Annotation of src/usr.bin/sudo/sudoers.pod, Revision 1.8
1.1 millert 1: =cut
1.5 millert 2: Copyright (c) 1994-1996, 1998-2005, 2007
3: Todd C. Miller <Todd.Miller@courtesan.com>
1.1 millert 4:
5: Permission to use, copy, modify, and distribute this software for any
6: purpose with or without fee is hereby granted, provided that the above
7: copyright notice and this permission notice appear in all copies.
8:
9: THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
10: WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
11: MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
12: ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
13: WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
14: ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
15: OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
16: ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
17:
18: Sponsored in part by the Defense Advanced Research Projects
19: Agency (DARPA) and Air Force Research Laboratory, Air Force
20: Materiel Command, USAF, under agreement number F39502-99-1-0512.
21:
1.8 ! millert 22: $Sudo: sudoers.pod,v 1.95.2.23 2008/01/05 23:59:42 millert Exp $
1.1 millert 23: =pod
24:
25: =head1 NAME
26:
27: sudoers - list of which users may execute what
28:
29: =head1 DESCRIPTION
30:
31: The I<sudoers> file is composed of two types of entries: aliases
32: (basically variables) and user specifications (which specify who
33: may run what).
34:
35: When multiple entries match for a user, they are applied in order.
36: Where there are multiple matches, the last match is used (which is
37: not necessarily the most specific match).
38:
39: The I<sudoers> grammar will be described below in Extended Backus-Naur
40: Form (EBNF). Don't despair if you don't know what EBNF is; it is
41: fairly simple, and the definitions below are annotated.
42:
43: =head2 Quick guide to EBNF
44:
45: EBNF is a concise and exact way of describing the grammar of a language.
46: Each EBNF definition is made up of I<production rules>. E.g.,
47:
48: symbol ::= definition | alternate1 | alternate2 ...
49:
50: Each I<production rule> references others and thus makes up a
51: grammar for the language. EBNF also contains the following
52: operators, which many readers will recognize from regular
53: expressions. Do not, however, confuse them with "wildcard"
54: characters, which have different meanings.
55:
1.5 millert 56: =over 4
1.1 millert 57:
58: =item C<?>
59:
60: Means that the preceding symbol (or group of symbols) is optional.
61: That is, it may appear once or not at all.
62:
63: =item C<*>
64:
65: Means that the preceding symbol (or group of symbols) may appear
66: zero or more times.
67:
68: =item C<+>
69:
70: Means that the preceding symbol (or group of symbols) may appear
71: one or more times.
72:
73: =back
74:
75: Parentheses may be used to group symbols together. For clarity,
76: we will use single quotes ('') to designate what is a verbatim character
77: string (as opposed to a symbol name).
78:
79: =head2 Aliases
80:
81: There are four kinds of aliases: C<User_Alias>, C<Runas_Alias>,
82: C<Host_Alias> and C<Cmnd_Alias>.
83:
84: Alias ::= 'User_Alias' User_Alias (':' User_Alias)* |
85: 'Runas_Alias' Runas_Alias (':' Runas_Alias)* |
86: 'Host_Alias' Host_Alias (':' Host_Alias)* |
87: 'Cmnd_Alias' Cmnd_Alias (':' Cmnd_Alias)*
88:
89: User_Alias ::= NAME '=' User_List
90:
91: Runas_Alias ::= NAME '=' Runas_List
92:
93: Host_Alias ::= NAME '=' Host_List
94:
95: Cmnd_Alias ::= NAME '=' Cmnd_List
96:
97: NAME ::= [A-Z]([A-Z][0-9]_)*
98:
99: Each I<alias> definition is of the form
100:
101: Alias_Type NAME = item1, item2, ...
102:
103: where I<Alias_Type> is one of C<User_Alias>, C<Runas_Alias>, C<Host_Alias>,
104: or C<Cmnd_Alias>. A C<NAME> is a string of uppercase letters, numbers,
105: and underscore characters ('_'). A C<NAME> B<must> start with an
106: uppercase letter. It is possible to put several alias definitions
107: of the same type on a single line, joined by a colon (':'). E.g.,
108:
109: Alias_Type NAME = item1, item2, item3 : NAME = item4, item5
110:
111: The definitions of what constitutes a valid I<alias> member follow.
112:
113: User_List ::= User |
114: User ',' User_List
115:
116: User ::= '!'* username |
117: '!'* '%'group |
118: '!'* '+'netgroup |
119: '!'* User_Alias
120:
121: A C<User_List> is made up of one or more usernames, system groups
122: (prefixed with '%'), netgroups (prefixed with '+') and other aliases.
123: Each list item may be prefixed with one or more '!' operators.
124: An odd number of '!' operators negate the value of the item; an even
125: number just cancel each other out.
126:
127: Runas_List ::= Runas_User |
128: Runas_User ',' Runas_List
129:
130: Runas_User ::= '!'* username |
131: '!'* '#'uid |
132: '!'* '%'group |
133: '!'* +netgroup |
134: '!'* Runas_Alias
135:
136: A C<Runas_List> is similar to a C<User_List> except that it can
137: also contain uids (prefixed with '#') and instead of C<User_Alias>es
138: it can contain C<Runas_Alias>es. Note that usernames and groups
139: are matched as strings. In other words, two users (groups) with
140: the same uid (gid) are considered to be distinct. If you wish to
141: match all usernames with the same uid (e.g.E<nbsp>root and toor), you
142: can use a uid instead (#0 in the example given).
143:
144: Host_List ::= Host |
145: Host ',' Host_List
146:
147: Host ::= '!'* hostname |
148: '!'* ip_addr |
149: '!'* network(/netmask)? |
150: '!'* '+'netgroup |
151: '!'* Host_Alias
152:
153: A C<Host_List> is made up of one or more hostnames, IP addresses,
154: network numbers, netgroups (prefixed with '+') and other aliases.
155: Again, the value of an item may be negated with the '!' operator.
156: If you do not specify a netmask along with the network number,
157: B<sudo> will query each of the local host's network interfaces and,
158: if the network number corresponds to one of the hosts's network
159: interfaces, the corresponding netmask will be used. The netmask
1.5 millert 160: may be specified either in standard IP address notation
161: (e.g.E<nbsp>255.255.255.0 or ffff:ffff:ffff:ffff::),
162: or CIDR notation (number of bits, e.g.E<nbsp>24 or 64). A hostname may
1.1 millert 163: include shell-style wildcards (see the L<Wildcards> section below),
164: but unless the C<hostname> command on your machine returns the fully
165: qualified hostname, you'll need to use the I<fqdn> option for
166: wildcards to be useful.
