Annotation of src/usr.bin/sudo/sudoers.5, Revision 1.2
1.1 millert 1: .rn '' }`
1.2 ! aaron 2: ''' $RCSfile: sudoers.5,v $$Revision: 1.1.1.1 $$Date: 1999/11/18 16:29:01 $
! 3: '''
! 4: ''' $Log: sudoers.5,v $
! 5: ''' Revision 1.1.1.1 1999/11/18 16:29:01 millert
! 6: ''' sudo 1.6, now with a BSD license
1.1 millert 7: '''
8: ''' Revision 1.15 1999/11/16 05:23:41 millert
9: ''' Add warning about using ALL in a command context.
10: '''
11: '''
12: .de Sh
13: .br
14: .if t .Sp
15: .ne 5
16: .PP
17: \fB\\$1\fR
18: .PP
19: ..
20: .de Sp
21: .if t .sp .5v
22: .if n .sp
23: ..
24: .de Ip
25: .br
26: .ie \\n(.$>=3 .ne \\$3
27: .el .ne 3
28: .IP "\\$1" \\$2
29: ..
30: .de Vb
31: .ft CW
32: .nf
33: .ne \\$1
34: ..
35: .de Ve
36: .ft R
37:
38: .fi
39: ..
40: '''
41: '''
42: ''' Set up \*(-- to give an unbreakable dash;
43: ''' string Tr holds user defined translation string.
44: ''' Bell System Logo is used as a dummy character.
45: '''
46: .tr \(*W-|\(bv\*(Tr
47: .ie n \{\
48: .ds -- \(*W-
49: .ds PI pi
50: .if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
51: .if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
52: .ds L" ""
53: .ds R" ""
54: ''' \*(M", \*(S", \*(N" and \*(T" are the equivalent of
55: ''' \*(L" and \*(R", except that they are used on ".xx" lines,
56: ''' such as .IP and .SH, which do another additional levels of
57: ''' double-quote interpretation
58: .ds M" """
59: .ds S" """
60: .ds N" """""
61: .ds T" """""
62: .ds L' '
63: .ds R' '
64: .ds M' '
65: .ds S' '
66: .ds N' '
67: .ds T' '
68: 'br\}
69: .el\{\
70: .ds -- \(em\|
71: .tr \*(Tr
72: .ds L" ``
73: .ds R" ''
74: .ds M" ``
75: .ds S" ''
76: .ds N" ``
77: .ds T" ''
78: .ds L' `
79: .ds R' '
80: .ds M' `
81: .ds S' '
82: .ds N' `
83: .ds T' '
84: .ds PI \(*p
85: 'br\}
86: .\" If the F register is turned on, we'll generate
87: .\" index entries out stderr for the following things:
88: .\" TH Title
89: .\" SH Header
90: .\" Sh Subsection
91: .\" Ip Item
92: .\" X<> Xref (embedded
93: .\" Of course, you have to process the output yourself
94: .\" in some meaninful fashion.
95: .if \nF \{
96: .de IX
97: .tm Index:\\$1\t\\n%\t"\\$2"
98: ..
99: .nr % 0
100: .rr F
101: .\}
102: .TH sudoers 5 "1.6" "15/Nov/1999" "FILE FORMATS"
103: .UC
104: .if n .hy 0
105: .if n .na
106: .ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
107: .de CQ \" put $1 in typewriter font
108: .ft CW
109: 'if n "\c
110: 'if t \\&\\$1\c
111: 'if n \\&\\$1\c
112: 'if n \&"
113: \\&\\$2 \\$3 \\$4 \\$5 \\$6 \\$7
114: '.ft R
115: ..
116: .\" @(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2
117: . \" AM - accent mark definitions
118: .bd B 3
119: . \" fudge factors for nroff and troff
120: .if n \{\
121: . ds #H 0
122: . ds #V .8m
123: . ds #F .3m
124: . ds #[ \f1
125: . ds #] \fP
126: .\}
127: .if t \{\
128: . ds #H ((1u-(\\\\n(.fu%2u))*.13m)
129: . ds #V .6m
130: . ds #F 0
131: . ds #[ \&
132: . ds #] \&
133: .\}
134: . \" simple accents for nroff and troff
135: .if n \{\
136: . ds ' \&
137: . ds ` \&
138: . ds ^ \&
139: . ds , \&
140: . ds ~ ~
141: . ds ? ?
142: . ds ! !
