Annotation of src/usr.bin/sudo/sudoers.5, Revision 1.1
1.1 ! millert 1: .rn '' }`
! 2: ''' $RCSfile: sudoers.man,v $$Revision: 1.15 $$Date: 1999/11/16 05:23:41 $
! 3: '''
! 4: ''' $Log: sudoers.man,v $
! 5: ''' Revision 1.15 1999/11/16 05:23:41 millert
! 6: ''' Add warning about using ALL in a command context.
! 7: '''
! 8: '''
! 9: .de Sh
! 10: .br
! 11: .if t .Sp
! 12: .ne 5
! 13: .PP
! 14: \fB\\$1\fR
! 15: .PP
! 16: ..
! 17: .de Sp
! 18: .if t .sp .5v
! 19: .if n .sp
! 20: ..
! 21: .de Ip
! 22: .br
! 23: .ie \\n(.$>=3 .ne \\$3
! 24: .el .ne 3
! 25: .IP "\\$1" \\$2
! 26: ..
! 27: .de Vb
! 28: .ft CW
! 29: .nf
! 30: .ne \\$1
! 31: ..
! 32: .de Ve
! 33: .ft R
! 34:
! 35: .fi
! 36: ..
! 37: '''
! 38: '''
! 39: ''' Set up \*(-- to give an unbreakable dash;
! 40: ''' string Tr holds user defined translation string.
! 41: ''' Bell System Logo is used as a dummy character.
! 42: '''
! 43: .tr \(*W-|\(bv\*(Tr
! 44: .ie n \{\
! 45: .ds -- \(*W-
! 46: .ds PI pi
! 47: .if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
! 48: .if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
! 49: .ds L" ""
! 50: .ds R" ""
! 51: ''' \*(M", \*(S", \*(N" and \*(T" are the equivalent of
! 52: ''' \*(L" and \*(R", except that they are used on ".xx" lines,
! 53: ''' such as .IP and .SH, which do another additional levels of
! 54: ''' double-quote interpretation
! 55: .ds M" """
! 56: .ds S" """
! 57: .ds N" """""
! 58: .ds T" """""
! 59: .ds L' '
! 60: .ds R' '
! 61: .ds M' '
! 62: .ds S' '
! 63: .ds N' '
! 64: .ds T' '
! 65: 'br\}
! 66: .el\{\
! 67: .ds -- \(em\|
! 68: .tr \*(Tr
! 69: .ds L" ``
! 70: .ds R" ''
! 71: .ds M" ``
! 72: .ds S" ''
! 73: .ds N" ``
! 74: .ds T" ''
! 75: .ds L' `
! 76: .ds R' '
! 77: .ds M' `
! 78: .ds S' '
! 79: .ds N' `
! 80: .ds T' '
! 81: .ds PI \(*p
! 82: 'br\}
! 83: .\" If the F register is turned on, we'll generate
! 84: .\" index entries out stderr for the following things:
! 85: .\" TH Title
! 86: .\" SH Header
! 87: .\" Sh Subsection
! 88: .\" Ip Item
! 89: .\" X<> Xref (embedded
! 90: .\" Of course, you have to process the output yourself
! 91: .\" in some meaninful fashion.
! 92: .if \nF \{
! 93: .de IX
! 94: .tm Index:\\$1\t\\n%\t"\\$2"
! 95: ..
! 96: .nr % 0
! 97: .rr F
! 98: .\}
! 99: .TH sudoers 5 "1.6" "15/Nov/1999" "FILE FORMATS"
! 100: .UC
! 101: .if n .hy 0
! 102: .if n .na
! 103: .ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
! 104: .de CQ \" put $1 in typewriter font
! 105: .ft CW
! 106: 'if n "\c
! 107: 'if t \\&\\$1\c
! 108: 'if n \\&\\$1\c
! 109: 'if n \&"
! 110: \\&\\$2 \\$3 \\$4 \\$5 \\$6 \\$7
! 111: '.ft R
! 112: ..
! 113: .\" @(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2
! 114: . \" AM - accent mark definitions
! 115: .bd B 3
! 116: . \" fudge factors for nroff and troff
! 117: .if n \{\
! 118: . ds #H 0
! 119: . ds #V .8m
! 120: . ds #F .3m
! 121: . ds #[ \f1
! 122: . ds #] \fP
! 123: .\}
! 124: .if t \{\
! 125: . ds #H ((1u-(\\\\n(.fu%2u))*.13m)
! 126: . ds #V .6m
! 127: . ds #F 0
! 128: . ds #[ \&
! 129: . ds #] \&
! 130: .\}
! 131: . \" simple accents for nroff and troff
! 132: .if n \{\
! 133: . ds ' \&
! 134: . ds ` \&
! 135: . ds ^ \&
! 136: . ds , \&
! 137: . ds ~ ~
! 138: . ds ? ?
! 139: . ds ! !
