Annotation of src/usr.bin/sudo/sudoers.5, Revision 1.3
1.1 millert 1: .rn '' }`
1.3 ! millert 2: ''' $RCSfile: sudoers.man,v $$Revision: 1.22 $$Date: 2000/01/24 03:57:49 $
1.2 aaron 3: '''
1.3 ! millert 4: ''' $Log: sudoers.man,v $
! 5: ''' Revision 1.22 2000/01/24 03:57:49 millert
! 6: ''' Add netgroup caveat
1.1 millert 7: '''
8: '''
9: .de Sh
10: .br
11: .if t .Sp
12: .ne 5
13: .PP
14: \fB\\$1\fR
15: .PP
16: ..
17: .de Sp
18: .if t .sp .5v
19: .if n .sp
20: ..
21: .de Ip
22: .br
23: .ie \\n(.$>=3 .ne \\$3
24: .el .ne 3
25: .IP "\\$1" \\$2
26: ..
27: .de Vb
28: .ft CW
29: .nf
30: .ne \\$1
31: ..
32: .de Ve
33: .ft R
34:
35: .fi
36: ..
37: '''
38: '''
39: ''' Set up \*(-- to give an unbreakable dash;
40: ''' string Tr holds user defined translation string.
41: ''' Bell System Logo is used as a dummy character.
42: '''
43: .tr \(*W-|\(bv\*(Tr
44: .ie n \{\
45: .ds -- \(*W-
46: .ds PI pi
47: .if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
48: .if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
49: .ds L" ""
50: .ds R" ""
51: ''' \*(M", \*(S", \*(N" and \*(T" are the equivalent of
52: ''' \*(L" and \*(R", except that they are used on ".xx" lines,
53: ''' such as .IP and .SH, which do another additional levels of
54: ''' double-quote interpretation
55: .ds M" """
56: .ds S" """
57: .ds N" """""
58: .ds T" """""
59: .ds L' '
60: .ds R' '
61: .ds M' '
62: .ds S' '
63: .ds N' '
64: .ds T' '
65: 'br\}
66: .el\{\
67: .ds -- \(em\|
68: .tr \*(Tr
69: .ds L" ``
70: .ds R" ''
71: .ds M" ``
72: .ds S" ''
73: .ds N" ``
74: .ds T" ''
75: .ds L' `
76: .ds R' '
77: .ds M' `
78: .ds S' '
79: .ds N' `
80: .ds T' '
81: .ds PI \(*p
82: 'br\}
83: .\" If the F register is turned on, we'll generate
84: .\" index entries out stderr for the following things:
85: .\" TH Title
86: .\" SH Header
87: .\" Sh Subsection
88: .\" Ip Item
89: .\" X<> Xref (embedded
90: .\" Of course, you have to process the output yourself
91: .\" in some meaninful fashion.
92: .if \nF \{
93: .de IX
94: .tm Index:\\$1\t\\n%\t"\\$2"
95: ..
96: .nr % 0
97: .rr F
98: .\}
1.3 ! millert 99: .TH sudoers 5 "1.6.2" "23/Jan/2000" "FILE FORMATS"
1.1 millert 100: .UC
101: .if n .hy 0
102: .if n .na
103: .ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
104: .de CQ \" put $1 in typewriter font
105: .ft CW
106: 'if n "\c
107: 'if t \\&\\$1\c
108: 'if n \\&\\$1\c
109: 'if n \&"
110: \\&\\$2 \\$3 \\$4 \\$5 \\$6 \\$7
111: '.ft R
112: ..
113: .\" @(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2
114: . \" AM - accent mark definitions
115: .bd B 3
116: . \" fudge factors for nroff and troff
117: .if n \{\
118: . ds #H 0
119: . ds #V .8m
120: . ds #F .3m
121: . ds #[ \f1
122: . ds #] \fP
123: .\}
124: .if t \{\
125: . ds #H ((1u-(\\\\n(.fu%2u))*.13m)
126: . ds #V .6m
127: . ds #F 0
128: . ds #[ \&
129: . ds #] \&
130: .\}
131: . \" simple accents for nroff and troff
132: .if n \{\
133: . ds ' \&
134: . ds ` \&
135: . ds ^ \&
136: . ds , \&
137: . ds ~ ~
138: . ds ? ?
139: . ds ! !
140: . ds /
141: . ds q
142: .\}
143: .if t \{\
144: . ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
145: . ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
146: . ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
147: . ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
148: . ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
149: . ds ? \s-2c\h'-\w'c'u*7/10'\u\h'\*(#H'\zi\d\s+2\h'\w'c'u*8/10'
150: . ds ! \s-2\(or\s+2\h'-\w'\(or'u'\v'-.8m'.\v'.8m'
151: . ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
152: . ds q o\h'-\w'o'u*8/10'\s-4\v'.4m'\z\(*i\v'-.4m'\s+4\h'\w'o'u*8/10'
153: .\}
154: . \" troff and (daisy-wheel) nroff accents
155: .ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
156: .ds 8 \h'\*(#H'\(*b\h'-\*(#H'
157: .ds v \\k:\h'-(\\n(.wu*9/10-\*(#H)'\v'-\*(#V'\*(#[\s-4v\s0\v'\*(#V'\h'|\\n:u'\*(#]
158: .ds _ \\k:\h'-(\\n(.wu*9/10-\*(#H+(\*(#F*2/3))'\v'-.4m'\z\(hy\v'.4m'\h'|\\n:u'
159: .ds . \\k:\h'-(\\n(.wu*8/10)'\v'\*(#V*4/10'\z.\v'-\*(#V*4/10'\h'|\\n:u'
160: .ds 3 \*(#[\v'.2m'\s-2\&3\s0\v'-.2m'\*(#]
161: .ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
162: .ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
163: .ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
164: .ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
165: .ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
166: .ds ae a\h'-(\w'a'u*4/10)'e
167: .ds Ae A\h'-(\w'A'u*4/10)'E
168: .ds oe o\h'-(\w'o'u*4/10)'e
169: .ds Oe O\h'-(\w'O'u*4/10)'E
170: . \" corrections for vroff
171: .if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
172: .if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
173: . \" for low resolution devices (crt and lpr)
174: .if \n(.H>23 .if \n(.V>19 \
175: \{\
176: . ds : e
177: . ds 8 ss
178: . ds v \h'-1'\o'\(aa\(ga'
179: . ds _ \h'-1'^
180: . ds . \h'-1'.