167:
168: Cmnd_List ::= Cmnd |
169: Cmnd ',' Cmnd_List
170:
171: commandname ::= filename |
172: filename args |
173: filename '""'
174:
175: Cmnd ::= '!'* commandname |
176: '!'* directory |
177: '!'* "sudoedit" |
178: '!'* Cmnd_Alias
179:
180: A C<Cmnd_List> is a list of one or more commandnames, directories, and other
181: aliases. A commandname is a fully qualified filename which may include
182: shell-style wildcards (see the L<Wildcards> section below). A simple
183: filename allows the user to run the command with any arguments he/she
184: wishes. However, you may also specify command line arguments (including
185: wildcards). Alternately, you can specify C<""> to indicate that the command
186: may only be run B<without> command line arguments. A directory is a
187: fully qualified pathname ending in a '/'. When you specify a directory
188: in a C<Cmnd_List>, the user will be able to run any file within that directory
189: (but not in any subdirectories therein).
190:
191: If a C<Cmnd> has associated command line arguments, then the arguments
192: in the C<Cmnd> must match exactly those given by the user on the command line
193: (or match the wildcards if there are any). Note that the following
194: characters must be escaped with a '\' if they are used in command
195: arguments: ',', ':', '=', '\'. The special command C<"sudoedit">
196: is used to permit a user to run B<sudo> with the B<-e> flag (or
197: as B<sudoedit>). It may take command line arguments just as
198: a normal command does.
199:
200: =head2 Defaults
201:
202: Certain configuration options may be changed from their default
203: values at runtime via one or more C<Default_Entry> lines. These
204: may affect all users on any host, all users on a specific host, a
205: specific user, or commands being run as a specific user.
206:
207: Default_Type ::= 'Defaults' |
1.6 millert 208: 'Defaults' '@' Host_List |
209: 'Defaults' ':' User_List |
210: 'Defaults' '>' Runas_List
1.1 millert 211:
212: Default_Entry ::= Default_Type Parameter_List
213:
214: Parameter_List ::= Parameter |
215: Parameter ',' Parameter_List
216:
217: Parameter ::= Parameter '=' Value |
218: Parameter '+=' Value |
219: Parameter '-=' Value |
220: '!'* Parameter
221:
222: Parameters may be B<flags>, B<integer> values, B<strings>, or B<lists>.
223: Flags are implicitly boolean and can be turned off via the '!'
224: operator. Some integer, string and list parameters may also be
225: used in a boolean context to disable them. Values may be enclosed
226: in double quotes (C<">) when they contain multiple words. Special
227: characters may be escaped with a backslash (C<\>).
228:
229: Lists have two additional assignment operators, C<+=> and C<-=>.
230: These operators are used to add to and delete from a list respectively.
231: It is not an error to use the C<-=> operator to remove an element
232: that does not exist in a list.
233:
234: See L</"SUDOERS OPTIONS"> for a list of supported Defaults parameters.
235:
236: =head2 User Specification
237:
238: User_Spec ::= User_List Host_List '=' Cmnd_Spec_List \
239: (':' Host_List '=' Cmnd_Spec_List)*
240:
241: Cmnd_Spec_List ::= Cmnd_Spec |
242: Cmnd_Spec ',' Cmnd_Spec_List
243:
244: Cmnd_Spec ::= Runas_Spec? Tag_Spec* Cmnd
245:
246: Runas_Spec ::= '(' Runas_List ')'
247:
248: Tag_Spec ::= ('NOPASSWD:' | 'PASSWD:' | 'NOEXEC:' | 'EXEC:' |
249: 'SETENV:' | 'NOSETENV:')
250:
251: A B<user specification> determines which commands a user may run
252: (and as what user) on specified hosts. By default, commands are
253: run as B<root>, but this can be changed on a per-command basis.
254:
255: Let's break that down into its constituent parts:
256:
257: =head2 Runas_Spec
258:
259: A C<Runas_Spec> is simply a C<Runas_List> (as defined above)
260: enclosed in a set of parentheses. If you do not specify a
261: C<Runas_Spec> in the user specification, a default C<Runas_Spec>
262: of B<root> will be used. A C<Runas_Spec> sets the default for
263: commands that follow it. What this means is that for the entry:
264:
265: dgb boulder = (operator) /bin/ls, /bin/kill, /usr/bin/lprm
266:
267: The user B<dgb> may run F</bin/ls>, F</bin/kill>, and
268: F</usr/bin/lprm> -- but only as B<operator>. E.g.,
269:
270: $ sudo -u operator /bin/ls.
271:
272: It is also possible to override a C<Runas_Spec> later on in an
273: entry. If we modify the entry like so:
274:
275: dgb boulder = (operator) /bin/ls, (root) /bin/kill, /usr/bin/lprm
276:
277: Then user B<dgb> is now allowed to run F</bin/ls> as B<operator>,
278: but F</bin/kill> and F</usr/bin/lprm> as B<root>.
279:
280: =head2 Tag_Spec
281:
282: A command may have zero or more tags associated with it. There are
283: six possible tag values, C<NOPASSWD>, C<PASSWD>, C<NOEXEC>, C<EXEC>,
284: C<SETENV> and C<NOSETENV>.
285: Once a tag is set on a C<Cmnd>, subsequent C<Cmnd>s in the
286: C<Cmnd_Spec_List>, inherit the tag unless it is overridden by the
287: opposite tag (i.e.: C<PASSWD> overrides C<NOPASSWD> and C<NOEXEC>
288: overrides C<EXEC>).
289:
290: =head3 NOPASSWD and PASSWD
291:
292: By default, B<sudo> requires that a user authenticate him or herself
293: before running a command. This behavior can be modified via the
294: C<NOPASSWD> tag. Like a C<Runas_Spec>, the C<NOPASSWD> tag sets
295: a default for the commands that follow it in the C<Cmnd_Spec_List>.
296: Conversely, the C<PASSWD> tag can be used to reverse things.
297: For example:
298:
299: ray rushmore = NOPASSWD: /bin/kill, /bin/ls, /usr/bin/lprm
300:
301: would allow the user B<ray> to run F</bin/kill>, F</bin/ls>, and
302: F</usr/bin/lprm> as root on the machine rushmore as B<root> without
303: authenticating himself. If we only want B<ray> to be able to
304: run F</bin/kill> without a password the entry would be:
305:
306: ray rushmore = NOPASSWD: /bin/kill, PASSWD: /bin/ls, /usr/bin/lprm
307:
308: Note, however, that the C<PASSWD> tag has no effect on users who are
309: in the group specified by the I<exempt_group> option.
310:
311: By default, if the C<NOPASSWD> tag is applied to any of the entries
312: for a user on the current host, he or she will be able to run
313: C<sudo -l> without a password. Additionally, a user may only run
314: C<sudo -v> without a password if the C<NOPASSWD> tag is present
315: for all a user's entries that pertain to the current host.
316: This behavior may be overridden via the verifypw and listpw options.
