« back to all changes in this revision
Viewing changes to doc/sudoers.mdoc.in
- browse files at revision 60
- compare with another revision
- download diff
- download tarball
- view history from revision 60
- Committer: Package Import Robot
- Author(s): Stéphane Graber
- Date: 2012-11-16 09:31:32 UTC
- mfrom: (1.4.13)
- Revision ID: package-import@ubuntu.com-20121116093132-ptext55adlzbrq6y
Tags: 1.8.6p3-0ubuntu1
* New upstream release (1.8.6p3).
* Add patch to fix building with sssd when ldap is disabled.
* Drop sudo.manpages and sudo-ldap.manpages as the upstream build system
now does the right thing here.
* Build the main sudo package with support for sssd, this doesn't add any
additional build time or runtime dependency. sudo will dynamically load
the sssd library if 'sss' is listed for the 'sudoers' nss service.
* Add patch to fix building with sssd when ldap is disabled.
* Drop sudo.manpages and sudo-ldap.manpages as the upstream build system
now does the right thing here.
* Build the main sudo package with support for sssd, this doesn't add any
additional build time or runtime dependency. sudo will dynamically load
the sssd library if 'sss' is listed for the 'sudoers' nss service.
- files added:
- .pc/fix_sssd_build.patch
- .pc/fix_sssd_build.patch/plugins
- .pc/fix_sssd_build.patch/plugins/sudoers
- plugins/sudoers/regress/check_symbols
- files removed:
- debian/sudo-ldap.manpages
- files modified:
- .pc/actually-use-buildflags.diff/common/Makefile.in
added
removed
doc/sudoers.mdoc.in
1
.\"
2
.\" Copyright (c) 1994-1996, 1998-2005, 2007-2012
3
.\" Todd C. Miller <Todd.Miller@courtesan.com>
4
.\"
5
.\" Permission to use, copy, modify, and distribute this software for any
6
.\" purpose with or without fee is hereby granted, provided that the above
7
.\" copyright notice and this permission notice appear in all copies.
8
.\"
9
.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
10
.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
11
.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
12
.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
13
.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
14
.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
15
.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
16
.\" ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
17
.\"
18
.\" Sponsored in part by the Defense Advanced Research Projects
19
.\" Agency (DARPA) and Air Force Research Laboratory, Air Force
20
.\" Materiel Command, USAF, under agreement number F39502-99-1-0512.
21
.\"
22
.Dd July 16, 2012
23
.Dt SUDOERS @mansectform@
24
.Os Sudo @PACKAGE_VERSION@
25
.Sh NAME
26
.Nm sudoers
27
.Nd default sudo security policy module
28
.Sh DESCRIPTION
29
The
30
.Em sudoers
31
policy module determines a user's
32
.Nm sudo
33
privileges.
34
It is the default
35
.Nm sudo
36
policy plugin.
37
The policy is driven by
38
the
39
.Pa @sysconfdir@/sudoers
40
file or, optionally in LDAP.
41
The policy format is described in detail in the
42
.Sx SUDOERS FILE FORMAT
43
section.
44
For information on storing
45
.Em sudoers
46
policy information
47
in LDAP, please see
48
.Xr sudoers.ldap @mansectform@ .
49
.Ss Authentication and logging
50
The
51
.Em sudoers
52
security policy requires that most users authenticate
53
themselves before they can use
54
.Nm sudo .
55
A password is not required
56
if the invoking user is root, if the target user is the same as the
57
invoking user, or if the policy has disabled authentication for the
58
user or command.
59
Unlike
60
.Xr su 1 ,
61
when
62
.Em sudoers
63
requires
64
authentication, it validates the invoking user's credentials, not
65
the target user's (or root's) credentials.
66
This can be changed via
67
the
68
.Em rootpw ,
69
.Em targetpw
70
and
71
.Em runaspw
72
flags, described later.
73
.Pp
74
If a user who is not listed in the policy tries to run a command
75
via
76
.Nm sudo ,
77
mail is sent to the proper authorities.
78
The address
79
used for such mail is configurable via the
80
.Em mailto
81
Defaults entry
82
(described later) and defaults to
83
.Li @mailto@ .
84
.Pp
85
Note that mail will not be sent if an unauthorized user tries to
86
run
87
.Nm sudo
88
with the
89
.Fl l
90
or
91
.Fl v
92
option.
93
This allows users to
94
determine for themselves whether or not they are allowed to use
95
.Nm sudo .
96
.Pp
97
If
98
.Nm sudo
99
is run by root and the
100
.Ev SUDO_USER
101
environment variable
102
is set, the
103
.Em sudoers
104
policy will use this value to determine who
105
the actual user is.
106
This can be used by a user to log commands
107
through sudo even when a root shell has been invoked.
108
It also
109
allows the
110
.Fl e
111
option to remain useful even when invoked via a
112
sudo-run script or program.
113
Note, however, that the
114
.Em sudoers
115
lookup is still done for root, not the user specified by
116
.Ev SUDO_USER .
117
.Pp
118
.Em sudoers
119
uses time stamp files for credential caching.
120
Once a
121
user has been authenticated, the time stamp is updated and the user
122
may then use sudo without a password for a short period of time
123
.Po
124
.Li @timeout@
125
minutes unless overridden by the
126
.Em timeout
127
option
128
.Pc .
129
By default,
130
.Em sudoers
131
uses a tty-based time stamp which means that
132
there is a separate time stamp for each of a user's login sessions.
133
The
134
.Em tty_tickets
135
option can be disabled to force the use of a
136
single time stamp for all of a user's sessions.
137
.Pp
138
.Em sudoers
139
can log both successful and unsuccessful attempts (as well
140
as errors) to
141
.Xr syslog 3 ,
142
a log file, or both.
143
By default,
144
.Em sudoers
145
will log via
146
.Xr syslog 3
147
but this is changeable via the
148
.Em syslog
149
and
150
.Em logfile
151
Defaults settings.
152
.Pp
153
.Em sudoers
154
also supports logging a command's input and output
155
streams.
156
I/O logging is not on by default but can be enabled using
157
the
158
.Em log_input
159
and
160
.Em log_output
161
Defaults flags as well as the
162
.Li LOG_INPUT
163
and
164
.Li LOG_OUTPUT
165
command tags.
166
.Ss Command environment
167
Since environment variables can influence program behavior,
168
.Em sudoers
169
provides a means to restrict which variables from the user's
170
environment are inherited by the command to be run.
171
There are two
172
distinct ways
173
.Em sudoers
174
can deal with environment variables.
175
.Pp
176
By default, the
177
.Em env_reset
178
option is enabled.
179
This causes commands
180
to be executed with a new, minimal environment.
181
On AIX (and Linux
182
systems without PAM), the environment is initialized with the
183
contents of the
184
.Pa /etc/environment
185
file.
186
On BSD systems, if the
187
.Em use_loginclass
188
option is enabled, the environment is initialized
189
based on the
190
.Em path
191
and
192
.Em setenv
193
settings in
194
.Pa /etc/login.conf .
195
The new environment contains the
196
.Ev TERM ,
197
.Ev PATH ,
198
.Ev HOME ,
199
.Ev MAIL ,
200
.Ev SHELL ,
201
.Ev LOGNAME ,
202
.Ev USER ,
203
.Ev USERNAME
204
and
205
.Ev SUDO_*
206
variables
207
in addition to variables from the invoking process permitted by the
208
.Em env_check
209
and
210
.Em env_keep
211
options.
212
This is effectively a whitelist
213
for environment variables.
214
.Pp
215
If, however, the
216
.Em env_reset
217
option is disabled, any variables not
218
explicitly denied by the
219
.Em env_check
220
and
221
.Em env_delete
222
options are
223
inherited from the invoking process.
224
In this case,
225
.Em env_check
226
and
227
.Em env_delete
228
behave like a blacklist.
229
Since it is not possible
230
to blacklist all potentially dangerous environment variables, use
231
of the default
232
.Em env_reset
233
behavior is encouraged.
234
.Pp
235
In all cases, environment variables with a value beginning with
236
.Li ()
237
are removed as they could be interpreted as
238
.Sy bash
239
functions.
240
The list of environment variables that
241
.Nm sudo
242
allows or denies is
243
contained in the output of
244
.Dq Li sudo -V
245
when run as root.
246
.Pp
247
Note that the dynamic linker on most operating systems will remove
248
variables that can control dynamic linking from the environment of
249
setuid executables, including
250
.Nm sudo .
251
Depending on the operating
252
system this may include
253
.Ev _RLD* ,
254
.Ev DYLD_* ,
255
.Ev LD_* ,
256
.Ev LDR_* ,
257
.Ev LIBPATH ,
258
.Ev SHLIB_PATH ,
259
and others.
260
These type of variables are
261
removed from the environment before
262
.Nm sudo
263
even begins execution
264
and, as such, it is not possible for
265
.Nm sudo
266
to preserve them.
267
.Pp
268
As a special case, if
269
.Nm sudo Ns No 's
270
.Fl i
271
option (initial login) is
272
specified,
273
.Em sudoers
274
will initialize the environment regardless
275
of the value of
276
.Em env_reset .
277
The
278
.Ev DISPLAY ,
279
.Ev PATH
280
and
281
.Ev TERM
282
variables remain unchanged;
283
.Ev HOME ,
284
.Ev MAIL ,
285
.Ev SHELL ,
286
.Ev USER ,
287
and
288
.Ev LOGNAME
289
are set based on the target user.
290
On AIX (and Linux
291
systems without PAM), the contents of
292
.Pa /etc/environment
293
are also
294
included.
295
On BSD systems, if the
296
.Em use_loginclass
297
option is
298
enabled, the
299
.Em path
300
and
301
.Em setenv
302
variables in
303
.Pa /etc/login.conf
304
are also applied.
305
All other environment variables are removed.
306
.Pp
307
Finally, if the
308
.Em env_file
309
option is defined, any variables present
310
in that file will be set to their specified values as long as they
311
would not conflict with an existing environment variable.
312
.Sh SUDOERS FILE FORMAT
313
The
314
.Em sudoers
315
file is composed of two types of entries: aliases
316
(basically variables) and user specifications (which specify who
317
may run what).
318
.Pp
319
When multiple entries match for a user, they are applied in order.
320
Where there are multiple matches, the last match is used (which is
321
not necessarily the most specific match).
322
.Pp
323
The
324
.Em sudoers
325
grammar will be described below in Extended Backus-Naur
326
Form (EBNF).
327
Don't despair if you are unfamiliar with EBNF; it is fairly simple,
328
and the definitions below are annotated.
329
.Ss Quick guide to EBNF
330
EBNF is a concise and exact way of describing the grammar of a language.
331
Each EBNF definition is made up of
332
.Em production rules .
333
E.g.,
334
.Pp
335
.Li symbol ::= definition | alternate1 | alternate2 ...
336
.Pp
337
Each
338
.Em production rule
339
references others and thus makes up a
340
grammar for the language.
341
EBNF also contains the following
342
operators, which many readers will recognize from regular
343
expressions.
344
Do not, however, confuse them with
345
.Dq wildcard
346
characters, which have different meanings.
347
.Bl -tag -width 4n
348
.It Li \&?
349
Means that the preceding symbol (or group of symbols) is optional.
350
That is, it may appear once or not at all.
351
.It Li *
352
Means that the preceding symbol (or group of symbols) may appear
353
zero or more times.
354
.It Li +
355
Means that the preceding symbol (or group of symbols) may appear
356
one or more times.
357
.El
358
.Pp
359
Parentheses may be used to group symbols together.
360
For clarity,
361
we will use single quotes
362
.Pq ''
363
to designate what is a verbatim character string (as opposed to a symbol name).
364
.Ss Aliases
365
There are four kinds of aliases:
366
.Li User_Alias ,
367
.Li Runas_Alias ,
368
.Li Host_Alias
369
and
370
.Li Cmnd_Alias .
371
.Bd -literal
372
Alias ::= 'User_Alias' User_Alias (':' User_Alias)* |
373
'Runas_Alias' Runas_Alias (':' Runas_Alias)* |
374
'Host_Alias' Host_Alias (':' Host_Alias)* |
375
'Cmnd_Alias' Cmnd_Alias (':' Cmnd_Alias)*
376
377
User_Alias ::= NAME '=' User_List
378
379
Runas_Alias ::= NAME '=' Runas_List
380
381
Host_Alias ::= NAME '=' Host_List
382
383
Cmnd_Alias ::= NAME '=' Cmnd_List
384
385
NAME ::= [A-Z]([A-Z][0-9]_)*
386
.Ed
387
.Pp
388
Each
389
.Em alias
390
definition is of the form
391
.Bd -literal
392
Alias_Type NAME = item1, item2, ...
393
.Ed
394
.Pp
395
where
396
.Em Alias_Type
397
is one of
398
.Li User_Alias ,
399
.Li Runas_Alias ,
400
.Li Host_Alias ,
401
or
402
.Li Cmnd_Alias .
403
A
404
.Li NAME
405
is a string of uppercase letters, numbers,
406
and underscore characters
407
.Pq Ql _ .
408
A
409
.Li NAME
410
.Sy must
411
start with an
412
uppercase letter.
413
It is possible to put several alias definitions
414
of the same type on a single line, joined by a colon
415
.Pq Ql :\& .
416
E.g.,
417
.Bd -literal
418
Alias_Type NAME = item1, item2, item3 : NAME = item4, item5
419
.Ed
420
.Pp
421
The definitions of what constitutes a valid
422
.Em alias
423
member follow.
424
.Bd -literal
425
User_List ::= User |
426
User ',' User_List
427
428
User ::= '!'* user name |
429
'!'* #uid |
430
'!'* %group |
431
'!'* %#gid |
432
'!'* +netgroup |
433
'!'* %:nonunix_group |
434
'!'* %:#nonunix_gid |
435
'!'* User_Alias
436
.Ed
437
.Pp
438
A
439
.Li User_List
440
is made up of one or more user names, user ids
441
(prefixed with
442
.Ql # ) ,
443
system group names and ids (prefixed with
444
.Ql %
445
and
446
.Ql %#
447
respectively), netgroups (prefixed with
448
.Ql + ) ,
449
non-Unix group names and IDs (prefixed with
450
.Ql %:
451
and
452
.Ql %:#
453
respectively) and
454
.Li User_Alias Ns No es.
455
Each list item may be prefixed with zero or more
456
.Ql \&!
457
operators.
458
An odd number of
459
.Ql \&!
460
operators negate the value of
461
the item; an even number just cancel each other out.
462
.Pp
463
A
464
.Li user name ,
465
.Li uid ,
466
.Li group ,
467
.Li gid ,
468
.Li netgroup ,
469
.Li nonunix_group
470
or
471
.Li nonunix_gid
472
may be enclosed in double quotes to avoid the
473
need for escaping special characters.
474
Alternately, special characters
475
may be specified in escaped hex mode, e.g.\& \ex20 for space.
476
When
477
using double quotes, any prefix characters must be included inside
478
the quotes.
479
.Pp
480
The actual
481
.Li nonunix_group
482
and
483
.Li nonunix_gid
484
syntax depends on
485
the underlying group provider plugin (see the
486
.Em group_plugin
487
description below).
