version 1.7, 2001/09/17 23:49:21 (diff against version 1.6, 2001/01/09 18:15:31)

''' $RCSfile$$Revision$$Date$
'''
''' $Log$
''' Revision 1.7 2001/09/17 23:49:21 pjanzen
''' Typo and grammar fixes, one from PR/2058 (Dennis Schwarz); ok millert@
'''
''' Revision 1.6 2001/01/09 18:15:31 krw
''' Typos: 'eg.' -> 'e.g.'
'''

.\" Ip Item
.\" X<> Xref (embedded
.\" Of course, you have to process the output yourself
.\" in some meaningful fashion.
.if \nF \{
.de IX
.tm Index:\\$1\t\\n%\t"\\$2"

.SH "NAME"
sudoers \- list of which users may execute what
.SH "DESCRIPTION"
The \fIsudoers\fR file is composed of two types of entries:
aliases (basically variables) and user specifications
(which specify who may run what). The grammar of \fIsudoers\fR
will be described below in Extended Backus-Naur Form (EBNF).
Don't despair if you don't know what EBNF is; it is fairly
simple, and the definitions below are annotated.
.Sh "Quick guide to \s-1EBNF\s0"
\s-1EBNF\s0 is a concise and exact way of describing the grammar of a language.
Each \s-1EBNF\s0 definition is made up of \fIproduction rules\fR. E.g.,
.PP
.Vb 1
\& symbol ::= definition | alternate1 | alternate2 ...

we will use single quotes ('') to designate what is a verbatim character
string (as opposed to a symbol name).
.Sh "Aliases"
There are four kinds of aliases: \f(CWUser_Alias\fR, \f(CWRunas_Alias\fR,
\f(CWHost_Alias\fR and \f(CWCmnd_Alias\fR.
.PP
.Vb 4

\& Alias_Type NAME = item1, item2, ...
.Ve
where \fIAlias_Type\fR is one of \f(CWUser_Alias\fR, \f(CWRunas_Alias\fR, \f(CWHost_Alias\fR,
or \f(CWCmnd_Alias\fR. A \f(CWNAME\fR is a string of uppercase letters, numbers,
and the underscore characters ('_'). A \f(CWNAME\fR \fBmust\fR start with an
uppercase letter. It is possible to put several alias definitions
of the same type on a single line, joined by a colon (':'). E.g.,
.PP
.Vb 1
\& Alias_Type NAME = item1, item2, item3 : NAME = item4, item5

(prefixed with \*(L'#'), system groups (prefixed with \*(L'%'),
netgroups (prefixed with \*(L'+') and other aliases. Each list
item may be prefixed with one or more \*(L'!\*(R' operators. An odd number
of \*(L'!\*(R' operators negates the value of the item; an even number
of them just cancel each other out.
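.PP
As an added example (not code from the sudo project or from this manual page), the following Python parser implements the alias grammar described above: the four alias types, the NAME rule, several definitions of one type joined by ':' on a single line, the '#uid', '%group' and '+netgroup' item prefixes, and the odd/even '!' rule. It also joins backslash-continued lines and treats a backslash as escaping the character that follows it; that escape rule is assumed here rather than taken from this excerpt. The sample sudoers text and every name in it are constructed.

```python
"""Parser for sudoers alias definitions, following the Aliases section above.
Added example, not code from the sudo project; the sample input is constructed."""
import re
from dataclasses import dataclass

ALIAS_TYPES = ("User_Alias", "Runas_Alias", "Host_Alias", "Cmnd_Alias")
NAME_RE = re.compile(r"^[A-Z][A-Z0-9_]*$")  # uppercase start; letters, digits, '_'


@dataclass(frozen=True)
class Item:
    kind: str      # "uid" (#), "group" (%), "netgroup" (+), "alias", "ALL" or "literal"
    value: str     # prefix character stripped; backslash escapes kept verbatim
    negated: bool  # True when an odd number of leading '!' operators was present


def join_continued_lines(text):
    """Join a line ending in a backslash with the line that follows it."""
    lines, buf = [], ""
    for raw in text.splitlines():
        if raw.endswith("\\"):
            buf += raw[:-1]
            continue
        lines.append(buf + raw)
        buf = ""
    return lines + ([buf] if buf else [])


def split_unescaped(s, sep):
    """Split on sep, skipping separators escaped with a backslash (assumed escape rule)."""
    parts, cur, i = [], "", 0
    while i < len(s):
        if s[i] == "\\" and i + 1 < len(s):
            cur, i = cur + s[i:i + 2], i + 2
        elif s[i] == sep:
            parts, cur, i = parts + [cur], "", i + 1
        else:
            cur, i = cur + s[i], i + 1
    return parts + [cur]


def parse_item(tok):
    """One list item: strip the '!' operators and apply the odd/even rule."""
    tok = tok.strip()
    bangs = len(tok) - len(tok.lstrip("!"))
    body = tok[bangs:].strip()
    if not body:
        raise ValueError("empty list item")
    if body[0] in "#%+":
        kind = {"#": "uid", "%": "group", "+": "netgroup"}[body[0]]
        value = body[1:]
    elif body == "ALL":
        kind, value = "ALL", body
    elif NAME_RE.match(body):
        kind, value = "alias", body       # reference to another alias of the same type
    else:
        kind, value = "literal", body     # a user, host or command path
    return Item(kind, value, bool(bangs % 2))


def parse_alias_line(line):
    """'Alias_Type NAME = item, ... [: NAME = item, ...]' -> {(type, NAME): [Item, ...]}"""
    m = re.match(r"^\s*(%s)\s+(.*)$" % "|".join(ALIAS_TYPES), line)
    if not m:
        raise ValueError("not an alias definition: %r" % line)
    alias_type, result = m.group(1), {}
    for definition in split_unescaped(m.group(2), ":"):   # several definitions joined by ':'
        parts = split_unescaped(definition, "=")
        if len(parts) != 2 or not NAME_RE.match(parts[0].strip()):
            raise ValueError("bad alias definition: %r" % definition)
        result[(alias_type, parts[0].strip())] = [parse_item(t) for t in split_unescaped(parts[1], ",")]
    return result


def parse_sudoers_aliases(text):
    """Collect every alias definition in a sudoers text; other lines are skipped."""
    aliases = {}
    for line in join_continued_lines(text):
        if line.lstrip().startswith(ALIAS_TYPES):   # skips blanks, '#' comments, user specs
            aliases.update(parse_alias_line(line))
    return aliases


# Constructed sample: the names are illustrative, not from a real system or the page.
SAMPLE = """\
# constructed sample
User_Alias  FULLTIMERS = millert, mikef, dowdy
User_Alias  PARTTIMERS = bostley, jwfox, \\
                         crawl
User_Alias  WEBMASTERS = will, wendy, wim : OPS = #0, %wheel, +ops, !!FULLTIMERS, !PARTTIMERS
Host_Alias  CDROM = orion, perseus, hercules
Cmnd_Alias  ODD = /usr/local/bin/a\\:b, /bin/ls, ALL
"""

if __name__ == "__main__":
    for (alias_type, name), items in parse_sudoers_aliases(SAMPLE).items():
        print(alias_type, name, [(i.kind, i.value, i.negated) for i in items])
```

Running the module prints each alias with its items: the continued PARTTIMERS line yields three users, `!!FULLTIMERS` comes out with negated=False and `!PARTTIMERS` with negated=True, and the escaped colon in the ODD command does not split the definition.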
.PP
.Vb 2

be confusing. This flag is off by default.
.Ip "fqdn" 12
Set this flag if you want to put fully qualified hostnames in the
\fIsudoers\fR file. I.e., instead of myhost you would use myhost.mydomain.edu.
You may still use the short form if you wish (and even mix the two).
Beware that turning on \fIfqdn\fR requires \fBsudo\fR to make \s-1DNS\s0 lookups,
which may make \fBsudo\fR unusable if \s-1DNS\s0 stops working (for example

80 (use 0 or negate to disable word wrap).
.Ip "timestamp_timeout" 12
Number of minutes that can elapse before \fBsudo\fR will ask for a password
again. The default is 5. Set this to 0 to always prompt for a password.
.Ip "passwd_timeout" 12
Number of minutes before the \fBsudo\fR password prompt times out.
The default is 5. Set this to 0 for no password timeout.

\fBStrings that can be used in a boolean context\fR:
.Ip "logfile" 12
Path to the \fBsudo\fR log file (not the syslog log file). Setting a path
turns on logging to a file; negating this option turns it off.
.Ip "syslog" 12
Syslog facility if syslog is being used for logging (negate to
disable syslog logging). Defaults to \*(L"local2\*(R".

.Ip "mailerflags" 12
Flags to use when invoking the mailer. Defaults to \f(CW-t\fR.
.Ip "mailto" 12
Address to send warning and error mail to. Defaults to \*(L"root\*(R".
.Ip "exempt_group" 12
Users in this group are exempt from password and \s-1PATH\s0 requirements.
This is not set by default.

be separate from the \*(L"user path.\*(R" This is not set by default.
.Ip "verifypw" 12
This option controls when a password will be required when a
user runs \fBsudo\fR with \fB\-v\fR. It has the following possible values:
.Sp
.Vb 3
\& all All the user's \fIsudoers\fR entries for the

.Ve
A \fBuser specification\fR determines which commands a user may run
(and as what user) on specified hosts. By default, commands are
run as \fBroot\fR, but this can be changed on a per-command basis.
.PP
Let's break that down into its constituent parts:
.Sh "Runas_Spec"

\& dgb boulder = (operator) /bin/ls, /bin/kill, /usr/bin/who
.Ve
The user \fBdgb\fR may run \fI/bin/ls\fR, \fI/bin/kill\fR, and
\fI/usr/bin/who\fR -- but only as \fBoperator\fR. E.g.,
.PP
.Vb 1
\& sudo -u operator /bin/ls

.Vb 1
\& ray rushmore = NOPASSWD: /bin/kill, PASSWD: /bin/ls, /usr/bin/lprm
.Ve
Note, however, that the \f(CWPASSWD\fR tag has no effect on users who are
in the group specified by the exempt_group option.
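.PP
An added example, not sudo's own code, that evaluates user specifications of the shape shown above (a Runas_Spec in parentheses, the NOPASSWD and PASSWD tags, and the exempt_group rule just described) and also illustrates the point made under SECURITY NOTES below: subtracting a command from ALL is not effective, because the negated entry matches only the path /bin/sh, so the same shell copied to another path is still matched by ALL. The evaluator follows sudo's rule that the last matching entry wins, matches commands by path only and supports one Runas user per entry; aliases and Defaults are left out, and the sudoers text and exempt set below are constructed.

```python
"""Evaluate simplified sudoers user specifications: who may run what, on which
host, as whom, and whether a password is required.
Added example, not sudo's own code; the sudoers text below is constructed."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class CmndEntry:
    runas: str       # target user; root until a (Runas_Spec) changes it
    nopasswd: bool   # True after NOPASSWD:, False again after PASSWD:
    negated: bool    # True for '!cmd' (odd number of '!')
    command: str     # absolute path or "ALL"


def parse_user_spec(line):
    """Parse 'user host = [(runas)] [NOPASSWD:|PASSWD:] cmd, ...' (single runas user, no aliases)."""
    lhs, rhs = line.split("=", 1)
    user, host = lhs.split()
    runas, nopasswd, entries = "root", False, []
    for tok in rhs.split(","):
        tok = tok.strip()
        m = re.match(r"^\(([^)]*)\)\s*(.*)$", tok)        # (Runas_Spec) applies to later cmds too
        if m:
            runas, tok = m.group(1).strip(), m.group(2)
        m = re.match(r"^(NOPASSWD|PASSWD):\s*(.*)$", tok)   # tags also carry over
        if m:
            nopasswd, tok = m.group(1) == "NOPASSWD", m.group(2)
        bangs = len(tok) - len(tok.lstrip("!"))
        entries.append(CmndEntry(runas, nopasswd, bool(bangs % 2), tok[bangs:].strip()))
    return user, host, entries


def parse_sudoers(text):
    """Parse every non-blank, non-comment line as a user specification."""
    return [parse_user_spec(l) for l in text.splitlines() if l.strip() and not l.startswith("#")]


def check(specs, user, host, runas, command, exempt_users=frozenset()):
    """Return "deny", "allow" or "allow, password required".

    Every matching entry is visited and the last match wins, so a later '!cmd'
    overrides an earlier ALL. Commands are matched by path only.
    """
    verdict = "deny"
    for spec_user, spec_host, entries in specs:
        if spec_user not in (user, "ALL") or spec_host not in (host, "ALL"):
            continue
        for e in entries:
            if e.runas not in (runas, "ALL") or e.command not in (command, "ALL"):
                continue
            if e.negated:
                verdict = "deny"
            elif e.nopasswd or user in exempt_users:   # exempt_group: PASSWD has no effect
                verdict = "allow"
            else:
                verdict = "allow, password required"
    return verdict


# Constructed sample. 'pete' shows why subtracting from ALL is not effective.
SUDOERS = """\
dgb  boulder  = (operator) /bin/ls, /bin/kill, /usr/bin/who
ray  rushmore = NOPASSWD: /bin/kill, PASSWD: /bin/ls, /usr/bin/lprm
pete ALL      = ALL, !/bin/sh
"""
SPECS = parse_sudoers(SUDOERS)
EXEMPT = frozenset({"ray"})   # pretend ray is in the exempt_group

if __name__ == "__main__":
    print(check(SPECS, "dgb", "boulder", "operator", "/bin/ls"))       # allow, password required
    print(check(SPECS, "dgb", "boulder", "root", "/bin/ls"))           # deny: granted only as operator
    print(check(SPECS, "ray", "rushmore", "root", "/bin/ls"))          # allow, password required
    print(check(SPECS, "ray", "rushmore", "root", "/bin/ls", EXEMPT))  # allow
    print(check(SPECS, "pete", "anyhost", "root", "/bin/sh"))          # deny
    print(check(SPECS, "pete", "anyhost", "root", "/tmp/sh"))          # allow, password required
```

The last two calls are the security point: `!/bin/sh` denies exactly that path, while a copy of the shell at /tmp/sh (or any other shell not listed) is still covered by ALL, so the subtraction buys nothing against a user who can create files.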
.PP
By default, if the \f(CWNOPASSWD\fR tag is applied to any of the entries

Long lines can be continued with a backslash (\*(R'\e') as the last
character on the line.
.PP
Whitespace between elements in a list as well as special syntactic
characters in a \fIUser Specification\fR ('=\*(R', \*(L':\*(R', \*(L'(\*(R', \*(L')') is optional.
.PP
The following characters must be escaped with a backslash (\*(R'\e') when

.Ve
Any user may mount or unmount a CD\-ROM on the machines in the CDROM
\f(CWHost_Alias\fR (orion, perseus, hercules) without entering a password.
This is a bit tedious for users to type, so it is a prime candidate
for encapsulating in a shell script.
.SH "SECURITY NOTES"
It is generally not effective to \*(L"subtract\*(R" commands from \f(CWALL\fR