317:
318: =head3 NOEXEC and EXEC
319:
320: If B<sudo> has been compiled with I<noexec> support and the underlying
321: operating system supports it, the C<NOEXEC> tag can be used to prevent
322: a dynamically-linked executable from running further commands itself.
323:
324: In the following example, user B<aaron> may run F</usr/bin/more>
325: and F</usr/bin/vi> but shell escapes will be disabled.
326:
327: aaron shanty = NOEXEC: /usr/bin/more, /usr/bin/vi
328:
329: See the L<PREVENTING SHELL ESCAPES> section below for more details
330: on how C<NOEXEC> works and whether or not it will work on your system.
331:
332: =head3 SETENV and NOSETENV
333:
334: These tags override the value of the I<setenv> option on a per-command
335: basis. Note that if C<SETENV> has been set for a command, any
336: environment variables set on the command line way are not subject
337: to the restrictions imposed by I<env_check>, I<env_delete>, or
338: I<env_keep>. As such, only trusted users should be allowed to set
1.7 millert 339: variables in this manner. If the command matched is B<ALL>, the
340: C<SETENV> tag is implied for that command; this default may
341: be overridden by use of the C<UNSETENV> tag.
1.1 millert 342:
343: =head2 Wildcards
344:
345: B<sudo> allows shell-style I<wildcards> (aka meta or glob characters)
346: to be used in pathnames as well as command line arguments in the
347: I<sudoers> file. Wildcard matching is done via the B<POSIX>
348: L<fnmatch(3)> routine. Note that these are I<not> regular expressions.
349:
350: =over 8
351:
352: =item C<*>
353:
354: Matches any set of zero or more characters.
355:
356: =item C<?>
357:
358: Matches any single character.
359:
360: =item C<[...]>
361:
362: Matches any character in the specified range.
363:
364: =item C<[!...]>
365:
366: Matches any character B<not> in the specified range.
367:
368: =item C<\x>
369:
370: For any character "x", evaluates to "x". This is used to
371: escape special characters such as: "*", "?", "[", and "}".
372:
373: =back
374:
375: Note that a forward slash ('/') will B<not> be matched by
376: wildcards used in the pathname. When matching the command
377: line arguments, however, a slash B<does> get matched by
378: wildcards. This is to make a path like:
379:
380: /usr/bin/*
381:
382: match F</usr/bin/who> but not F</usr/bin/X11/xterm>.
383:
384: =head2 Exceptions to wildcard rules
385:
386: The following exceptions apply to the above rules:
387:
388: =over 8
389:
390: =item C<"">
391:
392: If the empty string C<""> is the only command line argument in the
393: I<sudoers> entry it means that command is not allowed to be run
394: with B<any> arguments.
395:
396: =back
397:
398: =head2 Other special characters and reserved words
399:
400: The pound sign ('#') is used to indicate a comment (unless it is
401: part of a #include directive or unless it occurs in the context of
402: a user name and is followed by one or more digits, in which case
403: it is treated as a uid). Both the comment character and any text
404: after it, up to the end of the line, are ignored.
405:
406: The reserved word B<ALL> is a built-in I<alias> that always causes
407: a match to succeed. It can be used wherever one might otherwise
408: use a C<Cmnd_Alias>, C<User_Alias>, C<Runas_Alias>, or C<Host_Alias>.
409: You should not try to define your own I<alias> called B<ALL> as the
410: built-in alias will be used in preference to your own. Please note
411: that using B<ALL> can be dangerous since in a command context, it
412: allows the user to run B<any> command on the system.
413:
414: An exclamation point ('!') can be used as a logical I<not> operator
415: both in an I<alias> and in front of a C<Cmnd>. This allows one to
416: exclude certain values. Note, however, that using a C<!> in
417: conjunction with the built-in C<ALL> alias to allow a user to
418: run "all but a few" commands rarely works as intended (see SECURITY
419: NOTES below).
420:
421: Long lines can be continued with a backslash ('\') as the last
422: character on the line.
423:
424: Whitespace between elements in a list as well as special syntactic
425: characters in a I<User Specification> ('=', ':', '(', ')') is optional.
426:
427: The following characters must be escaped with a backslash ('\') when
428: used as part of a word (e.g.E<nbsp>a username or hostname):
429: '@', '!', '=', ':', ',', '(', ')', '\'.
430:
431: =head1 SUDOERS OPTIONS
432:
433: B<sudo>'s behavior can be modified by C<Default_Entry> lines, as
434: explained earlier. A list of all supported Defaults parameters,
435: grouped by type, are listed below.
436:
437: B<Flags>:
438:
1.5 millert 439: =over 16
1.1 millert 440:
441: =item always_set_home
442:
443: If set, B<sudo> will set the C<HOME> environment variable to the home
444: directory of the target user (which is root unless the B<-u> option is used).
445: This effectively means that the B<-H> flag is always implied.
446: This flag is I<off> by default.
447:
448: =item authenticate
449:
450: If set, users must authenticate themselves via a password (or other
451: means of authentication) before they may run commands. This default
452: may be overridden via the C<PASSWD> and C<NOPASSWD> tags.
453: This flag is I<on> by default.
454:
455: =item env_editor
456:
457: If set, B<visudo> will use the value of the EDITOR or VISUAL
458: environment variables before falling back on the default editor list.
459: Note that this may create a security hole as it allows the user to
460: run any arbitrary command as root without logging. A safer alternative
461: is to place a colon-separated list of editors in the C<editor>
462: variable. B<visudo> will then only use the EDITOR or VISUAL if
463: they match a value specified in C<editor>. This flag is I<@env_editor@> by
464: default.
465:
466: =item env_reset
467:
468: If set, B<sudo> will reset the environment to only contain the
469: LOGNAME, SHELL, USER, USERNAME and the C<SUDO_*> variables. Any
470: variables in the caller's environment that match the C<env_keep>
471: and C<env_check> lists are then added. The default contents of the
472: C<env_keep> and C<env_check> lists are displayed when B<sudo> is
473: run by root with the I<-V> option. If B<sudo> was compiled with
474: the C<SECURE_PATH> option, its value will be used for the C<PATH>
475: environment variable. This flag is I<on> by default.
476:
477: =item fqdn
478:
479: Set this flag if you want to put fully qualified hostnames in the
480: I<sudoers> file. I.e., instead of myhost you would use myhost.mydomain.edu.
481: You may still use the short form if you wish (and even mix the two).
482: Beware that turning on I<fqdn> requires B<sudo> to make DNS lookups
483: which may make B<sudo> unusable if DNS stops working (for example
484: if the machine is not plugged into the network). Also note that
485: you must use the host's official name as DNS knows it. That is,
486: you may not use a host alias (C<CNAME> entry) due to performance
487: issues and the fact that there is no way to get all aliases from
488: DNS. If your machine's hostname (as returned by the C<hostname>
489: command) is already fully qualified you shouldn't need to set
490: I<fqdn>. This flag is I<@fqdn@> by default.