488
For instance, the QAS AD plugin supports the following formats:
489
.Bl -bullet -width 4n
490
.It
491
Group in the same domain: "%:Group Name"
492
.It
493
Group in any domain: "%:Group Name@FULLY.QUALIFIED.DOMAIN"
494
.It
495
Group SID: "%:S-1-2-34-5678901234-5678901234-5678901234-567"
496
.El
497
.Pp
498
Note that quotes around group names are optional.
499
Unquoted strings must use a backslash
500
.Pq Ql \e
501
to escape spaces and special characters.
502
See
503
.Sx Other special characters and reserved words
504
for a list of
505
characters that need to be escaped.
506
.Bd -literal
507
Runas_List ::= Runas_Member |
508
Runas_Member ',' Runas_List
509
510
Runas_Member ::= '!'* user name |
511
'!'* #uid |
512
'!'* %group |
513
'!'* %#gid |
514
'!'* %:nonunix_group |
515
'!'* %:#nonunix_gid |
516
'!'* +netgroup |
517
'!'* Runas_Alias
518
.Ed
519
.Pp
520
A
521
.Li Runas_List
522
is similar to a
523
.Li User_List
524
except that instead
525
of
526
.Li User_Alias Ns No es
527
it can contain
528
.Li Runas_Alias Ns No es .
529
Note that
530
user names and groups are matched as strings.
531
In other words, two
532
users (groups) with the same uid (gid) are considered to be distinct.
533
If you wish to match all user names with the same uid (e.g.\&
534
root and toor), you can use a uid instead (#0 in the example given).
535
.Bd -literal
536
Host_List ::= Host |
537
Host ',' Host_List
538
539
Host ::= '!'* host name |
540
'!'* ip_addr |
541
'!'* network(/netmask)? |
542
'!'* +netgroup |
543
'!'* Host_Alias
544
.Ed
545
.Pp
546
A
547
.Li Host_List
548
is made up of one or more host names, IP addresses,
549
network numbers, netgroups (prefixed with
550
.Ql + )
551
and other aliases.
552
Again, the value of an item may be negated with the
553
.Ql \&!
554
operator.
555
If you do not specify a netmask along with the network number,
556
.Nm sudo
557
will query each of the local host's network interfaces and,
558
if the network number corresponds to one of the hosts's network
559
interfaces, the corresponding netmask will be used.
560
The netmask
561
may be specified either in standard IP address notation
562
(e.g.\& 255.255.255.0 or ffff:ffff:ffff:ffff::),
563
or CIDR notation (number of bits, e.g.\& 24 or 64).
564
A host name may include shell-style wildcards (see the
565
.Sx Wildcards
566
section below),
567
but unless the
568
.Li host name
569
command on your machine returns the fully
570
qualified host name, you'll need to use the
571
.Em fqdn
572
option for wildcards to be useful.
573
Note that
574
.Nm sudo
575
only inspects actual network interfaces; this means that IP address
576
127.0.0.1 (localhost) will never match.
577
Also, the host name
578
.Dq localhost
579
will only match if that is the actual host name, which is usually
580
only the case for non-networked systems.
581
.Bd -literal
582
Cmnd_List ::= Cmnd |
583
Cmnd ',' Cmnd_List
584
585
command name ::= file name |
586
file name args |
587
file name '""'
588
589
Cmnd ::= '!'* command name |
590
'!'* directory |
591
'!'* "sudoedit" |
592
'!'* Cmnd_Alias
593
.Ed
594
.Pp
595
A
596
.Li Cmnd_List
597
is a list of one or more command names, directories, and other aliases.
598
A command name is a fully qualified file name which may include
599
shell-style wildcards (see the
600
.Sx Wildcards
601
section below).
602
A simple file name allows the user to run the command with any
603
arguments he/she wishes.
604
However, you may also specify command line arguments (including
605
wildcards).
606
Alternately, you can specify
607
.Li \&""
608
to indicate that the command
609
may only be run
610
.Sy without
611
command line arguments.
612
A directory is a
613
fully qualified path name ending in a
614
.Ql / .
615
When you specify a directory in a
616
.Li Cmnd_List ,
617
the user will be able to run any file within that directory
618
(but not in any sub-directories therein).
619
.Pp
620
If a
621
.Li Cmnd
622
has associated command line arguments, then the arguments
623
in the
624
.Li Cmnd
625
must match exactly those given by the user on the command line
626
(or match the wildcards if there are any).
627
Note that the following characters must be escaped with a
628
.Ql \e
629
if they are used in command arguments:
630
.Ql ,\& ,
631
.Ql :\& ,
632
.Ql =\& ,
633
.Ql \e .
634
The special command
635
.Dq Li sudoedit
636
is used to permit a user to run
637
.Nm sudo
638
with the
639
.Fl e
640
option (or as
641
.Nm sudoedit ) .
642
It may take command line arguments just as a normal command does.
643
.Ss Defaults
644
Certain configuration options may be changed from their default
645
values at run-time via one or more
646
.Li Default_Entry
647
lines.
648
These may affect all users on any host, all users on a specific host, a
649
specific user, a specific command, or commands being run as a specific user.
650
Note that per-command entries may not include command line arguments.
651
If you need to specify arguments, define a
652
.Li Cmnd_Alias
653
and reference
654
that instead.
655
.Bd -literal
656
Default_Type ::= 'Defaults' |
657
'Defaults' '@' Host_List |
658
'Defaults' ':' User_List |
659
'Defaults' '!' Cmnd_List |
660
'Defaults' '>' Runas_List
661
662
Default_Entry ::= Default_Type Parameter_List
663
664
Parameter_List ::= Parameter |
665
Parameter ',' Parameter_List
666
667
Parameter ::= Parameter '=' Value |
668
Parameter '+=' Value |
669
Parameter '-=' Value |
670
'!'* Parameter
671
.Ed
672
.Pp
673
Parameters may be
674
.Sy flags ,
675
.Sy integer
676
values,
677
.Sy strings ,
678
or
679
.Sy lists .
680
Flags are implicitly boolean and can be turned off via the
681
.Ql \&!
682
operator.
683
Some integer, string and list parameters may also be
684
used in a boolean context to disable them.
685
Values may be enclosed
686
in double quotes
687
.Pq \&""
688
when they contain multiple words.
689
Special characters may be escaped with a backslash
690
.Pq Ql \e .
691
.Pp
692
Lists have two additional assignment operators,
693
.Li +=
694
and
695
.Li -= .
696
These operators are used to add to and delete from a list respectively.
697
It is not an error to use the
698
.Li -=
699
operator to remove an element
700
that does not exist in a list.
701
.Pp
702
Defaults entries are parsed in the following order: generic, host
703
and user Defaults first, then runas Defaults and finally command
704
defaults.
705
.Pp
706
See
707
.Sx SUDOERS OPTIONS
708
for a list of supported Defaults parameters.
709
.Ss User specification
710
.Bd -literal
711
User_Spec ::= User_List Host_List '=' Cmnd_Spec_List \e
712
(':' Host_List '=' Cmnd_Spec_List)*
713
714
Cmnd_Spec_List ::= Cmnd_Spec |
715
Cmnd_Spec ',' Cmnd_Spec_List
716
717
Cmnd_Spec ::= Runas_Spec? SELinux_Spec? Solaris_Priv_Spec? Tag_Spec* Cmnd
718
719
Runas_Spec ::= '(' Runas_List? (':' Runas_List)? ')'
720
721
SELinux_Spec ::= ('ROLE=role' | 'TYPE=type')
722
723
Solaris_Priv_Spec ::= ('PRIVS=privset' | 'LIMITPRIVS=privset')
724
725
Tag_Spec ::= ('NOPASSWD:' | 'PASSWD:' | 'NOEXEC:' | 'EXEC:' |
726
'SETENV:' | 'NOSETENV:' | 'LOG_INPUT:' | 'NOLOG_INPUT:' |
727
'LOG_OUTPUT:' | 'NOLOG_OUTPUT:')
728
.Ed
729
.Pp
730
A
731
.Sy user specification
732
determines which commands a user may run
733
(and as what user) on specified hosts.
734
By default, commands are
735
run as
736
.Sy root ,
737
but this can be changed on a per-command basis.
738
.Pp
739
The basic structure of a user specification is
740
.Dq who where = (as_whom) what .
741
Let's break that down into its constituent parts:
742
.Ss Runas_Spec
743
A
744
.Li Runas_Spec
745
determines the user and/or the group that a command
746
may be run as.
747
A fully-specified
748
.Li Runas_Spec
749
consists of two
750
.Li Runas_List Ns No s
751
(as defined above) separated by a colon
752
.Pq Ql :\&
753
and enclosed in a set of parentheses.
754
The first
755
.Li Runas_List
756
indicates
757
which users the command may be run as via
758
.Nm sudo Ns No 's
759
.Fl u
760
option.
761
The second defines a list of groups that can be specified via
762
.Nm sudo Ns No 's
763
.Fl g
764
option.
765
If both
766
.Li Runas_List Ns No s
767
are specified, the command may be run with any combination of users
768
and groups listed in their respective
769
.Li Runas_List Ns No s.
770
If only the first is specified, the command may be run as any user
771
in the list but no
772
.Fl g
773
option
774
may be specified.
775
If the first
776
.Li Runas_List
777
is empty but the
778
second is specified, the command may be run as the invoking user
779
with the group set to any listed in the
780
.Li Runas_List .
781
If both
782
.Li Runas_List Ns No s
783
are empty, the command may only be run as the invoking user.
784
If no
785
.Li Runas_Spec
786
is specified the command may be run as
787
.Sy root
788
and
789
no group may be specified.
790
.Pp
791
A
792
.Li Runas_Spec
793
sets the default for the commands that follow it.
794
What this means is that for the entry:
795
.Bd -literal
796
dgb boulder = (operator) /bin/ls, /bin/kill, /usr/bin/lprm
797
.Ed
798
.Pp
799
The user
800
.Sy dgb
801
may run
802
.Pa /bin/ls ,
803
.Pa /bin/kill ,
804
and
805
.Pa /usr/bin/lprm Ns No \(em Ns but
806
only as
807
.Sy operator .
808
E.g.,
809
.Bd -literal
810
$ sudo -u operator /bin/ls
811
.Ed
812
.Pp
813
It is also possible to override a
814
.Li Runas_Spec
815
later on in an entry.
816
If we modify the entry like so:
817
.Bd -literal
818
dgb boulder = (operator) /bin/ls, (root) /bin/kill, /usr/bin/lprm
819
.Ed
820
.Pp
821
Then user
822
.Sy dgb
823
is now allowed to run
824
.Pa /bin/ls
825
as
826
.Sy operator ,
827
but
828
.Pa /bin/kill
829
and
830
.Pa /usr/bin/lprm
831
as
832
.Sy root .
833
.Pp
834
We can extend this to allow
835
.Sy dgb
836
to run
837
.Li /bin/ls
838
with either
839
the user or group set to
840
.Sy operator :
841
.Bd -literal
842
dgb boulder = (operator : operator) /bin/ls, (root) /bin/kill,\e
843
/usr/bin/lprm
844
.Ed
845
.Pp
846
Note that while the group portion of the
847
.Li Runas_Spec
848
permits the
849
user to run as command with that group, it does not force the user
850
to do so.
851
If no group is specified on the command line, the command
852
will run with the group listed in the target user's password database
853
entry.
854
The following would all be permitted by the sudoers entry above:
855
.Bd -literal
856
$ sudo -u operator /bin/ls
857
$ sudo -u operator -g operator /bin/ls
858
$ sudo -g operator /bin/ls
859
.Ed
860
.Pp
861
In the following example, user
862
.Sy tcm
863
may run commands that access
864
a modem device file with the dialer group.
865
.Bd -literal
866
tcm boulder = (:dialer) /usr/bin/tip, /usr/bin/cu,\e
867
/usr/local/bin/minicom
868
.Ed
869
.Pp
870
Note that in this example only the group will be set, the command
871
still runs as user
872
.Sy tcm .
873
E.g.\&
874
.Bd -literal
875
$ sudo -g dialer /usr/bin/cu
876
.Ed
877
.Pp
878
Multiple users and groups may be present in a
879
.Li Runas_Spec ,
880
in which case the user may select any combination of users and groups via the
881
.Fl u
882
and
883
.Fl g
884
options.
885
In this example:
886
.Bd -literal
887
alan ALL = (root, bin : operator, system) ALL
888
.Ed
889
.Pp
890
user
891
.Sy alan
892
may run any command as either user root or bin,
893
optionally setting the group to operator or system.
894
.Ss SELinux_Spec
895
On systems with SELinux support,
896
.Em sudoers
897
entries may optionally have an SELinux role and/or type associated
898
with a command.
899
If a role or
900
type is specified with the command it will override any default values
901
specified in
902
.Em sudoers .
903
A role or type specified on the command line,
904
however, will supersede the values in
905
.Em sudoers .
906
.Ss Solaris_Priv_Spec
907
On Solaris systems,
908
.Em sudoers
909
entries may optionally specify Solaris privilege set and/or limit
910
privilege set associated with a command.
911
If privileges or limit privileges are specified with the command
912
it will override any default values specified in
913
.Em sudoers .
914
.Pp
915
A privilege set is a comma-separated list of privilege names.
916
The
917
.Xr ppriv 1
918
command can be used to list all privileges known to the system.
919
For example:
920
.Bd -literal
921
$ ppriv -l
922
.Ed
923
.Pp
924
In addition, there are several
925
.Dq special
926
privilege strings:
927
.Bl -tag -width 8n
928
.It none
929
the empty set
930
.It all
931
the set of all privileges
932
.It zone
933
the set of all privileges available in the current zone
934
.It basic
935
the default set of privileges normal users are granted at login time
936
.El
937
.Pp
938
Privileges can be excluded from a set by prefixing the privilege
939
name with either an
940
.Ql \&!
941
or
942
.Ql \-
943
character.
944
.Ss Tag_Spec
945
A command may have zero or more tags associated with it.
946
There are
947
ten possible tag values:
948
.Li NOPASSWD ,
949
.Li PASSWD ,
950
.Li NOEXEC ,
951
.Li EXEC ,
952
.Li SETENV ,
953
.Li NOSETENV ,
954
.Li LOG_INPUT ,
955
.Li NOLOG_INPUT ,
956
.Li LOG_OUTPUT
957
and
958
.Li NOLOG_OUTPUT .
959
Once a tag is set on a
960
.Li Cmnd ,
961
subsequent
962
.Li Cmnd Ns No s
963
in the
964
.Li Cmnd_Spec_List ,
965
inherit the tag unless it is overridden by the opposite tag (in other words,
966
.Li PASSWD
967
overrides
968
.Li NOPASSWD
969
and
970
.Li NOEXEC
971
overrides
972
.Li EXEC ) .
973
.Pp
974
.Em NOPASSWD and PASSWD
975
.Pp
976
By default,
977
.Nm sudo
978
requires that a user authenticate him or herself
979
before running a command.
980
This behavior can be modified via the
981
.Li NOPASSWD
982
tag.
983
Like a
984
.Li Runas_Spec ,
985
the
986
.Li NOPASSWD
987
tag sets
988
a default for the commands that follow it in the
989
.Li Cmnd_Spec_List .
990
Conversely, the
991
.Li PASSWD
992
tag can be used to reverse things.
993
For example:
994
.Bd -literal
995
ray rushmore = NOPASSWD: /bin/kill, /bin/ls, /usr/bin/lprm
996
.Ed
997
.Pp
998
would allow the user
999
.Sy ray
1000
to run
1001
.Pa /bin/kill ,
1002
.Pa /bin/ls ,
1003
and
1004
.Pa /usr/bin/lprm
1005
as
1006
.Sy root
1007
on the machine rushmore without authenticating himself.