181: . ds 3 3
182: . ds o a
183: . ds d- d\h'-1'\(ga
184: . ds D- D\h'-1'\(hy
185: . ds th \o'bp'
186: . ds Th \o'LP'
187: . ds ae ae
188: . ds Ae AE
189: . ds oe oe
190: . ds Oe OE
191: .\}
192: .rm #[ #] #H #V #F C
193: .SH "NAME"
194: sudoers \- list of which users may execute what
195: .SH "DESCRIPTION"
196: The \fIsudoers\fR file is composed two types of entries:
197: aliases (basically variables) and user specifications
198: (which specify who may run what). The grammar of \fIsudoers\fR
199: will be described below in Extended Backus-Naur Form (EBNF).
200: Don't despair if you don't know what EBNF is, it is fairly
201: simple and the definitions below are annotated.
202: .Sh "Quick guide to \s-1EBNF\s0"
203: \s-1EBNF\s0 is a concise and exact way of describing the grammar of a language.
204: Each \s-1EBNF\s0 definition is made up of \fIproduction rules\fR. Eg.
205: .PP
206: .Vb 1
207: \& symbol ::= definition | alternate1 | alternate2 ...
208: .Ve
209: Each \fIproduction rule\fR references others and thus makes up a
210: grammar for the language. \s-1EBNF\s0 also contains the following
211: operators, which many readers will recognize from regular
212: expressions. Do not, however, confuse them with \*(L"wildcard\*(R"
213: characters, which have different meanings.
214: .Ip "\f(CW?\fR" 8
215: Means that the preceding symbol (or group of symbols) is optional.
216: That is, it may appear once or not at all.
217: .Ip "\f(CW*\fR" 8
218: Means that the preceding symbol (or group of symbols) may appear
219: zero or more times.
220: .Ip "\f(CW+\fR" 8
221: Means that the preceding symbol (or group of symbols) may appear
222: one or more times.
223: .PP
224: Parentheses may be used to group symbols together. For clarity,
225: we will use single quotes ('') to designate what is a verbatim character
226: string (as opposed to a symbol name).
227: .Sh "Aliases"
228: There are four kinds of aliases: the \f(CWUser_Alias\fR, \f(CWRunas_Alias\fR,
229: \f(CWHost_Alias\fR and \f(CWCmnd_Alias\fR.
230: .PP
231: .Vb 4
232: \& Alias ::= 'User_Alias' = User_Alias (':' User_Alias)* |
1.3 ! millert 233: \& 'Runas_Alias' = Runas_Alias (':' Runas_Alias)* |
! 234: \& 'Host_Alias' = Host_Alias (':' Host_Alias)* |
! 235: \& 'Cmnd_Alias' = Cmnd_Alias (':' Cmnd_Alias)*
1.1 millert 236: .Ve
237: .Vb 1
238: \& User_Alias ::= NAME '=' User_List
239: .Ve
240: .Vb 1
241: \& Runas_Alias ::= NAME '=' Runas_User_List
242: .Ve
243: .Vb 1
244: \& Host_Alias ::= NAME '=' Host_List
245: .Ve
246: .Vb 1
247: \& Cmnd_Alias ::= NAME '=' Cmnd_List
248: .Ve
249: .Vb 1
250: \& NAME ::= [A-Z]([A-Z][0-9]_)*
251: .Ve
252: Each \fIalias\fR definition is of the form
253: .PP
254: .Vb 1
255: \& Alias_Type NAME = item1, item2, ...
256: .Ve
257: where \fIAlias_Type\fR is one of \f(CWUser_Alias\fR, \f(CWRunas_Alias\fR, \f(CWHost_Alias\fR,
258: or \f(CWCmnd_Alias\fR. A \f(CWNAME\fR is a string of upper case letters, numbers,
259: and the underscore characters ('_'). A \f(CWNAME\fR \fBmust\fR start with an
260: upper case letter. It is possible to put several alias definitions
261: of the same type on a single line, joined by a semicolon (':'). Eg.
262: .PP
263: .Vb 1
264: \& Alias_Type NAME = item1, item2, item3 : NAME = item4, item5
265: .Ve
266: The definitions of what constitutes a valid \fIalias\fR member follow.
267: .PP
268: .Vb 2
269: \& User_List ::= User |
270: \& User ',' User_List
271: .Ve
272: .Vb 5
273: \& User ::= '!'* username |
274: \& '!'* '#'uid |
275: \& '!'* '%'group |
276: \& '!'* '+'netgroup |
277: \& '!'* User_Alias
278: .Ve
279: A \f(CWUser_List\fR is made up of one or more usernames, uids
280: (prefixed with \*(L'#'), System groups (prefixed with \*(L'%'),
281: netgroups (prefixed with \*(L'+') and other aliases. Each list
282: item may be prefixed with one or more \*(L'!\*(R' operators. An odd number
283: of \*(L'!\*(R' operators negates the value of the item; an even number
284: just cancel each other out.
