| version 1.6, 2001/01/09 18:15:31 |
version 1.7, 2001/09/17 23:49:21 |
|
|
| ''' $RCSfile$$Revision$$Date$ |
''' $RCSfile$$Revision$$Date$ |
| ''' |
''' |
| ''' $Log$ |
''' $Log$ |
| |
''' Revision 1.7 2001/09/17 23:49:21 pjanzen |
| |
''' Typo and grammar fixes, one from PR/2058 (Dennis Schwarz); ok millert@ |
| |
''' |
| ''' Revision 1.6 2001/01/09 18:15:31 krw |
''' Revision 1.6 2001/01/09 18:15:31 krw |
| ''' Typos: 'eg.' -> 'e.g.' |
''' Typos: 'eg.' -> 'e.g.' |
| ''' |
''' |
|
|
| .\" Ip Item |
.\" Ip Item |
| .\" X<> Xref (embedded |
.\" X<> Xref (embedded |
| .\" Of course, you have to process the output yourself |
.\" Of course, you have to process the output yourself |
| .\" in some meaninful fashion. |
.\" in some meaningful fashion. |
| .if \nF \{ |
.if \nF \{ |
| .de IX |
.de IX |
| .tm Index:\\$1\t\\n%\t"\\$2" |
.tm Index:\\$1\t\\n%\t"\\$2" |
|
|
| .SH "NAME" |
.SH "NAME" |
| sudoers \- list of which users may execute what |
sudoers \- list of which users may execute what |
| .SH "DESCRIPTION" |
.SH "DESCRIPTION" |
| The \fIsudoers\fR file is composed two types of entries: |
The \fIsudoers\fR file is composed of two types of entries: |
| aliases (basically variables) and user specifications |
aliases (basically variables) and user specifications |
| (which specify who may run what). The grammar of \fIsudoers\fR |
(which specify who may run what). The grammar of \fIsudoers\fR |
| will be described below in Extended Backus-Naur Form (EBNF). |
will be described below in Extended Backus-Naur Form (EBNF). |
| Don't despair if you don't know what EBNF is, it is fairly |
Don't despair if you don't know what EBNF is; it is fairly |
| simple and the definitions below are annotated. |
simple, and the definitions below are annotated. |
| .Sh "Quick guide to \s-1EBNF\s0" |
.Sh "Quick guide to \s-1EBNF\s0" |
| \s-1EBNF\s0 is a concise and exact way of describing the grammar of a language. |
\s-1EBNF\s0 is a concise and exact way of describing the grammar of a language. |
| Each \s-1EBNF\s0 definition is made up of \fIproduction rules\fR. Eg. |
Each \s-1EBNF\s0 definition is made up of \fIproduction rules\fR. E.g., |
| .PP |
.PP |
| .Vb 1 |
.Vb 1 |
| \& symbol ::= definition | alternate1 | alternate2 ... |
\& symbol ::= definition | alternate1 | alternate2 ... |
|
|
| we will use single quotes ('') to designate what is a verbatim character |
we will use single quotes ('') to designate what is a verbatim character |
| string (as opposed to a symbol name). |
string (as opposed to a symbol name). |
| .Sh "Aliases" |
.Sh "Aliases" |
| There are four kinds of aliases: the \f(CWUser_Alias\fR, \f(CWRunas_Alias\fR, |
There are four kinds of aliases: \f(CWUser_Alias\fR, \f(CWRunas_Alias\fR, |
| \f(CWHost_Alias\fR and \f(CWCmnd_Alias\fR. |
\f(CWHost_Alias\fR and \f(CWCmnd_Alias\fR. |
| .PP |
.PP |
| .Vb 4 |
.Vb 4 |
|
|
| \& Alias_Type NAME = item1, item2, ... |
\& Alias_Type NAME = item1, item2, ... |
| .Ve |
.Ve |
| where \fIAlias_Type\fR is one of \f(CWUser_Alias\fR, \f(CWRunas_Alias\fR, \f(CWHost_Alias\fR, |
where \fIAlias_Type\fR is one of \f(CWUser_Alias\fR, \f(CWRunas_Alias\fR, \f(CWHost_Alias\fR, |
| or \f(CWCmnd_Alias\fR. A \f(CWNAME\fR is a string of upper case letters, numbers, |
or \f(CWCmnd_Alias\fR. A \f(CWNAME\fR is a string of uppercase letters, numbers, |
| and the underscore characters ('_'). A \f(CWNAME\fR \fBmust\fR start with an |
and the underscore characters ('_'). A \f(CWNAME\fR \fBmust\fR start with an |
| upper case letter. It is possible to put several alias definitions |
uppercase letter. It is possible to put several alias definitions |
| of the same type on a single line, joined by a semicolon (':'). Eg. |
of the same type on a single line, joined by a semicolon (':'). E.g., |
| .PP |
.PP |
| .Vb 1 |
.Vb 1 |
| \& Alias_Type NAME = item1, item2, item3 : NAME = item4, item5 |
