
Diff for /src/usr.bin/sudo/Attic/sudoers.5 between version 1.16 and 1.17

version 1.16, 2003/04/14 06:39:24 version 1.17, 2004/09/28 15:10:51
Line 1 
Line 1 
 .\" Copyright (c) 1994-1996,1998-2003 Todd C. Miller <Todd.Miller@courtesan.com>  .\" Copyright (c) 1994-1996,1998-2004 Todd C. Miller <Todd.Miller@courtesan.com>
 .\" All rights reserved.  
 .\"  .\"
 .\" Redistribution and use in source and binary forms, with or without  .\" Permission to use, copy, modify, and distribute this software for any
 .\" modification, are permitted provided that the following conditions  .\" purpose with or without fee is hereby granted, provided that the above
 .\" are met:  .\" copyright notice and this permission notice appear in all copies.
 .\"  .\"
 .\" 1. Redistributions of source code must retain the above copyright  .\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
 .\"    notice, this list of conditions and the following disclaimer.  .\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
 .\"  .\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
 .\" 2. Redistributions in binary form must reproduce the above copyright  .\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
 .\"    notice, this list of conditions and the following disclaimer in the  .\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
 .\"    documentation and/or other materials provided with the distribution.  .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 .\"  .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\" 3. The name of the author may not be used to endorse or promote products  
 .\"    derived from this software without specific prior written permission  
 .\"    from the author.  
 .\"  
 .\" 4. Products derived from this software may not be called "Sudo" nor  
 .\"    may "Sudo" appear in their names without specific prior written  
 .\"    permission from the author.  
 .\"  
 .\" THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,  
 .\" INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY  
 .\" AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL  
 .\" THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,  
 .\" EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,  
 .\" PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS;  
 .\" OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,  
 .\" WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR  
 .\" OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF  
 .\" ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.  .\" ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"  .\"
 .\" $Sudo: sudoers.man.in,v 1.24 2003/03/15 20:33:31 millert Exp $  .\" Sponsored in part by the Defense Advanced Research Projects
 .\" Automatically generated by Pod::Man v1.34, Pod::Parser v1.13  .\" Agency (DARPA) and Air Force Research Laboratory, Air Force
   .\" Materiel Command, USAF, under agreement number F39502-99-1-0512.
   .\"
   .\" $Sudo: sudoers.man.in,v 1.46 2004/09/06 20:46:28 millert Exp $
   .\" Automatically generated by Pod::Man v1.37, Pod::Parser v1.14
 .\"  .\"
 .\" Standard preamble:  .\" Standard preamble:
 .\" ========================================================================  .\" ========================================================================
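Review bot: the preamble replaces the four-clause BSD-style terms (with the "Sudo" naming restriction) with an ISC-style permission notice and adds the DARPA/AFRL sponsorship acknowledgement; that is a licensing change rather than a documentation fix, so it should be called out in the CVS log message so downstream packagers who track license text notice it.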
Line 163 
Line 149 
 .\" ========================================================================  .\" ========================================================================
 .\"  .\"
 .IX Title "SUDOERS 5"  .IX Title "SUDOERS 5"
 .TH SUDOERS 5 "March 13, 2003" "1.6.7" "MAINTENANCE COMMANDS"  .TH SUDOERS 5 "September  6, 2004" "1.6.8" "MAINTENANCE COMMANDS"
 .SH "NAME"  .SH "NAME"
 sudoers \- list of which users may execute what  sudoers \- list of which users may execute what
 .SH "DESCRIPTION"  .SH "DESCRIPTION"
 .IX Header "DESCRIPTION"  .IX Header "DESCRIPTION"
 The \fIsudoers\fR file is composed of two types of entries:  The \fIsudoers\fR file is composed of two types of entries: aliases
 aliases (basically variables) and user specifications  (basically variables) and user specifications (which specify who
 (which specify who may run what).  The grammar of \fIsudoers\fR  may run what).
 will be described below in Extended Backus-Naur Form (\s-1EBNF\s0).  .PP
 Don't despair if you don't know what \s-1EBNF\s0 is; it is fairly  When multiple entries match for a user, they are applied in order.
 simple, and the definitions below are annotated.  Where there are conflicting values, the last match is used (which
   is not necessarily the most specific match).
   .PP
   The \fIsudoers\fR grammar will be described below in Extended Backus-Naur
   Form (\s-1EBNF\s0).  Don't despair if you don't know what \s-1EBNF\s0 is; it is
   fairly simple, and the definitions below are annotated.
 .Sh "Quick guide to \s-1EBNF\s0"  .Sh "Quick guide to \s-1EBNF\s0"
 .IX Subsection "Quick guide to EBNF"  .IX Subsection "Quick guide to EBNF"
 \&\s-1EBNF\s0 is a concise and exact way of describing the grammar of a language.  \&\s-1EBNF\s0 is a concise and exact way of describing the grammar of a language.
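Review bot: the new paragraph "When multiple entries match for a user, they are applied in order. Where there are conflicting values, the last match is used" does not say which kinds of entries it covers; since it replaces the sentence removed from the Defaults subsection later in this diff, state that the rule applies to both user specifications and Defaults lines, and make the parenthetical explicit: a later, less specific match overrides an earlier, more specific one, which is the part administrators most often get wrong.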
Line 269 
Line 260 
 \&          '!'* User_Alias  \&          '!'* User_Alias
 .Ve  .Ve
 .PP  .PP
 A \f(CW\*(C`User_List\*(C'\fR is made up of one or more usernames, uids  A \f(CW\*(C`User_List\*(C'\fR is made up of one or more usernames, system groups
 (prefixed with '#'), System groups (prefixed with '%'),  (prefixed with '%'), netgroups (prefixed with '+') and other aliases.
 netgroups (prefixed with '+') and other aliases.  Each list  Each list item may be prefixed with one or more '!' operators.
 item may be prefixed with one or more '!' operators.  An odd number  An odd number of '!' operators negate the value of the item; an even
 of '!' operators negate the value of the item; an even number  number just cancel each other out.
 just cancel each other out.  
 .PP  .PP
 .Vb 2  .Vb 2
 \& Runas_List ::= Runas_User |  \& Runas_List ::= Runas_User |
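Review bot: dropping uids from the User_List description leaves it inconsistent with the "Other special characters and reserved words" subsection further down in this diff, which still says a '#' followed by digits in a user-name context is treated as a uid; either note there that uids are only accepted in a Runas_List, or keep the uid text here.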
Line 291 
Line 281 
 .PP  .PP
 A \f(CW\*(C`Runas_List\*(C'\fR is similar to a \f(CW\*(C`User_List\*(C'\fR except that it can  A \f(CW\*(C`Runas_List\*(C'\fR is similar to a \f(CW\*(C`User_List\*(C'\fR except that it can
 also contain uids (prefixed with '#') and instead of \f(CW\*(C`User_Alias\*(C'\fRes  also contain uids (prefixed with '#') and instead of \f(CW\*(C`User_Alias\*(C'\fRes
 it can contain \f(CW\*(C`Runas_Alias\*(C'\fRes.  it can contain \f(CW\*(C`Runas_Alias\*(C'\fRes.  Note that usernames and groups
   are matched as strings.  In other words, two users (groups) with
   the same uid (gid) are considered to be distinct.  If you wish to
   match all usernames with the same uid (e.g. root and toor), you
   can use a uid instead (#0 in the example given).
 .PP  .PP
 .Vb 2  .Vb 2
 \& Host_List ::= Host |  \& Host_List ::= Host |
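Review bot: the string-matching caveat is a valuable addition, but "you can use a uid instead (#0 in the example given)" is hard to parse; say directly that "#0" in a Runas_List matches both root and toor because both have uid 0, and, since uids are no longer described as part of User_List, note that this only applies to the run-as side.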
Line 313 
Line 307 
 of the host's ethernet interface(s) will be used when matching.  of the host's ethernet interface(s) will be used when matching.
 The netmask may be specified either in dotted quad notation (e.g.  The netmask may be specified either in dotted quad notation (e.g.
 255.255.255.0) or \s-1CIDR\s0 notation (number of bits, e.g. 24).  A hostname  255.255.255.0) or \s-1CIDR\s0 notation (number of bits, e.g. 24).  A hostname
 may include shell-style wildcards (see `Wildcards' section below),  may include shell-style wildcards (see the Wildcards section below),
 but unless the \f(CW\*(C`hostname\*(C'\fR command on your machine returns the fully  but unless the \f(CW\*(C`hostname\*(C'\fR command on your machine returns the fully
 qualified hostname, you'll need to use the \fIfqdn\fR option for wildcards  qualified hostname, you'll need to use the \fIfqdn\fR option for wildcards
 to be useful.  to be useful.
Line 329 
Line 323 
 \&                 filename '""'  \&                 filename '""'
 .Ve  .Ve
 .PP  .PP
 .Vb 3  .Vb 4
 \& Cmnd ::= '!'* commandname |  \& Cmnd ::= '!'* commandname |
 \&          '!'* directory |  \&          '!'* directory |
   \&          '!'* "sudoedit" |
 \&          '!'* Cmnd_Alias  \&          '!'* Cmnd_Alias
 .Ve  .Ve
 .PP  .PP
 A \f(CW\*(C`Cmnd_List\*(C'\fR is a list of one or more commandnames, directories, and other  A \f(CW\*(C`Cmnd_List\*(C'\fR is a list of one or more commandnames, directories, and other
 aliases.  A commandname is a fully qualified filename which may include  aliases.  A commandname is a fully qualified filename which may include
 shell-style wildcards (see `Wildcards' section below).  A simple  shell-style wildcards (see the Wildcards section below).  A simple
 filename allows the user to run the command with any arguments he/she  filename allows the user to run the command with any arguments he/she
 wishes.  However, you may also specify command line arguments (including  wishes.  However, you may also specify command line arguments (including
 wildcards).  Alternately, you can specify \f(CW""\fR to indicate that the command  wildcards).  Alternately, you can specify \f(CW""\fR to indicate that the command
Line 350 
Line 345 
 in the \f(CW\*(C`Cmnd\*(C'\fR must match exactly those given by the user on the command line  in the \f(CW\*(C`Cmnd\*(C'\fR must match exactly those given by the user on the command line
 (or match the wildcards if there are any).  Note that the following  (or match the wildcards if there are any).  Note that the following
 characters must be escaped with a '\e' if they are used in command  characters must be escaped with a '\e' if they are used in command
 arguments: ',', ':', '=', '\e'.  arguments: ',', ':', '=', '\e'.  The special command \f(CW"sudoedit"\fR
   is used to permit a user to run \fBsudo\fR with the \fB\-e\fR flag (or
   as \fBsudoedit\fR).  It may take command line arguments just as
   a normal command does.
 .Sh "Defaults"  .Sh "Defaults"
 .IX Subsection "Defaults"  .IX Subsection "Defaults"
 Certain configuration options may be changed from their default  Certain configuration options may be changed from their default
 values at runtime via one or more \f(CW\*(C`Default_Entry\*(C'\fR lines.  These  values at runtime via one or more \f(CW\*(C`Default_Entry\*(C'\fR lines.  These
 may affect all users on any host, all users on a specific host, a  may affect all users on any host, all users on a specific host, a
 specific user, or commands being run as a specific user.  When  specific user, or commands being run as a specific user.
 multiple entries match, they are applied in order.  Where there are  
 conflicting values, the last value on a matching line takes effect.  
 .PP  .PP
 .Vb 4  .Vb 4
 \& Default_Type ::= 'Defaults' ||  \& Default_Type ::= 'Defaults' |
 \&                  'Defaults' '@' Host ||  \&                  'Defaults' '@' Host |
 \&                  'Defaults' ':' User ||  \&                  'Defaults' ':' User |
 \&                  'Defaults' '>' RunasUser  \&                  'Defaults' '>' RunasUser
 .Ve  .Ve
 .PP  .PP
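Review bot: the two sentences removed here ("When multiple entries match, they are applied in order. Where there are conflicting values, the last value on a matching line takes effect.") describe conflicts within a single Defaults line, whereas the replacement text in DESCRIPTION speaks of the last matching entry; confirm the new wording is meant to cover both cases or keep the per-line sentence in this subsection. The change from '||' to '|' in Default_Type is a correct EBNF fix.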
Line 371 
Line 367 
 \& Default_Entry ::= Default_Type Parameter_List  \& Default_Entry ::= Default_Type Parameter_List
 .Ve  .Ve
 .PP  .PP
   .Vb 2
   \& Parameter_List ::= Parameter |
   \&                    Parameter ',' Parameter_List
   .Ve
   .PP
 .Vb 4  .Vb 4
 \& Parameter ::= Parameter '=' Value ||  \& Parameter ::= Parameter '=' Value |
 \&               Parameter '+=' Value ||  \&               Parameter '+=' Value |
 \&               Parameter '-=' Value ||  \&               Parameter '-=' Value |
 \&               '!'* Parameter ||  \&               '!'* Parameter
 .Ve  .Ve
 .PP  .PP
 Parameters may be \fBflags\fR, \fBinteger\fR values, \fBstrings\fR, or \fBlists\fR.  Parameters may be \fBflags\fR, \fBinteger\fR values, \fBstrings\fR, or \fBlists\fR.
Line 390 
Line 391 
 It is not an error to use the \f(CW\*(C`\-=\*(C'\fR operator to remove an element  It is not an error to use the \f(CW\*(C`\-=\*(C'\fR operator to remove an element
 that does not exist in a list.  that does not exist in a list.
 .PP  .PP
 Note that since the \fIsudoers\fR file is parsed in order the best place  
 to put the Defaults section is after the Host, User, and Cmnd aliases  
 but before the user specifications.  
 .PP  
 \&\fBFlags\fR:  \&\fBFlags\fR:
 .IP "long_otp_prompt" 12  .IP "long_otp_prompt" 12
 .IX Item "long_otp_prompt"  .IX Item "long_otp_prompt"
Line 406 
Line 403 
 .IX Item "ignore_dot"  .IX Item "ignore_dot"
 If set, \fBsudo\fR will ignore '.' or '' (current dir) in the \f(CW\*(C`PATH\*(C'\fR  If set, \fBsudo\fR will ignore '.' or '' (current dir) in the \f(CW\*(C`PATH\*(C'\fR
 environment variable; the \f(CW\*(C`PATH\*(C'\fR itself is not modified.  This  environment variable; the \f(CW\*(C`PATH\*(C'\fR itself is not modified.  This
 flag is \fIon\fR by default.  flag is \fIoff\fR by default.  Currently, while it is possible
   to set \fIignore_dot\fR in \fIsudoers\fR, its value is not used.  This option
   should be considered read-only (it will be fixed in a future version
   of \fBsudo\fR).
 .IP "mail_always" 12  .IP "mail_always" 12
 .IX Item "mail_always"  .IX Item "mail_always"
 Send mail to the \fImailto\fR user every time a users runs \fBsudo\fR.  Send mail to the \fImailto\fR user every time a users runs \fBsudo\fR.
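Review bot: documenting ignore_dot as "off by default" while saying in the same entry that "its value is not used" leaves the reader unsure what sudo actually does with '.' in PATH; state the effective behaviour independently of the setting so that administrators do not assume setting ignore_dot in sudoers protects them.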
Line 429 
Line 429 
 .IX Item "mail_no_perms"  .IX Item "mail_no_perms"
 If set, mail will be sent to the \fImailto\fR user if the invoking  If set, mail will be sent to the \fImailto\fR user if the invoking
 user is allowed to use \fBsudo\fR but the command they are trying is not  user is allowed to use \fBsudo\fR but the command they are trying is not
 listed in their \fIsudoers\fR file entry.  This flag is \fIoff\fR  listed in their \fIsudoers\fR file entry or is explicitly denied.
 by default.  This flag is \fIoff\fR by default.
 .IP "tty_tickets" 12  .IP "tty_tickets" 12
 .IX Item "tty_tickets"  .IX Item "tty_tickets"
 If set, users must authenticate on a per-tty basis.  Normally,  If set, users must authenticate on a per-tty basis.  Normally,
Line 438 
Line 438 
 the user running it.  With this flag enabled, \fBsudo\fR will use a  the user running it.  With this flag enabled, \fBsudo\fR will use a
 file named for the tty the user is logged in on in that directory.  file named for the tty the user is logged in on in that directory.
 This flag is \fIoff\fR by default.  This flag is \fIoff\fR by default.
 .IP "lecture" 12  
 .IX Item "lecture"  
 If set, a user will receive a short lecture the first time he/she  
 runs \fBsudo\fR.  This flag is \fIon\fR by default.  
 .IP "authenticate" 12  .IP "authenticate" 12
 .IX Item "authenticate"  .IX Item "authenticate"
 If set, users must authenticate themselves via a password (or other  If set, users must authenticate themselves via a password (or other
Line 452 
Line 448 
 .IX Item "root_sudo"  .IX Item "root_sudo"
 If set, root is allowed to run \fBsudo\fR too.  Disabling this prevents users  If set, root is allowed to run \fBsudo\fR too.  Disabling this prevents users
 from \*(L"chaining\*(R" \fBsudo\fR commands to get a root shell by doing something  from \*(L"chaining\*(R" \fBsudo\fR commands to get a root shell by doing something
 like \f(CW"sudo sudo /bin/sh"\fR.  like \f(CW"sudo sudo /bin/sh"\fR.  Note, however, that turning off \fIroot_sudo\fR
   will also prevent root and from running \fBsudoedit\fR.
   Disabling \fIroot_sudo\fR provides no real additional security; it
   exists purely for historical reasons.
 This flag is \fIon\fR by default.  This flag is \fIon\fR by default.
 .IP "log_host" 12  .IP "log_host" 12
 .IX Item "log_host"  .IX Item "log_host"
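Review bot: "will also prevent root and from running sudoedit" has a stray "and"; presumably "prevent root from running sudoedit". The new caveat that disabling root_sudo "provides no real additional security" is the right one, but it sits after a sentence that frames the flag as a way to prevent chaining; consider putting the caveat first so the chaining sentence is read as history rather than advice.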
Line 541 
Line 540 
 .IP "runaspw" 12  .IP "runaspw" 12
 .IX Item "runaspw"  .IX Item "runaspw"
 If set, \fBsudo\fR will prompt for the password of the user defined by the  If set, \fBsudo\fR will prompt for the password of the user defined by the
 \&\fIrunas_default\fR option (defaults to \f(CW\*(C`root\*(C'\fR) instead of the password  \&\fIrunas_default\fR option (defaults to \f(CW\*(C`root\*(C'\fR) instead of the
 of the invoking user.  This flag is \fIoff\fR by default.  password of the invoking user.  This flag is \fIoff\fR by default.
 .IP "targetpw" 12  .IP "targetpw" 12
 .IX Item "targetpw"  .IX Item "targetpw"
 If set, \fBsudo\fR will prompt for the password of the user specified by  If set, \fBsudo\fR will prompt for the password of the user specified by
 the \fB\-u\fR flag (defaults to \f(CW\*(C`root\*(C'\fR) instead of the password of the  the \fB\-u\fR flag (defaults to \f(CW\*(C`root\*(C'\fR) instead of the password of the
 invoking user.  This flag is \fIoff\fR by default.  invoking user.  Note that this precludes the use of a uid not listed
   in the passwd database as an argument to the \fB\-u\fR flag.
   This flag is \fIoff\fR by default.
 .IP "set_logname" 12  .IP "set_logname" 12
 .IX Item "set_logname"  .IX Item "set_logname"
 Normally, \fBsudo\fR will set the \f(CW\*(C`LOGNAME\*(C'\fR and \f(CW\*(C`USER\*(C'\fR environment variables  Normally, \fBsudo\fR will set the \f(CW\*(C`LOGNAME\*(C'\fR and \f(CW\*(C`USER\*(C'\fR environment variables
Line 583 
Line 584 
 If set, \fBsudo\fR will apply the defaults specified for the target user's  If set, \fBsudo\fR will apply the defaults specified for the target user's
 login class if one exists.  Only available if \fBsudo\fR is configured with  login class if one exists.  Only available if \fBsudo\fR is configured with
 the \-\-with\-logincap option.  This flag is \fIoff\fR by default.  the \-\-with\-logincap option.  This flag is \fIoff\fR by default.
   .IP "noexec" 12
   .IX Item "noexec"
   If set, all commands run via sudo will behave as if the \f(CW\*(C`NOEXEC\*(C'\fR
   tag has been set, unless overridden by a \f(CW\*(C`EXEC\*(C'\fR tag.  See the
   description of \fI\s-1NOEXEC\s0 and \s-1EXEC\s0\fR below as well as the \*(L"\s-1PREVENTING\s0 \s-1SHELL\s0 \s-1ESCAPES\s0\*(R" section at the end of this manual.  This flag is \fIoff\fR by default.
   .IP "ignore_local_sudoers" 12
   .IX Item "ignore_local_sudoers"
   If set via \s-1LDAP\s0, parsing of \f(CW@sysconfdir\fR@/sudoers will be skipped.
   This is intended for an Enterprises that wish to prevent the usage of local
   sudoers files so that only \s-1LDAP\s0 is used.  This thwarts the efforts of
   rogue operators who would attempt to add roles to \f(CW@sysconfdir\fR@/sudoers.
   When this option is present, \f(CW@sysconfdir\fR@/sudoers does not even need to exist.
   Since this options tells sudo how to behave when no specific \s-1LDAP\s0 entries
   have been matched, this sudoOption is only meaningful for the cn=defaults
   section.  This flag is \fIoff\fR by default.
 .PP  .PP
 \&\fBIntegers\fR:  \&\fBIntegers\fR:
 .IP "passwd_tries" 12  .IP "passwd_tries" 12
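Review bot: grammar in ignore_local_sudoers: "an Enterprises that wish" should be "enterprises that wish", and "this options tells" should be "this option tells". For the noexec flag, say here, as the Tag_Spec text later in this diff does, that it only affects dynamically-linked executables; a site-wide "Defaults noexec" otherwise reads as a complete guarantee. The noexec description line is also far longer than the rest of the file and should be wrapped.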
Line 670 
Line 686 
 .IX Item "runas_default"  .IX Item "runas_default"
 The default user to run commands as if the \fB\-u\fR flag is not specified  The default user to run commands as if the \fB\-u\fR flag is not specified
 on the command line.  This defaults to \f(CW\*(C`root\*(C'\fR.  on the command line.  This defaults to \f(CW\*(C`root\*(C'\fR.
   Note that if \fIrunas_default\fR is set it \fBmust\fR occur before
   any \f(CW\*(C`Runas_Alias\*(C'\fR specifications.
 .IP "syslog_goodpri" 12  .IP "syslog_goodpri" 12
 .IX Item "syslog_goodpri"  .IX Item "syslog_goodpri"
 Syslog priority to use when user authenticates successfully.  Syslog priority to use when user authenticates successfully.
Line 685 
Line 703 
 \&\s-1USER\s0 environment variable if possible, or the first editor in the  \&\s-1USER\s0 environment variable if possible, or the first editor in the
 list that exists and is executable.  The default is the path to vi  list that exists and is executable.  The default is the path to vi
 on your system.  on your system.
   .IP "noexec_file" 12
   .IX Item "noexec_file"
   Path to a shared library containing dummy versions of the \fIexecv()\fR,
   \&\fIexecve()\fR and \fIfexecve()\fR library functions that just return an error.
   This is used to implement the \fInoexec\fR functionality on systems that
   support \f(CW\*(C`LD_PRELOAD\*(C'\fR or its equivalent.  Defaults to \fI/usr/libexec/sudo_noexec.so\fR.
 .PP  .PP
 \&\fBStrings that can be used in a boolean context\fR:  \&\fBStrings that can be used in a boolean context\fR:
   .IP "lecture" 12
   .IX Item "lecture"
   This option controls when a short lecture will be printed along with
   the password prompt.  It has the following possible values:
   .RS 12
   .IP "never" 8
   .IX Item "never"
   Never lecture the user.
   .IP "once" 8
   .IX Item "once"
   Only lecture the user the first time they run \fBsudo\fR.
   .IP "always" 8
   .IX Item "always"
   Always lecture the user.
   .RE
   .RS 12
   .Sp
   The default value is \fIonce\fR.
   .RE
   .IP "lecture_file" 12
   .IX Item "lecture_file"
   Path to a file containing an alternate sudo lecture that will
   be used in place of the standard lecture if the named file exists.
 .IP "logfile" 12  .IP "logfile" 12
 .IX Item "logfile"  .IX Item "logfile"
 Path to the \fBsudo\fR log file (not the syslog log file).  Setting a path  Path to the \fBsudo\fR log file (not the syslog log file).  Setting a path
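Review bot: noexec_file's default is given as the literal "/usr/libexec/sudo_noexec.so" while other entries on this page use the "@sysconfdir@" substitution for installed paths; use the equivalent configure-time substitution so the man page matches the actual install location. For lecture_file, state what happens when the named file does not exist; the text only implies that the standard lecture is used.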
Line 694 
Line 741 
 .IP "syslog" 12  .IP "syslog" 12
 .IX Item "syslog"  .IX Item "syslog"
 Syslog facility if syslog is being used for logging (negate to  Syslog facility if syslog is being used for logging (negate to
 disable syslog logging).  Defaults to \f(CW\*(C`local2\*(C'\fR.  disable syslog logging).  Defaults to \f(CW\*(C`authpriv\*(C'\fR.
 .IP "mailerpath" 12  .IP "mailerpath" 12
 .IX Item "mailerpath"  .IX Item "mailerpath"
 Path to mail program used to send warning mail.  Path to mail program used to send warning mail.
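Review bot: changing the syslog default from local2 to authpriv is a sensible hardening, since authpriv logs are normally readable only by root, but the facility list later in this diff says authpriv is available only "if your OS supports it"; document the fallback facility on systems that lack it, and flag the change as upgrade-visible, because existing syslog rules keyed on local2 will stop receiving sudo logs.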
Line 793 
Line 840 
 to, deleted from, or disabled by using the \f(CW\*(C`=\*(C'\fR, \f(CW\*(C`+=\*(C'\fR, \f(CW\*(C`\-=\*(C'\fR, and  to, deleted from, or disabled by using the \f(CW\*(C`=\*(C'\fR, \f(CW\*(C`+=\*(C'\fR, \f(CW\*(C`\-=\*(C'\fR, and
 \&\f(CW\*(C`!\*(C'\fR operators respectively.  This list has no default members.  \&\f(CW\*(C`!\*(C'\fR operators respectively.  This list has no default members.
 .PP  .PP
 When logging via \fIsyslog\fR\|(3), \fBsudo\fR accepts the following values for the syslog  When logging via \fIsyslog\fR\|(3), \fBsudo\fR accepts the following values
 facility (the value of the \fBsyslog\fR Parameter): \fBauthpriv\fR (if your \s-1OS\s0  for the syslog facility (the value of the \fBsyslog\fR Parameter):
 supports it), \fBauth\fR, \fBdaemon\fR, \fBuser\fR, \fBlocal0\fR, \fBlocal1\fR, \fBlocal2\fR,  \&\fBauthpriv\fR (if your \s-1OS\s0 supports it), \fBauth\fR, \fBdaemon\fR, \fBuser\fR,
 \&\fBlocal3\fR, \fBlocal4\fR, \fBlocal5\fR, \fBlocal6\fR, and \fBlocal7\fR.  The following  \&\fBlocal0\fR, \fBlocal1\fR, \fBlocal2\fR, \fBlocal3\fR, \fBlocal4\fR, \fBlocal5\fR,
 syslog priorities are supported: \fBalert\fR, \fBcrit\fR, \fBdebug\fR, \fBemerg\fR,  \&\fBlocal6\fR, and \fBlocal7\fR.  The following syslog priorities are
 \&\fBerr\fR, \fBinfo\fR, \fBnotice\fR, and \fBwarning\fR.  supported: \fBalert\fR, \fBcrit\fR, \fBdebug\fR, \fBemerg\fR, \fBerr\fR, \fBinfo\fR,
   \&\fBnotice\fR, and \fBwarning\fR.
 .Sh "User Specification"  .Sh "User Specification"
 .IX Subsection "User Specification"  .IX Subsection "User Specification"
 .Vb 2  .Vb 2
 \& User_Spec ::= User_list Host_List '=' Cmnd_Spec_List \e  \& User_Spec ::= User_List Host_List '=' Cmnd_Spec_List \e
 \&               (':' User_Spec)*  \&               (':' Host_List '=' Cmnd_Spec_List)*
 .Ve  .Ve
 .PP  .PP
 .Vb 2  .Vb 2
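Review bot: the User_Spec production now reads User_List Host_List '=' Cmnd_Spec_List (':' Host_List '=' Cmnd_Spec_List)*, so a ':' continues the same user's specification with a new host list instead of starting a nested User_Spec; that matches the EXAMPLES section, but confirm the parser agrees and that nothing accepted under the old (':' User_Spec) form is now rejected. The User_list capitalisation fix is correct.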
Line 812 
Line 860 
 .Ve  .Ve
 .PP  .PP
 .Vb 1  .Vb 1
 \& Cmnd_Spec ::= Runas_Spec? ('NOPASSWD:' | 'PASSWD:')? Cmnd  \& Cmnd_Spec ::= Runas_Spec? Tag_Spec* Cmnd
 .Ve  .Ve
 .PP  .PP
 .Vb 1  .Vb 1
 \& Runas_Spec ::= '(' Runas_List ')'  \& Runas_Spec ::= '(' Runas_List ')'
 .Ve  .Ve
 .PP  .PP
   .Vb 1
   \& Tag_Spec ::= ('NOPASSWD:' | 'PASSWD:' | 'NOEXEC:' | 'EXEC:')
   .Ve
   .PP
 A \fBuser specification\fR determines which commands a user may run  A \fBuser specification\fR determines which commands a user may run
 (and as what user) on specified hosts.  By default, commands are  (and as what user) on specified hosts.  By default, commands are
 run as \fBroot\fR, but this can be changed on a per-command basis.  run as \fBroot\fR, but this can be changed on a per-command basis.
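Review bot: Tag_Spec* permits any number of tags, including contradictory ones before the same Cmnd such as "NOPASSWD: PASSWD:"; the Tag_Spec subsection later in this diff only defines inheritance across commands in a Cmnd_Spec_List, so say which tag wins when both appear before a single command.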
Line 840 
Line 892 
 \&\fI/usr/bin/lprm\fR \*(-- but only as \fBoperator\fR.  E.g.,  \&\fI/usr/bin/lprm\fR \*(-- but only as \fBoperator\fR.  E.g.,
 .PP  .PP
 .Vb 1  .Vb 1
 \&    sudo -u operator /bin/ls.  \& $ sudo -u operator /bin/ls.
 .Ve  .Ve
 .PP  .PP
 It is also possible to override a \f(CW\*(C`Runas_Spec\*(C'\fR later on in an  It is also possible to override a \f(CW\*(C`Runas_Spec\*(C'\fR later on in an
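Review bot: the example "$ sudo -u operator /bin/ls." carries a trailing period inside the .Vb/.Ve block, which reads as part of the command line; drop it or move it outside the block.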
Line 852 
Line 904 
 .PP  .PP
 Then user \fBdgb\fR is now allowed to run \fI/bin/ls\fR as \fBoperator\fR,  Then user \fBdgb\fR is now allowed to run \fI/bin/ls\fR as \fBoperator\fR,
 but  \fI/bin/kill\fR and \fI/usr/bin/lprm\fR as \fBroot\fR.  but  \fI/bin/kill\fR and \fI/usr/bin/lprm\fR as \fBroot\fR.
 .Sh "\s-1NOPASSWD\s0 and \s-1PASSWD\s0"  .Sh "Tag_Spec"
   .IX Subsection "Tag_Spec"
   A command may have zero or more tags associated with it.  There are
   four possible tag values, \f(CW\*(C`NOPASSWD\*(C'\fR, \f(CW\*(C`PASSWD\*(C'\fR, \f(CW\*(C`NOEXEC\*(C'\fR, \f(CW\*(C`EXEC\*(C'\fR.
   Once a tag is set on a \f(CW\*(C`Cmnd\*(C'\fR, subsequent \f(CW\*(C`Cmnd\*(C'\fRs in the
   \&\f(CW\*(C`Cmnd_Spec_List\*(C'\fR, inherit the tag unless it is overridden by the
   opposite tag (ie: \f(CW\*(C`PASSWD\*(C'\fR overrides \f(CW\*(C`NOPASSWD\*(C'\fR and \f(CW\*(C`EXEC\*(C'\fR
   overrides \f(CW\*(C`NOEXEC\*(C'\fR).
   .PP
   \fI\s-1NOPASSWD\s0 and \s-1PASSWD\s0\fR
 .IX Subsection "NOPASSWD and PASSWD"  .IX Subsection "NOPASSWD and PASSWD"
   .PP
 By default, \fBsudo\fR requires that a user authenticate him or herself  By default, \fBsudo\fR requires that a user authenticate him or herself
 before running a command.  This behavior can be modified via the  before running a command.  This behavior can be modified via the
 \&\f(CW\*(C`NOPASSWD\*(C'\fR tag.  Like a \f(CW\*(C`Runas_Spec\*(C'\fR, the \f(CW\*(C`NOPASSWD\*(C'\fR tag sets  \&\f(CW\*(C`NOPASSWD\*(C'\fR tag.  Like a \f(CW\*(C`Runas_Spec\*(C'\fR, the \f(CW\*(C`NOPASSWD\*(C'\fR tag sets
Line 883 
Line 945 
 \&\f(CW\*(C`sudo \-v\*(C'\fR without a password if the \f(CW\*(C`NOPASSWD\*(C'\fR tag is present  \&\f(CW\*(C`sudo \-v\*(C'\fR without a password if the \f(CW\*(C`NOPASSWD\*(C'\fR tag is present
 for all a user's entries that pertain to the current host.  for all a user's entries that pertain to the current host.
 This behavior may be overridden via the verifypw and listpw options.  This behavior may be overridden via the verifypw and listpw options.
 .Sh "Wildcards (aka meta characters):"  .PP
 .IX Subsection "Wildcards (aka meta characters):"  \fI\s-1NOEXEC\s0 and \s-1EXEC\s0\fR
 \&\fBsudo\fR allows shell-style \fIwildcards\fR to be used in pathnames  .IX Subsection "NOEXEC and EXEC"
 as well as command line arguments in the \fIsudoers\fR file.  Wildcard  .PP
 matching is done via the \fB\s-1POSIX\s0\fR \f(CWfnmatch(3)\fR routine.  Note that  If sudo has been compiled with \fInoexec\fR support and the underlying
 these are \fInot\fR regular expressions.  operating system support it, the \f(CW\*(C`NOEXEC\*(C'\fR tag can be used to prevent
   a dynamically-linked executable from running further commands itself.
   .PP
   In the following example, user \fBaaron\fR may run \fI/usr/bin/more\fR
   and \fI/usr/bin/vi\fR but shell escapes will be disabled.
   .PP
   .Vb 1
   \& aaron  shanty = NOEXEC: /usr/bin/more, /usr/bin/vi
   .Ve
   .PP
   See the \*(L"\s-1PREVENTING\s0 \s-1SHELL\s0 \s-1ESCAPES\s0\*(R" section below for more details
   on how \fInoexec\fR works and whether or not it will work on your system.
   .Sh "Wildcards"
   .IX Subsection "Wildcards"
   \&\fBsudo\fR allows shell-style \fIwildcards\fR (aka meta or glob characters)
   to be used in pathnames as well as command line arguments in the
   \&\fIsudoers\fR file.  Wildcard matching is done via the \fB\s-1POSIX\s0\fR
   \&\fIfnmatch\fR\|(3) routine.  Note that these are \fInot\fR regular expressions.
 .ie n .IP "\*(C`*\*(C'" 8  .ie n .IP "\*(C`*\*(C'" 8
 .el .IP "\f(CW\*(C`*\*(C'\fR" 8  .el .IP "\f(CW\*(C`*\*(C'\fR" 8
 .IX Item "*"  .IX Item "*"
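Review bot: "the underlying operating system support it" should be "supports it", and "ie:" should be "i.e.". In the NOEXEC example for aaron, restate that shell escapes are disabled only because /usr/bin/more and /usr/bin/vi are dynamically linked on that system, as the preceding paragraph says; a reader copying the example needs to make that check on their own binaries.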
Line 920 
Line 999 
 \&    /usr/bin/*  \&    /usr/bin/*
 .Ve  .Ve
 .PP  .PP
 match \f(CW\*(C`/usr/bin/who\*(C'\fR but not \f(CW\*(C`/usr/bin/X11/xterm\*(C'\fR.  match \fI/usr/bin/who\fR but not \fI/usr/bin/X11/xterm\fR.
 .Sh "Exceptions to wildcard rules:"  .PP
 .IX Subsection "Exceptions to wildcard rules:"  \&\s-1WARNING:\s0 a pathname with wildcards will \fBnot\fR match a user command
   that consists of a relative path.  In other words, given the
   following \fIsudoers\fR entry:
   .PP
   .Vb 1
   \&    billy  workstation = /usr/bin/*
   .Ve
   .PP
   user billy will be able to run any command in /usr/bin as root, such
   as \fI/usr/bin/w\fR.  The following two command will be allowed (the first
   assumes that \fI/usr/bin\fR is in the user's path):
   .PP
   .Vb 2
   \&    $ sudo w
   \&    $ sudo /usr/bin/w
   .Ve
   .PP
   However, this will not:
   .PP
   .Vb 2
   \&    $ cd /usr/bin
   \&    $ sudo ./w
   .Ve
   .PP
   For this reason you should only \fBgrant\fR access to commands using
   wildcards and never \fBrestrict\fR access using them.  This limitation
   will be removed in a future version of \fBsudo\fR.
   .Sh "Exceptions to wildcard rules"
   .IX Subsection "Exceptions to wildcard rules"
 The following exceptions apply to the above rules:  The following exceptions apply to the above rules:
 .ie n .IP """""" 8  .ie n .IP """""" 8
 .el .IP "\f(CW``''\fR" 8  .el .IP "\f(CW``''\fR" 8
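Review bot: "The following two command will be allowed" should be "commands". More importantly, the WARNING should state the consequence it is guarding against before the examples: because an invocation such as "./w" run from /usr/bin never matches "/usr/bin/*", a wildcard entry cannot be relied on to deny a command, which is exactly why the text says to grant, never restrict, with wildcards. Leading with that sentence makes the advice easier to follow than inferring it from the three code blocks.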
Line 930 
Line 1037 
 If the empty string \f(CW""\fR is the only command line argument in the  If the empty string \f(CW""\fR is the only command line argument in the
 \&\fIsudoers\fR entry it means that command is not allowed to be run  \&\fIsudoers\fR entry it means that command is not allowed to be run
 with \fBany\fR arguments.  with \fBany\fR arguments.
 .Sh "Other special characters and reserved words:"  .Sh "Other special characters and reserved words"
 .IX Subsection "Other special characters and reserved words:"  .IX Subsection "Other special characters and reserved words"
 The pound sign ('#') is used to indicate a comment (unless it  The pound sign ('#') is used to indicate a comment (unless it
 occurs in the context of a user name and is followed by one or  occurs in the context of a user name and is followed by one or
 more digits, in which case it is treated as a uid).  Both the  more digits, in which case it is treated as a uid).  Both the
Line 962 
Line 1069 
 The following characters must be escaped with a backslash ('\e') when  The following characters must be escaped with a backslash ('\e') when
 used as part of a word (e.g. a username or hostname):  used as part of a word (e.g. a username or hostname):
 \&'@', '!', '=', ':', ',', '(', ')', '\e'.  \&'@', '!', '=', ':', ',', '(', ')', '\e'.
   .SH "FILES"
   .IX Header "FILES"
   .Vb 3
   \& /etc/sudoers           List of who can run what
   \& /etc/group             Local groups file
   \& /etc/netgroup          List of network groups
   .Ve
 .SH "EXAMPLES"  .SH "EXAMPLES"
 .IX Header "EXAMPLES"  .IX Header "EXAMPLES"
   Since the \fIsudoers\fR file is parsed in a single pass, order is
   important.  In general, you should structure \fIsudoers\fR such that
   the \f(CW\*(C`Host_Alias\*(C'\fR, \f(CW\*(C`User_Alias\*(C'\fR, and \f(CW\*(C`Cmnd_Alias\*(C'\fR specifications
   come first, followed by any \f(CW\*(C`Default_Entry\*(C'\fR lines, and finally the
   \&\f(CW\*(C`Runas_Alias\*(C'\fR and user specifications.  The basic rule of thumb
   is you cannot reference an Alias that has not already been defined.
   .PP
 Below are example \fIsudoers\fR entries.  Admittedly, some of  Below are example \fIsudoers\fR entries.  Admittedly, some of
 these are a bit contrived.  First, we define our \fIaliases\fR:  these are a bit contrived.  First, we define our \fIaliases\fR:
 .PP  .PP
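Review bot: the new ordering paragraph states the rule (an alias cannot be referenced before it is defined) but not what happens when the rule is broken; say explicitly whether visudo rejects such a file with a parse error or whether the unresolved name is treated as a literal user, host or command, because an administrator who assumes the wrong one can misread a rule that never matches as a deliberate grant or denial. The sentence also places `Default_Entry` lines between the aliases and the user specifications but then mentions only `Runas_Alias` after them; one clause on why `Runas_Alias` is singled out there would make the recommended layout easier to follow.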
Line 999 
Line 1120 
 \& Cmnd_Alias     KILL = /usr/bin/kill  \& Cmnd_Alias     KILL = /usr/bin/kill
 \& Cmnd_Alias     PRINTING = /usr/sbin/lpc, /usr/bin/lprm  \& Cmnd_Alias     PRINTING = /usr/sbin/lpc, /usr/bin/lprm
 \& Cmnd_Alias     SHUTDOWN = /usr/sbin/shutdown  \& Cmnd_Alias     SHUTDOWN = /usr/sbin/shutdown
 \& Cmnd_Alias     HALT = /usr/sbin/halt, /usr/sbin/fasthalt  \& Cmnd_Alias     HALT = /usr/sbin/halt
 \& Cmnd_Alias     REBOOT = /usr/sbin/reboot, /usr/sbin/fastboot  \& Cmnd_Alias     REBOOT = /usr/sbin/reboot
 \& Cmnd_Alias     SHELLS = /usr/bin/sh, /usr/bin/csh, /usr/bin/ksh, \e  \& Cmnd_Alias     SHELLS = /usr/bin/sh, /usr/bin/csh, /usr/bin/ksh, \e
 \&                         /usr/local/bin/tcsh, /usr/bin/rsh, \e  \&                         /usr/local/bin/tcsh, /usr/bin/rsh, \e
 \&                         /usr/local/bin/zsh  \&                         /usr/local/bin/zsh
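Review bot: trimming HALT and REBOOT to the binaries that actually exist is the right fix, but the example still hard-codes /usr/sbin/halt and /usr/sbin/reboot, and those programs do not live there on every platform; a Cmnd_Alias path that does not match the installed binary simply never matches, so an administrator who copies the example gets a rule that is silently ineffective. Either add a sentence that paths must be adjusted to the local system or use the paths valid where this manual is installed.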
Line 1011 
Line 1132 
 \&\fBsudo\fR to log via \fIsyslog\fR\|(3) using the \fIauth\fR facility in all  \&\fBsudo\fR to log via \fIsyslog\fR\|(3) using the \fIauth\fR facility in all
 cases.  We don't want to subject the full time staff to the \fBsudo\fR  cases.  We don't want to subject the full time staff to the \fBsudo\fR
 lecture, user \fBmillert\fR need not give a password, and we don't  lecture, user \fBmillert\fR need not give a password, and we don't
 want to set the \f(CW\*(C`LOGNAME\*(C'\fR or \f(CW\*(C`USER\*(C'\fR environment variables when  want to reset the \f(CW\*(C`LOGNAME\*(C'\fR or \f(CW\*(C`USER\*(C'\fR environment variables when
 running commands as root.  Additionally, on the machines in the  running commands as root.  Additionally, on the machines in the
 \&\fI\s-1SERVERS\s0\fR \f(CW\*(C`Host_Alias\*(C'\fR, we keep an additional local log file and  \&\fI\s-1SERVERS\s0\fR \f(CW\*(C`Host_Alias\*(C'\fR, we keep an additional local log file and
 make sure we log the year in each log line since the log entries  make sure we log the year in each log line since the log entries
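Review bot: "reset" is the accurate word here, since by default sudo overwrites an existing LOGNAME and USER with the target user's name when running as root, and the example is switching that off for the users it lists. Because the Defaults line that does this is outside the hunk, consider naming the option (`set_logname`) in this sentence so the reader can match the prose to the directive it describes.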
Line 1071 
Line 1192 
 (the class B network \f(CW128.138.0.0\fR).  (the class B network \f(CW128.138.0.0\fR).
 .PP  .PP
 .Vb 2  .Vb 2
 \& operator       ALL = DUMPS, KILL, PRINTING, SHUTDOWN, HALT, REBOOT,\e  \& operator       ALL = DUMPS, KILL, SHUTDOWN, HALT, REBOOT, PRINTING,\e
 \&                /usr/oper/bin/  \&                sudoedit /etc/printcap, /usr/oper/bin/
 .Ve  .Ve
 .PP  .PP
 The \fBoperator\fR user may run commands limited to simple maintenance.  The \fBoperator\fR user may run commands limited to simple maintenance.
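Review bot: the added `sudoedit /etc/printcap` entry is the right replacement for granting a full editor, but the rule still ends with `/usr/oper/bin/`, a directory entry that permits every executable placed in that directory; a one-line reminder that such a directory must be owned by root and not writable by operator (or by any group operator belongs to) belongs next to this example, otherwise the care taken with the other aliases in the same rule is wasted.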
Line 1192 
Line 1313 
 different name, or use a shell escape from an editor or other  different name, or use a shell escape from an editor or other
 program.  Therefore, these kind of restrictions should be considered  program.  Therefore, these kind of restrictions should be considered
 advisory at best (and reinforced by policy).  advisory at best (and reinforced by policy).
   .SH "PREVENTING SHELL ESCAPES"
   .IX Header "PREVENTING SHELL ESCAPES"
   Once \fBsudo\fR executes a program, that program is free to do whatever
   it pleases, including run other programs.  This can be a security
   issue since it is not uncommon for a program to allow shell escapes,
   which lets a user bypass \fBsudo\fR's restrictions.  Common programs
   that permit shell escapes include shells (obviously), editors,
   paginators, mail and terminal programs.
   .PP
   Many systems that support shared libraries have the ability to
   override default library functions by pointing an environment
   variable (usually \f(CW\*(C`LD_PRELOAD\*(C'\fR) to an alternate shared library.
   On such systems, \fBsudo\fR's \fInoexec\fR functionality can be used to
   prevent a program run by sudo from executing any other programs.
   Note, however, that this applies only to native dynamically-linked
   executables.  Statically-linked executables and foreign executables
   running under binary emulation are not affected.
   .PP
   To tell whether or not \fBsudo\fR supports \fInoexec\fR, you can run
   the following as root:
   .PP
   .Vb 1
   \&    sudo -V | grep "dummy exec"
   .Ve
   .PP
   If the resulting output contains a line that begins with:
   .PP
   .Vb 1
   \&    File containing dummy exec functions:
   .Ve
   .PP
   then \fBsudo\fR may be able to replace the exec family of functions
   in the standard library with its own that simply return an error.
   Unfortunately, there is no foolproof way to know whether or not
   \&\fInoexec\fR will work at compile\-time.  \fINoexec\fR should work on
   SunOS, Solaris, *BSD, Linux, \s-1IRIX\s0, Tru64 \s-1UNIX\s0, MacOS X, and HP-UX
   11.x.  It is known \fBnot\fR to work on \s-1AIX\s0 and UnixWare.  \fINoexec\fR
   is expected to work on most operating systems that support the
   \&\f(CW\*(C`LD_PRELOAD\*(C'\fR environment variable.  Check your operating system's
   manual pages for the dynamic linker (usually ld.so, ld.so.1, dyld,
   dld.sl, rld, or loader) to see if \f(CW\*(C`LD_PRELOAD\*(C'\fR is supported.
   .PP
   To enable \fInoexec\fR for a command, use the \f(CW\*(C`NOEXEC\*(C'\fR tag as documented
   in the User Specification section above.  Here is that example again:
   .PP
   .Vb 1
   \& aaron  shanty = NOEXEC: /usr/bin/more, /usr/bin/vi
   .Ve
   .PP
   This allows user \fBaaron\fR to run \fI/usr/bin/more\fR and \fI/usr/bin/vi\fR
   with \fInoexec\fR enabled.  This will prevent those two commands from
   executing other commands (such as a shell).  If you are unsure
   whether or not your system is capable of supporting \fInoexec\fR you
   can always just try it out and see if it works.
   .PP
   Note that disabling shell escapes is not a panacea.  Programs running
   as root are still capable of many potentially hazardous operations
   (such as changing or overwriting files) that could lead to unintended
   privilege escalation.  In the specific case of an editor, a safer
   approach is to give the user permission to run \fBsudoedit\fR.
   .SH "SEE ALSO"
   .IX Header "SEE ALSO"
   \&\fIrsh\fR\|(1), \fIsu\fR\|(1), \fIfnmatch\fR\|(3), sudo(8), visudo(8)
 .SH "CAVEATS"  .SH "CAVEATS"
 .IX Header "CAVEATS"  .IX Header "CAVEATS"
 The \fIsudoers\fR file should \fBalways\fR be edited by the \fBvisudo\fR  The \fIsudoers\fR file should \fBalways\fR be edited by the \fBvisudo\fR
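Review bot: "you can always just try it out and see if it works" gives the reader no actual check, and a noexec failure is silent (the program simply runs unrestricted), so the text should describe a positive verification, for example running one of the NOEXEC commands and confirming that its attempt to start a subprogram fails with an error, before the restriction is relied on. The list of cases noexec cannot cover (static binaries, emulated foreign executables) should also mention set-user-ID and set-group-ID programs that change identity, since the dynamic linker typically ignores LD_PRELOAD for those. Minor style point: the moved SEE ALSO line now writes sudo(8) and visudo(8) without the \fI...\fR\|(8) markup used for rsh, su and fnmatch on the same line and in the line it replaces.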
Line 1204 
Line 1388 
 case), you either need to have the machine's hostname be fully qualified  case), you either need to have the machine's hostname be fully qualified
 as returned by the \f(CW\*(C`hostname\*(C'\fR command or use the \fIfqdn\fR option in  as returned by the \f(CW\*(C`hostname\*(C'\fR command or use the \fIfqdn\fR option in
 \&\fIsudoers\fR.  \&\fIsudoers\fR.
 .SH "FILES"  .SH "BUGS"
 .IX Header "FILES"  .IX Header "BUGS"
 .Vb 3  If you feel you have found a bug in \fBsudo\fR, please submit a bug report
 \& /etc/sudoers           List of who can run what  at http://www.sudo.ws/sudo/bugs/
 \& /etc/group             Local groups file  .SH "SUPPORT"
 \& /etc/netgroup          List of network groups  .IX Header "SUPPORT"
 .Ve  Commercial support is available for \fBsudo\fR, see
 .SH "SEE ALSO"  http://www.sudo.ws/sudo/support.html for details.
 .IX Header "SEE ALSO"  .PP
 \&\fIrsh\fR\|(1), \fIsu\fR\|(1), \fIfnmatch\fR\|(3), \fIsudo\fR\|(8), \fIvisudo\fR\|(8)  Limited free support is available via the sudo-users mailing list,
   see http://www.sudo.ws/mailman/listinfo/sudo\-users to subscribe or
   search the archives.
   .SH "DISCLAIMER"
   .IX Header "DISCLAIMER"
   \&\fBSudo\fR is provided ``\s-1AS\s0 \s-1IS\s0'' and any express or implied warranties,
   including, but not limited to, the implied warranties of merchantability
   and fitness for a particular purpose are disclaimed.  See the \s-1LICENSE\s0
   file distributed with \fBsudo\fR or http://www.sudo.ws/sudo/license.html
   for complete details.
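Review bot: the new BUGS section sends every report to the public bug tracker; consider adding a separate contact for security-sensitive reports so that a vulnerability in sudo is not disclosed through a public ticket before a fix exists.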