Annotation of src/usr.bin/sudo/sudoers.pod, Revision 1.9
1.5 millert 1: Copyright (c) 1994-1996, 1998-2005, 2007
2: Todd C. Miller <Todd.Miller@courtesan.com>
1.1 millert 3:
4: Permission to use, copy, modify, and distribute this software for any
5: purpose with or without fee is hereby granted, provided that the above
6: copyright notice and this permission notice appear in all copies.
7:
8: THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
9: WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
10: MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
11: ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
12: WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
13: ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
14: OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
15: ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
16:
17: Sponsored in part by the Defense Advanced Research Projects
18: Agency (DARPA) and Air Force Research Laboratory, Air Force
19: Materiel Command, USAF, under agreement number F39502-99-1-0512.
20:
1.9 ! millert 21: $Sudo: sudoers.pod,v 1.95.2.27 2008/07/12 12:49:04 millert Exp $
1.1 millert 22: =pod
23:
24: =head1 NAME
25:
26: sudoers - list of which users may execute what
27:
28: =head1 DESCRIPTION
29:
30: The I<sudoers> file is composed of two types of entries: aliases
31: (basically variables) and user specifications (which specify who
32: may run what).
33:
34: When multiple entries match for a user, they are applied in order.
35: Where there are multiple matches, the last match is used (which is
36: not necessarily the most specific match).
37:
38: The I<sudoers> grammar will be described below in Extended Backus-Naur
39: Form (EBNF). Don't despair if you don't know what EBNF is; it is
40: fairly simple, and the definitions below are annotated.
41:
42: =head2 Quick guide to EBNF
43:
44: EBNF is a concise and exact way of describing the grammar of a language.
45: Each EBNF definition is made up of I<production rules>. E.g.,
46:
47: symbol ::= definition | alternate1 | alternate2 ...
48:
49: Each I<production rule> references others and thus makes up a
50: grammar for the language. EBNF also contains the following
51: operators, which many readers will recognize from regular
52: expressions. Do not, however, confuse them with "wildcard"
53: characters, which have different meanings.
54:
1.5 millert 55: =over 4
1.1 millert 56:
57: =item C<?>
58:
59: Means that the preceding symbol (or group of symbols) is optional.
60: That is, it may appear once or not at all.
61:
62: =item C<*>
63:
64: Means that the preceding symbol (or group of symbols) may appear
65: zero or more times.
66:
67: =item C<+>
68:
69: Means that the preceding symbol (or group of symbols) may appear
70: one or more times.
71:
72: =back
73:
74: Parentheses may be used to group symbols together. For clarity,
75: we will use single quotes ('') to designate what is a verbatim character
76: string (as opposed to a symbol name).
77:
78: =head2 Aliases
79:
80: There are four kinds of aliases: C<User_Alias>, C<Runas_Alias>,
81: C<Host_Alias> and C<Cmnd_Alias>.
82:
83: Alias ::= 'User_Alias' User_Alias (':' User_Alias)* |
84: 'Runas_Alias' Runas_Alias (':' Runas_Alias)* |
85: 'Host_Alias' Host_Alias (':' Host_Alias)* |
86: 'Cmnd_Alias' Cmnd_Alias (':' Cmnd_Alias)*
87:
88: User_Alias ::= NAME '=' User_List
89:
90: Runas_Alias ::= NAME '=' Runas_List
91:
92: Host_Alias ::= NAME '=' Host_List
93:
94: Cmnd_Alias ::= NAME '=' Cmnd_List
95:
96: NAME ::= [A-Z]([A-Z][0-9]_)*
97:
98: Each I<alias> definition is of the form
99:
100: Alias_Type NAME = item1, item2, ...
101:
102: where I<Alias_Type> is one of C<User_Alias>, C<Runas_Alias>, C<Host_Alias>,
103: or C<Cmnd_Alias>. A C<NAME> is a string of uppercase letters, numbers,
104: and underscore characters ('_'). A C<NAME> B<must> start with an
105: uppercase letter. It is possible to put several alias definitions
106: of the same type on a single line, joined by a colon (':'). E.g.,
107:
108: Alias_Type NAME = item1, item2, item3 : NAME = item4, item5
109:
110: The definitions of what constitutes a valid I<alias> member follow.
111:
112: User_List ::= User |
113: User ',' User_List
114:
115: User ::= '!'* username |
116: '!'* '%'group |
117: '!'* '+'netgroup |
118: '!'* User_Alias
119:
120: A C<User_List> is made up of one or more usernames, system groups
121: (prefixed with '%'), netgroups (prefixed with '+') and other aliases.
122: Each list item may be prefixed with one or more '!' operators.
123: An odd number of '!' operators negate the value of the item; an even
124: number just cancel each other out.
125:
126: Runas_List ::= Runas_User |
127: Runas_User ',' Runas_List
128:
129: Runas_User ::= '!'* username |
130: '!'* '#'uid |
131: '!'* '%'group |
132: '!'* +netgroup |
133: '!'* Runas_Alias
134:
135: A C<Runas_List> is similar to a C<User_List> except that it can
136: also contain uids (prefixed with '#') and instead of C<User_Alias>es
137: it can contain C<Runas_Alias>es. Note that usernames and groups
138: are matched as strings. In other words, two users (groups) with
139: the same uid (gid) are considered to be distinct. If you wish to
140: match all usernames with the same uid (e.g.E<nbsp>root and toor), you
141: can use a uid instead (#0 in the example given).
142:
143: Host_List ::= Host |
144: Host ',' Host_List
145:
146: Host ::= '!'* hostname |
147: '!'* ip_addr |
148: '!'* network(/netmask)? |
149: '!'* '+'netgroup |
150: '!'* Host_Alias
151:
152: A C<Host_List> is made up of one or more hostnames, IP addresses,
153: network numbers, netgroups (prefixed with '+') and other aliases.
154: Again, the value of an item may be negated with the '!' operator.
155: If you do not specify a netmask along with the network number,
156: B<sudo> will query each of the local host's network interfaces and,
157: if the network number corresponds to one of the hosts's network
158: interfaces, the corresponding netmask will be used. The netmask
1.5 millert 159: may be specified either in standard IP address notation
160: (e.g.E<nbsp>255.255.255.0 or ffff:ffff:ffff:ffff::),
161: or CIDR notation (number of bits, e.g.E<nbsp>24 or 64). A hostname may
1.1 millert 162: include shell-style wildcards (see the L<Wildcards> section below),
163: but unless the C<hostname> command on your machine returns the fully
164: qualified hostname, you'll need to use the I<fqdn> option for
165: wildcards to be useful.