! 140: . ds /
! 141: . ds q
! 142: .\}
! 143: .if t \{\
! 144: . ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
! 145: . ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
! 146: . ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
! 147: . ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
! 148: . ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
! 149: . ds ? \s-2c\h'-\w'c'u*7/10'\u\h'\*(#H'\zi\d\s+2\h'\w'c'u*8/10'
! 150: . ds ! \s-2\(or\s+2\h'-\w'\(or'u'\v'-.8m'.\v'.8m'
! 151: . ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
! 152: . ds q o\h'-\w'o'u*8/10'\s-4\v'.4m'\z\(*i\v'-.4m'\s+4\h'\w'o'u*8/10'
! 153: .\}
! 154: . \" troff and (daisy-wheel) nroff accents
! 155: .ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
! 156: .ds 8 \h'\*(#H'\(*b\h'-\*(#H'
! 157: .ds v \\k:\h'-(\\n(.wu*9/10-\*(#H)'\v'-\*(#V'\*(#[\s-4v\s0\v'\*(#V'\h'|\\n:u'\*(#]
! 158: .ds _ \\k:\h'-(\\n(.wu*9/10-\*(#H+(\*(#F*2/3))'\v'-.4m'\z\(hy\v'.4m'\h'|\\n:u'
! 159: .ds . \\k:\h'-(\\n(.wu*8/10)'\v'\*(#V*4/10'\z.\v'-\*(#V*4/10'\h'|\\n:u'
! 160: .ds 3 \*(#[\v'.2m'\s-2\&3\s0\v'-.2m'\*(#]
! 161: .ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
! 162: .ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
! 163: .ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
! 164: .ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
! 165: .ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
! 166: .ds ae a\h'-(\w'a'u*4/10)'e
! 167: .ds Ae A\h'-(\w'A'u*4/10)'E
! 168: .ds oe o\h'-(\w'o'u*4/10)'e
! 169: .ds Oe O\h'-(\w'O'u*4/10)'E
! 170: . \" corrections for vroff
! 171: .if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
! 172: .if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
! 173: . \" for low resolution devices (crt and lpr)
! 174: .if \n(.H>23 .if \n(.V>19 \
! 175: \{\
! 176: . ds : e
! 177: . ds 8 ss
! 178: . ds v \h'-1'\o'\(aa\(ga'
! 179: . ds _ \h'-1'^
! 180: . ds . \h'-1'.
! 181: . ds 3 3
! 182: . ds o a
! 183: . ds d- d\h'-1'\(ga
! 184: . ds D- D\h'-1'\(hy
! 185: . ds th \o'bp'
! 186: . ds Th \o'LP'
! 187: . ds ae ae
! 188: . ds Ae AE
! 189: . ds oe oe
! 190: . ds Oe OE
! 191: .\}
! 192: .rm #[ #] #H #V #F C
! 193: .SH "NAME"
! 194: sudoers \- list of which users may execute what
! 195: .SH "DESCRIPTION"
! 196: The \fIsudoers\fR file is composed two types of entries:
! 197: aliases (basically variables) and user specifications
! 198: (which specify who may run what). The grammar of \fIsudoers\fR
! 199: will be described below in Extended Backus-Naur Form (EBNF).
! 200: Don't despair if you don't know what EBNF is, it is fairly
! 201: simple and the definitions below are annotated.
! 202: .Sh "Quick guide to \s-1EBNF\s0"
! 203: \s-1EBNF\s0 is a concise and exact way of describing the grammar of a language.
! 204: Each \s-1EBNF\s0 definition is made up of \fIproduction rules\fR. Eg.
! 205: .PP
! 206: .Vb 1
! 207: \& symbol ::= definition | alternate1 | alternate2 ...
! 208: .Ve
! 209: Each \fIproduction rule\fR references others and thus makes up a
! 210: grammar for the language. \s-1EBNF\s0 also contains the following
! 211: operators, which many readers will recognize from regular
! 212: expressions. Do not, however, confuse them with \*(L"wildcard\*(R"
! 213: characters, which have different meanings.
! 214: .Ip "\f(CW?\fR" 8
! 215: Means that the preceding symbol (or group of symbols) is optional.
! 216: That is, it may appear once or not at all.
! 217: .Ip "\f(CW*\fR" 8
! 218: Means that the preceding symbol (or group of symbols) may appear
! 219: zero or more times.
! 220: .Ip "\f(CW+\fR" 8
! 221: Means that the preceding symbol (or group of symbols) may appear
! 222: one or more times.
! 223: .PP
! 224: Parentheses may be used to group symbols together. For clarity,
! 225: we will use single quotes ('') to designate what is a verbatim character
! 226: string (as opposed to a symbol name).
! 227: .Sh "Aliases"
! 228: There are four kinds of aliases: the \f(CWUser_Alias\fR, \f(CWRunas_Alias\fR,
! 229: \f(CWHost_Alias\fR and \f(CWCmnd_Alias\fR.
! 230: .PP
! 231: .Vb 4
! 232: \& Alias ::= 'User_Alias' = User_Alias (':' User_Alias)* |
! 233: \& 'Runas_Alias' (':' Runas_Alias)* |
! 234: \& 'Host_Alias' (':' Host_Alias)* |
! 235: \& 'Cmnd_Alias' (':' Cmnd_Alias)*
! 236: .Ve
! 237: .Vb 1
! 238: \& User_Alias ::= NAME '=' User_List
! 239: .Ve
! 240: .Vb 1
! 241: \& Runas_Alias ::= NAME '=' Runas_User_List
! 242: .Ve
! 243: .Vb 1
! 244: \& Host_Alias ::= NAME '=' Host_List
! 245: .Ve
! 246: .Vb 1
! 247: \& Cmnd_Alias ::= NAME '=' Cmnd_List
! 248: .Ve
! 249: .Vb 1
! 250: \& NAME ::= [A-Z]([A-Z][0-9]_)*
! 251: .Ve
! 252: Each \fIalias\fR definition is of the form
! 253: .PP
! 254: .Vb 1
! 255: \& Alias_Type NAME = item1, item2, ...
! 256: .Ve
! 257: where \fIAlias_Type\fR is one of \f(CWUser_Alias\fR, \f(CWRunas_Alias\fR, \f(CWHost_Alias\fR,
! 258: or \f(CWCmnd_Alias\fR. A \f(CWNAME\fR is a string of upper case letters, numbers,
! 259: and the underscore characters ('_'). A \f(CWNAME\fR \fBmust\fR start with an
! 260: upper case letter. It is possible to put several alias definitions
! 261: of the same type on a single line, joined by a semicolon (':'). Eg.
