SUDOERS(4)                   Programmer's Manual                   SUDOERS(4)

NAME
     sudoers - default sudo security policy module
DESCRIPTION
     The sudoers policy module determines a user's sudo privileges.  It is the
     default sudo policy plugin.  The policy is driven by the /etc/sudoers
     file or, optionally, in LDAP.  The policy format is described in detail
     in the SUDOERS FILE FORMAT section.  For information on storing sudoers
     policy information in LDAP, please see sudoers.ldap(4).
   Authentication and logging
     The sudoers security policy requires that most users authenticate
     themselves before they can use sudo.  A password is not required if the
     invoking user is root, if the target user is the same as the invoking
     user, or if the policy has disabled authentication for the user or
     command.  Unlike su(1), when sudoers requires authentication, it
     validates the invoking user's credentials, not the target user's (or
     root's) credentials.  This can be changed via the rootpw, targetpw and
     runaspw flags, described later.

     If a user who is not listed in the policy tries to run a command via
     sudo, mail is sent to the proper authorities.  The address used for such
     mail is configurable via the mailto Defaults entry (described later) and

     Note that mail will not be sent if an unauthorized user tries to run sudo
     with the -l or -v option.  This allows users to determine for themselves
     whether or not they are allowed to use sudo.

     If sudo is run by root and the SUDO_USER environment variable is set, the
     sudoers policy will use this value to determine who the actual user is.
     This can be used by a user to log commands through sudo even when a root
     shell has been invoked.  It also allows the -e option to remain useful
     even when invoked via a sudo-run script or program.  Note, however, that
     the sudoers lookup is still done for root, not the user specified by

     sudoers uses time stamp files for credential caching.  Once a user has
     been authenticated, the time stamp is updated and the user may then use
     sudo without a password for a short period of time (5 minutes unless
     overridden by the timeout option).  By default, sudoers uses a tty-based
     time stamp which means that there is a separate time stamp for each of a
     user's login sessions.  The tty_tickets option can be disabled to force
     the use of a single time stamp for all of a user's sessions.

     sudoers can log both successful and unsuccessful attempts (as well as
     errors) to syslog(3), a log file, or both.  By default, sudoers will log
     via syslog(3) but this is changeable via the syslog and logfile Defaults

     sudoers also supports logging a command's input and output streams.  I/O
     logging is not on by default but can be enabled using the log_input and
     log_output Defaults flags as well as the LOG_INPUT and LOG_OUTPUT command
   Command environment
     Since environment variables can influence program behavior, sudoers
     provides a means to restrict which variables from the user's environment
     are inherited by the command to be run.  There are two distinct ways
     sudoers can deal with environment variables.

     By default, the env_reset option is enabled.  This causes commands to be
     executed with a new, minimal environment.  On AIX (and Linux systems
     without PAM), the environment is initialized with the contents of the
     /etc/environment file.  On BSD systems, if the use_loginclass option is
     enabled, the environment is initialized based on the path and setenv
     settings in /etc/login.conf.  The new environment contains the TERM,
     PATH, HOME, MAIL, SHELL, LOGNAME, USER, USERNAME and SUDO_* variables in
     addition to variables from the invoking process permitted by the
     env_check and env_keep options.  This is effectively a whitelist for
     environment variables.

     If, however, the env_reset option is disabled, any variables not
     explicitly denied by the env_check and env_delete options are inherited
     from the invoking process.  In this case, env_check and env_delete behave
     like a blacklist.  Since it is not possible to blacklist all potentially
     dangerous environment variables, use of the default env_reset behavior is

     In all cases, environment variables with a value beginning with () are
     removed as they could be interpreted as bash functions.  The list of
     environment variables that sudo allows or denies is contained in the
     output of ``sudo -V'' when run as root.

     Note that the dynamic linker on most operating systems will remove
     variables that can control dynamic linking from the environment of setuid
     executables, including sudo.  Depending on the operating system this may
     include _RLD*, DYLD_*, LD_*, LDR_*, LIBPATH, SHLIB_PATH, and others.
     These types of variables are removed from the environment before sudo
     even begins execution and, as such, it is not possible for sudo to
     preserve

     As a special case, if sudo's -i option (initial login) is specified,
     sudoers will initialize the environment regardless of the value of
     env_reset.  The DISPLAY, PATH and TERM variables remain unchanged; HOME,
     MAIL, SHELL, USER, and LOGNAME are set based on the target user.  On AIX
     (and Linux systems without PAM), the contents of /etc/environment are
     also included.  On BSD systems, if the use_loginclass option is enabled,
     the path and setenv variables in /etc/login.conf are also applied.  All
     other environment variables are removed.

     Finally, if the env_file option is defined, any variables present in that
     file will be set to their specified values as long as they would not
     conflict with an existing environment variable.
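     The two environment modes described above, as an added example that is
     not code from the sudoers manual or the sudo project: a Python model of
     the whitelist behaviour with env_reset enabled and the blacklist
     behaviour with it disabled.  The option names env_reset, env_keep,
     env_check and env_delete are sudoers' own; the three lists below are
     constructed sample values rather than sudo's compiled-in defaults (those
     are printed by ``sudo -V''), the value test applied to env_check entries
     (drop the variable when its value contains `%' or `/') is the one
     documented for that option in the SUDOERS OPTIONS section, and the
     function names, the sample environments and the choice to apply the
     target-user variables last in both modes are this example's own.

```python
import fnmatch

# Constructed sample lists; the real defaults come from ``sudo -V''.
ENV_KEEP = ["LANG", "DISPLAY", "XAUTHORITY"]
ENV_CHECK = ["COLORTERM", "LC_*", "LINGUAS"]
ENV_DELETE = ["LD_*", "IFS", "PERL5LIB", "PYTHONPATH"]


def _matches_any(name, patterns):
    """Entries in the lists may be globs (LD_*), so match with fnmatch."""
    return any(fnmatch.fnmatchcase(name, pat) for pat in patterns)


def _check_ok(value):
    """env_check keeps a variable only if its value has no '%' or '/'."""
    return "%" not in value and "/" not in value


def filter_environment(user_env, target_env, env_reset=True):
    """Return the environment handed to the command.

    user_env   -- the invoking process's environment
    target_env -- the variables sudo sets itself for the target user
                  (TERM, PATH, HOME, MAIL, SHELL, LOGNAME, USER, USERNAME,
                  SUDO_*); constructed by the caller and applied last here
    """
    result = {}
    for name, value in user_env.items():
        if value.startswith("()"):
            # exported bash function: removed in both modes
            continue
        if env_reset:
            # whitelist: only env_keep and value-checked env_check survive
            if _matches_any(name, ENV_KEEP):
                result[name] = value
            elif _matches_any(name, ENV_CHECK) and _check_ok(value):
                result[name] = value
        else:
            # blacklist: everything survives unless explicitly denied
            if _matches_any(name, ENV_DELETE):
                continue
            if _matches_any(name, ENV_CHECK) and not _check_ok(value):
                continue
            result[name] = value
    result.update(target_env)
    return result


# Constructed sample input: an invoking user whose environment carries an
# LD_PRELOAD, a path-bearing locale value and an exported bash function.
SAMPLE_USER_ENV = {
    "PATH": "/home/alice/bin:/usr/bin",
    "LANG": "C.UTF-8",
    "EDITOR": "vim",
    "LD_PRELOAD": "/home/alice/hook.so",
    "LC_ALL": "en_US/../../etc",
    "BASH_FUNC_ls%%": "() { echo hooked; }",
}
SAMPLE_TARGET_ENV = {
    "PATH": "/usr/sbin:/usr/bin:/sbin:/bin",
    "HOME": "/root",
    "USER": "root",
    "SUDO_USER": "alice",
}

if __name__ == "__main__":
    for mode in (True, False):
        env = filter_environment(SAMPLE_USER_ENV, SAMPLE_TARGET_ENV, env_reset=mode)
        print("env_reset" if mode else "!env_reset", sorted(env))
```

     With env_reset on, only LANG survives from the user's side; with it off,
     EDITOR is inherited as well, and LD_PRELOAD only disappears because LD_*
     happens to be on the sample env_delete list, which is the reason the text
     prefers the whitelist mode.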
SUDOERS FILE FORMAT
     The sudoers file is composed of two types of entries: aliases (basically
     variables) and user specifications (which specify who may run what).

     When multiple entries match for a user, they are applied in order.  Where
     there are multiple matches, the last match is used (which is not
     necessarily the most specific match).

     The sudoers grammar will be described below in Extended Backus-Naur Form
     (EBNF).  Don't despair if you are unfamiliar with EBNF; it is fairly
     simple, and the definitions below are annotated.
   Quick guide to EBNF
     EBNF is a concise and exact way of describing the grammar of a language.
     Each EBNF definition is made up of production rules.  E.g.,

          symbol ::= definition | alternate1 | alternate2 ...

     Each production rule references others and thus makes up a grammar for
     the language.  EBNF also contains the following operators, which many
     readers will recognize from regular expressions.  Do not, however,
     confuse them with ``wildcard'' characters, which have different meanings.

     ?    Means that the preceding symbol (or group of symbols) is optional.
          That is, it may appear once or not at all.

     *    Means that the preceding symbol (or group of symbols) may appear

     +    Means that the preceding symbol (or group of symbols) may appear

     Parentheses may be used to group symbols together.  For clarity, we will
     use single quotes ('') to designate what is a verbatim character string
     (as opposed to a symbol name).
   Aliases
     There are four kinds of aliases: User_Alias, Runas_Alias, Host_Alias and

          Alias ::= 'User_Alias'  User_Alias (':' User_Alias)* |
                    'Runas_Alias' Runas_Alias (':' Runas_Alias)* |
                    'Host_Alias'  Host_Alias (':' Host_Alias)* |
                    'Cmnd_Alias'  Cmnd_Alias (':' Cmnd_Alias)*

          User_Alias ::= NAME '=' User_List

          Runas_Alias ::= NAME '=' Runas_List

          Host_Alias ::= NAME '=' Host_List

          Cmnd_Alias ::= NAME '=' Cmnd_List

          NAME ::= [A-Z]([A-Z][0-9]_)*

     Each alias definition is of the form

          Alias_Type NAME = item1, item2, ...

     where Alias_Type is one of User_Alias, Runas_Alias, Host_Alias, or
     Cmnd_Alias.  A NAME is a string of uppercase letters, numbers, and
     underscore characters (`_').  A NAME must start with an uppercase letter.
     It is possible to put several alias definitions of the same type on a
     single line, joined by a colon (`:').  E.g.,

          Alias_Type NAME = item1, item2, item3 : NAME = item4, item5

     The definitions of what constitutes a valid alias member follow.
          User ::= '!'* user name |
                   '!'* %:nonunix_group |
                   '!'* %:#nonunix_gid |

     A User_List is made up of one or more user names, user ids (prefixed with
     `#'), system group names and ids (prefixed with `%' and `%#'
     respectively), netgroups (prefixed with `+'), non-Unix group names and
     IDs (prefixed with `%:' and `%:#' respectively) and User_Aliases.  Each
     list item may be prefixed with zero or more `!' operators.  An odd number
     of `!' operators negate the value of the item; an even number just cancel

     A user name, uid, group, gid, netgroup, nonunix_group or nonunix_gid may
     be enclosed in double quotes to avoid the need for escaping special
     characters.  Alternately, special characters may be specified in escaped
     hex mode, e.g. \x20 for space.  When using double quotes, any prefix
     characters must be included inside the quotes.
     The actual nonunix_group and nonunix_gid syntax depends on the underlying
     group provider plugin (see the group_plugin description below).  For
     instance, the QAS AD plugin supports the following formats:

     o   Group in the same domain: "%:Group Name"

     o   Group in any domain: "%:Group Name@FULLY.QUALIFIED.DOMAIN"

     o   Group SID: "%:S-1-2-34-5678901234-5678901234-5678901234-567"

     Note that quotes around group names are optional.  Unquoted strings must
     use a backslash (`\') to escape spaces and special characters.  See Other
     special characters and reserved words for a list of characters that need
          Runas_List ::= Runas_Member |
                         Runas_Member ',' Runas_List

          Runas_Member ::= '!'* user name |
                           '!'* %:nonunix_group |
                           '!'* %:#nonunix_gid |

     A Runas_List is similar to a User_List except that instead of
     User_Aliases it can contain Runas_Aliases.  Note that user names and
     groups are matched as strings.  In other words, two users (groups) with
     the same uid (gid) are considered to be distinct.  If you wish to match
     all user names with the same uid (e.g. root and toor), you can use a uid
     instead (#0 in the example given).
          Host ::= '!'* host name |
                   '!'* network(/netmask)? |

     A Host_List is made up of one or more host names, IP addresses, network
     numbers, netgroups (prefixed with `+') and other aliases.  Again, the
     value of an item may be negated with the `!' operator.  If you do not
     specify a netmask along with the network number, sudo will query each of
     the local host's network interfaces and, if the network number
     corresponds to one of the host's network interfaces, the corresponding
     netmask will be used.  The netmask may be specified either in standard IP
     address notation (e.g. 255.255.255.0 or ffff:ffff:ffff:ffff::), or CIDR
     notation (number of bits, e.g. 24 or 64).  A host name may include shell-
     style wildcards (see the Wildcards section below), but unless the host
     name command on your machine returns the fully qualified host name,
     you'll need to use the fqdn option for wildcards to be useful.  Note that
     sudo only inspects actual network interfaces; this means that IP address
     127.0.0.1 (localhost) will never match.  Also, the host name
     ``localhost'' will only match if that is the actual host name, which is
     usually only the case for non-networked systems.
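     Host matching as described above, as an added example that is not part
     of the sudoers manual or the sudo project: a Python model that borrows
     the netmask from a local interface when the Host item gives none,
     accepts both IP-notation and CIDR netmasks, matches host names with
     fnmatch(3)-style wildcards with and without the fqdn option, and honours
     leading `!' operators.  Real sudo reads the interface list from the
     operating system; the interface table below is a constructed sample, and
     the function names are this example's own.

```python
import fnmatch
import ipaddress

# Constructed sample of the local host's interfaces: (address, netmask).
INTERFACES = [
    ("192.168.10.7", "255.255.255.0"),
    ("10.0.0.42", "255.255.0.0"),
    ("2001:db8:1::7", "ffff:ffff:ffff:ffff::"),
]


def _prefixlen(mask):
    """Convert a netmask in IP notation (255.255.255.0, ffff:ffff:ffff:ffff::)
    or CIDR notation (24, 64) into a prefix length."""
    if mask.isdigit():
        return int(mask)
    m = ipaddress.ip_address(mask)
    ones = bin(int(m)).count("1")
    if int(m) != (1 << m.max_prefixlen) - (1 << (m.max_prefixlen - ones)):
        raise ValueError("non-contiguous netmask: %s" % mask)
    return ones


def _network(addr, mask):
    return ipaddress.ip_network("%s/%d" % (addr, _prefixlen(mask)), strict=False)


def _network_matches(item, interfaces):
    """item is 'network' or 'network/netmask'."""
    addr, _, mask = item.partition("/")
    version = ipaddress.ip_address(addr).version
    for if_addr, if_mask in interfaces:
        if_ip = ipaddress.ip_address(if_addr)
        if if_ip.version != version:
            continue
        if mask:
            if if_ip in _network(addr, mask):
                return True
        elif _network(addr, if_mask) == _network(if_addr, if_mask):
            # no netmask given: use the mask of an interface whose network
            # number corresponds to this one
            return True
    return False


def _host_matches(item, hostname, fqdn):
    # without the fqdn option only the short host name is compared, so a
    # pattern like '*.example.com' cannot match
    name = hostname if fqdn else hostname.split(".")[0]
    return fnmatch.fnmatchcase(name, item)


def host_item_matches(item, hostname, interfaces=INTERFACES, fqdn=False):
    """True if one Host item (with optional leading '!' operators) matches
    the local host; an odd number of '!' negates the result."""
    negate = False
    while item.startswith("!"):
        negate = not negate
        item = item[1:]
    try:
        ipaddress.ip_address(item.partition("/")[0])
        is_network = True
    except ValueError:
        is_network = False
    if is_network:
        matched = _network_matches(item, interfaces)
    else:
        matched = _host_matches(item, hostname, fqdn)
    return matched != negate


if __name__ == "__main__":
    for item in ("192.168.10.0", "192.168.10.0/24", "10.5.0.0", "127.0.0.1",
                 "*.example.com", "!dbhost"):
        print(item, host_item_matches(item, "dbhost.example.com"))
```

     The 127.0.0.1 case comes out false because the loopback address is not
     among the interfaces consulted, matching the behaviour the text
     describes; enable fqdn before relying on domain-wide wildcards.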
          command name ::= file name |

          Cmnd ::= '!'* command name |

     A Cmnd_List is a list of one or more command names, directories, and
     other aliases.  A command name is a fully qualified file name which may
     include shell-style wildcards (see the Wildcards section below).  A
     simple file name allows the user to run the command with any arguments
     he/she wishes.  However, you may also specify command line arguments
     (including wildcards).  Alternately, you can specify "" to indicate that
     the command may only be run without command line arguments.  A directory
     is a fully qualified path name ending in a `/'.  When you specify a
     directory in a Cmnd_List, the user will be able to run any file within
     that directory (but not in any sub-directories therein).

     If a Cmnd has associated command line arguments, then the arguments in
     the Cmnd must match exactly those given by the user on the command line
     (or match the wildcards if there are any).  Note that the following
     characters must be escaped with a `\' if they are used in command
     arguments: `,', `:', `=', `\'.  The special command ``sudoedit'' is used
     to permit a user to run sudo with the -e option (or as sudoedit).  It may
     take command line arguments just as a normal command does.
   Defaults
     Certain configuration options may be changed from their default values at
     run-time via one or more Default_Entry lines.  These may affect all users
     on any host, all users on a specific host, a specific user, a specific
     command, or commands being run as a specific user.  Note that per-command
     entries may not include command line arguments.  If you need to specify
     arguments, define a Cmnd_Alias and reference that instead.

          Default_Type ::= 'Defaults' |
                           'Defaults' '@' Host_List |
                           'Defaults' ':' User_List |
                           'Defaults' '!' Cmnd_List |
                           'Defaults' '>' Runas_List

          Default_Entry ::= Default_Type Parameter_List

          Parameter_List ::= Parameter |
                             Parameter ',' Parameter_List

          Parameter ::= Parameter '=' Value |
                        Parameter '+=' Value |
                        Parameter '-=' Value |

     Parameters may be flags, integer values, strings, or lists.  Flags are
     implicitly boolean and can be turned off via the `!' operator.  Some
     integer, string and list parameters may also be used in a boolean context
     to disable them.  Values may be enclosed in double quotes ("") when they
     contain multiple words.  Special characters may be escaped with a

     Lists have two additional assignment operators, += and -=.  These
     operators are used to add to and delete from a list respectively.  It is
     not an error to use the -= operator to remove an element that does not

     Defaults entries are parsed in the following order: generic, host and
     user Defaults first, then runas Defaults and finally command defaults.

     See SUDOERS OPTIONS for a list of supported Defaults parameters.
   User specification
          User_Spec ::= User_List Host_List '=' Cmnd_Spec_List \
                        (':' Host_List '=' Cmnd_Spec_List)*

          Cmnd_Spec_List ::= Cmnd_Spec |
                             Cmnd_Spec ',' Cmnd_Spec_List

          Cmnd_Spec ::= Runas_Spec? SELinux_Spec? Solaris_Priv_Spec? Tag_Spec* Cmnd

          Runas_Spec ::= '(' Runas_List? (':' Runas_List)? ')'

          SELinux_Spec ::= ('ROLE=role' | 'TYPE=type')

          Solaris_Priv_Spec ::= ('PRIVS=privset' | 'LIMITPRIVS=privset')

          Tag_Spec ::= ('NOPASSWD:' | 'PASSWD:' | 'NOEXEC:' | 'EXEC:' |
                        'SETENV:' | 'NOSETENV:' | 'LOG_INPUT:' | 'NOLOG_INPUT:' |
                        'LOG_OUTPUT:' | 'NOLOG_OUTPUT:')

     A user specification determines which commands a user may run (and as
     what user) on specified hosts.  By default, commands are run as root, but
     this can be changed on a per-command basis.

     The basic structure of a user specification is ``who where = (as_whom)
     what''.  Let's break that down into its constituent parts:
   Runas_Spec
     A Runas_Spec determines the user and/or the group that a command may be
     run as.  A fully-specified Runas_Spec consists of two Runas_Lists (as
     defined above) separated by a colon (`:') and enclosed in a set of
     parentheses.  The first Runas_List indicates which users the command may
     be run as via sudo's -u option.  The second defines a list of groups that
     can be specified via sudo's -g option.  If both Runas_Lists are
     specified, the command may be run with any combination of users and
     groups listed in their respective Runas_Lists.  If only the first is
     specified, the command may be run as any user in the list but no -g
     option may be specified.  If the first Runas_List is empty but the second
     is specified, the command may be run as the invoking user with the group
     set to any listed in the Runas_List.  If both Runas_Lists are empty, the
     command may only be run as the invoking user.  If no Runas_Spec is
     specified the command may be run as root and no group may be specified.

     A Runas_Spec sets the default for the commands that follow it.  What this
     means is that for the entry:

          dgb boulder = (operator) /bin/ls, /bin/kill, /usr/bin/lprm

     The user dgb may run /bin/ls, /bin/kill, and /usr/bin/lprm--but only as
     operator.  E.g.,

          $ sudo -u operator /bin/ls

     It is also possible to override a Runas_Spec later on in an entry.  If we
     modify the entry like so:

          dgb boulder = (operator) /bin/ls, (root) /bin/kill, /usr/bin/lprm

     Then user dgb is now allowed to run /bin/ls as operator, but /bin/kill
     and /usr/bin/lprm as root.

     We can extend this to allow dgb to run /bin/ls with either the user or
     group set to operator:

          dgb boulder = (operator : operator) /bin/ls, (root) /bin/kill,\

     Note that while the group portion of the Runas_Spec permits the user to
     run a command with that group, it does not force the user to do so.  If
     no group is specified on the command line, the command will run with the
     group listed in the target user's password database entry.  The following
     would all be permitted by the sudoers entry above:

          $ sudo -u operator /bin/ls
          $ sudo -u operator -g operator /bin/ls
          $ sudo -g operator /bin/ls

     In the following example, user tcm may run commands that access a modem
     device file with the dialer group.

          tcm boulder = (:dialer) /usr/bin/tip, /usr/bin/cu,\
              /usr/local/bin/minicom

     Note that in this example only the group will be set, the command still
     runs as user tcm.  E.g.

          $ sudo -g dialer /usr/bin/cu

     Multiple users and groups may be present in a Runas_Spec, in which case
     the user may select any combination of users and groups via the -u and -g
     options.  In this example:

          alan ALL = (root, bin : operator, system) ALL

     user alan may run any command as either user root or bin, optionally
     setting the group to operator or system.
   SELinux_Spec
     On systems with SELinux support, sudoers entries may optionally have an
     SELinux role and/or type associated with a command.  If a role or type is
     specified with the command it will override any default values specified
     in sudoers.  A role or type specified on the command line, however, will
     supersede the values in sudoers.

   Solaris_Priv_Spec
     On Solaris systems, sudoers entries may optionally specify Solaris
     privilege set and/or limit privilege set associated with a command.  If
     privileges or limit privileges are specified with the command it will
     override any default values specified in sudoers.

     A privilege set is a comma-separated list of privilege names.  The
     ppriv(1) command can be used to list all privileges known to the system.

     In addition, there are several ``special'' privilege strings:

     all       the set of all privileges

     zone      the set of all privileges available in the current zone

     basic     the default set of privileges normal users are granted at login

     Privileges can be excluded from a set by prefixing the privilege name
     with either an `!' or `-' character.
   Tag_Spec
     A command may have zero or more tags associated with it.  There are ten
     possible tag values: NOPASSWD, PASSWD, NOEXEC, EXEC, SETENV, NOSETENV,
     LOG_INPUT, NOLOG_INPUT, LOG_OUTPUT and NOLOG_OUTPUT.  Once a tag is set
     on a Cmnd, subsequent Cmnds in the Cmnd_Spec_List inherit the tag unless
     it is overridden by the opposite tag (in other words, PASSWD overrides
     NOPASSWD and NOEXEC overrides EXEC).

     NOPASSWD and PASSWD

     By default, sudo requires that a user authenticate him or herself before
     running a command.  This behavior can be modified via the NOPASSWD tag.
     Like a Runas_Spec, the NOPASSWD tag sets a default for the commands that
     follow it in the Cmnd_Spec_List.  Conversely, the PASSWD tag can be used
     to reverse things.  For example:

          ray rushmore = NOPASSWD: /bin/kill, /bin/ls, /usr/bin/lprm

     would allow the user ray to run /bin/kill, /bin/ls, and /usr/bin/lprm as
     root on the machine rushmore without authenticating himself.  If we only
     want ray to be able to run /bin/kill without a password the entry would

          ray rushmore = NOPASSWD: /bin/kill, PASSWD: /bin/ls, /usr/bin/lprm

     Note, however, that the PASSWD tag has no effect on users who are in the
     group specified by the exempt_group option.

     By default, if the NOPASSWD tag is applied to any of the entries for a
     user on the current host, he or she will be able to run ``sudo -l''
     without a password.  Additionally, a user may only run ``sudo -v''
     without a password if the NOPASSWD tag is present for all a user's
     entries that pertain to the current host.  This behavior may be
     overridden via the verifypw and listpw options.
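     The two inheritance rules above (a Runas_Spec sets the default for the
     commands that follow it, and a tag stays in effect until its opposite
     appears), as an added example that is not code from the sudoers manual
     or the sudo project: a Python function that walks one Cmnd_Spec_List and
     reports the Runas_Spec and tags in force for each command, using the dgb,
     tcm, alan and ray entries from the text as sample input.  The function
     names are this example's own; SELinux_Spec and Solaris_Priv_Spec are not
     handled.

```python
import re

# Each tag sets one boolean; the opposite tag flips it back.
TAG_VALUES = {
    "NOPASSWD": ("passwd", False), "PASSWD": ("passwd", True),
    "NOEXEC": ("exec", False), "EXEC": ("exec", True),
    "SETENV": ("setenv", True), "NOSETENV": ("setenv", False),
    "LOG_INPUT": ("log_input", True), "NOLOG_INPUT": ("log_input", False),
    "LOG_OUTPUT": ("log_output", True), "NOLOG_OUTPUT": ("log_output", False),
}
RUNAS_RE = re.compile(r"^\(([^)]*)\)\s*")
TAG_RE = re.compile(r"^([A-Z_]+):\s*")


def _split_top_level(text):
    """Split on commas that are outside a Runas_Spec and not escaped with
    a backslash (commas inside command arguments must be escaped)."""
    items, cur, depth, escaped = [], [], 0, False
    for ch in text:
        if escaped:
            cur.append(ch)
            escaped = False
            continue
        if ch == "\\":
            escaped = True
        elif ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
        if ch == "," and depth == 0:
            items.append("".join(cur).strip())
            cur = []
        else:
            cur.append(ch)
    tail = "".join(cur).strip()
    if tail:
        items.append(tail)
    return items


def _split_list(text):
    return [x.strip() for x in text.split(",") if x.strip()]


def parse_cmnd_spec_list(text):
    """Return one dict per Cmnd with the Runas_Spec and tags in effect.

    With no Runas_Spec the default is user root and no group; an empty
    users list means 'the invoking user'.  A key missing from 'tags' was
    never set, so the corresponding Defaults option applies.
    """
    users, groups, tags = ["root"], [], {}
    result = []
    for spec in _split_top_level(text):
        m = RUNAS_RE.match(spec)
        if m:
            # a new Runas_Spec replaces the previous one entirely
            user_part, _, group_part = m.group(1).partition(":")
            users, groups = _split_list(user_part), _split_list(group_part)
            spec = spec[m.end():]
        while (m := TAG_RE.match(spec)) and m.group(1) in TAG_VALUES:
            key, value = TAG_VALUES[m.group(1)]
            tags[key] = value
            spec = spec[m.end():]
        result.append({"cmnd": spec, "runas_users": list(users),
                       "runas_groups": list(groups), "tags": dict(tags)})
    return result


if __name__ == "__main__":
    for entry in ("(operator) /bin/ls, (root) /bin/kill, /usr/bin/lprm",
                  "NOPASSWD: /bin/kill, PASSWD: /bin/ls, /usr/bin/lprm"):
        for spec in parse_cmnd_spec_list(entry):
            print(spec)
```

     Reading an entry this way makes the trailing commands' effective
     settings explicit, which is where misconfigurations usually hide: a
     NOPASSWD early in the list silently covers everything after it until a
     PASSWD tag is written.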
     NOEXEC and EXEC

     If sudo has been compiled with noexec support and the underlying
     operating system supports it, the NOEXEC tag can be used to prevent a
     dynamically-linked executable from running further commands itself.

     In the following example, user aaron may run /usr/bin/more and
     /usr/bin/vi but shell escapes will be disabled.

          aaron shanty = NOEXEC: /usr/bin/more, /usr/bin/vi

     See the Preventing shell escapes section below for more details on how
     NOEXEC works and whether or not it will work on your system.

     SETENV and NOSETENV

     These tags override the value of the setenv option on a per-command
     basis.  Note that if SETENV has been set for a command, the user may
     disable the env_reset option from the command line via the -E option.
     Additionally, environment variables set on the command line are not
     subject to the restrictions imposed by env_check, env_delete, or
     env_keep.  As such, only trusted users should be allowed to set variables
     in this manner.  If the command matched is ALL, the SETENV tag is implied
     for that command; this default may be overridden by use of the NOSETENV

     LOG_INPUT and NOLOG_INPUT

     These tags override the value of the log_input option on a per-command
     basis.  For more information, see the description of log_input in the
     SUDOERS OPTIONS section below.

     LOG_OUTPUT and NOLOG_OUTPUT

     These tags override the value of the log_output option on a per-command
     basis.  For more information, see the description of log_output in the
     SUDOERS OPTIONS section below.
   Wildcards
     sudo allows shell-style wildcards (aka meta or glob characters) to be
     used in host names, path names and command line arguments in the sudoers
     file.  Wildcard matching is done via the POSIX glob(3) and fnmatch(3)
     routines.  Note that these are not regular expressions.

     *         Matches any set of zero or more characters.

     ?         Matches any single character.

     [...]     Matches any character in the specified range.

     [!...]    Matches any character not in the specified range.

     \x        For any character `x', evaluates to `x'.  This is used to
               escape special characters such as: `*', `?', `[', and `]'.

     POSIX character classes may also be used if your system's glob(3) and
     fnmatch(3) functions support them.  However, because the `:' character
     has special meaning in sudoers, it must be escaped.  For example:

     Would match any file name beginning with a letter.

     Note that a forward slash (`/') will not be matched by wildcards used in
     the path name.  This is to make a path like:

     match /usr/bin/who but not /usr/bin/X11/xterm.

     When matching the command line arguments, however, a slash does get
     matched by wildcards since command line arguments may contain arbitrary
     strings and not just path names.

     Wildcards in command line arguments should be used with care.  Because
     command line arguments are matched as a single, concatenated string, a
     wildcard such as `?' or `*' can match multiple words.  For example, while
     a sudoers entry like:

          %operator ALL = /bin/cat /var/log/messages*

     will allow a command like:

          $ sudo cat /var/log/messages.1

     it will also allow:

          $ sudo cat /var/log/messages /etc/shadow

     which is probably not what was intended.
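     The difference between path-name and argument matching above, as an
     added example that is not from the sudoers manual or the sudo project.
     Python's fnmatch module is the same style of matcher as fnmatch(3) but
     has no FNM_PATHNAME flag, so path names are matched one `/'-separated
     component at a time, while arguments are joined and matched as a single
     string exactly as the text describes.  This reproduces the
     /var/log/messages* over-match as well as the `""' and directory rules;
     POSIX character classes are not supported by Python's fnmatch and are
     left out.  The function names are this example's own.

```python
import fnmatch


def path_matches(pattern, path):
    """Match a fully qualified command name against a sudoers path pattern.
    A '/' is never matched by a wildcard in a path name (FNM_PATHNAME in
    fnmatch(3)); Python's fnmatch lacks that flag, so each '/'-separated
    component is matched on its own."""
    pat_parts, path_parts = pattern.split("/"), path.split("/")
    if len(pat_parts) != len(path_parts):
        return False
    return all(fnmatch.fnmatchcase(p, pat) for pat, p in zip(pat_parts, path_parts))


def args_match(pattern_args, user_args):
    """Match command line arguments.  sudoers concatenates the user's
    arguments into one string and matches that, so a '*' or '?' can span
    several words and a '/' does get matched."""
    if pattern_args is None:
        return True                  # bare command name: any arguments
    if pattern_args == '""':
        return len(user_args) == 0   # "" means no arguments at all
    return fnmatch.fnmatchcase(" ".join(user_args), pattern_args)


def cmnd_matches(cmnd_entry, argv):
    """cmnd_entry is the Cmnd as written in sudoers, e.g.
    '/bin/cat /var/log/messages*', '/usr/bin/id ""' or '/usr/local/sbin/';
    argv is the fully qualified command followed by the user's arguments."""
    entry_path, _, entry_args = cmnd_entry.partition(" ")
    if entry_path.endswith("/"):
        # directory: any file directly inside it, but not in sub-directories
        parent, _, name = argv[0].rpartition("/")
        return parent + "/" == entry_path and name != ""
    if not path_matches(entry_path, argv[0]):
        return False
    return args_match(entry_args or None, argv[1:])


if __name__ == "__main__":
    entry = "/bin/cat /var/log/messages*"
    for argv in (["/bin/cat", "/var/log/messages.1"],
                 ["/bin/cat", "/var/log/messages", "/etc/shadow"]):
        print(" ".join(argv), "->", cmnd_matches(entry, argv))
```

     The second sample argv is the over-match from the text: the joined
     argument string "/var/log/messages /etc/shadow" begins with
     "/var/log/messages", so the trailing `*' swallows the extra word.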
   Exceptions to wildcard rules
     The following exceptions apply to the above rules:

     ""        If the empty string "" is the only command line argument in the
               sudoers entry it means that command is not allowed to be run
               with any arguments.

     sudoedit  Command line arguments to the sudoedit built-in command should
               always be path names, so a forward slash (`/') will not be
               matched by a wildcard.
Including other files from within sudoers

It is possible to include other sudoers files from within the sudoers
file currently being parsed using the #include and #includedir

This can be used, for example, to keep a site-wide sudoers file in
addition to a local, per-machine file. For the sake of this example the
site-wide sudoers will be /etc/sudoers and the per-machine one will be
/etc/sudoers.local. To include /etc/sudoers.local from within
/etc/sudoers we would use the following line in /etc/sudoers:

    #include /etc/sudoers.local

When sudo reaches this line it will suspend processing of the current
file (/etc/sudoers) and switch to /etc/sudoers.local. Upon reaching the
end of /etc/sudoers.local, the rest of /etc/sudoers will be processed.
Files that are included may themselves include other files. A hard limit
of 128 nested include files is enforced to prevent include file loops.

If the path to the include file is not fully-qualified (does not begin
with a `/'), it must be located in the same directory as the sudoers file
it was included from. For example, if /etc/sudoers contains the line:

    #include sudoers.local

the file that will be included is /etc/sudoers.local.

The file name may also include the %h escape, signifying the short form
of the host name. In other words, if the machine's host name is

    #include /etc/sudoers.%h

will cause sudo to include the file /etc/sudoers.xerxes.

The #includedir directive can be used to create a sudo.d directory that
the system package manager can drop sudoers rules into as part of package
installation. For example, given:

    #includedir /etc/sudoers.d

sudo will read each file in /etc/sudoers.d, skipping file names that end
in `~' or contain a `.' character to avoid causing problems with package
manager or editor temporary/backup files. Files are parsed in sorted
lexical order. That is, /etc/sudoers.d/01_first will be parsed before
/etc/sudoers.d/10_second. Be aware that because the sorting is lexical,
not numeric, /etc/sudoers.d/1_whoops would be loaded after
/etc/sudoers.d/10_second. Using a consistent number of leading zeroes in
the file names avoids such problems.
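An added Python example (not part of sudo) that applies the #includedir rules above to a constructed directory listing: it skips names ending in `~' or containing `.', sorts the rest lexically, reports numeric prefixes whose intended order differs from the lexical one, and produces the zero-padded names the manual recommends.

```python
import re


def includedir_files(names):
    """Return the names sudo would parse from a #includedir directory, in parse
    order: names ending in `~' or containing `.' are skipped (editor and package
    manager leftovers), the remainder is sorted lexically, not numerically."""
    return sorted(n for n in names if not n.endswith("~") and "." not in n)


def ordering_warnings(names):
    """Flag files whose numeric prefix implies an order different from the lexical
    order sudo actually uses, e.g. 1_whoops being parsed after 10_second."""
    numbered = []
    for name in includedir_files(names):
        m = re.match(r"(\d+)", name)
        if m:
            numbered.append((name, int(m.group(1))))
    warnings = []
    for i, (earlier, n_earlier) in enumerate(numbered):
        for later, n_later in numbered[i + 1:]:
            if n_later < n_earlier:
                warnings.append(f"{later} is parsed after {earlier} although its "
                                f"number is smaller (sorting is lexical)")
    return warnings


def zero_pad(names):
    """Pad numeric prefixes to one consistent width, the fix the manual suggests.
    Returns {old_name: new_name} for the files whose name would change."""
    prefixed = [(n, re.match(r"(\d+)(.*)", n)) for n in names]
    width = max((len(m.group(1)) for _, m in prefixed if m), default=0)
    renames = {}
    for name, m in prefixed:
        if m and len(m.group(1)) < width:
            renames[name] = m.group(1).zfill(width) + m.group(2)
    return renames


# Constructed directory listing (not taken from a real system).
SAMPLE_DIR = ["10_second", "01_first", "1_whoops", "README.md", "50_web~", "zz_local"]

if __name__ == "__main__":
    print(includedir_files(SAMPLE_DIR))
    for w in ordering_warnings(SAMPLE_DIR):
        print("warning:", w)
    print(zero_pad(SAMPLE_DIR))
```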
Note that unlike files included via #include, visudo will not edit the
files in a #includedir directory unless one of them contains a syntax
error. It is still possible to run visudo with the -f flag to edit the

Other special characters and reserved words

The pound sign (`#') is used to indicate a comment (unless it is part of
a #include directive or unless it occurs in the context of a user name
and is followed by one or more digits, in which case it is treated as a
uid). Both the comment character and any text after it, up to the end of
the line, are ignored.

The reserved word ALL is a built-in alias that always causes a match to
succeed. It can be used wherever one might otherwise use a Cmnd_Alias,
User_Alias, Runas_Alias, or Host_Alias. You should not try to define
your own alias called ALL as the built-in alias will be used in
preference to your own. Please note that using ALL can be dangerous
since in a command context, it allows the user to run any command on the

An exclamation point (`!') can be used as a logical not operator both in
an alias and in front of a Cmnd. This allows one to exclude certain
values. Note, however, that using a `!' in conjunction with the built-in
ALL alias to allow a user to run ``all but a few'' commands rarely works
as intended (see SECURITY NOTES below).

Long lines can be continued with a backslash (`\') as the last character

White space between elements in a list as well as special syntactic
characters in a User Specification (`=', `:', `(', `)') is optional.

The following characters must be escaped with a backslash (`\') when used
as part of a word (e.g. a user name or host name): `!', `=', `:', `,',
SUDOERS OPTIONS

sudo's behavior can be modified by Default_Entry lines, as explained
earlier. A list of all supported Defaults parameters, grouped by type,

Boolean Flags:

always_set_home
        If enabled, sudo will set the HOME environment variable to the
        home directory of the target user (which is root unless the -u
        option is used). This effectively means that the -H option is
        always implied. Note that HOME is already set when the env_reset
        option is enabled, so always_set_home is only effective for
        configurations where either env_reset is disabled or HOME is
        present in the env_keep list. This flag is off

authenticate
        If set, users must authenticate themselves via a password (or
        other means of authentication) before they may run commands.
        This default may be overridden via the PASSWD and NOPASSWD tags.
        This flag is on by

        If set, the user may use sudo's -C option which overrides the
        default starting point at which sudo begins closing open file
        descriptors. This flag is off

compress_io
        If set, and sudo is configured to log a command's input or
        output, the I/O logs will be compressed using zlib. This flag is
        on by default when sudo is compiled with zlib support.

env_editor
        If set, visudo will use the value of the EDITOR or VISUAL
        environment variables before falling back on the default editor
        list. Note that this may create a security hole as it allows the
        user to run any arbitrary command as root without logging. A
        safer alternative is to place a colon-separated list of editors
        in the editor variable. visudo will then only use the EDITOR or
        VISUAL if they match a value specified in editor. This flag is
        off by default.

env_reset
        If set, sudo will run the command in a minimal environment
        containing the TERM, PATH, HOME, MAIL, SHELL, LOGNAME, USER,
        USERNAME and SUDO_* variables. Any variables in the caller's
        environment that match the env_keep and env_check lists are then
        added, followed by any variables present in the file specified
        by the env_file option (if any). The default contents of the
        env_keep and env_check lists are displayed when sudo is run by
        root with the -V option. If the secure_path option is set, its
        value will be used for the PATH environment variable. This flag
        is on by

fast_glob
        Normally, sudo uses the glob(3) function to do shell-style
        globbing when matching path names. However, since it accesses
        the file system, glob(3) can take a long time to complete for
        some patterns, especially when the pattern references a network
        file system that is mounted on demand (auto mounted). The
        fast_glob option causes sudo to use the fnmatch(3) function,
        which does not access the file system to do its matching. The
        disadvantage of fast_glob is that it is unable to match relative
        path names such as ./ls or ../bin/ls. This has security
        implications when path names that include globbing characters
        are used with the negation operator, `!', as such rules can be
        trivially bypassed. As such, this option should not be used when
        sudoers contains rules that contain negated path names which
        include globbing characters. This flag is off by default.
fqdn
        Set this flag if you want to put fully qualified host names in
        the sudoers file when the local host name (as returned by the
        hostname command) does not contain the domain name. In other
        words, instead of myhost you would use myhost.mydomain.edu. You
        may still use the short form if you wish (and even mix the two).
        This option is only effective when the ``canonical'' host name,
        as returned by the getaddrinfo() or gethostbyname() function, is
        a fully-qualified domain name. This is usually the case when the
        system is configured to use DNS for host name resolution.

        If the system is configured to use the /etc/hosts file in
        preference to DNS, the ``canonical'' host name may not be
        fully-qualified. The order in which sources are queried for host
        name resolution is usually specified in the /etc/nsswitch.conf,
        /etc/netsvc.conf, /etc/host.conf, or, in some cases,
        /etc/resolv.conf file. In the /etc/hosts file, the first host
        name of the entry is considered to be the ``canonical'' name;
        subsequent names are aliases that are not used by sudoers. For
        example, the following hosts file line for the machine ``xyzzy''
        has the fully-qualified domain name as the ``canonical'' host
        name, and the short version as an alias.

            192.168.1.1 xyzzy.sudo.ws xyzzy

        If the machine's hosts file entry is not formatted properly, the
        fqdn option will not be effective if it is queried before DNS.

        Beware that when using DNS for host name resolution, turning on
        fqdn requires sudoers to make DNS lookups which renders sudo
        unusable if DNS stops working (for example if the machine is
        disconnected from the network). Also note that just like with
        the hosts file, you must use the ``canonical'' name as DNS knows
        it. That is, you may not use a host alias (CNAME entry) due to
        performance issues and the fact that there is no way to get all
        aliases from DNS.

        This flag is off by default.

ignore_dot
        If set, sudo will ignore "." or "" (both denoting current
        directory) in the PATH environment variable; the PATH itself is
        not modified. This flag is off by

        If set via LDAP, parsing of /etc/sudoers will be skipped. This is
        intended for Enterprises that wish to prevent the usage of local
        sudoers files so that only LDAP is used. This thwarts the
        efforts of rogue operators who would attempt to add roles to
        /etc/sudoers. When this option is present, /etc/sudoers does not
        even need to exist. Since this option tells sudo how to behave
        when no specific LDAP entries have been matched, this sudoOption
        is only meaningful for the cn=defaults section. This flag is off
        by default.

insults
        If set, sudo will insult users when they enter an incorrect
        password. This flag is off by default.

log_host
        If set, the host name will be logged in the (non-syslog) sudo
        log file. This flag is off by default.

log_input
        If set, sudo will run the command in a pseudo tty and log all
        user input. If the standard input is not connected to the user's
        tty, due to I/O redirection or because the command is part of a
        pipeline, that input is also captured and stored in a separate
        log file.

        Input is logged to the directory specified by the iolog_dir
        option (/var/log/sudo-io by default) using a unique session ID
        that is included in the normal sudo log line, prefixed with
        ``TSID=''. The iolog_file option may be used to control the
        format of the session

        Note that user input may contain sensitive information such as
        passwords (even if they are not echoed to the screen), which
        will be stored in the log file unencrypted. In most cases,
        logging the command output via log_output is all that is
        required.
log_output
        If set, sudo will run the command in a pseudo tty and log all
        output that is sent to the screen, similar to the script(1)
        command. If the standard output or standard error is not
        connected to the user's tty, due to I/O redirection or because
        the command is part of a pipeline, that output is also captured
        and stored in

        Output is logged to the directory specified by the iolog_dir
        option (/var/log/sudo-io by default) using a unique session ID
        that is included in the normal sudo log line, prefixed with
        ``TSID=''. The iolog_file option may be used to control the
        format of the session

        Output logs may be viewed with the sudoreplay(1m) utility, which
        can also be used to list or search the

log_year
        If set, the four-digit year will be logged in the (non-syslog)
        sudo log file. This flag is off by default.

long_otp_prompt
        When validating with a One Time Password (OTP) scheme such as
        S/Key or OPIE, a two-line prompt is used to make it easier to
        cut and paste the challenge to a local window. It's not as
        pretty as the default but some people find it more convenient.
        This flag is off

mail_always
        Send mail to the mailto user every time a user runs sudo. This
        flag is off by default.

mail_badpass
        Send mail to the mailto user if the user running sudo does not
        enter the correct password. If the command the user is
        attempting to run is not permitted by sudoers and one of the
        mail_always, mail_no_host, mail_no_perms or mail_no_user flags
        are set, this flag will have no effect. This flag is off by
        default.

mail_no_host
        If set, mail will be sent to the mailto user if the invoking
        user exists in the sudoers file, but is not allowed to run
        commands on the current host. This flag is off by default.

mail_no_perms
        If set, mail will be sent to the mailto user if the invoking
        user is allowed to use sudo but the command they are trying is
        not listed in their sudoers file entry or is explicitly denied.
        This flag is off by

mail_no_user
        If set, mail will be sent to the mailto user if the invoking
        user is not in the sudoers file. This flag is

noexec
        If set, all commands run via sudo will behave as if the NOEXEC
        tag has been set, unless overridden by an EXEC tag. See the
        description of NOEXEC and EXEC below as well as the Preventing
        shell escapes section at the end of this manual. This flag is
        off by default.

path_info
        Normally, sudo will tell the user when a command could not be
        found in their PATH environment variable. Some sites may wish to
        disable this as it could be used to gather information on the
        location of executables that the normal user does not have
        access to. The disadvantage is that if the executable is simply
        not in the user's PATH, sudo will tell the user that they are
        not allowed to run it, which can be confusing. This flag is on
        by default.

        The password prompt specified by passprompt will normally only
        be used if the password prompt provided by systems such as PAM
        matches the string ``Password:''. If passprompt_override is set,
        passprompt will always be used. This flag is off by

preserve_groups
        By default, sudo will initialize the group vector to the list of
        groups the target user is in. When preserve_groups is set, the
        user's existing group vector is left unaltered. The real and
        effective group IDs, however, are still set to match the target
        user. This flag is off by default.

pwfeedback
        By default, sudo reads the password like most other Unix
        programs, by turning off echo until the user hits the return (or
        enter) key. Some users become confused by this as it appears to
        them that sudo has hung at this point. When pwfeedback is set,
        sudo will provide visual feedback when the user presses a key.
        Note that this does have a security impact as an onlooker may be
        able to determine the length of the password being entered. This
        flag is off by default.
requiretty
        If set, sudo will only run when the user is logged in to a real
        tty. When this flag is set, sudo can only be run from a login
        session and not via other means such as cron(1m) or cgi-bin
        scripts. This flag is off by

root_sudo
        If set, root is allowed to run sudo too. Disabling this prevents
        users from ``chaining'' sudo commands to get a root shell by
        doing something like ``sudo sudo /bin/sh''. Note, however, that
        turning off root_sudo will also prevent root from running
        sudoedit. Disabling root_sudo provides no real additional
        security; it exists purely for historical reasons. This flag is
        on by default.

rootpw
        If set, sudo will prompt for the root password instead of the
        password of the invoking user. This flag is off

runaspw
        If set, sudo will prompt for the password of the user defined by
        the runas_default option (defaults to root) instead of the
        password of the invoking user. This flag is off by default.

set_home
        If enabled and sudo is invoked with the -s option the HOME
        environment variable will be set to the home directory of the
        target user (which is root unless the -u option is used). This
        effectively makes the -s option imply -H. Note that HOME is
        already set when the env_reset option is enabled, so set_home is
        only effective for configurations where either env_reset is
        disabled or HOME is present in the env_keep list. This flag is
        off by default.

set_logname
        Normally, sudo will set the LOGNAME, USER and USERNAME
        environment variables to the name of the target user (usually
        root unless the -u option is given). However, since some
        programs (including the RCS revision control system) use LOGNAME
        to determine the real identity of the user, it may be desirable
        to change this behavior. This can be done by negating the
        set_logname option. Note that if the env_reset option has not
        been disabled, entries in the env_keep list will override the
        value of set_logname. This flag is on by default.

set_utmp
        When enabled, sudo will create an entry in the utmp (or utmpx)
        file when a pseudo-tty is allocated. A pseudo-tty is allocated
        by sudo when the log_input, log_output or use_pty flags are
        enabled. By default, the new entry will be a copy of the user's
        existing utmp entry (if any), with the tty, time, type and pid
        fields updated. This flag is on by default.

setenv
        Allow the user to disable the env_reset option from the command
        line via the -E option. Additionally, environment variables set
        via the command line are not subject to the restrictions imposed
        by env_check, env_delete, or env_keep. As such, only trusted
        users should be allowed to set variables in this manner. This
        flag is off by default.

shell_noargs
        If set and sudo is invoked with no arguments it acts as if the
        -s option had been given. That is, it runs a shell as root (the
        shell is determined by the SHELL environment variable if it is
        set, falling back on the shell listed in the invoking user's
        /etc/passwd entry if not). This flag is off by default.

stay_setuid
        Normally, when sudo executes a command the real and effective
        UIDs are set to the target user (root by default). This option
        changes that behavior such that the real UID is left as the
        invoking user's UID. In other words, this makes sudo act as a
        setuid wrapper. This can be useful on systems that disable some
        potentially dangerous functionality when a program is run
        setuid. This option is only effective on systems that support
        either the setreuid(2) or setresuid(2) system call. This flag is
        off by default.

targetpw
        If set, sudo will prompt for the password of the user specified
        by the -u option (defaults to root) instead of the password of
        the invoking user. In addition, the time stamp file name will
        include the target user's name. Note that this flag precludes
        the use of a uid not listed in the passwd database as an
        argument to the -u option. This flag is off by default.

tty_tickets
        If set, users must authenticate on a per-tty basis. With this
        flag enabled, sudo will use a file named for the tty the user is
        logged in on in the user's time stamp directory. If disabled,
        the time stamp of the directory is used instead. This flag is on
        by default.

umask_override
        If set, sudo will set the umask as specified by sudoers without
        modification. This makes it possible to specify a more
        permissive umask in sudoers than the user's own umask and
        matches historical behavior. If umask_override is not set, sudo
        will set the umask to be the union of the user's umask and what
        is specified in sudoers. This flag is off by default.

use_loginclass
        If set, sudo will apply the defaults specified for the target
        user's login class if one exists. Only available if sudo is
        configured with the --with-logincap option. This flag is off by
        default.

use_pty
        If set, sudo will run the command in a pseudo-pty even if no I/O
        logging is being done. A malicious program run under sudo could
        conceivably fork a background process that retains access to the
        user's terminal device after the main program has finished
        executing. Use of this option will make that impossible. This
        flag is off by default.

utmp_runas
        If set, sudo will store the name of the runas user when updating
        the utmp (or utmpx) file. By default, sudo stores the name of
        the invoking user. This flag is off

visiblepw
        By default, sudo will refuse to run if the user must enter a
        password but it is not possible to disable echo on the terminal.
        If the visiblepw flag is set, sudo will prompt for a password
        even when it would be visible on the screen. This makes it
        possible to run things like ``ssh somehost sudo ls'' since by
        default, ssh(1) does not allocate a tty when running a command.
        This flag is off by default.
Integers:

closefrom
        Before it executes a command, sudo will close all open file
        descriptors other than standard input, standard output and
        standard error (i.e. file descriptors 0-2). The closefrom option
        can be used to specify a different file descriptor at which to
        start closing. The default

passwd_tries
        The number of tries a user gets to enter his/her password before
        sudo logs the failure and exits. The

Integers that can be used in a boolean context:

loglinelen
        Number of characters per line for the file log. This value is
        used to decide when to wrap lines for nicer log files. This has
        no effect on the syslog log file, only the file log. The default
        is 80 (use 0 or negate the option to disable word wrap).

passwd_timeout
        Number of minutes before the sudo password prompt times out, or
        0 for no timeout. The timeout may include a fractional component
        if minute granularity is insufficient, for example 2.5. The
        default is 5.

        Number of minutes that can elapse before sudo will ask for a
        password again. The timeout may include a fractional component
        if minute granularity is insufficient, for example 2.5. The
        default is 5. Set this to 0 to always prompt for a password. If
        set to a value less than 0 the user's time stamp will never
        expire. This can be used to allow users to create or delete
        their own time stamps via ``sudo -v'' and ``sudo

umask
        Umask to use when running the command. Negate this option or set
        it to 0777 to preserve the user's umask. The actual umask that
        is used will be the union of the user's umask and the value of
        the umask option, which defaults to 0022. This guarantees that
        sudo never lowers the umask when running a command. Note: on
        systems that use PAM, the default PAM configuration may specify
        its own umask which will override the value set in sudoers.

Strings:

badpass_message
        Message that is displayed if a user enters an incorrect
        password. The default is ``Sorry, try again.'' unless insults
        are enabled.

editor
        A colon (`:') separated list of editors allowed to be used with
        visudo. visudo will choose the editor that matches the user's
        EDITOR environment variable if possible, or the first editor in
        the list that exists and is executable. The default is vi.

iolog_dir
        The top-level directory to use when constructing the path name
        for the input/output log directory. Only used if the log_input
        or log_output options are enabled or when the LOG_INPUT or
        LOG_OUTPUT tags are present for a command. The session sequence
        number, if any, is stored in the directory. The default is
        /var/log/sudo-io.

        The following percent (`%') escape sequences are

            expanded to a monotonically increasing base-36 sequence
            number, such as 0100A5, where every two digits are used to
            form a new directory, e.g. 01/00/A5

            expanded to the invoking user's login name

            expanded to the name of the invoking user's real

            expanded to the login name of the user the command will be
            run as (e.g. root)

            expanded to the group name of the user the command will be
            run as (e.g. wheel)

            expanded to the local host name without the

            expanded to the base name of the command being

        In addition, any escape sequences supported by the system's
        strftime(3) function will be expanded.

        To include a literal `%' character, the string `%%'
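The session ID format described above (a zero-padded base-36 sequence number split into two-character directory components) and the TSID= token that log_input/log_output add to the normal sudo log line, as an added Python example that is not sudo's own code. The sample log line is constructed for the example, and the /var/log/sudo-io default is taken from the text.

```python
import re

BASE36 = "0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ"


def seq_to_id(seq, width=6):
    """Encode a session sequence number as the zero-padded, upper-case base-36
    id used for I/O log directories (e.g. 1679981 -> '0100A5')."""
    if seq < 0:
        raise ValueError("sequence number must be non-negative")
    digits = ""
    while seq:
        seq, rem = divmod(seq, 36)
        digits = BASE36[rem] + digits
    return digits.rjust(width, "0")


def id_to_seq(session_id):
    """Inverse of seq_to_id; int() accepts base 36 and ignores letter case."""
    return int(session_id, 36)


def iolog_session_dir(session_id, iolog_dir="/var/log/sudo-io"):
    """Directory holding one session's I/O logs: the id is split into
    two-character components, e.g. 0100A5 -> /var/log/sudo-io/01/00/A5."""
    parts = [session_id[i:i + 2] for i in range(0, len(session_id), 2)]
    return "/".join([iolog_dir.rstrip("/")] + parts)


TSID_RE = re.compile(r"\bTSID=([0-9A-Za-z]+)")


def tsid_from_log_line(line):
    """Extract the TSID= token sudo adds to its normal log line, or None."""
    m = TSID_RE.search(line)
    return m.group(1) if m else None


# Constructed sudo log line (not captured from a real system), in the usual
# "user : TTY=... ; PWD=... ; USER=... ; TSID=... ; COMMAND=..." layout.
SAMPLE_LOG = ("Jan  1 12:00:00 : alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; "
              "TSID=0100A5 ; COMMAND=/bin/ls /root")

if __name__ == "__main__":
    tsid = tsid_from_log_line(SAMPLE_LOG)
    print(tsid, id_to_seq(tsid), iolog_session_dir(tsid))
```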
iolog_file
        The path name, relative to iolog_dir, in which to store
        input/output logs when the log_input or log_output options are
        enabled or when the LOG_INPUT or LOG_OUTPUT tags are present for
        a command. Note that iolog_file may contain directory
        components. The default is

        See the iolog_dir option above for a list of supported percent
        (`%') escape sequences.

        In addition to the escape sequences, path names that end in six
        or more Xs will have the Xs replaced with a unique combination
        of digits and letters, similar to the mktemp(3) function.

limitprivs
        The default Solaris limit privileges to use when constructing a
        new privilege set for a command. This bounds all privileges of
        the executing process. The default limit privileges may be
        overridden on a per-command basis in sudoers. This option is
        only available if sudoers is built on Solaris 10 or higher.

mailsub
        Subject of the mail sent to the mailto user. The escape %h will
        expand to the host name of the machine. Default is ``*** SECURITY
        information for %h ***''.

noexec_file
        This option is no longer supported. The path to the noexec file
        should now be set in the /etc/sudo.conf

passprompt
        The default prompt to use when asking for a password; can be
        overridden via the -p option or the SUDO_PROMPT environment
        variable. The following percent (`%') escape sequences are
        supported:

        %H  expanded to the local host name including the domain name
            (only if the machine's host name is fully qualified or the
            fqdn option is set)

        %h  expanded to the local host name without the

        %p  expanded to the user whose password is being asked for
            (respects the rootpw, targetpw and runaspw flags in sudoers)

        %U  expanded to the login name of the user the command will be
            run as (defaults to root)

        %u  expanded to the invoking user's login name

        %%  two consecutive % characters are collapsed into a

        The default value is ``Password:''.

privs
        The default Solaris privileges to use when constructing a new
        privilege set for a command. This is passed to
1235 the executing process via the inherited privilege set,
1236 but is bounded by the limit privileges. If the _
\bp_
\br_
\bi_
\bv_
\bs
1237 option is specified but the _
\bl_
\bi_
\bm_
\bi_
\bt_
\bp_
\br_
\bi_
\bv_
\bs option is not,
1238 the limit privileges of the executing process is set to
1239 _
\bp_
\br_
\bi_
\bv_
\bs. The default privileges may be overridden on a
1240 per-command basis in _
\bs_
\bu_
\bd_
\bo_
\be_
\br_
\bs. This option is only
1241 available if s
\bsu
\bud
\bdo
\boe
\ber
\brs
\bs is built on Solaris 10 or higher.
1243 role The default SELinux role to use when constructing a new
1244 security context to run the command. The default role
1245 may be overridden on a per-command basis in _
\bs_
\bu_
\bd_
\bo_
\be_
\br_
\bs or
1246 via command line options. This option is only
1247 available when s
\bsu
\bud
\bdo
\bo is built with SELinux support.
1249 runas_default The default user to run commands as if the -
\b-u
\bu option is
1250 not specified on the command line. This defaults to
1253 syslog_badpri Syslog priority to use when user authenticates
1254 unsuccessfully. Defaults to alert.
1256 The following syslog priorities are supported: a
\bal
\ble
\ber
\brt
\bt,
1257 c
\bcr
\bri
\bit
\bt, d
\bde
\beb
\bbu
\bug
\bg, e
\bem
\bme
\ber
\brg
\bg, e
\ber
\brr
\br, i
\bin
\bnf
\bfo
\bo, n
\bno
\bot
\bti
\bic
\bce
\be, and w
\bwa
\bar
\brn
\bni
\bin
\bng
\bg.
1259 syslog_goodpri Syslog priority to use when user authenticates
1260 successfully. Defaults to notice.
1262 See _
\bs_
\by_
\bs_
\bl_
\bo_
\bg_
\b__
\bb_
\ba_
\bd_
\bp_
\br_
\bi for the list of supported syslog
1265 sudoers_locale Locale to use when parsing the sudoers file, logging
1266 commands, and sending email. Note that changing the
1267 locale may affect how sudoers is interpreted. Defaults
1270 timestampdir The directory in which s
\bsu
\bud
\bdo
\bo stores its time stamp
1271 files. The default is _
\b/_
\bv_
\ba_
\br_
\b/_
\ba_
\bd_
\bm_
\b/_
\bs_
\bu_
\bd_
\bo.
1273 timestampowner The owner of the time stamp directory and the time
1274 stamps stored therein. The default is root.
1276 type The default SELinux type to use when constructing a new
1277 security context to run the command. The default type
1278 may be overridden on a per-command basis in _
\bs_
\bu_
\bd_
\bo_
\be_
\br_
\bs or
1279 via command line options. This option is only
1280 available when s
\bsu
\bud
\bdo
\bo is built with SELinux support.
   Strings that can be used in a boolean context:

     env_file        The env_file option specifies the fully qualified path to a
                     file containing variables to be set in the environment of
                     the program being run.  Entries in this file should either
                     be of the form ``VARIABLE=value'' or ``export
                     VARIABLE=value''.  The value may optionally be surrounded
                     by single or double quotes.  Variables in this file are
                     subject to other sudo environment settings such as env_keep
                     and env_check.

     exempt_group    Users in this group are exempt from password and PATH
                     requirements.  The group name specified should not include
                     a % prefix.  This is not set by default.

     group_plugin    A string containing a sudoers group plugin with optional
                     arguments.  This can be used to implement support for the
                     nonunix_group syntax described earlier.  The string should
                     consist of the plugin path, either fully-qualified or
                     relative to the /usr/local/libexec directory, followed by
                     any configuration arguments the plugin requires.  These
                     arguments (if any) will be passed to the plugin's
                     initialization function.  If arguments are present, the
                     string must be enclosed in double quotes ("").

                     For example, given /etc/sudo-group, a group file in Unix
                     group format, the sample group plugin can be used:

                         Defaults group_plugin="sample_group.so /etc/sudo-group"

                     For more information see sudo_plugin(4).

     lecture         This option controls when a short lecture will be printed
                     along with the password prompt.  It has the following
                     possible values:

                     always  Always lecture the user.

                     never   Never lecture the user.

                     once    Only lecture the user the first time they run sudo.

                     If no value is specified, a value of once is implied.
                     Negating the option results in a value of never being used.
                     The default value is once.

     lecture_file    Path to a file containing an alternate sudo lecture that
                     will be used in place of the standard lecture if the named
                     file exists.  By default, sudo uses a built-in lecture.

     listpw          This option controls when a password will be required when
                     a user runs sudo with the -l option.  It has the following
                     possible values:

                     all     All the user's sudoers entries for the current
                             host must have the NOPASSWD flag set to avoid
                             entering a password.

                     always  The user must always enter a password to use the
                             -l option.

                     any     At least one of the user's sudoers entries for
                             the current host must have the NOPASSWD flag set
                             to avoid entering a password.

                     never   The user need never enter a password to use the
                             -l option.

                     If no value is specified, a value of any is implied.
                     Negating the option results in a value of never being used.
                     The default value is any.

     logfile         Path to the sudo log file (not the syslog log file).
                     Setting a path turns on logging to a file; negating this
                     option turns it off.  By default, sudo logs via syslog.

     mailerflags     Flags to use when invoking mailer.  Defaults to -t.

     mailerpath      Path to mail program used to send warning mail.  Defaults
                     to the path to sendmail found at configure time.

     mailfrom        Address to use for the ``from'' address when sending
                     warning and error mail.  The address should be enclosed in
                     double quotes ("") to protect against sudo interpreting the
                     @ sign.  Defaults to the name of the user running sudo.

     mailto          Address to send warning and error mail to.  The address
                     should be enclosed in double quotes ("") to protect against
                     sudo interpreting the @ sign.  Defaults to root.

     secure_path     Path used for every command run from sudo.  If you don't
                     trust the people running sudo to have a sane PATH
                     environment variable you may want to use this.  Another use
                     is if you want to have the ``root path'' be separate from
                     the ``user path''.  Users in the group specified by the
                     exempt_group option are not affected by secure_path.  This
                     option is not set by default.

     syslog          Syslog facility if syslog is being used for logging (negate
                     to disable syslog logging).  Defaults to auth.

                     The following syslog facilities are supported: authpriv (if
                     your OS supports it), auth, daemon, user, local0, local1,
                     local2, local3, local4, local5, local6, and local7.

     verifypw        This option controls when a password will be required when
                     a user runs sudo with the -v option.  It has the following
                     possible values:

                     all     All the user's sudoers entries for the current host
                             must have the NOPASSWD flag set to avoid entering a
                             password.

                     always  The user must always enter a password to use the -v
                             option.

                     any     At least one of the user's sudoers entries for the
                             current host must have the NOPASSWD flag set to
                             avoid entering a password.

                     never   The user need never enter a password to use the -v
                             option.

                     If no value is specified, a value of all is implied.
                     Negating the option results in a value of never being used.
                     The default value is all.

   Lists that can be used in a boolean context:

     env_check       Environment variables to be removed from the user's
                     environment if the variable's value contains `%' or `/'
                     characters.  This can be used to guard against printf-
                     style format vulnerabilities in poorly-written
                     programs.  The argument may be a double-quoted, space-
                     separated list or a single value without double-quotes.
                     The list can be replaced, added to, deleted from, or
                     disabled by using the =, +=, -=, and ! operators
                     respectively.  Regardless of whether the env_reset
                     option is enabled or disabled, variables specified by
                     env_check will be preserved in the environment if they
                     pass the aforementioned check.  The default list of
                     environment variables to check is displayed when sudo
                     is run by root with the -V option.

     env_delete      Environment variables to be removed from the user's
                     environment when the env_reset option is not in effect.
                     The argument may be a double-quoted, space-separated
                     list or a single value without double-quotes.  The list
                     can be replaced, added to, deleted from, or disabled by
                     using the =, +=, -=, and ! operators respectively.  The
                     default list of environment variables to remove is
                     displayed when sudo is run by root with the -V option.
                     Note that many operating systems will remove
                     potentially dangerous variables from the environment of
                     any setuid process (such as sudo).

     env_keep        Environment variables to be preserved in the user's
                     environment when the env_reset option is in effect.
                     This allows fine-grained control over the environment
                     sudo-spawned processes will receive.  The argument may
                     be a double-quoted, space-separated list or a single
                     value without double-quotes.  The list can be replaced,
                     added to, deleted from, or disabled by using the =, +=,
                     -=, and ! operators respectively.  The default list of
                     variables to keep is displayed when sudo is run by root
                     with the -V option.
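     The way env_reset interacts with the three lists above is easy to get
     wrong, so the following simulation is added here as an example; it is
     not code from sudo or from this manual.  It applies Defaults lines for
     env_reset, env_keep, env_check and env_delete (with the =, +=, -= and !
     operators) to a policy and then builds the environment a command would
     receive.  The compiled-in default lists are stand-ins constructed for
     the example (the real ones are what ``sudo -V'' prints), the user
     environment is constructed, and sudo's minimal env_reset environment,
     secure_path handling and variable-name patterns are deliberately left
     out.

```python
"""Simulate sudoers environment handling: env_reset, env_keep, env_check,
env_delete and the =, +=, -= and ! list operators (example, not sudo code)."""
import re
from typing import Dict, Set


def example_policy() -> Dict[str, object]:
    """Stand-in for the compiled-in lists (constructed for this example;
    the real defaults are shown by 'sudo -V' run as root)."""
    return {
        "env_reset": True,
        "env_keep": {"TERM", "PATH", "HOME"},
        "env_check": {"TZ", "COLORTERM"},
        "env_delete": {"LD_PRELOAD", "LD_LIBRARY_PATH", "IFS"},
    }


# Defaults <name>, Defaults !<name>, Defaults <name> <op> "<values>"
DEFAULTS_RE = re.compile(
    r'^Defaults\s+(?P<neg>!?)(?P<name>\w+)'
    r'(?:\s*(?P<op>\+=|-=|=)\s*"?(?P<val>[^"]*?)"?)?\s*$')


def apply_defaults(policy: Dict[str, object], line: str) -> None:
    """Apply one Defaults line: '=' replaces a list, '+=' adds to it,
    '-=' removes from it and a leading '!' disables it (empties the list,
    or turns env_reset off)."""
    m = DEFAULTS_RE.match(line.strip())
    if m is None:
        raise ValueError(f"unsupported Defaults line: {line!r}")
    neg, name, op = m.group("neg"), m.group("name"), m.group("op")
    if name == "env_reset":
        policy["env_reset"] = not neg
        return
    if name not in ("env_keep", "env_check", "env_delete"):
        raise ValueError(f"option not handled by this example: {name}")
    current: Set[str] = set(policy[name])
    values = set(m.group("val").split()) if op else set()
    if neg:
        current = set()
    elif op == "=":
        current = values
    elif op == "+=":
        current |= values
    elif op == "-=":
        current -= values
    policy[name] = current


def unsafe_value(value: str) -> bool:
    """The env_check test: values containing '%' or '/' are rejected."""
    return "%" in value or "/" in value


def build_env(user_env: Dict[str, str], policy: Dict[str, object]) -> Dict[str, str]:
    """Build the environment a command would receive under `policy`."""
    keep, check, delete = (set(policy[k]) for k in ("env_keep", "env_check", "env_delete"))
    result: Dict[str, str] = {}
    for name, value in user_env.items():
        if name in check:
            # Preserved whether or not env_reset is on, but only if clean.
            if not unsafe_value(value):
                result[name] = value
        elif policy["env_reset"]:
            # env_reset: only variables listed in env_keep survive.
            if name in keep:
                result[name] = value
        elif name not in delete:
            # No env_reset: everything survives except env_delete entries.
            result[name] = value
    return result


if __name__ == "__main__":
    policy = example_policy()
    apply_defaults(policy, 'Defaults env_keep += "DISPLAY HOME"')
    # Constructed user environment, including one value env_check rejects.
    user_env = {"TERM": "xterm", "DISPLAY": ":0", "HOME": "/home/jack",
                "TZ": "../../etc/localtime", "LD_PRELOAD": "/tmp/evil.so",
                "EDITOR": "vi"}
    print("env_reset on: ", build_env(user_env, policy))
    apply_defaults(policy, "Defaults !env_reset")
    print("env_reset off:", build_env(user_env, policy))
```

     With env_reset on, EDITOR and LD_PRELOAD never reach the command because
     they are not in env_keep; with env_reset off, EDITOR survives and only
     the env_delete entry is stripped.  TZ is dropped in both modes because
     its value contains a `/'.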
LOG FORMAT
     sudoers can log events using either syslog(3) or a simple log file.  In
     each case the log format is almost identical.

   Accepted command log entries
     Commands that sudo runs are logged using the following format (split into
     multiple lines for readability):

         date hostname progname: username : TTY=ttyname ; PWD=cwd ; \
             USER=runasuser ; GROUP=runasgroup ; TSID=logid ; \
             ENV=env_vars COMMAND=command

     Where the fields are as follows:

     date         The date the command was run.  Typically, this is in the
                  format ``MMM, DD, HH:MM:SS''.  If logging via syslog(3),
                  the actual date format is controlled by the syslog daemon.
                  If logging to a file and the log_year option is enabled,
                  the date will also include the year.

     hostname     The name of the host sudo was run on.  This field is only
                  present when logging via syslog(3).

     progname     The name of the program, usually sudo or sudoedit.  This
                  field is only present when logging via syslog(3).

     username     The login name of the user who ran sudo.

     ttyname      The short name of the terminal (e.g. ``console'',
                  ``tty01'', or ``pts/0'') sudo was run on, or ``unknown'' if
                  there was no terminal present.

     cwd          The current working directory that sudo was run in.

     runasuser    The user the command was run as.

     runasgroup   The group the command was run as if one was specified on
                  the command line.

     logid        An I/O log identifier that can be used to replay the
                  command's output.  This is only present when the log_input
                  or log_output option is enabled.

     env_vars     A list of environment variables specified on the command
                  line, if specified.

     command      The actual command that was executed.

     Messages are logged using the locale specified by sudoers_locale, which
     defaults to the ``C'' locale.

   Denied command log entries
     If the user is not allowed to run the command, the reason for the denial
     will follow the user name.  Possible reasons include:

     user NOT in sudoers
         The user is not listed in the sudoers file.

     user NOT authorized on host
         The user is listed in the sudoers file but is not allowed to run
         commands on the host.

     command not allowed
         The user is listed in the sudoers file for the host but they are not
         allowed to run the specified command.

     3 incorrect password attempts
         The user failed to enter their password after 3 tries.  The actual
         number of tries will vary based on the number of failed attempts and
         the value of the passwd_tries option.

     a password is required
         sudo's -n option was specified but a password was required.

     sorry, you are not allowed to set the following environment variables
         The user specified environment variables on the command line that were
         not allowed by sudoers.

   Error log entries
     If an error occurs, sudoers will log a message and, in most cases, send a
     message to the administrator via email.  Possible errors include:

     parse error in /etc/sudoers near line N
         sudoers encountered an error when parsing the specified file.  In some
         cases, the actual error may be one line above or below the line number
         listed, depending on the type of error.

     problem with defaults entries
         The sudoers file contains one or more unknown Defaults settings.  This
         does not prevent sudo from running, but the sudoers file should be
         checked using visudo.

     timestamp owner (username): No such user
         The time stamp directory owner, as specified by the timestampowner
         setting, could not be found in the password database.

     unable to open/read /etc/sudoers
         The sudoers file could not be opened for reading.  This can happen
         when the sudoers file is located on a remote file system that maps
         user ID 0 to a different value.  Normally, sudoers tries to open
         sudoers using group permissions to avoid this problem.  Consider
         changing the ownership of /etc/sudoers by adding an option like
         ``sudoers_uid=N'' (where `N' is the user ID that owns the sudoers
         file) to the sudoers plugin line in the /etc/sudo.conf file.

     unable to stat /etc/sudoers
         The /etc/sudoers file is missing.

     /etc/sudoers is not a regular file
         The /etc/sudoers file exists but is not a regular file or symbolic
         link.

     /etc/sudoers is owned by uid N, should be 0
         The sudoers file has the wrong owner.  If you wish to change the
         sudoers file owner, please add ``sudoers_uid=N'' (where `N' is the
         user ID that owns the sudoers file) to the sudoers plugin line in the
         /etc/sudo.conf file.

     /etc/sudoers is world writable
         The permissions on the sudoers file allow all users to write to it.
         The sudoers file must not be world-writable; the default file mode is
         0440 (readable by owner and group, writable by none).  The default
         mode may be changed via the ``sudoers_mode'' option to the sudoers
         plugin line in the /etc/sudo.conf file.

     /etc/sudoers is owned by gid N, should be 1
         The sudoers file has the wrong group ownership.  If you wish to change
         the sudoers file group ownership, please add ``sudoers_gid=N'' (where
         `N' is the group ID that owns the sudoers file) to the sudoers plugin
         line in the /etc/sudo.conf file.

     unable to open /var/adm/sudo/username/ttyname
         sudoers was unable to read or create the user's time stamp file.

     unable to write to /var/adm/sudo/username/ttyname
         sudoers was unable to write to the user's time stamp file.

     unable to mkdir to /var/adm/sudo/username
         sudoers was unable to create the user's time stamp directory.

   Notes on logging via syslog
     By default, sudoers logs messages via syslog(3).  The date, hostname, and
     progname fields are added by the syslog daemon, not sudoers itself.  As
     such, they may vary in format on different systems.

     On most systems, syslog(3) has a relatively small log buffer.  To prevent
     the command line arguments from being truncated, sudoers will split up
     log messages that are larger than 960 characters (not including the date,
     hostname, and the string ``sudo'').  When a message is split, additional
     parts will include the string ``(command continued)'' after the user name
     and before the continued command line arguments.
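     The field layout from Accepted command log entries, the reasons listed
     under Denied command log entries, the ``(command continued)'' splitting
     described above and the %{seq} directory layout of the iolog_dir option
     are what a responder ends up re-implementing when triaging sudo logs.
     The parser below is an added example, not code from the sudo project.
     The log lines are constructed for the example (host web1, users taken
     from the EXAMPLES section), the 960-character split is simulated by a
     short continuation line, and only the syslog form of the entries (with
     hostname and progname) is handled, not the word-wrapped logfile form.

```python
"""Parse sudoers syslog entries (accepted, denied and '(command continued)'
parts) and map a TSID to its I/O log directory.  Example code, not sudo's."""
import re
from typing import Any, Dict, List, Optional, Tuple

# Constructed sample in the format documented above.  The last two lines
# simulate a message that sudoers split because it exceeded 960 characters.
SAMPLE_LOG = """\
Jun  3 10:15:02 web1 sudo:  millert : TTY=pts/0 ; PWD=/home/millert ; USER=root ; TSID=0100A5 ; COMMAND=/usr/bin/less /var/log/messages
Jun  3 10:16:40 web1 sudo:    jwfox : user NOT in sudoers ; TTY=pts/1 ; PWD=/home/jwfox ; USER=root ; COMMAND=/bin/sh
Jun  3 10:17:11 web1 sudo:     pete : command not allowed ; TTY=pts/2 ; PWD=/home/pete ; USER=root ; COMMAND=/usr/bin/passwd root
Jun  3 10:18:00 web1 sudo:  bostley : 3 incorrect password attempts ; TTY=pts/3 ; PWD=/home/bostley ; USER=root ; COMMAND=/usr/sbin/reboot
Jun  3 10:19:30 web1 sudo:    mikef : TTY=pts/4 ; PWD=/home/mikef/src ; USER=root ; ENV=LANG=C COMMAND=/usr/bin/make
Jun  3 10:20:05 web1 sudo:    dowdy : TTY=pts/5 ; PWD=/tmp ; USER=root ; COMMAND=/usr/bin/find / -name core
Jun  3 10:20:05 web1 sudo:    dowdy : (command continued) -exec rm {} ;
"""

SYSLOG_RE = re.compile(
    r"^(?P<date>\w{3} {1,2}\d{1,2} \d\d:\d\d:\d\d) "   # added by the syslog daemon
    r"(?P<hostname>\S+) (?P<progname>sudo|sudoedit): +"
    r"(?P<username>\S+) : (?P<body>.*)$")
CONTINUED = "(command continued) "


def parse_entry(line: str) -> Optional[Dict[str, Any]]:
    """Parse one syslog line; None if it is not a sudoers entry."""
    m = SYSLOG_RE.match(line.rstrip("\n"))
    if m is None:
        return None
    entry: Dict[str, Any] = {k: v for k, v in m.groupdict().items() if k != "body"}
    body = m.group("body")
    if body.startswith(CONTINUED):
        entry["continued"] = body[len(CONTINUED):]
        return entry
    # COMMAND= is always last and its value may itself contain " ; ",
    # so peel it off before splitting the remaining fields.
    cmd = re.search(r"(?:^| )COMMAND=(.*)$", body)
    if cmd:
        entry["command"] = cmd.group(1)
        body = body[:cmd.start()].rstrip("; ")
    env = re.search(r"(?:^| ; )ENV=(.*)$", body)
    if env:
        entry["env"] = env.group(1)
        body = body[:env.start()]
    for field in body.split(" ; "):
        key, sep, value = field.partition("=")
        if sep:
            entry[key.lower()] = value
        elif field:
            entry["denied_reason"] = field   # free text before TTY= on denials
    entry["accepted"] = "denied_reason" not in entry
    return entry


def parse_log(text: str) -> List[Dict[str, Any]]:
    """Parse all entries, re-joining '(command continued)' parts onto the
    preceding entry by the same user."""
    entries: List[Dict[str, Any]] = []
    for line in text.splitlines():
        entry = parse_entry(line)
        if entry is None:
            continue
        if "continued" in entry:
            if entries and entries[-1]["username"] == entry["username"]:
                entries[-1]["command"] = entries[-1].get("command", "") + " " + entry["continued"]
            continue
        entries.append(entry)
    return entries


def denials(entries: List[Dict[str, Any]]) -> List[Tuple[str, str]]:
    """(username, reason) for every denied entry."""
    return [(e["username"], e["denied_reason"]) for e in entries if not e["accepted"]]


BASE36 = "0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ"


def seq_to_base36(n: int) -> str:
    """Render a sequence number as %{seq} does: upper-case base 36, six digits."""
    digits = ""
    while n:
        n, r = divmod(n, 36)
        digits = BASE36[r] + digits
    return digits.rjust(6, "0")


def iolog_path(tsid: str, iolog_dir: str = "/var/log/sudo-io") -> str:
    """Directory holding the I/O log for a TSID under the default
    iolog_file=%{seq}: each pair of digits is a directory, 0100A5 -> 01/00/A5."""
    if len(tsid) % 2 or any(c not in BASE36 for c in tsid):
        raise ValueError(f"not a %{{seq}} identifier: {tsid!r}")
    return "/".join([iolog_dir.rstrip("/")] + [tsid[i:i + 2] for i in range(0, len(tsid), 2)])


if __name__ == "__main__":
    entries = parse_log(SAMPLE_LOG)
    for user, reason in denials(entries):
        print(f"denied: {user}: {reason}")
    for e in entries:
        if e["accepted"] and "tsid" in e:
            print(f"replay {e['username']} {e['command']!r} from {iolog_path(e['tsid'])}")
```

     The TSID of an accepted entry is the value iolog_file=%{seq} produced,
     so iolog_path() gives the directory to hand to the replay tool; the
     continuation handling matters because a truncated or split command line
     is exactly where an attacker's trailing arguments would otherwise be
     missed.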
   Notes on logging to a file
     If the logfile option is set, sudoers will log to a local file, such as
     /var/log/sudo.  When logging to a file, sudoers uses a format similar to
     syslog(3), with a few important differences:

     1.   The progname and hostname fields are not present.

     2.   If the log_year option is enabled, the date will also include the
          year.

     3.   Lines that are longer than loglinelen characters (80 by default) are
          word-wrapped and continued on the next line with a four character
          indent.  This makes entries easier to read for a human being, but
          makes it more difficult to use grep(1) on the log files.  If the
          loglinelen option is set to 0 (or negated with a `!'), word wrap
          will be disabled.
SUDO.CONF
     The /etc/sudo.conf file determines which plugins the sudo front end will
     load.  If no /etc/sudo.conf file is present, or it contains no Plugin
     lines, sudo will use the sudoers security policy and I/O logging, which
     corresponds to the following /etc/sudo.conf file.

         #
         # Default /etc/sudo.conf file
         #
         # Format:
         #   Plugin plugin_name plugin_path plugin_options ...
         #   Path askpass /path/to/askpass
         #   Path noexec /path/to/sudo_noexec.so
         #   Debug sudo /var/log/sudo_debug all@warn
         #   Set disable_coredump true
         #
         # The plugin_path is relative to /usr/local/libexec unless
         #   fully qualified.
         # The plugin_name corresponds to a global symbol in the plugin
         #   that contains the plugin interface structure.
         # The plugin_options are optional.
         #
         Plugin policy_plugin sudoers.so
         Plugin io_plugin sudoers.so

   Plugin options
     Starting with sudo 1.8.5, it is possible to pass options to the sudoers
     plugin.  Options may be listed after the path to the plugin (i.e. after
     sudoers.so); multiple options should be space-separated.  For example:

         Plugin sudoers_policy sudoers.so sudoers_file=/etc/sudoers sudoers_uid=0 sudoers_gid=0 sudoers_mode=0440

     The following plugin options are supported:

     sudoers_file=pathname
         The sudoers_file option can be used to override the default
         path to the sudoers file.

     sudoers_uid=uid
         The sudoers_uid option can be used to override the default
         owner of the sudoers file.  It should be specified as a numeric
         user ID.

     sudoers_gid=gid
         The sudoers_gid option can be used to override the default
         group of the sudoers file.  It should be specified as a numeric
         group ID.

     sudoers_mode=mode
         The sudoers_mode option can be used to override the default
         file mode for the sudoers file.  It should be specified as an
         octal value.
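     The ``unable to stat'', ``is not a regular file'', ``is owned by uid N'',
     ``is world writable'' and ``is owned by gid N'' messages in the Error log
     entries section are the plugin comparing the file against the
     sudoers_uid, sudoers_gid and sudoers_mode values from its Plugin line.
     The following is an added example, not the plugin's own code, that
     reproduces those checks so a policy file can be audited before it is
     installed or pushed by configuration management.  It exercises itself
     on a throw-away file in a temporary directory (contents constructed);
     the extra message for a file whose mode is looser than sudoers_mode
     without being world-writable is this example's own addition and is not
     one of the messages listed above.

```python
"""Audit a sudoers file the way the sudoers plugin does before trusting it
(example code, not from sudo)."""
import os
import shutil
import stat
import tempfile
from typing import Dict, List


def check_sudoers_file(path: str, sudoers_uid: int = 0, sudoers_gid: int = 0,
                       sudoers_mode: int = 0o440) -> List[str]:
    """Return the problems sudoers would report for `path` given the
    sudoers_uid, sudoers_gid and sudoers_mode plugin options (defaults as in
    the example Plugin line).  An empty list means the file is acceptable."""
    problems: List[str] = []
    try:
        st = os.stat(path)        # follows a symbolic link, as sudoers allows
    except FileNotFoundError:
        return [f"unable to stat {path}"]
    if not stat.S_ISREG(st.st_mode):
        return [f"{path} is not a regular file"]
    if st.st_uid != sudoers_uid:
        problems.append(f"{path} is owned by uid {st.st_uid}, should be {sudoers_uid}")
    if st.st_gid != sudoers_gid:
        problems.append(f"{path} is owned by gid {st.st_gid}, should be {sudoers_gid}")
    perms = stat.S_IMODE(st.st_mode)
    if perms & stat.S_IWOTH:
        problems.append(f"{path} is world writable")
    elif perms & ~sudoers_mode:
        # Assumption of this example, not a message from the manual: report
        # permission bits beyond sudoers_mode (e.g. 0640 when 0440 is expected).
        problems.append(f"{path} is mode {perms:04o}, should be {sudoers_mode:04o}")
    return problems


def run_demo() -> Dict[str, List[str]]:
    """Exercise the checks on a throw-away file whose contents are constructed."""
    workdir = tempfile.mkdtemp()
    path = os.path.join(workdir, "sudoers")
    with open(path, "w") as fh:
        fh.write("root ALL = (ALL) ALL\n")
    uid, gid = os.getuid(), os.getgid()      # the file is owned by whoever runs this
    results: Dict[str, List[str]] = {}
    try:
        os.chmod(path, 0o440)
        results["good"] = check_sudoers_file(path, uid, gid)
        os.chmod(path, 0o446)
        results["world_writable"] = check_sudoers_file(path, uid, gid)
        os.chmod(path, 0o640)
        results["loose_mode"] = check_sudoers_file(path, uid, gid)
        os.chmod(path, 0o440)
        results["wrong_owner"] = check_sudoers_file(path, uid + 1, gid + 1)
        results["missing"] = check_sudoers_file(os.path.join(workdir, "nope"), uid, gid)
        results["not_regular"] = check_sudoers_file(workdir, uid, gid)
    finally:
        shutil.rmtree(workdir)
    return results


if __name__ == "__main__":
    for name, problems in run_demo().items():
        print(f"{name}: {problems or 'OK'}")
```

     To audit a real policy file, call check_sudoers_file("/etc/sudoers")
     with the uid, gid and mode that appear on the Plugin line of
     /etc/sudo.conf; a non-empty result is what sudo would log and mail
     to the mailto address at the next invocation.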
   Debug flags
     Versions 1.8.4 and higher of the sudoers plugin support a debugging
     framework that can help track down what the plugin is doing internally if
     there is a problem.  This can be configured in the /etc/sudo.conf file as
     described in sudo(1m).

     The sudoers plugin uses the same debug flag format as the sudo front-end:
     subsystem@priority.

     The priorities used by sudoers, in order of decreasing severity, are:
     crit, err, warn, notice, diag, info, trace and debug.  Each priority,
     when specified, also includes all priorities higher than it.  For
     example, a priority of notice would include debug messages logged at
     notice and higher.

     The following subsystems are used by sudoers:

     alias       User_Alias, Runas_Alias, Host_Alias and Cmnd_Alias processing

     all         matches every subsystem

     audit       BSM and Linux audit code

     auth        user authentication

     defaults    sudoers Defaults settings

     env         environment handling

     ldap        LDAP-based sudoers

     logging     logging support

     match       matching of users, groups, hosts and netgroups in sudoers

     netif       network interface handling

     nss         network service switch handling in sudoers

     parser      sudoers file parsing

     perms       permission setting

     plugin      The equivalent of main for the plugin.

     pty         pseudo-tty related code

     rbtree      redblack tree internals

     util        utility functions
FILES
     /etc/sudo.conf            Sudo front end configuration

     /etc/sudoers              List of who can run what

     /etc/group                Local groups file

     /etc/netgroup             List of network groups

     /var/log/sudo-io          I/O log files

     /var/adm/sudo             Directory containing time stamps for the
                               sudoers security policy

     /etc/environment          Initial environment for -i mode on AIX and
                               Linux
1739 E
\bEX
\bXA
\bAM
\bMP
\bPL
\bLE
\bES
\bS
1740 Below are example _
\bs_
\bu_
\bd_
\bo_
\be_
\br_
\bs entries. Admittedly, some of these are a bit
1741 contrived. First, we allow a few environment variables to pass and then
1742 define our _
\ba_
\bl_
\bi_
\ba_
\bs_
\be_
\bs:
1744 # Run X applications through sudo; HOME is used to find the
1745 # .Xauthority file. Note that other programs use HOME to find
1746 # configuration files and this may lead to privilege escalation!
1747 Defaults env_keep += "DISPLAY HOME"
1749 # User alias specification
1750 User_Alias FULLTIMERS = millert, mikef, dowdy
1751 User_Alias PARTTIMERS = bostley, jwfox, crawl
1752 User_Alias WEBMASTERS = will, wendy, wim
1754 # Runas alias specification
1755 Runas_Alias OP = root, operator
1756 Runas_Alias DB = oracle, sybase
1757 Runas_Alias ADMINGRP = adm, oper
1759 # Host alias specification
1760 Host_Alias SPARC = bigtime, eclipse, moet, anchor :\
1761 SGI = grolsch, dandelion, black :\
1762 ALPHA = widget, thalamus, foobar :\
1763 HPPA = boa, nag, python
1764 Host_Alias CUNETS = 128.138.0.0/255.255.0.0
1765 Host_Alias CSNETS = 128.138.243.0, 128.138.204.0/24, 128.138.242.0
1766 Host_Alias SERVERS = master, mail, www, ns
1767 Host_Alias CDROM = orion, perseus, hercules
1769 # Cmnd alias specification
1770 Cmnd_Alias DUMPS = /usr/bin/mt, /usr/sbin/dump, /usr/sbin/rdump,\
1771 /usr/sbin/restore, /usr/sbin/rrestore
1772 Cmnd_Alias KILL = /usr/bin/kill
1773 Cmnd_Alias PRINTING = /usr/sbin/lpc, /usr/bin/lprm
1774 Cmnd_Alias SHUTDOWN = /usr/sbin/shutdown
1775 Cmnd_Alias HALT = /usr/sbin/halt
1776 Cmnd_Alias REBOOT = /usr/sbin/reboot
1777 Cmnd_Alias SHELLS = /usr/bin/sh, /usr/bin/csh, /usr/bin/ksh,\
1778 /usr/local/bin/tcsh, /usr/bin/rsh,\
1780 Cmnd_Alias SU = /usr/bin/su
1781 Cmnd_Alias PAGERS = /usr/bin/more, /usr/bin/pg, /usr/bin/less
1783 Here we override some of the compiled in default values. We want s
\bsu
\bud
\bdo
\bo to
1784 log via syslog(3) using the _
\ba_
\bu_
\bt_
\bh facility in all cases. We don't want to
1785 subject the full time staff to the s
\bsu
\bud
\bdo
\bo lecture, user m
\bmi
\bil
\bll
\ble
\ber
\brt
\bt need not
1786 give a password, and we don't want to reset the LOGNAME, USER or USERNAME
1787 environment variables when running commands as root. Additionally, on
1788 the machines in the _
\bS_
\bE_
\bR_
\bV_
\bE_
\bR_
\bS Host_Alias, we keep an additional local log
1789 file and make sure we log the year in each log line since the log entries
1790 will be kept around for several years. Lastly, we disable shell escapes
1791 for the commands in the PAGERS Cmnd_Alias (_
\b/_
\bu_
\bs_
\br_
\b/_
\bb_
\bi_
\bn_
\b/_
\bm_
\bo_
\br_
\be, _
\b/_
\bu_
\bs_
\br_
\b/_
\bb_
\bi_
\bn_
\b/_
\bp_
\bg and
1792 _
\b/_
\bu_
\bs_
\br_
\b/_
\bb_
\bi_
\bn_
\b/_
\bl_
\be_
\bs_
\bs).
1794 # Override built-in defaults
1795 Defaults syslog=auth
1796 Defaults>root !set_logname
1797 Defaults:FULLTIMERS !lecture
1798 Defaults:millert !authenticate
1799 Defaults@SERVERS log_year, logfile=/var/log/sudo.log
1800 Defaults!PAGERS noexec
The User specification is the part that actually determines who may run

    root ALL = (ALL) ALL
    %wheel ALL = (ALL) ALL

We let root and any user in group wheel run any command on any host as

    FULLTIMERS ALL = NOPASSWD: ALL

Full time sysadmins (millert, mikef, and dowdy) may run any command on
any host without authenticating themselves.

    PARTTIMERS ALL = ALL

Part time sysadmins (bostley, jwfox, and crawl) may run any command on any
host but they must authenticate themselves first (since the entry lacks
The user jack may run any command on the machines in the CSNETS alias
(the networks 128.138.243.0, 128.138.204.0, and 128.138.242.0). Of those
networks, only 128.138.204.0 has an explicit netmask (in CIDR notation)
indicating it is a class C network. For the other networks in CSNETS,
the local machine's netmask will be used during matching.
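Added example (not from the sudoers manual or the sudo source): a Python model of the network matching just described, with the CSNETS entries reconstructed from the text above (the exact alias line is an assumption). It shows how an entry written without a netmask widens or narrows with the netmask of the machine sudo runs on, which is worth auditing when one sudoers file is shared across hosts.

```python
import ipaddress

# Constructed reconstruction of the CSNETS Host_Alias from the description
# above: only 128.138.204.0 carries an explicit (CIDR) netmask.
CSNETS = ["128.138.243.0", "128.138.204.0/24", "128.138.242.0"]


def effective_networks(entries, local_netmask):
    """Resolve Host_Alias network entries to the networks actually matched.

    An entry with an explicit netmask is used as written; an entry without
    one borrows the *local machine's* netmask, as the text states sudoers
    does. Returns the networks in CIDR form so the effect is visible.
    """
    nets = []
    for entry in entries:
        if "/" in entry:
            nets.append(ipaddress.ip_network(entry, strict=False))
        else:
            # strict=False: with a wide local mask the entry has host bits set.
            nets.append(ipaddress.ip_network(f"{entry}/{local_netmask}", strict=False))
    return [str(n) for n in nets]


def host_matches(addr, entries, local_netmask):
    """True if addr falls inside any network of the alias on this machine."""
    ip = ipaddress.ip_address(addr)
    return any(ip in ipaddress.ip_network(n)
               for n in effective_networks(entries, local_netmask))


def implicit_netmask_entries(entries):
    """Audit helper: entries whose reach depends on where sudo is run."""
    return [e for e in entries if "/" not in e]
```

On a class C host the alias covers three /24 networks; on a host whose own netmask is 255.255.0.0 the two unqualified entries silently expand to all of 128.138.0.0/16.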
The user lisa may run any command on any host in the CUNETS alias (the
class B network 128.138.0.0).

    operator ALL = DUMPS, KILL, SHUTDOWN, HALT, REBOOT, PRINTING,\
        sudoedit /etc/printcap, /usr/oper/bin/

The operator user may run commands limited to simple maintenance. Here,
those are commands related to backups, killing processes, the printing
system, shutting down the system, and any commands in the directory
/usr/oper/bin/.

    joe ALL = /usr/bin/su operator

The user joe may only su(1) to operator.

    pete HPPA = /usr/bin/passwd [A-Za-z]*, !/usr/bin/passwd root

    %opers ALL = (: ADMINGRP) /usr/sbin/

Users in the opers group may run commands in /usr/sbin/ as themselves
with any group in the ADMINGRP Runas_Alias (the adm and oper groups).

The user pete is allowed to change anyone's password except for root on
the HPPA machines. Note that this assumes passwd(1) does not take
multiple user names on the command line.

    bob SPARC = (OP) ALL : SGI = (OP) ALL

The user bob may run anything on the SPARC and SGI machines as any user
listed in the OP Runas_Alias (root and operator).

The user jim may run any command on machines in the biglab netgroup.
sudo knows that ``biglab'' is a netgroup due to the `+' prefix.

    +secretaries ALL = PRINTING, /usr/bin/adduser, /usr/bin/rmuser

Users in the secretaries netgroup need to help manage the printers as
well as add and remove users, so they are allowed to run those commands

    fred ALL = (DB) NOPASSWD: ALL

The user fred can run commands as any user in the DB Runas_Alias (oracle
or sybase) without giving a password.

    john ALPHA = /usr/bin/su [!-]*, !/usr/bin/su *root*

On the ALPHA machines, user john may su to anyone except root but he is
not allowed to specify any options to the su(1) command.

    jen ALL, !SERVERS = ALL

The user jen may run any command on any machine except for those in the
SERVERS Host_Alias (master, mail, www and ns).

    jill SERVERS = /usr/bin/, !SU, !SHELLS

For any machine in the SERVERS Host_Alias, jill may run any commands in
the directory /usr/bin/ except for those commands belonging to the SU and
SHELLS Cmnd_Aliases.

    steve CSNETS = (operator) /usr/local/op_commands/

The user steve may run any command in the directory
/usr/local/op_commands/ but only as user operator.

    matt valkyrie = KILL

On his personal workstation, valkyrie, matt needs to be able to kill hung

    WEBMASTERS www = (www) ALL, (root) /usr/bin/su www

On the host www, any user in the WEBMASTERS User_Alias (will, wendy, and
wim) may run any command as user www (which owns the web pages) or
simply su(1) to www.

    ALL CDROM = NOPASSWD: /sbin/umount /CDROM,\
        /sbin/mount -o nosuid,nodev /dev/cd0a /CDROM

Any user may mount or unmount a CD-ROM on the machines in the CDROM
Host_Alias (orion, perseus, hercules) without entering a password. This
is a bit tedious for users to type, so it is a prime candidate for
encapsulating in a shell script.
SECURITY NOTES
Limitations of the `!' operator
It is generally not effective to ``subtract'' commands from ALL using the
`!' operator. A user can trivially circumvent this by copying the
desired command to a different name and then executing that. For

    bill ALL = ALL, !SU, !SHELLS

Doesn't really prevent bill from running the commands listed in SU or
SHELLS since he can simply copy those commands to a different name, or
use a shell escape from an editor or other program. Therefore, these
kinds of restrictions should be considered advisory at best (and
reinforced by policy).

In general, if a user has sudo ALL there is nothing to prevent them from
creating their own program that gives them a root shell (or making their
own copy of a shell) regardless of any `!' elements in the user
Security implications of fast_glob
If the fast_glob option is in use, it is not possible to reliably negate
commands where the path name includes globbing (aka wildcard) characters.
This is because the C library's fnmatch(3) function cannot resolve
relative paths. While this is typically only an inconvenience for rules
that grant privileges, it can result in a security issue for rules that
subtract or revoke privileges.

For example, given the following sudoers entry:

    john ALL = /usr/bin/passwd [a-zA-Z0-9]*, /usr/bin/chsh [a-zA-Z0-9]*,\
        /usr/bin/chfn [a-zA-Z0-9]*, !/usr/bin/* root

User john can still run /usr/bin/passwd root if fast_glob is enabled by
changing to /usr/bin and running ./passwd root instead.
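Added example, not code from the sudo project: a Python model of the two command-matching strategies this subsection contrasts, run over the john entry above. Plain paths are compared by device/inode, fast_glob compares the typed name as a string with fnmatch, and the default glob(3) path (assumed here to compare each expansion by device/inode) is what lets the negated rule still apply to ./passwd; the FILES table and its inode numbers are constructed.

```python
import fnmatch
import posixpath

# Constructed stand-in for the file system: path -> (st_dev, st_ino) as
# stat(2) would report. This models the matching the text describes; it is
# not sudo's own code.
FILES = {"/usr/bin/passwd": (8, 4242), "/usr/bin/chsh": (8, 4243),
         "/usr/bin/chfn": (8, 4244), "/usr/bin/su": (8, 4250)}

# The john entry from the text as (negated, command pattern, argument pattern).
JOHN_RULES = [
    (False, "/usr/bin/passwd", "[a-zA-Z0-9]*"),
    (False, "/usr/bin/chsh", "[a-zA-Z0-9]*"),
    (False, "/usr/bin/chfn", "[a-zA-Z0-9]*"),
    (True, "/usr/bin/*", "root"),
]


def _stat(path, cwd):
    """stat(2) of the command as typed; relative names resolve against cwd."""
    return FILES.get(posixpath.normpath(posixpath.join(cwd, path)))


def _cmnd_matches(pattern, typed, cwd, fast_glob):
    if not any(c in pattern for c in "*?["):
        # Plain path: compared by device/inode, so ./passwd run from
        # /usr/bin is the same file as /usr/bin/passwd.
        return _stat(pattern, "/") == _stat(typed, cwd)
    if fast_glob:
        # fast_glob: a pure fnmatch(3) string comparison. "./passwd" can
        # never match "/usr/bin/*", so a negated glob silently stops applying.
        return fnmatch.fnmatchcase(typed, pattern)
    # Default: glob(3) expands the pattern against the file system and each
    # expansion is compared by device/inode, so relative names are caught.
    return any(_stat(p, "/") == _stat(typed, cwd)
               for p in FILES if fnmatch.fnmatchcase(p, pattern))


def allowed(rules, typed, args, cwd, fast_glob):
    """Evaluate a user's rule list; the last matching rule wins, as in sudoers."""
    verdict = False
    for negated, cmnd, argpat in rules:
        if (_cmnd_matches(cmnd, typed, cwd, fast_glob)
                and fnmatch.fnmatchcase(args, argpat)):
            verdict = not negated
    return verdict
```

Only the combination of fast_glob and a relative name lets the positive passwd rule match while the negation does not; the defensive fix the surrounding text points to is not to rely on negated globs at all.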
Preventing shell escapes
Once sudo executes a program, that program is free to do whatever it
pleases, including run other programs. This can be a security issue
since it is not uncommon for a program to allow shell escapes, which lets
a user bypass sudo's access control and logging. Common programs that
permit shell escapes include shells (obviously), editors, paginators,
mail and terminal programs.

There are two basic approaches to this problem:

restrict  Avoid giving users access to commands that allow the user to
          run arbitrary commands. Many editors have a restricted mode
          where shell escapes are disabled, though sudoedit is a better
          solution to running editors via sudo. Due to the large number
          of programs that offer shell escapes, restricting users to the
          set of programs that do not is often unworkable.

noexec    Many systems that support shared libraries have the ability to
          override default library functions by pointing an environment
          variable (usually LD_PRELOAD) to an alternate shared library.
          On such systems, sudo's noexec functionality can be used to
          prevent a program run by sudo from executing any other
          programs. Note, however, that this applies only to native
          dynamically-linked executables. Statically-linked executables
          and foreign executables running under binary emulation are not

          The noexec feature is known to work on SunOS, Solaris, *BSD,
          Linux, IRIX, Tru64 UNIX, MacOS X, HP-UX 11.x and AIX 5.3 and
          above. It should be supported on most operating systems that
          support the LD_PRELOAD environment variable. Check your
          operating system's manual pages for the dynamic linker (usually
          ld.so, ld.so.1, dyld, dld.sl, rld, or loader) to see if
          LD_PRELOAD is supported.

          On Solaris 10 and higher, noexec uses Solaris privileges
          instead of the LD_PRELOAD environment variable.

          To enable noexec for a command, use the NOEXEC tag as
          documented in the User Specification section above. Here is

              aaron shanty = NOEXEC: /usr/bin/more, /usr/bin/vi

          This allows user aaron to run /usr/bin/more and /usr/bin/vi
          with noexec enabled. This will prevent those two commands from
          executing other commands (such as a shell). If you are unsure
          whether or not your system is capable of supporting noexec you
          can always just try it out and check whether shell escapes work
          when noexec is enabled.

Note that restricting shell escapes is not a panacea. Programs running
as root are still capable of many potentially hazardous operations (such
as changing or overwriting files) that could lead to unintended privilege
escalation. In the specific case of an editor, a safer approach is to
give the user permission to run sudoedit.
Time stamp file checks
sudoers will check the ownership of its time stamp directory
(/var/adm/sudo by default) and ignore the directory's contents if it is
not owned by root or if it is writable by a user other than root. On
systems that allow non-root users to give away files via chown(2), if the
time stamp directory is located in a world-writable directory (e.g.,
/tmp), it is possible for a user to create the time stamp directory
before sudo is run. However, because sudoers checks the ownership and
mode of the directory and its contents, the only damage that can be done
is to ``hide'' files by putting them in the time stamp dir. This is
unlikely to happen since once the time stamp dir is owned by root and
inaccessible by any other user, the user placing files there would be
unable to get them back out.

sudoers will not honor time stamps set far in the future. Time stamps
with a date greater than current_time + 2 * TIMEOUT will be ignored and
sudo will log and complain. This is done to keep a user from creating
his/her own time stamp with a bogus date on systems that allow users to
give away files if the time stamp directory is located in a world-

On systems where the boot time is available, sudoers will ignore time
stamps that date from before the machine booted.

Since time stamp files live in the file system, they can outlive a user's
login session. As a result, a user may be able to login, run a command
with sudo after authenticating, logout, login again, and run sudo without
authenticating so long as the time stamp file's modification time is
within 5 minutes (or whatever the timeout is set to in sudoers). When
the tty_tickets option is enabled, the time stamp has per-tty granularity
but still may outlive the user's session. On Linux systems where the
devpts filesystem is used, Solaris systems with the devices filesystem,
as well as other systems that utilize a devfs filesystem that
monotonically increases the inode number of devices as they are created
(such as Mac OS X), sudoers is able to determine when a tty-based time
stamp file is stale and will ignore it. Administrators should not rely
on this feature as it is not universally available.
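Added example, not the sudo project's code: the time stamp validity rules from this subsection (directory ownership and mode, the timeout, the current_time + 2 * TIMEOUT ceiling, and the boot-time floor) as one Python check. The stat(2) fields and epoch times are constructed values supplied by the caller.

```python
import stat
from collections import namedtuple

# Constructed stand-in for the stat(2) fields the check consults.
StatInfo = namedtuple("StatInfo", "st_uid st_mode st_mtime")

DEFAULT_TIMEOUT = 5 * 60  # sudoers default of 5 minutes, in seconds


def timestamp_dir_usable(dir_info):
    """Contents count only if the directory is owned by root and is not
    writable by group or others (the ownership/mode check described above)."""
    return dir_info.st_uid == 0 and not dir_info.st_mode & (stat.S_IWGRP | stat.S_IWOTH)


def timestamp_state(ts_mtime, now, timeout=DEFAULT_TIMEOUT, boot_time=None):
    """Classify one time stamp: 'preboot' (older than the last boot, where
    boot time is known), 'future' (beyond now + 2*TIMEOUT; sudo logs and
    complains), 'expired' (older than the timeout) or 'valid'."""
    if boot_time is not None and ts_mtime < boot_time:
        return "preboot"
    if ts_mtime > now + 2 * timeout:
        return "future"
    if now - ts_mtime > timeout:
        return "expired"
    return "valid"


def must_authenticate(dir_info, ts_mtime, now, timeout=DEFAULT_TIMEOUT, boot_time=None):
    """The password prompt is skipped only when the directory passes the
    ownership/mode check and the stamp itself is valid."""
    if not timestamp_dir_usable(dir_info):
        return True
    return timestamp_state(ts_mtime, now, timeout, boot_time) != "valid"
```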
SEE ALSO
ssh(1), su(1), fnmatch(3), glob(3), mktemp(3), strftime(3),
sudoers.ldap(4), sudo_plugin(1m), sudo(1m), visudo(1m)

CAVEATS
The sudoers file should always be edited by the visudo command which
locks the file and does grammatical checking. It is imperative that
sudoers be free of syntax errors since sudo will not run with a
syntactically incorrect sudoers file.

When using netgroups of machines (as opposed to users), if you store
fully qualified host names in the netgroup (as is usually the case), you
either need to have the machine's host name be fully qualified as
returned by the hostname command or use the fqdn option in sudoers.

If you feel you have found a bug in sudo, please submit a bug report at
http://www.sudo.ws/sudo/bugs/

SUPPORT
Limited free support is available via the sudo-users mailing list, see
http://www.sudo.ws/mailman/listinfo/sudo-users to subscribe or search the

DISCLAIMER
sudo is provided ``AS IS'' and any express or implied warranties,
including, but not limited to, the implied warranties of merchantability
and fitness for a particular purpose are disclaimed. See the LICENSE
file distributed with sudo or http://www.sudo.ws/sudo/license.html for

Sudo 1.8.6 July 16, 2012 Sudo 1.8.6