Annotation of src/usr.bin/sudo/sudoers.5, Revision 1.17
1.17 ! millert 1: .\" Copyright (c) 1994-1996,1998-2004 Todd C. Miller <Todd.Miller@courtesan.com>
1.14 millert 2: .\"
1.17 ! millert 3: .\" Permission to use, copy, modify, and distribute this software for any
! 4: .\" purpose with or without fee is hereby granted, provided that the above
! 5: .\" copyright notice and this permission notice appear in all copies.
1.14 millert 6: .\"
1.17 ! millert 7: .\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
! 8: .\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
! 9: .\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
! 10: .\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
! 11: .\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
! 12: .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
! 13: .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
! 14: .\" ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
1.14 millert 15: .\"
1.17 ! millert 16: .\" Sponsored in part by the Defense Advanced Research Projects
! 17: .\" Agency (DARPA) and Air Force Research Laboratory, Air Force
! 18: .\" Materiel Command, USAF, under agreement number F39502-99-1-0512.
1.14 millert 19: .\"
1.17 ! millert 20: .\" $Sudo: sudoers.man.in,v 1.46 2004/09/06 20:46:28 millert Exp $
! 21: .\" Automatically generated by Pod::Man v1.37, Pod::Parser v1.14
1.9 millert 22: .\"
23: .\" Standard preamble:
1.15 millert 24: .\" ========================================================================
1.9 millert 25: .de Sh \" Subsection heading
1.1 millert 26: .br
27: .if t .Sp
28: .ne 5
29: .PP
30: \fB\\$1\fR
31: .PP
32: ..
1.9 millert 33: .de Sp \" Vertical space (when we can't use .PP)
1.1 millert 34: .if t .sp .5v
35: .if n .sp
36: ..
1.9 millert 37: .de Vb \" Begin verbatim text
1.1 millert 38: .ft CW
39: .nf
40: .ne \\$1
41: ..
1.9 millert 42: .de Ve \" End verbatim text
1.1 millert 43: .ft R
44: .fi
45: ..
1.9 millert 46: .\" Set up some character translations and predefined strings. \*(-- will
47: .\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
48: .\" double quote, and \*(R" will give a right double quote. | will give a
1.15 millert 49: .\" real vertical bar. \*(C+ will give a nicer C++. Capital omega is used to
50: .\" do unbreakable dashes and therefore won't be available. \*(C` and \*(C'
51: .\" expand to `' in nroff, nothing in troff, for use with C<>.
1.1 millert 52: .tr \(*W-|\(bv\*(Tr
1.9 millert 53: .ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
1.1 millert 54: .ie n \{\
1.9 millert 55: . ds -- \(*W-
56: . ds PI pi
57: . if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
58: . if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
59: . ds L" ""
60: . ds R" ""
61: . ds C`
62: . ds C'
1.1 millert 63: 'br\}
64: .el\{\
1.9 millert 65: . ds -- \|\(em\|
66: . ds PI \(*p
67: . ds L" ``
68: . ds R" ''
1.1 millert 69: 'br\}
1.9 millert 70: .\"
1.15 millert 71: .\" If the F register is turned on, we'll generate index entries on stderr for
72: .\" titles (.TH), headers (.SH), subsections (.Sh), items (.Ip), and index
73: .\" entries marked with X<> in POD. Of course, you'll have to process the
74: .\" output yourself in some meaningful fashion.
1.9 millert 75: .if \nF \{\
76: . de IX
77: . tm Index:\\$1\t\\n%\t"\\$2"
1.1 millert 78: ..
1.9 millert 79: . nr % 0
80: . rr F
1.1 millert 81: .\}
1.9 millert 82: .\"
1.15 millert 83: .\" For nroff, turn off justification. Always turn off hyphenation; it makes
84: .\" way too many mistakes in technical documents.
1.9 millert 85: .hy 0
1.1 millert 86: .if n .na
1.9 millert 87: .\"
88: .\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
89: .\" Fear. Run. Save yourself. No user-serviceable parts.
90: . \" fudge factors for nroff and troff
1.1 millert 91: .if n \{\
1.9 millert 92: . ds #H 0
93: . ds #V .8m
94: . ds #F .3m
95: . ds #[ \f1
96: . ds #] \fP
1.1 millert 97: .\}
98: .if t \{\
1.9 millert 99: . ds #H ((1u-(\\\\n(.fu%2u))*.13m)
100: . ds #V .6m
101: . ds #F 0
102: . ds #[ \&
103: . ds #] \&
1.1 millert 104: .\}
1.9 millert 105: . \" simple accents for nroff and troff
1.1 millert 106: .if n \{\
1.9 millert 107: . ds ' \&
108: . ds ` \&
109: . ds ^ \&
110: . ds , \&
111: . ds ~ ~
112: . ds /
1.1 millert 113: .\}
114: .if t \{\
1.9 millert 115: . ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
116: . ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
117: . ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
118: . ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
119: . ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
120: . ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
1.1 millert 121: .\}
1.9 millert 122: . \" troff and (daisy-wheel) nroff accents
1.1 millert 123: .ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
124: .ds 8 \h'\*(#H'\(*b\h'-\*(#H'
125: .ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
126: .ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
127: .ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
128: .ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
129: .ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
130: .ds ae a\h'-(\w'a'u*4/10)'e
131: .ds Ae A\h'-(\w'A'u*4/10)'E
1.9 millert 132: . \" corrections for vroff
1.1 millert 133: .if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
134: .if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
1.9 millert 135: . \" for low resolution devices (crt and lpr)
1.1 millert 136: .if \n(.H>23 .if \n(.V>19 \
137: \{\
1.9 millert 138: . ds : e
139: . ds 8 ss
140: . ds o a
141: . ds d- d\h'-1'\(ga
142: . ds D- D\h'-1'\(hy
143: . ds th \o'bp'
144: . ds Th \o'LP'
145: . ds ae ae
146: . ds Ae AE
1.1 millert 147: .\}
148: .rm #[ #] #H #V #F C
1.15 millert 149: .\" ========================================================================
1.9 millert 150: .\"
1.15 millert 151: .IX Title "SUDOERS 5"
1.17 ! millert 152: .TH SUDOERS 5 "September 6, 2004" "1.6.8" "MAINTENANCE COMMANDS"
1.1 millert 153: .SH "NAME"
154: sudoers \- list of which users may execute what
155: .SH "DESCRIPTION"
1.9 millert 156: .IX Header "DESCRIPTION"
1.17 ! millert 157: The \fIsudoers\fR file is composed of two types of entries: aliases
! 158: (basically variables) and user specifications (which specify who
! 159: may run what).
! 160: .PP
! 161: When multiple entries match for a user, they are applied in order.
! 162: Where there are conflicting values, the last match is used (which
! 163: is not necessarily the most specific match).
! 164: .PP
! 165: The \fIsudoers\fR grammar will be described below in Extended Backus-Naur
! 166: Form (\s-1EBNF\s0). Don't despair if you don't know what \s-1EBNF\s0 is; it is
! 167: fairly simple, and the definitions below are annotated.
1.1 millert 168: .Sh "Quick guide to \s-1EBNF\s0"
1.9 millert 169: .IX Subsection "Quick guide to EBNF"
170: \&\s-1EBNF\s0 is a concise and exact way of describing the grammar of a language.
1.7 pjanzen 171: Each \s-1EBNF\s0 definition is made up of \fIproduction rules\fR. E.g.,
1.1 millert 172: .PP
173: .Vb 1
174: \& symbol ::= definition | alternate1 | alternate2 ...
175: .Ve
1.15 millert 176: .PP
1.1 millert 177: Each \fIproduction rule\fR references others and thus makes up a
178: grammar for the language. \s-1EBNF\s0 also contains the following
179: operators, which many readers will recognize from regular
180: expressions. Do not, however, confuse them with \*(L"wildcard\*(R"
181: characters, which have different meanings.
1.15 millert 182: .ie n .IP "\*(C`?\*(C'" 8
183: .el .IP "\f(CW\*(C`?\*(C'\fR" 8
1.9 millert 184: .IX Item "?"
1.1 millert 185: Means that the preceding symbol (or group of symbols) is optional.
186: That is, it may appear once or not at all.
1.15 millert 187: .ie n .IP "\*(C`*\*(C'" 8
188: .el .IP "\f(CW\*(C`*\*(C'\fR" 8
1.9 millert 189: .IX Item "*"
1.1 millert 190: Means that the preceding symbol (or group of symbols) may appear
191: zero or more times.
1.15 millert 192: .ie n .IP "\*(C`+\*(C'" 8
193: .el .IP "\f(CW\*(C`+\*(C'\fR" 8
1.9 millert 194: .IX Item "+"
1.1 millert 195: Means that the preceding symbol (or group of symbols) may appear
196: one or more times.
197: .PP
198: Parentheses may be used to group symbols together. For clarity,
199: we will use single quotes ('') to designate what is a verbatim character
200: string (as opposed to a symbol name).
201: .Sh "Aliases"
1.9 millert 202: .IX Subsection "Aliases"
203: There are four kinds of aliases: \f(CW\*(C`User_Alias\*(C'\fR, \f(CW\*(C`Runas_Alias\*(C'\fR,
204: \&\f(CW\*(C`Host_Alias\*(C'\fR and \f(CW\*(C`Cmnd_Alias\*(C'\fR.
1.1 millert 205: .PP
206: .Vb 4
1.9 millert 207: \& Alias ::= 'User_Alias' User_Alias (':' User_Alias)* |
208: \& 'Runas_Alias' Runas_Alias (':' Runas_Alias)* |
209: \& 'Host_Alias' Host_Alias (':' Host_Alias)* |
210: \& 'Cmnd_Alias' Cmnd_Alias (':' Cmnd_Alias)*
1.1 millert 211: .Ve
1.15 millert 212: .PP
1.1 millert 213: .Vb 1
214: \& User_Alias ::= NAME '=' User_List
215: .Ve
1.15 millert 216: .PP
1.1 millert 217: .Vb 1
1.9 millert 218: \& Runas_Alias ::= NAME '=' Runas_List
1.1 millert 219: .Ve
1.15 millert 220: .PP
1.1 millert 221: .Vb 1
222: \& Host_Alias ::= NAME '=' Host_List
223: .Ve
1.15 millert 224: .PP
1.1 millert 225: .Vb 1
226: \& Cmnd_Alias ::= NAME '=' Cmnd_List
227: .Ve
1.15 millert 228: .PP
1.1 millert 229: .Vb 1
230: \& NAME ::= [A-Z]([A-Z][0-9]_)*
231: .Ve
1.15 millert 232: .PP
1.1 millert 233: Each \fIalias\fR definition is of the form
234: .PP
235: .Vb 1
236: \& Alias_Type NAME = item1, item2, ...
