version 1.13, 2009/04/11 11:48:06 |
version 1.14, 2009/06/21 14:48:42 |
|
|
Copyright (c) 1994-1996, 1998-2005, 2007-2008 |
Copyright (c) 1994-1996, 1998-2005, 2007-2009 |
Todd C. Miller <Todd.Miller@courtesan.com> |
Todd C. Miller <Todd.Miller@courtesan.com> |
|
|
Permission to use, copy, modify, and distribute this software for any |
Permission to use, copy, modify, and distribute this software for any |
|
|
Agency (DARPA) and Air Force Research Laboratory, Air Force |
Agency (DARPA) and Air Force Research Laboratory, Air Force |
Materiel Command, USAF, under agreement number F39502-99-1-0512. |
Materiel Command, USAF, under agreement number F39502-99-1-0512. |
|
|
$Sudo: sudoers.pod,v 1.163 2009/03/08 15:51:01 millert Exp $ |
$Sudo: sudoers.pod,v 1.170 2009/06/15 21:19:47 millert Exp $ |
=pod |
=pod |
|
|
=head1 NAME |
=head1 NAME |
|
|
'!'* '#'uid | |
'!'* '#'uid | |
'!'* '%'group | |
'!'* '%'group | |
'!'* '+'netgroup | |
'!'* '+'netgroup | |
|
'!'* '%:'nonunix_group | |
'!'* User_Alias |
'!'* User_Alias |
|
|
A C<User_List> is made up of one or more usernames, uids (prefixed |
A C<User_List> is made up of one or more usernames, uids (prefixed |
|
|
zero or more '!' operators. An odd number of '!' operators negate |
zero or more '!' operators. An odd number of '!' operators negate |
the value of the item; an even number just cancel each other out. |
the value of the item; an even number just cancel each other out. |
|
|
|
A C<username>, C<group>, C<netgroup> and C<nonunix_groups> may |
|
be enclosed in double quotes to avoid the need for escaping special |
|
characters. Alternately, special characters may be specified in |
|
escaped hex mode, e.g. \x20 for space. |
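Review bot: the token name at L54 is C<nonunix_groups> (plural) while the grammar alternative added above and the paragraph that follows both use C<nonunix_group>; use the singular so the prose names the same symbol the grammar defines. In the same sentence "A C<username>, C<group>, C<netgroup> and C<nonunix_groups> may" should read "or" rather than "and", since it describes each kind of item individually, e.g. "A C<username>, C<group>, C<netgroup> or C<nonunix_group> may be enclosed in double quotes".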
|
|
|
The C<nonunix_group> syntax depends on the underlying implementation. |
|
For instance, the QAS AD backend supports the following formats: |
|
|
|
=over 4 |
|
|
|
=item * |
|
|
|
Group in the same domain: "Group Name" |
|
|
|
=item * |
|
|
|
Group in any domain: "Group Name@FULLY.QUALIFIED.DOMAIN" |
|
|
|
=item * |
|
|
|
Group SID: "S-1-2-34-5678901234-5678901234-5678901234-567" |
|
|
|
=back |
|
|
|
Note that quotes around group names are optional. Unquoted strings must |
|
use a backslash (\) to escape spaces and the '@' symbol. |
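Review bot: the escaping rule at L102-104 lists only spaces and the '@' symbol, but a group name that contains a ',' or ':' would otherwise be read as a list or Runas separator by the sudoers grammar, so the text should either state the full set of characters that must be backslash-escaped in an unquoted name or say that quoting is required whenever the name contains any character the sudoers grammar treats as special; otherwise an unescaped comma silently splits one group name into two nonexistent ones, which is a policy-matching surprise rather than a syntax error. It would also help to say whether the backslash and hex-escape forms described earlier (e.g. \x20) are the only way to express a literal '@' inside a quoted name, since the domain-qualified form relies on '@' as a delimiter.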
|
|
Runas_List ::= Runas_Member | |
Runas_List ::= Runas_Member | |
Runas_Member ',' Runas_List |
Runas_Member ',' Runas_List |
|
|
|
|
(and as what user) on specified hosts. By default, commands are |
(and as what user) on specified hosts. By default, commands are |
run as B<root>, but this can be changed on a per-command basis. |
run as B<root>, but this can be changed on a per-command basis. |
|
|
Let's break that down into its constituent parts: |
The basic structure of a user specification is `who = where (as_whom) |
|
what'. Let's break that down into its constituent parts: |
|
|
=head2 Runas_Spec |
=head2 Runas_Spec |
|
|
|
|
=head2 Including other files from within sudoers |
=head2 Including other files from within sudoers |
|
|
It is possible to include other I<sudoers> files from within the |
It is possible to include other I<sudoers> files from within the |
I<sudoers> file currently being parsed using the C<#include> |
I<sudoers> file currently being parsed using the C<#include> and |
directive, similar to the one used by the C preprocessor. This is |
C<#includedir> directives. |
useful, for example, for keeping a site-wide I<sudoers> file in |
|
addition to a per-machine local one. For the sake of this example |
|
the site-wide I<sudoers> will be F</etc/sudoers> and the per-machine |
|
one will be F</etc/sudoers.local>. To include F</etc/sudoers.local> |
|
from within F</etc/sudoers> we would use the following line in F</etc/sudoers>: |
|
|
|
|
This can be used, for example, to keep a site-wide I<sudoers> file |
|
in addition to a local, per-machine file. For the sake of this |
|
example the site-wide I<sudoers> will be F</etc/sudoers> and the |
|
per-machine one will be F</etc/sudoers.local>. To include |
|
F</etc/sudoers.local> from within F</etc/sudoers> we would use the |
|
following line in F</etc/sudoers>: |
|
|
=over 4 |
=over 4 |
|
|
C<#include /etc/sudoers.local> |
C<#include /etc/sudoers.local> |
|
|
The filename may include the C<%h> escape, signifying the short form |
The filename may include the C<%h> escape, signifying the short form |
of the hostname. I.e., if the machine's hostname is "xerxes", then |
of the hostname. I.e., if the machine's hostname is "xerxes", then |
|
|
#include /etc/sudoers.%h |
C<#include /etc/sudoers.%h> |
|
|
will cause B<sudo> to include the file F</etc/sudoers.xerxes>. |
will cause B<sudo> to include the file F</etc/sudoers.xerxes>. |
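Review bot: the new paragraph should say what happens when the file named by C<#include> does not exist, particularly for the C<%h> form at L177-188, where the path is derived from the hostname; an operator needs to know whether a missing F</etc/sudoers.xerxes> is ignored (silently dropping the per-host policy) or treated as a parse failure (locking out every sudo user on that host), and the current text leaves this open. It would also be worth stating whether the ownership and permission checks applied to F</etc/sudoers> are enforced on included files, since an include is a second path by which policy enters the parser.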
|
|
|
The C<#includedir> directive can be used to create a F<sudo.d> |
|
directory that the system package manager can drop I<sudoers> rules |
|
into as part of package installation. For example, given: |
|
|
|
C<#includedir /etc/sudoers.d> |
|
|
|
B<sudo> will read each file in F</etc/sudoers.d>, skipping file |
|
names that end in C<~> or contain a C<.> character to avoid causing |
|
problems with package manager or editor temporary/backup files. |
|
Files are parsed in sorted lexical order. That is, |
|
F</etc/sudoers.d/01_first> will be parsed before |
|
F</etc/sudoers.d/10_second>. Be aware that because the sorting is |
|
lexical, not numeric, F</etc/sudoers.d/1_whoops> would be loaded |
|
B<after> F</etc/sudoers.d/10_second>. Using a consistent number |
|
of leading zeroes in the file names can be used to avoid such |
|
problems. |
|
|
|
Note that unlike files included via C<#include>, B<visudo> will not |
|
edit the files in a C<#includedir> directory unless one of them |
|
contains a syntax error. It is still possible to run B<visudo> |
|
with the C<-f> flag to edit the files directly. |
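Review bot: L192 calls the directory F<sudo.d> while the example at L200 and every following reference use F</etc/sudoers.d>; use F<sudoers.d> (or the full path) so the name is consistent. For the skip rule at L204-208, make explicit that a skipped file (for example one whose name contains a '.') is ignored silently rather than reported, because a package that drops F<10_foo.conf> into the directory will see its rules never take effect without any diagnostic; the lexical-order caveat at L210-222 is good, and the same "silently does the wrong thing" framing applies to both. The B<visudo> note at L226-232 should also make clear that B<visudo> still parses the files in the directory when checking F</etc/sudoers>, so a syntax error in one of them is caught even though they are not opened for editing by default.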
|
|
=head2 Other special characters and reserved words |
=head2 Other special characters and reserved words |
|
|
The pound sign ('#') is used to indicate a comment (unless it is |
The pound sign ('#') is used to indicate a comment (unless it is |
|
|
|
|
The default value is C<@passprompt@>. |
The default value is C<@passprompt@>. |
|
|
|
=item role |
|
|
|
The default SELinux role to use when constructing a new security |
|
context to run the command. The default role may be overridden on |
|
a per-command basis in I<sudoers> or via command line options. |
|
This option is only available whe B<sudo> is built with SELinux support. |
|
|
=item runas_default |
=item runas_default |
|
|
The default user to run commands as if the B<-u> option is not specified |
The default user to run commands as if the B<-u> option is not specified |
|
|
The owner of the timestamp directory and the timestamps stored therein. |
The owner of the timestamp directory and the timestamps stored therein. |
The default is C<root>. |
The default is C<root>. |
|
|
|
=item type |
|
|
|
The default SELinux type to use when constructing a new security |
|
context to run the command. The default type may be overridden on |
|
a per-command basis in I<sudoers> or via command line options. |
|
This option is only available whe B<sudo> is built with SELinux support. |
|
|
=back |
=back |
|
|
B<Strings that can be used in a boolean context>: |
B<Strings that can be used in a boolean context>: |
|
|
# Runas alias specification |
# Runas alias specification |
Runas_Alias OP = root, operator |
Runas_Alias OP = root, operator |
Runas_Alias DB = oracle, sybase |
Runas_Alias DB = oracle, sybase |
|
Runas_Alias ADMINGRP = adm, oper |
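Review bot: the new alias at L306, C<Runas_Alias ADMINGRP = adm, oper>, is listed next to OP and DB whose members are users, but B<adm> and B<oper> are meant as groups (they are used after the ':' in a Runas_Spec in the later example); because C<Runas_Alias> is the same alias type for both the user and group positions, nothing in the line itself tells the reader which is intended, and on many systems B<adm> is also a valid user name. A trailing comment such as C<# groups, used after ':' in a Runas_Spec> on that line would remove the ambiguity.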
|
|
# Host alias specification |
# Host alias specification |
Host_Alias SPARC = bigtime, eclipse, moet, anchor :\ |
Host_Alias SPARC = bigtime, eclipse, moet, anchor :\ |
|
|
The user B<joe> may only L<su(1)> to operator. |
The user B<joe> may only L<su(1)> to operator. |
|
|
pete HPPA = /usr/bin/passwd [A-Za-z]*, !/usr/bin/passwd root |
pete HPPA = /usr/bin/passwd [A-Za-z]*, !/usr/bin/passwd root |
|
|
|
%opers ALL = (: ADMINGRP) /usr/sbin/ |
|
|
|
Users in the B<opers> group may run commands in F</usr/sbin/> as themselves |
|
with any group in the I<ADMINGRP> C<Runas_Alias> (the B<adm> and B<oper> |
|
groups). |
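Review bot: the explanation at L328-332 should spell out what the trailing slash in F</usr/sbin/> grants, namely every executable in that directory rather than one command, since that is the part of the example most likely to be copied into a real policy without the reader noticing its breadth. It should also say that the invoking user selects the group with the B<-g> option (the empty user part of C<(: ADMINGRP)> is what makes the command run as the invoking user), as "as themselves with any group" does not by itself tell the reader how the group is chosen at invocation time.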
|
|
The user B<pete> is allowed to change anyone's password except for |
The user B<pete> is allowed to change anyone's password except for |
root on the I<HPPA> machines. Note that this assumes L<passwd(1)> |
root on the I<HPPA> machines. Note that this assumes L<passwd(1)> |