491:
492: =item ignore_dot
493:
494: If set, B<sudo> will ignore '.' or '' (current dir) in the C<PATH>
495: environment variable; the C<PATH> itself is not modified. This
496: flag is I<@ignore_dot@> by default. Currently, while it is possible
497: to set I<ignore_dot> in I<sudoers>, its value is not used. This option
498: should be considered read-only (it will be fixed in a future version
499: of B<sudo>).
500:
501: =item ignore_local_sudoers
502:
503: If set via LDAP, parsing of @sysconfdir@/sudoers will be skipped.
504: This is intended for Enterprises that wish to prevent the usage of local
505: sudoers files so that only LDAP is used. This thwarts the efforts of
506: rogue operators who would attempt to add roles to @sysconfdir@/sudoers.
507: When this option is present, @sysconfdir@/sudoers does not even need to exist.
508: Since this option tells B<sudo> how to behave when no specific LDAP entries
509: have been matched, this sudoOption is only meaningful for the cn=defaults
510: section. This flag is I<off> by default.
511:
512: =item insults
513:
514: If set, B<sudo> will insult users when they enter an incorrect
515: password. This flag is I<@insults@> by default.
516:
517: =item log_host
518:
519: If set, the hostname will be logged in the (non-syslog) B<sudo> log file.
520: This flag is I<off> by default.
521:
522: =item log_year
523:
524: If set, the four-digit year will be logged in the (non-syslog) B<sudo> log file.
525: This flag is I<off> by default.
526:
527: =item long_otp_prompt
528:
529: When validating with a One Time Password (OPT) scheme such as
530: B<S/Key> or B<OPIE>, a two-line prompt is used to make it easier
531: to cut and paste the challenge to a local window. It's not as
532: pretty as the default but some people find it more convenient. This
533: flag is I<@long_otp_prompt@> by default.
534:
535: =item mail_always
536:
537: Send mail to the I<mailto> user every time a users runs B<sudo>.
538: This flag is I<off> by default.
539:
540: =item mail_badpass
541:
542: Send mail to the I<mailto> user if the user running B<sudo> does not
543: enter the correct password. This flag is I<off> by default.
544:
545: =item mail_no_host
546:
547: If set, mail will be sent to the I<mailto> user if the invoking
548: user exists in the I<sudoers> file, but is not allowed to run
549: commands on the current host. This flag is I<@mail_no_host@> by default.
550:
551: =item mail_no_perms
552:
553: If set, mail will be sent to the I<mailto> user if the invoking
554: user is allowed to use B<sudo> but the command they are trying is not
555: listed in their I<sudoers> file entry or is explicitly denied.
556: This flag is I<@mail_no_perms@> by default.
557:
558: =item mail_no_user
559:
560: If set, mail will be sent to the I<mailto> user if the invoking
561: user is not in the I<sudoers> file. This flag is I<@mail_no_user@>
562: by default.
563:
564: =item noexec
565:
566: If set, all commands run via B<sudo> will behave as if the C<NOEXEC>
567: tag has been set, unless overridden by a C<EXEC> tag. See the
568: description of I<NOEXEC and EXEC> below as well as the L<PREVENTING SHELL
569: ESCAPES> section at the end of this manual. This flag is I<off> by default.
570:
571: =item path_info
572:
573: Normally, B<sudo> will tell the user when a command could not be
574: found in their C<PATH> environment variable. Some sites may wish
575: to disable this as it could be used to gather information on the
576: location of executables that the normal user does not have access
577: to. The disadvantage is that if the executable is simply not in
578: the user's C<PATH>, B<sudo> will tell the user that they are not
579: allowed to run it, which can be confusing. This flag is I<@path_info@>
580: by default.
1.7 millert 581:
582: =item passprompt_override
583:
584: The password prompt specified by I<passprompt> will normally only
585: be used if the passwod prompt provided by systems such as PAM matches
586: the string "Password:". If I<passprompt_override> is set, I<passprompt>
587: will always be used. This flag is I<off> by default.
1.1 millert 588:
589: =item preserve_groups
590:
591: By default B<sudo> will initialize the group vector to the list of
592: groups the target user is in. When I<preserve_groups> is set, the
593: user's existing group vector is left unaltered. The real and
594: effective group IDs, however, are still set to match the target
595: user. This flag is I<off> by default.
596:
597: =item requiretty
598:
599: If set, B<sudo> will only run when the user is logged in to a real
600: tty. This will disallow things like C<"rsh somehost sudo ls"> since
601: L<rsh(1)> does not allocate a tty. Because it is not possible to turn
602: off echo when there is no tty present, some sites may wish to set
603: this flag to prevent a user from entering a visible password. This
604: flag is I<off> by default.
605:
606: =item root_sudo
607:
608: If set, root is allowed to run B<sudo> too. Disabling this prevents users
609: from "chaining" B<sudo> commands to get a root shell by doing something
610: like C<"sudo sudo /bin/sh">. Note, however, that turning off I<root_sudo>
611: will also prevent root and from running B<sudoedit>.
612: Disabling I<root_sudo> provides no real additional security; it
613: exists purely for historical reasons.
614: This flag is I<@root_sudo@> by default.
615:
616: =item rootpw
617:
618: If set, B<sudo> will prompt for the root password instead of the password
619: of the invoking user. This flag is I<off> by default.
620:
621: =item runaspw
622:
623: If set, B<sudo> will prompt for the password of the user defined by the
624: I<runas_default> option (defaults to C<@runas_default@>) instead of the
625: password of the invoking user. This flag is I<off> by default.
626:
627: =item set_home
628:
629: If set and B<sudo> is invoked with the B<-s> flag the C<HOME>
630: environment variable will be set to the home directory of the target
631: user (which is root unless the B<-u> option is used). This effectively
632: makes the B<-s> flag imply B<-H>. This flag is I<off> by default.
633:
634: =item set_logname
635:
636: Normally, B<sudo> will set the C<LOGNAME>, C<USER> and C<USERNAME>
637: environment variables to the name of the target user (usually root
638: unless the B<-u> flag is given). However, since some programs
639: (including the RCS revision control system) use C<LOGNAME> to
640: determine the real identity of the user, it may be desirable to
641: change this behavior. This can be done by negating the set_logname
642: option. Note that if the I<env_reset> option has not been disabled,
643: entries in the I<env_keep> list will override the value of
644: I<set_logname>. This flag is I<off> by default.
645:
646: =item setenv
647:
648: Allow the user to disable the I<env_reset> option from the command
649: line. Additionally, environment variables set via the command line
650: are not subject to the restrictions imposed by I<env_check>,
651: I<env_delete>, or I<env_keep>. As such, only trusted users should
652: be allowed to set variables in this manner. This flag is I<off>
653: by default.
