Annotation of src/usr.bin/sudo/sudoers.pod, Revision 1.4
1.1 millert 1: =cut
2: Copyright (c) 1994-1996,1998-2005 Todd C. Miller <Todd.Miller@courtesan.com>
3:
4: Permission to use, copy, modify, and distribute this software for any
5: purpose with or without fee is hereby granted, provided that the above
6: copyright notice and this permission notice appear in all copies.
7:
8: THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
9: WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
10: MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
11: ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
12: WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
13: ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
14: OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
15: ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
16:
17: Sponsored in part by the Defense Advanced Research Projects
18: Agency (DARPA) and Air Force Research Laboratory, Air Force
19: Materiel Command, USAF, under agreement number F39502-99-1-0512.
20:
1.3 millert 21: $Sudo: sudoers.pod,v 1.95.2.16 2007/07/29 23:09:47 millert Exp $
1.1 millert 22: =pod
23:
24: =head1 NAME
25:
26: sudoers - list of which users may execute what
27:
28: =head1 DESCRIPTION
29:
30: The I<sudoers> file is composed of two types of entries: aliases
31: (basically variables) and user specifications (which specify who
32: may run what).
33:
34: When multiple entries match for a user, they are applied in order.
35: Where there are multiple matches, the last match is used (which is
36: not necessarily the most specific match).
37:
38: The I<sudoers> grammar will be described below in Extended Backus-Naur
39: Form (EBNF). Don't despair if you don't know what EBNF is; it is
40: fairly simple, and the definitions below are annotated.
41:
42: =head2 Quick guide to EBNF
43:
44: EBNF is a concise and exact way of describing the grammar of a language.
45: Each EBNF definition is made up of I<production rules>. E.g.,
46:
47: symbol ::= definition | alternate1 | alternate2 ...
48:
49: Each I<production rule> references others and thus makes up a
50: grammar for the language. EBNF also contains the following
51: operators, which many readers will recognize from regular
52: expressions. Do not, however, confuse them with "wildcard"
53: characters, which have different meanings.
54:
55: =over 8
56:
57: =item C<?>
58:
59: Means that the preceding symbol (or group of symbols) is optional.
60: That is, it may appear once or not at all.
61:
62: =item C<*>
63:
64: Means that the preceding symbol (or group of symbols) may appear
65: zero or more times.
66:
67: =item C<+>
68:
69: Means that the preceding symbol (or group of symbols) may appear
70: one or more times.
71:
72: =back
73:
74: Parentheses may be used to group symbols together. For clarity,
75: we will use single quotes ('') to designate what is a verbatim character
76: string (as opposed to a symbol name).
77:
78: =head2 Aliases
79:
80: There are four kinds of aliases: C<User_Alias>, C<Runas_Alias>,
81: C<Host_Alias> and C<Cmnd_Alias>.
82:
83: Alias ::= 'User_Alias' User_Alias (':' User_Alias)* |
84: 'Runas_Alias' Runas_Alias (':' Runas_Alias)* |
85: 'Host_Alias' Host_Alias (':' Host_Alias)* |
86: 'Cmnd_Alias' Cmnd_Alias (':' Cmnd_Alias)*
87:
88: User_Alias ::= NAME '=' User_List
89:
90: Runas_Alias ::= NAME '=' Runas_List
91:
92: Host_Alias ::= NAME '=' Host_List
93:
94: Cmnd_Alias ::= NAME '=' Cmnd_List
95:
96: NAME ::= [A-Z]([A-Z0-9_])*
97:
98: Each I<alias> definition is of the form
99:
100: Alias_Type NAME = item1, item2, ...
101:
102: where I<Alias_Type> is one of C<User_Alias>, C<Runas_Alias>, C<Host_Alias>,
103: or C<Cmnd_Alias>. A C<NAME> is a string of uppercase letters, numbers,
104: and underscore characters ('_'). A C<NAME> B<must> start with an
105: uppercase letter. It is possible to put several alias definitions
106: of the same type on a single line, joined by a colon (':'). E.g.,
107:
108: Alias_Type NAME = item1, item2, item3 : NAME = item4, item5
109:
110: The definitions of what constitutes a valid I<alias> member follow.
111:
112: User_List ::= User |
113: User ',' User_List
114:
115: User ::= '!'* username |
116: '!'* '%'group |
117: '!'* '+'netgroup |
118: '!'* User_Alias
119:
120: A C<User_List> is made up of one or more usernames, system groups
121: (prefixed with '%'), netgroups (prefixed with '+') and other aliases.
122: Each list item may be prefixed with one or more '!' operators.
123: An odd number of '!' operators negate the value of the item; an even
124: number just cancel each other out.
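The alias and User_List rules above can be exercised with a small parser and matcher. This is an added example and not code from sudo or this manual: it validates alias NAMEs against the grammar, accepts several definitions of one type on a line joined by ':', expands User_Alias references, and counts leading '!' operators (odd negates, even cancels). The GROUPS and NETGROUPS tables are constructed sample data, and applying the page's "last match wins" rule to the items inside a list is an assumption made here for illustration.

```python
import re

# Constructed sample data for this example: which system groups and netgroups
# each user belongs to. Real sudo consults the passwd/group databases and NIS.
GROUPS = {"alice": {"wheel", "staff"}, "bob": {"staff"}, "carol": {"web"}}
NETGROUPS = {"ops": {"alice", "dave"}}

# NAME: an uppercase letter followed by uppercase letters, digits and '_'
NAME_RE = re.compile(r"^[A-Z][A-Z0-9_]*$")
ALIAS_TYPES = ("User_Alias", "Runas_Alias", "Host_Alias", "Cmnd_Alias")


def parse_alias_line(line, aliases):
    """Parse 'Alias_Type NAME = item1, item2 : NAME2 = item3' into
    aliases[Alias_Type][NAME] -> [items]. Several definitions of the same
    type may share a line, joined by ':' (backslash-escaped ':' or ',' in
    members is not handled by this example)."""
    alias_type, _, rest = line.strip().partition(" ")
    if alias_type not in ALIAS_TYPES:
        raise ValueError("not an alias line: %r" % line)
    table = aliases.setdefault(alias_type, {})
    for definition in rest.split(":"):
        name, eq, members = definition.partition("=")
        name = name.strip()
        if not eq or not NAME_RE.match(name):
            raise ValueError("bad alias NAME %r (must match [A-Z][A-Z0-9_]*)" % name)
        table[name] = [m.strip() for m in members.split(",") if m.strip()]
    return aliases


def strip_negation(item):
    """Return (negated, bare_item). An odd number of leading '!' negates the
    item; an even number cancels out."""
    bangs = len(item) - len(item.lstrip("!"))
    return bangs % 2 == 1, item[bangs:]


def user_item_matches(item, user, aliases):
    """Match one bare User item against `user`. Returns True/False when the
    item decides the question, None when it says nothing about this user."""
    if item == "ALL":                       # built-in alias, always matches
        return True
    if item.startswith("%"):                # system group
        return True if item[1:] in GROUPS.get(user, set()) else None
    if item.startswith("+"):                # netgroup
        return True if user in NETGROUPS.get(item[1:], set()) else None
    if item in aliases.get("User_Alias", {}):
        return user_list_matches(aliases["User_Alias"][item], user, aliases)
    return True if item == user else None   # plain username


def user_list_matches(user_list, user, aliases):
    """Evaluate a User_List for `user`: True (matched), False (matched a
    negated item, i.e. explicitly excluded) or None (no item applied).
    Assumption of this example: the page's rule that the last match wins
    is applied to the items of a list as well as to whole entries."""
    result = None
    for raw in user_list:
        negated, item = strip_negation(raw)
        verdict = user_item_matches(item, user, aliases)
        if verdict is not None:
            result = (not verdict) if negated else verdict
    return result


# Constructed alias lines, written the way they would appear in sudoers.
ALIASES = {}
parse_alias_line("User_Alias ADMINS = alice, bob : WEBMASTERS = carol, +ops", ALIASES)
parse_alias_line("User_Alias ADMINS_NOT_BOB = ADMINS, !bob", ALIASES)

if __name__ == "__main__":
    for who in ("alice", "bob", "carol", "dave", "erin"):
        print(who, user_list_matches(["ADMINS_NOT_BOB", "%web"], who, ALIASES))
```

Note the three-valued result: a negated item that names the user yields False rather than "no match", which is what lets a later `!bob` exclude a user an earlier alias let in.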
125:
126: Runas_List ::= Runas_User |
127: Runas_User ',' Runas_List
128:
129: Runas_User ::= '!'* username |
130: '!'* '#'uid |
131: '!'* '%'group |
132: '!'* '+'netgroup |
133: '!'* Runas_Alias
134:
135: A C<Runas_List> is similar to a C<User_List> except that it can
136: also contain uids (prefixed with '#') and instead of C<User_Alias>es
137: it can contain C<Runas_Alias>es. Note that usernames and groups
138: are matched as strings. In other words, two users (groups) with
139: the same uid (gid) are considered to be distinct. If you wish to
140: match all usernames with the same uid (e.g.E<nbsp>root and toor), you
141: can use a uid instead (#0 in the example given).
142:
143: Host_List ::= Host |
144: Host ',' Host_List
145:
146: Host ::= '!'* hostname |
147: '!'* ip_addr |
148: '!'* network(/netmask)? |
149: '!'* '+'netgroup |
150: '!'* Host_Alias
151:
152: A C<Host_List> is made up of one or more hostnames, IP addresses,
153: network numbers, netgroups (prefixed with '+') and other aliases.
154: Again, the value of an item may be negated with the '!' operator.
155: If you do not specify a netmask along with the network number,
156: B<sudo> will query each of the local host's network interfaces and,
157: if the network number corresponds to one of the hosts's network
158: interfaces, the corresponding netmask will be used. The netmask
159: may be specified either in dotted quad notation (e.g.E<nbsp>255.255.255.0)
160: or CIDR notation (number of bits, e.g.E<nbsp>24). A hostname may
161: include shell-style wildcards (see the L<Wildcards> section below),
162: but unless the C<hostname> command on your machine returns the fully
163: qualified hostname, you'll need to use the I<fqdn> option for
164: wildcards to be useful.
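The Host_List rules can be checked against a model of the local host. This is an added example, not sudo's own matcher: LOCAL_HOST, LOCAL_ADDRS, LOCAL_IFACES and NETGROUPS are constructed stand-ins for what sudo reads from the system, the netmask is taken from a local interface when the item gives none, both dotted-quad and CIDR masks are accepted, hostnames are matched with shell-style wildcards, and last-match-wins inside a list is assumed as in the page's rule for entries.

```python
import fnmatch
import ipaddress

# Constructed view of the local host that sudo would obtain from the system:
# its fully qualified name, its addresses and its interface networks.
LOCAL_HOST = "boulder.example.com"
LOCAL_ADDRS = [ipaddress.ip_address("192.0.2.10"), ipaddress.ip_address("198.51.100.7")]
LOCAL_IFACES = [ipaddress.ip_network("192.0.2.0/24"), ipaddress.ip_network("198.51.100.0/25")]
NETGROUPS = {"lab": {"boulder.example.com", "rushmore.example.com"}}


def strip_negation(item):
    """Odd number of leading '!' negates the item; even cancels out."""
    bangs = len(item) - len(item.lstrip("!"))
    return bangs % 2 == 1, item[bangs:]


def looks_like_address(item):
    try:
        ipaddress.ip_address(item.partition("/")[0])
        return True
    except ValueError:
        return False


def network_from_item(item):
    """Parse network(/netmask)?. The netmask may be CIDR bits ("/24") or a
    dotted quad ("/255.255.255.0"). Without a netmask, use the mask of the
    local interface whose network number equals the given one, if any."""
    number, slash, mask = item.partition("/")
    if slash:
        return ipaddress.ip_network("%s/%s" % (number, mask), strict=False)
    number = ipaddress.ip_address(number)
    for iface in LOCAL_IFACES:
        if number == iface.network_address:
            return iface
    return None


def host_item_matches(item, aliases):
    """True/None for one bare Host item against the local host (False can
    only come back from a Host_Alias whose own list excluded the host)."""
    if item == "ALL":
        return True
    if item.startswith("+"):
        return True if LOCAL_HOST in NETGROUPS.get(item[1:], set()) else None
    if item in aliases.get("Host_Alias", {}):
        return host_list_matches(aliases["Host_Alias"][item], aliases)
    if looks_like_address(item):
        if "/" not in item and ipaddress.ip_address(item) in LOCAL_ADDRS:
            return True                         # plain ip_addr of this host
        net = network_from_item(item)
        if net is not None and any(a in net for a in LOCAL_ADDRS):
            return True
        return None
    # hostname, possibly with shell-style wildcards; patterns such as
    # '*.example.com' only help when the local name is fully qualified (fqdn)
    return True if fnmatch.fnmatchcase(LOCAL_HOST, item) else None


def host_list_matches(host_list, aliases=None):
    """Evaluate a Host_List for the local host: True = listed, False =
    excluded by a '!' item, None = not mentioned. Last match wins (assumed
    here for list items, as the page states for entries)."""
    aliases = aliases or {}
    result = None
    for raw in host_list:
        negated, item = strip_negation(raw)
        verdict = host_item_matches(item, aliases)
        if verdict is not None:
            result = (not verdict) if negated else verdict
    return result


if __name__ == "__main__":
    for hl in (["192.0.2.0/24"], ["192.0.2.0"], ["198.51.100.128/25"],
               ["*.example.com"], ["ALL", "!+lab"]):
        print(hl, host_list_matches(hl))
```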
165:
166: Cmnd_List ::= Cmnd |
167: Cmnd ',' Cmnd_List
168:
169: commandname ::= filename |
170: filename args |
171: filename '""'
172:
173: Cmnd ::= '!'* commandname |
174: '!'* directory |
175: '!'* "sudoedit" |
176: '!'* Cmnd_Alias
177:
178: A C<Cmnd_List> is a list of one or more commandnames, directories, and other
179: aliases. A commandname is a fully qualified filename which may include
180: shell-style wildcards (see the L<Wildcards> section below). A simple
181: filename allows the user to run the command with any arguments he/she
182: wishes. However, you may also specify command line arguments (including
183: wildcards). Alternately, you can specify C<""> to indicate that the command
184: may only be run B<without> command line arguments. A directory is a
185: fully qualified pathname ending in a '/'. When you specify a directory
186: in a C<Cmnd_List>, the user will be able to run any file within that directory
187: (but not in any subdirectories therein).
188:
189: If a C<Cmnd> has associated command line arguments, then the arguments
190: in the C<Cmnd> must match exactly those given by the user on the command line
191: (or match the wildcards if there are any). Note that the following
192: characters must be escaped with a '\' if they are used in command
193: arguments: ',', ':', '=', '\'. The special command C<"sudoedit">
194: is used to permit a user to run B<sudo> with the B<-e> flag (or
195: as B<sudoedit>). It may take command line arguments just as
196: a normal command does.
197:
198: =head2 Defaults
199:
200: Certain configuration options may be changed from their default
201: values at runtime via one or more C<Default_Entry> lines. These
202: may affect all users on any host, all users on a specific host, a
203: specific user, or commands being run as a specific user.
204:
205: Default_Type ::= 'Defaults' |
206: 'Defaults' '@' Host |
207: 'Defaults' ':' User |
208: 'Defaults' '>' Runas_User
209:
210: Default_Entry ::= Default_Type Parameter_List
211:
212: Parameter_List ::= Parameter |
213: Parameter ',' Parameter_List
214:
215: Parameter ::= Parameter '=' Value |
216: Parameter '+=' Value |
217: Parameter '-=' Value |
218: '!'* Parameter
219:
220: Parameters may be B<flags>, B<integer> values, B<strings>, or B<lists>.
221: Flags are implicitly boolean and can be turned off via the '!'
222: operator. Some integer, string and list parameters may also be
223: used in a boolean context to disable them. Values may be enclosed
224: in double quotes (C<">) when they contain multiple words. Special
225: characters may be escaped with a backslash (C<\>).
226:
227: Lists have two additional assignment operators, C<+=> and C<-=>.
228: These operators are used to add to and delete from a list respectively.
229: It is not an error to use the C<-=> operator to remove an element
230: that does not exist in a list.
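A parser for Default_Entry lines that applies the rules just described (flags toggled by '!', quoted multi-word values with backslash escapes, and the list-only C<+=> and C<-=> operators, where removing an absent element is not an error). This is an added example, not sudo's implementation; the FLAGS/INTEGERS/STRINGS/LISTS catalogue covers only a few of the parameters from SUDOERS OPTIONS below, and SAMPLE_DEFAULTS holds constructed starting values rather than sudo's compiled-in defaults.

```python
import re

# Constructed catalogue: a handful of parameters of each type from the
# SUDOERS OPTIONS list, with illustrative starting values (sudo's real
# compiled-in defaults depend on how it was built).
FLAGS = {"insults", "env_reset", "requiretty", "root_sudo"}
INTEGERS = {"passwd_tries", "timestamp_timeout"}
STRINGS = {"mailsub", "editor"}
LISTS = {"env_keep", "env_check", "env_delete"}
KNOWN = FLAGS | INTEGERS | STRINGS | LISTS

SAMPLE_DEFAULTS = {"insults": True, "env_reset": True, "requiretty": False,
                   "root_sudo": True, "passwd_tries": 3, "timestamp_timeout": 5,
                   "mailsub": "*** SECURITY information for %h ***",
                   "editor": "/usr/bin/vi",
                   "env_keep": ["COLORS", "DISPLAY"], "env_check": ["TZ"],
                   "env_delete": []}

DEFAULTS_RE = re.compile(r"^Defaults\s*([@:>]\S+)?\s+(.*)$")
PARAM_RE = re.compile(r"^(!*)([A-Za-z_]+)\s*(\+=|-=|=)?\s*(.*)$", re.S)


def parse_defaults_line(line):
    """Split a Default_Entry into (scope kind, scope, [Parameter, ...]).
    Default_Type is 'Defaults' alone, or followed by @Host, :User or >Runas_User."""
    m = DEFAULTS_RE.match(line.strip())
    if not m:
        raise ValueError("not a Defaults line: %r" % line)
    scope, params = m.groups()
    kind = {None: "all", "@": "host", ":": "user", ">": "runas"}[scope[0] if scope else None]
    return kind, (scope[1:] if scope else None), split_parameters(params)


def split_parameters(text):
    """Split a Parameter_List on commas outside double quotes; a backslash
    escapes the character after it."""
    parts, cur, quoted, esc = [], "", False, False
    for ch in text:
        if esc:
            cur += ch
            esc = False
        elif ch == "\\":
            cur += ch
            esc = True
        elif ch == "," and not quoted:
            parts.append(cur.strip())
            cur = ""
        else:
            if ch == '"':
                quoted = not quoted
            cur += ch
    parts.append(cur.strip())
    return [p for p in parts if p]


def unquote(value):
    """Remove surrounding double quotes and resolve backslash escapes."""
    value = value.strip()
    if len(value) >= 2 and value[0] == '"' and value[-1] == '"':
        value = value[1:-1]
    return re.sub(r"\\(.)", r"\1", value)


def apply_parameter(settings, param):
    """Apply one Parameter ('!'* name | name=value | name+=value | name-=value)
    to the settings dict, enforcing the type rules from the page."""
    m = PARAM_RE.match(param)
    if not m:
        raise ValueError("cannot parse parameter %r" % param)
    bangs, name, op, value = m.groups()
    if name not in KNOWN:
        raise ValueError("unknown Defaults parameter %r" % name)
    if op is None:
        if value:
            raise ValueError("unexpected text after %r" % name)
        negated = len(bangs) % 2 == 1       # odd '!' count turns the option off
        settings[name] = not negated        # non-flags here are used in a boolean context
        return settings
    value = unquote(value)
    if name in LISTS:
        items = value.split()
        current = list(settings.get(name) or [])
        if op == "+=":
            current += [i for i in items if i not in current]
        elif op == "-=":                    # removing an absent item is not an error
            current = [i for i in current if i not in items]
        else:
            current = items
        settings[name] = current
    elif op != "=":
        raise ValueError("%s: '+=' and '-=' are only valid for lists" % name)
    elif name in INTEGERS:
        settings[name] = int(value)
    else:
        settings[name] = value
    return settings


def apply_defaults_line(settings, line):
    """Parse one Defaults line and apply all its parameters in order."""
    _, _, params = parse_defaults_line(line)
    for p in params:
        apply_parameter(settings, p)
    return settings
```

The scope returned by parse_defaults_line is only reported, not enforced; deciding whether a @Host, :User or >Runas_User entry applies is left to the host, user and runas matching described elsewhere on this page.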
231:
232: See L</"SUDOERS OPTIONS"> for a list of supported Defaults parameters.
233:
234: =head2 User Specification
235:
236: User_Spec ::= User_List Host_List '=' Cmnd_Spec_List \
237: (':' Host_List '=' Cmnd_Spec_List)*
238:
239: Cmnd_Spec_List ::= Cmnd_Spec |
240: Cmnd_Spec ',' Cmnd_Spec_List
241:
242: Cmnd_Spec ::= Runas_Spec? Tag_Spec* Cmnd
243:
244: Runas_Spec ::= '(' Runas_List ')'
245:
246: Tag_Spec ::= ('NOPASSWD:' | 'PASSWD:' | 'NOEXEC:' | 'EXEC:' |
247: 'SETENV:' | 'NOSETENV:')
248:
249: A B<user specification> determines which commands a user may run
250: (and as what user) on specified hosts. By default, commands are
251: run as B<root>, but this can be changed on a per-command basis.
252:
253: Let's break that down into its constituent parts:
254:
255: =head2 Runas_Spec
256:
257: A C<Runas_Spec> is simply a C<Runas_List> (as defined above)
258: enclosed in a set of parentheses. If you do not specify a
259: C<Runas_Spec> in the user specification, a default C<Runas_Spec>
260: of B<root> will be used. A C<Runas_Spec> sets the default for
261: commands that follow it. What this means is that for the entry:
262:
263: dgb boulder = (operator) /bin/ls, /bin/kill, /usr/bin/lprm
264:
265: The user B<dgb> may run F</bin/ls>, F</bin/kill>, and
266: F</usr/bin/lprm> -- but only as B<operator>. E.g.,
267:
268: $ sudo -u operator /bin/ls
269:
270: It is also possible to override a C<Runas_Spec> later on in an
271: entry. If we modify the entry like so:
272:
273: dgb boulder = (operator) /bin/ls, (root) /bin/kill, /usr/bin/lprm
274:
275: Then user B<dgb> is now allowed to run F</bin/ls> as B<operator>,
276: but F</bin/kill> and F</usr/bin/lprm> as B<root>.
277:
278: =head2 Tag_Spec
279:
280: A command may have zero or more tags associated with it. There are
281: six possible tag values, C<NOPASSWD>, C<PASSWD>, C<NOEXEC>, C<EXEC>,
282: C<SETENV> and C<NOSETENV>.
283: Once a tag is set on a C<Cmnd>, subsequent C<Cmnd>s in the
284: C<Cmnd_Spec_List>, inherit the tag unless it is overridden by the
285: opposite tag (i.e.: C<PASSWD> overrides C<NOPASSWD> and C<NOEXEC>
286: overrides C<EXEC>).
287:
288: =head3 NOPASSWD and PASSWD
289:
290: By default, B<sudo> requires that a user authenticate him or herself
291: before running a command. This behavior can be modified via the
292: C<NOPASSWD> tag. Like a C<Runas_Spec>, the C<NOPASSWD> tag sets
293: a default for the commands that follow it in the C<Cmnd_Spec_List>.
294: Conversely, the C<PASSWD> tag can be used to reverse things.
295: For example:
296:
297: ray rushmore = NOPASSWD: /bin/kill, /bin/ls, /usr/bin/lprm
298:
299: would allow the user B<ray> to run F</bin/kill>, F</bin/ls>, and
300: F</usr/bin/lprm> as B<root> on the machine rushmore without
301: authenticating himself. If we only want B<ray> to be able to
302: run F</bin/kill> without a password the entry would be:
303:
304: ray rushmore = NOPASSWD: /bin/kill, PASSWD: /bin/ls, /usr/bin/lprm
305:
306: Note, however, that the C<PASSWD> tag has no effect on users who are
307: in the group specified by the I<exempt_group> option.
308:
309: By default, if the C<NOPASSWD> tag is applied to any of the entries
310: for a user on the current host, he or she will be able to run
311: C<sudo -l> without a password. Additionally, a user may only run
312: C<sudo -v> without a password if the C<NOPASSWD> tag is present
313: for all a user's entries that pertain to the current host.
314: This behavior may be overridden via the verifypw and listpw options.
315:
316: =head3 NOEXEC and EXEC
317:
318: If B<sudo> has been compiled with I<noexec> support and the underlying
319: operating system supports it, the C<NOEXEC> tag can be used to prevent
320: a dynamically-linked executable from running further commands itself.
321:
322: In the following example, user B<aaron> may run F</usr/bin/more>
323: and F</usr/bin/vi> but shell escapes will be disabled.
324:
325: aaron shanty = NOEXEC: /usr/bin/more, /usr/bin/vi
326:
327: See the L<PREVENTING SHELL ESCAPES> section below for more details
328: on how C<NOEXEC> works and whether or not it will work on your system.
329:
330: =head3 SETENV and NOSETENV
331:
332: These tags override the value of the I<setenv> option on a per-command
333: basis. Note that if C<SETENV> has been set for a command, any
334: environment variables set on the command line are not subject
335: to the restrictions imposed by I<env_check>, I<env_delete>, or
336: I<env_keep>. As such, only trusted users should be allowed to set
337: variables in this manner.
338:
339: =head2 Wildcards
340:
341: B<sudo> allows shell-style I<wildcards> (aka meta or glob characters)
342: to be used in pathnames as well as command line arguments in the
343: I<sudoers> file. Wildcard matching is done via the B<POSIX>
344: L<fnmatch(3)> routine. Note that these are I<not> regular expressions.
345:
346: =over 8
347:
348: =item C<*>
349:
350: Matches any set of zero or more characters.
351:
352: =item C<?>
353:
354: Matches any single character.
355:
356: =item C<[...]>
357:
358: Matches any character in the specified range.
359:
360: =item C<[!...]>
361:
362: Matches any character B<not> in the specified range.
363:
364: =item C<\x>
365:
366: For any character "x", evaluates to "x". This is used to
367: escape special characters such as: "*", "?", "[", and "]".
368:
369: =back
370:
371: Note that a forward slash ('/') will B<not> be matched by
372: wildcards used in the pathname. When matching the command
373: line arguments, however, a slash B<does> get matched by
374: wildcards. This is to make a path like:
375:
376: /usr/bin/*
377:
378: match F</usr/bin/who> but not F</usr/bin/X11/xterm>.
379:
380: =head2 Exceptions to wildcard rules
381:
382: The following exceptions apply to the above rules:
383:
384: =over 8
385:
386: =item C<"">
387:
388: If the empty string C<""> is the only command line argument in the
389: I<sudoers> entry it means that command is not allowed to be run
390: with B<any> arguments.
391:
392: =back
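
The Cmnd_List rules (fully qualified filenames, optional arguments, the C<""> exception, directories ending in '/'), the wildcard rule that '/' is not matched in pathnames but is in arguments, and the '!' operator can be exercised together. This is an added example rather than sudo's own matcher: it translates the shell-style wildcards to a regular expression, compares the user's arguments as one space-joined string (an approximation of sudo's argument matching), and assumes, as elsewhere in these examples, that the page's last-match-wins rule also applies to the items of a list.

```python
import re


def glob_to_regex(pattern, slash_matches):
    """Compile sudoers shell-style wildcards ('*', '?', '[...]', '[!...]',
    '\\x') to a regex. For pathnames a wildcard must not cross '/', as the
    page states; for command line arguments it may."""
    any_char = "." if slash_matches else "[^/]"
    out, i = "", 0
    while i < len(pattern):
        c = pattern[i]
        if c == "*":
            out += any_char + "*"
        elif c == "?":
            out += any_char
        elif c == "[" and pattern.find("]", i + 1) != -1:
            j = pattern.find("]", i + 1)
            body = pattern[i + 1:j]
            if body.startswith("!"):
                body = "^" + body[1:]
            out += "[" + body.replace("\\", "\\\\") + "]"
            i = j
        elif c == "\\" and i + 1 < len(pattern):
            i += 1
            out += re.escape(pattern[i])          # '\x' stands for a literal x
        else:
            out += re.escape(c)
        i += 1
    return re.compile("^" + out + "$")


def split_cmnd(item):
    """Split a commandname into (filename, args). args is None when any
    arguments are allowed and '""' when none are."""
    parts = item.split(None, 1)
    return parts[0], (parts[1] if len(parts) > 1 else None)


def cmnd_item_matches(item, path, args):
    """Does one bare Cmnd allow running `path` (fully qualified) with the
    argument list `args`?"""
    if item == "ALL":
        return True
    if item == "sudoedit":
        return path == "sudoedit"
    if item.endswith("/"):                    # directory: files directly inside it only
        rest = path[len(item):]
        return path.startswith(item) and rest != "" and "/" not in rest
    spec_path, spec_args = split_cmnd(item)
    if not glob_to_regex(spec_path, slash_matches=False).match(path):
        return False
    if spec_args is None:                     # bare filename: any arguments
        return True
    if spec_args == '""':                     # "": no arguments at all
        return len(args) == 0
    return glob_to_regex(spec_args, slash_matches=True).match(" ".join(args)) is not None


def cmnd_list_matches(cmnd_list, path, args):
    """Evaluate a Cmnd_List: True = allowed, False = explicitly excluded by
    a '!' item, None = not mentioned. Odd '!' count negates, even cancels."""
    result = None
    for raw in cmnd_list:
        bangs = len(raw) - len(raw.lstrip("!"))
        if cmnd_item_matches(raw[bangs:], path, args):
            result = bangs % 2 == 0
    return result


if __name__ == "__main__":
    for path in ("/usr/bin/who", "/usr/bin/X11/xterm"):
        print(path, cmnd_item_matches("/usr/bin/*", path, []))
```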
393:
394: =head2 Other special characters and reserved words
395:
396: The pound sign ('#') is used to indicate a comment (unless it is
397: part of a #include directive or unless it occurs in the context of
398: a user name and is followed by one or more digits, in which case
399: it is treated as a uid). Both the comment character and any text
400: after it, up to the end of the line, are ignored.
401:
402: The reserved word B<ALL> is a built-in I<alias> that always causes
403: a match to succeed. It can be used wherever one might otherwise
404: use a C<Cmnd_Alias>, C<User_Alias>, C<Runas_Alias>, or C<Host_Alias>.
405: You should not try to define your own I<alias> called B<ALL> as the
406: built-in alias will be used in preference to your own. Please note
407: that using B<ALL> can be dangerous since in a command context, it
408: allows the user to run B<any> command on the system.
409:
410: An exclamation point ('!') can be used as a logical I<not> operator
411: both in an I<alias> and in front of a C<Cmnd>. This allows one to
412: exclude certain values. Note, however, that using a C<!> in
413: conjunction with the built-in C<ALL> alias to allow a user to
414: run "all but a few" commands rarely works as intended (see SECURITY
415: NOTES below).
416:
417: Long lines can be continued with a backslash ('\') as the last
418: character on the line.
419:
420: Whitespace between elements in a list as well as special syntactic
421: characters in a I<User Specification> ('=', ':', '(', ')') is optional.
422:
423: The following characters must be escaped with a backslash ('\') when
424: used as part of a word (e.g.E<nbsp>a username or hostname):
425: '@', '!', '=', ':', ',', '(', ')', '\'.
426:
427: =head1 SUDOERS OPTIONS
428:
429: B<sudo>'s behavior can be modified by C<Default_Entry> lines, as
430: explained earlier. All supported Defaults parameters, grouped
431: by type, are listed below.
432:
433: B<Flags>:
434:
435: =over 12
436:
437: =item always_set_home
438:
439: If set, B<sudo> will set the C<HOME> environment variable to the home
440: directory of the target user (which is root unless the B<-u> option is used).
441: This effectively means that the B<-H> flag is always implied.
442: This flag is I<off> by default.
443:
444: =item authenticate
445:
446: If set, users must authenticate themselves via a password (or other
447: means of authentication) before they may run commands. This default
448: may be overridden via the C<PASSWD> and C<NOPASSWD> tags.
449: This flag is I<on> by default.
450:
451: =item env_editor
452:
453: If set, B<visudo> will use the value of the EDITOR or VISUAL
454: environment variables before falling back on the default editor list.
455: Note that this may create a security hole as it allows the user to
456: run any arbitrary command as root without logging. A safer alternative
457: is to place a colon-separated list of editors in the C<editor>
458: variable. B<visudo> will then only use the EDITOR or VISUAL if
459: they match a value specified in C<editor>. This flag is I<@env_editor@> by
460: default.
461:
462: =item env_reset
463:
464: If set, B<sudo> will reset the environment to only contain the
465: LOGNAME, SHELL, USER, USERNAME and the C<SUDO_*> variables. Any
466: variables in the caller's environment that match the C<env_keep>
467: and C<env_check> lists are then added. The default contents of the
468: C<env_keep> and C<env_check> lists are displayed when B<sudo> is
469: run by root with the I<-V> option. If B<sudo> was compiled with
470: the C<SECURE_PATH> option, its value will be used for the C<PATH>
471: environment variable. This flag is I<on> by default.
472:
473: =item fqdn
474:
475: Set this flag if you want to put fully qualified hostnames in the
476: I<sudoers> file. I.e., instead of myhost you would use myhost.mydomain.edu.
477: You may still use the short form if you wish (and even mix the two).
478: Beware that turning on I<fqdn> requires B<sudo> to make DNS lookups
479: which may make B<sudo> unusable if DNS stops working (for example
480: if the machine is not plugged into the network). Also note that
481: you must use the host's official name as DNS knows it. That is,
482: you may not use a host alias (C<CNAME> entry) due to performance
483: issues and the fact that there is no way to get all aliases from
484: DNS. If your machine's hostname (as returned by the C<hostname>
485: command) is already fully qualified you shouldn't need to set
486: I<fqdn>. This flag is I<@fqdn@> by default.
487:
488: =item ignore_dot
489:
490: If set, B<sudo> will ignore '.' or '' (current dir) in the C<PATH>
491: environment variable; the C<PATH> itself is not modified. This
492: flag is I<@ignore_dot@> by default. Currently, while it is possible
493: to set I<ignore_dot> in I<sudoers>, its value is not used. This option
494: should be considered read-only (it will be fixed in a future version
495: of B<sudo>).
496:
497: =item ignore_local_sudoers
498:
499: If set via LDAP, parsing of @sysconfdir@/sudoers will be skipped.
500: This is intended for Enterprises that wish to prevent the usage of local
501: sudoers files so that only LDAP is used. This thwarts the efforts of
502: rogue operators who would attempt to add roles to @sysconfdir@/sudoers.
503: When this option is present, @sysconfdir@/sudoers does not even need to exist.
504: Since this option tells B<sudo> how to behave when no specific LDAP entries
505: have been matched, this sudoOption is only meaningful for the cn=defaults
506: section. This flag is I<off> by default.
507:
508: =item insults
509:
510: If set, B<sudo> will insult users when they enter an incorrect
511: password. This flag is I<@insults@> by default.
512:
513: =item log_host
514:
515: If set, the hostname will be logged in the (non-syslog) B<sudo> log file.
516: This flag is I<off> by default.
517:
518: =item log_year
519:
520: If set, the four-digit year will be logged in the (non-syslog) B<sudo> log file.
521: This flag is I<off> by default.
522:
523: =item long_otp_prompt
524:
525: When validating with a One Time Password (OTP) scheme such as
526: B<S/Key> or B<OPIE>, a two-line prompt is used to make it easier
527: to cut and paste the challenge to a local window. It's not as
528: pretty as the default but some people find it more convenient. This
529: flag is I<@long_otp_prompt@> by default.
530:
531: =item mail_always
532:
533: Send mail to the I<mailto> user every time a user runs B<sudo>.
534: This flag is I<off> by default.
535:
536: =item mail_badpass
537:
538: Send mail to the I<mailto> user if the user running B<sudo> does not
539: enter the correct password. This flag is I<off> by default.
540:
541: =item mail_no_host
542:
543: If set, mail will be sent to the I<mailto> user if the invoking
544: user exists in the I<sudoers> file, but is not allowed to run
545: commands on the current host. This flag is I<@mail_no_host@> by default.
546:
547: =item mail_no_perms
548:
549: If set, mail will be sent to the I<mailto> user if the invoking
550: user is allowed to use B<sudo> but the command they are trying is not
551: listed in their I<sudoers> file entry or is explicitly denied.
552: This flag is I<@mail_no_perms@> by default.
553:
554: =item mail_no_user
555:
556: If set, mail will be sent to the I<mailto> user if the invoking
557: user is not in the I<sudoers> file. This flag is I<@mail_no_user@>
558: by default.
559:
560: =item noexec
561:
562: If set, all commands run via B<sudo> will behave as if the C<NOEXEC>
563: tag has been set, unless overridden by a C<EXEC> tag. See the
564: description of I<NOEXEC and EXEC> above as well as the L<PREVENTING SHELL
565: ESCAPES> section at the end of this manual. This flag is I<off> by default.
566:
567: =item path_info
568:
569: Normally, B<sudo> will tell the user when a command could not be
570: found in their C<PATH> environment variable. Some sites may wish
571: to disable this as it could be used to gather information on the
572: location of executables that the normal user does not have access
573: to. The disadvantage is that if the executable is simply not in
574: the user's C<PATH>, B<sudo> will tell the user that they are not
575: allowed to run it, which can be confusing. This flag is I<@path_info@>
576: by default.
577:
578: =item preserve_groups
579:
580: By default B<sudo> will initialize the group vector to the list of
581: groups the target user is in. When I<preserve_groups> is set, the
582: user's existing group vector is left unaltered. The real and
583: effective group IDs, however, are still set to match the target
584: user. This flag is I<off> by default.
585:
586: =item requiretty
587:
588: If set, B<sudo> will only run when the user is logged in to a real
589: tty. This will disallow things like C<"rsh somehost sudo ls"> since
590: L<rsh(1)> does not allocate a tty. Because it is not possible to turn
591: off echo when there is no tty present, some sites may wish to set
592: this flag to prevent a user from entering a visible password. This
593: flag is I<off> by default.
594:
595: =item root_sudo
596:
597: If set, root is allowed to run B<sudo> too. Disabling this prevents users
598: from "chaining" B<sudo> commands to get a root shell by doing something
599: like C<"sudo sudo /bin/sh">. Note, however, that turning off I<root_sudo>
600: will also prevent root from running B<sudoedit>.
601: Disabling I<root_sudo> provides no real additional security; it
602: exists purely for historical reasons.
603: This flag is I<@root_sudo@> by default.
604:
605: =item rootpw
606:
607: If set, B<sudo> will prompt for the root password instead of the password
608: of the invoking user. This flag is I<off> by default.
609:
610: =item runaspw
611:
612: If set, B<sudo> will prompt for the password of the user defined by the
613: I<runas_default> option (defaults to C<@runas_default@>) instead of the
614: password of the invoking user. This flag is I<off> by default.
615:
616: =item set_home
617:
618: If set and B<sudo> is invoked with the B<-s> flag the C<HOME>
619: environment variable will be set to the home directory of the target
620: user (which is root unless the B<-u> option is used). This effectively
621: makes the B<-s> flag imply B<-H>. This flag is I<off> by default.
622:
623: =item set_logname
624:
625: Normally, B<sudo> will set the C<LOGNAME>, C<USER> and C<USERNAME>
626: environment variables to the name of the target user (usually root
627: unless the B<-u> flag is given). However, since some programs
628: (including the RCS revision control system) use C<LOGNAME> to
629: determine the real identity of the user, it may be desirable to
630: change this behavior. This can be done by negating the set_logname
631: option. Note that if the I<env_reset> option has not been disabled,
632: entries in the I<env_keep> list will override the value of
633: I<set_logname>. This flag is I<off> by default.
634:
635: =item setenv
636:
637: Allow the user to disable the I<env_reset> option from the command
638: line. Additionally, environment variables set via the command line
639: are not subject to the restrictions imposed by I<env_check>,
640: I<env_delete>, or I<env_keep>. As such, only trusted users should
641: be allowed to set variables in this manner. This flag is I<off>
642: by default.
643:
644: =item shell_noargs
645:
646: If set and B<sudo> is invoked with no arguments it acts as if the
647: B<-s> flag had been given. That is, it runs a shell as root (the
648: shell is determined by the C<SHELL> environment variable if it is
649: set, falling back on the shell listed in the invoking user's
650: /etc/passwd entry if not). This flag is I<off> by default.
651:
652: =item stay_setuid
653:
654: Normally, when B<sudo> executes a command the real and effective
655: UIDs are set to the target user (root by default). This option
656: changes that behavior such that the real UID is left as the invoking
657: user's UID. In other words, this makes B<sudo> act as a setuid
658: wrapper. This can be useful on systems that disable some potentially
659: dangerous functionality when a program is run setuid. This option
660: is only effective on systems with either the setreuid() or setresuid()
661: function. This flag is I<off> by default.
662:
663: =item targetpw
664:
665: If set, B<sudo> will prompt for the password of the user specified by
666: the B<-u> flag (defaults to C<root>) instead of the password of the
667: invoking user. Note that this precludes the use of a uid not listed
668: in the passwd database as an argument to the B<-u> flag.
669: This flag is I<off> by default.
670:
671: =item tty_tickets
672:
673: If set, users must authenticate on a per-tty basis. Normally,
674: B<sudo> uses a directory in the ticket dir with the same name as
675: the user running it. With this flag enabled, B<sudo> will use a
676: file named for the tty the user is logged in on in that directory.
677: This flag is I<@tty_tickets@> by default.
678:
679: =item use_loginclass
680:
681: If set, B<sudo> will apply the defaults specified for the target user's
682: login class if one exists. Only available if B<sudo> is configured with
683: the --with-logincap option. This flag is I<off> by default.
684:
685: =back
686:
687: B<Integers>:
688:
689: =over 12
690:
691: =item passwd_tries
692:
693: The number of tries a user gets to enter his/her password before
694: B<sudo> logs the failure and exits. The default is C<@passwd_tries@>.
695:
696: =back
697:
698: B<Integers that can be used in a boolean context>:
699:
700: =over 12
701:
702: =item loglinelen
703:
704: Number of characters per line for the file log. This value is used
705: to decide when to wrap lines for nicer log files. This has no
706: effect on the syslog log file, only the file log. The default is
707: C<@loglen@> (use 0 or negate the option to disable word wrap).
708:
709: =item passwd_timeout
710:
711: Number of minutes before the B<sudo> password prompt times out.
712: The default is C<@password_timeout@>; set this to C<0> for no password timeout.
713:
714: =item timestamp_timeout
715:
716: Number of minutes that can elapse before B<sudo> will ask for a
717: password again. The default is C<@timeout@>. Set this to C<0> to always
718: prompt for a password.
719: If set to a value less than C<0> the user's timestamp will never
720: expire. This can be used to allow users to create or delete their
721: own timestamps via C<sudo -v> and C<sudo -k> respectively.
722:
723: =item umask
724:
725: Umask to use when running the command. Negate this option or set
726: it to 0777 to preserve the user's umask. The default is C<@sudo_umask@>.
727:
728: =back
729:
730: B<Strings>:
731:
732: =over 12
733:
734: =item badpass_message
735:
736: Message that is displayed if a user enters an incorrect password.
737: The default is C<@badpass_message@> unless insults are enabled.
738:
739: =item editor
740:
741: A colon (':') separated list of editors allowed to be used with
742: B<visudo>. B<visudo> will choose the editor that matches the user's
743: EDITOR environment variable if possible, or the first editor in the
744: list that exists and is executable. The default is the path to vi
745: on your system.
746:
747: =item mailsub
748:
749: Subject of the mail sent to the I<mailto> user. The escape C<%h>
750: will expand to the hostname of the machine.
751: Default is C<@mailsub@>.
752:
753: =item noexec_file
754:
755: Path to a shared library containing dummy versions of the execv(),
756: execve() and fexecve() library functions that just return an error.
757: This is used to implement the I<noexec> functionality on systems that
758: support C<LD_PRELOAD> or its equivalent. Defaults to F<@noexec_file@>.
759:
760: =item passprompt
761:
762: The default prompt to use when asking for a password; can be overridden
763: via the B<-p> option or the C<SUDO_PROMPT> environment variable.
764: The following percent (`C<%>') escapes are supported:
765:
766: =over 8
767:
768: =item C<%H>
769:
770: expanded to the local hostname including the domain name
771: (only if the machine's hostname is fully qualified or the I<fqdn>
772: option is set)
773:
774: =item C<%h>
775:
776: expanded to the local hostname without the domain name
777:
778: =item C<%U>
779:
780: expanded to the login name of the user the command will
781: be run as (defaults to root)
782:
783: =item C<%u>
784:
785: expanded to the invoking user's login name
786:
787: =item C<%%>
788:
789: two consecutive C<%> characters are collapsed into a single C<%> character
790:
791: =back
792:
793: The default value is C<@passprompt@>.
794:
795: =item runas_default
796:
797: The default user to run commands as if the B<-u> flag is not specified
798: on the command line. This defaults to C<@runas_default@>.
799: Note that if I<runas_default> is set it B<must> occur before
800: any C<Runas_Alias> specifications.
801:
802: =item syslog_badpri
803:
804: Syslog priority to use when user authenticates unsuccessfully.
805: Defaults to C<@badpri@>.
806:
807: =item syslog_goodpri
808:
809: Syslog priority to use when user authenticates successfully.
810: Defaults to C<@goodpri@>.
811:
812: =item timestampdir
813:
814: The directory in which B<sudo> stores its timestamp files.
815: The default is F<@timedir@>.
816:
817: =item timestampowner
818:
819: The owner of the timestamp directory and the timestamps stored therein.
820: The default is C<root>.
821:
822: =back
823:
824: B<Strings that can be used in a boolean context>:
825:
826: =over 12
827:
828: =item exempt_group
829:
830: Users in this group are exempt from password and PATH requirements.
831: This is not set by default.
832:
833: =item lecture
834:
835: This option controls when a short lecture will be printed along with
836: the password prompt. It has the following possible values:
837:
838: =over 8
839:
840: =item always
841:
842: Always lecture the user.
843:
844: =item never
845:
846: Never lecture the user.
847:
848: =item once
849:
850: Only lecture the user the first time they run B<sudo>.
851:
852: =back
853:
854: If no value is specified, a value of I<once> is implied.
855: Negating the option results in a value of I<never> being used.
856: The default value is I<@lecture@>.
857:
858: =item lecture_file
859:
860: Path to a file containing an alternate B<sudo> lecture that will
861: be used in place of the standard lecture if the named file exists.
862: By default, B<sudo> uses a built-in lecture.
863:
864: =item listpw
865:
866: This option controls when a password will be required when a
867: user runs B<sudo> with the B<-l> flag. It has the following possible values:
868:
869: =over 8
870:
871: =item all
872:
873: All the user's I<sudoers> entries for the current host must have
874: the C<NOPASSWD> flag set to avoid entering a password.
875:
876: =item always
877:
878: The user must always enter a password to use the B<-l> flag.
879:
880: =item any
881:
882: At least one of the user's I<sudoers> entries for the current host
883: must have the C<NOPASSWD> flag set to avoid entering a password.
884:
885: =item never
886:
887: The user need never enter a password to use the B<-l> flag.
888:
889: =back
890:
891: If no value is specified, a value of I<any> is implied.
892: Negating the option results in a value of I<never> being used.
893: The default value is I<any>.
894:
895: =item logfile
896:
897: Path to the B<sudo> log file (not the syslog log file). Setting a path
898: turns on logging to a file; negating this option turns it off.
899: By default, B<sudo> logs via syslog.
900:
901: =item mailerflags
902:
903: Flags to use when invoking mailer. Defaults to B<-t>.
904:
905: =item mailerpath
906:
907: Path to mail program used to send warning mail.
908: Defaults to the path to sendmail found at configure time.
909:
910: =item mailto
911:
912: Address to send warning and error mail to. The address should
913: be enclosed in double quotes (C<">) to protect against B<sudo>
914: interpreting the C<@> sign. Defaults to C<@mailto@>.
915:
916: =item syslog
917:
918: Syslog facility if syslog is being used for logging (negate to
919: disable syslog logging). Defaults to C<@logfac@>.
920:
921: =item verifypw
922:
923: This option controls when a password will be required when a user runs
924: B<sudo> with the B<-v> flag. It has the following possible values:
925:
926: =over 8
927:
928: =item all
929:
930: All the user's I<sudoers> entries for the current host must have
931: the C<NOPASSWD> flag set to avoid entering a password.
932:
933: =item always
934:
935: The user must always enter a password to use the B<-v> flag.
936:
937: =item any
938:
939: At least one of the user's I<sudoers> entries for the current host
940: must have the C<NOPASSWD> flag set to avoid entering a password.
941:
942: =item never
943:
944: The user need never enter a password to use the B<-v> flag.
945:
946: =back
947:
948: If no value is specified, a value of I<all> is implied.
949: Negating the option results in a value of I<never> being used.
950: The default value is I<all>.
951:
952: =back
953:
954: B<Lists that can be used in a boolean context>:
955:
956: =over 12
957:
958: =item env_check
959:
960: Environment variables to be removed from the user's environment if
961: the variable's value contains C<%> or C</> characters. This can
962: be used to guard against printf-style format vulnerabilities in
963: poorly-written programs. The argument may be a double-quoted,
964: space-separated list or a single value without double-quotes. The
965: list can be replaced, added to, deleted from, or disabled by using
966: the C<=>, C<+=>, C<-=>, and C<!> operators respectively. Regardless
967: of whether the C<env_reset> option is enabled or disabled, variables
968: specified by C<env_check> will be preserved in the environment if
969: they pass the aforementioned check. The default list of environment
970: variables to check is displayed when B<sudo> is run by root with
971: the I<-V> option.
972:
973: =item env_delete
974:
975: Environment variables to be removed from the user's environment.
976: The argument may be a double-quoted, space-separated list or a
977: single value without double-quotes. The list can be replaced, added
978: to, deleted from, or disabled by using the C<=>, C<+=>, C<-=>, and
979: C<!> operators respectively. The default list of environment
980: variables to remove is displayed when B<sudo> is run by root with the
981: I<-V> option. Note that many operating systems will remove potentially
982: dangerous variables from the environment of any setuid process (such
983: as B<sudo>).
984:
985: =item env_keep
986:
987: Environment variables to be preserved in the user's environment
988: when the I<env_reset> option is in effect. This allows fine-grained
989: control over the environment B<sudo>-spawned processes will receive.
990: The argument may be a double-quoted, space-separated list or a
991: single value without double-quotes. The list can be replaced, added
992: to, deleted from, or disabled by using the C<=>, C<+=>, C<-=>, and
993: C<!> operators respectively. The default list of variables to keep
994: is displayed when B<sudo> is run by root with the I<-V> option.
995:
996: =back
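As an added illustration that is not part of B<sudo> or this manual, the following Python models how the I<env_keep>, I<env_check> and I<env_delete> lists described above combine with I<env_reset>, including the C<=>, C<+=>, C<-=> and C<!> list operators. The sample environment and list contents are constructed, the directive parser is a simplification of the sudoers grammar, and only the filtering rules are modelled (sudo itself also installs defaults such as C<PATH> when resetting).

```python
import re

# Constructed sample environment (not taken from any real system).
SAMPLE_ENV = {
    "HOME": "/home/alice",
    "PATH": "/usr/bin:/bin",
    "TERM": "xterm",
    "LANG": "en_US.UTF-8",
    "LC_TIME": "%s",               # contains '%': fails env_check
    "TZ": "/etc/localtime",        # contains '/': fails env_check
    "COLORTERM": "truecolor",      # passes env_check
    "LD_PRELOAD": "/tmp/lib.so",   # listed in env_delete below
}

# One Defaults list directive: optional '!', list name, optional operator
# and a double-quoted list or a single bare value (simplified grammar).
_DIRECTIVE = re.compile(
    r'^\s*(?P<neg>!)?\s*(?P<name>env_keep|env_check|env_delete)'
    r'(?:\s*(?P<op>\+=|-=|=)\s*(?P<val>"[^"]*"|\S+))?\s*$')

def apply_list_directive(lists, directive):
    """Apply one directive such as 'env_keep += "DISPLAY XAUTHORITY"' or
    '!env_check' to a dict mapping list name -> set of variable names."""
    m = _DIRECTIVE.match(directive)
    if not m:
        raise ValueError("unrecognised directive: %r" % directive)
    name, op, val = m.group("name"), m.group("op"), m.group("val")
    if m.group("neg"):
        lists[name] = set()               # '!' disables the whole list
        return lists
    values = set(val.strip('"').split())  # quoted list or one bare value
    if op == "=":
        lists[name] = values              # replace the list
    elif op == "+=":
        lists[name] |= values             # add to the list
    elif op == "-=":
        lists[name] -= values             # delete from the list
    return lists

def sudo_env_filter(environ, env_reset, lists):
    """Model of the documented rules only:
      - env_delete variables are always removed;
      - env_check variables are removed if the value contains '%' or '/',
        otherwise kept even when env_reset is on;
      - with env_reset on, anything else survives only if in env_keep;
      - with env_reset off, anything else is passed through."""
    result = {}
    for name, value in environ.items():
        if name in lists["env_delete"]:
            continue
        if name in lists["env_check"]:
            if "%" in value or "/" in value:
                continue                  # printf-style or path content
            result[name] = value
        elif not env_reset or name in lists["env_keep"]:
            result[name] = value
    return result

def new_lists():
    """Empty list set; a real sudoers starts from compiled-in defaults."""
    return {"env_keep": set(), "env_check": set(), "env_delete": set()}

if __name__ == "__main__":   # small demonstration run
    lists = new_lists()
    apply_list_directive(lists, 'env_keep = "HOME TERM LANG"')
    apply_list_directive(lists, 'env_check = "LC_TIME TZ COLORTERM"')
    apply_list_directive(lists, "env_delete = LD_PRELOAD")
    print(sorted(sudo_env_filter(SAMPLE_ENV, True, lists)))
```

Disabling I<env_check> with C<!env_check> while I<env_reset> is off lets the C<%s> and path-valued variables through, which is the exposure the check exists to prevent.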
997:
998: When logging via L<syslog(3)>, B<sudo> accepts the following values
999: for the syslog facility (the value of the B<syslog> parameter):
1000: B<authpriv> (if your OS supports it), B<auth>, B<daemon>, B<user>,
1001: B<local0>, B<local1>, B<local2>, B<local3>, B<local4>, B<local5>,
1002: B<local6>, and B<local7>. The following syslog priorities are
1003: supported: B<alert>, B<crit>, B<debug>, B<emerg>, B<err>, B<info>,
1004: B<notice>, and B<warning>.
1005:
1006: =head1 FILES
1007:
1.4 ! millert 1008: =over 4
! 1009:
1.3 millert 1010: =item F<@sysconfdir@/sudoers>C< >
1011: List of who can run what
1012:
1013: =item F</etc/group>C< >
1014: Local groups file
1015:
1016: =item F</etc/netgroup>C< >
1017: List of network groups
1.4 ! millert 1018:
! 1019: =back
1.1 millert 1020:
1021: =head1 EXAMPLES
1022:
1023: Since the I<sudoers> file is parsed in a single pass, order is
1024: important. In general, you should structure I<sudoers> such that
1025: the C<Host_Alias>, C<User_Alias>, and C<Cmnd_Alias> specifications
1026: come first, followed by any C<Default_Entry> lines, and finally the
1027: C<Runas_Alias> and user specifications. The basic rule of thumb
1028: is you cannot reference an Alias that has not already been defined.
1029:
1030: Below are example I<sudoers> entries. Admittedly, some of
1031: these are a bit contrived. First, we define our I<aliases>:
1032:
1033: # User alias specification
1034: User_Alias FULLTIMERS = millert, mikef, dowdy
1035: User_Alias PARTTIMERS = bostley, jwfox, crawl
1036: User_Alias WEBMASTERS = will, wendy, wim
1037:
1038: # Runas alias specification
1039: Runas_Alias OP = root, operator
1040: Runas_Alias DB = oracle, sybase
1041:
1042: # Host alias specification
1043: Host_Alias SPARC = bigtime, eclipse, moet, anchor :\
1044: SGI = grolsch, dandelion, black :\
1045: ALPHA = widget, thalamus, foobar :\
1046: HPPA = boa, nag, python
1047: Host_Alias CUNETS = 128.138.0.0/255.255.0.0
1048: Host_Alias CSNETS = 128.138.243.0, 128.138.204.0/24, 128.138.242.0
1049: Host_Alias SERVERS = master, mail, www, ns
1050: Host_Alias CDROM = orion, perseus, hercules
1051:
1052: # Cmnd alias specification
1053: Cmnd_Alias DUMPS = /usr/bin/mt, /usr/sbin/dump, /usr/sbin/rdump,\
1054: /usr/sbin/restore, /usr/sbin/rrestore
1055: Cmnd_Alias KILL = /usr/bin/kill
1056: Cmnd_Alias PRINTING = /usr/sbin/lpc, /usr/bin/lprm
1057: Cmnd_Alias SHUTDOWN = /usr/sbin/shutdown
1058: Cmnd_Alias HALT = /usr/sbin/halt
1059: Cmnd_Alias REBOOT = /usr/sbin/reboot
1060: Cmnd_Alias SHELLS = /usr/bin/sh, /usr/bin/csh, /usr/bin/ksh, \
1061: /usr/local/bin/tcsh, /usr/bin/rsh, \
1062: /usr/local/bin/zsh
1063: Cmnd_Alias SU = /usr/bin/su
1064:
1065: Here we override some of the compiled-in default values. We want
1066: B<sudo> to log via L<syslog(3)> using the I<auth> facility in all
1067: cases. We don't want to subject the full time staff to the B<sudo>
1068: lecture, user B<millert> need not give a password, and we don't
1069: want to reset the C<LOGNAME>, C<USER> or C<USERNAME> environment
1070: variables when running commands as root. Additionally, on the
1071: machines in the I<SERVERS> C<Host_Alias>, we keep an additional
1072: local log file and make sure we log the year in each log line since
1073: the log entries will be kept around for several years.
1074:
1075: # Override built-in defaults
1076: Defaults syslog=auth
1077: Defaults>root !set_logname
1078: Defaults:FULLTIMERS !lecture
1079: Defaults:millert !authenticate
1080: Defaults@SERVERS log_year, logfile=/var/log/sudo.log
1081: Defaults!PAGERS noexec
1082:
1083: The I<User specification> is the part that actually determines who may
1084: run what.
1085:
1086: root ALL = (ALL) ALL
1087: %wheel ALL = (ALL) ALL
1088:
1089: We let B<root> and any user in group B<wheel> run any command on any
1090: host as any user.
1091:
1092: FULLTIMERS ALL = NOPASSWD: ALL
1093:
1094: Full time sysadmins (B<millert>, B<mikef>, and B<dowdy>) may run any
1095: command on any host without authenticating themselves.
1096:
1097: PARTTIMERS ALL = ALL
1098:
1099: Part time sysadmins (B<bostley>, B<jwfox>, and B<crawl>) may run any
1100: command on any host but they must authenticate themselves first
1101: (since the entry lacks the C<NOPASSWD> tag).
1102:
1103: jack CSNETS = ALL
1104:
1105: The user B<jack> may run any command on the machines in the I<CSNETS> alias
1106: (the networks C<128.138.243.0>, C<128.138.204.0>, and C<128.138.242.0>).
1107: Of those networks, only C<128.138.204.0> has an explicit netmask (in
1108: CIDR notation) indicating it is a class C network. For the other
1109: networks in I<CSNETS>, the local machine's netmask will be used
1110: during matching.
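As an added illustration that is not part of B<sudo> or this manual, the following Python shows the two ways a network member of a C<Host_Alias> is matched: a member carrying its own netmask (such as C<128.138.204.0/24>) is used as written, while a bare address (such as C<128.138.243.0>) is combined with the local machine's netmask. The alias definitions are the I<CSNETS> and I<CUNETS> entries above; the local addresses and netmasks are constructed, and hostname members are not handled.

```python
import ipaddress

# Host_Alias members copied from the EXAMPLES section above.
CSNETS = ["128.138.243.0", "128.138.204.0/24", "128.138.242.0"]
CUNETS = ["128.138.0.0/255.255.0.0"]

def member_network(member, local_netmask):
    """Network that an address-style Host_Alias member denotes.  A member
    with an explicit mask (CIDR or dotted) is used as written; a bare
    address is combined with the local machine's netmask.  Hostname
    members are out of scope here and raise ValueError."""
    if "/" in member:
        return ipaddress.IPv4Network(member, strict=False)
    return ipaddress.IPv4Network((member, local_netmask), strict=False)

def host_alias_matches(members, local_ip, local_netmask):
    """True if local_ip falls inside any network member of the alias."""
    ip = ipaddress.IPv4Address(local_ip)
    return any(ip in member_network(m, local_netmask) for m in members)

if __name__ == "__main__":
    # The same host matches CSNETS or not depending on its own netmask,
    # because 128.138.243.0 carries no explicit mask in the alias.
    for mask in ("255.255.255.0", "255.255.255.128"):   # constructed
        print(mask, host_alias_matches(CSNETS, "128.138.243.200", mask))
```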
1111:
1112: lisa CUNETS = ALL
1113:
1114: The user B<lisa> may run any command on any host in the I<CUNETS> alias
1115: (the class B network C<128.138.0.0>).
1116:
1117: operator ALL = DUMPS, KILL, SHUTDOWN, HALT, REBOOT, PRINTING,\
1118: sudoedit /etc/printcap, /usr/oper/bin/
1119:
1120: The B<operator> user may run commands limited to simple maintenance.
1121: Here, those are commands related to backups, killing processes, the
1122: printing system, shutting down the system, and any commands in the
1123: directory F</usr/oper/bin/>.
1124:
1125: joe ALL = /usr/bin/su operator
1126:
1127: The user B<joe> may only L<su(1)> to operator.
1128:
1129: pete HPPA = /usr/bin/passwd [A-z]*, !/usr/bin/passwd root
1130:
1131: The user B<pete> is allowed to change anyone's password except for
1132: root on the I<HPPA> machines. Note that this assumes L<passwd(1)>
1133: does not take multiple usernames on the command line.
1134:
1135: bob SPARC = (OP) ALL : SGI = (OP) ALL
1136:
1137: The user B<bob> may run anything on the I<SPARC> and I<SGI> machines
1138: as any user listed in the I<OP> C<Runas_Alias> (B<root> and B<operator>).
1139:
1140: jim +biglab = ALL
1141:
1142: The user B<jim> may run any command on machines in the I<biglab> netgroup.
1143: B<sudo> knows that "biglab" is a netgroup due to the '+' prefix.
1144:
1145: +secretaries ALL = PRINTING, /usr/bin/adduser, /usr/bin/rmuser
1146:
1147: Users in the B<secretaries> netgroup need to help manage the printers
1148: as well as add and remove users, so they are allowed to run those
1149: commands on all machines.
1150:
1151: fred ALL = (DB) NOPASSWD: ALL
1152:
1153: The user B<fred> can run commands as any user in the I<DB> C<Runas_Alias>
1154: (B<oracle> or B<sybase>) without giving a password.
1155:
1156: john ALPHA = /usr/bin/su [!-]*, !/usr/bin/su *root*
1157:
1158: On the I<ALPHA> machines, user B<john> may su to anyone except root
1159: but he is not allowed to give L<su(1)> any flags.
1160:
1161: jen ALL, !SERVERS = ALL
1162:
1163: The user B<jen> may run any command on any machine except for those
1164: in the I<SERVERS> C<Host_Alias> (master, mail, www and ns).
1165:
1166: jill SERVERS = /usr/bin/, !SU, !SHELLS
1167:
1168: For any machine in the I<SERVERS> C<Host_Alias>, B<jill> may run
1169: any commands in the directory /usr/bin/ except for those commands
1170: belonging to the I<SU> and I<SHELLS> C<Cmnd_Aliases>.
1171:
1172: steve CSNETS = (operator) /usr/local/op_commands/
1173:
1174: The user B<steve> may run any command in the directory /usr/local/op_commands/
1175: but only as user operator.
1176:
1177: matt valkyrie = KILL
1178:
1179: On his personal workstation, valkyrie, B<matt> needs to be able to
1180: kill hung processes.
1181:
1182: WEBMASTERS www = (www) ALL, (root) /usr/bin/su www
1183:
1184: On the host www, any user in the I<WEBMASTERS> C<User_Alias> (will,
1185: wendy, and wim), may run any command as user www (which owns the
1186: web pages) or simply L<su(1)> to www.
1187:
1188: ALL CDROM = NOPASSWD: /sbin/umount /CDROM,\
1189: /sbin/mount -o nosuid\,nodev /dev/cd0a /CDROM
1190:
1191: Any user may mount or unmount a CD-ROM on the machines in the CDROM
1192: C<Host_Alias> (orion, perseus, hercules) without entering a password.
1193: This is a bit tedious for users to type, so it is a prime candidate
1194: for encapsulating in a shell script.
1195:
1196: =head1 SECURITY NOTES
1197:
1198: It is generally not effective to "subtract" commands from C<ALL>
1199: using the '!' operator. A user can trivially circumvent this
1200: by copying the desired command to a different name and then
1201: executing that. For example:
1202:
1203: bill ALL = ALL, !SU, !SHELLS
1204:
1205: This doesn't really prevent B<bill> from running the commands listed in
1206: I<SU> or I<SHELLS> since he can simply copy those commands to a
1207: different name, or use a shell escape from an editor or other
1208: program. Therefore, this kind of restriction should be considered
1209: advisory at best (and reinforced by policy).
1210:
1211: =head1 PREVENTING SHELL ESCAPES
1212:
1213: Once B<sudo> executes a program, that program is free to do whatever
1214: it pleases, including run other programs. This can be a security
1215: issue since it is not uncommon for a program to allow shell escapes,
1216: which lets a user bypass B<sudo>'s access control and logging.
1217: Common programs that permit shell escapes include shells (obviously),
1218: editors, paginators, mail and terminal programs.
1219:
1220: There are two basic approaches to this problem:
1221:
1222: =over 10
1223:
1224: =item restrict
1225:
1226: Avoid giving users access to commands that allow the user to run
1227: arbitrary commands. Many editors have a restricted mode where shell
1228: escapes are disabled, though B<sudoedit> is a better solution to
1229: running editors via B<sudo>. Due to the large number of programs that
1230: offer shell escapes, restricting users to the set of programs that
1231: do not is often unworkable.
1232:
1233: =item noexec
1234:
1235: Many systems that support shared libraries have the ability to
1236: override default library functions by pointing an environment
1237: variable (usually C<LD_PRELOAD>) to an alternate shared library.
1238: On such systems, B<sudo>'s I<noexec> functionality can be used to
1239: prevent a program run by B<sudo> from executing any other programs.
1240: Note, however, that this applies only to native dynamically-linked
1241: executables. Statically-linked executables and foreign executables
1242: running under binary emulation are not affected.
1243:
1244: To tell whether or not B<sudo> supports I<noexec>, you can run
1245: the following as root:
1246:
1247: sudo -V | grep "dummy exec"
1248:
1249: If the resulting output contains a line that begins with:
1250:
1251: File containing dummy exec functions:
1252:
1253: then B<sudo> may be able to replace the exec family of functions
1254: in the standard library with its own that simply return an error.
1255: Unfortunately, there is no foolproof way to know whether or not
1256: I<noexec> will work at compile-time. I<noexec> should work on
1257: SunOS, Solaris, *BSD, Linux, IRIX, Tru64 UNIX, MacOS X, and HP-UX
1258: 11.x. It is known B<not> to work on AIX and UnixWare. I<noexec>
1259: is expected to work on most operating systems that support the
1260: C<LD_PRELOAD> environment variable. Check your operating system's
1261: manual pages for the dynamic linker (usually ld.so, ld.so.1, dyld,
1262: dld.sl, rld, or loader) to see if C<LD_PRELOAD> is supported.
1263:
1264: To enable I<noexec> for a command, use the C<NOEXEC> tag as documented
1265: in the User Specification section above. Here is that example again:
1266:
1267: aaron shanty = NOEXEC: /usr/bin/more, /usr/bin/vi
1268:
1269: This allows user B<aaron> to run F</usr/bin/more> and F</usr/bin/vi>
1270: with I<noexec> enabled. This will prevent those two commands from
1271: executing other commands (such as a shell). If you are unsure
1272: whether or not your system is capable of supporting I<noexec> you
1273: can always just try it out and see if it works.
1274:
1275: =back
1276:
1277: Note that restricting shell escapes is not a panacea. Programs
1278: running as root are still capable of many potentially hazardous
1279: operations (such as changing or overwriting files) that could lead
1280: to unintended privilege escalation. In the specific case of an
1281: editor, a safer approach is to give the user permission to run
1282: B<sudoedit>.
1283:
1284: =head1 SEE ALSO
1285:
1286: L<rsh(1)>, L<su(1)>, L<fnmatch(3)>, L<sudo(8)>, L<visudo(8)>
1287:
1288: =head1 CAVEATS
1289:
1290: The I<sudoers> file should B<always> be edited by the B<visudo>
1291: command which locks the file and does grammatical checking. It is
1292: imperative that I<sudoers> be free of syntax errors since B<sudo>
1293: will not run with a syntactically incorrect I<sudoers> file.
1294:
1295: When using netgroups of machines (as opposed to users), if you
1296: store fully qualified hostnames in the netgroup (as is usually the
1297: case), you either need to have the machine's hostname be fully qualified
1298: as returned by the C<hostname> command or use the I<fqdn> option in
1299: I<sudoers>.
1300:
1301: =head1 BUGS
1302:
1303: If you feel you have found a bug in B<sudo>, please submit a bug report
1304: at http://www.sudo.ws/sudo/bugs/
1305:
1306: =head1 SUPPORT
1307:
1308: Limited free support is available via the sudo-users mailing list,
1309: see http://www.sudo.ws/mailman/listinfo/sudo-users to subscribe or
1310: search the archives.
1311:
1312: =head1 DISCLAIMER
1313:
1314: B<sudo> is provided ``AS IS'' and any express or implied warranties,
1315: including, but not limited to, the implied warranties of merchantability
1316: and fitness for a particular purpose are disclaimed. See the LICENSE
1317: file distributed with B<sudo> or http://www.sudo.ws/sudo/license.html
1318: for complete details.