1008
If we only want
1009
.Sy ray
1010
to be able to
1011
run
1012
.Pa /bin/kill
1013
without a password the entry would be:
1014
.Bd -literal
1015
ray rushmore = NOPASSWD: /bin/kill, PASSWD: /bin/ls, /usr/bin/lprm
1016
.Ed
1017
.Pp
1018
Note, however, that the
1019
.Li PASSWD
1020
tag has no effect on users who are in the group specified by the
1021
.Em exempt_group
1022
option.
1023
.Pp
1024
By default, if the
1025
.Li NOPASSWD
1026
tag is applied to any of the entries for a user on the current host,
1027
he or she will be able to run
1028
.Dq Li sudo -l
1029
without a password.
1030
Additionally, a user may only run
1031
.Dq Li sudo -v
1032
without a password if the
1033
.Li NOPASSWD
1034
tag is present for all a user's entries that pertain to the current host.
1035
This behavior may be overridden via the
1036
.Em verifypw
1037
and
1038
.Em listpw
1039
options.
1040
.Pp
1041
.Em NOEXEC and EXEC
1042
.Pp
1043
If
1044
.Nm sudo
1045
has been compiled with
1046
.Em noexec
1047
support and the underlying operating system supports it, the
1048
.Li NOEXEC
1049
tag can be used to prevent a dynamically-linked executable from
1050
running further commands itself.
1051
.Pp
1052
In the following example, user
1053
.Sy aaron
1054
may run
1055
.Pa /usr/bin/more
1056
and
1057
.Pa /usr/bin/vi
1058
but shell escapes will be disabled.
1059
.Bd -literal
1060
aaron shanty = NOEXEC: /usr/bin/more, /usr/bin/vi
1061
.Ed
1062
.Pp
1063
See the
1064
.Sx Preventing shell escapes
1065
section below for more details on how
1066
.Li NOEXEC
1067
works and whether or not it will work on your system.
1068
.Pp
1069
.Em SETENV and NOSETENV
1070
.Pp
1071
These tags override the value of the
1072
.Em setenv
1073
option on a per-command basis.
1074
Note that if
1075
.Li SETENV
1076
has been set for a command, the user may disable the
1077
.Em env_reset
1078
option from the command line via the
1079
.Fl E
1080
option.
1081
Additionally, environment variables set on the command
1082
line are not subject to the restrictions imposed by
1083
.Em env_check ,
1084
.Em env_delete ,
1085
or
1086
.Em env_keep .
1087
As such, only trusted users should be allowed to set variables in this manner.
1088
If the command matched is
1089
.Sy ALL ,
1090
the
1091
.Li SETENV
1092
tag is implied for that command; this default may be overridden by use of the
1093
.Li NOSETENV
1094
tag.
1095
.Pp
1096
.Em LOG_INPUT and NOLOG_INPUT
1097
.Pp
1098
These tags override the value of the
1099
.Em log_input
1100
option on a per-command basis.
1101
For more information, see the description of
1102
.Em log_input
1103
in the
1104
.Sx SUDOERS OPTIONS
1105
section below.
1106
.Pp
1107
.Em LOG_OUTPUT and NOLOG_OUTPUT
1108
.Pp
1109
These tags override the value of the
1110
.Em log_output
1111
option on a per-command basis.
1112
For more information, see the description of
1113
.Em log_output
1114
in the
1115
.Sx SUDOERS OPTIONS
1116
section below.
1117
.Ss Wildcards
1118
.Nm sudo
1119
allows shell-style
1120
.Em wildcards
1121
(aka meta or glob characters)
1122
to be used in host names, path names and command line arguments in the
1123
.Em sudoers
1124
file.
1125
Wildcard matching is done via the
1126
.Sy POSIX
1127
.Xr glob 3
1128
and
1129
.Xr fnmatch 3
1130
routines.
1131
Note that these are
1132
.Em not
1133
regular expressions.
1134
.Bl -tag -width 8n
1135
.It Li *
1136
Matches any set of zero or more characters.
1137
.It Li \&?
1138
Matches any single character.
1139
.It Li [...]
1140
Matches any character in the specified range.
1141
.It Li [!...]
1142
Matches any character
1143
.Sy not
1144
in the specified range.
1145
.It Li \ex
1146
For any character
1147
.Sq x ,
1148
evaluates to
1149
.Sq x .
1150
This is used to escape special characters such as:
1151
.Ql * ,
1152
.Ql \&? ,
1153
.Ql [\& ,
1154
and
1155
.Ql ]\& .
1156
.El
1157
.Pp
1158
POSIX character classes may also be used if your system's
1159
.Xr glob 3
1160
and
1161
.Xr fnmatch 3
1162
functions support them.
1163
However, because the
1164
.Ql :\&
1165
character has special meaning in
1166
.Em sudoers ,
1167
it must be
1168
escaped.
1169
For example:
1170
.Bd -literal -offset 4n
1171
/bin/ls [[\:alpha\:]]*
1172
.Ed
1173
.Pp
1174
Would match any file name beginning with a letter.
1175
.Pp
1176
Note that a forward slash
1177
.Pq Ql /
1178
will
1179
.Sy not
1180
be matched by
1181
wildcards used in the path name.
1182
This is to make a path like:
1183
.Bd -literal -offset 4n
1184
/usr/bin/*
1185
.Ed
1186
.Pp
1187
match
1188
.Pa /usr/bin/who
1189
but not
1190
.Pa /usr/bin/X11/xterm .
1191
.Pp
1192
When matching the command line arguments, however, a slash
1193
.Sy does
1194
get matched by wildcards since command line arguments may contain
1195
arbitrary strings and not just path names.
1196
.Pp
1197
Wildcards in command line arguments should be used with care.
1198
Because command line arguments are matched as a single, concatenated
1199
string, a wildcard such as
1200
.Ql \&?
1201
or
1202
.Ql *
1203
can match multiple words.
1204
For example, while a sudoers entry like:
1205
.Bd -literal -offset 4n
1206
%operator ALL = /bin/cat /var/log/messages*
1207
.Ed
1208
.Pp
1209
will allow command like:
1210
.Bd -literal -offset 4n
1211
$ sudo cat /var/log/messages.1
1212
.Ed
1213
.Pp
1214
It will also allow:
1215
.Bd -literal -offset 4n
1216
$ sudo cat /var/log/messages /etc/shadow
1217
.Ed
1218
.Pp
1219
which is probably not what was intended.
1220
.Ss Exceptions to wildcard rules
1221
The following exceptions apply to the above rules:
1222
.Bl -tag -width 8n
1223
.It Li \&""
1224
If the empty string
1225
.Li \&""
1226
is the only command line argument in the
1227
.Em sudoers
1228
entry it means that command is not allowed to be run with
1229
.Sy any
1230
arguments.
1231
.It sudoedit
1232
Command line arguments to the
1233
.Em sudoedit
1234
built-in command should always be path names, so a forward slash
1235
.Pq Ql /
1236
will not be matched by a wildcard.
1237
.El
1238
.Ss Including other files from within sudoers
1239
It is possible to include other
1240
.Em sudoers
1241
files from within the
1242
.Em sudoers
1243
file currently being parsed using the
1244
.Li #include
1245
and
1246
.Li #includedir
1247
directives.
1248
.Pp
1249
This can be used, for example, to keep a site-wide
1250
.Em sudoers
1251
file in addition to a local, per-machine file.
1252
For the sake of this example the site-wide
1253
.Em sudoers
1254
will be
1255
.Pa /etc/sudoers
1256
and the per-machine one will be
1257
.Pa /etc/sudoers.local .
1258
To include
1259
.Pa /etc/sudoers.local
1260
from within
1261
.Pa /etc/sudoers
1262
we would use the
1263
following line in
1264
.Pa /etc/sudoers :
1265
.Bd -literal -offset 4n
1266
#include /etc/sudoers.local
1267
.Ed
1268
.Pp
1269
When
1270
.Nm sudo
1271
reaches this line it will suspend processing of the current file
1272
.Pq Pa /etc/sudoers
1273
and switch to
1274
.Pa /etc/sudoers.local .
1275
Upon reaching the end of
1276
.Pa /etc/sudoers.local ,
1277
the rest of
1278
.Pa /etc/sudoers
1279
will be processed.
1280
Files that are included may themselves include other files.
1281
A hard limit of 128 nested include files is enforced to prevent include
1282
file loops.
1283
.Pp
1284
If the path to the include file is not fully-qualified (does not
1285
begin with a
1286
.Ql / ,
1287
it must be located in the same directory as the sudoers file it was
1288
included from.
1289
For example, if
1290
.Pa /etc/sudoers
1291
contains the line:
1292
.Bd -literal -offset 4n
1293
.Li #include sudoers.local
1294
.Ed
1295
.Pp
1296
the file that will be included is
1297
.Pa /etc/sudoers.local .
1298
.Pp
1299
The file name may also include the
1300
.Li %h
1301
escape, signifying the short form of the host name.
1302
In other words, if the machine's host name is
1303
.Dq xerxes ,
1304
then
1305
.Bd -literal -offset 4n
1306
#include /etc/sudoers.%h
1307
.Ed
1308
.Pp
1309
will cause
1310
.Nm sudo
1311
to include the file
1312
.Pa /etc/sudoers.xerxes .
1313
.Pp
1314
The
1315
.Li #includedir
1316
directive can be used to create a
1317
.Pa sudo.d
1318
directory that the system package manager can drop
1319
.Em sudoers
1320
rules
1321
into as part of package installation.
1322
For example, given:
1323
.Bd -literal -offset 4n
1324
#includedir /etc/sudoers.d
1325
.Ed
1326
.Pp
1327
.Nm sudo
1328
will read each file in
1329
.Pa /etc/sudoers.d ,
1330
skipping file names that end in
1331
.Ql ~
1332
or contain a
1333
.Ql .\&
1334
character to avoid causing problems with package manager or editor
1335
temporary/backup files.
1336
Files are parsed in sorted lexical order.
1337
That is,
1338
.Pa /etc/sudoers.d/01_first
1339
will be parsed before
1340
.Pa /etc/sudoers.d/10_second .
1341
Be aware that because the sorting is lexical, not numeric,
1342
.Pa /etc/sudoers.d/1_whoops
1343
would be loaded
1344
.Sy after
1345
.Pa /etc/sudoers.d/10_second .
1346
Using a consistent number of leading zeroes in the file names can be used
1347
to avoid such problems.
1348
.Pp
1349
Note that unlike files included via
1350
.Li #include ,
1351
.Nm visudo
1352
will not edit the files in a
1353
.Li #includedir
1354
directory unless one of them contains a syntax error.
1355
It is still possible to run
1356
.Nm visudo
1357
with the
1358
.Fl f
1359
flag to edit the files directly.
1360
.Ss Other special characters and reserved words
1361
The pound sign
1362
.Pq Ql #
1363
is used to indicate a comment (unless it is part of a #include
1364
directive or unless it occurs in the context of a user name and is
1365
followed by one or more digits, in which case it is treated as a
1366
uid).
1367
Both the comment character and any text after it, up to the end of
1368
the line, are ignored.
1369
.Pp
1370
The reserved word
1371
.Sy ALL
1372
is a built-in
1373
.Em alias
1374
that always causes a match to succeed.
1375
It can be used wherever one might otherwise use a
1376
.Li Cmnd_Alias ,
1377
.Li User_Alias ,
1378
.Li Runas_Alias ,
1379
or
1380
.Li Host_Alias .
1381
You should not try to define your own
1382
.Em alias
1383
called
1384
.Sy ALL
1385
as the built-in alias will be used in preference to your own.
1386
Please note that using
1387
.Sy ALL
1388
can be dangerous since in a command context, it allows the user to run
1389
.Sy any
1390
command on the system.
1391
.Pp
1392
An exclamation point
1393
.Pq Ql \&!
1394
can be used as a logical
1395
.Em not
1396
operator both in an
1397
.Em alias
1398
and in front of a
1399
.Li Cmnd .
1400
This allows one to exclude certain values.
1401
Note, however, that using a
1402
.Ql \&!
1403
in conjunction with the built-in
1404
.Sy ALL
1405
alias to allow a user to run
1406
.Dq all but a few
1407
commands rarely works as intended (see
1408
.Sx SECURITY NOTES
1409
below).
1410
.Pp
1411
Long lines can be continued with a backslash
1412
.Pq Ql \e
1413
as the last character on the line.
1414
.Pp
1415
White space between elements in a list as well as special syntactic
1416
characters in a
1417
.Em User Specification
1418
.Po
1419
.Ql =\& ,
1420
.Ql :\& ,
1421
.Ql (\& ,
1422
.Ql )\&
1423
.Pc
1424
is optional.
1425
.Pp
1426
The following characters must be escaped with a backslash
1427
.Pq Ql \e
1428
when used as part of a word (e.g.\& a user name or host name):
1429
.Ql \&! ,
1430
.Ql =\& ,
1431
.Ql :\& ,
1432
.Ql ,\& ,
1433
.Ql (\& ,
1434
.Ql )\& ,
1435
.Ql \e .
1436
.Sh SUDOERS OPTIONS
1437
.Nm sudo Ns No 's
1438
behavior can be modified by
1439
.Li Default_Entry
1440
lines, as explained earlier.
1441
A list of all supported Defaults parameters, grouped by type, are listed below.
1442
.Pp
1443
.Sy Boolean Flags :
1444
.Bl -tag -width 16n
1445
.It always_set_home
1446
If enabled,
1447
.Nm sudo
1448
will set the
1449
.Ev HOME
1450
environment variable to the home directory of the target user
1451
(which is root unless the
1452
.Fl u
1453
option is used).
1454
This effectively means that the
1455
.Fl H
1456
option is always implied.
1457
Note that
1458
.Ev HOME
1459
is already set when the the
1460
.Em env_reset
1461
option is enabled, so
1462
.Em always_set_home
1463
is only effective for configurations where either
1464
.Em env_reset
1465
is disabled or
1466
.Ev HOME
1467
is present in the
1468
.Em env_keep
1469
list.
1470
This flag is
1471
.Em off
1472
by default.
1473
.It authenticate
1474
If set, users must authenticate themselves via a password (or other
1475
means of authentication) before they may run commands.
1476
This default may be overridden via the
1477
.Li PASSWD
1478
and
1479
.Li NOPASSWD
1480
tags.
1481
This flag is
1482
.Em on
1483
by default.
1484
.It closefrom_override
1485
If set, the user may use
1486
.Nm sudo Ns No 's
1487
.Fl C
1488
option which overrides the default starting point at which
1489
.Nm sudo
1490
begins closing open file descriptors.
1491
This flag is
1492
.Em off
1493
by default.
1494
.It compress_io
1495
If set, and
1496
.Nm sudo
1497
is configured to log a command's input or output,
1498
the I/O logs will be compressed using
1499
.Sy zlib .
1500
This flag is
1501
.Em on
1502
by default when
1503
.Nm sudo
1504
is compiled with
1505
.Sy zlib
1506
support.
1507
.It env_editor
1508
If set,
1509
.Nm visudo
1510
will use the value of the
1511
.Ev EDITOR
1512
or
1513
.Ev VISUAL
1514
environment variables before falling back on the default editor list.
