Annotation of src/usr.bin/sudo/sudoers.pod, Revision 1.16
1.14 millert 1: Copyright (c) 1994-1996, 1998-2005, 2007-2009
1.5 millert 2: Todd C. Miller <Todd.Miller@courtesan.com>
1.1 millert 3:
4: Permission to use, copy, modify, and distribute this software for any
5: purpose with or without fee is hereby granted, provided that the above
6: copyright notice and this permission notice appear in all copies.
7:
8: THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
9: WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
10: MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
11: ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
12: WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
13: ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
14: OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
15: ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
16:
17: Sponsored in part by the Defense Advanced Research Projects
18: Agency (DARPA) and Air Force Research Laboratory, Air Force
19: Materiel Command, USAF, under agreement number F39502-99-1-0512.
20:
1.16 ! millert 21: $Sudo: sudoers.pod,v 1.173 2009/06/30 12:41:09 millert Exp $
1.1 millert 22: =pod
23:
24: =head1 NAME
25:
26: sudoers - list of which users may execute what
27:
28: =head1 DESCRIPTION
29:
30: The I<sudoers> file is composed of two types of entries: aliases
31: (basically variables) and user specifications (which specify who
32: may run what).
33:
34: When multiple entries match for a user, they are applied in order.
35: Where there are multiple matches, the last match is used (which is
36: not necessarily the most specific match).
37:
38: The I<sudoers> grammar will be described below in Extended Backus-Naur
39: Form (EBNF). Don't despair if you don't know what EBNF is; it is
40: fairly simple, and the definitions below are annotated.
41:
42: =head2 Quick guide to EBNF
43:
44: EBNF is a concise and exact way of describing the grammar of a language.
45: Each EBNF definition is made up of I<production rules>. E.g.,
46:
47: symbol ::= definition | alternate1 | alternate2 ...
48:
49: Each I<production rule> references others and thus makes up a
50: grammar for the language. EBNF also contains the following
51: operators, which many readers will recognize from regular
52: expressions. Do not, however, confuse them with "wildcard"
53: characters, which have different meanings.
54:
1.5 millert 55: =over 4
1.1 millert 56:
57: =item C<?>
58:
59: Means that the preceding symbol (or group of symbols) is optional.
60: That is, it may appear once or not at all.
61:
62: =item C<*>
63:
64: Means that the preceding symbol (or group of symbols) may appear
65: zero or more times.
66:
67: =item C<+>
68:
69: Means that the preceding symbol (or group of symbols) may appear
70: one or more times.
71:
72: =back
73:
74: Parentheses may be used to group symbols together. For clarity,
75: we will use single quotes ('') to designate what is a verbatim character
76: string (as opposed to a symbol name).
77:
78: =head2 Aliases
79:
80: There are four kinds of aliases: C<User_Alias>, C<Runas_Alias>,
81: C<Host_Alias> and C<Cmnd_Alias>.
82:
83: Alias ::= 'User_Alias' User_Alias (':' User_Alias)* |
84: 'Runas_Alias' Runas_Alias (':' Runas_Alias)* |
85: 'Host_Alias' Host_Alias (':' Host_Alias)* |
86: 'Cmnd_Alias' Cmnd_Alias (':' Cmnd_Alias)*
87:
88: User_Alias ::= NAME '=' User_List
89:
90: Runas_Alias ::= NAME '=' Runas_List
91:
92: Host_Alias ::= NAME '=' Host_List
93:
94: Cmnd_Alias ::= NAME '=' Cmnd_List
95:
96: NAME ::= [A-Z]([A-Z][0-9]_)*
97:
98: Each I<alias> definition is of the form
99:
100: Alias_Type NAME = item1, item2, ...
101:
102: where I<Alias_Type> is one of C<User_Alias>, C<Runas_Alias>, C<Host_Alias>,
103: or C<Cmnd_Alias>. A C<NAME> is a string of uppercase letters, numbers,
104: and underscore characters ('_'). A C<NAME> B<must> start with an
105: uppercase letter. It is possible to put several alias definitions
106: of the same type on a single line, joined by a colon (':'). E.g.,
107:
108: Alias_Type NAME = item1, item2, item3 : NAME = item4, item5
109:
110: The definitions of what constitutes a valid I<alias> member follow.
111:
112: User_List ::= User |
113: User ',' User_List
114:
115: User ::= '!'* username |
1.10 millert 116: '!'* '#'uid |
1.1 millert 117: '!'* '%'group |
118: '!'* '+'netgroup |
1.14 millert 119: '!'* '%:'nonunix_group |
1.1 millert 120: '!'* User_Alias
121:
1.10 millert 122: A C<User_List> is made up of one or more usernames, uids (prefixed
123: with '#'), system groups (prefixed with '%'), netgroups (prefixed
124: with '+') and C<User_Alias>es. Each list item may be prefixed with
125: zero or more '!' operators. An odd number of '!' operators negate
126: the value of the item; an even number just cancel each other out.
127:
1.14 millert 128: A C<username>, C<group>, C<netgroup> and C<nonunix_groups> may
129: be enclosed in double quotes to avoid the need for escaping special
130: characters. Alternately, special characters may be specified in
131: escaped hex mode, e.g. \x20 for space.
132:
133: The C<nonunix_group> syntax depends on the underlying implementation.
134: For instance, the QAS AD backend supports the following formats:
135:
136: =over 4
137:
138: =item *
139:
140: Group in the same domain: "Group Name"
141:
142: =item *
143:
144: Group in any domain: "Group Name@FULLY.QUALIFIED.DOMAIN"
145:
146: =item *
147:
148: Group SID: "S-1-2-34-5678901234-5678901234-5678901234-567"
149:
150: =back
151:
152: Note that quotes around group names are optional. Unquoted strings must
153: use a backslash (\) to escape spaces and the '@' symbol.
154:
1.10 millert 155: Runas_List ::= Runas_Member |
156: Runas_Member ',' Runas_List
157:
158: Runas_Member ::= '!'* username |
159: '!'* '#'uid |
160: '!'* '%'group |
161: '!'* +netgroup |
162: '!'* Runas_Alias
163:
164: A C<Runas_List> is similar to a C<User_List> except that instead
165: of C<User_Alias>es it can contain C<Runas_Alias>es. Note that
166: usernames and groups are matched as strings. In other words, two
167: users (groups) with the same uid (gid) are considered to be distinct.
168: If you wish to match all usernames with the same uid (e.g.E<nbsp>root
169: and toor), you can use a uid instead (#0 in the example given).
1.1 millert 170:
171: Host_List ::= Host |
172: Host ',' Host_List
173:
174: Host ::= '!'* hostname |
175: '!'* ip_addr |
176: '!'* network(/netmask)? |
177: '!'* '+'netgroup |
178: '!'* Host_Alias
179:
180: A C<Host_List> is made up of one or more hostnames, IP addresses,
181: network numbers, netgroups (prefixed with '+') and other aliases.
182: Again, the value of an item may be negated with the '!' operator.
183: If you do not specify a netmask along with the network number,
184: B<sudo> will query each of the local host's network interfaces and,
185: if the network number corresponds to one of the hosts's network
186: interfaces, the corresponding netmask will be used. The netmask
1.5 millert 187: may be specified either in standard IP address notation
188: (e.g.E<nbsp>255.255.255.0 or ffff:ffff:ffff:ffff::),
189: or CIDR notation (number of bits, e.g.E<nbsp>24 or 64). A hostname may
1.1 millert 190: include shell-style wildcards (see the L<Wildcards> section below),
191: but unless the C<hostname> command on your machine returns the fully
192: qualified hostname, you'll need to use the I<fqdn> option for
193: wildcards to be useful.
194:
195: Cmnd_List ::= Cmnd |
196: Cmnd ',' Cmnd_List
197:
198: commandname ::= filename |
199: filename args |
200: filename '""'
201:
202: Cmnd ::= '!'* commandname |
203: '!'* directory |
204: '!'* "sudoedit" |
205: '!'* Cmnd_Alias
206:
207: A C<Cmnd_List> is a list of one or more commandnames, directories, and other
208: aliases. A commandname is a fully qualified filename which may include
209: shell-style wildcards (see the L<Wildcards> section below). A simple
210: filename allows the user to run the command with any arguments he/she
211: wishes. However, you may also specify command line arguments (including
212: wildcards). Alternately, you can specify C<""> to indicate that the command
213: may only be run B<without> command line arguments. A directory is a
214: fully qualified pathname ending in a '/'. When you specify a directory
215: in a C<Cmnd_List>, the user will be able to run any file within that directory
216: (but not in any subdirectories therein).