654:
655: =item shell_noargs
656:
657: If set and B<sudo> is invoked with no arguments it acts as if the
658: B<-s> flag had been given. That is, it runs a shell as root (the
659: shell is determined by the C<SHELL> environment variable if it is
660: set, falling back on the shell listed in the invoking user's
661: /etc/passwd entry if not). This flag is I<off> by default.
662:
663: =item stay_setuid
664:
665: Normally, when B<sudo> executes a command the real and effective
666: UIDs are set to the target user (root by default). This option
667: changes that behavior such that the real UID is left as the invoking
668: user's UID. In other words, this makes B<sudo> act as a setuid
669: wrapper. This can be useful on systems that disable some potentially
670: dangerous functionality when a program is run setuid. This option
671: is only effective on systems with either the setreuid() or setresuid()
672: function. This flag is I<off> by default.
673:
674: =item targetpw
675:
676: If set, B<sudo> will prompt for the password of the user specified by
677: the B<-u> flag (defaults to C<root>) instead of the password of the
678: invoking user. Note that this precludes the use of a uid not listed
679: in the passwd database as an argument to the B<-u> flag.
680: This flag is I<off> by default.
681:
682: =item tty_tickets
683:
684: If set, users must authenticate on a per-tty basis. Normally,
685: B<sudo> uses a directory in the ticket dir with the same name as
686: the user running it. With this flag enabled, B<sudo> will use a
687: file named for the tty the user is logged in on in that directory.
688: This flag is I<@tty_tickets@> by default.
689:
690: =item use_loginclass
691:
692: If set, B<sudo> will apply the defaults specified for the target user's
693: login class if one exists. Only available if B<sudo> is configured with
694: the --with-logincap option. This flag is I<off> by default.
695:
696: =back
697:
698: B<Integers>:
699:
1.5 millert 700: =over 16
1.1 millert 701:
702: =item passwd_tries
703:
704: The number of tries a user gets to enter his/her password before
705: B<sudo> logs the failure and exits. The default is C<@passwd_tries@>.
706:
707: =back
708:
709: B<Integers that can be used in a boolean context>:
710:
1.5 millert 711: =over 16
1.1 millert 712:
713: =item loglinelen
714:
715: Number of characters per line for the file log. This value is used
716: to decide when to wrap lines for nicer log files. This has no
717: effect on the syslog log file, only the file log. The default is
718: C<@loglen@> (use 0 or negate the option to disable word wrap).
719:
720: =item passwd_timeout
721:
722: Number of minutes before the B<sudo> password prompt times out.
723: The default is C<@password_timeout@>; set this to C<0> for no password timeout.
724:
725: =item timestamp_timeout
726:
727: Number of minutes that can elapse before B<sudo> will ask for a
728: passwd again. The default is C<@timeout@>. Set this to C<0> to always
729: prompt for a password.
730: If set to a value less than C<0> the user's timestamp will never
731: expire. This can be used to allow users to create or delete their
732: own timestamps via C<sudo -v> and C<sudo -k> respectively.
733:
734: =item umask
735:
736: Umask to use when running the command. Negate this option or set
737: it to 0777 to preserve the user's umask. The default is C<@sudo_umask@>.
738:
739: =back
740:
741: B<Strings>:
742:
1.5 millert 743: =over 16
1.1 millert 744:
745: =item badpass_message
746:
747: Message that is displayed if a user enters an incorrect password.
748: The default is C<@badpass_message@> unless insults are enabled.
749:
750: =item editor
751:
752: A colon (':') separated list of editors allowed to be used with
753: B<visudo>. B<visudo> will choose the editor that matches the user's
754: EDITOR environment variable if possible, or the first editor in the
755: list that exists and is executable. The default is the path to vi
756: on your system.
757:
758: =item mailsub
759:
760: Subject of the mail sent to the I<mailto> user. The escape C<%h>
761: will expand to the hostname of the machine.
762: Default is C<@mailsub@>.
763:
764: =item noexec_file
765:
766: Path to a shared library containing dummy versions of the execv(),
767: execve() and fexecve() library functions that just return an error.
768: This is used to implement the I<noexec> functionality on systems that
769: support C<LD_PRELOAD> or its equivalent. Defaults to F<@noexec_file@>.
770:
771: =item passprompt
772:
773: The default prompt to use when asking for a password; can be overridden
774: via the B<-p> option or the C<SUDO_PROMPT> environment variable.
775: The following percent (`C<%>') escapes are supported:
776:
1.5 millert 777: =over 4
1.1 millert 778:
779: =item C<%H>
780:
781: expanded to the local hostname including the domain name
782: (on if the machine's hostname is fully qualified or the I<fqdn>
783: option is set)
784:
785: =item C<%h>
786:
787: expanded to the local hostname without the domain name
1.8 ! millert 788:
! 789: =item C<%p>
! 790:
! 791: expanded to the user whose password is being asked for (respects the
! 792: I<rootpw>, I<targetpw> and I<runaspw> flags in I<sudoers>)
1.1 millert 793:
794: =item C<%U>
795:
796: expanded to the login name of the user the command will
797: be run as (defaults to root)
798:
799: =item C<%u>
800:
801: expanded to the invoking user's login name
802:
803: =item C<%%>
804:
805: two consecutive C<%> characters are collapsed into a single C<%> character
806:
807: =back
808:
809: The default value is C<@passprompt@>.
810:
811: =item runas_default
812:
813: The default user to run commands as if the B<-u> flag is not specified
814: on the command line. This defaults to C<@runas_default@>.
815: Note that if I<runas_default> is set it B<must> occur before
816: any C<Runas_Alias> specifications.
817:
818: =item syslog_badpri
819:
820: Syslog priority to use when user authenticates unsuccessfully.
821: Defaults to C<@badpri@>.
822:
823: =item syslog_goodpri
824:
825: Syslog priority to use when user authenticates successfully.
826: Defaults to C<@goodpri@>.
827:
828: =item timestampdir
829:
830: The directory in which B<sudo> stores its timestamp files.
831: The default is F<@timedir@>.
832:
833: =item timestampowner
834:
835: The owner of the timestamp directory and the timestamps stored therein.
836: The default is C<root>.
837:
838: =back
839:
840: B<Strings that can be used in a boolean context>:
841:
842: =over 12
843:
844: =item exempt_group
845:
846: Users in this group are exempt from password and PATH requirements.
847: This is not set by default.
848:
849: =item lecture
850:
851: This option controls when a short lecture will be printed along with
852: the password prompt. It has the following possible values:
853:
854: =over 8
855:
856: =item always
857:
858: Always lecture the user.
859:
860: =item never
861:
862: Never lecture the user.
863:
864: =item once
865:
866: Only lecture the user the first time they run B<sudo>.
867:
868: =back
869:
870: If no value is specified, a value of I<once> is implied.
871: Negating the option results in a value of I<never> being used.
872: The default value is I<@lecture@>.
873:
874: =item lecture_file
875:
876: Path to a file containing an alternate B<sudo> lecture that will
877: be used in place of the standard lecture if the named file exists.
878: By default, B<sudo> uses a built-in lecture.
879:
880: =item listpw
881:
882: This option controls when a password will be required when a
883: user runs B<sudo> with the B<-l> flag. It has the following possible values:
884:
885: =over 8
886:
887: =item all
888:
889: All the user's I<sudoers> entries for the current host must have
890: the C<NOPASSWD> flag set to avoid entering a password.
891:
892: =item always
893:
894: The user must always enter a password to use the B<-l> flag.
895:
896: =item any
897:
898: At least one of the user's I<sudoers> entries for the current host
899: must have the C<NOPASSWD> flag set to avoid entering a password.
900:
901: =item never
902:
903: The user need never enter a password to use the B<-l> flag.
904:
905: =back
906:
907: If no value is specified, a value of I<any> is implied.
908: Negating the option results in a value of I<never> being used.
909: The default value is I<any>.
910:
911: =item logfile
912:
913: Path to the B<sudo> log file (not the syslog log file). Setting a path
914: turns on logging to a file; negating this option turns it off.
915: By default, B<sudo> logs via syslog.
916:
917: =item mailerflags
918:
919: Flags to use when invoking mailer. Defaults to B<-t>.
920:
921: =item mailerpath
922:
923: Path to mail program used to send warning mail.
924: Defaults to the path to sendmail found at configure time.
925:
926: =item mailto
927:
928: Address to send warning and error mail to. The address should
929: be enclosed in double quotes (C<">) to protect against B<sudo>
930: interpreting the C<@> sign. Defaults to C<@mailto@>.
931:
932: =item syslog
933:
934: Syslog facility if syslog is being used for logging (negate to
935: disable syslog logging). Defaults to C<@logfac@>.
936:
937: =item verifypw
938:
939: This option controls when a password will be required when a user runs
940: B<sudo> with the B<-v> flag. It has the following possible values:
941:
942: =over 8
943:
944: =item all
945:
946: All the user's I<sudoers> entries for the current host must have
947: the C<NOPASSWD> flag set to avoid entering a password.
948:
949: =item always
950:
951: The user must always enter a password to use the B<-v> flag.
952:
953: =item any
954:
955: At least one of the user's I<sudoers> entries for the current host
956: must have the C<NOPASSWD> flag set to avoid entering a password.
957:
958: =item never
959:
960: The user need never enter a password to use the B<-v> flag.
961:
962: =back
963:
964: If no value is specified, a value of I<all> is implied.
965: Negating the option results in a value of I<never> being used.
966: The default value is I<all>.
967:
968: =back
969:
970: B<Lists that can be used in a boolean context>:
971:
1.5 millert 972: =over 16
1.1 millert 973:
974: =item env_check
975:
976: Environment variables to be removed from the user's environment if
977: the variable's value contains C<%> or C</> characters. This can
978: be used to guard against printf-style format vulnerabilities in
979: poorly-written programs. The argument may be a double-quoted,
980: space-separated list or a single value without double-quotes. The
981: list can be replaced, added to, deleted from, or disabled by using
982: the C<=>, C<+=>, C<-=>, and C<!> operators respectively. Regardless
983: of whether the C<env_reset> option is enabled or disabled, variables
984: specified by C<env_check> will be preserved in the environment if
985: they pass the aforementioned check. The default list of environment
986: variables to check is displayed when B<sudo> is run by root with
987: the I<-V> option.
988:
989: =item env_delete
990:
991: Environment variables to be removed from the user's environment.
992: The argument may be a double-quoted, space-separated list or a
993: single value without double-quotes. The list can be replaced, added
994: to, deleted from, or disabled by using the C<=>, C<+=>, C<-=>, and
995: C<!> operators respectively. The default list of environment
996: variables to remove is displayed when B<sudo> is run by root with the
997: I<-V> option. Note that many operating systems will remove potentially
998: dangerous variables from the environment of any setuid process (such
999: as B<sudo>).
1000:
1001: =item env_keep
1002:
1003: Environment variables to be preserved in the user's environment
1004: when the I<env_reset> option is in effect. This allows fine-grained
1005: control over the environment B<sudo>-spawned processes will receive.
1006: The argument may be a double-quoted, space-separated list or a
1007: single value without double-quotes. The list can be replaced, added
1008: to, deleted from, or disabled by using the C<=>, C<+=>, C<-=>, and
1009: C<!> operators respectively. The default list of variables to keep
1010: is displayed when B<sudo> is run by root with the I<-V> option.
1011:
1012: =back
1013:
1014: When logging via L<syslog(3)>, B<sudo> accepts the following values
1015: for the syslog facility (the value of the B<syslog> Parameter):
1016: B<authpriv> (if your OS supports it), B<auth>, B<daemon>, B<user>,
1017: B<local0>, B<local1>, B<local2>, B<local3>, B<local4>, B<local5>,
1018: B<local6>, and B<local7>. The following syslog priorities are
1019: supported: B<alert>, B<crit>, B<debug>, B<emerg>, B<err>, B<info>,
1020: B<notice>, and B<warning>.
1021:
1022: =head1 FILES
1023:
1.4 millert 1024: =over 4
1025:
1.3 millert 1026: =item F<@sysconfdir@/sudoers>C< >
1027: List of who can run what
1028:
1029: =item F</etc/group>C< >
1030: Local groups file
1031:
1032: =item F</etc/netgroup>C< >
1033: List of network groups
1.4 millert 1034:
1035: =back
1.1 millert 1036:
1037: =head1 EXAMPLES
1038:
1039: Since the I<sudoers> file is parsed in a single pass, order is
1040: important. In general, you should structure I<sudoers> such that
1041: the C<Host_Alias>, C<User_Alias>, and C<Cmnd_Alias> specifications
1042: come first, followed by any C<Default_Entry> lines, and finally the
1043: C<Runas_Alias> and user specifications. The basic rule of thumb
1044: is you cannot reference an Alias that has not already been defined.
