-.\" Copyright (c) 1994-1996, 1998-2005, 2007-2009
+.\" Copyright (c) 1994-1996, 1998-2005, 2007-2011
.\" Todd C. Miller <Todd.Miller@courtesan.com>
.\"
.\" Permission to use, copy, modify, and distribute this software for any
.\" Agency (DARPA) and Air Force Research Laboratory, Air Force
.\" Materiel Command, USAF, under agreement number F39502-99-1-0512.
.\"
-.\" $Sudo: sudoers.pod,v 1.173 2009/06/30 12:41:09 millert Exp $
-.\" Automatically generated by Pod::Man 2.22 (Pod::Simple 3.07)
+.nr SL @SEMAN@
+.nr BA @BAMAN@
+.nr LC @LCMAN@
+.\"
+.\" Automatically generated by Pod::Man 2.23 (Pod::Simple 3.14)
.\"
.\" Standard preamble:
.\" ========================================================================
.\" ========================================================================
.\"
.IX Title "SUDOERS @mansectform@"
-.TH SUDOERS @mansectform@ "February 22, 2010" "1.7.2p5" "MAINTENANCE COMMANDS"
+.TH SUDOERS @mansectform@ "April 9, 2011" "1.7.6" "MAINTENANCE COMMANDS"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
\& User_List ::= User |
\& User \*(Aq,\*(Aq User_List
\&
-\& User ::= \*(Aq!\*(Aq* username |
-\& \*(Aq!\*(Aq* \*(Aq#\*(Aquid |
-\& \*(Aq!\*(Aq* \*(Aq%\*(Aqgroup |
-\& \*(Aq!\*(Aq* \*(Aq+\*(Aqnetgroup |
-\& \*(Aq!\*(Aq* \*(Aq%:\*(Aqnonunix_group |
+\& User ::= \*(Aq!\*(Aq* user name |
+\& \*(Aq!\*(Aq* #uid |
+\& \*(Aq!\*(Aq* %group |
+\& \*(Aq!\*(Aq* %#gid |
+\& \*(Aq!\*(Aq* +netgroup |
+\& \*(Aq!\*(Aq* %:nonunix_group |
+\& \*(Aq!\*(Aq* %:#nonunix_gid |
\& \*(Aq!\*(Aq* User_Alias
.Ve
.PP
-A \f(CW\*(C`User_List\*(C'\fR is made up of one or more usernames, uids (prefixed
-with '#'), system groups (prefixed with '%'), netgroups (prefixed
-with '+') and \f(CW\*(C`User_Alias\*(C'\fRes. Each list item may be prefixed with
-zero or more '!' operators. An odd number of '!' operators negate
-the value of the item; an even number just cancel each other out.
-.PP
-A \f(CW\*(C`username\*(C'\fR, \f(CW\*(C`group\*(C'\fR, \f(CW\*(C`netgroup\*(C'\fR and \f(CW\*(C`nonunix_groups\*(C'\fR may
-be enclosed in double quotes to avoid the need for escaping special
-characters. Alternately, special characters may be specified in
-escaped hex mode, e.g. \ex20 for space.
-.PP
-The \f(CW\*(C`nonunix_group\*(C'\fR syntax depends on the underlying implementation.
-For instance, the \s-1QAS\s0 \s-1AD\s0 backend supports the following formats:
+A \f(CW\*(C`User_List\*(C'\fR is made up of one or more user names, user ids
+(prefixed with '#'), system group names and ids (prefixed with '%'
+and '%#' respectively), netgroups (prefixed with '+'), non-Unix
+group names and IDs (prefixed with '%:' and '%:#' respectively) and
+\&\f(CW\*(C`User_Alias\*(C'\fRes. Each list item may be prefixed with zero or more
+\&'!' operators. An odd number of '!' operators negate the value of
+the item; an even number just cancel each other out.
+.PP
+A \f(CW\*(C`user name\*(C'\fR, \f(CW\*(C`uid\*(C'\fR, \f(CW\*(C`group\*(C'\fR, \f(CW\*(C`gid\*(C'\fR, \f(CW\*(C`netgroup\*(C'\fR, \f(CW\*(C`nonunix_group\*(C'\fR
+or \f(CW\*(C`nonunix_gid\*(C'\fR may be enclosed in double quotes to avoid the
+need for escaping special characters. Alternately, special characters
+may be specified in escaped hex mode, e.g. \ex20 for space. When
+using double quotes, any prefix characters must be included inside
+the quotes.
+.PP
+The \f(CW\*(C`nonunix_group\*(C'\fR and \f(CW\*(C`nonunix_gid\*(C'\fR syntax depends on the
+underlying implementation. For instance, the \s-1QAS\s0 \s-1AD\s0 backend supports
+the following formats:
.IP "\(bu" 4
Group in the same domain: \*(L"Group Name\*(R"
.IP "\(bu" 4
.IP "\(bu" 4
Group \s-1SID:\s0 \*(L"S\-1\-2\-34\-5678901234\-5678901234\-5678901234\-567\*(R"
.PP
-Note that quotes around group names are optional. Unquoted strings must
-use a backslash (\e) to escape spaces and the '@' symbol.
+Note that quotes around group names are optional. Unquoted strings
+must use a backslash (\e) to escape spaces and special characters.
+See \*(L"Other special characters and reserved words\*(R" for a list of
+characters that need to be escaped.