217:
218: If a C<Cmnd> has associated command line arguments, then the arguments
219: in the C<Cmnd> must match exactly those given by the user on the command line
220: (or match the wildcards if there are any). Note that the following
221: characters must be escaped with a '\' if they are used in command
222: arguments: ',', ':', '=', '\'. The special command C<"sudoedit">
1.11 millert 223: is used to permit a user to run B<sudo> with the B<-e> option (or
1.1 millert 224: as B<sudoedit>). It may take command line arguments just as
225: a normal command does.
226:
227: =head2 Defaults
228:
229: Certain configuration options may be changed from their default
230: values at runtime via one or more C<Default_Entry> lines. These
231: may affect all users on any host, all users on a specific host, a
1.10 millert 232: specific user, a specific command, or commands being run as a specific user.
233: Note that per-command entries may not include command line arguments.
234: If you need to specify arguments, define a C<Cmnd_Alias> and reference
235: that instead.
1.1 millert 236:
237: Default_Type ::= 'Defaults' |
1.6 millert 238: 'Defaults' '@' Host_List |
239: 'Defaults' ':' User_List |
1.10 millert 240: 'Defaults' '!' Cmnd_List |
1.6 millert 241: 'Defaults' '>' Runas_List
1.1 millert 242:
243: Default_Entry ::= Default_Type Parameter_List
244:
245: Parameter_List ::= Parameter |
246: Parameter ',' Parameter_List
247:
248: Parameter ::= Parameter '=' Value |
249: Parameter '+=' Value |
250: Parameter '-=' Value |
251: '!'* Parameter
252:
253: Parameters may be B<flags>, B<integer> values, B<strings>, or B<lists>.
254: Flags are implicitly boolean and can be turned off via the '!'
255: operator. Some integer, string and list parameters may also be
256: used in a boolean context to disable them. Values may be enclosed
257: in double quotes (C<">) when they contain multiple words. Special
258: characters may be escaped with a backslash (C<\>).
259:
260: Lists have two additional assignment operators, C<+=> and C<-=>.
261: These operators are used to add to and delete from a list respectively.
262: It is not an error to use the C<-=> operator to remove an element
263: that does not exist in a list.
264:
1.10 millert 265: Defaults entries are parsed in the following order: generic, host
266: and user Defaults first, then runas Defaults and finally command
267: defaults.
268:
1.13 millert 269: See L<"SUDOERS OPTIONS"> for a list of supported Defaults parameters.
1.1 millert 270:
271: =head2 User Specification
272:
273: User_Spec ::= User_List Host_List '=' Cmnd_Spec_List \
274: (':' Host_List '=' Cmnd_Spec_List)*
275:
276: Cmnd_Spec_List ::= Cmnd_Spec |
277: Cmnd_Spec ',' Cmnd_Spec_List
278:
279: Cmnd_Spec ::= Runas_Spec? Tag_Spec* Cmnd
280:
1.16 ! millert 281: Runas_Spec ::= '(' Runas_List? (':' Runas_List)? ')'
1.1 millert 282:
283: Tag_Spec ::= ('NOPASSWD:' | 'PASSWD:' | 'NOEXEC:' | 'EXEC:' |
1.10 millert 284: 'SETENV:' | 'NOSETENV:' )
1.1 millert 285:
286: A B<user specification> determines which commands a user may run
287: (and as what user) on specified hosts. By default, commands are
288: run as B<root>, but this can be changed on a per-command basis.
289:
1.14 millert 290: The basic structure of a user specification is `who = where (as_whom)
291: what'. Let's break that down into its constituent parts:
1.1 millert 292:
293: =head2 Runas_Spec
294:
1.10 millert 295: A C<Runas_Spec> determines the user and/or the group that a command
296: may be run as. A fully-specified C<Runas_Spec> consists of two
297: C<Runas_List>s (as defined above) separated by a colon (':') and
298: enclosed in a set of parentheses. The first C<Runas_List> indicates
1.11 millert 299: which users the command may be run as via B<sudo>'s B<-u> option.
1.10 millert 300: The second defines a list of groups that can be specified via
1.11 millert 301: B<sudo>'s B<-g> option. If both C<Runas_List>s are specified, the
1.10 millert 302: command may be run with any combination of users and groups listed
303: in their respective C<Runas_List>s. If only the first is specified,
1.11 millert 304: the command may be run as any user in the list but no B<-g> option
1.10 millert 305: may be specified. If the first C<Runas_List> is empty but the
306: second is specified, the command may be run as the invoking user
307: with the group set to any listed in the C<Runas_List>. If no
308: C<Runas_Spec> is specified the command may be run as B<root> and
309: no group may be specified.
310:
311: A C<Runas_Spec> sets the default for the commands that follow it.
312: What this means is that for the entry:
1.1 millert 313:
314: dgb boulder = (operator) /bin/ls, /bin/kill, /usr/bin/lprm
315:
316: The user B<dgb> may run F</bin/ls>, F</bin/kill>, and
317: F</usr/bin/lprm> -- but only as B<operator>. E.g.,
318:
319: $ sudo -u operator /bin/ls.
320:
321: It is also possible to override a C<Runas_Spec> later on in an
322: entry. If we modify the entry like so:
323:
324: dgb boulder = (operator) /bin/ls, (root) /bin/kill, /usr/bin/lprm
325:
326: Then user B<dgb> is now allowed to run F</bin/ls> as B<operator>,
327: but F</bin/kill> and F</usr/bin/lprm> as B<root>.
328:
1.10 millert 329: We can extend this to allow B<dgb> to run C</bin/ls> with either
330: the user or group set to B<operator>:
331:
332: dgb boulder = (operator : operator) /bin/ls, (root) /bin/kill, \
333: /usr/bin/lprm
334:
335: In the following example, user B<tcm> may run commands that access
336: a modem device file with the dialer group. Note that in this example
337: only the group will be set, the command still runs as user B<tcm>.
338:
339: tcm boulder = (:dialer) /usr/bin/tip, /usr/bin/cu, \
340: /usr/local/bin/minicom
341:
1.1 millert 342: =head2 Tag_Spec
343:
344: A command may have zero or more tags associated with it. There are
1.10 millert 345: eight possible tag values, C<NOPASSWD>, C<PASSWD>, C<NOEXEC>, C<EXEC>,
1.1 millert 346: C<SETENV> and C<NOSETENV>.
347: Once a tag is set on a C<Cmnd>, subsequent C<Cmnd>s in the
348: C<Cmnd_Spec_List>, inherit the tag unless it is overridden by the
349: opposite tag (i.e.: C<PASSWD> overrides C<NOPASSWD> and C<NOEXEC>
350: overrides C<EXEC>).
351:
352: =head3 NOPASSWD and PASSWD
353:
354: By default, B<sudo> requires that a user authenticate him or herself
355: before running a command. This behavior can be modified via the
356: C<NOPASSWD> tag. Like a C<Runas_Spec>, the C<NOPASSWD> tag sets
357: a default for the commands that follow it in the C<Cmnd_Spec_List>.
358: Conversely, the C<PASSWD> tag can be used to reverse things.
359: For example:
360:
361: ray rushmore = NOPASSWD: /bin/kill, /bin/ls, /usr/bin/lprm
362:
363: would allow the user B<ray> to run F</bin/kill>, F</bin/ls>, and
1.9 millert 364: F</usr/bin/lprm> as B<root> on the machine rushmore without
1.1 millert 365: authenticating himself. If we only want B<ray> to be able to
366: run F</bin/kill> without a password the entry would be:
367:
368: ray rushmore = NOPASSWD: /bin/kill, PASSWD: /bin/ls, /usr/bin/lprm
369:
370: Note, however, that the C<PASSWD> tag has no effect on users who are
371: in the group specified by the I<exempt_group> option.
372:
373: By default, if the C<NOPASSWD> tag is applied to any of the entries
374: for a user on the current host, he or she will be able to run
375: C<sudo -l> without a password. Additionally, a user may only run
376: C<sudo -v> without a password if the C<NOPASSWD> tag is present
377: for all a user's entries that pertain to the current host.
378: This behavior may be overridden via the verifypw and listpw options.