1045:
1046: Below are example I<sudoers> entries. Admittedly, some of
1047: these are a bit contrived. First, we define our I<aliases>:
1048:
1049: # User alias specification
1050: User_Alias FULLTIMERS = millert, mikef, dowdy
1051: User_Alias PARTTIMERS = bostley, jwfox, crawl
1052: User_Alias WEBMASTERS = will, wendy, wim
1053:
1054: # Runas alias specification
1055: Runas_Alias OP = root, operator
1056: Runas_Alias DB = oracle, sybase
1057:
1058: # Host alias specification
1059: Host_Alias SPARC = bigtime, eclipse, moet, anchor :\
1060: SGI = grolsch, dandelion, black :\
1061: ALPHA = widget, thalamus, foobar :\
1062: HPPA = boa, nag, python
1063: Host_Alias CUNETS = 128.138.0.0/255.255.0.0
1064: Host_Alias CSNETS = 128.138.243.0, 128.138.204.0/24, 128.138.242.0
1065: Host_Alias SERVERS = master, mail, www, ns
1066: Host_Alias CDROM = orion, perseus, hercules
1067:
1068: # Cmnd alias specification
1069: Cmnd_Alias DUMPS = /usr/bin/mt, /usr/sbin/dump, /usr/sbin/rdump,\
1070: /usr/sbin/restore, /usr/sbin/rrestore
1071: Cmnd_Alias KILL = /usr/bin/kill
1072: Cmnd_Alias PRINTING = /usr/sbin/lpc, /usr/bin/lprm
1073: Cmnd_Alias SHUTDOWN = /usr/sbin/shutdown
1074: Cmnd_Alias HALT = /usr/sbin/halt
1075: Cmnd_Alias REBOOT = /usr/sbin/reboot
1076: Cmnd_Alias SHELLS = /usr/bin/sh, /usr/bin/csh, /usr/bin/ksh, \
1077: /usr/local/bin/tcsh, /usr/bin/rsh, \
1078: /usr/local/bin/zsh
1079: Cmnd_Alias SU = /usr/bin/su
1.5 millert 1080: Cmnd_Alias PAGERS = /usr/bin/more, /usr/bin/pg, /usr/bin/less
1.1 millert 1081:
1082: Here we override some of the compiled in default values. We want
1083: B<sudo> to log via L<syslog(3)> using the I<auth> facility in all
1084: cases. We don't want to subject the full time staff to the B<sudo>
1085: lecture, user B<millert> need not give a password, and we don't
1086: want to reset the C<LOGNAME>, C<USER> or C<USERNAME> environment
1087: variables when running commands as root. Additionally, on the
1088: machines in the I<SERVERS> C<Host_Alias>, we keep an additional
1089: local log file and make sure we log the year in each log line since
1.5 millert 1090: the log entries will be kept around for several years. Lastly, we
1091: disable shell escapes for the commands in the PAGERS C<Cmnd_Alias>
1092: (F</usr/bin/more>, F</usr/bin/pg> and F</usr/bin/less>).
1.1 millert 1093:
1094: # Override built-in defaults
1095: Defaults syslog=auth
1096: Defaults>root !set_logname
1097: Defaults:FULLTIMERS !lecture
1098: Defaults:millert !authenticate
1099: Defaults@SERVERS log_year, logfile=/var/log/sudo.log
1100: Defaults!PAGERS noexec
1101:
1102: The I<User specification> is the part that actually determines who may
1103: run what.
1104:
1105: root ALL = (ALL) ALL
1106: %wheel ALL = (ALL) ALL
1107:
1108: We let B<root> and any user in group B<wheel> run any command on any
1109: host as any user.
1110:
1111: FULLTIMERS ALL = NOPASSWD: ALL
1112:
1113: Full time sysadmins (B<millert>, B<mikef>, and B<dowdy>) may run any
1114: command on any host without authenticating themselves.
1115:
1116: PARTTIMERS ALL = ALL
1117:
1118: Part time sysadmins (B<bostley>, B<jwfox>, and B<crawl>) may run any
1119: command on any host but they must authenticate themselves first
1120: (since the entry lacks the C<NOPASSWD> tag).
1121:
1122: jack CSNETS = ALL
1123:
1124: The user B<jack> may run any command on the machines in the I<CSNETS> alias
1125: (the networks C<128.138.243.0>, C<128.138.204.0>, and C<128.138.242.0>).
1126: Of those networks, only C<128.138.204.0> has an explicit netmask (in
1127: CIDR notation) indicating it is a class C network. For the other
1128: networks in I<CSNETS>, the local machine's netmask will be used
1129: during matching.
1130:
1131: lisa CUNETS = ALL
1132:
1133: The user B<lisa> may run any command on any host in the I<CUNETS> alias
1134: (the class B network C<128.138.0.0>).
1135:
1136: operator ALL = DUMPS, KILL, SHUTDOWN, HALT, REBOOT, PRINTING,\
1137: sudoedit /etc/printcap, /usr/oper/bin/
1138:
1139: The B<operator> user may run commands limited to simple maintenance.
1140: Here, those are commands related to backups, killing processes, the
1141: printing system, shutting down the system, and any commands in the
1142: directory F</usr/oper/bin/>.
1143:
1144: joe ALL = /usr/bin/su operator
1145:
1146: The user B<joe> may only L<su(1)> to operator.
1147:
1148: pete HPPA = /usr/bin/passwd [A-z]*, !/usr/bin/passwd root
1149:
1150: The user B<pete> is allowed to change anyone's password except for
1151: root on the I<HPPA> machines. Note that this assumes L<passwd(1)>
1152: does not take multiple usernames on the command line.
1153:
1154: bob SPARC = (OP) ALL : SGI = (OP) ALL
1155:
1156: The user B<bob> may run anything on the I<SPARC> and I<SGI> machines
1157: as any user listed in the I<OP> C<Runas_Alias> (B<root> and B<operator>).
1158:
1159: jim +biglab = ALL
1160:
1161: The user B<jim> may run any command on machines in the I<biglab> netgroup.
1162: B<sudo> knows that "biglab" is a netgroup due to the '+' prefix.
1163:
1164: +secretaries ALL = PRINTING, /usr/bin/adduser, /usr/bin/rmuser
1165:
1166: Users in the B<secretaries> netgroup need to help manage the printers
1167: as well as add and remove users, so they are allowed to run those
1168: commands on all machines.
1169:
1170: fred ALL = (DB) NOPASSWD: ALL
1171:
1172: The user B<fred> can run commands as any user in the I<DB> C<Runas_Alias>
1173: (B<oracle> or B<sybase>) without giving a password.
1174:
1175: john ALPHA = /usr/bin/su [!-]*, !/usr/bin/su *root*
1176:
1177: On the I<ALPHA> machines, user B<john> may su to anyone except root
1178: but he is not allowed to give L<su(1)> any flags.
1179:
1180: jen ALL, !SERVERS = ALL
1181:
1182: The user B<jen> may run any command on any machine except for those
1183: in the I<SERVERS> C<Host_Alias> (master, mail, www and ns).
1184:
1185: jill SERVERS = /usr/bin/, !SU, !SHELLS
1186:
1187: For any machine in the I<SERVERS> C<Host_Alias>, B<jill> may run
1.5 millert 1188: any commands in the directory F</usr/bin/> except for those commands
1.1 millert 1189: belonging to the I<SU> and I<SHELLS> C<Cmnd_Aliases>.