.PP
.Vb 2
\& Runas_List ::= Runas_Member |
\& Runas_Member \*(Aq,\*(Aq Runas_List
\&
-\& Runas_Member ::= \*(Aq!\*(Aq* username |
-\& \*(Aq!\*(Aq* \*(Aq#\*(Aquid |
-\& \*(Aq!\*(Aq* \*(Aq%\*(Aqgroup |
+\& Runas_Member ::= \*(Aq!\*(Aq* user name |
+\& \*(Aq!\*(Aq* #uid |
+\& \*(Aq!\*(Aq* %group |
+\& \*(Aq!\*(Aq* %#gid |
+\& \*(Aq!\*(Aq* %:nonunix_group |
+\& \*(Aq!\*(Aq* %:#nonunix_gid |
\& \*(Aq!\*(Aq* +netgroup |
\& \*(Aq!\*(Aq* Runas_Alias
.Ve
.PP
A \f(CW\*(C`Runas_List\*(C'\fR is similar to a \f(CW\*(C`User_List\*(C'\fR except that instead
of \f(CW\*(C`User_Alias\*(C'\fRes it can contain \f(CW\*(C`Runas_Alias\*(C'\fRes. Note that
-usernames and groups are matched as strings. In other words, two
+user names and groups are matched as strings. In other words, two
users (groups) with the same uid (gid) are considered to be distinct.
-If you wish to match all usernames with the same uid (e.g.\ root
+If you wish to match all user names with the same uid (e.g.\ root
and toor), you can use a uid instead (#0 in the example given).
.PP
.Vb 2
\& Host_List ::= Host |
\& Host \*(Aq,\*(Aq Host_List
\&
-\& Host ::= \*(Aq!\*(Aq* hostname |
+\& Host ::= \*(Aq!\*(Aq* host name |
\& \*(Aq!\*(Aq* ip_addr |
\& \*(Aq!\*(Aq* network(/netmask)? |
-\& \*(Aq!\*(Aq* \*(Aq+\*(Aqnetgroup |
+\& \*(Aq!\*(Aq* +netgroup |
\& \*(Aq!\*(Aq* Host_Alias
.Ve
.PP
-A \f(CW\*(C`Host_List\*(C'\fR is made up of one or more hostnames, \s-1IP\s0 addresses,
+A \f(CW\*(C`Host_List\*(C'\fR is made up of one or more host names, \s-1IP\s0 addresses,
network numbers, netgroups (prefixed with '+') and other aliases.
Again, the value of an item may be negated with the '!' operator.
If you do not specify a netmask along with the network number,
interfaces, the corresponding netmask will be used. The netmask
may be specified either in standard \s-1IP\s0 address notation
(e.g.\ 255.255.255.0 or ffff:ffff:ffff:ffff::),
-or \s-1CIDR\s0 notation (number of bits, e.g.\ 24 or 64). A hostname may
+or \s-1CIDR\s0 notation (number of bits, e.g.\ 24 or 64). A host name may
include shell-style wildcards (see the Wildcards section below),
-but unless the \f(CW\*(C`hostname\*(C'\fR command on your machine returns the fully
-qualified hostname, you'll need to use the \fIfqdn\fR option for
-wildcards to be useful.
+but unless the \f(CW\*(C`host name\*(C'\fR command on your machine returns the fully
+qualified host name, you'll need to use the \fIfqdn\fR option for
+wildcards to be useful. Note \fBsudo\fR only inspects actual network
+interfaces; this means that \s-1IP\s0 address 127.0.0.1 (localhost) will
+never match. Also, the host name \*(L"localhost\*(R" will only match if
+that is the actual host name, which is usually only the case for
+non-networked systems.
.PP
.Vb 2
\& Cmnd_List ::= Cmnd |
\& Cmnd \*(Aq,\*(Aq Cmnd_List
\&
-\& commandname ::= filename |
-\& filename args |
-\& filename \*(Aq""\*(Aq
+\& commandname ::= file name |
+\& file name args |
+\& file name \*(Aq""\*(Aq
\&
\& Cmnd ::= \*(Aq!\*(Aq* commandname |
\& \*(Aq!\*(Aq* directory |
.Ve
.PP
A \f(CW\*(C`Cmnd_List\*(C'\fR is a list of one or more commandnames, directories, and other
-aliases. A commandname is a fully qualified filename which may include
+aliases. A commandname is a fully qualified file name which may include
shell-style wildcards (see the Wildcards section below). A simple
-filename allows the user to run the command with any arguments he/she
+file name allows the user to run the command with any arguments he/she
wishes. However, you may also specify command line arguments (including
wildcards). Alternately, you can specify \f(CW""\fR to indicate that the command
may only be run \fBwithout\fR command line arguments. A directory is a
-fully qualified pathname ending in a '/'. When you specify a directory
+fully qualified path name ending in a '/'. When you specify a directory
in a \f(CW\*(C`Cmnd_List\*(C'\fR, the user will be able to run any file within that directory
(but not in any subdirectories therein).
.PP
\& Cmnd_Spec_List ::= Cmnd_Spec |
\& Cmnd_Spec \*(Aq,\*(Aq Cmnd_Spec_List
\&
-\& Cmnd_Spec ::= Runas_Spec? Tag_Spec* Cmnd
+.ie \n(SL \& Cmnd_Spec ::= Runas_Spec? SELinux_Spec? Tag_Spec* Cmnd
+.el \& Cmnd_Spec ::= Runas_Spec? Tag_Spec* Cmnd
\&
\& Runas_Spec ::= \*(Aq(\*(Aq Runas_List? (\*(Aq:\*(Aq Runas_List)? \*(Aq)\*(Aq
\&
+.if \n(SL \{\
+\& SELinux_Spec ::= (\*(AqROLE=role\*(Aq | \*(AqTYPE=type\*(Aq)
+\&
+\}
\& Tag_Spec ::= (\*(AqNOPASSWD:\*(Aq | \*(AqPASSWD:\*(Aq | \*(AqNOEXEC:\*(Aq | \*(AqEXEC:\*(Aq |
-\& \*(AqSETENV:\*(Aq | \*(AqNOSETENV:\*(Aq )
+\& \*(AqSETENV:\*(Aq | \*(AqNOSETENV:\*(Aq | \*(AqLOG_INPUT:\*(Aq | \*(AqNOLOG_INPUT:\*(Aq |
+\& \*(AqLOG_OUTPUT:\*(Aq | \*(AqNOLOG_OUTPUT:\*(Aq)
.Ve
.PP
A \fBuser specification\fR determines which commands a user may run
(and as what user) on specified hosts. By default, commands are
run as \fBroot\fR, but this can be changed on a per-command basis.
