Annotation of src/usr.bin/sudo/sudoers.5, Revision 1.16
1.15 millert 1: .\" Copyright (c) 1994-1996,1998-2003 Todd C. Miller <Todd.Miller@courtesan.com>
1.14 millert 2: .\" All rights reserved.
3: .\"
4: .\" Redistribution and use in source and binary forms, with or without
5: .\" modification, are permitted provided that the following conditions
6: .\" are met:
7: .\"
8: .\" 1. Redistributions of source code must retain the above copyright
9: .\" notice, this list of conditions and the following disclaimer.
10: .\"
11: .\" 2. Redistributions in binary form must reproduce the above copyright
12: .\" notice, this list of conditions and the following disclaimer in the
13: .\" documentation and/or other materials provided with the distribution.
14: .\"
15: .\" 3. The name of the author may not be used to endorse or promote products
16: .\" derived from this software without specific prior written permission
17: .\" from the author.
18: .\"
19: .\" 4. Products derived from this software may not be called "Sudo" nor
20: .\" may "Sudo" appear in their names without specific prior written
21: .\" permission from the author.
22: .\"
23: .\" THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
24: .\" INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
25: .\" AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL
26: .\" THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
27: .\" EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
28: .\" PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS;
29: .\" OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
30: .\" WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR
31: .\" OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF
32: .\" ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
1.15 millert 33: .\"
34: .\" $Sudo: sudoers.man.in,v 1.24 2003/03/15 20:33:31 millert Exp $
35: .\" Automatically generated by Pod::Man v1.34, Pod::Parser v1.13
1.9 millert 36: .\"
37: .\" Standard preamble:
1.15 millert 38: .\" ========================================================================
1.9 millert 39: .de Sh \" Subsection heading
1.1 millert 40: .br
41: .if t .Sp
42: .ne 5
43: .PP
44: \fB\\$1\fR
45: .PP
46: ..
1.9 millert 47: .de Sp \" Vertical space (when we can't use .PP)
1.1 millert 48: .if t .sp .5v
49: .if n .sp
50: ..
1.9 millert 51: .de Vb \" Begin verbatim text
1.1 millert 52: .ft CW
53: .nf
54: .ne \\$1
55: ..
1.9 millert 56: .de Ve \" End verbatim text
1.1 millert 57: .ft R
58: .fi
59: ..
1.9 millert 60: .\" Set up some character translations and predefined strings. \*(-- will
61: .\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
62: .\" double quote, and \*(R" will give a right double quote. | will give a
1.15 millert 63: .\" real vertical bar. \*(C+ will give a nicer C++. Capital omega is used to
64: .\" do unbreakable dashes and therefore won't be available. \*(C` and \*(C'
65: .\" expand to `' in nroff, nothing in troff, for use with C<>.
1.1 millert 66: .tr \(*W-|\(bv\*(Tr
1.9 millert 67: .ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
1.1 millert 68: .ie n \{\
1.9 millert 69: . ds -- \(*W-
70: . ds PI pi
71: . if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
72: . if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
73: . ds L" ""
74: . ds R" ""
75: . ds C`
76: . ds C'
1.1 millert 77: 'br\}
78: .el\{\
1.9 millert 79: . ds -- \|\(em\|
80: . ds PI \(*p
81: . ds L" ``
82: . ds R" ''
1.1 millert 83: 'br\}
1.9 millert 84: .\"
1.15 millert 85: .\" If the F register is turned on, we'll generate index entries on stderr for
86: .\" titles (.TH), headers (.SH), subsections (.Sh), items (.Ip), and index
87: .\" entries marked with X<> in POD. Of course, you'll have to process the
88: .\" output yourself in some meaningful fashion.
1.9 millert 89: .if \nF \{\
90: . de IX
91: . tm Index:\\$1\t\\n%\t"\\$2"
1.1 millert 92: ..
1.9 millert 93: . nr % 0
94: . rr F
1.1 millert 95: .\}
1.9 millert 96: .\"
1.15 millert 97: .\" For nroff, turn off justification. Always turn off hyphenation; it makes
98: .\" way too many mistakes in technical documents.
1.9 millert 99: .hy 0
1.1 millert 100: .if n .na
1.9 millert 101: .\"
102: .\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
103: .\" Fear. Run. Save yourself. No user-serviceable parts.
104: . \" fudge factors for nroff and troff
1.1 millert 105: .if n \{\
1.9 millert 106: . ds #H 0
107: . ds #V .8m
108: . ds #F .3m
109: . ds #[ \f1
110: . ds #] \fP
1.1 millert 111: .\}
112: .if t \{\
1.9 millert 113: . ds #H ((1u-(\\\\n(.fu%2u))*.13m)
114: . ds #V .6m
115: . ds #F 0
116: . ds #[ \&
117: . ds #] \&
1.1 millert 118: .\}
1.9 millert 119: . \" simple accents for nroff and troff
1.1 millert 120: .if n \{\
1.9 millert 121: . ds ' \&
122: . ds ` \&
123: . ds ^ \&
124: . ds , \&
125: . ds ~ ~
126: . ds /
1.1 millert 127: .\}
128: .if t \{\
1.9 millert 129: . ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
130: . ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
131: . ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
132: . ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
133: . ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
134: . ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
1.1 millert 135: .\}
1.9 millert 136: . \" troff and (daisy-wheel) nroff accents
1.1 millert 137: .ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
138: .ds 8 \h'\*(#H'\(*b\h'-\*(#H'
139: .ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
140: .ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
141: .ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
142: .ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
143: .ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
144: .ds ae a\h'-(\w'a'u*4/10)'e
145: .ds Ae A\h'-(\w'A'u*4/10)'E
1.9 millert 146: . \" corrections for vroff
1.1 millert 147: .if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
148: .if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
1.9 millert 149: . \" for low resolution devices (crt and lpr)
1.1 millert 150: .if \n(.H>23 .if \n(.V>19 \
151: \{\
1.9 millert 152: . ds : e
153: . ds 8 ss
154: . ds o a
155: . ds d- d\h'-1'\(ga
156: . ds D- D\h'-1'\(hy
157: . ds th \o'bp'
158: . ds Th \o'LP'
159: . ds ae ae
160: . ds Ae AE
1.1 millert 161: .\}
162: .rm #[ #] #H #V #F C
1.15 millert 163: .\" ========================================================================
1.9 millert 164: .\"
1.15 millert 165: .IX Title "SUDOERS 5"
166: .TH SUDOERS 5 "March 13, 2003" "1.6.7" "MAINTENANCE COMMANDS"
1.1 millert 167: .SH "NAME"
168: sudoers \- list of which users may execute what
169: .SH "DESCRIPTION"
1.9 millert 170: .IX Header "DESCRIPTION"
1.7 pjanzen 171: The \fIsudoers\fR file is composed of two types of entries:
1.1 millert 172: aliases (basically variables) and user specifications
173: (which specify who may run what). The grammar of \fIsudoers\fR
1.9 millert 174: will be described below in Extended Backus-Naur Form (\s-1EBNF\s0).
175: Don't despair if you don't know what \s-1EBNF\s0 is; it is fairly
1.7 pjanzen 176: simple, and the definitions below are annotated.
1.1 millert 177: .Sh "Quick guide to \s-1EBNF\s0"
1.9 millert 178: .IX Subsection "Quick guide to EBNF"
179: \&\s-1EBNF\s0 is a concise and exact way of describing the grammar of a language.
1.7 pjanzen 180: Each \s-1EBNF\s0 definition is made up of \fIproduction rules\fR. E.g.,
1.1 millert 181: .PP
182: .Vb 1
183: \& symbol ::= definition | alternate1 | alternate2 ...
184: .Ve
1.15 millert 185: .PP
1.1 millert 186: Each \fIproduction rule\fR references others and thus makes up a
187: grammar for the language. \s-1EBNF\s0 also contains the following
188: operators, which many readers will recognize from regular
189: expressions. Do not, however, confuse them with \*(L"wildcard\*(R"
190: characters, which have different meanings.
1.15 millert 191: .ie n .IP "\*(C`?\*(C'" 8
192: .el .IP "\f(CW\*(C`?\*(C'\fR" 8
1.9 millert 193: .IX Item "?"
1.1 millert 194: Means that the preceding symbol (or group of symbols) is optional.
195: That is, it may appear once or not at all.
1.15 millert 196: .ie n .IP "\*(C`*\*(C'" 8
197: .el .IP "\f(CW\*(C`*\*(C'\fR" 8
1.9 millert 198: .IX Item "*"
1.1 millert 199: Means that the preceding symbol (or group of symbols) may appear
200: zero or more times.
1.15 millert 201: .ie n .IP "\*(C`+\*(C'" 8
202: .el .IP "\f(CW\*(C`+\*(C'\fR" 8
1.9 millert 203: .IX Item "+"
1.1 millert 204: Means that the preceding symbol (or group of symbols) may appear
205: one or more times.
206: .PP
207: Parentheses may be used to group symbols together. For clarity,
208: we will use single quotes ('') to designate what is a verbatim character
209: string (as opposed to a symbol name).
