1 Copyright (c) 1994-1996, 1998-2005, 2007-2009
2 Todd C. Miller <Todd.Miller@courtesan.com>
4 Permission to use, copy, modify, and distribute this software for any
5 purpose with or without fee is hereby granted, provided that the above
6 copyright notice and this permission notice appear in all copies.
8 THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
9 WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
10 MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
11 ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
12 WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
13 ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
14 OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
15 ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
17 Sponsored in part by the Defense Advanced Research Projects
18 Agency (DARPA) and Air Force Research Laboratory, Air Force
19 Materiel Command, USAF, under agreement number F39502-99-1-0512.
21 $Sudo: sudoers.pod,v 1.173 2009/06/30 12:41:09 millert Exp $
26 sudoers - list of which users may execute what
30 The I<sudoers> file is composed of two types of entries: aliases
31 (basically variables) and user specifications (which specify who
34 When multiple entries match for a user, they are applied in order.
35 Where there are multiple matches, the last match is used (which is
36 not necessarily the most specific match).
38 The I<sudoers> grammar will be described below in Extended Backus-Naur
39 Form (EBNF). Don't despair if you don't know what EBNF is; it is
40 fairly simple, and the definitions below are annotated.
42 =head2 Quick guide to EBNF
44 EBNF is a concise and exact way of describing the grammar of a language.
45 Each EBNF definition is made up of I<production rules>. E.g.,
47 symbol ::= definition | alternate1 | alternate2 ...
49 Each I<production rule> references others and thus makes up a
50 grammar for the language. EBNF also contains the following
51 operators, which many readers will recognize from regular
52 expressions. Do not, however, confuse them with "wildcard"
53 characters, which have different meanings.
59 Means that the preceding symbol (or group of symbols) is optional.
60 That is, it may appear once or not at all.
64 Means that the preceding symbol (or group of symbols) may appear
69 Means that the preceding symbol (or group of symbols) may appear
74 Parentheses may be used to group symbols together. For clarity,
75 we will use single quotes ('') to designate what is a verbatim character
76 string (as opposed to a symbol name).
80 There are four kinds of aliases: C<User_Alias>, C<Runas_Alias>,
81 C<Host_Alias> and C<Cmnd_Alias>.
83 Alias ::= 'User_Alias' User_Alias (':' User_Alias)* |
84 'Runas_Alias' Runas_Alias (':' Runas_Alias)* |
85 'Host_Alias' Host_Alias (':' Host_Alias)* |
86 'Cmnd_Alias' Cmnd_Alias (':' Cmnd_Alias)*
88 User_Alias ::= NAME '=' User_List
90 Runas_Alias ::= NAME '=' Runas_List
92 Host_Alias ::= NAME '=' Host_List
94 Cmnd_Alias ::= NAME '=' Cmnd_List
96 NAME ::= [A-Z]([a-z][A-Z][0-9]_)*
98 Each I<alias> definition is of the form
100 Alias_Type NAME = item1, item2, ...
102 where I<Alias_Type> is one of C<User_Alias>, C<Runas_Alias>, C<Host_Alias>,
103 or C<Cmnd_Alias>. A C<NAME> is a string of uppercase letters, numbers,
104 and underscore characters ('_'). A C<NAME> B<must> start with an
105 uppercase letter. It is possible to put several alias definitions
106 of the same type on a single line, joined by a colon (':'). E.g.,
108 Alias_Type NAME = item1, item2, item3 : NAME = item4, item5
110 The definitions of what constitutes a valid I<alias> member follow.
115 User ::= '!'* username |
119 '!'* '%:'nonunix_group |
122 A C<User_List> is made up of one or more usernames, uids (prefixed
123 with '#'), system groups (prefixed with '%'), netgroups (prefixed
124 with '+') and C<User_Alias>es. Each list item may be prefixed with
125 zero or more '!' operators. An odd number of '!' operators negate
126 the value of the item; an even number just cancel each other out.
128 A C<username>, C<group>, C<netgroup> and C<nonunix_groups> may
129 be enclosed in double quotes to avoid the need for escaping special
130 characters. Alternately, special characters may be specified in
131 escaped hex mode, e.g. \x20 for space.
133 The C<nonunix_group> syntax depends on the underlying implementation.
134 For instance, the QAS AD backend supports the following formats:
140 Group in the same domain: "Group Name"
144 Group in any domain: "Group Name@FULLY.QUALIFIED.DOMAIN"
148 Group SID: "S-1-2-34-5678901234-5678901234-5678901234-567"
152 Note that quotes around group names are optional. Unquoted strings must
153 use a backslash (\) to escape spaces and the '@' symbol.
155 Runas_List ::= Runas_Member |
156 Runas_Member ',' Runas_List
158 Runas_Member ::= '!'* username |
164 A C<Runas_List> is similar to a C<User_List> except that instead
165 of C<User_Alias>es it can contain C<Runas_Alias>es. Note that
166 usernames and groups are matched as strings. In other words, two
167 users (groups) with the same uid (gid) are considered to be distinct.
168 If you wish to match all usernames with the same uid (e.g.E<nbsp>root
169 and toor), you can use a uid instead (#0 in the example given).
174 Host ::= '!'* hostname |
176 '!'* network(/netmask)? |
180 A C<Host_List> is made up of one or more hostnames, IP addresses,
181 network numbers, netgroups (prefixed with '+') and other aliases.
182 Again, the value of an item may be negated with the '!' operator.
183 If you do not specify a netmask along with the network number,
184 B<sudo> will query each of the local host's network interfaces and,
185 if the network number corresponds to one of the hosts's network
186 interfaces, the corresponding netmask will be used. The netmask
187 may be specified either in standard IP address notation
188 (e.g.E<nbsp>255.255.255.0 or ffff:ffff:ffff:ffff::),
189 or CIDR notation (number of bits, e.g.E<nbsp>24 or 64). A hostname may
190 include shell-style wildcards (see the L<Wildcards> section below),
191 but unless the C<hostname> command on your machine returns the fully
192 qualified hostname, you'll need to use the I<fqdn> option for
193 wildcards to be useful.
198 commandname ::= filename |
202 Cmnd ::= '!'* commandname |
207 A C<Cmnd_List> is a list of one or more commandnames, directories, and other
208 aliases. A commandname is a fully qualified filename which may include
209 shell-style wildcards (see the L<Wildcards> section below). A simple
210 filename allows the user to run the command with any arguments he/she
211 wishes. However, you may also specify command line arguments (including
212 wildcards). Alternately, you can specify C<""> to indicate that the command
213 may only be run B<without> command line arguments. A directory is a
214 fully qualified pathname ending in a '/'. When you specify a directory
215 in a C<Cmnd_List>, the user will be able to run any file within that directory
216 (but not in any subdirectories therein).
