SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
sudoers - list of which users may execute what
DESCRIPTION

The sudoers file is composed of two types of entries: aliases (basically variables) and user specifications (which specify who may

When multiple entries match for a user, they are applied in order. Where there are multiple matches, the last match is used (which is not necessarily the most specific match).

The sudoers grammar will be described below in Extended Backus-Naur Form (EBNF). Don't despair if you don't know what EBNF is; it is fairly simple, and the definitions below are annotated.

Quick guide to EBNF

EBNF is a concise and exact way of describing the grammar of a language. Each EBNF definition is made up of production rules. E.g.,

    symbol ::= definition | alternate1 | alternate2 ...

Each production rule references others and thus makes up a grammar for the language. EBNF also contains the following operators, which many readers will recognize from regular expressions. Do not, however, confuse them with "wildcard" characters, which have different meanings.

    ?  Means that the preceding symbol (or group of symbols) is optional. That is, it may appear once or not at all.

    *  Means that the preceding symbol (or group of symbols) may appear

    +  Means that the preceding symbol (or group of symbols) may appear

Parentheses may be used to group symbols together. For clarity, we will use single quotes ('') to designate what is a verbatim character string (as opposed to a symbol name).

Aliases

There are four kinds of aliases: User_Alias, Runas_Alias, Host_Alias

    Alias ::= 'User_Alias' User_Alias (':' User_Alias)* |
              'Runas_Alias' Runas_Alias (':' Runas_Alias)* |
              'Host_Alias' Host_Alias (':' Host_Alias)* |
              'Cmnd_Alias' Cmnd_Alias (':' Cmnd_Alias)*

    User_Alias ::= NAME '=' User_List

    Runas_Alias ::= NAME '=' Runas_List
1.7.0 December 3, 2008 1
    Host_Alias ::= NAME '=' Host_List

    Cmnd_Alias ::= NAME '=' Cmnd_List

    NAME ::= [A-Z]([A-Z][0-9]_)*

Each alias definition is of the form

    Alias_Type NAME = item1, item2, ...

where Alias_Type is one of User_Alias, Runas_Alias, Host_Alias, or Cmnd_Alias. A NAME is a string of uppercase letters, numbers, and underscore characters ('_'). A NAME must start with an uppercase letter. It is possible to put several alias definitions of the same type on a single line, joined by a colon (':'). E.g.,

    Alias_Type NAME = item1, item2, item3 : NAME = item4, item5

The definitions of what constitutes a valid alias member follow.

    User ::= '!'* username |

A User_List is made up of one or more usernames, uids (prefixed with '#'), system groups (prefixed with '%'), netgroups (prefixed with '+') and User_Aliases. Each list item may be prefixed with zero or more '!' operators. An odd number of '!' operators negate the value of the item; an even number just cancel each other out.

    Runas_List ::= Runas_Member |
                   Runas_Member ',' Runas_List

    Runas_Member ::= '!'* username |

A Runas_List is similar to a User_List except that instead of User_Aliases it can contain Runas_Aliases. Note that usernames and groups are matched as strings. In other words, two users (groups) with the same uid (gid) are considered to be distinct. If you wish to match all usernames with the same uid (e.g. root and toor), you can use a uid instead (#0 in the example given).
    Host ::= '!'* hostname |
             '!'* network(/netmask)? |

A Host_List is made up of one or more hostnames, IP addresses, network numbers, netgroups (prefixed with '+') and other aliases. Again, the value of an item may be negated with the '!' operator. If you do not specify a netmask along with the network number, sudo will query each of the local host's network interfaces and, if the network number corresponds to one of the host's network interfaces, the corresponding netmask will be used. The netmask may be specified either in standard IP address notation (e.g. 255.255.255.0 or ffff:ffff:ffff:ffff::), or CIDR notation (number of bits, e.g. 24 or 64). A hostname may include shell-style wildcards (see the Wildcards section below), but unless the hostname command on your machine returns the fully qualified hostname, you'll need to use the fqdn option for wildcards to be useful.
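As an added illustration of the Host_List rules just described (this is not code from the manual or from sudo itself), the following Python models hostname, address and network matching, including the case where no netmask is given and the mask of the matching local interface is used. The hostname, addresses and interfaces are constructed sample values; netgroups are not modelled.

```python
"""Host_List matching: hostnames with shell-style wildcards, IP addresses,
and network numbers with an optional netmask in address form
(255.255.255.0, ffff:ffff:ffff:ffff::) or CIDR form (24, 64).
Worked model for illustration; not sudo's own code."""
import fnmatch
import ipaddress


def _network_for(item, interfaces):
    """Resolve 'network', 'network/bits' or 'network/mask' to an ip_network.
    Without a netmask, the mask of the local interface whose network number
    equals the item is used, as the text describes; None if there is none."""
    if "/" in item:
        net, mask = item.split("/", 1)
        if ":" in net and ":" in mask:
            # ipaddress accepts an IPv6 netmask only as a prefix length, so
            # convert e.g. ffff:ffff:ffff:ffff:: into its number of one bits
            mask_int = int(ipaddress.IPv6Address(mask))
            bits = bin(mask_int).count("1")
            if mask_int != (((1 << bits) - 1) << (128 - bits)):
                raise ValueError("non-contiguous IPv6 netmask: " + mask)
            mask = str(bits)
        return ipaddress.ip_network(net + "/" + mask, strict=False)
    addr = ipaddress.ip_address(item)
    for iface in interfaces:
        if iface.network.network_address == addr:
            return iface.network
    return None


def _is_address(item):
    try:
        ipaddress.ip_address(item.split("/", 1)[0])
        return True
    except ValueError:
        return False


def host_member_matches(member, hostname, addresses, interfaces):
    """One Host_List member without its leading '!' operators.
    addresses: the local host's addresses (ip_address objects);
    interfaces: its interfaces as ip_interface objects (address + netmask)."""
    if member == "ALL":
        return True
    if member.startswith("+"):
        return False            # netgroups are not modelled in this example
    if _is_address(member):
        if "/" not in member and ipaddress.ip_address(member) in addresses:
            return True         # a plain address that is one of our own
        net = _network_for(member, interfaces)
        return net is not None and any(a in net for a in addresses)
    # a hostname, possibly with wildcards; compared case-insensitively
    return fnmatch.fnmatchcase(hostname.lower(), member.lower())


def host_list_matches(host_list, hostname, addresses, interfaces):
    """Evaluate a comma-separated Host_List: the last matching member
    decides, and an odd number of leading '!' negates that member."""
    decision = False
    for item in (i.strip() for i in host_list.split(",")):
        bangs = len(item) - len(item.lstrip("!"))
        if host_member_matches(item[bangs:], hostname, addresses, interfaces):
            decision = bangs % 2 == 0
    return decision


# Constructed sample host (hypothetical name, addresses and interfaces)
SAMPLE_HOSTNAME = "boulder.example.com"
SAMPLE_INTERFACES = [ipaddress.ip_interface("10.1.2.3/24"),
                     ipaddress.ip_interface("2001:db8:1:2::3/64")]
SAMPLE_ADDRESSES = [i.ip for i in SAMPLE_INTERFACES]


def sample_matches(host_list):
    """Convenience wrapper that evaluates a Host_List for the sample host."""
    return host_list_matches(host_list, SAMPLE_HOSTNAME,
                             SAMPLE_ADDRESSES, SAMPLE_INTERFACES)


if __name__ == "__main__":
    for spec in ["10.1.2.0/255.255.255.0", "10.1.2.0", "10.1.3.0/24",
                 "2001:db8:1:2::/ffff:ffff:ffff:ffff::", "*.example.com",
                 "boulder", "ALL, !boulder.example.com"]:
        print(f"{spec!r:45} -> {sample_matches(spec)}")
```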
    commandname ::= filename |

    Cmnd ::= '!'* commandname |

A Cmnd_List is a list of one or more commandnames, directories, and other aliases. A commandname is a fully qualified filename which may include shell-style wildcards (see the Wildcards section below). A simple filename allows the user to run the command with any arguments he/she wishes. However, you may also specify command line arguments (including wildcards). Alternately, you can specify "" to indicate that the command may only be run without command line arguments. A directory is a fully qualified pathname ending in a '/'. When you specify a directory in a Cmnd_List, the user will be able to run any file within that directory (but not in any subdirectories therein).

If a Cmnd has associated command line arguments, then the arguments in the Cmnd must match exactly those given by the user on the command line (or match the wildcards if there are any). Note that the following characters must be escaped with a '\' if they are used in command arguments: ',', ':', '=', '\'. The special command "sudoedit" is used to permit a user to run sudo with the -e option (or as sudoedit). It may take command line arguments just as a normal command does.
Defaults

Certain configuration options may be changed from their default values at runtime via one or more Default_Entry lines. These may affect all users on any host, all users on a specific host, a specific user, a specific command, or commands being run as a specific user. Note that per-command entries may not include command line arguments. If you need to specify arguments, define a Cmnd_Alias and reference that

    Default_Type ::= 'Defaults' |
                     'Defaults' '@' Host_List |
                     'Defaults' ':' User_List |
                     'Defaults' '!' Cmnd_List |
                     'Defaults' '>' Runas_List

    Default_Entry ::= Default_Type Parameter_List

    Parameter_List ::= Parameter |
                       Parameter ',' Parameter_List

    Parameter ::= Parameter '=' Value |
                  Parameter '+=' Value |
                  Parameter '-=' Value |

Parameters may be flags, integer values, strings, or lists. Flags are implicitly boolean and can be turned off via the '!' operator. Some integer, string and list parameters may also be used in a boolean context to disable them. Values may be enclosed in double quotes (") when they contain multiple words. Special characters may be escaped with a backslash (\).

Lists have two additional assignment operators, += and -=. These operators are used to add to and delete from a list respectively. It is not an error to use the -= operator to remove an element that does

Defaults entries are parsed in the following order: generic, host and user Defaults first, then runas Defaults and finally command defaults.

See "SUDOERS OPTIONS" for a list of supported Defaults parameters.

User Specification

    User_Spec ::= User_List Host_List '=' Cmnd_Spec_List \
                  (':' Host_List '=' Cmnd_Spec_List)*

    Cmnd_Spec_List ::= Cmnd_Spec |
                       Cmnd_Spec ',' Cmnd_Spec_List

    Cmnd_Spec ::= Runas_Spec? Tag_Spec* Cmnd

    Runas_Spec ::= '(' Runas_List? (':' Runas_List)? ')'
    Tag_Spec ::= ('NOPASSWD:' | 'PASSWD:' | 'NOEXEC:' | 'EXEC:' |
                  'SETENV:' | 'NOSETENV:' )

A user specification determines which commands a user may run (and as what user) on specified hosts. By default, commands are run as root, but this can be changed on a per-command basis.

Let's break that down into its constituent parts:

Runas_Spec

A Runas_Spec determines the user and/or the group that a command may be run as. A fully-specified Runas_Spec consists of two Runas_Lists (as defined above) separated by a colon (':') and enclosed in a set of parentheses. The first Runas_List indicates which users the command may be run as via sudo's -u option. The second defines a list of groups that can be specified via sudo's -g option. If both Runas_Lists are specified, the command may be run with any combination of users and groups listed in their respective Runas_Lists. If only the first is specified, the command may be run as any user in the list but no -g option may be specified. If the first Runas_List is empty but the second is specified, the command may be run as the invoking user with the group set to any listed in the Runas_List. If no Runas_Spec is specified the command may be run as root and no group may be specified.

A Runas_Spec sets the default for the commands that follow it. What this means is that for the entry:

    dgb boulder = (operator) /bin/ls, /bin/kill, /usr/bin/lprm

The user dgb may run /bin/ls, /bin/kill, and /usr/bin/lprm -- but only as operator. E.g.,

    $ sudo -u operator /bin/ls.

It is also possible to override a Runas_Spec later on in an entry. If we modify the entry like so:

    dgb boulder = (operator) /bin/ls, (root) /bin/kill, /usr/bin/lprm

Then user dgb is now allowed to run /bin/ls as operator, but /bin/kill and /usr/bin/lprm as root.

We can extend this to allow dgb to run /bin/ls with either the user or group set to operator:

    dgb boulder = (operator : operator) /bin/ls, (root) /bin/kill, \

In the following example, user tcm may run commands that access a modem device file with the dialer group. Note that in this example only the group will be set, the command still runs as user tcm.
    tcm boulder = (:dialer) /usr/bin/tip, /usr/bin/cu, \
                  /usr/local/bin/minicom

Tag_Spec

A command may have zero or more tags associated with it. There are eight possible tag values, NOPASSWD, PASSWD, NOEXEC, EXEC, SETENV and NOSETENV. Once a tag is set on a Cmnd, subsequent Cmnds in the Cmnd_Spec_List inherit the tag unless it is overridden by the opposite tag (i.e.: PASSWD overrides NOPASSWD and NOEXEC overrides EXEC).

NOPASSWD and PASSWD

By default, sudo requires that a user authenticate him or herself before running a command. This behavior can be modified via the NOPASSWD tag. Like a Runas_Spec, the NOPASSWD tag sets a default for the commands that follow it in the Cmnd_Spec_List. Conversely, the PASSWD tag can be used to reverse things. For example:

    ray rushmore = NOPASSWD: /bin/kill, /bin/ls, /usr/bin/lprm

would allow the user ray to run /bin/kill, /bin/ls, and /usr/bin/lprm as root on the machine rushmore without authenticating himself. If we only want ray to be able to run /bin/kill without a password the entry

    ray rushmore = NOPASSWD: /bin/kill, PASSWD: /bin/ls, /usr/bin/lprm

Note, however, that the PASSWD tag has no effect on users who are in the group specified by the exempt_group option.

By default, if the NOPASSWD tag is applied to any of the entries for a user on the current host, he or she will be able to run sudo -l without a password. Additionally, a user may only run sudo -v without a password if the NOPASSWD tag is present for all a user's entries that pertain to the current host. This behavior may be overridden via the verifypw and listpw options.

NOEXEC and EXEC

If sudo has been compiled with noexec support and the underlying operating system supports it, the NOEXEC tag can be used to prevent a dynamically-linked executable from running further commands itself.

In the following example, user aaron may run /usr/bin/more and /usr/bin/vi but shell escapes will be disabled.

    aaron shanty = NOEXEC: /usr/bin/more, /usr/bin/vi

See the "PREVENTING SHELL ESCAPES" section below for more details on how NOEXEC works and whether or not it will work on your system.

SETENV and NOSETENV
These tags override the value of the setenv option on a per-command basis. Note that if SETENV has been set for a command, any environment variables set on the command line are not subject to the restrictions imposed by env_check, env_delete, or env_keep. As such, only trusted users should be allowed to set variables in this manner. If the command matched is ALL, the SETENV tag is implied for that command; this default may be overridden by use of the NOSETENV tag.
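The Runas_Spec and Tag_Spec behaviour described above, as an added worked example that is not part of the manual and not sudo's own code: a small evaluator that parses the entries quoted in this section, propagates the Runas_Spec and tag defaults along a Cmnd_Spec_List, implies SETENV for ALL, and applies the last-match-wins rule from the DESCRIPTION. Users, hosts and commands are compared as exact names (or ALL) here; aliases, groups and wildcards are left out, and the sample entries are a constructed sudoers.

```python
"""Evaluating User_Spec entries: a Runas_Spec and each tag set the default
for the Cmnds after it, a tag is undone only by its opposite, SETENV is
implied for ALL, and the last matching entry wins. Users, hosts and
commands are compared as exact names or ALL; no wildcards, aliases or
groups. Worked model for illustration; not sudo's own code."""
import re
from dataclasses import dataclass

# tag -> (setting it controls, value that tag gives the setting)
TAGS = {"NOPASSWD": ("passwd", False), "PASSWD": ("passwd", True),
        "NOEXEC": ("exec", False), "EXEC": ("exec", True),
        "SETENV": ("setenv", True), "NOSETENV": ("setenv", False)}
TAG_RE = re.compile(r"(NOPASSWD|PASSWD|NOEXEC|EXEC|SETENV|NOSETENV):\s*(.*)")
RUNAS_RE = re.compile(r"\(([^)]*)\)\s*(.*)")


@dataclass
class CmndSpec:
    runas_users: tuple    # () while groups are given: only the invoking user
    runas_groups: tuple   # (): no -g option may be given
    tags: dict
    negated: bool
    cmnd: str


def _split_commas(text):
    """Split a Cmnd_Spec_List on commas outside a parenthesised Runas_Spec."""
    parts, depth, cur = [], 0, ""
    for ch in text:
        depth += (ch == "(") - (ch == ")")
        if ch == "," and depth == 0:
            parts.append(cur)
            cur = ""
        else:
            cur += ch
    return [p.strip() for p in parts + [cur]]


def _names(text):
    return tuple(n.strip() for n in text.split(",") if n.strip())


def parse_user_spec(line):
    """Parse 'user host = Cmnd_Spec_List' into (user, host, [CmndSpec...])
    with the Runas_Spec and tag defaults already propagated along the list."""
    lhs, _, rhs = line.partition("=")
    user, host = lhs.split()
    runas_users, runas_groups = ("root",), ()   # no Runas_Spec: root, no group
    tags = {"passwd": True, "exec": True, "setenv": None}
    specs = []
    for item in _split_commas(rhs):
        if m := RUNAS_RE.match(item):             # a new Runas_Spec: new default
            users_part, _, groups_part = m.group(1).partition(":")
            runas_users, runas_groups = _names(users_part), _names(groups_part)
            item = m.group(2)
        while m := TAG_RE.match(item):            # tags carry forward
            setting, value = TAGS[m.group(1)]
            tags = {**tags, setting: value}
            item = m.group(2)
        bangs = len(item) - len(item.lstrip("!"))  # an odd count of '!' negates
        specs.append(CmndSpec(runas_users, runas_groups, dict(tags),
                              bangs % 2 == 1, item[bangs:].strip()))
    return user, host, specs


def _runas_allowed(spec, invoking_user, runas_user, runas_group):
    if spec.runas_users:
        if runas_user not in spec.runas_users and "ALL" not in spec.runas_users:
            return False
    elif runas_user != invoking_user:
        return False
    if runas_group is None:
        return True
    return runas_group in spec.runas_groups or "ALL" in spec.runas_groups


def decide(rules, user, host, command, runas_user="root", runas_group=None):
    """Walk the parsed rules in order; the last matching Cmnd_Spec decides.
    Returns None when the command is not permitted, else the tags in force."""
    result = None
    for rule_user, rule_host, specs in rules:
        if rule_user not in (user, "ALL") or rule_host not in (host, "ALL"):
            continue
        for spec in specs:
            if spec.cmnd not in (command, "ALL"):
                continue
            if not _runas_allowed(spec, user, runas_user, runas_group):
                continue
            result = None if spec.negated else dict(spec.tags)
            if result is not None and spec.cmnd == "ALL" and result["setenv"] is None:
                result["setenv"] = True           # SETENV is implied for ALL
    return result


# The entries quoted in this section, as a constructed sample sudoers
SAMPLE_RULES = [parse_user_spec(line) for line in (
    "dgb boulder = (operator) /bin/ls, (root) /bin/kill, /usr/bin/lprm",
    "tcm boulder = (:dialer) /usr/bin/tip, /usr/bin/cu",
    "ray rushmore = NOPASSWD: /bin/kill, PASSWD: /bin/ls, /usr/bin/lprm",
    "aaron shanty = NOEXEC: /usr/bin/more, /usr/bin/vi")]
```

Appending a constructed "ray ALL = ALL" followed by "ray rushmore = !/usr/bin/lprm" to SAMPLE_RULES shows the last-match rule: the negated entry denies /usr/bin/lprm on rushmore even though the ALL entry before it would have allowed it.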
Wildcards

sudo allows shell-style wildcards (aka meta or glob characters) to be used in hostnames, pathnames and command line arguments in the sudoers file. Wildcard matching is done via the POSIX fnmatch(3) routine. Note that these are not regular expressions.
    *       Matches any set of zero or more characters.

    ?       Matches any single character.

    [...]   Matches any character in the specified range.

    [!...]  Matches any character not in the specified range.

    \x      For any character "x", evaluates to "x". This is used to escape special characters such as: "*", "?", "[", and "]".
POSIX character classes may also be used if your system's fnmatch(3) function supports them. However, because the ':' character has special meaning in sudoers, it must be escaped. For example:

    /bin/ls [[\:alpha\:]]*

Would match any filename beginning with a letter.

Note that a forward slash ('/') will not be matched by wildcards used in the pathname. When matching the command line arguments, however, a slash does get matched by wildcards. This is to make a path like:

match /usr/bin/who but not /usr/bin/X11/xterm.

Exceptions to wildcard rules

The following exceptions apply to the above rules:

    ""  If the empty string "" is the only command line argument in the sudoers entry it means that command is not allowed to be run with any arguments.
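The following Python is an added example (not from the manual and not sudo's code) modelling how a Cmnd with optional arguments is matched under the wildcard rules of this section and the Cmnd_List rules earlier: component-wise pathname matching so that '/' is never matched by a wildcard, argument matching where '/' is, the "" exception, and directories. The sample Cmnds and paths are constructed, and the sudoers-level escapes for ',', ':' and '=' are assumed to have been removed by the parser already.

```python
"""Cmnd matching: a fully qualified command name (wildcards never match
'/'), optional command line arguments (exact, or wildcards that do match
'/'), "" for 'no arguments allowed', and a directory ending in '/'.
Worked model for illustration; not sudo's own code."""
import fnmatch
import posixpath
import re


def _glob(pattern):
    """fnmatch(3) treats \\x as the literal character x; Python's fnmatch
    has no escape, so rewrite each \\x into the bracket form [x], which
    it does understand."""
    return re.sub(r"\\(.)", lambda m: "[" + m.group(1) + "]", pattern)


def _path_matches(pattern, path):
    """Command name match with the pathname rule: wildcards don't match '/',
    so compare component by component (like fnmatch(3) with FNM_PATHNAME)."""
    pat_parts, path_parts = pattern.split("/"), path.split("/")
    return len(pat_parts) == len(path_parts) and all(
        fnmatch.fnmatchcase(p, _glob(q)) for p, q in zip(path_parts, pat_parts))


def _args_match(spec_args, user_args):
    """spec_args None: any arguments; '""': no arguments at all; otherwise
    the user's arguments joined by single spaces must match the pattern,
    where '/' is matched by wildcards."""
    if spec_args is None:
        return True
    if spec_args == '""':
        return len(user_args) == 0
    return fnmatch.fnmatchcase(" ".join(user_args), _glob(spec_args))


def cmnd_matches(cmnd, command, user_args=()):
    """Does one sudoers Cmnd (e.g. '/usr/bin/*', '/usr/local/bin/',
    '/bin/kill ""', '/usr/bin/cat /var/log/*') permit running the given
    fully qualified command with these arguments?"""
    if cmnd == "ALL":
        return True
    name, _, rest = cmnd.partition(" ")
    spec_args = rest.strip() or None
    if name.endswith("/"):
        # a directory: any file directly inside it, not in subdirectories
        return (posixpath.dirname(command) + "/" == name
                and _args_match(spec_args, user_args))
    return _path_matches(name, command) and _args_match(spec_args, user_args)


if __name__ == "__main__":
    # constructed sample checks
    for spec, cmd, args in [("/usr/bin/*", "/usr/bin/who", []),
                            ("/usr/bin/*", "/usr/bin/X11/xterm", []),
                            ('/bin/kill ""', "/bin/kill", ["-9", "1"]),
                            ("/usr/bin/cat /var/log/*", "/usr/bin/cat",
                             ["/var/log/nginx/access.log"]),
                            ("/usr/local/bin/", "/usr/local/bin/sub/tool", [])]:
        print(f"{spec!r:28} {cmd!r:28} {args!r:30} -> "
              f"{cmnd_matches(spec, cmd, args)}")
```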
Including other files from within sudoers

It is possible to include other sudoers files from within the sudoers file currently being parsed using the #include directive, similar to the one used by the C preprocessor. This is useful, for example, for keeping a site-wide sudoers file in addition to a per-machine local one. For the sake of this example the site-wide sudoers will be /etc/sudoers and the per-machine one will be /etc/sudoers.local. To include /etc/sudoers.local from /etc/sudoers we would use the following line in /etc/sudoers:

    #include /etc/sudoers.local
When sudo reaches this line it will suspend processing of the current file (/etc/sudoers) and switch to /etc/sudoers.local. Upon reaching the end of /etc/sudoers.local, the rest of /etc/sudoers will be processed. Files that are included may themselves include other files. A hard limit of 128 nested include files is enforced to prevent include

Other special characters and reserved words

The pound sign ('#') is used to indicate a comment (unless it is part of a #include directive or unless it occurs in the context of a user name and is followed by one or more digits, in which case it is treated as a uid). Both the comment character and any text after it, up to the end of the line, are ignored.

The reserved word ALL is a built-in alias that always causes a match to succeed. It can be used wherever one might otherwise use a Cmnd_Alias, User_Alias, Runas_Alias, or Host_Alias. You should not try to define your own alias called ALL as the built-in alias will be used in preference to your own. Please note that using ALL can be dangerous since in a command context, it allows the user to run any command on

An exclamation point ('!') can be used as a logical not operator both in an alias and in front of a Cmnd. This allows one to exclude certain values. Note, however, that using a ! in conjunction with the built-in ALL alias to allow a user to run "all but a few" commands rarely works as intended (see SECURITY NOTES below).

Long lines can be continued with a backslash ('\') as the last character on the line.

Whitespace between elements in a list as well as special syntactic characters in a User Specification ('=', ':', '(', ')') is optional.

The following characters must be escaped with a backslash ('\') when used as part of a word (e.g. a username or hostname): '@', '!', '=', ':', ',', '(', ')', '\'.
SUDOERS OPTIONS

sudo's behavior can be modified by Default_Entry lines, as explained earlier. A list of all supported Defaults parameters, grouped by type,

Flags:
always_set_home
    If set, sudo will set the HOME environment variable to the home directory of the target user (which is root unless the -u option is used). This effectively means that the -H option is always implied. This flag is off

authenticate
    If set, users must authenticate themselves via a password (or other means of authentication) before they may run commands. This default may be overridden via the PASSWD and NOPASSWD tags. This flag is on by

    If set, the user may use sudo's -C option which overrides the default starting point at which sudo begins closing open file descriptors. This flag is off

env_editor
    If set, visudo will use the value of the EDITOR or VISUAL environment variables before falling back on the default editor list. Note that this may create a security hole as it allows the user to run any arbitrary command as root without logging. A safer alternative is to place a colon-separated list of editors in the editor variable. visudo will then only use the EDITOR or VISUAL if they match a value specified in editor. This flag is off by default.

env_reset
    If set, sudo will reset the environment to only contain the LOGNAME, SHELL, USER, USERNAME and the SUDO_* variables. Any variables in the caller's environment that match the env_keep and env_check lists are then added. The default contents of the env_keep and env_check lists are displayed when sudo is run by root with the -V option. If the secure_path option is set, its value will be used for the PATH environment variable. This flag is on by default.

fqdn
    Set this flag if you want to put fully qualified hostnames in the sudoers file. I.e., instead of myhost you would use myhost.mydomain.edu. You may still use the short form if you wish (and even mix the two). Beware that turning on fqdn requires sudo to make DNS lookups which may make sudo unusable if DNS stops working (for example if the machine is not plugged into the network). Also note that you must use the host's official name as DNS knows it. That is, you may not use a host alias (CNAME entry) due to performance issues and the fact that there is no way to get all aliases from DNS. If your machine's hostname (as returned by the hostname command) is already fully qualified you shouldn't need to set fqdn. This flag is off by default.
ignore_dot
    If set, sudo will ignore '.' or '' (current dir) in the PATH environment variable; the PATH itself is not modified. This flag is off by default.

    If set via LDAP, parsing of /etc/sudoers will be skipped. This is intended for Enterprises that wish to prevent the usage of local sudoers files so that only LDAP is used. This thwarts the efforts of rogue operators who would attempt to add roles to /etc/sudoers. When this option is present, /etc/sudoers does not even need to exist. Since this option tells sudo how to behave when no specific LDAP entries have been matched, this sudoOption is only meaningful for the cn=defaults section. This flag is off by default.

insults
    If set, sudo will insult users when they enter an incorrect password. This flag is off by default.

log_host
    If set, the hostname will be logged in the (non-syslog) sudo log file. This flag is off by default.

log_year
    If set, the four-digit year will be logged in the (non-syslog) sudo log file. This flag is off by default.
long_otp_prompt
    When validating with a One Time Password (OTP) scheme such as S/Key or OPIE, a two-line prompt is used to make it easier to cut and paste the challenge to a local window. It's not as pretty as the default but some people find it more convenient. This flag is off

mail_always
    Send mail to the mailto user every time a user runs sudo. This flag is off by default.

mail_badpass
    Send mail to the mailto user if the user running sudo does not enter the correct password. This flag is off

mail_no_host
    If set, mail will be sent to the mailto user if the invoking user exists in the sudoers file, but is not allowed to run commands on the current host. This flag is off by default.

mail_no_perms
    If set, mail will be sent to the mailto user if the invoking user is allowed to use sudo but the command they are trying is not listed in their sudoers file entry or is explicitly denied. This flag is off by

mail_no_user
    If set, mail will be sent to the mailto user if the invoking user is not in the sudoers file. This flag is
noexec
    If set, all commands run via sudo will behave as if the NOEXEC tag has been set, unless overridden by an EXEC tag. See the description of NOEXEC and EXEC above as well as the "PREVENTING SHELL ESCAPES" section at the end of this manual. This flag is off by default.

path_info
    Normally, sudo will tell the user when a command could not be found in their PATH environment variable. Some sites may wish to disable this as it could be used to gather information on the location of executables that the normal user does not have access to. The disadvantage is that if the executable is simply not in the user's PATH, sudo will tell the user that they are not allowed to run it, which can be confusing. This flag is on by default.

    The password prompt specified by passprompt will normally only be used if the password prompt provided by systems such as PAM matches the string "Password:". If passprompt_override is set, passprompt will always be used. This flag is off by default.

preserve_groups
    By default sudo will initialize the group vector to the list of groups the target user is in. When preserve_groups is set, the user's existing group vector is left unaltered. The real and effective group IDs, however, are still set to match the target user. This flag is off by default.

requiretty
    If set, sudo will only run when the user is logged in to a real tty. When this flag is set, sudo can only be run from a login session and not via other means such as cron(1m) or cgi-bin scripts. This flag is off by

root_sudo
    If set, root is allowed to run sudo too. Disabling this prevents users from "chaining" sudo commands to get a root shell by doing something like "sudo sudo /bin/sh". Note, however, that turning off root_sudo will also prevent root from running sudoedit. Disabling root_sudo provides no real additional security; it exists purely for historical reasons. This flag is on by default.

rootpw
    If set, sudo will prompt for the root password instead of the password of the invoking user. This flag is off

runaspw
    If set, sudo will prompt for the password of the user defined by the runas_default option (defaults to root) instead of the password of the invoking user. This flag is off by default.
733 set_home If set and s
\bsu
\bud
\bdo
\bo is invoked with the -
\b-s
\bs option the HOME
734 environment variable will be set to the home directory
735 of the target user (which is root unless the -
\b-u
\bu option
736 is used). This effectively makes the -
\b-s
\bs option imply
737 -
\b-H
\bH. This flag is _
\bo_
\bf_
\bf by default.
739 set_logname Normally, s
\bsu
\bud
\bdo
\bo will set the LOGNAME, USER and USERNAME
740 environment variables to the name of the target user
741 (usually root unless the -
\b-u
\bu option is given). However,
742 since some programs (including the RCS revision control
743 system) use LOGNAME to determine the real identity of
744 the user, it may be desirable to change this behavior.
745 This can be done by negating the set_logname option.
746 Note that if the _
\be_
\bn_
\bv_
\b__
\br_
\be_
\bs_
\be_
\bt option has not been
747 disabled, entries in the _
\be_
\bn_
\bv_
\b__
\bk_
\be_
\be_
\bp list will override
748 the value of _
\bs_
\be_
\bt_
\b__
\bl_
\bo_
\bg_
\bn_
\ba_
\bm_
\be. This flag is _
\bo_
\bf_
\bf by default.
750 setenv Allow the user to disable the _
\be_
\bn_
\bv_
\b__
\br_
\be_
\bs_
\be_
\bt option from the
751 command line. Additionally, environment variables set
752 via the command line are not subject to the
753 restrictions imposed by _
\be_
\bn_
\bv_
\b__
\bc_
\bh_
\be_
\bc_
\bk, _
\be_
\bn_
\bv_
\b__
\bd_
\be_
\bl_
\be_
\bt_
\be, or
754 _
\be_
\bn_
\bv_
\b__
\bk_
\be_
\be_
\bp. As such, only trusted users should be
755 allowed to set variables in this manner. This flag is
756 _
\bo_
\bf_
\bf by default.
shell_noargs    If set and sudo is invoked with no arguments it acts as
                if the -s option had been given. That is, it runs a
                shell as root (the shell is determined by the SHELL
                environment variable if it is set, falling back on the
                shell listed in the invoking user's /etc/passwd entry
                if not). This flag is off by default.
stay_setuid     Normally, when sudo executes a command the real and
                effective UIDs are set to the target user (root by
                default). This option changes that behavior such that
                the real UID is left as the invoking user's UID. In
                other words, this makes sudo act as a setuid wrapper.
                This can be useful on systems that disable some
                potentially dangerous functionality when a program is
                run setuid. This option is only effective on systems
                with either the setreuid() or setresuid() function.
                This flag is off by default.
targetpw        If set, sudo will prompt for the password of the user
                specified by the -u option (defaults to root) instead
                of the password of the invoking user. Note that this
                precludes the use of a uid not listed in the passwd
                database as an argument to the -u option. This flag is
                off by default.
tty_tickets     If set, users must authenticate on a per-tty basis.
                Normally, sudo uses a directory in the ticket dir with
                the same name as the user running it. With this flag
                enabled, sudo will use a file named for the tty the
                user is logged in on in that directory. This flag is
                off by default.
use_loginclass  If set, sudo will apply the defaults specified for the
                target user's login class if one exists. Only
                available if sudo is configured with the
                --with-logincap option. This flag is off by default.
visiblepw       By default, sudo will refuse to run if the user must
                enter a password but it is not possible to disable echo
                on the terminal. If the visiblepw flag is set, sudo
                will prompt for a password even when it would be
                visible on the screen. This makes it possible to run
                things like "rsh somehost sudo ls" since rsh(1) does
                not allocate a tty. This flag is off by default.
Integers:
closefrom       Before it executes a command, sudo will close all open
                file descriptors other than standard input, standard
                output and standard error (i.e., file descriptors 0-2).
                The closefrom option can be used to specify a different
                file descriptor at which to start closing. The default
passwd_tries    The number of tries a user gets to enter his/her
                password before sudo logs the failure and exits. The
Integers that can be used in a boolean context:
loglinelen      Number of characters per line for the file log. This
                value is used to decide when to wrap lines for nicer
                log files. This has no effect on the syslog log file,
                only the file log. The default is 80 (use 0 or negate
                the option to disable word wrap).
passwd_timeout  Number of minutes before the sudo password prompt times
                out. The default is 5; set this to 0 for no password
                Number of minutes that can elapse before sudo will ask
                for a password again. The default is 5. Set this to 0
                to always prompt for a password. If set to a value
                less than 0 the user's timestamp will never expire.
                This can be used to allow users to create or delete
                their own timestamps via sudo -v and sudo -k
umask           Umask to use when running the command. Negate this
                option or set it to 0777 to preserve the user's umask.
                The actual umask that is used will be the union of the
                user's umask and 0022. This guarantees that sudo never
                lowers the umask when running a command. Note on
                systems that use PAM, the default PAM configuration may
                specify its own umask which will override the value set
                in sudoers.
Strings:
badpass_message Message that is displayed if a user enters an incorrect
                password. The default is Sorry, try again. unless
editor          A colon (':') separated list of editors allowed to be
                used with visudo. visudo will choose the editor that
                matches the user's EDITOR environment variable if
                possible, or the first editor in the list that exists
                and is executable. The default is the path to vi on
mailsub         Subject of the mail sent to the mailto user. The escape
                %h will expand to the hostname of the machine. Default
                is *** SECURITY information for %h ***.
noexec_file     Path to a shared library containing dummy versions of
                the execv(), execve() and fexecve() library functions
                that just return an error. This is used to implement
                the noexec functionality on systems that support
                LD_PRELOAD or its equivalent. Defaults to
                /usr/local/libexec/sudo_noexec.so.
passprompt      The default prompt to use when asking for a password;
                can be overridden via the -p option or the SUDO_PROMPT
                environment variable. The following percent (`%')
                escapes are supported:

                %H      expanded to the local hostname including the domain
                        name (only if the machine's hostname is fully
                        qualified or the fqdn option is set)

                %h      expanded to the local hostname without the domain

                %p      expanded to the user whose password is being asked
                        for (respects the rootpw, targetpw and runaspw
                        flags in sudoers)

                %U      expanded to the login name of the user the command
                        will be run as (defaults to root)

                %u      expanded to the invoking user's login name

                %%      two consecutive % characters are collapsed into a

                The default value is Password:.
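As an added example (not code from the sudo project or this manual), the following Python expands a passprompt string according to the escape table above. Two things are assumptions of this model rather than documented sudo behaviour: the DNS lookup that the fqdn option performs is replaced by a caller-supplied resolved_fqdn value, and %p is resolved in the order rootpw, then runaspw, then targetpw.

```python
"""Expansion of the percent escapes in a sudoers passprompt string.

Added example, not sudo's own code. The fqdn lookup is stood in for by a
caller-supplied resolved_fqdn, and the rootpw > runaspw > targetpw
precedence used for %p is an assumption of this model.
"""
from __future__ import annotations


def expand_passprompt(prompt: str, host: str, invoking_user: str,
                      runas_user: str = "root", runas_default: str = "root",
                      fqdn: bool = False, resolved_fqdn: str | None = None,
                      rootpw: bool = False, runaspw: bool = False,
                      targetpw: bool = False) -> str:
    # %H carries the domain only if the hostname is already fully
    # qualified or the fqdn option produced a qualified name.
    if "." in host:
        long_host = host
    elif fqdn and resolved_fqdn:
        long_host = resolved_fqdn
    else:
        long_host = host
    short_host = host.split(".", 1)[0]

    # %p: whose password is asked for (precedence assumed, see docstring).
    if rootpw:
        pw_user = "root"
    elif runaspw:
        pw_user = runas_default
    elif targetpw:
        pw_user = runas_user
    else:
        pw_user = invoking_user

    escapes = {"H": long_host, "h": short_host, "p": pw_user,
               "U": runas_user, "u": invoking_user, "%": "%"}

    out: list[str] = []
    i = 0
    while i < len(prompt):
        ch = prompt[i]
        if ch == "%" and i + 1 < len(prompt) and prompt[i + 1] in escapes:
            out.append(escapes[prompt[i + 1]])
            i += 2
        else:
            out.append(ch)   # unknown escape or trailing '%' is kept as-is
            i += 1
    return "".join(out)


if __name__ == "__main__":
    # Constructed inputs for the example.
    print(expand_passprompt("[sudo] password for %p on %h: ",
                            host="db1.example.org", invoking_user="alice"))
```

The prompt is user-visible only, so the point of the model is the %p case: under targetpw or runaspw the user is told whose password is wanted, which is the only cue they get that sudo is no longer asking for their own.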
runas_default   The default user to run commands as if the -u option is
                not specified on the command line. This defaults to
                root. Note that if runas_default is set it must occur
                before any Runas_Alias specifications.
syslog_badpri   Syslog priority to use when user authenticates
                unsuccessfully. Defaults to alert.

syslog_goodpri  Syslog priority to use when user authenticates
                successfully. Defaults to notice.
sudoers_locale  Locale to use when parsing the sudoers file. Note that
                changing the locale may affect how sudoers is
                interpreted. Defaults to "C".
timestampdir    The directory in which sudo stores its timestamp files.
                The default is /var/run/sudo.
timestampowner  The owner of the timestamp directory and the timestamps
                stored therein. The default is root.
Strings that can be used in a boolean context:
askpass         The askpass option specifies the fully qualified path to a
                helper program used to read the user's password when no
                terminal is available. This may be the case when sudo is
                executed from a graphical (as opposed to text-based)
                application. The program specified by askpass should
                display the argument passed to it as the prompt and write
                the user's password to the standard output. The value of
                askpass may be overridden by the SUDO_ASKPASS environment
env_file        The env_file option specifies the fully qualified path to
                a file containing variables to be set in the environment of
                the program being run. Entries in this file should be of
                the form VARIABLE=value. Variables in this file are
                subject to other sudo environment settings such as env_keep
                and env_check.
                Users in this group are exempt from password and PATH
                requirements. This is not set by default.
lecture         This option controls when a short lecture will be printed
                along with the password prompt. It has the following

                always      Always lecture the user.

                never       Never lecture the user.

                once        Only lecture the user the first time they run sudo.

                If no value is specified, a value of once is implied.
                Negating the option results in a value of never being used.
                The default value is once.
                Path to a file containing an alternate sudo lecture that
                will be used in place of the standard lecture if the named
                file exists. By default, sudo uses a built-in lecture.
listpw          This option controls when a password will be required when
                a user runs sudo with the -l option. It has the following

                all         All the user's sudoers entries for the current host
                            must have the NOPASSWD flag set to avoid entering a

                always      The user must always enter a password to use the -l

                any         At least one of the user's sudoers entries for the
                            current host must have the NOPASSWD flag set to
                            avoid entering a password.

                never       The user need never enter a password to use the -l

                If no value is specified, a value of any is implied.
                Negating the option results in a value of never being used.
                The default value is any.
logfile         Path to the sudo log file (not the syslog log file).
                Setting a path turns on logging to a file; negating this
                option turns it off. By default, sudo logs via syslog.
mailerflags     Flags to use when invoking mailer. Defaults to -t.
mailerpath      Path to mail program used to send warning mail. Defaults
                to the path to sendmail found at configure time.
mailfrom        Address to use for the "from" address when sending warning
                and error mail. The address should be enclosed in double
                quotes (") to protect against sudo interpreting the @ sign.
                Defaults to the name of the user running sudo.
mailto          Address to send warning and error mail to. The address
                should be enclosed in double quotes (") to protect against
                sudo interpreting the @ sign. Defaults to root.
secure_path     Path used for every command run from sudo. If you don't
                trust the people running sudo to have a sane PATH
                environment variable you may want to use this. Another use
                is if you want to have the "root path" be separate from the
                "user path." Users in the group specified by the
                exempt_group option are not affected by secure_path. This
                is not set by default.
syslog          Syslog facility if syslog is being used for logging (negate
                to disable syslog logging). Defaults to local2.
verifypw        This option controls when a password will be required when
                a user runs sudo with the -v option. It has the following

                all         All the user's sudoers entries for the current host
                            must have the NOPASSWD flag set to avoid entering a

                always      The user must always enter a password to use the -v

                any         At least one of the user's sudoers entries for the
                            current host must have the NOPASSWD flag set to
                            avoid entering a password.

                never       The user need never enter a password to use the -v

                If no value is specified, a value of all is implied.
                Negating the option results in a value of never being used.
                The default value is all.
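listpw and verifypw share the same four values but differ in what a bare option name implies (any for -l, all for -v). As an added example (not code from the sudo project or this manual), the Python below applies those values to the NOPASSWD tags on a user's matching entries. The entry list, the effective_value helper and the choice to prompt when no entry matches at all are assumptions of this model, not sudo's API.

```python
"""Decision model for the listpw (sudo -l) and verifypw (sudo -v) options.

Added example, not sudo's own code. It applies the four shared values
(all, any, always, never) to the NOPASSWD tags on a user's matching
sudoers entries and resolves a bare or negated Defaults line to its
implied value. The sample entry list is constructed for the example.
"""
from __future__ import annotations

VALUES = ("all", "any", "always", "never")


def effective_value(value: str | None, negated: bool, implied: str) -> str:
    """Resolve 'Defaults X', 'Defaults !X' or 'Defaults X=value'.

    implied is what a bare option name stands for: any for listpw, all
    for verifypw. A negated option always means never.
    """
    if negated:
        return "never"
    return implied if value is None else value


def password_required(value: str, entries_nopasswd: list[bool]) -> bool:
    """True if sudo -l / sudo -v must prompt for a password.

    entries_nopasswd holds one bool per sudoers entry that matches the
    user on the current host: True when the entry carries NOPASSWD.
    """
    if value not in VALUES:
        raise ValueError(f"unknown value {value!r}")
    if value == "always":
        return True
    if value == "never":
        return False
    if not entries_nopasswd:
        # No matching entry can satisfy "all" or "any"; modeled as a prompt.
        return True
    if value == "all":
        return not all(entries_nopasswd)
    return not any(entries_nopasswd)        # value == "any"


# Constructed sample: two entries on this host, only the first is NOPASSWD.
SAMPLE_ENTRIES = [True, False]

if __name__ == "__main__":
    listpw = effective_value(None, False, "any")      # "Defaults listpw"
    verifypw = effective_value(None, False, "all")    # "Defaults verifypw"
    print("sudo -l prompts:", password_required(listpw, SAMPLE_ENTRIES))    # False
    print("sudo -v prompts:", password_required(verifypw, SAMPLE_ENTRIES))  # True
```

With the sample entries a bare "Defaults listpw" lets the user list the policy without a password (one NOPASSWD entry satisfies any), while "Defaults verifypw" still prompts for sudo -v because all requires every entry to be NOPASSWD.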
Lists that can be used in a boolean context:
env_check       Environment variables to be removed from the user's
                environment if the variable's value contains % or /
                characters. This can be used to guard against printf-style
                format vulnerabilities in poorly-written programs. The
                argument may be a double-quoted, space-separated list or a
                single value without double-quotes. The list can be
                replaced, added to, deleted from, or disabled by using the
                =, +=, -=, and ! operators respectively. Regardless of
                whether the env_reset option is enabled or disabled,
                variables specified by env_check will be preserved in the
                environment if they pass the aforementioned check. The
                default list of environment variables to check is
                displayed when sudo is run by root with the -V option.
env_delete      Environment variables to be removed from the user's
                environment. The argument may be a double-quoted,
                space-separated list or a single value without
                double-quotes. The list can be replaced, added to, deleted
                from, or disabled by using the =, +=, -=, and ! operators
                respectively. The default list of environment variables to
                remove is displayed when sudo is run by root with the -V
                option. Note that many operating systems will remove
                potentially dangerous variables from the environment of any
                setuid process (such as sudo).
env_keep        Environment variables to be preserved in the user's
                environment when the env_reset option is in effect.
                This allows fine-grained control over the environment
                sudo-spawned processes will receive. The argument may
                be a double-quoted, space-separated list or a single
                value without double-quotes. The list can be replaced,
                added to, deleted from, or disabled by using the =, +=,
                -=, and ! operators respectively. The default list of
                variables to keep is displayed when sudo is run by root
                with the -V option.
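The three lists above and the setenv flag interact: env_check applies whether or not env_reset is on, env_keep only matters under env_reset, env_delete only matters without it, and variables passed on the command line bypass all three. As an added example (not code from the sudo project or this manual), the following Python models that interaction on a constructed environment; the list contents are invented for the example (the real defaults come from `sudo -V` run as root) and glob matching of list entries such as LC_* is an assumption of the model.

```python
"""Model of the environment sudo hands to a command under env_reset,
env_keep, env_check, env_delete and the setenv flag.

Added example, not sudo's own code. The rules are the ones the option
descriptions state; the list contents and the sample environment are
constructed for the example.
"""
from __future__ import annotations

import fnmatch


class EnvPolicy:
    def __init__(self, env_reset: bool = True, env_keep=(), env_check=(),
                 env_delete=(), setenv: bool = False):
        self.env_reset = env_reset
        self.env_keep = list(env_keep)
        self.env_check = list(env_check)
        self.env_delete = list(env_delete)
        self.setenv = setenv          # may the user pass VAR=value / -E?

    @staticmethod
    def _in(name: str, patterns: list[str]) -> bool:
        # Entries such as LC_* are treated as glob patterns on the name.
        return any(fnmatch.fnmatchcase(name, p) for p in patterns)

    @staticmethod
    def _value_clean(value: str) -> bool:
        # env_check drops the variable if its value contains '%' or '/'.
        return "%" not in value and "/" not in value

    def sanitize(self, env: dict[str, str],
                 command_line: dict[str, str] | None = None) -> dict[str, str]:
        """Return the environment the command would receive."""
        out: dict[str, str] = {}
        for name, value in env.items():
            if self._in(name, self.env_check):
                # Kept whether or not env_reset is on, but only if clean.
                if self._value_clean(value):
                    out[name] = value
            elif self.env_reset:
                if self._in(name, self.env_keep):
                    out[name] = value
            elif not self._in(name, self.env_delete):
                out[name] = value

        if command_line:
            if not self.setenv:
                raise PermissionError("setting variables on the command line "
                                      "requires the setenv flag or SETENV tag")
            # Command-line variables bypass env_check, env_delete and
            # env_keep entirely, hence "only trusted users".
            out.update(command_line)
        return out


# Constructed lists and environment for the example.
DEFAULT_POLICY = EnvPolicy(
    env_reset=True,
    env_keep=["HOME", "LANG", "LC_*", "TERM"],
    env_check=["TZ", "COLORTERM"],
    env_delete=["LD_*", "IFS", "ENV", "BASH_ENV"],
)
SAMPLE_ENV = {
    "HOME": "/home/alice", "TERM": "xterm", "LC_ALL": "C", "PS1": "$ ",
    "TZ": "UTC", "COLORTERM": "%n",             # COLORTERM fails the % check
    "LD_PRELOAD": "/tmp/evil.so", "IFS": " ",   # attacker-controlled
}

if __name__ == "__main__":
    print(DEFAULT_POLICY.sanitize(SAMPLE_ENV))
```

Run against SAMPLE_ENV the env_reset policy keeps HOME, TERM, LC_ALL and TZ only; the same lists with env_reset off additionally let PS1 through, and a policy with setenv lets LD_PRELOAD back in unchecked when it is given on the command line.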
When logging via syslog(3), sudo accepts the following values for the
syslog facility (the value of the syslog Parameter): authpriv (if your
OS supports it), auth, daemon, user, local0, local1, local2, local3,
local4, local5, local6, and local7. The following syslog priorities
are supported: alert, crit, debug, emerg, err, info, notice, and
warning.
FILES
    /etc/sudoers           List of who can run what
    /etc/group             Local groups file
    /etc/netgroup          List of network groups
EXAMPLES
Below are example sudoers entries. Admittedly, some of these are a bit
contrived. First, we define our aliases:
    # User alias specification
    User_Alias     FULLTIMERS = millert, mikef, dowdy
    User_Alias     PARTTIMERS = bostley, jwfox, crawl
    User_Alias     WEBMASTERS = will, wendy, wim

    # Runas alias specification
    Runas_Alias    OP = root, operator
    Runas_Alias    DB = oracle, sybase

    # Host alias specification
    Host_Alias     SPARC = bigtime, eclipse, moet, anchor :\
                   SGI = grolsch, dandelion, black :\
                   ALPHA = widget, thalamus, foobar :\
                   HPPA = boa, nag, python
    Host_Alias     CUNETS = 128.138.0.0/255.255.0.0
    Host_Alias     CSNETS = 128.138.243.0, 128.138.204.0/24, 128.138.242.0
    Host_Alias     SERVERS = master, mail, www, ns
    Host_Alias     CDROM = orion, perseus, hercules

    # Cmnd alias specification
    Cmnd_Alias     DUMPS = /usr/bin/mt, /usr/sbin/dump, /usr/sbin/rdump,\
                   /usr/sbin/restore, /usr/sbin/rrestore
    Cmnd_Alias     KILL = /usr/bin/kill
    Cmnd_Alias     PRINTING = /usr/sbin/lpc, /usr/bin/lprm
    Cmnd_Alias     SHUTDOWN = /usr/sbin/shutdown
    Cmnd_Alias     HALT = /usr/sbin/halt
    Cmnd_Alias     REBOOT = /usr/sbin/reboot
    Cmnd_Alias     SHELLS = /usr/bin/sh, /usr/bin/csh, /usr/bin/ksh, \
                   /usr/local/bin/tcsh, /usr/bin/rsh, \
    Cmnd_Alias     SU = /usr/bin/su
    Cmnd_Alias     PAGERS = /usr/bin/more, /usr/bin/pg, /usr/bin/less
Here we override some of the compiled in default values. We want sudo
to log via syslog(3) using the auth facility in all cases. We don't
want to subject the full time staff to the sudo lecture, user millert
need not give a password, and we don't want to reset the LOGNAME, USER
or USERNAME environment variables when running commands as root.
Additionally, on the machines in the SERVERS Host_Alias, we keep an
additional local log file and make sure we log the year in each log
line since the log entries will be kept around for several years.
Lastly, we disable shell escapes for the commands in the PAGERS
Cmnd_Alias (/usr/bin/more, /usr/bin/pg and /usr/bin/less).

    # Override built-in defaults
    Defaults               syslog=auth
    Defaults>root          !set_logname
    Defaults:FULLTIMERS    !lecture
    Defaults:millert       !authenticate
    Defaults@SERVERS       log_year, logfile=/var/log/sudo.log
    Defaults!PAGERS        noexec
The User specification is the part that actually determines who may run

    root           ALL = (ALL) ALL
    %wheel         ALL = (ALL) ALL
We let root and any user in group wheel run any command on any host as
    FULLTIMERS     ALL = NOPASSWD: ALL

Full time sysadmins (millert, mikef, and dowdy) may run any command on
any host without authenticating themselves.
    PARTTIMERS     ALL = ALL

Part time sysadmins (bostley, jwfox, and crawl) may run any command on
any host but they must authenticate themselves first (since the entry
lacks the NOPASSWD tag).
The user jack may run any command on the machines in the CSNETS alias
(the networks 128.138.243.0, 128.138.204.0, and 128.138.242.0). Of
those networks, only 128.138.204.0 has an explicit netmask (in CIDR
notation) indicating it is a class C network. For the other networks
in CSNETS, the local machine's netmask will be used during matching.

The user lisa may run any command on any host in the CUNETS alias (the
class B network 128.138.0.0).
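The netmask rule above has a consequence worth checking before relying on it: a member written without a mask matches whatever network the local machine's own netmask puts it in, so the same CSNETS alias is a /24 on one host and a /16 on another. As an added example (not code from the sudo project or this manual), the following Python models host-list matching as the page describes it. The alias table repeats the page's examples; the addresses and netmasks are constructed, netgroups (+name) are not modeled, and "last matching member wins" for a list is this model's reading of the jen example below.

```python
"""Host matching for the host lists and Host_Alias members sudoers uses.

Added example, not sudo's own code. A member is a host name, an address
with a CIDR or dotted netmask, an address with no mask (the local
machine's netmask is applied), ALL, or an alias; a '!' prefix negates it
and the last matching member decides. Host names are compared with the
short host name, or the full name when fqdn is set. The alias table
repeats the page's examples; addresses and netmasks are constructed.
"""
from __future__ import annotations

import ipaddress

HOST_ALIASES = {
    "CSNETS": ["128.138.243.0", "128.138.204.0/24", "128.138.242.0"],
    "CUNETS": ["128.138.0.0/255.255.0.0"],
    "SERVERS": ["master", "mail", "www", "ns"],
}


def _expand(members, aliases, negated=False, seen=()):
    """Yield (member, negated) pairs with aliases expanded recursively."""
    for m in members:
        neg = negated
        while m.startswith("!"):
            neg, m = not neg, m[1:].strip()
        if m in aliases and m not in seen:
            yield from _expand(aliases[m], aliases, neg, seen + (m,))
        else:
            yield m, neg


def _member_matches(member, hostname, host_ip, local_netmask, fqdn):
    if member == "ALL":
        return True
    if member.startswith("+"):
        return False                      # netgroup: needs getnetgrent(3)
    try:
        ipaddress.ip_address(member.split("/", 1)[0])
    except ValueError:
        # Not an address: plain host name comparison.
        name = hostname if fqdn else hostname.split(".", 1)[0]
        return member.lower() == name.lower()
    # Address: explicit /prefix or /mask, else the local machine's netmask.
    spec = member if "/" in member else f"{member}/{local_netmask}"
    net = ipaddress.ip_network(spec, strict=False)
    return ipaddress.ip_address(host_ip) in net


def hostlist_matches(members, hostname, host_ip, local_netmask,
                     aliases=None, fqdn=False):
    """True if the host list grants this host; the last match wins."""
    result = False
    for member, negated in _expand(members, aliases or {}):
        if _member_matches(member, hostname, host_ip, local_netmask, fqdn):
            result = not negated
    return result


if __name__ == "__main__":
    # jack's CSNETS grant seen from a host on 128.138.204.0/24 ...
    print(hostlist_matches(["CSNETS"], "box", "128.138.204.57",
                           "255.255.255.0", HOST_ALIASES))          # True
    # ... and the mask-less members widening to the whole class B when
    # the local netmask is 255.255.0.0.
    print(hostlist_matches(["CSNETS"], "box", "128.138.205.1",
                           "255.255.0.0", HOST_ALIASES))            # True
```

The fqdn flag in the model shows the CAVEATS point as well: a host whose hostname command returns mail.example.org is not excluded by "!SERVERS" unless the comparison uses the short name, or the alias stores the fully qualified name.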
    operator       ALL = DUMPS, KILL, SHUTDOWN, HALT, REBOOT, PRINTING,\
                   sudoedit /etc/printcap, /usr/oper/bin/

The operator user may run commands limited to simple maintenance.
Here, those are commands related to backups, killing processes, the
printing system, shutting down the system, and any commands in the
directory /usr/oper/bin/.
    joe            ALL = /usr/bin/su operator

The user joe may only su(1) to operator.
    pete           HPPA = /usr/bin/passwd [A-Za-z]*, !/usr/bin/passwd root

The user pete is allowed to change anyone's password except for root on
the HPPA machines. Note that this assumes passwd(1) does not take
multiple usernames on the command line.
    bob            SPARC = (OP) ALL : SGI = (OP) ALL

The user bob may run anything on the SPARC and SGI machines as any user
listed in the OP Runas_Alias (root and operator).
The user jim may run any command on machines in the biglab netgroup.
sudo knows that "biglab" is a netgroup due to the '+' prefix.
    +secretaries   ALL = PRINTING, /usr/bin/adduser, /usr/bin/rmuser

Users in the secretaries netgroup need to help manage the printers as
well as add and remove users, so they are allowed to run those commands
    fred           ALL = (DB) NOPASSWD: ALL

The user fred can run commands as any user in the DB Runas_Alias
(oracle or sybase) without giving a password.
    john           ALPHA = /usr/bin/su [!-]*, !/usr/bin/su *root*

On the ALPHA machines, user john may su to anyone except root but he is
not allowed to specify any options to the su(1) command.
    jen            ALL, !SERVERS = ALL

The user jen may run any command on any machine except for those in the
SERVERS Host_Alias (master, mail, www and ns).
    jill           SERVERS = /usr/bin/, !SU, !SHELLS

For any machine in the SERVERS Host_Alias, jill may run any commands in
the directory /usr/bin/ except for those commands belonging to the SU
and SHELLS Cmnd_Aliases.
    steve          CSNETS = (operator) /usr/local/op_commands/

The user steve may run any command in the directory
/usr/local/op_commands/ but only as user operator.
    matt           valkyrie = KILL

On his personal workstation, valkyrie, matt needs to be able to kill
    WEBMASTERS     www = (www) ALL, (root) /usr/bin/su www

On the host www, any user in the WEBMASTERS User_Alias (will, wendy,
and wim), may run any command as user www (which owns the web pages) or
simply su(1) to www.
    ALL            CDROM = NOPASSWD: /sbin/umount /CDROM,\
                   /sbin/mount -o nosuid\,nodev /dev/cd0a /CDROM

Any user may mount or unmount a CD-ROM on the machines in the CDROM
Host_Alias (orion, perseus, hercules) without entering a password.
This is a bit tedious for users to type, so it is a prime candidate for
encapsulating in a shell script.
SECURITY NOTES
It is generally not effective to "subtract" commands from ALL using the
'!' operator. A user can trivially circumvent this by copying the
desired command to a different name and then executing that. For

    bill           ALL = ALL, !SU, !SHELLS

Doesn't really prevent bill from running the commands listed in SU or
SHELLS since he can simply copy those commands to a different name, or
use a shell escape from an editor or other program. Therefore, these
kinds of restrictions should be considered advisory at best (and
reinforced by policy).
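Because the '!' subtraction is advisory, it is worth catching at review time rather than discovering it during an incident. As an added example (not code from the sudo project or this manual), the following Python lints user specifications for exactly the pattern described above, ALL with '!' exclusions, and, as an extension of the same reasoning that is this example's assumption rather than the page's statement, for a directory grant with '!' exclusions, since any copy, move or install tool inside that directory lets the user recreate the excluded command under another name. The sample policy is constructed from the page's examples; the parser covers the subset of the grammar those examples use.

```python
"""Lint sudoers user specifications for '!' exclusions taken from a grant
too broad to subtract from (ALL, or a whole directory).

Added example, not part of sudo or its documentation. The directory
check extends the page's ALL warning and is this example's assumption.
The sample policy is constructed from the page's examples.
"""
from __future__ import annotations

import re

TAG_RE = re.compile(r"^(?:(?:NO)?(?:PASSWD|EXEC|SETENV):\s*)+")
RUNAS_RE = re.compile(r"^\([^)]*\)\s*")
SPEC_SEP = re.compile(r"\s+:\s+")       # "Host = Cmnds : Host = Cmnds"


def _split_commas(s: str) -> list[str]:
    """Split on commas that are not backslash-escaped (e.g. nosuid\\,nodev)."""
    parts, cur, esc = [], [], False
    for ch in s:
        if esc or ch == "\\":
            cur.append(ch)
            esc = not esc
        elif ch == ",":
            parts.append("".join(cur).strip())
            cur = []
        else:
            cur.append(ch)
    parts.append("".join(cur).strip())
    return [p for p in parts if p]


def _logical_lines(text: str):
    """Join backslash-continued lines; drop comments and blank lines."""
    buf = ""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        buf += line
        if buf.strip():
            yield buf.strip()
        buf = ""


def parse(text: str):
    """Return (cmnd_aliases, specs); a spec is (user, hosts, [cmnd, ...])."""
    aliases: dict[str, list[str]] = {}
    specs: list[tuple[str, str, list[str]]] = []
    for line in _logical_lines(text):
        if line.startswith(("Defaults", "User_Alias", "Host_Alias", "Runas_Alias")):
            continue
        if line.startswith("Cmnd_Alias"):
            for defn in SPEC_SEP.split(line[len("Cmnd_Alias"):].strip()):
                name, _, body = defn.partition("=")
                aliases[name.strip()] = _split_commas(body)
            continue
        user, rest = line.split(None, 1)
        for part in SPEC_SEP.split(rest):
            hosts, _, cmnds = part.partition("=")
            specs.append((user, hosts.strip(), _split_commas(cmnds)))
    return aliases, specs


def _expand(cmnds, aliases, negated=False, seen=()):
    """Yield (command, negated) with tags, runas and aliases resolved."""
    for c in cmnds:
        neg = negated
        while c.startswith("!"):
            neg, c = not neg, c[1:].strip()
        c = TAG_RE.sub("", RUNAS_RE.sub("", c))
        if c in aliases and c not in seen:
            yield from _expand(aliases[c], aliases, neg, seen + (c,))
        else:
            yield c, neg


def lint(text: str) -> list[tuple[str, str, str, str]]:
    """Return (user, hosts, grant, reason) for each weak subtraction."""
    aliases, specs = parse(text)
    findings = []
    for user, hosts, cmnds in specs:
        items = list(_expand(cmnds, aliases))
        excluded = ", ".join(c for c, neg in items if neg)
        if not excluded:
            continue
        for grant, neg in items:
            if neg:
                continue
            if grant == "ALL":
                findings.append((user, hosts, grant, "excludes %s from ALL: "
                                 "advisory only, the user can copy the binary "
                                 "under another name" % excluded))
            elif grant.endswith("/"):
                findings.append((user, hosts, grant, "excludes %s from a "
                                 "directory grant: defeated by any copy/move/"
                                 "install tool in that directory" % excluded))
    return findings


SAMPLE_SUDOERS = """
# constructed from the page's examples
Cmnd_Alias  SHELLS = /usr/bin/sh, /usr/bin/csh, /usr/bin/ksh, \\
                     /usr/local/bin/tcsh
Cmnd_Alias  SU = /usr/bin/su
bill        ALL = ALL, !SU, !SHELLS
jill        SERVERS = /usr/bin/, !SU, !SHELLS
pete        HPPA = /usr/bin/passwd [A-Za-z]*, !/usr/bin/passwd root
jen         ALL, !SERVERS = ALL
fred        ALL = (DB) NOPASSWD: ALL
ALL         CDROM = NOPASSWD: /sbin/umount /CDROM,\\
            /sbin/mount -o nosuid\\,nodev /dev/cd0a /CDROM
"""

if __name__ == "__main__":
    for user, hosts, grant, reason in lint(SAMPLE_SUDOERS):
        print(f"{user} on {hosts}: {grant}: {reason}")
```

On the sample only bill and jill are reported: pete's exclusion is taken from a single command with an argument pattern, which the page treats as workable, and jen's '!' is in the host list, not the command list.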
PREVENTING SHELL ESCAPES
Once sudo executes a program, that program is free to do whatever it
pleases, including running other programs. This can be a security issue
since it is not uncommon for a program to allow shell escapes, which
lets a user bypass sudo's access control and logging. Common programs
that permit shell escapes include shells (obviously), editors,
paginators, mail and terminal programs.
There are two basic approaches to this problem:

restrict        Avoid giving users access to commands that allow the user to
                run arbitrary commands. Many editors have a restricted mode
                where shell escapes are disabled, though sudoedit is a better
                solution to running editors via sudo. Due to the large
                number of programs that offer shell escapes, restricting
                users to the set of programs that do not is often unworkable.

noexec          Many systems that support shared libraries have the ability
                to override default library functions by pointing an
                environment variable (usually LD_PRELOAD) to an alternate
                shared library. On such systems, sudo's noexec functionality
                can be used to prevent a program run by sudo from executing
                any other programs. Note, however, that this applies only to
                native dynamically-linked executables. Statically-linked
                executables and foreign executables running under binary
                emulation are not affected.
                To tell whether or not sudo supports noexec, you can run the

                    sudo -V | grep "dummy exec"

                If the resulting output contains a line that begins with:

                    File containing dummy exec functions:

                then sudo may be able to replace the exec family of functions
                in the standard library with its own that simply return an
                error. Unfortunately, there is no foolproof way to know
                whether or not noexec will work at compile-time. noexec
                should work on SunOS, Solaris, *BSD, Linux, IRIX, Tru64 UNIX,
                MacOS X, and HP-UX 11.x. It is known not to work on AIX and
                UnixWare. noexec is expected to work on most operating
                systems that support the LD_PRELOAD environment variable.
                Check your operating system's manual pages for the dynamic
                linker (usually ld.so, ld.so.1, dyld, dld.sl, rld, or loader)
                to see if LD_PRELOAD is supported.
                To enable noexec for a command, use the NOEXEC tag as
                documented in the User Specification section above. Here is

                    aaron shanty = NOEXEC: /usr/bin/more, /usr/bin/vi

                This allows user aaron to run /usr/bin/more and /usr/bin/vi
                with noexec enabled. This will prevent those two commands
                from executing other commands (such as a shell). If you are
                unsure whether or not your system is capable of supporting
                noexec you can always just try it out and see if it works.
Note that restricting shell escapes is not a panacea. Programs running
as root are still capable of many potentially hazardous operations
(such as changing or overwriting files) that could lead to unintended
privilege escalation. In the specific case of an editor, a safer
approach is to give the user permission to run sudoedit.
SEE ALSO
rsh(1), su(1), fnmatch(3), sudo(1m), visudo(8)
CAVEATS
The sudoers file should always be edited by the visudo command which
locks the file and does grammatical checking. It is imperative that
sudoers be free of syntax errors since sudo will not run with a
syntactically incorrect sudoers file.

When using netgroups of machines (as opposed to users), if you store
fully qualified hostnames in the netgroup (as is usually the case), you
either need to have the machine's hostname be fully qualified as
returned by the hostname command or use the fqdn option in sudoers.
If you feel you have found a bug in sudo, please submit a bug report at
http://www.sudo.ws/sudo/bugs/
SUPPORT
Limited free support is available via the sudo-users mailing list, see
http://www.sudo.ws/mailman/listinfo/sudo-users to subscribe or search
DISCLAIMER
sudo is provided ``AS IS'' and any express or implied warranties,
including, but not limited to, the implied warranties of
merchantability and fitness for a particular purpose are disclaimed.
See the LICENSE file distributed with sudo or
http://www.sudo.ws/sudo/license.html for complete details.