version 1.12, 2008/11/24 15:13:35 |
version 1.13, 2009/04/11 11:48:06 |
|
|
Agency (DARPA) and Air Force Research Laboratory, Air Force |
Agency (DARPA) and Air Force Research Laboratory, Air Force |
Materiel Command, USAF, under agreement number F39502-99-1-0512. |
Materiel Command, USAF, under agreement number F39502-99-1-0512. |
|
|
$Sudo: sudoers.pod,v 1.154 2008/11/24 15:08:16 millert Exp $ |
$Sudo: sudoers.pod,v 1.163 2009/03/08 15:51:01 millert Exp $ |
=pod |
=pod |
|
|
=head1 NAME |
=head1 NAME |
|
|
and user Defaults first, then runas Defaults and finally command |
and user Defaults first, then runas Defaults and finally command |
defaults. |
defaults. |
|
|
See L</"SUDOERS OPTIONS"> for a list of supported Defaults parameters. |
See L<"SUDOERS OPTIONS"> for a list of supported Defaults parameters. |
|
|
=head2 User Specification |
=head2 User Specification |
|
|
|
|
=head2 Wildcards |
=head2 Wildcards |
|
|
B<sudo> allows shell-style I<wildcards> (aka meta or glob characters) |
B<sudo> allows shell-style I<wildcards> (aka meta or glob characters) |
to be used in pathnames as well as command line arguments in the |
to be used in hostnames, pathnames and command line arguments in |
I<sudoers> file. Wildcard matching is done via the B<POSIX> |
the I<sudoers> file. Wildcard matching is done via the B<POSIX> |
L<fnmatch(3)> routine. Note that these are I<not> regular expressions. |
L<glob(3)> and L<fnmatch(3)> routines. Note that these are I<not> |
|
regular expressions. |
|
|
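Review bot: the revised Wildcards paragraph now names both L<glob(3)> and L<fnmatch(3)> but does not say which routine is used when, even though the new I<fast_glob> option added further down in this same change documents exactly that switch. Suggest a sentence after "Note that these are I<not> regular expressions." along the lines of "Pathnames are matched with L<glob(3)> unless I<fast_glob> is set, in which case L<fnmatch(3)> is used; see L<"SUDOERS OPTIONS">", so a reader learns that a relative pathname in a rule can match under one setting and not the other. The same hunk also adds hostnames to the places where wildcards are accepted; since a host pattern decides on which machines a rule is live, say which of the two routines hostname matching goes through.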
=over 8 |
=over 8 |
|
|
|
|
|
|
=back |
=back |
|
|
POSIX character classes may also be used if your system's |
POSIX character classes may also be used if your system's L<glob(3)> |
L<fnmatch(3)> function supports them. However, because the |
and L<fnmatch(3)> functions support them. However, because the |
C<':'> character has special meaning in I<sudoers>, it must |
C<':'> character has special meaning in I<sudoers>, it must be |
be escaped. For example: |
escaped. For example: |
|
|
/bin/ls [[\:alpha\:]]* |
/bin/ls [[\:alpha\:]]* |
|
|
|
|
addition to a per-machine local one. For the sake of this example |
addition to a per-machine local one. For the sake of this example |
the site-wide I<sudoers> will be F</etc/sudoers> and the per-machine |
the site-wide I<sudoers> will be F</etc/sudoers> and the per-machine |
one will be F</etc/sudoers.local>. To include F</etc/sudoers.local> |
one will be F</etc/sudoers.local>. To include F</etc/sudoers.local> |
from F</etc/sudoers> we would use the following line in F</etc/sudoers>: |
from within F</etc/sudoers> we would use the following line in F</etc/sudoers>: |
|
|
#include /etc/sudoers.local |
=over 4 |
|
|
|
C<#include /etc/sudoers.local> |
|
|
|
=back |
|
|
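Review bot: the #include example is switched from an indented verbatim paragraph to `=over 4` / `C<#include /etc/sudoers.local>` / `=back`, but the new `#include /etc/sudoers.%h` example added later in this file still uses the indented verbatim form, so the two examples render differently (inline code inside an indented block versus a code block). Pick one convention for both; since the rest of the file shows I<sudoers> fragments as indented verbatim paragraphs, keeping this one as plain `    #include /etc/sudoers.local` is the smaller change.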
When B<sudo> reaches this line it will suspend processing of the |
When B<sudo> reaches this line it will suspend processing of the |
current file (F</etc/sudoers>) and switch to F</etc/sudoers.local>. |
current file (F</etc/sudoers>) and switch to F</etc/sudoers.local>. |
Upon reaching the end of F</etc/sudoers.local>, the rest of |
Upon reaching the end of F</etc/sudoers.local>, the rest of |
|
|
themselves include other files. A hard limit of 128 nested include |
themselves include other files. A hard limit of 128 nested include |
files is enforced to prevent include file loops. |
files is enforced to prevent include file loops. |
|
|
|
The filename may include the C<%h> escape, signifying the short form |
|
of the hostname. I.e., if the machine's hostname is "xerxes", then |
|
|
|
#include /etc/sudoers.%h |
|
|
|
will cause B<sudo> to include the file F</etc/sudoers.xerxes>. |
|
|
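Review bot: the new paragraph on the C<%h> escape does not say what happens when the expanded file (F</etc/sudoers.xerxes> in the example) does not exist on a given host, which is the normal case when a per-host include line is shipped to every machine; state whether B<sudo> treats a missing include as a parse error, which would block all sudo use on hosts that lack the file, or skips it. Also define "short form of the hostname" explicitly (the hostname with the domain part removed) so readers know that hosts with the same short name in different domains will pick up the same include file.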
=head2 Other special characters and reserved words |
=head2 Other special characters and reserved words |
|
|
The pound sign ('#') is used to indicate a comment (unless it is |
The pound sign ('#') is used to indicate a comment (unless it is |
|
|
|
|
=item preserve_groups |
=item preserve_groups |
|
|
By default B<sudo> will initialize the group vector to the list of |
By default, B<sudo> will initialize the group vector to the list of |
groups the target user is in. When I<preserve_groups> is set, the |
groups the target user is in. When I<preserve_groups> is set, the |
user's existing group vector is left unaltered. The real and |
user's existing group vector is left unaltered. The real and |
effective group IDs, however, are still set to match the target |
effective group IDs, however, are still set to match the target |
user. This flag is I<off> by default. |
user. This flag is I<off> by default. |
|
|
|
=item pwfeedback |
|
|
|
By default, B<sudo> reads the password like most other Unix programs, |
|
by turning off echo until the user hits the return (or enter) key. |
|
Some users become confused by this as it appears to them that B<sudo> |
|
has hung at this point. When I<pwfeedback> is set, B<sudo> will |
|
provide visual feedback when the user presses a key. Note that |
|
this does have a security impact as an onlooker may be able to |
|
determine the length of the password being entered. |
|
This flag is I<off> by default. |
|
|
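Review bot: the new I<pwfeedback> item says B<sudo> "will provide visual feedback when the user presses a key" without saying what that feedback is; state what is printed per keystroke so administrators can weigh it against the security note that follows. That note is the important part of the item and should stay as written: the length leak is the whole trade-off, and with it stated the documented default of I<off> is the right one.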
=item requiretty |
=item requiretty |
|
|
If set, B<sudo> will only run when the user is logged in to a real |
If set, B<sudo> will only run when the user is logged in to a real |
|
|
set, falling back on the shell listed in the invoking user's |
set, falling back on the shell listed in the invoking user's |
/etc/passwd entry if not). This flag is I<off> by default. |
/etc/passwd entry if not). This flag is I<off> by default. |
|
|
|
=item fast_glob |
|
|
|
Normally, B<sudo> uses the L<glob(3)> function to do shell-style |
|
globbing when matching pathnames. However, since it accesses the |
|
file system, L<glob(3)> can take a long time to complete for some |
|
patterns, especially when the pattern references a network file |
|
system that is mounted on demand (automounted). The I<fast_glob> |
|
option causes B<sudo> to use the L<fnmatch(3)> function, which does |
|
not access the file system to do its matching. The disadvantage |
|
of I<fast_glob> is that it is unable to match relative pathnames |
|
such as F<./ls> or F<../bin/ls>. This flag is I<off> by default. |
|
|
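Review bot: the I<fast_glob> item calls the inability to match relative pathnames such as F<./ls> or F<../bin/ls> only a "disadvantage"; spell out the policy consequence, namely that any existing I<sudoers> rule whose command is written as a relative path silently stops matching once I<fast_glob> is set, so administrators should check their rules for such entries before enabling it. Saying that L<fnmatch(3)> "does not access the file system" would also be clearer as "compares the pattern against the command string only, without resolving it on disk", since that is the property that explains both the speed gain and the relative-path limitation.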
=item stay_setuid |
=item stay_setuid |
|
|
Normally, when B<sudo> executes a command the real and effective |
Normally, when B<sudo> executes a command the real and effective |
|
|
file named for the tty the user is logged in on in that directory. |
file named for the tty the user is logged in on in that directory. |
This flag is I<@tty_tickets@> by default. |
This flag is I<@tty_tickets@> by default. |
|
|
|
=item umask_override |
|
|
|
If set, B<sudo> will set the umask as specified by I<sudoers> without |
|
modification. This makes it possible to specify a more permissive |
|
umask in I<sudoers> than the user's own umask and matches historical |
|
behavior. If I<umask_override> is not set, B<sudo> will set the |
|
umask to be the union of the user's umask and what is specified in |
|
I<sudoers>. This flag is I<off> by default. |
|
|
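Review bot: "the union of the user's umask and what is specified in I<sudoers>" is ambiguous, because a umask lists permission bits to remove, so "union" reads as more permissive to some readers when the result is in fact more restrictive; suggest "the bitwise OR of the user's umask and the I<sudoers> umask, so any permission masked out by either is masked out". That also makes the first sentence's point explicit: I<umask_override> is the only way a I<sudoers> umask can grant permissions the invoking user's own umask would deny, which is why I<off> is the right default to document.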
=item use_loginclass |
=item use_loginclass |
|
|
If set, B<sudo> will apply the defaults specified for the target user's |
If set, B<sudo> will apply the defaults specified for the target user's |
|
|
|
|
=head1 SEE ALSO |
=head1 SEE ALSO |
|
|
L<rsh(1)>, L<su(1)>, L<fnmatch(3)>, L<sudo(8)>, L<visudo(8)> |
L<rsh(1)>, L<su(1)>, L<fnmatch(3)>, L<glob(3)>, L<sudo(8)>, L<visudo(8)> |
|
|
=head1 CAVEATS |
=head1 CAVEATS |
|
|