237: .Ve
1.15 millert 238: .PP
1.9 millert 239: where \fIAlias_Type\fR is one of \f(CW\*(C`User_Alias\*(C'\fR, \f(CW\*(C`Runas_Alias\*(C'\fR, \f(CW\*(C`Host_Alias\*(C'\fR,
240: or \f(CW\*(C`Cmnd_Alias\*(C'\fR. A \f(CW\*(C`NAME\*(C'\fR is a string of uppercase letters, numbers,
1.13 jmc 241: and underscore characters ('_'). A \f(CW\*(C`NAME\*(C'\fR \fBmust\fR start with an
1.7 pjanzen 242: uppercase letter. It is possible to put several alias definitions
1.8 jufi 243: of the same type on a single line, joined by a colon (':'). E.g.,
1.1 millert 244: .PP
245: .Vb 1
246: \& Alias_Type NAME = item1, item2, item3 : NAME = item4, item5
247: .Ve
1.15 millert 248: .PP
1.1 millert 249: The definitions of what constitutes a valid \fIalias\fR member follow.
250: .PP
251: .Vb 2
252: \& User_List ::= User |
253: \& User ',' User_List
254: .Ve
1.15 millert 255: .PP
1.9 millert 256: .Vb 4
1.1 millert 257: \& User ::= '!'* username |
258: \& '!'* '%'group |
259: \& '!'* '+'netgroup |
260: \& '!'* User_Alias
261: .Ve
1.15 millert 262: .PP
1.17 ! millert 263: A \f(CW\*(C`User_List\*(C'\fR is made up of one or more usernames, system groups
! 264: (prefixed with '%'), netgroups (prefixed with '+') and other aliases.
! 265: Each list item may be prefixed with one or more '!' operators.
! 266: An odd number of '!' operators negate the value of the item; an even
! 267: number just cancel each other out.
1.1 millert 268: .PP
269: .Vb 2
270: \& Runas_List ::= Runas_User |
271: \& Runas_User ',' Runas_List
272: .Ve
1.15 millert 273: .PP
1.1 millert 274: .Vb 5
275: \& Runas_User ::= '!'* username |
276: \& '!'* '#'uid |
277: \& '!'* '%'group |
278: \& '!'* +netgroup |
279: \& '!'* Runas_Alias
280: .Ve
1.15 millert 281: .PP
1.9 millert 282: A \f(CW\*(C`Runas_List\*(C'\fR is similar to a \f(CW\*(C`User_List\*(C'\fR except that it can
283: also contain uids (prefixed with '#') and instead of \f(CW\*(C`User_Alias\*(C'\fRes
1.17 ! millert 284: it can contain \f(CW\*(C`Runas_Alias\*(C'\fRes. Note that usernames and groups
! 285: are matched as strings. In other words, two users (groups) with
! 286: the same uid (gid) are considered to be distinct. If you wish to
! 287: match all usernames with the same uid (e.g. root and toor), you
! 288: can use a uid instead (#0 in the example given).
1.1 millert 289: .PP
290: .Vb 2
291: \& Host_List ::= Host |
292: \& Host ',' Host_List
293: .Ve
1.15 millert 294: .PP
1.1 millert 295: .Vb 5
296: \& Host ::= '!'* hostname |
297: \& '!'* ip_addr |
298: \& '!'* network(/netmask)? |
299: \& '!'* '+'netgroup |
300: \& '!'* Host_Alias
301: .Ve
1.15 millert 302: .PP
1.9 millert 303: A \f(CW\*(C`Host_List\*(C'\fR is made up of one or more hostnames, \s-1IP\s0 addresses,
304: network numbers, netgroups (prefixed with '+') and other aliases.
305: Again, the value of an item may be negated with the '!' operator.
1.1 millert 306: If you do not specify a netmask with a network number, the netmask
1.15 millert 307: of the host's ethernet interface(s) will be used when matching.
1.6 krw 308: The netmask may be specified either in dotted quad notation (e.g.
309: 255.255.255.0) or \s-1CIDR\s0 notation (number of bits, e.g. 24). A hostname
1.17 ! millert 310: may include shell-style wildcards (see the Wildcards section below),
1.9 millert 311: but unless the \f(CW\*(C`hostname\*(C'\fR command on your machine returns the fully
1.5 millert 312: qualified hostname, you'll need to use the \fIfqdn\fR option for wildcards
313: to be useful.
1.1 millert 314: .PP
315: .Vb 2
316: \& Cmnd_List ::= Cmnd |
317: \& Cmnd ',' Cmnd_List
318: .Ve
1.15 millert 319: .PP
1.1 millert 320: .Vb 3
321: \& commandname ::= filename |
322: \& filename args |
323: \& filename '""'
324: .Ve
1.15 millert 325: .PP
1.17 ! millert 326: .Vb 4
1.1 millert 327: \& Cmnd ::= '!'* commandname |
328: \& '!'* directory |
1.17 ! millert 329: \& '!'* "sudoedit" |
1.1 millert 330: \& '!'* Cmnd_Alias
331: .Ve
1.15 millert 332: .PP
1.9 millert 333: A \f(CW\*(C`Cmnd_List\*(C'\fR is a list of one or more commandnames, directories, and other
1.5 millert 334: aliases. A commandname is a fully qualified filename which may include
1.17 ! millert 335: shell-style wildcards (see the Wildcards section below). A simple
1.1 millert 336: filename allows the user to run the command with any arguments he/she
1.9 millert 337: wishes. However, you may also specify command line arguments (including
1.15 millert 338: wildcards). Alternately, you can specify \f(CW""\fR to indicate that the command
1.1 millert 339: may only be run \fBwithout\fR command line arguments. A directory is a
1.9 millert 340: fully qualified pathname ending in a '/'. When you specify a directory
341: in a \f(CW\*(C`Cmnd_List\*(C'\fR, the user will be able to run any file within that directory
1.1 millert 342: (but not in any subdirectories therein).
343: .PP
1.9 millert 344: If a \f(CW\*(C`Cmnd\*(C'\fR has associated command line arguments, then the arguments
345: in the \f(CW\*(C`Cmnd\*(C'\fR must match exactly those given by the user on the command line
1.1 millert 346: (or match the wildcards if there are any). Note that the following
1.9 millert 347: characters must be escaped with a '\e' if they are used in command
1.17 ! millert 348: arguments: ',', ':', '=', '\e'. The special command \f(CW"sudoedit"\fR
! 349: is used to permit a user to run \fBsudo\fR with the \fB\-e\fR flag (or
! 350: as \fBsudoedit\fR). It may take command line arguments just as
! 351: a normal command does.
1.1 millert 352: .Sh "Defaults"
1.9 millert 353: .IX Subsection "Defaults"
1.1 millert 354: Certain configuration options may be changed from their default
1.9 millert 355: values at runtime via one or more \f(CW\*(C`Default_Entry\*(C'\fR lines. These
1.15 millert 356: may affect all users on any host, all users on a specific host, a
1.17 ! millert 357: specific user, or commands being run as a specific user.
1.1 millert 358: .PP
1.15 millert 359: .Vb 4
1.17 ! millert 360: \& Default_Type ::= 'Defaults' |
! 361: \& 'Defaults' '@' Host |
! 362: \& 'Defaults' ':' User |
1.15 millert 363: \& 'Defaults' '>' RunasUser
1.1 millert 364: .Ve
1.15 millert 365: .PP
1.1 millert 366: .Vb 1
367: \& Default_Entry ::= Default_Type Parameter_List
368: .Ve
1.15 millert 369: .PP
1.17 ! millert 370: .Vb 2
! 371: \& Parameter_List ::= Parameter |
! 372: \& Parameter ',' Parameter_List
! 373: .Ve
! 374: .PP
1.9 millert 375: .Vb 4
1.17 ! millert 376: \& Parameter ::= Parameter '=' Value |
! 377: \& Parameter '+=' Value |
! 378: \& Parameter '-=' Value |
! 379: \& '!'* Parameter
1.1 millert 380: .Ve
1.15 millert 381: .PP
1.9 millert 382: Parameters may be \fBflags\fR, \fBinteger\fR values, \fBstrings\fR, or \fBlists\fR.
383: Flags are implicitly boolean and can be turned off via the '!'
384: operator. Some integer, string and list parameters may also be
385: used in a boolean context to disable them. Values may be enclosed
386: in double quotes (\f(CW\*(C`"\*(C'\fR) when they contain multiple words. Special
387: characters may be escaped with a backslash (\f(CW\*(C`\e\*(C'\fR).
388: .PP
389: Lists have two additional assignment operators, \f(CW\*(C`+=\*(C'\fR and \f(CW\*(C`\-=\*(C'\fR.
390: These operators are used to add to and delete from a list respectively.
391: It is not an error to use the \f(CW\*(C`\-=\*(C'\fR operator to remove an element
392: that does not exist in a list.
393: .PP
394: \&\fBFlags\fR:
1.15 millert 395: .IP "long_otp_prompt" 12
1.9 millert 396: .IX Item "long_otp_prompt"
1.4 millert 397: When validating with a One Time Password scheme (\fBS/Key\fR or \fB\s-1OPIE\s0\fR),
398: a two-line prompt is used to make it easier to cut and paste the
399: challenge to a local window. It's not as pretty as the default but
1.9 millert 400: some people find it more convenient. This flag is \fIoff\fR
401: by default.
1.15 millert 402: .IP "ignore_dot" 12
1.9 millert 403: .IX Item "ignore_dot"
404: If set, \fBsudo\fR will ignore '.' or '' (current dir) in the \f(CW\*(C`PATH\*(C'\fR
405: environment variable; the \f(CW\*(C`PATH\*(C'\fR itself is not modified. This
1.17 ! millert 406: flag is \fIoff\fR by default. Currently, while it is possible
! 407: to set \fIignore_dot\fR in \fIsudoers\fR, its value is not used. This option
! 408: should be considered read-only (it will be fixed in a future version
! 409: of \fBsudo\fR).
1.15 millert 410: .IP "mail_always" 12
1.9 millert 411: .IX Item "mail_always"
1.5 millert 412: Send mail to the \fImailto\fR user every time a users runs \fBsudo\fR.
1.9 millert 413: This flag is \fIoff\fR by default.
1.15 millert 414: .IP "mail_badpass" 12
1.9 millert 415: .IX Item "mail_badpass"
416: Send mail to the \fImailto\fR user if the user running sudo does not
417: enter the correct password. This flag is \fIoff\fR by default.
1.15 millert 418: .IP "mail_no_user" 12
1.9 millert 419: .IX Item "mail_no_user"
1.4 millert 420: If set, mail will be sent to the \fImailto\fR user if the invoking
1.9 millert 421: user is not in the \fIsudoers\fR file. This flag is \fIon\fR
422: by default.
