Annotation of src/usr.bin/sudo/sudoers.5, Revision 1.9
1.9 ! millert 1: .\" Automatically generated by Pod::Man version 1.15
! 2: .\" Sun Dec 30 12:24:30 2001
! 3: .\"
! 4: .\" Standard preamble:
! 5: .\" ======================================================================
! 6: .de Sh \" Subsection heading
1.1 millert 7: .br
8: .if t .Sp
9: .ne 5
10: .PP
11: \fB\\$1\fR
12: .PP
13: ..
1.9 ! millert 14: .de Sp \" Vertical space (when we can't use .PP)
1.1 millert 15: .if t .sp .5v
16: .if n .sp
17: ..
1.9 ! millert 18: .de Ip \" List item
1.1 millert 19: .br
20: .ie \\n(.$>=3 .ne \\$3
21: .el .ne 3
22: .IP "\\$1" \\$2
23: ..
1.9 ! millert 24: .de Vb \" Begin verbatim text
1.1 millert 25: .ft CW
26: .nf
27: .ne \\$1
28: ..
1.9 ! millert 29: .de Ve \" End verbatim text
1.1 millert 30: .ft R
31:
32: .fi
33: ..
1.9 ! millert 34: .\" Set up some character translations and predefined strings. \*(-- will
! 35: .\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
! 36: .\" double quote, and \*(R" will give a right double quote. | will give a
! 37: .\" real vertical bar. \*(C+ will give a nicer C++. Capital omega is used
! 38: .\" to do unbreakable dashes and therefore won't be available. \*(C` and
! 39: .\" \*(C' expand to `' in nroff, nothing in troff, for use with C<>
1.1 millert 40: .tr \(*W-|\(bv\*(Tr
1.9 ! millert 41: .ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
1.1 millert 42: .ie n \{\
1.9 ! millert 43: . ds -- \(*W-
! 44: . ds PI pi
! 45: . if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
! 46: . if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
! 47: . ds L" ""
! 48: . ds R" ""
! 49: . ds C`
! 50: . ds C'
1.1 millert 51: 'br\}
52: .el\{\
1.9 ! millert 53: . ds -- \|\(em\|
! 54: . ds PI \(*p
! 55: . ds L" ``
! 56: . ds R" ''
1.1 millert 57: 'br\}
1.9 ! millert 58: .\"
! 59: .\" If the F register is turned on, we'll generate index entries on stderr
! 60: .\" for titles (.TH), headers (.SH), subsections (.Sh), items (.Ip), and
! 61: .\" index entries marked with X<> in POD. Of course, you'll have to process
! 62: .\" the output yourself in some meaningful fashion.
! 63: .if \nF \{\
! 64: . de IX
! 65: . tm Index:\\$1\t\\n%\t"\\$2"
1.1 millert 66: ..
1.9 ! millert 67: . nr % 0
! 68: . rr F
1.1 millert 69: .\}
1.9 ! millert 70: .\"
! 71: .\" For nroff, turn off justification. Always turn off hyphenation; it
! 72: .\" makes way too many mistakes in technical documents.
! 73: .hy 0
1.1 millert 74: .if n .na
1.9 ! millert 75: .\"
! 76: .\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
! 77: .\" Fear. Run. Save yourself. No user-serviceable parts.
1.1 millert 78: .bd B 3
1.9 ! millert 79: . \" fudge factors for nroff and troff
1.1 millert 80: .if n \{\
1.9 ! millert 81: . ds #H 0
! 82: . ds #V .8m
! 83: . ds #F .3m
! 84: . ds #[ \f1
! 85: . ds #] \fP
1.1 millert 86: .\}
87: .if t \{\
1.9 ! millert 88: . ds #H ((1u-(\\\\n(.fu%2u))*.13m)
! 89: . ds #V .6m
! 90: . ds #F 0
! 91: . ds #[ \&
! 92: . ds #] \&
1.1 millert 93: .\}
1.9 ! millert 94: . \" simple accents for nroff and troff
1.1 millert 95: .if n \{\
1.9 ! millert 96: . ds ' \&
! 97: . ds ` \&
! 98: . ds ^ \&
! 99: . ds , \&
! 100: . ds ~ ~
! 101: . ds /
1.1 millert 102: .\}
103: .if t \{\
1.9 ! millert 104: . ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
! 105: . ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
! 106: . ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
! 107: . ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
! 108: . ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
! 109: . ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
1.1 millert 110: .\}
1.9 ! millert 111: . \" troff and (daisy-wheel) nroff accents
1.1 millert 112: .ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
113: .ds 8 \h'\*(#H'\(*b\h'-\*(#H'
114: .ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
115: .ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
116: .ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
117: .ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
118: .ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
119: .ds ae a\h'-(\w'a'u*4/10)'e
120: .ds Ae A\h'-(\w'A'u*4/10)'E
1.9 ! millert 121: . \" corrections for vroff
1.1 millert 122: .if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
123: .if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
1.9 ! millert 124: . \" for low resolution devices (crt and lpr)
1.1 millert 125: .if \n(.H>23 .if \n(.V>19 \
126: \{\
1.9 ! millert 127: . ds : e
! 128: . ds 8 ss
! 129: . ds o a
! 130: . ds d- d\h'-1'\(ga
! 131: . ds D- D\h'-1'\(hy
! 132: . ds th \o'bp'
! 133: . ds Th \o'LP'
! 134: . ds ae ae
! 135: . ds Ae AE
1.1 millert 136: .\}
137: .rm #[ #] #H #V #F C
1.9 ! millert 138: .\" ======================================================================
! 139: .\"
! 140: .IX Title "sudoers 5"
! 141: .TH sudoers 5 "1.6.4" "December 30, 2001" "MAINTENANCE COMMANDS"
! 142: .UC
1.1 millert 143: .SH "NAME"
144: sudoers \- list of which users may execute what
145: .SH "DESCRIPTION"
1.9 ! millert 146: .IX Header "DESCRIPTION"
1.7 pjanzen 147: The \fIsudoers\fR file is composed of two types of entries:
1.1 millert 148: aliases (basically variables) and user specifications
149: (which specify who may run what). The grammar of \fIsudoers\fR
1.9 ! millert 150: will be described below in Extended Backus-Naur Form (\s-1EBNF\s0).
! 151: Don't despair if you don't know what \s-1EBNF\s0 is; it is fairly
1.7 pjanzen 152: simple, and the definitions below are annotated.
1.1 millert 153: .Sh "Quick guide to \s-1EBNF\s0"
1.9 ! millert 154: .IX Subsection "Quick guide to EBNF"
! 155: \&\s-1EBNF\s0 is a concise and exact way of describing the grammar of a language.
1.7 pjanzen 156: Each \s-1EBNF\s0 definition is made up of \fIproduction rules\fR. E.g.,
1.1 millert 157: .PP
158: .Vb 1
159: \& symbol ::= definition | alternate1 | alternate2 ...
160: .Ve
161: Each \fIproduction rule\fR references others and thus makes up a
162: grammar for the language. \s-1EBNF\s0 also contains the following
163: operators, which many readers will recognize from regular
164: expressions. Do not, however, confuse them with \*(L"wildcard\*(R"
165: characters, which have different meanings.
1.9 ! millert 166: .Ip "\f(CW\*(C`?\*(C'\fR" 8
! 167: .IX Item "?"
1.1 millert 168: Means that the preceding symbol (or group of symbols) is optional.
169: That is, it may appear once or not at all.
1.9 ! millert 170: .Ip "\f(CW\*(C`*\*(C'\fR" 8
! 171: .IX Item "*"
1.1 millert 172: Means that the preceding symbol (or group of symbols) may appear
173: zero or more times.
1.9 ! millert 174: .Ip "\f(CW\*(C`+\*(C'\fR" 8
! 175: .IX Item "+"
1.1 millert 176: Means that the preceding symbol (or group of symbols) may appear
177: one or more times.
178: .PP
179: Parentheses may be used to group symbols together. For clarity,
180: we will use single quotes ('') to designate what is a verbatim character
181: string (as opposed to a symbol name).
182: .Sh "Aliases"
1.9 ! millert 183: .IX Subsection "Aliases"
! 184: There are four kinds of aliases: \f(CW\*(C`User_Alias\*(C'\fR, \f(CW\*(C`Runas_Alias\*(C'\fR,
! 185: \&\f(CW\*(C`Host_Alias\*(C'\fR and \f(CW\*(C`Cmnd_Alias\*(C'\fR.