285: .PP
286: .Vb 2
287: \& Runas_List ::= Runas_User |
288: \& Runas_User ',' Runas_List
289: .Ve
290: .Vb 5
291: \& Runas_User ::= '!'* username |
292: \& '!'* '#'uid |
293: \& '!'* '%'group |
294: \& '!'* +netgroup |
295: \& '!'* Runas_Alias
296: .Ve
297: Likewise, a \f(CWRunas_List\fR has the same possible elements
298: as a \f(CWUser_List\fR, except that it can include a \f(CWRunas_Alias\fR,
299: instead of a \f(CWUser_Alias\fR.
300: .PP
301: .Vb 2
302: \& Host_List ::= Host |
303: \& Host ',' Host_List
304: .Ve
305: .Vb 5
306: \& Host ::= '!'* hostname |
307: \& '!'* ip_addr |
308: \& '!'* network(/netmask)? |
309: \& '!'* '+'netgroup |
310: \& '!'* Host_Alias
311: .Ve
312: A \f(CWHost_List\fR is made up of one or more hostnames, \s-1IP\s0 addresses,
313: network numbers, netgroups (prefixed with \*(L'+') and other aliases.
314: Again, the value of an item may be negated with the \*(L'!\*(R' operator.
315: If you do not specify a netmask with a network number, the netmask
316: of the host's ethernet \fIinterface\fR\|(s) will be used when matching.
317: The netmask may be specified either in dotted quad notation (eg.
318: 255.255.255.0) or \s-1CIDR\s0 notation (number of bits, eg. 24).
319: .PP
320: .Vb 2
321: \& Cmnd_List ::= Cmnd |
322: \& Cmnd ',' Cmnd_List
323: .Ve
324: .Vb 3
325: \& commandname ::= filename |
326: \& filename args |
327: \& filename '""'
328: .Ve
329: .Vb 3
330: \& Cmnd ::= '!'* commandname |
331: \& '!'* directory |
332: \& '!'* Cmnd_Alias
333: .Ve
334: A \f(CWCmnd_List\fR is a list of one or more commandnames, directories, and other
335: aliases. A commandname is a fully-qualified filename which may include
336: shell-style wildcards (see `Wildcards\*(R' section below). A simple
337: filename allows the user to run the command with any arguments he/she
338: wishes. However, you may also command line arguments (including wildcards).
339: Alternately, you can specify \f(CW""\fR to indicate that the command
340: may only be run \fBwithout\fR command line arguments. A directory is a
341: fully qualified pathname ending in a \*(L'/\*(R'. When you specify a directory
342: in a \f(CWCmnd_List\fR, the user will be able to run any file within that directory
343: (but not in any subdirectories therein).
344: .PP
345: If a \f(CWCmnd\fR has associated command line arguments, then the arguments
346: in the \f(CWCmnd\fR must match exactly those given by the user on the command line
347: (or match the wildcards if there are any). Note that the following
348: characters must be escaped with a \*(L'\e\*(R' if they are used in command
349: arguments: \*(L',\*(R', \*(L':\*(R', \*(L'=\*(R', \*(L'\e\*(R'.
350: .Sh "Defaults"
351: Certain configuration options may be changed from their default
352: values at runtime via one or more \f(CWDefault_Entry\fR lines. These
353: may affect all users on any host, all users on a specific host,
354: or just a specific user. When multiple entries match, they are
355: applied in order. Where there are conflicting values, the last
356: value on a matching line takes effect.
357: .PP
358: .Vb 3
359: \& Default_Type ::= 'Defaults' ||
360: \& 'Defaults' ':' User ||
361: \& 'Defaults' '@' Host
362: .Ve
363: .Vb 1
364: \& Default_Entry ::= Default_Type Parameter_List
365: .Ve
366: .Vb 2
367: \& Parameter ::= Parameter '=' Value ||
368: \& '!'* Parameter ||
369: .Ve
370: Parameters may be \fBflags\fR, \fBinteger\fR values, or \fBstrings\fR. Flags
371: are implicitly boolean and can be turned off via the \*(L'!\*(R' operator.
372: Some integer and string parameters may also be used in a boolean
373: context to disable them. Values may be enclosed in double quotes
374: (\f(CW"\fR) when they contain multiple words. Special characters may
375: be escaped with a backslash (\f(CW\e\fR).
