv" 16
1162
.IX Item "setenv"
1163
Allow the user to disable the \fIenv_reset\fR option from the command
1164
line via the \fB\-E\fR option. Additionally, environment variables set
1165
via the command line are not subject to the restrictions imposed
1166
by \fIenv_check\fR, \fIenv_delete\fR, or \fIenv_keep\fR. As such, only
1167
trusted users should be allowed to set variables in this manner.
1168
This flag is \fIoff\fR by default.
1169
.IP "shell_noargs" 16
1170
.IX Item "shell_noargs"
1171
If set and \fBsudo\fR is invoked with no arguments it acts as if the
1172
\&\fB\-s\fR option had been given. That is, it runs a shell as root (the
1173
shell is determined by the \f(CW\*(C`SHELL\*(C'\fR environment variable if it is
1174
set, falling back on the shell listed in the invoking user's
1175
/etc/passwd entry if not). This flag is \fIoff\fR by default.
1176
.IP "stay_setuid" 16
1177
.IX Item "stay_setuid"
1178
Normally, when \fBsudo\fR executes a command the real and effective
1179
UIDs are set to the target user (root by default). This option
1180
changes that behavior such that the real \s-1UID\s0 is left as the invoking
1181
user's \s-1UID\s0. In other words, this makes \fBsudo\fR act as a setuid
1182
wrapper. This can be useful on systems that disable some potentially
1183
dangerous functionality when a program is run setuid. This option
1184
is only effective on systems with either the \fIsetreuid()\fR or \fIsetresuid()\fR
1185
function. This flag is \fIoff\fR by default.
1186
.IP "targetpw" 16
1187
.IX Item "targetpw"
1188
If set, \fBsudo\fR will prompt for the password of the user specified
1189
by the \fB\-u\fR option (defaults to \f(CW\*(C`root\*(C'\fR) instead of the password
1190
of the invoking user. In addition, the timestamp file name will
1191
include the target user's name. Note that this flag precludes the
1192
use of a uid not listed in the passwd database as an argument to
1193
the \fB\-u\fR option. This flag is \fIoff\fR by default.
1194
.IP "tty_tickets" 16
1195
.IX Item "tty_tickets"
1196
If set, users must authenticate on a per-tty basis. With this flag
1197
enabled, \fBsudo\fR will use a file named for the tty the user is
1198
logged in on in the user's time stamp directory. If disabled, the
1199
time stamp of the directory is used instead. This flag is
1200
\&\fI@tty_tickets@\fR by default.
1201
.IP "umask_override" 16
1202
.IX Item "umask_override"
1203
If set, \fBsudo\fR will set the umask as specified by \fIsudoers\fR without
1204
modification. This makes it possible to specify a more permissive
1205
umask in \fIsudoers\fR than the user's own umask and matches historical
1206
behavior. If \fIumask_override\fR is not set, \fBsudo\fR will set the
1207
umask to be the union of the user's umask and what is specified in
1208
\&\fIsudoers\fR. This flag is \fI@umask_override@\fR by default.
1209
.if \n(LC \{\
1210
.IP "use_loginclass" 16
1211
.IX Item "use_loginclass"
1212
If set, \fBsudo\fR will apply the defaults specified for the target user's
1213
login class if one exists. Only available if \fBsudo\fR is configured with
1214
the \-\-with\-logincap option. This flag is \fIoff\fR by default.
1215
\}
1216
.IP "use_pty" 16
1217
.IX Item "use_pty"
1218
If set, \fBsudo\fR will run the command in a pseudo-pty even if no I/O
1219
logging is being gone. A malicious program run under \fBsudo\fR could
1220
conceivably fork a background process that retains to the user's
1221
terminal device after the main program has finished executing. Use
1222
of this option will make that impossible. This flag is \fIoff\fR by default.
1223
.IP "utmp_runas" 16
1224
.IX Item "utmp_runas"
1225
If set, \fBsudo\fR will store the name of the runas user when updating
1226
the utmp (or utmpx) file. By default, \fBsudo\fR stores the name of
1227
the invoking user. This flag is \fIoff\fR by default.
1228
.IP "visiblepw" 16
1229
.IX Item "visiblepw"
1230
By default, \fBsudo\fR will refuse to run if the user must enter a
1231
password but it is not possible to disable echo on the terminal.
1232
If the \fIvisiblepw\fR flag is set, \fBsudo\fR will prompt for a password
1233
even when it would be visible on the screen. This makes it possible
1234
to run things like \f(CW"rsh somehost sudo ls"\fR since \fIrsh\fR\|(1) does
1235
not allocate a tty. This flag is \fIoff\fR by default.
2114
user (which is root unless the
2115
\fB\-u\fR
2116
option is used).
2117
This effectively makes the
2118
\fB\-s\fR
2119
option imply
2120
\fB\-H\fR.
2121
Note that
2122
\fRHOME\fR
2123
is already set when the the
2124
\fIenv_reset\fR
2125
option is enabled, so
2126
\fIset_home\fR
2127
is only effective for configurations where either
2128
\fIenv_reset\fR
2129
is disabled
2130
or
2131
\fRHOME\fR
2132
is present in the
2133
\fIenv_keep\fR
2134
list.
2135
This flag is
2136
\fIoff\fR
2137
by default.
2138
.TP 18n
2139
set_logname
2140
Normally,
2141
\fBsudo\fR
2142
will set the
2143
\fRLOGNAME\fR,
2144
\fRUSER\fR
2145
and
2146
\fRUSERNAME\fR
2147
environment variables to the name of the target user (usually root unless the
2148
\fB\-u\fR
2149
option is given).
2150
However, since some programs (including the RCS revision control system) use
2151
\fRLOGNAME\fR
2152
to determine the real identity of the user, it may be desirable to
2153
change this behavior.
2154
This can be done by negating the set_logname option.
2155
Note that if the
2156
\fIenv_reset\fR
2157
option has not been disabled, entries in the
2158
\fIenv_keep\fR
2159
list will override the value of
2160
\fIset_logname\fR.
2161
This flag is
2162
\fIon\fR
2163
by default.
2164
.TP 18n
2165
set_utmp
2166
When enabled,
2167
\fBsudo\fR
2168
will create an entry in the utmp (or utmpx) file when a pseudo-tty
2169
is allocated.
2170
A pseudo-tty is allocated by
2171
\fBsudo\fR
2172
when the
2173
\fIlog_input\fR,
2174
\fIlog_output\fR
2175
or
2176
\fIuse_pty\fR
2177
flags are enabled.
2178
By default, the new entry will be a copy of the user's existing utmp
2179
entry (if any), with the tty, time, type and pid fields updated.
2180
This flag is
2181
\fIon\fR
2182
by default.
2183
.TP 18n
2184
setenv
2185
Allow the user to disable the
2186
\fIenv_reset\fR
2187
option from the command line via the
2188
\fB\-E\fR
2189
option.
2190
Additionally, environment variables set via the command line are
2191
not subject to the restrictions imposed by
2192
\fIenv_check\fR,
2193
\fIenv_delete\fR,
2194
or
2195
\fIenv_keep\fR.
2196
As such, only trusted users should be allowed to set variables in this manner.
2197
This flag is
2198
\fIoff\fR
2199
by default.
2200
.TP 18n
2201
shell_noargs
2202
If set and
2203
\fBsudo\fR
2204
is invoked with no arguments it acts as if the
2205
\fB\-s\fR
2206
option had been given.
2207
That is, it runs a shell as root (the shell is determined by the
2208
\fRSHELL\fR
2209
environment variable if it is set, falling back on the shell listed
2210
in the invoking user's /etc/passwd entry if not).
2211
This flag is
2212
\fIoff\fR
2213
by default.
2214
.TP 18n
2215
stay_setuid
2216
Normally, when
2217
\fBsudo\fR
2218
executes a command the real and effective UIDs are set to the target
2219
user (root by default).
2220
This option changes that behavior such that the real UID is left
2221
as the invoking user's UID.
2222
In other words, this makes
2223
\fBsudo\fR
2224
act as a setuid wrapper.
2225
This can be useful on systems that disable some potentially
2226
dangerous functionality when a program is run setuid.
2227
This option is only effective on systems that support either the
2228
setreuid(2)
2229
or
2230
setresuid(2)
2231
system call.
2232
This flag is
2233
\fIoff\fR
2234
by default.
2235
.TP 18n
2236
targetpw
2237
If set,
2238
\fBsudo\fR
2239
will prompt for the password of the user specified
2240
by the
2241
\fB\-u\fR
2242
option (defaults to
2243
\fRroot\fR)
2244
instead of the password of the invoking user.
2245
In addition, the time stamp file name will include the target user's name.
2246
Note that this flag precludes the use of a uid not listed in the passwd
2247
database as an argument to the
2248
\fB\-u\fR
2249
option.
2250
This flag is
2251
\fIoff\fR
2252
by default.
2253
.TP 18n
2254
tty_tickets
2255
If set, users must authenticate on a per-tty basis.
2256
With this flag enabled,
2257
\fBsudo\fR
2258
will use a file named for the tty the user is
2259
logged in on in the user's time stamp directory.
2260
If disabled, the time stamp of the directory is used instead.
2261
This flag is
2262
\fI@tty_tickets@\fR
2263
by default.
2264
.TP 18n
2265
umask_override
2266
If set,
2267
\fBsudo\fR
2268
will set the umask as specified by
2269
\fIsudoers\fR
2270
without modification.
2271
This makes it possible to specify a more permissive umask in
2272
\fIsudoers\fR
2273
than the user's own umask and matches historical behavior.
2274
If
2275
\fIumask_override\fR
2276
is not set,
2277
\fBsudo\fR
2278
will set the umask to be the union of the user's umask and what is specified in
2279
\fIsudoers\fR.
2280
This flag is
2281
\fI@umask_override@\fR
2282
by default.
2283
.TP 18n
2284
use_loginclass
2285
If set,
2286
\fBsudo\fR
2287
will apply the defaults specified for the target user's login class
2288
if one exists.
2289
Only available if
2290
\fBsudo\fR
2291
is configured with the
2292
\fR--with-logincap\fR
2293
option.
2294
This flag is
2295
\fIoff\fR
2296
by default.
2297
.TP 18n
2298
use_pty
2299
If set,
2300
\fBsudo\fR
2301
will run the command in a pseudo-pty even if no I/O logging is being gone.
2302
A malicious program run under
2303
\fBsudo\fR
2304
could conceivably fork a background process that retains to the user's
2305
terminal device after the main program has finished executing.
2306
Use of this option will make that impossible.
2307
This flag is
2308
\fIoff\fR
2309
by default.
2310
.TP 18n
2311
utmp_runas
2312
If set,
2313
\fBsudo\fR
2314
will store the name of the runas user when updating the utmp (or utmpx) file.
2315
By default,
2316
\fBsudo\fR
2317
stores the name of the invoking user.
2318
This flag is
2319
\fIoff\fR
2320
by default.
2321
.TP 18n
2322
visiblepw
2323
By default,
2324
\fBsudo\fR
2325
will refuse to run if the user must enter a password but it is not
2326
possible to disable echo on the terminal.
2327
If the
2328
\fIvisiblepw\fR
2329
flag is set,
2330
\fBsudo\fR
2331
will prompt for a password even when it would be visible on the screen.
2332
This makes it possible to run things like
2333
``\fRssh somehost sudo ls\fR''
2334
since by default,
2335
ssh(1)
2336
does
2337
not allocate a tty when running a command.
2338
This flag is
2339
\fIoff\fR
2340
by default.
1236
2341
.PP
1237
\&\fBIntegers\fR:
1238
.IP "closefrom" 16
1239
.IX Item "closefrom"
1240
Before it executes a command, \fBsudo\fR will close all open file
1241
descriptors other than standard input, standard output and standard
1242
error (ie: file descriptors 0\-2). The \fIclosefrom\fR option can be used
1243
to specify a different file descriptor at which to start closing.
1244
The default is \f(CW3\fR.
1245
.IP "passwd_tries" 16
1246
.IX Item "passwd_tries"
2342
\fBIntegers\fR:
2343
.TP 18n
2344
closefrom
2345
Before it executes a command,
2346
\fBsudo\fR
2347
will close all open file descriptors other than standard input,
2348
standard output and standard error (ie: file descriptors 0-2).
2349
The
2350
\fIclosefrom\fR
2351
option can be used to specify a different file descriptor at which
2352
to start closing.
2353
The default is
2354
\fR3\fR.
2355
.TP 18n
2356
passwd_tries
1247
2357
The number of tries a user gets to enter his/her password before
1248
\&\fBsudo\fR logs the failure and exits. The default is \f(CW\*(C`@passwd_tries@\*(C'\fR.
1249
.PP
1250
\&\fBIntegers that can be used in a boolean context\fR:
1251
.IP "loglinelen" 16
1252
.IX Item "loglinelen"
1253
Number of characters per line for the file log. This value is used
1254
to decide when to wrap lines for nicer log files. This has no
1255
effect on the syslog log file, only the file log. The default is
1256
\&\f(CW\*(C`@loglen@\*(C'\fR (use 0 or negate the option to disable word wrap).
1257
.IP "passwd_timeout" 16
1258
.IX Item "passwd_timeout"
1259
Number of minutes before the \fBsudo\fR password prompt times out, or
1260
\&\f(CW0\fR for no timeout. The timeout may include a fractional component
1261
if minute granularity is insufficient, for example \f(CW2.5\fR. The
1262
default is \f(CW\*(C`@password_timeout@\*(C'\fR.
1263
.IP "timestamp_timeout" 16
1264
.IX Item "timestamp_timeout"
1265
Number of minutes that can elapse before \fBsudo\fR will ask for a
1266
passwd again. The timeout may include a fractional component if
1267
minute granularity is insufficient, for example \f(CW2.5\fR. The default
1268
is \f(CW\*(C`@timeout@\*(C'\fR. Set this to \f(CW0\fR to always prompt for a password.
1269
If set to a value less than \f(CW0\fR the user's timestamp will never
1270
expire. This can be used to allow users to create or delete their
1271
own timestamps via \f(CW\*(C`sudo \-v\*(C'\fR and \f(CW\*(C`sudo \-k\*(C'\fR respectively.
1272
.IP "umask" 16
1273
.IX Item "umask"
1274
Umask to use when running the command. Negate this option or set
1275
it to 0777 to preserve the user's umask. The actual umask that is
1276
used will be the union of the user's umask and the value of the
1277
\&\fIumask\fR option, which defaults to \f(CW\*(C`@sudo_umask@\*(C'\fR. This guarantees
1278
that \fBsudo\fR never lowers the umask when running a command. Note
1279
on systems that use \s-1PAM\s0, the default \s-1PAM\s0 configuration may specify
1280
its own umask which will override the value set in \fIsudoers\fR.
1281
.PP
1282
\&\fBStrings\fR:
1283
.IP "badpass_message" 16
1284
.IX Item "badpass_message"
2358
\fBsudo\fR
2359
logs the failure and exits.
2360
The default is
2361
\fR@passwd_tries@\fR.
2362
.PP
2363
\fBIntegers that can be used in a boolean context\fR:
2364
.TP 18n
2365
loglinelen
2366
Number of characters per line for the file log.
2367
This value is used to decide when to wrap lines for nicer log files.
2368
This has no effect on the syslog log file, only the file log.
2369
The default is
2370
\fR@loglen@\fR
2371
(use 0 or negate the option to disable word wrap).