1.1 millert 186: .PP
187: .Vb 4
1.9 ! millert 188: \& Alias ::= 'User_Alias' User_Alias (':' User_Alias)* |
! 189: \& 'Runas_Alias' Runas_Alias (':' Runas_Alias)* |
! 190: \& 'Host_Alias' Host_Alias (':' Host_Alias)* |
! 191: \& 'Cmnd_Alias' Cmnd_Alias (':' Cmnd_Alias)*
1.1 millert 192: .Ve
193: .Vb 1
194: \& User_Alias ::= NAME '=' User_List
195: .Ve
196: .Vb 1
1.9 ! millert 197: \& Runas_Alias ::= NAME '=' Runas_List
1.1 millert 198: .Ve
199: .Vb 1
200: \& Host_Alias ::= NAME '=' Host_List
201: .Ve
202: .Vb 1
203: \& Cmnd_Alias ::= NAME '=' Cmnd_List
204: .Ve
205: .Vb 1
206: \& NAME ::= [A-Z]([A-Z][0-9]_)*
207: .Ve
208: Each \fIalias\fR definition is of the form
209: .PP
210: .Vb 1
211: \& Alias_Type NAME = item1, item2, ...
212: .Ve
1.9 ! millert 213: where \fIAlias_Type\fR is one of \f(CW\*(C`User_Alias\*(C'\fR, \f(CW\*(C`Runas_Alias\*(C'\fR, \f(CW\*(C`Host_Alias\*(C'\fR,
! 214: or \f(CW\*(C`Cmnd_Alias\*(C'\fR. A \f(CW\*(C`NAME\*(C'\fR is a string of uppercase letters, numbers,
! 215: and the underscore characters ('_'). A \f(CW\*(C`NAME\*(C'\fR \fBmust\fR start with an
1.7 pjanzen 216: uppercase letter. It is possible to put several alias definitions
1.8 jufi 217: of the same type on a single line, joined by a colon (':'). E.g.,
1.1 millert 218: .PP
219: .Vb 1
220: \& Alias_Type NAME = item1, item2, item3 : NAME = item4, item5
221: .Ve
222: The definitions of what constitutes a valid \fIalias\fR member follow.
223: .PP
224: .Vb 2
225: \& User_List ::= User |
226: \& User ',' User_List
227: .Ve
1.9 ! millert 228: .Vb 4
1.1 millert 229: \& User ::= '!'* username |
230: \& '!'* '%'group |
231: \& '!'* '+'netgroup |
232: \& '!'* User_Alias
233: .Ve
1.9 ! millert 234: A \f(CW\*(C`User_List\*(C'\fR is made up of one or more usernames, uids
! 235: (prefixed with '#'), System groups (prefixed with '%'),
! 236: netgroups (prefixed with '+') and other aliases. Each list
! 237: item may be prefixed with one or more '!' operators. An odd number
! 238: of '!' operators negate the value of the item; an even number
1.1 millert 239: just cancel each other out.
240: .PP
241: .Vb 2
242: \& Runas_List ::= Runas_User |
243: \& Runas_User ',' Runas_List
244: .Ve
245: .Vb 5
246: \& Runas_User ::= '!'* username |
247: \& '!'* '#'uid |
248: \& '!'* '%'group |
249: \& '!'* +netgroup |
250: \& '!'* Runas_Alias
251: .Ve
1.9 ! millert 252: A \f(CW\*(C`Runas_List\*(C'\fR is similar to a \f(CW\*(C`User_List\*(C'\fR except that it can
! 253: also contain uids (prefixed with '#') and instead of \f(CW\*(C`User_Alias\*(C'\fRes
! 254: it can contain \f(CW\*(C`Runas_Alias\*(C'\fRes.
1.1 millert 255: .PP
256: .Vb 2
257: \& Host_List ::= Host |
258: \& Host ',' Host_List
259: .Ve
260: .Vb 5
261: \& Host ::= '!'* hostname |
262: \& '!'* ip_addr |
263: \& '!'* network(/netmask)? |
264: \& '!'* '+'netgroup |
265: \& '!'* Host_Alias
266: .Ve
1.9 ! millert 267: A \f(CW\*(C`Host_List\*(C'\fR is made up of one or more hostnames, \s-1IP\s0 addresses,
! 268: network numbers, netgroups (prefixed with '+') and other aliases.
! 269: Again, the value of an item may be negated with the '!' operator.
1.1 millert 270: If you do not specify a netmask with a network number, the netmask
271: of the host's ethernet \fIinterface\fR\|(s) will be used when matching.
1.6 krw 272: The netmask may be specified either in dotted quad notation (e.g.
273: 255.255.255.0) or \s-1CIDR\s0 notation (number of bits, e.g. 24). A hostname
1.9 ! millert 274: may include shell-style wildcards (see `Wildcards' section below),
! 275: but unless the \f(CW\*(C`hostname\*(C'\fR command on your machine returns the fully
1.5 millert 276: qualified hostname, you'll need to use the \fIfqdn\fR option for wildcards
277: to be useful.
1.1 millert 278: .PP
279: .Vb 2
280: \& Cmnd_List ::= Cmnd |
281: \& Cmnd ',' Cmnd_List
282: .Ve
283: .Vb 3
284: \& commandname ::= filename |
285: \& filename args |
286: \& filename '""'
287: .Ve
288: .Vb 3
289: \& Cmnd ::= '!'* commandname |
290: \& '!'* directory |
291: \& '!'* Cmnd_Alias
292: .Ve
1.9 ! millert 293: A \f(CW\*(C`Cmnd_List\*(C'\fR is a list of one or more commandnames, directories, and other
1.5 millert 294: aliases. A commandname is a fully qualified filename which may include
1.9 ! millert 295: shell-style wildcards (see `Wildcards' section below). A simple
1.1 millert 296: filename allows the user to run the command with any arguments he/she
1.9 ! millert 297: wishes. However, you may also specify command line arguments (including
! 298: wildcards). Alternately, you can specify \f(CW\*(C`""\*(C'\fR to indicate that the command
1.1 millert 299: may only be run \fBwithout\fR command line arguments. A directory is a
1.9 ! millert 300: fully qualified pathname ending in a '/'. When you specify a directory
! 301: in a \f(CW\*(C`Cmnd_List\*(C'\fR, the user will be able to run any file within that directory
1.1 millert 302: (but not in any subdirectories therein).
303: .PP
1.9 ! millert 304: If a \f(CW\*(C`Cmnd\*(C'\fR has associated command line arguments, then the arguments
! 305: in the \f(CW\*(C`Cmnd\*(C'\fR must match exactly those given by the user on the command line
1.1 millert 306: (or match the wildcards if there are any). Note that the following
1.9 ! millert 307: characters must be escaped with a '\e' if they are used in command
! 308: arguments: ',', ':', '=', '\e'.
1.1 millert 309: .Sh "Defaults"
1.9 ! millert 310: .IX Subsection "Defaults"
1.1 millert 311: Certain configuration options may be changed from their default
1.9 ! millert 312: values at runtime via one or more \f(CW\*(C`Default_Entry\*(C'\fR lines. These
1.1 millert 313: may affect all users on any host, all users on a specific host,
314: or just a specific user. When multiple entries match, they are
315: applied in order. Where there are conflicting values, the last
316: value on a matching line takes effect.
317: .PP
318: .Vb 3
319: \& Default_Type ::= 'Defaults' ||
320: \& 'Defaults' ':' User ||
321: \& 'Defaults' '@' Host
322: .Ve
323: .Vb 1
324: \& Default_Entry ::= Default_Type Parameter_List
325: .Ve
1.9 ! millert 326: .Vb 4
1.1 millert 327: \& Parameter ::= Parameter '=' Value ||
1.9 ! millert 328: \& Parameter '+=' Value ||
! 329: \& Parameter '-=' Value ||
1.1 millert 330: \& '!'* Parameter ||
331: .Ve
1.9 ! millert 332: Parameters may be \fBflags\fR, \fBinteger\fR values, \fBstrings\fR, or \fBlists\fR.
! 333: Flags are implicitly boolean and can be turned off via the '!'
! 334: operator. Some integer, string and list parameters may also be
! 335: used in a boolean context to disable them. Values may be enclosed
! 336: in double quotes (\f(CW\*(C`"\*(C'\fR) when they contain multiple words. Special
! 337: characters may be escaped with a backslash (\f(CW\*(C`\e\*(C'\fR).
! 338: .PP
! 339: Lists have two additional assignment operators, \f(CW\*(C`+=\*(C'\fR and \f(CW\*(C`\-=\*(C'\fR.
! 340: These operators are used to add to and delete from a list respectively.
! 341: It is not an error to use the \f(CW\*(C`\-=\*(C'\fR operator to remove an element
! 342: that does not exist in a list.
! 343: .PP
! 344: Note that since the \fIsudoers\fR file is parsed in order the best place
! 345: to put the Defaults section is after the Host, User, and Cmnd aliases
! 346: but before the user specifications.
1.1 millert 347: .PP
1.9 ! millert 348: \&\fBFlags\fR:
1.1 millert 349: .Ip "long_otp_prompt" 12
1.9 ! millert 350: .IX Item "long_otp_prompt"
1.4 millert 351: When validating with a One Time Password scheme (\fBS/Key\fR or \fB\s-1OPIE\s0\fR),
352: a two-line prompt is used to make it easier to cut and paste the
353: challenge to a local window. It's not as pretty as the default but
1.9 ! millert 354: some people find it more convenient. This flag is \fIoff\fR
! 355: by default.
1.1 millert 356: .Ip "ignore_dot" 12
1.9 ! millert 357: .IX Item "ignore_dot"
! 358: If set, \fBsudo\fR will ignore '.' or '' (current dir) in the \f(CW\*(C`PATH\*(C'\fR
! 359: environment variable; the \f(CW\*(C`PATH\*(C'\fR itself is not modified. This
! 360: flag is \fIoff\fR by default.
1.1 millert 361: .Ip "mail_always" 12
1.9 ! millert 362: .IX Item "mail_always"
1.5 millert 363: Send mail to the \fImailto\fR user every time a users runs \fBsudo\fR.
1.9 ! millert 364: This flag is \fIoff\fR by default.
! 365: .Ip "mail_badpass" 12
! 366: .IX Item "mail_badpass"
! 367: Send mail to the \fImailto\fR user if the user running sudo does not
! 368: enter the correct password. This flag is \fIoff\fR by default.
1.1 millert 369: .Ip "mail_no_user" 12
1.9 ! millert 370: .IX Item "mail_no_user"
1.4 millert 371: If set, mail will be sent to the \fImailto\fR user if the invoking
1.9 ! millert 372: user is not in the \fIsudoers\fR file. This flag is \fIon\fR
! 373: by default.
1.1 millert 374: .Ip "mail_no_host" 12
1.9 ! millert 375: .IX Item "mail_no_host"
1.4 millert 376: If set, mail will be sent to the \fImailto\fR user if the invoking
377: user exists in the \fIsudoers\fR file, but is not allowed to run
1.9 ! millert 378: commands on the current host. This flag is \fIoff\fR by default.
1.1 millert 379: .Ip "mail_no_perms" 12
1.9 ! millert 380: .IX Item "mail_no_perms"
1.4 millert 381: If set, mail will be sent to the \fImailto\fR user if the invoking
1.5 millert 382: user allowed to use \fBsudo\fR but the command they are trying is not
1.9 ! millert 383: listed in their \fIsudoers\fR file entry. This flag is \fIoff\fR
! 384: by default.
1.1 millert 385: .Ip "tty_tickets" 12
1.9 ! millert 386: .IX Item "tty_tickets"
1.4 millert 387: If set, users must authenticate on a per-tty basis. Normally,
1.9 ! millert 388: \&\fBsudo\fR uses a directory in the ticket dir with the same name as
1.4 millert 389: the user running it. With this flag enabled, \fBsudo\fR will use a
390: file named for the tty the user is logged in on in that directory.
1.9 ! millert 391: This flag is \fIoff\fR by default.
1.1 millert 392: .Ip "lecture" 12
1.9 ! millert 393: .IX Item "lecture"
1.4 millert 394: If set, a user will receive a short lecture the first time he/she
1.9 ! millert 395: runs \fBsudo\fR. This flag is \fIon\fR by default.
1.1 millert 396: .Ip "authenticate" 12
1.9 ! millert 397: .IX Item "authenticate"
1.4 millert 398: If set, users must authenticate themselves via a password (or other
399: means of authentication) before they may run commands. This default
1.9 ! millert 400: may be overridden via the \f(CW\*(C`PASSWD\*(C'\fR and \f(CW\*(C`NOPASSWD\*(C'\fR tags.
! 401: This flag is \fIon\fR by default.
1.1 millert 402: .Ip "root_sudo" 12
1.9 ! millert 403: .IX Item "root_sudo"
1.5 millert 404: If set, root is allowed to run \fBsudo\fR too. Disabling this prevents users
405: from \*(L"chaining\*(R" \fBsudo\fR commands to get a root shell by doing something
1.9 ! millert 406: like \f(CW\*(C`"sudo sudo /bin/sh"\*(C'\fR.
! 407: This flag is \fIon\fR by default.
1.1 millert 408: .Ip "log_host" 12
1.9 ! millert 409: .IX Item "log_host"
1.4 millert 410: If set, the hostname will be logged in the (non-syslog) \fBsudo\fR log file.
1.9 ! millert 411: This flag is \fIoff\fR by default.
1.1 millert 412: .Ip "log_year" 12
1.9 ! millert 413: .IX Item "log_year"
1.4 millert 414: If set, the four-digit year will be logged in the (non-syslog) \fBsudo\fR log file.
1.9 ! millert 415: This flag is \fIoff\fR by default.
1.1 millert 416: .Ip "shell_noargs" 12
1.9 ! millert 417: .IX Item "shell_noargs"
1.4 millert 418: If set and \fBsudo\fR is invoked with no arguments it acts as if the
1.9 ! millert 419: \&\fB\-s\fR flag had been given. That is, it runs a shell as root (the
! 420: shell is determined by the \f(CW\*(C`SHELL\*(C'\fR environment variable if it is
1.4 millert 421: set, falling back on the shell listed in the invoking user's
1.9 ! millert 422: /etc/passwd entry if not). This flag is \fIoff\fR by default.
1.1 millert 423: .Ip "set_home" 12
1.9 ! millert 424: .IX Item "set_home"
! 425: If set and \fBsudo\fR is invoked with the \fB\-s\fR flag the \f(CW\*(C`HOME\*(C'\fR
1.4 millert 426: environment variable will be set to the home directory of the target
1.9 ! millert 427: user (which is root unless the \fB\-u\fR option is used). This effectively
! 428: makes the \fB\-s\fR flag imply \fB\-H\fR. This flag is \fIoff\fR by default.
! 429: .Ip "always_set_home" 12
! 430: .IX Item "always_set_home"
! 431: If set, \fBsudo\fR will set the \f(CW\*(C`HOME\*(C'\fR environment variable to the home
! 432: directory of the target user (which is root unless the \fB\-u\fR option is used).
! 433: This effectively means that the \fB\-H\fR flag is always implied.
! 434: This flag is \fIoff\fR by default.
1.1 millert 435: .Ip "path_info" 12
1.9 ! millert 436: .IX Item "path_info"
1.4 millert 437: Normally, \fBsudo\fR will tell the user when a command could not be
1.9 ! millert 438: found in their \f(CW\*(C`PATH\*(C'\fR environment variable. Some sites may wish
! 439: to disable this as it could be used to gather information on the
! 440: location of executables that the normal user does not have access
! 441: to. The disadvantage is that if the executable is simply not in
! 442: the user's \f(CW\*(C`PATH\*(C'\fR, \fBsudo\fR will tell the user that they are not
! 443: allowed to run it, which can be confusing. This flag is \fIoff\fR by
! 444: default.
! 445: .Ip "preserve_groups" 12
! 446: .IX Item "preserve_groups"
! 447: By default \fBsudo\fR will initialize the group vector to the list of
! 448: groups the target user is in. When \fIpreserve_groups\fR is set, the
! 449: user's existing group vector is left unaltered. The real and
! 450: effective group IDs, however, are still set to match the target
! 451: user. This flag is \fIoff\fR by default.
1.1 millert 452: .Ip "fqdn" 12
1.9 ! millert 453: .IX Item "fqdn"
1.4 millert 454: Set this flag if you want to put fully qualified hostnames in the
1.9 ! millert 455: \&\fIsudoers\fR file. I.e.: instead of myhost you would use myhost.mydomain.edu.
1.4 millert 456: You may still use the short form if you wish (and even mix the two).
1.5 millert 457: Beware that turning on \fIfqdn\fR requires \fBsudo\fR to make \s-1DNS\s0 lookups
1.4 millert 458: which may make \fBsudo\fR unusable if \s-1DNS\s0 stops working (for example
459: if the machine is not plugged into the network). Also note that
460: you must use the host's official name as \s-1DNS\s0 knows it. That is,
1.9 ! millert 461: you may not use a host alias (\f(CW\*(C`CNAME\*(C'\fR entry) due to performance
1.4 millert 462: issues and the fact that there is no way to get all aliases from
1.9 ! millert 463: \&\s-1DNS\s0. If your machine's hostname (as returned by the \f(CW\*(C`hostname\*(C'\fR
1.4 millert 464: command) is already fully qualified you shouldn't need to set
1.9 ! millert 465: \&\fIfqdn\fR. This flag is \fIoff\fR by default.
1.1 millert 466: .Ip "insults" 12
1.9 ! millert 467: .IX Item "insults"
1.5 millert 468: If set, \fBsudo\fR will insult users when they enter an incorrect
1.9 ! millert 469: password. This flag is \fIon\fR by default.
1.1 millert 470: .Ip "requiretty" 12
1.9 ! millert 471: .IX Item "requiretty"
1.5 millert 472: If set, \fBsudo\fR will only run when the user is logged in to a real
1.9 ! millert 473: tty. This will disallow things like \f(CW\*(C`"rsh somehost sudo ls"\*(C'\fR since
! 474: \&\fIrsh\fR\|(1) does not allocate a tty. Because it is not possible to turn
1.4 millert 475: of echo when there is no tty present, some sites may with to set
476: this flag to prevent a user from entering a visible password. This
1.9 ! millert 477: flag is \fIoff\fR by default.
1.5 millert 478: .Ip "env_editor" 12
1.9 ! millert 479: .IX Item "env_editor"
! 480: If set, \fBvisudo\fR will use the value of the \s-1EDITOR\s0 or \s-1VISUAL\s0
! 481: environment variables before falling back on the default editor list.
! 482: Note that this may create a security hole as it allows the user to
! 483: run any arbitrary command as root without logging. A safer alternative
! 484: is to place a colon-separated list of editors in the \f(CW\*(C`editor\*(C'\fR
! 485: variable. \fBvisudo\fR will then only use the \s-1EDITOR\s0 or \s-1VISUAL\s0 if
! 486: they match a value specified in \f(CW\*(C`editor\*(C'\fR. This flag is \f(CW\*(C`on\*(C'\fR by
! 487: default.
1.5 millert 488: .Ip "rootpw" 12
1.9 ! millert 489: .IX Item "rootpw"
1.5 millert 490: If set, \fBsudo\fR will prompt for the root password instead of the password
1.9 ! millert 491: of the invoking user. This flag is \fIoff\fR by default.
1.5 millert 492: .Ip "runaspw" 12
1.9 ! millert 493: .IX Item "runaspw"
1.5 millert 494: If set, \fBsudo\fR will prompt for the password of the user defined by the
1.9 ! millert 495: \&\fIrunas_default\fR option (defaults to \f(CW\*(C`root\*(C'\fR) instead of the password
! 496: of the invoking user. This flag is \fIoff\fR by default.
1.5 millert 497: .Ip "targetpw" 12
1.9 ! millert 498: .IX Item "targetpw"
1.5 millert 499: If set, \fBsudo\fR will prompt for the password of the user specified by
1.9 ! millert 500: the \fB\-u\fR flag (defaults to \f(CW\*(C`root\*(C'\fR) instead of the password of the
! 501: invoking user. This flag is \fIoff\fR by default.
1.5 millert 502: .Ip "set_logname" 12
1.9 ! millert 503: .IX Item "set_logname"
! 504: Normally, \fBsudo\fR will set the \f(CW\*(C`LOGNAME\*(C'\fR and \f(CW\*(C`USER\*(C'\fR environment variables
! 505: to the name of the target user (usually root unless the \fB\-u\fR flag is given).
1.5 millert 506: However, since some programs (including the \s-1RCS\s0 revision control system)
1.9 ! millert 507: use \f(CW\*(C`LOGNAME\*(C'\fR to determine the real identity of the user, it may be desirable
1.5 millert 508: to change this behavior. This can be done by negating the set_logname option.
1.9 ! millert 509: .Ip "stay_setuid" 12
! 510: .IX Item "stay_setuid"
! 511: Normally, when \fBsudo\fR executes a command the real and effective
! 512: UIDs are set to the target user (root by default). This option
! 513: changes that behavior such that the real \s-1UID\s0 is left as the invoking
! 514: user's \s-1UID\s0. In other words, this makes \fBsudo\fR act as a setuid
! 515: wrapper. This can be useful on systems that disable some potentially
! 516: dangerous functionality when a program is run setuid.
! 517: .Ip "env_reset" 12
! 518: .IX Item "env_reset"
! 519: If set, \fBsudo\fR will reset the environment to only contain the
! 520: following variables: \f(CW\*(C`HOME\*(C'\fR, \f(CW\*(C`LOGNAME\*(C'\fR, \f(CW\*(C`PATH\*(C'\fR, \f(CW\*(C`SHELL\*(C'\fR, \f(CW\*(C`TERM\*(C'\fR,
! 521: and \f(CW\*(C`USER\*(C'\fR (in addition to the \f(CW\*(C`SUDO_*\*(C'\fR variables).
! 522: Of these, only \f(CW\*(C`TERM\*(C'\fR is copied unaltered from the old environment.
! 523: The other variables are set to default values (possibly modified
! 524: by the value of the \fIset_logname\fR option). If \fBsudo\fR was compiled
! 525: with the \f(CW\*(C`SECURE_PATH\*(C'\fR option, its value will be used for the \f(CW\*(C`PATH\*(C'\fR
! 526: environment variable.
! 527: Other variables may be preserved with the \fIenv_keep\fR option.
! 528: .Ip "use_loginclass" 12
! 529: .IX Item "use_loginclass"
! 530: If set, \fBsudo\fR will apply the defaults specified for the target user's
! 531: login class if one exists. Only available if \fBsudo\fR is configured with
! 532: the \-\-with-logincap option. This flag is \fIoff\fR by default.
1.1 millert 533: .PP
1.9 ! millert 534: \&\fBIntegers\fR:
1.1 millert 535: .Ip "passwd_tries" 12
1.9 ! millert 536: .IX Item "passwd_tries"
1.4 millert 537: The number of tries a user gets to enter his/her password before
1.9 ! millert 538: \&\fBsudo\fR logs the failure and exits. The default is \f(CW\*(C`3\*(C'\fR.
1.1 millert 539: .PP
1.9 ! millert 540: \&\fBIntegers that can be used in a boolean context\fR:
1.1 millert 541: .Ip "loglinelen" 12
1.9 ! millert 542: .IX Item "loglinelen"
1.4 millert 543: Number of characters per line for the file log. This value is used
544: to decide when to wrap lines for nicer log files. This has no
545: effect on the syslog log file, only the file log. The default is
1.9 ! millert 546: \&\f(CW\*(C`80\*(C'\fR (use 0 or negate the option to disable word wrap).
1.1 millert 547: .Ip "timestamp_timeout" 12
1.9 ! millert 548: .IX Item "timestamp_timeout"
! 549: Number of minutes that can elapse before \fBsudo\fR will ask for a
! 550: passwd again. The default is \f(CW\*(C`5\*(C'\fR. Set this to \f(CW\*(C`0\*(C'\fR to always
! 551: prompt for a password.
! 552: If set to a value less than \f(CW\*(C`0\*(C'\fR the user's timestamp will never
! 553: expire. This can be used to allow users to create or delete their
! 554: own timestamps via \f(CW\*(C`sudo \-v\*(C'\fR and \f(CW\*(C`sudo \-k\*(C'\fR respectively.
1.1 millert 555: .Ip "passwd_timeout" 12
1.9 ! millert 556: .IX Item "passwd_timeout"
1.5 millert 557: Number of minutes before the \fBsudo\fR password prompt times out.
1.9 ! millert 558: The default is \f(CW\*(C`5\*(C'\fR, set this to \f(CW\*(C`0\*(C'\fR for no password timeout.
1.1 millert 559: .Ip "umask" 12
1.9 ! millert 560: .IX Item "umask"
! 561: Umask to use when running the command. Negate this option or set
! 562: it to 0777 to preserve the user's umask. The default is \f(CW\*(C`0022\*(C'\fR.
1.1 millert 563: .PP
1.9 ! millert 564: \&\fBStrings\fR:
1.1 millert 565: .Ip "mailsub" 12
1.9 ! millert 566: .IX Item "mailsub"
! 567: Subject of the mail sent to the \fImailto\fR user. The escape \f(CW\*(C`%h\*(C'\fR
1.4 millert 568: will expand to the hostname of the machine.
1.9 ! millert 569: Default is \f(CW\*(C`*** SECURITY information for %h ***\*(C'\fR.
1.1 millert 570: .Ip "badpass_message" 12
1.9 ! millert 571: .IX Item "badpass_message"
1.4 millert 572: Message that is displayed if a user enters an incorrect password.
1.9 ! millert 573: The default is \f(CW\*(C`Sorry, try again.\*(C'\fR unless insults are enabled.
1.1 millert 574: .Ip "timestampdir" 12
1.9 ! millert 575: .IX Item "timestampdir"
1.4 millert 576: The directory in which \fBsudo\fR stores its timestamp files.
1.9 ! millert 577: The default is \fI/var/run/sudo\fR.
1.1 millert 578: .Ip "passprompt" 12
1.9 ! millert 579: .IX Item "passprompt"
1.4 millert 580: The default prompt to use when asking for a password; can be overridden
1.9 ! millert 581: via the \fB\-p\fR option or the \f(CW\*(C`SUDO_PROMPT\*(C'\fR environment variable. Supports
1.4 millert 582: two escapes: \*(L"%u\*(R" expands to the user's login name and \*(L"%h\*(R" expands
1.9 ! millert 583: to the local hostname. The default value is \f(CW\*(C`Password:\*(C'\fR.
1.1 millert 584: .Ip "runas_default" 12
1.9 ! millert 585: .IX Item "runas_default"
! 586: The default user to run commands as if the \fB\-u\fR flag is not specified
! 587: on the command line. This defaults to \f(CW\*(C`root\*(C'\fR.
1.1 millert 588: .Ip "syslog_goodpri" 12
1.9 ! millert 589: .IX Item "syslog_goodpri"
1.4 millert 590: Syslog priority to use when user authenticates successfully.
1.9 ! millert 591: Defaults to \f(CW\*(C`notice\*(C'\fR.
1.1 millert 592: .Ip "syslog_badpri" 12
1.9 ! millert 593: .IX Item "syslog_badpri"
1.4 millert 594: Syslog priority to use when user authenticates unsuccessfully.
1.9 ! millert 595: Defaults to \f(CW\*(C`alert\*(C'\fR.
1.5 millert 596: .Ip "editor" 12
1.9 ! millert 597: .IX Item "editor"
! 598: A colon (':') separated list of editors allowed to be used with
! 599: \&\fBvisudo\fR. \fBvisudo\fR will choose the editor that matches the user's
! 600: \&\s-1USER\s0 environment variable if possible, or the first editor in the
! 601: list that exists and is executable. The default is the path to vi
! 602: on your system.
1.1 millert 603: .PP
1.9 ! millert 604: \&\fBStrings that can be used in a boolean context\fR:
1.5 millert 605: .Ip "logfile" 12
1.9 ! millert 606: .IX Item "logfile"
1.5 millert 607: Path to the \fBsudo\fR log file (not the syslog log file). Setting a path
1.7 pjanzen 608: turns on logging to a file; negating this option turns it off.
1.1 millert 609: .Ip "syslog" 12
1.9 ! millert 610: .IX Item "syslog"
1.4 millert 611: Syslog facility if syslog is being used for logging (negate to
1.9 ! millert 612: disable syslog logging). Defaults to \f(CW\*(C`authpriv\*(C'\fR.
1.1 millert 613: .Ip "mailerpath" 12
1.9 ! millert 614: .IX Item "mailerpath"
1.4 millert 615: Path to mail program used to send warning mail.
616: Defaults to the path to sendmail found at configure time.
1.1 millert 617: .Ip "mailerflags" 12
1.9 ! millert 618: .IX Item "mailerflags"
! 619: Flags to use when invoking mailer. Defaults to \fB\-t\fR.
1.1 millert 620: .Ip "mailto" 12
1.9 ! millert 621: .IX Item "mailto"
! 622: Address to send warning and error mail to. The address should
! 623: be enclosed in double quotes (\f(CW\*(C`"\*(C'\fR) to protect against sudo
! 624: interpreting the \f(CW\*(C`@\*(C'\fR sign. Defaults to \f(CW\*(C`root\*(C'\fR.
1.1 millert 625: .Ip "exempt_group" 12
1.9 ! millert 626: .IX Item "exempt_group"
1.4 millert 627: Users in this group are exempt from password and \s-1PATH\s0 requirements.
628: This is not set by default.
1.3 millert 629: .Ip "verifypw" 12
1.9 ! millert 630: .IX Item "verifypw"
! 631: This option controls when a password will be required when a user runs
! 632: \&\fBsudo\fR with the \fB\-v\fR flag. It has the following possible values:
! 633: .RS 12
! 634: .Ip "all" 8
! 635: .IX Item "all"
! 636: All the user's \fIsudoers\fR entries for the current host must have
! 637: the \f(CW\*(C`NOPASSWD\*(C'\fR flag set to avoid entering a password.
! 638: .Ip "any" 8
! 639: .IX Item "any"
! 640: At least one of the user's \fIsudoers\fR entries for the current host
! 641: must have the \f(CW\*(C`NOPASSWD\*(C'\fR flag set to avoid entering a password.
! 642: .Ip "never" 8
! 643: .IX Item "never"
! 644: The user need never enter a password to use the \fB\-v\fR flag.
! 645: .Ip "always" 8
! 646: .IX Item "always"
! 647: The user must always enter a password to use the \fB\-v\fR flag.
! 648: .RE
! 649: .RS 12
1.3 millert 650: .Sp
1.9 ! millert 651: The default value is `all'.
! 652: .RE
1.3 millert 653: .Ip "listpw" 12
1.9 ! millert 654: .IX Item "listpw"
1.3 millert 655: This option controls when a password will be required when a
1.5 millert 656: user runs \fBsudo\fR with the \fB\-l\fR. It has the following possible values:
1.9 ! millert 657: .RS 12
! 658: .Ip "all" 8
! 659: .IX Item "all"
! 660: All the user's \fIsudoers\fR entries for the current host must have
! 661: the \f(CW\*(C`NOPASSWD\*(C'\fR flag set to avoid entering a password.
! 662: .Ip "any" 8
! 663: .IX Item "any"
! 664: At least one of the user's \fIsudoers\fR entries for the current host
! 665: must have the \f(CW\*(C`NOPASSWD\*(C'\fR flag set to avoid entering a password.
! 666: .Ip "never" 8
! 667: .IX Item "never"
! 668: The user need never enter a password to use the \fB\-l\fR flag.
! 669: .Ip "always" 8
! 670: .IX Item "always"
! 671: The user must always enter a password to use the \fB\-l\fR flag.
! 672: .RE
! 673: .RS 12
1.3 millert 674: .Sp
1.9 ! millert 675: The default value is `any'.
! 676: .RE
! 677: .PP
! 678: \&\fBLists that can be used in a boolean context\fR:
! 679: .Ip "env_check" 12
! 680: .IX Item "env_check"
! 681: Environment variables to be removed from the user's environment if
! 682: the variable's value contains \f(CW\*(C`%\*(C'\fR or \f(CW\*(C`/\*(C'\fR characters. This can
! 683: be used to guard against printf-style format vulnerabilties in
! 684: poorly-written programs. The argument may be a double-quoted,
! 685: space-separated list or a single value without double-quotes. The
! 686: list can be replaced, added to, deleted from, or disabled by using
! 687: the \f(CW\*(C`=\*(C'\fR, \f(CW\*(C`+=\*(C'\fR, \f(CW\*(C`\-=\*(C'\fR, and \f(CW\*(C`!\*(C'\fR operators respectively. The default
! 688: list of environment variable to check is printed when \fBsudo\fR is
! 689: run by root with the \fI\-V\fR option.
! 690: .Ip "env_delete" 12
! 691: .IX Item "env_delete"
! 692: Environment variables to be removed from the user's environment.
! 693: The argument may be a double-quoted, space-separated list or a
! 694: single value without double-quotes. The list can be replaced, added
! 695: to, deleted from, or disabled by using the \f(CW\*(C`=\*(C'\fR, \f(CW\*(C`+=\*(C'\fR, \f(CW\*(C`\-=\*(C'\fR, and
! 696: \&\f(CW\*(C`!\*(C'\fR operators respectively. The default list of environment
! 697: variable to remove is printed when \fBsudo\fR is run by root with the
! 698: \&\fI\-V\fR option.
! 699: .Ip "env_keep" 12
! 700: .IX Item "env_keep"
! 701: Environment variables to be preserved in the user's environment
! 702: when the \fIenv_reset\fR option is in effect. This allows fine-grained
! 703: control over the environment \fBsudo\fR\-spawned processes will receive.
! 704: The argument may be a double-quoted, space-separated list or a
! 705: single value without double-quotes. The list can be replaced, added
! 706: to, deleted from, or disabled by using the \f(CW\*(C`=\*(C'\fR, \f(CW\*(C`+=\*(C'\fR, \f(CW\*(C`\-=\*(C'\fR, and
! 707: \&\f(CW\*(C`!\*(C'\fR operators respectively. This list has no default members.
1.1 millert 708: .PP
1.5 millert 709: When logging via \fIsyslog\fR\|(3), \fBsudo\fR accepts the following values for the syslog
1.1 millert 710: facility (the value of the \fBsyslog\fR Parameter): \fBauthpriv\fR (if your \s-1OS\s0
711: supports it), \fBauth\fR, \fBdaemon\fR, \fBuser\fR, \fBlocal0\fR, \fBlocal1\fR, \fBlocal2\fR,
1.9 ! millert 712: \&\fBlocal3\fR, \fBlocal4\fR, \fBlocal5\fR, \fBlocal6\fR, and \fBlocal7\fR. The following
1.1 millert 713: syslog priorities are supported: \fBalert\fR, \fBcrit\fR, \fBdebug\fR, \fBemerg\fR,
1.9 ! millert 714: \&\fBerr\fR, \fBinfo\fR, \fBnotice\fR, and \fBwarning\fR.
1.1 millert 715: .Sh "User Specification"
1.9 ! millert 716: .IX Subsection "User Specification"
1.3 millert 717: .Vb 2
1.9 ! millert 718: \& User_Spec ::= User_list Host_List '=' Cmnd_Spec_List \e
1.3 millert 719: \& (':' User_Spec)*
1.1 millert 720: .Ve
721: .Vb 2
722: \& Cmnd_Spec_List ::= Cmnd_Spec |
723: \& Cmnd_Spec ',' Cmnd_Spec_List
724: .Ve
725: .Vb 1
1.3 millert 726: \& Cmnd_Spec ::= Runas_Spec? ('NOPASSWD:' | 'PASSWD:')? Cmnd
727: .Ve
728: .Vb 1
729: \& Runas_Spec ::= '(' Runas_List ')'
1.1 millert 730: .Ve
731: A \fBuser specification\fR determines which commands a user may run
732: (and as what user) on specified hosts. By default, commands are
1.7 pjanzen 733: run as \fBroot\fR, but this can be changed on a per-command basis.
1.1 millert 734: .PP
735: Let's break that down into its constituent parts:
736: .Sh "Runas_Spec"
1.9 ! millert 737: .IX Subsection "Runas_Spec"
! 738: A \f(CW\*(C`Runas_Spec\*(C'\fR is simply a \f(CW\*(C`Runas_List\*(C'\fR (as defined above)
1.1 millert 739: enclosed in a set of parentheses. If you do not specify a
1.9 ! millert 740: \&\f(CW\*(C`Runas_Spec\*(C'\fR in the user specification, a default \f(CW\*(C`Runas_Spec\*(C'\fR
! 741: of \fBroot\fR will be used. A \f(CW\*(C`Runas_Spec\*(C'\fR sets the default for
1.1 millert 742: commands that follow it. What this means is that for the entry:
743: .PP
744: .Vb 1
745: \& dgb boulder = (operator) /bin/ls, /bin/kill, /usr/bin/who
746: .Ve
747: The user \fBdgb\fR may run \fI/bin/ls\fR, \fI/bin/kill\fR, and
1.9 ! millert 748: \&\fI/usr/bin/lprm\fR \*(-- but only as \fBoperator\fR. E.g.,
1.1 millert 749: .PP
750: .Vb 1
751: \& sudo -u operator /bin/ls.
752: .Ve
1.9 ! millert 753: It is also possible to override a \f(CW\*(C`Runas_Spec\*(C'\fR later on in an
1.1 millert 754: entry. If we modify the entry like so:
755: .PP
756: .Vb 1
757: \& dgb boulder = (operator) /bin/ls, (root) /bin/kill, /usr/bin/lprm
758: .Ve
759: Then user \fBdgb\fR is now allowed to run \fI/bin/ls\fR as \fBoperator\fR,
760: but \fI/bin/kill\fR and \fI/usr/bin/lprm\fR as \fBroot\fR.
761: .Sh "\s-1NOPASSWD\s0 and \s-1PASSWD\s0"
1.9 ! millert 762: .IX Subsection "NOPASSWD and PASSWD"
1.1 millert 763: By default, \fBsudo\fR requires that a user authenticate him or herself
764: before running a command. This behavior can be modified via the
1.9 ! millert 765: \&\f(CW\*(C`NOPASSWD\*(C'\fR tag. Like a \f(CW\*(C`Runas_Spec\*(C'\fR, the \f(CW\*(C`NOPASSWD\*(C'\fR tag sets
! 766: a default for the commands that follow it in the \f(CW\*(C`Cmnd_Spec_List\*(C'\fR.
! 767: Conversely, the \f(CW\*(C`PASSWD\*(C'\fR tag can be used to reverse things.
1.1 millert 768: For example:
769: .PP
770: .Vb 1
771: \& ray rushmore = NOPASSWD: /bin/kill, /bin/ls, /usr/bin/lprm
772: .Ve
773: would allow the user \fBray\fR to run \fI/bin/kill\fR, \fI/bin/ls\fR, and
1.9 ! millert 774: \&\fI/usr/bin/lprm\fR as root on the machine rushmore as \fBroot\fR without
1.1 millert 775: authenticating himself. If we only want \fBray\fR to be able to
776: run \fI/bin/kill\fR without a password the entry would be:
777: .PP
778: .Vb 1
779: \& ray rushmore = NOPASSWD: /bin/kill, PASSWD: /bin/ls, /usr/bin/lprm
780: .Ve
1.9 ! millert 781: Note, however, that the \f(CW\*(C`PASSWD\*(C'\fR tag has no effect on users who are
1.3 millert 782: in the group specified by the exempt_group option.
783: .PP
1.9 ! millert 784: By default, if the \f(CW\*(C`NOPASSWD\*(C'\fR tag is applied to any of the entries
1.3 millert 785: for a user on the current host, he or she will be able to run
1.9 ! millert 786: \&\f(CW\*(C`sudo \-l\*(C'\fR without a password. Additionally, a user may only run
! 787: \&\f(CW\*(C`sudo \-v\*(C'\fR without a password if the \f(CW\*(C`NOPASSWD\*(C'\fR tag is present
1.3 millert 788: for all a user's entries that pertain to the current host.
789: This behavior may be overridden via the verifypw and listpw options.
1.1 millert 790: .Sh "Wildcards (aka meta characters):"
1.9 ! millert 791: .IX Subsection "Wildcards (aka meta characters):"
! 792: \&\fBsudo\fR allows shell-style \fIwildcards\fR to be used in pathnames
1.1 millert 793: as well as command line arguments in the \fIsudoers\fR file. Wildcard
1.9 ! millert 794: matching is done via the \fB\s-1POSIX\s0\fR \f(CW\*(C`fnmatch(3)\*(C'\fR routine. Note that
1.1 millert 795: these are \fInot\fR regular expressions.
1.9 ! millert 796: .Ip "\f(CW\*(C`*\*(C'\fR" 8
! 797: .IX Item "*"
1.1 millert 798: Matches any set of zero or more characters.
1.9 ! millert 799: .Ip "\f(CW\*(C`?\*(C'\fR" 8
! 800: .IX Item "?"
1.1 millert 801: Matches any single character.
1.9 ! millert 802: .Ip "\f(CW\*(C`[...]\*(C'\fR" 8
! 803: .IX Item "[...]"
1.1 millert 804: Matches any character in the specified range.
1.9 ! millert 805: .Ip "\f(CW\*(C`[!...]\*(C'\fR" 8
! 806: .IX Item "[!...]"
1.1 millert 807: Matches any character \fBnot\fR in the specified range.
1.9 ! millert 808: .Ip "\f(CW\*(C`\ex\*(C'\fR" 8
! 809: .IX Item "x"
1.1 millert 810: For any character \*(L"x\*(R", evaluates to \*(L"x\*(R". This is used to
811: escape special characters such as: \*(L"*\*(R", \*(L"?\*(R", \*(L"[\*(R", and \*(L"}\*(R".
812: .PP
813: Note that a forward slash ('/') will \fBnot\fR be matched by
814: wildcards used in the pathname. When matching the command
815: line arguments, however, as slash \fBdoes\fR get matched by
816: wildcards. This is to make a path like:
817: .PP
818: .Vb 1
819: \& /usr/bin/*
820: .Ve
1.9 ! millert 821: match \f(CW\*(C`/usr/bin/who\*(C'\fR but not \f(CW\*(C`/usr/bin/X11/xterm\*(C'\fR.
1.1 millert 822: .Sh "Exceptions to wildcard rules:"
1.9 ! millert 823: .IX Subsection "Exceptions to wildcard rules:"
1.1 millert 824: The following exceptions apply to the above rules:
1.9 ! millert 825: .if n .Ip "\f(CW""""""""\fR" 8
! 826: .el .Ip "\f(CW``''\fR" 8
! 827: .IX Item """""
! 828: If the empty string \f(CW\*(C`""\*(C'\fR is the only command line argument in the
! 829: \&\fIsudoers\fR entry it means that command is not allowed to be run
1.1 millert 830: with \fBany\fR arguments.
831: .Sh "Other special characters and reserved words:"
1.9 ! millert 832: .IX Subsection "Other special characters and reserved words:"
1.1 millert 833: The pound sign ('#') is used to indicate a comment (unless it
834: occurs in the context of a user name and is followed by one or
835: more digits, in which case it is treated as a uid). Both the
836: comment character and any text after it, up to the end of the line,
837: are ignored.
838: .PP
1.2 aaron 839: The reserved word \fB\s-1ALL\s0\fR is a built in \fIalias\fR that always causes
1.1 millert 840: a match to succeed. It can be used wherever one might otherwise
1.9 ! millert 841: use a \f(CW\*(C`Cmnd_Alias\*(C'\fR, \f(CW\*(C`User_Alias\*(C'\fR, \f(CW\*(C`Runas_Alias\*(C'\fR, or \f(CW\*(C`Host_Alias\*(C'\fR.
1.1 millert 842: You should not try to define your own \fIalias\fR called \fB\s-1ALL\s0\fR as the
843: built in alias will be used in preference to your own. Please note
844: that using \fB\s-1ALL\s0\fR can be dangerous since in a command context, it
845: allows the user to run \fBany\fR command on the system.
846: .PP
1.9 ! millert 847: An exclamation point ('!') can be used as a logical \fInot\fR operator
! 848: both in an \fIalias\fR and in front of a \f(CW\*(C`Cmnd\*(C'\fR. This allows one to
! 849: exclude certain values. Note, however, that using a \f(CW\*(C`!\*(C'\fR in
! 850: conjunction with the built in \f(CW\*(C`ALL\*(C'\fR alias to allow a user to
1.1 millert 851: run \*(L"all but a few\*(R" commands rarely works as intended (see \s-1SECURITY\s0
1.9 ! millert 852: \&\s-1NOTES\s0 below).
1.1 millert 853: .PP
1.9 ! millert 854: Long lines can be continued with a backslash ('\e') as the last
1.1 millert 855: character on the line.
856: .PP
1.7 pjanzen 857: Whitespace between elements in a list as well as special syntactic
1.9 ! millert 858: characters in a \fIUser Specification\fR ('=', ':', '(', ')') is optional.
1.1 millert 859: .PP
1.9 ! millert 860: The following characters must be escaped with a backslash ('\e') when
1.6 krw 861: used as part of a word (e.g. a username or hostname):
1.9 ! millert 862: \&'@', '!', '=', ':', ',', '(', ')', '\e'.
1.1 millert 863: .SH "EXAMPLES"
1.9 ! millert 864: .IX Header "EXAMPLES"
1.1 millert 865: Below are example \fIsudoers\fR entries. Admittedly, some of
866: these are a bit contrived. First, we define our \fIaliases\fR:
867: .PP
868: .Vb 4
869: \& # User alias specification
870: \& User_Alias FULLTIMERS = millert, mikef, dowdy
871: \& User_Alias PARTTIMERS = bostley, jwfox, crawl
872: \& User_Alias WEBMASTERS = will, wendy, wim
873: .Ve
874: .Vb 3
875: \& # Runas alias specification
876: \& Runas_Alias OP = root, operator
877: \& Runas_Alias DB = oracle, sybase
878: .Ve
879: .Vb 9
880: \& # Host alias specification
881: \& Host_Alias SPARC = bigtime, eclipse, moet, anchor :\e
882: \& SGI = grolsch, dandelion, black :\e
883: \& ALPHA = widget, thalamus, foobar :\e
884: \& HPPA = boa, nag, python
885: \& Host_Alias CUNETS = 128.138.0.0/255.255.0.0
886: \& Host_Alias CSNETS = 128.138.243.0, 128.138.204.0/24, 128.138.242.0
887: \& Host_Alias SERVERS = master, mail, www, ns
888: \& Host_Alias CDROM = orion, perseus, hercules
889: .Ve
890: .Vb 12
891: \& # Cmnd alias specification
892: \& Cmnd_Alias DUMPS = /usr/bin/mt, /usr/sbin/dump, /usr/sbin/rdump,\e
893: \& /usr/sbin/restore, /usr/sbin/rrestore
894: \& Cmnd_Alias KILL = /usr/bin/kill
895: \& Cmnd_Alias PRINTING = /usr/sbin/lpc, /usr/bin/lprm
896: \& Cmnd_Alias SHUTDOWN = /usr/sbin/shutdown
897: \& Cmnd_Alias HALT = /usr/sbin/halt, /usr/sbin/fasthalt
898: \& Cmnd_Alias REBOOT = /usr/sbin/reboot, /usr/sbin/fastboot
899: \& Cmnd_Alias SHELLS = /usr/bin/sh, /usr/bin/csh, /usr/bin/ksh, \e
900: \& /usr/local/bin/tcsh, /usr/bin/rsh, \e
901: \& /usr/local/bin/zsh
902: \& Cmnd_Alias SU = /usr/bin/su
903: .Ve
904: Here we override some of the compiled in default values. We want
1.9 ! millert 905: \&\fBsudo\fR to log via \fIsyslog\fR\|(3) using the \fIauth\fR facility in all cases.
1.1 millert 906: We don't want to subject the full time staff to the \fBsudo\fR lecture,
907: and user \fBmillert\fR need not give a password. In addition, on the
1.9 ! millert 908: machines in the \fI\s-1SERVERS\s0\fR \f(CW\*(C`Host_Alias\*(C'\fR, we keep an additional
1.1 millert 909: local log file and make sure we log the year in each log line since
910: the log entries will be kept around for several years.
911: .PP
912: .Vb 5
1.9 ! millert 913: \& # Override built in defaults
1.1 millert 914: \& Defaults syslog=auth
915: \& Defaults:FULLTIMERS !lecture
916: \& Defaults:millert !authenticate
917: \& Defaults@SERVERS log_year, logfile=/var/log/sudo.log
918: .Ve
919: The \fIUser specification\fR is the part that actually determines who may
920: run what.
921: .PP
922: .Vb 2
923: \& root ALL = (ALL) ALL
924: \& %wheel ALL = (ALL) ALL
925: .Ve
926: We let \fBroot\fR and any user in group \fBwheel\fR run any command on any
927: host as any user.
928: .PP
929: .Vb 1
930: \& FULLTIMERS ALL = NOPASSWD: ALL
931: .Ve
932: Full time sysadmins (\fBmillert\fR, \fBmikef\fR, and \fBdowdy\fR) may run any
933: command on any host without authenticating themselves.
934: .PP
935: .Vb 1
936: \& PARTTIMERS ALL = ALL
937: .Ve
938: Part time sysadmins (\fBbostley\fR, \fBjwfox\fR, and \fBcrawl\fR) may run any
939: command on any host but they must authenticate themselves first
1.9 ! millert 940: (since the entry lacks the \f(CW\*(C`NOPASSWD\*(C'\fR tag).
1.1 millert 941: .PP
942: .Vb 1
943: \& jack CSNETS = ALL
944: .Ve
1.9 ! millert 945: The user \fBjack\fR may run any command on the machines in the \fI\s-1CSNETS\s0\fR alias
! 946: (the networks \f(CW\*(C`128.138.243.0\*(C'\fR, \f(CW\*(C`128.138.204.0\*(C'\fR, and \f(CW\*(C`128.138.242.0\*(C'\fR).
! 947: Of those networks, only \f(CW\*(C`128.138.204.0\*(C'\fR has an explicit netmask (in
! 948: \&\s-1CIDR\s0 notation) indicating it is a class C network. For the other
! 949: networks in \fI\s-1CSNETS\s0\fR, the local machine's netmask will be used
1.1 millert 950: during matching.
951: .PP
952: .Vb 1
953: \& lisa CUNETS = ALL
954: .Ve
1.9 ! millert 955: The user \fBlisa\fR may run any command on any host in the \fI\s-1CUNETS\s0\fR alias
! 956: (the class B network \f(CW\*(C`128.138.0.0\*(C'\fR).
1.1 millert 957: .PP
958: .Vb 2
959: \& operator ALL = DUMPS, KILL, PRINTING, SHUTDOWN, HALT, REBOOT,\e
960: \& /usr/oper/bin/
961: .Ve
962: The \fBoperator\fR user may run commands limited to simple maintenance.
963: Here, those are commands related to backups, killing processes, the
964: printing system, shutting down the system, and any commands in the
965: directory \fI/usr/oper/bin/\fR.
966: .PP
967: .Vb 1
968: \& joe ALL = /usr/bin/su operator
969: .Ve
970: The user \fBjoe\fR may only \fIsu\fR\|(1) to operator.
971: .PP
972: .Vb 1
973: \& pete HPPA = /usr/bin/passwd [A-z]*, !/usr/bin/passwd root
974: .Ve
975: The user \fBpete\fR is allowed to change anyone's password except for
1.9 ! millert 976: root on the \fI\s-1HPPA\s0\fR machines. Note that this assumes \fIpasswd\fR\|(1)
1.1 millert 977: does not take multiple usernames on the command line.
978: .PP
979: .Vb 1
980: \& bob SPARC = (OP) ALL : SGI = (OP) ALL
981: .Ve
1.9 ! millert 982: The user \fBbob\fR may run anything on the \fI\s-1SPARC\s0\fR and \fI\s-1SGI\s0\fR machines
! 983: as any user listed in the \fI\s-1OP\s0\fR \f(CW\*(C`Runas_Alias\*(C'\fR (\fBroot\fR and \fBoperator\fR).
1.1 millert 984: .PP
985: .Vb 1
986: \& jim +biglab = ALL
987: .Ve
988: The user \fBjim\fR may run any command on machines in the \fIbiglab\fR netgroup.
1.9 ! millert 989: \&\fBSudo\fR knows that \*(L"biglab\*(R" is a netgroup due to the '+' prefix.
1.1 millert 990: .PP
991: .Vb 1
992: \& +secretaries ALL = PRINTING, /usr/bin/adduser, /usr/bin/rmuser
993: .Ve
994: Users in the \fBsecretaries\fR netgroup need to help manage the printers
995: as well as add and remove users, so they are allowed to run those
996: commands on all machines.
997: .PP
998: .Vb 1
999: \& fred ALL = (DB) NOPASSWD: ALL
1000: .Ve
1.9 ! millert 1001: The user \fBfred\fR can run commands as any user in the \fI\s-1DB\s0\fR \f(CW\*(C`Runas_Alias\*(C'\fR
1.1 millert 1002: (\fBoracle\fR or \fBsybase\fR) without giving a password.
1003: .PP
1004: .Vb 1
1005: \& john ALPHA = /usr/bin/su [!-]*, !/usr/bin/su *root*
1006: .Ve
1.9 ! millert 1007: On the \fI\s-1ALPHA\s0\fR machines, user \fBjohn\fR may su to anyone except root
1.1 millert 1008: but he is not allowed to give \fIsu\fR\|(1) any flags.
1009: .PP
1010: .Vb 1
1011: \& jen ALL, !SERVERS = ALL
1012: .Ve
1013: The user \fBjen\fR may run any command on any machine except for those
1.9 ! millert 1014: in the \fI\s-1SERVERS\s0\fR \f(CW\*(C`Host_Alias\*(C'\fR (master, mail, www and ns).
1.1 millert 1015: .PP
1016: .Vb 1
1017: \& jill SERVERS = /usr/bin/, !SU, !SHELLS
1018: .Ve
1.9 ! millert 1019: For any machine in the \fI\s-1SERVERS\s0\fR \f(CW\*(C`Host_Alias\*(C'\fR, \fBjill\fR may run
1.1 millert 1020: any commands in the directory /usr/bin/ except for those commands
1.9 ! millert 1021: belonging to the \fI\s-1SU\s0\fR and \fI\s-1SHELLS\s0\fR \f(CW\*(C`Cmnd_Aliases\*(C'\fR.
1.1 millert 1022: .PP
1023: .Vb 1
1024: \& steve CSNETS = (operator) /usr/local/op_commands/
1025: .Ve
1026: The user \fBsteve\fR may run any command in the directory /usr/local/op_commands/
1027: but only as user operator.
1028: .PP
1029: .Vb 1
1030: \& matt valkyrie = KILL
1031: .Ve
1032: On his personal workstation, valkyrie, \fBmatt\fR needs to be able to
1033: kill hung processes.
1034: .PP
1035: .Vb 1
1036: \& WEBMASTERS www = (www) ALL, (root) /usr/bin/su www
1037: .Ve
1.9 ! millert 1038: On the host www, any user in the \fI\s-1WEBMASTERS\s0\fR \f(CW\*(C`User_Alias\*(C'\fR (will,
1.1 millert 1039: wendy, and wim), may run any command as user www (which owns the
1040: web pages) or simply \fIsu\fR\|(1) to www.
1041: .PP
1042: .Vb 2
1043: \& ALL CDROM = NOPASSWD: /sbin/umount /CDROM,\e
1044: \& /sbin/mount -o nosuid\e,nodev /dev/cd0a /CDROM
1045: .Ve
1.9 ! millert 1046: Any user may mount or unmount a \s-1CD-ROM\s0 on the machines in the \s-1CDROM\s0
! 1047: \&\f(CW\*(C`Host_Alias\*(C'\fR (orion, perseus, hercules) without entering a password.
1.7 pjanzen 1048: This is a bit tedious for users to type, so it is a prime candidate
1.1 millert 1049: for encapsulating in a shell script.
1050: .SH "SECURITY NOTES"
1.9 ! millert 1051: .IX Header "SECURITY NOTES"
! 1052: It is generally not effective to \*(L"subtract\*(R" commands from \f(CW\*(C`ALL\*(C'\fR
! 1053: using the '!' operator. A user can trivially circumvent this
1.1 millert 1054: by copying the desired command to a different name and then
1055: executing that. For example:
1056: .PP
1057: .Vb 1
1058: \& bill ALL = ALL, !SU, !SHELLS
1059: .Ve
1060: Doesn't really prevent \fBbill\fR from running the commands listed in
1.9 ! millert 1061: \&\fI\s-1SU\s0\fR or \fI\s-1SHELLS\s0\fR since he can simply copy those commands to a
1.1 millert 1062: different name, or use a shell escape from an editor or other
1063: program. Therefore, these kind of restrictions should be considered
1064: advisory at best (and reinforced by policy).
1065: .SH "CAVEATS"
1.9 ! millert 1066: .IX Header "CAVEATS"
1.1 millert 1067: The \fIsudoers\fR file should \fBalways\fR be edited by the \fBvisudo\fR
1068: command which locks the file and does grammatical checking. It is
1069: imperative that \fIsudoers\fR be free of syntax errors since \fBsudo\fR
1070: will not run with a syntactically incorrect \fIsudoers\fR file.
1.3 millert 1071: .PP
1072: When using netgroups of machines (as opposed to users), if you
1.5 millert 1073: store fully qualified hostnames in the netgroup (as is usually the
1074: case), you either need to have the machine's hostname be fully qualified
1.9 ! millert 1075: as returned by the \f(CW\*(C`hostname\*(C'\fR command or use the \fIfqdn\fR option in
! 1076: \&\fIsudoers\fR.
1.1 millert 1077: .SH "FILES"
1.9 ! millert 1078: .IX Header "FILES"
1.1 millert 1079: .Vb 3
1080: \& /etc/sudoers List of who can run what
1081: \& /etc/group Local groups file
1082: \& /etc/netgroup List of network groups
1083: .Ve
1084: .SH "SEE ALSO"
1085: .IX Header "SEE ALSO"
1.9 ! millert 1086: \&\fIrsh\fR\|(1), \fIsudo\fR\|(8), \fIvisudo\fR\|(8), \fIsu\fR\|(1), \fIfnmatch\fR\|(3).