379:
380: =head3 NOEXEC and EXEC
381:
382: If B<sudo> has been compiled with I<noexec> support and the underlying
383: operating system supports it, the C<NOEXEC> tag can be used to prevent
384: a dynamically-linked executable from running further commands itself.
385:
386: In the following example, user B<aaron> may run F</usr/bin/more>
387: and F</usr/bin/vi> but shell escapes will be disabled.
388:
389: aaron shanty = NOEXEC: /usr/bin/more, /usr/bin/vi
390:
391: See the L<PREVENTING SHELL ESCAPES> section below for more details
392: on how C<NOEXEC> works and whether or not it will work on your system.
393:
394: =head3 SETENV and NOSETENV
395:
396: These tags override the value of the I<setenv> option on a per-command
397: basis. Note that if C<SETENV> has been set for a command, any
398: environment variables set on the command line way are not subject
399: to the restrictions imposed by I<env_check>, I<env_delete>, or
400: I<env_keep>. As such, only trusted users should be allowed to set
1.7 millert 401: variables in this manner. If the command matched is B<ALL>, the
402: C<SETENV> tag is implied for that command; this default may
403: be overridden by use of the C<UNSETENV> tag.
1.1 millert 404:
405: =head2 Wildcards
406:
407: B<sudo> allows shell-style I<wildcards> (aka meta or glob characters)
1.13 millert 408: to be used in hostnames, pathnames and command line arguments in
409: the I<sudoers> file. Wildcard matching is done via the B<POSIX>
410: L<glob(3)> and L<fnmatch(3)> routines. Note that these are I<not>
411: regular expressions.
1.1 millert 412:
413: =over 8
414:
415: =item C<*>
416:
417: Matches any set of zero or more characters.
418:
419: =item C<?>
420:
421: Matches any single character.
422:
423: =item C<[...]>
424:
425: Matches any character in the specified range.
426:
427: =item C<[!...]>
428:
429: Matches any character B<not> in the specified range.
430:
431: =item C<\x>
432:
433: For any character "x", evaluates to "x". This is used to
434: escape special characters such as: "*", "?", "[", and "}".
435:
436: =back
437:
1.13 millert 438: POSIX character classes may also be used if your system's L<glob(3)>
439: and L<fnmatch(3)> functions support them. However, because the
440: C<':'> character has special meaning in I<sudoers>, it must be
441: escaped. For example:
1.10 millert 442:
443: /bin/ls [[\:alpha\:]]*
444:
445: Would match any filename beginning with a letter.
446:
1.1 millert 447: Note that a forward slash ('/') will B<not> be matched by
448: wildcards used in the pathname. When matching the command
449: line arguments, however, a slash B<does> get matched by
450: wildcards. This is to make a path like:
451:
452: /usr/bin/*
453:
454: match F</usr/bin/who> but not F</usr/bin/X11/xterm>.
455:
456: =head2 Exceptions to wildcard rules
457:
458: The following exceptions apply to the above rules:
459:
460: =over 8
461:
462: =item C<"">
463:
464: If the empty string C<""> is the only command line argument in the
465: I<sudoers> entry it means that command is not allowed to be run
466: with B<any> arguments.
467:
468: =back
469:
1.10 millert 470: =head2 Including other files from within sudoers
471:
472: It is possible to include other I<sudoers> files from within the
1.14 millert 473: I<sudoers> file currently being parsed using the C<#include> and
474: C<#includedir> directives.
475:
476: This can be used, for example, to keep a site-wide I<sudoers> file
477: in addition to a local, per-machine file. For the sake of this
478: example the site-wide I<sudoers> will be F</etc/sudoers> and the
479: per-machine one will be F</etc/sudoers.local>. To include
480: F</etc/sudoers.local> from within F</etc/sudoers> we would use the
481: following line in F</etc/sudoers>:
1.10 millert 482:
1.13 millert 483: =over 4
484:
485: C<#include /etc/sudoers.local>
486:
487: =back
1.10 millert 488:
489: When B<sudo> reaches this line it will suspend processing of the
490: current file (F</etc/sudoers>) and switch to F</etc/sudoers.local>.
491: Upon reaching the end of F</etc/sudoers.local>, the rest of
492: F</etc/sudoers> will be processed. Files that are included may
493: themselves include other files. A hard limit of 128 nested include
494: files is enforced to prevent include file loops.
495:
1.13 millert 496: The filename may include the C<%h> escape, signifying the short form
497: of the hostname. I.e., if the machine's hostname is "xerxes", then
498:
1.14 millert 499: C<#include /etc/sudoers.%h>
1.13 millert 500:
501: will cause B<sudo> to include the file F</etc/sudoers.xerxes>.
502:
1.14 millert 503: The C<#includedir> directive can be used to create a F<sudo.d>
504: directory that the system package manager can drop I<sudoers> rules
505: into as part of package installation. For example, given:
506:
507: C<#includedir /etc/sudoers.d>
508:
509: B<sudo> will read each file in F</etc/sudoers.d>, skipping file
510: names that end in C<~> or contain a C<.> character to avoid causing
511: problems with package manager or editor temporary/backup files.
512: Files are parsed in sorted lexical order. That is,
513: F</etc/sudoers.d/01_first> will be parsed before
514: F</etc/sudoers.d/10_second>. Be aware that because the sorting is
515: lexical, not numeric, F</etc/sudoers.d/1_whoops> would be loaded
516: B<after> F</etc/sudoers.d/10_second>. Using a consistent number
517: of leading zeroes in the file names can be used to avoid such
518: problems.
519:
520: Note that unlike files included via C<#include>, B<visudo> will not
521: edit the files in a C<#includedir> directory unless one of them
522: contains a syntax error. It is still possible to run B<visudo>
523: with the C<-f> flag to edit the files directly.
524:
1.1 millert 525: =head2 Other special characters and reserved words
526:
527: The pound sign ('#') is used to indicate a comment (unless it is
528: part of a #include directive or unless it occurs in the context of
529: a user name and is followed by one or more digits, in which case
530: it is treated as a uid). Both the comment character and any text
531: after it, up to the end of the line, are ignored.
532:
533: The reserved word B<ALL> is a built-in I<alias> that always causes
534: a match to succeed. It can be used wherever one might otherwise
535: use a C<Cmnd_Alias>, C<User_Alias>, C<Runas_Alias>, or C<Host_Alias>.
536: You should not try to define your own I<alias> called B<ALL> as the
537: built-in alias will be used in preference to your own. Please note
538: that using B<ALL> can be dangerous since in a command context, it
539: allows the user to run B<any> command on the system.
540:
541: An exclamation point ('!') can be used as a logical I<not> operator
542: both in an I<alias> and in front of a C<Cmnd>. This allows one to
543: exclude certain values. Note, however, that using a C<!> in
544: conjunction with the built-in C<ALL> alias to allow a user to
545: run "all but a few" commands rarely works as intended (see SECURITY
546: NOTES below).
547:
548: Long lines can be continued with a backslash ('\') as the last
549: character on the line.
550:
551: Whitespace between elements in a list as well as special syntactic
552: characters in a I<User Specification> ('=', ':', '(', ')') is optional.
553:
554: The following characters must be escaped with a backslash ('\') when
555: used as part of a word (e.g.E<nbsp>a username or hostname):
556: '@', '!', '=', ':', ',', '(', ')', '\'.
557:
558: =head1 SUDOERS OPTIONS
559:
560: B<sudo>'s behavior can be modified by C<Default_Entry> lines, as
561: explained earlier. A list of all supported Defaults parameters,
562: grouped by type, are listed below.
563:
564: B<Flags>:
565:
1.5 millert 566: =over 16
1.1 millert 567:
568: =item always_set_home
569:
570: If set, B<sudo> will set the C<HOME> environment variable to the home
571: directory of the target user (which is root unless the B<-u> option is used).
1.11 millert 572: This effectively means that the B<-H> option is always implied.
1.1 millert 573: This flag is I<off> by default.
574:
575: =item authenticate
576:
577: If set, users must authenticate themselves via a password (or other
578: means of authentication) before they may run commands. This default
579: may be overridden via the C<PASSWD> and C<NOPASSWD> tags.
580: This flag is I<on> by default.
581:
1.10 millert 582: =item closefrom_override
583:
584: If set, the user may use B<sudo>'s B<-C> option which
585: overrides the default starting point at which B<sudo> begins
586: closing open file descriptors. This flag is I<off> by default.