143: . ds /
144: . ds q
145: .\}
146: .if t \{\
147: . ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
148: . ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
149: . ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
150: . ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
151: . ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
152: . ds ? \s-2c\h'-\w'c'u*7/10'\u\h'\*(#H'\zi\d\s+2\h'\w'c'u*8/10'
153: . ds ! \s-2\(or\s+2\h'-\w'\(or'u'\v'-.8m'.\v'.8m'
154: . ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
155: . ds q o\h'-\w'o'u*8/10'\s-4\v'.4m'\z\(*i\v'-.4m'\s+4\h'\w'o'u*8/10'
156: .\}
157: . \" troff and (daisy-wheel) nroff accents
158: .ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
159: .ds 8 \h'\*(#H'\(*b\h'-\*(#H'
160: .ds v \\k:\h'-(\\n(.wu*9/10-\*(#H)'\v'-\*(#V'\*(#[\s-4v\s0\v'\*(#V'\h'|\\n:u'\*(#]
161: .ds _ \\k:\h'-(\\n(.wu*9/10-\*(#H+(\*(#F*2/3))'\v'-.4m'\z\(hy\v'.4m'\h'|\\n:u'
162: .ds . \\k:\h'-(\\n(.wu*8/10)'\v'\*(#V*4/10'\z.\v'-\*(#V*4/10'\h'|\\n:u'
163: .ds 3 \*(#[\v'.2m'\s-2\&3\s0\v'-.2m'\*(#]
164: .ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
165: .ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
166: .ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
167: .ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
168: .ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
169: .ds ae a\h'-(\w'a'u*4/10)'e
170: .ds Ae A\h'-(\w'A'u*4/10)'E
171: .ds oe o\h'-(\w'o'u*4/10)'e
172: .ds Oe O\h'-(\w'O'u*4/10)'E
173: . \" corrections for vroff
174: .if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
175: .if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
176: . \" for low resolution devices (crt and lpr)
177: .if \n(.H>23 .if \n(.V>19 \
178: \{\
179: . ds : e
180: . ds 8 ss
181: . ds v \h'-1'\o'\(aa\(ga'
182: . ds _ \h'-1'^
183: . ds . \h'-1'.
184: . ds 3 3
185: . ds o a
186: . ds d- d\h'-1'\(ga
187: . ds D- D\h'-1'\(hy
188: . ds th \o'bp'
189: . ds Th \o'LP'
190: . ds ae ae
191: . ds Ae AE
192: . ds oe oe
193: . ds Oe OE
194: .\}
195: .rm #[ #] #H #V #F C
196: .SH "NAME"
197: sudoers \- list of which users may execute what
198: .SH "DESCRIPTION"
199: The \fIsudoers\fR file is composed two types of entries:
200: aliases (basically variables) and user specifications
201: (which specify who may run what). The grammar of \fIsudoers\fR
202: will be described below in Extended Backus-Naur Form (EBNF).
203: Don't despair if you don't know what EBNF is, it is fairly
204: simple and the definitions below are annotated.
205: .Sh "Quick guide to \s-1EBNF\s0"
206: \s-1EBNF\s0 is a concise and exact way of describing the grammar of a language.
207: Each \s-1EBNF\s0 definition is made up of \fIproduction rules\fR. Eg.
208: .PP
209: .Vb 1
210: \& symbol ::= definition | alternate1 | alternate2 ...
211: .Ve
212: Each \fIproduction rule\fR references others and thus makes up a
213: grammar for the language. \s-1EBNF\s0 also contains the following
214: operators, which many readers will recognize from regular
215: expressions. Do not, however, confuse them with \*(L"wildcard\*(R"
216: characters, which have different meanings.
217: .Ip "\f(CW?\fR" 8
218: Means that the preceding symbol (or group of symbols) is optional.
219: That is, it may appear once or not at all.
220: .Ip "\f(CW*\fR" 8
221: Means that the preceding symbol (or group of symbols) may appear
222: zero or more times.
223: .Ip "\f(CW+\fR" 8
224: Means that the preceding symbol (or group of symbols) may appear
225: one or more times.
226: .PP
227: Parentheses may be used to group symbols together. For clarity,
228: we will use single quotes ('') to designate what is a verbatim character
229: string (as opposed to a symbol name).
230: .Sh "Aliases"
231: There are four kinds of aliases: the \f(CWUser_Alias\fR, \f(CWRunas_Alias\fR,
232: \f(CWHost_Alias\fR and \f(CWCmnd_Alias\fR.
233: .PP
234: .Vb 4
235: \& Alias ::= 'User_Alias' = User_Alias (':' User_Alias)* |
236: \& 'Runas_Alias' (':' Runas_Alias)* |
237: \& 'Host_Alias' (':' Host_Alias)* |
238: \& 'Cmnd_Alias' (':' Cmnd_Alias)*
239: .Ve
240: .Vb 1
241: \& User_Alias ::= NAME '=' User_List
242: .Ve
243: .Vb 1
244: \& Runas_Alias ::= NAME '=' Runas_User_List
245: .Ve
246: .Vb 1
247: \& Host_Alias ::= NAME '=' Host_List
248: .Ve
249: .Vb 1
250: \& Cmnd_Alias ::= NAME '=' Cmnd_List
251: .Ve
252: .Vb 1
253: \& NAME ::= [A-Z]([A-Z][0-9]_)*
254: .Ve
255: Each \fIalias\fR definition is of the form
256: .PP
257: .Vb 1
258: \& Alias_Type NAME = item1, item2, ...
259: .Ve
260: where \fIAlias_Type\fR is one of \f(CWUser_Alias\fR, \f(CWRunas_Alias\fR, \f(CWHost_Alias\fR,
261: or \f(CWCmnd_Alias\fR. A \f(CWNAME\fR is a string of upper case letters, numbers,
262: and the underscore characters ('_'). A \f(CWNAME\fR \fBmust\fR start with an
263: upper case letter. It is possible to put several alias definitions
264: of the same type on a single line, joined by a semicolon (':'). Eg.