166:
167: Cmnd_List ::= Cmnd |
168: Cmnd ',' Cmnd_List
169:
170: commandname ::= filename |
171: filename args |
172: filename '""'
173:
174: Cmnd ::= '!'* commandname |
175: '!'* directory |
176: '!'* "sudoedit" |
177: '!'* Cmnd_Alias
178:
179: A C<Cmnd_List> is a list of one or more commandnames, directories, and other
180: aliases. A commandname is a fully qualified filename which may include
181: shell-style wildcards (see the L<Wildcards> section below). A simple
182: filename allows the user to run the command with any arguments he/she
183: wishes. However, you may also specify command line arguments (including
184: wildcards). Alternately, you can specify C<""> to indicate that the command
185: may only be run B<without> command line arguments. A directory is a
186: fully qualified pathname ending in a '/'. When you specify a directory
187: in a C<Cmnd_List>, the user will be able to run any file within that directory
188: (but not in any subdirectories therein).
189:
190: If a C<Cmnd> has associated command line arguments, then the arguments
191: in the C<Cmnd> must match exactly those given by the user on the command line
192: (or match the wildcards if there are any). Note that the following
193: characters must be escaped with a '\' if they are used in command
194: arguments: ',', ':', '=', '\'. The special command C<"sudoedit">
195: is used to permit a user to run B<sudo> with the B<-e> flag (or
196: as B<sudoedit>). It may take command line arguments just as
197: a normal command does.
198:
199: =head2 Defaults
200:
201: Certain configuration options may be changed from their default
202: values at runtime via one or more C<Default_Entry> lines. These
203: may affect all users on any host, all users on a specific host, a
204: specific user, or commands being run as a specific user.
205:
206: Default_Type ::= 'Defaults' |
1.6 millert 207: 'Defaults' '@' Host_List |
208: 'Defaults' ':' User_List |
209: 'Defaults' '>' Runas_List
1.1 millert 210:
211: Default_Entry ::= Default_Type Parameter_List
212:
213: Parameter_List ::= Parameter |
214: Parameter ',' Parameter_List
215:
216: Parameter ::= Parameter '=' Value |
217: Parameter '+=' Value |
218: Parameter '-=' Value |
219: '!'* Parameter
220:
221: Parameters may be B<flags>, B<integer> values, B<strings>, or B<lists>.
222: Flags are implicitly boolean and can be turned off via the '!'
223: operator. Some integer, string and list parameters may also be
224: used in a boolean context to disable them. Values may be enclosed
225: in double quotes (C<">) when they contain multiple words. Special
226: characters may be escaped with a backslash (C<\>).
227:
228: Lists have two additional assignment operators, C<+=> and C<-=>.
229: These operators are used to add to and delete from a list respectively.
230: It is not an error to use the C<-=> operator to remove an element
231: that does not exist in a list.
232:
233: See L</"SUDOERS OPTIONS"> for a list of supported Defaults parameters.
234:
235: =head2 User Specification
236:
237: User_Spec ::= User_List Host_List '=' Cmnd_Spec_List \
238: (':' Host_List '=' Cmnd_Spec_List)*
239:
240: Cmnd_Spec_List ::= Cmnd_Spec |
241: Cmnd_Spec ',' Cmnd_Spec_List
242:
243: Cmnd_Spec ::= Runas_Spec? Tag_Spec* Cmnd
244:
245: Runas_Spec ::= '(' Runas_List ')'
246:
247: Tag_Spec ::= ('NOPASSWD:' | 'PASSWD:' | 'NOEXEC:' | 'EXEC:' |
248: 'SETENV:' | 'NOSETENV:')
249:
250: A B<user specification> determines which commands a user may run
251: (and as what user) on specified hosts. By default, commands are
252: run as B<root>, but this can be changed on a per-command basis.
253:
254: Let's break that down into its constituent parts:
255:
256: =head2 Runas_Spec
257:
258: A C<Runas_Spec> is simply a C<Runas_List> (as defined above)
259: enclosed in a set of parentheses. If you do not specify a
260: C<Runas_Spec> in the user specification, a default C<Runas_Spec>
261: of B<root> will be used. A C<Runas_Spec> sets the default for
262: commands that follow it. What this means is that for the entry:
263:
264: dgb boulder = (operator) /bin/ls, /bin/kill, /usr/bin/lprm
265:
266: The user B<dgb> may run F</bin/ls>, F</bin/kill>, and
267: F</usr/bin/lprm> -- but only as B<operator>. E.g.,
268:
269: $ sudo -u operator /bin/ls.
270:
271: It is also possible to override a C<Runas_Spec> later on in an
272: entry. If we modify the entry like so:
273:
274: dgb boulder = (operator) /bin/ls, (root) /bin/kill, /usr/bin/lprm
275:
276: Then user B<dgb> is now allowed to run F</bin/ls> as B<operator>,
277: but F</bin/kill> and F</usr/bin/lprm> as B<root>.
278:
279: =head2 Tag_Spec
280:
281: A command may have zero or more tags associated with it. There are
282: six possible tag values, C<NOPASSWD>, C<PASSWD>, C<NOEXEC>, C<EXEC>,
283: C<SETENV> and C<NOSETENV>.
284: Once a tag is set on a C<Cmnd>, subsequent C<Cmnd>s in the
285: C<Cmnd_Spec_List>, inherit the tag unless it is overridden by the
286: opposite tag (i.e.: C<PASSWD> overrides C<NOPASSWD> and C<NOEXEC>
287: overrides C<EXEC>).
288:
289: =head3 NOPASSWD and PASSWD
290:
291: By default, B<sudo> requires that a user authenticate him or herself
292: before running a command. This behavior can be modified via the
293: C<NOPASSWD> tag. Like a C<Runas_Spec>, the C<NOPASSWD> tag sets
294: a default for the commands that follow it in the C<Cmnd_Spec_List>.
295: Conversely, the C<PASSWD> tag can be used to reverse things.
296: For example:
297:
298: ray rushmore = NOPASSWD: /bin/kill, /bin/ls, /usr/bin/lprm
299:
300: would allow the user B<ray> to run F</bin/kill>, F</bin/ls>, and
1.9 ! millert 301: F</usr/bin/lprm> as B<root> on the machine rushmore without
1.1 millert 302: authenticating himself. If we only want B<ray> to be able to
303: run F</bin/kill> without a password the entry would be:
304:
305: ray rushmore = NOPASSWD: /bin/kill, PASSWD: /bin/ls, /usr/bin/lprm
306:
307: Note, however, that the C<PASSWD> tag has no effect on users who are
308: in the group specified by the I<exempt_group> option.
309:
310: By default, if the C<NOPASSWD> tag is applied to any of the entries
311: for a user on the current host, he or she will be able to run
312: C<sudo -l> without a password. Additionally, a user may only run
313: C<sudo -v> without a password if the C<NOPASSWD> tag is present
314: for all a user's entries that pertain to the current host.
315: This behavior may be overridden via the verifypw and listpw options.
