Annotation of src/usr.bin/sudo/sudoers.5, Revision 1.7
1.1 millert 1: .rn '' }`
1.7 ! pjanzen 2: ''' $RCSfile: sudoers.5,v $$Revision: 1.6 $$Date: 2001/01/09 18:15:31 $
1.6 krw 3: '''
4: ''' $Log: sudoers.5,v $
1.7 ! pjanzen 5: ''' Revision 1.6 2001/01/09 18:15:31 krw
! 6: ''' Typos: 'eg.' -> 'e.g.'
! 7: '''
1.6 krw 8: ''' Revision 1.5 2000/03/27 03:44:39 millert
9: ''' sudo 1.6.3; see http://www.courtesan.com/sudo/current.html for a list
10: ''' of changes.
1.2 aaron 11: '''
1.5 millert 12: ''' Revision 1.5 2000/03/27 03:26:23 millert
13: ''' Use 8 and 5 in the man page bodies as well.
1.1 millert 14: '''
15: '''
16: .de Sh
17: .br
18: .if t .Sp
19: .ne 5
20: .PP
21: \fB\\$1\fR
22: .PP
23: ..
24: .de Sp
25: .if t .sp .5v
26: .if n .sp
27: ..
28: .de Ip
29: .br
30: .ie \\n(.$>=3 .ne \\$3
31: .el .ne 3
32: .IP "\\$1" \\$2
33: ..
34: .de Vb
35: .ft CW
36: .nf
37: .ne \\$1
38: ..
39: .de Ve
40: .ft R
41:
42: .fi
43: ..
44: '''
45: '''
46: ''' Set up \*(-- to give an unbreakable dash;
47: ''' string Tr holds user defined translation string.
48: ''' Bell System Logo is used as a dummy character.
49: '''
50: .tr \(*W-|\(bv\*(Tr
51: .ie n \{\
52: .ds -- \(*W-
53: .ds PI pi
54: .if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
55: .if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
56: .ds L" ""
57: .ds R" ""
58: ''' \*(M", \*(S", \*(N" and \*(T" are the equivalent of
59: ''' \*(L" and \*(R", except that they are used on ".xx" lines,
60: ''' such as .IP and .SH, which do another additional levels of
61: ''' double-quote interpretation
62: .ds M" """
63: .ds S" """
64: .ds N" """""
65: .ds T" """""
66: .ds L' '
67: .ds R' '
68: .ds M' '
69: .ds S' '
70: .ds N' '
71: .ds T' '
72: 'br\}
73: .el\{\
74: .ds -- \(em\|
75: .tr \*(Tr
76: .ds L" ``
77: .ds R" ''
78: .ds M" ``
79: .ds S" ''
80: .ds N" ``
81: .ds T" ''
82: .ds L' `
83: .ds R' '
84: .ds M' `
85: .ds S' '
86: .ds N' `
87: .ds T' '
88: .ds PI \(*p
89: 'br\}
90: .\" If the F register is turned on, we'll generate
91: .\" index entries out stderr for the following things:
92: .\" TH Title
93: .\" SH Header
94: .\" Sh Subsection
95: .\" Ip Item
96: .\" X<> Xref (embedded
97: .\" Of course, you have to process the output yourself
1.7 ! pjanzen 98: .\" in some meaningful fashion.
1.1 millert 99: .if \nF \{
100: .de IX
101: .tm Index:\\$1\t\\n%\t"\\$2"
102: ..
103: .nr % 0
104: .rr F
105: .\}
1.5 millert 106: .TH sudoers 5 "1.6.3" "26/Mar/2000" "FILE FORMATS"
1.1 millert 107: .UC
108: .if n .hy 0
109: .if n .na
110: .ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
111: .de CQ \" put $1 in typewriter font
112: .ft CW
113: 'if n "\c
114: 'if t \\&\\$1\c
115: 'if n \\&\\$1\c
116: 'if n \&"
117: \\&\\$2 \\$3 \\$4 \\$5 \\$6 \\$7
118: '.ft R
119: ..
120: .\" @(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2
121: . \" AM - accent mark definitions
122: .bd B 3
123: . \" fudge factors for nroff and troff
124: .if n \{\
125: . ds #H 0
126: . ds #V .8m
127: . ds #F .3m
128: . ds #[ \f1
129: . ds #] \fP
130: .\}
131: .if t \{\
132: . ds #H ((1u-(\\\\n(.fu%2u))*.13m)
133: . ds #V .6m
134: . ds #F 0
135: . ds #[ \&
136: . ds #] \&
137: .\}
138: . \" simple accents for nroff and troff
139: .if n \{\
140: . ds ' \&
141: . ds ` \&
142: . ds ^ \&
143: . ds , \&
144: . ds ~ ~
145: . ds ? ?
146: . ds ! !
147: . ds /
148: . ds q
149: .\}
150: .if t \{\
151: . ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
152: . ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
153: . ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
154: . ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
155: . ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
156: . ds ? \s-2c\h'-\w'c'u*7/10'\u\h'\*(#H'\zi\d\s+2\h'\w'c'u*8/10'
157: . ds ! \s-2\(or\s+2\h'-\w'\(or'u'\v'-.8m'.\v'.8m'
158: . ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
159: . ds q o\h'-\w'o'u*8/10'\s-4\v'.4m'\z\(*i\v'-.4m'\s+4\h'\w'o'u*8/10'
160: .\}
161: . \" troff and (daisy-wheel) nroff accents
162: .ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
163: .ds 8 \h'\*(#H'\(*b\h'-\*(#H'
164: .ds v \\k:\h'-(\\n(.wu*9/10-\*(#H)'\v'-\*(#V'\*(#[\s-4v\s0\v'\*(#V'\h'|\\n:u'\*(#]
165: .ds _ \\k:\h'-(\\n(.wu*9/10-\*(#H+(\*(#F*2/3))'\v'-.4m'\z\(hy\v'.4m'\h'|\\n:u'
166: .ds . \\k:\h'-(\\n(.wu*8/10)'\v'\*(#V*4/10'\z.\v'-\*(#V*4/10'\h'|\\n:u'
167: .ds 3 \*(#[\v'.2m'\s-2\&3\s0\v'-.2m'\*(#]
168: .ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
169: .ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
170: .ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
171: .ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
172: .ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
173: .ds ae a\h'-(\w'a'u*4/10)'e
174: .ds Ae A\h'-(\w'A'u*4/10)'E
175: .ds oe o\h'-(\w'o'u*4/10)'e
176: .ds Oe O\h'-(\w'O'u*4/10)'E
177: . \" corrections for vroff
178: .if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
179: .if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
180: . \" for low resolution devices (crt and lpr)
181: .if \n(.H>23 .if \n(.V>19 \
182: \{\
183: . ds : e
184: . ds 8 ss
185: . ds v \h'-1'\o'\(aa\(ga'
186: . ds _ \h'-1'^
187: . ds . \h'-1'.