1515
Note that this may create a security hole as it allows the user to
1516
run any arbitrary command as root without logging.
1517
A safer alternative is to place a colon-separated list of editors
1518
in the
1519
.Li editor
1520
variable.
1521
.Nm visudo
1522
will then only use the
1523
.Ev EDITOR
1524
or
1525
.Ev VISUAL
1526
if they match a value specified in
1527
.Li editor .
1528
This flag is
1529
.Em @env_editor@
1530
by
1531
default.
1532
.It env_reset
1533
If set,
1534
.Nm sudo
1535
will run the command in a minimal environment containing the
1536
.Ev TERM ,
1537
.Ev PATH ,
1538
.Ev HOME ,
1539
.Ev MAIL ,
1540
.Ev SHELL ,
1541
.Ev LOGNAME ,
1542
.Ev USER ,
1543
.Ev USERNAME
1544
and
1545
.Ev SUDO_*
1546
variables.
1547
Any
1548
variables in the caller's environment that match the
1549
.Li env_keep
1550
and
1551
.Li env_check
1552
lists are then added, followed by any variables present in the file
1553
specified by the
1554
.Em env_file
1555
option (if any).
1556
The default contents of the
1557
.Li env_keep
1558
and
1559
.Li env_check
1560
lists are displayed when
1561
.Nm sudo
1562
is run by root with the
1563
.Fl V
1564
option.
1565
If the
1566
.Em secure_path
1567
option is set, its value will be used for the
1568
.Ev PATH
1569
environment variable.
1570
This flag is
1571
.Em @env_reset@
1572
by default.
1573
.It fast_glob
1574
Normally,
1575
.Nm sudo
1576
uses the
1577
.Xr glob 3
1578
function to do shell-style globbing when matching path names.
1579
However, since it accesses the file system,
1580
.Xr glob 3
1581
can take a long time to complete for some patterns, especially
1582
when the pattern references a network file system that is mounted
1583
on demand (auto mounted).
1584
The
1585
.Em fast_glob
1586
option causes
1587
.Nm sudo
1588
to use the
1589
.Xr fnmatch 3
1590
function, which does not access the file system to do its matching.
1591
The disadvantage of
1592
.Em fast_glob
1593
is that it is unable to match relative path names such as
1594
.Pa ./ls
1595
or
1596
.Pa ../bin/ls .
1597
This has security implications when path names that include globbing
1598
characters are used with the negation operator,
1599
.Ql !\& ,
1600
as such rules can be trivially bypassed.
1601
As such, this option should not be used when
1602
.Em sudoers
1603
contains rules that contain negated path names which include globbing
1604
characters.
1605
This flag is
1606
.Em off
1607
by default.
1608
.It fqdn
1609
Set this flag if you want to put fully qualified host names in the
1610
.Em sudoers
1611
file when the local host name (as returned by the
1612
.Li hostname
1613
command) does not contain the domain name.
1614
In other words, instead of myhost you would use myhost.mydomain.edu.
1615
You may still use the short form if you wish (and even mix the two).
1616
This option is only effective when the
1617
.Dq canonical
1618
host name, as returned by the
1619
.Fn getaddrinfo
1620
or
1621
.Fn gethostbyname
1622
function, is a fully-qualified domain name.
1623
This is usually the case when the system is configured to use DNS
1624
for host name resolution.
1625
.Pp
1626
If the system is configured to use the
1627
.Pa /etc/hosts
1628
file in preference to DNS, the
1629
.Dq canonical
1630
host name may not be fully-qualified.
1631
The order that sources are queried for hosts name resolution
1632
is usually specified in the
1633
.Pa @nsswitch_conf@ ,
1634
.Pa @netsvc_conf@ ,
1635
.Pa /etc/host.conf ,
1636
or, in some cases,
1637
.Pa /etc/resolv.conf
1638
file.
1639
In the
1640
.Pa /etc/hosts
1641
file, the first host name of the entry is considered to be the
1642
.Dq canonical
1643
name; subsequent names are aliases that are not used by
1644
.Nm sudoers .
1645
For example, the following hosts file line for the machine
1646
.Dq xyzzy
1647
has the fully-qualified domain name as the
1648
.Dq canonical
1649
host name, and the short version as an alias.
1650
.sp
1651
.Dl 192.168.1.1 xyzzy.sudo.ws xyzzy
1652
.sp
1653
If the machine's hosts file entry is not formatted properly, the
1654
.Em fqdn
1655
option will not be effective if it is queried before DNS.
1656
.Pp
1657
Beware that when using DNS for host name resolution, turning on
1658
.Em fqdn
1659
requires
1660
.Nm sudoers
1661
to make DNS lookups which renders
1662
.Nm sudo
1663
unusable if DNS stops working (for example if the machine is disconnected
1664
from the network).
1665
Also note that just like with the hosts file, you must use the
1666
.Dq canonical
1667
name as DNS knows it.
1668
That is, you may not use a host alias
1669
.Po
1670
.Li CNAME
1671
entry
1672
.Pc
1673
due to performance issues and the fact that there is no way to get all
1674
aliases from DNS.
1675
.Pp
1676
This flag is
1677
.Em @fqdn@
1678
by default.
1679
.It ignore_dot
1680
If set,
1681
.Nm sudo
1682
will ignore "." or "" (both denoting current directory) in the
1683
.Ev PATH
1684
environment variable; the
1685
.Ev PATH
1686
itself is not modified.
1687
This flag is
1688
.Em @ignore_dot@
1689
by default.
1690
.It ignore_local_sudoers
1691
If set via LDAP, parsing of
1692
.Pa @sysconfdir@/sudoers
1693
will be skipped.
1694
This is intended for Enterprises that wish to prevent the usage of local
1695
sudoers files so that only LDAP is used.
1696
This thwarts the efforts of rogue operators who would attempt to add roles to
1697
.Pa @sysconfdir@/sudoers .
1698
When this option is present,
1699
.Pa @sysconfdir@/sudoers
1700
does not even need to exist.
1701
Since this option tells
1702
.Nm sudo
1703
how to behave when no specific LDAP entries have been matched, this
1704
sudoOption is only meaningful for the
1705
.Li cn=defaults
1706
section.
1707
This flag is
1708
.Em off
1709
by default.
1710
.It insults
1711
If set,
1712
.Nm sudo
1713
will insult users when they enter an incorrect password.
1714
This flag is
1715
.Em @insults@
1716
by default.
1717
.It log_host
1718
If set, the host name will be logged in the (non-syslog)
1719
.Nm sudo
1720
log file.
1721
This flag is
1722
.Em off
1723
by default.
1724
.It log_input
1725
If set,
1726
.Nm sudo
1727
will run the command in a
1728
.Em pseudo tty
1729
and log all user input.
1730
If the standard input is not connected to the user's tty, due to
1731
I/O redirection or because the command is part of a pipeline, that
1732
input is also captured and stored in a separate log file.
1733
.Pp
1734
Input is logged to the directory specified by the
1735
.Em iolog_dir
1736
option
1737
.Po
1738
.Pa @iolog_dir@
1739
by default
1740
.Pc
1741
using a unique session ID that is included in the normal
1742
.Nm sudo
1743
log line, prefixed with
1744
.Dq Li TSID= .
1745
The
1746
.Em iolog_file
1747
option may be used to control the format of the session ID.
1748
.Pp
1749
Note that user input may contain sensitive information such as
1750
passwords (even if they are not echoed to the screen), which will
1751
be stored in the log file unencrypted.
1752
In most cases, logging the command output via
1753
.Em log_output
1754
is all that is required.
1755
.It log_output
1756
If set,
1757
.Nm sudo
1758
will run the command in a
1759
.Em pseudo tty
1760
and log all output that is sent to the screen, similar to the
1761
.Xr script 1
1762
command.
1763
If the standard output or standard error is not connected to the
1764
user's tty, due to I/O redirection or because the command is part
1765
of a pipeline, that output is also captured and stored in separate
1766
log files.
1767
.Pp
1768
Output is logged to the directory specified by the
1769
.Em iolog_dir
1770
option
1771
.Po
1772
.Pa @iolog_dir@
1773
by default
1774
.Pc
1775
using a unique session ID that is included in the normal
1776
.Nm sudo
1777
log line, prefixed with
1778
.Dq Li TSID= .
1779
The
1780
.Em iolog_file
1781
option may be used to control the format of the session ID.
1782
.Pp
1783
Output logs may be viewed with the
1784
.Xr sudoreplay @mansectsu@
1785
utility, which can also be used to list or search the available logs.
1786
.It log_year
1787
If set, the four-digit year will be logged in the (non-syslog)
1788
.Nm sudo
1789
log file.
1790
This flag is
1791
.Em off
1792
by default.
1793
.It long_otp_prompt
1794
When validating with a One Time Password (OTP) scheme such as
1795
.Sy S/Key
1796
or
1797
.Sy OPIE ,
1798
a two-line prompt is used to make it easier
1799
to cut and paste the challenge to a local window.
1800
It's not as pretty as the default but some people find it more convenient.
1801
This flag is
1802
.Em @long_otp_prompt@
1803
by default.
1804
.It mail_always
1805
Send mail to the
1806
.Em mailto
1807
user every time a users runs
1808
.Nm sudo .
1809
This flag is
1810
.Em off
1811
by default.
1812
.It mail_badpass
1813
Send mail to the
1814
.Em mailto
1815
user if the user running
1816
.Nm sudo
1817
does not enter the correct password.
1818
If the command the user is attempting to run is not permitted by
1819
.Em sudoers
1820
and one of the
1821
.Em mail_always ,
1822
.Em mail_no_host ,
1823
.Em mail_no_perms
1824
or
1825
.Em mail_no_user
1826
flags are set, this flag will have no effect.
1827
This flag is
1828
.Em off
1829
by default.
1830
.It mail_no_host
1831
If set, mail will be sent to the
1832
.Em mailto
1833
user if the invoking user exists in the
1834
.Em sudoers
1835
file, but is not allowed to run commands on the current host.
1836
This flag is
1837
.Em @mail_no_host@
1838
by default.
1839
.It mail_no_perms
1840
If set, mail will be sent to the
1841
.Em mailto
1842
user if the invoking user is allowed to use
1843
.Nm sudo
1844
but the command they are trying is not listed in their
1845
.Em sudoers
1846
file entry or is explicitly denied.
1847
This flag is
1848
.Em @mail_no_perms@
1849
by default.
1850
.It mail_no_user
1851
If set, mail will be sent to the
1852
.Em mailto
1853
user if the invoking user is not in the
1854
.Em sudoers
1855
file.
1856
This flag is
1857
.Em @mail_no_user@
1858
by default.
1859
.It noexec
1860
If set, all commands run via
1861
.Nm sudo
1862
will behave as if the
1863
.Li NOEXEC
1864
tag has been set, unless overridden by a
1865
.Li EXEC
1866
tag.
1867
See the description of
1868
.Em NOEXEC and EXEC
1869
below as well as the
1870
.Sx Preventing shell escapes
1871
section at the end of this manual.
1872
This flag is
1873
.Em off
1874
by default.
1875
.It path_info
1876
Normally,
1877
.Nm sudo
1878
will tell the user when a command could not be
1879
found in their
1880
.Ev PATH
1881
environment variable.
1882
Some sites may wish to disable this as it could be used to gather
1883
information on the location of executables that the normal user does
1884
not have access to.
1885
The disadvantage is that if the executable is simply not in the user's
1886
.Ev PATH ,
1887
.Nm sudo
1888
will tell the user that they are not allowed to run it, which can be confusing.
1889
This flag is
1890
.Em @path_info@
1891
by default.
1892
.It passprompt_override
1893
The password prompt specified by
1894
.Em passprompt
1895
will normally only be used if the password prompt provided by systems
1896
such as PAM matches the string
1897
.Dq Password: .
1898
If
1899
.Em passprompt_override
1900
is set,
1901
.Em passprompt
1902
will always be used.
1903
This flag is
1904
.Em off
1905
by default.
1906
.It preserve_groups
1907
By default,
1908
.Nm sudo
1909
will initialize the group vector to the list of groups the target user is in.
1910
When
1911
.Em preserve_groups
1912
is set, the user's existing group vector is left unaltered.
1913
The real and effective group IDs, however, are still set to match the
1914
target user.
1915
This flag is
1916
.Em off
1917
by default.
1918
.It pwfeedback
1919
By default,
1920
.Nm sudo
1921
reads the password like most other Unix programs,
1922
by turning off echo until the user hits the return (or enter) key.
1923
Some users become confused by this as it appears to them that
1924
.Nm sudo
1925
has hung at this point.
1926
When
1927
.Em pwfeedback
1928
is set,
1929
.Nm sudo
1930
will provide visual feedback when the user presses a key.
1931
Note that this does have a security impact as an onlooker may be able to
1932
determine the length of the password being entered.
1933
This flag is
1934
.Em off
1935
by default.
1936
.It requiretty
1937
If set,
1938
.Nm sudo
1939
will only run when the user is logged in to a real tty.
1940
When this flag is set,
1941
.Nm sudo
1942
can only be run from a login session and not via other means such as
1943
.Xr cron @mansectsu@
1944
or cgi-bin scripts.
1945
This flag is
1946
.Em off
1947
by default.
1948
.It root_sudo
1949
If set, root is allowed to run
1950
.Nm sudo
1951
too.
1952
Disabling this prevents users from
1953
.Dq chaining
1954
.Nm sudo
1955
commands to get a root shell by doing something like
1956
.Dq Li sudo sudo /bin/sh .
1957
Note, however, that turning off
1958
.Em root_sudo
1959
will also prevent root from running
1960
.Nm sudoedit .
1961
Disabling
1962
.Em root_sudo
1963
provides no real additional security; it exists purely for historical reasons.
1964
This flag is
1965
.Em @root_sudo@
1966
by default.
1967
.It rootpw
1968
If set,
1969
.Nm sudo
1970
will prompt for the root password instead of the password of the invoking user.
1971
This flag is
1972
.Em off
1973
by default.
1974
.It runaspw
1975
If set,
1976
.Nm sudo
1977
will prompt for the password of the user defined by the
1978
.Em runas_default
1979
option (defaults to
1980
.Li @runas_default@ )
1981
instead of the password of the invoking user.
1982
This flag is
1983
.Em off
1984
by default.
1985
.It set_home
1986
If enabled and
1987
.Nm sudo
1988
is invoked with the
1989
.Fl s
1990
option the
1991
.Ev HOME
1992
environment variable will be set to the home directory of the target
1993
user (which is root unless the
1994
.Fl u
1995
option is used).
1996
This effectively makes the
1997
.Fl s
1998
option imply
1999
.Fl H .
2000
Note that
2001
.Ev HOME
2002
is already set when the the
2003
.Em env_reset
2004
option is enabled, so
2005
.Em set_home
2006
is only effective for configurations where either
2007
.Em env_reset
2008
is disabled
2009
or
2010
.Ev HOME
2011
is present in the
2012
.Em env_keep
2013
list.
2014
This flag is
2015
.Em off
2016
by default.
2017
.It set_logname
2018
Normally,
2019
.Nm sudo
2020
will set the
2021
.Ev LOGNAME ,
2022
.Ev USER
2023
and
2024
.Ev USERNAME
2025
environment variables to the name of the target user (usually root unless the
2026
.Fl u
2027
option is given).