\& Alias_Type NAME = item1, item2, item3 : NAME = item4, item5 |
|
|
| (prefixed with \*(L'#'), System groups (prefixed with \*(L'%'), |
(prefixed with \*(L'#'), System groups (prefixed with \*(L'%'), |
| netgroups (prefixed with \*(L'+') and other aliases. Each list |
netgroups (prefixed with \*(L'+') and other aliases. Each list |
| item may be prefixed with one or more \*(L'!\*(R' operators. An odd number |
item may be prefixed with one or more \*(L'!\*(R' operators. An odd number |
| of \*(L'!\*(R' operators negates the value of the item; an even number |
of \*(L'!\*(R' operators negate the value of the item; an even number |
| just cancel each other out. |
just cancel each other out. |
| .PP |
.PP |
| .Vb 2 |
.Vb 2 |
|
|
| be confusing. This flag is off by default. |
be confusing. This flag is off by default. |
| .Ip "fqdn" 12 |
.Ip "fqdn" 12 |
| Set this flag if you want to put fully qualified hostnames in the |
Set this flag if you want to put fully qualified hostnames in the |
| \fIsudoers\fR file. Ie: instead of myhost you would use myhost.mydomain.edu. |
\fIsudoers\fR file. I.e.: instead of myhost you would use myhost.mydomain.edu. |
| You may still use the short form if you wish (and even mix the two). |
You may still use the short form if you wish (and even mix the two). |
| Beware that turning on \fIfqdn\fR requires \fBsudo\fR to make \s-1DNS\s0 lookups |
Beware that turning on \fIfqdn\fR requires \fBsudo\fR to make \s-1DNS\s0 lookups |
| which may make \fBsudo\fR unusable if \s-1DNS\s0 stops working (for example |
which may make \fBsudo\fR unusable if \s-1DNS\s0 stops working (for example |
|
|
| 80 (use 0 or negate to disable word wrap). |
80 (use 0 or negate to disable word wrap). |
| .Ip "timestamp_timeout" 12 |
.Ip "timestamp_timeout" 12 |
| Number of minutes that can elapse before \fBsudo\fR will ask for a passwd |
Number of minutes that can elapse before \fBsudo\fR will ask for a passwd |
| again. The default is 5, set this to 0 to always prompt for a password. |
again. The default is 5. Set this to 0 to always prompt for a password. |
| .Ip "passwd_timeout" 12 |
.Ip "passwd_timeout" 12 |
| Number of minutes before the \fBsudo\fR password prompt times out. |
Number of minutes before the \fBsudo\fR password prompt times out. |
| The default is 5, set this to 0 for no password timeout. |
The default is 5, set this to 0 for no password timeout. |
|
|
| \fBStrings that can be used in a boolean context\fR: |
\fBStrings that can be used in a boolean context\fR: |
| .Ip "logfile" 12 |
.Ip "logfile" 12 |
| Path to the \fBsudo\fR log file (not the syslog log file). Setting a path |
Path to the \fBsudo\fR log file (not the syslog log file). Setting a path |
| turns on logging to a file, negating this option turns it off. |
turns on logging to a file; negating this option turns it off. |
| .Ip "syslog" 12 |
.Ip "syslog" 12 |
| Syslog facility if syslog is being used for logging (negate to |
Syslog facility if syslog is being used for logging (negate to |
| disable syslog logging). Defaults to \*(L"local2\*(R". |
disable syslog logging). Defaults to \*(L"local2\*(R". |
|
|
| .Ip "mailerflags" 12 |
.Ip "mailerflags" 12 |
| Flags to use when invoking mailer. Defaults to \f(CW-t\fR. |
Flags to use when invoking mailer. Defaults to \f(CW-t\fR. |
| .Ip "mailto" 12 |
.Ip "mailto" 12 |
| Address to send warning and erorr mail to. Defaults to \*(L"root\*(R". |
Address to send warning and error mail to. Defaults to \*(L"root\*(R". |
| .Ip "exempt_group" 12 |
.Ip "exempt_group" 12 |
| Users in this group are exempt from password and \s-1PATH\s0 requirements. |
Users in this group are exempt from password and \s-1PATH\s0 requirements. |
| This is not set by default. |
This is not set by default. |
|
|
| be separate from the \*(L"user path.\*(R" This is not set by default. |