188: . ds 3 3
189: . ds o a
190: . ds d- d\h'-1'\(ga
191: . ds D- D\h'-1'\(hy
192: . ds th \o'bp'
193: . ds Th \o'LP'
194: . ds ae ae
195: . ds Ae AE
196: . ds oe oe
197: . ds Oe OE
198: .\}
199: .rm #[ #] #H #V #F C
200: .SH "NAME"
201: sudoers \- list of which users may execute what
202: .SH "DESCRIPTION"
1.7 ! pjanzen 203: The \fIsudoers\fR file is composed of two types of entries:
1.1 millert 204: aliases (basically variables) and user specifications
205: (which specify who may run what). The grammar of \fIsudoers\fR
206: will be described below in Extended Backus-Naur Form (EBNF).
1.7 ! pjanzen 207: Don't despair if you don't know what EBNF is; it is fairly
! 208: simple, and the definitions below are annotated.
1.1 millert 209: .Sh "Quick guide to \s-1EBNF\s0"
210: \s-1EBNF\s0 is a concise and exact way of describing the grammar of a language.
1.7 ! pjanzen 211: Each \s-1EBNF\s0 definition is made up of \fIproduction rules\fR. E.g.,
1.1 millert 212: .PP
213: .Vb 1
214: \& symbol ::= definition | alternate1 | alternate2 ...
215: .Ve
216: Each \fIproduction rule\fR references others and thus makes up a
217: grammar for the language. \s-1EBNF\s0 also contains the following
218: operators, which many readers will recognize from regular
219: expressions. Do not, however, confuse them with \*(L"wildcard\*(R"
220: characters, which have different meanings.
221: .Ip "\f(CW?\fR" 8
222: Means that the preceding symbol (or group of symbols) is optional.
223: That is, it may appear once or not at all.
224: .Ip "\f(CW*\fR" 8
225: Means that the preceding symbol (or group of symbols) may appear
226: zero or more times.
227: .Ip "\f(CW+\fR" 8
228: Means that the preceding symbol (or group of symbols) may appear
229: one or more times.
230: .PP
231: Parentheses may be used to group symbols together. For clarity,
232: we will use single quotes ('') to designate what is a verbatim character
233: string (as opposed to a symbol name).
234: .Sh "Aliases"
1.7 ! pjanzen 235: There are four kinds of aliases: \f(CWUser_Alias\fR, \f(CWRunas_Alias\fR,
1.1 millert 236: \f(CWHost_Alias\fR and \f(CWCmnd_Alias\fR.
237: .PP
238: .Vb 4
239: \& Alias ::= 'User_Alias' = User_Alias (':' User_Alias)* |
1.3 millert 240: \& 'Runas_Alias' = Runas_Alias (':' Runas_Alias)* |
241: \& 'Host_Alias' = Host_Alias (':' Host_Alias)* |
242: \& 'Cmnd_Alias' = Cmnd_Alias (':' Cmnd_Alias)*
1.1 millert 243: .Ve
244: .Vb 1
245: \& User_Alias ::= NAME '=' User_List
246: .Ve
247: .Vb 1
248: \& Runas_Alias ::= NAME '=' Runas_User_List
249: .Ve
250: .Vb 1
251: \& Host_Alias ::= NAME '=' Host_List
252: .Ve
253: .Vb 1
254: \& Cmnd_Alias ::= NAME '=' Cmnd_List
255: .Ve
256: .Vb 1
257: \& NAME ::= [A-Z]([A-Z][0-9]_)*
258: .Ve
259: Each \fIalias\fR definition is of the form
260: .PP
261: .Vb 1
262: \& Alias_Type NAME = item1, item2, ...
263: .Ve
264: where \fIAlias_Type\fR is one of \f(CWUser_Alias\fR, \f(CWRunas_Alias\fR, \f(CWHost_Alias\fR,
1.7 ! pjanzen 265: or \f(CWCmnd_Alias\fR. A \f(CWNAME\fR is a string of uppercase letters, numbers,
1.1 millert 266: and the underscore characters ('_'). A \f(CWNAME\fR \fBmust\fR start with an
1.7 ! pjanzen 267: uppercase letter. It is possible to put several alias definitions
! 268: of the same type on a single line, joined by a semicolon (':'). E.g.,
1.1 millert 269: .PP
270: .Vb 1
271: \& Alias_Type NAME = item1, item2, item3 : NAME = item4, item5
272: .Ve
273: The definitions of what constitutes a valid \fIalias\fR member follow.
274: .PP
275: .Vb 2
276: \& User_List ::= User |
277: \& User ',' User_List
278: .Ve
279: .Vb 5
280: \& User ::= '!'* username |
281: \& '!'* '#'uid |
282: \& '!'* '%'group |
283: \& '!'* '+'netgroup |
284: \& '!'* User_Alias
285: .Ve
286: A \f(CWUser_List\fR is made up of one or more usernames, uids
287: (prefixed with \*(L'#'), System groups (prefixed with \*(L'%'),
288: netgroups (prefixed with \*(L'+') and other aliases. Each list
289: item may be prefixed with one or more \*(L'!\*(R' operators. An odd number
1.7 ! pjanzen 290: of \*(L'!\*(R' operators negate the value of the item; an even number
1.1 millert 291: just cancel each other out.
292: .PP
293: .Vb 2
294: \& Runas_List ::= Runas_User |
295: \& Runas_User ',' Runas_List
296: .Ve
297: .Vb 5
298: \& Runas_User ::= '!'* username |
299: \& '!'* '#'uid |
300: \& '!'* '%'group |
301: \& '!'* +netgroup |
302: \& '!'* Runas_Alias
303: .Ve
304: Likewise, a \f(CWRunas_List\fR has the same possible elements
305: as a \f(CWUser_List\fR, except that it can include a \f(CWRunas_Alias\fR,
306: instead of a \f(CWUser_Alias\fR.
307: .PP
308: .Vb 2
309: \& Host_List ::= Host |
310: \& Host ',' Host_List
311: .Ve
312: .Vb 5
313: \& Host ::= '!'* hostname |
314: \& '!'* ip_addr |
315: \& '!'* network(/netmask)? |
316: \& '!'* '+'netgroup |
317: \& '!'* Host_Alias
318: .Ve
319: A \f(CWHost_List\fR is made up of one or more hostnames, \s-1IP\s0 addresses,
320: network numbers, netgroups (prefixed with \*(L'+') and other aliases.
321: Again, the value of an item may be negated with the \*(L'!\*(R' operator.
322: If you do not specify a netmask with a network number, the netmask
323: of the host's ethernet \fIinterface\fR\|(s) will be used when matching.
1.6 krw 324: The netmask may be specified either in dotted quad notation (e.g.
325: 255.255.255.0) or \s-1CIDR\s0 notation (number of bits, e.g. 24). A hostname
1.5 millert 326: may include shell-style wildcards (see `Wildcards\*(R' section below),
327: but unless the \f(CWhostname\fR command on your machine returns the fully
328: qualified hostname, you'll need to use the \fIfqdn\fR option for wildcards
329: to be useful.
