| version 1.13, 2009/04/11 11:48:06 |
version 1.14, 2009/06/21 14:48:42 |
|
|
| Copyright (c) 1994-1996, 1998-2005, 2007-2008 |
Copyright (c) 1994-1996, 1998-2005, 2007-2009 |
| Todd C. Miller <Todd.Miller@courtesan.com> |
Todd C. Miller <Todd.Miller@courtesan.com> |
| |
|
| Permission to use, copy, modify, and distribute this software for any |
Permission to use, copy, modify, and distribute this software for any |
|
|
| Agency (DARPA) and Air Force Research Laboratory, Air Force |
Agency (DARPA) and Air Force Research Laboratory, Air Force |
| Materiel Command, USAF, under agreement number F39502-99-1-0512. |
Materiel Command, USAF, under agreement number F39502-99-1-0512. |
| |
|
| $Sudo: sudoers.pod,v 1.163 2009/03/08 15:51:01 millert Exp $ |
$Sudo: sudoers.pod,v 1.170 2009/06/15 21:19:47 millert Exp $ |
| =pod |
=pod |
| |
|
| =head1 NAME |
=head1 NAME |
|
|
| '!'* '#'uid | |
'!'* '#'uid | |
| '!'* '%'group | |
'!'* '%'group | |
| '!'* '+'netgroup | |
'!'* '+'netgroup | |
| |
'!'* '%:'nonunix_group | |
| '!'* User_Alias |
'!'* User_Alias |
| |
|
| A C<User_List> is made up of one or more usernames, uids (prefixed |
A C<User_List> is made up of one or more usernames, uids (prefixed |
|
|
| zero or more '!' operators. An odd number of '!' operators negate |
zero or more '!' operators. An odd number of '!' operators negate |
| the value of the item; an even number just cancel each other out. |
the value of the item; an even number just cancel each other out. |
| |
|
| |
A C<username>, C<group>, C<netgroup> and C<nonunix_groups> may |
| |
be enclosed in double quotes to avoid the need for escaping special |
| |
characters. Alternately, special characters may be specified in |
| |
escaped hex mode, e.g. \x20 for space. |
| |
|
| |
The C<nonunix_group> syntax depends on the underlying implementation. |
| |
For instance, the QAS AD backend supports the following formats: |
| |
|
| |
=over 4 |
| |
|
| |
=item * |
| |
|
| |
Group in the same domain: "Group Name" |
| |
|
| |
=item * |
| |
|
| |
Group in any domain: "Group Name@FULLY.QUALIFIED.DOMAIN" |
| |
|
| |
=item * |
| |
|
| |
Group SID: "S-1-2-34-5678901234-5678901234-5678901234-567" |
| |
|
| |
=back |
| |
|
| |
Note that quotes around group names are optional. Unquoted strings must |
| |
use a backslash (\) to escape spaces and the '@' symbol. |
| |
|
| Runas_List ::= Runas_Member | |
Runas_List ::= Runas_Member | |
| Runas_Member ',' Runas_List |
Runas_Member ',' Runas_List |
| |
|
|
|
| (and as what user) on specified hosts. By default, commands are |
(and as what user) on specified hosts. By default, commands are |
| run as B<root>, but this can be changed on a per-command basis. |
run as B<root>, but this can be changed on a per-command basis. |
| |
|
| Let's break that down into its constituent parts: |
The basic structure of a user specification is `who = where (as_whom) |
| |
what'. Let's break that down into its constituent parts: |
| |
|
| =head2 Runas_Spec |
=head2 Runas_Spec |
| |
|
|
|
| =head2 Including other files from within sudoers |
=head2 Including other files from within sudoers |
| |
|
| It is possible to include other I<sudoers> files from within the |
It is possible to include other I<sudoers> files from within the |
| I<sudoers> file currently being parsed using the C<#include> |
I<sudoers> file currently being parsed using the C<#include> and |
| directive, similar to the one used by the C preprocessor. This is |
C<#includedir> directives. |
| useful, for example, for keeping a site-wide I<sudoers> file in |
|
| addition to a per-machine local one. For the sake of this example |
|
| the site-wide I<sudoers> will be F</etc/sudoers> and the per-machine |
|
| one will be F</etc/sudoers.local>. To include F</etc/sudoers.local> |
|
| from within F</etc/sudoers> we would use the following line in F</etc/sudoers>: |
|
| |
|
| |
This can be used, for example, to keep a site-wide I<sudoers> file |
| |
in addition to a local, per-machine file. For the sake of this |
| |
example the site-wide I<sudoers> will be F</etc/sudoers> and the |
| |
per-machine one will be F</etc/sudoers.local>. To include |
| |
F</etc/sudoers.local> from within F</etc/sudoers> we would use the |
| |
following line in F</etc/sudoers>: |
| |
|
| =over 4 |
=over 4 |
| |
|
| C<#include /etc/sudoers.local> |
C<#include /etc/sudoers.local> |
|
|
| The filename may include the C<%h> escape, signifying the short form |
The filename may include the C<%h> escape, signifying the short form |
| of the hostname. I.e., if the machine's hostname is "xerxes", then |
of the hostname. I.e., if the machine's hostname is "xerxes", then |
| |
|
| #include /etc/sudoers.%h |
C<#include /etc/sudoers.%h> |
| |
|
| will cause B<sudo> to include the file F</etc/sudoers.xerxes>. |
will cause B<sudo> to include the file F</etc/sudoers.xerxes>. |
| |
|
| |
The C<#includedir> directive can be used to create a F<sudo.d> |
| |
directory that the system package manager can drop I<sudoers> rules |
| |
into as part of package installation. For example, given: |
| |
|
| |
C<#includedir /etc/sudoers.d> |
| |
|
| |
B<sudo> will read each file in F</etc/sudoers.d>, skipping file |
| |
names that end in C<~> or contain a C<.> character to avoid causing |
| |
problems with package manager or editor temporary/backup files. |
| |
Files are parsed in sorted lexical order. That is, |
| |
F</etc/sudoers.d/01_first> will be parsed before |
| |
F</etc/sudoers.d/10_second>. Be aware that because the sorting is |
| |
lexical, not numeric, F</etc/sudoers.d/1_whoops> would be loaded |
| |
B<after> F</etc/sudoers.d/10_second>. Using a consistent number |
| |
of leading zeroes in the file names can be used to avoid such |
| |
problems. |
| |
|
| |
Note that unlike files included via C<#include>, B<visudo> will not |
| |
edit the files in a C<#includedir> directory unless one of them |
| |
contains a syntax error. It is still possible to run B<visudo> |
| |
with the C<-f> flag to edit the files directly. |
| |
|
| =head2 Other special characters and reserved words |
=head2 Other special characters and reserved words |
| |
|
| The pound sign ('#') is used to indicate a comment (unless it is |
The pound sign ('#') is used to indicate a comment (unless it is |
|
|
| |
|
| The default value is C<@passprompt@>. |
The default value is C<@passprompt@>. |
| |
|
| |
=item role |
| |
|
| |
The default SELinux role to use when constructing a new security |
| |
context to run the command. The default role may be overridden on |
| |
a per-command basis in I<sudoers> or via command line options. |
| |
This option is only available whe B<sudo> is built with SELinux support. |
| |
|
| =item runas_default |
=item runas_default |
| |
|
| The default user to run commands as if the B<-u> option is not specified |
The default user to run commands as if the B<-u> option is not specified |
|
|
| The owner of the timestamp directory and the timestamps stored therein. |
The owner of the timestamp directory and the timestamps stored therein. |
| The default is C<root>. |
The default is C<root>. |
| |
|
| |
=item type |
| |
|
| |
The default SELinux type to use when constructing a new security |
| |
context to run the command. The default type may be overridden on |
| |
a per-command basis in I<sudoers> or via command line options. |
| |
This option is only available whe B<sudo> is built with SELinux support. |
| |
|
| =back |
=back |
| |
|
| B<Strings that can be used in a boolean context>: |
B<Strings that can be used in a boolean context>: |
|
|
| # Runas alias specification |
# Runas alias specification |
| Runas_Alias OP = root, operator |
Runas_Alias OP = root, operator |
| Runas_Alias DB = oracle, sybase |
Runas_Alias DB = oracle, sybase |
| |
Runas_Alias ADMINGRP = adm, oper |
| |
|
| # Host alias specification |
# Host alias specification |
| Host_Alias SPARC = bigtime, eclipse, moet, anchor :\ |
Host_Alias SPARC = bigtime, eclipse, moet, anchor :\ |
|
|
| The user B<joe> may only L<su(1)> to operator. |
The user B<joe> may only L<su(1)> to operator. |
| |
|
| pete HPPA = /usr/bin/passwd [A-Za-z]*, !/usr/bin/passwd root |
pete HPPA = /usr/bin/passwd [A-Za-z]*, !/usr/bin/passwd root |
| |
|
| |
%opers ALL = (: ADMINGRP) /usr/sbin/ |
| |
|
| |
Users in the B<opers> group may run commands in F</usr/sbin/> as themselves |
| |
with any group in the I<ADMINGRP> C<Runas_Alias> (the B<adm> and B<oper> |
| |
groups). |
| |
|
| The user B<pete> is allowed to change anyone's password except for |
The user B<pete> is allowed to change anyone's password except for |
| root on the I<HPPA> machines. Note that this assumes L<passwd(1)> |
root on the I<HPPA> machines. Note that this assumes L<passwd(1)> |
![[BACK]](/icons/back.gif){kind=icon}
Return to sudoers.pod CVS log ![[TXT]](/icons/text.gif){kind=icon}
![[DIR]](/icons/dir.gif){kind=icon}
Up to [local] / src / usr.bin / sudo