SUDOERS(4)                    MAINTENANCE COMMANDS                    SUDOERS(4)

NAME
       sudoers - list of which users may execute what

DESCRIPTION
       The sudoers file is composed of two types of entries: aliases
       (basically variables) and user specifications (which specify who may

       When multiple entries match for a user, they are applied in order.
       Where there are multiple matches, the last match is used (which is not
       necessarily the most specific match).

       The sudoers grammar will be described below in Extended Backus-Naur
       Form (EBNF).  Don't despair if you don't know what EBNF is; it is
       fairly simple, and the definitions below are annotated.
   Quick guide to EBNF
       EBNF is a concise and exact way of describing the grammar of a
       language.  Each EBNF definition is made up of production rules.  E.g.,

           symbol ::= definition | alternate1 | alternate2 ...

       Each production rule references others and thus makes up a grammar for
       the language.  EBNF also contains the following operators, which many
       readers will recognize from regular expressions.  Do not, however,
       confuse them with "wildcard" characters, which have different meanings.

       ?   Means that the preceding symbol (or group of symbols) is optional.
           That is, it may appear once or not at all.

       *   Means that the preceding symbol (or group of symbols) may appear

       +   Means that the preceding symbol (or group of symbols) may appear

       Parentheses may be used to group symbols together.  For clarity, we
       will use single quotes ('') to designate what is a verbatim character
       string (as opposed to a symbol name).
   Aliases
       There are four kinds of aliases: User_Alias, Runas_Alias, Host_Alias

           Alias ::= 'User_Alias'  User_Alias (':' User_Alias)* |
                     'Runas_Alias' Runas_Alias (':' Runas_Alias)* |
                     'Host_Alias'  Host_Alias (':' Host_Alias)* |
                     'Cmnd_Alias'  Cmnd_Alias (':' Cmnd_Alias)*

           User_Alias ::= NAME '=' User_List

           Runas_Alias ::= NAME '=' Runas_List

           Host_Alias ::= NAME '=' Host_List

1.7.2p2                        November 24, 2009                              1

           Cmnd_Alias ::= NAME '=' Cmnd_List

           NAME ::= [A-Z]([A-Z][0-9]_)*

       Each alias definition is of the form

           Alias_Type NAME = item1, item2, ...

       where Alias_Type is one of User_Alias, Runas_Alias, Host_Alias, or
       Cmnd_Alias.  A NAME is a string of uppercase letters, numbers, and
       underscore characters ('_').  A NAME must start with an uppercase
       letter.  It is possible to put several alias definitions of the same
       type on a single line, joined by a colon (':').  E.g.,

           Alias_Type NAME = item1, item2, item3 : NAME = item4, item5

       The definitions of what constitutes a valid alias member follow.

           User ::= '!'* username |
                    '!'* '%:'nonunix_group |

       A User_List is made up of one or more usernames, uids (prefixed with
       '#'), system groups (prefixed with '%'), netgroups (prefixed with '+')
       and User_Aliases.  Each list item may be prefixed with zero or more '!'
       operators.  An odd number of '!' operators negate the value of the
       item; an even number just cancel each other out.

       A username, group, netgroup and nonunix_groups may be enclosed in
       double quotes to avoid the need for escaping special characters.
       Alternately, special characters may be specified in escaped hex mode,

       The nonunix_group syntax depends on the underlying implementation.  For
       instance, the QAS AD backend supports the following formats:

       o   Group in the same domain: "Group Name"

       o   Group in any domain: "Group Name@FULLY.QUALIFIED.DOMAIN"

       o   Group SID: "S-1-2-34-5678901234-5678901234-5678901234-567"

       Note that quotes around group names are optional.  Unquoted strings
       must use a backslash (\) to escape spaces and the '@' symbol.
           Runas_List ::= Runas_Member |
                          Runas_Member ',' Runas_List

           Runas_Member ::= '!'* username |

       A Runas_List is similar to a User_List except that instead of
       User_Aliases it can contain Runas_Aliases.  Note that usernames and
       groups are matched as strings.  In other words, two users (groups) with
       the same uid (gid) are considered to be distinct.  If you wish to match
       all usernames with the same uid (e.g. root and toor), you can use a uid
       instead (#0 in the example given).

           Host ::= '!'* hostname |
                    '!'* network(/netmask)? |

       A Host_List is made up of one or more hostnames, IP addresses, network
       numbers, netgroups (prefixed with '+') and other aliases.  Again, the
       value of an item may be negated with the '!' operator.  If you do not
       specify a netmask along with the network number, sudo will query each
       of the local host's network interfaces and, if the network number
       corresponds to one of the host's network interfaces, the corresponding
       netmask will be used.  The netmask may be specified either in standard
       IP address notation (e.g. 255.255.255.0 or ffff:ffff:ffff:ffff::), or
       CIDR notation (number of bits, e.g. 24 or 64).  A hostname may include
       shell-style wildcards (see the Wildcards section below), but unless the
       hostname command on your machine returns the fully qualified hostname,
       you'll need to use the fqdn option for wildcards to be useful.

           commandname ::= filename |

           Cmnd ::= '!'* commandname |

       A Cmnd_List is a list of one or more commandnames, directories, and
       other aliases.  A commandname is a fully qualified filename which may
       include shell-style wildcards (see the Wildcards section below).  A
       simple filename allows the user to run the command with any arguments
       he/she wishes.  However, you may also specify command line arguments
       (including wildcards).  Alternately, you can specify "" to indicate
       that the command may only be run without command line arguments.  A
       directory is a fully qualified pathname ending in a '/'.  When you
       specify a directory in a Cmnd_List, the user will be able to run any
       file within that directory (but not in any subdirectories therein).

       If a Cmnd has associated command line arguments, then the arguments in
       the Cmnd must match exactly those given by the user on the command line
       (or match the wildcards if there are any).  Note that the following
       characters must be escaped with a '\' if they are used in command
       arguments: ',', ':', '=', '\'.  The special command "sudoedit" is used
       to permit a user to run sudo with the -e option (or as sudoedit).  It
       may take command line arguments just as a normal command does.
   Defaults
       Certain configuration options may be changed from their default values
       at runtime via one or more Default_Entry lines.  These may affect all
       users on any host, all users on a specific host, a specific user, a
       specific command, or commands being run as a specific user.  Note that
       per-command entries may not include command line arguments.  If you
       need to specify arguments, define a Cmnd_Alias and reference that

           Default_Type ::= 'Defaults' |
                            'Defaults' '@' Host_List |
                            'Defaults' ':' User_List |
                            'Defaults' '!' Cmnd_List |
                            'Defaults' '>' Runas_List

           Default_Entry ::= Default_Type Parameter_List

           Parameter_List ::= Parameter |
                              Parameter ',' Parameter_List

           Parameter ::= Parameter '=' Value |
                         Parameter '+=' Value |
                         Parameter '-=' Value |

       Parameters may be flags, integer values, strings, or lists.  Flags are
       implicitly boolean and can be turned off via the '!' operator.  Some
       integer, string and list parameters may also be used in a boolean
       context to disable them.  Values may be enclosed in double quotes (")
       when they contain multiple words.  Special characters may be escaped
       with a backslash (\).

       Lists have two additional assignment operators, += and -=.  These
       operators are used to add to and delete from a list respectively.  It
       is not an error to use the -= operator to remove an element that does

       Defaults entries are parsed in the following order: generic, host and
       user Defaults first, then runas Defaults and finally command defaults.

       See "SUDOERS OPTIONS" for a list of supported Defaults parameters.
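       As an added illustration (not part of this manual and not sudo's own
       parser), the following Python applies a generic Defaults line according
       to the rules above: a bare parameter is a flag that an odd number of
       '!' operators turns off, '=' assigns a value, and the list-only
       operators += and -= add to and remove from a list, with -= of an absent
       element silently ignored.  The LIST_PARAMS set, the treatment of every
       other assigned value as a string, and the function names are this
       example's own assumptions.

```python
from typing import Dict, List, Union

# Parameters treated as lists in this example (assumption: the env_* lists
# named in the manual); a bare name is a flag, anything else assigned with
# '=' is kept as a string.
LIST_PARAMS = {"env_keep", "env_check", "env_delete"}

Value = Union[bool, str, List[str]]


def split_parameter_list(text: str) -> List[str]:
    """Split a Parameter_List on commas, ignoring commas inside double quotes."""
    items, buf, quoted = [], [], False
    for ch in text:
        if ch == '"':
            quoted = not quoted
        if ch == "," and not quoted:
            items.append("".join(buf).strip())
            buf = []
        else:
            buf.append(ch)
    tail = "".join(buf).strip()
    return items + [tail] if tail else items


def apply_defaults_line(line: str, state: Dict[str, Value]) -> Dict[str, Value]:
    """Apply one generic 'Defaults ...' line to `state` and return it.

    Host, user, command and runas Defaults ('Defaults@', 'Defaults:', ...)
    are outside the scope of this example.
    """
    head, _, body = line.strip().partition(" ")
    if head != "Defaults":
        raise ValueError("not a generic Defaults line: " + line)
    for item in split_parameter_list(body):
        # Look for the two-character operators before plain '='.
        op = next((o for o in ("+=", "-=", "=") if o in item), None)
        if op is None:
            # Bare parameter: a flag; an odd number of '!' turns it off,
            # an even number cancels out.
            name = item.lstrip("!")
            state[name] = (len(item) - len(name)) % 2 == 0
            continue
        name, value = (part.strip() for part in item.split(op, 1))
        value = value.strip('"')  # quotes allow multi-word values
        if name in LIST_PARAMS:
            words = value.split()
            current = list(state.get(name, []))
            if op == "=":
                current = words
            elif op == "+=":
                current.extend(words)
            else:
                # '-=': removing an element that is not present is not an error
                current = [w for w in current if w not in words]
            state[name] = current
        elif op == "=":
            state[name] = value
        else:
            raise ValueError(f"{op} is only valid for list parameters: {item}")
    return state
```

       Feeding the line 'Defaults env_reset, !insults, env_keep = "EDITOR
       VISUAL", env_keep += "LANG LC_ALL", env_keep -= "LC_ALL NOTSET"' to
       apply_defaults_line yields env_reset on, insults off and env_keep equal
       to EDITOR, VISUAL and LANG; the -= of NOTSET, which was never in the
       list, is not an error.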
   User Specification
           User_Spec ::= User_List Host_List '=' Cmnd_Spec_List \
                         (':' Host_List '=' Cmnd_Spec_List)*

           Cmnd_Spec_List ::= Cmnd_Spec |
                              Cmnd_Spec ',' Cmnd_Spec_List

           Cmnd_Spec ::= Runas_Spec? Tag_Spec* Cmnd

           Runas_Spec ::= '(' Runas_List? (':' Runas_List)? ')'

           Tag_Spec ::= ('NOPASSWD:' | 'PASSWD:' | 'NOEXEC:' | 'EXEC:' |
                         'SETENV:' | 'NOSETENV:' )

       A user specification determines which commands a user may run (and as
       what user) on specified hosts.  By default, commands are run as root,
       but this can be changed on a per-command basis.

       The basic structure of a user specification is `who = where (as_whom)
       what'.  Let's break that down into its constituent parts:

   Runas_Spec
       A Runas_Spec determines the user and/or the group that a command may be
       run as.  A fully-specified Runas_Spec consists of two Runas_Lists (as
       defined above) separated by a colon (':') and enclosed in a set of
       parentheses.  The first Runas_List indicates which users the command
       may be run as via sudo's -u option.  The second defines a list of
       groups that can be specified via sudo's -g option.  If both Runas_Lists
       are specified, the command may be run with any combination of users and
       groups listed in their respective Runas_Lists.  If only the first is
       specified, the command may be run as any user in the list but no -g
       option may be specified.  If the first Runas_List is empty but the
       second is specified, the command may be run as the invoking user with
       the group set to any listed in the Runas_List.  If no Runas_Spec is
       specified the command may be run as root and no group may be specified.

       A Runas_Spec sets the default for the commands that follow it.  What
       this means is that for the entry:

           dgb boulder = (operator) /bin/ls, /bin/kill, /usr/bin/lprm

       The user dgb may run /bin/ls, /bin/kill, and /usr/bin/lprm -- but only
       as operator.  E.g.,

           $ sudo -u operator /bin/ls.

       It is also possible to override a Runas_Spec later on in an entry.  If
       we modify the entry like so:

           dgb boulder = (operator) /bin/ls, (root) /bin/kill, /usr/bin/lprm

       Then user dgb is now allowed to run /bin/ls as operator, but /bin/kill
       and /usr/bin/lprm as root.

       We can extend this to allow dgb to run /bin/ls with either the user or
       group set to operator:

           dgb boulder = (operator : operator) /bin/ls, (root) /bin/kill, \

       In the following example, user tcm may run commands that access a modem
       device file with the dialer group.  Note that in this example only the
       group will be set, the command still runs as user tcm.

           tcm boulder = (:dialer) /usr/bin/tip, /usr/bin/cu, \
               /usr/local/bin/minicom

   Tag_Spec
       A command may have zero or more tags associated with it.  There are
       eight possible tag values, NOPASSWD, PASSWD, NOEXEC, EXEC, SETENV and
       NOSETENV.  Once a tag is set on a Cmnd, subsequent Cmnds in the
       Cmnd_Spec_List inherit the tag unless it is overridden by the opposite
       tag (i.e.: PASSWD overrides NOPASSWD and NOEXEC overrides EXEC).
       NOPASSWD and PASSWD

       By default, sudo requires that a user authenticate him or herself
       before running a command.  This behavior can be modified via the
       NOPASSWD tag.  Like a Runas_Spec, the NOPASSWD tag sets a default for
       the commands that follow it in the Cmnd_Spec_List.  Conversely, the
       PASSWD tag can be used to reverse things.  For example:

           ray rushmore = NOPASSWD: /bin/kill, /bin/ls, /usr/bin/lprm

       would allow the user ray to run /bin/kill, /bin/ls, and /usr/bin/lprm
       as root on the machine rushmore without authenticating himself.  If we
       only want ray to be able to run /bin/kill without a password the entry

           ray rushmore = NOPASSWD: /bin/kill, PASSWD: /bin/ls, /usr/bin/lprm

       Note, however, that the PASSWD tag has no effect on users who are in
       the group specified by the exempt_group option.

       By default, if the NOPASSWD tag is applied to any of the entries for a
       user on the current host, he or she will be able to run sudo -l without
       a password.  Additionally, a user may only run sudo -v without a
       password if the NOPASSWD tag is present for all a user's entries that
       pertain to the current host.  This behavior may be overridden via the
       verifypw and listpw options.

       NOEXEC and EXEC

       If sudo has been compiled with noexec support and the underlying
       operating system supports it, the NOEXEC tag can be used to prevent a
       dynamically-linked executable from running further commands itself.

       In the following example, user aaron may run /usr/bin/more and
       /usr/bin/vi but shell escapes will be disabled.

           aaron shanty = NOEXEC: /usr/bin/more, /usr/bin/vi

       See the "PREVENTING SHELL ESCAPES" section below for more details on
       how NOEXEC works and whether or not it will work on your system.
       SETENV and NOSETENV

       These tags override the value of the setenv option on a per-command
       basis.  Note that if SETENV has been set for a command, any environment
       variables set on the command line are not subject to the restrictions
       imposed by env_check, env_delete, or env_keep.  As such, only trusted
       users should be allowed to set variables in this manner.  If the
       command matched is ALL, the SETENV tag is implied for that command;
       this default may be overridden by use of the NOSETENV tag.
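       The inheritance rules spelled out under Runas_Spec and Tag_Spec (each
       Runas_Spec and each tag sets a default for the commands that follow it
       until it is overridden) can be checked mechanically.  The Python below
       is an added example, not code from the sudo project: it splits one
       Cmnd_Spec_List and records, for every Cmnd, the effective run-as users
       and groups and the effective PASSWD, NOEXEC and SETENV state, including
       the rule that SETENV is implied when the Cmnd is ALL.  It assumes the
       Runas_List and tag syntax of the grammar above; the CmndSpec field
       names and the function names are this example's own.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Each tag sets one piece of state for the Cmnd it precedes and for the Cmnds
# that follow it, until the opposite tag appears.
TAGS = {
    "NOPASSWD:": ("passwd", False), "PASSWD:": ("passwd", True),
    "NOEXEC:": ("noexec", True),    "EXEC:": ("noexec", False),
    "SETENV:": ("setenv", True),    "NOSETENV:": ("setenv", False),
}


@dataclass(frozen=True)
class CmndSpec:                      # field names are this example's own
    cmnd: str
    runas_users: Tuple[str, ...]     # () means "as the invoking user"
    runas_groups: Tuple[str, ...]    # () means no -g option allowed
    passwd: bool                     # True: the user must authenticate
    noexec: bool
    setenv: bool


def split_cmnd_specs(text: str) -> List[str]:
    """Split a Cmnd_Spec_List on commas, leaving alone commas that sit inside
    a Runas_Spec's parentheses or are escaped with a backslash."""
    items, buf, depth, i = [], [], 0, 0
    while i < len(text):
        ch = text[i]
        if ch == "\\" and i + 1 < len(text):
            buf.append(text[i:i + 2])
            i += 2
            continue
        depth += (ch == "(") - (ch == ")")
        if ch == "," and depth == 0:
            items.append("".join(buf).strip())
            buf = []
        else:
            buf.append(ch)
        i += 1
    tail = "".join(buf).strip()
    return items + [tail] if tail else items


def parse_runas(spec: str) -> Tuple[Tuple[str, ...], Tuple[str, ...]]:
    """'(users : groups)' -> (users, groups); either Runas_List may be empty."""
    users, _, groups = spec[1:-1].partition(":")
    as_tuple = lambda s: tuple(x.strip() for x in s.split(",") if x.strip())
    return as_tuple(users), as_tuple(groups)


def parse_cmnd_spec_list(text: str) -> List[CmndSpec]:
    """Resolve the effective Runas_Spec and tags for every Cmnd in the list."""
    # Before any Runas_Spec or tag: run as root, password required, no NOEXEC;
    # SETENV is unset, so it is implied only when the Cmnd is ALL.
    users, groups = ("root",), ()
    state: Dict[str, Optional[bool]] = {"passwd": True, "noexec": False, "setenv": None}
    specs = []
    for item in split_cmnd_specs(text):
        rest = item
        if rest.startswith("("):
            close = rest.index(")")
            users, groups = parse_runas(rest[:close + 1])
            rest = rest[close + 1:].lstrip()
        found = True
        while found:                 # strip any number of leading tags
            found = False
            for tag, (key, value) in TAGS.items():
                if rest.startswith(tag):
                    state[key] = value
                    rest = rest[len(tag):].lstrip()
                    found = True
        setenv = state["setenv"] if state["setenv"] is not None else rest == "ALL"
        specs.append(CmndSpec(rest, users, groups, bool(state["passwd"]),
                              bool(state["noexec"]), setenv))
    return specs
```

       Running parse_cmnd_spec_list over the manual's own entries shows the
       rules at work: in "(operator) /bin/ls, (root) /bin/kill,
       /usr/bin/lprm" the last command inherits root from the second
       Runas_Spec, in "NOPASSWD: /bin/kill, PASSWD: /bin/ls, /usr/bin/lprm"
       only /bin/kill is password-free, and in "(:dialer) /usr/bin/tip,
       /usr/bin/cu" both commands run as the invoking user with the dialer
       group.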
   Wildcards
       sudo allows shell-style wildcards (aka meta or glob characters) to be
       used in hostnames, pathnames and command line arguments in the sudoers
       file.  Wildcard matching is done via the POSIX glob(3) and fnmatch(3)
       routines.  Note that these are not regular expressions.

       *       Matches any set of zero or more characters.

       ?       Matches any single character.

       [...]   Matches any character in the specified range.

       [!...]  Matches any character not in the specified range.

       \x      For any character "x", evaluates to "x".  This is used to
               escape special characters such as: "*", "?", "[", and "}".

       POSIX character classes may also be used if your system's glob(3) and
       fnmatch(3) functions support them.  However, because the ':' character
       has special meaning in sudoers, it must be escaped.  For example:

           /bin/ls [[\:alpha\:]]*

       Would match any filename beginning with a letter.

       Note that a forward slash ('/') will not be matched by wildcards used
       in the pathname.  When matching the command line arguments, however, a
       slash does get matched by wildcards.  This is to make a path like:

       match /usr/bin/who but not /usr/bin/X11/xterm.

   Exceptions to wildcard rules
       The following exceptions apply to the above rules:

       ""      If the empty string "" is the only command line argument in the
               sudoers entry it means that command is not allowed to be run
               with any arguments.
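       As an added example (not part of this manual and not sudo's code), the
       following Python reproduces the matching rules above and in Cmnd_List:
       a sudoers wildcard pattern is translated to a regular expression in
       which, for the pathname, '*', '?' and bracket expressions never match a
       slash (as fnmatch(3) does with FNM_PATHNAME) while in command line
       arguments a slash is matched; a Cmnd ending in '/' matches only files
       directly inside that directory; a bare commandname allows any
       arguments; and the "" exception forbids arguments.  It assumes that the
       sudoers lexer has already removed the backslash escaping ':' inside a
       character class, that the user's arguments are compared as one
       space-joined string, and that only a handful of POSIX character classes
       are needed; the function names are this example's own.

```python
import re
from typing import Sequence

# POSIX character classes supported by this example (assumption: a subset).
CLASSES = {"alpha": "a-zA-Z", "digit": "0-9", "alnum": "a-zA-Z0-9",
           "upper": "A-Z", "lower": "a-z", "space": r" \t"}


def glob_to_regex(pattern: str, pathname: bool) -> "re.Pattern[str]":
    """Translate a sudoers wildcard pattern into a compiled regular expression.

    pathname=True is used for the command path: '*', '?' and [...] never
    match '/', like fnmatch(3) with FNM_PATHNAME.  pathname=False is used for
    command line arguments, where a slash is matched like any character.
    """
    # Assumption: the sudoers lexer has already turned the escaped '\:' of a
    # character class back into ':' before the pattern reaches fnmatch(3).
    pattern = pattern.replace("\\:", ":")
    out, i, n = [], 0, len(pattern)
    while i < n:
        c = pattern[i]
        if c == "*":
            out.append("[^/]*" if pathname else ".*")
        elif c == "?":
            out.append("[^/]" if pathname else ".")
        elif c == "\\" and i + 1 < n:       # \x evaluates to the literal x
            i += 1
            out.append(re.escape(pattern[i]))
        elif c == "[":
            # Find the closing ']', skipping over [:class:] names and escapes;
            # a ']' right after '[' or '[!' is part of the set.
            j = i + 1 + (pattern[i + 1:i + 2] == "!")
            j += pattern[j:j + 1] == "]"
            while j < n and pattern[j] != "]":
                if pattern.startswith("[:", j) and pattern.find(":]", j) != -1:
                    j = pattern.find(":]", j) + 2
                elif pattern[j] == "\\":
                    j += 2
                else:
                    j += 1
            if j >= n:                       # unterminated: a literal '['
                out.append(re.escape("["))
            else:
                body = pattern[i + 1:j]
                negate = body.startswith("!")
                body = body[1:] if negate else body
                body = re.sub(r"\[:(\w+):\]", lambda m: CLASSES[m.group(1)], body)
                body = re.sub(r"\\(.)", r"\1", body)          # drop escapes
                body = re.sub(r"([\\\]\^])", r"\\\1", body)   # protect regex specials
                if negate:
                    out.append("[^" + ("/" if pathname else "") + body + "]")
                else:
                    out.append("[" + body + "]")
                i = j
        else:
            out.append(re.escape(c))
        i += 1
    return re.compile("".join(out))


def cmnd_matches(spec: str, path: str, args: Sequence[str]) -> bool:
    """Decide whether a user's command (absolute path plus argument vector)
    is permitted by one Cmnd entry of a sudoers file."""
    spec_cmd, _, spec_args = spec.strip().partition(" ")
    spec_args = spec_args.strip()
    if spec_cmd.endswith("/"):
        # A directory: any file directly inside it, none in subdirectories.
        # (Assumption: the directory itself carries no wildcards.)
        if not path.startswith(spec_cmd) or "/" in path[len(spec_cmd):]:
            return False
    elif glob_to_regex(spec_cmd, pathname=True).fullmatch(path) is None:
        return False
    if spec_args == "":
        return True                  # no arguments in sudoers: any are allowed
    if spec_args == '""':
        return len(args) == 0        # the "" exception: no arguments at all
    # Otherwise the arguments must match exactly or via wildcards; here a
    # slash is matched.  Assumption: sudo compares the space-joined argv.
    return glob_to_regex(spec_args, pathname=False).fullmatch(" ".join(args)) is not None
```

       With this matcher, the Cmnd /usr/bin/* accepts /usr/bin/who but not
       /usr/bin/X11/xterm, whereas the argument pattern in "/bin/cat
       /var/log/*" accepts /var/log/nginx/access.log because a slash is
       matched in arguments; "/bin/ls [[\:alpha\:]]*" accepts an argument
       starting with a letter and rejects one starting with a digit.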
   Including other files from within sudoers
       It is possible to include other sudoers files from within the sudoers
       file currently being parsed using the #include and #includedir

       This can be used, for example, to keep a site-wide sudoers file in
       addition to a local, per-machine file.  For the sake of this example
       the site-wide sudoers will be /etc/sudoers and the per-machine one will
       be /etc/sudoers.local.  To include /etc/sudoers.local from within
       /etc/sudoers we would use the following line in /etc/sudoers:

           #include /etc/sudoers.local

       When sudo reaches this line it will suspend processing of the current
       file (/etc/sudoers) and switch to /etc/sudoers.local.  Upon reaching
       the end of /etc/sudoers.local, the rest of /etc/sudoers will be
       processed.  Files that are included may themselves include other files.
       A hard limit of 128 nested include files is enforced to prevent include

       The filename may include the %h escape, signifying the short form of
       the hostname.  I.e., if the machine's hostname is "xerxes", then

           #include /etc/sudoers.%h

       will cause sudo to include the file /etc/sudoers.xerxes.

       The #includedir directive can be used to create a sudo.d directory that
       the system package manager can drop sudoers rules into as part of
       package installation.  For example, given:

           #includedir /etc/sudoers.d

       sudo will read each file in /etc/sudoers.d, skipping file names that
       end in ~ or contain a . character to avoid causing problems with
       package manager or editor temporary/backup files.  Files are parsed in
       sorted lexical order.  That is, /etc/sudoers.d/01_first will be parsed
       before /etc/sudoers.d/10_second.  Be aware that because the sorting is
       lexical, not numeric, /etc/sudoers.d/1_whoops would be loaded after
       /etc/sudoers.d/10_second.  Using a consistent number of leading zeroes
       in the file names can be used to avoid such problems.

       Note that unlike files included via #include, visudo will not edit the
       files in a #includedir directory unless one of them contains a syntax
       error.  It is still possible to run visudo with the -f flag to edit the
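       The include rules above (nested #include processing, %h expansion, the
       name filtering and lexical ordering of a #includedir directory, the
       128-file nesting limit, and the rule from the next section that '#'
       followed by digits is a uid rather than a comment) are demonstrated by
       this added Python example, which is not sudo's code.  The file system
       is a constructed in-memory mapping and the sample rules are made up;
       resolve returns the effective order in which sudo would see the rules,
       and the function names are this example's own.

```python
import re
from typing import Dict, List

INCLUDE_LIMIT = 128   # the nesting limit the manual states


def includedir_order(names: List[str]) -> List[str]:
    """File names sudo reads from a #includedir directory, in reading order:
    names ending in '~' or containing a '.' are skipped, the rest are sorted
    lexically (so '10_second' comes before '1_whoops')."""
    return sorted(n for n in names if not n.endswith("~") and "." not in n)


def resolve(files: Dict[str, str], dirs: Dict[str, List[str]], start: str,
            hostname: str, depth: int = 0) -> List[str]:
    """Return the effective rule lines of `start` with every #include and
    #includedir expanded in place.  `files` maps a path to its contents and
    `dirs` maps a directory to the names inside it: a constructed stand-in
    for the file system so the example runs offline."""
    if depth > INCLUDE_LIMIT:
        raise RecursionError(f"more than {INCLUDE_LIMIT} nested include files")
    out: List[str] = []
    for raw in files[start].splitlines():
        line = raw.strip()
        if line.startswith("#include "):
            # %h expands to the short host name
            target = line.split(None, 1)[1].replace("%h", hostname)
            out.extend(resolve(files, dirs, target, hostname, depth + 1))
        elif line.startswith("#includedir "):
            directory = line.split(None, 1)[1].rstrip("/")
            for name in includedir_order(dirs.get(directory, [])):
                out.extend(resolve(files, dirs, f"{directory}/{name}", hostname, depth + 1))
        elif line.startswith("#") and not re.match(r"#\d", line):
            continue   # a comment; '#' followed by digits is a uid, not a comment
        elif line:
            out.append(line)
    return out


# Constructed sample: a site-wide file, a per-host file and a drop-in directory.
SAMPLE_FILES = {
    "/etc/sudoers": (
        "Defaults env_reset\n"
        "#include /etc/sudoers.%h\n"
        "#includedir /etc/sudoers.d\n"
        "# a comment, dropped\n"
        "#0 ALL = (ALL) ALL\n"
    ),
    "/etc/sudoers.xerxes": "alice ALL = /bin/ls\n",
    "/etc/sudoers.d/01_first": "bob ALL = /bin/kill\n",
    "/etc/sudoers.d/10_second": "carol ALL = /bin/cat\n",
    "/etc/sudoers.d/1_whoops": "dave ALL = /bin/who\n",
    "/etc/sudoers.d/99_backup~": "NEVER READ\n",
    "/etc/sudoers.d/pkg.rpmnew": "NEVER READ\n",
    "/etc/loop": "#include /etc/loop\n",
}
SAMPLE_DIRS = {
    "/etc/sudoers.d": ["1_whoops", "pkg.rpmnew", "10_second", "99_backup~", "01_first"],
}


def effective_sudoers(hostname: str = "xerxes") -> List[str]:
    """The rules sudo would see on host `hostname`, in order."""
    return resolve(SAMPLE_FILES, SAMPLE_DIRS, "/etc/sudoers", hostname)


if __name__ == "__main__":
    for rule in effective_sudoers():
        print(rule)
```

       On the sample, the per-host file is read first, then the drop-in
       directory with 1_whoops landing after 10_second, the backup and
       package-manager files are skipped, and the uid entry "#0 ALL = (ALL)
       ALL" survives while the comment does not.  A file that includes
       itself trips the nesting limit.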
   Other special characters and reserved words
       The pound sign ('#') is used to indicate a comment (unless it is part
       of a #include directive or unless it occurs in the context of a user
       name and is followed by one or more digits, in which case it is treated
       as a uid).  Both the comment character and any text after it, up to the
       end of the line, are ignored.

       The reserved word ALL is a built-in alias that always causes a match to
       succeed.  It can be used wherever one might otherwise use a Cmnd_Alias,
       User_Alias, Runas_Alias, or Host_Alias.  You should not try to define
       your own alias called ALL as the built-in alias will be used in
       preference to your own.  Please note that using ALL can be dangerous
       since in a command context, it allows the user to run any command on

       An exclamation point ('!') can be used as a logical not operator both
       in an alias and in front of a Cmnd.  This allows one to exclude certain
       values.  Note, however, that using a ! in conjunction with the built-in
       ALL alias to allow a user to run "all but a few" commands rarely works
       as intended (see SECURITY NOTES below).

       Long lines can be continued with a backslash ('\') as the last
       character on the line.

       Whitespace between elements in a list as well as special syntactic
       characters in a User Specification ('=', ':', '(', ')') is optional.

       The following characters must be escaped with a backslash ('\') when
       used as part of a word (e.g. a username or hostname): '@', '!', '=',
       ':', ',', '(', ')', '\'.
SUDOERS OPTIONS
       sudo's behavior can be modified by Default_Entry lines, as explained
       earlier.  A list of all supported Defaults parameters, grouped by type,

       Flags:

       always_set_home   If set, sudo will set the HOME environment variable to
                         the home directory of the target user (which is root
                         unless the -u option is used).  This effectively means
                         that the -H option is always implied.  This flag is off

       authenticate      If set, users must authenticate themselves via a
                         password (or other means of authentication) before they
                         may run commands.  This default may be overridden via
                         the PASSWD and NOPASSWD tags.  This flag is on by

                         If set, the user may use sudo's -C option which
                         overrides the default starting point at which sudo
                         begins closing open file descriptors.  This flag is off

       env_editor        If set, visudo will use the value of the EDITOR or
                         VISUAL environment variables before falling back on the
                         default editor list.  Note that this may create a
                         security hole as it allows the user to run any
                         arbitrary command as root without logging.  A safer
                         alternative is to place a colon-separated list of
                         editors in the editor variable.  visudo will then only
                         use the EDITOR or VISUAL if they match a value
                         specified in editor.  This flag is off by default.

       env_reset         If set, sudo will reset the environment to only contain
                         the LOGNAME, SHELL, USER, USERNAME and the SUDO_*
                         variables.  Any variables in the caller's environment
                         that match the env_keep and env_check lists are then
                         added.  The default contents of the env_keep and
                         env_check lists are displayed when sudo is run by root
                         with the -V option.  If the secure_path option is set,
                         its value will be used for the PATH environment
                         variable.  This flag is on by default.

       fqdn              Set this flag if you want to put fully qualified
                         hostnames in the sudoers file.  I.e., instead of myhost
                         you would use myhost.mydomain.edu.  You may still use
                         the short form if you wish (and even mix the two).
                         Beware that turning on fqdn requires sudo to make DNS
                         lookups which may make sudo unusable if DNS stops
                         working (for example if the machine is not plugged into
                         the network).  Also note that you must use the host's
                         official name as DNS knows it.  That is, you may not
                         use a host alias (CNAME entry) due to performance
                         issues and the fact that there is no way to get all
                         aliases from DNS.  If your machine's hostname (as
                         returned by the hostname command) is already fully
                         qualified you shouldn't need to set fqdn.  This flag is
                         off by default.

       ignore_dot        If set, sudo will ignore '.' or '' (current dir) in the
                         PATH environment variable; the PATH itself is not
                         modified.  This flag is off by default.

                         If set via LDAP, parsing of /etc/sudoers will be
                         skipped.  This is intended for Enterprises that wish to
                         prevent the usage of local sudoers files so that only
                         LDAP is used.  This thwarts the efforts of rogue
                         operators who would attempt to add roles to
                         /etc/sudoers.  When this option is present,
                         /etc/sudoers does not even need to exist.  Since this
                         option tells sudo how to behave when no specific LDAP
                         entries have been matched, this sudoOption is only
                         meaningful for the cn=defaults section.  This flag is
                         off by default.

       insults           If set, sudo will insult users when they enter an
                         incorrect password.  This flag is off by default.

       log_host          If set, the hostname will be logged in the (non-syslog)
                         sudo log file.  This flag is off by default.

       log_year          If set, the four-digit year will be logged in the (non-
                         syslog) sudo log file.  This flag is off by default.

       long_otp_prompt   When validating with a One Time Password (OTP) scheme
                         such as S/Key or OPIE, a two-line prompt is used to
                         make it easier to cut and paste the challenge to a
                         local window.  It's not as pretty as the default but
                         some people find it more convenient.  This flag is off

       mail_always       Send mail to the mailto user every time a user runs
                         sudo.  This flag is off by default.

       mail_badpass      Send mail to the mailto user if the user running sudo
                         does not enter the correct password.  This flag is off

       mail_no_host      If set, mail will be sent to the mailto user if the
                         invoking user exists in the sudoers file, but is not
                         allowed to run commands on the current host.  This flag
                         is off by default.

       mail_no_perms     If set, mail will be sent to the mailto user if the
                         invoking user is allowed to use sudo but the command
                         they are trying is not listed in their sudoers file
                         entry or is explicitly denied.  This flag is off by

       mail_no_user      If set, mail will be sent to the mailto user if the
                         invoking user is not in the sudoers file.  This flag is

       noexec            If set, all commands run via sudo will behave as if the
                         NOEXEC tag has been set, unless overridden by an EXEC
                         tag.  See the description of NOEXEC and EXEC below as
                         well as the "PREVENTING SHELL ESCAPES" section at the
                         end of this manual.  This flag is off by default.

       path_info         Normally, sudo will tell the user when a command could
                         not be found in their PATH environment variable.  Some
                         sites may wish to disable this as it could be used to
                         gather information on the location of executables that
                         the normal user does not have access to.  The
                         disadvantage is that if the executable is simply not in
                         the user's PATH, sudo will tell the user that they are
                         not allowed to run it, which can be confusing.  This
                         flag is on by default.

                         The password prompt specified by passprompt will
                         normally only be used if the password prompt provided by
                         systems such as PAM matches the string "Password:".  If
                         passprompt_override is set, passprompt will always be
                         used.  This flag is off by default.

       preserve_groups   By default, sudo will initialize the group vector to
                         the list of groups the target user is in.  When
                         preserve_groups is set, the user's existing group
                         vector is left unaltered.  The real and effective group
                         IDs, however, are still set to match the target user.
                         This flag is off by default.

       pwfeedback        By default, sudo reads the password like most other
                         Unix programs, by turning off echo until the user hits
                         the return (or enter) key.  Some users become confused
                         by this as it appears to them that sudo has hung at
                         this point.  When pwfeedback is set, sudo will provide
                         visual feedback when the user presses a key.  Note that
                         this does have a security impact as an onlooker may be
                         able to determine the length of the password being
                         entered.  This flag is off by default.

       requiretty        If set, sudo will only run when the user is logged in
                         to a real tty.  When this flag is set, sudo can only be
                         run from a login session and not via other means such
                         as cron(1m) or cgi-bin scripts.  This flag is off by

       root_sudo         If set, root is allowed to run sudo too.  Disabling
                         this prevents users from "chaining" sudo commands to
                         get a root shell by doing something like "sudo sudo
                         /bin/sh".  Note, however, that turning off root_sudo
                         will also prevent root from running sudoedit.
                         Disabling root_sudo provides no real additional
                         security; it exists purely for historical reasons.
                         This flag is on by default.

       rootpw            If set, sudo will prompt for the root password instead
                         of the password of the invoking user.  This flag is off

       runaspw           If set, sudo will prompt for the password of the user
                         defined by the runas_default option (defaults to root)
                         instead of the password of the invoking user.  This
                         flag is off by default.

       set_home          If set and sudo is invoked with the -s option the HOME
                         environment variable will be set to the home directory
                         of the target user (which is root unless the -u option
                         is used).  This effectively makes the -s option imply
                         -H.  This flag is off by default.

       set_logname       Normally, sudo will set the LOGNAME, USER and USERNAME
785 environment variables to the name of the target user
786 (usually root unless the -
\b-u
\bu option is given). However,
790 1.7.2p2 November 24, 2009 12
796 SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
799 since some programs (including the RCS revision control
800 system) use LOGNAME to determine the real identity of
801 the user, it may be desirable to change this behavior.
802 This can be done by negating the set_logname option.
803 Note that if the _
\be_
\bn_
\bv_
\b__
\br_
\be_
\bs_
\be_
\bt option has not been
804 disabled, entries in the _
\be_
\bn_
\bv_
\b__
\bk_
\be_
\be_
\bp list will override
805 the value of _
\bs_
\be_
\bt_
\b__
\bl_
\bo_
\bg_
\bn_
\ba_
\bm_
\be. This flag is _
\bo_
\bf_
\bf by default.
807 setenv Allow the user to disable the _
\be_
\bn_
\bv_
\b__
\br_
\be_
\bs_
\be_
\bt option from the
808 command line. Additionally, environment variables set
809 via the command line are not subject to the
810 restrictions imposed by _
\be_
\bn_
\bv_
\b__
\bc_
\bh_
\be_
\bc_
\bk, _
\be_
\bn_
\bv_
\b__
\bd_
\be_
\bl_
\be_
\bt_
\be, or
811 _
\be_
\bn_
\bv_
\b__
\bk_
\be_
\be_
\bp. As such, only trusted users should be
812 allowed to set variables in this manner. This flag is
813 _
\bo_
\bf_
\bf by default.
815 shell_noargs If set and s
\bsu
\bud
\bdo
\bo is invoked with no arguments it acts as
816 if the -
\b-s
\bs option had been given. That is, it runs a
817 shell as root (the shell is determined by the SHELL
818 environment variable if it is set, falling back on the
819 shell listed in the invoking user's /etc/passwd entry
820 if not). This flag is _
\bo_
\bf_
\bf by default.
822 fast_glob Normally, s
\bsu
\bud
\bdo
\bo uses the _
\bg_
\bl_
\bo_
\bb(3) function to do shell-
823 style globbing when matching pathnames. However, since
824 it accesses the file system, _
\bg_
\bl_
\bo_
\bb(3) can take a long
825 time to complete for some patterns, especially when the
826 pattern references a network file system that is
827 mounted on demand (automounted). The _
\bf_
\ba_
\bs_
\bt_
\b__
\bg_
\bl_
\bo_
\bb option
828 causes s
\bsu
\bud
\bdo
\bo to use the _
\bf_
\bn_
\bm_
\ba_
\bt_
\bc_
\bh(3) function, which does
829 not access the file system to do its matching. The
830 disadvantage of _
\bf_
\ba_
\bs_
\bt_
\b__
\bg_
\bl_
\bo_
\bb is that it is unable to match
831 relative pathnames such as _
\b._
\b/_
\bl_
\bs or _
\b._
\b._
\b/_
\bb_
\bi_
\bn_
\b/_
\bl_
\bs. This
832 flag is _
\bo_
\bf_
\bf by default.
834 stay_setuid Normally, when s
\bsu
\bud
\bdo
\bo executes a command the real and
835 effective UIDs are set to the target user (root by
836 default). This option changes that behavior such that
837 the real UID is left as the invoking user's UID. In
838 other words, this makes s
\bsu
\bud
\bdo
\bo act as a setuid wrapper.
839 This can be useful on systems that disable some
840 potentially dangerous functionality when a program is
841 run setuid. This option is only effective on systems
842 with either the _
\bs_
\be_
\bt_
\br_
\be_
\bu_
\bi_
\bd_
\b(_
\b) or _
\bs_
\be_
\bt_
\br_
\be_
\bs_
\bu_
\bi_
\bd_
\b(_
\b) function.
843 This flag is _
\bo_
\bf_
\bf by default.
845 targetpw If set, s
\bsu
\bud
\bdo
\bo will prompt for the password of the user
846 specified by the -
\b-u
\bu option (defaults to root) instead
847 of the password of the invoking user. Note that this
848 precludes the use of a uid not listed in the passwd
849 database as an argument to the -
\b-u
\bu option. This flag is
850 _
\bo_
\bf_
\bf by default.
852 tty_tickets If set, users must authenticate on a per-tty basis.
856 1.7.2p2 November 24, 2009 13
862 SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
865 Normally, s
\bsu
\bud
\bdo
\bo uses a directory in the ticket dir with
866 the same name as the user running it. With this flag
867 enabled, s
\bsu
\bud
\bdo
\bo will use a file named for the tty the
868 user is logged in on in that directory. This flag is
869 _
\bo_
\bf_
\bf by default.
871 umask_override If set, s
\bsu
\bud
\bdo
\bo will set the umask as specified by _
\bs_
\bu_
\bd_
\bo_
\be_
\br_
\bs
872 without modification. This makes it possible to
873 specify a more permissive umask in _
\bs_
\bu_
\bd_
\bo_
\be_
\br_
\bs than the
874 user's own umask and matches historical behavior. If
875 _
\bu_
\bm_
\ba_
\bs_
\bk_
\b__
\bo_
\bv_
\be_
\br_
\br_
\bi_
\bd_
\be is not set, s
\bsu
\bud
\bdo
\bo will set the umask to
876 be the union of the user's umask and what is specified
877 in _
\bs_
\bu_
\bd_
\bo_
\be_
\br_
\bs. This flag is _
\bo_
\bf_
\bf by default.
879 use_loginclass If set, s
\bsu
\bud
\bdo
\bo will apply the defaults specified for the
880 target user's login class if one exists. Only
881 available if s
\bsu
\bud
\bdo
\bo is configured with the
882 --with-logincap option. This flag is _
\bo_
\bf_
\bf by default.
884 visiblepw By default, s
\bsu
\bud
\bdo
\bo will refuse to run if the user must
885 enter a password but it is not possible to disable echo
886 on the terminal. If the _
\bv_
\bi_
\bs_
\bi_
\bb_
\bl_
\be_
\bp_
\bw flag is set, s
\bsu
\bud
\bdo
\bo
887 will prompt for a password even when it would be
888 visible on the screen. This makes it possible to run
889 things like "rsh somehost sudo ls" since _
\br_
\bs_
\bh(1) does
890 not allocate a tty. This flag is _
\bo_
\bf_
\bf by default.
892 I
\bIn
\bnt
\bte
\beg
\bge
\ber
\brs
\bs:
894 closefrom Before it executes a command, s
\bsu
\bud
\bdo
\bo will close all open
895 file descriptors other than standard input, standard
896 output and standard error (ie: file descriptors 0-2).
897 The _
\bc_
\bl_
\bo_
\bs_
\be_
\bf_
\br_
\bo_
\bm option can be used to specify a different
898 file descriptor at which to start closing. The default
901 passwd_tries The number of tries a user gets to enter his/her
902 password before s
\bsu
\bud
\bdo
\bo logs the failure and exits. The
905 I
\bIn
\bnt
\bte
\beg
\bge
\ber
\brs
\bs t
\bth
\bha
\bat
\bt c
\bca
\ban
\bn b
\bbe
\be u
\bus
\bse
\bed
\bd i
\bin
\bn a
\ba b
\bbo
\boo
\bol
\ble
\bea
\ban
\bn c
\bco
\bon
\bnt
\bte
\bex
\bxt
\bt:
907 loglinelen Number of characters per line for the file log. This
908 value is used to decide when to wrap lines for nicer
909 log files. This has no effect on the syslog log file,
910 only the file log. The default is 80 (use 0 or negate
911 the option to disable word wrap).
913 passwd_timeout Number of minutes before the s
\bsu
\bud
\bdo
\bo password prompt times
914 out. The default is 5; set this to 0 for no password
918 Number of minutes that can elapse before s
\bsu
\bud
\bdo
\bo will ask
922 1.7.2p2 November 24, 2009 14
928 SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
931 for a passwd again. The default is 5. Set this to 0
932 to always prompt for a password. If set to a value
933 less than 0 the user's timestamp will never expire.
934 This can be used to allow users to create or delete
935 their own timestamps via sudo -v and sudo -k
938 umask Umask to use when running the command. Negate this
939 option or set it to 0777 to preserve the user's umask.
940 The actual umask that is used will be the union of the
941 user's umask and 0022. This guarantees that s
\bsu
\bud
\bdo
\bo never
942 lowers the umask when running a command. Note on
943 systems that use PAM, the default PAM configuration may
944 specify its own umask which will override the value set
945 in _
\bs_
\bu_
\bd_
\bo_
\be_
\br_
\bs.
947 S
\bSt
\btr
\bri
\bin
\bng
\bgs
\bs:
949 badpass_message Message that is displayed if a user enters an incorrect
950 password. The default is Sorry, try again. unless
953 editor A colon (':') separated list of editors allowed to be
954 used with v
\bvi
\bis
\bsu
\bud
\bdo
\bo. v
\bvi
\bis
\bsu
\bud
\bdo
\bo will choose the editor that
955 matches the user's EDITOR environment variable if
956 possible, or the first editor in the list that exists
957 and is executable. The default is the path to vi on
960 mailsub Subject of the mail sent to the _
\bm_
\ba_
\bi_
\bl_
\bt_
\bo user. The escape
961 %h will expand to the hostname of the machine. Default
962 is *** SECURITY information for %h ***.
964 noexec_file Path to a shared library containing dummy versions of
965 the _
\be_
\bx_
\be_
\bc_
\bv_
\b(_
\b), _
\be_
\bx_
\be_
\bc_
\bv_
\be_
\b(_
\b) and _
\bf_
\be_
\bx_
\be_
\bc_
\bv_
\be_
\b(_
\b) library functions
966 that just return an error. This is used to implement
967 the _
\bn_
\bo_
\be_
\bx_
\be_
\bc functionality on systems that support
968 LD_PRELOAD or its equivalent. Defaults to
969 _
\b/_
\bu_
\bs_
\br_
\b/_
\bl_
\bo_
\bc_
\ba_
\bl_
\b/_
\bl_
\bi_
\bb_
\be_
\bx_
\be_
\bc_
\b/_
\bs_
\bu_
\bd_
\bo_
\b__
\bn_
\bo_
\be_
\bx_
\be_
\bc_
\b._
\bs_
\bo.
971 passprompt The default prompt to use when asking for a password;
972 can be overridden via the -
\b-p
\bp option or the SUDO_PROMPT
973 environment variable. The following percent (`%')
974 escapes are supported:
976 %H expanded to the local hostname including the domain
977 name (on if the machine's hostname is fully
978 qualified or the _
\bf_
\bq_
\bd_
\bn option is set)
980 %h expanded to the local hostname without the domain
983 %p expanded to the user whose password is being asked
984 for (respects the _
\br_
\bo_
\bo_
\bt_
\bp_
\bw, _
\bt_
\ba_
\br_
\bg_
\be_
\bt_
\bp_
\bw and _
\br_
\bu_
\bn_
\ba_
\bs_
\bp_
\bw
988 1.7.2p2 November 24, 2009 15
994 SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
997 flags in _
\bs_
\bu_
\bd_
\bo_
\be_
\br_
\bs)
999 %U expanded to the login name of the user the command
1000 will be run as (defaults to root)
1002 %u expanded to the invoking user's login name
1004 %% two consecutive % characters are collapsed into a
1007 The default value is Password:.
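            The following is an added example, not code from sudo
            itself: it expands the passprompt escapes listed above and
            shows how the rootpw, runaspw and targetpw flags change
            whose password %p names.  The precedence applied when more
            than one of those flags is set is an assumption (the page
            only says %p respects them), and every host and user name
            below is constructed.

```python
"""Expand the percent escapes documented for the passprompt option and
decide whose password %p names.

Added example, not sudo's own code.  It implements the documented
escapes (%H, %h, %p, %U, %u, %%); the order in which rootpw, runaspw
and targetpw are consulted is an assumption.  All names are constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class PromptContext:
    invoking_user: str            # who ran sudo (%u)
    runas_user: str               # who the command runs as, the -u value (%U)
    hostname: str                 # fully qualified local hostname (%H)
    runas_default: str = "root"   # the runas_default option
    rootpw: bool = False          # rootpw flag
    runaspw: bool = False         # runaspw flag
    targetpw: bool = False        # targetpw flag


def password_owner(ctx: PromptContext) -> str:
    """User whose password is requested: the value %p expands to."""
    if ctx.rootpw:            # rootpw: always root's password
        return "root"
    if ctx.runaspw:           # runaspw: password of the runas_default user
        return ctx.runas_default
    if ctx.targetpw:          # targetpw: password of the -u user
        return ctx.runas_user
    return ctx.invoking_user  # default: the invoking user's own password


def expand_passprompt(template: str, ctx: PromptContext) -> str:
    """Replace the % escapes in a passprompt template."""
    short_host = ctx.hostname.split(".", 1)[0]
    escapes = {
        "H": ctx.hostname,
        "h": short_host,
        "p": password_owner(ctx),
        "U": ctx.runas_user,
        "u": ctx.invoking_user,
        "%": "%",
    }
    out = []
    i = 0
    while i < len(template):
        ch = template[i]
        if ch == "%" and i + 1 < len(template) and template[i + 1] in escapes:
            out.append(escapes[template[i + 1]])
            i += 2
        else:
            out.append(ch)  # unknown escape or trailing %: kept as-is (assumption)
            i += 1
    return "".join(out)


if __name__ == "__main__":
    ctx = PromptContext("alice", "oracle", "db1.example.com", targetpw=True)
    print(expand_passprompt("[sudo] %p's password for %u on %h: ", ctx))
```

            Running the block prompts for oracle's password rather than
            alice's, because targetpw is set and the command runs as
            oracle; with rootpw set instead, %p is always root.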
     runas_default
            The default user to run commands as if the -u option is not
            specified on the command line.  This defaults to root.  Note
            that if runas_default is set it must occur before any
            Runas_Alias specifications.

     syslog_badpri
            Syslog priority to use when user authenticates
            unsuccessfully.  Defaults to alert.

     syslog_goodpri
            Syslog priority to use when user authenticates successfully.
            Defaults to notice.

     sudoers_locale
            Locale to use when parsing the sudoers file.  Note that
            changing the locale may affect how sudoers is interpreted.
            Defaults to "C".

     timestampdir
            The directory in which sudo stores its timestamp files.  The
            default is /var/run/sudo.

     timestampowner
            The owner of the timestamp directory and the timestamps
            stored therein.  The default is root.

   Strings that can be used in a boolean context:

     askpass
            The askpass option specifies the fully qualified path to a
            helper program used to read the user's password when no
            terminal is available.  This may be the case when sudo is
            executed from a graphical (as opposed to text-based)
            application.  The program specified by askpass should
            display the argument passed to it as the prompt and write
            the user's password to the standard output.  The value of
            askpass may be overridden by the SUDO_ASKPASS environment

     env_file
            The env_file option specifies the fully qualified path to a
            file containing variables to be set in the environment of
            the program being run.  Entries in this file should either
            be of the form VARIABLE=value or export VARIABLE=value.  The
            value may optionally be surrounded by single or double
            quotes.  Variables in this file are subject to other sudo
            environment settings such as env_keep and env_check.

     exempt_group
            Users in this group are exempt from password and PATH
            requirements.  This is not set by default.

     lecture
            This option controls when a short lecture will be printed
            along with the password prompt.  It has the following

            always  Always lecture the user.

            never   Never lecture the user.

            once    Only lecture the user the first time they run sudo.

            If no value is specified, a value of once is implied.
            Negating the option results in a value of never being used.
            The default value is once.

            Path to a file containing an alternate sudo lecture that
            will be used in place of the standard lecture if the named
            file exists.  By default, sudo uses a built-in lecture.

     listpw
            This option controls when a password will be required when a
            user runs sudo with the -l option.  It has the following

            all     All the user's sudoers entries for the current host
                    must have the NOPASSWD flag set to avoid entering a

            always  The user must always enter a password to use the -l

            any     At least one of the user's sudoers entries for the
                    current host must have the NOPASSWD flag set to
                    avoid entering a password.

            never   The user need never enter a password to use the -l

            If no value is specified, a value of any is implied.
            Negating the option results in a value of never being used.
            The default value is any.

     logfile
            Path to the sudo log file (not the syslog log file).
            Setting a path turns on logging to a file; negating this
            option turns it off.  By default, sudo logs via syslog.

     mailerflags
            Flags to use when invoking mailer.  Defaults to -t.

     mailerpath
            Path to mail program used to send warning mail.  Defaults to
            the path to sendmail found at configure time.

     mailfrom
            Address to use for the "from" address when sending warning
            and error mail.  The address should be enclosed in double
            quotes (") to protect against sudo interpreting the @ sign.
            Defaults to the name of the user running sudo.

     mailto
            Address to send warning and error mail to.  The address
            should be enclosed in double quotes (") to protect against
            sudo interpreting the @ sign.  Defaults to root.

     secure_path
            Path used for every command run from sudo.  If you don't
            trust the people running sudo to have a sane PATH
            environment variable you may want to use this.  Another use
            is if you want to have the "root path" be separate from the
            "user path."  Users in the group specified by the
            exempt_group option are not affected by secure_path.  This
            option is not set by default.

     syslog
            Syslog facility if syslog is being used for logging (negate
            to disable syslog logging).  Defaults to local2.

     verifypw
            This option controls when a password will be required when a
            user runs sudo with the -v option.  It has the following

            all     All the user's sudoers entries for the current host
                    must have the NOPASSWD flag set to avoid entering a

            always  The user must always enter a password to use the -v

            any     At least one of the user's sudoers entries for the
                    current host must have the NOPASSWD flag set to
                    avoid entering a password.

            never   The user need never enter a password to use the -v

            If no value is specified, a value of all is implied.
            Negating the option results in a value of never being used.
            The default value is all.

   Lists that can be used in a boolean context:

     env_check
            Environment variables to be removed from the user's
            environment if the variable's value contains % or /
            characters.  This can be used to guard against printf-style
            format vulnerabilities in poorly-written programs.  The
            argument may be a double-quoted, space-separated list or a
            single value without double-quotes.  The list can be
            replaced, added to, deleted from, or disabled by using the
            =, +=, -=, and ! operators respectively.  Regardless of
            whether the env_reset option is enabled or disabled,
            variables specified by env_check will be preserved in the
            environment if they pass the aforementioned check.  The
            default list of environment variables to check is displayed
            when sudo is run by root with the -V option.

     env_delete
            Environment variables to be removed from the user's
            environment when the env_reset option is not in effect.  The
            argument may be a double-quoted, space-separated list or a
            single value without double-quotes.  The list can be
            replaced, added to, deleted from, or disabled by using the
            =, +=, -=, and ! operators respectively.  The default list
            of environment variables to remove is displayed when sudo is
            run by root with the -V option.  Note that many operating
            systems will remove potentially dangerous variables from the
            environment of any setuid process (such as sudo).

     env_keep
            Environment variables to be preserved in the user's
            environment when the env_reset option is in effect.  This
            allows fine-grained control over the environment
            sudo-spawned processes will receive.  The argument may be a
            double-quoted, space-separated list or a single value
            without double-quotes.  The list can be replaced, added to,
            deleted from, or disabled by using the =, +=, -=, and !
            operators respectively.  The default list of variables to
            keep is displayed when sudo is run by root with the -V
            option.
     When logging via syslog(3), sudo accepts the following values for
     the syslog facility (the value of the syslog Parameter): authpriv
     (if your OS supports it), auth, daemon, user, local0, local1,
     local2, local3, local4, local5, local6, and local7.  The following
     syslog priorities are supported: alert, crit, debug, emerg, err,
     info, notice, and warning.

FILES
     /etc/sudoers      List of who can run what

     /etc/group        Local groups file

     /etc/netgroup     List of network groups

EXAMPLES
     Below are example sudoers entries.  Admittedly, some of these are a
     bit contrived.  First, we define our aliases:

      # User alias specification
      User_Alias     FULLTIMERS = millert, mikef, dowdy
      User_Alias     PARTTIMERS = bostley, jwfox, crawl
      User_Alias     WEBMASTERS = will, wendy, wim

      # Runas alias specification
      Runas_Alias    OP = root, operator
      Runas_Alias    DB = oracle, sybase
      Runas_Alias    ADMINGRP = adm, oper

      # Host alias specification
      Host_Alias     SPARC = bigtime, eclipse, moet, anchor :\
                     SGI = grolsch, dandelion, black :\
                     ALPHA = widget, thalamus, foobar :\
                     HPPA = boa, nag, python
      Host_Alias     CUNETS = 128.138.0.0/255.255.0.0
      Host_Alias     CSNETS = 128.138.243.0, 128.138.204.0/24, 128.138.242.0
      Host_Alias     SERVERS = master, mail, www, ns
      Host_Alias     CDROM = orion, perseus, hercules

      # Cmnd alias specification
      Cmnd_Alias     DUMPS = /usr/bin/mt, /usr/sbin/dump, /usr/sbin/rdump,\
                             /usr/sbin/restore, /usr/sbin/rrestore
      Cmnd_Alias     KILL = /usr/bin/kill
      Cmnd_Alias     PRINTING = /usr/sbin/lpc, /usr/bin/lprm
      Cmnd_Alias     SHUTDOWN = /usr/sbin/shutdown
      Cmnd_Alias     HALT = /usr/sbin/halt
      Cmnd_Alias     REBOOT = /usr/sbin/reboot
      Cmnd_Alias     SHELLS = /usr/bin/sh, /usr/bin/csh, /usr/bin/ksh, \
                              /usr/local/bin/tcsh, /usr/bin/rsh, \
      Cmnd_Alias     SU = /usr/bin/su
      Cmnd_Alias     PAGERS = /usr/bin/more, /usr/bin/pg, /usr/bin/less

     Here we override some of the compiled in default values.  We want
     sudo to log via syslog(3) using the auth facility in all cases.  We
     don't want to subject the full time staff to the sudo lecture, user
     millert need not give a password, and we don't want to reset the
     LOGNAME, USER or USERNAME environment variables when running
     commands as root.  Additionally, on the machines in the SERVERS
     Host_Alias, we keep an additional local log file and make sure we
     log the year in each log line since the log entries will be kept
     around for several years.  Lastly, we disable shell escapes for the
     commands in the PAGERS Cmnd_Alias (/usr/bin/more, /usr/bin/pg and
     /usr/bin/less).

      # Override built-in defaults
      Defaults               syslog=auth
      Defaults>root          !set_logname
      Defaults:FULLTIMERS    !lecture
      Defaults:millert       !authenticate
      Defaults@SERVERS       log_year, logfile=/var/log/sudo.log
      Defaults!PAGERS        noexec

     The User specification is the part that actually determines who
     may run

      root           ALL = (ALL) ALL
      %wheel         ALL = (ALL) ALL

     We let root and any user in group wheel run any command on any
     host as

      FULLTIMERS     ALL = NOPASSWD: ALL

     Full time sysadmins (millert, mikef, and dowdy) may run any command
     on any host without authenticating themselves.

      PARTTIMERS     ALL = ALL

     Part time sysadmins (bostley, jwfox, and crawl) may run any command
     on any host but they must authenticate themselves first (since the
     entry lacks the NOPASSWD tag).

     The user jack may run any command on the machines in the CSNETS
     alias (the networks 128.138.243.0, 128.138.204.0, and
     128.138.242.0).  Of those networks, only 128.138.204.0 has an
     explicit netmask (in CIDR notation) indicating it is a class C
     network.  For the other networks in CSNETS, the local machine's
     netmask will be used during matching.

     The user lisa may run any command on any host in the CUNETS alias
     (the class B network 128.138.0.0).

      operator       ALL = DUMPS, KILL, SHUTDOWN, HALT, REBOOT, PRINTING,\
                     sudoedit /etc/printcap, /usr/oper/bin/

     The operator user may run commands limited to simple maintenance.
     Here, those are commands related to backups, killing processes, the
     printing system, shutting down the system, and any commands in the
     directory /usr/oper/bin/.

      joe            ALL = /usr/bin/su operator

     The user joe may only su(1) to operator.

      pete           HPPA = /usr/bin/passwd [A-Za-z]*, !/usr/bin/passwd root

      %opers         ALL = (: ADMINGRP) /usr/sbin/

     Users in the opers group may run commands in /usr/sbin/ as
     themselves with any group in the ADMINGRP Runas_Alias (the adm and
     oper groups).

     The user pete is allowed to change anyone's password except for
     root on the HPPA machines.  Note that this assumes passwd(1) does
     not take multiple usernames on the command line.

      bob            SPARC = (OP) ALL : SGI = (OP) ALL

     The user bob may run anything on the SPARC and SGI machines as any
     user listed in the OP Runas_Alias (root and operator).

     The user jim may run any command on machines in the biglab
     netgroup.  sudo knows that "biglab" is a netgroup due to the '+'
     prefix.

      +secretaries   ALL = PRINTING, /usr/bin/adduser, /usr/bin/rmuser

     Users in the secretaries netgroup need to help manage the printers
     as well as add and remove users, so they are allowed to run those
     commands

      fred           ALL = (DB) NOPASSWD: ALL

     The user fred can run commands as any user in the DB Runas_Alias
     (oracle or sybase) without giving a password.

      john           ALPHA = /usr/bin/su [!-]*, !/usr/bin/su *root*

     On the ALPHA machines, user john may su to anyone except root but
     he is not allowed to specify any options to the su(1) command.

      jen            ALL, !SERVERS = ALL

     The user jen may run any command on any machine except for those in
     the SERVERS Host_Alias (master, mail, www and ns).

      jill           SERVERS = /usr/bin/, !SU, !SHELLS

     For any machine in the SERVERS Host_Alias, jill may run any
     commands in the directory /usr/bin/ except for those commands
     belonging to the SU and SHELLS Cmnd_Aliases.

      steve          CSNETS = (operator) /usr/local/op_commands/

     The user steve may run any command in the directory
     /usr/local/op_commands/ but only as user operator.

      matt           valkyrie = KILL

     On his personal workstation, valkyrie, matt needs to be able to
     kill

      WEBMASTERS     www = (www) ALL, (root) /usr/bin/su www

     On the host www, any user in the WEBMASTERS User_Alias (will,
     wendy, and wim), may run any command as user www (which owns the
     web pages) or simply su(1) to www.

      ALL            CDROM = NOPASSWD: /sbin/umount /CDROM,\
                     /sbin/mount -o nosuid\,nodev /dev/cd0a /CDROM

     Any user may mount or unmount a CD-ROM on the machines in the CDROM
     Host_Alias (orion, perseus, hercules) without entering a password.
     This is a bit tedious for users to type, so it is a prime candidate
     for encapsulating in a shell script.

SECURITY NOTES
     It is generally not effective to "subtract" commands from ALL using
     the '!' operator.  A user can trivially circumvent this by copying
     the desired command to a different name and then executing that.
     For

      bill           ALL = ALL, !SU, !SHELLS

     Doesn't really prevent bill from running the commands listed in SU
     or SHELLS since he can simply copy those commands to a different
     name, or use a shell escape from an editor or other program.
     Therefore, these kinds of restrictions should be considered
     advisory at best (and reinforced by policy).
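     The following is an added example, not sudo's own code, that
     evaluates a simplified sudoers policy with the ordering rule this
     page states (entries apply in order, the last match wins).  It
     supports Host_Alias, Cmnd_Alias and plain "user HOSTS = CMNDS"
     entries only (no Runas lists, tags, groups or netgroups) and uses
     the bill and jill entries from this page, with the SU, SHELLS and
     SERVERS aliases copied from the EXAMPLES section, to show why a
     negation subtracted from ALL only covers the exact paths it names
     whereas jill's directory-based entry never matches a copy placed
     elsewhere.

```python
"""Evaluate a simplified sudoers policy: entries are applied in order
and the last matching one wins, so a negated entry only removes exactly
what it names.

Added example, not sudo's own code.  Supports Host_Alias, Cmnd_Alias
and "user HOSTS = CMNDS" specifications (no Runas, tags, groups or
netgroups).  Command matching follows the page: ALL matches anything, a
pattern ending in "/" matches files directly in that directory, glob
characters are matched with fnmatch, otherwise the path must be exact.
"""
import fnmatch
from typing import Dict, Iterator, List, Optional, Tuple

# Constructed policy: bill and jill entries from the SECURITY NOTES and
# EXAMPLES sections; the SHELLS alias omits the page's missing final
# continuation line.
SAMPLE_SUDOERS = """
Host_Alias SERVERS = master, mail, www, ns
Cmnd_Alias SHELLS = /usr/bin/sh, /usr/bin/csh, /usr/bin/ksh, \\
                    /usr/local/bin/tcsh, /usr/bin/rsh
Cmnd_Alias SU = /usr/bin/su
bill ALL = ALL, !SU, !SHELLS
jill SERVERS = /usr/bin/, !SU, !SHELLS
"""

GLOB_CHARS = set("*?[")


def _logical_lines(text: str) -> List[str]:
    """Drop comments and blank lines, join backslash continuations."""
    out, buf = [], ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        out.append(buf + line)
        buf = ""
    return out


def _split_list(text: str) -> List[str]:
    return [item.strip() for item in text.split(",") if item.strip()]


def _cmnd_matches(command: str, pattern: str) -> bool:
    if pattern == "ALL":
        return True
    if pattern.endswith("/"):  # directory: files directly inside it
        rest = command[len(pattern):]
        return command.startswith(pattern) and rest != "" and "/" not in rest
    if GLOB_CHARS & set(pattern):
        return fnmatch.fnmatchcase(command, pattern)
    return command == pattern


class Policy:
    def __init__(self, text: str) -> None:
        self.hosts: Dict[str, List[str]] = {}
        self.cmnds: Dict[str, List[str]] = {}
        self.specs: List[Tuple[str, List[str], List[str]]] = []
        for line in _logical_lines(text):
            kind, _, body = line.partition(" ")
            if kind in ("Host_Alias", "Cmnd_Alias"):
                name, _, members = body.partition("=")
                table = self.hosts if kind == "Host_Alias" else self.cmnds
                table[name.strip()] = _split_list(members)
            else:  # user specification: "user HOSTS = CMNDS"
                hosts, _, commands = body.partition("=")
                self.specs.append((kind, _split_list(hosts), _split_list(commands)))

    def _host_ok(self, host: str, spec: str) -> bool:
        return spec == "ALL" or host == spec or host in self.hosts.get(spec, [])

    def _expand(self, items: List[str]) -> Iterator[Tuple[bool, str]]:
        """Yield (negated, pattern) with Cmnd_Alias names flattened."""
        for item in items:
            negated = item.startswith("!")
            name = item.lstrip("!")
            for pattern in self.cmnds.get(name, [name]):
                yield negated, pattern

    def check(self, user: str, host: str, command: str) -> Tuple[bool, str]:
        """Return (allowed, reason); the LAST matching entry decides."""
        verdict: Optional[Tuple[bool, str]] = None
        for spec_user, hosts, commands in self.specs:
            if spec_user != user or not any(self._host_ok(host, h) for h in hosts):
                continue
            for negated, pattern in self._expand(commands):
                if _cmnd_matches(command, pattern):
                    verdict = (not negated, ("!" if negated else "") + pattern)
        return verdict if verdict is not None else (False, "no matching entry")


if __name__ == "__main__":
    policy = Policy(SAMPLE_SUDOERS)
    for who, where, what in [("bill", "ns", "/usr/bin/su"), ("bill", "ns", "/tmp/su"),
                             ("jill", "ns", "/usr/bin/ls"), ("jill", "ns", "/tmp/sh")]:
        print(who, where, what, "->", policy.check(who, where, what))
```

     For bill, /usr/bin/su is denied because the negated entry is the
     last match, but a renamed copy outside the listed paths is still
     allowed by the earlier ALL.  For jill the same copy is refused
     simply because no entry matches it, which is why an allow list of
     specific commands or directories is the form to prefer over
     subtracting from ALL.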
1473 P
\bPR
\bRE
\bEV
\bVE
\bEN
\bNT
\bTI
\bIN
\bNG
\bG S
\bSH
\bHE
\bEL
\bLL
\bL E
\bES
\bSC
\bCA
\bAP
\bPE
\bES
\bS
1474 Once s
\bsu
\bud
\bdo
\bo executes a program, that program is free to do whatever it
1475 pleases, including run other programs. This can be a security issue
1476 since it is not uncommon for a program to allow shell escapes, which
1477 lets a user bypass s
\bsu
\bud
\bdo
\bo's access control and logging. Common programs
1478 that permit shell escapes include shells (obviously), editors,
1479 paginators, mail and terminal programs.
    There are two basic approaches to this problem:

    restrict  Avoid giving users access to commands that allow the user to
              run arbitrary commands. Many editors have a restricted mode
              where shell escapes are disabled, though sudoedit is a better
              solution to running editors via sudo. Due to the large
              number of programs that offer shell escapes, restricting
              users to the set of programs that do not is often unworkable.

    noexec    Many systems that support shared libraries have the ability
              to override default library functions by pointing an
              environment variable (usually LD_PRELOAD) to an alternate
              shared library. On such systems, sudo's noexec functionality
              can be used to prevent a program run by sudo from executing
              any other programs. Note, however, that this applies only to
              native dynamically-linked executables. Statically-linked
              executables and foreign executables running under binary
              emulation are not affected.
              To tell whether or not sudo supports noexec, you can run the
              following:

                  sudo -V | grep "dummy exec"

              If the resulting output contains a line that begins with:

                  File containing dummy exec functions:

              then sudo may be able to replace the exec family of functions
              in the standard library with its own that simply return an
              error. Unfortunately, there is no foolproof way to know
              whether or not noexec will work at compile-time. noexec
              should work on SunOS, Solaris, *BSD, Linux, IRIX, Tru64 UNIX,
              MacOS X, and HP-UX 11.x. It is known not to work on AIX and
              UnixWare. noexec is expected to work on most operating
              systems that support the LD_PRELOAD environment variable.
              Check your operating system's manual pages for the dynamic
              linker (usually ld.so, ld.so.1, dyld, dld.sl, rld, or loader)
              to see if LD_PRELOAD is supported.
              To enable noexec for a command, use the NOEXEC tag as
              documented in the User Specification section above. Here is
              an example:

                  aaron shanty = NOEXEC: /usr/bin/more, /usr/bin/vi

              This allows user aaron to run /usr/bin/more and /usr/bin/vi
              with noexec enabled. This will prevent those two commands
              from executing other commands (such as a shell). If you are
              unsure whether or not your system is capable of supporting
              noexec you can always just try it out and see if it works.
    Note that restricting shell escapes is not a panacea. Programs running
    as root are still capable of many potentially hazardous operations
    (such as changing or overwriting files) that could lead to unintended
    privilege escalation. In the specific case of an editor, a safer
    approach is to give the user permission to run sudoedit.
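    As an added audit helper (not part of the sudoers manual or of the sudo
    project), the following Python script flags the two patterns discussed
    in SECURITY NOTES and in the noexec text above: '!' exclusions after ALL,
    which are advisory only, and shell-escape-prone programs granted without
    the NOEXEC tag. The sample sudoers text, the list of escape-prone program
    names and the tag-inheritance handling are assumptions made here.

```python
import re

# Constructed sample sudoers fragment (not from any real system); the bill
# and aaron lines are the man page's own examples, the rest are made up.
SAMPLE_SUDOERS = """\
Cmnd_Alias SU = /usr/bin/su
Cmnd_Alias SHELLS = /bin/sh, /bin/bash
bill    ALL = ALL, !SU, !SHELLS
aaron   shanty = NOEXEC: /usr/bin/more, /usr/bin/vi
carol   ALL = (root) /usr/bin/vi /etc/hosts
dave    ALL = sudoedit /etc/hosts
"""
# Basenames standing in for the program kinds the man page says permit
# shell escapes (shells, editors, paginators, mail); the list is assumed.
ESCAPE_PRONE = {"sh", "bash", "vi", "vim", "more", "less", "mail"}
USER_SPEC = re.compile(r"^(\S+)\s+(\S+)\s*=\s*(.+)$")
OPPOSITE = {"EXEC": "NOEXEC", "NOEXEC": "EXEC"}

def parse_cmnd_list(cmnd_list):
    """Yield (tags, command) pairs. A tag stays in force for the commands
    that follow it until the opposite tag (EXEC vs NOEXEC) overrides it."""
    active = set()
    for item in cmnd_list.split(","):
        item = re.sub(r"^\([^)]*\)\s*", "", item.strip())  # drop a (runas) spec
        while re.match(r"^[A-Z]+:", item):                 # peel tags such as NOEXEC:
            tag, item = item.split(":", 1)
            item = item.strip()
            active.discard(OPPOSITE.get(tag, ""))
            active.add(tag)
        yield frozenset(active), item

def audit_sudoers(text):
    """Return (user, finding) tuples for the two risks the man page names."""
    findings = []
    for raw in text.splitlines():
        line = raw.strip()
        m = USER_SPEC.match(line)
        if not m or line.startswith(("#", "Defaults")) or m.group(1).endswith("_Alias"):
            continue
        user, cmnds = m.group(1), list(parse_cmnd_list(m.group(3)))
        negated = [c for _, c in cmnds if c.startswith("!")]   # "ALL, !X" hides X only under its usual name
        if negated and any(c == "ALL" for _, c in cmnds):
            findings.append((user, "negation after ALL is advisory: " + " ".join(negated)))
        for tags, cmnd in cmnds:                              # escape-prone program granted without NOEXEC
            prog = cmnd.split()[0].rsplit("/", 1)[-1] if cmnd and not cmnd.startswith("!") else ""
            if prog in ESCAPE_PRONE and "NOEXEC" not in tags:
                findings.append((user, "shell-escape-prone command without NOEXEC: " + cmnd))
    return findings
```

    Run audit_sudoers() over the text of a real sudoers file to list the
    entries that deserve a second look; a clean result is not proof of safety,
    since aliases and include files are not expanded here.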
SEE ALSO
    rsh(1), su(1), fnmatch(3), glob(3), sudo(1m), visudo(8)
CAVEATS
    The sudoers file should always be edited by the visudo command which
    locks the file and does grammatical checking. It is imperative that
    sudoers be free of syntax errors since sudo will not run with a
    syntactically incorrect sudoers file.

    When using netgroups of machines (as opposed to users), if you store
    fully qualified hostnames in the netgroup (as is usually the case), you
    either need to have the machine's hostname be fully qualified as
    returned by the hostname command or use the fqdn option in sudoers.

    If you feel you have found a bug in sudo, please submit a bug report at
    http://www.sudo.ws/sudo/bugs/
SUPPORT
    Limited free support is available via the sudo-users mailing list, see
    http://www.sudo.ws/mailman/listinfo/sudo-users to subscribe or search
    the archives.
DISCLAIMER
    sudo is provided ``AS IS'' and any express or implied warranties,
    including, but not limited to, the implied warranties of
    merchantability and fitness for a particular purpose are disclaimed.
    See the LICENSE file distributed with sudo or
    http://www.sudo.ws/sudo/license.html for complete details.