! 262: .PP
! 263: .Vb 1
! 264: \& Alias_Type NAME = item1, item2, item3 : NAME = item4, item5
! 265: .Ve
! 266: The definitions of what constitutes a valid \fIalias\fR member follow.
! 267: .PP
! 268: .Vb 2
! 269: \& User_List ::= User |
! 270: \& User ',' User_List
! 271: .Ve
! 272: .Vb 5
! 273: \& User ::= '!'* username |
! 274: \& '!'* '#'uid |
! 275: \& '!'* '%'group |
! 276: \& '!'* '+'netgroup |
! 277: \& '!'* User_Alias
! 278: .Ve
! 279: A \f(CWUser_List\fR is made up of one or more usernames, uids
! 280: (prefixed with \*(L'#'), System groups (prefixed with \*(L'%'),
! 281: netgroups (prefixed with \*(L'+') and other aliases. Each list
! 282: item may be prefixed with one or more \*(L'!\*(R' operators. An odd number
! 283: of \*(L'!\*(R' operators negates the value of the item; an even number
! 284: just cancel each other out.
! 285: .PP
! 286: .Vb 2
! 287: \& Runas_List ::= Runas_User |
! 288: \& Runas_User ',' Runas_List
! 289: .Ve
! 290: .Vb 5
! 291: \& Runas_User ::= '!'* username |
! 292: \& '!'* '#'uid |
! 293: \& '!'* '%'group |
! 294: \& '!'* +netgroup |
! 295: \& '!'* Runas_Alias
! 296: .Ve
! 297: Likewise, a \f(CWRunas_List\fR has the same possible elements
! 298: as a \f(CWUser_List\fR, except that it can include a \f(CWRunas_Alias\fR,
! 299: instead of a \f(CWUser_Alias\fR.
! 300: .PP
! 301: .Vb 2
! 302: \& Host_List ::= Host |
! 303: \& Host ',' Host_List
! 304: .Ve
! 305: .Vb 5
! 306: \& Host ::= '!'* hostname |
! 307: \& '!'* ip_addr |
! 308: \& '!'* network(/netmask)? |
! 309: \& '!'* '+'netgroup |
! 310: \& '!'* Host_Alias
! 311: .Ve
! 312: A \f(CWHost_List\fR is made up of one or more hostnames, \s-1IP\s0 addresses,
! 313: network numbers, netgroups (prefixed with \*(L'+') and other aliases.
! 314: Again, the value of an item may be negated with the \*(L'!\*(R' operator.
! 315: If you do not specify a netmask with a network number, the netmask
! 316: of the host's ethernet \fIinterface\fR\|(s) will be used when matching.
! 317: The netmask may be specified either in dotted quad notation (eg.
! 318: 255.255.255.0) or \s-1CIDR\s0 notation (number of bits, eg. 24).
! 319: .PP
! 320: .Vb 2
! 321: \& Cmnd_List ::= Cmnd |
! 322: \& Cmnd ',' Cmnd_List
! 323: .Ve
! 324: .Vb 3
! 325: \& commandname ::= filename |
! 326: \& filename args |
! 327: \& filename '""'
! 328: .Ve
! 329: .Vb 3
! 330: \& Cmnd ::= '!'* commandname |
! 331: \& '!'* directory |
! 332: \& '!'* Cmnd_Alias
! 333: .Ve
! 334: A \f(CWCmnd_List\fR is a list of one or more commandnames, directories, and other
! 335: aliases. A commandname is a fully-qualified filename which may include
! 336: shell-style wildcards (see `Wildcards\*(R' section below). A simple
! 337: filename allows the user to run the command with any arguments he/she
! 338: wishes. However, you may also command line arguments (including wildcards).
! 339: Alternately, you can specify \f(CW""\fR to indicate that the command
! 340: may only be run \fBwithout\fR command line arguments. A directory is a
! 341: fully qualified pathname ending in a \*(L'/\*(R'. When you specify a directory
! 342: in a \f(CWCmnd_List\fR, the user will be able to run any file within that directory
! 343: (but not in any subdirectories therein).
! 344: .PP
! 345: If a \f(CWCmnd\fR has associated command line arguments, then the arguments
! 346: in the \f(CWCmnd\fR must match exactly those given by the user on the command line
! 347: (or match the wildcards if there are any). Note that the following
! 348: characters must be escaped with a \*(L'\e\*(R' if they are used in command
! 349: arguments: \*(L',\*(R', \*(L':\*(R', \*(L'=\*(R', \*(L'\e\*(R'.
! 350: .Sh "Defaults"
! 351: Certain configuration options may be changed from their default
! 352: values at runtime via one or more \f(CWDefault_Entry\fR lines. These
! 353: may affect all users on any host, all users on a specific host,
! 354: or just a specific user. When multiple entries match, they are
! 355: applied in order. Where there are conflicting values, the last
! 356: value on a matching line takes effect.
! 357: .PP
! 358: .Vb 3
! 359: \& Default_Type ::= 'Defaults' ||
! 360: \& 'Defaults' ':' User ||
! 361: \& 'Defaults' '@' Host
! 362: .Ve
! 363: .Vb 1
! 364: \& Default_Entry ::= Default_Type Parameter_List
! 365: .Ve
! 366: .Vb 2
! 367: \& Parameter ::= Parameter '=' Value ||
! 368: \& '!'* Parameter ||
! 369: .Ve
! 370: Parameters may be \fBflags\fR, \fBinteger\fR values, or \fBstrings\fR. Flags
! 371: are implicitly boolean and can be turned off via the \*(L'!\*(R' operator.