1.15 millert 423: .IP "mail_no_host" 12
1.9 millert 424: .IX Item "mail_no_host"
1.4 millert 425: If set, mail will be sent to the \fImailto\fR user if the invoking
426: user exists in the \fIsudoers\fR file, but is not allowed to run
1.9 millert 427: commands on the current host. This flag is \fIoff\fR by default.
1.15 millert 428: .IP "mail_no_perms" 12
1.9 millert 429: .IX Item "mail_no_perms"
1.4 millert 430: If set, mail will be sent to the \fImailto\fR user if the invoking
1.13 jmc 431: user is allowed to use \fBsudo\fR but the command they are trying is not
1.17 ! millert 432: listed in their \fIsudoers\fR file entry or is explicitly denied.
! 433: This flag is \fIoff\fR by default.
1.15 millert 434: .IP "tty_tickets" 12
1.9 millert 435: .IX Item "tty_tickets"
1.4 millert 436: If set, users must authenticate on a per-tty basis. Normally,
1.9 millert 437: \&\fBsudo\fR uses a directory in the ticket dir with the same name as
1.4 millert 438: the user running it. With this flag enabled, \fBsudo\fR will use a
439: file named for the tty the user is logged in on in that directory.
1.9 millert 440: This flag is \fIoff\fR by default.
1.15 millert 441: .IP "authenticate" 12
1.9 millert 442: .IX Item "authenticate"
1.4 millert 443: If set, users must authenticate themselves via a password (or other
444: means of authentication) before they may run commands. This default
1.9 millert 445: may be overridden via the \f(CW\*(C`PASSWD\*(C'\fR and \f(CW\*(C`NOPASSWD\*(C'\fR tags.
446: This flag is \fIon\fR by default.
1.15 millert 447: .IP "root_sudo" 12
1.9 millert 448: .IX Item "root_sudo"
1.5 millert 449: If set, root is allowed to run \fBsudo\fR too. Disabling this prevents users
450: from \*(L"chaining\*(R" \fBsudo\fR commands to get a root shell by doing something
1.17 ! millert 451: like \f(CW"sudo sudo /bin/sh"\fR. Note, however, that turning off \fIroot_sudo\fR
! 452: will also prevent root and from running \fBsudoedit\fR.
! 453: Disabling \fIroot_sudo\fR provides no real additional security; it
! 454: exists purely for historical reasons.
1.9 millert 455: This flag is \fIon\fR by default.
1.15 millert 456: .IP "log_host" 12
1.9 millert 457: .IX Item "log_host"
1.15 millert 458: If set, the hostname will be logged in the (non\-syslog) \fBsudo\fR log file.
1.9 millert 459: This flag is \fIoff\fR by default.
1.15 millert 460: .IP "log_year" 12
1.9 millert 461: .IX Item "log_year"
1.15 millert 462: If set, the four-digit year will be logged in the (non\-syslog) \fBsudo\fR log file.
1.9 millert 463: This flag is \fIoff\fR by default.
1.15 millert 464: .IP "shell_noargs" 12
1.9 millert 465: .IX Item "shell_noargs"
1.4 millert 466: If set and \fBsudo\fR is invoked with no arguments it acts as if the
1.9 millert 467: \&\fB\-s\fR flag had been given. That is, it runs a shell as root (the
468: shell is determined by the \f(CW\*(C`SHELL\*(C'\fR environment variable if it is
1.4 millert 469: set, falling back on the shell listed in the invoking user's
1.9 millert 470: /etc/passwd entry if not). This flag is \fIoff\fR by default.
1.15 millert 471: .IP "set_home" 12
1.9 millert 472: .IX Item "set_home"
473: If set and \fBsudo\fR is invoked with the \fB\-s\fR flag the \f(CW\*(C`HOME\*(C'\fR
1.4 millert 474: environment variable will be set to the home directory of the target
1.9 millert 475: user (which is root unless the \fB\-u\fR option is used). This effectively
476: makes the \fB\-s\fR flag imply \fB\-H\fR. This flag is \fIoff\fR by default.
1.15 millert 477: .IP "always_set_home" 12
1.9 millert 478: .IX Item "always_set_home"
479: If set, \fBsudo\fR will set the \f(CW\*(C`HOME\*(C'\fR environment variable to the home
480: directory of the target user (which is root unless the \fB\-u\fR option is used).
481: This effectively means that the \fB\-H\fR flag is always implied.
482: This flag is \fIoff\fR by default.
1.15 millert 483: .IP "path_info" 12
1.9 millert 484: .IX Item "path_info"
1.4 millert 485: Normally, \fBsudo\fR will tell the user when a command could not be
1.9 millert 486: found in their \f(CW\*(C`PATH\*(C'\fR environment variable. Some sites may wish
487: to disable this as it could be used to gather information on the
488: location of executables that the normal user does not have access
489: to. The disadvantage is that if the executable is simply not in
490: the user's \f(CW\*(C`PATH\*(C'\fR, \fBsudo\fR will tell the user that they are not
491: allowed to run it, which can be confusing. This flag is \fIoff\fR by
492: default.
1.15 millert 493: .IP "preserve_groups" 12
1.9 millert 494: .IX Item "preserve_groups"
495: By default \fBsudo\fR will initialize the group vector to the list of
496: groups the target user is in. When \fIpreserve_groups\fR is set, the
497: user's existing group vector is left unaltered. The real and
498: effective group IDs, however, are still set to match the target
499: user. This flag is \fIoff\fR by default.
1.15 millert 500: .IP "fqdn" 12
1.9 millert 501: .IX Item "fqdn"
1.4 millert 502: Set this flag if you want to put fully qualified hostnames in the
1.13 jmc 503: \&\fIsudoers\fR file. I.e., instead of myhost you would use myhost.mydomain.edu.
1.4 millert 504: You may still use the short form if you wish (and even mix the two).
1.5 millert 505: Beware that turning on \fIfqdn\fR requires \fBsudo\fR to make \s-1DNS\s0 lookups
1.4 millert 506: which may make \fBsudo\fR unusable if \s-1DNS\s0 stops working (for example
507: if the machine is not plugged into the network). Also note that
508: you must use the host's official name as \s-1DNS\s0 knows it. That is,
1.9 millert 509: you may not use a host alias (\f(CW\*(C`CNAME\*(C'\fR entry) due to performance
1.4 millert 510: issues and the fact that there is no way to get all aliases from
1.9 millert 511: \&\s-1DNS\s0. If your machine's hostname (as returned by the \f(CW\*(C`hostname\*(C'\fR
1.4 millert 512: command) is already fully qualified you shouldn't need to set
1.9 millert 513: \&\fIfqdn\fR. This flag is \fIoff\fR by default.
1.15 millert 514: .IP "insults" 12
1.9 millert 515: .IX Item "insults"
1.5 millert 516: If set, \fBsudo\fR will insult users when they enter an incorrect
1.9 millert 517: password. This flag is \fIon\fR by default.
1.15 millert 518: .IP "requiretty" 12
1.9 millert 519: .IX Item "requiretty"
1.5 millert 520: If set, \fBsudo\fR will only run when the user is logged in to a real
1.15 millert 521: tty. This will disallow things like \f(CW"rsh somehost sudo ls"\fR since
1.9 millert 522: \&\fIrsh\fR\|(1) does not allocate a tty. Because it is not possible to turn
1.15 millert 523: off echo when there is no tty present, some sites may with to set
1.4 millert 524: this flag to prevent a user from entering a visible password. This
1.9 millert 525: flag is \fIoff\fR by default.
1.15 millert 526: .IP "env_editor" 12
1.9 millert 527: .IX Item "env_editor"
528: If set, \fBvisudo\fR will use the value of the \s-1EDITOR\s0 or \s-1VISUAL\s0
529: environment variables before falling back on the default editor list.
530: Note that this may create a security hole as it allows the user to
531: run any arbitrary command as root without logging. A safer alternative
532: is to place a colon-separated list of editors in the \f(CW\*(C`editor\*(C'\fR
533: variable. \fBvisudo\fR will then only use the \s-1EDITOR\s0 or \s-1VISUAL\s0 if
534: they match a value specified in \f(CW\*(C`editor\*(C'\fR. This flag is \f(CW\*(C`on\*(C'\fR by
535: default.
1.15 millert 536: .IP "rootpw" 12
1.9 millert 537: .IX Item "rootpw"
1.5 millert 538: If set, \fBsudo\fR will prompt for the root password instead of the password
1.9 millert 539: of the invoking user. This flag is \fIoff\fR by default.
1.15 millert 540: .IP "runaspw" 12
1.9 millert 541: .IX Item "runaspw"
1.5 millert 542: If set, \fBsudo\fR will prompt for the password of the user defined by the
1.17 ! millert 543: \&\fIrunas_default\fR option (defaults to \f(CW\*(C`root\*(C'\fR) instead of the
! 544: password of the invoking user. This flag is \fIoff\fR by default.
1.15 millert 545: .IP "targetpw" 12
1.9 millert 546: .IX Item "targetpw"
1.5 millert 547: If set, \fBsudo\fR will prompt for the password of the user specified by
1.9 millert 548: the \fB\-u\fR flag (defaults to \f(CW\*(C`root\*(C'\fR) instead of the password of the
1.17 ! millert 549: invoking user. Note that this precludes the use of a uid not listed
! 550: in the passwd database as an argument to the \fB\-u\fR flag.
! 551: This flag is \fIoff\fR by default.
1.15 millert 552: .IP "set_logname" 12
1.9 millert 553: .IX Item "set_logname"
554: Normally, \fBsudo\fR will set the \f(CW\*(C`LOGNAME\*(C'\fR and \f(CW\*(C`USER\*(C'\fR environment variables
555: to the name of the target user (usually root unless the \fB\-u\fR flag is given).
1.5 millert 556: However, since some programs (including the \s-1RCS\s0 revision control system)
1.9 millert 557: use \f(CW\*(C`LOGNAME\*(C'\fR to determine the real identity of the user, it may be desirable
1.5 millert 558: to change this behavior. This can be done by negating the set_logname option.
1.15 millert 559: .IP "stay_setuid" 12
1.9 millert 560: .IX Item "stay_setuid"
561: Normally, when \fBsudo\fR executes a command the real and effective
562: UIDs are set to the target user (root by default). This option
563: changes that behavior such that the real \s-1UID\s0 is left as the invoking
564: user's \s-1UID\s0. In other words, this makes \fBsudo\fR act as a setuid
565: wrapper. This can be useful on systems that disable some potentially
1.10 millert 566: dangerous functionality when a program is run setuid. Note, however,
567: that this means that sudo will run with the real uid of the invoking
568: user which may allow that user to kill \fBsudo\fR before it can log a
569: failure, depending on how your \s-1OS\s0 defines the interaction between
570: signals and setuid processes.