265: .PP
266: .Vb 1
267: \& Alias_Type NAME = item1, item2, item3 : NAME = item4, item5
268: .Ve
269: The definitions of what constitutes a valid \fIalias\fR member follow.
270: .PP
271: .Vb 2
272: \& User_List ::= User |
273: \& User ',' User_List
274: .Ve
275: .Vb 5
276: \& User ::= '!'* username |
277: \& '!'* '#'uid |
278: \& '!'* '%'group |
279: \& '!'* '+'netgroup |
280: \& '!'* User_Alias
281: .Ve
282: A \f(CWUser_List\fR is made up of one or more usernames, uids
283: (prefixed with \*(L'#'), System groups (prefixed with \*(L'%'),
284: netgroups (prefixed with \*(L'+') and other aliases. Each list
285: item may be prefixed with one or more \*(L'!\*(R' operators. An odd number
286: of \*(L'!\*(R' operators negates the value of the item; an even number
287: just cancel each other out.
288: .PP
289: .Vb 2
290: \& Runas_List ::= Runas_User |
291: \& Runas_User ',' Runas_List
292: .Ve
293: .Vb 5
294: \& Runas_User ::= '!'* username |
295: \& '!'* '#'uid |
296: \& '!'* '%'group |
297: \& '!'* +netgroup |
298: \& '!'* Runas_Alias
299: .Ve
300: Likewise, a \f(CWRunas_List\fR has the same possible elements
301: as a \f(CWUser_List\fR, except that it can include a \f(CWRunas_Alias\fR,
302: instead of a \f(CWUser_Alias\fR.
303: .PP
304: .Vb 2
305: \& Host_List ::= Host |
306: \& Host ',' Host_List
307: .Ve
308: .Vb 5
309: \& Host ::= '!'* hostname |
310: \& '!'* ip_addr |
311: \& '!'* network(/netmask)? |
312: \& '!'* '+'netgroup |
313: \& '!'* Host_Alias
314: .Ve
315: A \f(CWHost_List\fR is made up of one or more hostnames, \s-1IP\s0 addresses,
316: network numbers, netgroups (prefixed with \*(L'+') and other aliases.
317: Again, the value of an item may be negated with the \*(L'!\*(R' operator.
318: If you do not specify a netmask with a network number, the netmask
319: of the host's ethernet \fIinterface\fR\|(s) will be used when matching.
320: The netmask may be specified either in dotted quad notation (eg.
321: 255.255.255.0) or \s-1CIDR\s0 notation (number of bits, eg. 24).
322: .PP
323: .Vb 2
324: \& Cmnd_List ::= Cmnd |
325: \& Cmnd ',' Cmnd_List
326: .Ve
327: .Vb 3
328: \& commandname ::= filename |
329: \& filename args |
330: \& filename '""'
331: .Ve
332: .Vb 3
333: \& Cmnd ::= '!'* commandname |
334: \& '!'* directory |
335: \& '!'* Cmnd_Alias
336: .Ve
337: A \f(CWCmnd_List\fR is a list of one or more commandnames, directories, and other
338: aliases. A commandname is a fully-qualified filename which may include
339: shell-style wildcards (see `Wildcards\*(R' section below). A simple
340: filename allows the user to run the command with any arguments he/she
341: wishes. However, you may also command line arguments (including wildcards).
342: Alternately, you can specify \f(CW""\fR to indicate that the command
343: may only be run \fBwithout\fR command line arguments. A directory is a
344: fully qualified pathname ending in a \*(L'/\*(R'. When you specify a directory
345: in a \f(CWCmnd_List\fR, the user will be able to run any file within that directory
346: (but not in any subdirectories therein).
347: .PP
348: If a \f(CWCmnd\fR has associated command line arguments, then the arguments
349: in the \f(CWCmnd\fR must match exactly those given by the user on the command line
350: (or match the wildcards if there are any). Note that the following
351: characters must be escaped with a \*(L'\e\*(R' if they are used in command
352: arguments: \*(L',\*(R', \*(L':\*(R', \*(L'=\*(R', \*(L'\e\*(R'.
353: .Sh "Defaults"
354: Certain configuration options may be changed from their default
355: values at runtime via one or more \f(CWDefault_Entry\fR lines. These
356: may affect all users on any host, all users on a specific host,
357: or just a specific user. When multiple entries match, they are
358: applied in order. Where there are conflicting values, the last
359: value on a matching line takes effect.
360: .PP
361: .Vb 3
362: \& Default_Type ::= 'Defaults' ||
363: \& 'Defaults' ':' User ||
364: \& 'Defaults' '@' Host
365: .Ve
366: .Vb 1
367: \& Default_Entry ::= Default_Type Parameter_List
368: .Ve
369: .Vb 2
370: \& Parameter ::= Parameter '=' Value ||
371: \& '!'* Parameter ||
372: .Ve
373: Parameters may be \fBflags\fR, \fBinteger\fR values, or \fBstrings\fR. Flags
374: are implicitly boolean and can be turned off via the \*(L'!\*(R' operator.