2372
.TP 18n
2373
passwd_timeout
2374
Number of minutes before the
2375
\fBsudo\fR
2376
password prompt times out, or
2377
\fR0\fR
2378
for no timeout.
2379
The timeout may include a fractional component
2380
if minute granularity is insufficient, for example
2381
\fR2.5\fR.
2382
The
2383
default is
2384
\fR@password_timeout@\fR.
2385
.TP 18n
2386
timestamp_timeout
2387
.br
2388
Number of minutes that can elapse before
2389
\fBsudo\fR
2390
will ask for a passwd again.
2391
The timeout may include a fractional component if
2392
minute granularity is insufficient, for example
2393
\fR2.5\fR.
2394
The default is
2395
\fR@timeout@\fR.
2396
Set this to
2397
\fR0\fR
2398
to always prompt for a password.
2399
If set to a value less than
2400
\fR0\fR
2401
the user's time stamp will never expire.
2402
This can be used to allow users to create or delete their own time stamps via
2403
``\fRsudo -v\fR''
2404
and
2405
``\fRsudo -k\fR''
2406
respectively.
2407
.TP 18n
2408
umask
2409
Umask to use when running the command.
2410
Negate this option or set it to 0777 to preserve the user's umask.
2411
The actual umask that is used will be the union of the user's umask
2412
and the value of the
2413
\fIumask\fR
2414
option, which defaults to
2415
\fR@sudo_umask@\fR.
2416
This guarantees
2417
that
2418
\fBsudo\fR
2419
never lowers the umask when running a command.
2420
Note: on systems that use PAM, the default PAM configuration may specify
2421
its own umask which will override the value set in
2422
\fIsudoers\fR.
2423
.PP
2424
\fBStrings\fR:
2425
.TP 18n
2426
badpass_message
1285
2427
Message that is displayed if a user enters an incorrect password.
1286
The default is \f(CW\*(C`@badpass_message@\*(C'\fR unless insults are enabled.
1287
.IP "editor" 16
1288
.IX Item "editor"
1289
A colon (':') separated list of editors allowed to be used with
1290
\&\fBvisudo\fR. \fBvisudo\fR will choose the editor that matches the user's
1291
\&\s-1EDITOR\s0 environment variable if possible, or the first editor in the
1292
list that exists and is executable. The default is \f(CW"@editor@"\fR.
1293
.IP "iolog_dir" 16
1294
.IX Item "iolog_dir"
2428
The default is
2429
\fR@badpass_message@\fR
2430
unless insults are enabled.
2431
.TP 18n
2432
editor
2433
A colon
2434
(`:\&')
2435
separated list of editors allowed to be used with
2436
\fBvisudo\fR.
2437
\fBvisudo\fR
2438
will choose the editor that matches the user's
2439
\fREDITOR\fR
2440
environment variable if possible, or the first editor in the
2441
list that exists and is executable.
2442
The default is
2443
\fI@editor@\fR.
2444
.TP 18n
2445
iolog_dir
1295
2446
The top-level directory to use when constructing the path name for
1296
the input/output log directory. Only used if the \fIlog_input\fR or
1297
\&\fIlog_output\fR options are enabled or when the \f(CW\*(C`LOG_INPUT\*(C'\fR or
1298
\&\f(CW\*(C`LOG_OUTPUT\*(C'\fR tags are present for a command. The session sequence
1299
number, if any, is stored in the directory.
1300
The default is \f(CW"@iolog_dir@"\fR.
1301
.Sp
1302
The following percent (`\f(CW\*(C`%\*(C'\fR') escape sequences are supported:
1303
.RS 16
1304
.ie n .IP "\*(C`%{seq}\*(C'" 4
1305
.el .IP "\f(CW\*(C`%{seq}\*(C'\fR" 4
1306
.IX Item "%{seq}"
1307
expanded to a monotonically increasing base\-36 sequence number, such as 0100A5,
1308
where every two digits are used to form a new directory, e.g. \fI01/00/A5\fR
1309
.ie n .IP "\*(C`%{user}\*(C'" 4
1310
.el .IP "\f(CW\*(C`%{user}\*(C'\fR" 4
1311
.IX Item "%{user}"
2447
the input/output log directory.
2448
Only used if the
2449
\fIlog_input\fR
2450
or
2451
\fIlog_output\fR
2452
options are enabled or when the
2453
\fRLOG_INPUT\fR
2454
or
2455
\fRLOG_OUTPUT\fR
2456
tags are present for a command.
2457
The session sequence number, if any, is stored in the directory.
2458
The default is
2459
\fI@iolog_dir@\fR.
2460
.sp
2461
The following percent
2462
(`%')
2463
escape sequences are supported:
2464
.RS
2465
.TP 6n
2466
\fR%{seq}\fR
2467
expanded to a monotonically increasing base-36 sequence number, such as 0100A5,
2468
where every two digits are used to form a new directory, e.g.\&
2469
\fI01/00/A5\fR
2470
.TP 6n
2471
\fR%{user}\fR
1312
2472
expanded to the invoking user's login name
1313
.ie n .IP "\*(C`%{group}\*(C'" 4
1314
.el .IP "\f(CW\*(C`%{group}\*(C'\fR" 4
1315
.IX Item "%{group}"
1316
expanded to the name of the invoking user's real group \s-1ID\s0
1317
.ie n .IP "\*(C`%{runas_user}\*(C'" 4
1318
.el .IP "\f(CW\*(C`%{runas_user}\*(C'\fR" 4
1319
.IX Item "%{runas_user}"
2473
.TP 6n
2474
\fR%{group}\fR
2475
expanded to the name of the invoking user's real group ID
2476
.TP 6n
2477
\fR%{runas_user}\fR
1320
2478
expanded to the login name of the user the command will
1321
be run as (e.g. root)
1322
.ie n .IP "\*(C`%{runas_group}\*(C'" 4
1323
.el .IP "\f(CW\*(C`%{runas_group}\*(C'\fR" 4
1324
.IX Item "%{runas_group}"
2479
be run as (e.g.\& root)
2480
.TP 6n
2481
\fR%{runas_group}\fR
1325
2482
expanded to the group name of the user the command will
1326
be run as (e.g. wheel)
1327
.ie n .IP "\*(C`%{hostname}\*(C'" 4
1328
.el .IP "\f(CW\*(C`%{hostname}\*(C'\fR" 4
1329
.IX Item "%{hostname}"
2483
be run as (e.g.\& wheel)
2484
.TP 6n
2485
\fR%{hostname}\fR
1330
2486
expanded to the local host name without the domain name
1331
.ie n .IP "\*(C`%{command}\*(C'" 4
1332
.el .IP "\f(CW\*(C`%{command}\*(C'\fR" 4
1333
.IX Item "%{command}"
2487
.TP 6n
2488
\fR%{command}\fR
1334
2489
expanded to the base name of the command being run
1335
.RE
1336
.RS 16
1337
.Sp
1338
In addition, any escape sequences supported by the system's \fIstrftime()\fR
2490
.PP
2491
In addition, any escape sequences supported by the system's
2492
strftime(3)
1339
2493
function will be expanded.
1340
.Sp
1341
To include a literal `\f(CW\*(C`%\*(C'\fR' character, the string `\f(CW\*(C`%%\*(C'\fR' should
1342
be used.
2494
.sp
2495
To include a literal
2496
`%'
2497
character, the string
2498
`%%'
2499
should be used.
2500
.PP
1343
2501
.RE
1344
.IP "iolog_file" 16
1345
.IX Item "iolog_file"
1346
The path name, relative to \fIiolog_dir\fR, in which to store input/output
1347
logs when the \fIlog_input\fR or \fIlog_output\fR options are enabled or
1348
when the \f(CW\*(C`LOG_INPUT\*(C'\fR or \f(CW\*(C`LOG_OUTPUT\*(C'\fR tags are present for a command.
1349
Note that \fIiolog_file\fR may contain directory components.
1350
The default is \f(CW"%{seq}"\fR.
1351
.Sp
1352
See the \fIiolog_dir\fR option above for a list of supported percent
1353
(`\f(CW\*(C`%\*(C'\fR') escape sequences.
1354
.Sp
2502
.PD 0
2503
.TP 18n
2504
iolog_file
2505
The path name, relative to
2506
\fIiolog_dir\fR,
2507
in which to store input/output logs when the
2508
\fIlog_input\fR
2509
or
2510
\fIlog_output\fR
2511
options are enabled or when the
2512
\fRLOG_INPUT\fR
2513
or
2514
\fRLOG_OUTPUT\fR
2515
tags are present for a command.
2516
Note that
2517
\fIiolog_file\fR
2518
may contain directory components.
2519
The default is
2520
``\fR%{seq}\fR''.
2521
.sp
2522
See the
2523
\fIiolog_dir\fR
2524
option above for a list of supported percent
2525
(`%')
2526
escape sequences.
2527
.sp
1355
2528
In addition to the escape sequences, path names that end in six or
1356
more \f(CW\*(C`X\*(C'\fRs will have the \f(CW\*(C`X\*(C'\fRs replaced with a unique combination
1357
of digits and letters, similar to the \fImktemp()\fR function.
1358
.IP "mailsub" 16
1359
.IX Item "mailsub"
1360
Subject of the mail sent to the \fImailto\fR user. The escape \f(CW%h\fR
2529
more
2530
\fRX\fRs
2531
will have the
2532
\fRX\fRs
2533
replaced with a unique combination of digits and letters, similar to the
2534
mktemp(3)
2535
function.
2536
.PD
2537
.TP 18n
2538
limitprivs
2539
The default Solaris limit privileges to use when constructing a new
2540
privilege set for a command.
2541
This bounds all privileges of the executing process.
2542
The default limit privileges may be overridden on a per-command basis in
2543
\fIsudoers\fR.
2544
This option is only available if
2545
\fBsudoers\fR
2546
is built on Solaris 10 or higher.
2547
.TP 18n
2548
mailsub
2549
Subject of the mail sent to the
2550
\fImailto\fR
2551
user.
2552
The escape
2553
\fR%h\fR
1361
2554
will expand to the host name of the machine.
1362
Default is \f(CW\*(C`@mailsub@\*(C'\fR.
1363
.IP "noexec_file" 16
1364
.IX Item "noexec_file"
1365
This option is no longer supported. The path to the noexec file
1366
should now be set in the \fI@sysconfdir@/sudo.conf\fR file.
1367
.IP "passprompt" 16
1368
.IX Item "passprompt"
1369
The default prompt to use when asking for a password; can be overridden
1370
via the \fB\-p\fR option or the \f(CW\*(C`SUDO_PROMPT\*(C'\fR environment variable.
1371
The following percent (`\f(CW\*(C`%\*(C'\fR') escape sequences are supported:
1372
.RS 16
1373
.ie n .IP "%H" 4
1374
.el .IP "\f(CW%H\fR" 4
1375
.IX Item "%H"
2555
Default is
2556
``\fR@mailsub@\fR''.
2557
.TP 18n
2558
noexec_file
2559
This option is no longer supported.
2560
The path to the noexec file should now be set in the
2561
\fI@sysconfdir@/sudo.conf\fR
2562
file.
2563
.TP 18n
2564
passprompt
2565
The default prompt to use when asking for a password; can be overridden via the
2566
\fB\-p\fR
2567
option or the
2568
\fRSUDO_PROMPT\fR
2569
environment variable.
2570
The following percent
2571
(`%')
2572
escape sequences are supported:
2573
.RS
2574
.TP 6n
2575
\fR%H\fR
1376
2576
expanded to the local host name including the domain name
1377
(only if the machine's host name is fully qualified or the \fIfqdn\fR
2577
(only if the machine's host name is fully qualified or the
2578
\fIfqdn\fR
1378
2579
option is set)
1379
.ie n .IP "%h" 4
1380
.el .IP "\f(CW%h\fR" 4
1381
.IX Item "%h"
2580
.TP 6n
2581
\fR%h\fR
1382
2582
expanded to the local host name without the domain name
1383
.ie n .IP "%p" 4
1384
.el .IP "\f(CW%p\fR" 4
1385
.IX Item "%p"
1386
expanded to the user whose password is being asked for (respects the
1387
\&\fIrootpw\fR, \fItargetpw\fR and \fIrunaspw\fR flags in \fIsudoers\fR)
1388
.ie n .IP "%U" 4
1389
.el .IP "\f(CW%U\fR" 4
1390
.IX Item "%U"
2583
.TP 6n
2584
\fR%p\fR
2585
expanded to the user whose password is being asked for (respects the
2586
\fIrootpw\fR,
2587
\fItargetpw\fR
2588
and
2589
\fIrunaspw\fR
2590
flags in
2591
\fIsudoers\fR)
2592
.TP 6n
2593
\fR\&%U\fR
1391
2594
expanded to the login name of the user the command will
1392
2595
be run as (defaults to root)
1393
.ie n .IP "%u" 4
1394
.el .IP "\f(CW%u\fR" 4
1395
.IX Item "%u"
2596
.TP 6n
2597
\fR%u\fR
1396
2598
expanded to the invoking user's login name
1397
.ie n .IP "\*(C`%%\*(C'" 4
1398
.el .IP "\f(CW\*(C`%%\*(C'\fR" 4
1399
.IX Item "%%"
1400
two consecutive \f(CW\*(C`%\*(C'\fR characters are collapsed into a single \f(CW\*(C`%\*(C'\fR character
1401
.RE
1402
.RS 16
1403
.Sp
1404
The default value is \f(CW\*(C`@passprompt@\*(C'\fR.
1405
.RE
1406
.if \n(SL \{\
1407
.IP "role" 16
1408
.IX Item "role"
2599
.TP 6n
2600
\fR%%\fR
2601
two consecutive
2602
\fR%\fR
2603
characters are collapsed into a single
2604
\fR%\fR
2605
character
2606
.PP
2607
The default value is
2608
``\fR@passprompt@\fR''.
2609
.PP
2610
.RE
2611
.PD 0
2612
.TP 18n
2613
privs
2614
The default Solaris privileges to use when constructing a new
2615
privilege set for a command.
2616
This is passed to the executing process via the inherited privilege set,
2617
but is bounded by the limit privileges.
2618
If the
2619
\fIprivs\fR
2620
option is specified but the
2621
\fIlimitprivs\fR
2622
option is not, the limit privileges of the executing process is set to
2623
\fIprivs\fR.
2624
The default privileges may be overridden on a per-command basis in
2625
\fIsudoers\fR.
2626
This option is only available if
2627
\fBsudoers\fR
2628
is built on Solaris 10 or higher.
2629
.PD
2630
.TP 18n
2631
role
1409
2632
The default SELinux role to use when constructing a new security
1410
context to run the command. The default role may be overridden on
1411
a per-command basis in \fIsudoers\fR or via command line options.
1412
This option is only available whe \fBsudo\fR is built with SELinux support.
1413
\}
1414
.IP "runas_default" 16
1415
.IX Item "runas_default"
1416
The default user to run commands as if the \fB\-u\fR option is not specified
1417
on the command line. This defaults to \f(CW\*(C`@runas_default@\*(C'\fR.
1418
.IP "syslog_badpri" 16
1419
.IX Item "syslog_badpri"
2633
context to run the command.
2634
The default role may be overridden on a per-command basis in
2635
\fIsudoers\fR
2636
or via command line options.
2637
This option is only available when
2638
\fBsudo\fR
2639
is built with SELinux support.
2640
.TP 18n
2641
runas_default
2642
The default user to run commands as if the
2643
\fB\-u\fR
2644
option is not specified on the command line.
