Annotation of src/usr.bin/sudo/sudoers.pod, Revision 1.6
=cut
Copyright (c) 1994-1996, 1998-2005, 2007
	Todd C. Miller <Todd.Miller@courtesan.com>

Permission to use, copy, modify, and distribute this software for any
purpose with or without fee is hereby granted, provided that the above
copyright notice and this permission notice appear in all copies.

THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

Sponsored in part by the Defense Advanced Research Projects
Agency (DARPA) and Air Force Research Laboratory, Air Force
Materiel Command, USAF, under agreement number F39502-99-1-0512.

$Sudo: sudoers.pod,v 1.95.2.20 2007/08/27 19:52:28 millert Exp $
=pod

=head1 NAME

sudoers - list of which users may execute what

=head1 DESCRIPTION

The I<sudoers> file is composed of two types of entries: aliases
(basically variables) and user specifications (which specify who
may run what).

When multiple entries match for a user, they are applied in order.
Where there are multiple matches, the last match is used (which is
not necessarily the most specific match).

The I<sudoers> grammar will be described below in Extended Backus-Naur
Form (EBNF). Don't despair if you don't know what EBNF is; it is
fairly simple, and the definitions below are annotated.

=head2 Quick guide to EBNF

EBNF is a concise and exact way of describing the grammar of a language.
Each EBNF definition is made up of I<production rules>. E.g.,

 symbol ::= definition | alternate1 | alternate2 ...

Each I<production rule> references others and thus makes up a
grammar for the language. EBNF also contains the following
operators, which many readers will recognize from regular
expressions. Do not, however, confuse them with "wildcard"
characters, which have different meanings.

=over 4

=item C<?>

Means that the preceding symbol (or group of symbols) is optional.
That is, it may appear once or not at all.

=item C<*>

Means that the preceding symbol (or group of symbols) may appear
zero or more times.

=item C<+>

Means that the preceding symbol (or group of symbols) may appear
one or more times.

=back

Parentheses may be used to group symbols together. For clarity,
we will use single quotes ('') to designate what is a verbatim character
string (as opposed to a symbol name).

=head2 Aliases

There are four kinds of aliases: C<User_Alias>, C<Runas_Alias>,
C<Host_Alias> and C<Cmnd_Alias>.

 Alias ::= 'User_Alias'  User_Alias (':' User_Alias)* |
           'Runas_Alias' Runas_Alias (':' Runas_Alias)* |
           'Host_Alias'  Host_Alias (':' Host_Alias)* |
           'Cmnd_Alias'  Cmnd_Alias (':' Cmnd_Alias)*

 User_Alias ::= NAME '=' User_List

 Runas_Alias ::= NAME '=' Runas_List

 Host_Alias ::= NAME '=' Host_List

 Cmnd_Alias ::= NAME '=' Cmnd_List

 NAME ::= [A-Z]([A-Z][0-9]_)*

Each I<alias> definition is of the form

 Alias_Type NAME = item1, item2, ...

where I<Alias_Type> is one of C<User_Alias>, C<Runas_Alias>, C<Host_Alias>,
or C<Cmnd_Alias>. A C<NAME> is a string of uppercase letters, numbers,
and underscore characters ('_'). A C<NAME> B<must> start with an
uppercase letter. It is possible to put several alias definitions
of the same type on a single line, joined by a colon (':'). E.g.,

 Alias_Type NAME = item1, item2, item3 : NAME = item4, item5

The definitions of what constitutes a valid I<alias> member follow.

 User_List ::= User |
               User ',' User_List

 User ::= '!'* username |
          '!'* '%'group |
          '!'* '+'netgroup |
          '!'* User_Alias

A C<User_List> is made up of one or more usernames, system groups
(prefixed with '%'), netgroups (prefixed with '+') and other aliases.
Each list item may be prefixed with one or more '!' operators.
An odd number of '!' operators negates the value of the item; an even
number just cancels out.

 Runas_List ::= Runas_User |
                Runas_User ',' Runas_List

 Runas_User ::= '!'* username |
                '!'* '#'uid |
                '!'* '%'group |
                '!'* '+'netgroup |
                '!'* Runas_Alias

A C<Runas_List> is similar to a C<User_List> except that it can
also contain uids (prefixed with '#') and instead of C<User_Alias>es
it can contain C<Runas_Alias>es. Note that usernames and groups
are matched as strings. In other words, two users (groups) with
the same uid (gid) are considered to be distinct. If you wish to
match all usernames with the same uid (e.g.E<nbsp>root and toor), you
can use a uid instead (#0 in the example given).

 Host_List ::= Host |
               Host ',' Host_List

 Host ::= '!'* hostname |
          '!'* ip_addr |
          '!'* network(/netmask)? |
          '!'* '+'netgroup |
          '!'* Host_Alias

A C<Host_List> is made up of one or more hostnames, IP addresses,
network numbers, netgroups (prefixed with '+') and other aliases.
Again, the value of an item may be negated with the '!' operator.
If you do not specify a netmask along with the network number,
B<sudo> will query each of the local host's network interfaces and,
if the network number corresponds to one of the host's network
interfaces, the corresponding netmask will be used. The netmask
may be specified either in standard IP address notation
(e.g.E<nbsp>255.255.255.0 or ffff:ffff:ffff:ffff::),
or CIDR notation (number of bits, e.g.E<nbsp>24 or 64). A hostname may
include shell-style wildcards (see the L<Wildcards> section below),
but unless the C<hostname> command on your machine returns the fully
qualified hostname, you'll need to use the I<fqdn> option for
wildcards to be useful.
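
The following is an added example, not part of this manual or of the
sudo sources, that models the C<Host_List> rules just described in
Python: hostnames (with shell-style wildcards), plain IP addresses,
networks with a CIDR or dotted netmask, and bare network numbers
that borrow the netmask of a matching local interface. The local
hostname and interface list are constructed stand-ins for what
B<sudo> obtains from the system; netgroups and C<Host_Alias>
expansion are left out, and the treatment of '!' (the last item
whose body matches decides, a negated item yielding no match) is
this example's reading of the operator, not the project's own code.

```python
import fnmatch
import ipaddress

# Constructed view of the local host: its name and the addresses (with
# netmasks) of its network interfaces, which sudo itself would query.
LOCAL_HOSTNAME = "boulder"
LOCAL_INTERFACES = [
    ipaddress.ip_interface("192.168.1.10/24"),
    ipaddress.ip_interface("10.0.0.5/16"),
    ipaddress.ip_interface("2001:db8:1:2::10/64"),
]


def split_negation(item):
    """Strip leading '!' operators; an odd count negates, an even count cancels out."""
    body = item.lstrip("!")
    return body, (len(item) - len(body)) % 2 == 1


def host_item_matches(body, hostname=LOCAL_HOSTNAME, interfaces=LOCAL_INTERFACES):
    """Match one un-negated Host item: hostname, ip_addr or network(/netmask)?.
    Netgroups ('+' prefix) and Host_Alias expansion are not modelled here."""
    if "/" in body:
        # network with an explicit netmask, either CIDR bits or dotted form
        net = ipaddress.ip_network(body, strict=False)
        return any(iface.ip in net for iface in interfaces)
    try:
        addr = ipaddress.ip_address(body)
    except ValueError:
        # not an address: a hostname, possibly containing shell-style wildcards
        return fnmatch.fnmatchcase(hostname, body)
    for iface in interfaces:
        if addr == iface.ip:
            return True  # plain ip_addr
        if addr == iface.network.network_address:
            return True  # bare network number: the interface's own netmask applies
    return False


def host_list_matches(host_list, hostname=LOCAL_HOSTNAME, interfaces=LOCAL_INTERFACES):
    """Evaluate a comma-separated Host_List.  Items are tried in order and the
    last item whose body matches decides: an un-negated item yields True, a
    negated one yields False.  None means no item matched at all."""
    decision = None
    for item in host_list.split(","):
        body, negated = split_negation(item.strip())
        if body == "ALL" or host_item_matches(body, hostname, interfaces):
            decision = not negated
    return decision


if __name__ == "__main__":
    for spec in ("boulder", "boul*", "192.168.1.0", "10.0.0.0/255.255.0.0",
                 "2001:db8:1:2::/64", "ALL,!boulder", "rushmore"):
        print(f"{spec:28} -> {host_list_matches(spec)}")
```

Run stand-alone it prints the decision for each constructed
C<Host_List>; C<ALL,!boulder> shows why a trailing negation only has
an effect on the host it names.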

 Cmnd_List ::= Cmnd |
               Cmnd ',' Cmnd_List

 commandname ::= filename |
                 filename args |
                 filename '""'

 Cmnd ::= '!'* commandname |
          '!'* directory |
          '!'* "sudoedit" |
          '!'* Cmnd_Alias

A C<Cmnd_List> is a list of one or more commandnames, directories, and other
aliases. A commandname is a fully qualified filename which may include
shell-style wildcards (see the L<Wildcards> section below). A simple
filename allows the user to run the command with any arguments he/she
wishes. However, you may also specify command line arguments (including
wildcards). Alternately, you can specify C<""> to indicate that the command
may only be run B<without> command line arguments. A directory is a
fully qualified pathname ending in a '/'. When you specify a directory
in a C<Cmnd_List>, the user will be able to run any file within that directory
(but not in any subdirectories therein).

If a C<Cmnd> has associated command line arguments, then the arguments
in the C<Cmnd> must match exactly those given by the user on the command line
(or match the wildcards if there are any). Note that the following
characters must be escaped with a '\' if they are used in command
arguments: ',', ':', '=', '\'. The special command C<"sudoedit">
is used to permit a user to run B<sudo> with the B<-e> flag (or
as B<sudoedit>). It may take command line arguments just as
a normal command does.

=head2 Defaults

Certain configuration options may be changed from their default
values at runtime via one or more C<Default_Entry> lines. These
may affect all users on any host, all users on a specific host, a
specific user, or commands being run as a specific user.

 Default_Type ::= 'Defaults' |
                  'Defaults' '@' Host_List |
                  'Defaults' ':' User_List |
                  'Defaults' '>' Runas_List

 Default_Entry ::= Default_Type Parameter_List

 Parameter_List ::= Parameter |
                    Parameter ',' Parameter_List

 Parameter ::= Parameter '=' Value |
               Parameter '+=' Value |
               Parameter '-=' Value |
               '!'* Parameter

Parameters may be B<flags>, B<integer> values, B<strings>, or B<lists>.
Flags are implicitly boolean and can be turned off via the '!'
operator. Some integer, string and list parameters may also be
used in a boolean context to disable them. Values may be enclosed
in double quotes (C<">) when they contain multiple words. Special
characters may be escaped with a backslash (C<\>).

Lists have two additional assignment operators, C<+=> and C<-=>.
These operators are used to add to and delete from a list respectively.
It is not an error to use the C<-=> operator to remove an element
that does not exist in a list.

See L</"SUDOERS OPTIONS"> for a list of supported Defaults parameters.
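
As an added example (not from this manual or the sudo sources), the
parser below walks C<Default_Entry> lines according to the grammar
above: the four C<Default_Type> scopes, flag negation with '!', quoted
and backslash-escaped values, and the C<+=> and C<-=> list operators,
including the rule that removing a missing list element is not an
error. The built-in starting values and the sample entries are
constructed for the example; entries are applied strictly in file
order, so B<sudo>'s own precedence between scope types is not
modelled, and the scope list is assumed to follow C<Defaults> without
intervening whitespace (e.g. C<Defaults:ray>).

```python
import re

# Parameters the manual describes as lists (env_keep, env_check, env_delete).
LIST_PARAMS = {"env_keep", "env_check", "env_delete"}

# Constructed starting values; the real defaults are compiled into sudo.
BUILTIN_DEFAULTS = {
    "authenticate": True, "env_reset": True, "insults": False,
    "requiretty": False, "lecture": "once", "passwd_tries": "3",
    "env_keep": [], "env_check": ["TZ"],
}

# Split a Parameter_List on commas that are not inside double quotes.
_COMMA_OUTSIDE_QUOTES = re.compile(r',(?=(?:[^"]*"[^"]*")*[^"]*$)')
_PARAM = re.compile(r'^(!*)([A-Za-z_]+)\s*(\+=|-=|=)?\s*(.*)$')


def parse_defaults_line(line):
    """Parse one Default_Entry into (scope_kind, scope_items, params).
    scope_kind is None (everyone), '@' (Host_List), ':' (User_List) or
    '>' (Runas_List).  Each param is (name, op, value) where op is 'flag'
    (value is the resulting boolean), '=', '+=' or '-='."""
    head, body = line.split(None, 1)
    m = re.match(r'^Defaults([@:>])?(\S*)$', head)
    if not m:
        raise ValueError(f"not a Defaults entry: {line!r}")
    scope_kind = m.group(1)
    scope_items = m.group(2).split(",") if m.group(2) else []
    params = []
    for text in _COMMA_OUTSIDE_QUOTES.split(body):
        pm = _PARAM.match(text.strip())
        if not pm:
            raise ValueError(f"bad parameter: {text!r}")
        bangs, name, op, value = pm.groups()
        if op is None:
            # '!'* Parameter: an odd number of '!' turns the flag off
            params.append((name, "flag", len(bangs) % 2 == 0))
        else:
            value = value.strip()
            if len(value) >= 2 and value[0] == value[-1] == '"':
                value = value[1:-1]  # quoted multi-word value
            value = re.sub(r"\\(.)", r"\1", value)  # backslash escapes
            params.append((name, op, value))
    return scope_kind, scope_items, params


def apply_params(settings, params):
    """Apply parsed parameters to a settings dict (modified in place)."""
    for name, op, value in params:
        if op == "flag":
            if name in LIST_PARAMS:
                if not value:
                    settings[name] = []  # a list in a boolean context is cleared
            else:
                settings[name] = value
        elif op == "=":
            settings[name] = value.split() if name in LIST_PARAMS else value
        elif op == "+=":
            settings.setdefault(name, []).extend(value.split())
        elif op == "-=":
            current = settings.setdefault(name, [])
            for word in value.split():  # a missing element is silently ignored
                if word in current:
                    current.remove(word)
    return settings


def effective_settings(sudoers_text, user, host, runas):
    """Apply, in file order, every Defaults entry whose scope covers the request."""
    settings = {k: (list(v) if isinstance(v, list) else v)
                for k, v in BUILTIN_DEFAULTS.items()}
    subject = {"@": host, ":": user, ">": runas}
    for line in sudoers_text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line.startswith("Defaults"):
            continue
        kind, items, params = parse_defaults_line(line)
        if kind is None or subject[kind] in items or "ALL" in items:
            apply_params(settings, params)
    return settings


SAMPLE_DEFAULTS = """\
# constructed sample Defaults entries
Defaults env_reset, !insults, passwd_tries=5
Defaults env_keep += "EDITOR VISUAL PAGER"
Defaults env_keep -= VISUAL, env_keep -= NOT_IN_LIST
Defaults:ray !lecture, timestamp_timeout=0
Defaults@boulder !!requiretty
Defaults>operator mailsub = "*** SECURITY information for %h ***"
"""

if __name__ == "__main__":
    print(effective_settings(SAMPLE_DEFAULTS, "ray", "rushmore", "root"))
    print(effective_settings(SAMPLE_DEFAULTS, "dgb", "boulder", "operator"))
```

Values are kept as strings; the point of the example is the scoping
and the list operators, not the type table of the individual options.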

=head2 User Specification

 User_Spec ::= User_List Host_List '=' Cmnd_Spec_List \
               (':' Host_List '=' Cmnd_Spec_List)*

 Cmnd_Spec_List ::= Cmnd_Spec |
                    Cmnd_Spec ',' Cmnd_Spec_List

 Cmnd_Spec ::= Runas_Spec? Tag_Spec* Cmnd

 Runas_Spec ::= '(' Runas_List ')'

 Tag_Spec ::= ('NOPASSWD:' | 'PASSWD:' | 'NOEXEC:' | 'EXEC:' |
               'SETENV:' | 'NOSETENV:')

A B<user specification> determines which commands a user may run
(and as what user) on specified hosts. By default, commands are
run as B<root>, but this can be changed on a per-command basis.

Let's break that down into its constituent parts:

=head2 Runas_Spec

A C<Runas_Spec> is simply a C<Runas_List> (as defined above)
enclosed in a set of parentheses. If you do not specify a
C<Runas_Spec> in the user specification, a default C<Runas_Spec>
of B<root> will be used. A C<Runas_Spec> sets the default for
commands that follow it. What this means is that for the entry:

 dgb boulder = (operator) /bin/ls, /bin/kill, /usr/bin/lprm

The user B<dgb> may run F</bin/ls>, F</bin/kill>, and
F</usr/bin/lprm> -- but only as B<operator>. E.g.,

 $ sudo -u operator /bin/ls

It is also possible to override a C<Runas_Spec> later on in an
entry. If we modify the entry like so:

 dgb boulder = (operator) /bin/ls, (root) /bin/kill, /usr/bin/lprm

Then user B<dgb> is now allowed to run F</bin/ls> as B<operator>,
but F</bin/kill> and F</usr/bin/lprm> as B<root>.

=head2 Tag_Spec

A command may have zero or more tags associated with it. There are
six possible tag values, C<NOPASSWD>, C<PASSWD>, C<NOEXEC>, C<EXEC>,
C<SETENV> and C<NOSETENV>.
Once a tag is set on a C<Cmnd>, subsequent C<Cmnd>s in the
C<Cmnd_Spec_List> inherit the tag unless it is overridden by the
opposite tag (i.e., C<PASSWD> overrides C<NOPASSWD> and C<NOEXEC>
overrides C<EXEC>).

=head3 NOPASSWD and PASSWD

By default, B<sudo> requires that a user authenticate him or herself
before running a command. This behavior can be modified via the
C<NOPASSWD> tag. Like a C<Runas_Spec>, the C<NOPASSWD> tag sets
a default for the commands that follow it in the C<Cmnd_Spec_List>.
Conversely, the C<PASSWD> tag can be used to reverse things.
For example:

 ray rushmore = NOPASSWD: /bin/kill, /bin/ls, /usr/bin/lprm

would allow the user B<ray> to run F</bin/kill>, F</bin/ls>, and
F</usr/bin/lprm> as B<root> on the machine rushmore without
authenticating himself. If we only want B<ray> to be able to
run F</bin/kill> without a password the entry would be:

 ray rushmore = NOPASSWD: /bin/kill, PASSWD: /bin/ls, /usr/bin/lprm

Note, however, that the C<PASSWD> tag has no effect on users who are
in the group specified by the I<exempt_group> option.

By default, if the C<NOPASSWD> tag is applied to any of the entries
for a user on the current host, he or she will be able to run
C<sudo -l> without a password. Additionally, a user may only run
C<sudo -v> without a password if the C<NOPASSWD> tag is present
for all of that user's entries that pertain to the current host.
This behavior may be overridden via the I<verifypw> and I<listpw> options.
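
To make the rules of the last few sections concrete, here is an added
example (not from this manual or the sudo sources) that parses
C<User_Spec> lines and evaluates a request against them: the
C<Runas_Spec> and tag defaults flow along the C<Cmnd_Spec_List> until
overridden, the C<Cmnd> rules for bare filenames, explicit arguments,
C<""> and directories apply, and of all matching entries the last one
decides. The sample entries reuse the B<dgb>, B<ray> and B<aaron>
lines from the text plus two constructed ones; aliases, netgroups and
wildcards are not expanded, the two left-hand lists are assumed to be
comma-separated without spaces, and '!' is honoured on commands only.

```python
import os
import re

# Tag_Spec tokens and the tag they set (True is the "positive" form).
TAG_TOKENS = {
    "NOPASSWD:": ("passwd", False), "PASSWD:": ("passwd", True),
    "NOEXEC:": ("exec", False),     "EXEC:": ("exec", True),
    "SETENV:": ("setenv", True),    "NOSETENV:": ("setenv", False),
}
# Split a Cmnd_Spec_List on commas that are not inside a '(' Runas_List ')'.
_SPEC_COMMA = re.compile(r",(?![^(]*\))")
_RUNAS_SPEC = re.compile(r"^\s*\(([^)]*)\)\s*(.*)$")


def split_negation(word):
    """Strip leading '!' operators; an odd count negates, an even count cancels out."""
    body = word.lstrip("!")
    return body, (len(word) - len(body)) % 2 == 1


def parse_user_spec(line):
    """Parse 'User_List Host_List = Cmnd_Spec_List' into (users, hosts, specs)."""
    lhs, rhs = line.split("=", 1)
    users, hosts = lhs.split()
    runas, tags, specs = ("root",), {}, []  # defaults for the first Cmnd_Spec
    for text in _SPEC_COMMA.split(rhs):
        m = _RUNAS_SPEC.match(text)
        if m:  # a Runas_Spec resets the default for the commands that follow
            runas = tuple(u.strip() for u in m.group(1).split(","))
            text = m.group(2)
        words = text.split()
        tags = dict(tags)  # tags are inherited by later Cmnds unless overridden
        while words and words[0] in TAG_TOKENS:
            key, value = TAG_TOKENS[words.pop(0)]
            tags[key] = value
        path, negated = split_negation(words[0])
        args = " ".join(words[1:]) if len(words) > 1 else None
        specs.append({"runas": runas, "tags": tags, "path": path,
                      "args": args, "negated": negated})
    return users.split(","), hosts.split(","), specs


def cmnd_matches(spec, command, args):
    """Cmnd rules: a bare path allows any arguments, '""' allows none,
    explicit arguments must match exactly, a directory covers its direct entries."""
    if spec["path"].endswith("/"):
        return os.path.dirname(command) + "/" == spec["path"]
    if spec["path"] not in ("ALL", command):
        return False
    if spec["args"] is None:
        return True
    if spec["args"] == '""':
        return args == ""
    return spec["args"] == args


def evaluate(entries, user, host, runas, command, args=""):
    """Return (allowed, runas_list, tags) from the LAST matching Cmnd_Spec,
    or None when no entry matches at all."""
    decision = None
    for users, hosts, specs in entries:
        if not ({user, "ALL"} & set(users)) or not ({host, "ALL"} & set(hosts)):
            continue
        for spec in specs:
            if not ({runas, "ALL"} & set(spec["runas"])):
                continue
            if cmnd_matches(spec, command, args):
                decision = (not spec["negated"], spec["runas"], dict(spec["tags"]))
    return decision


def parse_sudoers(text):
    """Parse the User_Spec lines of a sudoers fragment (comments ignored)."""
    entries = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            entries.append(parse_user_spec(line))
    return entries


# Constructed sample: the entries discussed in the text plus a directory,
# a '""' command and a trailing negated entry that shows "last match wins".
SAMPLE_SUDOERS = """
dgb boulder = (operator) /bin/ls, (root) /bin/kill, /usr/bin/lprm
ray rushmore = NOPASSWD: /bin/kill, PASSWD: /bin/ls, /usr/bin/lprm
aaron shanty = NOEXEC: /usr/bin/more, /usr/bin/vi
aaron shanty = /bin/cat /var/log/messages, /usr/bin/passwd "", /usr/local/bin/
dgb boulder = (root, operator) /usr/bin/lprm
ray rushmore = !/bin/ls
"""
ENTRIES = parse_sudoers(SAMPLE_SUDOERS)

if __name__ == "__main__":
    print(evaluate(ENTRIES, "ray", "rushmore", "root", "/usr/bin/lprm"))
    print(evaluate(ENTRIES, "ray", "rushmore", "root", "/bin/ls"))
```

Note that a denial reached through a later C<!> entry reports the tags
of that entry, not of the earlier permitting one, and that a request
no entry covers yields C<None> rather than C<False>.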

=head3 NOEXEC and EXEC

If B<sudo> has been compiled with I<noexec> support and the underlying
operating system supports it, the C<NOEXEC> tag can be used to prevent
a dynamically-linked executable from running further commands itself.

In the following example, user B<aaron> may run F</usr/bin/more>
and F</usr/bin/vi> but shell escapes will be disabled.

 aaron shanty = NOEXEC: /usr/bin/more, /usr/bin/vi

See the L<PREVENTING SHELL ESCAPES> section below for more details
on how C<NOEXEC> works and whether or not it will work on your system.

=head3 SETENV and NOSETENV

These tags override the value of the I<setenv> option on a per-command
basis. Note that if C<SETENV> has been set for a command, any
environment variables set on the command line are not subject
to the restrictions imposed by I<env_check>, I<env_delete>, or
I<env_keep>. As such, only trusted users should be allowed to set
variables in this manner.

=head2 Wildcards

B<sudo> allows shell-style I<wildcards> (aka meta or glob characters)
to be used in pathnames as well as command line arguments in the
I<sudoers> file. Wildcard matching is done via the B<POSIX>
L<fnmatch(3)> routine. Note that these are I<not> regular expressions.

=over 8

=item C<*>

Matches any set of zero or more characters.

=item C<?>

Matches any single character.

=item C<[...]>

Matches any character in the specified range.

=item C<[!...]>

Matches any character B<not> in the specified range.

=item C<\x>

For any character "x", evaluates to "x". This is used to
escape special characters such as: "*", "?", "[", and "]".

=back

Note that a forward slash ('/') will B<not> be matched by
wildcards used in the pathname. When matching the command
line arguments, however, a slash B<does> get matched by
wildcards. This is to make a path like:

 /usr/bin/*

match F</usr/bin/who> but not F</usr/bin/X11/xterm>.
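
The slash rule above is the part of wildcard matching that most often
surprises people, so here is an added example (not from this manual or
the sudo sources) of a small matcher for the five wildcard forms
listed, with a C<pathname> switch that reproduces the two behaviours:
for a command path, C<*>, C<?> and C<[...]> never cross a '/', while
for command line arguments they do. It translates the pattern to a
Python regular expression only as an implementation device; B<sudo>
itself calls L<fnmatch(3)>, and the patterns and strings below are
constructed for the example.

```python
import re


def wildcard_to_regex(pattern, pathname=True):
    """Translate a sudoers wildcard pattern into a regular expression.
    pathname=True: '*', '?' and '[...]' never match a '/' (command paths).
    pathname=False: a '/' is matched like any other character (arguments).
    '\\x' always stands for the literal character x."""
    one = "[^/]" if pathname else "."
    out, i, n = [], 0, len(pattern)
    while i < n:
        c = pattern[i]
        if c == "*":
            out.append(one + "*")
        elif c == "?":
            out.append(one)
        elif c == "\\" and i + 1 < n:
            i += 1
            out.append(re.escape(pattern[i]))  # escaped character is literal
        elif c == "[":
            j = i + 1
            if j < n and pattern[j] == "!":
                j += 1
            if j < n and pattern[j] == "]":  # a ']' right after '[' or '[!' is literal
                j += 1
            j = pattern.find("]", j)
            if j == -1:
                out.append(re.escape("["))  # unterminated bracket: literal '['
            else:
                inner = pattern[i + 1:j]
                negate = inner.startswith("!")
                body = (inner[1:] if negate else inner).replace("\\", "\\\\")
                if body.startswith("^"):
                    body = "\\" + body
                if negate:
                    out.append("[^" + ("/" if pathname else "") + body + "]")
                else:
                    out.append("[" + body + "]")
                i = j
        else:
            out.append(re.escape(c))
        i += 1
    return "".join(out)


def wildcard_match(pattern, string, pathname=True):
    """True when the whole string matches the pattern (no partial matches)."""
    regex = wildcard_to_regex(pattern, pathname)
    return re.fullmatch(regex, string, re.DOTALL) is not None


if __name__ == "__main__":
    for candidate in ("/usr/bin/who", "/usr/bin/X11/xterm"):
        print(f"/usr/bin/* vs {candidate:20} path={wildcard_match('/usr/bin/*', candidate)}"
              f" args={wildcard_match('/usr/bin/*', candidate, pathname=False)}")
```

The same pattern therefore grants F</usr/bin/who> but not
F</usr/bin/X11/xterm> when it is the command, yet would accept either
string when it appears in the argument part of a C<Cmnd>.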

=head2 Exceptions to wildcard rules

The following exceptions apply to the above rules:

=over 8

=item C<"">

If the empty string C<""> is the only command line argument in the
I<sudoers> entry it means that command is not allowed to be run
with B<any> arguments.

=back

=head2 Other special characters and reserved words

The pound sign ('#') is used to indicate a comment (unless it is
part of a #include directive or unless it occurs in the context of
a user name and is followed by one or more digits, in which case
it is treated as a uid). Both the comment character and any text
after it, up to the end of the line, are ignored.

The reserved word B<ALL> is a built-in I<alias> that always causes
a match to succeed. It can be used wherever one might otherwise
use a C<Cmnd_Alias>, C<User_Alias>, C<Runas_Alias>, or C<Host_Alias>.
You should not try to define your own I<alias> called B<ALL> as the
built-in alias will be used in preference to your own. Please note
that using B<ALL> can be dangerous since in a command context, it
allows the user to run B<any> command on the system.

An exclamation point ('!') can be used as a logical I<not> operator
both in an I<alias> and in front of a C<Cmnd>. This allows one to
exclude certain values. Note, however, that using a C<!> in
conjunction with the built-in C<ALL> alias to allow a user to
run "all but a few" commands rarely works as intended (see SECURITY
NOTES below).

Long lines can be continued with a backslash ('\') as the last
character on the line.

Whitespace between elements in a list as well as special syntactic
characters in a I<User Specification> ('=', ':', '(', ')') is optional.

The following characters must be escaped with a backslash ('\') when
used as part of a word (e.g.E<nbsp>a username or hostname):
'@', '!', '=', ':', ',', '(', ')', '\'.

=head1 SUDOERS OPTIONS

B<sudo>'s behavior can be modified by C<Default_Entry> lines, as
explained earlier. All supported Defaults parameters, grouped by
type, are listed below.

B<Flags>:

=over 16

=item always_set_home

If set, B<sudo> will set the C<HOME> environment variable to the home
directory of the target user (which is root unless the B<-u> option is used).
This effectively means that the B<-H> flag is always implied.
This flag is I<off> by default.

=item authenticate

If set, users must authenticate themselves via a password (or other
means of authentication) before they may run commands. This default
may be overridden via the C<PASSWD> and C<NOPASSWD> tags.
This flag is I<on> by default.

=item env_editor

If set, B<visudo> will use the value of the EDITOR or VISUAL
environment variables before falling back on the default editor list.
Note that this may create a security hole as it allows the user to
run any arbitrary command as root without logging. A safer alternative
is to place a colon-separated list of editors in the C<editor>
variable. B<visudo> will then only use the EDITOR or VISUAL if
they match a value specified in C<editor>. This flag is I<@env_editor@> by
default.

=item env_reset

If set, B<sudo> will reset the environment to only contain the
LOGNAME, SHELL, USER, USERNAME and the C<SUDO_*> variables. Any
variables in the caller's environment that match the C<env_keep>
and C<env_check> lists are then added. The default contents of the
C<env_keep> and C<env_check> lists are displayed when B<sudo> is
run by root with the I<-V> option. If B<sudo> was compiled with
the C<SECURE_PATH> option, its value will be used for the C<PATH>
environment variable. This flag is I<on> by default.

=item fqdn

Set this flag if you want to put fully qualified hostnames in the
I<sudoers> file. I.e., instead of myhost you would use myhost.mydomain.edu.
You may still use the short form if you wish (and even mix the two).
Beware that turning on I<fqdn> requires B<sudo> to make DNS lookups
which may make B<sudo> unusable if DNS stops working (for example
if the machine is not plugged into the network). Also note that
you must use the host's official name as DNS knows it. That is,
you may not use a host alias (C<CNAME> entry) due to performance
issues and the fact that there is no way to get all aliases from
DNS. If your machine's hostname (as returned by the C<hostname>
command) is already fully qualified you shouldn't need to set
I<fqdn>. This flag is I<@fqdn@> by default.

=item ignore_dot

If set, B<sudo> will ignore '.' or '' (current dir) in the C<PATH>
environment variable; the C<PATH> itself is not modified. This
flag is I<@ignore_dot@> by default. Currently, while it is possible
to set I<ignore_dot> in I<sudoers>, its value is not used. This option
should be considered read-only (it will be fixed in a future version
of B<sudo>).

=item ignore_local_sudoers

If set via LDAP, parsing of @sysconfdir@/sudoers will be skipped.
This is intended for Enterprises that wish to prevent the usage of local
sudoers files so that only LDAP is used. This thwarts the efforts of
rogue operators who would attempt to add roles to @sysconfdir@/sudoers.
When this option is present, @sysconfdir@/sudoers does not even need to exist.
Since this option tells B<sudo> how to behave when no specific LDAP entries
have been matched, this sudoOption is only meaningful for the cn=defaults
section. This flag is I<off> by default.

=item insults

If set, B<sudo> will insult users when they enter an incorrect
password. This flag is I<@insults@> by default.

=item log_host

If set, the hostname will be logged in the (non-syslog) B<sudo> log file.
This flag is I<off> by default.

=item log_year

If set, the four-digit year will be logged in the (non-syslog) B<sudo> log file.
This flag is I<off> by default.

=item long_otp_prompt

When validating with a One Time Password (OTP) scheme such as
B<S/Key> or B<OPIE>, a two-line prompt is used to make it easier
to cut and paste the challenge to a local window. It's not as
pretty as the default but some people find it more convenient. This
flag is I<@long_otp_prompt@> by default.

=item mail_always

Send mail to the I<mailto> user every time a user runs B<sudo>.
This flag is I<off> by default.

=item mail_badpass

Send mail to the I<mailto> user if the user running B<sudo> does not
enter the correct password. This flag is I<off> by default.

=item mail_no_host

If set, mail will be sent to the I<mailto> user if the invoking
user exists in the I<sudoers> file, but is not allowed to run
commands on the current host. This flag is I<@mail_no_host@> by default.

=item mail_no_perms

If set, mail will be sent to the I<mailto> user if the invoking
user is allowed to use B<sudo> but the command they are trying is not
listed in their I<sudoers> file entry or is explicitly denied.
This flag is I<@mail_no_perms@> by default.

=item mail_no_user

If set, mail will be sent to the I<mailto> user if the invoking
user is not in the I<sudoers> file. This flag is I<@mail_no_user@>
by default.

=item noexec

If set, all commands run via B<sudo> will behave as if the C<NOEXEC>
tag has been set, unless overridden by an C<EXEC> tag. See the
description of I<NOEXEC and EXEC> above as well as the L<PREVENTING SHELL
ESCAPES> section at the end of this manual. This flag is I<off> by default.

=item path_info

Normally, B<sudo> will tell the user when a command could not be
found in their C<PATH> environment variable. Some sites may wish
to disable this as it could be used to gather information on the
location of executables that the normal user does not have access
to. The disadvantage is that if the executable is simply not in
the user's C<PATH>, B<sudo> will tell the user that they are not
allowed to run it, which can be confusing. This flag is I<@path_info@>
by default.

=item preserve_groups

By default B<sudo> will initialize the group vector to the list of
groups the target user is in. When I<preserve_groups> is set, the
user's existing group vector is left unaltered. The real and
effective group IDs, however, are still set to match the target
user. This flag is I<off> by default.

=item requiretty

If set, B<sudo> will only run when the user is logged in to a real
tty. This will disallow things like C<"rsh somehost sudo ls"> since
L<rsh(1)> does not allocate a tty. Because it is not possible to turn
off echo when there is no tty present, some sites may wish to set
this flag to prevent a user from entering a visible password. This
flag is I<off> by default.

=item root_sudo

If set, root is allowed to run B<sudo> too. Disabling this prevents users
from "chaining" B<sudo> commands to get a root shell by doing something
like C<"sudo sudo /bin/sh">. Note, however, that turning off I<root_sudo>
will also prevent root from running B<sudoedit>.
Disabling I<root_sudo> provides no real additional security; it
exists purely for historical reasons.
This flag is I<@root_sudo@> by default.

=item rootpw

If set, B<sudo> will prompt for the root password instead of the password
of the invoking user. This flag is I<off> by default.

=item runaspw

If set, B<sudo> will prompt for the password of the user defined by the
I<runas_default> option (defaults to C<@runas_default@>) instead of the
password of the invoking user. This flag is I<off> by default.

=item set_home

If set and B<sudo> is invoked with the B<-s> flag the C<HOME>
environment variable will be set to the home directory of the target
user (which is root unless the B<-u> option is used). This effectively
makes the B<-s> flag imply B<-H>. This flag is I<off> by default.

=item set_logname

Normally, B<sudo> will set the C<LOGNAME>, C<USER> and C<USERNAME>
environment variables to the name of the target user (usually root
unless the B<-u> flag is given). However, since some programs
(including the RCS revision control system) use C<LOGNAME> to
determine the real identity of the user, it may be desirable to
change this behavior. This can be done by negating the set_logname
option. Note that if the I<env_reset> option has not been disabled,
entries in the I<env_keep> list will override the value of
I<set_logname>. This flag is I<off> by default.

=item setenv

Allow the user to disable the I<env_reset> option from the command
line. Additionally, environment variables set via the command line
are not subject to the restrictions imposed by I<env_check>,
I<env_delete>, or I<env_keep>. As such, only trusted users should
be allowed to set variables in this manner. This flag is I<off>
by default.

=item shell_noargs

If set and B<sudo> is invoked with no arguments it acts as if the
B<-s> flag had been given. That is, it runs a shell as root (the
shell is determined by the C<SHELL> environment variable if it is
set, falling back on the shell listed in the invoking user's
/etc/passwd entry if not). This flag is I<off> by default.

=item stay_setuid

Normally, when B<sudo> executes a command the real and effective
UIDs are set to the target user (root by default). This option
changes that behavior such that the real UID is left as the invoking
user's UID. In other words, this makes B<sudo> act as a setuid
wrapper. This can be useful on systems that disable some potentially
dangerous functionality when a program is run setuid. This option
is only effective on systems with either the setreuid() or setresuid()
function. This flag is I<off> by default.

=item targetpw

If set, B<sudo> will prompt for the password of the user specified by
the B<-u> flag (defaults to C<root>) instead of the password of the
invoking user. Note that this precludes the use of a uid not listed
in the passwd database as an argument to the B<-u> flag.
This flag is I<off> by default.

=item tty_tickets

If set, users must authenticate on a per-tty basis. Normally,
B<sudo> uses a directory in the ticket dir with the same name as
the user running it. With this flag enabled, B<sudo> will use a
file named for the tty the user is logged in on in that directory.
This flag is I<@tty_tickets@> by default.

=item use_loginclass

If set, B<sudo> will apply the defaults specified for the target user's
login class if one exists. Only available if B<sudo> is configured with
the --with-logincap option. This flag is I<off> by default.

=back
688:
689: B<Integers>:
690:
1.5 millert 691: =over 16
1.1 millert 692:
693: =item passwd_tries
694:
695: The number of tries a user gets to enter his/her password before
696: B<sudo> logs the failure and exits. The default is C<@passwd_tries@>.
697:
698: =back
699:
700: B<Integers that can be used in a boolean context>:
701:
1.5 millert 702: =over 16
1.1 millert 703:
704: =item loglinelen
705:
706: Number of characters per line for the file log. This value is used
707: to decide when to wrap lines for nicer log files. This has no
708: effect on the syslog log file, only the file log. The default is
709: C<@loglen@> (use 0 or negate the option to disable word wrap).
710:
711: =item passwd_timeout
712:
713: Number of minutes before the B<sudo> password prompt times out.
714: The default is C<@password_timeout@>; set this to C<0> for no password timeout.
715:
716: =item timestamp_timeout
717:
718: Number of minutes that can elapse before B<sudo> will ask for a
719: passwd again. The default is C<@timeout@>. Set this to C<0> to always
720: prompt for a password.
721: If set to a value less than C<0> the user's timestamp will never
expire. This can be used to allow users to create or delete their
own timestamps via C<sudo -v> and C<sudo -k> respectively.

=item umask

Umask to use when running the command. Negate this option or set
it to 0777 to preserve the user's umask. The default is C<@sudo_umask@>.

=back

B<Strings>:

=over 16

=item badpass_message

Message that is displayed if a user enters an incorrect password.
The default is C<@badpass_message@> unless insults are enabled.

=item editor

A colon (':')-separated list of editors allowed to be used with
B<visudo>. B<visudo> will choose the editor that matches the user's
EDITOR environment variable if possible, or the first editor in the
list that exists and is executable. The default is the path to vi
on your system.

=item mailsub

Subject of the mail sent to the I<mailto> user. The escape C<%h>
will expand to the hostname of the machine.
Default is C<@mailsub@>.

=item noexec_file

Path to a shared library containing dummy versions of the execv(),
execve() and fexecve() library functions that just return an error.
This is used to implement the I<noexec> functionality on systems that
support C<LD_PRELOAD> or its equivalent. Defaults to F<@noexec_file@>.

=item passprompt

The default prompt to use when asking for a password; can be overridden
via the B<-p> option or the C<SUDO_PROMPT> environment variable.
The following percent (`C<%>') escapes are supported:

=over 4

=item C<%H>

expanded to the local hostname including the domain name
(only if the machine's hostname is fully qualified or the I<fqdn>
option is set)

=item C<%h>

expanded to the local hostname without the domain name

=item C<%U>

expanded to the login name of the user the command will
be run as (defaults to root)

=item C<%u>

expanded to the invoking user's login name

=item C<%%>

two consecutive C<%> characters are collapsed into a single C<%> character

=back

The default value is C<@passprompt@>.

=item runas_default

The default user to run commands as if the B<-u> flag is not specified
on the command line. This defaults to C<@runas_default@>.
Note that if I<runas_default> is set it B<must> occur before
any C<Runas_Alias> specifications.

=item syslog_badpri

Syslog priority to use when a user authenticates unsuccessfully.
Defaults to C<@badpri@>.

=item syslog_goodpri

Syslog priority to use when a user authenticates successfully.
Defaults to C<@goodpri@>.

=item timestampdir

The directory in which B<sudo> stores its timestamp files.
The default is F<@timedir@>.

=item timestampowner

The owner of the timestamp directory and the timestamps stored therein.
The default is C<root>.

=back
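
As an added illustration of the I<passprompt> escapes listed above (this is
example code written for this page, not sudo's own implementation), the
following Python function expands a prompt in one left-to-right pass. The
hostname, user names and the C<resolved_fqdn> parameter, which stands in for
the lookup the I<fqdn> option would perform, are constructed assumptions.

```python
import re

# Percent escapes documented for the sudoers passprompt option.
# Constructed re-implementation for illustration; not sudo's own code.

def expand_passprompt(prompt, local_host, invoking_user,
                      runas_user="root", resolved_fqdn=None):
    """Expand %H, %h, %U, %u and %% in a passprompt string.

    local_host    -- hostname as the machine reports it (may be qualified)
    invoking_user -- login name of the user running sudo (%u)
    runas_user    -- user the command will run as (%U); root by default
    resolved_fqdn -- hypothetical stand-in for the name the fqdn option
                     would look up when local_host is unqualified
    """
    short_host = local_host.split(".", 1)[0]
    if "." in local_host:
        long_host = local_host            # already fully qualified
    elif resolved_fqdn:
        long_host = resolved_fqdn         # fqdn option in effect
    else:
        long_host = short_host            # %H falls back to the short name
    table = {"H": long_host, "h": short_host,
             "U": runas_user, "u": invoking_user, "%": "%"}

    def replace(match):
        # Unknown escapes are left untouched (assumption, not stated on the page).
        return table.get(match.group(1), match.group(0))

    # One left-to-right pass, so "%%u" collapses to "%u" and is not
    # expanded a second time.
    return re.sub(r"%(.)", replace, prompt, flags=re.DOTALL)


if __name__ == "__main__":
    print(expand_passprompt("Password for %u on %h: ",
                            "anchor.cs.colorado.edu", "millert"))
```

Because the escapes are replaced in a single pass, C<%%u> yields the literal
text C<%u> rather than the invoking user's name; an expander that first
collapsed C<%%> and then substituted C<%u> would get that wrong.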

B<Strings that can be used in a boolean context>:

=over 12

=item exempt_group

Users in this group are exempt from password and PATH requirements.
This is not set by default.

=item lecture

This option controls when a short lecture will be printed along with
the password prompt. It has the following possible values:

=over 8

=item always

Always lecture the user.

=item never

Never lecture the user.

=item once

Only lecture the user the first time they run B<sudo>.

=back

If no value is specified, a value of I<once> is implied.
Negating the option results in a value of I<never> being used.
The default value is I<@lecture@>.

=item lecture_file

Path to a file containing an alternate B<sudo> lecture that will
be used in place of the standard lecture if the named file exists.
By default, B<sudo> uses a built-in lecture.

=item listpw

This option controls when a password will be required when a
user runs B<sudo> with the B<-l> flag. It has the following possible values:

=over 8

=item all

All the user's I<sudoers> entries for the current host must have
the C<NOPASSWD> flag set to avoid entering a password.

=item always

The user must always enter a password to use the B<-l> flag.

=item any

At least one of the user's I<sudoers> entries for the current host
must have the C<NOPASSWD> flag set to avoid entering a password.

=item never

The user need never enter a password to use the B<-l> flag.

=back

If no value is specified, a value of I<any> is implied.
Negating the option results in a value of I<never> being used.
The default value is I<any>.

=item logfile

Path to the B<sudo> log file (not the syslog log file). Setting a path
turns on logging to a file; negating this option turns it off.
By default, B<sudo> logs via syslog.

=item mailerflags

Flags to use when invoking the mailer. Defaults to B<-t>.

=item mailerpath

Path to the mail program used to send warning mail.
Defaults to the path to sendmail found at configure time.

=item mailto

Address to send warning and error mail to. The address should
be enclosed in double quotes (C<">) to protect against B<sudo>
interpreting the C<@> sign. Defaults to C<@mailto@>.

=item syslog

Syslog facility if syslog is being used for logging (negate to
disable syslog logging). Defaults to C<@logfac@>.

=item verifypw

This option controls when a password will be required when a user runs
B<sudo> with the B<-v> flag. It has the following possible values:

=over 8

=item all

All the user's I<sudoers> entries for the current host must have
the C<NOPASSWD> flag set to avoid entering a password.

=item always

The user must always enter a password to use the B<-v> flag.

=item any

At least one of the user's I<sudoers> entries for the current host
must have the C<NOPASSWD> flag set to avoid entering a password.

=item never

The user need never enter a password to use the B<-v> flag.

=back

If no value is specified, a value of I<all> is implied.
Negating the option results in a value of I<never> being used.
The default value is I<all>.

=back
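
The I<listpw> and I<verifypw> values above differ only in how the
C<NOPASSWD> flags of the user's matching entries are combined. The following
Python model is an added example, not sudo's code; it parses the three forms
a C<Defaults> entry can take (C<listpw=all>, a bare C<listpw>, C<!listpw>) and
applies the I<all>/I<any>/I<always>/I<never> rule to a constructed list of
per-entry C<NOPASSWD> flags. Treating an empty entry list as still requiring
a password under I<all> is an assumption of this model.

```python
# Constructed model of the listpw and verifypw options; not sudo's own code.

MODES = ("all", "always", "any", "never")
# Value implied when the option is given with no "=value" (from the manual).
IMPLIED = {"listpw": "any", "verifypw": "all"}
# Documented default values; in this version they coincide with IMPLIED.
DEFAULTS = {"listpw": "any", "verifypw": "all"}


def parse_pw_option(token, option):
    """Parse one Defaults token for `option` ("listpw" or "verifypw").

    Accepts "listpw=all", a bare "listpw" (implied value) and "!listpw"
    (negation, which means never).
    """
    if token == option:
        return IMPLIED[option]
    if token == "!" + option:
        return "never"
    if token.startswith(option + "="):
        value = token[len(option) + 1:]
        if value not in MODES:
            raise ValueError("unknown value %r for %s" % (value, option))
        return value
    raise ValueError("token %r does not set %s" % (token, option))


def password_required(mode, nopasswd_flags):
    """Decide whether sudo -l / sudo -v must prompt for a password.

    nopasswd_flags holds one bool per sudoers entry that matches the user
    on the current host: True if that entry carries the NOPASSWD tag.
    """
    flags = list(nopasswd_flags)
    if mode == "always":
        return True
    if mode == "never":
        return False
    if mode == "all":
        # Every matching entry must carry NOPASSWD; with no matching
        # entries a password is still required (assumption of this model).
        return not (flags and all(flags))
    if mode == "any":
        # One NOPASSWD entry is enough to skip the password.
        return not any(flags)
    raise ValueError("unknown mode %r" % mode)


def decide(option, defaults_tokens, nopasswd_flags):
    """Apply the last Defaults token that sets `option` (later entries
    override earlier ones) and return whether a password is required."""
    mode = DEFAULTS[option]
    for token in defaults_tokens:
        try:
            mode = parse_pw_option(token, option)
        except ValueError:
            continue  # token concerns some other option
    return password_required(mode, nopasswd_flags)


if __name__ == "__main__":
    # Constructed: two matching entries, only one with NOPASSWD.
    print("verifypw default:", decide("verifypw", [], [True, False]))
    print("listpw default:  ", decide("listpw", [], [True, False]))
```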

B<Lists that can be used in a boolean context>:

=over 16

=item env_check

Environment variables to be removed from the user's environment if
the variable's value contains C<%> or C</> characters. This can
be used to guard against printf-style format vulnerabilities in
poorly-written programs. The argument may be a double-quoted,
space-separated list or a single value without double-quotes. The
list can be replaced, added to, deleted from, or disabled by using
the C<=>, C<+=>, C<-=>, and C<!> operators respectively. Regardless
of whether the C<env_reset> option is enabled or disabled, variables
specified by C<env_check> will be preserved in the environment if
they pass the aforementioned check. The default list of environment
variables to check is displayed when B<sudo> is run by root with
the I<-V> option.

=item env_delete

Environment variables to be removed from the user's environment.
The argument may be a double-quoted, space-separated list or a
single value without double-quotes. The list can be replaced, added
to, deleted from, or disabled by using the C<=>, C<+=>, C<-=>, and
C<!> operators respectively. The default list of environment
variables to remove is displayed when B<sudo> is run by root with the
I<-V> option. Note that many operating systems will remove potentially
dangerous variables from the environment of any setuid process (such
as B<sudo>).

=item env_keep

Environment variables to be preserved in the user's environment
when the I<env_reset> option is in effect. This allows fine-grained
control over the environment B<sudo>-spawned processes will receive.
The argument may be a double-quoted, space-separated list or a
single value without double-quotes. The list can be replaced, added
to, deleted from, or disabled by using the C<=>, C<+=>, C<-=>, and
C<!> operators respectively. The default list of variables to keep
is displayed when B<sudo> is run by root with the I<-V> option.

=back
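
Added example (not sudo's own code) of how the three lists above and their
C<=>, C<+=>, C<-=> and C<!> operators combine with I<env_reset>. The sample
environment and the list contents are constructed for the demonstration and
are not sudo's default lists, which you would read from C<sudo -V>.

```python
# Constructed model of env_check, env_delete and env_keep; not sudo's code.
# The list contents and environment below are made-up samples.

def apply_list_op(current, op, values):
    """Apply one of the list operators =, +=, -= or ! to a variable list."""
    current = list(current)
    if op == "=":
        return list(values)                                       # replace
    if op == "+=":
        return current + [v for v in values if v not in current]  # add to
    if op == "-=":
        return [v for v in current if v not in values]            # delete from
    if op == "!":
        return []                                                 # disable
    raise ValueError("unknown operator %r" % op)


def parse_list_default(line):
    """Parse a Defaults line such as
         Defaults env_keep += "EDITOR VISUAL"
         Defaults !env_check
    into (list_name, operator, values)."""
    body = line.strip().split(None, 1)[1]
    if body.startswith("!"):
        return body[1:].strip(), "!", []
    for op in ("+=", "-=", "="):
        if op in body:
            name, _, value = body.partition(op)
            # a double-quoted, space-separated list or a single bare value
            return name.strip(), op, value.strip().strip('"').split()
    raise ValueError("not a list Defaults line: %r" % line)


def passes_check(value):
    """env_check drops a variable whose value contains '%' or '/'."""
    return "%" not in value and "/" not in value


def build_environment(env, env_reset, env_keep, env_check, env_delete):
    """Return the environment a sudo-spawned command would receive."""
    result = {}
    for name, value in env.items():
        if env_reset:
            # Start from nothing: env_keep variables survive as-is and
            # env_check variables survive only if they pass the check.
            if name in env_keep or (name in env_check and passes_check(value)):
                result[name] = value
        else:
            # Start from everything: drop env_delete variables and any
            # env_check variable whose value fails the check.
            if name in env_delete:
                continue
            if name in env_check and not passes_check(value):
                continue
            result[name] = value
    return result


# Constructed sample environment for the usage below.
SAMPLE_ENV = {
    "TERM": "xterm",
    "COLORTERM": "gnome%s",         # fails env_check: contains '%'
    "LD_PRELOAD": "/tmp/hook.so",   # constructed value for env_delete
    "EDITOR": "vi",
    "TZ": "US/Mountain",            # not checked in this sample, so it survives
}

if __name__ == "__main__":
    keep = apply_list_op([], "+=", ["EDITOR"])
    check = apply_list_op(["TERM"], "+=", ["COLORTERM"])
    delete = apply_list_op([], "=", ["LD_PRELOAD"])
    print("env_reset on: ", build_environment(SAMPLE_ENV, True, keep, check, delete))
    print("env_reset off:", build_environment(SAMPLE_ENV, False, keep, check, delete))
```

With I<env_reset> on, only C<EDITOR> (kept) and C<TERM> (checked and clean)
reach the command; with it off, everything not deleted or failing the check
survives, which is why C<TZ> appears in the second result but not the first.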

When logging via L<syslog(3)>, B<sudo> accepts the following values
for the syslog facility (the value of the B<syslog> parameter):
B<authpriv> (if your OS supports it), B<auth>, B<daemon>, B<user>,
B<local0>, B<local1>, B<local2>, B<local3>, B<local4>, B<local5>,
B<local6>, and B<local7>. The following syslog priorities are
supported: B<alert>, B<crit>, B<debug>, B<emerg>, B<err>, B<info>,
B<notice>, and B<warning>.

=head1 FILES

=over 4

=item F<@sysconfdir@/sudoers>C< >
List of who can run what

=item F</etc/group>C< >
Local groups file

=item F</etc/netgroup>C< >
List of network groups

=back

=head1 EXAMPLES

Since the I<sudoers> file is parsed in a single pass, order is
important. In general, you should structure I<sudoers> such that
the C<Host_Alias>, C<User_Alias>, and C<Cmnd_Alias> specifications
come first, followed by any C<Default_Entry> lines, and finally the
C<Runas_Alias> and user specifications. The basic rule of thumb
is you cannot reference an Alias that has not already been defined.

Below are example I<sudoers> entries. Admittedly, some of
these are a bit contrived. First, we define our I<aliases>:

 # User alias specification
 User_Alias     FULLTIMERS = millert, mikef, dowdy
 User_Alias     PARTTIMERS = bostley, jwfox, crawl
 User_Alias     WEBMASTERS = will, wendy, wim

 # Runas alias specification
 Runas_Alias    OP = root, operator
 Runas_Alias    DB = oracle, sybase

 # Host alias specification
 Host_Alias     SPARC = bigtime, eclipse, moet, anchor :\
                SGI = grolsch, dandelion, black :\
                ALPHA = widget, thalamus, foobar :\
                HPPA = boa, nag, python
 Host_Alias     CUNETS = 128.138.0.0/255.255.0.0
 Host_Alias     CSNETS = 128.138.243.0, 128.138.204.0/24, 128.138.242.0
 Host_Alias     SERVERS = master, mail, www, ns
 Host_Alias     CDROM = orion, perseus, hercules

 # Cmnd alias specification
 Cmnd_Alias     DUMPS = /usr/bin/mt, /usr/sbin/dump, /usr/sbin/rdump,\
                /usr/sbin/restore, /usr/sbin/rrestore
 Cmnd_Alias     KILL = /usr/bin/kill
 Cmnd_Alias     PRINTING = /usr/sbin/lpc, /usr/bin/lprm
 Cmnd_Alias     SHUTDOWN = /usr/sbin/shutdown
 Cmnd_Alias     HALT = /usr/sbin/halt
 Cmnd_Alias     REBOOT = /usr/sbin/reboot
 Cmnd_Alias     SHELLS = /usr/bin/sh, /usr/bin/csh, /usr/bin/ksh, \
                /usr/local/bin/tcsh, /usr/bin/rsh, \
                /usr/local/bin/zsh
 Cmnd_Alias     SU = /usr/bin/su
 Cmnd_Alias     PAGERS = /usr/bin/more, /usr/bin/pg, /usr/bin/less

Here we override some of the compiled-in default values. We want
B<sudo> to log via L<syslog(3)> using the I<auth> facility in all
cases. We don't want to subject the full-time staff to the B<sudo>
lecture, user B<millert> need not give a password, and we don't
want to reset the C<LOGNAME>, C<USER> or C<USERNAME> environment
variables when running commands as root. Additionally, on the
machines in the I<SERVERS> C<Host_Alias>, we keep an additional
local log file and make sure we log the year in each log line since
the log entries will be kept around for several years. Lastly, we
disable shell escapes for the commands in the PAGERS C<Cmnd_Alias>
(F</usr/bin/more>, F</usr/bin/pg> and F</usr/bin/less>).

 # Override built-in defaults
 Defaults               syslog=auth
 Defaults>root          !set_logname
 Defaults:FULLTIMERS    !lecture
 Defaults:millert       !authenticate
 Defaults@SERVERS       log_year, logfile=/var/log/sudo.log
 Defaults!PAGERS        noexec

The I<User specification> is the part that actually determines who may
run what.

 root           ALL = (ALL) ALL
 %wheel         ALL = (ALL) ALL

We let B<root> and any user in group B<wheel> run any command on any
host as any user.

 FULLTIMERS     ALL = NOPASSWD: ALL

Full-time sysadmins (B<millert>, B<mikef>, and B<dowdy>) may run any
command on any host without authenticating themselves.

 PARTTIMERS     ALL = ALL

Part-time sysadmins (B<bostley>, B<jwfox>, and B<crawl>) may run any
command on any host but they must authenticate themselves first
(since the entry lacks the C<NOPASSWD> tag).

 jack           CSNETS = ALL

The user B<jack> may run any command on the machines in the I<CSNETS> alias
(the networks C<128.138.243.0>, C<128.138.204.0>, and C<128.138.242.0>).
Of those networks, only C<128.138.204.0> has an explicit netmask (in
CIDR notation) indicating it is a class C network. For the other
networks in I<CSNETS>, the local machine's netmask will be used
during matching.
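
As an added example of the matching rule just described (illustration code,
not sudo's implementation), the following Python function matches a machine
against the items of a C<Host_Alias> such as I<CSNETS> or I<CUNETS>: an item
with an explicit netmask, in CIDR or dotted-quad form, is used as given,
while a bare address is combined with the local machine's netmask. Treating
non-address items as hostname patterns matched with fnmatch rules is an
assumption based on the L<fnmatch(3)> reference in SEE ALSO; netgroups
(C<+>) and negated hosts (C<!>) are not modelled. The addresses and
netmasks passed in below are constructed.

```python
import fnmatch
import ipaddress

# Constructed model of Host_Alias matching; not sudo's own code.

def parse_host_list(spec):
    """Split a Host_Alias value such as "a, b/24, c" into its items."""
    return [item.strip() for item in spec.split(",") if item.strip()]


def host_matches(item, addr, local_netmask, hostname=None):
    """Does this machine match one Host_Alias item?

    item          -- a hostname pattern, an address, or address/netmask
    addr          -- the machine's IP address (constructed input)
    local_netmask -- the machine's own netmask, used when the item has none
    hostname      -- the machine's hostname, compared against non-address items
    """
    if item == "ALL":
        return True
    ip = ipaddress.ip_address(addr)
    if "/" in item:
        # Explicit netmask: CIDR prefix length or dotted-quad form both work.
        return ip in ipaddress.ip_network(item, strict=False)
    try:
        base = ipaddress.ip_address(item)
    except ValueError:
        # Not an address: treat it as a hostname pattern (fnmatch-style,
        # case-insensitive; an assumption of this model).
        return hostname is not None and \
            fnmatch.fnmatchcase(hostname.lower(), item.lower())
    # No netmask given: the local machine's netmask is used during matching.
    return ip in ipaddress.ip_network("%s/%s" % (base, local_netmask),
                                      strict=False)


def alias_matches(spec, addr, local_netmask, hostname=None):
    """True if any item of the Host_Alias matches this machine."""
    return any(host_matches(item, addr, local_netmask, hostname)
               for item in parse_host_list(spec))


if __name__ == "__main__":
    CSNETS = "128.138.243.0, 128.138.204.0/24, 128.138.242.0"
    # Same machine, two different local netmasks: the bare 128.138.243.0
    # item matches under a /24 but not under a /25 (constructed example).
    print(alias_matches(CSNETS, "128.138.243.200", "255.255.255.0"))
    print(alias_matches(CSNETS, "128.138.243.200", "255.255.255.128"))
```

The second call shows the consequence of omitting the netmask: whether
C<128.138.243.200> is "in" C<128.138.243.0> depends on the netmask of the
machine evaluating the policy, not on anything written in I<sudoers>.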

 lisa           CUNETS = ALL

The user B<lisa> may run any command on any host in the I<CUNETS> alias
(the class B network C<128.138.0.0>).

 operator       ALL = DUMPS, KILL, SHUTDOWN, HALT, REBOOT, PRINTING,\
                sudoedit /etc/printcap, /usr/oper/bin/

The B<operator> user may run commands limited to simple maintenance.
Here, those are commands related to backups, killing processes, the
printing system, shutting down the system, and any commands in the
directory F</usr/oper/bin/>.

 joe            ALL = /usr/bin/su operator

The user B<joe> may only L<su(1)> to operator.

 pete           HPPA = /usr/bin/passwd [A-z]*, !/usr/bin/passwd root

The user B<pete> is allowed to change anyone's password except for
root on the I<HPPA> machines. Note that this assumes L<passwd(1)>
does not take multiple usernames on the command line.

 bob            SPARC = (OP) ALL : SGI = (OP) ALL

The user B<bob> may run anything on the I<SPARC> and I<SGI> machines
as any user listed in the I<OP> C<Runas_Alias> (B<root> and B<operator>).

 jim            +biglab = ALL

The user B<jim> may run any command on machines in the I<biglab> netgroup.
B<sudo> knows that "biglab" is a netgroup due to the '+' prefix.

 +secretaries   ALL = PRINTING, /usr/bin/adduser, /usr/bin/rmuser

Users in the B<secretaries> netgroup need to help manage the printers
as well as add and remove users, so they are allowed to run those
commands on all machines.

 fred           ALL = (DB) NOPASSWD: ALL

The user B<fred> can run commands as any user in the I<DB> C<Runas_Alias>
(B<oracle> or B<sybase>) without giving a password.

 john           ALPHA = /usr/bin/su [!-]*, !/usr/bin/su *root*

On the I<ALPHA> machines, user B<john> may su to anyone except root
but he is not allowed to give L<su(1)> any flags.

 jen            ALL, !SERVERS = ALL

The user B<jen> may run any command on any machine except for those
in the I<SERVERS> C<Host_Alias> (master, mail, www and ns).

 jill           SERVERS = /usr/bin/, !SU, !SHELLS

For any machine in the I<SERVERS> C<Host_Alias>, B<jill> may run
any commands in the directory F</usr/bin/> except for those commands
belonging to the I<SU> and I<SHELLS> C<Cmnd_Aliases>.

 steve          CSNETS = (operator) /usr/local/op_commands/

The user B<steve> may run any command in the directory F</usr/local/op_commands/>
but only as user operator.

 matt           valkyrie = KILL

On his personal workstation, valkyrie, B<matt> needs to be able to
kill hung processes.

 WEBMASTERS     www = (www) ALL, (root) /usr/bin/su www

On the host www, any user in the I<WEBMASTERS> C<User_Alias> (will,
wendy, and wim), may run any command as user www (which owns the
web pages) or simply L<su(1)> to www.

 ALL            CDROM = NOPASSWD: /sbin/umount /CDROM,\
                /sbin/mount -o nosuid\,nodev /dev/cd0a /CDROM

Any user may mount or unmount a CD-ROM on the machines in the I<CDROM>
C<Host_Alias> (orion, perseus, hercules) without entering a password.
This is a bit tedious for users to type, so it is a prime candidate
for encapsulating in a shell script.

=head1 SECURITY NOTES

It is generally not effective to "subtract" commands from C<ALL>
using the '!' operator. A user can trivially circumvent this
by copying the desired command to a different name and then
executing that. For example:

 bill   ALL = ALL, !SU, !SHELLS

Doesn't really prevent B<bill> from running the commands listed in
I<SU> or I<SHELLS> since he can simply copy those commands to a
different name, or use a shell escape from an editor or other
program. Therefore, this kind of restriction should be considered
advisory at best (and reinforced by policy).
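
The command list in the CDROM entry above shows that a literal comma inside
an argument is written C<\,>, and this section shows why negating commands
out of C<ALL> is only advisory. The following Python helpers (an added
example, not sudo's parser) split a command list while honouring that
escape, read a single-host, single-command-list user specification, and
flag entries whose command list grants C<ALL> and then subtracts from it, so
that a reviewer can find such entries in a I<sudoers> file. The fragment
they are run over is constructed. Entries with several host sections
separated by C<:> are outside what this small parser handles.

```python
import re

# Constructed helpers for reading sudoers user specifications; not sudo's
# own parser. They cover one host list and one command list per line.

TAGS = ("NOPASSWD", "PASSWD", "NOEXEC", "EXEC")


def split_cmnd_list(text):
    """Split a command list on commas, honouring the backslash-comma escape
    that protects a literal comma inside an argument (e.g. -o nosuid\\,nodev).
    The escape is removed so the returned argument holds a plain comma."""
    items, current, i = [], [], 0
    while i < len(text):
        ch = text[i]
        if ch == "\\" and i + 1 < len(text) and text[i + 1] == ",":
            current.append(",")      # escaped comma stays inside the argument
            i += 2
            continue
        if ch == ",":
            items.append("".join(current).strip())
            current = []
        else:
            current.append(ch)
        i += 1
    items.append("".join(current).strip())
    return [item for item in items if item]


def parse_user_spec(line):
    """Parse "users hosts = [(runas)] [TAG:]... cmnd, cmnd" into a dict."""
    users, rest = re.split(r"\s+", line.strip(), maxsplit=1)
    hosts, _, cmnds = rest.partition("=")
    cmnds = cmnds.strip()
    runas = None
    match = re.match(r"\(([^)]*)\)\s*", cmnds)
    if match:
        runas = match.group(1).strip()
        cmnds = cmnds[match.end():]
    tags = []
    while True:
        match = re.match(r"(%s):\s*" % "|".join(TAGS), cmnds)
        if not match:
            break
        tags.append(match.group(1))
        cmnds = cmnds[match.end():]
    return {"users": users, "hosts": hosts.strip(), "runas": runas,
            "tags": tags, "cmnds": split_cmnd_list(cmnds)}


def subtracted_from_all(spec):
    """Names negated in a command list that also grants ALL: the pattern
    the SECURITY NOTES call advisory at best. Returns [] when the list
    subtracts from a narrower grant (e.g. a directory) instead."""
    cmnds = spec["cmnds"]
    if "ALL" not in cmnds:
        return []
    return [c[1:].strip() for c in cmnds if c.startswith("!")]


def join_continuations(lines):
    """Join lines ending in a backslash with the following line."""
    joined, buffer = [], ""
    for line in lines:
        if line.rstrip().endswith("\\"):
            buffer += line.rstrip()[:-1] + " "
            continue
        joined.append(buffer + line)
        buffer = ""
    if buffer:
        joined.append(buffer)
    return joined


def lint_sudoers(lines):
    """Report (users, negated names) for entries that subtract from ALL."""
    findings = []
    for line in join_continuations(lines):
        stripped = line.strip()
        if not stripped or stripped.startswith("#") or "=" not in stripped:
            continue
        first = stripped.split()[0]
        if first.startswith("Defaults") or first.endswith("_Alias"):
            continue
        spec = parse_user_spec(stripped)
        negated = subtracted_from_all(spec)
        if negated:
            findings.append((spec["users"], negated))
    return findings


# Constructed sudoers fragment; the jill entry subtracts from a directory,
# the bill entry subtracts from ALL, and the CDROM entry escapes a comma.
SAMPLE_SUDOERS = """\
# constructed fragment
Cmnd_Alias SHELLS = /usr/bin/sh, /usr/bin/csh
Cmnd_Alias SU = /usr/bin/su
bill ALL = ALL, !SU, !SHELLS
jill SERVERS = /usr/bin/, !SU, !SHELLS
ALL CDROM = NOPASSWD: /sbin/umount /CDROM,\\
    /sbin/mount -o nosuid\\,nodev /dev/cd0a /CDROM
""".splitlines()

if __name__ == "__main__":
    print(lint_sudoers(SAMPLE_SUDOERS))
```

Only B<bill>'s entry is reported: B<jill>'s negations apply to a directory
grant rather than to C<ALL>, which is the form the examples section uses
deliberately, and the CDROM entry parses into two commands with the escaped
comma preserved inside the C<mount> options.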

=head1 PREVENTING SHELL ESCAPES

Once B<sudo> executes a program, that program is free to do whatever
it pleases, including run other programs. This can be a security
issue since it is not uncommon for a program to allow shell escapes,
which lets a user bypass B<sudo>'s access control and logging.
Common programs that permit shell escapes include shells (obviously),
editors, paginators, mail and terminal programs.

There are two basic approaches to this problem:

=over 10

=item restrict

Avoid giving users access to commands that allow the user to run
arbitrary commands. Many editors have a restricted mode where shell
escapes are disabled, though B<sudoedit> is a better solution to
running editors via B<sudo>. Due to the large number of programs that
offer shell escapes, restricting users to the set of programs that
do not is often unworkable.

=item noexec

Many systems that support shared libraries have the ability to
override default library functions by pointing an environment
variable (usually C<LD_PRELOAD>) to an alternate shared library.
On such systems, B<sudo>'s I<noexec> functionality can be used to
prevent a program run by B<sudo> from executing any other programs.
Note, however, that this applies only to native dynamically-linked
executables. Statically-linked executables and foreign executables
running under binary emulation are not affected.

To tell whether or not B<sudo> supports I<noexec>, you can run
the following as root:

 sudo -V | grep "dummy exec"

If the resulting output contains a line that begins with:

 File containing dummy exec functions:

then B<sudo> may be able to replace the exec family of functions
in the standard library with its own that simply return an error.
Unfortunately, there is no foolproof way to know whether or not
I<noexec> will work at compile-time. I<noexec> should work on
SunOS, Solaris, *BSD, Linux, IRIX, Tru64 UNIX, MacOS X, and HP-UX
11.x. It is known B<not> to work on AIX and UnixWare. I<noexec>
is expected to work on most operating systems that support the
C<LD_PRELOAD> environment variable. Check your operating system's
manual pages for the dynamic linker (usually ld.so, ld.so.1, dyld,
dld.sl, rld, or loader) to see if C<LD_PRELOAD> is supported.

To enable I<noexec> for a command, use the C<NOEXEC> tag as documented
in the User Specification section above. Here is that example again:

 aaron  shanty = NOEXEC: /usr/bin/more, /usr/bin/vi

This allows user B<aaron> to run F</usr/bin/more> and F</usr/bin/vi>
with I<noexec> enabled. This will prevent those two commands from
executing other commands (such as a shell). If you are unsure
whether or not your system is capable of supporting I<noexec> you
can always just try it out and see if it works.

=back

Note that restricting shell escapes is not a panacea. Programs
running as root are still capable of many potentially hazardous
operations (such as changing or overwriting files) that could lead
to unintended privilege escalation. In the specific case of an
editor, a safer approach is to give the user permission to run
B<sudoedit>.
=head1 SEE ALSO

L<rsh(1)>, L<su(1)>, L<fnmatch(3)>, L<sudo(8)>, L<visudo(8)>

=head1 CAVEATS

The I<sudoers> file should B<always> be edited by the B<visudo>
command which locks the file and does grammatical checking. It is
imperative that I<sudoers> be free of syntax errors since B<sudo>
will not run with a syntactically incorrect I<sudoers> file.

When using netgroups of machines (as opposed to users), if you
store fully qualified hostnames in the netgroup (as is usually the
case), you either need to have the machine's hostname be fully qualified
as returned by the C<hostname> command or use the I<fqdn> option in
I<sudoers>.

=head1 BUGS

If you feel you have found a bug in B<sudo>, please submit a bug report
at http://www.sudo.ws/sudo/bugs/

=head1 SUPPORT

Limited free support is available via the sudo-users mailing list,
see http://www.sudo.ws/mailman/listinfo/sudo-users to subscribe or
search the archives.

=head1 DISCLAIMER

B<sudo> is provided ``AS IS'' and any express or implied warranties,
including, but not limited to, the implied warranties of merchantability
and fitness for a particular purpose are disclaimed. See the LICENSE
file distributed with B<sudo> or http://www.sudo.ws/sudo/license.html
for complete details.