1.1 millert 330: .PP
331: .Vb 2
332: \& Cmnd_List ::= Cmnd |
333: \& Cmnd ',' Cmnd_List
334: .Ve
335: .Vb 3
336: \& commandname ::= filename |
337: \& filename args |
338: \& filename '""'
339: .Ve
340: .Vb 3
341: \& Cmnd ::= '!'* commandname |
342: \& '!'* directory |
343: \& '!'* Cmnd_Alias
344: .Ve
345: A \f(CWCmnd_List\fR is a list of one or more commandnames, directories, and other
1.5 millert 346: aliases. A commandname is a fully qualified filename which may include
1.1 millert 347: shell-style wildcards (see `Wildcards\*(R' section below). A simple
348: filename allows the user to run the command with any arguments he/she
349: wishes. However, you may also command line arguments (including wildcards).
350: Alternately, you can specify \f(CW""\fR to indicate that the command
351: may only be run \fBwithout\fR command line arguments. A directory is a
352: fully qualified pathname ending in a \*(L'/\*(R'. When you specify a directory
353: in a \f(CWCmnd_List\fR, the user will be able to run any file within that directory
354: (but not in any subdirectories therein).
355: .PP
356: If a \f(CWCmnd\fR has associated command line arguments, then the arguments
357: in the \f(CWCmnd\fR must match exactly those given by the user on the command line
358: (or match the wildcards if there are any). Note that the following
359: characters must be escaped with a \*(L'\e\*(R' if they are used in command
360: arguments: \*(L',\*(R', \*(L':\*(R', \*(L'=\*(R', \*(L'\e\*(R'.
361: .Sh "Defaults"
362: Certain configuration options may be changed from their default
363: values at runtime via one or more \f(CWDefault_Entry\fR lines. These
364: may affect all users on any host, all users on a specific host,
365: or just a specific user. When multiple entries match, they are
366: applied in order. Where there are conflicting values, the last
367: value on a matching line takes effect.
368: .PP
369: .Vb 3
370: \& Default_Type ::= 'Defaults' ||
371: \& 'Defaults' ':' User ||
372: \& 'Defaults' '@' Host
373: .Ve
374: .Vb 1
375: \& Default_Entry ::= Default_Type Parameter_List
376: .Ve
377: .Vb 2
378: \& Parameter ::= Parameter '=' Value ||
379: \& '!'* Parameter ||
380: .Ve
381: Parameters may be \fBflags\fR, \fBinteger\fR values, or \fBstrings\fR. Flags
382: are implicitly boolean and can be turned off via the \*(L'!\*(R' operator.
383: Some integer and string parameters may also be used in a boolean
384: context to disable them. Values may be enclosed in double quotes
385: (\f(CW"\fR) when they contain multiple words. Special characters may
386: be escaped with a backslash (\f(CW\e\fR).
387: .PP
388: \fBFlags\fR:
389: .Ip "long_otp_prompt" 12
1.4 millert 390: When validating with a One Time Password scheme (\fBS/Key\fR or \fB\s-1OPIE\s0\fR),
391: a two-line prompt is used to make it easier to cut and paste the
392: challenge to a local window. It's not as pretty as the default but
393: some people find it more convenient. This flag is off by default.
1.1 millert 394: .Ip "ignore_dot" 12
1.4 millert 395: If set, \fBsudo\fR will ignore \*(L'.\*(R' or \*(L'\*(R' (current dir) in \f(CW$PATH\fR;
396: the \f(CW$PATH\fR itself is not modified. This flag is off by default.
1.1 millert 397: .Ip "mail_always" 12
1.5 millert 398: Send mail to the \fImailto\fR user every time a users runs \fBsudo\fR.
1.4 millert 399: This flag is off by default.
1.1 millert 400: .Ip "mail_no_user" 12
1.4 millert 401: If set, mail will be sent to the \fImailto\fR user if the invoking
402: user is not in the \fIsudoers\fR file. This flag is on by default.
1.1 millert 403: .Ip "mail_no_host" 12
1.4 millert 404: If set, mail will be sent to the \fImailto\fR user if the invoking
405: user exists in the \fIsudoers\fR file, but is not allowed to run
406: commands on the current host. This flag is off by default.
1.1 millert 407: .Ip "mail_no_perms" 12
1.4 millert 408: If set, mail will be sent to the \fImailto\fR user if the invoking
1.5 millert 409: user allowed to use \fBsudo\fR but the command they are trying is not
1.4 millert 410: listed in their \fIsudoers\fR file entry. This flag is off by default.
1.1 millert 411: .Ip "tty_tickets" 12
1.4 millert 412: If set, users must authenticate on a per-tty basis. Normally,
413: \fBsudo\fR uses a directory in the ticket dir with the same name as
414: the user running it. With this flag enabled, \fBsudo\fR will use a
415: file named for the tty the user is logged in on in that directory.
416: This flag is off by default.
1.1 millert 417: .Ip "lecture" 12
1.4 millert 418: If set, a user will receive a short lecture the first time he/she
419: runs \fBsudo\fR. This flag is on by default.
1.1 millert 420: .Ip "authenticate" 12
1.4 millert 421: If set, users must authenticate themselves via a password (or other
422: means of authentication) before they may run commands. This default
423: may be overridden via the \f(CWPASSWD\fR and \f(CWNOPASSWD\fR tags.
424: This flag is on by default.
1.1 millert 425: .Ip "root_sudo" 12
1.5 millert 426: If set, root is allowed to run \fBsudo\fR too. Disabling this prevents users
427: from \*(L"chaining\*(R" \fBsudo\fR commands to get a root shell by doing something
1.4 millert 428: like \f(CW"sudo sudo /bin/sh"\fR.
429: This flag is on by default.
1.1 millert 430: .Ip "log_host" 12
1.4 millert 431: If set, the hostname will be logged in the (non-syslog) \fBsudo\fR log file.
432: This flag is off by default.
1.1 millert 433: .Ip "log_year" 12
1.4 millert 434: If set, the four-digit year will be logged in the (non-syslog) \fBsudo\fR log file.
435: This flag is off by default.
1.1 millert 436: .Ip "shell_noargs" 12
1.4 millert 437: If set and \fBsudo\fR is invoked with no arguments it acts as if the
438: \f(CW-s\fR flag had been given. That is, it runs a shell as root (the
439: shell is determined by the \f(CWSHELL\fR environment variable if it is
440: set, falling back on the shell listed in the invoking user's
441: /etc/passwd entry if not). This flag is off by default.
1.1 millert 442: .Ip "set_home" 12
1.4 millert 443: If set and \fBsudo\fR is invoked with the \f(CW-s\fR flag the \f(CWHOME\fR
444: environment variable will be set to the home directory of the target
445: user (which is root unless the \f(CW-u\fR option is used). This effectively
446: makes the \f(CW-s\fR flag imply \f(CW-H\fR. This flag is off by default.