376: .PP
377: \fBFlags\fR:
378: .Ip "long_otp_prompt" 12
379: Put \s-1OTP\s0 prompt on its own line
380: .Ip "ignore_dot" 12
381: Ignore \*(L'.\*(R' in \f(CW$PATH\fR
382: .Ip "mail_always" 12
383: Always send mail when sudo is run
384: .Ip "mail_no_user" 12
385: Send mail if the user is not in sudoers
386: .Ip "mail_no_host" 12
387: Send mail if the user is not in sudoers for this host
388: .Ip "mail_no_perms" 12
389: Send mail if the user is not allowed to run a command
390: .Ip "tty_tickets" 12
391: Use a separate timestamp for each user/tty combo
392: .Ip "lecture" 12
393: Lecture user the first time they run sudo
394: .Ip "authenticate" 12
395: Require users to authenticate by default
396: .Ip "root_sudo" 12
397: Root may run sudo
398: .Ip "log_host" 12
399: Log the hostname in the (non-syslog) log file
400: .Ip "log_year" 12
401: Log the year in the (non-syslog) log file
402: .Ip "shell_noargs" 12
403: If sudo is invoked with no arguments, start a shell
404: .Ip "set_home" 12
405: Set \f(CW$HOME\fR to the target user when starting a shell with \f(CW-s\fR
406: .Ip "path_info" 12
407: Allow some information gathering to give useful error messages
408: .Ip "fqdn" 12
409: Require fully-qualified hostnames in the sudoers file
410: .Ip "insults" 12
411: Insult the user when they enter an incorrect password
412: .Ip "requiretty" 12
413: Only allow the user to run sudo if they have a tty
414: .PP
415: \fBIntegers\fR:
416: .Ip "passwd_tries" 12
417: Number of tries to enter a password
418: .PP
419: \fBIntegers that can be used in a boolean context\fR:
420: .Ip "loglinelen" 12
421: Length at which to wrap log file lines (use 0 or negate for no wrap)
422: .Ip "timestamp_timeout" 12
423: Authentication timestamp timeout
424: .Ip "passwd_timeout" 12
425: Password prompt timeout
426: .Ip "umask" 12
427: Umask to use or 0777 to use user's
428: .PP
429: \fBStrings\fR:
430: .Ip "mailsub" 12
431: Subject line for mail messages
432: .Ip "badpass_message" 12
433: Incorrect password message
434: .Ip "timestampdir" 12
435: Path to authentication timestamp dir
436: .Ip "passprompt" 12
437: Default password prompt
438: .Ip "runas_default" 12
439: Default user to run commands as
440: .Ip "syslog_goodpri" 12
441: Syslog priority to use when user authenticates successfully
442: .Ip "syslog_badpri" 12
443: Syslog priority to use when user authenticates unsuccessfully
444: .PP
445: \fBStrings that can be used in a boolean context\fR:
446: .Ip "syslog" 12
447: Syslog facility if syslog is being used for logging (negate to disable syslog)
448: .Ip "mailerpath" 12
449: Path to mail program
450: .Ip "mailerflags" 12
451: Flags for mail program
452: .Ip "mailto" 12
453: Address to send mail to
454: .Ip "exempt_group" 12
455: Users in this group are exempt from password and \s-1PATH\s0 requirements
456: .Ip "secure_path" 12
457: Value to override user's \f(CW$PATH\fR with
1.3 ! millert 458: .Ip "verifypw" 12
! 459: This option controls when a password will be required when a
! 460: user runs sudo with the \fB\-v\fR. It has the following possible values:
! 461: .Sp
! 462: .Vb 3
! 463: \& all All the user's sudoers entries for the
! 464: \& current host must have the C<NOPASSWD>
! 465: \& flag set to avoid entering a password.
! 466: .Ve
! 467: .Vb 4
! 468: \& any At least one of the user's sudoers entries
! 469: \& for the current host must have the
! 470: \& C<NOPASSWD> flag set to avoid entering a
! 471: \& password.
! 472: .Ve
! 473: .Vb 2
! 474: \& never The user need never enter a password to use
! 475: \& the B<-v> flag.
! 476: .Ve
! 477: .Vb 2
! 478: \& always The user must always enter a password to use
! 479: \& the B<-v> flag.
! 480: .Ve
! 481: The default value is `all\*(R'.
! 482: .Ip "listpw" 12
! 483: This option controls when a password will be required when a
! 484: user runs sudo with the \fB\-l\fR. It has the following possible values:
! 485: .Sp
! 486: .Vb 3
! 487: \& all All the user's sudoers entries for the
! 488: \& current host must have the C<NOPASSWD>
! 489: \& flag set to avoid entering a password.
! 490: .Ve
! 491: .Vb 4
! 492: \& any At least one of the user's sudoers entries
! 493: \& for the current host must have the
! 494: \& C<NOPASSWD> flag set to avoid entering a
! 495: \& password.
! 496: .Ve
! 497: .Vb 2
! 498: \& never The user need never enter a password to use
! 499: \& the B<-l> flag.
! 500: .Ve
! 501: .Vb 2
! 502: \& always The user must always enter a password to use
! 503: \& the B<-l> flag.
! 504: .Ve
! 505: The default value is `any\*(R'.
1.1 millert 506: .PP
507: When logging via \fIsyslog\fR\|(3), sudo accepts the following values for the syslog
508: facility (the value of the \fBsyslog\fR Parameter): \fBauthpriv\fR (if your \s-1OS\s0
509: supports it), \fBauth\fR, \fBdaemon\fR, \fBuser\fR, \fBlocal0\fR, \fBlocal1\fR, \fBlocal2\fR,
510: \fBlocal3\fR, \fBlocal4\fR, \fBlocal5\fR, \fBlocal6\fR, and \fBlocal7\fR. The following
511: syslog priorities are supported: \fBalert\fR, \fBcrit\fR, \fBdebug\fR, \fBemerg\fR,
512: \fBerr\fR, \fBinfo\fR, \fBnotice\fR, and \fBwarning\fR.
513: .Sh "User Specification"
514: .PP
1.3 ! millert 515: .Vb 2
! 516: \& User_Spec ::= User_list Host_List '=' User_List Cmnd_Spec_List \e
! 517: \& (':' User_Spec)*
1.1 millert 518: .Ve
519: .Vb 2
520: \& Cmnd_Spec_List ::= Cmnd_Spec |
521: \& Cmnd_Spec ',' Cmnd_Spec_List
522: .Ve
523: .Vb 1
1.3 ! millert 524: \& Cmnd_Spec ::= Runas_Spec? ('NOPASSWD:' | 'PASSWD:')? Cmnd
! 525: .Ve
! 526: .Vb 1
! 527: \& Runas_Spec ::= '(' Runas_List ')'
1.1 millert 528: .Ve
529: A \fBuser specification\fR determines which commands a user may run
530: (and as what user) on specified hosts. By default, commands are
531: run as \fBroot\fR but this can be changed on a per-command basis.
