Where there are multiple matches, the last match is used (which is
not necessarily the most specific match).
.PP
The \fIsudoers\fR grammar will be described below in Extended Backus-Naur
Form (\s-1EBNF\s0). Don't despair if you don't know what \s-1EBNF\s0 is; it is
fairly simple, and the definitions below are annotated.
.SS "Quick guide to \s-1EBNF\s0"
.IX Subsection "Quick guide to EBNF"
\&\s-1EBNF\s0 is a concise and exact way of describing the grammar of a language.
Each \s-1EBNF\s0 definition is made up of \fIproduction rules\fR. E.g.,
.PP
.Vb 1
\& symbol ::= definition | alternate1 | alternate2 ...
.Ve
.PP
Each \fIproduction rule\fR references others and thus makes up a
grammar for the language. \s-1EBNF\s0 also contains the following
operators, which many readers will recognize from regular
expressions. Do not, however, confuse them with \*(L"wildcard\*(R"
characters, which have different meanings.
.ie n .IP "\*(C`?\*(C'" 4
.el .IP "\f(CW\*(C`?\*(C'\fR" 4
Means that the preceding symbol (or group of symbols) is optional.
That is, it may appear once or not at all.
.ie n .IP "\*(C`*\*(C'" 4
.el .IP "\f(CW\*(C`*\*(C'\fR" 4
Means that the preceding symbol (or group of symbols) may appear
zero or more times.
.ie n .IP "\*(C`+\*(C'" 4
.el .IP "\f(CW\*(C`+\*(C'\fR" 4
Means that the preceding symbol (or group of symbols) may appear
one or more times.
.PP
Parentheses may be used to group symbols together. For clarity,
we will use single quotes ('') to designate what is a verbatim character
string (as opposed to a symbol name).
.SS "Aliases"
.IX Subsection "Aliases"
There are four kinds of aliases: \f(CW\*(C`User_Alias\*(C'\fR, \f(CW\*(C`Runas_Alias\*(C'\fR,
\&\f(CW\*(C`Host_Alias\*(C'\fR and \f(CW\*(C`Cmnd_Alias\*(C'\fR.
.PP
.Vb 13
\& Alias ::= \*(AqUser_Alias\*(Aq User_Alias (\*(Aq:\*(Aq User_Alias)* |
\& \*(AqRunas_Alias\*(Aq Runas_Alias (\*(Aq:\*(Aq Runas_Alias)* |
\& \*(AqHost_Alias\*(Aq Host_Alias (\*(Aq:\*(Aq Host_Alias)* |
\& \*(AqCmnd_Alias\*(Aq Cmnd_Alias (\*(Aq:\*(Aq Cmnd_Alias)*
\&
\& User_Alias ::= NAME \*(Aq=\*(Aq User_List
\&
\& Runas_Alias ::= NAME \*(Aq=\*(Aq Runas_List
\&
\& Host_Alias ::= NAME \*(Aq=\*(Aq Host_List
\&
\& Cmnd_Alias ::= NAME \*(Aq=\*(Aq Cmnd_List
\&
\& NAME ::= [A\-Z]([A\-Z][0\-9]_)*
.Ve
.PP
Each \fIalias\fR definition is of the form
.PP
.Vb 1
\& Alias_Type NAME = item1, item2, ...
.Ve
.PP
where \fIAlias_Type\fR is one of \f(CW\*(C`User_Alias\*(C'\fR, \f(CW\*(C`Runas_Alias\*(C'\fR, \f(CW\*(C`Host_Alias\*(C'\fR,
or \f(CW\*(C`Cmnd_Alias\*(C'\fR. A \f(CW\*(C`NAME\*(C'\fR is a string of uppercase letters, numbers,
and underscore characters ('_'). A \f(CW\*(C`NAME\*(C'\fR \fBmust\fR start with an
uppercase letter. It is possible to put several alias definitions
of the same type on a single line, joined by a colon (':'). E.g.,
.PP
.Vb 1
\& Alias_Type NAME = item1, item2, item3 : NAME = item4, item5
.Ve
.PP
The definitions of what constitutes a valid \fIalias\fR member follow.
.PP
.Vb 11
\& User_List ::= User |
\& User \*(Aq,\*(Aq User_List
\&
\& User ::= \*(Aq!\*(Aq* user name |
\& \*(Aq!\*(Aq* #uid |
\& \*(Aq!\*(Aq* %group |
\& \*(Aq!\*(Aq* %#gid |
\& \*(Aq!\*(Aq* +netgroup |
\& \*(Aq!\*(Aq* %:nonunix_group |
\& \*(Aq!\*(Aq* %:#nonunix_gid |
\& \*(Aq!\*(Aq* User_Alias
.Ve
.PP
A \f(CW\*(C`User_List\*(C'\fR is made up of one or more user names, user ids
(prefixed with '#'), system group names and ids (prefixed with '%'
and '%#' respectively), netgroups (prefixed with '+'), non-Unix
group names and IDs (prefixed with '%:' and '%:#' respectively) and
\&\f(CW\*(C`User_Alias\*(C'\fRes. Each list item may be prefixed with zero or more
\&'!' operators. An odd number of '!' operators negates the value of
the item; an even number cancels out.
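The alias grammar and the '!' parity rule above, as an added example (not code from this page or from sudo itself): a small Python parser for alias lines that validates NAME, splits ':'-joined definitions, folds the '!' prefixes, and resolves User_Alias references when checking whether an identity matches a User_List. The alias lines and the identities are constructed for the example; netgroups and non-Unix groups are not looked up, quoted or backslash-escaped members are not handled, and the rule that the last matching list item decides is an assumption modelled on the page's own "last match is used" statement.

```python
import re

# NAME ::= [A-Z]([A-Z][0-9]_)*: an uppercase letter, then uppercase
# letters, digits and underscores.
NAME_RE = re.compile(r"^[A-Z][A-Z0-9_]*$")
ALIAS_TYPES = ("User_Alias", "Runas_Alias", "Host_Alias", "Cmnd_Alias")
# Split "NAME = a, b : NAME2 = c" on the ':' between definitions while
# leaving the ':' of a %:nonunix_group member alone.
DEF_SPLIT_RE = re.compile(r"(?<!%)\s*:\s*(?=[A-Z][A-Z0-9_]*\s*=)")


def parse_member(item):
    """Return (negated, bare_item).  An odd number of leading '!'
    negates the item, an even number cancels out.  Quoted or
    backslash-escaped members are not handled here."""
    item = item.strip()
    bare = item.lstrip("!").strip()
    if not bare:
        raise ValueError("empty list member in %r" % item)
    return (len(item) - len(item.lstrip("!"))) % 2 == 1, bare


def parse_alias_line(line):
    """Parse one alias line such as
    'User_Alias ADMINS = alice, !bob : OPS = %wheel, #1000'
    into (alias_type, {NAME: [(negated, item), ...]})."""
    alias_type, _, rest = line.strip().partition(" ")
    if alias_type not in ALIAS_TYPES:
        raise ValueError("unknown alias type %r" % alias_type)
    defs = {}
    for definition in DEF_SPLIT_RE.split(rest):
        name, eq, items = definition.partition("=")
        name = name.strip()
        if not eq or not NAME_RE.match(name):
            raise ValueError("bad alias NAME %r" % name)
        defs[name] = [parse_member(i) for i in items.split(",")]
    return alias_type, defs


def member_matches(bare, ident, aliases):
    """True if one un-negated User item matches ident =
    {'name', 'uid', 'groups', 'gids'}, None if it does not.  Netgroups
    (+) and non-Unix groups (%:) need their lookup service and are
    treated as not matching here (assumption)."""
    if bare == "ALL":
        return True
    if bare.startswith("%:") or bare.startswith("+"):
        return None
    if bare.startswith("%#"):
        return True if int(bare[2:]) in ident["gids"] else None
    if bare.startswith("%"):
        return True if bare[1:] in ident["groups"] else None
    if bare.startswith("#"):
        return True if int(bare[1:]) == ident["uid"] else None
    if bare in aliases:
        return user_list_matches(aliases[bare], ident, aliases)
    return True if bare == ident["name"] else None


def user_list_matches(members, ident, aliases):
    """Evaluate a User_List: True (matched), False (matched a negated
    item) or None (no item matched).  Assumption: as with sudoers
    entries, the last matching item in the list is the one that counts."""
    decision = None
    for negated, bare in members:
        hit = member_matches(bare, ident, aliases)
        if hit is not None:
            decision = (not hit) if negated else hit
    return decision


# Constructed alias lines and identities for the checks below.
ALIASES = {}
for _line in ("User_Alias ADMINS = alice, !bob : OPS = %wheel, #1000",
              "User_Alias STAFF = ADMINS, !OPS"):
    ALIASES.update(parse_alias_line(_line)[1])

ALICE = {"name": "alice", "uid": 501, "groups": ["staff"], "gids": [20]}
BOB = {"name": "bob", "uid": 502, "groups": ["wheel"], "gids": [0]}
CAROL = {"name": "carol", "uid": 1000, "groups": [], "gids": [1000]}
```

Note what the nested alias does: STAFF excludes everyone OPS matches, so carol (uid 1000) is denied through '!OPS' even though no item names her directly, while bob is denied twice over (by '!bob' inside ADMINS and by '!OPS').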
.PP
A \f(CW\*(C`user name\*(C'\fR, \f(CW\*(C`uid\*(C'\fR, \f(CW\*(C`group\*(C'\fR, \f(CW\*(C`gid\*(C'\fR, \f(CW\*(C`netgroup\*(C'\fR, \f(CW\*(C`nonunix_group\*(C'\fR
or \f(CW\*(C`nonunix_gid\*(C'\fR may be enclosed in double quotes to avoid the
need for escaping special characters. Alternately, special characters
may be specified in escaped hex mode, e.g. \ex20 for space. When
using double quotes, any prefix characters must be included inside
.PP
The actual \f(CW\*(C`nonunix_group\*(C'\fR and \f(CW\*(C`nonunix_gid\*(C'\fR syntax depends on
the underlying group provider plugin (see the \fIgroup_plugin\fR
description below). For instance, the \s-1QAS\s0 \s-1AD\s0 plugin supports the
following formats:
.IP "\(bu" 4
Group in the same domain: \*(L"%:Group Name\*(R"
.IP "\(bu" 4
Group in any domain: \*(L"%:Group Name@FULLY.QUALIFIED.DOMAIN\*(R"
.IP "\(bu" 4
Group \s-1SID:\s0 \*(L"%:S\-1\-2\-34\-5678901234\-5678901234\-5678901234\-567\*(R"
.PP
Note that quotes around group names are optional. Unquoted strings
must use a backslash (\e) to escape spaces and special characters.
See \*(L"Other special characters and reserved words\*(R" for a list of
characters that need to be escaped.
.PP
.Vb 11
\& Runas_List ::= Runas_Member |
\& Runas_Member \*(Aq,\*(Aq Runas_List
\&
\& Runas_Member ::= \*(Aq!\*(Aq* user name |
\& \*(Aq!\*(Aq* #uid |
\& \*(Aq!\*(Aq* %group |
\& \*(Aq!\*(Aq* %#gid |
\& \*(Aq!\*(Aq* %:nonunix_group |
\& \*(Aq!\*(Aq* %:#nonunix_gid |
\& \*(Aq!\*(Aq* +netgroup |
\& \*(Aq!\*(Aq* Runas_Alias
.Ve
.PP
A \f(CW\*(C`Runas_List\*(C'\fR is similar to a \f(CW\*(C`User_List\*(C'\fR except that instead
of \f(CW\*(C`User_Alias\*(C'\fRes it can contain \f(CW\*(C`Runas_Alias\*(C'\fRes. Note that
user names and groups are matched as strings. In other words, two
users (groups) with the same uid (gid) are considered to be distinct.
If you wish to match all user names with the same uid (e.g.\ root
and toor), you can use a uid instead (#0 in the example given).
.PP
.Vb 8
\& Host_List ::= Host |
\& Host \*(Aq,\*(Aq Host_List
\&
\& Host ::= \*(Aq!\*(Aq* host name |
\& \*(Aq!\*(Aq* ip_addr |
\& \*(Aq!\*(Aq* network(/netmask)? |
\& \*(Aq!\*(Aq* +netgroup |
\& \*(Aq!\*(Aq* Host_Alias
.Ve
.PP
A \f(CW\*(C`Host_List\*(C'\fR is made up of one or more host names, \s-1IP\s0 addresses,
network numbers, netgroups (prefixed with '+') and other aliases.
Again, the value of an item may be negated with the '!' operator.
If you do not specify a netmask along with the network number,
\&\fBsudo\fR will query each of the local host's network interfaces and,
if the network number corresponds to one of the host's network
interfaces, the corresponding netmask will be used. The netmask
may be specified either in standard \s-1IP\s0 address notation
(e.g.\ 255.255.255.0 or ffff:ffff:ffff:ffff::),
or \s-1CIDR\s0 notation (number of bits, e.g.\ 24 or 64). A host name may
include shell-style wildcards (see the Wildcards section below),
but unless the \f(CW\*(C`hostname\*(C'\fR command on your machine returns the fully
qualified host name, you'll need to use the \fIfqdn\fR option for
wildcards to be useful. Note \fBsudo\fR only inspects actual network
interfaces; this means that \s-1IP\s0 address 127.0.0.1 (localhost) will
never match. Also, the host name \*(L"localhost\*(R" will only match if
that is the actual host name, which is usually only the case for
non-networked systems.
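The Host_List rules above, as an added example (not code from this page or from sudo itself): a Python matcher that accepts an address, a network with a netmask in either notation, a bare network number whose netmask is taken from a local interface on that network, or a host name with shell-style wildcards, and applies '!' negation with the last matching item deciding (an assumption modelled on the page's own last-match rule). The interface table and the host names are constructed; loopback is left out of the table because sudo never matches it; netgroups are not looked up; and case-insensitive host name comparison is an assumption.

```python
import fnmatch
import ipaddress

# Constructed stand-in for the local host's network interfaces as
# (address, netmask); loopback is deliberately absent, as it is for sudo.
LOCAL_INTERFACES = [("192.168.1.20", "255.255.255.0"),
                    ("2001:db8:1:2::20", "ffff:ffff:ffff:ffff::")]
HOST = {"name": "boulder", "fqdn": "boulder.example.com"}   # constructed


def netmask_to_prefix(netmask):
    """Accept a CIDR bit count or a netmask in IP address notation."""
    if netmask.isdigit():
        return int(netmask)
    mask = int(ipaddress.ip_address(netmask))
    bits = 128 if ":" in netmask else 32
    ones = bin(mask).count("1")
    # A valid netmask has all its one bits at the top.
    if mask != ((1 << bits) - 1) ^ ((1 << (bits - ones)) - 1):
        raise ValueError("non-contiguous netmask %r" % netmask)
    return ones


def interfaces():
    """Yield (address, network) for each local interface."""
    for addr, mask in LOCAL_INTERFACES:
        net = ipaddress.ip_network("%s/%d" % (addr, netmask_to_prefix(mask)), strict=False)
        yield ipaddress.ip_address(addr), net


def addr_item_matches(item):
    """ip_addr or network(/netmask)?: with a netmask, match if any
    interface address lies in that network; without one, match an
    interface address exactly or the network number of an interface's
    own network (so that interface's netmask is the one used)."""
    number, sep, mask = item.partition("/")
    target = ipaddress.ip_address(number)
    if sep:
        network = ipaddress.ip_network("%s/%d" % (number, netmask_to_prefix(mask)), strict=False)
        return any(addr in network for addr, _ in interfaces())
    return any(target == addr or target == net.network_address for addr, net in interfaces())


def host_item_matches(item, use_fqdn=False):
    """True, or None when the item does not apply to this host."""
    if item == "ALL":
        return True
    if item.startswith("+"):
        return None   # netgroup lookup is not modelled
    try:
        ipaddress.ip_address(item.partition("/")[0])
    except ValueError:
        # A host name with shell-style wildcards.  A pattern such as
        # *.example.com only works against the fully qualified name,
        # which is what the fqdn option provides.
        name = HOST["fqdn"] if use_fqdn else HOST["name"]
        return fnmatch.fnmatchcase(name.lower(), item.lower()) or None
    return addr_item_matches(item) or None


def host_list_matches(text, use_fqdn=False):
    """Evaluate a Host_List: True, False (a negated item matched) or
    None (nothing matched); the last matching item decides."""
    decision = None
    for raw in text.split(","):
        raw = raw.strip()
        bare = raw.lstrip("!")
        negated = (len(raw) - len(bare)) % 2 == 1
        hit = host_item_matches(bare, use_fqdn)
        if hit is not None:
            decision = (not hit) if negated else hit
    return decision
```

The 127.0.0.1 and 10.0.0.0 cases in the checks below return None rather than False: no interface carries those addresses, so the items simply never apply, which is the behaviour the paragraph describes for localhost.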
.PP
.Vb 11
\& Cmnd_List ::= Cmnd |
\& Cmnd \*(Aq,\*(Aq Cmnd_List
\&
\& commandname ::= file name |
\& file name args |
\& file name \*(Aq""\*(Aq
\&
\& Cmnd ::= \*(Aq!\*(Aq* commandname |
\& \*(Aq!\*(Aq* directory |
\& \*(Aq!\*(Aq* "sudoedit" |
\& \*(Aq!\*(Aq* Cmnd_Alias
.Ve
.PP
A \f(CW\*(C`Cmnd_List\*(C'\fR is a list of one or more commandnames, directories, and other
aliases. A commandname is a fully qualified file name which may include
shell-style wildcards (see the Wildcards section below). A simple
file name allows the user to run the command with any arguments he/she
wishes. However, you may also specify command line arguments (including
wildcards). Alternately, you can specify \f(CW""\fR to indicate that the command
may only be run \fBwithout\fR command line arguments. A directory is a
fully qualified path name ending in a '/'. When you specify a directory
in a \f(CW\*(C`Cmnd_List\*(C'\fR, the user will be able to run any file within that directory
(but not in any subdirectories therein).
.PP
If a \f(CW\*(C`Cmnd\*(C'\fR has associated command line arguments, then the arguments
in the \f(CW\*(C`Cmnd\*(C'\fR must match exactly those given by the user on the command line
(or match the wildcards if there are any). Note that the following
characters must be escaped with a '\e' if they are used in command
arguments: ',', ':', '=', '\e'. The special command \f(CW"sudoedit"\fR
is used to permit a user to run \fBsudo\fR with the \fB\-e\fR option (or
as \fBsudoedit\fR). It may take command line arguments just as
a normal command does.
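The Cmnd_List rules above (bare file name, explicit arguments, the "" marker, directories, backslash escapes and '!' negation), as an added example that is not code from this page or from sudo: a Python matcher for a Cmnd_List against the command and arguments a user asked for. Path names are compared component by component so a wildcard does not cross a '/', as glob(3) does; argument patterns are compared against the arguments joined into one string, as the page describes. The Cmnd_List used in the checks is constructed, and the last matching item deciding is an assumption modelled on the page's last-match rule. The last check shows the caveat that follows from string matching: an argument wildcard such as /var/log/* can also match a second, unrelated argument.

```python
import fnmatch
import os


def split_cmnd_list(text):
    """Split a Cmnd_List on commas that are not backslash-escaped and
    drop the escaping backslash from the escaped ',', ':', '=' and '\\'."""
    items, cur, i = [], [], 0
    while i < len(text):
        c = text[i]
        if c == "\\" and i + 1 < len(text) and text[i + 1] in ",:=\\":
            cur.append(text[i + 1])
            i += 2
            continue
        if c == ",":
            items.append("".join(cur).strip())
            cur = []
        else:
            cur.append(c)
        i += 1
    items.append("".join(cur).strip())
    return items


def parse_cmnd(item):
    """Return (negated, path, args): args is None for a bare file name
    (any arguments allowed), '' for file name \"\" (no arguments
    allowed), or the argument pattern."""
    bare = item.lstrip("!")
    negated = (len(item) - len(bare)) % 2 == 1
    path, _, args = bare.strip().partition(" ")
    args = args.strip()
    if args == '""':
        return negated, path, ""
    return negated, path, args or None


def path_matches(pattern, path):
    """glob(3)-style comparison: wildcards match within one path
    component and never cross a '/'."""
    pp, cp = pattern.split("/"), path.split("/")
    return len(pp) == len(cp) and all(fnmatch.fnmatchcase(c, p) for p, c in zip(pp, cp))


def cmnd_matches(path, args, user_cmd, user_args):
    """Does one Cmnd permit user_cmd (a fully qualified path) with the
    argument list user_args?"""
    if path == "ALL":
        return True
    if path.endswith("/"):
        # Directory: any file directly inside it, not in a sub-directory.
        return os.path.dirname(user_cmd) + "/" == path
    if not path_matches(path, user_cmd):
        return False
    if args is None:
        return True
    joined = " ".join(user_args)
    if args == "":
        return joined == ""
    if any(c in args for c in "*?["):
        # Arguments are matched as one concatenated string, so a
        # wildcard can span several words.
        return fnmatch.fnmatchcase(joined, args)
    return joined == args


def cmnd_list_matches(text, user_cmd, user_args):
    """True, False (a negated item matched) or None (nothing matched);
    the last matching item decides (assumption)."""
    decision = None
    for negated, path, args in (parse_cmnd(i) for i in split_cmnd_list(text)):
        if cmnd_matches(path, args, user_cmd, user_args):
            decision = not negated
    return decision


# Constructed Cmnd_List for the checks below.
CMNDS = ('/usr/bin/*, /bin/ls "", /bin/kill -9 [0-9]*, /usr/sbin/, '
         '!/usr/bin/passwd root, /bin/cat /var/log/*')
```

The "/usr/bin/*, ... !/usr/bin/passwd root" pair shows the documented way to carve an exception out of a wildcard entry; note that it only excludes the exact argument string "root", not "-- root" or any other spelling the command accepts.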
.SS "Defaults"
.IX Subsection "Defaults"
Certain configuration options may be changed from their default
values at runtime via one or more \f(CW\*(C`Default_Entry\*(C'\fR lines. These
may affect all users on any host, all users on a specific host, a
specific user, a specific command, or commands being run as a specific user.
Note that per-command entries may not include command line arguments.
If you need to specify arguments, define a \f(CW\*(C`Cmnd_Alias\*(C'\fR and reference
.PP
.Vb 15
\& Default_Type ::= \*(AqDefaults\*(Aq |
\& \*(AqDefaults\*(Aq \*(Aq@\*(Aq Host_List |
\& \*(AqDefaults\*(Aq \*(Aq:\*(Aq User_List |
\& \*(AqDefaults\*(Aq \*(Aq!\*(Aq Cmnd_List |
\& \*(AqDefaults\*(Aq \*(Aq>\*(Aq Runas_List
\&
\& Default_Entry ::= Default_Type Parameter_List
\&
\& Parameter_List ::= Parameter |
\& Parameter \*(Aq,\*(Aq Parameter_List
\&
\& Parameter ::= Parameter \*(Aq=\*(Aq Value |
\& Parameter \*(Aq+=\*(Aq Value |
\& Parameter \*(Aq\-=\*(Aq Value |
\& \*(Aq!\*(Aq* Parameter
.Ve
.PP
Parameters may be \fBflags\fR, \fBinteger\fR values, \fBstrings\fR, or \fBlists\fR.
Flags are implicitly boolean and can be turned off via the '!'
operator. Some integer, string and list parameters may also be
used in a boolean context to disable them. Values may be enclosed
in double quotes (\f(CW\*(C`"\*(C'\fR) when they contain multiple words. Special
characters may be escaped with a backslash (\f(CW\*(C`\e\*(C'\fR).
.PP
Lists have two additional assignment operators, \f(CW\*(C`+=\*(C'\fR and \f(CW\*(C`\-=\*(C'\fR.
These operators are used to add to and delete from a list respectively.
It is not an error to use the \f(CW\*(C`\-=\*(C'\fR operator to remove an element
that does not exist in a list.
.PP
Defaults entries are parsed in the following order: generic, host
and user Defaults first, then runas Defaults and finally command
.PP
See \*(L"\s-1SUDOERS\s0 \s-1OPTIONS\s0\*(R" for a list of supported Defaults parameters.
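The Default_Entry grammar and the parse order above, as an added example (not code from this page or from sudo): a Python resolver that parses Defaults lines, applies '!' parity to flags and to non-flags used in a boolean context, handles '=', '+=' and '-=' on lists (removing an absent element is not an error), and folds the entries that apply to a given host, user, runas user and command in the page's order: generic, host and user entries first, then runas, then command entries. The parameter table uses real sudoers option names, but its kinds and starting values are assumed for the example; scope lists are matched by exact name or ALL without alias or netgroup resolution; and the Defaults lines and context are constructed.

```python
import re

# Constructed subset of the option table: name -> (kind, starting value).
# The names are real sudoers options; kinds and values are assumed here.
PARAMS = {"env_reset": ("flag", True), "requiretty": ("flag", False),
          "passwd_tries": ("integer", 3), "lecture": ("string", "once"),
          "env_keep": ("list", set())}
# Parse order from the page: generic, host and user first, then runas,
# then command entries.  '' is the generic Default_Type.
SCOPE_ORDER = {"": 0, "@": 0, ":": 0, ">": 1, "!": 2}
SCOPE_KEY = {"@": "host", ":": "user", ">": "runas", "!": "cmnd"}
PARAM_RE = re.compile(r"^(?P<bangs>!*)(?P<name>[A-Za-z_]+)\s*(?:(?P<op>\+=|-=|=)\s*(?P<value>.*))?$")


def split_params(text):
    """Split a Parameter_List on commas outside double quotes."""
    parts, cur, quoted = [], [], False
    for c in text:
        if c == '"':
            quoted = not quoted
        if c == "," and not quoted:
            parts.append("".join(cur).strip())
            cur = []
        else:
            cur.append(c)
    parts.append("".join(cur).strip())
    return parts


def parse_defaults_line(line):
    """'Defaults:alice !requiretty, env_keep += "A B"' ->
    (scope_kind, scope_items, [(bangs, name, op, value), ...]).
    A per-command scope with arguments ('Defaults!/bin/ls -l ...') is
    rejected, because the leftover text is not a Parameter."""
    head, _, rest = line.strip().partition(" ")
    if not head.startswith("Defaults") or head[8:9] not in SCOPE_ORDER:
        raise ValueError("bad Default_Type %r" % head)
    kind, scope = head[8:9], head[9:]
    params = []
    for p in split_params(rest):
        m = PARAM_RE.match(p)
        if not m or m.group("name") not in PARAMS:
            raise ValueError("bad parameter %r" % p)
        value = m.group("value")
        if value is not None and len(value) >= 2 and value[0] == value[-1] == '"':
            value = value[1:-1]
        params.append((len(m.group("bangs")), m.group("name"), m.group("op"), value))
    return kind, [s.strip() for s in scope.split(",") if s.strip()], params


def scope_applies(kind, items, ctx):
    """Generic entries always apply; the others when the context value is
    listed (exact name or ALL; aliases and netgroups not resolved)."""
    return kind == "" or "ALL" in items or ctx[SCOPE_KEY[kind]] in items


def apply_parameter(settings, bangs, name, op, value):
    kind, _ = PARAMS[name]
    negated = bangs % 2 == 1
    if op is None:
        if kind == "flag":
            settings[name] = not negated
        elif negated:
            settings[name] = None      # '!' on a non-flag disables it
        else:
            raise ValueError("%s needs a value" % name)
    elif negated:
        raise ValueError("'!' cannot be combined with %r" % op)
    elif kind == "list":
        words = set(value.split())
        current = settings[name] or set()
        if op == "=":
            settings[name] = words
        elif op == "+=":
            settings[name] = current | words
        else:
            settings[name] = current - words   # missing elements are ignored
    elif op != "=":
        raise ValueError("%r only applies to lists" % op)
    elif kind == "integer":
        settings[name] = int(value)
    elif kind == "string":
        settings[name] = value
    else:
        raise ValueError("flag %s does not take a value" % name)


def effective_defaults(lines, ctx):
    """Resolve the Defaults applying to ctx = {'host','user','runas','cmnd'}."""
    settings = {n: (set(v) if isinstance(v, set) else v) for n, (_, v) in PARAMS.items()}
    entries = [parse_defaults_line(l) for l in lines]
    entries.sort(key=lambda e: SCOPE_ORDER[e[0]])   # stable: file order within a group
    for kind, items, params in entries:
        if scope_applies(kind, items, ctx):
            for bangs, name, op, value in params:
                apply_parameter(settings, bangs, name, op, value)
    return settings


# Constructed sudoers Defaults lines and invocation context.
DEFAULTS_LINES = [
    'Defaults!/usr/bin/vi env_keep -= "EDITOR"',
    "Defaults env_reset, passwd_tries=5",
    'Defaults:alice env_keep += "EDITOR VISUAL", !requiretty',
    "Defaults>root !lecture",
    'Defaults@boulder env_keep += "LANG", requiretty',
    'Defaults!/bin/ls env_keep -= "LANG NOTSET"',
]
CTX = {"host": "boulder", "user": "alice", "runas": "root", "cmnd": "/bin/ls"}
```

With this context the host entry wins over the user entry for requiretty only because it comes later in the file; both belong to the first group. The command entry for /bin/ls runs last, so its '-=' removes LANG after the host entry added it, and the absent NOTSET is silently ignored.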
.SS "User Specification"
.IX Subsection "User Specification"
.Vb 17
\& User_Spec ::= User_List Host_List \*(Aq=\*(Aq Cmnd_Spec_List \e
\& (\*(Aq:\*(Aq Host_List \*(Aq=\*(Aq Cmnd_Spec_List)*
\&
\& Cmnd_Spec_List ::= Cmnd_Spec |
\& Cmnd_Spec \*(Aq,\*(Aq Cmnd_Spec_List
\&
\& Cmnd_Spec ::= Runas_Spec? SELinux_Spec? Solaris_Priv_Spec? Tag_Spec* Cmnd
\&
\& Runas_Spec ::= \*(Aq(\*(Aq Runas_List? (\*(Aq:\*(Aq Runas_List)? \*(Aq)\*(Aq
\&
\& SELinux_Spec ::= (\*(AqROLE=role\*(Aq | \*(AqTYPE=type\*(Aq)
\&
\& Solaris_Priv_Spec ::= (\*(AqPRIVS=privset\*(Aq | \*(AqLIMITPRIVS=privset\*(Aq)
\&
\& Tag_Spec ::= (\*(AqNOPASSWD:\*(Aq | \*(AqPASSWD:\*(Aq | \*(AqNOEXEC:\*(Aq | \*(AqEXEC:\*(Aq |
\& \*(AqSETENV:\*(Aq | \*(AqNOSETENV:\*(Aq | \*(AqLOG_INPUT:\*(Aq | \*(AqNOLOG_INPUT:\*(Aq |
\& \*(AqLOG_OUTPUT:\*(Aq | \*(AqNOLOG_OUTPUT:\*(Aq)
.Ve
.PP
A \fBuser specification\fR determines which commands a user may run
(and as what user) on specified hosts. By default, commands are
run as \fBroot\fR, but this can be changed on a per-command basis.
.PP
The basic structure of a user specification is `who where = (as_whom)
what'. Let's break that down into its constituent parts:
.SS "Runas_Spec"
.IX Subsection "Runas_Spec"
A \f(CW\*(C`Runas_Spec\*(C'\fR determines the user and/or the group that a command
may be run as. A fully-specified \f(CW\*(C`Runas_Spec\*(C'\fR consists of two
\&\f(CW\*(C`Runas_List\*(C'\fRs (as defined above) separated by a colon (':') and
enclosed in a set of parentheses. The first \f(CW\*(C`Runas_List\*(C'\fR indicates
which users the command may be run as via \fBsudo\fR's \fB\-u\fR option.
The second defines a list of groups that can be specified via
\&\fBsudo\fR's \fB\-g\fR option. If both \f(CW\*(C`Runas_List\*(C'\fRs are specified, the
command may be run with any combination of users and groups listed
in their respective \f(CW\*(C`Runas_List\*(C'\fRs. If only the first is specified,
the command may be run as any user in the list but no \fB\-g\fR option
may be specified. If the first \f(CW\*(C`Runas_List\*(C'\fR is empty but the
second is specified, the command may be run as the invoking user
with the group set to any listed in the \f(CW\*(C`Runas_List\*(C'\fR. If both
\&\f(CW\*(C`Runas_List\*(C'\fRs are empty, the command may only be run as the invoking user.
If no \f(CW\*(C`Runas_Spec\*(C'\fR is specified the command may be run as \fBroot\fR and
no group may be specified.
.PP
A \f(CW\*(C`Runas_Spec\*(C'\fR sets the default for the commands that follow it.
What this means is that for the entry:
.PP
.Vb 1
\& dgb boulder = (operator) /bin/ls, /bin/kill, /usr/bin/lprm
.Ve
.PP
The user \fBdgb\fR may run \fI/bin/ls\fR, \fI/bin/kill\fR, and
\&\fI/usr/bin/lprm\fR \*(-- but only as \fBoperator\fR. E.g.,
.PP
.Vb 1
\& $ sudo \-u operator /bin/ls
.Ve
.PP
It is also possible to override a \f(CW\*(C`Runas_Spec\*(C'\fR later on in an
entry. If we modify the entry like so:
.PP
.Vb 1
\& dgb boulder = (operator) /bin/ls, (root) /bin/kill, /usr/bin/lprm
.Ve
.PP
Then user \fBdgb\fR is now allowed to run \fI/bin/ls\fR as \fBoperator\fR,
but \fI/bin/kill\fR and \fI/usr/bin/lprm\fR as \fBroot\fR.
.PP
We can extend this to allow \fBdgb\fR to run \f(CW\*(C`/bin/ls\*(C'\fR with either
the user or group set to \fBoperator\fR:
.PP
.Vb 2
\& dgb boulder = (operator : operator) /bin/ls, (root) /bin/kill, \e
\& /usr/bin/lprm
.Ve
.PP
Note that while the group portion of the \f(CW\*(C`Runas_Spec\*(C'\fR permits the
user to run a command with that group, it does not force the user
to do so. If no group is specified on the command line, the command
will run with the group listed in the target user's password database
entry. The following would all be permitted by the sudoers entry above:
.PP
.Vb 3
\& $ sudo \-u operator /bin/ls
\& $ sudo \-u operator \-g operator /bin/ls
\& $ sudo \-g operator /bin/ls
.Ve
.PP
In the following example, user \fBtcm\fR may run commands that access
a modem device file with the dialer group.
.PP
.Vb 2
\& tcm boulder = (:dialer) /usr/bin/tip, /usr/bin/cu, \e
\& /usr/local/bin/minicom
.Ve
.PP
Note that in this example only the group will be set; the command
still runs as user \fBtcm\fR. E.g.
.PP
.Vb 1
\& $ sudo \-g dialer /usr/bin/cu
.Ve
.PP
Multiple users and groups may be present in a \f(CW\*(C`Runas_Spec\*(C'\fR, in
which case the user may select any combination of users and groups
via the \fB\-u\fR and \fB\-g\fR options. In this example:
.PP
.Vb 1
\& alan ALL = (root, bin : operator, system) ALL
.Ve
.PP
user \fBalan\fR may run any command as either user root or bin,
optionally setting the group to operator or system.
.SS "SELinux_Spec"
.IX Subsection "SELinux_Spec"
On systems with SELinux support, \fIsudoers\fR entries may optionally have
an SELinux role and/or type associated with a command. If a role or
type is specified with the command it will override any default values
specified in \fIsudoers\fR. A role or type specified on the command line,
however, will supersede the values in \fIsudoers\fR.
.SS "Solaris_Priv_Spec"
.IX Subsection "Solaris_Priv_Spec"
On Solaris systems, \fIsudoers\fR entries may optionally specify a Solaris
privilege set and/or limit privilege set associated with a command.
If privileges or limit privileges are specified with the command
it will override any default values specified in \fIsudoers\fR.
A privilege set is a comma-separated list of privilege names (the
system provides a command to list all privileges known to it).
In addition, there are several special privilege strings that stand for
the set of all privileges,
the set of all privileges available in the current zone,
and the default set of privileges normal users are granted at login time.
Privileges can be excluded from a set by prefixing the privilege
.SS "Tag_Spec"
.IX Subsection "Tag_Spec"
A command may have zero or more tags associated with it. There are
ten possible tag values: \f(CW\*(C`NOPASSWD\*(C'\fR, \f(CW\*(C`PASSWD\*(C'\fR, \f(CW\*(C`NOEXEC\*(C'\fR,
\&\f(CW\*(C`EXEC\*(C'\fR, \f(CW\*(C`SETENV\*(C'\fR, \f(CW\*(C`NOSETENV\*(C'\fR, \f(CW\*(C`LOG_INPUT\*(C'\fR, \f(CW\*(C`NOLOG_INPUT\*(C'\fR,
\&\f(CW\*(C`LOG_OUTPUT\*(C'\fR and \f(CW\*(C`NOLOG_OUTPUT\*(C'\fR. Once a tag is set on a \f(CW\*(C`Cmnd\*(C'\fR,
subsequent \f(CW\*(C`Cmnd\*(C'\fRs in the \f(CW\*(C`Cmnd_Spec_List\*(C'\fR inherit the tag unless
it is overridden by the opposite tag (i.e.: \f(CW\*(C`PASSWD\*(C'\fR overrides
\&\f(CW\*(C`NOPASSWD\*(C'\fR and \f(CW\*(C`NOEXEC\*(C'\fR overrides \f(CW\*(C`EXEC\*(C'\fR).
.PP
\fI\s-1NOPASSWD\s0 and \s-1PASSWD\s0\fR
.IX Subsection "NOPASSWD and PASSWD"
.PP
By default, \fBsudo\fR requires that a user authenticate him or herself
before running a command. This behavior can be modified via the
\&\f(CW\*(C`NOPASSWD\*(C'\fR tag. Like a \f(CW\*(C`Runas_Spec\*(C'\fR, the \f(CW\*(C`NOPASSWD\*(C'\fR tag sets
a default for the commands that follow it in the \f(CW\*(C`Cmnd_Spec_List\*(C'\fR.
Conversely, the \f(CW\*(C`PASSWD\*(C'\fR tag can be used to reverse things. The entry
.PP
.Vb 1
\& ray rushmore = NOPASSWD: /bin/kill, /bin/ls, /usr/bin/lprm
.Ve
.PP
would allow the user \fBray\fR to run \fI/bin/kill\fR, \fI/bin/ls\fR, and
\&\fI/usr/bin/lprm\fR as \fBroot\fR on the machine rushmore without
authenticating himself. If we only want \fBray\fR to be able to
run \fI/bin/kill\fR without a password the entry would be:
.PP
.Vb 1
\& ray rushmore = NOPASSWD: /bin/kill, PASSWD: /bin/ls, /usr/bin/lprm
.Ve
.PP
Note, however, that the \f(CW\*(C`PASSWD\*(C'\fR tag has no effect on users who are
in the group specified by the \fIexempt_group\fR option.
.PP
By default, if the \f(CW\*(C`NOPASSWD\*(C'\fR tag is applied to any of the entries
for a user on the current host, he or she will be able to run
\&\f(CW\*(C`sudo \-l\*(C'\fR without a password. Additionally, a user may only run
\&\f(CW\*(C`sudo \-v\*(C'\fR without a password if the \f(CW\*(C`NOPASSWD\*(C'\fR tag is present
for all a user's entries that pertain to the current host.
This behavior may be overridden via the \fIverifypw\fR and \fIlistpw\fR options.
.PP
\fI\s-1NOEXEC\s0 and \s-1EXEC\s0\fR
.IX Subsection "NOEXEC and EXEC"
.PP
If \fBsudo\fR has been compiled with \fInoexec\fR support and the underlying
operating system supports it, the \f(CW\*(C`NOEXEC\*(C'\fR tag can be used to prevent
a dynamically-linked executable from running further commands itself.
.PP
In the following example, user \fBaaron\fR may run \fI/usr/bin/more\fR
and \fI/usr/bin/vi\fR but shell escapes will be disabled.
.PP
.Vb 1
\& aaron shanty = NOEXEC: /usr/bin/more, /usr/bin/vi
.Ve
.PP
See the \*(L"Preventing Shell Escapes\*(R" section below for more details
on how \f(CW\*(C`NOEXEC\*(C'\fR works and whether or not it will work on your system.
.PP
\fI\s-1SETENV\s0 and \s-1NOSETENV\s0\fR
.IX Subsection "SETENV and NOSETENV"
.PP
These tags override the value of the \fIsetenv\fR option on a per-command
basis. Note that if \f(CW\*(C`SETENV\*(C'\fR has been set for a command, the user
may disable the \fIenv_reset\fR option from the command line via the
\&\fB\-E\fR option. Additionally, environment variables set on the command
line are not subject to the restrictions imposed by \fIenv_check\fR,
\&\fIenv_delete\fR, or \fIenv_keep\fR. As such, only trusted users should
be allowed to set variables in this manner. If the command matched
is \fB\s-1ALL\s0\fR, the \f(CW\*(C`SETENV\*(C'\fR tag is implied for that command; this
default may be overridden by use of the \f(CW\*(C`NOSETENV\*(C'\fR tag.
.PP
\fI\s-1LOG_INPUT\s0 and \s-1NOLOG_INPUT\s0\fR
.IX Subsection "LOG_INPUT and NOLOG_INPUT"
.PP
These tags override the value of the \fIlog_input\fR option on a
per-command basis. For more information, see the description of
\&\fIlog_input\fR in the \*(L"\s-1SUDOERS\s0 \s-1OPTIONS\s0\*(R" section below.
.PP
\fI\s-1LOG_OUTPUT\s0 and \s-1NOLOG_OUTPUT\s0\fR
.IX Subsection "LOG_OUTPUT and NOLOG_OUTPUT"
.PP
These tags override the value of the \fIlog_output\fR option on a
per-command basis. For more information, see the description of
\&\fIlog_output\fR in the \*(L"\s-1SUDOERS\s0 \s-1OPTIONS\s0\*(R" section below.
.SS "Wildcards"
.IX Subsection "Wildcards"
\&\fBsudo\fR allows shell-style \fIwildcards\fR (aka meta or glob characters)
to be used in host names, path names and command line arguments in
the \fIsudoers\fR file. Wildcard matching is done via the \fB\s-1POSIX\s0\fR
\&\fIglob\fR\|(3) and \fIfnmatch\fR\|(3) routines. Note that these are \fInot\fR
regular expressions.
.ie n .IP "\*(C`*\*(C'" 8
.el .IP "\f(CW\*(C`*\*(C'\fR" 8
Matches any set of zero or more characters.
.ie n .IP "\*(C`?\*(C'" 8
.el .IP "\f(CW\*(C`?\*(C'\fR" 8
Matches any single character.
.ie n .IP "\*(C`[...]\*(C'" 8
.el .IP "\f(CW\*(C`[...]\*(C'\fR" 8
Matches any character in the specified range.
.ie n .IP "\*(C`[!...]\*(C'" 8
.el .IP "\f(CW\*(C`[!...]\*(C'\fR" 8
Matches any character \fBnot\fR in the specified range.
.ie n .IP "\*(C`\ex\*(C'" 8
.el .IP "\f(CW\*(C`\ex\*(C'\fR" 8
For any character \*(L"x\*(R", evaluates to \*(L"x\*(R". This is used to
escape special characters such as: \*(L"*\*(R", \*(L"?\*(R", \*(L"[\*(R", and \*(L"]\*(R".
.PP
\&\s-1POSIX\s0 character classes may also be used if your system's \fIglob\fR\|(3)
and \fIfnmatch\fR\|(3) functions support them. However, because the
\&\f(CW\*(Aq:\*(Aq\fR character has special meaning in \fIsudoers\fR, it must be
escaped. For example:
.PP
.Vb 1
\& /bin/ls [[\e:alpha\e:]]*
.Ve
.PP
Would match any file name beginning with a letter.
.PP
Note that a forward slash ('/') will \fBnot\fR be matched by
wildcards used in the path name. This is to make a path like:
.PP
.Vb 1
\& /usr/bin/*
.Ve
.PP
match \fI/usr/bin/who\fR but not \fI/usr/bin/X11/xterm\fR.
When matching the command line arguments, however, a slash \fBdoes\fR
get matched by wildcards since command line arguments may contain
arbitrary strings and not just path names.
.PP
Wildcards in command line arguments should be used with care.
Because command line arguments are matched as a single, concatenated
string, a wildcard such as \f(CW\*(C`*\*(C'\fR can match multiple words.
For example, while a sudoers entry like:
.PP
.Vb 1
\& %operator ALL = /bin/cat /var/log/messages*
.Ve
.PP
will allow a command like:
.PP
.Vb 1
\& $ sudo cat /var/log/messages.1
.Ve
.PP
it will also allow:
.PP
.Vb 1
\& $ sudo cat /var/log/messages /etc/shadow
.Ve
.PP
which is probably not what was intended.
.SS "Exceptions to wildcard rules"
.IX Subsection "Exceptions to wildcard rules"
The following exceptions apply to the above rules:
.ie n .IP """""" 8
.el .IP "\f(CW``''\fR" 8
If the empty string \f(CW""\fR is the only command line argument in the
\&\fIsudoers\fR entry it means that command is not allowed to be run
with \fBany\fR arguments.
.IP "sudoedit" 8
Command line arguments to the \fBsudoedit\fR built-in command should
always be path names, so a forward slash ('/') will not be matched by
a wildcard.
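The path and argument matching rules above, worked through as an added example that is not code from sudo itself: a small Python matcher that mimics the fnmatch(3) semantics a sudoers command spec is checked with, keeping '/' out of path wildcards and matching arguments as one concatenated string (POSIX character classes are left out).

```python
import re


def glob_to_regex(pattern, pathname):
    """Translate a sudoers wildcard pattern into an anchored regex.

    Supports the operators listed in the manual: '*', '?', '[...]',
    '[!...]' and the backslash escape.  With pathname=True the behaviour
    mirrors fnmatch(3) with FNM_PATHNAME, which is how the command path
    is matched: '*' and '?' never match '/'.  With pathname=False a
    wildcard may span '/' (and spaces), which is how command line
    arguments are matched.  POSIX character classes are not handled.
    """
    any_char = "[^/]" if pathname else "."
    out = []
    i = 0
    while i < len(pattern):
        c = pattern[i]
        if c == "*":
            out.append(any_char + "*")
        elif c == "?":
            out.append(any_char)
        elif c == "\\" and i + 1 < len(pattern):
            # '\x' evaluates to the literal character x.
            i += 1
            out.append(re.escape(pattern[i]))
        elif c == "[":
            # Bracket expression; a ']' directly after '[' or '[!' is literal.
            start = i + 3 if pattern[i + 1:i + 2] == "!" else i + 2
            end = pattern.find("]", start)
            if end == -1:
                out.append(re.escape(c))
            else:
                body = pattern[i + 1:end]
                if body.startswith("!"):
                    body = "^" + body[1:]
                out.append("[" + body.replace("\\", "\\\\") + "]")
                i = end
        else:
            out.append(re.escape(c))
        i += 1
    return re.compile("^" + "".join(out) + "$", re.DOTALL)


def command_matches(rule_cmd, rule_args, cmd, args):
    """Decide whether a command and its arguments satisfy one sudoers
    command spec, following the Wildcards section:

    - the path is matched with '/' excluded from wildcards;
    - rule_args None means the rule lists no arguments, so any are allowed;
    - rule_args "" (the empty-string exception) forbids all arguments;
    - otherwise the user's arguments are joined with single spaces and
      matched as one string, so a '*' can swallow several words.
    """
    if not glob_to_regex(rule_cmd, pathname=True).match(cmd):
        return False
    if rule_args is None:
        return True
    if rule_args == "":
        return len(args) == 0
    joined = " ".join(args)
    return glob_to_regex(rule_args, pathname=False).match(joined) is not None


if __name__ == "__main__":
    # Constructed checks reproducing the manual's own examples.
    print(command_matches("/usr/bin/*", None, "/usr/bin/who", []))        # True
    print(command_matches("/usr/bin/*", None, "/usr/bin/X11/xterm", []))  # False
    rule = ("/bin/cat", "/var/log/messages*")
    print(command_matches(*rule, "/bin/cat", ["/var/log/messages.1"]))    # True
    # The over-broad match the manual warns about: '*' spans the space.
    print(command_matches(*rule, "/bin/cat", ["/var/log/messages", "/etc/shadow"]))  # True
    print(command_matches("/bin/ls", "", "/bin/ls", ["-la"]))             # False
```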
.SS "Including other files from within sudoers"
.IX Subsection "Including other files from within sudoers"
It is possible to include other \fIsudoers\fR files from within the
\&\fIsudoers\fR file currently being parsed using the \f(CW\*(C`#include\*(C'\fR and
\&\f(CW\*(C`#includedir\*(C'\fR directives.
.PP
This can be used, for example, to keep a site-wide \fIsudoers\fR file
in addition to a local, per-machine file. For the sake of this
example the site-wide \fIsudoers\fR will be \fI/etc/sudoers\fR and the
per-machine one will be \fI/etc/sudoers.local\fR. To include
\&\fI/etc/sudoers.local\fR from within \fI/etc/sudoers\fR we would use the
following line in \fI/etc/sudoers\fR:
.PP
\&\f(CW\*(C`#include /etc/sudoers.local\*(C'\fR
.PP
When \fBsudo\fR reaches this line it will suspend processing of the
current file (\fI/etc/sudoers\fR) and switch to \fI/etc/sudoers.local\fR.
Upon reaching the end of \fI/etc/sudoers.local\fR, the rest of
\&\fI/etc/sudoers\fR will be processed. Files that are included may
themselves include other files. A hard limit of 128 nested include
files is enforced to prevent include file loops.
.PP
If the path to the include file is not fully-qualified (does not
begin with a \fI/\fR), it must be located in the same directory as the
sudoers file it was included from. For example, if \fI/etc/sudoers\fR
contains the line:
.PP
\&\f(CW\*(C`#include sudoers.local\*(C'\fR
.PP
the file that will be included is \fI/etc/sudoers.local\fR.
.PP
The file name may also include the \f(CW%h\fR escape, signifying the short form
of the host name. I.e., if the machine's host name is \*(L"xerxes\*(R", then
.PP
\&\f(CW\*(C`#include /etc/sudoers.%h\*(C'\fR
.PP
will cause \fBsudo\fR to include the file \fI/etc/sudoers.xerxes\fR.
.PP
The \f(CW\*(C`#includedir\*(C'\fR directive can be used to create a \fIsudo.d\fR
directory that the system package manager can drop \fIsudoers\fR rules
into as part of package installation. For example, given:
.PP
\&\f(CW\*(C`#includedir /etc/sudoers.d\*(C'\fR
.PP
\&\fBsudo\fR will read each file in \fI/etc/sudoers.d\fR, skipping file
names that end in \f(CW\*(C`~\*(C'\fR or contain a \f(CW\*(C`.\*(C'\fR character to avoid causing
problems with package manager or editor temporary/backup files.
Files are parsed in sorted lexical order. That is,
\&\fI/etc/sudoers.d/01_first\fR will be parsed before
\&\fI/etc/sudoers.d/10_second\fR. Be aware that because the sorting is
lexical, not numeric, \fI/etc/sudoers.d/1_whoops\fR would be loaded
\&\fBafter\fR \fI/etc/sudoers.d/10_second\fR. Using a consistent number
of leading zeroes in the file names can be used to avoid such
problems.
.PP
Note that unlike files included via \f(CW\*(C`#include\*(C'\fR, \fBvisudo\fR will not
edit the files in a \f(CW\*(C`#includedir\*(C'\fR directory unless one of them
contains a syntax error. It is still possible to run \fBvisudo\fR
with the \f(CW\*(C`\-f\*(C'\fR flag to edit the files directly.
.SS "Other special characters and reserved words"
.IX Subsection "Other special characters and reserved words"
The pound sign ('#') is used to indicate a comment (unless it is
part of a #include directive or unless it occurs in the context of
a user name and is followed by one or more digits, in which case
it is treated as a uid). Both the comment character and any text
after it, up to the end of the line, are ignored.
.PP
The reserved word \fB\s-1ALL\s0\fR is a built-in \fIalias\fR that always causes
a match to succeed. It can be used wherever one might otherwise
use a \f(CW\*(C`Cmnd_Alias\*(C'\fR, \f(CW\*(C`User_Alias\*(C'\fR, \f(CW\*(C`Runas_Alias\*(C'\fR, or \f(CW\*(C`Host_Alias\*(C'\fR.
You should not try to define your own \fIalias\fR called \fB\s-1ALL\s0\fR as the
built-in alias will be used in preference to your own. Please note
that using \fB\s-1ALL\s0\fR can be dangerous since in a command context, it
allows the user to run \fBany\fR command on the system.
.PP
An exclamation point ('!') can be used as a logical \fInot\fR operator
both in an \fIalias\fR and in front of a \f(CW\*(C`Cmnd\*(C'\fR. This allows one to
exclude certain values. Note, however, that using a \f(CW\*(C`!\*(C'\fR in
conjunction with the built-in \f(CW\*(C`ALL\*(C'\fR alias to allow a user to
run \*(L"all but a few\*(R" commands rarely works as intended (see \s-1SECURITY\s0
\&\s-1NOTES\s0 below).
.PP
Long lines can be continued with a backslash ('\e') as the last
character on the line.
.PP
Whitespace between elements in a list as well as special syntactic
characters in a \fIUser Specification\fR ('=', ':', '(', ')') is optional.
.PP
The following characters must be escaped with a backslash ('\e') when
used as part of a word (e.g.\ a user name or host name):
\&'!', '=', ':', ',', '(', ')', '\e'.
.SH "SUDOERS OPTIONS"
.IX Header "SUDOERS OPTIONS"
\&\fBsudo\fR's behavior can be modified by \f(CW\*(C`Default_Entry\*(C'\fR lines, as
explained earlier. All supported Defaults parameters, grouped by
type, are listed below.
.PP
\&\fBBoolean Flags\fR:
.IP "always_set_home" 16
.IX Item "always_set_home"
If enabled, \fBsudo\fR will set the \f(CW\*(C`HOME\*(C'\fR environment variable to the
home directory of the target user (which is root unless the \fB\-u\fR
option is used). This effectively means that the \fB\-H\fR option is
always implied. Note that \f(CW\*(C`HOME\*(C'\fR is already set when the
\&\fIenv_reset\fR option is enabled, so \fIalways_set_home\fR is only
effective for configurations where either \fIenv_reset\fR is disabled
or \f(CW\*(C`HOME\*(C'\fR is present in the \fIenv_keep\fR list.
This flag is \fIoff\fR by default.
.IP "authenticate" 16
.IX Item "authenticate"
If set, users must authenticate themselves via a password (or other
means of authentication) before they may run commands. This default
may be overridden via the \f(CW\*(C`PASSWD\*(C'\fR and \f(CW\*(C`NOPASSWD\*(C'\fR tags.
This flag is \fIon\fR by default.
.IP "closefrom_override" 16
.IX Item "closefrom_override"
If set, the user may use \fBsudo\fR's \fB\-C\fR option which
overrides the default starting point at which \fBsudo\fR begins
closing open file descriptors. This flag is \fIoff\fR by default.
.IP "compress_io" 16
.IX Item "compress_io"
If set, and \fBsudo\fR is configured to log a command's input or output,
the I/O logs will be compressed using \fBzlib\fR. This flag is \fIon\fR
by default when \fBsudo\fR is compiled with \fBzlib\fR support.
.IP "env_editor" 16
.IX Item "env_editor"
If set, \fBvisudo\fR will use the value of the \s-1EDITOR\s0 or \s-1VISUAL\s0
environment variables before falling back on the default editor list.
Note that this may create a security hole as it allows the user to
run any arbitrary command as root without logging. A safer alternative
is to place a colon-separated list of editors in the \f(CW\*(C`editor\*(C'\fR
variable. \fBvisudo\fR will then only use the \s-1EDITOR\s0 or \s-1VISUAL\s0 if
they match a value specified in \f(CW\*(C`editor\*(C'\fR. This flag is \fI@env_editor@\fR by
default.
.IP "env_reset" 16
.IX Item "env_reset"
If set, \fBsudo\fR will run the command in a minimal environment
containing the \f(CW\*(C`TERM\*(C'\fR, \f(CW\*(C`PATH\*(C'\fR, \f(CW\*(C`HOME\*(C'\fR, \f(CW\*(C`MAIL\*(C'\fR, \f(CW\*(C`SHELL\*(C'\fR,
\&\f(CW\*(C`LOGNAME\*(C'\fR, \f(CW\*(C`USER\*(C'\fR, \f(CW\*(C`USERNAME\*(C'\fR and \f(CW\*(C`SUDO_*\*(C'\fR variables. Any
variables in the caller's environment that match the \f(CW\*(C`env_keep\*(C'\fR
and \f(CW\*(C`env_check\*(C'\fR lists are then added, followed by any variables
present in the file specified by the \fIenv_file\fR option (if any).
The default contents of the \f(CW\*(C`env_keep\*(C'\fR and \f(CW\*(C`env_check\*(C'\fR lists are
displayed when \fBsudo\fR is run by root with the \fI\-V\fR option. If
the \fIsecure_path\fR option is set, its value will be used for the
\&\f(CW\*(C`PATH\*(C'\fR environment variable. This flag is \fI@env_reset@\fR by
default.
.IP "fast_glob" 16
.IX Item "fast_glob"
Normally, \fBsudo\fR uses the \fIglob\fR\|(3) function to do shell-style
globbing when matching path names. However, since it accesses the
file system, \fIglob\fR\|(3) can take a long time to complete for some
patterns, especially when the pattern references a network file
system that is mounted on demand (automounted). The \fIfast_glob\fR
option causes \fBsudo\fR to use the \fIfnmatch\fR\|(3) function, which does
not access the file system to do its matching. The disadvantage
of \fIfast_glob\fR is that it is unable to match relative path names
such as \fI./ls\fR or \fI../bin/ls\fR. This has security implications
when path names that include globbing characters are used with the
negation operator, \f(CW\*(Aq!\*(Aq\fR, as such rules can be trivially bypassed.
As such, this option should not be used when \fIsudoers\fR contains rules
that contain negated path names which include globbing characters.
This flag is \fIoff\fR by default.
.IP "fqdn" 16
.IX Item "fqdn"
Set this flag if you want to put fully qualified host names in the
\&\fIsudoers\fR file when the local host name (as returned by the
\&\f(CW\*(C`hostname\*(C'\fR command) does not contain the domain name.
In other words, instead of myhost you would use myhost.mydomain.edu.
You may still use the short form if you wish (and even mix the two).
This option is only effective when the \*(L"canonical\*(R" host name, as
returned by the \fBgethostbyname\fR() function, is a fully-qualified
domain name. This is usually the case when the system is configured
to use \s-1DNS\s0 for host name resolution.
.Sp
If the system is configured to use the \fI/etc/hosts\fR file in
preference to \s-1DNS\s0, the \*(L"canonical\*(R" host name may not be
fully-qualified. The order that sources are queried for host name
resolution is usually specified in the \fI@nsswitch_conf@\fR,
\&\fI@netsvc_conf@\fR, \fI/etc/host.conf\fR, or \fI/etc/resolv.conf\fR
file. In the \fI/etc/hosts\fR file, the first host name of the entry
is considered to be the \*(L"canonical\*(R" name; subsequent names are
aliases that are not used by \fBsudo\fR. For example, the following
hosts file line for the machine \*(L"xyzzy\*(R" has the fully-qualified
domain name as the \*(L"canonical\*(R" host name, and the short version
as an alias.
.Sp
.Vb 1
\& 192.168.1.1 xyzzy.sudo.ws xyzzy
.Ve
.Sp
If the machine's hosts file entry is not formatted properly, the
\&\fIfqdn\fR option will not be effective if it is queried before \s-1DNS\s0.
.Sp
Beware that when using \s-1DNS\s0 for host name resolution, turning on
\&\fIfqdn\fR requires \fBsudo\fR to make \s-1DNS\s0 lookups which renders
\&\fBsudo\fR unusable if \s-1DNS\s0 stops working (for example if the machine
is disconnected from the network). Also note that just like with the
hosts file, you must use the \*(L"canonical\*(R" name as \s-1DNS\s0 knows it.
That is, you may not use a host alias (\f(CW\*(C`CNAME\*(C'\fR entry) due to
performance issues and the fact that there is no way to get all
aliases from \s-1DNS\s0. If your machine's host name (as returned by the
\&\f(CW\*(C`hostname\*(C'\fR command) is already fully qualified you shouldn't
need to set \fIfqdn\fR. This flag is \fI@fqdn@\fR by default.
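An added example, not part of sudo, that checks the hosts file formatting the fqdn description depends on: it parses /etc/hosts lines, takes the first name after the address as the canonical name, and reports whether fully qualified host names in sudoers can match for a given host. The sample file contents are constructed.

```python
def parse_hosts_line(line):
    """Split one /etc/hosts line into (address, canonical_name, aliases).

    The first name after the address is the canonical name, which is
    what gethostbyname() reports for the host and what sudo compares
    sudoers host names against; any further names are aliases that sudo
    ignores.  Comment and blank lines yield None.
    """
    fields = line.split("#", 1)[0].split()
    if len(fields) < 2:
        return None
    return fields[0], fields[1], fields[2:]


def is_fqdn(name):
    """True when the name carries a domain part, e.g. 'xyzzy.sudo.ws'."""
    labels = name.rstrip(".").split(".")
    return len(labels) >= 2 and all(labels)


def check_fqdn_entry(hosts_text, short_host):
    """Find the hosts entry naming short_host (directly or as the first
    label of a longer name) and report whether its canonical name is
    fully qualified.  Returns (ok, canonical_name, reason)."""
    for line in hosts_text.splitlines():
        parsed = parse_hosts_line(line)
        if parsed is None:
            continue
        _addr, canonical, aliases = parsed
        names = [canonical] + aliases
        if not any(n == short_host or n.split(".")[0] == short_host
                   for n in names):
            continue
        if is_fqdn(canonical):
            return True, canonical, "canonical name is fully qualified"
        return False, canonical, (
            "canonical name is short; fully qualified host names in "
            "sudoers will not match while the hosts file is consulted "
            "before DNS")
    return False, None, "no hosts entry for " + short_host


# Constructed sample files: the manual's well-formed line, and the same
# names listed in the wrong order.
GOOD_HOSTS = ("127.0.0.1 localhost\n"
              "192.168.1.1 xyzzy.sudo.ws xyzzy   # canonical name first\n")
BAD_HOSTS = ("127.0.0.1 localhost\n"
             "192.168.1.1 xyzzy xyzzy.sudo.ws   # short name first\n")

if __name__ == "__main__":
    for text in (GOOD_HOSTS, BAD_HOSTS):
        print(check_fqdn_entry(text, "xyzzy"))
```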
.IP "ignore_dot" 16
.IX Item "ignore_dot"
If set, \fBsudo\fR will ignore '.' or '' (current dir) in the \f(CW\*(C`PATH\*(C'\fR
environment variable; the \f(CW\*(C`PATH\*(C'\fR itself is not modified. This
flag is \fI@ignore_dot@\fR by default.
.IP "ignore_local_sudoers" 16
.IX Item "ignore_local_sudoers"
If set via \s-1LDAP\s0, parsing of \fI@sysconfdir@/sudoers\fR will be skipped.
This is intended for Enterprises that wish to prevent the usage of local
sudoers files so that only \s-1LDAP\s0 is used. This thwarts the efforts of
rogue operators who would attempt to add roles to \fI@sysconfdir@/sudoers\fR.
When this option is present, \fI@sysconfdir@/sudoers\fR does not even need to
exist. Since this option tells \fBsudo\fR how to behave when no specific \s-1LDAP\s0
entries have been matched, this sudoOption is only meaningful for the
\&\f(CW\*(C`cn=defaults\*(C'\fR section. This flag is \fIoff\fR by default.
.IP "insults" 16
.IX Item "insults"
If set, \fBsudo\fR will insult users when they enter an incorrect
password. This flag is \fI@insults@\fR by default.
.IP "log_host" 16
.IX Item "log_host"
If set, the host name will be logged in the (non-syslog) \fBsudo\fR log file.
This flag is \fIoff\fR by default.
.IP "log_input" 16
.IX Item "log_input"
If set, \fBsudo\fR will run the command in a \fIpseudo tty\fR and log all
user input.
If the standard input is not connected to the user's tty, due to
I/O redirection or because the command is part of a pipeline, that
input is also captured and stored in a separate log file.
.Sp
Input is logged to the directory specified by the \fIiolog_dir\fR
option (\fI@iolog_dir@\fR by default) using a unique session \s-1ID\s0 that
is included in the normal \fBsudo\fR log line, prefixed with \fITSID=\fR.
The \fIiolog_file\fR option may be used to control the format of the
session \s-1ID\s0.
.Sp
Note that user input may contain sensitive information such as
passwords (even if they are not echoed to the screen), which will
be stored in the log file unencrypted. In most cases, logging the
command output via \fIlog_output\fR is all that is required.
.IP "log_output" 16
.IX Item "log_output"
If set, \fBsudo\fR will run the command in a \fIpseudo tty\fR and log all
output that is sent to the screen, similar to the \fIscript\fR\|(1) command.
If the standard output or standard error is not connected to the
user's tty, due to I/O redirection or because the command is part
of a pipeline, that output is also captured and stored in separate
log files.
.Sp
Output is logged to the directory specified by the \fIiolog_dir\fR
option (\fI@iolog_dir@\fR by default) using a unique session \s-1ID\s0 that
is included in the normal \fBsudo\fR log line, prefixed with \fITSID=\fR.
The \fIiolog_file\fR option may be used to control the format of the
session \s-1ID\s0.
.Sp
Output logs may be viewed with the \fIsudoreplay\fR\|(@mansectsu@) utility, which
can also be used to list or search the available logs.
1036
If set, the four-digit year will be logged in the (non-syslog) \fBsudo\fR log file.
1037
This flag is \fIoff\fR by default.
1038
.IP "long_otp_prompt" 16
1039
.IX Item "long_otp_prompt"
1040
When validating with a One Time Password (\s-1OTP\s0) scheme such as
1041
\&\fBS/Key\fR or \fB\s-1OPIE\s0\fR, a two-line prompt is used to make it easier
1042
to cut and paste the challenge to a local window. It's not as
1043
pretty as the default but some people find it more convenient. This
1044
flag is \fI@long_otp_prompt@\fR by default.
1045
.IP "mail_always" 16
1046
.IX Item "mail_always"
1047
Send mail to the \fImailto\fR user every time a users runs \fBsudo\fR.
1048
This flag is \fIoff\fR by default.
1049
.IP "mail_badpass" 16
1050
.IX Item "mail_badpass"
1051
Send mail to the \fImailto\fR user if the user running \fBsudo\fR does not
1052
enter the correct password. This flag is \fIoff\fR by default.
1053
.IP "mail_no_host" 16
1054
.IX Item "mail_no_host"
1055
If set, mail will be sent to the \fImailto\fR user if the invoking
1056
user exists in the \fIsudoers\fR file, but is not allowed to run
1057
commands on the current host. This flag is \fI@mail_no_host@\fR by default.
1058
.IP "mail_no_perms" 16
1059
.IX Item "mail_no_perms"
1060
If set, mail will be sent to the \fImailto\fR user if the invoking
1061
user is allowed to use \fBsudo\fR but the command they are trying is not
1062
listed in their \fIsudoers\fR file entry or is explicitly denied.
1063
This flag is \fI@mail_no_perms@\fR by default.
1064
.IP "mail_no_user" 16
1065
.IX Item "mail_no_user"
1066
If set, mail will be sent to the \fImailto\fR user if the invoking
1067
user is not in the \fIsudoers\fR file. This flag is \fI@mail_no_user@\fR
1071
If set, all commands run via \fBsudo\fR will behave as if the \f(CW\*(C`NOEXEC\*(C'\fR
1072
tag has been set, unless overridden by a \f(CW\*(C`EXEC\*(C'\fR tag. See the
1073
description of \fI\s-1NOEXEC\s0 and \s-1EXEC\s0\fR below as well as the \*(L"Preventing Shell
1074
Escapes\*(R" section at the end of this manual. This flag is \fIoff\fR by default.
1076
.IX Item "path_info"
1077
Normally, \fBsudo\fR will tell the user when a command could not be
1078
found in their \f(CW\*(C`PATH\*(C'\fR environment variable. Some sites may wish
1079
to disable this as it could be used to gather information on the
1080
location of executables that the normal user does not have access
1081
to. The disadvantage is that if the executable is simply not in
1082
the user's \f(CW\*(C`PATH\*(C'\fR, \fBsudo\fR will tell the user that they are not
1083
allowed to run it, which can be confusing. This flag is \fI@path_info@\fR
1085
.IP "passprompt_override" 16
1086
.IX Item "passprompt_override"
1087
The password prompt specified by \fIpassprompt\fR will normally only
1088
be used if the password prompt provided by systems such as \s-1PAM\s0 matches
1089
the string \*(L"Password:\*(R". If \fIpassprompt_override\fR is set, \fIpassprompt\fR
1090
will always be used. This flag is \fIoff\fR by default.
1091
.IP "preserve_groups" 16
1092
.IX Item "preserve_groups"
1093
By default, \fBsudo\fR will initialize the group vector to the list of
1094
groups the target user is in. When \fIpreserve_groups\fR is set, the
1095
user's existing group vector is left unaltered. The real and
1096
effective group IDs, however, are still set to match the target
1097
user. This flag is \fIoff\fR by default.
1099
.IX Item "pwfeedback"
1100
By default, \fBsudo\fR reads the password like most other Unix programs,
1874
Output is logged to the directory specified by the
1879
using a unique session ID that is included in the normal
1881
log line, prefixed with
1885
option may be used to control the format of the session ID.
1887
Output logs may be viewed with the
1888
sudoreplay(@mansectsu@)
1889
utility, which can also be used to list or search the available logs.
1892
If set, the four-digit year will be logged in the (non-syslog)
1900
When validating with a One Time Password (OTP) scheme such as
1904
a two-line prompt is used to make it easier
1905
to cut and paste the challenge to a local window.
1906
It's not as pretty as the default but some people find it more convenient.
1908
\fI@long_otp_prompt@\fR
1914
user every time a users runs
1923
user if the user running
1925
does not enter the correct password.
1926
If the command the user is attempting to run is not permitted by
1934
flags are set, this flag will have no effect.
1940
If set, mail will be sent to the
1942
user if the invoking user exists in the
1944
file, but is not allowed to run commands on the current host.
1946
\fI@mail_no_host@\fR
1950
If set, mail will be sent to the
1952
user if the invoking user is allowed to use
1954
but the command they are trying is not listed in their
1956
file entry or is explicitly denied.
1958
\fI@mail_no_perms@\fR
1962
If set, mail will be sent to the
1964
user if the invoking user is not in the
1968
\fI@mail_no_user@\fR
1972
If set, all commands run via
1974
will behave as if the
1976
tag has been set, unless overridden by a
1979
See the description of
1980
\fINOEXEC and EXEC\fR
1981
below as well as the
1982
\fIPreventing shell escapes\fR
1983
section at the end of this manual.
1991
will tell the user when a command could not be
1994
environment variable.
1995
Some sites may wish to disable this as it could be used to gather
1996
information on the location of executables that the normal user does
1998
The disadvantage is that if the executable is simply not in the user's
2001
will tell the user that they are not allowed to run it, which can be confusing.
2007
The password prompt specified by
2009
will normally only be used if the password prompt provided by systems
2010
such as PAM matches the string
2013
\fIpassprompt_override\fR
2016
will always be used.
2024
will initialize the group vector to the list of groups the target user is in.
2026
\fIpreserve_groups\fR
2027
is set, the user's existing group vector is left unaltered.
2028
The real and effective group IDs, however, are still set to match the
.IP "pwfeedback" 16
.IX Item "pwfeedback"
\&\fBsudo\fR reads the password like most other Unix programs,
by turning off echo until the user hits the return (or enter) key.
Some users become confused by this as it appears to them that \fBsudo\fR
has hung at this point. When \fIpwfeedback\fR is set, \fBsudo\fR will
provide visual feedback when the user presses a key. Note that
this does have a security impact as an onlooker may be able to
determine the length of the password being entered.
This flag is \fIoff\fR by default.
.IP "requiretty" 16
.IX Item "requiretty"
If set, \fBsudo\fR will only run when the user is logged in to a real
tty. When this flag is set, \fBsudo\fR can only be run from a login
session and not via other means such as \fIcron\fR\|(@mansectsu@) or cgi-bin scripts.
This flag is \fIoff\fR by default.
.IP "root_sudo" 16
.IX Item "root_sudo"
If set, root is allowed to run \fBsudo\fR too. Disabling this prevents users
from \*(L"chaining\*(R" \fBsudo\fR commands to get a root shell by doing something
like \f(CW"sudo sudo /bin/sh"\fR. Note, however, that turning off \fIroot_sudo\fR
will also prevent root from running \fBsudoedit\fR.
Disabling \fIroot_sudo\fR provides no real additional security; it
exists purely for historical reasons.
This flag is \fI@root_sudo@\fR by default.
.IP "rootpw" 16
.IX Item "rootpw"
If set, \fBsudo\fR will prompt for the root password instead of the password
of the invoking user. This flag is \fIoff\fR by default.
.IP "runaspw" 16
.IX Item "runaspw"
If set, \fBsudo\fR will prompt for the password of the user defined by the
\&\fIrunas_default\fR option (defaults to \f(CW\*(C`@runas_default@\*(C'\fR) instead of the
password of the invoking user. This flag is \fIoff\fR by default.
.IP "set_home" 16
.IX Item "set_home"
If enabled and \fBsudo\fR is invoked with the \fB\-s\fR option the \f(CW\*(C`HOME\*(C'\fR
environment variable will be set to the home directory of the target
user (which is root unless the \fB\-u\fR option is used). This effectively
makes the \fB\-s\fR option imply \fB\-H\fR. Note that \f(CW\*(C`HOME\*(C'\fR is already
set when the \fIenv_reset\fR option is enabled, so \fIset_home\fR is
only effective for configurations where either \fIenv_reset\fR is disabled
or \f(CW\*(C`HOME\*(C'\fR is present in the \fIenv_keep\fR list.
This flag is \fIoff\fR by default.
.IP "set_logname" 16
.IX Item "set_logname"
Normally, \fBsudo\fR will set the \f(CW\*(C`LOGNAME\*(C'\fR, \f(CW\*(C`USER\*(C'\fR and \f(CW\*(C`USERNAME\*(C'\fR
environment variables to the name of the target user (usually root
unless the \fB\-u\fR option is given). However, since some programs
(including the \s-1RCS\s0 revision control system) use \f(CW\*(C`LOGNAME\*(C'\fR to
determine the real identity of the user, it may be desirable to
change this behavior. This can be done by negating the \fIset_logname\fR
option. Note that if the \fIenv_reset\fR option has not been disabled,
entries in the \fIenv_keep\fR list will override the value of
\&\fIset_logname\fR. This flag is \fIon\fR by default.
.IP "set_utmp" 16
.IX Item "set_utmp"
When enabled, \fBsudo\fR will create an entry in the utmp (or utmpx)
file when a pseudo-tty is allocated. A pseudo-tty is allocated by
\&\fBsudo\fR when the \fIlog_input\fR, \fIlog_output\fR or \fIuse_pty\fR flags
are enabled. By default, the new entry will be a copy of the user's
existing utmp entry (if any), with the tty, time, type and pid
fields updated. This flag is \fIon\fR by default.
.IP "setenv" 16
.IX Item "setenv"
Allow the user to disable the \fIenv_reset\fR option from the command
line via the \fB\-E\fR option. Additionally, environment variables set
via the command line are not subject to the restrictions imposed
by \fIenv_check\fR, \fIenv_delete\fR, or \fIenv_keep\fR. As such, only
trusted users should be allowed to set variables in this manner.
This flag is \fIoff\fR by default.
.IP "shell_noargs" 16
.IX Item "shell_noargs"
If set and \fBsudo\fR is invoked with no arguments it acts as if the
\&\fB\-s\fR option had been given. That is, it runs a shell as root (the
shell is determined by the \f(CW\*(C`SHELL\*(C'\fR environment variable if it is
set, falling back on the shell listed in the invoking user's
/etc/passwd entry if not). This flag is \fIoff\fR by default.
.IP "stay_setuid" 16
.IX Item "stay_setuid"
Normally, when \fBsudo\fR executes a command the real and effective
UIDs are set to the target user (root by default). This option
changes that behavior such that the real \s-1UID\s0 is left as the invoking
user's \s-1UID\s0. In other words, this makes \fBsudo\fR act as a setuid
wrapper. This can be useful on systems that disable some potentially
dangerous functionality when a program is run setuid. This option
is only effective on systems that support either the \fIsetreuid()\fR or
\&\fIsetresuid()\fR function. This flag is \fIoff\fR by default.
.IP "targetpw" 16
.IX Item "targetpw"
If set, \fBsudo\fR will prompt for the password of the user specified
by the \fB\-u\fR option (defaults to \f(CW\*(C`root\*(C'\fR) instead of the password
of the invoking user. In addition, the time stamp file name will
include the target user's name. Note that this flag precludes the
use of a uid not listed in the passwd database as an argument to
the \fB\-u\fR option. This flag is \fIoff\fR by default.
.IP "tty_tickets" 16
.IX Item "tty_tickets"
If set, users must authenticate on a per-tty basis. With this flag
enabled, \fBsudo\fR will use a file named for the tty the user is
logged in on in the user's time stamp directory. If disabled, the
time stamp of the directory is used instead. This flag is
\&\fI@tty_tickets@\fR by default.
.IP "umask_override" 16
.IX Item "umask_override"
If set, \fBsudo\fR will set the umask as specified by \fIsudoers\fR without
modification. This makes it possible to specify a more permissive
umask in \fIsudoers\fR than the user's own umask and matches historical
behavior. If \fIumask_override\fR is not set, \fBsudo\fR will set the
umask to be the union of the user's umask and what is specified in
\&\fIsudoers\fR. This flag is \fI@umask_override@\fR by default.
.IP "use_loginclass" 16
.IX Item "use_loginclass"
If set, \fBsudo\fR will apply the defaults specified for the target user's
login class if one exists. Only available if \fBsudo\fR is configured with
the \-\-with\-logincap option. This flag is \fIoff\fR by default.
.IP "use_pty" 16
.IX Item "use_pty"
If set, \fBsudo\fR will run the command in a pseudo-pty even if no I/O
logging is being done. A malicious program run under \fBsudo\fR could
conceivably fork a background process that retains access to the user's
terminal device after the main program has finished executing. Use
of this option will make that impossible. This flag is \fIoff\fR by default.
.IP "utmp_runas" 16
.IX Item "utmp_runas"
If set, \fBsudo\fR will store the name of the runas user when updating
the utmp (or utmpx) file. By default, \fBsudo\fR stores the name of
the invoking user. This flag is \fIoff\fR by default.
.IP "visiblepw" 16
.IX Item "visiblepw"
By default, \fBsudo\fR will refuse to run if the user must enter a
password but it is not possible to disable echo on the terminal.
If the \fIvisiblepw\fR flag is set, \fBsudo\fR will prompt for a password
even when it would be visible on the screen. This makes it possible
to run things like \f(CW"ssh somehost sudo ls"\fR since \fIssh\fR\|(1) does
not allocate a tty when running a command. This flag is \fIoff\fR by default.
.IP "closefrom" 16
.IX Item "closefrom"
Before it executes a command, \fBsudo\fR will close all open file
descriptors other than standard input, standard output and standard
error (i.e., file descriptors 0\-2). The \fIclosefrom\fR option can be used
to specify a different file descriptor at which to start closing.
The default is \f(CW3\fR.
.IP "passwd_tries" 16
.IX Item "passwd_tries"
The number of tries a user gets to enter his/her password before
\&\fBsudo\fR logs the failure and exits. The default is \f(CW\*(C`@passwd_tries@\*(C'\fR.
.PP
\&\fBIntegers that can be used in a boolean context\fR:
.IP "loglinelen" 16
.IX Item "loglinelen"
Number of characters per line for the file log. This value is used
to decide when to wrap lines for nicer log files. This has no
effect on the syslog log file, only the file log. The default is
\&\f(CW\*(C`@loglen@\*(C'\fR (use 0 or negate the option to disable word wrap).
.IP "passwd_timeout" 16
.IX Item "passwd_timeout"
Number of minutes before the \fBsudo\fR password prompt times out, or
\&\f(CW0\fR for no timeout. The timeout may include a fractional component
if minute granularity is insufficient, for example \f(CW2.5\fR. The
default is \f(CW\*(C`@password_timeout@\*(C'\fR.
.IP "timestamp_timeout" 16
.IX Item "timestamp_timeout"
Number of minutes that can elapse before \fBsudo\fR will ask for a
password again. The timeout may include a fractional component if
minute granularity is insufficient, for example \f(CW2.5\fR. The default
is \f(CW\*(C`@timeout@\*(C'\fR. Set this to \f(CW0\fR to always prompt for a password.
If set to a value less than \f(CW0\fR the user's time stamp will never
expire. This can be used to allow users to create or delete their
own time stamps via \f(CW\*(C`sudo \-v\*(C'\fR and \f(CW\*(C`sudo \-k\*(C'\fR respectively.
.IP "umask" 16
.IX Item "umask"
Umask to use when running the command. Negate this option or set
it to 0777 to preserve the user's umask. The actual umask that is
used will be the union of the user's umask and the value of the
\&\fIumask\fR option, which defaults to \f(CW\*(C`@sudo_umask@\*(C'\fR. This guarantees
that \fBsudo\fR never lowers the umask when running a command. Note:
on systems that use \s-1PAM\s0, the default \s-1PAM\s0 configuration may specify
its own umask which will override the value set in \fIsudoers\fR.
.IP "badpass_message" 16
.IX Item "badpass_message"
Message that is displayed if a user enters an incorrect password.
The default is \f(CW\*(C`@badpass_message@\*(C'\fR unless insults are enabled.
.IP "editor" 16
.IX Item "editor"
A colon (':') separated list of editors allowed to be used with
\&\fBvisudo\fR. \fBvisudo\fR will choose the editor that matches the user's
\&\s-1EDITOR\s0 environment variable if possible, or the first editor in the
list that exists and is executable. The default is \f(CW"@editor@"\fR.
.IP "iolog_dir" 16
.IX Item "iolog_dir"
The top-level directory to use when constructing the path name for
the input/output log directory. Only used if the \fIlog_input\fR or
\&\fIlog_output\fR options are enabled or when the \f(CW\*(C`LOG_INPUT\*(C'\fR or
\&\f(CW\*(C`LOG_OUTPUT\*(C'\fR tags are present for a command. The session sequence
number, if any, is stored in the directory.
The default is \f(CW"@iolog_dir@"\fR.
.Sp
The following percent (`\f(CW\*(C`%\*(C'\fR') escape sequences are supported:
.ie n .IP "\*(C`%{seq}\*(C'" 4
.el .IP "\f(CW\*(C`%{seq}\*(C'\fR" 4
.IX Item "%{seq}"
expanded to a monotonically increasing base\-36 sequence number, such as 0100A5,
where every two digits are used to form a new directory, e.g. \fI01/00/A5\fR
.ie n .IP "\*(C`%{user}\*(C'" 4
.el .IP "\f(CW\*(C`%{user}\*(C'\fR" 4
.IX Item "%{user}"
expanded to the invoking user's login name
.ie n .IP "\*(C`%{group}\*(C'" 4
.el .IP "\f(CW\*(C`%{group}\*(C'\fR" 4
.IX Item "%{group}"
expanded to the name of the invoking user's real group \s-1ID\s0
.ie n .IP "\*(C`%{runas_user}\*(C'" 4
.el .IP "\f(CW\*(C`%{runas_user}\*(C'\fR" 4
.IX Item "%{runas_user}"
expanded to the login name of the user the command will
be run as (e.g. root)
.ie n .IP "\*(C`%{runas_group}\*(C'" 4
.el .IP "\f(CW\*(C`%{runas_group}\*(C'\fR" 4
.IX Item "%{runas_group}"
expanded to the group name of the user the command will
be run as (e.g. wheel)
.ie n .IP "\*(C`%{hostname}\*(C'" 4
.el .IP "\f(CW\*(C`%{hostname}\*(C'\fR" 4
.IX Item "%{hostname}"
expanded to the local host name without the domain name
.ie n .IP "\*(C`%{command}\*(C'" 4
.el .IP "\f(CW\*(C`%{command}\*(C'\fR" 4
.IX Item "%{command}"
expanded to the base name of the command being run
.Sp
In addition, any escape sequences supported by the system's \fIstrftime()\fR
function will be expanded.
.Sp
To include a literal `\f(CW\*(C`%\*(C'\fR' character, the string `\f(CW\*(C`%%\*(C'\fR' should
be used.
.IP "iolog_file" 16
.IX Item "iolog_file"
The path name, relative to \fIiolog_dir\fR, in which to store input/output
logs when the \fIlog_input\fR or \fIlog_output\fR options are enabled or
when the \f(CW\*(C`LOG_INPUT\*(C'\fR or \f(CW\*(C`LOG_OUTPUT\*(C'\fR tags are present for a command.
Note that \fIiolog_file\fR may contain directory components.
The default is \f(CW"%{seq}"\fR.
.Sp
See the \fIiolog_dir\fR option above for a list of supported percent
(`\f(CW\*(C`%\*(C'\fR') escape sequences.
.Sp
In addition to the escape sequences, path names that end in six or
more \f(CW\*(C`X\*(C'\fRs will have the \f(CW\*(C`X\*(C'\fRs replaced with a unique combination
of digits and letters, similar to the \fImktemp()\fR function.
.IP "limitprivs" 16
.IX Item "limitprivs"
The default Solaris limit privileges to use when constructing a new
privilege set for a command. This bounds all privileges of the
executing process. The default limit privileges may be overridden on
a per-command basis in \fIsudoers\fR. This option is only available if
\&\fBsudo\fR is built on Solaris 10 or higher.
.IP "mailsub" 16
.IX Item "mailsub"
Subject of the mail sent to the \fImailto\fR user. The escape \f(CW%h\fR
will expand to the host name of the machine.
Default is \f(CW\*(C`@mailsub@\*(C'\fR.
.IP "noexec_file" 16
.IX Item "noexec_file"
This option is no longer supported. The path to the noexec file
should now be set in the \fI@sysconfdir@/sudo.conf\fR file.
.IP "passprompt" 16
.IX Item "passprompt"
The default prompt to use when asking for a password; can be overridden
via the \fB\-p\fR option or the \f(CW\*(C`SUDO_PROMPT\*(C'\fR environment variable.
The following percent (`\f(CW\*(C`%\*(C'\fR') escape sequences are supported:
.ie n .IP "%H" 4
.el .IP "\f(CW%H\fR" 4
.IX Item "%H"
expanded to the local host name including the domain name
(only if the machine's host name is fully qualified or the \fIfqdn\fR
option is set)
.ie n .IP "%h" 4
.el .IP "\f(CW%h\fR" 4
.IX Item "%h"
expanded to the local host name without the domain name
.ie n .IP "%p" 4
.el .IP "\f(CW%p\fR" 4
.IX Item "%p"
expanded to the user whose password is being asked for (respects the
\&\fIrootpw\fR, \fItargetpw\fR and \fIrunaspw\fR flags in \fIsudoers\fR)
.ie n .IP "%U" 4
.el .IP "\f(CW%U\fR" 4
.IX Item "%U"
expanded to the login name of the user the command will
be run as (defaults to root)
.ie n .IP "%u" 4
.el .IP "\f(CW%u\fR" 4
.IX Item "%u"
expanded to the invoking user's login name
.ie n .IP "\*(C`%%\*(C'" 4
.el .IP "\f(CW\*(C`%%\*(C'\fR" 4
.IX Item "%%"
two consecutive \f(CW\*(C`%\*(C'\fR characters are collapsed into a single \f(CW\*(C`%\*(C'\fR character
.Sp
The default value is \f(CW\*(C`@passprompt@\*(C'\fR.
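.Sp
As an added example (not sudo's own code), the following Python expands the
\&\fIiolog_dir\fR/\fIiolog_file\fR escapes listed above and the \fIpassprompt\fR
escapes: the base\-36 \f(CW%{seq}\fR directory split, the trailing run of
\&\f(CW\*(C`X\*(C'\fRs replaced \fImktemp()\fR\-style, and how \f(CW%p\fR follows the
\&\fIrootpw\fR, \fItargetpw\fR and \fIrunaspw\fR flags. \f(CWSAMPLE_CTX\fR and all
function names are constructed for the example; \f(CW%H\fR is taken from the
context as given, since the \fIfqdn\fR lookup is outside its scope.

```python
"""Expand the percent escapes sudoers accepts in iolog_dir / iolog_file and
in passprompt.  Added example, not sudo's own code; the context values below
are constructed, and %H is taken from the context as-is (the manual's fqdn
resolution is outside this example)."""
import re
import secrets
import string
import time

# Constructed sample context (no real host or user behind these values).
SAMPLE_CTX = {
    "seq": 1679981,                   # 0100A5 in base 36
    "user": "alice",
    "group": "staff",
    "runas_user": "root",
    "runas_group": "wheel",
    "hostname": "build01.example.com",
    "command": "/usr/bin/id",
    "runas_default": "root",          # the runas_default option
}
BASE36 = string.digits + string.ascii_uppercase
ALNUM = string.ascii_letters + string.digits


def seq_to_path(seq: int) -> str:
    """%{seq}: base-36 sequence number, zero-padded to six digits, with every
    two digits forming one directory component (0100A5 -> 01/00/A5)."""
    digits = ""
    n = seq
    while n:
        digits = BASE36[n % 36] + digits
        n //= 36
    width = max(6, len(digits) + len(digits) % 2)   # keep an even digit count
    digits = digits.rjust(width, "0")
    return "/".join(digits[i:i + 2] for i in range(0, len(digits), 2))


def short_host(hostname: str) -> str:
    """Host name without the domain part (%h and %{hostname})."""
    return hostname.split(".", 1)[0]


def expand_iolog_path(template: str, ctx: dict, tm=None, rand=None) -> str:
    """Expand %{name} escapes, hand any other %X to strftime(), collapse %%,
    then replace a trailing run of six or more X's mktemp()-style."""
    tm = tm if tm is not None else time.localtime()
    fields = {
        "seq": seq_to_path(ctx["seq"]),
        "user": ctx["user"],
        "group": ctx["group"],
        "runas_user": ctx["runas_user"],
        "runas_group": ctx["runas_group"],
        "hostname": short_host(ctx["hostname"]),
        "command": ctx["command"].rsplit("/", 1)[-1],   # base name only
    }

    def repl(m):
        name, ch = m.group(1), m.group(2)
        if name is not None:
            if name not in fields:
                raise ValueError(f"unknown escape %{{{name}}}")
            return fields[name]
        if ch == "%":
            return "%"
        return time.strftime("%" + ch, tm)

    out = re.sub(r"%(?:\{([a-z_]+)\}|(.))", repl, template)
    tail = re.search(r"X{6,}$", out)
    if tail:
        if rand is None:
            rand = lambda n: "".join(secrets.choice(ALNUM) for _ in range(n))
        out = out[:tail.start()] + rand(len(tail.group(0)))
    return out


def expand_passprompt(template: str, ctx: dict, flags: dict) -> str:
    """Expand %H %h %p %U %u %%.  %p is the user whose password is asked for,
    which the rootpw, targetpw and runaspw flags change; unknown escapes are
    left untouched (an assumption of this example)."""
    if flags.get("rootpw"):
        pw_user = "root"
    elif flags.get("runaspw"):
        pw_user = ctx["runas_default"]
    elif flags.get("targetpw"):
        pw_user = ctx["runas_user"]
    else:
        pw_user = ctx["user"]
    table = {
        "H": ctx["hostname"],
        "h": short_host(ctx["hostname"]),
        "p": pw_user,
        "U": ctx["runas_user"],
        "u": ctx["user"],
        "%": "%",
    }
    return re.sub(r"%(.)", lambda m: table.get(m.group(1), m.group(0)), template)
```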
.IP "privs" 16
.IX Item "privs"
The default Solaris privileges to use when constructing a new
privilege set for a command.
This is passed to the executing process via the inherited privilege set,
but is bounded by the limit privileges.
If the \fIprivs\fR option is specified but the \fIlimitprivs\fR
option is not, the limit privileges of the executing process is set to
The default privileges may be overridden on a per-command basis in
\&\fIsudoers\fR. This option is only available if \fBsudo\fR
is built on Solaris 10 or higher.
.IP "role" 16
.IX Item "role"
The default SELinux role to use when constructing a new security
context to run the command. The default role may be overridden on
a per-command basis in \fIsudoers\fR or via command line options.
This option is only available when \fBsudo\fR is built with SELinux support.
.IP "runas_default" 16
.IX Item "runas_default"
The default user to run commands as if the \fB\-u\fR option is not specified
on the command line. This defaults to \f(CW\*(C`@runas_default@\*(C'\fR.
.IP "syslog_badpri" 16
.IX Item "syslog_badpri"
Syslog priority to use when the user authenticates unsuccessfully.
Defaults to \f(CW\*(C`@badpri@\*(C'\fR.
.Sp
The following syslog priorities are supported: \fBalert\fR, \fBcrit\fR,
\&\fBdebug\fR, \fBemerg\fR, \fBerr\fR, \fBinfo\fR, \fBnotice\fR, and \fBwarning\fR.
.IP "syslog_goodpri" 16
.IX Item "syslog_goodpri"
Syslog priority to use when the user authenticates successfully.
Defaults to \f(CW\*(C`@goodpri@\*(C'\fR.
.Sp
See \fIsyslog_badpri\fR for the list of supported syslog priorities.
.IP "sudoers_locale" 16
.IX Item "sudoers_locale"
Locale to use when parsing the sudoers file, logging commands, and
sending email. Note that changing the locale may affect how sudoers
is interpreted. Defaults to \f(CW"C"\fR.
.IP "timestampdir" 16
.IX Item "timestampdir"
The directory in which \fBsudo\fR stores its time stamp files.
The default is \fI@timedir@\fR.
.IP "timestampowner" 16
.IX Item "timestampowner"
The owner of the time stamp directory and the time stamps stored therein.
The default is \f(CW\*(C`root\*(C'\fR.
.IP "type" 16
.IX Item "type"
The default SELinux type to use when constructing a new security
context to run the command. The default type may be overridden on
a per-command basis in \fIsudoers\fR or via command line options.
This option is only available when \fBsudo\fR is built with SELinux support.
.PP
\&\fBStrings that can be used in a boolean context\fR:
.IP "env_file" 12
.IX Item "env_file"
The \fIenv_file\fR option specifies the fully qualified path to a
file containing variables to be set in the environment of the program
being run. Entries in this file should either be of the form
\&\f(CW\*(C`VARIABLE=value\*(C'\fR or \f(CW\*(C`export VARIABLE=value\*(C'\fR. The value may
optionally be surrounded by single or double quotes. Variables in
this file are subject to other \fBsudo\fR environment settings such
as \fIenv_keep\fR and \fIenv_check\fR.
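.Sp
As an added example (not sudo's own reader), the following Python parses a
file in the \fIenv_file\fR format described above, handling the optional
\&\f(CW\*(C`export\*(C'\fR prefix and quoted values. \f(CWSAMPLE_ENV_FILE\fR is constructed;
beyond what this manual states, the example assumes blank lines and
\&\f(CW\*(C`#\*(C'\fR comment lines are skipped, and it performs no \fIenv_keep\fR or
\&\fIenv_check\fR filtering.

```python
"""Parse a sudoers env_file.  Added example, not sudo's own reader; beyond
what the manual states it assumes that blank lines and lines starting with
'#' are skipped, and it does not apply env_keep / env_check filtering."""
import re

NAME_RE = re.compile(r"[A-Za-z_][A-Za-z0-9_]*")

# Constructed sample env_file contents.
SAMPLE_ENV_FILE = """\
# site defaults for commands run via sudo
export PATH="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin"
EDITOR='vi'
LANG=C
BUILD_ROOT="$HOME/build"
"""


def parse_env_file(text: str) -> dict:
    """Return {VARIABLE: value} for VARIABLE=value and export VARIABLE=value
    lines; matching single or double quotes around the value are stripped.
    Values are literal: no shell expansion is performed on "$HOME"."""
    env = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):   # assumption: comments and blanks
            continue
        if line.startswith("export "):
            line = line[len("export "):].lstrip()
        name, sep, value = line.partition("=")
        if not sep or not NAME_RE.fullmatch(name):
            raise ValueError(
                f"env_file line {lineno}: expected VARIABLE=value, got {raw!r}")
        if len(value) >= 2 and value[0] == value[-1] and value[0] in "'\"":
            value = value[1:-1]
        env[name] = value
    return env
```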
.IP "exempt_group" 12
.IX Item "exempt_group"
Users in this group are exempt from password and \s-1PATH\s0 requirements.
The group name specified should not include a \f(CW\*(C`%\*(C'\fR prefix.
This is not set by default.
.IP "group_plugin" 12
.IX Item "group_plugin"
A string containing a \fIsudoers\fR group plugin with optional arguments.
This can be used to implement support for the \f(CW\*(C`nonunix_group\*(C'\fR
syntax described earlier. The string should consist of the plugin
path, either fully-qualified or relative to the \fI@prefix@/libexec\fR
directory, followed by any configuration arguments the plugin
requires. These arguments (if any) will be passed to the plugin's
initialization function. If arguments are present, the string must
be enclosed in double quotes (\f(CW\*(C`"\*(C'\fR).
.Sp
For example, given \fI/etc/sudo\-group\fR, a group file in Unix group
format, the sample group plugin can be used:
.Sp
.Vb 1
\& Defaults group_plugin="sample_group.so /etc/sudo\-group"
.Ve
.Sp
For more information see \fIsudo_plugin\fR\|(@mansectform@).
1489
2761
This option controls when a short lecture will be printed along with
1490
the password prompt. It has the following possible values:
2762
the password prompt.
2763
It has the following possible values:
1494
2768
Always lecture the user.
1497
2771
Never lecture the user.
1500
Only lecture the user the first time they run \fBsudo\fR.
1504
If no value is specified, a value of \fIonce\fR is implied.
1505
Negating the option results in a value of \fInever\fR being used.
The default value is \fI@lecture@\fR.
.IP "lecture_file" 12
.IX Item "lecture_file"
Path to a file containing an alternate \fBsudo\fR lecture that will
be used in place of the standard lecture if the named file exists.
By default, \fBsudo\fR uses a built-in lecture.
.IP "listpw" 12
.IX Item "listpw"
This option controls when a password will be required when a
user runs \fBsudo\fR with the \fB\-l\fR option. It has the following possible values:
.RS 12
.IP "all" 8
.IX Item "all"
All the user's \fIsudoers\fR entries for the current host must have
the \f(CW\*(C`NOPASSWD\*(C'\fR flag set to avoid entering a password.
.IP "always" 8
.IX Item "always"
The user must always enter a password to use the \fB\-l\fR option.
.IP "any" 8
.IX Item "any"
At least one of the user's \fIsudoers\fR entries for the current host
must have the \f(CW\*(C`NOPASSWD\*(C'\fR flag set to avoid entering a password.
.IP "never" 8
.IX Item "never"
The user need never enter a password to use the \fB\-l\fR option.
.RE
.RS 12
.Sp
If no value is specified, a value of \fIany\fR is implied.
Negating the option results in a value of \fInever\fR being used.
The default value is \fIany\fR.
.RE
.IP "logfile" 12
.IX Item "logfile"
Path to the \fBsudo\fR log file (not the syslog log file). Setting a path
turns on logging to a file; negating this option turns it off.
By default, \fBsudo\fR logs via syslog.
.IP "mailerflags" 12
.IX Item "mailerflags"
Flags to use when invoking the mailer. Defaults to \fB\-t\fR.
.IP "mailerpath" 12
.IX Item "mailerpath"
Path to the mail program used to send warning mail.
Defaults to the path to sendmail found at configure time.
.IP "mailfrom" 12
.IX Item "mailfrom"
Address to use for the \*(L"from\*(R" address when sending warning and error
mail. The address should be enclosed in double quotes (\f(CW\*(C`"\*(C'\fR) to
protect against \fBsudo\fR interpreting the \f(CW\*(C`@\*(C'\fR sign. Defaults to
the name of the user running \fBsudo\fR.
.IP "mailto" 12
.IX Item "mailto"
Address to send warning and error mail to. The address should
be enclosed in double quotes (\f(CW\*(C`"\*(C'\fR) to protect against \fBsudo\fR
interpreting the \f(CW\*(C`@\*(C'\fR sign. Defaults to \f(CW\*(C`@mailto@\*(C'\fR.
.IP "secure_path" 12
.IX Item "secure_path"
Path used for every command run from \fBsudo\fR. If you don't trust the
people running \fBsudo\fR to have a sane \f(CW\*(C`PATH\*(C'\fR environment variable,
you may want to use this. Another use is if you want to have the
\&\*(L"root path\*(R" be separate from the \*(L"user path.\*(R" Users in the
group specified by the \fIexempt_group\fR option are not affected by
\&\fIsecure_path\fR.
This option is @secure_path@ by default.
.IP "syslog" 12
.IX Item "syslog"
Syslog facility if syslog is being used for logging (negate to
disable syslog logging). Defaults to \f(CW\*(C`@logfac@\*(C'\fR.
.Sp
The following syslog facilities are supported: \fBauthpriv\fR (if your
\&\s-1OS\s0 supports it), \fBauth\fR, \fBdaemon\fR, \fBuser\fR, \fBlocal0\fR, \fBlocal1\fR,
\&\fBlocal2\fR, \fBlocal3\fR, \fBlocal4\fR, \fBlocal5\fR, \fBlocal6\fR, and \fBlocal7\fR.
.IP "verifypw" 12
.IX Item "verifypw"
This option controls when a password will be required when a user runs
\&\fBsudo\fR with the \fB\-v\fR option. It has the following possible values:
.RS 12
.IP "all" 8
.IX Item "all"
All the user's \fIsudoers\fR entries for the current host must have
the \f(CW\*(C`NOPASSWD\*(C'\fR flag set to avoid entering a password.
.IP "always" 8
.IX Item "always"
The user must always enter a password to use the \fB\-v\fR option.
.IP "any" 8
.IX Item "any"
At least one of the user's \fIsudoers\fR entries for the current host
must have the \f(CW\*(C`NOPASSWD\*(C'\fR flag set to avoid entering a password.
.IP "never" 8
.IX Item "never"
The user need never enter a password to use the \fB\-v\fR option.
.RE
.RS 12
.Sp
If no value is specified, a value of \fIall\fR is implied.
Negating the option results in a value of \fInever\fR being used.
The default value is \fIall\fR.
.RE
.PP
\&\fBLists that can be used in a boolean context\fR:
.IP "env_check" 12
.IX Item "env_check"
Environment variables to be removed from the user's environment if
the variable's value contains \f(CW\*(C`%\*(C'\fR or \f(CW\*(C`/\*(C'\fR characters. This can
be used to guard against printf-style format vulnerabilities in
poorly-written programs. The argument may be a double-quoted,
space-separated list or a single value without double-quotes. The
list can be replaced, added to, deleted from, or disabled by using
the \f(CW\*(C`=\*(C'\fR, \f(CW\*(C`+=\*(C'\fR, \f(CW\*(C`\-=\*(C'\fR, and \f(CW\*(C`!\*(C'\fR operators respectively. Regardless
of whether the \f(CW\*(C`env_reset\*(C'\fR option is enabled or disabled, variables
specified by \f(CW\*(C`env_check\*(C'\fR will be preserved in the environment if
they pass the aforementioned check. The default list of environment
variables to check is displayed when \fBsudo\fR is run by root with
the \fI\-V\fR option.
.IP "env_delete" 12
.IX Item "env_delete"
Environment variables to be removed from the user's environment
when the \fIenv_reset\fR option is not in effect. The argument may
be a double-quoted, space-separated list or a single value without
double-quotes. The list can be replaced, added to, deleted from,
or disabled by using the \f(CW\*(C`=\*(C'\fR, \f(CW\*(C`+=\*(C'\fR, \f(CW\*(C`\-=\*(C'\fR, and \f(CW\*(C`!\*(C'\fR operators
respectively. The default list of environment variables to remove
is displayed when \fBsudo\fR is run by root with the \fI\-V\fR option.
Note that many operating systems will remove potentially dangerous
variables from the environment of any setuid process (such as
\&\fBsudo\fR).
.IP "env_keep" 12
.IX Item "env_keep"
Environment variables to be preserved in the user's environment
when the \fIenv_reset\fR option is in effect. This allows fine-grained
control over the environment \fBsudo\fR\-spawned processes will receive.
The argument may be a double-quoted, space-separated list or a
single value without double-quotes. The list can be replaced, added
to, deleted from, or disabled by using the \f(CW\*(C`=\*(C'\fR, \f(CW\*(C`+=\*(C'\fR, \f(CW\*(C`\-=\*(C'\fR, and
\&\f(CW\*(C`!\*(C'\fR operators respectively. The default list of variables to keep
is displayed when \fBsudo\fR is run by root with the \fI\-V\fR option.
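.PP
A worked model of the three environment lists just described, added here as an illustration and not code from sudo itself: it applies the =, +=, \-= and ! operators to env_keep, env_check and env_delete and then filters an environment with env_reset on or off. The starting lists, the sample environment and the Defaults lines are constructed, not sudo's compiled-in defaults.

```python
"""Model of the env_reset / env_keep / env_check / env_delete rules
described above. Added illustration, not code from sudo."""
import re

# env_check drops a variable whose value contains a '%' or '/' character.
UNSAFE_VALUE = re.compile(r"[%/]")

# A Defaults line acting on one of the environment lists, e.g.
#   Defaults env_keep += "DISPLAY HOME"      Defaults env_check -= LANG
#   Defaults env_delete = "IFS BASH_ENV"     Defaults !env_check
DEFAULTS_LINE = re.compile(
    r'^\s*Defaults\s+(!)?\s*(env_keep|env_check|env_delete)'
    r'(?:\s*(\+=|-=|=)\s*(?:"([^"]*)"|(\S+)))?\s*$')


def default_policy():
    """Constructed starting lists (not sudo's compiled-in defaults, which
    'sudo -V' run as root prints)."""
    return {
        "env_reset": True,
        "env_keep": {"DISPLAY", "HOME", "TERM"},
        "env_check": {"COLORTERM", "LANG", "LC_ALL"},
        "env_delete": {"LD_PRELOAD", "LD_LIBRARY_PATH", "IFS", "BASH_ENV"},
    }


def apply_defaults_list(policy, line):
    """Apply one 'Defaults <list> <op> <values>' line to `policy` in place.

    '=' replaces the list, '+=' adds to it, '-=' removes from it and a
    leading '!' disables (empties) it, as the option descriptions state.
    """
    m = DEFAULTS_LINE.match(line)
    if not m:
        raise ValueError(f"not an environment-list Defaults line: {line!r}")
    negate, name, op, quoted, single = m.groups()
    if negate:
        if op is not None:
            raise ValueError("'!' cannot be combined with an operator")
        policy[name] = set()
        return policy
    if op is None:
        raise ValueError("list option needs =, += or -= and a value")
    values = set((quoted if quoted is not None else single).split())
    if op == "=":
        policy[name] = values
    elif op == "+=":
        policy[name] = policy[name] | values
    else:
        policy[name] = policy[name] - values
    return policy


def passes_env_check(value):
    """True if env_check would keep a variable with this value."""
    return UNSAFE_VALUE.search(value) is None


def filter_environment(env, policy):
    """Return the environment the command would receive under `policy`.

    env_reset on: start empty; keep env_keep variables unconditionally and
    env_check variables only when their value passes the check.
    env_reset off: start from the full environment; remove env_delete
    variables and env_check variables whose value fails the check.
    """
    kept = {}
    for name, value in env.items():
        if policy["env_reset"]:
            if name in policy["env_keep"]:
                kept[name] = value
            elif name in policy["env_check"] and passes_env_check(value):
                kept[name] = value
        else:
            if name in policy["env_delete"]:
                continue
            if name in policy["env_check"] and not passes_env_check(value):
                continue
            kept[name] = value
    return kept
```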
.SH "LOG FORMAT"
.IX Header "LOG FORMAT"
\&\fBsudoers\fR can log events using either \fIsyslog\fR\|(3) or a simple log file.
In each case the log format is almost identical.
.SS "Accepted command log entries"
.IX Subsection "Accepted command log entries"
Commands that sudo runs are logged using the following format (split
into multiple lines for readability):
.PP
.Vb 3
\& date hostname progname: username : TTY=ttyname ; PWD=cwd ; \e
\&     USER=runasuser ; GROUP=runasgroup ; TSID=logid ; \e
\&     ENV=env_vars COMMAND=command
.Ve
.PP
Where the fields are as follows:
.IP "date" 12
.IX Item "date"
The date the command was run.
Typically, this is in the format \*(L"MMM, DD, HH:MM:SS\*(R".
If logging via \fIsyslog\fR\|(3), the actual date format is controlled by
the syslog daemon.
If logging to a file and the \fIlog_year\fR option is enabled,
the date will also include the year.
.IP "hostname" 12
.IX Item "hostname"
The name of the host \fBsudo\fR was run on.
This field is only present when logging via \fIsyslog\fR\|(3).
.IP "progname" 12
.IX Item "progname"
The name of the program, usually \fIsudo\fR or \fIsudoedit\fR.
This field is only present when logging via \fIsyslog\fR\|(3).
.IP "username" 12
.IX Item "username"
The login name of the user who ran \fBsudo\fR.
.IP "ttyname" 12
.IX Item "ttyname"
The short name of the terminal (e.g.\& \*(L"console\*(R", \*(L"tty01\*(R", or
\&\*(L"pts/0\*(R") \fBsudo\fR was run from, or \*(L"unknown\*(R" if there was no
terminal present.
.IP "cwd" 12
.IX Item "cwd"
The current working directory that \fBsudo\fR was run from.
.IP "runasuser" 12
.IX Item "runasuser"
The user the command was run as.
.IP "runasgroup" 12
.IX Item "runasgroup"
The group the command was run as if one was specified on the command line.
.IP "logid" 12
.IX Item "logid"
An I/O log identifier that can be used to replay the command's output.
This is only present when the \fIlog_input\fR or \fIlog_output\fR option
is enabled.
.IP "env_vars" 12
.IX Item "env_vars"
A list of environment variables specified on the command line,
if specified.
.IP "command" 12
.IX Item "command"
The actual command that was executed.
.PP
Messages are logged using the locale specified by \fIsudoers_locale\fR,
which defaults to the \*(L"C\*(R" locale.
.SS "Denied command log entries"
.IX Subsection "Denied command log entries"
If the user is not allowed to run the command, the reason for the denial
will follow the user name.
Possible reasons include:
.IP "user NOT in sudoers" 4
The user is not listed in the \fIsudoers\fR file.
.IP "user NOT authorized on host" 4
The user is listed in the \fIsudoers\fR file but is not allowed to run
commands on the host.
.IP "command not allowed" 4
The user is listed in the \fIsudoers\fR file for the host but they are
not allowed to run the specified command.
.IP "3 incorrect password attempts" 4
The user failed to enter their password after 3 tries.
The actual number of tries will vary based on the number of
failed attempts and the value of the \fIpasswd_tries\fR option.
.IP "a password is required" 4
The \fB\-n\fR option was specified but a password was required.
.IP "sorry, you are not allowed to set the following environment variables" 4
The user specified environment variables on the command line that
were not allowed by \fIsudoers\fR.
.SS "Error log entries"
.IX Subsection "Error log entries"
If an error occurs, \fBsudoers\fR will log a message and, in most cases,
send a message to the administrator via email.
Possible errors include:
.IP "parse error in @sysconfdir@/sudoers near line N" 4
\&\fBsudoers\fR encountered an error when parsing the specified file.
In some cases, the actual error may be one line above or below the
line number listed, depending on the type of error.
.IP "problem with defaults entries" 4
The \fIsudoers\fR file contains one or more unknown Defaults settings.
This does not prevent \fBsudo\fR from running, but the \fIsudoers\fR
file should be checked using \fBvisudo\fR.
.IP "timestamp owner (username): No such user" 4
The time stamp directory owner, as specified by the \fItimestampowner\fR
setting, could not be found in the password database.
.IP "unable to open/read @sysconfdir@/sudoers" 4
The \fIsudoers\fR file could not be opened for reading.
This can happen when the \fIsudoers\fR file is located on a remote
file system that maps user ID 0 to a different value.
Normally, \fBsudoers\fR tries to open the \fIsudoers\fR file using group
permissions to avoid this problem.
Consider changing the ownership of \fI@sysconfdir@/sudoers\fR by adding
an option like \*(L"sudoers_uid=N\*(R" (where \*(L"N\*(R" is the user ID
that owns the \fIsudoers\fR file) to the sudoers Plugin line in the
\&\fI@sysconfdir@/sudo.conf\fR file.
.IP "unable to stat @sysconfdir@/sudoers" 4
The \fI@sysconfdir@/sudoers\fR file is missing.
.IP "@sysconfdir@/sudoers is not a regular file" 4
The \fI@sysconfdir@/sudoers\fR file exists but is not a regular file
or symbolic link.
.IP "@sysconfdir@/sudoers is owned by uid N, should be 0" 4
The \fIsudoers\fR file has the wrong owner.
If you wish to change the \fIsudoers\fR file owner, please add
\&\*(L"sudoers_uid=N\*(R" (where \*(L"N\*(R" is the user ID that owns the
\&\fIsudoers\fR file) to the sudoers Plugin line in the
\&\fI@sysconfdir@/sudo.conf\fR file.
.IP "@sysconfdir@/sudoers is world writable" 4
The permissions on the \fIsudoers\fR file allow all users to write to it.
The \fIsudoers\fR file must not be world-writable; the default file mode
is 0440 (readable by owner and group, writable by none).
The default mode may be changed via the \*(L"sudoers_mode\*(R" option to
the sudoers Plugin line in the \fI@sysconfdir@/sudo.conf\fR file.
.IP "@sysconfdir@/sudoers is owned by gid N, should be 1" 4
The \fIsudoers\fR file has the wrong group ownership.
If you wish to change the \fIsudoers\fR file group ownership, please add
\&\*(L"sudoers_gid=N\*(R" (where \*(L"N\*(R" is the group ID that owns the
\&\fIsudoers\fR file) to the sudoers Plugin line in the
\&\fI@sysconfdir@/sudo.conf\fR file.
.IP "unable to open @timedir@/username/ttyname" 4
\&\fBsudoers\fR was unable to read or create the user's time stamp file.
.IP "unable to write to @timedir@/username/ttyname" 4
\&\fBsudoers\fR was unable to write to the user's time stamp file.
.IP "unable to mkdir to @timedir@/username" 4
\&\fBsudoers\fR was unable to create the user's time stamp directory.
.SS "Notes on logging via syslog"
.IX Subsection "Notes on logging via syslog"
The \fIdate\fR, \fIhostname\fR, and \fIprogname\fR fields are added by the
syslog daemon, not \fBsudoers\fR itself.
As such, they may vary in format on different systems.
.PP
On most systems, \fIsyslog\fR\|(3) has a relatively small log buffer.
To prevent the command line arguments from being truncated, \fBsudoers\fR
will split up log messages that are larger than 960 characters
(not including the date, hostname, and the string \*(L"sudo\*(R").
When a message is split, additional parts will include the string
\&\*(L"(command continued)\*(R" after the user name and before the continued
command line arguments.
.SS "Notes on logging to a file"
.IX Subsection "Notes on logging to a file"
If the \fIlogfile\fR option is set, \fBsudoers\fR will log to a local file,
such as \fI/var/log/sudo\fR.
When logging to a file, \fBsudoers\fR uses a format similar to
\&\fIsyslog\fR\|(3), with a few important differences:
.IP "1." 4
The \fIprogname\fR and \fIhostname\fR fields are not present.
.IP "2." 4
If the \fIlog_year\fR option is enabled, the date will also include the year.
.IP "3." 4
Lines that are longer than \fIloglinelen\fR characters (80 by default)
are word-wrapped and continued on the next line with a four character
indent.
This makes entries easier to read for a human being, but makes it
more difficult to use \fIgrep\fR\|(1) on the log files.
If the \fIloglinelen\fR option is set to 0 (or negated with a \*(L"!\*(R"),
word wrap will be disabled.
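.PP
A parser for the log entry formats described above, added here as an example and not part of sudo: it handles both the syslog and the file variants, picks out the denial reason that follows the user name, re-joins \*(L"(command continued)\*(R" parts and undoes the four-space word-wrap of log files. The log lines are constructed; the optional [pid] after progname and joining split parts with a single space are assumptions, not statements from this page.

```python
"""Parser for the sudoers log entry formats described above. Added example,
not part of sudo; the sample log lines are constructed."""
import re

# Syslog form: "date hostname progname: username : ...". The optional "[pid]"
# after progname is an assumption about what many syslog daemons append.
SYSLOG_RE = re.compile(
    r"^(?P<date>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) (?P<prog>sudo|sudoedit)(?:\[\d+\])?: (?P<rest>.*)$")
# Log-file form: no hostname/progname fields; the year follows the time
# when log_year is enabled.
FILE_RE = re.compile(
    r"^(?P<date>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d(?: \d{4})?) : (?P<rest>.*)$")
FIELD_KEYS = {"TTY": "tty", "PWD": "pwd", "USER": "runas_user",
              "GROUP": "runas_group", "TSID": "tsid", "ENV": "env"}
CONTINUED = "(command continued) "


def _parse_rest(rest):
    """Split 'username : [reason ; ] KEY=value ; ... COMMAND=cmd'."""
    user, _, body = rest.partition(" : ")
    entry = {"user": user, "reason": None, "command": None}
    if body.startswith(CONTINUED):
        entry["continued"] = body[len(CONTINUED):]
        return entry
    # COMMAND= is last and may itself contain " ; ", so split it off first;
    # ENV=... precedes it separated only by a space.
    head, sep, command = body.partition("COMMAND=")
    entry["command"] = command if sep else None
    for piece in (p.strip() for p in head.split(" ; ")):
        if not piece:
            continue
        key, eq, value = piece.partition("=")
        if eq and key in FIELD_KEYS:
            entry[FIELD_KEYS[key]] = value
        else:
            entry["reason"] = piece  # denial reason follows the user name
    return entry


def unwrap_file_lines(lines):
    """Re-join log-file entries word-wrapped at loglinelen, whose
    continuation lines start with a four-character indent."""
    out = []
    for line in lines:
        line = line.rstrip("\n")
        if line.startswith("    ") and out:
            out[-1] += " " + line.strip()
        else:
            out.append(line)
    return out


def parse_sudo_log(lines):
    """Parse syslog- or file-format sudoers entries into dicts.

    A syslog part marked "(command continued)" is appended to the latest
    entry for the same user and host; sudo is assumed to split on word
    boundaries, so the parts are re-joined with one space.
    """
    entries = []
    for line in unwrap_file_lines(lines):
        m = SYSLOG_RE.match(line) or FILE_RE.match(line)
        if not m:
            continue  # not a sudoers entry
        g = m.groupdict()
        entry = _parse_rest(g["rest"])
        if "continued" in entry:
            for prev in reversed(entries):
                if (prev["user"] == entry["user"] and prev["host"] == g.get("host")
                        and prev["command"] is not None):
                    prev["command"] += " " + entry["continued"]
                    break
            continue
        entry.update(date=g["date"], host=g.get("host"), prog=g.get("prog"))
        entries.append(entry)
    return entries


def denied(entries):
    """Entries carrying a denial reason, i.e. commands sudoers refused."""
    return [e for e in entries if e["reason"] is not None]


# Constructed sample input (not real logs).
SAMPLE_SYSLOG = [
    "Mar  5 10:12:01 web1 sudo: alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; "
    "COMMAND=/usr/bin/id",
    "Mar  5 10:12:30 web1 sudo: bob : command not allowed ; TTY=pts/1 ; "
    "PWD=/home/bob ; USER=root ; COMMAND=/bin/sh",
    "Mar  5 10:13:00 web1 sudo: alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; "
    "GROUP=adm ; TSID=00001A ; ENV=LANG=C COMMAND=/usr/bin/find /var/tmp -name",
    "Mar  5 10:13:00 web1 sudo: alice : (command continued) core -delete",
    "Mar  5 10:14:07 web1 sudo: carol : 3 incorrect password attempts ; TTY=pts/2 ; "
    "PWD=/home/carol ; USER=root ; COMMAND=/usr/bin/vi /etc/hosts",
]
SAMPLE_FILE = [
    "Mar  5 10:15:22 2013 : dave : user NOT in sudoers ; TTY=pts/3 ; PWD=/home/dave ;",
    "    USER=root ; COMMAND=/usr/bin/apt-get update",
]
```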
.SH "SUDO.CONF"
.IX Header "SUDO.CONF"
The \fI@sysconfdir@/sudo.conf\fR file determines which plugins the
\&\fBsudo\fR front end will load. If no \fI@sysconfdir@/sudo.conf\fR file
is present, or it contains no \f(CW\*(C`Plugin\*(C'\fR lines, \fBsudo\fR will use the
\&\fIsudoers\fR security policy and I/O logging, which corresponds to
the following \fI@sysconfdir@/sudo.conf\fR file.
.PP
.Vb 16
\& # Default @sysconfdir@/sudo.conf file
\&
\& # Plugin plugin_name plugin_path plugin_options ...
\& # Path askpass /path/to/askpass
\& # Path noexec /path/to/sudo_noexec.so
\& # Debug sudo /var/log/sudo_debug all@warn
\& # Set disable_coredump true
\&
\& # The plugin_path is relative to @prefix@/libexec unless
\& # fully qualified.
\& # The plugin_name corresponds to a global symbol in the plugin
\& # that contains the plugin interface structure.
\& # The plugin_options are optional.
\&
\& Plugin policy_plugin sudoers.so
\& Plugin io_plugin sudoers.so
.Ve
.SS "\s-1PLUGIN\s0 \s-1OPTIONS\s0"
.IX Subsection "PLUGIN OPTIONS"
Starting with \fBsudo\fR 1.8.5, it is possible to pass options to the
\&\fIsudoers\fR plugin. Options may be listed after the path to the
plugin (i.e. after \fIsudoers.so\fR); multiple options should be
space-separated. For example:
.PP
.Vb 1
\& Plugin sudoers_policy sudoers.so sudoers_file=/etc/sudoers sudoers_uid=0 sudoers_gid=0 sudoers_mode=0440
.Ve
.PP
The following plugin options are supported:
.IP "sudoers_file=pathname" 10
.IX Item "sudoers_file=pathname"
The \fIsudoers_file\fR option can be used to override the default path
to the \fIsudoers\fR file.
.IP "sudoers_uid=uid" 10
.IX Item "sudoers_uid=uid"
The \fIsudoers_uid\fR option can be used to override the default owner
of the sudoers file. It should be specified as a numeric user \s-1ID\s0.
.IP "sudoers_gid=gid" 10
.IX Item "sudoers_gid=gid"
The \fIsudoers_gid\fR option can be used to override the default group
of the sudoers file. It should be specified as a numeric group \s-1ID\s0.
.IP "sudoers_mode=mode" 10
.IX Item "sudoers_mode=mode"
The \fIsudoers_mode\fR option can be used to override the default file
mode for the sudoers file. It should be specified as an octal value.
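.PP
The following added example (not sudo's own code) reads the sudoers_* options from the sudoers Plugin line of a sudo.conf and checks a sudoers file's ownership and mode against them, reporting the same conditions that the error log entries earlier on this page describe. The sudo.conf text and the stat results are constructed; the defaults are the values from the example Plugin line above, and the final mode comparison is an addition beyond the messages listed on the page.

```python
"""Read the sudoers_* options from a sudo.conf Plugin line and check a
sudoers file's metadata against them, reporting the conditions the error
log entries describe. Added example, not sudo's own code; the sudo.conf
text and stat results below are constructed."""
import os
import re
import stat

PLUGIN_RE = re.compile(r"^\s*Plugin\s+(\S+)\s+(\S+)\s*(.*)$")
# Values taken from the example Plugin line on the page; a build's
# compiled-in defaults may differ (the gid error message shows 1).
DEFAULTS = {"sudoers_file": "/etc/sudoers", "sudoers_uid": 0,
            "sudoers_gid": 0, "sudoers_mode": 0o440}


def sudoers_plugin_options(conf_text):
    """Effective sudoers_* options from the first Plugin line loading
    sudoers.so; options not given fall back to DEFAULTS."""
    opts = dict(DEFAULTS)
    for line in conf_text.splitlines():
        m = PLUGIN_RE.match(line)
        if not m or not m.group(2).endswith("sudoers.so"):
            continue
        for option in m.group(3).split():
            key, _, value = option.partition("=")
            if key == "sudoers_file":
                opts[key] = value
            elif key in ("sudoers_uid", "sudoers_gid"):
                opts[key] = int(value)       # numeric IDs, as documented
            elif key == "sudoers_mode":
                opts[key] = int(value, 8)    # octal, e.g. 0440
        break
    return opts


def fake_stat(mode, uid, gid):
    """Constructed os.stat_result standing in for os.stat(sudoers_file)."""
    return os.stat_result((mode, 0, 0, 1, uid, gid, 0, 0, 0, 0))


def check_sudoers_metadata(st, opts):
    """Problems sudoers would log for a sudoers file with stat result `st`.

    Mirrors the error entries: not a regular file, wrong owner, world
    writable, wrong group. A missing file ("unable to stat") has to be
    caught by the caller, since stat() fails before this runs. The final
    mode check is an addition: it flags any permission bit beyond
    sudoers_mode, e.g. 0444, which is not world writable but too open.
    """
    problems = []
    if not stat.S_ISREG(st.st_mode):
        return ["is not a regular file"]
    if st.st_uid != opts["sudoers_uid"]:
        problems.append(f"is owned by uid {st.st_uid}, should be {opts['sudoers_uid']}")
    if st.st_mode & stat.S_IWOTH:
        problems.append("is world writable")
    if st.st_gid != opts["sudoers_gid"]:
        problems.append(f"is owned by gid {st.st_gid}, should be {opts['sudoers_gid']}")
    perm = stat.S_IMODE(st.st_mode)
    if perm & ~opts["sudoers_mode"]:
        problems.append(f"mode 0{perm:o} grants more than 0{opts['sudoers_mode']:o}")
    return problems


# Constructed sudo.conf using the Plugin line shown on the page.
SAMPLE_SUDO_CONF = """\
# constructed sudo.conf with explicit sudoers plugin options
Plugin sudoers_policy sudoers.so sudoers_file=/etc/sudoers sudoers_uid=0 sudoers_gid=0 sudoers_mode=0440
Plugin io_plugin sudoers.so
"""
```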
.SS "\s-1DEBUG\s0 \s-1FLAGS\s0"
.IX Subsection "DEBUG FLAGS"
Versions 1.8.4 and higher of the \fIsudoers\fR plugin support a
debugging framework that can help track down what the plugin is
doing internally if there is a problem. This can be configured in
the \fI@sysconfdir@/sudo.conf\fR file as described in \fIsudo\fR\|(@mansectsu@).
.PP
The \fIsudoers\fR plugin uses the same debug flag format as \fBsudo\fR
itself: \fIsubsystem\fR@\fIpriority\fR.
.PP
The priorities used by \fIsudoers\fR, in order of decreasing severity,
are: \fIcrit\fR, \fIerr\fR, \fIwarn\fR, \fInotice\fR, \fIdiag\fR, \fIinfo\fR, \fItrace\fR
and \fIdebug\fR. Each priority, when specified, also includes all
priorities higher than it. For example, a priority of \fInotice\fR
would include debug messages logged at \fInotice\fR and higher.
.PP
The following subsystems are used by \fIsudoers\fR:
.IP "\fIalias\fR" 10
.IX Item "alias"
\&\f(CW\*(C`User_Alias\*(C'\fR, \f(CW\*(C`Runas_Alias\*(C'\fR, \f(CW\*(C`Host_Alias\*(C'\fR and \f(CW\*(C`Cmnd_Alias\*(C'\fR processing
.IP "\fIall\fR" 10
.IX Item "all"
matches every subsystem
.IP "\fIaudit\fR" 10
.IX Item "audit"
\&\s-1BSM\s0 and Linux audit code
.IP "\fIauth\fR" 10
.IX Item "auth"
user authentication
.IP "\fIdefaults\fR" 10
.IX Item "defaults"
\&\fIsudoers\fR \fIDefaults\fR settings
.IP "\fIenv\fR" 10
.IX Item "env"
environment handling
.IP "\fIldap\fR" 10
.IX Item "ldap"
LDAP-based sudoers
.IP "\fIlogging\fR" 10
.IX Item "logging"
logging support
.IP "\fImatch\fR" 10
.IX Item "match"
matching of users, groups, hosts and netgroups in \fIsudoers\fR
.IP "\fInetif\fR" 10
.IX Item "netif"
network interface handling
.IP "\fInss\fR" 10
.IX Item "nss"
network service switch handling in \fIsudoers\fR
.IP "\fIparser\fR" 10
.IX Item "parser"
\&\fIsudoers\fR file parsing
.IP "\fIperms\fR" 10
.IX Item "perms"
permission setting
.IP "\fIplugin\fR" 10
.IX Item "plugin"
The equivalent of \fImain\fR for the plugin.
.IP "\fIpty\fR" 10
.IX Item "pty"
pseudo-tty related code
.IP "\fIrbtree\fR" 10
.IX Item "rbtree"
red-black tree internals
.IP "\fIutil\fR" 10
.IX Item "util"
utility functions
.SH "FILES"
.IX Header "FILES"
.IP "\fI@sysconfdir@/sudo.conf\fR" 24
.IX Item "@sysconfdir@/sudo.conf"
Sudo front end configuration
.IP "\fI@sysconfdir@/sudoers\fR" 24
.IX Item "@sysconfdir@/sudoers"
List of who can run what
.IP "\fI/etc/group\fR" 24
.IX Item "/etc/group"
Local groups file
.IP "\fI/etc/netgroup\fR" 24
.IX Item "/etc/netgroup"
List of network groups
.IP "\fI@iolog_dir@\fR" 24
.IX Item "@iolog_dir@"
I/O log files
.IP "\fI@timedir@\fR" 24
.IX Item "@timedir@"
Directory containing time stamps for the \fIsudoers\fR security policy
.IP "\fI/etc/environment\fR" 24
.IX Item "/etc/environment"
Initial environment for \fB\-i\fR mode on \s-1AIX\s0 and Linux systems
.SH "EXAMPLES"
.IX Header "EXAMPLES"
Below are example \fIsudoers\fR entries. Admittedly, some of
these are a bit contrived. First, we allow a few environment
variables to pass and then define our \fIaliases\fR:
.PP
.Vb 38
\& # Run X applications through sudo; HOME is used to find the
\& # .Xauthority file. Note that other programs use HOME to find
\& # configuration files and this may lead to privilege escalation!
\& Defaults env_keep += "DISPLAY HOME"
\&
\& # User alias specification
\& User_Alias FULLTIMERS = millert, mikef, dowdy
\& User_Alias PARTTIMERS = bostley, jwfox, crawl
\& User_Alias WEBMASTERS = will, wendy, wim
\&
\& # Runas alias specification
\& Runas_Alias OP = root, operator
\& Runas_Alias DB = oracle, sybase
\& Runas_Alias ADMINGRP = adm, oper
\&
\& # Host alias specification
\& Host_Alias SPARC = bigtime, eclipse, moet, anchor :\e
\&            SGI = grolsch, dandelion, black :\e
\&            ALPHA = widget, thalamus, foobar :\e
\&            HPPA = boa, nag, python
\& Host_Alias CUNETS = 128.138.0.0/255.255.0.0
\& Host_Alias CSNETS = 128.138.243.0, 128.138.204.0/24, 128.138.242.0
\& Host_Alias SERVERS = master, mail, www, ns
\& Host_Alias CDROM = orion, perseus, hercules
\&
\& # Cmnd alias specification
\& Cmnd_Alias DUMPS = /usr/bin/mt, /usr/sbin/dump, /usr/sbin/rdump,\e
\&                    /usr/sbin/restore, /usr/sbin/rrestore
\& Cmnd_Alias KILL = /usr/bin/kill
\& Cmnd_Alias PRINTING = /usr/sbin/lpc, /usr/bin/lprm
\& Cmnd_Alias SHUTDOWN = /usr/sbin/shutdown
\& Cmnd_Alias HALT = /usr/sbin/halt
\& Cmnd_Alias REBOOT = /usr/sbin/reboot
\& Cmnd_Alias SHELLS = /usr/bin/sh, /usr/bin/csh, /usr/bin/ksh, \e
\&                     /usr/local/bin/tcsh, /usr/bin/rsh, \e
\&                     /usr/local/bin/zsh
\& Cmnd_Alias SU = /usr/bin/su
\& Cmnd_Alias PAGERS = /usr/bin/more, /usr/bin/pg, /usr/bin/less
.Ve
.PP
Here we override some of the compiled-in default values. We want
\&\fBsudo\fR to log via \fIsyslog\fR\|(3) using the \fIauth\fR facility in all
cases. We don't want to subject the full-time staff to the \fBsudo\fR
lecture, user \fBmillert\fR need not give a password, and we don't
want to reset the \f(CW\*(C`LOGNAME\*(C'\fR, \f(CW\*(C`USER\*(C'\fR or \f(CW\*(C`USERNAME\*(C'\fR environment
variables when running commands as root. Additionally, on the
machines in the \fI\s-1SERVERS\s0\fR \f(CW\*(C`Host_Alias\*(C'\fR, we keep an additional
local log file and make sure we log the year in each log line since
the log entries will be kept around for several years. Lastly, we
disable shell escapes for the commands in the \s-1PAGERS\s0 \f(CW\*(C`Cmnd_Alias\*(C'\fR
(\fI/usr/bin/more\fR, \fI/usr/bin/pg\fR and \fI/usr/bin/less\fR).
.PP
.Vb 7
\& # Override built\-in defaults
\& Defaults syslog=auth
\& Defaults>root !set_logname
\& Defaults:FULLTIMERS !lecture
\& Defaults:millert !authenticate
\& Defaults@SERVERS log_year, logfile=/var/log/sudo.log
\& Defaults!PAGERS noexec
.Ve
.PP
The \fIUser specification\fR is the part that actually determines who may
run what.
.PP
.Vb 2
\& root ALL = (ALL) ALL
\& %wheel ALL = (ALL) ALL
.Ve
.PP
We let \fBroot\fR and any user in group \fBwheel\fR run any command on any
host as any user.
.PP
.Vb 1
\& FULLTIMERS ALL = NOPASSWD: ALL
.Ve
.PP
Full-time sysadmins (\fBmillert\fR, \fBmikef\fR, and \fBdowdy\fR) may run any
command on any host without authenticating themselves.
.PP
.Vb 1
\& PARTTIMERS ALL = ALL
.Ve
.PP
Part-time sysadmins (\fBbostley\fR, \fBjwfox\fR, and \fBcrawl\fR) may run any
command on any host but they must authenticate themselves first
(since the entry lacks the \f(CW\*(C`NOPASSWD\*(C'\fR tag).
.PP
.Vb 1
\& jack CSNETS = ALL
.Ve
.PP
The user \fBjack\fR may run any command on the machines in the \fI\s-1CSNETS\s0\fR alias
(the networks \f(CW128.138.243.0\fR, \f(CW128.138.204.0\fR, and \f(CW128.138.242.0\fR).
Of those networks, only \f(CW128.138.204.0\fR has an explicit netmask (in
\&\s-1CIDR\s0 notation) indicating it is a class C network. For the other
networks in \fI\s-1CSNETS\s0\fR, the local machine's netmask will be used
during matching.
.PP
.Vb 1
\& lisa CUNETS = ALL
.Ve
.PP
The user \fBlisa\fR may run any command on any host in the \fI\s-1CUNETS\s0\fR alias
(the class B network \f(CW128.138.0.0\fR).
.PP
.Vb 2
\& operator ALL = DUMPS, KILL, SHUTDOWN, HALT, REBOOT, PRINTING,\e
\&          sudoedit /etc/printcap, /usr/oper/bin/
.Ve
.PP
The \fBoperator\fR user may run commands limited to simple maintenance.
Here, those are commands related to backups, killing processes, the
printing system, shutting down the system, and any commands in the
directory \fI/usr/oper/bin/\fR.
.PP
.Vb 1
\& joe ALL = /usr/bin/su operator
.Ve
.PP
The user \fBjoe\fR may only \fIsu\fR\|(1) to operator.
.PP
.Vb 1
\& pete HPPA = /usr/bin/passwd [A\-Za\-z]*, !/usr/bin/passwd root
.Ve
.PP
.Vb 1
\& %opers ALL = (: ADMINGRP) /usr/sbin/
.Ve
.PP
Users in the \fBopers\fR group may run commands in \fI/usr/sbin/\fR as themselves
with any group in the \fI\s-1ADMINGRP\s0\fR \f(CW\*(C`Runas_Alias\*(C'\fR (the \fBadm\fR and \fBoper\fR
groups).
.PP
The user \fBpete\fR is allowed to change anyone's password except for
root on the \fI\s-1HPPA\s0\fR machines. Note that this assumes \fIpasswd\fR\|(1)
does not take multiple user names on the command line.
.PP
.Vb 1
\& bob SPARC = (OP) ALL : SGI = (OP) ALL
.Ve
.PP
The user \fBbob\fR may run anything on the \fI\s-1SPARC\s0\fR and \fI\s-1SGI\s0\fR machines
as any user listed in the \fI\s-1OP\s0\fR \f(CW\*(C`Runas_Alias\*(C'\fR (\fBroot\fR and \fBoperator\fR).
.PP
.Vb 1
\& jim +biglab = ALL
.Ve
.PP
The user \fBjim\fR may run any command on machines in the \fIbiglab\fR netgroup.
\&\fBsudo\fR knows that \*(L"biglab\*(R" is a netgroup due to the '+' prefix.
.PP
.Vb 1
\& +secretaries ALL = PRINTING, /usr/bin/adduser, /usr/bin/rmuser
.Ve
.PP
Users in the \fBsecretaries\fR netgroup need to help manage the printers
as well as add and remove users, so they are allowed to run those
commands on all machines.
.PP
.Vb 1
\& fred ALL = (DB) NOPASSWD: ALL
.Ve
.PP
The user \fBfred\fR can run commands as any user in the \fI\s-1DB\s0\fR \f(CW\*(C`Runas_Alias\*(C'\fR
(\fBoracle\fR or \fBsybase\fR) without giving a password.
.PP
.Vb 1
\& john ALPHA = /usr/bin/su [!\-]*, !/usr/bin/su *root*
.Ve
.PP
On the \fI\s-1ALPHA\s0\fR machines, user \fBjohn\fR may su to anyone except root
but he is not allowed to specify any options to the \fIsu\fR\|(1) command.
.PP
.Vb 1
\& jen ALL, !SERVERS = ALL
.Ve
.PP
The user \fBjen\fR may run any command on any machine except for those
in the \fI\s-1SERVERS\s0\fR \f(CW\*(C`Host_Alias\*(C'\fR (master, mail, www and ns).
.PP
.Vb 1
\& jill SERVERS = /usr/bin/, !SU, !SHELLS
.Ve
.PP
For any machine in the \fI\s-1SERVERS\s0\fR \f(CW\*(C`Host_Alias\*(C'\fR, \fBjill\fR may run
any commands in the directory \fI/usr/bin/\fR except for those commands
belonging to the \fI\s-1SU\s0\fR and \fI\s-1SHELLS\s0\fR \f(CW\*(C`Cmnd_Aliases\*(C'\fR.
.PP
.Vb 1
\& steve CSNETS = (operator) /usr/local/op_commands/
.Ve
.PP
The user \fBsteve\fR may run any command in the directory \fI/usr/local/op_commands/\fR
but only as user operator.
.PP
.Vb 1
\& matt valkyrie = KILL
.Ve
.PP
On his personal workstation, valkyrie, \fBmatt\fR needs to be able to
kill hung processes.
.PP
.Vb 1
\& WEBMASTERS www = (www) ALL, (root) /usr/bin/su www
.Ve
.PP
On the host www, any user in the \fI\s-1WEBMASTERS\s0\fR \f(CW\*(C`User_Alias\*(C'\fR (will,
wendy, and wim), may run any command as user www (which owns the
web pages) or simply \fIsu\fR\|(1) to www.
.PP
.Vb 2
\& ALL CDROM = NOPASSWD: /sbin/umount /CDROM,\e
\& /sbin/mount \-o nosuid\e,nodev /dev/cd0a /CDROM
.Ve
.PP
Any user may mount or unmount a CD-ROM on the machines in the \s-1CDROM\s0
\&\f(CW\*(C`Host_Alias\*(C'\fR (orion, perseus, hercules) without entering a password.
This is a bit tedious for users to type, so it is a prime candidate
for encapsulating in a shell script.
.SH "SECURITY NOTES"
.IX Header "SECURITY NOTES"
.SS "Limitations of the '!' operator"
.IX Subsection "Limitations of the '!' operator"
It is generally not effective to \*(L"subtract\*(R" commands from \f(CW\*(C`ALL\*(C'\fR
using the '!' operator. A user can trivially circumvent this
by copying the desired command to a different name and then
executing that. For example:
.PP
.Vb 1
\& bill ALL = ALL, !SU, !SHELLS
.Ve
.PP
This doesn't really prevent \fBbill\fR from running the commands listed in
\&\fI\s-1SU\s0\fR or \fI\s-1SHELLS\s0\fR since he can simply copy those commands to a
different name, or use a shell escape from an editor or other
program. Therefore, this kind of restriction should be considered
advisory at best (and reinforced by policy).
.PP
In general, if a user has sudo \f(CW\*(C`ALL\*(C'\fR there is nothing to prevent
them from creating their own program that gives them a root shell
(or making their own copy of a shell) regardless of any '!' elements
in the user specification.
.SS "Security implications of \fIfast_glob\fP"
.IX Subsection "Security implications of fast_glob"
If the \fIfast_glob\fR option is in use, it is not possible
to reliably negate commands where the path name includes globbing
(aka wildcard) characters. This is because the C library's
\&\fIfnmatch\fR\|(3) function cannot resolve relative paths. While this
is typically only an inconvenience for rules that grant privileges,
it can result in a security issue for rules that subtract or revoke
privileges.
.PP
For example, given the following \fIsudoers\fR entry:
.PP
.Vb 2
\& john ALL = /usr/bin/passwd [a\-zA\-Z0\-9]*, /usr/bin/chsh [a\-zA\-Z0\-9]*,\e
\& /usr/bin/chfn [a\-zA\-Z0\-9]*, !/usr/bin/* root
.Ve
.PP
User \fBjohn\fR can still run \f(CW\*(C`/usr/bin/passwd root\*(C'\fR if \fIfast_glob\fR is
enabled by changing to \fI/usr/bin\fR and running \f(CW\*(C`./passwd root\*(C'\fR instead.
.SS "Preventing Shell Escapes"
.IX Subsection "Preventing Shell Escapes"
Once \fBsudo\fR executes a program, that program is free to do whatever
it pleases, including running other programs. This can be a security
issue since it is not uncommon for a program to allow shell escapes,
which lets a user bypass \fBsudo\fR's access control and logging.
Common programs that permit shell escapes include shells (obviously),
editors, paginators, mail and terminal programs.
.PP
There are two basic approaches to this problem:
.IP "\(bu" 4
Avoid giving users access to commands that allow the user to run
arbitrary commands. Many editors have a restricted mode where shell
escapes are disabled, though \fBsudoedit\fR is a better solution to
running editors via \fBsudo\fR. Due to the large number of programs that
offer shell escapes, restricting users to the set of programs that
do not is often unworkable.
.IP "\(bu" 4
Many systems that support shared libraries have the ability to
override default library functions by pointing an environment
variable (usually \f(CW\*(C`LD_PRELOAD\*(C'\fR) to an alternate shared library.
On such systems, \fBsudo\fR's \fInoexec\fR functionality can be used to
prevent a program run by \fBsudo\fR from executing any other programs.
Note, however, that this applies only to native dynamically-linked
executables. Statically-linked executables and foreign executables
running under binary emulation are not affected.
.PP
The \fInoexec\fR feature is known to work on SunOS, Solaris, *BSD,
Linux, \s-1IRIX\s0, Tru64 \s-1UNIX\s0, MacOS X, HP-UX 11.x and \s-1AIX\s0 5.3 and above.
It should be supported on most operating systems that support the
\&\f(CW\*(C`LD_PRELOAD\*(C'\fR environment variable. Check your operating system's
manual pages for the dynamic linker (usually ld.so, ld.so.1, dyld,
dld.sl, rld, or loader) to see if \f(CW\*(C`LD_PRELOAD\*(C'\fR is supported.
.PP
On Solaris 10 and higher, \fInoexec\fR uses Solaris privileges instead
of the \f(CW\*(C`LD_PRELOAD\*(C'\fR environment variable.
.PP
To enable \fInoexec\fR for a command, use the \f(CW\*(C`NOEXEC\*(C'\fR tag as documented
in the User Specification section above. Here is that example again:
.PP
.Vb 1
\& aaron shanty = NOEXEC: /usr/bin/more, /usr/bin/vi
.Ve
.PP
This allows user \fBaaron\fR to run \fI/usr/bin/more\fR and \fI/usr/bin/vi\fR
with \fInoexec\fR enabled. This will prevent those two commands from
executing other commands (such as a shell). If you are unsure
whether or not your system is capable of supporting \fInoexec\fR you
can always just try it out and check whether shell escapes work
when \fInoexec\fR is enabled.
.PP
Note that restricting shell escapes is not a panacea. Programs
running as root are still capable of many potentially hazardous
operations (such as changing or overwriting files) that could lead
to unintended privilege escalation. In the specific case of an
editor, a safer approach is to give the user permission to run
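The three weaknesses described in this section (subtracting from ALL with '!', glob negations under fast_glob, and shell-escape-capable programs granted without NOEXEC) can be flagged mechanically when reviewing a sudoers file. The checker below is an added example, not part of sudo; it uses a deliberately simplified one-rule-per-line reading of the grammar, an assumed ESCAPE_PRONE program list, and a constructed sample file.

```python
import os
import re

# Constructed sample sudoers text (not a real file); the rules echo the man page's examples.
SAMPLE = """\
Defaults fast_glob
Cmnd_Alias SHELLS = /bin/sh, /bin/bash
bill  ALL = ALL, !SU, !SHELLS
john  ALL = /usr/bin/passwd [a-zA-Z0-9]*, \\
            /usr/bin/chfn [a-zA-Z0-9]*, !/usr/bin/* root
aaron shanty = NOEXEC: /usr/bin/more, /usr/bin/vi
carol ALL = /usr/bin/vi
"""

# Programs of the kinds the man page names as permitting shell escapes (assumed list).
ESCAPE_PRONE = {"sh", "bash", "vi", "vim", "more", "less", "mail", "ed"}
GLOB_CHARS = re.compile(r"[*?\[]")
NON_USER_SPECS = ("Defaults", "Cmnd_Alias", "User_Alias", "Host_Alias", "Runas_Alias")

def _entries(rhs):
    """Yield (command, noexec) per comma-separated command of one user spec.
    Tags such as NOEXEC: apply to the commands that follow them, so they are sticky."""
    noexec = False
    for raw in re.split(r"(?<!\\),", rhs):
        cmd = re.sub(r"^\([^)]*\)\s*", "", raw.strip())      # drop a (runas) spec
        while (m := re.match(r"^([A-Z]+):\s*", cmd)):          # peel tags
            if m.group(1) in ("NOEXEC", "EXEC"):
                noexec = m.group(1) == "NOEXEC"
            cmd = cmd[m.end():]
        if cmd:
            yield cmd, noexec

def audit(text):
    """Return [(line_no, issue)] for the three weaknesses discussed in SECURITY NOTES.
    Simplified parsing: one user spec per line, no ':' host groups, no #include."""
    lines = text.replace("\\\n", " ").splitlines()           # join continued lines
    fast_glob = any(re.match(r"Defaults\b.*(?<![!])\bfast_glob\b", l) for l in lines)
    findings = []
    for n, line in enumerate(lines, 1):
        line = line.strip()
        if not line or line.startswith("#") or line.startswith(NON_USER_SPECS) or "=" not in line:
            continue
        entries = list(_entries(line.split("=", 1)[1]))
        cmds = [c for c, _ in entries]
        negated = [c for c in cmds if c.startswith("!")]
        if "ALL" in cmds and negated:            # '!' cannot reliably subtract from ALL
            findings.append((n, "subtracts %s from ALL: advisory only" % ", ".join(negated)))
        for c in negated:                        # fast_glob + wildcard negation is bypassable
            if fast_glob and GLOB_CHARS.search(c):
                findings.append((n, "fast_glob defeats negation %s" % c))
        for c, noexec in entries:                # shell-escape-prone program without NOEXEC
            prog = os.path.basename(c.split()[0])
            if not c.startswith("!") and prog in ESCAPE_PRONE and not noexec:
                findings.append((n, "%s allows shell escapes; consider NOEXEC or sudoedit" % prog))
    return findings

if __name__ == "__main__":
    for line_no, issue in audit(SAMPLE):
        print("line %d: %s" % (line_no, issue))
```

Run it against a copy of the real file with `audit(open(path).read())`; a finding is a prompt to restructure the rule, not proof that the rule is exploitable on a given system.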
.SS "Time stamp file checks"
.IX Subsection "Time stamp file checks"
\&\fIsudoers\fR will check the ownership of its time stamp directory
(\fI@timedir@\fR by default) and ignore the directory's contents if
it is not owned by root or if it is writable by a user other than
root. On systems that allow non-root users to give away files via
\&\fIchown\fR\|(2), if the time stamp directory is located in a world-writable
directory (e.g., \fI/tmp\fR), it is possible for a user to create the
time stamp directory before \fBsudo\fR is run. However, because
\&\fIsudoers\fR checks the ownership and mode of the directory and its
contents, the only damage that can be done is to \*(L"hide\*(R" files by
putting them in the time stamp dir. This is unlikely to happen
since once the time stamp dir is owned by root and inaccessible by
any other user, the user placing files there would be unable to get
them back out.
.PP
\&\fIsudoers\fR will not honor time stamps set far in the future. Time
stamps with a date greater than current_time + 2 * \f(CW\*(C`TIMEOUT\*(C'\fR will
be ignored and sudo will log and complain. This is done to keep a
user from creating his/her own time stamp with a bogus date on
systems that allow users to give away files if the time stamp directory
is located in a world-writable directory.
.PP
On systems where the boot time is available, \fIsudoers\fR will ignore
time stamps that date from before the machine booted.
.PP
Since time stamp files live in the file system, they can outlive a
user's login session. As a result, a user may be able to log in,
run a command with \fBsudo\fR after authenticating, log out, log in
again, and run \fBsudo\fR without authenticating so long as the time
stamp file's modification time is within \f(CW\*(C`@timeout@\*(C'\fR minutes (or
whatever the timeout is set to in \fIsudoers\fR). When the \fItty_tickets\fR
option is enabled, the time stamp has per-tty granularity but still
may outlive the user's session. On Linux systems where the devpts
filesystem is used, Solaris systems with the devices filesystem,
as well as other systems that utilize a devfs filesystem that
monotonically increases the inode number of devices as they are
created (such as Mac \s-1OS\s0 X), \fIsudoers\fR is able to determine when a
tty-based time stamp file is stale and will ignore it. Administrators
should not rely on this feature as it is not universally available.
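The time stamp rules above (directory ownership and mode, the future-date bound of current_time + 2 * TIMEOUT, the boot-time floor, and the normal timeout) combine into a small decision procedure. The code below is an added illustration, not sudo's implementation; the stat values, epoch times and the 5-minute timeout are constructed.

```python
import stat

# Stands in for the configured time stamp timeout (constructed value, in minutes).
TIMEOUT_MINUTES = 5

def dir_contents_trusted(st_uid, st_mode):
    """The directory check described above: its contents count only if the
    directory is owned by root and not writable by anyone other than root."""
    return st_uid == 0 and not (st_mode & (stat.S_IWGRP | stat.S_IWOTH))

def check_timestamp(mtime, now, timeout_minutes=TIMEOUT_MINUTES, boot_time=None):
    """Classify one time stamp file's modification time (epoch seconds).
    Returns 'valid' when no re-authentication is needed, else why it is ignored."""
    timeout = timeout_minutes * 60
    if mtime > now + 2 * timeout:          # far in the future: ignored, logged, complained about
        return "future"
    if boot_time is not None and mtime < boot_time:   # predates the machine's boot
        return "pre-boot"
    if now - mtime > timeout:              # older than the timeout: expired
        return "expired"
    return "valid"

def needs_password(dir_uid, dir_mode, mtime, now,
                   timeout_minutes=TIMEOUT_MINUTES, boot_time=None):
    """Both checks together: an untrusted directory means every time stamp
    in it is ignored regardless of its date."""
    if not dir_contents_trusted(dir_uid, dir_mode):
        return True
    return check_timestamp(mtime, now, timeout_minutes, boot_time) != "valid"

if __name__ == "__main__":
    now, boot = 1700000000, 1699990000     # constructed epoch times
    for label, mtime in (("recent", now - 120), ("expired", now - 900),
                         ("bogus future", now + 3600), ("pre-boot", boot - 1)):
        print("%-12s -> %s" % (label, check_timestamp(mtime, now, boot_time=boot)))
```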
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fIrsh\fR\|(1), \fIsu\fR\|(1), \fIfnmatch\fR\|(3), \fIglob\fR\|(3), \fImktemp\fR\|(3), \fIstrftime\fR\|(3),
\&\fIsudoers.ldap\fR\|(@mansectform@), \fIsudo_plugin\fR\|(@mansectsu@), \fIsudo\fR\|(@mansectsu@), \fIvisudo\fR\|(@mansectsu@)
.SH "CAVEATS"
.IX Header "CAVEATS"
The \fIsudoers\fR file should \fBalways\fR be edited by the \fBvisudo\fR
command which locks the file and does grammatical checking. It is
imperative that \fIsudoers\fR be free of syntax errors since \fBsudo\fR
will not run with a syntactically incorrect \fIsudoers\fR file.
.PP
When using netgroups of machines (as opposed to users), if you
store fully qualified host names in the netgroup (as is usually the
case), you either need to have the machine's host name be fully qualified
as returned by the \f(CW\*(C`hostname\*(C'\fR command or use the \fIfqdn\fR option in
.SH "BUGS"
.IX Header "BUGS"
If you feel you have found a bug in \fBsudo\fR, please submit a bug report
at http://www.sudo.ws/sudo/bugs/
.SH "SUPPORT"
.IX Header "SUPPORT"
Limited free support is available via the sudo-users mailing list,
see http://www.sudo.ws/mailman/listinfo/sudo\-users to subscribe or
search the archives.
.SH "DISCLAIMER"
.IX Header "DISCLAIMER"
\&\fBsudo\fR is provided ``\s-1AS\s0 \s-1IS\s0'' and any express or implied warranties,
including, but not limited to, the implied warranties of merchantability
and fitness for a particular purpose are disclaimed. See the \s-1LICENSE\s0
file distributed with \fBsudo\fR or http://www.sudo.ws/sudo/license.html
for complete details.