1.1 millert 447: .Ip "path_info" 12
1.4 millert 448: Normally, \fBsudo\fR will tell the user when a command could not be
449: found in their \f(CW$PATH\fR. Some sites may wish to disable this as
450: it could be used to gather information on the location of executables
451: that the normal user does not have access to. The disadvantage is
452: that if the executable is simply not in the user's \f(CW$PATH\fR, \fBsudo\fR
453: will tell the user that they are not allowed to run it, which can
454: be confusing. This flag is off by default.
1.1 millert 455: .Ip "fqdn" 12
1.4 millert 456: Set this flag if you want to put fully qualified hostnames in the
1.7 ! pjanzen 457: \fIsudoers\fR file. I.e.: instead of myhost you would use myhost.mydomain.edu.
1.4 millert 458: You may still use the short form if you wish (and even mix the two).
1.5 millert 459: Beware that turning on \fIfqdn\fR requires \fBsudo\fR to make \s-1DNS\s0 lookups
1.4 millert 460: which may make \fBsudo\fR unusable if \s-1DNS\s0 stops working (for example
461: if the machine is not plugged into the network). Also note that
462: you must use the host's official name as \s-1DNS\s0 knows it. That is,
463: you may not use a host alias (\f(CWCNAME\fR entry) due to performance
464: issues and the fact that there is no way to get all aliases from
465: \s-1DNS\s0. If your machine's hostname (as returned by the \f(CWhostname\fR
466: command) is already fully qualified you shouldn't need to set
467: \fIfqfn\fR. This flag is off by default.
1.1 millert 468: .Ip "insults" 12
1.5 millert 469: If set, \fBsudo\fR will insult users when they enter an incorrect
1.4 millert 470: password. This flag is off by default.
1.1 millert 471: .Ip "requiretty" 12
1.5 millert 472: If set, \fBsudo\fR will only run when the user is logged in to a real
1.4 millert 473: tty. This will disallow things like \f(CW"rsh somehost sudo ls"\fR since
474: \fIrsh\fR\|(1) does not allocate a tty. Because it is not possible to turn
475: of echo when there is no tty present, some sites may with to set
476: this flag to prevent a user from entering a visible password. This
477: flag is off by default.
1.5 millert 478: .Ip "env_editor" 12
479: If set, \fBvisudo\fR will use the value of the \s-1EDITOR\s0 or \s-1VISUAL\s0 environment
480: falling back on the default editor. Note that this may create a
481: security hole as most editors allow a user to get a shell (which
482: would be a root shell and not be logged).
483: .Ip "rootpw" 12
484: If set, \fBsudo\fR will prompt for the root password instead of the password
485: of the invoking user.
486: .Ip "runaspw" 12
487: If set, \fBsudo\fR will prompt for the password of the user defined by the
488: \fIrunas_default\fR option (defaults to root) instead of the password
489: of the invoking user.
490: .Ip "targetpw" 12
491: If set, \fBsudo\fR will prompt for the password of the user specified by
492: the \f(CW-u\fR flag (defaults to root) instead of the password of the
493: invoking user.
494: .Ip "set_logname" 12
495: Normally, \fBsudo\fR will set the \f(CWLOGNAME\fR and \f(CWUSER\fR environment variables
496: to the name of the target user (usually root unless the \f(CW-u\fR flag is given).
497: However, since some programs (including the \s-1RCS\s0 revision control system)
498: use \f(CWLOGNAME\fR to determine the real identity of the user, it may be desirable
499: to change this behavior. This can be done by negating the set_logname option.
1.1 millert 500: .PP
501: \fBIntegers\fR:
502: .Ip "passwd_tries" 12
1.4 millert 503: The number of tries a user gets to enter his/her password before
1.5 millert 504: \fBsudo\fR logs the failure and exits. The default is 3.
1.1 millert 505: .PP
506: \fBIntegers that can be used in a boolean context\fR:
507: .Ip "loglinelen" 12
1.4 millert 508: Number of characters per line for the file log. This value is used
509: to decide when to wrap lines for nicer log files. This has no
510: effect on the syslog log file, only the file log. The default is
511: 80 (use 0 or negate to disable word wrap).
1.1 millert 512: .Ip "timestamp_timeout" 12
1.4 millert 513: Number of minutes that can elapse before \fBsudo\fR will ask for a passwd
1.7 ! pjanzen 514: again. The default is 5. Set this to 0 to always prompt for a password.
1.1 millert 515: .Ip "passwd_timeout" 12
1.5 millert 516: Number of minutes before the \fBsudo\fR password prompt times out.
1.4 millert 517: The default is 5, set this to 0 for no password timeout.
1.1 millert 518: .Ip "umask" 12
1.4 millert 519: Umask to use when running the root command. Set this to 0777 to
520: not override the user's umask. The default is 0022.
1.1 millert 521: .PP
522: \fBStrings\fR:
523: .Ip "mailsub" 12
1.4 millert 524: Subject of the mail sent to the \fImailto\fR user. The escape \f(CW%h\fR
525: will expand to the hostname of the machine.
526: Default is \*(L"*** \s-1SECURITY\s0 information for \f(CW%h\fR ***\*(R".
1.1 millert 527: .Ip "badpass_message" 12
1.4 millert 528: Message that is displayed if a user enters an incorrect password.
529: The default is \*(L"Sorry, try again.\*(R" unless insults are enabled.
1.1 millert 530: .Ip "timestampdir" 12
1.4 millert 531: The directory in which \fBsudo\fR stores its timestamp files.
1.5 millert 532: The default is \fI@\s-1TIMEDIR\s0@\fR.
1.1 millert 533: .Ip "passprompt" 12
1.4 millert 534: The default prompt to use when asking for a password; can be overridden
535: via the \f(CW-p\fR option or the \f(CWSUDO_PROMPT\fR environment variable. Supports
536: two escapes: \*(L"%u\*(R" expands to the user's login name and \*(L"%h\*(R" expands
537: to the local hostname. The default value is \*(L"Password:\*(R".
1.1 millert 538: .Ip "runas_default" 12
1.4 millert 539: The default user to run commands as if the \f(CW-u\fR flag is not specified
540: on the command line. This defaults to \*(L"root\*(R".
1.1 millert 541: .Ip "syslog_goodpri" 12
1.4 millert 542: Syslog priority to use when user authenticates successfully.
543: Defaults to \*(L"notice\*(R".
1.1 millert 544: .Ip "syslog_badpri" 12
1.4 millert 545: Syslog priority to use when user authenticates unsuccessfully.
546: Defaults to \*(L"alert\*(R".
1.5 millert 547: .Ip "editor" 12
548: Path to the editor to be used by \fBvisudo\fR. The default is the path
549: to vi on your system.
1.1 millert 550: .PP
551: \fBStrings that can be used in a boolean context\fR:
1.5 millert 552: .Ip "logfile" 12
553: Path to the \fBsudo\fR log file (not the syslog log file). Setting a path
1.7 ! pjanzen 554: turns on logging to a file; negating this option turns it off.