2645
This defaults to
2646
\fR@runas_default@\fR.
2647
.TP 18n
2648
syslog_badpri
1420
2649
Syslog priority to use when user authenticates unsuccessfully.
1421
Defaults to \f(CW\*(C`@badpri@\*(C'\fR.
1422
.Sp
1423
The following syslog priorities are supported: \fBalert\fR, \fBcrit\fR,
1424
\&\fBdebug\fR, \fBemerg\fR, \fBerr\fR, \fBinfo\fR, \fBnotice\fR, and \fBwarning\fR.
1425
.IP "syslog_goodpri" 16
1426
.IX Item "syslog_goodpri"
2650
Defaults to
2651
\fR@badpri@\fR.
2652
.sp
2653
The following syslog priorities are supported:
2654
\fBalert\fR,
2655
\fBcrit\fR,
2656
\fBdebug\fR,
2657
\fBemerg\fR,
2658
\fBerr\fR,
2659
\fBinfo\fR,
2660
\fBnotice\fR,
2661
and
2662
\fBwarning\fR.
2663
.TP 18n
2664
syslog_goodpri
1427
2665
Syslog priority to use when user authenticates successfully.
1428
Defaults to \f(CW\*(C`@goodpri@\*(C'\fR.
1429
.Sp
1430
See syslog_badpri for the list of supported syslog priorities.
1431
.IP "sudoers_locale" 16
1432
.IX Item "sudoers_locale"
2666
Defaults to
2667
\fR@goodpri@\fR.
2668
.sp
2669
See
2670
\fIsyslog_badpri\fR
2671
for the list of supported syslog priorities.
2672
.TP 18n
2673
sudoers_locale
1433
2674
Locale to use when parsing the sudoers file, logging commands, and
1434
sending email. Note that changing the locale may affect how sudoers
1435
is interpreted. Defaults to \f(CW"C"\fR.
1436
.IP "timestampdir" 16
1437
.IX Item "timestampdir"
1438
The directory in which \fBsudo\fR stores its timestamp files.
1439
The default is \fI@timedir@\fR.
1440
.IP "timestampowner" 16
1441
.IX Item "timestampowner"
1442
The owner of the timestamp directory and the timestamps stored therein.
1443
The default is \f(CW\*(C`root\*(C'\fR.
1444
.if \n(SL \{\
1445
.IP "type" 16
1446
.IX Item "type"
2675
sending email.
2676
Note that changing the locale may affect how sudoers is interpreted.
2677
Defaults to
2678
``\fRC\fR''.
2679
.TP 18n
2680
timestampdir
2681
The directory in which
2682
\fBsudo\fR
2683
stores its time stamp files.
2684
The default is
2685
\fI@timedir@\fR.
2686
.TP 18n
2687
timestampowner
2688
The owner of the time stamp directory and the time stamps stored therein.
2689
The default is
2690
\fRroot\fR.
2691
.TP 18n
2692
type
1447
2693
The default SELinux type to use when constructing a new security
1448
context to run the command. The default type may be overridden on
1449
a per-command basis in \fIsudoers\fR or via command line options.
1450
This option is only available whe \fBsudo\fR is built with SELinux support.
1451
\}
2694
context to run the command.
2695
The default type may be overridden on a per-command basis in
2696
\fIsudoers\fR
2697
or via command line options.
2698
This option is only available when
2699
\fBsudo\fR
2700
is built with SELinux support.
1452
2701
.PP
1453
\&\fBStrings that can be used in a boolean context\fR:
1454
.IP "env_file" 12
1455
.IX Item "env_file"
1456
The \fIenv_file\fR option specifies the fully qualified path to a
1457
file containing variables to be set in the environment of the program
1458
being run. Entries in this file should either be of the form
1459
\&\f(CW\*(C`VARIABLE=value\*(C'\fR or \f(CW\*(C`export VARIABLE=value\*(C'\fR. The value may
1460
optionally be surrounded by single or double quotes. Variables in
1461
this file are subject to other \fBsudo\fR environment settings such
1462
as \fIenv_keep\fR and \fIenv_check\fR.
1463
.IP "exempt_group" 12
1464
.IX Item "exempt_group"
1465
Users in this group are exempt from password and \s-1PATH\s0 requirements.
1466
The group name specified should not include a \f(CW\*(C`%\*(C'\fR prefix.
2702
\fBStrings that can be used in a boolean context\fR:
2703
.TP 14n
2704
env_file
2705
The
2706
\fIenv_file\fR
2707
option specifies the fully qualified path to a file containing variables
2708
to be set in the environment of the program being run.
2709
Entries in this file should either be of the form
2710
``\fRVARIABLE=value\fR''
2711
or
2712
``\fRexport VARIABLE=value\fR''.
2713
The value may optionally be surrounded by single or double quotes.
2714
Variables in this file are subject to other
2715
\fBsudo\fR
2716
environment settings such as
2717
\fIenv_keep\fR
2718
and
2719
\fIenv_check\fR.
2720
.TP 14n
2721
exempt_group
2722
Users in this group are exempt from password and PATH requirements.
2723
The group name specified should not include a
2724
\fR%\fR
2725
prefix.
1467
2726
This is not set by default.
1468
.IP "group_plugin" 12
1469
.IX Item "group_plugin"
1470
A string containing a \fIsudoers\fR group plugin with optional arguments.
1471
This can be used to implement support for the \f(CW\*(C`nonunix_group\*(C'\fR
1472
syntax described earlier. The string should consist of the plugin
1473
path, either fully-qualified or relative to the \fI@prefix@/libexec\fR
1474
directory, followed by any configuration arguments the plugin
1475
requires. These arguments (if any) will be passed to the plugin's
1476
initialization function. If arguments are present, the string must
1477
be enclosed in double quotes (\f(CW\*(C`"\*(C'\fR).
1478
.Sp
1479
For example, given \fI/etc/sudo\-group\fR, a group file in Unix group
1480
format, the sample group plugin can be used:
1481
.Sp
1482
.Vb 1
1483
\& Defaults group_plugin="sample_group.so /etc/sudo\-group"
1484
.Ve
1485
.Sp
1486
For more information see \fIsudo_plugin\fR\|(@mansectform@).
1487
.IP "lecture" 12
1488
.IX Item "lecture"
2727
.TP 14n
2728
group_plugin
2729
A string containing a
2730
\fIsudoers\fR
2731
group plugin with optional arguments.
2732
This can be used to implement support for the
2733
\fRnonunix_group\fR
2734
syntax described earlier.
2735
The string should consist of the plugin
2736
path, either fully-qualified or relative to the
2737
\fI@prefix@/libexec\fR
2738
directory, followed by any configuration arguments the plugin requires.
2739
These arguments (if any) will be passed to the plugin's initialization function.
2740
If arguments are present, the string must be enclosed in double quotes
2741
(\&"").
2742
.sp
2743
For example, given
2744
\fI/etc/sudo-group\fR,
2745
a group file in Unix group format, the sample group plugin can be used:
2746
.RS
2747
.nf
2748
.sp
2749
.RS 0n
2750
Defaults group_plugin="sample_group.so /etc/sudo-group"
2751
.RE
2752
.fi
2753
.sp
2754
For more information see
2755
sudo_plugin(@mansectform@).
2756
.PP
2757
.RE
2758
.PD 0
2759
.TP 14n
2760
lecture
1489
2761
This option controls when a short lecture will be printed along with
1490
the password prompt. It has the following possible values:
1491
.RS 12
1492
.IP "always" 8
1493
.IX Item "always"
2762
the password prompt.
2763
It has the following possible values:
2764
.RS
2765
.PD
2766
.TP 8n
2767
always
1494
2768
Always lecture the user.
1495
.IP "never" 8
1496
.IX Item "never"
2769
.TP 8n
2770
never
1497
2771
Never lecture the user.
1498
.IP "once" 8
1499
.IX Item "once"
1500
Only lecture the user the first time they run \fBsudo\fR.
1501
.RE
1502
.RS 12
1503
.Sp
1504
If no value is specified, a value of \fIonce\fR is implied.
1505
Negating the option results in a value of \fInever\fR being used.
1506
The default value is \fI@lecture@\fR.
1507
.RE
1508
.IP "lecture_file" 12
1509
.IX Item "lecture_file"
1510
Path to a file containing an alternate \fBsudo\fR lecture that will
1511
be used in place of the standard lecture if the named file exists.
1512
By default, \fBsudo\fR uses a built-in lecture.
1513
.IP "listpw" 12
1514
.IX Item "listpw"
1515
This option controls when a password will be required when a
1516
user runs \fBsudo\fR with the \fB\-l\fR option. It has the following possible values:
1517
.RS 12
1518
.IP "all" 8
1519
.IX Item "all"
1520
All the user's \fIsudoers\fR entries for the current host must have
1521
the \f(CW\*(C`NOPASSWD\*(C'\fR flag set to avoid entering a password.
1522
.IP "always" 8
1523
.IX Item "always"
1524
The user must always enter a password to use the \fB\-l\fR option.
1525
.IP "any" 8
1526
.IX Item "any"
1527
At least one of the user's \fIsudoers\fR entries for the current host
1528
must have the \f(CW\*(C`NOPASSWD\*(C'\fR flag set to avoid entering a password.
1529
.IP "never" 8
1530
.IX Item "never"
1531
The user need never enter a password to use the \fB\-l\fR option.
1532
.RE
1533
.RS 12
1534
.Sp
1535
If no value is specified, a value of \fIany\fR is implied.
1536
Negating the option results in a value of \fInever\fR being used.
1537
The default value is \fIany\fR.
1538
.RE
1539
.IP "logfile" 12
1540
.IX Item "logfile"
1541
Path to the \fBsudo\fR log file (not the syslog log file). Setting a path
1542
turns on logging to a file; negating this option turns it off.
1543
By default, \fBsudo\fR logs via syslog.
1544
.IP "mailerflags" 12
1545
.IX Item "mailerflags"
1546
Flags to use when invoking mailer. Defaults to \fB\-t\fR.
1547
.IP "mailerpath" 12
1548
.IX Item "mailerpath"
2772
.TP 8n
2773
once
2774
Only lecture the user the first time they run
2775
\fBsudo\fR.
2776
.PP
2777
If no value is specified, a value of
2778
\fIonce\fR
2779
is implied.
2780
Negating the option results in a value of
2781
\fInever\fR
2782
being used.
2783
The default value is
2784
\fI@lecture@\fR.
2785
.PP
2786
.RE
2787
.PD 0
2788
.TP 14n
2789
lecture_file
2790
Path to a file containing an alternate
2791
\fBsudo\fR
2792
lecture that will be used in place of the standard lecture if the named
2793
file exists.
2794
By default,
2795
\fBsudo\fR
2796
uses a built-in lecture.
2797
.PD
2798
.TP 14n
2799
listpw
2800
This option controls when a password will be required when a user runs
2801
\fBsudo\fR
2802
with the
2803
\fB\-l\fR
2804
option.
2805
It has the following possible values:
2806
.RS
2807
.TP 10n
2808
all
2809
All the user's
2810
\fIsudoers\fR
2811
entries for the current host must have
2812
the
2813
\fRNOPASSWD\fR
2814
flag set to avoid entering a password.
2815
.TP 10n
2816
always
2817
The user must always enter a password to use the
2818
\fB\-l\fR
2819
option.
2820
.TP 10n
2821
any
2822
At least one of the user's
2823
\fIsudoers\fR
2824
entries for the current host
2825
must have the
2826
\fRNOPASSWD\fR
2827
flag set to avoid entering a password.
2828
.TP 10n
2829
never
2830
The user need never enter a password to use the
2831
\fB\-l\fR
2832
option.
2833
.PP
2834
If no value is specified, a value of
2835
\fIany\fR
2836
is implied.
2837
Negating the option results in a value of
2838
\fInever\fR
2839
being used.
2840
The default value is
2841
\fIany\fR.
2842
.PP
2843
.RE
2844
.PD 0
2845
.TP 14n
2846
logfile
2847
Path to the
2848
\fBsudo\fR
2849
log file (not the syslog log file).
2850
Setting a path turns on logging to a file;
2851
negating this option turns it off.
2852
By default,
2853
\fBsudo\fR
2854
logs via syslog.
2855
.PD
2856
.TP 14n
2857
mailerflags
2858
Flags to use when invoking mailer. Defaults to
2859
\fB\-t\fR.
2860
.TP 14n
2861
mailerpath
1549
2862
Path to mail program used to send warning mail.
1550
2863
Defaults to the path to sendmail found at configure time.
1551
.IP "mailfrom" 12
1552
.IX Item "mailfrom"
1553
Address to use for the \*(L"from\*(R" address when sending warning and error
1554
mail. The address should be enclosed in double quotes (\f(CW\*(C`"\*(C'\fR) to
1555
protect against \fBsudo\fR interpreting the \f(CW\*(C`@\*(C'\fR sign. Defaults to
1556
the name of the user running \fBsudo\fR.
1557
.IP "mailto" 12
1558
.IX Item "mailto"
1559
Address to send warning and error mail to. The address should
1560
be enclosed in double quotes (\f(CW\*(C`"\*(C'\fR) to protect against \fBsudo\fR
1561
interpreting the \f(CW\*(C`@\*(C'\fR sign. Defaults to \f(CW\*(C`@mailto@\*(C'\fR.
1562
.IP "secure_path" 12
1563
.IX Item "secure_path"
1564
Path used for every command run from \fBsudo\fR. If you don't trust the
1565
people running \fBsudo\fR to have a sane \f(CW\*(C`PATH\*(C'\fR environment variable you may
1566
want to use this. Another use is if you want to have the \*(L"root path\*(R"
1567
be separate from the \*(L"user path.\*(R" Users in the group specified by the
1568
\&\fIexempt_group\fR option are not affected by \fIsecure_path\fR.
2864
.TP 14n
2865
mailfrom
2866
Address to use for the
2867
``from''
2868
address when sending warning and error mail.
2869
The address should be enclosed in double quotes
2870
(\&"")
2871
to protect against
2872
\fBsudo\fR
2873
interpreting the
2874
\fR@\fR
2875
sign.
2876
Defaults to the name of the user running
2877
\fBsudo\fR.
2878
.TP 14n
2879
mailto
2880
Address to send warning and error mail to.
2881
The address should be enclosed in double quotes
2882
(\&"")
2883
to protect against
2884
\fBsudo\fR
2885
interpreting the
2886
\fR@\fR
2887
sign.
2888
Defaults to
2889
\fR@mailto@\fR.
2890
.TP 14n
2891
secure_path
2892
Path used for every command run from
2893
\fBsudo\fR.
2894
If you don't trust the
2895
people running
2896
\fBsudo\fR
2897
to have a sane
2898
\fRPATH\fR
2899
environment variable you may want to use this.
2900
Another use is if you want to have the
2901
``root path''
2902
be separate from the
2903
``user path''.
2904
Users in the group specified by the
2905
\fIexempt_group\fR
2906
option are not affected by
2907
\fIsecure_path\fR.
1569
2908
This option is @secure_path@ by default.
1570
.IP "syslog" 12
1571
.IX Item "syslog"
2909
.TP 14n
2910
syslog
1572
2911
Syslog facility if syslog is being used for logging (negate to
1573
disable syslog logging). Defaults to \f(CW\*(C`@logfac@\*(C'\fR.