587:
1.1 millert 588: =item env_editor
589:
590: If set, B<visudo> will use the value of the EDITOR or VISUAL
591: environment variables before falling back on the default editor list.
592: Note that this may create a security hole as it allows the user to
593: run any arbitrary command as root without logging. A safer alternative
594: is to place a colon-separated list of editors in the C<editor>
595: variable. B<visudo> will then only use the EDITOR or VISUAL if
596: they match a value specified in C<editor>. This flag is I<@env_editor@> by
597: default.
598:
599: =item env_reset
600:
601: If set, B<sudo> will reset the environment to only contain the
602: LOGNAME, SHELL, USER, USERNAME and the C<SUDO_*> variables. Any
603: variables in the caller's environment that match the C<env_keep>
604: and C<env_check> lists are then added. The default contents of the
605: C<env_keep> and C<env_check> lists are displayed when B<sudo> is
1.10 millert 606: run by root with the I<-V> option. If the I<secure_path> option
607: is set, its value will be used for the C<PATH> environment variable.
608: This flag is I<on> by default.
1.1 millert 609:
610: =item fqdn
611:
612: Set this flag if you want to put fully qualified hostnames in the
613: I<sudoers> file. I.e., instead of myhost you would use myhost.mydomain.edu.
614: You may still use the short form if you wish (and even mix the two).
615: Beware that turning on I<fqdn> requires B<sudo> to make DNS lookups
616: which may make B<sudo> unusable if DNS stops working (for example
617: if the machine is not plugged into the network). Also note that
618: you must use the host's official name as DNS knows it. That is,
619: you may not use a host alias (C<CNAME> entry) due to performance
620: issues and the fact that there is no way to get all aliases from
621: DNS. If your machine's hostname (as returned by the C<hostname>
622: command) is already fully qualified you shouldn't need to set
623: I<fqdn>. This flag is I<@fqdn@> by default.
624:
625: =item ignore_dot
626:
627: If set, B<sudo> will ignore '.' or '' (current dir) in the C<PATH>
628: environment variable; the C<PATH> itself is not modified. This
1.10 millert 629: flag is I<@ignore_dot@> by default.
1.1 millert 630:
631: =item ignore_local_sudoers
632:
1.9 millert 633: If set via LDAP, parsing of F<@sysconfdir@/sudoers> will be skipped.
1.1 millert 634: This is intended for Enterprises that wish to prevent the usage of local
635: sudoers files so that only LDAP is used. This thwarts the efforts of
1.9 millert 636: rogue operators who would attempt to add roles to F<@sysconfdir@/sudoers>.
637: When this option is present, F<@sysconfdir@/sudoers> does not even need to
638: exist. Since this option tells B<sudo> how to behave when no specific LDAP
639: entries have been matched, this sudoOption is only meaningful for the
640: C<cn=defaults> section. This flag is I<off> by default.
1.1 millert 641:
642: =item insults
643:
644: If set, B<sudo> will insult users when they enter an incorrect
645: password. This flag is I<@insults@> by default.
646:
647: =item log_host
648:
649: If set, the hostname will be logged in the (non-syslog) B<sudo> log file.
650: This flag is I<off> by default.
651:
652: =item log_year
653:
654: If set, the four-digit year will be logged in the (non-syslog) B<sudo> log file.
655: This flag is I<off> by default.
656:
657: =item long_otp_prompt
658:
659: When validating with a One Time Password (OPT) scheme such as
660: B<S/Key> or B<OPIE>, a two-line prompt is used to make it easier
661: to cut and paste the challenge to a local window. It's not as
662: pretty as the default but some people find it more convenient. This
663: flag is I<@long_otp_prompt@> by default.
664:
665: =item mail_always
666:
667: Send mail to the I<mailto> user every time a users runs B<sudo>.
668: This flag is I<off> by default.
669:
670: =item mail_badpass
671:
672: Send mail to the I<mailto> user if the user running B<sudo> does not
673: enter the correct password. This flag is I<off> by default.
674:
675: =item mail_no_host
676:
677: If set, mail will be sent to the I<mailto> user if the invoking
678: user exists in the I<sudoers> file, but is not allowed to run
679: commands on the current host. This flag is I<@mail_no_host@> by default.
680:
681: =item mail_no_perms
682:
683: If set, mail will be sent to the I<mailto> user if the invoking
684: user is allowed to use B<sudo> but the command they are trying is not
685: listed in their I<sudoers> file entry or is explicitly denied.
686: This flag is I<@mail_no_perms@> by default.
687:
688: =item mail_no_user
689:
690: If set, mail will be sent to the I<mailto> user if the invoking
691: user is not in the I<sudoers> file. This flag is I<@mail_no_user@>
692: by default.
693:
694: =item noexec
695:
696: If set, all commands run via B<sudo> will behave as if the C<NOEXEC>
697: tag has been set, unless overridden by a C<EXEC> tag. See the
698: description of I<NOEXEC and EXEC> below as well as the L<PREVENTING SHELL
699: ESCAPES> section at the end of this manual. This flag is I<off> by default.
700:
701: =item path_info
702:
703: Normally, B<sudo> will tell the user when a command could not be
704: found in their C<PATH> environment variable. Some sites may wish
705: to disable this as it could be used to gather information on the
706: location of executables that the normal user does not have access
707: to. The disadvantage is that if the executable is simply not in
708: the user's C<PATH>, B<sudo> will tell the user that they are not
709: allowed to run it, which can be confusing. This flag is I<@path_info@>
710: by default.
1.7 millert 711:
712: =item passprompt_override
713:
714: The password prompt specified by I<passprompt> will normally only
715: be used if the passwod prompt provided by systems such as PAM matches
716: the string "Password:". If I<passprompt_override> is set, I<passprompt>
717: will always be used. This flag is I<off> by default.
1.1 millert 718:
719: =item preserve_groups
720:
1.13 millert 721: By default, B<sudo> will initialize the group vector to the list of
1.1 millert 722: groups the target user is in. When I<preserve_groups> is set, the
723: user's existing group vector is left unaltered. The real and
724: effective group IDs, however, are still set to match the target
725: user. This flag is I<off> by default.
726:
1.13 millert 727: =item pwfeedback
728:
729: By default, B<sudo> reads the password like most other Unix programs,
730: by turning off echo until the user hits the return (or enter) key.
731: Some users become confused by this as it appears to them that B<sudo>
732: has hung at this point. When I<pwfeedback> is set, B<sudo> will
733: provide visual feedback when the user presses a key. Note that
734: this does have a security impact as an onlooker may be able to
735: determine the length of the password being entered.
736: This flag is I<off> by default.
737:
1.1 millert 738: =item requiretty
739:
740: If set, B<sudo> will only run when the user is logged in to a real
1.10 millert 741: tty. When this flag is set, B<sudo> can only be run from a login
742: session and not via other means such as L<cron(8)> or cgi-bin scripts.
743: This flag is I<off> by default.
1.1 millert 744:
745: =item root_sudo
746:
747: If set, root is allowed to run B<sudo> too. Disabling this prevents users
748: from "chaining" B<sudo> commands to get a root shell by doing something
749: like C<"sudo sudo /bin/sh">. Note, however, that turning off I<root_sudo>
750: will also prevent root and from running B<sudoedit>.
751: Disabling I<root_sudo> provides no real additional security; it
752: exists purely for historical reasons.
753: This flag is I<@root_sudo@> by default.
754:
755: =item rootpw
756:
757: If set, B<sudo> will prompt for the root password instead of the password
758: of the invoking user. This flag is I<off> by default.
759:
760: =item runaspw
761:
762: If set, B<sudo> will prompt for the password of the user defined by the
763: I<runas_default> option (defaults to C<@runas_default@>) instead of the
764: password of the invoking user. This flag is I<off> by default.
765:
766: =item set_home
767:
1.11 millert 768: If set and B<sudo> is invoked with the B<-s> option the C<HOME>
1.1 millert 769: environment variable will be set to the home directory of the target
770: user (which is root unless the B<-u> option is used). This effectively
1.11 millert 771: makes the B<-s> option imply B<-H>. This flag is I<off> by default.