1.1 millert 555: .Ip "syslog" 12
1.4 millert 556: Syslog facility if syslog is being used for logging (negate to
557: disable syslog logging). Defaults to \*(L"local2\*(R".
1.1 millert 558: .Ip "mailerpath" 12
1.4 millert 559: Path to mail program used to send warning mail.
560: Defaults to the path to sendmail found at configure time.
1.1 millert 561: .Ip "mailerflags" 12
1.4 millert 562: Flags to use when invoking mailer. Defaults to \f(CW-t\fR.
1.1 millert 563: .Ip "mailto" 12
1.7 ! pjanzen 564: Address to send warning and error mail to. Defaults to \*(L"root\*(R".
1.1 millert 565: .Ip "exempt_group" 12
1.4 millert 566: Users in this group are exempt from password and \s-1PATH\s0 requirements.
567: This is not set by default.
1.1 millert 568: .Ip "secure_path" 12
1.4 millert 569: Path used for every command run from \fBsudo\fR. If you don't trust the
1.5 millert 570: people running \fBsudo\fR to have a sane \f(CWPATH\fR environment variable you may
1.4 millert 571: want to use this. Another use is if you want to have the \*(L"root path\*(R"
572: be separate from the \*(L"user path.\*(R" This is not set by default.
1.3 millert 573: .Ip "verifypw" 12
574: This option controls when a password will be required when a
1.7 ! pjanzen 575: user runs \fBsudo\fR with \fB\-v\fR. It has the following possible values:
1.3 millert 576: .Sp
577: .Vb 3
1.4 millert 578: \& all All the user's I<sudoers> entries for the
1.3 millert 579: \& current host must have the C<NOPASSWD>
580: \& flag set to avoid entering a password.
581: .Ve
582: .Vb 4
1.4 millert 583: \& any At least one of the user's I<sudoers> entries
1.3 millert 584: \& for the current host must have the
585: \& C<NOPASSWD> flag set to avoid entering a
586: \& password.
587: .Ve
588: .Vb 2
589: \& never The user need never enter a password to use
590: \& the B<-v> flag.
591: .Ve
592: .Vb 2
593: \& always The user must always enter a password to use
594: \& the B<-v> flag.
595: .Ve
596: The default value is `all\*(R'.
597: .Ip "listpw" 12
598: This option controls when a password will be required when a
1.5 millert 599: user runs \fBsudo\fR with the \fB\-l\fR. It has the following possible values:
1.3 millert 600: .Sp
601: .Vb 3
1.4 millert 602: \& all All the user's I<sudoers> entries for the
1.3 millert 603: \& current host must have the C<NOPASSWD>
604: \& flag set to avoid entering a password.
605: .Ve
606: .Vb 4
1.4 millert 607: \& any At least one of the user's I<sudoers> entries
1.3 millert 608: \& for the current host must have the
609: \& C<NOPASSWD> flag set to avoid entering a
610: \& password.
611: .Ve
612: .Vb 2
613: \& never The user need never enter a password to use
614: \& the B<-l> flag.
615: .Ve
616: .Vb 2
617: \& always The user must always enter a password to use
618: \& the B<-l> flag.
619: .Ve
620: The default value is `any\*(R'.
1.1 millert 621: .PP
1.5 millert 622: When logging via \fIsyslog\fR\|(3), \fBsudo\fR accepts the following values for the syslog
1.1 millert 623: facility (the value of the \fBsyslog\fR Parameter): \fBauthpriv\fR (if your \s-1OS\s0
624: supports it), \fBauth\fR, \fBdaemon\fR, \fBuser\fR, \fBlocal0\fR, \fBlocal1\fR, \fBlocal2\fR,
625: \fBlocal3\fR, \fBlocal4\fR, \fBlocal5\fR, \fBlocal6\fR, and \fBlocal7\fR. The following
626: syslog priorities are supported: \fBalert\fR, \fBcrit\fR, \fBdebug\fR, \fBemerg\fR,
627: \fBerr\fR, \fBinfo\fR, \fBnotice\fR, and \fBwarning\fR.
628: .Sh "User Specification"
629: .PP
1.3 millert 630: .Vb 2
631: \& User_Spec ::= User_list Host_List '=' User_List Cmnd_Spec_List \e
632: \& (':' User_Spec)*
1.1 millert 633: .Ve
634: .Vb 2
635: \& Cmnd_Spec_List ::= Cmnd_Spec |
636: \& Cmnd_Spec ',' Cmnd_Spec_List
637: .Ve
638: .Vb 1
1.3 millert 639: \& Cmnd_Spec ::= Runas_Spec? ('NOPASSWD:' | 'PASSWD:')? Cmnd
640: .Ve
641: .Vb 1
642: \& Runas_Spec ::= '(' Runas_List ')'
1.1 millert 643: .Ve
644: A \fBuser specification\fR determines which commands a user may run
645: (and as what user) on specified hosts. By default, commands are
1.7 ! pjanzen 646: run as \fBroot\fR, but this can be changed on a per-command basis.
1.1 millert 647: .PP
648: Let's break that down into its constituent parts:
649: .Sh "Runas_Spec"
650: A \f(CWRunas_Spec\fR is simply a \f(CWRunas_List\fR (as defined above)
651: enclosed in a set of parentheses. If you do not specify a
652: \f(CWRunas_Spec\fR in the user specification, a default \f(CWRunas_Spec\fR
653: of \fBroot\fR will be used. A \f(CWRunas_Spec\fR sets the default for
654: commands that follow it. What this means is that for the entry:
655: .PP
656: .Vb 1
657: \& dgb boulder = (operator) /bin/ls, /bin/kill, /usr/bin/who
658: .Ve
659: The user \fBdgb\fR may run \fI/bin/ls\fR, \fI/bin/kill\fR, and
1.7 ! pjanzen 660: \fI/usr/bin/lprm\fR -- but only as \fBoperator\fR. E.g.,
1.1 millert 661: .PP
662: .Vb 1
663: \& sudo -u operator /bin/ls.
664: .Ve
665: It is also possible to override a \f(CWRunas_Spec\fR later on in an
666: entry. If we modify the entry like so:
667: .PP
668: .Vb 1
669: \& dgb boulder = (operator) /bin/ls, (root) /bin/kill, /usr/bin/lprm
670: .Ve
671: Then user \fBdgb\fR is now allowed to run \fI/bin/ls\fR as \fBoperator\fR,
672: but \fI/bin/kill\fR and \fI/usr/bin/lprm\fR as \fBroot\fR.
673: .Sh "\s-1NOPASSWD\s0 and \s-1PASSWD\s0"
674: By default, \fBsudo\fR requires that a user authenticate him or herself
675: before running a command. This behavior can be modified via the
676: \f(CWNOPASSWD\fR tag. Like a \f(CWRunas_Spec\fR, the \f(CWNOPASSWD\fR tag sets
677: a default for the commands that follow it in the \f(CWCmnd_Spec_List\fR.