.PP
-The basic structure of a user specification is `who = where (as_whom)
+The basic structure of a user specification is `who where = (as_whom)
what'. Let's break that down into its constituent parts:
.SS "Runas_Spec"
.IX Subsection "Runas_Spec"
\&\fI/usr/bin/lprm\fR \*(-- but only as \fBoperator\fR. E.g.,
.PP
.Vb 1
-\& $ sudo \-u operator /bin/ls.
+\& $ sudo \-u operator /bin/ls
.Ve
.PP
It is also possible to override a \f(CW\*(C`Runas_Spec\*(C'\fR later on in an
\& /usr/bin/lprm
.Ve
.PP
+Note that while the group portion of the \f(CW\*(C`Runas_Spec\*(C'\fR permits the
+user to run as command with that group, it does not force the user
+to do so. If no group is specified on the command line, the command
+will run with the group listed in the target user's password database
+entry. The following would all be permitted by the sudoers entry above:
+.PP
+.Vb 3
+\& $ sudo \-u operator /bin/ls
+\& $ sudo \-u operator \-g operator /bin/ls
+\& $ sudo \-g operator /bin/ls
+.Ve
+.PP
In the following example, user \fBtcm\fR may run commands that access
-a modem device file with the dialer group. Note that in this example
-only the group will be set, the command still runs as user \fBtcm\fR.
+a modem device file with the dialer group.
.PP
.Vb 2
\& tcm boulder = (:dialer) /usr/bin/tip, /usr/bin/cu, \e
\& /usr/local/bin/minicom
.Ve
+.PP
+Note that in this example only the group will be set, the command
+still runs as user \fBtcm\fR. E.g.
+.PP
+.Vb 1
+\& $ sudo \-g dialer /usr/bin/cu
+.Ve
+.PP
+Multiple users and groups may be present in a \f(CW\*(C`Runas_Spec\*(C'\fR, in
+which case the user may select any combination of users and groups
+via the \fB\-u\fR and \fB\-g\fR options. In this example:
+.PP
+.Vb 1
+\& alan ALL = (root, bin : operator, system) ALL
+.Ve
+.PP
+user \fBalan\fR may run any command as either user root or bin,
+optionally setting the group to operator or system.
+.if \n(SL \{\
+.SS "SELinux_Spec"
+.IX Subsection "SELinux_Spec"
+On systems with SELinux support, \fIsudoers\fR entries may optionally have
+an SELinux role and/or type associated with a command. If a role or
+type is specified with the command it will override any default values
+specified in \fIsudoers\fR. A role or type specified on the command line,
+however, will supercede the values in \fIsudoers\fR.
+\}
.SS "Tag_Spec"
.IX Subsection "Tag_Spec"
A command may have zero or more tags associated with it. There are
-eight possible tag values, \f(CW\*(C`NOPASSWD\*(C'\fR, \f(CW\*(C`PASSWD\*(C'\fR, \f(CW\*(C`NOEXEC\*(C'\fR, \f(CW\*(C`EXEC\*(C'\fR,
-\&\f(CW\*(C`SETENV\*(C'\fR and \f(CW\*(C`NOSETENV\*(C'\fR.
-Once a tag is set on a \f(CW\*(C`Cmnd\*(C'\fR, subsequent \f(CW\*(C`Cmnd\*(C'\fRs in the
-\&\f(CW\*(C`Cmnd_Spec_List\*(C'\fR, inherit the tag unless it is overridden by the
-opposite tag (i.e.: \f(CW\*(C`PASSWD\*(C'\fR overrides \f(CW\*(C`NOPASSWD\*(C'\fR and \f(CW\*(C`NOEXEC\*(C'\fR
-overrides \f(CW\*(C`EXEC\*(C'\fR).
+eight possible tag values, \f(CW\*(C`NOPASSWD\*(C'\fR, \f(CW\*(C`PASSWD\*(C'\fR, \f(CW\*(C`NOEXEC\*(C'\fR,
+\&\f(CW\*(C`EXEC\*(C'\fR, \f(CW\*(C`SETENV\*(C'\fR, \f(CW\*(C`NOSETENV\*(C'\fR, \f(CW\*(C`LOG_INPUT\*(C'\fR, \f(CW\*(C`NOLOG_INPUT\*(C'\fR,
+\&\f(CW\*(C`LOG_OUTPUT\*(C'\fR and \f(CW\*(C`NOLOG_OUTPUT\*(C'\fR. Once a tag is set on a \f(CW\*(C`Cmnd\*(C'\fR,
+subsequent \f(CW\*(C`Cmnd\*(C'\fRs in the \f(CW\*(C`Cmnd_Spec_List\*(C'\fR, inherit the tag unless
+it is overridden by the opposite tag (i.e.: \f(CW\*(C`PASSWD\*(C'\fR overrides
+\&\f(CW\*(C`NOPASSWD\*(C'\fR and \f(CW\*(C`NOEXEC\*(C'\fR overrides \f(CW\*(C`EXEC\*(C'\fR).
.PP
\fI\s-1NOPASSWD\s0 and \s-1PASSWD\s0\fR
.IX Subsection "NOPASSWD and PASSWD"
.IX Subsection "SETENV and NOSETENV"
.PP
These tags override the value of the \fIsetenv\fR option on a per-command
-basis. Note that if \f(CW\*(C`SETENV\*(C'\fR has been set for a command, any
-environment variables set on the command line way are not subject
-to the restrictions imposed by \fIenv_check\fR, \fIenv_delete\fR, or
-\&\fIenv_keep\fR. As such, only trusted users should be allowed to set
-variables in this manner. If the command matched is \fB\s-1ALL\s0\fR, the
-\&\f(CW\*(C`SETENV\*(C'\fR tag is implied for that command; this default may
-be overridden by use of the \f(CW\*(C`UNSETENV\*(C'\fR tag.
+basis. Note that if \f(CW\*(C`SETENV\*(C'\fR has been set for a command, the user
+may disable the \fIenv_reset\fR option from the command line via the
+\&\fB\-E\fR option. Additionally, environment variables set on the command
+line are not subject to the restrictions imposed by \fIenv_check\fR,
+\&\fIenv_delete\fR, or \fIenv_keep\fR. As such, only trusted users should
+be allowed to set variables in this manner. If the command matched
+is \fB\s-1ALL\s0\fR, the \f(CW\*(C`SETENV\*(C'\fR tag is implied for that command; this
+default may be overridden by use of the \f(CW\*(C`NOSETENV\*(C'\fR tag.
+.PP
+\fI\s-1LOG_INPUT\s0 and \s-1NOLOG_INPUT\s0\fR
+.IX Subsection "LOG_INPUT and NOLOG_INPUT"
+.PP
+These tags override the value of the \fIlog_input\fR option on a
+per-command basis. For more information, see the description of
+\&\fIlog_input\fR in the \*(L"\s-1SUDOERS\s0 \s-1OPTIONS\s0\*(R" section below.
+.PP
+\fI\s-1LOG_OUTPUT\s0 and \s-1NOLOG_OUTPUT\s0\fR
+.IX Subsection "LOG_OUTPUT and NOLOG_OUTPUT"
+.PP
+These tags override the value of the \fIlog_output\fR option on a
+per-command basis. For more information, see the description of
+\&\fIlog_output\fR in the \*(L"\s-1SUDOERS\s0 \s-1OPTIONS\s0\*(R" section below.
.SS "Wildcards"
.IX Subsection "Wildcards"
\&\fBsudo\fR allows shell-style \fIwildcards\fR (aka meta or glob characters)
-to be used in hostnames, pathnames and command line arguments in
+to be used in host names, path names and command line arguments in
the \fIsudoers\fR file. Wildcard matching is done via the \fB\s-1POSIX\s0\fR
\&\fIglob\fR\|(3) and \fIfnmatch\fR\|(3) routines. Note that these are \fInot\fR
regular expressions.
\& /bin/ls [[\e:alpha\e:]]*
.Ve
.PP
-Would match any filename beginning with a letter.
+Would match any file name beginning with a letter.
.PP
Note that a forward slash ('/') will \fBnot\fR be matched by
-wildcards used in the pathname. When matching the command
+wildcards used in the path name. When matching the command
line arguments, however, a slash \fBdoes\fR get matched by
wildcards. This is to make a path like:
.PP
themselves include other files. A hard limit of 128 nested include
files is enforced to prevent include file loops.
.PP
-The filename may include the \f(CW%h\fR escape, signifying the short form
-of the hostname. I.e., if the machine's hostname is \*(L"xerxes\*(R", then
+The file name may include the \f(CW%h\fR escape, signifying the short form
+of the host name. I.e., if the machine's host name is \*(L"xerxes\*(R", then
.PP
\&\f(CW\*(C`#include /etc/sudoers.%h\*(C'\fR
.PP
characters in a \fIUser Specification\fR ('=', ':', '(', ')') is optional.
.PP
The following characters must be escaped with a backslash ('\e') when
-used as part of a word (e.g.\ a username or hostname):
-\&'@', '!', '=', ':', ',', '(', ')', '\e'.
+used as part of a word (e.g.\ a user name or host name):
+\&'!', '=', ':', ',', '(', ')', '\e'.
.SH "SUDOERS OPTIONS"
.IX Header "SUDOERS OPTIONS"
\&\fBsudo\fR's behavior can be modified by \f(CW\*(C`Default_Entry\*(C'\fR lines, as
explained earlier. A list of all supported Defaults parameters,
grouped by type, are listed below.
.PP
-\&\fBFlags\fR:
+\&\fBBoolean Flags\fR:
.IP "always_set_home" 16
.IX Item "always_set_home"
-If set, \fBsudo\fR will set the \f(CW\*(C`HOME\*(C'\fR environment variable to the home
-directory of the target user (which is root unless the \fB\-u\fR option is used).
-This effectively means that the \fB\-H\fR option is always implied.
+If enabled, \fBsudo\fR will set the \f(CW\*(C`HOME\*(C'\fR environment variable to the
+home directory of the target user (which is root unless the \fB\-u\fR
+option is used). This effectively means that the \fB\-H\fR option is
+always implied. Note that \f(CW\*(C`HOME\*(C'\fR is already set when the the
+\&\fIenv_reset\fR option is enabled, so \fIalways_set_home\fR is only
+effective for configurations where either \fIenv_reset\fR is disabled
+or \f(CW\*(C`HOME\*(C'\fR is present in the \fIenv_keep\fR list.
This flag is \fIoff\fR by default.
.IP "authenticate" 16
.IX Item "authenticate"
If set, the user may use \fBsudo\fR's \fB\-C\fR option which
overrides the default starting point at which \fBsudo\fR begins
closing open file descriptors. This flag is \fIoff\fR by default.
