.\" Copyright (c) 1994-1996, 1998-2005, 2007-2012
.\" Todd C. Miller <Todd.Miller@courtesan.com>
.\" Permission to use, copy, modify, and distribute this software for any
.\" purpose with or without fee is hereby granted, provided that the above
.\" copyright notice and this permission notice appear in all copies.
.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
.\" ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
.\" Sponsored in part by the Defense Advanced Research Projects
.\" Agency (DARPA) and Air Force Research Laboratory, Air Force
.\" Materiel Command, USAF, under agreement number F39502-99-1-0512.
.Dt SUDOERS @mansectform@
.Os Sudo @PACKAGE_VERSION@
.Nd default sudo security policy module
policy module determines a user's
The policy is driven by
.Pa @sysconfdir@/sudoers
file or, optionally, in LDAP.
The policy format is described in detail in the
.Sx SUDOERS FILE FORMAT
For information on storing
.Xr sudoers.ldap @mansectform@ .
.Ss Authentication and logging
security policy requires that most users authenticate
themselves before they can use
A password is not required
if the invoking user is root, if the target user is the same as the
invoking user, or if the policy has disabled authentication for the
authentication, it validates the invoking user's credentials, not
the target user's (or root's) credentials.
This can be changed via
flags, described later.
If a user who is not listed in the policy tries to run a command
mail is sent to the proper authorities.
used for such mail is configurable via the
(described later) and defaults to
Note that mail will not be sent if an unauthorized user tries to
determine for themselves whether or not they are allowed to use
is run by root and the
policy will use this value to determine who
This can be used by a user to log commands
through sudo even when a root shell has been invoked.
option to remain useful even when invoked via a
sudo-run script or program.
Note, however, that the
lookup is still done for root, not the user specified by
uses time stamp files for credential caching.
user has been authenticated, the time stamp is updated and the user
may then use sudo without a password for a short period of time
minutes unless overridden by the
uses a tty-based time stamp which means that
there is a separate time stamp for each of a user's login sessions.
option can be disabled to force the use of a
single time stamp for all of a user's sessions.
can log both successful and unsuccessful attempts (as well
but this is changeable via the
also supports logging a command's input and output
I/O logging is not on by default but can be enabled using
Defaults flags as well as the
.Ss Command environment
Since environment variables can influence program behavior,
provides a means to restrict which variables from the user's
environment are inherited by the command to be run.
can deal with environment variables.
to be executed with a new, minimal environment.
systems without PAM), the environment is initialized with the
On BSD systems, if the
option is enabled, the environment is initialized
.Pa /etc/login.conf .
The new environment contains the
in addition to variables from the invoking process permitted by the
This is effectively a whitelist
for environment variables.
option is disabled, any variables not
explicitly denied by the
inherited from the invoking process.
behave like a blacklist.
Since it is not possible
to blacklist all potentially dangerous environment variables, use
behavior is encouraged.
In all cases, environment variables with a value beginning with
are removed as they could be interpreted as
The list of environment variables that
contained in the output of
Note that the dynamic linker on most operating systems will remove
variables that can control dynamic linking from the environment of
setuid executables, including
Depending on the operating
system this may include
Variables of this type are
removed from the environment before
even begins execution
and, as such, it is not possible for
As a special case, if
option (initial login) is
will initialize the environment regardless
variables remain unchanged;
are set based on the target user.
systems without PAM), the contents of
On BSD systems, if the
All other environment variables are removed.
option is defined, any variables present
in that file will be set to their specified values as long as they
would not conflict with an existing environment variable.
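.Pp
The whitelist (env_reset) and blacklist behaviour described above, as an added example that is not sudo's code; the same logic is what the env_reset, env_keep, env_check and env_delete Defaults settings described later control.
The ENV_KEEP, ENV_CHECK and ENV_DELETE lists are short, constructed subsets of sudo's built-in lists (run sudo -V as root for the real ones), SAMPLE_ENV and TARGET_ROOT are constructed, PATH is taken from secure_path when one is given and otherwise from the caller, and the env_check safety test (a value is safe when it contains neither '%' nor '/') is sudo's documented rule except that the special handling of TZ is left out.

```python
import fnmatch
from typing import Dict, Iterable, Optional

# Constructed, abbreviated versions of sudo's built-in lists (the real defaults are longer).
ENV_KEEP = ["COLORS", "DISPLAY", "HOSTNAME", "LC_ALL", "LS_COLORS", "XAUTHORITY"]
ENV_CHECK = ["COLORTERM", "LANG", "LANGUAGE", "LC_*", "LINGUAS", "TERM", "TZ"]
ENV_DELETE = ["IFS", "CDPATH", "LD_*", "_RLD*", "LOCALDOMAIN", "RES_OPTIONS", "HOSTALIASES",
              "NLSPATH", "PATH_LOCALE", "TERMINFO", "TERMCAP", "ENV", "BASH_ENV", "PS4",
              "SHELLOPTS", "PERL5OPT", "PERL5LIB", "PYTHONPATH", "PYTHONHOME", "RUBYOPT"]


def _matches_any(name: str, patterns: Iterable[str]) -> bool:
    # list entries may be shell-style patterns such as LC_* or LD_*
    return any(fnmatch.fnmatchcase(name, p) for p in patterns)


def _is_safe(value: str) -> bool:
    # env_check's notion of "safe": the value contains neither '%' nor '/'
    return "%" not in value and "/" not in value


def filter_environment(caller_env: Dict[str, str], target: Dict[str, str],
                       env_reset: bool = True, secure_path: Optional[str] = None,
                       keep=ENV_KEEP, check=ENV_CHECK, delete=ENV_DELETE) -> Dict[str, str]:
    """Return the environment the command would receive. `target` carries HOME, SHELL,
    LOGNAME and USER for the target account (constructed here; sudo takes them from
    the password database)."""
    if env_reset:
        # Whitelist mode: start from a minimal environment and add only listed variables.
        result = dict(target)
        result["PATH"] = secure_path or caller_env.get("PATH", "")
        for name, value in caller_env.items():
            if value.startswith("()"):          # could be imported as a shell function
                continue
            if _matches_any(name, keep) or (_matches_any(name, check) and _is_safe(value)):
                result[name] = value
        return result
    # Blacklist mode: everything is inherited unless it is explicitly removed.
    result = {}
    for name, value in caller_env.items():
        if value.startswith("()") or _matches_any(name, delete):
            continue
        if _matches_any(name, check) and not _is_safe(value):
            continue
        result[name] = value
    return result


# Constructed caller environment with a few hostile entries.
SAMPLE_ENV = {
    "PATH": "/home/alice/bin:/usr/bin:/bin",
    "TERM": "xterm", "LC_ALL": "C", "TZ": "UTC", "EDITOR": "vim",
    "LANG": "../../tmp/evil",           # env_check: fails the '/' test
    "LD_PRELOAD": "/tmp/evil.so",       # the dynamic linker drops this before sudo even runs
    "PERL5OPT": "-M/tmp/evil.pm",
    "BASH_FUNC_ls%%": "() { /bin/true; }",
}
TARGET_ROOT = {"HOME": "/root", "SHELL": "/bin/sh", "LOGNAME": "root", "USER": "root"}

if __name__ == "__main__":
    for mode in (True, False):
        print("env_reset =", mode, sorted(filter_environment(SAMPLE_ENV, TARGET_ROOT, mode)))
```

With env_reset on, only TERM, LC_ALL and TZ survive from the sample (plus the target user's variables and PATH); with it off, EDITOR and the user's PATH come through as well, and only the listed dangerous names and the unsafe LANG value are dropped.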
.Sh SUDOERS FILE FORMAT
file is composed of two types of entries: aliases
(basically variables) and user specifications (which specify who
When multiple entries match for a user, they are applied in order.
Where there are multiple matches, the last match is used (which is
not necessarily the most specific match).
grammar will be described below in Extended Backus-Naur
Don't despair if you are unfamiliar with EBNF; it is fairly simple,
and the definitions below are annotated.
.Ss Quick guide to EBNF
EBNF is a concise and exact way of describing the grammar of a language.
Each EBNF definition is made up of
.Em production rules .
.Li symbol ::= definition | alternate1 | alternate2 ...
references others and thus makes up a
grammar for the language.
EBNF also contains the following
operators, which many readers will recognize from regular
Do not, however, confuse them with
characters, which have different meanings.
Means that the preceding symbol (or group of symbols) is optional.
That is, it may appear once or not at all.
Means that the preceding symbol (or group of symbols) may appear
Means that the preceding symbol (or group of symbols) may appear
Parentheses may be used to group symbols together.
we will use single quotes
to designate what is a verbatim character string (as opposed to a symbol name).
There are four kinds of aliases:
Alias ::= 'User_Alias' User_Alias (':' User_Alias)* |
'Runas_Alias' Runas_Alias (':' Runas_Alias)* |
'Host_Alias' Host_Alias (':' Host_Alias)* |
'Cmnd_Alias' Cmnd_Alias (':' Cmnd_Alias)*
User_Alias ::= NAME '=' User_List
Runas_Alias ::= NAME '=' Runas_List
Host_Alias ::= NAME '=' Host_List
Cmnd_Alias ::= NAME '=' Cmnd_List
NAME ::= [A-Z]([A-Z] | [0-9] | '_')*
definition is of the form
Alias_Type NAME = item1, item2, ...
is a string of uppercase letters, numbers,
and underscore characters
It is possible to put several alias definitions
of the same type on a single line, joined by a colon
Alias_Type NAME = item1, item2, item3 : NAME = item4, item5
The definitions of what constitutes a valid
User ::= '!'* user name |
'!'* %:nonunix_group |
'!'* %:#nonunix_gid |
is made up of one or more user names, user ids
system group names and ids (prefixed with
respectively), netgroups (prefixed with
non-Unix group names and IDs (prefixed with
.Li User_Alias Ns No es.
Each list item may be prefixed with zero or more
operators negate the value of
the item; an even number cancels out.
may be enclosed in double quotes to avoid the
need for escaping special characters.
Alternately, special characters
may be specified in escaped hex mode, e.g.\& \ex20 for space.
using double quotes, any prefix characters must be included inside
the underlying group provider plugin (see the
For instance, the QAS AD plugin supports the following formats:
.Bl -bullet -width 4n
.It
Group in the same domain: "%:Group Name"
.It
Group in any domain: "%:Group Name@FULLY.QUALIFIED.DOMAIN"
.It
Group SID: "%:S-1-2-34-5678901234-5678901234-5678901234-567"
.El
Note that quotes around group names are optional.
Unquoted strings must use a backslash
to escape spaces and special characters.
.Sx Other special characters and reserved words
characters that need to be escaped.
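.Pp
The alias grammar and the list rules above, worked through as a small parser.
This is an added example written for this page, not part of the sudoers manual and not sudo's own parser.
It assumes an alias name is an uppercase letter followed by uppercase letters, digits and underscores, applies the '!' parity rule, accepts double-quoted items (so that a "%:Group Name" item containing a colon and spaces is not split) and honours the rule that '#' starts a comment unless it is glued to digits; netgroup and group-provider resolution are not modelled.

```python
import re
from typing import Dict, List, Tuple

ALIAS_TYPES = ("User_Alias", "Runas_Alias", "Host_Alias", "Cmnd_Alias")
NAME_RE = re.compile(r"^[A-Z][A-Z0-9_]*$")      # uppercase letters, digits, underscores
# '#' starts a comment unless it is followed by digits (a #uid or %#gid list item)
COMMENT_RE = re.compile(r"(^|\s)#(?!\d).*$")

Item = Tuple[bool, str]   # (negated, value)


def split_unquoted(text: str, sep: str) -> List[str]:
    """Split on sep, ignoring separators inside double quotes, after a backslash,
    or directly after '%' (the '%:' non-Unix group prefix contains a colon)."""
    parts, buf, quoted, i = [], [], False, 0
    while i < len(text):
        ch = text[i]
        if ch == "\\" and i + 1 < len(text):         # keep escape sequences intact
            buf.append(text[i:i + 2])
            i += 2
            continue
        if ch == '"':
            quoted = not quoted
        if ch == sep and not quoted and not (i > 0 and text[i - 1] == "%"):
            parts.append("".join(buf).strip())
            buf = []
        else:
            buf.append(ch)
        i += 1
    parts.append("".join(buf).strip())
    return parts


def parse_item(raw: str) -> Item:
    """An odd number of leading '!' negates the item; an even number cancels out."""
    bangs = len(raw) - len(raw.lstrip("!"))
    value = raw[bangs:].strip()
    if len(value) >= 2 and value[0] == value[-1] == '"':
        value = value[1:-1]        # quoted item: any prefix characters sit inside the quotes
    if not value:
        raise ValueError("empty list item in %r" % raw)
    return bangs % 2 == 1, value


def parse_alias_line(line: str) -> Tuple[str, Dict[str, List[Item]]]:
    """'Alias_Type NAME = item, ... : NAME = item, ...' -> (Alias_Type, {NAME: [items]})"""
    line = COMMENT_RE.sub("", line).strip()
    fields = line.split(None, 1)
    if len(fields) != 2 or fields[0] not in ALIAS_TYPES:
        raise ValueError("not an alias definition: %r" % line)
    alias_type, rest = fields
    aliases: Dict[str, List[Item]] = {}
    for definition in split_unquoted(rest, ":"):   # several definitions joined by ':'
        name, eq, items = definition.partition("=")
        name = name.strip()
        if not eq or not NAME_RE.match(name):
            raise ValueError("bad alias name %r" % name)
        if name in aliases:
            raise ValueError("alias %s defined twice on one line" % name)
        aliases[name] = [parse_item(item) for item in split_unquoted(items, ",")]
    return alias_type, aliases


if __name__ == "__main__":
    # Constructed sample lines
    for sample in (
        'User_Alias ADMINS = alice, bob : WEB = %www, !!carol, !"%:Domain Admins"',
        "Runas_Alias OP = #0, operator   # uid 0 covers both root and toor",
        "Cmnd_Alias PRINTING = /usr/sbin/lpc, /usr/bin/lprm",
    ):
        print(parse_alias_line(sample))
```

A lower-case or otherwise malformed alias name, an empty item and an unknown alias type are all rejected, which is the same class of mistake visudo refuses to save.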
Runas_List ::= Runas_Member |
Runas_Member ',' Runas_List
Runas_Member ::= '!'* user name |
'!'* %:nonunix_group |
'!'* %:#nonunix_gid |
.Li User_Alias Ns No es
.Li Runas_Alias Ns No es .
user names and groups are matched as strings.
users (groups) with the same uid (gid) are considered to be distinct.
If you wish to match all user names with the same uid (e.g.\&
root and toor), you can use a uid instead (#0 in the example given).
Host ::= '!'* host name |
'!'* network(/netmask)? |
is made up of one or more host names, IP addresses,
network numbers, netgroups (prefixed with
Again, the value of an item may be negated with the
If you do not specify a netmask along with the network number,
will query each of the local host's network interfaces and,
if the network number corresponds to one of the host's network
interfaces, the corresponding netmask will be used.
may be specified either in standard IP address notation
(e.g.\& 255.255.255.0 or ffff:ffff:ffff:ffff::),
or CIDR notation (number of bits, e.g.\& 24 or 64).
A host name may include shell-style wildcards (see the
command on your machine returns the fully
qualified host name, you'll need to use the
option for wildcards to be useful.
only inspects actual network interfaces; this means that IP address
127.0.0.1 (localhost) will never match.
will only match if that is the actual host name, which is usually
only the case for non-networked systems.
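.Pp
How a Host_List item is matched against the local host, as an added example that is not sudo's own code.
The interface table LOCAL_IFACES is constructed for the example (sudo reads the real interfaces, which is why 127.0.0.1 never matches here either), netgroups are not modelled, an IPv6 hex-style netmask is not parsed (only a prefix length), and the list is scanned from the end so that the last item that applies decides, with an odd number of '!' turning a match into a denial; that scanning order is an assumption made here, not something the manual states.

```python
import fnmatch
import ipaddress
from typing import List, Tuple

# Constructed interface table: (address, netmask). No loopback entry, as with real sudo.
LOCAL_IFACES: List[Tuple[str, str]] = [("192.168.1.20", "255.255.255.0"),
                                       ("10.0.5.7", "255.255.0.0")]


def parse_network(value: str, ifaces=LOCAL_IFACES):
    """'net/mask' or 'net/bits' -> network. A bare network number borrows the netmask
    of the local interface on that network; a value that is not an address -> None."""
    addr_text, _, mask = value.partition("/")
    try:
        addr = ipaddress.ip_address(addr_text)
    except ValueError:
        return None
    if mask:   # dotted IPv4 netmask or a CIDR bit count
        return ipaddress.ip_network("%s/%s" % (addr, mask), strict=False)
    for iface_addr, iface_mask in ifaces:
        net = ipaddress.ip_interface("%s/%s" % (iface_addr, iface_mask)).network
        if net.network_address == addr:
            return net
    # no interface on that network: treat it as a single address
    return ipaddress.ip_network("%s/%d" % (addr, addr.max_prefixlen))


def value_matches(value: str, hostname: str, ifaces=LOCAL_IFACES) -> bool:
    """One Host_List item (without its '!' prefix) against this host."""
    if value == "ALL":
        return True
    if value.startswith("+"):
        return False               # netgroups: not modelled in this example
    net = parse_network(value, ifaces)
    if net is not None:
        # only real interfaces are inspected, so 127.0.0.1 can never match
        return any(ipaddress.ip_address(a) in net for a, _ in ifaces)
    return fnmatch.fnmatchcase(hostname, value)   # shell-style wildcards in host names


def host_list_matches(items: List[str], hostname: str, ifaces=LOCAL_IFACES) -> bool:
    """Scan from the end; the last item that applies decides (assumption of this example)."""
    for item in reversed(items):
        bangs = len(item) - len(item.lstrip("!"))
        if value_matches(item[bangs:], hostname, ifaces):
            return bangs % 2 == 0      # odd number of '!' turns a match into a denial
    return False


if __name__ == "__main__":
    for item in ("192.168.1.0/24", "192.168.1.0/255.255.255.0", "192.168.1.0",
                 "127.0.0.1", "*.sudo.ws", "xyzzy"):
        print("%-28s %s" % (item, value_matches(item, "xyzzy")))
    print(host_list_matches(["ALL", "!192.168.1.0/24"], "xyzzy"))
```

The "*.sudo.ws" case shows why the fqdn option matters: with the short host name "xyzzy" the wildcard never matches, with "xyzzy.sudo.ws" it does.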
command name ::= file name |
Cmnd ::= '!'* command name |
is a list of one or more command names, directories, and other aliases.
A command name is a fully qualified file name which may include
shell-style wildcards (see the
A simple file name allows the user to run the command with any
arguments he/she wishes.
However, you may also specify command line arguments (including
Alternately, you can specify
to indicate that the command
command line arguments.
fully qualified path name ending in a
When you specify a directory in a
the user will be able to run any file within that directory
(but not in any sub-directories therein).
has associated command line arguments, then the arguments
must match exactly those given by the user on the command line
(or match the wildcards if there are any).
Note that the following characters must be escaped with a
if they are used in command arguments:
is used to permit a user to run
It may take command line arguments just as a normal command does.
Certain configuration options may be changed from their default
values at run-time via one or more
These may affect all users on any host, all users on a specific host, a
specific user, a specific command, or commands being run as a specific user.
Note that per-command entries may not include command line arguments.
If you need to specify arguments, define a
Default_Type ::= 'Defaults' |
'Defaults' '@' Host_List |
'Defaults' ':' User_List |
'Defaults' '!' Cmnd_List |
'Defaults' '>' Runas_List
Default_Entry ::= Default_Type Parameter_List
Parameter_List ::= Parameter |
Parameter ',' Parameter_List
Parameter ::= Parameter '=' Value |
Parameter '+=' Value |
Parameter '-=' Value |
Flags are implicitly boolean and can be turned off via the
Some integer, string and list parameters may also be
used in a boolean context to disable them.
Values may be enclosed
when they contain multiple words.
Special characters may be escaped with a backslash
Lists have two additional assignment operators,
These operators are used to add to and delete from a list respectively.
It is not an error to use the
operator to remove an element
that does not exist in a list.
Defaults entries are parsed in the following order: generic, host
and user Defaults first, then runas Defaults and finally command
for a list of supported Defaults parameters.
.Ss User specification
User_Spec ::= User_List Host_List '=' Cmnd_Spec_List \e
(':' Host_List '=' Cmnd_Spec_List)*
Cmnd_Spec_List ::= Cmnd_Spec |
Cmnd_Spec ',' Cmnd_Spec_List
Cmnd_Spec ::= Runas_Spec? SELinux_Spec? Solaris_Priv_Spec? Tag_Spec* Cmnd
Runas_Spec ::= '(' Runas_List? (':' Runas_List)? ')'
SELinux_Spec ::= ('ROLE=role' | 'TYPE=type')
Solaris_Priv_Spec ::= ('PRIVS=privset' | 'LIMITPRIVS=privset')
Tag_Spec ::= ('NOPASSWD:' | 'PASSWD:' | 'NOEXEC:' | 'EXEC:' |
'SETENV:' | 'NOSETENV:' | 'LOG_INPUT:' | 'NOLOG_INPUT:' |
'LOG_OUTPUT:' | 'NOLOG_OUTPUT:')
.Sy user specification
determines which commands a user may run
(and as what user) on specified hosts.
By default, commands are
but this can be changed on a per-command basis.
The basic structure of a user specification is
.Dq who where = (as_whom) what .
Let's break that down into its constituent parts:
determines the user and/or the group that a command
.Li Runas_List Ns No s
(as defined above) separated by a colon
and enclosed in a set of parentheses.
which users the command may be run as via
The second defines a list of groups that can be specified via
.Li Runas_List Ns No s
are specified, the command may be run with any combination of users
and groups listed in their respective
.Li Runas_List Ns No s.
If only the first is specified, the command may be run as any user
second is specified, the command may be run as the invoking user
with the group set to any listed in the
.Li Runas_List Ns No s
are empty, the command may only be run as the invoking user.
is specified the command may be run as
no group may be specified.
sets the default for the commands that follow it.
What this means is that for the entry:
dgb boulder = (operator) /bin/ls, /bin/kill, /usr/bin/lprm
.Pa /usr/bin/lprm Ns No \(em Ns but
$ sudo -u operator /bin/ls
It is also possible to override a
later on in an entry.
If we modify the entry like so:
dgb boulder = (operator) /bin/ls, (root) /bin/kill, /usr/bin/lprm
is now allowed to run
We can extend this to allow
the user or group set to
dgb boulder = (operator : operator) /bin/ls, (root) /bin/kill,\e
Note that while the group portion of the
user to run a command with that group, it does not force the user
If no group is specified on the command line, the command
will run with the group listed in the target user's password database
The following would all be permitted by the sudoers entry above:
$ sudo -u operator /bin/ls
$ sudo -u operator -g operator /bin/ls
$ sudo -g operator /bin/ls
In the following example, user
may run commands that access
a modem device file with the dialer group.
tcm boulder = (:dialer) /usr/bin/tip, /usr/bin/cu,\e
/usr/local/bin/minicom
Note that in this example only the group will be set, the command
$ sudo -g dialer /usr/bin/cu
Multiple users and groups may be present in a
in which case the user may select any combination of users and groups via the
alan ALL = (root, bin : operator, system) ALL
may run any command as either user root or bin,
optionally setting the group to operator or system.
On systems with SELinux support,
entries may optionally have an SELinux role and/or type associated
type is specified with the command it will override any default values
A role or type specified on the command line,
however, will supersede the values in
.Ss Solaris_Priv_Spec
entries may optionally specify Solaris privilege set and/or limit
privilege set associated with a command.
If privileges or limit privileges are specified with the command
it will override any default values specified in
A privilege set is a comma-separated list of privilege names.
command can be used to list all privileges known to the system.
In addition, there are several
the set of all privileges
the set of all privileges available in the current zone
the default set of privileges normal users are granted at login time
Privileges can be excluded from a set by prefixing the privilege
A command may have zero or more tags associated with it.
ten possible tag values:
Once a tag is set on a
inherit the tag unless it is overridden by the opposite tag (in other words,
.Em NOPASSWD and PASSWD
requires that a user authenticate him or herself
before running a command.
This behavior can be modified via the
a default for the commands that follow it in the
tag can be used to reverse things.
ray rushmore = NOPASSWD: /bin/kill, /bin/ls, /usr/bin/lprm
on the machine rushmore without authenticating himself.
without a password the entry would be:
ray rushmore = NOPASSWD: /bin/kill, PASSWD: /bin/ls, /usr/bin/lprm
Note, however, that the
tag has no effect on users who are in the group specified by the
tag is applied to any of the entries for a user on the current host,
he or she will be able to run
Additionally, a user may only run
without a password if the
tag is present for all of a user's entries that pertain to the current host.
This behavior may be overridden via the
has been compiled with
support and the underlying operating system supports it, the
tag can be used to prevent a dynamically-linked executable from
running further commands itself.
In the following example, user
but shell escapes will be disabled.
aaron shanty = NOEXEC: /usr/bin/more, /usr/bin/vi
.Sx Preventing shell escapes
section below for more details on how
works and whether or not it will work on your system.
.Em SETENV and NOSETENV
These tags override the value of the
option on a per-command basis.
has been set for a command, the user may disable the
option from the command line via the
Additionally, environment variables set on the command
line are not subject to the restrictions imposed by
As such, only trusted users should be allowed to set variables in this manner.
If the command matched is
tag is implied for that command; this default may be overridden by use of the
.Em LOG_INPUT and NOLOG_INPUT
These tags override the value of the
option on a per-command basis.
For more information, see the description of
.Em LOG_OUTPUT and NOLOG_OUTPUT
These tags override the value of the
option on a per-command basis.
For more information, see the description of
(aka meta or glob characters)
to be used in host names, path names and command line arguments in the
Wildcard matching is done via the
regular expressions.
Matches any set of zero or more characters.
Matches any single character.
Matches any character in the specified range.
Matches any character
in the specified range.
This is used to escape special characters such as:
POSIX character classes may also be used if your system's
functions support them.
However, because the
character has special meaning in
.Bd -literal -offset 4n
/bin/ls [[\:alpha\:]]*
.Ed
Would match any file name beginning with a letter.
Note that a forward slash
wildcards used in the path name.
This is to make a path like:
.Bd -literal -offset 4n
.Ed
.Pa /usr/bin/X11/xterm .
When matching the command line arguments, however, a slash
get matched by wildcards since command line arguments may contain
arbitrary strings and not just path names.
Wildcards in command line arguments should be used with care.
Because command line arguments are matched as a single, concatenated
string, a wildcard such as
can match multiple words.
For example, while a sudoers entry like:
.Bd -literal -offset 4n
%operator ALL = /bin/cat /var/log/messages*
.Ed
will allow a command like:
.Bd -literal -offset 4n
$ sudo cat /var/log/messages.1
.Ed
.Bd -literal -offset 4n
$ sudo cat /var/log/messages /etc/shadow
.Ed
which is probably not what was intended.
.Ss Exceptions to wildcard rules
The following exceptions apply to the above rules:
is the only command line argument in the
entry it means that command is not allowed to be run with
Command line arguments to the
built-in command should always be path names, so a forward slash
will not be matched by a wildcard.
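.Pp
The wildcard rules and their exceptions, as an added example that is not sudo's matcher.
It shows why "/usr/bin/*" does not reach /usr/bin/X11/xterm, why "/bin/cat /var/log/messages*" also lets "cat /var/log/messages /etc/shadow" through because the arguments are joined into one string before matching, and how a tighter pattern such as "/bin/cat /var/log/messages.[0-9]" (a suggested rule, not one from the manual) closes that hole.
Bracket expressions and backslash escapes are handled; POSIX character classes are not supported by Python's fnmatch and are left out.

```python
import fnmatch
import re
from typing import List


def path_pattern(pattern: str) -> "re.Pattern[str]":
    """Compile a sudoers path pattern. '*' and '?' never match '/', so '/usr/bin/*'
    does not match /usr/bin/X11/xterm. Bracket expressions pass through, '\\' escapes
    the next character."""
    out, i = [], 0
    while i < len(pattern):
        ch = pattern[i]
        if ch == "*":
            out.append("[^/]*")
        elif ch == "?":
            out.append("[^/]")
        elif ch == "[" and pattern.find("]", i + 2) != -1:
            j = pattern.find("]", i + 2)
            body = pattern[i + 1:j]
            body = "^" + body[1:] if body.startswith("!") else body
            out.append("[" + body + "]")
            i = j
        elif ch == "\\" and i + 1 < len(pattern):
            i += 1
            out.append(re.escape(pattern[i]))
        else:
            out.append(re.escape(ch))
        i += 1
    return re.compile("^" + "".join(out) + "$")


def cmnd_matches(rule: str, argv: List[str]) -> bool:
    """`rule` is one Cmnd (path plus optional arguments); argv[0] is the fully qualified
    command the user asked for and argv[1:] its arguments."""
    rule_path, _, rule_args = rule.strip().partition(" ")
    rule_args = rule_args.strip()
    if rule_path == "ALL":
        return True
    if rule_path.endswith("/"):               # directory: files directly inside it only
        path_ok = path_pattern(rule_path + "*").match(argv[0]) is not None
    else:
        path_ok = path_pattern(rule_path).match(argv[0]) is not None
    if not path_ok:
        return False
    user_args = " ".join(argv[1:])
    if rule_args == "":                       # no arguments in the rule: any arguments allowed
        return True
    if rule_args == '""':                     # the "" exception: no arguments at all
        return user_args == ""
    if rule_path == "sudoedit":               # sudoedit arguments are path names: '/' is never wildcarded
        return path_pattern(rule_args).match(user_args) is not None
    # Ordinary commands: all arguments are joined into ONE string and matched against the
    # pattern as a whole, so '*' also matches spaces and slashes, i.e. extra arguments.
    return fnmatch.fnmatchcase(user_args, rule_args)


if __name__ == "__main__":
    loose = "/bin/cat /var/log/messages*"
    tight = "/bin/cat /var/log/messages.[0-9]"      # suggested tighter rule
    for rule in (loose, tight):
        for argv in (["/bin/cat", "/var/log/messages.1"],
                     ["/bin/cat", "/var/log/messages", "/etc/shadow"]):
            print("%-36s %-45s %s" % (rule, " ".join(argv), cmnd_matches(rule, argv)))
```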
.Ss Including other files from within sudoers
It is possible to include other
files from within the
file currently being parsed using the
This can be used, for example, to keep a site-wide
file in addition to a local, per-machine file.
For the sake of this example the site-wide
and the per-machine one will be
.Pa /etc/sudoers.local .
.Pa /etc/sudoers.local
.Bd -literal -offset 4n
#include /etc/sudoers.local
.Ed
reaches this line it will suspend processing of the current file
.Pa /etc/sudoers.local .
Upon reaching the end of
.Pa /etc/sudoers.local ,
Files that are included may themselves include other files.
A hard limit of 128 nested include files is enforced to prevent include
If the path to the include file is not fully-qualified (does not
it must be located in the same directory as the sudoers file it was
.Bd -literal -offset 4n
.Li #include sudoers.local
.Ed
the file that will be included is
.Pa /etc/sudoers.local .
The file name may also include the
escape, signifying the short form of the host name.
In other words, if the machine's host name is
.Bd -literal -offset 4n
#include /etc/sudoers.%h
.Ed
.Pa /etc/sudoers.xerxes .
directive can be used to create a
directory that the system package manager can drop
into as part of package installation.
.Bd -literal -offset 4n
#includedir /etc/sudoers.d
.Ed
will read each file in
.Pa /etc/sudoers.d ,
skipping file names that end in
character to avoid causing problems with package manager or editor
temporary/backup files.
Files are parsed in sorted lexical order.
.Pa /etc/sudoers.d/01_first
will be parsed before
.Pa /etc/sudoers.d/10_second .
Be aware that because the sorting is lexical, not numeric,
.Pa /etc/sudoers.d/1_whoops
.Pa /etc/sudoers.d/10_second .
Using a consistent number of leading zeroes in the file names
avoids such problems.
Note that unlike files included via
will not edit the files in a
directory unless one of them contains a syntax error.
It is still possible to run
flag to edit the files directly.
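.Pp
The #include and #includedir rules above in code, as an added example that is not part of the manual or of sudo: which files in a sudoers.d directory are read and in what order, a check that flags mixed-width numeric prefixes (the 1_whoops problem, where a later file silently wins because the last match is used), and how "%h" and relative paths are resolved for #include.
The directory listing is constructed; nothing is read from disk.

```python
import os
import re
from typing import Dict, Iterable, List


def includedir_files(names: Iterable[str]) -> List[str]:
    """Files sudoers reads from an #includedir, in the order it reads them: names ending
    in '~' or containing '.' are skipped, the rest are taken in lexical order."""
    wanted = [n for n in names if not n.endswith("~") and "." not in n]
    return sorted(wanted)                      # lexical, not numeric


def numeric_prefix_widths(names: Iterable[str]) -> Dict[int, List[str]]:
    """Group the files that would be read by the number of leading digits in their
    names. More than one key means lexical order differs from the intended numeric one."""
    widths: Dict[int, List[str]] = {}
    for name in includedir_files(names):
        m = re.match(r"\d+", name)
        if m:
            widths.setdefault(len(m.group()), []).append(name)
    return widths


def resolve_include(path: str, including_file: str, hostname: str) -> str:
    """#include argument -> file actually opened: '%h' expands to the short host name,
    and a relative path is taken relative to the directory of the including file."""
    path = path.replace("%h", hostname.split(".", 1)[0])
    if not os.path.isabs(path):
        path = os.path.join(os.path.dirname(including_file), path)
    return path


if __name__ == "__main__":
    # Constructed listing of /etc/sudoers.d
    listing = ["10_second", "1_whoops", "01_first", "README.md", "local~", "pkg.dpkg-new", "vagrant"]
    print(includedir_files(listing))
    print(numeric_prefix_widths(listing))
    print(resolve_include("sudoers.local", "/etc/sudoers", "xerxes.sudo.ws"))
    print(resolve_include("/etc/sudoers.%h", "/etc/sudoers", "xerxes.sudo.ws"))
```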
.Ss Other special characters and reserved words
is used to indicate a comment (unless it is part of a #include
directive or unless it occurs in the context of a user name and is
followed by one or more digits, in which case it is treated as a
Both the comment character and any text after it, up to the end of
the line, are ignored.
that always causes a match to succeed.
It can be used wherever one might otherwise use a
You should not try to define your own
as the built-in alias will be used in preference to your own.
Please note that using
can be dangerous since in a command context, it allows the user to run
command on the system.
An exclamation point
can be used as a logical
This allows one to exclude certain values.
Note, however, that using a
in conjunction with the built-in
alias to allow a user to run
commands rarely works as intended (see
Long lines can be continued with a backslash
as the last character on the line.
White space between elements in a list as well as special syntactic
.Em User Specification
The following characters must be escaped with a backslash
when used as part of a word (e.g.\& a user name or host name):
behavior can be modified by
lines, as explained earlier.
A list of all supported Defaults parameters, grouped by type, is given below.
environment variable to the home directory of the target user
(which is root unless the
This effectively means that the
option is always implied.
is already set when the
option is enabled, so
is only effective for configurations where either
If set, users must authenticate themselves via a password (or other
means of authentication) before they may run commands.
This default may be overridden via the
.It closefrom_override
If set, the user may use
option which overrides the default starting point at which
begins closing open file descriptors.
is configured to log a command's input or output,
the I/O logs will be compressed using
will use the value of the
environment variables before falling back on the default editor list.
Note that this may create a security hole as it allows the user to
run any arbitrary command as root without logging.
A safer alternative is to place a colon-separated list of editors
will then only use the
if they match a value specified in
will run the command in a minimal environment containing the
variables in the caller's environment that match the
lists are then added, followed by any variables present in the file
The default contents of the
lists are displayed when
is run by root with the
option is set, its value will be used for the
environment variable.
function to do shell-style globbing when matching path names.
However, since it accesses the file system,
can take a long time to complete for some patterns, especially
when the pattern references a network file system that is mounted
on demand (auto mounted).
function, which does not access the file system to do its matching.
is that it is unable to match relative path names such as
This has security implications when path names that include globbing
characters are used with the negation operator,
as such rules can be trivially bypassed.
As such, this option should not be used when
contains rules that contain negated path names which include globbing
Set this flag if you want to put fully qualified host names in the
file when the local host name (as returned by the
command) does not contain the domain name.
In other words, instead of myhost you would use myhost.mydomain.edu.
You may still use the short form if you wish (and even mix the two).
This option is only effective when the
host name, as returned by the
function, is a fully-qualified domain name.
This is usually the case when the system is configured to use DNS
for host name resolution.
If the system is configured to use the
file in preference to DNS, the
host name may not be fully-qualified.
The order in which sources are queried for host name resolution
is usually specified in the
.Pa @nsswitch_conf@ ,
.Pa /etc/host.conf ,
.Pa /etc/resolv.conf
file, the first host name of the entry is considered to be the
name; subsequent names are aliases that are not used by
For example, the following hosts file line for the machine
has the fully-qualified domain name as the
host name, and the short version as an alias.
.Dl 192.168.1.1 xyzzy.sudo.ws xyzzy
If the machine's hosts file entry is not formatted properly, the
option will not be effective if it is queried before DNS.
Beware that when using DNS for host name resolution, turning on
to make DNS lookups which renders
unusable if DNS stops working (for example if the machine is disconnected
Also note that just like with the hosts file, you must use the
name as DNS knows it.
That is, you may not use a host alias
due to performance issues and the fact that there is no way to get all
will ignore "." or "" (both denoting current directory) in the
environment variable; the
itself is not modified.
.It ignore_local_sudoers
If set via LDAP, parsing of
.Pa @sysconfdir@/sudoers
This is intended for enterprises that wish to prevent the usage of local
sudoers files so that only LDAP is used.
This thwarts the efforts of rogue operators who would attempt to add roles to
.Pa @sysconfdir@/sudoers .
When this option is present,
.Pa @sysconfdir@/sudoers
does not even need to exist.
Since this option tells
how to behave when no specific LDAP entries have been matched, this
sudoOption is only meaningful for the
will insult users when they enter an incorrect password.
If set, the host name will be logged in the (non-syslog)
will run the command in a
and log all user input.
If the standard input is not connected to the user's tty, due to
I/O redirection or because the command is part of a pipeline, that
input is also captured and stored in a separate log file.
Input is logged to the directory specified by the
using a unique session ID that is included in the normal
log line, prefixed with
option may be used to control the format of the session ID.
Note that user input may contain sensitive information such as
passwords (even if they are not echoed to the screen), which will
be stored in the log file unencrypted.
In most cases, logging the command output via
is all that is required.
will run the command in a
and log all output that is sent to the screen, similar to the
If the standard output or standard error is not connected to the
user's tty, due to I/O redirection or because the command is part
of a pipeline, that output is also captured and stored in separate
Output is logged to the directory specified by the
using a unique session ID that is included in the normal
log line, prefixed with
option may be used to control the format of the session ID.
Output logs may be viewed with the
.Xr sudoreplay @mansectsu@
utility, which can also be used to list or search the available logs.
If set, the four-digit year will be logged in the (non-syslog)
When validating with a One Time Password (OTP) scheme such as
a two-line prompt is used to make it easier
to cut and paste the challenge to a local window.
It's not as pretty as the default but some people find it more convenient.
.Em @long_otp_prompt@
user every time a user runs
user if the user running
does not enter the correct password.
If the command the user is attempting to run is not permitted by
flags are set, this flag will have no effect.
If set, mail will be sent to the
user if the invoking user exists in the
file, but is not allowed to run commands on the current host.
If set, mail will be sent to the
user if the invoking user is allowed to use
but the command they are trying is not listed in their
file entry or is explicitly denied.
If set, mail will be sent to the
user if the invoking user is not in the
If set, all commands run via
will behave as if the
tag has been set, unless overridden by a
See the description of
below as well as the
.Sx Preventing shell escapes
section at the end of this manual.
will tell the user when a command could not be
environment variable.
Some sites may wish to disable this as it could be used to gather
information on the location of executables that the normal user does
The disadvantage is that if the executable is simply not in the user's
will tell the user that they are not allowed to run it, which can be confusing.
.It passprompt_override
The password prompt specified by
will normally only be used if the password prompt provided by systems
such as PAM matches the string
.Em passprompt_override
will always be used.
will initialize the group vector to the list of groups the target user is in.
is set, the user's existing group vector is left unaltered.
The real and effective group IDs, however, are still set to match the
reads the password like most other Unix programs,
by turning off echo until the user hits the return (or enter) key.
Some users become confused by this as it appears to them that
has hung at this point.
will provide visual feedback when the user presses a key.
Note that this does have a security impact as an onlooker may be able to
determine the length of the password being entered.
will only run when the user is logged in to a real tty.
When this flag is set,
can only be run from a login session and not via other means such as
.Xr cron @mansectsu@
If set, root is allowed to run
Disabling this prevents users from
1955
commands to get a root shell by doing something like
1956
.Dq Li sudo sudo /bin/sh .
1957
Note, however, that turning off
1959
will also prevent root from running
1963
provides no real additional security; it exists purely for historical reasons.
1970
will prompt for the root password instead of the password of the invoking user.
1977
will prompt for the password of the user defined by the
1980
.Li @runas_default@ )
1981
instead of the password of the invoking user.
1992
environment variable will be set to the home directory of the target
1993
user (which is root unless the
1996
This effectively makes the
2002
is already set when the
2004
option is enabled, so
2006
is only effective for configurations where either
2025
environment variables to the name of the target user (usually root unless the
2028
However, since some programs (including the RCS revision control system) use
2030
to determine the real identity of the user, it may be desirable to
2031
change this behavior.
2032
This can be done by negating the set_logname option.
2035
option has not been disabled, entries in the
2037
list will override the value of
2045
will create an entry in the utmp (or utmpx) file when a pseudo-tty
2047
A pseudo-tty is allocated by
2055
By default, the new entry will be a copy of the user's existing utmp
2056
entry (if any), with the tty, time, type and pid fields updated.
2061
Allow the user to disable the
2063
option from the command line via the
2066
Additionally, environment variables set via the command line are
2067
not subject to the restrictions imposed by
2072
As such, only trusted users should be allowed to set variables in this manner.
2079
is invoked with no arguments it acts as if the
2081
option had been given.
2082
That is, it runs a shell as root (the shell is determined by the
2084
environment variable if it is set, falling back on the shell listed
2085
in the invoking user's /etc/passwd entry if not).
2092
executes a command the real and effective UIDs are set to the target
2093
user (root by default).
2094
This option changes that behavior such that the real UID is left
2095
as the invoking user's UID.
2096
In other words, this makes
2098
act as a setuid wrapper.
2099
This can be useful on systems that disable some potentially
2100
dangerous functionality when a program is run setuid.
2101
This option is only effective on systems that support either the
2112
will prompt for the password of the user specified
2117
instead of the password of the invoking user.
2118
In addition, the time stamp file name will include the target user's name.
2119
Note that this flag precludes the use of a uid not listed in the passwd
2120
database as an argument to the
2127
If set, users must authenticate on a per-tty basis.
2128
With this flag enabled,
2130
will use a file named for the tty the user is
2131
logged in on in the user's time stamp directory.
2132
If disabled, the time stamp of the directory is used instead.
2139
will set the umask as specified by
2141
without modification.
2142
This makes it possible to specify a more permissive umask in
2144
than the user's own umask and matches historical behavior.
2149
will set the umask to be the union of the user's umask and what is specified in
2152
.Em @umask_override@
2157
will apply the defaults specified for the target user's login class
2161
is configured with the
2170
will run the command in a pseudo-pty even if no I/O logging is being done.
2171
A malicious program run under
2173
could conceivably fork a background process that retains access to the user's
2174
terminal device after the main program has finished executing.
2175
Use of this option will make that impossible.
2182
will store the name of the runas user when updating the utmp (or utmpx) file.
2185
stores the name of the invoking user.
2192
will refuse to run if the user must enter a password but it is not
2193
possible to disable echo on the terminal.
2198
will prompt for a password even when it would be visible on the screen.
2199
This makes it possible to run things like
2200
.Dq Li ssh somehost sudo ls
2204
not allocate a tty when running a command.
2213
Before it executes a command,
2215
will close all open file descriptors other than standard input,
2216
standard output and standard error (i.e., file descriptors 0-2).
2219
option can be used to specify a different file descriptor at which
2224
The number of tries a user gets to enter his/her password before
2226
logs the failure and exits.
2228
.Li @passwd_tries@ .
2231
.Sy Integers that can be used in a boolean context :
2234
Number of characters per line for the file log.
2235
This value is used to decide when to wrap lines for nicer log files.
2236
This has no effect on the syslog log file, only the file log.
2239
(use 0 or negate the option to disable word wrap).
2241
Number of minutes before the
2243
password prompt times out, or
2246
The timeout may include a fractional component
2247
if minute granularity is insufficient, for example
2251
.Li @password_timeout@ .
2252
.It timestamp_timeout
2253
Number of minutes that can elapse before
2255
will ask for a password again.
2256
The timeout may include a fractional component if
2257
minute granularity is insufficient, for example
2263
to always prompt for a password.
2264
If set to a value less than
2266
the user's time stamp will never expire.
2267
This can be used to allow users to create or delete their own time stamps via
2273
Umask to use when running the command.
2274
Negate this option or set it to 0777 to preserve the user's umask.
2275
The actual umask that is used will be the union of the user's umask
2276
and the value of the
2278
option, which defaults to
2283
never lowers the umask when running a command.
2284
Note: on systems that use PAM, the default PAM configuration may specify
2285
its own umask which will override the value set in
2292
Message that is displayed if a user enters an incorrect password.
2294
.Li @badpass_message@
2295
unless insults are enabled.
2299
separated list of editors allowed to be used with
2302
will choose the editor that matches the user's
2304
environment variable if possible, or the first editor in the
2305
list that exists and is executable.
2309
The top-level directory to use when constructing the path name for
2310
the input/output log directory.
2315
options are enabled or when the
2319
tags are present for a command.
2320
The session sequence number, if any, is stored in the directory.
2324
The following percent
2326
escape sequences are supported:
2329
expanded to a monotonically increasing base-36 sequence number, such as 0100A5,
2330
where every two digits are used to form a new directory, e.g.\&
2333
expanded to the invoking user's login name
2335
expanded to the name of the invoking user's real group ID
2336
.It Li %{runas_user}
2337
expanded to the login name of the user the command will
2338
be run as (e.g.\& root)
2339
.It Li %{runas_group}
2340
expanded to the group name of the user the command will
2341
be run as (e.g.\& wheel)
2343
expanded to the local host name without the domain name
2345
expanded to the base name of the command being run
2348
In addition, any escape sequences supported by the system's
2350
function will be expanded.
2352
To include a literal
2354
character, the string
2358
The path name, relative to
2360
in which to store input/output logs when the
2364
options are enabled or when the
2368
tags are present for a command.
2371
may contain directory components.
2377
option above for a list of supported percent
2381
In addition to the escape sequences, path names that end in six or
2386
replaced with a unique combination of digits and letters, similar to the
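As an added illustration, not sudo's own code, the following Python models the path construction that the iolog_dir and iolog_file escapes describe: %{seq} as a zero-padded base-36 session number split two digits per directory, the remaining %{...} escapes, strftime(3) escapes in the literal text, %% for a literal %, and a trailing run of six or more Xs replaced mkstemp-style. The base directory, the sample time stamp and the alphabet used for the X suffix are assumptions.

```python
import os
import re
import secrets
import string
import time
from typing import Optional

# Added example, not sudo's own code: a model of how a sudoers I/O log path
# is built from the iolog_dir / iolog_file templates described above.
BASE36 = string.digits + string.ascii_uppercase
TOKEN_RE = re.compile(r'%\{(\w+)\}')
# Constructed time stamp so the strftime escapes expand deterministically.
EXAMPLE_WHEN = time.strptime('2013-03-04 10:12:44', '%Y-%m-%d %H:%M:%S')


def base36(n: int, width: int = 6) -> str:
    """Encode a non-negative session sequence number as zero-padded base 36."""
    if n < 0:
        raise ValueError('sequence number must be non-negative')
    digits = ''
    while n:
        n, rem = divmod(n, 36)
        digits = BASE36[rem] + digits
    return digits.rjust(width, '0')


def seq_dirs(seq: int) -> str:
    """%{seq}: every two base-36 digits form a directory, e.g. 0100A5 -> 01/00/A5."""
    s = base36(seq)
    return '/'.join(s[i:i + 2] for i in range(0, len(s), 2))


def expand_iolog_path(template: str, *, seq: int, user: str, group: str,
                      runas_user: str, runas_group: str, hostname: str,
                      command: str, when: Optional[time.struct_time] = None) -> str:
    """Expand %{...} escapes, then strftime(3) escapes, then a trailing XXXXXX run."""
    when = when if when is not None else time.localtime()
    values = {
        'seq': seq_dirs(seq),
        'user': user,
        'group': group,
        'runas_user': runas_user,
        'runas_group': runas_group,
        'hostname': hostname.split('.', 1)[0],   # host name without the domain
        'command': os.path.basename(command),    # base name of the command
    }
    out = []
    pos = 0
    for m in TOKEN_RE.finditer(template):
        # Only the literal text goes through strftime, so a '%' inside a
        # user or command name is never re-interpreted as a time escape.
        out.append(time.strftime(template[pos:m.start()], when))
        name = m.group(1)
        if name not in values:
            raise ValueError(f'unsupported escape %{{{name}}}')
        out.append(values[name])
        pos = m.end()
    out.append(time.strftime(template[pos:], when))   # also turns %% into %
    path = ''.join(out)
    # A path ending in six or more Xs gets a unique alphanumeric suffix
    # (assumption: drawn from a CSPRNG over letters and digits).
    m = re.search(r'X{6,}$', path)
    if m:
        alphabet = string.ascii_letters + string.digits
        suffix = ''.join(secrets.choice(alphabet) for _ in range(len(m.group(0))))
        path = path[:m.start()] + suffix
    return path


def iolog_session_path(iolog_dir: str, iolog_file: str, **kw) -> str:
    """Join the expanded directory and file templates into one session path."""
    return os.path.join(expand_iolog_path(iolog_dir, **kw),
                        expand_iolog_path(iolog_file, **kw))


if __name__ == '__main__':
    # /var/log/sudo-io is an assumed base directory, not read from this page.
    print(iolog_session_path('/var/log/sudo-io', '%{seq}',
                             seq=int('0100A5', 36), user='millert', group='wheel',
                             runas_user='root', runas_group='wheel',
                             hostname='bigtime.example.com', command='/usr/bin/ls',
                             when=EXAMPLE_WHEN))
```

Given a TSID from a log line, the same expansion tells an analyst which directory under iolog_dir holds that session's input and output logs.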
2390
The default Solaris limit privileges to use when constructing a new
2391
privilege set for a command.
2392
This bounds all privileges of the executing process.
2393
The default limit privileges may be overridden on a per-command basis in
2395
This option is only available if
2397
is built on Solaris 10 or higher.
2399
Subject of the mail sent to the
2404
will expand to the host name of the machine.
2408
This option is no longer supported.
2409
The path to the noexec file should now be set in the
2410
.Pa @sysconfdir@/sudo.conf
2413
The default prompt to use when asking for a password; can be overridden via the
2417
environment variable.
2418
The following percent
2420
escape sequences are supported:
2423
expanded to the local host name including the domain name
2424
(only if the machine's host name is fully qualified or the
2428
expanded to the local host name without the domain name
2430
expanded to the user whose password is being asked for (respects the
2438
expanded to the login name of the user the command will
2439
be run as (defaults to root)
2441
expanded to the invoking user's login name
2445
characters are collapsed into a single
2450
The default value is
2451
.Dq Li @passprompt@ .
2453
The default Solaris privileges to use when constructing a new
2454
privilege set for a command.
2455
This is passed to the executing process via the inherited privilege set,
2456
but is bounded by the limit privileges.
2459
option is specified but the
2461
option is not, the limit privileges of the executing process are set to
2463
The default privileges may be overridden on a per-command basis in
2465
This option is only available if
2467
is built on Solaris 10 or higher.
2469
The default SELinux role to use when constructing a new security
2470
context to run the command.
2471
The default role may be overridden on a per-command basis in
2473
or via command line options.
2474
This option is only available when
2476
is built with SELinux support.
2478
The default user to run commands as if the
2480
option is not specified on the command line.
2482
.Li @runas_default@ .
2484
Syslog priority to use when user authenticates unsuccessfully.
2488
The following syslog priorities are supported:
2499
Syslog priority to use when user authenticates successfully.
2505
for the list of supported syslog priorities.
2507
Locale to use when parsing the sudoers file, logging commands, and
2509
Note that changing the locale may affect how sudoers is interpreted.
2513
The directory in which
2515
stores its time stamp files.
2519
The owner of the time stamp directory and the time stamps stored therein.
2523
The default SELinux type to use when constructing a new security
2524
context to run the command.
2525
The default type may be overridden on a per-command basis in
2527
or via command line options.
2528
This option is only available when
2530
is built with SELinux support.
2533
.Sy Strings that can be used in a boolean context :
2538
option specifies the fully qualified path to a file containing variables
2539
to be set in the environment of the program being run.
2540
Entries in this file should either be of the form
2541
.Dq Li VARIABLE=value
2543
.Dq Li export VARIABLE=value .
2544
The value may optionally be surrounded by single or double quotes.
2545
Variables in this file are subject to other
2547
environment settings such as
2552
Users in this group are exempt from password and PATH requirements.
2553
The group name specified should not include a
2556
This is not set by default.
2558
A string containing a
2560
group plugin with optional arguments.
2561
This can be used to implement support for the
2563
syntax described earlier.
2564
The string should consist of the plugin
2565
path, either fully-qualified or relative to the
2566
.Pa @prefix@/libexec
2567
directory, followed by any configuration arguments the plugin requires.
2568
These arguments (if any) will be passed to the plugin's initialization function.
2569
If arguments are present, the string must be enclosed in double quotes
2573
.Pa /etc/sudo-group ,
2574
a group file in Unix group format, the sample group plugin can be used:
2576
Defaults group_plugin="sample_group.so /etc/sudo-group"
2579
For more information see
2580
.Xr sudo_plugin @mansectform@ .
2582
This option controls when a short lecture will be printed along with
2583
the password prompt.
2584
It has the following possible values:
2587
Always lecture the user.
2589
Never lecture the user.
2591
Only lecture the user the first time they run
2595
If no value is specified, a value of
2598
Negating the option results in a value of
2601
The default value is
2604
Path to a file containing an alternate
2606
lecture that will be used in place of the standard lecture if the named
2610
uses a built-in lecture.
2612
This option controls when a password will be required when a user runs
2617
It has the following possible values:
2622
entries for the current host must have
2625
flag set to avoid entering a password.
2627
The user must always enter a password to use the
2631
At least one of the user's
2633
entries for the current host
2636
flag set to avoid entering a password.
2638
The user need never enter a password to use the
2643
If no value is specified, a value of
2646
Negating the option results in a value of
2649
The default value is
2654
log file (not the syslog log file).
2655
Setting a path turns on logging to a file;
2656
negating this option turns it off.
2661
Flags to use when invoking the mailer. Defaults to
2664
Path to mail program used to send warning mail.
2665
Defaults to the path to sendmail found at configure time.
2667
Address to use for the
2669
address when sending warning and error mail.
2670
The address should be enclosed in double quotes
2677
Defaults to the name of the user running
2680
Address to send warning and error mail to.
2681
The address should be enclosed in double quotes
2691
Path used for every command run from
2693
If you don't trust the
2698
environment variable you may want to use this.
2699
Another use is if you want to have the
2701
be separate from the
2703
Users in the group specified by the
2705
option are not affected by
2707
This option is @secure_path@ by default.
2709
Syslog facility if syslog is being used for logging (negate to
2710
disable syslog logging).
2714
The following syslog facilities are supported:
2731
This option controls when a password will be required when a user runs
2736
It has the following possible values:
2741
entries for the current host must have the
2743
flag set to avoid entering a password.
2745
The user must always enter a password to use the
2749
At least one of the user's
2751
entries for the current host must have the
2753
flag set to avoid entering a password.
2755
The user need never enter a password to use the
2760
If no value is specified, a value of
2763
Negating the option results in a value of
2766
The default value is
2770
.Sy Lists that can be used in a boolean context :
2773
Environment variables to be removed from the user's environment if
2774
the variable's value contains
2779
This can be used to guard against printf-style format vulnerabilities
2780
in poorly-written programs.
2781
The argument may be a double-quoted, space-separated list or a
2782
single value without double-quotes.
2783
The list can be replaced, added to, deleted from, or disabled by using
2790
operators respectively.
2791
Regardless of whether the
2793
option is enabled or disabled, variables specified by
2795
will be preserved in the environment if they pass the aforementioned check.
2796
The default list of environment variables to check is displayed when
2803
Environment variables to be removed from the user's environment when the
2805
option is not in effect.
2806
The argument may be a double-quoted, space-separated list or a
2807
single value without double-quotes.
2808
The list can be replaced, added to, deleted from, or disabled by using the
2814
operators respectively.
2815
The default list of environment variables to remove is displayed when
2817
is run by root with the
2820
Note that many operating systems will remove potentially dangerous
2821
variables from the environment of any setuid process (such as
2824
Environment variables to be preserved in the user's environment when the
2826
option is in effect.
2827
This allows fine-grained control over the environment
2828
.Nm sudo Ns No -spawned
2829
processes will receive.
2830
The argument may be a double-quoted, space-separated list or a
2831
single value without double-quotes.
2832
The list can be replaced, added to, deleted from, or disabled by using the
2838
operators respectively.
2839
The default list of variables to keep
2842
is run by root with the
2848
can log events using either
2850
or a simple log file.
2851
In each case the log format is almost identical.
2852
.Ss Accepted command log entries
2853
Commands that sudo runs are logged using the following format (split
2854
into multiple lines for readability):
2855
.Bd -literal -offset 4n
date hostname progname: username : TTY=ttyname ; PWD=cwd ; \e
    USER=runasuser ; GROUP=runasgroup ; TSID=logid ; \e
    ENV=env_vars COMMAND=command
2861
Where the fields are as follows:
2864
The date the command was run.
2865
Typically, this is in the format
2866
.Dq MMM, DD, HH:MM:SS .
2869
the actual date format is controlled by the syslog daemon.
2870
If logging to a file and the
2873
the date will also include the year.
2875
The name of the host
2878
This field is only present when logging via
2881
The name of the program, usually
2885
This field is only present when logging via
2888
The login name of the user who ran
2891
The short name of the terminal (e.g.\&
2899
if there was no terminal present.
2901
The current working directory that
2905
The user the command was run as.
2907
The group the command was run as if one was specified on the command line.
2909
An I/O log identifier that can be used to replay the command's output.
2910
This is only present when the
2916
A list of environment variables specified on the command line,
2919
The actual command that was executed.
2922
Messages are logged using the locale specified by
2923
.Em sudoers_locale ,
2924
which defaults to the
2927
.Ss Denied command log entries
2928
If the user is not allowed to run the command, the reason for the denial
2929
will follow the user name.
2930
Possible reasons include:
2932
.It user NOT in sudoers
2933
The user is not listed in the
2936
.It user NOT authorized on host
2937
The user is listed in the
2939
file but is not allowed to run commands on the host.
2940
.It command not allowed
2941
The user is listed in the
2943
file for the host but they are not allowed to run the specified command.
2944
.It 3 incorrect password attempts
2945
The user failed to enter their password after 3 tries.
2946
The actual number of tries will vary based on the number of
2947
failed attempts and the value of the
2950
.It a password is required
2953
option was specified but a password was required.
2954
.It sorry, you are not allowed to set the following environment variables
2955
The user specified environment variables on the command line that
2959
.Ss Error log entries
2962
will log a message and, in most cases, send a message to the
2963
administrator via email.
2964
Possible errors include:
2966
.It parse error in @sysconfdir@/sudoers near line N
2968
encountered an error when parsing the specified file.
2969
In some cases, the actual error may be one line above or below the
2970
line number listed, depending on the type of error.
2971
.It problem with defaults entries
2974
file contains one or more unknown Defaults settings.
2975
This does not prevent
2977
from running, but the
2979
file should be checked using
2981
.It timestamp owner (username): \&No such user
2982
The time stamp directory owner, as specified by the
2984
setting, could not be found in the password database.
2985
.It unable to open/read @sysconfdir@/sudoers
2988
file could not be opened for reading.
2989
This can happen when the
2991
file is located on a remote file system that maps user ID 0 to
2997
using group permissions to avoid this problem.
2998
Consider changing the ownership of
2999
.Pa @sysconfdir@/sudoers
3000
by adding an option like
3004
is the user ID that owns the
3009
.Pa @sysconfdir@/sudo.conf
3011
.It unable to stat @sysconfdir@/sudoers
3013
.Pa @sysconfdir@/sudoers
3015
.It @sysconfdir@/sudoers is not a regular file
3017
.Pa @sysconfdir@/sudoers
3018
file exists but is not a regular file or symbolic link.
3019
.It @sysconfdir@/sudoers is owned by uid N, should be 0
3022
file has the wrong owner.
3023
If you wish to change the
3025
file owner, please add
3029
is the user ID that owns the
3034
.Pa @sysconfdir@/sudo.conf
3036
.It @sysconfdir@/sudoers is world writable
3037
The permissions on the
3039
file allow all users to write to it.
3042
file must not be world-writable, the default file mode
3043
is 0440 (readable by owner and group, writable by none).
3044
The default mode may be changed via the
3049
.Pa @sysconfdir@/sudo.conf
3051
.It @sysconfdir@/sudoers is owned by gid N, should be 1
3054
file has the wrong group ownership.
3055
If you wish to change the
3057
file group ownership, please add
3061
is the group ID that owns the
3066
.Pa @sysconfdir@/sudo.conf
3068
.It unable to open @timedir@/username/ttyname
3070
was unable to read or create the user's time stamp file.
3071
.It unable to write to @timedir@/username/ttyname
3073
was unable to write to the user's time stamp file.
3074
.It unable to mkdir to @timedir@/username
3076
was unable to create the user's time stamp directory.
3078
.Ss Notes on logging via syslog
3088
fields are added by the syslog daemon, not
3091
As such, they may vary in format on different systems.
3095
has a relatively small log buffer.
3096
To prevent the command line arguments from being truncated,
3098
will split up log messages that are larger than 960 characters
3099
(not including the date, hostname, and the string
3101
When a message is split, additional parts will include the string
3102
.Dq Pq command continued
3103
after the user name and before the continued command line arguments.
3104
.Ss Notes on logging to a file
3109
will log to a local file, such as
3111
When logging to a file,
3113
uses a format similar to
3115
with a few important differences:
3122
fields are not present.
3127
the date will also include the year.
3129
Lines that are longer than
3131
characters (80 by default) are word-wrapped and continued on the
3132
next line with a four character indent.
3133
This makes entries easier to read for a human being, but makes it
3134
more difficult to use
3139
option is set to 0 (or negated with a
3141
word wrap will be disabled.
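The accepted and denied log entries described above, together with the syslog message splitting and the file-log word wrapping just described, as an added Python parser that is not part of sudo. The sample lines are constructed, and the " : " separator between the date and the user name in the file log is an assumption about the format.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Added example, not part of sudo.  Syslog form of a sudoers log entry:
#   date hostname progname: username : [reason ; ]TTY=... ; PWD=... ; \
#       USER=... ; GROUP=... ; TSID=... ; ENV=vars COMMAND=command
# The file log lacks hostname/progname, may carry the year (log_year) and
# word-wraps long lines with a four-space indent (loglinelen).
# Assumption: the file log separates the date from the user name with " : ".
FILE_RE = re.compile(
    r'^(?P<date>[A-Z][a-z]{2}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2}(?:\s+\d{4})?)\s*:?\s+(?P<rest>.*)$')
SYSLOG_RE = re.compile(
    r'^(?P<date>[A-Z][a-z]{2}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2})\s+(?P<host>\S+)\s+'
    r'(?P<prog>[^:\s]+):\s+(?P<rest>.*)$')
CONTINUED = '(command continued) '


@dataclass
class SudoLogEntry:
    date: str
    user: str
    reason: Optional[str] = None            # None means the command was accepted
    fields: Dict[str, str] = field(default_factory=dict)
    continued: bool = False                 # a split-message fragment (syslog)
    hostname: Optional[str] = None
    progname: Optional[str] = None

    @property
    def accepted(self) -> bool:
        return self.reason is None and not self.continued


def unwrap_file_log(lines: List[str]) -> List[str]:
    """Rejoin lines that sudoers wrapped at loglinelen (four-character indent)."""
    out: List[str] = []
    for raw in lines:
        line = raw.rstrip('\n')
        if line.startswith('    ') and out:
            out[-1] += ' ' + line.lstrip()
        else:
            out.append(line)
    return out


def parse_entry(line: str, syslog: bool = False) -> SudoLogEntry:
    """Parse one complete (unwrapped) accepted, denied or continued log line."""
    m = (SYSLOG_RE if syslog else FILE_RE).match(line)
    if not m:
        raise ValueError(f'unrecognised sudo log line: {line!r}')
    user, sep, rest = m.group('rest').partition(' : ')
    if not sep:
        raise ValueError(f'no user name in: {line!r}')
    entry = SudoLogEntry(date=m.group('date'), user=user,
                         hostname=m.groupdict().get('host'),
                         progname=m.groupdict().get('prog'))
    if rest.startswith(CONTINUED):
        # Syslog messages over 960 characters are split; later parts carry
        # only the continued command-line arguments after the user name.
        entry.continued = True
        entry.fields['COMMAND'] = rest[len(CONTINUED):]
        return entry
    # COMMAND is always last and may itself contain " ; ", so cut it off first.
    idx = rest.find('COMMAND=')
    if idx >= 0:
        entry.fields['COMMAND'] = rest[idx + len('COMMAND='):]
        rest = rest[:idx].rstrip(' ;')
    for chunk in rest.split(' ; '):
        key, eq, value = chunk.strip().partition('=')
        if eq and key.isupper():
            entry.fields[key] = value        # TTY, PWD, USER, GROUP, TSID, ENV
        elif chunk.strip() and entry.reason is None:
            entry.reason = chunk.strip()     # a denial reason precedes the fields
    return entry


def parse_log(text: str, syslog: bool = False) -> List[SudoLogEntry]:
    lines = text.splitlines()
    if not syslog:
        lines = unwrap_file_log(lines)
    return [parse_entry(ln, syslog) for ln in lines if ln.strip()]


def denied(entries: List[SudoLogEntry]) -> List[tuple]:
    # (user, reason, command) for every refused request: the rows worth alerting on.
    return [(e.user, e.reason, e.fields.get('COMMAND', ''))
            for e in entries if e.reason is not None]


# Constructed sample input (not real logs); names follow this manual's EXAMPLES.
SYSLOG_SAMPLE = """\
Mar  4 10:15:02 bigtime sudo:   jwfox : command not allowed ; TTY=pts/1 ; PWD=/home/jwfox ; USER=root ; COMMAND=/usr/bin/su -
Mar  4 10:15:02 bigtime sudo:   jwfox : (command continued) --login
Mar  4 10:16:10 www sudo:    wendy : TTY=pts/2 ; PWD=/var/www ; USER=www ; GROUP=www ; TSID=0000A5 ; ENV=HOME=/var/www COMMAND=/usr/bin/make install
"""
FILE_SAMPLE = """\
Mar  4 10:12:44 2013 : millert : TTY=pts/3 ; PWD=/home/millert ; USER=root ;
    COMMAND=/usr/bin/ls /etc
Mar  4 10:18:31 2013 : bostley : 3 incorrect password attempts ; TTY=pts/4 ;
    PWD=/home/bostley ; USER=root ; COMMAND=/usr/sbin/reboot
"""
```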
3145
.Pa @sysconfdir@/sudo.conf
3146
file determines which plugins the
3148
front end will load.
3150
.Pa @sysconfdir@/sudo.conf
3152
is present, or it contains no
3158
security policy and I/O logging, which corresponds to the following
3159
.Pa @sysconfdir@/sudo.conf
3163
# Default @sysconfdir@/sudo.conf file
#
# Plugin plugin_name plugin_path plugin_options ...
# Path askpass /path/to/askpass
# Path noexec /path/to/sudo_noexec.so
# Debug sudo /var/log/sudo_debug all@warn
# Set disable_coredump true
#
# The plugin_path is relative to @prefix@/libexec unless
# The plugin_name corresponds to a global symbol in the plugin
# that contains the plugin interface structure.
# The plugin_options are optional.
#
Plugin policy_plugin sudoers.so
Plugin io_plugin sudoers.so
3184
1.8.5, it is possible to pass options to the
3187
Options may be listed after the path to the plugin (i.e.\& after
3189
multiple options should be space-separated.
3192
Plugin sudoers_policy sudoers.so sudoers_file=/etc/sudoers sudoers_uid=0 sudoers_gid=0 sudoers_mode=0440
3195
The following plugin options are supported:
3197
.It sudoers_file=pathname
3200
option can be used to override the default path
3207
option can be used to override the default owner of the sudoers file.
3208
It should be specified as a numeric user ID.
3212
option can be used to override the default group of the sudoers file.
3213
It should be specified as a numeric group ID.
3214
.It sudoers_mode=mode
3217
option can be used to override the default file mode for the sudoers file.
3218
It should be specified as an octal value.
3221
Versions 1.8.4 and higher of the
3223
plugin support a debugging framework that can help track down what the
3224
plugin is doing internally if there is a problem.
3225
This can be configured in the
3226
.Pa @sysconfdir@/sudo.conf
3227
file as described in
3228
.Xr sudo @mansectsu@ .
3232
plugin uses the same debug flag format as the
3235
.Em subsystem Ns No @ Ns Em priority .
3237
The priorities used by
3239
in order of decreasing severity,
3250
Each priority, when specified, also includes all priorities higher than it.
3251
For example, a priority of
3253
would include debug messages logged at
3257
The following subsystems are used by
3268
matches every subsystem
3270
BSM and Linux audit code
3278
environment handling
3284
matching of users, groups, hosts and netgroups in
3287
network interface handling
3289
network service switch handling in
3301
pseudo-tty related code
3303
redblack tree internals
3309
.It Pa @sysconfdir@/sudo.conf
3310
Sudo front end configuration
3311
.It Pa @sysconfdir@/sudoers
3312
List of who can run what
3315
.It Pa /etc/netgroup
3316
List of network groups
3320
Directory containing time stamps for the
3323
.It Pa /etc/environment
3324
Initial environment for
3326
mode on AIX and Linux systems
3332
Admittedly, some of these are a bit contrived.
3333
First, we allow a few environment variables to pass and then define our
3336
# Run X applications through sudo; HOME is used to find the
# .Xauthority file.  Note that other programs use HOME to find
# configuration files and this may lead to privilege escalation!
Defaults env_keep += "DISPLAY HOME"

# User alias specification
User_Alias FULLTIMERS = millert, mikef, dowdy
User_Alias PARTTIMERS = bostley, jwfox, crawl
User_Alias WEBMASTERS = will, wendy, wim

# Runas alias specification
Runas_Alias OP = root, operator
Runas_Alias DB = oracle, sybase
Runas_Alias ADMINGRP = adm, oper

# Host alias specification
Host_Alias SPARC = bigtime, eclipse, moet, anchor :\e
        SGI = grolsch, dandelion, black :\e
        ALPHA = widget, thalamus, foobar :\e
        HPPA = boa, nag, python
Host_Alias CUNETS = 128.138.0.0/255.255.0.0
Host_Alias CSNETS = 128.138.243.0, 128.138.204.0/24, 128.138.242.0
Host_Alias SERVERS = master, mail, www, ns
Host_Alias CDROM = orion, perseus, hercules

# Cmnd alias specification
Cmnd_Alias DUMPS = /usr/bin/mt, /usr/sbin/dump, /usr/sbin/rdump,\e
        /usr/sbin/restore, /usr/sbin/rrestore
Cmnd_Alias KILL = /usr/bin/kill
Cmnd_Alias PRINTING = /usr/sbin/lpc, /usr/bin/lprm
Cmnd_Alias SHUTDOWN = /usr/sbin/shutdown
Cmnd_Alias HALT = /usr/sbin/halt
Cmnd_Alias REBOOT = /usr/sbin/reboot
Cmnd_Alias SHELLS = /usr/bin/sh, /usr/bin/csh, /usr/bin/ksh,\e
        /usr/local/bin/tcsh, /usr/bin/rsh,\e
Cmnd_Alias SU = /usr/bin/su
Cmnd_Alias PAGERS = /usr/bin/more, /usr/bin/pg, /usr/bin/less
3376
Here we override some of the compiled-in default values.
3383
facility in all cases.
3384
We don't want to subject the full time staff to the
3388
need not give a password, and we don't want to reset the
3393
environment variables when running commands as root.
3394
Additionally, on the machines in the
3397
we keep an additional local log file and make sure we log the year
3398
in each log line since the log entries will be kept around for several years.
3399
Lastly, we disable shell escapes for the commands in the PAGERS
3408
# Override built-in defaults
Defaults syslog=auth
Defaults>root !set_logname
Defaults:FULLTIMERS !lecture
Defaults:millert !authenticate
Defaults@SERVERS log_year, logfile=/var/log/sudo.log
Defaults!PAGERS noexec
3418
.Em User specification
3419
is the part that actually determines who may run what.
3421
root ALL = (ALL) ALL
%wheel ALL = (ALL) ALL
3427
and any user in group
run any command on any host as any user.
FULLTIMERS ALL = NOPASSWD: ALL
may run any command on any host without authenticating themselves.
PARTTIMERS ALL = ALL
may run any command on any host but they must authenticate themselves
first (since the entry lacks the
may run any command on the machines in the
.Li 128.138.242.0 ) .
Of those networks, only
has an explicit netmask (in CIDR notation) indicating it is a class C network.
For the other networks in
the local machine's netmask will be used during matching.
may run any command on any host in the
alias (the class B network
operator ALL = DUMPS, KILL, SHUTDOWN, HALT, REBOOT, PRINTING,\e
sudoedit /etc/printcap, /usr/oper/bin/
user may run commands limited to simple maintenance.
Here, those are commands related to backups, killing processes, the
printing system, shutting down the system, and any commands in the
.Pa /usr/oper/bin/ .
joe ALL = /usr/bin/su operator
pete HPPA = /usr/bin/passwd [A-Za-z]*, !/usr/bin/passwd root
%opers ALL = (: ADMINGRP) /usr/sbin/
group may run commands in
with any group in the
is allowed to change anyone's password except for
Note that this assumes
does not take multiple user names on the command line.
bob SPARC = (OP) ALL : SGI = (OP) ALL
may run anything on the
machines as any user listed in the
may run any command on machines in the
is a netgroup due to the
+secretaries ALL = PRINTING, /usr/bin/adduser, /usr/bin/rmuser
netgroup need to help manage the printers as well as add and remove users,
so they are allowed to run those commands on all machines.
fred ALL = (DB) NOPASSWD: ALL
can run commands as any user in the
without giving a password.
john ALPHA = /usr/bin/su [!-]*, !/usr/bin/su *root*
may su to anyone except root but he is not allowed to specify any options
jen ALL, !SERVERS = ALL
may run any command on any machine except for those in the
(master, mail, www and ns).
jill SERVERS = /usr/bin/, !SU, !SHELLS
For any machine in the
any commands in the directory
except for those commands
steve CSNETS = (operator) /usr/local/op_commands/
may run any command in the directory /usr/local/op_commands/
but only as user operator.
matt valkyrie = KILL
On his personal workstation, valkyrie,
needs to be able to kill hung processes.
WEBMASTERS www = (www) ALL, (root) /usr/bin/su www
On the host www, any user in the
(will, wendy, and wim), may run any command as user www (which owns the
web pages) or simply
ALL CDROM = NOPASSWD: /sbin/umount /CDROM,\e
/sbin/mount -o nosuid\,nodev /dev/cd0a /CDROM
Any user may mount or unmount a CD-ROM on the machines in the CDROM
(orion, perseus, hercules) without entering a password.
This is a bit tedious for users to type, so it is a prime candidate
for encapsulating in a shell script.
3666
.Ss Limitations of the So !\& Sc operator
It is generally not effective to
A user can trivially circumvent this by copying the desired command
to a different name and then executing that.
bill ALL = ALL, !SU, !SHELLS
Doesn't really prevent
from running the commands listed in
since he can simply copy those commands to a different name, or use
a shell escape from an editor or other program.
Therefore, these kinds of restrictions should be considered
advisory at best (and reinforced by policy).
In general, if a user has sudo
there is nothing to prevent them from creating their own program that gives
them a root shell (or making their own copy of a shell) regardless of any
elements in the user specification.
3698
.Ss Security implications of Em fast_glob
option is in use, it is not possible to reliably negate commands where the
path name includes globbing (aka wildcard) characters.
This is because the C library's
function cannot resolve relative paths.
While this is typically only an inconvenience for rules that grant privileges,
it can result in a security issue for rules that subtract or revoke privileges.
For example, given the following
john ALL = /usr/bin/passwd [a-zA-Z0-9]*, /usr/bin/chsh [a-zA-Z0-9]*,\e
/usr/bin/chfn [a-zA-Z0-9]*, !/usr/bin/* root
.Li /usr/bin/passwd root
is enabled by changing to
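To see why a negated wildcard entry cannot be relied on once fast_glob is on, here is a small model of the two matching modes (an added example, not sudo's own code): entries without wildcards and glob(3) results are compared by device and inode, while fast_glob applies fnmatch(3) to the path string as typed. It assumes a temporary directory standing in for /usr/bin, an empty file standing in for passwd, and a simplified argument match; FNM_PATHNAME is not modelled.

```python
import fnmatch
import glob
import os
import tempfile

def same_file(path_a, path_b):
    """Compare by device/inode, as sudoers does when no wildcard is involved."""
    try:
        a, b = os.stat(path_a), os.stat(path_b)
    except OSError:
        return False
    return (a.st_dev, a.st_ino) == (b.st_dev, b.st_ino)

def command_matches(sudoers_cmnd, user_cmnd, fast_glob):
    """Does a sudoers command entry match the command path the user typed?"""
    if not any(c in sudoers_cmnd for c in "*?["):
        return same_file(sudoers_cmnd, user_cmnd)   # no wildcard: compare files
    if fast_glob:   # fnmatch(3) on the string as typed; "./passwd" never matches
        return fnmatch.fnmatchcase(user_cmnd, sudoers_cmnd)   # "/usr/bin/*"
    # Default: expand the pattern with glob(3) and compare the files themselves.
    return any(same_file(p, user_cmnd) for p in glob.glob(sudoers_cmnd))

def allowed(entries, user_cmnd, user_args, fast_glob):
    """Evaluate (negated, cmnd, args) entries in order: the last match wins and
    a negated match denies. Arguments are matched with fnmatch(3) in both modes."""
    result = False
    for negated, cmnd, args in entries:
        if (command_matches(cmnd, user_cmnd, fast_glob)
                and fnmatch.fnmatchcase(user_args, args)):
            result = not negated
    return result

def demo():
    """Constructed /usr/bin stand-in with an empty 'passwd'; rule shape from the
    page: 'passwd [a-zA-Z0-9]*, !<bindir>/* root'. Is 'passwd root' allowed?"""
    with tempfile.TemporaryDirectory() as bindir:
        passwd = os.path.join(bindir, "passwd")
        open(passwd, "w").close()
        entries = [(False, passwd, "[a-zA-Z0-9]*"),
                   (True, os.path.join(bindir, "*"), "root")]
        cwd = os.getcwd()
        os.chdir(bindir)  # the requesting shell sits in bindir for "./passwd"
        try:
            return {(mode, form): allowed(entries, cmnd, "root", mode == "fast_glob")
                    for mode in ("glob", "fast_glob")
                    for form, cmnd in (("absolute", passwd), ("relative", "./passwd"))}
        finally:
            os.chdir(cwd)
```

Only the (fast_glob, relative) combination comes back allowed: the non-wildcard grant still matches by inode, but the fnmatch-based negation no longer does, which is the reason not to combine fast_glob with negated wildcard entries.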
3728
.Ss Preventing shell escapes
executes a program, that program is free to do whatever
it pleases, including running other programs.
This can be a security issue since it is not uncommon for a program to
allow shell escapes, which lets a user bypass
access control and logging.
Common programs that permit shell escapes include shells (obviously),
editors, paginators, mail and terminal programs.
There are two basic approaches to this problem:
Avoid giving users access to commands that allow the user to run
Many editors have a restricted mode where shell
escapes are disabled, though
is a better solution to
Due to the large number of programs that
offer shell escapes, restricting users to the set of programs that
do not is often unworkable.
Many systems that support shared libraries have the ability to
override default library functions by pointing an environment
to an alternate shared library.
functionality can be used to prevent a program run by
from executing any other programs.
Note, however, that this applies only to native dynamically-linked
Statically-linked executables and foreign executables
running under binary emulation are not affected.
feature is known to work on SunOS, Solaris, *BSD,
Linux, IRIX, Tru64 UNIX, MacOS X, HP-UX 11.x and AIX 5.3 and above.
It should be supported on most operating systems that support the
environment variable.
Check your operating system's manual pages for the dynamic linker
(usually ld.so, ld.so.1, dyld, dld.sl, rld, or loader) to see if
On Solaris 10 and higher,
uses Solaris privileges instead of the
environment variable.
for a command, use the
in the User Specification section above.
Here is that example again:
aaron shanty = NOEXEC: /usr/bin/more, /usr/bin/vi
This will prevent those two commands from
executing other commands (such as a shell).
If you are unsure whether or not your system is capable of supporting
you can always just try it out and check whether shell escapes work when
Note that restricting shell escapes is not a panacea.
Programs running as root are still capable of many potentially hazardous
operations (such as changing or overwriting files) that could lead
to unintended privilege escalation.
In the specific case of an editor, a safer approach is to give the
user permission to run
3825
.Ss Time stamp file checks
will check the ownership of its time stamp directory
and ignore the directory's contents if it is not owned by root or
if it is writable by a user other than root.
On systems that allow non-root users to give away files via
if the time stamp directory is located in a world-writable
it is possible for a user to create the time stamp directory before
checks the ownership and mode of the directory and its
contents, the only damage that can be done is to
files by putting them in the time stamp dir.
This is unlikely to happen since once the time stamp dir is owned by root
and inaccessible by any other user, the user placing files there would be
unable to get them back out.
will not honor time stamps set far in the future.
Time stamps with a date greater than current_time + 2 *
will be ignored and sudo will log and complain.
This is done to keep a user from creating his/her own time stamp with a
bogus date on systems that allow users to give away files if the time
stamp directory is located in a world-writable directory.
On systems where the boot time is available,
will ignore time stamps that date from before the machine booted.
Since time stamp files live in the file system, they can outlive a
user's login session.
As a result, a user may be able to log in, run a command with
after authenticating, log out, log in again, and run
without authenticating so long as the time stamp file's modification
minutes (or whatever the timeout is set to in
option is enabled, the time stamp has per-tty granularity but still
may outlive the user's session.
On Linux systems where the devpts filesystem is used, Solaris systems
with the devices filesystem, as well as other systems that utilize a
devfs filesystem that monotonically increases the inode number of devices
as they are created (such as Mac OS X),
is able to determine when a tty-based time stamp file is stale and will
Administrators should not rely on this feature as it is not universally
3896
.Xr sudoers.ldap @mansectform@ ,
.Xr sudo_plugin @mansectsu@ ,
.Xr sudo @mansectsu@ ,
.Xr visudo @mansectsu@
command which locks the file and does grammatical checking.
be free of syntax errors since
will not run with a syntactically incorrect
When using netgroups of machines (as opposed to users), if you
store fully qualified host names in the netgroup (as is usually the
case), you either need to have the machine's host name be fully qualified
If you feel you have found a bug in
please submit a bug report at http://www.sudo.ws/sudo/bugs/
Limited free support is available via the sudo-users mailing list,
see http://www.sudo.ws/mailman/listinfo/sudo-users to subscribe or
search the archives.
and any express or implied warranties, including, but not limited
to, the implied warranties of merchantability and fitness for a
particular purpose are disclaimed.
See the LICENSE file distributed with
or http://www.sudo.ws/sudo/license.html for complete details.