210: .Sh "Aliases"
1.9 millert 211: .IX Subsection "Aliases"
212: There are four kinds of aliases: \f(CW\*(C`User_Alias\*(C'\fR, \f(CW\*(C`Runas_Alias\*(C'\fR,
213: \&\f(CW\*(C`Host_Alias\*(C'\fR and \f(CW\*(C`Cmnd_Alias\*(C'\fR.
1.1 millert 214: .PP
215: .Vb 4
1.9 millert 216: \& Alias ::= 'User_Alias' User_Alias (':' User_Alias)* |
217: \& 'Runas_Alias' Runas_Alias (':' Runas_Alias)* |
218: \& 'Host_Alias' Host_Alias (':' Host_Alias)* |
219: \& 'Cmnd_Alias' Cmnd_Alias (':' Cmnd_Alias)*
1.1 millert 220: .Ve
1.15 millert 221: .PP
1.1 millert 222: .Vb 1
223: \& User_Alias ::= NAME '=' User_List
224: .Ve
1.15 millert 225: .PP
1.1 millert 226: .Vb 1
1.9 millert 227: \& Runas_Alias ::= NAME '=' Runas_List
1.1 millert 228: .Ve
1.15 millert 229: .PP
1.1 millert 230: .Vb 1
231: \& Host_Alias ::= NAME '=' Host_List
232: .Ve
1.15 millert 233: .PP
1.1 millert 234: .Vb 1
235: \& Cmnd_Alias ::= NAME '=' Cmnd_List
236: .Ve
1.15 millert 237: .PP
1.1 millert 238: .Vb 1
239: \& NAME ::= [A-Z]([A-Z][0-9]_)*
240: .Ve
1.15 millert 241: .PP
1.1 millert 242: Each \fIalias\fR definition is of the form
243: .PP
244: .Vb 1
245: \& Alias_Type NAME = item1, item2, ...
246: .Ve
1.15 millert 247: .PP
1.9 millert 248: where \fIAlias_Type\fR is one of \f(CW\*(C`User_Alias\*(C'\fR, \f(CW\*(C`Runas_Alias\*(C'\fR, \f(CW\*(C`Host_Alias\*(C'\fR,
249: or \f(CW\*(C`Cmnd_Alias\*(C'\fR. A \f(CW\*(C`NAME\*(C'\fR is a string of uppercase letters, numbers,
1.13 jmc 250: and underscore characters ('_'). A \f(CW\*(C`NAME\*(C'\fR \fBmust\fR start with an
1.7 pjanzen 251: uppercase letter. It is possible to put several alias definitions
1.8 jufi 252: of the same type on a single line, joined by a colon (':'). E.g.,
1.1 millert 253: .PP
254: .Vb 1
255: \& Alias_Type NAME = item1, item2, item3 : NAME = item4, item5
256: .Ve
1.15 millert 257: .PP
1.1 millert 258: The definitions of what constitutes a valid \fIalias\fR member follow.
259: .PP
260: .Vb 2
261: \& User_List ::= User |
262: \& User ',' User_List
263: .Ve
1.15 millert 264: .PP
1.9 millert 265: .Vb 4
1.1 millert 266: \& User ::= '!'* username |
267: \& '!'* '%'group |
268: \& '!'* '+'netgroup |
269: \& '!'* User_Alias
270: .Ve
1.15 millert 271: .PP
1.9 millert 272: A \f(CW\*(C`User_List\*(C'\fR is made up of one or more usernames, uids
273: (prefixed with '#'), System groups (prefixed with '%'),
274: netgroups (prefixed with '+') and other aliases. Each list
275: item may be prefixed with one or more '!' operators. An odd number
276: of '!' operators negate the value of the item; an even number
1.1 millert 277: just cancel each other out.
278: .PP
279: .Vb 2
280: \& Runas_List ::= Runas_User |
281: \& Runas_User ',' Runas_List
282: .Ve
1.15 millert 283: .PP
1.1 millert 284: .Vb 5
285: \& Runas_User ::= '!'* username |
286: \& '!'* '#'uid |
287: \& '!'* '%'group |
288: \& '!'* +netgroup |
289: \& '!'* Runas_Alias
290: .Ve
1.15 millert 291: .PP
1.9 millert 292: A \f(CW\*(C`Runas_List\*(C'\fR is similar to a \f(CW\*(C`User_List\*(C'\fR except that it can
293: also contain uids (prefixed with '#') and instead of \f(CW\*(C`User_Alias\*(C'\fRes
294: it can contain \f(CW\*(C`Runas_Alias\*(C'\fRes.
1.1 millert 295: .PP
296: .Vb 2
297: \& Host_List ::= Host |
298: \& Host ',' Host_List
299: .Ve
1.15 millert 300: .PP
1.1 millert 301: .Vb 5
302: \& Host ::= '!'* hostname |
303: \& '!'* ip_addr |
304: \& '!'* network(/netmask)? |
305: \& '!'* '+'netgroup |
306: \& '!'* Host_Alias
307: .Ve
1.15 millert 308: .PP
1.9 millert 309: A \f(CW\*(C`Host_List\*(C'\fR is made up of one or more hostnames, \s-1IP\s0 addresses,
310: network numbers, netgroups (prefixed with '+') and other aliases.
311: Again, the value of an item may be negated with the '!' operator.
1.1 millert 312: If you do not specify a netmask with a network number, the netmask
1.15 millert 313: of the host's ethernet interface(s) will be used when matching.
1.6 krw 314: The netmask may be specified either in dotted quad notation (e.g.
315: 255.255.255.0) or \s-1CIDR\s0 notation (number of bits, e.g. 24). A hostname
1.9 millert 316: may include shell-style wildcards (see `Wildcards' section below),
317: but unless the \f(CW\*(C`hostname\*(C'\fR command on your machine returns the fully
1.5 millert 318: qualified hostname, you'll need to use the \fIfqdn\fR option for wildcards
319: to be useful.
1.1 millert 320: .PP
321: .Vb 2
322: \& Cmnd_List ::= Cmnd |
323: \& Cmnd ',' Cmnd_List
324: .Ve
1.15 millert 325: .PP
1.1 millert 326: .Vb 3
327: \& commandname ::= filename |
328: \& filename args |
329: \& filename '""'
330: .Ve
1.15 millert 331: .PP
1.1 millert 332: .Vb 3
333: \& Cmnd ::= '!'* commandname |
334: \& '!'* directory |
335: \& '!'* Cmnd_Alias
336: .Ve
1.15 millert 337: .PP
1.9 millert 338: A \f(CW\*(C`Cmnd_List\*(C'\fR is a list of one or more commandnames, directories, and other
1.5 millert 339: aliases. A commandname is a fully qualified filename which may include
1.9 millert 340: shell-style wildcards (see `Wildcards' section below). A simple
1.1 millert 341: filename allows the user to run the command with any arguments he/she
1.9 millert 342: wishes. However, you may also specify command line arguments (including
1.15 millert 343: wildcards). Alternately, you can specify \f(CW""\fR to indicate that the command
1.1 millert 344: may only be run \fBwithout\fR command line arguments. A directory is a
1.9 millert 345: fully qualified pathname ending in a '/'. When you specify a directory
346: in a \f(CW\*(C`Cmnd_List\*(C'\fR, the user will be able to run any file within that directory
1.1 millert 347: (but not in any subdirectories therein).
348: .PP
1.9 millert 349: If a \f(CW\*(C`Cmnd\*(C'\fR has associated command line arguments, then the arguments
350: in the \f(CW\*(C`Cmnd\*(C'\fR must match exactly those given by the user on the command line
1.1 millert 351: (or match the wildcards if there are any). Note that the following
1.9 millert 352: characters must be escaped with a '\e' if they are used in command
353: arguments: ',', ':', '=', '\e'.
1.1 millert 354: .Sh "Defaults"
1.9 millert 355: .IX Subsection "Defaults"
1.1 millert 356: Certain configuration options may be changed from their default
1.9 millert 357: values at runtime via one or more \f(CW\*(C`Default_Entry\*(C'\fR lines. These
1.15 millert 358: may affect all users on any host, all users on a specific host, a
359: specific user, or commands being run as a specific user. When
360: multiple entries match, they are applied in order. Where there are
361: conflicting values, the last value on a matching line takes effect.
1.1 millert 362: .PP
1.15 millert 363: .Vb 4
1.1 millert 364: \& Default_Type ::= 'Defaults' ||
1.15 millert 365: \& 'Defaults' '@' Host ||
1.1 millert 366: \& 'Defaults' ':' User ||
1.15 millert 367: \& 'Defaults' '>' RunasUser
1.1 millert 368: .Ve
1.15 millert 369: .PP
1.1 millert 370: .Vb 1
371: \& Default_Entry ::= Default_Type Parameter_List
372: .Ve
1.15 millert 373: .PP
1.9 millert 374: .Vb 4
1.1 millert 375: \& Parameter ::= Parameter '=' Value ||
1.9 millert 376: \& Parameter '+=' Value ||
377: \& Parameter '-=' Value ||
1.1 millert 378: \& '!'* Parameter ||
379: .Ve
1.15 millert 380: .PP
1.9 millert 381: Parameters may be \fBflags\fR, \fBinteger\fR values, \fBstrings\fR, or \fBlists\fR.