1.15 millert 571: .IP "env_reset" 12
1.9 millert 572: .IX Item "env_reset"
573: If set, \fBsudo\fR will reset the environment to only contain the
574: following variables: \f(CW\*(C`HOME\*(C'\fR, \f(CW\*(C`LOGNAME\*(C'\fR, \f(CW\*(C`PATH\*(C'\fR, \f(CW\*(C`SHELL\*(C'\fR, \f(CW\*(C`TERM\*(C'\fR,
575: and \f(CW\*(C`USER\*(C'\fR (in addition to the \f(CW\*(C`SUDO_*\*(C'\fR variables).
576: Of these, only \f(CW\*(C`TERM\*(C'\fR is copied unaltered from the old environment.
577: The other variables are set to default values (possibly modified
578: by the value of the \fIset_logname\fR option). If \fBsudo\fR was compiled
579: with the \f(CW\*(C`SECURE_PATH\*(C'\fR option, its value will be used for the \f(CW\*(C`PATH\*(C'\fR
580: environment variable.
581: Other variables may be preserved with the \fIenv_keep\fR option.
1.15 millert 582: .IP "use_loginclass" 12
1.9 millert 583: .IX Item "use_loginclass"
584: If set, \fBsudo\fR will apply the defaults specified for the target user's
585: login class if one exists. Only available if \fBsudo\fR is configured with
1.15 millert 586: the \-\-with\-logincap option. This flag is \fIoff\fR by default.
1.17 ! millert 587: .IP "noexec" 12
! 588: .IX Item "noexec"
! 589: If set, all commands run via sudo will behave as if the \f(CW\*(C`NOEXEC\*(C'\fR
! 590: tag has been set, unless overridden by a \f(CW\*(C`EXEC\*(C'\fR tag. See the
! 591: description of \fI\s-1NOEXEC\s0 and \s-1EXEC\s0\fR below as well as the \*(L"\s-1PREVENTING\s0 \s-1SHELL\s0 \s-1ESCAPES\s0\*(R" section at the end of this manual. This flag is \fIoff\fR by default.
! 592: .IP "ignore_local_sudoers" 12
! 593: .IX Item "ignore_local_sudoers"
! 594: If set via \s-1LDAP\s0, parsing of \f(CW@sysconfdir\fR@/sudoers will be skipped.
! 595: This is intended for an Enterprises that wish to prevent the usage of local
! 596: sudoers files so that only \s-1LDAP\s0 is used. This thwarts the efforts of
! 597: rogue operators who would attempt to add roles to \f(CW@sysconfdir\fR@/sudoers.
! 598: When this option is present, \f(CW@sysconfdir\fR@/sudoers does not even need to exist.
! 599: Since this options tells sudo how to behave when no specific \s-1LDAP\s0 entries
! 600: have been matched, this sudoOption is only meaningful for the cn=defaults
! 601: section. This flag is \fIoff\fR by default.
1.1 millert 602: .PP
1.9 millert 603: \&\fBIntegers\fR:
1.15 millert 604: .IP "passwd_tries" 12
1.9 millert 605: .IX Item "passwd_tries"
1.4 millert 606: The number of tries a user gets to enter his/her password before
1.9 millert 607: \&\fBsudo\fR logs the failure and exits. The default is \f(CW\*(C`3\*(C'\fR.
1.1 millert 608: .PP
1.9 millert 609: \&\fBIntegers that can be used in a boolean context\fR:
1.15 millert 610: .IP "loglinelen" 12
1.9 millert 611: .IX Item "loglinelen"
1.4 millert 612: Number of characters per line for the file log. This value is used
613: to decide when to wrap lines for nicer log files. This has no
614: effect on the syslog log file, only the file log. The default is
1.9 millert 615: \&\f(CW\*(C`80\*(C'\fR (use 0 or negate the option to disable word wrap).
1.15 millert 616: .IP "timestamp_timeout" 12
1.9 millert 617: .IX Item "timestamp_timeout"
618: Number of minutes that can elapse before \fBsudo\fR will ask for a
1.15 millert 619: passwd again. The default is \f(CW\*(C`5\*(C'\fR. Set this to \f(CW0\fR to always
1.9 millert 620: prompt for a password.
1.15 millert 621: If set to a value less than \f(CW0\fR the user's timestamp will never
1.9 millert 622: expire. This can be used to allow users to create or delete their
623: own timestamps via \f(CW\*(C`sudo \-v\*(C'\fR and \f(CW\*(C`sudo \-k\*(C'\fR respectively.
1.15 millert 624: .IP "passwd_timeout" 12
1.9 millert 625: .IX Item "passwd_timeout"
1.5 millert 626: Number of minutes before the \fBsudo\fR password prompt times out.
1.15 millert 627: The default is \f(CW\*(C`5\*(C'\fR, set this to \f(CW0\fR for no password timeout.
628: .IP "umask" 12
1.9 millert 629: .IX Item "umask"
630: Umask to use when running the command. Negate this option or set
631: it to 0777 to preserve the user's umask. The default is \f(CW\*(C`0022\*(C'\fR.
1.1 millert 632: .PP
1.9 millert 633: \&\fBStrings\fR:
1.15 millert 634: .IP "mailsub" 12
1.9 millert 635: .IX Item "mailsub"
1.15 millert 636: Subject of the mail sent to the \fImailto\fR user. The escape \f(CW%h\fR
1.4 millert 637: will expand to the hostname of the machine.
1.9 millert 638: Default is \f(CW\*(C`*** SECURITY information for %h ***\*(C'\fR.
1.15 millert 639: .IP "badpass_message" 12
1.9 millert 640: .IX Item "badpass_message"
1.4 millert 641: Message that is displayed if a user enters an incorrect password.
1.9 millert 642: The default is \f(CW\*(C`Sorry, try again.\*(C'\fR unless insults are enabled.
1.15 millert 643: .IP "timestampdir" 12
1.9 millert 644: .IX Item "timestampdir"
1.4 millert 645: The directory in which \fBsudo\fR stores its timestamp files.
1.9 millert 646: The default is \fI/var/run/sudo\fR.
1.15 millert 647: .IP "timestampowner" 12
648: .IX Item "timestampowner"
649: The owner of the timestamp directory and the timestamps stored therein.
650: The default is \f(CW\*(C`root\*(C'\fR.
651: .IP "passprompt" 12
1.9 millert 652: .IX Item "passprompt"
1.4 millert 653: The default prompt to use when asking for a password; can be overridden
1.15 millert 654: via the \fB\-p\fR option or the \f(CW\*(C`SUDO_PROMPT\*(C'\fR environment variable.
655: The following percent (`\f(CW\*(C`%\*(C'\fR') escapes are supported:
656: .RS 12
657: .ie n .IP "%u" 8
658: .el .IP "\f(CW%u\fR" 8
659: .IX Item "%u"
660: expanded to the invoking user's login name
661: .ie n .IP "%U" 8
662: .el .IP "\f(CW%U\fR" 8
663: .IX Item "%U"
664: expanded to the login name of the user the command will
665: be run as (defaults to root)
666: .ie n .IP "%h" 8
667: .el .IP "\f(CW%h\fR" 8
668: .IX Item "%h"
669: expanded to the local hostname without the domain name
670: .ie n .IP "%H" 8
671: .el .IP "\f(CW%H\fR" 8
672: .IX Item "%H"
673: expanded to the local hostname including the domain name
674: (on if the machine's hostname is fully qualified or the \fIfqdn\fR
675: option is set)
676: .ie n .IP "\*(C`%%\*(C'" 8
677: .el .IP "\f(CW\*(C`%%\*(C'\fR" 8
678: .IX Item "%%"
679: two consecutive \f(CW\*(C`%\*(C'\fR characters are collaped into a single \f(CW\*(C`%\*(C'\fR character
680: .RE
681: .RS 12
682: .Sp
683: The default value is \f(CW\*(C`Password:\*(C'\fR.
684: .RE
685: .IP "runas_default" 12
1.9 millert 686: .IX Item "runas_default"
687: The default user to run commands as if the \fB\-u\fR flag is not specified
688: on the command line. This defaults to \f(CW\*(C`root\*(C'\fR.
1.17 ! millert 689: Note that if \fIrunas_default\fR is set it \fBmust\fR occur before
! 690: any \f(CW\*(C`Runas_Alias\*(C'\fR specifications.
1.15 millert 691: .IP "syslog_goodpri" 12
1.9 millert 692: .IX Item "syslog_goodpri"
1.4 millert 693: Syslog priority to use when user authenticates successfully.
1.9 millert 694: Defaults to \f(CW\*(C`notice\*(C'\fR.
1.15 millert 695: .IP "syslog_badpri" 12
1.9 millert 696: .IX Item "syslog_badpri"
1.4 millert 697: Syslog priority to use when user authenticates unsuccessfully.
1.9 millert 698: Defaults to \f(CW\*(C`alert\*(C'\fR.
1.15 millert 699: .IP "editor" 12
1.9 millert 700: .IX Item "editor"
701: A colon (':') separated list of editors allowed to be used with
702: \&\fBvisudo\fR. \fBvisudo\fR will choose the editor that matches the user's
703: \&\s-1USER\s0 environment variable if possible, or the first editor in the
704: list that exists and is executable. The default is the path to vi
705: on your system.
1.17 ! millert 706: .IP "noexec_file" 12
! 707: .IX Item "noexec_file"
! 708: Path to a shared library containing dummy versions of the \fIexecv()\fR,
! 709: \&\fIexecve()\fR and \fIfexecve()\fR library functions that just return an error.
! 710: This is used to implement the \fInoexec\fR functionality on systems that
! 711: support \f(CW\*(C`LD_PRELOAD\*(C'\fR or its equivalent. Defaults to \fI/usr/libexec/sudo_noexec.so\fR.
1.1 millert 712: .PP
1.9 millert 713: \&\fBStrings that can be used in a boolean context\fR:
1.17 ! millert 714: .IP "lecture" 12
! 715: .IX Item "lecture"
! 716: This option controls when a short lecture will be printed along with
! 717: the password prompt. It has the following possible values:
! 718: .RS 12
! 719: .IP "never" 8
! 720: .IX Item "never"
! 721: Never lecture the user.
! 722: .IP "once" 8
! 723: .IX Item "once"
! 724: Only lecture the user the first time they run \fBsudo\fR.
! 725: .IP "always" 8
! 726: .IX Item "always"
! 727: Always lecture the user.
! 728: .RE
! 729: .RS 12
! 730: .Sp
! 731: The default value is \fIonce\fR.
! 732: .RE
! 733: .IP "lecture_file" 12
! 734: .IX Item "lecture_file"
! 735: Path to a file containing an alternate sudo lecture that will
! 736: be used in place of the standard lecture if the named file exists.