316:
317: =head3 NOEXEC and EXEC
318:
319: If B<sudo> has been compiled with I<noexec> support and the underlying
320: operating system supports it, the C<NOEXEC> tag can be used to prevent
321: a dynamically-linked executable from running further commands itself.
322:
323: In the following example, user B<aaron> may run F</usr/bin/more>
324: and F</usr/bin/vi> but shell escapes will be disabled.
325:
326: aaron shanty = NOEXEC: /usr/bin/more, /usr/bin/vi
327:
328: See the L<PREVENTING SHELL ESCAPES> section below for more details
329: on how C<NOEXEC> works and whether or not it will work on your system.
330:
331: =head3 SETENV and NOSETENV
332:
333: These tags override the value of the I<setenv> option on a per-command
334: basis. Note that if C<SETENV> has been set for a command, any
335: environment variables set on the command line way are not subject
336: to the restrictions imposed by I<env_check>, I<env_delete>, or
337: I<env_keep>. As such, only trusted users should be allowed to set
1.7 millert 338: variables in this manner. If the command matched is B<ALL>, the
339: C<SETENV> tag is implied for that command; this default may
340: be overridden by use of the C<UNSETENV> tag.
1.1 millert 341:
342: =head2 Wildcards
343:
344: B<sudo> allows shell-style I<wildcards> (aka meta or glob characters)
345: to be used in pathnames as well as command line arguments in the
346: I<sudoers> file. Wildcard matching is done via the B<POSIX>
347: L<fnmatch(3)> routine. Note that these are I<not> regular expressions.
348:
349: =over 8
350:
351: =item C<*>
352:
353: Matches any set of zero or more characters.
354:
355: =item C<?>
356:
357: Matches any single character.
358:
359: =item C<[...]>
360:
361: Matches any character in the specified range.
362:
363: =item C<[!...]>
364:
365: Matches any character B<not> in the specified range.
366:
367: =item C<\x>
368:
369: For any character "x", evaluates to "x". This is used to
370: escape special characters such as: "*", "?", "[", and "}".
371:
372: =back
373:
374: Note that a forward slash ('/') will B<not> be matched by
375: wildcards used in the pathname. When matching the command
376: line arguments, however, a slash B<does> get matched by
377: wildcards. This is to make a path like:
378:
379: /usr/bin/*
380:
381: match F</usr/bin/who> but not F</usr/bin/X11/xterm>.
382:
383: =head2 Exceptions to wildcard rules
384:
385: The following exceptions apply to the above rules:
386:
387: =over 8
388:
389: =item C<"">
390:
391: If the empty string C<""> is the only command line argument in the
392: I<sudoers> entry it means that command is not allowed to be run
393: with B<any> arguments.
394:
395: =back
396:
397: =head2 Other special characters and reserved words
398:
399: The pound sign ('#') is used to indicate a comment (unless it is
400: part of a #include directive or unless it occurs in the context of
401: a user name and is followed by one or more digits, in which case
402: it is treated as a uid). Both the comment character and any text
403: after it, up to the end of the line, are ignored.
404:
405: The reserved word B<ALL> is a built-in I<alias> that always causes
406: a match to succeed. It can be used wherever one might otherwise
407: use a C<Cmnd_Alias>, C<User_Alias>, C<Runas_Alias>, or C<Host_Alias>.
408: You should not try to define your own I<alias> called B<ALL> as the
409: built-in alias will be used in preference to your own. Please note
410: that using B<ALL> can be dangerous since in a command context, it
411: allows the user to run B<any> command on the system.
412:
413: An exclamation point ('!') can be used as a logical I<not> operator
414: both in an I<alias> and in front of a C<Cmnd>. This allows one to
415: exclude certain values. Note, however, that using a C<!> in
416: conjunction with the built-in C<ALL> alias to allow a user to
417: run "all but a few" commands rarely works as intended (see SECURITY
418: NOTES below).
419:
420: Long lines can be continued with a backslash ('\') as the last
421: character on the line.
422:
423: Whitespace between elements in a list as well as special syntactic
424: characters in a I<User Specification> ('=', ':', '(', ')') is optional.
425:
426: The following characters must be escaped with a backslash ('\') when
427: used as part of a word (e.g.E<nbsp>a username or hostname):
428: '@', '!', '=', ':', ',', '(', ')', '\'.
429:
430: =head1 SUDOERS OPTIONS
431:
432: B<sudo>'s behavior can be modified by C<Default_Entry> lines, as
433: explained earlier. A list of all supported Defaults parameters,
434: grouped by type, are listed below.
435:
436: B<Flags>:
437:
1.5 millert 438: =over 16
1.1 millert 439:
440: =item always_set_home
441:
442: If set, B<sudo> will set the C<HOME> environment variable to the home
443: directory of the target user (which is root unless the B<-u> option is used).
444: This effectively means that the B<-H> flag is always implied.
445: This flag is I<off> by default.
446:
447: =item authenticate
448:
449: If set, users must authenticate themselves via a password (or other
450: means of authentication) before they may run commands. This default
451: may be overridden via the C<PASSWD> and C<NOPASSWD> tags.
452: This flag is I<on> by default.
453:
454: =item env_editor
455:
456: If set, B<visudo> will use the value of the EDITOR or VISUAL
457: environment variables before falling back on the default editor list.
458: Note that this may create a security hole as it allows the user to
459: run any arbitrary command as root without logging. A safer alternative
460: is to place a colon-separated list of editors in the C<editor>
461: variable. B<visudo> will then only use the EDITOR or VISUAL if
462: they match a value specified in C<editor>. This flag is I<@env_editor@> by
463: default.
464:
465: =item env_reset
466:
467: If set, B<sudo> will reset the environment to only contain the
468: LOGNAME, SHELL, USER, USERNAME and the C<SUDO_*> variables. Any
469: variables in the caller's environment that match the C<env_keep>
470: and C<env_check> lists are then added. The default contents of the
471: C<env_keep> and C<env_check> lists are displayed when B<sudo> is
472: run by root with the I<-V> option. If B<sudo> was compiled with
473: the C<SECURE_PATH> option, its value will be used for the C<PATH>
474: environment variable. This flag is I<on> by default.
475:
476: =item fqdn
477:
478: Set this flag if you want to put fully qualified hostnames in the
479: I<sudoers> file. I.e., instead of myhost you would use myhost.mydomain.edu.
480: You may still use the short form if you wish (and even mix the two).
481: Beware that turning on I<fqdn> requires B<sudo> to make DNS lookups
482: which may make B<sudo> unusable if DNS stops working (for example
483: if the machine is not plugged into the network). Also note that
484: you must use the host's official name as DNS knows it. That is,
485: you may not use a host alias (C<CNAME> entry) due to performance
486: issues and the fact that there is no way to get all aliases from
487: DNS. If your machine's hostname (as returned by the C<hostname>
488: command) is already fully qualified you shouldn't need to set
489: I<fqdn>. This flag is I<@fqdn@> by default.
