1 .\" DO NOT EDIT THIS FILE, IT IS NOT THE MASTER!
2 .\" IT IS GENERATED AUTOMATICALLY FROM sudoers.mdoc.in
4 .\" Copyright (c) 1994-1996, 1998-2005, 2007-2012
5 .\" Todd C. Miller <Todd.Miller@courtesan.com>
7 .\" Permission to use, copy, modify, and distribute this software for any
8 .\" purpose with or without fee is hereby granted, provided that the above
9 .\" copyright notice and this permission notice appear in all copies.
11 .\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
12 .\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
13 .\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
14 .\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
15 .\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
16 .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
17 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
18 .\" ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
20 .\" Sponsored in part by the Defense Advanced Research Projects
21 .\" Agency (DARPA) and Air Force Research Laboratory, Air Force
22 .\" Materiel Command, USAF, under agreement number F39502-99-1-0512.
24 .TH "SUDOERS" "@mansectsu@" "July 16, 2012" "Sudo @PACKAGE_VERSION@" "Programmer's Manual"
29 \- default sudo security policy module
33 policy module determines a user's
39 The policy is driven by
41 \fI@sysconfdir@/sudoers\fR
42 file or, optionally in LDAP.
43 The policy format is described in detail in the
44 \fISUDOERS FILE FORMAT\fR
46 For information on storing
50 sudoers.ldap(@mansectform@).
51 .SS "Authentication and logging"
54 security policy requires that most users authenticate
55 themselves before they can use
57 A password is not required
58 if the invoking user is root, if the target user is the same as the
59 invoking user, or if the policy has disabled authentication for the
66 authentication, it validates the invoking user's credentials, not
67 the target user's (or root's) credentials.
68 This can be changed via
74 flags, described later.
76 If a user who is not listed in the policy tries to run a command
79 mail is sent to the proper authorities.
81 used for such mail is configurable via the
84 (described later) and defaults to
87 Note that mail will not be sent if an unauthorized user tries to
96 determine for themselves whether or not they are allowed to use
101 is run by root and the
106 policy will use this value to determine who
108 This can be used by a user to log commands
109 through sudo even when a root shell has been invoked.
113 option to remain useful even when invoked via a
114 sudo-run script or program.
115 Note, however, that the
117 lookup is still done for root, not the user specified by
121 uses time stamp files for credential caching.
123 user has been authenticated, the time stamp is updated and the user
124 may then use sudo without a password for a short period of time
126 minutes unless overridden by the
132 uses a tty-based time stamp which means that
133 there is a separate time stamp for each of a user's login sessions.
136 option can be disabled to force the use of a
137 single time stamp for all of a user's sessions.
140 can log both successful and unsuccessful attempts (as well
148 but this is changeable via the
155 also supports logging a command's input and output
157 I/O logging is not on by default but can be enabled using
162 Defaults flags as well as the
167 .SS "Command environment"
168 Since environment variables can influence program behavior,
170 provides a means to restrict which variables from the user's
171 environment are inherited by the command to be run.
175 can deal with environment variables.
181 to be executed with a new, minimal environment.
183 systems without PAM), the environment is initialized with the
185 \fI/etc/environment\fR
187 On BSD systems, if the
189 option is enabled, the environment is initialized
195 \fI/etc/login.conf\fR.
196 The new environment contains the
208 in addition to variables from the invoking process permitted by the
213 This is effectively a whitelist
214 for environment variables.
218 option is disabled, any variables not
219 explicitly denied by the
224 inherited from the invoking process.
229 behave like a blacklist.
230 Since it is not possible
231 to blacklist all potentially dangerous environment variables, use
234 behavior is encouraged.
236 In all cases, environment variables with a value beginning with
238 are removed as they could be interpreted as
241 The list of environment variables that
244 contained in the output of
248 Note that the dynamic linker on most operating systems will remove
249 variables that can control dynamic linking from the environment of
250 setuid executables, including
252 Depending on the operating
253 system this may include
261 These types of variables are
262 removed from the environment before
264 even begins execution
265 and, as such, it is not possible for
269 As a special case, if
272 option (initial login) is
275 will initialize the environment regardless
283 variables remain unchanged;
290 are set based on the target user.
292 systems without PAM), the contents of
293 \fI/etc/environment\fR
296 On BSD systems, if the
304 \fI/etc/login.conf\fR
306 All other environment variables are removed.
310 option is defined, any variables present
311 in that file will be set to their specified values as long as they
312 would not conflict with an existing environment variable.
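The whitelist versus blacklist behaviour described above, modelled as an added Python example (not sudo's own code). It shows why the page recommends the default env_reset behaviour: with env_reset the command's environment is rebuilt from a short list, whereas with env_reset disabled only the names on the env_delete list are removed, so anything the list does not know about passes through. The option names env_reset, env_keep, env_check, env_delete and secure_path are real sudoers Defaults parameters, but the lists and the sample environment here are constructed stand-ins, and the env_check rule used (keep a variable only if its value contains neither `%` nor `/`) is an assumption of this model.

```python
"""Model of sudo's env_reset whitelist versus the env_delete blacklist.

Added example, not sudo's own code.  The option names are real sudoers
parameters; the lists, the sample environment and the env_check rule used
here (reject values containing '%' or '/') are assumptions of this model.
"""

# Constructed sample environment of an untrusted invoking process.
SAMPLE_ENV = {
    "PATH": "/tmp/bin:/usr/bin",
    "HOME": "/home/alice",
    "TERM": "xterm",
    "LANG": "en_US.UTF-8",
    "LC_ALL": "../../etc/passwd",   # fails the env_check rule: contains '/'
    "LD_PRELOAD": "/tmp/hook.so",   # the dynamic linker drops this before sudo even runs
    "PERL5LIB": "/tmp/modules",
    "PYTHONPATH": "/tmp/modules",   # deliberately absent from the blacklist below
    "IFS": " ",
}

ENV_KEEP = ("TERM", "LANG", "DISPLAY")            # constructed env_keep list
ENV_CHECK = ("LC_ALL", "LC_CTYPE", "COLORTERM")   # constructed env_check list
ENV_DELETE = ("LD_PRELOAD", "IFS", "PERL5LIB")    # constructed env_delete list


def passes_env_check(value):
    """env_check rule modelled here: reject values that contain '%' or '/'."""
    return "%" not in value and "/" not in value


def filter_environment(env, env_reset=True, target_home="/root",
                       secure_path="/usr/sbin:/usr/bin:/sbin:/bin"):
    """Return the environment the command would receive.

    With env_reset the result is built from scratch (whitelist): variables
    from the invoking process permitted by env_keep or passing env_check,
    HOME from the target user, and PATH from secure_path (assumed set).
    With env_reset disabled only the env_delete entries are removed (blacklist).
    """
    if env_reset:
        new_env = {}
        for name, value in env.items():
            if name in ENV_KEEP or (name in ENV_CHECK and passes_env_check(value)):
                new_env[name] = value
        new_env.setdefault("HOME", target_home)
        new_env["PATH"] = secure_path
        return new_env
    return {name: value for name, value in env.items() if name not in ENV_DELETE}


def blacklist_leaks(env):
    """Names the blacklist leaves in place that the whitelist would have dropped.

    A blacklist is only as good as its list of known-dangerous names, which
    is the page's argument for keeping env_reset enabled.
    """
    kept = filter_environment(env, env_reset=False)
    allowed = filter_environment(env, env_reset=True)
    return sorted(name for name in kept if name not in allowed)


if __name__ == "__main__":
    for name in blacklist_leaks(SAMPLE_ENV):
        print(f"env_reset off would pass {name}={SAMPLE_ENV[name]!r} to the command")
```

Running the module prints the two variables the constructed blacklist misses (a PYTHONPATH that was never listed, and an LC_ALL value that the whitelist's env_check would have rejected); every new interpreter or library variable an administrator forgets to add to env_delete becomes such a gap.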
313 .SH "SUDOERS FILE FORMAT"
316 file is composed of two types of entries: aliases
317 (basically variables) and user specifications (which specify who
320 When multiple entries match for a user, they are applied in order.
321 Where there are multiple matches, the last match is used (which is
322 not necessarily the most specific match).
326 grammar will be described below in Extended Backus-Naur
328 Don't despair if you are unfamiliar with EBNF; it is fairly simple,
329 and the definitions below are annotated.
330 .SS "Quick guide to EBNF"
331 EBNF is a concise and exact way of describing the grammar of a language.
332 Each EBNF definition is made up of
333 \fIproduction rules\fR.
336 \fRsymbol ::= definition\fR | \fRalternate1\fR | \fRalternate2 ...\fR
339 \fIproduction rule\fR
340 references others and thus makes up a
341 grammar for the language.
342 EBNF also contains the following
343 operators, which many readers will recognize from regular
345 Do not, however, confuse them with
347 characters, which have different meanings.
350 Means that the preceding symbol (or group of symbols) is optional.
351 That is, it may appear once or not at all.
354 Means that the preceding symbol (or group of symbols) may appear
358 Means that the preceding symbol (or group of symbols) may appear
361 Parentheses may be used to group symbols together.
363 we will use single quotes
365 to designate what is a verbatim character string (as opposed to a symbol name).
367 There are four kinds of aliases:
376 Alias ::= 'User_Alias' User_Alias (':' User_Alias)* |
377 'Runas_Alias' Runas_Alias (':' Runas_Alias)* |
378 'Host_Alias' Host_Alias (':' Host_Alias)* |
379 'Cmnd_Alias' Cmnd_Alias (':' Cmnd_Alias)*
381 User_Alias ::= NAME '=' User_List
383 Runas_Alias ::= NAME '=' Runas_List
385 Host_Alias ::= NAME '=' Host_List
387 Cmnd_Alias ::= NAME '=' Cmnd_List
389 NAME ::= [A-Z]([A-Z][0-9]_)*
395 definition is of the form
399 Alias_Type NAME = item1, item2, ...
413 is a string of uppercase letters, numbers,
414 and underscore characters
421 It is possible to put several alias definitions
422 of the same type on a single line, joined by a colon
428 Alias_Type NAME = item1, item2, item3 : NAME = item4, item5
432 The definitions of what constitutes a valid
441 User ::= '!'* user name |
446 '!'* %:nonunix_group |
447 '!'* %:#nonunix_gid |
454 is made up of one or more user names, user ids
457 system group names and ids (prefixed with
461 respectively), netgroups (prefixed with
463 non-Unix group names and IDs (prefixed with
469 Each list item may be prefixed with zero or more
474 operators negate the value of
475 the item; an even number just cancel each other out.
486 may be enclosed in double quotes to avoid the
487 need for escaping special characters.
488 Alternately, special characters
489 may be specified in escaped hex mode, e.g.\& \ex20 for space.
491 using double quotes, any prefix characters must be included inside
499 the underlying group provider plugin (see the
502 For instance, the QAS AD plugin supports the following formats:
505 Group in the same domain: "%:Group Name"
508 Group in any domain: "%:Group Name@FULLY.QUALIFIED.DOMAIN"
511 Group SID: "%:S-1-2-34-5678901234-5678901234-5678901234-567"
513 Note that quotes around group names are optional.
514 Unquoted strings must use a backslash
516 to escape spaces and special characters.
518 \fIOther special characters and reserved words\fR
520 characters that need to be escaped.
524 Runas_List ::= Runas_Member |
525 Runas_Member ',' Runas_List
527 Runas_Member ::= '!'* user name |
531 '!'* %:nonunix_group |
532 '!'* %:#nonunix_gid |
548 user names and groups are matched as strings.
550 users (groups) with the same uid (gid) are considered to be distinct.
551 If you wish to match all user names with the same uid (e.g.\&
552 root and toor), you can use a uid instead (#0 in the example given).
559 Host ::= '!'* host name |
561 '!'* network(/netmask)? |
569 is made up of one or more host names, IP addresses,
570 network numbers, netgroups (prefixed with
573 Again, the value of an item may be negated with the
576 If you do not specify a netmask along with the network number,
578 will query each of the local host's network interfaces and,
579 if the network number corresponds to one of the host's network
580 interfaces, the corresponding netmask will be used.
582 may be specified either in standard IP address notation
583 (e.g.\& 255.255.255.0 or ffff:ffff:ffff:ffff::),
584 or CIDR notation (number of bits, e.g.\& 24 or 64).
585 A host name may include shell-style wildcards (see the
590 command on your machine returns the fully
591 qualified host name, you'll need to use the
593 option for wildcards to be useful.
596 only inspects actual network interfaces; this means that IP address
597 127.0.0.1 (localhost) will never match.
600 will only match if that is the actual host name, which is usually
601 only the case for non-networked systems.
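The Host_List rules above (network numbers with a CIDR or address-form netmask, bare network numbers resolved against the local interfaces' netmasks, shell-style host name wildcards, the fqdn option, negation and last-match-wins), as an added Python model that is not sudo's own code. The interface table is constructed; sudo reads the real one from the kernel. Loopback is deliberately left out of that table because, as the page notes, only actual network interfaces are inspected, so 127.0.0.1 never matches.

```python
"""Host_List matching as the page describes it, modelled in Python.

Added example, not sudo's own code.  LOCAL_INTERFACES is a constructed
stand-in for the interface list sudo obtains from the kernel.
"""
import fnmatch
import ipaddress

# Constructed interface table: (address, netmask) pairs of the local host.
LOCAL_INTERFACES = [
    ("192.168.1.20", "255.255.255.0"),
    ("2001:db8:1::20", "ffff:ffff:ffff:ffff::"),
]


def mask_to_prefix(mask_text, max_bits):
    """Turn a dotted or colon-form netmask into a prefix length; reject non-contiguous masks."""
    mask = int(ipaddress.ip_address(mask_text))
    prefix = 0
    while prefix < max_bits and mask & (1 << (max_bits - 1 - prefix)):
        prefix += 1
    if mask != ((1 << prefix) - 1) << (max_bits - prefix):
        raise ValueError(f"non-contiguous netmask {mask_text}")
    return prefix


def interface_networks(interfaces):
    """Interface objects (address plus prefix) for the constructed table."""
    return [ipaddress.ip_interface(
                f"{addr}/{mask_to_prefix(mask, ipaddress.ip_address(addr).max_prefixlen)}")
            for addr, mask in interfaces]


def parse_network_spec(spec):
    """'network/netmask' with the mask as CIDR bits or in address form, or None if no slash."""
    if "/" not in spec:
        return None
    net_text, mask_text = spec.split("/", 1)
    net = ipaddress.ip_address(net_text)
    prefix = int(mask_text) if mask_text.isdigit() else mask_to_prefix(mask_text, net.max_prefixlen)
    return ipaddress.ip_network(f"{net}/{prefix}", strict=False)


def host_item_matches(item, short_name, fqdn_name, interfaces=LOCAL_INTERFACES, fqdn=False):
    """Match one Host_List item (its '!' prefixes already removed) against this host."""
    if item == "ALL":
        return True
    try:
        network = parse_network_spec(item)
        if network is not None:
            return any(iface.ip in network for iface in interface_networks(interfaces))
        address = ipaddress.ip_address(item)
    except ValueError:
        # Not an address: a host name, possibly with shell-style wildcards.
        # Without the fqdn option only the short host name is compared.
        name = fqdn_name if fqdn else short_name
        return fnmatch.fnmatchcase(name.lower(), item.lower())
    # Bare address or network number without a netmask: the page says sudo
    # uses the netmask of the interface whose network the number belongs to.
    return any(iface.ip == address or iface.network.network_address == address
               for iface in interface_networks(interfaces))


def host_list_matches(items, short_name, fqdn_name, interfaces=LOCAL_INTERFACES, fqdn=False):
    """Evaluate a whole Host_List: '!' negates an item and the last matching item decides."""
    decision = False
    for item in items:
        negate = False
        while item.startswith("!"):
            negate, item = not negate, item[1:]
        if host_item_matches(item, short_name, fqdn_name, interfaces, fqdn):
            decision = not negate
    return decision
```

Note how `*.example.com` only matches once fqdn is enabled, which is the situation the page describes for hosts whose hostname command returns the short name.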
608 command name ::= file name |
612 Cmnd ::= '!'* command name |
621 is a list of one or more command names, directories, and other aliases.
622 A command name is a fully qualified file name which may include
623 shell-style wildcards (see the
626 A simple file name allows the user to run the command with any
627 arguments he/she wishes.
628 However, you may also specify command line arguments (including
630 Alternately, you can specify
632 to indicate that the command
635 command line arguments.
637 fully qualified path name ending in a
639 When you specify a directory in a
641 the user will be able to run any file within that directory
642 (but not in any sub-directories therein).
646 has associated command line arguments, then the arguments
649 must match exactly those given by the user on the command line
650 (or match the wildcards if there are any).
651 Note that the following characters must be escaped with a
653 if they are used in command arguments:
660 is used to permit a user to run
666 It may take command line arguments just as a normal command does.
668 Certain configuration options may be changed from their default
669 values at run-time via one or more
672 These may affect all users on any host, all users on a specific host, a
673 specific user, a specific command, or commands being run as a specific user.
674 Note that per-command entries may not include command line arguments.
675 If you need to specify arguments, define a
682 Default_Type ::= 'Defaults' |
683 'Defaults' '@' Host_List |
684 'Defaults' ':' User_List |
685 'Defaults' '!' Cmnd_List |
686 'Defaults' '>' Runas_List
688 Default_Entry ::= Default_Type Parameter_List
690 Parameter_List ::= Parameter |
691 Parameter ',' Parameter_List
693 Parameter ::= Parameter '=' Value |
694 Parameter '+=' Value |
695 Parameter '-=' Value |
707 Flags are implicitly boolean and can be turned off via the
710 Some integer, string and list parameters may also be
711 used in a boolean context to disable them.
712 Values may be enclosed
715 when they contain multiple words.
716 Special characters may be escaped with a backslash
719 Lists have two additional assignment operators,
723 These operators are used to add to and delete from a list respectively.
724 It is not an error to use the
726 operator to remove an element
727 that does not exist in a list.
729 Defaults entries are parsed in the following order: generic, host
730 and user Defaults first, then runas Defaults and finally command
734 \fISUDOERS OPTIONS\fR
735 for a list of supported Defaults parameters.
736 .SS "User specification"
739 User_Spec ::= User_List Host_List '=' Cmnd_Spec_List \e
740 (':' Host_List '=' Cmnd_Spec_List)*
742 Cmnd_Spec_List ::= Cmnd_Spec |
743 Cmnd_Spec ',' Cmnd_Spec_List
745 Cmnd_Spec ::= Runas_Spec? SELinux_Spec? Solaris_Priv_Spec? Tag_Spec* Cmnd
747 Runas_Spec ::= '(' Runas_List? (':' Runas_List)? ')'
749 SELinux_Spec ::= ('ROLE=role' | 'TYPE=type')
751 Solaris_Priv_Spec ::= ('PRIVS=privset' | 'LIMITPRIVS=privset')
753 Tag_Spec ::= ('NOPASSWD:' | 'PASSWD:' | 'NOEXEC:' | 'EXEC:' |
754 'SETENV:' | 'NOSETENV:' | 'LOG_INPUT:' | 'NOLOG_INPUT:' |
755 'LOG_OUTPUT:' | 'NOLOG_OUTPUT:')
760 \fBuser specification\fR
761 determines which commands a user may run
762 (and as what user) on specified hosts.
763 By default, commands are
766 but this can be changed on a per-command basis.
768 The basic structure of a user specification is
769 ``who where = (as_whom) what''.
770 Let's break that down into its constituent parts:
774 determines the user and/or the group that a command
780 (as defined above) separated by a colon
782 and enclosed in a set of parentheses.
786 which users the command may be run as via
790 The second defines a list of groups that can be specified via
796 are specified, the command may be run with any combination of users
797 and groups listed in their respective
799 If only the first is specified, the command may be run as any user
807 second is specified, the command may be run as the invoking user
808 with the group set to any listed in the
812 are empty, the command may only be run as the invoking user.
815 is specified the command may be run as
818 no group may be specified.
822 sets the default for the commands that follow it.
823 What this means is that for the entry:
827 dgb boulder = (operator) /bin/ls, /bin/kill, /usr/bin/lprm
837 \fI/usr/bin/lprm\fR\(embut
844 $ sudo -u operator /bin/ls
848 It is also possible to override a
850 later on in an entry.
851 If we modify the entry like so:
855 dgb boulder = (operator) /bin/ls, (root) /bin/kill, /usr/bin/lprm
861 is now allowed to run
872 We can extend this to allow
877 the user or group set to
882 dgb boulder = (operator : operator) /bin/ls, (root) /bin/kill,\e
887 Note that while the group portion of the
890 user to run a command with that group, it does not force the user
892 If no group is specified on the command line, the command
893 will run with the group listed in the target user's password database
895 The following would all be permitted by the sudoers entry above:
899 $ sudo -u operator /bin/ls
900 $ sudo -u operator -g operator /bin/ls
901 $ sudo -g operator /bin/ls
905 In the following example, user
907 may run commands that access
908 a modem device file with the dialer group.
912 tcm boulder = (:dialer) /usr/bin/tip, /usr/bin/cu,\e
913 /usr/local/bin/minicom
917 Note that in this example only the group will be set, the command
924 $ sudo -g dialer /usr/bin/cu
928 Multiple users and groups may be present in a
930 in which case the user may select any combination of users and groups via the
939 alan ALL = (root, bin : operator, system) ALL
945 may run any command as either user root or bin,
946 optionally setting the group to operator or system.
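The Runas_Spec rules worked through above (user list only, group list only, both lists, an empty pair, and no Runas_Spec at all), as an added Python model; this is not sudo's matching code. A spec is None when the entry has no Runas_Spec, otherwise a (users, groups) pair where each side is None when absent or a tuple of names when present, so `(operator)` is `(("operator",), None)`, `(:dialer)` is `(None, ("dialer",))` and `()` is `(None, None)`. The fallback target for an entry without a Runas_Spec is passed in as runas_default (a real sudoers option) and assumed to be root; sudo's behaviour when `-g` is given without `-u` (the command keeps the invoking user's uid) is taken from the page's dialer example.

```python
"""Which (user, group) identities a Runas_Spec permits, following the page's rules.

Added example, not sudo's own code.  The default target user for an entry
with no Runas_Spec is an assumption (runas_default, taken to be root).
"""


def _listed(name, names):
    return "ALL" in names or name in names


def effective_runas(spec, invoking_user, user=None, group=None, runas_default="root"):
    """Return the (user, group) the command would run as, or None if the spec denies it.

    user and group are the values of sudo's -u and -g options (None when not
    given).  A group of None in the result means the target user's primary
    group from the password database, as the page describes.
    """
    # -g on its own changes only the group: the command keeps the invoking user's uid.
    if user is not None:
        target_user = user
    elif group is not None:
        target_user = invoking_user
    else:
        target_user = runas_default

    if spec is None:                      # no Runas_Spec: runas_default only, no group
        users, groups = (runas_default,), None
    else:
        users, groups = spec

    if users is None and groups is None:  # "()": only the invoking user, no group change
        permitted = target_user == invoking_user and group is None
    elif groups is None:                  # "(users)": a listed user, no group may be given
        permitted = _listed(target_user, users) and group is None
    elif users is None:                   # "(:groups)": invoking user with a listed group
        permitted = (target_user == invoking_user and group is not None
                     and _listed(group, groups))
    else:                                 # "(users : groups)": any listed combination,
        user_ok = _listed(target_user, users) or (user is None and group is not None)
        permitted = user_ok and (group is None or _listed(group, groups))
    return (target_user, group) if permitted else None


if __name__ == "__main__":
    # The page's entries, exercised with the command lines it lists.
    print(effective_runas((("operator",), ("operator",)), "dgb", group="operator"))
    print(effective_runas((None, ("dialer",)), "tcm", group="dialer"))
    print(effective_runas((("root", "bin"), ("operator", "system")), "alan", user="bin", group="system"))
```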
948 On systems with SELinux support,
950 entries may optionally have an SELinux role and/or type associated
953 type is specified with the command it will override any default values
956 A role or type specified on the command line,
957 however, will supersede the values in
959 .SS "Solaris_Priv_Spec"
962 entries may optionally specify Solaris privilege set and/or limit
963 privilege set associated with a command.
964 If privileges or limit privileges are specified with the command
965 it will override any default values specified in
968 A privilege set is a comma-separated list of privilege names.
971 command can be used to list all privileges known to the system.
980 In addition, there are several
988 the set of all privileges
991 the set of all privileges available in the current zone
994 the default set of privileges normal users are granted at login time
996 Privileges can be excluded from a set by prefixing the privilege
1003 A command may have zero or more tags associated with it.
1005 ten possible tag values:
1017 Once a tag is set on a
1022 \fRCmnd_Spec_List\fR,
1023 inherit the tag unless it is overridden by the opposite tag (in other words,
1032 \fINOPASSWD and PASSWD\fR
1036 requires that a user authenticate him or herself
1037 before running a command.
1038 This behavior can be modified via the
1046 a default for the commands that follow it in the
1047 \fRCmnd_Spec_List\fR.
1050 tag can be used to reverse things.
1055 ray rushmore = NOPASSWD: /bin/kill, /bin/ls, /usr/bin/lprm
1059 would allow the user
1068 on the machine rushmore without authenticating himself.
1074 without a password the entry would be:
1078 ray rushmore = NOPASSWD: /bin/kill, PASSWD: /bin/ls, /usr/bin/lprm
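Two rules from this section and the Runas_Spec section above are easy to get wrong when reading an entry: a Runas_Spec applies to every command that follows it in the Cmnd_Spec_List until another one appears, and a tag such as NOPASSWD likewise stays in force for the commands that follow until the opposite tag (PASSWD) is given. The added Python parser below (not sudo's own parser) takes the right-hand side of a user specification and expands it into one record per command with the Runas_Spec and tags actually in effect. The initial tag state (authentication required, nothing else set) is an assumption standing in for the Defaults.

```python
"""Expand a Cmnd_Spec_List into per-command records with their effective Runas_Spec and tags.

Added example, not sudo's own parser.  Handles only the Runas_Spec, the ten
tags and the command; SELinux and Solaris specs are not modelled.
"""
import re

# Each tag sets one flag; its opposite tag clears it again.
TAG_FLAGS = {
    "NOPASSWD": ("authenticate", False), "PASSWD": ("authenticate", True),
    "NOEXEC": ("noexec", True), "EXEC": ("noexec", False),
    "SETENV": ("setenv", True), "NOSETENV": ("setenv", False),
    "LOG_INPUT": ("log_input", True), "NOLOG_INPUT": ("log_input", False),
    "LOG_OUTPUT": ("log_output", True), "NOLOG_OUTPUT": ("log_output", False),
}
# Assumed starting state, standing in for the Defaults in force.
INITIAL_TAGS = {"authenticate": True, "noexec": False, "setenv": False,
                "log_input": False, "log_output": False}


def split_cmnd_specs(text):
    """Split on commas at parenthesis depth zero, so '(root, bin : x) ALL' stays whole."""
    specs, current, depth = [], [], 0
    for ch in text:
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
        if ch == "," and depth == 0:
            specs.append("".join(current).strip())
            current = []
        else:
            current.append(ch)
    specs.append("".join(current).strip())
    return [s for s in specs if s]


def parse_runas(inner):
    """Body of '(users : groups)' -> (users, groups), each None when that part is absent."""
    users_text, sep, groups_text = inner.partition(":")
    users = tuple(u.strip() for u in users_text.split(",") if u.strip()) or None
    groups = None
    if sep:
        groups = tuple(g.strip() for g in groups_text.split(",") if g.strip()) or None
    return users, groups


def parse_cmnd_spec_list(text):
    """Return one dict per command: its name, the Runas_Spec in effect and the tags in effect."""
    runas, tags, entries = None, dict(INITIAL_TAGS), []
    # Backslash-newline is the continuation the page's examples use.
    for spec in split_cmnd_specs(text.replace("\\\n", " ")):
        m = re.match(r"\(([^)]*)\)\s*(.*)", spec)
        if m:                                   # a new Runas_Spec replaces the running default
            runas, spec = parse_runas(m.group(1)), m.group(2)
        while True:
            m = re.match(r"([A-Z_]+):\s*(.*)", spec)
            if not m or m.group(1) not in TAG_FLAGS:
                break
            flag, value = TAG_FLAGS[m.group(1)]
            tags[flag] = value                  # stays in force for the commands that follow
            spec = m.group(2)
        entries.append({"command": spec.strip(), "runas": runas, "tags": dict(tags)})
    return entries


if __name__ == "__main__":
    for entry in parse_cmnd_spec_list("NOPASSWD: /bin/kill, PASSWD: /bin/ls, /usr/bin/lprm"):
        print(entry["command"], "authenticate" if entry["tags"]["authenticate"] else "no password")
```

Feeding the page's `ray rushmore` entries through the parser shows the difference the second PASSWD tag makes: without it, all three commands run without a password, which is the outcome an auditor reviewing a sudoers file needs to spot.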
1082 Note, however, that the
1084 tag has no effect on users who are in the group specified by the
1090 tag is applied to any of the entries for a user on the current host,
1091 he or she will be able to run
1094 Additionally, a user may only run
1096 without a password if the
1098 tag is present for all a user's entries that pertain to the current host.
1099 This behavior may be overridden via the
1105 \fINOEXEC and EXEC\fR
1109 has been compiled with
1111 support and the underlying operating system supports it, the
1113 tag can be used to prevent a dynamically-linked executable from
1114 running further commands itself.
1116 In the following example, user
1122 but shell escapes will be disabled.
1126 aaron shanty = NOEXEC: /usr/bin/more, /usr/bin/vi
1131 \fIPreventing shell escapes\fR
1132 section below for more details on how
1134 works and whether or not it will work on your system.
1136 \fISETENV and NOSETENV\fR
1138 These tags override the value of the
1140 option on a per-command basis.
1143 has been set for a command, the user may disable the
1145 option from the command line via the
1148 Additionally, environment variables set on the command
1149 line are not subject to the restrictions imposed by
1154 As such, only trusted users should be allowed to set variables in this manner.
1155 If the command matched is
1159 tag is implied for that command; this default may be overridden by use of the
1163 \fILOG_INPUT and NOLOG_INPUT\fR
1165 These tags override the value of the
1167 option on a per-command basis.
1168 For more information, see the description of
1171 \fISUDOERS OPTIONS\fR
1174 \fILOG_OUTPUT and NOLOG_OUTPUT\fR
1176 These tags override the value of the
1178 option on a per-command basis.
1179 For more information, see the description of
1182 \fISUDOERS OPTIONS\fR
1188 (aka meta or glob characters)
1189 to be used in host names, path names and command line arguments in the
1192 Wildcard matching is done via the
1200 regular expressions.
1203 Matches any set of zero or more characters.
1206 Matches any single character.
1209 Matches any character in the specified range.
1212 Matches any character
1214 in the specified range.
1221 This is used to escape special characters such as:
1228 POSIX character classes may also be used if your system's
1232 functions support them.
1233 However, because the
1235 character has special meaning in
1243 /bin/ls [[\:alpha\:]]*
1247 Would match any file name beginning with a letter.
1249 Note that a forward slash
1254 wildcards used in the path name.
1255 This is to make a path like:
1266 \fI/usr/bin/X11/xterm\fR.
1268 When matching the command line arguments, however, a slash
1270 get matched by wildcards since command line arguments may contain
1271 arbitrary strings and not just path names.
1273 Wildcards in command line arguments should be used with care.
1274 Because command line arguments are matched as a single, concatenated
1275 string, a wildcard such as
1279 can match multiple words.
1280 For example, while a sudoers entry like:
1284 %operator ALL = /bin/cat /var/log/messages*
1288 will allow a command like:
1292 $ sudo cat /var/log/messages.1
1300 $ sudo cat /var/log/messages /etc/shadow
1304 which is probably not what was intended.
1305 .SS "Exceptions to wildcard rules"
1306 The following exceptions apply to the above rules:
1311 is the only command line argument in the
1313 entry it means that command is not allowed to be run with
1318 Command line arguments to the
1320 built-in command should always be path names, so a forward slash
1322 will not be matched by a wildcard.
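The wildcard rules of this section and the exceptions just listed, as an added Python model (not sudo's matching code): a slash is never matched by a wildcard in the path name part, it is matched in the argument part because arguments are compared as one concatenated string, a rule whose only argument is `""` allows no arguments at all, and arguments of the built-in whose arguments are path names are matched with the path name rule. That built-in is assumed here to be sudoedit. The `/var/log/messages*` pitfall from the text is one of the checks, so the model can be used to test a proposed rule against the invocations it was meant to permit and the ones it was not.

```python
"""Path and argument wildcard matching with the slash rules the page describes.

Added example, not sudo's own code.  'sudoedit' as the name of the command
whose arguments are always path names is an assumption.
"""
import re


def glob_to_regex(pattern, pathname):
    """Translate a shell-style pattern to a regex; with pathname=True, '*' and '?' stop at '/'."""
    any_char = "[^/]" if pathname else "."
    out, i = [], 0
    while i < len(pattern):
        ch = pattern[i]
        if ch == "\\" and i + 1 < len(pattern):      # backslash escapes the next character
            out.append(re.escape(pattern[i + 1]))
            i += 2
            continue
        if ch == "*":
            out.append(any_char + "*")
        elif ch == "?":
            out.append(any_char)
        elif ch == "[" and pattern.find("]", i + 2) != -1:
            end = pattern.find("]", i + 2)
            body = pattern[i + 1:end]
            if body.startswith("!"):                # [!...] matches anything not in the range
                body = "^" + body[1:]
            out.append("[" + body.replace("\\", "\\\\") + "]")
            i = end + 1
            continue
        else:
            out.append(re.escape(ch))
        i += 1
    return "".join(out)


def command_matches(rule_path, rule_args, path, argv):
    """Does a sudoers command entry permit running path with argv?

    rule_args is None for a bare file name (any arguments allowed), the
    two-character string '""' for "no arguments", or the argument pattern
    written in the entry.
    """
    if not re.fullmatch(glob_to_regex(rule_path, pathname=True), path):
        return False
    if rule_args is None:
        return True
    if rule_args == '""':
        return not argv
    # Arguments are one concatenated string in which a slash is matched by
    # wildcards, except for the path-name built-in.
    pathname = rule_path == "sudoedit"
    return re.fullmatch(glob_to_regex(rule_args, pathname=pathname), " ".join(argv)) is not None


if __name__ == "__main__":
    # The page's example: the pattern also admits a second, unrelated file.
    for argv in (["/var/log/messages.1"], ["/var/log/messages", "/etc/shadow"]):
        print(argv, command_matches("/bin/cat", "/var/log/messages*", "/bin/cat", argv))
```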
1323 .SS "Including other files from within sudoers"
1324 It is possible to include other
1326 files from within the
1328 file currently being parsed using the
1334 This can be used, for example, to keep a site-wide
1336 file in addition to a local, per-machine file.
1337 For the sake of this example the site-wide
1341 and the per-machine one will be
1342 \fI/etc/sudoers.local\fR.
1344 \fI/etc/sudoers.local\fR
1353 #include /etc/sudoers.local
1359 reaches this line it will suspend processing of the current file
1360 (\fI/etc/sudoers\fR)
1362 \fI/etc/sudoers.local\fR.
1363 Upon reaching the end of
1364 \fI/etc/sudoers.local\fR,
1368 Files that are included may themselves include other files.
1369 A hard limit of 128 nested include files is enforced to prevent include
1372 If the path to the include file is not fully-qualified (does not
1375 it must be located in the same directory as the sudoers file it was
1383 \fR#include sudoers.local\fR
1387 the file that will be included is
1388 \fI/etc/sudoers.local\fR.
1390 The file name may also include the
1392 escape, signifying the short form of the host name.
1393 In other words, if the machine's host name is
1399 #include /etc/sudoers.%h
1406 \fI/etc/sudoers.xerxes\fR.
1410 directive can be used to create a
1412 directory that the system package manager can drop
1415 into as part of package installation.
1420 #includedir /etc/sudoers.d
1425 will read each file in
1426 \fI/etc/sudoers.d\fR,
1427 skipping file names that end in
1431 character to avoid causing problems with package manager or editor
1432 temporary/backup files.
1433 Files are parsed in sorted lexical order.
1435 \fI/etc/sudoers.d/01_first\fR
1436 will be parsed before
1437 \fI/etc/sudoers.d/10_second\fR.
1438 Be aware that because the sorting is lexical, not numeric,
1439 \fI/etc/sudoers.d/1_whoops\fR
1442 \fI/etc/sudoers.d/10_second\fR.
1443 Using a consistent number of leading zeroes in the file names can be used
1444 to avoid such problems.
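The lexical-order pitfall described above, turned into a small audit that is an added example and not part of sudo: it lists the files sudo would parse from a #includedir directory in parse order and reports every adjacent pair whose numeric prefixes are out of order, since with last-match-wins the lower-numbered file then silently overrides the higher-numbered one. The directory listing is constructed; the skip rule used (names ending in `~` or containing a `.` are ignored) follows sudo's documented #includedir behaviour and is an assumption here.

```python
"""Audit the parse order of a #includedir directory.

Added example, not sudo's own code.  The listing is constructed and the
skip rule (ignore names ending in '~' or containing '.') is assumed.
"""
import re

# Constructed directory listing, including editor and package-manager leftovers.
SAMPLE_LISTING = ["10_second", "1_whoops", "01_first", "01_first~", "99-pkg.dpkg-new"]


def includedir_order(names):
    """Names sudo would parse, in the lexical order it parses them."""
    return sorted(n for n in names if not n.endswith("~") and "." not in n)


def ordering_surprises(names):
    """Adjacent pairs (earlier, later) in parse order whose leading numbers run backwards."""
    numbered = [(n, int(re.match(r"\d+", n).group()))
                for n in includedir_order(names) if re.match(r"\d+", n)]
    return [(a, b) for (a, na), (b, nb) in zip(numbered, numbered[1:]) if na > nb]


if __name__ == "__main__":
    print("parse order:", includedir_order(SAMPLE_LISTING))
    for earlier, later in ordering_surprises(SAMPLE_LISTING):
        print(f"{later} is parsed after {earlier} and overrides it; pad its number with leading zeroes")
```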
1446 Note that unlike files included via
1449 will not edit the files in a
1451 directory unless one of them contains a syntax error.
1452 It is still possible to run
1456 flag to edit the files directly.
1457 .SS "Other special characters and reserved words"
1460 is used to indicate a comment (unless it is part of a #include
1461 directive or unless it occurs in the context of a user name and is
1462 followed by one or more digits, in which case it is treated as a
1464 Both the comment character and any text after it, up to the end of
1465 the line, are ignored.
1471 that always causes a match to succeed.
1472 It can be used wherever one might otherwise use a
1478 You should not try to define your own
1482 as the built-in alias will be used in preference to your own.
1483 Please note that using
1485 can be dangerous since in a command context, it allows the user to run
1487 command on the system.
1489 An exclamation point
1491 can be used as a logical
1497 This allows one to exclude certain values.
1498 Note, however, that using a
1500 in conjunction with the built-in
1502 alias to allow a user to run
1504 commands rarely works as intended (see
1505 \fISECURITY NOTES\fR
1508 Long lines can be continued with a backslash
1510 as the last character on the line.
1512 White space between elements in a list as well as special syntactic
1514 \fIUser Specification\fR
1521 The following characters must be escaped with a backslash
1523 when used as part of a word (e.g.\& a user name or host name):
1531 .SH "SUDOERS OPTIONS"
1533 behavior can be modified by
1535 lines, as explained earlier.
1536 A list of all supported Defaults parameters, grouped by type, is given below.
1538 \fBBoolean Flags\fR:
1545 environment variable to the home directory of the target user
1546 (which is root unless the
1549 This effectively means that the
1551 option is always implied.
1554 is already set when the
1556 option is enabled, so
1557 \fIalways_set_home\fR
1558 is only effective for configurations where either
1570 If set, users must authenticate themselves via a password (or other
1571 means of authentication) before they may run commands.
1572 This default may be overridden via the
1582 If set, the user may use
1585 option which overrides the default starting point at which
1587 begins closing open file descriptors.
1595 is configured to log a command's input or output,
1596 the I/O logs will be compressed using
1609 will use the value of the
1613 environment variables before falling back on the default editor list.
1614 Note that this may create a security hole as it allows the user to
1615 run any arbitrary command as root without logging.
1616 A safer alternative is to place a colon-separated list of editors
1621 will then only use the
1625 if they match a value specified in
1635 will run the command in a minimal environment containing the
1648 variables in the caller's environment that match the
1652 lists are then added, followed by any variables present in the file
1656 The default contents of the
1660 lists are displayed when
1662 is run by root with the
1667 option is set, its value will be used for the
1669 environment variable.
1679 function to do shell-style globbing when matching path names.
1680 However, since it accesses the file system,
1682 can take a long time to complete for some patterns, especially
1683 when the pattern references a network file system that is mounted
1684 on demand (auto mounted).
1691 function, which does not access the file system to do its matching.
1694 is that it is unable to match relative path names such as
1698 This has security implications when path names that include globbing
1699 characters are used with the negation operator,
1701 as such rules can be trivially bypassed.
1702 As such, this option should not be used when
1704 contains rules that contain negated path names which include globbing
1711 Set this flag if you want to put fully qualified host names in the
1713 file when the local host name (as returned by the
1715 command) does not contain the domain name.
1716 In other words, instead of myhost you would use myhost.mydomain.edu.
1717 You may still use the short form if you wish (and even mix the two).
1718 This option is only effective when the
1720 host name, as returned by the
1723 \fBgethostbyname\fR()
1724 function, is a fully-qualified domain name.
1725 This is usually the case when the system is configured to use DNS
1726 for host name resolution.
1728 If the system is configured to use the
1730 file in preference to DNS, the
1732 host name may not be fully-qualified.
1733 The order that sources are queried for host name resolution
1734 is usually specified in the
1735 \fI@nsswitch_conf@\fR,
1736 \fI@netsvc_conf@\fR,
1737 \fI/etc/host.conf\fR,
1739 \fI/etc/resolv.conf\fR
1743 file, the first host name of the entry is considered to be the
1745 name; subsequent names are aliases that are not used by
1747 For example, the following hosts file line for the machine
1749 has the fully-qualified domain name as the
1751 host name, and the short version as an alias.
1754 192.168.1.1 xyzzy.sudo.ws xyzzy
1757 If the machine's hosts file entry is not formatted properly, the
1759 option will not be effective if it is queried before DNS.
1761 Beware that when using DNS for host name resolution, turning on
1765 to make DNS lookups which renders
1767 unusable if DNS stops working (for example if the machine is disconnected
1769 Also note that just like with the hosts file, you must use the
1771 name as DNS knows it.
1772 That is, you may not use a host alias
1775 due to performance issues and the fact that there is no way to get all
1785 will ignore "." or "" (both denoting current directory) in the
1787 environment variable; the
1789 itself is not modified.
1794 ignore_local_sudoers
1795 If set via LDAP, parsing of
1796 \fI@sysconfdir@/sudoers\fR
1798 This is intended for enterprises that wish to prevent the usage of local
1799 sudoers files so that only LDAP is used.
1800 This thwarts the efforts of rogue operators who would attempt to add roles to
1801 \fI@sysconfdir@/sudoers\fR.
1802 When this option is present,
1803 \fI@sysconfdir@/sudoers\fR
1804 does not even need to exist.
1805 Since this option tells
1807 how to behave when no specific LDAP entries have been matched, this
1808 sudoOption is only meaningful for the
1818 will insult users when they enter an incorrect password.
1824 If set, the host name will be logged in the (non-syslog)
1834 will run the command in a
1836 and log all user input.
1837 If the standard input is not connected to the user's tty, due to
1838 I/O redirection or because the command is part of a pipeline, that
1839 input is also captured and stored in a separate log file.
1841 Input is logged to the directory specified by the
1846 using a unique session ID that is included in the normal
1848 log line, prefixed with
1852 option may be used to control the format of the session ID.
1854 Note that user input may contain sensitive information such as
1855 passwords (even if they are not echoed to the screen), which will
1856 be stored in the log file unencrypted.
1857 In most cases, logging the command output via
1859 is all that is required.
1864 will run the command in a
1866 and log all output that is sent to the screen, similar to the
1869 If the standard output or standard error is not connected to the
1870 user's tty, due to I/O redirection or because the command is part
1871 of a pipeline, that output is also captured and stored in separate
1874 Output is logged to the directory specified by the
1879 using a unique session ID that is included in the normal
1881 log line, prefixed with
1885 option may be used to control the format of the session ID.
1887 Output logs may be viewed with the
1888 sudoreplay(@mansectsu@)
1889 utility, which can also be used to list or search the available logs.
1892 If set, the four-digit year will be logged in the (non-syslog)
1900 When validating with a One Time Password (OTP) scheme such as
1904 a two-line prompt is used to make it easier
1905 to cut and paste the challenge to a local window.
1906 It's not as pretty as the default but some people find it more convenient.
1908 \fI@long_otp_prompt@\fR
1914 user every time a user runs
1923 user if the user running
1925 does not enter the correct password.
1926 If the command the user is attempting to run is not permitted by
1934 flags are set, this flag will have no effect.
1940 If set, mail will be sent to the
1942 user if the invoking user exists in the
1944 file, but is not allowed to run commands on the current host.
1946 \fI@mail_no_host@\fR
1950 If set, mail will be sent to the
1952 user if the invoking user is allowed to use
1954 but the command they are trying is not listed in their
1956 file entry or is explicitly denied.
1958 \fI@mail_no_perms@\fR
1962 If set, mail will be sent to the
1964 user if the invoking user is not in the
1968 \fI@mail_no_user@\fR
1972 If set, all commands run via
1974 will behave as if the
1976 tag has been set, unless overridden by a
1979 See the description of
1980 \fINOEXEC and EXEC\fR
1981 below as well as the
1982 \fIPreventing shell escapes\fR
1983 section at the end of this manual.
1991 will tell the user when a command could not be
1994 environment variable.
1995 Some sites may wish to disable this as it could be used to gather
1996 information on the location of executables that the normal user does
1998 The disadvantage is that if the executable is simply not in the user's
2001 will tell the user that they are not allowed to run it, which can be confusing.
2007 The password prompt specified by
2009 will normally only be used if the password prompt provided by systems
2010 such as PAM matches the string
2013 \fIpassprompt_override\fR
2016 will always be used.
2024 will initialize the group vector to the list of groups the target user is in.
2026 \fIpreserve_groups\fR
2027 is set, the user's existing group vector is left unaltered.
2028 The real and effective group IDs, however, are still set to match the
2037 reads the password like most other Unix programs,
2038 by turning off echo until the user hits the return (or enter) key.
2039 Some users become confused by this as it appears to them that
2041 has hung at this point.
2046 will provide visual feedback when the user presses a key.
2047 Note that this does have a security impact as an onlooker may be able to
2048 determine the length of the password being entered.
2056 will only run when the user is logged in to a real tty.
2057 When this flag is set,
2059 can only be run from a login session and not via other means such as
2067 If set, root is allowed to run
2070 Disabling this prevents users from
2073 commands to get a root shell by doing something like
2074 ``\fRsudo sudo /bin/sh\fR''.
2075 Note, however, that turning off
2077 will also prevent root from running
2081 provides no real additional security; it exists purely for historical reasons.
2089 will prompt for the root password instead of the password of the invoking user.
2097 will prompt for the password of the user defined by the
2100 \fR@runas_default@\fR)
2101 instead of the password of the invoking user.
2113 environment variable will be set to the home directory of the target
2114 user (which is root unless the
2117 This effectively makes the
is already set when the
2125 option is enabled, so
2127 is only effective for configurations where either
2147 environment variables to the name of the target user (usually root unless the
2150 However, since some programs (including the RCS revision control system) use
2152 to determine the real identity of the user, it may be desirable to
2153 change this behavior.
2154 This can be done by negating the set_logname option.
2157 option has not been disabled, entries in the
2159 list will override the value of
2168 will create an entry in the utmp (or utmpx) file when a pseudo-tty
2170 A pseudo-tty is allocated by
2178 By default, the new entry will be a copy of the user's existing utmp
2179 entry (if any), with the tty, time, type and pid fields updated.
2185 Allow the user to disable the
2187 option from the command line via the
2190 Additionally, environment variables set via the command line are
2191 not subject to the restrictions imposed by
2196 As such, only trusted users should be allowed to set variables in this manner.
2204 is invoked with no arguments it acts as if the
2206 option had been given.
2207 That is, it runs a shell as root (the shell is determined by the
2209 environment variable if it is set, falling back on the shell listed
2210 in the invoking user's /etc/passwd entry if not).
2218 executes a command the real and effective UIDs are set to the target
2219 user (root by default).
2220 This option changes that behavior such that the real UID is left
2221 as the invoking user's UID.
2222 In other words, this makes
2224 act as a setuid wrapper.
2225 This can be useful on systems that disable some potentially
2226 dangerous functionality when a program is run setuid.
2227 This option is only effective on systems that support either the
2239 will prompt for the password of the user specified
2244 instead of the password of the invoking user.
2245 In addition, the time stamp file name will include the target user's name.
2246 Note that this flag precludes the use of a uid not listed in the passwd
2247 database as an argument to the
2255 If set, users must authenticate on a per-tty basis.
2256 With this flag enabled,
2258 will use a file named for the tty the user is
2259 logged in on in the user's time stamp directory.
2260 If disabled, the time stamp of the directory is used instead.
2268 will set the umask as specified by
2270 without modification.
2271 This makes it possible to specify a more permissive umask in
2273 than the user's own umask and matches historical behavior.
2275 \fIumask_override\fR
2278 will set the umask to be the union of the user's umask and what is specified in
2281 \fI@umask_override@\fR
2287 will apply the defaults specified for the target user's login class
2291 is configured with the
2292 \fR--with-logincap\fR
will run the command in a pseudo-pty even if no I/O logging is being done.
A malicious program run under
could conceivably fork a background process that retains access to the user's
terminal device after the main program has finished executing.
Use of this option will make that impossible.
2314 will store the name of the runas user when updating the utmp (or utmpx) file.
2317 stores the name of the invoking user.
2325 will refuse to run if the user must enter a password but it is not
2326 possible to disable echo on the terminal.
2331 will prompt for a password even when it would be visible on the screen.
2332 This makes it possible to run things like
2333 ``\fRssh somehost sudo ls\fR''
2337 not allocate a tty when running a command.
2345 Before it executes a command,
2347 will close all open file descriptors other than standard input,
standard output and standard error (i.e., file descriptors 0-2).
2351 option can be used to specify a different file descriptor at which
2357 The number of tries a user gets to enter his/her password before
2359 logs the failure and exits.
2361 \fR@passwd_tries@\fR.
2363 \fBIntegers that can be used in a boolean context\fR:
2366 Number of characters per line for the file log.
2367 This value is used to decide when to wrap lines for nicer log files.
2368 This has no effect on the syslog log file, only the file log.
2371 (use 0 or negate the option to disable word wrap).
2374 Number of minutes before the
2376 password prompt times out, or
2379 The timeout may include a fractional component
2380 if minute granularity is insufficient, for example
2384 \fR@password_timeout@\fR.
2388 Number of minutes that can elapse before
will ask for a password again.
2391 The timeout may include a fractional component if
2392 minute granularity is insufficient, for example
2398 to always prompt for a password.
2399 If set to a value less than
2401 the user's time stamp will never expire.
2402 This can be used to allow users to create or delete their own time stamps via
2409 Umask to use when running the command.
2410 Negate this option or set it to 0777 to preserve the user's umask.
2411 The actual umask that is used will be the union of the user's umask
2412 and the value of the
2414 option, which defaults to
2419 never lowers the umask when running a command.
2420 Note: on systems that use PAM, the default PAM configuration may specify
2421 its own umask which will override the value set in
2427 Message that is displayed if a user enters an incorrect password.
2429 \fR@badpass_message@\fR
2430 unless insults are enabled.
2435 separated list of editors allowed to be used with
2438 will choose the editor that matches the user's
2440 environment variable if possible, or the first editor in the
2441 list that exists and is executable.
2446 The top-level directory to use when constructing the path name for
2447 the input/output log directory.
2452 options are enabled or when the
2456 tags are present for a command.
2457 The session sequence number, if any, is stored in the directory.
2461 The following percent
2463 escape sequences are supported:
2467 expanded to a monotonically increasing base-36 sequence number, such as 0100A5,
2468 where every two digits are used to form a new directory, e.g.\&
2472 expanded to the invoking user's login name
2475 expanded to the name of the invoking user's real group ID
2478 expanded to the login name of the user the command will
2479 be run as (e.g.\& root)
2481 \fR%{runas_group}\fR
2482 expanded to the group name of the user the command will
2483 be run as (e.g.\& wheel)
2486 expanded to the local host name without the domain name
2489 expanded to the base name of the command being run
2491 In addition, any escape sequences supported by the system's
2493 function will be expanded.
2495 To include a literal
2497 character, the string
2505 The path name, relative to
2507 in which to store input/output logs when the
2511 options are enabled or when the
2515 tags are present for a command.
2518 may contain directory components.
2524 option above for a list of supported percent
2528 In addition to the escape sequences, path names that end in six or
2533 replaced with a unique combination of digits and letters, similar to the
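The expansion rules for iolog_dir and iolog_file above, worked through as an added example (this is not sudo's own code). The %{seq} rendering follows the 0100A5 description: a base-36 number whose digits are taken two at a time as directory components. All other escapes are resolved in one pass, so a value substituted for %{user} is never re-expanded. The sample context and time stamp are constructed values.

```python
import re
import time

# Added example, not sudo's own code: expand an iolog_dir / iolog_file
# template as the percent escapes in the sudoers manual describe.

BASE36 = "0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ"

def seq_to_dirs(seq):
    """Render an integer session sequence number as base-36 digits, then use
    every two digits as a directory component, e.g. 0100A5 -> 01/00/A5."""
    digits = ""
    n = seq
    while n:
        digits = BASE36[n % 36] + digits
        n //= 36
    digits = digits.rjust(6, "0")       # six digits, as in the 0100A5 example
    return "/".join(digits[i:i + 2] for i in range(0, len(digits), 2))

# %% first, then %{name}, then a single strftime-style %X escape
ESCAPE_RE = re.compile(r"%%|%\{([a-z_]+)\}|%([A-Za-z])")

def expand_iolog(template, ctx, when):
    """Expand a template in a single pass: %% -> %, %{name} from ctx
    (with %{seq} rendered by seq_to_dirs), and any other %X via
    time.strftime() for the struct_time 'when'. Unknown %{name} is an error."""
    def repl(m):
        if m.group(0) == "%%":
            return "%"
        if m.group(1):
            name = m.group(1)
            if name == "seq":
                return seq_to_dirs(ctx["seq"])
            if name in ctx:
                return str(ctx[name])
            raise ValueError("unknown escape %%{%s}" % name)
        return time.strftime(m.group(0), when)
    return ESCAPE_RE.sub(repl, template)

# Constructed sample context and time (hypothetical values, not real logs)
SAMPLE_CTX = {"user": "millert", "group": "staff", "runas_user": "root",
              "runas_group": "wheel", "hostname": "anchor",
              "command": "vi", "seq": 1679981}      # 1679981 == 0100A5 in base 36
SAMPLE_WHEN = time.strptime("2012-07-16 09:05:00", "%Y-%m-%d %H:%M:%S")

def sample_paths():
    """iolog_dir and iolog_file expanded for the sample; returns (dir, file)."""
    iolog_dir = expand_iolog("/var/log/sudo-io/%{hostname}/%{user}/%Y%m%d",
                             SAMPLE_CTX, SAMPLE_WHEN)
    iolog_file = expand_iolog("%{runas_user}-%{command}-%{seq}",
                              SAMPLE_CTX, SAMPLE_WHEN)
    return iolog_dir, iolog_file

if __name__ == "__main__":
    print(sample_paths())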
2539 The default Solaris limit privileges to use when constructing a new
2540 privilege set for a command.
2541 This bounds all privileges of the executing process.
2542 The default limit privileges may be overridden on a per-command basis in
2544 This option is only available if
2546 is built on Solaris 10 or higher.
2549 Subject of the mail sent to the
2554 will expand to the host name of the machine.
2556 ``\fR@mailsub@\fR''.
2559 This option is no longer supported.
2560 The path to the noexec file should now be set in the
2561 \fI@sysconfdir@/sudo.conf\fR
2565 The default prompt to use when asking for a password; can be overridden via the
2569 environment variable.
2570 The following percent
2572 escape sequences are supported:
2576 expanded to the local host name including the domain name
2577 (only if the machine's host name is fully qualified or the
2582 expanded to the local host name without the domain name
2585 expanded to the user whose password is being asked for (respects the
2594 expanded to the login name of the user the command will
2595 be run as (defaults to root)
2598 expanded to the invoking user's login name
2603 characters are collapsed into a single
2607 The default value is
2608 ``\fR@passprompt@\fR''.
2614 The default Solaris privileges to use when constructing a new
2615 privilege set for a command.
2616 This is passed to the executing process via the inherited privilege set,
2617 but is bounded by the limit privileges.
2620 option is specified but the
2622 option is not, the limit privileges of the executing process is set to
2624 The default privileges may be overridden on a per-command basis in
2626 This option is only available if
2628 is built on Solaris 10 or higher.
2632 The default SELinux role to use when constructing a new security
2633 context to run the command.
2634 The default role may be overridden on a per-command basis in
2636 or via command line options.
2637 This option is only available when
2639 is built with SELinux support.
2642 The default user to run commands as if the
2644 option is not specified on the command line.
2646 \fR@runas_default@\fR.
2649 Syslog priority to use when user authenticates unsuccessfully.
2653 The following syslog priorities are supported:
2665 Syslog priority to use when user authenticates successfully.
2671 for the list of supported syslog priorities.
2674 Locale to use when parsing the sudoers file, logging commands, and
2676 Note that changing the locale may affect how sudoers is interpreted.
2681 The directory in which
2683 stores its time stamp files.
2688 The owner of the time stamp directory and the time stamps stored therein.
2693 The default SELinux type to use when constructing a new security
2694 context to run the command.
2695 The default type may be overridden on a per-command basis in
2697 or via command line options.
2698 This option is only available when
2700 is built with SELinux support.
2702 \fBStrings that can be used in a boolean context\fR:
2707 option specifies the fully qualified path to a file containing variables
2708 to be set in the environment of the program being run.
2709 Entries in this file should either be of the form
2710 ``\fRVARIABLE=value\fR''
2712 ``\fRexport VARIABLE=value\fR''.
2713 The value may optionally be surrounded by single or double quotes.
2714 Variables in this file are subject to other
2716 environment settings such as
2722 Users in this group are exempt from password and PATH requirements.
2723 The group name specified should not include a
2726 This is not set by default.
2729 A string containing a
2731 group plugin with optional arguments.
2732 This can be used to implement support for the
2734 syntax described earlier.
2735 The string should consist of the plugin
2736 path, either fully-qualified or relative to the
2737 \fI@prefix@/libexec\fR
2738 directory, followed by any configuration arguments the plugin requires.
2739 These arguments (if any) will be passed to the plugin's initialization function.
2740 If arguments are present, the string must be enclosed in double quotes
2744 \fI/etc/sudo-group\fR,
2745 a group file in Unix group format, the sample group plugin can be used:
2750 Defaults group_plugin="sample_group.so /etc/sudo-group"
2754 For more information see
2755 sudo_plugin(@mansectform@).
2761 This option controls when a short lecture will be printed along with
2762 the password prompt.
2763 It has the following possible values:
2768 Always lecture the user.
2771 Never lecture the user.
2774 Only lecture the user the first time they run
2777 If no value is specified, a value of
2780 Negating the option results in a value of
2783 The default value is
2790 Path to a file containing an alternate
2792 lecture that will be used in place of the standard lecture if the named
2796 uses a built-in lecture.
2800 This option controls when a password will be required when a user runs
2805 It has the following possible values:
2811 entries for the current host must have
2814 flag set to avoid entering a password.
2817 The user must always enter a password to use the
2822 At least one of the user's
2824 entries for the current host
2827 flag set to avoid entering a password.
2830 The user need never enter a password to use the
2834 If no value is specified, a value of
2837 Negating the option results in a value of
2840 The default value is
2849 log file (not the syslog log file).
2850 Setting a path turns on logging to a file;
2851 negating this option turns it off.
2858 Flags to use when invoking mailer. Defaults to
2862 Path to mail program used to send warning mail.
2863 Defaults to the path to sendmail found at configure time.
2866 Address to use for the
2868 address when sending warning and error mail.
2869 The address should be enclosed in double quotes
2876 Defaults to the name of the user running
2880 Address to send warning and error mail to.
2881 The address should be enclosed in double quotes
2892 Path used for every command run from
2894 If you don't trust the
2899 environment variable you may want to use this.
2900 Another use is if you want to have the
2902 be separate from the
2904 Users in the group specified by the
2906 option are not affected by
2908 This option is @secure_path@ by default.
2911 Syslog facility if syslog is being used for logging (negate to
2912 disable syslog logging).
2916 The following syslog facilities are supported:
2934 This option controls when a password will be required when a user runs
2939 It has the following possible values:
2945 entries for the current host must have the
2947 flag set to avoid entering a password.
2950 The user must always enter a password to use the
2955 At least one of the user's
2957 entries for the current host must have the
2959 flag set to avoid entering a password.
2962 The user need never enter a password to use the
2966 If no value is specified, a value of
2969 Negating the option results in a value of
2972 The default value is
2976 \fBLists that can be used in a boolean context\fR:
2979 Environment variables to be removed from the user's environment if
2980 the variable's value contains
2985 This can be used to guard against printf-style format vulnerabilities
2986 in poorly-written programs.
2987 The argument may be a double-quoted, space-separated list or a
2988 single value without double-quotes.
2989 The list can be replaced, added to, deleted from, or disabled by using
2996 operators respectively.
2997 Regardless of whether the
2999 option is enabled or disabled, variables specified by
3001 will be preserved in the environment if they pass the aforementioned check.
3002 The default list of environment variables to check is displayed when
3010 Environment variables to be removed from the user's environment when the
3012 option is not in effect.
3013 The argument may be a double-quoted, space-separated list or a
3014 single value without double-quotes.
3015 The list can be replaced, added to, deleted from, or disabled by using the
3021 operators respectively.
3022 The default list of environment variables to remove is displayed when
3024 is run by root with the
3027 Note that many operating systems will remove potentially dangerous
3028 variables from the environment of any setuid process (such as
3032 Environment variables to be preserved in the user's environment when the
3034 option is in effect.
3035 This allows fine-grained control over the environment
3037 processes will receive.
3038 The argument may be a double-quoted, space-separated list or a
3039 single value without double-quotes.
3040 The list can be replaced, added to, deleted from, or disabled by using the
3046 operators respectively.
3047 The default list of variables to keep
3050 is run by root with the
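How the env_check, env_delete and env_keep lists interact, as an added example (not sudo's own implementation). It assumes, as the env_check description says, that a checked variable is dropped when its value contains a percent or slash character, and that checked variables survive regardless of env_reset; env_keep is consulted only when env_reset is in effect and env_delete only when it is not. The three lists and the sample environment are constructed, not the compiled-in defaults (those are shown by sudo -V as root).

```python
# Added example, not sudo's own code: apply sudoers-style environment
# filtering to a dict and return the environment the command would inherit.

# Constructed lists for the example; the real defaults come from `sudo -V`.
ENV_CHECK = {"COLORTERM", "LANG", "LC_ALL", "TZ"}
ENV_DELETE = {"IFS", "CDPATH", "LD_PRELOAD", "PERLLIB"}
ENV_KEEP = {"HOME", "PATH", "TERM", "DISPLAY"}

def value_is_unsafe(value):
    """The env_check test (assumption: '%' or '/' anywhere in the value)."""
    return "%" in value or "/" in value

def filter_environment(env, env_reset, env_check=ENV_CHECK,
                       env_delete=ENV_DELETE, env_keep=ENV_KEEP):
    """Return the filtered environment.

    env_reset True:  start empty, keep env_keep members and env_check
                     members that pass the check.
    env_reset False: keep everything except env_delete members and
                     env_check members that fail the check.
    """
    out = {}
    for name, value in env.items():
        if name in env_check:
            if not value_is_unsafe(value):
                out[name] = value
            continue                      # checked vars ignore the other lists
        if env_reset:
            if name in env_keep:
                out[name] = value
        elif name not in env_delete:
            out[name] = value
    return out

# Constructed sample environment (not captured from a real session)
SAMPLE_ENV = {
    "PATH": "/usr/bin:/bin",
    "HOME": "/home/millert",
    "LANG": "en_US.UTF-8",
    "TZ": "/usr/share/zoneinfo/UTC",   # legitimate, but fails the check
    "IFS": " ",
    "LD_PRELOAD": "/tmp/x.so",
    "FOO": "bar",
}

if __name__ == "__main__":
    print("env_reset:   ", sorted(filter_environment(SAMPLE_ENV, True)))
    print("!env_reset:  ", sorted(filter_environment(SAMPLE_ENV, False)))
```

Note the TZ entry: a path-valued TZ is a normal way to select a zone, yet the slash makes env_check reject it. That false positive is the price of the printf-style guard the text describes, and is the usual reason a site moves a variable from env_check to env_keep.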
3055 can log events using either
3057 or a simple log file.
3058 In each case the log format is almost identical.
3059 .SS "Accepted command log entries"
3060 Commands that sudo runs are logged using the following format (split
3061 into multiple lines for readability):
date hostname progname: username : TTY=ttyname ; PWD=cwd ; \e
USER=runasuser ; GROUP=runasgroup ; TSID=logid ; \e
ENV=env_vars COMMAND=command
3071 Where the fields are as follows:
3074 The date the command was run.
3075 Typically, this is in the format
3076 ``MMM, DD, HH:MM:SS''.
3079 the actual date format is controlled by the syslog daemon.
3080 If logging to a file and the
3083 the date will also include the year.
3086 The name of the host
3089 This field is only present when logging via
3093 The name of the program, usually
3097 This field is only present when logging via
3101 The login name of the user who ran
3105 The short name of the terminal (e.g.\&
3113 if there was no terminal present.
3116 The current working directory that
3121 The user the command was run as.
3124 The group the command was run as if one was specified on the command line.
3127 An I/O log identifier that can be used to replay the command's output.
3128 This is only present when the
3135 A list of environment variables specified on the command line,
3139 The actual command that was executed.
3141 Messages are logged using the locale specified by
3142 \fIsudoers_locale\fR,
3143 which defaults to the
3146 .SS "Denied command log entries"
3147 If the user is not allowed to run the command, the reason for the denial
3148 will follow the user name.
3149 Possible reasons include:
3152 The user is not listed in the
3156 user NOT authorized on host
3157 The user is listed in the
3159 file but is not allowed to run commands on the host.
3162 The user is listed in the
3164 file for the host but they are not allowed to run the specified command.
3166 3 incorrect password attempts
3167 The user failed to enter their password after 3 tries.
3168 The actual number of tries will vary based on the number of
3169 failed attempts and the value of the
3173 a password is required
3176 option was specified but a password was required.
3178 sorry, you are not allowed to set the following environment variables
3179 The user specified environment variables on the command line that
3182 .SS "Error log entries"
3185 will log a message and, in most cases, send a message to the
3186 administrator via email.
3187 Possible errors include:
3189 parse error in @sysconfdir@/sudoers near line N
3191 encountered an error when parsing the specified file.
3192 In some cases, the actual error may be one line above or below the
3193 line number listed, depending on the type of error.
3195 problem with defaults entries
3198 file contains one or more unknown Defaults settings.
3199 This does not prevent
3201 from running, but the
3203 file should be checked using
3206 timestamp owner (username): \&No such user
3207 The time stamp directory owner, as specified by the
3208 \fItimestampowner\fR
3209 setting, could not be found in the password database.
3211 unable to open/read @sysconfdir@/sudoers
3214 file could not be opened for reading.
3215 This can happen when the
3217 file is located on a remote file system that maps user ID 0 to
3223 using group permissions to avoid this problem.
3224 Consider changing the ownership of
3225 \fI@sysconfdir@/sudoers\fR
3226 by adding an option like
3230 is the user ID that owns the
3235 \fI@sysconfdir@/sudo.conf\fR
3238 unable to stat @sysconfdir@/sudoers
3240 \fI@sysconfdir@/sudoers\fR
3243 @sysconfdir@/sudoers is not a regular file
3245 \fI@sysconfdir@/sudoers\fR
3246 file exists but is not a regular file or symbolic link.
3248 @sysconfdir@/sudoers is owned by uid N, should be 0
3251 file has the wrong owner.
3252 If you wish to change the
3254 file owner, please add
3258 is the user ID that owns the
3263 \fI@sysconfdir@/sudo.conf\fR
3266 @sysconfdir@/sudoers is world writable
3267 The permissions on the
3269 file allow all users to write to it.
3272 file must not be world-writable, the default file mode
3273 is 0440 (readable by owner and group, writable by none).
3274 The default mode may be changed via the
3279 \fI@sysconfdir@/sudo.conf\fR
3282 @sysconfdir@/sudoers is owned by gid N, should be 1
3285 file has the wrong group ownership.
3286 If you wish to change the
3288 file group ownership, please add
3292 is the group ID that owns the
3297 \fI@sysconfdir@/sudo.conf\fR
3300 unable to open @timedir@/username/ttyname
3302 was unable to read or create the user's time stamp file.
3304 unable to write to @timedir@/username/ttyname
3306 was unable to write to the user's time stamp file.
3308 unable to mkdir to @timedir@/username
3310 was unable to create the user's time stamp directory.
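A check for the ownership and mode conditions behind the "owned by uid", "owned by gid", "world writable" and "not a regular file" entries above, as an added example that is not sudo's own code. The expected owner, group and mode default to the values the sudoers_uid, sudoers_gid and sudoers_mode plugin options take (0, 1 and 0440); the message texts are modelled on the log entries, not copied from sudo.

```python
import os
import stat

# Added example, not sudo's own code: report sudoers file ownership and
# permission problems of the kind the error log entries describe.

def check_sudoers_stat(st_mode, st_uid, st_gid, path="/etc/sudoers",
                       want_uid=0, want_gid=1, want_mode=0o440):
    """Return a list of problem strings (empty when the file is acceptable)."""
    problems = []
    if not stat.S_ISREG(st_mode):
        problems.append("%s is not a regular file" % path)
        return problems                  # nothing else is meaningful
    if st_uid != want_uid:
        problems.append("%s is owned by uid %d, should be %d"
                        % (path, st_uid, want_uid))
    if st_gid != want_gid:
        problems.append("%s is owned by gid %d, should be %d"
                        % (path, st_gid, want_gid))
    perm = stat.S_IMODE(st_mode)
    if perm & stat.S_IWOTH:
        problems.append("%s is world writable" % path)
    elif perm & ~want_mode:
        # permission bits beyond the expected mode, e.g. group write or execute
        problems.append("%s is mode %04o, should be %04o" % (path, perm, want_mode))
    return problems

def check_sudoers_file(path="/etc/sudoers", **expected):
    """Stat a real file (symbolic links are followed) and check it."""
    st = os.stat(path)
    return check_sudoers_stat(st.st_mode, st.st_uid, st.st_gid, path, **expected)

if __name__ == "__main__":
    for line in check_sudoers_file() or ["/etc/sudoers: ok"]:
        print(line)
```

When the sudoers file lives on a remote file system that maps uid 0 to something else, the same check, run with the want_uid and want_gid you configured in sudo.conf, confirms that the file's ownership matches what the plugin will insist on.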
3311 .SS "Notes on logging via syslog"
3321 fields are added by the syslog daemon, not
3324 As such, they may vary in format on different systems.
3328 has a relatively small log buffer.
3329 To prevent the command line arguments from being truncated,
3331 will split up log messages that are larger than 960 characters
3332 (not including the date, hostname, and the string
3334 When a message is split, additional parts will include the string
3335 ``(command continued)''
3336 after the user name and before the continued command line arguments.
3337 .SS "Notes on logging to a file"
3342 will log to a local file, such as
3343 \fI/var/log/sudo\fR.
3344 When logging to a file,
3346 uses a format similar to
3348 with a few important differences:
3355 fields are not present.
3361 the date will also include the year.
3364 Lines that are longer than
3366 characters (80 by default) are word-wrapped and continued on the
3367 next line with a four character indent.
3368 This makes entries easier to read for a human being, but makes it
3369 more difficult to use
3374 option is set to 0 (or negated with a
3376 word wrap will be disabled.
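A parser for the accepted, denied and error entries described in this section, as an added example that is not sudo's own code. It undoes both forms of splitting just described, the four-space continuation indent of the file log and the "(command continued)" parts of a syslog message, before breaking a record into its fields; a reason that follows the user name is kept separately so denials can be listed. Joining split syslog parts with a single space assumes sudo split the message at a space. The sample records are constructed, not captured from a real host.

```python
import re

# Added example, not sudo's own code: reassemble and parse sudoers log records.

# Constructed sample records: syslog style (with a denial and a message split
# at 960 characters), and file-log style with log_year and 80-column wrapping.
SYSLOG_SAMPLE = [
    "Jul 16 10:22:33 anchor sudo:  millert : TTY=pts/0 ; PWD=/home/millert ; USER=root ; COMMAND=/usr/bin/id",
    "Jul 16 10:23:01 anchor sudo:      bob : user NOT in sudoers ; TTY=pts/1 ; PWD=/home/bob ; USER=root ; COMMAND=/bin/sh",
    "Jul 16 10:25:10 anchor sudo:  millert : TTY=pts/0 ; PWD=/home/millert ; USER=root ; COMMAND=/usr/bin/find / -name",
    "Jul 16 10:25:10 anchor sudo:  millert : (command continued) core -print",
]
FILE_SAMPLE = """\
Jul 16 10:22:33 2012 : millert : TTY=pts/0 ; PWD=/home/millert ; USER=root ;
    COMMAND=/usr/bin/id
Jul 16 10:30:02 2012 : jill : 3 incorrect password attempts ; TTY=pts/2 ;
    PWD=/home/jill ; USER=root ; COMMAND=/usr/bin/passwd root
"""

# date [year], then either "hostname progname:" (syslog) or ":" (file log),
# then the user name (sudo pads it with spaces) and the rest of the record
RECORD_RE = re.compile(
    r"^(?P<date>[A-Z][a-z]{2} +\d+ \d\d:\d\d:\d\d(?: \d{4})?)"
    r"(?: (?P<host>\S+) (?P<prog>\S+): | : )"
    r"\s*(?P<user>\S+) : (?P<rest>.*)$")
CONTINUED = "(command continued) "

def reassemble(lines):
    """Join wrapped file-log lines and '(command continued)' syslog parts."""
    records = []
    for line in lines:
        line = line.rstrip("\n")
        if line.startswith("    ") and records:          # file-log word wrap
            records[-1] += " " + line.strip()
            continue
        m = RECORD_RE.match(line)
        if m and m.group("rest").startswith(CONTINUED) and records:
            records[-1] += " " + m.group("rest")[len(CONTINUED):]
            continue
        records.append(line)
    return records

def parse_record(record):
    """Split one record into date/host/prog/user, an optional denial reason,
    the KEY=value fields and the command. Returns None for non-sudo lines."""
    m = RECORD_RE.match(record)
    if not m:
        return None
    rest = m.group("rest")
    idx = rest.find("COMMAND=")
    if idx < 0:
        return None
    entry = {"date": m.group("date"), "host": m.group("host"),
             "prog": m.group("prog"), "user": m.group("user"),
             "reason": None, "fields": {},
             "command": rest[idx + len("COMMAND="):]}
    head = rest[:idx].strip()
    if head.endswith(";"):
        head = head[:-1].rstrip()
    for seg in head.split(" ; "):
        key, eq, val = seg.partition("=")
        if eq and key.isupper():
            entry["fields"][key] = val           # TTY, PWD, USER, GROUP, TSID, ENV
        elif seg:
            entry["reason"] = seg                # text that followed the user name
    return entry

def parse_log(lines):
    return [e for e in (parse_record(r) for r in reassemble(lines)) if e]

def denials(entries):
    """(user, reason) for every record where a reason followed the user name."""
    return [(e["user"], e["reason"]) for e in entries if e["reason"]]

if __name__ == "__main__":
    for e in parse_log(SYSLOG_SAMPLE) + parse_log(FILE_SAMPLE.splitlines()):
        print(e["user"], e["reason"] or "ok", e["command"])
```

Records are keyed on the text after COMMAND= only once the parts have been rejoined, which is why reassemble() runs first: on a busy host the second part of a split message is the one that carries the arguments an analyst wants to see.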
3379 \fI@sysconfdir@/sudo.conf\fR
3380 file determines which plugins the
3382 front end will load.
3384 \fI@sysconfdir@/sudo.conf\fR
3386 is present, or it contains no
3392 security policy and I/O logging, which corresponds to the following
3393 \fI@sysconfdir@/sudo.conf\fR
# Default @sysconfdir@/sudo.conf file
# Plugin plugin_name plugin_path plugin_options ...
# Path askpass /path/to/askpass
# Path noexec /path/to/sudo_noexec.so
# Debug sudo /var/log/sudo_debug all@warn
# Set disable_coredump true
# The plugin_path is relative to @prefix@/libexec unless
# The plugin_name corresponds to a global symbol in the plugin
# that contains the plugin interface structure.
# The plugin_options are optional.
Plugin policy_plugin sudoers.so
Plugin io_plugin sudoers.so
3418 .SS "Plugin options"
3421 1.8.5, it is possible to pass options to the
3424 Options may be listed after the path to the plugin (i.e.\& after
3426 multiple options should be space-separated.
3431 Plugin sudoers_policy sudoers.so sudoers_file=/etc/sudoers sudoers_uid=0 sudoers_gid=0 sudoers_mode=0440
3435 The following plugin options are supported:
3437 sudoers_file=pathname
3440 option can be used to override the default path
3448 option can be used to override the default owner of the sudoers file.
3449 It should be specified as a numeric user ID.
3454 option can be used to override the default group of the sudoers file.
3455 It should be specified as a numeric group ID.
3460 option can be used to override the default file mode for the sudoers file.
3461 It should be specified as an octal value.
3463 Versions 1.8.4 and higher of the
3465 plugin supports a debugging framework that can help track down what the
3466 plugin is doing internally if there is a problem.
3467 This can be configured in the
3468 \fI@sysconfdir@/sudo.conf\fR
3469 file as described in
3474 plugin uses the same debug flag format as the
3477 \fIsubsystem\fR@\fIpriority\fR.
3479 The priorities used by
3481 in order of decreasing severity,
3492 Each priority, when specified, also includes all priorities higher than it.
3493 For example, a priority of
3495 would include debug messages logged at
3499 The following subsystems are used by
3511 matches every subsystem
3514 BSM and Linux audit code
3525 environment handling
3534 matching of users, groups, hosts and netgroups in
3538 network interface handling
3541 network service switch handling in
3557 pseudo-tty related code
3560 redblack tree internals
3566 \fI@sysconfdir@/sudo.conf\fR
3567 Sudo front end configuration
3569 \fI@sysconfdir@/sudoers\fR
3570 List of who can run what
3576 List of network groups
3582 Directory containing time stamps for the
3586 \fI/etc/environment\fR
3587 Initial environment for
3589 mode on AIX and Linux systems
3594 Admittedly, some of these are a bit contrived.
3595 First, we allow a few environment variables to pass and then define our
# Run X applications through sudo; HOME is used to find the
# .Xauthority file. Note that other programs use HOME to find
# configuration files and this may lead to privilege escalation!
Defaults env_keep += "DISPLAY HOME"
# User alias specification
User_Alias FULLTIMERS = millert, mikef, dowdy
User_Alias PARTTIMERS = bostley, jwfox, crawl
User_Alias WEBMASTERS = will, wendy, wim
# Runas alias specification
Runas_Alias OP = root, operator
Runas_Alias DB = oracle, sybase
Runas_Alias ADMINGRP = adm, oper
# Host alias specification
Host_Alias SPARC = bigtime, eclipse, moet, anchor :\e
SGI = grolsch, dandelion, black :\e
ALPHA = widget, thalamus, foobar :\e
HPPA = boa, nag, python
Host_Alias CUNETS = 128.138.0.0/255.255.0.0
Host_Alias CSNETS = 128.138.243.0, 128.138.204.0/24, 128.138.242.0
Host_Alias SERVERS = master, mail, www, ns
Host_Alias CDROM = orion, perseus, hercules
# Cmnd alias specification
Cmnd_Alias DUMPS = /usr/bin/mt, /usr/sbin/dump, /usr/sbin/rdump,\e
/usr/sbin/restore, /usr/sbin/rrestore
Cmnd_Alias KILL = /usr/bin/kill
Cmnd_Alias PRINTING = /usr/sbin/lpc, /usr/bin/lprm
Cmnd_Alias SHUTDOWN = /usr/sbin/shutdown
Cmnd_Alias HALT = /usr/sbin/halt
Cmnd_Alias REBOOT = /usr/sbin/reboot
Cmnd_Alias SHELLS = /usr/bin/sh, /usr/bin/csh, /usr/bin/ksh,\e
/usr/local/bin/tcsh, /usr/bin/rsh,\e
Cmnd_Alias SU = /usr/bin/su
Cmnd_Alias PAGERS = /usr/bin/more, /usr/bin/pg, /usr/bin/less
3641 Here we override some of the compiled in default values.
3648 facility in all cases.
3649 We don't want to subject the full time staff to the
3653 need not give a password, and we don't want to reset the
3658 environment variables when running commands as root.
3659 Additionally, on the machines in the
3662 we keep an additional local log file and make sure we log the year
3663 in each log line since the log entries will be kept around for several years.
3664 Lastly, we disable shell escapes for the commands in the PAGERS
3666 (\fI/usr/bin/more\fR,
3669 \fI/usr/bin/less\fR)
# Override built-in defaults
Defaults syslog=auth
Defaults>root !set_logname
Defaults:FULLTIMERS !lecture
Defaults:millert !authenticate
Defaults@SERVERS log_year, logfile=/var/log/sudo.log
Defaults!PAGERS noexec
3685 \fIUser specification\fR
3686 is the part that actually determines who may run what.
root ALL = (ALL) ALL
%wheel ALL = (ALL) ALL
3697 and any user in group
3699 run any command on any host as any user.
3703 FULLTIMERS ALL = NOPASSWD: ALL
3712 may run any command on any host without authenticating themselves.
3716 PARTTIMERS ALL = ALL
3725 may run any command on any host but they must authenticate themselves
3726 first (since the entry lacks the
3738 may run any command on the machines in the
3741 \fR128.138.243.0\fR,
3742 \fR128.138.204.0\fR,
3744 \fR128.138.242.0\fR).
3745 Of those networks, only
3747 has an explicit netmask (in CIDR notation) indicating it is a class C network.
3748 For the other networks in
3750 the local machine's netmask will be used during matching.
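The host matching just described, worked through as an added example that is not sudo's own code: an element with an explicit netmask (prefix length or dotted form) is matched as that network, a bare address is matched against the local address using the local interface's netmask, and anything else is taken as a host name. The Host_Alias lines are the ones from the example sudoers above; the local addresses and netmasks are constructed. The small alias parser handles the single-alias form only, not the ":\" multi-alias form.

```python
import ipaddress

# Added example, not sudo's own code: match a local host against Host_Alias
# members as the CSNETS / CUNETS discussion describes.

def parse_host_alias(line):
    """Parse 'Host_Alias NAME = a, b, c' into (NAME, [a, b, c])."""
    _, _, body = line.strip().partition("Host_Alias")
    name, _, members = body.partition("=")
    return name.strip(), [m.strip() for m in members.split(",") if m.strip()]

def parse_host_spec(spec, local_netmask):
    """Return an ip_network for address-like members, else a lower-cased host name."""
    spec = spec.strip()
    if "/" in spec:
        addr, mask = spec.split("/", 1)
        # explicit netmask: either a prefix length (24) or dotted (255.255.0.0)
        return ipaddress.ip_network("%s/%s" % (addr, mask), strict=False)
    try:
        ipaddress.ip_address(spec)
    except ValueError:
        return spec.lower()
    # bare address: the local interface's netmask is used during matching
    return ipaddress.ip_network("%s/%s" % (spec, local_netmask), strict=False)

def host_matches(members, hostname, local_ip, local_netmask="255.255.255.0"):
    """True if the local host (by name or address) matches any alias member."""
    ip = ipaddress.ip_address(local_ip)
    for spec in members:
        net = parse_host_spec(spec, local_netmask)
        if isinstance(net, str):
            if net == hostname.lower():
                return True
        elif ip in net:
            return True
    return False

# Host_Alias lines taken from the example sudoers above
CSNETS = parse_host_alias("Host_Alias CSNETS = 128.138.243.0, 128.138.204.0/24, 128.138.242.0")[1]
CUNETS = parse_host_alias("Host_Alias CUNETS = 128.138.0.0/255.255.0.0")[1]
SERVERS = parse_host_alias("Host_Alias SERVERS = master, mail, www, ns")[1]

if __name__ == "__main__":
    # constructed local host: anchor at 128.138.243.9 with a /24 netmask
    print(host_matches(CSNETS, "anchor", "128.138.243.9"))
    print(host_matches(CUNETS, "anchor", "128.138.243.9"))
    print(host_matches(SERVERS, "anchor", "128.138.243.9"))
```

Because the bare-address members depend on the local netmask, the same CSNETS alias can match on one host and not on another with a narrower mask; that is why the text singles out 128.138.204.0/24 as the only member whose meaning is fixed by the sudoers file alone.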
3760 may run any command on any host in the
3762 alias (the class B network
operator ALL = DUMPS, KILL, SHUTDOWN, HALT, REBOOT, PRINTING,\e
sudoedit /etc/printcap, /usr/oper/bin/
3774 user may run commands limited to simple maintenance.
3775 Here, those are commands related to backups, killing processes, the
3776 printing system, shutting down the system, and any commands in the
3778 \fI/usr/oper/bin/\fR.
3782 joe ALL = /usr/bin/su operator
3794 pete HPPA = /usr/bin/passwd [A-Za-z]*, !/usr/bin/passwd root
3796 %opers ALL = (: ADMINGRP) /usr/sbin/
3802 group may run commands in
3805 with any group in the
3816 is allowed to change anyone's password except for
3820 Note that this assumes
3822 does not take multiple user names on the command line.
3826 bob SPARC = (OP) ALL : SGI = (OP) ALL
3832 may run anything on the
3836 machines as any user listed in the
3851 may run any command on machines in the
3857 is a netgroup due to the
3863 +secretaries ALL = PRINTING, /usr/bin/adduser, /usr/bin/rmuser
3869 netgroup need to help manage the printers as well as add and remove users,
3870 so they are allowed to run those commands on all machines.
3874 fred ALL = (DB) NOPASSWD: ALL
3880 can run commands as any user in the
3886 without giving a password.
3890 john ALPHA = /usr/bin/su [!-]*, !/usr/bin/su *root*
3898 may su to anyone except root but he is not allowed to specify any options
3905 jen ALL, !SERVERS = ALL
3911 may run any command on any machine except for those in the
3914 (master, mail, www and ns).
3918 jill SERVERS = /usr/bin/, !SU, !SHELLS
3922 For any machine in the
3927 any commands in the directory
3929 except for those commands
3938 steve CSNETS = (operator) /usr/local/op_commands/
3944 may run any command in the directory /usr/local/op_commands/
3945 but only as user operator.
3949 matt valkyrie = KILL
3953 On his personal workstation, valkyrie,
3955 needs to be able to kill hung processes.
3959 WEBMASTERS www = (www) ALL, (root) /usr/bin/su www
3963 On the host www, any user in the
3966 (will, wendy, and wim), may run any command as user www (which owns the
3967 web pages) or simply
3973 ALL CDROM = NOPASSWD: /sbin/umount /CDROM,\e
3974 /sbin/mount -o nosuid\,nodev /dev/cd0a /CDROM
3978 Any user may mount or unmount a CD-ROM on the machines in the CDROM
3980 (orion, perseus, hercules) without entering a password.
3981 This is a bit tedious for users to type, so it is a prime candidate
3982 for encapsulating in a shell script.
3983 .SH "SECURITY NOTES"
3984 .SS "Limitations of the `!\&' operator"
3985 It is generally not effective to
3992 A user can trivially circumvent this by copying the desired command
3993 to a different name and then executing that.
3998 bill ALL = ALL, !SU, !SHELLS
4002 Doesn't really prevent
4004 from running the commands listed in
4008 since he can simply copy those commands to a different name, or use
4009 a shell escape from an editor or other program.
4010 Therefore, this kind of restriction should be considered
4011 advisory at best (and reinforced by policy).
4013 In general, if a user has sudo
4015 there is nothing to prevent them from creating their own program that gives
4016 them a root shell (or making their own copy of a shell) regardless of any
4018 elements in the user specification.
4019 .SS "Security implications of \fIfast_glob\fR"
4022 option is in use, it is not possible to reliably negate commands where the
4023 path name includes globbing (aka wildcard) characters.
4024 This is because the C library's
4026 function cannot resolve relative paths.
4027 While this is typically only an inconvenience for rules that grant privileges,
4028 it can result in a security issue for rules that subtract or revoke privileges.
4030 For example, given the following
4036 john ALL = /usr/bin/passwd [a-zA-Z0-9]*, /usr/bin/chsh [a-zA-Z0-9]*,\e
4037 /usr/bin/chfn [a-zA-Z0-9]*, !/usr/bin/* root
4044 \fR/usr/bin/passwd root\fR
4047 is enabled by changing to
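The following Python program is an added illustration and is not part of sudo. It models only the command and argument matching that the two notes above rely on (the limits of the `!' operator and the effect of fast_glob): a throw-away directory stands in for /usr/bin and /tmp, and the rule sets for bill and john are assumed from the examples. Hosts, Runas lists, tags and digests are not modelled.

```python
"""Toy model of sudoers command matching (added example, not sudo's code).

Two points from SECURITY NOTES are reproduced:
  * a negated entry such as "!SHELLS" matches the file (device and
    inode), so a copy of the shell under another name is not negated;
  * with fast_glob, a negated wildcard entry is matched with fnmatch()
    on the string the user typed, so "./passwd root" run from inside
    /usr/bin slips past "!/usr/bin/* root".
The directory built by demo() is a stand-in for /usr/bin and /tmp.
"""
import fnmatch
import glob
import os
import shutil
import tempfile


def _has_magic(s):
    return any(c in s for c in "*?[")


def _same_file(a, b):
    # sudo compares st_dev/st_ino, not the path string, so "./passwd"
    # run from /usr/bin is the same command as "/usr/bin/passwd".
    try:
        return os.path.samefile(a, b)
    except OSError:
        return False


def command_matches(rule_cmnd, rule_args, user_cmnd, user_args, fast_glob):
    """True if one rule entry matches the command the user typed.

    rule_cmnd: "ALL", an absolute path, a directory ending in "/", or a
               path containing wildcards.
    rule_args: None for "any arguments", else a pattern matched against
               the arguments joined by spaces.
    user_cmnd: the path as typed, possibly relative to the current dir.
    """
    if rule_cmnd == "ALL":
        return True
    if rule_cmnd.endswith("/"):
        # A directory entry grants every file directly inside it.
        if not any(_same_file(p, user_cmnd) for p in glob.glob(rule_cmnd + "*")):
            return False
    elif _has_magic(rule_cmnd):
        if fast_glob:
            # fast_glob: the pattern is matched against the typed string;
            # nothing is resolved against the file system.
            if not fnmatch.fnmatchcase(user_cmnd, rule_cmnd):
                return False
        else:
            # Default: expand the pattern to real files, compare inodes.
            if not any(_same_file(p, user_cmnd) for p in glob.glob(rule_cmnd)):
                return False
    elif not _same_file(rule_cmnd, user_cmnd):
        return False
    if rule_args is None:
        return True
    return fnmatch.fnmatchcase(" ".join(user_args), rule_args)


def allowed(rules, user_cmnd, user_args, fast_glob=False):
    """rules: list of (negated, cmnd, args) in sudoers order.
    As in sudoers, every entry is examined and the last match decides."""
    verdict = False
    for negated, cmnd, args in rules:
        if command_matches(cmnd, args, user_cmnd, user_args, fast_glob):
            verdict = not negated
    return verdict


def demo():
    """Build a throw-away bin/ and tmp/ and try both bypasses.
    Returns a dict; True means sudo would run the command."""
    top = tempfile.mkdtemp()
    try:
        bin_dir = os.path.join(top, "bin")
        tmp_dir = os.path.join(top, "tmp")
        os.mkdir(bin_dir)
        os.mkdir(tmp_dir)
        for name in ("passwd", "chsh", "sh"):
            path = os.path.join(bin_dir, name)
            with open(path, "w") as f:
                f.write("#!/bin/sh\n")  # placeholder for the real binary
            os.chmod(path, 0o755)
        sh = os.path.join(bin_dir, "sh")
        passwd = os.path.join(bin_dir, "passwd")
        copied_sh = os.path.join(tmp_dir, "mysh")
        shutil.copy(sh, copied_sh)  # "copy the command to a different name"

        # bill ALL = ALL, !SHELLS          (SHELLS = <bin>/sh)
        bill = [(False, "ALL", None), (True, sh, None)]
        # john ALL = <bin>/passwd [a-zA-Z0-9]*, !<bin>/* root
        john = [(False, passwd, "[a-zA-Z0-9]*"),
                (True, os.path.join(bin_dir, "*"), "root")]

        old_cwd = os.getcwd()
        os.chdir(bin_dir)  # john "changing to /usr/bin"
        try:
            return {
                "bill_sh": allowed(bill, sh, []),
                "bill_copied_sh": allowed(bill, copied_sh, []),
                "john_abs_normal": allowed(john, passwd, ["root"]),
                "john_abs_fast_glob": allowed(john, passwd, ["root"], True),
                "john_rel_normal": allowed(john, "./passwd", ["root"]),
                "john_rel_fast_glob": allowed(john, "./passwd", ["root"], True),
            }
        finally:
            os.chdir(old_cwd)
    finally:
        shutil.rmtree(top)


if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case:20s} {'ALLOWED' if ok else 'denied'}")
```

Only the last two john cases differ: with the default matching, the expanded `/usr/bin/*' is compared by inode and `./passwd root' is denied; with fast_glob the negation never matches the relative string and the positive entry (a literal path, still matched by inode) lets it through. The bill case shows the same inode-based rule working against the administrator: the copy in tmp/ is a different file, so `!SHELLS' does not apply.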
4052 .SS "Preventing shell escapes"
4055 executes a program, that program is free to do whatever
4056 it pleases, including run other programs.
4057 This can be a security issue since it is not uncommon for a program to
4058 allow shell escapes, which lets a user bypass
4060 access control and logging.
4061 Common programs that permit shell escapes include shells (obviously),
4062 editors, paginators, mail and terminal programs.
4064 There are two basic approaches to this problem:
4067 Avoid giving users access to commands that allow the user to run
4069 Many editors have a restricted mode where shell
4070 escapes are disabled, though
4072 is a better solution to
4075 Due to the large number of programs that
4076 offer shell escapes, restricting users to the set of programs that
4077 do not is often unworkable.
4080 Many systems that support shared libraries have the ability to
4081 override default library functions by pointing an environment
4084 to an alternate shared library.
4088 functionality can be used to prevent a program run by
4090 from executing any other programs.
4091 Note, however, that this applies only to native dynamically-linked
4093 Statically-linked executables and foreign executables
4094 running under binary emulation are not affected.
4098 feature is known to work on SunOS, Solaris, *BSD,
4099 Linux, IRIX, Tru64 UNIX, MacOS X, HP-UX 11.x and AIX 5.3 and above.
4100 It should be supported on most operating systems that support the
4102 environment variable.
4103 Check your operating system's manual pages for the dynamic linker
4104 (usually ld.so, ld.so.1, dyld, dld.sl, rld, or loader) to see if
4108 On Solaris 10 and higher,
4110 uses Solaris privileges instead of the
4112 environment variable.
4116 for a command, use the
4119 in the User Specification section above.
4120 Here is that example again:
4125 aaron shanty = NOEXEC: /usr/bin/more, /usr/bin/vi
4138 This will prevent those two commands from
4139 executing other commands (such as a shell).
4140 If you are unsure whether or not your system is capable of supporting
4142 you can always just try it out and check whether shell escapes work when
4147 Note that restricting shell escapes is not a panacea.
4148 Programs running as root are still capable of many potentially hazardous
4149 operations (such as changing or overwriting files) that could lead
4150 to unintended privilege escalation.
4151 In the specific case of an editor, a safer approach is to give the
4152 user permission to run
4154 .SS "Time stamp file checks"
4156 will check the ownership of its time stamp directory
4159 and ignore the directory's contents if it is not owned by root or
4160 if it is writable by a user other than root.
4161 On systems that allow non-root users to give away files via
4163 if the time stamp directory is located in a world-writable
4166 it is possible for a user to create the time stamp directory before
4171 checks the ownership and mode of the directory and its
4172 contents, the only damage that can be done is to
4174 files by putting them in the time stamp dir.
4175 This is unlikely to happen since once the time stamp dir is owned by root
4176 and inaccessible by any other user, the user placing files there would be
4177 unable to get them back out.
4180 will not honor time stamps set far in the future.
4181 Time stamps with a date greater than current_time + 2 *
4183 will be ignored and sudo will log and complain.
4184 This is done to keep a user from creating his/her own time stamp with a
4185 bogus date on systems that allow users to give away files if the time
4186 stamp directory is located in a world-writable directory.
4188 On systems where the boot time is available,
4190 will ignore time stamps that date from before the machine booted.
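The checks above, modelled in Python as an added example that is not sudo's own code: the directory must be root-owned and writable by root only, and a time stamp is honoured only if it is not more than 2 * timeout in the future, not older than the last boot, and within the timeout. The timeout value, the fake stat objects and the clock values in demo() are assumptions for the illustration.

```python
"""Model of the sudoers time stamp sanity checks (added example, not
sudo's code).  Constants and the fake stat objects are assumptions."""
import stat
from types import SimpleNamespace


def timestamp_dir_trusted(dir_stat):
    """The time stamp directory is trusted only if root owns it and
    nobody but root can write to it; otherwise its contents are ignored."""
    others_can_write = dir_stat.st_mode & (stat.S_IWGRP | stat.S_IWOTH)
    return dir_stat.st_uid == 0 and not others_can_write


def timestamp_status(mtime, now, timeout_minutes, boot_time=None):
    """Classify a time stamp file's modification time.

    "valid"     still grants a password-free run
    "future"    more than 2 * timeout ahead of now: logged and ignored
    "pre-boot"  older than the machine's boot time: ignored
    "expired"   older than the timeout: re-authenticate
    """
    timeout = timeout_minutes * 60
    if mtime > now + 2 * timeout:
        return "future"
    if boot_time is not None and mtime < boot_time:
        return "pre-boot"
    if now - mtime > timeout:
        return "expired"
    return "valid"


def may_skip_password(dir_stat, mtime, now, timeout_minutes, boot_time=None):
    """Both the directory and the individual time stamp must pass."""
    return (timestamp_dir_trusted(dir_stat)
            and timestamp_status(mtime, now, timeout_minutes, boot_time) == "valid")


def demo():
    """Assumed clock values: now, a boot one hour ago, 5 minute timeout."""
    now = 1_000_000
    boot = now - 3600
    root_dir = SimpleNamespace(st_uid=0, st_mode=stat.S_IFDIR | 0o700)
    user_dir = SimpleNamespace(st_uid=1000, st_mode=stat.S_IFDIR | 0o700)
    world_writable = SimpleNamespace(st_uid=0, st_mode=stat.S_IFDIR | 0o777)
    return {
        "fresh": may_skip_password(root_dir, now - 60, now, 5, boot),
        "user_owned_dir": may_skip_password(user_dir, now - 60, now, 5, boot),
        "world_writable_dir": may_skip_password(world_writable, now - 60, now, 5, boot),
        "bogus_future": timestamp_status(now + 11 * 60, now, 5),
        "before_boot": timestamp_status(now - 7200, now, 5, boot),
        "stale": timestamp_status(now - 10 * 60, now, 5, boot),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case:20s} {result}")
```

The "future" bound is checked before the boot-time bound so that a file stamped with a bogus far-future date is always reported, even on systems where no boot time is available.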
4192 Since time stamp files live in the file system, they can outlive a
4193 user's login session.
4194 As a result, a user may be able to login, run a command with
4196 after authenticating, logout, login again, and run
4198 without authenticating so long as the time stamp file's modification
4201 minutes (or whatever the timeout is set to in
4205 option is enabled, the time stamp has per-tty granularity but still
4206 may outlive the user's session.
4207 On Linux systems where the devpts filesystem is used, Solaris systems
4208 with the devices filesystem, as well as other systems that utilize a
4209 devfs filesystem that monotonically increases the inode number of devices
4210 as they are created (such as Mac OS X),
4212 is able to determine when a tty-based time stamp file is stale and will
4214 Administrators should not rely on this feature as it is not universally
4223 sudoers.ldap(@mansectform@),
4224 sudo_plugin(@mansectsu@),
4234 command, which locks the file and checks the grammar.
4238 be free of syntax errors since
4240 will not run with a syntactically incorrect
4244 When using netgroups of machines (as opposed to users), if you
4245 store fully qualified host names in the netgroup (as is usually the
4246 case), you either need to have the machine's host name be fully qualified
4254 If you feel you have found a bug in
4256 please submit a bug report at http://www.sudo.ws/sudo/bugs/
4258 Limited free support is available via the sudo-users mailing list,
4259 see http://www.sudo.ws/mailman/listinfo/sudo-users to subscribe or
4260 search the archives.
4265 and any express or implied warranties, including, but not limited
4266 to, the implied warranties of merchantability and fitness for a
4267 particular purpose are disclaimed.
4268 See the LICENSE file distributed with
4270 or http://www.sudo.ws/sudo/license.html for complete details.