2028
However, since some programs (including the RCS revision control system) use
2029
.Ev LOGNAME
2030
to determine the real identity of the user, it may be desirable to
2031
change this behavior.
2032
This can be done by negating the set_logname option.
2033
Note that if the
2034
.Em env_reset
2035
option has not been disabled, entries in the
2036
.Em env_keep
2037
list will override the value of
2038
.Em set_logname .
2039
This flag is
2040
.Em on
2041
by default.
2042
.It set_utmp
2043
When enabled,
2044
.Nm sudo
2045
will create an entry in the utmp (or utmpx) file when a pseudo-tty
2046
is allocated.
2047
A pseudo-tty is allocated by
2048
.Nm sudo
2049
when the
2050
.Em log_input ,
2051
.Em log_output
2052
or
2053
.Em use_pty
2054
flags are enabled.
2055
By default, the new entry will be a copy of the user's existing utmp
2056
entry (if any), with the tty, time, type and pid fields updated.
2057
This flag is
2058
.Em on
2059
by default.
2060
.It setenv
2061
Allow the user to disable the
2062
.Em env_reset
2063
option from the command line via the
2064
.Fl E
2065
option.
2066
Additionally, environment variables set via the command line are
2067
not subject to the restrictions imposed by
2068
.Em env_check ,
2069
.Em env_delete ,
2070
or
2071
.Em env_keep .
2072
As such, only trusted users should be allowed to set variables in this manner.
2073
This flag is
2074
.Em off
2075
by default.
2076
.It shell_noargs
2077
If set and
2078
.Nm sudo
2079
is invoked with no arguments it acts as if the
2080
.Fl s
2081
option had been given.
2082
That is, it runs a shell as root (the shell is determined by the
2083
.Ev SHELL
2084
environment variable if it is set, falling back on the shell listed
2085
in the invoking user's /etc/passwd entry if not).
2086
This flag is
2087
.Em off
2088
by default.
2089
.It stay_setuid
2090
Normally, when
2091
.Nm sudo
2092
executes a command the real and effective UIDs are set to the target
2093
user (root by default).
2094
This option changes that behavior such that the real UID is left
2095
as the invoking user's UID.
2096
In other words, this makes
2097
.Nm sudo
2098
act as a setuid wrapper.
2099
This can be useful on systems that disable some potentially
2100
dangerous functionality when a program is run setuid.
2101
This option is only effective on systems that support either the
2102
.Xr setreuid 2
2103
or
2104
.Xr setresuid 2
2105
system call.
2106
This flag is
2107
.Em off
2108
by default.
2109
.It targetpw
2110
If set,
2111
.Nm sudo
2112
will prompt for the password of the user specified
2113
by the
2114
.Fl u
2115
option (defaults to
2116
.Li root )
2117
instead of the password of the invoking user.
2118
In addition, the time stamp file name will include the target user's name.
2119
Note that this flag precludes the use of a uid not listed in the passwd
2120
database as an argument to the
2121
.Fl u
2122
option.
2123
This flag is
2124
.Em off
2125
by default.
2126
.It tty_tickets
2127
If set, users must authenticate on a per-tty basis.
2128
With this flag enabled,
2129
.Nm sudo
2130
will use a file named for the tty the user is
2131
logged in on in the user's time stamp directory.
2132
If disabled, the time stamp of the directory is used instead.
2133
This flag is
2134
.Em @tty_tickets@
2135
by default.
2136
.It umask_override
2137
If set,
2138
.Nm sudo
2139
will set the umask as specified by
2140
.Em sudoers
2141
without modification.
2142
This makes it possible to specify a more permissive umask in
2143
.Em sudoers
2144
than the user's own umask and matches historical behavior.
2145
If
2146
.Em umask_override
2147
is not set,
2148
.Nm sudo
2149
will set the umask to be the union of the user's umask and what is specified in
2150
.Em sudoers .
2151
This flag is
2152
.Em @umask_override@
2153
by default.
2154
.It use_loginclass
2155
If set,
2156
.Nm sudo
2157
will apply the defaults specified for the target user's login class
2158
if one exists.
2159
Only available if
2160
.Nm sudo
2161
is configured with the
2162
.Li --with-logincap
2163
option.
2164
This flag is
2165
.Em off
2166
by default.
2167
.It use_pty
2168
If set,
2169
.Nm sudo
2170
will run the command in a pseudo-pty even if no I/O logging is being gone.
2171
A malicious program run under
2172
.Nm sudo
2173
could conceivably fork a background process that retains to the user's
2174
terminal device after the main program has finished executing.
2175
Use of this option will make that impossible.
2176
This flag is
2177
.Em off
2178
by default.
2179
.It utmp_runas
2180
If set,
2181
.Nm sudo
2182
will store the name of the runas user when updating the utmp (or utmpx) file.
2183
By default,
2184
.Nm sudo
2185
stores the name of the invoking user.
2186
This flag is
2187
.Em off
2188
by default.
2189
.It visiblepw
2190
By default,
2191
.Nm sudo
2192
will refuse to run if the user must enter a password but it is not
2193
possible to disable echo on the terminal.
2194
If the
2195
.Em visiblepw
2196
flag is set,
2197
.Nm sudo
2198
will prompt for a password even when it would be visible on the screen.
2199
This makes it possible to run things like
2200
.Dq Li ssh somehost sudo ls
2201
since by default,
2202
.Xr ssh 1
2203
does
2204
not allocate a tty when running a command.
2205
This flag is
2206
.Em off
2207
by default.
2208
.El
2209
.Pp
2210
.Sy Integers :
2211
.Bl -tag -width 16n
2212
.It closefrom
2213
Before it executes a command,
2214
.Nm sudo
2215
will close all open file descriptors other than standard input,
2216
standard output and standard error (ie: file descriptors 0-2).
2217
The
2218
.Em closefrom
2219
option can be used to specify a different file descriptor at which
2220
to start closing.
2221
The default is
2222
.Li 3 .
2223
.It passwd_tries
2224
The number of tries a user gets to enter his/her password before
2225
.Nm sudo
2226
logs the failure and exits.
2227
The default is
2228
.Li @passwd_tries@ .
2229
.El
2230
.Pp
2231
.Sy Integers that can be used in a boolean context :
2232
.Bl -tag -width 16n
2233
.It loglinelen
2234
Number of characters per line for the file log.
2235
This value is used to decide when to wrap lines for nicer log files.
2236
This has no effect on the syslog log file, only the file log.
2237
The default is
2238
.Li @loglen@
2239
(use 0 or negate the option to disable word wrap).
2240
.It passwd_timeout
2241
Number of minutes before the
2242
.Nm sudo
2243
password prompt times out, or
2244
.Li 0
2245
for no timeout.
2246
The timeout may include a fractional component
2247
if minute granularity is insufficient, for example
2248
.Li 2.5 .
2249
The
2250
default is
2251
.Li @password_timeout@ .
2252
.It timestamp_timeout
2253
Number of minutes that can elapse before
2254
.Nm sudo
2255
will ask for a passwd again.
2256
The timeout may include a fractional component if
2257
minute granularity is insufficient, for example
2258
.Li 2.5 .
2259
The default is
2260
.Li @timeout@ .
2261
Set this to
2262
.Li 0
2263
to always prompt for a password.
2264
If set to a value less than
2265
.Li 0
2266
the user's time stamp will never expire.
2267
This can be used to allow users to create or delete their own time stamps via
2268
.Dq Li sudo -v
2269
and
2270
.Dq Li sudo -k
2271
respectively.
2272
.It umask
2273
Umask to use when running the command.
2274
Negate this option or set it to 0777 to preserve the user's umask.
2275
The actual umask that is used will be the union of the user's umask
2276
and the value of the
2277
.Em umask
2278
option, which defaults to
2279
.Li @sudo_umask@ .
2280
This guarantees
2281
that
2282
.Nm sudo
2283
never lowers the umask when running a command.
2284
Note: on systems that use PAM, the default PAM configuration may specify
2285
its own umask which will override the value set in
2286
.Em sudoers .
2287
.El
2288
.Pp
2289
.Sy Strings :
2290
.Bl -tag -width 16n
2291
.It badpass_message
2292
Message that is displayed if a user enters an incorrect password.
2293
The default is
2294
.Li @badpass_message@
2295
unless insults are enabled.
2296
.It editor
2297
A colon
2298
.Pq Ql :\&
2299
separated list of editors allowed to be used with
2300
.Nm visudo .
2301
.Nm visudo
2302
will choose the editor that matches the user's
2303
.Ev EDITOR
2304
environment variable if possible, or the first editor in the
2305
list that exists and is executable.
2306
The default is
2307
.Pa @editor@ .
2308
.It iolog_dir
2309
The top-level directory to use when constructing the path name for
2310
the input/output log directory.
2311
Only used if the
2312
.Em log_input
2313
or
2314
.Em log_output
2315
options are enabled or when the
2316
.Li LOG_INPUT
2317
or
2318
.Li LOG_OUTPUT
2319
tags are present for a command.
2320
The session sequence number, if any, is stored in the directory.
2321
The default is
2322
.Pa @iolog_dir@ .
2323
.Pp
2324
The following percent
2325
.Pq Ql %
2326
escape sequences are supported:
2327
.Bl -tag -width 4n
2328
.It Li %{seq}
2329
expanded to a monotonically increasing base-36 sequence number, such as 0100A5,
2330
where every two digits are used to form a new directory, e.g.\&
2331
.Pa 01/00/A5
2332
.It Li %{user}
2333
expanded to the invoking user's login name
2334
.It Li %{group}
2335
expanded to the name of the invoking user's real group ID
2336
.It Li %{runas_user}
2337
expanded to the login name of the user the command will
2338
be run as (e.g.\& root)
2339
.It Li %{runas_group}
2340
expanded to the group name of the user the command will
2341
be run as (e.g.\& wheel)
2342
.It Li %{hostname}
2343
expanded to the local host name without the domain name
2344
.It Li %{command}
2345
expanded to the base name of the command being run
2346
.El
2347
.Pp
2348
In addition, any escape sequences supported by the system's
2349
.Xr strftime 3
2350
function will be expanded.
2351
.Pp
2352
To include a literal
2353
.Ql %
2354
character, the string
2355
.Ql %%
2356
should be used.
2357
.It iolog_file
2358
The path name, relative to
2359
.Em iolog_dir ,
2360
in which to store input/output logs when the
2361
.Em log_input
2362
or
2363
.Em log_output
2364
options are enabled or when the
2365
.Li LOG_INPUT
2366
or
2367
.Li LOG_OUTPUT
2368
tags are present for a command.
2369
Note that
2370
.Em iolog_file
2371
may contain directory components.
2372
The default is
2373
.Dq Li %{seq} .
2374
.Pp
2375
See the
2376
.Em iolog_dir
2377
option above for a list of supported percent
2378
.Pq Ql %
2379
escape sequences.
2380
.Pp
2381
In addition to the escape sequences, path names that end in six or
2382
more
2383
.Li X Ns No s
2384
will have the
2385
.Li X Ns No s
2386
replaced with a unique combination of digits and letters, similar to the
2387
.Xr mktemp 3
2388
function.
2389
.It limitprivs
2390
The default Solaris limit privileges to use when constructing a new
2391
privilege set for a command.
2392
This bounds all privileges of the executing process.
2393
The default limit privileges may be overridden on a per-command basis in
2394
.Em sudoers .
2395
This option is only available if
2396
.Nm
2397
is built on Solaris 10 or higher.
2398
.It mailsub
2399
Subject of the mail sent to the
2400
.Em mailto
2401
user.
2402
The escape
2403
.Li %h
2404
will expand to the host name of the machine.
2405
Default is
2406
.Dq Li @mailsub@ .
2407
.It noexec_file
2408
This option is no longer supported.
2409
The path to the noexec file should now be set in the
2410
.Pa @sysconfdir@/sudo.conf
2411
file.
2412
.It passprompt
2413
The default prompt to use when asking for a password; can be overridden via the
2414
.Fl p
2415
option or the
2416
.Ev SUDO_PROMPT
2417
environment variable.
2418
The following percent
2419
.Pq Ql %
2420
escape sequences are supported:
2421
.Bl -tag -width 4n
2422
.It Li %H
2423
expanded to the local host name including the domain name
2424
(only if the machine's host name is fully qualified or the
2425
.Em fqdn
2426
option is set)
2427
.It Li %h
2428
expanded to the local host name without the domain name
2429
.It Li %p
2430
expanded to the user whose password is being asked for (respects the
2431
.Em rootpw ,
2432
.Em targetpw
2433
and
2434
.Em runaspw
2435
flags in
2436
.Em sudoers )
2437
.It Li \&%U
2438
expanded to the login name of the user the command will
2439
be run as (defaults to root)
2440
.It Li %u
2441
expanded to the invoking user's login name
2442
.It Li %%
2443
two consecutive
2444
.Li %
2445
characters are collapsed into a single
2446
.Li %
2447
character
2448
.El
2449
.Pp
2450
The default value is
2451
.Dq Li @passprompt@ .
2452
.It privs
2453
The default Solaris privileges to use when constructing a new
2454
privilege set for a command.
2455
This is passed to the executing process via the inherited privilege set,
2456
but is bounded by the limit privileges.
2457
If the
2458
.Em privs
2459
option is specified but the
2460
.Em limitprivs
2461
option is not, the limit privileges of the executing process is set to
2462
.Em privs .
2463
The default privileges may be overridden on a per-command basis in
2464
.Em sudoers .
2465
This option is only available if
2466
.Nm
2467
is built on Solaris 10 or higher.
2468
.It role
2469
The default SELinux role to use when constructing a new security
2470
context to run the command.
2471
The default role may be overridden on a per-command basis in
2472
.Em sudoers
2473
or via command line options.
2474
This option is only available when
2475
.Nm sudo
2476
is built with SELinux support.
2477
.It runas_default
2478
The default user to run commands as if the
2479
.Fl u
2480
option is not specified on the command line.
2481
This defaults to
2482
.Li @runas_default@ .
2483
.It syslog_badpri
2484
Syslog priority to use when user authenticates unsuccessfully.
2485
Defaults to
2486
.Li @badpri@ .
2487
.Pp
2488
The following syslog priorities are supported:
2489
.Sy alert ,
2490
.Sy crit ,
2491
.Sy debug ,
2492
.Sy emerg ,
2493
.Sy err ,
2494
.Sy info ,
2495
.Sy notice ,
2496
and
2497
.Sy warning .
2498
.It syslog_goodpri
2499
Syslog priority to use when user authenticates successfully.
2500
Defaults to
2501
.Li @goodpri@ .
2502
.Pp
2503
See
2504
.Sx syslog_badpri
2505
for the list of supported syslog priorities.
2506
.It sudoers_locale
2507
Locale to use when parsing the sudoers file, logging commands, and
2508
sending email.
2509
Note that changing the locale may affect how sudoers is interpreted.
2510
Defaults to
2511
.Dq Li C .
2512
.It timestampdir
2513
The directory in which
2514
.Nm sudo
2515
stores its time stamp files.
2516
The default is
2517
.Pa @timedir@ .
2518
.It timestampowner
2519
The owner of the time stamp directory and the time stamps stored therein.
2520
The default is
2521
.Li root .
2522
.It type
2523
The default SELinux type to use when constructing a new security
2524
context to run the command.
2525
The default type may be overridden on a per-command basis in
2526
.Em sudoers
2527
or via command line options.