375: Some integer and string parameters may also be used in a boolean
376: context to disable them. Values may be enclosed in double quotes
377: (\f(CW"\fR) when they contain multiple words. Special characters may
378: be escaped with a backslash (\f(CW\e\fR).
379: .PP
380: \fBFlags\fR:
381: .Ip "long_otp_prompt" 12
382: Put \s-1OTP\s0 prompt on its own line
383: .Ip "ignore_dot" 12
384: Ignore \*(L'.\*(R' in \f(CW$PATH\fR
385: .Ip "mail_always" 12
386: Always send mail when sudo is run
387: .Ip "mail_no_user" 12
388: Send mail if the user is not in sudoers
389: .Ip "mail_no_host" 12
390: Send mail if the user is not in sudoers for this host
391: .Ip "mail_no_perms" 12
392: Send mail if the user is not allowed to run a command
393: .Ip "tty_tickets" 12
394: Use a separate timestamp for each user/tty combo
395: .Ip "lecture" 12
396: Lecture user the first time they run sudo
397: .Ip "authenticate" 12
398: Require users to authenticate by default
399: .Ip "root_sudo" 12
400: Root may run sudo
401: .Ip "log_host" 12
402: Log the hostname in the (non-syslog) log file
403: .Ip "log_year" 12
404: Log the year in the (non-syslog) log file
405: .Ip "shell_noargs" 12
406: If sudo is invoked with no arguments, start a shell
407: .Ip "set_home" 12
408: Set \f(CW$HOME\fR to the target user when starting a shell with \f(CW-s\fR
409: .Ip "path_info" 12
410: Allow some information gathering to give useful error messages
411: .Ip "fqdn" 12
412: Require fully-qualified hostnames in the sudoers file
413: .Ip "insults" 12
414: Insult the user when they enter an incorrect password
415: .Ip "requiretty" 12
416: Only allow the user to run sudo if they have a tty
417: .PP
418: \fBIntegers\fR:
419: .Ip "passwd_tries" 12
420: Number of tries to enter a password
421: .PP
422: \fBIntegers that can be used in a boolean context\fR:
423: .Ip "loglinelen" 12
424: Length at which to wrap log file lines (use 0 or negate for no wrap)
425: .Ip "timestamp_timeout" 12
426: Authentication timestamp timeout
427: .Ip "passwd_timeout" 12
428: Password prompt timeout
429: .Ip "umask" 12
430: Umask to use or 0777 to use user's
431: .PP
432: \fBStrings\fR:
433: .Ip "mailsub" 12
434: Subject line for mail messages
435: .Ip "badpass_message" 12
436: Incorrect password message
437: .Ip "timestampdir" 12
438: Path to authentication timestamp dir
439: .Ip "passprompt" 12
440: Default password prompt
441: .Ip "runas_default" 12
442: Default user to run commands as
443: .Ip "syslog_goodpri" 12
444: Syslog priority to use when user authenticates successfully
445: .Ip "syslog_badpri" 12
446: Syslog priority to use when user authenticates unsuccessfully
447: .PP
448: \fBStrings that can be used in a boolean context\fR:
449: .Ip "syslog" 12
450: Syslog facility if syslog is being used for logging (negate to disable syslog)
451: .Ip "mailerpath" 12
452: Path to mail program
453: .Ip "mailerflags" 12
454: Flags for mail program
455: .Ip "mailto" 12
456: Address to send mail to
457: .Ip "exempt_group" 12
458: Users in this group are exempt from password and \s-1PATH\s0 requirements
459: .Ip "secure_path" 12
460: Value to override user's \f(CW$PATH\fR with
461: .PP
462: When logging via \fIsyslog\fR\|(3), sudo accepts the following values for the syslog
463: facility (the value of the \fBsyslog\fR Parameter): \fBauthpriv\fR (if your \s-1OS\s0
464: supports it), \fBauth\fR, \fBdaemon\fR, \fBuser\fR, \fBlocal0\fR, \fBlocal1\fR, \fBlocal2\fR,
465: \fBlocal3\fR, \fBlocal4\fR, \fBlocal5\fR, \fBlocal6\fR, and \fBlocal7\fR. The following
466: syslog priorities are supported: \fBalert\fR, \fBcrit\fR, \fBdebug\fR, \fBemerg\fR,
467: \fBerr\fR, \fBinfo\fR, \fBnotice\fR, and \fBwarning\fR.
468: .Sh "User Specification"
469: .PP
470: .Vb 1
471: \& Runas_Spec ::= '(' Runas_List ')'
472: .Ve
473: .Vb 1
474: \& Cmnd_Spec ::= Runas_Spec? ('NOPASSWD:' | 'PASSWD:')? Cmnd
475: .Ve
476: .Vb 2
477: \& Cmnd_Spec_List ::= Cmnd_Spec |
478: \& Cmnd_Spec ',' Cmnd_Spec_List
479: .Ve
480: .Vb 1
481: \& User_Spec ::= User_list Cmnd_Spec_List (':' User_Spec)*
482: .Ve
483: A \fBuser specification\fR determines which commands a user may run
484: (and as what user) on specified hosts. By default, commands are
485: run as \fBroot\fR but this can be changed on a per-command basis.