! 372: Some integer and string parameters may also be used in a boolean
! 373: context to disable them. Values may be enclosed in double quotes
! 374: (\f(CW"\fR) when they contain multiple words. Special characters may
! 375: be escaped with a backslash (\f(CW\e\fR).
! 376: .PP
! 377: \fBFlags\fR:
! 378: .Ip "long_otp_prompt" 12
! 379: Put \s-1OTP\s0 prompt on its own line
! 380: .Ip "ignore_dot" 12
! 381: Ignore \*(L'.\*(R' in \f(CW$PATH\fR
! 382: .Ip "mail_always" 12
! 383: Always send mail when sudo is run
! 384: .Ip "mail_no_user" 12
! 385: Send mail if the user is not in sudoers
! 386: .Ip "mail_no_host" 12
! 387: Send mail if the user is not in sudoers for this host
! 388: .Ip "mail_no_perms" 12
! 389: Send mail if the user is not allowed to run a command
! 390: .Ip "tty_tickets" 12
! 391: Use a separate timestamp for each user/tty combo
! 392: .Ip "lecture" 12
! 393: Lecture user the first time they run sudo
! 394: .Ip "authenticate" 12
! 395: Require users to authenticate by default
! 396: .Ip "root_sudo" 12
! 397: Root may run sudo
! 398: .Ip "log_host" 12
! 399: Log the hostname in the (non-syslog) log file
! 400: .Ip "log_year" 12
! 401: Log the year in the (non-syslog) log file
! 402: .Ip "shell_noargs" 12
! 403: If sudo is invoked with no arguments, start a shell
! 404: .Ip "set_home" 12
! 405: Set \f(CW$HOME\fR to the target user when starting a shell with \f(CW-s\fR
! 406: .Ip "path_info" 12
! 407: Allow some information gathering to give useful error messages
! 408: .Ip "fqdn" 12
! 409: Require fully-qualified hostnames in the sudoers file
! 410: .Ip "insults" 12
! 411: Insult the user when they enter an incorrect password
! 412: .Ip "requiretty" 12
! 413: Only allow the user to run sudo if they have a tty
! 414: .PP
! 415: \fBIntegers\fR:
! 416: .Ip "passwd_tries" 12
! 417: Number of tries to enter a password
! 418: .PP
! 419: \fBIntegers that can be used in a boolean context\fR:
! 420: .Ip "loglinelen" 12
! 421: Length at which to wrap log file lines (use 0 or negate for no wrap)
! 422: .Ip "timestamp_timeout" 12
! 423: Authentication timestamp timeout
! 424: .Ip "passwd_timeout" 12
! 425: Password prompt timeout
! 426: .Ip "umask" 12
! 427: Umask to use or 0777 to use user's
! 428: .PP
! 429: \fBStrings\fR:
! 430: .Ip "mailsub" 12
! 431: Subject line for mail messages
! 432: .Ip "badpass_message" 12
! 433: Incorrect password message
! 434: .Ip "timestampdir" 12
! 435: Path to authentication timestamp dir
! 436: .Ip "passprompt" 12
! 437: Default password prompt
! 438: .Ip "runas_default" 12
! 439: Default user to run commands as
! 440: .Ip "syslog_goodpri" 12
! 441: Syslog priority to use when user authenticates successfully
! 442: .Ip "syslog_badpri" 12
! 443: Syslog priority to use when user authenticates unsuccessfully
! 444: .PP
! 445: \fBStrings that can be used in a boolean context\fR:
! 446: .Ip "syslog" 12
! 447: Syslog facility if syslog is being used for logging (negate to disable syslog)
! 448: .Ip "mailerpath" 12
! 449: Path to mail program
! 450: .Ip "mailerflags" 12
! 451: Flags for mail program
! 452: .Ip "mailto" 12
! 453: Address to send mail to
! 454: .Ip "exempt_group" 12
! 455: Users in this group are exempt from password and \s-1PATH\s0 requirements
! 456: .Ip "secure_path" 12
! 457: Value to override user's \f(CW$PATH\fR with
! 458: .PP
! 459: When logging via \fIsyslog\fR\|(3), sudo accepts the following values for the syslog
! 460: facility (the value of the \fBsyslog\fR Parameter): \fBauthpriv\fR (if your \s-1OS\s0
! 461: supports it), \fBauth\fR, \fBdaemon\fR, \fBuser\fR, \fBlocal0\fR, \fBlocal1\fR, \fBlocal2\fR,
! 462: \fBlocal3\fR, \fBlocal4\fR, \fBlocal5\fR, \fBlocal6\fR, and \fBlocal7\fR. The following
! 463: syslog priorities are supported: \fBalert\fR, \fBcrit\fR, \fBdebug\fR, \fBemerg\fR,
! 464: \fBerr\fR, \fBinfo\fR, \fBnotice\fR, and \fBwarning\fR.
! 465: .Sh "User Specification"
! 466: .PP
! 467: .Vb 1
! 468: \& Runas_Spec ::= '(' Runas_List ')'
! 469: .Ve
! 470: .Vb 1
! 471: \& Cmnd_Spec ::= Runas_Spec? ('NOPASSWD:' | 'PASSWD:')? Cmnd
! 472: .Ve
! 473: .Vb 2
! 474: \& Cmnd_Spec_List ::= Cmnd_Spec |
! 475: \& Cmnd_Spec ',' Cmnd_Spec_List
! 476: .Ve
! 477: .Vb 1
! 478: \& User_Spec ::= User_list Cmnd_Spec_List (':' User_Spec)*
! 479: .Ve
! 480: A \fBuser specification\fR determines which commands a user may run
! 481: (and as what user) on specified hosts. By default, commands are
! 482: run as \fBroot\fR but this can be changed on a per-command basis.
