.\" Copyright (c) 1994-1996, 1998-2005, 2007-2012
.\" Todd C. Miller <Todd.Miller@courtesan.com>
.\" Permission to use, copy, modify, and distribute this software for any
.\" purpose with or without fee is hereby granted, provided that the above
.\" copyright notice and this permission notice appear in all copies.
.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
.\" ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
.\" Sponsored in part by the Defense Advanced Research Projects
.\" Agency (DARPA) and Air Force Research Laboratory, Air Force
.\" Materiel Command, USAF, under agreement number F39502-99-1-0512.
.Dt SUDOERS @mansectform@
.Os Sudo @PACKAGE_VERSION@
.Nd default sudo security policy module
policy module determines a user's
The policy is driven by
.Pa @sysconfdir@/sudoers
file or, optionally in LDAP.
The policy format is described in detail in the
.Sx SUDOERS FILE FORMAT
For information on storing
.Xr sudoers.ldap @mansectform@ .
.Ss Authentication and logging
security policy requires that most users authenticate
themselves before they can use
A password is not required
if the invoking user is root, if the target user is the same as the
invoking user, or if the policy has disabled authentication for the
authentication, it validates the invoking user's credentials, not
the target user's (or root's) credentials.
This can be changed via
flags, described later.
If a user who is not listed in the policy tries to run a command
mail is sent to the proper authorities.
used for such mail is configurable via the
(described later) and defaults to
Note that mail will not be sent if an unauthorized user tries to
determine for themselves whether or not they are allowed to use
is run by root and the
policy will use this value to determine who
This can be used by a user to log commands
through sudo even when a root shell has been invoked.
option to remain useful even when invoked via a
sudo-run script or program.
Note, however, that the
lookup is still done for root, not the user specified by
uses time stamp files for credential caching.
user has been authenticated, the time stamp is updated and the user
may then use sudo without a password for a short period of time
minutes unless overridden by the
uses a tty-based time stamp which means that
there is a separate time stamp for each of a user's login sessions.
option can be disabled to force the use of a
single time stamp for all of a user's sessions.
can log both successful and unsuccessful attempts (as well
but this is changeable via the
also supports logging a command's input and output
I/O logging is not on by default but can be enabled using
Defaults flags as well as the
.Ss Command environment
Since environment variables can influence program behavior,
provides a means to restrict which variables from the user's
environment are inherited by the command to be run.
can deal with environment variables.
to be executed with a new, minimal environment.
systems without PAM), the environment is initialized with the
On BSD systems, if the
option is enabled, the environment is initialized
.Pa /etc/login.conf .
The new environment contains the
in addition to variables from the invoking process permitted by the
This is effectively a whitelist
for environment variables.
option is disabled, any variables not
explicitly denied by the
inherited from the invoking process.
behave like a blacklist.
Since it is not possible
to blacklist all potentially dangerous environment variables, use
behavior is encouraged.
In all cases, environment variables with a value beginning with
are removed as they could be interpreted as
The list of environment variables that
contained in the output of
Note that the dynamic linker on most operating systems will remove
variables that can control dynamic linking from the environment of
setuid executables, including
Depending on the operating
system this may include
These types of variables are
removed from the environment before
even begins execution
and, as such, it is not possible for
As a special case, if
option (initial login) is
will initialize the environment regardless
variables remain unchanged;
are set based on the target user.
systems without PAM), the contents of
On BSD systems, if the
All other environment variables are removed.
option is defined, any variables present
in that file will be set to their specified values as long as they
would not conflict with an existing environment variable.
.Sh SUDOERS FILE FORMAT
file is composed of two types of entries: aliases
(basically variables) and user specifications (which specify who
When multiple entries match for a user, they are applied in order.
Where there are multiple matches, the last match is used (which is
not necessarily the most specific match).
grammar will be described below in Extended Backus-Naur
Don't despair if you are unfamiliar with EBNF; it is fairly simple,
and the definitions below are annotated.
.Ss Quick guide to EBNF
EBNF is a concise and exact way of describing the grammar of a language.
Each EBNF definition is made up of
.Em production rules .
.Li symbol ::= definition | alternate1 | alternate2 ...
references others and thus makes up a
grammar for the language.
EBNF also contains the following
operators, which many readers will recognize from regular
Do not, however, confuse them with
characters, which have different meanings.
Means that the preceding symbol (or group of symbols) is optional.
That is, it may appear once or not at all.
Means that the preceding symbol (or group of symbols) may appear
Means that the preceding symbol (or group of symbols) may appear
Parentheses may be used to group symbols together.
we will use single quotes
to designate what is a verbatim character string (as opposed to a symbol name).
There are four kinds of aliases:
Alias ::= 'User_Alias' User_Alias (':' User_Alias)* |
'Runas_Alias' Runas_Alias (':' Runas_Alias)* |
'Host_Alias' Host_Alias (':' Host_Alias)* |
'Cmnd_Alias' Cmnd_Alias (':' Cmnd_Alias)*
User_Alias ::= NAME '=' User_List
Runas_Alias ::= NAME '=' Runas_List
Host_Alias ::= NAME '=' Host_List
Cmnd_Alias ::= NAME '=' Cmnd_List
NAME ::= [A-Z]([A-Z][0-9]_)*
definition is of the form
Alias_Type NAME = item1, item2, ...
is a string of uppercase letters, numbers,
and underscore characters
It is possible to put several alias definitions
of the same type on a single line, joined by a colon
Alias_Type NAME = item1, item2, item3 : NAME = item4, item5
The definitions of what constitutes a valid
User ::= '!'* user name |
'!'* %:nonunix_group |
'!'* %:#nonunix_gid |
is made up of one or more user names, user ids
system group names and ids (prefixed with
respectively), netgroups (prefixed with
non-Unix group names and IDs (prefixed with
.Li User_Alias Ns No es.
Each list item may be prefixed with zero or more
operators negate the value of
the item; an even number just cancel each other out.
may be enclosed in double quotes to avoid the
need for escaping special characters.
Alternately, special characters
may be specified in escaped hex mode, e.g.\& \ex20 for space.
using double quotes, any prefix characters must be included inside
the underlying group provider plugin (see the
For instance, the QAS AD plugin supports the following formats:
.Bl -bullet -width 4n
Group in the same domain: "%:Group Name"
Group in any domain: "%:Group Name@FULLY.QUALIFIED.DOMAIN"
Group SID: "%:S-1-2-34-5678901234-5678901234-5678901234-567"
Note that quotes around group names are optional.
Unquoted strings must use a backslash
to escape spaces and special characters.
.Sx Other special characters and reserved words
characters that need to be escaped.
Runas_List ::= Runas_Member |
Runas_Member ',' Runas_List
Runas_Member ::= '!'* user name |
'!'* %:nonunix_group |
'!'* %:#nonunix_gid |
.Li User_Alias Ns No es
.Li Runas_Alias Ns No es .
user names and groups are matched as strings.
users (groups) with the same uid (gid) are considered to be distinct.
If you wish to match all user names with the same uid (e.g.\&
root and toor), you can use a uid instead (#0 in the example given).
Host ::= '!'* host name |
'!'* network(/netmask)? |
is made up of one or more host names, IP addresses,
network numbers, netgroups (prefixed with
Again, the value of an item may be negated with the
If you do not specify a netmask along with the network number,
will query each of the local host's network interfaces and,
if the network number corresponds to one of the host's network
interfaces, the corresponding netmask will be used.
may be specified either in standard IP address notation
(e.g.\& 255.255.255.0 or ffff:ffff:ffff:ffff::),
or CIDR notation (number of bits, e.g.\& 24 or 64).
A host name may include shell-style wildcards (see the
command on your machine returns the fully
qualified host name, you'll need to use the
option for wildcards to be useful.
only inspects actual network interfaces; this means that IP address
127.0.0.1 (localhost) will never match.
will only match if that is the actual host name, which is usually
only the case for non-networked systems.
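An added example, not code from sudo, that applies the Host_List rules above in Python: an item is matched as an address or network (with a CIDR or address-style netmask, or with the interface's own mask when none is given), as a netgroup, or as a host name pattern. The last item of a comma-separated list that matches is taken to decide, and an odd number of leading `!` turns its match into a denial; that last-match rule is modeled here from the file's general "last match is used" behavior. The local host name, its interfaces and the netgroup table are constructed for the example, and the loopback interface is deliberately absent, which is why 127.0.0.1 never matches.

```python
import fnmatch
import ipaddress

# Constructed local host facts standing in for what sudoers learns from
# gethostname() and the host's network interfaces (assumption for this
# example; the loopback interface is left out, as the section explains).
LOCAL_HOST = {
    "short": "xyzzy",
    "fqdn": "xyzzy.sudo.ws",
    "interfaces": [
        ipaddress.ip_interface("192.168.1.1/24"),
        ipaddress.ip_interface("2001:db8:0:1::1/64"),
    ],
}

# Constructed netgroup table (assumption; real lookups go through the
# system's netgroup database).
NETGROUPS = {"servers": {"xyzzy.sudo.ws", "boulder.sudo.ws"}}


def _prefixlen(mask, version):
    """Accept a netmask as either a bit count (CIDR) or an address
    (255.255.255.0 or ffff:ffff:ffff:ffff::); assumes a contiguous mask."""
    if mask.isdigit():
        return int(mask)
    mask_addr = ipaddress.ip_address(mask)
    if mask_addr.version != version:
        raise ValueError(f"netmask {mask!r} does not fit the address family")
    return bin(int(mask_addr)).count("1")


def _address_matches(item, interfaces):
    """IP address or network number, with or without a netmask."""
    addr_text, _, mask = item.partition("/")
    addr = ipaddress.ip_address(addr_text)          # ValueError if not an address
    same_family = [ifc for ifc in interfaces if ifc.version == addr.version]
    if mask:
        net = ipaddress.ip_network(f"{addr}/{_prefixlen(mask, addr.version)}", strict=False)
        return any(ifc.ip in net for ifc in same_family)
    # No netmask: match an interface address, or a network number that
    # corresponds to one of the interfaces using that interface's own mask.
    return any(ifc.ip == addr or ifc.network.network_address == addr
               for ifc in same_family)


def host_item_matches(item, host=LOCAL_HOST, fqdn=False):
    """Match one (non-negated) Host item against the local host."""
    if item == "ALL":
        return True
    if item.startswith("+"):
        return host["fqdn"] in NETGROUPS.get(item[1:], set())
    try:
        return _address_matches(item, host["interfaces"])
    except ValueError:
        pass  # not an address: treat it as a host name pattern
    # Wildcards only help against the name sudoers compares, which is the
    # short name unless the fqdn option is set.
    name = host["fqdn"] if fqdn else host["short"]
    return fnmatch.fnmatchcase(name, item)


def host_list_matches(host_list, host=LOCAL_HOST, fqdn=False):
    """Evaluate a comma-separated Host_List: items are checked from the last
    one backwards, the last matching item decides, and an odd number of
    leading '!' negates it."""
    items = [i.strip() for i in host_list.split(",") if i.strip()]
    for raw in reversed(items):
        negated = (len(raw) - len(raw.lstrip("!"))) % 2 == 1
        if host_item_matches(raw.lstrip("!"), host, fqdn):
            return not negated
    return False


if __name__ == "__main__":
    for hl in ("192.168.1.0", "192.168.1.0/255.255.255.0", "127.0.0.1",
               "xyzzy.*", "192.168.1.0/24, !xyzzy"):
        print(f"{hl:32} {host_list_matches(hl)}")
```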
command name ::= file name |
Cmnd ::= '!'* command name |
is a list of one or more command names, directories, and other aliases.
A command name is a fully qualified file name which may include
shell-style wildcards (see the
A simple file name allows the user to run the command with any
arguments he/she wishes.
However, you may also specify command line arguments (including
Alternately, you can specify
to indicate that the command
command line arguments.
fully qualified path name ending in a
When you specify a directory in a
the user will be able to run any file within that directory
(but not in any sub-directories therein).
has associated command line arguments, then the arguments
must match exactly those given by the user on the command line
(or match the wildcards if there are any).
Note that the following characters must be escaped with a
if they are used in command arguments:
is used to permit a user to run
It may take command line arguments just as a normal command does.
Certain configuration options may be changed from their default
values at run-time via one or more
These may affect all users on any host, all users on a specific host, a
specific user, a specific command, or commands being run as a specific user.
Note that per-command entries may not include command line arguments.
If you need to specify arguments, define a
Default_Type ::= 'Defaults' |
'Defaults' '@' Host_List |
'Defaults' ':' User_List |
'Defaults' '!' Cmnd_List |
'Defaults' '>' Runas_List
Default_Entry ::= Default_Type Parameter_List
Parameter_List ::= Parameter |
Parameter ',' Parameter_List
Parameter ::= Parameter '=' Value |
Parameter '+=' Value |
Parameter '-=' Value |
Flags are implicitly boolean and can be turned off via the
Some integer, string and list parameters may also be
used in a boolean context to disable them.
Values may be enclosed
when they contain multiple words.
Special characters may be escaped with a backslash
Lists have two additional assignment operators,
These operators are used to add to and delete from a list respectively.
It is not an error to use the
operator to remove an element
that does not exist in a list.
Defaults entries are parsed in the following order: generic, host
and user Defaults first, then runas Defaults and finally command
for a list of supported Defaults parameters.
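The Defaults parameter syntax above, applied in Python as an added example (not sudo's parser): it splits a Parameter_List on commas outside double quotes, treats a bare parameter as a flag that `!` turns off (an even number of `!` cancels out), lets `!` disable a non-flag parameter, and implements `=`, `+=` and `-=` for lists, where removing an element that is not present is not an error. The parameter names, their types and the starting values are constructed for the example and are not sudo's compiled-in defaults.

```python
import re

# Constructed starting state: a handful of parameters of each type with
# assumed values (illustrative; not sudo's compiled-in defaults).
TYPES = {
    "env_reset": "flag",
    "requiretty": "flag",
    "passwd_timeout": "integer",
    "passprompt": "string",
    "env_keep": "list",
}
DEFAULTS = {
    "env_reset": True,
    "requiretty": True,
    "passwd_timeout": 5,
    "passprompt": "Password:",
    "env_keep": ["COLORS", "DISPLAY", "HOME"],
}

# '!'* Parameter, optionally followed by one of the three operators and a value.
_ITEM = re.compile(r'(!*)\s*([A-Za-z_][A-Za-z0-9_]*)\s*(?:(\+=|-=|=)\s*(.*))?')


def split_parameter_list(text):
    """Split a Parameter_List on commas that are not inside double quotes."""
    pieces = re.findall(r'(?:[^,"]|"(?:[^"\\]|\\.)*")+', text)
    return [p.strip() for p in pieces if p.strip()]


def _unquote(value):
    """Strip optional surrounding double quotes and resolve backslash escapes."""
    value = value.strip()
    if len(value) >= 2 and value[0] == '"' and value[-1] == '"':
        value = value[1:-1]
    return re.sub(r"\\(.)", r"\1", value)


def apply_defaults(settings, text, types=TYPES):
    """Apply one Defaults Parameter_List to a copy of `settings` and return it."""
    settings = dict(settings)
    for item in split_parameter_list(text):
        m = _ITEM.fullmatch(item)
        if not m:
            raise ValueError(f"cannot parse Defaults item: {item!r}")
        bangs, name, op, value = m.groups()
        if name not in types:
            raise KeyError(f"unknown Defaults parameter: {name}")
        negated = len(bangs) % 2 == 1            # '!!' cancels itself out
        kind = types[name]
        if op is None:
            if kind == "flag":
                settings[name] = not negated     # flags are implicitly boolean
            elif negated:
                settings[name] = None            # non-flag in boolean context: disabled
            else:
                raise ValueError(f"{name} requires a value")
            continue
        if negated or kind == "flag":
            raise ValueError(f"{name}: flags take no value and '!' takes no operator")
        value = _unquote(value)
        if kind == "list":
            words = value.split()                # multi-word list values are quoted
            current = settings[name] or []
            if op == "=":
                settings[name] = words
            elif op == "+=":
                settings[name] = current + [w for w in words if w not in current]
            else:   # '-=': removing an element that is not present is not an error
                settings[name] = [w for w in current if w not in words]
        elif op != "=":
            raise ValueError(f"{name}: '+=' and '-=' apply to lists only")
        elif kind == "integer":
            settings[name] = int(value)
        else:
            settings[name] = value
    return settings


if __name__ == "__main__":
    line = 'env_keep += "LANG LC_ALL", !requiretty, passprompt="[sudo] password for %u: "'
    for k, v in apply_defaults(DEFAULTS, line).items():
        print(f"{k:15} {v!r}")
```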
.Ss User specification
User_Spec ::= User_List Host_List '=' Cmnd_Spec_List \e
(':' Host_List '=' Cmnd_Spec_List)*
Cmnd_Spec_List ::= Cmnd_Spec |
Cmnd_Spec ',' Cmnd_Spec_List
Cmnd_Spec ::= Runas_Spec? SELinux_Spec? Solaris_Priv_Spec? Tag_Spec* Cmnd
Runas_Spec ::= '(' Runas_List? (':' Runas_List)? ')'
SELinux_Spec ::= ('ROLE=role' | 'TYPE=type')
Solaris_Priv_Spec ::= ('PRIVS=privset' | 'LIMITPRIVS=privset')
Tag_Spec ::= ('NOPASSWD:' | 'PASSWD:' | 'NOEXEC:' | 'EXEC:' |
'SETENV:' | 'NOSETENV:' | 'LOG_INPUT:' | 'NOLOG_INPUT:' |
'LOG_OUTPUT:' | 'NOLOG_OUTPUT:')
.Sy user specification
determines which commands a user may run
(and as what user) on specified hosts.
By default, commands are
but this can be changed on a per-command basis.
The basic structure of a user specification is
.Dq who where = (as_whom) what .
Let's break that down into its constituent parts:
determines the user and/or the group that a command
.Li Runas_List Ns No s
(as defined above) separated by a colon
and enclosed in a set of parentheses.
which users the command may be run as via
The second defines a list of groups that can be specified via
.Li Runas_List Ns No s
are specified, the command may be run with any combination of users
and groups listed in their respective
.Li Runas_List Ns No s.
If only the first is specified, the command may be run as any user
second is specified, the command may be run as the invoking user
with the group set to any listed in the
.Li Runas_List Ns No s
are empty, the command may only be run as the invoking user.
is specified the command may be run as
no group may be specified.
sets the default for the commands that follow it.
What this means is that for the entry:
dgb boulder = (operator) /bin/ls, /bin/kill, /usr/bin/lprm
.Pa /usr/bin/lprm Ns No \(em Ns but
$ sudo -u operator /bin/ls
It is also possible to override a
later on in an entry.
If we modify the entry like so:
dgb boulder = (operator) /bin/ls, (root) /bin/kill, /usr/bin/lprm
is now allowed to run
We can extend this to allow
the user or group set to
dgb boulder = (operator : operator) /bin/ls, (root) /bin/kill,\e
Note that while the group portion of the
user to run a command with that group, it does not force the user
If no group is specified on the command line, the command
will run with the group listed in the target user's password database
The following would all be permitted by the sudoers entry above:
$ sudo -u operator /bin/ls
$ sudo -u operator -g operator /bin/ls
$ sudo -g operator /bin/ls
In the following example, user
may run commands that access
a modem device file with the dialer group.
tcm boulder = (:dialer) /usr/bin/tip, /usr/bin/cu,\e
/usr/local/bin/minicom
Note that in this example only the group will be set, the command
$ sudo -g dialer /usr/bin/cu
Multiple users and groups may be present in a
in which case the user may select any combination of users and groups via the
alan ALL = (root, bin : operator, system) ALL
may run any command as either user root or bin,
optionally setting the group to operator or system.
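The Runas_Spec rules just described, worked through in Python as an added example (illustrative code written for this page, not part of sudo): it parses a `(users : groups)` specification, carries a Runas_Spec forward to the commands that follow it in a Cmnd_Spec_List, and decides whether a given -u/-g request is permitted, reproducing the outcomes of the dgb, tcm and alan entries above. Assumptions: the target user when -u is omitted is root (the runas_default), command names are compared literally, and the entries carry no Tag_Spec.

```python
import re

# Assumption for this example: the target user when no -u is given is root,
# which is the runas_default unless that option has been changed.
RUNAS_DEFAULT = "root"


def parse_runas_spec(spec):
    """Parse '(users : groups)' into two lists of names.

    Returns (None, None) when there is no Runas_Spec at all, which the
    section above treats differently from an empty '()'.
    """
    if spec is None:
        return None, None
    spec = spec.strip()
    if not (spec.startswith("(") and spec.endswith(")")):
        raise ValueError(f"bad Runas_Spec: {spec!r}")
    inner = spec[1:-1]
    if inner.count(":") > 1:
        raise ValueError(f"bad Runas_Spec: {spec!r}")
    user_part, _, group_part = inner.partition(":")
    users = [u.strip() for u in user_part.split(",") if u.strip()]
    groups = [g.strip() for g in group_part.split(",") if g.strip()]
    return users, groups


def _target_user(invoking_user, req_user, req_group):
    """User the command would run as: -u if given; the invoking user when
    only -g was given; otherwise runas_default."""
    if req_user is not None:
        return req_user
    return invoking_user if req_group is not None else RUNAS_DEFAULT


def runas_permitted(spec, invoking_user, req_user=None, req_group=None):
    """Apply the Runas_Spec rules of the section above to a -u/-g request."""
    users, groups = parse_runas_spec(spec)
    target = _target_user(invoking_user, req_user, req_group)
    if users is None:                       # no Runas_Spec: root only, no -g
        return req_group is None and target == RUNAS_DEFAULT
    if not users and not groups:            # '()': the invoking user only
        return req_group is None and target == invoking_user
    if users and not groups:                # '(operator)': listed users, no -g
        return req_group is None and target in users
    if groups and not users:                # '(:dialer)': invoking user, listed group
        return target == invoking_user and req_group in groups
    # Both lists given: any combination; '-g' alone implies the invoking user.
    user_ok = (req_user is None and req_group is not None) or target in users
    group_ok = req_group is None or req_group in groups
    return user_ok and group_ok


def _split_top_level_commas(text):
    """Split a Cmnd_Spec_List on commas outside parentheses, since a
    Runas_List itself contains commas."""
    items, depth, cur = [], 0, []
    for ch in text:
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
        if ch == "," and depth == 0:
            items.append("".join(cur).strip())
            cur = []
        else:
            cur.append(ch)
    if "".join(cur).strip():
        items.append("".join(cur).strip())
    return items


def expand_cmnd_spec_list(cmnd_spec_list):
    """Pair every command with the Runas_Spec that governs it.

    A Runas_Spec sets the default for the commands that follow it, so in
    '(operator) /bin/ls, (root) /bin/kill, /usr/bin/lprm' lprm falls under
    (root). None means the command has no Runas_Spec at all.
    Assumption: the entry carries no Tag_Spec such as NOPASSWD:.
    """
    pairs, current = [], None
    for item in _split_top_level_commas(cmnd_spec_list):
        m = re.fullmatch(r"(\([^)]*\))\s*(\S.*)", item)
        if m:
            current, command = m.group(1), m.group(2)
        else:
            command = item
        pairs.append((current, command))
    return pairs


def command_permitted(cmnd_spec_list, invoking_user, command,
                      req_user=None, req_group=None):
    """True if running `command` as -u/-g is allowed by the Cmnd_Spec_List
    (command names are compared literally here)."""
    return any(cmd == command and runas_permitted(spec, invoking_user, req_user, req_group)
               for spec, cmd in expand_cmnd_spec_list(cmnd_spec_list))


if __name__ == "__main__":
    entry = "(operator : operator) /bin/ls, (root) /bin/kill, /usr/bin/lprm"
    for spec, cmd in expand_cmnd_spec_list(entry):
        print(f"{spec or '(no Runas_Spec)':24} {cmd}")
    print(command_permitted(entry, "dgb", "/bin/ls", req_group="operator"))
```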
On systems with SELinux support,
entries may optionally have an SELinux role and/or type associated
type is specified with the command it will override any default values
A role or type specified on the command line,
however, will supersede the values in
.Ss Solaris_Priv_Spec
entries may optionally specify Solaris privilege set and/or limit
privilege set associated with a command.
If privileges or limit privileges are specified with the command
it will override any default values specified in
A privilege set is a comma-separated list of privilege names.
command can be used to list all privileges known to the system.
In addition, there are several
the set of all privileges
the set of all privileges available in the current zone
the default set of privileges normal users are granted at login time
Privileges can be excluded from a set by prefixing the privilege
A command may have zero or more tags associated with it.
ten possible tag values:
Once a tag is set on a
inherit the tag unless it is overridden by the opposite tag (in other words,
.Em NOPASSWD and PASSWD
requires that a user authenticate him or herself
before running a command.
This behavior can be modified via the
a default for the commands that follow it in the
tag can be used to reverse things.
ray rushmore = NOPASSWD: /bin/kill, /bin/ls, /usr/bin/lprm
on the machine rushmore without authenticating himself.
without a password the entry would be:
ray rushmore = NOPASSWD: /bin/kill, PASSWD: /bin/ls, /usr/bin/lprm
Note, however, that the
tag has no effect on users who are in the group specified by the
tag is applied to any of the entries for a user on the current host,
he or she will be able to run
Additionally, a user may only run
without a password if the
tag is present for all a user's entries that pertain to the current host.
This behavior may be overridden via the
has been compiled with
support and the underlying operating system supports it, the
tag can be used to prevent a dynamically-linked executable from
running further commands itself.
In the following example, user
but shell escapes will be disabled.
aaron shanty = NOEXEC: /usr/bin/more, /usr/bin/vi
.Sx Preventing shell escapes
section below for more details on how
works and whether or not it will work on your system.
.Em SETENV and NOSETENV
These tags override the value of the
option on a per-command basis.
has been set for a command, the user may disable the
option from the command line via the
Additionally, environment variables set on the command
line are not subject to the restrictions imposed by
As such, only trusted users should be allowed to set variables in this manner.
If the command matched is
tag is implied for that command; this default may be overridden by use of the
.Em LOG_INPUT and NOLOG_INPUT
These tags override the value of the
option on a per-command basis.
For more information, see the description of
.Em LOG_OUTPUT and NOLOG_OUTPUT
These tags override the value of the
option on a per-command basis.
For more information, see the description of
(aka meta or glob characters)
to be used in host names, path names and command line arguments in the
Wildcard matching is done via the
regular expressions.
Matches any set of zero or more characters.
Matches any single character.
Matches any character in the specified range.
Matches any character
in the specified range.
This is used to escape special characters such as:
POSIX character classes may also be used if your system's
functions support them.
However, because the
character has special meaning in
.Bd -literal -offset 4n
/bin/ls [[\:alpha\:]]*
.Ed
Would match any file name beginning with a letter.
Note that a forward slash
wildcards used in the path name.
This is to make a path like:
.Bd -literal -offset 4n
.Pa /usr/bin/X11/xterm .
When matching the command line arguments, however, a slash
get matched by wildcards since command line arguments may contain
arbitrary strings and not just path names.
Wildcards in command line arguments should be used with care.
Because command line arguments are matched as a single, concatenated
string, a wildcard such as
can match multiple words.
For example, while a sudoers entry like:
.Bd -literal -offset 4n
%operator ALL = /bin/cat /var/log/messages*
.Ed
will allow a command like:
.Bd -literal -offset 4n
$ sudo cat /var/log/messages.1
.Ed
.Bd -literal -offset 4n
$ sudo cat /var/log/messages /etc/shadow
.Ed
which is probably not what was intended.
.Ss Exceptions to wildcard rules
The following exceptions apply to the above rules:
is the only command line argument in the
entry it means that command is not allowed to be run with
Command line arguments to the
built-in command should always be path names, so a forward slash
will not be matched by a wildcard.
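An added example, not sudo's matching code, that implements the command and argument rules of the preceding sections in Python: wildcards in the path name do not match `/` (so `/usr/bin/*` does not cover `/usr/bin/X11/xterm`), a path ending in `/` covers the files directly in that directory, a missing argument list permits any arguments, `""` permits none, arguments are matched as one concatenated string (so `/var/log/messages*` accepts `/var/log/messages /etc/shadow`), and `sudoedit` arguments are treated as path names. It assumes the command has already been resolved to a fully qualified path, as sudo does, and leaves out POSIX character classes.

```python
import re


def _glob_to_regex(pattern, slash_wild):
    """Translate a sudoers shell-style pattern into a regular expression.

    '*' and '?' match a forward slash only when slash_wild is True: the
    sections above say wildcards never match '/' in a path name but do
    match it in command line arguments (sudoedit's arguments excepted).
    """
    any_char = "." if slash_wild else "[^/]"
    out, i = [], 0
    while i < len(pattern):
        c = pattern[i]
        if c == "*":
            out.append(any_char + "*")
        elif c == "?":
            out.append(any_char)
        elif c == "[":
            close = pattern.find("]", i + 2)       # a ']' right after '[' is literal
            if close == -1:
                out.append(re.escape(c))
            else:
                body = pattern[i + 1:close]
                if body.startswith("!"):           # [!abc]: shell-style negated range
                    body = "^" + body[1:]
                out.append("[" + body + "]")
                i = close
        elif c == "\\" and i + 1 < len(pattern):
            i += 1                                 # backslash escapes the next character
            out.append(re.escape(pattern[i]))
        else:
            out.append(re.escape(c))
        i += 1
    return "".join(out)


def _matches(pattern, text, slash_wild):
    return re.fullmatch(_glob_to_regex(pattern, slash_wild), text, re.DOTALL) is not None


def cmnd_matches(cmnd, command, args):
    """Match one sudoers Cmnd against a command the user is running.

    cmnd:    a Cmnd from sudoers, e.g. '/bin/cat /var/log/messages*'
    command: the fully qualified path of the program (already resolved
             through the user's PATH, as sudo would have done)
    args:    the user's command line arguments as a list
    """
    parts = cmnd.strip().split(None, 1)
    cmd_pat = parts[0]
    arg_pat = parts[1].strip() if len(parts) > 1 else None

    if cmd_pat.endswith("/"):
        # A directory: any file within it, but not in sub-directories.
        rest = command[len(cmd_pat):]
        if not (command.startswith(cmd_pat) and rest and "/" not in rest):
            return False
    elif not _matches(cmd_pat, command, slash_wild=False):
        return False

    if arg_pat is None:
        return True                  # no arguments in sudoers: any arguments allowed
    if arg_pat == '""':
        return len(args) == 0        # "": the command may only be run without arguments

    # Arguments are matched as a single, concatenated string, which is why
    # '/var/log/messages*' also matches '/var/log/messages /etc/shadow'.
    user_args = " ".join(args)
    slash_wild = cmd_pat != "sudoedit"   # sudoedit's arguments are path names
    return _matches(arg_pat, user_args, slash_wild)


if __name__ == "__main__":
    rule = "/bin/cat /var/log/messages*"
    for argv in (["/var/log/messages.1"], ["/var/log/messages", "/etc/shadow"]):
        print(f"{rule!r} vs {argv}: {cmnd_matches(rule, '/bin/cat', argv)}")
```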
.Ss Including other files from within sudoers
It is possible to include other
files from within the
file currently being parsed using the
This can be used, for example, to keep a site-wide
file in addition to a local, per-machine file.
For the sake of this example the site-wide
and the per-machine one will be
.Pa /etc/sudoers.local .
.Pa /etc/sudoers.local
.Bd -literal -offset 4n
#include /etc/sudoers.local
.Ed
reaches this line it will suspend processing of the current file
.Pa /etc/sudoers.local .
Upon reaching the end of
.Pa /etc/sudoers.local ,
Files that are included may themselves include other files.
A hard limit of 128 nested include files is enforced to prevent include
If the path to the include file is not fully-qualified (does not
it must be located in the same directory as the sudoers file it was
.Bd -literal -offset 4n
.Li #include sudoers.local
.Ed
the file that will be included is
.Pa /etc/sudoers.local .
The file name may also include the
escape, signifying the short form of the host name.
In other words, if the machine's host name is
.Bd -literal -offset 4n
#include /etc/sudoers.%h
.Ed
.Pa /etc/sudoers.xerxes .
directive can be used to create a
directory that the system package manager can drop
into as part of package installation.
.Bd -literal -offset 4n
#includedir /etc/sudoers.d
.Ed
will read each file in
.Pa /etc/sudoers.d ,
skipping file names that end in
character to avoid causing problems with package manager or editor
temporary/backup files.
Files are parsed in sorted lexical order.
.Pa /etc/sudoers.d/01_first
will be parsed before
.Pa /etc/sudoers.d/10_second .
Be aware that because the sorting is lexical, not numeric,
.Pa /etc/sudoers.d/1_whoops
.Pa /etc/sudoers.d/10_second .
Using a consistent number of leading zeroes in the file names can be used
to avoid such problems.
Note that unlike files included via
will not edit the files in a
directory unless one of them contains a syntax error.
It is still possible to run
flag to edit the files directly.
.Ss Other special characters and reserved words
is used to indicate a comment (unless it is part of a #include
directive or unless it occurs in the context of a user name and is
followed by one or more digits, in which case it is treated as a
Both the comment character and any text after it, up to the end of
the line, are ignored.
that always causes a match to succeed.
It can be used wherever one might otherwise use a
You should not try to define your own
as the built-in alias will be used in preference to your own.
Please note that using
can be dangerous since in a command context, it allows the user to run
command on the system.
An exclamation point
can be used as a logical
This allows one to exclude certain values.
Note, however, that using a
in conjunction with the built-in
alias to allow a user to run
commands rarely works as intended (see
Long lines can be continued with a backslash
as the last character on the line.
White space between elements in a list as well as special syntactic
.Em User Specification
The following characters must be escaped with a backslash
when used as part of a word (e.g.\& a user name or host name):
behavior can be modified by
lines, as explained earlier.
A list of all supported Defaults parameters, grouped by type, is given below.
environment variable to the home directory of the target user
(which is root unless the
This effectively means that the
option is always implied.
is already set when the
option is enabled, so
is only effective for configurations where either
If set, users must authenticate themselves via a password (or other
means of authentication) before they may run commands.
This default may be overridden via the
.It closefrom_override
If set, the user may use
option which overrides the default starting point at which
begins closing open file descriptors.
is configured to log a command's input or output,
the I/O logs will be compressed using
will use the value of the
environment variables before falling back on the default editor list.
Note that this may create a security hole as it allows the user to
run any arbitrary command as root without logging.
A safer alternative is to place a colon-separated list of editors
will then only use the
if they match a value specified in
will run the command in a minimal environment containing the
variables in the caller's environment that match the
lists are then added, followed by any variables present in the file
The default contents of the
lists are displayed when
is run by root with the
option is set, its value will be used for the
environment variable.
function to do shell-style globbing when matching path names.
However, since it accesses the file system,
can take a long time to complete for some patterns, especially
when the pattern references a network file system that is mounted
on demand (auto mounted).
function, which does not access the file system to do its matching.
is that it is unable to match relative path names such as
This has security implications when path names that include globbing
characters are used with the negation operator,
as such rules can be trivially bypassed.
As such, this option should not be used when
contains rules that contain negated path names which include globbing
Set this flag if you want to put fully qualified host names in the
file when the local host name (as returned by the
command) does not contain the domain name.
In other words, instead of myhost you would use myhost.mydomain.edu.
You may still use the short form if you wish (and even mix the two).
This option is only effective when the
host name, as returned by the
function, is a fully-qualified domain name.
This is usually the case when the system is configured to use DNS
for host name resolution.
If the system is configured to use the
file in preference to DNS, the
host name may not be fully-qualified.
The order that sources are queried for host name resolution
is usually specified in the
.Pa @nsswitch_conf@ ,
.Pa /etc/host.conf ,
.Pa /etc/resolv.conf
file, the first host name of the entry is considered to be the
name; subsequent names are aliases that are not used by
For example, the following hosts file line for the machine
has the fully-qualified domain name as the
host name, and the short version as an alias.
.Dl 192.168.1.1 xyzzy.sudo.ws xyzzy
If the machine's hosts file entry is not formatted properly, the
option will not be effective if it is queried before DNS.
Beware that when using DNS for host name resolution, turning on
to make DNS lookups which renders
unusable if DNS stops working (for example if the machine is disconnected
Also note that just like with the hosts file, you must use the
name as DNS knows it.
That is, you may not use a host alias
due to performance issues and the fact that there is no way to get all
will ignore "." or "" (both denoting current directory) in the
environment variable; the
itself is not modified.
.It ignore_local_sudoers
If set via LDAP, parsing of
.Pa @sysconfdir@/sudoers
This is intended for Enterprises that wish to prevent the usage of local
sudoers files so that only LDAP is used.
This thwarts the efforts of rogue operators who would attempt to add roles to
.Pa @sysconfdir@/sudoers .
When this option is present,
.Pa @sysconfdir@/sudoers
does not even need to exist.
Since this option tells
how to behave when no specific LDAP entries have been matched, this
sudoOption is only meaningful for the
will insult users when they enter an incorrect password.
If set, the host name will be logged in the (non-syslog)
will run the command in a
and log all user input.
If the standard input is not connected to the user's tty, due to
I/O redirection or because the command is part of a pipeline, that
input is also captured and stored in a separate log file.
Input is logged to the directory specified by the
using a unique session ID that is included in the normal
log line, prefixed with
option may be used to control the format of the session ID.
Note that user input may contain sensitive information such as
passwords (even if they are not echoed to the screen), which will
be stored in the log file unencrypted.
In most cases, logging the command output via
is all that is required.
will run the command in a
and log all output that is sent to the screen, similar to the
If the standard output or standard error is not connected to the
user's tty, due to I/O redirection or because the command is part
of a pipeline, that output is also captured and stored in separate
Output is logged to the directory specified by the
using a unique session ID that is included in the normal
log line, prefixed with
option may be used to control the format of the session ID.
Output logs may be viewed with the
.Xr sudoreplay @mansectsu@
utility, which can also be used to list or search the available logs.
If set, the four-digit year will be logged in the (non-syslog)
When validating with a One Time Password (OTP) scheme such as
a two-line prompt is used to make it easier
to cut and paste the challenge to a local window.
It's not as pretty as the default but some people find it more convenient.
.Em @long_otp_prompt@
user every time a user runs
user if the user running
does not enter the correct password.
If the command the user is attempting to run is not permitted by
flags are set, this flag will have no effect.
If set, mail will be sent to the
user if the invoking user exists in the
file, but is not allowed to run commands on the current host.
If set, mail will be sent to the
user if the invoking user is allowed to use
but the command they are trying is not listed in their
file entry or is explicitly denied.
If set, mail will be sent to the
user if the invoking user is not in the
If set, all commands run via
will behave as if the
tag has been set, unless overridden by a
See the description of
below as well as the
.Sx Preventing shell escapes
section at the end of this manual.
will tell the user when a command could not be
environment variable.
Some sites may wish to disable this as it could be used to gather
information on the location of executables that the normal user does
The disadvantage is that if the executable is simply not in the user's
will tell the user that they are not allowed to run it, which can be confusing.
.It passprompt_override
The password prompt specified by
will normally only be used if the password prompt provided by systems
such as PAM matches the string
.Em passprompt_override
will always be used.
will initialize the group vector to the list of groups the target user is in.
is set, the user's existing group vector is left unaltered.
The real and effective group IDs, however, are still set to match the
reads the password like most other Unix programs,
by turning off echo until the user hits the return (or enter) key.
Some users become confused by this as it appears to them that
has hung at this point.
will provide visual feedback when the user presses a key.
Note that this does have a security impact as an onlooker may be able to
determine the length of the password being entered.
will only run when the user is logged in to a real tty.
When this flag is set,
can only be run from a login session and not via other means such as
.Xr cron @mansectsu@
If set, root is allowed to run
Disabling this prevents users from
1955 commands to get a root shell by doing something like
1956 .Dq Li sudo sudo /bin/sh .
1957 Note, however, that turning off
1959 will also prevent root from running
1963 provides no real additional security; it exists purely for historical reasons.
1970 will prompt for the root password instead of the password of the invoking user.
1977 will prompt for the password of the user defined by the
1980 .Li @runas_default@ )
1981 instead of the password of the invoking user.
1992 environment variable will be set to the home directory of the target
1993 user (which is root unless the
1996 This effectively makes the
2002 is already set when the
2004 option is enabled, so
2006 is only effective for configurations where either
2025 environment variables to the name of the target user (usually root unless the
2028 However, since some programs (including the RCS revision control system) use
2030 to determine the real identity of the user, it may be desirable to
2031 change this behavior.
2032 This can be done by negating the set_logname option.
2035 option has not been disabled, entries in the
2037 list will override the value of
2045 will create an entry in the utmp (or utmpx) file when a pseudo-tty
2047 A pseudo-tty is allocated by
2055 By default, the new entry will be a copy of the user's existing utmp
2056 entry (if any), with the tty, time, type and pid fields updated.
2061 Allow the user to disable the
2063 option from the command line via the
2066 Additionally, environment variables set via the command line are
2067 not subject to the restrictions imposed by
2072 As such, only trusted users should be allowed to set variables in this manner.
2079 is invoked with no arguments it acts as if the
2081 option had been given.
2082 That is, it runs a shell as root (the shell is determined by the
2084 environment variable if it is set, falling back on the shell listed
2085 in the invoking user's /etc/passwd entry if not).
2092 executes a command the real and effective UIDs are set to the target
2093 user (root by default).
2094 This option changes that behavior such that the real UID is left
2095 as the invoking user's UID.
2096 In other words, this makes
2098 act as a setuid wrapper.
2099 This can be useful on systems that disable some potentially
2100 dangerous functionality when a program is run setuid.
2101 This option is only effective on systems that support either the
2112 will prompt for the password of the user specified
2117 instead of the password of the invoking user.
2118 In addition, the time stamp file name will include the target user's name.
2119 Note that this flag precludes the use of a uid not listed in the passwd
2120 database as an argument to the
2127 If set, users must authenticate on a per-tty basis.
2128 With this flag enabled,
2130 will use a file named for the tty the user is
2131 logged in on in the user's time stamp directory.
2132 If disabled, the time stamp of the directory is used instead.
2139 will set the umask as specified by
2141 without modification.
2142 This makes it possible to specify a more permissive umask in
2144 than the user's own umask and matches historical behavior.
2149 will set the umask to be the union of the user's umask and what is specified in
2152 .Em @umask_override@
2157 will apply the defaults specified for the target user's login class
2161 is configured with the
2170 will run the command in a pseudo-pty even if no I/O logging is being done.
2171 A malicious program run under
2173 could conceivably fork a background process that retains access to the user's
2174 terminal device after the main program has finished executing.
2175 Use of this option will make that impossible.
2182 will store the name of the runas user when updating the utmp (or utmpx) file.
2185 stores the name of the invoking user.
2192 will refuse to run if the user must enter a password but it is not
2193 possible to disable echo on the terminal.
2198 will prompt for a password even when it would be visible on the screen.
2199 This makes it possible to run things like
2200 .Dq Li ssh somehost sudo ls
2204 not allocate a tty when running a command.
2213 Before it executes a command,
2215 will close all open file descriptors other than standard input,
2216 standard output and standard error (i.e., file descriptors 0-2).
2219 option can be used to specify a different file descriptor at which
2224 The number of tries a user gets to enter his/her password before
2226 logs the failure and exits.
2228 .Li @passwd_tries@ .
2231 .Sy Integers that can be used in a boolean context :
2234 Number of characters per line for the file log.
2235 This value is used to decide when to wrap lines for nicer log files.
2236 This has no effect on the syslog log file, only the file log.
2239 (use 0 or negate the option to disable word wrap).
2241 Number of minutes before the
2243 password prompt times out, or
2246 The timeout may include a fractional component
2247 if minute granularity is insufficient, for example
2251 .Li @password_timeout@ .
2252 .It timestamp_timeout
2253 Number of minutes that can elapse before
2255 will ask for a password again.
2256 The timeout may include a fractional component if
2257 minute granularity is insufficient, for example
2263 to always prompt for a password.
2264 If set to a value less than
2266 the user's time stamp will never expire.
2267 This can be used to allow users to create or delete their own time stamps via
2273 Umask to use when running the command.
2274 Negate this option or set it to 0777 to preserve the user's umask.
2275 The actual umask that is used will be the union of the user's umask
2276 and the value of the
2278 option, which defaults to
2283 never lowers the umask when running a command.
2284 Note: on systems that use PAM, the default PAM configuration may specify
2285 its own umask which will override the value set in
2292 Message that is displayed if a user enters an incorrect password.
2294 .Li @badpass_message@
2295 unless insults are enabled.
2299 separated list of editors allowed to be used with
2302 will choose the editor that matches the user's
2304 environment variable if possible, or the first editor in the
2305 list that exists and is executable.
2309 The top-level directory to use when constructing the path name for
2310 the input/output log directory.
2315 options are enabled or when the
2319 tags are present for a command.
2320 The session sequence number, if any, is stored in the directory.
2324 The following percent
2326 escape sequences are supported:
2329 expanded to a monotonically increasing base-36 sequence number, such as 0100A5,
2330 where every two digits are used to form a new directory, e.g.\&
2333 expanded to the invoking user's login name
2335 expanded to the name of the invoking user's real group ID
2336 .It Li %{runas_user}
2337 expanded to the login name of the user the command will
2338 be run as (e.g.\& root)
2339 .It Li %{runas_group}
2340 expanded to the group name of the user the command will
2341 be run as (e.g.\& wheel)
2343 expanded to the local host name without the domain name
2345 expanded to the base name of the command being run
2348 In addition, any escape sequences supported by the system's
2350 function will be expanded.
2352 To include a literal
2354 character, the string
2358 The path name, relative to
2360 in which to store input/output logs when the
2364 options are enabled or when the
2368 tags are present for a command.
2371 may contain directory components.
2377 option above for a list of supported percent
2381 In addition to the escape sequences, path names that end in six or
2386 replaced with a unique combination of digits and letters, similar to the
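As an added example (not sudo's own code), the following Python reimplements the iolog_dir and iolog_file expansion documented above: the %{...} escapes, %% and strftime(3) escapes, the base-36 session sequence number split into two-digit directories, and the trailing-Xs replacement for iolog_file. The host, user, command and template values are constructed for the demonstration.

```python
"""Expand iolog_dir / iolog_file templates as sudoers(5) documents them.
Added example; this is not sudo's implementation."""
import os
import re
import secrets
import string
from datetime import datetime

BASE36 = string.digits + string.ascii_uppercase     # 0-9A-Z
TOKEN_RE = re.compile(r"%%|%\{(\w+)\}")             # "%%" or "%{name}"
SAMPLE_NOW = datetime(2012, 4, 17, 9, 30, 0)        # fixed time for the demo


def seq_to_path(seq):
    """Six base-36 digits (e.g. 0100A5) split two per directory: 01/00/A5."""
    if not 0 <= seq < 36 ** 6:
        raise ValueError("sequence number out of range: %d" % seq)
    digits = ""
    for _ in range(6):
        digits = BASE36[seq % 36] + digits
        seq //= 36
    return "/".join(digits[i:i + 2] for i in range(0, 6, 2))


def build_escapes(user, group, runas_user, runas_group, hostname, command, seq):
    """Values for the %{...} escape names listed for iolog_dir/iolog_file."""
    return {
        "seq": seq_to_path(seq),
        "user": user,
        "group": group,
        "runas_user": runas_user,
        "runas_group": runas_group,
        "hostname": hostname.split(".", 1)[0],   # local name, no domain part
        "command": os.path.basename(command),    # base name of the command
    }


def expand(template, escapes, now):
    """Replace %{name} and %% escapes; any other % sequence is left to
    strftime(3), which is applied to the plain text between escapes."""
    out, pos = [], 0
    for m in TOKEN_RE.finditer(template):
        out.append(now.strftime(template[pos:m.start()]))
        if m.group(0) == "%%":
            out.append("%")
        elif m.group(1) in escapes:
            out.append(escapes[m.group(1)])
        else:
            raise ValueError("unknown escape %s" % m.group(0))
        pos = m.end()
    out.append(now.strftime(template[pos:]))
    return "".join(out)


def fill_xs(name, rand=None):
    """Replace a trailing run of six or more Xs with random characters,
    in the spirit of mktemp(3).  `rand` is injectable for testing."""
    m = re.search(r"X{6,}$", name)
    if not m:
        return name
    if rand is None:
        alphabet = string.ascii_letters + string.digits
        rand = lambda k: "".join(secrets.choice(alphabet) for _ in range(k))
    return name[:m.start()] + rand(len(m.group(0)))


def iolog_session_path(iolog_dir, iolog_file, escapes, now=None, rand=None):
    """Path of one session's I/O log: expanded iolog_dir joined with the
    expanded iolog_file (trailing Xs filled in)."""
    now = now or datetime.now()
    directory = expand(iolog_dir, escapes, now)
    filename = fill_xs(expand(iolog_file, escapes, now), rand)
    return os.path.join(directory, filename)


if __name__ == "__main__":
    ctx = build_escapes("alice", "staff", "root", "wheel",
                        "buildhost.example.com", "/usr/bin/vi", 1679981)
    print(iolog_session_path("/var/log/sudo-io", "%{seq}", ctx, SAMPLE_NOW))
    print(iolog_session_path("/var/log/sudo-io/%Y/%m/%{hostname}",
                             "%{user}-XXXXXX", ctx, SAMPLE_NOW))
```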
2390 The default Solaris limit privileges to use when constructing a new
2391 privilege set for a command.
2392 This bounds all privileges of the executing process.
2393 The default limit privileges may be overridden on a per-command basis in
2395 This option is only available if
2397 is built on Solaris 10 or higher.
2399 Subject of the mail sent to the
2404 will expand to the host name of the machine.
2408 This option is no longer supported.
2409 The path to the noexec file should now be set in the
2410 .Pa @sysconfdir@/sudo.conf
2413 The default prompt to use when asking for a password; can be overridden via the
2417 environment variable.
2418 The following percent
2420 escape sequences are supported:
2423 expanded to the local host name including the domain name
2424 (only if the machine's host name is fully qualified or the
2428 expanded to the local host name without the domain name
2430 expanded to the user whose password is being asked for (respects the
2438 expanded to the login name of the user the command will
2439 be run as (defaults to root)
2441 expanded to the invoking user's login name
2445 characters are collapsed into a single
2450 The default value is
2451 .Dq Li @passprompt@ .
2453 The default Solaris privileges to use when constructing a new
2454 privilege set for a command.
2455 This is passed to the executing process via the inherited privilege set,
2456 but is bounded by the limit privileges.
2459 option is specified but the
2461 option is not, the limit privileges of the executing process are set to
2463 The default privileges may be overridden on a per-command basis in
2465 This option is only available if
2467 is built on Solaris 10 or higher.
2469 The default SELinux role to use when constructing a new security
2470 context to run the command.
2471 The default role may be overridden on a per-command basis in
2473 or via command line options.
2474 This option is only available when
2476 is built with SELinux support.
2478 The default user to run commands as if the
2480 option is not specified on the command line.
2482 .Li @runas_default@ .
2484 Syslog priority to use when user authenticates unsuccessfully.
2488 The following syslog priorities are supported:
2499 Syslog priority to use when user authenticates successfully.
2505 for the list of supported syslog priorities.
2507 Locale to use when parsing the sudoers file, logging commands, and
2509 Note that changing the locale may affect how sudoers is interpreted.
2513 The directory in which
2515 stores its time stamp files.
2519 The owner of the time stamp directory and the time stamps stored therein.
2523 The default SELinux type to use when constructing a new security
2524 context to run the command.
2525 The default type may be overridden on a per-command basis in
2527 or via command line options.
2528 This option is only available when
2530 is built with SELinux support.
2533 .Sy Strings that can be used in a boolean context :
2538 option specifies the fully qualified path to a file containing variables
2539 to be set in the environment of the program being run.
2540 Entries in this file should either be of the form
2541 .Dq Li VARIABLE=value
2543 .Dq Li export VARIABLE=value .
2544 The value may optionally be surrounded by single or double quotes.
2545 Variables in this file are subject to other
2547 environment settings such as
2552 Users in this group are exempt from password and PATH requirements.
2553 The group name specified should not include a
2556 This is not set by default.
2558 A string containing a
2560 group plugin with optional arguments.
2561 This can be used to implement support for the
2563 syntax described earlier.
2564 The string should consist of the plugin
2565 path, either fully-qualified or relative to the
2566 .Pa @prefix@/libexec
2567 directory, followed by any configuration arguments the plugin requires.
2568 These arguments (if any) will be passed to the plugin's initialization function.
2569 If arguments are present, the string must be enclosed in double quotes
2573 .Pa /etc/sudo-group ,
2574 a group file in Unix group format, the sample group plugin can be used:
2576 Defaults group_plugin="sample_group.so /etc/sudo-group"
2579 For more information see
2580 .Xr sudo_plugin @mansectform@ .
2582 This option controls when a short lecture will be printed along with
2583 the password prompt.
2584 It has the following possible values:
2587 Always lecture the user.
2589 Never lecture the user.
2591 Only lecture the user the first time they run
2595 If no value is specified, a value of
2598 Negating the option results in a value of
2601 The default value is
2604 Path to a file containing an alternate
2606 lecture that will be used in place of the standard lecture if the named
2610 uses a built-in lecture.
2612 This option controls when a password will be required when a user runs
2617 It has the following possible values:
2622 entries for the current host must have
2625 flag set to avoid entering a password.
2627 The user must always enter a password to use the
2631 At least one of the user's
2633 entries for the current host
2636 flag set to avoid entering a password.
2638 The user need never enter a password to use the
2643 If no value is specified, a value of
2646 Negating the option results in a value of
2649 The default value is
2654 log file (not the syslog log file).
2655 Setting a path turns on logging to a file;
2656 negating this option turns it off.
2661 Flags to use when invoking the mailer. Defaults to
2664 Path to mail program used to send warning mail.
2665 Defaults to the path to sendmail found at configure time.
2667 Address to use for the
2669 address when sending warning and error mail.
2670 The address should be enclosed in double quotes
2677 Defaults to the name of the user running
2680 Address to send warning and error mail to.
2681 The address should be enclosed in double quotes
2691 Path used for every command run from
2693 If you don't trust the
2698 environment variable you may want to use this.
2699 Another use is if you want to have the
2701 be separate from the
2703 Users in the group specified by the
2705 option are not affected by
2707 This option is @secure_path@ by default.
2709 Syslog facility if syslog is being used for logging (negate to
2710 disable syslog logging).
2714 The following syslog facilities are supported:
2731 This option controls when a password will be required when a user runs
2736 It has the following possible values:
2741 entries for the current host must have the
2743 flag set to avoid entering a password.
2745 The user must always enter a password to use the
2749 At least one of the user's
2751 entries for the current host must have the
2753 flag set to avoid entering a password.
2755 The user need never enter a password to use the
2760 If no value is specified, a value of
2763 Negating the option results in a value of
2766 The default value is
2770 .Sy Lists that can be used in a boolean context :
2773 Environment variables to be removed from the user's environment if
2774 the variable's value contains
2779 This can be used to guard against printf-style format vulnerabilities
2780 in poorly-written programs.
2781 The argument may be a double-quoted, space-separated list or a
2782 single value without double-quotes.
2783 The list can be replaced, added to, deleted from, or disabled by using
2790 operators respectively.
2791 Regardless of whether the
2793 option is enabled or disabled, variables specified by
2795 will be preserved in the environment if they pass the aforementioned check.
2796 The default list of environment variables to check is displayed when
2803 Environment variables to be removed from the user's environment when the
2805 option is not in effect.
2806 The argument may be a double-quoted, space-separated list or a
2807 single value without double-quotes.
2808 The list can be replaced, added to, deleted from, or disabled by using the
2814 operators respectively.
2815 The default list of environment variables to remove is displayed when
2817 is run by root with the
2820 Note that many operating systems will remove potentially dangerous
2821 variables from the environment of any setuid process (such as
2824 Environment variables to be preserved in the user's environment when the
2826 option is in effect.
2827 This allows fine-grained control over the environment
2828 .Nm sudo Ns No -spawned
2829 processes will receive.
2830 The argument may be a double-quoted, space-separated list or a
2831 single value without double-quotes.
2832 The list can be replaced, added to, deleted from, or disabled by using the
2838 operators respectively.
2839 The default list of variables to keep
2842 is run by root with the
2848 can log events using either
2850 or a simple log file.
2851 In each case the log format is almost identical.
2852 .Ss Accepted command log entries
2853 Commands that sudo runs are logged using the following format (split
2854 into multiple lines for readability):
2855 .Bd -literal -offset 4n
2856 date hostname progname: username : TTY=ttyname ; PWD=cwd ; \e
2857 USER=runasuser ; GROUP=runasgroup ; TSID=logid ; \e
2858 ENV=env_vars COMMAND=command
2861 Where the fields are as follows:
2864 The date the command was run.
2865 Typically, this is in the format
2866 .Dq MMM, DD, HH:MM:SS .
2869 the actual date format is controlled by the syslog daemon.
2870 If logging to a file and the
2873 the date will also include the year.
2875 The name of the host
2878 This field is only present when logging via
2881 The name of the program, usually
2885 This field is only present when logging via
2888 The login name of the user who ran
2891 The short name of the terminal (e.g.\&
2899 if there was no terminal present.
2901 The current working directory that
2905 The user the command was run as.
2907 The group the command was run as if one was specified on the command line.
2909 An I/O log identifier that can be used to replay the command's output.
2910 This is only present when the
2916 A list of environment variables specified on the command line,
2919 The actual command that was executed.
2922 Messages are logged using the locale specified by
2923 .Em sudoers_locale ,
2924 which defaults to the
2927 .Ss Denied command log entries
2928 If the user is not allowed to run the command, the reason for the denial
2929 will follow the user name.
2930 Possible reasons include:
2932 .It user NOT in sudoers
2933 The user is not listed in the
2936 .It user NOT authorized on host
2937 The user is listed in the
2939 file but is not allowed to run commands on the host.
2940 .It command not allowed
2941 The user is listed in the
2943 file for the host but they are not allowed to run the specified command.
2944 .It 3 incorrect password attempts
2945 The user failed to enter their password after 3 tries.
2946 The actual number of tries will vary based on the number of
2947 failed attempts and the value of the
2950 .It a password is required
2953 option was specified but a password was required.
2954 .It sorry, you are not allowed to set the following environment variables
2955 The user specified environment variables on the command line that
2959 .Ss Error log entries
2962 will log a message and, in most cases, send a message to the
2963 administrator via email.
2964 Possible errors include:
2966 .It parse error in @sysconfdir@/sudoers near line N
2968 encountered an error when parsing the specified file.
2969 In some cases, the actual error may be one line above or below the
2970 line number listed, depending on the type of error.
2971 .It problem with defaults entries
2974 file contains one or more unknown Defaults settings.
2975 This does not prevent
2977 from running, but the
2979 file should be checked using
2981 .It timestamp owner (username): \&No such user
2982 The time stamp directory owner, as specified by the
2984 setting, could not be found in the password database.
2985 .It unable to open/read @sysconfdir@/sudoers
2988 file could not be opened for reading.
2989 This can happen when the
2991 file is located on a remote file system that maps user ID 0 to
2997 using group permissions to avoid this problem.
2998 Consider changing the ownership of
2999 .Pa @sysconfdir@/sudoers
3000 by adding an option like
3004 is the user ID that owns the
3009 .Pa @sysconfdir@/sudo.conf
3011 .It unable to stat @sysconfdir@/sudoers
3013 .Pa @sysconfdir@/sudoers
3015 .It @sysconfdir@/sudoers is not a regular file
3017 .Pa @sysconfdir@/sudoers
3018 file exists but is not a regular file or symbolic link.
3019 .It @sysconfdir@/sudoers is owned by uid N, should be 0
3022 file has the wrong owner.
3023 If you wish to change the
3025 file owner, please add
3029 is the user ID that owns the
3034 .Pa @sysconfdir@/sudo.conf
3036 .It @sysconfdir@/sudoers is world writable
3037 The permissions on the
3039 file allow all users to write to it.
3042 file must not be world-writable, the default file mode
3043 is 0440 (readable by owner and group, writable by none).
3044 The default mode may be changed via the
3049 .Pa @sysconfdir@/sudo.conf
3051 .It @sysconfdir@/sudoers is owned by gid N, should be 1
3054 file has the wrong group ownership.
3055 If you wish to change the
3057 file group ownership, please add
3061 is the group ID that owns the
3066 .Pa @sysconfdir@/sudo.conf
3068 .It unable to open @timedir@/username/ttyname
3070 was unable to read or create the user's time stamp file.
3071 .It unable to write to @timedir@/username/ttyname
3073 was unable to write to the user's time stamp file.
3074 .It unable to mkdir to @timedir@/username
3076 was unable to create the user's time stamp directory.
3078 .Ss Notes on logging via syslog
3088 fields are added by the syslog daemon, not
3091 As such, they may vary in format on different systems.
3095 has a relatively small log buffer.
3096 To prevent the command line arguments from being truncated,
3098 will split up log messages that are larger than 960 characters
3099 (not including the date, hostname, and the string
3101 When a message is split, additional parts will include the string
3102 .Dq Pq command continued
3103 after the user name and before the continued command line arguments.
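As an added example (not part of sudo or this manual), the following Python parser reads syslog lines in the accepted and denied formats described above, separates a denial reason from the fields, and reattaches the (command continued) parts described in this section. The log lines are constructed samples, and the continuation line is far shorter than the real 960-character split point; matching a continuation to the preceding entry by host and user name is an assumption of this example.

```python
"""Parse sudoers(5)-style syslog entries: accepted commands, denials and
split "(command continued)" messages.  Added example with constructed data."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample lines in the documented format; not real log data.
SAMPLE_LOG = """\
Mar  3 09:12:44 buildhost sudo:   alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/systemctl restart nginx
Mar  3 09:13:01 buildhost sudo:     bob : user NOT in sudoers ; TTY=pts/1 ; PWD=/home/bob ; USER=root ; COMMAND=/bin/cat /var/log/auth.log
Mar  3 09:14:10 buildhost sudo:   alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; TSID=000A5B ; ENV=EDITOR=/usr/bin/vim COMMAND=/usr/bin/env
Mar  3 09:15:22 buildhost sudo:   carol : 3 incorrect password attempts ; TTY=pts/2 ; PWD=/home/carol ; USER=root ; COMMAND=/bin/sh
Mar  3 09:16:00 buildhost sudo:   alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/find /var/tmp -name core
Mar  3 09:16:00 buildhost sudo:   alice : (command continued) -exec rm {} ;
"""

# "date hostname progname: username : rest"; date and hostname come from syslogd.
HEADER_RE = re.compile(
    r"^(?P<date>\w{3} [ \d]\d \d\d:\d\d:\d\d) (?P<host>\S+) (?P<prog>[^:\s]+):\s+"
    r"(?P<user>\S+) : (?P<rest>.*)$")
CONTINUED = "(command continued) "


@dataclass
class SudoEntry:
    date: str
    host: str
    user: str
    command: str
    reason: Optional[str] = None                          # set only when denied
    fields: Dict[str, str] = field(default_factory=dict)  # TTY, PWD, USER, GROUP, TSID
    env: List[str] = field(default_factory=list)          # variables from ENV=


def parse_entry(date, host, user, rest):
    # Split at COMMAND= first so a command that itself contains " ; "
    # (e.g. find ... -exec rm {} ;) is not cut into pieces.
    head, marker, command = rest.partition("COMMAND=")
    if not marker:
        raise ValueError("no COMMAND= field: %r" % rest)
    entry = SudoEntry(date=date, host=host, user=user, command=command)
    head = head.rstrip()
    if head.endswith(";"):          # trailing " ; " before COMMAND=
        head = head[:-1].rstrip()
    for i, part in enumerate(head.split(" ; ")):
        # A denial reason directly follows the user name; it is the only
        # part whose first word carries no "=".
        if i == 0 and "=" not in part.split(" ", 1)[0]:
            entry.reason = part
            continue
        key, _, value = part.partition("=")
        if key == "ENV":
            entry.env = value.split()   # space-separated VAR=value items
        else:
            entry.fields[key] = value
    return entry


def parse_log(text):
    entries = []
    last_by_user = {}   # (host, user) -> most recent entry, for continuations
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if not m:
            continue            # not a sudo entry; skip
        key = (m.group("host"), m.group("user"))
        rest = m.group("rest")
        if rest.startswith(CONTINUED):
            prev = last_by_user.get(key)
            if prev is None:
                raise ValueError("continuation without an entry: %r" % line)
            prev.command += " " + rest[len(CONTINUED):]
            continue
        entry = parse_entry(m.group("date"), m.group("host"), m.group("user"), rest)
        entries.append(entry)
        last_by_user[key] = entry
    return entries


def denied(entries):
    """Entries carrying a denial reason, i.e. commands the policy refused."""
    return [e for e in entries if e.reason is not None]


if __name__ == "__main__":
    for e in parse_log(SAMPLE_LOG):
        status = "DENIED (%s)" % e.reason if e.reason else "ok"
        print(e.date, e.user, status, e.fields.get("TSID", "-"), e.command)
```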
3104 .Ss Notes on logging to a file
3109 will log to a local file, such as
3111 When logging to a file,
3113 uses a format similar to
3115 with a few important differences:
3122 fields are not present.
3127 the date will also include the year.
3129 Lines that are longer than
3131 characters (80 by default) are word-wrapped and continued on the
3132 next line with a four character indent.
3133 This makes entries easier to read for a human being, but makes it
3134 more difficult to use
3139 option is set to 0 (or negated with a
3141 word wrap will be disabled.
3145 .Pa @sysconfdir@/sudo.conf
3146 file determines which plugins the
3148 front end will load.
3150 .Pa @sysconfdir@/sudo.conf
3152 is present, or it contains no
3158 security policy and I/O logging, which corresponds to the following
3159 .Pa @sysconfdir@/sudo.conf
3163 # Default @sysconfdir@/sudo.conf file
3166 # Plugin plugin_name plugin_path plugin_options ...
3167 # Path askpass /path/to/askpass
3168 # Path noexec /path/to/sudo_noexec.so
3169 # Debug sudo /var/log/sudo_debug all@warn
3170 # Set disable_coredump true
3172 # The plugin_path is relative to @prefix@/libexec unless
3174 # The plugin_name corresponds to a global symbol in the plugin
3175 # that contains the plugin interface structure.
3176 # The plugin_options are optional.
3178 Plugin policy_plugin sudoers.so
3179 Plugin io_plugin sudoers.so
3184 1.8.5, it is possible to pass options to the
3187 Options may be listed after the path to the plugin (i.e.\& after
3189 multiple options should be space-separated.
3192 Plugin sudoers_policy sudoers.so sudoers_file=/etc/sudoers sudoers_uid=0 sudoers_gid=0 sudoers_mode=0440
3195 The following plugin options are supported:
3197 .It sudoers_file=pathname
3200 option can be used to override the default path
3207 option can be used to override the default owner of the sudoers file.
3208 It should be specified as a numeric user ID.
3212 option can be used to override the default group of the sudoers file.
3213 It should be specified as a numeric group ID.
3214 .It sudoers_mode=mode
3217 option can be used to override the default file mode for the sudoers file.
3218 It should be specified as an octal value.
3221 Versions 1.8.4 and higher of the
3223 plugin support a debugging framework that can help track down what the
3224 plugin is doing internally if there is a problem.
3225 This can be configured in the
3226 .Pa @sysconfdir@/sudo.conf
3227 file as described in
3228 .Xr sudo @mansectsu@ .
3232 plugin uses the same debug flag format as the
3235 .Em subsystem Ns No @ Ns Em priority .
3237 The priorities used by
3239 in order of decreasing severity,
3250 Each priority, when specified, also includes all priorities higher than it.
3251 For example, a priority of
3253 would include debug messages logged at
3257 The following subsystems are used by
3268 matches every subsystem
3270 BSM and Linux audit code
3278 environment handling
3284 matching of users, groups, hosts and netgroups in
3287 network interface handling
3289 network service switch handling in
3301 pseudo-tty related code
3303 redblack tree internals
3309 .It Pa @sysconfdir@/sudo.conf
3310 Sudo front end configuration
3311 .It Pa @sysconfdir@/sudoers
3312 List of who can run what
3315 .It Pa /etc/netgroup
3316 List of network groups
3320 Directory containing time stamps for the
3323 .It Pa /etc/environment
3324 Initial environment for
3326 mode on AIX and Linux systems
3332 Admittedly, some of these are a bit contrived.
3333 First, we allow a few environment variables to pass and then define our
3336 # Run X applications through sudo; HOME is used to find the
3337 # .Xauthority file. Note that other programs use HOME to find
3338 # configuration files and this may lead to privilege escalation!
3339 Defaults env_keep += "DISPLAY HOME"
3341 # User alias specification
3342 User_Alias FULLTIMERS = millert, mikef, dowdy
3343 User_Alias PARTTIMERS = bostley, jwfox, crawl
3344 User_Alias WEBMASTERS = will, wendy, wim
3346 # Runas alias specification
3347 Runas_Alias OP = root, operator
3348 Runas_Alias DB = oracle, sybase
3349 Runas_Alias ADMINGRP = adm, oper
3351 # Host alias specification
3352 Host_Alias SPARC = bigtime, eclipse, moet, anchor :\e
3353 SGI = grolsch, dandelion, black :\e
3354 ALPHA = widget, thalamus, foobar :\e
3355 HPPA = boa, nag, python
3356 Host_Alias CUNETS = 128.138.0.0/255.255.0.0
3357 Host_Alias CSNETS = 128.138.243.0, 128.138.204.0/24, 128.138.242.0
3358 Host_Alias SERVERS = master, mail, www, ns
3359 Host_Alias CDROM = orion, perseus, hercules
3361 # Cmnd alias specification
3362 Cmnd_Alias DUMPS = /usr/bin/mt, /usr/sbin/dump, /usr/sbin/rdump,\e
3363 /usr/sbin/restore, /usr/sbin/rrestore
3364 Cmnd_Alias KILL = /usr/bin/kill
3365 Cmnd_Alias PRINTING = /usr/sbin/lpc, /usr/bin/lprm
3366 Cmnd_Alias SHUTDOWN = /usr/sbin/shutdown
3367 Cmnd_Alias HALT = /usr/sbin/halt
3368 Cmnd_Alias REBOOT = /usr/sbin/reboot
3369 Cmnd_Alias SHELLS = /usr/bin/sh, /usr/bin/csh, /usr/bin/ksh,\e
3370 /usr/local/bin/tcsh, /usr/bin/rsh,\e
3372 Cmnd_Alias SU = /usr/bin/su
3373 Cmnd_Alias PAGERS = /usr/bin/more, /usr/bin/pg, /usr/bin/less
3376 Here we override some of the compiled in default values.
3383 facility in all cases.
3384 We don't want to subject the full time staff to the
3388 need not give a password, and we don't want to reset the
3393 environment variables when running commands as root.
3394 Additionally, on the machines in the
3397 we keep an additional local log file and make sure we log the year
3398 in each log line since the log entries will be kept around for several years.
3399 Lastly, we disable shell escapes for the commands in the PAGERS
3408 # Override built-in defaults
3409 Defaults syslog=auth
3410 Defaults>root !set_logname
3411 Defaults:FULLTIMERS !lecture
3412 Defaults:millert !authenticate
3413 Defaults@SERVERS log_year, logfile=/var/log/sudo.log
3414 Defaults!PAGERS noexec
3418 .Em User specification
3419 is the part that actually determines who may run what.
3421 root ALL = (ALL) ALL
3422 %wheel ALL = (ALL) ALL
and any user in group
run any command on any host as any user.
FULLTIMERS ALL = NOPASSWD: ALL
may run any command on any host without authenticating themselves.
PARTTIMERS ALL = ALL
may run any command on any host but they must authenticate themselves
first (since the entry lacks the
may run any command on the machines in the
.Li 128.138.242.0 ) .
Of those networks, only
has an explicit netmask (in CIDR notation) indicating it is a class C network.
For the other networks in
the local machine's netmask will be used during matching.
may run any command on any host in the
alias (the class B network
operator ALL = DUMPS, KILL, SHUTDOWN, HALT, REBOOT, PRINTING,\e
sudoedit /etc/printcap, /usr/oper/bin/
user may run commands limited to simple maintenance.
Here, those are commands related to backups, killing processes, the
printing system, shutting down the system, and any commands in the
.Pa /usr/oper/bin/ .
joe ALL = /usr/bin/su operator
pete HPPA = /usr/bin/passwd [A-Za-z]*, !/usr/bin/passwd root
%opers ALL = (: ADMINGRP) /usr/sbin/
group may run commands in
with any group in the
is allowed to change anyone's password except for
Note that this assumes
does not take multiple user names on the command line.
bob SPARC = (OP) ALL : SGI = (OP) ALL
may run anything on the
machines as any user listed in the
may run any command on machines in the
is a netgroup due to the
+secretaries ALL = PRINTING, /usr/bin/adduser, /usr/bin/rmuser
netgroup need to help manage the printers as well as add and remove users,
so they are allowed to run those commands on all machines.
fred ALL = (DB) NOPASSWD: ALL
can run commands as any user in the
without giving a password.
john ALPHA = /usr/bin/su [!-]*, !/usr/bin/su *root*
may su to anyone except root but he is not allowed to specify any options
jen ALL, !SERVERS = ALL
may run any command on any machine except for those in the
(master, mail, www and ns).
jill SERVERS = /usr/bin/, !SU, !SHELLS
For any machine in the
any commands in the directory
except for those commands
steve CSNETS = (operator) /usr/local/op_commands/
may run any command in the directory /usr/local/op_commands/
but only as user operator.
matt valkyrie = KILL
On his personal workstation, valkyrie,
needs to be able to kill hung processes.
WEBMASTERS www = (www) ALL, (root) /usr/bin/su www
On the host www, any user in the
(will, wendy, and wim), may run any command as user www (which owns the
web pages) or simply
ALL CDROM = NOPASSWD: /sbin/umount /CDROM,\e
/sbin/mount -o nosuid\,nodev /dev/cd0a /CDROM
Any user may mount or unmount a CD-ROM on the machines in the CDROM
(orion, perseus, hercules) without entering a password.
This is a bit tedious for users to type, so it is a prime candidate
for encapsulating in a shell script.
.Ss Limitations of the So !\& Sc operator
It is generally not effective to
A user can trivially circumvent this by copying the desired command
to a different name and then executing that.
bill ALL = ALL, !SU, !SHELLS
Doesn't really prevent
from running the commands listed in
since he can simply copy those commands to a different name, or use
a shell escape from an editor or other program.
Therefore, these kinds of restrictions should be considered
advisory at best (and reinforced by policy).
In general, if a user has sudo
there is nothing to prevent them from creating their own program that gives
them a root shell (or making their own copy of a shell) regardless of any
elements in the user specification.
.Ss Security implications of Em fast_glob
option is in use, it is not possible to reliably negate commands where the
path name includes globbing (aka wildcard) characters.
This is because the C library's
function cannot resolve relative paths.
While this is typically only an inconvenience for rules that grant privileges,
it can result in a security issue for rules that subtract or revoke privileges.
For example, given the following
john ALL = /usr/bin/passwd [a-zA-Z0-9]*, /usr/bin/chsh [a-zA-Z0-9]*,\e
/usr/bin/chfn [a-zA-Z0-9]*, !/usr/bin/* root
.Li /usr/bin/passwd root
is enabled by changing to
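.Pp
The two failure modes above, the renamed copy that slips past a negated entry and the relative path that slips past a negated wildcard entry under fast_glob, come from how a rule's path is compared with the command the user typed. The following is an added example, not code from this manual page or from sudo itself: a small model of that comparison in which plain paths are compared by device and inode, wildcard paths are matched either with fnmatch(3) (fast_glob) or with glob(3) expansion (the default), and the last matching entry wins. The scratch tree under /tmp, the fake passwd script, its renamed copy and the reduced rule sets for john and bill are constructed here for the demonstration and stand in for the real files.

```c
/* Added example, not sudo's own matcher: models how a sudoers entry is
 * matched against the command a user typed. The scratch tree under /tmp
 * and the rules built from it are constructed for the demonstration. */
#include <fcntl.h>
#include <fnmatch.h>
#include <glob.h>
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

struct rule {
    const char *path;   /* "ALL", a file, or a pattern such as "/usr/bin/*" */
    const char *args;   /* fnmatch pattern for the arguments, NULL = any */
    bool negated;       /* a leading "!" in sudoers */
};

/* Plain paths are compared by device and inode, so "./passwd" run from
 * /usr/bin is the same command as "/usr/bin/passwd"; a copy is not. */
static bool same_file(const char *a, const char *b)
{
    struct stat sa, sb;
    if (stat(a, &sa) != 0 || stat(b, &sb) != 0)
        return false;
    return sa.st_dev == sb.st_dev && sa.st_ino == sb.st_ino;
}

static bool path_matches(const char *rule_path, const char *cmnd, bool fast_glob)
{
    glob_t gl;
    bool found = false;

    if (strcmp(rule_path, "ALL") == 0)
        return true;
    if (strpbrk(rule_path, "*?[") == NULL)
        return same_file(rule_path, cmnd);
    if (fast_glob)  /* string comparison only: "./passwd" never looks like "/usr/bin/*" */
        return fnmatch(rule_path, cmnd, FNM_PATHNAME) == 0;
    if (glob(rule_path, 0, NULL, &gl) == 0) {  /* expand, then compare real files */
        for (size_t i = 0; i < gl.gl_pathc && !found; i++)
            found = same_file(gl.gl_pathv[i], cmnd);
        globfree(&gl);
    }
    return found;
}

/* Last matching entry wins; a matching negated entry denies. */
bool allowed(const struct rule *rules, size_t n, const char *cmnd,
             const char *args, bool fast_glob)
{
    bool verdict = false;
    for (size_t i = 0; i < n; i++)
        if (path_matches(rules[i].path, cmnd, fast_glob) &&
            (rules[i].args == NULL || fnmatch(rules[i].args, args, 0) == 0))
            verdict = !rules[i].negated;
    return verdict;
}

struct demo_results {
    bool abs_root_fast, abs_root_default;  /* sudo /usr/bin/passwd root */
    bool rel_root_fast, rel_root_default;  /* cd /usr/bin; sudo ./passwd root */
    bool renamed_copy, original;           /* ALL, !/usr/bin/passwd */
};

static void make_script(const char *path)
{
    int fd = open(path, O_WRONLY | O_CREAT, 0755);
    if (fd >= 0) { ssize_t n = write(fd, "#!/bin/sh\n", 10); (void)n; close(fd); }
}

/* Builds <tmp>/usr/bin/passwd plus a copy under another name, then evaluates
 * john's passwd entry from the text and an "ALL, !passwd" entry like bill's. */
struct demo_results demo(void)
{
    struct demo_results r = {0};
    char root[] = "/tmp/sudoers-demo-XXXXXX";
    char usr[256], bindir[256], passwd[256], any[256], copy[256], cwd[1024];

    if (mkdtemp(root) == NULL || getcwd(cwd, sizeof cwd) == NULL)
        return r;
    snprintf(usr, sizeof usr, "%s/usr", root);
    snprintf(bindir, sizeof bindir, "%s/usr/bin", root);
    snprintf(passwd, sizeof passwd, "%s/passwd", bindir);
    snprintf(any, sizeof any, "%s/*", bindir);
    snprintf(copy, sizeof copy, "%s/mypasswd", root);
    mkdir(usr, 0755);
    mkdir(bindir, 0755);
    make_script(passwd);
    make_script(copy);   /* the renamed copy is a different inode */

    const struct rule john[] = {
        { passwd, "[a-zA-Z0-9]*", false },  /* /usr/bin/passwd [a-zA-Z0-9]* */
        { any,    "root",         true  },  /* !/usr/bin/* root */
    };
    const struct rule bill[] = { { "ALL", NULL, false }, { passwd, NULL, true } };

    if (chdir(bindir) == 0) {
        r.abs_root_fast    = allowed(john, 2, passwd,     "root", true);
        r.abs_root_default = allowed(john, 2, passwd,     "root", false);
        r.rel_root_fast    = allowed(john, 2, "./passwd", "root", true);
        r.rel_root_default = allowed(john, 2, "./passwd", "root", false);
        r.renamed_copy     = allowed(bill, 2, copy,       "",     false);
        r.original         = allowed(bill, 2, passwd,     "",     false);
        if (chdir(cwd) != 0) _exit(1);
    }
    unlink(passwd); unlink(copy); rmdir(bindir); rmdir(usr); rmdir(root);
    return r;
}
```

Only rel_root_fast and renamed_copy come back true: with the default matcher the relative invocation is caught because glob expansion produces the real file and the inode comparison recognises it, while under fast_glob the negated pattern is compared as a string and never sees "./passwd"; the renamed copy is permitted with either matcher, which is why the text treats negated entries as advisory.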
.Ss Preventing shell escapes
executes a program, that program is free to do whatever
it pleases, including running other programs.
This can be a security issue since it is not uncommon for a program to
allow shell escapes, which lets a user bypass
access control and logging.
Common programs that permit shell escapes include shells (obviously),
editors, paginators, mail and terminal programs.
There are two basic approaches to this problem:
Avoid giving users access to commands that allow the user to run
Many editors have a restricted mode where shell
escapes are disabled, though
is a better solution to
Due to the large number of programs that
offer shell escapes, restricting users to the set of programs that
do not is often unworkable.
Many systems that support shared libraries have the ability to
override default library functions by pointing an environment
to an alternate shared library.
functionality can be used to prevent a program run by
from executing any other programs.
Note, however, that this applies only to native dynamically-linked
Statically-linked executables and foreign executables
running under binary emulation are not affected.
feature is known to work on SunOS, Solaris, *BSD,
Linux, IRIX, Tru64 UNIX, MacOS X, HP-UX 11.x and AIX 5.3 and above.
It should be supported on most operating systems that support the
environment variable.
Check your operating system's manual pages for the dynamic linker
(usually ld.so, ld.so.1, dyld, dld.sl, rld, or loader) to see if
On Solaris 10 and higher,
uses Solaris privileges instead of the
environment variable.
for a command, use the
in the User Specification section above.
Here is that example again:
aaron shanty = NOEXEC: /usr/bin/more, /usr/bin/vi
This will prevent those two commands from
executing other commands (such as a shell).
If you are unsure whether or not your system is capable of supporting
you can always just try it out and check whether shell escapes work when
Note that restricting shell escapes is not a panacea.
Programs running as root are still capable of many potentially hazardous
operations (such as changing or overwriting files) that could lead
to unintended privilege escalation.
In the specific case of an editor, a safer approach is to give the
user permission to run
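.Pp
The library-override technique described above can be seen in a few lines of C. The following is an added example and not sudo's own noexec library: a minimal shared object that replaces the exec(3) entry points so that every attempt by the wrapped program to start another program fails with EACCES. The file name noexec_demo and the build and preload commands in the leading comment are assumptions for the sake of the illustration; the environment variable is LD_PRELOAD on Linux and the dynamic linker's manual page names the equivalent elsewhere.

```c
/* Added example, not sudo's own noexec library: a minimal preloadable
 * object that refuses every exec(3) entry point, the dynamic-linker
 * technique the text describes. Build it as a shared object and point
 * the linker's preload variable at it (file and variable names assumed):
 *     cc -shared -fPIC -o noexec_demo.so noexec_demo.c
 *     LD_PRELOAD=$PWD/noexec_demo.so vi      (":!sh" now fails)
 * As the text notes, only native dynamically linked programs are affected. */
#include <errno.h>
#include <unistd.h>

/* All interposed functions fail the same way: EACCES, the error the
 * caller would get for a file it is not permitted to execute. */
static int refuse(void)
{
    errno = EACCES;
    return -1;
}

int execve(const char *path, char *const argv[], char *const envp[])
{
    (void)path; (void)argv; (void)envp;
    return refuse();
}

int execv(const char *path, char *const argv[])
{
    (void)path; (void)argv;
    return refuse();
}

int execvp(const char *file, char *const argv[])
{
    (void)file; (void)argv;
    return refuse();
}

int execl(const char *path, const char *arg, ...)
{
    (void)path; (void)arg;
    return refuse();
}

int execlp(const char *file, const char *arg, ...)
{
    (void)file; (void)arg;
    return refuse();
}
```

Two caveats follow from the mechanism rather than from this particular code: a program that spawns a child through a libc function which does not go through these exported symbols (posix_spawn(3), for instance, or a path internal to the C library) is not intercepted, so a production wrapper must cover every entry point the platform's libc offers; and, as the text states, a statically linked program never consults the dynamic linker and is not affected at all. The editor example in the text is still the safer design where it applies.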
.Ss Time stamp file checks
will check the ownership of its time stamp directory
and ignore the directory's contents if it is not owned by root or
if it is writable by a user other than root.
On systems that allow non-root users to give away files via
if the time stamp directory is located in a world-writable
it is possible for a user to create the time stamp directory before
checks the ownership and mode of the directory and its
contents, the only damage that can be done is to
files by putting them in the time stamp dir.
This is unlikely to happen since once the time stamp dir is owned by root
and inaccessible by any other user, the user placing files there would be
unable to get them back out.
will not honor time stamps set far in the future.
Time stamps with a date greater than current_time + 2 *
will be ignored and sudo will log and complain.
This is done to keep a user from creating his/her own time stamp with a
bogus date on systems that allow users to give away files if the time
stamp directory is located in a world-writable directory.
On systems where the boot time is available,
will ignore time stamps that date from before the machine booted.
Since time stamp files live in the file system, they can outlive a
user's login session.
As a result, a user may be able to log in, run a command with
after authenticating, log out, log in again, and run
without authenticating so long as the time stamp file's modification
minutes (or whatever the timeout is set to in
option is enabled, the time stamp has per-tty granularity but still
may outlive the user's session.
On Linux systems where the devpts filesystem is used, Solaris systems
with the devices filesystem, as well as other systems that utilize a
devfs filesystem that monotonically increases the inode number of devices
as they are created (such as Mac OS X),
is able to determine when a tty-based time stamp file is stale and will
Administrators should not rely on this feature as it is not universally
.Xr sudoers.ldap @mansectform@ ,
.Xr sudo_plugin @mansectsu@ ,
.Xr sudo @mansectsu@ ,
.Xr visudo @mansectsu@
command which locks the file and does grammatical checking.
be free of syntax errors since
will not run with a syntactically incorrect
When using netgroups of machines (as opposed to users), if you
store fully qualified host names in the netgroup (as is usually the
case), you either need to have the machine's host name be fully qualified
If you feel you have found a bug in
please submit a bug report at http://www.sudo.ws/sudo/bugs/
Limited free support is available via the sudo-users mailing list,
see http://www.sudo.ws/mailman/listinfo/sudo-users to subscribe or
search the archives.
and any express or implied warranties, including, but not limited
to, the implied warranties of merchantability and fitness for a
particular purpose are disclaimed.
See the LICENSE file distributed with
or http://www.sudo.ws/sudo/license.html for complete details.