218 If a C<Cmnd> has associated command line arguments, then the arguments
219 in the C<Cmnd> must match exactly those given by the user on the command line
220 (or match the wildcards if there are any). Note that the following
221 characters must be escaped with a '\' if they are used in command
222 arguments: ',', ':', '=', '\'. The special command C<"sudoedit">
223 is used to permit a user to run B<sudo> with the B<-e> option (or
224 as B<sudoedit>). It may take command line arguments just as
225 a normal command does.
229 Certain configuration options may be changed from their default
230 values at runtime via one or more C<Default_Entry> lines. These
231 may affect all users on any host, all users on a specific host, a
232 specific user, a specific command, or commands being run as a specific user.
233 Note that per-command entries may not include command line arguments.
234 If you need to specify arguments, define a C<Cmnd_Alias> and reference
237 Default_Type ::= 'Defaults' |
238 'Defaults' '@' Host_List |
239 'Defaults' ':' User_List |
240 'Defaults' '!' Cmnd_List |
241 'Defaults' '>' Runas_List
243 Default_Entry ::= Default_Type Parameter_List
245 Parameter_List ::= Parameter |
246 Parameter ',' Parameter_List
248 Parameter ::= Parameter '=' Value |
249 Parameter '+=' Value |
250 Parameter '-=' Value |
253 Parameters may be B<flags>, B<integer> values, B<strings>, or B<lists>.
254 Flags are implicitly boolean and can be turned off via the '!'
255 operator. Some integer, string and list parameters may also be
256 used in a boolean context to disable them. Values may be enclosed
257 in double quotes (C<">) when they contain multiple words. Special
258 characters may be escaped with a backslash (C<\>).
260 Lists have two additional assignment operators, C<+=> and C<-=>.
261 These operators are used to add to and delete from a list respectively.
262 It is not an error to use the C<-=> operator to remove an element
263 that does not exist in a list.
265 Defaults entries are parsed in the following order: generic, host
266 and user Defaults first, then runas Defaults and finally command
269 See L<"SUDOERS OPTIONS"> for a list of supported Defaults parameters.
271 =head2 User Specification
273 User_Spec ::= User_List Host_List '=' Cmnd_Spec_List \
274 (':' Host_List '=' Cmnd_Spec_List)*
276 Cmnd_Spec_List ::= Cmnd_Spec |
277 Cmnd_Spec ',' Cmnd_Spec_List
279 Cmnd_Spec ::= Runas_Spec? Tag_Spec* Cmnd
281 Runas_Spec ::= '(' Runas_List? (':' Runas_List)? ')'
283 Tag_Spec ::= ('NOPASSWD:' | 'PASSWD:' | 'NOEXEC:' | 'EXEC:' |
284 'SETENV:' | 'NOSETENV:' )
286 A B<user specification> determines which commands a user may run
287 (and as what user) on specified hosts. By default, commands are
288 run as B<root>, but this can be changed on a per-command basis.
290 The basic structure of a user specification is `who = where (as_whom)
291 what'. Let's break that down into its constituent parts:
295 A C<Runas_Spec> determines the user and/or the group that a command
296 may be run as. A fully-specified C<Runas_Spec> consists of two
297 C<Runas_List>s (as defined above) separated by a colon (':') and
298 enclosed in a set of parentheses. The first C<Runas_List> indicates
299 which users the command may be run as via B<sudo>'s B<-u> option.
300 The second defines a list of groups that can be specified via
301 B<sudo>'s B<-g> option. If both C<Runas_List>s are specified, the
302 command may be run with any combination of users and groups listed
303 in their respective C<Runas_List>s. If only the first is specified,
304 the command may be run as any user in the list but no B<-g> option
305 may be specified. If the first C<Runas_List> is empty but the
306 second is specified, the command may be run as the invoking user
307 with the group set to any listed in the C<Runas_List>. If no
308 C<Runas_Spec> is specified the command may be run as B<root> and
309 no group may be specified.
311 A C<Runas_Spec> sets the default for the commands that follow it.
312 What this means is that for the entry:
314 dgb boulder = (operator) /bin/ls, /bin/kill, /usr/bin/lprm
316 The user B<dgb> may run F</bin/ls>, F</bin/kill>, and
317 F</usr/bin/lprm> -- but only as B<operator>. E.g.,
319 $ sudo -u operator /bin/ls.
321 It is also possible to override a C<Runas_Spec> later on in an
322 entry. If we modify the entry like so:
324 dgb boulder = (operator) /bin/ls, (root) /bin/kill, /usr/bin/lprm
326 Then user B<dgb> is now allowed to run F</bin/ls> as B<operator>,
327 but F</bin/kill> and F</usr/bin/lprm> as B<root>.
329 We can extend this to allow B<dgb> to run C</bin/ls> with either
330 the user or group set to B<operator>:
332 dgb boulder = (operator : operator) /bin/ls, (root) /bin/kill, \
335 In the following example, user B<tcm> may run commands that access
336 a modem device file with the dialer group. Note that in this example
337 only the group will be set, the command still runs as user B<tcm>.
339 tcm boulder = (:dialer) /usr/bin/tip, /usr/bin/cu, \
340 /usr/local/bin/minicom
344 A command may have zero or more tags associated with it. There are
345 eight possible tag values, C<NOPASSWD>, C<PASSWD>, C<NOEXEC>, C<EXEC>,
346 C<SETENV> and C<NOSETENV>.
347 Once a tag is set on a C<Cmnd>, subsequent C<Cmnd>s in the
348 C<Cmnd_Spec_List>, inherit the tag unless it is overridden by the
349 opposite tag (i.e.: C<PASSWD> overrides C<NOPASSWD> and C<NOEXEC>
352 =head3 NOPASSWD and PASSWD
354 By default, B<sudo> requires that a user authenticate him or herself
355 before running a command. This behavior can be modified via the
356 C<NOPASSWD> tag. Like a C<Runas_Spec>, the C<NOPASSWD> tag sets
357 a default for the commands that follow it in the C<Cmnd_Spec_List>.
358 Conversely, the C<PASSWD> tag can be used to reverse things.
361 ray rushmore = NOPASSWD: /bin/kill, /bin/ls, /usr/bin/lprm
363 would allow the user B<ray> to run F</bin/kill>, F</bin/ls>, and
364 F</usr/bin/lprm> as B<root> on the machine rushmore without
365 authenticating himself. If we only want B<ray> to be able to
366 run F</bin/kill> without a password the entry would be:
368 ray rushmore = NOPASSWD: /bin/kill, PASSWD: /bin/ls, /usr/bin/lprm
370 Note, however, that the C<PASSWD> tag has no effect on users who are
371 in the group specified by the I<exempt_group> option.
373 By default, if the C<NOPASSWD> tag is applied to any of the entries
374 for a user on the current host, he or she will be able to run
375 C<sudo -l> without a password. Additionally, a user may only run
376 C<sudo -v> without a password if the C<NOPASSWD> tag is present
377 for all a user's entries that pertain to the current host.
378 This behavior may be overridden via the verifypw and listpw options.
380 =head3 NOEXEC and EXEC
382 If B<sudo> has been compiled with I<noexec> support and the underlying
383 operating system supports it, the C<NOEXEC> tag can be used to prevent
384 a dynamically-linked executable from running further commands itself.