2528
This option is only available when
2529
.Nm sudo
2530
is built with SELinux support.
2531
.El
2532
.Pp
2533
.Sy Strings that can be used in a boolean context :
2534
.Bl -tag -width 12n
2535
.It env_file
2536
The
2537
.Em env_file
2538
option specifies the fully qualified path to a file containing variables
2539
to be set in the environment of the program being run.
2540
Entries in this file should either be of the form
2541
.Dq Li VARIABLE=value
2542
or
2543
.Dq Li export VARIABLE=value .
2544
The value may optionally be surrounded by single or double quotes.
2545
Variables in this file are subject to other
2546
.Nm sudo
2547
environment settings such as
2548
.Em env_keep
2549
and
2550
.Em env_check .
2551
.It exempt_group
2552
Users in this group are exempt from password and PATH requirements.
2553
The group name specified should not include a
2554
.Li %
2555
prefix.
2556
This is not set by default.
2557
.It group_plugin
2558
A string containing a
2559
.Em sudoers
2560
group plugin with optional arguments.
2561
This can be used to implement support for the
2562
.Li nonunix_group
2563
syntax described earlier.
2564
The string should consist of the plugin
2565
path, either fully-qualified or relative to the
2566
.Pa @prefix@/libexec
2567
directory, followed by any configuration arguments the plugin requires.
2568
These arguments (if any) will be passed to the plugin's initialization function.
2569
If arguments are present, the string must be enclosed in double quotes
2570
.Pq \&"" .
2571
.Pp
2572
For example, given
2573
.Pa /etc/sudo-group ,
2574
a group file in Unix group format, the sample group plugin can be used:
2575
.Bd -literal
2576
Defaults group_plugin="sample_group.so /etc/sudo-group"
2577
.Ed
2578
.Pp
2579
For more information see
2580
.Xr sudo_plugin @mansectform@ .
2581
.It lecture
2582
This option controls when a short lecture will be printed along with
2583
the password prompt.
2584
It has the following possible values:
2585
.Bl -tag -width 6n
2586
.It always
2587
Always lecture the user.
2588
.It never
2589
Never lecture the user.
2590
.It once
2591
Only lecture the user the first time they run
2592
.Nm sudo .
2593
.El
2594
.Pp
2595
If no value is specified, a value of
2596
.Em once
2597
is implied.
2598
Negating the option results in a value of
2599
.Em never
2600
being used.
2601
The default value is
2602
.Em @lecture@ .
2603
.It lecture_file
2604
Path to a file containing an alternate
2605
.Nm sudo
2606
lecture that will be used in place of the standard lecture if the named
2607
file exists.
2608
By default,
2609
.Nm sudo
2610
uses a built-in lecture.
2611
.It listpw
2612
This option controls when a password will be required when a user runs
2613
.Nm sudo
2614
with the
2615
.Fl l
2616
option.
2617
It has the following possible values:
2618
.Bl -tag -width 8n
2619
.It all
2620
All the user's
2621
.Em sudoers
2622
entries for the current host must have
2623
the
2624
.Li NOPASSWD
2625
flag set to avoid entering a password.
2626
.It always
2627
The user must always enter a password to use the
2628
.Fl l
2629
option.
2630
.It any
2631
At least one of the user's
2632
.Em sudoers
2633
entries for the current host
2634
must have the
2635
.Li NOPASSWD
2636
flag set to avoid entering a password.
2637
.It never
2638
The user need never enter a password to use the
2639
.Fl l
2640
option.
2641
.El
2642
.Pp
2643
If no value is specified, a value of
2644
.Em any
2645
is implied.
2646
Negating the option results in a value of
2647
.Em never
2648
being used.
2649
The default value is
2650
.Em any .
2651
.It logfile
2652
Path to the
2653
.Nm sudo
2654
log file (not the syslog log file).
2655
Setting a path turns on logging to a file;
2656
negating this option turns it off.
2657
By default,
2658
.Nm sudo
2659
logs via syslog.
2660
.It mailerflags
2661
Flags to use when invoking mailer. Defaults to
2662
.Fl t .
2663
.It mailerpath
2664
Path to mail program used to send warning mail.
2665
Defaults to the path to sendmail found at configure time.
2666
.It mailfrom
2667
Address to use for the
2668
.Dq from
2669
address when sending warning and error mail.
2670
The address should be enclosed in double quotes
2671
.Pq \&""
2672
to protect against
2673
.Nm sudo
2674
interpreting the
2675
.Li @
2676
sign.
2677
Defaults to the name of the user running
2678
.Nm sudo .
2679
.It mailto
2680
Address to send warning and error mail to.
2681
The address should be enclosed in double quotes
2682
.Pq \&""
2683
to protect against
2684
.Nm sudo
2685
interpreting the
2686
.Li @
2687
sign.
2688
Defaults to
2689
.Li @mailto@ .
2690
.It secure_path
2691
Path used for every command run from
2692
.Nm sudo .
2693
If you don't trust the
2694
people running
2695
.Nm sudo
2696
to have a sane
2697
.Ev PATH
2698
environment variable you may want to use this.
2699
Another use is if you want to have the
2700
.Dq root path
2701
be separate from the
2702
.Dq user path .
2703
Users in the group specified by the
2704
.Em exempt_group
2705
option are not affected by
2706
.Em secure_path .
2707
This option is @secure_path@ by default.
2708
.It syslog
2709
Syslog facility if syslog is being used for logging (negate to
2710
disable syslog logging).
2711
Defaults to
2712
.Li @logfac@ .
2713
.Pp
2714
The following syslog facilities are supported:
2715
.Sy authpriv
2716
(if your
2717
OS supports it),
2718
.Sy auth ,
2719
.Sy daemon ,
2720
.Sy user ,
2721
.Sy local0 ,
2722
.Sy local1 ,
2723
.Sy local2 ,
2724
.Sy local3 ,
2725
.Sy local4 ,
2726
.Sy local5 ,
2727
.Sy local6 ,
2728
and
2729
.Sy local7 .
2730
.It verifypw
2731
This option controls when a password will be required when a user runs
2732
.Nm sudo
2733
with the
2734
.Fl v
2735
option.
2736
It has the following possible values:
2737
.Bl -tag -width 6n
2738
.It all
2739
All the user's
2740
.Em sudoers
2741
entries for the current host must have the
2742
.Li NOPASSWD
2743
flag set to avoid entering a password.
2744
.It always
2745
The user must always enter a password to use the
2746
.Fl v
2747
option.
2748
.It any
2749
At least one of the user's
2750
.Em sudoers
2751
entries for the current host must have the
2752
.Li NOPASSWD
2753
flag set to avoid entering a password.
2754
.It never
2755
The user need never enter a password to use the
2756
.Fl v
2757
option.
2758
.El
2759
.Pp
2760
If no value is specified, a value of
2761
.Em all
2762
is implied.
2763
Negating the option results in a value of
2764
.Em never
2765
being used.
2766
The default value is
2767
.Em all .
2768
.El
2769
.Pp
2770
.Sy Lists that can be used in a boolean context :
2771
.Bl -tag -width 16n
2772
.It env_check
2773
Environment variables to be removed from the user's environment if
2774
the variable's value contains
2775
.Ql %
2776
or
2777
.Ql /
2778
characters.
2779
This can be used to guard against printf-style format vulnerabilities
2780
in poorly-written programs.
2781
The argument may be a double-quoted, space-separated list or a
2782
single value without double-quotes.
2783
The list can be replaced, added to, deleted from, or disabled by using
2784
the
2785
.Li = ,
2786
.Li += ,
2787
.Li -= ,
2788
and
2789
.Li \&!
2790
operators respectively.
2791
Regardless of whether the
2792
.Li env_reset
2793
option is enabled or disabled, variables specified by
2794
.Li env_check
2795
will be preserved in the environment if they pass the aforementioned check.
2796
The default list of environment variables to check is displayed when
2797
.Nm sudo
2798
is run by root with
2799
the
2800
.Fl V
2801
option.
2802
.It env_delete
2803
Environment variables to be removed from the user's environment when the
2804
.Em env_reset
2805
option is not in effect.
2806
The argument may be a double-quoted, space-separated list or a
2807
single value without double-quotes.
2808
The list can be replaced, added to, deleted from, or disabled by using the
2809
.Li = ,
2810
.Li += ,
2811
.Li -= ,
2812
and
2813
.Li \&!
2814
operators respectively.
2815
The default list of environment variables to remove is displayed when
2816
.Nm sudo
2817
is run by root with the
2818
.Fl V
2819
option.
2820
Note that many operating systems will remove potentially dangerous
2821
variables from the environment of any setuid process (such as
2822
.Nm sudo ) .
2823
.It env_keep
2824
Environment variables to be preserved in the user's environment when the
2825
.Em env_reset
2826
option is in effect.
2827
This allows fine-grained control over the environment
2828
.Nm sudo Ns No -spawned
2829
processes will receive.
2830
The argument may be a double-quoted, space-separated list or a
2831
single value without double-quotes.
2832
The list can be replaced, added to, deleted from, or disabled by using the
2833
.Li = ,
2834
.Li += ,
2835
.Li -= ,
2836
and
2837
.Li \&!
2838
operators respectively.
2839
The default list of variables to keep
2840
is displayed when
2841
.Nm sudo
2842
is run by root with the
2843
.Fl V
2844
option.
2845
.El
2846
.Sh LOG FORMAT
2847
.Nm sudoers
2848
can log events using either
2849
.Xr syslog 3
2850
or a simple log file.
2851
In each case the log format is almost identical.
2852
.Ss Accepted command log entries
2853
Commands that sudo runs are logged using the following format (split
2854
into multiple lines for readability):
2855
.Bd -literal -offset 4n
2856
date hostname progname: username : TTY=ttyname ; PWD=cwd ; \e
2857
USER=runasuser ; GROUP=runasgroup ; TSID=logid ; \e
2858
ENV=env_vars COMMAND=command
2859
.Ed
2860
.Pp
2861
Where the fields are as follows:
2862
.Bl -tag -width 12n
2863
.It date
2864
The date the command was run.
2865
Typically, this is in the format
2866
.Dq MMM, DD, HH:MM:SS .
2867
If logging via
2868
.Xr syslog 3 ,
2869
the actual date format is controlled by the syslog daemon.
2870
If logging to a file and the
2871
.Em log_year
2872
option is enabled,
2873
the date will also include the year.
2874
.It hostname
2875
The name of the host
2876
.Nm sudo
2877
was run on.
2878
This field is only present when logging via
2879
.Xr syslog 3 .
2880
.It progname
2881
The name of the program, usually
2882
.Em sudo
2883
or
2884
.Em sudoedit .
2885
This field is only present when logging via
2886
.Xr syslog 3 .
2887
.It username
2888
The login name of the user who ran
2889
.Nm sudo .
2890
.It ttyname
2891
The short name of the terminal (e.g.\&
2892
.Dq console ,
2893
.Dq tty01 ,
2894
or
2895
.Dq pts/0 )
2896
.Nm sudo
2897
was run on, or
2898
.Dq unknown
2899
if there was no terminal present.
2900
.It cwd
2901
The current working directory that
2902
.Nm sudo
2903
was run in.
2904
.It runasuser
2905
The user the command was run as.
2906
.It runasgroup
2907
The group the command was run as if one was specified on the command line.
2908
.It logid
2909
An I/O log identifier that can be used to replay the command's output.
2910
This is only present when the
2911
.Em log_input
2912
or
2913
.Em log_output
2914
option is enabled.
2915
.It env_vars
2916
A list of environment variables specified on the command line,
2917
if specified.
2918
.It command
2919
The actual command that was executed.
2920
.El
2921
.Pp
2922
Messages are logged using the locale specified by
2923
.Em sudoers_locale ,
2924
which defaults to the
2925
.Dq Li C
2926
locale.
2927
.Ss Denied command log entries
2928
If the user is not allowed to run the command, the reason for the denial
2929
will follow the user name.
2930
Possible reasons include:
2931
.Bl -tag -width 4
2932
.It user NOT in sudoers
2933
The user is not listed in the
2934
.Em sudoers
2935
file.
2936
.It user NOT authorized on host
2937
The user is listed in the
2938
.Em sudoers
2939
file but is not allowed to run commands on the host.
2940
.It command not allowed
2941
The user is listed in the
2942
.Em sudoers
2943
file for the host but they are not allowed to run the specified command.
2944
.It 3 incorrect password attempts
2945
The user failed to enter their password after 3 tries.
2946
The actual number of tries will vary based on the number of
2947
failed attempts and the value of the
2948
.Em passwd_tries
2949
option.
2950
.It a password is required
2951
.Nm sudo Ns No 's
2952
.Fl n
2953
option was specified but a password was required.
2954
.It sorry, you are not allowed to set the following environment variables
2955
The user specified environment variables on the command line that
2956
were not allowed by
2957
.Em sudoers .
2958
.El
2959
.Ss Error log entries
2960
If an error occurs,
2961
.Nm sudoers
2962
will log a message and, in most cases, send a message to the
2963
administrator via email.
2964
Possible errors include:
2965
.Bl -tag -width 4
2966
.It parse error in @sysconfdir@/sudoers near line N
2967
.Nm sudoers
2968
encountered an error when parsing the specified file.
2969
In some cases, the actual error may be one line above or below the
2970
line number listed, depending on the type of error.
2971
.It problem with defaults entries
2972
The
2973
.Em sudoers
2974
file contains one or more unknown Defaults settings.
2975
This does not prevent
2976
.Nm sudo
2977
from running, but the
2978
.Em sudoers
2979
file should be checked using
2980
.Nm visudo .
2981
.It timestamp owner (username): \&No such user
2982
The time stamp directory owner, as specified by the
2983
.Em timestampowner
2984
setting, could not be found in the password database.
2985
.It unable to open/read @sysconfdir@/sudoers
2986
The
2987
.Em sudoers
2988
file could not be opened for reading.
2989
This can happen when the
2990
.Em sudoers
2991
file is located on a remote file system that maps user ID 0 to
2992
a different value.
2993
Normally,
2994
.Nm sudoers
2995
tries to open
2996
.Em sudoers
2997
using group permissions to avoid this problem.
2998
Consider changing the ownership of
2999
.Pa @sysconfdir@/sudoers
3000
by adding an option like
3001
.Dq sudoers_uid=N
3002
(where
3003
.Sq N
3004
is the user ID that owns the
3005
.Em sudoers
3006
file) to the
3007
.Nm sudoers
3008
plugin line in the
3009
.Pa @sysconfdir@/sudo.conf
3010
file.
3011
.It unable to stat @sysconfdir@/sudoers
3012
The
3013
.Pa @sysconfdir@/sudoers
3014
file is missing.
3015
.It @sysconfdir@/sudoers is not a regular file
3016
The
3017
.Pa @sysconfdir@/sudoers
3018
file exists but is not a regular file or symbolic link.
3019
.It @sysconfdir@/sudoers is owned by uid N, should be 0
3020
The
3021
.Em sudoers
3022
file has the wrong owner.
3023
If you wish to change the
3024
.Em sudoers
3025
file owner, please add
3026
.Dq sudoers_uid=N
3027
(where
3028
.Sq N
3029
is the user ID that owns the
3030
.Em sudoers
3031
file) to the
3032
.Nm sudoers
3033
plugin line in the
3034
.Pa @sysconfdir@/sudo.conf
3035
file.
