version 1.9, 2008/07/31 16:44:03 |
version 1.10, 2008/11/14 11:58:08 |
|
|
Copyright (c) 1994-1996, 1998-2005, 2007 |
Copyright (c) 1994-1996, 1998-2005, 2007-2008 |
Todd C. Miller <Todd.Miller@courtesan.com> |
Todd C. Miller <Todd.Miller@courtesan.com> |
|
|
Permission to use, copy, modify, and distribute this software for any |
Permission to use, copy, modify, and distribute this software for any |
|
|
Agency (DARPA) and Air Force Research Laboratory, Air Force |
Agency (DARPA) and Air Force Research Laboratory, Air Force |
Materiel Command, USAF, under agreement number F39502-99-1-0512. |
Materiel Command, USAF, under agreement number F39502-99-1-0512. |
|
|
$Sudo: sudoers.pod,v 1.95.2.27 2008/07/12 12:49:04 millert Exp $ |
$Sudo: sudoers.pod,v 1.152 2008/11/09 14:13:13 millert Exp $ |
=pod |
=pod |
|
|
=head1 NAME |
=head1 NAME |
|
|
User ',' User_List |
User ',' User_List |
|
|
User ::= '!'* username | |
User ::= '!'* username | |
|
'!'* '#'uid | |
'!'* '%'group | |
'!'* '%'group | |
'!'* '+'netgroup | |
'!'* '+'netgroup | |
'!'* User_Alias |
'!'* User_Alias |
|
|
A C<User_List> is made up of one or more usernames, system groups |
A C<User_List> is made up of one or more usernames, uids (prefixed |
(prefixed with '%'), netgroups (prefixed with '+') and other aliases. |
with '#'), system groups (prefixed with '%'), netgroups (prefixed |
Each list item may be prefixed with one or more '!' operators. |
with '+') and C<User_Alias>es. Each list item may be prefixed with |
An odd number of '!' operators negate the value of the item; an even |
zero or more '!' operators. An odd number of '!' operators negate |
number just cancel each other out. |
the value of the item; an even number just cancel each other out. |
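Review bot: subject-verb agreement in the new sentence at the end of this region: "An odd number of '!' operators negate the value of the item; an even number just cancel each other out" should read "negates" and "cancels", since the subject of each clause is "number". The substantive change is right: the old "one or more '!' operators" contradicted the grammar's '!'* (which already allowed zero), and the new "zero or more" matches it, as does the new '!'* '#'uid alternative in the User rule above.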
|
|
Runas_List ::= Runas_User | |
Runas_List ::= Runas_Member | |
Runas_User ',' Runas_List |
Runas_Member ',' Runas_List |
|
|
Runas_User ::= '!'* username | |
Runas_Member ::= '!'* username | |
'!'* '#'uid | |
'!'* '#'uid | |
'!'* '%'group | |
'!'* '%'group | |
'!'* +netgroup | |
'!'* +netgroup | |
'!'* Runas_Alias |
'!'* Runas_Alias |
|
|
A C<Runas_List> is similar to a C<User_List> except that it can |
A C<Runas_List> is similar to a C<User_List> except that instead |
also contain uids (prefixed with '#') and instead of C<User_Alias>es |
of C<User_Alias>es it can contain C<Runas_Alias>es. Note that |
it can contain C<Runas_Alias>es. Note that usernames and groups |
usernames and groups are matched as strings. In other words, two |
are matched as strings. In other words, two users (groups) with |
users (groups) with the same uid (gid) are considered to be distinct. |
the same uid (gid) are considered to be distinct. If you wish to |
If you wish to match all usernames with the same uid (e.g.E<nbsp>root |
match all usernames with the same uid (e.g.E<nbsp>root and toor), you |
and toor), you can use a uid instead (#0 in the example given). |
can use a uid instead (#0 in the example given). |
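Review bot: the note that "usernames and groups are matched as strings" and that two users with the same uid "are considered to be distinct" now applies to User_List as much as to Runas_List, because this change adds '#'uid entries to User_List as well. Since the sentence survives only under Runas_List, a reader defining a User_List with '#0' will not see it; suggest repeating the string-matching caveat in the User_List paragraph or moving it to a shared spot that both definitions reference.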
|
|
|
Host_List ::= Host | |
Host_List ::= Host | |
Host ',' Host_List |
Host ',' Host_List |
|
|
Certain configuration options may be changed from their default |
Certain configuration options may be changed from their default |
values at runtime via one or more C<Default_Entry> lines. These |
values at runtime via one or more C<Default_Entry> lines. These |
may affect all users on any host, all users on a specific host, a |
may affect all users on any host, all users on a specific host, a |
specific user, or commands being run as a specific user. |
specific user, a specific command, or commands being run as a specific user. |
|
Note that per-command entries may not include command line arguments. |
|
If you need to specify arguments, define a C<Cmnd_Alias> and reference |
|
that instead. |
|
|
Default_Type ::= 'Defaults' | |
Default_Type ::= 'Defaults' | |
'Defaults' '@' Host_List | |
'Defaults' '@' Host_List | |
'Defaults' ':' User_List | |
'Defaults' ':' User_List | |
|
'Defaults' '!' Cmnd_List | |
'Defaults' '>' Runas_List |
'Defaults' '>' Runas_List |
|
|
Default_Entry ::= Default_Type Parameter_List |
Default_Entry ::= Default_Type Parameter_List |
|
|
It is not an error to use the C<-=> operator to remove an element |
It is not an error to use the C<-=> operator to remove an element |
that does not exist in a list. |
that does not exist in a list. |
|
|
|
Defaults entries are parsed in the following order: generic, host |
|
and user Defaults first, then runas Defaults and finally command |
|
defaults. |
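Review bot: the new paragraph states the parse order ("generic, host and user Defaults first, then runas Defaults and finally command defaults") but not what the order means for conflicting entries. Say explicitly that an entry parsed later overrides an earlier one for the same parameter; otherwise an administrator cannot tell from this text whether a per-command Defaults wins over a per-user one.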
|
|
See L</"SUDOERS OPTIONS"> for a list of supported Defaults parameters. |
See L</"SUDOERS OPTIONS"> for a list of supported Defaults parameters. |
|
|
=head2 User Specification |
=head2 User Specification |
|
|
|
|
Cmnd_Spec ::= Runas_Spec? Tag_Spec* Cmnd |
Cmnd_Spec ::= Runas_Spec? Tag_Spec* Cmnd |
|
|
Runas_Spec ::= '(' Runas_List ')' |
Runas_Spec ::= '(' Runas_List? (: Runas_List)? ')' |
|
|
Tag_Spec ::= ('NOPASSWD:' | 'PASSWD:' | 'NOEXEC:' | 'EXEC:' | |
Tag_Spec ::= ('NOPASSWD:' | 'PASSWD:' | 'NOEXEC:' | 'EXEC:' | |
'SETENV:' | 'NOSETENV:') |
'SETENV:' | 'NOSETENV:' ) |
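Review bot: inconsistent quoting of a literal in the new Runas_Spec rule: `'(' Runas_List? (: Runas_List)? ')'` quotes the parentheses but not the colon, while every other literal token in this grammar (including ',' and '!' above) is single-quoted. Suggest `'(' Runas_List? (':' Runas_List)? ')'` so the colon reads as a terminal rather than as part of the EBNF grouping.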
|
|
A B<user specification> determines which commands a user may run |
A B<user specification> determines which commands a user may run |
(and as what user) on specified hosts. By default, commands are |
(and as what user) on specified hosts. By default, commands are |
|
|
|
|
=head2 Runas_Spec |
=head2 Runas_Spec |
|
|
A C<Runas_Spec> is simply a C<Runas_List> (as defined above) |
A C<Runas_Spec> determines the user and/or the group that a command |
enclosed in a set of parentheses. If you do not specify a |
may be run as. A fully-specified C<Runas_Spec> consists of two |
C<Runas_Spec> in the user specification, a default C<Runas_Spec> |
C<Runas_List>s (as defined above) separated by a colon (':') and |
of B<root> will be used. A C<Runas_Spec> sets the default for |
enclosed in a set of parentheses. The first C<Runas_List> indicates |
commands that follow it. What this means is that for the entry: |
which users the command may be run as via B<sudo>'s B<-u> flag. |
|
The second defines a list of groups that can be specified via |
|
B<sudo>'s B<-g> flag. If both C<Runas_List>s are specified, the |
|
command may be run with any combination of users and groups listed |
|
in their respective C<Runas_List>s. If only the first is specified, |
|
the command may be run as any user in the list but no B<-g> flag |
|
may be specified. If the first C<Runas_List> is empty but the |
|
second is specified, the command may be run as the invoking user |
|
with the group set to any listed in the C<Runas_List>. If no |
|
C<Runas_Spec> is specified the command may be run as B<root> and |
|
no group may be specified. |
|
|
|
A C<Runas_Spec> sets the default for the commands that follow it. |
|
What this means is that for the entry: |
|
|
dgb boulder = (operator) /bin/ls, /bin/kill, /usr/bin/lprm |
dgb boulder = (operator) /bin/ls, /bin/kill, /usr/bin/lprm |
|
|
The user B<dgb> may run F</bin/ls>, F</bin/kill>, and |
The user B<dgb> may run F</bin/ls>, F</bin/kill>, and |
|
|
Then user B<dgb> is now allowed to run F</bin/ls> as B<operator>, |
Then user B<dgb> is now allowed to run F</bin/ls> as B<operator>, |
but F</bin/kill> and F</usr/bin/lprm> as B<root>. |
but F</bin/kill> and F</usr/bin/lprm> as B<root>. |
|
|
|
We can extend this to allow B<dgb> to run C</bin/ls> with either |
|
the user or group set to B<operator>: |
|
|
|
dgb boulder = (operator : operator) /bin/ls, (root) /bin/kill, \ |
|
/usr/bin/lprm |
|
|
|
In the following example, user B<tcm> may run commands that access |
|
a modem device file with the dialer group. Note that in this example |
|
only the group will be set, the command still runs as user B<tcm>. |
|
|
|
tcm boulder = (:dialer) /usr/bin/tip, /usr/bin/cu, \ |
|
/usr/local/bin/minicom |
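Review bot: the two new examples spell the user/group separator differently, `(operator : operator)` with spaces and `(:dialer)` without, and the prose never says that whitespace around the colon is optional. Either normalise the examples or add a sentence stating that both forms are accepted, so the reader does not infer a syntactic difference. It would also help to state, for the `(:dialer)` form, whether the invoking user may still pass -u at all, since the text only says the command "may be run as the invoking user".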
|
|
=head2 Tag_Spec |
=head2 Tag_Spec |
|
|
A command may have zero or more tags associated with it. There are |
A command may have zero or more tags associated with it. There are |
six possible tag values, C<NOPASSWD>, C<PASSWD>, C<NOEXEC>, C<EXEC>, |
eight possible tag values, C<NOPASSWD>, C<PASSWD>, C<NOEXEC>, C<EXEC>, |
C<SETENV> and C<NOSETENV>. |
C<SETENV> and C<NOSETENV>. |
Once a tag is set on a C<Cmnd>, subsequent C<Cmnd>s in the |
Once a tag is set on a C<Cmnd>, subsequent C<Cmnd>s in the |
C<Cmnd_Spec_List>, inherit the tag unless it is overridden by the |
C<Cmnd_Spec_List>, inherit the tag unless it is overridden by the |
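Review bot: the count and the list disagree in the new text: "eight possible tag values" is followed by only six names (NOPASSWD, PASSWD, NOEXEC, EXEC, SETENV and NOSETENV), and the Tag_Spec rule in the grammar region above likewise enumerates six. Either the count should revert to "six" or the two missing tags need to be named here and added to the grammar.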
|
|
|
|
=back |
=back |
|
|
|
POSIX character classes may also be used if your system's |
|
L<fnmatch(3)> function supports them. However, because the |
|
C<':'> character has special meaning in I<sudoers>, it must |
|
be escaped. For example: |
|
|
|
/bin/ls [[\:alpha\:]]* |
|
|
|
Would match any filename beginning with a letter. |
|
|
Note that a forward slash ('/') will B<not> be matched by |
Note that a forward slash ('/') will B<not> be matched by |
wildcards used in the pathname. When matching the command |
wildcards used in the pathname. When matching the command |
line arguments, however, a slash B<does> get matched by |
line arguments, however, a slash B<does> get matched by |
|
|
|
|
=back |
=back |
|
|
|
=head2 Including other files from within sudoers |
|
|
|
It is possible to include other I<sudoers> files from within the |
|
I<sudoers> file currently being parsed using the C<#include> |
|
directive, similar to the one used by the C preprocessor. This is |
|
useful, for example, for keeping a site-wide I<sudoers> file in |
|
addition to a per-machine local one. For the sake of this example |
|
the site-wide I<sudoers> will be F</etc/sudoers> and the per-machine |
|
one will be F</etc/sudoers.local>. To include F</etc/sudoers.local> |
|
from F</etc/sudoers> we would use the following line in F</etc/sudoers>: |
|
|
|
#include /etc/sudoers.local |
|
|
|
When B<sudo> reaches this line it will suspend processing of the |
|
current file (F</etc/sudoers>) and switch to F</etc/sudoers.local>. |
|
Upon reaching the end of F</etc/sudoers.local>, the rest of |
|
F</etc/sudoers> will be processed. Files that are included may |
|
themselves include other files. A hard limit of 128 nested include |
|
files is enforced to prevent include file loops. |
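Review bot: the new #include section says nothing about what checks apply to the included file. A reader will want to know whether /etc/sudoers.local must satisfy the same ownership and mode requirements as /etc/sudoers (and whether visudo validates it), and how a relative path after #include is resolved; as written, an administrator could assume a world-writable include is rejected without this text confirming it. Also consider stating the consequence of exceeding the 128-file nesting limit (parse error versus silent stop).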
|
|
=head2 Other special characters and reserved words |
=head2 Other special characters and reserved words |
|
|
The pound sign ('#') is used to indicate a comment (unless it is |
The pound sign ('#') is used to indicate a comment (unless it is |
|
|
may be overridden via the C<PASSWD> and C<NOPASSWD> tags. |
may be overridden via the C<PASSWD> and C<NOPASSWD> tags. |
This flag is I<on> by default. |
This flag is I<on> by default. |
|
|
|
=item closefrom_override |
|
|
|
If set, the user may use B<sudo>'s B<-C> option which |
|
overrides the default starting point at which B<sudo> begins |
|
closing open file descriptors. This flag is I<off> by default. |
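Review bot: the new closefrom_override flag refers to "the default starting point at which sudo begins closing open file descriptors" without naming the option that sets it; add a cross-reference to the new closefrom integer option in the Integers section so the two are read together. Keeping this off by default is the right choice, since enabling it lets the invoking user decide which descriptors survive into the privileged command.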
|
|
=item env_editor |
=item env_editor |
|
|
If set, B<visudo> will use the value of the EDITOR or VISUAL |
If set, B<visudo> will use the value of the EDITOR or VISUAL |
|
|
variables in the caller's environment that match the C<env_keep> |
variables in the caller's environment that match the C<env_keep> |
and C<env_check> lists are then added. The default contents of the |
and C<env_check> lists are then added. The default contents of the |
C<env_keep> and C<env_check> lists are displayed when B<sudo> is |
C<env_keep> and C<env_check> lists are displayed when B<sudo> is |
run by root with the I<-V> option. If B<sudo> was compiled with |
run by root with the I<-V> option. If the I<secure_path> option |
the C<SECURE_PATH> option, its value will be used for the C<PATH> |
is set, its value will be used for the C<PATH> environment variable. |
environment variable. This flag is I<on> by default. |
This flag is I<on> by default. |
|
|
=item fqdn |
=item fqdn |
|
|
|
|
|
|
If set, B<sudo> will ignore '.' or '' (current dir) in the C<PATH> |
If set, B<sudo> will ignore '.' or '' (current dir) in the C<PATH> |
environment variable; the C<PATH> itself is not modified. This |
environment variable; the C<PATH> itself is not modified. This |
flag is I<@ignore_dot@> by default. Currently, while it is possible |
flag is I<@ignore_dot@> by default. |
to set I<ignore_dot> in I<sudoers>, its value is not used. This option |
|
should be considered read-only (it will be fixed in a future version |
|
of B<sudo>). |
|
|
|
=item ignore_local_sudoers |
=item ignore_local_sudoers |
|
|
|
|
=item requiretty |
=item requiretty |
|
|
If set, B<sudo> will only run when the user is logged in to a real |
If set, B<sudo> will only run when the user is logged in to a real |
tty. This will disallow things like C<"rsh somehost sudo ls"> since |
tty. When this flag is set, B<sudo> can only be run from a login |
L<rsh(1)> does not allocate a tty. Because it is not possible to turn |
session and not via other means such as L<cron(8)> or cgi-bin scripts. |
off echo when there is no tty present, some sites may wish to set |
This flag is I<off> by default. |
this flag to prevent a user from entering a visible password. This |
|
flag is I<off> by default. |
|
|
|
=item root_sudo |
=item root_sudo |
|
|
|
|
login class if one exists. Only available if B<sudo> is configured with |
login class if one exists. Only available if B<sudo> is configured with |
the --with-logincap option. This flag is I<off> by default. |
the --with-logincap option. This flag is I<off> by default. |
|
|
|
=item visiblepw |
|
|
|
By default, B<sudo> will refuse to run if the user must enter a |
|
password but it is not possible to disable echo on the terminal. |
|
If the I<visiblepw> flag is set, B<sudo> will prompt for a password |
|
even when it would be visible on the screen. This makes it possible |
|
to run things like C<"rsh somehost sudo ls"> since L<rsh(1)> does |
|
not allocate a tty. This flag is I<off> by default. |
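Review bot: the rsh/no-tty rationale was removed from requiretty and reappears under the new visiblepw flag, but neither entry now points at the other. Since requiretty no longer mentions password echo and visiblepw is the flag that actually controls the echo-off refusal, add a cross-reference from requiretty to visiblepw (and vice versa) so an administrator looking for the old "prevent a visible password" behaviour finds the flag that now governs it.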
|
|
=back |
=back |
|
|
B<Integers>: |
B<Integers>: |
|
|
=over 16 |
=over 16 |
|
|
|
=item closefrom |
|
|
|
Before it executes a command, B<sudo> will close all open file |
|
descriptors other than standard input, standard output and standard |
|
error (ie: file descriptors 0-2). The I<closefrom> option can be used |
|
to specify a different file descriptor at which to start closing. |
|
The default is C<3>. |
|
|
=item passwd_tries |
=item passwd_tries |
|
|
The number of tries a user gets to enter his/her password before |
The number of tries a user gets to enter his/her password before |
|
|
=item umask |
=item umask |
|
|
Umask to use when running the command. Negate this option or set |
Umask to use when running the command. Negate this option or set |
it to 0777 to preserve the user's umask. The default is C<@sudo_umask@>. |
it to 0777 to preserve the user's umask. The actual umask that is |
|
used will be the union of the user's umask and C<@sudo_umask@>. |
|
This guarantees that B<sudo> never lowers the umask when running a |
|
command. Note on systems that use PAM, the default PAM configuration |
|
may specify its own umask which will override the value set in |
|
I<sudoers>. |
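Review bot: the umask text is self-contradictory as written. It keeps "set it to 0777 to preserve the user's umask" but adds that "the actual umask that is used will be the union of the user's umask and @sudo_umask@"; taken literally, a union with 0777 would clear every permission bit rather than preserve anything. If 0777 is a sentinel meaning "do not apply a sudoers umask", say so explicitly, and state that "union" means bitwise OR of the two masks, which is what makes the "never lowers the umask" guarantee hold.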
|
|
=back |
=back |
|
|
|
|
Syslog priority to use when user authenticates successfully. |
Syslog priority to use when user authenticates successfully. |
Defaults to C<@goodpri@>. |
Defaults to C<@goodpri@>. |
|
|
|
=item sudoers_locale |
|
|
|
Locale to use when parsing the sudoers file. Note that changing |
|
the locale may affect how sudoers is interpreted. |
|
Defaults to C<"C">. |
|
|
=item timestampdir |
=item timestampdir |
|
|
The directory in which B<sudo> stores its timestamp files. |
The directory in which B<sudo> stores its timestamp files. |
|
|
|
|
=over 12 |
=over 12 |
|
|
|
=item askpass |
|
|
|
The I<askpass> option specifies the fully-qualilfy path to a helper |
|
program used to read the user's password when no terminal is |
|
available. This may be the case when B<sudo> is executed from a |
|
graphical (as opposed to text-based) application. The program |
|
specified by I<askpass> should display the argument passed to it |
|
as the prompt and write the user's password to the standard output. |
|
The value of I<askpass> may be overridden by the C<SUDO_ASKPASS> |
|
environment variable. |
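Review bot: typo in the first sentence of the new askpass entry: "fully-qualilfy path" should be "fully-qualified path". The precedence statement at the end ("may be overridden by the SUDO_ASKPASS environment variable") is worth keeping prominent, since it means the sudoers value is a default rather than a policy limit.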
|
|
|
=item env_file |
|
|
|
The I<env_file> options specifies the fully-qualilfy path to a file |
|
containing variables to be set in the environment of the program |
|
being run. Entries in this file should be of the form C<VARIABLE=value>. |
|
Variables in this file are subject to other B<sudo> environment |
|
settings such as I<env_keep> and I<env_check>. |
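Review bot: two wording errors in the new env_file entry: "The env_file options specifies" should be "The env_file option specifies", and "fully-qualilfy path" should be "fully-qualified path". It would also help to say whether the file is read before or after env_reset and the env_keep/env_check filtering, since "subject to other sudo environment settings" leaves the order ambiguous.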
|
|
=item exempt_group |
=item exempt_group |
|
|
Users in this group are exempt from password and PATH requirements. |
Users in this group are exempt from password and PATH requirements. |
|
|
Path to mail program used to send warning mail. |
Path to mail program used to send warning mail. |
Defaults to the path to sendmail found at configure time. |
Defaults to the path to sendmail found at configure time. |
|
|
|
=item mailfrom |
|
|
|
Address to use for the "from" address when sending warning and error |
|
mail. The address should be enclosed in double quotes (C<">) to |
|
protect against B<sudo> interpreting the C<@> sign. Defaults to |
|
the name of the user running B<sudo>. |
|
|
=item mailto |
=item mailto |
|
|
Address to send warning and error mail to. The address should |
Address to send warning and error mail to. The address should |
be enclosed in double quotes (C<">) to protect against B<sudo> |
be enclosed in double quotes (C<">) to protect against B<sudo> |
interpreting the C<@> sign. Defaults to C<@mailto@>. |
interpreting the C<@> sign. Defaults to C<@mailto@>. |
|
|
|
=item secure_path |
|
|
|
Path used for every command run from B<sudo>. If you don't trust the |
|
people running B<sudo> to have a sane C<PATH> environment variable you may |
|
want to use this. Another use is if you want to have the "root path" |
|
be separate from the "user path." Users in the group specified by the |
|
I<exempt_group> option are not affected by I<secure_path>. |
|
This is not set by default. |
|
|
=item syslog |
=item syslog |
|
|
Syslog facility if syslog is being used for logging (negate to |
Syslog facility if syslog is being used for logging (negate to |
|
|
|
|
=head1 EXAMPLES |
=head1 EXAMPLES |
|
|
Since the I<sudoers> file is parsed in a single pass, order is |
|
important. In general, you should structure I<sudoers> such that |
|
the C<Host_Alias>, C<User_Alias>, and C<Cmnd_Alias> specifications |
|
come first, followed by any C<Default_Entry> lines, and finally the |
|
C<Runas_Alias> and user specifications. The basic rule of thumb |
|
is you cannot reference an Alias that has not already been defined. |
|
|
|
Below are example I<sudoers> entries. Admittedly, some of |
Below are example I<sudoers> entries. Admittedly, some of |
these are a bit contrived. First, we define our I<aliases>: |
these are a bit contrived. First, we define our I<aliases>: |
|
|
|
|
|
|
The user B<joe> may only L<su(1)> to operator. |
The user B<joe> may only L<su(1)> to operator. |
|
|
pete HPPA = /usr/bin/passwd [A-z]*, !/usr/bin/passwd root |
pete HPPA = /usr/bin/passwd [A-Za-z]*, !/usr/bin/passwd root |
|
|
The user B<pete> is allowed to change anyone's password except for |
The user B<pete> is allowed to change anyone's password except for |
root on the I<HPPA> machines. Note that this assumes L<passwd(1)> |
root on the I<HPPA> machines. Note that this assumes L<passwd(1)> |
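Review bot: the change from `[A-z]*` to `[A-Za-z]*` in the pete example is a correct fix and worth a changelog line, not just a silent edit: in ASCII the range A-z also spans the six punctuation characters between Z and a (`[`, `\`, `]`, `^`, `_` and the backquote), so the old pattern admitted arguments the text describes as usernames only. The explanatory sentence below the example could say that the bracket expression is matched against the whole argument string, so readers understand what `[A-Za-z]*` does and does not constrain.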