386 In the following example, user B<aaron> may run F</usr/bin/more>
387 and F</usr/bin/vi> but shell escapes will be disabled.
389 aaron shanty = NOEXEC: /usr/bin/more, /usr/bin/vi
391 See the L<PREVENTING SHELL ESCAPES> section below for more details
392 on how C<NOEXEC> works and whether or not it will work on your system.
394 =head3 SETENV and NOSETENV
396 These tags override the value of the I<setenv> option on a per-command
397 basis. Note that if C<SETENV> has been set for a command, any
398 environment variables set on the command line way are not subject
399 to the restrictions imposed by I<env_check>, I<env_delete>, or
400 I<env_keep>. As such, only trusted users should be allowed to set
401 variables in this manner. If the command matched is B<ALL>, the
402 C<SETENV> tag is implied for that command; this default may
403 be overridden by use of the C<UNSETENV> tag.
407 B<sudo> allows shell-style I<wildcards> (aka meta or glob characters)
408 to be used in hostnames, pathnames and command line arguments in
409 the I<sudoers> file. Wildcard matching is done via the B<POSIX>
410 L<glob(3)> and L<fnmatch(3)> routines. Note that these are I<not>
417 Matches any set of zero or more characters.
421 Matches any single character.
425 Matches any character in the specified range.
429 Matches any character B<not> in the specified range.
433 For any character "x", evaluates to "x". This is used to
434 escape special characters such as: "*", "?", "[", and "}".
438 POSIX character classes may also be used if your system's L<glob(3)>
439 and L<fnmatch(3)> functions support them. However, because the
440 C<':'> character has special meaning in I<sudoers>, it must be
441 escaped. For example:
443 /bin/ls [[\:alpha\:]]*
445 Would match any filename beginning with a letter.
447 Note that a forward slash ('/') will B<not> be matched by
448 wildcards used in the pathname. When matching the command
449 line arguments, however, a slash B<does> get matched by
450 wildcards. This is to make a path like:
454 match F</usr/bin/who> but not F</usr/bin/X11/xterm>.
456 =head2 Exceptions to wildcard rules
458 The following exceptions apply to the above rules:
464 If the empty string C<""> is the only command line argument in the
465 I<sudoers> entry it means that command is not allowed to be run
466 with B<any> arguments.
470 =head2 Including other files from within sudoers
472 It is possible to include other I<sudoers> files from within the
473 I<sudoers> file currently being parsed using the C<#include> and
474 C<#includedir> directives.
476 This can be used, for example, to keep a site-wide I<sudoers> file
477 in addition to a local, per-machine file. For the sake of this
478 example the site-wide I<sudoers> will be F</etc/sudoers> and the
479 per-machine one will be F</etc/sudoers.local>. To include
480 F</etc/sudoers.local> from within F</etc/sudoers> we would use the
481 following line in F</etc/sudoers>:
485 C<#include /etc/sudoers.local>
489 When B<sudo> reaches this line it will suspend processing of the
490 current file (F</etc/sudoers>) and switch to F</etc/sudoers.local>.
491 Upon reaching the end of F</etc/sudoers.local>, the rest of
492 F</etc/sudoers> will be processed. Files that are included may
493 themselves include other files. A hard limit of 128 nested include
494 files is enforced to prevent include file loops.
496 The filename may include the C<%h> escape, signifying the short form
497 of the hostname. I.e., if the machine's hostname is "xerxes", then
499 C<#include /etc/sudoers.%h>
501 will cause B<sudo> to include the file F</etc/sudoers.xerxes>.
503 The C<#includedir> directive can be used to create a F<sudo.d>
504 directory that the system package manager can drop I<sudoers> rules
505 into as part of package installation. For example, given:
507 C<#includedir /etc/sudoers.d>
509 B<sudo> will read each file in F</etc/sudoers.d>, skipping file
510 names that end in C<~> or contain a C<.> character to avoid causing
511 problems with package manager or editor temporary/backup files.
512 Files are parsed in sorted lexical order. That is,
513 F</etc/sudoers.d/01_first> will be parsed before
514 F</etc/sudoers.d/10_second>. Be aware that because the sorting is
515 lexical, not numeric, F</etc/sudoers.d/1_whoops> would be loaded
516 B<after> F</etc/sudoers.d/10_second>. Using a consistent number
517 of leading zeroes in the file names can be used to avoid such
520 Note that unlike files included via C<#include>, B<visudo> will not
521 edit the files in a C<#includedir> directory unless one of them
522 contains a syntax error. It is still possible to run B<visudo>
523 with the C<-f> flag to edit the files directly.
525 =head2 Other special characters and reserved words
527 The pound sign ('#') is used to indicate a comment (unless it is
528 part of a #include directive or unless it occurs in the context of
529 a user name and is followed by one or more digits, in which case
530 it is treated as a uid). Both the comment character and any text
531 after it, up to the end of the line, are ignored.
533 The reserved word B<ALL> is a built-in I<alias> that always causes
534 a match to succeed. It can be used wherever one might otherwise
535 use a C<Cmnd_Alias>, C<User_Alias>, C<Runas_Alias>, or C<Host_Alias>.
536 You should not try to define your own I<alias> called B<ALL> as the
537 built-in alias will be used in preference to your own. Please note
538 that using B<ALL> can be dangerous since in a command context, it
539 allows the user to run B<any> command on the system.
541 An exclamation point ('!') can be used as a logical I<not> operator
542 both in an I<alias> and in front of a C<Cmnd>. This allows one to
543 exclude certain values. Note, however, that using a C<!> in
544 conjunction with the built-in C<ALL> alias to allow a user to
545 run "all but a few" commands rarely works as intended (see SECURITY
548 Long lines can be continued with a backslash ('\') as the last
549 character on the line.
551 Whitespace between elements in a list as well as special syntactic
552 characters in a I<User Specification> ('=', ':', '(', ')') is optional.
554 The following characters must be escaped with a backslash ('\') when
555 used as part of a word (e.g.E<nbsp>a username or hostname):
556 '@', '!', '=', ':', ',', '(', ')', '\'.
558 =head1 SUDOERS OPTIONS
560 B<sudo>'s behavior can be modified by C<Default_Entry> lines, as
561 explained earlier. A list of all supported Defaults parameters,
562 grouped by type, are listed below.
570 If set, B<sudo> will set the C<HOME> environment variable to the home
571 directory of the target user (which is root unless the B<-u> option is used).
572 This effectively means that the B<-H> option is always implied.
573 This flag is I<off> by default.
577 If set, users must authenticate themselves via a password (or other
578 means of authentication) before they may run commands. This default
579 may be overridden via the C<PASSWD> and C<NOPASSWD> tags.
580 This flag is I<on> by default.
582 =item closefrom_override
584 If set, the user may use B<sudo>'s B<-C> option which
585 overrides the default starting point at which B<sudo> begins
586 closing open file descriptors. This flag is I<off> by default.