382: Flags are implicitly boolean and can be turned off via the '!'
383: operator. Some integer, string and list parameters may also be
384: used in a boolean context to disable them. Values may be enclosed
385: in double quotes (\f(CW\*(C`"\*(C'\fR) when they contain multiple words. Special
386: characters may be escaped with a backslash (\f(CW\*(C`\e\*(C'\fR).
387: .PP
388: Lists have two additional assignment operators, \f(CW\*(C`+=\*(C'\fR and \f(CW\*(C`\-=\*(C'\fR.
389: These operators are used to add to and delete from a list respectively.
390: It is not an error to use the \f(CW\*(C`\-=\*(C'\fR operator to remove an element
391: that does not exist in a list.
392: .PP
393: Note that since the \fIsudoers\fR file is parsed in order the best place
394: to put the Defaults section is after the Host, User, and Cmnd aliases
395: but before the user specifications.
1.1 millert 396: .PP
1.9 millert 397: \&\fBFlags\fR:
1.15 millert 398: .IP "long_otp_prompt" 12
1.9 millert 399: .IX Item "long_otp_prompt"
1.4 millert 400: When validating with a One Time Password scheme (\fBS/Key\fR or \fB\s-1OPIE\s0\fR),
401: a two-line prompt is used to make it easier to cut and paste the
402: challenge to a local window. It's not as pretty as the default but
1.9 millert 403: some people find it more convenient. This flag is \fIoff\fR
404: by default.
1.15 millert 405: .IP "ignore_dot" 12
1.9 millert 406: .IX Item "ignore_dot"
407: If set, \fBsudo\fR will ignore '.' or '' (current dir) in the \f(CW\*(C`PATH\*(C'\fR
408: environment variable; the \f(CW\*(C`PATH\*(C'\fR itself is not modified. This
1.15 millert 409: flag is \fIon\fR by default.
410: .IP "mail_always" 12
1.9 millert 411: .IX Item "mail_always"
1.5 millert 412: Send mail to the \fImailto\fR user every time a users runs \fBsudo\fR.
1.9 millert 413: This flag is \fIoff\fR by default.
1.15 millert 414: .IP "mail_badpass" 12
1.9 millert 415: .IX Item "mail_badpass"
416: Send mail to the \fImailto\fR user if the user running sudo does not
417: enter the correct password. This flag is \fIoff\fR by default.
1.15 millert 418: .IP "mail_no_user" 12
1.9 millert 419: .IX Item "mail_no_user"
1.4 millert 420: If set, mail will be sent to the \fImailto\fR user if the invoking
1.9 millert 421: user is not in the \fIsudoers\fR file. This flag is \fIon\fR
422: by default.
1.15 millert 423: .IP "mail_no_host" 12
1.9 millert 424: .IX Item "mail_no_host"
1.4 millert 425: If set, mail will be sent to the \fImailto\fR user if the invoking
426: user exists in the \fIsudoers\fR file, but is not allowed to run
1.9 millert 427: commands on the current host. This flag is \fIoff\fR by default.
1.15 millert 428: .IP "mail_no_perms" 12
1.9 millert 429: .IX Item "mail_no_perms"
1.4 millert 430: If set, mail will be sent to the \fImailto\fR user if the invoking
1.13 jmc 431: user is allowed to use \fBsudo\fR but the command they are trying is not
1.9 millert 432: listed in their \fIsudoers\fR file entry. This flag is \fIoff\fR
433: by default.
1.15 millert 434: .IP "tty_tickets" 12
1.9 millert 435: .IX Item "tty_tickets"
1.4 millert 436: If set, users must authenticate on a per-tty basis. Normally,
1.9 millert 437: \&\fBsudo\fR uses a directory in the ticket dir with the same name as
1.4 millert 438: the user running it. With this flag enabled, \fBsudo\fR will use a
439: file named for the tty the user is logged in on in that directory.
1.9 millert 440: This flag is \fIoff\fR by default.
1.15 millert 441: .IP "lecture" 12
1.9 millert 442: .IX Item "lecture"
1.4 millert 443: If set, a user will receive a short lecture the first time he/she
1.9 millert 444: runs \fBsudo\fR. This flag is \fIon\fR by default.
1.15 millert 445: .IP "authenticate" 12
1.9 millert 446: .IX Item "authenticate"
1.4 millert 447: If set, users must authenticate themselves via a password (or other
448: means of authentication) before they may run commands. This default
1.9 millert 449: may be overridden via the \f(CW\*(C`PASSWD\*(C'\fR and \f(CW\*(C`NOPASSWD\*(C'\fR tags.
450: This flag is \fIon\fR by default.
1.15 millert 451: .IP "root_sudo" 12
1.9 millert 452: .IX Item "root_sudo"
1.5 millert 453: If set, root is allowed to run \fBsudo\fR too. Disabling this prevents users
454: from \*(L"chaining\*(R" \fBsudo\fR commands to get a root shell by doing something
1.15 millert 455: like \f(CW"sudo sudo /bin/sh"\fR.
1.9 millert 456: This flag is \fIon\fR by default.
1.15 millert 457: .IP "log_host" 12
1.9 millert 458: .IX Item "log_host"
1.15 millert 459: If set, the hostname will be logged in the (non\-syslog) \fBsudo\fR log file.
1.9 millert 460: This flag is \fIoff\fR by default.
1.15 millert 461: .IP "log_year" 12
1.9 millert 462: .IX Item "log_year"
1.15 millert 463: If set, the four-digit year will be logged in the (non\-syslog) \fBsudo\fR log file.
1.9 millert 464: This flag is \fIoff\fR by default.
1.15 millert 465: .IP "shell_noargs" 12
1.9 millert 466: .IX Item "shell_noargs"
1.4 millert 467: If set and \fBsudo\fR is invoked with no arguments it acts as if the
1.9 millert 468: \&\fB\-s\fR flag had been given. That is, it runs a shell as root (the
469: shell is determined by the \f(CW\*(C`SHELL\*(C'\fR environment variable if it is
1.4 millert 470: set, falling back on the shell listed in the invoking user's
1.9 millert 471: /etc/passwd entry if not). This flag is \fIoff\fR by default.
1.15 millert 472: .IP "set_home" 12
1.9 millert 473: .IX Item "set_home"
474: If set and \fBsudo\fR is invoked with the \fB\-s\fR flag the \f(CW\*(C`HOME\*(C'\fR
1.4 millert 475: environment variable will be set to the home directory of the target
1.9 millert 476: user (which is root unless the \fB\-u\fR option is used). This effectively
477: makes the \fB\-s\fR flag imply \fB\-H\fR. This flag is \fIoff\fR by default.
1.15 millert 478: .IP "always_set_home" 12
1.9 millert 479: .IX Item "always_set_home"
480: If set, \fBsudo\fR will set the \f(CW\*(C`HOME\*(C'\fR environment variable to the home
481: directory of the target user (which is root unless the \fB\-u\fR option is used).
482: This effectively means that the \fB\-H\fR flag is always implied.
483: This flag is \fIoff\fR by default.
1.15 millert 484: .IP "path_info" 12
1.9 millert 485: .IX Item "path_info"
1.4 millert 486: Normally, \fBsudo\fR will tell the user when a command could not be
1.9 millert 487: found in their \f(CW\*(C`PATH\*(C'\fR environment variable. Some sites may wish
488: to disable this as it could be used to gather information on the
489: location of executables that the normal user does not have access
490: to. The disadvantage is that if the executable is simply not in
491: the user's \f(CW\*(C`PATH\*(C'\fR, \fBsudo\fR will tell the user that they are not
492: allowed to run it, which can be confusing. This flag is \fIoff\fR by
493: default.
1.15 millert 494: .IP "preserve_groups" 12
1.9 millert 495: .IX Item "preserve_groups"
496: By default \fBsudo\fR will initialize the group vector to the list of
497: groups the target user is in. When \fIpreserve_groups\fR is set, the
498: user's existing group vector is left unaltered. The real and
499: effective group IDs, however, are still set to match the target
500: user. This flag is \fIoff\fR by default.
1.15 millert 501: .IP "fqdn" 12
1.9 millert 502: .IX Item "fqdn"
1.4 millert 503: Set this flag if you want to put fully qualified hostnames in the
1.13 jmc 504: \&\fIsudoers\fR file. I.e., instead of myhost you would use myhost.mydomain.edu.
1.4 millert 505: You may still use the short form if you wish (and even mix the two).
1.5 millert 506: Beware that turning on \fIfqdn\fR requires \fBsudo\fR to make \s-1DNS\s0 lookups
1.4 millert 507: which may make \fBsudo\fR unusable if \s-1DNS\s0 stops working (for example
508: if the machine is not plugged into the network). Also note that
509: you must use the host's official name as \s-1DNS\s0 knows it. That is,
1.9 millert 510: you may not use a host alias (\f(CW\*(C`CNAME\*(C'\fR entry) due to performance
1.4 millert 511: issues and the fact that there is no way to get all aliases from
1.9 millert 512: \&\s-1DNS\s0. If your machine's hostname (as returned by the \f(CW\*(C`hostname\*(C'\fR
1.4 millert 513: command) is already fully qualified you shouldn't need to set
1.9 millert 514: \&\fIfqdn\fR. This flag is \fIoff\fR by default.