1.1 millert 772:
773: =item set_logname
774:
775: Normally, B<sudo> will set the C<LOGNAME>, C<USER> and C<USERNAME>
776: environment variables to the name of the target user (usually root
1.11 millert 777: unless the B<-u> option is given). However, since some programs
1.1 millert 778: (including the RCS revision control system) use C<LOGNAME> to
779: determine the real identity of the user, it may be desirable to
780: change this behavior. This can be done by negating the set_logname
781: option. Note that if the I<env_reset> option has not been disabled,
782: entries in the I<env_keep> list will override the value of
783: I<set_logname>. This flag is I<off> by default.
784:
785: =item setenv
786:
787: Allow the user to disable the I<env_reset> option from the command
788: line. Additionally, environment variables set via the command line
789: are not subject to the restrictions imposed by I<env_check>,
790: I<env_delete>, or I<env_keep>. As such, only trusted users should
791: be allowed to set variables in this manner. This flag is I<off>
792: by default.
793:
794: =item shell_noargs
795:
796: If set and B<sudo> is invoked with no arguments it acts as if the
1.11 millert 797: B<-s> option had been given. That is, it runs a shell as root (the
1.1 millert 798: shell is determined by the C<SHELL> environment variable if it is
799: set, falling back on the shell listed in the invoking user's
800: /etc/passwd entry if not). This flag is I<off> by default.
801:
1.13 millert 802: =item fast_glob
803:
804: Normally, B<sudo> uses the L<glob(3)> function to do shell-style
805: globbing when matching pathnames. However, since it accesses the
806: file system, L<glob(3)> can take a long time to complete for some
807: patterns, especially when the pattern references a network file
808: system that is mounted on demand (automounted). The I<fast_glob>
809: option causes B<sudo> to use the L<fnmatch(3)> function, which does
810: not access the file system to do its matching. The disadvantage
811: of I<fast_glob> is that it is unable to match relative pathnames
812: such as F<./ls> or F<../bin/ls>. This flag is I<off> by default.
813:
1.1 millert 814: =item stay_setuid
815:
816: Normally, when B<sudo> executes a command the real and effective
817: UIDs are set to the target user (root by default). This option
818: changes that behavior such that the real UID is left as the invoking
819: user's UID. In other words, this makes B<sudo> act as a setuid
820: wrapper. This can be useful on systems that disable some potentially
821: dangerous functionality when a program is run setuid. This option
822: is only effective on systems with either the setreuid() or setresuid()
823: function. This flag is I<off> by default.
824:
825: =item targetpw
826:
827: If set, B<sudo> will prompt for the password of the user specified by
1.11 millert 828: the B<-u> option (defaults to C<root>) instead of the password of the
1.1 millert 829: invoking user. Note that this precludes the use of a uid not listed
1.11 millert 830: in the passwd database as an argument to the B<-u> option.
1.1 millert 831: This flag is I<off> by default.
832:
833: =item tty_tickets
834:
835: If set, users must authenticate on a per-tty basis. Normally,
836: B<sudo> uses a directory in the ticket dir with the same name as
837: the user running it. With this flag enabled, B<sudo> will use a
838: file named for the tty the user is logged in on in that directory.
839: This flag is I<@tty_tickets@> by default.
840:
1.13 millert 841: =item umask_override
842:
843: If set, B<sudo> will set the umask as specified by I<sudoers> without
844: modification. This makes it possible to specify a more permissive
845: umask in I<sudoers> than the user's own umask and matches historical
846: behavior. If I<umask_override> is not set, B<sudo> will set the
847: umask to be the union of the user's umask and what is specified in
848: I<sudoers>. This flag is I<off> by default.
849:
1.1 millert 850: =item use_loginclass
851:
852: If set, B<sudo> will apply the defaults specified for the target user's
853: login class if one exists. Only available if B<sudo> is configured with
854: the --with-logincap option. This flag is I<off> by default.
855:
1.10 millert 856: =item visiblepw
857:
858: By default, B<sudo> will refuse to run if the user must enter a
859: password but it is not possible to disable echo on the terminal.
860: If the I<visiblepw> flag is set, B<sudo> will prompt for a password
861: even when it would be visible on the screen. This makes it possible
862: to run things like C<"rsh somehost sudo ls"> since L<rsh(1)> does
863: not allocate a tty. This flag is I<off> by default.
864:
1.1 millert 865: =back
866:
867: B<Integers>:
868:
1.5 millert 869: =over 16
1.1 millert 870:
1.10 millert 871: =item closefrom
872:
873: Before it executes a command, B<sudo> will close all open file
874: descriptors other than standard input, standard output and standard
875: error (ie: file descriptors 0-2). The I<closefrom> option can be used
876: to specify a different file descriptor at which to start closing.
877: The default is C<3>.
878:
1.1 millert 879: =item passwd_tries
880:
881: The number of tries a user gets to enter his/her password before
882: B<sudo> logs the failure and exits. The default is C<@passwd_tries@>.
883:
884: =back
885:
886: B<Integers that can be used in a boolean context>:
887:
1.5 millert 888: =over 16
1.1 millert 889:
890: =item loglinelen
891:
892: Number of characters per line for the file log. This value is used
893: to decide when to wrap lines for nicer log files. This has no
894: effect on the syslog log file, only the file log. The default is
895: C<@loglen@> (use 0 or negate the option to disable word wrap).
896:
897: =item passwd_timeout
898:
899: Number of minutes before the B<sudo> password prompt times out.
900: The default is C<@password_timeout@>; set this to C<0> for no password timeout.
901:
902: =item timestamp_timeout
903:
904: Number of minutes that can elapse before B<sudo> will ask for a
905: passwd again. The default is C<@timeout@>. Set this to C<0> to always
906: prompt for a password.
907: If set to a value less than C<0> the user's timestamp will never
908: expire. This can be used to allow users to create or delete their
909: own timestamps via C<sudo -v> and C<sudo -k> respectively.
910:
911: =item umask
912:
913: Umask to use when running the command. Negate this option or set
1.10 millert 914: it to 0777 to preserve the user's umask. The actual umask that is
915: used will be the union of the user's umask and C<@sudo_umask@>.
916: This guarantees that B<sudo> never lowers the umask when running a
917: command. Note on systems that use PAM, the default PAM configuration
918: may specify its own umask which will override the value set in
919: I<sudoers>.
1.1 millert 920:
921: =back
922:
923: B<Strings>:
924:
1.5 millert 925: =over 16
1.1 millert 926:
927: =item badpass_message
928:
929: Message that is displayed if a user enters an incorrect password.
930: The default is C<@badpass_message@> unless insults are enabled.
931:
932: =item editor
933:
934: A colon (':') separated list of editors allowed to be used with
935: B<visudo>. B<visudo> will choose the editor that matches the user's
936: EDITOR environment variable if possible, or the first editor in the
937: list that exists and is executable. The default is the path to vi
938: on your system.
939:
940: =item mailsub
941:
942: Subject of the mail sent to the I<mailto> user. The escape C<%h>
943: will expand to the hostname of the machine.
944: Default is C<@mailsub@>.
945:
946: =item noexec_file
947:
948: Path to a shared library containing dummy versions of the execv(),
949: execve() and fexecve() library functions that just return an error.
950: This is used to implement the I<noexec> functionality on systems that
951: support C<LD_PRELOAD> or its equivalent. Defaults to F<@noexec_file@>.
952:
953: =item passprompt
954:
955: The default prompt to use when asking for a password; can be overridden
956: via the B<-p> option or the C<SUDO_PROMPT> environment variable.
957: The following percent (`C<%>') escapes are supported:
958:
1.5 millert 959: =over 4
1.1 millert 960:
961: =item C<%H>
962:
963: expanded to the local hostname including the domain name
964: (on if the machine's hostname is fully qualified or the I<fqdn>
965: option is set)
966:
967: =item C<%h>
968:
969: expanded to the local hostname without the domain name
1.8 millert 970:
971: =item C<%p>
972:
973: expanded to the user whose password is being asked for (respects the
974: I<rootpw>, I<targetpw> and I<runaspw> flags in I<sudoers>)
1.1 millert 975:
976: =item C<%U>
977:
978: expanded to the login name of the user the command will
979: be run as (defaults to root)
980:
981: =item C<%u>
982:
983: expanded to the invoking user's login name
984:
985: =item C<%%>
986:
987: two consecutive C<%> characters are collapsed into a single C<%> character
988:
989: =back
990:
991: The default value is C<@passprompt@>.