590 If set, B<visudo> will use the value of the EDITOR or VISUAL
591 environment variables before falling back on the default editor list.
592 Note that this may create a security hole as it allows the user to
593 run any arbitrary command as root without logging. A safer alternative
594 is to place a colon-separated list of editors in the C<editor>
595 variable. B<visudo> will then only use the EDITOR or VISUAL if
596 they match a value specified in C<editor>. This flag is I<@env_editor@> by
601 If set, B<sudo> will reset the environment to only contain the
602 LOGNAME, SHELL, USER, USERNAME and the C<SUDO_*> variables. Any
603 variables in the caller's environment that match the C<env_keep>
604 and C<env_check> lists are then added. The default contents of the
605 C<env_keep> and C<env_check> lists are displayed when B<sudo> is
606 run by root with the I<-V> option. If the I<secure_path> option
607 is set, its value will be used for the C<PATH> environment variable.
608 This flag is I<on> by default.
612 Set this flag if you want to put fully qualified hostnames in the
613 I<sudoers> file. I.e., instead of myhost you would use myhost.mydomain.edu.
614 You may still use the short form if you wish (and even mix the two).
615 Beware that turning on I<fqdn> requires B<sudo> to make DNS lookups
616 which may make B<sudo> unusable if DNS stops working (for example
617 if the machine is not plugged into the network). Also note that
618 you must use the host's official name as DNS knows it. That is,
619 you may not use a host alias (C<CNAME> entry) due to performance
620 issues and the fact that there is no way to get all aliases from
621 DNS. If your machine's hostname (as returned by the C<hostname>
622 command) is already fully qualified you shouldn't need to set
623 I<fqdn>. This flag is I<@fqdn@> by default.
627 If set, B<sudo> will ignore '.' or '' (current dir) in the C<PATH>
628 environment variable; the C<PATH> itself is not modified. This
629 flag is I<@ignore_dot@> by default.
631 =item ignore_local_sudoers
633 If set via LDAP, parsing of F<@sysconfdir@/sudoers> will be skipped.
634 This is intended for Enterprises that wish to prevent the usage of local
635 sudoers files so that only LDAP is used. This thwarts the efforts of
636 rogue operators who would attempt to add roles to F<@sysconfdir@/sudoers>.
637 When this option is present, F<@sysconfdir@/sudoers> does not even need to
638 exist. Since this option tells B<sudo> how to behave when no specific LDAP
639 entries have been matched, this sudoOption is only meaningful for the
640 C<cn=defaults> section. This flag is I<off> by default.
644 If set, B<sudo> will insult users when they enter an incorrect
645 password. This flag is I<@insults@> by default.
649 If set, the hostname will be logged in the (non-syslog) B<sudo> log file.
650 This flag is I<off> by default.
654 If set, the four-digit year will be logged in the (non-syslog) B<sudo> log file.
655 This flag is I<off> by default.
657 =item long_otp_prompt
659 When validating with a One Time Password (OPT) scheme such as
660 B<S/Key> or B<OPIE>, a two-line prompt is used to make it easier
661 to cut and paste the challenge to a local window. It's not as
662 pretty as the default but some people find it more convenient. This
663 flag is I<@long_otp_prompt@> by default.
667 Send mail to the I<mailto> user every time a users runs B<sudo>.
668 This flag is I<off> by default.
672 Send mail to the I<mailto> user if the user running B<sudo> does not
673 enter the correct password. This flag is I<off> by default.
677 If set, mail will be sent to the I<mailto> user if the invoking
678 user exists in the I<sudoers> file, but is not allowed to run
679 commands on the current host. This flag is I<@mail_no_host@> by default.
683 If set, mail will be sent to the I<mailto> user if the invoking
684 user is allowed to use B<sudo> but the command they are trying is not
685 listed in their I<sudoers> file entry or is explicitly denied.
686 This flag is I<@mail_no_perms@> by default.
690 If set, mail will be sent to the I<mailto> user if the invoking
691 user is not in the I<sudoers> file. This flag is I<@mail_no_user@>
696 If set, all commands run via B<sudo> will behave as if the C<NOEXEC>
697 tag has been set, unless overridden by a C<EXEC> tag. See the
698 description of I<NOEXEC and EXEC> below as well as the L<PREVENTING SHELL
699 ESCAPES> section at the end of this manual. This flag is I<off> by default.
703 Normally, B<sudo> will tell the user when a command could not be
704 found in their C<PATH> environment variable. Some sites may wish
705 to disable this as it could be used to gather information on the
706 location of executables that the normal user does not have access
707 to. The disadvantage is that if the executable is simply not in
708 the user's C<PATH>, B<sudo> will tell the user that they are not
709 allowed to run it, which can be confusing. This flag is I<@path_info@>
712 =item passprompt_override
714 The password prompt specified by I<passprompt> will normally only
715 be used if the passwod prompt provided by systems such as PAM matches
716 the string "Password:". If I<passprompt_override> is set, I<passprompt>
717 will always be used. This flag is I<off> by default.
719 =item preserve_groups
721 By default, B<sudo> will initialize the group vector to the list of
722 groups the target user is in. When I<preserve_groups> is set, the
723 user's existing group vector is left unaltered. The real and
724 effective group IDs, however, are still set to match the target
725 user. This flag is I<off> by default.
729 By default, B<sudo> reads the password like most other Unix programs,
730 by turning off echo until the user hits the return (or enter) key.
731 Some users become confused by this as it appears to them that B<sudo>
732 has hung at this point. When I<pwfeedback> is set, B<sudo> will
733 provide visual feedback when the user presses a key. Note that
734 this does have a security impact as an onlooker may be able to
735 determine the length of the password being entered.
736 This flag is I<off> by default.
740 If set, B<sudo> will only run when the user is logged in to a real
741 tty. When this flag is set, B<sudo> can only be run from a login
742 session and not via other means such as L<cron(8)> or cgi-bin scripts.
743 This flag is I<off> by default.
747 If set, root is allowed to run B<sudo> too. Disabling this prevents users
748 from "chaining" B<sudo> commands to get a root shell by doing something
749 like C<"sudo sudo /bin/sh">. Note, however, that turning off I<root_sudo>
750 will also prevent root and from running B<sudoedit>.
751 Disabling I<root_sudo> provides no real additional security; it
752 exists purely for historical reasons.
753 This flag is I<@root_sudo@> by default.
757 If set, B<sudo> will prompt for the root password instead of the password
758 of the invoking user. This flag is I<off> by default.
762 If set, B<sudo> will prompt for the password of the user defined by the
763 I<runas_default> option (defaults to C<@runas_default@>) instead of the
764 password of the invoking user. This flag is I<off> by default.
768 If set and B<sudo> is invoked with the B<-s> option the C<HOME>
769 environment variable will be set to the home directory of the target
770 user (which is root unless the B<-u> option is used). This effectively
771 makes the B<-s> option imply B<-H>. This flag is I<off> by default.