1.15 millert 737: .IP "logfile" 12
1.9 millert 738: .IX Item "logfile"
1.5 millert 739: Path to the \fBsudo\fR log file (not the syslog log file). Setting a path
1.7 pjanzen 740: turns on logging to a file; negating this option turns it off.
1.15 millert 741: .IP "syslog" 12
1.9 millert 742: .IX Item "syslog"
1.4 millert 743: Syslog facility if syslog is being used for logging (negate to
1.17 ! millert 744: disable syslog logging). Defaults to \f(CW\*(C`authpriv\*(C'\fR.
1.15 millert 745: .IP "mailerpath" 12
1.9 millert 746: .IX Item "mailerpath"
1.4 millert 747: Path to mail program used to send warning mail.
748: Defaults to the path to sendmail found at configure time.
1.15 millert 749: .IP "mailerflags" 12
1.9 millert 750: .IX Item "mailerflags"
751: Flags to use when invoking mailer. Defaults to \fB\-t\fR.
1.15 millert 752: .IP "mailto" 12
1.9 millert 753: .IX Item "mailto"
754: Address to send warning and error mail to. The address should
755: be enclosed in double quotes (\f(CW\*(C`"\*(C'\fR) to protect against sudo
756: interpreting the \f(CW\*(C`@\*(C'\fR sign. Defaults to \f(CW\*(C`root\*(C'\fR.
1.15 millert 757: .IP "exempt_group" 12
1.9 millert 758: .IX Item "exempt_group"
1.4 millert 759: Users in this group are exempt from password and \s-1PATH\s0 requirements.
760: This is not set by default.
1.15 millert 761: .IP "verifypw" 12
1.9 millert 762: .IX Item "verifypw"
763: This option controls when a password will be required when a user runs
764: \&\fBsudo\fR with the \fB\-v\fR flag. It has the following possible values:
765: .RS 12
1.15 millert 766: .IP "all" 8
1.9 millert 767: .IX Item "all"
768: All the user's \fIsudoers\fR entries for the current host must have
769: the \f(CW\*(C`NOPASSWD\*(C'\fR flag set to avoid entering a password.
1.15 millert 770: .IP "any" 8
1.9 millert 771: .IX Item "any"
772: At least one of the user's \fIsudoers\fR entries for the current host
773: must have the \f(CW\*(C`NOPASSWD\*(C'\fR flag set to avoid entering a password.
1.15 millert 774: .IP "never" 8
1.9 millert 775: .IX Item "never"
776: The user need never enter a password to use the \fB\-v\fR flag.
1.15 millert 777: .IP "always" 8
1.9 millert 778: .IX Item "always"
779: The user must always enter a password to use the \fB\-v\fR flag.
780: .RE
781: .RS 12
1.3 millert 782: .Sp
1.9 millert 783: The default value is `all'.
784: .RE
1.15 millert 785: .IP "listpw" 12
1.9 millert 786: .IX Item "listpw"
1.3 millert 787: This option controls when a password will be required when a
1.15 millert 788: user runs \fBsudo\fR with the \fB\-l\fR flag. It has the following possible values:
1.9 millert 789: .RS 12
1.15 millert 790: .IP "all" 8
1.9 millert 791: .IX Item "all"
792: All the user's \fIsudoers\fR entries for the current host must have
793: the \f(CW\*(C`NOPASSWD\*(C'\fR flag set to avoid entering a password.
1.15 millert 794: .IP "any" 8
1.9 millert 795: .IX Item "any"
796: At least one of the user's \fIsudoers\fR entries for the current host
797: must have the \f(CW\*(C`NOPASSWD\*(C'\fR flag set to avoid entering a password.
1.15 millert 798: .IP "never" 8
1.9 millert 799: .IX Item "never"
800: The user need never enter a password to use the \fB\-l\fR flag.
1.15 millert 801: .IP "always" 8
1.9 millert 802: .IX Item "always"
803: The user must always enter a password to use the \fB\-l\fR flag.
804: .RE
805: .RS 12
1.3 millert 806: .Sp
1.9 millert 807: The default value is `any'.
808: .RE
809: .PP
810: \&\fBLists that can be used in a boolean context\fR:
1.15 millert 811: .IP "env_check" 12
1.9 millert 812: .IX Item "env_check"
813: Environment variables to be removed from the user's environment if
814: the variable's value contains \f(CW\*(C`%\*(C'\fR or \f(CW\*(C`/\*(C'\fR characters. This can
1.13 jmc 815: be used to guard against printf-style format vulnerabilities in
1.15 millert 816: poorly-written programs. The argument may be a double\-quoted,
817: space-separated list or a single value without double\-quotes. The
1.9 millert 818: list can be replaced, added to, deleted from, or disabled by using
819: the \f(CW\*(C`=\*(C'\fR, \f(CW\*(C`+=\*(C'\fR, \f(CW\*(C`\-=\*(C'\fR, and \f(CW\*(C`!\*(C'\fR operators respectively. The default
1.13 jmc 820: list of environment variables to check is printed when \fBsudo\fR is
1.9 millert 821: run by root with the \fI\-V\fR option.
1.15 millert 822: .IP "env_delete" 12
1.9 millert 823: .IX Item "env_delete"
824: Environment variables to be removed from the user's environment.
1.15 millert 825: The argument may be a double\-quoted, space-separated list or a
826: single value without double\-quotes. The list can be replaced, added
1.9 millert 827: to, deleted from, or disabled by using the \f(CW\*(C`=\*(C'\fR, \f(CW\*(C`+=\*(C'\fR, \f(CW\*(C`\-=\*(C'\fR, and
828: \&\f(CW\*(C`!\*(C'\fR operators respectively. The default list of environment
1.13 jmc 829: variables to remove is printed when \fBsudo\fR is run by root with the
1.15 millert 830: \&\fI\-V\fR option. Note that many operating systems will remove potentially
831: dangerous variables from the environment of any setuid process (such
832: as \fBsudo\fR).
833: .IP "env_keep" 12
1.9 millert 834: .IX Item "env_keep"
835: Environment variables to be preserved in the user's environment
836: when the \fIenv_reset\fR option is in effect. This allows fine-grained
837: control over the environment \fBsudo\fR\-spawned processes will receive.
1.15 millert 838: The argument may be a double\-quoted, space-separated list or a
839: single value without double\-quotes. The list can be replaced, added
1.9 millert 840: to, deleted from, or disabled by using the \f(CW\*(C`=\*(C'\fR, \f(CW\*(C`+=\*(C'\fR, \f(CW\*(C`\-=\*(C'\fR, and
841: \&\f(CW\*(C`!\*(C'\fR operators respectively. This list has no default members.
1.1 millert 842: .PP
1.17 ! millert 843: When logging via \fIsyslog\fR\|(3), \fBsudo\fR accepts the following values
! 844: for the syslog facility (the value of the \fBsyslog\fR Parameter):
! 845: \&\fBauthpriv\fR (if your \s-1OS\s0 supports it), \fBauth\fR, \fBdaemon\fR, \fBuser\fR,
! 846: \&\fBlocal0\fR, \fBlocal1\fR, \fBlocal2\fR, \fBlocal3\fR, \fBlocal4\fR, \fBlocal5\fR,
! 847: \&\fBlocal6\fR, and \fBlocal7\fR. The following syslog priorities are
! 848: supported: \fBalert\fR, \fBcrit\fR, \fBdebug\fR, \fBemerg\fR, \fBerr\fR, \fBinfo\fR,
! 849: \&\fBnotice\fR, and \fBwarning\fR.
1.1 millert 850: .Sh "User Specification"
1.9 millert 851: .IX Subsection "User Specification"
1.3 millert 852: .Vb 2
1.17 ! millert 853: \& User_Spec ::= User_List Host_List '=' Cmnd_Spec_List \e
! 854: \& (':' Host_List '=' Cmnd_Spec_List)*
1.1 millert 855: .Ve
1.15 millert 856: .PP
1.1 millert 857: .Vb 2
858: \& Cmnd_Spec_List ::= Cmnd_Spec |
859: \& Cmnd_Spec ',' Cmnd_Spec_List
860: .Ve
1.15 millert 861: .PP
1.1 millert 862: .Vb 1
1.17 ! millert 863: \& Cmnd_Spec ::= Runas_Spec? Tag_Spec* Cmnd
1.3 millert 864: .Ve
1.15 millert 865: .PP
1.3 millert 866: .Vb 1
867: \& Runas_Spec ::= '(' Runas_List ')'
1.1 millert 868: .Ve
1.15 millert 869: .PP
1.17 ! millert 870: .Vb 1
! 871: \& Tag_Spec ::= ('NOPASSWD:' | 'PASSWD:' | 'NOEXEC:' | 'EXEC:')
! 872: .Ve
! 873: .PP
1.1 millert 874: A \fBuser specification\fR determines which commands a user may run
875: (and as what user) on specified hosts. By default, commands are
1.7 pjanzen 876: run as \fBroot\fR, but this can be changed on a per-command basis.
1.1 millert 877: .PP
878: Let's break that down into its constituent parts:
879: .Sh "Runas_Spec"
1.9 millert 880: .IX Subsection "Runas_Spec"
881: A \f(CW\*(C`Runas_Spec\*(C'\fR is simply a \f(CW\*(C`Runas_List\*(C'\fR (as defined above)
1.1 millert 882: enclosed in a set of parentheses. If you do not specify a
1.9 millert 883: \&\f(CW\*(C`Runas_Spec\*(C'\fR in the user specification, a default \f(CW\*(C`Runas_Spec\*(C'\fR
884: of \fBroot\fR will be used. A \f(CW\*(C`Runas_Spec\*(C'\fR sets the default for
1.1 millert 885: commands that follow it. What this means is that for the entry:
886: .PP
887: .Vb 1
1.13 jmc 888: \& dgb boulder = (operator) /bin/ls, /bin/kill, /usr/bin/lprm
1.1 millert 889: .Ve
1.15 millert 890: .PP
1.1 millert 891: The user \fBdgb\fR may run \fI/bin/ls\fR, \fI/bin/kill\fR, and
1.9 millert 892: \&\fI/usr/bin/lprm\fR \*(-- but only as \fBoperator\fR. E.g.,
1.1 millert 893: .PP
894: .Vb 1
1.17 ! millert 895: \& $ sudo -u operator /bin/ls.
1.1 millert 896: .Ve
1.15 millert 897: .PP
1.9 millert 898: It is also possible to override a \f(CW\*(C`Runas_Spec\*(C'\fR later on in an
1.1 millert 899: entry. If we modify the entry like so:
900: .PP
901: .Vb 1
902: \& dgb boulder = (operator) /bin/ls, (root) /bin/kill, /usr/bin/lprm
903: .Ve
1.15 millert 904: .PP
1.1 millert 905: Then user \fBdgb\fR is now allowed to run \fI/bin/ls\fR as \fBoperator\fR,
906: but \fI/bin/kill\fR and \fI/usr/bin/lprm\fR as \fBroot\fR.