1574
.Sp
1575
The following syslog facilities are supported: \fBauthpriv\fR (if your
1576
\&\s-1OS\s0 supports it), \fBauth\fR, \fBdaemon\fR, \fBuser\fR, \fBlocal0\fR, \fBlocal1\fR,
1577
\&\fBlocal2\fR, \fBlocal3\fR, \fBlocal4\fR, \fBlocal5\fR, \fBlocal6\fR, and \fBlocal7\fR.
1578
.IP "verifypw" 12
1579
.IX Item "verifypw"
2912
disable syslog logging).
2913
Defaults to
2914
\fR@logfac@\fR.
2915
.sp
2916
The following syslog facilities are supported:
2917
\fBauthpriv\fR
2918
(if your
2919
OS supports it),
2920
\fBauth\fR,
2921
\fBdaemon\fR,
2922
\fBuser\fR,
2923
\fBlocal0\fR,
2924
\fBlocal1\fR,
2925
\fBlocal2\fR,
2926
\fBlocal3\fR,
2927
\fBlocal4\fR,
2928
\fBlocal5\fR,
2929
\fBlocal6\fR,
2930
and
2931
\fBlocal7\fR.
2932
.TP 14n
2933
verifypw
1580
2934
This option controls when a password will be required when a user runs
1581
\&\fBsudo\fR with the \fB\-v\fR option. It has the following possible values:
1582
.RS 12
1583
.IP "all" 8
1584
.IX Item "all"
1585
All the user's \fIsudoers\fR entries for the current host must have
1586
the \f(CW\*(C`NOPASSWD\*(C'\fR flag set to avoid entering a password.
1587
.IP "always" 8
1588
.IX Item "always"
1589
The user must always enter a password to use the \fB\-v\fR option.
1590
.IP "any" 8
1591
.IX Item "any"
1592
At least one of the user's \fIsudoers\fR entries for the current host
1593
must have the \f(CW\*(C`NOPASSWD\*(C'\fR flag set to avoid entering a password.
1594
.IP "never" 8
1595
.IX Item "never"
1596
The user need never enter a password to use the \fB\-v\fR option.
1597
.RE
1598
.RS 12
1599
.Sp
1600
If no value is specified, a value of \fIall\fR is implied.
1601
Negating the option results in a value of \fInever\fR being used.
1602
The default value is \fIall\fR.
1603
.RE
1604
.PP
1605
\&\fBLists that can be used in a boolean context\fR:
1606
.IP "env_check" 16
1607
.IX Item "env_check"
2935
\fBsudo\fR
2936
with the
2937
\fB\-v\fR
2938
option.
2939
It has the following possible values:
2940
.RS
2941
.TP 8n
2942
all
2943
All the user's
2944
\fIsudoers\fR
2945
entries for the current host must have the
2946
\fRNOPASSWD\fR
2947
flag set to avoid entering a password.
2948
.TP 8n
2949
always
2950
The user must always enter a password to use the
2951
\fB\-v\fR
2952
option.
2953
.TP 8n
2954
any
2955
At least one of the user's
2956
\fIsudoers\fR
2957
entries for the current host must have the
2958
\fRNOPASSWD\fR
2959
flag set to avoid entering a password.
2960
.TP 8n
2961
never
2962
The user need never enter a password to use the
2963
\fB\-v\fR
2964
option.
2965
.PP
2966
If no value is specified, a value of
2967
\fIall\fR
2968
is implied.
2969
Negating the option results in a value of
2970
\fInever\fR
2971
being used.
2972
The default value is
2973
\fIall\fR.
2974
.RE
2975
.PP
2976
\fBLists that can be used in a boolean context\fR:
2977
.TP 18n
2978
env_check
1608
2979
Environment variables to be removed from the user's environment if
1609
the variable's value contains \f(CW\*(C`%\*(C'\fR or \f(CW\*(C`/\*(C'\fR characters. This can
1610
be used to guard against printf-style format vulnerabilities in
1611
poorly-written programs. The argument may be a double-quoted,
1612
space-separated list or a single value without double-quotes. The
1613
list can be replaced, added to, deleted from, or disabled by using
1614
the \f(CW\*(C`=\*(C'\fR, \f(CW\*(C`+=\*(C'\fR, \f(CW\*(C`\-=\*(C'\fR, and \f(CW\*(C`!\*(C'\fR operators respectively. Regardless
1615
of whether the \f(CW\*(C`env_reset\*(C'\fR option is enabled or disabled, variables
1616
specified by \f(CW\*(C`env_check\*(C'\fR will be preserved in the environment if
1617
they pass the aforementioned check. The default list of environment
1618
variables to check is displayed when \fBsudo\fR is run by root with
1619
the \fI\-V\fR option.
1620
.IP "env_delete" 16
1621
.IX Item "env_delete"
1622
Environment variables to be removed from the user's environment
1623
when the \fIenv_reset\fR option is not in effect. The argument may
1624
be a double-quoted, space-separated list or a single value without
1625
double-quotes. The list can be replaced, added to, deleted from,
1626
or disabled by using the \f(CW\*(C`=\*(C'\fR, \f(CW\*(C`+=\*(C'\fR, \f(CW\*(C`\-=\*(C'\fR, and \f(CW\*(C`!\*(C'\fR operators
1627
respectively. The default list of environment variables to remove
1628
is displayed when \fBsudo\fR is run by root with the \fI\-V\fR option.
2980
the variable's value contains
2981
`%'
2982
or
2983
`/'
2984
characters.
2985
This can be used to guard against printf-style format vulnerabilities
2986
in poorly-written programs.
2987
The argument may be a double-quoted, space-separated list or a
2988
single value without double-quotes.
2989
The list can be replaced, added to, deleted from, or disabled by using
2990
the
2991
\fR=\fR,
2992
\fR+=\fR,
2993
\fR-=\fR,
2994
and
2995
\fR\&!\fR
2996
operators respectively.
2997
Regardless of whether the
2998
\fRenv_reset\fR
2999
option is enabled or disabled, variables specified by
3000
\fRenv_check\fR
3001
will be preserved in the environment if they pass the aforementioned check.
3002
The default list of environment variables to check is displayed when
3003
\fBsudo\fR
3004
is run by root with
3005
the
3006
\fB\-V\fR
3007
option.
3008
.TP 18n
3009
env_delete
3010
Environment variables to be removed from the user's environment when the
3011
\fIenv_reset\fR
3012
option is not in effect.
3013
The argument may be a double-quoted, space-separated list or a
3014
single value without double-quotes.
3015
The list can be replaced, added to, deleted from, or disabled by using the
3016
\fR=\fR,
3017
\fR+=\fR,
3018
\fR-=\fR,
3019
and
3020
\fR\&!\fR
3021
operators respectively.
3022
The default list of environment variables to remove is displayed when
3023
\fBsudo\fR
3024
is run by root with the
3025
\fB\-V\fR
3026
option.
1629
3027
Note that many operating systems will remove potentially dangerous
1630
3028
variables from the environment of any setuid process (such as
1631
\&\fBsudo\fR).
1632
.IP "env_keep" 16
1633
.IX Item "env_keep"
1634
Environment variables to be preserved in the user's environment
1635
when the \fIenv_reset\fR option is in effect. This allows fine-grained
1636
control over the environment \fBsudo\fR\-spawned processes will receive.
3029
\fBsudo\fR).
3030
.TP 18n
3031
env_keep
3032
Environment variables to be preserved in the user's environment when the
3033
\fIenv_reset\fR
3034
option is in effect.
3035
This allows fine-grained control over the environment
3036
\fBsudo\fR-spawned
3037
processes will receive.
1637
3038
The argument may be a double-quoted, space-separated list or a
1638
single value without double-quotes. The list can be replaced, added
1639
to, deleted from, or disabled by using the \f(CW\*(C`=\*(C'\fR, \f(CW\*(C`+=\*(C'\fR, \f(CW\*(C`\-=\*(C'\fR, and
1640
\&\f(CW\*(C`!\*(C'\fR operators respectively. The default list of variables to keep
1641
is displayed when \fBsudo\fR is run by root with the \fI\-V\fR option.
3039
single value without double-quotes.
3040
The list can be replaced, added to, deleted from, or disabled by using the
3041
\fR=\fR,
3042
\fR+=\fR,
3043
\fR-=\fR,
3044
and
3045
\fR\&!\fR
3046
operators respectively.
3047
The default list of variables to keep
3048
is displayed when
3049
\fBsudo\fR
3050
is run by root with the
3051
\fB\-V\fR
3052
option.
3053
.SH "LOG FORMAT"
3054
\fBsudoers\fR
3055
can log events using either
3056
syslog(3)
3057
or a simple log file.
3058
In each case the log format is almost identical.
3059
.SS "Accepted command log entries"
3060
Commands that sudo runs are logged using the following format (split
3061
into multiple lines for readability):
3062
.nf
3063
.sp
3064
.RS 4n
3065
date hostname progname: username : TTY=ttyname ; PWD=cwd ; \e
3066
USER=runasuser ; GROUP=runasgroup ; TSID=logid ; \e
3067
ENV=env_vars COMMAND=command
3068
.RE
3069
.fi
3070
.PP
3071
Where the fields are as follows:
3072
.TP 14n
3073
date
3074
The date the command was run.
3075
Typically, this is in the format
3076
``MMM, DD, HH:MM:SS''.
3077
If logging via
3078
syslog(3),
3079
the actual date format is controlled by the syslog daemon.
3080
If logging to a file and the
3081
\fIlog_year\fR
3082
option is enabled,
3083
the date will also include the year.
3084
.TP 14n
3085
hostname
3086
The name of the host
3087
\fBsudo\fR
3088
was run on.
3089
This field is only present when logging via
3090
syslog(3).
3091
.TP 14n
3092
progname
3093
The name of the program, usually
3094
\fIsudo\fR
3095
or
3096
\fIsudoedit\fR.
3097
This field is only present when logging via
3098
syslog(3).
3099
.TP 14n
3100
username
3101
The login name of the user who ran
3102
\fBsudo\fR.
3103
.TP 14n
3104
ttyname
3105
The short name of the terminal (e.g.\&
3106
``console'',
3107
``tty01'',
3108
or
3109
``pts/0'')
3110
\fBsudo\fR
3111
was run on, or
3112
``unknown''
3113
if there was no terminal present.
3114
.TP 14n
3115
cwd
3116
The current working directory that
3117
\fBsudo\fR
3118
was run in.
3119
.TP 14n
3120
runasuser
3121
The user the command was run as.
3122
.TP 14n
3123
runasgroup
3124
The group the command was run as if one was specified on the command line.
3125
.TP 14n
3126
logid
3127
An I/O log identifier that can be used to replay the command's output.
3128
This is only present when the
3129
\fIlog_input\fR
3130
or
3131
\fIlog_output\fR
3132
option is enabled.
3133
.TP 14n
3134
env_vars
3135
A list of environment variables specified on the command line,
3136
if specified.
3137
.TP 14n
3138
command
3139
The actual command that was executed.
3140
.PP
3141
Messages are logged using the locale specified by
3142
\fIsudoers_locale\fR,
3143
which defaults to the
3144
``\fRC\fR''
3145
locale.
3146
.SS "Denied command log entries"
3147
If the user is not allowed to run the command, the reason for the denial
3148
will follow the user name.
3149
Possible reasons include:
3150
.TP 3n
3151
user NOT in sudoers
3152
The user is not listed in the
3153
\fIsudoers\fR
3154
file.
3155
.TP 3n
3156
user NOT authorized on host
3157
The user is listed in the
3158
\fIsudoers\fR
3159
file but is not allowed to run commands on the host.
3160
.TP 3n
3161
command not allowed
3162
The user is listed in the
3163
\fIsudoers\fR
3164
file for the host but they are not allowed to run the specified command.
3165
.TP 3n
3166
3 incorrect password attempts
3167
The user failed to enter their password after 3 tries.
3168
The actual number of tries will vary based on the number of
3169
failed attempts and the value of the
3170
\fIpasswd_tries\fR
3171
option.
3172
.TP 3n
3173
a password is required
3174
\fBsudo\fR's
3175
\fB\-n\fR
3176
option was specified but a password was required.
3177
.TP 3n
3178
sorry, you are not allowed to set the following environment variables
3179
The user specified environment variables on the command line that
3180
were not allowed by
3181
\fIsudoers\fR.
3182
.SS "Error log entries"
3183
If an error occurs,
3184
\fBsudoers\fR
3185
will log a message and, in most cases, send a message to the
3186
administrator via email.
3187
Possible errors include:
3188
.TP 3n
3189
parse error in @sysconfdir@/sudoers near line N
3190
\fBsudoers\fR
3191
encountered an error when parsing the specified file.
3192
In some cases, the actual error may be one line above or below the
3193
line number listed, depending on the type of error.
3194
.TP 3n
3195
problem with defaults entries
3196
The
3197
\fIsudoers\fR
3198
file contains one or more unknown Defaults settings.
3199
This does not prevent
3200
\fBsudo\fR
3201
from running, but the
3202
\fIsudoers\fR
3203
file should be checked using
3204
\fBvisudo\fR.
3205
.TP 3n
3206
timestamp owner (username): \&No such user
3207
The time stamp directory owner, as specified by the
3208
\fItimestampowner\fR
3209
setting, could not be found in the password database.
3210
.TP 3n
3211
unable to open/read @sysconfdir@/sudoers
3212
The
3213
\fIsudoers\fR
3214
file could not be opened for reading.
3215
This can happen when the
3216
\fIsudoers\fR
3217
file is located on a remote file system that maps user ID 0 to
3218
a different value.
3219
Normally,
3220
\fBsudoers\fR
3221
tries to open
3222
\fIsudoers\fR
3223
using group permissions to avoid this problem.
3224
Consider changing the ownership of
3225
\fI@sysconfdir@/sudoers\fR
3226
by adding an option like
3227
``sudoers_uid=N''
3228
(where
3229
`N'
3230
is the user ID that owns the
3231
\fIsudoers\fR
3232
file) to the
3233
\fBsudoers\fR
3234
plugin line in the
3235
\fI@sysconfdir@/sudo.conf\fR
3236
file.
3237
.TP 3n
3238
unable to stat @sysconfdir@/sudoers
3239
The
3240
\fI@sysconfdir@/sudoers\fR
3241
file is missing.
3242
.TP 3n
3243
@sysconfdir@/sudoers is not a regular file
3244
The
3245
\fI@sysconfdir@/sudoers\fR
3246
file exists but is not a regular file or symbolic link.
3247
.TP 3n
3248
@sysconfdir@/sudoers is owned by uid N, should be 0
3249
The
3250
\fIsudoers\fR
3251
file has the wrong owner.
3252
If you wish to change the
3253
\fIsudoers\fR
3254
file owner, please add
3255
``sudoers_uid=N''
3256
(where
3257
`N'
3258
is the user ID that owns the
3259
\fIsudoers\fR
3260
file) to the
3261
\fBsudoers\fR
3262
plugin line in the
3263
\fI@sysconfdir@/sudo.conf\fR
3264
file.
3265
.TP 3n
3266
@sysconfdir@/sudoers is world writable
3267
The permissions on the
3268
\fIsudoers\fR
3269
file allow all users to write to it.
3270
The
3271
\fIsudoers\fR
3272
file must not be world-writable, the default file mode
3273
is 0440 (readable by owner and group, writable by none).
3274
The default mode may be changed via the
3275
``sudoers_mode''
3276
option to the
3277
\fBsudoers\fR
3278
plugin line in the
3279
\fI@sysconfdir@/sudo.conf\fR
3280
file.