775 Normally, B<sudo> will set the C<LOGNAME>, C<USER> and C<USERNAME>
776 environment variables to the name of the target user (usually root
777 unless the B<-u> option is given). However, since some programs
778 (including the RCS revision control system) use C<LOGNAME> to
779 determine the real identity of the user, it may be desirable to
780 change this behavior. This can be done by negating the set_logname
781 option. Note that if the I<env_reset> option has not been disabled,
782 entries in the I<env_keep> list will override the value of
783 I<set_logname>. This flag is I<off> by default.
787 Allow the user to disable the I<env_reset> option from the command
788 line. Additionally, environment variables set via the command line
789 are not subject to the restrictions imposed by I<env_check>,
790 I<env_delete>, or I<env_keep>. As such, only trusted users should
791 be allowed to set variables in this manner. This flag is I<off>
796 If set and B<sudo> is invoked with no arguments it acts as if the
797 B<-s> option had been given. That is, it runs a shell as root (the
798 shell is determined by the C<SHELL> environment variable if it is
799 set, falling back on the shell listed in the invoking user's
800 /etc/passwd entry if not). This flag is I<off> by default.
804 Normally, B<sudo> uses the L<glob(3)> function to do shell-style
805 globbing when matching pathnames. However, since it accesses the
806 file system, L<glob(3)> can take a long time to complete for some
807 patterns, especially when the pattern references a network file
808 system that is mounted on demand (automounted). The I<fast_glob>
809 option causes B<sudo> to use the L<fnmatch(3)> function, which does
810 not access the file system to do its matching. The disadvantage
811 of I<fast_glob> is that it is unable to match relative pathnames
812 such as F<./ls> or F<../bin/ls>. This flag is I<off> by default.
816 Normally, when B<sudo> executes a command the real and effective
817 UIDs are set to the target user (root by default). This option
818 changes that behavior such that the real UID is left as the invoking
819 user's UID. In other words, this makes B<sudo> act as a setuid
820 wrapper. This can be useful on systems that disable some potentially
821 dangerous functionality when a program is run setuid. This option
822 is only effective on systems with either the setreuid() or setresuid()
823 function. This flag is I<off> by default.
827 If set, B<sudo> will prompt for the password of the user specified by
828 the B<-u> option (defaults to C<root>) instead of the password of the
829 invoking user. Note that this precludes the use of a uid not listed
830 in the passwd database as an argument to the B<-u> option.
831 This flag is I<off> by default.
835 If set, users must authenticate on a per-tty basis. Normally,
836 B<sudo> uses a directory in the ticket dir with the same name as
837 the user running it. With this flag enabled, B<sudo> will use a
838 file named for the tty the user is logged in on in that directory.
839 This flag is I<@tty_tickets@> by default.
843 If set, B<sudo> will set the umask as specified by I<sudoers> without
844 modification. This makes it possible to specify a more permissive
845 umask in I<sudoers> than the user's own umask and matches historical
846 behavior. If I<umask_override> is not set, B<sudo> will set the
847 umask to be the union of the user's umask and what is specified in
848 I<sudoers>. This flag is I<off> by default.
852 If set, B<sudo> will apply the defaults specified for the target user's
853 login class if one exists. Only available if B<sudo> is configured with
854 the --with-logincap option. This flag is I<off> by default.
858 By default, B<sudo> will refuse to run if the user must enter a
859 password but it is not possible to disable echo on the terminal.
860 If the I<visiblepw> flag is set, B<sudo> will prompt for a password
861 even when it would be visible on the screen. This makes it possible
862 to run things like C<"rsh somehost sudo ls"> since L<rsh(1)> does
863 not allocate a tty. This flag is I<off> by default.
873 Before it executes a command, B<sudo> will close all open file
874 descriptors other than standard input, standard output and standard
875 error (ie: file descriptors 0-2). The I<closefrom> option can be used
876 to specify a different file descriptor at which to start closing.
881 The number of tries a user gets to enter his/her password before
882 B<sudo> logs the failure and exits. The default is C<@passwd_tries@>.
886 B<Integers that can be used in a boolean context>:
892 Number of characters per line for the file log. This value is used
893 to decide when to wrap lines for nicer log files. This has no
894 effect on the syslog log file, only the file log. The default is
895 C<@loglen@> (use 0 or negate the option to disable word wrap).
899 Number of minutes before the B<sudo> password prompt times out.
900 The default is C<@password_timeout@>; set this to C<0> for no password timeout.
902 =item timestamp_timeout
904 Number of minutes that can elapse before B<sudo> will ask for a
905 passwd again. The default is C<@timeout@>. Set this to C<0> to always
906 prompt for a password.
907 If set to a value less than C<0> the user's timestamp will never
908 expire. This can be used to allow users to create or delete their
909 own timestamps via C<sudo -v> and C<sudo -k> respectively.
913 Umask to use when running the command. Negate this option or set
914 it to 0777 to preserve the user's umask. The actual umask that is
915 used will be the union of the user's umask and C<@sudo_umask@>.
916 This guarantees that B<sudo> never lowers the umask when running a
917 command. Note on systems that use PAM, the default PAM configuration
918 may specify its own umask which will override the value set in
927 =item badpass_message
929 Message that is displayed if a user enters an incorrect password.
930 The default is C<@badpass_message@> unless insults are enabled.
934 A colon (':') separated list of editors allowed to be used with
935 B<visudo>. B<visudo> will choose the editor that matches the user's
936 EDITOR environment variable if possible, or the first editor in the
937 list that exists and is executable. The default is the path to vi
942 Subject of the mail sent to the I<mailto> user. The escape C<%h>
943 will expand to the hostname of the machine.
944 Default is C<@mailsub@>.
948 Path to a shared library containing dummy versions of the execv(),
949 execve() and fexecve() library functions that just return an error.
950 This is used to implement the I<noexec> functionality on systems that
951 support C<LD_PRELOAD> or its equivalent. Defaults to F<@noexec_file@>.
955 The default prompt to use when asking for a password; can be overridden
956 via the B<-p> option or the C<SUDO_PROMPT> environment variable.
957 The following percent (`C<%>') escapes are supported:
963 expanded to the local hostname including the domain name
964 (on if the machine's hostname is fully qualified or the I<fqdn>
969 expanded to the local hostname without the domain name
973 expanded to the user whose password is being asked for (respects the
974 I<rootpw>, I<targetpw> and I<runaspw> flags in I<sudoers>)
978 expanded to the login name of the user the command will
979 be run as (defaults to root)
983 expanded to the invoking user's login name
987 two consecutive C<%> characters are collapsed into a single C<%> character
991 The default value is C<@passprompt@>.
995 The default SELinux role to use when constructing a new security
996 context to run the command. The default role may be overridden on
997 a per-command basis in I<sudoers> or via command line options.
998 This option is only available whe B<sudo> is built with SELinux support.
1002 The default user to run commands as if the B<-u> option is not specified
1003 on the command line. This defaults to C<@runas_default@>.
