.\" DO NOT EDIT THIS FILE, IT IS NOT THE MASTER!
.\" IT IS GENERATED AUTOMATICALLY FROM sudoers.mdoc.in
.\" Copyright (c) 1994-1996, 1998-2005, 2007-2013
.\" Todd C. Miller <Todd.Miller@courtesan.com>
.\" Permission to use, copy, modify, and distribute this software for any
.\" purpose with or without fee is hereby granted, provided that the above
.\" copyright notice and this permission notice appear in all copies.
.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
.\" ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
.\" Sponsored in part by the Defense Advanced Research Projects
.\" Agency (DARPA) and Air Force Research Laboratory, Air Force
.\" Materiel Command, USAF, under agreement number F39502-99-1-0512.
.TH "SUDOERS" "@mansectsu@" "April 30, 2013" "Sudo @PACKAGE_VERSION@" "Programmer's Manual"
\- default sudo security policy plugin
policy plugin determines a user's
The policy is driven by
\fI@sysconfdir@/sudoers\fR
file or, optionally, in LDAP.
The policy format is described in detail in the
\fISUDOERS FILE FORMAT\fR
For information on storing
sudoers.ldap(@mansectform@).
.SS "Configuring sudo.conf for sudoers"
sudo.conf(@mansectform@)
file to determine which policy and I/O logging plugins to load.
sudo.conf(@mansectform@)
file is present, or if it contains no
will be used for policy decisions and I/O logging.
To explicitly configure
sudo.conf(@mansectform@)
plugin, the following configuration can be used.
Plugin sudoers_policy sudoers.so
Plugin sudoers_io sudoers.so
1.8.5, it is possible to specify optional arguments to the
sudo.conf(@mansectform@)
These arguments, if present, should be listed after the path to the plugin
Multiple arguments may be specified, separated by white space.
Plugin sudoers_policy sudoers.so sudoers_mode=0400
The following plugin arguments are supported:
argument can be used to override the default path to the
argument can be used to override the default path to the
sudoers_file=pathname
argument can be used to override the default path to the
argument can be used to override the default owner of the sudoers file.
It should be specified as a numeric user ID.
argument can be used to override the default group of the sudoers file.
It must be specified as a num
eric group ID (not a group name).
argument can be used to override the default file mode for the sudoers file.
It should be specified as an octal value.
For more information on configuring
sudo.conf(@mansectform@),
please refer to its manual.
.SS "Authentication and logging"
security policy requires that most users authenticate
themselves before they can use
A password is not required
if the invoking user is root, if the target user is the same as the
invoking user, or if the policy has disabled authentication for the
authentication, it validates the invoking user's credentials, not
the target user's (or root's) credentials.
This can be changed via
flags, described later.
If a user who is not listed in the policy tries to run a command
mail is sent to the proper authorities.
used for such mail is configurable via the
(described later) and defaults to
Note that mail will not be sent if an unauthorized user tries to
determine for themselves whether or not they are allowed to use
is run by root and the
policy will use this value to determine who
This can be used by a user to log commands
through sudo even when a root shell has been invoked.
option to remain useful even when invoked via a
sudo-run script or program.
Note, however, that the
lookup is still done for root, not the user specified by
uses time stamp files for credential caching.
user has been authenticated, the time stamp is updated and the user
may then use sudo without a password for a short period of time
minutes unless overridden by the
uses a tty-based time stamp which means that
there is a separate time stamp for each of a user's login sessions.
option can be disabled to force the use of a
single time stamp for all of a user's sessions.
can log both successful and unsuccessful attempts (as well
but this is changeable via the
also supports logging a command's input and output
I/O logging is not on by default but can be enabled using
Defaults flags as well as the
.SS "Command environment"
Since environment variables can influence program behavior,
provides a means to restrict which variables from the user's
environment are inherited by the command to be run.
can deal with environment variables.
to be executed with a new, minimal environment.
systems without PAM), the environment is initialized with the
\fI/etc/environment\fR
On BSD systems, if the
option is enabled, the environment is initialized
\fI/etc/login.conf\fR.
The new environment contains the
in addition to variables from the invoking process permitted by the
This is effectively a whitelist
for environment variables.
option is disabled, any variables not
explicitly denied by the
inherited from the invoking process.
behave like a blacklist.
Since it is not possible
to blacklist all potentially dangerous environment variables, use
behavior is encouraged.
In all cases, environment variables with a value beginning with
are removed as they could be interpreted as
The list of environment variables that
contained in the output of
Note that the dynamic linker on most operating systems will remove
variables that can control dynamic linking from the environment of
setuid executables, including
Depending on the operating
system this may include
These types of variables are
removed from the environment before
even begins execution
and, as such, it is not possible for
As a special case, if
option (initial login) is
will initialize the environment regardless
variables remain unchanged;
are set based on the target user.
systems without PAM), the contents of
\fI/etc/environment\fR
On BSD systems, if the
\fI/etc/login.conf\fR
All other environment variables are removed.
option is defined, any variables present
in that file will be set to their specified values as long as they
would not conflict with an existing environment variable.
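The whitelist and blacklist behaviour described above, as an added example that is not part of the sudoers manual or of sudo itself: a Python model of how the command's environment is built from the caller's environment with env_reset on or off, with env_check values rejected when they contain '%' or '/', env_delete applied in blacklist mode, and values beginning with '()' (the bash function case the text refers to) dropped in every mode. The env_keep, env_check and env_delete lists, the target user and the caller environment are constructed for the example.

```python
from typing import Dict, Set

# Constructed lists for the example; the real env_keep, env_check and
# env_delete defaults are longer and are printed by "sudo -V" when run as root.
ENV_KEEP = {"TERM", "DISPLAY", "LANG"}
ENV_CHECK = {"TZ", "COLORTERM"}
ENV_DELETE = {"LD_PRELOAD", "LD_LIBRARY_PATH", "IFS", "ENV", "BASH_ENV"}

# Assumed target user for the env_reset case (constructed values).
TARGET = {"name": "root", "home": "/root", "shell": "/bin/sh"}

# Constructed caller environment: harmless, suspicious and dangerous entries.
CALLER_ENV = {
    "TERM": "xterm-256color",
    "PATH": "/home/alice/bin:/usr/bin",
    "LS_COLORS": "di=34",
    "LD_PRELOAD": "/tmp/hook.so",          # would hijack dynamic linking
    "TZ": "../../../tmp/zone",             # relative path smuggled via TZ
    "PS1": "() { :; }; id",                # bash function definition
}


def env_check_ok(value: str) -> bool:
    """env_check variables survive only if the value has no '%' or '/'."""
    return "%" not in value and "/" not in value


def looks_like_shell_function(value: str) -> bool:
    """A value beginning with '()' can be imported by bash as a function."""
    return value.startswith("()")


def build_environment(caller_env: Dict[str, str], env_reset: bool,
                      env_keep: Set[str] = ENV_KEEP,
                      env_check: Set[str] = ENV_CHECK,
                      env_delete: Set[str] = ENV_DELETE) -> Dict[str, str]:
    """Return the environment the command would receive.

    env_reset=True  -> whitelist: a minimal environment plus the caller's
                       env_keep variables and env_check variables that pass.
    env_reset=False -> blacklist: everything the caller had except env_delete
                       variables and env_check variables that fail.
    Variables whose value starts with '()' are dropped in both modes.
    """
    if env_reset:
        new_env = {
            "HOME": TARGET["home"],
            "SHELL": TARGET["shell"],
            "LOGNAME": TARGET["name"],
            "USER": TARGET["name"],
        }
    else:
        new_env = {}
    for name, value in caller_env.items():
        if looks_like_shell_function(value):
            continue
        if name in env_check and not env_check_ok(value):
            continue
        if env_reset:
            if name in env_keep or name in env_check:
                new_env[name] = value
        elif name not in env_delete:
            new_env[name] = value
    return new_env


if __name__ == "__main__":
    for mode in (True, False):
        print("env_reset =", mode, "->", sorted(build_environment(CALLER_ENV, mode)))
```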
.SH "SUDOERS FILE FORMAT"
file is composed of two types of entries: aliases
(basically variables) and user specifications (which specify who
When multiple entries match for a user, they are applied in order.
Where there are multiple matches, the last match is used (which is
not necessarily the most specific match).
grammar will be described below in Extended Backus-Naur
Don't despair if you are unfamiliar with EBNF; it is fairly simple,
and the definitions below are annotated.
.SS "Quick guide to EBNF"
EBNF is a concise and exact way of describing the grammar of a language.
Each EBNF definition is made up of
\fIproduction rules\fR.
\fRsymbol ::= definition\fR | \fRalternate1\fR | \fRalternate2 ...\fR
\fIproduction rule\fR
references others and thus makes up a
grammar for the language.
EBNF also contains the following
operators, which many readers will recognize from regular
Do not, however, confuse them with
characters, which have different meanings.
Means that the preceding symbol (or group of symbols) is optional.
That is, it may appear once or not at all.
Means that the preceding symbol (or group of symbols) may appear
Means that the preceding symbol (or group of symbols) may appear
Parentheses may be used to group symbols together.
we will use single quotes
to designate what is a verbatim character string (as opposed to a symbol name).
There are four kinds of aliases:
Alias ::= 'User_Alias' User_Alias (':' User_Alias)* |
'Runas_Alias' Runas_Alias (':' Runas_Alias)* |
'Host_Alias' Host_Alias (':' Host_Alias)* |
'Cmnd_Alias' Cmnd_Alias (':' Cmnd_Alias)*
User_Alias ::= NAME '=' User_List
Runas_Alias ::= NAME '=' Runas_List
Host_Alias ::= NAME '=' Host_List
Cmnd_Alias ::= NAME '=' Cmnd_List
NAME ::= [A-Z]([A-Z][0-9]_)*
definition is of the form
Alias_Type NAME = item1, item2, ...
is a string of uppercase letters, numbers,
and underscore characters
It is possible to put several alias definitions
of the same type on a single line, joined by a colon
Alias_Type NAME = item1, item2, item3 : NAME = item4, item5
The definitions of what constitutes a valid
User ::= '!'* user name |
'!'* %:nonunix_group |
'!'* %:#nonunix_gid |
is made up of one or more user names, user IDs
system group names and IDs (prefixed with
respectively), netgroups (prefixed with
non-Unix group names and IDs (prefixed with
Each list item may be prefixed with zero or more
operators negate the value of
the item; an even number just cancel each other out.
may be enclosed in double quotes to avoid the
need for escaping special characters.
Alternately, special characters
may be specified in escaped hex mode, e.g.\& \ex20 for space.
using double quotes, any prefix characters must be included inside
the underlying group provider plugin.
For instance, the QAS AD plugin supports the following formats:
Group in the same domain: "%:Group Name"
Group in any domain: "%:Group Name@FULLY.QUALIFIED.DOMAIN"
Group SID: "%:S-1-2-34-5678901234-5678901234-5678901234-567"
\fIGROUP PROVIDER PLUGINS\fR
for more information.
Note that quotes around group names are optional.
Unquoted strings must use a backslash
to escape spaces and special characters.
\fIOther special characters and reserved words\fR
characters that need to be escaped.
Runas_List ::= Runas_Member |
Runas_Member ',' Runas_List
Runas_Member ::= '!'* user name |
'!'* %:nonunix_group |
'!'* %:#nonunix_gid |
user names and groups are matched as strings.
users (groups) with the same uid (gid) are considered to be distinct.
If you wish to match all user names with the same uid (e.g.\&
root and toor), you can use a uid instead (#0 in the example given).
Host ::= '!'* host name |
'!'* network(/netmask)? |
is made up of one or more host names, IP addresses,
network numbers, netgroups (prefixed with
Again, the value of an item may be negated with the
If you do not specify a netmask along with the network number,
will query each of the local host's network interfaces and,
if the network number corresponds to one of the host's network
interfaces, the corresponding netmask will be used.
may be specified either in standard IP address notation
(e.g.\& 255.255.255.0 or ffff:ffff:ffff:ffff::),
or CIDR notation (number of bits, e.g.\& 24 or 64).
A host name may include shell-style wildcards (see the
command on your machine returns the fully
qualified host name, you'll need to use the
option for wildcards to be useful.
only inspects actual network interfaces; this means that IP address
127.0.0.1 (localhost) will never match.
will only match if that is the actual host name, which is usually
only the case for non-networked systems.
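As an added example (not from the sudoers manual or from sudo itself), the following Python code models how a User_List or Host_List is evaluated: the '!' parity rule, matching by user name versus numeric uid, system group name or numeric gid, and host matching by name, by interface address, or by network with a CIDR, dotted or implicit netmask. The Principal and HostInfo types, the sample users and the host boulder are constructed; netgroups come from a constructed set and non-Unix groups are treated as unmatched because they need an external source. Shell-style wildcards in host names are not implemented.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Callable, List, Optional, Set


@dataclass
class Principal:
    """The invoking user as the policy sees it (constructed for the example)."""
    name: str
    uid: int
    groups: Set[str] = field(default_factory=set)
    gids: Set[int] = field(default_factory=set)
    netgroups: Set[str] = field(default_factory=set)


@dataclass
class HostInfo:
    """The local host: its name, interface addresses and (one) netmask."""
    name: str
    addresses: List[str]
    netmask: str


def strip_negation(item: str):
    """Return (negated, bare item): an odd number of leading '!' negates."""
    bangs = len(item) - len(item.lstrip("!"))
    return bangs % 2 == 1, item[bangs:]


def user_member_matches(member: str, who: Principal) -> bool:
    if member == "ALL":
        return True
    if member.startswith("#"):            # numeric user ID (matches root and toor)
        return who.uid == int(member[1:])
    if member.startswith("%:"):           # non-Unix group: needs a group plugin,
        return False                      # treated as unmatched here
    if member.startswith("%#"):           # numeric group ID
        return int(member[2:]) in who.gids
    if member.startswith("%"):            # system group name
        return member[1:] in who.groups
    if member.startswith("+"):            # netgroup (constructed set here)
        return member[1:] in who.netgroups
    return member == who.name             # user names are compared as strings


def host_member_matches(member: str, host: HostInfo) -> bool:
    """Host name, IP address, or network with CIDR, dotted or implicit netmask."""
    if member == "ALL":
        return True
    if member.startswith("+"):            # netgroup: treated as unmatched
        return False
    local = [ipaddress.ip_address(a) for a in host.addresses]
    try:
        if "/" in member:                 # network/netmask: "24" or "255.255.255.0"
            net = ipaddress.ip_network(member, strict=False)
            return any(a in net for a in local)
        addr = ipaddress.ip_address(member)
    except ValueError:
        return member == host.name        # not an address: a plain host name
    if addr in local:                     # one of this host's own addresses
        return True
    try:                                  # bare network number: reuse the
        net = ipaddress.ip_network(f"{member}/{host.netmask}")  # interface netmask
    except ValueError:                    # host bits set: not a network number
        return False
    return any(a in net for a in local)


def list_matches(text: str, matcher: Callable, subject) -> Optional[bool]:
    """Evaluate a User_List or Host_List; the last matching item decides.
    True = allowed, False = explicitly excluded, None = nothing matched
    (a list consisting only of '!root' denies root and matches nobody else)."""
    result = None
    for item in (x.strip() for x in text.split(",") if x.strip()):
        negated, bare = strip_negation(item)
        if matcher(bare, subject):
            result = not negated
    return result


# Constructed principals and host used by the usage below.
ALICE = Principal("alice", 1001, {"wheel", "users"}, {10, 100})
ROOT = Principal("root", 0, {"root"}, {0})
TOOR = Principal("toor", 0, {"wheel"}, {0})
BOULDER = HostInfo("boulder", ["192.168.1.5"], "255.255.255.0")

if __name__ == "__main__":
    print(list_matches("ALL, !root", user_member_matches, ALICE))      # True
    print(list_matches("root", user_member_matches, TOOR))             # None
    print(list_matches("#0", user_member_matches, TOOR))               # True
    print(list_matches("192.168.1.0", host_member_matches, BOULDER))   # True
```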
digest ::= [A-Fa-f0-9]+ |
Digest_Spec ::= "sha224" ':' digest |
"sha256" ':' digest |
"sha384" ':' digest |
command name ::= file name |
Cmnd ::= Digest_Spec? '!'* command name |
is a list of one or more command names, directories, and other aliases.
A command name is a fully qualified file name which may include
shell-style wildcards (see the
A simple file name allows the user to run the command with any
arguments he/she wishes.
However, you may also specify command line arguments (including
Alternately, you can specify
to indicate that the command
command line arguments.
fully qualified path name ending in a
When you specify a directory in a
the user will be able to run any file within that directory
(but not in any sub-directories therein).
has associated command line arguments, then the arguments
must match exactly those given by the user on the command line
(or match the wildcards if there are any).
Note that the following characters must be escaped with a
if they are used in command arguments:
is used to permit a user to run
It may take command line arguments just as a normal command does.
is a command built into
itself and must be specified in
without a leading path.
the command will only match successfully if it can be verified
using the specified SHA-2 digest.
This may be useful in situations where the user invoking
has write access to the command or its parent directory.
The following digest formats are supported: sha224, sha256, sha384 and sha512.
The string may be specified in either hex or base64 format
(base64 is more compact).
There are several utilities capable of generating SHA-2 digests in hex
format such as openssl, shasum, sha224sum, sha256sum, sha384sum, sha512sum.
For example, using openssl:
$ openssl dgst -sha224 /bin/ls
SHA224(/bin/ls)= 118187da8364d490b4a7debbf483004e8f3e053ec954309de2c41a25
It is also possible to use openssl to generate base64 output:
$ openssl dgst -binary -sha224 /bin/ls | openssl base64
EYGH2oNk1JC0p9679IMATo8+BT7JVDCd4sQaJQ==
Command digests are only supported by version 1.8.7 or higher.
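The digest check described above, as an added example rather than code from sudo: a Python Digest_Spec parser that accepts both the hex and the base64 form shown in the openssl output, verifies a byte string or a file against the spec with a constant-time comparison, and produces the spec string an administrator would put in front of a command. The path and algorithm given on the command line are whatever the reader supplies.

```python
import base64
import hashlib
import hmac
from typing import Tuple

# Digest sizes in bytes for the four supported algorithms.
DIGEST_SIZES = {"sha224": 28, "sha256": 32, "sha384": 48, "sha512": 64}


def parse_digest_spec(spec: str) -> Tuple[str, bytes]:
    """Parse 'sha224:<hex or base64>' into (algorithm, raw digest bytes).

    Hex and base64 are told apart by length: hex is exactly twice the digest
    size, base64 is shorter (the two openssl forms shown above).
    """
    algo, sep, value = spec.partition(":")
    value = value.strip()
    if not sep or algo not in DIGEST_SIZES:
        raise ValueError(f"unsupported digest spec: {spec!r}")
    size = DIGEST_SIZES[algo]
    if len(value) == size * 2:
        raw = bytes.fromhex(value)                 # ValueError on bad hex
    else:
        raw = base64.b64decode(value, validate=True)
    if len(raw) != size:
        raise ValueError(f"{algo} digest must be {size} bytes, got {len(raw)}")
    return algo, raw


def digest_of_bytes(data: bytes, algo: str) -> bytes:
    return hashlib.new(algo, data).digest()


def digest_of_file(path: str, algo: str) -> bytes:
    h = hashlib.new(algo)
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.digest()


def spec_for_bytes(data: bytes, algo: str, encoding: str = "hex") -> str:
    """The Digest_Spec string an administrator would write in front of a command."""
    raw = digest_of_bytes(data, algo)
    encoded = raw.hex() if encoding == "hex" else base64.b64encode(raw).decode()
    return f"{algo}:{encoded}"


def bytes_match_digest(data: bytes, spec: str) -> bool:
    """True if data hashes to the digest in spec (constant-time comparison)."""
    algo, expected = parse_digest_spec(spec)
    return hmac.compare_digest(digest_of_bytes(data, algo), expected)


def file_matches_digest(path: str, spec: str) -> bool:
    """True if the file at path matches spec; this is the check sudoers
    applies before running a digest-qualified command."""
    algo, expected = parse_digest_spec(spec)
    return hmac.compare_digest(digest_of_file(path, algo), expected)


if __name__ == "__main__":
    import sys
    # Usage: python3 digest_spec.py /bin/ls [sha224]  -> prints both encodings
    path = sys.argv[1]
    algo = sys.argv[2] if len(sys.argv) > 2 else "sha224"
    with open(path, "rb") as fh:
        data = fh.read()
    print(spec_for_bytes(data, algo, "hex"))
    print(spec_for_bytes(data, algo, "base64"))
```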
Certain configuration options may be changed from their default
values at run-time via one or more
These may affect all users on any host, all users on a specific host, a
specific user, a specific command, or commands being run as a specific user.
Note that per-command entries may not include command line arguments.
If you need to specify arguments, define a
Default_Type ::= 'Defaults' |
'Defaults' '@' Host_List |
'Defaults' ':' User_List |
'Defaults' '!' Cmnd_List |
'Defaults' '>' Runas_List
Default_Entry ::= Default_Type Parameter_List
Parameter_List ::= Parameter |
Parameter ',' Parameter_List
Parameter ::= Parameter '=' Value |
Parameter '+=' Value |
Parameter '-=' Value |
Flags are implicitly boolean and can be turned off via the
Some integer, string and list parameters may also be
used in a boolean context to disable them.
Values may be enclosed
when they contain multiple words.
Special characters may be escaped with a backslash
Lists have two additional assignment operators,
These operators are used to add to and delete from a list respectively.
It is not an error to use the
operator to remove an element
that does not exist in a list.
Defaults entries are parsed in the following order: generic, host
and user Defaults first, then runas Defaults and finally command
\fISUDOERS OPTIONS\fR
for a list of supported Defaults parameters.
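An added example (not sudo's own parser) of how a handful of Defaults lines combine, in Python: the Parameter_List splitter respects double quotes and backslash escapes, '+=' and '-=' extend or prune a list (removing an absent element is not an error), a leading '!' turns a flag off, and entries are applied in the parse order stated above, so a command-scoped Defaults line takes effect even when it appears earlier in the file. The parameter type table, the sample lines and the matching context are constructed; scope lists are assumed to contain no spaces.

```python
import re
from typing import Any, Dict, List, Optional

# Constructed type table: the full parameter list is in SUDOERS OPTIONS.
LIST_PARAMS = {"env_keep", "env_check", "env_delete"}
# Parse order from the text: generic, host and user Defaults first, then
# runas Defaults, then command Defaults.
SCOPE_RANK = {None: 0, "@": 0, ":": 0, ">": 1, "!": 2}
LINE_RE = re.compile(r"^Defaults(?:([@:!>])\s*(\S+))?\s+(.*)$")
ITEM_RE = re.compile(r"^(!?)\s*([A-Za-z_][A-Za-z0-9_]*)\s*(\+=|-=|=)?\s*(.*)$", re.S)


def split_params(text: str) -> List[str]:
    """Split a Parameter_List on commas outside double quotes (backslash escapes)."""
    items, buf, quoted, escaped = [], [], False, False
    for ch in text:
        if escaped:
            escaped = False
        elif ch == "\\":
            escaped = True
        elif ch == '"':
            quoted = not quoted
        elif ch == "," and not quoted:
            items.append("".join(buf))
            buf = []
            continue
        buf.append(ch)
    items.append("".join(buf))
    return [item.strip() for item in items if item.strip()]


def unquote(value: str) -> str:
    """Strip surrounding double quotes and resolve backslash escapes."""
    value = value.strip()
    if len(value) >= 2 and value[0] == '"' and value[-1] == '"':
        value = value[1:-1]
    return re.sub(r"\\(.)", r"\1", value)


def parse_defaults_line(line: str):
    """Return (scope kind or None, scope list text, [(negated, name, op, value)])."""
    m = LINE_RE.match(line.strip())
    if not m:
        raise ValueError(f"not a Defaults line: {line!r}")
    kind, scope, params = m.groups()
    parsed = []
    for item in split_params(params):
        pm = ITEM_RE.match(item)
        if not pm:
            raise ValueError(f"bad parameter: {item!r}")
        neg, name, op, value = pm.groups()
        parsed.append((neg == "!", name, op, value))
    return kind, scope, parsed


def apply_defaults(lines: List[str], context: Dict[str, str],
                   settings: Optional[Dict[str, Any]] = None) -> Dict[str, Any]:
    """Apply the Defaults lines whose scope matches context ('@' host, ':' user,
    '>' runas user, '!' command) in sudoers parse order; return the settings."""
    settings = dict(settings or {})
    parsed = [parse_defaults_line(l) for l in lines if l.strip().startswith("Defaults")]
    parsed.sort(key=lambda p: SCOPE_RANK[p[0]])   # stable: file order within a rank
    for kind, scope, params in parsed:
        if kind and context.get(kind) not in scope.split(","):
            continue
        for negated, name, op, value in params:
            if name in LIST_PARAMS:
                words = unquote(value).split() if value else []
                current = list(settings.get(name, []))
                if negated:                            # "!env_keep" empties the list
                    current = []
                elif op == "+=":
                    current += [w for w in words if w not in current]
                elif op == "-=":                       # absent elements are no error
                    current = [w for w in current if w not in words]
                else:
                    current = words
                settings[name] = current
            elif op is None:                           # flag: on, or off via '!'
                settings[name] = not negated
            else:                                      # integer or string parameter
                settings[name] = None if negated else unquote(value)
    return settings


# Constructed sudoers fragment: the command-scoped line comes early in the
# file but is applied last, so HOME ends up removed from env_keep for vi.
SAMPLE = [
    'Defaults env_reset, env_keep = "EDITOR VISUAL"',
    'Defaults!/usr/bin/vi env_keep -= "HOME"',
    'Defaults env_keep += "HOME", env_keep -= "NOT_THERE"',
    'Defaults:alice !requiretty, passwd_tries=5',
    'Defaults>root !env_reset',
    'Defaults@remote requiretty',
]
CONTEXT = {"@": "boulder", ":": "alice", ">": "root", "!": "/usr/bin/vi"}
```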
.SS "User specification"
User_Spec ::= User_List Host_List '=' Cmnd_Spec_List \e
(':' Host_List '=' Cmnd_Spec_List)*
Cmnd_Spec_List ::= Cmnd_Spec |
Cmnd_Spec ',' Cmnd_Spec_List
Cmnd_Spec ::= Runas_Spec? SELinux_Spec? Solaris_Priv_Spec? Tag_Spec* Cmnd
Runas_Spec ::= '(' Runas_List? (':' Runas_List)? ')'
SELinux_Spec ::= ('ROLE=role' | 'TYPE=type')
Solaris_Priv_Spec ::= ('PRIVS=privset' | 'LIMITPRIVS=privset')
Tag_Spec ::= ('NOPASSWD:' | 'PASSWD:' | 'NOEXEC:' | 'EXEC:' |
'SETENV:' | 'NOSETENV:' | 'LOG_INPUT:' | 'NOLOG_INPUT:' |
'LOG_OUTPUT:' | 'NOLOG_OUTPUT:')
\fBuser specification\fR
determines which commands a user may run
(and as what user) on specified hosts.
By default, commands are
but this can be changed on a per-command basis.
The basic structure of a user specification is
``who where = (as_whom) what''.
Let's break that down into its constituent parts:
determines the user and/or the group that a command
(as defined above) separated by a colon
and enclosed in a set of parentheses.
which users the command may be run as via
The second defines a list of groups that can be specified via
are specified, the command may be run with any combination of users
and groups listed in their respective
If only the first is specified, the command may be run as any user
second is specified, the command may be run as the invoking user
with the group set to any listed in the
are empty, the command may only be run as the invoking user.
is specified the command may be run as
no group may be specified.
sets the default for the commands that follow it.
What this means is that for the entry:
dgb boulder = (operator) /bin/ls, /bin/kill, /usr/bin/lprm
\fI/usr/bin/lprm\fR\(embut
$ sudo -u operator /bin/ls
It is also possible to override a
later on in an entry.
If we modify the entry like so:
dgb boulder = (operator) /bin/ls, (root) /bin/kill, /usr/bin/lprm
is now allowed to run
We can extend this to allow
the user or group set to
dgb boulder = (operator : operator) /bin/ls, (root) /bin/kill,\e
Note that while the group portion of the
user to run the command with that group, it does not force the user
If no group is specified on the command line, the command
will run with the group listed in the target user's password database
The following would all be permitted by the sudoers entry above:
$ sudo -u operator /bin/ls
$ sudo -u operator -g operator /bin/ls
$ sudo -g operator /bin/ls
In the following example, user
may run commands that access
a modem device file with the dialer group.
tcm boulder = (:dialer) /usr/bin/tip, /usr/bin/cu,\e
/usr/local/bin/minicom
Note that in this example only the group will be set, the command
$ sudo -g dialer /usr/bin/cu
Multiple users and groups may be present in a
in which case the user may select any combination of users and groups via the
alan ALL = (root, bin : operator, system) ALL
may run any command as either user root or bin,
optionally setting the group to operator or system.
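The Runas_Spec rules above, as an added example that is not part of the sudoers manual or of sudo: a Python check of whether a given sudo -u/-g request is permitted by a (users : groups) spec, plus a helper that shows how a Runas_Spec sets the default for the commands that follow it in a Cmnd_Spec_List. The default runas user is assumed to be root; negation and aliases inside the lists, and tags such as NOPASSWD:, are not handled.

```python
import re
from typing import List, Optional, Tuple

RunasSpec = Tuple[List[str], List[str]]     # (user Runas_List, group Runas_List)


def _split(text: str) -> List[str]:
    return [x.strip() for x in text.split(",") if x.strip()]


def parse_runas_spec(text: str) -> Optional[RunasSpec]:
    """'(users : groups)' -> (users, groups); '' (no Runas_Spec) -> None."""
    text = text.strip()
    if not text:
        return None
    if not (text.startswith("(") and text.endswith(")")):
        raise ValueError(f"bad Runas_Spec: {text!r}")
    users, _, groups = text[1:-1].partition(":")
    return _split(users), _split(groups)


def _in_list(name: str, runas_list: List[str]) -> bool:
    return "ALL" in runas_list or name in runas_list


def runas_permitted(spec: Optional[RunasSpec], invoking_user: str,
                    target_user: Optional[str] = None,
                    target_group: Optional[str] = None) -> bool:
    """Apply the Runas_Spec rules to 'sudo [-u target_user] [-g target_group]'.

    target_user=None means no -u was given; if -g is absent as well the
    command runs as root (the default runas user is assumed to be root).
    """
    if spec is None:                          # no Runas_Spec: root only, no -g
        return target_group is None and target_user in (None, "root")
    users, groups = spec
    if target_user is None and target_group is None:
        target_user = "root"
    # User part: -g alone keeps the invoking user, which needs no user entry.
    if target_user is None:
        user_ok = True
    elif users:
        user_ok = _in_list(target_user, users)
    else:                                     # empty user list: invoking user only
        user_ok = target_user == invoking_user
    # Group part: a group may be requested only if the spec lists groups.
    if target_group is None:
        group_ok = True
    else:
        group_ok = bool(groups) and _in_list(target_group, groups)
    return user_ok and group_ok


def _split_cmnd_specs(text: str) -> List[str]:
    """Split a Cmnd_Spec_List on commas outside the Runas_Spec parentheses."""
    items, buf, depth = [], [], 0
    for ch in text:
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
        if ch == "," and depth == 0:
            items.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
    items.append("".join(buf))
    return [i.strip() for i in items if i.strip()]


def assign_runas(cmnd_spec_list: str) -> List[Tuple[str, Optional[RunasSpec]]]:
    """Pair each command with the Runas_Spec in force for it: a Runas_Spec
    sets the default for every command that follows it in the list."""
    result, current = [], None
    for item in _split_cmnd_specs(cmnd_spec_list):
        m = re.match(r"^(\([^)]*\))?\s*(.+)$", item)
        if m.group(1):
            current = parse_runas_spec(m.group(1))
        result.append((m.group(2).strip(), current))
    return result


if __name__ == "__main__":
    # The entry from the text: dgb boulder = (operator) /bin/ls, (root) /bin/kill, /usr/bin/lprm
    for cmd, spec in assign_runas("(operator) /bin/ls, (root) /bin/kill, /usr/bin/lprm"):
        print(cmd, spec, runas_permitted(spec, "dgb", "operator"))
```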
On systems with SELinux support,
entries may optionally have an SELinux role and/or type associated
type is specified with the command it will override any default values
A role or type specified on the command line,
however, will supersede the values in
.SS "Solaris_Priv_Spec"
entries may optionally specify Solaris privilege set and/or limit
privilege set associated with a command.
If privileges or limit privileges are specified with the command
it will override any default values specified in
A privilege set is a comma-separated list of privilege names.
command can be used to list all privileges known to the system.
In addition, there are several
the set of all privileges
the set of all privileges available in the current zone
the default set of privileges normal users are granted at login time
Privileges can be excluded from a set by prefixing the privilege
A command may have zero or more tags associated with it.
ten possible tag values:
Once a tag is set on a
\fRCmnd_Spec_List\fR,
inherit the tag unless it is overridden by the opposite tag (in other words,
\fINOPASSWD\fR and \fIPASSWD\fR
requires that a user authenticate him or herself
before running a command.
This behavior can be modified via the
a default for the commands that follow it in the
\fRCmnd_Spec_List\fR.
tag can be used to reverse things.
ray rushmore = NOPASSWD: /bin/kill, /bin/ls, /usr/bin/lprm
would allow the user
on the machine rushmore without authenticating himself.
without a password the entry would be:
ray rushmore = NOPASSWD: /bin/kill, PASSWD: /bin/ls, /usr/bin/lprm
Note, however, that the
tag has no effect on users who are in the group specified by the
tag is applied to any of the entries for a user on the current host,
he or she will be able to run
Additionally, a user may only run
without a password if the
tag is present for all a user's entries that pertain to the current host.
This behavior may be overridden via the
\fINOEXEC\fR and \fIEXEC\fR
has been compiled with
support and the underlying operating system supports it, the
tag can be used to prevent a dynamically-linked executable from
running further commands itself.
In the following example, user
but shell escapes will be disabled.
aaron shanty = NOEXEC: /usr/bin/more, /usr/bin/vi
\fIPreventing shell escapes\fR
section below for more details on how
works and whether or not it will work on your system.
\fISETENV\fR and \fINOSETENV\fR
These tags override the value of the
option on a per-command basis.
has been set for a command, the user may disable the
option from the command line via the
Additionally, environment variables set on the command
line are not subject to the restrictions imposed by
As such, only trusted users should be allowed to set variables in this manner.
If the command matched is
tag is implied for that command; this default may be overridden by use of the
\fILOG_INPUT\fR and \fINOLOG_INPUT\fR
These tags override the value of the
option on a per-command basis.
For more information, see the description of
\fISUDOERS OPTIONS\fR
\fILOG_OUTPUT\fR and \fINOLOG_OUTPUT\fR
These tags override the value of the
option on a per-command basis.
For more information, see the description of
\fISUDOERS OPTIONS\fR
(aka meta or glob characters)
to be used in host names, path names and command line arguments in the
Wildcard matching is done via the
functions as specified by
IEEE Std 1003.1 (\(lqPOSIX.1\(rq).
regular expressions.
Matches any set of zero or more characters.
Matches any single character.
Matches any character in the specified range.
Matches any character
in the specified range.
This is used to escape special characters such as:
Character classes may also be used if your system's
functions support them.
However, because the
character has special meaning in
/bin/ls [[\:alpha\:]]*
Would match any file name beginning with a letter.
Note that a forward slash
wildcards used in the path name.
This is to make a path like:
\fI/usr/bin/X11/xterm\fR.
When matching the command line arguments, however, a slash
get matched by wildcards since command line arguments may contain
arbitrary strings and not just path names.
Wildcards in command line arguments should be used with care.
Because command line arguments are matched as a single, concatenated
string, a wildcard such as
can match multiple words.
For example, while a sudoers entry like:
%operator ALL = /bin/cat /var/log/messages*
will allow commands like:
$ sudo cat /var/log/messages.1
$ sudo cat /var/log/messages /etc/shadow
which is probably not what was intended.
.SS "Exceptions to wildcard rules"
The following exceptions apply to the above rules:
is the only command line argument in the
entry it means that command is not allowed to be run with
Command line arguments to the
built-in command should always be path names, so a forward slash
will not be matched by a wildcard.
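An added example (not sudo's matcher) that reproduces the two matching rules above in Python: path names are matched so that wildcards never cross a slash, while command line arguments are joined with spaces and matched as one string, which is why the /var/log/messages* rule also accepts a second argument. The example also handles a directory entry ending in '/' and the "" no-arguments exception; POSIX character classes such as [[:alpha:]] are assumed unsupported by this translation.

```python
import re
from typing import List


def glob_to_regex(pattern: str, pathname: bool) -> "re.Pattern":
    """Translate a sudoers wildcard pattern into a compiled regex.

    pathname=True behaves like fnmatch(3) with FNM_PATHNAME: '*', '?' and
    '[...]' never match '/', which is how command path names are matched.
    pathname=False is used for command line arguments, where wildcards do
    match '/'. A backslash escapes the character that follows it.
    """
    any_char = "[^/]" if pathname else "."
    out, i, n = [], 0, len(pattern)
    while i < n:
        c = pattern[i]
        if c == "*":
            out.append(any_char + "*")
        elif c == "?":
            out.append(any_char)
        elif c == "\\" and i + 1 < n:
            i += 1
            out.append(re.escape(pattern[i]))
        elif c == "[" and pattern.find("]", i + 2) != -1:
            j = pattern.find("]", i + 2)          # ']' right after '[' is literal
            body = pattern[i + 1:j]
            negate = body[:1] in ("!", "^")
            body = (body[1:] if negate else body).replace("\\", "\\\\")
            if negate:
                out.append("[^" + ("/" if pathname else "") + body + "]")
            else:
                out.append("[" + body + "]")
            i = j
        else:
            out.append(re.escape(c))
        i += 1
    return re.compile("(?s:" + "".join(out) + r")\Z")


def command_matches(rule: str, cmd: str, args: List[str]) -> bool:
    """Match a user's command against one Cmnd entry written as in sudoers:
    a path, a directory ending in '/', or a path followed by arguments or "".
    """
    parts = rule.split(None, 1)
    rule_cmd, rule_args = parts[0], (parts[1] if len(parts) > 1 else None)
    if rule_cmd.endswith("/"):                 # directory: files directly inside it
        rest = cmd[len(rule_cmd):]
        return cmd.startswith(rule_cmd) and rest != "" and "/" not in rest
    if not glob_to_regex(rule_cmd, pathname=True).match(cmd):
        return False
    if rule_args is None:                      # bare path: any arguments allowed
        return True
    if rule_args == '""':                      # "": no arguments at all
        return not args
    # Arguments are matched as one space-joined string, so a single wildcard
    # can span several words, slashes included.
    return bool(glob_to_regex(rule_args, pathname=False).match(" ".join(args)))


if __name__ == "__main__":
    rule = "/bin/cat /var/log/messages*"
    print(command_matches(rule, "/bin/cat", ["/var/log/messages.1"]))              # True
    print(command_matches(rule, "/bin/cat", ["/var/log/messages", "/etc/shadow"]))  # True
```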
.SS "Including other files from within sudoers"
It is possible to include other
files from within the
file currently being parsed using the
This can be used, for example, to keep a site-wide
file in addition to a local, per-machine file.
For the sake of this example the site-wide
and the per-machine one will be
\fI/etc/sudoers.local\fR.
\fI/etc/sudoers.local\fR
#include /etc/sudoers.local
reaches this line it will suspend processing of the current file
(\fI/etc/sudoers\fR)
\fI/etc/sudoers.local\fR.
Upon reaching the end of
\fI/etc/sudoers.local\fR,
Files that are included may themselves include other files.
A hard limit of 128 nested include files is enforced to prevent include
If the path to the include file is not fully-qualified (does not
it must be located in the same directory as the sudoers file it was
\fR#include sudoers.local\fR
the file that will be included is
\fI/etc/sudoers.local\fR.
The file name may also include the
escape, signifying the short form of the host name.
In other words, if the machine's host name is
#include /etc/sudoers.%h
\fI/etc/sudoers.xerxes\fR.
directive can be used to create a
directory that the system package manager can drop
into as part of package installation.
#includedir /etc/sudoers.d
will read each file in
\fI/etc/sudoers.d\fR,
skipping file names that end in
character to avoid causing problems with package manager or editor
temporary/backup files.
Files are parsed in sorted lexical order.
\fI/etc/sudoers.d/01_first\fR
will be parsed before
\fI/etc/sudoers.d/10_second\fR.
Be aware that because the sorting is lexical, not numeric,
\fI/etc/sudoers.d/1_whoops\fR
\fI/etc/sudoers.d/10_second\fR.
Using a consistent number of leading zeroes in the file names
avoids such problems.
Note that unlike files included via
will not edit the files in a
directory unless one of them contains a syntax error.
It is still possible to run
flag to edit the files directly.
.SS "Other special characters and reserved words"
is used to indicate a comment (unless it is part of a #include
directive or unless it occurs in the context of a user name and is
followed by one or more digits, in which case it is treated as a
Both the comment character and any text after it, up to the end of
the line, are ignored.
that always causes a match to succeed.
It can be used wherever one might otherwise use a
You should not try to define your own
as the built-in alias will be used in preference to your own.
Please note that using
can be dangerous since in a command context, it allows the user to run
command on the system.
An exclamation point
can be used as a logical
operator in a list or
as well as in front of a
This allows one to exclude certain values.
operator to be effective, there must be something for it to exclude.
For example, to match all users except for root one would use:
it would explicitly deny root but not match any other users.
This is different from a true
Note, however, that using a
in conjunction with the built-in
alias to allow a user to run
commands rarely works as intended (see
\fISECURITY NOTES\fR
Long lines can be continued with a backslash
as the last character on the line.
White space between elements in a list as well as special syntactic
\fIUser Specification\fR
The following characters must be escaped with a backslash
when used as part of a word (e.g.\& a user name or host name):
.SH "SUDOERS OPTIONS"
behavior can be modified by
lines, as explained earlier.
A list of all supported Defaults parameters, grouped by type, is given below.
\fBBoolean Flags\fR:
environment variable to the home directory of the target user
(which is root unless the
This effectively means that the
option is always implied.
is already set when the
option is enabled, so
\fIalways_set_home\fR
is only effective for configurations where either
If set, users must authenticate themselves via a password (or other
means of authentication) before they may run commands.
This default may be overridden via the
If set, the user may use
option which overrides the default starting point at which
begins closing open file descriptors.
is configured to log a command's input or output,
the I/O logs will be compressed using
runs a command as the foreground process as long as
itself is running in the foreground.
\fIexec_background\fR
flag is enabled and the command is being run in a pty (due to I/O logging
flag), the command will be run as a background process.
Attempts to read from the controlling terminal (or to change terminal
settings) will result in the command being suspended with the
in the case of terminal settings).
If this happens when
is a foreground process, the command will be granted the controlling terminal
and resumed in the foreground with no user intervention required.
The advantage of initially running the command in the background is that
need not read from the terminal unless the command explicitly requests it.
Otherwise, any terminal input must be passed to the command, whether it
has required it or not (the kernel buffers terminals so it is not possible
to tell whether the command really wants the input).
This is different from historic
behavior or when the command is not being run in a pty.
For this to work seamlessly, the operating system must support the
automatic restarting of system calls.
Unfortunately, not all operating systems do this by default,
and even those that do may have bugs.
For example, Mac OS X fails to restart the
system calls (this is a bug in Mac OS X).
Furthermore, because this behavior depends on the command stopping with the
signals, programs that catch these signals and suspend themselves
with a different signal (usually
will not be automatically foregrounded.
Some versions of the Linux
1833 command behave this way.
1835 This setting is only supported by version 1.8.7 or higher.
1836 It has no effect unless I/O logging is enabled or the
1843 will use the value of the
1847 environment variables before falling back on the default editor list.
1848 Note that this may create a security hole as it allows the user to
1849 run any arbitrary command as root without logging.
1850 A safer alternative is to place a colon-separated list of editors
1855 will then only use the
1859 if they match a value specified in
1869 will run the command in a minimal environment containing the
1882 variables in the caller's environment that match the
1886 lists are then added, followed by any variables present in the file
1890 The default contents of the
1894 lists are displayed when
1896 is run by root with the
1901 option is set, its value will be used for the
1903 environment variable.
1913 function to do shell-style globbing when matching path names.
1914 However, since it accesses the file system,
1916 can take a long time to complete for some patterns, especially
1917 when the pattern references a network file system that is mounted
1918 on demand (auto mounted).
1925 function, which does not access the file system to do its matching.
1928 is that it is unable to match relative path names such as
1932 This has security implications when path names that include globbing
1933 characters are used with the negation operator,
1935 as such rules can be trivially bypassed.
1936 As such, this option should not be used when
1938 contains rules that contain negated path names which include globbing
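As an added example (not part of the sudo distribution), the Python checker below flags the combination this paragraph warns about: fast_glob enabled together with negated command specs that contain globbing characters. It assumes a plain sudoers file with global Defaults lines and no backslash continuations; the users, aliases and paths in the sample are constructed.

```python
"""Added example, not sudo's own code: lint a sudoers file for negated command
specs that use globbing characters while fast_glob is enabled (the combination
this manual warns can be bypassed)."""
import re

GLOB_CHARS = set("*?[")

# Constructed sudoers fragment: hypothetical users, aliases and paths.
SAMPLE_SUDOERS = """\
Defaults fast_glob, env_reset
Cmnd_Alias SAFE = /usr/bin/less, /usr/bin/more
# the negated glob below is ineffective once fast_glob is on
alice ALL = ALL, !/usr/bin/rm*
bob   ALL = SAFE, !/usr/bin/vi
carol ALL = (root) NOPASSWD: /usr/bin/systemctl restart nginx
"""


def enabled_flags(text):
    """Return the boolean options switched on by global 'Defaults' lines.
    Assumes no Defaults:user / Defaults@host forms and no backslash continuations."""
    flags = set()
    for line in text.splitlines():
        m = re.match(r"\s*Defaults\s+(.*)$", line)
        if not m:
            continue
        for item in m.group(1).split(","):
            item = item.strip()
            # skip negated flags and options that take a value
            if item and not item.startswith("!") and "=" not in item:
                flags.add(item)
    return flags


def negated_glob_commands(text):
    """Return (line_no, spec) for every '!' command spec containing * ? or [."""
    hits = []
    for no, line in enumerate(text.splitlines(), 1):
        stripped = line.strip()
        if not stripped or stripped.startswith(("#", "Defaults")) or "=" not in stripped:
            continue
        _, cmnd_list = stripped.split("=", 1)
        for spec in cmnd_list.split(","):
            spec = spec.strip()
            spec = re.sub(r"^\([^)]*\)\s*", "", spec)      # drop a (runas) list
            spec = re.sub(r"^(?:[A-Z]+:\s*)+", "", spec)   # drop tags like NOPASSWD:
            if spec.startswith("!") and GLOB_CHARS & set(spec):
                hits.append((no, spec))
    return hits


def fast_glob_risks(text):
    """Negated glob rules that fast_glob makes unsafe; empty when fast_glob is off."""
    if "fast_glob" not in enabled_flags(text):
        return []
    return negated_glob_commands(text)
```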
1945 Set this flag if you want to put fully qualified host names in the
1947 file when the local host name (as returned by the
1949 command) does not contain the domain name.
1950 In other words, instead of myhost you would use myhost.mydomain.edu.
1951 You may still use the short form if you wish (and even mix the two).
1952 This option is only effective when the
1954 host name, as returned by the
1957 \fBgethostbyname\fR()
1958 function, is a fully-qualified domain name.
1959 This is usually the case when the system is configured to use DNS
1960 for host name resolution.
1962 If the system is configured to use the
1964 file in preference to DNS, the
1966 host name may not be fully-qualified.
1967 The order that sources are queried for host name resolution
1968 is usually specified in the
1969 \fI@nsswitch_conf@\fR,
1970 \fI@netsvc_conf@\fR,
1971 \fI/etc/host.conf\fR,
1973 \fI/etc/resolv.conf\fR
1977 file, the first host name of the entry is considered to be the
1979 name; subsequent names are aliases that are not used by
1981 For example, the following hosts file line for the machine
1983 has the fully-qualified domain name as the
1985 host name, and the short version as an alias.
1988 192.168.1.1 xyzzy.sudo.ws xyzzy
1991 If the machine's hosts file entry is not formatted properly, the
1993 option will not be effective if it is queried before DNS.
1995 Beware that when using DNS for host name resolution, turning on
1999 to make DNS lookups which renders
2001 unusable if DNS stops working (for example if the machine is disconnected
2003 Also note that just like with the hosts file, you must use the
2005 name as DNS knows it.
2006 That is, you may not use a host alias
2009 due to performance issues and the fact that there is no way to get all
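As an added example (not sudo's own code), the following Python snippet checks whether a hosts file entry is laid out so that the fqdn option can work: the first name on the line must be the fully-qualified canonical name and the short name an alias. The hosts lines other than the xyzzy example above are constructed.

```python
"""Added example, not sudo's own code: check that a hosts(5) entry is formatted so
the fqdn option is effective, i.e. the first name on the line (what gethostbyname()
returns as the canonical name) is fully qualified and the short name is an alias."""

# Constructed hosts file; the xyzzy line is the one shown in the manual.
SAMPLE_HOSTS = """\
127.0.0.1   localhost
# canonical name fully qualified, short name as alias: fqdn works
192.168.1.1 xyzzy.sudo.ws xyzzy
# short name first: the canonical name has no domain, fqdn is ineffective
192.168.1.2 plugh plugh.sudo.ws
"""


def parse_hosts(text):
    """Map each name on a line to (address, canonical_name, aliases).
    The first name after the address is canonical; the rest are aliases."""
    table = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()   # drop comments and blank lines
        parts = line.split()
        if len(parts) < 2:
            continue
        addr, canonical, *aliases = parts
        for name in (canonical, *aliases):
            table.setdefault(name, (addr, canonical, tuple(aliases)))
    return table


def canonical_name(hostname, text):
    """Name a resolver reading this file would report as canonical, or None."""
    entry = parse_hosts(text).get(hostname)
    return entry[1] if entry else None


def fqdn_usable(hostname, text):
    """True when the canonical name carries a domain part, so sudoers entries
    with fully qualified host names can match under the fqdn option."""
    name = canonical_name(hostname, text)
    return name is not None and "." in name
```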
2019 will ignore "." or "" (both denoting current directory) in the
2021 environment variable; the
2023 itself is not modified.
2028 ignore_local_sudoers
2029 If set via LDAP, parsing of
2030 \fI@sysconfdir@/sudoers\fR
2032 This is intended for enterprises that wish to prevent the usage of local
2033 sudoers files so that only LDAP is used.
2034 This thwarts the efforts of rogue operators who would attempt to add roles to
2035 \fI@sysconfdir@/sudoers\fR.
2036 When this option is present,
2037 \fI@sysconfdir@/sudoers\fR
2038 does not even need to exist.
2039 Since this option tells
2041 how to behave when no specific LDAP entries have been matched, this
2042 sudoOption is only meaningful for the
2052 will insult users when they enter an incorrect password.
2058 If set, the host name will be logged in the (non-syslog)
2068 will run the command in a
2070 and log all user input.
2071 If the standard input is not connected to the user's tty, due to
2072 I/O redirection or because the command is part of a pipeline, that
2073 input is also captured and stored in a separate log file.
2075 Input is logged to the directory specified by the
2080 using a unique session ID that is included in the normal
2082 log line, prefixed with
2086 option may be used to control the format of the session ID.
2088 Note that user input may contain sensitive information such as
2089 passwords (even if they are not echoed to the screen), which will
2090 be stored in the log file unencrypted.
2091 In most cases, logging the command output via
2093 is all that is required.
2098 will run the command in a
2100 and log all output that is sent to the screen, similar to the
2103 If the standard output or standard error is not connected to the
2104 user's tty, due to I/O redirection or because the command is part
2105 of a pipeline, that output is also captured and stored in separate
2108 Output is logged to the directory specified by the
2113 using a unique session ID that is included in the normal
2115 log line, prefixed with
2119 option may be used to control the format of the session ID.
2121 Output logs may be viewed with the
2122 sudoreplay(@mansectsu@)
2123 utility, which can also be used to list or search the available logs.
2126 If set, the four-digit year will be logged in the (non-syslog)
2134 When validating with a One Time Password (OTP) scheme such as
2138 a two-line prompt is used to make it easier
2139 to cut and paste the challenge to a local window.
2140 It's not as pretty as the default but some people find it more convenient.
2142 \fI@long_otp_prompt@\fR
2148 user every time a user runs
2157 user if the user running
2159 does not enter the correct password.
2160 If the command the user is attempting to run is not permitted by
2168 flags are set, this flag will have no effect.
2174 If set, mail will be sent to the
2176 user if the invoking user exists in the
2178 file, but is not allowed to run commands on the current host.
2180 \fI@mail_no_host@\fR
2184 If set, mail will be sent to the
2186 user if the invoking user is allowed to use
2188 but the command they are trying is not listed in their
2190 file entry or is explicitly denied.
2192 \fI@mail_no_perms@\fR
2196 If set, mail will be sent to the
2198 user if the invoking user is not in the
2202 \fI@mail_no_user@\fR
2206 If set, all commands run via
2208 will behave as if the
2210 tag has been set, unless overridden by a
2213 See the description of
2214 \fINOEXEC and EXEC\fR
2215 below as well as the
2216 \fIPreventing shell escapes\fR
2217 section at the end of this manual.
2223 On systems that use PAM for authentication,
2225 will create a new PAM session for the command to be run in.
2228 may be needed on older PAM implementations or on operating systems where
2229 opening a PAM session changes the utmp or wtmp files.
2230 If PAM session support is disabled, resource limits may not be updated
2231 for the command being run.
2236 This setting is only supported by version 1.8.7 or higher.
2239 The password prompt specified by
2241 will normally only be used if the password prompt provided by systems
2242 such as PAM matches the string
2245 \fIpassprompt_override\fR
2248 will always be used.
2256 will tell the user when a command could not be
2259 environment variable.
2260 Some sites may wish to disable this as it could be used to gather
2261 information on the location of executables that the normal user does
2263 The disadvantage is that if the executable is simply not in the user's
2266 will tell the user that they are not allowed to run it, which can be confusing.
2274 will initialize the group vector to the list of groups the target user is in.
2276 \fIpreserve_groups\fR
2277 is set, the user's existing group vector is left unaltered.
2278 The real and effective group IDs, however, are still set to match the
2287 reads the password like most other Unix programs,
2288 by turning off echo until the user hits the return (or enter) key.
2289 Some users become confused by this as it appears to them that
2291 has hung at this point.
2296 will provide visual feedback when the user presses a key.
2297 Note that this does have a security impact as an onlooker may be able to
2298 determine the length of the password being entered.
2306 will only run when the user is logged in to a real tty.
2307 When this flag is set,
2309 can only be run from a login session and not via other means such as
2317 If set, root is allowed to run
2320 Disabling this prevents users from
2323 commands to get a root shell by doing something like
2324 ``\fRsudo sudo /bin/sh\fR''.
2325 Note, however, that turning off
2327 will also prevent root from running
2331 provides no real additional security; it exists purely for historical reasons.
2339 will prompt for the root password instead of the password of the invoking user.
2347 will prompt for the password of the user defined by the
2350 \fR@runas_default@\fR)
2351 instead of the password of the invoking user.
2363 environment variable will be set to the home directory of the target
2364 user (which is root unless the
2367 This effectively makes the
2373 is already set when the
2375 option is enabled, so
2377 is only effective for configurations where either
2397 environment variables to the name of the target user (usually root unless the
2400 However, since some programs (including the RCS revision control system) use
2402 to determine the real identity of the user, it may be desirable to
2403 change this behavior.
2404 This can be done by negating the set_logname option.
2407 option has not been disabled, entries in the
2409 list will override the value of
2418 will create an entry in the utmp (or utmpx) file when a pseudo-tty
2420 A pseudo-tty is allocated by
2428 By default, the new entry will be a copy of the user's existing utmp
2429 entry (if any), with the tty, time, type and pid fields updated.
2435 Allow the user to disable the
2437 option from the command line via the
2440 Additionally, environment variables set via the command line are
2441 not subject to the restrictions imposed by
2446 As such, only trusted users should be allowed to set variables in this manner.
2454 is invoked with no arguments it acts as if the
2456 option had been given.
2457 That is, it runs a shell as root (the shell is determined by the
2459 environment variable if it is set, falling back on the shell listed
2460 in the invoking user's /etc/passwd entry if not).
2468 executes a command the real and effective UIDs are set to the target
2469 user (root by default).
2470 This option changes that behavior such that the real UID is left
2471 as the invoking user's UID.
2472 In other words, this makes
2474 act as a setuid wrapper.
2475 This can be useful on systems that disable some potentially
2476 dangerous functionality when a program is run setuid.
2477 This option is only effective on systems that support either the
2489 will prompt for the password of the user specified
2494 instead of the password of the invoking user.
2495 In addition, the time stamp file name will include the target user's name.
2496 Note that this flag precludes the use of a uid not listed in the passwd
2497 database as an argument to the
2505 If set, users must authenticate on a per-tty basis.
2506 With this flag enabled,
2508 will use a file named for the tty the user is
2509 logged in on in the user's time stamp directory.
2510 If disabled, the time stamp of the directory is used instead.
2518 will set the umask as specified by
2520 without modification.
2521 This makes it possible to specify a more permissive umask in
2523 than the user's own umask and matches historical behavior.
2525 \fIumask_override\fR
2528 will set the umask to be the union of the user's umask and what is specified in
2531 \fI@umask_override@\fR
2537 will apply the defaults specified for the target user's login class
2541 is configured with the
2542 \fR--with-logincap\fR
2551 will run the command in a pseudo-pty even if no I/O logging is being done.
2552 A malicious program run under
2554 could conceivably fork a background process that retains access to the user's
2555 terminal device after the main program has finished executing.
2556 Use of this option will make that impossible.
2564 will store the name of the runas user when updating the utmp (or utmpx) file.
2567 stores the name of the invoking user.
2575 will refuse to run if the user must enter a password but it is not
2576 possible to disable echo on the terminal.
2581 will prompt for a password even when it would be visible on the screen.
2582 This makes it possible to run things like
2583 ``\fRssh somehost sudo ls\fR''
2587 not allocate a tty when running a command.
2595 Before it executes a command,
2597 will close all open file descriptors other than standard input,
2598 standard output and standard error (i.e., file descriptors 0-2).
2601 option can be used to specify a different file descriptor at which
2607 The number of tries a user gets to enter his/her password before
2609 logs the failure and exits.
2611 \fR@passwd_tries@\fR.
2613 \fBIntegers that can be used in a boolean context\fR:
2616 Number of characters per line for the file log.
2617 This value is used to decide when to wrap lines for nicer log files.
2618 This has no effect on the syslog log file, only the file log.
2621 (use 0 or negate the option to disable word wrap).
2624 Number of minutes before the
2626 password prompt times out, or
2629 The timeout may include a fractional component
2630 if minute granularity is insufficient, for example
2634 \fR@password_timeout@\fR.
2638 Number of minutes that can elapse before
2640 will ask for a password again.
2641 The timeout may include a fractional component if
2642 minute granularity is insufficient, for example
2648 to always prompt for a password.
2649 If set to a value less than
2651 the user's time stamp will never expire.
2652 This can be used to allow users to create or delete their own time stamps via
2659 Umask to use when running the command.
2660 Negate this option or set it to 0777 to preserve the user's umask.
2661 The actual umask that is used will be the union of the user's umask
2662 and the value of the
2664 option, which defaults to
2669 never lowers the umask when running a command.
2670 Note: on systems that use PAM, the default PAM configuration may specify
2671 its own umask which will override the value set in
2677 Message that is displayed if a user enters an incorrect password.
2679 \fR@badpass_message@\fR
2680 unless insults are enabled.
2685 separated list of editors allowed to be used with
2688 will choose the editor that matches the user's
2690 environment variable if possible, or the first editor in the
2691 list that exists and is executable.
2696 The top-level directory to use when constructing the path name for
2697 the input/output log directory.
2702 options are enabled or when the
2706 tags are present for a command.
2707 The session sequence number, if any, is stored in the directory.
2711 The following percent
2713 escape sequences are supported:
2717 expanded to a monotonically increasing base-36 sequence number, such as 0100A5,
2718 where every two digits are used to form a new directory, e.g.\&
2722 expanded to the invoking user's login name
2725 expanded to the name of the invoking user's real group ID
2728 expanded to the login name of the user the command will
2729 be run as (e.g.\& root)
2731 \fR%{runas_group}\fR
2732 expanded to the group name of the user the command will
2733 be run as (e.g.\& wheel)
2736 expanded to the local host name without the domain name
2739 expanded to the base name of the command being run
2741 In addition, any escape sequences supported by the system's
2743 function will be expanded.
2745 To include a literal
2747 character, the string
2755 The path name, relative to
2757 in which to store input/output logs when the
2761 options are enabled or when the
2765 tags are present for a command.
2768 may contain directory components.
2774 option above for a list of supported percent
2778 In addition to the escape sequences, path names that end in six or
2783 replaced with a unique combination of digits and letters, similar to the
2787 If the path created by concatenating
2791 already exists, the existing I/O log file will be truncated and
2800 The default Solaris limit privileges to use when constructing a new
2801 privilege set for a command.
2802 This bounds all privileges of the executing process.
2803 The default limit privileges may be overridden on a per-command basis in
2805 This option is only available if
2807 is built on Solaris 10 or higher.
2810 Subject of the mail sent to the
2815 will expand to the host name of the machine.
2817 ``\fR@mailsub@\fR''.
2820 The maximum sequence number that will be substituted for the
2822 escape in the I/O log file (see the
2824 description above for more information).
2825 While the value substituted for
2829 itself should be expressed in decimal.
2830 Values larger than 2176782336 (which corresponds to the
2831 base 36 sequence number
2833 will be silently truncated to 2176782336.
2834 The default value is 2176782336.
2836 Once the local sequence number reaches the value of
2840 to zero, after which
2842 will truncate and re-use any existing I/O log pathnames.
2844 This setting is only supported by version 1.8.7 or higher.
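As an added example (not sudo's own code) covering both the %{seq} escape described under iolog_dir and the maxseq limit above, the Python below encodes a session sequence number as six base-36 digits split into two-digit directory components, advances the counter with the documented wrap to zero, and expands the other percent escapes of an iolog_dir template before handing the rest to strftime(). The session values and template are constructed.

```python
"""Added example, not sudo's own code: the %{seq} base-36 directory layout and the
maxseq wrap-around described for iolog_dir and maxseq, plus expansion of the
other %{...} escapes of an iolog_dir template."""
import re
import time

BASE36 = "0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ"
MAXSEQ_DEFAULT = 36 ** 6           # 2176782336, the documented default for maxseq
ESCAPE_RE = re.compile(r"%\{(\w+)\}")
EPOCH_UTC = time.gmtime(0)         # fixed timestamp so strftime output is stable


def seq_to_base36(seq, width=6):
    """Encode seq as a zero-padded upper-case base-36 string, e.g. 0100A5."""
    if seq < 0:
        raise ValueError("sequence number must be non-negative")
    digits = []
    while seq:
        seq, rem = divmod(seq, 36)
        digits.append(BASE36[rem])
    return "".join(reversed(digits)).rjust(width, "0")


def base36_to_seq(text):
    """Decode a base-36 sequence number (int() accepts letters in either case)."""
    return int(text, 36)


def seq_to_iolog_dir(seq):
    """Split the six base-36 digits into two-digit directory components,
    as the %{seq} escape does: 0100A5 -> 01/00/A5."""
    encoded = seq_to_base36(seq)
    return "/".join(encoded[i:i + 2] for i in range(0, len(encoded), 2))


def next_seq(current, maxseq=MAXSEQ_DEFAULT):
    """Advance the local sequence number; once it reaches maxseq it resets to
    zero, and maxseq values above the default are silently truncated."""
    maxseq = min(maxseq, MAXSEQ_DEFAULT)
    following = current + 1
    return 0 if following >= maxseq else following


def expand_iolog_path(template, session, when=None):
    """Expand the %{user}, %{group}, %{runas_user}, %{runas_group}, %{hostname},
    %{command} and %{seq} escapes, then let strftime() handle any remaining
    percent escapes (so %% becomes a literal %)."""
    values = dict(session)
    values["seq"] = seq_to_iolog_dir(session["seq"])

    def replace(match):
        name = match.group(1)
        if name not in values:
            raise ValueError(f"unknown escape %{{{name}}}")
        return str(values[name])

    expanded = ESCAPE_RE.sub(replace, template)
    return time.strftime(expanded, when if when is not None else time.localtime())
```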
2849 version 1.8.1 this option is no longer supported.
2850 The path to the noexec file should now be set in the
2851 sudo.conf(@mansectform@)
2855 The default prompt to use when asking for a password; can be overridden via the
2859 environment variable.
2860 The following percent
2862 escape sequences are supported:
2866 expanded to the local host name including the domain name
2867 (only if the machine's host name is fully qualified or the
2872 expanded to the local host name without the domain name
2875 expanded to the user whose password is being asked for (respects the
2884 expanded to the login name of the user the command will
2885 be run as (defaults to root)
2888 expanded to the invoking user's login name
2893 characters are collapsed into a single
2897 The default value is
2898 ``\fR@passprompt@\fR''.
2904 The default Solaris privileges to use when constructing a new
2905 privilege set for a command.
2906 This is passed to the executing process via the inherited privilege set,
2907 but is bounded by the limit privileges.
2910 option is specified but the
2912 option is not, the limit privileges of the executing process are set to
2914 The default privileges may be overridden on a per-command basis in
2916 This option is only available if
2918 is built on Solaris 10 or higher.
2922 The default SELinux role to use when constructing a new security
2923 context to run the command.
2924 The default role may be overridden on a per-command basis in
2926 or via command line options.
2927 This option is only available when
2929 is built with SELinux support.
2932 The default user to run commands as if the
2934 option is not specified on the command line.
2936 \fR@runas_default@\fR.
2939 Syslog priority to use when user authenticates unsuccessfully.
2943 The following syslog priorities are supported:
2955 Syslog priority to use when user authenticates successfully.
2961 for the list of supported syslog priorities.
2964 Locale to use when parsing the sudoers file, logging commands, and
2966 Note that changing the locale may affect how sudoers is interpreted.
2971 The directory in which
2973 stores its time stamp files.
2978 The owner of the time stamp directory and the time stamps stored therein.
2983 The default SELinux type to use when constructing a new security
2984 context to run the command.
2985 The default type may be overridden on a per-command basis in
2987 or via command line options.
2988 This option is only available when
2990 is built with SELinux support.
2992 \fBStrings that can be used in a boolean context\fR:
2997 option specifies the fully qualified path to a file containing variables
2998 to be set in the environment of the program being run.
2999 Entries in this file should either be of the form
3000 ``\fRVARIABLE=value\fR''
3002 ``\fRexport VARIABLE=value\fR''.
3003 The value may optionally be surrounded by single or double quotes.
3004 Variables in this file are subject to other
3006 environment settings such as
3012 Users in this group are exempt from password and PATH requirements.
3013 The group name specified should not include a
3016 This is not set by default.
3019 A string containing a
3021 group plugin with optional arguments.
3022 The string should consist of the plugin
3023 path, either fully-qualified or relative to the
3025 directory, followed by any configuration arguments the plugin requires.
3026 These arguments (if any) will be passed to the plugin's initialization function.
3027 If arguments are present, the string must be enclosed in double quotes
3030 For more information see
3031 GROUP PROVIDER PLUGINS.
3034 This option controls when a short lecture will be printed along with
3035 the password prompt.
3036 It has the following possible values:
3040 Always lecture the user.
3043 Never lecture the user.
3046 Only lecture the user the first time they run
3049 If no value is specified, a value of
3052 Negating the option results in a value of
3055 The default value is
3062 Path to a file containing an alternate
3064 lecture that will be used in place of the standard lecture if the named
3068 uses a built-in lecture.
3072 This option controls when a password will be required when a user runs
3077 It has the following possible values:
3083 entries for the current host must have
3086 flag set to avoid entering a password.
3089 The user must always enter a password to use the
3094 At least one of the user's
3096 entries for the current host
3099 flag set to avoid entering a password.
3102 The user need never enter a password to use the
3106 If no value is specified, a value of
3109 Negating the option results in a value of
3112 The default value is
3121 log file (not the syslog log file).
3122 Setting a path turns on logging to a file;
3123 negating this option turns it off.
3130 Flags to use when invoking the mailer. Defaults to
3134 Path to mail program used to send warning mail.
3135 Defaults to the path to sendmail found at configure time.
3138 Address to use for the
3140 address when sending warning and error mail.
3141 The address should be enclosed in double quotes
3148 Defaults to the name of the user running
3152 Address to send warning and error mail to.
3153 The address should be enclosed in double quotes
3164 Path used for every command run from
3166 If you don't trust the
3171 environment variable you may want to use this.
3172 Another use is if you want to have the
3174 be separate from the
3176 Users in the group specified by the
3178 option are not affected by
3180 This option is @secure_path@ by default.
3183 Syslog facility if syslog is being used for logging (negate to
3184 disable syslog logging).
3188 The following syslog facilities are supported:
3206 This option controls when a password will be required when a user runs
3211 It has the following possible values:
3217 entries for the current host must have the
3219 flag set to avoid entering a password.
3222 The user must always enter a password to use the
3227 At least one of the user's
3229 entries for the current host must have the
3231 flag set to avoid entering a password.
3234 The user need never enter a password to use the
3238 If no value is specified, a value of
3241 Negating the option results in a value of
3244 The default value is
3248 \fBLists that can be used in a boolean context\fR:
3251 Environment variables to be removed from the user's environment if
3252 the variable's value contains
3257 This can be used to guard against printf-style format vulnerabilities
3258 in poorly-written programs.
3259 The argument may be a double-quoted, space-separated list or a
3260 single value without double-quotes.
3261 The list can be replaced, added to, deleted from, or disabled by using
3268 operators respectively.
3269 Regardless of whether the
3271 option is enabled or disabled, variables specified by
3273 will be preserved in the environment if they pass the aforementioned check.
3274 The default list of environment variables to check is displayed when
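As an added example (not sudo's own code) serving both the env_file format described earlier and the env_check rule above, the Python below reads an env_file (VARIABLE=value or export VARIABLE=value, value optionally quoted) and then drops any listed variable whose value contains a "%" or "/" character. The file contents and the env_check list are constructed; the real default list is printed by sudo -V when run as root.

```python
"""Added example, not sudo's own code: parse an env_file in the documented format
and apply the env_check rule (remove listed variables whose value contains '%'
or '/') to the result."""
import re

ENV_LINE_RE = re.compile(r"^\s*(?:export\s+)?([A-Za-z_][A-Za-z0-9_]*)=(.*?)\s*$")

# Constructed env_file contents (paths and settings are illustrative).
SAMPLE_ENV_FILE = """\
# hand a few editor/pager settings to every command
EDITOR=/usr/bin/vi
export LESS="-R -P%f"
TZ='UTC'
PRINTER=lp0
"""

# Constructed env_check list; the real default is printed by `sudo -V` as root.
ENV_CHECK = {"LESS", "PRINTER", "TZ"}


def parse_env_file(text):
    """Return the variables an env_file defines, with surrounding quotes removed."""
    env = {}
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        match = ENV_LINE_RE.match(line)
        if not match:
            raise ValueError(f"malformed env_file line: {line!r}")
        name, value = match.groups()
        # the value may be wrapped in matching single or double quotes
        if len(value) >= 2 and value[0] == value[-1] and value[0] in "\"'":
            value = value[1:-1]
        env[name] = value
    return env


def apply_env_check(env, checked=ENV_CHECK):
    """Keep a checked variable only if its value has neither '%' nor '/', the
    printf-format and path characters env_check guards against. Variables not
    on the list (EDITOR here) are left alone even when they contain a '/'."""
    return {name: value for name, value in env.items()
            if name not in checked or not any(c in value for c in "%/")}


def load_env_file(text, checked=ENV_CHECK):
    """The environment an env_file would contribute after env_check filtering."""
    return apply_env_check(parse_env_file(text), checked)
```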
3282 Environment variables to be removed from the user's environment when the
3284 option is not in effect.
3285 The argument may be a double-quoted, space-separated list or a
3286 single value without double-quotes.
3287 The list can be replaced, added to, deleted from, or disabled by using the
3293 operators respectively.
3294 The default list of environment variables to remove is displayed when
3296 is run by root with the
3299 Note that many operating systems will remove potentially dangerous
3300 variables from the environment of any setuid process (such as
3304 Environment variables to be preserved in the user's environment when the
3306 option is in effect.
3307 This allows fine-grained control over the environment
3309 processes will receive.
3310 The argument may be a double-quoted, space-separated list or a
3311 single value without double-quotes.
3312 The list can be replaced, added to, deleted from, or disabled by using the
3318 operators respectively.
3319 The default list of variables to keep
3322 is run by root with the
3325 .SH "GROUP PROVIDER PLUGINS"
3328 plugin supports its own plugin interface to allow non-Unix
3329 group lookups which can query a group source other
3330 than the standard Unix group database.
3331 This can be used to implement support for the
3333 syntax described earlier.
3335 Group provider plugins are specified via the
3340 should consist of the plugin path, either fully-qualified or relative to the
3342 directory, followed by any configuration options the plugin requires.
3343 These options (if specified) will be passed to the plugin's initialization
3345 If options are present, the string must be enclosed in double quotes
3348 The following group provider plugins are installed by default:
3353 plugin supports an alternate group file that uses the same syntax as the
3356 The path to the group file should be specified as an option
3358 For example, if the group file to be used is
3359 \fI/etc/sudo-group\fR:
3364 Defaults group_plugin="group_file.so /etc/sudo-group"
3374 plugin supports group lookups via the standard C library functions
3378 This plugin can be used in instances where the user belongs to
3379 groups not present in the user's supplemental group vector.
3380 This plugin takes no options:
3385 Defaults group_plugin=system_group.so
3391 The group provider plugin API is described in detail in
3392 sudo_plugin(@mansectsu@).
3395 can log events using either
3397 or a simple log file.
3398 In each case the log format is almost identical.
3399 .SS "Accepted command log entries"
3400 Commands that sudo runs are logged using the following format (split
3401 into multiple lines for readability):
3405 date hostname progname: username : TTY=ttyname ; PWD=cwd ; \e
3406 USER=runasuser ; GROUP=runasgroup ; TSID=logid ; \e
3407 ENV=env_vars COMMAND=command
3411 Where the fields are as follows:
3414 The date the command was run.
3415 Typically, this is in the format
3416 ``MMM, DD, HH:MM:SS''.
3419 the actual date format is controlled by the syslog daemon.
3420 If logging to a file and the
3423 the date will also include the year.
3426 The name of the host
3429 This field is only present when logging via
3433 The name of the program, usually
3437 This field is only present when logging via
3441 The login name of the user who ran
3445 The short name of the terminal (e.g.\&
3453 if there was no terminal present.
3456 The current working directory that
3461 The user the command was run as.
3464 The group the command was run as if one was specified on the command line.
3467 An I/O log identifier that can be used to replay the command's output.
3468 This is only present when the
3475 A list of environment variables specified on the command line,
3479 The actual command that was executed.
3481 Messages are logged using the locale specified by
3482 \fIsudoers_locale\fR,
3483 which defaults to the
3486 .SS "Denied command log entries"
3487 If the user is not allowed to run the command, the reason for the denial
3488 will follow the user name.
3489 Possible reasons include:
3492 The user is not listed in the
3496 user NOT authorized on host
3497 The user is listed in the
3499 file but is not allowed to run commands on the host.
3502 The user is listed in the
3504 file for the host but they are not allowed to run the specified command.
3506 3 incorrect password attempts
3507 The user failed to enter their password after 3 tries.
3508 The actual number of tries will vary based on the number of
3509 failed attempts and the value of the
3513 a password is required
3516 option was specified but a password was required.
3518 sorry, you are not allowed to set the following environment variables
3519 The user specified environment variables on the command line that
3522 .SS "Error log entries"
3525 will log a message and, in most cases, send a message to the
3526 administrator via email.
3527 Possible errors include:
3529 parse error in @sysconfdir@/sudoers near line N
3531 encountered an error when parsing the specified file.
3532 In some cases, the actual error may be one line above or below the
3533 line number listed, depending on the type of error.
3535 problem with defaults entries
3538 file contains one or more unknown Defaults settings.
3539 This does not prevent
3541 from running, but the
3543 file should be checked using
3546 timestamp owner (username): \&No such user
3547 The time stamp directory owner, as specified by the
3548 \fItimestampowner\fR
3549 setting, could not be found in the password database.
3551 unable to open/read @sysconfdir@/sudoers
3554 file could not be opened for reading.
3555 This can happen when the
3557 file is located on a remote file system that maps user ID 0 to
3563 using group permissions to avoid this problem.
3564 Consider either changing the ownership of
3565 \fI@sysconfdir@/sudoers\fR
3566 or adding an argument like
3570 is the user ID that owns the
3572 file) to the end of the
3576 sudo.conf(@mansectform@)
3579 unable to stat @sysconfdir@/sudoers
3581 \fI@sysconfdir@/sudoers\fR
3584 @sysconfdir@/sudoers is not a regular file
3586 \fI@sysconfdir@/sudoers\fR
3587 file exists but is not a regular file or symbolic link.
3589 @sysconfdir@/sudoers is owned by uid N, should be 0
3592 file has the wrong owner.
3593 If you wish to change the
3595 file owner, please add
3599 is the user ID that owns the
3605 sudo.conf(@mansectform@)
3608 @sysconfdir@/sudoers is world writable
3609 The permissions on the
3611 file allow all users to write to it.
3614 file must not be world-writable, the default file mode
3615 is 0440 (readable by owner and group, writable by none).
3616 The default mode may be changed via the
3622 sudo.conf(@mansectform@)
3625 @sysconfdir@/sudoers is owned by gid N, should be 1
3628 file has the wrong group ownership.
3629 If you wish to change the
3631 file group ownership, please add
3635 is the group ID that owns the
3641 sudo.conf(@mansectform@)
3644 unable to open @timedir@/username/ttyname
3646 was unable to read or create the user's time stamp file.
3648 unable to write to @timedir@/username/ttyname
3650 was unable to write to the user's time stamp file.
3652 unable to mkdir to @timedir@/username
3654 was unable to create the user's time stamp directory.
3655 .SS "Notes on logging via syslog"
3665 fields are added by the syslog daemon, not
3668 As such, they may vary in format on different systems.
3672 has a relatively small log buffer.
3673 To prevent the command line arguments from being truncated,
3675 will split up log messages that are larger than 960 characters
3676 (not including the date, hostname, and the string
3678 When a message is split, additional parts will include the string
3679 ``(command continued)''
3680 after the user name and before the continued command line arguments.
3681 .SS "Notes on logging to a file"
3686 will log to a local file, such as
3687 \fI/var/log/sudo\fR.
3688 When logging to a file,
3690 uses a format similar to
3692 with a few important differences:
3699 fields are not present.
3705 the date will also include the year.
3708 Lines that are longer than
3710 characters (80 by default) are word-wrapped and continued on the
3711 next line with a four-character indent.
3712 This makes entries easier to read for a human being, but makes it
3713 more difficult to use
3718 option is set to 0 (or negated with a
3720 word wrap will be disabled.
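As an added example (not sudo's own code) tying together the accepted and denied entry formats and the file-log notes above, the Python below re-joins the four-space-indented continuation lines that loglinelen word wrap produces, parses each record (file logs carry no hostname or progname fields, and a denial reason follows the user name), and picks out the entries a reviewer looks at first: denials and accepted commands that start a shell. The log lines are constructed.

```python
"""Added example, not sudo's own code: parse sudoers file-log entries (wrapped
lines continued with a four-character indent, denial reason after the user
name, COMMAND= as the last field) and flag denials and accepted shell runs."""
import posixpath
import re
from dataclasses import dataclass, field
from typing import Optional

FIELD_RE = re.compile(r"^(TTY|PWD|USER|GROUP|TSID|ENV)=(.*)$")
SHELLS = {"sh", "bash", "csh", "ksh", "tcsh", "zsh"}

# Constructed sample in file-log format (log_year off, loglinelen wrapping on).
SAMPLE_LOG = """\
Apr 30 10:01:12 : alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ;
    COMMAND=/usr/bin/systemctl restart nginx
Apr 30 10:02:45 : bob : 3 incorrect password attempts ; TTY=pts/1 ;
    PWD=/home/bob ; USER=root ; COMMAND=/bin/sh
Apr 30 10:03:07 : carol : command not allowed ; TTY=pts/2 ; PWD=/tmp ;
    USER=root ; COMMAND=/usr/bin/vi /etc/shadow
Apr 30 10:04:30 : alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ;
    TSID=000001 ; COMMAND=/bin/sh
"""


@dataclass
class SudoLogEntry:
    date: str
    user: str
    reason: Optional[str]            # None for an accepted command
    command: Optional[str]
    fields: dict = field(default_factory=dict)

    @property
    def accepted(self):
        return self.reason is None


def join_wrapped_lines(text):
    """Undo loglinelen word wrap: a line indented by four spaces continues the
    previous record."""
    records = []
    for line in text.splitlines():
        if line.startswith("    ") and records:
            records[-1] += " " + line.strip()
        elif line.strip():
            records.append(line.rstrip())
    return records


def parse_record(record):
    """Split 'date : user : rest' and the ' ; '-separated fields in rest."""
    date, user, rest = (part.strip() for part in record.split(" : ", 2))
    # COMMAND is the last field and may itself contain " ; ", so cut it off first.
    command = None
    idx = rest.find("COMMAND=")
    if idx >= 0:
        command = rest[idx + len("COMMAND="):]
        rest = rest[:idx]
    reason, fields = None, {}
    for part in rest.split(" ; "):
        part = part.strip(" ;")
        if not part:
            continue
        match = FIELD_RE.match(part)
        if match:
            fields[match.group(1)] = match.group(2)
        elif reason is None and not fields:
            reason = part                 # the denial reason precedes TTY=
    return SudoLogEntry(date, user, reason, command, fields)


def parse_sudo_log(text):
    return [parse_record(record) for record in join_wrapped_lines(text)]


def accepted_shell_runs(entries):
    """Accepted commands whose program is a shell, the root shells a review of
    shell escapes looks for first."""
    return [e for e in entries
            if e.accepted and e.command
            and posixpath.basename(e.command.split()[0]) in SHELLS]


def denied(entries):
    """Entries whose user name is followed by a denial reason."""
    return [e for e in entries if not e.accepted]
```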
3723 \fI@sysconfdir@/sudo.conf\fR
3724 Sudo front end configuration
3726 \fI@sysconfdir@/sudoers\fR
3727 List of who can run what
3733 List of network groups
3739 Directory containing time stamps for the
3743 \fI/etc/environment\fR
3744 Initial environment for
3746 mode on AIX and Linux systems
3751 Admittedly, some of these are a bit contrived.
3752 First, we allow a few environment variables to pass and then define our
# Run X applications through sudo; HOME is used to find the
# .Xauthority file. Note that other programs use HOME to find
# configuration files and this may lead to privilege escalation!
Defaults env_keep += "DISPLAY HOME"

# User alias specification
User_Alias FULLTIMERS = millert, mikef, dowdy
User_Alias PARTTIMERS = bostley, jwfox, crawl
User_Alias WEBMASTERS = will, wendy, wim

# Runas alias specification
Runas_Alias OP = root, operator
Runas_Alias DB = oracle, sybase
Runas_Alias ADMINGRP = adm, oper

# Host alias specification
Host_Alias SPARC = bigtime, eclipse, moet, anchor :\e
           SGI = grolsch, dandelion, black :\e
           ALPHA = widget, thalamus, foobar :\e
           HPPA = boa, nag, python
Host_Alias CUNETS = 128.138.0.0/255.255.0.0
Host_Alias CSNETS = 128.138.243.0, 128.138.204.0/24, 128.138.242.0
Host_Alias SERVERS = master, mail, www, ns
Host_Alias CDROM = orion, perseus, hercules

# Cmnd alias specification
Cmnd_Alias DUMPS = /usr/bin/mt, /usr/sbin/dump, /usr/sbin/rdump,\e
                   /usr/sbin/restore, /usr/sbin/rrestore,\e
                   sha224:0GomF8mNN3wlDt1HD9XldjJ3SNgpFdbjO1+NsQ== \e
                   /home/operator/bin/start_backups
Cmnd_Alias KILL = /usr/bin/kill
Cmnd_Alias PRINTING = /usr/sbin/lpc, /usr/bin/lprm
Cmnd_Alias SHUTDOWN = /usr/sbin/shutdown
Cmnd_Alias HALT = /usr/sbin/halt
Cmnd_Alias REBOOT = /usr/sbin/reboot
Cmnd_Alias SHELLS = /usr/bin/sh, /usr/bin/csh, /usr/bin/ksh,\e
                    /usr/local/bin/tcsh, /usr/bin/rsh,\e
Cmnd_Alias SU = /usr/bin/su
Cmnd_Alias PAGERS = /usr/bin/more, /usr/bin/pg, /usr/bin/less
3800 Here we override some of the compiled in default values.
3807 facility in all cases.
3808 We don't want to subject the full time staff to the
3812 need not give a password, and we don't want to reset the
3817 environment variables when running commands as root.
3818 Additionally, on the machines in the
3821 we keep an additional local log file and make sure we log the year
3822 in each log line since the log entries will be kept around for several years.
3823 Lastly, we disable shell escapes for the commands in the PAGERS
3825 (\fI/usr/bin/more\fR,
3828 \fI/usr/bin/less\fR)
# Override built-in defaults
Defaults syslog=auth
Defaults>root !set_logname
Defaults:FULLTIMERS !lecture
Defaults:millert !authenticate
Defaults@SERVERS log_year, logfile=/var/log/sudo.log
Defaults!PAGERS noexec
3844 \fIUser specification\fR
3845 is the part that actually determines who may run what.
root ALL = (ALL) ALL
%wheel ALL = (ALL) ALL
3856 and any user in group
3858 run any command on any host as any user.
FULLTIMERS ALL = NOPASSWD: ALL
3871 may run any command on any host without authenticating themselves.
PARTTIMERS ALL = ALL
3884 may run any command on any host but they must authenticate themselves
3885 first (since the entry lacks the
3897 may run any command on the machines in the
3900 \fR128.138.243.0\fR,
3901 \fR128.138.204.0\fR,
3903 \fR128.138.242.0\fR).
3904 Of those networks, only
3906 has an explicit netmask (in CIDR notation) indicating it is a class C network.
3907 For the other networks in
3909 the local machine's netmask will be used during matching.
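To make the netmask rule concrete, here is an added example (not from the sudoers manual or from sudo) that matches a host against the CSNETS and CUNETS aliases above using the three network forms they contain; the local host name, addresses and netmask are constructed. It also shows how a maskless entry widens when the local netmask is broader than the administrator assumed.

```python
import ipaddress

# Host_Alias entries from the example above, plus constructed local host data.
CSNETS = ["128.138.243.0", "128.138.204.0/24", "128.138.242.0"]
CUNETS = ["128.138.0.0/255.255.0.0"]


def entry_network(entry, local_netmask):
    """Return the IPv4 network a sudoers host entry denotes.

    Three forms appear in the aliases above:
      128.138.204.0/24          CIDR prefix length
      128.138.0.0/255.255.0.0   dotted-quad netmask
      128.138.243.0             no netmask: the local machine's netmask applies
    Raises ValueError when the entry is a host name rather than an address.
    """
    if "/" not in entry:
        entry = "%s/%s" % (entry, local_netmask)
    return ipaddress.IPv4Network(entry, strict=False)


def host_matches(entry, hostname, addrs, local_netmask):
    """Match one host entry against the local host name and its addresses."""
    try:
        net = entry_network(entry, local_netmask)
    except ValueError:
        # Not an address: plain host name comparison, case-insensitive.
        return entry.lower() == hostname.lower()
    return any(ipaddress.IPv4Address(a) in net for a in addrs)


def alias_matches(entries, hostname, addrs, local_netmask):
    """True if any entry of a Host_Alias matches the local host."""
    return any(host_matches(e, hostname, addrs, local_netmask) for e in entries)


if __name__ == "__main__":
    host, addrs = "boa", ["128.138.205.7"]  # constructed: a host outside CSNETS
    # With a /24 local netmask the host is in CUNETS but not in CSNETS...
    print(alias_matches(CSNETS, host, addrs, "255.255.255.0"))  # False
    print(alias_matches(CUNETS, host, addrs, "255.255.255.0"))  # True
    # ...but with a /16 local netmask the maskless CSNETS entries widen to the
    # whole class B network and the same host suddenly matches CSNETS.
    print(alias_matches(CSNETS, host, addrs, "255.255.0.0"))  # True
```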
3919 may run any command on any host in the
3921 alias (the class B network
operator ALL = DUMPS, KILL, SHUTDOWN, HALT, REBOOT, PRINTING,\e
               sudoedit /etc/printcap, /usr/oper/bin/
3933 user may run commands limited to simple maintenance.
3934 Here, those are commands related to backups, killing processes, the
3935 printing system, shutting down the system, and any commands in the
3937 \fI/usr/oper/bin/\fR.
3938 Note that one command in the
3940 Cmnd_Alias includes a sha224 digest,
3941 \fI/home/operator/bin/start_backups\fR.
3942 This is because the directory containing the script is writable by the
3944 If the script is modified (resulting in a digest mismatch) it will no longer
3945 be possible to run it via
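An added example (not code from sudo or from this manual) of how such a digest is produced and checked: it builds the `sha224:` Digest_Spec for a constructed stand-in for the backup script and shows the check failing once the content changes. It assumes the digest types sudoers accepts (sha224, sha256, sha384, sha512) and that the digest may be given in base64, as above, or in hex.

```python
import base64
import hashlib
import hmac

# Digest types a sudoers Digest_Spec accepts (sudo 1.8.7 and later).
DIGEST_ALGOS = {"sha224": hashlib.sha224, "sha256": hashlib.sha256,
                "sha384": hashlib.sha384, "sha512": hashlib.sha512}

# Constructed stand-in for /home/operator/bin/start_backups, and a modified copy.
ORIGINAL = b"#!/bin/sh\n/usr/sbin/dump -0u /dev/sda1\n"
MODIFIED = b"#!/bin/sh\n/usr/sbin/dump -0u /dev/sda1\necho done\n"


def parse_digest_spec(spec):
    """Split 'sha224:<digest>' into (algorithm, raw digest bytes).

    The digest may be base64 (as in the DUMPS alias above) or hex; the length
    tells them apart, and a digest of the wrong size is rejected.
    """
    algo, sep, encoded = spec.partition(":")
    if not sep or algo not in DIGEST_ALGOS:
        raise ValueError("unsupported digest type: %r" % algo)
    size = DIGEST_ALGOS[algo]().digest_size
    if len(encoded) == 2 * size:
        raw = bytes.fromhex(encoded)
    else:
        raw = base64.b64decode(encoded, validate=True)  # raises on bad input
    if len(raw) != size:
        raise ValueError("digest length %d does not fit %s" % (len(raw), algo))
    return algo, raw


def digest_spec(algo, content):
    """Build the base64 Digest_Spec an administrator records in sudoers."""
    raw = DIGEST_ALGOS[algo](content).digest()
    return "%s:%s" % (algo, base64.b64encode(raw).decode("ascii"))


def command_allowed(spec, content):
    """True only while the file's content still hashes to the recorded digest."""
    algo, expected = parse_digest_spec(spec)
    return hmac.compare_digest(DIGEST_ALGOS[algo](content).digest(), expected)


SPEC = digest_spec("sha224", ORIGINAL)

if __name__ == "__main__":
    print(SPEC)
    print(command_allowed(SPEC, ORIGINAL))  # True: the command may run
    print(command_allowed(SPEC, MODIFIED))  # False: digest mismatch, refused
```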
joe ALL = /usr/bin/su operator
pete HPPA = /usr/bin/passwd [A-Za-z]*, !/usr/bin/passwd root
%opers ALL = (: ADMINGRP) /usr/sbin/
3970 group may run commands in
3973 with any group in the
3984 is allowed to change anyone's password except for
3988 Note that this assumes
3990 does not take multiple user names on the command line.
bob SPARC = (OP) ALL : SGI = (OP) ALL
4000 may run anything on the
4004 machines as any user listed in the
4019 may run any command on machines in the
4025 is a netgroup due to the
+secretaries ALL = PRINTING, /usr/bin/adduser, /usr/bin/rmuser
4037 netgroup need to help manage the printers as well as add and remove users,
4038 so they are allowed to run those commands on all machines.
fred ALL = (DB) NOPASSWD: ALL
4048 can run commands as any user in the
4054 without giving a password.
john ALPHA = /usr/bin/su [!-]*, !/usr/bin/su *root*
4066 may su to anyone except root but he is not allowed to specify any options
jen ALL, !SERVERS = ALL
4079 may run any command on any machine except for those in the
4082 (master, mail, www and ns).
jill SERVERS = /usr/bin/, !SU, !SHELLS
4090 For any machine in the
4095 any commands in the directory
4097 except for those commands
steve CSNETS = (operator) /usr/local/op_commands/
4112 may run any command in the directory /usr/local/op_commands/
4113 but only as user operator.
matt valkyrie = KILL
4121 On his personal workstation, valkyrie,
4123 needs to be able to kill hung processes.
WEBMASTERS www = (www) ALL, (root) /usr/bin/su www
4131 On the host www, any user in the
4134 (will, wendy, and wim), may run any command as user www (which owns the
4135 web pages) or simply
ALL CDROM = NOPASSWD: /sbin/umount /CDROM,\e
            /sbin/mount -o nosuid\,nodev /dev/cd0a /CDROM
4146 Any user may mount or unmount a CD-ROM on the machines in the CDROM
4148 (orion, perseus, hercules) without entering a password.
4149 This is a bit tedious for users to type, so it is a prime candidate
4150 for encapsulating in a shell script.
4151 .SH "SECURITY NOTES"
4152 .SS "Limitations of the `!\&' operator"
4153 It is generally not effective to
4160 A user can trivially circumvent this by copying the desired command
4161 to a different name and then executing that.
bill ALL = ALL, !SU, !SHELLS
4170 Doesn't really prevent
4172 from running the commands listed in
4176 since he can simply copy those commands to a different name, or use
4177 a shell escape from an editor or other program.
4178 Therefore, this kind of restriction should be considered
4179 advisory at best (and reinforced by policy).
4181 In general, if a user has sudo
4183 there is nothing to prevent them from creating their own program that gives
4184 them a root shell (or making their own copy of a shell) regardless of any
4186 elements in the user specification.
4187 .SS "Security implications of \fIfast_glob\fR"
4190 option is in use, it is not possible to reliably negate commands where the
4191 path name includes globbing (aka wildcard) characters.
4192 This is because the C library's
4194 function cannot resolve relative paths.
4195 While this is typically only an inconvenience for rules that grant privileges,
4196 it can result in a security issue for rules that subtract or revoke privileges.
4198 For example, given the following
john ALL = /usr/bin/passwd [a-zA-Z0-9]*, /usr/bin/chsh [a-zA-Z0-9]*,\e
           /usr/bin/chfn [a-zA-Z0-9]*, !/usr/bin/* root
4212 \fR/usr/bin/passwd root\fR
4215 is enabled by changing to
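A defender's check for this class of rule, added here as an example (not part of sudo or of this manual): it scans a sudoers excerpt for negated command entries whose path contains glob characters while fast_glob is set, so that the rule can be rewritten or fast_glob turned off. The excerpt is constructed, and the scanner is deliberately simple: backslash continuations are folded, but aliases are not expanded and escaped commas are not handled.

```python
import re

GLOB_CHARS = set("*?[")
NOT_USER_SPECS = ("Defaults", "User_Alias", "Runas_Alias", "Host_Alias", "Cmnd_Alias")
USER_SPEC_RE = re.compile(r"^\S+\s+\S+\s*=\s*(?P<cmnds>.*)$")

# Constructed sudoers excerpt reproducing the rule discussed above.
SAMPLE_SUDOERS = """\
Defaults fast_glob
Cmnd_Alias SHELLS = /usr/bin/sh, /usr/bin/csh
john ALL = /usr/bin/passwd [a-zA-Z0-9]*, /usr/bin/chsh [a-zA-Z0-9]*, \\
           /usr/bin/chfn [a-zA-Z0-9]*, !/usr/bin/* root
bill ALL = ALL, !SU, !SHELLS
"""


def logical_lines(text):
    """Fold backslash-newline continuations and drop blank lines."""
    return [l for l in re.sub(r"\\\n\s*", " ", text).splitlines() if l.strip()]


def fast_glob_enabled(lines):
    """The last Defaults line that mentions fast_glob wins; unset means off."""
    enabled = False
    for line in lines:
        parts = line.split(None, 1)
        if parts[0].startswith("Defaults") and len(parts) > 1:
            opts = [o.strip() for o in parts[1].split(",")]
            if "fast_glob" in opts:
                enabled = True
            elif "!fast_glob" in opts:
                enabled = False
    return enabled


def unreliable_negations(text):
    """(line, entry) pairs for negated Cmnd entries with glob characters in the
    path while fast_glob is on: fnmatch(3) cannot resolve relative paths, so
    such a negation cannot be relied on to subtract privileges."""
    lines = logical_lines(text)
    if not fast_glob_enabled(lines):
        return []
    findings = []
    for line in lines:
        m = USER_SPEC_RE.match(line)
        if not m or line.startswith(NOT_USER_SPECS):
            continue
        for entry in (e.strip() for e in m.group("cmnds").split(",")):
            path = (entry[1:].split() or [""])[0]
            if entry.startswith("!") and GLOB_CHARS & set(path):
                findings.append((line, entry))
    return findings
```

Running `unreliable_negations(SAMPLE_SUDOERS)` reports the `!/usr/bin/* root` entry of john's rule and nothing for bill's alias-based negations.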
4220 .SS "Preventing shell escapes"
4223 executes a program, that program is free to do whatever
4224 it pleases, including run other programs.
4225 This can be a security issue since it is not uncommon for a program to
4226 allow shell escapes, which lets a user bypass
4228 access control and logging.
4229 Common programs that permit shell escapes include shells (obviously),
4230 editors, paginators, mail and terminal programs.
4232 There are two basic approaches to this problem:
4235 Avoid giving users access to commands that allow the user to run
4237 Many editors have a restricted mode where shell
4238 escapes are disabled, though
4240 is a better solution to
4243 Due to the large number of programs that
4244 offer shell escapes, restricting users to the set of programs that
4245 do not is often unworkable.
4248 Many systems that support shared libraries have the ability to
4249 override default library functions by pointing an environment
4252 to an alternate shared library.
4256 functionality can be used to prevent a program run by
4258 from executing any other programs.
4259 Note, however, that this applies only to native dynamically-linked
4261 Statically-linked executables and foreign executables
4262 running under binary emulation are not affected.
4266 feature is known to work on SunOS, Solaris, *BSD,
4267 Linux, IRIX, Tru64 UNIX, Mac OS X, HP-UX 11.x and AIX 5.3 and above.
4268 It should be supported on most operating systems that support the
4270 environment variable.
4271 Check your operating system's manual pages for the dynamic linker
4272 (usually ld.so, ld.so.1, dyld, dld.sl, rld, or loader) to see if
4276 On Solaris 10 and higher,
4278 uses Solaris privileges instead of the
4280 environment variable.
4284 for a command, use the
4287 in the User Specification section above.
4288 Here is that example again:
aaron shanty = NOEXEC: /usr/bin/more, /usr/bin/vi
4306 This will prevent those two commands from
4307 executing other commands (such as a shell).
4308 If you are unsure whether or not your system is capable of supporting
4310 you can always just try it out and check whether shell escapes work when
4315 Note that restricting shell escapes is not a panacea.
4316 Programs running as root are still capable of many potentially hazardous
4317 operations (such as changing or overwriting files) that could lead
4318 to unintended privilege escalation.
4319 In the specific case of an editor, a safer approach is to give the
4320 user permission to run
4322 .SS "Time stamp file checks"
4324 will check the ownership of its time stamp directory
4327 and ignore the directory's contents if it is not owned by root or
4328 if it is writable by a user other than root.
4329 On systems that allow non-root users to give away files via
4331 if the time stamp directory is located in a world-writable
4334 it is possible for a user to create the time stamp directory before
4339 checks the ownership and mode of the directory and its
4340 contents, the only damage that can be done is to
4342 files by putting them in the time stamp dir.
4343 This is unlikely to happen since once the time stamp dir is owned by root
4344 and inaccessible by any other user, the user placing files there would be
4345 unable to get them back out.
4348 will not honor time stamps set far in the future.
4349 Time stamps with a date greater than current_time + 2 *
4351 will be ignored and sudo will log and complain.
4352 This is done to keep a user from creating his/her own time stamp with a
4353 bogus date on systems that allow users to give away files if the time
4354 stamp directory is located in a world-writable directory.
4356 On systems where the boot time is available,
4358 will ignore time stamps that date from before the machine booted.
4360 Since time stamp files live in the file system, they can outlive a
4361 user's login session.
4362 As a result, a user may be able to login, run a command with
4364 after authenticating, logout, login again, and run
4366 without authenticating so long as the time stamp file's modification
4369 minutes (or whatever the timeout is set to in
4373 option is enabled, the time stamp has per-tty granularity but still
4374 may outlive the user's session.
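The checks described above, as an added example (not sudo's own code): the directory ownership test, a function that applies the future-date, boot-time and timeout rules to a time stamp's modification time, and a small demonstration that a stamp outlives a login session. The 5-minute timeout is a constructed default.

```python
import stat

TIMEOUT_MIN = 5  # constructed: timestamp_timeout in minutes


def timestamp_dir_trusted(st_uid, st_mode):
    """The directory's contents are honoured only if root owns it and nobody
    but root can write to it (checked on the stat(2) uid and mode)."""
    return st_uid == 0 and not (st_mode & (stat.S_IWGRP | stat.S_IWOTH))


def timestamp_valid(mtime, now, boot_time=None, timeout_min=TIMEOUT_MIN):
    """Apply the checks described above to a time stamp's mtime (epoch seconds).

    Returns (ok, reason) so a rejection can be logged with its cause.
    """
    timeout = timeout_min * 60
    if mtime > now + 2 * timeout:
        return False, "time stamp too far in the future"
    if boot_time is not None and mtime < boot_time:
        return False, "time stamp predates the last boot"
    if now - mtime > timeout:
        return False, "time stamp expired"
    return True, "ok"


def relogin_without_password(auth_time, boot_time, timeout_min=TIMEOUT_MIN):
    """A time stamp outlives the session: after authenticating at auth_time,
    a new login 3 minutes later needs no password, one 10 minutes later does.
    Returns the two (ok, reason) results."""
    soon = timestamp_valid(auth_time, auth_time + 3 * 60, boot_time, timeout_min)
    later = timestamp_valid(auth_time, auth_time + 10 * 60, boot_time, timeout_min)
    return soon, later


if __name__ == "__main__":
    print(timestamp_dir_trusted(0, 0o700), timestamp_dir_trusted(0, 0o777))
    print(relogin_without_password(auth_time=1_000_000, boot_time=990_000))
```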
4375 On Linux systems where the devpts filesystem is used, Solaris systems
4376 with the devices filesystem, as well as other systems that utilize a
4377 devfs filesystem that monotonically increases the inode number of devices
4378 as they are created (such as Mac OS X),
4380 is able to determine when a tty-based time stamp file is stale and will
4382 Administrators should not rely on this feature as it is not universally
4385 Versions 1.8.4 and higher of the
4387 plugin support a flexible debugging framework that can help track
4388 down what the plugin is doing internally if there is a problem.
4389 This can be configured in the
4390 sudo.conf(@mansectform@)
4395 plugin uses the same debug flag format as the
4398 \fIsubsystem\fR@\fIpriority\fR.
4400 The priorities used by
4402 in order of decreasing severity,
4404 \fIcrit\fR, \fIerr\fR, \fIwarn\fR, \fInotice\fR, \fIdiag\fR, \fIinfo\fR, \fItrace\fR
4407 Each priority, when specified, also includes all priorities higher
4409 For example, a priority of
4411 would include debug messages logged at
4415 The following subsystems are used by the
4428 matches every subsystem
4431 BSM and Linux audit code
4442 environment handling
4451 matching of users, groups, hosts and netgroups in
4455 network interface handling
4458 network service switch handling in
4474 pseudo-tty related code
4477 redblack tree internals
Debug sudo /var/log/sudo_debug match@info,nss@info
4492 For more information, see the
4493 sudo.conf(@mansectform@)
4502 sudo.conf(@mansectform@),
4503 sudoers.ldap(@mansectform@),
4504 sudo_plugin(@mansectsu@),
4514 command, which locks the file and checks it for syntax errors.
4518 be free of syntax errors since
4520 will not run with a syntactically incorrect
4524 When using netgroups of machines (as opposed to users), if you
4525 store fully qualified host names in the netgroup (as is usually the
4526 case), you either need to have the machine's host name be fully qualified
4534 If you feel you have found a bug in
4536 please submit a bug report at http://www.sudo.ws/sudo/bugs/
4538 Limited free support is available via the sudo-users mailing list,
4539 see http://www.sudo.ws/mailman/listinfo/sudo-users to subscribe or
4540 search the archives.
4545 and any express or implied warranties, including, but not limited
4546 to, the implied warranties of merchantability and fitness for a
4547 particular purpose are disclaimed.
4548 See the LICENSE file distributed with
4550 or http://www.sudo.ws/sudo/license.html for complete details.