+.IP "compress_io" 16
+.IX Item "compress_io"
+If set, and \fBsudo\fR is configured to log a command's input or output,
+the I/O logs will be compressed using \fBzlib\fR. This flag is \fIon\fR
+by default when \fBsudo\fR is compiled with \fBzlib\fR support.
.IP "env_editor" 16
.IX Item "env_editor"
If set, \fBvisudo\fR will use the value of the \s-1EDITOR\s0 or \s-1VISUAL\s0
.IP "env_reset" 16
.IX Item "env_reset"
If set, \fBsudo\fR will reset the environment to only contain the
-\&\s-1LOGNAME\s0, \s-1SHELL\s0, \s-1USER\s0, \s-1USERNAME\s0 and the \f(CW\*(C`SUDO_*\*(C'\fR variables. Any
+\&\s-1LOGNAME\s0, \s-1MAIL\s0, \s-1SHELL\s0, \s-1USER\s0, \s-1USERNAME\s0 and the \f(CW\*(C`SUDO_*\*(C'\fR variables. Any
variables in the caller's environment that match the \f(CW\*(C`env_keep\*(C'\fR
and \f(CW\*(C`env_check\*(C'\fR lists are then added. The default contents of the
\&\f(CW\*(C`env_keep\*(C'\fR and \f(CW\*(C`env_check\*(C'\fR lists are displayed when \fBsudo\fR is
run by root with the \fI\-V\fR option. If the \fIsecure_path\fR option
is set, its value will be used for the \f(CW\*(C`PATH\*(C'\fR environment variable.
-This flag is \fIon\fR by default.
+This flag is \fI@env_reset@\fR by default.
+.IP "fast_glob" 16
+.IX Item "fast_glob"
+Normally, \fBsudo\fR uses the \fIglob\fR\|(3) function to do shell-style
+globbing when matching path names. However, since it accesses the
+file system, \fIglob\fR\|(3) can take a long time to complete for some
+patterns, especially when the pattern references a network file
+system that is mounted on demand (automounted). The \fIfast_glob\fR
+option causes \fBsudo\fR to use the \fIfnmatch\fR\|(3) function, which does
+not access the file system to do its matching. The disadvantage
+of \fIfast_glob\fR is that it is unable to match relative path names
+such as \fI./ls\fR or \fI../bin/ls\fR. This has security implications
+when path names that include globbing characters are used with the
+negation operator, \f(CW\*(Aq!\*(Aq\fR, as such rules can be trivially bypassed.
+As such, this option should not be used when \fIsudoers\fR contains rules
+that contain negated path names which include globbing characters.
+This flag is \fIoff\fR by default.
.IP "fqdn" 16
.IX Item "fqdn"
-Set this flag if you want to put fully qualified hostnames in the
+Set this flag if you want to put fully qualified host names in the
\&\fIsudoers\fR file. I.e., instead of myhost you would use myhost.mydomain.edu.
You may still use the short form if you wish (and even mix the two).
Beware that turning on \fIfqdn\fR requires \fBsudo\fR to make \s-1DNS\s0 lookups
you must use the host's official name as \s-1DNS\s0 knows it. That is,
you may not use a host alias (\f(CW\*(C`CNAME\*(C'\fR entry) due to performance
issues and the fact that there is no way to get all aliases from
-\&\s-1DNS\s0. If your machine's hostname (as returned by the \f(CW\*(C`hostname\*(C'\fR
+\&\s-1DNS\s0. If your machine's host name (as returned by the \f(CW\*(C`hostname\*(C'\fR
command) is already fully qualified you shouldn't need to set
\&\fIfqdn\fR. This flag is \fI@fqdn@\fR by default.
.IP "ignore_dot" 16
password. This flag is \fI@insults@\fR by default.
.IP "log_host" 16
.IX Item "log_host"
-If set, the hostname will be logged in the (non-syslog) \fBsudo\fR log file.
+If set, the host name will be logged in the (non-syslog) \fBsudo\fR log file.
This flag is \fIoff\fR by default.
+.IP "log_input" 16
+.IX Item "log_input"
+If set, \fBsudo\fR will run the command in a \fIpseudo tty\fR and log all
+user input.
+If the standard input is not connected to the user's tty, due to
+I/O redirection or because the command is part of a pipeline, that
+input is also captured and stored in a separate log file.
+.Sp
+Input is logged to the directory specified by the \fIiolog_dir\fR
+option (\fI@iolog_dir@\fR by default) using a unique session \s-1ID\s0 that
+is included in the normal \fBsudo\fR log line, prefixed with \fITSID=\fR.
+.Sp
+Note that user input may contain sensitive information such as
+passwords (even if they are not echoed to the screen), which will
+be stored in the log file unencrypted. In most cases, logging the
+command output via \fIlog_output\fR is all that is required.
+.IP "log_output" 16
+.IX Item "log_output"
+If set, \fBsudo\fR will run the command in a \fIpseudo tty\fR and log all
+output that is sent to the screen, similar to the \fIscript\fR\|(1) command.
+If the standard output or standard error is not connected to the
+user's tty, due to I/O redirection or because the command is part
+of a pipeline, that output is also captured and stored in separate
+log files.
+.Sp
+Output is logged to the directory specified by the \fIiolog_dir\fR
+option (\fI@iolog_dir@\fR by default) using a unique session \s-1ID\s0 that
+is included in the normal \fBsudo\fR log line, prefixed with \fITSID=\fR.
+.Sp
+Output logs may be viewed with the \fIsudoreplay\fR\|(@mansectsu@) utility, which
+can also be used to list or search the available logs.
.IP "log_year" 16
.IX Item "log_year"
If set, the four-digit year will be logged in the (non-syslog) \fBsudo\fR log file.