1004 Note that if I<runas_default> is set it B<must> occur before
1005 any C<Runas_Alias> specifications.
1009 Syslog priority to use when user authenticates unsuccessfully.
1010 Defaults to C<@badpri@>.
1012 =item syslog_goodpri
1014 Syslog priority to use when user authenticates successfully.
1015 Defaults to C<@goodpri@>.
1017 =item sudoers_locale
1019 Locale to use when parsing the sudoers file. Note that changing
1020 the locale may affect how sudoers is interpreted.
1025 The directory in which B<sudo> stores its timestamp files.
1026 The default is F<@timedir@>.
1028 =item timestampowner
1030 The owner of the timestamp directory and the timestamps stored therein.
1031 The default is C<root>.
1035 The default SELinux type to use when constructing a new security
1036 context to run the command. The default type may be overridden on
1037 a per-command basis in I<sudoers> or via command line options.
1038 This option is only available whe B<sudo> is built with SELinux support.
1042 B<Strings that can be used in a boolean context>:
1048 The I<askpass> option specifies the fully qualified path to a helper
1049 program used to read the user's password when no terminal is
1050 available. This may be the case when B<sudo> is executed from a
1051 graphical (as opposed to text-based) application. The program
1052 specified by I<askpass> should display the argument passed to it
1053 as the prompt and write the user's password to the standard output.
1054 The value of I<askpass> may be overridden by the C<SUDO_ASKPASS>
1055 environment variable.
1059 The I<env_file> options specifies the fully qualified path to a
1060 file containing variables to be set in the environment of the program
1061 being run. Entries in this file should either be of the form
1062 C<VARIABLE=value> or C<export VARIABLE=value>. The value may
1063 optionally be surrounded by single or double quotes. Variables in
1064 this file are subject to other B<sudo> environment settings such
1065 as I<env_keep> and I<env_check>.
1069 Users in this group are exempt from password and PATH requirements.
1070 This is not set by default.
1074 This option controls when a short lecture will be printed along with
1075 the password prompt. It has the following possible values:
1081 Always lecture the user.
1085 Never lecture the user.
1089 Only lecture the user the first time they run B<sudo>.
1093 If no value is specified, a value of I<once> is implied.
1094 Negating the option results in a value of I<never> being used.
1095 The default value is I<@lecture@>.
1099 Path to a file containing an alternate B<sudo> lecture that will
1100 be used in place of the standard lecture if the named file exists.
1101 By default, B<sudo> uses a built-in lecture.
1105 This option controls when a password will be required when a
1106 user runs B<sudo> with the B<-l> option. It has the following possible values:
1112 All the user's I<sudoers> entries for the current host must have
1113 the C<NOPASSWD> flag set to avoid entering a password.
1117 The user must always enter a password to use the B<-l> option.
1121 At least one of the user's I<sudoers> entries for the current host
1122 must have the C<NOPASSWD> flag set to avoid entering a password.
1126 The user need never enter a password to use the B<-l> option.
1130 If no value is specified, a value of I<any> is implied.
1131 Negating the option results in a value of I<never> being used.
1132 The default value is I<any>.
1136 Path to the B<sudo> log file (not the syslog log file). Setting a path
1137 turns on logging to a file; negating this option turns it off.
1138 By default, B<sudo> logs via syslog.
1142 Flags to use when invoking mailer. Defaults to B<-t>.
1146 Path to mail program used to send warning mail.
1147 Defaults to the path to sendmail found at configure time.
1151 Address to use for the "from" address when sending warning and error
1152 mail. The address should be enclosed in double quotes (C<">) to
1153 protect against B<sudo> interpreting the C<@> sign. Defaults to
1154 the name of the user running B<sudo>.
1158 Address to send warning and error mail to. The address should
1159 be enclosed in double quotes (C<">) to protect against B<sudo>
1160 interpreting the C<@> sign. Defaults to C<@mailto@>.
1164 Path used for every command run from B<sudo>. If you don't trust the
1165 people running B<sudo> to have a sane C<PATH> environment variable you may
1166 want to use this. Another use is if you want to have the "root path"
1167 be separate from the "user path." Users in the group specified by the
1168 I<exempt_group> option are not affected by I<secure_path>.
1169 This is not set by default.
1173 Syslog facility if syslog is being used for logging (negate to
1174 disable syslog logging). Defaults to C<@logfac@>.
1178 This option controls when a password will be required when a user runs
1179 B<sudo> with the B<-v> option. It has the following possible values:
1185 All the user's I<sudoers> entries for the current host must have
1186 the C<NOPASSWD> flag set to avoid entering a password.
1190 The user must always enter a password to use the B<-v> option.
1194 At least one of the user's I<sudoers> entries for the current host
1195 must have the C<NOPASSWD> flag set to avoid entering a password.
1199 The user need never enter a password to use the B<-v> option.
1203 If no value is specified, a value of I<all> is implied.
1204 Negating the option results in a value of I<never> being used.
1205 The default value is I<all>.
1209 B<Lists that can be used in a boolean context>:
1215 Environment variables to be removed from the user's environment if
1216 the variable's value contains C<%> or C</> characters. This can
1217 be used to guard against printf-style format vulnerabilities in
1218 poorly-written programs. The argument may be a double-quoted,
1219 space-separated list or a single value without double-quotes. The
1220 list can be replaced, added to, deleted from, or disabled by using
1221 the C<=>, C<+=>, C<-=>, and C<!> operators respectively. Regardless
1222 of whether the C<env_reset> option is enabled or disabled, variables
1223 specified by C<env_check> will be preserved in the environment if
1224 they pass the aforementioned check. The default list of environment
1225 variables to check is displayed when B<sudo> is run by root with
1230 Not effective due to security issues: only variables listed in
1231 I<env_keep> or I<env_check> can be passed through B<sudo>!
1233 Environment variables to be removed from the user's environment
1234 when the I<env_reset> option is not in effect. The argument may
1235 be a double-quoted, space-separated list or a single value without
1236 double-quotes. The list can be replaced, added to, deleted from,
1237 or disabled by using the C<=>, C<+=>, C<-=>, and C<!> operators
1238 respectively. The default list of environment variables to remove
1239 is displayed when B<sudo> is run by root with the I<-V> option.
1240 Note that many operating systems will remove potentially dangerous
1241 variables from the environment of any setuid process (such as
1246 Environment variables to be preserved in the user's environment.
1247 This allows fine-grained
1248 control over the environment B<sudo>-spawned processes will receive.
1249 The argument may be a double-quoted, space-separated list or a
1250 single value without double-quotes. The list can be replaced, added
1251 to, deleted from, or disabled by using the C<=>, C<+=>, C<-=>, and
1252 C<!> operators respectively. The default list of variables to keep
1253 is displayed when B<sudo> is run by root with the I<-V> option.