532: .PP
533: Let's break that down into its constituent parts:
534: .Sh "Runas_Spec"
535: A \f(CWRunas_Spec\fR is simply a \f(CWRunas_List\fR (as defined above)
536: enclosed in a set of parentheses. If you do not specify a
537: \f(CWRunas_Spec\fR in the user specification, a default \f(CWRunas_Spec\fR
538: of \fBroot\fR will be used. A \f(CWRunas_Spec\fR sets the default for
539: commands that follow it. What this means is that for the entry:
540: .PP
541: .Vb 1
542: \& dgb boulder = (operator) /bin/ls, /bin/kill, /usr/bin/who
543: .Ve
544: The user \fBdgb\fR may run \fI/bin/ls\fR, \fI/bin/kill\fR, and
545: \fI/usr/bin/lprm\fR -- but only as \fBoperator\fR. Eg.
546: .PP
547: .Vb 1
548: \& sudo -u operator /bin/ls.
549: .Ve
550: It is also possible to override a \f(CWRunas_Spec\fR later on in an
551: entry. If we modify the entry like so:
552: .PP
553: .Vb 1
554: \& dgb boulder = (operator) /bin/ls, (root) /bin/kill, /usr/bin/lprm
555: .Ve
556: Then user \fBdgb\fR is now allowed to run \fI/bin/ls\fR as \fBoperator\fR,
557: but \fI/bin/kill\fR and \fI/usr/bin/lprm\fR as \fBroot\fR.
558: .Sh "\s-1NOPASSWD\s0 and \s-1PASSWD\s0"
559: By default, \fBsudo\fR requires that a user authenticate him or herself
560: before running a command. This behavior can be modified via the
561: \f(CWNOPASSWD\fR tag. Like a \f(CWRunas_Spec\fR, the \f(CWNOPASSWD\fR tag sets
562: a default for the commands that follow it in the \f(CWCmnd_Spec_List\fR.
563: Conversely, the \f(CWPASSWD\fR tag can be used to reverse things.
564: For example:
565: .PP
566: .Vb 1
567: \& ray rushmore = NOPASSWD: /bin/kill, /bin/ls, /usr/bin/lprm
568: .Ve
569: would allow the user \fBray\fR to run \fI/bin/kill\fR, \fI/bin/ls\fR, and
570: \fI/usr/bin/lprm\fR as root on the machine rushmore as \fBroot\fR without
571: authenticating himself. If we only want \fBray\fR to be able to
572: run \fI/bin/kill\fR without a password the entry would be:
573: .PP
574: .Vb 1
575: \& ray rushmore = NOPASSWD: /bin/kill, PASSWD: /bin/ls, /usr/bin/lprm
576: .Ve
1.3 ! millert 577: Note however, that the \f(CWPASSWD\fR tag has no effect on users who are
! 578: in the group specified by the exempt_group option.
! 579: .PP
! 580: By default, if the \f(CWNOPASSWD\fR tag is applied to any of the entries
! 581: for a user on the current host, he or she will be able to run
! 582: \f(CWsudo -l\fR without a password. Additionally, a user may only run
! 583: \f(CWsudo -v\fR without a password if the \f(CWNOPASSWD\fR tag is present
! 584: for all a user's entries that pertain to the current host.
! 585: This behavior may be overridden via the verifypw and listpw options.
1.1 millert 586: .Sh "Wildcards (aka meta characters):"
587: \fBsudo\fR allows shell-style \fIwildcards\fR to be used in pathnames
588: as well as command line arguments in the \fIsudoers\fR file. Wildcard
589: matching is done via the \fB\s-1POSIX\s0\fR \f(CWfnmatch(3)\fR routine. Note that
590: these are \fInot\fR regular expressions.
591: .Ip "\f(CW*\fR" 8
592: Matches any set of zero or more characters.
593: .Ip "\f(CW?\fR" 8
594: Matches any single character.
595: .Ip "\f(CW[...]\fR" 8
596: Matches any character in the specified range.
597: .Ip "\f(CW[!...]\fR" 8
598: Matches any character \fBnot\fR in the specified range.
599: .Ip "\f(CW\ex\fR" 8
600: For any character \*(L"x\*(R", evaluates to \*(L"x\*(R". This is used to
601: escape special characters such as: \*(L"*\*(R", \*(L"?\*(R", \*(L"[\*(R", and \*(L"}\*(R".
602: .PP
603: Note that a forward slash ('/') will \fBnot\fR be matched by
604: wildcards used in the pathname. When matching the command
605: line arguments, however, as slash \fBdoes\fR get matched by
606: wildcards. This is to make a path like:
607: .PP
608: .Vb 1
609: \& /usr/bin/*
610: .Ve
611: match \f(CW/usr/bin/who\fR but not \f(CW/usr/bin/X11/xterm\fR.
612: .Sh "Exceptions to wildcard rules:"
613: The following exceptions apply to the above rules:
614: .Ip \f(CW""\fR 8
615: If the empty string \f(CW""\fR is the only command line argument in the
616: \fIsudoers\fR entry it means that command is not allowed to be run
617: with \fBany\fR arguments.