486: .PP
487: Let's break that down into its constituent parts:
488: .Sh "Runas_Spec"
489: A \f(CWRunas_Spec\fR is simply a \f(CWRunas_List\fR (as defined above)
490: enclosed in a set of parentheses. If you do not specify a
491: \f(CWRunas_Spec\fR in the user specification, a default \f(CWRunas_Spec\fR
492: of \fBroot\fR will be used. A \f(CWRunas_Spec\fR sets the default for
493: commands that follow it. What this means is that for the entry:
494: .PP
495: .Vb 1
496: \& dgb boulder = (operator) /bin/ls, /bin/kill, /usr/bin/who
497: .Ve
498: The user \fBdgb\fR may run \fI/bin/ls\fR, \fI/bin/kill\fR, and
499: \fI/usr/bin/lprm\fR -- but only as \fBoperator\fR. Eg.
500: .PP
501: .Vb 1
502: \& sudo -u operator /bin/ls.
503: .Ve
504: It is also possible to override a \f(CWRunas_Spec\fR later on in an
505: entry. If we modify the entry like so:
506: .PP
507: .Vb 1
508: \& dgb boulder = (operator) /bin/ls, (root) /bin/kill, /usr/bin/lprm
509: .Ve
510: Then user \fBdgb\fR is now allowed to run \fI/bin/ls\fR as \fBoperator\fR,
511: but \fI/bin/kill\fR and \fI/usr/bin/lprm\fR as \fBroot\fR.
512: .Sh "\s-1NOPASSWD\s0 and \s-1PASSWD\s0"
513: By default, \fBsudo\fR requires that a user authenticate him or herself
514: before running a command. This behavior can be modified via the
515: \f(CWNOPASSWD\fR tag. Like a \f(CWRunas_Spec\fR, the \f(CWNOPASSWD\fR tag sets
516: a default for the commands that follow it in the \f(CWCmnd_Spec_List\fR.
517: Conversely, the \f(CWPASSWD\fR tag can be used to reverse things.
518: For example:
519: .PP
520: .Vb 1
521: \& ray rushmore = NOPASSWD: /bin/kill, /bin/ls, /usr/bin/lprm
522: .Ve
523: would allow the user \fBray\fR to run \fI/bin/kill\fR, \fI/bin/ls\fR, and
524: \fI/usr/bin/lprm\fR as root on the machine rushmore as \fBroot\fR without
525: authenticating himself. If we only want \fBray\fR to be able to
526: run \fI/bin/kill\fR without a password the entry would be:
527: .PP
528: .Vb 1
529: \& ray rushmore = NOPASSWD: /bin/kill, PASSWD: /bin/ls, /usr/bin/lprm
530: .Ve
531: .Sh "Wildcards (aka meta characters):"
532: \fBsudo\fR allows shell-style \fIwildcards\fR to be used in pathnames
533: as well as command line arguments in the \fIsudoers\fR file. Wildcard
534: matching is done via the \fB\s-1POSIX\s0\fR \f(CWfnmatch(3)\fR routine. Note that
535: these are \fInot\fR regular expressions.
536: .Ip "\f(CW*\fR" 8
537: Matches any set of zero or more characters.
538: .Ip "\f(CW?\fR" 8
539: Matches any single character.
540: .Ip "\f(CW[...]\fR" 8
541: Matches any character in the specified range.
542: .Ip "\f(CW[!...]\fR" 8
543: Matches any character \fBnot\fR in the specified range.
544: .Ip "\f(CW\ex\fR" 8
545: For any character \*(L"x\*(R", evaluates to \*(L"x\*(R". This is used to
546: escape special characters such as: \*(L"*\*(R", \*(L"?\*(R", \*(L"[\*(R", and \*(L"}\*(R".
547: .PP
548: Note that a forward slash ('/') will \fBnot\fR be matched by
549: wildcards used in the pathname. When matching the command
550: line arguments, however, as slash \fBdoes\fR get matched by
551: wildcards. This is to make a path like:
552: .PP
553: .Vb 1
554: \& /usr/bin/*
555: .Ve
556: match \f(CW/usr/bin/who\fR but not \f(CW/usr/bin/X11/xterm\fR.
557: .Sh "Exceptions to wildcard rules:"
558: The following exceptions apply to the above rules:
559: .Ip \f(CW""\fR 8
560: If the empty string \f(CW""\fR is the only command line argument in the
561: \fIsudoers\fR entry it means that command is not allowed to be run
562: with \fBany\fR arguments.
563: .Sh "Other special characters and reserved words:"
564: The pound sign ('#') is used to indicate a comment (unless it
565: occurs in the context of a user name and is followed by one or
566: more digits, in which case it is treated as a uid). Both the
567: comment character and any text after it, up to the end of the line,
568: are ignored.
569: .PP
1.2 ! aaron 570: The reserved word \fB\s-1ALL\s0\fR is a built in \fIalias\fR that always causes
1.1 millert 571: a match to succeed. It can be used wherever one might otherwise
572: use a \f(CWCmnd_Alias\fR, \f(CWUser_Alias\fR, \f(CWRunas_Alias\fR, or \f(CWHost_Alias\fR.
573: You should not try to define your own \fIalias\fR called \fB\s-1ALL\s0\fR as the
574: built in alias will be used in preference to your own. Please note
575: that using \fB\s-1ALL\s0\fR can be dangerous since in a command context, it
576: allows the user to run \fBany\fR command on the system.
577: .PP
578: An exclamation point (\*(R'!') can be used as a logical \fInot\fR operator
579: both in an \fIalias\fR and in front of a \f(CWCmnd\fR. This allows one to
580: exclude certain values. Note, however, that using a \f(CW!\fR in
581: conjunction with the built in \f(CWALL\fR alias to allow a user to
582: run \*(L"all but a few\*(R" commands rarely works as intended (see \s-1SECURITY\s0
583: \s-1NOTES\s0 below).
584: .PP
585: Long lines can be continued with a backslash (\*(R'\e') as the last
586: character on the line.
587: .PP
588: Whitespace between elements in a list as well as specicial syntactic
589: characters in a \fIUser Specification\fR ('=\*(R', \*(L':\*(R', \*(L'(\*(R', \*(L')') is optional.
590: .PP
591: The following characters must be escaped with a backslash (\*(R'\e') when
592: used as part of a word (eg. a username or hostname):
593: \&'@\*(R', \*(L'!\*(R', \*(L'=\*(R', \*(L':\*(R', \*(L',\*(R', \*(L'(\*(R', \*(L')\*(R', \*(L'\e\*(R'.
594: .SH "EXAMPLES"
595: Below are example \fIsudoers\fR entries. Admittedly, some of
596: these are a bit contrived. First, we define our \fIaliases\fR:
597: .PP
598: .Vb 4
599: \& # User alias specification
600: \& User_Alias FULLTIMERS = millert, mikef, dowdy
601: \& User_Alias PARTTIMERS = bostley, jwfox, crawl
602: \& User_Alias WEBMASTERS = will, wendy, wim
603: .Ve
604: .Vb 3
605: \& # Runas alias specification
606: \& Runas_Alias OP = root, operator
607: \& Runas_Alias DB = oracle, sybase
608: .Ve
609: .Vb 9
610: \& # Host alias specification
611: \& Host_Alias SPARC = bigtime, eclipse, moet, anchor :\e
612: \& SGI = grolsch, dandelion, black :\e
613: \& ALPHA = widget, thalamus, foobar :\e
614: \& HPPA = boa, nag, python
615: \& Host_Alias CUNETS = 128.138.0.0/255.255.0.0
616: \& Host_Alias CSNETS = 128.138.243.0, 128.138.204.0/24, 128.138.242.0
617: \& Host_Alias SERVERS = master, mail, www, ns
618: \& Host_Alias CDROM = orion, perseus, hercules
619: .Ve
620: .Vb 12
621: \& # Cmnd alias specification
622: \& Cmnd_Alias DUMPS = /usr/bin/mt, /usr/sbin/dump, /usr/sbin/rdump,\e
623: \& /usr/sbin/restore, /usr/sbin/rrestore
624: \& Cmnd_Alias KILL = /usr/bin/kill
625: \& Cmnd_Alias PRINTING = /usr/sbin/lpc, /usr/bin/lprm
626: \& Cmnd_Alias SHUTDOWN = /usr/sbin/shutdown
627: \& Cmnd_Alias HALT = /usr/sbin/halt, /usr/sbin/fasthalt
628: \& Cmnd_Alias REBOOT = /usr/sbin/reboot, /usr/sbin/fastboot
629: \& Cmnd_Alias SHELLS = /usr/bin/sh, /usr/bin/csh, /usr/bin/ksh, \e
630: \& /usr/local/bin/tcsh, /usr/bin/rsh, \e
631: \& /usr/local/bin/zsh
632: \& Cmnd_Alias SU = /usr/bin/su
633: .Ve
634: Here we override some of the compiled in default values. We want
635: sudo to log via \fIsyslog\fR\|(3) using the \fIauth\fR facility in all cases.
636: We don't want to subject the full time staff to the \fBsudo\fR lecture,
637: and user \fBmillert\fR need not give a password. In addition, on the
638: machines in the \fISERVERS\fR \f(CWHost_Alias\fR, we keep an additional
639: local log file and make sure we log the year in each log line since
640: the log entries will be kept around for several years.
641: .PP
642: .Vb 5
643: \& # Override builtin defaults
644: \& Defaults syslog=auth
645: \& Defaults:FULLTIMERS !lecture
646: \& Defaults:millert !authenticate
647: \& Defaults@SERVERS log_year, logfile=/var/log/sudo.log
648: .Ve
649: The \fIUser specification\fR is the part that actually determines who may
650: run what.
651: .PP
652: .Vb 2
653: \& root ALL = (ALL) ALL
654: \& %wheel ALL = (ALL) ALL
655: .Ve
656: We let \fBroot\fR and any user in group \fBwheel\fR run any command on any
657: host as any user.
658: .PP
659: .Vb 1
660: \& FULLTIMERS ALL = NOPASSWD: ALL
661: .Ve
662: Full time sysadmins (\fBmillert\fR, \fBmikef\fR, and \fBdowdy\fR) may run any
663: command on any host without authenticating themselves.