1257 When logging via L<syslog(3)>, B<sudo> accepts the following values
1258 for the syslog facility (the value of the B<syslog> Parameter):
1259 B<authpriv> (if your OS supports it), B<auth>, B<daemon>, B<user>,
1260 B<local0>, B<local1>, B<local2>, B<local3>, B<local4>, B<local5>,
1261 B<local6>, and B<local7>. The following syslog priorities are
1262 supported: B<alert>, B<crit>, B<debug>, B<emerg>, B<err>, B<info>,
1263 B<notice>, and B<warning>.
1269 =item F<@sysconfdir@/sudoers>
1271 List of who can run what
1277 =item F</etc/netgroup>
1279 List of network groups
1285 Below are example I<sudoers> entries. Admittedly, some of
1286 these are a bit contrived. First, we define our I<aliases>:
1288 Below are example I<sudoers> entries. Admittedly, some of
1289 these are a bit contrived. First, we allow a few environment
1290 variables to pass and then define our I<aliases>:
1292 # Run X applications through sudo; HOME is used to find .Xauthority file
1293 # Note that some programs may use HOME for other purposes too and
1294 # this may lead to privilege escalation!
1295 Defaults env_keep = "DISPLAY HOME"
1297 # User alias specification
1298 User_Alias FULLTIMERS = millert, mikef, dowdy
1299 User_Alias PARTTIMERS = bostley, jwfox, crawl
1300 User_Alias WEBMASTERS = will, wendy, wim
1302 # Runas alias specification
1303 Runas_Alias OP = root, operator
1304 Runas_Alias DB = oracle, sybase
1305 Runas_Alias ADMINGRP = adm, oper
1307 # Host alias specification
1308 Host_Alias SPARC = bigtime, eclipse, moet, anchor :\
1309 SGI = grolsch, dandelion, black :\
1310 ALPHA = widget, thalamus, foobar :\
1311 HPPA = boa, nag, python
1312 Host_Alias CUNETS = 128.138.0.0/255.255.0.0
1313 Host_Alias CSNETS = 128.138.243.0, 128.138.204.0/24, 128.138.242.0
1314 Host_Alias SERVERS = master, mail, www, ns
1315 Host_Alias CDROM = orion, perseus, hercules
1317 # Cmnd alias specification
1318 Cmnd_Alias DUMPS = /usr/bin/mt, /usr/sbin/dump, /usr/sbin/rdump,\
1319 /usr/sbin/restore, /usr/sbin/rrestore
1320 Cmnd_Alias KILL = /usr/bin/kill
1321 Cmnd_Alias PRINTING = /usr/sbin/lpc, /usr/bin/lprm
1322 Cmnd_Alias SHUTDOWN = /usr/sbin/shutdown
1323 Cmnd_Alias HALT = /usr/sbin/halt
1324 Cmnd_Alias REBOOT = /usr/sbin/reboot
1325 Cmnd_Alias SHELLS = /usr/bin/sh, /usr/bin/csh, /usr/bin/ksh, \
1326 /usr/local/bin/tcsh, /usr/bin/rsh, \
1328 Cmnd_Alias SU = /usr/bin/su
1329 Cmnd_Alias PAGERS = /usr/bin/more, /usr/bin/pg, /usr/bin/less
1331 Here we override some of the compiled in default values. We want
1332 B<sudo> to log via L<syslog(3)> using the I<auth> facility in all
1333 cases. We don't want to subject the full time staff to the B<sudo>
1334 lecture, user B<millert> need not give a password, and we don't
1335 want to reset the C<LOGNAME>, C<USER> or C<USERNAME> environment
1336 variables when running commands as root. Additionally, on the
1337 machines in the I<SERVERS> C<Host_Alias>, we keep an additional
1338 local log file and make sure we log the year in each log line since
1339 the log entries will be kept around for several years. Lastly, we
1340 disable shell escapes for the commands in the PAGERS C<Cmnd_Alias>
1341 (F</usr/bin/more>, F</usr/bin/pg> and F</usr/bin/less>).
1343 # Override built-in defaults
1344 Defaults syslog=auth
1345 Defaults>root !set_logname
1346 Defaults:FULLTIMERS !lecture
1347 Defaults:millert !authenticate
1348 Defaults@SERVERS log_year, logfile=/var/log/sudo.log
1349 Defaults!PAGERS noexec
1351 The I<User specification> is the part that actually determines who may
1354 root ALL = (ALL) ALL
1355 %wheel ALL = (ALL) ALL
1357 We let B<root> and any user in group B<wheel> run any command on any
1360 FULLTIMERS ALL = NOPASSWD: ALL
1362 Full time sysadmins (B<millert>, B<mikef>, and B<dowdy>) may run any
1363 command on any host without authenticating themselves.
1365 PARTTIMERS ALL = ALL
1367 Part time sysadmins (B<bostley>, B<jwfox>, and B<crawl>) may run any
1368 command on any host but they must authenticate themselves first
1369 (since the entry lacks the C<NOPASSWD> tag).
1373 The user B<jack> may run any command on the machines in the I<CSNETS> alias
1374 (the networks C<128.138.243.0>, C<128.138.204.0>, and C<128.138.242.0>).
1375 Of those networks, only C<128.138.204.0> has an explicit netmask (in
1376 CIDR notation) indicating it is a class C network. For the other
1377 networks in I<CSNETS>, the local machine's netmask will be used
1382 The user B<lisa> may run any command on any host in the I<CUNETS> alias
1383 (the class B network C<128.138.0.0>).
1385 operator ALL = DUMPS, KILL, SHUTDOWN, HALT, REBOOT, PRINTING,\
1386 sudoedit /etc/printcap, /usr/oper/bin/
1388 The B<operator> user may run commands limited to simple maintenance.
1389 Here, those are commands related to backups, killing processes, the
1390 printing system, shutting down the system, and any commands in the
1391 directory F</usr/oper/bin/>.
1393 joe ALL = /usr/bin/su operator
1395 The user B<joe> may only L<su(1)> to operator.
1397 pete HPPA = /usr/bin/passwd [A-Za-z]*, !/usr/bin/passwd root
1399 %opers ALL = (: ADMINGRP) /usr/sbin/
1401 Users in the B<opers> group may run commands in F</usr/sbin/> as themselves
1402 with any group in the I<ADMINGRP> C<Runas_Alias> (the B<adm> and B<oper>
1405 The user B<pete> is allowed to change anyone's password except for
1406 root on the I<HPPA> machines. Note that this assumes L<passwd(1)>
1407 does not take multiple usernames on the command line.
1409 bob SPARC = (OP) ALL : SGI = (OP) ALL
1411 The user B<bob> may run anything on the I<SPARC> and I<SGI> machines
1412 as any user listed in the I<OP> C<Runas_Alias> (B<root> and B<operator>).
1416 The user B<jim> may run any command on machines in the I<biglab> netgroup.
1417 B<sudo> knows that "biglab" is a netgroup due to the '+' prefix.
1419 +secretaries ALL = PRINTING, /usr/bin/adduser, /usr/bin/rmuser
1421 Users in the B<secretaries> netgroup need to help manage the printers
1422 as well as add and remove users, so they are allowed to run those
1423 commands on all machines.
1425 fred ALL = (DB) NOPASSWD: ALL
1427 The user B<fred> can run commands as any user in the I<DB> C<Runas_Alias>
1428 (B<oracle> or B<sybase>) without giving a password.
1430 john ALPHA = /usr/bin/su [!-]*, !/usr/bin/su *root*
1432 On the I<ALPHA> machines, user B<john> may su to anyone except root
1433 but he is not allowed to specify any options to the L<su(1)> command.
1435 jen ALL, !SERVERS = ALL
1437 The user B<jen> may run any command on any machine except for those
1438 in the I<SERVERS> C<Host_Alias> (master, mail, www and ns).
1440 jill SERVERS = /usr/bin/, !SU, !SHELLS
1442 For any machine in the I<SERVERS> C<Host_Alias>, B<jill> may run
1443 any commands in the directory F</usr/bin/> except for those commands
1444 belonging to the I<SU> and I<SHELLS> C<Cmnd_Aliases>.
1446 steve CSNETS = (operator) /usr/local/op_commands/
1448 The user B<steve> may run any command in the directory /usr/local/op_commands/
1449 but only as user operator.
1451 matt valkyrie = KILL
1453 On his personal workstation, valkyrie, B<matt> needs to be able to
1454 kill hung processes.
1456 WEBMASTERS www = (www) ALL, (root) /usr/bin/su www
1458 On the host www, any user in the I<WEBMASTERS> C<User_Alias> (will,
1459 wendy, and wim), may run any command as user www (which owns the
1460 web pages) or simply L<su(1)> to www.
1462 ALL CDROM = NOPASSWD: /sbin/umount /CDROM,\
1463 /sbin/mount -o nosuid\,nodev /dev/cd0a /CDROM
1465 Any user may mount or unmount a CD-ROM on the machines in the CDROM
1466 C<Host_Alias> (orion, perseus, hercules) without entering a password.
1467 This is a bit tedious for users to type, so it is a prime candidate
1468 for encapsulating in a shell script.
1470 =head1 SECURITY NOTES
1472 It is generally not effective to "subtract" commands from C<ALL>
1473 using the '!' operator. A user can trivially circumvent this
1474 by copying the desired command to a different name and then
1475 executing that. For example:
1477 bill ALL = ALL, !SU, !SHELLS
1479 Doesn't really prevent B<bill> from running the commands listed in
1480 I<SU> or I<SHELLS> since he can simply copy those commands to a
1481 different name, or use a shell escape from an editor or other
1482 program. Therefore, these kind of restrictions should be considered
1483 advisory at best (and reinforced by policy).
1485 =head1 PREVENTING SHELL ESCAPES
1487 Once B<sudo> executes a program, that program is free to do whatever
1488 it pleases, including run other programs. This can be a security
1489 issue since it is not uncommon for a program to allow shell escapes,
1490 which lets a user bypass B<sudo>'s access control and logging.
1491 Common programs that permit shell escapes include shells (obviously),
1492 editors, paginators, mail and terminal programs.
1494 There are two basic approaches to this problem:
1500 Avoid giving users access to commands that allow the user to run
1501 arbitrary commands. Many editors have a restricted mode where shell
1502 escapes are disabled, though B<sudoedit> is a better solution to
1503 running editors via B<sudo>. Due to the large number of programs that
1504 offer shell escapes, restricting users to the set of programs that
1505 do not if often unworkable.
1509 Many systems that support shared libraries have the ability to
1510 override default library functions by pointing an environment
1511 variable (usually C<LD_PRELOAD>) to an alternate shared library.
1512 On such systems, B<sudo>'s I<noexec> functionality can be used to
1513 prevent a program run by B<sudo> from executing any other programs.
1514 Note, however, that this applies only to native dynamically-linked
1515 executables. Statically-linked executables and foreign executables
1516 running under binary emulation are not affected.
1518 To tell whether or not B<sudo> supports I<noexec>, you can run
1519 the following as root:
1521 sudo -V | grep "dummy exec"
1523 If the resulting output contains a line that begins with:
1525 File containing dummy exec functions:
1527 then B<sudo> may be able to replace the exec family of functions
1528 in the standard library with its own that simply return an error.
1529 Unfortunately, there is no foolproof way to know whether or not
1530 I<noexec> will work at compile-time. I<noexec> should work on
1531 SunOS, Solaris, *BSD, Linux, IRIX, Tru64 UNIX, MacOS X, and HP-UX
1532 11.x. It is known B<not> to work on AIX and UnixWare. I<noexec>
1533 is expected to work on most operating systems that support the
1534 C<LD_PRELOAD> environment variable. Check your operating system's
1535 manual pages for the dynamic linker (usually ld.so, ld.so.1, dyld,
1536 dld.sl, rld, or loader) to see if C<LD_PRELOAD> is supported.
1538 To enable I<noexec> for a command, use the C<NOEXEC> tag as documented
1539 in the User Specification section above. Here is that example again:
1541 aaron shanty = NOEXEC: /usr/bin/more, /usr/bin/vi
1543 This allows user B<aaron> to run F</usr/bin/more> and F</usr/bin/vi>
1544 with I<noexec> enabled. This will prevent those two commands from
1545 executing other commands (such as a shell). If you are unsure
1546 whether or not your system is capable of supporting I<noexec> you
1547 can always just try it out and see if it works.
1551 Note that restricting shell escapes is not a panacea. Programs
1552 running as root are still capable of many potentially hazardous
1553 operations (such as changing or overwriting files) that could lead
1554 to unintended privilege escalation. In the specific case of an
1555 editor, a safer approach is to give the user permission to run
1560 L<rsh(1)>, L<su(1)>, L<fnmatch(3)>, L<glob(3)>, L<sudo(8)>, L<visudo(8)>
1564 The I<sudoers> file should B<always> be edited by the B<visudo>
1565 command which locks the file and does grammatical checking. It is
1566 imperative that I<sudoers> be free of syntax errors since B<sudo>
1567 will not run with a syntactically incorrect I<sudoers> file.
1569 When using netgroups of machines (as opposed to users), if you
1570 store fully qualified hostnames in the netgroup (as is usually the
1571 case), you either need to have the machine's hostname be fully qualified
1572 as returned by the C<hostname> command or use the I<fqdn> option in
1577 If you feel you have found a bug in B<sudo>, please submit a bug report
1578 at http://www.sudo.ws/sudo/bugs/
1582 Limited free support is available via the sudo-users mailing list,
1583 see http://www.sudo.ws/mailman/listinfo/sudo-users to subscribe or
1584 search the archives.
1588 B<sudo> is provided ``AS IS'' and any express or implied warranties,
1589 including, but not limited to, the implied warranties of merchantability
1590 and fitness for a particular purpose are disclaimed. See the LICENSE
1591 file distributed with B<sudo> or http://www.sudo.ws/sudo/license.html
1592 for complete details.