618: .Sh "Other special characters and reserved words:"
619: The pound sign ('#') is used to indicate a comment (unless it
620: occurs in the context of a user name and is followed by one or
621: more digits, in which case it is treated as a uid). Both the
622: comment character and any text after it, up to the end of the line,
623: are ignored.
624: .PP
1.2 aaron 625: The reserved word \fB\s-1ALL\s0\fR is a built in \fIalias\fR that always causes
1.1 millert 626: a match to succeed. It can be used wherever one might otherwise
627: use a \f(CWCmnd_Alias\fR, \f(CWUser_Alias\fR, \f(CWRunas_Alias\fR, or \f(CWHost_Alias\fR.
628: You should not try to define your own \fIalias\fR called \fB\s-1ALL\s0\fR as the
629: built in alias will be used in preference to your own. Please note
630: that using \fB\s-1ALL\s0\fR can be dangerous since in a command context, it
631: allows the user to run \fBany\fR command on the system.
632: .PP
633: An exclamation point (\*(R'!') can be used as a logical \fInot\fR operator
634: both in an \fIalias\fR and in front of a \f(CWCmnd\fR. This allows one to
635: exclude certain values. Note, however, that using a \f(CW!\fR in
636: conjunction with the built in \f(CWALL\fR alias to allow a user to
637: run \*(L"all but a few\*(R" commands rarely works as intended (see \s-1SECURITY\s0
638: \s-1NOTES\s0 below).
639: .PP
640: Long lines can be continued with a backslash (\*(R'\e') as the last
641: character on the line.
642: .PP
643: Whitespace between elements in a list as well as specicial syntactic
644: characters in a \fIUser Specification\fR ('=\*(R', \*(L':\*(R', \*(L'(\*(R', \*(L')') is optional.
645: .PP
646: The following characters must be escaped with a backslash (\*(R'\e') when
647: used as part of a word (eg. a username or hostname):
648: \&'@\*(R', \*(L'!\*(R', \*(L'=\*(R', \*(L':\*(R', \*(L',\*(R', \*(L'(\*(R', \*(L')\*(R', \*(L'\e\*(R'.
649: .SH "EXAMPLES"
650: Below are example \fIsudoers\fR entries. Admittedly, some of
651: these are a bit contrived. First, we define our \fIaliases\fR:
652: .PP
653: .Vb 4
654: \& # User alias specification
655: \& User_Alias FULLTIMERS = millert, mikef, dowdy
656: \& User_Alias PARTTIMERS = bostley, jwfox, crawl
657: \& User_Alias WEBMASTERS = will, wendy, wim
658: .Ve
659: .Vb 3
660: \& # Runas alias specification
661: \& Runas_Alias OP = root, operator
662: \& Runas_Alias DB = oracle, sybase
663: .Ve
664: .Vb 9
665: \& # Host alias specification
666: \& Host_Alias SPARC = bigtime, eclipse, moet, anchor :\e
667: \& SGI = grolsch, dandelion, black :\e
668: \& ALPHA = widget, thalamus, foobar :\e
669: \& HPPA = boa, nag, python
670: \& Host_Alias CUNETS = 128.138.0.0/255.255.0.0
671: \& Host_Alias CSNETS = 128.138.243.0, 128.138.204.0/24, 128.138.242.0
672: \& Host_Alias SERVERS = master, mail, www, ns
673: \& Host_Alias CDROM = orion, perseus, hercules
674: .Ve
675: .Vb 12
676: \& # Cmnd alias specification
677: \& Cmnd_Alias DUMPS = /usr/bin/mt, /usr/sbin/dump, /usr/sbin/rdump,\e
678: \& /usr/sbin/restore, /usr/sbin/rrestore
679: \& Cmnd_Alias KILL = /usr/bin/kill
680: \& Cmnd_Alias PRINTING = /usr/sbin/lpc, /usr/bin/lprm
681: \& Cmnd_Alias SHUTDOWN = /usr/sbin/shutdown
682: \& Cmnd_Alias HALT = /usr/sbin/halt, /usr/sbin/fasthalt
683: \& Cmnd_Alias REBOOT = /usr/sbin/reboot, /usr/sbin/fastboot
684: \& Cmnd_Alias SHELLS = /usr/bin/sh, /usr/bin/csh, /usr/bin/ksh, \e
685: \& /usr/local/bin/tcsh, /usr/bin/rsh, \e
686: \& /usr/local/bin/zsh
687: \& Cmnd_Alias SU = /usr/bin/su
688: .Ve
689: Here we override some of the compiled in default values. We want
690: sudo to log via \fIsyslog\fR\|(3) using the \fIauth\fR facility in all cases.
691: We don't want to subject the full time staff to the \fBsudo\fR lecture,
692: and user \fBmillert\fR need not give a password. In addition, on the
693: machines in the \fISERVERS\fR \f(CWHost_Alias\fR, we keep an additional
694: local log file and make sure we log the year in each log line since
695: the log entries will be kept around for several years.
696: .PP
697: .Vb 5
698: \& # Override builtin defaults
699: \& Defaults syslog=auth
700: \& Defaults:FULLTIMERS !lecture
701: \& Defaults:millert !authenticate
702: \& Defaults@SERVERS log_year, logfile=/var/log/sudo.log
703: .Ve
704: The \fIUser specification\fR is the part that actually determines who may
705: run what.
706: .PP
707: .Vb 2
708: \& root ALL = (ALL) ALL
709: \& %wheel ALL = (ALL) ALL
710: .Ve
711: We let \fBroot\fR and any user in group \fBwheel\fR run any command on any
712: host as any user.
713: .PP
714: .Vb 1
715: \& FULLTIMERS ALL = NOPASSWD: ALL
716: .Ve
717: Full time sysadmins (\fBmillert\fR, \fBmikef\fR, and \fBdowdy\fR) may run any
718: command on any host without authenticating themselves.
719: .PP
720: .Vb 1
721: \& PARTTIMERS ALL = ALL
722: .Ve
723: Part time sysadmins (\fBbostley\fR, \fBjwfox\fR, and \fBcrawl\fR) may run any
724: command on any host but they must authenticate themselves first
725: (since the entry lacks the \f(CWNOPASSWD\fR tag).
726: .PP
727: .Vb 1
728: \& jack CSNETS = ALL
729: .Ve
730: The user \fBjack\fR may run any command on the machines in the \fICSNETS\fR alias
731: (the networks \f(CW128.138.243.0\fR, \f(CW128.138.204.0\fR, and \f(CW128.138.242.0\fR).
732: Of those networks, only <128.138.204.0> has an explicit netmask (in
733: CIDR notation) indicating it is a class C network. For the other
734: networks in \fICSNETS\fR, the local machine's netmask will be used
735: during matching.
736: .PP
737: .Vb 1
738: \& lisa CUNETS = ALL
739: .Ve
740: The user \fBlisa\fR may run any command on any host in the \fICUNETS\fR alias
741: (the class B network \f(CW128.138.0.0\fR).
742: .PP
743: .Vb 2
744: \& operator ALL = DUMPS, KILL, PRINTING, SHUTDOWN, HALT, REBOOT,\e
745: \& /usr/oper/bin/
746: .Ve
747: The \fBoperator\fR user may run commands limited to simple maintenance.
748: Here, those are commands related to backups, killing processes, the
749: printing system, shutting down the system, and any commands in the
750: directory \fI/usr/oper/bin/\fR.
751: .PP
752: .Vb 1
753: \& joe ALL = /usr/bin/su operator
754: .Ve
755: The user \fBjoe\fR may only \fIsu\fR\|(1) to operator.
756: .PP
757: .Vb 1
758: \& pete HPPA = /usr/bin/passwd [A-z]*, !/usr/bin/passwd root
759: .Ve
760: The user \fBpete\fR is allowed to change anyone's password except for
761: root on the \fIHPPA\fR machines. Note that this assumes \fIpasswd\fR\|(1)
762: does not take multiple usernames on the command line.
763: .PP
764: .Vb 1
765: \& bob SPARC = (OP) ALL : SGI = (OP) ALL
766: .Ve
767: The user \fBbob\fR may run anything on the \fISPARC\fR and \fISGI\fR machines
768: as any user listed in the \fIOP\fR \f(CWRunas_Alias\fR (\fBroot\fR and \fBoperator\fR).
769: .PP
770: .Vb 1
771: \& jim +biglab = ALL
772: .Ve
773: The user \fBjim\fR may run any command on machines in the \fIbiglab\fR netgroup.
774: \fBSudo\fR knows that \*(L"biglab\*(R" is a netgroup due to the \*(L'+\*(R' prefix.
775: .PP
776: .Vb 1
777: \& +secretaries ALL = PRINTING, /usr/bin/adduser, /usr/bin/rmuser
778: .Ve
779: Users in the \fBsecretaries\fR netgroup need to help manage the printers
780: as well as add and remove users, so they are allowed to run those
781: commands on all machines.
782: .PP
783: .Vb 1
784: \& fred ALL = (DB) NOPASSWD: ALL
785: .Ve
786: The user \fBfred\fR can run commands as any user in the \fIDB\fR \f(CWRunas_Alias\fR
787: (\fBoracle\fR or \fBsybase\fR) without giving a password.
788: .PP
789: .Vb 1
790: \& john ALPHA = /usr/bin/su [!-]*, !/usr/bin/su *root*
791: .Ve
792: On the \fIALPHA\fR machines, user \fBjohn\fR may su to anyone except root
793: but he is not allowed to give \fIsu\fR\|(1) any flags.
794: .PP
795: .Vb 1
796: \& jen ALL, !SERVERS = ALL
797: .Ve
798: The user \fBjen\fR may run any command on any machine except for those
799: in the \fISERVERS\fR \f(CWHost_Alias\fR (master, mail, www and ns).
800: .PP
801: .Vb 1
802: \& jill SERVERS = /usr/bin/, !SU, !SHELLS
803: .Ve
804: For any machine in the \fISERVERS\fR \f(CWHost_Alias\fR, \fBjill\fR may run
805: any commands in the directory /usr/bin/ except for those commands
806: belonging to the \fISU\fR and \fISHELLS\fR \f(CWCmnd_Aliases\fR.
807: .PP
808: .Vb 1
809: \& steve CSNETS = (operator) /usr/local/op_commands/
810: .Ve
811: The user \fBsteve\fR may run any command in the directory /usr/local/op_commands/
812: but only as user operator.
813: .PP
814: .Vb 1
815: \& matt valkyrie = KILL
816: .Ve
817: On his personal workstation, valkyrie, \fBmatt\fR needs to be able to
818: kill hung processes.
819: .PP
820: .Vb 1
821: \& WEBMASTERS www = (www) ALL, (root) /usr/bin/su www
822: .Ve
823: On the host www, any user in the \fIWEBMASTERS\fR \f(CWUser_Alias\fR (will,
824: wendy, and wim), may run any command as user www (which owns the
825: web pages) or simply \fIsu\fR\|(1) to www.
