=================================================================== RCS file: /cvsrepo/anoncvs/cvs/src/usr.bin/sudo/Attic/sudoers.pod,v retrieving revision 1.9 retrieving revision 1.10 diff -u -r1.9 -r1.10 --- src/usr.bin/sudo/Attic/sudoers.pod 2008/07/31 16:44:03 1.9 +++ src/usr.bin/sudo/Attic/sudoers.pod 2008/11/14 11:58:08 1.10 @@ -1,4 +1,4 @@ -Copyright (c) 1994-1996, 1998-2005, 2007 +Copyright (c) 1994-1996, 1998-2005, 2007-2008 Todd C. Miller Permission to use, copy, modify, and distribute this software for any @@ -18,7 +18,7 @@ Agency (DARPA) and Air Force Research Laboratory, Air Force Materiel Command, USAF, under agreement number F39502-99-1-0512. -$Sudo: sudoers.pod,v 1.95.2.27 2008/07/12 12:49:04 millert Exp $ +$Sudo: sudoers.pod,v 1.152 2008/11/09 14:13:13 millert Exp $ =pod =head1 NAME 
@@ -113,32 +113,32 @@ User ',' User_List User ::= '!'* username | + '!'* '#'uid | '!'* '%'group | '!'* '+'netgroup | '!'* User_Alias -A C is made up of one or more usernames, system groups -(prefixed with '%'), netgroups (prefixed with '+') and other aliases. -Each list item may be prefixed with one or more '!' operators. -An odd number of '!' operators negate the value of the item; an even -number just cancel each other out. +A C is made up of one or more usernames, uids (prefixed +with '#'), system groups (prefixed with '%'), netgroups (prefixed +with '+') and Ces. Each list item may be prefixed with +zero or more '!' operators. An odd number of '!' operators negate +the value of the item; an even number just cancel each other out. - Runas_List ::= Runas_User | - Runas_User ',' Runas_List + Runas_List ::= Runas_Member | + Runas_Member ',' Runas_List - Runas_User ::= '!'* username | - '!'* '#'uid | - '!'* '%'group | - '!'* +netgroup | - '!'* Runas_Alias + Runas_Member ::= '!'* username | + '!'* '#'uid | + '!'* '%'group | + '!'* +netgroup | + '!'* Runas_Alias -A C is similar to a C except that it can -also contain uids (prefixed with '#') and instead of Ces -it can contain Ces. Note that usernames and groups -are matched as strings. In other words, two users (groups) with -the same uid (gid) are considered to be distinct. If you wish to -match all usernames with the same uid (e.g.Eroot and toor), you -can use a uid instead (#0 in the example given). +A C is similar to a C except that instead +of Ces it can contain Ces. Note that +usernames and groups are matched as strings. In other words, two +users (groups) with the same uid (gid) are considered to be distinct. +If you wish to match all usernames with the same uid (e.g.Eroot +and toor), you can use a uid instead (#0 in the example given). Host_List ::= Host | Host ',' Host_List 
@@ -201,11 +201,15 @@ Certain configuration options may be changed from their default values at runtime via one or more C lines. These may affect all users on any host, all users on a specific host, a -specific user, or commands being run as a specific user. +specific user, a specific command, or commands being run as a specific user. +Note that per-command entries may not include command line arguments. +If you need to specify arguments, define a C and reference +that instead. Default_Type ::= 'Defaults' | 'Defaults' '@' Host_List | 'Defaults' ':' User_List | + 'Defaults' '!' Cmnd_List | 'Defaults' '>' Runas_List Default_Entry ::= Default_Type Parameter_List @@ -230,6 +234,10 @@ It is not an error to use the C<-=> operator to remove an element that does not exist in a list. +Defaults entries are parsed in the following order: generic, host +and user Defaults first, then runas Defaults and finally command +defaults. + See L for a list of supported Defaults parameters. =head2 User Specification @@ -242,10 +250,10 @@ Cmnd_Spec ::= Runas_Spec? Tag_Spec* Cmnd - Runas_Spec ::= '(' Runas_List ')' + Runas_Spec ::= '(' Runas_List? (: Runas_List)? ')' Tag_Spec ::= ('NOPASSWD:' | 'PASSWD:' | 'NOEXEC:' | 'EXEC:' | - 'SETENV:' | 'NOSETENV:') + 'SETENV:' | 'NOSETENV:' ) A B determines which commands a user may run (and as what user) on specified hosts. By default, commands are 
@@ -255,12 +263,25 @@ =head2 Runas_Spec -A C is simply a C (as defined above) -enclosed in a set of parentheses. If you do not specify a -C in the user specification, a default C -of B will be used. A C sets the default for -commands that follow it. What this means is that for the entry: +A C determines the user and/or the group that a command +may be run as. A fully-specified C consists of two +Cs (as defined above) separated by a colon (':') and +enclosed in a set of parentheses. The first C indicates +which users the command may be run as via B's B<-u> flag. +The second defines a list of groups that can be specified via +B's B<-g> flag. If both Cs are specified, the +command may be run with any combination of users and groups listed +in their respective Cs. If only the first is specified, +the command may be run as any user in the list but no B<-g> flag +may be specified. If the first C is empty but the +second is specified, the command may be run as the invoking user +with the group set to any listed in the C. If no +C is specified the command may be run as B and +no group may be specified. +A C sets the default for the commands that follow it. +What this means is that for the entry: + dgb boulder = (operator) /bin/ls, /bin/kill, /usr/bin/lprm The user B may run F, F, and 
@@ -276,10 +297,23 @@ Then user B is now allowed to run F as B, but F and F as B. +We can extend this to allow B to run C with either +the user or group set to B: + + dgb boulder = (operator : operator) /bin/ls, (root) /bin/kill, \ + /usr/bin/lprm + +In the following example, user B may run commands that access +a modem device file with the dialer group. Note that in this example +only the group will be set, the command still runs as user B. + + tcm boulder = (:dialer) /usr/bin/tip, /usr/bin/cu, \ + /usr/local/bin/minicom + =head2 Tag_Spec A command may have zero or more tags associated with it. There are -six possible tag values, C, C, C, C, +eight possible tag values, C, C, C, C, C and C. Once a tag is set on a C, subsequent Cs in the C, inherit the tag unless it is overridden by the @@ -371,6 +405,15 @@ =back +POSIX character classes may also be used if your system's +L function supports them. However, because the +C<':'> character has special meaning in I, it must +be escaped. For example: + + /bin/ls [[\:alpha\:]]* + +Would match any filename beginning with a letter. + Note that a forward slash ('/') will B be matched by wildcards used in the pathname. When matching the command line arguments, however, a slash B get matched by 
@@ -394,6 +437,26 @@ =back +=head2 Including other files from within sudoers + +It is possible to include other I files from within the +I file currently being parsed using the C<#include> +directive, similar to the one used by the C preprocessor. This is +useful, for example, for keeping a site-wide I file in +addition to a per-machine local one. For the sake of this example +the site-wide I will be F and the per-machine +one will be F. To include F +from F we would use the following line in F: + + #include /etc/sudoers.local + +When B reaches this line it will suspend processing of the +current file (F) and switch to F. +Upon reaching the end of F, the rest of +F will be processed. Files that are included may +themselves include other files. A hard limit of 128 nested include +files is enforced to prevent include file loops. + =head2 Other special characters and reserved words The pound sign ('#') is used to indicate a comment (unless it is @@ -451,6 +514,12 @@ may be overridden via the C and C tags. This flag is I by default. +=item closefrom_override + +If set, the user may use B's B<-C> option which +overrides the default starting point at which B begins +closing open file descriptors. This flag is I by default. + =item env_editor If set, B will use the value of the EDITOR or VISUAL @@ -469,9 +538,9 @@ variables in the caller's environment that match the C and C lists are then added. The default contents of the C and C lists are displayed when B is -run by root with the I<-V> option. If B was compiled with -the C option, its value will be used for the C -environment variable. This flag is I by default. +run by root with the I<-V> option. If the I option +is set, its value will be used for the C environment variable. +This flag is I by default. =item fqdn 
@@ -492,10 +561,7 @@ If set, B will ignore '.' or '' (current dir) in the C environment variable; the C itself is not modified. This -flag is I<@ignore_dot@> by default. Currently, while it is possible -to set I in I, its value is not used. This option -should be considered read-only (it will be fixed in a future version -of B). +flag is I<@ignore_dot@> by default. =item ignore_local_sudoers @@ -596,11 +662,9 @@ =item requiretty If set, B will only run when the user is logged in to a real -tty. This will disallow things like C<"rsh somehost sudo ls"> since -L does not allocate a tty. Because it is not possible to turn -off echo when there is no tty present, some sites may wish to set -this flag to prevent a user from entering a visible password. This -flag is I by default. +tty. When this flag is set, B can only be run from a login +session and not via other means such as L or cgi-bin scripts. +This flag is I by default. =item root_sudo @@ -692,12 +756,29 @@ login class if one exists. Only available if B is configured with the --with-logincap option. This flag is I by default. +=item visiblepw + +By default, B will refuse to run if the user must enter a +password but it is not possible to disable echo on the terminal. +If the I flag is set, B will prompt for a password +even when it would be visible on the screen. This makes it possible +to run things like C<"rsh somehost sudo ls"> since L does +not allocate a tty. This flag is I by default. + =back B: =over 16 +=item closefrom + +Before it executes a command, B will close all open file +descriptors other than standard input, standard output and standard +error (ie: file descriptors 0-2). The I option can be used +to specify a different file descriptor at which to start closing. +The default is C<3>. + =item passwd_tries The number of tries a user gets to enter his/her password before 
@@ -733,7 +814,12 @@ =item umask Umask to use when running the command. Negate this option or set -it to 0777 to preserve the user's umask. The default is C<@sudo_umask@>. +it to 0777 to preserve the user's umask. The actual umask that is +used will be the union of the user's umask and C<@sudo_umask@>. +This guarantees that B never lowers the umask when running a +command. Note on systems that use PAM, the default PAM configuration +may specify its own umask which will override the value set in +I. =back @@ -824,6 +910,12 @@ Syslog priority to use when user authenticates successfully. Defaults to C<@goodpri@>. +=item sudoers_locale + +Locale to use when parsing the sudoers file. Note that changing +the locale may affect how sudoers is interpreted. +Defaults to C<"C">. + =item timestampdir The directory in which B stores its timestamp files. @@ -840,6 +932,25 @@ =over 12 +=item askpass + +The I option specifies the fully-qualilfy path to a helper +program used to read the user's password when no terminal is +available. This may be the case when B is executed from a +graphical (as opposed to text-based) application. The program +specified by I should display the argument passed to it +as the prompt and write the user's password to the standard output. +The value of I may be overridden by the C +environment variable. + +=item env_file + +The I options specifies the fully-qualilfy path to a file +containing variables to be set in the environment of the program +being run. Entries in this file should be of the form C. +Variables in this file are subject to other B environment +settings such as I and I. + =item exempt_group Users in this group are exempt from password and PATH requirements. 
@@ -922,12 +1033,28 @@ Path to mail program used to send warning mail. Defaults to the path to sendmail found at configure time. +=item mailfrom + +Address to use for the "from" address when sending warning and error +mail. The address should be enclosed in double quotes (C<">) to +protect against B interpreting the C<@> sign. Defaults to +the name of the user running B. + =item mailto Address to send warning and error mail to. The address should be enclosed in double quotes (C<">) to protect against B interpreting the C<@> sign. Defaults to C<@mailto@>. +=item secure_path + +Path used for every command run from B. If you don't trust the +people running B to have a sane C environment variable you may +want to use this. Another use is if you want to have the "root path" +be separate from the "user path." Users in the group specified by the +I option are not affected by I. +This is not set by default. + =item syslog Syslog facility if syslog is being used for logging (negate to @@ -1038,13 +1165,6 @@ =head1 EXAMPLES -Since the I file is parsed in a single pass, order is -important. In general, you should structure I such that -the C, C, and C specifications -come first, followed by any C lines, and finally the -C and user specifications. The basic rule of thumb -is you cannot reference an Alias that has not already been defined. - Below are example I entries. Admittedly, some of these are a bit contrived. First, we define our I: @@ -1147,7 +1267,7 @@ The user B may only L to operator. - pete HPPA = /usr/bin/passwd [A-z]*, !/usr/bin/passwd root + pete HPPA = /usr/bin/passwd [A-Za-z]*, !/usr/bin/passwd root The user B is allowed to change anyone's password except for root on the I machines. Note that this assumes L
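Review bot: in hunk @@ -113,32 the new `Runas_Member` production writes the netgroup prefix bare (`'!'* +netgroup`) while the `User` production a few lines above quotes it (`'!'* '+'netgroup`); since these grammar lines are being rewritten anyway, quote the '+' so both lists use the same convention and the prefix reads as a literal token like '#' and '%'.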
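Review bot: in hunk @@ -201,11 the sentence "per-command entries may not include command line arguments" should say what happens if someone writes one anyway (parse error versus the arguments being silently ignored), because an admin who gets this wrong ends up with a Defaults line that does not apply to the command they think it does.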
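Review bot: in hunk @@ -230,6 the added "Defaults entries are parsed in the following order" paragraph gives an order but not its consequence; state which entry wins when, say, a host Defaults and a command Defaults set the same parameter, since that precedence is the only reason a reader needs the order. Also "finally command defaults" should be "command Defaults" to match the capitalisation used for the other kinds in the same sentence.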
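Review bot: in hunk @@ -242,10 the colon separator in the new `Runas_Spec` production is unquoted (`(: Runas_List)?`) while every other literal in these fragments is quoted (`'('`, `')'`, `'!'`, `'#'`), so write it `(':' Runas_List)?`; the change to the `Tag_Spec` line is whitespace only (`'NOSETENV:' )`) and can be dropped from the patch.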
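Review bot: in hunk @@ -276,10 "eight possible tag values" contradicts the sentence itself, which goes on to list six (NOPASSWD, PASSWD, NOEXEC, EXEC, SETENV and NOSETENV), and the `Tag_Spec` production in this same patch still defines exactly those six; either keep "six" or name the two extra tags here and add them to the grammar.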
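Review bot: in hunk @@ -371,6 the example `/bin/ls [[\:alpha\:]]*` is said to match "any filename beginning with a letter", but this section is about wildcards in command line arguments, so say "any argument beginning with a letter"; the fragment "For example: ... Would match" also reads badly once rendered, so phrase it as "The following would match ...".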
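Review bot: in hunk @@ -394,6 the new "Including other files" section says nothing about the ownership and mode an included file must have, yet its contents are processed exactly as if they were in /etc/sudoers; document whether the included file is subject to the same owner and permission checks as sudoers and what happens when it is not, and whether the path may be relative. The closing sentence says the 128 limit is "enforced to prevent include file loops", but a depth limit only bounds a loop, so "limits the depth of nested includes" is the accurate wording.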
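Review bot: in hunk @@ -596,11 the rewritten requiretty text says sudo "can only be run from a login session", but the flag checks for a tty, and a script started from an interactive shell still has one while a login session without a tty does not; say "only when the invoking process has a tty" and keep the cron/cgi-bin examples as illustrations of the no-tty case.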
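Review bot: in hunk @@ -692,12 the visiblepw entry describes the password as "visible on the screen" but never warns the reader that turning the flag on discards the protection the default provides; add a one-line warning that the typed password is then exposed to anyone who can see or capture the session, which is exactly the rsh scenario the entry uses as motivation. In the closefrom entry, "(ie: file descriptors 0-2)" should read "(i.e. file descriptors 0-2)", and a cross-reference to closefrom_override would tell the reader how the -C flag relates to this value.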
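Review bot: in hunk @@ -733,7 "the union of the user's umask and C<@sudo_umask@>" names the compile-time default, but the paragraph documents a configurable option, so it should say "the union of the user's umask and the value of this option". The retained sentence "Negate this option or set it to 0777 to preserve the user's umask" now conflicts with that rule, since a union with 0777 yields 0777 rather than the user's umask; if 0777 and negation are sentinels meaning "do not modify the umask", state that explicitly. Also "Note on systems that use PAM" should be "Note that on systems that use PAM".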
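Review bot: in hunk @@ -824,6 "changing the locale may affect how sudoers is interpreted" is too vague to act on; name what actually depends on the locale (for instance the POSIX character class matching added to the wildcard section in this same patch) and which locale values are accepted, otherwise nobody can judge whether changing it is safe.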
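Review bot: in hunk @@ -840,6 "fully-qualilfy path" appears twice and should be "fully-qualified path", and "The env_file options specifies" should be "option specifies". More importantly, askpass names a program sudo will execute and the text says its value "may be overridden by the SUDO_ASKPASS environment variable", i.e. by the unprivileged invoker; document which user the helper runs as, because a user-controlled path run with elevated privileges would be a direct escalation. env_file similarly injects variables into the environment of a command run as another user, so the entry should state the ownership and mode the file must have and what sudo does if they are wrong.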
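Review bot: in hunk @@ -1038,13 the deleted paragraph was the only place stating that sudoers is parsed in a single pass and that an Alias cannot be referenced before it is defined; if that rule still holds, move the text (the Alias section is the natural home) rather than drop it, and if the parser no longer requires definition-before-use, say so somewhere, since existing sudoers files were written to that constraint.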
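Review bot: in hunk @@ -1147,7 the change from `[A-z]*` to `[A-Za-z]*` is right, because in ASCII the range `[A-z]` also admits `[`, `\`, `]`, `^`, `_` and the backquote; note, though, that `[A-Za-z]*` still matches only purely alphabetic usernames, so if the accompanying sentence "allowed to change anyone's password except for root" is meant literally, either widen the pattern or have the prose say the example covers alphabetic names only.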