1.17 ! millert 907: .Sh "Tag_Spec"
! 908: .IX Subsection "Tag_Spec"
! 909: A command may have zero or more tags associated with it. There are
! 910: four possible tag values, \f(CW\*(C`NOPASSWD\*(C'\fR, \f(CW\*(C`PASSWD\*(C'\fR, \f(CW\*(C`NOEXEC\*(C'\fR, \f(CW\*(C`EXEC\*(C'\fR.
! 911: Once a tag is set on a \f(CW\*(C`Cmnd\*(C'\fR, subsequent \f(CW\*(C`Cmnd\*(C'\fRs in the
! 912: \&\f(CW\*(C`Cmnd_Spec_List\*(C'\fR, inherit the tag unless it is overridden by the
! 913: opposite tag (ie: \f(CW\*(C`PASSWD\*(C'\fR overrides \f(CW\*(C`NOPASSWD\*(C'\fR and \f(CW\*(C`EXEC\*(C'\fR
! 914: overrides \f(CW\*(C`NOEXEC\*(C'\fR).
! 915: .PP
! 916: \fI\s-1NOPASSWD\s0 and \s-1PASSWD\s0\fR
1.9 millert 917: .IX Subsection "NOPASSWD and PASSWD"
1.17 ! millert 918: .PP
1.1 millert 919: By default, \fBsudo\fR requires that a user authenticate him or herself
920: before running a command. This behavior can be modified via the
1.9 millert 921: \&\f(CW\*(C`NOPASSWD\*(C'\fR tag. Like a \f(CW\*(C`Runas_Spec\*(C'\fR, the \f(CW\*(C`NOPASSWD\*(C'\fR tag sets
922: a default for the commands that follow it in the \f(CW\*(C`Cmnd_Spec_List\*(C'\fR.
923: Conversely, the \f(CW\*(C`PASSWD\*(C'\fR tag can be used to reverse things.
1.1 millert 924: For example:
925: .PP
926: .Vb 1
927: \& ray rushmore = NOPASSWD: /bin/kill, /bin/ls, /usr/bin/lprm
928: .Ve
1.15 millert 929: .PP
1.1 millert 930: would allow the user \fBray\fR to run \fI/bin/kill\fR, \fI/bin/ls\fR, and
1.9 millert 931: \&\fI/usr/bin/lprm\fR as root on the machine rushmore as \fBroot\fR without
1.1 millert 932: authenticating himself. If we only want \fBray\fR to be able to
933: run \fI/bin/kill\fR without a password the entry would be:
934: .PP
935: .Vb 1
936: \& ray rushmore = NOPASSWD: /bin/kill, PASSWD: /bin/ls, /usr/bin/lprm
937: .Ve
1.15 millert 938: .PP
1.9 millert 939: Note, however, that the \f(CW\*(C`PASSWD\*(C'\fR tag has no effect on users who are
1.3 millert 940: in the group specified by the exempt_group option.
941: .PP
1.9 millert 942: By default, if the \f(CW\*(C`NOPASSWD\*(C'\fR tag is applied to any of the entries
1.3 millert 943: for a user on the current host, he or she will be able to run
1.9 millert 944: \&\f(CW\*(C`sudo \-l\*(C'\fR without a password. Additionally, a user may only run
945: \&\f(CW\*(C`sudo \-v\*(C'\fR without a password if the \f(CW\*(C`NOPASSWD\*(C'\fR tag is present
1.3 millert 946: for all a user's entries that pertain to the current host.
947: This behavior may be overridden via the verifypw and listpw options.
1.17 ! millert 948: .PP
! 949: \fI\s-1NOEXEC\s0 and \s-1EXEC\s0\fR
! 950: .IX Subsection "NOEXEC and EXEC"
! 951: .PP
! 952: If sudo has been compiled with \fInoexec\fR support and the underlying
! 953: operating system support it, the \f(CW\*(C`NOEXEC\*(C'\fR tag can be used to prevent
! 954: a dynamically-linked executable from running further commands itself.
! 955: .PP
! 956: In the following example, user \fBaaron\fR may run \fI/usr/bin/more\fR
! 957: and \fI/usr/bin/vi\fR but shell escapes will be disabled.
! 958: .PP
! 959: .Vb 1
! 960: \& aaron shanty = NOEXEC: /usr/bin/more, /usr/bin/vi
! 961: .Ve
! 962: .PP
! 963: See the \*(L"\s-1PREVENTING\s0 \s-1SHELL\s0 \s-1ESCAPES\s0\*(R" section below for more details
! 964: on how \fInoexec\fR works and whether or not it will work on your system.
! 965: .Sh "Wildcards"
! 966: .IX Subsection "Wildcards"
! 967: \&\fBsudo\fR allows shell-style \fIwildcards\fR (aka meta or glob characters)
! 968: to be used in pathnames as well as command line arguments in the
! 969: \&\fIsudoers\fR file. Wildcard matching is done via the \fB\s-1POSIX\s0\fR
! 970: \&\fIfnmatch\fR\|(3) routine. Note that these are \fInot\fR regular expressions.
1.15 millert 971: .ie n .IP "\*(C`*\*(C'" 8
972: .el .IP "\f(CW\*(C`*\*(C'\fR" 8
1.9 millert 973: .IX Item "*"
1.1 millert 974: Matches any set of zero or more characters.
1.15 millert 975: .ie n .IP "\*(C`?\*(C'" 8
976: .el .IP "\f(CW\*(C`?\*(C'\fR" 8
1.9 millert 977: .IX Item "?"
1.1 millert 978: Matches any single character.
1.15 millert 979: .ie n .IP "\*(C`[...]\*(C'" 8
980: .el .IP "\f(CW\*(C`[...]\*(C'\fR" 8
1.9 millert 981: .IX Item "[...]"
1.1 millert 982: Matches any character in the specified range.
1.15 millert 983: .ie n .IP "\*(C`[!...]\*(C'" 8
984: .el .IP "\f(CW\*(C`[!...]\*(C'\fR" 8
1.9 millert 985: .IX Item "[!...]"
1.1 millert 986: Matches any character \fBnot\fR in the specified range.
1.15 millert 987: .ie n .IP "\*(C`\ex\*(C'" 8
988: .el .IP "\f(CW\*(C`\ex\*(C'\fR" 8
1.9 millert 989: .IX Item "x"
1.1 millert 990: For any character \*(L"x\*(R", evaluates to \*(L"x\*(R". This is used to
991: escape special characters such as: \*(L"*\*(R", \*(L"?\*(R", \*(L"[\*(R", and \*(L"}\*(R".
992: .PP
993: Note that a forward slash ('/') will \fBnot\fR be matched by
994: wildcards used in the pathname. When matching the command
1.13 jmc 995: line arguments, however, a slash \fBdoes\fR get matched by
1.1 millert 996: wildcards. This is to make a path like:
997: .PP
998: .Vb 1
999: \& /usr/bin/*
1000: .Ve
1.15 millert 1001: .PP
1.17 ! millert 1002: match \fI/usr/bin/who\fR but not \fI/usr/bin/X11/xterm\fR.
! 1003: .PP
! 1004: \&\s-1WARNING:\s0 a pathname with wildcards will \fBnot\fR match a user command
! 1005: that consists of a relative path. In other words, given the
! 1006: following \fIsudoers\fR entry:
! 1007: .PP
! 1008: .Vb 1
! 1009: \& billy workstation = /usr/bin/*
! 1010: .Ve
! 1011: .PP
! 1012: user billy will be able to run any command in /usr/bin as root, such
! 1013: as \fI/usr/bin/w\fR. The following two command will be allowed (the first
! 1014: assumes that \fI/usr/bin\fR is in the user's path):
! 1015: .PP
! 1016: .Vb 2
! 1017: \& $ sudo w
! 1018: \& $ sudo /usr/bin/w
! 1019: .Ve
! 1020: .PP
! 1021: However, this will not:
! 1022: .PP
! 1023: .Vb 2
! 1024: \& $ cd /usr/bin
! 1025: \& $ sudo ./w
! 1026: .Ve
! 1027: .PP
! 1028: For this reason you should only \fBgrant\fR access to commands using
! 1029: wildcards and never \fBrestrict\fR access using them. This limitation
! 1030: will be removed in a future version of \fBsudo\fR.
! 1031: .Sh "Exceptions to wildcard rules"
! 1032: .IX Subsection "Exceptions to wildcard rules"
1.1 millert 1033: The following exceptions apply to the above rules:
1.15 millert 1034: .ie n .IP """""" 8
1035: .el .IP "\f(CW``''\fR" 8
1036: .IX Item """"""
1037: If the empty string \f(CW""\fR is the only command line argument in the
1.9 millert 1038: \&\fIsudoers\fR entry it means that command is not allowed to be run
1.1 millert 1039: with \fBany\fR arguments.
1.17 ! millert 1040: .Sh "Other special characters and reserved words"
! 1041: .IX Subsection "Other special characters and reserved words"
1.1 millert 1042: The pound sign ('#') is used to indicate a comment (unless it
1043: occurs in the context of a user name and is followed by one or
1044: more digits, in which case it is treated as a uid). Both the
1045: comment character and any text after it, up to the end of the line,
1046: are ignored.
1047: .PP
1.16 jmc 1048: The reserved word \fB\s-1ALL\s0\fR is a built-in \fIalias\fR that always causes
1.1 millert 1049: a match to succeed. It can be used wherever one might otherwise
1.9 millert 1050: use a \f(CW\*(C`Cmnd_Alias\*(C'\fR, \f(CW\*(C`User_Alias\*(C'\fR, \f(CW\*(C`Runas_Alias\*(C'\fR, or \f(CW\*(C`Host_Alias\*(C'\fR.
1.1 millert 1051: You should not try to define your own \fIalias\fR called \fB\s-1ALL\s0\fR as the
1.16 jmc 1052: built-in alias will be used in preference to your own. Please note
1.1 millert 1053: that using \fB\s-1ALL\s0\fR can be dangerous since in a command context, it
1054: allows the user to run \fBany\fR command on the system.
1055: .PP
1.9 millert 1056: An exclamation point ('!') can be used as a logical \fInot\fR operator
1057: both in an \fIalias\fR and in front of a \f(CW\*(C`Cmnd\*(C'\fR. This allows one to
1058: exclude certain values. Note, however, that using a \f(CW\*(C`!\*(C'\fR in
1.16 jmc 1059: conjunction with the built-in \f(CW\*(C`ALL\*(C'\fR alias to allow a user to
1.1 millert 1060: run \*(L"all but a few\*(R" commands rarely works as intended (see \s-1SECURITY\s0
1.9 millert 1061: \&\s-1NOTES\s0 below).