664: .PP
665: .Vb 1
666: \& PARTTIMERS ALL = ALL
667: .Ve
668: Part time sysadmins (\fBbostley\fR, \fBjwfox\fR, and \fBcrawl\fR) may run any
669: command on any host but they must authenticate themselves first
670: (since the entry lacks the \f(CWNOPASSWD\fR tag).
671: .PP
672: .Vb 1
673: \& jack CSNETS = ALL
674: .Ve
675: The user \fBjack\fR may run any command on the machines in the \fICSNETS\fR alias
676: (the networks \f(CW128.138.243.0\fR, \f(CW128.138.204.0\fR, and \f(CW128.138.242.0\fR).
677: Of those networks, only <128.138.204.0> has an explicit netmask (in
678: CIDR notation) indicating it is a class C network. For the other
679: networks in \fICSNETS\fR, the local machine's netmask will be used
680: during matching.
681: .PP
682: .Vb 1
683: \& lisa CUNETS = ALL
684: .Ve
685: The user \fBlisa\fR may run any command on any host in the \fICUNETS\fR alias
686: (the class B network \f(CW128.138.0.0\fR).
687: .PP
688: .Vb 2
689: \& operator ALL = DUMPS, KILL, PRINTING, SHUTDOWN, HALT, REBOOT,\e
690: \& /usr/oper/bin/
691: .Ve
692: The \fBoperator\fR user may run commands limited to simple maintenance.
693: Here, those are commands related to backups, killing processes, the
694: printing system, shutting down the system, and any commands in the
695: directory \fI/usr/oper/bin/\fR.
696: .PP
697: .Vb 1
698: \& joe ALL = /usr/bin/su operator
699: .Ve
700: The user \fBjoe\fR may only \fIsu\fR\|(1) to operator.
701: .PP
702: .Vb 1
703: \& pete HPPA = /usr/bin/passwd [A-z]*, !/usr/bin/passwd root
704: .Ve
705: The user \fBpete\fR is allowed to change anyone's password except for
706: root on the \fIHPPA\fR machines. Note that this assumes \fIpasswd\fR\|(1)
707: does not take multiple usernames on the command line.
708: .PP
709: .Vb 1
710: \& bob SPARC = (OP) ALL : SGI = (OP) ALL
711: .Ve
712: The user \fBbob\fR may run anything on the \fISPARC\fR and \fISGI\fR machines
713: as any user listed in the \fIOP\fR \f(CWRunas_Alias\fR (\fBroot\fR and \fBoperator\fR).
714: .PP
715: .Vb 1
716: \& jim +biglab = ALL
717: .Ve
718: The user \fBjim\fR may run any command on machines in the \fIbiglab\fR netgroup.
719: \fBSudo\fR knows that \*(L"biglab\*(R" is a netgroup due to the \*(L'+\*(R' prefix.
720: .PP
721: .Vb 1
722: \& +secretaries ALL = PRINTING, /usr/bin/adduser, /usr/bin/rmuser
723: .Ve
724: Users in the \fBsecretaries\fR netgroup need to help manage the printers
725: as well as add and remove users, so they are allowed to run those
726: commands on all machines.
727: .PP
728: .Vb 1
729: \& fred ALL = (DB) NOPASSWD: ALL
730: .Ve
731: The user \fBfred\fR can run commands as any user in the \fIDB\fR \f(CWRunas_Alias\fR
732: (\fBoracle\fR or \fBsybase\fR) without giving a password.
733: .PP
734: .Vb 1
735: \& john ALPHA = /usr/bin/su [!-]*, !/usr/bin/su *root*
736: .Ve
737: On the \fIALPHA\fR machines, user \fBjohn\fR may su to anyone except root
738: but he is not allowed to give \fIsu\fR\|(1) any flags.
739: .PP
740: .Vb 1
741: \& jen ALL, !SERVERS = ALL
742: .Ve
743: The user \fBjen\fR may run any command on any machine except for those
744: in the \fISERVERS\fR \f(CWHost_Alias\fR (master, mail, www and ns).
745: .PP
746: .Vb 1
747: \& jill SERVERS = /usr/bin/, !SU, !SHELLS
748: .Ve
749: For any machine in the \fISERVERS\fR \f(CWHost_Alias\fR, \fBjill\fR may run
750: any commands in the directory /usr/bin/ except for those commands
751: belonging to the \fISU\fR and \fISHELLS\fR \f(CWCmnd_Aliases\fR.
752: .PP
753: .Vb 1
754: \& steve CSNETS = (operator) /usr/local/op_commands/
755: .Ve
756: The user \fBsteve\fR may run any command in the directory /usr/local/op_commands/
757: but only as user operator.
758: .PP
759: .Vb 1
760: \& matt valkyrie = KILL
761: .Ve
762: On his personal workstation, valkyrie, \fBmatt\fR needs to be able to
763: kill hung processes.
764: .PP
765: .Vb 1
766: \& WEBMASTERS www = (www) ALL, (root) /usr/bin/su www
767: .Ve
768: On the host www, any user in the \fIWEBMASTERS\fR \f(CWUser_Alias\fR (will,
769: wendy, and wim), may run any command as user www (which owns the
770: web pages) or simply \fIsu\fR\|(1) to www.