1.15 millert 515: .IP "insults" 12
1.9 millert 516: .IX Item "insults"
1.5 millert 517: If set, \fBsudo\fR will insult users when they enter an incorrect
1.9 millert 518: password. This flag is \fIon\fR by default.
1.15 millert 519: .IP "requiretty" 12
1.9 millert 520: .IX Item "requiretty"
1.5 millert 521: If set, \fBsudo\fR will only run when the user is logged in to a real
1.15 millert 522: tty. This will disallow things like \f(CW"rsh somehost sudo ls"\fR since
1.9 millert 523: \&\fIrsh\fR\|(1) does not allocate a tty. Because it is not possible to turn
1.15 millert 524: off echo when there is no tty present, some sites may with to set
1.4 millert 525: this flag to prevent a user from entering a visible password. This
1.9 millert 526: flag is \fIoff\fR by default.
1.15 millert 527: .IP "env_editor" 12
1.9 millert 528: .IX Item "env_editor"
529: If set, \fBvisudo\fR will use the value of the \s-1EDITOR\s0 or \s-1VISUAL\s0
530: environment variables before falling back on the default editor list.
531: Note that this may create a security hole as it allows the user to
532: run any arbitrary command as root without logging. A safer alternative
533: is to place a colon-separated list of editors in the \f(CW\*(C`editor\*(C'\fR
534: variable. \fBvisudo\fR will then only use the \s-1EDITOR\s0 or \s-1VISUAL\s0 if
535: they match a value specified in \f(CW\*(C`editor\*(C'\fR. This flag is \f(CW\*(C`on\*(C'\fR by
536: default.
1.15 millert 537: .IP "rootpw" 12
1.9 millert 538: .IX Item "rootpw"
1.5 millert 539: If set, \fBsudo\fR will prompt for the root password instead of the password
1.9 millert 540: of the invoking user. This flag is \fIoff\fR by default.
1.15 millert 541: .IP "runaspw" 12
1.9 millert 542: .IX Item "runaspw"
1.5 millert 543: If set, \fBsudo\fR will prompt for the password of the user defined by the
1.9 millert 544: \&\fIrunas_default\fR option (defaults to \f(CW\*(C`root\*(C'\fR) instead of the password
545: of the invoking user. This flag is \fIoff\fR by default.
1.15 millert 546: .IP "targetpw" 12
1.9 millert 547: .IX Item "targetpw"
1.5 millert 548: If set, \fBsudo\fR will prompt for the password of the user specified by
1.9 millert 549: the \fB\-u\fR flag (defaults to \f(CW\*(C`root\*(C'\fR) instead of the password of the
550: invoking user. This flag is \fIoff\fR by default.
1.15 millert 551: .IP "set_logname" 12
1.9 millert 552: .IX Item "set_logname"
553: Normally, \fBsudo\fR will set the \f(CW\*(C`LOGNAME\*(C'\fR and \f(CW\*(C`USER\*(C'\fR environment variables
554: to the name of the target user (usually root unless the \fB\-u\fR flag is given).
1.5 millert 555: However, since some programs (including the \s-1RCS\s0 revision control system)
1.9 millert 556: use \f(CW\*(C`LOGNAME\*(C'\fR to determine the real identity of the user, it may be desirable
1.5 millert 557: to change this behavior. This can be done by negating the set_logname option.
1.15 millert 558: .IP "stay_setuid" 12
1.9 millert 559: .IX Item "stay_setuid"
560: Normally, when \fBsudo\fR executes a command the real and effective
561: UIDs are set to the target user (root by default). This option
562: changes that behavior such that the real \s-1UID\s0 is left as the invoking
563: user's \s-1UID\s0. In other words, this makes \fBsudo\fR act as a setuid
564: wrapper. This can be useful on systems that disable some potentially
1.10 millert 565: dangerous functionality when a program is run setuid. Note, however,
566: that this means that sudo will run with the real uid of the invoking
567: user which may allow that user to kill \fBsudo\fR before it can log a
568: failure, depending on how your \s-1OS\s0 defines the interaction between
569: signals and setuid processes.
1.15 millert 570: .IP "env_reset" 12
1.9 millert 571: .IX Item "env_reset"
572: If set, \fBsudo\fR will reset the environment to only contain the
573: following variables: \f(CW\*(C`HOME\*(C'\fR, \f(CW\*(C`LOGNAME\*(C'\fR, \f(CW\*(C`PATH\*(C'\fR, \f(CW\*(C`SHELL\*(C'\fR, \f(CW\*(C`TERM\*(C'\fR,
574: and \f(CW\*(C`USER\*(C'\fR (in addition to the \f(CW\*(C`SUDO_*\*(C'\fR variables).
575: Of these, only \f(CW\*(C`TERM\*(C'\fR is copied unaltered from the old environment.
576: The other variables are set to default values (possibly modified
577: by the value of the \fIset_logname\fR option). If \fBsudo\fR was compiled
578: with the \f(CW\*(C`SECURE_PATH\*(C'\fR option, its value will be used for the \f(CW\*(C`PATH\*(C'\fR
579: environment variable.
580: Other variables may be preserved with the \fIenv_keep\fR option.
1.15 millert 581: .IP "use_loginclass" 12
1.9 millert 582: .IX Item "use_loginclass"
583: If set, \fBsudo\fR will apply the defaults specified for the target user's
584: login class if one exists. Only available if \fBsudo\fR is configured with
1.15 millert 585: the \-\-with\-logincap option. This flag is \fIoff\fR by default.
1.1 millert 586: .PP
1.9 millert 587: \&\fBIntegers\fR:
1.15 millert 588: .IP "passwd_tries" 12
1.9 millert 589: .IX Item "passwd_tries"
1.4 millert 590: The number of tries a user gets to enter his/her password before
1.9 millert 591: \&\fBsudo\fR logs the failure and exits. The default is \f(CW\*(C`3\*(C'\fR.
1.1 millert 592: .PP
1.9 millert 593: \&\fBIntegers that can be used in a boolean context\fR:
1.15 millert 594: .IP "loglinelen" 12
1.9 millert 595: .IX Item "loglinelen"
1.4 millert 596: Number of characters per line for the file log. This value is used
597: to decide when to wrap lines for nicer log files. This has no
598: effect on the syslog log file, only the file log. The default is
1.9 millert 599: \&\f(CW\*(C`80\*(C'\fR (use 0 or negate the option to disable word wrap).
1.15 millert 600: .IP "timestamp_timeout" 12
1.9 millert 601: .IX Item "timestamp_timeout"
602: Number of minutes that can elapse before \fBsudo\fR will ask for a
1.15 millert 603: passwd again. The default is \f(CW\*(C`5\*(C'\fR. Set this to \f(CW0\fR to always
1.9 millert 604: prompt for a password.
1.15 millert 605: If set to a value less than \f(CW0\fR the user's timestamp will never
1.9 millert 606: expire. This can be used to allow users to create or delete their
607: own timestamps via \f(CW\*(C`sudo \-v\*(C'\fR and \f(CW\*(C`sudo \-k\*(C'\fR respectively.
1.15 millert 608: .IP "passwd_timeout" 12
1.9 millert 609: .IX Item "passwd_timeout"
1.5 millert 610: Number of minutes before the \fBsudo\fR password prompt times out.
1.15 millert 611: The default is \f(CW\*(C`5\*(C'\fR, set this to \f(CW0\fR for no password timeout.
612: .IP "umask" 12
1.9 millert 613: .IX Item "umask"
614: Umask to use when running the command. Negate this option or set
615: it to 0777 to preserve the user's umask. The default is \f(CW\*(C`0022\*(C'\fR.
1.1 millert 616: .PP
1.9 millert 617: \&\fBStrings\fR:
1.15 millert 618: .IP "mailsub" 12
1.9 millert 619: .IX Item "mailsub"
1.15 millert 620: Subject of the mail sent to the \fImailto\fR user. The escape \f(CW%h\fR
1.4 millert 621: will expand to the hostname of the machine.
1.9 millert 622: Default is \f(CW\*(C`*** SECURITY information for %h ***\*(C'\fR.
1.15 millert 623: .IP "badpass_message" 12
1.9 millert 624: .IX Item "badpass_message"
1.4 millert 625: Message that is displayed if a user enters an incorrect password.
1.9 millert 626: The default is \f(CW\*(C`Sorry, try again.\*(C'\fR unless insults are enabled.
1.15 millert 627: .IP "timestampdir" 12
1.9 millert 628: .IX Item "timestampdir"
1.4 millert 629: The directory in which \fBsudo\fR stores its timestamp files.
1.9 millert 630: The default is \fI/var/run/sudo\fR.
1.15 millert 631: .IP "timestampowner" 12
632: .IX Item "timestampowner"
633: The owner of the timestamp directory and the timestamps stored therein.
634: The default is \f(CW\*(C`root\*(C'\fR.
635: .IP "passprompt" 12
1.9 millert 636: .IX Item "passprompt"
1.4 millert 637: The default prompt to use when asking for a password; can be overridden
1.15 millert 638: via the \fB\-p\fR option or the \f(CW\*(C`SUDO_PROMPT\*(C'\fR environment variable.
639: The following percent (`\f(CW\*(C`%\*(C'\fR') escapes are supported:
640: .RS 12
641: .ie n .IP "%u" 8
642: .el .IP "\f(CW%u\fR" 8
643: .IX Item "%u"
644: expanded to the invoking user's login name
645: .ie n .IP "%U" 8
646: .el .IP "\f(CW%U\fR" 8
647: .IX Item "%U"
648: expanded to the login name of the user the command will
649: be run as (defaults to root)
650: .ie n .IP "%h" 8
651: .el .IP "\f(CW%h\fR" 8
652: .IX Item "%h"
653: expanded to the local hostname without the domain name
654: .ie n .IP "%H" 8
655: .el .IP "\f(CW%H\fR" 8
656: .IX Item "%H"
657: expanded to the local hostname including the domain name
658: (on if the machine's hostname is fully qualified or the \fIfqdn\fR
659: option is set)
660: .ie n .IP "\*(C`%%\*(C'" 8
661: .el .IP "\f(CW\*(C`%%\*(C'\fR" 8
662: .IX Item "%%"
663: two consecutive \f(CW\*(C`%\*(C'\fR characters are collaped into a single \f(CW\*(C`%\*(C'\fR character
664: .RE
665: .RS 12
666: .Sp
667: The default value is \f(CW\*(C`Password:\*(C'\fR.
668: .RE
669: .IP "runas_default" 12
1.9 millert 670: .IX Item "runas_default"
671: The default user to run commands as if the \fB\-u\fR flag is not specified
672: on the command line. This defaults to \f(CW\*(C`root\*(C'\fR.
1.15 millert 673: .IP "syslog_goodpri" 12
1.9 millert 674: .IX Item "syslog_goodpri"
1.4 millert 675: Syslog priority to use when user authenticates successfully.
1.9 millert 676: Defaults to \f(CW\*(C`notice\*(C'\fR.
1.15 millert 677: .IP "syslog_badpri" 12
1.9 millert 678: .IX Item "syslog_badpri"
1.4 millert 679: Syslog priority to use when user authenticates unsuccessfully.
1.9 millert 680: Defaults to \f(CW\*(C`alert\*(C'\fR.
1.15 millert 681: .IP "editor" 12
1.9 millert 682: .IX Item "editor"
683: A colon (':') separated list of editors allowed to be used with
684: \&\fBvisudo\fR. \fBvisudo\fR will choose the editor that matches the user's
685: \&\s-1USER\s0 environment variable if possible, or the first editor in the
686: list that exists and is executable. The default is the path to vi
687: on your system.
1.1 millert 688: .PP
1.9 millert 689: \&\fBStrings that can be used in a boolean context\fR:
1.15 millert 690: .IP "logfile" 12
1.9 millert 691: .IX Item "logfile"
1.5 millert 692: Path to the \fBsudo\fR log file (not the syslog log file). Setting a path
1.7 pjanzen 693: turns on logging to a file; negating this option turns it off.
1.15 millert 694: .IP "syslog" 12
1.9 millert 695: .IX Item "syslog"
1.4 millert 696: Syslog facility if syslog is being used for logging (negate to
1.15 millert 697: disable syslog logging). Defaults to \f(CW\*(C`local2\*(C'\fR.
698: .IP "mailerpath" 12
1.9 millert 699: .IX Item "mailerpath"
1.4 millert 700: Path to mail program used to send warning mail.
701: Defaults to the path to sendmail found at configure time.
1.15 millert 702: .IP "mailerflags" 12
1.9 millert 703: .IX Item "mailerflags"
704: Flags to use when invoking mailer. Defaults to \fB\-t\fR.
1.15 millert 705: .IP "mailto" 12
1.9 millert 706: .IX Item "mailto"
707: Address to send warning and error mail to. The address should
708: be enclosed in double quotes (\f(CW\*(C`"\*(C'\fR) to protect against sudo
709: interpreting the \f(CW\*(C`@\*(C'\fR sign. Defaults to \f(CW\*(C`root\*(C'\fR.
1.15 millert 710: .IP "exempt_group" 12
1.9 millert 711: .IX Item "exempt_group"
1.4 millert 712: Users in this group are exempt from password and \s-1PATH\s0 requirements.
713: This is not set by default.
1.15 millert 714: .IP "verifypw" 12
1.9 millert 715: .IX Item "verifypw"
716: This option controls when a password will be required when a user runs
717: \&\fBsudo\fR with the \fB\-v\fR flag. It has the following possible values:
718: .RS 12
1.15 millert 719: .IP "all" 8
1.9 millert 720: .IX Item "all"
721: All the user's \fIsudoers\fR entries for the current host must have
722: the \f(CW\*(C`NOPASSWD\*(C'\fR flag set to avoid entering a password.
1.15 millert 723: .IP "any" 8
1.9 millert 724: .IX Item "any"
725: At least one of the user's \fIsudoers\fR entries for the current host
726: must have the \f(CW\*(C`NOPASSWD\*(C'\fR flag set to avoid entering a password.
1.15 millert 727: .IP "never" 8
1.9 millert 728: .IX Item "never"
729: The user need never enter a password to use the \fB\-v\fR flag.
1.15 millert 730: .IP "always" 8
1.9 millert 731: .IX Item "always"
732: The user must always enter a password to use the \fB\-v\fR flag.
733: .RE
734: .RS 12
1.3 millert 735: .Sp
1.9 millert 736: The default value is `all'.
737: .RE
1.15 millert 738: .IP "listpw" 12
1.9 millert 739: .IX Item "listpw"
1.3 millert 740: This option controls when a password will be required when a
1.15 millert 741: user runs \fBsudo\fR with the \fB\-l\fR flag. It has the following possible values:
1.9 millert 742: .RS 12
1.15 millert 743: .IP "all" 8
1.9 millert 744: .IX Item "all"
745: All the user's \fIsudoers\fR entries for the current host must have
746: the \f(CW\*(C`NOPASSWD\*(C'\fR flag set to avoid entering a password.
1.15 millert 747: .IP "any" 8
1.9 millert 748: .IX Item "any"
749: At least one of the user's \fIsudoers\fR entries for the current host
750: must have the \f(CW\*(C`NOPASSWD\*(C'\fR flag set to avoid entering a password.
1.15 millert 751: .IP "never" 8
1.9 millert 752: .IX Item "never"
753: The user need never enter a password to use the \fB\-l\fR flag.
1.15 millert 754: .IP "always" 8
1.9 millert 755: .IX Item "always"
756: The user must always enter a password to use the \fB\-l\fR flag.
757: .RE
758: .RS 12
1.3 millert 759: .Sp
1.9 millert 760: The default value is `any'.
761: .RE
762: .PP
763: \&\fBLists that can be used in a boolean context\fR:
1.15 millert 764: .IP "env_check" 12
1.9 millert 765: .IX Item "env_check"
766: Environment variables to be removed from the user's environment if
767: the variable's value contains \f(CW\*(C`%\*(C'\fR or \f(CW\*(C`/\*(C'\fR characters. This can
1.13 jmc 768: be used to guard against printf-style format vulnerabilities in
1.15 millert 769: poorly-written programs. The argument may be a double\-quoted,
770: space-separated list or a single value without double\-quotes. The
1.9 millert 771: list can be replaced, added to, deleted from, or disabled by using
772: the \f(CW\*(C`=\*(C'\fR, \f(CW\*(C`+=\*(C'\fR, \f(CW\*(C`\-=\*(C'\fR, and \f(CW\*(C`!\*(C'\fR operators respectively. The default
1.13 jmc 773: list of environment variables to check is printed when \fBsudo\fR is
1.9 millert 774: run by root with the \fI\-V\fR option.
1.15 millert 775: .IP "env_delete" 12
1.9 millert 776: .IX Item "env_delete"
777: Environment variables to be removed from the user's environment.
1.15 millert 778: The argument may be a double\-quoted, space-separated list or a
779: single value without double\-quotes. The list can be replaced, added
1.9 millert 780: to, deleted from, or disabled by using the \f(CW\*(C`=\*(C'\fR, \f(CW\*(C`+=\*(C'\fR, \f(CW\*(C`\-=\*(C'\fR, and
781: \&\f(CW\*(C`!\*(C'\fR operators respectively. The default list of environment
1.13 jmc 782: variables to remove is printed when \fBsudo\fR is run by root with the
1.15 millert 783: \&\fI\-V\fR option. Note that many operating systems will remove potentially
784: dangerous variables from the environment of any setuid process (such
785: as \fBsudo\fR).
786: .IP "env_keep" 12
1.9 millert 787: .IX Item "env_keep"
788: Environment variables to be preserved in the user's environment
789: when the \fIenv_reset\fR option is in effect. This allows fine-grained
790: control over the environment \fBsudo\fR\-spawned processes will receive.
1.15 millert 791: The argument may be a double\-quoted, space-separated list or a
792: single value without double\-quotes. The list can be replaced, added
1.9 millert 793: to, deleted from, or disabled by using the \f(CW\*(C`=\*(C'\fR, \f(CW\*(C`+=\*(C'\fR, \f(CW\*(C`\-=\*(C'\fR, and
794: \&\f(CW\*(C`!\*(C'\fR operators respectively. This list has no default members.
1.1 millert 795: .PP
1.5 millert 796: When logging via \fIsyslog\fR\|(3), \fBsudo\fR accepts the following values for the syslog
1.1 millert 797: facility (the value of the \fBsyslog\fR Parameter): \fBauthpriv\fR (if your \s-1OS\s0
798: supports it), \fBauth\fR, \fBdaemon\fR, \fBuser\fR, \fBlocal0\fR, \fBlocal1\fR, \fBlocal2\fR,
1.9 millert 799: \&\fBlocal3\fR, \fBlocal4\fR, \fBlocal5\fR, \fBlocal6\fR, and \fBlocal7\fR. The following
1.1 millert 800: syslog priorities are supported: \fBalert\fR, \fBcrit\fR, \fBdebug\fR, \fBemerg\fR,
1.9 millert 801: \&\fBerr\fR, \fBinfo\fR, \fBnotice\fR, and \fBwarning\fR.
1.1 millert 802: .Sh "User Specification"
1.9 millert 803: .IX Subsection "User Specification"
1.3 millert 804: .Vb 2
1.9 millert 805: \& User_Spec ::= User_list Host_List '=' Cmnd_Spec_List \e
1.3 millert 806: \& (':' User_Spec)*
1.1 millert 807: .Ve
1.15 millert 808: .PP
1.1 millert 809: .Vb 2
810: \& Cmnd_Spec_List ::= Cmnd_Spec |
811: \& Cmnd_Spec ',' Cmnd_Spec_List
812: .Ve
1.15 millert 813: .PP
1.1 millert 814: .Vb 1
1.3 millert 815: \& Cmnd_Spec ::= Runas_Spec? ('NOPASSWD:' | 'PASSWD:')? Cmnd
816: .Ve
1.15 millert 817: .PP
1.3 millert 818: .Vb 1
819: \& Runas_Spec ::= '(' Runas_List ')'
1.1 millert 820: .Ve
1.15 millert 821: .PP
1.1 millert 822: A \fBuser specification\fR determines which commands a user may run
823: (and as what user) on specified hosts. By default, commands are
1.7 pjanzen 824: run as \fBroot\fR, but this can be changed on a per-command basis.
1.1 millert 825: .PP
826: Let's break that down into its constituent parts:
827: .Sh "Runas_Spec"
1.9 millert 828: .IX Subsection "Runas_Spec"
829: A \f(CW\*(C`Runas_Spec\*(C'\fR is simply a \f(CW\*(C`Runas_List\*(C'\fR (as defined above)
1.1 millert 830: enclosed in a set of parentheses. If you do not specify a
1.9 millert 831: \&\f(CW\*(C`Runas_Spec\*(C'\fR in the user specification, a default \f(CW\*(C`Runas_Spec\*(C'\fR
832: of \fBroot\fR will be used. A \f(CW\*(C`Runas_Spec\*(C'\fR sets the default for
1.1 millert 833: commands that follow it. What this means is that for the entry:
834: .PP
835: .Vb 1
1.13 jmc 836: \& dgb boulder = (operator) /bin/ls, /bin/kill, /usr/bin/lprm
1.1 millert 837: .Ve
1.15 millert 838: .PP
1.1 millert 839: The user \fBdgb\fR may run \fI/bin/ls\fR, \fI/bin/kill\fR, and
1.9 millert 840: \&\fI/usr/bin/lprm\fR \*(-- but only as \fBoperator\fR. E.g.,
1.1 millert 841: .PP
842: .Vb 1
843: \& sudo -u operator /bin/ls.
844: .Ve
1.15 millert 845: .PP
1.9 millert 846: It is also possible to override a \f(CW\*(C`Runas_Spec\*(C'\fR later on in an
1.1 millert 847: entry. If we modify the entry like so:
848: .PP
849: .Vb 1
850: \& dgb boulder = (operator) /bin/ls, (root) /bin/kill, /usr/bin/lprm
851: .Ve
1.15 millert 852: .PP
1.1 millert 853: Then user \fBdgb\fR is now allowed to run \fI/bin/ls\fR as \fBoperator\fR,
854: but \fI/bin/kill\fR and \fI/usr/bin/lprm\fR as \fBroot\fR.
855: .Sh "\s-1NOPASSWD\s0 and \s-1PASSWD\s0"
1.9 millert 856: .IX Subsection "NOPASSWD and PASSWD"
1.1 millert 857: By default, \fBsudo\fR requires that a user authenticate him or herself
858: before running a command. This behavior can be modified via the
1.9 millert 859: \&\f(CW\*(C`NOPASSWD\*(C'\fR tag. Like a \f(CW\*(C`Runas_Spec\*(C'\fR, the \f(CW\*(C`NOPASSWD\*(C'\fR tag sets
860: a default for the commands that follow it in the \f(CW\*(C`Cmnd_Spec_List\*(C'\fR.
861: Conversely, the \f(CW\*(C`PASSWD\*(C'\fR tag can be used to reverse things.
1.1 millert 862: For example:
863: .PP
864: .Vb 1
865: \& ray rushmore = NOPASSWD: /bin/kill, /bin/ls, /usr/bin/lprm
866: .Ve
1.15 millert 867: .PP
1.1 millert 868: would allow the user \fBray\fR to run \fI/bin/kill\fR, \fI/bin/ls\fR, and
1.9 millert 869: \&\fI/usr/bin/lprm\fR as root on the machine rushmore as \fBroot\fR without
1.1 millert 870: authenticating himself. If we only want \fBray\fR to be able to
871: run \fI/bin/kill\fR without a password the entry would be:
872: .PP
873: .Vb 1
874: \& ray rushmore = NOPASSWD: /bin/kill, PASSWD: /bin/ls, /usr/bin/lprm
875: .Ve
1.15 millert 876: .PP
1.9 millert 877: Note, however, that the \f(CW\*(C`PASSWD\*(C'\fR tag has no effect on users who are
1.3 millert 878: in the group specified by the exempt_group option.
879: .PP
1.9 millert 880: By default, if the \f(CW\*(C`NOPASSWD\*(C'\fR tag is applied to any of the entries
1.3 millert 881: for a user on the current host, he or she will be able to run
1.9 millert 882: \&\f(CW\*(C`sudo \-l\*(C'\fR without a password. Additionally, a user may only run
883: \&\f(CW\*(C`sudo \-v\*(C'\fR without a password if the \f(CW\*(C`NOPASSWD\*(C'\fR tag is present
1.3 millert 884: for all a user's entries that pertain to the current host.
885: This behavior may be overridden via the verifypw and listpw options.
1.1 millert 886: .Sh "Wildcards (aka meta characters):"
1.9 millert 887: .IX Subsection "Wildcards (aka meta characters):"
888: \&\fBsudo\fR allows shell-style \fIwildcards\fR to be used in pathnames
1.1 millert 889: as well as command line arguments in the \fIsudoers\fR file. Wildcard
1.15 millert 890: matching is done via the \fB\s-1POSIX\s0\fR \f(CWfnmatch(3)\fR routine. Note that
1.1 millert 891: these are \fInot\fR regular expressions.
1.15 millert 892: .ie n .IP "\*(C`*\*(C'" 8
893: .el .IP "\f(CW\*(C`*\*(C'\fR" 8
1.9 millert 894: .IX Item "*"
1.1 millert 895: Matches any set of zero or more characters.
1.15 millert 896: .ie n .IP "\*(C`?\*(C'" 8
897: .el .IP "\f(CW\*(C`?\*(C'\fR" 8
1.9 millert 898: .IX Item "?"
1.1 millert 899: Matches any single character.
1.15 millert 900: .ie n .IP "\*(C`[...]\*(C'" 8
901: .el .IP "\f(CW\*(C`[...]\*(C'\fR" 8
1.9 millert 902: .IX Item "[...]"
1.1 millert 903: Matches any character in the specified range.
1.15 millert 904: .ie n .IP "\*(C`[!...]\*(C'" 8
905: .el .IP "\f(CW\*(C`[!...]\*(C'\fR" 8
1.9 millert 906: .IX Item "[!...]"
1.1 millert 907: Matches any character \fBnot\fR in the specified range.
1.15 millert 908: .ie n .IP "\*(C`\ex\*(C'" 8
909: .el .IP "\f(CW\*(C`\ex\*(C'\fR" 8
1.9 millert 910: .IX Item "x"
1.1 millert 911: For any character \*(L"x\*(R", evaluates to \*(L"x\*(R". This is used to
912: escape special characters such as: \*(L"*\*(R", \*(L"?\*(R", \*(L"[\*(R", and \*(L"}\*(R".
913: .PP
914: Note that a forward slash ('/') will \fBnot\fR be matched by
915: wildcards used in the pathname. When matching the command
1.13 jmc 916: line arguments, however, a slash \fBdoes\fR get matched by
1.1 millert 917: wildcards. This is to make a path like:
918: .PP
919: .Vb 1
920: \& /usr/bin/*
921: .Ve
1.15 millert 922: .PP
1.9 millert 923: match \f(CW\*(C`/usr/bin/who\*(C'\fR but not \f(CW\*(C`/usr/bin/X11/xterm\*(C'\fR.
1.1 millert 924: .Sh "Exceptions to wildcard rules:"
1.9 millert 925: .IX Subsection "Exceptions to wildcard rules:"
1.1 millert 926: The following exceptions apply to the above rules:
1.15 millert 927: .ie n .IP """""" 8
928: .el .IP "\f(CW``''\fR" 8
929: .IX Item """"""
930: If the empty string \f(CW""\fR is the only command line argument in the
1.9 millert 931: \&\fIsudoers\fR entry it means that command is not allowed to be run
1.1 millert 932: with \fBany\fR arguments.
933: .Sh "Other special characters and reserved words:"
1.9 millert 934: .IX Subsection "Other special characters and reserved words:"
1.1 millert 935: The pound sign ('#') is used to indicate a comment (unless it
936: occurs in the context of a user name and is followed by one or
937: more digits, in which case it is treated as a uid). Both the
938: comment character and any text after it, up to the end of the line,
939: are ignored.
940: .PP
1.16 ! jmc 941: The reserved word \fB\s-1ALL\s0\fR is a built-in \fIalias\fR that always causes
1.1 millert 942: a match to succeed. It can be used wherever one might otherwise
1.9 millert 943: use a \f(CW\*(C`Cmnd_Alias\*(C'\fR, \f(CW\*(C`User_Alias\*(C'\fR, \f(CW\*(C`Runas_Alias\*(C'\fR, or \f(CW\*(C`Host_Alias\*(C'\fR.
1.1 millert 944: You should not try to define your own \fIalias\fR called \fB\s-1ALL\s0\fR as the
1.16 ! jmc 945: built-in alias will be used in preference to your own. Please note
1.1 millert 946: that using \fB\s-1ALL\s0\fR can be dangerous since in a command context, it
947: allows the user to run \fBany\fR command on the system.
948: .PP
1.9 millert 949: An exclamation point ('!') can be used as a logical \fInot\fR operator
950: both in an \fIalias\fR and in front of a \f(CW\*(C`Cmnd\*(C'\fR. This allows one to
951: exclude certain values. Note, however, that using a \f(CW\*(C`!\*(C'\fR in
1.16 ! jmc 952: conjunction with the built-in \f(CW\*(C`ALL\*(C'\fR alias to allow a user to
1.1 millert 953: run \*(L"all but a few\*(R" commands rarely works as intended (see \s-1SECURITY\s0
1.9 millert 954: \&\s-1NOTES\s0 below).
1.1 millert 955: .PP
1.9 millert 956: Long lines can be continued with a backslash ('\e') as the last
1.1 millert 957: character on the line.
958: .PP
1.7 pjanzen 959: Whitespace between elements in a list as well as special syntactic
1.9 millert 960: characters in a \fIUser Specification\fR ('=', ':', '(', ')') is optional.
1.1 millert 961: .PP
1.9 millert 962: The following characters must be escaped with a backslash ('\e') when
1.6 krw 963: used as part of a word (e.g. a username or hostname):
1.9 millert 964: \&'@', '!', '=', ':', ',', '(', ')', '\e'.
1.1 millert 965: .SH "EXAMPLES"
1.9 millert 966: .IX Header "EXAMPLES"
1.1 millert 967: Below are example \fIsudoers\fR entries. Admittedly, some of
968: these are a bit contrived. First, we define our \fIaliases\fR:
969: .PP
970: .Vb 4
971: \& # User alias specification
972: \& User_Alias FULLTIMERS = millert, mikef, dowdy
973: \& User_Alias PARTTIMERS = bostley, jwfox, crawl
974: \& User_Alias WEBMASTERS = will, wendy, wim
975: .Ve
1.15 millert 976: .PP
1.1 millert 977: .Vb 3
978: \& # Runas alias specification
979: \& Runas_Alias OP = root, operator
980: \& Runas_Alias DB = oracle, sybase
981: .Ve
1.15 millert 982: .PP
1.1 millert 983: .Vb 9
984: \& # Host alias specification
985: \& Host_Alias SPARC = bigtime, eclipse, moet, anchor :\e
986: \& SGI = grolsch, dandelion, black :\e
987: \& ALPHA = widget, thalamus, foobar :\e
988: \& HPPA = boa, nag, python
989: \& Host_Alias CUNETS = 128.138.0.0/255.255.0.0
990: \& Host_Alias CSNETS = 128.138.243.0, 128.138.204.0/24, 128.138.242.0
991: \& Host_Alias SERVERS = master, mail, www, ns
992: \& Host_Alias CDROM = orion, perseus, hercules
993: .Ve
1.15 millert 994: .PP
1.1 millert 995: .Vb 12
996: \& # Cmnd alias specification
997: \& Cmnd_Alias DUMPS = /usr/bin/mt, /usr/sbin/dump, /usr/sbin/rdump,\e
998: \& /usr/sbin/restore, /usr/sbin/rrestore
999: \& Cmnd_Alias KILL = /usr/bin/kill
1000: \& Cmnd_Alias PRINTING = /usr/sbin/lpc, /usr/bin/lprm
1001: \& Cmnd_Alias SHUTDOWN = /usr/sbin/shutdown
1002: \& Cmnd_Alias HALT = /usr/sbin/halt, /usr/sbin/fasthalt
1003: \& Cmnd_Alias REBOOT = /usr/sbin/reboot, /usr/sbin/fastboot
1004: \& Cmnd_Alias SHELLS = /usr/bin/sh, /usr/bin/csh, /usr/bin/ksh, \e
1005: \& /usr/local/bin/tcsh, /usr/bin/rsh, \e
1006: \& /usr/local/bin/zsh
1007: \& Cmnd_Alias SU = /usr/bin/su
1008: .Ve
1.15 millert 1009: .PP
1.1 millert 1010: Here we override some of the compiled in default values. We want
1.15 millert 1011: \&\fBsudo\fR to log via \fIsyslog\fR\|(3) using the \fIauth\fR facility in all
1012: cases. We don't want to subject the full time staff to the \fBsudo\fR
1013: lecture, user \fBmillert\fR need not give a password, and we don't
1014: want to set the \f(CW\*(C`LOGNAME\*(C'\fR or \f(CW\*(C`USER\*(C'\fR environment variables when
1015: running commands as root. Additionally, on the machines in the
1016: \&\fI\s-1SERVERS\s0\fR \f(CW\*(C`Host_Alias\*(C'\fR, we keep an additional local log file and
1017: make sure we log the year in each log line since the log entries
1018: will be kept around for several years.
1.1 millert 1019: .PP
1.15 millert 1020: .Vb 6
1.16 ! jmc 1021: \& # Override built-in defaults
1.1 millert 1022: \& Defaults syslog=auth
1.15 millert 1023: \& Defaults>root !set_logname
1.1 millert 1024: \& Defaults:FULLTIMERS !lecture
1025: \& Defaults:millert !authenticate
1026: \& Defaults@SERVERS log_year, logfile=/var/log/sudo.log
1027: .Ve
1.15 millert 1028: .PP
1.1 millert 1029: The \fIUser specification\fR is the part that actually determines who may
1030: run what.
1031: .PP
1032: .Vb 2
1033: \& root ALL = (ALL) ALL
1034: \& %wheel ALL = (ALL) ALL
1035: .Ve
1.15 millert 1036: .PP
1.1 millert 1037: We let \fBroot\fR and any user in group \fBwheel\fR run any command on any
1038: host as any user.
1039: .PP
1040: .Vb 1
1041: \& FULLTIMERS ALL = NOPASSWD: ALL
1042: .Ve
1.15 millert 1043: .PP
1.1 millert 1044: Full time sysadmins (\fBmillert\fR, \fBmikef\fR, and \fBdowdy\fR) may run any
1045: command on any host without authenticating themselves.
1046: .PP
1047: .Vb 1
1048: \& PARTTIMERS ALL = ALL
1049: .Ve
1.15 millert 1050: .PP
1.1 millert 1051: Part time sysadmins (\fBbostley\fR, \fBjwfox\fR, and \fBcrawl\fR) may run any
1052: command on any host but they must authenticate themselves first
1.9 millert 1053: (since the entry lacks the \f(CW\*(C`NOPASSWD\*(C'\fR tag).
1.1 millert 1054: .PP
1055: .Vb 1
1056: \& jack CSNETS = ALL
1057: .Ve
1.15 millert 1058: .PP
1.9 millert 1059: The user \fBjack\fR may run any command on the machines in the \fI\s-1CSNETS\s0\fR alias
1.15 millert 1060: (the networks \f(CW128.138.243.0\fR, \f(CW128.138.204.0\fR, and \f(CW128.138.242.0\fR).