678: Conversely, the \f(CWPASSWD\fR tag can be used to reverse things.
679: For example:
680: .PP
681: .Vb 1
682: \& ray rushmore = NOPASSWD: /bin/kill, /bin/ls, /usr/bin/lprm
683: .Ve
684: would allow the user \fBray\fR to run \fI/bin/kill\fR, \fI/bin/ls\fR, and
685: \fI/usr/bin/lprm\fR as root on the machine rushmore as \fBroot\fR without
686: authenticating himself. If we only want \fBray\fR to be able to
687: run \fI/bin/kill\fR without a password the entry would be:
688: .PP
689: .Vb 1
690: \& ray rushmore = NOPASSWD: /bin/kill, PASSWD: /bin/ls, /usr/bin/lprm
691: .Ve
1.7 ! pjanzen 692: Note, however, that the \f(CWPASSWD\fR tag has no effect on users who are
1.3 millert 693: in the group specified by the exempt_group option.
694: .PP
695: By default, if the \f(CWNOPASSWD\fR tag is applied to any of the entries
696: for a user on the current host, he or she will be able to run
697: \f(CWsudo -l\fR without a password. Additionally, a user may only run
698: \f(CWsudo -v\fR without a password if the \f(CWNOPASSWD\fR tag is present
699: for all a user's entries that pertain to the current host.
700: This behavior may be overridden via the verifypw and listpw options.
1.1 millert 701: .Sh "Wildcards (aka meta characters):"
702: \fBsudo\fR allows shell-style \fIwildcards\fR to be used in pathnames
703: as well as command line arguments in the \fIsudoers\fR file. Wildcard
704: matching is done via the \fB\s-1POSIX\s0\fR \f(CWfnmatch(3)\fR routine. Note that
705: these are \fInot\fR regular expressions.
706: .Ip "\f(CW*\fR" 8
707: Matches any set of zero or more characters.
708: .Ip "\f(CW?\fR" 8
709: Matches any single character.
710: .Ip "\f(CW[...]\fR" 8
711: Matches any character in the specified range.
712: .Ip "\f(CW[!...]\fR" 8
713: Matches any character \fBnot\fR in the specified range.
714: .Ip "\f(CW\ex\fR" 8
715: For any character \*(L"x\*(R", evaluates to \*(L"x\*(R". This is used to
716: escape special characters such as: \*(L"*\*(R", \*(L"?\*(R", \*(L"[\*(R", and \*(L"}\*(R".
717: .PP
718: Note that a forward slash ('/') will \fBnot\fR be matched by
719: wildcards used in the pathname. When matching the command
720: line arguments, however, as slash \fBdoes\fR get matched by
721: wildcards. This is to make a path like:
722: .PP
723: .Vb 1
724: \& /usr/bin/*
725: .Ve
726: match \f(CW/usr/bin/who\fR but not \f(CW/usr/bin/X11/xterm\fR.
727: .Sh "Exceptions to wildcard rules:"
728: The following exceptions apply to the above rules:
729: .Ip \f(CW""\fR 8
730: If the empty string \f(CW""\fR is the only command line argument in the
731: \fIsudoers\fR entry it means that command is not allowed to be run
732: with \fBany\fR arguments.
733: .Sh "Other special characters and reserved words:"
734: The pound sign ('#') is used to indicate a comment (unless it
735: occurs in the context of a user name and is followed by one or
736: more digits, in which case it is treated as a uid). Both the
737: comment character and any text after it, up to the end of the line,
738: are ignored.
739: .PP
1.2 aaron 740: The reserved word \fB\s-1ALL\s0\fR is a built in \fIalias\fR that always causes
1.1 millert 741: a match to succeed. It can be used wherever one might otherwise
742: use a \f(CWCmnd_Alias\fR, \f(CWUser_Alias\fR, \f(CWRunas_Alias\fR, or \f(CWHost_Alias\fR.
743: You should not try to define your own \fIalias\fR called \fB\s-1ALL\s0\fR as the
744: built in alias will be used in preference to your own. Please note
745: that using \fB\s-1ALL\s0\fR can be dangerous since in a command context, it
746: allows the user to run \fBany\fR command on the system.
747: .PP
748: An exclamation point (\*(R'!') can be used as a logical \fInot\fR operator
749: both in an \fIalias\fR and in front of a \f(CWCmnd\fR. This allows one to
750: exclude certain values. Note, however, that using a \f(CW!\fR in
751: conjunction with the built in \f(CWALL\fR alias to allow a user to
752: run \*(L"all but a few\*(R" commands rarely works as intended (see \s-1SECURITY\s0
753: \s-1NOTES\s0 below).
754: .PP
755: Long lines can be continued with a backslash (\*(R'\e') as the last
756: character on the line.
757: .PP
1.7 ! pjanzen 758: Whitespace between elements in a list as well as special syntactic
1.1 millert 759: characters in a \fIUser Specification\fR ('=\*(R', \*(L':\*(R', \*(L'(\*(R', \*(L')') is optional.
760: .PP
761: The following characters must be escaped with a backslash (\*(R'\e') when
1.6 krw 762: used as part of a word (e.g. a username or hostname):
1.1 millert 763: \&'@\*(R', \*(L'!\*(R', \*(L'=\*(R', \*(L':\*(R', \*(L',\*(R', \*(L'(\*(R', \*(L')\*(R', \*(L'\e\*(R'.
764: .SH "EXAMPLES"
765: Below are example \fIsudoers\fR entries. Admittedly, some of
766: these are a bit contrived. First, we define our \fIaliases\fR:
767: .PP
768: .Vb 4
769: \& # User alias specification
770: \& User_Alias FULLTIMERS = millert, mikef, dowdy
771: \& User_Alias PARTTIMERS = bostley, jwfox, crawl
772: \& User_Alias WEBMASTERS = will, wendy, wim
773: .Ve
774: .Vb 3
775: \& # Runas alias specification
776: \& Runas_Alias OP = root, operator
777: \& Runas_Alias DB = oracle, sybase
778: .Ve
779: .Vb 9
780: \& # Host alias specification
781: \& Host_Alias SPARC = bigtime, eclipse, moet, anchor :\e
782: \& SGI = grolsch, dandelion, black :\e
783: \& ALPHA = widget, thalamus, foobar :\e
784: \& HPPA = boa, nag, python
785: \& Host_Alias CUNETS = 128.138.0.0/255.255.0.0
786: \& Host_Alias CSNETS = 128.138.243.0, 128.138.204.0/24, 128.138.242.0
787: \& Host_Alias SERVERS = master, mail, www, ns
788: \& Host_Alias CDROM = orion, perseus, hercules
789: .Ve
790: .Vb 12
791: \& # Cmnd alias specification
792: \& Cmnd_Alias DUMPS = /usr/bin/mt, /usr/sbin/dump, /usr/sbin/rdump,\e
793: \& /usr/sbin/restore, /usr/sbin/rrestore
794: \& Cmnd_Alias KILL = /usr/bin/kill
795: \& Cmnd_Alias PRINTING = /usr/sbin/lpc, /usr/bin/lprm
796: \& Cmnd_Alias SHUTDOWN = /usr/sbin/shutdown
797: \& Cmnd_Alias HALT = /usr/sbin/halt, /usr/sbin/fasthalt
798: \& Cmnd_Alias REBOOT = /usr/sbin/reboot, /usr/sbin/fastboot
799: \& Cmnd_Alias SHELLS = /usr/bin/sh, /usr/bin/csh, /usr/bin/ksh, \e
800: \& /usr/local/bin/tcsh, /usr/bin/rsh, \e
801: \& /usr/local/bin/zsh
802: \& Cmnd_Alias SU = /usr/bin/su
803: .Ve
804: Here we override some of the compiled in default values. We want
1.5 millert 805: \fBsudo\fR to log via \fIsyslog\fR\|(3) using the \fIauth\fR facility in all cases.
1.1 millert 806: We don't want to subject the full time staff to the \fBsudo\fR lecture,
807: and user \fBmillert\fR need not give a password. In addition, on the
808: machines in the \fISERVERS\fR \f(CWHost_Alias\fR, we keep an additional
809: local log file and make sure we log the year in each log line since
810: the log entries will be kept around for several years.
811: .PP
812: .Vb 5
813: \& # Override builtin defaults
814: \& Defaults syslog=auth
815: \& Defaults:FULLTIMERS !lecture
816: \& Defaults:millert !authenticate
817: \& Defaults@SERVERS log_year, logfile=/var/log/sudo.log
818: .Ve
819: The \fIUser specification\fR is the part that actually determines who may
820: run what.
821: .PP
822: .Vb 2
823: \& root ALL = (ALL) ALL
824: \& %wheel ALL = (ALL) ALL
825: .Ve
826: We let \fBroot\fR and any user in group \fBwheel\fR run any command on any
827: host as any user.
828: .PP
829: .Vb 1
830: \& FULLTIMERS ALL = NOPASSWD: ALL
831: .Ve
832: Full time sysadmins (\fBmillert\fR, \fBmikef\fR, and \fBdowdy\fR) may run any
833: command on any host without authenticating themselves.
834: .PP
835: .Vb 1
836: \& PARTTIMERS ALL = ALL
837: .Ve
838: Part time sysadmins (\fBbostley\fR, \fBjwfox\fR, and \fBcrawl\fR) may run any
839: command on any host but they must authenticate themselves first
840: (since the entry lacks the \f(CWNOPASSWD\fR tag).
841: .PP
842: .Vb 1
843: \& jack CSNETS = ALL
844: .Ve
845: The user \fBjack\fR may run any command on the machines in the \fICSNETS\fR alias
846: (the networks \f(CW128.138.243.0\fR, \f(CW128.138.204.0\fR, and \f(CW128.138.242.0\fR).
847: Of those networks, only <128.138.204.0> has an explicit netmask (in
848: CIDR notation) indicating it is a class C network. For the other
849: networks in \fICSNETS\fR, the local machine's netmask will be used
850: during matching.
851: .PP
852: .Vb 1
853: \& lisa CUNETS = ALL
854: .Ve
855: The user \fBlisa\fR may run any command on any host in the \fICUNETS\fR alias
856: (the class B network \f(CW128.138.0.0\fR).
857: .PP
858: .Vb 2
859: \& operator ALL = DUMPS, KILL, PRINTING, SHUTDOWN, HALT, REBOOT,\e
860: \& /usr/oper/bin/
861: .Ve
862: The \fBoperator\fR user may run commands limited to simple maintenance.
863: Here, those are commands related to backups, killing processes, the
864: printing system, shutting down the system, and any commands in the
865: directory \fI/usr/oper/bin/\fR.
866: .PP
867: .Vb 1
868: \& joe ALL = /usr/bin/su operator
869: .Ve
870: The user \fBjoe\fR may only \fIsu\fR\|(1) to operator.
871: .PP
872: .Vb 1
873: \& pete HPPA = /usr/bin/passwd [A-z]*, !/usr/bin/passwd root
874: .Ve
875: The user \fBpete\fR is allowed to change anyone's password except for
876: root on the \fIHPPA\fR machines. Note that this assumes \fIpasswd\fR\|(1)
877: does not take multiple usernames on the command line.
878: .PP
879: .Vb 1
880: \& bob SPARC = (OP) ALL : SGI = (OP) ALL
881: .Ve
882: The user \fBbob\fR may run anything on the \fISPARC\fR and \fISGI\fR machines
883: as any user listed in the \fIOP\fR \f(CWRunas_Alias\fR (\fBroot\fR and \fBoperator\fR).
884: .PP
885: .Vb 1
886: \& jim +biglab = ALL
887: .Ve
888: The user \fBjim\fR may run any command on machines in the \fIbiglab\fR netgroup.
889: \fBSudo\fR knows that \*(L"biglab\*(R" is a netgroup due to the \*(L'+\*(R' prefix.
890: .PP
891: .Vb 1
892: \& +secretaries ALL = PRINTING, /usr/bin/adduser, /usr/bin/rmuser
893: .Ve
894: Users in the \fBsecretaries\fR netgroup need to help manage the printers
895: as well as add and remove users, so they are allowed to run those
896: commands on all machines.
897: .PP
898: .Vb 1
899: \& fred ALL = (DB) NOPASSWD: ALL
900: .Ve
901: The user \fBfred\fR can run commands as any user in the \fIDB\fR \f(CWRunas_Alias\fR
902: (\fBoracle\fR or \fBsybase\fR) without giving a password.
903: .PP
904: .Vb 1
905: \& john ALPHA = /usr/bin/su [!-]*, !/usr/bin/su *root*
906: .Ve
907: On the \fIALPHA\fR machines, user \fBjohn\fR may su to anyone except root
908: but he is not allowed to give \fIsu\fR\|(1) any flags.
909: .PP
910: .Vb 1
911: \& jen ALL, !SERVERS = ALL
912: .Ve
913: The user \fBjen\fR may run any command on any machine except for those
914: in the \fISERVERS\fR \f(CWHost_Alias\fR (master, mail, www and ns).
915: .PP
916: .Vb 1
917: \& jill SERVERS = /usr/bin/, !SU, !SHELLS
918: .Ve
919: For any machine in the \fISERVERS\fR \f(CWHost_Alias\fR, \fBjill\fR may run
920: any commands in the directory /usr/bin/ except for those commands
921: belonging to the \fISU\fR and \fISHELLS\fR \f(CWCmnd_Aliases\fR.
922: .PP
923: .Vb 1
924: \& steve CSNETS = (operator) /usr/local/op_commands/
925: .Ve
926: The user \fBsteve\fR may run any command in the directory /usr/local/op_commands/
927: but only as user operator.
928: .PP
929: .Vb 1
930: \& matt valkyrie = KILL
931: .Ve
932: On his personal workstation, valkyrie, \fBmatt\fR needs to be able to
933: kill hung processes.
934: .PP
935: .Vb 1
936: \& WEBMASTERS www = (www) ALL, (root) /usr/bin/su www
937: .Ve
938: On the host www, any user in the \fIWEBMASTERS\fR \f(CWUser_Alias\fR (will,
939: wendy, and wim), may run any command as user www (which owns the
940: web pages) or simply \fIsu\fR\|(1) to www.
941: .PP
942: .Vb 2
943: \& ALL CDROM = NOPASSWD: /sbin/umount /CDROM,\e
944: \& /sbin/mount -o nosuid\e,nodev /dev/cd0a /CDROM
945: .Ve
946: Any user may mount or unmount a CD\-ROM on the machines in the CDROM
947: \f(CWHost_Alias\fR (orion, perseus, hercules) without entering a password.
1.7 ! pjanzen 948: This is a bit tedious for users to type, so it is a prime candidate
1.1 millert 949: for encapsulating in a shell script.
950: .SH "SECURITY NOTES"
951: It is generally not effective to \*(L"subtract\*(R" commands from \f(CWALL\fR
952: using the \*(L'!\*(R' operator. A user can trivially circumvent this
953: by copying the desired command to a different name and then
954: executing that. For example:
955: .PP
956: .Vb 1
957: \& bill ALL = ALL, !SU, !SHELLS
958: .Ve
959: Doesn't really prevent \fBbill\fR from running the commands listed in
960: \fISU\fR or \fISHELLS\fR since he can simply copy those commands to a
961: different name, or use a shell escape from an editor or other
962: program. Therefore, these kind of restrictions should be considered
963: advisory at best (and reinforced by policy).
964: .SH "CAVEATS"
965: The \fIsudoers\fR file should \fBalways\fR be edited by the \fBvisudo\fR
966: command which locks the file and does grammatical checking. It is
967: imperative that \fIsudoers\fR be free of syntax errors since \fBsudo\fR
968: will not run with a syntactically incorrect \fIsudoers\fR file.
1.3 millert 969: .PP
970: When using netgroups of machines (as opposed to users), if you
1.5 millert 971: store fully qualified hostnames in the netgroup (as is usually the
972: case), you either need to have the machine's hostname be fully qualified
1.3 millert 973: as returned by the \f(CWhostname\fR command or use the \fIfqdn\fR option in
974: \fIsudoers\fR.
1.1 millert 975: .SH "FILES"
976: .PP
977: .Vb 3
978: \& /etc/sudoers List of who can run what
979: \& /etc/group Local groups file
980: \& /etc/netgroup List of network groups
981: .Ve
982: .SH "SEE ALSO"
983: \fIsudo\fR\|(8), \fIvisudo\fR\|(8), \fIsu\fR\|(1), \fIfnmatch\fR\|(3).
984:
985: .rn }` ''
986: .IX Title "sudoers 5"
987: .IX Name "sudoers - list of which users may execute what"
988:
989: .IX Header "NAME"
990:
991: .IX Header "DESCRIPTION"
992:
993: .IX Subsection "Quick guide to \s-1EBNF\s0"
994:
995: .IX Item "\f(CW?\fR"
996:
997: .IX Item "\f(CW*\fR"
998:
999: .IX Item "\f(CW+\fR"
1000:
1001: .IX Subsection "Aliases"
1002:
1003: .IX Subsection "Defaults"
1004:
1005: .IX Item "long_otp_prompt"
1006:
1007: .IX Item "ignore_dot"
1008:
1009: .IX Item "mail_always"
1010:
1011: .IX Item "mail_no_user"
1012:
1013: .IX Item "mail_no_host"
1014:
1015: .IX Item "mail_no_perms"
1016:
1017: .IX Item "tty_tickets"
1018:
1019: .IX Item "lecture"
1020:
1021: .IX Item "authenticate"
1022:
1023: .IX Item "root_sudo"
1024:
1025: .IX Item "log_host"
1026:
1027: .IX Item "log_year"
1028:
1029: .IX Item "shell_noargs"
1030:
1031: .IX Item "set_home"
1032:
1033: .IX Item "path_info"
1034:
1035: .IX Item "fqdn"
1036:
1037: .IX Item "insults"
1038:
1039: .IX Item "requiretty"
1040:
1.5 millert 1041: .IX Item "env_editor"
1042:
1043: .IX Item "rootpw"
1044:
1045: .IX Item "runaspw"
1046:
1047: .IX Item "targetpw"
1048:
1049: .IX Item "set_logname"
1050:
1.1 millert 1051: .IX Item "passwd_tries"
1052:
1053: .IX Item "loglinelen"
1054:
1055: .IX Item "timestamp_timeout"
1056:
1057: .IX Item "passwd_timeout"
1058:
1059: .IX Item "umask"
1060:
1061: .IX Item "mailsub"
1062:
1063: .IX Item "badpass_message"
1064:
1065: .IX Item "timestampdir"
1066:
1067: .IX Item "passprompt"
1068:
1069: .IX Item "runas_default"
1070:
1071: .IX Item "syslog_goodpri"
1072:
1073: .IX Item "syslog_badpri"
1.5 millert 1074:
1075: .IX Item "editor"
1076:
1077: .IX Item "logfile"
1.1 millert 1078:
1079: .IX Item "syslog"
1080:
1081: .IX Item "mailerpath"
1082:
1083: .IX Item "mailerflags"
1084:
1085: .IX Item "mailto"
1086:
1087: .IX Item "exempt_group"
1088:
1089: .IX Item "secure_path"
1090:
1.3 millert 1091: .IX Item "verifypw"
1092:
1093: .IX Item "listpw"
1094:
1.1 millert 1095: .IX Subsection "User Specification"
1096:
1097: .IX Subsection "Runas_Spec"
1098:
1099: .IX Subsection "\s-1NOPASSWD\s0 and \s-1PASSWD\s0"
1100:
1101: .IX Subsection "Wildcards (aka meta characters):"
1102:
1103: .IX Item "\f(CW*\fR"
1104:
1105: .IX Item "\f(CW?\fR"
1106:
1107: .IX Item "\f(CW[...]\fR"
1108:
1109: .IX Item "\f(CW[!...]\fR"
1110:
1111: .IX Item "\f(CW\ex\fR"
1112:
1113: .IX Subsection "Exceptions to wildcard rules:"
1114:
1.3 millert 1115: .IX Item \f(CW""\fR
1.1 millert 1116:
1117: .IX Subsection "Other special characters and reserved words:"
1118:
1119: .IX Header "EXAMPLES"
1120:
1121: .IX Header "SECURITY NOTES"
1122:
1123: .IX Header "CAVEATS"
1124:
1125: .IX Header "FILES"
1126:
1127: .IX Header "SEE ALSO"
1128: