SUDOERS(4)                   MAINTENANCE COMMANDS                   SUDOERS(4)

       sudoers - default sudo security policy module

DESCRIPTION
       The sudoers policy module determines a user's sudo privileges.  It is
       the default sudo policy plugin.  The policy is driven by the
       /etc/sudoers file or, optionally, in LDAP.  The policy format is
       described in detail in the "SUDOERS FILE FORMAT" section.  For
       information on storing sudoers policy information in LDAP, please see
       sudoers.ldap(4).

   Authentication and Logging
       The sudoers security policy requires that most users authenticate
       themselves before they can use sudo.  A password is not required if the
       invoking user is root, if the target user is the same as the invoking
       user, or if the policy has disabled authentication for the user or
       command.  Unlike su(1), when sudoers requires authentication, it
       validates the invoking user's credentials, not the target user's (or
       root's) credentials.  This can be changed via the rootpw, targetpw and
       runaspw flags, described later.

       If a user who is not listed in the policy tries to run a command via
       sudo, mail is sent to the proper authorities.  The address used for
       such mail is configurable via the mailto Defaults entry (described
       later) and defaults to root.

       Note that mail will not be sent if an unauthorized user tries to run
       sudo with the -l or -v option.  This allows users to determine for
       themselves whether or not they are allowed to use sudo.

       If sudo is run by root and the SUDO_USER environment variable is set,
       the sudoers policy will use this value to determine who the actual user
       is.  This can be used by a user to log commands through sudo even when
       a root shell has been invoked.  It also allows the -e option to remain
       useful even when invoked via a sudo-run script or program.  Note,
       however, that the sudoers lookup is still done for root, not the user
       specified by SUDO_USER.

       sudoers uses time stamp files for credential caching.  Once a user has
       been authenticated, a time stamp is updated and the user may then use
       sudo without a password for a short period of time (5 minutes unless
       overridden by the timeout option).  By default, sudoers uses a tty-based
       time stamp which means that there is a separate time stamp for each of
       a user's login sessions.  The tty_tickets option can be disabled to
       force the use of a single time stamp for all of a user's sessions.

       sudoers can log both successful and unsuccessful attempts (as well as
       errors) to syslog(3), a log file, or both.  By default, sudoers will
       log via syslog(3) but this is changeable via the syslog and logfile

       sudoers also supports logging a command's input and output streams.
       I/O logging is not on by default but can be enabled using the log_input
       and log_output Defaults flags as well as the LOG_INPUT and LOG_OUTPUT

   Command Environment
       Since environment variables can influence program behavior, sudoers
       provides a means to restrict which variables from the user's
       environment are inherited by the command to be run.  There are two
       distinct ways sudoers can deal with environment variables.

       By default, the env_reset option is enabled.  This causes commands to
       be executed with a minimal environment containing TERM, PATH, HOME,
       MAIL, SHELL, LOGNAME, USER and USERNAME in addition to variables from
       the invoking process permitted by the env_check and env_keep options.
       This is effectively a whitelist for environment variables.

       If, however, the env_reset option is disabled, any variables not
       explicitly denied by the env_check and env_delete options are inherited
       from the invoking process.  In this case, env_check and env_delete
       behave like a blacklist.  Since it is not possible to blacklist all
       potentially dangerous environment variables, use of the default
       env_reset behavior is encouraged.

       In all cases, environment variables with a value beginning with () are
       removed as they could be interpreted as bash functions.  The list of
       environment variables that sudo allows or denies is contained in the
       output of sudo -V when run as root.

       Note that the dynamic linker on most operating systems will remove
       variables that can control dynamic linking from the environment of
       setuid executables, including sudo.  Depending on the operating system
       this may include _RLD*, DYLD_*, LD_*, LDR_*, LIBPATH, SHLIB_PATH, and
       others.  These types of variables are removed from the environment
       before sudo even begins execution and, as such, it is not possible for
       sudo to preserve them.

       As a special case, if sudo's -i option (initial login) is specified,
       sudoers will initialize the environment regardless of the value of
       env_reset.  The DISPLAY, PATH and TERM variables remain unchanged;
       HOME, MAIL, SHELL, USER, and LOGNAME are set based on the target user.
       On Linux and AIX systems the contents of /etc/environment are also
       included.  All other environment variables are removed.
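       The whitelist (env_reset on) and blacklist (env_reset off) behaviour
       described above, modelled as a short Python program.  This is an added
       example, not sudo's own code: the env_keep, env_check and env_delete
       lists and the sample environment are constructed here (sudo's real
       built-in lists are only reported by sudo -V as root), and the minimal
       variables are passed through rather than reset from the target user's
       password entry.  The env_check value test ("no '%' or '/' in the value")
       is sudo's documented rule for that option and is not stated on this
       page.

```python
import fnmatch

# Variables sudoers always supplies when env_reset is enabled (from the manual).
MINIMAL_ENV = {"TERM", "PATH", "HOME", "MAIL", "SHELL", "LOGNAME", "USER", "USERNAME"}

# Constructed sample lists for this example; they are NOT sudo's built-in
# defaults.  Entries may end in '*' as a wildcard, as in a sudoers Defaults list.
ENV_KEEP = ["DISPLAY", "LANG", "LC_*"]
ENV_CHECK = ["COLORTERM", "TZ"]
ENV_DELETE = ["IFS", "CDPATH", "LD_*", "PERLLIB", "PYTHONPATH"]


def _listed(name, patterns):
    return any(fnmatch.fnmatchcase(name, p) for p in patterns)


def _passes_check(value):
    # env_check variables survive only if their value contains no '%' or '/'
    # (sudo's documented rule for env_check; a known fact, not from this page).
    return "%" not in value and "/" not in value


def filter_environment(env, env_reset=True):
    """Return the environment a command would receive under either mode.

    env_reset enabled  -> whitelist: minimal set, env_keep, and env_check
                          variables whose value passes the check.
    env_reset disabled -> blacklist: everything except env_delete entries and
                          env_check variables whose value fails the check.
    Values beginning with "()" are dropped in both modes, as the manual says.
    Simplification: HOME, MAIL, etc. are passed through, not reset from the
    target user's password entry.
    """
    result = {}
    for name, value in env.items():
        if value.startswith("()"):
            continue
        if env_reset:
            keep = (name in MINIMAL_ENV
                    or _listed(name, ENV_KEEP)
                    or (_listed(name, ENV_CHECK) and _passes_check(value)))
        else:
            keep = not (_listed(name, ENV_DELETE)
                        or (_listed(name, ENV_CHECK) and not _passes_check(value)))
        if keep:
            result[name] = value
    return result


# Constructed invoking environment, mixing benign and suspicious entries.
SAMPLE_ENV = {
    "PATH": "/usr/bin:/bin",
    "HOME": "/home/alice",
    "TERM": "xterm",
    "LANG": "en_US.UTF-8",
    "LC_ALL": "C",
    "TZ": "UTC",
    "COLORTERM": "../not-a-terminal",   # fails env_check (contains '/')
    "PYTHONPATH": "/tmp/injected",      # listed in env_delete
    "EDITOR": "vim",                    # neither listed nor in the minimal set
    "BASH_FUNC_ls%%": "() {  :; }",     # exported shell function: always dropped
}

if __name__ == "__main__":
    for mode in (True, False):
        kept = filter_environment(SAMPLE_ENV, env_reset=mode)
        print(f"env_reset={'on' if mode else 'off'}: {sorted(kept)}")
```

       Running it shows why the manual encourages the default: with env_reset
       off, EDITOR and anything else not explicitly blacklisted reaches the
       command; with env_reset on, only the named variables do, and in both
       modes the "()" value and the failed env_check variable are dropped.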
SUDOERS FILE FORMAT
       The sudoers file is composed of two types of entries: aliases
       (basically variables) and user specifications (which specify who may

       When multiple entries match for a user, they are applied in order.
       Where there are multiple matches, the last match is used (which is not
       necessarily the most specific match).

       The sudoers grammar will be described below in Extended Backus-Naur
       Form (EBNF).  Don't despair if you don't know what EBNF is; it is
       fairly simple, and the definitions below are annotated.

   Quick guide to EBNF
       EBNF is a concise and exact way of describing the grammar of a
       language.  Each EBNF definition is made up of production rules.  E.g.,

        symbol ::= definition | alternate1 | alternate2 ...

       Each production rule references others and thus makes up a grammar for
       the language.  EBNF also contains the following operators, which many
       readers will recognize from regular expressions.  Do not, however,
       confuse them with "wildcard" characters, which have different meanings.

       ?   Means that the preceding symbol (or group of symbols) is optional.
           That is, it may appear once or not at all.

       *   Means that the preceding symbol (or group of symbols) may appear

       +   Means that the preceding symbol (or group of symbols) may appear

       Parentheses may be used to group symbols together.  For clarity, we
       will use single quotes ('') to designate what is a verbatim character
       string (as opposed to a symbol name).

   Aliases
       There are four kinds of aliases: User_Alias, Runas_Alias, Host_Alias

        Alias ::= 'User_Alias'  User_Alias (':' User_Alias)* |
                  'Runas_Alias' Runas_Alias (':' Runas_Alias)* |
                  'Host_Alias'  Host_Alias (':' Host_Alias)* |
                  'Cmnd_Alias'  Cmnd_Alias (':' Cmnd_Alias)*

        User_Alias ::= NAME '=' User_List

        Runas_Alias ::= NAME '=' Runas_List

        Host_Alias ::= NAME '=' Host_List

        Cmnd_Alias ::= NAME '=' Cmnd_List

        NAME ::= [A-Z]([A-Z][0-9]_)*

       Each alias definition is of the form

        Alias_Type NAME = item1, item2, ...

       where Alias_Type is one of User_Alias, Runas_Alias, Host_Alias, or
       Cmnd_Alias.  A NAME is a string of uppercase letters, numbers, and
       underscore characters ('_').  A NAME must start with an uppercase
       letter.  It is possible to put several alias definitions of the same
       type on a single line, joined by a colon (':').  E.g.,

        Alias_Type NAME = item1, item2, item3 : NAME = item4, item5

       The definitions of what constitutes a valid alias member follow.

        User ::= '!'* user name |
                 '!'* %:nonunix_group |
                 '!'* %:#nonunix_gid |

       A User_List is made up of one or more user names, user ids (prefixed
       with '#'), system group names and ids (prefixed with '%' and '%#'
       respectively), netgroups (prefixed with '+'), non-Unix group names and
       IDs (prefixed with '%:' and '%:#' respectively) and User_Aliases.  Each
       list item may be prefixed with zero or more '!' operators.  An odd
       number of '!' operators negate the value of the item; an even number
       just cancel each other out.
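       The User_List prefixes and the '!' parity rule just described, together
       with the "last match is used" rule from the start of this section,
       modelled as an added Python example (not sudo's parser or matcher).
       Assumptions: each entry is a pre-parsed (user_list, host_list,
       cmnd_list) triple rather than sudoers text; netgroups ('+') and
       non-Unix groups ('%:', '%:#') need an external provider and are treated
       as never matching; and within a single list the last item that
       describes the identity is taken as decisive, which is how this example
       reads the manual's last-match rule at list level.

```python
from dataclasses import dataclass, field


@dataclass
class Identity:
    """The invoking user as the matcher sees it (constructed for this example)."""
    name: str
    uid: int
    groups: set = field(default_factory=set)   # group names
    gids: set = field(default_factory=set)     # numeric group ids


def _split_negations(item):
    """Return (number of leading '!', item without them)."""
    stripped = item.lstrip("!")
    return len(item) - len(stripped), stripped


def _member_matches(body, ident):
    """Does one un-negated User_List item describe this identity?

    Netgroups ('+') and non-Unix groups ('%:', '%:#') need an external
    provider, so this example treats them as non-matching (an assumption).
    """
    if body == "ALL":
        return True
    if body.startswith("%:"):
        return False
    if body.startswith("%#"):
        return int(body[2:]) in ident.gids
    if body.startswith("%"):
        return body[1:] in ident.groups
    if body.startswith("#"):
        return int(body[1:]) == ident.uid
    if body.startswith("+"):
        return False
    return body == ident.name


def match_user_list(items, ident):
    """An odd number of '!' negates an item, an even number cancels out.
    The last item that describes the identity decides (assumption: the
    manual's last-match rule applied within a list)."""
    for item in reversed(items):
        negations, body = _split_negations(item)
        if _member_matches(body, ident):
            return negations % 2 == 0
    return False


def lookup(entries, ident, host, command):
    """Evaluate simplified user specifications (user_list, host_list, cmnd_list)
    in order; when several match, the last match is used."""
    verdict = False
    for users, hosts, cmnds in entries:
        if not match_user_list(users, ident):
            continue
        if "ALL" not in hosts and host not in hosts:
            continue
        for cmnd in cmnds:
            negations, body = _split_negations(cmnd)
            if body == "ALL" or body == command:
                verdict = negations % 2 == 0
    return verdict


# Constructed policy; each tuple stands for one sudoers line.
ENTRIES = [
    (["%admin"], ["boulder"], ["ALL", "!/bin/sh"]),   # later '!' item decides for /bin/sh
    (["#1001"], ["boulder"], ["/bin/ls"]),            # matched by uid, not by name
    (["!!bob"], ["ALL"], ["/bin/kill"]),              # even number of '!' cancels out
    (["ALL", "!bob"], ["ALL"], ["/usr/bin/lprm"]),    # everyone except bob
]

ALICE = Identity("alice", 1001, {"admin"}, {100})
BOB = Identity("bob", 1002, set(), {101})

if __name__ == "__main__":
    for who, cmd in ((ALICE, "/bin/sh"), (ALICE, "/bin/ls"),
                     (BOB, "/bin/kill"), (BOB, "/usr/bin/lprm")):
        allowed = lookup(ENTRIES, who, "boulder", cmd)
        print(f"{who.name:6} {cmd:14} -> {'allowed' if allowed else 'denied'}")
```

       The third entry shows the parity rule: "!!bob" is simply bob.  The
       fourth shows why negation only works when a later item overrides an
       earlier one: for bob, "!bob" is the last matching item and wins over
       "ALL"; for alice only "ALL" matches.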
       A user name, uid, group, gid, netgroup, nonunix_group or nonunix_gid
       may be enclosed in double quotes to avoid the need for escaping special
       characters.  Alternately, special characters may be specified in
       escaped hex mode, e.g. \x20 for space.  When using double quotes, any
       prefix characters must be included inside the quotes.

       The actual nonunix_group and nonunix_gid syntax depends on the
       underlying group provider plugin (see the group_plugin description
       below).  For instance, the QAS AD plugin supports the following

       o   Group in the same domain: "Group Name"

       o   Group in any domain: "Group Name@FULLY.QUALIFIED.DOMAIN"

       o   Group SID: "S-1-2-34-5678901234-5678901234-5678901234-567"

       Note that quotes around group names are optional.  Unquoted strings
       must use a backslash (\) to escape spaces and special characters.  See
       "Other special characters and reserved words" for a list of characters
       that need to be escaped.

        Runas_List ::= Runas_Member |
                       Runas_Member ',' Runas_List

        Runas_Member ::= '!'* user name |
                         '!'* %:nonunix_group |
                         '!'* %:#nonunix_gid |

       A Runas_List is similar to a User_List except that instead of
       User_Aliases it can contain Runas_Aliases.  Note that user names and
       groups are matched as strings.  In other words, two users (groups) with
       the same uid (gid) are considered to be distinct.  If you wish to match
       all user names with the same uid (e.g. root and toor), you can use a
       uid instead (#0 in the example given).

        Host ::= '!'* host name |
                 '!'* network(/netmask)? |

       A Host_List is made up of one or more host names, IP addresses, network
       numbers, netgroups (prefixed with '+') and other aliases.  Again, the
       value of an item may be negated with the '!' operator.  If you do not
       specify a netmask along with the network number, sudo will query each
       of the local host's network interfaces and, if the network number
       corresponds to one of the host's network interfaces, the corresponding
       netmask will be used.  The netmask may be specified either in standard
       IP address notation (e.g. 255.255.255.0 or ffff:ffff:ffff:ffff::), or
       CIDR notation (number of bits, e.g. 24 or 64).  A host name may include
       shell-style wildcards (see the Wildcards section below), but unless the
       host name command on your machine returns the fully qualified host
       name, you'll need to use the fqdn option for wildcards to be useful.
       Note sudo only inspects actual network interfaces; this means that IP
       address 127.0.0.1 (localhost) will never match.  Also, the host name
       "localhost" will only match if that is the actual host name, which is
       usually only the case for non-networked systems.
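       The network(/netmask)? form of a Host_List item, worked through in an
       added Python example that is not sudo's own code.  It accepts the two
       netmask notations the manual names (address style and CIDR bit count),
       derives the netmask from the interface when none is given, and leaves
       the loopback interface out of its constructed interface table because
       sudo only consults real interfaces.  The interface table is constructed
       for the example; how sudo compares a mask-less network number against an
       interface is this example's reading of "the corresponding netmask will
       be used" (match on the interface address or its network number).

```python
import ipaddress

# Constructed interface table: (address, netmask).  The loopback interface is
# deliberately absent because sudo only consults real interfaces, so
# 127.0.0.1 never matches.
INTERFACES = [
    ("192.168.10.5", "255.255.255.0"),
    ("fd00:1::5", "ffff:ffff:ffff:ffff::"),
]


def prefix_length(mask):
    """Convert a netmask given either as a bit count ('24') or in address
    notation ('255.255.255.0', 'ffff:ffff:ffff:ffff::') to a prefix length."""
    if mask.isdigit():
        return int(mask)
    addr = ipaddress.ip_address(mask)
    value, bits = int(addr), addr.max_prefixlen
    ones = bin(value).count("1")
    # A valid mask is a run of ones followed by zeros.
    if value != ((1 << bits) - 1) ^ ((1 << (bits - ones)) - 1):
        raise ValueError(f"non-contiguous netmask: {mask}")
    return ones


def network_matches(item, interfaces=INTERFACES):
    """Match a Host_List item of the form address or network(/netmask)?.

    With a netmask: any interface address inside that network matches.
    Without one: the item matches if it equals an interface address or that
    interface's network number under the interface's own netmask (this
    example's reading of "the corresponding netmask will be used").
    Raises ValueError if the item is not an address at all (e.g. a host name).
    """
    target_str, _, mask = item.partition("/")
    target = ipaddress.ip_address(target_str)
    if mask:
        net = ipaddress.ip_network(f"{target}/{prefix_length(mask)}", strict=False)
        return any(ipaddress.ip_address(a) in net for a, _ in interfaces)
    for a, m in interfaces:
        addr = ipaddress.ip_address(a)
        if addr.version != target.version:
            continue
        net = ipaddress.ip_network(f"{a}/{prefix_length(m)}", strict=False)
        if target == addr or target == net.network_address:
            return True
    return False


def host_list_matches(items, hostname, interfaces=INTERFACES):
    """Evaluate a Host_List: items that parse as addresses go through
    network_matches, anything else compares as a host name ('ALL' always
    matches); '!' negates and the last matching item decides."""
    for item in reversed(items):
        negations = len(item) - len(item.lstrip("!"))
        body = item[negations:]
        try:
            hit = network_matches(body, interfaces)
        except ValueError:
            hit = body == "ALL" or body == hostname
        if hit:
            return negations % 2 == 0
    return False


if __name__ == "__main__":
    for spec in ("192.168.10.0/24", "192.168.10.0/255.255.255.0", "192.168.10.0",
                 "192.168.11.0", "fd00:1::/ffff:ffff:ffff:ffff::", "127.0.0.1"):
        print(f"{spec:40} {network_matches(spec)}")
```

       Python's ipaddress module accepts dotted netmasks for IPv4 but only
       prefix lengths for IPv6, which is why prefix_length normalises both
       notations before the network is built.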
        commandname ::= file name |

        Cmnd ::= '!'* commandname |

       A Cmnd_List is a list of one or more commandnames, directories, and
       other aliases.  A commandname is a fully qualified file name which may
       include shell-style wildcards (see the Wildcards section below).  A
       simple file name allows the user to run the command with any arguments
       he/she wishes.  However, you may also specify command line arguments
       (including wildcards).  Alternately, you can specify "" to indicate
       that the command may only be run without command line arguments.  A
       directory is a fully qualified path name ending in a '/'.  When you
       specify a directory in a Cmnd_List, the user will be able to run any
       file within that directory (but not in any subdirectories therein).

       If a Cmnd has associated command line arguments, then the arguments in
       the Cmnd must match exactly those given by the user on the command line
       (or match the wildcards if there are any).  Note that the following
       characters must be escaped with a '\' if they are used in command
       arguments: ',', ':', '=', '\'.  The special command "sudoedit" is used
       to permit a user to run sudo with the -e option (or as sudoedit).  It
       may take command line arguments just as a normal command does.

   Defaults
       Certain configuration options may be changed from their default values
       at runtime via one or more Default_Entry lines.  These may affect all
       users on any host, all users on a specific host, a specific user, a
       specific command, or commands being run as a specific user.  Note that
       per-command entries may not include command line arguments.  If you
       need to specify arguments, define a Cmnd_Alias and reference that

        Default_Type ::= 'Defaults' |
                         'Defaults' '@' Host_List |
                         'Defaults' ':' User_List |
                         'Defaults' '!' Cmnd_List |
                         'Defaults' '>' Runas_List

        Default_Entry ::= Default_Type Parameter_List

        Parameter_List ::= Parameter |
                           Parameter ',' Parameter_List

        Parameter ::= Parameter '=' Value |
                      Parameter '+=' Value |
                      Parameter '-=' Value |

       Parameters may be flags, integer values, strings, or lists.  Flags are
       implicitly boolean and can be turned off via the '!' operator.  Some
       integer, string and list parameters may also be used in a boolean
       context to disable them.  Values may be enclosed in double quotes (")
       when they contain multiple words.  Special characters may be escaped
       with a backslash (\).

       Lists have two additional assignment operators, += and -=.  These
       operators are used to add to and delete from a list respectively.  It
       is not an error to use the -= operator to remove an element that does

       Defaults entries are parsed in the following order: generic, host and
       user Defaults first, then runas Defaults and finally command defaults.

       See "SUDOERS OPTIONS" for a list of supported Defaults parameters.

   User Specification
        User_Spec ::= User_List Host_List '=' Cmnd_Spec_List \
                      (':' Host_List '=' Cmnd_Spec_List)*

        Cmnd_Spec_List ::= Cmnd_Spec |
                           Cmnd_Spec ',' Cmnd_Spec_List

        Cmnd_Spec ::= Runas_Spec? SELinux_Spec? Tag_Spec* Cmnd

        Runas_Spec ::= '(' Runas_List? (':' Runas_List)? ')'

        SELinux_Spec ::= ('ROLE=role' | 'TYPE=type')

        Tag_Spec ::= ('NOPASSWD:' | 'PASSWD:' | 'NOEXEC:' | 'EXEC:' |
                      'SETENV:' | 'NOSETENV:' | 'LOG_INPUT:' | 'NOLOG_INPUT:' |
                      'LOG_OUTPUT:' | 'NOLOG_OUTPUT:')

       A user specification determines which commands a user may run (and as
       what user) on specified hosts.  By default, commands are run as root,
       but this can be changed on a per-command basis.

       The basic structure of a user specification is `who where = (as_whom)
       what'.  Let's break that down into its constituent parts:

   Runas_Spec
       A Runas_Spec determines the user and/or the group that a command may be
       run as.  A fully-specified Runas_Spec consists of two Runas_Lists (as
       defined above) separated by a colon (':') and enclosed in a set of
       parentheses.  The first Runas_List indicates which users the command
       may be run as via sudo's -u option.  The second defines a list of
       groups that can be specified via sudo's -g option.  If both Runas_Lists
       are specified, the command may be run with any combination of users and
       groups listed in their respective Runas_Lists.  If only the first is
       specified, the command may be run as any user in the list but no -g
       option may be specified.  If the first Runas_List is empty but the
       second is specified, the command may be run as the invoking user with
       the group set to any listed in the Runas_List.  If no Runas_Spec is
       specified the command may be run as root and no group may be specified.

       A Runas_Spec sets the default for the commands that follow it.  What
       this means is that for the entry:

        dgb     boulder = (operator) /bin/ls, /bin/kill, /usr/bin/lprm

       The user dgb may run /bin/ls, /bin/kill, and /usr/bin/lprm -- but only
       as operator.  E.g.,

        $ sudo -u operator /bin/ls

       It is also possible to override a Runas_Spec later on in an entry.  If
       we modify the entry like so:

        dgb     boulder = (operator) /bin/ls, (root) /bin/kill, /usr/bin/lprm

       Then user dgb is now allowed to run /bin/ls as operator, but /bin/kill
       and /usr/bin/lprm as root.

       We can extend this to allow dgb to run /bin/ls with either the user or
       group set to operator:

        dgb     boulder = (operator : operator) /bin/ls, (root) /bin/kill, \

       Note that while the group portion of the Runas_Spec permits the user to
       run a command with that group, it does not force the user to do so.
       If no group is specified on the command line, the command will run with
       the group listed in the target user's password database entry.  The
       following would all be permitted by the sudoers entry above:

        $ sudo -u operator /bin/ls
        $ sudo -u operator -g operator /bin/ls
        $ sudo -g operator /bin/ls

       In the following example, user tcm may run commands that access a modem
       device file with the dialer group.

        tcm     boulder = (:dialer) /usr/bin/tip, /usr/bin/cu, \
                /usr/local/bin/minicom

       Note that in this example only the group will be set, the command still
       runs as user tcm.  E.g.

        $ sudo -g dialer /usr/bin/cu

       Multiple users and groups may be present in a Runas_Spec, in which case
       the user may select any combination of users and groups via the -u and
       -g options.  In this example:

        alan    ALL = (root, bin : operator, system) ALL

       user alan may run any command as either user root or bin, optionally
       setting the group to operator or system.

   SELinux_Spec
       On systems with SELinux support, sudoers entries may optionally have an
       SELinux role and/or type associated with a command.  If a role or type
       is specified with the command it will override any default values
       specified in sudoers.  A role or type specified on the command line,
       however, will supersede the values in sudoers.

   Tag_Spec
       A command may have zero or more tags associated with it.  There are
       eight possible tag values, NOPASSWD, PASSWD, NOEXEC, EXEC, SETENV,
       NOSETENV, LOG_INPUT, NOLOG_INPUT, LOG_OUTPUT and NOLOG_OUTPUT.  Once a
       tag is set on a Cmnd, subsequent Cmnds in the Cmnd_Spec_List inherit
       the tag unless it is overridden by the opposite tag (i.e.: PASSWD
       overrides NOPASSWD and NOEXEC overrides EXEC).

       NOPASSWD and PASSWD

       By default, sudo requires that a user authenticate him or herself
       before running a command.  This behavior can be modified via the
       NOPASSWD tag.  Like a Runas_Spec, the NOPASSWD tag sets a default for
       the commands that follow it in the Cmnd_Spec_List.  Conversely, the
       PASSWD tag can be used to reverse things.  For example:

        ray     rushmore = NOPASSWD: /bin/kill, /bin/ls, /usr/bin/lprm

       would allow the user ray to run /bin/kill, /bin/ls, and /usr/bin/lprm
       as root on the machine rushmore without authenticating himself.  If we
       only want ray to be able to run /bin/kill without a password the entry

        ray     rushmore = NOPASSWD: /bin/kill, PASSWD: /bin/ls, /usr/bin/lprm

       Note, however, that the PASSWD tag has no effect on users who are in
       the group specified by the exempt_group option.

       By default, if the NOPASSWD tag is applied to any of the entries for a
       user on the current host, he or she will be able to run sudo -l without
       a password.  Additionally, a user may only run sudo -v without a
       password if the NOPASSWD tag is present for all a user's entries that
       pertain to the current host.  This behavior may be overridden via the
       verifypw and listpw options.

       NOEXEC and EXEC

       If sudo has been compiled with noexec support and the underlying
       operating system supports it, the NOEXEC tag can be used to prevent a
       dynamically-linked executable from running further commands itself.

       In the following example, user aaron may run /usr/bin/more and
       /usr/bin/vi but shell escapes will be disabled.

        aaron   shanty = NOEXEC: /usr/bin/more, /usr/bin/vi

       See the "PREVENTING SHELL ESCAPES" section below for more details on
       how NOEXEC works and whether or not it will work on your system.

       SETENV and NOSETENV

       These tags override the value of the setenv option on a per-command
       basis.  Note that if SETENV has been set for a command, the user may
       disable the env_reset option from the command line via the -E option.
       Additionally, environment variables set on the command line are not
       subject to the restrictions imposed by env_check, env_delete, or
       env_keep.  As such, only trusted users should be allowed to set
       variables in this manner.  If the command matched is ALL, the SETENV
       tag is implied for that command; this default may be overridden by use

       LOG_INPUT and NOLOG_INPUT

       These tags override the value of the log_input option on a per-command
       basis.  For more information, see the description of log_input in the
       "SUDOERS OPTIONS" section below.

       LOG_OUTPUT and NOLOG_OUTPUT

       These tags override the value of the log_output option on a per-command
       basis.  For more information, see the description of log_output in the
       "SUDOERS OPTIONS" section below.

   Wildcards
       sudo allows shell-style wildcards (aka meta or glob characters) to be
       used in host names, path names and command line arguments in the
       sudoers file.  Wildcard matching is done via the POSIX glob(3) and
       fnmatch(3) routines.  Note that these are not regular expressions.

       *       Matches any set of zero or more characters.

       ?       Matches any single character.

       [...]   Matches any character in the specified range.

       [!...]  Matches any character not in the specified range.

       \x      For any character "x", evaluates to "x".  This is used to
               escape special characters such as: "*", "?", "[", and "}".

       POSIX character classes may also be used if your system's glob(3) and
       fnmatch(3) functions support them.  However, because the ':' character
       has special meaning in sudoers, it must be escaped.  For example:

        /bin/ls [[\:alpha\:]]*

       Would match any file name beginning with a letter.

       Note that a forward slash ('/') will not be matched by wildcards used
       in the path name.  When matching the command line arguments, however, a
       slash does get matched by wildcards.  This is to make a path like:

       match /usr/bin/who but not /usr/bin/X11/xterm.
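       The two wildcard rules above (a slash is never matched in the path
       name, but is matched in command line arguments) and the three argument
       forms from the Cmnd_List description (no arguments listed, the empty
       string "", or an explicit argument pattern), worked through in an added
       Python example.  This is not sudo's matcher: it models the path-name
       rule by matching one path component at a time, joins the user's
       arguments with single spaces before comparing them with the rule's
       argument string, and the rules themselves are constructed for the
       example.

```python
import fnmatch


def path_matches(pattern, path):
    """Match a command path the way glob(3) does in sudoers: wildcards never
    match '/', so the pattern is compared one path component at a time."""
    pparts, tparts = pattern.split("/"), path.split("/")
    if len(pparts) != len(tparts):
        return False
    return all(fnmatch.fnmatchcase(t, p) for p, t in zip(pparts, tparts))


def args_match(pattern, args):
    """Match command line arguments: here a '/' IS matched by wildcards, as
    fnmatch(3) does without FNM_PATHNAME.  The user's arguments are joined
    with single spaces before matching (this example's simplification of
    sudo's argument comparison); a pattern without wildcards must match
    exactly."""
    return fnmatch.fnmatchcase(" ".join(args), pattern)


def command_matches(rule, command, args):
    """rule is (path_pattern, args_pattern); args_pattern may be:
       None  -> no arguments listed, so any arguments are allowed;
       '""'  -> the empty string, so the command may only run without arguments;
       text  -> must match the user's arguments exactly, or via wildcards."""
    path_pattern, args_pattern = rule
    if not path_matches(path_pattern, command):
        return False
    if args_pattern is None:
        return True
    if args_pattern == '""':
        return len(args) == 0
    return args_match(args_pattern, args)


# Constructed rules standing in for Cmnd entries in a sudoers file.
RULES = {
    "bin_any":   ("/usr/bin/*", None),             # any program directly in /usr/bin
    "ls_noargs": ("/bin/ls", '""'),                # ls with no arguments at all
    "less_logs": ("/usr/bin/less", "/var/log/*"),  # any path below /var/log
    "kill_one":  ("/bin/kill", "-HUP 1234"),       # exact arguments only
}

if __name__ == "__main__":
    for name, (cmd, args) in (("bin_any", ("/usr/bin/who", [])),
                              ("bin_any", ("/usr/bin/X11/xterm", [])),
                              ("less_logs", ("/usr/bin/less", ["/var/log/nginx/access.log"]))):
        print(f"{name:10} {cmd} {' '.join(args)} -> {command_matches(RULES[name], cmd, args)}")
```

       The asymmetry is deliberate in sudoers: /usr/bin/* stops at the
       directory boundary for the program path, while /var/log/* as an argument
       pattern reaches into subdirectories.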
   Exceptions to wildcard rules
       The following exceptions apply to the above rules:

       ""      If the empty string "" is the only command line argument in the
               sudoers entry it means that command is not allowed to be run
               with any arguments.

   Including other files from within sudoers
       It is possible to include other sudoers files from within the sudoers
       file currently being parsed using the #include and #includedir

       This can be used, for example, to keep a site-wide sudoers file in
       addition to a local, per-machine file.  For the sake of this example
       the site-wide sudoers will be /etc/sudoers and the per-machine one will
       be /etc/sudoers.local.  To include /etc/sudoers.local from within
       /etc/sudoers we would use the following line in /etc/sudoers:

        #include /etc/sudoers.local

       When sudo reaches this line it will suspend processing of the current
       file (/etc/sudoers) and switch to /etc/sudoers.local.  Upon reaching
       the end of /etc/sudoers.local, the rest of /etc/sudoers will be
       processed.  Files that are included may themselves include other files.
       A hard limit of 128 nested include files is enforced to prevent include

       The file name may include the %h escape, signifying the short form of
       the host name.  I.e., if the machine's host name is "xerxes", then

        #include /etc/sudoers.%h

       will cause sudo to include the file /etc/sudoers.xerxes.

       The #includedir directive can be used to create a sudo.d directory that
       the system package manager can drop sudoers rules into as part of
       package installation.  For example, given:

        #includedir /etc/sudoers.d

       sudo will read each file in /etc/sudoers.d, skipping file names that
       end in ~ or contain a . character to avoid causing problems with
       package manager or editor temporary/backup files.  Files are parsed in
       sorted lexical order.  That is, /etc/sudoers.d/01_first will be parsed
       before /etc/sudoers.d/10_second.  Be aware that because the sorting is
       lexical, not numeric, /etc/sudoers.d/1_whoops would be loaded after
       /etc/sudoers.d/10_second.  Using a consistent number of leading zeroes
       in the file names can be used to avoid such problems.
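       The #includedir selection and ordering rules just described (skip names
       ending in ~ or containing a '.', then read in lexical order), as an
       added Python example that is not sudo's code.  It also includes a small
       check for the 1_whoops problem: fragments whose numeric prefix order
       disagrees with the order they are actually loaded in, which matters
       because the last matching entry wins.  The directory contents are
       constructed for the example and written to a temporary directory.

```python
import os
import re
import tempfile


def includedir_order(names):
    """Apply #includedir's rules to a list of file names: skip names ending
    in '~' or containing '.', then sort lexically."""
    chosen = [n for n in names if not n.endswith("~") and "." not in n]
    return sorted(chosen)   # code-point order, like strcmp in the C locale


def includedir_files(directory):
    """The files sudo would read, in order, from a real #includedir directory."""
    return includedir_order(os.listdir(directory))


def misordered(names):
    """Pairs (late, early) where `late` has a smaller numeric prefix than
    `early` yet is loaded after it, the '1_whoops' versus '10_second' case."""
    ordered = includedir_order(names)
    numbered = []
    for n in ordered:
        m = re.match(r"(\d+)", n)
        if m:
            numbered.append((n, int(m.group(1))))
    problems = []
    for i, (name, num) in enumerate(numbered):
        for later, later_num in numbered[i + 1:]:
            if later_num < num:
                problems.append((later, name))
    return problems


# Constructed directory contents: two well-named fragments, one mis-named
# fragment, and the kinds of files the skip rule exists for.
SAMPLE_NAMES = ["01_first", "10_second", "1_whoops", "README.txt",
                "50_local~", "20_backup.bak", "30_cloud"]


def demo():
    """Materialise SAMPLE_NAMES in a temporary directory and read it back."""
    with tempfile.TemporaryDirectory() as d:
        for n in SAMPLE_NAMES:
            with open(os.path.join(d, n), "w") as f:
                f.write("# sudoers fragment (constructed)\n")
        return includedir_files(d)


if __name__ == "__main__":
    print("load order:", demo())
    print("misordered:", misordered(SAMPLE_NAMES))
```

       The check reports ("1_whoops", "10_second"): the fragment numbered 1 is
       loaded after the one numbered 10, exactly the situation the manual says
       consistent leading zeroes avoid.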
585 Note that unlike files included via #include, v
\bvi
\bis
\bsu
\bud
\bdo
\bo will not edit the
586 files in a #includedir directory unless one of them contains a syntax
587 error. It is still possible to run v
\bvi
\bis
\bsu
\bud
\bdo
\bo with the -f flag to edit the
   Other special characters and reserved words
       The pound sign ('#') is used to indicate a comment (unless it is part
       of a #include directive or unless it occurs in the context of a user
       name and is followed by one or more digits, in which case it is treated
       as a uid).  Both the comment character and any text after it, up to the
       end of the line, are ignored.

       The reserved word ALL is a built-in alias that always causes a match to
       succeed.  It can be used wherever one might otherwise use a Cmnd_Alias,
       User_Alias, Runas_Alias, or Host_Alias.  You should not try to define
       your own alias called ALL as the built-in alias will be used in
       preference to your own.  Please note that using ALL can be dangerous
       since in a command context, it allows the user to run any command on

       An exclamation point ('!') can be used as a logical not operator both
       in an alias and in front of a Cmnd.  This allows one to exclude certain
       values.  Note, however, that using a ! in conjunction with the built-in
       ALL alias to allow a user to run "all but a few" commands rarely works
       as intended (see SECURITY NOTES below).

       Long lines can be continued with a backslash ('\') as the last
       character on the line.

       Whitespace between elements in a list as well as special syntactic
       characters in a User Specification ('=', ':', '(', ')') is optional.

       The following characters must be escaped with a backslash ('\') when
       used as part of a word (e.g. a user name or host name): '!', '=', ':',
SUDOERS OPTIONS
       sudo's behavior can be modified by Default_Entry lines, as explained
       earlier.  A list of all supported Defaults parameters, grouped by type,

   Boolean Flags:

       always_set_home   If enabled, sudo will set the HOME environment variable
                         to the home directory of the target user (which is root
                         unless the -u option is used).  This effectively means
                         that the -H option is always implied.  Note that HOME
                         is already set when the env_reset option is enabled,
                         so always_set_home is only effective for
                         configurations where either env_reset is disabled or
                         HOME is present in the env_keep list.  This flag is off

       authenticate      If set, users must authenticate themselves via a
                         password (or other means of authentication) before they
                         may run commands.  This default may be overridden via
                         the PASSWD and NOPASSWD tags.  This flag is on by

                         If set, the user may use sudo's -C option, which
                         overrides the default starting point at which sudo
                         begins closing open file descriptors.  This flag is off

       compress_io       If set, and sudo is configured to log a command's input
                         or output, the I/O logs will be compressed using zlib.
                         This flag is on by default when sudo is compiled with
                         zlib support.

       env_editor        If set, visudo will use the value of the EDITOR or
                         VISUAL environment variables before falling back on the
                         default editor list.  Note that this may create a
                         security hole as it allows the user to run any
                         arbitrary command as root without logging.  A safer
                         alternative is to place a colon-separated list of
                         editors in the editor variable.  visudo will then only
                         use the EDITOR or VISUAL if they match a value
                         specified in editor.  This flag is off by default.

       env_reset         If set, sudo will reset the environment to only contain
                         the LOGNAME, MAIL, SHELL, USER, USERNAME and the SUDO_*
                         variables.  Any variables in the caller's environment
                         that match the env_keep and env_check lists are then
                         added.  The default contents of the env_keep and
                         env_check lists are displayed when sudo is run by root
                         with the -V option.  If the secure_path option is set,
                         its value will be used for the PATH environment
                         variable.  This flag is on by default.

       fast_glob         Normally, sudo uses the glob(3) function to do shell-
                         style globbing when matching path names.  However,
                         since it accesses the file system, glob(3) can take a
                         long time to complete for some patterns, especially
                         when the pattern references a network file system that
                         is mounted on demand (automounted).  The fast_glob
                         option causes sudo to use the fnmatch(3) function,
                         which does not access the file system to do its
                         matching.  The disadvantage of fast_glob is that it is
                         unable to match relative path names such as ./ls or
                         ../bin/ls.  This has security implications when path
                         names that include globbing characters are used with
                         the negation operator, '!', as such rules can be
                         trivially bypassed.  As such, this option should not be
                         used when sudoers contains rules that contain negated
                         path names which include globbing characters.  This
                         flag is off by default.

       fqdn              Set this flag if you want to put fully qualified host
                         names in the sudoers file.  I.e., instead of myhost you
                         would use myhost.mydomain.edu.  You may still use the
                         short form if you wish (and even mix the two).  Beware
                         that turning on fqdn requires sudo to make DNS lookups
                         which may make sudo unusable if DNS stops working (for
                         example if the machine is not plugged into the
                         network).  Also note that you must use the host's
                         official name as DNS knows it.  That is, you may not
                         use a host alias (CNAME entry) due to performance
                         issues and the fact that there is no way to get all
                         aliases from DNS.  If your machine's host name (as
                         returned by the hostname command) is already fully
                         qualified you shouldn't need to set fqdn.  This flag is
                         off by default.

       ignore_dot        If set, sudo will ignore '.' or '' (current dir) in the
                         PATH environment variable; the PATH itself is not
                         modified.  This flag is off by default.
                         If set via LDAP, parsing of /etc/sudoers will be
                         skipped.  This is intended for enterprises that wish to
                         prevent the usage of local sudoers files so that only
                         LDAP is used.  This thwarts the efforts of rogue
                         operators who would attempt to add roles to
                         /etc/sudoers.  When this option is present,
                         /etc/sudoers does not even need to exist.  Since this
                         option tells sudo how to behave when no specific LDAP
                         entries have been matched, this sudoOption is only
                         meaningful for the cn=defaults section.  This flag is
                         off by default.

       insults           If set, sudo will insult users when they enter an
                         incorrect password.  This flag is off by default.

       log_host          If set, the host name will be logged in the (non-
                         syslog) sudo log file.  This flag is off by default.

       log_input         If set, sudo will run the command in a pseudo tty and
                         log all user input.  If the standard input is not
                         connected to the user's tty, due to I/O redirection or
                         because the command is part of a pipeline, that input
                         is also captured and stored in a separate log file.

                         Input is logged to the directory specified by the
                         iolog_dir option (/var/log/sudo-io by default) using a
                         unique session ID that is included in the normal sudo
                         log line, prefixed with TSID=.  The iolog_file option
                         may be used to control the format of the session ID.

                         Note that user input may contain sensitive information
                         such as passwords (even if they are not echoed to the
                         screen), which will be stored in the log file
                         unencrypted.  In most cases, logging the command output
                         via log_output is all that is required.

       log_output        If set, sudo will run the command in a pseudo tty and
                         log all output that is sent to the screen, similar to
                         the script(1) command.  If the standard output or
                         standard error is not connected to the user's tty, due
                         to I/O redirection or because the command is part of a
                         pipeline, that output is also captured and stored in

                         Output is logged to the directory specified by the
                         iolog_dir option (/var/log/sudo-io by default) using a
                         unique session ID that is included in the normal sudo
                         log line, prefixed with TSID=.  The iolog_file option
                         may be used to control the format of the session ID.

                         Output logs may be viewed with the sudoreplay(1m)
                         utility, which can also be used to list or search the

       log_year          If set, the four-digit year will be logged in the (non-
                         syslog) sudo log file.  This flag is off by default.

       long_otp_prompt   When validating with a One Time Password (OTP) scheme
                         such as S/Key or OPIE, a two-line prompt is used to
                         make it easier to cut and paste the challenge to a
                         local window.  It's not as pretty as the default but
                         some people find it more convenient.  This flag is off

       mail_always       Send mail to the mailto user every time a user runs
                         sudo.  This flag is off by default.

       mail_badpass      Send mail to the mailto user if the user running sudo
                         does not enter the correct password.  This flag is off

       mail_no_host      If set, mail will be sent to the mailto user if the
                         invoking user exists in the sudoers file, but is not
                         allowed to run commands on the current host.  This flag
                         is off by default.

       mail_no_perms     If set, mail will be sent to the mailto user if the
                         invoking user is allowed to use sudo but the command
                         they are trying is not listed in their sudoers file
                         entry or is explicitly denied.  This flag is off by

       mail_no_user      If set, mail will be sent to the mailto user if the
                         invoking user is not in the sudoers file.  This flag is

       noexec            If set, all commands run via sudo will behave as if the
                         NOEXEC tag has been set, unless overridden by an EXEC
                         tag.  See the description of NOEXEC and EXEC below as
                         well as the "PREVENTING SHELL ESCAPES" section at the
                         end of this manual.  This flag is off by default.
       path_info         Normally, sudo will tell the user when a command could
                         not be found in their PATH environment variable.  Some
                         sites may wish to disable this as it could be used to
                         gather information on the location of executables that
                         the normal user does not have access to.  The
                         disadvantage is that if the executable is simply not in
                         the user's PATH, sudo will tell the user that they are
                         not allowed to run it, which can be confusing.  This
                         flag is on by default.

                         The password prompt specified by passprompt will
                         normally only be used if the password prompt provided
                         by systems such as PAM matches the string "Password:".
                         If passprompt_override is set, passprompt will always
                         be used.  This flag is off by default.

       preserve_groups   By default, sudo will initialize the group vector to
                         the list of groups the target user is in.  When
                         preserve_groups is set, the user's existing group
                         vector is left unaltered.  The real and effective group
                         IDs, however, are still set to match the target user.
                         This flag is off by default.

       pwfeedback        By default, sudo reads the password like most other
                         Unix programs, by turning off echo until the user hits
                         the return (or enter) key.  Some users become confused
                         by this as it appears to them that sudo has hung at
                         this point.  When pwfeedback is set, sudo will provide
                         visual feedback when the user presses a key.  Note that
                         this does have a security impact as an onlooker may be
                         able to determine the length of the password being
                         entered.  This flag is off by default.

       requiretty        If set, sudo will only run when the user is logged in
                         to a real tty.  When this flag is set, sudo can only be
                         run from a login session and not via other means such
                         as cron(1m) or cgi-bin scripts.  This flag is off by

       root_sudo         If set, root is allowed to run sudo too.  Disabling
                         this prevents users from "chaining" sudo commands to
                         get a root shell by doing something like "sudo sudo
                         /bin/sh".  Note, however, that turning off root_sudo
                         will also prevent root from running sudoedit.
                         Disabling root_sudo provides no real additional
                         security; it exists purely for historical reasons.
                         This flag is on by default.

       rootpw            If set, sudo will prompt for the root password instead
                         of the password of the invoking user.  This flag is off

       runaspw           If set, sudo will prompt for the password of the user
                         defined by the runas_default option (defaults to root)
                         instead of the password of the invoking user.  This
                         flag is off by default.

       set_home          If enabled and sudo is invoked with the -s option the
                         HOME environment variable will be set to the home
                         directory of the target user (which is root unless the
                         -u option is used).  This effectively makes the -s
                         option imply -H.  Note that HOME is already set when
                         the env_reset option is enabled, so set_home is
                         only effective for configurations where either
                         env_reset is disabled or HOME is present in the
                         env_keep list.  This flag is off by default.

       set_logname       Normally, sudo will set the LOGNAME, USER and USERNAME
                         environment variables to the name of the target user
                         (usually root unless the -u option is given).  However,
                         since some programs (including the RCS revision control
                         system) use LOGNAME to determine the real identity of
                         the user, it may be desirable to change this behavior.
                         This can be done by negating the set_logname option.
                         Note that if the env_reset option has not been
                         disabled, entries in the env_keep list will override
                         the value of set_logname.  This flag is on by default.
       set_utmp          When enabled, sudo will create an entry in the utmp (or
                         utmpx) file when a pseudo-tty is allocated.  A pseudo-
                         tty is allocated by sudo when the log_input, log_output
                         or use_pty flags are enabled.  By default, the new
                         entry will be a copy of the user's existing utmp entry
                         (if any), with the tty, time, type and pid fields
                         updated.  This flag is on by default.

       setenv            Allow the user to disable the env_reset option from the
                         command line via the -E option.  Additionally,
                         environment variables set via the command line are not
                         subject to the restrictions imposed by env_check,
                         env_delete, or env_keep.  As such, only trusted users
                         should be allowed to set variables in this manner.
                         This flag is off by default.

       shell_noargs      If set and sudo is invoked with no arguments it acts as
                         if the -s option had been given.  That is, it runs a
                         shell as root (the shell is determined by the SHELL
                         environment variable if it is set, falling back on the
                         shell listed in the invoking user's /etc/passwd entry
                         if not).  This flag is off by default.

       stay_setuid       Normally, when sudo executes a command the real and
                         effective UIDs are set to the target user (root by
                         default).  This option changes that behavior such that
                         the real UID is left as the invoking user's UID.  In
                         other words, this makes sudo act as a setuid wrapper.
                         This can be useful on systems that disable some
                         potentially dangerous functionality when a program is
                         run setuid.  This option is only effective on systems
                         with either the setreuid() or setresuid() function.
                         This flag is off by default.

       targetpw          If set, sudo will prompt for the password of the user
                         specified by the -u option (defaults to root) instead
                         of the password of the invoking user.  In addition, the
                         timestamp file name will include the target user's
                         name.  Note that this flag precludes the use of a uid
                         not listed in the passwd database as an argument to the
                         -u option.  This flag is off by default.

       tty_tickets       If set, users must authenticate on a per-tty basis.
                         With this flag enabled, sudo will use a file named for
                         the tty the user is logged in on in the user's time
                         stamp directory.  If disabled, the time stamp of the
                         directory is used instead.  This flag is on by default.

       umask_override    If set, sudo will set the umask as specified by sudoers
                         without modification.  This makes it possible to
                         specify a more permissive umask in sudoers than the
                         user's own umask and matches historical behavior.  If
                         umask_override is not set, sudo will set the umask to
                         be the union of the user's umask and what is specified
                         in sudoers.  This flag is off by default.

       use_loginclass    If set, sudo will apply the defaults specified for the
                         target user's login class if one exists.  Only
                         available if sudo is configured with the
                         --with-logincap option.  This flag is off by default.

       use_pty           If set, sudo will run the command in a pseudo-pty even
                         if no I/O logging is being done.  A malicious program
                         run under sudo could conceivably fork a background
                         process that retains access to the user's terminal
                         device after the main program has finished executing.
                         Use of this option will make that impossible.  This
                         flag is off by default.

       utmp_runas        If set, sudo will store the name of the runas user when
                         updating the utmp (or utmpx) file.  By default, sudo
                         stores the name of the invoking user.  This flag is off

       visiblepw         By default, sudo will refuse to run if the user must
                         enter a password but it is not possible to disable echo
                         on the terminal.  If the visiblepw flag is set, sudo
                         will prompt for a password even when it would be
                         visible on the screen.  This makes it possible to run
                         things like "rsh somehost sudo ls" since rsh(1) does
                         not allocate a tty.  This flag is off by default.
   Integers:

       closefrom         Before it executes a command, sudo will close all open
                         file descriptors other than standard input, standard
                         output and standard error (i.e., file descriptors 0-2).
                         The closefrom option can be used to specify a different
                         file descriptor at which to start closing.  The default

       passwd_tries      The number of tries a user gets to enter his/her
                         password before sudo logs the failure and exits.  The

   Integers that can be used in a boolean context:

       loglinelen        Number of characters per line for the file log.  This
                         value is used to decide when to wrap lines for nicer
                         log files.  This has no effect on the syslog log file,
                         only the file log.  The default is 80 (use 0 or negate
                         the option to disable word wrap).

       passwd_timeout    Number of minutes before the sudo password prompt times
                         out, or 0 for no timeout.  The timeout may include a
                         fractional component if minute granularity is
                         insufficient, for example 2.5.  The default is 5.

                         Number of minutes that can elapse before sudo will ask
                         for a password again.  The timeout may include a
                         fractional component if minute granularity is
                         insufficient, for example 2.5.  The default is 5.  Set
                         this to 0 to always prompt for a password.  If set to a
                         value less than 0 the user's timestamp will never
                         expire.  This can be used to allow users to create or
                         delete their own timestamps via sudo -v and sudo -k

       umask             Umask to use when running the command.  Negate this
                         option or set it to 0777 to preserve the user's umask.
                         The actual umask that is used will be the union of the
                         user's umask and the value of the umask option, which
                         defaults to 0022.  This guarantees that sudo never
                         lowers the umask when running a command.  Note on
                         systems that use PAM, the default PAM configuration may
                         specify its own umask which will override the value set
                         in sudoers.
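                         The interaction of the umask option with the
                         umask_override flag (described under Boolean Flags
                         above), as an added example; this is not the sudo
                         project's code, and the function names are mine.  It
                         models the three cases the text gives: the option
                         negated or set to 0777 (user's umask preserved), the
                         union when umask_override is off, and the sudoers
                         value taken as written when it is on.

```python
# Sentinel from the manual: a umask option of 0777 (or a negated option)
# leaves the user's umask untouched.
UMASK_DISABLED = 0o777


def effective_umask(user_umask, sudoers_umask=0o022, umask_override=False):
    """Umask the command runs with.

    user_umask     - the invoking user's umask (e.g. 0o002)
    sudoers_umask  - the Defaults umask value; None models "Defaults !umask"
    umask_override - the umask_override flag
    """
    if sudoers_umask is None or sudoers_umask == UMASK_DISABLED:
        return user_umask                  # option negated or 0777: preserved
    if umask_override:
        return sudoers_umask               # used as written, even if looser
    return user_umask | sudoers_umask      # union: sudo never lowers the umask


def mode_for_new_file(umask, requested=0o666):
    """Permission bits a command ends up with when it creates a file asking
    for the given mode (0o666 is what most programs request)."""
    return requested & ~umask & 0o777


if __name__ == "__main__":
    for user, sudoers, override in [(0o002, 0o022, False), (0o077, 0o022, False),
                                    (0o077, 0o002, True), (0o077, 0o777, True)]:
        mask = effective_umask(user, sudoers, override)
        print(f"user {user:04o} sudoers {sudoers:04o} override={override!s:5} "
              f"-> umask {mask:04o}, new file {mode_for_new_file(mask):04o}")
```

                         The last case in the usage loop is the one worth
                         remembering when reviewing a configuration: with
                         umask_override on and a permissive sudoers umask, a
                         user whose own umask is 0077 creates group- and
                         world-readable files under sudo.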
   Strings:

       badpass_message   Message that is displayed if a user enters an incorrect
                         password.  The default is Sorry, try again. unless
                         insults are enabled.

       editor            A colon (':') separated list of editors allowed to be
                         used with visudo.  visudo will choose the editor that
                         matches the user's EDITOR environment variable if
                         possible, or the first editor in the list that exists
                         and is executable.  The default is "vi".

       iolog_dir         The top-level directory to use when constructing the
                         path name for the input/output log directory.  Only
                         used if the log_input or log_output options are enabled
                         or when the LOG_INPUT or LOG_OUTPUT tags are present
                         for a command.  The session sequence number, if any, is
                         stored in the directory.  The default is

                         The following percent (`%') escape sequences are

                                expanded to a monotonically increasing base-36
                                sequence number, such as 0100A5, where every two
                                digits are used to form a new directory, e.g.
                                01/00/A5

                                expanded to the invoking user's login name

                                expanded to the name of the invoking user's real

                                expanded to the login name of the user the command
                                will be run as (e.g. root)

                                expanded to the group name of the user the command
                                will be run as (e.g. wheel)

                                expanded to the local host name without the domain

                                expanded to the base name of the command being run

                         In addition, any escape sequences supported by the
                         system's strftime() function will be expanded.

                         To include a literal `%' character, the string `%%'

                         Path names that end in six or more Xs will have the Xs
                         replaced with a unique combination of digits and
                         letters, similar to the mktemp() function.

       iolog_file        The path name, relative to iolog_dir, in which to store
                         input/output logs when the log_input or log_output
                         options are enabled or when the LOG_INPUT or LOG_OUTPUT
                         tags are present for a command.  Note that iolog_file
                         may contain directory components.  The default is

                         See the iolog_dir option above for a list of supported
                         percent (`%') escape sequences.
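                         The session-ID arithmetic behind the iolog_dir and
                         iolog_file descriptions, as an added example that is
                         not code from the sudo project.  It converts the
                         sequence number to the six-character base-36 session
                         ID, splits it two characters per directory level as
                         the text shows for 0100A5, and, for an investigator
                         reading the sudo log, maps the TSID= field of a log
                         line (a constructed sample below) to the directory
                         that holds that session's I/O log.  Treating the
                         split session ID as the path under iolog_dir assumes
                         the default iolog_file layout, which is not shown on
                         this page.

```python
import re
import string

BASE36_DIGITS = string.digits + string.ascii_uppercase

# Constructed sudo log line (not from a real host), in the shape the
# log_input/log_output text describes: the session ID is prefixed TSID=.
SAMPLE_LOG_LINE = (
    "Jul  1 12:00:00 db01 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; "
    "USER=root ; TSID=0100A5 ; COMMAND=/usr/bin/less /var/log/auth.log"
)

_TSID = re.compile(r"\bTSID=([0-9A-Za-z]{6})\b")


def seq_to_session_id(seq, width=6):
    """Monotonic sequence number -> zero-padded base-36 session ID."""
    if seq < 0:
        raise ValueError("sequence number must be non-negative")
    digits = ""
    while seq:
        seq, rem = divmod(seq, 36)
        digits = BASE36_DIGITS[rem] + digits
    return digits.rjust(width, "0")


def session_id_to_seq(session_id):
    """Inverse of seq_to_session_id; int() accepts base 36, any case."""
    return int(session_id, 36)


def session_id_to_subdir(session_id):
    """0100A5 -> 01/00/A5: every two characters form one directory level."""
    sid = session_id.upper()
    if len(sid) % 2:
        raise ValueError("session ID length must be even")
    return "/".join(sid[i:i + 2] for i in range(0, len(sid), 2))


def iolog_dir_for_log_line(line, iolog_dir="/var/log/sudo-io"):
    """Directory holding the I/O log for the session named in a sudo log
    line, or None when the line carries no TSID (no I/O logging)."""
    match = _TSID.search(line)
    if not match:
        return None
    return f"{iolog_dir}/{session_id_to_subdir(match.group(1))}"


if __name__ == "__main__":
    print(seq_to_session_id(1679981), session_id_to_seq("0100A5"))
    print(iolog_dir_for_log_line(SAMPLE_LOG_LINE))
```

                         The base-36 encoding is why the session IDs in the
                         log do not sort numerically as text past the first
                         36 sessions at each position; convert with
                         session_id_to_seq() before comparing or counting
                         sessions in a log review.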
       mailsub           Subject of the mail sent to the mailto user.  The escape
                         %h will expand to the host name of the machine.
                         Default is *** SECURITY information for %h ***.

       noexec_file       This option is deprecated and will be removed in a
                         future release of sudo.  The path to the noexec file
                         should now be set in the /etc/sudo.conf file.

       passprompt        The default prompt to use when asking for a password;
                         can be overridden via the -p option or the SUDO_PROMPT
                         environment variable.  The following percent (`%')
                         escape sequences are supported:

                         %H  expanded to the local host name including the
                             domain name (only if the machine's host name is
                             fully qualified or the fqdn option is set)

                         %h  expanded to the local host name without the domain

                         %p  expanded to the user whose password is being asked
                             for (respects the rootpw, targetpw and runaspw
                             flags in sudoers)

                         %U  expanded to the login name of the user the command
                             will be run as (defaults to root)

                         %u  expanded to the invoking user's login name

                         %%  two consecutive % characters are collapsed into a

                         The default value is Password:.
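                         The passprompt escape expansion above, as an added
                         example (not sudo's own implementation; function and
                         parameter names are mine).  It resolves %p from the
                         rootpw, targetpw and runaspw flags and then expands
                         the prompt left to right, which is what makes %% a
                         single literal character rather than a second pass
                         over the output.  Two points are assumptions because
                         the page does not state them: the precedence when
                         more than one of the three flags is set (rootpw, then
                         runaspw, then targetpw here), and that unknown
                         escapes and a trailing lone % are copied through.
                         The host name is taken as the caller supplies it;
                         the DNS lookup the fqdn flag triggers is outside this
                         example, so %H includes a domain only if the supplied
                         name has one.

```python
def password_user(invoking_user, runas_user, runas_default="root",
                  rootpw=False, targetpw=False, runaspw=False):
    """The account whose password %p names.

    Precedence among the flags is an assumption of this example:
    rootpw, then runaspw, then targetpw; with none set, the invoking
    user authenticates with their own password.
    """
    if rootpw:
        return "root"
    if runaspw:
        return runas_default
    if targetpw:
        return runas_user
    return invoking_user


def expand_passprompt(prompt, *, invoking_user, runas_user, pw_user, hostname):
    """Expand %H, %h, %p, %U, %u and %% in a single left-to-right pass."""
    out = []
    i = 0
    while i < len(prompt):
        ch = prompt[i]
        if ch != "%" or i + 1 == len(prompt):
            out.append(ch)                      # ordinary char or trailing '%'
            i += 1
            continue
        esc = prompt[i + 1]
        if esc == "H":
            out.append(hostname)                # as supplied; see lead-in
        elif esc == "h":
            out.append(hostname.split(".", 1)[0])
        elif esc == "p":
            out.append(pw_user)
        elif esc == "U":
            out.append(runas_user)
        elif esc == "u":
            out.append(invoking_user)
        elif esc == "%":
            out.append("%")
        else:
            out.append("%" + esc)               # unknown escape: copied through
        i += 2
    return "".join(out)


def render_prompt(prompt, invoking_user, runas_user, hostname, **flags):
    """Derive %p from the password flags, then expand the prompt."""
    pw_user = password_user(invoking_user, runas_user, **flags)
    return expand_passprompt(prompt, invoking_user=invoking_user,
                             runas_user=runas_user, pw_user=pw_user,
                             hostname=hostname)


if __name__ == "__main__":
    print(render_prompt("[sudo] password for %p@%h: ", "alice", "root",
                        "db01.example.com"))
    print(render_prompt("%u as %U on %H (%p): ", "alice", "postgres",
                        "db01.example.com", targetpw=True))
```

                         A prompt that shows %p is worth keeping in
                         configurations that enable targetpw or runaspw:
                         it tells the user which credential is being
                         requested instead of leaving them to guess.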
1119 role The default SELinux role to use when constructing a new
1120 security context to run the command. The default role
1121 may be overridden on a per-command basis in _
\bs_
\bu_
\bd_
\bo_
\be_
\br_
\bs or
1122 via command line options. This option is only
1123 available whe s
\bsu
\bud
\bdo
\bo is built with SELinux support.
1125 runas_default The default user to run commands as if the -
\b-u
\bu option is
1126 not specified on the command line. This defaults to
1129 syslog_badpri Syslog priority to use when user authenticates
1130 unsuccessfully. Defaults to alert.
1132 The following syslog priorities are supported: a
\bal
\ble
\ber
\brt
\bt,
1133 c
\bcr
\bri
\bit
\bt, d
\bde
\beb
\bbu
\bug
\bg, e
\bem
\bme
\ber
\brg
\bg, e
\ber
\brr
\br, i
\bin
\bnf
\bfo
\bo, n
\bno
\bot
\bti
\bic
\bce
\be, and w
\bwa
\bar
\brn
\bni
\bin
\bng
\bg.
1135 syslog_goodpri Syslog priority to use when user authenticates
1136 successfully. Defaults to notice.
1138 See syslog_badpri for the list of supported syslog
1141 sudoers_locale Locale to use when parsing the sudoers file, logging
1142 commands, and sending email. Note that changing the
1143 locale may affect how sudoers is interpreted. Defaults
1146 timestampdir The directory in which s
\bsu
\bud
\bdo
\bo stores its timestamp files.
1147 The default is _
\b/_
\bv_
\ba_
\br_
\b/_
\ba_
\bd_
\bm_
\b/_
\bs_
\bu_
\bd_
\bo.
1149 timestampowner The owner of the timestamp directory and the timestamps
1150 stored therein. The default is root.
1152 type The default SELinux type to use when constructing a new
1153 security context to run the command. The default type
1154 may be overridden on a per-command basis in _
\bs_
\bu_
\bd_
\bo_
\be_
\br_
\bs or
1155 via command line options. This option is only
1156 available whe s
\bsu
\bud
\bdo
\bo is built with SELinux support.
1158 S
\bSt
\btr
\bri
\bin
\bng
\bgs
\bs t
\bth
\bha
\bat
\bt c
\bca
\ban
\bn b
\bbe
\be u
\bus
\bse
\bed
\bd i
\bin
\bn a
\ba b
\bbo
\boo
\bol
\ble
\bea
\ban
\bn c
\bco
\bon
\bnt
\bte
\bex
\bxt
\bt:
1160 env_file The _
\be_
\bn_
\bv_
\b__
\bf_
\bi_
\bl_
\be options specifies the fully qualified path to
1161 a file containing variables to be set in the environment of
1162 the program being run. Entries in this file should either
1163 be of the form VARIABLE=value or export VARIABLE=value.
1164 The value may optionally be surrounded by single or double
1165 quotes. Variables in this file are subject to other s
\bsu
\bud
\bdo
\bo
1166 environment settings such as _
\be_
\bn_
\bv_
\b__
\bk_
\be_
\be_
\bp and _
\be_
\bn_
\bv_
\b__
\bc_
\bh_
\be_
\bc_
\bk.
1169 Users in this group are exempt from password and PATH
1170 requirements. The group name specified should not include
1171 a % prefix. This is not set by default.
1174 A string containing a _
\bs_
\bu_
\bd_
\bo_
\be_
\br_
\bs group plugin with optional
1175 arguments. This can be used to implement support for the
1176 nonunix_group syntax described earlier. The string should
1177 consist of the plugin path, either fully-qualified or
1178 relative to the _
\b/_
\bu_
\bs_
\br_
\b/_
\bl_
\bo_
\bc_
\ba_
\bl_
\b/_
\bl_
\bi_
\bb_
\be_
\bx_
\be_
\bc directory, followed by
1179 any configuration arguments the plugin requires. These
1180 arguments (if any) will be passed to the plugin's
1181 initialization function. If arguments are present, the
1182 string must be enclosed in double quotes (").
1184 For example, given _
\b/_
\be_
\bt_
\bc_
\b/_
\bs_
\bu_
\bd_
\bo_
\b-_
\bg_
\br_
\bo_
\bu_
\bp, a group file in Unix
1185 group format, the sample group plugin can be used:
1187 Defaults group_plugin="sample_group.so /etc/sudo-group"
1189 For more information see _
\bs_
\bu_
\bd_
\bo_
\b__
\bp_
\bl_
\bu_
\bg_
\bi_
\bn(4).
1191 lecture This option controls when a short lecture will be printed
1192 along with the password prompt. It has the following
1195 always Always lecture the user.
1197 never Never lecture the user.
1199 once Only lecture the user the first time they run s
\bsu
\bud
\bdo
\bo.
1201 If no value is specified, a value of _
\bo_
\bn_
\bc_
\be is implied.
1202 Negating the option results in a value of _
\bn_
\be_
\bv_
\be_
\br being used.
1203 The default value is _
\bo_
\bn_
\bc_
\be.
1206 Path to a file containing an alternate s
\bsu
\bud
\bdo
\bo lecture that
1207 will be used in place of the standard lecture if the named
1208 file exists. By default, s
\bsu
\bud
\bdo
\bo uses a built-in lecture.
     listpw  This option controls when a password will be required when
             a user runs sudo with the -l option.  It has the following
             values:

             all     All the user's sudoers entries for the current host
                     must have the NOPASSWD flag set to avoid entering a
                     password.

             always  The user must always enter a password to use the -l
                     option.

             any     At least one of the user's sudoers entries for the
                     current host must have the NOPASSWD flag set to
                     avoid entering a password.

             never   The user need never enter a password to use the -l
                     option.

             If no value is specified, a value of any is implied.
             Negating the option results in a value of never being used.
             The default value is any.
     logfile     Path to the sudo log file (not the syslog log file).
                 Setting a path turns on logging to a file; negating this
                 option turns it off.  By default, sudo logs via syslog.

     mailerflags Flags to use when invoking mailer.  Defaults to -t.

     mailerpath  Path to mail program used to send warning mail.  Defaults
                 to the path to sendmail found at configure time.

     mailfrom    Address to use for the "from" address when sending warning
                 and error mail.  The address should be enclosed in double
                 quotes (") to protect against sudo interpreting the @ sign.
                 Defaults to the name of the user running sudo.

     mailto      Address to send warning and error mail to.  The address
                 should be enclosed in double quotes (") to protect against
                 sudo interpreting the @ sign.  Defaults to root.

     secure_path Path used for every command run from sudo.  If you don't
                 trust the people running sudo to have a sane PATH
                 environment variable you may want to use this.  Another use
                 is if you want to have the "root path" be separate from the
                 "user path."  Users in the group specified by the
                 exempt_group option are not affected by secure_path.  This
                 option is not set by default.
     syslog      Syslog facility if syslog is being used for logging (negate
                 to disable syslog logging).  Defaults to auth.

                 The following syslog facilities are supported: authpriv (if
                 your OS supports it), auth, daemon, user, local0, local1,
                 local2, local3, local4, local5, local6, and local7.
     verifypw    This option controls when a password will be required when
                 a user runs sudo with the -v option.  It has the following
                 values:

                 all     All the user's sudoers entries for the current host
                         must have the NOPASSWD flag set to avoid entering a
                         password.

                 always  The user must always enter a password to use the -v
                         option.

                 any     At least one of the user's sudoers entries for the
                         current host must have the NOPASSWD flag set to
                         avoid entering a password.

                 never   The user need never enter a password to use the -v
                         option.

                 If no value is specified, a value of all is implied.
                 Negating the option results in a value of never being used.
                 The default value is all.
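The listpw and verifypw decision, as an added Python model (example code, not sudo's own): it reads the two Defaults options, including the implied and negated forms, and applies the chosen value to a user's entries, which are assumed here to be (host, NOPASSWD) pairs where host is either a host name or ALL.

```python
import re

# Default value of each option; it is also the value implied when the option
# is given with no argument, and negating either option yields "never".
DEFAULTS = {"listpw": "any", "verifypw": "all"}
VALUES = {"all", "always", "any", "never"}

_RE = re.compile(r"^\s*Defaults\s+(!?)(listpw|verifypw)(?:\s*=\s*(\w+))?\s*$")


def parse_defaults(lines):
    """Collect listpw/verifypw settings from Defaults lines; other lines are ignored."""
    settings = dict(DEFAULTS)
    for line in lines:
        m = _RE.match(line)
        if not m:
            continue
        neg, name, value = m.groups()
        if neg:
            settings[name] = "never"          # "Defaults !listpw"
        elif value is None:
            settings[name] = DEFAULTS[name]   # "Defaults listpw" -> implied value
        elif value in VALUES:
            settings[name] = value
        else:
            raise ValueError(f"bad value for {name}: {value!r}")
    return settings


def password_required(mode, entries, host):
    """Apply one mode to the user's entries, each a (host, nopasswd) pair.

    Only entries for the current host (or ALL) count.  With no matching entry
    this model assumes a password is required; the text does not cover that case.
    """
    if mode == "always":
        return True
    if mode == "never":
        return False
    flags = [nopasswd for entry_host, nopasswd in entries
             if entry_host in ("ALL", host)]
    if not flags:
        return True  # assumption, see docstring
    if mode == "all":
        return not all(flags)   # every entry must carry NOPASSWD
    if mode == "any":
        return not any(flags)   # one NOPASSWD entry is enough
    raise ValueError(f"unknown mode {mode!r}")


def needs_password(option, defaults_lines, entries, host):
    """option is "listpw" (for sudo -l) or "verifypw" (for sudo -v)."""
    mode = parse_defaults(defaults_lines)[option]
    return password_required(mode, entries, host)


# Constructed entries for one user: NOPASSWD everywhere, but a second entry
# on host "mail" that still requires a password.
ENTRIES = [("ALL", True), ("mail", False)]

if __name__ == "__main__":
    for host in ("www", "mail"):
        print(host, "-l:", needs_password("listpw", [], ENTRIES, host),
              "-v:", needs_password("verifypw", [], ENTRIES, host))
```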
     Lists that can be used in a boolean context:
     env_check       Environment variables to be removed from the user's
                     environment if the variable's value contains % or /
                     characters.  This can be used to guard against printf-
                     style format vulnerabilities in poorly-written
                     programs.  The argument may be a double-quoted, space-
                     separated list or a single value without double-quotes.
                     The list can be replaced, added to, deleted from, or
                     disabled by using the =, +=, -=, and ! operators
                     respectively.  Regardless of whether the env_reset
                     option is enabled or disabled, variables specified by
                     env_check will be preserved in the environment if they
                     pass the aforementioned check.  The default list of
                     environment variables to check is displayed when sudo
                     is run by root with the -V option.

     env_delete      Environment variables to be removed from the user's
                     environment when the env_reset option is not in effect.
                     The argument may be a double-quoted, space-separated
                     list or a single value without double-quotes.  The list
                     can be replaced, added to, deleted from, or disabled by
                     using the =, +=, -=, and ! operators respectively.  The
                     default list of environment variables to remove is
                     displayed when sudo is run by root with the -V option.
                     Note that many operating systems will remove
                     potentially dangerous variables from the environment of
                     any setuid process (such as sudo).

     env_keep        Environment variables to be preserved in the user's
                     environment when the env_reset option is in effect.
                     This allows fine-grained control over the environment
                     sudo-spawned processes will receive.  The argument may
                     be a double-quoted, space-separated list or a single
                     value without double-quotes.  The list can be replaced,
                     added to, deleted from, or disabled by using the =, +=,
                     -=, and ! operators respectively.  The default list of
                     variables to keep is displayed when sudo is run by root
                     with the -V option.
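To make the interaction of the three lists with env_reset concrete, here is an added Python model of the rules described for env_check, env_delete and env_keep (example code, not sudo's own implementation); the default lists and the user environment in it are constructed for illustration and are not sudo's compiled-in defaults.

```python
import re

# Constructed stand-ins for the default lists that ``sudo -V`` shows to root.
DEFAULT_LISTS = {
    "env_keep": {"COLORS", "PATH", "TERM"},
    "env_check": {"COLORTERM", "LANGUAGE", "LC_ALL"},
    "env_delete": {"BASH_ENV", "IFS", "LD_LIBRARY_PATH", "LD_PRELOAD"},
}

# Constructed user environment: LANGUAGE carries the '%' and '/' characters
# env_check rejects, LD_PRELOAD sits on the delete list, EDITOR on no list.
USER_ENV = {
    "PATH": "/usr/bin:/bin", "TERM": "xterm", "HOME": "/home/alice",
    "DISPLAY": ":0", "LC_ALL": "en_US.UTF-8", "LANGUAGE": "../%n",
    "LD_PRELOAD": "/tmp/hook.so", "EDITOR": "vi",
}

# Defaults [!]env_xxx [= | += | -=] ["]value value["]
_DEFAULTS_RE = re.compile(
    r'^\s*Defaults\s+(?P<neg>!?)(?P<name>env_\w+)'
    r'(?:\s*(?P<op>\+=|-=|=)\s*"?(?P<vals>[^"]*?)"?)?\s*$'
)


def apply_defaults(lines):
    """Fold env_* Defaults lines into (env_reset, lists) using the page's
    =, +=, -= and ! operators; env_reset starts out enabled."""
    env_reset = True
    lists = {k: set(v) for k, v in DEFAULT_LISTS.items()}
    for line in lines:
        m = _DEFAULTS_RE.match(line)
        if not m:
            raise ValueError(f"not an env Defaults line: {line!r}")
        neg, name, op, vals = m.group("neg", "name", "op", "vals")
        if name == "env_reset":
            env_reset = not neg
        elif name not in lists:
            raise ValueError(f"unknown option {name!r}")
        elif neg:
            lists[name] = set()  # '!' disables the whole list
        elif op == "=":
            lists[name] = set(vals.split())  # replace
        elif op == "+=":
            lists[name] |= set(vals.split())  # add to
        elif op == "-=":
            lists[name] -= set(vals.split())  # delete from
        else:
            raise ValueError(f"missing operator: {line!r}")
    return env_reset, lists


def sanitize(env, env_reset, lists):
    """Return the environment a sudo-spawned command would receive."""
    out = {}
    for name, value in env.items():
        if name in lists["env_check"]:
            # Kept whether or not env_reset is on, but only when the value
            # is free of the '%' and '/' characters env_check rejects.
            if "%" not in value and "/" not in value:
                out[name] = value
        elif env_reset:
            if name in lists["env_keep"]:
                out[name] = value
        elif name not in lists["env_delete"]:
            out[name] = value
    return out


def resulting_env(defaults_lines, env=USER_ENV):
    env_reset, lists = apply_defaults(defaults_lines)
    return sanitize(env, env_reset, lists)


if __name__ == "__main__":
    for cfg in ([], ['Defaults env_keep += "DISPLAY HOME"'], ["Defaults !env_reset"]):
        print(cfg or "(built-in defaults)", "->", sorted(resulting_env(cfg)))
```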
FILES
     /etc/sudoers            List of who can run what

     /etc/group              Local groups file

     /etc/netgroup           List of network groups

     /var/log/sudo-io        I/O log files

     /var/adm/sudo           Directory containing time stamps for the
                             sudoers security policy

     /etc/environment        Initial environment for -i mode on Linux and
EXAMPLES
     Below are example sudoers entries.  Admittedly, some of these are a bit
     contrived.  First, we allow a few environment variables to pass and
     then define our aliases:

         # Run X applications through sudo; HOME is used to find the
         # .Xauthority file.  Note that other programs use HOME to find
         # configuration files and this may lead to privilege escalation!
         Defaults env_keep += "DISPLAY HOME"

         # User alias specification
         User_Alias     FULLTIMERS = millert, mikef, dowdy
         User_Alias     PARTTIMERS = bostley, jwfox, crawl
         User_Alias     WEBMASTERS = will, wendy, wim

         # Runas alias specification
         Runas_Alias    OP = root, operator
         Runas_Alias    DB = oracle, sybase
         Runas_Alias    ADMINGRP = adm, oper

         # Host alias specification
         Host_Alias     SPARC = bigtime, eclipse, moet, anchor :\
                        SGI = grolsch, dandelion, black :\
                        ALPHA = widget, thalamus, foobar :\
                        HPPA = boa, nag, python
         Host_Alias     CUNETS = 128.138.0.0/255.255.0.0
         Host_Alias     CSNETS = 128.138.243.0, 128.138.204.0/24, 128.138.242.0
         Host_Alias     SERVERS = master, mail, www, ns
         Host_Alias     CDROM = orion, perseus, hercules

         # Cmnd alias specification
         Cmnd_Alias     DUMPS = /usr/bin/mt, /usr/sbin/dump, /usr/sbin/rdump,\
                        /usr/sbin/restore, /usr/sbin/rrestore
         Cmnd_Alias     KILL = /usr/bin/kill
         Cmnd_Alias     PRINTING = /usr/sbin/lpc, /usr/bin/lprm
         Cmnd_Alias     SHUTDOWN = /usr/sbin/shutdown
         Cmnd_Alias     HALT = /usr/sbin/halt
         Cmnd_Alias     REBOOT = /usr/sbin/reboot
         Cmnd_Alias     SHELLS = /usr/bin/sh, /usr/bin/csh, /usr/bin/ksh, \
                        /usr/local/bin/tcsh, /usr/bin/rsh
         Cmnd_Alias     SU = /usr/bin/su
         Cmnd_Alias     PAGERS = /usr/bin/more, /usr/bin/pg, /usr/bin/less
     Here we override some of the compiled-in default values.  We want sudo
     to log via syslog(3) using the auth facility in all cases.  We don't
     want to subject the full time staff to the sudo lecture, user millert
     need not give a password, and we don't want to reset the LOGNAME, USER
     or USERNAME environment variables when running commands as root.
     Additionally, on the machines in the SERVERS Host_Alias, we keep an
     additional local log file and make sure we log the year in each log
     line since the log entries will be kept around for several years.
     Lastly, we disable shell escapes for the commands in the PAGERS
     Cmnd_Alias (/usr/bin/more, /usr/bin/pg and /usr/bin/less).

         # Override built-in defaults
         Defaults               syslog=auth
         Defaults>root          !set_logname
         Defaults:FULLTIMERS    !lecture
         Defaults:millert       !authenticate
         Defaults@SERVERS       log_year, logfile=/var/log/sudo.log
         Defaults!PAGERS        noexec
     The User specification is the part that actually determines who may run
     what:

         root           ALL = (ALL) ALL
         %wheel         ALL = (ALL) ALL

     We let root and any user in group wheel run any command on any host as
     any user.

         FULLTIMERS     ALL = NOPASSWD: ALL

     Full time sysadmins (millert, mikef, and dowdy) may run any command on
     any host without authenticating themselves.

         PARTTIMERS     ALL = ALL

     Part time sysadmins (bostley, jwfox, and crawl) may run any command on
     any host but they must authenticate themselves first (since the entry
     lacks the NOPASSWD tag).
     The user jack may run any command on the machines in the CSNETS alias
     (the networks 128.138.243.0, 128.138.204.0, and 128.138.242.0).  Of
     those networks, only 128.138.204.0 has an explicit netmask (in CIDR
     notation) indicating it is a class C network.  For the other networks
     in CSNETS, the local machine's netmask will be used during matching.

     The user lisa may run any command on any host in the CUNETS alias (the
     class B network 128.138.0.0).
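An added Python check of the netmask rule just described (example code, not sudo's host matcher): a member written with a CIDR prefix or netmask uses that mask, while a bare address takes the local machine's netmask, so whether a host such as 128.138.243.200 falls inside CSNETS depends on the netmask of the machine evaluating the policy.

```python
import ipaddress

# The two network Host_Aliases from the examples above.
CSNETS = ["128.138.243.0", "128.138.204.0/24", "128.138.242.0"]
CUNETS = ["128.138.0.0/255.255.0.0"]


def host_alias_networks(entries, local_netmask):
    """Turn alias members into networks.  An explicit prefix or netmask is
    honoured; a bare address is completed with the local machine's netmask."""
    nets = []
    for entry in entries:
        if "/" in entry:
            nets.append(ipaddress.ip_network(entry, strict=False))
        else:
            nets.append(ipaddress.ip_network(f"{entry}/{local_netmask}",
                                             strict=False))
    return nets


def host_matches(entries, host_ip, local_netmask):
    """True when host_ip lies in any network of the alias."""
    addr = ipaddress.ip_address(host_ip)
    return any(addr in net for net in host_alias_networks(entries, local_netmask))


if __name__ == "__main__":
    # Same host, two different local netmasks: only the bare members move.
    for mask in ("255.255.255.0", "255.255.255.128"):
        print(mask, host_matches(CSNETS, "128.138.243.200", mask),
              host_matches(CSNETS, "128.138.204.200", mask))
```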
         operator       ALL = DUMPS, KILL, SHUTDOWN, HALT, REBOOT, PRINTING,\
                        sudoedit /etc/printcap, /usr/oper/bin/

     The operator user may run commands limited to simple maintenance.
     Here, those are commands related to backups, killing processes, the
     printing system, shutting down the system, and any commands in the
     directory /usr/oper/bin/.
         joe            ALL = /usr/bin/su operator

     The user joe may only su(1) to operator.
         pete           HPPA = /usr/bin/passwd [A-Za-z]*, !/usr/bin/passwd root

         %opers         ALL = (: ADMINGRP) /usr/sbin/

     Users in the opers group may run commands in /usr/sbin/ as themselves
     with any group in the ADMINGRP Runas_Alias (the adm and oper groups).

     The user pete is allowed to change anyone's password except for root on
     the HPPA machines.  Note that this assumes passwd(1) does not take
     multiple user names on the command line.
         bob            SPARC = (OP) ALL : SGI = (OP) ALL

     The user bob may run anything on the SPARC and SGI machines as any user
     listed in the OP Runas_Alias (root and operator).
     The user jim may run any command on machines in the biglab netgroup.
     sudo knows that "biglab" is a netgroup due to the '+' prefix.

         +secretaries   ALL = PRINTING, /usr/bin/adduser, /usr/bin/rmuser

     Users in the secretaries netgroup need to help manage the printers as
     well as add and remove users, so they are allowed to run those commands
     on all machines.

         fred           ALL = (DB) NOPASSWD: ALL

     The user fred can run commands as any user in the DB Runas_Alias
     (oracle or sybase) without giving a password.
         john           ALPHA = /usr/bin/su [!-]*, !/usr/bin/su *root*

     On the ALPHA machines, user john may su to anyone except root but he is
     not allowed to specify any options to the su(1) command.
         jen            ALL, !SERVERS = ALL

     The user jen may run any command on any machine except for those in the
     SERVERS Host_Alias (master, mail, www and ns).
         jill           SERVERS = /usr/bin/, !SU, !SHELLS

     For any machine in the SERVERS Host_Alias, jill may run any commands in
     the directory /usr/bin/ except for those commands belonging to the SU
     and SHELLS Cmnd_Aliases.
         steve          CSNETS = (operator) /usr/local/op_commands/

     The user steve may run any command in the directory
     /usr/local/op_commands/ but only as user operator.
         matt           valkyrie = KILL

     On his personal workstation, valkyrie, matt needs to be able to kill
     processes.
         WEBMASTERS     www = (www) ALL, (root) /usr/bin/su www

     On the host www, any user in the WEBMASTERS User_Alias (will, wendy,
     and wim), may run any command as user www (which owns the web pages) or
     simply su(1) to www.

         ALL            CDROM = NOPASSWD: /sbin/umount /CDROM,\
                        /sbin/mount -o nosuid\,nodev /dev/cd0a /CDROM

     Any user may mount or unmount a CD-ROM on the machines in the CDROM
     Host_Alias (orion, perseus, hercules) without entering a password.
     This is a bit tedious for users to type, so it is a prime candidate for
     encapsulating in a shell script.
SECURITY NOTES
     It is generally not effective to "subtract" commands from ALL using the
     '!' operator.  A user can trivially circumvent this by copying the
     desired command to a different name and then executing that.  For
     example:

         bill           ALL = ALL, !SU, !SHELLS

     Doesn't really prevent bill from running the commands listed in SU or
     SHELLS since he can simply copy those commands to a different name, or
     use a shell escape from an editor or other program.  Therefore, this
     kind of restriction should be considered advisory at best (and
     reinforced by policy).
     Furthermore, if the fast_glob option is in use, it is not possible to
     reliably negate commands where the path name includes globbing (aka
     wildcard) characters.  This is because the C library's fnmatch(3)
     function cannot resolve relative paths.  While this is typically only
     an inconvenience for rules that grant privileges, it can result in a
     security issue for rules that subtract or revoke privileges.

     For example, given the following sudoers entry:

         john   ALL = /usr/bin/passwd [a-zA-Z0-9]*, /usr/bin/chsh [a-zA-Z0-9]*,
                      /usr/bin/chfn [a-zA-Z0-9]*, !/usr/bin/* root

     User john can still run /usr/bin/passwd root if fast_glob is enabled by
     changing to /usr/bin and running ./passwd root instead.
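An added Python model of why the negation above fails under fast_glob and holds when fast_glob is left disabled (the default); this is example code, not sudo's matcher. It splits each rule into the path and argument parts the way the sudoers grammar does, and resolve() stands in for the comparison against the real file that a literal path receives, so no filesystem is touched.

```python
import fnmatch
import os.path

# The john entry from the text as (negated, path_pattern, args_pattern).
JOHN_RULES = [
    (False, "/usr/bin/passwd", "[a-zA-Z0-9]*"),
    (False, "/usr/bin/chsh", "[a-zA-Z0-9]*"),
    (False, "/usr/bin/chfn", "[a-zA-Z0-9]*"),
    (True, "/usr/bin/*", "root"),
]


def has_meta(pattern):
    """True when the path part contains globbing characters."""
    return any(c in pattern for c in "*?[]")


def resolve(path, cwd):
    """Canonicalize a relative command path against the caller's cwd.

    Stand-in for the file comparison a literal rule gets, so the example
    needs no filesystem and runs anywhere.
    """
    if path.startswith("/"):
        return path
    return os.path.normpath(os.path.join(cwd, path))


def path_matches(rule_path, typed_path, cwd, fast_glob):
    if not has_meta(rule_path):
        # A literal path names one file; compare against what was really run.
        return resolve(typed_path, cwd) == rule_path
    if fast_glob:
        # fast_glob: fnmatch(3) against the path exactly as typed, so a
        # relative "./passwd" can never match "/usr/bin/*".
        return fnmatch.fnmatchcase(typed_path, rule_path)
    # Without fast_glob the pattern is expanded against the filesystem and
    # each candidate compared with the real file; modelled by canonicalizing.
    return fnmatch.fnmatchcase(resolve(typed_path, cwd), rule_path)


def allowed(argv, cwd, rules, fast_glob):
    """Last matching rule wins; a negated match denies; no match denies."""
    decision = False
    for negated, rule_path, rule_args in rules:
        if (path_matches(rule_path, argv[0], cwd, fast_glob)
                and fnmatch.fnmatchcase(" ".join(argv[1:]), rule_args)):
            decision = not negated
    return decision


if __name__ == "__main__":
    for fg in (True, False):
        print("fast_glob", fg,
              allowed(["/usr/bin/passwd", "root"], "/home/john", JOHN_RULES, fg),
              allowed(["./passwd", "root"], "/usr/bin", JOHN_RULES, fg))
```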
PREVENTING SHELL ESCAPES
     Once sudo executes a program, that program is free to do whatever it
     pleases, including run other programs.  This can be a security issue
     since it is not uncommon for a program to allow shell escapes, which
     lets a user bypass sudo's access control and logging.  Common programs
     that permit shell escapes include shells (obviously), editors,
     paginators, mail and terminal programs.

     There are two basic approaches to this problem:

     restrict  Avoid giving users access to commands that allow the user to
               run arbitrary commands.  Many editors have a restricted mode
               where shell escapes are disabled, though sudoedit is a better
               solution to running editors via sudo.  Due to the large
               number of programs that offer shell escapes, restricting
               users to the set of programs that do not is often unworkable.

     noexec    Many systems that support shared libraries have the ability
               to override default library functions by pointing an
               environment variable (usually LD_PRELOAD) to an alternate
               shared library.  On such systems, sudo's noexec functionality
               can be used to prevent a program run by sudo from executing
               any other programs.  Note, however, that this applies only to
               native dynamically-linked executables.  Statically-linked
               executables and foreign executables running under binary
               emulation are not affected.
               The noexec feature is known to work on SunOS, Solaris, *BSD,
               Linux, IRIX, Tru64 UNIX, MacOS X, HP-UX 11.x and AIX 5.3 and
               above.  It should be supported on most operating systems that
               support the LD_PRELOAD environment variable.  Check your
               operating system's manual pages for the dynamic linker
               (usually ld.so, ld.so.1, dyld, dld.sl, rld, or loader) to see
               if LD_PRELOAD is supported.

               On Solaris 10 and higher, noexec uses Solaris privileges
               instead of the LD_PRELOAD environment variable.

               To enable noexec for a command, use the NOEXEC tag as
               documented in the User Specification section above.  Here is
               an example:

                   aaron          shanty = NOEXEC: /usr/bin/more, /usr/bin/vi

               This allows user aaron to run /usr/bin/more and /usr/bin/vi
               with noexec enabled.  This will prevent those two commands
               from executing other commands (such as a shell).  If you are
               unsure whether or not your system is capable of supporting
               noexec you can always just try it out and check whether shell
               escapes work when noexec is enabled.

     Note that restricting shell escapes is not a panacea.  Programs running
     as root are still capable of many potentially hazardous operations
     (such as changing or overwriting files) that could lead to unintended
     privilege escalation.  In the specific case of an editor, a safer
     approach is to give the user permission to run sudoedit.
SECURITY NOTES
     sudoers will check the ownership of its time stamp directory
     (/var/adm/sudo by default) and ignore the directory's contents if it is
     not owned by root or if it is writable by a user other than root.  On
     systems that allow non-root users to give away files via chown(2), if
     the time stamp directory is located in a world-writable directory
     (e.g., /tmp), it is possible for a user to create the time stamp
     directory before sudo is run.  However, because sudoers checks the
     ownership and mode of the directory and its contents, the only damage
     that can be done is to "hide" files by putting them in the time stamp
     dir.  This is unlikely to happen since once the time stamp dir is owned
     by root and inaccessible by any other user, the user placing files
     there would be unable to get them back out.
     sudoers will not honor time stamps set far in the future.  Time stamps
     with a date greater than current_time + 2 * TIMEOUT will be ignored and
     sudo will log and complain.  This is done to keep a user from creating
     his/her own time stamp with a bogus date on systems that allow users to
     give away files if the time stamp directory is located in a world-
     writable directory.

     On systems where the boot time is available, sudoers will ignore time
     stamps that date from before the machine booted.
     Since time stamp files live in the file system, they can outlive a
     user's login session.  As a result, a user may be able to log in, run a
     command with sudo after authenticating, log out, log in again, and run
     sudo without authenticating so long as the time stamp file's
     modification time is within 5 minutes (or whatever the timeout is set
     to in sudoers).  When the tty_tickets option is enabled, the time stamp
     has per-tty granularity but still may outlive the user's session.  On
     Linux systems where the devpts filesystem is used, Solaris systems with
     the devices filesystem, as well as other systems that utilize a devfs
     filesystem that monotonically increases the inode number of devices as
     they are created (such as Mac OS X), sudoers is able to determine when
     a tty-based time stamp file is stale and will ignore it.
     Administrators should not rely on this feature as it is not universally
     supported.
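The time stamp checks from the preceding paragraphs (directory ownership and mode, far-future stamps, stamps older than the boot time, and the timeout window) as an added Python model; this is example code, not sudoers' own, and the stat fields are supplied as plain values so it runs without a real time stamp directory.

```python
import stat
from dataclasses import dataclass

TIMEOUT = 5 * 60  # seconds; the 5-minute figure the text quotes


@dataclass
class FileInfo:
    """The stat(2) fields the checks need, supplied by the caller."""
    uid: int
    mode: int      # permission bits only
    mtime: float


def _writable_by_others(mode):
    return bool(mode & (stat.S_IWGRP | stat.S_IWOTH))


def timestamp_dir_trusted(tsdir):
    """The directory's contents are ignored unless root owns it and nobody
    but root can write to it."""
    return tsdir.uid == 0 and not _writable_by_others(tsdir.mode)


def timestamp_status(stamp, now, boot_time=None, timeout=TIMEOUT):
    """Classify one time stamp file; anything but "valid" means re-authenticate."""
    if stamp.uid != 0 or _writable_by_others(stamp.mode):
        return "bad ownership or mode"
    if stamp.mtime > now + 2 * timeout:
        return "too far in the future"   # the case sudo logs and complains about
    if boot_time is not None and stamp.mtime < boot_time:
        return "predates boot"
    if now - stamp.mtime > timeout:
        return "expired"
    return "valid"


def must_authenticate(tsdir, stamp, now, boot_time=None, timeout=TIMEOUT):
    """True when sudoers would prompt for a password, False when the cached
    time stamp is still honoured."""
    if not timestamp_dir_trusted(tsdir):
        return True
    if stamp is None:
        return True
    return timestamp_status(stamp, now, boot_time, timeout) != "valid"


if __name__ == "__main__":
    now = 1_000_000.0
    tsdir = FileInfo(uid=0, mode=0o700, mtime=now - 86400)
    for age in (60, 1000, -400, -700):
        stamp = FileInfo(uid=0, mode=0o600, mtime=now - age)
        print(f"age {age:5d}s:", timestamp_status(stamp, now),
              "-> authenticate:", must_authenticate(tsdir, stamp, now))
```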
     If users have sudo ALL there is nothing to prevent them from creating
     their own program that gives them a root shell (or making their own
     copy of a shell) regardless of any '!' elements in the user
     specification.
SEE ALSO
     rsh(1), su(1), fnmatch(3), glob(3), mktemp(3), strftime(3),
     sudoers.ldap(4), sudo_plugin(1m), sudo(1m), visudo(1m)
CAVEATS
     The sudoers file should always be edited by the visudo command which
     locks the file and does grammatical checking.  It is imperative that
     sudoers be free of syntax errors since sudo will not run with a
     syntactically incorrect sudoers file.

     When using netgroups of machines (as opposed to users), if you store
     fully qualified host names in the netgroup (as is usually the case), you
     either need to have the machine's host name be fully qualified as
     returned by the hostname command or use the fqdn option in sudoers.
     If you feel you have found a bug in sudo, please submit a bug report at
     http://www.sudo.ws/sudo/bugs/
SUPPORT
     Limited free support is available via the sudo-users mailing list, see
     http://www.sudo.ws/mailman/listinfo/sudo-users to subscribe or search
DISCLAIMER
     sudo is provided ``AS IS'' and any express or implied warranties,
     including, but not limited to, the implied warranties of
     merchantability and fitness for a particular purpose are disclaimed.
     See the LICENSE file distributed with sudo or
     http://www.sudo.ws/sudo/license.html for complete details.
1.8.2                           August 17, 2011                      SUDOERS(4)