490:
491: =item ignore_dot
492:
493: If set, B<sudo> will ignore '.' or '' (current dir) in the C<PATH>
494: environment variable; the C<PATH> itself is not modified. This
495: flag is I<@ignore_dot@> by default. Currently, while it is possible
496: to set I<ignore_dot> in I<sudoers>, its value is not used. This option
497: should be considered read-only (it will be fixed in a future version
498: of B<sudo>).
499:
500: =item ignore_local_sudoers
501:
1.9 ! millert 502: If set via LDAP, parsing of F<@sysconfdir@/sudoers> will be skipped.
1.1 millert 503: This is intended for Enterprises that wish to prevent the usage of local
504: sudoers files so that only LDAP is used. This thwarts the efforts of
1.9 ! millert 505: rogue operators who would attempt to add roles to F<@sysconfdir@/sudoers>.
! 506: When this option is present, F<@sysconfdir@/sudoers> does not even need to
! 507: exist. Since this option tells B<sudo> how to behave when no specific LDAP
! 508: entries have been matched, this sudoOption is only meaningful for the
! 509: C<cn=defaults> section. This flag is I<off> by default.
1.1 millert 510:
511: =item insults
512:
513: If set, B<sudo> will insult users when they enter an incorrect
514: password. This flag is I<@insults@> by default.
515:
516: =item log_host
517:
518: If set, the hostname will be logged in the (non-syslog) B<sudo> log file.
519: This flag is I<off> by default.
520:
521: =item log_year
522:
523: If set, the four-digit year will be logged in the (non-syslog) B<sudo> log file.
524: This flag is I<off> by default.
525:
526: =item long_otp_prompt
527:
528: When validating with a One Time Password (OPT) scheme such as
529: B<S/Key> or B<OPIE>, a two-line prompt is used to make it easier
530: to cut and paste the challenge to a local window. It's not as
531: pretty as the default but some people find it more convenient. This
532: flag is I<@long_otp_prompt@> by default.
533:
534: =item mail_always
535:
536: Send mail to the I<mailto> user every time a users runs B<sudo>.
537: This flag is I<off> by default.
538:
539: =item mail_badpass
540:
541: Send mail to the I<mailto> user if the user running B<sudo> does not
542: enter the correct password. This flag is I<off> by default.
543:
544: =item mail_no_host
545:
546: If set, mail will be sent to the I<mailto> user if the invoking
547: user exists in the I<sudoers> file, but is not allowed to run
548: commands on the current host. This flag is I<@mail_no_host@> by default.
549:
550: =item mail_no_perms
551:
552: If set, mail will be sent to the I<mailto> user if the invoking
553: user is allowed to use B<sudo> but the command they are trying is not
554: listed in their I<sudoers> file entry or is explicitly denied.
555: This flag is I<@mail_no_perms@> by default.
556:
557: =item mail_no_user
558:
559: If set, mail will be sent to the I<mailto> user if the invoking
560: user is not in the I<sudoers> file. This flag is I<@mail_no_user@>
561: by default.
562:
563: =item noexec
564:
565: If set, all commands run via B<sudo> will behave as if the C<NOEXEC>
566: tag has been set, unless overridden by a C<EXEC> tag. See the
567: description of I<NOEXEC and EXEC> below as well as the L<PREVENTING SHELL
568: ESCAPES> section at the end of this manual. This flag is I<off> by default.
569:
570: =item path_info
571:
572: Normally, B<sudo> will tell the user when a command could not be
573: found in their C<PATH> environment variable. Some sites may wish
574: to disable this as it could be used to gather information on the
575: location of executables that the normal user does not have access
576: to. The disadvantage is that if the executable is simply not in
577: the user's C<PATH>, B<sudo> will tell the user that they are not
578: allowed to run it, which can be confusing. This flag is I<@path_info@>
579: by default.
1.7 millert 580:
581: =item passprompt_override
582:
583: The password prompt specified by I<passprompt> will normally only
584: be used if the passwod prompt provided by systems such as PAM matches
585: the string "Password:". If I<passprompt_override> is set, I<passprompt>
586: will always be used. This flag is I<off> by default.
1.1 millert 587:
588: =item preserve_groups
589:
590: By default B<sudo> will initialize the group vector to the list of
591: groups the target user is in. When I<preserve_groups> is set, the
592: user's existing group vector is left unaltered. The real and
593: effective group IDs, however, are still set to match the target
594: user. This flag is I<off> by default.
595:
596: =item requiretty
597:
598: If set, B<sudo> will only run when the user is logged in to a real
599: tty. This will disallow things like C<"rsh somehost sudo ls"> since
600: L<rsh(1)> does not allocate a tty. Because it is not possible to turn
601: off echo when there is no tty present, some sites may wish to set
602: this flag to prevent a user from entering a visible password. This
603: flag is I<off> by default.
604:
605: =item root_sudo
606:
607: If set, root is allowed to run B<sudo> too. Disabling this prevents users
608: from "chaining" B<sudo> commands to get a root shell by doing something
609: like C<"sudo sudo /bin/sh">. Note, however, that turning off I<root_sudo>
610: will also prevent root and from running B<sudoedit>.
611: Disabling I<root_sudo> provides no real additional security; it
612: exists purely for historical reasons.
613: This flag is I<@root_sudo@> by default.
614:
615: =item rootpw
616:
617: If set, B<sudo> will prompt for the root password instead of the password
618: of the invoking user. This flag is I<off> by default.
619:
620: =item runaspw
621:
622: If set, B<sudo> will prompt for the password of the user defined by the
623: I<runas_default> option (defaults to C<@runas_default@>) instead of the
624: password of the invoking user. This flag is I<off> by default.
625:
626: =item set_home
627:
628: If set and B<sudo> is invoked with the B<-s> flag the C<HOME>
629: environment variable will be set to the home directory of the target
630: user (which is root unless the B<-u> option is used). This effectively
631: makes the B<-s> flag imply B<-H>. This flag is I<off> by default.
632:
633: =item set_logname
634:
635: Normally, B<sudo> will set the C<LOGNAME>, C<USER> and C<USERNAME>
636: environment variables to the name of the target user (usually root
637: unless the B<-u> flag is given). However, since some programs
638: (including the RCS revision control system) use C<LOGNAME> to
639: determine the real identity of the user, it may be desirable to
640: change this behavior. This can be done by negating the set_logname
641: option. Note that if the I<env_reset> option has not been disabled,
642: entries in the I<env_keep> list will override the value of
643: I<set_logname>. This flag is I<off> by default.
644:
645: =item setenv
646:
647: Allow the user to disable the I<env_reset> option from the command
648: line. Additionally, environment variables set via the command line
649: are not subject to the restrictions imposed by I<env_check>,
650: I<env_delete>, or I<env_keep>. As such, only trusted users should
651: be allowed to set variables in this manner. This flag is I<off>
652: by default.