992:
1.16 ! millert 993: =item role
! 994:
! 995: The default SELinux role to use when constructing a new security
! 996: context to run the command. The default role may be overridden on
! 997: a per-command basis in I<sudoers> or via command line options.
! 998: This option is only available whe B<sudo> is built with SELinux support.
! 999:
1.1 millert 1000: =item runas_default
1001:
1.11 millert 1002: The default user to run commands as if the B<-u> option is not specified
1.1 millert 1003: on the command line. This defaults to C<@runas_default@>.
1004: Note that if I<runas_default> is set it B<must> occur before
1005: any C<Runas_Alias> specifications.
1006:
1007: =item syslog_badpri
1008:
1009: Syslog priority to use when user authenticates unsuccessfully.
1010: Defaults to C<@badpri@>.
1011:
1012: =item syslog_goodpri
1013:
1014: Syslog priority to use when user authenticates successfully.
1015: Defaults to C<@goodpri@>.
1016:
1.10 millert 1017: =item sudoers_locale
1018:
1019: Locale to use when parsing the sudoers file. Note that changing
1020: the locale may affect how sudoers is interpreted.
1021: Defaults to C<"C">.
1022:
1.1 millert 1023: =item timestampdir
1024:
1025: The directory in which B<sudo> stores its timestamp files.
1026: The default is F<@timedir@>.
1027:
1028: =item timestampowner
1029:
1030: The owner of the timestamp directory and the timestamps stored therein.
1031: The default is C<root>.
1.16 ! millert 1032:
! 1033: =item type
! 1034:
! 1035: The default SELinux type to use when constructing a new security
! 1036: context to run the command. The default type may be overridden on
! 1037: a per-command basis in I<sudoers> or via command line options.
! 1038: This option is only available whe B<sudo> is built with SELinux support.
1.1 millert 1039:
1040: =back
1041:
1042: B<Strings that can be used in a boolean context>:
1043:
1044: =over 12
1045:
1.10 millert 1046: =item askpass
1047:
1.12 millert 1048: The I<askpass> option specifies the fully qualified path to a helper
1.10 millert 1049: program used to read the user's password when no terminal is
1050: available. This may be the case when B<sudo> is executed from a
1051: graphical (as opposed to text-based) application. The program
1052: specified by I<askpass> should display the argument passed to it
1053: as the prompt and write the user's password to the standard output.
1054: The value of I<askpass> may be overridden by the C<SUDO_ASKPASS>
1055: environment variable.
1056:
1057: =item env_file
1058:
1.15 millert 1059: The I<env_file> options specifies the fully qualified path to a
1060: file containing variables to be set in the environment of the program
1061: being run. Entries in this file should either be of the form
1062: C<VARIABLE=value> or C<export VARIABLE=value>. The value may
1063: optionally be surrounded by single or double quotes. Variables in
1064: this file are subject to other B<sudo> environment settings such
1065: as I<env_keep> and I<env_check>.
1.10 millert 1066:
1.1 millert 1067: =item exempt_group
1068:
1069: Users in this group are exempt from password and PATH requirements.
1070: This is not set by default.
1071:
1072: =item lecture
1073:
1074: This option controls when a short lecture will be printed along with
1075: the password prompt. It has the following possible values:
1076:
1077: =over 8
1078:
1079: =item always
1080:
1081: Always lecture the user.
1082:
1083: =item never
1084:
1085: Never lecture the user.
1086:
1087: =item once
1088:
1089: Only lecture the user the first time they run B<sudo>.
1090:
1091: =back
1092:
1093: If no value is specified, a value of I<once> is implied.
1094: Negating the option results in a value of I<never> being used.
1095: The default value is I<@lecture@>.
1096:
1097: =item lecture_file
1098:
1099: Path to a file containing an alternate B<sudo> lecture that will
1100: be used in place of the standard lecture if the named file exists.
1101: By default, B<sudo> uses a built-in lecture.
1102:
1103: =item listpw
1104:
1105: This option controls when a password will be required when a
1.11 millert 1106: user runs B<sudo> with the B<-l> option. It has the following possible values:
1.1 millert 1107:
1108: =over 8
1109:
1110: =item all
1111:
1112: All the user's I<sudoers> entries for the current host must have
1113: the C<NOPASSWD> flag set to avoid entering a password.
1114:
1115: =item always
1116:
1.11 millert 1117: The user must always enter a password to use the B<-l> option.
1.1 millert 1118:
1119: =item any
1120:
1121: At least one of the user's I<sudoers> entries for the current host
1122: must have the C<NOPASSWD> flag set to avoid entering a password.
1123:
1124: =item never
1125:
1.11 millert 1126: The user need never enter a password to use the B<-l> option.
1.1 millert 1127:
1128: =back
1129:
1130: If no value is specified, a value of I<any> is implied.
1131: Negating the option results in a value of I<never> being used.
1132: The default value is I<any>.
1133:
1134: =item logfile
1135:
1136: Path to the B<sudo> log file (not the syslog log file). Setting a path
1137: turns on logging to a file; negating this option turns it off.
1138: By default, B<sudo> logs via syslog.
1139:
1140: =item mailerflags
1141:
1142: Flags to use when invoking mailer. Defaults to B<-t>.
1143:
1144: =item mailerpath
1145:
1146: Path to mail program used to send warning mail.
1147: Defaults to the path to sendmail found at configure time.
1148:
1.10 millert 1149: =item mailfrom
1150:
1151: Address to use for the "from" address when sending warning and error
1152: mail. The address should be enclosed in double quotes (C<">) to
1153: protect against B<sudo> interpreting the C<@> sign. Defaults to
1154: the name of the user running B<sudo>.
1155:
1.1 millert 1156: =item mailto
1157:
1158: Address to send warning and error mail to. The address should
1159: be enclosed in double quotes (C<">) to protect against B<sudo>
1160: interpreting the C<@> sign. Defaults to C<@mailto@>.
1161:
1.10 millert 1162: =item secure_path
1163:
1164: Path used for every command run from B<sudo>. If you don't trust the
1165: people running B<sudo> to have a sane C<PATH> environment variable you may
1166: want to use this. Another use is if you want to have the "root path"
1167: be separate from the "user path." Users in the group specified by the
1168: I<exempt_group> option are not affected by I<secure_path>.
1169: This is not set by default.
1170:
1.1 millert 1171: =item syslog
1172:
1173: Syslog facility if syslog is being used for logging (negate to
1174: disable syslog logging). Defaults to C<@logfac@>.
1175:
1176: =item verifypw
1177:
1178: This option controls when a password will be required when a user runs
1.11 millert 1179: B<sudo> with the B<-v> option. It has the following possible values:
1.1 millert 1180:
1181: =over 8
1182:
1183: =item all
1184:
1185: All the user's I<sudoers> entries for the current host must have
1186: the C<NOPASSWD> flag set to avoid entering a password.
1187:
1188: =item always
1189:
1.11 millert 1190: The user must always enter a password to use the B<-v> option.
1.1 millert 1191:
1192: =item any
1193:
1194: At least one of the user's I<sudoers> entries for the current host
1195: must have the C<NOPASSWD> flag set to avoid entering a password.
1196:
1197: =item never
1198:
1.11 millert 1199: The user need never enter a password to use the B<-v> option.
1.1 millert 1200:
1201: =back
1202:
1203: If no value is specified, a value of I<all> is implied.
1204: Negating the option results in a value of I<never> being used.
1205: The default value is I<all>.
1206:
1207: =back
1208:
1209: B<Lists that can be used in a boolean context>:
1210:
1.5 millert 1211: =over 16
1.1 millert 1212:
1213: =item env_check
1214:
1215: Environment variables to be removed from the user's environment if
1216: the variable's value contains C<%> or C</> characters. This can
1217: be used to guard against printf-style format vulnerabilities in
1218: poorly-written programs. The argument may be a double-quoted,
1219: space-separated list or a single value without double-quotes. The
1220: list can be replaced, added to, deleted from, or disabled by using
1221: the C<=>, C<+=>, C<-=>, and C<!> operators respectively. Regardless
1222: of whether the C<env_reset> option is enabled or disabled, variables
1223: specified by C<env_check> will be preserved in the environment if
1224: they pass the aforementioned check. The default list of environment
1225: variables to check is displayed when B<sudo> is run by root with
1226: the I<-V> option.
1227:
1228: =item env_delete
1229:
1.15 millert 1230: Environment variables to be removed from the user's environment
1231: when the I<env_reset> option is not in effect. The argument may
1232: be a double-quoted, space-separated list or a single value without
1233: double-quotes. The list can be replaced, added to, deleted from,
1234: or disabled by using the C<=>, C<+=>, C<-=>, and C<!> operators
1235: respectively. The default list of environment variables to remove
1236: is displayed when B<sudo> is run by root with the I<-V> option.
1237: Note that many operating systems will remove potentially dangerous
1238: variables from the environment of any setuid process (such as
1239: B<sudo>).
1.1 millert 1240:
1241: =item env_keep
1242:
1243: Environment variables to be preserved in the user's environment
1244: when the I<env_reset> option is in effect. This allows fine-grained
1245: control over the environment B<sudo>-spawned processes will receive.
1246: The argument may be a double-quoted, space-separated list or a
1247: single value without double-quotes. The list can be replaced, added
1248: to, deleted from, or disabled by using the C<=>, C<+=>, C<-=>, and
1249: C<!> operators respectively. The default list of variables to keep
1250: is displayed when B<sudo> is run by root with the I<-V> option.
1251:
1252: =back
1253:
1254: When logging via L<syslog(3)>, B<sudo> accepts the following values
1255: for the syslog facility (the value of the B<syslog> Parameter):
1256: B<authpriv> (if your OS supports it), B<auth>, B<daemon>, B<user>,
1257: B<local0>, B<local1>, B<local2>, B<local3>, B<local4>, B<local5>,
1258: B<local6>, and B<local7>. The following syslog priorities are
1259: supported: B<alert>, B<crit>, B<debug>, B<emerg>, B<err>, B<info>,
1260: B<notice>, and B<warning>.
1261:
1262: =head1 FILES
1263:
1.9 millert 1264: =over 24
1265:
1266: =item F<@sysconfdir@/sudoers>
1.4 millert 1267:
1.3 millert 1268: List of who can run what
1269:
1.9 millert 1270: =item F</etc/group>
1271:
1.3 millert 1272: Local groups file
1273:
1.9 millert 1274: =item F</etc/netgroup>
1275:
1.3 millert 1276: List of network groups
1.4 millert 1277:
1278: =back
1.1 millert 1279:
1280: =head1 EXAMPLES
1281:
1282: Below are example I<sudoers> entries. Admittedly, some of
1283: these are a bit contrived. First, we define our I<aliases>:
1284:
1285: # User alias specification
1286: User_Alias FULLTIMERS = millert, mikef, dowdy
1287: User_Alias PARTTIMERS = bostley, jwfox, crawl
1288: User_Alias WEBMASTERS = will, wendy, wim
1289:
1290: # Runas alias specification
1291: Runas_Alias OP = root, operator
1292: Runas_Alias DB = oracle, sybase
1.14 millert 1293: Runas_Alias ADMINGRP = adm, oper
1.1 millert 1294:
1295: # Host alias specification
1296: Host_Alias SPARC = bigtime, eclipse, moet, anchor :\
1297: SGI = grolsch, dandelion, black :\
1298: ALPHA = widget, thalamus, foobar :\
1299: HPPA = boa, nag, python
1300: Host_Alias CUNETS = 128.138.0.0/255.255.0.0
1301: Host_Alias CSNETS = 128.138.243.0, 128.138.204.0/24, 128.138.242.0
1302: Host_Alias SERVERS = master, mail, www, ns
1303: Host_Alias CDROM = orion, perseus, hercules
1304:
1305: # Cmnd alias specification
1306: Cmnd_Alias DUMPS = /usr/bin/mt, /usr/sbin/dump, /usr/sbin/rdump,\
1307: /usr/sbin/restore, /usr/sbin/rrestore
1308: Cmnd_Alias KILL = /usr/bin/kill
1309: Cmnd_Alias PRINTING = /usr/sbin/lpc, /usr/bin/lprm
1310: Cmnd_Alias SHUTDOWN = /usr/sbin/shutdown
1311: Cmnd_Alias HALT = /usr/sbin/halt
1312: Cmnd_Alias REBOOT = /usr/sbin/reboot
1313: Cmnd_Alias SHELLS = /usr/bin/sh, /usr/bin/csh, /usr/bin/ksh, \
1314: /usr/local/bin/tcsh, /usr/bin/rsh, \
1315: /usr/local/bin/zsh
1316: Cmnd_Alias SU = /usr/bin/su
1.5 millert 1317: Cmnd_Alias PAGERS = /usr/bin/more, /usr/bin/pg, /usr/bin/less
1.1 millert 1318:
1319: Here we override some of the compiled in default values. We want
1320: B<sudo> to log via L<syslog(3)> using the I<auth> facility in all
1321: cases. We don't want to subject the full time staff to the B<sudo>
1322: lecture, user B<millert> need not give a password, and we don't
1323: want to reset the C<LOGNAME>, C<USER> or C<USERNAME> environment
1324: variables when running commands as root. Additionally, on the
1325: machines in the I<SERVERS> C<Host_Alias>, we keep an additional
1326: local log file and make sure we log the year in each log line since
1.5 millert 1327: the log entries will be kept around for several years. Lastly, we
1328: disable shell escapes for the commands in the PAGERS C<Cmnd_Alias>
1329: (F</usr/bin/more>, F</usr/bin/pg> and F</usr/bin/less>).
1.1 millert 1330:
1331: # Override built-in defaults
1332: Defaults syslog=auth
1333: Defaults>root !set_logname
1334: Defaults:FULLTIMERS !lecture
1335: Defaults:millert !authenticate
1336: Defaults@SERVERS log_year, logfile=/var/log/sudo.log
1337: Defaults!PAGERS noexec
1338:
1339: The I<User specification> is the part that actually determines who may
1340: run what.
1341:
1342: root ALL = (ALL) ALL
1343: %wheel ALL = (ALL) ALL
1344:
1345: We let B<root> and any user in group B<wheel> run any command on any
1346: host as any user.
1347:
1348: FULLTIMERS ALL = NOPASSWD: ALL
1349:
1350: Full time sysadmins (B<millert>, B<mikef>, and B<dowdy>) may run any
1351: command on any host without authenticating themselves.
1352:
1353: PARTTIMERS ALL = ALL
1354:
1355: Part time sysadmins (B<bostley>, B<jwfox>, and B<crawl>) may run any
1356: command on any host but they must authenticate themselves first
1357: (since the entry lacks the C<NOPASSWD> tag).
1358:
1359: jack CSNETS = ALL
1360:
1361: The user B<jack> may run any command on the machines in the I<CSNETS> alias
1362: (the networks C<128.138.243.0>, C<128.138.204.0>, and C<128.138.242.0>).
1363: Of those networks, only C<128.138.204.0> has an explicit netmask (in
1364: CIDR notation) indicating it is a class C network. For the other
1365: networks in I<CSNETS>, the local machine's netmask will be used
1366: during matching.
1367:
1368: lisa CUNETS = ALL
1369:
1370: The user B<lisa> may run any command on any host in the I<CUNETS> alias
1371: (the class B network C<128.138.0.0>).
1372:
1373: operator ALL = DUMPS, KILL, SHUTDOWN, HALT, REBOOT, PRINTING,\
1374: sudoedit /etc/printcap, /usr/oper/bin/
1375:
1376: The B<operator> user may run commands limited to simple maintenance.
1377: Here, those are commands related to backups, killing processes, the
1378: printing system, shutting down the system, and any commands in the
1379: directory F</usr/oper/bin/>.
1380:
1381: joe ALL = /usr/bin/su operator
1382:
1383: The user B<joe> may only L<su(1)> to operator.
1384:
1.10 millert 1385: pete HPPA = /usr/bin/passwd [A-Za-z]*, !/usr/bin/passwd root
1.14 millert 1386:
1387: %opers ALL = (: ADMINGRP) /usr/sbin/
1388:
1389: Users in the B<opers> group may run commands in F</usr/sbin/> as themselves
1390: with any group in the I<ADMINGRP> C<Runas_Alias> (the B<adm> and B<oper>
1391: groups).
1.1 millert 1392:
1393: The user B<pete> is allowed to change anyone's password except for
1394: root on the I<HPPA> machines. Note that this assumes L<passwd(1)>
1395: does not take multiple usernames on the command line.
1396:
1397: bob SPARC = (OP) ALL : SGI = (OP) ALL
1398:
1399: The user B<bob> may run anything on the I<SPARC> and I<SGI> machines
1400: as any user listed in the I<OP> C<Runas_Alias> (B<root> and B<operator>).
1401:
1402: jim +biglab = ALL
1403:
1404: The user B<jim> may run any command on machines in the I<biglab> netgroup.
1405: B<sudo> knows that "biglab" is a netgroup due to the '+' prefix.
1406:
1407: +secretaries ALL = PRINTING, /usr/bin/adduser, /usr/bin/rmuser
1408:
1409: Users in the B<secretaries> netgroup need to help manage the printers
1410: as well as add and remove users, so they are allowed to run those
1411: commands on all machines.
1412:
1413: fred ALL = (DB) NOPASSWD: ALL
1414:
1415: The user B<fred> can run commands as any user in the I<DB> C<Runas_Alias>
1416: (B<oracle> or B<sybase>) without giving a password.
1417:
1418: john ALPHA = /usr/bin/su [!-]*, !/usr/bin/su *root*
1419:
1420: On the I<ALPHA> machines, user B<john> may su to anyone except root
1.11 millert 1421: but he is not allowed to specify any options to the L<su(1)> command.
1.1 millert 1422:
1423: jen ALL, !SERVERS = ALL
1424:
1425: The user B<jen> may run any command on any machine except for those
1426: in the I<SERVERS> C<Host_Alias> (master, mail, www and ns).
1427:
1428: jill SERVERS = /usr/bin/, !SU, !SHELLS
1429:
1430: For any machine in the I<SERVERS> C<Host_Alias>, B<jill> may run
1.5 millert 1431: any commands in the directory F</usr/bin/> except for those commands
1.1 millert 1432: belonging to the I<SU> and I<SHELLS> C<Cmnd_Aliases>.
1433:
1434: steve CSNETS = (operator) /usr/local/op_commands/
1435:
1436: The user B<steve> may run any command in the directory /usr/local/op_commands/
1437: but only as user operator.
1438:
1439: matt valkyrie = KILL
1440:
1441: On his personal workstation, valkyrie, B<matt> needs to be able to
1442: kill hung processes.
1443:
1444: WEBMASTERS www = (www) ALL, (root) /usr/bin/su www
1445:
1446: On the host www, any user in the I<WEBMASTERS> C<User_Alias> (will,
1447: wendy, and wim), may run any command as user www (which owns the
1448: web pages) or simply L<su(1)> to www.
1449:
1450: ALL CDROM = NOPASSWD: /sbin/umount /CDROM,\
1451: /sbin/mount -o nosuid\,nodev /dev/cd0a /CDROM
1452:
1453: Any user may mount or unmount a CD-ROM on the machines in the CDROM
1454: C<Host_Alias> (orion, perseus, hercules) without entering a password.
1455: This is a bit tedious for users to type, so it is a prime candidate
1456: for encapsulating in a shell script.
1457:
1458: =head1 SECURITY NOTES
1459:
1460: It is generally not effective to "subtract" commands from C<ALL>
1461: using the '!' operator. A user can trivially circumvent this
1462: by copying the desired command to a different name and then
1463: executing that. For example:
1464:
1465: bill ALL = ALL, !SU, !SHELLS
1466:
1467: Doesn't really prevent B<bill> from running the commands listed in
1468: I<SU> or I<SHELLS> since he can simply copy those commands to a
1469: different name, or use a shell escape from an editor or other
1470: program. Therefore, these kind of restrictions should be considered
1471: advisory at best (and reinforced by policy).
1472:
1473: =head1 PREVENTING SHELL ESCAPES
1474:
1475: Once B<sudo> executes a program, that program is free to do whatever
1476: it pleases, including run other programs. This can be a security
1477: issue since it is not uncommon for a program to allow shell escapes,
1478: which lets a user bypass B<sudo>'s access control and logging.
1479: Common programs that permit shell escapes include shells (obviously),
1480: editors, paginators, mail and terminal programs.
1481:
1482: There are two basic approaches to this problem:
1483:
1484: =over 10
1485:
1486: =item restrict
1487:
1488: Avoid giving users access to commands that allow the user to run
1489: arbitrary commands. Many editors have a restricted mode where shell
1490: escapes are disabled, though B<sudoedit> is a better solution to
1491: running editors via B<sudo>. Due to the large number of programs that
1492: offer shell escapes, restricting users to the set of programs that
1493: do not if often unworkable.
1494:
1495: =item noexec
1496:
1497: Many systems that support shared libraries have the ability to
1498: override default library functions by pointing an environment
1499: variable (usually C<LD_PRELOAD>) to an alternate shared library.
1500: On such systems, B<sudo>'s I<noexec> functionality can be used to
1501: prevent a program run by B<sudo> from executing any other programs.
1502: Note, however, that this applies only to native dynamically-linked
1503: executables. Statically-linked executables and foreign executables
1504: running under binary emulation are not affected.
1505:
1506: To tell whether or not B<sudo> supports I<noexec>, you can run
1507: the following as root:
1508:
1509: sudo -V | grep "dummy exec"
1510:
1511: If the resulting output contains a line that begins with:
1512:
1513: File containing dummy exec functions:
1514:
1515: then B<sudo> may be able to replace the exec family of functions
1516: in the standard library with its own that simply return an error.
1517: Unfortunately, there is no foolproof way to know whether or not
1518: I<noexec> will work at compile-time. I<noexec> should work on
1519: SunOS, Solaris, *BSD, Linux, IRIX, Tru64 UNIX, MacOS X, and HP-UX
1520: 11.x. It is known B<not> to work on AIX and UnixWare. I<noexec>
1521: is expected to work on most operating systems that support the
1522: C<LD_PRELOAD> environment variable. Check your operating system's
1523: manual pages for the dynamic linker (usually ld.so, ld.so.1, dyld,
1524: dld.sl, rld, or loader) to see if C<LD_PRELOAD> is supported.
1525:
1526: To enable I<noexec> for a command, use the C<NOEXEC> tag as documented
1527: in the User Specification section above. Here is that example again:
1528:
1529: aaron shanty = NOEXEC: /usr/bin/more, /usr/bin/vi
1530:
1531: This allows user B<aaron> to run F</usr/bin/more> and F</usr/bin/vi>
1532: with I<noexec> enabled. This will prevent those two commands from
1533: executing other commands (such as a shell). If you are unsure
1534: whether or not your system is capable of supporting I<noexec> you
1535: can always just try it out and see if it works.
1536:
1537: =back
1538:
1539: Note that restricting shell escapes is not a panacea. Programs
1540: running as root are still capable of many potentially hazardous
1541: operations (such as changing or overwriting files) that could lead
1542: to unintended privilege escalation. In the specific case of an
1543: editor, a safer approach is to give the user permission to run
1544: B<sudoedit>.
1545:
1546: =head1 SEE ALSO
1547:
1.13 millert 1548: L<rsh(1)>, L<su(1)>, L<fnmatch(3)>, L<glob(3)>, L<sudo(8)>, L<visudo(8)>
1.1 millert 1549:
1550: =head1 CAVEATS
1551:
1552: The I<sudoers> file should B<always> be edited by the B<visudo>
1553: command which locks the file and does grammatical checking. It is
1554: imperative that I<sudoers> be free of syntax errors since B<sudo>
1555: will not run with a syntactically incorrect I<sudoers> file.
1556:
1557: When using netgroups of machines (as opposed to users), if you
1558: store fully qualified hostnames in the netgroup (as is usually the
1559: case), you either need to have the machine's hostname be fully qualified
1560: as returned by the C<hostname> command or use the I<fqdn> option in
1561: I<sudoers>.
1562:
1563: =head1 BUGS
1564:
1565: If you feel you have found a bug in B<sudo>, please submit a bug report
1566: at http://www.sudo.ws/sudo/bugs/
1567:
1568: =head1 SUPPORT
1569:
1570: Limited free support is available via the sudo-users mailing list,
1571: see http://www.sudo.ws/mailman/listinfo/sudo-users to subscribe or
1572: search the archives.
1573:
1574: =head1 DISCLAIMER
1575:
1576: B<sudo> is provided ``AS IS'' and any express or implied warranties,
1577: including, but not limited to, the implied warranties of merchantability
1578: and fitness for a particular purpose are disclaimed. See the LICENSE
1579: file distributed with B<sudo> or http://www.sudo.ws/sudo/license.html
1580: for complete details.