! 483: .PP
! 484: Let's break that down into its constituent parts:
! 485: .Sh "Runas_Spec"
! 486: A \f(CWRunas_Spec\fR is simply a \f(CWRunas_List\fR (as defined above)
! 487: enclosed in a set of parentheses. If you do not specify a
! 488: \f(CWRunas_Spec\fR in the user specification, a default \f(CWRunas_Spec\fR
! 489: of \fBroot\fR will be used. A \f(CWRunas_Spec\fR sets the default for
! 490: commands that follow it. What this means is that for the entry:
! 491: .PP
! 492: .Vb 1
! 493: \& dgb boulder = (operator) /bin/ls, /bin/kill, /usr/bin/who
! 494: .Ve
! 495: The user \fBdgb\fR may run \fI/bin/ls\fR, \fI/bin/kill\fR, and
! 496: \fI/usr/bin/lprm\fR -- but only as \fBoperator\fR. Eg.
! 497: .PP
! 498: .Vb 1
! 499: \& sudo -u operator /bin/ls.
! 500: .Ve
! 501: It is also possible to override a \f(CWRunas_Spec\fR later on in an
! 502: entry. If we modify the entry like so:
! 503: .PP
! 504: .Vb 1
! 505: \& dgb boulder = (operator) /bin/ls, (root) /bin/kill, /usr/bin/lprm
! 506: .Ve
! 507: Then user \fBdgb\fR is now allowed to run \fI/bin/ls\fR as \fBoperator\fR,
! 508: but \fI/bin/kill\fR and \fI/usr/bin/lprm\fR as \fBroot\fR.
! 509: .Sh "\s-1NOPASSWD\s0 and \s-1PASSWD\s0"
! 510: By default, \fBsudo\fR requires that a user authenticate him or herself
! 511: before running a command. This behavior can be modified via the
! 512: \f(CWNOPASSWD\fR tag. Like a \f(CWRunas_Spec\fR, the \f(CWNOPASSWD\fR tag sets
! 513: a default for the commands that follow it in the \f(CWCmnd_Spec_List\fR.
! 514: Conversely, the \f(CWPASSWD\fR tag can be used to reverse things.
! 515: For example:
! 516: .PP
! 517: .Vb 1
! 518: \& ray rushmore = NOPASSWD: /bin/kill, /bin/ls, /usr/bin/lprm
! 519: .Ve
! 520: would allow the user \fBray\fR to run \fI/bin/kill\fR, \fI/bin/ls\fR, and
! 521: \fI/usr/bin/lprm\fR as root on the machine rushmore as \fBroot\fR without
! 522: authenticating himself. If we only want \fBray\fR to be able to
! 523: run \fI/bin/kill\fR without a password the entry would be:
! 524: .PP
! 525: .Vb 1
! 526: \& ray rushmore = NOPASSWD: /bin/kill, PASSWD: /bin/ls, /usr/bin/lprm
! 527: .Ve
! 528: .Sh "Wildcards (aka meta characters):"
! 529: \fBsudo\fR allows shell-style \fIwildcards\fR to be used in pathnames
! 530: as well as command line arguments in the \fIsudoers\fR file. Wildcard
! 531: matching is done via the \fB\s-1POSIX\s0\fR \f(CWfnmatch(3)\fR routine. Note that
! 532: these are \fInot\fR regular expressions.
! 533: .Ip "\f(CW*\fR" 8
! 534: Matches any set of zero or more characters.
! 535: .Ip "\f(CW?\fR" 8
! 536: Matches any single character.
! 537: .Ip "\f(CW[...]\fR" 8
! 538: Matches any character in the specified range.
! 539: .Ip "\f(CW[!...]\fR" 8
! 540: Matches any character \fBnot\fR in the specified range.
! 541: .Ip "\f(CW\ex\fR" 8
! 542: For any character \*(L"x\*(R", evaluates to \*(L"x\*(R". This is used to
! 543: escape special characters such as: \*(L"*\*(R", \*(L"?\*(R", \*(L"[\*(R", and \*(L"}\*(R".
! 544: .PP
! 545: Note that a forward slash ('/') will \fBnot\fR be matched by
! 546: wildcards used in the pathname. When matching the command
! 547: line arguments, however, as slash \fBdoes\fR get matched by
! 548: wildcards. This is to make a path like:
! 549: .PP
! 550: .Vb 1
! 551: \& /usr/bin/*
! 552: .Ve
! 553: match \f(CW/usr/bin/who\fR but not \f(CW/usr/bin/X11/xterm\fR.
! 554: .Sh "Exceptions to wildcard rules:"
! 555: The following exceptions apply to the above rules:
! 556: .Ip \f(CW""\fR 8
! 557: If the empty string \f(CW""\fR is the only command line argument in the
! 558: \fIsudoers\fR entry it means that command is not allowed to be run
! 559: with \fBany\fR arguments.
! 560: .Sh "Other special characters and reserved words:"
! 561: The pound sign ('#') is used to indicate a comment (unless it
! 562: occurs in the context of a user name and is followed by one or
! 563: more digits, in which case it is treated as a uid). Both the
! 564: comment character and any text after it, up to the end of the line,
! 565: are ignored.
! 566: .PP
! 567: The reserved word \fB\s-1ALL\s0\fR is a a built in \fIalias\fR that always causes
! 568: a match to succeed. It can be used wherever one might otherwise
! 569: use a \f(CWCmnd_Alias\fR, \f(CWUser_Alias\fR, \f(CWRunas_Alias\fR, or \f(CWHost_Alias\fR.
! 570: You should not try to define your own \fIalias\fR called \fB\s-1ALL\s0\fR as the
! 571: built in alias will be used in preference to your own. Please note
! 572: that using \fB\s-1ALL\s0\fR can be dangerous since in a command context, it
! 573: allows the user to run \fBany\fR command on the system.
