SUDOERS(4)                  MAINTENANCE COMMANDS                  SUDOERS(4)

sudoers - default sudo security policy module

DESCRIPTION
The sudoers policy module determines a user's sudo privileges. It is the default sudo policy plugin. The policy is driven by the /etc/sudoers file or, optionally, in LDAP. The policy format is described in detail in the "SUDOERS FILE FORMAT" section. For information on storing sudoers policy information in LDAP, please see sudoers.ldap(4).

Authentication and Logging
The sudoers security policy requires that most users authenticate themselves before they can use sudo. A password is not required if the invoking user is root, if the target user is the same as the invoking user, or if the policy has disabled authentication for the user or command. Unlike su(1), when sudoers requires authentication, it validates the invoking user's credentials, not the target user's (or root's) credentials. This can be changed via the rootpw, targetpw and runaspw flags, described later.

If a user who is not listed in the policy tries to run a command via sudo, mail is sent to the proper authorities. The address used for such mail is configurable via the mailto Defaults entry (described later) and defaults to root.

Note that mail will not be sent if an unauthorized user tries to run sudo with the -l or -v option. This allows users to determine for themselves whether or not they are allowed to use sudo.

If sudo is run by root and the SUDO_USER environment variable is set, the sudoers policy will use this value to determine who the actual user is. This can be used by a user to log commands through sudo even when a root shell has been invoked. It also allows the -e option to remain useful even when invoked via a sudo-run script or program. Note, however, that the sudoers lookup is still done for root, not the user specified by SUDO_USER.

sudoers uses time stamp files for credential caching. Once a user has been authenticated, a time stamp is updated and the user may then use sudo without a password for a short period of time (5 minutes unless overridden by the timeout option). By default, sudoers uses a tty-based time stamp, which means that there is a separate time stamp for each of a user's login sessions. The tty_tickets option can be disabled to force the use of a single time stamp for all of a user's sessions.

sudoers can log both successful and unsuccessful attempts (as well as errors) to syslog(3), a log file, or both. By default, sudoers will log via syslog(3) but this is changeable via the syslog and logfile

sudoers also supports logging a command's input and output streams. I/O logging is not on by default but can be enabled using the log_input and log_output Defaults flags as well as the LOG_INPUT and LOG_OUTPUT

Command Environment
Since environment variables can influence program behavior, sudoers provides a means to restrict which variables from the user's environment are inherited by the command to be run. There are two distinct ways sudoers can deal with environment variables.

By default, the env_reset option is enabled. This causes commands to be executed with a minimal environment containing the TERM, PATH, HOME, MAIL, SHELL, LOGNAME, USER, USERNAME and SUDO_* variables in addition to variables from the invoking process permitted by the env_check and env_keep options. This is effectively a whitelist for environment

If, however, the env_reset option is disabled, any variables not explicitly denied by the env_check and env_delete options are inherited from the invoking process. In this case, env_check and env_delete behave like a blacklist. Since it is not possible to blacklist all potentially dangerous environment variables, use of the default env_reset behavior is encouraged.

In all cases, environment variables with a value beginning with () are removed as they could be interpreted as bash functions. The list of environment variables that sudo allows or denies is contained in the output of sudo -V when run as root.

Note that the dynamic linker on most operating systems will remove variables that can control dynamic linking from the environment of setuid executables, including sudo. Depending on the operating system this may include _RLD*, DYLD_*, LD_*, LDR_*, LIBPATH, SHLIB_PATH, and others. These types of variables are removed from the environment before sudo even begins execution and, as such, it is not possible for sudo to preserve them.

As a special case, if sudo's -i option (initial login) is specified, sudoers will initialize the environment regardless of the value of env_reset. The DISPLAY, PATH and TERM variables remain unchanged; HOME, MAIL, SHELL, USER, and LOGNAME are set based on the target user. On Linux and AIX systems the contents of /etc/environment are also included. All other environment variables are removed.

Lastly, if the env_file option is defined, any variables present in that file will be set to their specified values.
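The following Python is an added illustration (not sudo's own code) of the two modes this section describes: the env_reset whitelist and the blacklist that applies when env_reset is disabled, with the "()" rule applied in both. The env_keep, env_check and env_delete lists and the sample environment are constructed for the example; the env_check test (drop a value containing '/' or '%') is sudo's documented rule and is not spelled out in the text above.

```python
"""Model of the two environment-handling modes described in Command Environment.

Added illustration, not sudo's own code.  The env_keep / env_check /
env_delete lists below are constructed for the example; sudo's real
compiled-in lists are shown by `sudo -V` run as root.
"""
from fnmatch import fnmatchcase

# Variables the text says are always present when env_reset is enabled.
ENV_RESET_BASE = ("TERM", "PATH", "HOME", "MAIL", "SHELL", "LOGNAME",
                  "USER", "USERNAME", "SUDO_*")

# Constructed stand-ins for the env_keep, env_check and env_delete options.
ENV_KEEP = ("COLORS", "DISPLAY", "LANG", "LC_*")
ENV_CHECK = ("TZ", "COLORTERM")
ENV_DELETE = ("IFS", "CDPATH", "LD_*", "PYTHONPATH", "PERL5LIB")


def _matches(name, patterns):
    """True if the variable name matches any of the glob patterns."""
    return any(fnmatchcase(name, pat) for pat in patterns)


def _check_ok(value):
    """env_check rule: keep the variable only if its value contains
    neither '/' nor '%' (sudo's documented test, assumed here)."""
    return "/" not in value and "%" not in value


def filter_environment(user_env, env_reset=True):
    """Return the environment the command would receive.

    env_reset=True  - whitelist: start from ENV_RESET_BASE, add env_keep
                      matches and env_check matches that pass the check.
    env_reset=False - blacklist: inherit everything except env_delete
                      matches and env_check matches that fail the check.
    In both modes a value beginning with "()" is dropped, because bash
    would import it as a function.
    """
    result = {}
    for name, value in user_env.items():
        if value.startswith("()"):
            continue
        if env_reset:
            keep = (_matches(name, ENV_RESET_BASE)
                    or _matches(name, ENV_KEEP)
                    or (_matches(name, ENV_CHECK) and _check_ok(value)))
        else:
            keep = not (_matches(name, ENV_DELETE)
                        or (_matches(name, ENV_CHECK) and not _check_ok(value)))
        if keep:
            result[name] = value
    return result


# Constructed sample of an invoking user's environment.
USER_ENV = {
    "PATH": "/usr/local/bin:/usr/bin:/bin",
    "HOME": "/home/alice",
    "TERM": "xterm",
    "LANG": "en_US.UTF-8",
    "TZ": "/etc/localtime",            # env_check variable whose value has a '/'
    "LD_PRELOAD": "/opt/lib/hook.so",  # the dynamic linker strips this anyway
    "CDPATH": ".:/tmp",
    "PS1": "() { :; }",                # value beginning with "()"
    "EDITOR": "vim",                   # on no list at all
    "PAGER": "/home/alice/bin/pager",  # on no list at all
}


def inherited_only_without_env_reset(user_env=USER_ENV):
    """Variables that reach the command only when env_reset is disabled:
    the gap the text has in mind when it recommends the default."""
    whitelist = filter_environment(user_env, env_reset=True)
    blacklist = filter_environment(user_env, env_reset=False)
    return sorted(set(blacklist) - set(whitelist))


if __name__ == "__main__":
    print("env_reset on :", sorted(filter_environment(USER_ENV)))
    print("env_reset off:", sorted(filter_environment(USER_ENV, env_reset=False)))
    print("blacklist-only:", inherited_only_without_env_reset())
```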
SUDOERS FILE FORMAT
The sudoers file is composed of two types of entries: aliases (basically variables) and user specifications (which specify who may

When multiple entries match for a user, they are applied in order. Where there are multiple matches, the last match is used (which is not necessarily the most specific match).

The sudoers grammar will be described below in Extended Backus-Naur Form (EBNF). Don't despair if you don't know what EBNF is; it is fairly simple, and the definitions below are annotated.

Quick guide to EBNF
EBNF is a concise and exact way of describing the grammar of a language. Each EBNF definition is made up of production rules. E.g.,

    symbol ::= definition | alternate1 | alternate2 ...

Each production rule references others and thus makes up a grammar for the language. EBNF also contains the following operators, which many readers will recognize from regular expressions. Do not, however, confuse them with "wildcard" characters, which have different meanings.

    ?  Means that the preceding symbol (or group of symbols) is optional. That is, it may appear once or not at all.

    *  Means that the preceding symbol (or group of symbols) may appear

    +  Means that the preceding symbol (or group of symbols) may appear

Parentheses may be used to group symbols together. For clarity, we will use single quotes ('') to designate what is a verbatim character string (as opposed to a symbol name).

Aliases
There are four kinds of aliases: User_Alias, Runas_Alias, Host_Alias

    Alias ::= 'User_Alias'  User_Alias (':' User_Alias)* |
              'Runas_Alias' Runas_Alias (':' Runas_Alias)* |
              'Host_Alias'  Host_Alias (':' Host_Alias)* |
              'Cmnd_Alias'  Cmnd_Alias (':' Cmnd_Alias)*

    User_Alias ::= NAME '=' User_List

    Runas_Alias ::= NAME '=' Runas_List

    Host_Alias ::= NAME '=' Host_List

    Cmnd_Alias ::= NAME '=' Cmnd_List

    NAME ::= [A-Z]([A-Z][0-9]_)*

Each alias definition is of the form

    Alias_Type NAME = item1, item2, ...

where Alias_Type is one of User_Alias, Runas_Alias, Host_Alias, or Cmnd_Alias. A NAME is a string of uppercase letters, numbers, and underscore characters ('_'). A NAME must start with an uppercase letter. It is possible to put several alias definitions of the same type on a single line, joined by a colon (':'). E.g.,

    Alias_Type NAME = item1, item2, item3 : NAME = item4, item5

The definitions of what constitutes a valid alias member follow.

    User ::= '!'* user name |
             '!'* %:nonunix_group |
             '!'* %:#nonunix_gid |

A User_List is made up of one or more user names, user ids (prefixed with '#'), system group names and ids (prefixed with '%' and '%#' respectively), netgroups (prefixed with '+'), non-Unix group names and IDs (prefixed with '%:' and '%:#' respectively) and User_Aliases. Each list item may be prefixed with zero or more '!' operators. An odd number of '!' operators negates the value of the item; an even number just cancels out.

A user name, uid, group, gid, netgroup, nonunix_group or nonunix_gid may be enclosed in double quotes to avoid the need for escaping special characters. Alternately, special characters may be specified in escaped hex mode, e.g. \x20 for space. When using double quotes, any prefix characters must be included inside the quotes.

The actual nonunix_group and nonunix_gid syntax depends on the underlying group provider plugin (see the group_plugin description below). For instance, the QAS AD plugin supports the following

    o  Group in the same domain: "Group Name"

    o  Group in any domain: "Group Name@FULLY.QUALIFIED.DOMAIN"

    o  Group SID: "S-1-2-34-5678901234-5678901234-5678901234-567"

Note that quotes around group names are optional. Unquoted strings must use a backslash (\) to escape spaces and special characters. See "Other special characters and reserved words" for a list of characters that need to be escaped.

    Runas_List ::= Runas_Member |
                   Runas_Member ',' Runas_List

    Runas_Member ::= '!'* user name |
                     '!'* %:nonunix_group |
                     '!'* %:#nonunix_gid |

A Runas_List is similar to a User_List except that instead of User_Aliases it can contain Runas_Aliases. Note that user names and groups are matched as strings. In other words, two users (groups) with the same uid (gid) are considered to be distinct. If you wish to match all user names with the same uid (e.g. root and toor), you can use a uid instead (#0 in the example given).

    Host ::= '!'* host name |
             '!'* network(/netmask)? |

A Host_List is made up of one or more host names, IP addresses, network numbers, netgroups (prefixed with '+') and other aliases. Again, the value of an item may be negated with the '!' operator. If you do not specify a netmask along with the network number, sudo will query each of the local host's network interfaces and, if the network number corresponds to one of the host's network interfaces, the corresponding netmask will be used. The netmask may be specified either in standard IP address notation (e.g. 255.255.255.0 or ffff:ffff:ffff:ffff::), or CIDR notation (number of bits, e.g. 24 or 64). A host name may include shell-style wildcards (see the Wildcards section below), but unless the host name command on your machine returns the fully qualified host name, you'll need to use the fqdn option for wildcards to be useful. Note that sudo only inspects actual network interfaces; this means that IP address 127.0.0.1 (localhost) will never match. Also, the host name "localhost" will only match if that is the actual host name, which is usually only the case for non-networked systems.

    commandname ::= file name |

    Cmnd ::= '!'* commandname |

A Cmnd_List is a list of one or more commandnames, directories, and other aliases. A commandname is a fully qualified file name which may include shell-style wildcards (see the Wildcards section below). A simple file name allows the user to run the command with any arguments he/she wishes. However, you may also specify command line arguments (including wildcards). Alternately, you can specify "" to indicate that the command may only be run without command line arguments. A directory is a fully qualified path name ending in a '/'. When you specify a directory in a Cmnd_List, the user will be able to run any file within that directory (but not in any subdirectories therein).

If a Cmnd has associated command line arguments, then the arguments in the Cmnd must match exactly those given by the user on the command line (or match the wildcards if there are any). Note that the following characters must be escaped with a '\' if they are used in command arguments: ',', ':', '=', '\'. The special command "sudoedit" is used to permit a user to run sudo with the -e option (or as sudoedit). It may take command line arguments just as a normal command does.

Defaults
Certain configuration options may be changed from their default values at runtime via one or more Default_Entry lines. These may affect all users on any host, all users on a specific host, a specific user, a specific command, or commands being run as a specific user. Note that per-command entries may not include command line arguments. If you need to specify arguments, define a Cmnd_Alias and reference that

    Default_Type ::= 'Defaults' |
                     'Defaults' '@' Host_List |
                     'Defaults' ':' User_List |
                     'Defaults' '!' Cmnd_List |
                     'Defaults' '>' Runas_List

    Default_Entry ::= Default_Type Parameter_List

    Parameter_List ::= Parameter |
                       Parameter ',' Parameter_List

    Parameter ::= Parameter '=' Value |
                  Parameter '+=' Value |
                  Parameter '-=' Value |

Parameters may be flags, integer values, strings, or lists. Flags are implicitly boolean and can be turned off via the '!' operator. Some integer, string and list parameters may also be used in a boolean context to disable them. Values may be enclosed in double quotes (") when they contain multiple words. Special characters may be escaped with a backslash (\).

Lists have two additional assignment operators, += and -=. These operators are used to add to and delete from a list respectively. It is not an error to use the -= operator to remove an element that does

Defaults entries are parsed in the following order: generic, host and user Defaults first, then runas Defaults and finally command defaults.

See "SUDOERS OPTIONS" for a list of supported Defaults parameters.

User Specification

    User_Spec ::= User_List Host_List '=' Cmnd_Spec_List \
                  (':' Host_List '=' Cmnd_Spec_List)*

    Cmnd_Spec_List ::= Cmnd_Spec |
                       Cmnd_Spec ',' Cmnd_Spec_List

    Cmnd_Spec ::= Runas_Spec? SELinux_Spec? Tag_Spec* Cmnd

    Runas_Spec ::= '(' Runas_List? (':' Runas_List)? ')'

    SELinux_Spec ::= ('ROLE=role' | 'TYPE=type')

    Tag_Spec ::= ('NOPASSWD:' | 'PASSWD:' | 'NOEXEC:' | 'EXEC:' |
                  'SETENV:' | 'NOSETENV:' | 'LOG_INPUT:' | 'NOLOG_INPUT:' |
                  'LOG_OUTPUT:' | 'NOLOG_OUTPUT:')

A user specification determines which commands a user may run (and as what user) on specified hosts. By default, commands are run as root, but this can be changed on a per-command basis.

The basic structure of a user specification is `who where = (as_whom) what'. Let's break that down into its constituent parts:

Runas_Spec
A Runas_Spec determines the user and/or the group that a command may be run as. A fully-specified Runas_Spec consists of two Runas_Lists (as defined above) separated by a colon (':') and enclosed in a set of parentheses. The first Runas_List indicates which users the command may be run as via sudo's -u option. The second defines a list of groups that can be specified via sudo's -g option. If both Runas_Lists are specified, the command may be run with any combination of users and groups listed in their respective Runas_Lists. If only the first is specified, the command may be run as any user in the list but no -g option may be specified. If the first Runas_List is empty but the second is specified, the command may be run as the invoking user with the group set to any listed in the Runas_List. If no Runas_Spec is specified the command may be run as root and no group may be specified.

A Runas_Spec sets the default for the commands that follow it. What this means is that for the entry:

    dgb boulder = (operator) /bin/ls, /bin/kill, /usr/bin/lprm

The user dgb may run /bin/ls, /bin/kill, and /usr/bin/lprm -- but only as operator. E.g.,

    $ sudo -u operator /bin/ls

It is also possible to override a Runas_Spec later on in an entry. If we modify the entry like so:

    dgb boulder = (operator) /bin/ls, (root) /bin/kill, /usr/bin/lprm

Then user dgb is now allowed to run /bin/ls as operator, but /bin/kill and /usr/bin/lprm as root.

We can extend this to allow dgb to run /bin/ls with either the user or group set to operator:

    dgb boulder = (operator : operator) /bin/ls, (root) /bin/kill, \

Note that while the group portion of the Runas_Spec permits the user to run a command with that group, it does not force the user to do so. If no group is specified on the command line, the command will run with the group listed in the target user's password database entry. The following would all be permitted by the sudoers entry above:

    $ sudo -u operator /bin/ls
    $ sudo -u operator -g operator /bin/ls
    $ sudo -g operator /bin/ls

In the following example, user tcm may run commands that access a modem device file with the dialer group.

    tcm boulder = (:dialer) /usr/bin/tip, /usr/bin/cu, \
        /usr/local/bin/minicom

Note that in this example only the group will be set; the command still runs as user tcm. E.g.

    $ sudo -g dialer /usr/bin/cu

Multiple users and groups may be present in a Runas_Spec, in which case the user may select any combination of users and groups via the -u and -g options. In this example:

    alan ALL = (root, bin : operator, system) ALL

user alan may run any command as either user root or bin, optionally setting the group to operator or system.

SELinux_Spec
On systems with SELinux support, sudoers entries may optionally have an SELinux role and/or type associated with a command. If a role or type is specified with the command it will override any default values specified in sudoers. A role or type specified on the command line, however, will supersede the values in sudoers.

Tag_Spec
A command may have zero or more tags associated with it. There are eight possible tag values, NOPASSWD, PASSWD, NOEXEC, EXEC, SETENV, NOSETENV, LOG_INPUT, NOLOG_INPUT, LOG_OUTPUT and NOLOG_OUTPUT. Once a tag is set on a Cmnd, subsequent Cmnds in the Cmnd_Spec_List inherit the tag unless it is overridden by the opposite tag (i.e.: PASSWD overrides NOPASSWD and NOEXEC overrides EXEC).

NOPASSWD and PASSWD

By default, sudo requires that a user authenticate him or herself before running a command. This behavior can be modified via the NOPASSWD tag. Like a Runas_Spec, the NOPASSWD tag sets a default for the commands that follow it in the Cmnd_Spec_List. Conversely, the PASSWD tag can be used to reverse things. For example:

    ray rushmore = NOPASSWD: /bin/kill, /bin/ls, /usr/bin/lprm

would allow the user ray to run /bin/kill, /bin/ls, and /usr/bin/lprm as root on the machine rushmore without authenticating himself. If we only want ray to be able to run /bin/kill without a password the entry

    ray rushmore = NOPASSWD: /bin/kill, PASSWD: /bin/ls, /usr/bin/lprm

Note, however, that the PASSWD tag has no effect on users who are in the group specified by the exempt_group option.

By default, if the NOPASSWD tag is applied to any of the entries for a user on the current host, he or she will be able to run sudo -l without a password. Additionally, a user may only run sudo -v without a password if the NOPASSWD tag is present for all of a user's entries that pertain to the current host. This behavior may be overridden via the verifypw and listpw options.
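The carry-forward rules described for Runas_Spec and for tags (a Runas_Spec or tag applies to every following command until another Runas_Spec or the opposite tag appears) are easy to misread when auditing a sudoers file. The following Python is an added illustration, not sudo's parser: it takes the single-host form 'who where = Cmnd_Spec_List' used in the examples above (no ':' host continuation, no SELinux_Spec) and reports the effective Runas_Spec and tag set per command. The rule that NOSETENV cancels the SETENV implied for ALL is sudo's documented behaviour and is assumed here.

```python
"""Effective Runas_Spec and tags for each command in a Cmnd_Spec_List.

Added illustration, not sudo's parser.  Handles 'who where = Cmnd_Spec_List'
without ':' host continuations or SELinux_Spec, and models the text's
carry-forward rules: a Runas_Spec or tag applies to every command that
follows it until another Runas_Spec or the opposite tag appears.
"""
import re
from dataclasses import dataclass

# Each tag and the opposite tag that cancels it for subsequent commands.
OPPOSITE_TAG = {
    "NOPASSWD": "PASSWD", "PASSWD": "NOPASSWD",
    "NOEXEC": "EXEC", "EXEC": "NOEXEC",
    "SETENV": "NOSETENV", "NOSETENV": "SETENV",
    "LOG_INPUT": "NOLOG_INPUT", "NOLOG_INPUT": "LOG_INPUT",
    "LOG_OUTPUT": "NOLOG_OUTPUT", "NOLOG_OUTPUT": "LOG_OUTPUT",
}

RUNAS_RE = re.compile(r"^\(([^)]*)\)\s*")   # '(' Runas_List? (':' Runas_List)? ')'
TAG_RE = re.compile(r"^([A-Z_]+):\s*")       # e.g. 'NOPASSWD:'


@dataclass(frozen=True)
class CmndSpec:
    command: str
    runas_users: tuple    # () means "the invoking user" (first list empty)
    runas_groups: tuple   # () means no -g may be given
    tags: frozenset


def _split_list(text):
    return tuple(item.strip() for item in text.split(",") if item.strip())


def _split_cmnd_specs(text):
    """Split a Cmnd_Spec_List on commas, ignoring commas inside a
    parenthesised Runas_Spec and backslash-escaped commas in arguments."""
    parts, current, depth, i = [], [], 0, 0
    while i < len(text):
        ch = text[i]
        if ch == "\\" and i + 1 < len(text):   # keep '\,' etc. intact
            current.append(text[i:i + 2])
            i += 2
            continue
        depth += (ch == "(") - (ch == ")")
        if ch == "," and depth == 0:
            parts.append("".join(current))
            current = []
        else:
            current.append(ch)
        i += 1
    parts.append("".join(current))
    return parts


def effective_tags(command, tags):
    """Per-command view: a Cmnd of ALL implies SETENV for that command
    unless NOSETENV is set (NOSETENV override assumed, see lead-in)."""
    if command == "ALL" and "NOSETENV" not in tags:
        return frozenset(tags | {"SETENV"})
    return frozenset(tags)


def parse_user_spec(line):
    """Return (user, host, [CmndSpec, ...]) for one user specification."""
    lhs, _, rhs = line.partition("=")
    user, host = lhs.split()
    users, groups = ("root",), ()     # default when no Runas_Spec is given
    tags = set()
    specs = []
    for item in _split_cmnd_specs(rhs):
        item = item.strip()
        m = RUNAS_RE.match(item)
        if m:                                    # a new Runas_Spec replaces the old one
            user_part, sep, group_part = m.group(1).partition(":")
            users = _split_list(user_part)
            groups = _split_list(group_part) if sep else ()
            item = item[m.end():]
        while (m := TAG_RE.match(item)):
            tag = m.group(1)
            if tag not in OPPOSITE_TAG:
                raise ValueError(f"unknown tag {tag!r}")
            tags.discard(OPPOSITE_TAG[tag])      # the opposite tag is overridden
            tags.add(tag)
            item = item[m.end():]
        specs.append(CmndSpec(item, users, groups, effective_tags(item, tags)))
    return user, host, specs


if __name__ == "__main__":
    for entry in ("dgb boulder = (operator : operator) /bin/ls, (root) /bin/kill, /usr/bin/lprm",
                  "ray rushmore = NOPASSWD: /bin/kill, PASSWD: /bin/ls, /usr/bin/lprm",
                  "tcm boulder = (:dialer) /usr/bin/tip, /usr/bin/cu",
                  "alan ALL = (root, bin : operator, system) ALL"):
        for spec in parse_user_spec(entry)[2]:
            print(spec)
```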
NOEXEC and EXEC

If sudo has been compiled with noexec support and the underlying operating system supports it, the NOEXEC tag can be used to prevent a dynamically-linked executable from running further commands itself.

In the following example, user aaron may run /usr/bin/more and /usr/bin/vi but shell escapes will be disabled.

    aaron shanty = NOEXEC: /usr/bin/more, /usr/bin/vi

See the "PREVENTING SHELL ESCAPES" section below for more details on how NOEXEC works and whether or not it will work on your system.

SETENV and NOSETENV

These tags override the value of the setenv option on a per-command basis. Note that if SETENV has been set for a command, the user may disable the env_reset option from the command line via the -E option. Additionally, environment variables set on the command line are not subject to the restrictions imposed by env_check, env_delete, or env_keep. As such, only trusted users should be allowed to set variables in this manner. If the command matched is ALL, the SETENV tag is implied for that command; this default may be overridden by use

LOG_INPUT and NOLOG_INPUT

These tags override the value of the log_input option on a per-command basis. For more information, see the description of log_input in the "SUDOERS OPTIONS" section below.

LOG_OUTPUT and NOLOG_OUTPUT

These tags override the value of the log_output option on a per-command basis. For more information, see the description of log_output in the "SUDOERS OPTIONS" section below.

Wildcards
sudo allows shell-style wildcards (aka meta or glob characters) to be used in host names, path names and command line arguments in the sudoers file. Wildcard matching is done via the POSIX glob(3) and fnmatch(3) routines. Note that these are not regular expressions.

    *       Matches any set of zero or more characters.

    ?       Matches any single character.

    [...]   Matches any character in the specified range.

    [!...]  Matches any character not in the specified range.

    \x      For any character "x", evaluates to "x". This is used to escape special characters such as: "*", "?", "[", and "}".

POSIX character classes may also be used if your system's glob(3) and fnmatch(3) functions support them. However, because the ':' character has special meaning in sudoers, it must be escaped. For example:

    /bin/ls [[\:alpha\:]]*

Would match any file name beginning with a letter.

Note that a forward slash ('/') will not be matched by wildcards used in the path name. When matching the command line arguments, however, a slash does get matched by wildcards. This is to make a path like:

match /usr/bin/who but not /usr/bin/X11/xterm.

Exceptions to wildcard rules
The following exceptions apply to the above rules:

    ""  If the empty string "" is the only command line argument in the sudoers entry it means that command is not allowed to be run with any arguments.
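The following Python is an added illustration, not sudo's matcher, of the Cmnd and wildcard rules described above: wildcards in the path name do not cross a '/', wildcards in the arguments do, '\x' yields a literal x, a bare commandname allows any arguments, "" allows none, and a commandname ending in '/' allows any file directly inside that directory. The entries and invocations it is run against are constructed for the example; POSIX character classes such as [[\:alpha\:]] are not supported by this translation.

```python
"""Cmnd matching with the wildcard semantics described in the Wildcards section.

Added illustration, not sudo's matcher.  Arguments are compared as one
space-joined string, which is how this example models "must match exactly
those given by the user on the command line".
"""
import os
import re


def glob_to_regex(pattern, match_slash):
    """Translate an fnmatch(3)-style glob into a compiled regex.
    match_slash=False gives the path-name behaviour: '*' and '?' never
    match a '/' (the FNM_PATHNAME flavour)."""
    any_char = "." if match_slash else "[^/]"
    out, i = [], 0
    while i < len(pattern):
        ch = pattern[i]
        if ch == "\\" and i + 1 < len(pattern):        # \x -> literal x
            out.append(re.escape(pattern[i + 1]))
            i += 2
            continue
        if ch == "*":
            out.append(any_char + "*")
        elif ch == "?":
            out.append(any_char)
        elif ch == "[" and (end := pattern.find("]", i + 2)) != -1:
            body = pattern[i + 1:end]
            if body.startswith("!"):                    # [!...] negates the set
                body = "^" + body[1:]
            out.append("[" + body.replace("\\", "\\\\") + "]")
            i = end
        else:
            out.append(re.escape(ch))
        i += 1
    return re.compile("^" + "".join(out) + r"\Z")


def split_cmnd(entry):
    """Split a Cmnd into (commandname, args) at the first unescaped
    whitespace.  args is None when the entry has no argument part."""
    i = 0
    while i < len(entry):
        if entry[i] == "\\":
            i += 2
            continue
        if entry[i].isspace():
            return entry[:i], entry[i:].strip()
        i += 1
    return entry, None


def cmnd_matches(entry, path, args):
    """Does running the fully qualified `path` with `args` (a list of
    argument strings) match the sudoers Cmnd `entry`?"""
    command, arg_pattern = split_cmnd(entry)
    if command.endswith("/"):
        # Directory entry: any file directly inside it, not in subdirectories.
        if os.path.dirname(path).rstrip("/") + "/" != command:
            return False
    elif not glob_to_regex(command, match_slash=False).match(path):
        return False
    if arg_pattern is None:
        return True                  # bare commandname: any arguments allowed
    if arg_pattern == '""':
        return not args              # "": the command takes no arguments
    # In the arguments a wildcard may cross a '/'.
    return bool(glob_to_regex(arg_pattern, match_slash=True).match(" ".join(args)))


if __name__ == "__main__":
    print(cmnd_matches("/usr/bin/*", "/usr/bin/who", []))         # True
    print(cmnd_matches("/usr/bin/*", "/usr/bin/X11/xterm", []))   # False
    print(cmnd_matches('/bin/ls ""', "/bin/ls", ["-l"]))          # False
```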
Including other files from within sudoers
It is possible to include other sudoers files from within the sudoers file currently being parsed using the #include and #includedir

This can be used, for example, to keep a site-wide sudoers file in addition to a local, per-machine file. For the sake of this example the site-wide sudoers will be /etc/sudoers and the per-machine one will be /etc/sudoers.local. To include /etc/sudoers.local from within /etc/sudoers we would use the following line in /etc/sudoers:

    #include /etc/sudoers.local

When sudo reaches this line it will suspend processing of the current file (/etc/sudoers) and switch to /etc/sudoers.local. Upon reaching the end of /etc/sudoers.local, the rest of /etc/sudoers will be processed. Files that are included may themselves include other files. A hard limit of 128 nested include files is enforced to prevent include

If the path to the include file is not fully-qualified (does not begin with a /), it must be located in the same directory as the sudoers file it was included from. For example, if /etc/sudoers contains the line:

    #include sudoers.local

the file that will be included is /etc/sudoers.local.

The file name may also include the %h escape, signifying the short form of the host name. I.e., if the machine's host name is "xerxes", then

    #include /etc/sudoers.%h

will cause sudo to include the file /etc/sudoers.xerxes.

The #includedir directive can be used to create a sudo.d directory that the system package manager can drop sudoers rules into as part of package installation. For example, given:

    #includedir /etc/sudoers.d

sudo will read each file in /etc/sudoers.d, skipping file names that end in ~ or contain a . character to avoid causing problems with package manager or editor temporary/backup files. Files are parsed in sorted lexical order. That is, /etc/sudoers.d/01_first will be parsed before /etc/sudoers.d/10_second. Be aware that because the sorting is lexical, not numeric, /etc/sudoers.d/1_whoops would be loaded after /etc/sudoers.d/10_second. Using a consistent number of leading zeroes in the file names can be used to avoid such problems.
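Because the last matching entry wins, the order in which #include and #includedir pull files in decides which of two entries for the same user takes effect, and a file in the #includedir directory whose name contains a '.' is skipped without any warning. The following Python is an added illustration (not sudo's code) that replays the rules described above over a constructed in-memory file tree; the host name is assumed to be "xerxes".

```python
"""Order in which sudoers processes a tree of #include / #includedir files.

Added illustration, not sudo's code.  The tree in FS is constructed for
the example and the host name is assumed to be "xerxes".
"""
import os

MAX_INCLUDE_DEPTH = 128     # nesting limit stated in the text


class IncludeLoopError(Exception):
    """Raised when include nesting exceeds MAX_INCLUDE_DEPTH."""


def resolve_include(arg, including_file, short_hostname):
    """Resolve a #include argument: expand %h to the short host name and
    make a name that does not begin with '/' relative to the directory
    of the file containing the directive."""
    name = arg.replace("%h", short_hostname)
    if not name.startswith("/"):
        name = os.path.join(os.path.dirname(including_file), name)
    return name


def includedir_files(names):
    """Files sudo reads from an #includedir directory, in parse order:
    names ending in '~' or containing '.' are skipped and the rest are
    sorted lexically, so '1_whoops' sorts after '10_second'."""
    return sorted(n for n in names if not n.endswith("~") and "." not in n)


def effective_lines(fs, path, short_hostname, depth=0):
    """Return (file, line) pairs in the order sudoers would process them.

    `fs` is an in-memory stand-in for the filesystem: a file maps to its
    list of lines; a directory (key ending in '/') maps to its entry names.
    """
    if depth > MAX_INCLUDE_DEPTH:
        raise IncludeLoopError(f"include nesting deeper than {MAX_INCLUDE_DEPTH} at {path}")
    out = []
    for line in fs[path]:
        text = line.strip()
        if text.startswith("#include "):
            target = resolve_include(text.split(None, 1)[1], path, short_hostname)
            out.extend(effective_lines(fs, target, short_hostname, depth + 1))
        elif text.startswith("#includedir "):
            directory = text.split(None, 1)[1].rstrip("/") + "/"
            for name in includedir_files(fs[directory]):
                out.extend(effective_lines(fs, directory + name, short_hostname, depth + 1))
        else:
            out.append((path, line))
    return out


FS = {  # constructed example tree
    "/etc/sudoers": [
        "Defaults env_reset",
        "#include sudoers.local",
        "#includedir /etc/sudoers.d",
        "alice ALL = (root) /bin/ls",
    ],
    "/etc/sudoers.local": [
        "#include /etc/sudoers.%h",
        "alice ALL = (root) NOPASSWD: /bin/ls",
    ],
    "/etc/sudoers.xerxes": ["bob ALL = (root) /usr/bin/who"],
    "/etc/sudoers.d/": ["01_first", "10_second", "1_whoops", "50-app.conf", "99_ops~"],
    "/etc/sudoers.d/01_first": ["carol ALL = (root) /bin/kill"],
    "/etc/sudoers.d/10_second": ["dave ALL = (root) /usr/bin/lprm"],
    "/etc/sudoers.d/1_whoops": ["dave ALL = (root) /bin/ls"],
    "/etc/sudoers.d/50-app.conf": ["erin ALL = (root) /usr/bin/app"],   # skipped: contains '.'
    "/etc/sudoers.d/99_ops~": ["frank ALL = (root) ALL"],               # skipped: ends in '~'
    "/etc/loop": ["#include /etc/loop"],                                 # self-include
}


def files_in_parse_order(fs=FS, start="/etc/sudoers", short_hostname="xerxes"):
    """The file each effective line came from, in processing order."""
    return [path for path, _ in effective_lines(fs, start, short_hostname)]


if __name__ == "__main__":
    # alice's NOPASSWD entry from sudoers.local is followed by the plain
    # entry at the end of /etc/sudoers, so the later, plain entry wins.
    for path, line in effective_lines(FS, "/etc/sudoers", "xerxes"):
        print(f"{path}: {line}")
```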
597 Note that unlike files included via #include, v
\bvi
\bis
\bsu
\bud
\bdo
\bo will not edit the
598 files in a #includedir directory unless one of them contains a syntax
599 error. It is still possible to run v
\bvi
\bis
\bsu
\bud
\bdo
\bo with the -f flag to edit the
   Other special characters and reserved words
       The pound sign ('#') is used to indicate a comment (unless it is part
       of a #include directive or unless it occurs in the context of a user
       name and is followed by one or more digits, in which case it is treated
       as a uid).  Both the comment character and any text after it, up to the
       end of the line, are ignored.

       The reserved word ALL is a built-in alias that always causes a match to
       succeed.  It can be used wherever one might otherwise use a Cmnd_Alias,
       User_Alias, Runas_Alias, or Host_Alias.  You should not try to define
       your own alias called ALL as the built-in alias will be used in
       preference to your own.  Please note that using ALL can be dangerous
       since in a command context, it allows the user to run any command on

       An exclamation point ('!') can be used as a logical not operator both
       in an alias and in front of a Cmnd.  This allows one to exclude certain
       values.  Note, however, that using a ! in conjunction with the built-in
       ALL alias to allow a user to run "all but a few" commands rarely works
       as intended (see SECURITY NOTES below).

       Long lines can be continued with a backslash ('\') as the last
       character on the line.

       Whitespace between elements in a list as well as special syntactic
       characters in a User Specification ('=', ':', '(', ')') is optional.

       The following characters must be escaped with a backslash ('\') when
       used as part of a word (e.g. a user name or host name): '!', '=', ':',

SUDOERS OPTIONS
       sudo's behavior can be modified by Default_Entry lines, as explained
       earlier.  A list of all supported Defaults parameters, grouped by type,

   Boolean Flags:

       always_set_home
               If enabled, sudo will set the HOME environment variable to the
               home directory of the target user (which is root unless the -u
               option is used).  This effectively means that the -H option is
               always implied.  Note that HOME is already set when the
               env_reset option is enabled, so always_set_home is only
               effective for configurations where either env_reset is
               disabled or HOME is present in the env_keep list.  This flag
               is off

       authenticate
               If set, users must authenticate themselves via a password (or
               other means of authentication) before they may run commands.
               This default may be overridden via the PASSWD and NOPASSWD
               tags.  This flag is on by

               If set, the user may use sudo's -C option which overrides the
               default starting point at which sudo begins closing open file
               descriptors.  This flag is off

       compress_io
               If set, and sudo is configured to log a command's input or
               output, the I/O logs will be compressed using zlib.  This flag
               is on by default when sudo is compiled with zlib support.

       env_editor
               If set, visudo will use the value of the EDITOR or VISUAL
               environment variables before falling back on the default
               editor list.  Note that this may create a security hole as it
               allows the user to run any arbitrary command as root without
               logging.  A safer alternative is to place a colon-separated
               list of editors in the editor variable.  visudo will then only
               use the EDITOR or VISUAL if they match a value specified in
               editor.  This flag is off by default.

       env_reset
               If set, sudo will run the command in a minimal environment
               containing the TERM, PATH, HOME, MAIL, SHELL, LOGNAME, USER,
               USERNAME and SUDO_* variables.  Any variables in the caller's
               environment that match the env_keep and env_check lists are
               then added, followed by any variables present in the file
               specified by the env_file option (if any).  The default
               contents of the env_keep and env_check lists are displayed
               when sudo is run by root with the -V option.  If the
               secure_path option is set, its value will be used for the PATH
               environment variable.  This flag is on by

       fast_glob
               Normally, sudo uses the glob(3) function to do shell-style
               globbing when matching path names.  However, since it accesses
               the file system, glob(3) can take a long time to complete for
               some patterns, especially when the pattern references a
               network file system that is mounted on demand (automounted).
               The fast_glob option causes sudo to use the fnmatch(3)
               function, which does not access the file system to do its
               matching.  The disadvantage of fast_glob is that it is unable
               to match relative path names such as ./ls or ../bin/ls.  This
               has security implications when path names that include
               globbing characters are used with the negation operator, '!',
               as such rules can be trivially bypassed.  As such, this option
               should not be used when sudoers contains rules that contain
               negated path names which include globbing characters.  This
               flag is off by default.

       fqdn    Set this flag if you want to put fully qualified host names in
               the sudoers file.  I.e., instead of myhost you would use
               myhost.mydomain.edu.  You may still use the short form if you
               wish (and even mix the two).  Beware that turning on fqdn
               requires sudo to make DNS lookups which may make sudo unusable
               if DNS stops working (for example if the machine is not
               plugged into the network).  Also note that you must use the
               host's official name as DNS knows it.  That is, you may not
               use a host alias (CNAME entry) due to performance issues and
               the fact that there is no way to get all aliases from DNS.  If
               your machine's host name (as returned by the hostname command)
               is already fully qualified you shouldn't need to set fqdn.
               This flag is off by default.

       ignore_dot
               If set, sudo will ignore '.' or '' (current dir) in the PATH
               environment variable; the PATH itself is not modified.  This
               flag is off by default.

               If set via LDAP, parsing of /etc/sudoers will be skipped.
               This is intended for Enterprises that wish to prevent the
               usage of local sudoers files so that only LDAP is used.  This
               thwarts the efforts of rogue operators who would attempt to
               add roles to /etc/sudoers.  When this option is present,
               /etc/sudoers does not even need to exist.  Since this option
               tells sudo how to behave when no specific LDAP entries have
               been matched, this sudoOption is only meaningful for the
               cn=defaults section.  This flag is off by default.

       insults If set, sudo will insult users when they enter an incorrect
               password.  This flag is off by default.

       log_host
               If set, the host name will be logged in the (non-syslog) sudo
               log file.  This flag is off by default.

       log_input
               If set, sudo will run the command in a pseudo tty and log all
               user input.  If the standard input is not connected to the
               user's tty, due to I/O redirection or because the command is
               part of a pipeline, that input is also captured and stored in
               a separate log file.

               Input is logged to the directory specified by the iolog_dir
               option (/var/log/sudo-io by default) using a unique session ID
               that is included in the normal sudo log line, prefixed with
               TSID=.  The iolog_file option may be used to control the
               format of the session ID.

               Note that user input may contain sensitive information such as
               passwords (even if they are not echoed to the screen), which
               will be stored in the log file unencrypted.  In most cases,
               logging the command output via log_output is all that is
               required.

       log_output
               If set, sudo will run the command in a pseudo tty and log all
               output that is sent to the screen, similar to the script(1)
               command.  If the standard output or standard error is not
               connected to the user's tty, due to I/O redirection or because
               the command is part of a pipeline, that output is also
               captured and stored in

               Output is logged to the directory specified by the iolog_dir
               option (/var/log/sudo-io by default) using a unique session ID
               that is included in the normal sudo log line, prefixed with
               TSID=.  The iolog_file option may be used to control the
               format of the session ID.

               Output logs may be viewed with the sudoreplay(1m) utility,
               which can also be used to list or search the

       log_year
               If set, the four-digit year will be logged in the (non-syslog)
               sudo log file.  This flag is off by default.

       long_otp_prompt
               When validating with a One Time Password (OTP) scheme such as
               S/Key or OPIE, a two-line prompt is used to make it easier to
               cut and paste the challenge to a local window.  It's not as
               pretty as the default but some people find it more convenient.
               This flag is off

       mail_always
               Send mail to the mailto user every time a user runs sudo.
               This flag is off by default.

       mail_badpass
               Send mail to the mailto user if the user running sudo does not
               enter the correct password.  This flag is off

       mail_no_host
               If set, mail will be sent to the mailto user if the invoking
               user exists in the sudoers file, but is not allowed to run
               commands on the current host.  This flag is off by default.

       mail_no_perms
               If set, mail will be sent to the mailto user if the invoking
               user is allowed to use sudo but the command they are trying is
               not listed in their sudoers file entry or is explicitly
               denied.  This flag is off by

       mail_no_user
               If set, mail will be sent to the mailto user if the invoking
               user is not in the sudoers file.  This flag is

       noexec  If set, all commands run via sudo will behave as if the NOEXEC
               tag has been set, unless overridden by an EXEC tag.  See the
               description of NOEXEC and EXEC below as well as the
               "PREVENTING SHELL ESCAPES" section at the end of this manual.
               This flag is off by default.

       path_info
               Normally, sudo will tell the user when a command could not be
               found in their PATH environment variable.  Some sites may wish
               to disable this as it could be used to gather information on
               the location of executables that the normal user does not have
               access to.  The disadvantage is that if the executable is
               simply not in the user's PATH, sudo will tell the user that
               they are not allowed to run it, which can be confusing.  This
               flag is on by default.

               The password prompt specified by passprompt will normally only
               be used if the password prompt provided by systems such as PAM
               matches the string "Password:".  If passprompt_override is
               set, passprompt will always be used.  This flag is off by
               default.

       preserve_groups
               By default, sudo will initialize the group vector to the list
               of groups the target user is in.  When preserve_groups is set,
               the user's existing group vector is left unaltered.  The real
               and effective group IDs, however, are still set to match the
               target user.  This flag is off by default.

       pwfeedback
               By default, sudo reads the password like most other Unix
               programs, by turning off echo until the user hits the return
               (or enter) key.  Some users become confused by this as it
               appears to them that sudo has hung at this point.  When
               pwfeedback is set, sudo will provide visual feedback when the
               user presses a key.  Note that this does have a security
               impact as an onlooker may be able to determine the length of
               the password being entered.  This flag is off by default.

       requiretty
               If set, sudo will only run when the user is logged in to a
               real tty.  When this flag is set, sudo can only be run from a
               login session and not via other means such as cron(1m) or
               cgi-bin scripts.  This flag is off by

       root_sudo
               If set, root is allowed to run sudo too.  Disabling this
               prevents users from "chaining" sudo commands to get a root
               shell by doing something like "sudo sudo /bin/sh".  Note,
               however, that turning off root_sudo will also prevent root
               from running sudoedit.  Disabling root_sudo provides no real
               additional security; it exists purely for historical reasons.
               This flag is on by default.

       rootpw  If set, sudo will prompt for the root password instead of the
               password of the invoking user.  This flag is off

       runaspw If set, sudo will prompt for the password of the user defined
               by the runas_default option (defaults to root) instead of the
               password of the invoking user.  This flag is off by default.

       set_home
               If enabled and sudo is invoked with the -s option the HOME
               environment variable will be set to the home directory of the
               target user (which is root unless the -u option is used).
               This effectively makes the -s option imply -H.  Note that HOME
               is already set when the env_reset option is enabled, so
               set_home is only effective for configurations where either
               env_reset is disabled or HOME is present in the env_keep list.
               This flag is off by default.

       set_logname
               Normally, sudo will set the LOGNAME, USER and USERNAME
               environment variables to the name of the target user (usually
               root unless the -u option is given).  However, since some
               programs (including the RCS revision control system) use
               LOGNAME to determine the real identity of the user, it may be
               desirable to change this behavior.  This can be done by
               negating the set_logname option.  Note that if the env_reset
               option has not been disabled, entries in the env_keep list
               will override the value of set_logname.  This flag is on by
               default.

       set_utmp
               When enabled, sudo will create an entry in the utmp (or utmpx)
               file when a pseudo-tty is allocated.  A pseudo-tty is
               allocated by sudo when the log_input, log_output or use_pty
               flags are enabled.  By default, the new entry will be a copy
               of the user's existing utmp entry (if any), with the tty,
               time, type and pid fields updated.  This flag is on by
               default.

       setenv  Allow the user to disable the env_reset option from the
               command line via the -E option.  Additionally, environment
               variables set via the command line are not subject to the
               restrictions imposed by env_check, env_delete, or env_keep.
               As such, only trusted users should be allowed to set variables
               in this manner.  This flag is off by default.

       shell_noargs
               If set and sudo is invoked with no arguments it acts as if the
               -s option had been given.  That is, it runs a shell as root
               (the shell is determined by the SHELL environment variable if
               it is set, falling back on the shell listed in the invoking
               user's /etc/passwd entry if not).  This flag is off by
               default.

       stay_setuid
               Normally, when sudo executes a command the real and effective
               UIDs are set to the target user (root by default).  This
               option changes that behavior such that the real UID is left as
               the invoking user's UID.  In other words, this makes sudo act
               as a setuid wrapper.  This can be useful on systems that
               disable some potentially dangerous functionality when a
               program is run setuid.  This option is only effective on
               systems with either the setreuid() or setresuid() function.
               This flag is off by default.

       targetpw
               If set, sudo will prompt for the password of the user
               specified by the -u option (defaults to root) instead of the
               password of the invoking user.  In addition, the timestamp
               file name will include the target user's name.  Note that this
               flag precludes the use of a uid not listed in the passwd
               database as an argument to the -u option.  This flag is off by
               default.

       tty_tickets
               If set, users must authenticate on a per-tty basis.  With this
               flag enabled, sudo will use a file named for the tty the user
               is logged in on in the user's time stamp directory.  If
               disabled, the time stamp of the directory is used instead.
               This flag is on by default.

       umask_override
               If set, sudo will set the umask as specified by sudoers
               without modification.  This makes it possible to specify a
               more permissive umask in sudoers than the user's own umask and
               matches historical behavior.  If umask_override is not set,
               sudo will set the umask to be the union of the user's umask
               and what is specified in sudoers.  This flag is off by
               default.

       use_loginclass
               If set, sudo will apply the defaults specified for the target
               user's login class if one exists.  Only available if sudo is
               configured with the --with-logincap option.  This flag is off
               by default.

       use_pty If set, sudo will run the command in a pseudo-pty even if no
               I/O logging is being done.  A malicious program run under sudo
               could conceivably fork a background process that retains
               access to the user's terminal device after the main program
               has finished executing.  Use of this option will make that
               impossible.  This flag is off by default.

       utmp_runas
               If set, sudo will store the name of the runas user when
               updating the utmp (or utmpx) file.  By default, sudo stores
               the name of the invoking user.  This flag is off

       visiblepw
               By default, sudo will refuse to run if the user must enter a
               password but it is not possible to disable echo on the
               terminal.  If the visiblepw flag is set, sudo will prompt for
               a password even when it would be visible on the screen.  This
               makes it possible to run things like "rsh somehost sudo ls"
               since rsh(1) does not allocate a tty.  This flag is off by
               default.

   Integers:

       closefrom
               Before it executes a command, sudo will close all open file
               descriptors other than standard input, standard output and
               standard error (i.e., file descriptors 0-2).  The closefrom
               option can be used to specify a different file descriptor at
               which to start closing.  The default

       passwd_tries
               The number of tries a user gets to enter his/her password
               before sudo logs the failure and exits.  The

   Integers that can be used in a boolean context:

       loglinelen
               Number of characters per line for the file log.  This value is
               used to decide when to wrap lines for nicer log files.  This
               has no effect on the syslog log file, only the file log.  The
               default is 80 (use 0 or negate the option to disable word
               wrap).

       passwd_timeout
               Number of minutes before the sudo password prompt times out,
               or 0 for no timeout.  The timeout may include a fractional
               component if minute granularity is insufficient, for example
               2.5.  The default is 5.

               Number of minutes that can elapse before sudo will ask for a
               passwd again.  The timeout may include a fractional component
               if minute granularity is insufficient, for example 2.5.  The
               default is 5.  Set this to 0 to always prompt for a password.
               If set to a value less than 0 the user's timestamp will never
               expire.  This can be used to allow users to create or delete
               their own timestamps via sudo -v and sudo -k

       umask   Umask to use when running the command.  Negate this option or
               set it to 0777 to preserve the user's umask.  The actual umask
               that is used will be the union of the user's umask and the
               value of the umask option, which defaults to 0022.  This
               guarantees that sudo never lowers the umask when running a
               command.  Note on systems that use PAM, the default PAM
               configuration may specify its own umask which will override
               the value set in sudoers.
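       The umask computation described for the umask option here and for the umask_override flag above, modelled in Python as an added illustration (not sudo's own code; function names are my own). It shows why the default union rule can only make the umask more restrictive, and how 0777 or a negated option leaves the user's umask untouched.

```python
"""Model of the umask sudo applies to a command, combining the 'umask' option
and the 'umask_override' flag.  Added illustration, not sudo's own code.
The PAM-supplied umask mentioned on the page is outside this model.
"""

# The page: set umask to 0777 (or negate the option) to preserve the user's umask.
PRESERVE_USER_UMASK = 0o777


def effective_umask(user_umask, sudoers_umask=0o022, umask_override=False):
    """Return the umask the command will run with.

    user_umask     -- the invoking user's umask, e.g. 0o077
    sudoers_umask  -- the sudoers 'umask' option (default 0o022); None models a
                      negated option, 0o777 the documented 'preserve' value
    umask_override -- the sudoers 'umask_override' flag
    """
    if sudoers_umask is None or sudoers_umask == PRESERVE_USER_UMASK:
        return user_umask                  # sudo leaves the user's umask alone
    if umask_override:
        return sudoers_umask               # historical behaviour: exactly as specified
    return user_umask | sudoers_umask      # union: every bit either side clears stays cleared


def never_lowers(user_umask, sudoers_umask):
    """Check the guarantee stated on the page for the default (no override)
    case: no permission bit the user's umask masks off is re-enabled."""
    eff = effective_umask(user_umask, sudoers_umask)
    return (eff & user_umask) == user_umask


if __name__ == "__main__":
    # Restrictive user (077) under the default sudoers umask 022: union is 077.
    print(oct(effective_umask(0o077)))                              # 0o77
    # With umask_override, the more permissive sudoers value wins: 022.
    print(oct(effective_umask(0o077, 0o022, umask_override=True)))  # 0o22
    # Permissive user (002) with a tighter sudoers umask 027: union is 027.
    print(oct(effective_umask(0o002, 0o027)))                       # 0o27
```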
   Strings:

       badpass_message
               Message that is displayed if a user enters an incorrect
               password.  The default is Sorry, try again. unless insults are
               enabled.

       editor  A colon (':') separated list of editors allowed to be used
               with visudo.  visudo will choose the editor that matches the
               user's EDITOR environment variable if possible, or the first
               editor in the list that exists and is executable.  The default
               is "vi".

       iolog_dir
               The top-level directory to use when constructing the path name
               for the input/output log directory.  Only used if the
               log_input or log_output options are enabled or when the
               LOG_INPUT or LOG_OUTPUT tags are present for a command.  The
               session sequence number, if any, is stored in the directory.
               The default is

               The following percent (`%') escape sequences are

                   expanded to a monotonically increasing base-36 sequence
                   number, such as 0100A5, where every two digits are used to
                   form a new directory, e.g. 01/00/A5

                   expanded to the invoking user's login name

                   expanded to the name of the invoking user's real

                   expanded to the login name of the user the command will be
                   run as (e.g. root)

                   expanded to the group name of the user the command will be
                   run as (e.g. wheel)

                   expanded to the local host name without the domain

                   expanded to the base name of the command being run

               In addition, any escape sequences supported by the system's
               strftime() function will be expanded.

               To include a literal `%' character, the string `%%'

       iolog_file
               The path name, relative to iolog_dir, in which to store
               input/output logs when the log_input or log_output options are
               enabled or when the LOG_INPUT or LOG_OUTPUT tags are present
               for a command.  Note that iolog_file may contain directory
               components.  The default is

               See the iolog_dir option above for a list of supported percent
               (`%') escape sequences.

               In addition to the escape sequences, path names that end in
               six or more Xs will have the Xs replaced with a unique
               combination of digits and letters, similar to the mktemp()
               function.
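       The escape expansion that iolog_dir and iolog_file share, modelled in Python as an added illustration (not sudo's own code). The escape names used here, %{seq}, %{user}, %{group}, %{runas_user}, %{runas_group}, %{hostname} and %{command}, are the ones sudoers uses; this copy of the page shows only their meanings, so treat the names as an assumption. The base-36 sequence number and the mktemp-style trailing Xs are handled as the text describes.

```python
"""Expansion of the iolog_dir / iolog_file escapes.  Added illustration,
not sudo's own code.  Escape names (%{seq}, %{user}, ...) are assumed from
sudoers; this page copy lists only their meanings.
"""
import os
import random
import re
import string
import time

BASE36 = string.digits + string.ascii_uppercase


def seq_to_path(seq):
    """Format a sequence number as six base-36 digits (e.g. 0100A5) split
    into two-character directory components: 01/00/A5."""
    digits = []
    n = seq
    for _ in range(6):
        n, rem = divmod(n, 36)
        digits.append(BASE36[rem])
    if n:
        raise ValueError("sequence number exceeds six base-36 digits")
    text = "".join(reversed(digits))
    return "/".join(text[i:i + 2] for i in range(0, 6, 2))


def expand_iolog(template, info, now=None):
    """Expand %{name} escapes, %% and strftime escapes, then replace a trailing
    run of six or more Xs with a unique suffix.  'info' holds session details."""
    values = {
        "seq": seq_to_path(info["seq"]),
        "user": info["user"],
        "group": info["group"],
        "runas_user": info["runas_user"],
        "runas_group": info["runas_group"],
        "hostname": info["hostname"].split(".")[0],   # host name without domain
        "command": os.path.basename(info["command"]),  # base name of the command
    }

    def repl(m):
        name = m.group(1)
        if name not in values:
            raise ValueError(f"unknown escape %{{{name}}}")
        # A '%' inside a value must not be read as a strftime escape below.
        return values[name].replace("%", "%%")

    out = re.sub(r"%\{([a-z_]+)\}", repl, template)
    # Remaining % sequences are strftime's; it also collapses %% to a literal %.
    out = time.strftime(out, time.localtime(now))
    m = re.search(r"X{6,}$", out)
    if m:  # mktemp-style unique suffix (mktemp draws from OS randomness; this is a model)
        out = out[:m.start()] + "".join(random.choices(BASE36, k=len(m.group())))
    return out


if __name__ == "__main__":
    # Constructed session details, not taken from a real system.
    session = {"seq": int("0100A5", 36), "user": "alice", "group": "staff",
               "runas_user": "root", "runas_group": "wheel",
               "hostname": "xerxes.example.com", "command": "/usr/bin/vi"}
    print(expand_iolog("%{user}/%{command}/%{seq}", session))   # alice/vi/01/00/A5
    print(expand_iolog("%{hostname}/%Y%m%d/%{runas_user}.XXXXXX", session))
```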
       mailsub Subject of the mail sent to the mailto user.  The escape %h
               will expand to the host name of the machine.  Default is ***
               SECURITY information for %h ***.

       noexec_file
               This option is no longer supported.  The path to the noexec
               file should now be set in the /etc/sudo.conf

       passprompt
               The default prompt to use when asking for a password; can be
               overridden via the -p option or the SUDO_PROMPT environment
               variable.  The following percent (`%') escape sequences are
               supported:

               %H  expanded to the local host name including the domain name
                   (only if the machine's host name is fully qualified or the
                   fqdn option is set)

               %h  expanded to the local host name without the domain

               %p  expanded to the user whose password is being asked for
                   (respects the rootpw, targetpw and runaspw flags in
                   sudoers)

               %U  expanded to the login name of the user the command will be
                   run as (defaults to root)

               %u  expanded to the invoking user's login name

               %%  two consecutive % characters are collapsed into a

               The default value is Password:.

       role    The default SELinux role to use when constructing a new
               security context to run the command.  The default role may be
               overridden on a per-command basis in sudoers or via command
               line options.  This option is only available when sudo is
               built with SELinux support.

       runas_default
               The default user to run commands as if the -u option is not
               specified on the command line.  This defaults to

       syslog_badpri
               Syslog priority to use when user authenticates unsuccessfully.
               Defaults to alert.

               The following syslog priorities are supported: alert, crit,
               debug, emerg, err, info, notice, and warning.

       syslog_goodpri
               Syslog priority to use when user authenticates successfully.
               Defaults to notice.

               See syslog_badpri for the list of supported syslog

       sudoers_locale
               Locale to use when parsing the sudoers file, logging commands,
               and sending email.  Note that changing the locale may affect
               how sudoers is interpreted.  Defaults

       timestampdir
               The directory in which sudo stores its timestamp files.  The
               default is /var/adm/sudo.

       timestampowner
               The owner of the timestamp directory and the timestamps stored
               therein.  The default is root.

       type    The default SELinux type to use when constructing a new
               security context to run the command.  The default type may be
               overridden on a per-command basis in sudoers or via command
               line options.  This option is only available when sudo is
               built with SELinux support.

   Strings that can be used in a boolean context:

       env_file
               The env_file option specifies the fully qualified path to a
               file containing variables to be set in the environment of the
               program being run.  Entries in this file should either be of
               the form VARIABLE=value or export VARIABLE=value.  The value
               may optionally be surrounded by single or double quotes.
               Variables in this file are subject to other sudo environment
               settings such as env_keep and env_check.
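       The environment sudo builds under env_reset (described with the boolean flags above), together with the env_file format described here, modelled in Python as an added illustration; this is not sudo's own code. Assumptions beyond the page: env_check is modelled with sudo's value test (a variable is dropped if its value contains '%' or '/'), lines starting with '#' in env_file are skipped, and env_file entries whose names match env_check get the same value test; the page does not spell out any of these.

```python
"""Model of the env_reset environment plus env_file parsing.  Added
illustration, not sudo's own code.  Assumed, not stated on this page: the
env_check value test ('%' or '/' in the value rejects it), '#' comment lines
in env_file, and that env_file entries matching env_check get the same test.
The target-user rewriting of HOME/LOGNAME/USER (set_home, set_logname) is
left out of this model.
"""
import fnmatch
import re

# Variables the page says survive a reset unconditionally, plus SUDO_*.
BASE_VARS = {"TERM", "PATH", "HOME", "MAIL", "SHELL", "LOGNAME", "USER", "USERNAME"}

_ENV_FILE_LINE = re.compile(r"^\s*(?:export\s+)?([A-Za-z_][A-Za-z0-9_]*)=(.*)$")


def parse_env_file(text):
    """Parse env_file contents: VARIABLE=value or export VARIABLE=value, with the
    value optionally in single or double quotes.  Blank and '#' lines skipped
    (comment handling is an assumption)."""
    result = {}
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        m = _ENV_FILE_LINE.match(line)
        if not m:
            raise ValueError(f"bad env_file line: {line!r}")
        name, value = m.group(1), m.group(2).strip()
        if len(value) >= 2 and value[0] == value[-1] and value[0] in "'\"":
            value = value[1:-1]
        result[name] = value
    return result


def _matches(name, patterns):
    return any(fnmatch.fnmatchcase(name, pat) for pat in patterns)


def _passes_check(value):
    # env_check value test as sudo documents it elsewhere (assumed here).
    return "%" not in value and "/" not in value


def reset_environment(caller_env, env_keep=(), env_check=(), env_file_text="",
                      secure_path=None):
    """Return the environment a command sees when env_reset is on."""
    new_env = {}
    # 1. The minimal base set: TERM, PATH, HOME, MAIL, SHELL, LOGNAME, USER,
    #    USERNAME and anything named SUDO_*.
    for name, value in caller_env.items():
        if name in BASE_VARS or name.startswith("SUDO_"):
            new_env[name] = value
    # 2. Caller variables matching env_keep are added as-is; those matching
    #    env_check are added only if their value passes the check.
    for name, value in caller_env.items():
        if _matches(name, env_keep):
            new_env[name] = value
        elif _matches(name, env_check) and _passes_check(value):
            new_env[name] = value
    # 3. env_file entries come last and remain subject to env_check (assumed).
    for name, value in parse_env_file(env_file_text).items():
        if _matches(name, env_check) and not _passes_check(value):
            continue
        new_env[name] = value
    # 4. secure_path, when set, replaces PATH.
    if secure_path is not None:
        new_env["PATH"] = secure_path
    return new_env


if __name__ == "__main__":
    # Constructed caller environment, not captured from a real session.
    caller = {"TERM": "xterm", "PATH": "/home/alice/bin:/usr/bin", "HOME": "/home/alice",
              "SUDO_EDITOR": "vi", "LD_PRELOAD": "/tmp/x.so", "DISPLAY": ":0",
              "LC_ALL": "en_US.UTF-8", "TZ": ":/tmp/zones/x"}
    env = reset_environment(caller, env_keep=("DISPLAY", "XAUTHORITY"),
                            env_check=("TZ", "LC_*"),
                            env_file_text='export EDITOR="vim"\n# comment\nFOO=bar\n',
                            secure_path="/usr/bin:/bin")
    for k in sorted(env):
        print(f"{k}={env[k]}")   # LD_PRELOAD and TZ do not survive the reset
```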
               Users in this group are exempt from password and PATH
               requirements.  The group name specified should not include a
               % prefix.  This is not set by default.

               A string containing a sudoers group plugin with optional
               arguments.  This can be used to implement support for the
               nonunix_group syntax described earlier.  The string should
               consist of the plugin path, either fully-qualified or relative
               to the /usr/local/libexec directory, followed by any
               configuration arguments the plugin requires.  These arguments
               (if any) will be passed to the plugin's initialization
               function.  If arguments are present, the string must be
               enclosed in double quotes (").

               For example, given /etc/sudo-group, a group file in Unix group
               format, the sample group plugin can be used:

                   Defaults group_plugin="sample_group.so /etc/sudo-group"

               For more information see sudo_plugin(4).

       lecture This option controls when a short lecture will be printed
               along with the password prompt.  It has the following

               always  Always lecture the user.

               never   Never lecture the user.

               once    Only lecture the user the first time they run sudo.

               If no value is specified, a value of once is implied.
               Negating the option results in a value of never being used.
               The default value is once.

               Path to a file containing an alternate sudo lecture that will
               be used in place of the standard lecture if the named file
               exists.  By default, sudo uses a built-in lecture.

       listpw  This option controls when a password will be required when a
               user runs sudo with the -l option.  It has the following

               all     All the user's sudoers entries for the current host
                       must have the NOPASSWD flag set to avoid entering a

               always  The user must always enter a password to use the -l

               any     At least one of the user's sudoers entries for the
                       current host must have the NOPASSWD flag set to avoid
                       entering a password.

               never   The user need never enter a password to use the -l

               If no value is specified, a value of any is implied.  Negating
               the option results in a value of never being used.  The
               default value is any.

       logfile Path to the sudo log file (not the syslog log file).  Setting
               a path turns on logging to a file; negating this option turns
               it off.  By default, sudo logs via syslog.

       mailerflags
               Flags to use when invoking mailer.  Defaults to -t.

       mailerpath
               Path to mail program used to send warning mail.  Defaults to
               the path to sendmail found at configure time.

       mailfrom
               Address to use for the "from" address when sending warning
1258 and error mail. The address should be enclosed in double
1259 quotes (") to protect against s
\bsu
\bud
\bdo
\bo interpreting the @ sign.
1260 Defaults to the name of the user running s
\bsu
\bud
\bdo
\bo.
1262 mailto Address to send warning and error mail to. The address
1263 should be enclosed in double quotes (") to protect against
1264 s
\bsu
\bud
\bdo
\bo interpreting the @ sign. Defaults to root.
1266 secure_path Path used for every command run from s
\bsu
\bud
\bdo
\bo. If you don't
1267 trust the people running s
\bsu
\bud
\bdo
\bo to have a sane PATH
1268 environment variable you may want to use this. Another use
1269 is if you want to have the "root path" be separate from the
1270 "user path." Users in the group specified by the
1271 _
\be_
\bx_
\be_
\bm_
\bp_
\bt_
\b__
\bg_
\br_
\bo_
\bu_
\bp option are not affected by _
\bs_
\be_
\bc_
\bu_
\br_
\be_
\b__
\bp_
\ba_
\bt_
\bh. This
1272 option is not set by default.
1274 syslog Syslog facility if syslog is being used for logging (negate
1275 to disable syslog logging). Defaults to auth.
1277 The following syslog facilities are supported: a
\bau
\but
\bth
\bhp
\bpr
\bri
\biv
\bv (if
1278 your OS supports it), a
\bau
\but
\bth
\bh, d
\bda
\bae
\bem
\bmo
\bon
\bn, u
\bus
\bse
\ber
\br, l
\blo
\boc
\bca
\bal
\bl0
\b0, l
\blo
\boc
\bca
\bal
\bl1
\b1,
1279 l
\blo
\boc
\bca
\bal
\bl2
\b2, l
\blo
\boc
\bca
\bal
\bl3
\b3, l
\blo
\boc
\bca
\bal
\bl4
\b4, l
\blo
\boc
\bca
\bal
\bl5
\b5, l
\blo
\boc
\bca
\bal
\bl6
\b6, and l
\blo
\boc
\bca
\bal
\bl7
\b7.
1281 verifypw This option controls when a password will be required when
1282 a user runs s
\bsu
\bud
\bdo
\bo with the -
\b-v
\bv option. It has the following
1285 all All the user's _
\bs_
\bu_
\bd_
\bo_
\be_
\br_
\bs entries for the current host
1286 must have the NOPASSWD flag set to avoid entering a
1289 always The user must always enter a password to use the -
\b-v
\bv
1292 any At least one of the user's _
\bs_
\bu_
\bd_
\bo_
\be_
\br_
\bs entries for the
1293 current host must have the NOPASSWD flag set to
1294 avoid entering a password.
1296 never The user need never enter a password to use the -
\b-v
\bv
1299 If no value is specified, a value of _
\ba_
\bl_
\bl is implied.
1300 Negating the option results in a value of _
\bn_
\be_
\bv_
\be_
\br being used.
1301 The default value is _
\ba_
\bl_
\bl.
1303 L
\bLi
\bis
\bst
\bts
\bs t
\bth
\bha
\bat
\bt c
\bca
\ban
\bn b
\bbe
\be u
\bus
\bse
\bed
\bd i
\bin
\bn a
\ba b
\bbo
\boo
\bol
\ble
\bea
\ban
\bn c
\bco
\bon
\bnt
\bte
\bex
\bxt
\bt:
1305 env_check Environment variables to be removed from the user's
1306 environment if the variable's value contains % or /
1307 characters. This can be used to guard against printf-
1308 style format vulnerabilities in poorly-written
1309 programs. The argument may be a double-quoted, space-
1310 separated list or a single value without double-quotes.
1311 The list can be replaced, added to, deleted from, or
1312 disabled by using the =, +=, -=, and ! operators
1313 respectively. Regardless of whether the env_reset
1314 option is enabled or disabled, variables specified by
1315 env_check will be preserved in the environment if they
1316 pass the aforementioned check. The default list of
1317 environment variables to check is displayed when s
\bsu
\bud
\bdo
\bo
1318 is run by root with the _
\b-_
\bV option.
1320 env_delete Environment variables to be removed from the user's
1321 environment when the _
\be_
\bn_
\bv_
\b__
\br_
\be_
\bs_
\be_
\bt option is not in effect.
1322 The argument may be a double-quoted, space-separated
1323 list or a single value without double-quotes. The list
1324 can be replaced, added to, deleted from, or disabled by
1325 using the =, +=, -=, and ! operators respectively. The
1326 default list of environment variables to remove is
1327 displayed when s
\bsu
\bud
\bdo
\bo is run by root with the _
\b-_
\bV option.
1328 Note that many operating systems will remove
1329 potentially dangerous variables from the environment of
1330 any setuid process (such as s
\bsu
\bud
\bdo
\bo).
1332 env_keep Environment variables to be preserved in the user's
1333 environment when the _
\be_
\bn_
\bv_
\b__
\br_
\be_
\bs_
\be_
\bt option is in effect.
1334 This allows fine-grained control over the environment
1335 s
\bsu
\bud
\bdo
\bo-spawned processes will receive. The argument may
1336 be a double-quoted, space-separated list or a single
1337 value without double-quotes. The list can be replaced,
1338 added to, deleted from, or disabled by using the =, +=,
1339 -=, and ! operators respectively. The default list of
1340 variables to keep is displayed when s
\bsu
\bud
\bdo
\bo is run by root
1341 with the _
\b-_
\bV option.
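The env_file format and the env_reset, env_keep, env_check and env_delete rules above, as an added example that is not code from the sudo project: it parses an env_file, applies the list operators (=, +=, -=, !) to a list option, and shows which variables survive with env_reset on and off, with env_file variables subject to the same checks. The function names, the sample env_file and the sample environment are constructed, and env_file lines that match neither form are skipped (an assumption of this example).

```python
import re
from typing import Dict, Iterable, Set

# One env_file entry: VARIABLE=value or export VARIABLE=value.
_ENV_FILE_LINE = re.compile(r"^\s*(?:export\s+)?([A-Za-z_][A-Za-z0-9_]*)=(.*?)\s*$")

def parse_env_file(text: str) -> Dict[str, str]:
    """Return the VARIABLE -> value pairs an env_file describes; matching
    single or double quotes around a value are removed, other lines are
    skipped (an assumption of this example)."""
    result: Dict[str, str] = {}
    for line in text.splitlines():
        m = _ENV_FILE_LINE.match(line)
        if not m:
            continue
        name, value = m.group(1), m.group(2)
        if len(value) >= 2 and value[0] == value[-1] and value[0] in "'\"":
            value = value[1:-1]
        result[name] = value
    return result

def passes_env_check(value: str) -> bool:
    """env_check keeps a variable only if its value has no % or / character."""
    return "%" not in value and "/" not in value

def apply_list_operator(current: Set[str], op: str, values: Iterable[str]) -> Set[str]:
    """Apply a sudoers list operator (=, +=, -=, !) to a list option."""
    if op == "=":
        return set(values)            # replace the list
    if op == "+=":
        return current | set(values)  # add to the list
    if op == "-=":
        return current - set(values)  # delete from the list
    if op == "!":
        return set()                  # disable the list
    raise ValueError(f"unknown list operator {op!r}")

def filter_environment(env: Dict[str, str], env_reset: bool, env_keep: Set[str],
                       env_check: Set[str], env_delete: Set[str]) -> Dict[str, str]:
    """Return the environment a sudo-spawned process receives.
    env_reset on:  only env_keep variables and env_check variables that
                   pass the check survive.
    env_reset off: env_delete variables go, env_check variables go when
                   they fail the check, everything else stays."""
    result: Dict[str, str] = {}
    for name, value in env.items():
        if name in env_check:
            if passes_env_check(value):   # preserved regardless of env_reset
                result[name] = value
            continue
        if env_reset:
            if name in env_keep:
                result[name] = value
        elif name not in env_delete:
            result[name] = value
    return result

# Constructed sample env_file and invoking-user environment (not real data).
SAMPLE_ENV_FILE = """\
# constructed sample env_file
EDITOR=vi
export LANG="en_US.UTF-8"
PROMPT_COMMAND='echo %s'
"""
SAMPLE_ENV = {
    "HOME": "/home/alice", "DISPLAY": ":0", "TERM": "xterm",
    "LD_PRELOAD": "/tmp/preload.so", "PS1": "%n@%m", "SHELL": "/bin/sh",
}

def demo():
    """Merge the env_file into the environment, then apply both env_reset modes."""
    env = dict(SAMPLE_ENV)
    env.update(parse_env_file(SAMPLE_ENV_FILE))
    # Defaults env_keep += "DISPLAY HOME", applied to an assumed base list.
    keep = apply_list_operator({"TERM", "LANG"}, "+=", ["DISPLAY", "HOME"])
    check = {"PS1", "PROMPT_COMMAND", "EDITOR"}
    delete = {"LD_PRELOAD"}
    return (filter_environment(env, True, keep, check, delete),
            filter_environment(env, False, keep, check, delete))
```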
FILES
     /etc/sudoers            List of who can run what

     /etc/group              Local groups file

     /etc/netgroup           List of network groups

     /var/log/sudo-io        I/O log files

     /var/adm/sudo           Directory containing time stamps for the sudoers
                             security policy

     /etc/environment        Initial environment for -i mode on Linux and

EXAMPLES
     Below are example sudoers entries.  Admittedly, some of these are a bit
     contrived.  First, we allow a few environment variables to pass and
     then define our aliases:

         # Run X applications through sudo; HOME is used to find the
         # .Xauthority file.  Note that other programs use HOME to find
         # configuration files and this may lead to privilege escalation!
         Defaults env_keep += "DISPLAY HOME"

         # User alias specification
         User_Alias     FULLTIMERS = millert, mikef, dowdy
         User_Alias     PARTTIMERS = bostley, jwfox, crawl
         User_Alias     WEBMASTERS = will, wendy, wim

         # Runas alias specification
         Runas_Alias    OP = root, operator
         Runas_Alias    DB = oracle, sybase
         Runas_Alias    ADMINGRP = adm, oper

         # Host alias specification
         Host_Alias     SPARC = bigtime, eclipse, moet, anchor :\
                        SGI = grolsch, dandelion, black :\
                        ALPHA = widget, thalamus, foobar :\
                        HPPA = boa, nag, python
         Host_Alias     CUNETS = 128.138.0.0/255.255.0.0
         Host_Alias     CSNETS = 128.138.243.0, 128.138.204.0/24, 128.138.242.0
         Host_Alias     SERVERS = master, mail, www, ns
         Host_Alias     CDROM = orion, perseus, hercules

         # Cmnd alias specification
         Cmnd_Alias     DUMPS = /usr/bin/mt, /usr/sbin/dump, /usr/sbin/rdump,\
                                /usr/sbin/restore, /usr/sbin/rrestore
         Cmnd_Alias     KILL = /usr/bin/kill
         Cmnd_Alias     PRINTING = /usr/sbin/lpc, /usr/bin/lprm
         Cmnd_Alias     SHUTDOWN = /usr/sbin/shutdown
         Cmnd_Alias     HALT = /usr/sbin/halt
         Cmnd_Alias     REBOOT = /usr/sbin/reboot
         Cmnd_Alias     SHELLS = /usr/bin/sh, /usr/bin/csh, /usr/bin/ksh, \
                                 /usr/local/bin/tcsh, /usr/bin/rsh, \
         Cmnd_Alias     SU = /usr/bin/su
         Cmnd_Alias     PAGERS = /usr/bin/more, /usr/bin/pg, /usr/bin/less

     Here we override some of the compiled in default values.  We want sudo
     to log via syslog(3) using the auth facility in all cases.  We don't
     want to subject the full time staff to the sudo lecture, user millert
     need not give a password, and we don't want to reset the LOGNAME, USER
     or USERNAME environment variables when running commands as root.
     Additionally, on the machines in the SERVERS Host_Alias, we keep an
     additional local log file and make sure we log the year in each log
     line since the log entries will be kept around for several years.
     Lastly, we disable shell escapes for the commands in the PAGERS
     Cmnd_Alias (/usr/bin/more, /usr/bin/pg and /usr/bin/less).

         # Override built-in defaults
         Defaults               syslog=auth
         Defaults>root          !set_logname
         Defaults:FULLTIMERS    !lecture
         Defaults:millert       !authenticate
         Defaults@SERVERS       log_year, logfile=/var/log/sudo.log
         Defaults!PAGERS        noexec

     The User specification is the part that actually determines who may run
     what.

         root           ALL = (ALL) ALL
         %wheel         ALL = (ALL) ALL

     We let root and any user in group wheel run any command on any host as
     any user.

         FULLTIMERS     ALL = NOPASSWD: ALL

     Full time sysadmins (millert, mikef, and dowdy) may run any command on
     any host without authenticating themselves.

         PARTTIMERS     ALL = ALL

     Part time sysadmins (bostley, jwfox, and crawl) may run any command on
     any host but they must authenticate themselves first (since the entry
     lacks the NOPASSWD tag).

     The user jack may run any command on the machines in the CSNETS alias
     (the networks 128.138.243.0, 128.138.204.0, and 128.138.242.0).  Of
     those networks, only 128.138.204.0 has an explicit netmask (in CIDR
     notation) indicating it is a class C network.  For the other networks
     in CSNETS, the local machine's netmask will be used during matching.

     The user lisa may run any command on any host in the CUNETS alias (the
     class B network 128.138.0.0).
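The netmask behaviour just described for CSNETS and CUNETS, as an added example that is not sudo's own matching code: an entry with an explicit CIDR or dotted netmask is matched with that mask, while an entry without one is matched with the local machine's netmask, so the same alias can cover a different set of hosts on a machine with a wider mask. The function names and the local addresses used below are constructed for this example.

```python
import ipaddress
from typing import List, Optional, Tuple

def parse_host_alias(spec: str) -> List[Tuple[str, Optional[str]]]:
    """Split a Host_Alias value like 'a, b/24, c' into (address, netmask) pairs."""
    entries = []
    for item in spec.split(","):
        item = item.strip()
        if "/" in item:
            addr, mask = item.split("/", 1)
            entries.append((addr, mask))      # explicit CIDR or dotted netmask
        else:
            entries.append((item, None))      # no mask given in the entry
    return entries

def host_matches(local_ip: str, local_netmask: str, alias_spec: str) -> bool:
    """True if the local machine falls inside any network listed in the alias."""
    ip = ipaddress.ip_address(local_ip)
    for addr, mask in parse_host_alias(alias_spec):
        # An entry without a mask is matched with the local machine's netmask,
        # so a wide local mask makes such an entry match more hosts than it names.
        net = ipaddress.ip_network(f"{addr}/{mask or local_netmask}", strict=False)
        if ip in net:
            return True
    return False

# The aliases from the example sudoers above.
CSNETS = "128.138.243.0, 128.138.204.0/24, 128.138.242.0"
CUNETS = "128.138.0.0/255.255.0.0"

if __name__ == "__main__":
    # Constructed local addresses, not real hosts.
    print(host_matches("128.138.243.17", "255.255.255.0", CSNETS))   # True
    print(host_matches("128.138.205.5", "255.255.255.0", CSNETS))    # False
    print(host_matches("128.138.205.5", "255.255.0.0", CSNETS))      # True, via local mask
    print(host_matches("128.138.205.5", "255.255.255.0", CUNETS))    # True
```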
         operator       ALL = DUMPS, KILL, SHUTDOWN, HALT, REBOOT, PRINTING,\
                        sudoedit /etc/printcap, /usr/oper/bin/

     The operator user may run commands limited to simple maintenance.
     Here, those are commands related to backups, killing processes, the
     printing system, shutting down the system, and any commands in the
     directory /usr/oper/bin/.

         joe            ALL = /usr/bin/su operator

     The user joe may only su(1) to operator.

         pete           HPPA = /usr/bin/passwd [A-Za-z]*, !/usr/bin/passwd root

         %opers         ALL = (: ADMINGRP) /usr/sbin/

     Users in the opers group may run commands in /usr/sbin/ as themselves
     with any group in the ADMINGRP Runas_Alias (the adm and oper groups).

     The user pete is allowed to change anyone's password except for root on
     the HPPA machines.  Note that this assumes passwd(1) does not take
     multiple user names on the command line.

         bob            SPARC = (OP) ALL : SGI = (OP) ALL

     The user bob may run anything on the SPARC and SGI machines as any user
     listed in the OP Runas_Alias (root and operator).

     The user jim may run any command on machines in the biglab netgroup.
     sudo knows that "biglab" is a netgroup due to the '+' prefix.

         +secretaries   ALL = PRINTING, /usr/bin/adduser, /usr/bin/rmuser

     Users in the secretaries netgroup need to help manage the printers as
     well as add and remove users, so they are allowed to run those commands

         fred           ALL = (DB) NOPASSWD: ALL

     The user fred can run commands as any user in the DB Runas_Alias
     (oracle or sybase) without giving a password.

         john           ALPHA = /usr/bin/su [!-]*, !/usr/bin/su *root*

     On the ALPHA machines, user john may su to anyone except root but he is
     not allowed to specify any options to the su(1) command.

         jen            ALL, !SERVERS = ALL

     The user jen may run any command on any machine except for those in the
     SERVERS Host_Alias (master, mail, www and ns).

         jill           SERVERS = /usr/bin/, !SU, !SHELLS

     For any machine in the SERVERS Host_Alias, jill may run any commands in
     the directory /usr/bin/ except for those commands belonging to the SU
     and SHELLS Cmnd_Aliases.

         steve          CSNETS = (operator) /usr/local/op_commands/

     The user steve may run any command in the directory
     /usr/local/op_commands/ but only as user operator.

         matt           valkyrie = KILL

     On his personal workstation, valkyrie, matt needs to be able to kill

         WEBMASTERS     www = (www) ALL, (root) /usr/bin/su www

     On the host www, any user in the WEBMASTERS User_Alias (will, wendy,
     and wim), may run any command as user www (which owns the web pages) or
     simply su(1) to www.

         ALL            CDROM = NOPASSWD: /sbin/umount /CDROM,\
                        /sbin/mount -o nosuid\,nodev /dev/cd0a /CDROM

     Any user may mount or unmount a CD-ROM on the machines in the CDROM
     Host_Alias (orion, perseus, hercules) without entering a password.
     This is a bit tedious for users to type, so it is a prime candidate for
     encapsulating in a shell script.

SECURITY NOTES
     It is generally not effective to "subtract" commands from ALL using the
     '!' operator.  A user can trivially circumvent this by copying the
     desired command to a different name and then executing that.  For
     example:

         bill           ALL = ALL, !SU, !SHELLS

     Doesn't really prevent bill from running the commands listed in SU or
     SHELLS since he can simply copy those commands to a different name, or
     use a shell escape from an editor or other program.  Therefore, these
     kinds of restrictions should be considered advisory at best (and
     reinforced by policy).

     Furthermore, if the fast_glob option is in use, it is not possible to
     reliably negate commands where the path name includes globbing (aka
     wildcard) characters.  This is because the C library's fnmatch(3)
     function cannot resolve relative paths.  While this is typically only
     an inconvenience for rules that grant privileges, it can result in a
     security issue for rules that subtract or revoke privileges.

     For example, given the following sudoers entry:

         john   ALL = /usr/bin/passwd [a-zA-Z0-9]*, /usr/bin/chsh [a-zA-Z0-9]*,
                      /usr/bin/chfn [a-zA-Z0-9]*, !/usr/bin/* root

     User john can still run /usr/bin/passwd root if fast_glob is enabled by
     changing to /usr/bin and running ./passwd root instead.
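Both weaknesses above (subtracting from ALL with '!', and negating a command whose path contains glob characters while fast_glob is in use) can be flagged before a rule goes live. This added example, which is not code from sudo or visudo, lints one user specification per line (one host list per line, Defaults lines skipped) and reports the two patterns; the sample rules are constructed from the entries discussed on this page and the function names are this example's own.

```python
import re
from typing import Dict, List

GLOB_CHARS = set("*?[]")

def split_commands(rhs: str) -> List[str]:
    """Split the command list after '=' into bare commands, honouring the
    sudoers '\\,' escape and stripping a leading (runas) list and tags such
    as NOPASSWD: or NOEXEC:."""
    commands = []
    for item in re.split(r"(?<!\\),", rhs):
        item = item.strip()
        item = re.sub(r"^\([^)]*\)\s*", "", item)      # drop "(runas)"
        item = re.sub(r"^(?:[A-Z_]+:\s*)+", "", item)    # drop "TAG:" prefixes
        if item:
            commands.append(item)
    return commands

def lint_user_spec(line: str, fast_glob: bool = False) -> List[str]:
    """Return warnings for one user specification line."""
    stripped = line.strip()
    if "=" not in stripped or stripped.startswith("Defaults"):
        return []
    who, rhs = stripped.split("=", 1)
    who = " ".join(who.split())
    commands = split_commands(rhs)
    negated = [c[1:].strip() for c in commands if c.startswith("!")]
    warnings = []
    if negated and "ALL" in commands:
        # Advisory only: the same program under another name, or a shell
        # escape from an allowed program, is not covered by the '!' entries.
        warnings.append(f"{who}: '!' cannot reliably subtract "
                        f"{', '.join(negated)} from ALL; treat as advisory")
    if fast_glob:
        for cmd in negated:
            path = cmd.split()[0]
            if GLOB_CHARS & set(path):
                # fnmatch(3) does not resolve relative paths, so a glob in a
                # negated path is not a reliable revocation under fast_glob.
                warnings.append(f"{who}: negated command '{cmd}' has glob "
                                "characters in its path; unreliable with fast_glob")
    return warnings

def lint_rules(lines, fast_glob: bool = False) -> Dict[str, List[str]]:
    """Lint several lines; the keys are the lines that produced warnings."""
    report = {}
    for line in lines:
        found = lint_user_spec(line, fast_glob)
        if found:
            report[line] = found
    return report

# Constructed sample rules, modelled on the entries discussed in the text.
SAMPLE_RULES = [
    "bill    ALL = ALL, !SU, !SHELLS",
    "john    ALL = /usr/bin/passwd [a-zA-Z0-9]*, /usr/bin/chsh [a-zA-Z0-9]*, "
    "/usr/bin/chfn [a-zA-Z0-9]*, !/usr/bin/* root",
    "jill    SERVERS = /usr/bin/, !SU, !SHELLS",
    "ALL     CDROM = NOPASSWD: /sbin/umount /CDROM, "
    "/sbin/mount -o nosuid\\,nodev /dev/cd0a /CDROM",
]

if __name__ == "__main__":
    for rule, found in lint_rules(SAMPLE_RULES, fast_glob=True).items():
        print(rule)
        for warning in found:
            print("   ", warning)
```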
   PREVENTING SHELL ESCAPES
     Once sudo executes a program, that program is free to do whatever it
     pleases, including run other programs.  This can be a security issue
     since it is not uncommon for a program to allow shell escapes, which
     lets a user bypass sudo's access control and logging.  Common programs
     that permit shell escapes include shells (obviously), editors,
     paginators, mail and terminal programs.

     There are two basic approaches to this problem:

     restrict  Avoid giving users access to commands that allow the user to
               run arbitrary commands.  Many editors have a restricted mode
               where shell escapes are disabled, though sudoedit is a better
               solution to running editors via sudo.  Due to the large
               number of programs that offer shell escapes, restricting
               users to the set of programs that do not is often unworkable.

     noexec    Many systems that support shared libraries have the ability
               to override default library functions by pointing an
               environment variable (usually LD_PRELOAD) to an alternate
               shared library.  On such systems, sudo's noexec functionality
               can be used to prevent a program run by sudo from executing
               any other programs.  Note, however, that this applies only to
               native dynamically-linked executables.  Statically-linked
               executables and foreign executables running under binary
               emulation are not affected.

               The noexec feature is known to work on SunOS, Solaris, *BSD,
               Linux, IRIX, Tru64 UNIX, MacOS X, HP-UX 11.x and AIX 5.3 and
               above.  It should be supported on most operating systems that
               support the LD_PRELOAD environment variable.  Check your
               operating system's manual pages for the dynamic linker
               (usually ld.so, ld.so.1, dyld, dld.sl, rld, or loader) to see
               if LD_PRELOAD is supported.

               On Solaris 10 and higher, noexec uses Solaris privileges
               instead of the LD_PRELOAD environment variable.

               To enable noexec for a command, use the NOEXEC tag as
               documented in the User Specification section above.  Here is
               an example:

                   aaron  shanty = NOEXEC: /usr/bin/more, /usr/bin/vi

               This allows user aaron to run /usr/bin/more and /usr/bin/vi
               with noexec enabled.  This will prevent those two commands
               from executing other commands (such as a shell).  If you are
               unsure whether or not your system is capable of supporting
               noexec you can always just try it out and check whether shell
               escapes work when noexec is enabled.

     Note that restricting shell escapes is not a panacea.  Programs running
     as root are still capable of many potentially hazardous operations
     (such as changing or overwriting files) that could lead to unintended
     privilege escalation.  In the specific case of an editor, a safer
     approach is to give the user permission to run sudoedit.

DEBUG FLAGS
     Versions 1.8.4 and higher of the sudoers plugin support a debugging
     framework that can help track down what the plugin is doing internally
     if there is a problem.  This can be configured in the /etc/sudo.conf
     file as described in sudo(1m).

     The sudoers plugin uses the same debug flag format as sudo itself:
     subsystem@priority.

     The priorities used by sudoers, in order of decreasing severity, are:
     crit, err, warn, notice, diag, info, trace and debug.  Each priority,
     when specified, also includes all priorities higher than it.  For
     example, a priority of notice would include debug messages logged at
     notice and higher.

     The following subsystems are used by sudoers:

     alias       User_Alias, Runas_Alias, Host_Alias and Cmnd_Alias processing

     all         matches every subsystem

     audit       BSM and Linux audit code

     auth        user authentication

     defaults    sudoers Defaults settings

     env         environment handling

     ldap        LDAP-based sudoers

     logging     logging support

     match       matching of users, groups, hosts and netgroups in sudoers

     netif       network interface handling

     nss         network service switch handling in sudoers

     parser      sudoers file parsing

     perms       permission setting

     plugin      The equivalent of main for the plugin.

     pty         pseudo-tty related code

     rbtree      redblack tree internals

     util        utility functions

SECURITY NOTES
     sudoers will check the ownership of its time stamp directory
     (/var/adm/sudo by default) and ignore the directory's contents if it is
     not owned by root or if it is writable by a user other than root.  On
     systems that allow non-root users to give away files via chown(2), if
     the time stamp directory is located in a world-writable directory
     (e.g., /tmp), it is possible for a user to create the time stamp
     directory before sudo is run.  However, because sudoers checks the
     ownership and mode of the directory and its contents, the only damage
     that can be done is to "hide" files by putting them in the time stamp
     dir.  This is unlikely to happen since once the time stamp dir is owned
     by root and inaccessible by any other user, the user placing files
     there would be unable to get them back out.

     sudoers will not honor time stamps set far in the future.  Time stamps
     with a date greater than current_time + 2 * TIMEOUT will be ignored and
     sudo will log and complain.  This is done to keep a user from creating
     his/her own time stamp with a bogus date on systems that allow users to
     give away files if the time stamp directory is located in a
     world-writable directory.

     On systems where the boot time is available, sudoers will ignore time
     stamps that date from before the machine booted.

     Since time stamp files live in the file system, they can outlive a
     user's login session.  As a result, a user may be able to login, run a
     command with sudo after authenticating, logout, login again, and run
     sudo without authenticating so long as the time stamp file's
     modification time is within 5 minutes (or whatever the timeout is set
     to in sudoers).  When the tty_tickets option is enabled, the time stamp
     has per-tty granularity but still may outlive the user's session.  On
     Linux systems where the devpts filesystem is used, Solaris systems with
     the devices filesystem, as well as other systems that utilize a devfs
     filesystem that monotonically increases the inode number of devices as
     they are created (such as Mac OS X), sudoers is able to determine when
     a tty-based time stamp file is stale and will ignore it.
     Administrators should not rely on this feature as it is not universally
     supported.
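The time stamp checks described above (directory ownership and mode, stamps set too far in the future, stamps older than the last boot, and a timeout that can outlive a login session), as an added example that is not taken from sudo's code. The function names, the 5-minute timeout constant and the epoch times in the scenarios are constructed for this example.

```python
import stat
from typing import Dict, Optional, Tuple

TIMEOUT = 5 * 60  # seconds: the 5-minute timeout the text describes

def timestamp_dir_is_trusted(owner_uid: int, mode: int) -> bool:
    """sudoers ignores the time stamp directory's contents unless root owns
    it and no user other than root can write to it."""
    if owner_uid != 0:
        return False
    return not (mode & (stat.S_IWGRP | stat.S_IWOTH))

def timestamp_is_valid(mtime: float, now: float, boot_time: Optional[float] = None,
                       timeout: int = TIMEOUT) -> Tuple[bool, str]:
    """Decide whether a time stamp file with modification time `mtime` lets
    the user skip authentication.  Returns (valid, reason)."""
    if mtime > now + 2 * timeout:
        # Far-future stamps are ignored and logged: on systems that allow
        # chown(2) give-aways a user could otherwise plant a bogus stamp.
        return False, "time stamp too far in the future; ignored and logged"
    if boot_time is not None and mtime < boot_time:
        return False, "time stamp predates the last boot; ignored"
    if now - mtime > timeout:
        return False, "time stamp expired; password required"
    return True, "time stamp within timeout; no password required"

def demo_scenarios() -> Dict[str, bool]:
    """Constructed scenarios (label -> valid?) using synthetic epoch times."""
    boot = 1_700_000_000.0
    scenarios = {
        # logout and login again 2 minutes after the last sudo: still valid
        "fresh after re-login": (boot + 1000, boot + 1000 + 120, boot),
        "expired":              (boot + 1000, boot + 1000 + 900, boot),
        "bogus future stamp":   (boot + 5000, boot + 1000, boot),
        "pre-boot stamp":       (boot - 60, boot + 100, boot),
    }
    return {label: timestamp_is_valid(m, n, b)[0]
            for label, (m, n, b) in scenarios.items()}
```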
     If users have sudo ALL there is nothing to prevent them from creating
     their own program that gives them a root shell (or making their own
     copy of a shell) regardless of any '!' elements in the user
     specification.

SEE ALSO
     rsh(1), su(1), fnmatch(3), glob(3), mktemp(3), strftime(3),
     sudoers.ldap(4), sudo_plugin(1m), sudo(1m), visudo(1m)

CAVEATS
     The sudoers file should always be edited by the visudo command which
     locks the file and does grammatical checking.  It is imperative that
     sudoers be free of syntax errors since sudo will not run with a
     syntactically incorrect sudoers file.

     When using netgroups of machines (as opposed to users), if you store
     fully qualified host names in the netgroup (as is usually the case), you
     either need to have the machine's host name be fully qualified as
     returned by the hostname command or use the fqdn option in sudoers.

BUGS
     If you feel you have found a bug in sudo, please submit a bug report at
     http://www.sudo.ws/sudo/bugs/

SUPPORT
     Limited free support is available via the sudo-users mailing list, see
     http://www.sudo.ws/mailman/listinfo/sudo-users to subscribe or search

DISCLAIMER
     sudo is provided ``AS IS'' and any express or implied warranties,
     including, but not limited to, the implied warranties of
     merchantability and fitness for a particular purpose are disclaimed.
     See the LICENSE file distributed with sudo or
     http://www.sudo.ws/sudo/license.html for complete details.

1.8.4                          February 5, 2012                     SUDOERS(4)