653:
654: =item shell_noargs
655:
656: If set and B<sudo> is invoked with no arguments it acts as if the
657: B<-s> flag had been given. That is, it runs a shell as root (the
658: shell is determined by the C<SHELL> environment variable if it is
659: set, falling back on the shell listed in the invoking user's
660: /etc/passwd entry if not). This flag is I<off> by default.
661:
662: =item stay_setuid
663:
664: Normally, when B<sudo> executes a command the real and effective
665: UIDs are set to the target user (root by default). This option
666: changes that behavior such that the real UID is left as the invoking
667: user's UID. In other words, this makes B<sudo> act as a setuid
668: wrapper. This can be useful on systems that disable some potentially
669: dangerous functionality when a program is run setuid. This option
670: is only effective on systems with either the setreuid() or setresuid()
671: function. This flag is I<off> by default.
672:
673: =item targetpw
674:
675: If set, B<sudo> will prompt for the password of the user specified by
676: the B<-u> flag (defaults to C<root>) instead of the password of the
677: invoking user. Note that this precludes the use of a uid not listed
678: in the passwd database as an argument to the B<-u> flag.
679: This flag is I<off> by default.
680:
681: =item tty_tickets
682:
683: If set, users must authenticate on a per-tty basis. Normally,
684: B<sudo> uses a directory in the ticket dir with the same name as
685: the user running it. With this flag enabled, B<sudo> will use a
686: file named for the tty the user is logged in on in that directory.
687: This flag is I<@tty_tickets@> by default.
688:
689: =item use_loginclass
690:
691: If set, B<sudo> will apply the defaults specified for the target user's
692: login class if one exists. Only available if B<sudo> is configured with
693: the --with-logincap option. This flag is I<off> by default.
694:
695: =back
696:
697: B<Integers>:
698:
1.5 millert 699: =over 16
1.1 millert 700:
701: =item passwd_tries
702:
703: The number of tries a user gets to enter his/her password before
704: B<sudo> logs the failure and exits. The default is C<@passwd_tries@>.
705:
706: =back
707:
708: B<Integers that can be used in a boolean context>:
709:
1.5 millert 710: =over 16
1.1 millert 711:
712: =item loglinelen
713:
714: Number of characters per line for the file log. This value is used
715: to decide when to wrap lines for nicer log files. This has no
716: effect on the syslog log file, only the file log. The default is
717: C<@loglen@> (use 0 or negate the option to disable word wrap).
718:
719: =item passwd_timeout
720:
721: Number of minutes before the B<sudo> password prompt times out.
722: The default is C<@password_timeout@>; set this to C<0> for no password timeout.
723:
724: =item timestamp_timeout
725:
726: Number of minutes that can elapse before B<sudo> will ask for a
727: passwd again. The default is C<@timeout@>. Set this to C<0> to always
728: prompt for a password.
729: If set to a value less than C<0> the user's timestamp will never
730: expire. This can be used to allow users to create or delete their
731: own timestamps via C<sudo -v> and C<sudo -k> respectively.
732:
733: =item umask
734:
735: Umask to use when running the command. Negate this option or set
736: it to 0777 to preserve the user's umask. The default is C<@sudo_umask@>.
737:
738: =back
739:
740: B<Strings>:
741:
1.5 millert 742: =over 16
1.1 millert 743:
744: =item badpass_message
745:
746: Message that is displayed if a user enters an incorrect password.
747: The default is C<@badpass_message@> unless insults are enabled.
748:
749: =item editor
750:
751: A colon (':') separated list of editors allowed to be used with
752: B<visudo>. B<visudo> will choose the editor that matches the user's
753: EDITOR environment variable if possible, or the first editor in the
754: list that exists and is executable. The default is the path to vi
755: on your system.
756:
757: =item mailsub
758:
759: Subject of the mail sent to the I<mailto> user. The escape C<%h>
760: will expand to the hostname of the machine.
761: Default is C<@mailsub@>.
762:
763: =item noexec_file
764:
765: Path to a shared library containing dummy versions of the execv(),
766: execve() and fexecve() library functions that just return an error.
767: This is used to implement the I<noexec> functionality on systems that
768: support C<LD_PRELOAD> or its equivalent. Defaults to F<@noexec_file@>.
769:
770: =item passprompt
771:
772: The default prompt to use when asking for a password; can be overridden
773: via the B<-p> option or the C<SUDO_PROMPT> environment variable.
774: The following percent (`C<%>') escapes are supported:
775:
1.5 millert 776: =over 4
1.1 millert 777:
778: =item C<%H>
779:
780: expanded to the local hostname including the domain name
781: (on if the machine's hostname is fully qualified or the I<fqdn>
782: option is set)
783:
784: =item C<%h>
785:
786: expanded to the local hostname without the domain name
1.8 millert 787:
788: =item C<%p>
789:
790: expanded to the user whose password is being asked for (respects the
791: I<rootpw>, I<targetpw> and I<runaspw> flags in I<sudoers>)
1.1 millert 792:
793: =item C<%U>
794:
795: expanded to the login name of the user the command will
796: be run as (defaults to root)
797:
798: =item C<%u>
799:
800: expanded to the invoking user's login name
801:
802: =item C<%%>
803:
804: two consecutive C<%> characters are collapsed into a single C<%> character
805:
806: =back
807:
808: The default value is C<@passprompt@>.
809:
810: =item runas_default
811:
812: The default user to run commands as if the B<-u> flag is not specified
813: on the command line. This defaults to C<@runas_default@>.
814: Note that if I<runas_default> is set it B<must> occur before
815: any C<Runas_Alias> specifications.
816:
817: =item syslog_badpri
818:
819: Syslog priority to use when user authenticates unsuccessfully.
820: Defaults to C<@badpri@>.
821:
822: =item syslog_goodpri
823:
824: Syslog priority to use when user authenticates successfully.
825: Defaults to C<@goodpri@>.
826:
827: =item timestampdir
828:
829: The directory in which B<sudo> stores its timestamp files.
830: The default is F<@timedir@>.
831:
832: =item timestampowner
833:
834: The owner of the timestamp directory and the timestamps stored therein.
835: The default is C<root>.
836:
837: =back
838:
839: B<Strings that can be used in a boolean context>:
840:
841: =over 12
842:
843: =item exempt_group
844:
845: Users in this group are exempt from password and PATH requirements.
846: This is not set by default.
847:
848: =item lecture
849:
850: This option controls when a short lecture will be printed along with
851: the password prompt. It has the following possible values:
852:
853: =over 8
854:
855: =item always
856:
857: Always lecture the user.
858:
859: =item never
860:
861: Never lecture the user.
862:
863: =item once
864:
865: Only lecture the user the first time they run B<sudo>.