! 574: .PP
! 575: An exclamation point (\*(R'!') can be used as a logical \fInot\fR operator
! 576: both in an \fIalias\fR and in front of a \f(CWCmnd\fR. This allows one to
! 577: exclude certain values. Note, however, that using a \f(CW!\fR in
! 578: conjunction with the built in \f(CWALL\fR alias to allow a user to
! 579: run \*(L"all but a few\*(R" commands rarely works as intended (see \s-1SECURITY\s0
! 580: \s-1NOTES\s0 below).
! 581: .PP
! 582: Long lines can be continued with a backslash (\*(R'\e') as the last
! 583: character on the line.
! 584: .PP
! 585: Whitespace between elements in a list as well as specicial syntactic
! 586: characters in a \fIUser Specification\fR ('=\*(R', \*(L':\*(R', \*(L'(\*(R', \*(L')') is optional.
! 587: .PP
! 588: The following characters must be escaped with a backslash (\*(R'\e') when
! 589: used as part of a word (eg. a username or hostname):
! 590: \&'@\*(R', \*(L'!\*(R', \*(L'=\*(R', \*(L':\*(R', \*(L',\*(R', \*(L'(\*(R', \*(L')\*(R', \*(L'\e\*(R'.
! 591: .SH "EXAMPLES"
! 592: Below are example \fIsudoers\fR entries. Admittedly, some of
! 593: these are a bit contrived. First, we define our \fIaliases\fR:
! 594: .PP
! 595: .Vb 4
! 596: \& # User alias specification
! 597: \& User_Alias FULLTIMERS = millert, mikef, dowdy
! 598: \& User_Alias PARTTIMERS = bostley, jwfox, crawl
! 599: \& User_Alias WEBMASTERS = will, wendy, wim
! 600: .Ve
! 601: .Vb 3
! 602: \& # Runas alias specification
! 603: \& Runas_Alias OP = root, operator
! 604: \& Runas_Alias DB = oracle, sybase
! 605: .Ve
! 606: .Vb 9
! 607: \& # Host alias specification
! 608: \& Host_Alias SPARC = bigtime, eclipse, moet, anchor :\e
! 609: \& SGI = grolsch, dandelion, black :\e
! 610: \& ALPHA = widget, thalamus, foobar :\e
! 611: \& HPPA = boa, nag, python
! 612: \& Host_Alias CUNETS = 128.138.0.0/255.255.0.0
! 613: \& Host_Alias CSNETS = 128.138.243.0, 128.138.204.0/24, 128.138.242.0
! 614: \& Host_Alias SERVERS = master, mail, www, ns
! 615: \& Host_Alias CDROM = orion, perseus, hercules
! 616: .Ve
! 617: .Vb 12
! 618: \& # Cmnd alias specification
! 619: \& Cmnd_Alias DUMPS = /usr/bin/mt, /usr/sbin/dump, /usr/sbin/rdump,\e
! 620: \& /usr/sbin/restore, /usr/sbin/rrestore
! 621: \& Cmnd_Alias KILL = /usr/bin/kill
! 622: \& Cmnd_Alias PRINTING = /usr/sbin/lpc, /usr/bin/lprm
! 623: \& Cmnd_Alias SHUTDOWN = /usr/sbin/shutdown
! 624: \& Cmnd_Alias HALT = /usr/sbin/halt, /usr/sbin/fasthalt
! 625: \& Cmnd_Alias REBOOT = /usr/sbin/reboot, /usr/sbin/fastboot
! 626: \& Cmnd_Alias SHELLS = /usr/bin/sh, /usr/bin/csh, /usr/bin/ksh, \e
! 627: \& /usr/local/bin/tcsh, /usr/bin/rsh, \e
! 628: \& /usr/local/bin/zsh
! 629: \& Cmnd_Alias SU = /usr/bin/su
! 630: .Ve
! 631: Here we override some of the compiled in default values. We want
! 632: sudo to log via \fIsyslog\fR\|(3) using the \fIauth\fR facility in all cases.
! 633: We don't want to subject the full time staff to the \fBsudo\fR lecture,
! 634: and user \fBmillert\fR need not give a password. In addition, on the
! 635: machines in the \fISERVERS\fR \f(CWHost_Alias\fR, we keep an additional
! 636: local log file and make sure we log the year in each log line since
! 637: the log entries will be kept around for several years.
! 638: .PP
! 639: .Vb 5
! 640: \& # Override builtin defaults
! 641: \& Defaults syslog=auth
! 642: \& Defaults:FULLTIMERS !lecture
! 643: \& Defaults:millert !authenticate
! 644: \& Defaults@SERVERS log_year, logfile=/var/log/sudo.log
! 645: .Ve
! 646: The \fIUser specification\fR is the part that actually determines who may
! 647: run what.
! 648: .PP
! 649: .Vb 2
! 650: \& root ALL = (ALL) ALL
! 651: \& %wheel ALL = (ALL) ALL
! 652: .Ve
! 653: We let \fBroot\fR and any user in group \fBwheel\fR run any command on any
! 654: host as any user.
! 655: .PP
! 656: .Vb 1
! 657: \& FULLTIMERS ALL = NOPASSWD: ALL
! 658: .Ve
! 659: Full time sysadmins (\fBmillert\fR, \fBmikef\fR, and \fBdowdy\fR) may run any
! 660: command on any host without authenticating themselves.
! 661: .PP
! 662: .Vb 1
! 663: \& PARTTIMERS ALL = ALL
! 664: .Ve
! 665: Part time sysadmins (\fBbostley\fR, \fBjwfox\fR, and \fBcrawl\fR) may run any
! 666: command on any host but they must authenticate themselves first
! 667: (since the entry lacks the \f(CWNOPASSWD\fR tag).
! 668: .PP
! 669: .Vb 1
! 670: \& jack CSNETS = ALL
! 671: .Ve
! 672: The user \fBjack\fR may run any command on the machines in the \fICSNETS\fR alias
! 673: (the networks \f(CW128.138.243.0\fR, \f(CW128.138.204.0\fR, and \f(CW128.138.242.0\fR).
! 674: Of those networks, only <128.138.204.0> has an explicit netmask (in
! 675: CIDR notation) indicating it is a class C network. For the other
! 676: networks in \fICSNETS\fR, the local machine's netmask will be used
! 677: during matching.
! 678: .PP
! 679: .Vb 1
! 680: \& lisa CUNETS = ALL
! 681: .Ve
! 682: The user \fBlisa\fR may run any command on any host in the \fICUNETS\fR alias
! 683: (the class B network \f(CW128.138.0.0\fR).
! 684: .PP
! 685: .Vb 2
! 686: \& operator ALL = DUMPS, KILL, PRINTING, SHUTDOWN, HALT, REBOOT,\e
! 687: \& /usr/oper/bin/
! 688: .Ve
! 689: The \fBoperator\fR user may run commands limited to simple maintenance.
! 690: Here, those are commands related to backups, killing processes, the
! 691: printing system, shutting down the system, and any commands in the
! 692: directory \fI/usr/oper/bin/\fR.
! 693: .PP
! 694: .Vb 1
! 695: \& joe ALL = /usr/bin/su operator
! 696: .Ve
! 697: The user \fBjoe\fR may only \fIsu\fR\|(1) to operator.
! 698: .PP
! 699: .Vb 1
! 700: \& pete HPPA = /usr/bin/passwd [A-z]*, !/usr/bin/passwd root
! 701: .Ve
! 702: The user \fBpete\fR is allowed to change anyone's password except for
! 703: root on the \fIHPPA\fR machines. Note that this assumes \fIpasswd\fR\|(1)
! 704: does not take multiple usernames on the command line.
! 705: .PP
! 706: .Vb 1
! 707: \& bob SPARC = (OP) ALL : SGI = (OP) ALL
! 708: .Ve
! 709: The user \fBbob\fR may run anything on the \fISPARC\fR and \fISGI\fR machines
! 710: as any user listed in the \fIOP\fR \f(CWRunas_Alias\fR (\fBroot\fR and \fBoperator\fR).
! 711: .PP
! 712: .Vb 1
! 713: \& jim +biglab = ALL
! 714: .Ve
! 715: The user \fBjim\fR may run any command on machines in the \fIbiglab\fR netgroup.
! 716: \fBSudo\fR knows that \*(L"biglab\*(R" is a netgroup due to the \*(L'+\*(R' prefix.
! 717: .PP
! 718: .Vb 1
! 719: \& +secretaries ALL = PRINTING, /usr/bin/adduser, /usr/bin/rmuser
! 720: .Ve
! 721: Users in the \fBsecretaries\fR netgroup need to help manage the printers
! 722: as well as add and remove users, so they are allowed to run those
! 723: commands on all machines.
! 724: .PP
! 725: .Vb 1
! 726: \& fred ALL = (DB) NOPASSWD: ALL
! 727: .Ve
! 728: The user \fBfred\fR can run commands as any user in the \fIDB\fR \f(CWRunas_Alias\fR
! 729: (\fBoracle\fR or \fBsybase\fR) without giving a password.
! 730: .PP
! 731: .Vb 1
! 732: \& john ALPHA = /usr/bin/su [!-]*, !/usr/bin/su *root*
! 733: .Ve
! 734: On the \fIALPHA\fR machines, user \fBjohn\fR may su to anyone except root
! 735: but he is not allowed to give \fIsu\fR\|(1) any flags.
! 736: .PP
! 737: .Vb 1
! 738: \& jen ALL, !SERVERS = ALL
! 739: .Ve
! 740: The user \fBjen\fR may run any command on any machine except for those
! 741: in the \fISERVERS\fR \f(CWHost_Alias\fR (master, mail, www and ns).
! 742: .PP
! 743: .Vb 1
! 744: \& jill SERVERS = /usr/bin/, !SU, !SHELLS
! 745: .Ve
! 746: For any machine in the \fISERVERS\fR \f(CWHost_Alias\fR, \fBjill\fR may run
! 747: any commands in the directory /usr/bin/ except for those commands
! 748: belonging to the \fISU\fR and \fISHELLS\fR \f(CWCmnd_Aliases\fR.
! 749: .PP
! 750: .Vb 1
! 751: \& steve CSNETS = (operator) /usr/local/op_commands/
! 752: .Ve
! 753: The user \fBsteve\fR may run any command in the directory /usr/local/op_commands/
! 754: but only as user operator.
! 755: .PP
! 756: .Vb 1
! 757: \& matt valkyrie = KILL
! 758: .Ve
! 759: On his personal workstation, valkyrie, \fBmatt\fR needs to be able to
! 760: kill hung processes.
! 761: .PP
! 762: .Vb 1
! 763: \& WEBMASTERS www = (www) ALL, (root) /usr/bin/su www
! 764: .Ve
! 765: On the host www, any user in the \fIWEBMASTERS\fR \f(CWUser_Alias\fR (will,
! 766: wendy, and wim), may run any command as user www (which owns the
! 767: web pages) or simply \fIsu\fR\|(1) to www.
! 768: .PP
! 769: .Vb 2
! 770: \& ALL CDROM = NOPASSWD: /sbin/umount /CDROM,\e
! 771: \& /sbin/mount -o nosuid\e,nodev /dev/cd0a /CDROM
! 772: .Ve
! 773: Any user may mount or unmount a CD\-ROM on the machines in the CDROM
! 774: \f(CWHost_Alias\fR (orion, perseus, hercules) without entering a password.
