--- version 1.16, 2003/04/14 06:39:24
+++ version 1.17, 2004/09/28 15:10:51
|
|
-.\" Copyright (c) 1994-1996,1998-2003 Todd C. Miller <Todd.Miller@courtesan.com>
-.\" All rights reserved.
+.\" Copyright (c) 1994-1996,1998-2004 Todd C. Miller <Todd.Miller@courtesan.com>
 .\"
-.\" Redistribution and use in source and binary forms, with or without
-.\" modification, are permitted provided that the following conditions
-.\" are met:
+.\" Permission to use, copy, modify, and distribute this software for any
+.\" purpose with or without fee is hereby granted, provided that the above
+.\" copyright notice and this permission notice appear in all copies.
 .\"
-.\" 1. Redistributions of source code must retain the above copyright
-.\" notice, this list of conditions and the following disclaimer.
-.\"
-.\" 2. Redistributions in binary form must reproduce the above copyright
-.\" notice, this list of conditions and the following disclaimer in the
-.\" documentation and/or other materials provided with the distribution.
-.\"
-.\" 3. The name of the author may not be used to endorse or promote products
-.\" derived from this software without specific prior written permission
-.\" from the author.
-.\"
-.\" 4. Products derived from this software may not be called "Sudo" nor
-.\" may "Sudo" appear in their names without specific prior written
-.\" permission from the author.
-.\"
-.\" THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
-.\" INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
-.\" AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL
-.\" THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
-.\" EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
-.\" PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS;
-.\" OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
-.\" WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR
-.\" OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF
+.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\" ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.\" $Sudo: sudoers.man.in,v 1.24 2003/03/15 20:33:31 millert Exp $
-.\" Automatically generated by Pod::Man v1.34, Pod::Parser v1.13
+.\" Sponsored in part by the Defense Advanced Research Projects
+.\" Agency (DARPA) and Air Force Research Laboratory, Air Force
+.\" Materiel Command, USAF, under agreement number F39502-99-1-0512.
+.\"
+.\" $Sudo: sudoers.man.in,v 1.46 2004/09/06 20:46:28 millert Exp $
+.\" Automatically generated by Pod::Man v1.37, Pod::Parser v1.14
 .\"
 .\" Standard preamble:
 .\" ========================================================================
|
|
 .\" ========================================================================
 .\"
 .IX Title "SUDOERS 5"
-.TH SUDOERS 5 "March 13, 2003" "1.6.7" "MAINTENANCE COMMANDS"
+.TH SUDOERS 5 "September 6, 2004" "1.6.8" "MAINTENANCE COMMANDS"
 .SH "NAME"
 sudoers \- list of which users may execute what
 .SH "DESCRIPTION"
 .IX Header "DESCRIPTION"
-The \fIsudoers\fR file is composed of two types of entries:
-aliases (basically variables) and user specifications
-(which specify who may run what). The grammar of \fIsudoers\fR
-will be described below in Extended Backus-Naur Form (\s-1EBNF\s0).
-Don't despair if you don't know what \s-1EBNF\s0 is; it is fairly
-simple, and the definitions below are annotated.
+The \fIsudoers\fR file is composed of two types of entries: aliases
+(basically variables) and user specifications (which specify who
+may run what).
+.PP
+When multiple entries match for a user, they are applied in order.
+Where there are conflicting values, the last match is used (which
+is not necessarily the most specific match).
+.PP
+The \fIsudoers\fR grammar will be described below in Extended Backus-Naur
+Form (\s-1EBNF\s0). Don't despair if you don't know what \s-1EBNF\s0 is; it is
+fairly simple, and the definitions below are annotated.
 .Sh "Quick guide to \s-1EBNF\s0"
 .IX Subsection "Quick guide to EBNF"
 \&\s-1EBNF\s0 is a concise and exact way of describing the grammar of a language.
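Review bot: the new sentence "the last match is used (which is not necessarily the most specific match)" is the rule most likely to surprise an administrator, because a broad entry placed after a narrow one silently wins; a two-line example right here (a narrow grant followed by a broader one, with a note on which applies) would make the ordering rule concrete before the reader reaches the EBNF.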
|
|
 \& '!'* User_Alias
 .Ve
 .PP
-A \f(CW\*(C`User_List\*(C'\fR is made up of one or more usernames, uids
-(prefixed with '#'), System groups (prefixed with '%'),
-netgroups (prefixed with '+') and other aliases. Each list
-item may be prefixed with one or more '!' operators. An odd number
-of '!' operators negate the value of the item; an even number
-just cancel each other out.
+A \f(CW\*(C`User_List\*(C'\fR is made up of one or more usernames, system groups
+(prefixed with '%'), netgroups (prefixed with '+') and other aliases.
+Each list item may be prefixed with one or more '!' operators.
+An odd number of '!' operators negate the value of the item; an even
+number just cancel each other out.
 .PP
 .Vb 2
 \& Runas_List ::= Runas_User |
|
|
 .PP
 A \f(CW\*(C`Runas_List\*(C'\fR is similar to a \f(CW\*(C`User_List\*(C'\fR except that it can
 also contain uids (prefixed with '#') and instead of \f(CW\*(C`User_Alias\*(C'\fRes
-it can contain \f(CW\*(C`Runas_Alias\*(C'\fRes.
+it can contain \f(CW\*(C`Runas_Alias\*(C'\fRes. Note that usernames and groups
+are matched as strings. In other words, two users (groups) with
+the same uid (gid) are considered to be distinct. If you wish to
+match all usernames with the same uid (e.g. root and toor), you
+can use a uid instead (#0 in the example given).
 .PP
 .Vb 2
 \& Host_List ::= Host |
|
|
 of the host's ethernet interface(s) will be used when matching.
 The netmask may be specified either in dotted quad notation (e.g.
 255.255.255.0) or \s-1CIDR\s0 notation (number of bits, e.g. 24). A hostname
-may include shell-style wildcards (see `Wildcards' section below),
+may include shell-style wildcards (see the Wildcards section below),
 but unless the \f(CW\*(C`hostname\*(C'\fR command on your machine returns the fully
 qualified hostname, you'll need to use the \fIfqdn\fR option for wildcards
 to be useful.
|
|
 \& filename '""'
 .Ve
 .PP
-.Vb 3
+.Vb 4
 \& Cmnd ::= '!'* commandname |
 \& '!'* directory |
+\& '!'* "sudoedit" |
 \& '!'* Cmnd_Alias
 .Ve
 .PP
 A \f(CW\*(C`Cmnd_List\*(C'\fR is a list of one or more commandnames, directories, and other
 aliases. A commandname is a fully qualified filename which may include
-shell-style wildcards (see `Wildcards' section below). A simple
+shell-style wildcards (see the Wildcards section below). A simple
 filename allows the user to run the command with any arguments he/she
 wishes. However, you may also specify command line arguments (including
 wildcards). Alternately, you can specify \f(CW""\fR to indicate that the command
|
|
 in the \f(CW\*(C`Cmnd\*(C'\fR must match exactly those given by the user on the command line
 (or match the wildcards if there are any). Note that the following
 characters must be escaped with a '\e' if they are used in command
-arguments: ',', ':', '=', '\e'.
+arguments: ',', ':', '=', '\e'. The special command \f(CW"sudoedit"\fR
+is used to permit a user to run \fBsudo\fR with the \fB\-e\fR flag (or
+as \fBsudoedit\fR). It may take command line arguments just as
+a normal command does.
 .Sh "Defaults"
 .IX Subsection "Defaults"
 Certain configuration options may be changed from their default
 values at runtime via one or more \f(CW\*(C`Default_Entry\*(C'\fR lines. These
 may affect all users on any host, all users on a specific host, a
-specific user, or commands being run as a specific user. When
-multiple entries match, they are applied in order. Where there are
-conflicting values, the last value on a matching line takes effect.
+specific user, or commands being run as a specific user.
 .PP
 .Vb 4
-\& Default_Type ::= 'Defaults' ||
-\& 'Defaults' '@' Host ||
-\& 'Defaults' ':' User ||
+\& Default_Type ::= 'Defaults' |
+\& 'Defaults' '@' Host |
+\& 'Defaults' ':' User |
 \& 'Defaults' '>' RunasUser
 .Ve
 .PP
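Review bot: removing "Where there are conflicting values, the last value on a matching line takes effect" loses a rule that the relocated DESCRIPTION text does not restate: DESCRIPTION now speaks of conflicting entries, while this sentence covered conflicting values within a single Defaults line. Keep a one-line pointer here, e.g. "Defaults entries are applied in order; see DESCRIPTION", so an administrator reading only this section still learns that a later Defaults line silently overrides an earlier one.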
|
|
 \& Default_Entry ::= Default_Type Parameter_List
 .Ve
 .PP
+.Vb 2
+\& Parameter_List ::= Parameter |
+\& Parameter ',' Parameter_List
+.Ve
+.PP
 .Vb 4
-\& Parameter ::= Parameter '=' Value ||
-\& Parameter '+=' Value ||
-\& Parameter '-=' Value ||
-\& '!'* Parameter ||
+\& Parameter ::= Parameter '=' Value |
+\& Parameter '+=' Value |
+\& Parameter '-=' Value |
+\& '!'* Parameter
 .Ve
 .PP
 Parameters may be \fBflags\fR, \fBinteger\fR values, \fBstrings\fR, or \fBlists\fR.
|
|
 It is not an error to use the \f(CW\*(C`\-=\*(C'\fR operator to remove an element
 that does not exist in a list.
 .PP
-Note that since the \fIsudoers\fR file is parsed in order the best place
-to put the Defaults section is after the Host, User, and Cmnd aliases
-but before the user specifications.
-.PP
 \&\fBFlags\fR:
 .IP "long_otp_prompt" 12
 .IX Item "long_otp_prompt"
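Review bot: the removed note on where to place the Defaults section (after the Host, User and Cmnd aliases, before the user specifications) is restated later in this patch under EXAMPLES, but the Defaults section is where an administrator looks for it; leave a one-line cross-reference here ("see EXAMPLES for the recommended ordering") rather than dropping the advice from this section entirely.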
|
|
 .IX Item "ignore_dot"
 If set, \fBsudo\fR will ignore '.' or '' (current dir) in the \f(CW\*(C`PATH\*(C'\fR
 environment variable; the \f(CW\*(C`PATH\*(C'\fR itself is not modified. This
-flag is \fIon\fR by default.
+flag is \fIoff\fR by default. Currently, while it is possible
+to set \fIignore_dot\fR in \fIsudoers\fR, its value is not used. This option
+should be considered read-only (it will be fixed in a future version
+of \fBsudo\fR).
 .IP "mail_always" 12
 .IX Item "mail_always"
 Send mail to the \fImailto\fR user every time a users runs \fBsudo\fR.
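Review bot: the ignore_dot entry now contradicts itself: it documents a default of off, then says the value is not used and the option should be considered read-only, so a reader cannot tell whether '.' in PATH is currently ignored or not. State the actual behaviour once (whether sudo ignores '.' regardless of the setting) and put the "will be fixed in a future version" remark after it; otherwise an administrator may set ignore_dot expecting a protection it does not currently provide.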
|
|
 .IX Item "mail_no_perms"
 If set, mail will be sent to the \fImailto\fR user if the invoking
 user is allowed to use \fBsudo\fR but the command they are trying is not
-listed in their \fIsudoers\fR file entry. This flag is \fIoff\fR
-by default.
+listed in their \fIsudoers\fR file entry or is explicitly denied.
+This flag is \fIoff\fR by default.
 .IP "tty_tickets" 12
 .IX Item "tty_tickets"
 If set, users must authenticate on a per-tty basis. Normally,
|
|
 the user running it. With this flag enabled, \fBsudo\fR will use a
 file named for the tty the user is logged in on in that directory.
 This flag is \fIoff\fR by default.
-.IP "lecture" 12
-.IX Item "lecture"
-If set, a user will receive a short lecture the first time he/she
-runs \fBsudo\fR. This flag is \fIon\fR by default.
 .IP "authenticate" 12
 .IX Item "authenticate"
 If set, users must authenticate themselves via a password (or other
|
|
 .IX Item "root_sudo"
 If set, root is allowed to run \fBsudo\fR too. Disabling this prevents users
 from \*(L"chaining\*(R" \fBsudo\fR commands to get a root shell by doing something
-like \f(CW"sudo sudo /bin/sh"\fR.
+like \f(CW"sudo sudo /bin/sh"\fR. Note, however, that turning off \fIroot_sudo\fR
+will also prevent root and from running \fBsudoedit\fR.
+Disabling \fIroot_sudo\fR provides no real additional security; it
+exists purely for historical reasons.
 This flag is \fIon\fR by default.
 .IP "log_host" 12
 .IX Item "log_host"
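Review bot: "will also prevent root and from running sudoedit" has a stray "and"; read "will also prevent root from running sudoedit". The added statement that disabling root_sudo provides no real additional security is the useful part of this change; stating it before the sudoedit caveat would make clear that turning the flag off is a cost with no offsetting benefit.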
|
|
 .IP "runaspw" 12
 .IX Item "runaspw"
 If set, \fBsudo\fR will prompt for the password of the user defined by the
-\&\fIrunas_default\fR option (defaults to \f(CW\*(C`root\*(C'\fR) instead of the password
-of the invoking user. This flag is \fIoff\fR by default.
+\&\fIrunas_default\fR option (defaults to \f(CW\*(C`root\*(C'\fR) instead of the
+password of the invoking user. This flag is \fIoff\fR by default.
 .IP "targetpw" 12
 .IX Item "targetpw"
 If set, \fBsudo\fR will prompt for the password of the user specified by
 the \fB\-u\fR flag (defaults to \f(CW\*(C`root\*(C'\fR) instead of the password of the
-invoking user. This flag is \fIoff\fR by default.
+invoking user. Note that this precludes the use of a uid not listed
+in the passwd database as an argument to the \fB\-u\fR flag.
+This flag is \fIoff\fR by default.
 .IP "set_logname" 12
 .IX Item "set_logname"
 Normally, \fBsudo\fR will set the \f(CW\*(C`LOGNAME\*(C'\fR and \f(CW\*(C`USER\*(C'\fR environment variables
|
|
 If set, \fBsudo\fR will apply the defaults specified for the target user's
 login class if one exists. Only available if \fBsudo\fR is configured with
 the \-\-with\-logincap option. This flag is \fIoff\fR by default.
+.IP "noexec" 12
+.IX Item "noexec"
+If set, all commands run via sudo will behave as if the \f(CW\*(C`NOEXEC\*(C'\fR
+tag has been set, unless overridden by a \f(CW\*(C`EXEC\*(C'\fR tag. See the
+description of \fI\s-1NOEXEC\s0 and \s-1EXEC\s0\fR below as well as the \*(L"\s-1PREVENTING\s0 \s-1SHELL\s0 \s-1ESCAPES\s0\*(R" section at the end of this manual. This flag is \fIoff\fR by default.
+.IP "ignore_local_sudoers" 12
+.IX Item "ignore_local_sudoers"
+If set via \s-1LDAP\s0, parsing of \f(CW@sysconfdir\fR@/sudoers will be skipped.
+This is intended for an Enterprises that wish to prevent the usage of local
+sudoers files so that only \s-1LDAP\s0 is used. This thwarts the efforts of
+rogue operators who would attempt to add roles to \f(CW@sysconfdir\fR@/sudoers.
+When this option is present, \f(CW@sysconfdir\fR@/sudoers does not even need to exist.
+Since this options tells sudo how to behave when no specific \s-1LDAP\s0 entries
+have been matched, this sudoOption is only meaningful for the cn=defaults
+section. This flag is \fIoff\fR by default.
 .PP
 \&\fBIntegers\fR:
 .IP "passwd_tries" 12
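Review bot: grammar in the new ignore_local_sudoers paragraph: "intended for an Enterprises that wish" should be "intended for enterprises that wish", and "Since this options tells" should be "Since this option tells". The paragraph also opens with "If set via LDAP" but never says plainly that the option only takes effect when it comes from the LDAP cn=defaults entry; one sentence making that explicit would stop readers from adding it to the local file and expecting it to do something.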
|
|
 .IX Item "runas_default"
 The default user to run commands as if the \fB\-u\fR flag is not specified
 on the command line. This defaults to \f(CW\*(C`root\*(C'\fR.
+Note that if \fIrunas_default\fR is set it \fBmust\fR occur before
+any \f(CW\*(C`Runas_Alias\*(C'\fR specifications.
 .IP "syslog_goodpri" 12
 .IX Item "syslog_goodpri"
 Syslog priority to use when user authenticates successfully.
|
|
 \&\s-1USER\s0 environment variable if possible, or the first editor in the
 list that exists and is executable. The default is the path to vi
 on your system.
+.IP "noexec_file" 12
+.IX Item "noexec_file"
+Path to a shared library containing dummy versions of the \fIexecv()\fR,
+\&\fIexecve()\fR and \fIfexecve()\fR library functions that just return an error.
+This is used to implement the \fInoexec\fR functionality on systems that
+support \f(CW\*(C`LD_PRELOAD\*(C'\fR or its equivalent. Defaults to \fI/usr/libexec/sudo_noexec.so\fR.
 .PP
 \&\fBStrings that can be used in a boolean context\fR:
+.IP "lecture" 12
+.IX Item "lecture"
+This option controls when a short lecture will be printed along with
+the password prompt. It has the following possible values:
+.RS 12
+.IP "never" 8
+.IX Item "never"
+Never lecture the user.
+.IP "once" 8
+.IX Item "once"
+Only lecture the user the first time they run \fBsudo\fR.
+.IP "always" 8
+.IX Item "always"
+Always lecture the user.
+.RE
+.RS 12
+.Sp
+The default value is \fIonce\fR.
+.RE
+.IP "lecture_file" 12
+.IX Item "lecture_file"
+Path to a file containing an alternate sudo lecture that will
+be used in place of the standard lecture if the named file exists.
 .IP "logfile" 12
 .IX Item "logfile"
 Path to the \fBsudo\fR log file (not the syslog log file). Setting a path
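Review bot: the noexec_file entry should carry the same qualification the NOEXEC section of this patch gives, namely that the preloaded library only affects dynamically-linked executables. Read together with the noexec flag's "all commands run via sudo will behave as if the NOEXEC tag has been set", this entry otherwise suggests that every command is covered; a clause such as "only dynamically-linked commands are affected" would prevent that misreading.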
|
|
 .IP "syslog" 12
 .IX Item "syslog"
 Syslog facility if syslog is being used for logging (negate to
-disable syslog logging). Defaults to \f(CW\*(C`local2\*(C'\fR.
+disable syslog logging). Defaults to \f(CW\*(C`authpriv\*(C'\fR.
 .IP "mailerpath" 12
 .IX Item "mailerpath"
 Path to mail program used to send warning mail.
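Review bot: changing the default syslog facility from local2 to authpriv is a behaviour change that affects log collection: any syslog.conf selector or log-forwarding rule that picks up sudo entries via local2 will silently stop receiving them after the upgrade. Call this out in the upgrade notes, and consider adding "(was local2 in earlier releases)" here so administrators who monitor sudo activity know to adjust their filters.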
|
|
 to, deleted from, or disabled by using the \f(CW\*(C`=\*(C'\fR, \f(CW\*(C`+=\*(C'\fR, \f(CW\*(C`\-=\*(C'\fR, and
 \&\f(CW\*(C`!\*(C'\fR operators respectively. This list has no default members.
 .PP
-When logging via \fIsyslog\fR\|(3), \fBsudo\fR accepts the following values for the syslog
-facility (the value of the \fBsyslog\fR Parameter): \fBauthpriv\fR (if your \s-1OS\s0
-supports it), \fBauth\fR, \fBdaemon\fR, \fBuser\fR, \fBlocal0\fR, \fBlocal1\fR, \fBlocal2\fR,
-\&\fBlocal3\fR, \fBlocal4\fR, \fBlocal5\fR, \fBlocal6\fR, and \fBlocal7\fR. The following
-syslog priorities are supported: \fBalert\fR, \fBcrit\fR, \fBdebug\fR, \fBemerg\fR,
-\&\fBerr\fR, \fBinfo\fR, \fBnotice\fR, and \fBwarning\fR.
+When logging via \fIsyslog\fR\|(3), \fBsudo\fR accepts the following values
+for the syslog facility (the value of the \fBsyslog\fR Parameter):
+\&\fBauthpriv\fR (if your \s-1OS\s0 supports it), \fBauth\fR, \fBdaemon\fR, \fBuser\fR,
+\&\fBlocal0\fR, \fBlocal1\fR, \fBlocal2\fR, \fBlocal3\fR, \fBlocal4\fR, \fBlocal5\fR,
+\&\fBlocal6\fR, and \fBlocal7\fR. The following syslog priorities are
+supported: \fBalert\fR, \fBcrit\fR, \fBdebug\fR, \fBemerg\fR, \fBerr\fR, \fBinfo\fR,
+\&\fBnotice\fR, and \fBwarning\fR.
 .Sh "User Specification"
 .IX Subsection "User Specification"
 .Vb 2
-\& User_Spec ::= User_list Host_List '=' Cmnd_Spec_List \e
-\& (':' User_Spec)*
+\& User_Spec ::= User_List Host_List '=' Cmnd_Spec_List \e
+\& (':' Host_List '=' Cmnd_Spec_List)*
 .Ve
 .PP
 .Vb 2
|
|
 .Ve
 .PP
 .Vb 1
-\& Cmnd_Spec ::= Runas_Spec? ('NOPASSWD:' | 'PASSWD:')? Cmnd
+\& Cmnd_Spec ::= Runas_Spec? Tag_Spec* Cmnd
 .Ve
 .PP
 .Vb 1
 \& Runas_Spec ::= '(' Runas_List ')'
 .Ve
 .PP
+.Vb 1
+\& Tag_Spec ::= ('NOPASSWD:' | 'PASSWD:' | 'NOEXEC:' | 'EXEC:')
+.Ve
+.PP
 A \fBuser specification\fR determines which commands a user may run
 (and as what user) on specified hosts. By default, commands are
 run as \fBroot\fR, but this can be changed on a per-command basis.
|
|
 \&\fI/usr/bin/lprm\fR \*(-- but only as \fBoperator\fR. E.g.,
 .PP
 .Vb 1
-\& sudo -u operator /bin/ls.
+\& $ sudo -u operator /bin/ls.
 .Ve
 .PP
 It is also possible to override a \f(CW\*(C`Runas_Spec\*(C'\fR later on in an
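Review bot: the trailing period in "$ sudo -u operator /bin/ls." sits inside the verbatim block and reads as part of the command line; drop it, or move the sentence-ending punctuation into the prose before the .Vb block.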
|
|
 .PP
 Then user \fBdgb\fR is now allowed to run \fI/bin/ls\fR as \fBoperator\fR,
 but \fI/bin/kill\fR and \fI/usr/bin/lprm\fR as \fBroot\fR.
-.Sh "\s-1NOPASSWD\s0 and \s-1PASSWD\s0"
+.Sh "Tag_Spec"
+.IX Subsection "Tag_Spec"
+A command may have zero or more tags associated with it. There are
+four possible tag values, \f(CW\*(C`NOPASSWD\*(C'\fR, \f(CW\*(C`PASSWD\*(C'\fR, \f(CW\*(C`NOEXEC\*(C'\fR, \f(CW\*(C`EXEC\*(C'\fR.
+Once a tag is set on a \f(CW\*(C`Cmnd\*(C'\fR, subsequent \f(CW\*(C`Cmnd\*(C'\fRs in the
+\&\f(CW\*(C`Cmnd_Spec_List\*(C'\fR, inherit the tag unless it is overridden by the
+opposite tag (ie: \f(CW\*(C`PASSWD\*(C'\fR overrides \f(CW\*(C`NOPASSWD\*(C'\fR and \f(CW\*(C`EXEC\*(C'\fR
+overrides \f(CW\*(C`NOEXEC\*(C'\fR).
+.PP
+\fI\s-1NOPASSWD\s0 and \s-1PASSWD\s0\fR
 .IX Subsection "NOPASSWD and PASSWD"
+.PP
 By default, \fBsudo\fR requires that a user authenticate him or herself
 before running a command. This behavior can be modified via the
 \&\f(CW\*(C`NOPASSWD\*(C'\fR tag. Like a \f(CW\*(C`Runas_Spec\*(C'\fR, the \f(CW\*(C`NOPASSWD\*(C'\fR tag sets
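Review bot: in the new Tag_Spec paragraph, "subsequent Cmnds in the Cmnd_Spec_List, inherit the tag" has a stray comma before "inherit", and "ie:" should be "i.e.". The inheritance rule itself deserves a one-line example, because it means a NOPASSWD: or EXEC: tag written before the first command silently applies to every later command on that line until the opposite tag resets it; the NOEXEC example further down shows a tag applied to two commands but not the override case.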
|
|
 \&\f(CW\*(C`sudo \-v\*(C'\fR without a password if the \f(CW\*(C`NOPASSWD\*(C'\fR tag is present
 for all a user's entries that pertain to the current host.
 This behavior may be overridden via the verifypw and listpw options.
-.Sh "Wildcards (aka meta characters):"
-.IX Subsection "Wildcards (aka meta characters):"
-\&\fBsudo\fR allows shell-style \fIwildcards\fR to be used in pathnames
-as well as command line arguments in the \fIsudoers\fR file. Wildcard
-matching is done via the \fB\s-1POSIX\s0\fR \f(CWfnmatch(3)\fR routine. Note that
-these are \fInot\fR regular expressions.
+.PP
+\fI\s-1NOEXEC\s0 and \s-1EXEC\s0\fR
+.IX Subsection "NOEXEC and EXEC"
+.PP
+If sudo has been compiled with \fInoexec\fR support and the underlying
+operating system support it, the \f(CW\*(C`NOEXEC\*(C'\fR tag can be used to prevent
+a dynamically-linked executable from running further commands itself.
+.PP
+In the following example, user \fBaaron\fR may run \fI/usr/bin/more\fR
+and \fI/usr/bin/vi\fR but shell escapes will be disabled.
+.PP
+.Vb 1
+\& aaron shanty = NOEXEC: /usr/bin/more, /usr/bin/vi
+.Ve
+.PP
+See the \*(L"\s-1PREVENTING\s0 \s-1SHELL\s0 \s-1ESCAPES\s0\*(R" section below for more details
+on how \fInoexec\fR works and whether or not it will work on your system.
+.Sh "Wildcards"
+.IX Subsection "Wildcards"
+\&\fBsudo\fR allows shell-style \fIwildcards\fR (aka meta or glob characters)
+to be used in pathnames as well as command line arguments in the
+\&\fIsudoers\fR file. Wildcard matching is done via the \fB\s-1POSIX\s0\fR
+\&\fIfnmatch\fR\|(3) routine. Note that these are \fInot\fR regular expressions.
 .ie n .IP "\*(C`*\*(C'" 8
 .el .IP "\f(CW\*(C`*\*(C'\fR" 8
 .IX Item "*"
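Review bot: "the underlying operating system support it" should read "supports it". The sentence correctly limits the guarantee to "a dynamically-linked executable"; since that is the only place the limitation is stated, the noexec flag entry in the Defaults list should repeat it so the two descriptions do not promise different things.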
|
|
 \& /usr/bin/*
 .Ve
 .PP
-match \f(CW\*(C`/usr/bin/who\*(C'\fR but not \f(CW\*(C`/usr/bin/X11/xterm\*(C'\fR.
-.Sh "Exceptions to wildcard rules:"
-.IX Subsection "Exceptions to wildcard rules:"
+match \fI/usr/bin/who\fR but not \fI/usr/bin/X11/xterm\fR.
+.PP
+\&\s-1WARNING:\s0 a pathname with wildcards will \fBnot\fR match a user command
+that consists of a relative path. In other words, given the
+following \fIsudoers\fR entry:
+.PP
+.Vb 1
+\& billy workstation = /usr/bin/*
+.Ve
+.PP
+user billy will be able to run any command in /usr/bin as root, such
+as \fI/usr/bin/w\fR. The following two command will be allowed (the first
+assumes that \fI/usr/bin\fR is in the user's path):
+.PP
+.Vb 2
+\& $ sudo w
+\& $ sudo /usr/bin/w
+.Ve
+.PP
+However, this will not:
+.PP
+.Vb 2
+\& $ cd /usr/bin
+\& $ sudo ./w
+.Ve
+.PP
+For this reason you should only \fBgrant\fR access to commands using
+wildcards and never \fBrestrict\fR access using them. This limitation
+will be removed in a future version of \fBsudo\fR.
+.Sh "Exceptions to wildcard rules"
+.IX Subsection "Exceptions to wildcard rules"
 The following exceptions apply to the above rules:
 .ie n .IP """""" 8
 .el .IP "\f(CW``''\fR" 8
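Review bot: "The following two command will be allowed" should be "commands". The WARNING paragraph is the important addition: because a wildcard pathname never matches a relative path, a wildcard in a negated entry does not restrict what it appears to restrict, which is exactly why the text advises granting, and never restricting, with wildcards. Fold that advice into the WARNING sentence itself so it is not read as a separate tip, and consider stating that the limitation affects only matching of the user's command, not the command that is ultimately executed.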
|
|
 If the empty string \f(CW""\fR is the only command line argument in the
 \&\fIsudoers\fR entry it means that command is not allowed to be run
 with \fBany\fR arguments.
-.Sh "Other special characters and reserved words:"
-.IX Subsection "Other special characters and reserved words:"
+.Sh "Other special characters and reserved words"
+.IX Subsection "Other special characters and reserved words"
 The pound sign ('#') is used to indicate a comment (unless it
 occurs in the context of a user name and is followed by one or
 more digits, in which case it is treated as a uid). Both the
|
|
 The following characters must be escaped with a backslash ('\e') when
 used as part of a word (e.g. a username or hostname):
 \&'@', '!', '=', ':', ',', '(', ')', '\e'.
+.SH "FILES"
+.IX Header "FILES"
+.Vb 3
+\& /etc/sudoers List of who can run what
+\& /etc/group Local groups file
+\& /etc/netgroup List of network groups
+.Ve
 .SH "EXAMPLES"
 .IX Header "EXAMPLES"
+Since the \fIsudoers\fR file is parsed in a single pass, order is
+important. In general, you should structure \fIsudoers\fR such that
+the \f(CW\*(C`Host_Alias\*(C'\fR, \f(CW\*(C`User_Alias\*(C'\fR, and \f(CW\*(C`Cmnd_Alias\*(C'\fR specifications
+come first, followed by any \f(CW\*(C`Default_Entry\*(C'\fR lines, and finally the
+\&\f(CW\*(C`Runas_Alias\*(C'\fR and user specifications. The basic rule of thumb
+is you cannot reference an Alias that has not already been defined.
+.PP
 Below are example \fIsudoers\fR entries. Admittedly, some of
 these are a bit contrived. First, we define our \fIaliases\fR:
 .PP
|
|
\& Cmnd_Alias KILL = /usr/bin/kill |
\& Cmnd_Alias KILL = /usr/bin/kill |
\& Cmnd_Alias PRINTING = /usr/sbin/lpc, /usr/bin/lprm |
\& Cmnd_Alias PRINTING = /usr/sbin/lpc, /usr/bin/lprm |
\& Cmnd_Alias SHUTDOWN = /usr/sbin/shutdown |
\& Cmnd_Alias SHUTDOWN = /usr/sbin/shutdown |
\& Cmnd_Alias HALT = /usr/sbin/halt, /usr/sbin/fasthalt |
\& Cmnd_Alias HALT = /usr/sbin/halt |
\& Cmnd_Alias REBOOT = /usr/sbin/reboot, /usr/sbin/fastboot |
\& Cmnd_Alias REBOOT = /usr/sbin/reboot |
\& Cmnd_Alias SHELLS = /usr/bin/sh, /usr/bin/csh, /usr/bin/ksh, \e |
\& Cmnd_Alias SHELLS = /usr/bin/sh, /usr/bin/csh, /usr/bin/ksh, \e |
\& /usr/local/bin/tcsh, /usr/bin/rsh, \e |
\& /usr/local/bin/tcsh, /usr/bin/rsh, \e |
\& /usr/local/bin/zsh |
\& /usr/local/bin/zsh |
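Review bot: the new ordering paragraph at the top of EXAMPLES singles out Runas_Alias as something that should come after the Default_Entry lines, but the rule of thumb it then gives ("you cannot reference an Alias that has not already been defined") does not explain why a Runas_Alias needs to be placed later than the other three alias kinds; either state the reason or list Runas_Alias with Host_Alias, User_Alias and Cmnd_Alias so readers do not infer a constraint that the parser does not impose. The same region also narrows the HALT and REBOOT aliases (fasthalt and fastboot dropped); that is a tightening, not a problem, but since the operator rule further down still grants HALT and REBOOT, a one-line mention in the commit message would help anyone diffing the example against a deployed sudoers.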
|
|
\&\fBsudo\fR to log via \fIsyslog\fR\|(3) using the \fIauth\fR facility in all |
\&\fBsudo\fR to log via \fIsyslog\fR\|(3) using the \fIauth\fR facility in all |
cases. We don't want to subject the full time staff to the \fBsudo\fR |
cases. We don't want to subject the full time staff to the \fBsudo\fR |
lecture, user \fBmillert\fR need not give a password, and we don't |
lecture, user \fBmillert\fR need not give a password, and we don't |
want to set the \f(CW\*(C`LOGNAME\*(C'\fR or \f(CW\*(C`USER\*(C'\fR environment variables when |
want to reset the \f(CW\*(C`LOGNAME\*(C'\fR or \f(CW\*(C`USER\*(C'\fR environment variables when |
running commands as root. Additionally, on the machines in the |
running commands as root. Additionally, on the machines in the |
\&\fI\s-1SERVERS\s0\fR \f(CW\*(C`Host_Alias\*(C'\fR, we keep an additional local log file and |
\&\fI\s-1SERVERS\s0\fR \f(CW\*(C`Host_Alias\*(C'\fR, we keep an additional local log file and |
make sure we log the year in each log line since the log entries |
make sure we log the year in each log line since the log entries |
|
|
(the class B network \f(CW128.138.0.0\fR). |
(the class B network \f(CW128.138.0.0\fR). |
.PP |
.PP |
.Vb 2 |
.Vb 2 |
\& operator ALL = DUMPS, KILL, PRINTING, SHUTDOWN, HALT, REBOOT,\e |
\& operator ALL = DUMPS, KILL, SHUTDOWN, HALT, REBOOT, PRINTING,\e |
\& /usr/oper/bin/ |
\& sudoedit /etc/printcap, /usr/oper/bin/ |
.Ve |
.Ve |
.PP |
.PP |
The \fBoperator\fR user may run commands limited to simple maintenance. |
The \fBoperator\fR user may run commands limited to simple maintenance. |
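Review bot: the explanatory sentence that closes this region ("The operator user may run commands limited to simple maintenance.") was not updated for the new `sudoedit /etc/printcap` entry added to the operator rule, so the prose no longer describes the rule above it. Suggest extending it, e.g. "... limited to simple maintenance, and may edit /etc/printcap via sudoedit." Worth noting in the same sentence why sudoedit is used rather than granting an editor on that file: the new PREVENTING SHELL ESCAPES section below recommends exactly this, and the operator rule is the page's only worked instance of the advice.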
|
|
different name, or use a shell escape from an editor or other |
different name, or use a shell escape from an editor or other |
program. Therefore, these kind of restrictions should be considered |
program. Therefore, these kind of restrictions should be considered |
advisory at best (and reinforced by policy). |
advisory at best (and reinforced by policy). |
|
.SH "PREVENTING SHELL ESCAPES" |
|
.IX Header "PREVENTING SHELL ESCAPES" |
|
Once \fBsudo\fR executes a program, that program is free to do whatever |
|
it pleases, including run other programs. This can be a security |
|
issue since it is not uncommon for a program to allow shell escapes, |
|
which lets a user bypass \fBsudo\fR's restrictions. Common programs |
|
that permit shell escapes include shells (obviously), editors, |
|
paginators, mail and terminal programs. |
|
.PP |
|
Many systems that support shared libraries have the ability to |
|
override default library functions by pointing an environment |
|
variable (usually \f(CW\*(C`LD_PRELOAD\*(C'\fR) to an alternate shared library. |
|
On such systems, \fBsudo\fR's \fInoexec\fR functionality can be used to |
|
prevent a program run by sudo from executing any other programs. |
|
Note, however, that this applies only to native dynamically-linked |
|
executables. Statically-linked executables and foreign executables |
|
running under binary emulation are not affected. |
|
.PP |
|
To tell whether or not \fBsudo\fR supports \fInoexec\fR, you can run |
|
the following as root: |
|
.PP |
|
.Vb 1 |
|
\& sudo -V | grep "dummy exec" |
|
.Ve |
|
.PP |
|
If the resulting output contains a line that begins with: |
|
.PP |
|
.Vb 1 |
|
\& File containing dummy exec functions: |
|
.Ve |
|
.PP |
|
then \fBsudo\fR may be able to replace the exec family of functions |
|
in the standard library with its own that simply return an error. |
|
Unfortunately, there is no foolproof way to know whether or not |
|
\&\fInoexec\fR will work at compile\-time. \fINoexec\fR should work on |
|
SunOS, Solaris, *BSD, Linux, \s-1IRIX\s0, Tru64 \s-1UNIX\s0, MacOS X, and HP-UX |
|
11.x. It is known \fBnot\fR to work on \s-1AIX\s0 and UnixWare. \fINoexec\fR |
|
is expected to work on most operating systems that support the |
|
\&\f(CW\*(C`LD_PRELOAD\*(C'\fR environment variable. Check your operating system's |
|
manual pages for the dynamic linker (usually ld.so, ld.so.1, dyld, |
|
dld.sl, rld, or loader) to see if \f(CW\*(C`LD_PRELOAD\*(C'\fR is supported. |
|
.PP |
|
To enable \fInoexec\fR for a command, use the \f(CW\*(C`NOEXEC\*(C'\fR tag as documented |
|
in the User Specification section above. Here is that example again: |
|
.PP |
|
.Vb 1 |
|
\& aaron shanty = NOEXEC: /usr/bin/more, /usr/bin/vi |
|
.Ve |
|
.PP |
|
This allows user \fBaaron\fR to run \fI/usr/bin/more\fR and \fI/usr/bin/vi\fR |
|
with \fInoexec\fR enabled. This will prevent those two commands from |
|
executing other commands (such as a shell). If you are unsure |
|
whether or not your system is capable of supporting \fInoexec\fR you |
|
can always just try it out and see if it works. |
|
.PP |
|
Note that disabling shell escapes is not a panacea. Programs running |
|
as root are still capable of many potentially hazardous operations |
|
(such as changing or overwriting files) that could lead to unintended |
|
privilege escalation. In the specific case of an editor, a safer |
|
approach is to give the user permission to run \fBsudoedit\fR. |
|
.SH "SEE ALSO" |
|
.IX Header "SEE ALSO" |
|
\&\fIrsh\fR\|(1), \fIsu\fR\|(1), \fIfnmatch\fR\|(3), sudo(8), visudo(8) |
.SH "CAVEATS" |
.SH "CAVEATS" |
.IX Header "CAVEATS" |
.IX Header "CAVEATS" |
The \fIsudoers\fR file should \fBalways\fR be edited by the \fBvisudo\fR |
The \fIsudoers\fR file should \fBalways\fR be edited by the \fBvisudo\fR |
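Review bot: the sentence "prevent a program run by sudo from executing any other programs" in the new PREVENTING SHELL ESCAPES section overstates the mechanism, given the caveat that follows (statically-linked executables and binaries under emulation are unaffected) and the later explanation that noexec works by replacing the exec family of functions in the standard library via LD_PRELOAD; suggest "from executing other dynamically-linked programs" or folding the caveat into the same sentence so it is not read past. Second, the relocated SEE ALSO line in this region writes the last two references as plain `sudo(8), visudo(8)` while the first three and the copy being removed further down use `\fIsudo\fR\|(8), \fIvisudo\fR\|(8)`; keep the italic markup on all five. Finally, the closing recommendation to grant sudoedit instead of an editor is the right advice, but the aaron example immediately above still grants /usr/bin/vi under NOEXEC; a short pointer that sudoedit is preferable to NOEXEC for the editor case would keep the example and the advice from reading as alternatives of equal weight.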
|
|
case), you either need to have the machine's hostname be fully qualified |
case), you either need to have the machine's hostname be fully qualified |
as returned by the \f(CW\*(C`hostname\*(C'\fR command or use the \fIfqdn\fR option in |
as returned by the \f(CW\*(C`hostname\*(C'\fR command or use the \fIfqdn\fR option in |
\&\fIsudoers\fR. |
\&\fIsudoers\fR. |
.SH "FILES" |
.SH "BUGS" |
.IX Header "FILES" |
.IX Header "BUGS" |
.Vb 3 |
If you feel you have found a bug in \fBsudo\fR, please submit a bug report |
\& /etc/sudoers List of who can run what |
at http://www.sudo.ws/sudo/bugs/ |
\& /etc/group Local groups file |
.SH "SUPPORT" |
\& /etc/netgroup List of network groups |
.IX Header "SUPPORT" |
.Ve |
Commercial support is available for \fBsudo\fR, see |
.SH "SEE ALSO" |
http://www.sudo.ws/sudo/support.html for details. |
.IX Header "SEE ALSO" |
.PP |
\&\fIrsh\fR\|(1), \fIsu\fR\|(1), \fIfnmatch\fR\|(3), \fIsudo\fR\|(8), \fIvisudo\fR\|(8) |
Limited free support is available via the sudo-users mailing list, |
|
see http://www.sudo.ws/mailman/listinfo/sudo\-users to subscribe or |
|
search the archives. |
|
.SH "DISCLAIMER" |
|
.IX Header "DISCLAIMER" |
|
\&\fBSudo\fR is provided ``\s-1AS\s0 \s-1IS\s0'' and any express or implied warranties, |
|
including, but not limited to, the implied warranties of merchantability |
|
and fitness for a particular purpose are disclaimed. See the \s-1LICENSE\s0 |
|
file distributed with \fBsudo\fR or http://www.sudo.ws/sudo/license.html |
|
for complete details. |