866:
867: =back
868:
869: If no value is specified, a value of I<once> is implied.
870: Negating the option results in a value of I<never> being used.
871: The default value is I<@lecture@>.
872:
873: =item lecture_file
874:
875: Path to a file containing an alternate B<sudo> lecture that will
876: be used in place of the standard lecture if the named file exists.
877: By default, B<sudo> uses a built-in lecture.
878:
879: =item listpw
880:
881: This option controls when a password will be required when a
882: user runs B<sudo> with the B<-l> flag. It has the following possible values:
883:
884: =over 8
885:
886: =item all
887:
888: All the user's I<sudoers> entries for the current host must have
889: the C<NOPASSWD> flag set to avoid entering a password.
890:
891: =item always
892:
893: The user must always enter a password to use the B<-l> flag.
894:
895: =item any
896:
897: At least one of the user's I<sudoers> entries for the current host
898: must have the C<NOPASSWD> flag set to avoid entering a password.
899:
900: =item never
901:
902: The user need never enter a password to use the B<-l> flag.
903:
904: =back
905:
906: If no value is specified, a value of I<any> is implied.
907: Negating the option results in a value of I<never> being used.
908: The default value is I<any>.
909:
910: =item logfile
911:
912: Path to the B<sudo> log file (not the syslog log file). Setting a path
913: turns on logging to a file; negating this option turns it off.
914: By default, B<sudo> logs via syslog.
915:
916: =item mailerflags
917:
918: Flags to use when invoking mailer. Defaults to B<-t>.
919:
920: =item mailerpath
921:
922: Path to mail program used to send warning mail.
923: Defaults to the path to sendmail found at configure time.
924:
925: =item mailto
926:
927: Address to send warning and error mail to. The address should
928: be enclosed in double quotes (C<">) to protect against B<sudo>
929: interpreting the C<@> sign. Defaults to C<@mailto@>.
930:
931: =item syslog
932:
933: Syslog facility if syslog is being used for logging (negate to
934: disable syslog logging). Defaults to C<@logfac@>.
935:
936: =item verifypw
937:
938: This option controls when a password will be required when a user runs
939: B<sudo> with the B<-v> flag. It has the following possible values:
940:
941: =over 8
942:
943: =item all
944:
945: All the user's I<sudoers> entries for the current host must have
946: the C<NOPASSWD> flag set to avoid entering a password.
947:
948: =item always
949:
950: The user must always enter a password to use the B<-v> flag.
951:
952: =item any
953:
954: At least one of the user's I<sudoers> entries for the current host
955: must have the C<NOPASSWD> flag set to avoid entering a password.
956:
957: =item never
958:
959: The user need never enter a password to use the B<-v> flag.
960:
961: =back
962:
963: If no value is specified, a value of I<all> is implied.
964: Negating the option results in a value of I<never> being used.
965: The default value is I<all>.
966:
967: =back
968:
969: B<Lists that can be used in a boolean context>:
970:
1.5 millert 971: =over 16
1.1 millert 972:
973: =item env_check
974:
975: Environment variables to be removed from the user's environment if
976: the variable's value contains C<%> or C</> characters. This can
977: be used to guard against printf-style format vulnerabilities in
978: poorly-written programs. The argument may be a double-quoted,
979: space-separated list or a single value without double-quotes. The
980: list can be replaced, added to, deleted from, or disabled by using
981: the C<=>, C<+=>, C<-=>, and C<!> operators respectively. Regardless
982: of whether the C<env_reset> option is enabled or disabled, variables
983: specified by C<env_check> will be preserved in the environment if
984: they pass the aforementioned check. The default list of environment
985: variables to check is displayed when B<sudo> is run by root with
986: the I<-V> option.
987:
988: =item env_delete
989:
990: Environment variables to be removed from the user's environment.
991: The argument may be a double-quoted, space-separated list or a
992: single value without double-quotes. The list can be replaced, added
993: to, deleted from, or disabled by using the C<=>, C<+=>, C<-=>, and
994: C<!> operators respectively. The default list of environment
995: variables to remove is displayed when B<sudo> is run by root with the
996: I<-V> option. Note that many operating systems will remove potentially
997: dangerous variables from the environment of any setuid process (such
998: as B<sudo>).
999:
1000: =item env_keep
1001:
1002: Environment variables to be preserved in the user's environment
1003: when the I<env_reset> option is in effect. This allows fine-grained
1004: control over the environment B<sudo>-spawned processes will receive.
1005: The argument may be a double-quoted, space-separated list or a
1006: single value without double-quotes. The list can be replaced, added
1007: to, deleted from, or disabled by using the C<=>, C<+=>, C<-=>, and
1008: C<!> operators respectively. The default list of variables to keep
1009: is displayed when B<sudo> is run by root with the I<-V> option.
1010:
1011: =back
1012:
1013: When logging via L<syslog(3)>, B<sudo> accepts the following values
1014: for the syslog facility (the value of the B<syslog> Parameter):
1015: B<authpriv> (if your OS supports it), B<auth>, B<daemon>, B<user>,
1016: B<local0>, B<local1>, B<local2>, B<local3>, B<local4>, B<local5>,
1017: B<local6>, and B<local7>. The following syslog priorities are
1018: supported: B<alert>, B<crit>, B<debug>, B<emerg>, B<err>, B<info>,
1019: B<notice>, and B<warning>.
1020:
1021: =head1 FILES
1022:
1.9 ! millert 1023: =over 24
! 1024:
! 1025: =item F<@sysconfdir@/sudoers>
1.4 millert 1026:
1.3 millert 1027: List of who can run what
1028:
1.9 ! millert 1029: =item F</etc/group>
! 1030:
1.3 millert 1031: Local groups file
1032:
1.9 ! millert 1033: =item F</etc/netgroup>
! 1034:
1.3 millert 1035: List of network groups
1.4 millert 1036:
1037: =back
1.1 millert 1038:
1039: =head1 EXAMPLES
1040:
1041: Since the I<sudoers> file is parsed in a single pass, order is
1042: important. In general, you should structure I<sudoers> such that
1043: the C<Host_Alias>, C<User_Alias>, and C<Cmnd_Alias> specifications
1044: come first, followed by any C<Default_Entry> lines, and finally the
1045: C<Runas_Alias> and user specifications. The basic rule of thumb
1046: is you cannot reference an Alias that has not already been defined.
