Annotation of src/usr.bin/sudo/sudoers.mdoc.in, Revision 1.4
1.1 millert 1: .\"
2: .\" Copyright (c) 1994-1996, 1998-2005, 2007-2012
3: .\" Todd C. Miller <Todd.Miller@courtesan.com>
4: .\"
5: .\" Permission to use, copy, modify, and distribute this software for any
6: .\" purpose with or without fee is hereby granted, provided that the above
7: .\" copyright notice and this permission notice appear in all copies.
8: .\"
9: .\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
10: .\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
11: .\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
12: .\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
13: .\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
14: .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
15: .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
16: .\" ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
17: .\"
18: .\" Sponsored in part by the Defense Advanced Research Projects
19: .\" Agency (DARPA) and Air Force Research Laboratory, Air Force
20: .\" Materiel Command, USAF, under agreement number F39502-99-1-0512.
21: .\"
1.3 ajacouto 22: .Dd $Mdocdate: September 23 2013 $
1.1 millert 23: .Dt SUDOERS @mansectform@
24: .Os
25: .Sh NAME
26: .Nm sudoers
27: .Nd list of which users may execute what
28: .Sh DESCRIPTION
29: The
30: .Em sudoers
31: file is composed of two types of entries: aliases
32: (basically variables) and user specifications (which specify who
33: may run what).
34: .Pp
35: When multiple entries match for a user, they are applied in order.
36: Where there are multiple matches, the last match is used (which is
37: not necessarily the most specific match).
38: .Pp
39: The
40: .Em sudoers
41: grammar will be described below in Extended Backus-Naur
42: Form (EBNF).
43: Don't despair if you are unfamiliar with EBNF; it is fairly simple,
44: and the definitions below are annotated.
45: .Ss Quick guide to EBNF
46: EBNF is a concise and exact way of describing the grammar of a language.
47: Each EBNF definition is made up of
48: .Em production rules .
49: E.g.,
50: .Pp
51: .Li symbol ::= definition | alternate1 | alternate2 ...
52: .Pp
53: Each
54: .Em production rule
55: references others and thus makes up a
56: grammar for the language.
57: EBNF also contains the following
58: operators, which many readers will recognize from regular
59: expressions.
60: Do not, however, confuse them with
61: .Dq wildcard
62: characters, which have different meanings.
63: .Bl -tag -width 4n
64: .It Li \&?
65: Means that the preceding symbol (or group of symbols) is optional.
66: That is, it may appear once or not at all.
67: .It Li *
68: Means that the preceding symbol (or group of symbols) may appear
69: zero or more times.
70: .It Li +
71: Means that the preceding symbol (or group of symbols) may appear
72: one or more times.
73: .El
74: .Pp
75: Parentheses may be used to group symbols together.
76: For clarity,
77: we will use single quotes
78: .Pq ''
79: to designate what is a verbatim character string (as opposed to a symbol name).
80: .Ss Aliases
81: There are four kinds of aliases:
82: .Li User_Alias ,
83: .Li Runas_Alias ,
84: .Li Host_Alias
85: and
86: .Li Cmnd_Alias .
87: .Bd -literal
88: Alias ::= 'User_Alias' User_Alias (':' User_Alias)* |
89: 'Runas_Alias' Runas_Alias (':' Runas_Alias)* |
90: 'Host_Alias' Host_Alias (':' Host_Alias)* |
91: 'Cmnd_Alias' Cmnd_Alias (':' Cmnd_Alias)*
92:
93: User_Alias ::= NAME '=' User_List
94:
95: Runas_Alias ::= NAME '=' Runas_List
96:
97: Host_Alias ::= NAME '=' Host_List
98:
99: Cmnd_Alias ::= NAME '=' Cmnd_List
100:
101: NAME ::= [A-Z]([A-Z][0-9]_)*
102: .Ed
103: .Pp
104: Each
105: .Em alias
106: definition is of the form
107: .Bd -literal
108: Alias_Type NAME = item1, item2, ...
109: .Ed
110: .Pp
111: where
112: .Em Alias_Type
113: is one of
114: .Li User_Alias ,
115: .Li Runas_Alias ,
116: .Li Host_Alias ,
117: or
118: .Li Cmnd_Alias .
119: A
120: .Li NAME
121: is a string of uppercase letters, numbers,
122: and underscore characters
123: .Pq Ql _ .
124: A
125: .Li NAME
126: .Sy must
127: start with an
128: uppercase letter.
129: It is possible to put several alias definitions
130: of the same type on a single line, joined by a colon
131: .Pq Ql :\& .
132: E.g.,
133: .Bd -literal
134: Alias_Type NAME = item1, item2, item3 : NAME = item4, item5
135: .Ed
136: .Pp
137: The definitions of what constitutes a valid
138: .Em alias
139: member follow.
140: .Bd -literal
141: User_List ::= User |
142: User ',' User_List
143:
144: User ::= '!'* user name |
145: '!'* #uid |
146: '!'* %group |
147: '!'* %#gid |
148: '!'* +netgroup |
149: '!'* %:nonunix_group |
150: '!'* %:#nonunix_gid |
151: '!'* User_Alias
152: .Ed
153: .Pp
154: A
155: .Li User_List
156: is made up of one or more user names, user ids
157: (prefixed with
158: .Ql # ) ,
159: system group names and ids (prefixed with
160: .Ql %
161: and
162: .Ql %#
163: respectively), netgroups (prefixed with
164: .Ql + ) ,
165: non-Unix group names and IDs (prefixed with
166: .Ql %:
167: and
168: .Ql %:#
169: respectively) and
170: .Li User_Alias Ns No es.
171: Each list item may be prefixed with zero or more
172: .Ql \&!
173: operators.
174: An odd number of
175: .Ql \&!
176: operators negate the value of
177: the item; an even number just cancel each other out.
178: .Pp
179: A
180: .Li user name ,
181: .Li uid ,
182: .Li group ,
183: .Li gid ,
184: .Li netgroup ,
185: .Li nonunix_group
186: or
187: .Li nonunix_gid
188: may be enclosed in double quotes to avoid the
189: need for escaping special characters.
190: Alternately, special characters
191: may be specified in escaped hex mode, e.g.\& \ex20 for space.
192: When
193: using double quotes, any prefix characters must be included inside
194: the quotes.
195: .Pp
196: The actual
197: .Li nonunix_group
198: and
199: .Li nonunix_gid
200: syntax depends on
201: the underlying implementation.
202: For instance, the QAS AD backend supports the following formats:
203: .Bl -bullet -width 4n
204: .It
205: Group in the same domain: "%:Group Name"
206: .It
207: Group in any domain: "%:Group Name@FULLY.QUALIFIED.DOMAIN"
208: .It
209: Group SID: "%:S-1-2-34-5678901234-5678901234-5678901234-567"
210: .El
211: .Pp
212: Note that quotes around group names are optional.
213: Unquoted strings must use a backslash
214: .Pq Ql \e
215: to escape spaces and special characters.
216: See
217: .Sx Other special characters and reserved words
218: for a list of
219: characters that need to be escaped.
220: .Bd -literal
221: Runas_List ::= Runas_Member |
222: Runas_Member ',' Runas_List
223:
224: Runas_Member ::= '!'* user name |
225: '!'* #uid |
226: '!'* %group |
227: '!'* %#gid |
228: '!'* %:nonunix_group |
229: '!'* %:#nonunix_gid |
230: '!'* +netgroup |
231: '!'* Runas_Alias
232: .Ed
233: .Pp
234: A
235: .Li Runas_List
236: is similar to a
237: .Li User_List
238: except that instead
239: of
240: .Li User_Alias Ns No es
241: it can contain
242: .Li Runas_Alias Ns No es .
243: Note that
244: user names and groups are matched as strings.
245: In other words, two
246: users (groups) with the same uid (gid) are considered to be distinct.
247: If you wish to match all user names with the same uid (e.g.\&
248: root and toor), you can use a uid instead (#0 in the example given).
249: .Bd -literal
250: Host_List ::= Host |
251: Host ',' Host_List
252:
253: Host ::= '!'* host name |
254: '!'* ip_addr |
255: '!'* network(/netmask)? |
256: '!'* +netgroup |
257: '!'* Host_Alias
258: .Ed
259: .Pp
260: A
261: .Li Host_List
262: is made up of one or more host names, IP addresses,
263: network numbers, netgroups (prefixed with
264: .Ql + )
265: and other aliases.
266: Again, the value of an item may be negated with the
267: .Ql \&!
268: operator.
269: If you do not specify a netmask along with the network number,
270: .Nm sudo
271: will query each of the local host's network interfaces and,
272: if the network number corresponds to one of the host's network
273: interfaces, the corresponding netmask will be used.
274: The netmask
275: may be specified either in standard IP address notation
276: (e.g.\& 255.255.255.0 or ffff:ffff:ffff:ffff::),
277: or CIDR notation (number of bits, e.g.\& 24 or 64).
278: A host name may include shell-style wildcards (see the
279: .Sx Wildcards
280: section below),
281: but unless the
282: .Li hostname
283: command on your machine returns the fully
284: qualified host name, you'll need to use the
285: .Em fqdn
286: option for wildcards to be useful.
287: Note that
288: .Nm sudo
289: only inspects actual network interfaces; this means that IP address
290: 127.0.0.1 (localhost) will never match.
291: Also, the host name
292: .Dq localhost
293: will only match if that is the actual host name, which is usually
294: only the case for non-networked systems.
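The netmask rules above, worked through as an added example that is not part of the sudo sources: a Host item may be a bare address, a network number, or network/netmask in dotted, colon or CIDR form, and a bare network number borrows the netmask of the matching local interface. The interface table is constructed, and host names, netgroups and aliases are left out.

```python
import ipaddress

# Constructed stand-in for the local interface table that sudo queries
# (assumption: made up for this example, no loopback on purpose).
LOCAL_INTERFACES = [
    ipaddress.ip_interface("10.1.2.3/255.255.255.0"),
    ipaddress.ip_interface("2001:db8:1:2::10/64"),
]


def netmask_to_prefixlen(mask):
    """Turn '255.255.255.0', 'ffff:ffff:ffff:ffff::' or a bit count such
    as '24' into a prefix length, rejecting non-contiguous masks."""
    if mask.isdigit():
        return int(mask)
    addr = ipaddress.ip_address(mask)
    bits = int(addr)
    ones = bin(bits).count("1")
    # A valid netmask is `ones` one-bits followed by zero-bits only.
    if bits != ((1 << ones) - 1) << (addr.max_prefixlen - ones):
        raise ValueError("non-contiguous netmask: %s" % mask)
    return ones


def parse_host_item(item, interfaces=LOCAL_INTERFACES):
    """Convert an ip_addr or network(/netmask)? item into an ip_network."""
    if "/" in item:
        net, mask = item.split("/", 1)
        return ipaddress.ip_network(
            "%s/%d" % (net, netmask_to_prefixlen(mask)), strict=False)
    addr = ipaddress.ip_address(item)
    # No netmask given: if the item is the network number of one of the
    # local interfaces, that interface's netmask is used ...
    for iface in interfaces:
        if addr == iface.network.network_address:
            return iface.network
    # ... otherwise the item is a single host address.
    return ipaddress.ip_network(str(addr))


def host_item_matches(item, interfaces=LOCAL_INTERFACES):
    """Does this machine (its real interfaces only, so 127.0.0.1 never
    matches) match the item? Leading '!' operators negate the result."""
    negate = False
    while item.startswith("!"):
        negate = not negate
        item = item[1:]
    net = parse_host_item(item, interfaces)
    matched = any(iface.ip in net for iface in interfaces)
    return matched != negate


if __name__ == "__main__":
    for item in ("10.1.2.0", "10.1.0.0/255.255.0.0", "!10.2.0.0/16",
                 "127.0.0.1", "2001:db8:1:2::/ffff:ffff:ffff:ffff::"):
        print("%-40s %s" % (item, host_item_matches(item)))
```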
295: .Bd -literal
296: Cmnd_List ::= Cmnd |
297: Cmnd ',' Cmnd_List
298:
299: command name ::= file name |
300: file name args |
301: file name '""'
302:
303: Cmnd ::= '!'* command name |
304: '!'* directory |
305: '!'* "sudoedit" |
306: '!'* Cmnd_Alias
307: .Ed
308: .Pp
309: A
310: .Li Cmnd_List
311: is a list of one or more command names, directories, and other aliases.
312: A command name is a fully qualified file name which may include
313: shell-style wildcards (see the
314: .Sx Wildcards
315: section below).
316: A simple file name allows the user to run the command with any
317: arguments he/she wishes.
318: However, you may also specify command line arguments (including
319: wildcards).
320: Alternately, you can specify
321: .Li \&""
322: to indicate that the command
323: may only be run
324: .Sy without
325: command line arguments.
326: A directory is a
327: fully qualified path name ending in a
328: .Ql / .
329: When you specify a directory in a
330: .Li Cmnd_List ,
331: the user will be able to run any file within that directory
332: (but not in any sub-directories therein).
333: .Pp
334: If a
335: .Li Cmnd
336: has associated command line arguments, then the arguments
337: in the
338: .Li Cmnd
339: must match exactly those given by the user on the command line
340: (or match the wildcards if there are any).
341: Note that the following characters must be escaped with a
342: .Ql \e
343: if they are used in command arguments:
344: .Ql ,\& ,
345: .Ql :\& ,
346: .Ql =\& ,
347: .Ql \e .
348: The special command
349: .Dq Li sudoedit
350: is used to permit a user to run
351: .Nm sudo
352: with the
353: .Fl e
354: option (or as
355: .Nm sudoedit ) .
356: It may take command line arguments just as a normal command does.
357: .Ss Defaults
358: Certain configuration options may be changed from their default
359: values at run-time via one or more
360: .Li Default_Entry
361: lines.
362: These may affect all users on any host, all users on a specific host, a
363: specific user, a specific command, or commands being run as a specific user.
364: Note that per-command entries may not include command line arguments.
365: If you need to specify arguments, define a
366: .Li Cmnd_Alias
367: and reference
368: that instead.
369: .Bd -literal
370: Default_Type ::= 'Defaults' |
371: 'Defaults' '@' Host_List |
372: 'Defaults' ':' User_List |
373: 'Defaults' '!' Cmnd_List |
374: 'Defaults' '>' Runas_List
375:
376: Default_Entry ::= Default_Type Parameter_List
377:
378: Parameter_List ::= Parameter |
379: Parameter ',' Parameter_List
380:
381: Parameter ::= Parameter '=' Value |
382: Parameter '+=' Value |
383: Parameter '-=' Value |
384: '!'* Parameter
385: .Ed
386: .Pp
387: Parameters may be
388: .Sy flags ,
389: .Sy integer
390: values,
391: .Sy strings ,
392: or
393: .Sy lists .
394: Flags are implicitly boolean and can be turned off via the
395: .Ql \&!
396: operator.
397: Some integer, string and list parameters may also be
398: used in a boolean context to disable them.
399: Values may be enclosed
400: in double quotes
401: .Pq \&""
402: when they contain multiple words.
403: Special characters may be escaped with a backslash
404: .Pq Ql \e .
405: .Pp
406: Lists have two additional assignment operators,
407: .Li +=
408: and
409: .Li -= .
410: These operators are used to add to and delete from a list respectively.
411: It is not an error to use the
412: .Li -=
413: operator to remove an element
414: that does not exist in a list.
415: .Pp
416: Defaults entries are parsed in the following order: generic, host
417: and user Defaults first, then runas Defaults and finally command
418: defaults.
419: .Pp
420: See
421: .Sx SUDOERS OPTIONS
422: for a list of supported Defaults parameters.
423: .Ss User Specification
424: .Bd -literal
425: User_Spec ::= User_List Host_List '=' Cmnd_Spec_List \e
426: (':' Host_List '=' Cmnd_Spec_List)*
427:
428: Cmnd_Spec_List ::= Cmnd_Spec |
429: Cmnd_Spec ',' Cmnd_Spec_List
430:
431: Cmnd_Spec ::= Runas_Spec? Tag_Spec* Cmnd
432:
433: Runas_Spec ::= '(' Runas_List? (':' Runas_List)? ')'
434:
435: Tag_Spec ::= ('NOPASSWD:' | 'PASSWD:' | 'NOEXEC:' | 'EXEC:' |
436: 'SETENV:' | 'NOSETENV:')
437: .Ed
438: .Pp
439: A
440: .Sy user specification
441: determines which commands a user may run
442: (and as what user) on specified hosts.
443: By default, commands are
444: run as
445: .Sy root ,
446: but this can be changed on a per-command basis.
447: .Pp
448: The basic structure of a user specification is
449: .Dq who where = (as_whom) what .
450: Let's break that down into its constituent parts:
451: .Ss Runas_Spec
452: A
453: .Li Runas_Spec
454: determines the user and/or the group that a command
455: may be run as.
456: A fully-specified
457: .Li Runas_Spec
458: consists of two
459: .Li Runas_List Ns No s
460: (as defined above) separated by a colon
461: .Pq Ql :\&
462: and enclosed in a set of parentheses.
463: The first
464: .Li Runas_List
465: indicates
466: which users the command may be run as via
467: .Nm sudo Ns No 's
468: .Fl u
469: option.
470: The second defines a list of groups that can be specified via
471: .Nm sudo Ns No 's
472: .Fl g
473: option.
474: If both
475: .Li Runas_List Ns No s
476: are specified, the command may be run with any combination of users
477: and groups listed in their respective
478: .Li Runas_List Ns No s.
479: If only the first is specified, the command may be run as any user
480: in the list but no
481: .Fl g
482: option
483: may be specified.
484: If the first
485: .Li Runas_List
486: is empty but the
487: second is specified, the command may be run as the invoking user
488: with the group set to any listed in the
489: .Li Runas_List .
490: If no
491: .Li Runas_Spec
492: is specified the command may be run as
493: .Sy root
494: and
495: no group may be specified.
496: .Pp
497: A
498: .Li Runas_Spec
499: sets the default for the commands that follow it.
500: What this means is that for the entry:
501: .Bd -literal
502: dgb boulder = (operator) /bin/ls, /bin/kill, /usr/bin/lprm
503: .Ed
504: .Pp
505: The user
506: .Sy dgb
507: may run
508: .Pa /bin/ls ,
509: .Pa /bin/kill ,
510: and
511: .Pa /usr/bin/lprm Ns No \(em Ns but
512: only as
513: .Sy operator .
514: E.g.,
515: .Bd -literal
516: $ sudo -u operator /bin/ls
517: .Ed
518: .Pp
519: It is also possible to override a
520: .Li Runas_Spec
521: later on in an entry.
522: If we modify the entry like so:
523: .Bd -literal
524: dgb boulder = (operator) /bin/ls, (root) /bin/kill, /usr/bin/lprm
525: .Ed
526: .Pp
527: Then user
528: .Sy dgb
529: is now allowed to run
530: .Pa /bin/ls
531: as
532: .Sy operator ,
533: but
534: .Pa /bin/kill
535: and
536: .Pa /usr/bin/lprm
537: as
538: .Sy root .
539: .Pp
540: We can extend this to allow
541: .Sy dgb
542: to run
543: .Li /bin/ls
544: with either
545: the user or group set to
546: .Sy operator :
547: .Bd -literal
548: dgb boulder = (operator : operator) /bin/ls, (root) /bin/kill,\e
549: /usr/bin/lprm
550: .Ed
551: .Pp
552: Note that while the group portion of the
553: .Li Runas_Spec
554: permits the
555: user to run a command with that group, it does not force the user
556: to do so.
557: If no group is specified on the command line, the command
558: will run with the group listed in the target user's password database
559: entry.
560: The following would all be permitted by the sudoers entry above:
561: .Bd -literal
562: $ sudo -u operator /bin/ls
563: $ sudo -u operator -g operator /bin/ls
564: $ sudo -g operator /bin/ls
565: .Ed
566: .Pp
567: In the following example, user
568: .Sy tcm
569: may run commands that access
570: a modem device file with the dialer group.
571: .Bd -literal
572: tcm boulder = (:dialer) /usr/bin/tip, /usr/bin/cu,\e
573: /usr/local/bin/minicom
574: .Ed
575: .Pp
576: Note that in this example only the group will be set, the command
577: still runs as user
578: .Sy tcm .
579: E.g.\&
580: .Bd -literal
581: $ sudo -g dialer /usr/bin/cu
582: .Ed
583: .Pp
584: Multiple users and groups may be present in a
585: .Li Runas_Spec ,
586: in which case the user may select any combination of users and groups via the
587: .Fl u
588: and
589: .Fl g
590: options.
591: In this example:
592: .Bd -literal
593: alan ALL = (root, bin : operator, system) ALL
594: .Ed
595: .Pp
596: user
597: .Sy alan
598: may run any command as either user root or bin,
599: optionally setting the group to operator or system.
600: .Ss Tag_Spec
601: A command may have zero or more tags associated with it.
602: There are
603: six possible tag values:
604: .Li NOPASSWD ,
605: .Li PASSWD ,
606: .Li NOEXEC ,
607: .Li EXEC ,
608: .Li SETENV ,
609: and
610: .Li NOSETENV .
611: Once a tag is set on a
612: .Li Cmnd ,
613: subsequent
614: .Li Cmnd Ns No s
615: in the
616: .Li Cmnd_Spec_List ,
617: inherit the tag unless it is overridden by the opposite tag (in other words,
618: .Li PASSWD
619: overrides
620: .Li NOPASSWD
621: and
622: .Li NOEXEC
623: overrides
624: .Li EXEC ) .
625: .Pp
626: .Em NOPASSWD and PASSWD
627: .Pp
628: By default,
629: .Nm sudo
630: requires that a user authenticate him or herself
631: before running a command.
632: This behavior can be modified via the
633: .Li NOPASSWD
634: tag.
635: Like a
636: .Li Runas_Spec ,
637: the
638: .Li NOPASSWD
639: tag sets
640: a default for the commands that follow it in the
641: .Li Cmnd_Spec_List .
642: Conversely, the
643: .Li PASSWD
644: tag can be used to reverse things.
645: For example:
646: .Bd -literal
647: ray rushmore = NOPASSWD: /bin/kill, /bin/ls, /usr/bin/lprm
648: .Ed
649: .Pp
650: would allow the user
651: .Sy ray
652: to run
653: .Pa /bin/kill ,
654: .Pa /bin/ls ,
655: and
656: .Pa /usr/bin/lprm
657: as
658: .Sy root
659: on the machine rushmore without authenticating himself.
660: If we only want
661: .Sy ray
662: to be able to
663: run
664: .Pa /bin/kill
665: without a password the entry would be:
666: .Bd -literal
667: ray rushmore = NOPASSWD: /bin/kill, PASSWD: /bin/ls, /usr/bin/lprm
668: .Ed
669: .Pp
670: Note, however, that the
671: .Li PASSWD
672: tag has no effect on users who are in the group specified by the
673: .Em exempt_group
674: option.
675: .Pp
676: By default, if the
677: .Li NOPASSWD
678: tag is applied to any of the entries for a user on the current host,
679: he or she will be able to run
680: .Dq Li sudo -l
681: without a password.
682: Additionally, a user may only run
683: .Dq Li sudo -v
684: without a password if the
685: .Li NOPASSWD
686: tag is present for all a user's entries that pertain to the current host.
687: This behavior may be overridden via the
688: .Em verifypw
689: and
690: .Em listpw
691: options.
692: .Pp
693: .Em NOEXEC and EXEC
694: .Pp
695: If
696: .Nm sudo
697: has been compiled with
698: .Em noexec
699: support and the underlying operating system supports it, the
700: .Li NOEXEC
701: tag can be used to prevent a dynamically-linked executable from
702: running further commands itself.
703: .Pp
704: In the following example, user
705: .Sy aaron
706: may run
707: .Pa /usr/bin/more
708: and
709: .Pa /usr/bin/vi
710: but shell escapes will be disabled.
711: .Bd -literal
712: aaron shanty = NOEXEC: /usr/bin/more, /usr/bin/vi
713: .Ed
714: .Pp
715: See the
716: .Sx Preventing Shell Escapes
717: section below for more details on how
718: .Li NOEXEC
719: works and whether or not it will work on your system.
720: .Pp
721: .Em SETENV and NOSETENV
722: .Pp
723: These tags override the value of the
724: .Em setenv
725: option on a per-command basis.
726: Note that if
727: .Li SETENV
728: has been set for a command, the user may disable the
729: .Em env_reset
730: option from the command line via the
731: .Fl E
732: option.
733: Additionally, environment variables set on the command
734: line are not subject to the restrictions imposed by
735: .Em env_check ,
736: .Em env_delete ,
737: or
738: .Em env_keep .
739: As such, only trusted users should be allowed to set variables in this manner.
740: If the command matched is
741: .Sy ALL ,
742: the
743: .Li SETENV
744: tag is implied for that command; this default may be overridden by use of the
745: .Li NOSETENV
746: tag.
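The Runas_Spec and Tag_Spec inheritance rules from the two subsections above, implemented as an added example (not code from sudo itself): a Runas_Spec or tag sets the default for the commands that follow it in the Cmnd_Spec_List, a tag is cleared only by its opposite, the default run-as user is root with no group, an empty first Runas_List means the invoking user, and ALL implies SETENV unless NOSETENV is given. The parser handles only the forms shown on this page, not the full grammar.

```python
import re

TAGS = ("NOPASSWD", "PASSWD", "NOEXEC", "EXEC", "SETENV", "NOSETENV")
# A tag stays in effect until the opposite tag appears.
OPPOSITE = {"NOPASSWD": "PASSWD", "PASSWD": "NOPASSWD",
            "NOEXEC": "EXEC", "EXEC": "NOEXEC",
            "SETENV": "NOSETENV", "NOSETENV": "SETENV"}
RUNAS_RE = re.compile(r"\(([^)]*)\)\s*")
TAG_RE = re.compile(r"(%s):\s*" % "|".join(TAGS))


def split_cmnd_specs(text):
    """Split a Cmnd_Spec_List on top-level commas, leaving commas inside
    the parentheses of a Runas_Spec and backslash-escaped commas alone."""
    specs, buf, depth, i = [], "", 0, 0
    while i < len(text):
        c = text[i]
        if c == "\\" and i + 1 < len(text):   # escaped character
            buf += text[i:i + 2]
            i += 2
            continue
        if c == "(":
            depth += 1
        elif c == ")":
            depth -= 1
        if c == "," and depth == 0:
            specs.append(buf.strip())
            buf = ""
        else:
            buf += c
        i += 1
    specs.append(buf.strip())
    return specs


def parse_cmnd_spec_list(text):
    """Return [(command, runas_users, runas_groups, tags)] with the
    defaults-carry-forward rules applied to every command."""
    runas_users, runas_groups = ["root"], []   # no Runas_Spec: root, no -g
    tags = set()
    result = []
    for spec in split_cmnd_specs(text):
        m = RUNAS_RE.match(spec)
        if m:
            users, _, groups = m.group(1).partition(":")
            runas_users = [u.strip() for u in users.split(",") if u.strip()]
            runas_groups = [g.strip() for g in groups.split(",") if g.strip()]
            if not runas_users:            # "(:dialer)" form
                runas_users = ["<invoking user>"]
            spec = spec[m.end():]
        while True:
            m = TAG_RE.match(spec)
            if not m:
                break
            tag = m.group(1)
            tags.discard(OPPOSITE[tag])
            tags.add(tag)
            spec = spec[m.end():]
        cmd_tags = set(tags)
        if spec == "ALL" and "NOSETENV" not in cmd_tags:
            cmd_tags.add("SETENV")         # implied for ALL only
        result.append((spec, list(runas_users), list(runas_groups), cmd_tags))
    return result


if __name__ == "__main__":
    for entry in ("(operator : operator) /bin/ls, (root) /bin/kill, /usr/bin/lprm",
                  "NOPASSWD: /bin/kill, PASSWD: /bin/ls, /usr/bin/lprm",
                  "(root, bin : operator, system) ALL"):
        for cmd, users, groups, cmd_tags in parse_cmnd_spec_list(entry):
            print("%-16s as %s groups %s tags %s"
                  % (cmd, users, groups, sorted(cmd_tags)))
```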
747: .Ss Wildcards
748: .Nm sudo
749: allows shell-style
750: .Em wildcards
751: (aka meta or glob characters)
752: to be used in host names, path names and command line arguments in the
753: .Em sudoers
754: file.
755: Wildcard matching is done via the
756: .Sy POSIX
757: .Xr glob 3
758: and
759: .Xr fnmatch 3
760: routines.
761: Note that these are
762: .Em not
763: regular expressions.
764: .Bl -tag -width 8n
765: .It Li *
766: Matches any set of zero or more characters.
767: .It Li \&?
768: Matches any single character.
769: .It Li [...]
770: Matches any character in the specified range.
771: .It Li [!...]
772: Matches any character
773: .Sy not
774: in the specified range.
775: .It Li \ex
776: For any character
777: .Sq x ,
778: evaluates to
779: .Sq x .
780: This is used to escape special characters such as:
781: .Ql * ,
782: .Ql \&? ,
783: .Ql [\& ,
784: and
785: .Ql ]\& .
786: .El
787: .Pp
788: POSIX character classes may also be used if your system's
789: .Xr glob 3
790: and
791: .Xr fnmatch 3
792: functions support them.
793: However, because the
794: .Ql :\&
795: character has special meaning in
796: .Em sudoers ,
797: it must be
798: escaped.
799: For example:
800: .Bd -literal -offset 4n
1.4 ! millert 801: /bin/ls [[:\&alpha:\&]]*
1.1 millert 802: .Ed
803: .Pp
804: Would match any file name beginning with a letter.
805: .Pp
806: Note that a forward slash
807: .Pq Ql /
808: will
809: .Sy not
810: be matched by
811: wildcards used in the path name.
812: This is to make a path like:
813: .Bd -literal -offset 4n
814: /usr/bin/*
815: .Ed
816: .Pp
817: match
818: .Pa /usr/bin/who
819: but not
820: .Pa /usr/bin/X11/xterm .
821: .Pp
822: When matching the command line arguments, however, a slash
823: .Sy does
824: get matched by wildcards since command line arguments may contain
825: arbitrary strings and not just path names.
826: .Pp
827: Wildcards in command line arguments should be used with care.
828: Because command line arguments are matched as a single, concatenated
829: string, a wildcard such as
830: .Ql \&?
831: or
832: .Ql *
833: can match multiple words.
834: For example, while a sudoers entry like:
835: .Bd -literal -offset 4n
836: %operator ALL = /bin/cat /var/log/messages*
837: .Ed
838: .Pp
839: will allow a command like:
840: .Bd -literal -offset 4n
841: $ sudo cat /var/log/messages.1
842: .Ed
843: .Pp
844: It will also allow:
845: .Bd -literal -offset 4n
846: $ sudo cat /var/log/messages /etc/shadow
847: .Ed
848: .Pp
849: which is probably not what was intended.
850: .Ss Exceptions to wildcard rules
851: The following exceptions apply to the above rules:
852: .Bl -tag -width 8n
853: .It Li \&""
854: If the empty string
855: .Li \&""
856: is the only command line argument in the
857: .Em sudoers
858: entry it means that command is not allowed to be run with
859: .Sy any
860: arguments.
861: .It sudoedit
862: Command line arguments to the
863: .Em sudoedit
864: built-in command should always be path names, so a forward slash
865: .Pq Ql /
866: will not be matched by a wildcard.
867: .El
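The wildcard rules of this section and its exceptions, as an added example written for this page rather than taken from sudo: a small translator for the listed operators that refuses to let a wildcard cross a slash in path names (and in sudoedit arguments) but allows it in ordinary arguments, plus a matcher that joins the arguments into one string, which is exactly why /var/log/messages* also accepts a second word. The checker at the end flags argument wildcards for review. POSIX character classes are not handled.

```python
import re


def glob_to_regex(pattern, slash_ok):
    """Translate *, ?, [...], [!...] and \\x into a regular expression.
    With slash_ok=False no wildcard matches '/' (path names, sudoedit
    arguments); with slash_ok=True it does (command line arguments)."""
    any_char = "." if slash_ok else "[^/]"
    out, i = [], 0
    while i < len(pattern):
        c = pattern[i]
        if c == "*":
            out.append(any_char + "*")
        elif c == "?":
            out.append(any_char)
        elif c == "[":
            j = pattern.find("]", i + 2)       # ']' right after '[' is literal
            if j == -1:
                out.append(re.escape(c))       # unterminated: plain '['
            else:
                body = pattern[i + 1:j].replace("\\", "\\\\").replace("[", "\\[")
                if body.startswith("!"):       # negated range
                    body = "^" + ("" if slash_ok else "/") + body[1:]
                out.append("[" + body + "]")
                i = j
        elif c == "\\" and i + 1 < len(pattern):
            out.append(re.escape(pattern[i + 1]))   # \x is the literal x
            i += 1
        else:
            out.append(re.escape(c))
        i += 1
    return "".join(out)


def args_match(spec_args, user_args, slash_ok=True):
    """spec_args is None (rule has no arguments: anything goes), '""'
    (no arguments allowed) or a pattern matched against the user's
    arguments joined by single spaces."""
    if spec_args is None:
        return True
    if spec_args == '""':
        return len(user_args) == 0
    regex = glob_to_regex(spec_args, slash_ok)
    return re.fullmatch(regex, " ".join(user_args)) is not None


def cmnd_matches(spec, command, user_args):
    """spec is 'file name', 'file name args' or 'file name ""' from a
    Cmnd_List; command and user_args are what the user ran."""
    path, _, args = spec.partition(" ")
    args = args.strip() or None
    if re.fullmatch(glob_to_regex(path, slash_ok=False), command) is None:
        return False
    return args_match(args, user_args, slash_ok=(path != "sudoedit"))


def arg_wildcard_warning(spec):
    """Point out an unescaped * or ? in the argument part of a rule, since
    it can match several words at once."""
    _, _, args = spec.partition(" ")
    if re.search(r"[*?]", re.sub(r"\\.", "", args)):
        return "argument wildcard in %r can match across words" % spec
    return None


if __name__ == "__main__":
    rule = "/bin/cat /var/log/messages*"
    print(cmnd_matches(rule, "/bin/cat", ["/var/log/messages.1"]))
    print(cmnd_matches(rule, "/bin/cat", ["/var/log/messages", "/etc/shadow"]))
    print(arg_wildcard_warning(rule))
```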
868: .Ss Including other files from within sudoers
869: It is possible to include other
870: .Em sudoers
871: files from within the
872: .Em sudoers
873: file currently being parsed using the
874: .Li #include
875: and
876: .Li #includedir
877: directives.
878: .Pp
879: This can be used, for example, to keep a site-wide
880: .Em sudoers
881: file in addition to a local, per-machine file.
882: For the sake of this example the site-wide
883: .Em sudoers
884: will be
885: .Pa /etc/sudoers
886: and the per-machine one will be
887: .Pa /etc/sudoers.local .
888: To include
889: .Pa /etc/sudoers.local
890: from within
891: .Pa /etc/sudoers
892: we would use the
893: following line in
894: .Pa /etc/sudoers :
895: .Bd -literal -offset 4n
896: #include /etc/sudoers.local
897: .Ed
898: .Pp
899: When
900: .Nm sudo
901: reaches this line it will suspend processing of the current file
902: .Pq Pa /etc/sudoers
903: and switch to
904: .Pa /etc/sudoers.local .
905: Upon reaching the end of
906: .Pa /etc/sudoers.local ,
907: the rest of
908: .Pa /etc/sudoers
909: will be processed.
910: Files that are included may themselves include other files.
911: A hard limit of 128 nested include files is enforced to prevent include
912: file loops.
913: .Pp
914: If the path to the include file is not fully-qualified (does not
915: begin with a
916: .Ql / ) ,
917: it must be located in the same directory as the sudoers file it was
918: included from.
919: For example, if
920: .Pa /etc/sudoers
921: contains the line:
922: .Bd -literal -offset 4n
923: .Li #include sudoers.local
924: .Ed
925: .Pp
926: the file that will be included is
927: .Pa /etc/sudoers.local .
928: .Pp
929: The file name may also include the
930: .Li %h
931: escape, signifying the short form of the host name.
932: In other words, if the machine's host name is
933: .Dq xerxes ,
934: then
935: .Bd -literal -offset 4n
936: #include /etc/sudoers.%h
937: .Ed
938: .Pp
939: will cause
940: .Nm sudo
941: to include the file
942: .Pa /etc/sudoers.xerxes .
943: .Pp
944: The
945: .Li #includedir
946: directive can be used to create a
947: .Pa sudo.d
948: directory that the system package manager can drop
949: .Em sudoers
950: rules
951: into as part of package installation.
952: For example, given:
953: .Bd -literal -offset 4n
954: #includedir /etc/sudoers.d
955: .Ed
956: .Pp
957: .Nm sudo
958: will read each file in
959: .Pa /etc/sudoers.d ,
960: skipping file names that end in
961: .Ql ~
962: or contain a
963: .Ql .\&
964: character to avoid causing problems with package manager or editor
965: temporary/backup files.
966: Files are parsed in sorted lexical order.
967: That is,
968: .Pa /etc/sudoers.d/01_first
969: will be parsed before
970: .Pa /etc/sudoers.d/10_second .
971: Be aware that because the sorting is lexical, not numeric,
972: .Pa /etc/sudoers.d/1_whoops
973: would be loaded
974: .Sy after
975: .Pa /etc/sudoers.d/10_second .
976: Using a consistent number of leading zeroes in the file names can be used
977: to avoid such problems.
978: .Pp
979: Note that unlike files included via
980: .Li #include ,
981: .Nm visudo
982: will not edit the files in a
983: .Li #includedir
984: directory unless one of them contains a syntax error.
985: It is still possible to run
986: .Nm visudo
987: with the
988: .Fl f
989: flag to edit the files directly.
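The #includedir selection and ordering rules above, as an added example that is not part of sudo: it takes a constructed directory listing (no file system access), drops the names sudo skips, sorts lexically, and reports numeric prefixes whose parse order differs from what the numbers suggest. Since the last matching entry wins, that order decides which rule takes effect.

```python
def includedir_files(names):
    """Names sudo would parse from a #includedir directory, in parse
    order: skip names ending in '~' or containing '.', then sort
    lexically (not numerically)."""
    keep = [n for n in names if not n.endswith("~") and "." not in n]
    return sorted(keep)


def leading_number(name):
    """Integer value of a name's leading digits, or None if it has none."""
    digits = ""
    for ch in name:
        if not ch.isdigit():
            break
        digits += ch
    return int(digits) if digits else None


def ordering_surprises(names):
    """Report pairs where a file with a lower leading number is parsed
    after a file with a higher one, the 1_whoops vs 10_second case."""
    numbered = [(leading_number(n), n) for n in includedir_files(names)]
    numbered = [(num, n) for num, n in numbered if num is not None]
    surprises = []
    for (a_num, a), (b_num, b) in zip(numbered, numbered[1:]):
        if b_num < a_num:
            surprises.append(
                "%s has a lower number than %s but is parsed after it" % (b, a))
    return surprises


if __name__ == "__main__":
    # Constructed listing of a hypothetical /etc/sudoers.d.
    listing = ["10_second", "01_first", "README.md", "01_first~",
               "1_whoops", ".10_second.swp"]
    print(includedir_files(listing))
    print(ordering_surprises(listing))
```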
990: .Ss Other special characters and reserved words
991: The pound sign
992: .Pq Ql #
993: is used to indicate a comment (unless it is part of a #include
994: directive or unless it occurs in the context of a user name and is
995: followed by one or more digits, in which case it is treated as a
996: uid).
997: Both the comment character and any text after it, up to the end of
998: the line, are ignored.
999: .Pp
1000: The reserved word
1001: .Sy ALL
1002: is a built-in
1003: .Em alias
1004: that always causes a match to succeed.
1005: It can be used wherever one might otherwise use a
1006: .Li Cmnd_Alias ,
1007: .Li User_Alias ,
1008: .Li Runas_Alias ,
1009: or
1010: .Li Host_Alias .
1011: You should not try to define your own
1012: .Em alias
1013: called
1014: .Sy ALL
1015: as the built-in alias will be used in preference to your own.
1016: Please note that using
1017: .Sy ALL
1018: can be dangerous since in a command context, it allows the user to run
1019: .Sy any
1020: command on the system.
1021: .Pp
1022: An exclamation point
1023: .Pq Ql \&!
1024: can be used as a logical
1025: .Em not
1026: operator both in an
1027: .Em alias
1028: and in front of a
1029: .Li Cmnd .
1030: This allows one to exclude certain values.
1031: Note, however, that using a
1032: .Ql \&!
1033: in conjunction with the built-in
1034: .Sy ALL
1035: alias to allow a user to run
1036: .Dq all but a few
1037: commands rarely works as intended (see
1038: .Sx SECURITY NOTES
1039: below).
1040: .Pp
1041: Long lines can be continued with a backslash
1042: .Pq Ql \e
1043: as the last character on the line.
1044: .Pp
1045: White space between elements in a list as well as special syntactic
1046: characters in a
1047: .Em User Specification
1048: .Po
1049: .Ql =\& ,
1050: .Ql :\& ,
1051: .Ql (\& ,
1052: .Ql )\&
1053: .Pc
1054: is optional.
1055: .Pp
1056: The following characters must be escaped with a backslash
1057: .Pq Ql \e
1058: when used as part of a word (e.g.\& a user name or host name):
1059: .Ql \&! ,
1060: .Ql =\& ,
1061: .Ql :\& ,
1062: .Ql ,\& ,
1063: .Ql (\& ,
1064: .Ql )\& ,
1065: .Ql \e .
1066: .Sh SUDOERS OPTIONS
1067: .Nm sudo Ns No 's
1068: behavior can be modified by
1069: .Li Default_Entry
1070: lines, as explained earlier.
1071: A list of all supported Defaults parameters, grouped by type, is given below.
1072: .Pp
1073: .Sy Boolean Flags :
1074: .Bl -tag -width 16n
1075: .It always_set_home
1076: If enabled,
1077: .Nm sudo
1078: will set the
1079: .Ev HOME
1080: environment variable to the home directory of the target user
1081: (which is root unless the
1082: .Fl u
1083: option is used).
1084: This effectively means that the
1085: .Fl H
1086: option is always implied.
1087: This flag is
1088: .Em off
1089: by default.
1090: .It authenticate
1091: If set, users must authenticate themselves via a password (or other
1092: means of authentication) before they may run commands.
1093: This default may be overridden via the
1094: .Li PASSWD
1095: and
1096: .Li NOPASSWD
1097: tags.
1098: This flag is
1099: .Em on
1100: by default.
1101: .It closefrom_override
1102: If set, the user may use
1103: .Nm sudo Ns No 's
1104: .Fl C
1105: option which overrides the default starting point at which
1106: .Nm sudo
1107: begins closing open file descriptors.
1108: This flag is
1109: .Em off
1110: by default.
1111: .It env_editor
1112: If set,
1113: .Nm visudo
1114: will use the value of the
1115: .Ev EDITOR
1116: or
1117: .Ev VISUAL
1118: environment variables before falling back on the default editor list.
1119: Note that this may create a security hole as it allows the user to
1120: run any arbitrary command as root without logging.
1121: A safer alternative is to place a colon-separated list of editors
1122: in the
1123: .Li editor
1124: variable.
1125: .Nm visudo
1126: will then only use the
1127: .Ev EDITOR
1128: or
1129: .Ev VISUAL
1130: if they match a value specified in
1131: .Li editor .
1132: This flag is
1133: .Em @env_editor@
1134: by
1135: default.
1136: .It env_reset
1137: If set,
1138: .Nm sudo
1139: will run the command in a minimal environment containing the
1140: .Ev TERM ,
1141: .Ev PATH ,
1142: .Ev HOME ,
1143: .Ev MAIL ,
1144: .Ev SHELL ,
1145: .Ev LOGNAME ,
1146: .Ev USER ,
1147: .Ev USERNAME
1148: and
1149: .Ev SUDO_*
1150: variables.
1151: Any
1152: variables in the caller's environment that match the
1153: .Li env_keep
1154: and
1155: .Li env_check
1156: lists are then added, followed by any variables present in the file
1157: specified by the
1158: .Em env_file
1159: option (if any).
1160: The default contents of the
1161: .Li env_keep
1162: and
1163: .Li env_check
1164: lists are displayed when
1165: .Nm sudo
1166: is run by root with the
1167: .Fl V
1168: option.
1169: If the
1170: .Em secure_path
1171: option is set, its value will be used for the
1172: .Ev PATH
1173: environment variable.
1174: This flag is
1175: .Em @env_reset@
1176: by default.
1177: .It fast_glob
1178: Normally,
1179: .Nm sudo
1180: uses the
1181: .Xr glob 3
1182: function to do shell-style globbing when matching path names.
1183: However, since it accesses the file system,
1184: .Xr glob 3
1185: can take a long time to complete for some patterns, especially
1186: when the pattern references a network file system that is mounted
1187: on demand (auto mounted).
1188: The
1189: .Em fast_glob
1190: option causes
1191: .Nm sudo
1192: to use the
1193: .Xr fnmatch 3
1194: function, which does not access the file system to do its matching.
1195: The disadvantage of
1196: .Em fast_glob
1197: is that it is unable to match relative path names such as
1198: .Pa ./ls
1199: or
1200: .Pa ../bin/ls .
1201: This has security implications when path names that include globbing
1202: characters are used with the negation operator,
1203: .Ql !\& ,
1204: as such rules can be trivially bypassed.
1205: As such, this option should not be used when
1206: .Em sudoers
1207: contains rules that contain negated path names which include globbing
1208: characters.
1209: This flag is
1210: .Em off
1211: by default.
1212: .It fqdn
1213: Set this flag if you want to put fully qualified host names in the
1214: .Em sudoers
1215: file when the local host name (as returned by the
1216: .Li hostname
1217: command) does not contain the domain name.
1218: In other words, instead of myhost you would use myhost.mydomain.edu.
1219: You may still use the short form if you wish (and even mix the two).
1220: This option is only effective when the
1221: .Dq canonical
1222: host name, as returned by the
1223: .Fn getaddrinfo
1224: or
1225: .Fn gethostbyname
1226: function, is a fully-qualified domain name.
1227: This is usually the case when the system is configured to use DNS
1228: for host name resolution.
1229: .Pp
1230: If the system is configured to use the
1231: .Pa /etc/hosts
1232: file in preference to DNS, the
1233: .Dq canonical
1234: host name may not be fully-qualified.
1235: The order that sources are queried for host name resolution
1236: is specified in the
1237: .Pa /etc/resolv.conf
1238: file.
1239: In the
1240: .Pa /etc/hosts
1241: file, the first host name of the entry is considered to be the
1242: .Dq canonical
1243: name; subsequent names are aliases that are not used by
1244: .Nm sudoers .
1245: For example, the following hosts file line for the machine
1246: .Dq xyzzy
1247: has the fully-qualified domain name as the
1248: .Dq canonical
1249: host name, and the short version as an alias.
1250: .sp
1251: .Dl 192.168.1.1 xyzzy.sudo.ws xyzzy
1252: .sp
1253: If the machine's hosts file entry is not formatted properly, the
1254: .Em fqdn
1255: option will not be effective if it is queried before DNS.
1256: .Pp
1257: Beware that when using DNS for host name resolution, turning on
1258: .Em fqdn
1259: requires
1260: .Nm sudoers
1261: to make DNS lookups which renders
1262: .Nm sudo
1263: unusable if DNS stops working (for example if the machine is disconnected
1264: from the network).
1265: Also note that just like with the hosts file, you must use the
1266: .Dq canonical
1267: name as DNS knows it.
1268: That is, you may not use a host alias
1269: .Po
1270: .Li CNAME
1271: entry
1272: .Pc
1273: due to performance issues and the fact that there is no way to get all
1274: aliases from DNS.
1275: .Pp
1276: This flag is
1277: .Em @fqdn@
1278: by default.
1279: .It ignore_dot
1280: If set,
1281: .Nm sudo
1282: will ignore "." or "" (both denoting current directory) in the
1283: .Ev PATH
1284: environment variable; the
1285: .Ev PATH
1286: itself is not modified.
1287: This flag is
1288: .Em @ignore_dot@
1289: by default.
1290: .It ignore_local_sudoers
1291: If set via LDAP, parsing of
1292: .Pa @sysconfdir@/sudoers
1293: will be skipped.
1294: This is intended for enterprises that wish to prevent the use of local
1295: sudoers files so that only LDAP is used.
1296: This thwarts the efforts of rogue operators who would attempt to add roles to
1297: .Pa @sysconfdir@/sudoers .
1298: When this option is present,
1299: .Pa @sysconfdir@/sudoers
1300: does not even need to exist.
1301: Since this option tells
1302: .Nm sudo
1303: how to behave when no specific LDAP entries have been matched, this
1304: sudoOption is only meaningful for the
1305: .Li cn=defaults
1306: section.
1307: This flag is
1308: .Em off
1309: by default.
1310: .It insults
1311: If set,
1312: .Nm sudo
1313: will insult users when they enter an incorrect password.
1314: This flag is
1315: .Em @insults@
1316: by default.
1317: .It log_host
1318: If set, the host name will be logged in the (non-syslog)
1319: .Nm sudo
1320: log file.
1321: This flag is
1322: .Em off
1323: by default.
1324: .It log_year
1325: If set, the four-digit year will be logged in the (non-syslog)
1326: .Nm sudo
1327: log file.
1328: This flag is
1329: .Em off
1330: by default.
1331: .It long_otp_prompt
1332: When validating with a One Time Password (OTP) scheme such as
1333: .Sy S/Key
1334: or
1335: .Sy OPIE ,
1336: a two-line prompt is used to make it easier
1337: to cut and paste the challenge to a local window.
1338: It's not as pretty as the default but some people find it more convenient.
1339: This flag is
1340: .Em @long_otp_prompt@
1341: by default.
1342: .It mail_always
1343: Send mail to the
1344: .Em mailto
1345: user every time a user runs
1346: .Nm sudo .
1347: This flag is
1348: .Em off
1349: by default.
1350: .It mail_badpass
1351: Send mail to the
1352: .Em mailto
1353: user if the user running
1354: .Nm sudo
1355: does not enter the correct password.
1356: If the command the user is attempting to run is not permitted by
1357: .Em sudoers
1358: and one of the
1359: .Em mail_always ,
1360: .Em mail_no_host ,
1361: .Em mail_no_perms
1362: or
1363: .Em mail_no_user
1364: flags is set, this flag will have no effect.
1365: This flag is
1366: .Em off
1367: by default.
1368: .It mail_no_host
1369: If set, mail will be sent to the
1370: .Em mailto
1371: user if the invoking user exists in the
1372: .Em sudoers
1373: file, but is not allowed to run commands on the current host.
1374: This flag is
1375: .Em @mail_no_host@
1376: by default.
1377: .It mail_no_perms
1378: If set, mail will be sent to the
1379: .Em mailto
1380: user if the invoking user is allowed to use
1381: .Nm sudo
1382: but the command they are trying is not listed in their
1383: .Em sudoers
1384: file entry or is explicitly denied.
1385: This flag is
1386: .Em @mail_no_perms@
1387: by default.
1388: .It mail_no_user
1389: If set, mail will be sent to the
1390: .Em mailto
1391: user if the invoking user is not in the
1392: .Em sudoers
1393: file.
1394: This flag is
1395: .Em @mail_no_user@
1396: by default.
1397: .It noexec
1398: If set, all commands run via
1399: .Nm sudo
1400: will behave as if the
1401: .Li NOEXEC
1402: tag has been set, unless overridden by a
1403: .Li EXEC
1404: tag.
1405: See the description of
1406: .Em NOEXEC and EXEC
1407: below as well as the
1408: .Sx Preventing Shell Escapes
1409: section at the end of this manual.
1410: This flag is
1411: .Em off
1412: by default.
1413: .It path_info
1414: Normally,
1415: .Nm sudo
1416: will tell the user when a command could not be
1417: found in their
1418: .Ev PATH
1419: environment variable.
1420: Some sites may wish to disable this as it could be used to gather
1421: information on the location of executables that the normal user does
1422: not have access to.
1423: The disadvantage is that if the executable is simply not in the user's
1424: .Ev PATH ,
1425: .Nm sudo
1426: will tell the user that they are not allowed to run it, which can be confusing.
1427: This flag is
1428: .Em @path_info@
1429: by default.
1430: .It passprompt_override
1431: The password prompt specified by
1432: .Em passprompt
1433: will normally only be used if the password prompt provided by systems
1434: such as PAM matches the string
1435: .Dq Password: .
1436: If
1437: .Em passprompt_override
1438: is set,
1439: .Em passprompt
1440: will always be used.
1441: This flag is
1442: .Em off
1443: by default.
1444: .It preserve_groups
1445: By default,
1446: .Nm sudo
1447: will initialize the group vector to the list of groups the target user is in.
1448: When
1449: .Em preserve_groups
1450: is set, the user's existing group vector is left unaltered.
1451: The real and effective group IDs, however, are still set to match the
1452: target user.
1453: This flag is
1454: .Em off
1455: by default.
1456: .It pwfeedback
1457: By default,
1458: .Nm sudo
1459: reads the password like most other Unix programs,
1460: by turning off echo until the user hits the return (or enter) key.
1461: Some users become confused by this as it appears to them that
1462: .Nm sudo
1463: has hung at this point.
1464: When
1465: .Em pwfeedback
1466: is set,
1467: .Nm sudo
1468: will provide visual feedback when the user presses a key.
1469: Note that this does have a security impact as an onlooker may be able to
1470: determine the length of the password being entered.
1471: This flag is
1472: .Em off
1473: by default.
1474: .It requiretty
1475: If set,
1476: .Nm sudo
1477: will only run when the user is logged in to a real tty.
1478: When this flag is set,
1479: .Nm sudo
1480: can only be run from a login session and not via other means such as
1481: .Xr cron @mansectsu@
1482: or cgi-bin scripts.
1483: This flag is
1484: .Em off
1485: by default.
1486: .It root_sudo
1487: If set, root is allowed to run
1488: .Nm sudo
1489: too.
1490: Disabling this prevents users from
1491: .Dq chaining
1492: .Nm sudo
1493: commands to get a root shell by doing something like
1494: .Dq Li sudo sudo /bin/sh .
1495: Note, however, that turning off
1496: .Em root_sudo
1497: will also prevent root from running
1498: .Nm sudoedit .
1499: Disabling
1500: .Em root_sudo
1501: provides no real additional security; it exists purely for historical reasons.
1502: This flag is
1503: .Em @root_sudo@
1504: by default.
1505: .It rootpw
1506: If set,
1507: .Nm sudo
1508: will prompt for the root password instead of the password of the invoking user.
1509: This flag is
1510: .Em off
1511: by default.
1512: .It runaspw
1513: If set,
1514: .Nm sudo
1515: will prompt for the password of the user defined by the
1516: .Em runas_default
1517: option (defaults to
1518: .Li @runas_default@ )
1519: instead of the password of the invoking user.
1520: This flag is
1521: .Em off
1522: by default.
1523: .It set_home
1524: If enabled and
1525: .Nm sudo
1526: is invoked with the
1527: .Fl s
1528: option the
1529: .Ev HOME
1530: environment variable will be set to the home directory of the target
1531: user (which is root unless the
1532: .Fl u
1533: option is used).
1534: This effectively makes the
1535: .Fl s
1536: option imply
1537: .Fl H .
1538: This flag is
1539: .Em off
1540: by default.
1541: .It set_logname
1542: Normally,
1543: .Nm sudo
1544: will set the
1545: .Ev LOGNAME ,
1546: .Ev USER
1547: and
1548: .Ev USERNAME
1549: environment variables to the name of the target user (usually root unless the
1550: .Fl u
1551: option is given).
1552: However, since some programs (including the RCS revision control system) use
1553: .Ev LOGNAME
1554: to determine the real identity of the user, it may be desirable to
1555: change this behavior.
1556: This can be done by negating the set_logname option.
1557: Note that if the
1558: .Em env_reset
1559: option has not been disabled, entries in the
1560: .Em env_keep
1561: list will override the value of
1562: .Em set_logname .
1563: This flag is
1564: .Em on
1565: by default.
1566: .It setenv
1567: Allow the user to disable the
1568: .Em env_reset
1569: option from the command line via the
1570: .Fl E
1571: option.
1572: Additionally, environment variables set via the command line are
1573: not subject to the restrictions imposed by
1574: .Em env_check ,
1575: .Em env_delete ,
1576: or
1577: .Em env_keep .
1578: As such, only trusted users should be allowed to set variables in this manner.
1579: This flag is
1580: .Em off
1581: by default.
1582: .It shell_noargs
1583: If set and
1584: .Nm sudo
1585: is invoked with no arguments it acts as if the
1586: .Fl s
1587: option had been given.
1588: That is, it runs a shell as root (the shell is determined by the
1589: .Ev SHELL
1590: environment variable if it is set, falling back on the shell listed
1591: in the invoking user's /etc/passwd entry if not).
1592: This flag is
1593: .Em off
1594: by default.
1595: .It stay_setuid
1596: Normally, when
1597: .Nm sudo
1598: executes a command the real and effective UIDs are set to the target
1599: user (root by default).
1600: This option changes that behavior such that the real UID is left
1601: as the invoking user's UID.
1602: In other words, this makes
1603: .Nm sudo
1604: act as a setuid wrapper.
1605: This can be useful on systems that disable some potentially
1606: dangerous functionality when a program is run setuid.
1607: This option is only effective on systems that support either the
1608: .Xr setreuid 2
1609: or
1610: .Xr setresuid 2
1611: system call.
1612: This flag is
1613: .Em off
1614: by default.
1615: .It targetpw
1616: If set,
1617: .Nm sudo
1618: will prompt for the password of the user specified
1619: by the
1620: .Fl u
1621: option (defaults to
1622: .Li root )
1623: instead of the password of the invoking user.
1624: In addition, the time stamp file name will include the target user's name.
1625: Note that this flag precludes the use of a uid not listed in the passwd
1626: database as an argument to the
1627: .Fl u
1628: option.
1629: This flag is
1630: .Em off
1631: by default.
1632: .It tty_tickets
1633: If set, users must authenticate on a per-tty basis.
1634: With this flag enabled,
1635: .Nm sudo
1636: will use a file named for the tty the user is
1637: logged in on in the user's time stamp directory.
1638: If disabled, the time stamp of the directory is used instead.
1639: This flag is
1640: .Em @tty_tickets@
1641: by default.
1642: .It umask_override
1643: If set,
1644: .Nm sudo
1645: will set the umask as specified by
1646: .Em sudoers
1647: without modification.
1648: This makes it possible to specify a more permissive umask in
1649: .Em sudoers
1650: than the user's own umask and matches historical behavior.
1651: If
1652: .Em umask_override
1653: is not set,
1654: .Nm sudo
1655: will set the umask to be the union of the user's umask and what is specified in
1656: .Em sudoers .
1657: This flag is
1658: .Em @umask_override@
1659: by default.
1660: .It use_loginclass
1661: If set,
1662: .Nm sudo
1663: will apply the defaults specified for the target user's login class
1664: if one exists.
1665: Only available if
1666: .Nm sudo
1667: is configured with the
1668: .Li --with-logincap
1669: option.
1670: This flag is
1671: .Em off
1672: by default.
1673: .It use_pty
1674: If set,
1675: .Nm sudo
1676: will run the command in a pseudo-pty even if no I/O logging is being done.
1677: A malicious program run under
1678: .Nm sudo
1679: could conceivably fork a background process that retains access to the user's
1680: terminal device after the main program has finished executing.
1681: Use of this option will make that impossible.
1682: This flag is
1683: .Em off
1684: by default.
1685: .It visiblepw
1686: By default,
1687: .Nm sudo
1688: will refuse to run if the user must enter a password but it is not
1689: possible to disable echo on the terminal.
1690: If the
1691: .Em visiblepw
1692: flag is set,
1693: .Nm sudo
1694: will prompt for a password even when it would be visible on the screen.
1695: This makes it possible to run things like
1696: .Dq Li ssh somehost sudo ls
1697: since by default,
1698: .Xr ssh 1
1699: does
1700: not allocate a tty when running a command.
1701: This flag is
1702: .Em off
1703: by default.
1704: .El
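The canonical-name rule from the fqdn description above, worked through in Python as an added example (this is not sudo's code; the /etc/hosts excerpt and the host names in it are constructed). It returns the first name of the matching hosts-file entry as the canonical name and the remaining names as aliases, and reports whether that canonical name is fully qualified, which is the check to make before enabling fqdn on a host that consults /etc/hosts before DNS.

```python
"""Model of how the canonical host name is chosen from /etc/hosts.

Added example, not sudo's code.  It follows the rule in the fqdn
description: on the hosts-file line that names this machine, the first
name is canonical and the later names are aliases that sudoers ignores.
"""

# Constructed /etc/hosts excerpt: one entry with the FQDN first (correct for
# fqdn) and one with the short name first (fqdn would not be effective).
SAMPLE_HOSTS = """\
# comment lines and blank lines are ignored
127.0.0.1       localhost
192.168.1.1     xyzzy.sudo.ws xyzzy      # canonical name is the FQDN
192.168.1.2     plugh plugh.sudo.ws      # canonical name is the short form
"""


def parse_hosts(text):
    """Return a list of (ip, [names...]) for every non-comment hosts line."""
    entries = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()   # drop trailing comments
        if not line:
            continue
        ip, *names = line.split()
        if names:
            entries.append((ip, names))
    return entries


def canonical_name(text, hostname):
    """Canonical name and aliases for hostname, using the first matching line.

    Returns (canonical, aliases), or (None, []) when no entry names the host.
    """
    for _ip, names in parse_hosts(text):
        if hostname in names:
            return names[0], names[1:]
    return None, []


def is_fqdn(name):
    """True when the name carries a domain part (contains a dot)."""
    return name is not None and "." in name


def fqdn_effective(text, hostname):
    """Would 'Defaults fqdn' be effective for this host when /etc/hosts is
    consulted first?  Only if the canonical name is already qualified."""
    canon, _aliases = canonical_name(text, hostname)
    return is_fqdn(canon)


if __name__ == "__main__":
    for host in ("xyzzy", "plugh"):
        canon, aliases = canonical_name(SAMPLE_HOSTS, host)
        print(host, "-> canonical:", canon, "aliases:", aliases,
              "fqdn effective:", fqdn_effective(SAMPLE_HOSTS, host))
```

Running it shows why the order of names on the hosts line matters: for xyzzy the canonical name is xyzzy.sudo.ws and rules written against the FQDN will match, while for plugh the canonical name is the short form and fqdn gains nothing.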
1705: .Pp
1706: .Sy Integers :
1707: .Bl -tag -width 16n
1708: .It closefrom
1709: Before it executes a command,
1710: .Nm sudo
1711: will close all open file descriptors other than standard input,
1712: standard output and standard error (i.e., file descriptors 0-2).
1713: The
1714: .Em closefrom
1715: option can be used to specify a different file descriptor at which
1716: to start closing.
1717: The default is
1718: .Li 3 .
1719: .It passwd_tries
1720: The number of tries a user gets to enter his/her password before
1721: .Nm sudo
1722: logs the failure and exits.
1723: The default is
1724: .Li @passwd_tries@ .
1725: .El
1726: .Pp
1727: .Sy Integers that can be used in a boolean context :
1728: .Bl -tag -width 16n
1729: .It loglinelen
1730: Number of characters per line for the file log.
1731: This value is used to decide when to wrap lines for nicer log files.
1732: This has no effect on the syslog log file, only the file log.
1733: The default is
1734: .Li @loglen@
1735: (use 0 or negate the option to disable word wrap).
1736: .It passwd_timeout
1737: Number of minutes before the
1738: .Nm sudo
1739: password prompt times out, or
1740: .Li 0
1741: for no timeout.
1742: The timeout may include a fractional component
1743: if minute granularity is insufficient, for example
1744: .Li 2.5 .
1745: The
1746: default is
1747: .Li @password_timeout@ .
1748: .It timestamp_timeout
1749: Number of minutes that can elapse before
1750: .Nm sudo
1751: will ask for a password again.
1752: The timeout may include a fractional component if
1753: minute granularity is insufficient, for example
1754: .Li 2.5 .
1755: The default is
1756: .Li @timeout@ .
1757: Set this to
1758: .Li 0
1759: to always prompt for a password.
1760: If set to a value less than
1761: .Li 0
1762: the user's time stamp will never expire.
1763: This can be used to allow users to create or delete their own time stamps via
1764: .Dq Li sudo -v
1765: and
1766: .Dq Li sudo -k
1767: respectively.
1768: .It umask
1769: Umask to use when running the command.
1770: Negate this option or set it to 0777 to preserve the user's umask.
1771: The actual umask that is used will be the union of the user's umask
1772: and the value of the
1773: .Em umask
1774: option, which defaults to
1775: .Li @sudo_umask@ .
1776: This guarantees
1777: that
1778: .Nm sudo
1779: never lowers the umask when running a command.
1780: Note: on systems that use PAM, the default PAM configuration may specify
1781: its own umask which will override the value set in
1782: .Em sudoers .
1783: .El
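The umask rules from the umask_override flag and the umask option above, as an added Python example (not sudo's code). It shows the point that trips people up: without umask_override the sudoers value is OR-ed with the user's umask, so a more permissive value in sudoers (say 0002 to get group-writable files) has no effect for a user whose own umask is 0022. Treating 0777 and a negated option as "preserve the user's umask" even when umask_override is set is an assumption of this model.

```python
"""Model of the effective umask under the sudoers umask / umask_override rules.

Added example, not sudo's code.  Umasks are plain integers (octal literals);
None stands for a negated 'umask' option.
"""

PRESERVE = 0o777   # the documented value meaning "keep the user's own umask"


def effective_umask(user_umask, sudoers_umask, umask_override=False):
    """Return the umask the command runs with.

    user_umask     the invoking user's umask
    sudoers_umask  the sudoers 'umask' option value, or None when negated
    umask_override the sudoers 'umask_override' flag
    """
    if sudoers_umask is None or sudoers_umask == PRESERVE:
        return user_umask                 # option negated or set to 0777
    if umask_override:
        return sudoers_umask              # applied as written, may be looser
    return user_umask | sudoers_umask     # union: every masked bit stays masked


def never_lowered(user_umask, sudoers_umask):
    """The guarantee stated in the text for the non-override case: no
    permission bit the user already masked off is re-enabled by sudo."""
    return effective_umask(user_umask, sudoers_umask) & user_umask == user_umask


if __name__ == "__main__":
    # user umask 0022, sudoers asks for the looser 0002: union is still 0022
    print(oct(effective_umask(0o022, 0o002)))
    # the same with umask_override: sudoers value wins
    print(oct(effective_umask(0o022, 0o002, umask_override=True)))
```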
1784: .Pp
1785: .Sy Strings :
1786: .Bl -tag -width 16n
1787: .It badpass_message
1788: Message that is displayed if a user enters an incorrect password.
1789: The default is
1790: .Li @badpass_message@
1791: unless insults are enabled.
1792: .It editor
1793: A colon
1794: .Pq Ql :\&
1795: separated list of editors allowed to be used with
1796: .Nm visudo .
1797: .Nm visudo
1798: will choose the editor that matches the user's
1799: .Ev EDITOR
1800: environment variable if possible, or the first editor in the
1801: list that exists and is executable.
1802: The default is
1803: .Pa @editor@ .
1804: .It mailsub
1805: Subject of the mail sent to the
1806: .Em mailto
1807: user.
1808: The escape
1809: .Li %h
1810: will expand to the host name of the machine.
1811: Default is
1812: .Dq Li @mailsub@ .
1813: .It noexec_file
1814: The
1815: .Em noexec_file
1816: option specifies the fully-qualified path to a shared library
1817: containing dummy versions of the
1818: .Fn execv ,
1819: .Fn execve
1820: and
1821: .Fn fexecve
1822: library functions that just return an error.
1823: This is used to implement the
1824: .Em noexec
1825: functionality on systems that support
1826: .Ev LD_PRELOAD
1827: or its equivalent.
1828: Defaults to
1829: .Pa @noexec_file@ .
1830: .It passprompt
1831: The default prompt to use when asking for a password; can be overridden via the
1832: .Fl p
1833: option or the
1834: .Ev SUDO_PROMPT
1835: environment variable.
1836: The following percent
1837: .Pq Ql %
1838: escape sequences are supported:
1839: .Bl -tag -width 4n
1840: .It Li %H
1841: expanded to the local host name including the domain name
1842: (only if the machine's host name is fully qualified or the
1843: .Em fqdn
1844: option is set)
1845: .It Li %h
1846: expanded to the local host name without the domain name
1847: .It Li %p
1848: expanded to the user whose password is being asked for (respects the
1849: .Em rootpw ,
1850: .Em targetpw
1851: and
1852: .Em runaspw
1853: flags in
1854: .Em sudoers )
1855: .It Li \&%U
1856: expanded to the login name of the user the command will
1857: be run as (defaults to root)
1858: .It Li %u
1859: expanded to the invoking user's login name
1860: .It Li %%
1861: two consecutive
1862: .Li %
1863: characters are collapsed into a single
1864: .Li %
1865: character
1866: .El
1867: .Pp
1868: The default value is
1869: .Dq Li @passprompt@ .
1870: .It runas_default
1871: The default user to run commands as if the
1872: .Fl u
1873: option is not specified on the command line.
1874: This defaults to
1875: .Li @runas_default@ .
1876: .It syslog_badpri
1877: Syslog priority to use when user authenticates unsuccessfully.
1878: Defaults to
1879: .Li @badpri@ .
1880: .Pp
1881: The following syslog priorities are supported:
1882: .Sy alert ,
1883: .Sy crit ,
1884: .Sy debug ,
1885: .Sy emerg ,
1886: .Sy err ,
1887: .Sy info ,
1888: .Sy notice ,
1889: and
1890: .Sy warning .
1891: .It syslog_goodpri
1892: Syslog priority to use when user authenticates successfully.
1893: Defaults to
1894: .Li @goodpri@ .
1895: .Pp
1896: See
1897: .Sx syslog_badpri
1898: for the list of supported syslog priorities.
1899: .It sudoers_locale
1900: Locale to use when parsing the sudoers file, logging commands, and
1901: sending email.
1902: Note that changing the locale may affect how sudoers is interpreted.
1903: Defaults to
1904: .Dq Li C .
1905: .It timestampdir
1906: The directory in which
1907: .Nm sudo
1908: stores its time stamp files.
1909: The default is
1910: .Pa @timedir@ .
1911: .It timestampowner
1912: The owner of the time stamp directory and the time stamps stored therein.
1913: The default is
1914: .Li root .
1915: .It askpass
1916: The
1917: .Em askpass
1918: option specifies the fully qualified path to a helper program used
1919: to read the user's password when no terminal is available.
1920: This may be the case when
1921: .Nm sudo
1922: is executed from a graphical (as opposed to text-based) application.
1923: The program specified by
1924: .Em askpass
1925: should display the argument passed to it as the prompt and write
1926: the user's password to the standard output.
1927: The value of
1928: .Em askpass
1929: may be overridden by the
1930: .Ev SUDO_ASKPASS
1931: environment variable.
1932: .It env_file
1933: The
1934: .Em env_file
1935: option specifies the fully qualified path to a file containing variables
1936: to be set in the environment of the program being run.
1937: Entries in this file should either be of the form
1938: .Dq Li VARIABLE=value
1939: or
1940: .Dq Li export VARIABLE=value .
1941: The value may optionally be surrounded by single or double quotes.
1942: Variables in this file are subject to other
1943: .Nm sudo
1944: environment settings such as
1945: .Em env_keep
1946: and
1947: .Em env_check .
1948: .It exempt_group
1949: Users in this group are exempt from password and PATH requirements.
1950: The group name specified should not include a
1951: .Li %
1952: prefix.
1953: This is not set by default.
1954: .It lecture
1955: This option controls when a short lecture will be printed along with
1956: the password prompt.
1957: It has the following possible values:
1958: .Bl -tag -width 6n
1959: .It always
1960: Always lecture the user.
1961: .It never
1962: Never lecture the user.
1963: .It once
1964: Only lecture the user the first time they run
1965: .Nm sudo .
1966: .El
1967: .Pp
1968: If no value is specified, a value of
1969: .Em once
1970: is implied.
1971: Negating the option results in a value of
1972: .Em never
1973: being used.
1974: The default value is
1975: .Em @lecture@ .
1976: .It lecture_file
1977: Path to a file containing an alternate
1978: .Nm sudo
1979: lecture that will be used in place of the standard lecture if the named
1980: file exists.
1981: By default,
1982: .Nm sudo
1983: uses a built-in lecture.
1984: .It listpw
1985: This option controls when a password will be required when a user runs
1986: .Nm sudo
1987: with the
1988: .Fl l
1989: option.
1990: It has the following possible values:
1991: .Bl -tag -width 8n
1992: .It all
1993: All the user's
1994: .Em sudoers
1995: entries for the current host must have
1996: the
1997: .Li NOPASSWD
1998: flag set to avoid entering a password.
1999: .It always
2000: The user must always enter a password to use the
2001: .Fl l
2002: option.
2003: .It any
2004: At least one of the user's
2005: .Em sudoers
2006: entries for the current host
2007: must have the
2008: .Li NOPASSWD
2009: flag set to avoid entering a password.
2010: .It never
2011: The user need never enter a password to use the
2012: .Fl l
2013: option.
2014: .El
2015: .Pp
2016: If no value is specified, a value of
2017: .Em any
2018: is implied.
2019: Negating the option results in a value of
2020: .Em never
2021: being used.
2022: The default value is
2023: .Em any .
2024: .It logfile
2025: Path to the
2026: .Nm sudo
2027: log file (not the syslog log file).
2028: Setting a path turns on logging to a file;
2029: negating this option turns it off.
2030: By default,
2031: .Nm sudo
2032: logs via syslog.
2033: .It mailerflags
2034: Flags to use when invoking the mailer. Defaults to
2035: .Fl t .
2036: .It mailerpath
2037: Path to mail program used to send warning mail.
2038: Defaults to the path to sendmail found at configure time.
2039: .It mailfrom
2040: Address to use for the
2041: .Dq from
2042: address when sending warning and error mail.
2043: The address should be enclosed in double quotes
2044: .Pq \&""
2045: to protect against
2046: .Nm sudo
2047: interpreting the
2048: .Li @
2049: sign.
2050: Defaults to the name of the user running
2051: .Nm sudo .
2052: .It mailto
2053: Address to send warning and error mail to.
2054: The address should be enclosed in double quotes
2055: .Pq \&""
2056: to protect against
2057: .Nm sudo
2058: interpreting the
2059: .Li @
2060: sign.
2061: Defaults to
2062: .Li @mailto@ .
2063: .It secure_path
2064: Path used for every command run from
2065: .Nm sudo .
2066: If you don't trust the
2067: people running
2068: .Nm sudo
2069: to have a sane
2070: .Ev PATH
2071: environment variable you may want to use this.
2072: Another use is if you want to have the
2073: .Dq root path
2074: be separate from the
2075: .Dq user path .
2076: Users in the group specified by the
2077: .Em exempt_group
2078: option are not affected by
2079: .Em secure_path .
2080: This option is @secure_path@ by default.
2081: .It syslog
2082: Syslog facility if syslog is being used for logging (negate to
2083: disable syslog logging).
2084: Defaults to
2085: .Li @logfac@ .
2086: .Pp
2087: The following syslog facilities are supported:
2088: .Sy authpriv
2089: (if your
2090: OS supports it),
2091: .Sy auth ,
2092: .Sy daemon ,
2093: .Sy user ,
2094: .Sy local0 ,
2095: .Sy local1 ,
2096: .Sy local2 ,
2097: .Sy local3 ,
2098: .Sy local4 ,
2099: .Sy local5 ,
2100: .Sy local6 ,
2101: and
2102: .Sy local7 .
2103: .It verifypw
2104: This option controls when a password will be required when a user runs
2105: .Nm sudo
2106: with the
2107: .Fl v
2108: option.
2109: It has the following possible values:
2110: .Bl -tag -width 6n
2111: .It all
2112: All the user's
2113: .Em sudoers
2114: entries for the current host must have the
2115: .Li NOPASSWD
2116: flag set to avoid entering a password.
2117: .It always
2118: The user must always enter a password to use the
2119: .Fl v
2120: option.
2121: .It any
2122: At least one of the user's
2123: .Em sudoers
2124: entries for the current host must have the
2125: .Li NOPASSWD
2126: flag set to avoid entering a password.
2127: .It never
2128: The user need never enter a password to use the
2129: .Fl v
2130: option.
2131: .El
2132: .Pp
2133: If no value is specified, a value of
2134: .Em all
2135: is implied.
2136: Negating the option results in a value of
2137: .Em never
2138: being used.
2139: The default value is
2140: .Em all .
2141: .El
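The passprompt percent escapes listed above, expanded in Python as an added example (not sudo's code). The host and user names are constructed inputs; sudo obtains them from the system at run time. The password_user helper follows the rootpw, targetpw and runaspw descriptions to decide whose password %p names; that at most one of those flags is set, and that the target and runas_default users default to root, are assumptions of the example.

```python
"""Expansion of the sudoers passprompt escapes: %H %h %p %U %u and %%.

Added example, not sudo's code.  A lone '%' or an unrecognised escape is
left in the prompt unchanged (assumption; the text lists only the escapes
that are expanded).
"""

# Constructed context a prompt is expanded against.
SAMPLE_CTX = {
    "fqdn_host": "xyzzy.sudo.ws",   # %H: qualified only if fqdn applies
    "short_host": "xyzzy",          # %h
    "pw_user": "root",              # %p: whose password is being asked for
    "runas_user": "root",           # %U: user the command will run as
    "invoking_user": "millert",     # %u
}


def password_user(invoking_user, target_user="root", runas_default="root",
                  rootpw=False, targetpw=False, runaspw=False):
    """Whose password sudo asks for, per the rootpw/targetpw/runaspw flags."""
    if rootpw:
        return "root"
    if targetpw:
        return target_user          # the -u user, root when -u is not given
    if runaspw:
        return runas_default        # the runas_default option
    return invoking_user


def expand_passprompt(prompt, ctx):
    """Expand the supported escapes in prompt using the names in ctx."""
    table = {
        "H": ctx["fqdn_host"],
        "h": ctx["short_host"],
        "p": ctx["pw_user"],
        "U": ctx["runas_user"],
        "u": ctx["invoking_user"],
        "%": "%",                    # '%%' collapses to a single '%'
    }
    out = []
    i = 0
    while i < len(prompt):
        ch = prompt[i]
        if ch == "%" and i + 1 < len(prompt) and prompt[i + 1] in table:
            out.append(table[prompt[i + 1]])
            i += 2
        else:
            out.append(ch)           # literal character, unknown or lone '%'
            i += 1
    return "".join(out)


if __name__ == "__main__":
    ctx = dict(SAMPLE_CTX, pw_user=password_user("millert", targetpw=True,
                                                 target_user="oracle"))
    print(expand_passprompt("[sudo] %u on %h, password for %p: ", ctx))
```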
2142: .Pp
2143: .Sy Lists that can be used in a boolean context :
2144: .Bl -tag -width 16n
2145: .It env_check
2146: Environment variables to be removed from the user's environment if
2147: the variable's value contains
2148: .Ql %
2149: or
2150: .Ql /
2151: characters.
2152: This can be used to guard against printf-style format vulnerabilities
2153: in poorly-written programs.
2154: The argument may be a double-quoted, space-separated list or a
2155: single value without double-quotes.
2156: The list can be replaced, added to, deleted from, or disabled by using
2157: the
2158: .Li = ,
2159: .Li += ,
2160: .Li -= ,
2161: and
2162: .Li \&!
2163: operators respectively.
2164: Regardless of whether the
2165: .Li env_reset
2166: option is enabled or disabled, variables specified by
2167: .Li env_check
2168: will be preserved in the environment if they pass the aforementioned check.
2169: The default list of environment variables to check is displayed when
2170: .Nm sudo
2171: is run by root with
2172: the
2173: .Fl V
2174: option.
2175: .It env_delete
2176: Environment variables to be removed from the user's environment when the
2177: .Em env_reset
2178: option is not in effect.
2179: The argument may be a double-quoted, space-separated list or a
2180: single value without double-quotes.
2181: The list can be replaced, added to, deleted from, or disabled by using the
2182: .Li = ,
2183: .Li += ,
2184: .Li -= ,
2185: and
2186: .Li \&!
2187: operators respectively.
2188: The default list of environment variables to remove is displayed when
2189: .Nm sudo
2190: is run by root with the
2191: .Fl V
2192: option.
2193: Note that many operating systems will remove potentially dangerous
2194: variables from the environment of any setuid process (such as
2195: .Nm sudo ) .
2196: .It env_keep
2197: Environment variables to be preserved in the user's environment when the
2198: .Em env_reset
2199: option is in effect.
2200: This allows fine-grained control over the environment
2201: .Nm sudo Ns No -spawned
2202: processes will receive.
2203: The argument may be a double-quoted, space-separated list or a
2204: single value without double-quotes.
2205: The list can be replaced, added to, deleted from, or disabled by using the
2206: .Li = ,
2207: .Li += ,
2208: .Li -= ,
2209: and
2210: .Li \&!
2211: operators respectively.
2212: The default list of variables to keep
2213: is displayed when
2214: .Nm sudo
2215: is run by root with the
2216: .Fl V
2217: option.
2218: .El
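The environment rules described under env_reset and under the env_check, env_delete and env_keep lists above, applied in Python to a constructed caller environment as an added example (this is not sudo's implementation, only the stated rules). It shows the effect a practitioner usually wants to confirm: with env_reset on, a variable such as LD_PRELOAD does not survive unless it is listed in env_keep, an env_check variable survives only if its value is free of '%' and '/', and secure_path replaces PATH. Applying env_file in both modes, and making its variables subject to env_check, are assumptions of the model; the SUDO_* variables are set by sudo itself, so the model simply carries any through.

```python
"""Model of env_reset / env_keep / env_check / env_delete / env_file / secure_path.

Added example, not sudo's code; it encodes the rules as the sudoers text
states them.  All sample data below is constructed.
"""

# Variables the env_reset description says the minimal environment keeps.
RESET_BASE = {"TERM", "PATH", "HOME", "MAIL", "SHELL", "LOGNAME", "USER", "USERNAME"}

SAMPLE_CALLER_ENV = {
    "PATH": "/home/alice/bin:/usr/bin",
    "HOME": "/home/alice",
    "TERM": "xterm",
    "SHELL": "/bin/sh",
    "LOGNAME": "alice",
    "USER": "alice",
    "DISPLAY": ":0",                # kept only via env_keep
    "LANG": "en_US.UTF-8",          # passes env_check
    "LC_ALL": "../../etc",          # fails env_check: contains '/'
    "LD_PRELOAD": "/tmp/hook.so",   # dropped by env_reset, or by env_delete
    "EDITOR": "vi",                 # dropped by env_reset (not in any list)
}

SAMPLE_ENV_FILE = """\
# constructed env_file contents
PAGER='less'
export TZ=UTC
LC_TIME="%H/%M"
"""


def passes_env_check(value):
    """env_check keeps a variable only if its value has no '%' or '/'."""
    return "%" not in value and "/" not in value


def parse_env_file(text):
    """Parse VARIABLE=value / export VARIABLE=value lines; the value may be
    wrapped in single or double quotes.  Blank and '#' lines are skipped
    (assumption: the text does not mention comments)."""
    result = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("export "):
            line = line[len("export "):].lstrip()
        name, sep, value = line.partition("=")
        if not sep:
            continue
        value = value.strip()
        if len(value) >= 2 and value[0] == value[-1] and value[0] in "\"'":
            value = value[1:-1]
        result[name.strip()] = value
    return result


def build_environment(caller_env, env_reset=True, env_keep=(), env_check=(),
                      env_delete=(), env_file_text="", secure_path=None):
    """Return the environment the command would run with."""
    keep, check, delete = set(env_keep), set(env_check), set(env_delete)
    if env_reset:
        # Minimal set plus env_keep, then env_check variables that pass.
        new_env = {n: v for n, v in caller_env.items()
                   if n in RESET_BASE or n.startswith("SUDO_") or n in keep}
        for name in check:
            if name in caller_env and passes_env_check(caller_env[name]):
                new_env[name] = caller_env[name]
    else:
        # Caller's environment minus env_delete and failed env_check entries.
        new_env = {n: v for n, v in caller_env.items() if n not in delete}
        for name in check:
            if name in new_env and not passes_env_check(new_env[name]):
                del new_env[name]
    # env_file variables are added last and are still subject to env_check
    # (assumption: applied in both modes; the text describes it under env_reset).
    for name, value in parse_env_file(env_file_text).items():
        if name in check and not passes_env_check(value):
            continue
        new_env[name] = value
    if secure_path is not None:
        new_env["PATH"] = secure_path     # secure_path replaces PATH
    return new_env


if __name__ == "__main__":
    env = build_environment(SAMPLE_CALLER_ENV, env_keep=("DISPLAY",),
                            env_check=("LANG", "LC_ALL", "LC_TIME"),
                            env_file_text=SAMPLE_ENV_FILE,
                            secure_path="/usr/bin:/bin")
    for name in sorted(env):
        print(f"{name}={env[name]}")
```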
2219: .Sh FILES
2220: .Bl -tag -width 24n
2221: .It Pa @sysconfdir@/sudoers
2222: List of who can run what
2223: .It Pa /etc/group
2224: Local groups file
2225: .It Pa /etc/netgroup
2226: List of network groups
2227: .El
2228: .Sh EXAMPLES
2229: Below are example
2230: .Em sudoers
2231: entries.
2232: Admittedly, some of these are a bit contrived.
2233: First, we allow a few environment variables to pass and then define our
2234: .Em aliases :
2235: .Bd -literal
2236: # Run X applications through sudo; HOME is used to find the
2237: # .Xauthority file. Note that other programs use HOME to find
2238: # configuration files and this may lead to privilege escalation!
2239: Defaults env_keep += "DISPLAY HOME"
2240:
2241: # User alias specification
2242: User_Alias FULLTIMERS = millert, mikef, dowdy
2243: User_Alias PARTTIMERS = bostley, jwfox, crawl
2244: User_Alias WEBMASTERS = will, wendy, wim
2245:
2246: # Runas alias specification
2247: Runas_Alias OP = root, operator
2248: Runas_Alias DB = oracle, sybase
2249: Runas_Alias ADMINGRP = adm, oper
2250:
2251: # Host alias specification
2252: Host_Alias SPARC = bigtime, eclipse, moet, anchor :\e
2253: SGI = grolsch, dandelion, black :\e
2254: ALPHA = widget, thalamus, foobar :\e
2255: HPPA = boa, nag, python
2256: Host_Alias CUNETS = 128.138.0.0/255.255.0.0
2257: Host_Alias CSNETS = 128.138.243.0, 128.138.204.0/24, 128.138.242.0
2258: Host_Alias SERVERS = master, mail, www, ns
2259: Host_Alias CDROM = orion, perseus, hercules
2260:
2261: # Cmnd alias specification
2262: Cmnd_Alias DUMPS = /usr/bin/mt, /usr/sbin/dump, /usr/sbin/rdump,\e
2263: /usr/sbin/restore, /usr/sbin/rrestore
2264: Cmnd_Alias KILL = /usr/bin/kill
2265: Cmnd_Alias PRINTING = /usr/sbin/lpc, /usr/bin/lprm
2266: Cmnd_Alias SHUTDOWN = /usr/sbin/shutdown
2267: Cmnd_Alias HALT = /usr/sbin/halt
2268: Cmnd_Alias REBOOT = /usr/sbin/reboot
2269: Cmnd_Alias SHELLS = /usr/bin/sh, /usr/bin/csh, /usr/bin/ksh,\e
2270: /usr/local/bin/tcsh, /usr/bin/rsh,\e
2271: /usr/local/bin/zsh
2272: Cmnd_Alias SU = /usr/bin/su
2273: Cmnd_Alias PAGERS = /usr/bin/more, /usr/bin/pg, /usr/bin/less
2274: .Ed
2275: .Pp
2276: Here we override some of the compiled in default values.
2277: We want
2278: .Nm sudo
2279: to log via
2280: .Xr syslog 3
2281: using the
2282: .Em auth
2283: facility in all cases.
2284: We don't want to subject the full time staff to the
2285: .Nm sudo
2286: lecture, user
2287: .Sy millert
2288: need not give a password, and we don't want to reset the
2289: .Ev LOGNAME ,
2290: .Ev USER
2291: or
2292: .Ev USERNAME
2293: environment variables when running commands as root.
2294: Additionally, on the machines in the
2295: .Em SERVERS
2296: .Li Host_Alias ,
2297: we keep an additional local log file and make sure we log the year
2298: in each log line since the log entries will be kept around for several years.
2299: Lastly, we disable shell escapes for the commands in the PAGERS
2300: .Li Cmnd_Alias
2301: .Po
2302: .Pa /usr/bin/more ,
2303: .Pa /usr/bin/pg
2304: and
2305: .Pa /usr/bin/less
2306: .Pc .
2307: .Bd -literal
2308: # Override built-in defaults
2309: Defaults syslog=auth
2310: Defaults>root !set_logname
2311: Defaults:FULLTIMERS !lecture
2312: Defaults:millert !authenticate
2313: Defaults@SERVERS log_year, logfile=/var/log/sudo.log
2314: Defaults!PAGERS noexec
2315: .Ed
2316: .Pp
2317: The
2318: .Em User specification
2319: is the part that actually determines who may run what.
2320: .Bd -literal
2321: root ALL = (ALL) ALL
2322: %wheel ALL = (ALL) ALL
2323: .Ed
2324: .Pp
2325: We let
2326: .Sy root
2327: and any user in group
2328: .Sy wheel
2329: run any command on any host as any user.
2330: .Bd -literal
2331: FULLTIMERS ALL = NOPASSWD: ALL
2332: .Ed
2333: .Pp
2334: Full time sysadmins
2335: .Po
2336: .Sy millert ,
2337: .Sy mikef ,
2338: and
2339: .Sy dowdy
2340: .Pc
2341: may run any command on any host without authenticating themselves.
2342: .Bd -literal
2343: PARTTIMERS ALL = ALL
2344: .Ed
2345: .Pp
2346: Part time sysadmins
2347: .Po Sy bostley ,
2348: .Sy jwfox ,
2349: and
2350: .Sy crawl Pc
2351: may run any command on any host but they must authenticate themselves
2352: first (since the entry lacks the
2353: .Li NOPASSWD
2354: tag).
2355: .Bd -literal
2356: jack CSNETS = ALL
2357: .Ed
2358: .Pp
2359: The user
2360: .Sy jack
2361: may run any command on the machines in the
2362: .Em CSNETS
2363: alias (the networks
2364: .Li 128.138.243.0 ,
2365: .Li 128.138.204.0 ,
2366: and
2367: .Li 128.138.242.0 ) .
2368: Of those networks, only
2369: .Li 128.138.204.0
2370: has an explicit netmask (in CIDR notation) indicating it is a class C network.
2371: For the other networks in
2372: .Em CSNETS ,
2373: the local machine's netmask will be used during matching.
2374: .Bd -literal
2375: lisa CUNETS = ALL
2376: .Ed
2377: .Pp
2378: The user
2379: .Sy lisa
2380: may run any command on any host in the
2381: .Em CUNETS
2382: alias (the class B network
2383: .Li 128.138.0.0 ) .
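.Pp
The netmask rule for the
.Em CSNETS
and
.Em CUNETS
entries above has a consequence worth checking: an address entry without an
explicit mask is as wide or as narrow as the local interface's netmask. The
following Python is an added example (not sudo's own matching code): a
simplified model in which
.Li local_netmask
stands in for the interface netmask and host-name entries are compared
case-insensitively without wildcards.

```python
import ipaddress

# Host_Alias definitions taken from the examples in this manual.
HOST_ALIASES = {
    "CUNETS": ["128.138.0.0/255.255.0.0"],
    "CSNETS": ["128.138.243.0", "128.138.204.0/24", "128.138.242.0"],
}


def _is_ipv4(text):
    try:
        ipaddress.IPv4Address(text)
        return True
    except ValueError:
        return False


def host_entry_matches(entry, host_ip, local_netmask, hostname="localhost"):
    """True if the local machine (address host_ip, name hostname) matches one
    sudoers host entry.  local_netmask stands in for the netmask of the local
    interface, which is what sudo falls back to for an address entry that
    carries no explicit mask.  Simplified model, not sudo's own code."""
    if "/" in entry:
        # Explicit mask, in CIDR (/24) or dotted (/255.255.0.0) form; the
        # ipaddress module accepts both spellings after the slash.
        net = ipaddress.ip_network(entry, strict=False)
    elif _is_ipv4(entry):
        # No mask given: the local interface's netmask decides the width.
        net = ipaddress.ip_network(f"{entry}/{local_netmask}", strict=False)
    else:
        return entry.lower() == hostname.lower()   # plain host name entry
    return ipaddress.ip_address(host_ip) in net


def alias_matches(alias, host_ip, local_netmask, hostname="localhost"):
    """True if any entry of the named Host_Alias matches this machine."""
    return any(host_entry_matches(e, host_ip, local_netmask, hostname)
               for e in HOST_ALIASES[alias])


if __name__ == "__main__":
    for mask in ("255.255.255.0", "255.255.0.0"):
        print(mask, "128.138.205.5 in CSNETS:",
              alias_matches("CSNETS", "128.138.205.5", mask))
```

With a /24 interface mask, 128.138.205.5 is outside
.Em CSNETS ;
with a /16 mask the two unmasked entries widen to the whole 128.138.0.0
network and the same host matches. Giving every address entry an explicit
netmask keeps the policy independent of how the interface happens to be
configured.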
2384: .Bd -literal
2385: operator ALL = DUMPS, KILL, SHUTDOWN, HALT, REBOOT, PRINTING,\e
2386: sudoedit /etc/printcap, /usr/oper/bin/
2387: .Ed
2388: .Pp
2389: The
2390: .Sy operator
2391: user may run commands limited to simple maintenance.
2392: Here, those are commands related to backups, killing processes, the
2393: printing system, shutting down the system, and any commands in the
2394: directory
2395: .Pa /usr/oper/bin/ .
2396: .Bd -literal
2397: joe ALL = /usr/bin/su operator
2398: .Ed
2399: .Pp
2400: The user
2401: .Sy joe
2402: may only
2403: .Xr su 1
2404: to operator.
2405: .Bd -literal
2406: pete HPPA = /usr/bin/passwd [A-Za-z]*, !/usr/bin/passwd root
2407:
2408: %opers ALL = (: ADMINGRP) /usr/sbin/
2409: .Ed
2410: .Pp
2411: Users in the
2412: .Sy opers
2413: group may run commands in
2414: .Pa /usr/sbin/
2415: as themselves
2416: with any group in the
2417: .Em ADMINGRP
2418: .Li Runas_Alias
2419: (the
2420: .Sy adm
2421: and
2422: .Sy oper
2423: groups).
2424: .Pp
2425: The user
2426: .Sy pete
2427: is allowed to change anyone's password except for
2428: root on the
2429: .Em HPPA
2430: machines.
2431: Note that this assumes
2432: .Xr passwd 1
2433: does not take multiple user names on the command line.
2434: .Bd -literal
2435: bob SPARC = (OP) ALL : SGI = (OP) ALL
2436: .Ed
2437: .Pp
2438: The user
2439: .Sy bob
2440: may run anything on the
2441: .Em SPARC
2442: and
2443: .Em SGI
2444: machines as any user listed in the
2445: .Em OP
2446: .Li Runas_Alias
2447: .Po
2448: .Sy root
2449: and
2450: .Sy operator
2451: .Pc .
2452: .Bd -literal
2453: jim +biglab = ALL
2454: .Ed
2455: .Pp
2456: The user
2457: .Sy jim
2458: may run any command on machines in the
2459: .Em biglab
2460: netgroup.
2461: .Nm sudo
2462: knows that
2463: .Dq biglab
2464: is a netgroup due to the
2465: .Ql +
2466: prefix.
2467: .Bd -literal
2468: +secretaries ALL = PRINTING, /usr/bin/adduser, /usr/bin/rmuser
2469: .Ed
2470: .Pp
2471: Users in the
2472: .Sy secretaries
2473: netgroup need to help manage the printers as well as add and remove users,
2474: so they are allowed to run those commands on all machines.
2475: .Bd -literal
2476: fred ALL = (DB) NOPASSWD: ALL
2477: .Ed
2478: .Pp
2479: The user
2480: .Sy fred
2481: can run commands as any user in the
2482: .Em DB
2483: .Li Runas_Alias
2484: .Po
2485: .Sy oracle
2486: or
2487: .Sy sybase
2488: .Pc
2489: without giving a password.
2490: .Bd -literal
2491: john ALPHA = /usr/bin/su [!-]*, !/usr/bin/su *root*
2492: .Ed
2493: .Pp
2494: On the
2495: .Em ALPHA
2496: machines, user
2497: .Sy john
2498: may su to anyone except root but he is not allowed to specify any options
2499: to the
2500: .Xr su 1
2501: command.
2502: .Bd -literal
2503: jen ALL, !SERVERS = ALL
2504: .Ed
2505: .Pp
2506: The user
2507: .Sy jen
2508: may run any command on any machine except for those in the
2509: .Em SERVERS
2510: .Li Host_Alias
2511: (master, mail, www and ns).
2512: .Bd -literal
2513: jill SERVERS = /usr/bin/, !SU, !SHELLS
2514: .Ed
2515: .Pp
2516: For any machine in the
2517: .Em SERVERS
2518: .Li Host_Alias ,
2519: .Sy jill
2520: may run
2521: any commands in the directory
2522: .Pa /usr/bin/
2523: except for those commands
2524: belonging to the
2525: .Em SU
2526: and
2527: .Em SHELLS
2528: .Li Cmnd_Aliases .
2529: .Bd -literal
2530: steve CSNETS = (operator) /usr/local/op_commands/
2531: .Ed
2532: .Pp
2533: The user
2534: .Sy steve
2535: may run any command in the directory /usr/local/op_commands/
2536: but only as user operator.
2537: .Bd -literal
2538: matt valkyrie = KILL
2539: .Ed
2540: .Pp
2541: On his personal workstation, valkyrie,
2542: .Sy matt
2543: needs to be able to kill hung processes.
2544: .Bd -literal
2545: WEBMASTERS www = (www) ALL, (root) /usr/bin/su www
2546: .Ed
2547: .Pp
2548: On the host www, any user in the
2549: .Em WEBMASTERS
2550: .Li User_Alias
2551: (will, wendy, and wim), may run any command as user www (which owns the
2552: web pages) or simply
2553: .Xr su 1
2554: to www.
2555: .Bd -literal
2556: ALL CDROM = NOPASSWD: /sbin/umount /CDROM,\e
1.3 ajacouto 2557: /sbin/mount -o nosuid\,nodev /dev/cd0a /CDROM
1.1 millert 2558: .Ed
2559: .Pp
2560: Any user may mount or unmount a CD-ROM on the machines in the CDROM
2561: .Li Host_Alias
2562: (orion, perseus, hercules) without entering a password.
2563: This is a bit tedious for users to type, so it is a prime candidate
2564: for encapsulating in a shell script.
2565: .Sh SECURITY NOTES
2566: .Ss Limitations of the So !\& Sc operator
2567: It is generally not effective to
2568: .Dq subtract
2569: commands from
2570: .Sy ALL
2571: using the
2572: .Ql !\&
2573: operator.
2574: A user can trivially circumvent this by copying the desired command
2575: to a different name and then executing that.
2576: For example:
2577: .Bd -literal
2578: bill ALL = ALL, !SU, !SHELLS
2579: .Ed
2580: .Pp
2581: Doesn't really prevent
2582: .Sy bill
2583: from running the commands listed in
2584: .Em SU
2585: or
2586: .Em SHELLS
2587: since he can simply copy those commands to a different name, or use
2588: a shell escape from an editor or other program.
2589: Therefore, this kind of restriction should be considered
2590: advisory at best (and reinforced by policy).
2591: .Pp
2592: In general, if a user has sudo
2593: .Sy ALL
2594: there is nothing to prevent them from creating their own program that gives
2595: them a root shell (or making their own copy of a shell) regardless of any
2596: .Ql !\&
2597: elements in the user specification.
2598: .Ss Security implications of Em fast_glob
2599: If the
2600: .Em fast_glob
2601: option is in use, it is not possible to reliably negate commands where the
2602: path name includes globbing (aka wildcard) characters.
2603: This is because the C library's
2604: .Xr fnmatch 3
2605: function cannot resolve relative paths.
2606: While this is typically only an inconvenience for rules that grant privileges,
2607: it can result in a security issue for rules that subtract or revoke privileges.
2608: .Pp
2609: For example, given the following
2610: .Em sudoers
2611: entry:
2612: .Bd -literal
2613: john ALL = /usr/bin/passwd [a-zA-Z0-9]*, /usr/bin/chsh [a-zA-Z0-9]*,\e
2614: /usr/bin/chfn [a-zA-Z0-9]*, !/usr/bin/* root
2615: .Ed
2616: .Pp
2617: User
2618: .Sy john
2619: can still run
2620: .Li /usr/bin/passwd root
2621: if
2622: .Em fast_glob
2623: is enabled by changing to
2624: .Pa /usr/bin
2625: and running
2626: .Li ./passwd root
2627: instead.
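.Pp
To check a rule set for this class of mistake before deploying it, the
following added Python example (not sudo's code) models the three ways a
command path is matched: by file identity when the rule path has no
wildcards, by
.Xr glob 3
expansion plus file identity otherwise, and by a plain
.Xr fnmatch 3
string comparison when
.Em fast_glob
is on. The
.Sy john
rule set above is evaluated against a constructed stand-in for
.Pa /usr/bin
holding empty files.

```python
import fnmatch
import glob
import os
import tempfile

_GLOB_CHARS = set("*?[")


def _same_file(rule_path, cmd):
    # sudo compares the sudoers path and the user's command by device and
    # inode; os.path.samefile does the same.  A missing file never matches.
    try:
        return os.path.samefile(rule_path, cmd)
    except OSError:
        return False


def path_matches(rule_path, cmd, fast_glob):
    """Simplified model of sudo's command path matching (added example, not
    sudo's code).  A rule path without wildcards is matched by file identity,
    so ./passwd run from inside /usr/bin still matches /usr/bin/passwd.  A
    rule path with wildcards is expanded with glob(3) and each expansion
    matched by identity, unless fast_glob is on, in which case it is a plain
    fnmatch(3) comparison against the path string the user typed."""
    if not any(c in _GLOB_CHARS for c in rule_path):
        return _same_file(rule_path, cmd)
    if fast_glob:
        return fnmatch.fnmatchcase(cmd, rule_path)
    return any(_same_file(p, cmd) for p in glob.glob(rule_path))


def args_match(rule_args, cmd_args):
    """No args in the rule: anything goes.  Otherwise the user's argument
    string must fnmatch the rule's argument pattern ("" means no args)."""
    if rule_args is None:
        return True
    return fnmatch.fnmatchcase(" ".join(cmd_args), rule_args)


def command_allowed(rules, cmd, cmd_args, fast_glob):
    """rules: list of (negated, rule_path, rule_args) in sudoers order.  The
    last matching entry decides, and a matching '!' entry denies.  No match
    at all is a denial as well."""
    verdict = False
    for negated, rule_path, rule_args in rules:
        if path_matches(rule_path, cmd, fast_glob) and args_match(rule_args, cmd_args):
            verdict = not negated
    return verdict


def run_demo():
    """Evaluate john's rule set against absolute and relative invocations,
    with and without fast_glob, using a constructed stand-in for /usr/bin."""
    with tempfile.TemporaryDirectory() as bindir:
        for name in ("passwd", "chsh", "chfn"):
            open(os.path.join(bindir, name), "w").close()   # empty stand-ins
        rules = [
            (False, f"{bindir}/passwd", "[a-zA-Z0-9]*"),
            (False, f"{bindir}/chsh", "[a-zA-Z0-9]*"),
            (False, f"{bindir}/chfn", "[a-zA-Z0-9]*"),
            (True, f"{bindir}/*", "root"),
        ]
        saved = os.getcwd()
        os.chdir(bindir)                     # the "cd /usr/bin" from the text
        try:
            return {
                "abs_glob": command_allowed(rules, f"{bindir}/passwd", ["root"], False),
                "abs_fast": command_allowed(rules, f"{bindir}/passwd", ["root"], True),
                "rel_glob": command_allowed(rules, "./passwd", ["root"], False),
                "rel_fast": command_allowed(rules, "./passwd", ["root"], True),
                "other_user": command_allowed(rules, f"{bindir}/passwd", ["alice"], False),
            }
        finally:
            os.chdir(saved)


if __name__ == "__main__":
    for case, allowed in run_demo().items():
        print(f"{case:12s} {'allowed' if allowed else 'denied'}")
```

Only the
.Li rel_fast
case comes out allowed: the wildcard-free positive rule still matches the
relative path by file identity, while the negated wildcard rule, reduced to a
string comparison by
.Em fast_glob ,
no longer does. Leaving
.Em fast_glob
off, or avoiding negated wildcard entries altogether, closes the gap.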
2628: .Ss Preventing Shell Escapes
2629: Once
2630: .Nm sudo
2631: executes a program, that program is free to do whatever
2632: it pleases, including run other programs.
2633: This can be a security issue since it is not uncommon for a program to
2634: allow shell escapes, which lets a user bypass
2635: .Nm sudo Ns No 's
2636: access control and logging.
2637: Common programs that permit shell escapes include shells (obviously),
2638: editors, paginators, mail and terminal programs.
2639: .Pp
2640: There are two basic approaches to this problem:
2641: .Bl -tag -width 8n
2642: .It restrict
2643: Avoid giving users access to commands that allow the user to run
2644: arbitrary commands.
2645: Many editors have a restricted mode where shell
2646: escapes are disabled, though
2647: .Nm sudoedit
2648: is a better solution to
2649: running editors via
2650: .Nm sudo .
2651: Due to the large number of programs that
2652: offer shell escapes, restricting users to the set of programs that
2653: do not is often unworkable.
2654: .It noexec
2655: Many systems that support shared libraries have the ability to
2656: override default library functions by pointing an environment
2657: variable (usually
2658: .Ev LD_PRELOAD )
2659: to an alternate shared library.
2660: On such systems,
2661: .Nm sudo Ns No 's
2662: .Em noexec
2663: functionality can be used to prevent a program run by
2664: .Nm sudo
2665: from executing any other programs.
2666: Note, however, that this applies only to native dynamically-linked
2667: executables.
2668: Statically-linked executables and foreign executables
2669: running under binary emulation are not affected.
2670: .Pp
2671: The
2672: .Em noexec
2673: feature is known to work on SunOS, Solaris, *BSD,
2674: Linux, IRIX, Tru64 UNIX, MacOS X, HP-UX 11.x and AIX 5.3 and above.
2675: It should be supported on most operating systems that support the
2676: .Ev LD_PRELOAD
2677: environment variable.
2678: Check your operating system's manual pages for the dynamic linker
2679: (usually ld.so, ld.so.1, dyld, dld.sl, rld, or loader) to see if
2680: .Ev LD_PRELOAD
2681: is supported.
2682: .Pp
2683: To enable
2684: .Em noexec
2685: for a command, use the
2686: .Li NOEXEC
2687: tag as documented
2688: in the User Specification section above.
2689: Here is that example again:
2690: .Bd -literal
2691: aaron shanty = NOEXEC: /usr/bin/more, /usr/bin/vi
2692: .Ed
2693: .Pp
2694: This allows user
2695: .Sy aaron
2696: to run
2697: .Pa /usr/bin/more
2698: and
2699: .Pa /usr/bin/vi
2700: with
2701: .Em noexec
2702: enabled.
2703: This will prevent those two commands from
2704: executing other commands (such as a shell).
2705: If you are unsure whether or not your system is capable of supporting
2706: .Em noexec
2707: you can always just try it out and check whether shell escapes work when
2708: .Em noexec
2709: is enabled.
2710: .El
2711: .Pp
2712: Note that restricting shell escapes is not a panacea.
2713: Programs running as root are still capable of many potentially hazardous
2714: operations (such as changing or overwriting files) that could lead
2715: to unintended privilege escalation.
2716: In the specific case of an editor, a safer approach is to give the
2717: user permission to run
2718: .Nm sudoedit .
2719: .Sh SEE ALSO
2720: .Xr ssh 1 ,
2721: .Xr su 1 ,
2722: .Xr fnmatch 3 ,
2723: .Xr glob 3 ,
2724: .Xr mktemp 3 ,
2725: .Xr strftime 3 ,
2726: .Xr sudoers.ldap @mansectform@ ,
2727: .Xr sudo @mansectsu@ ,
2728: .Xr visudo @mansectsu@
2729: .Sh CAVEATS
2730: The
2731: .Em sudoers
2732: file should
2733: .Sy always
2734: be edited by the
2735: .Nm visudo
2736: command, which locks the file and checks its grammar.
2737: It is
2738: imperative that
2739: .Em sudoers
2740: be free of syntax errors since
2741: .Nm sudo
2742: will not run with a syntactically incorrect
2743: .Em sudoers
2744: file.
2745: .Pp
2746: When using netgroups of machines (as opposed to users), if you
2747: store fully qualified host names in the netgroup (as is usually the
2748: case), you either need to have the machine's host name be fully qualified
2749: as returned by the
2750: .Li hostname
2751: command or use the
2752: .Em fqdn
2753: option in
2754: .Em sudoers .
2755: .Sh BUGS
2756: If you feel you have found a bug in
2757: .Nm sudo ,
2758: please submit a bug report at http://www.sudo.ws/sudo/bugs/
2759: .Sh SUPPORT
2760: Limited free support is available via the sudo-users mailing list,
2761: see http://www.sudo.ws/mailman/listinfo/sudo-users to subscribe or
2762: search the archives.
2763: .Sh DISCLAIMER
2764: .Nm sudo
2765: is provided
2766: .Dq AS IS
2767: and any express or implied warranties, including, but not limited
2768: to, the implied warranties of merchantability and fitness for a
2769: particular purpose are disclaimed.
2770: See the LICENSE file distributed with
2771: .Nm sudo
2772: or http://www.sudo.ws/sudo/license.html for complete details.