1.1 millert 1062: .PP
1.9 millert 1063: Long lines can be continued with a backslash ('\e') as the last
1.1 millert 1064: character on the line.
1065: .PP
1.7 pjanzen 1066: Whitespace between elements in a list as well as special syntactic
1.9 millert 1067: characters in a \fIUser Specification\fR ('=', ':', '(', ')') is optional.
1.1 millert 1068: .PP
1.9 millert 1069: The following characters must be escaped with a backslash ('\e') when
1.6 krw 1070: used as part of a word (e.g. a username or hostname):
1.9 millert 1071: \&'@', '!', '=', ':', ',', '(', ')', '\e'.
1.17 ! millert 1072: .SH "FILES"
! 1073: .IX Header "FILES"
! 1074: .Vb 3
! 1075: \& /etc/sudoers List of who can run what
! 1076: \& /etc/group Local groups file
! 1077: \& /etc/netgroup List of network groups
! 1078: .Ve
1.1 millert 1079: .SH "EXAMPLES"
1.9 millert 1080: .IX Header "EXAMPLES"
1.17 ! millert 1081: Since the \fIsudoers\fR file is parsed in a single pass, order is
! 1082: important. In general, you should structure \fIsudoers\fR such that
! 1083: the \f(CW\*(C`Host_Alias\*(C'\fR, \f(CW\*(C`User_Alias\*(C'\fR, and \f(CW\*(C`Cmnd_Alias\*(C'\fR specifications
! 1084: come first, followed by any \f(CW\*(C`Default_Entry\*(C'\fR lines, and finally the
! 1085: \&\f(CW\*(C`Runas_Alias\*(C'\fR and user specifications. The basic rule of thumb
! 1086: is you cannot reference an Alias that has not already been defined.
! 1087: .PP
1.1 millert 1088: Below are example \fIsudoers\fR entries. Admittedly, some of
1089: these are a bit contrived. First, we define our \fIaliases\fR:
1090: .PP
1091: .Vb 4
1092: \& # User alias specification
1093: \& User_Alias FULLTIMERS = millert, mikef, dowdy
1094: \& User_Alias PARTTIMERS = bostley, jwfox, crawl
1095: \& User_Alias WEBMASTERS = will, wendy, wim
1096: .Ve
1.15 millert 1097: .PP
1.1 millert 1098: .Vb 3
1099: \& # Runas alias specification
1100: \& Runas_Alias OP = root, operator
1101: \& Runas_Alias DB = oracle, sybase
1102: .Ve
1.15 millert 1103: .PP
1.1 millert 1104: .Vb 9
1105: \& # Host alias specification
1106: \& Host_Alias SPARC = bigtime, eclipse, moet, anchor :\e
1107: \& SGI = grolsch, dandelion, black :\e
1108: \& ALPHA = widget, thalamus, foobar :\e
1109: \& HPPA = boa, nag, python
1110: \& Host_Alias CUNETS = 128.138.0.0/255.255.0.0
1111: \& Host_Alias CSNETS = 128.138.243.0, 128.138.204.0/24, 128.138.242.0
1112: \& Host_Alias SERVERS = master, mail, www, ns
1113: \& Host_Alias CDROM = orion, perseus, hercules
1114: .Ve
1.15 millert 1115: .PP
1.1 millert 1116: .Vb 12
1117: \& # Cmnd alias specification
1118: \& Cmnd_Alias DUMPS = /usr/bin/mt, /usr/sbin/dump, /usr/sbin/rdump,\e
1119: \& /usr/sbin/restore, /usr/sbin/rrestore
1120: \& Cmnd_Alias KILL = /usr/bin/kill
1121: \& Cmnd_Alias PRINTING = /usr/sbin/lpc, /usr/bin/lprm
1122: \& Cmnd_Alias SHUTDOWN = /usr/sbin/shutdown
1.17 ! millert 1123: \& Cmnd_Alias HALT = /usr/sbin/halt
! 1124: \& Cmnd_Alias REBOOT = /usr/sbin/reboot
1.1 millert 1125: \& Cmnd_Alias SHELLS = /usr/bin/sh, /usr/bin/csh, /usr/bin/ksh, \e
1126: \& /usr/local/bin/tcsh, /usr/bin/rsh, \e
1127: \& /usr/local/bin/zsh
1128: \& Cmnd_Alias SU = /usr/bin/su
1129: .Ve
1.15 millert 1130: .PP
1.1 millert 1131: Here we override some of the compiled in default values. We want
1.15 millert 1132: \&\fBsudo\fR to log via \fIsyslog\fR\|(3) using the \fIauth\fR facility in all
1133: cases. We don't want to subject the full time staff to the \fBsudo\fR
1134: lecture, user \fBmillert\fR need not give a password, and we don't
1.17 ! millert 1135: want to reset the \f(CW\*(C`LOGNAME\*(C'\fR or \f(CW\*(C`USER\*(C'\fR environment variables when
1.15 millert 1136: running commands as root. Additionally, on the machines in the
1137: \&\fI\s-1SERVERS\s0\fR \f(CW\*(C`Host_Alias\*(C'\fR, we keep an additional local log file and
1138: make sure we log the year in each log line since the log entries
1139: will be kept around for several years.
1.1 millert 1140: .PP
1.15 millert 1141: .Vb 6
1.16 jmc 1142: \& # Override built-in defaults
1.1 millert 1143: \& Defaults syslog=auth
1.15 millert 1144: \& Defaults>root !set_logname
1.1 millert 1145: \& Defaults:FULLTIMERS !lecture
1146: \& Defaults:millert !authenticate
1147: \& Defaults@SERVERS log_year, logfile=/var/log/sudo.log
1148: .Ve
1.15 millert 1149: .PP
1.1 millert 1150: The \fIUser specification\fR is the part that actually determines who may
1151: run what.
1152: .PP
1153: .Vb 2
1154: \& root ALL = (ALL) ALL
1155: \& %wheel ALL = (ALL) ALL
1156: .Ve
1.15 millert 1157: .PP
1.1 millert 1158: We let \fBroot\fR and any user in group \fBwheel\fR run any command on any
1159: host as any user.
1160: .PP
1161: .Vb 1
1162: \& FULLTIMERS ALL = NOPASSWD: ALL
1163: .Ve
1.15 millert 1164: .PP
1.1 millert 1165: Full time sysadmins (\fBmillert\fR, \fBmikef\fR, and \fBdowdy\fR) may run any
1166: command on any host without authenticating themselves.
1167: .PP
1168: .Vb 1
1169: \& PARTTIMERS ALL = ALL
1170: .Ve
1.15 millert 1171: .PP
1.1 millert 1172: Part time sysadmins (\fBbostley\fR, \fBjwfox\fR, and \fBcrawl\fR) may run any
1173: command on any host but they must authenticate themselves first
1.9 millert 1174: (since the entry lacks the \f(CW\*(C`NOPASSWD\*(C'\fR tag).
1.1 millert 1175: .PP
1176: .Vb 1
1177: \& jack CSNETS = ALL
1178: .Ve
1.15 millert 1179: .PP
1.9 millert 1180: The user \fBjack\fR may run any command on the machines in the \fI\s-1CSNETS\s0\fR alias
1.15 millert 1181: (the networks \f(CW128.138.243.0\fR, \f(CW128.138.204.0\fR, and \f(CW128.138.242.0\fR).
1182: Of those networks, only \f(CW128.138.204.0\fR has an explicit netmask (in
1.9 millert 1183: \&\s-1CIDR\s0 notation) indicating it is a class C network. For the other
1184: networks in \fI\s-1CSNETS\s0\fR, the local machine's netmask will be used
1.1 millert 1185: during matching.
1186: .PP
1187: .Vb 1
1188: \& lisa CUNETS = ALL
1189: .Ve
1.15 millert 1190: .PP
1.9 millert 1191: The user \fBlisa\fR may run any command on any host in the \fI\s-1CUNETS\s0\fR alias
1.15 millert 1192: (the class B network \f(CW128.138.0.0\fR).
1.1 millert 1193: .PP
1194: .Vb 2
1.17 ! millert 1195: \& operator ALL = DUMPS, KILL, SHUTDOWN, HALT, REBOOT, PRINTING,\e
! 1196: \& sudoedit /etc/printcap, /usr/oper/bin/
1.1 millert 1197: .Ve
1.15 millert 1198: .PP
1.1 millert 1199: The \fBoperator\fR user may run commands limited to simple maintenance.
1200: Here, those are commands related to backups, killing processes, the
1201: printing system, shutting down the system, and any commands in the
1202: directory \fI/usr/oper/bin/\fR.
1203: .PP
1204: .Vb 1
1205: \& joe ALL = /usr/bin/su operator
1206: .Ve
1.15 millert 1207: .PP
1.1 millert 1208: The user \fBjoe\fR may only \fIsu\fR\|(1) to operator.
1209: .PP
1210: .Vb 1
1211: \& pete HPPA = /usr/bin/passwd [A-z]*, !/usr/bin/passwd root
1212: .Ve
1.15 millert 1213: .PP
1.1 millert 1214: The user \fBpete\fR is allowed to change anyone's password except for
1.9 millert 1215: root on the \fI\s-1HPPA\s0\fR machines. Note that this assumes \fIpasswd\fR\|(1)
1.1 millert 1216: does not take multiple usernames on the command line.
1217: .PP
1218: .Vb 1
1219: \& bob SPARC = (OP) ALL : SGI = (OP) ALL
1220: .Ve
1.15 millert 1221: .PP
1.9 millert 1222: The user \fBbob\fR may run anything on the \fI\s-1SPARC\s0\fR and \fI\s-1SGI\s0\fR machines
1223: as any user listed in the \fI\s-1OP\s0\fR \f(CW\*(C`Runas_Alias\*(C'\fR (\fBroot\fR and \fBoperator\fR).
1.1 millert 1224: .PP
1225: .Vb 1
1226: \& jim +biglab = ALL
1227: .Ve
1.15 millert 1228: .PP
1.1 millert 1229: The user \fBjim\fR may run any command on machines in the \fIbiglab\fR netgroup.
1.9 millert 1230: \&\fBSudo\fR knows that \*(L"biglab\*(R" is a netgroup due to the '+' prefix.
1.1 millert 1231: .PP
1232: .Vb 1
1233: \& +secretaries ALL = PRINTING, /usr/bin/adduser, /usr/bin/rmuser
1234: .Ve
1.15 millert 1235: .PP
1.1 millert 1236: Users in the \fBsecretaries\fR netgroup need to help manage the printers
1237: as well as add and remove users, so they are allowed to run those
1238: commands on all machines.