1047:
1048: Below are example I<sudoers> entries. Admittedly, some of
1049: these are a bit contrived. First, we define our I<aliases>:
1050:
1051: # User alias specification
1052: User_Alias FULLTIMERS = millert, mikef, dowdy
1053: User_Alias PARTTIMERS = bostley, jwfox, crawl
1054: User_Alias WEBMASTERS = will, wendy, wim
1055:
1056: # Runas alias specification
1057: Runas_Alias OP = root, operator
1058: Runas_Alias DB = oracle, sybase
1059:
1060: # Host alias specification
1061: Host_Alias SPARC = bigtime, eclipse, moet, anchor :\
1062: SGI = grolsch, dandelion, black :\
1063: ALPHA = widget, thalamus, foobar :\
1064: HPPA = boa, nag, python
1065: Host_Alias CUNETS = 128.138.0.0/255.255.0.0
1066: Host_Alias CSNETS = 128.138.243.0, 128.138.204.0/24, 128.138.242.0
1067: Host_Alias SERVERS = master, mail, www, ns
1068: Host_Alias CDROM = orion, perseus, hercules
1069:
1070: # Cmnd alias specification
1071: Cmnd_Alias DUMPS = /usr/bin/mt, /usr/sbin/dump, /usr/sbin/rdump,\
1072: /usr/sbin/restore, /usr/sbin/rrestore
1073: Cmnd_Alias KILL = /usr/bin/kill
1074: Cmnd_Alias PRINTING = /usr/sbin/lpc, /usr/bin/lprm
1075: Cmnd_Alias SHUTDOWN = /usr/sbin/shutdown
1076: Cmnd_Alias HALT = /usr/sbin/halt
1077: Cmnd_Alias REBOOT = /usr/sbin/reboot
1078: Cmnd_Alias SHELLS = /usr/bin/sh, /usr/bin/csh, /usr/bin/ksh, \
1079: /usr/local/bin/tcsh, /usr/bin/rsh, \
1080: /usr/local/bin/zsh
1081: Cmnd_Alias SU = /usr/bin/su
1.5 millert 1082: Cmnd_Alias PAGERS = /usr/bin/more, /usr/bin/pg, /usr/bin/less
1.1 millert 1083:
1084: Here we override some of the compiled in default values. We want
1085: B<sudo> to log via L<syslog(3)> using the I<auth> facility in all
1086: cases. We don't want to subject the full time staff to the B<sudo>
1087: lecture, user B<millert> need not give a password, and we don't
1088: want to reset the C<LOGNAME>, C<USER> or C<USERNAME> environment
1089: variables when running commands as root. Additionally, on the
1090: machines in the I<SERVERS> C<Host_Alias>, we keep an additional
1091: local log file and make sure we log the year in each log line since
1.5 millert 1092: the log entries will be kept around for several years. Lastly, we
1093: disable shell escapes for the commands in the PAGERS C<Cmnd_Alias>
1094: (F</usr/bin/more>, F</usr/bin/pg> and F</usr/bin/less>).
1.1 millert 1095:
1096: # Override built-in defaults
1097: Defaults syslog=auth
1098: Defaults>root !set_logname
1099: Defaults:FULLTIMERS !lecture
1100: Defaults:millert !authenticate
1101: Defaults@SERVERS log_year, logfile=/var/log/sudo.log
1102: Defaults!PAGERS noexec
1103:
1104: The I<User specification> is the part that actually determines who may
1105: run what.
1106:
1107: root ALL = (ALL) ALL
1108: %wheel ALL = (ALL) ALL
1109:
1110: We let B<root> and any user in group B<wheel> run any command on any
1111: host as any user.
1112:
1113: FULLTIMERS ALL = NOPASSWD: ALL
1114:
1115: Full time sysadmins (B<millert>, B<mikef>, and B<dowdy>) may run any
1116: command on any host without authenticating themselves.
1117:
1118: PARTTIMERS ALL = ALL
1119:
1120: Part time sysadmins (B<bostley>, B<jwfox>, and B<crawl>) may run any
1121: command on any host but they must authenticate themselves first
1122: (since the entry lacks the C<NOPASSWD> tag).
1123:
1124: jack CSNETS = ALL
1125:
1126: The user B<jack> may run any command on the machines in the I<CSNETS> alias
1127: (the networks C<128.138.243.0>, C<128.138.204.0>, and C<128.138.242.0>).
1128: Of those networks, only C<128.138.204.0> has an explicit netmask (in
1129: CIDR notation) indicating it is a class C network. For the other
1130: networks in I<CSNETS>, the local machine's netmask will be used
1131: during matching.
1132:
1133: lisa CUNETS = ALL
1134:
1135: The user B<lisa> may run any command on any host in the I<CUNETS> alias
1136: (the class B network C<128.138.0.0>).
1137:
1138: operator ALL = DUMPS, KILL, SHUTDOWN, HALT, REBOOT, PRINTING,\
1139: sudoedit /etc/printcap, /usr/oper/bin/
1140:
1141: The B<operator> user may run commands limited to simple maintenance.
1142: Here, those are commands related to backups, killing processes, the
1143: printing system, shutting down the system, and any commands in the
1144: directory F</usr/oper/bin/>.
1145:
1146: joe ALL = /usr/bin/su operator
1147:
1148: The user B<joe> may only L<su(1)> to operator.
1149:
1150: pete HPPA = /usr/bin/passwd [A-z]*, !/usr/bin/passwd root
1151:
1152: The user B<pete> is allowed to change anyone's password except for
1153: root on the I<HPPA> machines. Note that this assumes L<passwd(1)>
1154: does not take multiple usernames on the command line.
1155:
1156: bob SPARC = (OP) ALL : SGI = (OP) ALL
1157:
1158: The user B<bob> may run anything on the I<SPARC> and I<SGI> machines
1159: as any user listed in the I<OP> C<Runas_Alias> (B<root> and B<operator>).
1160:
1161: jim +biglab = ALL
1162:
1163: The user B<jim> may run any command on machines in the I<biglab> netgroup.
1164: B<sudo> knows that "biglab" is a netgroup due to the '+' prefix.
1165:
1166: +secretaries ALL = PRINTING, /usr/bin/adduser, /usr/bin/rmuser
1167:
1168: Users in the B<secretaries> netgroup need to help manage the printers
1169: as well as add and remove users, so they are allowed to run those
1170: commands on all machines.
1171:
1172: fred ALL = (DB) NOPASSWD: ALL
1173:
1174: The user B<fred> can run commands as any user in the I<DB> C<Runas_Alias>
1175: (B<oracle> or B<sybase>) without giving a password.
1176:
1177: john ALPHA = /usr/bin/su [!-]*, !/usr/bin/su *root*
1178:
1179: On the I<ALPHA> machines, user B<john> may su to anyone except root
1180: but he is not allowed to give L<su(1)> any flags.
1181:
1182: jen ALL, !SERVERS = ALL
1183:
1184: The user B<jen> may run any command on any machine except for those
1185: in the I<SERVERS> C<Host_Alias> (master, mail, www and ns).
1186:
1187: jill SERVERS = /usr/bin/, !SU, !SHELLS
1188:
1189: For any machine in the I<SERVERS> C<Host_Alias>, B<jill> may run
1.5 millert 1190: any commands in the directory F</usr/bin/> except for those commands
1.1 millert 1191: belonging to the I<SU> and I<SHELLS> C<Cmnd_Aliases>.
1192:
1193: steve CSNETS = (operator) /usr/local/op_commands/
1194:
1195: The user B<steve> may run any command in the directory /usr/local/op_commands/
1196: but only as user operator.
1197:
1198: matt valkyrie = KILL
1199:
1200: On his personal workstation, valkyrie, B<matt> needs to be able to
1201: kill hung processes.
1202:
1203: WEBMASTERS www = (www) ALL, (root) /usr/bin/su www
1204:
1205: On the host www, any user in the I<WEBMASTERS> C<User_Alias> (will,
1206: wendy, and wim), may run any command as user www (which owns the
1207: web pages) or simply L<su(1)> to www.
1208:
1209: ALL CDROM = NOPASSWD: /sbin/umount /CDROM,\
1210: /sbin/mount -o nosuid\,nodev /dev/cd0a /CDROM
1211:
1212: Any user may mount or unmount a CD-ROM on the machines in the CDROM
1213: C<Host_Alias> (orion, perseus, hercules) without entering a password.
1214: This is a bit tedious for users to type, so it is a prime candidate
1215: for encapsulating in a shell script.
1216:
1217: =head1 SECURITY NOTES
1218:
1219: It is generally not effective to "subtract" commands from C<ALL>
1220: using the '!' operator. A user can trivially circumvent this
1221: by copying the desired command to a different name and then
1222: executing that. For example:
1223:
1224: bill ALL = ALL, !SU, !SHELLS
1225:
1226: Doesn't really prevent B<bill> from running the commands listed in
1227: I<SU> or I<SHELLS> since he can simply copy those commands to a
1228: different name, or use a shell escape from an editor or other
1229: program. Therefore, these kind of restrictions should be considered
1230: advisory at best (and reinforced by policy).
1231:
1232: =head1 PREVENTING SHELL ESCAPES
1233:
1234: Once B<sudo> executes a program, that program is free to do whatever
1235: it pleases, including run other programs. This can be a security
1236: issue since it is not uncommon for a program to allow shell escapes,
1237: which lets a user bypass B<sudo>'s access control and logging.
1238: Common programs that permit shell escapes include shells (obviously),
1239: editors, paginators, mail and terminal programs.
1240:
1241: There are two basic approaches to this problem:
1242:
1243: =over 10
1244:
1245: =item restrict
1246:
1247: Avoid giving users access to commands that allow the user to run
1248: arbitrary commands. Many editors have a restricted mode where shell
1249: escapes are disabled, though B<sudoedit> is a better solution to
1250: running editors via B<sudo>. Due to the large number of programs that
1251: offer shell escapes, restricting users to the set of programs that
1252: do not if often unworkable.
1253:
1254: =item noexec
1255:
1256: Many systems that support shared libraries have the ability to
1257: override default library functions by pointing an environment
1258: variable (usually C<LD_PRELOAD>) to an alternate shared library.
1259: On such systems, B<sudo>'s I<noexec> functionality can be used to
1260: prevent a program run by B<sudo> from executing any other programs.
1261: Note, however, that this applies only to native dynamically-linked
1262: executables. Statically-linked executables and foreign executables
1263: running under binary emulation are not affected.
1264:
1265: To tell whether or not B<sudo> supports I<noexec>, you can run
1266: the following as root:
1267:
1268: sudo -V | grep "dummy exec"
1269:
1270: If the resulting output contains a line that begins with:
1271:
1272: File containing dummy exec functions:
1273:
1274: then B<sudo> may be able to replace the exec family of functions
1275: in the standard library with its own that simply return an error.
1276: Unfortunately, there is no foolproof way to know whether or not
1277: I<noexec> will work at compile-time. I<noexec> should work on
1278: SunOS, Solaris, *BSD, Linux, IRIX, Tru64 UNIX, MacOS X, and HP-UX
1279: 11.x. It is known B<not> to work on AIX and UnixWare. I<noexec>
1280: is expected to work on most operating systems that support the
1281: C<LD_PRELOAD> environment variable. Check your operating system's
1282: manual pages for the dynamic linker (usually ld.so, ld.so.1, dyld,
1283: dld.sl, rld, or loader) to see if C<LD_PRELOAD> is supported.
1284:
1285: To enable I<noexec> for a command, use the C<NOEXEC> tag as documented
1286: in the User Specification section above. Here is that example again:
1287:
1288: aaron shanty = NOEXEC: /usr/bin/more, /usr/bin/vi
1289:
1290: This allows user B<aaron> to run F</usr/bin/more> and F</usr/bin/vi>
1291: with I<noexec> enabled. This will prevent those two commands from
1292: executing other commands (such as a shell). If you are unsure
1293: whether or not your system is capable of supporting I<noexec> you
1294: can always just try it out and see if it works.
1295:
1296: =back
1297:
1298: Note that restricting shell escapes is not a panacea. Programs
1299: running as root are still capable of many potentially hazardous
1300: operations (such as changing or overwriting files) that could lead
1301: to unintended privilege escalation. In the specific case of an
1302: editor, a safer approach is to give the user permission to run
1303: B<sudoedit>.
1304:
1305: =head1 SEE ALSO
1306:
1307: L<rsh(1)>, L<su(1)>, L<fnmatch(3)>, L<sudo(8)>, L<visudo(8)>
1308:
1309: =head1 CAVEATS
1310:
1311: The I<sudoers> file should B<always> be edited by the B<visudo>
1312: command which locks the file and does grammatical checking. It is
1313: imperative that I<sudoers> be free of syntax errors since B<sudo>
1314: will not run with a syntactically incorrect I<sudoers> file.
1315:
1316: When using netgroups of machines (as opposed to users), if you
1317: store fully qualified hostnames in the netgroup (as is usually the
1318: case), you either need to have the machine's hostname be fully qualified
1319: as returned by the C<hostname> command or use the I<fqdn> option in
1320: I<sudoers>.
1321:
1322: =head1 BUGS
1323:
1324: If you feel you have found a bug in B<sudo>, please submit a bug report
1325: at http://www.sudo.ws/sudo/bugs/
1326:
1327: =head1 SUPPORT
1328:
1329: Limited free support is available via the sudo-users mailing list,
1330: see http://www.sudo.ws/mailman/listinfo/sudo-users to subscribe or
1331: search the archives.
1332:
1333: =head1 DISCLAIMER
1334:
1335: B<sudo> is provided ``AS IS'' and any express or implied warranties,
1336: including, but not limited to, the implied warranties of merchantability
1337: and fitness for a particular purpose are disclaimed. See the LICENSE
1338: file distributed with B<sudo> or http://www.sudo.ws/sudo/license.html
1339: for complete details.