be separate from the \*(L"user path.\*(R" This is not set by default. |
| .Ip "verifypw" 12 |
.Ip "verifypw" 12 |
| This option controls when a password will be required when a |
This option controls when a password will be required when a |
| user runs \fBsudo\fR with the \fB\-v\fR. It has the following possible values: |
user runs \fBsudo\fR with \fB\-v\fR. It has the following possible values: |
| .Sp |
.Sp |
| .Vb 3 |
.Vb 3 |
| \& all All the user's I<sudoers> entries for the |
\& all All the user's I<sudoers> entries for the |
|
|
| .Ve |
.Ve |
| A \fBuser specification\fR determines which commands a user may run |
A \fBuser specification\fR determines which commands a user may run |
| (and as what user) on specified hosts. By default, commands are |
(and as what user) on specified hosts. By default, commands are |
| run as \fBroot\fR but this can be changed on a per-command basis. |
run as \fBroot\fR, but this can be changed on a per-command basis. |
| .PP |
.PP |
| Let's break that down into its constituent parts: |
Let's break that down into its constituent parts: |
| .Sh "Runas_Spec" |
.Sh "Runas_Spec" |
|
|
| \& dgb boulder = (operator) /bin/ls, /bin/kill, /usr/bin/who |
\& dgb boulder = (operator) /bin/ls, /bin/kill, /usr/bin/who |
| .Ve |
.Ve |
| The user \fBdgb\fR may run \fI/bin/ls\fR, \fI/bin/kill\fR, and |
The user \fBdgb\fR may run \fI/bin/ls\fR, \fI/bin/kill\fR, and |
| \fI/usr/bin/lprm\fR -- but only as \fBoperator\fR. Eg. |
\fI/usr/bin/lprm\fR -- but only as \fBoperator\fR. E.g., |
| .PP |
.PP |
| .Vb 1 |
.Vb 1 |
| \& sudo -u operator /bin/ls. |
\& sudo -u operator /bin/ls. |
|
|
| .Vb 1 |
.Vb 1 |
| \& ray rushmore = NOPASSWD: /bin/kill, PASSWD: /bin/ls, /usr/bin/lprm |
\& ray rushmore = NOPASSWD: /bin/kill, PASSWD: /bin/ls, /usr/bin/lprm |
| .Ve |
.Ve |
| Note however, that the \f(CWPASSWD\fR tag has no effect on users who are |
Note, however, that the \f(CWPASSWD\fR tag has no effect on users who are |
| in the group specified by the exempt_group option. |
in the group specified by the exempt_group option. |
| .PP |
.PP |
| By default, if the \f(CWNOPASSWD\fR tag is applied to any of the entries |
By default, if the \f(CWNOPASSWD\fR tag is applied to any of the entries |
|
|
| Long lines can be continued with a backslash (\*(R'\e') as the last |
Long lines can be continued with a backslash (\*(R'\e') as the last |
| character on the line. |
character on the line. |
| .PP |
.PP |
| Whitespace between elements in a list as well as specicial syntactic |
Whitespace between elements in a list as well as special syntactic |
| characters in a \fIUser Specification\fR ('=\*(R', \*(L':\*(R', \*(L'(\*(R', \*(L')') is optional. |
characters in a \fIUser Specification\fR ('=\*(R', \*(L':\*(R', \*(L'(\*(R', \*(L')') is optional. |
| .PP |
.PP |
| The following characters must be escaped with a backslash (\*(R'\e') when |
The following characters must be escaped with a backslash (\*(R'\e') when |
|
|
| .Ve |
.Ve |
| Any user may mount or unmount a CD\-ROM on the machines in the CDROM |
Any user may mount or unmount a CD\-ROM on the machines in the CDROM |
| \f(CWHost_Alias\fR (orion, perseus, hercules) without entering a password. |
\f(CWHost_Alias\fR (orion, perseus, hercules) without entering a password. |
| This is a bit tedious for users to type, so it is a prime candiate |
This is a bit tedious for users to type, so it is a prime candidate |
| for encapsulating in a shell script. |
for encapsulating in a shell script. |
| .SH "SECURITY NOTES" |
.SH "SECURITY NOTES" |
| It is generally not effective to \*(L"subtract\*(R" commands from \f(CWALL\fR |
It is generally not effective to \*(L"subtract\*(R" commands from \f(CWALL\fR |
![[BACK]](/icons/back.gif){kind=icon}
Return to sudoers.5 CVS log ![[TXT]](/icons/text.gif){kind=icon}
![[DIR]](/icons/dir.gif){kind=icon}
Up to [local] / src / usr.bin / sudo