SUDOERS(4)                   Programmer's Manual                   SUDOERS(4)

     sudoers - default sudo security policy plugin
DESCRIPTION
     The sudoers policy plugin determines a user's sudo privileges. It is the
     default sudo policy plugin. The policy is driven by the /etc/sudoers
     file or, optionally, in LDAP. The policy format is described in detail
     in the SUDOERS FILE FORMAT section. For information on storing sudoers
     policy information in LDAP, please see sudoers.ldap(4).
   Configuring sudo.conf for sudoers
     sudo consults the sudo.conf(4) file to determine which policy and I/O
     logging plugins to load. If no sudo.conf(4) file is present, or if it
     contains no Plugin lines, sudoers will be used for policy decisions and
     I/O logging. To explicitly configure sudo.conf(4) to use the sudoers
     plugin, the following configuration can be used.

         Plugin sudoers_policy sudoers.so
         Plugin sudoers_io sudoers.so

     Starting with sudo 1.8.5, it is possible to specify optional arguments to
     the sudoers plugin in the sudo.conf(4) file. These arguments, if
     present, should be listed after the path to the plugin (i.e. after
     sudoers.so). Multiple arguments may be specified, separated by white

         Plugin sudoers_policy sudoers.so sudoers_mode=0400

     The following plugin arguments are supported:
     The ldap_conf argument can be used to override the default path to the
     ldap.conf file.

     The ldap_secret argument can be used to override the default path to the
     ldap.secret file.

     The sudoers_file argument can be used to override the default path to
     the sudoers file.

     The sudoers_uid argument can be used to override the default owner of
     the sudoers file. It should be specified as a numeric

     The sudoers_gid argument can be used to override the default group of
     the sudoers file. It must be specified as a numeric group ID (not a
     group name).

     The sudoers_mode argument can be used to override the default file mode
     for the sudoers file. It should be specified as an

     For more information on configuring sudo.conf(4), please refer to its
   Authentication and logging
     The sudoers security policy requires that most users authenticate
     themselves before they can use sudo. A password is not required if the
     invoking user is root, if the target user is the same as the invoking
     user, or if the policy has disabled authentication for the user or
     command. Unlike su(1), when sudoers requires authentication, it
     validates the invoking user's credentials, not the target user's (or
     root's) credentials. This can be changed via the rootpw, targetpw and
     runaspw flags, described later.

     If a user who is not listed in the policy tries to run a command via
     sudo, mail is sent to the proper authorities. The address used for such
     mail is configurable via the mailto Defaults entry (described later) and

     Note that mail will not be sent if an unauthorized user tries to run sudo
     with the -l or -v option. This allows users to determine for themselves
     whether or not they are allowed to use sudo.

     If sudo is run by root and the SUDO_USER environment variable is set, the
     sudoers policy will use this value to determine who the actual user is.
     This can be used by a user to log commands through sudo even when a root
     shell has been invoked. It also allows the -e option to remain useful
     even when invoked via a sudo-run script or program. Note, however, that
     the sudoers lookup is still done for root, not the user specified by

     sudoers uses time stamp files for credential caching. Once a user has
     been authenticated, the time stamp is updated and the user may then use
     sudo without a password for a short period of time (5 minutes unless
     overridden by the timeout option). By default, sudoers uses a tty-based
     time stamp which means that there is a separate time stamp for each of a
     user's login sessions. The tty_tickets option can be disabled to force
     the use of a single time stamp for all of a user's sessions.

     sudoers can log both successful and unsuccessful attempts (as well as
     errors) to syslog(3), a log file, or both. By default, sudoers will log
     via syslog(3) but this is changeable via the syslog and logfile Defaults

     sudoers also supports logging a command's input and output streams. I/O
     logging is not on by default but can be enabled using the log_input and
     log_output Defaults flags as well as the LOG_INPUT and LOG_OUTPUT command
   Command environment
     Since environment variables can influence program behavior, sudoers
     provides a means to restrict which variables from the user's environment
     are inherited by the command to be run. There are two distinct ways
     sudoers can deal with environment variables.

     By default, the env_reset option is enabled. This causes commands to be
     executed with a new, minimal environment. On AIX (and Linux systems
     without PAM), the environment is initialized with the contents of the
     /etc/environment file. On BSD systems, if the use_loginclass option is
     enabled, the environment is initialized based on the path and setenv
     settings in /etc/login.conf. The new environment contains the TERM,
     PATH, HOME, MAIL, SHELL, LOGNAME, USER, USERNAME and SUDO_* variables in
     addition to variables from the invoking process permitted by the
     env_check and env_keep options. This is effectively a whitelist for
     environment variables.

     If, however, the env_reset option is disabled, any variables not
     explicitly denied by the env_check and env_delete options are inherited
     from the invoking process. In this case, env_check and env_delete behave
     like a blacklist. Since it is not possible to blacklist all potentially
     dangerous environment variables, use of the default env_reset behavior is

     In all cases, environment variables with a value beginning with () are
     removed as they could be interpreted as bash functions. The list of
     environment variables that sudo allows or denies is contained in the
     output of ``sudo -V'' when run as root.

     Note that the dynamic linker on most operating systems will remove
     variables that can control dynamic linking from the environment of setuid
     executables, including sudo. Depending on the operating system this may
     include _RLD*, DYLD_*, LD_*, LDR_*, LIBPATH, SHLIB_PATH, and others.
     These types of variables are removed from the environment before sudo
     even begins execution and, as such, it is not possible for sudo to
     preserve

     As a special case, if sudo's -i option (initial login) is specified,
     sudoers will initialize the environment regardless of the value of
     env_reset. The DISPLAY, PATH and TERM variables remain unchanged; HOME,
     MAIL, SHELL, USER, and LOGNAME are set based on the target user. On AIX
     (and Linux systems without PAM), the contents of /etc/environment are
     also included. On BSD systems, if the use_loginclass option is enabled,
     the path and setenv variables in /etc/login.conf are also applied. All
     other environment variables are removed.

     Finally, if the env_file option is defined, any variables present in that
     file will be set to their specified values as long as they would not
     conflict with an existing environment variable.
SUDOERS FILE FORMAT
     The sudoers file is composed of two types of entries: aliases (basically
     variables) and user specifications (which specify who may run what).

     When multiple entries match for a user, they are applied in order. Where
     there are multiple matches, the last match is used (which is not
     necessarily the most specific match).

     The sudoers grammar will be described below in Extended Backus-Naur Form
     (EBNF). Don't despair if you are unfamiliar with EBNF; it is fairly
     simple, and the definitions below are annotated.

   Quick guide to EBNF
     EBNF is a concise and exact way of describing the grammar of a language.
     Each EBNF definition is made up of production rules. E.g.,

         symbol ::= definition | alternate1 | alternate2 ...

     Each production rule references others and thus makes up a grammar for
     the language. EBNF also contains the following operators, which many
     readers will recognize from regular expressions. Do not, however,
     confuse them with ``wildcard'' characters, which have different meanings.

     ?   Means that the preceding symbol (or group of symbols) is optional.
         That is, it may appear once or not at all.

     *   Means that the preceding symbol (or group of symbols) may appear

     +   Means that the preceding symbol (or group of symbols) may appear

     Parentheses may be used to group symbols together. For clarity, we will
     use single quotes ('') to designate what is a verbatim character string
     (as opposed to a symbol name).
   Aliases
     There are four kinds of aliases: User_Alias, Runas_Alias, Host_Alias and

         Alias ::= 'User_Alias'  User_Alias (':' User_Alias)* |
                   'Runas_Alias' Runas_Alias (':' Runas_Alias)* |
                   'Host_Alias'  Host_Alias (':' Host_Alias)* |
                   'Cmnd_Alias'  Cmnd_Alias (':' Cmnd_Alias)*

         User_Alias ::= NAME '=' User_List

         Runas_Alias ::= NAME '=' Runas_List

         Host_Alias ::= NAME '=' Host_List

         Cmnd_Alias ::= NAME '=' Cmnd_List

         NAME ::= [A-Z]([A-Z][0-9]_)*

     Each alias definition is of the form

         Alias_Type NAME = item1, item2, ...

     where Alias_Type is one of User_Alias, Runas_Alias, Host_Alias, or
     Cmnd_Alias. A NAME is a string of uppercase letters, numbers, and
     underscore characters (`_'). A NAME must start with an uppercase letter.
     It is possible to put several alias definitions of the same type on a
     single line, joined by a colon (`:'). E.g.,

         Alias_Type NAME = item1, item2, item3 : NAME = item4, item5

     The definitions of what constitutes a valid alias member follow.

         User ::= '!'* user name |
                  '!'* %:nonunix_group |
                  '!'* %:#nonunix_gid |

     A User_List is made up of one or more user names, user IDs (prefixed with
     `#'), system group names and IDs (prefixed with `%' and `%#'
     respectively), netgroups (prefixed with `+'), non-Unix group names and
     IDs (prefixed with `%:' and `%:#' respectively) and User_Aliases. Each
     list item may be prefixed with zero or more `!' operators. An odd number
     of `!' operators negate the value of the item; an even number just cancel

     A user name, uid, group, gid, netgroup, nonunix_group or nonunix_gid may
     be enclosed in double quotes to avoid the need for escaping special
     characters. Alternately, special characters may be specified in escaped
     hex mode, e.g. \x20 for space. When using double quotes, any prefix
     characters must be included inside the quotes.

     The actual nonunix_group and nonunix_gid syntax depends on the underlying
     group provider plugin. For instance, the QAS AD plugin supports the

     o   Group in the same domain: "%:Group Name"

     o   Group in any domain: "%:Group Name@FULLY.QUALIFIED.DOMAIN"

     o   Group SID: "%:S-1-2-34-5678901234-5678901234-5678901234-567"

     See GROUP PROVIDER PLUGINS for more information.

     Note that quotes around group names are optional. Unquoted strings must
     use a backslash (`\') to escape spaces and special characters. See Other
     special characters and reserved words for a list of characters that need
         Runas_List ::= Runas_Member |
                        Runas_Member ',' Runas_List

         Runas_Member ::= '!'* user name |
                          '!'* %:nonunix_group |
                          '!'* %:#nonunix_gid |

     A Runas_List is similar to a User_List except that instead of
     User_Aliases it can contain Runas_Aliases. Note that user names and
     groups are matched as strings. In other words, two users (groups) with
     the same uid (gid) are considered to be distinct. If you wish to match
     all user names with the same uid (e.g. root and toor), you can use a uid
     instead (#0 in the example given).

         Host ::= '!'* host name |
                  '!'* network(/netmask)? |

     A Host_List is made up of one or more host names, IP addresses, network
     numbers, netgroups (prefixed with `+') and other aliases. Again, the
     value of an item may be negated with the `!' operator. If you do not
     specify a netmask along with the network number, sudo will query each of
     the local host's network interfaces and, if the network number
     corresponds to one of the host's network interfaces, the corresponding
     netmask will be used. The netmask may be specified either in standard IP
     address notation (e.g. 255.255.255.0 or ffff:ffff:ffff:ffff::), or CIDR
     notation (number of bits, e.g. 24 or 64). A host name may include shell-
     style wildcards (see the Wildcards section below), but unless the host
     name command on your machine returns the fully qualified host name,
     you'll need to use the fqdn option for wildcards to be useful. Note that
     sudo only inspects actual network interfaces; this means that IP address
     127.0.0.1 (localhost) will never match. Also, the host name
     ``localhost'' will only match if that is the actual host name, which is
     usually only the case for non-networked systems.
         digest ::= [A-Fa-f0-9]+ |

         Digest_Spec ::= "sha224" ':' digest |
                         "sha256" ':' digest |
                         "sha384" ':' digest |

         command name ::= file name |

         Cmnd ::= Digest_Spec? '!'* command name |

     A Cmnd_List is a list of one or more command names, directories, and
     other aliases. A command name is a fully qualified file name which may
     include shell-style wildcards (see the Wildcards section below). A
     simple file name allows the user to run the command with any arguments
     he/she wishes. However, you may also specify command line arguments
     (including wildcards). Alternately, you can specify "" to indicate that
     the command may only be run without command line arguments. A directory
     is a fully qualified path name ending in a `/'. When you specify a
     directory in a Cmnd_List, the user will be able to run any file within
     that directory (but not in any sub-directories therein).

     If a Cmnd has associated command line arguments, then the arguments in
     the Cmnd must match exactly those given by the user on the command line
     (or match the wildcards if there are any). Note that the following
     characters must be escaped with a `\' if they are used in command
     arguments: `,', `:', `=', `\'. The built-in command ``sudoedit'' is used
     to permit a user to run sudo with the -e option (or as sudoedit). It may
     take command line arguments just as a normal command does. Note that
     ``sudoedit'' is a command built into sudo itself and must be specified in
     sudoers without a leading path.

     If a command name is prefixed with a Digest_Spec, the command will only
     match successfully if it can be verified using the specified SHA-2
     digest. This may be useful in situations where the user invoking sudo
     has write access to the command or its parent directory. The following
     digest formats are supported: sha224, sha256, sha384 and sha512. The
     string may be specified in either hex or base64 format (base64 is more
     compact). There are several utilities capable of generating SHA-2
     digests in hex format such as openssl, shasum, sha224sum, sha256sum,
     sha384sum, sha512sum.

     For example, using openssl:

         $ openssl dgst -sha224 /bin/ls
         SHA224(/bin/ls)= 118187da8364d490b4a7debbf483004e8f3e053ec954309de2c41a25

     It is also possible to use openssl to generate base64 output:

         $ openssl dgst -binary -sha224 /bin/ls | openssl base64
         EYGH2oNk1JC0p9679IMATo8+BT7JVDCd4sQaJQ==

     Command digests are only supported by version 1.8.7 or higher.
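     Added here as a worked example (not code from the sudoers manual or the
     sudo project): producing a Digest_Spec for a file in either of the two
     encodings described above, and checking a file against one. It assumes
     only the Python standard library; the sample file is constructed inline
     so the block runs offline, and a malformed or unsupported spec never
     matches.

```python
# Added example: build and verify sudoers Digest_Spec strings ("algo:digest").
# Not part of the sudoers manual; uses only the Python standard library.
import base64
import binascii
import hashlib
import os
import tempfile

# Digest types the manual lists for Digest_Spec.
SUPPORTED = ("sha224", "sha256", "sha384", "sha512")

def _file_digest(path, algo):
    """Raw digest of a file, streamed so large binaries are fine."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.digest()

def digest_spec(path, algo="sha224", encoding="hex"):
    """Return 'algo:digest' for path, in hex (like openssl dgst) or base64
    (like openssl dgst -binary | openssl base64)."""
    if algo not in SUPPORTED:
        raise ValueError("unsupported digest type: " + algo)
    raw = _file_digest(path, algo)
    text = raw.hex() if encoding == "hex" else base64.b64encode(raw).decode()
    return "%s:%s" % (algo, text)

def parse_digest_spec(spec):
    """Split 'algo:digest' into (algo, raw_bytes).
    The digest is read as hex when its length is exactly that of a hex
    digest for algo, otherwise as base64. Returns None for an unsupported
    type, an undecodable string, or a digest of the wrong length."""
    algo, sep, text = spec.partition(":")
    if not sep or algo not in SUPPORTED:
        return None
    expected_len = hashlib.new(algo).digest_size
    raw = None
    if len(text) == 2 * expected_len:
        try:
            raw = bytes.fromhex(text)
        except ValueError:
            raw = None
    if raw is None:
        try:
            raw = base64.b64decode(text, validate=True)
        except (binascii.Error, ValueError):
            return None
    if len(raw) != expected_len:
        return None
    return algo, raw

def digest_matches(spec, path):
    """True only when the file's digest equals the one in spec; a spec that
    cannot be parsed fails closed (no match), as a policy check should."""
    parsed = parse_digest_spec(spec)
    if parsed is None:
        return False
    algo, want = parsed
    return _file_digest(path, algo) == want

def make_sample_file(content=b"abc"):
    """Constructed sample input: write content to a temp file, return path."""
    fd, path = tempfile.mkstemp(prefix="digest-demo-")
    with os.fdopen(fd, "wb") as f:
        f.write(content)
    return path

if __name__ == "__main__":
    p = make_sample_file()
    print(digest_spec(p, "sha224"))            # hex form
    print(digest_spec(p, "sha224", "base64"))  # base64 form, same digest
    print(digest_matches(digest_spec(p, "sha224", "base64"), p))
    os.remove(p)
```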
   Defaults
     Certain configuration options may be changed from their default values at
     run-time via one or more Default_Entry lines. These may affect all users
     on any host, all users on a specific host, a specific user, a specific
     command, or commands being run as a specific user. Note that per-command
     entries may not include command line arguments. If you need to specify
     arguments, define a Cmnd_Alias and reference that instead.

         Default_Type ::= 'Defaults' |
                          'Defaults' '@' Host_List |
                          'Defaults' ':' User_List |
                          'Defaults' '!' Cmnd_List |
                          'Defaults' '>' Runas_List

         Default_Entry ::= Default_Type Parameter_List

         Parameter_List ::= Parameter |
                            Parameter ',' Parameter_List

         Parameter ::= Parameter '=' Value |
                       Parameter '+=' Value |
                       Parameter '-=' Value |

     Parameters may be flags, integer values, strings, or lists. Flags are
     implicitly boolean and can be turned off via the `!' operator. Some
     integer, string and list parameters may also be used in a boolean context
     to disable them. Values may be enclosed in double quotes ("") when they
     contain multiple words. Special characters may be escaped with a

     Lists have two additional assignment operators, += and -=. These
     operators are used to add to and delete from a list respectively. It is
     not an error to use the -= operator to remove an element that does not

     Defaults entries are parsed in the following order: generic, host and
     user Defaults first, then runas Defaults and finally command defaults.

     See SUDOERS OPTIONS for a list of supported Defaults parameters.
   User specification
         User_Spec ::= User_List Host_List '=' Cmnd_Spec_List \
                       (':' Host_List '=' Cmnd_Spec_List)*

         Cmnd_Spec_List ::= Cmnd_Spec |
                            Cmnd_Spec ',' Cmnd_Spec_List

         Cmnd_Spec ::= Runas_Spec? SELinux_Spec? Solaris_Priv_Spec? Tag_Spec* Cmnd

         Runas_Spec ::= '(' Runas_List? (':' Runas_List)? ')'

         SELinux_Spec ::= ('ROLE=role' | 'TYPE=type')

         Solaris_Priv_Spec ::= ('PRIVS=privset' | 'LIMITPRIVS=privset')

         Tag_Spec ::= ('NOPASSWD:' | 'PASSWD:' | 'NOEXEC:' | 'EXEC:' |
                       'SETENV:' | 'NOSETENV:' | 'LOG_INPUT:' | 'NOLOG_INPUT:' |
                       'LOG_OUTPUT:' | 'NOLOG_OUTPUT:')

     A user specification determines which commands a user may run (and as
     what user) on specified hosts. By default, commands are run as root, but
     this can be changed on a per-command basis.

     The basic structure of a user specification is ``who where = (as_whom)
     what''. Let's break that down into its constituent parts:
   Runas_Spec
     A Runas_Spec determines the user and/or the group that a command may be
     run as. A fully-specified Runas_Spec consists of two Runas_Lists (as
     defined above) separated by a colon (`:') and enclosed in a set of
     parentheses. The first Runas_List indicates which users the command may
     be run as via sudo's -u option. The second defines a list of groups that
     can be specified via sudo's -g option. If both Runas_Lists are
     specified, the command may be run with any combination of users and
     groups listed in their respective Runas_Lists. If only the first is
     specified, the command may be run as any user in the list but no -g
     option may be specified. If the first Runas_List is empty but the second
     is specified, the command may be run as the invoking user with the group
     set to any listed in the Runas_List. If both Runas_Lists are empty, the
     command may only be run as the invoking user. If no Runas_Spec is
     specified the command may be run as root and no group may be specified.

     A Runas_Spec sets the default for the commands that follow it. What this
     means is that for the entry:

         dgb boulder = (operator) /bin/ls, /bin/kill, /usr/bin/lprm

     The user dgb may run /bin/ls, /bin/kill, and /usr/bin/lprm--but only as
     operator. E.g.,

         $ sudo -u operator /bin/ls

     It is also possible to override a Runas_Spec later on in an entry. If we
     modify the entry like so:

         dgb boulder = (operator) /bin/ls, (root) /bin/kill, /usr/bin/lprm

     Then user dgb is now allowed to run /bin/ls as operator, but /bin/kill
     and /usr/bin/lprm as root.

     We can extend this to allow dgb to run /bin/ls with either the user or
     group set to operator:

         dgb boulder = (operator : operator) /bin/ls, (root) /bin/kill,\

     Note that while the group portion of the Runas_Spec permits the user to
     run a command with that group, it does not force the user to do so. If
     no group is specified on the command line, the command will run with the
     group listed in the target user's password database entry. The following
     would all be permitted by the sudoers entry above:

         $ sudo -u operator /bin/ls
         $ sudo -u operator -g operator /bin/ls
         $ sudo -g operator /bin/ls

     In the following example, user tcm may run commands that access a modem
     device file with the dialer group.

         tcm boulder = (:dialer) /usr/bin/tip, /usr/bin/cu,\
             /usr/local/bin/minicom

     Note that in this example only the group will be set, the command still
     runs as user tcm. E.g.

         $ sudo -g dialer /usr/bin/cu

     Multiple users and groups may be present in a Runas_Spec, in which case
     the user may select any combination of users and groups via the -u and -g
     options. In this example:

         alan ALL = (root, bin : operator, system) ALL

     user alan may run any command as either user root or bin, optionally
     setting the group to operator or system.
   SELinux_Spec
     On systems with SELinux support, sudoers entries may optionally have an
     SELinux role and/or type associated with a command. If a role or type is
     specified with the command it will override any default values specified
     in sudoers. A role or type specified on the command line, however, will
     supersede the values in sudoers.

   Solaris_Priv_Spec
     On Solaris systems, sudoers entries may optionally specify Solaris
     privilege set and/or limit privilege set associated with a command. If
     privileges or limit privileges are specified with the command it will
     override any default values specified in sudoers.

     A privilege set is a comma-separated list of privilege names. The
     ppriv(1) command can be used to list all privileges known to the system.

     In addition, there are several ``special'' privilege strings:

     all     the set of all privileges

     zone    the set of all privileges available in the current zone

     basic   the default set of privileges normal users are granted at login

     Privileges can be excluded from a set by prefixing the privilege name
     with either an `!' or `-' character.
   Tag_Spec
     A command may have zero or more tags associated with it. There are ten
     possible tag values: NOPASSWD, PASSWD, NOEXEC, EXEC, SETENV, NOSETENV,
     LOG_INPUT, NOLOG_INPUT, LOG_OUTPUT and NOLOG_OUTPUT. Once a tag is set
     on a Cmnd, subsequent Cmnds in the Cmnd_Spec_List inherit the tag unless
     it is overridden by the opposite tag (in other words, PASSWD overrides
     NOPASSWD and NOEXEC overrides EXEC).

     NOPASSWD and PASSWD

     By default, sudo requires that a user authenticate him or herself
     before running a command. This behavior can be modified via the
     NOPASSWD tag. Like a Runas_Spec, the NOPASSWD tag sets a default for
     the commands that follow it in the Cmnd_Spec_List. Conversely, the
     PASSWD tag can be used to reverse things. For example:

         ray rushmore = NOPASSWD: /bin/kill, /bin/ls, /usr/bin/lprm

     would allow the user ray to run /bin/kill, /bin/ls, and /usr/bin/lprm
     as root on the machine rushmore without authenticating himself. If we
     only want ray to be able to run /bin/kill without a password the entry

         ray rushmore = NOPASSWD: /bin/kill, PASSWD: /bin/ls, /usr/bin/lprm

     Note, however, that the PASSWD tag has no effect on users who are in
     the group specified by the exempt_group option.

     By default, if the NOPASSWD tag is applied to any of the entries for a
     user on the current host, he or she will be able to run ``sudo -l''
     without a password. Additionally, a user may only run ``sudo -v''
     without a password if the NOPASSWD tag is present for all a user's
     entries that pertain to the current host. This behavior may be
     overridden via the verify_pw and list_pw options.
     NOEXEC and EXEC

     If sudo has been compiled with noexec support and the underlying
     operating system supports it, the NOEXEC tag can be used to prevent a
     dynamically-linked executable from running further commands itself.

     In the following example, user aaron may run /usr/bin/more and
     /usr/bin/vi but shell escapes will be disabled.

         aaron shanty = NOEXEC: /usr/bin/more, /usr/bin/vi

     See the Preventing shell escapes section below for more details on how
     NOEXEC works and whether or not it will work on your system.

     SETENV and NOSETENV

     These tags override the value of the setenv option on a per-command
     basis. Note that if SETENV has been set for a command, the user may
     disable the env_reset option from the command line via the -E option.
     Additionally, environment variables set on the command line are not
     subject to the restrictions imposed by env_check, env_delete, or
     env_keep. As such, only trusted users should be allowed to set
     variables in this manner. If the command matched is ALL, the SETENV
     tag is implied for that command; this default may be overridden by use

     LOG_INPUT and NOLOG_INPUT

     These tags override the value of the log_input option on a per-command
     basis. For more information, see the description of log_input in the
     SUDOERS OPTIONS section below.

     LOG_OUTPUT and NOLOG_OUTPUT

     These tags override the value of the log_output option on a per-command
     basis. For more information, see the description of log_output in the
     SUDOERS OPTIONS section below.
   Wildcards
     sudo allows shell-style wildcards (aka meta or glob characters) to be
     used in host names, path names and command line arguments in the sudoers
     file. Wildcard matching is done via the glob(3) and fnmatch(3) functions
     as specified by IEEE Std 1003.1 (``POSIX.1''). Note that these are not

     *       Matches any set of zero or more characters.

     ?       Matches any single character.

     [...]   Matches any character in the specified range.

     [!...]  Matches any character not in the specified range.

     \x      For any character `x', evaluates to `x'. This is used to
             escape special characters such as: `*', `?', `[', and `]'.

     Character classes may also be used if your system's glob(3) and
     fnmatch(3) functions support them. However, because the `:' character
     has special meaning in sudoers, it must be escaped. For example:

     Would match any file name beginning with a letter.

     Note that a forward slash (`/') will not be matched by wildcards used in
     the path name. This is to make a path like:

     match /usr/bin/who but not /usr/bin/X11/xterm.

     When matching the command line arguments, however, a slash does get
     matched by wildcards since command line arguments may contain arbitrary
     strings and not just path names.

     Wildcards in command line arguments should be used with care. Because
     command line arguments are matched as a single, concatenated string, a
     wildcard such as `?' or `*' can match multiple words. For example, while
     a sudoers entry like:

         %operator ALL = /bin/cat /var/log/messages*

     will allow a command like:

         $ sudo cat /var/log/messages.1

         $ sudo cat /var/log/messages /etc/shadow

     which is probably not what was intended.
675 E
\bEx
\bxc
\bce
\bep
\bpt
\bti
\bio
\bon
\bns
\bs t
\bto
\bo w
\bwi
\bil
\bld
\bdc
\bca
\bar
\brd
\bd r
\bru
\bul
\ble
\bes
\bs
676 The following exceptions apply to the above rules:
678 "" If the empty string "" is the only command line argument in the
679 _
\bs_
\bu_
\bd_
\bo_
\be_
\br_
\bs entry it means that command is not allowed to be run
680 with a
\ban
\bny
\by arguments.
682 sudoedit Command line arguments to the _
\bs_
\bu_
\bd_
\bo_
\be_
\bd_
\bi_
\bt built-in command should
683 always be path names, so a forward slash (`/') will not be
684 matched by a wildcard.
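     The matching rules above (a slash is not matched by a wildcard in the
     path name but is matched in the arguments, the "" exception, and the
     sudoedit exception) as a small Python emulation.  This is an added
     example for this page, not code from sudo itself; sudoers_glob_to_regex,
     command_matches and operator_examples are this example's own names, and
     the rule and command values are constructed.  It follows the
     `%operator ALL = /bin/cat /var/log/messages*` entry through both of the
     commands shown above, and adds a sudoedit entry with the same shape of
     pattern to show what the exception changes.

```python
import re


def sudoers_glob_to_regex(pattern, pathname):
    """Translate a sudoers-style glob into an anchored regular expression.

    pathname=True mirrors glob(3)/fnmatch(3) with FNM_PATHNAME, which is how
    the command path is matched: '*', '?' and bracket expressions never match
    a '/'.  pathname=False is how command line arguments are matched, where
    '/' is an ordinary character.
    """
    any_char = "[^/]" if pathname else "."
    out, i = [], 0
    while i < len(pattern):
        c = pattern[i]
        if c == "*":
            out.append(any_char + "*")
        elif c == "?":
            out.append(any_char)
        elif c == "[":
            start = i + 1
            negate = start < len(pattern) and pattern[start] == "!"
            if negate:
                start += 1
            if start < len(pattern) and pattern[start] == "]":
                start += 1                       # a leading ']' is literal
            end = pattern.find("]", start)
            if end == -1:                        # unterminated: literal '['
                out.append(re.escape(c))
            else:
                body = pattern[i + 1 + negate:end].replace("\\", "\\\\")
                if pathname and negate:
                    body += "/"                  # FNM_PATHNAME: '/' never matches
                out.append("[" + ("^" if negate else "") + body + "]")
                i = end
        elif c == "\\" and i + 1 < len(pattern):
            i += 1
            out.append(re.escape(pattern[i]))    # \x evaluates to the literal x
        else:
            out.append(re.escape(c))
        i += 1
    return "^" + "".join(out) + "$"


def command_matches(rule_cmnd, rule_args, user_cmnd, user_args):
    """Compare one sudoers command entry against what the user typed.

    rule_args is None when the entry names no arguments (anything goes),
    the literal '""' when the command may take no arguments at all, and
    otherwise the argument text from the entry.  The user's arguments are
    joined into one space-separated string first, which is why a '*' in
    the entry can span several words.
    """
    if not re.match(sudoers_glob_to_regex(rule_cmnd, pathname=True), user_cmnd):
        return False
    if rule_args is None:
        return True
    if rule_args == '""':
        return not user_args
    # sudoedit's arguments are path names, so '/' is not matched by wildcards.
    pathname_args = rule_cmnd == "sudoedit"
    joined = " ".join(user_args)
    return re.match(sudoers_glob_to_regex(rule_args, pathname=pathname_args), joined) is not None


# The %operator entry from the text, followed through both commands shown.
RULE_CMND, RULE_ARGS = "/bin/cat", "/var/log/messages*"


def operator_examples():
    """Return (messages.1 allowed, 'messages /etc/shadow' allowed)."""
    return (
        command_matches(RULE_CMND, RULE_ARGS, "/bin/cat", ["/var/log/messages.1"]),
        command_matches(RULE_CMND, RULE_ARGS, "/bin/cat", ["/var/log/messages", "/etc/shadow"]),
    )
```

     operator_examples() returns (True, True): the second command is the
     over-match the text warns about, because the joined argument string
     "/var/log/messages /etc/shadow" still begins with "/var/log/messages".
     The same pattern written for sudoedit stops at the first slash, so
     "sudoedit /etc/motd /etc/shadow" does not match a "sudoedit /etc/motd*"
     entry.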
   Including other files from within sudoers
     It is possible to include other sudoers files from within the sudoers
     file currently being parsed using the #include and #includedir

     This can be used, for example, to keep a site-wide sudoers file in
     addition to a local, per-machine file.  For the sake of this example the
     site-wide sudoers will be /etc/sudoers and the per-machine one will be
     /etc/sudoers.local.  To include /etc/sudoers.local from within
     /etc/sudoers we would use the following line in /etc/sudoers:

           #include /etc/sudoers.local

     When sudo reaches this line it will suspend processing of the current
     file (/etc/sudoers) and switch to /etc/sudoers.local.  Upon reaching the
     end of /etc/sudoers.local, the rest of /etc/sudoers will be processed.
     Files that are included may themselves include other files.  A hard limit
     of 128 nested include files is enforced to prevent include file loops.

     If the path to the include file is not fully-qualified (does not begin
     with a `/'), it must be located in the same directory as the sudoers file
     it was included from.  For example, if /etc/sudoers contains the line:

           #include sudoers.local

     the file that will be included is /etc/sudoers.local.

     The file name may also include the %h escape, signifying the short form
     of the host name.  In other words, if the machine's host name is

           #include /etc/sudoers.%h

     will cause sudo to include the file /etc/sudoers.xerxes.

     The #includedir directive can be used to create a sudo.d directory that
     the system package manager can drop sudoers rules into as part of package
     installation.  For example, given:

           #includedir /etc/sudoers.d

     sudo will read each file in /etc/sudoers.d, skipping file names that end
     in `~' or contain a `.' character to avoid causing problems with package
     manager or editor temporary/backup files.  Files are parsed in sorted
     lexical order.  That is, /etc/sudoers.d/01_first will be parsed before
     /etc/sudoers.d/10_second.  Be aware that because the sorting is lexical,
     not numeric, /etc/sudoers.d/1_whoops would be loaded after
     /etc/sudoers.d/10_second.  Using a consistent number of leading zeroes in
     the file names can be used to avoid such problems.

     Note that unlike files included via #include, visudo will not edit the
     files in a #includedir directory unless one of them contains a syntax
     error.  It is still possible to run visudo with the -f flag to edit the
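     The include rules above (relative paths resolved against the including
     file, the %h escape, the #includedir skip rules and lexical ordering, and
     the nesting limit that ends include loops) as a Python walk over a
     constructed in-memory file tree.  This is an added example, not code from
     sudo or visudo; parse_tree, includedir_files, resolve_include, IncludeLoop
     and the FS dictionary are this example's own names and data.  It assumes
     the #includedir operand is an absolute path and does not model visudo's
     syntax checking.

```python
import os


INCLUDE_LIMIT = 128          # hard limit on nested include files, from the text above


class IncludeLoop(Exception):
    """Raised when the nesting limit is hit, which is how include loops end."""


def includedir_files(names):
    """Names sudo parses from a #includedir directory, in parse order.

    Names ending in '~' or containing '.' are skipped; the rest are taken in
    sorted lexical order, so '10_second' comes before '1_whoops'.
    """
    return sorted(n for n in names if not n.endswith("~") and "." not in n)


def resolve_include(operand, including_file, short_hostname):
    """Expand a #include operand: '%h' becomes the short host name and a
    path without a leading '/' is relative to the including file's directory."""
    path = operand.replace("%h", short_hostname)
    if not path.startswith("/"):
        path = os.path.join(os.path.dirname(including_file), path)
    return path


def parse_tree(fs, path, short_hostname, depth=0):
    """Yield (file, line) for every rule line sudo would see, in order.

    fs is a constructed in-memory tree: a file path maps to its text, a
    directory path maps to the list of entry names.  The #includedir operand
    is taken as an absolute path here (an assumption of this example).
    """
    if depth >= INCLUDE_LIMIT:
        raise IncludeLoop(f"{path}: too many levels of includes")
    for raw in fs[path].splitlines():
        line = raw.strip()
        if line.startswith("#include "):
            target = resolve_include(line.split(None, 1)[1], path, short_hostname)
            yield from parse_tree(fs, target, short_hostname, depth + 1)
        elif line.startswith("#includedir "):
            directory = line.split(None, 1)[1]
            for name in includedir_files(fs[directory]):
                yield from parse_tree(fs, os.path.join(directory, name),
                                      short_hostname, depth + 1)
        elif line and not line.startswith("#"):
            yield path, line


# Constructed tree (not a real host's files); the host name is assumed to be "xerxes".
FS = {
    "/etc/sudoers": "Defaults env_reset\n#include sudoers.local\n"
                    "#include /etc/sudoers.%h\n#includedir /etc/sudoers.d\n"
                    "%wheel ALL=(ALL) ALL\n",
    "/etc/sudoers.local": "# per-machine rules\nalice ALL=(ALL) /usr/bin/systemctl\n",
    "/etc/sudoers.xerxes": "backup ALL=(root) NOPASSWD: /usr/bin/rsync\n",
    "/etc/sudoers.d": ["10_second", "1_whoops", "01_first", "01_first.rpmnew", "README~"],
    "/etc/sudoers.d/01_first": "bob ALL=(root) /usr/bin/apt\n",
    "/etc/sudoers.d/10_second": "carol ALL=(root) /usr/bin/apt\n",
    "/etc/sudoers.d/1_whoops": "dave ALL=(root) /usr/bin/apt\n",
    "/etc/loop": "#include /etc/loop\n",
}


def effective_rules(fs=FS, root="/etc/sudoers", short_hostname="xerxes"):
    """The rule lines in the order sudo would evaluate them."""
    return [line for _, line in parse_tree(fs, root, short_hostname)]


def include_loop_detected(fs=FS, root="/etc/loop"):
    try:
        list(parse_tree(fs, root, "xerxes"))
    except IncludeLoop:
        return True
    return False
```

     effective_rules() shows the two things worth checking on a real host:
     01_first.rpmnew and README~ are silently ignored, and 1_whoops lands
     after 10_second.  Because a later rule for the same user and host wins,
     a mis-sorted drop-in can quietly override an earlier one, so pick a
     fixed number of leading zeroes before the first package ships a file.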
   Other special characters and reserved words
     The pound sign (`#') is used to indicate a comment (unless it is part of
     a #include directive or unless it occurs in the context of a user name
     and is followed by one or more digits, in which case it is treated as a
     uid).  Both the comment character and any text after it, up to the end of
     the line, are ignored.

     The reserved word ALL is a built-in alias that always causes a match to
     succeed.  It can be used wherever one might otherwise use a Cmnd_Alias,
     User_Alias, Runas_Alias, or Host_Alias.  You should not try to define
     your own alias called ALL as the built-in alias will be used in
     preference to your own.  Please note that using ALL can be dangerous
     since in a command context, it allows the user to run any command on the

     An exclamation point (`!') can be used as a logical not operator in a
     list or alias as well as in front of a Cmnd.  This allows one to exclude
     certain values.  For the `!' operator to be effective, there must be
     something for it to exclude.  For example, to match all users except for

     If the ALL is omitted, as in:

     it would explicitly deny root but not match any other users.  This is
     different from a true ``negation'' operator.

     Note, however, that using a `!' in conjunction with the built-in ALL
     alias to allow a user to run ``all but a few'' commands rarely works as
     intended (see SECURITY NOTES below).

     Long lines can be continued with a backslash (`\') as the last character

     White space between elements in a list as well as special syntactic
     characters in a User Specification (`=', `:', `(', `)') is optional.

     The following characters must be escaped with a backslash (`\') when used
     as part of a word (e.g. a user name or host name): `!', `=', `:', `,',
SUDOERS OPTIONS
     sudo's behavior can be modified by Default_Entry lines, as explained
     earlier.  A list of all supported Defaults parameters, grouped by type,

   Boolean Flags:
     always_set_home  If enabled, sudo will set the HOME environment variable
                      to the home directory of the target user (which is root
                      unless the -u option is used).  This effectively means
                      that the -H option is always implied.  Note that HOME is
                      already set when the env_reset option is enabled, so
                      always_set_home is only effective for configurations
                      where either env_reset is disabled or HOME is present in
                      the env_keep list.  This flag is off

     authenticate     If set, users must authenticate themselves via a
                      password (or other means of authentication) before they
                      may run commands.  This default may be overridden via
                      the PASSWD and NOPASSWD tags.  This flag is on by

                      If set, the user may use sudo's -C option which
                      overrides the default starting point at which sudo
                      begins closing open file descriptors.  This flag is off

     compress_io      If set, and sudo is configured to log a command's input
                      or output, the I/O logs will be compressed using zlib.
                      This flag is on by default when sudo is compiled with
                      zlib support.

     exec_background  By default, sudo runs a command as the foreground
                      process as long as sudo itself is running in the
                      foreground.  When the exec_background flag is enabled
                      and the command is being run in a pty (due to I/O
                      logging or the use_pty flag), the command will be run
                      as a background process.  Attempts to read from the
                      controlling terminal (or to change terminal settings)
                      will result in the command being suspended with the
                      SIGTTIN signal (or SIGTTOU in the case of terminal
                      settings).  If this happens when sudo is a foreground
                      process, the command will be granted the controlling
                      terminal and resumed in the foreground with no user
                      intervention required.  The advantage of initially
                      running the command in the background is that sudo need
                      not read from the terminal unless the command
                      explicitly requests it.  Otherwise, any terminal input
                      must be passed to the command, whether it has required
                      it or not (the kernel buffers terminals so it is not
                      possible to tell whether the command really wants the
                      input).  This is different from historic sudo behavior
                      or when the command is not being run in a pty.

                      For this to work seamlessly, the operating system must
                      support the automatic restarting of system calls.
                      Unfortunately, not all operating systems do this by
                      default, and even those that do may have bugs.  For
                      example, Mac OS X fails to restart the tcgetattr() and
                      tcsetattr() system calls (this is a bug in Mac OS X).
                      Furthermore, because this behavior depends on the
                      command stopping with the SIGTTIN or SIGTTOU signals,
                      programs that catch these signals and suspend
                      themselves with a different signal (usually SIGSTOP)
                      will not be automatically foregrounded.  Some versions
                      of the Linux su(1) command behave this way.

                      This setting is only supported by version 1.8.7 or
                      higher.  It has no effect unless I/O logging is enabled
                      or the use_pty flag is enabled.

     env_editor       If set, visudo will use the value of the EDITOR or
                      VISUAL environment variables before falling back on the
                      default editor list.  Note that this may create a
                      security hole as it allows the user to run any
                      arbitrary command as root without logging.  A safer
                      alternative is to place a colon-separated list of
                      editors in the editor variable.  visudo will then only
                      use the EDITOR or VISUAL if they match a value
                      specified in editor.  This flag is off by default.
     env_reset        If set, sudo will run the command in a minimal
                      environment containing the TERM, PATH, HOME, MAIL,
                      SHELL, LOGNAME, USER, USERNAME and SUDO_* variables.
                      Any variables in the caller's environment that match
                      the env_keep and env_check lists are then added,
                      followed by any variables present in the file specified
                      by the env_file option (if any).  The default contents
                      of the env_keep and env_check lists are displayed when
                      sudo is run by root with the -V option.  If the
                      secure_path option is set, its value will be used for
                      the PATH environment variable.  This flag is on by

     fast_glob        Normally, sudo uses the glob(3) function to do
                      shell-style globbing when matching path names.
                      However, since it accesses the file system, glob(3) can
                      take a long time to complete for some patterns,
                      especially when the pattern references a network file
                      system that is mounted on demand (auto mounted).  The
                      fast_glob option causes sudo to use the fnmatch(3)
                      function, which does not access the file system to do
                      its matching.  The disadvantage of fast_glob is that it
                      is unable to match relative path names such as ./ls or
                      ../bin/ls.  This has security implications when path
                      names that include globbing characters are used with
                      the negation operator, `!', as such rules can be
                      trivially bypassed.  As such, this option should not be
                      used when sudoers contains rules that contain negated
                      path names which include globbing characters.  This
                      flag is off by default.
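     How a `!' entry in a list is evaluated (the ALL and `!' paragraphs in the
     section above) and why negated entries are exactly where fast_glob bites,
     as an added Python emulation that is not sudo's own match code.
     list_decision walks a comma-separated list with the last-matching-entry-
     wins rule those paragraphs describe; glob_match and fnmatch_match stand
     in for the glob(3) path of the default and the fnmatch(3) path of
     fast_glob.  The FILES table of paths and device/inode pairs is
     constructed, and the copy of the shell at /tmp/sh is there to show the
     ``all but a few'' failure the text defers to SECURITY NOTES.

```python
import fnmatch
import os.path


def list_decision(items, matches):
    """Evaluate a sudoers list such as 'ALL,!root' or 'ALL, !/usr/bin/l*'.

    Items are walked left to right.  A plain item that matches allows, a
    '!'-prefixed item that matches denies, and the last item that matched
    wins.  None means nothing matched, which is why '!root' on its own
    excludes root but matches nobody else.
    """
    decision = None
    for item in items:
        item = item.strip()
        bangs = len(item) - len(item.lstrip("!"))
        name = item[bangs:]
        if name == "ALL" or matches(name):
            decision = bangs % 2 == 0     # an even number of '!' is a positive match
    return decision


def user_allowed(user_list, user):
    return list_decision(user_list.split(","), lambda name: name == user)


# Constructed file system: path -> (device, inode).  /tmp/sh is a copy of the
# shell the user made; it has its own inode, so it is not /bin/sh to sudo.
FILES = {
    "/usr/bin/ls": (8, 4001),
    "/usr/bin/lp": (8, 4002),
    "/usr/bin/who": (8, 4003),
    "/bin/sh": (8, 1001),
    "/tmp/sh": (8, 9001),
}


def exact_path(pattern):
    """A command entry without wildcards is compared as a string."""
    return lambda user_cmnd, cwd: user_cmnd == pattern


def glob_match(pattern, files=FILES):
    """fast_glob off: expand the pattern against the file system (glob(3))
    and compare device/inode, so './ls' typed in /usr/bin is /usr/bin/ls.
    fnmatch.filter stands in for glob() over the constructed listing."""
    def matches(user_cmnd, cwd):
        target = files.get(os.path.normpath(os.path.join(cwd, user_cmnd)))
        return target is not None and any(
            files[p] == target for p in fnmatch.filter(files, pattern))
    return matches


def fnmatch_match(pattern):
    """fast_glob on: fnmatch(3) compares strings only, never the file system,
    so a relative path can never equal an absolute pattern."""
    return lambda user_cmnd, cwd: fnmatch.fnmatchcase(user_cmnd, pattern)


def command_allowed(cmnd_list, user_cmnd, cwd, fast_glob=False):
    """Decide a Cmnd list for the command the user typed from directory cwd."""
    def matches(entry):
        if any(ch in entry for ch in "*?["):
            matcher = fnmatch_match(entry) if fast_glob else glob_match(entry)
        else:
            matcher = exact_path(entry)
        return matcher(user_cmnd, cwd)
    return list_decision(cmnd_list.split(","), matches) is True
```

     Two results are the point.  "ALL, !/bin/sh" denies /bin/sh but allows
     /tmp/sh, because the negated entry only excludes that one path, not the
     program.  "ALL, !/usr/bin/l*" denies ./ls run from /usr/bin with the
     default matcher, since glob(3) resolves it to the same inode as
     /usr/bin/ls, but with fast_glob the string "./ls" never matches the
     pattern, the ALL entry stands, and the command runs.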
     fqdn             Set this flag if you want to put fully qualified host
                      names in the sudoers file when the local host name (as
                      returned by the hostname command) does not contain the
                      domain name.  In other words, instead of myhost you
                      would use myhost.mydomain.edu.  You may still use the
                      short form if you wish (and even mix the two).  This
                      option is only effective when the ``canonical'' host
                      name, as returned by the getaddrinfo() or
                      gethostbyname() function, is a fully-qualified domain
                      name.  This is usually the case when the system is
                      configured to use DNS for host name resolution.

                      If the system is configured to use the /etc/hosts file
                      in preference to DNS, the ``canonical'' host name may
                      not be fully-qualified.  The order that sources are
                      queried for host name resolution is usually specified
                      in the /etc/nsswitch.conf, /etc/netsvc.conf,
                      /etc/host.conf, or, in some cases, /etc/resolv.conf
                      file.  In the /etc/hosts file, the first host name of
                      the entry is considered to be the ``canonical'' name;
                      subsequent names are aliases that are not used by
                      sudoers.  For example, the following hosts file line
                      for the machine ``xyzzy'' has the fully-qualified
                      domain name as the ``canonical'' host name, and the
                      short version as an alias.

                            192.168.1.1 xyzzy.sudo.ws xyzzy

                      If the machine's hosts file entry is not formatted
                      properly, the fqdn option will not be effective if it
                      is queried before DNS.

                      Beware that when using DNS for host name resolution,
                      turning on fqdn requires sudoers to make DNS lookups
                      which renders sudo unusable if DNS stops working (for
                      example if the machine is disconnected from the
                      network).  Also note that just like with the hosts
                      file, you must use the ``canonical'' name as DNS knows
                      it.  That is, you may not use a host alias (CNAME
                      entry) due to performance issues and the fact that
                      there is no way to get all aliases from DNS.

                      This flag is off by default.
     ignore_dot       If set, sudo will ignore "." or "" (both denoting
                      current directory) in the PATH environment variable;
                      the PATH itself is not modified.  This flag is off by

                      If set via LDAP, parsing of /etc/sudoers will be
                      skipped.  This is intended for Enterprises that wish to
                      prevent the usage of local sudoers files so that only
                      LDAP is used.  This thwarts the efforts of rogue
                      operators who would attempt to add roles to
                      /etc/sudoers.  When this option is present,
                      /etc/sudoers does not even need to exist.  Since this
                      option tells sudo how to behave when no specific LDAP
                      entries have been matched, this sudoOption is only
                      meaningful for the cn=defaults section.  This flag is
                      off by default.

     insults          If set, sudo will insult users when they enter an
                      incorrect password.  This flag is off by default.

     log_host         If set, the host name will be logged in the
                      (non-syslog) sudo log file.  This flag is off by
                      default.

     log_input        If set, sudo will run the command in a pseudo tty and
                      log all user input.  If the standard input is not
                      connected to the user's tty, due to I/O redirection or
                      because the command is part of a pipeline, that input
                      is also captured and stored in a separate log file.

                      Input is logged to the directory specified by the
                      iolog_dir option (/var/log/sudo-io by default) using a
                      unique session ID that is included in the normal sudo
                      log line, prefixed with ``TSID=''.  The iolog_file
                      option may be used to control the format of the session

                      Note that user input may contain sensitive information
                      such as passwords (even if they are not echoed to the
                      screen), which will be stored in the log file
                      unencrypted.  In most cases, logging the command output
                      via log_output is all that is required.

     log_output       If set, sudo will run the command in a pseudo tty and
                      log all output that is sent to the screen, similar to
                      the script(1) command.  If the standard output or
                      standard error is not connected to the user's tty, due
                      to I/O redirection or because the command is part of a
                      pipeline, that output is also captured and stored in

                      Output is logged to the directory specified by the
                      iolog_dir option (/var/log/sudo-io by default) using a
                      unique session ID that is included in the normal sudo
                      log line, prefixed with ``TSID=''.  The iolog_file
                      option may be used to control the format of the session

                      Output logs may be viewed with the sudoreplay(1m)
                      utility, which can also be used to list or search the

     log_year         If set, the four-digit year will be logged in the
                      (non-syslog) sudo log file.  This flag is off by
                      default.

     long_otp_prompt  When validating with a One Time Password (OTP) scheme
                      such as S/Key or OPIE, a two-line prompt is used to
                      make it easier to cut and paste the challenge to a
                      local window.  It's not as pretty as the default but
                      some people find it more convenient.  This flag is off

     mail_always      Send mail to the mailto user every time a user runs
                      sudo.  This flag is off by default.

     mail_badpass     Send mail to the mailto user if the user running sudo
                      does not enter the correct password.  If the command
                      the user is attempting to run is not permitted by
                      sudoers and one of the mail_always, mail_no_host,
                      mail_no_perms or mail_no_user flags is set, this flag
                      will have no effect.  This flag is off by default.

     mail_no_host     If set, mail will be sent to the mailto user if the
                      invoking user exists in the sudoers file, but is not
                      allowed to run commands on the current host.  This flag
                      is off by default.

     mail_no_perms    If set, mail will be sent to the mailto user if the
                      invoking user is allowed to use sudo but the command
                      they are trying is not listed in their sudoers file
                      entry or is explicitly denied.  This flag is off by

     mail_no_user     If set, mail will be sent to the mailto user if the
                      invoking user is not in the sudoers file.  This flag is
                      on by default.

     noexec           If set, all commands run via sudo will behave as if the
                      NOEXEC tag has been set, unless overridden by an EXEC
                      tag.  See the description of NOEXEC and EXEC below as
                      well as the Preventing shell escapes section at the end
                      of this manual.  This flag is off by default.
     pam_session      On systems that use PAM for authentication, sudo will
                      create a new PAM session for the command to be run in.
                      Disabling pam_session may be needed on older PAM
                      implementations or on operating systems where opening a
                      PAM session changes the utmp or wtmp files.  If PAM
                      session support is disabled, resource limits may not be
                      updated for the command being run.  This flag is on by

                      This setting is only supported by version 1.8.7 or

     passprompt_override
                      The password prompt specified by passprompt will
                      normally only be used if the password prompt provided
                      by systems such as PAM matches the string
                      ``Password:''.  If passprompt_override is set,
                      passprompt will always be used.  This flag is off by

     path_info        Normally, sudo will tell the user when a command could
                      not be found in their PATH environment variable.  Some
                      sites may wish to disable this as it could be used to
                      gather information on the location of executables that
                      the normal user does not have access to.  The
                      disadvantage is that if the executable is simply not in
                      the user's PATH, sudo will tell the user that they are
                      not allowed to run it, which can be confusing.  This
                      flag is on by default.

     preserve_groups  By default, sudo will initialize the group vector to
                      the list of groups the target user is in.  When
                      preserve_groups is set, the user's existing group
                      vector is left unaltered.  The real and effective group
                      IDs, however, are still set to match the target user.
                      This flag is off by default.

     pwfeedback       By default, sudo reads the password like most other
                      Unix programs, by turning off echo until the user hits
                      the return (or enter) key.  Some users become confused
                      by this as it appears to them that sudo has hung at
                      this point.  When pwfeedback is set, sudo will provide
                      visual feedback when the user presses a key.  Note that
                      this does have a security impact as an onlooker may be
                      able to determine the length of the password being
                      entered.  This flag is off by default.

     requiretty       If set, sudo will only run when the user is logged in
                      to a real tty.  When this flag is set, sudo can only be
                      run from a login session and not via other means such
                      as cron(1m) or cgi-bin scripts.  This flag is off by

     root_sudo        If set, root is allowed to run sudo too.  Disabling
                      this prevents users from ``chaining'' sudo commands to
                      get a root shell by doing something like ``sudo sudo
                      /bin/sh''.  Note, however, that turning off root_sudo
                      will also prevent root from running sudoedit.
                      Disabling root_sudo provides no real additional
                      security; it exists purely for historical reasons.
                      This flag is on by default.

     rootpw           If set, sudo will prompt for the root password instead
                      of the password of the invoking user.  This flag is off

     runaspw          If set, sudo will prompt for the password of the user
                      defined by the runas_default option (defaults to root)
                      instead of the password of the invoking user.  This
                      flag is off by default.

     set_home         If enabled and sudo is invoked with the -s option the
                      HOME environment variable will be set to the home
                      directory of the target user (which is root unless the
                      -u option is used).  This effectively makes the -s
                      option imply -H.  Note that HOME is already set when
                      the env_reset option is enabled, so set_home is only
                      effective for configurations where either env_reset is
                      disabled or HOME is present in the env_keep list.  This
                      flag is off by default.

     set_logname      Normally, sudo will set the LOGNAME, USER and USERNAME
                      environment variables to the name of the target user
                      (usually root unless the -u option is given).  However,
                      since some programs (including the RCS revision control
                      system) use LOGNAME to determine the real identity of
                      the user, it may be desirable to change this behavior.
                      This can be done by negating the set_logname option.
                      Note that if the env_reset option has not been
                      disabled, entries in the env_keep list will override
                      the value of set_logname.  This flag is on by default.

     set_utmp         When enabled, sudo will create an entry in the utmp (or
                      utmpx) file when a pseudo-tty is allocated.  A
                      pseudo-tty is allocated by sudo when the log_input,
                      log_output or use_pty flags are enabled.  By default,
                      the new entry will be a copy of the user's existing
                      utmp entry (if any), with the tty, time, type and pid
                      fields updated.  This flag is on by default.
     setenv           Allow the user to disable the env_reset option from the
                      command line via the -E option.  Additionally,
                      environment variables set via the command line are not
                      subject to the restrictions imposed by env_check,
                      env_delete, or env_keep.  As such, only trusted users
                      should be allowed to set variables in this manner.
                      This flag is off by default.
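     The environment rules from the env_reset and setenv entries above and
     from the SETENV tag (the minimal base set, env_keep and env_check,
     env_file, secure_path, and what -E and VAR=value on the command line are
     allowed to bypass), as an added Python model that is not sudo's own
     environment code.  build_environment, the demo_* functions and the
     CALLER_ENV dictionary are this example's own; the test applied to
     env_check variables (no `%' and no `/' in the value) comes from the
     env_check entry in the list-options part of the sudoers manual rather
     than from the text above; env_delete and sudo's setting of LOGNAME,
     USER and HOME to the target user are left out of the model.

```python
import fnmatch


# Variables the env_reset entry above says survive regardless of any list.
BASE_VARS = ("TERM", "PATH", "HOME", "MAIL", "SHELL", "LOGNAME", "USER", "USERNAME")


def _listed(name, patterns):
    # env_keep/env_check entries are compared as shell-style patterns here so
    # that an entry such as LC_* works; a plain name behaves exactly the same.
    return any(fnmatch.fnmatchcase(name, p) for p in patterns)


def _passes_env_check(value):
    # The env_check test from the env_check entry in the list-options part of
    # the sudoers manual (not from the text above): no '%' and no '/' allowed.
    return "%" not in value and "/" not in value


def build_environment(caller_env, *, env_keep=(), env_check=(), env_file_vars=None,
                      secure_path=None, sudo_vars=None,
                      setenv=False, preserve_env=False, cmdline_vars=None):
    """Return the environment sudo hands to the command under env_reset.

    setenv models the setenv flag / SETENV tag: only then may the user pass
    -E (preserve_env), which switches env_reset off, or VAR=value on the
    command line (cmdline_vars), and those variables skip env_check,
    env_delete and env_keep entirely.  sudo_vars stands in for the SUDO_*
    variables sudo sets itself; they are constructed by the caller here.
    """
    if (preserve_env or cmdline_vars) and not setenv:
        raise PermissionError("-E and VAR=value need the SETENV tag or the setenv flag")
    if preserve_env:
        env = dict(caller_env)      # env_reset off; env_delete/env_check would
                                    # still apply in sudo and are not modelled
    else:
        env = {k: v for k, v in caller_env.items() if k in BASE_VARS}
        for name, value in caller_env.items():
            if _listed(name, env_keep) or (_listed(name, env_check) and _passes_env_check(value)):
                env[name] = value
        env.update(env_file_vars or {})
    env.update(sudo_vars or {})
    if secure_path is not None:
        env["PATH"] = secure_path
    env.update(cmdline_vars or {})  # bypasses env_check/env_delete/env_keep
    return env


# Constructed invoking-user environment (not captured from a real session).
CALLER_ENV = {
    "TERM": "xterm-256color",
    "PATH": "/home/alice/bin:/usr/local/bin:/usr/bin",
    "HOME": "/home/alice",
    "SHELL": "/bin/bash",
    "LANG": "en_US.UTF-8",
    "LC_TIME": "C",
    "LC_ALL": "../../tmp/payload",    # fails env_check: contains '/'
    "LD_PRELOAD": "/tmp/evil.so",     # on no list, so dropped
    "EDITOR": "vim",                  # on no list, so dropped
}
SECURE_PATH = "/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"


def demo_env_reset():
    """Defaults env_reset, env_keep += "LANG", env_check += "LC_*", secure_path."""
    return build_environment(CALLER_ENV, env_keep=["LANG"], env_check=["LC_*"],
                             secure_path=SECURE_PATH,
                             sudo_vars={"SUDO_USER": "alice", "SUDO_UID": "1000"})


def demo_setenv_bypass():
    """With SETENV, 'sudo LC_ALL=../../tmp/payload cmd' gets the value through."""
    return build_environment(CALLER_ENV, env_keep=["LANG"], env_check=["LC_*"],
                             setenv=True, cmdline_vars={"LC_ALL": "../../tmp/payload"})


def cmdline_vars_need_setenv():
    try:
        build_environment(CALLER_ENV, cmdline_vars={"X": "1"})
    except PermissionError:
        return True
    return False
```

     demo_env_reset() keeps LANG (env_keep) and LC_TIME (env_check, clean
     value), drops LC_ALL because its value contains a slash, drops
     LD_PRELOAD and EDITOR because nothing lists them, and replaces PATH with
     secure_path.  demo_setenv_bypass() shows why the text restricts SETENV
     to trusted users: the same rejected LC_ALL value goes straight through
     when it is given on the command line.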
shell_noargs    If set and sudo is invoked with no arguments it acts as if
                the -s option had been given. That is, it runs a shell as
                root (the shell is determined by the SHELL environment
                variable if it is set, falling back on the shell listed in
                the invoking user's /etc/passwd entry if not). This flag is
                off by default.

stay_setuid     Normally, when sudo executes a command the real and
                effective UIDs are set to the target user (root by
                default). This option changes that behavior such that the
                real UID is left as the invoking user's UID. In other
                words, this makes sudo act as a setuid wrapper. This can be
                useful on systems that disable some potentially dangerous
                functionality when a program is run setuid. This option is
                only effective on systems that support either the
                setreuid(2) or setresuid(2) system call. This flag is off
                by default.

targetpw        If set, sudo will prompt for the password of the user
                specified by the -u option (defaults to root) instead of
                the password of the invoking user. In addition, the time
                stamp file name will include the target user's name. Note
                that this flag precludes the use of a uid not listed in
                the passwd database as an argument to the -u option. This
                flag is off by default.

tty_tickets     If set, users must authenticate on a per-tty basis. With
                this flag enabled, sudo will use a file named for the tty
                the user is logged in on in the user's time stamp
                directory. If disabled, the time stamp of the directory is
                used instead. This flag is on by default.

umask_override  If set, sudo will set the umask as specified by sudoers
                without modification. This makes it possible to specify a
                more permissive umask in sudoers than the user's own umask
                and matches historical behavior. If umask_override is not
                set, sudo will set the umask to be the union of the user's
                umask and what is specified in sudoers. This flag is off
                by default.

use_loginclass  If set, sudo will apply the defaults specified for the
                target user's login class if one exists. Only available if
                sudo is configured with the --with-logincap option. This
                flag is off by default.

use_pty         If set, sudo will run the command in a pseudo-pty even if
                no I/O logging is being done. A malicious program run
                under sudo could conceivably fork a background process
                that retains access to the user's terminal device after
                the main program has finished executing. Use of this
                option will make that impossible. This flag is off by
                default.

utmp_runas      If set, sudo will store the name of the runas user when
                updating the utmp (or utmpx) file. By default, sudo stores
                the name of the invoking user. This flag is off

visiblepw       By default, sudo will refuse to run if the user must enter
                a password but it is not possible to disable echo on the
                terminal. If the visiblepw flag is set, sudo will prompt
                for a password even when it would be visible on the
                screen. This makes it possible to run things like ``ssh
                somehost sudo ls'' since by default, ssh(1) does not
                allocate a tty when running a command. This flag is off by
                default.

Integers:

closefrom       Before it executes a command, sudo will close all open
                file descriptors other than standard input, standard
                output and standard error (i.e., file descriptors 0-2).
                The closefrom option can be used to specify a different
                file descriptor at which to start closing. The default

passwd_tries    The number of tries a user gets to enter his/her password
                before sudo logs the failure and exits. The

Integers that can be used in a boolean context:

loglinelen      Number of characters per line for the file log. This value
                is used to decide when to wrap lines for nicer log files.
                This has no effect on the syslog log file, only the file
                log. The default is 80 (use 0 or negate the option to
                disable word wrap).

passwd_timeout  Number of minutes before the sudo password prompt times
                out, or 0 for no timeout. The timeout may include a
                fractional component if minute granularity is
                insufficient, for example 2.5. The default is 5.

                Number of minutes that can elapse before sudo will ask for
                a password again. The timeout may include a fractional
                component if minute granularity is insufficient, for
                example 2.5. The default is 5. Set this to 0 to always
                prompt for a password. If set to a value less than 0 the
                user's time stamp will never expire. This can be used to
                allow users to create or delete their own time stamps via
                ``sudo -v'' and ``sudo

umask           Umask to use when running the command. Negate this option
                or set it to 0777 to preserve the user's umask. The actual
                umask that is used will be the union of the user's umask
                and the value of the umask option, which defaults to 0022.
                This guarantees that sudo never lowers the umask when
                running a command. Note: on systems that use PAM, the
                default PAM configuration may specify its own umask which
                will override the value set in sudoers.
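The interaction of the umask option, the umask_override flag and the user's own umask, as an added example (not sudo's own code): it computes the umask a sudo-run command ends up with and flags the one configuration that can loosen it.

```python
from typing import Optional

DEFAULT_SUDOERS_UMASK = 0o022   # the umask option's documented default
PRESERVE_USER_UMASK = 0o777     # umask=0777 (or a negated umask) keeps the user's own


def effective_umask(user_umask: int,
                    sudoers_umask: Optional[int] = DEFAULT_SUDOERS_UMASK,
                    umask_override: bool = False) -> int:
    """umask the command runs with; sudoers_umask=None models a negated option."""
    if sudoers_umask is None or sudoers_umask == PRESERVE_USER_UMASK:
        return user_umask & 0o777                    # user's umask preserved
    if umask_override:
        return sudoers_umask & 0o777                 # sudoers value taken as-is
    return (user_umask | sudoers_umask) & 0o777      # union: never looser than either


def created_mode(requested: int, umask: int) -> int:
    """Permission bits a file created with mode `requested` ends up with."""
    return requested & ~umask & 0o777


def umask_loosened(user_umask: int, sudoers_umask: Optional[int],
                   umask_override: bool) -> bool:
    """True when a sudo-run command may create files more permissive than the
    invoking user's own umask allows (in this model only umask_override can do that;
    a PAM-supplied umask, mentioned above, is outside the model)."""
    eff = effective_umask(user_umask, sudoers_umask, umask_override)
    return (user_umask & ~eff & 0o777) != 0
```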
Strings:

badpass_message Message that is displayed if a user enters an incorrect
                password. The default is Sorry, try again. unless insults
                are enabled.

editor          A colon (`:') separated list of editors allowed to be used
                with visudo. visudo will choose the editor that matches
                the user's EDITOR environment variable if possible, or the
                first editor in the list that exists and is executable.
                The default is vi.

iolog_dir       The top-level directory to use when constructing the path
                name for the input/output log directory. Only used if the
                log_input or log_output options are enabled or when the
                LOG_INPUT or LOG_OUTPUT tags are present for a command.
                The session sequence number, if any, is stored in the
                directory. The default is /var/log/sudo-io.

                The following percent (`%') escape sequences are

                    expanded to a monotonically increasing base-36
                    sequence number, such as 0100A5, where every two
                    digits are used to form a new directory, e.g.
                    01/00/A5

                    expanded to the invoking user's login name

                    expanded to the name of the invoking user's real

                    expanded to the login name of the user the
                    command will be run as (e.g. root)

                    expanded to the group name of the user the
                    command will be run as (e.g. wheel)

                    expanded to the local host name without the

                    expanded to the base name of the command being

                In addition, any escape sequences supported by the
                system's strftime(3) function will be expanded.

                To include a literal `%' character, the string `%%'

iolog_file      The path name, relative to iolog_dir, in which to store
                input/output logs when the log_input or log_output options
                are enabled or when the LOG_INPUT or LOG_OUTPUT tags are
                present for a command. Note that iolog_file may contain
                directory components. The default is

                See the iolog_dir option above for a list of supported
                percent (`%') escape sequences.

                In addition to the escape sequences, path names that end
                in six or more Xs will have the Xs replaced with a unique
                combination of digits and letters, similar to the
                mktemp(3) function.

                If the path created by concatenating iolog_dir and
                iolog_file already exists, the existing I/O log file will
                be truncated and overwritten unless iolog_file ends in six
                or more Xs.

limitprivs      The default Solaris limit privileges to use when
                constructing a new privilege set for a command. This
                bounds all privileges of the executing process. The
                default limit privileges may be overridden on a
                per-command basis in sudoers. This option is only
                available if sudoers is built on Solaris 10 or higher.

mailsub         Subject of the mail sent to the mailto user. The escape %h
                will expand to the host name of the machine. Default is
                ``*** SECURITY information for %h ***''.

maxseq          The maximum sequence number that will be substituted for
                the ``%{seq}'' escape in the I/O log file (see the
                iolog_dir description above for more information). While
                the value substituted for ``%{seq}'' is in base 36, maxseq
                itself should be expressed in decimal. Values larger than
                2176782336 (which corresponds to the base 36 sequence
                number ``ZZZZZZ'') will be silently truncated to
                2176782336. The default value is

                Once the local sequence number reaches the value of
                maxseq, it will ``roll over'' to zero, after which sudoers
                will truncate and re-use any existing I/O log

                This setting is only supported by version 1.8.7 or
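The %{seq} expansion described under iolog_dir and the maxseq clamp and roll-over described above, as one added example (not sudo's own code). It models only the escapes named on this page (%{seq}, %% and strftime(3)) plus the mktemp(3)-style XXXXXX suffix of iolog_file; the exact roll-over point (reaching maxseq resets to zero) is an assumption.

```python
import re
import secrets
import string
from datetime import datetime
from typing import Optional

MAXSEQ_LIMIT = 36 ** 6              # 2176782336, base-36 "ZZZZZZ"
_BASE36 = string.digits + string.ascii_uppercase


def clamp_maxseq(value: int) -> int:
    """maxseq values above ZZZZZZ are silently truncated to 2176782336."""
    return min(value, MAXSEQ_LIMIT)


def next_seq(current: int, maxseq: int) -> int:
    """Advance the local sequence number; assumption: reaching the (clamped)
    maxseq value rolls it over to zero."""
    nxt = current + 1
    return 0 if nxt >= clamp_maxseq(maxseq) else nxt


def seq_to_base36(seq: int) -> str:
    """Six-character, zero-padded, upper-case base-36 rendering, e.g. 0100A5."""
    if not 0 <= seq < MAXSEQ_LIMIT:
        raise ValueError("sequence number out of range")
    out = ""
    for _ in range(6):
        seq, rem = divmod(seq, 36)
        out = _BASE36[rem] + out
    return out


def seq_to_dirs(seq: int) -> str:
    """Every two base-36 digits form a directory: 0100A5 -> 01/00/A5."""
    s = seq_to_base36(seq)
    return "/".join(s[i:i + 2] for i in range(0, 6, 2))


def expand_iolog_path(iolog_dir: str, iolog_file: str, seq: int, now: datetime,
                      fill: Optional[str] = None) -> str:
    """Build iolog_dir/iolog_file: expand %{seq}, then strftime(3) escapes
    (which also turns %% into a literal %), then replace a trailing run of
    six or more Xs with random digits and letters. `fill` overrides the
    random part so results can be checked deterministically."""
    path = iolog_dir.rstrip("/") + "/" + iolog_file
    path = path.replace("%{seq}", seq_to_dirs(seq))
    path = now.strftime(path)
    m = re.search(r"X{6,}$", path)
    if m:
        alphabet = string.ascii_letters + string.digits
        if fill is None:
            fill = "".join(secrets.choice(alphabet) for _ in m.group())
        path = path[:m.start()] + fill
    return path
```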
noexec_file     As of sudo version 1.8.1 this option is no longer
                supported. The path to the noexec file should now be set
                in the sudo.conf(4) file.

passprompt      The default prompt to use when asking for a password; can
                be overridden via the -p option or the SUDO_PROMPT
                environment variable. The following percent (`%') escape
                sequences are supported:

                %H  expanded to the local host name including the domain
                    name (only if the machine's host name is fully
                    qualified or the fqdn option is set)

                %h  expanded to the local host name without the

                %p  expanded to the user whose password is being asked
                    for (respects the rootpw, targetpw and runaspw flags
                    in sudoers)

                %U  expanded to the login name of the user the command
                    will be run as (defaults to root)

                %u  expanded to the invoking user's login name

                %%  two consecutive % characters are collapsed into a

                The default value is ``Password:''.

privs           The default Solaris privileges to use when constructing a
                new privilege set for a command. This is passed to the
                executing process via the inherited privilege set, but is
                bounded by the limit privileges. If the privs option is
                specified but the limitprivs option is not, the limit
                privileges of the executing process are set to privs. The
                default privileges may be overridden on a per-command
                basis in sudoers. This option is only available if sudoers
                is built on Solaris 10 or higher.

role            The default SELinux role to use when constructing a new
                security context to run the command. The default role may
                be overridden on a per-command basis in sudoers or via
                command line options. This option is only available when
                sudo is built with SELinux support.

runas_default   The default user to run commands as if the -u option is
                not specified on the command line. This defaults to

syslog_badpri   Syslog priority to use when user authenticates
                unsuccessfully. Defaults to alert.

                The following syslog priorities are supported: alert,
                crit, debug, emerg, err, info, notice, and warning.

syslog_goodpri  Syslog priority to use when user authenticates
                successfully. Defaults to notice.

                See syslog_badpri for the list of supported syslog

sudoers_locale  Locale to use when parsing the sudoers file, logging
                commands, and sending email. Note that changing the locale
                may affect how sudoers is interpreted. Defaults

timestampdir    The directory in which sudo stores its time stamp files.
                The default is /var/adm/sudo.

timestampowner  The owner of the time stamp directory and the time stamps
                stored therein. The default is root.

type            The default SELinux type to use when constructing a new
                security context to run the command. The default type may
                be overridden on a per-command basis in sudoers or via
                command line options. This option is only available when
                sudo is built with SELinux support.
Strings that can be used in a boolean context:

env_file        The env_file option specifies the fully qualified path to
                a file containing variables to be set in the environment
                of the program being run. Entries in this file should
                either be of the form ``VARIABLE=value'' or ``export
                VARIABLE=value''. The value may optionally be surrounded
                by single or double quotes. Variables in this file are
                subject to other sudo environment settings such as
                env_keep and env_check.

exempt_group    Users in this group are exempt from password and PATH
                requirements. The group name specified should not include
                a % prefix. This is not set by default.

group_plugin    A string containing a sudoers group plugin with optional
                arguments. The string should consist of the plugin path,
                either fully-qualified or relative to the
                /usr/local/libexec/sudo directory, followed by any
                configuration arguments the plugin requires. These
                arguments (if any) will be passed to the plugin's
                initialization function. If arguments are present, the
                string must be enclosed in double quotes ("").

                For more information see GROUP PROVIDER PLUGINS.

lecture         This option controls when a short lecture will be printed
                along with the password prompt. It has the following

                always  Always lecture the user.

                never   Never lecture the user.

                once    Only lecture the user the first time they run
                        sudo.

                If no value is specified, a value of once is implied.
                Negating the option results in a value of never being
                used. The default value is once.

lecture_file    Path to a file containing an alternate sudo lecture that
                will be used in place of the standard lecture if the named
                file exists. By default, sudo uses a built-in lecture.

listpw          This option controls when a password will be required when
                a user runs sudo with the -l option. It has the following

                all     All the user's sudoers entries for the current
                        host must have the NOPASSWD flag set to avoid
                        entering a password.

                always  The user must always enter a password to use the

                any     At least one of the user's sudoers entries for
                        the current host must have the NOPASSWD flag set
                        to avoid entering a password.

                never   The user need never enter a password to use the

                If no value is specified, a value of any is implied.
                Negating the option results in a value of never being
                used. The default value is any.

logfile         Path to the sudo log file (not the syslog log file).
                Setting a path turns on logging to a file; negating this
                option turns it off. By default, sudo logs via syslog.

mailerflags     Flags to use when invoking mailer. Defaults to -t.

mailerpath      Path to mail program used to send warning mail. Defaults
                to the path to sendmail found at configure time.

mailfrom        Address to use for the ``from'' address when sending
                warning and error mail. The address should be enclosed in
                double quotes ("") to protect against sudo interpreting
                the @ sign. Defaults to the name of the user running sudo.

mailto          Address to send warning and error mail to. The address
                should be enclosed in double quotes ("") to protect
                against sudo interpreting the @ sign. Defaults to root.

secure_path     Path used for every command run from sudo. If you don't
                trust the people running sudo to have a sane PATH
                environment variable you may want to use this. Another use
                is if you want to have the ``root path'' be separate from
                the ``user path''. Users in the group specified by the
                exempt_group option are not affected by secure_path. This
                option is not set by default.

syslog          Syslog facility if syslog is being used for logging
                (negate to disable syslog logging). Defaults to auth.

                The following syslog facilities are supported: authpriv
                (if your OS supports it), auth, daemon, user, local0,
                local1, local2, local3, local4, local5, local6, and
                local7.

verifypw        This option controls when a password will be required when
                a user runs sudo with the -v option. It has the following

                all     All the user's sudoers entries for the current
                        host must have the NOPASSWD flag set to avoid
                        entering a

                always  The user must always enter a password to use the
                        -v

                any     At least one of the user's sudoers entries for
                        the current host must have the NOPASSWD flag set
                        to avoid entering a password.

                never   The user need never enter a password to use the
                        -v

                If no value is specified, a value of all is implied.
                Negating the option results in a value of never being
                used. The default value is all.
Lists that can be used in a boolean context:

env_check       Environment variables to be removed from the user's
                environment if the variable's value contains `%' or `/'
                characters. This can be used to guard against
                printf-style format vulnerabilities in poorly-written
                programs. The argument may be a double-quoted,
                space-separated list or a single value without
                double-quotes. The list can be replaced, added to, deleted
                from, or disabled by using the =, +=, -=, and ! operators
                respectively. Regardless of whether the env_reset option
                is enabled or disabled, variables specified by env_check
                will be preserved in the environment if they pass the
                aforementioned check. The default list of environment
                variables to check is displayed when sudo is run by root
                with the -V option.

env_delete      Environment variables to be removed from the user's
                environment when the env_reset option is not in effect.
                The argument may be a double-quoted, space-separated list
                or a single value without double-quotes. The list can be
                replaced, added to, deleted from, or disabled by using the
                =, +=, -=, and ! operators respectively. The default list
                of environment variables to remove is displayed when sudo
                is run by root with the -V option. Note that many
                operating systems will remove potentially dangerous
                variables from the environment of any setuid process (such
                as sudo).

env_keep        Environment variables to be preserved in the user's
                environment when the env_reset option is in effect. This
                allows fine-grained control over the environment
                sudo-spawned processes will receive. The argument may be a
                double-quoted, space-separated list or a single value
                without double-quotes. The list can be replaced, added to,
                deleted from, or disabled by using the =, +=, -=, and !
                operators respectively. The default list of variables to
                keep is displayed when sudo is run by root with the -V
                option.
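A model of the three lists above and their =, +=, -= and ! operators, as an added example (not sudo's own code): it applies Defaults lines to the lists and then derives the environment a command receives with env_reset on or off. The starting lists and the user environment are constructed; variables sudo itself always sets under env_reset (PATH and the like) are outside the model.

```python
import re
from typing import Dict, Set

# A Defaults line editing one of the lists: "=", "+=", "-=", or a leading "!"
# that disables the list. Values may be bare or double-quoted.
_LIST_RE = re.compile(
    r'^Defaults\s+(!?)(env_keep|env_check|env_delete)'
    r'(?:\s*(\+=|-=|=)\s*"?([^"]*?)"?)?\s*$')


def apply_defaults_line(lists: Dict[str, Set[str]], line: str) -> None:
    """Apply one Defaults line to the env_keep/env_check/env_delete lists."""
    m = _LIST_RE.match(line)
    if not m:
        raise ValueError("not an env list Defaults line: " + line)
    negated, name, op, arg = m.groups()
    if negated:
        lists[name] = set()            # "!env_keep": list disabled
        return
    items = set((arg or "").split())
    if op == "=":
        lists[name] = items            # replace
    elif op == "+=":
        lists[name] |= items           # add to
    elif op == "-=":
        lists[name] -= items           # delete from
    else:
        raise ValueError("missing operator: " + line)


def env_check_passes(value: str) -> bool:
    """env_check keeps a variable only if its value contains no '%' or '/'."""
    return "%" not in value and "/" not in value


def build_environment(user_env: Dict[str, str], env_reset: bool,
                      lists: Dict[str, Set[str]]) -> Dict[str, str]:
    """Environment handed to the command. Modelling choice: a variable listed in
    env_check is governed by the check alone, whether or not env_reset is set."""
    keep, check, delete = lists["env_keep"], lists["env_check"], lists["env_delete"]
    result: Dict[str, str] = {}
    for name, value in user_env.items():
        if name in check:
            if env_check_passes(value):
                result[name] = value   # preserved regardless of env_reset
            continue
        if env_reset:
            if name in keep:
                result[name] = value   # only env_keep survives a reset
        elif name not in delete:
            result[name] = value       # everything but env_delete survives
    return result
```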
GROUP PROVIDER PLUGINS
     The sudoers plugin supports its own plugin interface to allow non-Unix
     group lookups which can query a group source other than the standard
     Unix group database. This can be used to implement support for the
     nonunix_group syntax described earlier.

     Group provider plugins are specified via the group_plugin Defaults
     setting. The argument to group_plugin should consist of the plugin path,
     either fully-qualified or relative to the /usr/local/libexec/sudo
     directory, followed by any configuration options the plugin requires.
     These options (if specified) will be passed to the plugin's
     initialization function. If options are present, the string must be
     enclosed in double quotes ("").

     The following group provider plugins are installed by default:

          The group_file plugin supports an alternate group file that uses
          the same syntax as the /etc/group file. The path to the group file
          should be specified as an option to the plugin. For example, if the
          group file to be used is /etc/sudo-group:

              Defaults group_plugin="group_file.so /etc/sudo-group"

          The system_group plugin supports group lookups via the standard C
          library functions getgrnam() and getgrgid(). This plugin can be
          used in instances where the user belongs to groups not present in
          the user's supplemental group vector. This plugin

              Defaults group_plugin=system_group.so

     The group provider plugin API is described in detail in sudo_plugin(1m).
LOG FORMAT
     sudoers can log events using either syslog(3) or a simple log file. In
     each case the log format is almost identical.

   Accepted command log entries
     Commands that sudo runs are logged using the following format (split
     into multiple lines for readability):

         date hostname progname: username : TTY=ttyname ; PWD=cwd ; \
             USER=runasuser ; GROUP=runasgroup ; TSID=logid ; \
             ENV=env_vars COMMAND=command

     Where the fields are as follows:

     date         The date the command was run. Typically, this is in the
                  format ``MMM, DD, HH:MM:SS''. If logging via syslog(3),
                  the actual date format is controlled by the syslog daemon.
                  If logging to a file and the log_year option is enabled,
                  the date will also include the year.

     hostname     The name of the host sudo was run on. This field is only
                  present when logging via syslog(3).

     progname     The name of the program, usually sudo or sudoedit. This
                  field is only present when logging via syslog(3).

     username     The login name of the user who ran sudo.

     ttyname      The short name of the terminal (e.g. ``console'',
                  ``tty01'', or ``pts/0'') sudo was run on, or ``unknown''
                  if there was no terminal present.

     cwd          The current working directory that sudo was run in.

     runasuser    The user the command was run as.

     runasgroup   The group the command was run as if one was specified on

     logid        An I/O log identifier that can be used to replay the
                  command's output. This is only present when the log_input
                  or log_output option is enabled.

     env_vars     A list of environment variables specified on the command

     command      The actual command that was executed.

     Messages are logged using the locale specified by sudoers_locale, which
     defaults to the ``C'' locale.
   Denied command log entries
     If the user is not allowed to run the command, the reason for the denial
     will follow the user name. Possible reasons include:

         The user is not listed in the sudoers file.

     user NOT authorized on host
         The user is listed in the sudoers file but is not allowed to run
         commands on the host.

         The user is listed in the sudoers file for the host but they are
         not allowed to run the specified command.

     3 incorrect password attempts
         The user failed to enter their password after 3 tries. The actual
         number of tries will vary based on the number of failed attempts
         and the value of the passwd_tries option.

     a password is required
         sudo's -n option was specified but a password was required.

     sorry, you are not allowed to set the following environment variables
         The user specified environment variables on the command line that
         were not allowed by sudoers.
   Error log entries
     If an error occurs, sudoers will log a message and, in most cases, send
     a message to the administrator via email. Possible errors include:

     parse error in /etc/sudoers near line N
         sudoers encountered an error when parsing the specified file. In
         some cases, the actual error may be one line above or below the
         line number listed, depending on the type of error.

     problem with defaults entries
         The sudoers file contains one or more unknown Defaults settings.
         This does not prevent sudo from running, but the sudoers file
         should be checked using visudo.

     timestamp owner (username): No such user
         The time stamp directory owner, as specified by the timestampowner
         setting, could not be found in the password database.

     unable to open/read /etc/sudoers
         The sudoers file could not be opened for reading. This can happen
         when the sudoers file is located on a remote file system that maps
         user ID 0 to a different value. Normally, sudoers tries to open
         sudoers using group permissions to avoid this problem. Consider
         either changing the ownership of /etc/sudoers or adding an argument
         like ``sudoers_uid=N'' (where `N' is the user ID that owns the
         sudoers file) to the end of the sudoers Plugin line in the
         sudo.conf(4) file.

     unable to stat /etc/sudoers
         The /etc/sudoers file is missing.

     /etc/sudoers is not a regular file
         The /etc/sudoers file exists but is not a regular file or symbolic

     /etc/sudoers is owned by uid N, should be 0
         The sudoers file has the wrong owner. If you wish to change the
         sudoers file owner, please add ``sudoers_uid=N'' (where `N' is the
         user ID that owns the sudoers file) to the sudoers Plugin line in
         the

     /etc/sudoers is world writable
         The permissions on the sudoers file allow all users to write to
         it. The sudoers file must not be world-writable; the default file
         mode is 0440 (readable by owner and group, writable by none). The
         default mode may be changed via the ``sudoers_mode'' option to the
         sudoers Plugin line in the sudo.conf(4) file.

     /etc/sudoers is owned by gid N, should be 1
         The sudoers file has the wrong group ownership. If you wish to
         change the sudoers file group ownership, please add
         ``sudoers_gid=N'' (where `N' is the group ID that owns the sudoers
         file) to the sudoers Plugin line in the sudo.conf(4) file.

     unable to open /var/adm/sudo/username/ttyname
         sudoers was unable to read or create the user's time stamp file.

     unable to write to /var/adm/sudo/username/ttyname
         sudoers was unable to write to the user's time stamp file.

     unable to mkdir to /var/adm/sudo/username
         sudoers was unable to create the user's time stamp directory.
   Notes on logging via syslog
     By default, sudoers logs messages via syslog(3). The date, hostname,
     and progname fields are added by the syslog daemon, not sudoers itself.
     As such, they may vary in format on different systems.

     On most systems, syslog(3) has a relatively small log buffer. To
     prevent the command line arguments from being truncated, sudoers will
     split up log messages that are larger than 960 characters (not
     including the date, hostname, and the string ``sudo''). When a message
     is split, additional parts will include the string ``(command
     continued)'' after the user name and before the continued command line
     arguments.
   Notes on logging to a file
     If the logfile option is set, sudoers will log to a local file, such as
     /var/log/sudo.  When logging to a file, sudoers uses a format similar to
     syslog(3), with a few important differences:

     1.   The progname and hostname fields are not present.

     2.   If the log_year option is enabled, the date will also include the

     3.   Lines that are longer than loglinelen characters (80 by default) are
          word-wrapped and continued on the next line with a four character
          indent.  This makes entries easier to read for a human being, but
          makes it more difficult to use grep(1) on the log files.  If the
          loglinelen option is set to 0 (or negated with a `!'), word wrap
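     Both formats can be normalised back into one entry per command before
     searching them.  The following is an added example, not part of this
     manual or of sudo; its log lines are constructed, and it assumes that a
     split syslog message was broken at a space:

```python
"""Normalise sudoers log lines so a whole command can be matched by one grep.

Added example, not code from the sudoers manual or the sudo project.  The
sample lines are constructed; the date/hostname/progname prefix is added by
the syslog daemon and varies, so parsing keys on the "sudo:" token (syslog)
and on the four-space continuation indent (logfile) instead.
"""
import re
from typing import Dict, List

CONTINUED = "(command continued) "

# Constructed syslog sample: one entry split by the 960-character limit into
# three parts, followed by an unrelated single-part entry.
SYSLOG_SAMPLE = [
    "Apr 30 10:11:12 bigtime sudo:  millert : TTY=pts/0 ; PWD=/home/millert ;"
    " USER=root ; COMMAND=/usr/sbin/dump 0uf /dev/nst0 /dev/sda1 /dev/sda2",
    "Apr 30 10:11:12 bigtime sudo:  millert : (command continued) /dev/sda3",
    "Apr 30 10:11:12 bigtime sudo:  millert : (command continued) /dev/sda4",
    "Apr 30 10:12:00 bigtime sudo:  bostley : TTY=pts/1 ; PWD=/tmp ;"
    " USER=root ; COMMAND=/usr/bin/kill 123",
]

# Constructed logfile sample (logfile set, loglinelen left at 80): long entries
# are word-wrapped, with continued lines indented by four characters.
LOGFILE_SAMPLE = [
    "Apr 30 10:11:12 : millert : TTY=pts/0 ; PWD=/home/millert ; USER=root ;",
    "    COMMAND=/usr/sbin/dump 0uf /dev/nst0 /dev/sda1 /dev/sda2 /dev/sda3",
    "    /dev/sda4",
    "Apr 30 10:12:00 : bostley : TTY=pts/1 ; PWD=/tmp ; USER=root ;",
    "    COMMAND=/usr/bin/kill 123",
]


def reassemble_syslog(lines: List[str]) -> List[str]:
    """Glue "(command continued)" parts back onto the entry they belong to.

    Assumes the split fell on a space, so parts are re-joined with one space.
    """
    entries: List[str] = []
    for line in lines:
        _prefix, _, body = line.partition("sudo:")
        body = body.strip()
        user, _, rest = body.partition(" : ")
        if rest.startswith(CONTINUED):
            if not entries or not entries[-1].startswith(user + " : "):
                raise ValueError("continuation without a preceding entry: " + line)
            entries[-1] += " " + rest[len(CONTINUED):]
        else:
            entries.append(body)
    return entries


def unwrap_logfile(lines: List[str]) -> List[str]:
    """Undo loglinelen word-wrapping: an indented line continues the previous."""
    entries: List[str] = []
    for line in lines:
        if line.startswith("    ") and entries:
            entries[-1] += " " + line.strip()
        else:
            entries.append(line.rstrip())
    return entries


# KEY=value fields separated by " ; "; COMMAND runs to the end of the entry.
FIELD_RE = re.compile(r"(TTY|PWD|USER|COMMAND)=(.*?)(?= ; [A-Z]+=|$)")


def parse_fields(entry: str) -> Dict[str, str]:
    """Return the TTY/PWD/USER/COMMAND fields of one normalised entry."""
    return dict(FIELD_RE.findall(entry))
```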
FILES
     /etc/sudo.conf            Sudo front end configuration

     /etc/sudoers              List of who can run what

     /etc/group                Local groups file

     /etc/netgroup             List of network groups

     /var/log/sudo-io          I/O log files

     /var/adm/sudo             Directory containing time stamps for the
                               sudoers security policy

     /etc/environment          Initial environment for -i mode on AIX and
EXAMPLES
     Below are example sudoers entries.  Admittedly, some of these are a bit
     contrived.  First, we allow a few environment variables to pass and then
     define our aliases:

           # Run X applications through sudo; HOME is used to find the
           # .Xauthority file.  Note that other programs use HOME to find
           # configuration files and this may lead to privilege escalation!
           Defaults env_keep += "DISPLAY HOME"

           # User alias specification
           User_Alias     FULLTIMERS = millert, mikef, dowdy
           User_Alias     PARTTIMERS = bostley, jwfox, crawl
           User_Alias     WEBMASTERS = will, wendy, wim

           # Runas alias specification
           Runas_Alias    OP = root, operator
           Runas_Alias    DB = oracle, sybase
           Runas_Alias    ADMINGRP = adm, oper

           # Host alias specification
           Host_Alias     SPARC = bigtime, eclipse, moet, anchor :\
                          SGI = grolsch, dandelion, black :\
                          ALPHA = widget, thalamus, foobar :\
                          HPPA = boa, nag, python
           Host_Alias     CUNETS = 128.138.0.0/255.255.0.0
           Host_Alias     CSNETS = 128.138.243.0, 128.138.204.0/24, 128.138.242.0
           Host_Alias     SERVERS = master, mail, www, ns
           Host_Alias     CDROM = orion, perseus, hercules

           # Cmnd alias specification
           Cmnd_Alias     DUMPS = /usr/bin/mt, /usr/sbin/dump, /usr/sbin/rdump,\
                                  /usr/sbin/restore, /usr/sbin/rrestore,\
                                  sha224:0GomF8mNN3wlDt1HD9XldjJ3SNgpFdbjO1+NsQ== \
                                  /home/operator/bin/start_backups
           Cmnd_Alias     KILL = /usr/bin/kill
           Cmnd_Alias     PRINTING = /usr/sbin/lpc, /usr/bin/lprm
           Cmnd_Alias     SHUTDOWN = /usr/sbin/shutdown
           Cmnd_Alias     HALT = /usr/sbin/halt
           Cmnd_Alias     REBOOT = /usr/sbin/reboot
           Cmnd_Alias     SHELLS = /usr/bin/sh, /usr/bin/csh, /usr/bin/ksh,\
                                   /usr/local/bin/tcsh, /usr/bin/rsh,\
           Cmnd_Alias     SU = /usr/bin/su
           Cmnd_Alias     PAGERS = /usr/bin/more, /usr/bin/pg, /usr/bin/less

     Here we override some of the compiled-in default values.  We want sudo to
     log via syslog(3) using the auth facility in all cases.  We don't want to
     subject the full time staff to the sudo lecture, user millert need not
     give a password, and we don't want to reset the LOGNAME, USER or USERNAME
     environment variables when running commands as root.  Additionally, on
     the machines in the SERVERS Host_Alias, we keep an additional local log
     file and make sure we log the year in each log line since the log entries
     will be kept around for several years.  Lastly, we disable shell escapes
     for the commands in the PAGERS Cmnd_Alias (/usr/bin/more, /usr/bin/pg and
     /usr/bin/less).

           # Override built-in defaults
           Defaults               syslog=auth
           Defaults>root          !set_logname
           Defaults:FULLTIMERS    !lecture
           Defaults:millert       !authenticate
           Defaults@SERVERS       log_year, logfile=/var/log/sudo.log
           Defaults!PAGERS        noexec

     The User specification is the part that actually determines who may run

           root           ALL = (ALL) ALL
           %wheel         ALL = (ALL) ALL

     We let root and any user in group wheel run any command on any host as

           FULLTIMERS     ALL = NOPASSWD: ALL

     Full time sysadmins (millert, mikef, and dowdy) may run any command on
     any host without authenticating themselves.

           PARTTIMERS     ALL = ALL

     Part time sysadmins (bostley, jwfox, and crawl) may run any command on any
     host but they must authenticate themselves first (since the entry lacks

     The user jack may run any command on the machines in the CSNETS alias
     (the networks 128.138.243.0, 128.138.204.0, and 128.138.242.0).  Of those
     networks, only 128.138.204.0 has an explicit netmask (in CIDR notation)
     indicating it is a class C network.  For the other networks in CSNETS,
     the local machine's netmask will be used during matching.

     The user lisa may run any command on any host in the CUNETS alias (the
     class B network 128.138.0.0).

           operator       ALL = DUMPS, KILL, SHUTDOWN, HALT, REBOOT, PRINTING,\
                          sudoedit /etc/printcap, /usr/oper/bin/

     The operator user may run commands limited to simple maintenance.  Here,
     those are commands related to backups, killing processes, the printing
     system, shutting down the system, and any commands in the directory
     /usr/oper/bin/.  Note that one command in the DUMPS Cmnd_Alias includes a
     sha224 digest, /home/operator/bin/start_backups.  This is because the
     directory containing the script is writable by the operator user.  If the
     script is modified (resulting in a digest mismatch) it will no longer be
     possible to run it via sudo.

           joe            ALL = /usr/bin/su operator

     The user joe may only su(1) to operator.

           pete           HPPA = /usr/bin/passwd [A-Za-z]*, !/usr/bin/passwd root

           %opers         ALL = (: ADMINGRP) /usr/sbin/

     Users in the opers group may run commands in /usr/sbin/ as themselves
     with any group in the ADMINGRP Runas_Alias (the adm and oper groups).

     The user pete is allowed to change anyone's password except for root on
     the HPPA machines.  Note that this assumes passwd(1) does not take
     multiple user names on the command line.

           bob            SPARC = (OP) ALL : SGI = (OP) ALL

     The user bob may run anything on the SPARC and SGI machines as any user
     listed in the OP Runas_Alias (root and operator).

     The user jim may run any command on machines in the biglab netgroup.
     sudo knows that ``biglab'' is a netgroup due to the `+' prefix.

           +secretaries   ALL = PRINTING, /usr/bin/adduser, /usr/bin/rmuser

     Users in the secretaries netgroup need to help manage the printers as
     well as add and remove users, so they are allowed to run those commands

           fred           ALL = (DB) NOPASSWD: ALL

     The user fred can run commands as any user in the DB Runas_Alias (oracle
     or sybase) without giving a password.

           john           ALPHA = /usr/bin/su [!-]*, !/usr/bin/su *root*

     On the ALPHA machines, user john may su to anyone except root but he is
     not allowed to specify any options to the su(1) command.

           jen            ALL, !SERVERS = ALL

     The user jen may run any command on any machine except for those in the
     SERVERS Host_Alias (master, mail, www and ns).

           jill           SERVERS = /usr/bin/, !SU, !SHELLS

     For any machine in the SERVERS Host_Alias, jill may run any commands in
     the directory /usr/bin/ except for those commands belonging to the SU and
     SHELLS Cmnd_Aliases.

           steve          CSNETS = (operator) /usr/local/op_commands/

     The user steve may run any command in the directory
     /usr/local/op_commands/ but only as user operator.

           matt           valkyrie = KILL

     On his personal workstation, valkyrie, matt needs to be able to kill hung

           WEBMASTERS     www = (www) ALL, (root) /usr/bin/su www

     On the host www, any user in the WEBMASTERS User_Alias (will, wendy, and
     wim) may run any command as user www (which owns the web pages) or
     simply su(1) to www.

           ALL            CDROM = NOPASSWD: /sbin/umount /CDROM,\
                          /sbin/mount -o nosuid,nodev /dev/cd0a /CDROM

     Any user may mount or unmount a CD-ROM on the machines in the CDROM
     Host_Alias (orion, perseus, hercules) without entering a password.  This
     is a bit tedious for users to type, so it is a prime candidate for
     encapsulating in a shell script.
SECURITY NOTES
   Limitations of the `!' operator
     It is generally not effective to ``subtract'' commands from ALL using the
     `!' operator.  A user can trivially circumvent this by copying the
     desired command to a different name and then executing that.  For

           bill           ALL = ALL, !SU, !SHELLS

     Doesn't really prevent bill from running the commands listed in SU or
     SHELLS since he can simply copy those commands to a different name, or
     use a shell escape from an editor or other program.  Therefore, these
     kinds of restrictions should be considered advisory at best (and
     reinforced by policy).

     In general, if a user has sudo ALL there is nothing to prevent them from
     creating their own program that gives them a root shell (or making their
     own copy of a shell) regardless of any `!' elements in the user

   Security implications of fast_glob
     If the fast_glob option is in use, it is not possible to reliably negate
     commands where the path name includes globbing (aka wildcard) characters.
     This is because the C library's fnmatch(3) function cannot resolve
     relative paths.  While this is typically only an inconvenience for rules
     that grant privileges, it can result in a security issue for rules that
     subtract or revoke privileges.

     For example, given the following sudoers entry:

           john           ALL = /usr/bin/passwd [a-zA-Z0-9]*, /usr/bin/chsh [a-zA-Z0-9]*,\
                                /usr/bin/chfn [a-zA-Z0-9]*, !/usr/bin/* root

     User john can still run /usr/bin/passwd root if fast_glob is enabled by
     changing to /usr/bin and running ./passwd root instead.
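     To make the mechanism visible, here is an added model (not sudoers' own
     matching code) of the two strategies the manual contrasts, glob(3)
     expansion versus fnmatch(3) on the typed string, replaying the john entry
     above against a temporary directory that stands in for /usr/bin:

```python
"""Why a `!` rule with a wildcard cannot be trusted under fast_glob.

Added illustration, not sudoers' own matching code: a simplified model of the
two strategies the manual contrasts, run against a throwaway directory that
stands in for /usr/bin (constructed so the script works unprivileged).
FNM_PATHNAME and digest matching are deliberately left out.
"""
import fnmatch
import glob
import os
import tempfile
from typing import Dict, List, Tuple

Rule = Tuple[bool, str, str]  # (negated, command pattern, argument pattern)


def same_file(a: str, b: str) -> bool:
    """File identity (device/inode) comparison; False if either is missing."""
    try:
        return os.path.samefile(a, b)
    except OSError:
        return False


def path_matches(pattern: str, typed: str, fast_glob: bool) -> bool:
    """Match the command path of a rule against what the user typed.

    A pattern without wildcards is compared by file identity, so "./passwd"
    typed inside /usr/bin still equals "/usr/bin/passwd".  With wildcards,
    fast_glob compares the typed string with fnmatch(3) and never touches the
    file system; the default instead expands the pattern with glob(3) and
    compares each expansion by identity.
    """
    if not any(c in pattern for c in "*?["):
        return same_file(pattern, typed)
    if fast_glob:
        return fnmatch.fnmatchcase(typed, pattern)
    return any(same_file(found, typed) for found in glob.glob(pattern))


def command_allowed(rules: List[Rule], cmd: str, args: str, fast_glob: bool) -> bool:
    """Evaluate a command list the way sudoers does: the last match wins."""
    allowed = False
    for negated, cmd_pattern, arg_pattern in rules:
        if path_matches(cmd_pattern, cmd, fast_glob) and fnmatch.fnmatchcase(args, arg_pattern):
            allowed = not negated
    return allowed


def demo() -> Dict[str, bool]:
    """Replay the manual's john entry with a temp dir standing in for /usr/bin."""
    with tempfile.TemporaryDirectory() as bindir:
        passwd = os.path.join(bindir, "passwd")
        open(passwd, "w").close()
        rules: List[Rule] = [
            (False, passwd, "[a-zA-Z0-9]*"),   # /usr/bin/passwd [a-zA-Z0-9]*
            (True, bindir + "/*", "root"),     # !/usr/bin/* root
        ]
        saved = os.getcwd()
        os.chdir(bindir)  # the manual's case: run "./passwd root" from /usr/bin
        try:
            return {
                "relative, fast_glob": command_allowed(rules, "./passwd", "root", True),
                "relative, glob": command_allowed(rules, "./passwd", "root", False),
                "absolute, fast_glob": command_allowed(rules, passwd, "root", True),
            }
        finally:
            os.chdir(saved)
```

     Only the first case is allowed: the negation is skipped because fnmatch(3)
     never sees the resolved path, while glob(3) expansion or an absolute path
     lets the `!' rule apply.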
   Preventing shell escapes
     Once sudo executes a program, that program is free to do whatever it
     pleases, including running other programs.  This can be a security issue
     since it is not uncommon for a program to allow shell escapes, which lets
     a user bypass sudo's access control and logging.  Common programs that
     permit shell escapes include shells (obviously), editors, paginators,
     mail and terminal programs.

     There are two basic approaches to this problem:

     restrict    Avoid giving users access to commands that allow the user to
                 run arbitrary commands.  Many editors have a restricted mode
                 where shell escapes are disabled, though sudoedit is a better
                 solution to running editors via sudo.  Due to the large number
                 of programs that offer shell escapes, restricting users to the
                 set of programs that do not is often unworkable.

     noexec      Many systems that support shared libraries have the ability to
                 override default library functions by pointing an environment
                 variable (usually LD_PRELOAD) to an alternate shared library.
                 On such systems, sudo's noexec functionality can be used to
                 prevent a program run by sudo from executing any other
                 programs.  Note, however, that this applies only to native
                 dynamically-linked executables.  Statically-linked executables
                 and foreign executables running under binary emulation are not

                 The noexec feature is known to work on SunOS, Solaris, *BSD,
                 Linux, IRIX, Tru64 UNIX, MacOS X, HP-UX 11.x and AIX 5.3 and
                 above.  It should be supported on most operating systems that
                 support the LD_PRELOAD environment variable.  Check your
                 operating system's manual pages for the dynamic linker (usually
                 ld.so, ld.so.1, dyld, dld.sl, rld, or loader) to see if
                 LD_PRELOAD is supported.

                 On Solaris 10 and higher, noexec uses Solaris privileges
                 instead of the LD_PRELOAD environment variable.

                 To enable noexec for a command, use the NOEXEC tag as
                 documented in the User Specification section above.  Here is

                       aaron          shanty = NOEXEC: /usr/bin/more, /usr/bin/vi

                 This allows user aaron to run /usr/bin/more and /usr/bin/vi
                 with noexec enabled.  This will prevent those two commands from
                 executing other commands (such as a shell).  If you are unsure
                 whether or not your system is capable of supporting noexec you
                 can always just try it out and check whether shell escapes work
                 when noexec is enabled.

     Note that restricting shell escapes is not a panacea.  Programs running
     as root are still capable of many potentially hazardous operations (such
     as changing or overwriting files) that could lead to unintended privilege
     escalation.  In the specific case of an editor, a safer approach is to
     give the user permission to run sudoedit.
   Time stamp file checks
     sudoers will check the ownership of its time stamp directory
     (/var/adm/sudo by default) and ignore the directory's contents if it is
     not owned by root or if it is writable by a user other than root.  On
     systems that allow non-root users to give away files via chown(2), if the
     time stamp directory is located in a world-writable directory (e.g.,
     /tmp), it is possible for a user to create the time stamp directory
     before sudo is run.  However, because sudoers checks the ownership and
     mode of the directory and its contents, the only damage that can be done
     is to ``hide'' files by putting them in the time stamp dir.  This is
     unlikely to happen since once the time stamp dir is owned by root and
     inaccessible by any other user, the user placing files there would be
     unable to get them back out.

     sudoers will not honor time stamps set far in the future.  Time stamps
     with a date greater than current_time + 2 * TIMEOUT will be ignored and
     sudo will log and complain.  This is done to keep a user from creating
     his/her own time stamp with a bogus date on systems that allow users to
     give away files if the time stamp directory is located in a world-

     On systems where the boot time is available, sudoers will ignore time
     stamps that date from before the machine booted.

     Since time stamp files live in the file system, they can outlive a user's
     login session.  As a result, a user may be able to login, run a command
     with sudo after authenticating, logout, login again, and run sudo without
     authenticating so long as the time stamp file's modification time is
     within 5 minutes (or whatever the timeout is set to in sudoers).  When
     the tty_tickets option is enabled, the time stamp has per-tty granularity
     but still may outlive the user's session.  On Linux systems where the
     devpts filesystem is used, Solaris systems with the devices filesystem,
     as well as other systems that utilize a devfs filesystem that
     monotonically increases the inode number of devices as they are created
     (such as Mac OS X), sudoers is able to determine when a tty-based time
     stamp file is stale and will ignore it.  Administrators should not rely
     on this feature as it is not universally available.
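     The checks described in this section, collected into a small audit
     helper.  This is an added example rather than sudo's implementation; it
     assumes the caller supplies the current time and, where known, the boot
     time, and it treats subdirectories as the per-user layout that holds
     per-tty stamps when tty_tickets is enabled:

```python
"""The time stamp sanity checks from the sudoers manual, as an audit tool.

Added example, not sudo's implementation.  The classification functions take
plain stat-style numbers so they can be exercised with constructed values;
audit_dir() applies them to a real directory (e.g. /var/adm/sudo), assuming
the caller supplies the current time and, where known, the boot time.
"""
import os
import stat
from typing import Dict, Optional

TIMEOUT = 5 * 60  # sudoers' default time stamp timeout, in seconds


def dir_trusted(st_uid: int, st_mode: int) -> bool:
    """sudoers ignores the directory's contents unless root owns it and no
    user other than root can write to it."""
    return st_uid == 0 and not (st_mode & (stat.S_IWGRP | stat.S_IWOTH))


def stamp_state(mtime: float, now: float, boot_time: Optional[float] = None,
                timeout: int = TIMEOUT) -> str:
    """Classify one time stamp: 'valid', 'expired', 'future' or 'pre-boot'.

    A stamp later than now + 2 * timeout is treated as bogus (sudo logs and
    ignores it); one older than the boot time is ignored where boot time is
    available; otherwise it is valid only within the timeout window.
    """
    if mtime > now + 2 * timeout:
        return "future"
    if boot_time is not None and mtime < boot_time:
        return "pre-boot"
    return "valid" if now - mtime <= timeout else "expired"


def audit_dir(path: str, now: float, boot_time: Optional[float] = None) -> Dict[str, str]:
    """Report the directory's trust state and the state of each stamp in it."""
    st = os.stat(path)
    report = {".": "trusted" if dir_trusted(st.st_uid, st.st_mode) else "untrusted"}
    for name in sorted(os.listdir(path)):
        full = os.path.join(path, name)
        if os.path.isdir(full):  # assumed layout: <user>/<tty> with tty_tickets
            for tty in sorted(os.listdir(full)):
                mtime = os.stat(os.path.join(full, tty)).st_mtime
                report[name + "/" + tty] = stamp_state(mtime, now, boot_time)
        else:
            report[name] = stamp_state(os.stat(full).st_mtime, now, boot_time)
    return report
```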
DEBUGGING
     Versions 1.8.4 and higher of the sudoers plugin support a flexible
     debugging framework that can help track down what the plugin is doing
     internally if there is a problem.  This can be configured in the

     The sudoers plugin uses the same debug flag format as the sudo front-end:
     subsystem@priority.

     The priorities used by sudoers, in order of decreasing severity, are:
     crit, err, warn, notice, diag, info, trace and debug.  Each priority,
     when specified, also includes all priorities higher than it.  For
     example, a priority of notice would include debug messages logged at
     notice and higher.

     The following subsystems are used by the sudoers plugin:

     alias       User_Alias, Runas_Alias, Host_Alias and Cmnd_Alias processing

     all         matches every subsystem

     audit       BSM and Linux audit code

     auth        user authentication

     defaults    sudoers Defaults settings

     env         environment handling

     ldap        LDAP-based sudoers

     logging     logging support

     match       matching of users, groups, hosts and netgroups in sudoers

     netif       network interface handling

     nss         network service switch handling in sudoers

     parser      sudoers file parsing

     perms       permission setting

     plugin      The equivalent of main for the plugin.

     pty         pseudo-tty related code

     rbtree      redblack tree internals

     util        utility functions

           Debug sudo /var/log/sudo_debug match@info,nss@info

     For more information, see the sudo.conf(4) manual.
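     An added model (not sudo's code) of how the subsystem@priority flags on a
     Debug line are evaluated, using the priority order and subsystem names
     listed above:

```python
"""Which messages a sudoers Debug line lets through.

Added example, not sudo's code: a model of the subsystem@priority flag format
with the manual's priority order and the catch-all `all` subsystem.
"""
from typing import Dict

# Decreasing severity, as listed in the manual.
PRIORITIES = ["crit", "err", "warn", "notice", "diag", "info", "trace", "debug"]
SUBSYSTEMS = {"alias", "all", "audit", "auth", "defaults", "env", "ldap", "logging",
              "match", "netif", "nss", "parser", "perms", "plugin", "pty",
              "rbtree", "util"}


def parse_debug_flags(flags: str) -> Dict[str, int]:
    """Turn "match@info,nss@info" into {subsystem: index of its max priority}."""
    parsed: Dict[str, int] = {}
    for item in flags.split(","):
        subsystem, sep, priority = item.strip().partition("@")
        if not sep or subsystem not in SUBSYSTEMS or priority not in PRIORITIES:
            raise ValueError("bad debug flag: " + item)
        parsed[subsystem] = PRIORITIES.index(priority)
    return parsed


def message_logged(flags: Dict[str, int], subsystem: str, priority: str) -> bool:
    """A priority includes everything at least as severe; `all` covers every
    subsystem, and the more permissive of a specific flag and `all` wins."""
    level = PRIORITIES.index(priority)
    limit = max(flags.get(subsystem, -1), flags.get("all", -1))
    return level <= limit
```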
SEE ALSO
     ssh(1), su(1), fnmatch(3), glob(3), mktemp(3), strftime(3), sudo.conf(4),
     sudoers.ldap(4), sudo_plugin(1m), sudo(1m), visudo(1m)

CAVEATS
     The sudoers file should always be edited by the visudo command which
     locks the file and does grammatical checking.  It is imperative that
     sudoers be free of syntax errors since sudo will not run with a
     syntactically incorrect sudoers file.

     When using netgroups of machines (as opposed to users), if you store
     fully qualified host names in the netgroup (as is usually the case), you
     either need to have the machine's host name be fully qualified as
     returned by the hostname command or use the fqdn option in sudoers.

     If you feel you have found a bug in sudo, please submit a bug report at
     http://www.sudo.ws/sudo/bugs/

SUPPORT
     Limited free support is available via the sudo-users mailing list, see
     http://www.sudo.ws/mailman/listinfo/sudo-users to subscribe or search the

DISCLAIMER
     sudo is provided ``AS IS'' and any express or implied warranties,
     including, but not limited to, the implied warranties of merchantability
     and fitness for a particular purpose are disclaimed.  See the LICENSE
     file distributed with sudo or http://www.sudo.ws/sudo/license.html for

Sudo 1.8.7                      April 30, 2013                      Sudo 1.8.7