826: .PP
827: .Vb 2
828: \& ALL CDROM = NOPASSWD: /sbin/umount /CDROM,\e
829: \& /sbin/mount -o nosuid\e,nodev /dev/cd0a /CDROM
830: .Ve
831: Any user may mount or unmount a CD\-ROM on the machines in the CDROM
832: \f(CWHost_Alias\fR (orion, perseus, hercules) without entering a password.
833: This is a bit tedious for users to type, so it is a prime candiate
834: for encapsulating in a shell script.
835: .SH "SECURITY NOTES"
836: It is generally not effective to \*(L"subtract\*(R" commands from \f(CWALL\fR
837: using the \*(L'!\*(R' operator. A user can trivially circumvent this
838: by copying the desired command to a different name and then
839: executing that. For example:
840: .PP
841: .Vb 1
842: \& bill ALL = ALL, !SU, !SHELLS
843: .Ve
844: Doesn't really prevent \fBbill\fR from running the commands listed in
845: \fISU\fR or \fISHELLS\fR since he can simply copy those commands to a
846: different name, or use a shell escape from an editor or other
847: program. Therefore, these kind of restrictions should be considered
848: advisory at best (and reinforced by policy).
849: .SH "CAVEATS"
850: The \fIsudoers\fR file should \fBalways\fR be edited by the \fBvisudo\fR
851: command which locks the file and does grammatical checking. It is
852: imperative that \fIsudoers\fR be free of syntax errors since \fBsudo\fR
853: will not run with a syntactically incorrect \fIsudoers\fR file.
1.3 ! millert 854: .PP
! 855: When using netgroups of machines (as opposed to users), if you
! 856: store fully-qualified hostnames in the netgroup (as is usually the
! 857: case), you either need to have the machine's hostname be fully-qualified
! 858: as returned by the \f(CWhostname\fR command or use the \fIfqdn\fR option in
! 859: \fIsudoers\fR.
1.1 millert 860: .SH "FILES"
861: .PP
862: .Vb 3
863: \& /etc/sudoers List of who can run what
864: \& /etc/group Local groups file
865: \& /etc/netgroup List of network groups
866: .Ve
867: .SH "SEE ALSO"
868: \fIsudo\fR\|(8), \fIvisudo\fR\|(8), \fIsu\fR\|(1), \fIfnmatch\fR\|(3).
869:
870: .rn }` ''
871: .IX Title "sudoers 5"
872: .IX Name "sudoers - list of which users may execute what"
873:
874: .IX Header "NAME"
875:
876: .IX Header "DESCRIPTION"
877:
878: .IX Subsection "Quick guide to \s-1EBNF\s0"
879:
880: .IX Item "\f(CW?\fR"
881:
882: .IX Item "\f(CW*\fR"
883:
884: .IX Item "\f(CW+\fR"
885:
886: .IX Subsection "Aliases"
887:
888: .IX Subsection "Defaults"
889:
890: .IX Item "long_otp_prompt"
891:
892: .IX Item "ignore_dot"
893:
894: .IX Item "mail_always"
895:
896: .IX Item "mail_no_user"
897:
898: .IX Item "mail_no_host"
899:
900: .IX Item "mail_no_perms"
901:
902: .IX Item "tty_tickets"
903:
904: .IX Item "lecture"
905:
906: .IX Item "authenticate"
907:
908: .IX Item "root_sudo"
909:
910: .IX Item "log_host"
911:
912: .IX Item "log_year"
913:
914: .IX Item "shell_noargs"
915:
916: .IX Item "set_home"
917:
918: .IX Item "path_info"
919:
920: .IX Item "fqdn"
921:
922: .IX Item "insults"
923:
924: .IX Item "requiretty"
925:
926: .IX Item "passwd_tries"
927:
928: .IX Item "loglinelen"
929:
930: .IX Item "timestamp_timeout"
931:
932: .IX Item "passwd_timeout"
933:
934: .IX Item "umask"
935:
936: .IX Item "mailsub"
937:
938: .IX Item "badpass_message"
939:
940: .IX Item "timestampdir"
941:
942: .IX Item "passprompt"
943:
944: .IX Item "runas_default"
945:
946: .IX Item "syslog_goodpri"
947:
948: .IX Item "syslog_badpri"
949:
950: .IX Item "syslog"
951:
952: .IX Item "mailerpath"
953:
954: .IX Item "mailerflags"
955:
956: .IX Item "mailto"
957:
958: .IX Item "exempt_group"
959:
960: .IX Item "secure_path"
961:
1.3 ! millert 962: .IX Item "verifypw"
! 963:
! 964: .IX Item "listpw"
! 965:
1.1 millert 966: .IX Subsection "User Specification"
967:
968: .IX Subsection "Runas_Spec"
969:
970: .IX Subsection "\s-1NOPASSWD\s0 and \s-1PASSWD\s0"
971:
972: .IX Subsection "Wildcards (aka meta characters):"
973:
974: .IX Item "\f(CW*\fR"
975:
976: .IX Item "\f(CW?\fR"
977:
978: .IX Item "\f(CW[...]\fR"
979:
980: .IX Item "\f(CW[!...]\fR"
981:
982: .IX Item "\f(CW\ex\fR"
983:
984: .IX Subsection "Exceptions to wildcard rules:"
985:
1.3 ! millert 986: .IX Item \f(CW""\fR
1.1 millert 987:
988: .IX Subsection "Other special characters and reserved words:"
989:
990: .IX Header "EXAMPLES"
991:
992: .IX Header "SECURITY NOTES"
993:
994: .IX Header "CAVEATS"
995:
996: .IX Header "FILES"
997:
998: .IX Header "SEE ALSO"
999: