Annotation of src/usr.bin/sudo/sudoers.mdoc.in, Revision 1.1
1.1 ! millert 1: .\"
! 2: .\" Copyright (c) 1994-1996, 1998-2005, 2007-2012
! 3: .\" Todd C. Miller <Todd.Miller@courtesan.com>
! 4: .\"
! 5: .\" Permission to use, copy, modify, and distribute this software for any
! 6: .\" purpose with or without fee is hereby granted, provided that the above
! 7: .\" copyright notice and this permission notice appear in all copies.
! 8: .\"
! 9: .\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
! 10: .\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
! 11: .\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
! 12: .\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
! 13: .\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
! 14: .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
! 15: .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
! 16: .\" ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
! 17: .\"
! 18: .\" Sponsored in part by the Defense Advanced Research Projects
! 19: .\" Agency (DARPA) and Air Force Research Laboratory, Air Force
! 20: .\" Materiel Command, USAF, under agreement number F39502-99-1-0512.
! 21: .\"
! 22: .Dd $Mdocdate$
! 23: .Dt SUDOERS @mansectform@
! 24: .Os
! 25: .Sh NAME
! 26: .Nm sudoers
! 27: .Nd list of which users may execute what
! 28: .Sh DESCRIPTION
! 29: The
! 30: .Em sudoers
! 31: file is composed of two types of entries: aliases
! 32: (basically variables) and user specifications (which specify who
! 33: may run what).
! 34: .Pp
! 35: When multiple entries match for a user, they are applied in order.
! 36: Where there are multiple matches, the last match is used (which is
! 37: not necessarily the most specific match).
! 38: .Pp
! 39: The
! 40: .Em sudoers
! 41: grammar will be described below in Extended Backus-Naur
! 42: Form (EBNF).
! 43: Don't despair if you are unfamiliar with EBNF; it is fairly simple,
! 44: and the definitions below are annotated.
! 45: .Ss Quick guide to EBNF
! 46: EBNF is a concise and exact way of describing the grammar of a language.
! 47: Each EBNF definition is made up of
! 48: .Em production rules .
! 49: E.g.,
! 50: .Pp
! 51: .Li symbol ::= definition | alternate1 | alternate2 ...
! 52: .Pp
! 53: Each
! 54: .Em production rule
! 55: references others and thus makes up a
! 56: grammar for the language.
! 57: EBNF also contains the following
! 58: operators, which many readers will recognize from regular
! 59: expressions.
! 60: Do not, however, confuse them with
! 61: .Dq wildcard
! 62: characters, which have different meanings.
! 63: .Bl -tag -width 4n
! 64: .It Li \&?
! 65: Means that the preceding symbol (or group of symbols) is optional.
! 66: That is, it may appear once or not at all.
! 67: .It Li *
! 68: Means that the preceding symbol (or group of symbols) may appear
! 69: zero or more times.
! 70: .It Li +
! 71: Means that the preceding symbol (or group of symbols) may appear
! 72: one or more times.
! 73: .El
! 74: .Pp
! 75: Parentheses may be used to group symbols together.
! 76: For clarity,
! 77: we will use single quotes
! 78: .Pq ''
! 79: to designate what is a verbatim character string (as opposed to a symbol name).
! 80: .Ss Aliases
! 81: There are four kinds of aliases:
! 82: .Li User_Alias ,
! 83: .Li Runas_Alias ,
! 84: .Li Host_Alias
! 85: and
! 86: .Li Cmnd_Alias .
! 87: .Bd -literal
! 88: Alias ::= 'User_Alias' User_Alias (':' User_Alias)* |
! 89: 'Runas_Alias' Runas_Alias (':' Runas_Alias)* |
! 90: 'Host_Alias' Host_Alias (':' Host_Alias)* |
! 91: 'Cmnd_Alias' Cmnd_Alias (':' Cmnd_Alias)*
! 92:
! 93: User_Alias ::= NAME '=' User_List
! 94:
! 95: Runas_Alias ::= NAME '=' Runas_List
! 96:
! 97: Host_Alias ::= NAME '=' Host_List
! 98:
! 99: Cmnd_Alias ::= NAME '=' Cmnd_List
! 100:
! 101: NAME ::= [A-Z]([A-Z][0-9]_)*
! 102: .Ed
! 103: .Pp
! 104: Each
! 105: .Em alias
! 106: definition is of the form
! 107: .Bd -literal
! 108: Alias_Type NAME = item1, item2, ...
! 109: .Ed
! 110: .Pp
! 111: where
! 112: .Em Alias_Type
! 113: is one of
! 114: .Li User_Alias ,
! 115: .Li Runas_Alias ,
! 116: .Li Host_Alias ,
! 117: or
! 118: .Li Cmnd_Alias .
! 119: A
! 120: .Li NAME
! 121: is a string of uppercase letters, numbers,
! 122: and underscore characters
! 123: .Pq Ql _ .
! 124: A
! 125: .Li NAME
! 126: .Sy must
! 127: start with an
! 128: uppercase letter.
! 129: It is possible to put several alias definitions
! 130: of the same type on a single line, joined by a colon
! 131: .Pq Ql :\& .
! 132: E.g.,
! 133: .Bd -literal
! 134: Alias_Type NAME = item1, item2, item3 : NAME = item4, item5
! 135: .Ed
! 136: .Pp
! 137: The definitions of what constitutes a valid
! 138: .Em alias
! 139: member follow.
! 140: .Bd -literal
! 141: User_List ::= User |
! 142: User ',' User_List
! 143:
! 144: User ::= '!'* user name |
! 145: '!'* #uid |
! 146: '!'* %group |
! 147: '!'* %#gid |
! 148: '!'* +netgroup |
! 149: '!'* %:nonunix_group |
! 150: '!'* %:#nonunix_gid |
! 151: '!'* User_Alias
! 152: .Ed
! 153: .Pp
! 154: A
! 155: .Li User_List
! 156: is made up of one or more user names, user ids
! 157: (prefixed with
! 158: .Ql # ) ,
! 159: system group names and ids (prefixed with
! 160: .Ql %
! 161: and
! 162: .Ql %#
! 163: respectively), netgroups (prefixed with
! 164: .Ql + ) ,
! 165: non-Unix group names and IDs (prefixed with
! 166: .Ql %:
! 167: and
! 168: .Ql %:#
! 169: respectively) and
! 170: .Li User_Alias Ns No es.
! 171: Each list item may be prefixed with zero or more
! 172: .Ql \&!
! 173: operators.
! 174: An odd number of
! 175: .Ql \&!
! 176: operators negate the value of
! 177: the item; an even number just cancel each other out.
! 178: .Pp
! 179: A
! 180: .Li user name ,
! 181: .Li uid ,
! 182: .Li group ,
! 183: .Li gid ,
! 184: .Li netgroup ,
! 185: .Li nonunix_group
! 186: or
! 187: .Li nonunix_gid
! 188: may be enclosed in double quotes to avoid the
! 189: need for escaping special characters.
! 190: Alternately, special characters
! 191: may be specified in escaped hex mode, e.g.\& \ex20 for space.
! 192: When
! 193: using double quotes, any prefix characters must be included inside
! 194: the quotes.
! 195: .Pp
! 196: The actual
! 197: .Li nonunix_group
! 198: and
! 199: .Li nonunix_gid
! 200: syntax depends on
! 201: the underlying implementation.
! 202: For instance, the QAS AD backend supports the following formats:
! 203: .Bl -bullet -width 4n
! 204: .It
! 205: Group in the same domain: "%:Group Name"
! 206: .It
! 207: Group in any domain: "%:Group Name@FULLY.QUALIFIED.DOMAIN"
! 208: .It
! 209: Group SID: "%:S-1-2-34-5678901234-5678901234-5678901234-567"
! 210: .El
! 211: .Pp
! 212: Note that quotes around group names are optional.
! 213: Unquoted strings must use a backslash
! 214: .Pq Ql \e
! 215: to escape spaces and special characters.
! 216: See
! 217: .Sx Other special characters and reserved words
! 218: for a list of
! 219: characters that need to be escaped.
! 220: .Bd -literal
! 221: Runas_List ::= Runas_Member |
! 222: Runas_Member ',' Runas_List
! 223:
! 224: Runas_Member ::= '!'* user name |
! 225: '!'* #uid |
! 226: '!'* %group |
! 227: '!'* %#gid |
! 228: '!'* %:nonunix_group |
! 229: '!'* %:#nonunix_gid |
! 230: '!'* +netgroup |
! 231: '!'* Runas_Alias
! 232: .Ed
! 233: .Pp
! 234: A
! 235: .Li Runas_List
! 236: is similar to a
! 237: .Li User_List
! 238: except that instead
! 239: of
! 240: .Li User_Alias Ns No es
! 241: it can contain
! 242: .Li Runas_Alias Ns No es .
! 243: Note that
! 244: user names and groups are matched as strings.
! 245: In other words, two
! 246: users (groups) with the same uid (gid) are considered to be distinct.
! 247: If you wish to match all user names with the same uid (e.g.\&
! 248: root and toor), you can use a uid instead (#0 in the example given).
! 249: .Bd -literal
! 250: Host_List ::= Host |
! 251: Host ',' Host_List
! 252:
! 253: Host ::= '!'* host name |
! 254: '!'* ip_addr |
! 255: '!'* network(/netmask)? |
! 256: '!'* +netgroup |
! 257: '!'* Host_Alias
! 258: .Ed
! 259: .Pp
! 260: A
! 261: .Li Host_List
! 262: is made up of one or more host names, IP addresses,
! 263: network numbers, netgroups (prefixed with
! 264: .Ql + )
! 265: and other aliases.
! 266: Again, the value of an item may be negated with the
! 267: .Ql \&!
! 268: operator.
! 269: If you do not specify a netmask along with the network number,
! 270: .Nm sudo
! 271: will query each of the local host's network interfaces and,
! 272: if the network number corresponds to one of the host's network
! 273: interfaces, the corresponding netmask will be used.
! 274: The netmask
! 275: may be specified either in standard IP address notation
! 276: (e.g.\& 255.255.255.0 or ffff:ffff:ffff:ffff::),
! 277: or CIDR notation (number of bits, e.g.\& 24 or 64).
! 278: A host name may include shell-style wildcards (see the
! 279: .Sx Wildcards
! 280: section below),
! 281: but unless the
! 282: .Xr hostname 1
! 283: command on your machine returns the fully
! 284: qualified host name, you'll need to use the
! 285: .Em fqdn
! 286: option for wildcards to be useful.
! 287: Note that
! 288: .Nm sudo
! 289: only inspects actual network interfaces; this means that IP address
! 290: 127.0.0.1 (localhost) will never match.
! 291: Also, the host name
! 292: .Dq localhost
! 293: will only match if that is the actual host name, which is usually
! 294: only the case for non-networked systems.
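The Host_List rules above (explicit netmask in dotted or CIDR form, the interface netmask being borrowed when none is given, loopback never matching, wildcards in host names only being useful with a fully qualified name, and odd/even counts of the negation operator) are easy to get subtly wrong when auditing a sudoers file. The following is an added example, not code from sudo or from this manual, that evaluates a Host_List against a constructed, hypothetical interface table using Python's standard ipaddress and fnmatch modules. It walks the list from the last item to the first and lets the first item that matches decide, which is how sudo's own list matcher behaves but should be treated as this example's assumption; it does not resolve netgroups or Host_Alias names.

```python
import fnmatch
import ipaddress

# Constructed interface table (hypothetical addresses) standing in for what
# sudo learns by querying the local host's network interfaces. Netmasks are
# given in the two spellings the manual allows: dotted and CIDR bit count.
LOCAL_INTERFACES = [
    ("127.0.0.1", "8"),                      # loopback: never consulted
    ("192.168.10.7", "255.255.255.0"),
    ("2001:db8:1::7", "64"),
]


def _usable_interfaces(interfaces):
    """Yield (address, network) for each non-loopback interface. Skipping
    loopback is why 127.0.0.1 and ::1 never match a Host entry."""
    for addr_str, mask_str in interfaces:
        addr = ipaddress.ip_address(addr_str)
        if addr.is_loopback:
            continue
        yield addr, ipaddress.ip_network(f"{addr_str}/{mask_str}", strict=False)


def _numeric_matches(item, interfaces):
    """Match an ip_addr or network[/netmask] item against the interfaces."""
    if "/" in item:
        # Explicit netmask, dotted (255.255.255.0) or CIDR (24, 64);
        # ip_network accepts both spellings for IPv4 and CIDR for IPv6.
        net = ipaddress.ip_network(item, strict=False)
        return any(addr in net for addr, _ in interfaces)
    # No netmask: compare with each interface address, and with the network
    # number computed from that interface's own netmask.
    target = ipaddress.ip_address(item)
    return any(target == addr or target == net.network_address
               for addr, net in interfaces)


def host_item_matches(item, hostname, interfaces=LOCAL_INTERFACES):
    """Return True if one Host item (without '!' prefixes) matches this
    machine. Numeric items go through ipaddress; names are matched
    case-insensitively with shell wildcards, so '*.example.com' only works
    when hostname is fully qualified (the fqdn option in sudoers)."""
    if item[:1].isdigit() or ":" in item:
        return _numeric_matches(item, list(_usable_interfaces(interfaces)))
    return fnmatch.fnmatchcase(hostname.lower(), item.lower())


def host_list_matches(host_list, hostname, interfaces=LOCAL_INTERFACES):
    """Evaluate a comma-separated Host_List. Items are checked from the
    last to the first; the first one whose value matches decides, and an
    odd number of '!' prefixes on that item turns the decision into 'no'."""
    for raw in reversed(host_list.split(",")):
        entry = raw.strip()
        item = entry.lstrip("!")
        negated = (len(entry) - len(item)) % 2 == 1
        if item and host_item_matches(item, hostname, interfaces):
            return not negated
    return False
```

Because the interface table is constructed, the results only illustrate the matching rules; on a real host the netmask borrowed for a bare network number is whatever the kernel reports for the matching interface.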
! 295: .Bd -literal
! 296: Cmnd_List ::= Cmnd |
! 297: Cmnd ',' Cmnd_List
! 298:
! 299: command name ::= file name |
! 300: file name args |
! 301: file name '""'
! 302:
! 303: Cmnd ::= '!'* command name |
! 304: '!'* directory |
! 305: '!'* "sudoedit" |
! 306: '!'* Cmnd_Alias
! 307: .Ed
! 308: .Pp
! 309: A
! 310: .Li Cmnd_List
! 311: is a list of one or more command names, directories, and other aliases.
! 312: A command name is a fully qualified file name which may include
! 313: shell-style wildcards (see the
! 314: .Sx Wildcards
! 315: section below).
! 316: A simple file name allows the user to run the command with any
! 317: arguments he/she wishes.
! 318: However, you may also specify command line arguments (including
! 319: wildcards).
! 320: Alternately, you can specify
! 321: .Li \&""
! 322: to indicate that the command
! 323: may only be run
! 324: .Sy without
! 325: command line arguments.
! 326: A directory is a
! 327: fully qualified path name ending in a
! 328: .Ql / .
! 329: When you specify a directory in a
! 330: .Li Cmnd_List ,
! 331: the user will be able to run any file within that directory
! 332: (but not in any sub-directories therein).
! 333: .Pp
! 334: If a
! 335: .Li Cmnd
! 336: has associated command line arguments, then the arguments
! 337: in the
! 338: .Li Cmnd
! 339: must match exactly those given by the user on the command line
! 340: (or match the wildcards if there are any).
! 341: Note that the following characters must be escaped with a
! 342: .Ql \e
! 343: if they are used in command arguments:
! 344: .Ql ,\& ,
! 345: .Ql :\& ,
! 346: .Ql =\& ,
! 347: .Ql \e .
! 348: The special command
! 349: .Dq Li sudoedit
! 350: is used to permit a user to run
! 351: .Nm sudo
! 352: with the
! 353: .Fl e
! 354: option (or as
! 355: .Nm sudoedit ) .
! 356: It may take command line arguments just as a normal command does.
! 357: .Ss Defaults
! 358: Certain configuration options may be changed from their default
! 359: values at run-time via one or more
! 360: .Li Default_Entry
! 361: lines.
! 362: These may affect all users on any host, all users on a specific host, a
! 363: specific user, a specific command, or commands being run as a specific user.
! 364: Note that per-command entries may not include command line arguments.
! 365: If you need to specify arguments, define a
! 366: .Li Cmnd_Alias
! 367: and reference
! 368: that instead.
! 369: .Bd -literal
! 370: Default_Type ::= 'Defaults' |
! 371: 'Defaults' '@' Host_List |
! 372: 'Defaults' ':' User_List |
! 373: 'Defaults' '!' Cmnd_List |
! 374: 'Defaults' '>' Runas_List
! 375:
! 376: Default_Entry ::= Default_Type Parameter_List
! 377:
! 378: Parameter_List ::= Parameter |
! 379: Parameter ',' Parameter_List
! 380:
! 381: Parameter ::= Parameter '=' Value |
! 382: Parameter '+=' Value |
! 383: Parameter '-=' Value |
! 384: '!'* Parameter
! 385: .Ed
! 386: .Pp
! 387: Parameters may be
! 388: .Sy flags ,
! 389: .Sy integer
! 390: values,
! 391: .Sy strings ,
! 392: or
! 393: .Sy lists .
! 394: Flags are implicitly boolean and can be turned off via the
! 395: .Ql \&!
! 396: operator.
! 397: Some integer, string and list parameters may also be
! 398: used in a boolean context to disable them.
! 399: Values may be enclosed
! 400: in double quotes
! 401: .Pq \&""
! 402: when they contain multiple words.
! 403: Special characters may be escaped with a backslash
! 404: .Pq Ql \e .
! 405: .Pp
! 406: Lists have two additional assignment operators,
! 407: .Li +=
! 408: and
! 409: .Li -= .
! 410: These operators are used to add to and delete from a list respectively.
! 411: It is not an error to use the
! 412: .Li -=
! 413: operator to remove an element
! 414: that does not exist in a list.
! 415: .Pp
! 416: Defaults entries are parsed in the following order: generic, host
! 417: and user Defaults first, then runas Defaults and finally command
! 418: defaults.
! 419: .Pp
! 420: See
! 421: .Sx SUDOERS OPTIONS
! 422: for a list of supported Defaults parameters.
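The Parameter grammar above is small but has several cases that interact: flags toggled by the parity of leading negation operators, non-flag parameters disabled in a boolean context, plain assignment, and the list-only += and -= operators where removing an absent element is not an error. The following is an added example, not code from sudo or from this manual, that applies an unqualified Defaults line to a constructed starting state; the parameter names are real sudoers options but their starting values are hypothetical, and the @host, :user, !cmnd and >runas qualified forms are not handled.

```python
import copy

# Which kind each (hypothetical starting state) parameter is: flag, integer,
# string or list. The names are real sudoers options; the values are not
# sudo's compiled-in defaults.
PARAM_TYPES = {"env_reset": bool, "passwd_tries": int,
               "mailto": str, "env_keep": list}
INITIAL_DEFAULTS = {
    "env_reset": True,
    "passwd_tries": 3,
    "mailto": "root",
    "env_keep": ["COLORS", "DISPLAY", "HOSTNAME"],
}


def fresh_defaults():
    """A private copy of the starting state to apply Defaults lines to."""
    return copy.deepcopy(INITIAL_DEFAULTS)


def _split_parameters(text):
    """Split a Parameter_List on commas that are not inside double quotes."""
    parts, buf, quoted = [], [], False
    for ch in text:
        if ch == '"':
            quoted = not quoted
        if ch == "," and not quoted:
            parts.append("".join(buf).strip())
            buf = []
        else:
            buf.append(ch)
    parts.append("".join(buf).strip())
    return [p for p in parts if p]


def _split_operator(param):
    """(name, op, value) for Parameter '=' | '+=' | '-=' Value, or
    (name, None, None) for the bare '!'* Parameter form."""
    i = param.find("=")
    if i < 0:
        return param.strip(), None, None
    if i > 0 and param[i - 1] in "+-":
        return param[:i - 1].strip(), param[i - 1:i + 1], param[i + 1:].strip()
    return param[:i].strip(), "=", param[i + 1:].strip()


def _unquote(value):
    """Strip surrounding double quotes and backslash escapes from a Value."""
    if len(value) >= 2 and value[0] == value[-1] == '"':
        value = value[1:-1]
    out, escaped = [], False
    for ch in value:
        if escaped or ch != "\\":
            out.append(ch)
            escaped = False
        else:
            escaped = True
    return "".join(out)


def apply_parameter(defaults, param):
    """Apply one Parameter: '!' toggles a flag by parity and disables any
    other parameter (stored as None); '=' assigns; '+=' / '-=' add to or
    remove from a list, and removing an absent element is not an error."""
    name, op, value = _split_operator(param)
    bangs = len(name) - len(name.lstrip("!"))
    name = name[bangs:]
    kind = PARAM_TYPES.get(name)
    if kind is None:
        raise KeyError(f"unknown Defaults parameter {name!r}")
    if op is None:
        if kind is bool:
            defaults[name] = bangs % 2 == 0
        elif bangs % 2 == 1:
            defaults[name] = None           # disabled in a boolean context
        else:
            raise ValueError(f"{name} needs a value")
        return defaults
    if bangs:
        raise ValueError(f"'!' cannot be combined with {op} for {name}")
    value = _unquote(value)
    if kind is list:
        current = defaults[name] or []
        items = value.split()
        if op == "=":
            defaults[name] = items
        elif op == "+=":
            defaults[name] = current + [i for i in items if i not in current]
        else:
            defaults[name] = [i for i in current if i not in items]
    elif op != "=":
        raise ValueError(f"{op} is only valid for list parameters ({name})")
    elif kind is bool:
        raise ValueError(f"flag {name} takes no value")
    elif kind is int:
        defaults[name] = int(value)
    else:
        defaults[name] = value
    return defaults


def apply_defaults_line(defaults, line):
    """Apply an unqualified 'Defaults Parameter_List' line in place."""
    fields = line.strip().split(None, 1)
    if len(fields) != 2 or fields[0] != "Defaults":
        raise ValueError("expected 'Defaults Parameter_List'")
    for param in _split_parameters(fields[1]):
        apply_parameter(defaults, param)
    return defaults
```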
! 423: .Ss User Specification
! 424: .Bd -literal
! 425: User_Spec ::= User_List Host_List '=' Cmnd_Spec_List \e
! 426: (':' Host_List '=' Cmnd_Spec_List)*
! 427:
! 428: Cmnd_Spec_List ::= Cmnd_Spec |
! 429: Cmnd_Spec ',' Cmnd_Spec_List
! 430:
! 431: Cmnd_Spec ::= Runas_Spec? Tag_Spec* Cmnd
! 432:
! 433: Runas_Spec ::= '(' Runas_List? (':' Runas_List)? ')'
! 434:
! 435: Tag_Spec ::= ('NOPASSWD:' | 'PASSWD:' | 'NOEXEC:' | 'EXEC:' |
! 436: 'SETENV:' | 'NOSETENV:')
! 437: .Ed
! 438: .Pp
! 439: A
! 440: .Sy user specification
! 441: determines which commands a user may run
! 442: (and as what user) on specified hosts.
! 443: By default, commands are
! 444: run as
! 445: .Sy root ,
! 446: but this can be changed on a per-command basis.
! 447: .Pp
! 448: The basic structure of a user specification is
! 449: .Dq who where = (as_whom) what .
! 450: Let's break that down into its constituent parts:
! 451: .Ss Runas_Spec
! 452: A
! 453: .Li Runas_Spec
! 454: determines the user and/or the group that a command
! 455: may be run as.
! 456: A fully-specified
! 457: .Li Runas_Spec
! 458: consists of two
! 459: .Li Runas_List Ns No s
! 460: (as defined above) separated by a colon
! 461: .Pq Ql :\&
! 462: and enclosed in a set of parentheses.
! 463: The first
! 464: .Li Runas_List
! 465: indicates
! 466: which users the command may be run as via
! 467: .Nm sudo Ns No 's
! 468: .Fl u
! 469: option.
! 470: The second defines a list of groups that can be specified via
! 471: .Nm sudo Ns No 's
! 472: .Fl g
! 473: option.
! 474: If both
! 475: .Li Runas_List Ns No s
! 476: are specified, the command may be run with any combination of users
! 477: and groups listed in their respective
! 478: .Li Runas_List Ns No s.
! 479: If only the first is specified, the command may be run as any user
! 480: in the list but no
! 481: .Fl g
! 482: option
! 483: may be specified.
! 484: If the first
! 485: .Li Runas_List
! 486: is empty but the
! 487: second is specified, the command may be run as the invoking user
! 488: with the group set to any listed in the
! 489: .Li Runas_List .
! 490: If no
! 491: .Li Runas_Spec
! 492: is specified the command may be run as
! 493: .Sy root
! 494: and
! 495: no group may be specified.
! 496: .Pp
! 497: A
! 498: .Li Runas_Spec
! 499: sets the default for the commands that follow it.
! 500: What this means is that for the entry:
! 501: .Bd -literal
! 502: dgb boulder = (operator) /bin/ls, /bin/kill, /usr/bin/lprm
! 503: .Ed
! 504: .Pp
! 505: The user
! 506: .Sy dgb
! 507: may run
! 508: .Pa /bin/ls ,
! 509: .Pa /bin/kill ,
! 510: and
! 511: .Pa /usr/bin/lprm Ns No \(em Ns but
! 512: only as
! 513: .Sy operator .
! 514: E.g.,
! 515: .Bd -literal
! 516: $ sudo -u operator /bin/ls
! 517: .Ed
! 518: .Pp
! 519: It is also possible to override a
! 520: .Li Runas_Spec
! 521: later on in an entry.
! 522: If we modify the entry like so:
! 523: .Bd -literal
! 524: dgb boulder = (operator) /bin/ls, (root) /bin/kill, /usr/bin/lprm
! 525: .Ed
! 526: .Pp
! 527: Then user
! 528: .Sy dgb
! 529: is now allowed to run
! 530: .Pa /bin/ls
! 531: as
! 532: .Sy operator ,
! 533: but
! 534: .Pa /bin/kill
! 535: and
! 536: .Pa /usr/bin/lprm
! 537: as
! 538: .Sy root .
! 539: .Pp
! 540: We can extend this to allow
! 541: .Sy dgb
! 542: to run
! 543: .Li /bin/ls
! 544: with either
! 545: the user or group set to
! 546: .Sy operator :
! 547: .Bd -literal
! 548: dgb boulder = (operator : operator) /bin/ls, (root) /bin/kill,\e
! 549: /usr/bin/lprm
! 550: .Ed
! 551: .Pp
! 552: Note that while the group portion of the
! 553: .Li Runas_Spec
! 554: permits the
! 555: user to run a command with that group, it does not force the user
! 556: to do so.
! 557: If no group is specified on the command line, the command
! 558: will run with the group listed in the target user's password database
! 559: entry.
! 560: The following would all be permitted by the sudoers entry above:
! 561: .Bd -literal
! 562: $ sudo -u operator /bin/ls
! 563: $ sudo -u operator -g operator /bin/ls
! 564: $ sudo -g operator /bin/ls
! 565: .Ed
! 566: .Pp
! 567: In the following example, user
! 568: .Sy tcm
! 569: may run commands that access
! 570: a modem device file with the dialer group.
! 571: .Bd -literal
! 572: tcm boulder = (:dialer) /usr/bin/tip, /usr/bin/cu,\e
! 573: /usr/local/bin/minicom
! 574: .Ed
! 575: .Pp
! 576: Note that in this example only the group will be set, the command
! 577: still runs as user
! 578: .Sy tcm .
! 579: E.g.\&
! 580: .Bd -literal
! 581: $ sudo -g dialer /usr/bin/cu
! 582: .Ed
! 583: .Pp
! 584: Multiple users and groups may be present in a
! 585: .Li Runas_Spec ,
! 586: in which case the user may select any combination of users and groups via the
! 587: .Fl u
! 588: and
! 589: .Fl g
! 590: options.
! 591: In this example:
! 592: .Bd -literal
! 593: alan ALL = (root, bin : operator, system) ALL
! 594: .Ed
! 595: .Pp
! 596: user
! 597: .Sy alan
! 598: may run any command as either user root or bin,
! 599: optionally setting the group to operator or system.
! 600: .Ss Tag_Spec
! 601: A command may have zero or more tags associated with it.
! 602: There are
! 603: six possible tag values:
! 604: .Li NOPASSWD ,
! 605: .Li PASSWD ,
! 606: .Li NOEXEC ,
! 607: .Li EXEC ,
! 608: .Li SETENV ,
! 609: and
! 610: .Li NOSETENV .
! 611: Once a tag is set on a
! 612: .Li Cmnd ,
! 613: subsequent
! 614: .Li Cmnd Ns No s
! 615: in the
! 616: .Li Cmnd_Spec_List ,
! 617: inherit the tag unless it is overridden by the opposite tag (in other words,
! 618: .Li PASSWD
! 619: overrides
! 620: .Li NOPASSWD
! 621: and
! 622: .Li NOEXEC
! 623: overrides
! 624: .Li EXEC ) .
! 625: .Pp
! 626: .Em NOPASSWD and PASSWD
! 627: .Pp
! 628: By default,
! 629: .Nm sudo
! 630: requires that a user authenticate him or herself
! 631: before running a command.
! 632: This behavior can be modified via the
! 633: .Li NOPASSWD
! 634: tag.
! 635: Like a
! 636: .Li Runas_Spec ,
! 637: the
! 638: .Li NOPASSWD
! 639: tag sets
! 640: a default for the commands that follow it in the
! 641: .Li Cmnd_Spec_List .
! 642: Conversely, the
! 643: .Li PASSWD
! 644: tag can be used to reverse things.
! 645: For example:
! 646: .Bd -literal
! 647: ray rushmore = NOPASSWD: /bin/kill, /bin/ls, /usr/bin/lprm
! 648: .Ed
! 649: .Pp
! 650: would allow the user
! 651: .Sy ray
! 652: to run
! 653: .Pa /bin/kill ,
! 654: .Pa /bin/ls ,
! 655: and
! 656: .Pa /usr/bin/lprm
! 657: as
! 658: .Sy root
! 659: on the machine rushmore without authenticating himself.
! 660: If we only want
! 661: .Sy ray
! 662: to be able to
! 663: run
! 664: .Pa /bin/kill
! 665: without a password the entry would be:
! 666: .Bd -literal
! 667: ray rushmore = NOPASSWD: /bin/kill, PASSWD: /bin/ls, /usr/bin/lprm
! 668: .Ed
! 669: .Pp
! 670: Note, however, that the
! 671: .Li PASSWD
! 672: tag has no effect on users who are in the group specified by the
! 673: .Em exempt_group
! 674: option.
! 675: .Pp
! 676: By default, if the
! 677: .Li NOPASSWD
! 678: tag is applied to any of the entries for a user on the current host,
! 679: he or she will be able to run
! 680: .Dq Li sudo -l
! 681: without a password.
! 682: Additionally, a user may only run
! 683: .Dq Li sudo -v
! 684: without a password if the
! 685: .Li NOPASSWD
! 686: tag is present for all a user's entries that pertain to the current host.
! 687: This behavior may be overridden via the
! 688: .Em verifypw
! 689: and
! 690: .Em listpw
! 691: options.
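Both the Runas_Spec section and the NOPASSWD/PASSWD discussion above rely on the same carry-forward rule: a Runas_Spec or tag applies to every Cmnd that follows it in the Cmnd_Spec_List until something overrides it. The following is an added example, not code from sudo or from this manual, that expands a Cmnd_Spec_List into one record per command with that rule applied. Its assumptions: with no Runas_Spec a command runs as root with no group allowed; an unset PASSWD/NOPASSWD falls back to the authenticate option (on by default); an unset EXEC/NOEXEC is treated as exec allowed (the noexec option left off); an unset SETENV is implied only for ALL. The parse_user_spec helper is a simplification that takes the last word before = as the Host_List and ignores the (':' Host_List '=' Cmnd_Spec_List)* continuation.

```python
import re

# Tag name -> (record key, value). Each pair is opposite; the later tag on
# a line overrides the earlier one for the commands that follow.
TAGS = {
    "NOPASSWD": ("passwd", False), "PASSWD": ("passwd", True),
    "NOEXEC": ("exec", False),     "EXEC": ("exec", True),
    "NOSETENV": ("setenv", False), "SETENV": ("setenv", True),
}
_TAG_RE = re.compile(r"(NOPASSWD|PASSWD|NOEXEC|EXEC|NOSETENV|SETENV):\s*")


def _split_cmnd_specs(text):
    """Split a Cmnd_Spec_List on commas, ignoring commas that are
    backslash-escaped (as sudoers requires inside arguments) or that sit
    inside a (...) Runas_Spec."""
    parts, buf, depth, esc = [], [], 0, False
    for ch in text:
        if esc:
            buf.append(ch)
            esc = False
            continue
        if ch == "\\":
            buf.append(ch)              # keep the escape in the Cmnd text
            esc = True
            continue
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
        if ch == "," and depth == 0:
            parts.append("".join(buf).strip())
            buf = []
        else:
            buf.append(ch)
    parts.append("".join(buf).strip())
    return [p for p in parts if p]


def _parse_runas(spec):
    """'(' Runas_List? (':' Runas_List)? ')' -> (users, groups). An empty
    user list with groups present means 'run as the invoking user'."""
    users_part, _, groups_part = spec[1:-1].partition(":")
    users = [u.strip() for u in users_part.split(",") if u.strip()]
    groups = [g.strip() for g in groups_part.split(",") if g.strip()]
    return users, groups


def parse_cmnd_spec_list(text):
    """Expand a Cmnd_Spec_List into one record per Cmnd, carrying the
    Runas_Spec and the tags forward until they are overridden."""
    runas_users, runas_groups = ["root"], []     # no Runas_Spec: root, no -g
    tags = {"passwd": None, "exec": None, "setenv": None}
    records = []
    for spec in _split_cmnd_specs(text):
        rest = spec
        if rest.startswith("("):
            close = rest.index(")")
            runas_users, runas_groups = _parse_runas(rest[:close + 1])
            rest = rest[close + 1:].strip()
        while (m := _TAG_RE.match(rest)):
            key, value = TAGS[m.group(1)]
            tags[key] = value
            rest = rest[m.end():]
        cmnd = rest
        records.append({
            "cmnd": cmnd,
            "runas_users": list(runas_users),
            "runas_groups": list(runas_groups),
            # Unset tags fall back to the assumed option defaults.
            "passwd": True if tags["passwd"] is None else tags["passwd"],
            "exec": True if tags["exec"] is None else tags["exec"],
            "setenv": (cmnd == "ALL") if tags["setenv"] is None else tags["setenv"],
        })
    return records


def parse_user_spec(line):
    """Split 'User_List Host_List = Cmnd_Spec_List' (simplified: the
    Host_List is the last word before the first unescaped '=')."""
    left, right = re.split(r"(?<!\\)=", line, maxsplit=1)
    words = left.split()
    return {"users": " ".join(words[:-1]), "hosts": words[-1],
            "cmnds": parse_cmnd_spec_list(right)}
```

Feeding the manual's own example lines through parse_user_spec makes the inheritance visible: in "(operator) /bin/ls, (root) /bin/kill, /usr/bin/lprm" the third command inherits root, and in "NOPASSWD: /bin/kill, PASSWD: /bin/ls, /usr/bin/lprm" the third command inherits the password requirement re-established by PASSWD.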
! 692: .Pp
! 693: .Em NOEXEC and EXEC
! 694: .Pp
! 695: If
! 696: .Nm sudo
! 697: has been compiled with
! 698: .Em noexec
! 699: support and the underlying operating system supports it, the
! 700: .Li NOEXEC
! 701: tag can be used to prevent a dynamically-linked executable from
! 702: running further commands itself.
! 703: .Pp
! 704: In the following example, user
! 705: .Sy aaron
! 706: may run
! 707: .Pa /usr/bin/more
! 708: and
! 709: .Pa /usr/bin/vi
! 710: but shell escapes will be disabled.
! 711: .Bd -literal
! 712: aaron shanty = NOEXEC: /usr/bin/more, /usr/bin/vi
! 713: .Ed
! 714: .Pp
! 715: See the
! 716: .Sx Preventing Shell Escapes
! 717: section below for more details on how
! 718: .Li NOEXEC
! 719: works and whether or not it will work on your system.
! 720: .Pp
! 721: .Em SETENV and NOSETENV
! 722: .Pp
! 723: These tags override the value of the
! 724: .Em setenv
! 725: option on a per-command basis.
! 726: Note that if
! 727: .Li SETENV
! 728: has been set for a command, the user may disable the
! 729: .Em env_reset
! 730: option from the command line via the
! 731: .Fl E
! 732: option.
! 733: Additionally, environment variables set on the command
! 734: line are not subject to the restrictions imposed by
! 735: .Em env_check ,
! 736: .Em env_delete ,
! 737: or
! 738: .Em env_keep .
! 739: As such, only trusted users should be allowed to set variables in this manner.
! 740: If the command matched is
! 741: .Sy ALL ,
! 742: the
! 743: .Li SETENV
! 744: tag is implied for that command; this default may be overridden by use of the
! 745: .Li NOSETENV
! 746: tag.
! 747: .Ss Wildcards
! 748: .Nm sudo
! 749: allows shell-style
! 750: .Em wildcards
! 751: (aka meta or glob characters)
! 752: to be used in host names, path names and command line arguments in the
! 753: .Em sudoers
! 754: file.
! 755: Wildcard matching is done via the
! 756: .Sy POSIX
! 757: .Xr glob 3
! 758: and
! 759: .Xr fnmatch 3
! 760: routines.
! 761: Note that these are
! 762: .Em not
! 763: regular expressions.
! 764: .Bl -tag -width 8n
! 765: .It Li *
! 766: Matches any set of zero or more characters.
! 767: .It Li \&?
! 768: Matches any single character.
! 769: .It Li [...]
! 770: Matches any character in the specified range.
! 771: .It Li [!...]
! 772: Matches any character
! 773: .Sy not
! 774: in the specified range.
! 775: .It Li \ex
! 776: For any character
! 777: .Sq x ,
! 778: evaluates to
! 779: .Sq x .
! 780: This is used to escape special characters such as:
! 781: .Ql * ,
! 782: .Ql \&? ,
! 783: .Ql [\& ,
! 784: and
! 785: .Ql ]\& .
! 786: .El
! 787: .Pp
! 788: POSIX character classes may also be used if your system's
! 789: .Xr glob 3
! 790: and
! 791: .Xr fnmatch 3
! 792: functions support them.
! 793: However, because the
! 794: .Ql :\&
! 795: character has special meaning in
! 796: .Em sudoers ,
! 797: it must be
! 798: escaped.
! 799: For example:
! 800: .Bd -literal -offset 4n
! 801: /bin/ls [[\e:alpha\e:]]*
! 802: .Ed
! 803: .Pp
! 804: Would match any file name beginning with a letter.
! 805: .Pp
! 806: Note that a forward slash
! 807: .Pq Ql /
! 808: will
! 809: .Sy not
! 810: be matched by
! 811: wildcards used in the path name.
! 812: This is to make a path like:
! 813: .Bd -literal -offset 4n
! 814: /usr/bin/*
! 815: .Ed
! 816: .Pp
! 817: match
! 818: .Pa /usr/bin/who
! 819: but not
! 820: .Pa /usr/bin/X11/xterm .
! 821: .Pp
! 822: When matching the command line arguments, however, a slash
! 823: .Sy does
! 824: get matched by wildcards since command line arguments may contain
! 825: arbitrary strings and not just path names.
! 826: .Pp
! 827: Wildcards in command line arguments should be used with care.
! 828: Because command line arguments are matched as a single, concatenated
! 829: string, a wildcard such as
! 830: .Ql \&?
! 831: or
! 832: .Ql *
! 833: can match multiple words.
! 834: For example, while a sudoers entry like:
! 835: .Bd -literal -offset 4n
! 836: %operator ALL = /bin/cat /var/log/messages*
! 837: .Ed
! 838: .Pp
! 839: will allow a command like:
! 840: .Bd -literal -offset 4n
! 841: $ sudo cat /var/log/messages.1
! 842: .Ed
! 843: .Pp
! 844: It will also allow:
! 845: .Bd -literal -offset 4n
! 846: $ sudo cat /var/log/messages /etc/shadow
! 847: .Ed
! 848: .Pp
! 849: which is probably not what was intended.
! 850: .Ss Exceptions to wildcard rules
! 851: The following exceptions apply to the above rules:
! 852: .Bl -tag -width 8n
! 853: .It Li \&""
! 854: If the empty string
! 855: .Li \&""
! 856: is the only command line argument in the
! 857: entry, it means that the command is not allowed to be run with
! 858: entry it means that command is not allowed to be run with
! 859: .Sy any
! 860: arguments.
! 861: .It sudoedit
! 862: Command line arguments to the
! 863: .Em sudoedit
! 864: built-in command should always be path names, so a forward slash
! 865: .Pq Ql /
! 866: will not be matched by a wildcard.
! 867: .El
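The two matching rules described above (a slash is not crossed by wildcards in the file name part but is in the argument part, and the arguments are compared as one concatenated string) together with the "" and sudoedit exceptions are what make the /var/log/messages* entry dangerous. The following is an added example, not code from sudo or from this manual, that implements those rules in Python over a constructed argv and shows the same entry accepting /etc/shadow as a second argument, alongside a tighter pattern that does not. It translates the sudoers wildcards (*, ?, [...], [!...] and backslash escapes) to a regular expression; POSIX character classes are not handled, and argv[0] is assumed to be already resolved to the full path, as sudo does before matching.

```python
import re


def glob_to_regex(pattern, pathname):
    """Translate a sudoers wildcard pattern into a compiled regex.

    With pathname=True, '*' and '?' never match '/', as fnmatch(3) does
    with FNM_PATHNAME for file names; with pathname=False they do, which is
    how sudo matches command line arguments.
    """
    any_char = "[^/]" if pathname else "."
    out, i = [], 0
    while i < len(pattern):
        ch = pattern[i]
        if ch == "*":
            out.append(any_char + "*")
        elif ch == "?":
            out.append(any_char)
        elif ch == "[" and (end := pattern.find("]", i + 1)) > i + 1:
            body = pattern[i + 1:end].replace("\\", "\\\\")
            if body.startswith("!"):
                body = "^" + body[1:]
            out.append("[" + body + "]")
            i = end
        elif ch == "\\" and i + 1 < len(pattern):
            i += 1
            out.append(re.escape(pattern[i]))   # escaped wildcard is literal
        else:
            out.append(re.escape(ch))
        i += 1
    return re.compile("".join(out) + r"\Z", re.DOTALL)


def cmnd_matches(sudoers_cmnd, argv):
    """Decide whether argv (argv[0] a resolved full path) matches one
    sudoers Cmnd of the form 'file name [args | ""]'.

    The file name is matched with pathname semantics. The user's arguments
    are joined with single spaces and matched as ONE string without
    pathname semantics (sudoedit excepted), so a trailing '*' can swallow
    additional words, including a second path.
    """
    parts = sudoers_cmnd.split(None, 1)
    path_pat = parts[0]
    args_pat = parts[1] if len(parts) > 1 else None
    if not glob_to_regex(path_pat, pathname=True).match(argv[0]):
        return False
    if args_pat is None:
        return True                      # bare file name: any arguments
    if args_pat == '""':
        return len(argv) == 1            # "": no arguments at all
    args_are_paths = path_pat == "sudoedit"
    user_args = " ".join(argv[1:])
    return glob_to_regex(args_pat, pathname=args_are_paths).match(user_args) is not None
```

A pattern such as /bin/cat /var/log/messages.[0-9] still admits rotated logs but cannot absorb a second path, because nothing in it can match a space; listing the permitted files explicitly is safer still.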
! 868: .Ss Including other files from within sudoers
! 869: It is possible to include other
! 870: .Em sudoers
! 871: files from within the
! 872: .Em sudoers
! 873: file currently being parsed using the
! 874: .Li #include
! 875: and
! 876: .Li #includedir
! 877: directives.
! 878: .Pp
! 879: This can be used, for example, to keep a site-wide
! 880: .Em sudoers
! 881: file in addition to a local, per-machine file.
! 882: For the sake of this example the site-wide
! 883: .Em sudoers
! 884: will be
! 885: .Pa /etc/sudoers
! 886: and the per-machine one will be
! 887: .Pa /etc/sudoers.local .
! 888: To include
! 889: .Pa /etc/sudoers.local
! 890: from within
! 891: .Pa /etc/sudoers
! 892: we would use the
! 893: following line in
! 894: .Pa /etc/sudoers :
! 895: .Bd -literal -offset 4n
! 896: #include /etc/sudoers.local
! 897: .Ed
! 898: .Pp
! 899: When
! 900: .Nm sudo
! 901: reaches this line it will suspend processing of the current file
! 902: .Pq Pa /etc/sudoers
! 903: and switch to
! 904: .Pa /etc/sudoers.local .
! 905: Upon reaching the end of
! 906: .Pa /etc/sudoers.local ,
! 907: the rest of
! 908: .Pa /etc/sudoers
! 909: will be processed.
! 910: Files that are included may themselves include other files.
! 911: A hard limit of 128 nested include files is enforced to prevent include
! 912: file loops.
! 913: .Pp
! 914: If the path to the include file is not fully-qualified (does not
! 915: begin with a
! 916: .Ql / ) ,
! 917: it must be located in the same directory as the sudoers file it was
! 918: included from.
! 919: For example, if
! 920: .Pa /etc/sudoers
! 921: contains the line:
! 922: .Bd -literal -offset 4n
! 923: .Li #include sudoers.local
! 924: .Ed
! 925: .Pp
! 926: the file that will be included is
! 927: .Pa /etc/sudoers.local .
! 928: .Pp
! 929: The file name may also include the
! 930: .Li %h
! 931: escape, signifying the short form of the host name.
! 932: In other words, if the machine's host name is
! 933: .Dq xerxes ,
! 934: then
! 935: .Bd -literal -offset 4n
! 936: #include /etc/sudoers.%h
! 937: .Ed
! 938: .Pp
! 939: will cause
! 940: .Nm sudo
! 941: to include the file
! 942: .Pa /etc/sudoers.xerxes .
! 943: .Pp
! 944: The
! 945: .Li #includedir
! 946: directive can be used to create a
! 947: .Pa sudoers.d
! 948: directory that the system package manager can drop
! 949: .Em sudoers
! 950: rules
! 951: into as part of package installation.
! 952: For example, given:
! 953: .Bd -literal -offset 4n
! 954: #includedir /etc/sudoers.d
! 955: .Ed
! 956: .Pp
! 957: .Nm sudo
! 958: will read each file in
! 959: .Pa /etc/sudoers.d ,
! 960: skipping file names that end in
! 961: .Ql ~
! 962: or contain a
! 963: .Ql .\&
! 964: character to avoid causing problems with package manager or editor
! 965: temporary/backup files.
! 966: Files are parsed in sorted lexical order.
! 967: That is,
! 968: .Pa /etc/sudoers.d/01_first
! 969: will be parsed before
! 970: .Pa /etc/sudoers.d/10_second .
! 971: Be aware that because the sorting is lexical, not numeric,
! 972: .Pa /etc/sudoers.d/1_whoops
! 973: would be loaded
! 974: .Sy after
! 975: .Pa /etc/sudoers.d/10_second .
! 976: Using a consistent number of leading zeroes in the file names can be used
! 977: to avoid such problems.
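Because a later file can override an earlier one (the last match wins), the order in which sudo reads a #includedir directory is security-relevant, and the skip rule for names ending in ~ or containing a period decides whether a dropped-in file is read at all. The following is an added example, not code from sudo or from this manual, that reproduces the selection and ordering rule over a constructed list of file names, reports whether a numbered scheme actually loads in numeric order, and proposes zero-padded names that fix it. Python sorts strings by code point, which agrees with sudo's byte-wise ordering for ASCII names.

```python
import re

_NUMBERED = re.compile(r"^(\d+)(.*)$")


def includedir_order(names):
    """Return the file names sudo parses from a #includedir directory, in
    parse order: names ending in '~' or containing '.' are skipped (editor
    and package-manager leftovers), the rest are sorted lexically."""
    eligible = [n for n in names if not n.endswith("~") and "." not in n]
    return sorted(eligible)


def loads_in_numeric_order(names):
    """True if the numeric prefixes of the files sudo would parse come out
    in non-decreasing order; False when lexical order betrays the numbering
    (for example '1_whoops' being read after '10_second')."""
    nums = [int(m.group(1)) for n in includedir_order(names)
            if (m := _NUMBERED.match(n))]
    return nums == sorted(nums)


def padded_names(names, width=None):
    """Map each name to a version with its numeric prefix zero-padded so that
    lexical and numeric order agree. Width defaults to the digit count of the
    largest prefix present; names without a prefix are returned unchanged."""
    matches = {n: _NUMBERED.match(n) for n in names}
    numbers = [int(m.group(1)) for m in matches.values() if m]
    width = width or len(str(max(numbers, default=0)))
    return {n: (f"{int(m.group(1)):0{width}d}{m.group(2)}" if m else n)
            for n, m in matches.items()}
```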
! 978: .Pp
! 979: Note that unlike files included via
! 980: .Li #include ,
! 981: .Nm visudo
! 982: will not edit the files in a
! 983: .Li #includedir
! 984: directory unless one of them contains a syntax error.
! 985: It is still possible to run
! 986: .Nm visudo
! 987: with the
! 988: .Fl f
! 989: flag to edit the files directly.
! 990: .Ss Other special characters and reserved words
! 991: The pound sign
! 992: .Pq Ql #
! 993: is used to indicate a comment (unless it is part of a #include
! 994: directive or unless it occurs in the context of a user name and is
! 995: followed by one or more digits, in which case it is treated as a
! 996: uid).
! 997: Both the comment character and any text after it, up to the end of
! 998: the line, are ignored.
! 999: .Pp
! 1000: The reserved word
! 1001: .Sy ALL
! 1002: is a built-in
! 1003: .Em alias
! 1004: that always causes a match to succeed.
! 1005: It can be used wherever one might otherwise use a
! 1006: .Li Cmnd_Alias ,
! 1007: .Li User_Alias ,
! 1008: .Li Runas_Alias ,
! 1009: or
! 1010: .Li Host_Alias .
! 1011: You should not try to define your own
! 1012: .Em alias
! 1013: called
! 1014: .Sy ALL
! 1015: as the built-in alias will be used in preference to your own.
! 1016: Please note that using
! 1017: .Sy ALL
! 1018: can be dangerous since in a command context, it allows the user to run
! 1019: .Sy any
! 1020: command on the system.
! 1021: .Pp
! 1022: An exclamation point
! 1023: .Pq Ql \&!
! 1024: can be used as a logical
! 1025: .Em not
! 1026: operator both in an
! 1027: .Em alias
! 1028: and in front of a
! 1029: .Li Cmnd .
! 1030: This allows one to exclude certain values.
! 1031: Note, however, that using a
! 1032: .Ql \&!
! 1033: in conjunction with the built-in
! 1034: .Sy ALL
! 1035: alias to allow a user to run
! 1036: .Dq all but a few
! 1037: commands rarely works as intended (see
! 1038: .Sx SECURITY NOTES
! 1039: below).
! 1040: .Pp
! 1041: Long lines can be continued with a backslash
! 1042: .Pq Ql \e
! 1043: as the last character on the line.
! 1044: .Pp
! 1045: White space between elements in a list as well as special syntactic
! 1046: characters in a
! 1047: .Em User Specification
! 1048: .Po
! 1049: .Ql =\& ,
! 1050: .Ql :\& ,
! 1051: .Ql (\& ,
! 1052: .Ql )\&
! 1053: .Pc
! 1054: is optional.
! 1055: .Pp
! 1056: The following characters must be escaped with a backslash
! 1057: .Pq Ql \e
! 1058: when used as part of a word (e.g.\& a user name or host name):
! 1059: .Ql \&! ,
! 1060: .Ql =\& ,
! 1061: .Ql :\& ,
! 1062: .Ql ,\& ,
! 1063: .Ql (\& ,
! 1064: .Ql )\& ,
! 1065: .Ql \e .
! 1066: .Sh SUDOERS OPTIONS
! 1067: .Nm sudo Ns No 's
! 1068: behavior can be modified by
! 1069: .Li Default_Entry
! 1070: lines, as explained earlier.
! 1071: A list of all supported Defaults parameters, grouped by type, is given below.
! 1072: .Pp
! 1073: .Sy Boolean Flags :
! 1074: .Bl -tag -width 16n
! 1075: .It always_set_home
! 1076: If enabled,
! 1077: .Nm sudo
! 1078: will set the
! 1079: .Ev HOME
! 1080: environment variable to the home directory of the target user
! 1081: (which is root unless the
! 1082: .Fl u
! 1083: option is used).
! 1084: This effectively means that the
! 1085: .Fl H
! 1086: option is always implied.
! 1087: This flag is
! 1088: .Em off
! 1089: by default.
! 1090: .It authenticate
! 1091: If set, users must authenticate themselves via a password (or other
! 1092: means of authentication) before they may run commands.
! 1093: This default may be overridden via the
! 1094: .Li PASSWD
! 1095: and
! 1096: .Li NOPASSWD
! 1097: tags.
! 1098: This flag is
! 1099: .Em on
! 1100: by default.
! 1101: .It closefrom_override
! 1102: If set, the user may use
! 1103: .Nm sudo Ns No 's
! 1104: .Fl C
! 1105: option which overrides the default starting point at which
! 1106: .Nm sudo
! 1107: begins closing open file descriptors.
! 1108: This flag is
! 1109: .Em off
! 1110: by default.
! 1111: .It env_editor
! 1112: If set,
! 1113: .Nm visudo
! 1114: will use the value of the
! 1115: .Ev EDITOR
! 1116: or
! 1117: .Ev VISUAL
! 1118: environment variables before falling back on the default editor list.
! 1119: Note that this may create a security hole as it allows the user to
! 1120: run any arbitrary command as root without logging.
! 1121: A safer alternative is to place a colon-separated list of editors
! 1122: in the
! 1123: .Li editor
! 1124: variable.
! 1125: .Nm visudo
! 1126: will then only use the
! 1127: .Ev EDITOR
! 1128: or
! 1129: .Ev VISUAL
! 1130: if they match a value specified in
! 1131: .Li editor .
! 1132: This flag is
! 1133: .Em @env_editor@
! 1134: by
! 1135: default.
! 1136: .It env_reset
! 1137: If set,
! 1138: .Nm sudo
! 1139: will run the command in a minimal environment containing the
! 1140: .Ev TERM ,
! 1141: .Ev PATH ,
! 1142: .Ev HOME ,
! 1143: .Ev MAIL ,
! 1144: .Ev SHELL ,
! 1145: .Ev LOGNAME ,
! 1146: .Ev USER ,
! 1147: .Ev USERNAME
! 1148: and
! 1149: .Ev SUDO_*
! 1150: variables.
! 1151: Any
! 1152: variables in the caller's environment that match the
! 1153: .Li env_keep
! 1154: and
! 1155: .Li env_check
! 1156: lists are then added, followed by any variables present in the file
! 1157: specified by the
! 1158: .Em env_file
! 1159: option (if any).
! 1160: The default contents of the
! 1161: .Li env_keep
! 1162: and
! 1163: .Li env_check
! 1164: lists are displayed when
! 1165: .Nm sudo
! 1166: is run by root with the
! 1167: .Fl V
! 1168: option.
! 1169: If the
! 1170: .Em secure_path
! 1171: option is set, its value will be used for the
! 1172: .Ev PATH
! 1173: environment variable.
! 1174: This flag is
! 1175: .Em @env_reset@
! 1176: by default.
! 1177: .It fast_glob
! 1178: Normally,
! 1179: .Nm sudo
! 1180: uses the
! 1181: .Xr glob 3
! 1182: function to do shell-style globbing when matching path names.
! 1183: However, since it accesses the file system,
! 1184: .Xr glob 3
! 1185: can take a long time to complete for some patterns, especially
! 1186: when the pattern references a network file system that is mounted
! 1187: on demand (auto mounted).
! 1188: The
! 1189: .Em fast_glob
! 1190: option causes
! 1191: .Nm sudo
! 1192: to use the
! 1193: .Xr fnmatch 3
! 1194: function, which does not access the file system to do its matching.
! 1195: The disadvantage of
! 1196: .Em fast_glob
! 1197: is that it is unable to match relative path names such as
! 1198: .Pa ./ls
! 1199: or
! 1200: .Pa ../bin/ls .
! 1201: This has security implications when path names that include globbing
! 1202: characters are used with the negation operator,
! 1203: .Ql !\& ,
! 1204: as such rules can be trivially bypassed.
! 1205: As such, this option should not be used when
! 1206: .Em sudoers
! 1207: contains rules that contain negated path names which include globbing
! 1208: characters.
! 1209: This flag is
! 1210: .Em off
! 1211: by default.
! 1212: .It fqdn
! 1213: Set this flag if you want to put fully qualified host names in the
! 1214: .Em sudoers
! 1215: file when the local host name (as returned by the
! 1216: .Li hostname
! 1217: command) does not contain the domain name.
! 1218: In other words, instead of myhost you would use myhost.mydomain.edu.
! 1219: You may still use the short form if you wish (and even mix the two).
! 1220: This option is only effective when the
! 1221: .Dq canonical
! 1222: host name, as returned by the
! 1223: .Fn getaddrinfo
! 1224: or
! 1225: .Fn gethostbyname
! 1226: function, is a fully-qualified domain name.
! 1227: This is usually the case when the system is configured to use DNS
! 1228: for host name resolution.
! 1229: .Pp
! 1230: If the system is configured to use the
! 1231: .Pa /etc/hosts
! 1232: file in preference to DNS, the
! 1233: .Dq canonical
! 1234: host name may not be fully-qualified.
! 1235: The order that sources are queried for host name resolution
! 1236: is specified in the
! 1237: .Pa /etc/resolv.conf
! 1238: file.
! 1239: In the
! 1240: .Pa /etc/hosts
! 1241: file, the first host name of the entry is considered to be the
! 1242: .Dq canonical
! 1243: name; subsequent names are aliases that are not used by
! 1244: .Nm sudoers .
! 1245: For example, the following hosts file line for the machine
! 1246: .Dq xyzzy
! 1247: has the fully-qualified domain name as the
! 1248: .Dq canonical
! 1249: host name, and the short version as an alias.
! 1250: .sp
! 1251: .Dl 192.168.1.1 xyzzy.sudo.ws xyzzy
! 1252: .sp
! 1253: If the machine's hosts file entry is not formatted properly, the
! 1254: .Em fqdn
! 1255: option will not be effective if it is queried before DNS.
! 1256: .Pp
! 1257: Beware that when using DNS for host name resolution, turning on
! 1258: .Em fqdn
! 1259: requires
! 1260: .Nm sudoers
! 1261: to make DNS lookups which renders
! 1262: .Nm sudo
! 1263: unusable if DNS stops working (for example if the machine is disconnected
! 1264: from the network).
! 1265: Also note that just like with the hosts file, you must use the
! 1266: .Dq canonical
! 1267: name as DNS knows it.
! 1268: That is, you may not use a host alias
! 1269: .Po
! 1270: .Li CNAME
! 1271: entry
! 1272: .Pc
! 1273: due to performance issues and the fact that there is no way to get all
! 1274: aliases from DNS.
! 1275: .Pp
! 1276: This flag is
! 1277: .Em @fqdn@
! 1278: by default.
! 1279: .It ignore_dot
! 1280: If set,
! 1281: .Nm sudo
! 1282: will ignore "." or "" (both denoting current directory) in the
! 1283: .Ev PATH
! 1284: environment variable; the
! 1285: .Ev PATH
! 1286: itself is not modified.
! 1287: This flag is
! 1288: .Em @ignore_dot@
! 1289: by default.
! 1290: .It ignore_local_sudoers
! 1291: If set via LDAP, parsing of
! 1292: .Pa @sysconfdir@/sudoers
! 1293: will be skipped.
! 1294: This is intended for Enterprises that wish to prevent the usage of local
! 1295: sudoers files so that only LDAP is used.
! 1296: This thwarts the efforts of rogue operators who would attempt to add roles to
! 1297: .Pa @sysconfdir@/sudoers .
! 1298: When this option is present,
! 1299: .Pa @sysconfdir@/sudoers
! 1300: does not even need to exist.
! 1301: Since this option tells
! 1302: .Nm sudo
! 1303: how to behave when no specific LDAP entries have been matched, this
! 1304: sudoOption is only meaningful for the
! 1305: .Li cn=defaults
! 1306: section.
! 1307: This flag is
! 1308: .Em off
! 1309: by default.
! 1310: .It insults
! 1311: If set,
! 1312: .Nm sudo
! 1313: will insult users when they enter an incorrect password.
! 1314: This flag is
! 1315: .Em @insults@
! 1316: by default.
! 1317: .It log_host
! 1318: If set, the host name will be logged in the (non-syslog)
! 1319: .Nm sudo
! 1320: log file.
! 1321: This flag is
! 1322: .Em off
! 1323: by default.
! 1324: .It log_year
! 1325: If set, the four-digit year will be logged in the (non-syslog)
! 1326: .Nm sudo
! 1327: log file.
! 1328: This flag is
! 1329: .Em off
! 1330: by default.
! 1331: .It long_otp_prompt
! 1332: When validating with a One Time Password (OTP) scheme such as
! 1333: .Sy S/Key
! 1334: or
! 1335: .Sy OPIE ,
! 1336: a two-line prompt is used to make it easier
! 1337: to cut and paste the challenge to a local window.
! 1338: It's not as pretty as the default but some people find it more convenient.
! 1339: This flag is
! 1340: .Em @long_otp_prompt@
! 1341: by default.
! 1342: .It mail_always
! 1343: Send mail to the
! 1344: .Em mailto
! 1345: user every time a user runs
! 1346: .Nm sudo .
! 1347: This flag is
! 1348: .Em off
! 1349: by default.
! 1350: .It mail_badpass
! 1351: Send mail to the
! 1352: .Em mailto
! 1353: user if the user running
! 1354: .Nm sudo
! 1355: does not enter the correct password.
! 1356: If the command the user is attempting to run is not permitted by
! 1357: .Em sudoers
! 1358: and one of the
! 1359: .Em mail_always ,
! 1360: .Em mail_no_host ,
! 1361: .Em mail_no_perms
! 1362: or
! 1363: .Em mail_no_user
! 1364: flags is set, this flag will have no effect.
! 1365: This flag is
! 1366: .Em off
! 1367: by default.
! 1368: .It mail_no_host
! 1369: If set, mail will be sent to the
! 1370: .Em mailto
! 1371: user if the invoking user exists in the
! 1372: .Em sudoers
! 1373: file, but is not allowed to run commands on the current host.
! 1374: This flag is
! 1375: .Em @mail_no_host@
! 1376: by default.
! 1377: .It mail_no_perms
! 1378: If set, mail will be sent to the
! 1379: .Em mailto
! 1380: user if the invoking user is allowed to use
! 1381: .Nm sudo
! 1382: but the command they are trying is not listed in their
! 1383: .Em sudoers
! 1384: file entry or is explicitly denied.
! 1385: This flag is
! 1386: .Em @mail_no_perms@
! 1387: by default.
! 1388: .It mail_no_user
! 1389: If set, mail will be sent to the
! 1390: .Em mailto
! 1391: user if the invoking user is not in the
! 1392: .Em sudoers
! 1393: file.
! 1394: This flag is
! 1395: .Em @mail_no_user@
! 1396: by default.
! 1397: .It noexec
! 1398: If set, all commands run via
! 1399: .Nm sudo
! 1400: will behave as if the
! 1401: .Li NOEXEC
! 1402: tag has been set, unless overridden by a
! 1403: .Li EXEC
! 1404: tag.
! 1405: See the description of
! 1406: .Em NOEXEC and EXEC
! 1407: below as well as the
! 1408: .Sx Preventing Shell Escapes
! 1409: section at the end of this manual.
! 1410: This flag is
! 1411: .Em off
! 1412: by default.
! 1413: .It path_info
! 1414: Normally,
! 1415: .Nm sudo
! 1416: will tell the user when a command could not be
! 1417: found in their
! 1418: .Ev PATH
! 1419: environment variable.
! 1420: Some sites may wish to disable this as it could be used to gather
! 1421: information on the location of executables that the normal user does
! 1422: not have access to.
! 1423: The disadvantage is that if the executable is simply not in the user's
! 1424: .Ev PATH ,
! 1425: .Nm sudo
! 1426: will tell the user that they are not allowed to run it, which can be confusing.
! 1427: This flag is
! 1428: .Em @path_info@
! 1429: by default.
! 1430: .It passprompt_override
! 1431: The password prompt specified by
! 1432: .Em passprompt
! 1433: will normally only be used if the password prompt provided by systems
! 1434: such as PAM matches the string
! 1435: .Dq Password: .
! 1436: If
! 1437: .Em passprompt_override
! 1438: is set,
! 1439: .Em passprompt
! 1440: will always be used.
! 1441: This flag is
! 1442: .Em off
! 1443: by default.
! 1444: .It preserve_groups
! 1445: By default,
! 1446: .Nm sudo
! 1447: will initialize the group vector to the list of groups the target user is in.
! 1448: When
! 1449: .Em preserve_groups
! 1450: is set, the user's existing group vector is left unaltered.
! 1451: The real and effective group IDs, however, are still set to match the
! 1452: target user.
! 1453: This flag is
! 1454: .Em off
! 1455: by default.
! 1456: .It pwfeedback
! 1457: By default,
! 1458: .Nm sudo
! 1459: reads the password like most other Unix programs,
! 1460: by turning off echo until the user hits the return (or enter) key.
! 1461: Some users become confused by this as it appears to them that
! 1462: .Nm sudo
! 1463: has hung at this point.
! 1464: When
! 1465: .Em pwfeedback
! 1466: is set,
! 1467: .Nm sudo
! 1468: will provide visual feedback when the user presses a key.
! 1469: Note that this does have a security impact as an onlooker may be able to
! 1470: determine the length of the password being entered.
! 1471: This flag is
! 1472: .Em off
! 1473: by default.
! 1474: .It requiretty
! 1475: If set,
! 1476: .Nm sudo
! 1477: will only run when the user is logged in to a real tty.
! 1478: When this flag is set,
! 1479: .Nm sudo
! 1480: can only be run from a login session and not via other means such as
! 1481: .Xr cron @mansectsu@
! 1482: or cgi-bin scripts.
! 1483: This flag is
! 1484: .Em off
! 1485: by default.
! 1486: .It root_sudo
! 1487: If set, root is allowed to run
! 1488: .Nm sudo
! 1489: too.
! 1490: Disabling this prevents users from
! 1491: .Dq chaining
! 1492: .Nm sudo
! 1493: commands to get a root shell by doing something like
! 1494: .Dq Li sudo sudo /bin/sh .
! 1495: Note, however, that turning off
! 1496: .Em root_sudo
! 1497: will also prevent root from running
! 1498: .Nm sudoedit .
! 1499: Disabling
! 1500: .Em root_sudo
! 1501: provides no real additional security; it exists purely for historical reasons.
! 1502: This flag is
! 1503: .Em @root_sudo@
! 1504: by default.
! 1505: .It rootpw
! 1506: If set,
! 1507: .Nm sudo
! 1508: will prompt for the root password instead of the password of the invoking user.
! 1509: This flag is
! 1510: .Em off
! 1511: by default.
! 1512: .It runaspw
! 1513: If set,
! 1514: .Nm sudo
! 1515: will prompt for the password of the user defined by the
! 1516: .Em runas_default
! 1517: option (defaults to
! 1518: .Li @runas_default@ )
! 1519: instead of the password of the invoking user.
! 1520: This flag is
! 1521: .Em off
! 1522: by default.
! 1523: .It set_home
! 1524: If enabled and
! 1525: .Nm sudo
! 1526: is invoked with the
! 1527: .Fl s
! 1528: option the
! 1529: .Ev HOME
! 1530: environment variable will be set to the home directory of the target
! 1531: user (which is root unless the
! 1532: .Fl u
! 1533: option is used).
! 1534: This effectively makes the
! 1535: .Fl s
! 1536: option imply
! 1537: .Fl H .
! 1538: This flag is
! 1539: .Em off
! 1540: by default.
! 1541: .It set_logname
! 1542: Normally,
! 1543: .Nm sudo
! 1544: will set the
! 1545: .Ev LOGNAME ,
! 1546: .Ev USER
! 1547: and
! 1548: .Ev USERNAME
! 1549: environment variables to the name of the target user (usually root unless the
! 1550: .Fl u
! 1551: option is given).
! 1552: However, since some programs (including the RCS revision control system) use
! 1553: .Ev LOGNAME
! 1554: to determine the real identity of the user, it may be desirable to
! 1555: change this behavior.
! 1556: This can be done by negating the set_logname option.
! 1557: Note that if the
! 1558: .Em env_reset
! 1559: option has not been disabled, entries in the
! 1560: .Em env_keep
! 1561: list will override the value of
! 1562: .Em set_logname .
! 1563: This flag is
! 1564: .Em on
! 1565: by default.
! 1566: .It setenv
! 1567: Allow the user to disable the
! 1568: .Em env_reset
! 1569: option from the command line via the
! 1570: .Fl E
! 1571: option.
! 1572: Additionally, environment variables set via the command line are
! 1573: not subject to the restrictions imposed by
! 1574: .Em env_check ,
! 1575: .Em env_delete ,
! 1576: or
! 1577: .Em env_keep .
! 1578: As such, only trusted users should be allowed to set variables in this manner.
! 1579: This flag is
! 1580: .Em off
! 1581: by default.
! 1582: .It shell_noargs
! 1583: If set and
! 1584: .Nm sudo
! 1585: is invoked with no arguments it acts as if the
! 1586: .Fl s
! 1587: option had been given.
! 1588: That is, it runs a shell as root (the shell is determined by the
! 1589: .Ev SHELL
! 1590: environment variable if it is set, falling back on the shell listed
! 1591: in the invoking user's /etc/passwd entry if not).
! 1592: This flag is
! 1593: .Em off
! 1594: by default.
! 1595: .It stay_setuid
! 1596: Normally, when
! 1597: .Nm sudo
! 1598: executes a command the real and effective UIDs are set to the target
! 1599: user (root by default).
! 1600: This option changes that behavior such that the real UID is left
! 1601: as the invoking user's UID.
! 1602: In other words, this makes
! 1603: .Nm sudo
! 1604: act as a setuid wrapper.
! 1605: This can be useful on systems that disable some potentially
! 1606: dangerous functionality when a program is run setuid.
! 1607: This option is only effective on systems that support either the
! 1608: .Xr setreuid 2
! 1609: or
! 1610: .Xr setresuid 2
! 1611: system call.
! 1612: This flag is
! 1613: .Em off
! 1614: by default.
! 1615: .It targetpw
! 1616: If set,
! 1617: .Nm sudo
! 1618: will prompt for the password of the user specified
! 1619: by the
! 1620: .Fl u
! 1621: option (defaults to
! 1622: .Li root )
! 1623: instead of the password of the invoking user.
! 1624: In addition, the time stamp file name will include the target user's name.
! 1625: Note that this flag precludes the use of a uid not listed in the passwd
! 1626: database as an argument to the
! 1627: .Fl u
! 1628: option.
! 1629: This flag is
! 1630: .Em off
! 1631: by default.
! 1632: .It tty_tickets
! 1633: If set, users must authenticate on a per-tty basis.
! 1634: With this flag enabled,
! 1635: .Nm sudo
! 1636: will use a file named for the tty the user is
! 1637: logged in on in the user's time stamp directory.
! 1638: If disabled, the time stamp of the directory is used instead.
! 1639: This flag is
! 1640: .Em @tty_tickets@
! 1641: by default.
! 1642: .It umask_override
! 1643: If set,
! 1644: .Nm sudo
! 1645: will set the umask as specified by
! 1646: .Em sudoers
! 1647: without modification.
! 1648: This makes it possible to specify a more permissive umask in
! 1649: .Em sudoers
! 1650: than the user's own umask and matches historical behavior.
! 1651: If
! 1652: .Em umask_override
! 1653: is not set,
! 1654: .Nm sudo
! 1655: will set the umask to be the union of the user's umask and what is specified in
! 1656: .Em sudoers .
! 1657: This flag is
! 1658: .Em @umask_override@
! 1659: by default.
! 1660: .It use_loginclass
! 1661: If set,
! 1662: .Nm sudo
! 1663: will apply the defaults specified for the target user's login class
! 1664: if one exists.
! 1665: Only available if
! 1666: .Nm sudo
! 1667: is configured with the
! 1668: .Li --with-logincap
! 1669: option.
! 1670: This flag is
! 1671: .Em off
! 1672: by default.
! 1673: .It use_pty
! 1674: If set,
! 1675: .Nm sudo
! 1676: will run the command in a pseudo-pty even if no I/O logging is being done.
! 1677: A malicious program run under
! 1678: .Nm sudo
! 1679: could conceivably fork a background process that retains access to the
! 1680: user's terminal device after the main program has finished executing.
! 1681: Use of this option will make that impossible.
! 1682: This flag is
! 1683: .Em off
! 1684: by default.
! 1685: .It visiblepw
! 1686: By default,
! 1687: .Nm sudo
! 1688: will refuse to run if the user must enter a password but it is not
! 1689: possible to disable echo on the terminal.
! 1690: If the
! 1691: .Em visiblepw
! 1692: flag is set,
! 1693: .Nm sudo
! 1694: will prompt for a password even when it would be visible on the screen.
! 1695: This makes it possible to run things like
! 1696: .Dq Li ssh somehost sudo ls
! 1697: since by default,
! 1698: .Xr ssh 1
! 1699: does
! 1700: not allocate a tty when running a command.
! 1701: This flag is
! 1702: .Em off
! 1703: by default.
! 1704: .El
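The fast_glob caveat above (negated path names containing globbing characters are not safe once fnmatch(3) replaces glob(3)) can be checked for mechanically. The Python linter below is an added example, not part of sudo; it parses a constructed sudoers fragment using a minimal subset of the grammar (Defaults flags, Cmnd_Alias, simple user specifications, backslash continuation) and reports every negated command whose path contains a globbing character while fast_glob is enabled.

```python
import re

# Constructed sudoers fragment used as sample input (not a real site's policy).
SAMPLE_SUDOERS = """\
Defaults    env_reset
Defaults    fast_glob
Cmnd_Alias  SHELLS = /bin/sh, /bin/bash
# "all but a few" plus a negated wildcard: the combination the text warns about
alice   ALL = (root) ALL, !SHELLS, \\
                     !/usr/bin/vi*
bob     ALL = (root) /usr/bin/less, !/usr/bin/less /var/log/secure
"""

GLOB_CHARS = set("*?[")


def parse_sudoers(text):
    """Return (flags, cmnd_aliases, user_specs) from a sudoers fragment.

    Only a small subset of the grammar is handled: 'Defaults name' and
    'Defaults !name' (treated as global, per-user Defaults are not
    distinguished), 'Cmnd_Alias NAME = cmnd, cmnd' and
    'user host = (runas) cmnd, cmnd'.  Quoted Defaults values are not parsed.
    """
    flags, aliases, specs = {}, {}, []
    joined = re.sub(r"\\\n", " ", text)          # backslash line continuation
    for raw in joined.splitlines():
        line = raw.split("#", 1)[0].strip()       # drop comments and blanks
        if not line:
            continue
        if line.startswith("Defaults"):
            for tok in line.split()[1:]:
                tok = tok.strip(",")
                if tok.startswith("!"):
                    flags[tok[1:]] = False
                else:
                    flags[tok.split("=", 1)[0]] = True
        elif line.startswith("Cmnd_Alias"):
            name, rhs = line[len("Cmnd_Alias"):].split("=", 1)
            aliases[name.strip()] = [c.strip() for c in rhs.split(",")]
        else:
            lhs, rhs = line.split("=", 1)
            user = lhs.split()[0]
            cmnds = re.sub(r"\([^)]*\)", "", rhs)  # drop the (runas) part
            specs.append((user, [c.strip() for c in cmnds.split(",")]))
    return flags, aliases, specs


def expand(cmnd, aliases):
    """Expand a command (possibly a negated Cmnd_Alias) into (negated, cmnd) pairs."""
    negated = cmnd.startswith("!")
    name = cmnd.lstrip("!")
    out = []
    for member in aliases.get(name, [name]):
        member_neg = member.startswith("!")
        out.append((negated != member_neg, member.lstrip("!")))  # '!' twice cancels
    return out


def find_fast_glob_hazards(text):
    """List (user, negated command) pairs that fast_glob makes unreliable."""
    flags, aliases, specs = parse_sudoers(text)
    findings = []
    if not flags.get("fast_glob", False):
        return findings                           # glob(3) in use, nothing to report
    for user, cmnds in specs:
        for cmnd in cmnds:
            for negated, full in expand(cmnd, aliases):
                path = full.split()[0]            # the path name, not its arguments
                if negated and GLOB_CHARS & set(path):
                    findings.append((user, "!" + full))
    return findings


if __name__ == "__main__":
    for user, cmnd in find_fast_glob_hazards(SAMPLE_SUDOERS):
        print("fast_glob is set and %s has a negated glob rule: %s" % (user, cmnd))
```

Running it on the sample reports alice's `!/usr/bin/vi*` rule; bob's negated rule has no globbing character in its path and is not reported.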
! 1705: .Pp
! 1706: .Sy Integers :
! 1707: .Bl -tag -width 16n
! 1708: .It closefrom
! 1709: Before it executes a command,
! 1710: .Nm sudo
! 1711: will close all open file descriptors other than standard input,
! 1712: standard output and standard error (i.e.\& file descriptors 0-2).
! 1713: The
! 1714: .Em closefrom
! 1715: option can be used to specify a different file descriptor at which
! 1716: to start closing.
! 1717: The default is
! 1718: .Li 3 .
! 1719: .It passwd_tries
! 1720: The number of tries a user gets to enter his/her password before
! 1721: .Nm sudo
! 1722: logs the failure and exits.
! 1723: The default is
! 1724: .Li @passwd_tries@ .
! 1725: .El
! 1726: .Pp
! 1727: .Sy Integers that can be used in a boolean context :
! 1728: .Bl -tag -width 16n
! 1729: .It loglinelen
! 1730: Number of characters per line for the file log.
! 1731: This value is used to decide when to wrap lines for nicer log files.
! 1732: This has no effect on the syslog log file, only the file log.
! 1733: The default is
! 1734: .Li @loglen@
! 1735: (use 0 or negate the option to disable word wrap).
! 1736: .It passwd_timeout
! 1737: Number of minutes before the
! 1738: .Nm sudo
! 1739: password prompt times out, or
! 1740: .Li 0
! 1741: for no timeout.
! 1742: The timeout may include a fractional component
! 1743: if minute granularity is insufficient, for example
! 1744: .Li 2.5 .
! 1745: The
! 1746: default is
! 1747: .Li @password_timeout@ .
! 1748: .It timestamp_timeout
! 1749: Number of minutes that can elapse before
! 1750: .Nm sudo
! 1751: will ask for a password again.
! 1752: The timeout may include a fractional component if
! 1753: minute granularity is insufficient, for example
! 1754: .Li 2.5 .
! 1755: The default is
! 1756: .Li @timeout@ .
! 1757: Set this to
! 1758: .Li 0
! 1759: to always prompt for a password.
! 1760: If set to a value less than
! 1761: .Li 0
! 1762: the user's time stamp will never expire.
! 1763: This can be used to allow users to create or delete their own time stamps via
! 1764: .Dq Li sudo -v
! 1765: and
! 1766: .Dq Li sudo -k
! 1767: respectively.
! 1768: .It umask
! 1769: Umask to use when running the command.
! 1770: Negate this option or set it to 0777 to preserve the user's umask.
! 1771: The actual umask that is used will be the union of the user's umask
! 1772: and the value of the
! 1773: .Em umask
! 1774: option, which defaults to
! 1775: .Li @sudo_umask@ .
! 1776: This guarantees
! 1777: that
! 1778: .Nm sudo
! 1779: never lowers the umask when running a command.
! 1780: Note: on systems that use PAM, the default PAM configuration may specify
! 1781: its own umask which will override the value set in
! 1782: .Em sudoers .
! 1783: .El
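The umask option above and the umask_override flag from the Boolean Flags list interact in a way that is easy to get wrong: the union rule never lowers the user's umask, umask_override applies the sudoers value verbatim, and 0777 or a negated option leaves the user's umask alone. The Python model below is an added example, not sudo's own code; the Defaults fragments it parses are constructed.

```python
NO_UMASK = 0o777   # a sudoers umask of 0777 means "not set": preserve the user's umask


def parse_umask_defaults(sudoers_text):
    """Return (sudoers_umask, umask_override) from the Defaults lines of a fragment.

    sudoers_umask is an int, or None when the option is negated ('Defaults !umask').
    Only the two options discussed here are recognised; other tokens are ignored.
    """
    sudoers_umask, umask_override = None, False
    for raw in sudoers_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line.startswith("Defaults"):
            continue
        for tok in line.split()[1:]:
            tok = tok.strip(",")
            if tok == "umask_override":
                umask_override = True
            elif tok == "!umask_override":
                umask_override = False
            elif tok == "!umask":
                sudoers_umask = None
            elif tok.startswith("umask="):
                sudoers_umask = int(tok.split("=", 1)[1], 8)   # octal, as in sudoers
    return sudoers_umask, umask_override


def effective_umask(user_umask, sudoers_umask, umask_override=False):
    """Umask sudo applies to the command, following the descriptions above."""
    if sudoers_umask is None or sudoers_umask == NO_UMASK:
        return user_umask                     # negated or 0777: user's umask preserved
    if umask_override:
        return sudoers_umask                  # historical behaviour: value used as written
    return user_umask | sudoers_umask         # union: bits can only be added, never cleared


def umask_for(sudoers_text, user_umask):
    """Convenience wrapper: effective umask for a user under a given sudoers fragment."""
    sudoers_umask, override = parse_umask_defaults(sudoers_text)
    return effective_umask(user_umask, sudoers_umask, override)


def created_file_mode(umask, requested=0o666):
    """Mode a program gets from creat() with the usual 0666 request under this umask."""
    return requested & ~umask & 0o777


if __name__ == "__main__":
    user = 0o077                              # a cautious user's own umask
    for label, fragment in (("union", "Defaults umask=0022\n"),
                            ("override", "Defaults umask=0022, umask_override\n"),
                            ("preserve", "Defaults !umask\n")):
        u = umask_for(fragment, user)
        print("%-8s umask=%04o  new file mode=%04o" % (label, u, created_file_mode(u)))
```

With umask_override the user's 0077 drops to the more permissive 0022, so files the command creates become world-readable; with the default union rule they stay at 0600.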
! 1784: .Pp
! 1785: .Sy Strings :
! 1786: .Bl -tag -width 16n
! 1787: .It badpass_message
! 1788: Message that is displayed if a user enters an incorrect password.
! 1789: The default is
! 1790: .Li @badpass_message@
! 1791: unless insults are enabled.
! 1792: .It editor
! 1793: A colon
! 1794: .Pq Ql :\&
! 1795: separated list of editors allowed to be used with
! 1796: .Nm visudo .
! 1797: .Nm visudo
! 1798: will choose the editor that matches the user's
! 1799: .Ev EDITOR
! 1800: environment variable if possible, or the first editor in the
! 1801: list that exists and is executable.
! 1802: The default is
! 1803: .Pa @editor@ .
! 1804: .It mailsub
! 1805: Subject of the mail sent to the
! 1806: .Em mailto
! 1807: user.
! 1808: The escape
! 1809: .Li %h
! 1810: will expand to the host name of the machine.
! 1811: Default is
! 1812: .Dq Li @mailsub@ .
! 1813: .It noexec_file
! 1814: The
! 1815: .Em noexec_file
! 1816: option specifies the fully-qualified path to a shared library
! 1817: containing dummy versions of the
! 1818: .Fn execv ,
! 1819: .Fn execve
! 1820: and
! 1821: .Fn fexecve
! 1822: library functions that just return an error.
! 1823: This is used to implement the
! 1824: .Em noexec
! 1825: functionality on systems that support
! 1826: .Ev LD_PRELOAD
! 1827: or its equivalent.
! 1828: Defaults to
! 1829: .Pa @noexec_file@ .
! 1830: .It passprompt
! 1831: The default prompt to use when asking for a password; can be overridden via the
! 1832: .Fl p
! 1833: option or the
! 1834: .Ev SUDO_PROMPT
! 1835: environment variable.
! 1836: The following percent
! 1837: .Pq Ql %
! 1838: escape sequences are supported:
! 1839: .Bl -tag -width 4n
! 1840: .It Li %H
! 1841: expanded to the local host name including the domain name
! 1842: (only if the machine's host name is fully qualified or the
! 1843: .Em fqdn
! 1844: option is set)
! 1845: .It Li %h
! 1846: expanded to the local host name without the domain name
! 1847: .It Li %p
! 1848: expanded to the user whose password is being asked for (respects the
! 1849: .Em rootpw ,
! 1850: .Em targetpw
! 1851: and
! 1852: .Em runaspw
! 1853: flags in
! 1854: .Em sudoers )
! 1855: .It Li \&%U
! 1856: expanded to the login name of the user the command will
! 1857: be run as (defaults to root)
! 1858: .It Li %u
! 1859: expanded to the invoking user's login name
! 1860: .It Li %%
! 1861: two consecutive
! 1862: .Li %
! 1863: characters are collapsed into a single
! 1864: .Li %
! 1865: character
! 1866: .El
! 1867: .Pp
! 1868: The default value is
! 1869: .Dq Li @passprompt@ .
! 1870: .It runas_default
! 1871: The default user to run commands as if the
! 1872: .Fl u
! 1873: option is not specified on the command line.
! 1874: This defaults to
! 1875: .Li @runas_default@ .
! 1876: .It syslog_badpri
! 1877: Syslog priority to use when user authenticates unsuccessfully.
! 1878: Defaults to
! 1879: .Li @badpri@ .
! 1880: .Pp
! 1881: The following syslog priorities are supported:
! 1882: .Sy alert ,
! 1883: .Sy crit ,
! 1884: .Sy debug ,
! 1885: .Sy emerg ,
! 1886: .Sy err ,
! 1887: .Sy info ,
! 1888: .Sy notice ,
! 1889: and
! 1890: .Sy warning .
! 1891: .It syslog_goodpri
! 1892: Syslog priority to use when user authenticates successfully.
! 1893: Defaults to
! 1894: .Li @goodpri@ .
! 1895: .Pp
! 1896: See
! 1897: .Sx syslog_badpri
! 1898: for the list of supported syslog priorities.
! 1899: .It sudoers_locale
! 1900: Locale to use when parsing the sudoers file, logging commands, and
! 1901: sending email.
! 1902: Note that changing the locale may affect how sudoers is interpreted.
! 1903: Defaults to
! 1904: .Dq Li C .
! 1905: .It timestampdir
! 1906: The directory in which
! 1907: .Nm sudo
! 1908: stores its time stamp files.
! 1909: The default is
! 1910: .Pa @timedir@ .
! 1911: .It timestampowner
! 1912: The owner of the time stamp directory and the time stamps stored therein.
! 1913: The default is
! 1914: .Li root .
! 1915: .It askpass
! 1916: The
! 1917: .Em askpass
! 1918: option specifies the fully qualified path to a helper program used
! 1919: to read the user's password when no terminal is available.
! 1920: This may be the case when
! 1921: .Nm sudo
! 1922: is executed from a graphical (as opposed to text-based) application.
! 1923: The program specified by
! 1924: .Em askpass
! 1925: should display the argument passed to it as the prompt and write
! 1926: the user's password to the standard output.
! 1927: The value of
! 1928: .Em askpass
! 1929: may be overridden by the
! 1930: .Ev SUDO_ASKPASS
! 1931: environment variable.
! 1932: .It env_file
! 1933: The
! 1934: .Em env_file
! 1935: option specifies the fully qualified path to a file containing variables
! 1936: to be set in the environment of the program being run.
! 1937: Entries in this file should either be of the form
! 1938: .Dq Li VARIABLE=value
! 1939: or
! 1940: .Dq Li export VARIABLE=value .
! 1941: The value may optionally be surrounded by single or double quotes.
! 1942: Variables in this file are subject to other
! 1943: .Nm sudo
! 1944: environment settings such as
! 1945: .Em env_keep
! 1946: and
! 1947: .Em env_check .
! 1948: .It exempt_group
! 1949: Users in this group are exempt from password and PATH requirements.
! 1950: The group name specified should not include a
! 1951: .Li %
! 1952: prefix.
! 1953: This is not set by default.
! 1954: .It lecture
! 1955: This option controls when a short lecture will be printed along with
! 1956: the password prompt.
! 1957: It has the following possible values:
! 1958: .Bl -tag -width 6n
! 1959: .It always
! 1960: Always lecture the user.
! 1961: .It never
! 1962: Never lecture the user.
! 1963: .It once
! 1964: Only lecture the user the first time they run
! 1965: .Nm sudo .
! 1966: .El
! 1967: .Pp
! 1968: If no value is specified, a value of
! 1969: .Em once
! 1970: is implied.
! 1971: Negating the option results in a value of
! 1972: .Em never
! 1973: being used.
! 1974: The default value is
! 1975: .Em @lecture@ .
! 1976: .It lecture_file
! 1977: Path to a file containing an alternate
! 1978: .Nm sudo
! 1979: lecture that will be used in place of the standard lecture if the named
! 1980: file exists.
! 1981: By default,
! 1982: .Nm sudo
! 1983: uses a built-in lecture.
! 1984: .It listpw
! 1985: This option controls when a password will be required when a user runs
! 1986: .Nm sudo
! 1987: with the
! 1988: .Fl l
! 1989: option.
! 1990: It has the following possible values:
! 1991: .Bl -tag -width 8n
! 1992: .It all
! 1993: All the user's
! 1994: .Em sudoers
! 1995: entries for the current host must have
! 1996: the
! 1997: .Li NOPASSWD
! 1998: flag set to avoid entering a password.
! 1999: .It always
! 2000: The user must always enter a password to use the
! 2001: .Fl l
! 2002: option.
! 2003: .It any
! 2004: At least one of the user's
! 2005: .Em sudoers
! 2006: entries for the current host
! 2007: must have the
! 2008: .Li NOPASSWD
! 2009: flag set to avoid entering a password.
! 2010: .It never
! 2011: The user need never enter a password to use the
! 2012: .Fl l
! 2013: option.
! 2014: .El
! 2015: .Pp
! 2016: If no value is specified, a value of
! 2017: .Em any
! 2018: is implied.
! 2019: Negating the option results in a value of
! 2020: .Em never
! 2021: being used.
! 2022: The default value is
! 2023: .Em any .
! 2024: .It logfile
! 2025: Path to the
! 2026: .Nm sudo
! 2027: log file (not the syslog log file).
! 2028: Setting a path turns on logging to a file;
! 2029: negating this option turns it off.
! 2030: By default,
! 2031: .Nm sudo
! 2032: logs via syslog.
! 2033: .It mailerflags
! 2034: Flags to use when invoking the mailer.
! 2034: Defaults to
! 2035: .Fl t .
! 2036: .It mailerpath
! 2037: Path to mail program used to send warning mail.
! 2038: Defaults to the path to sendmail found at configure time.
! 2039: .It mailfrom
! 2040: Address to use for the
! 2041: .Dq from
! 2042: address when sending warning and error mail.
! 2043: The address should be enclosed in double quotes
! 2044: .Pq \&""
! 2045: to protect against
! 2046: .Nm sudo
! 2047: interpreting the
! 2048: .Li @
! 2049: sign.
! 2050: Defaults to the name of the user running
! 2051: .Nm sudo .
! 2052: .It mailto
! 2053: Address to send warning and error mail to.
! 2054: The address should be enclosed in double quotes
! 2055: .Pq \&""
! 2056: to protect against
! 2057: .Nm sudo
! 2058: interpreting the
! 2059: .Li @
! 2060: sign.
! 2061: Defaults to
! 2062: .Li @mailto@ .
! 2063: .It secure_path
! 2064: Path used for every command run from
! 2065: .Nm sudo .
! 2066: If you don't trust the
! 2067: people running
! 2068: .Nm sudo
! 2069: to have a sane
! 2070: .Ev PATH
! 2071: environment variable you may want to use this.
! 2072: Another use is if you want to have the
! 2073: .Dq root path
! 2074: be separate from the
! 2075: .Dq user path .
! 2076: Users in the group specified by the
! 2077: .Em exempt_group
! 2078: option are not affected by
! 2079: .Em secure_path .
! 2080: This option is @secure_path@ by default.
! 2081: .It syslog
! 2082: Syslog facility if syslog is being used for logging (negate to
! 2083: disable syslog logging).
! 2084: Defaults to
! 2085: .Li @logfac@ .
! 2086: .Pp
! 2087: The following syslog facilities are supported:
! 2088: .Sy authpriv
! 2089: (if your
! 2090: OS supports it),
! 2091: .Sy auth ,
! 2092: .Sy daemon ,
! 2093: .Sy user ,
! 2094: .Sy local0 ,
! 2095: .Sy local1 ,
! 2096: .Sy local2 ,
! 2097: .Sy local3 ,
! 2098: .Sy local4 ,
! 2099: .Sy local5 ,
! 2100: .Sy local6 ,
! 2101: and
! 2102: .Sy local7 .
! 2103: .It verifypw
! 2104: This option controls when a password will be required when a user runs
! 2105: .Nm sudo
! 2106: with the
! 2107: .Fl v
! 2108: option.
! 2109: It has the following possible values:
! 2110: .Bl -tag -width 6n
! 2111: .It all
! 2112: All the user's
! 2113: .Em sudoers
! 2114: entries for the current host must have the
! 2115: .Li NOPASSWD
! 2116: flag set to avoid entering a password.
! 2117: .It always
! 2118: The user must always enter a password to use the
! 2119: .Fl v
! 2120: option.
! 2121: .It any
! 2122: At least one of the user's
! 2123: .Em sudoers
! 2124: entries for the current host must have the
! 2125: .Li NOPASSWD
! 2126: flag set to avoid entering a password.
! 2127: .It never
! 2128: The user need never enter a password to use the
! 2129: .Fl v
! 2130: option.
! 2131: .El
! 2132: .Pp
! 2133: If no value is specified, a value of
! 2134: .Em all
! 2135: is implied.
! 2136: Negating the option results in a value of
! 2137: .Em never
! 2138: being used.
! 2139: The default value is
! 2140: .Em all .
! 2141: .El
! 2142: .Pp
! 2143: .Sy Lists that can be used in a boolean context :
! 2144: .Bl -tag -width 16n
! 2145: .It env_check
! 2146: Environment variables to be removed from the user's environment if
! 2147: the variable's value contains
! 2148: .Ql %
! 2149: or
! 2150: .Ql /
! 2151: characters.
! 2152: This can be used to guard against printf-style format vulnerabilities
! 2153: in poorly-written programs.
! 2154: The argument may be a double-quoted, space-separated list or a
! 2155: single value without double-quotes.
! 2156: The list can be replaced, added to, deleted from, or disabled by using
! 2157: the
! 2158: .Li = ,
! 2159: .Li += ,
! 2160: .Li -= ,
! 2161: and
! 2162: .Li \&!
! 2163: operators respectively.
! 2164: Regardless of whether the
! 2165: .Li env_reset
! 2166: option is enabled or disabled, variables specified by
! 2167: .Li env_check
! 2168: will be preserved in the environment if they pass the aforementioned check.
! 2169: The default list of environment variables to check is displayed when
! 2170: .Nm sudo
! 2171: is run by root with
! 2172: the
! 2173: .Fl V
! 2174: option.
! 2175: .It env_delete
! 2176: Environment variables to be removed from the user's environment when the
! 2177: .Em env_reset
! 2178: option is not in effect.
! 2179: The argument may be a double-quoted, space-separated list or a
! 2180: single value without double-quotes.
! 2181: The list can be replaced, added to, deleted from, or disabled by using the
! 2182: .Li = ,
! 2183: .Li += ,
! 2184: .Li -= ,
! 2185: and
! 2186: .Li \&!
! 2187: operators respectively.
! 2188: The default list of environment variables to remove is displayed when
! 2189: .Nm sudo
! 2190: is run by root with the
! 2191: .Fl V
! 2192: option.
! 2193: Note that many operating systems will remove potentially dangerous
! 2194: variables from the environment of any setuid process (such as
! 2195: .Nm sudo ) .
! 2196: .It env_keep
! 2197: Environment variables to be preserved in the user's environment when the
! 2198: .Em env_reset
! 2199: option is in effect.
! 2200: This allows fine-grained control over the environment
! 2201: .Nm sudo Ns No -spawned
! 2202: processes will receive.
! 2203: The argument may be a double-quoted, space-separated list or a
! 2204: single value without double-quotes.
! 2205: The list can be replaced, added to, deleted from, or disabled by using the
! 2206: .Li = ,
! 2207: .Li += ,
! 2208: .Li -= ,
! 2209: and
! 2210: .Li \&!
! 2211: operators respectively.
! 2212: The default list of variables to keep
! 2213: is displayed when
! 2214: .Nm sudo
! 2215: is run by root with the
! 2216: .Fl V
! 2217: option.
! 2218: .El
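As an added example (not part of this manual page or of sudo's own code), the following Python models the list operators and the env_check, env_keep and env_delete rules described above; the env_check and env_delete lists it uses are constructed for the demonstration, not sudo's compiled-in defaults.

```python
import re

def apply_list_default(lists, line):
    """Apply one 'Defaults <list> <op> <value>' line to a dict of list-valued
    options, following the =, +=, -= and ! operators described above.
    The value may be a double-quoted, space-separated list or a bare word."""
    m = re.match(r'^Defaults\s+(!?)(\w+)\s*(?:(\+=|-=|=)\s*(.+?))?\s*$', line)
    if not m:
        raise ValueError(f"not a Defaults list line: {line!r}")
    neg, name, op, value = m.groups()
    current = lists.setdefault(name, set())
    if neg:                        # "Defaults !env_keep": disable the list
        lists[name] = set()
    elif op == "=":                # replace the list
        lists[name] = set(value.strip('"').split())
    elif op == "+=":               # add to the list
        current |= set(value.strip('"').split())
    elif op == "-=":               # delete from the list
        current -= set(value.strip('"').split())
    return lists

def fails_check(value):
    """env_check test: a value containing a % or / character is rejected."""
    return "%" in value or "/" in value

def filter_env(env, lists, env_reset=True):
    """Model of the documented rules: env_check variables survive when they
    pass the % and / test regardless of env_reset; with env_reset only
    env_keep variables survive; without it env_delete variables are removed."""
    keep = lists.get("env_keep", set())
    check = lists.get("env_check", set())
    delete = lists.get("env_delete", set())
    out = {}
    for name, value in env.items():
        if name in check:
            if not fails_check(value):
                out[name] = value
        elif env_reset:
            if name in keep:
                out[name] = value
        elif name not in delete:
            out[name] = value
    return out

# Constructed sample: the env_keep line from the example sudoers entries,
# plus constructed env_check and env_delete lists (not sudo's defaults).
SAMPLE_DEFAULTS = [
    'Defaults env_keep += "DISPLAY HOME"',
    'Defaults env_check = "TZ COLORTERM"',
    'Defaults env_delete = "IFS LD_PRELOAD"',
]
SAMPLE_ENV = {                                 # constructed user environment
    "HOME": "/home/millert", "DISPLAY": ":0", "TERM": "xterm",
    "TZ": "UTC", "COLORTERM": "a/b",           # COLORTERM fails the check
    "LD_PRELOAD": "/tmp/lib.so",               # removed either way
}

def demo(env_reset):
    """Apply the sample Defaults lines and filter the sample environment."""
    lists = {}
    for line in SAMPLE_DEFAULTS:
        apply_list_default(lists, line)
    return filter_env(SAMPLE_ENV, lists, env_reset)
```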
! 2219: .Sh FILES
! 2220: .Bl -tag -width 24n
! 2221: .It Pa @sysconfdir@/sudoers
! 2222: List of who can run what
! 2223: .It Pa /etc/group
! 2224: Local groups file
! 2225: .It Pa /etc/netgroup
! 2226: List of network groups
! 2227: .El
! 2228: .Sh EXAMPLES
! 2229: Below are example
! 2230: .Em sudoers
! 2231: entries.
! 2232: Admittedly, some of these are a bit contrived.
! 2233: First, we allow a few environment variables to pass and then define our
! 2234: .Em aliases :
! 2235: .Bd -literal
! 2236: # Run X applications through sudo; HOME is used to find the
! 2237: # .Xauthority file. Note that other programs use HOME to find
! 2238: # configuration files and this may lead to privilege escalation!
! 2239: Defaults env_keep += "DISPLAY HOME"
! 2240:
! 2241: # User alias specification
! 2242: User_Alias FULLTIMERS = millert, mikef, dowdy
! 2243: User_Alias PARTTIMERS = bostley, jwfox, crawl
! 2244: User_Alias WEBMASTERS = will, wendy, wim
! 2245:
! 2246: # Runas alias specification
! 2247: Runas_Alias OP = root, operator
! 2248: Runas_Alias DB = oracle, sybase
! 2249: Runas_Alias ADMINGRP = adm, oper
! 2250:
! 2251: # Host alias specification
! 2252: Host_Alias SPARC = bigtime, eclipse, moet, anchor :\e
! 2253:     SGI = grolsch, dandelion, black :\e
! 2254:     ALPHA = widget, thalamus, foobar :\e
! 2255:     HPPA = boa, nag, python
! 2256: Host_Alias CUNETS = 128.138.0.0/255.255.0.0
! 2257: Host_Alias CSNETS = 128.138.243.0, 128.138.204.0/24, 128.138.242.0
! 2258: Host_Alias SERVERS = master, mail, www, ns
! 2259: Host_Alias CDROM = orion, perseus, hercules
! 2260:
! 2261: # Cmnd alias specification
! 2262: Cmnd_Alias DUMPS = /usr/bin/mt, /usr/sbin/dump, /usr/sbin/rdump,\e
! 2263:     /usr/sbin/restore, /usr/sbin/rrestore
! 2264: Cmnd_Alias KILL = /usr/bin/kill
! 2265: Cmnd_Alias PRINTING = /usr/sbin/lpc, /usr/bin/lprm
! 2266: Cmnd_Alias SHUTDOWN = /usr/sbin/shutdown
! 2267: Cmnd_Alias HALT = /usr/sbin/halt
! 2268: Cmnd_Alias REBOOT = /usr/sbin/reboot
! 2269: Cmnd_Alias SHELLS = /usr/bin/sh, /usr/bin/csh, /usr/bin/ksh,\e
! 2270:     /usr/local/bin/tcsh, /usr/bin/rsh,\e
! 2271:     /usr/local/bin/zsh
! 2272: Cmnd_Alias SU = /usr/bin/su
! 2273: Cmnd_Alias PAGERS = /usr/bin/more, /usr/bin/pg, /usr/bin/less
! 2274: .Ed
! 2275: .Pp
! 2276: Here we override some of the compiled-in default values.
! 2277: We want
! 2278: .Nm sudo
! 2279: to log via
! 2280: .Xr syslog 3
! 2281: using the
! 2282: .Em auth
! 2283: facility in all cases.
! 2284: We don't want to subject the full time staff to the
! 2285: .Nm sudo
! 2286: lecture, user
! 2287: .Sy millert
! 2288: need not give a password, and we don't want to reset the
! 2289: .Ev LOGNAME ,
! 2290: .Ev USER
! 2291: or
! 2292: .Ev USERNAME
! 2293: environment variables when running commands as root.
! 2294: Additionally, on the machines in the
! 2295: .Em SERVERS
! 2296: .Li Host_Alias ,
! 2297: we keep an additional local log file and make sure we log the year
! 2298: in each log line since the log entries will be kept around for several years.
! 2299: Lastly, we disable shell escapes for the commands in the PAGERS
! 2300: .Li Cmnd_Alias
! 2301: .Po
! 2302: .Pa /usr/bin/more ,
! 2303: .Pa /usr/bin/pg
! 2304: and
! 2305: .Pa /usr/bin/less
! 2306: .Pc .
! 2307: .Bd -literal
! 2308: # Override built-in defaults
! 2309: Defaults syslog=auth
! 2310: Defaults>root !set_logname
! 2311: Defaults:FULLTIMERS !lecture
! 2312: Defaults:millert !authenticate
! 2313: Defaults@SERVERS log_year, logfile=/var/log/sudo.log
! 2314: Defaults!PAGERS noexec
! 2315: .Ed
! 2316: .Pp
! 2317: The
! 2318: .Em User specification
! 2319: is the part that actually determines who may run what.
! 2320: .Bd -literal
! 2321: root ALL = (ALL) ALL
! 2322: %wheel ALL = (ALL) ALL
! 2323: .Ed
! 2324: .Pp
! 2325: We let
! 2326: .Sy root
! 2327: and any user in group
! 2328: .Sy wheel
! 2329: run any command on any host as any user.
! 2330: .Bd -literal
! 2331: FULLTIMERS ALL = NOPASSWD: ALL
! 2332: .Ed
! 2333: .Pp
! 2334: Full time sysadmins
! 2335: .Po
! 2336: .Sy millert ,
! 2337: .Sy mikef ,
! 2338: and
! 2339: .Sy dowdy
! 2340: .Pc
! 2341: may run any command on any host without authenticating themselves.
! 2342: .Bd -literal
! 2343: PARTTIMERS ALL = ALL
! 2344: .Ed
! 2345: .Pp
! 2346: Part time sysadmins
! 2347: .Po
! 2348: .Sy bostley ,
! 2349: .Sy jwfox ,
! 2350: and
! 2351: .Sy crawl
! 2352: .Pc
! 2351: may run any command on any host but they must authenticate themselves
! 2352: first (since the entry lacks the
! 2353: .Li NOPASSWD
! 2354: tag).
! 2355: .Bd -literal
! 2356: jack CSNETS = ALL
! 2357: .Ed
! 2358: .Pp
! 2359: The user
! 2360: .Sy jack
! 2361: may run any command on the machines in the
! 2362: .Em CSNETS
! 2363: alias (the networks
! 2364: .Li 128.138.243.0 ,
! 2365: .Li 128.138.204.0 ,
! 2366: and
! 2367: .Li 128.138.242.0 ) .
! 2368: Of those networks, only
! 2369: .Li 128.138.204.0
! 2370: has an explicit netmask (in CIDR notation) indicating it is a class C network.
! 2371: For the other networks in
! 2372: .Em CSNETS ,
! 2373: the local machine's netmask will be used during matching.
! 2374: .Bd -literal
! 2375: lisa CUNETS = ALL
! 2376: .Ed
! 2377: .Pp
! 2378: The user
! 2379: .Sy lisa
! 2380: may run any command on any host in the
! 2381: .Em CUNETS
! 2382: alias (the class B network
! 2383: .Li 128.138.0.0 ) .
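Added example (not from this manual page or from sudo itself): a Python model of the host matching described for the CSNETS and CUNETS entries, using the Host_Alias definitions from the examples above; the local machine's hostname, address and netmask are constructed inputs.

```python
import ipaddress

# Host_Alias definitions copied from the example sudoers entries above.
CSNETS = ["128.138.243.0", "128.138.204.0/24", "128.138.242.0"]
CUNETS = ["128.138.0.0/255.255.0.0"]
SERVERS = ["master", "mail", "www", "ns"]

def looks_like_address(entry):
    """True for IP network entries, False for plain host names."""
    try:
        ipaddress.ip_address(entry.split("/", 1)[0])
        return True
    except ValueError:
        return False

def entry_network(entry, local_netmask):
    """Network for one Host_Alias entry. An explicit netmask (CIDR or
    dotted-quad) is honoured as written; an entry without one is matched
    using the local machine's own netmask, as described above."""
    if "/" not in entry:
        entry = f"{entry}/{local_netmask}"
    return ipaddress.ip_network(entry, strict=False)

def host_in_alias(entries, hostname, host_ip, local_netmask):
    """True if the local host (name plus primary address) matches any entry."""
    addr = ipaddress.ip_address(host_ip)
    for entry in entries:
        if looks_like_address(entry):
            if addr in entry_network(entry, local_netmask):
                return True
        elif entry.lower() == hostname.lower():
            return True
    return False
```

Note how 128.138.9.9 falls outside CSNETS on a machine whose netmask is 255.255.255.0 but inside it on one whose netmask is 255.255.0.0: entries without an explicit mask inherit the local machine's netmask, so the same rule can grant different hosts depending on the interface configuration.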
! 2384: .Bd -literal
! 2385: operator ALL = DUMPS, KILL, SHUTDOWN, HALT, REBOOT, PRINTING,\e
! 2386:     sudoedit /etc/printcap, /usr/oper/bin/
! 2387: .Ed
! 2388: .Pp
! 2389: The
! 2390: .Sy operator
! 2391: user may run commands limited to simple maintenance.
! 2392: Here, those are commands related to backups, killing processes, the
! 2393: printing system, shutting down the system, and any commands in the
! 2394: directory
! 2395: .Pa /usr/oper/bin/ .
! 2396: .Bd -literal
! 2397: joe ALL = /usr/bin/su operator
! 2398: .Ed
! 2399: .Pp
! 2400: The user
! 2401: .Sy joe
! 2402: may only
! 2403: .Xr su 1
! 2404: to operator.
! 2405: .Bd -literal
! 2406: pete HPPA = /usr/bin/passwd [A-Za-z]*, !/usr/bin/passwd root
! 2407:
! 2408: %opers ALL = (: ADMINGRP) /usr/sbin/
! 2409: .Ed
! 2410: .Pp
! 2411: Users in the
! 2412: .Sy opers
! 2413: group may run commands in
! 2414: .Pa /usr/sbin/
! 2415: as themselves
! 2416: with any group in the
! 2417: .Em ADMINGRP
! 2418: .Li Runas_Alias
! 2419: (the
! 2420: .Sy adm
! 2421: and
! 2422: .Sy oper
! 2423: groups).
! 2424: .Pp
! 2425: The user
! 2426: .Sy pete
! 2427: is allowed to change anyone's password except for
! 2428: root on the
! 2429: .Em HPPA
! 2430: machines.
! 2431: Note that this assumes
! 2432: .Xr passwd 1
! 2433: does not take multiple user names on the command line.
! 2434: .Bd -literal
! 2435: bob SPARC = (OP) ALL : SGI = (OP) ALL
! 2436: .Ed
! 2437: .Pp
! 2438: The user
! 2439: .Sy bob
! 2440: may run anything on the
! 2441: .Em SPARC
! 2442: and
! 2443: .Em SGI
! 2444: machines as any user listed in the
! 2445: .Em OP
! 2446: .Li Runas_Alias
! 2447: .Po
! 2448: .Sy root
! 2449: and
! 2450: .Sy operator .
! 2451: .Pc
! 2452: .Bd -literal
! 2453: jim +biglab = ALL
! 2454: .Ed
! 2455: .Pp
! 2456: The user
! 2457: .Sy jim
! 2458: may run any command on machines in the
! 2459: .Em biglab
! 2460: netgroup.
! 2461: .Nm sudo
! 2462: knows that
! 2463: .Dq biglab
! 2464: is a netgroup due to the
! 2465: .Ql +
! 2466: prefix.
! 2467: .Bd -literal
! 2468: +secretaries ALL = PRINTING, /usr/bin/adduser, /usr/bin/rmuser
! 2469: .Ed
! 2470: .Pp
! 2471: Users in the
! 2472: .Sy secretaries
! 2473: netgroup need to help manage the printers as well as add and remove users,
! 2474: so they are allowed to run those commands on all machines.
! 2475: .Bd -literal
! 2476: fred ALL = (DB) NOPASSWD: ALL
! 2477: .Ed
! 2478: .Pp
! 2479: The user
! 2480: .Sy fred
! 2481: can run commands as any user in the
! 2482: .Em DB
! 2483: .Li Runas_Alias
! 2484: .Po
! 2485: .Sy oracle
! 2486: or
! 2487: .Sy sybase
! 2488: .Pc
! 2489: without giving a password.
! 2490: .Bd -literal
! 2491: john ALPHA = /usr/bin/su [!-]*, !/usr/bin/su *root*
! 2492: .Ed
! 2493: .Pp
! 2494: On the
! 2495: .Em ALPHA
! 2496: machines, user
! 2497: .Sy john
! 2498: may su to anyone except root but he is not allowed to specify any options
! 2499: to the
! 2500: .Xr su 1
! 2501: command.
! 2502: .Bd -literal
! 2503: jen ALL, !SERVERS = ALL
! 2504: .Ed
! 2505: .Pp
! 2506: The user
! 2507: .Sy jen
! 2508: may run any command on any machine except for those in the
! 2509: .Em SERVERS
! 2510: .Li Host_Alias
! 2511: (master, mail, www and ns).
! 2512: .Bd -literal
! 2513: jill SERVERS = /usr/bin/, !SU, !SHELLS
! 2514: .Ed
! 2515: .Pp
! 2516: For any machine in the
! 2517: .Em SERVERS
! 2518: .Li Host_Alias ,
! 2519: .Sy jill
! 2520: may run
! 2521: any commands in the directory
! 2522: .Pa /usr/bin/
! 2523: except for those commands
! 2524: belonging to the
! 2525: .Em SU
! 2526: and
! 2527: .Em SHELLS
! 2528: .Li Cmnd_Aliases .
! 2529: .Bd -literal
! 2530: steve CSNETS = (operator) /usr/local/op_commands/
! 2531: .Ed
! 2532: .Pp
! 2533: The user
! 2534: .Sy steve
! 2535: may run any command in the directory /usr/local/op_commands/
! 2536: but only as user operator.
! 2537: .Bd -literal
! 2538: matt valkyrie = KILL
! 2539: .Ed
! 2540: .Pp
! 2541: On his personal workstation, valkyrie,
! 2542: .Sy matt
! 2543: needs to be able to kill hung processes.
! 2544: .Bd -literal
! 2545: WEBMASTERS www = (www) ALL, (root) /usr/bin/su www
! 2546: .Ed
! 2547: .Pp
! 2548: On the host www, any user in the
! 2549: .Em WEBMASTERS
! 2550: .Li User_Alias
! 2551: (will, wendy, and wim) may run any command as user www (which owns the
! 2552: web pages) or simply
! 2553: .Xr su 1
! 2554: to www.
! 2555: .Bd -literal
! 2556: ALL CDROM = NOPASSWD: /sbin/umount /CDROM,\e
! 2557:     /sbin/mount -o nosuid\e,nodev /dev/cd0a /CDROM
! 2558: .Ed
! 2559: .Pp
! 2560: Any user may mount or unmount a CD-ROM on the machines in the CDROM
! 2561: .Li Host_Alias
! 2562: (orion, perseus, hercules) without entering a password.
! 2563: This is a bit tedious for users to type, so it is a prime candidate
! 2564: for encapsulating in a shell script.
! 2565: .Sh SECURITY NOTES
! 2566: .Ss Limitations of the So !\& Sc operator
! 2567: It is generally not effective to
! 2568: .Dq subtract
! 2569: commands from
! 2570: .Sy ALL
! 2571: using the
! 2572: .Ql !\&
! 2573: operator.
! 2574: A user can trivially circumvent this by copying the desired command
! 2575: to a different name and then executing that.
! 2576: For example:
! 2577: .Bd -literal
! 2578: bill ALL = ALL, !SU, !SHELLS
! 2579: .Ed
! 2580: .Pp
! 2581: This entry doesn't really prevent
! 2582: .Sy bill
! 2583: from running the commands listed in
! 2584: .Em SU
! 2585: or
! 2586: .Em SHELLS
! 2587: since he can simply copy those commands to a different name, or use
! 2588: a shell escape from an editor or other program.
! 2589: Therefore, these kinds of restrictions should be considered
! 2590: advisory at best (and reinforced by policy).
! 2591: .Pp
! 2592: In general, if a user has sudo
! 2593: .Sy ALL
! 2594: there is nothing to prevent them from creating their own program that gives
! 2595: them a root shell (or making their own copy of a shell) regardless of any
! 2596: .Ql !\&
! 2597: elements in the user specification.
! 2598: .Ss Security implications of Em fast_glob
! 2599: If the
! 2600: .Em fast_glob
! 2601: option is in use, it is not possible to reliably negate commands where the
! 2602: path name includes globbing (aka wildcard) characters.
! 2603: This is because the C library's
! 2604: .Xr fnmatch 3
! 2605: function cannot resolve relative paths.
! 2606: While this is typically only an inconvenience for rules that grant privileges,
! 2607: it can result in a security issue for rules that subtract or revoke privileges.
! 2608: .Pp
! 2609: For example, given the following
! 2610: .Em sudoers
! 2611: entry:
! 2612: .Bd -literal
! 2613: john ALL = /usr/bin/passwd [a-zA-Z0-9]*, /usr/bin/chsh [a-zA-Z0-9]*,\e
! 2614:     /usr/bin/chfn [a-zA-Z0-9]*, !/usr/bin/* root
! 2615: .Ed
! 2616: .Pp
! 2617: User
! 2618: .Sy john
! 2619: can still run
! 2620: .Li /usr/bin/passwd root
! 2621: if
! 2622: .Em fast_glob
! 2623: is enabled by changing to
! 2624: .Pa /usr/bin
! 2625: and running
! 2626: .Li ./passwd root
! 2627: instead.
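Added example, not part of this manual page or of sudo, serving both the note on the ! operator and the fast_glob note above: a small audit script that flags the negated commands these notes describe as unreliable, run over a constructed sudoers fragment assembled from the entries above.

```python
import re

GLOB_CHARS = set("*?[")

def join_continuations(text):
    """Join lines ending in a backslash, the sudoers continuation syntax."""
    return text.replace("\\\n", " ").splitlines()

def split_commands(spec):
    """Split a command list on commas, honouring the backslash escape that
    sudoers uses to keep a comma inside an argument (e.g. -o nosuid\\,nodev)."""
    parts, cur, i = [], "", 0
    while i < len(spec):
        if spec[i] == "\\" and i + 1 < len(spec):
            cur += spec[i + 1]
            i += 2
        elif spec[i] == ",":
            parts.append(cur.strip())
            cur = ""
            i += 1
        else:
            cur += spec[i]
            i += 1
    parts.append(cur.strip())
    return [p for p in parts if p]

def audit_negations(text):
    """Return (user, command, reason) for every '!' command the SECURITY
    NOTES describe as unreliable: negations subtracted from ALL, and, when
    fast_glob is set, negations whose path contains wildcard characters.
    Comments are stripped at '#', so '#uid' user forms are not handled."""
    lines = [l.split("#", 1)[0].strip() for l in join_continuations(text)]
    fast_glob = any(re.fullmatch(r"Defaults\s+fast_glob", l) for l in lines)
    findings = []
    for line in lines:
        if not line or "=" not in line or re.match(r"(Defaults|\w+_Alias)\b", line):
            continue                          # only user specifications
        lhs, rhs = line.split("=", 1)
        user = lhs.split()[0]
        rhs = re.sub(r"\([^)]*\)", "", rhs)   # drop (runas) lists
        rhs = re.sub(r"\b[A-Z]+:", "", rhs)   # drop NOPASSWD:, NOEXEC:, ... tags
        cmds = split_commands(rhs)
        has_all = any(c.upper() == "ALL" for c in cmds)
        for cmd in cmds:
            if not cmd.startswith("!"):
                continue
            if has_all:
                findings.append((user, cmd, "negation subtracted from ALL is advisory only"))
            if fast_glob and GLOB_CHARS & set(cmd.split()[0]):
                findings.append((user, cmd, "wildcard negation is unreliable with fast_glob"))
    return findings

# Constructed sample built from entries shown in this manual page.
SAMPLE_SUDOERS = """\
Defaults fast_glob
bill ALL = ALL, !SU, !SHELLS
john ALL = /usr/bin/passwd [a-zA-Z0-9]*, /usr/bin/chsh [a-zA-Z0-9]*,\\
    /usr/bin/chfn [a-zA-Z0-9]*, !/usr/bin/* root
jill SERVERS = /usr/bin/, !SU, !SHELLS
pete HPPA = /usr/bin/passwd [A-Za-z]*, !/usr/bin/passwd root
"""
```

Running audit_negations(SAMPLE_SUDOERS) flags bill's two negations (subtracted from ALL) and john's wildcard negation (fast_glob), while jill's and pete's entries pass because they neither start from ALL nor negate a wildcard path.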
! 2628: .Ss Preventing Shell Escapes
! 2629: Once
! 2630: .Nm sudo
! 2631: executes a program, that program is free to do whatever
! 2632: it pleases, including run other programs.
! 2633: This can be a security issue since it is not uncommon for a program to
! 2634: allow shell escapes, which lets a user bypass
! 2635: .Nm sudo Ns No 's
! 2636: access control and logging.
! 2637: Common programs that permit shell escapes include shells (obviously),
! 2638: editors, paginators, mail and terminal programs.
! 2639: .Pp
! 2640: There are two basic approaches to this problem:
! 2641: .Bl -tag -width 8n
! 2642: .It restrict
! 2643: Avoid giving users access to commands that allow the user to run
! 2644: arbitrary commands.
! 2645: Many editors have a restricted mode where shell
! 2646: escapes are disabled, though
! 2647: .Nm sudoedit
! 2648: is a better solution to
! 2649: running editors via
! 2650: .Nm sudo .
! 2651: Due to the large number of programs that
! 2652: offer shell escapes, restricting users to the set of programs that
! 2653: do not is often unworkable.
! 2654: .It noexec
! 2655: Many systems that support shared libraries have the ability to
! 2656: override default library functions by pointing an environment
! 2657: variable (usually
! 2658: .Ev LD_PRELOAD )
! 2659: to an alternate shared library.
! 2660: On such systems,
! 2661: .Nm sudo Ns No 's
! 2662: .Em noexec
! 2663: functionality can be used to prevent a program run by
! 2664: .Nm sudo
! 2665: from executing any other programs.
! 2666: Note, however, that this applies only to native dynamically-linked
! 2667: executables.
! 2668: Statically-linked executables and foreign executables
! 2669: running under binary emulation are not affected.
! 2670: .Pp
! 2671: The
! 2672: .Em noexec
! 2673: feature is known to work on SunOS, Solaris, *BSD,
! 2674: Linux, IRIX, Tru64 UNIX, MacOS X, HP-UX 11.x and AIX 5.3 and above.
! 2675: It should be supported on most operating systems that support the
! 2676: .Ev LD_PRELOAD
! 2677: environment variable.
! 2678: Check your operating system's manual pages for the dynamic linker
! 2679: (usually ld.so, ld.so.1, dyld, dld.sl, rld, or loader) to see if
! 2680: .Ev LD_PRELOAD
! 2681: is supported.
! 2682: .Pp
! 2683: To enable
! 2684: .Em noexec
! 2685: for a command, use the
! 2686: .Li NOEXEC
! 2687: tag as documented
! 2688: in the User Specification section above.
! 2689: Here is that example again:
! 2690: .Bd -literal
! 2691: aaron shanty = NOEXEC: /usr/bin/more, /usr/bin/vi
! 2692: .Ed
! 2693: .Pp
! 2694: This allows user
! 2695: .Sy aaron
! 2696: to run
! 2697: .Pa /usr/bin/more
! 2698: and
! 2699: .Pa /usr/bin/vi
! 2700: with
! 2701: .Em noexec
! 2702: enabled.
! 2703: This will prevent those two commands from
! 2704: executing other commands (such as a shell).
! 2705: If you are unsure whether or not your system is capable of supporting
! 2706: .Em noexec
! 2707: you can always just try it out and check whether shell escapes work when
! 2708: .Em noexec
! 2709: is enabled.
! 2710: .El
! 2711: .Pp
! 2712: Note that restricting shell escapes is not a panacea.
! 2713: Programs running as root are still capable of many potentially hazardous
! 2714: operations (such as changing or overwriting files) that could lead
! 2715: to unintended privilege escalation.
! 2716: In the specific case of an editor, a safer approach is to give the
! 2717: user permission to run
! 2718: .Nm sudoedit .
! 2719: .Sh SEE ALSO
! 2720: .Xr ssh 1 ,
! 2721: .Xr su 1 ,
! 2722: .Xr fnmatch 3 ,
! 2723: .Xr glob 3 ,
! 2724: .Xr mktemp 3 ,
! 2725: .Xr strftime 3 ,
! 2726: .Xr sudoers.ldap @mansectform@ ,
! 2727: .Xr sudo @mansectsu@ ,
! 2728: .Xr visudo @mansectsu@
! 2729: .Sh CAVEATS
! 2730: The
! 2731: .Em sudoers
! 2732: file should
! 2733: .Sy always
! 2734: be edited by the
! 2735: .Nm visudo
! 2736: command which locks the file and does grammatical checking.
! 2737: It is
! 2738: imperative that
! 2739: .Em sudoers
! 2740: be free of syntax errors since
! 2741: .Nm sudo
! 2742: will not run with a syntactically incorrect
! 2743: .Em sudoers
! 2744: file.
! 2745: .Pp
! 2746: When using netgroups of machines (as opposed to users), if you
! 2747: store fully qualified host names in the netgroup (as is usually the
! 2748: case), you either need to have the machine's host name be fully qualified
! 2749: as returned by the
! 2750: .Li hostname
! 2751: command or use the
! 2752: .Em fqdn
! 2753: option in
! 2754: .Em sudoers .
! 2755: .Sh BUGS
! 2756: If you feel you have found a bug in
! 2757: .Nm sudo ,
! 2758: please submit a bug report at http://www.sudo.ws/sudo/bugs/
! 2759: .Sh SUPPORT
! 2760: Limited free support is available via the sudo-users mailing list,
! 2761: see http://www.sudo.ws/mailman/listinfo/sudo-users to subscribe or
! 2762: search the archives.
! 2763: .Sh DISCLAIMER
! 2764: .Nm sudo
! 2765: is provided
! 2766: .Dq AS IS
! 2767: and any express or implied warranties, including, but not limited
! 2768: to, the implied warranties of merchantability and fitness for a
! 2769: particular purpose are disclaimed.
! 2770: See the LICENSE file distributed with
! 2771: .Nm sudo
! 2772: or http://www.sudo.ws/sudo/license.html for complete details.