.IP "passprompt_override" 16
.IX Item "passprompt_override"
The password prompt specified by \fIpassprompt\fR will normally only
-be used if the passwod prompt provided by systems such as \s-1PAM\s0 matches
+be used if the password prompt provided by systems such as \s-1PAM\s0 matches
the string \*(L"Password:\*(R". If \fIpassprompt_override\fR is set, \fIpassprompt\fR
will always be used. This flag is \fIoff\fR by default.
.IP "preserve_groups" 16
If set, root is allowed to run \fBsudo\fR too. Disabling this prevents users
from \*(L"chaining\*(R" \fBsudo\fR commands to get a root shell by doing something
like \f(CW"sudo sudo /bin/sh"\fR. Note, however, that turning off \fIroot_sudo\fR
-will also prevent root and from running \fBsudoedit\fR.
+will also prevent root from running \fBsudoedit\fR.
Disabling \fIroot_sudo\fR provides no real additional security; it
exists purely for historical reasons.
This flag is \fI@root_sudo@\fR by default.
password of the invoking user. This flag is \fIoff\fR by default.
.IP "set_home" 16
.IX Item "set_home"
-If set and \fBsudo\fR is invoked with the \fB\-s\fR option the \f(CW\*(C`HOME\*(C'\fR
+If enabled and \fBsudo\fR is invoked with the \fB\-s\fR option the \f(CW\*(C`HOME\*(C'\fR
environment variable will be set to the home directory of the target
user (which is root unless the \fB\-u\fR option is used). This effectively
-makes the \fB\-s\fR option imply \fB\-H\fR. This flag is \fIoff\fR by default.
+makes the \fB\-s\fR option imply \fB\-H\fR. Note that \f(CW\*(C`HOME\*(C'\fR is already
+set when the the \fIenv_reset\fR option is enabled, so \fIset_home\fR is
+only effective for configurations where either \fIenv_reset\fR is disabled
+or \f(CW\*(C`HOME\*(C'\fR is present in the \fIenv_keep\fR list.
+This flag is \fIoff\fR by default.
.IP "set_logname" 16
.IX Item "set_logname"
Normally, \fBsudo\fR will set the \f(CW\*(C`LOGNAME\*(C'\fR, \f(CW\*(C`USER\*(C'\fR and \f(CW\*(C`USERNAME\*(C'\fR
change this behavior. This can be done by negating the set_logname
option. Note that if the \fIenv_reset\fR option has not been disabled,
entries in the \fIenv_keep\fR list will override the value of
-\&\fIset_logname\fR. This flag is \fIoff\fR by default.
+\&\fIset_logname\fR. This flag is \fIon\fR by default.
.IP "setenv" 16
.IX Item "setenv"
Allow the user to disable the \fIenv_reset\fR option from the command
shell is determined by the \f(CW\*(C`SHELL\*(C'\fR environment variable if it is
set, falling back on the shell listed in the invoking user's
/etc/passwd entry if not). This flag is \fIoff\fR by default.
-.IP "fast_glob" 16
-.IX Item "fast_glob"
-Normally, \fBsudo\fR uses the \fIglob\fR\|(3) function to do shell-style
-globbing when matching pathnames. However, since it accesses the
-file system, \fIglob\fR\|(3) can take a long time to complete for some
-patterns, especially when the pattern references a network file
-system that is mounted on demand (automounted). The \fIfast_glob\fR
-option causes \fBsudo\fR to use the \fIfnmatch\fR\|(3) function, which does
-not access the file system to do its matching. The disadvantage
-of \fIfast_glob\fR is that it is unable to match relative pathnames
-such as \fI./ls\fR or \fI../bin/ls\fR. This flag is \fIoff\fR by default.
.IP "stay_setuid" 16
.IX Item "stay_setuid"
Normally, when \fBsudo\fR executes a command the real and effective
function. This flag is \fIoff\fR by default.
.IP "targetpw" 16
.IX Item "targetpw"
-If set, \fBsudo\fR will prompt for the password of the user specified by
-the \fB\-u\fR option (defaults to \f(CW\*(C`root\*(C'\fR) instead of the password of the
-invoking user. Note that this precludes the use of a uid not listed
-in the passwd database as an argument to the \fB\-u\fR option.
-This flag is \fIoff\fR by default.
+If set, \fBsudo\fR will prompt for the password of the user specified
+by the \fB\-u\fR option (defaults to \f(CW\*(C`root\*(C'\fR) instead of the password
+of the invoking user. In addition, the timestamp file name will
+include the target user's name. Note that this flag precludes the
+use of a uid not listed in the passwd database as an argument to
+the \fB\-u\fR option. This flag is \fIoff\fR by default.
.IP "tty_tickets" 16
.IX Item "tty_tickets"
-If set, users must authenticate on a per-tty basis. Normally,
-\&\fBsudo\fR uses a directory in the ticket dir with the same name as
-the user running it. With this flag enabled, \fBsudo\fR will use a
-file named for the tty the user is logged in on in that directory.
-This flag is \fI@tty_tickets@\fR by default.
+If set, users must authenticate on a per-tty basis. With this flag
+enabled, \fBsudo\fR will use a file named for the tty the user is
+logged in on in the user's time stamp directory. If disabled, the
+time stamp of the directory is used instead. This flag is
+\&\fI@tty_tickets@\fR by default.
.IP "umask_override" 16
.IX Item "umask_override"
If set, \fBsudo\fR will set the umask as specified by \fIsudoers\fR without
umask in \fIsudoers\fR than the user's own umask and matches historical
behavior. If \fIumask_override\fR is not set, \fBsudo\fR will set the
umask to be the union of the user's umask and what is specified in
-\&\fIsudoers\fR. This flag is \fIoff\fR by default.