1061: Of those networks, only \f(CW128.138.204.0\fR has an explicit netmask (in
1.9 millert 1062: \&\s-1CIDR\s0 notation) indicating it is a class C network. For the other
1063: networks in \fI\s-1CSNETS\s0\fR, the local machine's netmask will be used
1.1 millert 1064: during matching.
1065: .PP
1066: .Vb 1
1067: \& lisa CUNETS = ALL
1068: .Ve
1.15 millert 1069: .PP
1.9 millert 1070: The user \fBlisa\fR may run any command on any host in the \fI\s-1CUNETS\s0\fR alias
1.15 millert 1071: (the class B network \f(CW128.138.0.0\fR).
1.1 millert 1072: .PP
1073: .Vb 2
1074: \& operator ALL = DUMPS, KILL, PRINTING, SHUTDOWN, HALT, REBOOT,\e
1075: \& /usr/oper/bin/
1076: .Ve
1.15 millert 1077: .PP
1.1 millert 1078: The \fBoperator\fR user may run commands limited to simple maintenance.
1079: Here, those are commands related to backups, killing processes, the
1080: printing system, shutting down the system, and any commands in the
1081: directory \fI/usr/oper/bin/\fR.
1082: .PP
1083: .Vb 1
1084: \& joe ALL = /usr/bin/su operator
1085: .Ve
1.15 millert 1086: .PP
1.1 millert 1087: The user \fBjoe\fR may only \fIsu\fR\|(1) to operator.
1088: .PP
1089: .Vb 1
1090: \& pete HPPA = /usr/bin/passwd [A-z]*, !/usr/bin/passwd root
1091: .Ve
1.15 millert 1092: .PP
1.1 millert 1093: The user \fBpete\fR is allowed to change anyone's password except for
1.9 millert 1094: root on the \fI\s-1HPPA\s0\fR machines. Note that this assumes \fIpasswd\fR\|(1)
1.1 millert 1095: does not take multiple usernames on the command line.
1096: .PP
1097: .Vb 1
1098: \& bob SPARC = (OP) ALL : SGI = (OP) ALL
1099: .Ve
1.15 millert 1100: .PP
1.9 millert 1101: The user \fBbob\fR may run anything on the \fI\s-1SPARC\s0\fR and \fI\s-1SGI\s0\fR machines
1102: as any user listed in the \fI\s-1OP\s0\fR \f(CW\*(C`Runas_Alias\*(C'\fR (\fBroot\fR and \fBoperator\fR).
1.1 millert 1103: .PP
1104: .Vb 1
1105: \& jim +biglab = ALL
1106: .Ve
1.15 millert 1107: .PP
1.1 millert 1108: The user \fBjim\fR may run any command on machines in the \fIbiglab\fR netgroup.
1.9 millert 1109: \&\fBSudo\fR knows that \*(L"biglab\*(R" is a netgroup due to the '+' prefix.
1.1 millert 1110: .PP
1111: .Vb 1
1112: \& +secretaries ALL = PRINTING, /usr/bin/adduser, /usr/bin/rmuser
1113: .Ve
1.15 millert 1114: .PP
1.1 millert 1115: Users in the \fBsecretaries\fR netgroup need to help manage the printers
1116: as well as add and remove users, so they are allowed to run those
1117: commands on all machines.
1118: .PP
1119: .Vb 1
1120: \& fred ALL = (DB) NOPASSWD: ALL
1121: .Ve
1.15 millert 1122: .PP
1.9 millert 1123: The user \fBfred\fR can run commands as any user in the \fI\s-1DB\s0\fR \f(CW\*(C`Runas_Alias\*(C'\fR
1.1 millert 1124: (\fBoracle\fR or \fBsybase\fR) without giving a password.
1125: .PP
1126: .Vb 1
1127: \& john ALPHA = /usr/bin/su [!-]*, !/usr/bin/su *root*
1128: .Ve
1.15 millert 1129: .PP
1.9 millert 1130: On the \fI\s-1ALPHA\s0\fR machines, user \fBjohn\fR may su to anyone except root
1.1 millert 1131: but he is not allowed to give \fIsu\fR\|(1) any flags.
1132: .PP
1133: .Vb 1
1134: \& jen ALL, !SERVERS = ALL
1135: .Ve
1.15 millert 1136: .PP
1.1 millert 1137: The user \fBjen\fR may run any command on any machine except for those
1.9 millert 1138: in the \fI\s-1SERVERS\s0\fR \f(CW\*(C`Host_Alias\*(C'\fR (master, mail, www and ns).
1.1 millert 1139: .PP
1140: .Vb 1
1141: \& jill SERVERS = /usr/bin/, !SU, !SHELLS
1142: .Ve
1.15 millert 1143: .PP
1.9 millert 1144: For any machine in the \fI\s-1SERVERS\s0\fR \f(CW\*(C`Host_Alias\*(C'\fR, \fBjill\fR may run
1.1 millert 1145: any commands in the directory /usr/bin/ except for those commands
1.9 millert 1146: belonging to the \fI\s-1SU\s0\fR and \fI\s-1SHELLS\s0\fR \f(CW\*(C`Cmnd_Aliases\*(C'\fR.
1.1 millert 1147: .PP
1148: .Vb 1
1149: \& steve CSNETS = (operator) /usr/local/op_commands/
1150: .Ve
1.15 millert 1151: .PP
1.1 millert 1152: The user \fBsteve\fR may run any command in the directory /usr/local/op_commands/
1153: but only as user operator.
1154: .PP
1155: .Vb 1
1156: \& matt valkyrie = KILL
1157: .Ve
1.15 millert 1158: .PP
1.1 millert 1159: On his personal workstation, valkyrie, \fBmatt\fR needs to be able to
1160: kill hung processes.
1161: .PP
1162: .Vb 1
1163: \& WEBMASTERS www = (www) ALL, (root) /usr/bin/su www
1164: .Ve
1.15 millert 1165: .PP
1.9 millert 1166: On the host www, any user in the \fI\s-1WEBMASTERS\s0\fR \f(CW\*(C`User_Alias\*(C'\fR (will,
1.1 millert 1167: wendy, and wim), may run any command as user www (which owns the
1168: web pages) or simply \fIsu\fR\|(1) to www.
1169: .PP
1170: .Vb 2
1171: \& ALL CDROM = NOPASSWD: /sbin/umount /CDROM,\e
1172: \& /sbin/mount -o nosuid\e,nodev /dev/cd0a /CDROM
1173: .Ve
1.15 millert 1174: .PP
1175: Any user may mount or unmount a CD-ROM on the machines in the \s-1CDROM\s0
1.9 millert 1176: \&\f(CW\*(C`Host_Alias\*(C'\fR (orion, perseus, hercules) without entering a password.
1.7 pjanzen 1177: This is a bit tedious for users to type, so it is a prime candidate
1.1 millert 1178: for encapsulating in a shell script.
1179: .SH "SECURITY NOTES"
1.9 millert 1180: .IX Header "SECURITY NOTES"
1181: It is generally not effective to \*(L"subtract\*(R" commands from \f(CW\*(C`ALL\*(C'\fR
1182: using the '!' operator. A user can trivially circumvent this
1.1 millert 1183: by copying the desired command to a different name and then
1184: executing that. For example:
1185: .PP
1186: .Vb 1
1187: \& bill ALL = ALL, !SU, !SHELLS
1188: .Ve
1.15 millert 1189: .PP
1.1 millert 1190: Doesn't really prevent \fBbill\fR from running the commands listed in
1.9 millert 1191: \&\fI\s-1SU\s0\fR or \fI\s-1SHELLS\s0\fR since he can simply copy those commands to a
1.1 millert 1192: different name, or use a shell escape from an editor or other
1193: program. Therefore, these kind of restrictions should be considered
1194: advisory at best (and reinforced by policy).
1195: .SH "CAVEATS"
1.9 millert 1196: .IX Header "CAVEATS"
1.1 millert 1197: The \fIsudoers\fR file should \fBalways\fR be edited by the \fBvisudo\fR
1198: command which locks the file and does grammatical checking. It is
1199: imperative that \fIsudoers\fR be free of syntax errors since \fBsudo\fR
1200: will not run with a syntactically incorrect \fIsudoers\fR file.
1.3 millert 1201: .PP
1202: When using netgroups of machines (as opposed to users), if you
1.5 millert 1203: store fully qualified hostnames in the netgroup (as is usually the
1204: case), you either need to have the machine's hostname be fully qualified
1.9 millert 1205: as returned by the \f(CW\*(C`hostname\*(C'\fR command or use the \fIfqdn\fR option in
1206: \&\fIsudoers\fR.
1.1 millert 1207: .SH "FILES"
1.9 millert 1208: .IX Header "FILES"
1.1 millert 1209: .Vb 3
1210: \& /etc/sudoers List of who can run what
1211: \& /etc/group Local groups file
1212: \& /etc/netgroup List of network groups
1213: .Ve
1214: .SH "SEE ALSO"
1215: .IX Header "SEE ALSO"
1.15 millert 1216: \&\fIrsh\fR\|(1), \fIsu\fR\|(1), \fIfnmatch\fR\|(3), \fIsudo\fR\|(8), \fIvisudo\fR\|(8)