1239: .PP
1240: .Vb 1
1241: \& fred ALL = (DB) NOPASSWD: ALL
1242: .Ve
1.15 millert 1243: .PP
1.9 millert 1244: The user \fBfred\fR can run commands as any user in the \fI\s-1DB\s0\fR \f(CW\*(C`Runas_Alias\*(C'\fR
1.1 millert 1245: (\fBoracle\fR or \fBsybase\fR) without giving a password.
1246: .PP
1247: .Vb 1
1248: \& john ALPHA = /usr/bin/su [!-]*, !/usr/bin/su *root*
1249: .Ve
1.15 millert 1250: .PP
1.9 millert 1251: On the \fI\s-1ALPHA\s0\fR machines, user \fBjohn\fR may su to anyone except root
1.1 millert 1252: but he is not allowed to give \fIsu\fR\|(1) any flags.
1253: .PP
1254: .Vb 1
1255: \& jen ALL, !SERVERS = ALL
1256: .Ve
1.15 millert 1257: .PP
1.1 millert 1258: The user \fBjen\fR may run any command on any machine except for those
1.9 millert 1259: in the \fI\s-1SERVERS\s0\fR \f(CW\*(C`Host_Alias\*(C'\fR (master, mail, www and ns).
1.1 millert 1260: .PP
1261: .Vb 1
1262: \& jill SERVERS = /usr/bin/, !SU, !SHELLS
1263: .Ve
1.15 millert 1264: .PP
1.9 millert 1265: For any machine in the \fI\s-1SERVERS\s0\fR \f(CW\*(C`Host_Alias\*(C'\fR, \fBjill\fR may run
1.1 millert 1266: any commands in the directory /usr/bin/ except for those commands
1.9 millert 1267: belonging to the \fI\s-1SU\s0\fR and \fI\s-1SHELLS\s0\fR \f(CW\*(C`Cmnd_Aliases\*(C'\fR.
1.1 millert 1268: .PP
1269: .Vb 1
1270: \& steve CSNETS = (operator) /usr/local/op_commands/
1271: .Ve
1.15 millert 1272: .PP
1.1 millert 1273: The user \fBsteve\fR may run any command in the directory /usr/local/op_commands/
1274: but only as user operator.
1275: .PP
1276: .Vb 1
1277: \& matt valkyrie = KILL
1278: .Ve
1.15 millert 1279: .PP
1.1 millert 1280: On his personal workstation, valkyrie, \fBmatt\fR needs to be able to
1281: kill hung processes.
1282: .PP
1283: .Vb 1
1284: \& WEBMASTERS www = (www) ALL, (root) /usr/bin/su www
1285: .Ve
1.15 millert 1286: .PP
1.9 millert 1287: On the host www, any user in the \fI\s-1WEBMASTERS\s0\fR \f(CW\*(C`User_Alias\*(C'\fR (will,
1.1 millert 1288: wendy, and wim), may run any command as user www (which owns the
1289: web pages) or simply \fIsu\fR\|(1) to www.
1290: .PP
1291: .Vb 2
1292: \& ALL CDROM = NOPASSWD: /sbin/umount /CDROM,\e
1293: \& /sbin/mount -o nosuid\e,nodev /dev/cd0a /CDROM
1294: .Ve
1.15 millert 1295: .PP
1296: Any user may mount or unmount a CD-ROM on the machines in the \s-1CDROM\s0
1.9 millert 1297: \&\f(CW\*(C`Host_Alias\*(C'\fR (orion, perseus, hercules) without entering a password.
1.7 pjanzen 1298: This is a bit tedious for users to type, so it is a prime candidate
1.1 millert 1299: for encapsulating in a shell script.
1300: .SH "SECURITY NOTES"
1.9 millert 1301: .IX Header "SECURITY NOTES"
1302: It is generally not effective to \*(L"subtract\*(R" commands from \f(CW\*(C`ALL\*(C'\fR
1303: using the '!' operator. A user can trivially circumvent this
1.1 millert 1304: by copying the desired command to a different name and then
1305: executing that. For example:
1306: .PP
1307: .Vb 1
1308: \& bill ALL = ALL, !SU, !SHELLS
1309: .Ve
1.15 millert 1310: .PP
1.1 millert 1311: Doesn't really prevent \fBbill\fR from running the commands listed in
1.9 millert 1312: \&\fI\s-1SU\s0\fR or \fI\s-1SHELLS\s0\fR since he can simply copy those commands to a
1.1 millert 1313: different name, or use a shell escape from an editor or other
1314: program. Therefore, these kind of restrictions should be considered
1315: advisory at best (and reinforced by policy).
1.17 ! millert 1316: .SH "PREVENTING SHELL ESCAPES"
! 1317: .IX Header "PREVENTING SHELL ESCAPES"
! 1318: Once \fBsudo\fR executes a program, that program is free to do whatever
! 1319: it pleases, including run other programs. This can be a security
! 1320: issue since it is not uncommon for a program to allow shell escapes,
! 1321: which lets a user bypass \fBsudo\fR's restrictions. Common programs
! 1322: that permit shell escapes include shells (obviously), editors,
! 1323: paginators, mail and terminal programs.
! 1324: .PP
! 1325: Many systems that support shared libraries have the ability to
! 1326: override default library functions by pointing an environment
! 1327: variable (usually \f(CW\*(C`LD_PRELOAD\*(C'\fR) to an alternate shared library.
! 1328: On such systems, \fBsudo\fR's \fInoexec\fR functionality can be used to
! 1329: prevent a program run by sudo from executing any other programs.
! 1330: Note, however, that this applies only to native dynamically-linked
! 1331: executables. Statically-linked executables and foreign executables
! 1332: running under binary emulation are not affected.
! 1333: .PP
! 1334: To tell whether or not \fBsudo\fR supports \fInoexec\fR, you can run
! 1335: the following as root:
! 1336: .PP
! 1337: .Vb 1
! 1338: \& sudo -V | grep "dummy exec"
! 1339: .Ve
! 1340: .PP
! 1341: If the resulting output contains a line that begins with:
! 1342: .PP
! 1343: .Vb 1
! 1344: \& File containing dummy exec functions:
! 1345: .Ve
! 1346: .PP
! 1347: then \fBsudo\fR may be able to replace the exec family of functions
! 1348: in the standard library with its own that simply return an error.
! 1349: Unfortunately, there is no foolproof way to know whether or not
! 1350: \&\fInoexec\fR will work at compile\-time. \fINoexec\fR should work on
! 1351: SunOS, Solaris, *BSD, Linux, \s-1IRIX\s0, Tru64 \s-1UNIX\s0, MacOS X, and HP-UX
! 1352: 11.x. It is known \fBnot\fR to work on \s-1AIX\s0 and UnixWare. \fINoexec\fR
! 1353: is expected to work on most operating systems that support the
! 1354: \&\f(CW\*(C`LD_PRELOAD\*(C'\fR environment variable. Check your operating system's
! 1355: manual pages for the dynamic linker (usually ld.so, ld.so.1, dyld,
! 1356: dld.sl, rld, or loader) to see if \f(CW\*(C`LD_PRELOAD\*(C'\fR is supported.
! 1357: .PP
! 1358: To enable \fInoexec\fR for a command, use the \f(CW\*(C`NOEXEC\*(C'\fR tag as documented
! 1359: in the User Specification section above. Here is that example again:
! 1360: .PP
! 1361: .Vb 1
! 1362: \& aaron shanty = NOEXEC: /usr/bin/more, /usr/bin/vi
! 1363: .Ve
! 1364: .PP
! 1365: This allows user \fBaaron\fR to run \fI/usr/bin/more\fR and \fI/usr/bin/vi\fR
! 1366: with \fInoexec\fR enabled. This will prevent those two commands from
! 1367: executing other commands (such as a shell). If you are unsure
! 1368: whether or not your system is capable of supporting \fInoexec\fR you
! 1369: can always just try it out and see if it works.
! 1370: .PP
! 1371: Note that disabling shell escapes is not a panacea. Programs running
! 1372: as root are still capable of many potentially hazardous operations
! 1373: (such as changing or overwriting files) that could lead to unintended
! 1374: privilege escalation. In the specific case of an editor, a safer
! 1375: approach is to give the user permission to run \fBsudoedit\fR.
! 1376: .SH "SEE ALSO"
! 1377: .IX Header "SEE ALSO"
! 1378: \&\fIrsh\fR\|(1), \fIsu\fR\|(1), \fIfnmatch\fR\|(3), sudo(8), visudo(8)
1.1 millert 1379: .SH "CAVEATS"
1.9 millert 1380: .IX Header "CAVEATS"
1.1 millert 1381: The \fIsudoers\fR file should \fBalways\fR be edited by the \fBvisudo\fR
1382: command which locks the file and does grammatical checking. It is
1383: imperative that \fIsudoers\fR be free of syntax errors since \fBsudo\fR
1384: will not run with a syntactically incorrect \fIsudoers\fR file.
1.3 millert 1385: .PP
1386: When using netgroups of machines (as opposed to users), if you
1.5 millert 1387: store fully qualified hostnames in the netgroup (as is usually the
1388: case), you either need to have the machine's hostname be fully qualified
1.9 millert 1389: as returned by the \f(CW\*(C`hostname\*(C'\fR command or use the \fIfqdn\fR option in
1390: \&\fIsudoers\fR.
1.17 ! millert 1391: .SH "BUGS"
! 1392: .IX Header "BUGS"
! 1393: If you feel you have found a bug in \fBsudo\fR, please submit a bug report
! 1394: at http://www.sudo.ws/sudo/bugs/
! 1395: .SH "SUPPORT"
! 1396: .IX Header "SUPPORT"
! 1397: Commercial support is available for \fBsudo\fR, see
! 1398: http://www.sudo.ws/sudo/support.html for details.
! 1399: .PP
! 1400: Limited free support is available via the sudo-users mailing list,
! 1401: see http://www.sudo.ws/mailman/listinfo/sudo\-users to subscribe or
! 1402: search the archives.
! 1403: .SH "DISCLAIMER"
! 1404: .IX Header "DISCLAIMER"
! 1405: \&\fBSudo\fR is provided ``\s-1AS\s0 \s-1IS\s0'' and any express or implied warranties,
! 1406: including, but not limited to, the implied warranties of merchantability
! 1407: and fitness for a particular purpose are disclaimed. See the \s-1LICENSE\s0
! 1408: file distributed with \fBsudo\fR or http://www.sudo.ws/sudo/license.html
! 1409: for complete details.
![[BACK]](/icons/back.gif){kind=icon}
Return to sudoers.5 CVS log ![[TXT]](/icons/text.gif){kind=icon}
![[DIR]](/icons/dir.gif){kind=icon}
Up to [local] / src / usr.bin / sudo