-@LCMAN@.IP "use_loginclass" 16
-@LCMAN@.IX Item "use_loginclass"
-@LCMAN@If set, \fBsudo\fR will apply the defaults specified for the target user's
-@LCMAN@login class if one exists. Only available if \fBsudo\fR is configured with
-@LCMAN@the \-\-with\-logincap option. This flag is \fIoff\fR by default.
+\&\fIsudoers\fR. This flag is \fI@umask_override@\fR by default.
+.if \n(LC \{\
+.IP "use_loginclass" 16
+.IX Item "use_loginclass"
+If set, \fBsudo\fR will apply the defaults specified for the target user's
+login class if one exists. Only available if \fBsudo\fR is configured with
+the \-\-with\-logincap option. This flag is \fIoff\fR by default.
+\}
+.IP "use_pty" 16
+.IX Item "use_pty"
+If set, \fBsudo\fR will run the command in a pseudo-pty even if no I/O
+logging is being gone. A malicious program run under \fBsudo\fR could
+conceivably fork a background process that retains to the user's
+terminal device after the main program has finished executing. Use
+of this option will make that impossible.
.IP "visiblepw" 16
.IX Item "visiblepw"
By default, \fBsudo\fR will refuse to run if the user must enter a
\&\f(CW\*(C`@loglen@\*(C'\fR (use 0 or negate the option to disable word wrap).
.IP "passwd_timeout" 16
.IX Item "passwd_timeout"
-Number of minutes before the \fBsudo\fR password prompt times out.
-The default is \f(CW\*(C`@password_timeout@\*(C'\fR; set this to \f(CW0\fR for no password timeout.
+Number of minutes before the \fBsudo\fR password prompt times out, or
+\&\f(CW0\fR for no timeout. The timeout may include a fractional component
+if minute granularity is insufficient, for example \f(CW2.5\fR. The
+default is \f(CW\*(C`@password_timeout@\*(C'\fR.
.IP "timestamp_timeout" 16
.IX Item "timestamp_timeout"
Number of minutes that can elapse before \fBsudo\fR will ask for a
-passwd again. The default is \f(CW\*(C`@timeout@\*(C'\fR. Set this to \f(CW0\fR to always
-prompt for a password.
+passwd again. The timeout may include a fractional component if
+minute granularity is insufficient, for example \f(CW2.5\fR. The default
+is \f(CW\*(C`@timeout@\*(C'\fR. Set this to \f(CW0\fR to always prompt for a password.
If set to a value less than \f(CW0\fR the user's timestamp will never
expire. This can be used to allow users to create or delete their
own timestamps via \f(CW\*(C`sudo \-v\*(C'\fR and \f(CW\*(C`sudo \-k\*(C'\fR respectively.
.IX Item "umask"
Umask to use when running the command. Negate this option or set
it to 0777 to preserve the user's umask. The actual umask that is
-used will be the union of the user's umask and \f(CW\*(C`@sudo_umask@\*(C'\fR.
-This guarantees that \fBsudo\fR never lowers the umask when running a
-command. Note on systems that use \s-1PAM\s0, the default \s-1PAM\s0 configuration
-may specify its own umask which will override the value set in
-\&\fIsudoers\fR.
+used will be the union of the user's umask and the value of the
+\&\fIumask\fR option, which defaults to \f(CW\*(C`@sudo_umask@\*(C'\fR. This guarantees
+that \fBsudo\fR never lowers the umask when running a command. Note
+on systems that use \s-1PAM\s0, the default \s-1PAM\s0 configuration may specify
+its own umask which will override the value set in \fIsudoers\fR.
.PP
\&\fBStrings\fR:
.IP "badpass_message" 16
A colon (':') separated list of editors allowed to be used with
\&\fBvisudo\fR. \fBvisudo\fR will choose the editor that matches the user's
\&\s-1EDITOR\s0 environment variable if possible, or the first editor in the
-list that exists and is executable. The default is the path to vi
-on your system.
+list that exists and is executable. The default is \f(CW"@editor@"\fR.
+.IP "iolog_dir" 16
+.IX Item "iolog_dir"
+The directory in which to store input/output logs when the \fIlog_input\fR
+or \fIlog_output\fR options are enabled or when the \f(CW\*(C`LOG_INPUT\*(C'\fR or
+\&\f(CW\*(C`LOG_OUTPUT\*(C'\fR tags are present for a command.
+The default is \f(CW"@iolog_dir@"\fR.
.IP "mailsub" 16
.IX Item "mailsub"
Subject of the mail sent to the \fImailto\fR user. The escape \f(CW%h\fR
-will expand to the hostname of the machine.
+will expand to the host name of the machine.
Default is \f(CW\*(C`@mailsub@\*(C'\fR.
.IP "noexec_file" 16
.IX Item "noexec_file"
.ie n .IP "%H" 4
.el .IP "\f(CW%H\fR" 4
.IX Item "%H"
-expanded to the local hostname including the domain name
-(on if the machine's hostname is fully qualified or the \fIfqdn\fR
+expanded to the local host name including the domain name
+(on if the machine's host name is fully qualified or the \fIfqdn\fR
option is set)
.ie n .IP "%h" 4
.el .IP "\f(CW%h\fR" 4
.IX Item "%h"
-expanded to the local hostname without the domain name
+expanded to the local host name without the domain name
.ie n .IP "%p" 4
.el .IP "\f(CW%p\fR" 4
.IX Item "%p"
.Sp
The default value is \f(CW\*(C`@passprompt@\*(C'\fR.
.RE
-@SEMAN@.IP "role" 16
-@SEMAN@.IX Item "role"
-@SEMAN@The default SELinux role to use when constructing a new security
-@SEMAN@context to run the command. The default role may be overridden on
-@SEMAN@a per-command basis in \fIsudoers\fR or via command line options.