771: .PP
772: .Vb 2
773: \& ALL CDROM = NOPASSWD: /sbin/umount /CDROM,\e
774: \& /sbin/mount -o nosuid\e,nodev /dev/cd0a /CDROM
775: .Ve
776: Any user may mount or unmount a CD\-ROM on the machines in the CDROM
777: \f(CWHost_Alias\fR (orion, perseus, hercules) without entering a password.
778: This is a bit tedious for users to type, so it is a prime candiate
779: for encapsulating in a shell script.
780: .SH "SECURITY NOTES"
781: It is generally not effective to \*(L"subtract\*(R" commands from \f(CWALL\fR
782: using the \*(L'!\*(R' operator. A user can trivially circumvent this
783: by copying the desired command to a different name and then
784: executing that. For example:
785: .PP
786: .Vb 1
787: \& bill ALL = ALL, !SU, !SHELLS
788: .Ve
789: Doesn't really prevent \fBbill\fR from running the commands listed in
790: \fISU\fR or \fISHELLS\fR since he can simply copy those commands to a
791: different name, or use a shell escape from an editor or other
792: program. Therefore, these kind of restrictions should be considered
793: advisory at best (and reinforced by policy).
794: .SH "CAVEATS"
795: The \fIsudoers\fR file should \fBalways\fR be edited by the \fBvisudo\fR
796: command which locks the file and does grammatical checking. It is
797: imperative that \fIsudoers\fR be free of syntax errors since \fBsudo\fR
798: will not run with a syntactically incorrect \fIsudoers\fR file.
799: .SH "FILES"
800: .PP
801: .Vb 3
802: \& /etc/sudoers List of who can run what
803: \& /etc/group Local groups file
804: \& /etc/netgroup List of network groups
805: .Ve
806: .SH "SEE ALSO"
807: \fIsudo\fR\|(8), \fIvisudo\fR\|(8), \fIsu\fR\|(1), \fIfnmatch\fR\|(3).
808:
809: .rn }` ''
810: .IX Title "sudoers 5"
811: .IX Name "sudoers - list of which users may execute what"
812:
813: .IX Header "NAME"
814:
815: .IX Header "DESCRIPTION"
816:
817: .IX Subsection "Quick guide to \s-1EBNF\s0"
818:
819: .IX Item "\f(CW?\fR"
820:
821: .IX Item "\f(CW*\fR"
822:
823: .IX Item "\f(CW+\fR"
824:
825: .IX Subsection "Aliases"
826:
827: .IX Subsection "Defaults"
828:
829: .IX Item "long_otp_prompt"
830:
831: .IX Item "ignore_dot"
832:
833: .IX Item "mail_always"
834:
835: .IX Item "mail_no_user"
836:
837: .IX Item "mail_no_host"
838:
839: .IX Item "mail_no_perms"
840:
841: .IX Item "tty_tickets"
842:
843: .IX Item "lecture"
844:
845: .IX Item "authenticate"
846:
847: .IX Item "root_sudo"
848:
849: .IX Item "log_host"
850:
851: .IX Item "log_year"
852:
853: .IX Item "shell_noargs"
854:
855: .IX Item "set_home"
856:
857: .IX Item "path_info"
858:
859: .IX Item "fqdn"
860:
861: .IX Item "insults"
862:
863: .IX Item "requiretty"
864:
865: .IX Item "passwd_tries"
866:
867: .IX Item "loglinelen"
868:
869: .IX Item "timestamp_timeout"
870:
871: .IX Item "passwd_timeout"
872:
873: .IX Item "umask"
874:
875: .IX Item "mailsub"
876:
877: .IX Item "badpass_message"
878:
879: .IX Item "timestampdir"
880:
881: .IX Item "passprompt"
882:
883: .IX Item "runas_default"
884:
885: .IX Item "syslog_goodpri"
886:
887: .IX Item "syslog_badpri"
888:
889: .IX Item "syslog"
890:
891: .IX Item "mailerpath"
892:
893: .IX Item "mailerflags"
894:
895: .IX Item "mailto"
896:
897: .IX Item "exempt_group"
898:
899: .IX Item "secure_path"
900:
901: .IX Subsection "User Specification"
902:
903: .IX Subsection "Runas_Spec"
904:
905: .IX Subsection "\s-1NOPASSWD\s0 and \s-1PASSWD\s0"
906:
907: .IX Subsection "Wildcards (aka meta characters):"
908:
909: .IX Item "\f(CW*\fR"
910:
911: .IX Item "\f(CW?\fR"
912:
913: .IX Item "\f(CW[...]\fR"
914:
915: .IX Item "\f(CW[!...]\fR"
916:
917: .IX Item "\f(CW\ex\fR"
918:
919: .IX Subsection "Exceptions to wildcard rules:"
920:
921: .IX Item "\f(CW""\fR"
922:
923: .IX Subsection "Other special characters and reserved words:"
924:
925: .IX Header "EXAMPLES"
926:
927: .IX Header "SECURITY NOTES"
928:
929: .IX Header "CAVEATS"
930:
931: .IX Header "FILES"
932:
933: .IX Header "SEE ALSO"
934: