SUDOERS(4)                   MAINTENANCE COMMANDS                   SUDOERS(4)

NAME
       sudoers - list of which users may execute what

DESCRIPTION
       The sudoers file is composed of two types of entries: aliases
       (basically variables) and user specifications (which specify who may

       When multiple entries match for a user, they are applied in order.
       Where there are multiple matches, the last match is used (which is not
       necessarily the most specific match).

       The sudoers grammar will be described below in Extended Backus-Naur
       Form (EBNF).  Don't despair if you don't know what EBNF is; it is
       fairly simple, and the definitions below are annotated.

   Quick guide to EBNF
       EBNF is a concise and exact way of describing the grammar of a
       language.  Each EBNF definition is made up of production rules.  E.g.,

           symbol ::= definition | alternate1 | alternate2 ...

       Each production rule references others and thus makes up a grammar for
       the language.  EBNF also contains the following operators, which many
       readers will recognize from regular expressions.  Do not, however,
       confuse them with "wildcard" characters, which have different meanings.

       ?   Means that the preceding symbol (or group of symbols) is optional.
           That is, it may appear once or not at all.

       *   Means that the preceding symbol (or group of symbols) may appear

       +   Means that the preceding symbol (or group of symbols) may appear

       Parentheses may be used to group symbols together.  For clarity, we
       will use single quotes ('') to designate what is a verbatim character
       string (as opposed to a symbol name).

   Aliases
       There are four kinds of aliases: User_Alias, Runas_Alias, Host_Alias

           Alias ::= 'User_Alias'  User_Alias (':' User_Alias)* |
                     'Runas_Alias' Runas_Alias (':' Runas_Alias)* |
                     'Host_Alias'  Host_Alias (':' Host_Alias)* |
                     'Cmnd_Alias'  Cmnd_Alias (':' Cmnd_Alias)*

           User_Alias ::= NAME '=' User_List

           Runas_Alias ::= NAME '=' Runas_List
           Host_Alias ::= NAME '=' Host_List

           Cmnd_Alias ::= NAME '=' Cmnd_List

           NAME ::= [A-Z]([A-Z][0-9]_)*

       Each alias definition is of the form

           Alias_Type NAME = item1, item2, ...

       where Alias_Type is one of User_Alias, Runas_Alias, Host_Alias, or
       Cmnd_Alias.  A NAME is a string of uppercase letters, numbers, and
       underscore characters ('_').  A NAME must start with an uppercase
       letter.  It is possible to put several alias definitions of the same
       type on a single line, joined by a colon (':').  E.g.,

           Alias_Type NAME = item1, item2, item3 : NAME = item4, item5

       The definitions of what constitutes a valid alias member follow.

           User ::= '!'* username |
                    '!'* '%:'nonunix_group |

       A User_List is made up of one or more usernames, uids (prefixed with
       '#'), system groups (prefixed with '%'), netgroups (prefixed with '+')
       and User_Aliases.  Each list item may be prefixed with zero or more '!'
       operators.  An odd number of '!' operators negate the value of the
       item; an even number just cancel each other out.

       A username, group, netgroup or nonunix_group may be enclosed in
       double quotes to avoid the need for escaping special characters.
       Alternately, special characters may be specified in escaped hex mode,

       The nonunix_group syntax depends on the underlying implementation.  For
       instance, the QAS AD backend supports the following formats:

       o   Group in the same domain: "Group Name"

       o   Group in any domain: "Group Name@FULLY.QUALIFIED.DOMAIN"

       o   Group SID: "S-1-2-34-5678901234-5678901234-5678901234-567"

       Note that quotes around group names are optional.  Unquoted strings
       must use a backslash (\) to escape spaces and the '@' symbol.
1.7.2                            June 30, 2009                               2
           Runas_List ::= Runas_Member |
                          Runas_Member ',' Runas_List

           Runas_Member ::= '!'* username |

       A Runas_List is similar to a User_List except that instead of
       User_Aliases it can contain Runas_Aliases.  Note that usernames and
       groups are matched as strings.  In other words, two users (groups) with
       the same uid (gid) are considered to be distinct.  If you wish to match
       all usernames with the same uid (e.g. root and toor), you can use a uid
       instead (#0 in the example given).

           Host ::= '!'* hostname |
                    '!'* network(/netmask)? |

       A Host_List is made up of one or more hostnames, IP addresses, network
       numbers, netgroups (prefixed with '+') and other aliases.  Again, the
       value of an item may be negated with the '!' operator.  If you do not
       specify a netmask along with the network number, sudo will query each
       of the local host's network interfaces and, if the network number
       corresponds to one of the host's network interfaces, the corresponding
       netmask will be used.  The netmask may be specified either in standard
       IP address notation (e.g. 255.255.255.0 or ffff:ffff:ffff:ffff::), or
       CIDR notation (number of bits, e.g. 24 or 64).  A hostname may include
       shell-style wildcards (see the Wildcards section below), but unless the
       hostname command on your machine returns the fully qualified hostname,
       you'll need to use the fqdn option for wildcards to be useful.

           commandname ::= filename |

           Cmnd ::= '!'* commandname |

       A Cmnd_List is a list of one or more commandnames, directories, and
       other aliases.  A commandname is a fully qualified filename which may
       include shell-style wildcards (see the Wildcards section below).  A
       simple filename allows the user to run the command with any arguments
       he/she wishes.  However, you may also specify command line arguments
       (including wildcards).  Alternately, you can specify "" to indicate
       that the command may only be run without command line arguments.  A
       directory is a fully qualified pathname ending in a '/'.  When you
       specify a directory in a Cmnd_List, the user will be able to run any
       file within that directory (but not in any subdirectories therein).

       If a Cmnd has associated command line arguments, then the arguments in
       the Cmnd must match exactly those given by the user on the command line
       (or match the wildcards if there are any).  Note that the following
       characters must be escaped with a '\' if they are used in command
       arguments: ',', ':', '=', '\'.  The special command "sudoedit" is used
       to permit a user to run sudo with the -e option (or as sudoedit).  It
       may take command line arguments just as a normal command does.

   Defaults
       Certain configuration options may be changed from their default values
       at runtime via one or more Default_Entry lines.  These may affect all
       users on any host, all users on a specific host, a specific user, a
       specific command, or commands being run as a specific user.  Note that
       per-command entries may not include command line arguments.  If you
       need to specify arguments, define a Cmnd_Alias and reference that

           Default_Type ::= 'Defaults' |
                            'Defaults' '@' Host_List |
                            'Defaults' ':' User_List |
                            'Defaults' '!' Cmnd_List |
                            'Defaults' '>' Runas_List

           Default_Entry ::= Default_Type Parameter_List

           Parameter_List ::= Parameter |
                              Parameter ',' Parameter_List

           Parameter ::= Parameter '=' Value |
                         Parameter '+=' Value |
                         Parameter '-=' Value |

       Parameters may be flags, integer values, strings, or lists.  Flags are
       implicitly boolean and can be turned off via the '!' operator.  Some
       integer, string and list parameters may also be used in a boolean
       context to disable them.  Values may be enclosed in double quotes (")
       when they contain multiple words.  Special characters may be escaped
       with a backslash (\).

       Lists have two additional assignment operators, += and -=.  These
       operators are used to add to and delete from a list respectively.  It
       is not an error to use the -= operator to remove an element that does

       Defaults entries are parsed in the following order: generic, host and
       user Defaults first, then runas Defaults and finally command defaults.

       See "SUDOERS OPTIONS" for a list of supported Defaults parameters.
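       As an added example (this is not code from sudo itself), the Python
       below models how a set of Defaults lines is parsed and then applied in
       the order just described: generic, host and user Defaults first, then
       runas Defaults, and finally command Defaults.  It assumes Python 3; the
       list-typed parameters it knows are the ones this page names
       (env_keep, env_check, env_delete), and Host_List, User_List,
       Runas_List and Cmnd_List scopes are matched by exact string.

```python
import re

# Defaults parameters this example treats as lists (the ones this page names).
LIST_PARAMS = {"env_keep", "env_check", "env_delete"}

# Parsing phases from the page: generic, host and user Defaults first,
# then runas Defaults (>), and finally command Defaults (!).
_PHASE = {None: 0, "@": 0, ":": 0, ">": 1, "!": 2}

_TYPE_RE = re.compile(r"^Defaults(?:(?P<kind>[@:!>])(?P<scope>\S+))?\s+(?P<params>.+)$")
_PARAM_RE = re.compile(
    r'\s*(?P<neg>!?)(?P<name>[A-Za-z_][A-Za-z0-9_]*)'
    r'(?:\s*(?P<op>\+=|-=|=)\s*(?P<val>"(?:[^"\\]|\\.)*"|[^,\s]+))?\s*(?:,|$)'
)


def _unquote(val):
    """Strip surrounding double quotes and resolve backslash escapes."""
    if len(val) >= 2 and val[0] == val[-1] == '"':
        val = val[1:-1]
    return re.sub(r"\\(.)", r"\1", val)


def parse_parameter_list(text):
    """'env_reset, env_keep += "EDITOR VISUAL"' -> [(negated, name, op, value), ...]"""
    params, pos = [], 0
    while pos < len(text):
        m = _PARAM_RE.match(text, pos)
        if not m or m.end() == pos:
            raise ValueError("cannot parse parameter list at: %r" % text[pos:])
        val = m.group("val")
        params.append((m.group("neg") == "!", m.group("name"), m.group("op"),
                       None if val is None else _unquote(val)))
        pos = m.end()
    return params


def parse_defaults_line(line):
    """Return (kind, scope list or None, parameters) for one Default_Entry."""
    m = _TYPE_RE.match(line.strip())
    if not m:
        raise ValueError("not a Defaults line: %r" % line)
    scope = m.group("scope")
    return (m.group("kind"), scope.split(",") if scope else None,
            parse_parameter_list(m.group("params")))


def apply_parameter(state, negated, name, op, value):
    """Apply one Parameter to the dict of effective settings."""
    if op is None:
        state[name] = not negated          # bare flag turns on; '!' turns it (or a list) off
        return
    if name in LIST_PARAMS:
        current = list(state.get(name) or [])
        items = value.split()
        if op == "=":
            state[name] = items
        elif op == "+=":
            state[name] = current + [x for x in items if x not in current]
        else:                              # '-=': removing an absent element is not an error
            state[name] = [x for x in current if x not in items]
    elif op == "=":
        state[name] = value
    else:
        raise ValueError("%s is only valid for list parameters: %s" % (op, name))


def effective_defaults(lines, user, host, runas, cmnd, base=None):
    """Apply every matching Defaults line, phase by phase, and return the result."""
    state = dict(base or {})
    entries = [parse_defaults_line(line) for line in lines]
    matches = {None: lambda s: True, "@": lambda s: host in s, ":": lambda s: user in s,
               ">": lambda s: runas in s, "!": lambda s: cmnd in s}
    for phase in (0, 1, 2):
        for kind, scope, params in entries:
            if _PHASE[kind] != phase or not matches[kind](scope):
                continue
            for negated, name, op, value in params:
                apply_parameter(state, negated, name, op, value)
    return state


# Constructed sample Defaults lines (not taken from any real sudoers file).
SAMPLE_DEFAULTS = [
    'Defaults env_reset, env_keep = "EDITOR VISUAL PAGER"',
    'Defaults!/usr/bin/less env_keep -= "PAGER NOTTHERE", !insults',
    'Defaults:ray !authenticate, passprompt = "[sudo] password for %u: "',
    'Defaults>operator env_keep += "TERM"',
    'Defaults@boulder insults',
]
```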
   User Specification
           User_Spec ::= User_List Host_List '=' Cmnd_Spec_List \
                         (':' Host_List '=' Cmnd_Spec_List)*

           Cmnd_Spec_List ::= Cmnd_Spec |
                              Cmnd_Spec ',' Cmnd_Spec_List

           Cmnd_Spec ::= Runas_Spec? Tag_Spec* Cmnd

           Runas_Spec ::= '(' Runas_List? (':' Runas_List)? ')'

           Tag_Spec ::= ('NOPASSWD:' | 'PASSWD:' | 'NOEXEC:' | 'EXEC:' |
                         'SETENV:' | 'NOSETENV:' )

       A user specification determines which commands a user may run (and as
       what user) on specified hosts.  By default, commands are run as root,
       but this can be changed on a per-command basis.

       The basic structure of a user specification is `who = where (as_whom)
       what'.  Let's break that down into its constituent parts:

   Runas_Spec
       A Runas_Spec determines the user and/or the group that a command may be
       run as.  A fully-specified Runas_Spec consists of two Runas_Lists (as
       defined above) separated by a colon (':') and enclosed in a set of
       parentheses.  The first Runas_List indicates which users the command
       may be run as via sudo's -u option.  The second defines a list of
       groups that can be specified via sudo's -g option.  If both Runas_Lists
       are specified, the command may be run with any combination of users and
       groups listed in their respective Runas_Lists.  If only the first is
       specified, the command may be run as any user in the list but no -g
       option may be specified.  If the first Runas_List is empty but the
       second is specified, the command may be run as the invoking user with
       the group set to any listed in the Runas_List.  If no Runas_Spec is
       specified the command may be run as root and no group may be specified.

       A Runas_Spec sets the default for the commands that follow it.  What
       this means is that for the entry:

           dgb boulder = (operator) /bin/ls, /bin/kill, /usr/bin/lprm

       The user dgb may run /bin/ls, /bin/kill, and /usr/bin/lprm -- but only
       as operator.  E.g.,

           $ sudo -u operator /bin/ls.

       It is also possible to override a Runas_Spec later on in an entry.  If
       we modify the entry like so:
           dgb boulder = (operator) /bin/ls, (root) /bin/kill, /usr/bin/lprm

       Then user dgb is allowed to run /bin/ls as operator, but /bin/kill
       and /usr/bin/lprm as root.

       We can extend this to allow dgb to run /bin/ls with either the user or
       group set to operator:

           dgb boulder = (operator : operator) /bin/ls, (root) /bin/kill, \

       In the following example, user tcm may run commands that access a modem
       device file with the dialer group.  Note that in this example only the
       group will be set; the command still runs as user tcm.

           tcm boulder = (:dialer) /usr/bin/tip, /usr/bin/cu, \
               /usr/local/bin/minicom

   Tag_Spec
       A command may have zero or more tags associated with it.  There are
       eight possible tag values, NOPASSWD, PASSWD, NOEXEC, EXEC, SETENV and
       NOSETENV.  Once a tag is set on a Cmnd, subsequent Cmnds in the
       Cmnd_Spec_List inherit the tag unless it is overridden by the opposite
       tag (i.e.: PASSWD overrides NOPASSWD and NOEXEC overrides EXEC).

       NOPASSWD and PASSWD

       By default, sudo requires that a user authenticate him or herself
       before running a command.  This behavior can be modified via the
       NOPASSWD tag.  Like a Runas_Spec, the NOPASSWD tag sets a default for
       the commands that follow it in the Cmnd_Spec_List.  Conversely, the
       PASSWD tag can be used to reverse things.  For example:

           ray rushmore = NOPASSWD: /bin/kill, /bin/ls, /usr/bin/lprm

       would allow the user ray to run /bin/kill, /bin/ls, and /usr/bin/lprm
       as root on the machine rushmore without authenticating himself.  If we
       only want ray to be able to run /bin/kill without a password the entry

           ray rushmore = NOPASSWD: /bin/kill, PASSWD: /bin/ls, /usr/bin/lprm

       Note, however, that the PASSWD tag has no effect on users who are in
       the group specified by the exempt_group option.

       By default, if the NOPASSWD tag is applied to any of the entries for a
       user on the current host, he or she will be able to run sudo -l without
       a password.  Additionally, a user may only run sudo -v without a
       password if the NOPASSWD tag is present for all a user's entries that
       pertain to the current host.  This behavior may be overridden via the
       verifypw and listpw options.
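       As an added example rather than code from sudo, the Python below models
       the Runas_Spec and Tag_Spec rules from the two sections above: a
       Runas_Spec and each tag stay in force for the commands that follow
       them, the opposite tag cancels, and when several entries match the
       last one wins.  It assumes Python 3.8 or later, exact-string command
       comparison (no wildcard expansion), user and host lists written
       without spaces after commas, and INVOKING_USER is a placeholder name
       chosen here for an empty first Runas_List.

```python
import re
from dataclasses import dataclass, field

# Opposite tags cancel each other (page: PASSWD overrides NOPASSWD, NOEXEC overrides EXEC).
TAG_PAIRS = {"NOPASSWD": "PASSWD", "PASSWD": "NOPASSWD", "NOEXEC": "EXEC",
             "EXEC": "NOEXEC", "SETENV": "NOSETENV", "NOSETENV": "SETENV"}
INVOKING_USER = "<invoking user>"   # placeholder chosen here for an empty first Runas_List


@dataclass
class CmndSpec:
    cmnd: str
    runas_users: list            # users permitted with -u
    runas_groups: list           # groups permitted with -g ([] means no -g at all)
    tags: set = field(default_factory=set)


_RUNAS_RE = re.compile(r"^\(([^)]*)\)\s*")
_TAG_RE = re.compile(r"^(NOPASSWD|PASSWD|NOEXEC|EXEC|SETENV|NOSETENV):\s*")


def _split_top_level(text):
    """Split a Cmnd_Spec_List on ',' outside parentheses; an escaped comma is kept."""
    items, cur, depth, i = [], [], 0, 0
    while i < len(text):
        c = text[i]
        if c == "\\" and i + 1 < len(text):
            cur.append(text[i:i + 2])
            i += 2
            continue
        depth += (c == "(") - (c == ")")
        if c == "," and depth == 0:
            items.append("".join(cur))
            cur = []
        else:
            cur.append(c)
        i += 1
    items.append("".join(cur))
    return [item.strip() for item in items if item.strip()]


def parse_cmnd_spec_list(text):
    """A Runas_Spec or tag stays in force for the commands after it until another
    Runas_Spec or the opposite tag appears."""
    specs = []
    users, groups, tags = ["root"], [], set()    # no Runas_Spec: root, no group, no tags
    for item in _split_top_level(text):
        m = _RUNAS_RE.match(item)
        if m:
            user_part, colon, group_part = m.group(1).partition(":")
            if user_part.strip():
                users = [u.strip() for u in user_part.split(",")]
            else:                              # empty first list: run as the invoking user
                users = [INVOKING_USER] if colon else ["root"]
            groups = [g.strip() for g in group_part.split(",")] if colon else []
            item = item[m.end():]
        while (m := _TAG_RE.match(item)):
            tags.discard(TAG_PAIRS[m.group(1)])
            tags.add(m.group(1))
            item = item[m.end():]
        specs.append(CmndSpec(item, list(users), list(groups), set(tags)))
    return specs


def parse_user_spec(line):
    """'User_List Host_List = Cmnd_Spec_List' -> (users, hosts, [CmndSpec, ...]).
    Lists on the left of '=' must be written without spaces after commas."""
    lhs, _, rhs = line.replace("\\\n", " ").partition("=")   # join continued lines
    *user_tokens, host_token = lhs.split()
    users = [u for u in ",".join(user_tokens).split(",") if u]
    return users, host_token.split(","), parse_cmnd_spec_list(rhs.strip())


def requires_password(spec):
    return "NOPASSWD" not in spec.tags


def last_match(lines, user, host, cmnd):
    """Page rule: with several matching entries the last one wins.  Commands are
    compared as exact strings here; wildcards are not expanded."""
    winner = None
    for line in lines:
        users, hosts, specs = parse_user_spec(line)
        if user in users and host in hosts:
            for spec in specs:
                if spec.cmnd in (cmnd, "ALL"):
                    winner = spec
    return winner
```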
       NOEXEC and EXEC
       If sudo has been compiled with noexec support and the underlying
       operating system supports it, the NOEXEC tag can be used to prevent a
       dynamically-linked executable from running further commands itself.

       In the following example, user aaron may run /usr/bin/more and
       /usr/bin/vi but shell escapes will be disabled.

           aaron shanty = NOEXEC: /usr/bin/more, /usr/bin/vi

       See the "PREVENTING SHELL ESCAPES" section below for more details on
       how NOEXEC works and whether or not it will work on your system.

       SETENV and NOSETENV

       These tags override the value of the setenv option on a per-command
       basis.  Note that if SETENV has been set for a command, any environment
       variables set on the command line are not subject to the restrictions
       imposed by env_check, env_delete, or env_keep.  As such, only trusted
       users should be allowed to set variables in this manner.  If the
       command matched is ALL, the SETENV tag is implied for that command;
       this default may be overridden by use of the NOSETENV tag.

   Wildcards
       sudo allows shell-style wildcards (aka meta or glob characters) to be
       used in hostnames, pathnames and command line arguments in the sudoers
       file.  Wildcard matching is done via the POSIX glob(3) and fnmatch(3)
       routines.  Note that these are not regular expressions.

       *       Matches any set of zero or more characters.

       ?       Matches any single character.

       [...]   Matches any character in the specified range.

       [!...]  Matches any character not in the specified range.

       \x      For any character "x", evaluates to "x".  This is used to
               escape special characters such as: "*", "?", "[", and "]".

       POSIX character classes may also be used if your system's glob(3) and
       fnmatch(3) functions support them.  However, because the ':' character
       has special meaning in sudoers, it must be escaped.  For example:

           /bin/ls [[\:alpha\:]]*

       Would match any filename beginning with a letter.

       Note that a forward slash ('/') will not be matched by wildcards used
       in the pathname.  When matching the command line arguments, however, a
       slash does get matched by wildcards.  This is to make a path like:
       match /usr/bin/who but not /usr/bin/X11/xterm.

   Exceptions to wildcard rules
       The following exceptions apply to the above rules:

       ""      If the empty string "" is the only command line argument in the
               sudoers entry it means that command is not allowed to be run
               with any arguments.
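       As an added illustration (this is not sudo's own matcher), the Python
       below applies the wildcard rules from the last two sections: pathname
       wildcards stop at '/', argument wildcards do not, a bare "" means the
       command takes no arguments, and an escaped ':' lets a POSIX class
       through.  It assumes Python 3, supports only the POSIX classes in its
       table, and compares the user's arguments joined by single spaces,
       which simplifies how sudo itself compares arguments.

```python
import re

# POSIX character classes this example understands, mapped to regex ranges.
_POSIX_CLASSES = {
    "alpha": "a-zA-Z", "digit": "0-9", "alnum": "a-zA-Z0-9",
    "upper": "A-Z", "lower": "a-z", "space": r" \t\n\r\f\v",
}


def _bracket_body(raw):
    """Turn the unescaped text between '[' and ']' into a regex class body."""
    out, k = [], 0
    while k < len(raw):
        if raw.startswith("[:", k):
            end = raw.find(":]", k + 2)
            if end != -1 and raw[k + 2:end] in _POSIX_CLASSES:
                out.append(_POSIX_CLASSES[raw[k + 2:end]])
                k = end + 2
                continue
        ch = raw[k]
        out.append("\\" + ch if ch in "\\]^" else ch)   # '-' stays a range operator
        k += 1
    return "".join(out)


def glob_to_regex(pattern, in_pathname):
    """sudoers glob -> regex.  In a pathname '*' and '?' never cross a '/';
    in command line arguments they do."""
    any_char = "[^/]" if in_pathname else "."
    out, i, n = [], 0, len(pattern)
    while i < n:
        c = pattern[i]
        if c == "\\" and i + 1 < n:           # \x evaluates to the literal x
            out.append(re.escape(pattern[i + 1]))
            i += 2
        elif c == "*":
            out.append(any_char + "*")
            i += 1
        elif c == "?":
            out.append(any_char)
            i += 1
        elif c == "[":
            j, negate = i + 1, False
            if j < n and pattern[j] == "!":
                negate, j = True, j + 1
            raw, in_class, closed, class_start = [], False, False, 0
            while j < n:
                d = pattern[j]
                if d == "]" and raw and not in_class:
                    closed, j = True, j + 1
                    break
                if d == "\\" and j + 1 < n:   # '\:' lets a ':' into the class
                    raw.append(pattern[j + 1])
                    j += 2
                else:
                    raw.append(d)
                    j += 1
                tail = "".join(raw[-2:])
                if not in_class and tail == "[:":
                    in_class, class_start = True, len(raw) - 2
                elif in_class and tail == ":]" and len(raw) - 2 >= class_start + 2:
                    in_class = False
            if not closed:                    # unterminated '[' is a literal bracket
                out.append(re.escape("["))
                i += 1
                continue
            out.append(("[^" if negate else "[") + _bracket_body("".join(raw)) + "]")
            i = j
        else:
            out.append(re.escape(c))
            i += 1
    return "".join(out)


def cmnd_matches(spec, path, args):
    """Does the Cmnd written in sudoers (e.g. '/bin/ls [[\\:alpha\\:]]*') allow
    running `path` with the argument list `args`?  The spec's pathname must not
    contain an unescaped space: it is split from the arguments at the first one."""
    spec_path, _, spec_args = spec.partition(" ")
    if spec_path.endswith("/"):               # directory: any file directly inside it
        rest = path[len(spec_path):]
        return path.startswith(spec_path) and rest != "" and "/" not in rest
    if not re.fullmatch(glob_to_regex(spec_path, True), path):
        return False
    if spec_args == "":                       # no arguments listed: any arguments allowed
        return True
    if spec_args == '""':                     # "": the command may not take arguments
        return args == []
    return re.fullmatch(glob_to_regex(spec_args, False), " ".join(args)) is not None
```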
   Including other files from within sudoers
       It is possible to include other sudoers files from within the sudoers
       file currently being parsed using the #include and #includedir

       This can be used, for example, to keep a site-wide sudoers file in
       addition to a local, per-machine file.  For the sake of this example
       the site-wide sudoers will be /etc/sudoers and the per-machine one will
       be /etc/sudoers.local.  To include /etc/sudoers.local from within
       /etc/sudoers we would use the following line in /etc/sudoers:

           #include /etc/sudoers.local

       When sudo reaches this line it will suspend processing of the current
       file (/etc/sudoers) and switch to /etc/sudoers.local.  Upon reaching
       the end of /etc/sudoers.local, the rest of /etc/sudoers will be
       processed.  Files that are included may themselves include other files.
       A hard limit of 128 nested include files is enforced to prevent include

       The filename may include the %h escape, signifying the short form of
       the hostname.  I.e., if the machine's hostname is "xerxes", then

           #include /etc/sudoers.%h

       will cause sudo to include the file /etc/sudoers.xerxes.

       The #includedir directive can be used to create a sudo.d directory that
       the system package manager can drop sudoers rules into as part of
       package installation.  For example, given:

           #includedir /etc/sudoers.d

       sudo will read each file in /etc/sudoers.d, skipping file names that
       end in ~ or contain a . character to avoid causing problems with
       package manager or editor temporary/backup files.  Files are parsed in
       sorted lexical order.  That is, /etc/sudoers.d/01_first will be parsed
       before /etc/sudoers.d/10_second.  Be aware that because the sorting is
       lexical, not numeric, /etc/sudoers.d/1_whoops would be loaded after
       /etc/sudoers.d/10_second.  Using a consistent number of leading zeroes
       in the file names can be used to avoid such problems.

       Note that unlike files included via #include, visudo will not edit the
       files in a #includedir directory unless one of them contains a syntax
       error.  It is still possible to run visudo with the -f flag to edit the
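       As an added check (not part of sudo), the Python below reproduces the
       #includedir selection and ordering rules just described and flags the
       lexical-versus-numeric pitfall; it assumes Python 3 and works on a
       constructed directory listing.

```python
import re

_NUM_PREFIX = re.compile(r"^(\d+)")


def includedir_order(names):
    """Names sudo would parse from a #includedir directory, in parse order:
    files ending in '~' or containing a '.' are skipped, the rest are sorted
    lexically (as strings, not numerically)."""
    return sorted(n for n in names if not n.endswith("~") and "." not in n)


def skipped_files(names):
    """Files silently ignored by #includedir; rules placed in them never take effect."""
    kept = set(includedir_order(names))
    return [n for n in names if n not in kept]


def misordered_prefixes(names):
    """Pairs (earlier, later) where `later` has a smaller numeric prefix than
    `earlier` but is parsed after it, so its entries win under last-match-wins."""
    order = includedir_order(names)
    pairs = []
    for i, a in enumerate(order):
        ma = _NUM_PREFIX.match(a)
        if not ma:
            continue
        for b in order[i + 1:]:
            mb = _NUM_PREFIX.match(b)
            if mb and int(mb.group(1)) < int(ma.group(1)):
                pairs.append((a, b))
    return pairs


# Constructed directory listing (not taken from a real system).
SAMPLE_LISTING = ["10_second", "01_first", "1_whoops", "20_third.bak", "README~", "zz_local"]
```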
   Other special characters and reserved words
       The pound sign ('#') is used to indicate a comment (unless it is part
       of a #include directive or unless it occurs in the context of a user
       name and is followed by one or more digits, in which case it is treated
       as a uid).  Both the comment character and any text after it, up to the
       end of the line, are ignored.

       The reserved word ALL is a built-in alias that always causes a match to
       succeed.  It can be used wherever one might otherwise use a Cmnd_Alias,
       User_Alias, Runas_Alias, or Host_Alias.  You should not try to define
       your own alias called ALL as the built-in alias will be used in
       preference to your own.  Please note that using ALL can be dangerous
       since in a command context, it allows the user to run any command on

       An exclamation point ('!') can be used as a logical not operator both
       in an alias and in front of a Cmnd.  This allows one to exclude certain
       values.  Note, however, that using a ! in conjunction with the built-in
       ALL alias to allow a user to run "all but a few" commands rarely works
       as intended (see SECURITY NOTES below).

       Long lines can be continued with a backslash ('\') as the last
       character on the line.

       Whitespace between elements in a list as well as special syntactic
       characters in a User Specification ('=', ':', '(', ')') is optional.

       The following characters must be escaped with a backslash ('\') when
       used as part of a word (e.g. a username or hostname): '@', '!', '=',
       ':', ',', '(', ')', '\'.

SUDOERS OPTIONS
       sudo's behavior can be modified by Default_Entry lines, as explained
       earlier.  A list of all supported Defaults parameters, grouped by type,

       Flags:

       always_set_home If set, sudo will set the HOME environment variable to
                       the home directory of the target user (which is root
                       unless the -u option is used).  This effectively means
                       that the -H option is always implied.  This flag is off

       authenticate    If set, users must authenticate themselves via a
                       password (or other means of authentication) before they
                       may run commands.  This default may be overridden via
                       the PASSWD and NOPASSWD tags.  This flag is on by
                       If set, the user may use sudo's -C option which
                       overrides the default starting point at which sudo
                       begins closing open file descriptors.  This flag is off

       env_editor      If set, visudo will use the value of the EDITOR or
                       VISUAL environment variables before falling back on the
                       default editor list.  Note that this may create a
                       security hole as it allows the user to run any
                       arbitrary command as root without logging.  A safer
                       alternative is to place a colon-separated list of
                       editors in the editor variable.  visudo will then only
                       use the EDITOR or VISUAL if they match a value
                       specified in editor.  This flag is off by default.

       env_reset       If set, sudo will reset the environment to only contain
                       the LOGNAME, SHELL, USER, USERNAME and the SUDO_*
                       variables.  Any variables in the caller's environment
                       that match the env_keep and env_check lists are then
                       added.  The default contents of the env_keep and
                       env_check lists are displayed when sudo is run by root
                       with the -V option.  If the secure_path option is set,
                       its value will be used for the PATH environment
                       variable.  This flag is on by default.

       fqdn            Set this flag if you want to put fully qualified
                       hostnames in the sudoers file.  I.e., instead of myhost
                       you would use myhost.mydomain.edu.  You may still use
                       the short form if you wish (and even mix the two).
                       Beware that turning on fqdn requires sudo to make DNS
                       lookups which may make sudo unusable if DNS stops
                       working (for example if the machine is not plugged into
                       the network).  Also note that you must use the host's
                       official name as DNS knows it.  That is, you may not
                       use a host alias (CNAME entry) due to performance
                       issues and the fact that there is no way to get all
                       aliases from DNS.  If your machine's hostname (as
                       returned by the hostname command) is already fully
                       qualified you shouldn't need to set fqdn.  This flag is
                       off by default.

       ignore_dot      If set, sudo will ignore '.' or '' (current dir) in the
                       PATH environment variable; the PATH itself is not
                       modified.  This flag is off by default.

                       If set via LDAP, parsing of /etc/sudoers will be
                       skipped.  This is intended for Enterprises that wish to
                       prevent the usage of local sudoers files so that only
                       LDAP is used.  This thwarts the efforts of rogue
                       operators who would attempt to add roles to
                       /etc/sudoers.  When this option is present,
                       /etc/sudoers does not even need to exist.  Since this
                       option tells sudo how to behave when no specific LDAP
                       entries have been matched, this sudoOption is only
                       meaningful for the cn=defaults section.  This flag is
                       off by default.

       insults         If set, sudo will insult users when they enter an
                       incorrect password.  This flag is off by default.

       log_host        If set, the hostname will be logged in the (non-syslog)
                       sudo log file.  This flag is off by default.

       log_year        If set, the four-digit year will be logged in the (non-
                       syslog) sudo log file.  This flag is off by default.

       long_otp_prompt When validating with a One Time Password (OTP) scheme
                       such as S/Key or OPIE, a two-line prompt is used to
                       make it easier to cut and paste the challenge to a
                       local window.  It's not as pretty as the default but
                       some people find it more convenient.  This flag is off

       mail_always     Send mail to the mailto user every time a user runs
                       sudo.  This flag is off by default.

       mail_badpass    Send mail to the mailto user if the user running sudo
                       does not enter the correct password.  This flag is off

       mail_no_host    If set, mail will be sent to the mailto user if the
                       invoking user exists in the sudoers file, but is not
                       allowed to run commands on the current host.  This flag
                       is off by default.

       mail_no_perms   If set, mail will be sent to the mailto user if the
                       invoking user is allowed to use sudo but the command
                       they are trying is not listed in their sudoers file
                       entry or is explicitly denied.  This flag is off by

       mail_no_user    If set, mail will be sent to the mailto user if the
                       invoking user is not in the sudoers file.  This flag is

       noexec          If set, all commands run via sudo will behave as if the
                       NOEXEC tag has been set, unless overridden by an EXEC
                       tag.  See the description of NOEXEC and EXEC above as
                       well as the "PREVENTING SHELL ESCAPES" section at the
                       end of this manual.  This flag is off by default.

       path_info       Normally, sudo will tell the user when a command could
                       not be found in their PATH environment variable.  Some
                       sites may wish to disable this as it could be used to
                       gather information on the location of executables that
                       the normal user does not have access to.  The
733 disadvantage is that if the executable is simply not in
734 the user's PATH, s
\bsu
\bud
\bdo
\bo will tell the user that they are
735 not allowed to run it, which can be confusing. This
736 flag is _
\bo_
\bn by default.
739 The password prompt specified by _
\bp_
\ba_
\bs_
\bs_
\bp_
\br_
\bo_
\bm_
\bp_
\bt will
740 normally only be used if the passwod prompt provided by
741 systems such as PAM matches the string "Password:". If
742 _
\bp_
\ba_
\bs_
\bs_
\bp_
\br_
\bo_
\bm_
\bp_
\bt_
\b__
\bo_
\bv_
\be_
\br_
\br_
\bi_
\bd_
\be is set, _
\bp_
\ba_
\bs_
\bs_
\bp_
\br_
\bo_
\bm_
\bp_
\bt will always be
743 used. This flag is _
\bo_
\bf_
\bf by default.
   preserve_groups
                  By default, sudo will initialize the group vector to
                  the list of groups the target user is in. When
                  preserve_groups is set, the user's existing group
                  vector is left unaltered. The real and effective group
                  IDs, however, are still set to match the target user.
                  This flag is off by default.

   pwfeedback     By default, sudo reads the password like most other
                  Unix programs, by turning off echo until the user hits
                  the return (or enter) key. Some users become confused
                  by this as it appears to them that sudo has hung at
                  this point. When pwfeedback is set, sudo will provide
                  visual feedback when the user presses a key. Note that
                  this does have a security impact as an onlooker may be
                  able to determine the length of the password being
                  entered. This flag is off by default.
   requiretty     If set, sudo will only run when the user is logged in
                  to a real tty. When this flag is set, sudo can only be
                  run from a login session and not via other means such
                  as cron(1m) or cgi-bin scripts. This flag is off by
                  default.
   root_sudo      If set, root is allowed to run sudo too. Disabling
                  this prevents users from "chaining" sudo commands to
                  get a root shell by doing something like "sudo sudo
                  /bin/sh". Note, however, that turning off root_sudo
                  will also prevent root from running sudoedit.
                  Disabling root_sudo provides no real additional
                  security; it exists purely for historical reasons.
                  This flag is on by default.
   rootpw         If set, sudo will prompt for the root password instead
                  of the password of the invoking user. This flag is off
                  by default.
   runaspw        If set, sudo will prompt for the password of the user
                  defined by the runas_default option (defaults to root)
                  instead of the password of the invoking user. This
                  flag is off by default.
   set_home       If set and sudo is invoked with the -s option the HOME
                  environment variable will be set to the home directory
                  of the target user (which is root unless the -u option
                  is used). This effectively makes the -s option imply
                  -H. This flag is off by default.
   set_logname    Normally, sudo will set the LOGNAME, USER and USERNAME
                  environment variables to the name of the target user
                  (usually root unless the -u option is given). However,
                  since some programs (including the RCS revision control
                  system) use LOGNAME to determine the real identity of
                  the user, it may be desirable to change this behavior.
                  This can be done by negating the set_logname option.
                  Note that if the env_reset option has not been
                  disabled, entries in the env_keep list will override
                  the value of set_logname. This flag is on by default.
   setenv         Allow the user to disable the env_reset option from the
                  command line. Additionally, environment variables set
                  via the command line are not subject to the
                  restrictions imposed by env_check, env_delete, or
                  env_keep. As such, only trusted users should be
                  allowed to set variables in this manner. This flag is
                  off by default.
   shell_noargs   If set and sudo is invoked with no arguments it acts as
                  if the -s option had been given. That is, it runs a
                  shell as root (the shell is determined by the SHELL
                  environment variable if it is set, falling back on the
                  shell listed in the invoking user's /etc/passwd entry
                  if not). This flag is off by default.
   fast_glob      Normally, sudo uses the glob(3) function to do shell-
                  style globbing when matching pathnames. However, since
                  it accesses the file system, glob(3) can take a long
                  time to complete for some patterns, especially when the
                  pattern references a network file system that is
                  mounted on demand (automounted). The fast_glob option
                  causes sudo to use the fnmatch(3) function, which does
                  not access the file system to do its matching. The
                  disadvantage of fast_glob is that it is unable to match
                  relative pathnames such as ./ls or ../bin/ls. This
                  flag is off by default.
   stay_setuid    Normally, when sudo executes a command the real and
                  effective UIDs are set to the target user (root by
                  default). This option changes that behavior such that
                  the real UID is left as the invoking user's UID. In
                  other words, this makes sudo act as a setuid wrapper.
                  This can be useful on systems that disable some
                  potentially dangerous functionality when a program is
                  run setuid. This option is only effective on systems
                  with either the setreuid() or setresuid() function.
                  This flag is off by default.
   targetpw       If set, sudo will prompt for the password of the user
                  specified by the -u option (defaults to root) instead
                  of the password of the invoking user. Note that this
                  precludes the use of a uid not listed in the passwd
                  database as an argument to the -u option. This flag is
                  off by default.

   tty_tickets    If set, users must authenticate on a per-tty basis.
                  Normally, sudo uses a directory in the ticket dir with
                  the same name as the user running it. With this flag
                  enabled, sudo will use a file named for the tty the
                  user is logged in on in that directory. This flag is
                  off by default.
   umask_override If set, sudo will set the umask as specified by sudoers
                  without modification. This makes it possible to
                  specify a more permissive umask in sudoers than the
                  user's own umask and matches historical behavior. If
                  umask_override is not set, sudo will set the umask to
                  be the union of the user's umask and what is specified
                  in sudoers. This flag is off by default.
   use_loginclass If set, sudo will apply the defaults specified for the
                  target user's login class if one exists. Only
                  available if sudo is configured with the
                  --with-logincap option. This flag is off by default.

   visiblepw      By default, sudo will refuse to run if the user must
                  enter a password but it is not possible to disable echo
                  on the terminal. If the visiblepw flag is set, sudo
                  will prompt for a password even when it would be
                  visible on the screen. This makes it possible to run
                  things like "rsh somehost sudo ls" since rsh(1) does
                  not allocate a tty. This flag is off by default.
   Integers:

   closefrom      Before it executes a command, sudo will close all open
                  file descriptors other than standard input, standard
                  output and standard error (ie: file descriptors 0-2).
                  The closefrom option can be used to specify a different
                  file descriptor at which to start closing. The default
                  is 3.

   passwd_tries   The number of tries a user gets to enter his/her
                  password before sudo logs the failure and exits. The
                  default is 3.
   Integers that can be used in a boolean context:

   loglinelen     Number of characters per line for the file log. This
                  value is used to decide when to wrap lines for nicer
                  log files. This has no effect on the syslog log file,
                  only the file log. The default is 80 (use 0 or negate
                  the option to disable word wrap).

   passwd_timeout Number of minutes before the sudo password prompt times
                  out. The default is 5; set this to 0 for no password
                  timeout.

   timestamp_timeout
                  Number of minutes that can elapse before sudo will ask
                  for a password again. The default is 5. Set this to 0
                  to always prompt for a password. If set to a value
                  less than 0 the user's timestamp will never expire.
                  This can be used to allow users to create or delete
                  their own timestamps via sudo -v and sudo -k
                  respectively.
   umask          Umask to use when running the command. Negate this
                  option or set it to 0777 to preserve the user's umask.
                  Unless umask_override is set, the actual umask that is
                  used will be the union of the user's umask and the
                  value specified here (0022 by default). This
                  guarantees that sudo never lowers the umask when
                  running a command. Note on systems that use PAM, the
                  default PAM configuration may specify its own umask
                  which will override the value set in sudoers.
   Strings:

   badpass_message
                  Message that is displayed if a user enters an incorrect
                  password. The default is Sorry, try again. unless
                  insults are enabled.

   editor         A colon (':') separated list of editors allowed to be
                  used with visudo. visudo will choose the editor that
                  matches the user's EDITOR environment variable if
                  possible, or the first editor in the list that exists
                  and is executable. The default is the path to vi on
                  your system.
   mailsub        Subject of the mail sent to the mailto user. The escape
                  %h will expand to the hostname of the machine. Default
                  is *** SECURITY information for %h ***.

   noexec_file    Path to a shared library containing dummy versions of
                  the execv(), execve() and fexecve() library functions
                  that just return an error. This is used to implement
                  the noexec functionality on systems that support
                  LD_PRELOAD or its equivalent. Defaults to
                  /usr/local/libexec/sudo_noexec.so.
   passprompt     The default prompt to use when asking for a password;
                  can be overridden via the -p option or the SUDO_PROMPT
                  environment variable. The following percent (`%')
                  escapes are supported:

                  %H  expanded to the local hostname including the domain
                      name (only if the machine's hostname is fully
                      qualified or the fqdn option is set)

                  %h  expanded to the local hostname without the domain
                      name

                  %p  expanded to the user whose password is being asked
                      for (respects the rootpw, targetpw and runaspw
                      flags in sudoers)

                  %U  expanded to the login name of the user the command
                      will be run as (defaults to root)

                  %u  expanded to the invoking user's login name

                  %%  two consecutive % characters are collapsed into a
                      single % character

                  The default value is Password:.
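   The escape rules above, as an added example that is not part of this
   manual page or of sudo's own source: a small Python expander for a
   passprompt string. It assumes the precedence rootpw, then runaspw, then
   targetpw when deciding whose name %p produces (the page lists the three
   flags without stating an order), and it takes the hostname and, when the
   fqdn option is on, the already-resolved fully qualified name as
   parameters instead of looking them up. All sample values are
   constructed.

```python
def expand_passprompt(prompt, host, invoking_user, runas_user="root",
                      runas_default="root", fqdn=None,
                      rootpw=False, runaspw=False, targetpw=False):
    """Expand the % escapes of a sudoers passprompt string.

    host          local hostname as returned by gethostname(2); it may or
                  may not be fully qualified
    fqdn          the resolved fully qualified name when the sudoers fqdn
                  option is on, otherwise None
    runas_user    the user named by -u (defaults to root)
    runas_default the runas_default option
    rootpw/runaspw/targetpw
                  the sudoers flags that change whose password is asked
                  for; the precedence below is an assumption of this
                  example, not something the manual states
    """
    # %p: whose password is being requested
    if rootpw:
        pw_user = "root"
    elif runaspw:
        pw_user = runas_default
    elif targetpw:
        pw_user = runas_user
    else:
        pw_user = invoking_user

    # %H keeps the domain part only if the name is fully qualified or the
    # fqdn option supplied one; %h is always the short name.
    long_host = fqdn if fqdn else host
    short_host = long_host.split(".", 1)[0]

    escapes = {
        "H": long_host,
        "h": short_host,
        "p": pw_user,
        "U": runas_user,
        "u": invoking_user,
        "%": "%",
    }

    out = []
    i = 0
    while i < len(prompt):
        ch = prompt[i]
        if ch == "%" and i + 1 < len(prompt) and prompt[i + 1] in escapes:
            out.append(escapes[prompt[i + 1]])
            i += 2          # consume the escape; "%%" yields a single "%"
        else:
            out.append(ch)  # plain text and unknown escapes pass through
            i += 1
    return "".join(out)


if __name__ == "__main__":
    # Constructed sample values, not taken from a real system.
    print(expand_passprompt("[%u@%h] %p's password (running as %U): ",
                            host="shanty.example.com", invoking_user="aaron",
                            runas_user="operator", targetpw=True))
```

   A prompt passed through -p or SUDO_PROMPT goes through the same
   expansion, so a user-supplied prompt may contain these escapes too.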
   runas_default  The default user to run commands as if the -u option is
                  not specified on the command line. This defaults to
                  root. Note that if runas_default is set it must occur
                  before any Runas_Alias specifications.

   syslog_badpri  Syslog priority to use when user authenticates
                  unsuccessfully. Defaults to alert.

   syslog_goodpri Syslog priority to use when user authenticates
                  successfully. Defaults to notice.

   sudoers_locale Locale to use when parsing the sudoers file. Note that
                  changing the locale may affect how sudoers is
                  interpreted. Defaults to "C".

   timestampdir   The directory in which sudo stores its timestamp files.
                  The default is /var/run/sudo.

   timestampowner The owner of the timestamp directory and the timestamps
                  stored therein. The default is root.
   Strings that can be used in a boolean context:

   askpass        The askpass option specifies the fully qualified path to
                  a helper program used to read the user's password when
                  no terminal is available. This may be the case when
                  sudo is executed from a graphical (as opposed to
                  text-based) application. The program specified by
                  askpass should display the argument passed to it as the
                  prompt and write the user's password to the standard
                  output. The value of askpass may be overridden by the
                  SUDO_ASKPASS environment variable.
   env_file       The env_file option specifies the fully qualified path
                  to a file containing variables to be set in the
                  environment of the program being run. Entries in this
                  file should either be of the form VARIABLE=value or
                  export VARIABLE=value. The value may optionally be
                  surrounded by single or double quotes. Variables in
                  this file are subject to other sudo environment
                  settings such as env_keep and env_check.

   exempt_group   Users in this group are exempt from password and PATH
                  requirements. This is not set by default.
   lecture        This option controls when a short lecture will be
                  printed along with the password prompt. It has the
                  following possible values:

                  always  Always lecture the user.

                  never   Never lecture the user.

                  once    Only lecture the user the first time they run
                          sudo.

                  If no value is specified, a value of once is implied.
                  Negating the option results in a value of never being
                  used. The default value is once.

   lecture_file   Path to a file containing an alternate sudo lecture
                  that will be used in place of the standard lecture if
                  the named file exists. By default, sudo uses a built-in
                  lecture.
   listpw         This option controls when a password will be required
                  when a user runs sudo with the -l option. It has the
                  following possible values:

                  all     All the user's sudoers entries for the current
                          host must have the NOPASSWD flag set to avoid
                          entering a password.

                  always  The user must always enter a password to use
                          the -l option.

                  any     At least one of the user's sudoers entries for
                          the current host must have the NOPASSWD flag
                          set to avoid entering a password.

                  never   The user need never enter a password to use the
                          -l option.

                  If no value is specified, a value of any is implied.
                  Negating the option results in a value of never being
                  used. The default value is any.
   logfile        Path to the sudo log file (not the syslog log file).
                  Setting a path turns on logging to a file; negating
                  this option turns it off. By default, sudo logs via
                  syslog.

   mailerflags    Flags to use when invoking mailer. Defaults to -t.

   mailerpath     Path to mail program used to send warning mail.
                  Defaults to the path to sendmail found at configure
                  time.

   mailfrom       Address to use for the "from" address when sending
                  warning and error mail. The address should be enclosed
                  in double quotes (") to protect against sudo
                  interpreting the @ sign. Defaults to the name of the
                  user running sudo.

   mailto         Address to send warning and error mail to. The address
                  should be enclosed in double quotes (") to protect
                  against sudo interpreting the @ sign. Defaults to root.
   secure_path    Path used for every command run from sudo. If you don't
                  trust the people running sudo to have a sane PATH
                  environment variable you may want to use this. Another
                  use is if you want to have the "root path" be separate
                  from the "user path." Users in the group specified by
                  the exempt_group option are not affected by
                  secure_path. This is not set by default.

   syslog         Syslog facility if syslog is being used for logging
                  (negate to disable syslog logging). Defaults to local2.
   verifypw       This option controls when a password will be required
                  when a user runs sudo with the -v option. It has the
                  following possible values:

                  all     All the user's sudoers entries for the current
                          host must have the NOPASSWD flag set to avoid
                          entering a password.

                  always  The user must always enter a password to use
                          the -v option.

                  any     At least one of the user's sudoers entries for
                          the current host must have the NOPASSWD flag
                          set to avoid entering a password.

                  never   The user need never enter a password to use the
                          -v option.

                  If no value is specified, a value of all is implied.
                  Negating the option results in a value of never being
                  used. The default value is all.
   Lists that can be used in a boolean context:

   env_check      Environment variables to be removed from the user's
                  environment if the variable's value contains % or /
                  characters. This can be used to guard against
                  printf-style format vulnerabilities in poorly-written
                  programs. The argument may be a double-quoted, space-
                  separated list or a single value without double-quotes.
                  The list can be replaced, added to, deleted from, or
                  disabled by using the =, +=, -=, and ! operators
                  respectively. Regardless of whether the env_reset
                  option is enabled or disabled, variables specified by
                  env_check will be preserved in the environment if they
                  pass the aforementioned check. The default list of
                  environment variables to check is displayed when sudo
                  is run by root with the -V option.

   env_delete     Environment variables to be removed from the user's
                  environment when the env_reset option is not in effect.
                  The argument may be a double-quoted, space-separated
                  list or a single value without double-quotes. The list
                  can be replaced, added to, deleted from, or disabled by
                  using the =, +=, -=, and ! operators respectively. The
                  default list of environment variables to remove is
                  displayed when sudo is run by root with the -V option.
                  Note that many operating systems will remove
                  potentially dangerous variables from the environment of
                  any setuid process (such as sudo).

   env_keep       Environment variables to be preserved in the user's
                  environment when the env_reset option is in effect.
                  This allows fine-grained control over the environment
                  sudo-spawned processes will receive. The argument may
                  be a double-quoted, space-separated list or a single
                  value without double-quotes. The list can be replaced,
                  added to, deleted from, or disabled by using the =, +=,
                  -=, and ! operators respectively. The default list of
                  variables to keep is displayed when sudo is run by root
                  with the -V option.
   When logging via syslog(3), sudo accepts the following values for the
   syslog facility (the value of the syslog Parameter): authpriv (if your
   OS supports it), auth, daemon, user, local0, local1, local2, local3,
   local4, local5, local6, and local7. The following syslog priorities
   are supported: alert, crit, debug, emerg, err, info, notice, and
   warning.
FILES
   /etc/sudoers             List of who can run what

   /etc/group               Local groups file

   /etc/netgroup            List of network groups
EXAMPLES
   Below are example sudoers entries. Admittedly, some of these are a bit
   contrived. First, we define our aliases:

    # User alias specification
    User_Alias     FULLTIMERS = millert, mikef, dowdy
    User_Alias     PARTTIMERS = bostley, jwfox, crawl
    User_Alias     WEBMASTERS = will, wendy, wim

    # Runas alias specification
    Runas_Alias    OP = root, operator
    Runas_Alias    DB = oracle, sybase
    Runas_Alias    ADMINGRP = adm, oper

    # Host alias specification
    Host_Alias     SPARC = bigtime, eclipse, moet, anchor :\
                   SGI = grolsch, dandelion, black :\
                   ALPHA = widget, thalamus, foobar :\
                   HPPA = boa, nag, python
    Host_Alias     CUNETS = 128.138.0.0/255.255.0.0
    Host_Alias     CSNETS = 128.138.243.0, 128.138.204.0/24, 128.138.242.0
    Host_Alias     SERVERS = master, mail, www, ns
    Host_Alias     CDROM = orion, perseus, hercules

    # Cmnd alias specification
    Cmnd_Alias     DUMPS = /usr/bin/mt, /usr/sbin/dump, /usr/sbin/rdump,\
                           /usr/sbin/restore, /usr/sbin/rrestore
    Cmnd_Alias     KILL = /usr/bin/kill
    Cmnd_Alias     PRINTING = /usr/sbin/lpc, /usr/bin/lprm
    Cmnd_Alias     SHUTDOWN = /usr/sbin/shutdown
    Cmnd_Alias     HALT = /usr/sbin/halt
    Cmnd_Alias     REBOOT = /usr/sbin/reboot
    Cmnd_Alias     SHELLS = /usr/bin/sh, /usr/bin/csh, /usr/bin/ksh, \
                            /usr/local/bin/tcsh, /usr/bin/rsh, \
    Cmnd_Alias     SU = /usr/bin/su
    Cmnd_Alias     PAGERS = /usr/bin/more, /usr/bin/pg, /usr/bin/less
   Here we override some of the compiled in default values. We want sudo
   to log via syslog(3) using the auth facility in all cases. We don't
   want to subject the full time staff to the sudo lecture, user millert
   need not give a password, and we don't want to reset the LOGNAME, USER
   or USERNAME environment variables when running commands as root.
   Additionally, on the machines in the SERVERS Host_Alias, we keep an
   additional local log file and make sure we log the year in each log
   line since the log entries will be kept around for several years.
   Lastly, we disable shell escapes for the commands in the PAGERS
   Cmnd_Alias (/usr/bin/more, /usr/bin/pg and /usr/bin/less).

    # Override built-in defaults
    Defaults               syslog=auth
    Defaults>root          !set_logname
    Defaults:FULLTIMERS    !lecture
    Defaults:millert       !authenticate
    Defaults@SERVERS       log_year, logfile=/var/log/sudo.log
    Defaults!PAGERS        noexec
   The User specification is the part that actually determines who may run
   what.

    root           ALL = (ALL) ALL
    %wheel         ALL = (ALL) ALL

   We let root and any user in group wheel run any command on any host as
   any user.
    FULLTIMERS     ALL = NOPASSWD: ALL

   Full time sysadmins (millert, mikef, and dowdy) may run any command on
   any host without authenticating themselves.

    PARTTIMERS     ALL = ALL

   Part time sysadmins (bostley, jwfox, and crawl) may run any command on
   any host but they must authenticate themselves first (since the entry
   lacks the NOPASSWD tag).
    jack           CSNETS = ALL

   The user jack may run any command on the machines in the CSNETS alias
   (the networks 128.138.243.0, 128.138.204.0, and 128.138.242.0). Of
   those networks, only 128.138.204.0 has an explicit netmask (in CIDR
   notation) indicating it is a class C network. For the other networks
   in CSNETS, the local machine's netmask will be used during matching.

    lisa           CUNETS = ALL

   The user lisa may run any command on any host in the CUNETS alias (the
   class B network 128.138.0.0).
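   As an added illustration (not sudo's code and not part of this manual
   page) of how the CSNETS and CUNETS entries are matched, the Python
   below parses a Host_Alias value made of bare addresses, CIDR prefixes,
   dotted netmasks and hostnames, then tests a machine against it,
   applying the local machine's netmask to entries that carry none. The
   netmasks, addresses and hostnames are constructed for the example;
   hostname comparison is a plain case-insensitive string compare, which
   is a simplification. The last two CSNETS checks show the caveat from
   the text: the same entry matches a different set of hosts when the
   local netmask is /16 instead of /24.

```python
import ipaddress


def parse_host_list(spec, local_netmask):
    """Split a Host_Alias value into IP networks and plain hostnames.

    Entries such as 128.138.204.0/24 or 128.138.0.0/255.255.0.0 carry
    their own mask.  A bare address such as 128.138.243.0 is combined
    with local_netmask, the netmask of the machine doing the matching.
    """
    networks, hostnames = [], []
    for item in spec.split(","):
        item = item.strip()
        if not item:
            continue
        try:
            if "/" in item:
                networks.append(ipaddress.ip_network(item, strict=False))
            else:
                ipaddress.ip_address(item)          # raises if not an address
                networks.append(ipaddress.ip_network(
                    f"{item}/{local_netmask}", strict=False))
        except ValueError:
            hostnames.append(item.lower())          # a hostname, not an address
    return networks, hostnames


def host_matches(spec, local_netmask, hostname, addresses):
    """True if this machine (by name or by any of its addresses) is in spec."""
    networks, hostnames = parse_host_list(spec, local_netmask)
    if hostname.lower() in hostnames:
        return True
    return any(ipaddress.ip_address(addr) in net
               for addr in addresses for net in networks)


# Constructed sample values mirroring the EXAMPLES aliases.
CSNETS = "128.138.243.0, 128.138.204.0/24, 128.138.242.0"
CUNETS = "128.138.0.0/255.255.0.0"
SERVERS = "master, mail, www, ns"

if __name__ == "__main__":
    for mask in ("255.255.255.0", "255.255.0.0"):
        print("local netmask", mask, "-> 128.138.205.1 in CSNETS:",
              host_matches(CSNETS, mask, "box", ["128.138.205.1"]))
```

   Because the bare entries inherit whatever netmask the local interface
   happens to have, a host with a wider mask matches more of the network
   than intended; giving every network entry an explicit mask removes
   that dependency.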
    operator       ALL = DUMPS, KILL, SHUTDOWN, HALT, REBOOT, PRINTING,\
                   sudoedit /etc/printcap, /usr/oper/bin/

   The operator user may run commands limited to simple maintenance.
   Here, those are commands related to backups, killing processes, the
   printing system, shutting down the system, editing /etc/printcap with
   sudoedit, and any commands in the directory /usr/oper/bin/.

    joe            ALL = /usr/bin/su operator

   The user joe may only su(1) to operator.
    pete           HPPA = /usr/bin/passwd [A-Za-z]*, !/usr/bin/passwd root

   The user pete is allowed to change anyone's password except for root on
   the HPPA machines. Note that this assumes passwd(1) does not take
   multiple usernames on the command line.

    %opers         ALL = (: ADMINGRP) /usr/sbin/

   Users in the opers group may run commands in /usr/sbin/ as themselves
   with any group in the ADMINGRP Runas_Alias (the adm and oper groups).
    bob            SPARC = (OP) ALL : SGI = (OP) ALL

   The user bob may run anything on the SPARC and SGI machines as any user
   listed in the OP Runas_Alias (root and operator).

    jim            +biglab = ALL

   The user jim may run any command on machines in the biglab netgroup.
   sudo knows that "biglab" is a netgroup due to the '+' prefix.

    +secretaries   ALL = PRINTING, /usr/bin/adduser, /usr/bin/rmuser

   Users in the secretaries netgroup need to help manage the printers as
   well as add and remove users, so they are allowed to run those commands
   on all machines.
    fred           ALL = (DB) NOPASSWD: ALL

   The user fred can run commands as any user in the DB Runas_Alias
   (oracle or sybase) without giving a password.

    john           ALPHA = /usr/bin/su [!-]*, !/usr/bin/su *root*

   On the ALPHA machines, user john may su to anyone except root but he is
   not allowed to specify any options to the su(1) command.

    jen            ALL, !SERVERS = ALL

   The user jen may run any command on any machine except for those in the
   SERVERS Host_Alias (master, mail, www and ns).

    jill           SERVERS = /usr/bin/, !SU, !SHELLS

   For any machine in the SERVERS Host_Alias, jill may run any commands in
   the directory /usr/bin/ except for those commands belonging to the SU
   and SHELLS Cmnd_Aliases.

    steve          CSNETS = (operator) /usr/local/op_commands/

   The user steve may run any command in the directory
   /usr/local/op_commands/ but only as user operator.

    matt           valkyrie = KILL

   On his personal workstation, valkyrie, matt needs to be able to kill
   hung processes.

    WEBMASTERS     www = (www) ALL, (root) /usr/bin/su www

   On the host www, any user in the WEBMASTERS User_Alias (will, wendy,
   and wim), may run any command as user www (which owns the web pages) or
   simply su(1) to www.

    ALL            CDROM = NOPASSWD: /sbin/umount /CDROM,\
                   /sbin/mount -o nosuid\,nodev /dev/cd0a /CDROM

   Any user may mount or unmount a CD-ROM on the machines in the CDROM
   Host_Alias (orion, perseus, hercules) without entering a password.
   This is a bit tedious for users to type, so it is a prime candidate for
   encapsulating in a shell script.
SECURITY NOTES
   It is generally not effective to "subtract" commands from ALL using the
   '!' operator. A user can trivially circumvent this by copying the
   desired command to a different name and then executing that. For
   example:

    bill           ALL = ALL, !SU, !SHELLS

   Doesn't really prevent bill from running the commands listed in SU or
   SHELLS since he can simply copy those commands to a different name, or
   use a shell escape from an editor or other program. Therefore, this
   kind of restriction should be considered advisory at best (and
   reinforced by policy).
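   To make the point concrete, here is an added Python model (not sudo's
   own matcher and not part of this manual page) of how a command list
   such as bill's is evaluated: every element is tried in order, the last
   one that matches decides, and a command is identified by the pathname
   sudo resolved for it. It expands the SU and SHELLS aliases from the
   EXAMPLES section by hand, supports ALL, exact paths, directory entries
   ending in '/', and fnmatch-style argument patterns, and leaves out the
   filesystem glob and the "\," escape that real sudoers syntax also
   allows. The pathnames used in the checks are constructed.

```python
import fnmatch
import posixpath

# The two Cmnd_Aliases from the EXAMPLES section, expanded by hand.
CMND_ALIASES = {
    "SU": ["/usr/bin/su"],
    "SHELLS": ["/usr/bin/sh", "/usr/bin/csh", "/usr/bin/ksh",
               "/usr/local/bin/tcsh", "/usr/bin/rsh"],
}


def parse_cmnd_list(spec):
    """Turn 'ALL, !SU, /usr/bin/passwd [A-Za-z]*' into a list of
    (negated, path, args) tuples.  args is None when any arguments are
    allowed and '' when the entry was written with "" (no arguments)."""
    entries = []
    for raw in spec.split(","):
        raw = raw.strip()
        bangs = len(raw) - len(raw.lstrip("!"))
        negated = bangs % 2 == 1            # an even number of '!' cancels
        raw = raw[bangs:].strip()
        if raw in CMND_ALIASES:
            entries += [(negated, path, None) for path in CMND_ALIASES[raw]]
            continue
        parts = raw.split(None, 1)
        args = parts[1] if len(parts) > 1 else None
        if args == '""':
            args = ""
        entries.append((negated, parts[0], args))
    return entries


def cmnd_matches(path_spec, args_spec, cmd, cmd_args):
    """cmd is the fully resolved pathname sudo found for the command."""
    if path_spec == "ALL":
        return True
    if path_spec.endswith("/"):
        # A directory entry matches files directly in it, not in
        # subdirectories.
        if posixpath.dirname(cmd) + "/" != path_spec:
            return False
    elif cmd != path_spec:
        return False
    if args_spec is None:
        return True
    if args_spec == "":
        return cmd_args == ""
    # Arguments are matched as one string with shell-style wildcards,
    # so '*' also matches spaces.
    return fnmatch.fnmatchcase(cmd_args, args_spec)


def allowed(entries, cmd, cmd_args=""):
    """Evaluate the list in order; the last matching entry wins.
    No match at all means the command is not permitted."""
    verdict = None
    for negated, path_spec, args_spec in entries:
        if cmnd_matches(path_spec, args_spec, cmd, cmd_args):
            verdict = not negated
    return bool(verdict)


if __name__ == "__main__":
    bill = parse_cmnd_list("ALL, !SU, !SHELLS")
    # The listed shell is refused because !SHELLS is the last match...
    print(allowed(bill, "/usr/bin/sh"))              # False
    # ...but a copy of it under another name only matches ALL.
    print(allowed(bill, "/home/bill/notashell"))     # True
```

   The same evaluation also shows why pete's entry depends on passwd(1)
   taking a single name: "passwd root alice" matches the [A-Za-z]*
   pattern and not the literal "root" exclusion, so it is permitted.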
PREVENTING SHELL ESCAPES
   Once sudo executes a program, that program is free to do whatever it
   pleases, including run other programs. This can be a security issue
   since it is not uncommon for a program to allow shell escapes, which
   lets a user bypass sudo's access control and logging. Common programs
   that permit shell escapes include shells (obviously), editors,
   paginators, mail and terminal programs.

   There are two basic approaches to this problem:

   restrict  Avoid giving users access to commands that allow the user to
             run arbitrary commands. Many editors have a restricted mode
             where shell escapes are disabled, though sudoedit is a better
             solution to running editors via sudo. Due to the large
             number of programs that offer shell escapes, restricting
             users to the set of programs that do not is often unworkable.
   noexec    Many systems that support shared libraries have the ability
             to override default library functions by pointing an
             environment variable (usually LD_PRELOAD) to an alternate
             shared library. On such systems, sudo's noexec functionality
             can be used to prevent a program run by sudo from executing
             any other programs. Note, however, that this applies only to
             native dynamically-linked executables. Statically-linked
             executables and foreign executables running under binary
             emulation are not affected.

             To tell whether or not sudo supports noexec, you can run the
             following:

              sudo -V | grep "dummy exec"

             If the resulting output contains a line that begins with:

              File containing dummy exec functions:

             then sudo may be able to replace the exec family of functions
             in the standard library with its own that simply return an
             error. Unfortunately, there is no foolproof way to know
             whether or not noexec will work at compile-time. noexec
             should work on SunOS, Solaris, *BSD, Linux, IRIX, Tru64 UNIX,
             MacOS X, and HP-UX 11.x. It is known not to work on AIX and
             UnixWare. noexec is expected to work on most operating
             systems that support the LD_PRELOAD environment variable.
             Check your operating system's manual pages for the dynamic
             linker (usually ld.so, ld.so.1, dyld, dld.sl, rld, or loader)
             to see if LD_PRELOAD is supported.
1541 To enable _
\bn_
\bo_
\be_
\bx_
\be_
\bc for a command, use the NOEXEC tag as
1542 documented in the User Specification section above. Here is
1545 aaron shanty = NOEXEC: /usr/bin/more, /usr/bin/vi
1547 This allows user a
\baa
\bar
\bro
\bon
\bn to run _
\b/_
\bu_
\bs_
\br_
\b/_
\bb_
\bi_
\bn_
\b/_
\bm_
\bo_
\br_
\be and _
\b/_
\bu_
\bs_
\br_
\b/_
\bb_
\bi_
\bn_
\b/_
\bv_
\bi
1548 with _
\bn_
\bo_
\be_
\bx_
\be_
\bc enabled. This will prevent those two commands
1549 from executing other commands (such as a shell). If you are
1550 unsure whether or not your system is capable of supporting
1551 _
\bn_
\bo_
\be_
\bx_
\be_
\bc you can always just try it out and see if it works.
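The "dummy exec" mechanism described under noexec, as an added example: illustrative code written for this page, not sudo's own sudo_noexec.so.  It assumes an ELF system whose dynamic linker honours LD_PRELOAD, and the build and usage commands in its header comment are assumptions, not from the page.  It goes slightly beyond the text in also covering system(3) and popen(3), which spawn a shell without passing through an interposable execve():

```c
/*
 * Added example, not sudo's own sudo_noexec.so: the "dummy exec" technique
 * the page describes, as an LD_PRELOAD library.  Assumes an ELF system
 * whose dynamic linker honours LD_PRELOAD (written against Linux/glibc).
 *
 * Assumed build and use (not from the page):
 *   cc -shared -fPIC -o noexec.so noexec.c
 *   LD_PRELOAD=./noexec.so vi     # ":!sh" now fails with "Permission denied"
 */
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

/*
 * Every interposed entry point lands here.  Nothing is executed; the
 * caller just sees a failed exec, as it would for a missing binary,
 * and carries on (or aborts) by itself.
 */
static int noexec_refuse(void)
{
    errno = EACCES;
    return -1;
}

/* exec(3) family: the program's calls resolve to these, not to libc's. */
int execve(const char *path, char *const argv[], char *const envp[])
{
    (void)path; (void)argv; (void)envp;
    return noexec_refuse();
}

int execv(const char *path, char *const argv[])
{
    (void)path; (void)argv;
    return noexec_refuse();
}

int execvp(const char *file, char *const argv[])
{
    (void)file; (void)argv;
    return noexec_refuse();
}

int execl(const char *path, const char *arg, ...)
{
    (void)path; (void)arg;
    return noexec_refuse();
}

int execlp(const char *file, const char *arg, ...)
{
    (void)file; (void)arg;
    return noexec_refuse();
}

int execle(const char *path, const char *arg, ...)
{
    (void)path; (void)arg;
    return noexec_refuse();
}

/*
 * system(3) and popen(3) spawn /bin/sh through libc-internal entry points
 * that an interposed execve() never sees, so they must be replaced too.
 */
int system(const char *command)
{
    (void)command;
    return noexec_refuse();
}

FILE *popen(const char *command, const char *mode)
{
    (void)command; (void)mode;
    errno = EACCES;
    return NULL;
}

int main(void)
{
    /* Linked into a program directly, this behaves as it does when preloaded. */
    if (execl("/bin/sh", "sh", "-c", "id", (char *)0) == -1)
        perror("execl /bin/sh");      /* "Permission denied", and no shell */
    return 0;
}
```

The limits the page lists still apply: a statically linked program, or one that issues the execve system call directly instead of going through libc, never reaches these functions, so noexec cannot stop it.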
Note that restricting shell escapes is not a panacea.  Programs running
as root are still capable of many potentially hazardous operations
(such as changing or overwriting files) that could lead to unintended
privilege escalation.  In the specific case of an editor, a safer
approach is to give the user permission to run sudoedit.
SEE ALSO
rsh(1), su(1), fnmatch(3), glob(3), sudo(1m), visudo(8)
CAVEATS
The sudoers file should always be edited by the visudo command, which
locks the file and does grammatical checking.  It is imperative that
sudoers be free of syntax errors since sudo will not run with a
syntactically incorrect sudoers file.  visudo's -c option checks an
existing sudoers file for syntax errors without editing it.

When using netgroups of machines (as opposed to users), if you store
fully qualified hostnames in the netgroup (as is usually the case), you
either need to have the machine's hostname be fully qualified as
returned by the hostname command or use the fqdn option in sudoers.
If you feel you have found a bug in sudo, please submit a bug report at
http://www.sudo.ws/sudo/bugs/
SUPPORT
Limited free support is available via the sudo-users mailing list, see
http://www.sudo.ws/mailman/listinfo/sudo-users to subscribe or search
DISCLAIMER
sudo is provided ``AS IS'' and any express or implied warranties,
including, but not limited to, the implied warranties of
merchantability and fitness for a particular purpose are disclaimed.
See the LICENSE file distributed with sudo or
http://www.sudo.ws/sudo/license.html for complete details.