1190:
1191: steve CSNETS = (operator) /usr/local/op_commands/
1192:
1193: The user B<steve> may run any command in the directory /usr/local/op_commands/
1194: but only as user operator.
1195:
1196: matt valkyrie = KILL
1197:
1198: On his personal workstation, valkyrie, B<matt> needs to be able to
1199: kill hung processes.
1200:
1201: WEBMASTERS www = (www) ALL, (root) /usr/bin/su www
1202:
1203: On the host www, any user in the I<WEBMASTERS> C<User_Alias> (will,
1204: wendy, and wim), may run any command as user www (which owns the
1205: web pages) or simply L<su(1)> to www.
1206:
1207: ALL CDROM = NOPASSWD: /sbin/umount /CDROM,\
1208: /sbin/mount -o nosuid\,nodev /dev/cd0a /CDROM
1209:
1210: Any user may mount or unmount a CD-ROM on the machines in the CDROM
1211: C<Host_Alias> (orion, perseus, hercules) without entering a password.
1212: This is a bit tedious for users to type, so it is a prime candidate
1213: for encapsulating in a shell script.
1214:
1215: =head1 SECURITY NOTES
1216:
1217: It is generally not effective to "subtract" commands from C<ALL>
1218: using the '!' operator. A user can trivially circumvent this
1219: by copying the desired command to a different name and then
1220: executing that. For example:
1221:
1222: bill ALL = ALL, !SU, !SHELLS
1223:
1224: Doesn't really prevent B<bill> from running the commands listed in
1225: I<SU> or I<SHELLS> since he can simply copy those commands to a
1226: different name, or use a shell escape from an editor or other
1227: program. Therefore, these kind of restrictions should be considered
1228: advisory at best (and reinforced by policy).
1229:
1230: =head1 PREVENTING SHELL ESCAPES
1231:
1232: Once B<sudo> executes a program, that program is free to do whatever
1233: it pleases, including run other programs. This can be a security
1234: issue since it is not uncommon for a program to allow shell escapes,
1235: which lets a user bypass B<sudo>'s access control and logging.
1236: Common programs that permit shell escapes include shells (obviously),
1237: editors, paginators, mail and terminal programs.
1238:
1239: There are two basic approaches to this problem:
1240:
1241: =over 10
1242:
1243: =item restrict
1244:
1245: Avoid giving users access to commands that allow the user to run
1246: arbitrary commands. Many editors have a restricted mode where shell
1247: escapes are disabled, though B<sudoedit> is a better solution to
1248: running editors via B<sudo>. Due to the large number of programs that
1249: offer shell escapes, restricting users to the set of programs that
1250: do not if often unworkable.
1251:
1252: =item noexec
1253:
1254: Many systems that support shared libraries have the ability to
1255: override default library functions by pointing an environment
1256: variable (usually C<LD_PRELOAD>) to an alternate shared library.
1257: On such systems, B<sudo>'s I<noexec> functionality can be used to
1258: prevent a program run by B<sudo> from executing any other programs.
1259: Note, however, that this applies only to native dynamically-linked
1260: executables. Statically-linked executables and foreign executables
1261: running under binary emulation are not affected.
1262:
1263: To tell whether or not B<sudo> supports I<noexec>, you can run
1264: the following as root:
1265:
1266: sudo -V | grep "dummy exec"
1267:
1268: If the resulting output contains a line that begins with:
1269:
1270: File containing dummy exec functions:
1271:
1272: then B<sudo> may be able to replace the exec family of functions
1273: in the standard library with its own that simply return an error.
1274: Unfortunately, there is no foolproof way to know whether or not
1275: I<noexec> will work at compile-time. I<noexec> should work on
1276: SunOS, Solaris, *BSD, Linux, IRIX, Tru64 UNIX, MacOS X, and HP-UX
1277: 11.x. It is known B<not> to work on AIX and UnixWare. I<noexec>
1278: is expected to work on most operating systems that support the
1279: C<LD_PRELOAD> environment variable. Check your operating system's
1280: manual pages for the dynamic linker (usually ld.so, ld.so.1, dyld,
1281: dld.sl, rld, or loader) to see if C<LD_PRELOAD> is supported.
1282:
1283: To enable I<noexec> for a command, use the C<NOEXEC> tag as documented
1284: in the User Specification section above. Here is that example again:
1285:
1286: aaron shanty = NOEXEC: /usr/bin/more, /usr/bin/vi
1287:
1288: This allows user B<aaron> to run F</usr/bin/more> and F</usr/bin/vi>
1289: with I<noexec> enabled. This will prevent those two commands from
1290: executing other commands (such as a shell). If you are unsure
1291: whether or not your system is capable of supporting I<noexec> you
1292: can always just try it out and see if it works.
1293:
1294: =back
1295:
1296: Note that restricting shell escapes is not a panacea. Programs
1297: running as root are still capable of many potentially hazardous
1298: operations (such as changing or overwriting files) that could lead
1299: to unintended privilege escalation. In the specific case of an
1300: editor, a safer approach is to give the user permission to run
1301: B<sudoedit>.
1302:
1303: =head1 SEE ALSO
1304:
1305: L<rsh(1)>, L<su(1)>, L<fnmatch(3)>, L<sudo(8)>, L<visudo(8)>
1306:
1307: =head1 CAVEATS
1308:
1309: The I<sudoers> file should B<always> be edited by the B<visudo>
1310: command which locks the file and does grammatical checking. It is
1311: imperative that I<sudoers> be free of syntax errors since B<sudo>
1312: will not run with a syntactically incorrect I<sudoers> file.
1313:
1314: When using netgroups of machines (as opposed to users), if you
1315: store fully qualified hostnames in the netgroup (as is usually the
1316: case), you either need to have the machine's hostname be fully qualified
1317: as returned by the C<hostname> command or use the I<fqdn> option in
1318: I<sudoers>.
1319:
1320: =head1 BUGS
1321:
1322: If you feel you have found a bug in B<sudo>, please submit a bug report
1323: at http://www.sudo.ws/sudo/bugs/
1324:
1325: =head1 SUPPORT
1326:
1327: Limited free support is available via the sudo-users mailing list,
1328: see http://www.sudo.ws/mailman/listinfo/sudo-users to subscribe or
1329: search the archives.
1330:
1331: =head1 DISCLAIMER
1332:
1333: B<sudo> is provided ``AS IS'' and any express or implied warranties,
1334: including, but not limited to, the implied warranties of merchantability
1335: and fitness for a particular purpose are disclaimed. See the LICENSE
1336: file distributed with B<sudo> or http://www.sudo.ws/sudo/license.html
1337: for complete details.