SUDOERS(4)                   MAINTENANCE COMMANDS                   SUDOERS(4)

       sudoers - default sudo security policy module

DESCRIPTION
       The sudoers policy module determines a user's sudo privileges. It is
       the default sudo policy plugin. The policy is driven by the
       /etc/sudoers file or, optionally, in LDAP. The policy format is
       described in detail in the "SUDOERS FILE FORMAT" section. For
       information on storing sudoers policy information in LDAP, please see
       sudoers.ldap(4).
   Authentication and Logging
       The sudoers security policy requires that most users authenticate
       themselves before they can use sudo. A password is not required if the
       invoking user is root, if the target user is the same as the invoking
       user, or if the policy has disabled authentication for the user or
       command. Unlike su(1), when sudoers requires authentication, it
       validates the invoking user's credentials, not the target user's (or
       root's) credentials. This can be changed via the rootpw, targetpw and
       runaspw flags, described later.

       If a user who is not listed in the policy tries to run a command via
       sudo, mail is sent to the proper authorities. The address used for
       such mail is configurable via the mailto Defaults entry (described
       later) and defaults to root.

       Note that mail will not be sent if an unauthorized user tries to run
       sudo with the -l or -v option. This allows users to determine for
       themselves whether or not they are allowed to use sudo.

       If sudo is run by root and the SUDO_USER environment variable is set,
       the sudoers policy will use this value to determine who the actual user
       is. This can be used by a user to log commands through sudo even when
       a root shell has been invoked. It also allows the -e option to remain
       useful even when invoked via a sudo-run script or program. Note,
       however, that the sudoers lookup is still done for root, not the user
       specified by SUDO_USER.

       sudoers uses time stamp files for credential caching. Once a user has
       been authenticated, a time stamp is updated and the user may then use
       sudo without a password for a short period of time (5 minutes unless
       overridden by the timeout option). By default, sudoers uses a tty-based
       time stamp, which means that there is a separate time stamp for each of
       a user's login sessions. The tty_tickets option can be disabled to
       force the use of a single time stamp for all of a user's sessions.

       sudoers can log both successful and unsuccessful attempts (as well as
       errors) to syslog(3), a log file, or both. By default, sudoers will
       log via syslog(3) but this is changeable via the syslog and logfile

       sudoers also supports logging a command's input and output streams.
       I/O logging is not on by default but can be enabled using the log_input
       and log_output Defaults flags as well as the LOG_INPUT and LOG_OUTPUT
   Command Environment
       Since environment variables can influence program behavior, sudoers
       provides a means to restrict which variables from the user's
       environment are inherited by the command to be run. There are two
       distinct ways sudoers can deal with environment variables.

       By default, the env_reset option is enabled. This causes commands to
       be executed with a new, minimal environment. On AIX (and Linux systems
       without PAM), the environment is initialized with the contents of the
       /etc/environment file. On BSD systems, if the use_loginclass option is
       enabled, the environment is initialized based on the path and setenv
       settings in /etc/login.conf. The new environment contains the TERM,
       PATH, HOME, MAIL, SHELL, LOGNAME, USER, USERNAME and SUDO_* variables
       in addition to variables from the invoking process permitted by the
       env_check and env_keep options. This is effectively a whitelist for
       environment variables.

       If, however, the env_reset option is disabled, any variables not
       explicitly denied by the env_check and env_delete options are inherited
       from the invoking process. In this case, env_check and env_delete
       behave like a blacklist. Since it is not possible to blacklist all
       potentially dangerous environment variables, use of the default
       env_reset behavior is encouraged.

       In all cases, environment variables with a value beginning with () are
       removed as they could be interpreted as bash functions. The list of
       environment variables that sudo allows or denies is contained in the
       output of sudo -V when run as root.
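The difference between the whitelist and the blacklist mode is easiest to see by running both over the same environment. The following Python model is an added example written for this page, not code from the sudo project. The sample environment and the env_keep, env_check and env_delete lists are constructed (on a real system the lists are whatever sudo -V prints when run as root); the value test applied to env_check variables, that a value must contain neither '%' nor '/', is the rule the env_check option documents in the "SUDOERS OPTIONS" section; and the model ignores the variables sudo sets afresh from the target user's password entry.

```python
import fnmatch

# Constructed sample environment (not from the page): benign variables, a
# loader-control variable, a value that looks like an exported bash
# function, and two variables that no list mentions at all.
SAMPLE_ENV = {
    "PATH": "/usr/bin:/bin",
    "HOME": "/home/alice",
    "TERM": "xterm",
    "LANG": "en_US.UTF-8",
    "COLORTERM": "truecolor/24bit",   # checked variable whose value contains '/'
    "LD_PRELOAD": "/tmp/libexample.so",
    "MY_FUNC": "() { echo hello; }",  # exported bash function
    "EDITOR": "/usr/bin/vi",          # on no list
    "PERL5LIB": "/home/alice/lib",    # on no list
}

# Constructed Defaults lists; the real ones are in the output of `sudo -V`.
ENV_KEEP = ["PATH", "HOME", "TERM", "LANG"]
ENV_CHECK = ["COLORTERM", "TZ"]
ENV_DELETE = ["LD_*", "PYTHONPATH", "PS1"]   # wildcard patterns are allowed


def _listed(name, patterns):
    return any(fnmatch.fnmatchcase(name, p) for p in patterns)


def _passes_check(value):
    # env_check rule (SUDOERS OPTIONS): the value must contain no '%' or '/'.
    return "%" not in value and "/" not in value


def filter_environment(env, env_reset, env_keep=ENV_KEEP,
                       env_check=ENV_CHECK, env_delete=ENV_DELETE):
    """Return the variables a command inherits from `env`.

    env_reset enabled  -> whitelist: only env_keep names survive, plus
                          env_check names whose values pass the check.
    env_reset disabled -> blacklist: env_delete names are dropped, as are
                          env_check names whose values fail the check;
                          everything else passes through untouched.
    In both modes a value beginning with "()" is dropped (bash function).
    """
    inherited = {}
    for name, value in env.items():
        if value.startswith("()"):
            continue
        if env_reset:
            if _listed(name, env_keep):
                inherited[name] = value
            elif _listed(name, env_check) and _passes_check(value):
                inherited[name] = value
        else:
            if _listed(name, env_delete):
                continue
            if _listed(name, env_check) and not _passes_check(value):
                continue
            inherited[name] = value
    return inherited


def blacklist_leakage(env):
    """Names that survive only because the blacklist does not mention them,
    which is the page's reason for recommending the env_reset default."""
    reset = filter_environment(env, env_reset=True)
    no_reset = filter_environment(env, env_reset=False)
    return sorted(set(no_reset) - set(reset))


if __name__ == "__main__":
    print("env_reset on :", sorted(filter_environment(SAMPLE_ENV, True)))
    print("env_reset off:", sorted(filter_environment(SAMPLE_ENV, False)))
    print("let through by the blacklist:", blacklist_leakage(SAMPLE_ENV))
```

Running it shows that env_reset leaves only the four env_keep names, while the blacklist mode lets EDITOR and PERL5LIB through simply because no list names them; the LD_PRELOAD, COLORTERM and function-valued entries are dropped in both modes.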
       Note that the dynamic linker on most operating systems will remove
       variables that can control dynamic linking from the environment of
       setuid executables, including sudo. Depending on the operating system
       this may include _RLD*, DYLD_*, LD_*, LDR_*, LIBPATH, SHLIB_PATH, and
       others. These types of variables are removed from the environment
       before sudo even begins execution and, as such, it is not possible for
       sudo to preserve them.

       As a special case, if sudo's -i option (initial login) is specified,
       sudoers will initialize the environment regardless of the value of
       env_reset. The DISPLAY, PATH and TERM variables remain unchanged;
       HOME, MAIL, SHELL, USER, and LOGNAME are set based on the target user.
       On AIX (and Linux systems without PAM), the contents of
       /etc/environment are also included. On BSD systems, if the
       use_loginclass option is enabled, the path and setenv variables in
       /etc/login.conf are also applied. All other environment variables are

       Finally, if the env_file option is defined, any variables present in
       that file will be set to their specified values as long as they would
       not conflict with an existing environment variable.
SUDOERS FILE FORMAT
       The sudoers file is composed of two types of entries: aliases
       (basically variables) and user specifications (which specify who may

       When multiple entries match for a user, they are applied in order.
       Where there are multiple matches, the last match is used (which is not
       necessarily the most specific match).

       The sudoers grammar will be described below in Extended Backus-Naur
       Form (EBNF). Don't despair if you don't know what EBNF is; it is
       fairly simple, and the definitions below are annotated.

   Quick guide to EBNF
       EBNF is a concise and exact way of describing the grammar of a
       language. Each EBNF definition is made up of production rules. E.g.,

           symbol ::= definition | alternate1 | alternate2 ...

       Each production rule references others and thus makes up a grammar for
       the language. EBNF also contains the following operators, which many
       readers will recognize from regular expressions. Do not, however,
       confuse them with "wildcard" characters, which have different meanings.

       ?   Means that the preceding symbol (or group of symbols) is optional.
           That is, it may appear once or not at all.

       *   Means that the preceding symbol (or group of symbols) may appear

       +   Means that the preceding symbol (or group of symbols) may appear

       Parentheses may be used to group symbols together. For clarity, we
       will use single quotes ('') to designate what is a verbatim character
       string (as opposed to a symbol name).
   Aliases
       There are four kinds of aliases: User_Alias, Runas_Alias, Host_Alias

           Alias ::= 'User_Alias'  User_Alias (':' User_Alias)* |
                     'Runas_Alias' Runas_Alias (':' Runas_Alias)* |
                     'Host_Alias'  Host_Alias (':' Host_Alias)* |
                     'Cmnd_Alias'  Cmnd_Alias (':' Cmnd_Alias)*

           User_Alias ::= NAME '=' User_List

           Runas_Alias ::= NAME '=' Runas_List

           Host_Alias ::= NAME '=' Host_List

           Cmnd_Alias ::= NAME '=' Cmnd_List

           NAME ::= [A-Z]([A-Z][0-9]_)*

       Each alias definition is of the form

           Alias_Type NAME = item1, item2, ...

       where Alias_Type is one of User_Alias, Runas_Alias, Host_Alias, or
       Cmnd_Alias. A NAME is a string of uppercase letters, numbers, and
       underscore characters ('_'). A NAME must start with an uppercase
       letter. It is possible to put several alias definitions of the same
       type on a single line, joined by a colon (':'). E.g.,

           Alias_Type NAME = item1, item2, item3 : NAME = item4, item5

       The definitions of what constitutes a valid alias member follow.

           User ::= '!'* user name |
                    '!'* %:nonunix_group |
                    '!'* %:#nonunix_gid |

       A User_List is made up of one or more user names, user ids (prefixed
       with '#'), system group names and ids (prefixed with '%' and '%#'
       respectively), netgroups (prefixed with '+'), non-Unix group names and
       IDs (prefixed with '%:' and '%:#' respectively) and User_Aliases. Each
       list item may be prefixed with zero or more '!' operators. An odd
       number of '!' operators negates the value of the item; an even number
       just cancels out.

       A user name, uid, group, gid, netgroup, nonunix_group or nonunix_gid
       may be enclosed in double quotes to avoid the need for escaping special
       characters. Alternately, special characters may be specified in
       escaped hex mode, e.g. \x20 for space. When using double quotes, any
       prefix characters must be included inside the quotes.

       The actual nonunix_group and nonunix_gid syntax depends on the
       underlying group provider plugin (see the group_plugin description
       below). For instance, the QAS AD plugin supports the following

       o   Group in the same domain: "Group Name"

       o   Group in any domain: "Group Name@FULLY.QUALIFIED.DOMAIN"

       o   Group SID: "S-1-2-34-5678901234-5678901234-5678901234-567"

       Note that quotes around group names are optional. Unquoted strings
       must use a backslash (\) to escape spaces and special characters. See
       "Other special characters and reserved words" for a list of characters
       that need to be escaped.
           Runas_List ::= Runas_Member |
                          Runas_Member ',' Runas_List

           Runas_Member ::= '!'* user name |
                            '!'* %:nonunix_group |
                            '!'* %:#nonunix_gid |

       A Runas_List is similar to a User_List except that instead of
       User_Aliases it can contain Runas_Aliases. Note that user names and
       groups are matched as strings. In other words, two users (groups) with
       the same uid (gid) are considered to be distinct. If you wish to match
       all user names with the same uid (e.g. root and toor), you can use a
       uid instead (#0 in the example given).

           Host ::= '!'* host name |
                    '!'* network(/netmask)? |

       A Host_List is made up of one or more host names, IP addresses, network
       numbers, netgroups (prefixed with '+') and other aliases. Again, the
       value of an item may be negated with the '!' operator. If you do not
       specify a netmask along with the network number, sudo will query each
       of the local host's network interfaces and, if the network number
       corresponds to one of the host's network interfaces, the corresponding
       netmask will be used. The netmask may be specified either in standard
       IP address notation (e.g. 255.255.255.0 or ffff:ffff:ffff:ffff::), or
       CIDR notation (number of bits, e.g. 24 or 64). A host name may include
       shell-style wildcards (see the Wildcards section below), but unless the
       host name command on your machine returns the fully qualified host
       name, you'll need to use the fqdn option for wildcards to be useful.
       Note that sudo only inspects actual network interfaces; this means that
       IP address 127.0.0.1 (localhost) will never match. Also, the host name
       "localhost" will only match if that is the actual host name, which is
       usually only the case for non-networked systems.
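Matching a Host_List item against the local host, as an added example that is not part of the page or of sudo itself. It handles the forms the text describes: negation with '!', host names with shell-style wildcards, plain addresses, and network numbers with a CIDR bit count, a dotted or colon-form netmask, or no netmask at all (in which case the mask of the local interface on that network is borrowed). The interface list passed in is constructed and, as the page says sudo does, contains only real interfaces, so 127.0.0.1 never matches; netgroups are left unimplemented because they need an external lookup.

```python
import fnmatch
import ipaddress


def parse_host_item(item):
    """Split a Host_List item into (negated, spec): an odd number of leading
    '!' negates the item, an even number cancels out."""
    bangs = len(item) - len(item.lstrip("!"))
    return bangs % 2 == 1, item[bangs:]


def _prefixlen(mask, width):
    """Accept CIDR bit counts ('24', '64') as well as dotted or colon-form
    netmasks ('255.255.255.0', 'ffff:ffff:ffff:ffff::'), as the page allows."""
    if mask.isdigit():
        return int(mask)
    bits = int(ipaddress.ip_address(mask))
    ones = bin(bits).count("1")
    if bits != (1 << width) - (1 << (width - ones)):
        raise ValueError(f"non-contiguous netmask: {mask}")
    return ones


def _network_matches(spec, iface):
    """Does the interface ('addr/prefix' string) fall inside `spec`?"""
    addr = ipaddress.ip_interface(iface)
    net_str, _, mask = spec.partition("/")
    net_ip = ipaddress.ip_address(net_str)
    if net_ip.version != addr.version:
        return False
    if mask:
        plen = _prefixlen(mask, addr.max_prefixlen)
        net = ipaddress.ip_network(f"{net_ip}/{plen}", strict=False)
    elif net_ip == addr.ip:
        return True                     # a plain address matches itself
    elif addr.network.network_address == net_ip:
        net = addr.network              # bare network number: borrow the interface's mask
    else:
        return False
    return addr.ip in net


def host_matches(item, hostname, interfaces):
    """Evaluate one Host_List item against this host.

    `hostname` is what the host name command returns (set the fqdn option if
    you expect '*.example.com' to match); `interfaces` are the host's real
    interface addresses with prefix lengths, loopback excluded, because the
    page says sudo only inspects actual network interfaces.
    """
    negated, spec = parse_host_item(item)
    if spec.startswith("+"):
        raise NotImplementedError("netgroups require an NIS/netgroup lookup")
    try:
        ipaddress.ip_address(spec.partition("/")[0])
    except ValueError:                  # not an address: a (wildcard) host name
        matched = fnmatch.fnmatchcase(hostname, spec)
    else:
        matched = any(_network_matches(spec, i) for i in interfaces)
    return matched != negated


if __name__ == "__main__":
    # Constructed interface list for a host named "boulder".
    ifaces = ["192.168.1.7/24", "10.20.30.5/16", "2001:db8:1:2::5/64"]
    for item in ["192.168.1.0/255.255.255.0", "10.20.0.0", "!10.20.0.0/16",
                 "127.0.0.1", "boul*", "*.example.com"]:
        print(f"{item:28} {host_matches(item, 'boulder', ifaces)}")
```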
           commandname ::= file name |

           Cmnd ::= '!'* commandname |

       A Cmnd_List is a list of one or more commandnames, directories, and
       other aliases. A commandname is a fully qualified file name which may
       include shell-style wildcards (see the Wildcards section below). A
       simple file name allows the user to run the command with any arguments
       he/she wishes. However, you may also specify command line arguments
       (including wildcards). Alternately, you can specify "" to indicate
       that the command may only be run without command line arguments. A
       directory is a fully qualified path name ending in a '/'. When you
       specify a directory in a Cmnd_List, the user will be able to run any
       file within that directory (but not in any subdirectories therein).

       If a Cmnd has associated command line arguments, then the arguments in
       the Cmnd must match exactly those given by the user on the command line
       (or match the wildcards if there are any). Note that the following
       characters must be escaped with a '\' if they are used in command
       arguments: ',', ':', '=', '\'. The special command "sudoedit" is used
       to permit a user to run sudo with the -e option (or as sudoedit). It
       may take command line arguments just as a normal command does.
   Defaults
       Certain configuration options may be changed from their default values
       at runtime via one or more Default_Entry lines. These may affect all
       users on any host, all users on a specific host, a specific user, a
       specific command, or commands being run as a specific user. Note that
       per-command entries may not include command line arguments. If you
       need to specify arguments, define a Cmnd_Alias and reference that

           Default_Type ::= 'Defaults' |
                            'Defaults' '@' Host_List |
                            'Defaults' ':' User_List |
                            'Defaults' '!' Cmnd_List |
                            'Defaults' '>' Runas_List

           Default_Entry ::= Default_Type Parameter_List

           Parameter_List ::= Parameter |
                              Parameter ',' Parameter_List

           Parameter ::= Parameter '=' Value |
                         Parameter '+=' Value |
                         Parameter '-=' Value |

       Parameters may be flags, integer values, strings, or lists. Flags are
       implicitly boolean and can be turned off via the '!' operator. Some
       integer, string and list parameters may also be used in a boolean
       context to disable them. Values may be enclosed in double quotes (")
       when they contain multiple words. Special characters may be escaped
       with a backslash (\).

       Lists have two additional assignment operators, += and -=. These
       operators are used to add to and delete from a list respectively. It
       is not an error to use the -= operator to remove an element that does

       Defaults entries are parsed in the following order: generic, host and
       user Defaults first, then runas Defaults and finally command defaults.

       See "SUDOERS OPTIONS" for a list of supported Defaults parameters.
   User Specification
           User_Spec ::= User_List Host_List '=' Cmnd_Spec_List \
                         (':' Host_List '=' Cmnd_Spec_List)*

           Cmnd_Spec_List ::= Cmnd_Spec |
                              Cmnd_Spec ',' Cmnd_Spec_List

           Cmnd_Spec ::= Runas_Spec? SELinux_Spec? Tag_Spec* Cmnd

           Runas_Spec ::= '(' Runas_List? (':' Runas_List)? ')'

           SELinux_Spec ::= ('ROLE=role' | 'TYPE=type')

           Tag_Spec ::= ('NOPASSWD:' | 'PASSWD:' | 'NOEXEC:' | 'EXEC:' |
                         'SETENV:' | 'NOSETENV:' | 'LOG_INPUT:' | 'NOLOG_INPUT:' |
                         'LOG_OUTPUT:' | 'NOLOG_OUTPUT:')

       A user specification determines which commands a user may run (and as
       what user) on specified hosts. By default, commands are run as root,
       but this can be changed on a per-command basis.

       The basic structure of a user specification is `who where = (as_whom)
       what'. Let's break that down into its constituent parts:
   Runas_Spec
       A Runas_Spec determines the user and/or the group that a command may be
       run as. A fully-specified Runas_Spec consists of two Runas_Lists (as
       defined above) separated by a colon (':') and enclosed in a set of
       parentheses. The first Runas_List indicates which users the command
       may be run as via sudo's -u option. The second defines a list of
       groups that can be specified via sudo's -g option. If both Runas_Lists
       are specified, the command may be run with any combination of users and
       groups listed in their respective Runas_Lists. If only the first is
       specified, the command may be run as any user in the list but no -g
       option may be specified. If the first Runas_List is empty but the
       second is specified, the command may be run as the invoking user with
       the group set to any listed in the Runas_List. If no Runas_Spec is
       specified the command may be run as root and no group may be specified.

       A Runas_Spec sets the default for the commands that follow it. What
       this means is that for the entry:

           dgb boulder = (operator) /bin/ls, /bin/kill, /usr/bin/lprm

       The user dgb may run /bin/ls, /bin/kill, and /usr/bin/lprm -- but only
       as operator. E.g.,

           $ sudo -u operator /bin/ls

       It is also possible to override a Runas_Spec later on in an entry. If
       we modify the entry like so:

           dgb boulder = (operator) /bin/ls, (root) /bin/kill, /usr/bin/lprm

       Then user dgb is now allowed to run /bin/ls as operator, but /bin/kill
       and /usr/bin/lprm as root.

       We can extend this to allow dgb to run /bin/ls with either the user or
       group set to operator:

           dgb boulder = (operator : operator) /bin/ls, (root) /bin/kill, \

       Note that while the group portion of the Runas_Spec permits the user to
       run a command with that group, it does not force the user to do so.
       If no group is specified on the command line, the command will run with
       the group listed in the target user's password database entry. The
       following would all be permitted by the sudoers entry above:

           $ sudo -u operator /bin/ls
           $ sudo -u operator -g operator /bin/ls
           $ sudo -g operator /bin/ls

       In the following example, user tcm may run commands that access a modem
       device file with the dialer group.

           tcm boulder = (:dialer) /usr/bin/tip, /usr/bin/cu, \
                         /usr/local/bin/minicom

       Note that in this example only the group will be set; the command still
       runs as user tcm. E.g.

           $ sudo -g dialer /usr/bin/cu

       Multiple users and groups may be present in a Runas_Spec, in which case
       the user may select any combination of users and groups via the -u and
       -g options. In this example:

           alan ALL = (root, bin : operator, system) ALL

       user alan may run any command as either user root or bin, optionally
       setting the group to operator or system.
   SELinux_Spec
       On systems with SELinux support, sudoers entries may optionally have an
       SELinux role and/or type associated with a command. If a role or type
       is specified with the command it will override any default values
       specified in sudoers. A role or type specified on the command line,
       however, will supersede the values in sudoers.
   Tag_Spec
       A command may have zero or more tags associated with it. There are
       eight possible tag values, NOPASSWD, PASSWD, NOEXEC, EXEC, SETENV,
       NOSETENV, LOG_INPUT, NOLOG_INPUT, LOG_OUTPUT and NOLOG_OUTPUT. Once a
       tag is set on a Cmnd, subsequent Cmnds in the Cmnd_Spec_List inherit
       the tag unless it is overridden by the opposite tag (i.e.: PASSWD
       overrides NOPASSWD and NOEXEC overrides EXEC).

       NOPASSWD and PASSWD

       By default, sudo requires that a user authenticate him or herself
       before running a command. This behavior can be modified via the
       NOPASSWD tag. Like a Runas_Spec, the NOPASSWD tag sets a default for
       the commands that follow it in the Cmnd_Spec_List. Conversely, the
       PASSWD tag can be used to reverse things. For example:

           ray rushmore = NOPASSWD: /bin/kill, /bin/ls, /usr/bin/lprm

       would allow the user ray to run /bin/kill, /bin/ls, and /usr/bin/lprm
       as root on the machine rushmore without authenticating himself. If we
       only want ray to be able to run /bin/kill without a password the entry

           ray rushmore = NOPASSWD: /bin/kill, PASSWD: /bin/ls, /usr/bin/lprm

       Note, however, that the PASSWD tag has no effect on users who are in
       the group specified by the exempt_group option.

       By default, if the NOPASSWD tag is applied to any of the entries for a
       user on the current host, he or she will be able to run sudo -l without
       a password. Additionally, a user may only run sudo -v without a
       password if the NOPASSWD tag is present for all a user's entries that
       pertain to the current host. This behavior may be overridden via the
       verifypw and listpw options.
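A Cmnd_Spec_List is evaluated left to right, with the Runas_Spec and the tags each carrying forward to the commands that follow until overridden, and across entries the last match wins. The following Python evaluator is an added example for this page (not sudo's own parser) that implements exactly those rules for the dgb, ray, tcm and alan entries shown above. It assumes one user and one host per line, exact comparison of user, host and command (no aliases, netgroups, wildcards or Defaults), and it reads runas_user and runas_group as sudo's -u and -g options.

```python
import re

# Opposite-tag pairs: setting one clears the other in the inherited set.
OPPOSITE = {"NOPASSWD": "PASSWD", "PASSWD": "NOPASSWD",
            "NOEXEC": "EXEC", "EXEC": "NOEXEC",
            "SETENV": "NOSETENV", "NOSETENV": "SETENV",
            "LOG_INPUT": "NOLOG_INPUT", "NOLOG_INPUT": "LOG_INPUT",
            "LOG_OUTPUT": "NOLOG_OUTPUT", "NOLOG_OUTPUT": "LOG_OUTPUT"}

# Optional Runas_Spec in parentheses, zero or more 'TAG:' words, then the Cmnd.
SPEC_RE = re.compile(r"^(?:\(([^)]*)\))?\s*((?:[A-Z_]+:\s*)*)(.*)$")


def _split_cmnd_specs(text):
    """Split a Cmnd_Spec_List on commas, ignoring commas inside a Runas_Spec."""
    parts, depth, cur = [], 0, []
    for ch in text:
        depth += (ch == "(") - (ch == ")")
        if ch == "," and depth == 0:
            parts.append("".join(cur).strip())
            cur = []
        else:
            cur.append(ch)
    parts.append("".join(cur).strip())
    return parts


def _split_list(text):
    return [t.strip() for t in text.split(",") if t.strip()]


def parse_user_spec(line):
    """Expand one 'user host = Cmnd_Spec_List' line into fully resolved
    Cmnd_Specs, carrying the Runas_Spec and the tags forward across commas."""
    lhs, _, rhs = line.partition("=")
    user, host = lhs.split()
    runas_users, runas_groups = ["root"], []    # no Runas_Spec: root, no -g
    tags = set()
    resolved = []
    for spec in _split_cmnd_specs(rhs):
        m = SPEC_RE.match(spec)
        runas_txt, tag_txt, cmd = m.group(1), m.group(2), m.group(3).strip()
        if runas_txt is not None:                 # a new Runas_Spec resets both lists
            users, _, groups = runas_txt.partition(":")
            runas_users, runas_groups = _split_list(users), _split_list(groups)
        for tag in re.findall(r"[A-Z_]+(?=:)", tag_txt):
            tags.discard(OPPOSITE[tag])           # the opposite tag overrides
            tags.add(tag)
        resolved.append({"user": user, "host": host, "cmd": cmd,
                         "runas_users": list(runas_users),
                         "runas_groups": list(runas_groups),
                         "tags": set(tags)})
    return resolved


def lookup(specs, user, host, cmd, runas_user=None, runas_group=None):
    """Return the last matching Cmnd_Spec (the page: the last match wins,
    which is not necessarily the most specific one), or None.

    runas_user/runas_group mirror sudo's -u/-g: with -g alone the command
    runs as the invoking user, with neither option it runs as root.
    """
    if runas_user is None:
        runas_user = user if runas_group else "root"
    match = None
    for s in specs:
        if s["user"] not in (user, "ALL") or s["host"] not in (host, "ALL"):
            continue
        if s["cmd"] not in (cmd, "ALL"):
            continue
        users = s["runas_users"] or [user]       # empty first list: invoking user
        if runas_user not in users and "ALL" not in users:
            continue
        if runas_group and runas_group not in s["runas_groups"] \
                and "ALL" not in s["runas_groups"]:
            continue
        match = s
    return match


if __name__ == "__main__":
    entry = "ray rushmore = NOPASSWD: /bin/kill, PASSWD: /bin/ls, /usr/bin/lprm"
    for s in parse_user_spec(entry):
        print(s["cmd"], sorted(s["tags"]), s["runas_users"], s["runas_groups"])
```

The last assertion in the accompanying checks puts a host-specific PASSWD entry for /bin/ls before a blanket "alan ALL = NOPASSWD: ALL" entry; the blanket entry wins because it comes last, which is the ordering rule the "SUDOERS FILE FORMAT" section warns about.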
       NOEXEC and EXEC

       If sudo has been compiled with noexec support and the underlying
       operating system supports it, the NOEXEC tag can be used to prevent a
       dynamically-linked executable from running further commands itself.

       In the following example, user aaron may run /usr/bin/more and
       /usr/bin/vi but shell escapes will be disabled.

           aaron shanty = NOEXEC: /usr/bin/more, /usr/bin/vi

       See the "Preventing Shell Escapes" section below for more details on
       how NOEXEC works and whether or not it will work on your system.

       SETENV and NOSETENV

       These tags override the value of the setenv option on a per-command
       basis. Note that if SETENV has been set for a command, the user may
       disable the env_reset option from the command line via the -E option.
       Additionally, environment variables set on the command line are not
       subject to the restrictions imposed by env_check, env_delete, or
       env_keep. As such, only trusted users should be allowed to set
       variables in this manner. If the command matched is ALL, the SETENV
       tag is implied for that command; this default may be overridden by use

       LOG_INPUT and NOLOG_INPUT

       These tags override the value of the log_input option on a per-command
       basis. For more information, see the description of log_input in the
       "SUDOERS OPTIONS" section below.

       LOG_OUTPUT and NOLOG_OUTPUT

       These tags override the value of the log_output option on a per-command
       basis. For more information, see the description of log_output in the
       "SUDOERS OPTIONS" section below.
   Wildcards
       sudo allows shell-style wildcards (aka meta or glob characters) to be
       used in host names, path names and command line arguments in the
       sudoers file. Wildcard matching is done via the POSIX glob(3) and
       fnmatch(3) routines. Note that these are not regular expressions.

       *       Matches any set of zero or more characters.

       ?       Matches any single character.

       [...]   Matches any character in the specified range.

       [!...]  Matches any character not in the specified range.

       \x      For any character "x", evaluates to "x". This is used to
               escape special characters such as: "*", "?", "[", and "}".

       POSIX character classes may also be used if your system's glob(3) and
       fnmatch(3) functions support them. However, because the ':' character
       has special meaning in sudoers, it must be escaped. For example:

           /bin/ls [[\:alpha\:]]*

       Would match any file name beginning with a letter.

       Note that a forward slash ('/') will not be matched by wildcards used
       in the path name. When matching the command line arguments, however, a
       slash does get matched by wildcards. This is to make a path like:

       match /usr/bin/who but not /usr/bin/X11/xterm.
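The two matching regimes the text describes, glob(3) for the path name where '/' is never matched by a wildcard, and fnmatch(3) for the arguments where it is, can be reproduced with a small pattern translator. This is an added example written for this page, not code from sudo: it translates a sudoers wildcard pattern into a regular expression, spells out the common POSIX character classes by hand (Python's re has none), and matches arguments one by one, which is a simplification of how sudo compares argument strings. The pattern /usr/bin/* used in the checks is a constructed example.

```python
import re

# Substitutes for the POSIX character classes glob(3)/fnmatch(3) may support;
# Python's re has no [:alpha:], so the common ones are spelled out here.
POSIX_CLASSES = {"alpha": "a-zA-Z", "digit": "0-9", "alnum": "a-zA-Z0-9",
                 "upper": "A-Z", "lower": "a-z", "space": r" \t\n"}


def glob_to_regex(pattern, slash_is_wild):
    """Translate a sudoers wildcard pattern into a compiled regular expression.

    slash_is_wild=False models glob(3) on path names: '*' and '?' stop at '/'.
    slash_is_wild=True models fnmatch(3) on command arguments, where '/' is an
    ordinary character.  A backslash yields the following character literally;
    '\\:' is how ':' must be written in sudoers, so it is unescaped first.
    """
    pattern = pattern.replace("\\:", ":")
    any_char = "." if slash_is_wild else "[^/]"
    out, i, n = [], 0, len(pattern)
    while i < n:
        c = pattern[i]
        if c == "\\" and i + 1 < n:                  # \x -> literal x
            out.append(re.escape(pattern[i + 1]))
            i += 2
        elif c == "*":
            out.append(any_char + "*")
            i += 1
        elif c == "?":
            out.append(any_char)
            i += 1
        elif c == "[":                               # [...] or [!...]
            i += 1
            negate = i < n and pattern[i] == "!"
            if negate:
                i += 1
            body = []
            while i < n and pattern[i] != "]":
                if pattern.startswith("[:", i) and ":]" in pattern[i:]:
                    end = pattern.index(":]", i)
                    body.append(POSIX_CLASSES[pattern[i + 2:end]])
                    i = end + 2
                else:
                    ch = pattern[i]
                    body.append(ch if ch == "-" else re.escape(ch))  # keep ranges
                    i += 1
            i += 1                                   # skip the closing ']'
            prefix = "^" if negate else ""
            if negate and not slash_is_wild:
                prefix += "/"                        # [!...] must not swallow '/' either
            out.append("[" + prefix + "".join(body) + "]")
        else:
            out.append(re.escape(c))
            i += 1
    return re.compile("".join(out))


def path_matches(spec_path, path):
    """Command path matching: wildcards never cross a '/'."""
    return glob_to_regex(spec_path, slash_is_wild=False).fullmatch(path) is not None


def args_match(spec_args, args):
    """Argument matching, simplified to argument by argument.

    spec_args None models a sudoers entry without arguments (anything goes);
    [] models the "" entry (only an empty command line is allowed).
    """
    if spec_args is None:
        return True
    if len(spec_args) != len(args):
        return False
    return all(glob_to_regex(s, slash_is_wild=True).fullmatch(a) is not None
               for s, a in zip(spec_args, args))


if __name__ == "__main__":
    print(path_matches("/usr/bin/*", "/usr/bin/who"))          # True
    print(path_matches("/usr/bin/*", "/usr/bin/X11/xterm"))    # False
    print(args_match(["[[\\:alpha\\:]]*"], ["etc"]))          # True
    print(args_match(["/var/log/*"], ["/var/log/nginx/access.log"]))  # True
```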
   Exceptions to wildcard rules
       The following exceptions apply to the above rules:

       ""      If the empty string "" is the only command line argument in the
               sudoers entry it means that command is not allowed to be run
               with any arguments.
555 I
\bIn
\bnc
\bcl
\blu
\bud
\bdi
\bin
\bng
\bg o
\bot
\bth
\bhe
\ber
\br f
\bfi
\bil
\ble
\bes
\bs f
\bfr
\bro
\bom
\bm w
\bwi
\bit
\bth
\bhi
\bin
\bn s
\bsu
\bud
\bdo
\boe
\ber
\brs
\bs
556 It is possible to include other _
\bs_
\bu_
\bd_
\bo_
\be_
\br_
\bs files from within the _
\bs_
\bu_
\bd_
\bo_
\be_
\br_
\bs
557 file currently being parsed using the #include and #includedir
560 This can be used, for example, to keep a site-wide _
\bs_
\bu_
\bd_
\bo_
\be_
\br_
\bs file in
561 addition to a local, per-machine file. For the sake of this example
562 the site-wide _
\bs_
\bu_
\bd_
\bo_
\be_
\br_
\bs will be _
\b/_
\be_
\bt_
\bc_
\b/_
\bs_
\bu_
\bd_
\bo_
\be_
\br_
\bs and the per-machine one will
563 be _
\b/_
\be_
\bt_
\bc_
\b/_
\bs_
\bu_
\bd_
\bo_
\be_
\br_
\bs_
\b._
\bl_
\bo_
\bc_
\ba_
\bl. To include _
\b/_
\be_
\bt_
\bc_
\b/_
\bs_
\bu_
\bd_
\bo_
\be_
\br_
\bs_
\b._
\bl_
\bo_
\bc_
\ba_
\bl from within
564 _
\b/_
\be_
\bt_
\bc_
\b/_
\bs_
\bu_
\bd_
\bo_
\be_
\br_
\bs we would use the following line in _
\b/_
\be_
\bt_
\bc_
\b/_
\bs_
\bu_
\bd_
\bo_
\be_
\br_
\bs:
566 #include /etc/sudoers.local
568 When s
\bsu
\bud
\bdo
\bo reaches this line it will suspend processing of the current
569 file (_
\b/_
\be_
\bt_
\bc_
\b/_
\bs_
\bu_
\bd_
\bo_
\be_
\br_
\bs) and switch to _
\b/_
\be_
\bt_
\bc_
\b/_
\bs_
\bu_
\bd_
\bo_
\be_
\br_
\bs_
\b._
\bl_
\bo_
\bc_
\ba_
\bl. Upon reaching
570 the end of _
\b/_
\be_
\bt_
\bc_
\b/_
\bs_
\bu_
\bd_
\bo_
\be_
\br_
\bs_
\b._
\bl_
\bo_
\bc_
\ba_
\bl, the rest of _
\b/_
\be_
\bt_
\bc_
\b/_
\bs_
\bu_
\bd_
\bo_
\be_
\br_
\bs will be
571 processed. Files that are included may themselves include other files.
572 A hard limit of 128 nested include files is enforced to prevent include
If the path to the include file is not fully-qualified (does not begin
with a /), it must be located in the same directory as the sudoers file
it was included from. For example, if /etc/sudoers contains the line:

    #include sudoers.local

the file that will be included is /etc/sudoers.local.

The file name may also include the %h escape, signifying the short form
of the host name. I.e., if the machine's host name is "xerxes", then

    #include /etc/sudoers.%h

will cause sudo to include the file /etc/sudoers.xerxes.

The #includedir directive can be used to create a sudo.d directory that
the system package manager can drop sudoers rules into as part of
package installation. For example, given:

    #includedir /etc/sudoers.d

sudo will read each file in /etc/sudoers.d, skipping file names that
end in ~ or contain a . character to avoid causing problems with
package manager or editor temporary/backup files. Files are parsed in
sorted lexical order. That is, /etc/sudoers.d/01_first will be parsed
before /etc/sudoers.d/10_second. Be aware that because the sorting is
lexical, not numeric, /etc/sudoers.d/1_whoops would be loaded after
/etc/sudoers.d/10_second. Using a consistent number of leading zeroes
in the file names can be used to avoid such problems.

Note that unlike files included via #include, visudo will not edit the
files in a #includedir directory unless one of them contains a syntax
error. It is still possible to run visudo with the -f flag to edit the
Other special characters and reserved words

The pound sign ('#') is used to indicate a comment (unless it is part
of a #include directive or unless it occurs in the context of a user
name and is followed by one or more digits, in which case it is treated
as a uid). Both the comment character and any text after it, up to the
end of the line, are ignored.

The reserved word ALL is a built-in alias that always causes a match to
succeed. It can be used wherever one might otherwise use a Cmnd_Alias,
User_Alias, Runas_Alias, or Host_Alias. You should not try to define
your own alias called ALL as the built-in alias will be used in
preference to your own. Please note that using ALL can be dangerous
since in a command context, it allows the user to run any command on

An exclamation point ('!') can be used as a logical not operator both
in an alias and in front of a Cmnd. This allows one to exclude certain
values. Note, however, that using a ! in conjunction with the built-in
ALL alias to allow a user to run "all but a few" commands rarely works
as intended (see SECURITY NOTES below).

Long lines can be continued with a backslash ('\') as the last
character on the line.

Whitespace between elements in a list as well as special syntactic
characters in a User Specification ('=', ':', '(', ')') is optional.

The following characters must be escaped with a backslash ('\') when
used as part of a word (e.g. a user name or host name): '!', '=', ':',
SUDOERS OPTIONS

sudo's behavior can be modified by Default_Entry lines, as explained
earlier. A list of all supported Defaults parameters, grouped by type,

Boolean Flags:
always_set_home
    If enabled, sudo will set the HOME environment variable to the home
    directory of the target user (which is root unless the -u option is
    used). This effectively means that the -H option is always implied.
    Note that HOME is already set when the env_reset option is enabled,
    so always_set_home is only effective for configurations where
    either env_reset is disabled or HOME is present in the env_keep
    list. This flag is off

authenticate
    If set, users must authenticate themselves via a password (or other
    means of authentication) before they may run commands. This default
    may be overridden via the PASSWD and NOPASSWD tags. This flag is on
    by

    If set, the user may use sudo's -C option which overrides the
    default starting point at which sudo begins closing open file
    descriptors. This flag is off

compress_io
    If set, and sudo is configured to log a command's input or output,
    the I/O logs will be compressed using zlib. This flag is on by
    default when sudo is compiled with zlib support.

env_editor
    If set, visudo will use the value of the EDITOR or VISUAL
    environment variables before falling back on the default editor
    list. Note that this may create a security hole as it allows the
    user to run any arbitrary command as root without logging. A safer
    alternative is to place a colon-separated list of editors in the
    editor variable. visudo will then only use the EDITOR or VISUAL if
    they match a value specified in editor. This flag is off by
    default.

env_reset
    If set, sudo will run the command in a minimal environment
    containing the TERM, PATH, HOME, MAIL, SHELL, LOGNAME, USER,
    USERNAME and SUDO_* variables. Any variables in the caller's
    environment that match the env_keep and env_check lists are then
    added, followed by any variables present in the file specified by
    the env_file option (if any). The default contents of the env_keep
    and env_check lists are displayed when sudo is run by root with the
    -V option. If the secure_path option is set, its value will be used
    for the PATH environment variable. This flag is on by

fast_glob
    Normally, sudo uses the glob(3) function to do shell-style globbing
    when matching path names. However, since it accesses the file
    system, glob(3) can take a long time to complete for some patterns,
    especially when the pattern references a network file system that
    is mounted on demand (automounted). The fast_glob option causes
    sudo to use the fnmatch(3) function, which does not access the file
    system to do its matching. The disadvantage of fast_glob is that it
    is unable to match relative path names such as ./ls or ../bin/ls.
    This has security implications when path names that include
    globbing characters are used with the negation operator, '!', as
    such rules can be trivially bypassed. As such, this option should
    not be used when sudoers contains rules that contain negated path
    names which include globbing characters. This flag is off by
    default.

fqdn
    Set this flag if you want to put fully qualified host names in the
    sudoers file. I.e., instead of myhost you would use
    myhost.mydomain.edu. You may still use the short form if you wish
    (and even mix the two). Beware that turning on fqdn requires sudo
    to make DNS lookups which may make sudo unusable if DNS stops
    working (for example if the machine is not plugged into the
    network). Also note that you must use the host's official name as
    DNS knows it. That is, you may not use a host alias (CNAME entry)
    due to performance issues and the fact that there is no way to get
    all aliases from DNS. If your machine's host name (as returned by
    the hostname command) is already fully qualified you shouldn't need
    to set fqdn. This flag is off by default.

ignore_dot
    If set, sudo will ignore '.' or '' (current dir) in the PATH
    environment variable; the PATH itself is not modified. This flag is
    off by default.
    If set via LDAP, parsing of /etc/sudoers will be skipped. This is
    intended for Enterprises that wish to prevent the usage of local
    sudoers files so that only LDAP is used. This thwarts the efforts
    of rogue operators who would attempt to add roles to /etc/sudoers.
    When this option is present, /etc/sudoers does not even need to
    exist. Since this option tells sudo how to behave when no specific
    LDAP entries have been matched, this sudoOption is only meaningful
    for the cn=defaults section. This flag is off by default.

insults
    If set, sudo will insult users when they enter an incorrect
    password. This flag is off by default.

log_host
    If set, the host name will be logged in the (non-syslog) sudo log
    file. This flag is off by default.

log_input
    If set, sudo will run the command in a pseudo tty and log all user
    input. If the standard input is not connected to the user's tty,
    due to I/O redirection or because the command is part of a
    pipeline, that input is also captured and stored in a separate log
    file.

    Input is logged to the directory specified by the iolog_dir option
    (/var/log/sudo-io by default) using a unique session ID that is
    included in the normal sudo log line, prefixed with TSID=. The
    iolog_file option may be used to control the format of the session
    ID.

    Note that user input may contain sensitive information such as
    passwords (even if they are not echoed to the screen), which will
    be stored in the log file unencrypted. In most cases, logging the
    command output via log_output is all that is required.

log_output
    If set, sudo will run the command in a pseudo tty and log all
    output that is sent to the screen, similar to the script(1)
    command. If the standard output or standard error is not connected
    to the user's tty, due to I/O redirection or because the command is
    part of a pipeline, that output is also captured and stored in

    Output is logged to the directory specified by the iolog_dir option
    (/var/log/sudo-io by default) using a unique session ID that is
    included in the normal sudo log line, prefixed with TSID=. The
    iolog_file option may be used to control the format of the session
    ID.

    Output logs may be viewed with the sudoreplay(1m) utility, which
    can also be used to list or search the

log_year
    If set, the four-digit year will be logged in the (non-syslog) sudo
    log file. This flag is off by default.

long_otp_prompt
    When validating with a One Time Password (OTP) scheme such as S/Key
    or OPIE, a two-line prompt is used to make it easier to cut and
    paste the challenge to a local window. It's not as pretty as the
    default but some people find it more convenient. This flag is off

mail_always
    Send mail to the mailto user every time a user runs sudo. This flag
    is off by default.

mail_badpass
    Send mail to the mailto user if the user running sudo does not
    enter the correct password. This flag is off

mail_no_host
    If set, mail will be sent to the mailto user if the invoking user
    exists in the sudoers file, but is not allowed to run commands on
    the current host. This flag is off by default.

mail_no_perms
    If set, mail will be sent to the mailto user if the invoking user
    is allowed to use sudo but the command they are trying is not
    listed in their sudoers file entry or is explicitly denied. This
    flag is off by

mail_no_user
    If set, mail will be sent to the mailto user if the invoking user
    is not in the sudoers file. This flag is

noexec
    If set, all commands run via sudo will behave as if the NOEXEC tag
    has been set, unless overridden by an EXEC tag. See the description
    of NOEXEC and EXEC below as well as the "Preventing Shell Escapes"
    section at the end of this manual. This flag is off by default.
path_info
    Normally, sudo will tell the user when a command could not be found
    in their PATH environment variable. Some sites may wish to disable
    this as it could be used to gather information on the location of
    executables that the normal user does not have access to. The
    disadvantage is that if the executable is simply not in the user's
    PATH, sudo will tell the user that they are not allowed to run it,
    which can be confusing. This flag is on by default.

    The password prompt specified by passprompt will normally only be
    used if the password prompt provided by systems such as PAM matches
    the string "Password:". If passprompt_override is set, passprompt
    will always be used. This flag is off by default.

preserve_groups
    By default, sudo will initialize the group vector to the list of
    groups the target user is in. When preserve_groups is set, the
    user's existing group vector is left unaltered. The real and
    effective group IDs, however, are still set to match the target
    user. This flag is off by default.

pwfeedback
    By default, sudo reads the password like most other Unix programs,
    by turning off echo until the user hits the return (or enter) key.
    Some users become confused by this as it appears to them that sudo
    has hung at this point. When pwfeedback is set, sudo will provide
    visual feedback when the user presses a key. Note that this does
    have a security impact as an onlooker may be able to determine the
    length of the password being entered. This flag is off by default.

requiretty
    If set, sudo will only run when the user is logged in to a real
    tty. When this flag is set, sudo can only be run from a login
    session and not via other means such as cron(1m) or cgi-bin
    scripts. This flag is off by

root_sudo
    If set, root is allowed to run sudo too. Disabling this prevents
    users from "chaining" sudo commands to get a root shell by doing
    something like "sudo sudo /bin/sh". Note, however, that turning off
    root_sudo will also prevent root from running sudoedit. Disabling
    root_sudo provides no real additional security; it exists purely
    for historical reasons. This flag is on by default.

rootpw
    If set, sudo will prompt for the root password instead of the
    password of the invoking user. This flag is off

runaspw
    If set, sudo will prompt for the password of the user defined by
    the runas_default option (defaults to root) instead of the password
    of the invoking user. This flag is off by default.

set_home
    If enabled and sudo is invoked with the -s option the HOME
    environment variable will be set to the home directory of the
    target user (which is root unless the -u option is used). This
    effectively makes the -s option imply -H. Note that HOME is already
    set when the env_reset option is enabled, so set_home is only
    effective for configurations where either env_reset is disabled or
    HOME is present in the env_keep list. This flag is off by default.
set_logname
    Normally, sudo will set the LOGNAME, USER and USERNAME environment
    variables to the name of the target user (usually root unless the
    -u option is given). However, since some programs (including the
    RCS revision control system) use LOGNAME to determine the real
    identity of the user, it may be desirable to change this behavior.
    This can be done by negating the set_logname option. Note that if
    the env_reset option has not been disabled, entries in the env_keep
    list will override the value of set_logname. This flag is on by
    default.

set_utmp
    When enabled, sudo will create an entry in the utmp (or utmpx) file
    when a pseudo-tty is allocated. A pseudo-tty is allocated by sudo
    when the log_input, log_output or use_pty flags are enabled. By
    default, the new entry will be a copy of the user's existing utmp
    entry (if any), with the tty, time, type and pid fields updated.
    This flag is on by default.

setenv
    Allow the user to disable the env_reset option from the command
    line via the -E option. Additionally, environment variables set via
    the command line are not subject to the restrictions imposed by
    env_check, env_delete, or env_keep. As such, only trusted users
    should be allowed to set variables in this manner. This flag is off
    by default.

shell_noargs
    If set and sudo is invoked with no arguments it acts as if the -s
    option had been given. That is, it runs a shell as root (the shell
    is determined by the SHELL environment variable if it is set,
    falling back on the shell listed in the invoking user's /etc/passwd
    entry if not). This flag is off by default.

stay_setuid
    Normally, when sudo executes a command the real and effective UIDs
    are set to the target user (root by default). This option changes
    that behavior such that the real UID is left as the invoking user's
    UID. In other words, this makes sudo act as a setuid wrapper. This
    can be useful on systems that disable some potentially dangerous
    functionality when a program is run setuid. This option is only
    effective on systems with either the setreuid() or setresuid()
    function. This flag is off by default.

targetpw
    If set, sudo will prompt for the password of the user specified by
    the -u option (defaults to root) instead of the password of the
    invoking user. In addition, the timestamp file name will include
    the target user's name. Note that this flag precludes the use of a
    uid not listed in the passwd database as an argument to the -u
    option. This flag is off by default.

tty_tickets
    If set, users must authenticate on a per-tty basis. With this flag
    enabled, sudo will use a file named for the tty the user is logged
    in on in the user's time stamp directory. If disabled, the time
    stamp of the directory is used instead. This flag is on by default.

umask_override
    If set, sudo will set the umask as specified by sudoers without
    modification. This makes it possible to specify a more permissive
    umask in sudoers than the user's own umask and matches historical
    behavior. If umask_override is not set, sudo will set the umask to
    be the union of the user's umask and what is specified in sudoers.
    This flag is off by default.

use_loginclass
    If set, sudo will apply the defaults specified for the target
    user's login class if one exists. Only available if sudo is
    configured with the --with-logincap option. This flag is off by
    default.

use_pty
    If set, sudo will run the command in a pseudo-pty even if no I/O
    logging is being done. A malicious program run under sudo could
    conceivably fork a background process that retains access to the
    user's terminal device after the main program has finished
    executing. Use of this option will make that impossible. This flag
    is off by default.

utmp_runas
    If set, sudo will store the name of the runas user when updating
    the utmp (or utmpx) file. By default, sudo stores the name of the
    invoking user. This flag is off

visiblepw
    By default, sudo will refuse to run if the user must enter a
    password but it is not possible to disable echo on the terminal. If
    the visiblepw flag is set, sudo will prompt for a password even
    when it would be visible on the screen. This makes it possible to
    run things like "rsh somehost sudo ls" since rsh(1) does not
    allocate a tty. This flag is off by default.
Integers:

closefrom
    Before it executes a command, sudo will close all open file
    descriptors other than standard input, standard output and standard
    error (ie: file descriptors 0-2). The closefrom option can be used
    to specify a different file descriptor at which to start closing.
    The default

passwd_tries
    The number of tries a user gets to enter his/her password before
    sudo logs the failure and exits. The

Integers that can be used in a boolean context:

loglinelen
    Number of characters per line for the file log. This value is used
    to decide when to wrap lines for nicer log files. This has no
    effect on the syslog log file, only the file log. The default is 80
    (use 0 or negate the option to disable word wrap).

passwd_timeout
    Number of minutes before the sudo password prompt times out, or 0
    for no timeout. The timeout may include a fractional component if
    minute granularity is insufficient, for example 2.5. The default is
    5.

    Number of minutes that can elapse before sudo will ask for a passwd
    again. The timeout may include a fractional component if minute
    granularity is insufficient, for example 2.5. The default is 5. Set
    this to 0 to always prompt for a password. If set to a value less
    than 0 the user's timestamp will never expire. This can be used to
    allow users to create or delete their own timestamps via sudo -v
    and sudo -k

umask
    Umask to use when running the command. Negate this option or set it
    to 0777 to preserve the user's umask. The actual umask that is used
    will be the union of the user's umask and the value of the umask
    option, which defaults to 0022. This guarantees that sudo never
    lowers the umask when running a command. Note on systems that use
    PAM, the default PAM configuration may specify its own umask which
    will override the value set in sudoers.
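An audit of Defaults flags against the cautions in the Boolean Flags list above (env_editor without an editor list, fast_glob beside negated glob path names, setenv, log_input) together with the umask union rule, as an added Python example that is not sudo's own code. The two sample policies, the finding texts and the function names are constructed for the example; the parser handles only plain Defaults lines with flag, !flag and name=value items.

```python
"""Audit sudoers Defaults flags against the cautions in SUDOERS OPTIONS.

Added example, not sudo's own code. Only plain 'Defaults' lines with items of
the form flag, !flag and name=value are parsed (no host/user-specific Defaults,
no += / -= lists); the '#' comment rule ignores the #uid and #include cases.
"""
import re

# Constructed sample policies: a weak setting and its hardened counterpart.
WEAK = """\
Defaults env_editor, fast_glob, setenv   # risky combination
Defaults log_input
Defaults umask=0002
Defaults !use_pty
alice ALL=(root) ALL, !/usr/bin/passwd*
"""
HARDENED = """\
Defaults env_reset, !env_editor, editor=/usr/bin/vi:/usr/bin/vim
Defaults log_output, use_pty, requiretty
Defaults umask=0022
alice ALL=(root) /usr/bin/systemctl restart httpd
"""

NEG_GLOB_RE = re.compile(r"!\s*\S*[*?\[]")  # negated command containing glob chars


def strip_comment(line):
    """Drop a '#' comment and surrounding whitespace."""
    return line.split("#", 1)[0].strip()


def parse_defaults(text):
    """Map option name -> True (flag), False (!flag) or string (name=value)."""
    opts = {}
    for line in text.splitlines():
        line = strip_comment(line)
        if not line.startswith("Defaults"):
            continue
        for item in re.split(r",\s*", line[len("Defaults"):].strip()):
            if "=" in item:
                name, value = item.split("=", 1)
                opts[name.strip()] = value.strip().strip('"')
            elif item.startswith("!"):
                opts[item[1:].strip()] = False
            elif item:
                opts[item.strip()] = True
    return opts


def has_negated_glob_cmnd(text):
    """True if a user specification negates a command containing glob
    characters: with fast_glob, fnmatch(3) cannot match relative paths."""
    for line in text.splitlines():
        line = strip_comment(line)
        if line and not line.startswith("Defaults") and NEG_GLOB_RE.search(line):
            return True
    return False


def audit(text):
    """Return the findings a reviewer would raise for this policy text."""
    opts = parse_defaults(text)
    findings = []
    if opts.get("env_editor") and not opts.get("editor"):
        findings.append("env_editor without an editor list: visudo would run an "
                        "arbitrary EDITOR/VISUAL as root without logging")
    if opts.get("fast_glob") and has_negated_glob_cmnd(text):
        findings.append("fast_glob with negated glob path names: the negation "
                        "can be bypassed with a relative path")
    if opts.get("setenv"):
        findings.append("setenv: variables set on the command line bypass "
                        "env_check, env_delete and env_keep")
    if opts.get("log_input"):
        findings.append("log_input stores typed passwords unencrypted; "
                        "log_output is usually all that is required")
    if opts.get("env_reset") is False:
        findings.append("env_reset disabled: the caller's environment reaches the command")
    return findings


def effective_umask(user_umask, opts):
    """umask the command runs with: the union (bitwise OR) of the user's umask
    and the sudoers umask (default 0022), unless umask_override is set, in
    which case the sudoers value is used as-is. A negated umask or 0777 keeps
    the user's own umask."""
    setting = opts.get("umask", "0022")
    if setting is False or setting == "0777":
        return user_umask
    value = int(setting, 8)
    return value if opts.get("umask_override") else user_umask | value


if __name__ == "__main__":
    for label, policy in (("weak", WEAK), ("hardened", HARDENED)):
        print(label, audit(policy) or ["no findings"])
    print(oct(effective_umask(0o077, parse_defaults(WEAK))))  # 0o077: never lowered
```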
Strings:

badpass_message
    Message that is displayed if a user enters an incorrect password.
    The default is Sorry, try again. unless insults are enabled.

editor
    A colon (':') separated list of editors allowed to be used with
    visudo. visudo will choose the editor that matches the user's
    EDITOR environment variable if possible, or the first editor in the
    list that exists and is executable. The default is "vi".

iolog_dir
    The top-level directory to use when constructing the path name for
    the input/output log directory. Only used if the log_input or
    log_output options are enabled or when the LOG_INPUT or LOG_OUTPUT
    tags are present for a command. The session sequence number, if
    any, is stored in the directory. The default is

    The following percent (`%') escape sequences are

        expanded to a monotonically increasing base-36 sequence
        number, such as 0100A5, where every two digits are used to
        form a new directory, e.g. 01/00/A5

        expanded to the invoking user's login name

        expanded to the name of the invoking user's real

        expanded to the login name of the user the command will be
        run as (e.g. root)

        expanded to the group name of the user the command will be
        run as (e.g. wheel)

        expanded to the local host name without the domain

        expanded to the base name of the command being run

    In addition, any escape sequences supported by the system's
    strftime() function will be expanded.

    To include a literal `%' character, the string `%%'

iolog_file
    The path name, relative to iolog_dir, in which to store
    input/output logs when the log_input or log_output options are
    enabled or when the LOG_INPUT or LOG_OUTPUT tags are present for a
    command. Note that iolog_file may contain directory components. The
    default is

    See the iolog_dir option above for a list of supported percent
    (`%') escape sequences.

    In addition to the escape sequences, path names that end in six or
    more Xs will have the Xs replaced with a unique combination of
    digits and letters, similar to the mktemp() function.

mailsub
    Subject of the mail sent to the mailto user. The escape %h will
    expand to the host name of the machine. Default is *** SECURITY
    information for %h ***.

noexec_file
    This option is no longer supported. The path to the noexec file
    should now be set in the /etc/sudo.conf

passprompt
    The default prompt to use when asking for a password; can be
    overridden via the -p option or the SUDO_PROMPT environment
    variable. The following percent (`%') escape sequences are
    supported:

        %H  expanded to the local host name including the domain name
            (only if the machine's host name is fully qualified or the
            fqdn option is set)

        %h  expanded to the local host name without the domain

        %p  expanded to the user whose password is being asked for
            (respects the rootpw, targetpw and runaspw flags in
            sudoers)

        %U  expanded to the login name of the user the command will be
            run as (defaults to root)

        %u  expanded to the invoking user's login name

        %%  two consecutive % characters are collapsed into a

    The default value is Password:.

role
    The default SELinux role to use when constructing a new security
    context to run the command. The default role may be overridden on a
    per-command basis in sudoers or via command line options. This
    option is only available when sudo is built with SELinux support.

runas_default
    The default user to run commands as if the -u option is not
    specified on the command line. This defaults to

syslog_badpri
    Syslog priority to use when user authenticates unsuccessfully.
    Defaults to alert.

    The following syslog priorities are supported: alert, crit, debug,
    emerg, err, info, notice, and warning.

syslog_goodpri
    Syslog priority to use when user authenticates successfully.
    Defaults to notice.

    See syslog_badpri for the list of supported syslog

sudoers_locale
    Locale to use when parsing the sudoers file, logging commands, and
    sending email. Note that changing the locale may affect how sudoers
    is interpreted. Defaults

timestampdir
    The directory in which sudo stores its timestamp files. The default
    is /var/adm/sudo.

timestampowner
    The owner of the timestamp directory and the timestamps stored
    therein. The default is root.

type
    The default SELinux type to use when constructing a new security
    context to run the command. The default type may be overridden on a
    per-command basis in sudoers or via command line options. This
    option is only available when sudo is built with SELinux support.
Strings that can be used in a boolean context:

env_file
    The env_file option specifies the fully qualified path to a file
    containing variables to be set in the environment of the program
    being run. Entries in this file should either be of the form
    VARIABLE=value or export VARIABLE=value. The value may optionally
    be surrounded by single or double quotes. Variables in this file
    are subject to other sudo environment settings such as env_keep and
    env_check.

    Users in this group are exempt from password and PATH requirements.
    The group name specified should not include a % prefix. This is not
    set by default.

    A string containing a sudoers group plugin with optional arguments.
    This can be used to implement support for the nonunix_group syntax
    described earlier. The string should consist of the plugin path,
    either fully-qualified or relative to the /usr/local/libexec
    directory, followed by any configuration arguments the plugin
    requires. These arguments (if any) will be passed to the plugin's
    initialization function. If arguments are present, the string must
    be enclosed in double quotes (").

    For example, given /etc/sudo-group, a group file in Unix group
    format, the sample group plugin can be used:

        Defaults group_plugin="sample_group.so /etc/sudo-group"

    For more information see sudo_plugin(4).

lecture
    This option controls when a short lecture will be printed along
    with the password prompt. It has the following

        always  Always lecture the user.

        never   Never lecture the user.

        once    Only lecture the user the first time they run sudo.

    If no value is specified, a value of once is implied. Negating the
    option results in a value of never being used. The default value is
    once.

    Path to a file containing an alternate sudo lecture that will be
    used in place of the standard lecture if the named file exists. By
    default, sudo uses a built-in lecture.

listpw
    This option controls when a password will be required when a user
    runs sudo with the -l option. It has the following

        all     All the user's sudoers entries for the current host
                must have the NOPASSWD flag set to avoid entering a

        always  The user must always enter a password to use the -
\b-l
\bl
1245 any At least one of the user's _
\bs_
\bu_
\bd_
\bo_
\be_
\br_
\bs entries for the
1246 current host must have the NOPASSWD flag set to
1247 avoid entering a password.
1249 never The user need never enter a password to use the -
\b-l
\bl
1252 If no value is specified, a value of _
\ba_
\bn_
\by is implied.
1253 Negating the option results in a value of _
\bn_
\be_
\bv_
\be_
\br being used.
1254 The default value is _
\ba_
\bn_
\by.
1256 logfile Path to the s
\bsu
\bud
\bdo
\bo log file (not the syslog log file).
1257 Setting a path turns on logging to a file; negating this
1258 option turns it off. By default, s
\bsu
\bud
\bdo
\bo logs via syslog.
1260 mailerflags Flags to use when invoking mailer. Defaults to -
\b-t
\bt.
1262 mailerpath Path to mail program used to send warning mail. Defaults
1263 to the path to sendmail found at configure time.
1265 mailfrom Address to use for the "from" address when sending warning
1266 and error mail. The address should be enclosed in double
1267 quotes (") to protect against s
\bsu
\bud
\bdo
\bo interpreting the @ sign.
1268 Defaults to the name of the user running s
\bsu
\bud
\bdo
\bo.
1270 mailto Address to send warning and error mail to. The address
1271 should be enclosed in double quotes (") to protect against
1272 s
\bsu
\bud
\bdo
\bo interpreting the @ sign. Defaults to root.
1274 secure_path Path used for every command run from s
\bsu
\bud
\bdo
\bo. If you don't
1275 trust the people running s
\bsu
\bud
\bdo
\bo to have a sane PATH
1276 environment variable you may want to use this. Another use
1277 is if you want to have the "root path" be separate from the
1278 "user path." Users in the group specified by the
1279 _
\be_
\bx_
\be_
\bm_
\bp_
\bt_
\b__
\bg_
\br_
\bo_
\bu_
\bp option are not affected by _
\bs_
\be_
\bc_
\bu_
\br_
\be_
\b__
\bp_
\ba_
\bt_
\bh. This
1280 option is not set by default.
1282 syslog Syslog facility if syslog is being used for logging (negate
1283 to disable syslog logging). Defaults to auth.
1285 The following syslog facilities are supported: a
\bau
\but
\bth
\bhp
\bpr
\bri
\biv
\bv (if
1286 your OS supports it), a
\bau
\but
\bth
\bh, d
\bda
\bae
\bem
\bmo
\bon
\bn, u
\bus
\bse
\ber
\br, l
\blo
\boc
\bca
\bal
\bl0
\b0, l
\blo
\boc
\bca
\bal
\bl1
\b1,
1287 l
\blo
\boc
\bca
\bal
\bl2
\b2, l
\blo
\boc
\bca
\bal
\bl3
\b3, l
\blo
\boc
\bca
\bal
\bl4
\b4, l
\blo
\boc
\bca
\bal
\bl5
\b5, l
\blo
\boc
\bca
\bal
\bl6
\b6, and l
\blo
\boc
\bca
\bal
\bl7
\b7.
1289 verifypw This option controls when a password will be required when
1290 a user runs s
\bsu
\bud
\bdo
\bo with the -
\b-v
\bv option. It has the following
1293 all All the user's _
\bs_
\bu_
\bd_
\bo_
\be_
\br_
\bs entries for the current host
1294 must have the NOPASSWD flag set to avoid entering a
1297 always The user must always enter a password to use the -
\b-v
\bv
1300 any At least one of the user's _
\bs_
\bu_
\bd_
\bo_
\be_
\br_
\bs entries for the
1301 current host must have the NOPASSWD flag set to
1302 avoid entering a password.
1304 never The user need never enter a password to use the -
\b-v
\bv
1307 If no value is specified, a value of _
\ba_
\bl_
\bl is implied.
1308 Negating the option results in a value of _
\bn_
\be_
\bv_
\be_
\br being used.
1309 The default value is _
\ba_
\bl_
\bl.
1311 L
\bLi
\bis
\bst
\bts
\bs t
\bth
\bha
\bat
\bt c
\bca
\ban
\bn b
\bbe
\be u
\bus
\bse
\bed
\bd i
\bin
\bn a
\ba b
\bbo
\boo
\bol
\ble
\bea
\ban
\bn c
\bco
\bon
\bnt
\bte
\bex
\bxt
\bt:
1313 env_check Environment variables to be removed from the user's
1314 environment if the variable's value contains % or /
1315 characters. This can be used to guard against printf-
1316 style format vulnerabilities in poorly-written
1317 programs. The argument may be a double-quoted, space-
1318 separated list or a single value without double-quotes.
1319 The list can be replaced, added to, deleted from, or
1320 disabled by using the =, +=, -=, and ! operators
1321 respectively. Regardless of whether the env_reset
1322 option is enabled or disabled, variables specified by
1323 env_check will be preserved in the environment if they
1324 pass the aforementioned check. The default list of
1325 environment variables to check is displayed when s
\bsu
\bud
\bdo
\bo
1326 is run by root with the _
\b-_
\bV option.
1328 env_delete Environment variables to be removed from the user's
1329 environment when the _
\be_
\bn_
\bv_
\b__
\br_
\be_
\bs_
\be_
\bt option is not in effect.
1330 The argument may be a double-quoted, space-separated
1331 list or a single value without double-quotes. The list
1332 can be replaced, added to, deleted from, or disabled by
1333 using the =, +=, -=, and ! operators respectively. The
1334 default list of environment variables to remove is
1335 displayed when s
\bsu
\bud
\bdo
\bo is run by root with the _
\b-_
\bV option.
1336 Note that many operating systems will remove
1337 potentially dangerous variables from the environment of
1338 any setuid process (such as s
\bsu
\bud
\bdo
\bo).
1340 env_keep Environment variables to be preserved in the user's
1341 environment when the _
\be_
\bn_
\bv_
\b__
\br_
\be_
\bs_
\be_
\bt option is in effect.
1342 This allows fine-grained control over the environment
1343 s
\bsu
\bud
\bdo
\bo-spawned processes will receive. The argument may
1344 be a double-quoted, space-separated list or a single
1345 value without double-quotes. The list can be replaced,
1346 added to, deleted from, or disabled by using the =, +=,
1347 -=, and ! operators respectively. The default list of
1348 variables to keep is displayed when s
\bsu
\bud
\bdo
\bo is run by root
1349 with the _
\b-_
\bV option.
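       The following is an added example, not code from the sudo project: a
       Python model of how env_file entries and the env_keep, env_check and
       env_delete lists described above are applied to a caller's environment.
       The three sample lists and the sample environment are constructed here,
       not sudo's real defaults (those are shown by "sudo -V" as root).

```python
import re

# Constructed sample lists standing in for the defaults that "sudo -V"
# prints for root; they are not sudo's real default lists.
ENV_KEEP = {"DISPLAY", "HOME", "LANG", "TERM"}
ENV_CHECK = {"COLORTERM", "LC_ALL", "TZ"}
ENV_DELETE = {"LD_PRELOAD", "LD_LIBRARY_PATH", "IFS", "BASH_ENV"}


def passes_env_check(value):
    """The env_check test: a value containing '%' or '/' is rejected,
    which blocks printf-style format strings and path components."""
    return "%" not in value and "/" not in value


def filter_environment(env, env_reset=True, keep=ENV_KEEP,
                       check=ENV_CHECK, delete=ENV_DELETE):
    """Apply env_keep / env_check / env_delete to a caller environment.

    With env_reset on, only env_keep variables and env_check variables
    that pass the check survive.  With env_reset off, everything survives
    except env_delete variables and env_check variables that fail.
    """
    result = {}
    for name, value in env.items():
        if name in check:
            # env_check applies regardless of env_reset
            if passes_env_check(value):
                result[name] = value
        elif env_reset:
            if name in keep:
                result[name] = value
        elif name not in delete:
            result[name] = value
    return result


# One env_file entry: optional "export", NAME=value, value optionally quoted.
_ENV_LINE = re.compile(r"^(?:export\s+)?([A-Za-z_][A-Za-z0-9_]*)=(.*)$")


def parse_env_file(text):
    """Parse env_file contents into a dict, stripping one layer of
    matching single or double quotes around each value."""
    variables = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        match = _ENV_LINE.match(line)
        if match is None:
            raise ValueError("malformed env_file entry: %r" % raw)
        name, value = match.group(1), match.group(2).strip()
        if len(value) >= 2 and value[0] == value[-1] and value[0] in "\"'":
            value = value[1:-1]
        variables[name] = value
    return variables


def build_command_environment(user_env, env_file_text, env_reset=True):
    """Environment handed to the command: the filtered caller environment
    plus the env_file variables, which the option description says are
    subject to the same env_keep and env_check settings."""
    env = filter_environment(user_env, env_reset)
    env.update(filter_environment(parse_env_file(env_file_text), env_reset))
    return env


# Constructed inputs for a demonstration run.
SAMPLE_USER_ENV = {
    "HOME": "/home/alice",
    "TERM": "xterm",
    "PS1": "$ ",
    "LD_PRELOAD": "/tmp/untrusted.so",  # removed by env_delete / env_reset
    "TZ": "Europe/Berlin",              # fails env_check: contains '/'
    "COLORTERM": "truecolor",           # passes env_check
    "LC_ALL": "en_US.UTF-8",            # passes env_check
}
SAMPLE_ENV_FILE = """
TZ='UTC'
export LANG="C.UTF-8"
EDITOR=/usr/bin/vi
"""

if __name__ == "__main__":
    for reset in (True, False):
        print("env_reset =", reset)
        env = build_command_environment(SAMPLE_USER_ENV, SAMPLE_ENV_FILE, reset)
        for name, value in sorted(env.items()):
            print("    %s=%s" % (name, value))
```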
SUDO.CONF
       The /etc/sudo.conf file determines which plugins the sudo front end
       will load.  If no /etc/sudo.conf file is present, or it contains no
       Plugin lines, sudo will use the sudoers security policy and I/O
       logging, which corresponds to the following /etc/sudo.conf file.

           # Default /etc/sudo.conf file
           #   Plugin plugin_name plugin_path plugin_options ...
           #   Path askpass /path/to/askpass
           #   Path noexec /path/to/sudo_noexec.so
           #   Debug sudo /var/log/sudo_debug all@warn
           #   Set disable_coredump true
           #
           # The plugin_path is relative to /usr/local/libexec unless
           #   fully qualified.
           # The plugin_name corresponds to a global symbol in the plugin
           #   that contains the plugin interface structure.
           # The plugin_options are optional.
           #
           Plugin policy_plugin sudoers.so
           Plugin io_plugin sudoers.so

PLUGIN OPTIONS
       Starting with sudo 1.8.5 it is possible to pass options to the sudoers
       plugin.  Options may be listed after the path to the plugin (i.e. after
       sudoers.so); multiple options should be space-separated.  For example:

           Plugin sudoers_policy sudoers.so sudoers_file=/etc/sudoers sudoers_uid=0 sudoers_gid=0 sudoers_mode=0440

       The following plugin options are supported:

       sudoers_file=pathname
               The sudoers_file option can be used to override the default
               path to the sudoers file.

       sudoers_uid=uid
               The sudoers_uid option can be used to override the default
               owner of the sudoers file.  It should be specified as a
               numeric user ID.

       sudoers_gid=gid
               The sudoers_gid option can be used to override the default
               group of the sudoers file.  It should be specified as a
               numeric group ID.

       sudoers_mode=mode
               The sudoers_mode option can be used to override the default
               file mode for the sudoers file.  It should be specified as an
               octal value.
DEBUG FLAGS
       Versions 1.8.4 and higher of the sudoers plugin support a debugging
       framework that can help track down what the plugin is doing internally
       if there is a problem.  This can be configured in the /etc/sudo.conf
       file as described in sudo(1m).

       The sudoers plugin uses the same debug flag format as sudo itself:
       subsystem@priority.

       The priorities used by sudoers, in order of decreasing severity, are:
       crit, err, warn, notice, diag, info, trace and debug.  Each priority,
       when specified, also includes all priorities higher than it.  For
       example, a priority of notice would include debug messages logged at
       notice and higher.

       The following subsystems are used by sudoers:

       alias      User_Alias, Runas_Alias, Host_Alias and Cmnd_Alias processing

       all        matches every subsystem

       audit      BSM and Linux audit code

       auth       user authentication

       defaults   sudoers Defaults settings

       env        environment handling

       ldap       LDAP-based sudoers

       logging    logging support

       match      matching of users, groups, hosts and netgroups in sudoers

       netif      network interface handling

       nss        network service switch handling in sudoers

       parser     sudoers file parsing

       perms      permission setting

       plugin     The equivalent of main for the plugin.

       pty        pseudo-tty related code

       rbtree     redblack tree internals

       util       utility functions
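       As an added example (not part of sudo), the following Python code
       applies the subsystem@priority rule above: it parses a flag string,
       and decides which debug messages the flags admit.  The comma-separated
       multi-flag form and the sample messages are assumptions made here; the
       page itself documents only a single subsystem@priority.

```python
# Priorities in decreasing severity, exactly as the manual lists them.
PRIORITIES = ["crit", "err", "warn", "notice", "diag", "info", "trace", "debug"]

# Subsystems the sudoers plugin uses (the list in this section).
SUBSYSTEMS = {"alias", "all", "audit", "auth", "defaults", "env", "ldap",
              "logging", "match", "netif", "nss", "parser", "perms", "plugin",
              "pty", "rbtree", "util"}


def parse_debug_flags(spec):
    """Parse a flag list such as "all@warn,parser@debug" into a mapping
    subsystem -> index of the least severe priority still logged.
    (The comma-separated multi-flag form is an assumption of this example.)"""
    levels = {}
    for flag in spec.split(","):
        flag = flag.strip()
        if not flag:
            continue
        subsystem, sep, priority = flag.partition("@")
        if not sep or subsystem not in SUBSYSTEMS or priority not in PRIORITIES:
            raise ValueError("bad debug flag: %r" % flag)
        index = PRIORITIES.index(priority)
        # a less severe repeat for the same subsystem widens what is logged
        levels[subsystem] = max(levels.get(subsystem, -1), index)
    return levels


def is_logged(levels, subsystem, priority):
    """A message is logged when its priority is at least as severe as the
    threshold for its own subsystem or for "all", whichever is looser."""
    index = PRIORITIES.index(priority)
    threshold = max(levels.get(subsystem, -1), levels.get("all", -1))
    return index <= threshold


def filter_debug_messages(spec, messages):
    """Return the (subsystem, priority, text) tuples the flags admit."""
    levels = parse_debug_flags(spec)
    return [m for m in messages if is_logged(levels, m[0], m[1])]


# Constructed messages, not real sudoers debug output.
SAMPLE_MESSAGES = [
    ("parser", "debug", "reading sudoers file"),
    ("match", "notice", "host match for bob"),
    ("auth", "err", "authentication failed"),
    ("env", "warn", "dropped LD_PRELOAD"),
]

if __name__ == "__main__":
    for subsystem, priority, text in filter_debug_messages("all@warn,parser@debug", SAMPLE_MESSAGES):
        print("%s@%s: %s" % (subsystem, priority, text))
```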
FILES
       /etc/sudo.conf            Sudo front end configuration

       /etc/sudoers              List of who can run what

       /etc/group                Local groups file

       /etc/netgroup             List of network groups

       /var/log/sudo-io          I/O log files

       /var/adm/sudo             Directory containing time stamps for the
                                 sudoers security policy

       /etc/environment          Initial environment for -i mode on AIX and
                                 Linux

EXAMPLES
       Below are example sudoers entries.  Admittedly, some of these are a bit
       contrived.  First, we allow a few environment variables to pass and
       then define our aliases:

           # Run X applications through sudo; HOME is used to find the
           # .Xauthority file.  Note that other programs use HOME to find
           # configuration files and this may lead to privilege escalation!
           Defaults env_keep += "DISPLAY HOME"

           # User alias specification
           User_Alias     FULLTIMERS = millert, mikef, dowdy
           User_Alias     PARTTIMERS = bostley, jwfox, crawl
           User_Alias     WEBMASTERS = will, wendy, wim

           # Runas alias specification
           Runas_Alias    OP = root, operator
           Runas_Alias    DB = oracle, sybase
           Runas_Alias    ADMINGRP = adm, oper

           # Host alias specification
           Host_Alias     SPARC = bigtime, eclipse, moet, anchor :\
                          SGI = grolsch, dandelion, black :\
                          ALPHA = widget, thalamus, foobar :\
                          HPPA = boa, nag, python
           Host_Alias     CUNETS = 128.138.0.0/255.255.0.0
           Host_Alias     CSNETS = 128.138.243.0, 128.138.204.0/24, 128.138.242.0
           Host_Alias     SERVERS = master, mail, www, ns
           Host_Alias     CDROM = orion, perseus, hercules

           # Cmnd alias specification
           Cmnd_Alias     DUMPS = /usr/bin/mt, /usr/sbin/dump, /usr/sbin/rdump,\
                                  /usr/sbin/restore, /usr/sbin/rrestore
           Cmnd_Alias     KILL = /usr/bin/kill
           Cmnd_Alias     PRINTING = /usr/sbin/lpc, /usr/bin/lprm
           Cmnd_Alias     SHUTDOWN = /usr/sbin/shutdown
           Cmnd_Alias     HALT = /usr/sbin/halt
           Cmnd_Alias     REBOOT = /usr/sbin/reboot
           Cmnd_Alias     SHELLS = /usr/bin/sh, /usr/bin/csh, /usr/bin/ksh, \
                                   /usr/local/bin/tcsh, /usr/bin/rsh, \
                                   /usr/local/bin/zsh
           Cmnd_Alias     SU = /usr/bin/su
           Cmnd_Alias     PAGERS = /usr/bin/more, /usr/bin/pg, /usr/bin/less

       Here we override some of the compiled-in default values.  We want sudo
       to log via syslog(3) using the auth facility in all cases.  We don't
       want to subject the full time staff to the sudo lecture, user millert
       need not give a password, and we don't want to reset the LOGNAME, USER
       or USERNAME environment variables when running commands as root.
       Additionally, on the machines in the SERVERS Host_Alias, we keep an
       additional local log file and make sure we log the year in each log
       line since the log entries will be kept around for several years.
       Lastly, we disable shell escapes for the commands in the PAGERS
       Cmnd_Alias (/usr/bin/more, /usr/bin/pg and /usr/bin/less).

           # Override built-in defaults
           Defaults               syslog=auth
           Defaults>root          !set_logname
           Defaults:FULLTIMERS    !lecture
           Defaults:millert       !authenticate
           Defaults@SERVERS       log_year, logfile=/var/log/sudo.log
           Defaults!PAGERS        noexec

       The User specification is the part that actually determines who may run
       what.

           root           ALL = (ALL) ALL
           %wheel         ALL = (ALL) ALL

       We let root and any user in group wheel run any command on any host as
       any user.

           FULLTIMERS     ALL = NOPASSWD: ALL

       Full time sysadmins (millert, mikef, and dowdy) may run any command on
       any host without authenticating themselves.

           PARTTIMERS     ALL = ALL

       Part time sysadmins (bostley, jwfox, and crawl) may run any command on
       any host but they must authenticate themselves first (since the entry
       lacks the NOPASSWD tag).

           jack           CSNETS = ALL

       The user jack may run any command on the machines in the CSNETS alias
       (the networks 128.138.243.0, 128.138.204.0, and 128.138.242.0).  Of
       those networks, only 128.138.204.0 has an explicit netmask (in CIDR
       notation) indicating it is a class C network.  For the other networks
       in CSNETS, the local machine's netmask will be used during matching.

           lisa           CUNETS = ALL

       The user lisa may run any command on any host in the CUNETS alias (the
       class B network 128.138.0.0).

           operator       ALL = DUMPS, KILL, SHUTDOWN, HALT, REBOOT, PRINTING,\
                          sudoedit /etc/printcap, /usr/oper/bin/

       The operator user may run commands limited to simple maintenance.
       Here, those are commands related to backups, killing processes, the
       printing system, shutting down the system, and any commands in the
       directory /usr/oper/bin/.

           joe            ALL = /usr/bin/su operator

       The user joe may only su(1) to operator.

           pete           HPPA = /usr/bin/passwd [A-Za-z]*, !/usr/bin/passwd root

           %opers         ALL = (: ADMINGRP) /usr/sbin/

       Users in the opers group may run commands in /usr/sbin/ as themselves
       with any group in the ADMINGRP Runas_Alias (the adm and oper groups).

       The user pete is allowed to change anyone's password except for root on
       the HPPA machines.  Note that this assumes passwd(1) does not take
       multiple user names on the command line.

           bob            SPARC = (OP) ALL : SGI = (OP) ALL

       The user bob may run anything on the SPARC and SGI machines as any user
       listed in the OP Runas_Alias (root and operator).

           jim            +biglab = ALL

       The user jim may run any command on machines in the biglab netgroup.
       sudo knows that "biglab" is a netgroup due to the '+' prefix.

           +secretaries   ALL = PRINTING, /usr/bin/adduser, /usr/bin/rmuser

       Users in the secretaries netgroup need to help manage the printers as
       well as add and remove users, so they are allowed to run those commands
       on all machines.

           fred           ALL = (DB) NOPASSWD: ALL

       The user fred can run commands as any user in the DB Runas_Alias
       (oracle or sybase) without giving a password.

           john           ALPHA = /usr/bin/su [!-]*, !/usr/bin/su *root*

       On the ALPHA machines, user john may su to anyone except root but he is
       not allowed to specify any options to the su(1) command.

           jen            ALL, !SERVERS = ALL

       The user jen may run any command on any machine except for those in the
       SERVERS Host_Alias (master, mail, www and ns).

           jill           SERVERS = /usr/bin/, !SU, !SHELLS

       For any machine in the SERVERS Host_Alias, jill may run any commands in
       the directory /usr/bin/ except for those commands belonging to the SU
       and SHELLS Cmnd_Aliases.

           steve          CSNETS = (operator) /usr/local/op_commands/

       The user steve may run any command in the directory
       /usr/local/op_commands/ but only as user operator.

           matt           valkyrie = KILL

       On his personal workstation, valkyrie, matt needs to be able to kill
       hung processes.

           WEBMASTERS     www = (www) ALL, (root) /usr/bin/su www

       On the host www, any user in the WEBMASTERS User_Alias (will, wendy,
       and wim), may run any command as user www (which owns the web pages) or
       simply su(1) to www.

           ALL            CDROM = NOPASSWD: /sbin/umount /CDROM,\
                          /sbin/mount -o nosuid\,nodev /dev/cd0a /CDROM

       Any user may mount or unmount a CD-ROM on the machines in the CDROM
       Host_Alias (orion, perseus, hercules) without entering a password.
       This is a bit tedious for users to type, so it is a prime candidate for
       encapsulating in a shell script.

SECURITY NOTES
   Limitations of the '!' operator
       It is generally not effective to "subtract" commands from ALL using the
       '!' operator.  A user can trivially circumvent this by copying the
       desired command to a different name and then executing that.  For
       example:

           bill           ALL = ALL, !SU, !SHELLS

       Doesn't really prevent bill from running the commands listed in SU or
       SHELLS since he can simply copy those commands to a different name, or
       use a shell escape from an editor or other program.  Therefore, these
       kinds of restrictions should be considered advisory at best (and
       reinforced by policy).

       In general, if a user has sudo ALL there is nothing to prevent them
       from creating their own program that gives them a root shell (or making
       their own copy of a shell) regardless of any '!' elements in the user
       specification.

   Security implications of fast_glob
       If the fast_glob option is in use, it is not possible to reliably
       negate commands where the path name includes globbing (aka wildcard)
       characters.  This is because the C library's fnmatch(3) function cannot
       resolve relative paths.  While this is typically only an inconvenience
       for rules that grant privileges, it can result in a security issue for
       rules that subtract or revoke privileges.

       For example, given the following sudoers entry:

           john           ALL = /usr/bin/passwd [a-zA-Z0-9]*, /usr/bin/chsh [a-zA-Z0-9]*,
                          /usr/bin/chfn [a-zA-Z0-9]*, !/usr/bin/* root

       User john can still run /usr/bin/passwd root if fast_glob is enabled by
       changing to /usr/bin and running ./passwd root instead.
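       The following added example (not part of sudo or visudo) is a small
       Python linter for the two '!' patterns described in these two
       subsections: commands subtracted from ALL, which are advisory only, and
       negated paths containing wildcards, which fast_glob cannot enforce.  It
       understands single-alias Cmnd_Alias lines and plain user
       specifications only; the sample sudoers text is constructed from the
       examples on this page.

```python
import re

# Tags that may prefix a command in a user specification.
CMND_TAGS = ("NOPASSWD:", "PASSWD:", "NOEXEC:", "EXEC:", "SETENV:", "NOSETENV:")
GLOB_CHARS = set("*?[")


def logical_lines(text):
    """Yield sudoers lines with comments removed and backslash
    continuation lines joined."""
    pending = ""
    for raw in text.splitlines():
        line = re.sub(r"(^|\s)#.*$", "", raw).rstrip()
        if line.endswith("\\"):
            pending += line[:-1] + " "
            continue
        line = (pending + line).strip()
        pending = ""
        if line:
            yield line
    if pending.strip():
        yield pending.strip()


def split_commands(rhs):
    """Split a command list on commas that are not escaped with a backslash
    (the manual's mount example uses "nosuid\\,nodev")."""
    return [c.strip() for c in re.split(r"(?<!\\),", rhs) if c.strip()]


def strip_prefixes(entry):
    """Drop a leading Runas spec "(...)" and any TAG: prefixes, in any order."""
    entry = re.sub(r"^\([^)]*\)\s*", "", entry)
    stripped = True
    while stripped:
        stripped = False
        for tag in CMND_TAGS:
            if entry.startswith(tag):
                entry = entry[len(tag):].lstrip()
                stripped = True
    return entry


def expand(name, aliases, seen=()):
    """Expand a Cmnd_Alias name recursively; anything else is returned as is."""
    if name not in aliases or name in seen:
        return [name]
    members = []
    for member in aliases[name]:
        members.extend(expand(member, aliases, seen + (name,)))
    return members


def parse_sudoers(text):
    """Return (Cmnd_Alias table, [(user, [command entries])]); Defaults and
    the other alias kinds are skipped."""
    aliases, specs = {}, []
    for line in logical_lines(text):
        if line.startswith("Cmnd_Alias"):
            name, _, rhs = line[len("Cmnd_Alias"):].partition("=")
            aliases[name.strip()] = split_commands(rhs)
        elif line.startswith(("Defaults", "User_Alias", "Host_Alias", "Runas_Alias")):
            continue
        elif "=" in line:
            user_hosts, _, rhs = line.partition("=")
            user = user_hosts.split()[0]
            # "bob SPARC = (OP) ALL : SGI = (OP) ALL" carries several host specs
            for segment in re.split(r"\s:\s", rhs):
                specs.append((user, split_commands(segment.split("=", 1)[-1])))
    return aliases, specs


def lint(text):
    """Return (user, message) findings for the two '!' anti-patterns."""
    aliases, specs = parse_sudoers(text)
    findings = []
    for user, entries in specs:
        allowed, denied = [], []
        for entry in entries:
            body = strip_prefixes(entry)
            bangs = len(body) - len(body.lstrip("!"))   # "!!x" is not negated
            body = body[bangs:].strip()
            (denied if bangs % 2 else allowed).extend(expand(body, aliases))
        if "ALL" in allowed and denied:
            findings.append((user, "subtracting from ALL is advisory only: !"
                             + ", !".join(denied)))
        for cmd in denied:
            if GLOB_CHARS & set(cmd.split(None, 1)[0]):
                findings.append((user, "negated path uses wildcards, which "
                                 "fast_glob cannot enforce: !" + cmd))
    return findings


# Constructed sample, built from the examples in this manual.
SAMPLE_SUDOERS = r"""
Cmnd_Alias SU = /usr/bin/su
Cmnd_Alias SHELLS = /usr/bin/sh, /usr/bin/csh, /usr/bin/ksh
bill    ALL = ALL, !SU, !SHELLS
john    ALL = /usr/bin/passwd [a-zA-Z0-9]*, /usr/bin/chsh [a-zA-Z0-9]*, \
               /usr/bin/chfn [a-zA-Z0-9]*, !/usr/bin/* root
jill    SERVERS = /usr/bin/, !SU, !SHELLS
pete    HPPA = /usr/bin/passwd [A-Za-z]*, !/usr/bin/passwd root
"""

if __name__ == "__main__":
    for user, message in lint(SAMPLE_SUDOERS):
        print("%s: %s" % (user, message))
```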
   Preventing Shell Escapes
       Once sudo executes a program, that program is free to do whatever it
       pleases, including running other programs.  This can be a security issue
       since it is not uncommon for a program to allow shell escapes, which
       lets a user bypass sudo's access control and logging.  Common programs
       that permit shell escapes include shells (obviously), editors,
       paginators, mail and terminal programs.

       There are two basic approaches to this problem:

       restrict  Avoid giving users access to commands that allow the user to
                 run arbitrary commands.  Many editors have a restricted mode
                 where shell escapes are disabled, though sudoedit is a better
                 solution to running editors via sudo.  Due to the large
                 number of programs that offer shell escapes, restricting
                 users to the set of programs that do not is often unworkable.

       noexec    Many systems that support shared libraries have the ability
                 to override default library functions by pointing an
                 environment variable (usually LD_PRELOAD) to an alternate
                 shared library.  On such systems, sudo's noexec functionality
                 can be used to prevent a program run by sudo from executing
                 any other programs.  Note, however, that this applies only to
                 native dynamically-linked executables.  Statically-linked
                 executables and foreign executables running under binary
                 emulation are not affected.

                 The noexec feature is known to work on SunOS, Solaris, *BSD,
                 Linux, IRIX, Tru64 UNIX, MacOS X, HP-UX 11.x and AIX 5.3 and
                 above.  It should be supported on most operating systems that
                 support the LD_PRELOAD environment variable.  Check your
                 operating system's manual pages for the dynamic linker
                 (usually ld.so, ld.so.1, dyld, dld.sl, rld, or loader) to see
                 if LD_PRELOAD is supported.

                 On Solaris 10 and higher, noexec uses Solaris privileges
                 instead of the LD_PRELOAD environment variable.

                 To enable noexec for a command, use the NOEXEC tag as
                 documented in the User Specification section above.  Here is
                 an example:

                     aaron          shanty = NOEXEC: /usr/bin/more, /usr/bin/vi

                 This allows user aaron to run /usr/bin/more and /usr/bin/vi
                 with noexec enabled.  This will prevent those two commands
                 from executing other commands (such as a shell).  If you are
                 unsure whether or not your system is capable of supporting
                 noexec you can always just try it out and check whether shell
                 escapes work when noexec is enabled.

       Note that restricting shell escapes is not a panacea.  Programs running
       as root are still capable of many potentially hazardous operations
       (such as changing or overwriting files) that could lead to unintended
       privilege escalation.  In the specific case of an editor, a safer
       approach is to give the user permission to run sudoedit.

   Time stamp file checks
       sudoers will check the ownership of its time stamp directory
       (/var/adm/sudo by default) and ignore the directory's contents if it is
       not owned by root or if it is writable by a user other than root.  On
       systems that allow non-root users to give away files via chown(2), if
       the time stamp directory is located in a world-writable directory
       (e.g., /tmp), it is possible for a user to create the time stamp
       directory before sudo is run.  However, because sudoers checks the
       ownership and mode of the directory and its contents, the only damage
       that can be done is to "hide" files by putting them in the time stamp
       dir.  This is unlikely to happen since once the time stamp dir is owned
       by root and inaccessible by any other user, the user placing files
       there would be unable to get them back out.

       sudoers will not honor time stamps set far in the future.  Time stamps
       with a date greater than current_time + 2 * TIMEOUT will be ignored and
       sudo will log and complain.  This is done to keep a user from creating
       his/her own time stamp with a bogus date on systems that allow users to
       give away files if the time stamp directory is located in a world-
       writable directory.

       On systems where the boot time is available, sudoers will ignore time
       stamps that date from before the machine booted.

       Since time stamp files live in the file system, they can outlive a
       user's login session.  As a result, a user may be able to login, run a
       command with sudo after authenticating, logout, login again, and run
       sudo without authenticating so long as the time stamp file's
       modification time is within 5 minutes (or whatever the timeout is set
       to in sudoers).  When the tty_tickets option is enabled, the time stamp
       has per-tty granularity but still may outlive the user's session.  On
       Linux systems where the devpts filesystem is used, Solaris systems with
       the devices filesystem, as well as other systems that utilize a devfs
       filesystem that monotonically increases the inode number of devices as
       they are created (such as Mac OS X), sudoers is able to determine when
       a tty-based time stamp file is stale and will ignore it.
       Administrators should not rely on this feature as it is not universally
       supported.
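       The following added example (Python, not sudo's own code) models the
       time stamp checks described in this subsection: directory and file
       ownership and mode, the current_time + 2 * TIMEOUT future bound, the
       boot-time bound, and the ordinary timeout window.  The owner_uid
       parameter stands in for the timestampowner option so that the
       demonstration can run in a temporary directory owned by the current
       user; the per-tty staleness detection is not modelled.

```python
import os
import stat
import tempfile
import time
from dataclasses import dataclass

DEFAULT_TIMEOUT = 5 * 60  # the default credential timeout: 5 minutes


@dataclass
class StampInfo:
    uid: int      # owner of the directory or file
    mode: int     # permission bits only (st_mode & 0o7777)
    mtime: float  # modification time, seconds since the epoch


def writable_by_others(mode):
    """True if the group or world write bit is set."""
    return bool(mode & (stat.S_IWGRP | stat.S_IWOTH))


def evaluate_stamp(directory, stamp, now, owner_uid=0, boot_time=None,
                   timeout=DEFAULT_TIMEOUT):
    """Decide whether a time stamp lets the user skip authentication.

    owner_uid models the timestampowner option (root by default).  The
    checks follow the text: directory trust, file trust, far-future stamp,
    pre-boot stamp, then the ordinary timeout window.  Returns (valid, reason).
    """
    if directory.uid != owner_uid or writable_by_others(directory.mode):
        return False, "time stamp directory not trusted (owner or mode)"
    if stamp.uid != owner_uid or writable_by_others(stamp.mode):
        return False, "time stamp file not trusted (owner or mode)"
    if stamp.mtime > now + 2 * timeout:
        return False, "time stamp too far in the future (sudo would log this)"
    if boot_time is not None and stamp.mtime < boot_time:
        return False, "time stamp predates the last boot"
    if now - stamp.mtime > timeout:
        return False, "time stamp expired"
    return True, "time stamp valid"


def stat_info(path):
    """Collect the fields the checks need from os.stat()."""
    st = os.stat(path)
    return StampInfo(st.st_uid, stat.S_IMODE(st.st_mode), st.st_mtime)


def check_stamp_path(stamp_path, now=None, owner_uid=0, boot_time=None,
                     timeout=DEFAULT_TIMEOUT):
    """Filesystem wrapper: stat the stamp file and its parent directory."""
    now = time.time() if now is None else now
    return evaluate_stamp(stat_info(os.path.dirname(stamp_path)),
                          stat_info(stamp_path), now, owner_uid, boot_time,
                          timeout)


def run_demo():
    """Build a constructed time stamp directory under a temp path, owned by
    the current user (standing in for timestampowner), and return the
    verdict for each stamp."""
    now = time.time()
    stamp_dir = tempfile.mkdtemp()
    os.chmod(stamp_dir, 0o700)
    cases = {  # name -> (age in seconds, file mode)
        "fresh": (60, 0o600),
        "expired": (DEFAULT_TIMEOUT + 1, 0o600),
        "future": (-(2 * DEFAULT_TIMEOUT + 1), 0o600),
        "loose": (60, 0o660),  # fresh but group-writable: not trusted
    }
    verdicts = {}
    for name, (age, mode) in cases.items():
        path = os.path.join(stamp_dir, name)
        open(path, "w").close()
        os.chmod(path, mode)
        os.utime(path, (now - age, now - age))
        verdicts[name] = check_stamp_path(path, now=now, owner_uid=os.getuid())[0]
    return verdicts


if __name__ == "__main__":
    for name, valid in run_demo().items():
        print("%-8s %s" % (name, "valid" if valid else "ignored"))
```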
SEE ALSO
       rsh(1), su(1), fnmatch(3), glob(3), mktemp(3), strftime(3),
       sudoers.ldap(4), sudo_plugin(1m), sudo(1m), visudo(1m)

CAVEATS
       The sudoers file should always be edited by the visudo command which
       locks the file and does grammatical checking.  It is imperative that
       sudoers be free of syntax errors since sudo will not run with a
       syntactically incorrect sudoers file.

       When using netgroups of machines (as opposed to users), if you store
       fully qualified host names in the netgroup (as is usually the case), you
       either need to have the machine's host name be fully qualified as
       returned by the hostname command or use the fqdn option in sudoers.

BUGS
       If you feel you have found a bug in sudo, please submit a bug report at
       http://www.sudo.ws/sudo/bugs/

SUPPORT
       Limited free support is available via the sudo-users mailing list, see
       http://www.sudo.ws/mailman/listinfo/sudo-users to subscribe or search
       the archives.

DISCLAIMER
       sudo is provided ``AS IS'' and any express or implied warranties,
       including, but not limited to, the implied warranties of
       merchantability and fitness for a particular purpose are disclaimed.
       See the LICENSE file distributed with sudo or
       http://www.sudo.ws/sudo/license.html for complete details.

1.8.5                          March 28, 2012                       SUDOERS(4)