3281
.TP 3n
3282
@sysconfdir@/sudoers is owned by gid N, should be 1
3283
The
3284
\fIsudoers\fR
3285
file has the wrong group ownership.
3286
If you wish to change the
3287
\fIsudoers\fR
3288
file group ownership, please add
3289
``sudoers_gid=N''
3290
(where
3291
`N'
3292
is the group ID that owns the
3293
\fIsudoers\fR
3294
file) to the
3295
\fBsudoers\fR
3296
plugin line in the
3297
\fI@sysconfdir@/sudo.conf\fR
3298
file.
3299
.TP 3n
3300
unable to open @timedir@/username/ttyname
3301
\fIsudoers\fR
3302
was unable to read or create the user's time stamp file.
3303
.TP 3n
3304
unable to write to @timedir@/username/ttyname
3305
\fIsudoers\fR
3306
was unable to write to the user's time stamp file.
3307
.TP 3n
3308
unable to mkdir to @timedir@/username
3309
\fIsudoers\fR
3310
was unable to create the user's time stamp directory.
3311
.SS "Notes on logging via syslog"
3312
By default,
3313
\fIsudoers\fR
3314
logs messages via
3315
syslog(3).
3316
The
3317
\fIdate\fR,
3318
\fIhostname\fR,
3319
and
3320
\fIprogname\fR
3321
fields are added by the syslog daemon, not
3322
\fIsudoers\fR
3323
itself.
3324
As such, they may vary in format on different systems.
3325
.PP
3326
On most systems,
3327
syslog(3)
3328
has a relatively small log buffer.
3329
To prevent the command line arguments from being truncated,
3330
\fBsudoers\fR
3331
will split up log messages that are larger than 960 characters
3332
(not including the date, hostname, and the string
3333
``sudo'').
3334
When a message is split, additional parts will include the string
3335
``(command continued)''
3336
after the user name and before the continued command line arguments.
3337
.SS "Notes on logging to a file"
3338
If the
3339
\fIlogfile\fR
3340
option is set,
3341
\fIsudoers\fR
3342
will log to a local file, such as
3343
\fI/var/log/sudo\fR.
3344
When logging to a file,
3345
\fIsudoers\fR
3346
uses a format similar to
3347
syslog(3),
3348
with a few important differences:
3349
.TP 5n
3350
1.
3351
The
3352
\fIprogname\fR
3353
and
3354
\fIhostname\fR
3355
fields are not present.
3356
.TP 5n
3357
2.
3358
If the
3359
\fIlog_year\fR
3360
option is enabled,
3361
the date will also include the year.
3362
.TP 5n
3363
3.
3364
Lines that are longer than
3365
\fIloglinelen\fR
3366
characters (80 by default) are word-wrapped and continued on the
3367
next line with a four character indent.
3368
This makes entries easier to read for a human being, but makes it
3369
more difficult to use
3370
grep(1)
3371
on the log files.
3372
If the
3373
\fIloglinelen\fR
3374
option is set to 0 (or negated with a
3375
`\&!'),
3376
word wrap will be disabled.
1642
3377
.SH "SUDO.CONF"
1643
.IX Header "SUDO.CONF"
1644
The \fI@sysconfdir@/sudo.conf\fR file determines which plugins the
1645
\&\fBsudo\fR front end will load. If no \fI@sysconfdir@/sudo.conf\fR file
1646
is present, or it contains no \f(CW\*(C`Plugin\*(C'\fR lines, \fBsudo\fR will use the
1647
\&\fIsudoers\fR security policy and I/O logging, which corresponds to
1648
the following \fI@sysconfdir@/sudo.conf\fR file.
1649
.PP
1650
.Vb 10
1651
\& #
1652
\& # Default @sysconfdir@/sudo.conf file
1653
\& #
1654
\& # Format:
1655
\& # Plugin plugin_name plugin_path plugin_options ...
1656
\& # Path askpass /path/to/askpass
1657
\& # Path noexec /path/to/sudo_noexec.so
1658
\& # Debug sudo /var/log/sudo_debug all@warn
1659
\& # Set disable_coredump true
1660
\& #
1661
\& # The plugin_path is relative to @prefix@/libexec unless
1662
\& # fully qualified.
1663
\& # The plugin_name corresponds to a global symbol in the plugin
1664
\& # that contains the plugin interface structure.
1665
\& # The plugin_options are optional.
1666
\& #
1667
\& Plugin policy_plugin sudoers.so
1668
\& Plugin io_plugin sudoers.so
1669
.Ve
1670
.SS "\s-1PLUGIN\s0 \s-1OPTIONS\s0"
1671
.IX Subsection "PLUGIN OPTIONS"
1672
Starting with \fBsudo\fR 1.8.5 it is possible to pass options to the
1673
\&\fIsudoers\fR plugin. Options may be listed after the path to the
1674
plugin (i.e. after \fIsudoers.so\fR); multiple options should be
1675
space-separated. For example:
1676
.PP
1677
.Vb 1
1678
\& Plugin sudoers_policy sudoers.so sudoers_file=/etc/sudoers sudoers_uid=0 sudoers_gid=0 sudoers_mode=0440
1679
.Ve
3378
The
3379
\fI@sysconfdir@/sudo.conf\fR
3380
file determines which plugins the
3381
\fBsudo\fR
3382
front end will load.
3383
If no
3384
\fI@sysconfdir@/sudo.conf\fR
3385
file
3386
is present, or it contains no
3387
\fRPlugin\fR
3388
lines,
3389
\fBsudo\fR
3390
will use the
3391
\fIsudoers\fR
3392
security policy and I/O logging, which corresponds to the following
3393
\fI@sysconfdir@/sudo.conf\fR
3394
file.
3395
.nf
3396
.sp
3397
.RS 0n
3398
#
3399
# Default @sysconfdir@/sudo.conf file
3400
#
3401
# Format:
3402
# Plugin plugin_name plugin_path plugin_options ...
3403
# Path askpass /path/to/askpass
3404
# Path noexec /path/to/sudo_noexec.so
3405
# Debug sudo /var/log/sudo_debug all@warn
3406
# Set disable_coredump true
3407
#
3408
# The plugin_path is relative to @prefix@/libexec unless
3409
# fully qualified.
3410
# The plugin_name corresponds to a global symbol in the plugin
3411
# that contains the plugin interface structure.
3412
# The plugin_options are optional.
3413
#
3414
Plugin policy_plugin sudoers.so
3415
Plugin io_plugin sudoers.so
3416
.RE
3417
.fi
3418
.SS "Plugin options"
3419
Starting with
3420
\fBsudo\fR
3421
1.8.5, it is possible to pass options to the
3422
\fIsudoers\fR
3423
plugin.
3424
Options may be listed after the path to the plugin (i.e.\& after
3425
\fIsudoers.so\fR);
3426
multiple options should be space-separated.
3427
For example:
3428
.nf
3429
.sp
3430
.RS 0n
3431
Plugin sudoers_policy sudoers.so sudoers_file=/etc/sudoers sudoers_uid=0 sudoers_gid=0 sudoers_mode=0440
3432
.RE
3433
.fi
1680
3434
.PP
1681
3435
The following plugin options are supported:
1682
.IP "sudoers_file=pathname" 10
1683
.IX Item "sudoers_file=pathname"
1684
The \fIsudoers_file\fR option can be used to override the default path
1685
to the \fIsudoers\fR file.
1686
.IP "sudoers_uid=uid" 10
1687
.IX Item "sudoers_uid=uid"
1688
The \fIsudoers_uid\fR option can be used to override the default owner
1689
of the sudoers file. It should be specified as a numeric user \s-1ID\s0.
1690
.IP "sudoers_gid=gid" 10
1691
.IX Item "sudoers_gid=gid"
1692
The \fIsudoers_gid\fR option can be used to override the default group
1693
of the sudoers file. It should be specified as a numeric group \s-1ID\s0.
1694
.IP "sudoers_mode=mode" 10
1695
.IX Item "sudoers_mode=mode"
1696
The \fIsudoers_mode\fR option can be used to override the default file
1697
mode for the sudoers file. It should be specified as an octal value.
1698
.SS "\s-1DEBUG\s0 \s-1FLAGS\s0"
1699
.IX Subsection "DEBUG FLAGS"
1700
Versions 1.8.4 and higher of the \fIsudoers\fR plugin supports a
1701
debugging framework that can help track down what the plugin is
1702
doing internally if there is a problem. This can be configured in
1703
the \fI@sysconfdir@/sudo.conf\fR file as described in \fIsudo\fR\|(@mansectsu@).
1704
.PP
1705
The \fIsudoers\fR plugin uses the same debug flag format as \fBsudo\fR
1706
itself: \fIsubsystem\fR@\fIpriority\fR.
1707
.PP
1708
The priorities used by \fIsudoers\fR, in order of decreasing severity,
1709
are: \fIcrit\fR, \fIerr\fR, \fIwarn\fR, \fInotice\fR, \fIdiag\fR, \fIinfo\fR, \fItrace\fR
1710
and \fIdebug\fR. Each priority, when specified, also includes all
1711
priorities higher than it. For example, a priority of \fInotice\fR
1712
would include debug messages logged at \fInotice\fR and higher.
1713
.PP
1714
The following subsystems are used by \fIsudoers\fR:
1715
.IP "\fIalias\fR" 10
1716
.IX Item "alias"
1717
\&\f(CW\*(C`User_Alias\*(C'\fR, \f(CW\*(C`Runas_Alias\*(C'\fR, \f(CW\*(C`Host_Alias\*(C'\fR and \f(CW\*(C`Cmnd_Alias\*(C'\fR processing
1718
.IP "\fIall\fR" 10
1719
.IX Item "all"
3436
.TP 10n
3437
sudoers_file=pathname
3438
The
3439
\fIsudoers_file\fR
3440
option can be used to override the default path
3441
to the
3442
\fIsudoers\fR
3443
file.
3444
.TP 10n
3445
sudoers_uid=uid
3446
The
3447
\fIsudoers_uid\fR
3448
option can be used to override the default owner of the sudoers file.
3449
It should be specified as a numeric user ID.
3450
.TP 10n
3451
sudoers_gid=gid
3452
The
3453
\fIsudoers_gid\fR
3454
option can be used to override the default group of the sudoers file.
3455
It should be specified as a numeric group ID.
3456
.TP 10n
3457
sudoers_mode=mode
3458
The
3459
\fIsudoers_mode\fR
3460
option can be used to override the default file mode for the sudoers file.
3461
It should be specified as an octal value.
3462
.SS "Debug flags"
3463
Versions 1.8.4 and higher of the
3464
\fIsudoers\fR
3465
plugin supports a debugging framework that can help track down what the
3466
plugin is doing internally if there is a problem.
3467
This can be configured in the
3468
\fI@sysconfdir@/sudo.conf\fR
3469
file as described in
3470
sudo(@mansectsu@).
3471
.PP
3472
The
3473
\fIsudoers\fR
3474
plugin uses the same debug flag format as the
3475
\fBsudo\fR
3476
front-end:
3477
\fIsubsystem\fR@\fIpriority\fR.
3478
.PP
3479
The priorities used by
3480
\fIsudoers\fR,
3481
in order of decreasing severity,
3482
are:
3483
\fIcrit\fR,
3484
\fIerr\fR,
3485
\fIwarn\fR,
3486
\fInotice\fR,
3487
\fIdiag\fR,
3488
\fIinfo\fR,
3489
\fItrace\fR
3490
and
3491
\fIdebug\fR.
3492
Each priority, when specified, also includes all priorities higher than it.
3493
For example, a priority of
3494
\fInotice\fR
3495
would include debug messages logged at
3496
\fInotice\fR
3497
and higher.
3498
.PP
3499
The following subsystems are used by
3500
\fIsudoers\fR:
3501
.TP 10n
3502
\fIalias\fR
3503
\fRUser_Alias\fR,
3504
\fRRunas_Alias\fR,
3505
\fRHost_Alias\fR
3506
and
3507
\fRCmnd_Alias\fR
3508
processing
3509
.TP 10n
3510
\fIall\fR
1720
3511
matches every subsystem
1721
.IP "\fIaudit\fR" 10
1722
.IX Item "audit"
1723
\&\s-1BSM\s0 and Linux audit code
1724
.IP "\fIauth\fR" 10
1725
.IX Item "auth"
3512
.TP 10n
3513
\fIaudit\fR
3514
BSM and Linux audit code
3515
.TP 10n
3516
\fIauth\fR
1726
3517
user authentication
1727
.IP "\fIdefaults\fR" 10
1728
.IX Item "defaults"
1729
\&\fIsudoers\fR \fIDefaults\fR settings
1730
.IP "\fIenv\fR" 10
1731
.IX Item "env"
3518
.TP 10n
3519
\fIdefaults\fR
3520
\fIsudoers\fR
3521
\fIDefaults\fR
3522
settings
3523
.TP 10n
3524
\fIenv\fR
1732
3525
environment handling
1733
.IP "\fIldap\fR" 10
1734
.IX Item "ldap"
3526
.TP 10n
3527
\fIldap\fR
1735
3528
LDAP-based sudoers
1736
.IP "\fIlogging\fR" 10
1737
.IX Item "logging"
3529
.TP 10n
3530
\fIlogging\fR
1738
3531
logging support
1739
.IP "\fImatch\fR" 10
1740
.IX Item "match"
1741
matching of users, groups, hosts and netgroups in \fIsudoers\fR
1742
.IP "\fInetif\fR" 10
1743
.IX Item "netif"
3532
.TP 10n
3533
\fImatch\fR
3534
matching of users, groups, hosts and netgroups in
3535
\fIsudoers\fR
3536
.TP 10n
3537
\fInetif\fR
1744
3538
network interface handling
1745
.IP "\fInss\fR" 10
1746
.IX Item "nss"
1747
network service switch handling in \fIsudoers\fR
1748
.IP "\fIparser\fR" 10
1749
.IX Item "parser"
1750
\&\fIsudoers\fR file parsing
1751
.IP "\fIperms\fR" 10
1752
.IX Item "perms"
3539
.TP 10n
3540
\fInss\fR
3541
network service switch handling in
3542
\fIsudoers\fR
3543
.TP 10n
3544
\fIparser\fR
3545
\fIsudoers\fR
3546
file parsing
3547
.TP 10n
3548
\fIperms\fR
1753
3549
permission setting
1754
.IP "\fIplugin\fR" 10
1755
.IX Item "plugin"
1756
The equivalent of \fImain\fR for the plugin.
1757
.IP "\fIpty\fR" 10
1758
.IX Item "pty"
3550
.TP 10n
3551
\fIplugin\fR
3552
The equivalent of
3553
\fImain\fR
3554
for the plugin.
3555
.TP 10n
3556
\fIpty\fR
1759
3557
pseudo-tty related code
1760
.IP "\fIrbtree\fR" 10
1761
.IX Item "rbtree"
3558
.TP 10n
3559
\fIrbtree\fR
1762
3560
redblack tree internals
1763
.IP "\fIutil\fR" 10
1764
.IX Item "util"
3561
.TP 10n
3562
\fIutil\fR
1765
3563
utility functions
1766
3564
.SH "FILES"
1767
.IX Header "FILES"
1768
.ie n .IP "\fI@sysconfdir@/sudo.conf\fR" 24
1769
.el .IP "\fI@sysconfdir@/sudo.conf\fR" 24
1770
.IX Item "@sysconfdir@/sudo.conf"
3565
.TP 26n
3566
\fI@sysconfdir@/sudo.conf\fR
1771
3567
Sudo front end configuration
1772
.ie n .IP "\fI@sysconfdir@/sudoers\fR" 24
1773
.el .IP "\fI@sysconfdir@/sudoers\fR" 24
1774
.IX Item "@sysconfdir@/sudoers"
3568
.TP 26n
3569
\fI@sysconfdir@/sudoers\fR
1775
3570
List of who can run what
1776
.IP "\fI/etc/group\fR" 24
1777
.IX Item "/etc/group"
3571
.TP 26n
3572
\fI/etc/group\fR
1778
3573
Local groups file
1779
.IP "\fI/etc/netgroup\fR" 24
1780
.IX Item "/etc/netgroup"
3574
.TP 26n
3575
\fI/etc/netgroup\fR
1781
3576
List of network groups
1782
.ie n .IP "\fI@iolog_dir@\fR" 24
1783
.el .IP "\fI@iolog_dir@\fR" 24
1784
.IX Item "@iolog_dir@"
3577
.TP 26n
3578
\fI@iolog_dir@\fR
1785
3579
I/O log files
1786
.ie n .IP "\fI@timedir@\fR" 24
1787
.el .IP "\fI@timedir@\fR" 24
1788
.IX Item "@timedir@"
1789
Directory containing time stamps for the \fIsudoers\fR security policy
1790
.IP "\fI/etc/environment\fR" 24
1791
.IX Item "/etc/environment"
1792
Initial environment for \fB\-i\fR mode on \s-1AIX\s0 and Linux systems
3580
.TP 26n
3581
\fI@timedir@\fR
3582
Directory containing time stamps for the
3583
\fIsudoers\fR
3584
security policy
3585
.TP 26n
3586
\fI/etc/environment\fR
3587
Initial environment for
3588
\fB\-i\fR
3589
mode on AIX and Linux systems
1793
3590
.SH "EXAMPLES"
1794
.IX Header "EXAMPLES"
1795
Below are example \fIsudoers\fR entries. Admittedly, some of
1796
these are a bit contrived. First, we allow a few environment
1797
variables to pass and then define our \fIaliases\fR:
1798
.PP
1799
.Vb 4
1800
\& # Run X applications through sudo; HOME is used to find the
1801
\& # .Xauthority file. Note that other programs use HOME to find
1802
\& # configuration files and this may lead to privilege escalation!
1803
\& Defaults env_keep += "DISPLAY HOME"
1804
\&
1805
\& # User alias specification
1806
\& User_Alias FULLTIMERS = millert, mikef, dowdy
1807
\& User_Alias PARTTIMERS = bostley, jwfox, crawl
1808
\& User_Alias WEBMASTERS = will, wendy, wim
1809
\&
1810
\& # Runas alias specification
1811
\& Runas_Alias OP = root, operator
1812
\& Runas_Alias DB = oracle, sybase
1813
\& Runas_Alias ADMINGRP = adm, oper
1814
\&
1815
\& # Host alias specification
1816
\& Host_Alias SPARC = bigtime, eclipse, moet, anchor :\e
1817
\& SGI = grolsch, dandelion, black :\e
1818
\& ALPHA = widget, thalamus, foobar :\e
1819
\& HPPA = boa, nag, python
1820
\& Host_Alias CUNETS = 128.138.0.0/255.255.0.0
1821
\& Host_Alias CSNETS = 128.138.243.0, 128.138.204.0/24, 128.138.242.0
1822
\& Host_Alias SERVERS = master, mail, www, ns
1823
\& Host_Alias CDROM = orion, perseus, hercules
1824
\&
1825
\& # Cmnd alias specification
1826
\& Cmnd_Alias DUMPS = /usr/bin/mt, /usr/sbin/dump, /usr/sbin/rdump,\e
1827
\& /usr/sbin/restore, /usr/sbin/rrestore
1828
\& Cmnd_Alias KILL = /usr/bin/kill
1829
\& Cmnd_Alias PRINTING = /usr/sbin/lpc, /usr/bin/lprm
1830
\& Cmnd_Alias SHUTDOWN = /usr/sbin/shutdown
1831
\& Cmnd_Alias HALT = /usr/sbin/halt
1832
\& Cmnd_Alias REBOOT = /usr/sbin/reboot
1833
\& Cmnd_Alias SHELLS = /usr/bin/sh, /usr/bin/csh, /usr/bin/ksh, \e
1834
\& /usr/local/bin/tcsh, /usr/bin/rsh, \e
1835
\& /usr/local/bin/zsh
1836
\& Cmnd_Alias SU = /usr/bin/su
1837
\& Cmnd_Alias PAGERS = /usr/bin/more, /usr/bin/pg, /usr/bin/less
1838
.Ve
1839
.PP
1840
Here we override some of the compiled in default values. We want
1841
\&\fBsudo\fR to log via \fIsyslog\fR\|(3) using the \fIauth\fR facility in all
1842
cases. We don't want to subject the full time staff to the \fBsudo\fR
1843
lecture, user \fBmillert\fR need not give a password, and we don't
1844
want to reset the \f(CW\*(C`LOGNAME\*(C'\fR, \f(CW\*(C`USER\*(C'\fR or \f(CW\*(C`USERNAME\*(C'\fR environment
1845
variables when running commands as root. Additionally, on the
1846
machines in the \fI\s-1SERVERS\s0\fR \f(CW\*(C`Host_Alias\*(C'\fR, we keep an additional
1847
local log file and make sure we log the year in each log line since
1848
the log entries will be kept around for several years. Lastly, we
1849
disable shell escapes for the commands in the \s-1PAGERS\s0 \f(CW\*(C`Cmnd_Alias\*(C'\fR
1850
(\fI/usr/bin/more\fR, \fI/usr/bin/pg\fR and \fI/usr/bin/less\fR).
1851
.PP
1852
.Vb 7
1853
\& # Override built\-in defaults
1854
\& Defaults syslog=auth
1855
\& Defaults>root !set_logname
1856
\& Defaults:FULLTIMERS !lecture
1857
\& Defaults:millert !authenticate
1858
\& Defaults@SERVERS log_year, logfile=/var/log/sudo.log
1859
\& Defaults!PAGERS noexec
1860
.Ve
1861
.PP
1862
The \fIUser specification\fR is the part that actually determines who may
1863
run what.
1864
.PP
1865
.Vb 2
1866
\& root ALL = (ALL) ALL
1867
\& %wheel ALL = (ALL) ALL
1868
.Ve
1869
.PP
1870
We let \fBroot\fR and any user in group \fBwheel\fR run any command on any
1871
host as any user.
1872
.PP
1873
.Vb 1
1874
\& FULLTIMERS ALL = NOPASSWD: ALL
1875
.Ve
1876
.PP
1877
Full time sysadmins (\fBmillert\fR, \fBmikef\fR, and \fBdowdy\fR) may run any
1878
command on any host without authenticating themselves.
1879
.PP
1880
.Vb 1
1881
\& PARTTIMERS ALL = ALL
1882
.Ve
1883
.PP
1884
Part time sysadmins (\fBbostley\fR, \fBjwfox\fR, and \fBcrawl\fR) may run any
1885
command on any host but they must authenticate themselves first
1886
(since the entry lacks the \f(CW\*(C`NOPASSWD\*(C'\fR tag).
1887
.PP
1888
.Vb 1
1889
\& jack CSNETS = ALL
1890
.Ve
1891
.PP
1892
The user \fBjack\fR may run any command on the machines in the \fI\s-1CSNETS\s0\fR alias
1893
(the networks \f(CW128.138.243.0\fR, \f(CW128.138.204.0\fR, and \f(CW128.138.242.0\fR).
1894
Of those networks, only \f(CW128.138.204.0\fR has an explicit netmask (in
1895
\&\s-1CIDR\s0 notation) indicating it is a class C network. For the other
1896
networks in \fI\s-1CSNETS\s0\fR, the local machine's netmask will be used
1897
during matching.
1898
.PP
1899
.Vb 1
1900
\& lisa CUNETS = ALL
1901
.Ve
1902
.PP
1903
The user \fBlisa\fR may run any command on any host in the \fI\s-1CUNETS\s0\fR alias
1904
(the class B network \f(CW128.138.0.0\fR).
1905
.PP
1906
.Vb 2
1907
\& operator ALL = DUMPS, KILL, SHUTDOWN, HALT, REBOOT, PRINTING,\e
1908
\& sudoedit /etc/printcap, /usr/oper/bin/
1909
.Ve
1910
.PP
1911
The \fBoperator\fR user may run commands limited to simple maintenance.
3591
Below are example
3592
\fIsudoers\fR
3593
entries.
3594
Admittedly, some of these are a bit contrived.
3595
First, we allow a few environment variables to pass and then define our
3596
\fIaliases\fR:
3597
.nf
3598
.sp
3599
.RS 0n
3600
# Run X applications through sudo; HOME is used to find the
3601
# .Xauthority file. Note that other programs use HOME to find
3602
# configuration files and this may lead to privilege escalation!
3603
Defaults env_keep += "DISPLAY HOME"
3604
3605
# User alias specification
3606
User_Alias FULLTIMERS = millert, mikef, dowdy
3607
User_Alias PARTTIMERS = bostley, jwfox, crawl
3608
User_Alias WEBMASTERS = will, wendy, wim
3609
3610
# Runas alias specification
3611
Runas_Alias OP = root, operator
3612
Runas_Alias DB = oracle, sybase
3613
Runas_Alias ADMINGRP = adm, oper
3614
3615
# Host alias specification
3616
Host_Alias SPARC = bigtime, eclipse, moet, anchor :\e
3617
SGI = grolsch, dandelion, black :\e
3618
ALPHA = widget, thalamus, foobar :\e
3619
HPPA = boa, nag, python
3620
Host_Alias CUNETS = 128.138.0.0/255.255.0.0
3621
Host_Alias CSNETS = 128.138.243.0, 128.138.204.0/24, 128.138.242.0
3622
Host_Alias SERVERS = master, mail, www, ns
3623
Host_Alias CDROM = orion, perseus, hercules
3624
3625
# Cmnd alias specification
3626
Cmnd_Alias DUMPS = /usr/bin/mt, /usr/sbin/dump, /usr/sbin/rdump,\e
3627
/usr/sbin/restore, /usr/sbin/rrestore
3628
Cmnd_Alias KILL = /usr/bin/kill
3629
Cmnd_Alias PRINTING = /usr/sbin/lpc, /usr/bin/lprm
3630
Cmnd_Alias SHUTDOWN = /usr/sbin/shutdown
3631
Cmnd_Alias HALT = /usr/sbin/halt
3632
Cmnd_Alias REBOOT = /usr/sbin/reboot
3633
Cmnd_Alias SHELLS = /usr/bin/sh, /usr/bin/csh, /usr/bin/ksh,\e
3634
/usr/local/bin/tcsh, /usr/bin/rsh,\e
3635
/usr/local/bin/zsh
3636
Cmnd_Alias SU = /usr/bin/su
3637
Cmnd_Alias PAGERS = /usr/bin/more, /usr/bin/pg, /usr/bin/less
3638
.RE
3639
.fi
3640
.PP
3641
Here we override some of the compiled in default values.
3642
We want
3643
\fBsudo\fR
3644
to log via
3645
syslog(3)
3646
using the
3647
\fIauth\fR
3648
facility in all cases.
3649
We don't want to subject the full time staff to the
3650
\fBsudo\fR
3651
lecture, user
3652
\fBmillert\fR
3653
need not give a password, and we don't want to reset the
3654
\fRLOGNAME\fR,
3655
\fRUSER\fR
3656
or
3657
\fRUSERNAME\fR
3658
environment variables when running commands as root.
3659
Additionally, on the machines in the
3660
\fISERVERS\fR
3661
\fRHost_Alias\fR,
3662
we keep an additional local log file and make sure we log the year
3663
in each log line since the log entries will be kept around for several years.
3664
Lastly, we disable shell escapes for the commands in the PAGERS
3665
\fRCmnd_Alias\fR
3666
(\fI/usr/bin/more\fR,
3667
\fI/usr/bin/pg\fR
3668
and
3669
\fI/usr/bin/less\fR)
3670
\&.
3671
.nf
3672
.sp
3673
.RS 0n
3674
# Override built-in defaults
3675
Defaults syslog=auth
3676
Defaults>root !set_logname
3677
Defaults:FULLTIMERS !lecture
3678
Defaults:millert !authenticate
3679
Defaults@SERVERS log_year, logfile=/var/log/sudo.log
3680
Defaults!PAGERS noexec
3681
.RE
3682
.fi
3683
.PP
3684
The
3685
\fIUser specification\fR
3686
is the part that actually determines who may run what.
3687
.nf
3688
.sp
3689
.RS 0n
3690
root ALL = (ALL) ALL
3691
%wheel ALL = (ALL) ALL
3692
.RE
3693
.fi
3694
.PP
3695
We let
3696
\fBroot\fR
3697
and any user in group
3698
\fBwheel\fR
3699
run any command on any host as any user.
3700
.nf
3701
.sp
3702
.RS 0n
3703
FULLTIMERS ALL = NOPASSWD: ALL
3704
.RE
3705
.fi
3706
.PP
3707
Full time sysadmins
3708
(\fBmillert\fR,
3709
\fBmikef\fR,
3710
and
3711
\fBdowdy\fR)
3712
may run any command on any host without authenticating themselves.
3713
.nf
3714
.sp
3715
.RS 0n
3716
PARTTIMERS ALL = ALL
3717
.RE
3718
.fi
3719
.PP
3720
Part time sysadmins
3721
\fBbostley\fR,
3722
\fBjwfox\fR,
3723
and
3724
\fBcrawl\fR)
3725
may run any command on any host but they must authenticate themselves
3726
first (since the entry lacks the
3727
\fRNOPASSWD\fR
3728
tag).
3729
.nf
3730
.sp
3731
.RS 0n
3732
jack CSNETS = ALL
3733
.RE
3734
.fi
3735
.PP
3736
The user
3737
\fBjack\fR
3738
may run any command on the machines in the
3739
\fICSNETS\fR
3740
alias (the networks
3741
\fR128.138.243.0\fR,
3742
\fR128.138.204.0\fR,
3743
and
3744
\fR128.138.242.0\fR).
3745
Of those networks, only
3746
\fR128.138.204.0\fR
3747
has an explicit netmask (in CIDR notation) indicating it is a class C network.
3748
For the other networks in
3749
\fICSNETS\fR,
3750
the local machine's netmask will be used during matching.
3751
.nf
3752
.sp
3753
.RS 0n
3754
lisa CUNETS = ALL
3755
.RE
3756
.fi
3757
.PP
3758
The user
3759
\fBlisa\fR
3760
may run any command on any host in the
3761
\fICUNETS\fR
3762
alias (the class B network
3763
\fR128.138.0.0\fR).
3764
.nf
3765
.sp
3766
.RS 0n
3767
operator ALL = DUMPS, KILL, SHUTDOWN, HALT, REBOOT, PRINTING,\e
3768
sudoedit /etc/printcap, /usr/oper/bin/
3769
.RE
3770
.fi
3771
.PP
3772
The
3773
\fBoperator\fR
3774
user may run commands limited to simple maintenance.
1912
3775
Here, those are commands related to backups, killing processes, the
1913
3776
printing system, shutting down the system, and any commands in the
1914
directory \fI/usr/oper/bin/\fR.
1915
.PP
1916
.Vb 1
1917
\& joe ALL = /usr/bin/su operator
1918
.Ve
1919
.PP
1920
The user \fBjoe\fR may only \fIsu\fR\|(1) to operator.
1921
.PP
1922
.Vb 1
1923
\& pete HPPA = /usr/bin/passwd [A\-Za\-z]*, !/usr/bin/passwd root
1924
\&
1925
\& %opers ALL = (: ADMINGRP) /usr/sbin/
1926
.Ve
1927
.PP
1928
Users in the \fBopers\fR group may run commands in \fI/usr/sbin/\fR as themselves
1929
with any group in the \fI\s-1ADMINGRP\s0\fR \f(CW\*(C`Runas_Alias\*(C'\fR (the \fBadm\fR and \fBoper\fR
3777
directory
3778
\fI/usr/oper/bin/\fR.
3779
.nf
3780
.sp
3781
.RS 0n
3782
joe ALL = /usr/bin/su operator
3783
.RE
3784
.fi
3785
.PP
3786
The user
3787
\fBjoe\fR
3788
may only
3789
su(1)
3790
to operator.
3791
.nf
3792
.sp
3793
.RS 0n
3794
pete HPPA = /usr/bin/passwd [A-Za-z]*, !/usr/bin/passwd root
3795
3796
%opers ALL = (: ADMINGRP) /usr/sbin/
3797
.RE
3798
.fi
3799
.PP
3800
Users in the
3801
\fBopers\fR
3802
group may run commands in
3803
\fI/usr/sbin/\fR
3804
as themselves
3805
with any group in the
3806
\fIADMINGRP\fR
3807
\fRRunas_Alias\fR
3808
(the
3809
\fBadm\fR
3810
and
3811
\fBoper\fR
1930
3812
groups).
1931
3813
.PP
1932
The user \fBpete\fR is allowed to change anyone's password except for
1933
root on the \fI\s-1HPPA\s0\fR machines. Note that this assumes \fIpasswd\fR\|(1)
3814
The user
3815
\fBpete\fR
3816
is allowed to change anyone's password except for
3817
root on the
3818
\fIHPPA\fR
3819
machines.
3820
Note that this assumes
3821
passwd(1)
1934
3822
does not take multiple user names on the command line.
1935
.PP
1936
.Vb 1
1937
\& bob SPARC = (OP) ALL : SGI = (OP) ALL
1938
.Ve
1939
.PP
1940
The user \fBbob\fR may run anything on the \fI\s-1SPARC\s0\fR and \fI\s-1SGI\s0\fR machines
1941
as any user listed in the \fI\s-1OP\s0\fR \f(CW\*(C`Runas_Alias\*(C'\fR (\fBroot\fR and \fBoperator\fR).
1942
.PP
1943
.Vb 1
1944
\& jim +biglab = ALL
1945
.Ve
1946
.PP
1947
The user \fBjim\fR may run any command on machines in the \fIbiglab\fR netgroup.
1948
\&\fBsudo\fR knows that \*(L"biglab\*(R" is a netgroup due to the '+' prefix.
1949
.PP
1950
.Vb 1
1951
\& +secretaries ALL = PRINTING, /usr/bin/adduser, /usr/bin/rmuser
1952
.Ve
1953
.PP
1954
Users in the \fBsecretaries\fR netgroup need to help manage the printers
1955
as well as add and remove users, so they are allowed to run those
1956
commands on all machines.
1957
.PP
1958
.Vb 1
1959
\& fred ALL = (DB) NOPASSWD: ALL
1960
.Ve
1961
.PP
1962
The user \fBfred\fR can run commands as any user in the \fI\s-1DB\s0\fR \f(CW\*(C`Runas_Alias\*(C'\fR
1963
(\fBoracle\fR or \fBsybase\fR) without giving a password.
1964
.PP
1965
.Vb 1
1966
\& john ALPHA = /usr/bin/su [!\-]*, !/usr/bin/su *root*
1967
.Ve
1968
.PP
1969
On the \fI\s-1ALPHA\s0\fR machines, user \fBjohn\fR may su to anyone except root
1970
but he is not allowed to specify any options to the \fIsu\fR\|(1) command.
1971
.PP
1972
.Vb 1
1973
\& jen ALL, !SERVERS = ALL
1974
.Ve
1975
.PP
1976
The user \fBjen\fR may run any command on any machine except for those
1977
in the \fI\s-1SERVERS\s0\fR \f(CW\*(C`Host_Alias\*(C'\fR (master, mail, www and ns).
1978
.PP
1979
.Vb 1
1980
\& jill SERVERS = /usr/bin/, !SU, !SHELLS
1981
.Ve
1982
.PP
1983
For any machine in the \fI\s-1SERVERS\s0\fR \f(CW\*(C`Host_Alias\*(C'\fR, \fBjill\fR may run
1984
any commands in the directory \fI/usr/bin/\fR except for those commands
1985
belonging to the \fI\s-1SU\s0\fR and \fI\s-1SHELLS\s0\fR \f(CW\*(C`Cmnd_Aliases\*(C'\fR.
1986
.PP
1987
.Vb 1
1988
\& steve CSNETS = (operator) /usr/local/op_commands/
1989
.Ve
1990
.PP
1991
The user \fBsteve\fR may run any command in the directory /usr/local/op_commands/
3823
.nf
3824
.sp
3825
.RS 0n
3826
bob SPARC = (OP) ALL : SGI = (OP) ALL
3827
.RE
3828
.fi
3829
.PP
3830
The user
3831
\fBbob\fR
3832
may run anything on the
3833
\fISPARC\fR
3834
and
3835
\fISGI\fR
3836
machines as any user listed in the
3837
\fIOP\fR
3838
\fRRunas_Alias\fR
3839
(\fBroot\fR
3840
and
3841
\fBoperator\fR.)
3842
.nf
3843
.sp
3844
.RS 0n
3845
jim +biglab = ALL
3846
.RE
3847
.fi
3848
.PP
3849
The user
3850
\fBjim\fR
3851
may run any command on machines in the
3852
\fIbiglab\fR
3853
netgroup.
3854
\fBsudo\fR
3855
knows that
3856
``biglab''
3857
is a netgroup due to the
3858
`+'
3859
prefix.
3860
.nf
3861
.sp
3862
.RS 0n
3863
+secretaries ALL = PRINTING, /usr/bin/adduser, /usr/bin/rmuser
3864
.RE
3865
.fi
3866
.PP
3867
Users in the
3868
\fBsecretaries\fR
3869
netgroup need to help manage the printers as well as add and remove users,
3870
so they are allowed to run those commands on all machines.
3871
.nf
3872
.sp
3873
.RS 0n
3874
fred ALL = (DB) NOPASSWD: ALL
3875
.RE
3876
.fi
3877
.PP
3878
The user
3879
\fBfred\fR
3880
can run commands as any user in the
3881
\fIDB\fR
3882
\fRRunas_Alias\fR
3883
(\fBoracle\fR
3884
or
3885
\fBsybase\fR)
3886
without giving a password.
3887
.nf
3888
.sp
3889
.RS 0n
3890
john ALPHA = /usr/bin/su [!-]*, !/usr/bin/su *root*
3891
.RE
3892
.fi
3893
.PP
3894
On the
3895
\fIALPHA\fR
3896
machines, user
3897
\fBjohn\fR
3898
may su to anyone except root but he is not allowed to specify any options
3899
to the
3900
su(1)
3901
command.
3902
.nf
3903
.sp
3904
.RS 0n
3905
jen ALL, !SERVERS = ALL
3906
.RE
3907
.fi
3908
.PP
3909
The user
3910
\fBjen\fR
3911
may run any command on any machine except for those in the
3912
\fISERVERS\fR
3913
\fRHost_Alias\fR
3914
(master, mail, www and ns).
3915
.nf
3916
.sp
3917
.RS 0n
3918
jill SERVERS = /usr/bin/, !SU, !SHELLS
3919
.RE
3920
.fi
3921
.PP
3922
For any machine in the
3923
\fISERVERS\fR
3924
\fRHost_Alias\fR,
3925
\fBjill\fR
3926
may run
3927
any commands in the directory
3928
\fI/usr/bin/\fR
3929
except for those commands
3930
belonging to the
3931
\fISU\fR
3932
and
3933
\fISHELLS\fR
3934
\fRCmnd_Aliases\fR.
3935
.nf
3936
.sp
3937
.RS 0n
3938
steve CSNETS = (operator) /usr/local/op_commands/
3939
.RE
3940
.fi
3941
.PP
3942
The user
3943
\fBsteve\fR
3944
may run any command in the directory /usr/local/op_commands/
1992
3945
but only as user operator.
1993
.PP
1994
.Vb 1
1995
\& matt valkyrie = KILL
1996
.Ve
1997
.PP
1998
On his personal workstation, valkyrie, \fBmatt\fR needs to be able to
1999
kill hung processes.
2000
.PP
2001
.Vb 1
2002
\& WEBMASTERS www = (www) ALL, (root) /usr/bin/su www
2003
.Ve
2004
.PP
2005
On the host www, any user in the \fI\s-1WEBMASTERS\s0\fR \f(CW\*(C`User_Alias\*(C'\fR (will,
2006
wendy, and wim), may run any command as user www (which owns the
2007
web pages) or simply \fIsu\fR\|(1) to www.
2008
.PP
2009
.Vb 2
2010
\& ALL CDROM = NOPASSWD: /sbin/umount /CDROM,\e
2011
\& /sbin/mount \-o nosuid\e,nodev /dev/cd0a /CDROM
2012
.Ve
2013
.PP
2014
Any user may mount or unmount a CD-ROM on the machines in the \s-1CDROM\s0
2015
\&\f(CW\*(C`Host_Alias\*(C'\fR (orion, perseus, hercules) without entering a password.
3946
.nf
3947
.sp
3948
.RS 0n
3949
matt valkyrie = KILL
3950
.RE
3951
.fi
3952
.PP
3953
On his personal workstation, valkyrie,
3954
\fBmatt\fR
3955
needs to be able to kill hung processes.
3956
.nf
3957
.sp
3958
.RS 0n
3959
WEBMASTERS www = (www) ALL, (root) /usr/bin/su www
3960
.RE
3961
.fi
3962
.PP
3963
On the host www, any user in the
3964
\fIWEBMASTERS\fR
3965
\fRUser_Alias\fR
3966
(will, wendy, and wim), may run any command as user www (which owns the
3967
web pages) or simply
3968
su(1)
3969
to www.
3970
.nf
3971
.sp
3972
.RS 0n
3973
ALL CDROM = NOPASSWD: /sbin/umount /CDROM,\e
3974
/sbin/mount -o nosuid\,nodev /dev/cd0a /CDROM
3975
.RE
3976
.fi
3977
.PP
3978
Any user may mount or unmount a CD-ROM on the machines in the CDROM
3979
\fRHost_Alias\fR
3980
(orion, perseus, hercules) without entering a password.
2016
3981
This is a bit tedious for users to type, so it is a prime candidate
2017
3982
for encapsulating in a shell script.
2018
3983
.SH "SECURITY NOTES"
2019
.IX Header "SECURITY NOTES"
2020
.SS "Limitations of the '!' operator"
2021
.IX Subsection "Limitations of the '!' operator"
2022
It is generally not effective to \*(L"subtract\*(R" commands from \f(CW\*(C`ALL\*(C'\fR
2023
using the '!' operator. A user can trivially circumvent this
2024
by copying the desired command to a different name and then
2025
executing that. For example:
2026
.PP
2027
.Vb 1
2028
\& bill ALL = ALL, !SU, !SHELLS
2029
.Ve
2030
.PP
2031
Doesn't really prevent \fBbill\fR from running the commands listed in
2032
\&\fI\s-1SU\s0\fR or \fI\s-1SHELLS\s0\fR since he can simply copy those commands to a
2033
different name, or use a shell escape from an editor or other
2034
program. Therefore, these kind of restrictions should be considered
3984
.SS "Limitations of the `!\&' operator"
3985
It is generally not effective to
3986
``subtract''
3987
commands from
3988
\fBALL\fR
3989
using the
3990
`!\&'
3991
operator.
3992
A user can trivially circumvent this by copying the desired command
3993
to a different name and then executing that.
3994
For example:
3995
.nf
3996
.sp
3997
.RS 0n
3998
bill ALL = ALL, !SU, !SHELLS
3999
.RE
4000
.fi
4001
.PP
4002
Doesn't really prevent
4003
\fBbill\fR
4004
from running the commands listed in
4005
\fISU\fR
4006
or
4007
\fISHELLS\fR
4008
since he can simply copy those commands to a different name, or use
4009
a shell escape from an editor or other program.
4010
Therefore, these kind of restrictions should be considered
2035
4011
advisory at best (and reinforced by policy).
2036
4012
.PP
2037
In general, if a user has sudo \f(CW\*(C`ALL\*(C'\fR there is nothing to prevent
2038
them from creating their own program that gives them a root shell
2039
(or making their own copy of a shell) regardless of any '!' elements
2040
in the user specification.
2041
.SS "Security implications of \fIfast_glob\fP"
2042
.IX Subsection "Security implications of fast_glob"
2043
If the \fIfast_glob\fR option is in use, it is not possible
2044
to reliably negate commands where the path name includes globbing
2045
(aka wildcard) characters. This is because the C library's
2046
\&\fIfnmatch\fR\|(3) function cannot resolve relative paths. While this
2047
is typically only an inconvenience for rules that grant privileges,
2048
it can result in a security issue for rules that subtract or revoke
2049
privileges.
2050
.PP
2051
For example, given the following \fIsudoers\fR entry:
2052
.PP
2053
.Vb 2
2054
\& john ALL = /usr/bin/passwd [a\-zA\-Z0\-9]*, /usr/bin/chsh [a\-zA\-Z0\-9]*,
2055
\& /usr/bin/chfn [a\-zA\-Z0\-9]*, !/usr/bin/* root
2056
.Ve
2057
.PP
2058
User \fBjohn\fR can still run \f(CW\*(C`/usr/bin/passwd root\*(C'\fR if \fIfast_glob\fR is
2059
enabled by changing to \fI/usr/bin\fR and running \f(CW\*(C`./passwd root\*(C'\fR instead.
2060
.SS "Preventing Shell Escapes"
2061
.IX Subsection "Preventing Shell Escapes"
2062
Once \fBsudo\fR executes a program, that program is free to do whatever
2063
it pleases, including run other programs. This can be a security
2064
issue since it is not uncommon for a program to allow shell escapes,
2065
which lets a user bypass \fBsudo\fR's access control and logging.
4013
In general, if a user has sudo
4014
\fBALL\fR
4015
there is nothing to prevent them from creating their own program that gives
4016
them a root shell (or making their own copy of a shell) regardless of any
4017
`!\&'
4018
elements in the user specification.
4019
.SS "Security implications of \fIfast_glob\fR"
4020
If the
4021
\fIfast_glob\fR
4022
option is in use, it is not possible to reliably negate commands where the
4023
path name includes globbing (aka wildcard) characters.
4024
This is because the C library's
4025
fnmatch(3)
4026
function cannot resolve relative paths.
4027
While this is typically only an inconvenience for rules that grant privileges,
4028
it can result in a security issue for rules that subtract or revoke privileges.
4029
.PP
4030
For example, given the following
4031
\fIsudoers\fR
4032
entry:
4033
.nf
4034
.sp
4035
.RS 0n
4036
john ALL = /usr/bin/passwd [a-zA-Z0-9]*, /usr/bin/chsh [a-zA-Z0-9]*,\e
4037
/usr/bin/chfn [a-zA-Z0-9]*, !/usr/bin/* root
4038
.RE
4039
.fi
4040
.PP
4041
User
4042
\fBjohn\fR
4043
can still run
4044
\fR/usr/bin/passwd root\fR
4045
if
4046
\fIfast_glob\fR
4047
is enabled by changing to
4048
\fI/usr/bin\fR
4049
and running
4050
\fR./passwd root\fR
4051
instead.
4052
.SS "Preventing shell escapes"
4053
Once
4054
\fBsudo\fR
4055
executes a program, that program is free to do whatever
4056
it pleases, including run other programs.
4057
This can be a security issue since it is not uncommon for a program to
4058
allow shell escapes, which lets a user bypass
4059
\fBsudo\fR's
4060
access control and logging.
2066
4061
Common programs that permit shell escapes include shells (obviously),
2067
4062
editors, paginators, mail and terminal programs.
2068
4063
.PP
2069
4064
There are two basic approaches to this problem:
2070
.IP "restrict" 10
2071
.IX Item "restrict"
4065
.TP 10n
4066
restrict
2072
4067
Avoid giving users access to commands that allow the user to run
2073
arbitrary commands. Many editors have a restricted mode where shell
2074
escapes are disabled, though \fBsudoedit\fR is a better solution to
2075
running editors via \fBsudo\fR. Due to the large number of programs that
4068
arbitrary commands.
4069
Many editors have a restricted mode where shell
4070
escapes are disabled, though
4071
\fBsudoedit\fR
4072
is a better solution to
4073
running editors via
4074
\fBsudo\fR.
4075
Due to the large number of programs that
2076
4076
offer shell escapes, restricting users to the set of programs that
2077
4077
do not is often unworkable.
2078
.IP "noexec" 10
2079
.IX Item "noexec"
4078
.TP 10n
4079
noexec
2080
4080
Many systems that support shared libraries have the ability to
2081
4081
override default library functions by pointing an environment
2082
variable (usually \f(CW\*(C`LD_PRELOAD\*(C'\fR) to an alternate shared library.
2083
On such systems, \fBsudo\fR's \fInoexec\fR functionality can be used to
2084
prevent a program run by \fBsudo\fR from executing any other programs.
4082
variable (usually
4083
\fRLD_PRELOAD\fR)
4084
to an alternate shared library.
4085
On such systems,
4086
\fBsudo\fR's
4087
\fInoexec\fR
4088
functionality can be used to prevent a program run by
4089
\fBsudo\fR
4090
from executing any other programs.
2085
4091
Note, however, that this applies only to native dynamically-linked
2086
executables. Statically-linked executables and foreign executables
4092
executables.
4093
Statically-linked executables and foreign executables
2087
4094
running under binary emulation are not affected.
2088
.Sp
2089
The \fInoexec\fR feature is known to work on SunOS, Solaris, *BSD,
2090
Linux, \s-1IRIX\s0, Tru64 \s-1UNIX\s0, MacOS X, HP-UX 11.x and \s-1AIX\s0 5.3 and above.
4095
.sp
4096
The
4097
\fInoexec\fR
4098
feature is known to work on SunOS, Solaris, *BSD,
4099
Linux, IRIX, Tru64 UNIX, MacOS X, HP-UX 11.x and AIX 5.3 and above.
2091
4100
It should be supported on most operating systems that support the
2092
\&\f(CW\*(C`LD_PRELOAD\*(C'\fR environment variable. Check your operating system's
2093
manual pages for the dynamic linker (usually ld.so, ld.so.1, dyld,
2094
dld.sl, rld, or loader) to see if \f(CW\*(C`LD_PRELOAD\*(C'\fR is supported.
2095
.Sp
2096
On Solaris 10 and higher, \fInoexec\fR uses Solaris privileges instead
2097
of the \f(CW\*(C`LD_PRELOAD\*(C'\fR environment variable.
2098
.Sp
2099
To enable \fInoexec\fR for a command, use the \f(CW\*(C`NOEXEC\*(C'\fR tag as documented
2100
in the User Specification section above. Here is that example again:
2101
.Sp
2102
.Vb 1
2103
\& aaron shanty = NOEXEC: /usr/bin/more, /usr/bin/vi
2104
.Ve
2105
.Sp
2106
This allows user \fBaaron\fR to run \fI/usr/bin/more\fR and \fI/usr/bin/vi\fR
2107
with \fInoexec\fR enabled. This will prevent those two commands from
2108
executing other commands (such as a shell). If you are unsure
2109
whether or not your system is capable of supporting \fInoexec\fR you
2110
can always just try it out and check whether shell escapes work
2111
when \fInoexec\fR is enabled.
4101
\fRLD_PRELOAD\fR
4102
environment variable.
4103
Check your operating system's manual pages for the dynamic linker
4104
(usually ld.so, ld.so.1, dyld, dld.sl, rld, or loader) to see if
4105
\fRLD_PRELOAD\fR
4106
is supported.
4107
.sp
4108
On Solaris 10 and higher,
4109
\fInoexec\fR
4110
uses Solaris privileges instead of the
4111
\fRLD_PRELOAD\fR
4112
environment variable.
4113
.sp
4114
To enable
4115
\fInoexec\fR
4116
for a command, use the
4117
\fRNOEXEC\fR
4118
tag as documented
4119
in the User Specification section above.
4120
Here is that example again:
4121
.RS
4122
.nf
4123
.sp
4124
.RS 0n
4125
aaron shanty = NOEXEC: /usr/bin/more, /usr/bin/vi
4126
.RE
4127
.fi
4128
.sp
4129
This allows user
4130
\fBaaron\fR
4131
to run
4132
\fI/usr/bin/more\fR
4133
and
4134
\fI/usr/bin/vi\fR
4135
with
4136
\fInoexec\fR
4137
enabled.
4138
This will prevent those two commands from
4139
executing other commands (such as a shell).
4140
If you are unsure whether or not your system is capable of supporting
4141
\fInoexec\fR
4142
you can always just try it out and check whether shell escapes work when
4143
\fInoexec\fR
4144
is enabled.
4145
.RE
2112
4146
.PP
2113
Note that restricting shell escapes is not a panacea. Programs
2114
running as root are still capable of many potentially hazardous
4147
Note that restricting shell escapes is not a panacea.
4148
Programs running as root are still capable of many potentially hazardous
2115
4149
operations (such as changing or overwriting files) that could lead
2116
to unintended privilege escalation. In the specific case of an
2117
editor, a safer approach is to give the user permission to run
2118
\&\fBsudoedit\fR.
4150
to unintended privilege escalation.
4151
In the specific case of an editor, a safer approach is to give the
4152
user permission to run
4153
\fBsudoedit\fR.
2119
4154
.SS "Time stamp file checks"
2120
.IX Subsection "Time stamp file checks"
2121
\&\fIsudoers\fR will check the ownership of its time stamp directory
2122
(\fI@timedir@\fR by default) and ignore the directory's contents if
2123
it is not owned by root or if it is writable by a user other than
2124
root. On systems that allow non-root users to give away files via
2125
\&\fIchown\fR\|(2), if the time stamp directory is located in a world-writable
2126
directory (e.g., \fI/tmp\fR), it is possible for a user to create the
2127
time stamp directory before \fBsudo\fR is run. However, because
2128
\&\fIsudoers\fR checks the ownership and mode of the directory and its
2129
contents, the only damage that can be done is to \*(L"hide\*(R" files by
2130
putting them in the time stamp dir. This is unlikely to happen
2131
since once the time stamp dir is owned by root and inaccessible by
2132
any other user, the user placing files there would be unable to get
2133
them back out.
2134
.PP
2135
\&\fIsudoers\fR will not honor time stamps set far in the future. Time
2136
stamps with a date greater than current_time + 2 * \f(CW\*(C`TIMEOUT\*(C'\fR will
2137
be ignored and sudo will log and complain. This is done to keep a
2138
user from creating his/her own time stamp with a bogus date on
2139
systems that allow users to give away files if the time stamp directory
2140
is located in a world-writable directory.
2141
.PP
2142
On systems where the boot time is available, \fIsudoers\fR will ignore
2143
time stamps that date from before the machine booted.
4155
\fIsudoers\fR
4156
will check the ownership of its time stamp directory
4157
(\fI@timedir@\fR
4158
by default)
4159
and ignore the directory's contents if it is not owned by root or
4160
if it is writable by a user other than root.
4161
On systems that allow non-root users to give away files via
4162
chown(2),
4163
if the time stamp directory is located in a world-writable
4164
directory (e.g.\&,
4165
\fI/tmp\fR),
4166
it is possible for a user to create the time stamp directory before
4167
\fBsudo\fR
4168
is run.
4169
However, because
4170
\fIsudoers\fR
4171
checks the ownership and mode of the directory and its
4172
contents, the only damage that can be done is to
4173
``hide''
4174
files by putting them in the time stamp dir.
4175
This is unlikely to happen since once the time stamp dir is owned by root
4176
and inaccessible by any other user, the user placing files there would be
4177
unable to get them back out.
4178
.PP
4179
\fIsudoers\fR
4180
will not honor time stamps set far in the future.
4181
Time stamps with a date greater than current_time + 2 *
4182
\fRTIMEOUT\fR
4183
will be ignored and sudo will log and complain.
4184
This is done to keep a user from creating his/her own time stamp with a
4185
bogus date on systems that allow users to give away files if the time
4186
stamp directory is located in a world-writable directory.
4187
.PP
4188
On systems where the boot time is available,
4189
\fIsudoers\fR
4190
will ignore time stamps that date from before the machine booted.
2144
4191
.PP
2145
4192
Since time stamp files live in the file system, they can outlive a
2146
user's login session. As a result, a user may be able to login,
2147
run a command with \fBsudo\fR after authenticating, logout, login
2148
again, and run \fBsudo\fR without authenticating so long as the time
2149
stamp file's modification time is within \f(CW\*(C`@timeout@\*(C'\fR minutes (or
2150
whatever the timeout is set to in \fIsudoers\fR). When the \fItty_tickets\fR
4193
user's login session.
4194
As a result, a user may be able to login, run a command with
4195
\fBsudo\fR
4196
after authenticating, logout, login again, and run
4197
\fBsudo\fR
4198
without authenticating so long as the time stamp file's modification
4199
time is within
4200
\fR@timeout@\fR
4201
minutes (or whatever the timeout is set to in
4202
\fIsudoers\fR).
4203
When the
4204
\fItty_tickets\fR
2151
4205
option is enabled, the time stamp has per-tty granularity but still
2152
may outlive the user's session. On Linux systems where the devpts
2153
filesystem is used, Solaris systems with the devices filesystem,
2154
as well as other systems that utilize a devfs filesystem that
2155
monotonically increase the inode number of devices as they are
2156
created (such as Mac \s-1OS\s0 X), \fIsudoers\fR is able to determine when a
2157
tty-based time stamp file is stale and will ignore it. Administrators
2158
should not rely on this feature as it is not universally available.
4206
may outlive the user's session.
4207
On Linux systems where the devpts filesystem is used, Solaris systems
4208
with the devices filesystem, as well as other systems that utilize a
4209
devfs filesystem that monotonically increase the inode number of devices
4210
as they are created (such as Mac OS X),
4211
\fIsudoers\fR
4212
is able to determine when a tty-based time stamp file is stale and will
4213
ignore it.
4214
Administrators should not rely on this feature as it is not universally
4215
available.
2159
4216
.SH "SEE ALSO"
2160
.IX Header "SEE ALSO"
2161
\&\fIrsh\fR\|(1), \fIsu\fR\|(1), \fIfnmatch\fR\|(3), \fIglob\fR\|(3), \fImktemp\fR\|(3), \fIstrftime\fR\|(3),
2162
\&\fIsudoers.ldap\fR\|(@mansectform@), \fIsudo_plugin\fR\|(@mansectsu@), \fIsudo\fR\|(@mansectsu@), \fIvisudo\fR\|(@mansectsu@)
4217
ssh(1),
4218
su(1),
4219
fnmatch(3),
4220
glob(3),
4221
mktemp(3),
4222
strftime(3),
4223
sudoers.ldap(@mansectform@),
4224
sudo_plugin(@mansectsu@),
4225
sudo(@mansectsu@),
4226
visudo(@mansectsu@)
2163
4227
.SH "CAVEATS"
2164
.IX Header "CAVEATS"
2165
The \fIsudoers\fR file should \fBalways\fR be edited by the \fBvisudo\fR
2166
command which locks the file and does grammatical checking. It is
2167
imperative that \fIsudoers\fR be free of syntax errors since \fBsudo\fR
2168
will not run with a syntactically incorrect \fIsudoers\fR file.
4228
The
4229
\fIsudoers\fR
4230
file should
4231
\fBalways\fR
4232
be edited by the
4233
\fBvisudo\fR
4234
command which locks the file and does grammatical checking.
4235
It is
4236
imperative that
4237
\fIsudoers\fR
4238
be free of syntax errors since
4239
\fBsudo\fR
4240
will not run with a syntactically incorrect
4241
\fIsudoers\fR
4242
file.
2169
4243
.PP
2170
4244
When using netgroups of machines (as opposed to users), if you
2171
4245
store fully qualified host name in the netgroup (as is usually the
2172
4246
case), you either need to have the machine's host name be fully qualified
2173
as returned by the \f(CW\*(C`hostname\*(C'\fR command or use the \fIfqdn\fR option in
2174
\&\fIsudoers\fR.
4247
as returned by the
4248
\fRhostname\fR
4249
command or use the
4250
\fIfqdn\fR
4251
option in
4252
\fIsudoers\fR.
2175
4253
.SH "BUGS"
2176
.IX Header "BUGS"
2177
If you feel you have found a bug in \fBsudo\fR, please submit a bug report
2178
at http://www.sudo.ws/sudo/bugs/
4254
If you feel you have found a bug in
4255
\fBsudo\fR,
4256
please submit a bug report at http://www.sudo.ws/sudo/bugs/
2179
4257
.SH "SUPPORT"
2180
.IX Header "SUPPORT"
2181
4258
Limited free support is available via the sudo-users mailing list,
2182
see http://www.sudo.ws/mailman/listinfo/sudo\-users to subscribe or
4259
see http://www.sudo.ws/mailman/listinfo/sudo-users to subscribe or
2183
4260
search the archives.
2184
4261
.SH "DISCLAIMER"
2185
.IX Header "DISCLAIMER"
2186
\&\fBsudo\fR is provided ``\s-1AS\s0 \s-1IS\s0'' and any express or implied warranties,
2187
including, but not limited to, the implied warranties of merchantability
2188
and fitness for a particular purpose are disclaimed. See the \s-1LICENSE\s0
2189
file distributed with \fBsudo\fR or http://www.sudo.ws/sudo/license.html
2190
for complete details.
4262
\fBsudo\fR
4263
is provided
4264
``AS IS''
4265
and any express or implied warranties, including, but not limited
4266
to, the implied warranties of merchantability and fitness for a
4267
particular purpose are disclaimed.
4268
See the LICENSE file distributed with
4269
\fBsudo\fR
4270
or http://www.sudo.ws/sudo/license.html for complete details.
Loggerhead is a web-based interface for Breezy
Version: 2.0.1