3036
.It @sysconfdir@/sudoers is world writable
3037
The permissions on the
3038
.Em sudoers
3039
file allow all users to write to it.
3040
The
3041
.Em sudoers
3042
file must not be world-writable, the default file mode
3043
is 0440 (readable by owner and group, writable by none).
3044
The default mode may be changed via the
3045
.Dq sudoers_mode
3046
option to the
3047
.Nm sudoers
3048
plugin line in the
3049
.Pa @sysconfdir@/sudo.conf
3050
file.
3051
.It @sysconfdir@/sudoers is owned by gid N, should be 1
3052
The
3053
.Em sudoers
3054
file has the wrong group ownership.
3055
If you wish to change the
3056
.Em sudoers
3057
file group ownership, please add
3058
.Dq sudoers_gid=N
3059
(where
3060
.Sq N
3061
is the group ID that owns the
3062
.Em sudoers
3063
file) to the
3064
.Nm sudoers
3065
plugin line in the
3066
.Pa @sysconfdir@/sudo.conf
3067
file.
3068
.It unable to open @timedir@/username/ttyname
3069
.Em sudoers
3070
was unable to read or create the user's time stamp file.
3071
.It unable to write to @timedir@/username/ttyname
3072
.Em sudoers
3073
was unable to write to the user's time stamp file.
3074
.It unable to mkdir to @timedir@/username
3075
.Em sudoers
3076
was unable to create the user's time stamp directory.
3077
.El
3078
.Ss Notes on logging via syslog
3079
By default,
3080
.Em sudoers
3081
logs messages via
3082
.Xr syslog 3 .
3083
The
3084
.Em date ,
3085
.Em hostname ,
3086
and
3087
.Em progname
3088
fields are added by the syslog daemon, not
3089
.Em sudoers
3090
itself.
3091
As such, they may vary in format on different systems.
3092
.Pp
3093
On most systems,
3094
.Xr syslog 3
3095
has a relatively small log buffer.
3096
To prevent the command line arguments from being truncated,
3097
.Nm sudoers
3098
will split up log messages that are larger than 960 characters
3099
(not including the date, hostname, and the string
3100
.Dq sudo ) .
3101
When a message is split, additional parts will include the string
3102
.Dq Pq command continued
3103
after the user name and before the continued command line arguments.
3104
.Ss Notes on logging to a file
3105
If the
3106
.Em logfile
3107
option is set,
3108
.Em sudoers
3109
will log to a local file, such as
3110
.Pa /var/log/sudo .
3111
When logging to a file,
3112
.Em sudoers
3113
uses a format similar to
3114
.Xr syslog 3 ,
3115
with a few important differences:
3116
.Bl -enum
3117
.It
3118
The
3119
.Em progname
3120
and
3121
.Em hostname
3122
fields are not present.
3123
.It
3124
If the
3125
.Em log_year
3126
option is enabled,
3127
the date will also include the year.
3128
.It
3129
Lines that are longer than
3130
.Em loglinelen
3131
characters (80 by default) are word-wrapped and continued on the
3132
next line with a four character indent.
3133
This makes entries easier to read for a human being, but makes it
3134
more difficult to use
3135
.Xr grep 1
3136
on the log files.
3137
If the
3138
.Em loglinelen
3139
option is set to 0 (or negated with a
3140
.Ql \&! ) ,
3141
word wrap will be disabled.
3142
.El
3143
.Sh SUDO.CONF
3144
The
3145
.Pa @sysconfdir@/sudo.conf
3146
file determines which plugins the
3147
.Nm sudo
3148
front end will load.
3149
If no
3150
.Pa @sysconfdir@/sudo.conf
3151
file
3152
is present, or it contains no
3153
.Li Plugin
3154
lines,
3155
.Nm sudo
3156
will use the
3157
.Em sudoers
3158
security policy and I/O logging, which corresponds to the following
3159
.Pa @sysconfdir@/sudo.conf
3160
file.
3161
.Bd -literal
3162
#
3163
# Default @sysconfdir@/sudo.conf file
3164
#
3165
# Format:
3166
# Plugin plugin_name plugin_path plugin_options ...
3167
# Path askpass /path/to/askpass
3168
# Path noexec /path/to/sudo_noexec.so
3169
# Debug sudo /var/log/sudo_debug all@warn
3170
# Set disable_coredump true
3171
#
3172
# The plugin_path is relative to @prefix@/libexec unless
3173
# fully qualified.
3174
# The plugin_name corresponds to a global symbol in the plugin
3175
# that contains the plugin interface structure.
3176
# The plugin_options are optional.
3177
#
3178
Plugin policy_plugin sudoers.so
3179
Plugin io_plugin sudoers.so
3180
.Ed
3181
.Ss Plugin options
3182
Starting with
3183
.Nm sudo
3184
1.8.5, it is possible to pass options to the
3185
.Em sudoers
3186
plugin.
3187
Options may be listed after the path to the plugin (i.e.\& after
3188
.Pa sudoers.so ) ;
3189
multiple options should be space-separated.
3190
For example:
3191
.Bd -literal
3192
Plugin sudoers_policy sudoers.so sudoers_file=/etc/sudoers sudoers_uid=0 sudoers_gid=0 sudoers_mode=0440
3193
.Ed
3194
.Pp
3195
The following plugin options are supported:
3196
.Bl -tag -width 8n
3197
.It sudoers_file=pathname
3198
The
3199
.Em sudoers_file
3200
option can be used to override the default path
3201
to the
3202
.Em sudoers
3203
file.
3204
.It sudoers_uid=uid
3205
The
3206
.Em sudoers_uid
3207
option can be used to override the default owner of the sudoers file.
3208
It should be specified as a numeric user ID.
3209
.It sudoers_gid=gid
3210
The
3211
.Em sudoers_gid
3212
option can be used to override the default group of the sudoers file.
3213
It should be specified as a numeric group ID.
3214
.It sudoers_mode=mode
3215
The
3216
.Em sudoers_mode
3217
option can be used to override the default file mode for the sudoers file.
3218
It should be specified as an octal value.
3219
.El
3220
.Ss Debug flags
3221
Versions 1.8.4 and higher of the
3222
.Em sudoers
3223
plugin supports a debugging framework that can help track down what the
3224
plugin is doing internally if there is a problem.
3225
This can be configured in the
3226
.Pa @sysconfdir@/sudo.conf
3227
file as described in
3228
.Xr sudo @mansectsu@ .
3229
.Pp
3230
The
3231
.Em sudoers
3232
plugin uses the same debug flag format as the
3233
.Nm sudo
3234
front-end:
3235
.Em subsystem Ns No @ Ns Em priority .
3236
.Pp
3237
The priorities used by
3238
.Em sudoers ,
3239
in order of decreasing severity,
3240
are:
3241
.Em crit ,
3242
.Em err ,
3243
.Em warn ,
3244
.Em notice ,
3245
.Em diag ,
3246
.Em info ,
3247
.Em trace
3248
and
3249
.Em debug .
3250
Each priority, when specified, also includes all priorities higher than it.
3251
For example, a priority of
3252
.Em notice
3253
would include debug messages logged at
3254
.Em notice
3255
and higher.
3256
.Pp
3257
The following subsystems are used by
3258
.Em sudoers :
3259
.Bl -tag -width 8n
3260
.It Em alias
3261
.Li User_Alias ,
3262
.Li Runas_Alias ,
3263
.Li Host_Alias
3264
and
3265
.Li Cmnd_Alias
3266
processing
3267
.It Em all
3268
matches every subsystem
3269
.It Em audit
3270
BSM and Linux audit code
3271
.It Em auth
3272
user authentication
3273
.It Em defaults
3274
.Em sudoers
3275
.Em Defaults
3276
settings
3277
.It Em env
3278
environment handling
3279
.It Em ldap
3280
LDAP-based sudoers
3281
.It Em logging
3282
logging support
3283
.It Em match
3284
matching of users, groups, hosts and netgroups in
3285
.Em sudoers
3286
.It Em netif
3287
network interface handling
3288
.It Em nss
3289
network service switch handling in
3290
.Em sudoers
3291
.It Em parser
3292
.Em sudoers
3293
file parsing
3294
.It Em perms
3295
permission setting
3296
.It Em plugin
3297
The equivalent of
3298
.Em main
3299
for the plugin.
3300
.It Em pty
3301
pseudo-tty related code
3302
.It Em rbtree
3303
redblack tree internals
3304
.It Em util
3305
utility functions
3306
.El
3307
.Sh FILES
3308
.Bl -tag -width 24n
3309
.It Pa @sysconfdir@/sudo.conf
3310
Sudo front end configuration
3311
.It Pa @sysconfdir@/sudoers
3312
List of who can run what
3313
.It Pa /etc/group
3314
Local groups file
3315
.It Pa /etc/netgroup
3316
List of network groups
3317
.It Pa @iolog_dir@
3318
I/O log files
3319
.It Pa @timedir@
3320
Directory containing time stamps for the
3321
.Em sudoers
3322
security policy
3323
.It Pa /etc/environment
3324
Initial environment for
3325
.Fl i
3326
mode on AIX and Linux systems
3327
.El
3328
.Sh EXAMPLES
3329
Below are example
3330
.Em sudoers
3331
entries.
3332
Admittedly, some of these are a bit contrived.
3333
First, we allow a few environment variables to pass and then define our
3334
.Em aliases :
3335
.Bd -literal
3336
# Run X applications through sudo; HOME is used to find the
3337
# .Xauthority file. Note that other programs use HOME to find
3338
# configuration files and this may lead to privilege escalation!
3339
Defaults env_keep += "DISPLAY HOME"
3340
3341
# User alias specification
3342
User_Alias FULLTIMERS = millert, mikef, dowdy
3343
User_Alias PARTTIMERS = bostley, jwfox, crawl
3344
User_Alias WEBMASTERS = will, wendy, wim
3345
3346
# Runas alias specification
3347
Runas_Alias OP = root, operator
3348
Runas_Alias DB = oracle, sybase
3349
Runas_Alias ADMINGRP = adm, oper
3350
3351
# Host alias specification
3352
Host_Alias SPARC = bigtime, eclipse, moet, anchor :\e
3353
SGI = grolsch, dandelion, black :\e
3354
ALPHA = widget, thalamus, foobar :\e
3355
HPPA = boa, nag, python
3356
Host_Alias CUNETS = 128.138.0.0/255.255.0.0
3357
Host_Alias CSNETS = 128.138.243.0, 128.138.204.0/24, 128.138.242.0
3358
Host_Alias SERVERS = master, mail, www, ns
3359
Host_Alias CDROM = orion, perseus, hercules
3360
3361
# Cmnd alias specification
3362
Cmnd_Alias DUMPS = /usr/bin/mt, /usr/sbin/dump, /usr/sbin/rdump,\e
3363
/usr/sbin/restore, /usr/sbin/rrestore
3364
Cmnd_Alias KILL = /usr/bin/kill
3365
Cmnd_Alias PRINTING = /usr/sbin/lpc, /usr/bin/lprm
3366
Cmnd_Alias SHUTDOWN = /usr/sbin/shutdown
3367
Cmnd_Alias HALT = /usr/sbin/halt
3368
Cmnd_Alias REBOOT = /usr/sbin/reboot
3369
Cmnd_Alias SHELLS = /usr/bin/sh, /usr/bin/csh, /usr/bin/ksh,\e
3370
/usr/local/bin/tcsh, /usr/bin/rsh,\e
3371
/usr/local/bin/zsh
3372
Cmnd_Alias SU = /usr/bin/su
3373
Cmnd_Alias PAGERS = /usr/bin/more, /usr/bin/pg, /usr/bin/less
3374
.Ed
3375
.Pp
3376
Here we override some of the compiled in default values.
3377
We want
3378
.Nm sudo
3379
to log via
3380
.Xr syslog 3
3381
using the
3382
.Em auth
3383
facility in all cases.
3384
We don't want to subject the full time staff to the
3385
.Nm sudo
3386
lecture, user
3387
.Sy millert
3388
need not give a password, and we don't want to reset the
3389
.Ev LOGNAME ,
3390
.Ev USER
3391
or
3392
.Ev USERNAME
3393
environment variables when running commands as root.
3394
Additionally, on the machines in the
3395
.Em SERVERS
3396
.Li Host_Alias ,
3397
we keep an additional local log file and make sure we log the year
3398
in each log line since the log entries will be kept around for several years.
3399
Lastly, we disable shell escapes for the commands in the PAGERS
3400
.Li Cmnd_Alias
3401
.Po
3402
.Pa /usr/bin/more ,
3403
.Pa /usr/bin/pg
3404
and
3405
.Pa /usr/bin/less
3406
.Pc .
3407
.Bd -literal
3408
# Override built-in defaults
3409
Defaults syslog=auth
3410
Defaults>root !set_logname
3411
Defaults:FULLTIMERS !lecture
3412
Defaults:millert !authenticate
3413
Defaults@SERVERS log_year, logfile=/var/log/sudo.log
3414
Defaults!PAGERS noexec
3415
.Ed
3416
.Pp
3417
The
3418
.Em User specification
3419
is the part that actually determines who may run what.
3420
.Bd -literal
3421
root ALL = (ALL) ALL
3422
%wheel ALL = (ALL) ALL
3423
.Ed
3424
.Pp
3425
We let
3426
.Sy root
3427
and any user in group
3428
.Sy wheel
3429
run any command on any host as any user.
3430
.Bd -literal
3431
FULLTIMERS ALL = NOPASSWD: ALL
3432
.Ed
3433
.Pp
3434
Full time sysadmins
3435
.Po
3436
.Sy millert ,
3437
.Sy mikef ,
3438
and
3439
.Sy dowdy
3440
.Pc
3441
may run any command on any host without authenticating themselves.
3442
.Bd -literal
3443
PARTTIMERS ALL = ALL
3444
.Ed
3445
.Pp
3446
Part time sysadmins
3447
.Sy bostley ,
3448
.Sy jwfox ,
3449
and
3450
.Sy crawl )
3451
may run any command on any host but they must authenticate themselves
3452
first (since the entry lacks the
3453
.Li NOPASSWD
3454
tag).
3455
.Bd -literal
3456
jack CSNETS = ALL
3457
.Ed
3458
.Pp
3459
The user
3460
.Sy jack
3461
may run any command on the machines in the
3462
.Em CSNETS
3463
alias (the networks
3464
.Li 128.138.243.0 ,
3465
.Li 128.138.204.0 ,
3466
and
3467
.Li 128.138.242.0 ) .
3468
Of those networks, only
3469
.Li 128.138.204.0
3470
has an explicit netmask (in CIDR notation) indicating it is a class C network.
3471
For the other networks in
3472
.Em CSNETS ,
3473
the local machine's netmask will be used during matching.
3474
.Bd -literal
3475
lisa CUNETS = ALL
3476
.Ed
3477
.Pp
3478
The user
3479
.Sy lisa
3480
may run any command on any host in the
3481
.Em CUNETS
3482
alias (the class B network
3483
.Li 128.138.0.0 ) .
3484
.Bd -literal
3485
operator ALL = DUMPS, KILL, SHUTDOWN, HALT, REBOOT, PRINTING,\e
3486
sudoedit /etc/printcap, /usr/oper/bin/
3487
.Ed
3488
.Pp
3489
The
3490
.Sy operator
3491
user may run commands limited to simple maintenance.
3492
Here, those are commands related to backups, killing processes, the
3493
printing system, shutting down the system, and any commands in the
3494
directory
3495
.Pa /usr/oper/bin/ .
3496
.Bd -literal
3497
joe ALL = /usr/bin/su operator
3498
.Ed
3499
.Pp
3500
The user
3501
.Sy joe
3502
may only
3503
.Xr su 1
3504
to operator.
3505
.Bd -literal
3506
pete HPPA = /usr/bin/passwd [A-Za-z]*, !/usr/bin/passwd root
3507
3508
%opers ALL = (: ADMINGRP) /usr/sbin/
3509
.Ed
3510
.Pp
3511
Users in the
3512
.Sy opers
3513
group may run commands in
3514
.Pa /usr/sbin/
3515
as themselves
3516
with any group in the
3517
.Em ADMINGRP
3518
.Li Runas_Alias
3519
(the
3520
.Sy adm
3521
and
3522
.Sy oper
3523
groups).
3524
.Pp
3525
The user
3526
.Sy pete
3527
is allowed to change anyone's password except for
3528
root on the
3529
.Em HPPA
3530
machines.
3531
Note that this assumes
3532
.Xr passwd 1
3533
does not take multiple user names on the command line.
3534
.Bd -literal
3535
bob SPARC = (OP) ALL : SGI = (OP) ALL
3536
.Ed
3537
.Pp
3538
The user
3539
.Sy bob
3540
may run anything on the
3541
.Em SPARC
3542
and
3543
.Em SGI
3544
machines as any user listed in the
3545
.Em OP
3546
.Li Runas_Alias
3547
.Po
3548
.Sy root
3549
and
3550
.Sy operator .
3551
.Pc
3552
.Bd -literal
3553
jim +biglab = ALL
3554
.Ed
3555
.Pp
3556
The user
3557
.Sy jim
3558
may run any command on machines in the
3559
.Em biglab
3560
netgroup.
3561
.Nm sudo
3562
knows that
3563
.Dq biglab
3564
is a netgroup due to the
3565
.Ql +
3566
prefix.
3567
.Bd -literal
3568
+secretaries ALL = PRINTING, /usr/bin/adduser, /usr/bin/rmuser
3569
.Ed
3570
.Pp
3571
Users in the
3572
.Sy secretaries
3573
netgroup need to help manage the printers as well as add and remove users,
3574
so they are allowed to run those commands on all machines.
3575
.Bd -literal
3576
fred ALL = (DB) NOPASSWD: ALL
3577
.Ed
3578
.Pp
3579
The user
3580
.Sy fred
3581
can run commands as any user in the
3582
.Em DB
3583
.Li Runas_Alias
3584
.Po
3585
.Sy oracle
3586
or
3587
.Sy sybase
3588
.Pc
3589
without giving a password.
3590
.Bd -literal
3591
john ALPHA = /usr/bin/su [!-]*, !/usr/bin/su *root*
3592
.Ed
3593
.Pp
3594
On the
3595
.Em ALPHA
3596
machines, user
3597
.Sy john
3598
may su to anyone except root but he is not allowed to specify any options
3599
to the
3600
.Xr su 1
3601
command.
3602
.Bd -literal
3603
jen ALL, !SERVERS = ALL
3604
.Ed
3605
.Pp
3606
The user
3607
.Sy jen
3608
may run any command on any machine except for those in the
3609
.Em SERVERS
3610
.Li Host_Alias
3611
(master, mail, www and ns).
3612
.Bd -literal
3613
jill SERVERS = /usr/bin/, !SU, !SHELLS
3614
.Ed
3615
.Pp
3616
For any machine in the
3617
.Em SERVERS
3618
.Li Host_Alias ,
3619
.Sy jill
3620
may run
3621
any commands in the directory
3622
.Pa /usr/bin/
3623
except for those commands
3624
belonging to the
3625
.Em SU
3626
and
3627
.Em SHELLS
3628
.Li Cmnd_Aliases .
3629
.Bd -literal
3630
steve CSNETS = (operator) /usr/local/op_commands/
3631
.Ed
3632
.Pp
3633
The user
3634
.Sy steve
3635
may run any command in the directory /usr/local/op_commands/
3636
but only as user operator.
3637
.Bd -literal
3638
matt valkyrie = KILL
3639
.Ed
3640
.Pp
3641
On his personal workstation, valkyrie,
3642
.Sy matt
3643
needs to be able to kill hung processes.
3644
.Bd -literal
3645
WEBMASTERS www = (www) ALL, (root) /usr/bin/su www
3646
.Ed
3647
.Pp
3648
On the host www, any user in the
3649
.Em WEBMASTERS
3650
.Li User_Alias
3651
(will, wendy, and wim), may run any command as user www (which owns the
3652
web pages) or simply
3653
.Xr su 1
3654
to www.
3655
.Bd -literal
3656
ALL CDROM = NOPASSWD: /sbin/umount /CDROM,\e
3657
/sbin/mount -o nosuid\,nodev /dev/cd0a /CDROM
3658
.Ed
3659
.Pp
3660
Any user may mount or unmount a CD-ROM on the machines in the CDROM
3661
.Li Host_Alias
3662
(orion, perseus, hercules) without entering a password.
3663
This is a bit tedious for users to type, so it is a prime candidate
3664
for encapsulating in a shell script.
3665
.Sh SECURITY NOTES
3666
.Ss Limitations of the So !\& Sc operator
3667
It is generally not effective to
3668
.Dq subtract
3669
commands from
3670
.Sy ALL
3671
using the
3672
.Ql !\&
3673
operator.
3674
A user can trivially circumvent this by copying the desired command
3675
to a different name and then executing that.
3676
For example:
3677
.Bd -literal
3678
bill ALL = ALL, !SU, !SHELLS
3679
.Ed
3680
.Pp
3681
Doesn't really prevent
3682
.Sy bill
3683
from running the commands listed in
3684
.Em SU
3685
or
3686
.Em SHELLS
3687
since he can simply copy those commands to a different name, or use
3688
a shell escape from an editor or other program.
3689
Therefore, these kind of restrictions should be considered
3690
advisory at best (and reinforced by policy).
3691
.Pp
3692
In general, if a user has sudo
3693
.Sy ALL
3694
there is nothing to prevent them from creating their own program that gives
3695
them a root shell (or making their own copy of a shell) regardless of any
3696
.Ql !\&
3697
elements in the user specification.
3698
.Ss Security implications of Em fast_glob
3699
If the
3700
.Em fast_glob
3701
option is in use, it is not possible to reliably negate commands where the
3702
path name includes globbing (aka wildcard) characters.
3703
This is because the C library's
3704
.Xr fnmatch 3
3705
function cannot resolve relative paths.
3706
While this is typically only an inconvenience for rules that grant privileges,
3707
it can result in a security issue for rules that subtract or revoke privileges.
3708
.Pp
3709
For example, given the following
3710
.Em sudoers
3711
entry:
3712
.Bd -literal
3713
john ALL = /usr/bin/passwd [a-zA-Z0-9]*, /usr/bin/chsh [a-zA-Z0-9]*,\e
3714
/usr/bin/chfn [a-zA-Z0-9]*, !/usr/bin/* root
3715
.Ed
3716
.Pp
3717
User
3718
.Sy john
3719
can still run
3720
.Li /usr/bin/passwd root
3721
if
3722
.Em fast_glob
3723
is enabled by changing to
3724
.Pa /usr/bin
3725
and running
3726
.Li ./passwd root
3727
instead.
3728
.Ss Preventing shell escapes
3729
Once
3730
.Nm sudo
3731
executes a program, that program is free to do whatever
3732
it pleases, including run other programs.
3733
This can be a security issue since it is not uncommon for a program to
3734
allow shell escapes, which lets a user bypass
3735
.Nm sudo Ns No 's
3736
access control and logging.
3737
Common programs that permit shell escapes include shells (obviously),
3738
editors, paginators, mail and terminal programs.
3739
.Pp
3740
There are two basic approaches to this problem:
3741
.Bl -tag -width 8n
3742
.It restrict
3743
Avoid giving users access to commands that allow the user to run
3744
arbitrary commands.
3745
Many editors have a restricted mode where shell
3746
escapes are disabled, though
3747
.Nm sudoedit
3748
is a better solution to
3749
running editors via
3750
.Nm sudo .
3751
Due to the large number of programs that
3752
offer shell escapes, restricting users to the set of programs that
3753
do not is often unworkable.
3754
.It noexec
3755
Many systems that support shared libraries have the ability to
3756
override default library functions by pointing an environment
3757
variable (usually
3758
.Ev LD_PRELOAD )
3759
to an alternate shared library.
3760
On such systems,
3761
.Nm sudo Ns No 's
3762
.Em noexec
3763
functionality can be used to prevent a program run by
3764
.Nm sudo
3765
from executing any other programs.
3766
Note, however, that this applies only to native dynamically-linked
3767
executables.
3768
Statically-linked executables and foreign executables
3769
running under binary emulation are not affected.
3770
.Pp
3771
The
3772
.Em noexec
3773
feature is known to work on SunOS, Solaris, *BSD,
3774
Linux, IRIX, Tru64 UNIX, MacOS X, HP-UX 11.x and AIX 5.3 and above.
3775
It should be supported on most operating systems that support the
3776
.Ev LD_PRELOAD
3777
environment variable.
3778
Check your operating system's manual pages for the dynamic linker
3779
(usually ld.so, ld.so.1, dyld, dld.sl, rld, or loader) to see if
3780
.Ev LD_PRELOAD
3781
is supported.
3782
.Pp
3783
On Solaris 10 and higher,
3784
.Em noexec
3785
uses Solaris privileges instead of the
3786
.Ev LD_PRELOAD
3787
environment variable.
3788
.Pp
3789
To enable
3790
.Em noexec
3791
for a command, use the
3792
.Li NOEXEC
3793
tag as documented
3794
in the User Specification section above.
3795
Here is that example again:
3796
.Bd -literal
3797
aaron shanty = NOEXEC: /usr/bin/more, /usr/bin/vi
3798
.Ed
3799
.Pp
3800
This allows user
3801
.Sy aaron
3802
to run
3803
.Pa /usr/bin/more
3804
and
3805
.Pa /usr/bin/vi
3806
with
3807
.Em noexec
3808
enabled.
3809
This will prevent those two commands from
3810
executing other commands (such as a shell).
3811
If you are unsure whether or not your system is capable of supporting
3812
.Em noexec
3813
you can always just try it out and check whether shell escapes work when
3814
.Em noexec
3815
is enabled.
3816
.El
3817
.Pp
3818
Note that restricting shell escapes is not a panacea.
3819
Programs running as root are still capable of many potentially hazardous
3820
operations (such as changing or overwriting files) that could lead
3821
to unintended privilege escalation.
3822
In the specific case of an editor, a safer approach is to give the
3823
user permission to run
3824
.Nm sudoedit .
3825
.Ss Time stamp file checks
3826
.Em sudoers
3827
will check the ownership of its time stamp directory
3828
.Po
3829
.Pa @timedir@
3830
by default
3831
.Pc
3832
and ignore the directory's contents if it is not owned by root or
3833
if it is writable by a user other than root.
3834
On systems that allow non-root users to give away files via
3835
.Xr chown 2 ,
3836
if the time stamp directory is located in a world-writable
3837
directory (e.g.\&,
3838
.Pa /tmp ) ,
3839
it is possible for a user to create the time stamp directory before
3840
.Nm sudo
3841
is run.
3842
However, because
3843
.Em sudoers
3844
checks the ownership and mode of the directory and its
3845
contents, the only damage that can be done is to
3846
.Dq hide
3847
files by putting them in the time stamp dir.
3848
This is unlikely to happen since once the time stamp dir is owned by root
3849
and inaccessible by any other user, the user placing files there would be
3850
unable to get them back out.
3851
.Pp
3852
.Em sudoers
3853
will not honor time stamps set far in the future.
3854
Time stamps with a date greater than current_time + 2 *
3855
.Li TIMEOUT
3856
will be ignored and sudo will log and complain.
3857
This is done to keep a user from creating his/her own time stamp with a
3858
bogus date on systems that allow users to give away files if the time
3859
stamp directory is located in a world-writable directory.
3860
.Pp
3861
On systems where the boot time is available,
3862
.Em sudoers
3863
will ignore time stamps that date from before the machine booted.
3864
.Pp
3865
Since time stamp files live in the file system, they can outlive a
3866
user's login session.
3867
As a result, a user may be able to login, run a command with
3868
.Nm sudo
3869
after authenticating, logout, login again, and run
3870
.Nm sudo
3871
without authenticating so long as the time stamp file's modification
3872
time is within
3873
.Li @timeout@
3874
minutes (or whatever the timeout is set to in
3875
.Em sudoers ) .
3876
When the
3877
.Em tty_tickets
3878
option is enabled, the time stamp has per-tty granularity but still
3879
may outlive the user's session.
3880
On Linux systems where the devpts filesystem is used, Solaris systems
3881
with the devices filesystem, as well as other systems that utilize a
3882
devfs filesystem that monotonically increase the inode number of devices
3883
as they are created (such as Mac OS X),
3884
.Em sudoers
3885
is able to determine when a tty-based time stamp file is stale and will
3886
ignore it.
3887
Administrators should not rely on this feature as it is not universally
3888
available.
3889
.Sh SEE ALSO
3890
.Xr ssh 1 ,
3891
.Xr su 1 ,
3892
.Xr fnmatch 3 ,
3893
.Xr glob 3 ,
3894
.Xr mktemp 3 ,
3895
.Xr strftime 3 ,
3896
.Xr sudoers.ldap @mansectform@ ,
3897
.Xr sudo_plugin @mansectsu@ ,
3898
.Xr sudo @mansectsu@ ,
3899
.Xr visudo @mansectsu@
3900
.Sh CAVEATS
3901
The
3902
.Em sudoers
3903
file should
3904
.Sy always
3905
be edited by the
3906
.Nm visudo
3907
command which locks the file and does grammatical checking.
3908
It is
3909
imperative that
3910
.Em sudoers
3911
be free of syntax errors since
3912
.Nm sudo
3913
will not run with a syntactically incorrect
3914
.Em sudoers
3915
file.
3916
.Pp
3917
When using netgroups of machines (as opposed to users), if you
3918
store fully qualified host name in the netgroup (as is usually the
3919
case), you either need to have the machine's host name be fully qualified
3920
as returned by the
3921
.Li hostname
3922
command or use the
3923
.Em fqdn
3924
option in
3925
.Em sudoers .
3926
.Sh BUGS
3927
If you feel you have found a bug in
3928
.Nm sudo ,
3929
please submit a bug report at http://www.sudo.ws/sudo/bugs/
3930
.Sh SUPPORT
3931
Limited free support is available via the sudo-users mailing list,
3932
see http://www.sudo.ws/mailman/listinfo/sudo-users to subscribe or
3933
search the archives.
3934
.Sh DISCLAIMER
3935
.Nm sudo
3936
is provided
3937
.Dq AS IS
3938
and any express or implied warranties, including, but not limited
3939
to, the implied warranties of merchantability and fitness for a
3940
particular purpose are disclaimed.
3941
See the LICENSE file distributed with
3942
.Nm sudo
3943
or http://www.sudo.ws/sudo/license.html for complete details.
Loggerhead is a web-based interface for Breezy
Version: 2.0.1