
Diff for /src/usr.bin/sudo/Attic/sudoers.5 between version 1.4 and 1.5

version 1.4, 2000/01/28 01:10:20 version 1.5, 2000/03/27 03:44:39
Line 2 
Line 2 
 ''' $RCSfile$$Revision$$Date$  ''' $RCSfile$$Revision$$Date$
 '''  '''
 ''' $Log$  ''' $Log$
 ''' Revision 1.4  2000/01/28 01:10:20  millert  ''' Revision 1.5  2000/03/27 03:44:39  millert
 ''' 1.6.2p1  ''' sudo 1.6.3; see http://www.courtesan.com/sudo/current.html for a list
   ''' of changes.
 '''  '''
 ''' Revision 1.23  2000/01/26 21:21:28  millert  ''' Revision 1.5  2000/03/27 03:26:23  millert
 ''' Expanded docs on sudoers 'defaults' options based on INSTALL file info.  ''' Use 8 and 5 in the man page bodies as well.
 '''  '''
 '''  '''
 .de Sh  .de Sh
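Review bot: the expanded $Log$ block on the new side now has two entries that are both labelled "Revision 1.5" (2000/03/27 03:44:39 and 2000/03/27 03:26:23), so a reader cannot tell which one describes this file's own revision. If the second entry belongs to a different revision history, label it as such, or drop the expanded log text from the man page source and rely on the CVS log.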
Line 99 
Line 100 
 .nr % 0  .nr % 0
 .rr F  .rr F
 .\}  .\}
 .TH sudoers 5 "1.6.2" "26/Jan/2000" "FILE FORMATS"  .TH sudoers 5 "1.6.3" "26/Mar/2000" "FILE FORMATS"
 .UC  .UC
 .if n .hy 0  .if n .hy 0
 .if n .na  .if n .na
Line 318 
Line 319 
 If you do not specify a netmask with a network number, the netmask  If you do not specify a netmask with a network number, the netmask
 of the host's ethernet \fIinterface\fR\|(s) will be used when matching.  of the host's ethernet \fIinterface\fR\|(s) will be used when matching.
 The netmask may be specified either in dotted quad notation (eg.  The netmask may be specified either in dotted quad notation (eg.
 255.255.255.0) or \s-1CIDR\s0 notation (number of bits, eg. 24).  255.255.255.0) or \s-1CIDR\s0 notation (number of bits, eg. 24).  A hostname
   may include shell-style wildcards (see `Wildcards\*(R' section below),
   but unless the \f(CWhostname\fR command on your machine returns the fully
   qualified hostname, you'll need to use the \fIfqdn\fR option for wildcards
   to be useful.
 .PP  .PP
 .Vb 2  .Vb 2
 \& Cmnd_List ::= Cmnd |  \& Cmnd_List ::= Cmnd |
Line 335 
Line 340 
 \&          '!'* Cmnd_Alias  \&          '!'* Cmnd_Alias
 .Ve  .Ve
 A \f(CWCmnd_List\fR is a list of one or more commandnames, directories, and other  A \f(CWCmnd_List\fR is a list of one or more commandnames, directories, and other
 aliases.  A commandname is a fully-qualified filename which may include  aliases.  A commandname is a fully qualified filename which may include
 shell-style wildcards (see `Wildcards\*(R' section below).  A simple  shell-style wildcards (see `Wildcards\*(R' section below).  A simple
 filename allows the user to run the command with any arguments he/she  filename allows the user to run the command with any arguments he/she
 wishes.  However, you may also command line arguments (including wildcards).  wishes.  However, you may also command line arguments (including wildcards).
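Review bot: the last line of this paragraph still reads "However, you may also command line arguments (including wildcards)", with no verb, on both sides of the diff. Since the paragraph is already being touched for the "fully qualified" spelling, fix it in the same change, for example "you may also specify command line arguments". This is the sentence that tells administrators a command can be restricted by its arguments, so it needs to be readable.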
Line 387 
Line 392 
 If set, \fBsudo\fR will ignore \*(L'.\*(R' or \*(L'\*(R' (current dir) in \f(CW$PATH\fR;  If set, \fBsudo\fR will ignore \*(L'.\*(R' or \*(L'\*(R' (current dir) in \f(CW$PATH\fR;
 the \f(CW$PATH\fR itself is not modified.  This flag is off by default.  the \f(CW$PATH\fR itself is not modified.  This flag is off by default.
 .Ip "mail_always" 12  .Ip "mail_always" 12
 Send mail to the \fImailto\fR user every time a users runs sudo.  Send mail to the \fImailto\fR user every time a users runs \fBsudo\fR.
 This flag is off by default.  This flag is off by default.
 .Ip "mail_no_user" 12  .Ip "mail_no_user" 12
 If set, mail will be sent to the \fImailto\fR user if the invoking  If set, mail will be sent to the \fImailto\fR user if the invoking
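Review bot: the mail_always line is edited only to embolden sudo and keeps the grammar slip "every time a users runs"; change it to "every time a user runs \fBsudo\fR" while the line is open.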
Line 398 
Line 403 
 commands on the current host.  This flag is off by default.  commands on the current host.  This flag is off by default.
 .Ip "mail_no_perms" 12  .Ip "mail_no_perms" 12
 If set, mail will be sent to the \fImailto\fR user if the invoking  If set, mail will be sent to the \fImailto\fR user if the invoking
 user allowed to use sudo but the command they are trying is not  user allowed to use \fBsudo\fR but the command they are trying is not
 listed in their \fIsudoers\fR file entry.  This flag is off by default.  listed in their \fIsudoers\fR file entry.  This flag is off by default.
 .Ip "tty_tickets" 12  .Ip "tty_tickets" 12
 If set, users must authenticate on a per-tty basis.  Normally,  If set, users must authenticate on a per-tty basis.  Normally,
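Review bot: in the mail_no_perms entry the changed line reads "user allowed to use \fBsudo\fR but the command they are trying is not", which is missing "is" after "user". Suggest "if the invoking user is allowed to use \fBsudo\fR but the command they are trying is not listed".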
Line 415 
Line 420 
 may be overridden via the \f(CWPASSWD\fR and \f(CWNOPASSWD\fR tags.  may be overridden via the \f(CWPASSWD\fR and \f(CWNOPASSWD\fR tags.
 This flag is on by default.  This flag is on by default.
 .Ip "root_sudo" 12  .Ip "root_sudo" 12
 If set, root is allowed to run sudo too.  Disabling this prevents users  If set, root is allowed to run \fBsudo\fR too.  Disabling this prevents users
 from \*(L"chaining\*(R" sudo commands to get a root shell by doing something  from \*(L"chaining\*(R" \fBsudo\fR commands to get a root shell by doing something
 like \f(CW"sudo sudo /bin/sh"\fR.  like \f(CW"sudo sudo /bin/sh"\fR.
 This flag is on by default.  This flag is on by default.
 .Ip "log_host" 12  .Ip "log_host" 12
Line 448 
Line 453 
 Set this flag if you want to put fully qualified hostnames in the  Set this flag if you want to put fully qualified hostnames in the
 \fIsudoers\fR file.  Ie: instead of myhost you would use myhost.mydomain.edu.  \fIsudoers\fR file.  Ie: instead of myhost you would use myhost.mydomain.edu.
 You may still use the short form if you wish (and even mix the two).  You may still use the short form if you wish (and even mix the two).
 Beware that turning on \fIfqdn\fR requires sudo to make \s-1DNS\s0 lookups  Beware that turning on \fIfqdn\fR requires \fBsudo\fR to make \s-1DNS\s0 lookups
 which may make \fBsudo\fR unusable if \s-1DNS\s0 stops working (for example  which may make \fBsudo\fR unusable if \s-1DNS\s0 stops working (for example
 if the machine is not plugged into the network).  Also note that  if the machine is not plugged into the network).  Also note that
 you must use the host's official name as \s-1DNS\s0 knows it.  That is,  you must use the host's official name as \s-1DNS\s0 knows it.  That is,
Line 458 
Line 463 
 command) is already fully qualified you shouldn't need to set  command) is already fully qualified you shouldn't need to set
 \fIfqfn\fR.  This flag is off by default.  \fIfqfn\fR.  This flag is off by default.
 .Ip "insults" 12  .Ip "insults" 12
 If set, sudo will insult users when they enter an incorrect  If set, \fBsudo\fR will insult users when they enter an incorrect
 password.  This flag is off by default.  password.  This flag is off by default.
 .Ip "requiretty" 12  .Ip "requiretty" 12
 If set, sudo will only run when the user is logged in to a real  If set, \fBsudo\fR will only run when the user is logged in to a real
 tty.  This will disallow things like \f(CW"rsh somehost sudo ls"\fR since  tty.  This will disallow things like \f(CW"rsh somehost sudo ls"\fR since
 \fIrsh\fR\|(1) does not allocate a tty.  Because it is not possible to turn  \fIrsh\fR\|(1) does not allocate a tty.  Because it is not possible to turn
 of echo when there is no tty present, some sites may with to set  of echo when there is no tty present, some sites may with to set
 this flag to prevent a user from entering a visible password.  This  this flag to prevent a user from entering a visible password.  This
 flag is off by default.  flag is off by default.
   .Ip "env_editor" 12
   If set, \fBvisudo\fR will use the value of the \s-1EDITOR\s0 or \s-1VISUAL\s0 environment
   falling back on the default editor.  Note that this may create a
   security hole as most editors allow a user to get a shell (which
   would be a root shell and not be logged).
   .Ip "rootpw" 12
   If set, \fBsudo\fR will prompt for the root password instead of the password
   of the invoking user.
   .Ip "runaspw" 12
   If set, \fBsudo\fR will prompt for the password of the user defined by the
   \fIrunas_default\fR option (defaults to root) instead of the password
   of the invoking user.
   .Ip "targetpw" 12
   If set, \fBsudo\fR will prompt for the password of the user specified by
   the \f(CW-u\fR flag (defaults to root) instead of the password of the
   invoking user.
   .Ip "set_logname" 12
   Normally, \fBsudo\fR will set the \f(CWLOGNAME\fR and \f(CWUSER\fR environment variables
   to the name of the target user (usually root unless the \f(CW-u\fR flag is given).
   However, since some programs (including the \s-1RCS\s0 revision control system)
   use \f(CWLOGNAME\fR to determine the real identity of the user, it may be desirable
   to change this behavior.  This can be done by negating the set_logname option.
 .PP  .PP
 \fBIntegers\fR:  \fBIntegers\fR:
 .Ip "passwd_tries" 12  .Ip "passwd_tries" 12
 The number of tries a user gets to enter his/her password before  The number of tries a user gets to enter his/her password before
 sudo logs the failure and exits.  The default is 3.  \fBsudo\fR logs the failure and exits.  The default is 3.
 .PP  .PP
 \fBIntegers that can be used in a boolean context\fR:  \fBIntegers that can be used in a boolean context\fR:
 .Ip "loglinelen" 12  .Ip "loglinelen" 12
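Review bot: the new env_editor entry has a broken first sentence, "will use the value of the EDITOR or VISUAL environment falling back on the default editor"; it is missing "variables" and a connective such as "before". The new flag entries env_editor, rootpw, runaspw and targetpw also omit the "This flag is off by default" / "on by default" line that every neighbouring flag carries, and set_logname only implies its default by saying it can be negated. Because env_editor is documented here as a possible way to reach an unlogged root shell, its default state should be stated explicitly. While in this hunk, the unchanged context lines still have "\fIfqfn\fR" for fqdn, "turn of echo" and "may with to set".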
Line 483 
Line 510 
 Number of minutes that can elapse before \fBsudo\fR will ask for a passwd  Number of minutes that can elapse before \fBsudo\fR will ask for a passwd
 again.  The default is 5, set this to 0 to always prompt for a password.  again.  The default is 5, set this to 0 to always prompt for a password.
 .Ip "passwd_timeout" 12  .Ip "passwd_timeout" 12
 Number of minutes before the sudo password prompt times out.  Number of minutes before the \fBsudo\fR password prompt times out.
 The default is 5, set this to 0 for no password timeout.  The default is 5, set this to 0 for no password timeout.
 .Ip "umask" 12  .Ip "umask" 12
 Umask to use when running the root command.  Set this to 0777 to  Umask to use when running the root command.  Set this to 0777 to
Line 499 
Line 526 
 The default is \*(L"Sorry, try again.\*(R" unless insults are enabled.  The default is \*(L"Sorry, try again.\*(R" unless insults are enabled.
 .Ip "timestampdir" 12  .Ip "timestampdir" 12
 The directory in which \fBsudo\fR stores its timestamp files.  The directory in which \fBsudo\fR stores its timestamp files.
 The default is either \f(CW/var/run/sudo\fR or \f(CW/tmp/sudo\fR.  The default is \fI@\s-1TIMEDIR\s0@\fR.
 .Ip "passprompt" 12  .Ip "passprompt" 12
 The default prompt to use when asking for a password; can be overridden  The default prompt to use when asking for a password; can be overridden
 via the \f(CW-p\fR option or the \f(CWSUDO_PROMPT\fR environment variable. Supports  via the \f(CW-p\fR option or the \f(CWSUDO_PROMPT\fR environment variable. Supports
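Review bot: the timestampdir default changes from two concrete paths to "\fI@\s-1TIMEDIR\s0@\fR", which reads like a build-time placeholder rather than a value. As committed, the rendered page would show the literal text @TIMEDIR@, and the size escapes inside the token mean a plain search for @TIMEDIR@ in this file would not match it. Either keep the actual directory in the text or make sure the token is written without embedded escapes and is substituted before the page is installed.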
Line 514 
Line 541 
 .Ip "syslog_badpri" 12  .Ip "syslog_badpri" 12
 Syslog priority to use when user authenticates unsuccessfully.  Syslog priority to use when user authenticates unsuccessfully.
 Defaults to \*(L"alert\*(R".  Defaults to \*(L"alert\*(R".
   .Ip "editor" 12
   Path to the editor to be used by \fBvisudo\fR.  The default is the path
   to vi on your system.
 .PP  .PP
 \fBStrings that can be used in a boolean context\fR:  \fBStrings that can be used in a boolean context\fR:
   .Ip "logfile" 12
   Path to the \fBsudo\fR log file (not the syslog log file).  Setting a path
   turns on logging to a file, negating this option turns it off.
 .Ip "syslog" 12  .Ip "syslog" 12
 Syslog facility if syslog is being used for logging (negate to  Syslog facility if syslog is being used for logging (negate to
 disable syslog logging).  Defaults to \*(L"local2\*(R".  disable syslog logging).  Defaults to \*(L"local2\*(R".
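Review bot: the new editor entry does not say how it relates to env_editor, which the same change documents as "falling back on the default editor"; state that the editor option is that fallback, if that is the intent, so the two entries can be read together. The new logfile entry also gives no default, unlike the syslog entry right after it ("Defaults to local2"); say whether file logging is on or off when the option is not set.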
Line 531 
Line 564 
 This is not set by default.  This is not set by default.
 .Ip "secure_path" 12  .Ip "secure_path" 12
 Path used for every command run from \fBsudo\fR.  If you don't trust the  Path used for every command run from \fBsudo\fR.  If you don't trust the
 people running sudo to have a sane \f(CWPATH\fR environment variable you may  people running \fBsudo\fR to have a sane \f(CWPATH\fR environment variable you may
 want to use this.  Another use is if you want to have the \*(L"root path\*(R"  want to use this.  Another use is if you want to have the \*(L"root path\*(R"
 be separate from the \*(L"user path.\*(R"  This is not set by default.  be separate from the \*(L"user path.\*(R"  This is not set by default.
 .Ip "verifypw" 12  .Ip "verifypw" 12
 This option controls when a password will be required when a  This option controls when a password will be required when a
 user runs sudo with the \fB\-v\fR.  It has the following possible values:  user runs \fBsudo\fR with the \fB\-v\fR.  It has the following possible values:
 .Sp  .Sp
 .Vb 3  .Vb 3
 \&    all         All the user's I<sudoers> entries for the  \&    all         All the user's I<sudoers> entries for the
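Review bot: the changed verifypw line ends "runs \fBsudo\fR with the \fB\-v\fR.", leaving "the" without a noun. Suggest "with the \fB\-v\fR flag", matching how the new targetpw entry refers to "the \f(CW-u\fR flag".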
Line 560 
Line 593 
 The default value is `all\*(R'.  The default value is `all\*(R'.
 .Ip "listpw" 12  .Ip "listpw" 12
 This option controls when a password will be required when a  This option controls when a password will be required when a
 user runs sudo with the \fB\-l\fR.  It has the following possible values:  user runs \fBsudo\fR with the \fB\-l\fR.  It has the following possible values:
 .Sp  .Sp
 .Vb 3  .Vb 3
 \&    all         All the user's I<sudoers> entries for the  \&    all         All the user's I<sudoers> entries for the
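Review bot: the verbatim block under listpw prints "I<sudoers>" literally (the same line appears under verifypw), so raw markup leaks into the rendered page. Replace it with plain "sudoers" inside the .Vb/.Ve block, and apply the "with the \fB\-l\fR flag" wording fix to the changed line above it.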
Line 583 
Line 616 
 .Ve  .Ve
 The default value is `any\*(R'.  The default value is `any\*(R'.
 .PP  .PP
 When logging via \fIsyslog\fR\|(3), sudo accepts the following values for the syslog  When logging via \fIsyslog\fR\|(3), \fBsudo\fR accepts the following values for the syslog
 facility (the value of the \fBsyslog\fR Parameter): \fBauthpriv\fR (if your \s-1OS\s0  facility (the value of the \fBsyslog\fR Parameter): \fBauthpriv\fR (if your \s-1OS\s0
 supports it), \fBauth\fR, \fBdaemon\fR, \fBuser\fR, \fBlocal0\fR, \fBlocal1\fR, \fBlocal2\fR,  supports it), \fBauth\fR, \fBdaemon\fR, \fBuser\fR, \fBlocal0\fR, \fBlocal1\fR, \fBlocal2\fR,
 \fBlocal3\fR, \fBlocal4\fR, \fBlocal5\fR, \fBlocal6\fR, and \fBlocal7\fR.  The following  \fBlocal3\fR, \fBlocal4\fR, \fBlocal5\fR, \fBlocal6\fR, and \fBlocal7\fR.  The following
Line 766 
Line 799 
 \& Cmnd_Alias     SU = /usr/bin/su  \& Cmnd_Alias     SU = /usr/bin/su
 .Ve  .Ve
 Here we override some of the compiled in default values.  We want  Here we override some of the compiled in default values.  We want
 sudo to log via \fIsyslog\fR\|(3) using the \fIauth\fR facility in all cases.  \fBsudo\fR to log via \fIsyslog\fR\|(3) using the \fIauth\fR facility in all cases.
 We don't want to subject the full time staff to the \fBsudo\fR lecture,  We don't want to subject the full time staff to the \fBsudo\fR lecture,
 and user \fBmillert\fR need not give a password.  In addition, on the  and user \fBmillert\fR need not give a password.  In addition, on the
 machines in the \fISERVERS\fR \f(CWHost_Alias\fR, we keep an additional  machines in the \fISERVERS\fR \f(CWHost_Alias\fR, we keep an additional
Line 932 
Line 965 
 will not run with a syntactically incorrect \fIsudoers\fR file.  will not run with a syntactically incorrect \fIsudoers\fR file.
 .PP  .PP
 When using netgroups of machines (as opposed to users), if you  When using netgroups of machines (as opposed to users), if you
 store fully-qualified hostnames in the netgroup (as is usually the  store fully qualified hostnames in the netgroup (as is usually the
 case), you either need to have the machine's hostname be fully-qualified  case), you either need to have the machine's hostname be fully qualified
 as returned by the \f(CWhostname\fR command or use the \fIfqdn\fR option in  as returned by the \f(CWhostname\fR command or use the \fIfqdn\fR option in
 \fIsudoers\fR.  \fIsudoers\fR.
 .SH "FILES"  .SH "FILES"
Line 1002 
Line 1035 
   
 .IX Item "requiretty"  .IX Item "requiretty"
   
   .IX Item "env_editor"
   
   .IX Item "rootpw"
   
   .IX Item "runaspw"
   
   .IX Item "targetpw"
   
   .IX Item "set_logname"
   
 .IX Item "passwd_tries"  .IX Item "passwd_tries"
   
 .IX Item "loglinelen"  .IX Item "loglinelen"
Line 1025 
Line 1068 
 .IX Item "syslog_goodpri"  .IX Item "syslog_goodpri"
   
 .IX Item "syslog_badpri"  .IX Item "syslog_badpri"
   
   .IX Item "editor"
   
   .IX Item "logfile"
   
 .IX Item "syslog"  .IX Item "syslog"
   

Legend:
Removed from v.1.4  
changed lines
  Added in v.1.5