-@SEMAN@This option is only available whe \fBsudo\fR is built with SELinux support.
+.if \n(SL \{\
+.IP "role" 16
+.IX Item "role"
+The default SELinux role to use when constructing a new security
+context to run the command. The default role may be overridden on
+a per-command basis in \fIsudoers\fR or via command line options.
+This option is only available whe \fBsudo\fR is built with SELinux support.
+\}
.IP "runas_default" 16
.IX Item "runas_default"
The default user to run commands as if the \fB\-u\fR option is not specified
Defaults to \f(CW\*(C`@goodpri@\*(C'\fR.
.IP "sudoers_locale" 16
.IX Item "sudoers_locale"
-Locale to use when parsing the sudoers file. Note that changing
-the locale may affect how sudoers is interpreted.
-Defaults to \f(CW"C"\fR.
+Locale to use when parsing the sudoers file, logging commands, and
+sending email. Note that changing the locale may affect how sudoers
+is interpreted. Defaults to \f(CW"C"\fR.
.IP "timestampdir" 16
.IX Item "timestampdir"
The directory in which \fBsudo\fR stores its timestamp files.
.IX Item "timestampowner"
The owner of the timestamp directory and the timestamps stored therein.
The default is \f(CW\*(C`root\*(C'\fR.
-@SEMAN@.IP "type" 16
-@SEMAN@.IX Item "type"
-@SEMAN@The default SELinux type to use when constructing a new security
-@SEMAN@context to run the command. The default type may be overridden on
-@SEMAN@a per-command basis in \fIsudoers\fR or via command line options.
-@SEMAN@This option is only available whe \fBsudo\fR is built with SELinux support.
+.if \n(SL \{\
+.IP "type" 16
+.IX Item "type"
+The default SELinux type to use when constructing a new security
+context to run the command. The default type may be overridden on
+a per-command basis in \fIsudoers\fR or via command line options.
+This option is only available whe \fBsudo\fR is built with SELinux support.
+\}
.PP
\&\fBStrings that can be used in a boolean context\fR:
.IP "askpass" 12
.IP "\fI/etc/netgroup\fR" 24
.IX Item "/etc/netgroup"
List of network groups
+.ie n .IP "\fI@iolog_dir@\fR" 24
+.el .IP "\fI@iolog_dir@\fR" 24
+.IX Item "@iolog_dir@"
+I/O log files
.SH "EXAMPLES"
.IX Header "EXAMPLES"
Below are example \fIsudoers\fR entries. Admittedly, some of
-these are a bit contrived. First, we define our \fIaliases\fR:
+these are a bit contrived. First, we allow a few environment
+variables to pass and then define our \fIaliases\fR:
.PP
.Vb 4
+\& # Run X applications through sudo; HOME is used to find the
+\& # .Xauthority file. Note that other programs use HOME to find
+\& # configuration files and this may lead to privilege escalation!
+\& Defaults env_keep += "DISPLAY HOME"
+\&
\& # User alias specification
\& User_Alias FULLTIMERS = millert, mikef, dowdy
\& User_Alias PARTTIMERS = bostley, jwfox, crawl
.PP
The user \fBpete\fR is allowed to change anyone's password except for
root on the \fI\s-1HPPA\s0\fR machines. Note that this assumes \fIpasswd\fR\|(1)
-does not take multiple usernames on the command line.
+does not take multiple user names on the command line.
.PP
.Vb 1
\& bob SPARC = (OP) ALL : SGI = (OP) ALL
different name, or use a shell escape from an editor or other
program. Therefore, these kind of restrictions should be considered
advisory at best (and reinforced by policy).
+.PP
+Furthermore, if the \fIfast_glob\fR option is in use, it is not possible
+to reliably negate commands where the path name includes globbing
+(aka wildcard) characters. This is because the C library's
+\&\fIfnmatch\fR\|(3) function cannot resolve relative paths. While this
+is typically only an inconvenience for rules that grant privileges,
+it can result in a security issue for rules that subtract or revoke
+privileges.
+.PP
+For example, given the following \fIsudoers\fR entry:
+.PP
+.Vb 2
+\& john ALL = /usr/bin/passwd [a\-zA\-Z0\-9]*, /usr/bin/chsh [a\-zA\-Z0\-9]*,
+\& /usr/bin/chfn [a\-zA\-Z0\-9]*, !/usr/bin/* root
+.Ve
+.PP
+User \fBjohn\fR can still run \f(CW\*(C`/usr/bin/passwd root\*(C'\fR if \fIfast_glob\fR is
+enabled by changing to \fI/usr/bin\fR and running \f(CW\*(C`./passwd root\*(C'\fR instead.
.SH "PREVENTING SHELL ESCAPES"
.IX Header "PREVENTING SHELL ESCAPES"
Once \fBsudo\fR executes a program, that program is free to do whatever
escapes are disabled, though \fBsudoedit\fR is a better solution to
running editors via \fBsudo\fR. Due to the large number of programs that
offer shell escapes, restricting users to the set of programs that
-do not if often unworkable.
+do not is often unworkable.
.IP "noexec" 10
.IX Item "noexec"
Many systems that support shared libraries have the ability to
will not run with a syntactically incorrect \fIsudoers\fR file.
.PP
When using netgroups of machines (as opposed to users), if you
-store fully qualified hostnames in the netgroup (as is usually the
-case), you either need to have the machine's hostname be fully qualified
+store fully qualified host name in the netgroup (as is usually the
+case), you either need to have the machine's host name be fully qualified
as returned by the \f(CW\*(C`hostname\*(C'\fR command or use the \fIfqdn\fR option in
\&\fIsudoers\fR.
.SH "BUGS"
projects / debian / sudo / blobdiff