! 775: This is a bit tedious for users to type, so it is a prime candiate
! 776: for encapsulating in a shell script.
! 777: .SH "SECURITY NOTES"
! 778: It is generally not effective to \*(L"subtract\*(R" commands from \f(CWALL\fR
! 779: using the \*(L'!\*(R' operator. A user can trivially circumvent this
! 780: by copying the desired command to a different name and then
! 781: executing that. For example:
! 782: .PP
! 783: .Vb 1
! 784: \& bill ALL = ALL, !SU, !SHELLS
! 785: .Ve
! 786: Doesn't really prevent \fBbill\fR from running the commands listed in
! 787: \fISU\fR or \fISHELLS\fR since he can simply copy those commands to a
! 788: different name, or use a shell escape from an editor or other
! 789: program. Therefore, these kind of restrictions should be considered
! 790: advisory at best (and reinforced by policy).
! 791: .SH "CAVEATS"
! 792: The \fIsudoers\fR file should \fBalways\fR be edited by the \fBvisudo\fR
! 793: command which locks the file and does grammatical checking. It is
! 794: imperative that \fIsudoers\fR be free of syntax errors since \fBsudo\fR
! 795: will not run with a syntactically incorrect \fIsudoers\fR file.
! 796: .SH "FILES"
! 797: .PP
! 798: .Vb 3
! 799: \& /etc/sudoers List of who can run what
! 800: \& /etc/group Local groups file
! 801: \& /etc/netgroup List of network groups
! 802: .Ve
! 803: .SH "SEE ALSO"
! 804: \fIsudo\fR\|(8), \fIvisudo\fR\|(8), \fIsu\fR\|(1), \fIfnmatch\fR\|(3).
! 805:
! 806: .rn }` ''
! 807: .IX Title "sudoers 5"
! 808: .IX Name "sudoers - list of which users may execute what"
! 809:
! 810: .IX Header "NAME"
! 811:
! 812: .IX Header "DESCRIPTION"
! 813:
! 814: .IX Subsection "Quick guide to \s-1EBNF\s0"
! 815:
! 816: .IX Item "\f(CW?\fR"
! 817:
! 818: .IX Item "\f(CW*\fR"
! 819:
! 820: .IX Item "\f(CW+\fR"
! 821:
! 822: .IX Subsection "Aliases"
! 823:
! 824: .IX Subsection "Defaults"
! 825:
! 826: .IX Item "long_otp_prompt"
! 827:
! 828: .IX Item "ignore_dot"
! 829:
! 830: .IX Item "mail_always"
! 831:
! 832: .IX Item "mail_no_user"
! 833:
! 834: .IX Item "mail_no_host"
! 835:
! 836: .IX Item "mail_no_perms"
! 837:
! 838: .IX Item "tty_tickets"
! 839:
! 840: .IX Item "lecture"
! 841:
! 842: .IX Item "authenticate"
! 843:
! 844: .IX Item "root_sudo"
! 845:
! 846: .IX Item "log_host"
! 847:
! 848: .IX Item "log_year"
! 849:
! 850: .IX Item "shell_noargs"
! 851:
! 852: .IX Item "set_home"
! 853:
! 854: .IX Item "path_info"
! 855:
! 856: .IX Item "fqdn"
! 857:
! 858: .IX Item "insults"
! 859:
! 860: .IX Item "requiretty"
! 861:
! 862: .IX Item "passwd_tries"
! 863:
! 864: .IX Item "loglinelen"
! 865:
! 866: .IX Item "timestamp_timeout"
! 867:
! 868: .IX Item "passwd_timeout"
! 869:
! 870: .IX Item "umask"
! 871:
! 872: .IX Item "mailsub"
! 873:
! 874: .IX Item "badpass_message"
! 875:
! 876: .IX Item "timestampdir"
! 877:
! 878: .IX Item "passprompt"
! 879:
! 880: .IX Item "runas_default"
! 881:
! 882: .IX Item "syslog_goodpri"
! 883:
! 884: .IX Item "syslog_badpri"
! 885:
! 886: .IX Item "syslog"
! 887:
! 888: .IX Item "mailerpath"
! 889:
! 890: .IX Item "mailerflags"
! 891:
! 892: .IX Item "mailto"
! 893:
! 894: .IX Item "exempt_group"
! 895:
! 896: .IX Item "secure_path"
! 897:
! 898: .IX Subsection "User Specification"
! 899:
! 900: .IX Subsection "Runas_Spec"
! 901:
! 902: .IX Subsection "\s-1NOPASSWD\s0 and \s-1PASSWD\s0"
! 903:
! 904: .IX Subsection "Wildcards (aka meta characters):"
! 905:
! 906: .IX Item "\f(CW*\fR"
! 907:
! 908: .IX Item "\f(CW?\fR"
! 909:
! 910: .IX Item "\f(CW[...]\fR"
! 911:
! 912: .IX Item "\f(CW[!...]\fR"
! 913:
! 914: .IX Item "\f(CW\ex\fR"
! 915:
! 916: .IX Subsection "Exceptions to wildcard rules:"
! 917:
! 918: .IX Item "\f(CW""\fR"
! 919:
! 920: .IX Subsection "Other special characters and reserved words:"
! 921:
! 922: .IX Header "EXAMPLES"
! 923:
! 924: .IX Header "SECURITY NOTES"
! 925:
! 926: .IX Header "CAVEATS"
! 927:
! 928: .IX Header "FILES"
! 929:
! 930: .IX Header "SEE ALSO"
! 931: