1 Copyright (c) 1994-1996, 1998-2005, 2007-2012
2 Todd C. Miller <Todd.Miller@courtesan.com>
4 Permission to use, copy, modify, and distribute this software for any
5 purpose with or without fee is hereby granted, provided that the above
6 copyright notice and this permission notice appear in all copies.
8 THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
9 WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
10 MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
11 ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
12 WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
13 ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
14 OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
15 ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
17 Sponsored in part by the Defense Advanced Research Projects
18 Agency (DARPA) and Air Force Research Laboratory, Air Force
19 Materiel Command, USAF, under agreement number F39502-99-1-0512.
25 sudoers - default sudo security policy module
29 The I<sudoers> policy module determines a user's B<sudo> privileges.
30 It is the default B<sudo> policy plugin. The policy is driven by
31 the F<@sysconfdir@/sudoers> file or, optionally in LDAP. The policy
32 format is described in detail in the L<"SUDOERS FILE FORMAT">
33 section. For information on storing I<sudoers> policy information
34 in LDAP, please see L<sudoers.ldap(5)>.
36 =head2 Authentication and Logging
38 The I<sudoers> security policy requires that most users authenticate
39 themselves before they can use B<sudo>. A password is not required
40 if the invoking user is root, if the target user is the same as the
41 invoking user, or if the policy has disabled authentication for the
42 user or command. Unlike L<su(1)>, when I<sudoers> requires
43 authentication, it validates the invoking user's credentials, not
44 the target user's (or root's) credentials. This can be changed via
45 the I<rootpw>, I<targetpw> and I<runaspw> flags, described later.
47 If a user who is not listed in the policy tries to run a command
48 via B<sudo>, mail is sent to the proper authorities. The address
49 used for such mail is configurable via the I<mailto> Defaults entry
50 (described later) and defaults to C<@mailto@>.
52 Note that mail will not be sent if an unauthorized user tries to
53 run B<sudo> with the B<-l> or B<-v> option. This allows users to
54 determine for themselves whether or not they are allowed to use
57 If B<sudo> is run by root and the C<SUDO_USER> environment variable
58 is set, the I<sudoers> policy will use this value to determine who
59 the actual user is. This can be used by a user to log commands
60 through sudo even when a root shell has been invoked. It also
61 allows the B<-e> option to remain useful even when invoked via a
62 sudo-run script or program. Note, however, that the I<sudoers>
63 lookup is still done for root, not the user specified by C<SUDO_USER>.
65 I<sudoers> uses time stamp files for credential caching. Once a
66 user has been authenticated, a time stamp is updated and the user
67 may then use sudo without a password for a short period of time
68 (C<@timeout@> minutes unless overridden by the I<timeout> option.
69 By default, I<sudoers> uses a tty-based time stamp which means that
70 there is a separate time stamp for each of a user's login sessions.
71 The I<tty_tickets> option can be disabled to force the use of a
72 single time stamp for all of a user's sessions.
74 I<sudoers> can log both successful and unsuccessful attempts (as well
75 as errors) to syslog(3), a log file, or both. By default, I<sudoers>
76 will log via syslog(3) but this is changeable via the I<syslog>
77 and I<logfile> Defaults settings.
79 I<sudoers> also supports logging a command's input and output
80 streams. I/O logging is not on by default but can be enabled using
81 the I<log_input> and I<log_output> Defaults flags as well as the
82 C<LOG_INPUT> and C<LOG_OUTPUT> command tags.
84 =head2 Command Environment
86 Since environment variables can influence program behavior, I<sudoers>
87 provides a means to restrict which variables from the user's
88 environment are inherited by the command to be run. There are two
89 distinct ways I<sudoers> can deal with environment variables.
91 By default, the I<env_reset> option is enabled. This causes commands
92 to be executed with a new, minimal environment. On AIX (and Linux
93 systems without PAM), the environment is initialized with the
94 contents of the F</etc/environment> file. On BSD systems, if the
95 I<use_loginclass> option is enabled, the environment is initialized
96 based on the I<path> and I<setenv> settings in F</etc/login.conf>.
97 The new environment contains the C<TERM>, C<PATH>, C<HOME>, C<MAIL>,
98 C<SHELL>, C<LOGNAME>, C<USER>, C<USERNAME> and C<SUDO_*> variables
99 in addition to variables from the invoking process permitted by the
100 I<env_check> and I<env_keep> options. This is effectively a whitelist
101 for environment variables.
103 If, however, the I<env_reset> option is disabled, any variables not
104 explicitly denied by the I<env_check> and I<env_delete> options are
105 inherited from the invoking process. In this case, I<env_check>
106 and I<env_delete> behave like a blacklist. Since it is not possible
107 to blacklist all potentially dangerous environment variables, use
108 of the default I<env_reset> behavior is encouraged.
110 In all cases, environment variables with a value beginning with
111 C<()> are removed as they could be interpreted as B<bash> functions.
112 The list of environment variables that B<sudo> allows or denies is
113 contained in the output of C<sudo -V> when run as root.
115 Note that the dynamic linker on most operating systems will remove
116 variables that can control dynamic linking from the environment of
117 setuid executables, including B<sudo>. Depending on the operating
118 system this may include C<_RLD*>, C<DYLD_*>, C<LD_*>, C<LDR_*>,
119 C<LIBPATH>, C<SHLIB_PATH>, and others. These type of variables are
120 removed from the environment before B<sudo> even begins execution
121 and, as such, it is not possible for B<sudo> to preserve them.
123 As a special case, if B<sudo>'s B<-i> option (initial login) is
124 specified, I<sudoers> will initialize the environment regardless
125 of the value of I<env_reset>. The I<DISPLAY>, I<PATH> and I<TERM>
126 variables remain unchanged; I<HOME>, I<MAIL>, I<SHELL>, I<USER>,
127 and I<LOGNAME> are set based on the target user. On AIX (and Linux
128 systems without PAM), the contents of F</etc/environment> are also
129 included. On BSD systems, if the I<use_loginclass> option is
130 enabled, the I<path> and I<setenv> variables in F</etc/login.conf>
131 are also applied. All other environment variables are removed.
133 Finally, if the I<env_file> option is defined, any variables present
134 in that file will be set to their specified values as long as they
135 would not conflict with an existing environment variable.
137 =head1 SUDOERS FILE FORMAT
139 The I<sudoers> file is composed of two types of entries: aliases
140 (basically variables) and user specifications (which specify who
143 When multiple entries match for a user, they are applied in order.
144 Where there are multiple matches, the last match is used (which is
145 not necessarily the most specific match).
147 The I<sudoers> grammar will be described below in Extended Backus-Naur
148 Form (EBNF). Don't despair if you don't know what EBNF is; it is
149 fairly simple, and the definitions below are annotated.
151 =head2 Quick guide to EBNF
153 EBNF is a concise and exact way of describing the grammar of a language.
154 Each EBNF definition is made up of I<production rules>. E.g.,
156 symbol ::= definition | alternate1 | alternate2 ...
158 Each I<production rule> references others and thus makes up a
159 grammar for the language. EBNF also contains the following
160 operators, which many readers will recognize from regular
161 expressions. Do not, however, confuse them with "wildcard"
162 characters, which have different meanings.
168 Means that the preceding symbol (or group of symbols) is optional.
169 That is, it may appear once or not at all.
173 Means that the preceding symbol (or group of symbols) may appear
178 Means that the preceding symbol (or group of symbols) may appear
183 Parentheses may be used to group symbols together. For clarity,
184 we will use single quotes ('') to designate what is a verbatim character
185 string (as opposed to a symbol name).
189 There are four kinds of aliases: C<User_Alias>, C<Runas_Alias>,
190 C<Host_Alias> and C<Cmnd_Alias>.
192 Alias ::= 'User_Alias' User_Alias (':' User_Alias)* |
193 'Runas_Alias' Runas_Alias (':' Runas_Alias)* |
194 'Host_Alias' Host_Alias (':' Host_Alias)* |
195 'Cmnd_Alias' Cmnd_Alias (':' Cmnd_Alias)*
197 User_Alias ::= NAME '=' User_List
199 Runas_Alias ::= NAME '=' Runas_List
201 Host_Alias ::= NAME '=' Host_List
203 Cmnd_Alias ::= NAME '=' Cmnd_List
205 NAME ::= [A-Z]([A-Z][0-9]_)*
207 Each I<alias> definition is of the form
209 Alias_Type NAME = item1, item2, ...
211 where I<Alias_Type> is one of C<User_Alias>, C<Runas_Alias>, C<Host_Alias>,
212 or C<Cmnd_Alias>. A C<NAME> is a string of uppercase letters, numbers,
213 and underscore characters ('_'). A C<NAME> B<must> start with an
214 uppercase letter. It is possible to put several alias definitions
215 of the same type on a single line, joined by a colon (':'). E.g.,
217 Alias_Type NAME = item1, item2, item3 : NAME = item4, item5
219 The definitions of what constitutes a valid I<alias> member follow.
224 User ::= '!'* user name |
229 '!'* %:nonunix_group |
230 '!'* %:#nonunix_gid |
233 A C<User_List> is made up of one or more user names, user ids
234 (prefixed with '#'), system group names and ids (prefixed with '%'
235 and '%#' respectively), netgroups (prefixed with '+'), non-Unix
236 group names and IDs (prefixed with '%:' and '%:#' respectively) and
237 C<User_Alias>es. Each list item may be prefixed with zero or more
238 '!' operators. An odd number of '!' operators negate the value of
239 the item; an even number just cancel each other out.
241 A C<user name>, C<uid>, C<group>, C<gid>, C<netgroup>, C<nonunix_group>
242 or C<nonunix_gid> may be enclosed in double quotes to avoid the
243 need for escaping special characters. Alternately, special characters
244 may be specified in escaped hex mode, e.g. \x20 for space. When
245 using double quotes, any prefix characters must be included inside
248 The actual C<nonunix_group> and C<nonunix_gid> syntax depends on
249 the underlying group provider plugin (see the I<group_plugin>
250 description below). For instance, the QAS AD plugin supports the
257 Group in the same domain: "Group Name"
261 Group in any domain: "Group Name@FULLY.QUALIFIED.DOMAIN"
265 Group SID: "S-1-2-34-5678901234-5678901234-5678901234-567"
269 Note that quotes around group names are optional. Unquoted strings
270 must use a backslash (\) to escape spaces and special characters.
271 See L<"Other special characters and reserved words"> for a list of
272 characters that need to be escaped.
274 Runas_List ::= Runas_Member |
275 Runas_Member ',' Runas_List
277 Runas_Member ::= '!'* user name |
281 '!'* %:nonunix_group |
282 '!'* %:#nonunix_gid |
286 A C<Runas_List> is similar to a C<User_List> except that instead
287 of C<User_Alias>es it can contain C<Runas_Alias>es. Note that
288 user names and groups are matched as strings. In other words, two
289 users (groups) with the same uid (gid) are considered to be distinct.
290 If you wish to match all user names with the same uid (e.g.E<nbsp>root
291 and toor), you can use a uid instead (#0 in the example given).
296 Host ::= '!'* host name |
298 '!'* network(/netmask)? |
302 A C<Host_List> is made up of one or more host names, IP addresses,
303 network numbers, netgroups (prefixed with '+') and other aliases.
304 Again, the value of an item may be negated with the '!' operator.
305 If you do not specify a netmask along with the network number,
306 B<sudo> will query each of the local host's network interfaces and,
307 if the network number corresponds to one of the hosts's network
308 interfaces, the corresponding netmask will be used. The netmask
309 may be specified either in standard IP address notation
310 (e.g.E<nbsp>255.255.255.0 or ffff:ffff:ffff:ffff::),
311 or CIDR notation (number of bits, e.g.E<nbsp>24 or 64). A host name may
312 include shell-style wildcards (see the L<Wildcards> section below),
313 but unless the C<host name> command on your machine returns the fully
314 qualified host name, you'll need to use the I<fqdn> option for
315 wildcards to be useful. Note B<sudo> only inspects actual network
316 interfaces; this means that IP address 127.0.0.1 (localhost) will
317 never match. Also, the host name "localhost" will only match if
318 that is the actual host name, which is usually only the case for
319 non-networked systems.
324 commandname ::= file name |
328 Cmnd ::= '!'* commandname |
333 A C<Cmnd_List> is a list of one or more commandnames, directories, and other
334 aliases. A commandname is a fully qualified file name which may include
335 shell-style wildcards (see the L<Wildcards> section below). A simple
336 file name allows the user to run the command with any arguments he/she
337 wishes. However, you may also specify command line arguments (including
338 wildcards). Alternately, you can specify C<""> to indicate that the command
339 may only be run B<without> command line arguments. A directory is a
340 fully qualified path name ending in a '/'. When you specify a directory
341 in a C<Cmnd_List>, the user will be able to run any file within that directory
342 (but not in any subdirectories therein).
344 If a C<Cmnd> has associated command line arguments, then the arguments
345 in the C<Cmnd> must match exactly those given by the user on the command line
346 (or match the wildcards if there are any). Note that the following
347 characters must be escaped with a '\' if they are used in command
348 arguments: ',', ':', '=', '\'. The special command C<"sudoedit">
349 is used to permit a user to run B<sudo> with the B<-e> option (or
350 as B<sudoedit>). It may take command line arguments just as
351 a normal command does.
355 Certain configuration options may be changed from their default
356 values at runtime via one or more C<Default_Entry> lines. These
357 may affect all users on any host, all users on a specific host, a
358 specific user, a specific command, or commands being run as a specific user.
359 Note that per-command entries may not include command line arguments.
360 If you need to specify arguments, define a C<Cmnd_Alias> and reference
363 Default_Type ::= 'Defaults' |
364 'Defaults' '@' Host_List |
365 'Defaults' ':' User_List |
366 'Defaults' '!' Cmnd_List |
367 'Defaults' '>' Runas_List
369 Default_Entry ::= Default_Type Parameter_List
371 Parameter_List ::= Parameter |
372 Parameter ',' Parameter_List
374 Parameter ::= Parameter '=' Value |
375 Parameter '+=' Value |
376 Parameter '-=' Value |
379 Parameters may be B<flags>, B<integer> values, B<strings>, or B<lists>.
380 Flags are implicitly boolean and can be turned off via the '!'
381 operator. Some integer, string and list parameters may also be
382 used in a boolean context to disable them. Values may be enclosed
383 in double quotes (C<">) when they contain multiple words. Special
384 characters may be escaped with a backslash (C<\>).
386 Lists have two additional assignment operators, C<+=> and C<-=>.
387 These operators are used to add to and delete from a list respectively.
388 It is not an error to use the C<-=> operator to remove an element
389 that does not exist in a list.
391 Defaults entries are parsed in the following order: generic, host
392 and user Defaults first, then runas Defaults and finally command
395 See L<"SUDOERS OPTIONS"> for a list of supported Defaults parameters.
397 =head2 User Specification
399 User_Spec ::= User_List Host_List '=' Cmnd_Spec_List \
400 (':' Host_List '=' Cmnd_Spec_List)*
402 Cmnd_Spec_List ::= Cmnd_Spec |
403 Cmnd_Spec ',' Cmnd_Spec_List
405 Cmnd_Spec ::= Runas_Spec? SELinux_Spec? Tag_Spec* Cmnd
407 Runas_Spec ::= '(' Runas_List? (':' Runas_List)? ')'
409 SELinux_Spec ::= ('ROLE=role' | 'TYPE=type')
411 Tag_Spec ::= ('NOPASSWD:' | 'PASSWD:' | 'NOEXEC:' | 'EXEC:' |
412 'SETENV:' | 'NOSETENV:' | 'LOG_INPUT:' | 'NOLOG_INPUT:' |
413 'LOG_OUTPUT:' | 'NOLOG_OUTPUT:')
415 A B<user specification> determines which commands a user may run
416 (and as what user) on specified hosts. By default, commands are
417 run as B<root>, but this can be changed on a per-command basis.
419 The basic structure of a user specification is `who where = (as_whom)
420 what'. Let's break that down into its constituent parts:
424 A C<Runas_Spec> determines the user and/or the group that a command
425 may be run as. A fully-specified C<Runas_Spec> consists of two
426 C<Runas_List>s (as defined above) separated by a colon (':') and
427 enclosed in a set of parentheses. The first C<Runas_List> indicates
428 which users the command may be run as via B<sudo>'s B<-u> option.
429 The second defines a list of groups that can be specified via
430 B<sudo>'s B<-g> option. If both C<Runas_List>s are specified, the
431 command may be run with any combination of users and groups listed
432 in their respective C<Runas_List>s. If only the first is specified,
433 the command may be run as any user in the list but no B<-g> option
434 may be specified. If the first C<Runas_List> is empty but the
435 second is specified, the command may be run as the invoking user
436 with the group set to any listed in the C<Runas_List>. If no
437 C<Runas_Spec> is specified the command may be run as B<root> and
438 no group may be specified.
440 A C<Runas_Spec> sets the default for the commands that follow it.
441 What this means is that for the entry:
443 dgb boulder = (operator) /bin/ls, /bin/kill, /usr/bin/lprm
445 The user B<dgb> may run F</bin/ls>, F</bin/kill>, and
446 F</usr/bin/lprm> -- but only as B<operator>. E.g.,
448 $ sudo -u operator /bin/ls
450 It is also possible to override a C<Runas_Spec> later on in an
451 entry. If we modify the entry like so:
453 dgb boulder = (operator) /bin/ls, (root) /bin/kill, /usr/bin/lprm
455 Then user B<dgb> is now allowed to run F</bin/ls> as B<operator>,
456 but F</bin/kill> and F</usr/bin/lprm> as B<root>.
458 We can extend this to allow B<dgb> to run C</bin/ls> with either
459 the user or group set to B<operator>:
461 dgb boulder = (operator : operator) /bin/ls, (root) /bin/kill, \
464 Note that while the group portion of the C<Runas_Spec> permits the
465 user to run as command with that group, it does not force the user
466 to do so. If no group is specified on the command line, the command
467 will run with the group listed in the target user's password database
468 entry. The following would all be permitted by the sudoers entry above:
470 $ sudo -u operator /bin/ls
471 $ sudo -u operator -g operator /bin/ls
472 $ sudo -g operator /bin/ls
474 In the following example, user B<tcm> may run commands that access
475 a modem device file with the dialer group.
477 tcm boulder = (:dialer) /usr/bin/tip, /usr/bin/cu, \
478 /usr/local/bin/minicom
480 Note that in this example only the group will be set, the command
481 still runs as user B<tcm>. E.g.
483 $ sudo -g dialer /usr/bin/cu
485 Multiple users and groups may be present in a C<Runas_Spec>, in
486 which case the user may select any combination of users and groups
487 via the B<-u> and B<-g> options. In this example:
489 alan ALL = (root, bin : operator, system) ALL
491 user B<alan> may run any command as either user root or bin,
492 optionally setting the group to operator or system.
496 On systems with SELinux support, I<sudoers> entries may optionally have
497 an SELinux role and/or type associated with a command. If a role or
498 type is specified with the command it will override any default values
499 specified in I<sudoers>. A role or type specified on the command line,
500 however, will supercede the values in I<sudoers>.
504 A command may have zero or more tags associated with it. There are
505 eight possible tag values, C<NOPASSWD>, C<PASSWD>, C<NOEXEC>,
506 C<EXEC>, C<SETENV>, C<NOSETENV>, C<LOG_INPUT>, C<NOLOG_INPUT>,
507 C<LOG_OUTPUT> and C<NOLOG_OUTPUT>. Once a tag is set on a C<Cmnd>,
508 subsequent C<Cmnd>s in the C<Cmnd_Spec_List>, inherit the tag unless
509 it is overridden by the opposite tag (i.e.: C<PASSWD> overrides
510 C<NOPASSWD> and C<NOEXEC> overrides C<EXEC>).
512 =head3 NOPASSWD and PASSWD
514 By default, B<sudo> requires that a user authenticate him or herself
515 before running a command. This behavior can be modified via the
516 C<NOPASSWD> tag. Like a C<Runas_Spec>, the C<NOPASSWD> tag sets
517 a default for the commands that follow it in the C<Cmnd_Spec_List>.
518 Conversely, the C<PASSWD> tag can be used to reverse things.
521 ray rushmore = NOPASSWD: /bin/kill, /bin/ls, /usr/bin/lprm
523 would allow the user B<ray> to run F</bin/kill>, F</bin/ls>, and
524 F</usr/bin/lprm> as B<root> on the machine rushmore without
525 authenticating himself. If we only want B<ray> to be able to
526 run F</bin/kill> without a password the entry would be:
528 ray rushmore = NOPASSWD: /bin/kill, PASSWD: /bin/ls, /usr/bin/lprm
530 Note, however, that the C<PASSWD> tag has no effect on users who are
531 in the group specified by the I<exempt_group> option.
533 By default, if the C<NOPASSWD> tag is applied to any of the entries
534 for a user on the current host, he or she will be able to run
535 C<sudo -l> without a password. Additionally, a user may only run
536 C<sudo -v> without a password if the C<NOPASSWD> tag is present
537 for all a user's entries that pertain to the current host.
538 This behavior may be overridden via the verifypw and listpw options.
540 =head3 NOEXEC and EXEC
542 If B<sudo> has been compiled with I<noexec> support and the underlying
543 operating system supports it, the C<NOEXEC> tag can be used to prevent
544 a dynamically-linked executable from running further commands itself.
546 In the following example, user B<aaron> may run F</usr/bin/more>
547 and F</usr/bin/vi> but shell escapes will be disabled.
549 aaron shanty = NOEXEC: /usr/bin/more, /usr/bin/vi
551 See the L<Preventing Shell Escapes> section below for more details
552 on how C<NOEXEC> works and whether or not it will work on your system.
554 =head3 SETENV and NOSETENV
556 These tags override the value of the I<setenv> option on a per-command
557 basis. Note that if C<SETENV> has been set for a command, the user
558 may disable the I<env_reset> option from the command line via the
559 B<-E> option. Additionally, environment variables set on the command
560 line are not subject to the restrictions imposed by I<env_check>,
561 I<env_delete>, or I<env_keep>. As such, only trusted users should
562 be allowed to set variables in this manner. If the command matched
563 is B<ALL>, the C<SETENV> tag is implied for that command; this
564 default may be overridden by use of the C<NOSETENV> tag.
566 =head3 LOG_INPUT and NOLOG_INPUT
568 These tags override the value of the I<log_input> option on a
569 per-command basis. For more information, see the description of
570 I<log_input> in the L<"SUDOERS OPTIONS"> section below.
572 =head3 LOG_OUTPUT and NOLOG_OUTPUT
574 These tags override the value of the I<log_output> option on a
575 per-command basis. For more information, see the description of
576 I<log_output> in the L<"SUDOERS OPTIONS"> section below.
580 B<sudo> allows shell-style I<wildcards> (aka meta or glob characters)
581 to be used in host names, path names and command line arguments in
582 the I<sudoers> file. Wildcard matching is done via the B<POSIX>
583 L<glob(3)> and L<fnmatch(3)> routines. Note that these are I<not>
590 Matches any set of zero or more characters.
594 Matches any single character.
598 Matches any character in the specified range.
602 Matches any character B<not> in the specified range.
606 For any character "x", evaluates to "x". This is used to
607 escape special characters such as: "*", "?", "[", and "}".
611 POSIX character classes may also be used if your system's L<glob(3)>
612 and L<fnmatch(3)> functions support them. However, because the
613 C<':'> character has special meaning in I<sudoers>, it must be
614 escaped. For example:
616 /bin/ls [[\:alpha\:]]*
618 Would match any file name beginning with a letter.
620 Note that a forward slash ('/') will B<not> be matched by
621 wildcards used in the path name. When matching the command
622 line arguments, however, a slash B<does> get matched by
623 wildcards. This is to make a path like:
627 match F</usr/bin/who> but not F</usr/bin/X11/xterm>.
629 =head2 Exceptions to wildcard rules
631 The following exceptions apply to the above rules:
637 If the empty string C<""> is the only command line argument in the
638 I<sudoers> entry it means that command is not allowed to be run
639 with B<any> arguments.
643 =head2 Including other files from within sudoers
645 It is possible to include other I<sudoers> files from within the
646 I<sudoers> file currently being parsed using the C<#include> and
647 C<#includedir> directives.
649 This can be used, for example, to keep a site-wide I<sudoers> file
650 in addition to a local, per-machine file. For the sake of this
651 example the site-wide I<sudoers> will be F</etc/sudoers> and the
652 per-machine one will be F</etc/sudoers.local>. To include
653 F</etc/sudoers.local> from within F</etc/sudoers> we would use the
654 following line in F</etc/sudoers>:
658 C<#include /etc/sudoers.local>
662 When B<sudo> reaches this line it will suspend processing of the
663 current file (F</etc/sudoers>) and switch to F</etc/sudoers.local>.
664 Upon reaching the end of F</etc/sudoers.local>, the rest of
665 F</etc/sudoers> will be processed. Files that are included may
666 themselves include other files. A hard limit of 128 nested include
667 files is enforced to prevent include file loops.
669 If the path to the include file is not fully-qualified (does not
670 begin with a F</>), it must be located in the same directory as the
671 sudoers file it was included from. For example, if F</etc/sudoers>
676 C<#include sudoers.local>
680 the file that will be included is F</etc/sudoers.local>.
682 The file name may also include the C<%h> escape, signifying the short form
683 of the host name. I.e., if the machine's host name is "xerxes", then
685 C<#include /etc/sudoers.%h>
687 will cause B<sudo> to include the file F</etc/sudoers.xerxes>.
689 The C<#includedir> directive can be used to create a F<sudo.d>
690 directory that the system package manager can drop I<sudoers> rules
691 into as part of package installation. For example, given:
693 C<#includedir /etc/sudoers.d>
695 B<sudo> will read each file in F</etc/sudoers.d>, skipping file
696 names that end in C<~> or contain a C<.> character to avoid causing
697 problems with package manager or editor temporary/backup files.
698 Files are parsed in sorted lexical order. That is,
699 F</etc/sudoers.d/01_first> will be parsed before
700 F</etc/sudoers.d/10_second>. Be aware that because the sorting is
701 lexical, not numeric, F</etc/sudoers.d/1_whoops> would be loaded
702 B<after> F</etc/sudoers.d/10_second>. Using a consistent number
703 of leading zeroes in the file names can be used to avoid such
706 Note that unlike files included via C<#include>, B<visudo> will not
707 edit the files in a C<#includedir> directory unless one of them
708 contains a syntax error. It is still possible to run B<visudo>
709 with the C<-f> flag to edit the files directly.
711 =head2 Other special characters and reserved words
713 The pound sign ('#') is used to indicate a comment (unless it is
714 part of a #include directive or unless it occurs in the context of
715 a user name and is followed by one or more digits, in which case
716 it is treated as a uid). Both the comment character and any text
717 after it, up to the end of the line, are ignored.
719 The reserved word B<ALL> is a built-in I<alias> that always causes
720 a match to succeed. It can be used wherever one might otherwise
721 use a C<Cmnd_Alias>, C<User_Alias>, C<Runas_Alias>, or C<Host_Alias>.
722 You should not try to define your own I<alias> called B<ALL> as the
723 built-in alias will be used in preference to your own. Please note
724 that using B<ALL> can be dangerous since in a command context, it
725 allows the user to run B<any> command on the system.
727 An exclamation point ('!') can be used as a logical I<not> operator
728 both in an I<alias> and in front of a C<Cmnd>. This allows one to
729 exclude certain values. Note, however, that using a C<!> in
730 conjunction with the built-in C<ALL> alias to allow a user to
731 run "all but a few" commands rarely works as intended (see SECURITY
734 Long lines can be continued with a backslash ('\') as the last
735 character on the line.
737 Whitespace between elements in a list as well as special syntactic
738 characters in a I<User Specification> ('=', ':', '(', ')') is optional.
740 The following characters must be escaped with a backslash ('\') when
741 used as part of a word (e.g.E<nbsp>a user name or host name):
742 '!', '=', ':', ',', '(', ')', '\'.
744 =head1 SUDOERS OPTIONS
746 B<sudo>'s behavior can be modified by C<Default_Entry> lines, as
747 explained earlier. A list of all supported Defaults parameters,
748 grouped by type, are listed below.
754 =item always_set_home
756 If enabled, B<sudo> will set the C<HOME> environment variable to the
757 home directory of the target user (which is root unless the B<-u>
758 option is used). This effectively means that the B<-H> option is
759 always implied. Note that C<HOME> is already set when the the
760 I<env_reset> option is enabled, so I<always_set_home> is only
761 effective for configurations where either I<env_reset> is disabled
762 or C<HOME> is present in the I<env_keep> list.
763 This flag is I<off> by default.
767 If set, users must authenticate themselves via a password (or other
768 means of authentication) before they may run commands. This default
769 may be overridden via the C<PASSWD> and C<NOPASSWD> tags.
770 This flag is I<on> by default.
772 =item closefrom_override
774 If set, the user may use B<sudo>'s B<-C> option which
775 overrides the default starting point at which B<sudo> begins
776 closing open file descriptors. This flag is I<off> by default.
780 If set, and B<sudo> is configured to log a command's input or output,
781 the I/O logs will be compressed using B<zlib>. This flag is I<on>
782 by default when B<sudo> is compiled with B<zlib> support.
786 If set, B<visudo> will use the value of the EDITOR or VISUAL
787 environment variables before falling back on the default editor list.
788 Note that this may create a security hole as it allows the user to
789 run any arbitrary command as root without logging. A safer alternative
790 is to place a colon-separated list of editors in the C<editor>
791 variable. B<visudo> will then only use the EDITOR or VISUAL if
792 they match a value specified in C<editor>. This flag is I<@env_editor@> by
797 If set, B<sudo> will run the command in a minimal environment
798 containing the C<TERM>, C<PATH>, C<HOME>, C<MAIL>, C<SHELL>,
799 C<LOGNAME>, C<USER>, C<USERNAME> and C<SUDO_*> variables. Any
800 variables in the caller's environment that match the C<env_keep>
801 and C<env_check> lists are then added, followed by any variables
802 present in the file specified by the I<env_file> option (if any).
803 The default contents of the C<env_keep> and C<env_check> lists are
804 displayed when B<sudo> is run by root with the I<-V> option. If
805 the I<secure_path> option is set, its value will be used for the
806 C<PATH> environment variable. This flag is I<@env_reset@> by
811 Normally, B<sudo> uses the L<glob(3)> function to do shell-style
812 globbing when matching path names. However, since it accesses the
813 file system, L<glob(3)> can take a long time to complete for some
814 patterns, especially when the pattern references a network file
815 system that is mounted on demand (automounted). The I<fast_glob>
816 option causes B<sudo> to use the L<fnmatch(3)> function, which does
817 not access the file system to do its matching. The disadvantage
818 of I<fast_glob> is that it is unable to match relative path names
819 such as F<./ls> or F<../bin/ls>. This has security implications
820 when path names that include globbing characters are used with the
821 negation operator, C<'!'>, as such rules can be trivially bypassed.
822 As such, this option should not be used when I<sudoers> contains rules
823 that contain negated path names which include globbing characters.
824 This flag is I<off> by default.
828 Set this flag if you want to put fully qualified host names in the
829 I<sudoers> file. I.e., instead of myhost you would use myhost.mydomain.edu.
830 You may still use the short form if you wish (and even mix the two).
831 Beware that turning on I<fqdn> requires B<sudo> to make DNS lookups
832 which may make B<sudo> unusable if DNS stops working (for example
833 if the machine is not plugged into the network). Also note that
834 you must use the host's official name as DNS knows it. That is,
835 you may not use a host alias (C<CNAME> entry) due to performance
836 issues and the fact that there is no way to get all aliases from
837 DNS. If your machine's host name (as returned by the C<hostname>
838 command) is already fully qualified you shouldn't need to set
839 I<fqdn>. This flag is I<@fqdn@> by default.
843 If set, B<sudo> will ignore '.' or '' (current dir) in the C<PATH>
844 environment variable; the C<PATH> itself is not modified. This
845 flag is I<@ignore_dot@> by default.
847 =item ignore_local_sudoers
849 If set via LDAP, parsing of F<@sysconfdir@/sudoers> will be skipped.
850 This is intended for Enterprises that wish to prevent the usage of local
851 sudoers files so that only LDAP is used. This thwarts the efforts of
852 rogue operators who would attempt to add roles to F<@sysconfdir@/sudoers>.
853 When this option is present, F<@sysconfdir@/sudoers> does not even need to
854 exist. Since this option tells B<sudo> how to behave when no specific LDAP
855 entries have been matched, this sudoOption is only meaningful for the
856 C<cn=defaults> section. This flag is I<off> by default.
860 If set, B<sudo> will insult users when they enter an incorrect
861 password. This flag is I<@insults@> by default.
865 If set, the host name will be logged in the (non-syslog) B<sudo> log file.
866 This flag is I<off> by default.
870 If set, B<sudo> will run the command in a I<pseudo tty> and log all
872 If the standard input is not connected to the user's tty, due to
873 I/O redirection or because the command is part of a pipeline, that
874 input is also captured and stored in a separate log file.
876 Input is logged to the directory specified by the I<iolog_dir>
877 option (F<@iolog_dir@> by default) using a unique session ID that
878 is included in the normal B<sudo> log line, prefixed with I<TSID=>.
879 The I<iolog_file> option may be used to control the format of the
882 Note that user input may contain sensitive information such as
883 passwords (even if they are not echoed to the screen), which will
884 be stored in the log file unencrypted. In most cases, logging the
885 command output via I<log_output> is all that is required.
889 If set, B<sudo> will run the command in a I<pseudo tty> and log all
890 output that is sent to the screen, similar to the script(1) command.
891 If the standard output or standard error is not connected to the
892 user's tty, due to I/O redirection or because the command is part
893 of a pipeline, that output is also captured and stored in separate
896 Output is logged to the directory specified by the I<iolog_dir>
897 option (F<@iolog_dir@> by default) using a unique session ID that
898 is included in the normal B<sudo> log line, prefixed with I<TSID=>.
899 The I<iolog_file> option may be used to control the format of the
902 Output logs may be viewed with the L<sudoreplay(8)> utility, which
903 can also be used to list or search the available logs.
907 If set, the four-digit year will be logged in the (non-syslog) B<sudo> log file.
908 This flag is I<off> by default.
910 =item long_otp_prompt
912 When validating with a One Time Password (OTP) scheme such as
913 B<S/Key> or B<OPIE>, a two-line prompt is used to make it easier
914 to cut and paste the challenge to a local window. It's not as
915 pretty as the default but some people find it more convenient. This
916 flag is I<@long_otp_prompt@> by default.
920 Send mail to the I<mailto> user every time a users runs B<sudo>.
921 This flag is I<off> by default.
925 Send mail to the I<mailto> user if the user running B<sudo> does not
926 enter the correct password. This flag is I<off> by default.
930 If set, mail will be sent to the I<mailto> user if the invoking
931 user exists in the I<sudoers> file, but is not allowed to run
932 commands on the current host. This flag is I<@mail_no_host@> by default.
936 If set, mail will be sent to the I<mailto> user if the invoking
937 user is allowed to use B<sudo> but the command they are trying is not
938 listed in their I<sudoers> file entry or is explicitly denied.
939 This flag is I<@mail_no_perms@> by default.
943 If set, mail will be sent to the I<mailto> user if the invoking
944 user is not in the I<sudoers> file. This flag is I<@mail_no_user@>
949 If set, all commands run via B<sudo> will behave as if the C<NOEXEC>
950 tag has been set, unless overridden by a C<EXEC> tag. See the
951 description of I<NOEXEC and EXEC> below as well as the L<Preventing Shell
952 Escapes> section at the end of this manual. This flag is I<off> by default.
956 Normally, B<sudo> will tell the user when a command could not be
957 found in their C<PATH> environment variable. Some sites may wish
958 to disable this as it could be used to gather information on the
959 location of executables that the normal user does not have access
960 to. The disadvantage is that if the executable is simply not in
961 the user's C<PATH>, B<sudo> will tell the user that they are not
962 allowed to run it, which can be confusing. This flag is I<@path_info@>
965 =item passprompt_override
967 The password prompt specified by I<passprompt> will normally only
968 be used if the password prompt provided by systems such as PAM matches
969 the string "Password:". If I<passprompt_override> is set, I<passprompt>
970 will always be used. This flag is I<off> by default.
972 =item preserve_groups
974 By default, B<sudo> will initialize the group vector to the list of
975 groups the target user is in. When I<preserve_groups> is set, the
976 user's existing group vector is left unaltered. The real and
977 effective group IDs, however, are still set to match the target
978 user. This flag is I<off> by default.
982 By default, B<sudo> reads the password like most other Unix programs,
983 by turning off echo until the user hits the return (or enter) key.
984 Some users become confused by this as it appears to them that B<sudo>
985 has hung at this point. When I<pwfeedback> is set, B<sudo> will
986 provide visual feedback when the user presses a key. Note that
987 this does have a security impact as an onlooker may be able to
988 determine the length of the password being entered.
989 This flag is I<off> by default.
993 If set, B<sudo> will only run when the user is logged in to a real
994 tty. When this flag is set, B<sudo> can only be run from a login
995 session and not via other means such as L<cron(8)> or cgi-bin scripts.
996 This flag is I<off> by default.
1000 If set, root is allowed to run B<sudo> too. Disabling this prevents users
1001 from "chaining" B<sudo> commands to get a root shell by doing something
1002 like C<"sudo sudo /bin/sh">. Note, however, that turning off I<root_sudo>
1003 will also prevent root from running B<sudoedit>.
1004 Disabling I<root_sudo> provides no real additional security; it
1005 exists purely for historical reasons.
1006 This flag is I<@root_sudo@> by default.
1010 If set, B<sudo> will prompt for the root password instead of the password
1011 of the invoking user. This flag is I<off> by default.
1015 If set, B<sudo> will prompt for the password of the user defined by the
1016 I<runas_default> option (defaults to C<@runas_default@>) instead of the
1017 password of the invoking user. This flag is I<off> by default.
1021 If enabled and B<sudo> is invoked with the B<-s> option the C<HOME>
1022 environment variable will be set to the home directory of the target
1023 user (which is root unless the B<-u> option is used). This effectively
1024 makes the B<-s> option imply B<-H>. Note that C<HOME> is already
1025 set when the the I<env_reset> option is enabled, so I<set_home> is
1026 only effective for configurations where either I<env_reset> is disabled
1027 or C<HOME> is present in the I<env_keep> list.
1028 This flag is I<off> by default.
1032 Normally, B<sudo> will set the C<LOGNAME>, C<USER> and C<USERNAME>
1033 environment variables to the name of the target user (usually root
1034 unless the B<-u> option is given). However, since some programs
1035 (including the RCS revision control system) use C<LOGNAME> to
1036 determine the real identity of the user, it may be desirable to
1037 change this behavior. This can be done by negating the set_logname
1038 option. Note that if the I<env_reset> option has not been disabled,
1039 entries in the I<env_keep> list will override the value of
1040 I<set_logname>. This flag is I<on> by default.
1044 When enabled, B<sudo> will create an entry in the utmp (or utmpx)
1045 file when a pseudo-tty is allocated. A pseudo-tty is allocated by
1046 B<sudo> when the I<log_input>, I<log_output> or I<use_pty> flags
1047 are enabled. By default, the new entry will be a copy of the user's
1048 existing utmp entry (if any), with the tty, time, type and pid
1049 fields updated. This flag is I<on> by default.
1053 Allow the user to disable the I<env_reset> option from the command
1054 line via the B<-E> option. Additionally, environment variables set
1055 via the command line are not subject to the restrictions imposed
1056 by I<env_check>, I<env_delete>, or I<env_keep>. As such, only
1057 trusted users should be allowed to set variables in this manner.
1058 This flag is I<off> by default.
1062 If set and B<sudo> is invoked with no arguments it acts as if the
1063 B<-s> option had been given. That is, it runs a shell as root (the
1064 shell is determined by the C<SHELL> environment variable if it is
1065 set, falling back on the shell listed in the invoking user's
1066 /etc/passwd entry if not). This flag is I<off> by default.
1070 Normally, when B<sudo> executes a command the real and effective
1071 UIDs are set to the target user (root by default). This option
1072 changes that behavior such that the real UID is left as the invoking
1073 user's UID. In other words, this makes B<sudo> act as a setuid
1074 wrapper. This can be useful on systems that disable some potentially
1075 dangerous functionality when a program is run setuid. This option
1076 is only effective on systems with either the setreuid() or setresuid()
1077 function. This flag is I<off> by default.
1081 If set, B<sudo> will prompt for the password of the user specified
1082 by the B<-u> option (defaults to C<root>) instead of the password
1083 of the invoking user. In addition, the timestamp file name will
1084 include the target user's name. Note that this flag precludes the
1085 use of a uid not listed in the passwd database as an argument to
1086 the B<-u> option. This flag is I<off> by default.
1090 If set, users must authenticate on a per-tty basis. With this flag
1091 enabled, B<sudo> will use a file named for the tty the user is
1092 logged in on in the user's time stamp directory. If disabled, the
1093 time stamp of the directory is used instead. This flag is
1094 I<@tty_tickets@> by default.
1096 =item umask_override
1098 If set, B<sudo> will set the umask as specified by I<sudoers> without
1099 modification. This makes it possible to specify a more permissive
1100 umask in I<sudoers> than the user's own umask and matches historical
1101 behavior. If I<umask_override> is not set, B<sudo> will set the
1102 umask to be the union of the user's umask and what is specified in
1103 I<sudoers>. This flag is I<@umask_override@> by default.
1105 =item use_loginclass
1107 If set, B<sudo> will apply the defaults specified for the target user's
1108 login class if one exists. Only available if B<sudo> is configured with
1109 the --with-logincap option. This flag is I<off> by default.
1113 If set, B<sudo> will run the command in a pseudo-pty even if no I/O
1114 logging is being gone. A malicious program run under B<sudo> could
1115 conceivably fork a background process that retains to the user's
1116 terminal device after the main program has finished executing. Use
1117 of this option will make that impossible. This flag is I<off> by default.
1121 If set, B<sudo> will store the name of the runas user when updating
1122 the utmp (or utmpx) file. By default, B<sudo> stores the name of
1123 the invoking user. This flag is I<off> by default.
1127 By default, B<sudo> will refuse to run if the user must enter a
1128 password but it is not possible to disable echo on the terminal.
1129 If the I<visiblepw> flag is set, B<sudo> will prompt for a password
1130 even when it would be visible on the screen. This makes it possible
1131 to run things like C<"rsh somehost sudo ls"> since L<rsh(1)> does
1132 not allocate a tty. This flag is I<off> by default.
1142 Before it executes a command, B<sudo> will close all open file
1143 descriptors other than standard input, standard output and standard
1144 error (ie: file descriptors 0-2). The I<closefrom> option can be used
1145 to specify a different file descriptor at which to start closing.
1146 The default is C<3>.
1150 The number of tries a user gets to enter his/her password before
1151 B<sudo> logs the failure and exits. The default is C<@passwd_tries@>.
1155 B<Integers that can be used in a boolean context>:
1161 Number of characters per line for the file log. This value is used
1162 to decide when to wrap lines for nicer log files. This has no
1163 effect on the syslog log file, only the file log. The default is
1164 C<@loglen@> (use 0 or negate the option to disable word wrap).
1166 =item passwd_timeout
1168 Number of minutes before the B<sudo> password prompt times out, or
1169 C<0> for no timeout. The timeout may include a fractional component
1170 if minute granularity is insufficient, for example C<2.5>. The
1171 default is C<@password_timeout@>.
1173 =item timestamp_timeout
1175 Number of minutes that can elapse before B<sudo> will ask for a
1176 passwd again. The timeout may include a fractional component if
1177 minute granularity is insufficient, for example C<2.5>. The default
1178 is C<@timeout@>. Set this to C<0> to always prompt for a password.
1179 If set to a value less than C<0> the user's timestamp will never
1180 expire. This can be used to allow users to create or delete their
1181 own timestamps via C<sudo -v> and C<sudo -k> respectively.
1185 Umask to use when running the command. Negate this option or set
1186 it to 0777 to preserve the user's umask. The actual umask that is
1187 used will be the union of the user's umask and the value of the
1188 I<umask> option, which defaults to C<@sudo_umask@>. This guarantees
1189 that B<sudo> never lowers the umask when running a command. Note
1190 on systems that use PAM, the default PAM configuration may specify
1191 its own umask which will override the value set in I<sudoers>.
1199 =item badpass_message
1201 Message that is displayed if a user enters an incorrect password.
1202 The default is C<@badpass_message@> unless insults are enabled.
1206 A colon (':') separated list of editors allowed to be used with
1207 B<visudo>. B<visudo> will choose the editor that matches the user's
1208 EDITOR environment variable if possible, or the first editor in the
1209 list that exists and is executable. The default is C<"@editor@">.
1213 The top-level directory to use when constructing the path name for
1214 the input/output log directory. Only used if the I<log_input> or
1215 I<log_output> options are enabled or when the C<LOG_INPUT> or
1216 C<LOG_OUTPUT> tags are present for a command. The session sequence
1217 number, if any, is stored in the directory.
1218 The default is C<"@iolog_dir@">.
1220 The following percent (`C<%>') escape sequences are supported:
1226 expanded to a monotonically increasing base-36 sequence number, such as 0100A5,
1227 where every two digits are used to form a new directory, e.g. F<01/00/A5>
1231 expanded to the invoking user's login name
1235 expanded to the name of the invoking user's real group ID
1237 =item C<%{runas_user}>
1239 expanded to the login name of the user the command will
1240 be run as (e.g. root)
1242 =item C<%{runas_group}>
1244 expanded to the group name of the user the command will
1245 be run as (e.g. wheel)
1247 =item C<%{hostname}>
1249 expanded to the local host name without the domain name
1253 expanded to the base name of the command being run
1257 In addition, any escape sequences supported by the system's strftime()
1258 function will be expanded.
1260 To include a literal `C<%>' character, the string `C<%%>' should
1265 The path name, relative to I<iolog_dir>, in which to store input/output
1266 logs when the I<log_input> or I<log_output> options are enabled or
1267 when the C<LOG_INPUT> or C<LOG_OUTPUT> tags are present for a command.
1268 Note that I<iolog_file> may contain directory components.
1269 The default is C<"%{seq}">.
1271 See the I<iolog_dir> option above for a list of supported percent
1272 (`C<%>') escape sequences.
1274 In addition to the escape sequences, path names that end in six or
1275 more C<X>s will have the C<X>s replaced with a unique combination
1276 of digits and letters, similar to the mktemp() function.
1280 Subject of the mail sent to the I<mailto> user. The escape C<%h>
1281 will expand to the host name of the machine.
1282 Default is C<@mailsub@>.
1286 This option is no longer supported. The path to the noexec file
1287 should now be set in the F<@sysconfdir@/sudo.conf> file.
1291 The default prompt to use when asking for a password; can be overridden
1292 via the B<-p> option or the C<SUDO_PROMPT> environment variable.
1293 The following percent (`C<%>') escape sequences are supported:
1299 expanded to the local host name including the domain name
1300 (only if the machine's host name is fully qualified or the I<fqdn>
1305 expanded to the local host name without the domain name
1309 expanded to the user whose password is being asked for (respects the
1310 I<rootpw>, I<targetpw> and I<runaspw> flags in I<sudoers>)
1314 expanded to the login name of the user the command will
1315 be run as (defaults to root)
1319 expanded to the invoking user's login name
1323 two consecutive C<%> characters are collapsed into a single C<%> character
1327 The default value is C<@passprompt@>.
1331 The default SELinux role to use when constructing a new security
1332 context to run the command. The default role may be overridden on
1333 a per-command basis in I<sudoers> or via command line options.
1334 This option is only available whe B<sudo> is built with SELinux support.
1338 The default user to run commands as if the B<-u> option is not specified
1339 on the command line. This defaults to C<@runas_default@>.
1343 Syslog priority to use when user authenticates unsuccessfully.
1344 Defaults to C<@badpri@>.
1346 The following syslog priorities are supported: B<alert>, B<crit>,
1347 B<debug>, B<emerg>, B<err>, B<info>, B<notice>, and B<warning>.
1349 =item syslog_goodpri
1351 Syslog priority to use when user authenticates successfully.
1352 Defaults to C<@goodpri@>.
1354 See L<syslog_badpri> for the list of supported syslog priorities.
1356 =item sudoers_locale
1358 Locale to use when parsing the sudoers file, logging commands, and
1359 sending email. Note that changing the locale may affect how sudoers
1360 is interpreted. Defaults to C<"C">.
1364 The directory in which B<sudo> stores its timestamp files.
1365 The default is F<@timedir@>.
1367 =item timestampowner
1369 The owner of the timestamp directory and the timestamps stored therein.
1370 The default is C<root>.
1374 The default SELinux type to use when constructing a new security
1375 context to run the command. The default type may be overridden on
1376 a per-command basis in I<sudoers> or via command line options.
1377 This option is only available whe B<sudo> is built with SELinux support.
1381 B<Strings that can be used in a boolean context>:
1387 The I<env_file> option specifies the fully qualified path to a
1388 file containing variables to be set in the environment of the program
1389 being run. Entries in this file should either be of the form
1390 C<VARIABLE=value> or C<export VARIABLE=value>. The value may
1391 optionally be surrounded by single or double quotes. Variables in
1392 this file are subject to other B<sudo> environment settings such
1393 as I<env_keep> and I<env_check>.
1397 Users in this group are exempt from password and PATH requirements.
1398 The group name specified should not include a C<%> prefix.
1399 This is not set by default.
1403 A string containing a I<sudoers> group plugin with optional arguments.
1404 This can be used to implement support for the C<nonunix_group>
1405 syntax described earlier. The string should consist of the plugin
1406 path, either fully-qualified or relative to the F<@prefix@/libexec>
1407 directory, followed by any configuration arguments the plugin
1408 requires. These arguments (if any) will be passed to the plugin's
1409 initialization function. If arguments are present, the string must
1410 be enclosed in double quotes (C<">).
1412 For example, given F</etc/sudo-group>, a group file in Unix group
1413 format, the sample group plugin can be used:
1415 Defaults group_plugin="sample_group.so /etc/sudo-group"
1417 For more information see L<sudo_plugin(5)>.
1421 This option controls when a short lecture will be printed along with
1422 the password prompt. It has the following possible values:
1428 Always lecture the user.
1432 Never lecture the user.
1436 Only lecture the user the first time they run B<sudo>.
1440 If no value is specified, a value of I<once> is implied.
1441 Negating the option results in a value of I<never> being used.
1442 The default value is I<@lecture@>.
1446 Path to a file containing an alternate B<sudo> lecture that will
1447 be used in place of the standard lecture if the named file exists.
1448 By default, B<sudo> uses a built-in lecture.
1452 This option controls when a password will be required when a
1453 user runs B<sudo> with the B<-l> option. It has the following possible values:
1459 All the user's I<sudoers> entries for the current host must have
1460 the C<NOPASSWD> flag set to avoid entering a password.
1464 The user must always enter a password to use the B<-l> option.
1468 At least one of the user's I<sudoers> entries for the current host
1469 must have the C<NOPASSWD> flag set to avoid entering a password.
1473 The user need never enter a password to use the B<-l> option.
1477 If no value is specified, a value of I<any> is implied.
1478 Negating the option results in a value of I<never> being used.
1479 The default value is I<any>.
1483 Path to the B<sudo> log file (not the syslog log file). Setting a path
1484 turns on logging to a file; negating this option turns it off.
1485 By default, B<sudo> logs via syslog.
1489 Flags to use when invoking mailer. Defaults to B<-t>.
1493 Path to mail program used to send warning mail.
1494 Defaults to the path to sendmail found at configure time.
1498 Address to use for the "from" address when sending warning and error
1499 mail. The address should be enclosed in double quotes (C<">) to
1500 protect against B<sudo> interpreting the C<@> sign. Defaults to
1501 the name of the user running B<sudo>.
1505 Address to send warning and error mail to. The address should
1506 be enclosed in double quotes (C<">) to protect against B<sudo>
1507 interpreting the C<@> sign. Defaults to C<@mailto@>.
1511 Path used for every command run from B<sudo>. If you don't trust the
1512 people running B<sudo> to have a sane C<PATH> environment variable you may
1513 want to use this. Another use is if you want to have the "root path"
1514 be separate from the "user path." Users in the group specified by the
1515 I<exempt_group> option are not affected by I<secure_path>.
1516 This option is @secure_path@ by default.
1520 Syslog facility if syslog is being used for logging (negate to
1521 disable syslog logging). Defaults to C<@logfac@>.
1523 The following syslog facilities are supported: B<authpriv> (if your
1524 OS supports it), B<auth>, B<daemon>, B<user>, B<local0>, B<local1>,
1525 B<local2>, B<local3>, B<local4>, B<local5>, B<local6>, and B<local7>.
1529 This option controls when a password will be required when a user runs
1530 B<sudo> with the B<-v> option. It has the following possible values:
1536 All the user's I<sudoers> entries for the current host must have
1537 the C<NOPASSWD> flag set to avoid entering a password.
1541 The user must always enter a password to use the B<-v> option.
1545 At least one of the user's I<sudoers> entries for the current host
1546 must have the C<NOPASSWD> flag set to avoid entering a password.
1550 The user need never enter a password to use the B<-v> option.
1554 If no value is specified, a value of I<all> is implied.
1555 Negating the option results in a value of I<never> being used.
1556 The default value is I<all>.
1560 B<Lists that can be used in a boolean context>:
1566 Environment variables to be removed from the user's environment if
1567 the variable's value contains C<%> or C</> characters. This can
1568 be used to guard against printf-style format vulnerabilities in
1569 poorly-written programs. The argument may be a double-quoted,
1570 space-separated list or a single value without double-quotes. The
1571 list can be replaced, added to, deleted from, or disabled by using
1572 the C<=>, C<+=>, C<-=>, and C<!> operators respectively. Regardless
1573 of whether the C<env_reset> option is enabled or disabled, variables
1574 specified by C<env_check> will be preserved in the environment if
1575 they pass the aforementioned check. The default list of environment
1576 variables to check is displayed when B<sudo> is run by root with
1581 Environment variables to be removed from the user's environment
1582 when the I<env_reset> option is not in effect. The argument may
1583 be a double-quoted, space-separated list or a single value without
1584 double-quotes. The list can be replaced, added to, deleted from,
1585 or disabled by using the C<=>, C<+=>, C<-=>, and C<!> operators
1586 respectively. The default list of environment variables to remove
1587 is displayed when B<sudo> is run by root with the I<-V> option.
1588 Note that many operating systems will remove potentially dangerous
1589 variables from the environment of any setuid process (such as
1594 Environment variables to be preserved in the user's environment
1595 when the I<env_reset> option is in effect. This allows fine-grained
1596 control over the environment B<sudo>-spawned processes will receive.
1597 The argument may be a double-quoted, space-separated list or a
1598 single value without double-quotes. The list can be replaced, added
1599 to, deleted from, or disabled by using the C<=>, C<+=>, C<-=>, and
1600 C<!> operators respectively. The default list of variables to keep
1601 is displayed when B<sudo> is run by root with the I<-V> option.
1607 The F<@sysconfdir@/sudo.conf> file determines which plugins the
1608 B<sudo> front end will load. If no F<@sysconfdir@/sudo.conf> file
1609 is present, or it contains no C<Plugin> lines, B<sudo> will use the
1610 I<sudoers> security policy and I/O logging, which corresponds to
1611 the following F<@sysconfdir@/sudo.conf> file.
1614 # Default @sysconfdir@/sudo.conf file
1617 # Plugin plugin_name plugin_path plugin_options ...
1618 # Path askpass /path/to/askpass
1619 # Path noexec /path/to/sudo_noexec.so
1620 # Debug sudo /var/log/sudo_debug all@warn
1621 # Set disable_coredump true
1623 # The plugin_path is relative to @prefix@/libexec unless
1625 # The plugin_name corresponds to a global symbol in the plugin
1626 # that contains the plugin interface structure.
1627 # The plugin_options are optional.
1629 Plugin policy_plugin sudoers.so
1630 Plugin io_plugin sudoers.so
1632 =head2 PLUGIN OPTIONS
1634 Starting with B<sudo> 1.8.5 it is possible to pass options to the
1635 I<sudoers> plugin. Options may be listed after the path to the
1636 plugin (i.e. after F<sudoers.so>); multiple options should be
1637 space-separated. For example:
1639 Plugin sudoers_policy sudoers.so sudoers_file=/etc/sudoers sudoers_uid=0 sudoers_gid=0 sudoers_mode=0440
1641 The following plugin options are supported:
1645 =item sudoers_file=pathname
1647 The I<sudoers_file> option can be used to override the default path
1648 to the I<sudoers> file.
1650 =item sudoers_uid=uid
1652 The I<sudoers_uid> option can be used to override the default owner
1653 of the sudoers file. It should be specified as a numeric user ID.
1655 =item sudoers_gid=gid
1657 The I<sudoers_gid> option can be used to override the default group
1658 of the sudoers file. It should be specified as a numeric group ID.
1660 =item sudoers_mode=mode
1662 The I<sudoers_mode> option can be used to override the default file
1663 mode for the sudoers file. It should be specified as an octal value.
1669 Versions 1.8.4 and higher of the I<sudoers> plugin supports a
1670 debugging framework that can help track down what the plugin is
1671 doing internally if there is a problem. This can be configured in
1672 the F<@sysconfdir@/sudo.conf> file as described in L<sudo(8)>.
1674 The I<sudoers> plugin uses the same debug flag format as B<sudo>
1675 itself: I<subsystem>@I<priority>.
1677 The priorities used by I<sudoers>, in order of decreasing severity,
1678 are: I<crit>, I<err>, I<warn>, I<notice>, I<diag>, I<info>, I<trace>
1679 and I<debug>. Each priority, when specified, also includes all
1680 priorities higher than it. For example, a priority of I<notice>
1681 would include debug messages logged at I<notice> and higher.
1683 The following subsystems are used by I<sudoers>:
1689 C<User_Alias>, C<Runas_Alias>, C<Host_Alias> and C<Cmnd_Alias> processing
1693 matches every subsystem
1697 BSM and Linux audit code
1705 I<sudoers> I<Defaults> settings
1709 environment handling
1721 matching of users, groups, hosts and netgroups in I<sudoers>
1725 network interface handling
1729 network service switch handling in I<sudoers>
1733 I<sudoers> file parsing
1741 The equivalent of I<main> for the plugin.
1745 pseudo-tty related code
1749 redblack tree internals
1761 =item F<@sysconfdir@/sudo.conf>
1763 Sudo front end configuration
1765 =item F<@sysconfdir@/sudoers>
1767 List of who can run what
1773 =item F</etc/netgroup>
1775 List of network groups
1777 =item F<@iolog_dir@>
1783 Directory containing time stamps for the I<sudoers> security policy
1785 =item F</etc/environment>
1787 Initial environment for B<-i> mode on AIX and Linux systems
1793 Below are example I<sudoers> entries. Admittedly, some of
1794 these are a bit contrived. First, we allow a few environment
1795 variables to pass and then define our I<aliases>:
1797 # Run X applications through sudo; HOME is used to find the
1798 # .Xauthority file. Note that other programs use HOME to find
1799 # configuration files and this may lead to privilege escalation!
1800 Defaults env_keep += "DISPLAY HOME"
1802 # User alias specification
1803 User_Alias FULLTIMERS = millert, mikef, dowdy
1804 User_Alias PARTTIMERS = bostley, jwfox, crawl
1805 User_Alias WEBMASTERS = will, wendy, wim
1807 # Runas alias specification
1808 Runas_Alias OP = root, operator
1809 Runas_Alias DB = oracle, sybase
1810 Runas_Alias ADMINGRP = adm, oper
1812 # Host alias specification
1813 Host_Alias SPARC = bigtime, eclipse, moet, anchor :\
1814 SGI = grolsch, dandelion, black :\
1815 ALPHA = widget, thalamus, foobar :\
1816 HPPA = boa, nag, python
1817 Host_Alias CUNETS = 128.138.0.0/255.255.0.0
1818 Host_Alias CSNETS = 128.138.243.0, 128.138.204.0/24, 128.138.242.0
1819 Host_Alias SERVERS = master, mail, www, ns
1820 Host_Alias CDROM = orion, perseus, hercules
1822 # Cmnd alias specification
1823 Cmnd_Alias DUMPS = /usr/bin/mt, /usr/sbin/dump, /usr/sbin/rdump,\
1824 /usr/sbin/restore, /usr/sbin/rrestore
1825 Cmnd_Alias KILL = /usr/bin/kill
1826 Cmnd_Alias PRINTING = /usr/sbin/lpc, /usr/bin/lprm
1827 Cmnd_Alias SHUTDOWN = /usr/sbin/shutdown
1828 Cmnd_Alias HALT = /usr/sbin/halt
1829 Cmnd_Alias REBOOT = /usr/sbin/reboot
1830 Cmnd_Alias SHELLS = /usr/bin/sh, /usr/bin/csh, /usr/bin/ksh, \
1831 /usr/local/bin/tcsh, /usr/bin/rsh, \
1833 Cmnd_Alias SU = /usr/bin/su
1834 Cmnd_Alias PAGERS = /usr/bin/more, /usr/bin/pg, /usr/bin/less
1836 Here we override some of the compiled in default values. We want
1837 B<sudo> to log via L<syslog(3)> using the I<auth> facility in all
1838 cases. We don't want to subject the full time staff to the B<sudo>
1839 lecture, user B<millert> need not give a password, and we don't
1840 want to reset the C<LOGNAME>, C<USER> or C<USERNAME> environment
1841 variables when running commands as root. Additionally, on the
1842 machines in the I<SERVERS> C<Host_Alias>, we keep an additional
1843 local log file and make sure we log the year in each log line since
1844 the log entries will be kept around for several years. Lastly, we
1845 disable shell escapes for the commands in the PAGERS C<Cmnd_Alias>
1846 (F</usr/bin/more>, F</usr/bin/pg> and F</usr/bin/less>).
1848 # Override built-in defaults
1849 Defaults syslog=auth
1850 Defaults>root !set_logname
1851 Defaults:FULLTIMERS !lecture
1852 Defaults:millert !authenticate
1853 Defaults@SERVERS log_year, logfile=/var/log/sudo.log
1854 Defaults!PAGERS noexec
1856 The I<User specification> is the part that actually determines who may
1859 root ALL = (ALL) ALL
1860 %wheel ALL = (ALL) ALL
1862 We let B<root> and any user in group B<wheel> run any command on any
1865 FULLTIMERS ALL = NOPASSWD: ALL
1867 Full time sysadmins (B<millert>, B<mikef>, and B<dowdy>) may run any
1868 command on any host without authenticating themselves.
1870 PARTTIMERS ALL = ALL
1872 Part time sysadmins (B<bostley>, B<jwfox>, and B<crawl>) may run any
1873 command on any host but they must authenticate themselves first
1874 (since the entry lacks the C<NOPASSWD> tag).
1878 The user B<jack> may run any command on the machines in the I<CSNETS> alias
1879 (the networks C<128.138.243.0>, C<128.138.204.0>, and C<128.138.242.0>).
1880 Of those networks, only C<128.138.204.0> has an explicit netmask (in
1881 CIDR notation) indicating it is a class C network. For the other
1882 networks in I<CSNETS>, the local machine's netmask will be used
1887 The user B<lisa> may run any command on any host in the I<CUNETS> alias
1888 (the class B network C<128.138.0.0>).
1890 operator ALL = DUMPS, KILL, SHUTDOWN, HALT, REBOOT, PRINTING,\
1891 sudoedit /etc/printcap, /usr/oper/bin/
1893 The B<operator> user may run commands limited to simple maintenance.
1894 Here, those are commands related to backups, killing processes, the
1895 printing system, shutting down the system, and any commands in the
1896 directory F</usr/oper/bin/>.
1898 joe ALL = /usr/bin/su operator
1900 The user B<joe> may only L<su(1)> to operator.
1902 pete HPPA = /usr/bin/passwd [A-Za-z]*, !/usr/bin/passwd root
1904 %opers ALL = (: ADMINGRP) /usr/sbin/
1906 Users in the B<opers> group may run commands in F</usr/sbin/> as themselves
1907 with any group in the I<ADMINGRP> C<Runas_Alias> (the B<adm> and B<oper>
1910 The user B<pete> is allowed to change anyone's password except for
1911 root on the I<HPPA> machines. Note that this assumes L<passwd(1)>
1912 does not take multiple user names on the command line.
1914 bob SPARC = (OP) ALL : SGI = (OP) ALL
1916 The user B<bob> may run anything on the I<SPARC> and I<SGI> machines
1917 as any user listed in the I<OP> C<Runas_Alias> (B<root> and B<operator>).
1921 The user B<jim> may run any command on machines in the I<biglab> netgroup.
1922 B<sudo> knows that "biglab" is a netgroup due to the '+' prefix.
1924 +secretaries ALL = PRINTING, /usr/bin/adduser, /usr/bin/rmuser
1926 Users in the B<secretaries> netgroup need to help manage the printers
1927 as well as add and remove users, so they are allowed to run those
1928 commands on all machines.
1930 fred ALL = (DB) NOPASSWD: ALL
1932 The user B<fred> can run commands as any user in the I<DB> C<Runas_Alias>
1933 (B<oracle> or B<sybase>) without giving a password.
1935 john ALPHA = /usr/bin/su [!-]*, !/usr/bin/su *root*
1937 On the I<ALPHA> machines, user B<john> may su to anyone except root
1938 but he is not allowed to specify any options to the L<su(1)> command.
1940 jen ALL, !SERVERS = ALL
1942 The user B<jen> may run any command on any machine except for those
1943 in the I<SERVERS> C<Host_Alias> (master, mail, www and ns).
1945 jill SERVERS = /usr/bin/, !SU, !SHELLS
1947 For any machine in the I<SERVERS> C<Host_Alias>, B<jill> may run
1948 any commands in the directory F</usr/bin/> except for those commands
1949 belonging to the I<SU> and I<SHELLS> C<Cmnd_Aliases>.
1951 steve CSNETS = (operator) /usr/local/op_commands/
1953 The user B<steve> may run any command in the directory /usr/local/op_commands/
1954 but only as user operator.
1956 matt valkyrie = KILL
1958 On his personal workstation, valkyrie, B<matt> needs to be able to
1959 kill hung processes.
1961 WEBMASTERS www = (www) ALL, (root) /usr/bin/su www
1963 On the host www, any user in the I<WEBMASTERS> C<User_Alias> (will,
1964 wendy, and wim), may run any command as user www (which owns the
1965 web pages) or simply L<su(1)> to www.
1967 ALL CDROM = NOPASSWD: /sbin/umount /CDROM,\
1968 /sbin/mount -o nosuid\,nodev /dev/cd0a /CDROM
1970 Any user may mount or unmount a CD-ROM on the machines in the CDROM
1971 C<Host_Alias> (orion, perseus, hercules) without entering a password.
1972 This is a bit tedious for users to type, so it is a prime candidate
1973 for encapsulating in a shell script.
1975 =head1 SECURITY NOTES
1977 =head2 Limitations of the '!' operator
1979 It is generally not effective to "subtract" commands from C<ALL>
1980 using the '!' operator. A user can trivially circumvent this
1981 by copying the desired command to a different name and then
1982 executing that. For example:
1984 bill ALL = ALL, !SU, !SHELLS
1986 Doesn't really prevent B<bill> from running the commands listed in
1987 I<SU> or I<SHELLS> since he can simply copy those commands to a
1988 different name, or use a shell escape from an editor or other
1989 program. Therefore, these kind of restrictions should be considered
1990 advisory at best (and reinforced by policy).
1992 In general, if a user has sudo C<ALL> there is nothing to prevent
1993 them from creating their own program that gives them a root shell
1994 (or making their own copy of a shell) regardless of any '!' elements
1995 in the user specification.
1997 =head2 Security implications of I<fast_glob>
1999 If the I<fast_glob> option is in use, it is not possible
2000 to reliably negate commands where the path name includes globbing
2001 (aka wildcard) characters. This is because the C library's
2002 L<fnmatch(3)> function cannot resolve relative paths. While this
2003 is typically only an inconvenience for rules that grant privileges,
2004 it can result in a security issue for rules that subtract or revoke
2007 For example, given the following I<sudoers> entry:
2009 john ALL = /usr/bin/passwd [a-zA-Z0-9]*, /usr/bin/chsh [a-zA-Z0-9]*,
2010 /usr/bin/chfn [a-zA-Z0-9]*, !/usr/bin/* root
2012 User B<john> can still run C</usr/bin/passwd root> if I<fast_glob> is
2013 enabled by changing to F</usr/bin> and running C<./passwd root> instead.
2015 =head2 Preventing Shell Escapes
2017 Once B<sudo> executes a program, that program is free to do whatever
2018 it pleases, including run other programs. This can be a security
2019 issue since it is not uncommon for a program to allow shell escapes,
2020 which lets a user bypass B<sudo>'s access control and logging.
2021 Common programs that permit shell escapes include shells (obviously),
2022 editors, paginators, mail and terminal programs.
2024 There are two basic approaches to this problem:
2030 Avoid giving users access to commands that allow the user to run
2031 arbitrary commands. Many editors have a restricted mode where shell
2032 escapes are disabled, though B<sudoedit> is a better solution to
2033 running editors via B<sudo>. Due to the large number of programs that
2034 offer shell escapes, restricting users to the set of programs that
2035 do not is often unworkable.
2039 Many systems that support shared libraries have the ability to
2040 override default library functions by pointing an environment
2041 variable (usually C<LD_PRELOAD>) to an alternate shared library.
2042 On such systems, B<sudo>'s I<noexec> functionality can be used to
2043 prevent a program run by B<sudo> from executing any other programs.
2044 Note, however, that this applies only to native dynamically-linked
2045 executables. Statically-linked executables and foreign executables
2046 running under binary emulation are not affected.
2048 The I<noexec> feature is known to work on SunOS, Solaris, *BSD,
2049 Linux, IRIX, Tru64 UNIX, MacOS X, HP-UX 11.x and AIX 5.3 and above.
2050 It should be supported on most operating systems that support the
2051 C<LD_PRELOAD> environment variable. Check your operating system's
2052 manual pages for the dynamic linker (usually ld.so, ld.so.1, dyld,
2053 dld.sl, rld, or loader) to see if C<LD_PRELOAD> is supported.
2055 On Solaris 10 and higher, I<noexec> uses Solaris privileges instead
2056 of the C<LD_PRELOAD> environment variable.
2058 To enable I<noexec> for a command, use the C<NOEXEC> tag as documented
2059 in the User Specification section above. Here is that example again:
2061 aaron shanty = NOEXEC: /usr/bin/more, /usr/bin/vi
2063 This allows user B<aaron> to run F</usr/bin/more> and F</usr/bin/vi>
2064 with I<noexec> enabled. This will prevent those two commands from
2065 executing other commands (such as a shell). If you are unsure
2066 whether or not your system is capable of supporting I<noexec> you
2067 can always just try it out and check whether shell escapes work
2068 when I<noexec> is enabled.
2072 Note that restricting shell escapes is not a panacea. Programs
2073 running as root are still capable of many potentially hazardous
2074 operations (such as changing or overwriting files) that could lead
2075 to unintended privilege escalation. In the specific case of an
2076 editor, a safer approach is to give the user permission to run
2079 =head2 Time stamp file checks
2081 I<sudoers> will check the ownership of its time stamp directory
2082 (F<@timedir@> by default) and ignore the directory's contents if
2083 it is not owned by root or if it is writable by a user other than
2084 root. On systems that allow non-root users to give away files via
2085 L<chown(2)>, if the time stamp directory is located in a world-writable
2086 directory (e.g., F</tmp>), it is possible for a user to create the
2087 time stamp directory before B<sudo> is run. However, because
2088 I<sudoers> checks the ownership and mode of the directory and its
2089 contents, the only damage that can be done is to "hide" files by
2090 putting them in the time stamp dir. This is unlikely to happen
2091 since once the time stamp dir is owned by root and inaccessible by
2092 any other user, the user placing files there would be unable to get
2095 I<sudoers> will not honor time stamps set far in the future. Time
2096 stamps with a date greater than current_time + 2 * C<TIMEOUT> will
2097 be ignored and sudo will log and complain. This is done to keep a
2098 user from creating his/her own time stamp with a bogus date on
2099 systems that allow users to give away files if the time stamp directory
2100 is located in a world-writable directory.
2102 On systems where the boot time is available, I<sudoers> will ignore
2103 time stamps that date from before the machine booted.
2105 Since time stamp files live in the file system, they can outlive a
2106 user's login session. As a result, a user may be able to login,
2107 run a command with B<sudo> after authenticating, logout, login
2108 again, and run B<sudo> without authenticating so long as the time
2109 stamp file's modification time is within C<@timeout@> minutes (or
2110 whatever the timeout is set to in I<sudoers>). When the I<tty_tickets>
2111 option is enabled, the time stamp has per-tty granularity but still
2112 may outlive the user's session. On Linux systems where the devpts
2113 filesystem is used, Solaris systems with the devices filesystem,
2114 as well as other systems that utilize a devfs filesystem that
2115 monotonically increase the inode number of devices as they are
2116 created (such as Mac OS X), I<sudoers> is able to determine when a
2117 tty-based time stamp file is stale and will ignore it. Administrators
2118 should not rely on this feature as it is not universally available.
2122 L<rsh(1)>, L<su(1)>, L<fnmatch(3)>, L<glob(3)>, L<mktemp(3)>, L<strftime(3)>,
2123 L<sudoers.ldap(5)>, L<sudo_plugin(8)>, L<sudo(8)>, L<visudo(8)>
2127 The I<sudoers> file should B<always> be edited by the B<visudo>
2128 command which locks the file and does grammatical checking. It is
2129 imperative that I<sudoers> be free of syntax errors since B<sudo>
2130 will not run with a syntactically incorrect I<sudoers> file.
2132 When using netgroups of machines (as opposed to users), if you
2133 store fully qualified host name in the netgroup (as is usually the
2134 case), you either need to have the machine's host name be fully qualified
2135 as returned by the C<hostname> command or use the I<fqdn> option in
2140 If you feel you have found a bug in B<sudo>, please submit a bug report
2141 at http://www.sudo.ws/sudo/bugs/
2145 Limited free support is available via the sudo-users mailing list,
2146 see http://www.sudo.ws/mailman/listinfo/sudo-users to subscribe or
2147 search the archives.
2151 B<sudo> is provided ``AS IS'' and any express or implied warranties,
2152 including, but not limited to, the implied warranties of merchantability
2153 and fitness for a particular purpose are disclaimed. See the LICENSE
2154 file distributed with B<sudo> or http://www.sudo.ws/sudo/license.html
2155 for complete details.