| version 1.12, 2008/11/24 15:13:35 |
version 1.13, 2009/04/11 11:48:06 |
|
|
| Agency (DARPA) and Air Force Research Laboratory, Air Force |
Agency (DARPA) and Air Force Research Laboratory, Air Force |
| Materiel Command, USAF, under agreement number F39502-99-1-0512. |
Materiel Command, USAF, under agreement number F39502-99-1-0512. |
| |
|
| $Sudo: sudoers.pod,v 1.154 2008/11/24 15:08:16 millert Exp $ |
$Sudo: sudoers.pod,v 1.163 2009/03/08 15:51:01 millert Exp $ |
| =pod |
=pod |
| |
|
| =head1 NAME |
=head1 NAME |
|
|
| and user Defaults first, then runas Defaults and finally command |
and user Defaults first, then runas Defaults and finally command |
| defaults. |
defaults. |
| |
|
| See L</"SUDOERS OPTIONS"> for a list of supported Defaults parameters. |
See L<"SUDOERS OPTIONS"> for a list of supported Defaults parameters. |
| |
|
| =head2 User Specification |
=head2 User Specification |
| |
|
|
|
| =head2 Wildcards |
=head2 Wildcards |
| |
|
| B<sudo> allows shell-style I<wildcards> (aka meta or glob characters) |
B<sudo> allows shell-style I<wildcards> (aka meta or glob characters) |
| to be used in pathnames as well as command line arguments in the |
to be used in hostnames, pathnames and command line arguments in |
| I<sudoers> file. Wildcard matching is done via the B<POSIX> |
the I<sudoers> file. Wildcard matching is done via the B<POSIX> |
| L<fnmatch(3)> routine. Note that these are I<not> regular expressions. |
L<glob(3)> and L<fnmatch(3)> routines. Note that these are I<not> |
| |
regular expressions. |
| |
|
| =over 8 |
=over 8 |
| |
|
|
|
| |
|
| =back |
=back |
| |
|
| POSIX character classes may also be used if your system's |
POSIX character classes may also be used if your system's L<glob(3)> |
| L<fnmatch(3)> function supports them. However, because the |
and L<fnmatch(3)> functions support them. However, because the |
| C<':'> character has special meaning in I<sudoers>, it must |
C<':'> character has special meaning in I<sudoers>, it must be |
| be escaped. For example: |
escaped. For example: |
| |
|
| /bin/ls [[\:alpha\:]]* |
/bin/ls [[\:alpha\:]]* |
| |
|
|
|
| addition to a per-machine local one. For the sake of this example |
addition to a per-machine local one. For the sake of this example |
| the site-wide I<sudoers> will be F</etc/sudoers> and the per-machine |
the site-wide I<sudoers> will be F</etc/sudoers> and the per-machine |
| one will be F</etc/sudoers.local>. To include F</etc/sudoers.local> |
one will be F</etc/sudoers.local>. To include F</etc/sudoers.local> |
| from F</etc/sudoers> we would use the following line in F</etc/sudoers>: |
from within F</etc/sudoers> we would use the following line in F</etc/sudoers>: |
| |
|
| #include /etc/sudoers.local |
=over 4 |
| |
|
| |
C<#include /etc/sudoers.local> |
| |
|
| |
=back |
| |
|
| When B<sudo> reaches this line it will suspend processing of the |
When B<sudo> reaches this line it will suspend processing of the |
| current file (F</etc/sudoers>) and switch to F</etc/sudoers.local>. |
current file (F</etc/sudoers>) and switch to F</etc/sudoers.local>. |
| Upon reaching the end of F</etc/sudoers.local>, the rest of |
Upon reaching the end of F</etc/sudoers.local>, the rest of |
|
|
| themselves include other files. A hard limit of 128 nested include |
themselves include other files. A hard limit of 128 nested include |
| files is enforced to prevent include file loops. |
files is enforced to prevent include file loops. |
| |
|
| |
The filename may include the C<%h> escape, signifying the short form |
| |
of the hostname. I.e., if the machine's hostname is "xerxes", then |
| |
|
| |
#include /etc/sudoers.%h |
| |
|
| |
will cause B<sudo> to include the file F</etc/sudoers.xerxes>. |
| |
|
| =head2 Other special characters and reserved words |
=head2 Other special characters and reserved words |
| |
|
| The pound sign ('#') is used to indicate a comment (unless it is |
The pound sign ('#') is used to indicate a comment (unless it is |
|
|
| |
|
| =item preserve_groups |
=item preserve_groups |
| |
|
| By default B<sudo> will initialize the group vector to the list of |
By default, B<sudo> will initialize the group vector to the list of |
| groups the target user is in. When I<preserve_groups> is set, the |
groups the target user is in. When I<preserve_groups> is set, the |
| user's existing group vector is left unaltered. The real and |
user's existing group vector is left unaltered. The real and |
| effective group IDs, however, are still set to match the target |
effective group IDs, however, are still set to match the target |
| user. This flag is I<off> by default. |
user. This flag is I<off> by default. |
| |
|
| |
=item pwfeedback |
| |
|
| |
By default, B<sudo> reads the password like most other Unix programs, |
| |
by turning off echo until the user hits the return (or enter) key. |
| |
Some users become confused by this as it appears to them that B<sudo> |
| |
has hung at this point. When I<pwfeedback> is set, B<sudo> will |
| |
provide visual feedback when the user presses a key. Note that |
| |
this does have a security impact as an onlooker may be able to |
| |
determine the length of the password being entered. |
| |
This flag is I<off> by default. |
| |
|
| =item requiretty |
=item requiretty |
| |
|
| If set, B<sudo> will only run when the user is logged in to a real |
If set, B<sudo> will only run when the user is logged in to a real |
|
|
| set, falling back on the shell listed in the invoking user's |
set, falling back on the shell listed in the invoking user's |
| /etc/passwd entry if not). This flag is I<off> by default. |
/etc/passwd entry if not). This flag is I<off> by default. |
| |
|
| |
=item fast_glob |
| |
|
| |
Normally, B<sudo> uses the L<glob(3)> function to do shell-style |
| |
globbing when matching pathnames. However, since it accesses the |
| |
file system, L<glob(3)> can take a long time to complete for some |
| |
patterns, especially when the pattern references a network file |
| |
system that is mounted on demand (automounted). The I<fast_glob> |
| |
option causes B<sudo> to use the L<fnmatch(3)> function, which does |
| |
not access the file system to do its matching. The disadvantage |
| |
of I<fast_glob> is that it is unable to match relative pathnames |
| |
such as F<./ls> or F<../bin/ls>. This flag is I<off> by default. |
| |
|
| =item stay_setuid |
=item stay_setuid |
| |
|
| Normally, when B<sudo> executes a command the real and effective |
Normally, when B<sudo> executes a command the real and effective |
|
|
| file named for the tty the user is logged in on in that directory. |
file named for the tty the user is logged in on in that directory. |
| This flag is I<@tty_tickets@> by default. |
This flag is I<@tty_tickets@> by default. |
| |
|
| |
=item umask_override |
| |
|
| |
If set, B<sudo> will set the umask as specified by I<sudoers> without |
| |
modification. This makes it possible to specify a more permissive |
| |
umask in I<sudoers> than the user's own umask and matches historical |
| |
behavior. If I<umask_override> is not set, B<sudo> will set the |
| |
umask to be the union of the user's umask and what is specified in |
| |
I<sudoers>. This flag is I<off> by default. |
| |
|
| =item use_loginclass |
=item use_loginclass |
| |
|
| If set, B<sudo> will apply the defaults specified for the target user's |
If set, B<sudo> will apply the defaults specified for the target user's |
|
|
| |
|
| =head1 SEE ALSO |
=head1 SEE ALSO |
| |
|
| L<rsh(1)>, L<su(1)>, L<fnmatch(3)>, L<sudo(8)>, L<visudo(8)> |
L<rsh(1)>, L<su(1)>, L<fnmatch(3)>, L<glob(3)>, L<sudo(8)>, L<visudo(8)> |
| |
|
| =head1 CAVEATS |
=head1 CAVEATS |
| |
|
![[BACK]](/icons/back.gif){kind=icon}
Return to sudoers.pod CVS log ![[TXT]](/icons/text.gif){kind=icon}
![[DIR]](/icons/dir.gif){kind=icon}
Up to [local] / src / usr.bin / sudo